diff --git a/.ci-operator.yaml b/.ci-operator.yaml
index e307e5af6628b..a3628cf240a63 100644
--- a/.ci-operator.yaml
+++ b/.ci-operator.yaml
@@ -1,4 +1,4 @@
 build_root_image:
   name: release
   namespace: openshift
-  tag: rhel-9-release-golang-1.24-openshift-4.21
+  tag: rhel-9-release-golang-1.25-openshift-4.22
diff --git a/.go-version b/.go-version
index eb716f77a7b8d..198ec23ccfcc9 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.24.9
+1.25.6
diff --git a/CHANGELOG/CHANGELOG-1.34.md b/CHANGELOG/CHANGELOG-1.34.md
deleted file mode 100644
index 336f60a6e28cc..0000000000000
--- a/CHANGELOG/CHANGELOG-1.34.md
+++ /dev/null
@@ -1,2214 +0,0 @@
-<!-- BEGIN MUNGE: GENERATED_TOC -->
-
-- [v1.34.1](#v1341)
-  - [Downloads for v1.34.1](#downloads-for-v1341)
-    - [Source Code](#source-code)
-    - [Client Binaries](#client-binaries)
-    - [Server Binaries](#server-binaries)
-    - [Node Binaries](#node-binaries)
-    - [Container Images](#container-images)
-  - [Changelog since v1.34.0](#changelog-since-v1340)
-  - [Changes by Kind](#changes-by-kind)
-    - [Bug or Regression](#bug-or-regression)
-  - [Dependencies](#dependencies)
-    - [Added](#added)
-    - [Changed](#changed)
-    - [Removed](#removed)
-- [v1.34.0](#v1340)
-  - [Downloads for v1.34.0](#downloads-for-v1340)
-    - [Source Code](#source-code-1)
-    - [Client Binaries](#client-binaries-1)
-    - [Server Binaries](#server-binaries-1)
-    - [Node Binaries](#node-binaries-1)
-    - [Container Images](#container-images-1)
-  - [Changelog since v1.33.0](#changelog-since-v1330)
-  - [Urgent Upgrade Notes](#urgent-upgrade-notes)
-    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)
-  - [Changes by Kind](#changes-by-kind-1)
-    - [Deprecation](#deprecation)
-    - [API Change](#api-change)
-    - [Feature](#feature)
-    - [Failing Test](#failing-test)
-    - [Bug or Regression](#bug-or-regression-1)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake)
-  - [Dependencies](#dependencies-1)
-    - [Added](#added-1)
-    - [Changed](#changed-1)
-    - [Removed](#removed-1)
-- [v1.34.0-rc.2](#v1340-rc2)
-  - [Downloads for v1.34.0-rc.2](#downloads-for-v1340-rc2)
-    - [Source Code](#source-code-2)
-    - [Client Binaries](#client-binaries-2)
-    - [Server Binaries](#server-binaries-2)
-    - [Node Binaries](#node-binaries-2)
-    - [Container Images](#container-images-2)
-  - [Changelog since v1.34.0-rc.1](#changelog-since-v1340-rc1)
-  - [Changes by Kind](#changes-by-kind-2)
-    - [Feature](#feature-1)
-    - [Documentation](#documentation)
-    - [Bug or Regression](#bug-or-regression-2)
-  - [Dependencies](#dependencies-2)
-    - [Added](#added-2)
-    - [Changed](#changed-2)
-    - [Removed](#removed-2)
-- [v1.34.0-rc.1](#v1340-rc1)
-  - [Downloads for v1.34.0-rc.1](#downloads-for-v1340-rc1)
-    - [Source Code](#source-code-3)
-    - [Client Binaries](#client-binaries-3)
-    - [Server Binaries](#server-binaries-3)
-    - [Node Binaries](#node-binaries-3)
-    - [Container Images](#container-images-3)
-  - [Changelog since v1.34.0-rc.0](#changelog-since-v1340-rc0)
-  - [Changes by Kind](#changes-by-kind-3)
-    - [Bug or Regression](#bug-or-regression-3)
-  - [Dependencies](#dependencies-3)
-    - [Added](#added-3)
-    - [Changed](#changed-3)
-    - [Removed](#removed-3)
-- [v1.34.0-rc.0](#v1340-rc0)
-  - [Downloads for v1.34.0-rc.0](#downloads-for-v1340-rc0)
-    - [Source Code](#source-code-4)
-    - [Client Binaries](#client-binaries-4)
-    - [Server Binaries](#server-binaries-4)
-    - [Node Binaries](#node-binaries-4)
-    - [Container Images](#container-images-4)
-  - [Changelog since v1.34.0-beta.0](#changelog-since-v1340-beta0)
-  - [Changes by Kind](#changes-by-kind-4)
-    - [Deprecation](#deprecation-1)
-    - [API Change](#api-change-1)
-    - [Feature](#feature-2)
-    - [Failing Test](#failing-test-1)
-    - [Bug or Regression](#bug-or-regression-4)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1)
-  - [Dependencies](#dependencies-4)
-    - [Added](#added-4)
-    - [Changed](#changed-4)
-    - [Removed](#removed-4)
-- [v1.34.0-beta.0](#v1340-beta0)
-  - [Downloads for v1.34.0-beta.0](#downloads-for-v1340-beta0)
-    - [Source Code](#source-code-5)
-    - [Client Binaries](#client-binaries-5)
-    - [Server Binaries](#server-binaries-5)
-    - [Node Binaries](#node-binaries-5)
-    - [Container Images](#container-images-5)
-  - [Changelog since v1.34.0-alpha.3](#changelog-since-v1340-alpha3)
-  - [Changes by Kind](#changes-by-kind-5)
-    - [API Change](#api-change-2)
-    - [Feature](#feature-3)
-    - [Bug or Regression](#bug-or-regression-5)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2)
-  - [Dependencies](#dependencies-5)
-    - [Added](#added-5)
-    - [Changed](#changed-5)
-    - [Removed](#removed-5)
-- [v1.34.0-alpha.3](#v1340-alpha3)
-  - [Downloads for v1.34.0-alpha.3](#downloads-for-v1340-alpha3)
-    - [Source Code](#source-code-6)
-    - [Client Binaries](#client-binaries-6)
-    - [Server Binaries](#server-binaries-6)
-    - [Node Binaries](#node-binaries-6)
-    - [Container Images](#container-images-6)
-  - [Changelog since v1.34.0-alpha.2](#changelog-since-v1340-alpha2)
-  - [Changes by Kind](#changes-by-kind-6)
-    - [API Change](#api-change-3)
-    - [Feature](#feature-4)
-    - [Failing Test](#failing-test-2)
-    - [Bug or Regression](#bug-or-regression-6)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3)
-  - [Dependencies](#dependencies-6)
-    - [Added](#added-6)
-    - [Changed](#changed-6)
-    - [Removed](#removed-6)
-- [v1.34.0-alpha.2](#v1340-alpha2)
-  - [Downloads for v1.34.0-alpha.2](#downloads-for-v1340-alpha2)
-    - [Source Code](#source-code-7)
-    - [Client Binaries](#client-binaries-7)
-    - [Server Binaries](#server-binaries-7)
-    - [Node Binaries](#node-binaries-7)
-    - [Container Images](#container-images-7)
-  - [Changelog since v1.34.0-alpha.1](#changelog-since-v1340-alpha1)
-  - [Changes by Kind](#changes-by-kind-7)
-    - [Deprecation](#deprecation-2)
-    - [API Change](#api-change-4)
-    - [Feature](#feature-5)
-    - [Bug or Regression](#bug-or-regression-7)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4)
-  - [Dependencies](#dependencies-7)
-    - [Added](#added-7)
-    - [Changed](#changed-7)
-    - [Removed](#removed-7)
-- [v1.34.0-alpha.1](#v1340-alpha1)
-  - [Downloads for v1.34.0-alpha.1](#downloads-for-v1340-alpha1)
-    - [Source Code](#source-code-8)
-    - [Client Binaries](#client-binaries-8)
-    - [Server Binaries](#server-binaries-8)
-    - [Node Binaries](#node-binaries-8)
-    - [Container Images](#container-images-8)
-  - [Changelog since v1.33.0](#changelog-since-v1330-1)
-  - [Urgent Upgrade Notes](#urgent-upgrade-notes-1)
-    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-1)
-  - [Changes by Kind](#changes-by-kind-8)
-    - [Deprecation](#deprecation-3)
-    - [API Change](#api-change-5)
-    - [Feature](#feature-6)
-    - [Failing Test](#failing-test-3)
-    - [Bug or Regression](#bug-or-regression-8)
-    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5)
-  - [Dependencies](#dependencies-8)
-    - [Added](#added-8)
-    - [Changed](#changed-8)
-    - [Removed](#removed-8)
-
-<!-- END MUNGE: GENERATED_TOC -->
-
-# v1.34.1
-
-
-## Downloads for v1.34.1
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes.tar.gz) | b1262f114376f7bc0532ef688e758657ada0796e958c7b49e1401e8a2789791a7d59e5460c54780131fc8fa7398c6e87a7e59fdc4a84061c15d015c69a07e10d
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-src.tar.gz) | 5109cd698bd249341357f5a0b7ab3cd078a641747ef1a17e168f650c62af854cc46bf3bca884f43ea33d51e81a2be4e31d0d02af639a3f58d79f3f1322b0e238
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-darwin-amd64.tar.gz) | c977b7ede3a07ec721a874ec127a9b2d2e1edce097e33fc5bfe0a7a2ecf61153c4e514787e89003eeb8d463f47ba0c09f3267669769f0cba873c5265674e056d
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-darwin-arm64.tar.gz) | ae6b112e45e50a9d1ce0738f948f933eed419dde20a70f399cfcf77ebf5179b6af893ae7e1e633f5b99c1f34a499a2238474cc45878afdf250c048ea43c559a2
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-386.tar.gz) | 3e8aff795fa394343b4d3a943dba25b06b5c122df91fe5893cb354ee605a087f6150cee6225ff60d4b1ed9e0fa02adb9e4ccd8e38cd12337a92cedbdcfaabff2
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-amd64.tar.gz) | 3abedd362fffd5eb749febdeb59c2edd9902f7f69fb182f879daeb27cc88405983c539513cb74ef9b9587ab3829bde992f22f2067fd181311989345f6e13b867
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-arm.tar.gz) | 0d28e96ff4bf3f570277f194a975c19e8a1b49e7240908a91278647c44b5f019251dd7774aed5dbbfe7c030ded993701044c90ac97e14de5c51d0e9ae84d2127
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-arm64.tar.gz) | 279832e1ac95532807aeb68ed951e8099300e3cd4a09f1d829c4b0197e0010d18d1de19e54f73b0ab7f104ee5670ef4897127432fac42867b7a727d75dc8bd48
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-ppc64le.tar.gz) | 1367d4dfebab6f504612d6aa7e6dd7f6391ec28779c0610ef89c77bb691a5020ff3d863d5414645d62e9dfbf1fe814cf8b3bae3097c210f8e8ad895deb19c291
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-linux-s390x.tar.gz) | d03ff4bbad2c947a37a6ffc62f3db08cf2cc1d9d702d90b94f80fb9fdcc637c4f96096beb3a466f07ac4ca807d89e81240f15cf7d2ae1c6fbd4a953122728e28
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-windows-386.tar.gz) | 7929fd442acfa851c1510b52a6c3a11f6d3c2fb318597e68134a1927bac18ab70c6de7d572c0c05ecbc8c5764cf20fc91ab4c1ad604c7cd3707b86c01cb9fd16
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-windows-amd64.tar.gz) | f73e914d28e0986d4b32bbf0d39c428d3e4d28dac11cf8d2b48eae4f1825511fc8b1b706427a1fe752fc0d280f1b4c539f4261cc31f679f25646ac5234afa7ad
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-client-windows-arm64.tar.gz) | f03de193bc851a1327cbc7338f019cabe7167775ca597c36637b10332b8892a7a4bcc5daa090349f24347f5210fced19c7a15211c69abb94fee87e88c1efaa30
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-server-linux-amd64.tar.gz) | 8fd1e779f4d0188592644e234a6e5b728b9000a2afeb9d8da25131a5a4e54718bb46c4d521c62e26ea971e32745529fbb001c4f011ef2c54091cb5e81b4b90f2
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-server-linux-arm64.tar.gz) | 77f68803b34f710c9623f388452494075ca9bb38567e7878176ec12a6d2971d2feba381e99462dc8c6e83ff5064dcffcaa7df736b67208880f5e90d71a831c2c
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-server-linux-ppc64le.tar.gz) | 6a5378a02b9b27cce9e0bc26399f8c0a8676372407bb618949fa41caacb4bbfbc7ec5487e00d973fbf409abe848a3aed42b2ead2c78753a1dd7c3251daf61745
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-server-linux-s390x.tar.gz) | 6b9b4b64907ec817ce93a70faecbfcccf665e6b7681d0c21e26844c9d2645227ee8956c3b6b6a2417725b1e64353d5e1ed7071cf2c8e71ea8551cd47d662c3d8
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-node-linux-amd64.tar.gz) | c9b7d52708c4282757cd7aaa8b059c26f8f427cf8c238dff95cdc85a68d42c28b6e09fbf1aee3fa6f5f377aa395c6b9a73c112c56a6485e22b16a9c8562a8eef
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-node-linux-arm64.tar.gz) | efe54933eb5e7e6b44c76efe0b4cec911340793ef2eafdd595593fb2537e5704429d3a291793cb69ad459fe14058da491a29a12d963ba34ee4c1475cc0799b0f
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-node-linux-ppc64le.tar.gz) | 59a7223e167c890d8cb8544b9692182aaccb3814cb203337ea21a87902e0174d6f0e114d015989c42890d3b73cb73bdf8b1b71ef89fd1b0cf615349d10c23f8f
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-node-linux-s390x.tar.gz) | b648658aaae4812d787b7be04bdfd13dc379316bbcda107eca410ffbdf57713f00bbb68ad4fe9501c3bb26e5d35f589653d4067a5753f681e41f493a28309ea9
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.1/kubernetes-node-windows-amd64.tar.gz) | 4c70f856364a976aa919662f3b3f6f06da3fe7ae156b7bf3fd84de4b5a0b0c70221283220c48c3cc31dddce0f2e0167606126515b1750ca90aaf129f1c9280ce
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0
-
-## Changes by Kind
-
-### Bug or Regression
-
-- Fixed SELinux warning controller not emitting events on some SELinux label conflicts. ([#133745](https://github.com/kubernetes/kubernetes/pull/133745), [@jsafrane](https://github.com/jsafrane)) [SIG Apps, Storage and Testing]
-- Fixed broken shell completion for api resources. ([#133783](https://github.com/kubernetes/kubernetes/pull/133783), [@vpnachev](https://github.com/vpnachev)) [SIG CLI]
-- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([#133901](https://github.com/kubernetes/kubernetes/pull/133901), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery]
-- Kube-apiserver: Fixes a 1.34 regression with spurious "Error getting keys" log messages ([#133866](https://github.com/kubernetes/kubernetes/pull/133866), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Kube-apiserver: Fixes a possible 1.34 performance regression calculating object size statistics for resources not served from the watch cache, typically only Events ([#133879](https://github.com/kubernetes/kubernetes/pull/133879), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Kubeadm: fixed bug where v1beta3's ClusterConfiguration.APIServer.TimeoutForControlPlane is not respected in newer versions of kubeadm where v1beta4 is the default. ([#133753](https://github.com/kubernetes/kubernetes/pull/133753), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Cluster Lifecycle]
-
-## Dependencies
-
-### Added
-_Nothing has changed._
-
-### Changed
-_Nothing has changed._
-
-### Removed
-_Nothing has changed._
-
-
-
-# v1.34.0
-
-[Documentation](https://docs.k8s.io)
-
-## Downloads for v1.34.0
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes.tar.gz) | `133a1ea99881ac8988b1931908506b8b02e0533c6c6521b67152c00e0ba5c124870a3a5050887827a7d1b1b8cc4b1da9e2b07f76684975585d0947e5d234faa5`
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-src.tar.gz) | `2fa409c71ce0f98dc540baa0e5058f751ee982cf0b9dfe4d3ed5eea1331586e7a464a631909889f9c0758d364643718a336816343136b603ef59bdf43c7a30d7`
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-darwin-amd64.tar.gz) | `20b6c4f9327f4d0b5873429595e2b7bdfec6269e9a39dee69e28ff9f3fd168611f56f378b867c35edc605dac23227b0d95083fdbc676c04f5d8d1142ceff829c`
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-darwin-arm64.tar.gz) | `c48d5efa26f8313f535a173201c38896fa9147fd46a7d3a085c70dcbb16391a894d4c4f09ecb6d1d7ed081a7d3fdd8f71afadd0253a55808addb383680ef89b7`
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-386.tar.gz) | `efc91631134a8cdd543d4e9cf429928b0b7abe2f6212f05ea82ad62830caef74aa4b9b090b45d583912de280e13af87b8b20c0d3fc6fbc43b5c99beb5a9ff8db`
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-amd64.tar.gz) | `aa5e3a41986e23ad6910eb86e68eb10217db60978dadc88370c669cb9c9e10d1431133cc8f7401b4e9843e0d15120c867f2803121e690ac7c74ee85eabbc13b5`
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-arm.tar.gz) | `aeafc3d539a400e2e1a32ed501aca7e265ed817d0d56acf62f306c26c2be0beac6af88b6478a26df865105a2c13f2006cc1e062189f4b6885814133090228e86`
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-arm64.tar.gz) | `24158910deed9d09e99e5fb358bd9758de509f344bfb0b1482b2426e26c1e52f7f97657438fa698b51da10c7444699f7addae58ee67b23f38eb175df0e17661a`
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-ppc64le.tar.gz) | `b30f3966ab6d2b723956cd400e73a685ea6431230eb1994bbb995af163f6ba7abbda79834dab3f0fc0a6b4a9c9af3582f07689e100841ea012015070cac9cd80`
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-linux-s390x.tar.gz) | `b543accac845a9a8d1fccc62e43d44479247f9ed65d7db7e2fcf0004ee02c7eaf9d10ab977040bf77f4f5171974a1d4d8a1852d93668b1f593ad5f957ba84952`
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-windows-386.tar.gz) | `2f60547e2e8800df61c57adfb862031e81ba27cba3edeaf483aa8616820561c6ed9b87778b4e81be14545dcaa35bef9d80c817972039357f8e594a6f4edeeb13`
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-windows-amd64.tar.gz) | `a528fdec4aa426f0b72ff96f39727842e6561f4c49e273e6f007934f42ab2992fd75a8fa43c9ae7d9f3345091228d43bc03e3bdf3696d36a56b4fb49d20a6e9d`
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-client-windows-arm64.tar.gz) | `467dcadaa8b48d45caa0a5aca5669317fd501689e4a90219c701adb5e9f46ce66085dd3800321e2377c775992180d76aae2e2b84a4f7bb50f997198def0dd8e6`
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-server-linux-amd64.tar.gz) | `a9ec9abe6a803d55d56753e1be8549223cd34ebcbec26536cbdc277c5f17a28c4942329e1df01a2bd067b60a0c1c2901e240d5014e9ce445400239bd488582af`
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-server-linux-arm64.tar.gz) | `d05fd68c31f30b1853aa927200ce99fc1e7e67b39803be7508c5591b57e74f3496bcd8b50b84afeabd293f41bc647ea4bcb0bf85a7be5b49e8d2604214e5ccda`
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-server-linux-ppc64le.tar.gz) | `173d638506736cfd0bd8ffe7719447895068ed3f3c8a20405548f0db6689bcd63a4f226f6b19e35e7696801c338d9071f2f93392c8ec6316617303350cb44cff`
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-server-linux-s390x.tar.gz) | `80fd0c55c3c1cdbdd47faf9bfcf2f89d36c56bb91c0281c126e8ba84ad36c527f1861646f54dc4258ba6fae0fb8ee23674ed41f811a08758da3fe1337f723748`
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-node-linux-amd64.tar.gz) | `93ae93af2d39bf00747b66f365781c64880b4ca235031a7ecae7a9d017e04df7ca925f8c005b1da49447cf64cb3f1ecc790db460e60cd1f98f34aae1434ad103`
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-node-linux-arm64.tar.gz) | `33216af73a02919579985be5d5372ecb305b6fb2013297f3ea36b357d3cf4bce2a07a612e188b76c752aabbe23bdc726645f348f5db43b12893fc80ac65711f3`
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-node-linux-ppc64le.tar.gz) | `781df3a7785435ed365949850ef3c4555e3531826907d75e2edf102cdef8950176c17c8dc8ad97077908b12895eb2cf2796e27418252cb790a7876484270d33a`
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-node-linux-s390x.tar.gz) | `133c8c011e3f0c6094262efa2cd053e96facdfdb603f90eb51b9ee085c082ac82bcd53863cc517f7ae9e219265f8e66e94e4fbdc21ee01b79b72c993792dde5c`
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0/kubernetes-node-windows-amd64.tar.gz) | `e5f6dbd19106b4f4d125d048f1351be2b6a06a79622ece31c24a2a27c03268474a42a1b0b85b1de46423a66c0ee9e1060e9bcee709ae1668c7a650b5575ccc76`
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.33.0
-
-## Urgent Upgrade Notes 
-
-### (No, really, you MUST read this before you upgrade)
-
-- For metrics `apiserver_cache_list_fetched_objects_total`, `apiserver_cache_list_returned_objects_total`, `apiserver_cache_list_total` replace `resource_prefix` label with API `group` and `resource` labels.
-  For metrics `etcd_request_duration_seconds`, `etcd_requests_total` and `etcd_request_errors_total` replace `type` label with API `resource` and `group` label.
-  For metric `apiserver_selfrequest_total` add a API `group` label.
-  For metrics `apiserver_watch_events_sizes` and `apiserver_watch_events_total` replace API `kind` label with `resource` label.
-  For metrics `apiserver_request_body_size_bytes`, `apiserver_storage_events_received_total`, `apiserver_storage_list_evaluated_objects_total`, `apiserver_storage_list_fetched_objects_total`, `apiserver_storage_list_returned_objects_total`, `apiserver_storage_list_total`, `apiserver_watch_cache_events_dispatched_total`, `apiserver_watch_cache_events_received_total`, `apiserver_watch_cache_initializations_total`, `apiserver_watch_cache_resource_version`, `watch_cache_capacity`, `apiserver_init_events_total`, `apiserver_terminated_watchers_total`, `watch_cache_capacity_increase_total`, `watch_cache_capacity_decrease_total`, `apiserver_watch_cache_read_wait_seconds`, `apiserver_watch_cache_consistent_read_total`, `apiserver_storage_consistency_checks_total`, `etcd_bookmark_counts`, `storage_decode_errors_total` extract the API group from `resource` label and put it in new `group` label. ([#131845](https://github.com/kubernetes/kubernetes/pull/131845), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd, Instrumentation and Testing]
- - Kubelet:  removed the deprecated flag `--cloud-config` from the command line. ([#130161](https://github.com/kubernetes/kubernetes/pull/130161), [@carlory](https://github.com/carlory)) [SIG Cloud Provider, Node and Scalability]
- - Static pods that reference API objects were denied admission by the kubelet so that static pods would not be silently running even after the mirror pod creation failed. ([#131837](https://github.com/kubernetes/kubernetes/pull/131837), [@sreeram-venkitesh](https://github.com/sreeram-venkitesh)) [SIG Auth, Node and Testing]
- - The Scheduling Framework exposed `NodeInfos` to the PreFilter plugins. The PreFilter plugins now accepted the `NodeInfo` list from the arguments. ([#130720](https://github.com/kubernetes/kubernetes/pull/130720), [@saintube](https://github.com/saintube)) [SIG Node, Scheduling, Storage and Testing]
- 
-## Changes by Kind
-
-### Deprecation
-
-- Apimachinery: Deprecated `MessageCountMap` and `CreateAggregateFromMessageCountMap`. ([#132376](https://github.com/kubernetes/kubernetes/pull/132376), [@tico88612](https://github.com/tico88612))
-- DRA kubelet: gRPC API graduated to v1, v1beta1 was deprecated starting in 1.34. Updating DRA drivers to the `k8s.io/dynamic-resource-allocation/kubeletplugin` helper from 1.34 added support for both API versions. ([#132700](https://github.com/kubernetes/kubernetes/pull/132700), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- Deprecated the `preferences` field in kubeconfig in favor of `kuberc`. ([#131741](https://github.com/kubernetes/kubernetes/pull/131741), [@soltysh](https://github.com/soltysh)) [SIG API Machinery, CLI, Cluster Lifecycle and Testing]
-- Kubeadm: Consistently prefixed errors with error: when printing them. ([#132080](https://github.com/kubernetes/kubernetes/pull/132080), [@neolit123](https://github.com/neolit123))
-- Kubeadm: Exposed only the non-deprecated klog flags (-v and -vmodule), in line with KEP https://features.k8s.io/2845. ([#131647](https://github.com/kubernetes/kubernetes/pull/131647), [@carsontham](https://github.com/carsontham))
-- [cloud-provider] Respected the `exclude-from-external-load-balancers=false` label. ([#131085](https://github.com/kubernetes/kubernetes/pull/131085), [@kayrus](https://github.com/kayrus)) [SIG Cloud Provider and Network]
-
-### API Change
-
-- Added `omitempty` and `opt` tag to the API `v1beta2` AdminAccess type in the `DeviceRequestAllocationResult` struct. ([#132338](https://github.com/kubernetes/kubernetes/pull/132338), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Added a `runtime.ApplyConfiguration` interface implemented by all generated apply configuration types. ([#132194](https://github.com/kubernetes/kubernetes/pull/132194), [@alvaroaleman](https://github.com/alvaroaleman)) [SIG API Machinery and Instrumentation]
-- Added a detailed event for in-place pod vertical scaling completed, improving cluster management and debugging. ([#130387](https://github.com/kubernetes/kubernetes/pull/130387), [@shiya0705](https://github.com/shiya0705)) [SIG API Machinery, Apps, Autoscaling, Node, Scheduling and Testing]
-- Added a mechanism for configurable container restarts: _container-level restart rules_. This was an alpha feature behind the `ContainerRestartRules` feature gate. ([#132642](https://github.com/kubernetes/kubernetes/pull/132642), [@yuanwang04](https://github.com/yuanwang04)) [SIG API Machinery, Apps, Node and Testing]
-- Added a new `FileKeyRef` field to containers, allowing them to load variables from files by setting this field.
-  
-  Introduced the `EnvFiles` feature gate to govern activation of this functionality. ([#132626](https://github.com/kubernetes/kubernetes/pull/132626), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Apps, Node and Testing]
-- Added driver-owned fields in `ResourceSlice` to mark whether the device was shareable among multiple resource claims (or requests) and to specify how each capacity could be shared between different requests.
-  - Added user-owned fields in `ResourceClaim` to specify resource requirements against each device capacity.
-  - Added scheduler-owned field in `ResourceClaim.Status` to specify how much device capacity is reserved for a specific request.
-  - Added an additional identifier to `ResourceClaim.Status` for the device supports multiple allocations.
-  - Added a new constraint type to enforce uniqueness of specified attributes across all allocated devices. ([#132522](https://github.com/kubernetes/kubernetes/pull/132522), [@sunya-ch](https://github.com/sunya-ch)) [SIG API Machinery, Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Release, Scheduling and Testing]
-- Added new optional APIs in `ResouceSlice.Basic` and `ResourceClaim.Status.AllocatedDeviceStatus`. ([#130160](https://github.com/kubernetes/kubernetes/pull/130160), [@KobayashiD27](https://github.com/KobayashiD27)) [SIG API Machinery, Apps, Architecture, Node, Release, Scheduling and Testing]
-- Added support for specifying `controlplane` or `cluster` egress selectors in JWT authenticators via the `issuer.egressSelectorType` field in the `AuthenticationConfiguration.jwt` array. If unset, the previous behavior of using no egress selector is preserved. This functionality requires the `StructuredAuthenticationConfigurationEgressSelector` beta feature gate (enabled by default). ([#132768](https://github.com/kubernetes/kubernetes/pull/132768), [@enj](https://github.com/enj)) [SIG API Machinery, Auth and Testing]
-- Added support in the Kubelet for monitoring the health of devices allocated via Dynamic Resource Allocation (DRA) and report it in the `pod.status.containerStatuses.allocatedResourcesStatus` field. This required the DRA plugin to implement the new v1alpha1 `NodeHealth` gRPC service. This feature was controlled by the `ResourceHealthStatus` feature gate. ([#130606](https://github.com/kubernetes/kubernetes/pull/130606), [@Jpsassine](https://github.com/Jpsassine)) [SIG Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Network, Node, Release, Scheduling, Storage and Testing]
-- Added support in the kubelet's image pull credential tracking for service account-based verification. When an image was pulled using service account credentials via external credential providers, subsequent Pods using the same service account (UID, name, and namespace) could access the cached image without re-authentication for the lifetime of that service account. ([#132771](https://github.com/kubernetes/kubernetes/pull/132771), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
-- Added validation to reject Pods using the `PodLevelResources` feature on Windows OS due to lack of support. The API server rejected Pods with pod-level resources and a `Pod.spec.os.name` targeting Windows. Kubelet on nodes running Windows also rejected Pods with pod-level resources at the admission phase. ([#133046](https://github.com/kubernetes/kubernetes/pull/133046), [@toVersus](https://github.com/toVersus)) [SIG Apps and Node]
-- Added warnings when creating headless service with set `loadBalancerIP`,`externalIPs` and/or `SessionAffinity`. ([#132214](https://github.com/kubernetes/kubernetes/pull/132214), [@Peac36](https://github.com/Peac36))
-- Allowed `pvc.spec.VolumeAttributesClassName` to change from non-nil to nil. ([#132106](https://github.com/kubernetes/kubernetes/pull/132106), [@AndrewSirenko](https://github.com/AndrewSirenko))
-- Allowed setting the `hostnameOverride` field in `PodSpec` to specify any RFC 1123 DNS subdomain as the pod's hostname. The `HostnameOverride` feature gate was introduced to control enablement of this functionality. ([#132558](https://github.com/kubernetes/kubernetes/pull/132558), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Apps, Network, Node and Testing]
-- Changed underlying logic for `Eviction Manager` helper functions. ([#132277](https://github.com/kubernetes/kubernetes/pull/132277), [@KevinTMtz](https://github.com/KevinTMtz)) [SIG Node, Scheduling and Testing]
-- Changed underlying logic to propagate pod-level hugepage cgroup to containers when they did not specify hugepage resources.
-  - Added validation to enforce the hugepage aggregated container limits to be smaller than or equal to pod-level limits. This was already enforced with the defaulted requests from the specified limits, however it did not make it clear about both hugepage requests and limits. ([#131089](https://github.com/kubernetes/kubernetes/pull/131089), [@KevinTMtz](https://github.com/KevinTMtz)) [SIG Apps, Node and Testing]
-- Corrected the documentation to clarify that `podSelector` is optional and described its default behavior. ([#131354](https://github.com/kubernetes/kubernetes/pull/131354), [@tomoish](https://github.com/tomoish))
-- DRA API: resource.k8s.io/v1alpha3 now only contains DeviceTaintRule. All other types got removed because they became obsolete when introducing the v1beta1 API in 1.32.
-  before updating a cluster where resourceclaims, resourceclaimtemplates, deviceclasses, or resourceslices might have been stored using Kubernetes < 1.32, delete all of those resources before updating and recreate them as needed while running Kubernetes >= 1.32. ([#132000](https://github.com/kubernetes/kubernetes/pull/132000), [@pohly](https://github.com/pohly)) [SIG Etcd, Node, Scheduling and Testing]
-- DRA: Starting with Kubernetes 1.34, the alpha-level `resource.k8s.io/admin-access` label has been updated to `resource.kubernetes.io/admin-access`. Admins using the alpha feature and updating from 1.33 can set both labels, upgrade, then remove `resource.k8s.io/admin-access` when no downgrade is going to happen anymore. ([#131996](https://github.com/kubernetes/kubernetes/pull/131996), [@ritazh](https://github.com/ritazh)) [SIG Node and Testing]
-- DRA: The scheduler plugin prevented abnormal filter runtimes by timing out after 10 seconds. This was configurable via the plugin configuration's `FilterTimeout`. Setting it to zero disabled the timeout and restored the behavior of Kubernetes <= 1.33. ([#132033](https://github.com/kubernetes/kubernetes/pull/132033), [@pohly](https://github.com/pohly)) [SIG Node, Scheduling and Testing]
-- DRA: When the prioritized list feature was used in a request and the resulting number of allocated devices exceeded the number of allowed devices per claim, the scheduler aborted the attempt to allocate devices early. Previously, it tried to many different combinations, which could take a long time. ([#130593](https://github.com/kubernetes/kubernetes/pull/130593), [@mortent](https://github.com/mortent)) [SIG Apps, Node, Scheduling and Testing]
-- DRA: removed support for the v1alpha4 kubelet gRPC API (added in 1.31, superseded in 1.32). DRA drivers using the helper package from Kubernetes  >= 1.32 use the v1beta1 API and continue to be supported. ([#132574](https://github.com/kubernetes/kubernetes/pull/132574), [@pohly](https://github.com/pohly))
-- Deprecated `StreamingConnectionIdleTimeout` field of the kubelet config. ([#131992](https://github.com/kubernetes/kubernetes/pull/131992), [@lalitc375](https://github.com/lalitc375))
-- Dynamic Resource Allocation: Graduated core functionality to general availability (GA). This newly stable feature uses the _structured parameters_ flavor of DRA. ([#132706](https://github.com/kubernetes/kubernetes/pull/132706), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Autoscaling, Etcd, Node, Scheduling and Testing]
-- Enabled kube-apiserver support for `PodCertificateRequest` and `PodCertificate` projected volumes (behind the `PodCertificateRequest` feature gate). ([#128010](https://github.com/kubernetes/kubernetes/pull/128010), [@ahmedtd](https://github.com/ahmedtd)) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Storage and Testing]
-- Extended resources backed by DRA feature allowed cluster operator to specify `extendedResourceName` in `DeviceClass`, and application operator to continue using extended resources in pod's requests to request for DRA devices matching the DeviceClass.
-  
-  `NodeResourcesFit` plugin scoring didn't work for extended resources backed by DRA. ([#130653](https://github.com/kubernetes/kubernetes/pull/130653), [@yliaog](https://github.com/yliaog)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
-- Extended the NodePorts scheduling plugin to consider hostPorts used by restartable init containers. ([#132040](https://github.com/kubernetes/kubernetes/pull/132040), [@avrittrohwer](https://github.com/avrittrohwer)) [SIG Scheduling and Testing]
-- Fixed a 1.33 regression that causes a nil panic in kube-scheduler when aggregating resource requested across container's spec and status. ([#132895](https://github.com/kubernetes/kubernetes/pull/132895), [@yue9944882](https://github.com/yue9944882)) [SIG Node and Scheduling]
-- Fixed prerelease lifecycle for `PodCertificateRequest`. ([#133350](https://github.com/kubernetes/kubernetes/pull/133350), [@carlory](https://github.com/carlory))
-- Introduced OpenAPI format support for `k8s-short-name` and `k8s-long-name` in CustomResourceDefinition schemas. ([#132504](https://github.com/kubernetes/kubernetes/pull/132504), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
-- Introduced the `admissionregistration.k8s.io/v1beta1/MutatingAdmissionPolicy` API type. To enable, enable the `MutatingAdmissionPolicy` feature gate (which was off by default) and set `--runtime-config=admissionregistration.k8s.io/v1beta1=true` on the kube-apiserver. 
-  Note that the default stored version remained alpha in 1.34, and whoever enabled beta during 1.34 needed to run a storage migration yourself to ensure you don't depend on alpha data in etcd. ([#132821](https://github.com/kubernetes/kubernetes/pull/132821), [@cici37](https://github.com/cici37)) [SIG API Machinery, Etcd and Testing]
-- Kube-apiserver: Added support for disabling caching of authorization webhook decisions in the `--authorization-config` file. The new fields `cacheAuthorizedRequests` and `cacheUnauthorizedRequests` could be set to `false` to prevent caching for authorized or unauthorized requests. See the https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-configuration-file-for-authorization for more details. ([#129237](https://github.com/kubernetes/kubernetes/pull/129237), [@rfranzke](https://github.com/rfranzke)) [SIG API Machinery and Auth]
-- Kube-apiserver: Promoted the `StructuredAuthenticationConfiguration` feature gate to GA. ([#131916](https://github.com/kubernetes/kubernetes/pull/131916), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-apiserver: the AuthenticationConfiguration type accepted in `--authentication-config` files has been promoted to `apiserver.config.k8s.io/v1`. ([#131752](https://github.com/kubernetes/kubernetes/pull/131752), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-log-runner: Added the `-log-file-size` parameter to rotate log output into a new file once it reached a certain size. Introduced `-log-file-age` to enable automatic removal of old output files, and `-flush-interval` to support periodic flushing. ([#127667](https://github.com/kubernetes/kubernetes/pull/127667), [@zylxjtu](https://github.com/zylxjtu)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
-- Kubectl: Graduated kuberc support to beta. A `kuberc` configuration file provided a mechanism for customizing `kubectl` behavior (distinct from kubeconfig, which configures cluster access across different clients). ([#131818](https://github.com/kubernetes/kubernetes/pull/131818), [@soltysh](https://github.com/soltysh)) [SIG CLI and Testing]
-- Promoted Job Pod Replacement Policy to general availability. The `JobPodReplacementPolicy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([#132173](https://github.com/kubernetes/kubernetes/pull/132173), [@dejanzele](https://github.com/dejanzele)) [SIG Apps and Testing]
-- Promoted `MutableCSINodeAllocatableCount` to beta. ([#132429](https://github.com/kubernetes/kubernetes/pull/132429), [@torredil](https://github.com/torredil))
-- Promoted feature-gate `VolumeAttributesClass` to GA
-  - Promoted API `VolumeAttributesClass` and `VolumeAttributesClassList` to `storage.k8s.io/v1`. ([#131549](https://github.com/kubernetes/kubernetes/pull/131549), [@carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Storage and Testing]
-- Promoted the `APIServerTracing` feature gate to GA. The `--tracing-config-file` flag accepted `TracingConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). ([#132340](https://github.com/kubernetes/kubernetes/pull/132340), [@dashpole](https://github.com/dashpole)) [SIG API Machinery and Testing]
-- Promoted the `AuthorizeWithSelectors` and `AuthorizeNodeWithSelectors` feature gates to stable and locked on. ([#132656](https://github.com/kubernetes/kubernetes/pull/132656), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth and Testing]
-- Promoted the `KubeletTracing` feature gate to GA. ([#132341](https://github.com/kubernetes/kubernetes/pull/132341), [@dashpole](https://github.com/dashpole)) [SIG Instrumentation and Node]
-- Promoted the `RelaxedEnvironmentVariableValidation` feature gate to GA and locked it in the enabled state by default. ([#132054](https://github.com/kubernetes/kubernetes/pull/132054), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Apps, Architecture, Node and Testing]
-- Removed an inaccurate statement about requiring ports when the Pod spec `hostNetwork` field was set. ([#130994](https://github.com/kubernetes/kubernetes/pull/130994), [@BenTheElder](https://github.com/BenTheElder)) [SIG Network and Node]
-- Removed deprecated `gogo` protocol definitions from `k8s.io/kubelet/pkg/apis/pluginregistration` in favor of `google.golang.org/protobuf`. ([#132773](https://github.com/kubernetes/kubernetes/pull/132773), [@saschagrunert](https://github.com/saschagrunert))
-- Removed deprecated gogo protocol definitions from `k8s.io/cri-api` in favor of `google.golang.org/protobuf`. ([#128653](https://github.com/kubernetes/kubernetes/pull/128653), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Auth, Instrumentation, Node and Testing]
-- Replaced Boolean-pointer-helper functions with the `k8s.io/utils/ptr` implementations. ([#132794](https://github.com/kubernetes/kubernetes/pull/132794), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Auth, CLI, Node and Testing]
-- Replaced `boolPtrFn` helper functions with the "k8s.io/utils/ptr" implementation. ([#132907](https://github.com/kubernetes/kubernetes/pull/132907), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the apiextensions-apiserver apiextensions. ([#132723](https://github.com/kubernetes/kubernetes/pull/132723), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the apiserver (1/2). ([#132751](https://github.com/kubernetes/kubernetes/pull/132751), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the component-base. ([#132754](https://github.com/kubernetes/kubernetes/pull/132754), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Architecture, Instrumentation and Scheduling]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the kube-aggregator apiregistration. ([#132701](https://github.com/kubernetes/kubernetes/pull/132701), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Simplied validation error message for invalid fields by removing redundant field name. ([#132513](https://github.com/kubernetes/kubernetes/pull/132513), [@xiaoweim](https://github.com/xiaoweim)) [SIG API Machinery, Apps, Auth, Node and Scheduling]
-- Simplied validation error message for required fields by removing redundant messages. ([#132472](https://github.com/kubernetes/kubernetes/pull/132472), [@xiaoweim](https://github.com/xiaoweim)) [SIG API Machinery, Apps, Architecture, Auth, Cloud Provider, Network, Node and Storage]
-- The `KubeletServiceAccountTokenForCredentialProviders` feature was beta and enabled by default. ([#133017](https://github.com/kubernetes/kubernetes/pull/133017), [@aramase](https://github.com/aramase)) [SIG Auth and Node]
-- The `conditionType` is "oneof" approved/denied check of CertificateSigningRequest's `.status.conditions` field was migrated to declarative validation. 
-  If the `DeclarativeValidation` feature gate was enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate was enabled, declarative validation was the primary source of errors for migrated fields. ([#133013](https://github.com/kubernetes/kubernetes/pull/133013), [@aaron-prindle](https://github.com/aaron-prindle)) [SIG API Machinery and Auth]
-- The fallback behavior of the Downward API's `resourceFieldRef` field was updated to account for pod-level resources: if container-level limits were not set, pod-level limits were now used before falling back to node allocatable resources. ([#132605](https://github.com/kubernetes/kubernetes/pull/132605), [@toVersus](https://github.com/toVersus)) [SIG Node, Scheduling and Testing]
-- The validation of `replicas` field in the ReplicationController `/scale` subresource has been migrated to declarative validation.
-  If the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate is enabled, declarative validation is the primary source of errors for migrated fields. ([#131664](https://github.com/kubernetes/kubernetes/pull/131664), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery and Apps]
-- The validation-gen code generator generated validation code that supported validation ratcheting. ([#132236](https://github.com/kubernetes/kubernetes/pull/132236), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps, Auth and Node]
-- Updated `IsDNS1123SubdomainWithUnderscore` so that, when it returned an error, it also returned the correct regex information (`dns1123SubdomainFmtWithUnderscore`). ([#132034](https://github.com/kubernetes/kubernetes/pull/132034), [@ChosenFoam](https://github.com/ChosenFoam))
-- Updated etcd version to v3.6.0. ([#131501](https://github.com/kubernetes/kubernetes/pull/131501), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
-- Updated the `v1` credential provider configuration to include the `tokenAttributes.cacheType` field. This field is required and must be set to either `ServiceAccount` or `Token` when configuring a provider that uses a service account to fetch registry credentials. ([#132617](https://github.com/kubernetes/kubernetes/pull/132617), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
-- Zero-value `metadata.creationTimestamp` values are now omitted and no longer serialize an explicit `null` in JSON, YAML, and CBOR output ([#130989](https://github.com/kubernetes/kubernetes/pull/130989), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
-- `AppArmor` profiles specified in the Pod or container `SecurityContext` were no longer copied to deprecated `AppArmor` annotations (prefix `container.apparmor.security.beta.kubernetes.io/`). Anything that inspected the deprecated annotations must be migrated to use the `SecurityContext` fields instead. ([#131989](https://github.com/kubernetes/kubernetes/pull/131989), [@tallclair](https://github.com/tallclair))
-- `MultiCIDRServiceAllocator` was locked and enabled by default, `DisableAllocatorDualWrite` was enabled by default. ([#131318](https://github.com/kubernetes/kubernetes/pull/131318), [@aojea](https://github.com/aojea)) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Network and Testing]
-
-### Feature
-
-- Added 3 new metrics for monitoring async API calls in the scheduler when the `SchedulerAsyncAPICalls` feature gate was enabled:
-    - `scheduler_async_api_call_execution_total`: tracks executed API calls by call type and result (success/error)
-    - `scheduler_async_api_call_duration_seconds`: histogram of API call execution duration by call type and result
-    - `scheduler_pending_async_api_calls`: gauge showing current number of pending API calls in the queue. ([#133120](https://github.com/kubernetes/kubernetes/pull/133120), [@utam0k](https://github.com/utam0k)) [SIG Release and Scheduling]
-- Added HPA support to pod-level resource specifications. When the pod-level resource feature was enabled, HPAs configured with `Resource` type metrics calculated the pod resources from `pod.Spec.Resources` field, if specified. ([#132430](https://github.com/kubernetes/kubernetes/pull/132430), [@laoj2](https://github.com/laoj2)) [SIG Apps, Autoscaling and Testing]
-- Added Traffic Distribution field to `kubectl describe service` output ([#131491](https://github.com/kubernetes/kubernetes/pull/131491), [@tchap](https://github.com/tchap)) [SIG CLI]
-- Added `SizeBasedListCostEstimate` feature gate that allowed apiserver to estimate sizes of objects to calculate cost of LIST requests. ([#132355](https://github.com/kubernetes/kubernetes/pull/132355), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Added `apiserver_resource_size_estimate_bytes` metric to API server. ([#132893](https://github.com/kubernetes/kubernetes/pull/132893), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd and Instrumentation]
-- Added `started_user_namespaced_pods_total` and `started_user_namespaced_pods_errors_total` for tracking the successes and failures in creating pods if a user namespace was requested. ([#132902](https://github.com/kubernetes/kubernetes/pull/132902), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
-- Added a `--show-swap` option to `kubectl top` subcommands ([#129458](https://github.com/kubernetes/kubernetes/pull/129458), [@iholder101](https://github.com/iholder101)) [SIG CLI]
-- Added a `container_swap_limit_bytes` metric to expose the swap limit assigned to containers under the `LimitedSwap` swap behavior. ([#132348](https://github.com/kubernetes/kubernetes/pull/132348), [@iholder101](https://github.com/iholder101)) [SIG Node and Testing]
-- Added a delay to node updates after kubelet startup. A random offset, based on the configured `nodeStatusReportFrequency`, helped distribute traffic and load from node status updates more evenly over time. The initial status update could occur up to 50% earlier or later than the regular schedule. ([#130919](https://github.com/kubernetes/kubernetes/pull/130919), [@mengqiy](https://github.com/mengqiy))
-- Added a flag to kubectl version to detect whether a client/server version mismatch was outside the officially supported range. ([#127365](https://github.com/kubernetes/kubernetes/pull/127365), [@omerap12](https://github.com/omerap12))
-- Added a new `PreBindPreFlight` function to the `PreBindPlugin` interface. All in-tree `PreBind` plugins have been updated to implement `PreBindPreFlight` function. ([#132391](https://github.com/kubernetes/kubernetes/pull/132391), [@sanposhiho](https://github.com/sanposhiho)) [SIG Node, Scheduling, Storage and Testing]
-- Added a warning when alpha metrics are used with emulated versions. ([#132276](https://github.com/kubernetes/kubernetes/pull/132276), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery and Architecture]
-- Added alpha metrics for compatibility versioning ([#131842](https://github.com/kubernetes/kubernetes/pull/131842), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Architecture, Instrumentation and Scheduling]
-- Added configurable flags to kube-apiserver for coordinated leader election. ([#132433](https://github.com/kubernetes/kubernetes/pull/132433), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery and Testing]
-- Added machine readable output options (JSON & YAML) to `kubectl api-resources`. ([#132604](https://github.com/kubernetes/kubernetes/pull/132604), [@dharmit](https://github.com/dharmit)) [SIG Apps, CLI and Network]
-- Added memory tracking to scheduler performance tests to help detect memory leaks and monitored memory usage patterns while running `scheduler_perf`. ([#132910](https://github.com/kubernetes/kubernetes/pull/132910), [@utam0k](https://github.com/utam0k)) [SIG Scheduling and Testing]
-- Added support for CEL expressions with escaped names in the structured authentication config. Using `[...]` to access claims or user data was recommended when names contained characters that would otherwise need escaping. CEL optionals with `?` could be used where has was not applicable — for example, `claims[?"kubernetes.io"]` or `user.extra[?"domain.io/foo"]`. ([#131574](https://github.com/kubernetes/kubernetes/pull/131574), [@enj](https://github.com/enj)) [SIG API Machinery and Auth]
-- Added support for `--cpu`, `--memory` flag to `kubectl autoscale`, started deprecating `--cpu-precent`. ([#129373](https://github.com/kubernetes/kubernetes/pull/129373), [@googs1025](https://github.com/googs1025))
-- Added support for a new kubectl output format, `kyaml`. KYAML was a strict subset of YAML and should be accepted by any YAML processor. The formatting of KYAML was halfway between JSON and YAML.  Because it was more explicit than the default YAML style, it was less error-prone. ([#132942](https://github.com/kubernetes/kubernetes/pull/132942), [@thockin](https://github.com/thockin)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Contributor Experience, Instrumentation, Network, Node, Scheduling, Storage and Testing]
-- Added the `DetectCacheInconsistency` feature gate, allowing the API server to periodically verify consistency between its `cache` and `etcd`. Detected inconsistencies reported via the `apiserver_storage_consistency_checks_total` metric and trigger purging of affected cache snapshots. ([#132884](https://github.com/kubernetes/kubernetes/pull/132884), [@serathius](https://github.com/serathius)) [SIG API Machinery, Instrumentation and Testing]
-- Added the `SizeBasedListCostEstimate` feature gate (enabled by default), which changes how APF seats are assigned to `LIST` requests. With this feature, one seat is assigned per 100KB of data loaded into memory at once during a `LIST` operation. ([#132932](https://github.com/kubernetes/kubernetes/pull/132932), [@serathius](https://github.com/serathius))
-- Added useful endpoints for kube-apiserver. ([#132581](https://github.com/kubernetes/kubernetes/pull/132581), [@itssimrank](https://github.com/itssimrank)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
-- Built Kubernetes using Go 1.24.3. ([#131934](https://github.com/kubernetes/kubernetes/pull/131934), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- Built Kubernetes using Go 1.24.4. ([#132222](https://github.com/kubernetes/kubernetes/pull/132222), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- Bumped DRA API version to `v1` in `deviceattribute` package in `k8s.io/dynamic-resource-allocation`. ([#133164](https://github.com/kubernetes/kubernetes/pull/133164), [@everpeace](https://github.com/everpeace))
-- Bumped `KubeletCgroupDriverFromCRI` to GA and add metric to track out-of-support CRI implementations. ([#133157](https://github.com/kubernetes/kubernetes/pull/133157), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
-- CRI API had auth fields in image pulling marked as `debug_redact`. ([#133135](https://github.com/kubernetes/kubernetes/pull/133135), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev))
-- Changed handling of `CustomResourceDefinitions` with unrecognized formats. Writing a schema with an unrecognized format now triggered a warning (the write was still accepted). ([#133136](https://github.com/kubernetes/kubernetes/pull/133136), [@yongruilin](https://github.com/yongruilin))
-- DRA kubelet: Fixed the kubelet to also clean up `ResourceSlices` in some additional failure scenarios (driver was removed forcibly or crashed and did not restart). ([#132058](https://github.com/kubernetes/kubernetes/pull/132058), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- DRAAdminAccess was enabled by default allowing users to create `ResourceClaims` and `ResourceClaimTemplates` in privileged mode to grant access to devices that were in use by other users for admin tasks like monitoring health or status of the device. ([#133085](https://github.com/kubernetes/kubernetes/pull/133085), [@ritazh](https://github.com/ritazh)) [SIG Auth and Node]
-- Demoted KEP-5278 feature gates `ClearingNominatedNodeNameAfterBinding` and `NominatedNodeNameForExpectation` to alpha from beta. ([#133293](https://github.com/kubernetes/kubernetes/pull/133293), [@utam0k](https://github.com/utam0k)) [SIG Scheduling and Testing]
-- Deprecated `apiserver_storage_objects` and replaced it with `apiserver_resource_objects` metric using labels consistent with other metrics. ([#132965](https://github.com/kubernetes/kubernetes/pull/132965), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd and Instrumentation]
-- Eliminated work when creating Services or understanding port purposes, especially for external resources deployed via Helm charts. ([#133018](https://github.com/kubernetes/kubernetes/pull/133018), [@rushmash91](https://github.com/rushmash91))
-- Enabled compact snapshots in the watch cache based on `etcd` compaction events. ([#132876](https://github.com/kubernetes/kubernetes/pull/132876), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Enabled completion for aliases defined in `kubectlrc`. ([#131586](https://github.com/kubernetes/kubernetes/pull/131586), [@ardaguclu](https://github.com/ardaguclu))
-- Ensured memory resizing for Guaranteed QoS pods on static Memory policy configurations was gated by `InPlacePodVerticalScalingExclusiveMemory` (defaults: `false`). ([#132473](https://github.com/kubernetes/kubernetes/pull/132473), [@pravk03](https://github.com/pravk03)) [SIG Node, Scheduling and Testing]
-- Ensured that non-scheduling related errors (e.g., network errors) did not lengthen the Pod scheduling backoff time. ([#128748](https://github.com/kubernetes/kubernetes/pull/128748), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Executed API calls dispatched during pod scheduling asynchronously if the `SchedulerAsyncAPICalls` feature gate was enabled.
-  Out-of-tree plugins used `APIDispatcher` and `APICacher` from the framework to dispatch their own calls. ([#132886](https://github.com/kubernetes/kubernetes/pull/132886), [@macsko](https://github.com/macsko)) [SIG Release, Scheduling and Testing]
-- Fixed recording the `kubelet_container_resize_requests_total` metric to include all resize-related updates. ([#133060](https://github.com/kubernetes/kubernetes/pull/133060), [@natasha41575](https://github.com/natasha41575))
-- Graduated `ListFromCacheSnapshot` to beta. ([#132901](https://github.com/kubernetes/kubernetes/pull/132901), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Graduated `PodLevelResources` feature to beta and have it on by default. This feature allowed defining CPU and memory resources for an entire pod in `pod.spec.resources`. ([#132999](https://github.com/kubernetes/kubernetes/pull/132999), [@ndixita](https://github.com/ndixita))
-- Graduated `PodObservedGenerationTracking` feature to beta and had it on by default. This feature meant that the top level `status.observedGeneration` and `status.conditions[].observedGeneration` fields in Pods were populated to reflect the `metadata.generation` of the podspec at the time that the status or condition was reported. ([#132912](https://github.com/kubernetes/kubernetes/pull/132912), [@natasha41575](https://github.com/natasha41575)) [SIG Apps, Node and Testing]
-- Graduated `ResilientWatchCacheInitialization` to GA. ([#131979](https://github.com/kubernetes/kubernetes/pull/131979), [@serathius](https://github.com/serathius))
-- Graduated `StreamingCollectionEncodingToJSON` and `StreamingCollectionEncodingToProtobuf` to GA. ([#132648](https://github.com/kubernetes/kubernetes/pull/132648), [@serathius](https://github.com/serathius))
-- Graduated configurable endpoints for anonymous authentication using the authentication configuration file to stable. ([#131654](https://github.com/kubernetes/kubernetes/pull/131654), [@vinayakankugoyal](https://github.com/vinayakankugoyal)) [SIG API Machinery and Testing]
-- Graduated relaxed DNS search string validation to GA. For the Pod API, `.spec.dnsConfig.searches`
-  now allows an underscore (`_`) where a dash (`-`) would be allowed, and it allows search strings be a single dot `.`. ([#132036](https://github.com/kubernetes/kubernetes/pull/132036), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Network and Testing]
-- Graduated scheduler `QueueingHint` support to GA (general availability) ([#131973](https://github.com/kubernetes/kubernetes/pull/131973), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Graduated the WinOverlay feature in the kube-proxy to GA. The **WinOverlay** feature gate was enabled by default. ([#133042](https://github.com/kubernetes/kubernetes/pull/133042), [@rzlink](https://github.com/rzlink)) [SIG Network and Windows]
-- Graduated the `ConsistentListFromCache` to GA. ([#132645](https://github.com/kubernetes/kubernetes/pull/132645), [@serathius](https://github.com/serathius))
-- Graduated the `WatchList` feature gate to beta for kube-apiserver and enabled `WatchListClient` for KCM. ([#132704](https://github.com/kubernetes/kubernetes/pull/132704), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- Graduated the `WinDSR` feature in the kube-proxy to GA. The `WinDSR` feature gate was enabled by default. ([#132108](https://github.com/kubernetes/kubernetes/pull/132108), [@rzlink](https://github.com/rzlink)) [SIG Network and Windows]
-- If `PreBindPreFlight` returned `Skip`, the scheduler didn't run the plugin at `PreBind`.
-  If any `PreBindPreFlight` returned `Success`, the scheduler put NominatedNodeName to the pod 
-  so that other components (such as the cluster autoscaler) could notice the pod was going to be bound to the node. ([#133021](https://github.com/kubernetes/kubernetes/pull/133021), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Implemented prioritization of resize requests based on `priorityClass` and QoS class when node resources are insufficient to accommodate all pending resize operations. ([#132342](https://github.com/kubernetes/kubernetes/pull/132342), [@natasha41575](https://github.com/natasha41575)) [SIG Node and Testing]
-- Included the namespace in the output of `kubectl delete` for better identification of resources. ([#126619](https://github.com/kubernetes/kubernetes/pull/126619), [@totegamma](https://github.com/totegamma))
-- Increased APF max seats to 100 for LIST requests. ([#133034](https://github.com/kubernetes/kubernetes/pull/133034), [@serathius](https://github.com/serathius))
-- Introduced a method `GetPCIeRootAttributeByPCIBusID(pciBusID)` for third-party DRA drivers to provide common logic for the standardized device attribute `resource.kubernetes.io/pcieRoot`. ([#132296](https://github.com/kubernetes/kubernetes/pull/132296), [@everpeace](https://github.com/everpeace))
-- Kube-apiserver reported the last configuration hash as a label in
-  
-  - `apiserver_authentication_config_controller_last_config_info` metric after successfully loading the authentication configuration file.
-  - `apiserver_authorization_config_controller_last_config_info` metric after successfully loading the authorization configuration file.
-  - `apiserver_encryption_config_controller_last_config_info` metric after successfully loading the encryption configuration file. ([#132299](https://github.com/kubernetes/kubernetes/pull/132299), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-apiserver: Each unique set of etcd server overrides specified with `--etcd-servers-overrides` surfaced health checks named `etcd-override-<index>` and `etcd-override-readiness-<index>`. These checks were still excluded by the `?exclude=etcd` and `?exclude=etcd-readiness` directives. ([#129438](https://github.com/kubernetes/kubernetes/pull/129438), [@pacoxu](https://github.com/pacoxu)) [SIG API Machinery and Testing]
-- Kube-apiserver: Previously persisted `CustomResourceDefinition` objects with an invalid whitespace-only `caBundle` could serve requests that did not require conversion. ([#132514](https://github.com/kubernetes/kubernetes/pull/132514), [@tiffanny29631](https://github.com/tiffanny29631))
-- Kube-apiserver: Promoted the `ExternalServiceAccountTokenSigner` feature to beta, which enabled external signing of service account tokens and fetching of public verifying keys. This was accomplished by enabling the beta `ExternalServiceAccountTokenSigner` feature gate and specifying the `--service-account-signing-endpoint` flag. The flag value could either be the path to a Unix domain socket on the filesystem, or be prefixed with @ to indicate a Unix domain socket in the abstract namespace. ([#131300](https://github.com/kubernetes/kubernetes/pull/131300), [@HarshalNeelkamal](https://github.com/HarshalNeelkamal)) [SIG API Machinery, Auth and Testing]
-- Kube-proxy: Checked whether IPv6 was available on Linux before using it. ([#131265](https://github.com/kubernetes/kubernetes/pull/131265), [@rikatz](https://github.com/rikatz))
-- Kubeadm: Added support for ECDSA-P384 as an encryption algorithm type in v1beta4. ([#131677](https://github.com/kubernetes/kubernetes/pull/131677), [@lalitc375](https://github.com/lalitc375))
-- Kubeadm: Fixed an issue where etcd member promotion failed with an error indicating the member was already promoted. ([#130782](https://github.com/kubernetes/kubernetes/pull/130782), [@BernardMC](https://github.com/BernardMC))
-- Kubeadm: graduated the `NodeLocalCRISocket` feature gate to beta and enabed it by default. When its enabled, kubeadm will:
-    1. Generate a `/var/lib/kubelet/instance-config.yaml` file to customize the `containerRuntimeEndpoint` field in per-node kubelet configurations.
-    2. Remove the `kubeadm.alpha.kubernetes.io/cri-socket` annotation from nodes during upgrade operations.
-    3. Remove the `--container-runtime-endpoint` flag from the `/var/lib/kubelet/kubeadm-flags.env` file during upgrades. ([#131981](https://github.com/kubernetes/kubernetes/pull/131981), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Cluster Lifecycle]
-- Kubeadm: graduated the kubeadm specific feature gate `WaitForAllControlPlaneComponents` to GA. The feature gate is was locked to always be enabled and on node initialization kubeadm performed a health check for all control plane components and not only the `kube-apiserver`. ([#132594](https://github.com/kubernetes/kubernetes/pull/132594), [@neolit123](https://github.com/neolit123))
-- Kubeadm: switched the validation check for Linux kernel version to throw warnings instead of errors. ([#131919](https://github.com/kubernetes/kubernetes/pull/131919), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle and Node]
-- Kubelet detected terminal CSI volume mount failures due to exceeded attachment limits on the node and marked the Stateful Pod as Failed, allowing its controller to recreate it. This prevented Pods from getting stuck indefinitely in the `ContainerCreating` state. ([#132933](https://github.com/kubernetes/kubernetes/pull/132933), [@torredil](https://github.com/torredil)) [SIG Apps, Node, Storage and Testing]
-- Kubelet reported a hash of the credential provider configuration via the `kubelet_credential_provider_config_info` metric. The hash was exposed in the `hash` label. ([#133016](https://github.com/kubernetes/kubernetes/pull/133016), [@aramase](https://github.com/aramase)) [SIG API Machinery and Auth]
-- Kubelet: Extended the `--image-credential-provider-config` flag to accept a directory path in addition to a single file. When a directory was specified, all .json, .yaml, and .yml files in that directory were loaded and merged in lexicographical order. ([#131658](https://github.com/kubernetes/kubernetes/pull/131658), [@dims](https://github.com/dims)) [SIG Auth and Node]
-- LeaseLocks could now have custom labels that different holders would overwrite when they became the holder of the underlying lease. ([#131632](https://github.com/kubernetes/kubernetes/pull/131632), [@DerekFrank](https://github.com/DerekFrank))
-- Memory limits could be decreased with a `NotRequired` resize restart policy. When decreasing memory limits,a best-effort check was performed to prevent limits from decreasing below usage and triggering an OOM-kill. ([#133012](https://github.com/kubernetes/kubernetes/pull/133012), [@tallclair](https://github.com/tallclair)) [SIG Apps, Node and Testing]
-- Migrated validation in `CertificateSigningRequest` to use declarative validation. When the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics. If `DeclarativeValidationTakeover` is enabled, declarative validation becomes the primary source of errors for migrated fields. ([#132361](https://github.com/kubernetes/kubernetes/pull/132361), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery and Auth]
-- Moved Recover from volume expansion failure to GA. ([#132662](https://github.com/kubernetes/kubernetes/pull/132662), [@gnufied](https://github.com/gnufied)) [SIG Apps, Auth, Node, Storage and Testing]
-- Prevented any type of CPU/Memory alignment or hint generation with the Topology Manager from the CPU or Memory Manager when pod-level resources were used in the Pod spec. ([#133279](https://github.com/kubernetes/kubernetes/pull/133279), [@ffromani](https://github.com/ffromani)) [SIG Node and Testing]
-- Promoted Linux node pressure stall information (PSI) metrics to beta. ([#132822](https://github.com/kubernetes/kubernetes/pull/132822), [@roycaihw](https://github.com/roycaihw)) [SIG Node]
-- Promoted Windows graceful shutdown feature from alpha to beta. ([#133062](https://github.com/kubernetes/kubernetes/pull/133062), [@zylxjtu](https://github.com/zylxjtu))
-- Promoted the Ordered Namespace Deletion test to Conformance. ([#132219](https://github.com/kubernetes/kubernetes/pull/132219), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture and Testing]
-- Promoted the `KubeletPodResourcesDynamicResources` and `KubeletPodResourcesGet` feature gates to beta, which were enabled by default if DRA went to GA. ([#132940](https://github.com/kubernetes/kubernetes/pull/132940), [@guptaNswati](https://github.com/guptaNswati))
-- Promoted the feature `OrderedNamespaceDeletion` to GA. ([#131514](https://github.com/kubernetes/kubernetes/pull/131514), [@cici37](https://github.com/cici37)) [SIG API Machinery and Testing]
-- Removed "endpoint-controller" and "workload-leader-election" FlowSchemas from the default APF configuration.
-  
-  migrate the lock type used in the leader election in your workloads from configmapsleases/endpointsleases to leases. ([#131215](https://github.com/kubernetes/kubernetes/pull/131215), [@tosi3k](https://github.com/tosi3k)) [SIG API Machinery, Apps, Network, Scalability and Scheduling]
-- Started recording metrics for in-place Pod resize. ([#132903](https://github.com/kubernetes/kubernetes/pull/132903), [@natasha41575](https://github.com/natasha41575))
-- The Kubernetes API server merged selectors built from `matchLabelKeys` into the `labelSelector` of `topologySpreadConstraints`, aligning Pod Topology Spread behavior with Inter-Pod Affinity. To prevent breaking existing Pods using `matchLabelKeys`, this scheduler behavior was preserved until v1.34. Upgrades from v1.32 to v1.34 should be done incrementally (v1.32 → v1.33 → v1.34), ensuring Pods created at v1.32 with `matchLabelKeys` are scheduled before reaching v1.34. Controllers relying on `matchLabelKeys` no longer need to handle them directly and can use `labelSelector` instead. The new feature gate `MatchLabelKeysInPodTopologySpreadSelectorMerge`, enabled by default, controls this behavior. ([#129874](https://github.com/kubernetes/kubernetes/pull/129874), [@mochizuki875](https://github.com/mochizuki875)) [SIG Apps, Node, Scheduling and Testing]
-- The PreferSameTrafficDistribution feature gate is now enabled by default,
-  enabling the `PreferSameNode` traffic distribution value for Services. ([#132127](https://github.com/kubernetes/kubernetes/pull/132127), [@danwinship](https://github.com/danwinship)) [SIG Apps and Network]
-- The new `dra_resource_claims_in_use` kubelet metrics reported active `ResourceClaims`, overall and by driver. ([#131641](https://github.com/kubernetes/kubernetes/pull/131641), [@pohly](https://github.com/pohly)) [SIG Architecture, Instrumentation, Node and Testing]
-- The scheduler no longer cleared the `nominatedNodeName` field for Pods. External components, such as Cluster Autoscaler and Karpenter, were responsible for managing this field when needed. ([#133276](https://github.com/kubernetes/kubernetes/pull/133276), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
-- The validation in the CertificateSigningRequest `/status` and `/approval` subresources was migrated to declarative validation.
-  If the `DeclarativeValidation` feature gate was enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate was enabled, declarative validation was the primary source of errors for migrated fields. ([#133068](https://github.com/kubernetes/kubernetes/pull/133068), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery and Auth]
-- Updated `kube-controller-manager` events to support contextual logging. ([#128351](https://github.com/kubernetes/kubernetes/pull/128351), [@mengjiao-liu](https://github.com/mengjiao-liu))
-- Updated pause version to `registry.k8s.io/pause:3.10.1`. ([#130713](https://github.com/kubernetes/kubernetes/pull/130713), [@ArkaSaha30](https://github.com/ArkaSaha30)) [SIG Cluster Lifecycle, Node, Scheduling and Testing]
-- Updated the Kubernetes build environment to use Go `1.24.5`. ([#132896](https://github.com/kubernetes/kubernetes/pull/132896), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- Updated the built in `system:monitoring` role with permission to access kubelet metrics endpoints. ([#132178](https://github.com/kubernetes/kubernetes/pull/132178), [@gavinkflam](https://github.com/gavinkflam)) [SIG Auth]
-- When `RelaxedServiceNameValidation` feature gate is enabled, the 
-  names of new Services names are validation with `NameIsDNSLabel()`,
-  relaxing the  pre-existing validation. ([#132339](https://github.com/kubernetes/kubernetes/pull/132339), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Apps, Network and Testing]
-- When proxying to an aggregated API server, kube-apiserver used the
-  `EndpointSlices` of the `service` indicated by the `APIServer`, rather than
-  using Endpoints.
-  
-  If you were using the aggregated API server feature, and you were writing out
-  the endpoints for it by hand (rather than letting kube-controller-manager
-  generate `Endpoints` and `EndpointSlices` for it automatically based on the
-  Service definition), then you should write out an EndpointSlice object rather
-  than (or in addition to) an `Endpoints` object. ([#129837](https://github.com/kubernetes/kubernetes/pull/129837), [@danwinship](https://github.com/danwinship)) [SIG API Machinery, Network and Testing]
-- Whenever a pod was successfully bound to a node, the kube-apiserver  cleared the pod's `nominatedNodeName` field. This prevented stale information from affecting external scheduling components. ([#132443](https://github.com/kubernetes/kubernetes/pull/132443), [@utam0k](https://github.com/utam0k)) [SIG Apps, Node, Scheduling and Testing]
-- `DRAPrioritizedList` was turned on by default which made it possible to provide a prioritized list of subrequests in a `ResourceClaim`. ([#132767](https://github.com/kubernetes/kubernetes/pull/132767), [@mortent](https://github.com/mortent)) [SIG Node, Scheduling and Testing]
-- `PodLifecycleSleepAction` was graduated to GA. ([#132595](https://github.com/kubernetes/kubernetes/pull/132595), [@AxeZhan](https://github.com/AxeZhan)) [SIG Apps, Node and Testing]
-- `kube-controller-manager` reported the following metrics for `ResourceClaims` with admin access:
-  - `resourceclaim_controller_creates_total` count metric with labels `admin_access` (true or false), `status` (failure or success) to track the total number of `ResourceClaims` creation requests
-  - `resourceclaim_controller_resource_claims` gauge metric with labels `admin_access` (true or false), `allocated` (true or false) to track the current number of `ResourceClaims`. ([#132800](https://github.com/kubernetes/kubernetes/pull/132800), [@ritazh](https://github.com/ritazh)) [SIG Apps, Auth, Instrumentation and Node]
-- `kubeadm`: Started using a named port `probe-port` for all probes in the static pod manifests generated by `kubeadm` for the `kube-apiserver`, `kube-controller-manager`, `kube-scheduler`, and related components. If probe port values were previously patched using `kubeadm` patches, the corresponding named port under the container’s `ports` field must now also be patched. ([#132776](https://github.com/kubernetes/kubernetes/pull/132776), [@neolit123](https://github.com/neolit123))
-
-### Failing Test
-
-- DRA driver helper: Fixed handling of apiserver restart when running on a Kubernetes version which did not support the `resource.k8s.io` version used by the DRA driver. ([#133076](https://github.com/kubernetes/kubernetes/pull/133076), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- Fixed e2e test "[Driver: csi-hostpath] [Testpattern: Dynamic PV (filesystem volmode)] volumeLimits should support volume limits" not to leak Pods and namespaces. ([#132674](https://github.com/kubernetes/kubernetes/pull/132674), [@jsafrane](https://github.com/jsafrane)) [SIG Storage and Testing]
-- Kube-apiserver: The --service-account-signing-endpoint flag now only validates the format of abstract socket names ([#131509](https://github.com/kubernetes/kubernetes/pull/131509), [@liggitt](https://github.com/liggitt)) [SIG API Machinery and Auth]
-
-### Bug or Regression
-
-- Added `podSpec` validation for creating `StatefulSet`. ([#131790](https://github.com/kubernetes/kubernetes/pull/131790), [@chengjoey](https://github.com/chengjoey)) [SIG Apps, Etcd and Testing]
-- Checked for newer resize fields when deciding the recovery feature status in the kubelet. ([#131418](https://github.com/kubernetes/kubernetes/pull/131418), [@gnufied](https://github.com/gnufied))
-- Clarified help message of `--ignore-not-found` flag. Supported `--ignore-not-found` in `watch` operation. ([#132542](https://github.com/kubernetes/kubernetes/pull/132542), [@gemmahou](https://github.com/gemmahou))
-- DRA drivers: the resource slice controller sometimes didn't react properly when kubelet or someone else deleted a recently created ResourceSlice. It incorrectly assumed that the ResourceSlice still exists and didn't recreate it. ([#132683](https://github.com/kubernetes/kubernetes/pull/132683), [@pohly](https://github.com/pohly)) [SIG Apps, Node and Testing]
-- DRA: Ensured that ResourceClaims requesting a fixed number of devices with `adminAccess` were no longer allocated the same device multiple times. ([#131299](https://github.com/kubernetes/kubernetes/pull/131299), [@nojnhuh](https://github.com/nojnhuh))
-- Disabled reading of disk geometry before calling expansion for ext and xfs filesystems. ([#131568](https://github.com/kubernetes/kubernetes/pull/131568), [@gnufied](https://github.com/gnufied))
-- Ensured objects are transformed prior to storage in `SharedInformers` if a transformer is provided and `WatchList` is activated. ([#131799](https://github.com/kubernetes/kubernetes/pull/131799), [@valerian-roche](https://github.com/valerian-roche))
-- Fixed API response for `StorageClassList` queries to return a graceful error message, if the provided `ResourceVersion` is too large. ([#132374](https://github.com/kubernetes/kubernetes/pull/132374), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Etcd]
-- Fixed ReplicationController reconciliation when the `DeploymentReplicaSetTerminatingReplicas` feature gate was enabled. ([#131822](https://github.com/kubernetes/kubernetes/pull/131822), [@atiratree](https://github.com/atiratree))
-- Fixed a bug in CEL's common.UnstructuredToVal where `==` evaluates to false for identical objects when a field is present but the value is null.  This bug does not impact the Kubernetes API. ([#131559](https://github.com/kubernetes/kubernetes/pull/131559), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery]
-- Fixed a bug in the Job controller that could result in creating unnecessary Pods for Jobs already marked as finished (either successful or failed). ([#130333](https://github.com/kubernetes/kubernetes/pull/130333), [@kmala](https://github.com/kmala)) [SIG Apps and Testing]
-- Fixed a bug that caused an unexpected delay in creating Pods for newly created Jobs. ([#132109](https://github.com/kubernetes/kubernetes/pull/132109), [@linxiulei](https://github.com/linxiulei)) [SIG Apps and Testing]
-- Fixed a bug that caused duplicate validation when updating a ReplicaSet. ([#131873](https://github.com/kubernetes/kubernetes/pull/131873), [@gavinkflam](https://github.com/gavinkflam)) [SIG Apps]
-- Fixed a bug that fails to create a replica set when a deployment name is too long. ([#132560](https://github.com/kubernetes/kubernetes/pull/132560), [@hdp617](https://github.com/hdp617)) [SIG API Machinery and Apps]
-- Fixed a bug that the async preemption feature keeps preemptor pods unnecessarily in the queue. ([#133167](https://github.com/kubernetes/kubernetes/pull/133167), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling]
-- Fixed a panic issue related to kubectl revision history kubernetes/kubectl#1724 ([#130503](https://github.com/kubernetes/kubernetes/pull/130503), [@tahacodes](https://github.com/tahacodes)) [SIG CLI]
-- Fixed a possible deadlock in the watch client that could happen if the watch was not stopped. ([#131266](https://github.com/kubernetes/kubernetes/pull/131266), [@karlkfi](https://github.com/karlkfi)) [SIG API Machinery]
-- Fixed a regression introduced in 1.33 where some paginated LIST calls fell back to `etcd` instead of being served from cache. ([#132244](https://github.com/kubernetes/kubernetes/pull/132244), [@hakuna-matatah](https://github.com/hakuna-matatah))
-- Fixed an incorrect reference to `JoinConfigurationKind` in the error message when no ResetConfiguration is found during `kubeadm reset` with the `--config` flag. ([#132258](https://github.com/kubernetes/kubernetes/pull/132258), [@J3m3](https://github.com/J3m3)) [SIG Cluster Lifecycle]
-- Fixed an issue that allowed Custom Resources to be created using Server-Side Apply even when their `CustomResourceDefinition` was terminating. ([#132467](https://github.com/kubernetes/kubernetes/pull/132467), [@sdowell](https://github.com/sdowell))
-- Fixed an issue where Windows kube-proxy’s `ModifyLoadBalancer` API updates did not match the HNS state in version 15.4. Support for `ModifyLoadBalancer` policy began with Kubernetes 1.31+. ([#131506](https://github.com/kubernetes/kubernetes/pull/131506), [@princepereira](https://github.com/princepereira))
-- Fixed an issue where `insufficientResources` was logged as a pointer during pod preemption, making logs more readable. ([#132183](https://github.com/kubernetes/kubernetes/pull/132183), [@chrisy-x](https://github.com/chrisy-x)) [SIG Node]
-- Fixed an issue where the kubelet token cache returned stale tokens when service accounts were recreated with the same name. The cache is now UID-aware. Additionally, the new `TokenRequestServiceAccountUIDValidation` feature gate (Beta, enabled by default) ensures the `TokenRequest` UID matches the service account UID when set. ([#132803](https://github.com/kubernetes/kubernetes/pull/132803), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth, Node and Testing]
-- Fixed bug that prevented the alpha feature `PodTopologyLabelAdmission` from working due to checking for the incorrect label key when copying topology labels. This bug delayed the graduation of the feature to beta by an additional release to allow time for meaningful feedback. ([#132462](https://github.com/kubernetes/kubernetes/pull/132462), [@munnerz](https://github.com/munnerz))
-- Fixed incorrect behavior for AllocationMode: All in ResourceClaim when used in subrequests. ([#131660](https://github.com/kubernetes/kubernetes/pull/131660), [@mortent](https://github.com/mortent)) [SIG Node]
-- Fixed misleading response codes in admission control metrics. ([#132165](https://github.com/kubernetes/kubernetes/pull/132165), [@gavinkflam](https://github.com/gavinkflam)) [SIG API Machinery, Architecture and Instrumentation]
-- Fixed runtime cost estimation for `x-int-or-string` custom resource schemas with maximum lengths. ([#132837](https://github.com/kubernetes/kubernetes/pull/132837), [@JoelSpeed](https://github.com/JoelSpeed))
-- Fixed the `allocatedResourceStatuses` field name mismatch in PVC status validation. ([#131213](https://github.com/kubernetes/kubernetes/pull/131213), [@carlory](https://github.com/carlory))
-- Fixed the `observedGeneration` field in pod resize conditions to accurately reflect the associated pod generation when both `InPlacePodVerticalScaling` and `PodObservedGenerationTracking` feature gates are enabled. ([#131157](https://github.com/kubernetes/kubernetes/pull/131157), [@natasha41575](https://github.com/natasha41575))
-- Fixed the bug when swap related metrics were not available in `/metrics/resource` endpoint. ([#132065](https://github.com/kubernetes/kubernetes/pull/132065), [@yuanwang04](https://github.com/yuanwang04)) [SIG Node and Testing]
-- Fixed the problem of validation error when specifying resource requirements at the container level for a resource not supported at the pod level. It implicitly interpreted the pod-level value as 0. ([#132551](https://github.com/kubernetes/kubernetes/pull/132551), [@chao-liang](https://github.com/chao-liang)) [SIG Apps]
-- Fixed validation for Job with `suspend=true`, and `completions=0` to set the Complete condition. ([#132614](https://github.com/kubernetes/kubernetes/pull/132614), [@mimowo](https://github.com/mimowo)) [SIG Apps and Testing]
-- HPA status displayed memory metrics using Ki. ([#132351](https://github.com/kubernetes/kubernetes/pull/132351), [@googs1025](https://github.com/googs1025)) [SIG Apps and Autoscaling]
-- Improved the error message shown when a Pod using user namespaces was created on a runtime that did not support user namespaces. ([#131623](https://github.com/kubernetes/kubernetes/pull/131623), [@rata](https://github.com/rata))
-- Kube-apiserver: Defaulted empty `spec.jobTemplate.spec.podFailurePolicy.rules[*].onPodConditions[*].status` fields for CronJob objects as documented, avoiding validation failures during write requests. ([#131525](https://github.com/kubernetes/kubernetes/pull/131525), [@carlory](https://github.com/carlory))
-- Kube-apiserver: Fixed OIDC discovery document publishing when external service account token signing was enabled. ([#131493](https://github.com/kubernetes/kubernetes/pull/131493), [@hoskeri](https://github.com/hoskeri)) [SIG API Machinery, Auth and Testing]
-- Kube-proxy: Removed the iptables CLI wait interval flag. ([#131961](https://github.com/kubernetes/kubernetes/pull/131961), [@cyclinder](https://github.com/cyclinder))
-- Kube-scheduler: in Kubernetes 1.33, the number of devices that can be allocated per ResourceClaim was accidentally reduced to 16. Now the supported number of devices per ResourceClaim is 32 again. ([#131662](https://github.com/kubernetes/kubernetes/pull/131662), [@mortent](https://github.com/mortent)) [SIG Node]
-- Kubeadm: Fixed a bug where the default args for etcd were not correct when a local etcd image was used and the etcd version was less than 3.6.0. ([#133023](https://github.com/kubernetes/kubernetes/pull/133023), [@carlory](https://github.com/carlory))
-- Kubelet: Closed a loophole that allowed static Pods to reference arbitrary ResourceClaims. Even though these Pods failed to run due to a sanity check, such references are now explicitly disallowed. ([#131844](https://github.com/kubernetes/kubernetes/pull/131844), [@pohly](https://github.com/pohly)) [SIG Apps, Auth and Node]
-- Kubelet: Fixed a bug that caused an unexpected `NodeResizeError` condition to appear in the PVC status when the CSI driver did not support node volume expansion and the PVC had the `ReadWriteMany` access mode. ([#131495](https://github.com/kubernetes/kubernetes/pull/131495), [@carlory](https://github.com/carlory))
-- Modified the node-local `podresources` API endpoint to consider only active pods. Since this changes long-standing behavior, the `KubeletPodResourcesListUseActivePods` feature gate (enabled by default) can be disabled to restore the previous behavior. Users encountering regressions are encouraged to file an issue if they rely on the old behavior. ([#132028](https://github.com/kubernetes/kubernetes/pull/132028), [@ffromani](https://github.com/ffromani)) [SIG Node and Testing]
-- Pods were not allowed to mix the usage of `user-namespaces` (`hostUsers: false`) and `volumeDevices`. Kubernetes returned an error in this case. ([#132868](https://github.com/kubernetes/kubernetes/pull/132868), [@rata](https://github.com/rata))
-- Reduced the 5s delay before tainting `node.kubernetes.io/unreachable:NoExecute` when a Node became unreachable. ([#120816](https://github.com/kubernetes/kubernetes/pull/120816), [@tnqn](https://github.com/tnqn)) [SIG Apps and Node]
-- Removed defunct `make vet` target, please use `make lint` instead ([#132509](https://github.com/kubernetes/kubernetes/pull/132509), [@yongruilin](https://github.com/yongruilin)) [SIG Testing]
-- Removed the deprecated flag `--wait-interval` for the `ip6tables-legacy-restore` binary. ([#132352](https://github.com/kubernetes/kubernetes/pull/132352), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- ReplicaSets and Deployments should always count `.status.availableReplicas` at the correct time without a delay. This results in faster reconciliation of Deployment conditions and faster, unblocked Deployment rollouts. ([#132121](https://github.com/kubernetes/kubernetes/pull/132121), [@atiratree](https://github.com/atiratree)) [SIG Apps]
-- Resolved a bug where DaemonSet updates unnecessarily triggered duplicate validation due to overlapping calls to `ValidateDaemonSet` and ValidateDaemonSetUpdate. This redundancy has been removed to prevent repeated validation runs. ([#132548](https://github.com/kubernetes/kubernetes/pull/132548), [@gavinkflam](https://github.com/gavinkflam))
-- Skipped pod backoff entirely when the `PodMaxBackoffDuration` kube-scheduler option was set to zero and the `SchedulerPopFromBackoffQ` feature gate was enabled. ([#131965](https://github.com/kubernetes/kubernetes/pull/131965), [@macsko](https://github.com/macsko))
-- Stopped expanding PVCs annotated with node-expand-not-required. ([#131907](https://github.com/kubernetes/kubernetes/pull/131907), [@gnufied](https://github.com/gnufied)) [SIG API Machinery, Etcd, Node, Storage and Testing]
-- Stopped expanding the volume on the node if controller-side expansion was already completed. ([#131868](https://github.com/kubernetes/kubernetes/pull/131868), [@gnufied](https://github.com/gnufied))
-- Stopped logging error events when waiting for expansion on the kubelet. ([#131408](https://github.com/kubernetes/kubernetes/pull/131408), [@gnufied](https://github.com/gnufied))
-- Stopped removing the CSI JSON file if the volume was already mounted during subsequent errors. ([#131311](https://github.com/kubernetes/kubernetes/pull/131311), [@gnufied](https://github.com/gnufied))
-- The `baseline` and `restricted` pod security admission levels blocked setting the `host` field on probe and lifecycle handlers. ([#125271](https://github.com/kubernetes/kubernetes/pull/125271), [@tssurya](https://github.com/tssurya)) [SIG Auth, Node and Testing]
-- The garbage collection controller no longer raced with changes to `ownerReferences` when deleting orphaned objects. ([#132632](https://github.com/kubernetes/kubernetes/pull/132632), [@sdowell](https://github.com/sdowell)) [SIG API Machinery and Apps]
-- The shorthand for --output flag in kubectl explain was accidentally deleted, but has been added back. ([#131962](https://github.com/kubernetes/kubernetes/pull/131962), [@superbrothers](https://github.com/superbrothers)) [SIG CLI]
-- Updated Windows `kube-proxy` to align with Linux behavior by correctly honoring the port specified in `EndpointSlice` for internal traffic routing. ([#132647](https://github.com/kubernetes/kubernetes/pull/132647), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows]
-- Updated `kube-proxy` with `nftables` to reject or drop traffic to services with no endpoints from filter chains at priority 0 (`NF_IP_PRI_FILTER`). ([#132456](https://github.com/kubernetes/kubernetes/pull/132456), [@aroradaman](https://github.com/aroradaman))
-- Updated `kubectl get job` to display the `SuccessCriteriaMet` status for listed jobs. ([#132832](https://github.com/kubernetes/kubernetes/pull/132832), [@Goend](https://github.com/Goend)) [SIG Apps and CLI]
-- Updated the HPA controller so that it no longer emitted a `FailedRescale` event if a scale operation initially failed due to a conflict but succeeded after a retry; it now emitted a `SuccessfulRescale` event in this case. A `FailedRescale` event was still emitted if all retries were exhausted. ([#132007](https://github.com/kubernetes/kubernetes/pull/132007), [@AumPatel1](https://github.com/AumPatel1)) [SIG Apps and Autoscaling]
-- `Statefulset` respected `minReadySeconds`. ([#130909](https://github.com/kubernetes/kubernetes/pull/130909), [@Edwinhr716](https://github.com/Edwinhr716))
-- `kubectl create|delete|get|replace --raw` commands now honored the server root paths specified in the kubeconfig file. ([#131165](https://github.com/kubernetes/kubernetes/pull/131165), [@liggitt](https://github.com/liggitt))
-
-### Other (Cleanup or Flake)
-
-- Added a warning to `kubectl attach`, notifying / reminding users that commands and output are available via the `log` subresource of that Pod. ([#127183](https://github.com/kubernetes/kubernetes/pull/127183), [@mochizuki875](https://github.com/mochizuki875)) [SIG Auth, CLI, Node and Security]
-- Added support for encoding and decoding types that implement the standard library interfaces `json.Marshaler`, `json.Unmarshaler`, `encoding.TextMarshaler`, or `encoding.TextUnmarshaler` to and from CBOR by transcoding. ([#132935](https://github.com/kubernetes/kubernetes/pull/132935), [@benluddy](https://github.com/benluddy))
-- Bumped kube-dns to v1.26.4. ([#132012](https://github.com/kubernetes/kubernetes/pull/132012), [@pacoxu](https://github.com/pacoxu))
-- Bumped the cel-go dependency to v0.25.0. The changeset is available at: https://github.com/google/cel-go/compare/v0.23.2...v0.25.0. ([#131444](https://github.com/kubernetes/kubernetes/pull/131444), [@erdii](https://github.com/erdii)) [SIG API Machinery, Auth, Cloud Provider and Node]
-- By default, binaries like kube-apiserver were built with the `grpcnotrace` tag enabled. Used the `DBG` flag to enable Golang tracing if needed. ([#132210](https://github.com/kubernetes/kubernetes/pull/132210), [@dims](https://github.com/dims))
-- Changed Job controller to use the controller UID index for Pod lookups to improve performance. ([#132305](https://github.com/kubernetes/kubernetes/pull/132305), [@xigang](https://github.com/xigang))
-- Changed apiserver to treat failures decoding a mutating webhook patch as failures to call the webhook so they trigger the webhook failurePolicy and count against metrics like `webhook_fail_open_count` ([#131627](https://github.com/kubernetes/kubernetes/pull/131627), [@dims](https://github.com/dims)) [SIG API Machinery]
-- Crane digest gcr.io/k8s-staging-e2e-test-images/agnhost:2.56 ([#132117](https://github.com/kubernetes/kubernetes/pull/132117), [@yashsingh74](https://github.com/yashsingh74)) [SIG Network and Testing]
-- DRA kubelet- Updated logging to use `driverName` instead of `pluginName`, aligning with the rest of the Kubernetes components. ([#132096](https://github.com/kubernetes/kubernetes/pull/132096), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- DRA kubelet: Simplified recovery from mistakes like scheduling a Pod onto a node where the required driver was not running, as the kubelet no longer unnecessarily blocked Pod deletion. ([#131968](https://github.com/kubernetes/kubernetes/pull/131968), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- Fixed some missing white spaces in the flag descriptions and logs. ([#131562](https://github.com/kubernetes/kubernetes/pull/131562), [@logica0419](https://github.com/logica0419)) [SIG Network]
-- Hack/update-codegen.sh now automatically ensured goimports and protoc. ([#131459](https://github.com/kubernetes/kubernetes/pull/131459), [@BenTheElder](https://github.com/BenTheElder))
-- Increased test coverage for kubelet package to 92.3%. ([#132484](https://github.com/kubernetes/kubernetes/pull/132484), [@ylink-lfs](https://github.com/ylink-lfs))
-- Kube-apiserver: removed the deprecated `apiserver_encryption_config_controller_automatic_reload_success_total` and `apiserver_encryption_config_controller_automatic_reload_failure_total` metrics in favor of `apiserver_encryption_config_controller_automatic_reloads_total`. ([#132238](https://github.com/kubernetes/kubernetes/pull/132238), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-scheduler: removed the deprecated scheduler_scheduler_cache_size metric  in favor of scheduler_cache_size ([#131425](https://github.com/kubernetes/kubernetes/pull/131425), [@carlory](https://github.com/carlory)) [SIG Scheduling]
-- Kubeadm: fixed missing space when printing the warning about pause image mismatch. ([#131563](https://github.com/kubernetes/kubernetes/pull/131563), [@logica0419](https://github.com/logica0419)) [SIG Cluster Lifecycle]
-- Kubeadm: made the coredns deployment manifest use named ports consistently for the liveness and readiness probes. ([#131587](https://github.com/kubernetes/kubernetes/pull/131587), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
-- Kubectl interactive delete: treat empty newline input as N ([#132251](https://github.com/kubernetes/kubernetes/pull/132251), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
-- Masked access to Linux thermal interrupt information exposed via `/proc` and `/sys`. ([#131018](https://github.com/kubernetes/kubernetes/pull/131018), [@saschagrunert](https://github.com/saschagrunert))
-- Migrated Memory Manager to contextual logging. ([#130727](https://github.com/kubernetes/kubernetes/pull/130727), [@swatisehgal](https://github.com/swatisehgal))
-- Migrated `pkg/kubelet/status` to use contextual logging. ([#130852](https://github.com/kubernetes/kubernetes/pull/130852), [@Chulong-Li](https://github.com/Chulong-Li))
-- Migrated `pkg/kubelet/volumemanager` to contextual logging. ([#131306](https://github.com/kubernetes/kubernetes/pull/131306), [@Chulong-Li](https://github.com/Chulong-Li))
-- Migrated `pkg/kubelet/winstats` to contextual logging. ([#131001](https://github.com/kubernetes/kubernetes/pull/131001), [@Chulong-Li](https://github.com/Chulong-Li))
-- NONW ([#132890](https://github.com/kubernetes/kubernetes/pull/132890), [@atiratree](https://github.com/atiratree)) [SIG Apps]
-- Promoted the `SeparateTaintEvictionController` feature gate to GA; it is now enabled unconditionally. ([#122634](https://github.com/kubernetes/kubernetes/pull/122634), [@carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Node and Testing]
-- Promoted the `apiserver_authentication_config_controller_automatic_reloads_total` and `apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds` metrics to BETA. ([#131798](https://github.com/kubernetes/kubernetes/pull/131798), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Instrumentation]
-- Promoted the `apiserver_authorization_config_controller_automatic_reloads_total` and `apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds` metrics to BETA. ([#131768](https://github.com/kubernetes/kubernetes/pull/131768), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Instrumentation]
-- Promoted two `EndpointSlice` tests to conformance to ensure that service proxy implementations rely on `EndpointSlices` instead of `Endpoints`. ([#132019](https://github.com/kubernetes/kubernetes/pull/132019), [@danwinship](https://github.com/danwinship)) [SIG Architecture, Network and Testing]
-- Reduced excessive logging in the Volume Binding scheduler plugin by lowering the verbosity of high-frequency messages from `V(4)` to `V(5)`. ([#132840](https://github.com/kubernetes/kubernetes/pull/132840), [@ppmechlinski](https://github.com/ppmechlinski)) [SIG Autoscaling, Scheduling and Storage]
-- Removed deprecated gogo protocol definitions from `k8s.io/externaljwt` in favor of `google.golang.org/protobuf`. ([#132772](https://github.com/kubernetes/kubernetes/pull/132772), [@saschagrunert](https://github.com/saschagrunert)) [SIG Auth]
-- Removed deprecated gogo protocol definitions from `k8s.io/kms/apis` in favor of `google.golang.org/protobuf`. ([#132833](https://github.com/kubernetes/kubernetes/pull/132833), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Auth and Testing]
-- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/deviceplugin` in favor of `google.golang.org/protobuf`. ([#133028](https://github.com/kubernetes/kubernetes/pull/133028), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node and Testing]
-- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/podresources` in favor of `google.golang.org/protobuf`. ([#133027](https://github.com/kubernetes/kubernetes/pull/133027), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node and Testing]
-- Removed general available feature-gate `DevicePluginCDIDevices`. ([#132083](https://github.com/kubernetes/kubernetes/pull/132083), [@carlory](https://github.com/carlory)) [SIG Node and Testing]
-- Removed generally available feature-gate `PodDisruptionConditions`. ([#129501](https://github.com/kubernetes/kubernetes/pull/129501), [@carlory](https://github.com/carlory)) [SIG Apps]
-- Removed support for API streaming from the REST client. ([#132285](https://github.com/kubernetes/kubernetes/pull/132285), [@p0lyn0mial](https://github.com/p0lyn0mial))
-- Removed support for API streaming from the `List()` method of the typed client. ([#132257](https://github.com/kubernetes/kubernetes/pull/132257), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- Removed support for API streaming from the dynamic client’s `List() method`. ([#132229](https://github.com/kubernetes/kubernetes/pull/132229), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery, CLI and Testing]
-- Removed support for API streaming from the metadata client’s `List() method`. ([#132149](https://github.com/kubernetes/kubernetes/pull/132149), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- Removed the `kubernetes.io/initial-events-list-blueprint` annotation from the synthetic "Bookmark" event in watch stream requests. ([#132326](https://github.com/kubernetes/kubernetes/pull/132326), [@p0lyn0mial](https://github.com/p0lyn0mial))
-- Removed the deprecated `--register-schedulable` command line argument from the kubelet. ([#122384](https://github.com/kubernetes/kubernetes/pull/122384), [@carlory](https://github.com/carlory)) [SIG Cloud Provider, Node and Scalability]
-- Replaced `toPtr` helper functions with the "k8s.io/utils/ptr" implementations. ([#132806](https://github.com/kubernetes/kubernetes/pull/132806), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps, Testing and Windows]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for ./test/e2e and ./test/utils. ([#132763](https://github.com/kubernetes/kubernetes/pull/132763), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Autoscaling and Testing]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for ./test/e2e. ([#132764](https://github.com/kubernetes/kubernetes/pull/132764), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth, Network, Node, Storage and Testing]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for ./test/e2e. ([#132765](https://github.com/kubernetes/kubernetes/pull/132765), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps, CLI and Testing]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for ./test/integration. ([#132762](https://github.com/kubernetes/kubernetes/pull/132762), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for apiextensions apiservers validation tests. ([#132726](https://github.com/kubernetes/kubernetes/pull/132726), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for apiextensions-apiserver pkg/controller. ([#132724](https://github.com/kubernetes/kubernetes/pull/132724), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for apiextensions-apiserver pkg/registry. ([#132725](https://github.com/kubernetes/kubernetes/pull/132725), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for pkg/apis (1/2). ([#132778](https://github.com/kubernetes/kubernetes/pull/132778), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps and Network]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for pkg/apis (2/2). ([#132779](https://github.com/kubernetes/kubernetes/pull/132779), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps, Auth and Storage]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for pkg/controller (1/2). ([#132781](https://github.com/kubernetes/kubernetes/pull/132781), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps and Network]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for pkg/controller (2/2). ([#132784](https://github.com/kubernetes/kubernetes/pull/132784), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps, Network, Node and Storage]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for pod-security-admission tests. ([#132741](https://github.com/kubernetes/kubernetes/pull/132741), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the apiextensions-apiservers integration tests. ([#132721](https://github.com/kubernetes/kubernetes/pull/132721), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the apiserver (2/2). ([#132752](https://github.com/kubernetes/kubernetes/pull/132752), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the cli-runtime. ([#132750](https://github.com/kubernetes/kubernetes/pull/132750), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG CLI and Release]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the cloud-provider. ([#132720](https://github.com/kubernetes/kubernetes/pull/132720), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Cloud Provider and Network]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the components-helper of the apimachinery. ([#132413](https://github.com/kubernetes/kubernetes/pull/132413), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the controller-manager. ([#132753](https://github.com/kubernetes/kubernetes/pull/132753), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Cloud Provider]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the csr. ([#132699](https://github.com/kubernetes/kubernetes/pull/132699), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the e2e_node. ([#132755](https://github.com/kubernetes/kubernetes/pull/132755), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Node and Testing]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the kubeapiserver. ([#132529](https://github.com/kubernetes/kubernetes/pull/132529), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Architecture]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the pkg/security and plugin/pkg. ([#132777](https://github.com/kubernetes/kubernetes/pull/132777), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth, Node and Release]
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the pod-security-admission admissiontests. ([#132742](https://github.com/kubernetes/kubernetes/pull/132742), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the pod-security-admission policy. ([#132743](https://github.com/kubernetes/kubernetes/pull/132743), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced deprecated package `k8s.io/utils/pointer` with `k8s.io/utils/ptr` for the reflector. ([#132698](https://github.com/kubernetes/kubernetes/pull/132698), [@PatrickLaabs](https://github.com/PatrickLaabs))
-- Replaced timer ptr helper function with the `k8s.io/utils/ptr` implementations. ([#133030](https://github.com/kubernetes/kubernetes/pull/133030), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- The deprecated `LegacySidecarContainers` feature gate was completely removed. ([#131463](https://github.com/kubernetes/kubernetes/pull/131463), [@gjkim42](https://github.com/gjkim42)) [SIG Node and Testing]
-- Types: Code and Status moved from pkg/scheduler/framework to staging repo.
-  Users should update import path for these types from `k8s.io/kubernetes/pkg/scheduler/framework` to `k8s.io/kube-scheduler/framework`. ([#132087](https://github.com/kubernetes/kubernetes/pull/132087), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Types: CycleState, StateData, StateKey and ErrNotFound moved from pkg/scheduler/framework to k8s.io/kube-scheduler/framework.
-  Type CycleState that is passed to each plugin in scheduler framework is changed to the new interface CycleState (in k8s.io/kube-scheduler/framework) ([#131887](https://github.com/kubernetes/kubernetes/pull/131887), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Types: `ClusterEvent`, `ActionType`, `EventResource`, `ClusterEventWithHint`, `QueueingHint` and `QueueingHintFn` moved from `pkg/scheduler/framework` to `k8s.io/kube-scheduler/framework`. ([#132190](https://github.com/kubernetes/kubernetes/pull/132190), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Types: `NodeInfo`, `PodInfo`, `QueuedPodInfo`, `PodResource`, `AffinityTerm`, `WeightedAffinityTerm`, `Resource`, `ImageStateSummary`, `ProtocolPort` and `HostPortInfo` were moved from `pkg/scheduler/framework` to staging repo.
-  Users should update import path for these types from `k8s.io/kubernetes/pkg/scheduler/framework` to `k8s.io/kube-scheduler/framework` and update use of fields (to use getter/setter functions instead) where needed. ([#132457](https://github.com/kubernetes/kubernetes/pull/132457), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Updated CNI plugins to v1.7.1 ([#131602](https://github.com/kubernetes/kubernetes/pull/131602), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Cloud Provider, Node and Testing]
-- Updated `conntrack` reconciler to consider a Service’s target port during cleanup of stale flow entries. ([#130542](https://github.com/kubernetes/kubernetes/pull/130542), [@aroradaman](https://github.com/aroradaman))
-- Updated `kubeadm` to use the `InitialCorruptCheck=true` etcd feature gate instead of the deprecated `--experimental-initial-corrupt-check` flag. Also replaced the use of `--experimental-watch-progress-notify-interval` with its graduated counterpart `--watch-progress-notify-interval`. ([#132838](https://github.com/kubernetes/kubernetes/pull/132838), [@AwesomePatrol](https://github.com/AwesomePatrol))
-- Updated cri-tools to v1.33.0. ([#131406](https://github.com/kubernetes/kubernetes/pull/131406), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider]
-- Updated etcd version to v3.6.1. ([#132284](https://github.com/kubernetes/kubernetes/pull/132284), [@ArkaSaha30](https://github.com/ArkaSaha30)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
-- Updated the etcd client library to v3.6.4. ([#133226](https://github.com/kubernetes/kubernetes/pull/133226), [@ivanvc](https://github.com/ivanvc)) [SIG API Machinery, Auth, Cloud Provider and Node]
-- Upgraded CoreDNS to v1.12.1. ([#131151](https://github.com/kubernetes/kubernetes/pull/131151), [@yashsingh74](https://github.com/yashsingh74)) [SIG Cloud Provider and Cluster Lifecycle]
-- Upgraded functionality of `kubectl kustomize` as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.7.0. ([#132593](https://github.com/kubernetes/kubernetes/pull/132593), [@koba1t](https://github.com/koba1t))
-- Validated APIVersion fields of the `HorizontalPodAutoscaler` to ensure that API objects were created and functioned properly. ([#132537](https://github.com/kubernetes/kubernetes/pull/132537), [@lalitc375](https://github.com/lalitc375)) [SIG Etcd and Testing]
-
-## Dependencies
-
-### Added
-- buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go: 63bb56e
-- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: [v1.26.0](https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/tree/detectors/gcp/v1.26.0)
-- github.com/bufbuild/protovalidate-go: [v0.9.1](https://github.com/bufbuild/protovalidate-go/tree/v0.9.1)
-- github.com/envoyproxy/go-control-plane/envoy: [v1.32.4](https://github.com/envoyproxy/go-control-plane/tree/envoy/v1.32.4)
-- github.com/envoyproxy/go-control-plane/ratelimit: [v0.1.0](https://github.com/envoyproxy/go-control-plane/tree/ratelimit/v0.1.0)
-- github.com/go-jose/go-jose/v4: [v4.0.4](https://github.com/go-jose/go-jose/tree/v4.0.4)
-- github.com/golang-jwt/jwt/v5: [v5.2.2](https://github.com/golang-jwt/jwt/tree/v5.2.2)
-- github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: [v1.0.1](https://github.com/grpc-ecosystem/go-grpc-middleware/tree/providers/prometheus/v1.0.1)
-- github.com/grpc-ecosystem/go-grpc-middleware/v2: [v2.3.0](https://github.com/grpc-ecosystem/go-grpc-middleware/tree/v2.3.0)
-- github.com/spiffe/go-spiffe/v2: [v2.5.0](https://github.com/spiffe/go-spiffe/tree/v2.5.0)
-- github.com/zeebo/errs: [v1.4.0](https://github.com/zeebo/errs/tree/v1.4.0)
-- go.etcd.io/raft/v3: v3.6.0
-- go.opentelemetry.io/contrib/detectors/gcp: v1.34.0
-- go.opentelemetry.io/otel/sdk/metric: v1.34.0
-- go.yaml.in/yaml/v2: v2.4.2
-- go.yaml.in/yaml/v3: v3.0.4
-- sigs.k8s.io/structured-merge-diff/v6: v6.3.0
-
-### Changed
-- cel.dev/expr: v0.19.1 → v0.24.0
-- cloud.google.com/go/compute/metadata: v0.5.0 → v0.6.0
-- github.com/Microsoft/hnslib: [v0.0.8 → v0.1.1](https://github.com/Microsoft/hnslib/compare/v0.0.8...v0.1.1)
-- github.com/cncf/xds/go: [b4127c9 → 2f00578](https://github.com/cncf/xds/compare/b4127c9...2f00578)
-- github.com/coredns/corefile-migration: [v1.0.25 → v1.0.26](https://github.com/coredns/corefile-migration/compare/v1.0.25...v1.0.26)
-- github.com/cpuguy83/go-md2man/v2: [v2.0.4 → v2.0.6](https://github.com/cpuguy83/go-md2man/compare/v2.0.4...v2.0.6)
-- github.com/emicklei/go-restful/v3: [v3.11.0 → v3.12.2](https://github.com/emicklei/go-restful/compare/v3.11.0...v3.12.2)
-- github.com/envoyproxy/go-control-plane: [v0.13.0 → v0.13.4](https://github.com/envoyproxy/go-control-plane/compare/v0.13.0...v0.13.4)
-- github.com/envoyproxy/protoc-gen-validate: [v1.1.0 → v1.2.1](https://github.com/envoyproxy/protoc-gen-validate/compare/v1.1.0...v1.2.1)
-- github.com/fsnotify/fsnotify: [v1.7.0 → v1.9.0](https://github.com/fsnotify/fsnotify/compare/v1.7.0...v1.9.0)
-- github.com/fxamacker/cbor/v2: [v2.7.0 → v2.9.0](https://github.com/fxamacker/cbor/compare/v2.7.0...v2.9.0)
-- github.com/golang/glog: [v1.2.2 → v1.2.4](https://github.com/golang/glog/compare/v1.2.2...v1.2.4)
-- github.com/google/cel-go: [v0.23.2 → v0.26.0](https://github.com/google/cel-go/compare/v0.23.2...v0.26.0)
-- github.com/google/gnostic-models: [v0.6.9 → v0.7.0](https://github.com/google/gnostic-models/compare/v0.6.9...v0.7.0)
-- github.com/grpc-ecosystem/grpc-gateway/v2: [v2.24.0 → v2.26.3](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.24.0...v2.26.3)
-- github.com/ishidawataru/sctp: [7ff4192 → ae8eb7f](https://github.com/ishidawataru/sctp/compare/7ff4192...ae8eb7f)
-- github.com/jonboulle/clockwork: [v0.4.0 → v0.5.0](https://github.com/jonboulle/clockwork/compare/v0.4.0...v0.5.0)
-- github.com/modern-go/reflect2: [v1.0.2 → 35a7c28](https://github.com/modern-go/reflect2/compare/v1.0.2...35a7c28)
-- github.com/spf13/cobra: [v1.8.1 → v1.9.1](https://github.com/spf13/cobra/compare/v1.8.1...v1.9.1)
-- github.com/spf13/pflag: [v1.0.5 → v1.0.6](https://github.com/spf13/pflag/compare/v1.0.5...v1.0.6)
-- github.com/vishvananda/netlink: [62fb240 → v1.3.1](https://github.com/vishvananda/netlink/compare/62fb240...v1.3.1)
-- github.com/vishvananda/netns: [v0.0.4 → v0.0.5](https://github.com/vishvananda/netns/compare/v0.0.4...v0.0.5)
-- go.etcd.io/bbolt: v1.3.11 → v1.4.2
-- go.etcd.io/etcd/api/v3: v3.5.21 → v3.6.4
-- go.etcd.io/etcd/client/pkg/v3: v3.5.21 → v3.6.4
-- go.etcd.io/etcd/client/v3: v3.5.21 → v3.6.4
-- go.etcd.io/etcd/pkg/v3: v3.5.21 → v3.6.4
-- go.etcd.io/etcd/server/v3: v3.5.21 → v3.6.4
-- go.etcd.io/gofail: v0.1.0 → v0.2.0
-- go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful: v0.42.0 → v0.44.0
-- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.58.0 → v0.60.0
-- go.opentelemetry.io/contrib/propagators/b3: v1.17.0 → v1.19.0
-- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/metric: v1.33.0 → v1.35.0
-- go.opentelemetry.io/otel/sdk: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/trace: v1.33.0 → v1.35.0
-- go.opentelemetry.io/otel: v1.33.0 → v1.35.0
-- go.opentelemetry.io/proto/otlp: v1.4.0 → v1.5.0
-- google.golang.org/genproto/googleapis/api: e6fa225 → a0af3ef
-- google.golang.org/genproto/googleapis/rpc: e6fa225 → a0af3ef
-- google.golang.org/grpc: v1.68.1 → v1.72.1
-- k8s.io/gengo/v2: 1244d31 → 85fd79d
-- k8s.io/kube-openapi: c8a335a → f3f2b99
-- k8s.io/system-validators: v1.9.1 → v1.10.1
-- k8s.io/utils: 3ea5e8c → 4c0f3b2
-- sigs.k8s.io/json: 9aa6b5e → cfa47c3
-- sigs.k8s.io/kustomize/api: v0.19.0 → v0.20.1
-- sigs.k8s.io/kustomize/cmd/config: v0.19.0 → v0.20.1
-- sigs.k8s.io/kustomize/kustomize/v5: v5.6.0 → v5.7.1
-- sigs.k8s.io/kustomize/kyaml: v0.19.0 → v0.20.1
-- sigs.k8s.io/yaml: v1.4.0 → v1.6.0
-
-### Removed
-- cloud.google.com/go/accessapproval: v1.7.4
-- cloud.google.com/go/accesscontextmanager: v1.8.4
-- cloud.google.com/go/aiplatform: v1.58.0
-- cloud.google.com/go/analytics: v0.22.0
-- cloud.google.com/go/apigateway: v1.6.4
-- cloud.google.com/go/apigeeconnect: v1.6.4
-- cloud.google.com/go/apigeeregistry: v0.8.2
-- cloud.google.com/go/appengine: v1.8.4
-- cloud.google.com/go/area120: v0.8.4
-- cloud.google.com/go/artifactregistry: v1.14.6
-- cloud.google.com/go/asset: v1.17.0
-- cloud.google.com/go/assuredworkloads: v1.11.4
-- cloud.google.com/go/automl: v1.13.4
-- cloud.google.com/go/baremetalsolution: v1.2.3
-- cloud.google.com/go/batch: v1.7.0
-- cloud.google.com/go/beyondcorp: v1.0.3
-- cloud.google.com/go/bigquery: v1.58.0
-- cloud.google.com/go/billing: v1.18.0
-- cloud.google.com/go/binaryauthorization: v1.8.0
-- cloud.google.com/go/certificatemanager: v1.7.4
-- cloud.google.com/go/channel: v1.17.4
-- cloud.google.com/go/cloudbuild: v1.15.0
-- cloud.google.com/go/clouddms: v1.7.3
-- cloud.google.com/go/cloudtasks: v1.12.4
-- cloud.google.com/go/compute: v1.23.3
-- cloud.google.com/go/contactcenterinsights: v1.12.1
-- cloud.google.com/go/container: v1.29.0
-- cloud.google.com/go/containeranalysis: v0.11.3
-- cloud.google.com/go/datacatalog: v1.19.2
-- cloud.google.com/go/dataflow: v0.9.4
-- cloud.google.com/go/dataform: v0.9.1
-- cloud.google.com/go/datafusion: v1.7.4
-- cloud.google.com/go/datalabeling: v0.8.4
-- cloud.google.com/go/dataplex: v1.14.0
-- cloud.google.com/go/dataproc/v2: v2.3.0
-- cloud.google.com/go/dataqna: v0.8.4
-- cloud.google.com/go/datastore: v1.15.0
-- cloud.google.com/go/datastream: v1.10.3
-- cloud.google.com/go/deploy: v1.17.0
-- cloud.google.com/go/dialogflow: v1.48.1
-- cloud.google.com/go/dlp: v1.11.1
-- cloud.google.com/go/documentai: v1.23.7
-- cloud.google.com/go/domains: v0.9.4
-- cloud.google.com/go/edgecontainer: v1.1.4
-- cloud.google.com/go/errorreporting: v0.3.0
-- cloud.google.com/go/essentialcontacts: v1.6.5
-- cloud.google.com/go/eventarc: v1.13.3
-- cloud.google.com/go/filestore: v1.8.0
-- cloud.google.com/go/firestore: v1.14.0
-- cloud.google.com/go/functions: v1.15.4
-- cloud.google.com/go/gkebackup: v1.3.4
-- cloud.google.com/go/gkeconnect: v0.8.4
-- cloud.google.com/go/gkehub: v0.14.4
-- cloud.google.com/go/gkemulticloud: v1.1.0
-- cloud.google.com/go/gsuiteaddons: v1.6.4
-- cloud.google.com/go/iam: v1.1.5
-- cloud.google.com/go/iap: v1.9.3
-- cloud.google.com/go/ids: v1.4.4
-- cloud.google.com/go/iot: v1.7.4
-- cloud.google.com/go/kms: v1.15.5
-- cloud.google.com/go/language: v1.12.2
-- cloud.google.com/go/lifesciences: v0.9.4
-- cloud.google.com/go/logging: v1.9.0
-- cloud.google.com/go/longrunning: v0.5.4
-- cloud.google.com/go/managedidentities: v1.6.4
-- cloud.google.com/go/maps: v1.6.3
-- cloud.google.com/go/mediatranslation: v0.8.4
-- cloud.google.com/go/memcache: v1.10.4
-- cloud.google.com/go/metastore: v1.13.3
-- cloud.google.com/go/monitoring: v1.17.0
-- cloud.google.com/go/networkconnectivity: v1.14.3
-- cloud.google.com/go/networkmanagement: v1.9.3
-- cloud.google.com/go/networksecurity: v0.9.4
-- cloud.google.com/go/notebooks: v1.11.2
-- cloud.google.com/go/optimization: v1.6.2
-- cloud.google.com/go/orchestration: v1.8.4
-- cloud.google.com/go/orgpolicy: v1.12.0
-- cloud.google.com/go/osconfig: v1.12.4
-- cloud.google.com/go/oslogin: v1.13.0
-- cloud.google.com/go/phishingprotection: v0.8.4
-- cloud.google.com/go/policytroubleshooter: v1.10.2
-- cloud.google.com/go/privatecatalog: v0.9.4
-- cloud.google.com/go/pubsub: v1.34.0
-- cloud.google.com/go/pubsublite: v1.8.1
-- cloud.google.com/go/recaptchaenterprise/v2: v2.9.0
-- cloud.google.com/go/recommendationengine: v0.8.4
-- cloud.google.com/go/recommender: v1.12.0
-- cloud.google.com/go/redis: v1.14.1
-- cloud.google.com/go/resourcemanager: v1.9.4
-- cloud.google.com/go/resourcesettings: v1.6.4
-- cloud.google.com/go/retail: v1.14.4
-- cloud.google.com/go/run: v1.3.3
-- cloud.google.com/go/scheduler: v1.10.5
-- cloud.google.com/go/secretmanager: v1.11.4
-- cloud.google.com/go/security: v1.15.4
-- cloud.google.com/go/securitycenter: v1.24.3
-- cloud.google.com/go/servicedirectory: v1.11.3
-- cloud.google.com/go/shell: v1.7.4
-- cloud.google.com/go/spanner: v1.55.0
-- cloud.google.com/go/speech: v1.21.0
-- cloud.google.com/go/storagetransfer: v1.10.3
-- cloud.google.com/go/talent: v1.6.5
-- cloud.google.com/go/texttospeech: v1.7.4
-- cloud.google.com/go/tpu: v1.6.4
-- cloud.google.com/go/trace: v1.10.4
-- cloud.google.com/go/translate: v1.10.0
-- cloud.google.com/go/video: v1.20.3
-- cloud.google.com/go/videointelligence: v1.11.4
-- cloud.google.com/go/vision/v2: v2.7.5
-- cloud.google.com/go/vmmigration: v1.7.4
-- cloud.google.com/go/vmwareengine: v1.0.3
-- cloud.google.com/go/vpcaccess: v1.7.4
-- cloud.google.com/go/webrisk: v1.9.4
-- cloud.google.com/go/websecurityscanner: v1.6.4
-- cloud.google.com/go/workflows: v1.12.3
-- cloud.google.com/go: v0.112.0
-- github.com/BurntSushi/toml: [v0.3.1](https://github.com/BurntSushi/toml/tree/v0.3.1)
-- github.com/census-instrumentation/opencensus-proto: [v0.4.1](https://github.com/census-instrumentation/opencensus-proto/tree/v0.4.1)
-- github.com/client9/misspell: [v0.3.4](https://github.com/client9/misspell/tree/v0.3.4)
-- github.com/cncf/udpa/go: [269d4d4](https://github.com/cncf/udpa/tree/269d4d4)
-- github.com/ghodss/yaml: [v1.0.0](https://github.com/ghodss/yaml/tree/v1.0.0)
-- github.com/go-kit/kit: [v0.9.0](https://github.com/go-kit/kit/tree/v0.9.0)
-- github.com/go-logfmt/logfmt: [v0.4.0](https://github.com/go-logfmt/logfmt/tree/v0.4.0)
-- github.com/go-stack/stack: [v1.8.0](https://github.com/go-stack/stack/tree/v1.8.0)
-- github.com/golang-jwt/jwt/v4: [v4.5.2](https://github.com/golang-jwt/jwt/tree/v4.5.2)
-- github.com/golang/mock: [v1.1.1](https://github.com/golang/mock/tree/v1.1.1)
-- github.com/google/shlex: [e7afc7f](https://github.com/google/shlex/tree/e7afc7f)
-- github.com/grpc-ecosystem/grpc-gateway: [v1.16.0](https://github.com/grpc-ecosystem/grpc-gateway/tree/v1.16.0)
-- github.com/konsorten/go-windows-terminal-sequences: [v1.0.1](https://github.com/konsorten/go-windows-terminal-sequences/tree/v1.0.1)
-- github.com/kr/logfmt: [b84e30a](https://github.com/kr/logfmt/tree/b84e30a)
-- github.com/opentracing/opentracing-go: [v1.1.0](https://github.com/opentracing/opentracing-go/tree/v1.1.0)
-- go.etcd.io/etcd/client/v2: v2.305.21
-- go.etcd.io/etcd/raft/v3: v3.5.21
-- go.uber.org/atomic: v1.7.0
-- golang.org/x/lint: d0100b6
-- google.golang.org/appengine: v1.4.0
-- google.golang.org/genproto: ef43131
-- honnef.co/go/tools: ea95bdf
-- sigs.k8s.io/structured-merge-diff/v4: v4.6.0
-
-
-
-# v1.34.0-rc.2
-
-
-## Downloads for v1.34.0-rc.2
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes.tar.gz) | f7bdadc269da91b2892d45a493bc673bd7a2f309e52d0af00e08c28ec15fd52fecfb0f53e1eb32098a910ca4cb5f4824f50ffa855fd1ca1f8ad4426223633227
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-src.tar.gz) | 6272b6ac799dae382779592c890e838ce1c0264a4b300a501ba3952329d177f9b07b9e1ddb2636327d8e95b572ee2da9d08824c6d88d7c3a8342323360b6d1df
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-darwin-amd64.tar.gz) | 453293b8fe62dfea905bb7d6859e684ae46ebd1c32d454e06d424a3adf78f3c05d8e5d3b82fcfac7707ccf55ce05e1936b3808e2190ae33fedf6f58b8300d1e6
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-darwin-arm64.tar.gz) | 4ac21ca50bf0ace0f876c43658e34715ea49671542db9fad15028b4e49ddd078ddb449f674bd76bfc39d5854bb12864e4811554148381b207582b510ed73ae11
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-386.tar.gz) | 300a21a090e564290f200203ef276f1829f1cb8a59ea4cfdfc78f5bf08a092d5241d19926f6958c8d5677aba57a2871f20e1764c15d3d223249e741c04666b58
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-amd64.tar.gz) | d283a216e442eed1664f32cdb5a2cad47011bc5ee49cbfd072a9cfd9f9970e578aed3f90cfebe5a45fc6194fd720ebb035ebb4cb5a151f638899133d88c2a41b
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-arm.tar.gz) | 08e500b65bac726f984fde0f2d3af74ad6d3f2e6c2b58c34b0732503960b715c011f81cfdc9a6ef9f77adbc585f0f5b2b94993dd705a2cde20e9baec3cb11e9f
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-arm64.tar.gz) | 111702bec96f578ef6aaa9f42ba77146d5246f50e5d307275261fcbf9bdb7a569a9963400165659436dfdbed5640ad22cebd8603dcef4de671eed5072919b96c
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-ppc64le.tar.gz) | 98a48f18d9038f4553d1e0cd0e23c19f5e5dfaaabe7d35fcff1cd79340e6c38f0967d9a94c18c3e177790170acc7663bd98a3f6e6b9eeb05ce4d302d7d9bcbee
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-linux-s390x.tar.gz) | b2006580603819b01b9300eaa9bae34133ee3ca2ee86314ca890aba472a81b833bb0ef4e9eb07b46a8ae0074d5b0c9c826129d338720dae63752c0d92736002b
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-windows-386.tar.gz) | ee20616424acf66d0499f1228016324a634da3e53ed2728d33269fb06cafb96b7d2c8585a253ba9b05d43a51ee72a034a73000d3672ba1239b7cf75be9d10089
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-windows-amd64.tar.gz) | 1f3a69ccac5cd00be47a4e89adfcd4bcbfe203895e98d8cc51282620a414a269891337cead1763ff7160b75b93fe48689d2cfd2467b8872f6e5fdc095fae0660
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-client-windows-arm64.tar.gz) | b619d292bc6427328a319c9ffc5e3e22039b89e8a875fa73c8cc2c6c767a066d6b1dd1984178a7035dd2eb38a468089f6259a6ba72506e32ab1249354a2590f0
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-server-linux-amd64.tar.gz) | ec025926ab67e9307763266fbf178b533af679c3e371297dafd204981d1ecc9fd6cff34986a6580b2106d2ddab7f78ad66b1e01b223b612f0847c530922a41b2
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-server-linux-arm64.tar.gz) | 0cf717718ed42283e8065d80afa18589dd2cb16f985811f25f8bf27302f4cbe5eb07bd264562a17798678047631584c10cd015c94982a91e7cd971cea8833b27
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-server-linux-ppc64le.tar.gz) | d2e91d34fb64832ee3142289adbe61a025de832f5b594e93046b6ec4e3d5c557fd564236e095d7673a243dbfe59cd6d56475d97bc741dfb899c7db9036e8af5a
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-server-linux-s390x.tar.gz) | f36021108f5e5c9c8223dd1044579c6321fab4567ab6fdbb476ce81791ae5c09672f2121e9156f9166f8fd774a0d8ecddb4915093038ff617d2a0f3014f2a0cf
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-node-linux-amd64.tar.gz) | eda824ac2a18a02a655bdf23137c9196698a6688acb97f147f97ee430054a2d93da1ebdd5a75a5862435d311aeb3841e4e6592290831a8cb51da4f99a463777d
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-node-linux-arm64.tar.gz) | e0bd74348eb3c6d973b9a71c2114e9141eec6dc8448b38669261c7233254ece002e77971dc5de41ddbb1f34f9e2597f9429b0939123de889ee39e9dfee465633
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-node-linux-ppc64le.tar.gz) | 737d536c7f3b458fc222e8ff600f3b4d71cb6f832cdea7900f0d0b4ceb473aa018cb6848b69b2c4609fe6a9d2681a666927678d98ce0fb959ad1a54c2bf046ac
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-node-linux-s390x.tar.gz) | 1a5dee2a9816128069fb3bde1bfec5f07e521425c1daa4b5538a18369850c186cff0a3e2a5f6f29325b83f275de86b26e4b5eea6b70297fb406a5d98eb77c8db
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.2/kubernetes-node-windows-amd64.tar.gz) | 51026e3f0ae4820fee2be15bef726deab5f8bc5e1ad33b5ca6f208e453a5bfd4ec161210d0ade1252ef899200b973f547e768d2d48a74b1af1514cdd9902d590
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-rc.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-rc.1
-
-## Changes by Kind
-
-### Feature
-
-- Kubernetes is now built using Go 1.24.6 ([#133516](https://github.com/kubernetes/kubernetes/pull/133516), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-
-### Documentation
-
-- Document how to contribute to staging repositories by redirecting to the main kubernetes repo ([#133570](https://github.com/kubernetes/kubernetes/pull/133570), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
-
-### Bug or Regression
-
-- Changed the node restrictions to disallow the node to change it's ownerReferences. ([#133467](https://github.com/kubernetes/kubernetes/pull/133467), [@natherz97](https://github.com/natherz97)) [SIG Auth]
-- DRA: fixed a data race which, depending on timing, could have led to broken allocation of devices backing extended resources ([#133587](https://github.com/kubernetes/kubernetes/pull/133587), [@pohly](https://github.com/pohly)) [SIG Node]
-- Fixes a regression in 1.34 release candidates where object storage count metrics could include all instances of all types instead of only the object count for a particular type ([#133604](https://github.com/kubernetes/kubernetes/pull/133604), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-
-## Dependencies
-
-### Added
-_Nothing has changed._
-
-### Changed
-_Nothing has changed._
-
-### Removed
-_Nothing has changed._
-
-
-
-# v1.34.0-rc.1
-
-
-## Downloads for v1.34.0-rc.1
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes.tar.gz) | 0685ab08c9f1c9696b66d17c6bb480c5e880b217b4cdd239f5c3884f2bdbf0052544724d9e366e5ce51d86008176bfccf6406b088b0d97336f8e1d436894aea8
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-src.tar.gz) | 845873a513e35e3b54c68b578825a47252591558b53781948de660494355e8d3b658a337f2bb096634b47a7f72a6bec2ed02285b1fd08d772d562011f310a8c4
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-darwin-amd64.tar.gz) | b24ab87ffd978869c4b2d20190695225a6cdc827c2db5ca9774dfbdc7d879b57e7474b1fcd006fe8169ed37a020e194a99134aaebd90188c86ce85ffde71b2ab
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-darwin-arm64.tar.gz) | 0c8826535a3836d55405acce38c3a58e4fbd488c8933e9eced8e59deeba26ae583908062d809ff4b319c891a9ef7ac2bb736e3b7c665b7f9a47e65387f0ec964
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-386.tar.gz) | 4c6d920d2ab1003fcb5fc4b815337fd3b571256d64471fa0613a1d1f394f3ca55b9ac4f80bdb3921fd57ffc2887181f004abb252c23f0ed42e26a1bdbe26e9ca
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-amd64.tar.gz) | e1a0e3c2552fef6a21acef1ce1fb0f9a15c6b86c6b7b1c34fa8e6b60d2b341fe8fd3208555474cf4a1f2f4cffd90d175f866e508900ddf3d47178a24f6f6ae64
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-arm.tar.gz) | bc4d687d8a8aa906a1e91e36dca875283aec2ec42c9a45db8c23dd38e7b9fb30e48c6bbf118c582717d3c0dc28cb1b198b90b167790ebbdaa9e33c7a29500187
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-arm64.tar.gz) | c1a460ec2698034181261d8678fb4ae4addbd21b80850539b7c38bed402f664dabaab76c0aff23a283516aeddc45658ab1b619d82d17590ca9f8e3d9a0268d8d
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-ppc64le.tar.gz) | 6ff03ab89e77ef519f5dd81ff547ca3267b71a6fe6b876409282b39e90f7af1531d20d50266487d7ab75a9154cb9260d546b8dcd5868180175c76c538baa93cb
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-linux-s390x.tar.gz) | 4b25feee780e0b6cfb7b9b9f263cea678ee2436ae4d674babaa5729abe065d07f1e8faa44b8881272716d703cffa7ee3712d6f9405f5ee825828ad9ca7d9d675
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-windows-386.tar.gz) | 9a561196c73f4a2208347eb2bc8b98d462049798ea48961d3cc19ab9165d1985825f16014d6f4ba5ec19019e9c4dee7975415b7ef58d52d775b16838478b9708
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-windows-amd64.tar.gz) | 9a8540a961c27395748c1d69988d4e93135b620e99a76cdbad403e42af41ef174eff50f590c0226d7431084134cf8b8aa7afb267024660ce8116117e7dde96d5
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-client-windows-arm64.tar.gz) | 5f7388b575dbf909423bc7b08e9a2b580d74c2827fd7740120d28f14b7d7cf1266c213dcda73268ad5acc030b1ef0f0a6c1d6683173661a37ddf34822306564a
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-server-linux-amd64.tar.gz) | cb719756e1e15e8b2dd656aae888d3b70478d12b9384636b8d6f2cd685f76dc8e79e94b8ee3f428e9e2f4503dc3a103b6918c9a5825c099723a14a314668fb5f
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-server-linux-arm64.tar.gz) | bf187239d1f2108e96d89503af0d8eed89608470470beb781dce0393263919d18c7ae3e6cb94c00d37413d295af135752c6d63de6abe11c717e96a4b2c1b549d
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-server-linux-ppc64le.tar.gz) | c140f4784438140ac65c672185c579e7b6fc5839bbcfa03390110726655b07e02b6c0a0adfc96446b4d4a8659c1831da74bfd5d83fc8a6d8cd2d6fcbf8750ed8
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-server-linux-s390x.tar.gz) | cc1fe349b9b39b52bbe0e2172049a60ce97dc4e2d4d23007c07ccc8692d01c0ee22012c74e1712d19dd50d6a8c391a9894f7e0a02e3596389083f360c6744743
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-node-linux-amd64.tar.gz) | daffae5fe6930b631fbfb68a9a3f9b7128c98a0a5916afde8de513b8967a4334c4cdb74a87ba0ab75e193e6fdfcfcf74136eaca059b3095be5e06c2828f2ab11
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-node-linux-arm64.tar.gz) | 0c4bc0530eea7b136b9a6977fa0212f43123f5215ab9e6c53739688890e2a88d7c4aee75cd09d1f7f03d645fa756b48bbea30b46b255527ba2bcc5f954fffab4
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-node-linux-ppc64le.tar.gz) | 7c6da33a3f82e2e14274d7be6a329277ee4ee483e0d2e228d3500fc57201f6b6220e1fed3c4214c46ca2c660257c83cdd0157724f17cafd79b4ac47f98c2ce84
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-node-linux-s390x.tar.gz) | 8ee20942b91808026b9e54c8964422cb7a6dcf4c081b26bf41ea910721dfdccb449eab7b7ea2e11ef0260693f7c48411e65c4b18ab8d0045d243020b674f93d4
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.1/kubernetes-node-windows-amd64.tar.gz) | b9b112456539ef0dd4b08178cdf3c56e1723746fdbad2dddb3ca18075e1258591b4f9937cfc884fb64f5ef275b82c8f5a3d25e29307753bdb574f18bd56da358
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-rc.0
-
-## Changes by Kind
-
-### Bug or Regression
-
-- Fixes an issue that caused kube-apiserver to panic in 1.34.0-rc.0 ([#133412](https://github.com/kubernetes/kubernetes/pull/133412), [@richabanker](https://github.com/richabanker)) [SIG API Machinery and Etcd]
-- Make podcertificaterequestcleaner role feature-gated ([#133409](https://github.com/kubernetes/kubernetes/pull/133409), [@carlory](https://github.com/carlory)) [SIG Auth]
-
-## Dependencies
-
-### Added
-_Nothing has changed._
-
-### Changed
-_Nothing has changed._
-
-### Removed
-_Nothing has changed._
-
-
-
-# v1.34.0-rc.0
-
-
-## Downloads for v1.34.0-rc.0
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes.tar.gz) | 3a40163a162b703ca49714789d751c741cc09a4921e1dd1a3e51cd1e45285c43aa84c153a9130b105220defe573ecc9bc2f9e69e7ead50f470110eba0f3eb2e7
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-src.tar.gz) | f1e769b6bd1c24e88a445ba58c30448b4f138c36b4acb1de04616630eb8d74b01986c94d7ed2022943425e0e9ea8043253fe3f32a696c510187ccae2deb81334
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-darwin-amd64.tar.gz) | c5b135c912d5d942cdeff31b23f3d7865aa40252730e367f8170d70fbb2c695efbc04648787b8d36ec788ce761f71adde0c8bd92ab1bec714ded7e5b43f1e70e
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-darwin-arm64.tar.gz) | d2dc774dbf6ec52a6e848be7ede8d3640ec3969d6b79462ab5b06c654d65046961fecf7b0dee7861af7895beb65c90867f7f0b370d0437322f92d2afbe7ff999
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-386.tar.gz) | c5df62de030efad772ff72ce96776229a4cdf7c80c6e8625f46f32d7fe064b84021432eda05aa48d8dfd3b38f5d8bb1f0fec010fa39bdcc437d48f7dc02ce20c
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-amd64.tar.gz) | 789c6ffc56ed8772fdd7142865cd788d0975dbeb759533d00768c6ac964973d5553aaac8341c8d55604e70abdfdb3c5b1b91cf7f2a6fc08ccc4a5a0d93e76127
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-arm.tar.gz) | f82bb1bc87d8288f54de7f5dbb54ff6e29dea210e0632348b3912cff326a78047da4dd05581dd29be2d9f7756eab1f2af1a9bf45818e378b22ccaf7c265803c1
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-arm64.tar.gz) | 977cd13d6ad03c3e3b820d69d9136acb90e0efc13253a6233cf2c0d819c0b68734672ab623a7496080417c750ee04d3ce276e41d541cd07deb31ff90b6c19ee7
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-ppc64le.tar.gz) | 6bb7a7935989c301727e355b3db6774d2ca057f317c166ceddb3aee1d4d5c553b62dc28f851b8acf0dda73f64d41aec77e41721e9cd5c1d9e8ffb7afc318ff6c
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-linux-s390x.tar.gz) | e922a13265a591f989e6026321c792221663f09f062a5f7866fb4c1efa28a91216bc7f297b4c778eac8784f773d642ed873bcd6d97dfcff6897631a17c3d35d7
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-windows-386.tar.gz) | 963016b3be20076dd94f46aac858d2e4fe3a973d54a574b0289c8e5e20ec192680b3e4cf9f813f17658f892c96adabfd467cb8a7ad6332007e4aea07a828572c
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-windows-amd64.tar.gz) | 01432a7dcdcd99c0c8e00bd9085dde13fb07a7091c19592bd7b7323932af56f47d2554b4806fc5ff867f7f04428a4572e0149bec32f7b9e1b3dc2dc0e63792d6
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-client-windows-arm64.tar.gz) | 38fefd2b9c6a5b37b461e1787ee824d8208bd76f375bb0f5740e4dc2ede98baa30532021629cfc9ccb04b854ce19c7ccde245e4edd3a7482336d70ea47dd09d4
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-server-linux-amd64.tar.gz) | 4a63efa6876bc66683650361a071ddca8c201a653a3947e3939f68d32835b76357a5c63bebfdbd9e2420b485b9dfe42ea03ad6b230960207c21a98d96f24ddda
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-server-linux-arm64.tar.gz) | 0965a31c7db0dcbbe8160c420df3ca12923fa1bfc720103b93f3ba238c529667933477df0f190737595402173f38b1785179f468047d504e4a1bfbe969951df9
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-server-linux-ppc64le.tar.gz) | b62515af8f866bcde5866b10def38c63bb0ef50d84dcac1b536dad85d04b10285e38bafd79e0d80fcab8820455597164e4202cc4848b1cc03137a967a1ca5597
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-server-linux-s390x.tar.gz) | 17eaa46f21730ad8e809b827c053030249e8cfff812fbd0a2252650ef1b90ae4c98c57d54972317d806fcad7c77444f69c97436d1f652b7ac0a6ba908acee09a
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-node-linux-amd64.tar.gz) | 97bb8e23f59afae0f0a5d4a9b594dca25e76fc426d1e05d13582df44f207b913f82eb1b36e2669a267f0d8171978049e623556395a94f63ad30a873d41bb0a47
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-node-linux-arm64.tar.gz) | caa6625eec52dee92dec7f33936e7a5f3ba8166e1150b6c747048b74f1bb574dcc097fb7ce7a634f122d42a7fbdbf81e5b4a483a71adeed2c2937af8977114a8
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-node-linux-ppc64le.tar.gz) | cab3bd432093fb03bdc6497f94dd501e412fb90eca9b350319239fcca5687012561f7342114b52e09bad61e6eea3109158ef92add94809d4b56f9aa3470e9e93
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-node-linux-s390x.tar.gz) | 0c95a03a6539f99de244213359c6d4f42ebf6aea79c26c8cfb82d319b7c27dd5ca4050cc58ef27f999fba334fc67629a0b96bb7af66721309a203b1f0aec6467
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-rc.0/kubernetes-node-windows-amd64.tar.gz) | 9f2e1f5e6227e41d0c681e07a2edc3eb4da4b6ba20125a4aad6b94c2023d29238257244b243e508c17c5693a8168da5bf66cf744a9610799d77adbed29363c45
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-beta.0
-
-## Changes by Kind
-
-### Deprecation
-
-- DRA kubelet: gRPC API graduated to v1, v1beta1 is deprecated starting in 1.34. Updating DRA drivers to the k8s.io/dynamic-resource-allocation/kubeletplugin helper from 1.34 adds support for both API versions. ([#132700](https://github.com/kubernetes/kubernetes/pull/132700), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-
-### API Change
-
-- Add a new `FileKeyRef` field to containers, allowing them to load variables from files by setting this field.
-  
-  Introduce the EnvFiles feature gate to govern activation of this functionality. ([#132626](https://github.com/kubernetes/kubernetes/pull/132626), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Apps, Node and Testing]
-- Add driver-owned fields in ResourceSlice to mark whether the device is shareable among multiple resource claims (or requests) and to specify how each capacity can be shared between different requests.
-  - Add user-owned fields in ResourceClaim to specify resource requirements against each device capacity.
-  - Add scheduler-owned field in ResourceClaim.Status to specify how much device capacity is reserved for a specific request.
-  - Add an additional identifier to ResourceClaim.Status for the device supports multiple allocations.
-  - Add a new constraint type to enforce uniqueness of specified attributes across all allocated devices. ([#132522](https://github.com/kubernetes/kubernetes/pull/132522), [@sunya-ch](https://github.com/sunya-ch)) [SIG API Machinery, Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Release, Scheduling and Testing]
-- Add new optional APIs in ResouceSlice.Basic and ResourceClaim.Status.AllocatedDeviceStatus. ([#130160](https://github.com/kubernetes/kubernetes/pull/130160), [@KobayashiD27](https://github.com/KobayashiD27)) [SIG API Machinery, Apps, Architecture, Node, Release, Scheduling and Testing]
-- Added a mechanism for configurable container restarts: _container level restart rules_. This is an alpha feature behind the `ContainerRestartRules` feature gate. ([#132642](https://github.com/kubernetes/kubernetes/pull/132642), [@yuanwang04](https://github.com/yuanwang04)) [SIG API Machinery, Apps, Node and Testing]
-- Added detailed event for in-place pod vertical scaling completed, improving cluster management and debugging ([#130387](https://github.com/kubernetes/kubernetes/pull/130387), [@shiya0705](https://github.com/shiya0705)) [SIG API Machinery, Apps, Autoscaling, Node, Scheduling and Testing]
-- Added validation to reject Pods using the `PodLevelResources` feature on Windows OS due to lack of support. The API server rejects Pods with Pod-level resources and a `Pod.spec.os.name` targeting Windows. Kubelet on nodes running Windows also rejects Pods with Pod-level resources at admission phase. ([#133046](https://github.com/kubernetes/kubernetes/pull/133046), [@toVersus](https://github.com/toVersus)) [SIG Apps and Node]
-- Adds warnings when creating headless service with set loadBalancerIP,externalIPs and/or SessionAffinity ([#132214](https://github.com/kubernetes/kubernetes/pull/132214), [@Peac36](https://github.com/Peac36)) [SIG Network]
-- Allow pvc.spec.VolumeAttributesClassName to go from non-nil to nil ([#132106](https://github.com/kubernetes/kubernetes/pull/132106), [@AndrewSirenko](https://github.com/AndrewSirenko)) [SIG Apps]
-- Allows setting the `hostnameOverride` field in `PodSpec` to specify any RFC 1123 DNS subdomain as the pod's hostname. The `HostnameOverride` feature gate has been introduced to control enablement of this functionality. ([#132558](https://github.com/kubernetes/kubernetes/pull/132558), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG API Machinery, Apps, Network, Node and Testing]
-- AppArmor profiles specified in the pod or container SecurityContext are no longer copied to deprecated AppArmor annotations (prefix `container.apparmor.security.beta.kubernetes.io/`). Anything that inspects the deprecated annotations must be migrated to use the SecurityContext fields instead. ([#131989](https://github.com/kubernetes/kubernetes/pull/131989), [@tallclair](https://github.com/tallclair)) [SIG Node]
-- Changes underlying logic to propagate Pod level hugepage cgroup to containers when they do not specify hugepage resources.
-  - Adds validation to enforce the hugepage aggregated container limits to be smaller or equal to pod-level limits. This was already enforced with the defaulted requests from the specified limits, however it did not make it clear about both hugepage requests and limits. ([#131089](https://github.com/kubernetes/kubernetes/pull/131089), [@KevinTMtz](https://github.com/KevinTMtz)) [SIG Apps, Node and Testing]
-- DRA: the scheduler plugin now prevents abnormal filter runtimes by timing out after 10 seconds. This is configurable via the plugin configuration's `FilterTimeout`. Setting it to zero disables the timeout and restores the behavior of Kubernetes <= 1.33. ([#132033](https://github.com/kubernetes/kubernetes/pull/132033), [@pohly](https://github.com/pohly)) [SIG Node, Scheduling and Testing]
-- DRA: when the prioritized list feature is used in a request and the resulting number of allocated devices exceeds the number of allowed devices per claim, the scheduler aborts the attempt to allocate devices early. Previously it tried to many different combinations, which can take a long time. ([#130593](https://github.com/kubernetes/kubernetes/pull/130593), [@mortent](https://github.com/mortent)) [SIG Apps, Node, Scheduling and Testing]
-- Dynamic Resource Allocation: graduated core functionality to general availability (GA). This newly stable feature uses the _structured parameters_ flavor of DRA. ([#132706](https://github.com/kubernetes/kubernetes/pull/132706), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Autoscaling, Etcd, Node, Scheduling and Testing]
-- Enable kube-apiserver support for PodCertificateRequest and PodCertificate projected volumes (behind the PodCertificateRequest feature gate). ([#128010](https://github.com/kubernetes/kubernetes/pull/128010), [@ahmedtd](https://github.com/ahmedtd)) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Storage and Testing]
-- Extended resources backed by DRA feature allows cluster operator to specify extendedResourceName in DeviceClass, and application operator to continue using extended resources in pod's requests to request for DRA devices matching the DeviceClass.
-  
-  NodeResourcesFit plugin scoring won't work for extended resources backed by DRA ([#130653](https://github.com/kubernetes/kubernetes/pull/130653), [@yliaog](https://github.com/yliaog)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
-- Fix prerelease lifecycle  for PodCertificateRequest ([#133350](https://github.com/kubernetes/kubernetes/pull/133350), [@carlory](https://github.com/carlory)) [SIG Auth]
-- Fixes a 1.33 regression that can cause a nil panic in kube-scheduler when aggregating resource requests across container's spec and status. ([#132895](https://github.com/kubernetes/kubernetes/pull/132895), [@yue9944882](https://github.com/yue9944882)) [SIG Node and Scheduling]
-- Introduced the admissionregistration.k8s.io/v1beta1/MutatingAdmissionPolicy API type.
-  To enable, enable the `MutatingAdmissionPolicy` feature gate (which is off by default) and set `--runtime-config=admissionregistration.k8s.io/v1beta1=true` on the kube-apiserver. 
-  Note that the default stored version remains alpha in 1.34 and whoever enabled beta during 1.34 needs to run a storage migration yourself to ensure you don't depend on alpha data in etcd. ([#132821](https://github.com/kubernetes/kubernetes/pull/132821), [@cici37](https://github.com/cici37)) [SIG API Machinery, Etcd and Testing]
-- No, changes underlying logic for Eviction Manager helper functions ([#132277](https://github.com/kubernetes/kubernetes/pull/132277), [@KevinTMtz](https://github.com/KevinTMtz)) [SIG Node, Scheduling and Testing]
-- Promote MutableCSINodeAllocatableCount to Beta. ([#132429](https://github.com/kubernetes/kubernetes/pull/132429), [@torredil](https://github.com/torredil)) [SIG Storage]
-- Promoted feature-gate `VolumeAttributesClass` to GA
-  - Promoted API `VolumeAttributesClass` and `VolumeAttributesClassList` to `storage.k8s.io/v1`. ([#131549](https://github.com/kubernetes/kubernetes/pull/131549), [@carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Storage and Testing]
-- Promoted the `APIServerTracing` feature gate to GA. The `--tracing-config-file` flag now accepts `TracingConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). ([#132340](https://github.com/kubernetes/kubernetes/pull/132340), [@dashpole](https://github.com/dashpole)) [SIG API Machinery and Testing]
-- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/pluginregistration` in favor of `google.golang.org/protobuf`. ([#132773](https://github.com/kubernetes/kubernetes/pull/132773), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node]
-- The Kubelet can now monitor the health of devices allocated via Dynamic Resource Allocation (DRA) and report it in the `pod.status.containerStatuses.allocatedResourcesStatus` field. This requires the DRA plugin to implement the new v1alpha1 `NodeHealth` gRPC service. This feature is controlled by the `ResourceHealthStatus` feature gate. ([#130606](https://github.com/kubernetes/kubernetes/pull/130606), [@Jpsassine](https://github.com/Jpsassine)) [SIG Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Network, Node, Release, Scheduling, Storage and Testing]
-- The KubeletServiceAccountTokenForCredentialProviders feature is now beta and enabled by default. ([#133017](https://github.com/kubernetes/kubernetes/pull/133017), [@aramase](https://github.com/aramase)) [SIG Auth and Node]
-- The conditionType is "oneof" approved/denied check of CertificateSigningRequest's `.status.conditions` field has been migrated to declarative validation. 
-  If the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate is enabled, declarative validation is the primary source of errors for migrated fields. ([#133013](https://github.com/kubernetes/kubernetes/pull/133013), [@aaron-prindle](https://github.com/aaron-prindle)) [SIG API Machinery and Auth]
-- The fallback behavior of the Downward API's `resourceFieldRef` field has been updated to account for pod-level resources: if container-level limits are not set, pod-level limits are now used before falling back to node allocatable resources. ([#132605](https://github.com/kubernetes/kubernetes/pull/132605), [@toVersus](https://github.com/toVersus)) [SIG Node, Scheduling and Testing]
-- The kubelet's image pull credential tracking now supports service account-based verification. When an image is pulled using service account credentials via external credential providers, subsequent pods using the same service account (UID, name, and namespace) can access the cached image without re-authentication for the lifetime of that service account. ([#132771](https://github.com/kubernetes/kubernetes/pull/132771), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
-
-### Feature
-
-- API calls dispatched during pod scheduling are now executed asynchronously if the SchedulerAsyncAPICalls feature gate is enabled.
-  Out-of-tree plugins can use APIDispatcher and APICacher from the framework to dispatch their own calls. ([#132886](https://github.com/kubernetes/kubernetes/pull/132886), [@macsko](https://github.com/macsko)) [SIG Release, Scheduling and Testing]
-- Add `started_user_namespaced_pods_total` and `started_user_namespaced_pods_errors_total` for tracking the successes and failures in creating pods if a user namespace is requested. ([#132902](https://github.com/kubernetes/kubernetes/pull/132902), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
-- Add apiserver_resource_size_estimate_bytes metric to apiserver ([#132893](https://github.com/kubernetes/kubernetes/pull/132893), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd and Instrumentation]
-- Add memory tracking to scheduler performance tests to help detect memory leaks and monitor memory usage patterns while running scheduler_perf ([#132910](https://github.com/kubernetes/kubernetes/pull/132910), [@utam0k](https://github.com/utam0k)) [SIG Scheduling and Testing]
-- Added 3 new metrics for monitoring async API calls in the scheduler when the SchedulerAsyncAPICalls feature gate is enabled:
-    - scheduler_async_api_call_execution_total: tracks executed API calls by call type and result (success/error)
-    - scheduler_async_api_call_duration_seconds: histogram of API call execution duration by call type and result
-    - scheduler_pending_async_api_calls: gauge showing current number of pending API calls in the queue ([#133120](https://github.com/kubernetes/kubernetes/pull/133120), [@utam0k](https://github.com/utam0k)) [SIG Release and Scheduling]
-- Added machine readable output options (JSON & YAML) to kubectl api-resources ([#132604](https://github.com/kubernetes/kubernetes/pull/132604), [@dharmit](https://github.com/dharmit)) [SIG Apps, CLI and Network]
-- Added support for a new kubectl output format, `kyaml`. KYAML is a strict subset of YAML and should be accepted by any YAML processor. The formatting of KYAML is halfway between JSON and YAML.  Because it is more explicit than the default YAML style, it should be less error-prone. ([#132942](https://github.com/kubernetes/kubernetes/pull/132942), [@thockin](https://github.com/thockin)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Contributor Experience, Instrumentation, Network, Node, Scheduling, Storage and Testing]
-- Adds HPA support to pod-level resource specifications. When the pod-level resource feature is enabled, HPAs configured with `Resource` type metrics will calculate the pod resources from `pod.Spec.Resources` field, if specified. ([#132430](https://github.com/kubernetes/kubernetes/pull/132430), [@laoj2](https://github.com/laoj2)) [SIG Apps, Autoscaling and Testing]
-- Adds a `container_swap_limit_bytes` metric to expose the swap limit assigned to containers under the `LimitedSwap` swap behavior. ([#132348](https://github.com/kubernetes/kubernetes/pull/132348), [@iholder101](https://github.com/iholder101)) [SIG Node and Testing]
-- Adds useful endpoints for kube-apiserver ([#132581](https://github.com/kubernetes/kubernetes/pull/132581), [@itssimrank](https://github.com/itssimrank)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
-- Bump KubeletCgroupDriverFromCRI to GA and add metric to track out of support CRI implementations ([#133157](https://github.com/kubernetes/kubernetes/pull/133157), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
-- CRI API has auth fields in image pulling marked as debug_redact. ([#133135](https://github.com/kubernetes/kubernetes/pull/133135), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG Node]
-- Changed handling of CustomResourceDefinitions with unrecognized formats. Writing a schema with an unrecognized formats now triggers a warning (the write is still accepted). ([#133136](https://github.com/kubernetes/kubernetes/pull/133136), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery]
-- DRAAdminAccess is enabled by default allowing users to create ResourceClaims and ResourceClaimTemplates in privileged mode to grant access to devices that are in use by other users for admin tasks like monitor health or status of the device. ([#133085](https://github.com/kubernetes/kubernetes/pull/133085), [@ritazh](https://github.com/ritazh)) [SIG Auth and Node]
-- DRAPrioritizedList is now turned on by default which makes it possible to provide a prioritized list of subrequests in a ResourceClaim. ([#132767](https://github.com/kubernetes/kubernetes/pull/132767), [@mortent](https://github.com/mortent)) [SIG Node, Scheduling and Testing]
-- Demote KEP-5278 feature gates ClearingNominatedNodeNameAfterBinding and NominatedNodeNameForExpectation to Alpha from Beta ([#133293](https://github.com/kubernetes/kubernetes/pull/133293), [@utam0k](https://github.com/utam0k)) [SIG Scheduling and Testing]
-- Deprecate apiserver_storage_objects and replace it with apiserver_resource_objects metric using labels consistent with other metrics ([#132965](https://github.com/kubernetes/kubernetes/pull/132965), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd and Instrumentation]
-- Ensure memory resizing for Guaranteed QOS pods on static Memory policy configured is gated by `InPlacePodVerticalScalingExclusiveMemory` (defaults to `false`). ([#132473](https://github.com/kubernetes/kubernetes/pull/132473), [@pravk03](https://github.com/pravk03)) [SIG Node, Scheduling and Testing]
-- Fix recording the kubelet_container_resize_requests_total metric to include all resize-related updates. ([#133060](https://github.com/kubernetes/kubernetes/pull/133060), [@natasha41575](https://github.com/natasha41575)) [SIG Node]
-- Graduate ListFromCacheSnapshot to Beta ([#132901](https://github.com/kubernetes/kubernetes/pull/132901), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Graduate `PodLevelResources` feature to beta and have it on by default. This feature allows defining CPU and memory resources for an entire pod in `pod.spec.resources`. ([#132999](https://github.com/kubernetes/kubernetes/pull/132999), [@ndixita](https://github.com/ndixita)) [SIG Node]
-- Graduate `PodObservedGenerationTracking` feature to beta and have it on by default. This feature means that the top level `status.observedGeneration` and `status.conditions[].observedGeneration` fields in pods will now be populated to reflect the `metadata.generation` of the podspec at the time that the status or condition is being reported. ([#132912](https://github.com/kubernetes/kubernetes/pull/132912), [@natasha41575](https://github.com/natasha41575)) [SIG Apps, Node and Testing]
-- Graduate the WinDSR feature in the kube-proxy to GA. The `WinDSR` feature gate is now enabled by default. ([#132108](https://github.com/kubernetes/kubernetes/pull/132108), [@rzlink](https://github.com/rzlink)) [SIG Network and Windows]
-- Graduate the WinOverlay feature in the kube-proxy to GA. The **WinOverlay** feature gate is now enabled by default. ([#133042](https://github.com/kubernetes/kubernetes/pull/133042), [@rzlink](https://github.com/rzlink)) [SIG Network and Windows]
-- Graduates the `WatchList` feature gate to Beta for kube-apiserver and enables `WatchListClient` for KCM. ([#132704](https://github.com/kubernetes/kubernetes/pull/132704), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- If PreBindPreFlight returns Skip, the scheduler doesn't run the plugin at PreBind.
-  If any PreBindPreFlight returns Success, the scheduler puts NominatedNodeName to the pod 
-  so that other components (such as the cluster autoscaler) can notice the pod is going to be bound to the node. ([#133021](https://github.com/kubernetes/kubernetes/pull/133021), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Increase APF max seats to 100 for LIST requests ([#133034](https://github.com/kubernetes/kubernetes/pull/133034), [@serathius](https://github.com/serathius)) [SIG API Machinery]
-- Introduce a method 'GetPCIeRootAttributeByPCIBusID(pciBusID)' for third-party DRA drivers to provide common logic for the standardized device attribute 'resource.kubernetes.io/pcieRoot' ([#132296](https://github.com/kubernetes/kubernetes/pull/132296), [@everpeace](https://github.com/everpeace)) [SIG Node]
-- It will promote windows graceful shutdown feature from alpha to beta. ([#133062](https://github.com/kubernetes/kubernetes/pull/133062), [@zylxjtu](https://github.com/zylxjtu)) [SIG Windows]
-- Kube-apiserver now reports the last configuration hash as a label in
-  
-  - `apiserver_authentication_config_controller_last_config_info` metric after successfully loading the authentication configuration file.
-  - `apiserver_authorization_config_controller_last_config_info` metric after successfully loading the authorization configuration file.
-  - `apiserver_encryption_config_controller_last_config_info` metric after successfully loading the encryption configuration file. ([#132299](https://github.com/kubernetes/kubernetes/pull/132299), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-apiserver: previously persisted CustomResourceDefinition objects with an invalid whitespace-only `caBundle` can now serve requests that do not require conversion. ([#132514](https://github.com/kubernetes/kubernetes/pull/132514), [@tiffanny29631](https://github.com/tiffanny29631)) [SIG API Machinery]
-- Kube-controller-manager now reports the following metrics for ResourceClaims with admin access:
-  - `resourceclaim_controller_creates_total` count metric with labels admin_access (true or false), status (failure or success) to track the total number of ResourceClaims creation requests
-  - `resourceclaim_controller_resource_claims` gauge metric with labels admin_access (true or false), allocated (true or false) to track the current number of ResourceClaims ([#132800](https://github.com/kubernetes/kubernetes/pull/132800), [@ritazh](https://github.com/ritazh)) [SIG Apps, Auth, Instrumentation and Node]
-- Kubelet now detects terminal CSI volume mount failures due to exceeded attachment limits on the node and marks the stateful pod as Failed, allowing its controller to recreate it. This prevents pods from getting stuck indefinitely in the `ContainerCreating` state. ([#132933](https://github.com/kubernetes/kubernetes/pull/132933), [@torredil](https://github.com/torredil)) [SIG Apps, Node, Storage and Testing]
-- Kubelet now reports a hash of the credential provider configuration via the `kubelet_credential_provider_config_info` metric. The hash is exposed in the `hash` label. ([#133016](https://github.com/kubernetes/kubernetes/pull/133016), [@aramase](https://github.com/aramase)) [SIG API Machinery and Auth]
-- Memory limits can now be decreased with a NotRequired resize restart policy. When decreasing memory limits, perform a best-effort check to prevent limits from decreasing below usage and triggering an OOM-kill. ([#133012](https://github.com/kubernetes/kubernetes/pull/133012), [@tallclair](https://github.com/tallclair)) [SIG Apps, Node and Testing]
-- Move Recover from volume expansion failure GA ([#132662](https://github.com/kubernetes/kubernetes/pull/132662), [@gnufied](https://github.com/gnufied)) [SIG Apps, Auth, Node, Storage and Testing]
-- PodLifecycleSleepAction is graduated to GA ([#132595](https://github.com/kubernetes/kubernetes/pull/132595), [@AxeZhan](https://github.com/AxeZhan)) [SIG Apps, Node and Testing]
-- Prevents any type of CPU/Memory alignment or hint generation with the Topology manager from the CPU or Memory manager when Pod Level resources are used in the pod spec. ([#133279](https://github.com/kubernetes/kubernetes/pull/133279), [@ffromani](https://github.com/ffromani)) [SIG Node and Testing]
-- Promoted Linux node pressure stall information (PSI) metrics to beta. ([#132822](https://github.com/kubernetes/kubernetes/pull/132822), [@roycaihw](https://github.com/roycaihw)) [SIG Node]
-- Start recording metrics for in-place pod resize. ([#132903](https://github.com/kubernetes/kubernetes/pull/132903), [@natasha41575](https://github.com/natasha41575)) [SIG Node]
-- The scheduler no longer clears the `nominatedNodeName` field for Pods. External components, such as Cluster Autoscaler and Karpenter, are responsible for managing this field when needed. ([#133276](https://github.com/kubernetes/kubernetes/pull/133276), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
-- The validation in the CertificateSigningRequest `/status` and `/approval` subresource has been migrated to declarative validation.
-  If the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate is enabled, declarative validation is the primary source of errors for migrated fields. ([#133068](https://github.com/kubernetes/kubernetes/pull/133068), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery and Auth]
-- This will promote the `KubeletPodResourcesDynamicResources` and `KubeletPodResourcesGet` feature gates to Beta which will be enabled by default if DRA goes to GA. ([#132940](https://github.com/kubernetes/kubernetes/pull/132940), [@guptaNswati](https://github.com/guptaNswati))
-- Update pause version to registry.k8s.io/pause:3.10.1 ([#130713](https://github.com/kubernetes/kubernetes/pull/130713), [@ArkaSaha30](https://github.com/ArkaSaha30)) [SIG Cluster Lifecycle, Node, Scheduling and Testing]
-- Use DRA API version to "v1" in "deviceattribute" package in "k8s.io/dynamic-resource-allocation" module ([#133164](https://github.com/kubernetes/kubernetes/pull/133164), [@everpeace](https://github.com/everpeace)) [SIG Node]
-- When proxying to an aggregated API server, kube-apiserver now uses the
-  EndpointSlices of the `service` indicated by the `APIServer`, rather than
-  using Endpoints.
-  
-  If you are using the aggregated API server feature, and you are writing out
-  the endpoints for it by hand (rather than letting kube-controller-manager
-  generate Endpoints and EndpointSlices for it automatically based on the
-  Service definition), then you should write out an EndpointSlice object rather
-  than (or in addition to) an Endpoints object. ([#129837](https://github.com/kubernetes/kubernetes/pull/129837), [@danwinship](https://github.com/danwinship)) [SIG API Machinery, Network and Testing]
-- Whenever a pod is successfully bound to a node, the kube-apiserver now clears the pod's `nominatedNodeName` field. This prevents stale information from affecting external scheduling components. ([#132443](https://github.com/kubernetes/kubernetes/pull/132443), [@utam0k](https://github.com/utam0k)) [SIG Apps, Node, Scheduling and Testing]
-
-### Failing Test
-
-- DRA driver helper: fixed handling of apiserver restart when running on a Kubernetes version which does not support the resource.k8s.io version used by the DRA driver. ([#133076](https://github.com/kubernetes/kubernetes/pull/133076), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-
-### Bug or Regression
-
-- Fix bug that prevents the alpha feature PodTopologyLabelAdmission to not work due to checking for the incorrect label key when copying topology labels. This bug delays the graduation of the feature to beta by an additional release to allow time for meaningful feedback. ([#132462](https://github.com/kubernetes/kubernetes/pull/132462), [@munnerz](https://github.com/munnerz)) [SIG Node]
-- Fix runtime cost estimation for x-int-or-string custom resource schemas with maximum lengths ([#132837](https://github.com/kubernetes/kubernetes/pull/132837), [@JoelSpeed](https://github.com/JoelSpeed)) [SIG API Machinery]
-- Fixed a bug that the async preemption feature keeps preemptor pods unnecessarily in the queue. ([#133167](https://github.com/kubernetes/kubernetes/pull/133167), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling]
-- Kubeadm: fix a bug where the default args for etcd are not correct when a local etcd image is used and the etcd version is less than 3.6.0. ([#133023](https://github.com/kubernetes/kubernetes/pull/133023), [@carlory](https://github.com/carlory)) [SIG Cluster Lifecycle]
-- Pods can't mix the usage of user-namespaces (`hostUsers: false`) and volumeDevices. Kubernetes now returns an error in this case. ([#132868](https://github.com/kubernetes/kubernetes/pull/132868), [@rata](https://github.com/rata)) [SIG Apps]
-- ReplicaSets and Deployments should always count `.status.availableReplicas` at the correct time without a delay. This results in faster reconciliation of Deployment conditions and faster, unblocked Deployment rollouts. ([#132121](https://github.com/kubernetes/kubernetes/pull/132121), [@atiratree](https://github.com/atiratree)) [SIG Apps]
-- The `baseline` and `restricted` pod security admission levels now block setting the `host` field on probe and lifecycle handlers ([#125271](https://github.com/kubernetes/kubernetes/pull/125271), [@tssurya](https://github.com/tssurya)) [SIG Auth, Node and Testing]
-- The garbage collection controller no longer races with changes to ownerReferences when deleting orphaned objects. ([#132632](https://github.com/kubernetes/kubernetes/pull/132632), [@sdowell](https://github.com/sdowell)) [SIG API Machinery and Apps]
-
-### Other (Cleanup or Flake)
-
-- APIVersion fields of the HorizontalPodAutoscaler API are now validated to ensure created API objects function properly ([#132537](https://github.com/kubernetes/kubernetes/pull/132537), [@lalitc375](https://github.com/lalitc375)) [SIG Etcd and Testing]
-- Added support for encoding and decoding types that implement the standard library interfaces json.Marshaler, json.Unmarshaler, encoding.TextMarshaler, or encoding.TextUnmarshaler to and from CBOR by transcoding. ([#132935](https://github.com/kubernetes/kubernetes/pull/132935), [@benluddy](https://github.com/benluddy)) [SIG API Machinery]
-- Kubeadm: instead of passing the etcd flag --experimental-initial-corrupt-check, set the InitialCorruptCheck=true etcd feature gate, and instead of passing the --experimental-watch-progress-notify-interval flag, pass its graduated variant --watch-progress-notify-interval. ([#132838](https://github.com/kubernetes/kubernetes/pull/132838), [@AwesomePatrol](https://github.com/AwesomePatrol)) [SIG Cluster Lifecycle]
-- Migrate Memory Manager to contextual logging ([#130727](https://github.com/kubernetes/kubernetes/pull/130727), [@swatisehgal](https://github.com/swatisehgal)) [SIG Node]
-- Migrate pkg/kubelet/volumemanager to contextual logging ([#131306](https://github.com/kubernetes/kubernetes/pull/131306), [@Chulong-Li](https://github.com/Chulong-Li)) [SIG Node]
-- Migrate pkg/kubelet/winstats to contextual logging ([#131001](https://github.com/kubernetes/kubernetes/pull/131001), [@Chulong-Li](https://github.com/Chulong-Li)) [SIG Node]
-- Removed deprecated gogo protocol definitions from `k8s.io/kms/apis` in favor of `google.golang.org/protobuf`. ([#132833](https://github.com/kubernetes/kubernetes/pull/132833), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Auth and Testing]
-- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/deviceplugin` in favor of `google.golang.org/protobuf`. ([#133028](https://github.com/kubernetes/kubernetes/pull/133028), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node and Testing]
-- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/podresources` in favor of `google.golang.org/protobuf`. ([#133027](https://github.com/kubernetes/kubernetes/pull/133027), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node and Testing]
-- Removed general avaliable feature-gate DevicePluginCDIDevices ([#132083](https://github.com/kubernetes/kubernetes/pull/132083), [@carlory](https://github.com/carlory)) [SIG Node and Testing]
-- Replaces timer ptr helper function with the "k8s.io/utils/ptr" implementations. ([#133030](https://github.com/kubernetes/kubernetes/pull/133030), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- The deprecated `LegacySidecarContainers` feature gate is completely removed. ([#131463](https://github.com/kubernetes/kubernetes/pull/131463), [@gjkim42](https://github.com/gjkim42)) [SIG Node and Testing]
-- Types: NodeInfo, PodInfo, QueuedPodInfo, PodResource, AffinityTerm, WeightedAffinityTerm, Resource, ImageStateSummary, ProtocolPort and HostPortInfo moved from pkg/scheduler/framework to staging repo.
-  Users should update import path for these types from "k8s.io/kubernetes/pkg/scheduler/framework" to "k8s.io/kube-scheduler/framework" and update use of fields (to use getter/setter functions instead) where needed. ([#132457](https://github.com/kubernetes/kubernetes/pull/132457), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Updates the etcd client library to v3.6.4 ([#133226](https://github.com/kubernetes/kubernetes/pull/133226), [@ivanvc](https://github.com/ivanvc)) [SIG API Machinery, Auth, Cloud Provider and Node]
-- Upgrades functionality of `kubectl kustomize` as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.7.0 ([#132593](https://github.com/kubernetes/kubernetes/pull/132593), [@koba1t](https://github.com/koba1t)) [SIG CLI]
-
-## Dependencies
-
-### Added
-_Nothing has changed._
-
-### Changed
-- cel.dev/expr: v0.23.1 → v0.24.0
-- github.com/fxamacker/cbor/v2: [v2.8.0 → v2.9.0](https://github.com/fxamacker/cbor/compare/v2.8.0...v2.9.0)
-- github.com/google/cel-go: [v0.25.0 → v0.26.0](https://github.com/google/cel-go/compare/v0.25.0...v0.26.0)
-- go.etcd.io/bbolt: v1.4.0 → v1.4.2
-- go.etcd.io/etcd/api/v3: v3.6.1 → v3.6.4
-- go.etcd.io/etcd/client/pkg/v3: v3.6.1 → v3.6.4
-- go.etcd.io/etcd/client/v3: v3.6.1 → v3.6.4
-- go.etcd.io/etcd/pkg/v3: v3.6.1 → v3.6.4
-- go.etcd.io/etcd/server/v3: v3.6.1 → v3.6.4
-- sigs.k8s.io/kustomize/api: v0.19.0 → v0.20.1
-- sigs.k8s.io/kustomize/cmd/config: v0.19.0 → v0.20.1
-- sigs.k8s.io/kustomize/kustomize/v5: v5.6.0 → v5.7.1
-- sigs.k8s.io/kustomize/kyaml: v0.19.0 → v0.20.1
-- sigs.k8s.io/structured-merge-diff/v6: v6.2.0 → v6.3.0
-- sigs.k8s.io/yaml: v1.5.0 → v1.6.0
-
-### Removed
-- github.com/google/shlex: [e7afc7f](https://github.com/google/shlex/tree/e7afc7f)
-
-
-
-# v1.34.0-beta.0
-
-
-## Downloads for v1.34.0-beta.0
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes.tar.gz) | e1a1cf79f95354bae349afa992f72cf8cb23aa9a016f67599de1f0c31572a00cd84f541163d0da3205ecfe421901a88dc2c9012cec91d45fa2f094d524059f92
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-src.tar.gz) | 7e2c9837dd9be43df835d999024d516d52d211ee7e65f995da8e6c45442c8a8b6e5bc3e13a9279fc401c58b3ad1ba2b0b37abba3719e0605dfb5cb5c752d7df7
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-darwin-amd64.tar.gz) | 1a3944812f26c37de6418f84d14e97366a1d2e268d8d61619f98f92778f3f3a9e30e4fd092ea0963ee19524284815803511e3d143c9f1b7df77f06728eddcefd
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-darwin-arm64.tar.gz) | 01bcf3e380e9b18e7db316c0a7968b9293ff0cee6bd6395f8b3a8fcfbd9bc660b3016cfa636498c28d35a0e8a221f56303bd34b136d044df2356f3085aa4e613
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-386.tar.gz) | 847526c7c2d2559f16ad1f6172d07590b4f35051a7bcf741c98067ace09fc92c52241f74a8c1d7ad1f4b713b26d8abc7059b47d97f4a8d9afc87d465b837dfd4
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-amd64.tar.gz) | 260d78b743af5e7a6563cf26df7a4a4e75987f1bce96de3cec020d47f1a2586a39f3058cc1668a0b77266bb131490c74c55eaf669766918c8379e3c9818abebe
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-arm.tar.gz) | f4dcc3597f2e005b51c4f3fc8323e119582fd00626ddaea6f2602810fd64fb65d1c1a795519d458b2c74ef5bd52467e6cd77b01972e858bb97d12f4ef2c81839
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-arm64.tar.gz) | 4cc18be405d27f797ccd93b2f3ae0fe985450a0cf6f35e023c91e4a116b8443e32ba99e07bbc93c8dc4d9739c5adbb888cbc16ba457e362975e907057d0f38c1
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-ppc64le.tar.gz) | 06eca6eb5dc82304566fc7194f1ae6f002a70dd031357608bbf65e9449840dcb55b37b1c61ff13e40f0eb95a0456bb6e5d692b14f806cd7e694ef71cb720bfb1
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-linux-s390x.tar.gz) | ed6db8acb534c557e3619628b78c1de5abcb31bda04e418296acc4fde54e23bba1ee42b4db9daefdf5622b09e3c9d4916461b85da10058d822251ac3da2eebca
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-windows-386.tar.gz) | 0302f1dea8c321f254b9aeb87882c82b28a4be74b4718f73840769e06c21a4a240d285ec89d94657522e49bd7550eda44a8e7312d83198c4b4f60990609beaae
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-windows-amd64.tar.gz) | 28dcf914521f31ed11d258fe1ff516eac9f7e1ed317bc55a816a2bca2ef41ce18140c296ea0c22e1a3808f82979ce8970e91951a982c33dd18e3fedb840ca4ad
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-client-windows-arm64.tar.gz) | ed50434e96f2fd80abaf3b9fa6befa96f829c086ac6b87d0d9f6ce9d6d3e10a22eb17928902b42b95ad4709a936e791d189b338af46fbe91d5391fde7c1f2904
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-server-linux-amd64.tar.gz) | 2862b8ed25f52542558fe48a6a584b02644a731decec878cfa0cee00173476f354d70a04efb84d084b87fe303291092d06e795e42e13a40c339699982a90044a
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-server-linux-arm64.tar.gz) | 1c00a6559f4f6c6190fe2265fb88cad4ac448eb3223dbd809976e3c85139d04b9cc02b4a9b80e9b42a2e4ee4a7a03a7a303ced49bc9673bff7be7cde7bb5f7a5
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-server-linux-ppc64le.tar.gz) | 7a998922d3fff36914ee690a5937d7b592f1916f68f7a31311065b25e7035cd38572df062e90680d56299b93be278c2fa24a370547270c07add274cf4a420d2f
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-server-linux-s390x.tar.gz) | 555b5690e99d0470ea7ca1bc4aebfda68a1126859962876db897b3024d5d7e352a3beeae4f2f3cba28a0d1b3c6edcf7094395492ff36fbc7d2d7a1e87ebb5fca
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-node-linux-amd64.tar.gz) | 4b029d2f1022c4fd84ad1afaeeff9ae4fd80593c90f3f30a633df04bde68fac182c72bd906575b779eff01cc2e7d18884d9b5b0a3259a02e3131976a4339d1e1
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-node-linux-arm64.tar.gz) | c65b44be119997d321d13d6f9d08e42b1576fb9515cbf646c730f72e4e80a47afa1e59ea55cf8a8de1aa93a9db586ecb7101b2f59633460f4a4381ded987051b
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-node-linux-ppc64le.tar.gz) | 837442a3311c2382b417e2d8cbf9638f9abc22f8584519becd44e9a161ef2cecee686a76977391f2c20b0477d5417d657ec29b9f0ab81e059a64f9566065f37b
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-node-linux-s390x.tar.gz) | 3c8232cd07d8869258cc4a7793fee524ec26847d32c4c6efe966946b81df6e36450acbfcbe199296b2ad79201875d00e7a8af8ceacc2c9681fdae9b4a11c2c0e
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-beta.0/kubernetes-node-windows-amd64.tar.gz) | 768c4cd582f4b708451d5f3fdacf048de7550251e468a9e255f1c5180602d7abca5f86f22a16089309e35c0f5eee18c9133cebe24830461e3471bc180efc3769
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-alpha.3
-
-## Changes by Kind
-
-### API Change
-
-- Added `tokenAttributes.cacheType` field to v1 credential provider config. This field is required to be set to either ServiceAccount or Token when configuring a provider that uses service account to fetch registry credentials. ([#132617](https://github.com/kubernetes/kubernetes/pull/132617), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
-- JWT authenticators specified via the `AuthenticationConfiguration.jwt` array can now optionally specify either the `controlplane` or `cluster` egress selector by setting the `issuer.egressSelectorType` field.  When unset, the prior behavior of using no egress selector is retained.  The StructuredAuthenticationConfigurationEgressSelector beta feature (default on) must be enabled to use this functionality. ([#132768](https://github.com/kubernetes/kubernetes/pull/132768), [@enj](https://github.com/enj)) [SIG API Machinery, Auth and Testing]
-- Promoted the `KubeletTracing` feature gate to GA. ([#132341](https://github.com/kubernetes/kubernetes/pull/132341), [@dashpole](https://github.com/dashpole)) [SIG Instrumentation and Node]
-- Replaces boolPtrFn helper functions with the "k8s.io/utils/ptr" implementation. ([#132907](https://github.com/kubernetes/kubernetes/pull/132907), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Architecture]
-- Simplied validation error message for invalid fields by removing redundant field name. ([#132513](https://github.com/kubernetes/kubernetes/pull/132513), [@xiaoweim](https://github.com/xiaoweim)) [SIG API Machinery, Apps, Auth, Node and Scheduling]
-- The `AuthorizeWithSelectors` and `AuthorizeNodeWithSelectors` feature gates are promoted to stable and locked on. ([#132656](https://github.com/kubernetes/kubernetes/pull/132656), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth and Testing]
-
-### Feature
-
-- Add DetectCacheInconsistency feature gate that allows apiserver to periodically compare consistency between cache and etcd. Inconsistency is reported to `apiserver_storage_consistency_checks_total` metric and results in cache snapshots being purged. ([#132884](https://github.com/kubernetes/kubernetes/pull/132884), [@serathius](https://github.com/serathius)) [SIG API Machinery, Instrumentation and Testing]
-- Add SizeBasedListCostEstimate feature gate, enabled by default, changing method of assigning APF seats to LIST request. Assign one seat per 100KB of data loaded to memory at once to handle LIST request. ([#132932](https://github.com/kubernetes/kubernetes/pull/132932), [@serathius](https://github.com/serathius)) [SIG API Machinery]
-- Add warning on use of alpha metrics with emulated versions. ([#132276](https://github.com/kubernetes/kubernetes/pull/132276), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery and Architecture]
-- Compact snapshots in watch cache based on etcd compaction ([#132876](https://github.com/kubernetes/kubernetes/pull/132876), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- Graduate `ConsistentListFromCache` to GA ([#132645](https://github.com/kubernetes/kubernetes/pull/132645), [@serathius](https://github.com/serathius)) [SIG API Machinery]
-- Kubeadm: started using a named port 'probe-port' for all probes in the static pod manifests for kube-apiserver, kube-controller-manager, kube-scheduler and etc. If you have previously patched the port values in probes with kubeadm patches, you must now also patch the named port value in the pod container under 'ports'. ([#132776](https://github.com/kubernetes/kubernetes/pull/132776), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
-- Kubernetes is now built using Go 1.24.5 ([#132896](https://github.com/kubernetes/kubernetes/pull/132896), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- New PreBindPreFlight function is added to PreBindPlugin interface. In-tree PreBind plugins now implement PreBindPreFlight function. ([#132391](https://github.com/kubernetes/kubernetes/pull/132391), [@sanposhiho](https://github.com/sanposhiho)) [SIG Node, Scheduling, Storage and Testing]
-- Prioritize resize requests by priorityClass and qos class when there is not enough room on the node to accept all the resize requests. ([#132342](https://github.com/kubernetes/kubernetes/pull/132342), [@natasha41575](https://github.com/natasha41575)) [SIG Node and Testing]
-- Promote Ordered Namespace Deletion to Conformance ([#132219](https://github.com/kubernetes/kubernetes/pull/132219), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture and Testing]
-
-### Bug or Regression
-
-- CLI: `kubectl get job` now displays the SuccessCriteriaMet status for the listed jobs. ([#132832](https://github.com/kubernetes/kubernetes/pull/132832), [@Goend](https://github.com/Goend)) [SIG Apps and CLI]
-- Change the node-local podresources API endpoint to only consider of active pods. Because this fix changes a long-established behavior, users observing a regressions can use the KubeletPodResourcesListUseActivePods feature gate (default on) to restore the old behavior. Please file an issue if you encounter problems and have to use the Feature Gate. ([#132028](https://github.com/kubernetes/kubernetes/pull/132028), [@ffromani](https://github.com/ffromani)) [SIG Node and Testing]
-- Fix kubelet token cache returning stale tokens when service accounts are recreated with the same name. The token cache is now UID-aware and the new `TokenRequestServiceAccountUIDValidation` feature gate (Beta, enabled by default) validates the TokenRequest UID when set matches the service account UID. ([#132803](https://github.com/kubernetes/kubernetes/pull/132803), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth, Node and Testing]
-- Fixed a bug that caused duplicate validation when updating a DaemonSet. ([#132548](https://github.com/kubernetes/kubernetes/pull/132548), [@gavinkflam](https://github.com/gavinkflam)) [SIG Apps]
-- Kube-proxy nftables now reject/drop traffic to service with no endpoints from filter chains at priority 0 (NF_IP_PRI_FILTER) ([#132456](https://github.com/kubernetes/kubernetes/pull/132456), [@aroradaman](https://github.com/aroradaman)) [SIG Network]
-- When both InPlacePodVerticalScaling and PodObservedGenerationTracking feature gates are set, fix the `observedGeneration` field exposed in the pod resize conditions to more accurately reflect which pod generation is associated with the condition. ([#131157](https://github.com/kubernetes/kubernetes/pull/131157), [@natasha41575](https://github.com/natasha41575)) [SIG Node]
-- Windows kube-proxy: ensures that Windows kube-proxy aligns with Linux behavior and correctly honors the EndpointSlice-provided port for internal traffic routing. ([#132647](https://github.com/kubernetes/kubernetes/pull/132647), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows]
-
-### Other (Cleanup or Flake)
-
-- Kubeadm: instead of passing the etcd flag --experimental-initial-corrupt-check, set the InitialCorruptCheck=true etcd feature gate, and instead of passing the --experimental-watch-progress-notify-interval flag, pass its graduated variant --watch-progress-notify-interval. ([#132838](https://github.com/kubernetes/kubernetes/pull/132838), [@AwesomePatrol](https://github.com/AwesomePatrol)) [SIG Cluster Lifecycle]
-- Masked off access to Linux thermal interrupt info in `/proc` and `/sys`. ([#131018](https://github.com/kubernetes/kubernetes/pull/131018), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node]
-- NONW ([#132890](https://github.com/kubernetes/kubernetes/pull/132890), [@atiratree](https://github.com/atiratree)) [SIG Apps]
-- Promoted two EndpointSlice tests to conformance, to require that service
-  proxy implementations are based on EndpointSlices rather than Endpoints. ([#132019](https://github.com/kubernetes/kubernetes/pull/132019), [@danwinship](https://github.com/danwinship)) [SIG Architecture, Network and Testing]
-- Reduced excessive logging from the volume binding scheduler plugin by lowering verbosity of high-frequency messages from V(4) to V(5). ([#132840](https://github.com/kubernetes/kubernetes/pull/132840), [@ppmechlinski](https://github.com/ppmechlinski)) [SIG Autoscaling, Scheduling and Storage]
-
-## Dependencies
-
-### Added
-- sigs.k8s.io/structured-merge-diff/v6: v6.2.0
-
-### Changed
-- k8s.io/kube-openapi: d90c4fd → f3f2b99
-
-### Removed
-- sigs.k8s.io/structured-merge-diff/v4: v4.7.0
-
-
-
-# v1.34.0-alpha.3
-
-
-## Downloads for v1.34.0-alpha.3
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes.tar.gz) | ec76c311b4aa0bcc97d4a83e6586a14081129343721bf844f0907ec2e14cad1ba4d0db04b667de963043c0fd4b410f7fe90788c10f070fa3b8ad0aa340e2dc5f
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-src.tar.gz) | b99cf04b86438285c24872e6ec2fdc03998a95b88e502e457ea03fba01beb870ef34e57055f7a14a016ae102906a1ed32ea20ddada31c9c1fa467c47b203d1f9
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-darwin-amd64.tar.gz) | 5f2b298b4f1c27e06e79258b2ac840a36f70d46bd95b776d01bee89c1821b8a1138556224d4c23b8e582ca1676e0125bda8ebc93e8db0a92ede240efa169b01f
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-darwin-arm64.tar.gz) | 719d4d81d85cf7f73e6f461e17c1559768f4e084753d0b210603e920b2ee6d687350e7ba5ae0bfa160630c02159e2900936ebde03104050f2eb6906b24573694
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-386.tar.gz) | 07ec8bd3d5308431bb4cf17dc8937ad13b95a2aab35fa0389479776228cc0f47756d1791d2371a66fa8f045d1894ac6d0dec4e42a3f96e443ea961cd2e7477ee
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-amd64.tar.gz) | 5c4613fa4b8de852147a24e7c80894f1588e93023cff4bfe58725e2b141f5417662bcf837272c41eeaf8a91382eca3e6015b27cca099e516ba2e08214521279a
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-arm.tar.gz) | 1204c3f108b5e83a081b31af13d9e3185f0ff3c9547213ecbd854293b89661f5060c2b10a2c73d8bb6d5099438287dedbcdf88f33de6bc95a060e2d634d80652
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-arm64.tar.gz) | 763d07a3a3f69b42047686e81e6cc137f9ef4b7ab2f50cc7bfbb26b8a15e011549501893e5cb9b77de0008cc77631fd8f37d113c0f0ee6a17e6435da06c269a2
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-ppc64le.tar.gz) | ad4f45f8402014da35a3ff1daa5cfaafedd2d7e579bff1a0a87f49647e2d8488eb2b791776de3e4d5ac25631f13ec9c0bc64e7e0edd9f9049619659b9ebf9305
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-linux-s390x.tar.gz) | aba923f458d8f8d4c27b0144f40cac186663884447a5a67c20d2fb59d0c9ebd83e8d7480555365562e97c88992d28ffdd20378ce18412465a0356b2c20fa5dff
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-windows-386.tar.gz) | b5b1a854e0298f2f401627ecec5bd61fad8ccb7f77a42b5c34e6c0dc8f4f5e7485d13525f2775b160b15277d591d46c1633acddea60dd2b20949794f0f80a4e5
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-windows-amd64.tar.gz) | 75b60210f1e6994abc4da9fceb23290438be81c094e27b2025c96addde4cbc034348dde0d50098db22aeceed3e3d6dd855d8d740d36e0f16932ca4ae537542d0
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-client-windows-arm64.tar.gz) | f997fa3ba6081273b46e6a71a98fcee06c0df36e045fd43eb38454b28dcf3863e8e5f053cc14057f9cfd53267ae611477f5410a2305d56b7a60a88f4c0cb36bd
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-server-linux-amd64.tar.gz) | 3313f4746bdfaf7bd86bd72d035c552ae800426f5546eb23b83bdb3178e378d3aa5c4a59bc2b5ce5d97755432879812a293f582ca1dec3733e95adc5a5c07524
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-server-linux-arm64.tar.gz) | add5d69f2d48656649d1712c476a9de99ef2fcf4473d982b78b834e5ad544cf947a9fc35324552cd38e3824ea96194a81d76bc99111bfc725b9aa9212da8e88d
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-server-linux-ppc64le.tar.gz) | f2038f7382e660e8c97c4efa05adcb3d785ccd550597a50aa9d98e04e9bf1f29b5ac0c5d3d686f01870d64949dc43cf83e176c718fddc20f84ed38bd44f8ba54
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-server-linux-s390x.tar.gz) | 077708405b4b22ebeaee8feeddbe1134374008129cc0cc40830434fa762f549f5950c1c2f76b72ddfab2ccc972e3325cb360a13acdbe54729a1eae0324b60b08
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-node-linux-amd64.tar.gz) | 9c0a3e76311789bfbaa3d8e27c289e5b5ab142ab0269dd5922016d2e3e8be6ddffd60ba1a57d6deb2571e4826bec1aab81c98a973d633b263ac316275ee01251
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-node-linux-arm64.tar.gz) | 1289b5e39164eaac2acce143dbb389341966e06b8b0261eb0eb4eb774848dd34f35b78d22b56d1613d5a6801868881415af62aa15ff8b1cbedbec9cad0567591
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-node-linux-ppc64le.tar.gz) | 235d060ddd4c3da0b58fdb64a6a25b03690b7eb9c2888201b86d269f29d2a4e70000cea9711dff472626e78b56e228b9ffd16ab89442c54991de44bc8c3d9344
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-node-linux-s390x.tar.gz) | 8e9ca919e77e0ff226e92c036ac35ab284aa07fdd2e01b01bb4352d04acd567f40edc4caf934092cb3c1b04ac4ea281ef6681b6589d9e43ea25ae038381e95ad
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.3/kubernetes-node-windows-amd64.tar.gz) | 421cf6c68c5e0603f67dd44ac0d4d02c6feb3e60e9608268cdc4b498718c99b2cef4842fb7df60feaa99dc18d650164a0fcc31fbf896653ea4b6d126e0683d14
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-alpha.2
-
-## Changes by Kind
-
-### API Change
-
-- DRA: the v1alpha4 kubelet gRPC API (added in 1.31, superseded in 1.32) is no longer supported. DRA drivers using the helper package from Kubernetes  >= 1.32 use the v1beta1 API and continue to be supported. ([#132574](https://github.com/kubernetes/kubernetes/pull/132574), [@pohly](https://github.com/pohly)) [SIG Node]
-- Deprecate StreamingConnectionIdleTimeout field of the kubelet config. ([#131992](https://github.com/kubernetes/kubernetes/pull/131992), [@lalitc375](https://github.com/lalitc375)) [SIG Node]
-- Removed deprecated gogo protocol definitions from `k8s.io/cri-api` in favor of `google.golang.org/protobuf`. ([#128653](https://github.com/kubernetes/kubernetes/pull/128653), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery, Auth, Instrumentation, Node and Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the apiextensions-apiserver apiextensions. ([#132723](https://github.com/kubernetes/kubernetes/pull/132723), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the component-base. ([#132754](https://github.com/kubernetes/kubernetes/pull/132754), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Architecture, Instrumentation and Scheduling]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the kube-aggregator apiregistration. ([#132701](https://github.com/kubernetes/kubernetes/pull/132701), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaces Boolean-pointer-helper functions with the "k8s.io/utils/ptr" implementations. ([#132794](https://github.com/kubernetes/kubernetes/pull/132794), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Auth, CLI, Node and Testing]
-- Replaces deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the apiserver (1/2). ([#132751](https://github.com/kubernetes/kubernetes/pull/132751), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Simplied validation error message for required fields by removing redundant messages. ([#132472](https://github.com/kubernetes/kubernetes/pull/132472), [@xiaoweim](https://github.com/xiaoweim)) [SIG API Machinery, Apps, Architecture, Auth, Cloud Provider, Network, Node and Storage]
-
-### Feature
-
-- Add configurable flags to kube-apiserver for coordinated leader election. ([#132433](https://github.com/kubernetes/kubernetes/pull/132433), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery and Testing]
-- Add support for --cpu, --memory flag to kubectl autoscale, start deprecating --cpu-precent. ([#129373](https://github.com/kubernetes/kubernetes/pull/129373), [@googs1025](https://github.com/googs1025)) [SIG CLI]
-- Added SizeBasedListCostEstimate feature gate that allows apiserver to estimate sizes of objects to calculate cost of LIST requests ([#132355](https://github.com/kubernetes/kubernetes/pull/132355), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
-- DRA kubelet: the kubelet now also cleans up ResourceSlices in some additional failure scenarios (driver gets removed forcibly or crashes and does not restart). ([#132058](https://github.com/kubernetes/kubernetes/pull/132058), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- Graduate `StreamingCollectionEncodingToJSON` and `StreamingCollectionEncodingToProtobuf` to GA ([#132648](https://github.com/kubernetes/kubernetes/pull/132648), [@serathius](https://github.com/serathius)) [SIG API Machinery]
-- Kubeadm: graduated the kubeadm specific feature gate WaitForAllControlPlaneComponents to GA. The feature gate is now locked to always enabled and on node initialization kubeadm will perform a health check for all control plane components and not only the kube-apiserver. ([#132594](https://github.com/kubernetes/kubernetes/pull/132594), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
-- Static pods that reference API objects are now denied admission by the kubelet so that static pods would not be silently running even after the mirror pod creation fails. ([#131837](https://github.com/kubernetes/kubernetes/pull/131837), [@sreeram-venkitesh](https://github.com/sreeram-venkitesh)) [SIG Auth, Node and Testing]
-- The new `dra_resource_claims_in_use` kubelet metrics informs about active ResourceClaims, overall and by driver. ([#131641](https://github.com/kubernetes/kubernetes/pull/131641), [@pohly](https://github.com/pohly)) [SIG Architecture, Instrumentation, Node and Testing]
-- When `RelaxedServiceNameValidation` feature gate is enabled, the 
-  names of new Services names are validation with `NameIsDNSLabel()`,
-  relaxing the  pre-existing validation. ([#132339](https://github.com/kubernetes/kubernetes/pull/132339), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Apps, Network and Testing]
-
-### Failing Test
-
-- Fixed e2e test "[Driver: csi-hostpath] [Testpattern: Dynamic PV (filesystem volmode)] volumeLimits should support volume limits]" not to leak Pods and namespaces. ([#132674](https://github.com/kubernetes/kubernetes/pull/132674), [@jsafrane](https://github.com/jsafrane)) [SIG Storage and Testing]
-
-### Bug or Regression
-
-- Add podSpec validation for create StatefulSet ([#131790](https://github.com/kubernetes/kubernetes/pull/131790), [@chengjoey](https://github.com/chengjoey)) [SIG Apps, Etcd and Testing]
-- Clarify help message of --ignore-not-found flag. Support --ignore-not-found in `watch` operation. ([#132542](https://github.com/kubernetes/kubernetes/pull/132542), [@gemmahou](https://github.com/gemmahou)) [SIG CLI]
-- DRA drivers: the resource slice controller sometimes didn't react properly when kubelet or someone else deleted a recently created ResourceSlice. It incorrectly assumed that the ResourceSlice still exists and didn't recreate it. ([#132683](https://github.com/kubernetes/kubernetes/pull/132683), [@pohly](https://github.com/pohly)) [SIG Apps, Node and Testing]
-- Ensure objects are transformed prior to storage in SharedInformers if a transformer is provided and `WatchList` is activated ([#131799](https://github.com/kubernetes/kubernetes/pull/131799), [@valerian-roche](https://github.com/valerian-roche)) [SIG API Machinery]
-- Fix validation for Job with suspend=true, and completions=0 to set the Complete condition. ([#132614](https://github.com/kubernetes/kubernetes/pull/132614), [@mimowo](https://github.com/mimowo)) [SIG Apps and Testing]
-- Fixed a bug that fails to create a replica set when a deployment name is too long. ([#132560](https://github.com/kubernetes/kubernetes/pull/132560), [@hdp617](https://github.com/hdp617)) [SIG API Machinery and Apps]
-- Fixed the bug when swap related metrics were not available in `/metrics/resource` endpoint. ([#132065](https://github.com/kubernetes/kubernetes/pull/132065), [@yuanwang04](https://github.com/yuanwang04)) [SIG Node and Testing]
-- Fixed the problem of validation error when specifying resource requirements at the container level for a resource not supported at the pod level. It implicitly interpreted the pod-level value as 0. ([#132551](https://github.com/kubernetes/kubernetes/pull/132551), [@chao-liang](https://github.com/chao-liang)) [SIG Apps]
-- HPA status now displays memory metrics using Ki ([#132351](https://github.com/kubernetes/kubernetes/pull/132351), [@googs1025](https://github.com/googs1025)) [SIG Apps and Autoscaling]
-- Removed defunct `make vet` target, please use `make lint` instead ([#132509](https://github.com/kubernetes/kubernetes/pull/132509), [@yongruilin](https://github.com/yongruilin)) [SIG Testing]
-- Statefulset now respects minReadySeconds ([#130909](https://github.com/kubernetes/kubernetes/pull/130909), [@Edwinhr716](https://github.com/Edwinhr716)) [SIG Apps]
-
-### Other (Cleanup or Flake)
-
-- Removed deprecated gogo protocol definitions from `k8s.io/externaljwt` in favor of `google.golang.org/protobuf`. ([#132772](https://github.com/kubernetes/kubernetes/pull/132772), [@saschagrunert](https://github.com/saschagrunert)) [SIG Auth]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for ./test/e2e and ./test/utils. ([#132763](https://github.com/kubernetes/kubernetes/pull/132763), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Autoscaling and Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for ./test/e2e. ([#132764](https://github.com/kubernetes/kubernetes/pull/132764), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth, Network, Node, Storage and Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for ./test/e2e. ([#132765](https://github.com/kubernetes/kubernetes/pull/132765), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps, CLI and Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for ./test/integration ([#132762](https://github.com/kubernetes/kubernetes/pull/132762), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for apiextensions apiservers validation tests. ([#132726](https://github.com/kubernetes/kubernetes/pull/132726), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for apiextensions-apiserver pkg/controller. ([#132724](https://github.com/kubernetes/kubernetes/pull/132724), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for apiextensions-apiserver pkg/registry. ([#132725](https://github.com/kubernetes/kubernetes/pull/132725), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for pkg/apis (1/2). ([#132778](https://github.com/kubernetes/kubernetes/pull/132778), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps and Network]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for pkg/apis (2/2). ([#132779](https://github.com/kubernetes/kubernetes/pull/132779), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps, Auth and Storage]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for pkg/controller (1/2). ([#132781](https://github.com/kubernetes/kubernetes/pull/132781), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps and Network]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for pkg/controller (2/2). ([#132784](https://github.com/kubernetes/kubernetes/pull/132784), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery, Apps, Network, Node and Storage]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for pod-security-admission tests. ([#132741](https://github.com/kubernetes/kubernetes/pull/132741), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the apiextensions-apiservers integration tests. ([#132721](https://github.com/kubernetes/kubernetes/pull/132721), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the cli-runtime. ([#132750](https://github.com/kubernetes/kubernetes/pull/132750), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG CLI and Release]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the cloud-provider. ([#132720](https://github.com/kubernetes/kubernetes/pull/132720), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Cloud Provider and Network]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the components-helper of the apimachinery. ([#132413](https://github.com/kubernetes/kubernetes/pull/132413), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the controller-manager. ([#132753](https://github.com/kubernetes/kubernetes/pull/132753), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Cloud Provider]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the csr. ([#132699](https://github.com/kubernetes/kubernetes/pull/132699), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the e2e_node. ([#132755](https://github.com/kubernetes/kubernetes/pull/132755), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Node and Testing]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the kubeapiserver. ([#132529](https://github.com/kubernetes/kubernetes/pull/132529), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Architecture]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the pkg/security and plugin/pkg. ([#132777](https://github.com/kubernetes/kubernetes/pull/132777), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth, Node and Release]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the pod-security-admission admissiontests. ([#132742](https://github.com/kubernetes/kubernetes/pull/132742), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the pod-security-admission policy. ([#132743](https://github.com/kubernetes/kubernetes/pull/132743), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth]
-- Replaced deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the reflector. ([#132698](https://github.com/kubernetes/kubernetes/pull/132698), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery]
-- Replaces deprecated package 'k8s.io/utils/pointer' with 'k8s.io/utils/ptr' for the apiserver (2/2). ([#132752](https://github.com/kubernetes/kubernetes/pull/132752), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Auth]
-- Replaces toPtr helper functions with the "k8s.io/utils/ptr" implementations. ([#132806](https://github.com/kubernetes/kubernetes/pull/132806), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps, Testing and Windows]
-- Types: ClusterEvent, ActionType, EventResource, ClusterEventWithHint, QueueingHint and QueueingHintFn moved from pkg/scheduler/framework to k8s.io/kube-scheduler/framework. ([#132190](https://github.com/kubernetes/kubernetes/pull/132190), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Types: Code and Status moved from pkg/scheduler/framework to staging repo.
-  Users should update import path for these types from "k8s.io/kubernetes/pkg/scheduler/framework" to "k8s.io/kube-scheduler/framework" ([#132087](https://github.com/kubernetes/kubernetes/pull/132087), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Update etcd version to v3.6.1 ([#132284](https://github.com/kubernetes/kubernetes/pull/132284), [@ArkaSaha30](https://github.com/ArkaSaha30)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
-
-## Dependencies
-
-### Added
-- go.yaml.in/yaml/v2: v2.4.2
-- go.yaml.in/yaml/v3: v3.0.4
-
-### Changed
-- github.com/emicklei/go-restful/v3: [v3.11.0 → v3.12.2](https://github.com/emicklei/go-restful/compare/v3.11.0...v3.12.2)
-- github.com/google/gnostic-models: [v0.6.9 → v0.7.0](https://github.com/google/gnostic-models/compare/v0.6.9...v0.7.0)
-- k8s.io/kube-openapi: 8b98d1e → d90c4fd
-- sigs.k8s.io/json: 9aa6b5e → cfa47c3
-- sigs.k8s.io/yaml: v1.4.0 → v1.5.0
-
-### Removed
-_Nothing has changed._
-
-
-
-# v1.34.0-alpha.2
-
-
-## Downloads for v1.34.0-alpha.2
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes.tar.gz) | 566db0b881557117fd7038bb5f25c46c727d2cc6a7cf3de0afc720eeeecfce947ae0e1b5162173a3ebfb915cfcc2c05fe8ab61db4551ac882a2756ad333d6337
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-src.tar.gz) | 3ccccf95776d0639455cead6d74a04e1af8f244915c583213b70f688ffd0cb291752da48589134eac5392ff1f6fb5046803d1e35f70475bcf74ded85c587df49
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-darwin-amd64.tar.gz) | 058f6b47787adabfbb191ef80888633cddf5e2e36be6bb113da7db2c239c2691ad5467d381b09ca78bf9c54397a7eb0d54f2025ba7314c504eee4537787982b1
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-darwin-arm64.tar.gz) | 1e22f2b5c699e991daa282aaa1475d37e1614e4d90022dadc205b64c988c5050005a2347d0e93c9b0804c0db1fd0eb1f8eb4f86a0811638ccd9324cda95265fa
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-386.tar.gz) | dacff605a6be45b4844b5120e420aedeea422297de1c9d5b5bc5926cc730efdc13f9881c75cb346159cb8a4e0a4364070299ffcc41494dbdd8ece6f698238658
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-amd64.tar.gz) | 38f5c80ad4cf1c8e422d5ac54cf6e5ea93425bd4fe4dd8d9ac011734e2b187769f74da749240bea1cc3a850ea6530dcbc27979af8fc9d86b3ec3299362c54e03
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-arm.tar.gz) | e8e116b2603e961d6090da8755d61c895a5ec7e9b6bf0bfc52a6a2b45c2111c73f7c30496dfdc624778c9ce74aa116206c0b3adcc41b046d06d8301a55218679
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-arm64.tar.gz) | ece12bddbae26f6d63e39482985a43429b768d82bc6c1b523724c134d98f52ae41c64f66d267d53400566bf0428021228c9cf9b0b663399ab27c08304bbe193f
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-ppc64le.tar.gz) | 4346923ea8eae6e51c07fa53a6a6f72d75ca6a50db5ae255c9902f4bd7af0a1cde359f9d6c2a84253c74e4d32f32ee81abe8b1dfaabb0206f871c57ba1eacb73
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-linux-s390x.tar.gz) | e7f93440b0497bab07db1f5bf70be61148abe555a8aa83712201128056a0e53c0273a7269ba92c65af0095bb9e69d3bfe85359720969bca1399d21e0b04b1264
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-windows-386.tar.gz) | 5a43893f34cac36608a7817c1116c43b71411ef75d71188886672941db7d8080efcb94e183b0beadc852b36b12986eb356bdde4c4a7729e284e214ba8cf43fea
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-windows-amd64.tar.gz) | 52f3514824ab0a152eaf588722f56e6d12366ecf8479e1cd11f0e878ed7c9b0b5ec528cdb7dd0f03273eef704adeaa3cce3918e89bd7a4c15480130aa5c6b5f3
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-client-windows-arm64.tar.gz) | 5f31dfc54626f31feff6373a7282cf624779a79b2178f0d7ff4e977652c5f8bc2b2c64de1b6db22eda9c563a4980b3b72b134ff2a1743a5b196ab3eeb6f5e452
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-server-linux-amd64.tar.gz) | b13750ef0157384cf353ef6a4471fd17706c3bf3bd7bed2c84efc57f8863f3c7306a09813d8788fcd97d0e7e0929f4c136e2ac047c30fef2c45d4fb3d0bbe8ff
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-server-linux-arm64.tar.gz) | 84d004c4df9c46a280abfca2af02d5601d07fa8e1355b4ebfc2dcc069829804650a1097f97254c4f4ad0423b7f4828c76dfd2a56348aa1339f5518bbb9257c8e
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-server-linux-ppc64le.tar.gz) | f1cb4b333fc9bc696a3a75b4b0a846fe9f207c79fcfac438f2d3e3a709d23039c3f1507ea6e03dff2b5a4ef737052c613d354efe3b034384544ebf99551be7ea
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-server-linux-s390x.tar.gz) | ded6953d4d2b04f589a24f5e6e21aa3630d9a12f5562d8c8e6301660b1fa04782523500d74bb5399a8cb0d6102546bd1000591c3dd8464d98a3d3399576a20e7
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-node-linux-amd64.tar.gz) | e4e4e2ac9acb4d36aded75ee4e841947b8eec2e66b08d11b01b662c5372be51cd746b9a87248a03be45c49de9aa53a31904b38a3e1253f0aaecc5e5b774cb4d7
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-node-linux-arm64.tar.gz) | 40318c61e6b060c18d2cd80143d83bab9178275f099e65b82161334eb9970ec9151b581654151799532564c92c4a3730abeb00a9e88ddcfddd66ed69d09c9921
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-node-linux-ppc64le.tar.gz) | 778ca04559776b3e03537e13ff9f2136ae7fdb71c2a130e9734761cb2ad278f1af9e7285a132f2f77f49566f0c302ef8ca7f3694f84e48c93f5585236718cd8e
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-node-linux-s390x.tar.gz) | b6b0865359b6c767b233374918263d05cfd8fb52130b67ca7db2dcc01df119efbff89041a6310dbed77c96aa8faeb5a50bd1c184ccd9e5441eb09c1cb6df8e03
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.2/kubernetes-node-windows-amd64.tar.gz) | 9374a3ec4ea2d417a63fef4809e982b9cc62f98ef67cd0bcabb7b673f1efaa82c66724bf605e658d0905cf9ee61f61f1ab00a077a330ee1e4197c06c582d9a37
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.34.0-alpha.1
-
-## Changes by Kind
-
-### Deprecation
-
-- Apimachinery: deprecated MessageCountMap and CreateAggregateFromMessageCountMap ([#132376](https://github.com/kubernetes/kubernetes/pull/132376), [@tico88612](https://github.com/tico88612)) [SIG API Machinery]
-
-### API Change
-
-- Add a `runtime.ApplyConfiguration` interface that is implemented by all generated applyconfigs ([#132194](https://github.com/kubernetes/kubernetes/pull/132194), [@alvaroaleman](https://github.com/alvaroaleman)) [SIG API Machinery and Instrumentation]
-- Added omitempty and opt tag to the API v1beta2 AdminAccess type in the DeviceRequestAllocationResult struct. ([#132338](https://github.com/kubernetes/kubernetes/pull/132338), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Auth]
-- Introduces OpenAPI format support for `k8s-short-name` and `k8s-long-name`. ([#132504](https://github.com/kubernetes/kubernetes/pull/132504), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
-- Promoted Job Pod Replacement Policy to general availability. The `JobPodReplacementPolicy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([#132173](https://github.com/kubernetes/kubernetes/pull/132173), [@dejanzele](https://github.com/dejanzele)) [SIG Apps and Testing]
-- This PR corrects that documentation, making it clear to users that podSelector is optional and describes its default behavior. ([#131354](https://github.com/kubernetes/kubernetes/pull/131354), [@tomoish](https://github.com/tomoish)) [SIG Network]
-
-### Feature
-
-- Added a delay to node updates after kubelet startup. A random offset, based on the configured `nodeStatusReportFrequency`, helps spread the traffic and load (due to node status updates) more evenly over time. The initial status update can be up to 50% earlier or 50% later than the regular schedule. ([#130919](https://github.com/kubernetes/kubernetes/pull/130919), [@mengqiy](https://github.com/mengqiy)) [SIG Node]
-- Included namespace in the output of the kubectl delete for clearer identification of resources. ([#126619](https://github.com/kubernetes/kubernetes/pull/126619), [@totegamma](https://github.com/totegamma)) [SIG CLI]
-- Kube-apiserver: each unique set of etcd server overrides specified with `--etcd-servers-overrides` now surface health checks named `etcd-override-<index>` and `etcd-override-readiness-<index>`. These checks are still excluded by `?exclude=etcd` and `?exclude=etcd-readiness` directives. ([#129438](https://github.com/kubernetes/kubernetes/pull/129438), [@pacoxu](https://github.com/pacoxu)) [SIG API Machinery and Testing]
-
-### Bug or Regression
-
-- Fix regression introduced in 1.33  - where some Paginated LIST calls are falling back to etcd instead of serving from cache. ([#132244](https://github.com/kubernetes/kubernetes/pull/132244), [@hakuna-matatah](https://github.com/hakuna-matatah)) [SIG API Machinery]
-- Fixed API response for StorageClassList queries and returns a graceful error message, if the provided ResourceVersion is too large. ([#132374](https://github.com/kubernetes/kubernetes/pull/132374), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG API Machinery and Etcd]
-- Fixed an issue which allowed Custom Resources to be created with Server-Side Apply even when its CustomResourceDefinition was terminating. ([#132467](https://github.com/kubernetes/kubernetes/pull/132467), [@sdowell](https://github.com/sdowell)) [SIG API Machinery]
-- Removed the deprecated flag '--wait-interval' for the ip6tables-legacy-restore binary. ([#132352](https://github.com/kubernetes/kubernetes/pull/132352), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Network]
-
-### Other (Cleanup or Flake)
-
-- Conntrack reconciler now considers service's target port during cleanup of stale flow entries. ([#130542](https://github.com/kubernetes/kubernetes/pull/130542), [@aroradaman](https://github.com/aroradaman)) [SIG Network]
-- Job controller uses controller UID index for pod lookups. ([#132305](https://github.com/kubernetes/kubernetes/pull/132305), [@xigang](https://github.com/xigang)) [SIG Apps]
-- Removed the deprecated `--register-schedulable` command line argument from the kubelet. ([#122384](https://github.com/kubernetes/kubernetes/pull/122384), [@carlory](https://github.com/carlory)) [SIG Cloud Provider, Node and Scalability]
-- Removes the `kubernetes.io/initial-events-list-blueprint` annotation from the synthetic "Bookmark" event for the watch stream requests. ([#132326](https://github.com/kubernetes/kubernetes/pull/132326), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery]
-
-## Dependencies
-
-### Added
-- go.yaml.in/yaml/v2: v2.4.2
-- go.yaml.in/yaml/v3: v3.0.3
-
-### Changed
-- k8s.io/kube-openapi: c8a335a → 8b98d1e
-- sigs.k8s.io/yaml: v1.4.0 → v1.5.0
-
-### Removed
-_Nothing has changed._
-
-
-
-# v1.34.0-alpha.1
-
-
-## Downloads for v1.34.0-alpha.1
-
-
-
-### Source Code
-
-filename | sha512 hash
--------- | -----------
-[kubernetes.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes.tar.gz) | 4125206915e9f0cd7bffd77021f210901bade4747d84855c8210922c82e2085628a05b81cef137e347b16a05828f99ac2a27a8f8f19a14397011031454736ea0
-[kubernetes-src.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-src.tar.gz) | c1dfe0a1df556adcad5881a7960da5348feacc23894188b94eb75be0b156912ab8680b94e2579a96d9d71bff74b1c813b8592de6926fba8e5a030a88d8b4b208
-
-### Client Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-darwin-amd64.tar.gz) | 22c4d1031297ea1833b3cd3e6805008c34b66f932ead3818db3eb2663a71510a8cdb53a05852991d54e354800ee97a2aad4afc31726d956f38c674929ce10778
-[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-darwin-arm64.tar.gz) | 6be320d2075d8a7835751c019556059ff2fca704d0bbeeff181248492d8ed6fcc2d6d6b68c509e4453431100b06a20268e61b9e434b638a78ebfad68e7c41276
-[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-386.tar.gz) | e63ac6b7127591068626a3d7caf0e1bae6390106f6c93efae34b18e38af257f1521635eb2adf76c40ad0f0d9a5397947bbb0215087d4d2e87ce6f253b6aec1a4
-[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-amd64.tar.gz) | 12dc8dc4997b71038c377bfd9869610110cebb20afcb051e85c86832f75bc8e7eabbb08b5caa00423c5f8df68210ad5ca140a61d4a8e9ad8640f648250205752
-[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-arm.tar.gz) | 0a7f8df6abfe9971f778add6771135d7079c245b18dd941eacf1230f75f461e7d8302142584aa4d60062c8cfd4e021f21ae5aa428d82b5fbe3697bda0e5854ff
-[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-arm64.tar.gz) | b1442640ac1e45268e9916d0c51e711b7640fd2594ecad05a0d990c19db2e0dcde53cc90fb13588a2b926e25c831f62bf5461fa9c8e6a03a83573cc1c3791903
-[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-ppc64le.tar.gz) | e5a028da7fcb24aee85d010741c864fa4e5a3d6c87223b5c397686107a53dd2801a8c75cf9e1046ab28c97b06a5457aa6b3e4f809cd46cbe4858f78b2cb6a4df
-[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-linux-s390x.tar.gz) | 4d3fce13d8f29e801c4d7355f83ded4d2e4abcc0b788f09d616ef7f89bd04e9d92d0b32e6e365118e618b32020d8b43e4cbd59a82262cc787b98f42e7df4ddbc
-[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-windows-386.tar.gz) | 3bbe15f8856cab69c727b02766024e1bb430add8ad18216929a96d7731d255c5d5bb6b678a4d4e7a021f2e976633b69c0516c2260dcc0bee7d2447f64bd52fe8
-[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-windows-amd64.tar.gz) | 1833d8b09d5524df91120115667f897df47ad66edb57d2570e022234794c4d0d09212fca9b0b64e21ccc8ce6dcd41080bf9198c81583949cb8001c749f25e8a0
-[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-client-windows-arm64.tar.gz) | c0819674e11923b38d2df7cb9955929247a5b0752c93fc5215300da3514c592348cbe649a5c6fd6ac63500c6d68cf61a2733c099788164547e3f7738afe78ecf
-
-### Server Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-server-linux-amd64.tar.gz) | acd0b0b6723789780fd536894a965001056e94e92e2070edacdb53d2d879f56a90cc2c1ad0ff6d634ed74ef4debcefa01eee9f675cc4c70063da6cc52cc140d3
-[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-server-linux-arm64.tar.gz) | 31321659424b4847ec456ae507486efe57c8e903c2bc450df65ffc3bc90011ba050e8351ab32133943dfebd9d6e8ad47f2546a7cdc47e424cdaf0dc7247e08c3
-[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-server-linux-ppc64le.tar.gz) | fe81aa313be46ed5cc91507e58bc165e98722921d33473c29d382dceb948b1ffc0437d74825277a7da487f9390dec64f6a70617b05e0441c106fa87af737b90c
-[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-server-linux-s390x.tar.gz) | 69a54f40e7a8684a6a1606f0463266d83af615f70a55d750031d82601c8070f4f9161048018c78e0859faa631ec9984fc20af3bc17240c8fc9394c6cbffacaf9
-
-### Node Binaries
-
-filename | sha512 hash
--------- | -----------
-[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-node-linux-amd64.tar.gz) | 797a5df349e571330e8090bd78f024d659d0d46e8a7352210b80ac594ef50dc2f3866240b75f7c0d2e08fa526388d0dfdcb91b4686f01b547c860a2d0a9846a7
-[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-node-linux-arm64.tar.gz) | 552a114facbd42c655574953186ba15a91c061b3db9ad25e665892c355347bf841e1bf716f8e28a16f1f1b37492911103212ec452bf5e663f8fcf26fae3ccc6a
-[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-node-linux-ppc64le.tar.gz) | 7f08bad1921127fdceba7deb58d305e0b599de7ab588da936ff753ab4c6410b5db0634d71094e97ee1baeaccc491370c88268f6a540eedb556c90fb1ce350eda
-[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-node-linux-s390x.tar.gz) | 4d1ac168b4591bf5ed7773d87eb47e64eb322adb6fd22b89f4f79c9849aee70188f0fa04a18775feff6f9baf95277499c56cd471a56240a87f9810c82434ba35
-[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.34.0-alpha.1/kubernetes-node-windows-amd64.tar.gz) | 896e508aa1c0bb3249c01554aea0ea25d65c4d9740772f8c053ded411b89a34a1c1e954e62fad10a1366cb0a9534af9b3d4e0a46acd956b47eb801e900dfcbe6
-
-### Container Images
-
-All container images are available as manifest lists and support the described
-architectures. It is also possible to pull a specific architecture directly by
-adding the "-$ARCH" suffix  to the container image name.
-
-name | architectures
----- | -------------
-[registry.k8s.io/conformance:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
-[registry.k8s.io/kube-apiserver:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
-[registry.k8s.io/kube-controller-manager:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
-[registry.k8s.io/kube-proxy:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
-[registry.k8s.io/kube-scheduler:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
-[registry.k8s.io/kubectl:v1.34.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
-
-## Changelog since v1.33.0
-
-## Urgent Upgrade Notes
-
-### (No, really, you MUST read this before you upgrade)
-
- - For metrics `apiserver_cache_list_fetched_objects_total`, `apiserver_cache_list_returned_objects_total`, `apiserver_cache_list_total` replace `resource_prefix` label with API `group` and `resource` labels.
-  For metrics `etcd_request_duration_seconds`, `etcd_requests_total` and `etcd_request_errors_total` replace `type` label with API `resource` and `group` label.
-  For metric `apiserver_selfrequest_total` add a API `group` label.
-  For metrics `apiserver_watch_events_sizes` and `apiserver_watch_events_total` replace API `kind` label with `resource` label.
-  For metrics `apiserver_request_body_size_bytes`, `apiserver_storage_events_received_total`, `apiserver_storage_list_evaluated_objects_total`, `apiserver_storage_list_fetched_objects_total`, `apiserver_storage_list_returned_objects_total`, `apiserver_storage_list_total`, `apiserver_watch_cache_events_dispatched_total`, `apiserver_watch_cache_events_received_total`, `apiserver_watch_cache_initializations_total`, `apiserver_watch_cache_resource_version`, `watch_cache_capacity`, `apiserver_init_events_total`, `apiserver_terminated_watchers_total`, `watch_cache_capacity_increase_total`, `watch_cache_capacity_decrease_total`, `apiserver_watch_cache_read_wait_seconds`, `apiserver_watch_cache_consistent_read_total`, `apiserver_storage_consistency_checks_total`, `etcd_bookmark_counts`, `storage_decode_errors_total` extract the API group from `resource` label and put it in new `group` label. ([#131845](https://github.com/kubernetes/kubernetes/pull/131845), [@serathius](https://github.com/serathius)) [SIG API Machinery, Etcd, Instrumentation and Testing]
-  - Kubelet:  removed the deprecated flag `--cloud-config` from the command line. ([#130161](https://github.com/kubernetes/kubernetes/pull/130161), [@carlory](https://github.com/carlory)) [SIG Cloud Provider, Node and Scalability]
-  - Scheduling Framework exposes NodeInfos to the PreFilterPlugins.
-  The PreFilterPlugins need to accept the NodeInfo list from the arguments. ([#130720](https://github.com/kubernetes/kubernetes/pull/130720), [@saintube](https://github.com/saintube)) [SIG Node, Scheduling, Storage and Testing]
- 
-## Changes by Kind
-
-### Deprecation
-
-- Deprecate preferences field in kubeconfig in favor of kuberc ([#131741](https://github.com/kubernetes/kubernetes/pull/131741), [@soltysh](https://github.com/soltysh)) [SIG API Machinery, CLI, Cluster Lifecycle and Testing]
-- Kubeadm: consistently print an 'error: ' prefix before errors. ([#132080](https://github.com/kubernetes/kubernetes/pull/132080), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
-- Kubeadm: only expose non-deprecated klog flags, 'v' and 'vmodule', to align with KEP https://features.k8s.io/2845 ([#131647](https://github.com/kubernetes/kubernetes/pull/131647), [@carsontham](https://github.com/carsontham)) [SIG Cluster Lifecycle]
-- [cloud-provider] respect the "exclude-from-external-load-balancers=false" label ([#131085](https://github.com/kubernetes/kubernetes/pull/131085), [@kayrus](https://github.com/kayrus)) [SIG Cloud Provider and Network]
-
-### API Change
-
-- #### Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
-  
-  <!--
-  This section can be blank if this pull request does not require a release note.
-  
-  When adding links which point to resources within git repositories, like
-  KEPs or supporting documentation, please reference a specific commit and avoid
-  linking directly to the master branch. This ensures that links reference a
-  specific point in time, rather than a document that may change over time.
-  
-  See here for guidance on getting permanent links to files: https://help.github.com/en/articles/getting-permanent-links-to-files
-  
-  Please use the following format for linking documentation:
-  - [KEP]: <link>
-  - [Usage]: <link>
-  - [Other doc]: <link>
-  --> ([#131996](https://github.com/kubernetes/kubernetes/pull/131996), [@ritazh](https://github.com/ritazh)) [SIG Node and Testing]
-- DRA API: resource.k8s.io/v1alpha3 now only contains DeviceTaintRule. All other types got removed because they became obsolete when introducing the v1beta1 API in 1.32.
-  before updating a cluster where resourceclaims, resourceclaimtemplates, deviceclasses, or resourceslices might have been stored using Kubernetes < 1.32, delete all of those resources before updating and recreate them as needed while running Kubernetes >= 1.32. ([#132000](https://github.com/kubernetes/kubernetes/pull/132000), [@pohly](https://github.com/pohly)) [SIG Etcd, Node, Scheduling and Testing]
-- Extends the nodeports scheduling plugin to consider hostPorts used by restartable init containers. ([#132040](https://github.com/kubernetes/kubernetes/pull/132040), [@avrittrohwer](https://github.com/avrittrohwer)) [SIG Scheduling and Testing]
-- Kube-apiserver: Caching of authorization webhook decisions for authorized and unauthorized requests can now be disabled in the `--authorization-config` file by setting the new fields `cacheAuthorizedRequests` or `cacheUnauthorizedRequests` to `false` explicitly. See https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-configuration-file-for-authorization for more details. ([#129237](https://github.com/kubernetes/kubernetes/pull/129237), [@rfranzke](https://github.com/rfranzke)) [SIG API Machinery and Auth]
-- Kube-apiserver: Promoted the `StructuredAuthenticationConfiguration` feature gate to GA. ([#131916](https://github.com/kubernetes/kubernetes/pull/131916), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-apiserver: the AuthenticationConfiguration type accepted in `--authentication-config` files has been promoted to `apiserver.config.k8s.io/v1`. ([#131752](https://github.com/kubernetes/kubernetes/pull/131752), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-log-runner: rotating log output into a new file when reaching a certain file size can be requested via the new `-log-file-size` parameter. `-log-file-age` enables automatical removal of old output files.  Periodic flushing can be requested through ` -flush-interval`. ([#127667](https://github.com/kubernetes/kubernetes/pull/127667), [@zylxjtu](https://github.com/zylxjtu)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage, Testing and Windows]
-- Kubectl: graduated `kuberc` support to beta. A `kuberc` configuration file provides a mechanism for customizing kubectl behavior (separate from kubeconfig, which configured cluster access across different clients). ([#131818](https://github.com/kubernetes/kubernetes/pull/131818), [@soltysh](https://github.com/soltysh)) [SIG CLI and Testing]
-- Promote the RelaxedEnvironmentVariableValidation feature gate to GA and lock it in the default enabled state. ([#132054](https://github.com/kubernetes/kubernetes/pull/132054), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Apps, Architecture, Node and Testing]
-- Remove inaccurate statement about requiring ports from pod spec hostNetwork field ([#130994](https://github.com/kubernetes/kubernetes/pull/130994), [@BenTheElder](https://github.com/BenTheElder)) [SIG Network and Node]
-- TBD ([#131318](https://github.com/kubernetes/kubernetes/pull/131318), [@aojea](https://github.com/aojea)) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Network and Testing]
-- The validation of `replicas` field in the ReplicationController `/scale` subresource has been migrated to declarative validation.
-  If the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
-  If the `DeclarativeValidationTakeover` feature gate is enabled, declarative validation is the primary source of errors for migrated fields. ([#131664](https://github.com/kubernetes/kubernetes/pull/131664), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery and Apps]
-- The validation-gen code generator generates validation code that supports validation ratcheting. ([#132236](https://github.com/kubernetes/kubernetes/pull/132236), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps, Auth and Node]
-- Update etcd version to v3.6.0 ([#131501](https://github.com/kubernetes/kubernetes/pull/131501), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
-- When the IsDNS1123SubdomainWithUnderscore function returns an error, it will return the correct regex information dns1123SubdomainFmtWithUnderscore. ([#132034](https://github.com/kubernetes/kubernetes/pull/132034), [@ChosenFoam](https://github.com/ChosenFoam)) [SIG Network]
-- Zero-value `metadata.creationTimestamp` values are now omitted and no longer serialize an explicit `null` in JSON, YAML, and CBOR output ([#130989](https://github.com/kubernetes/kubernetes/pull/130989), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
-
-### Feature
-
-- Add a flag to `kubectl version` that detects whether a client/server version mismatch is outside the officially supported range. ([#127365](https://github.com/kubernetes/kubernetes/pull/127365), [@omerap12](https://github.com/omerap12)) [SIG CLI]
-- Add support for CEL expressions with escaped names in structured authentication config.  Using `[` for accessing claims or user data is preferred when names contain characters that would need to be escaped.  CEL optionals via `?` can be used in places where `has` cannot be used, i.e. `claims[?"kubernetes.io"]` or `user.extra[?"domain.io/foo"]`. ([#131574](https://github.com/kubernetes/kubernetes/pull/131574), [@enj](https://github.com/enj)) [SIG API Machinery and Auth]
-- Added Traffic Distribution field to `kubectl describe service` output ([#131491](https://github.com/kubernetes/kubernetes/pull/131491), [@tchap](https://github.com/tchap)) [SIG CLI]
-- Added a `--show-swap` option to `kubectl top` subcommands ([#129458](https://github.com/kubernetes/kubernetes/pull/129458), [@iholder101](https://github.com/iholder101)) [SIG CLI]
-- Added alpha metrics for compatibility versioning ([#131842](https://github.com/kubernetes/kubernetes/pull/131842), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Architecture, Instrumentation and Scheduling]
-- Enabling completion for aliases defined in kuberc ([#131586](https://github.com/kubernetes/kubernetes/pull/131586), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
-- Graduate ResilientWatchCacheInitialization to GA ([#131979](https://github.com/kubernetes/kubernetes/pull/131979), [@serathius](https://github.com/serathius)) [SIG API Machinery]
-- Graduate configurable endpoints for anonymous authentication using the authentication configuration file to stable. ([#131654](https://github.com/kubernetes/kubernetes/pull/131654), [@vinayakankugoyal](https://github.com/vinayakankugoyal)) [SIG API Machinery and Testing]
-- Graduated relaxed DNS search string validation to GA. For the Pod API, `.spec.dnsConfig.searches`
-  now allows an underscore (`_`) where a dash (`-`) would be allowed, and it allows search strings be a single dot `.`. ([#132036](https://github.com/kubernetes/kubernetes/pull/132036), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Network and Testing]
-- Graduated scheduler `QueueingHint` support to GA (general availability) ([#131973](https://github.com/kubernetes/kubernetes/pull/131973), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Kube-apiserver: Promoted `ExternalServiceAccountTokenSigner` feature to beta, which enables external signing of service account tokens and fetching of public verifying keys, by enabling the beta `ExternalServiceAccountTokenSigner` feature gate and specifying `--service-account-signing-endpoint`. The flag value can either be the location of a Unix domain socket on a filesystem, or be prefixed with an @ symbol and name a Unix domain socket in the abstract socket namespace. ([#131300](https://github.com/kubernetes/kubernetes/pull/131300), [@HarshalNeelkamal](https://github.com/HarshalNeelkamal)) [SIG API Machinery, Auth and Testing]
-- Kube-controller-manager events to support contextual logging. ([#128351](https://github.com/kubernetes/kubernetes/pull/128351), [@mengjiao-liu](https://github.com/mengjiao-liu)) [SIG API Machinery]
-- Kube-proxy: Check if IPv6 is available on Linux before using it ([#131265](https://github.com/kubernetes/kubernetes/pull/131265), [@rikatz](https://github.com/rikatz)) [SIG Network]
-- Kubeadm: add support for ECDSA-P384 as an encryption algorithm type in v1beta4. ([#131677](https://github.com/kubernetes/kubernetes/pull/131677), [@lalitc375](https://github.com/lalitc375)) [SIG Cluster Lifecycle]
-- Kubeadm: fixed issue where etcd member promotion fails with an error saying the member was already promoted ([#130782](https://github.com/kubernetes/kubernetes/pull/130782), [@BernardMC](https://github.com/BernardMC)) [SIG Cluster Lifecycle]
-- Kubeadm: graduated the `NodeLocalCRISocket` feature gate to beta and enabed it by default. When its enabled, kubeadm will:
-    1. Generate a `/var/lib/kubelet/instance-config.yaml` file to customize the `containerRuntimeEndpoint` field in per-node kubelet configurations.
-    2. Remove the `kubeadm.alpha.kubernetes.io/cri-socket` annotation from nodes during upgrade operations.
-    3. Remove the `--container-runtime-endpoint` flag from the `/var/lib/kubelet/kubeadm-flags.env` file during upgrades. ([#131981](https://github.com/kubernetes/kubernetes/pull/131981), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Cluster Lifecycle]
-- Kubeadm: switched the validation check for Linux kernel version to throw warnings instead of errors. ([#131919](https://github.com/kubernetes/kubernetes/pull/131919), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle and Node]
-- Kubelet: the `--image-credential-provider-config` flag previously only accepted an individual file, but can now specify a directory path as well; when a directory is specified, all .json/.yaml/.yml files in the directory are loaded and merged in lexicographical order. ([#131658](https://github.com/kubernetes/kubernetes/pull/131658), [@dims](https://github.com/dims)) [SIG Auth and Node]
-- Kubernetes api-server now merges selectors built from matchLabelKeys into the labelSelector of topologySpreadConstraints, 
-  aligning Pod Topology Spread with the approach used by Inter-Pod Affinity.
-  
-  To avoid breaking existing pods that use matchLabelKeys, the current scheduler behavior will be preserved until it is removed in v1.34. 
-  Therefore, do not upgrade your scheduler directly from v1.32 to v1.34. 
-  Instead, upgrade step-by-step (from v1.32 to v1.33, then to v1.34), 
-  ensuring that any pods created at v1.32 with matchLabelKeys are either removed or already scheduled by the time you reach v1.34.
-  
-  If you maintain controllers that previously relied on matchLabelKeys (for instance, to simulate scheduling), 
-  you likely no longer need to handle matchLabelKeys directly. Instead, you can just rely on the labelSelector field going forward.
-  
-  Additionally, a new feature gate `MatchLabelKeysInPodTopologySpreadSelectorMerge`, which is enabled by default, has been 
-  added to control this behavior. ([#129874](https://github.com/kubernetes/kubernetes/pull/129874), [@mochizuki875](https://github.com/mochizuki875)) [SIG Apps, Node, Scheduling and Testing]
-- Kubernetes is now built using Go 1.24.3 ([#131934](https://github.com/kubernetes/kubernetes/pull/131934), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- Kubernetes is now built using Go 1.24.4 ([#132222](https://github.com/kubernetes/kubernetes/pull/132222), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
-- LeaseLocks can now have custom Labels that different holders will overwrite when they become the holder of the underlying lease. ([#131632](https://github.com/kubernetes/kubernetes/pull/131632), [@DerekFrank](https://github.com/DerekFrank)) [SIG API Machinery]
-- Non-scheduling related errors (e.g., network errors) don't lengthen the Pod scheduling backoff time. ([#128748](https://github.com/kubernetes/kubernetes/pull/128748), [@sanposhiho](https://github.com/sanposhiho)) [SIG Scheduling and Testing]
-- Promote feature OrderedNamespaceDeletion to GA. ([#131514](https://github.com/kubernetes/kubernetes/pull/131514), [@cici37](https://github.com/cici37)) [SIG API Machinery and Testing]
-- Removed "endpoint-controller" and "workload-leader-election" FlowSchemas from the default APF configuration.
-  
-  migrate the lock type used in the leader election in your workloads from configmapsleases/endpointsleases to leases. ([#131215](https://github.com/kubernetes/kubernetes/pull/131215), [@tosi3k](https://github.com/tosi3k)) [SIG API Machinery, Apps, Network, Scalability and Scheduling]
-- The PreferSameTrafficDistribution feature gate is now enabled by default,
-  enabling the `PreferSameNode` traffic distribution value for Services. ([#132127](https://github.com/kubernetes/kubernetes/pull/132127), [@danwinship](https://github.com/danwinship)) [SIG Apps and Network]
-- Updated the built in `system:monitoring` role with permission to access kubelet metrics endpoints. ([#132178](https://github.com/kubernetes/kubernetes/pull/132178), [@gavinkflam](https://github.com/gavinkflam)) [SIG Auth]
-
-### Failing Test
-
-- Kube-apiserver: The --service-account-signing-endpoint flag now only validates the format of abstract socket names ([#131509](https://github.com/kubernetes/kubernetes/pull/131509), [@liggitt](https://github.com/liggitt)) [SIG API Machinery and Auth]
-
-### Bug or Regression
-
-- Check for newer resize fields when deciding recovery feature's status in kubelet ([#131418](https://github.com/kubernetes/kubernetes/pull/131418), [@gnufied](https://github.com/gnufied)) [SIG Storage]
-- DRA: ResourceClaims requesting a fixed number of devices with `adminAccess` will no longer be allocated the same device multiple times. ([#131299](https://github.com/kubernetes/kubernetes/pull/131299), [@nojnhuh](https://github.com/nojnhuh)) [SIG Node]
-- Disable reading of disk geometry before calling expansion for ext and xfs filesystems ([#131568](https://github.com/kubernetes/kubernetes/pull/131568), [@gnufied](https://github.com/gnufied)) [SIG Storage]
-- Do not expand PVCs annotated with node-expand-not-required ([#131907](https://github.com/kubernetes/kubernetes/pull/131907), [@gnufied](https://github.com/gnufied)) [SIG API Machinery, Etcd, Node, Storage and Testing]
-- Do not expand volume on the node, if controller expansion is finished ([#131868](https://github.com/kubernetes/kubernetes/pull/131868), [@gnufied](https://github.com/gnufied)) [SIG Storage]
-- Do not log error event when waiting for expansion on the kubelet ([#131408](https://github.com/kubernetes/kubernetes/pull/131408), [@gnufied](https://github.com/gnufied)) [SIG Storage]
-- Do not remove CSI json file if volume is already mounted on subsequent errors ([#131311](https://github.com/kubernetes/kubernetes/pull/131311), [@gnufied](https://github.com/gnufied)) [SIG Storage]
-- Fix ReplicationController reconciliation when the DeploymentReplicaSetTerminatingReplicas feature gate is enabled ([#131822](https://github.com/kubernetes/kubernetes/pull/131822), [@atiratree](https://github.com/atiratree)) [SIG Apps]
-- Fix a bug causing unexpected delay of creating pods for newly created jobs ([#132109](https://github.com/kubernetes/kubernetes/pull/132109), [@linxiulei](https://github.com/linxiulei)) [SIG Apps and Testing]
-- Fix a bug in Job controller which could result in creating unnecessary Pods for a Job which is already
-  recognized as finished (successful or failed). ([#130333](https://github.com/kubernetes/kubernetes/pull/130333), [@kmala](https://github.com/kmala)) [SIG Apps and Testing]
-- Fix the allocatedResourceStatuses Field name mismatch in PVC status validation ([#131213](https://github.com/kubernetes/kubernetes/pull/131213), [@carlory](https://github.com/carlory)) [SIG Apps]
-- Fixed a bug in CEL's common.UnstructuredToVal where `==` evaluates to false for identical objects when a field is present but the value is null.  This bug does not impact the Kubernetes API. ([#131559](https://github.com/kubernetes/kubernetes/pull/131559), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery]
-- Fixed a bug that caused duplicate validation when updating a ReplicaSet. ([#131873](https://github.com/kubernetes/kubernetes/pull/131873), [@gavinkflam](https://github.com/gavinkflam)) [SIG Apps]
-- Fixed a panic issue related to kubectl revision history kubernetes/kubectl#1724 ([#130503](https://github.com/kubernetes/kubernetes/pull/130503), [@tahacodes](https://github.com/tahacodes)) [SIG CLI]
-- Fixed a possible deadlock in the watch client that could happen if the watch was not stopped. ([#131266](https://github.com/kubernetes/kubernetes/pull/131266), [@karlkfi](https://github.com/karlkfi)) [SIG API Machinery]
-- Fixed an incorrect reference to `JoinConfigurationKind` in the error message when no ResetConfiguration is found during `kubeadm reset` with the `--config` flag. ([#132258](https://github.com/kubernetes/kubernetes/pull/132258), [@J3m3](https://github.com/J3m3)) [SIG Cluster Lifecycle]
-- Fixed an issue where `insufficientResources` was logged as a pointer during pod preemption, making logs more readable. ([#132183](https://github.com/kubernetes/kubernetes/pull/132183), [@chrisy-x](https://github.com/chrisy-x)) [SIG Node]
-- Fixed incorrect behavior for AllocationMode: All in ResourceClaim when used in subrequests. ([#131660](https://github.com/kubernetes/kubernetes/pull/131660), [@mortent](https://github.com/mortent)) [SIG Node]
-- Fixed misleading response codes in admission control metrics. ([#132165](https://github.com/kubernetes/kubernetes/pull/132165), [@gavinkflam](https://github.com/gavinkflam)) [SIG API Machinery, Architecture and Instrumentation]
-- Fixes an issue where Windows kube-proxy's ModifyLoadBalancer API updates did not match HNS state in version 15.4. ModifyLoadBalancer policy is supported from Kubernetes 1.31+. ([#131506](https://github.com/kubernetes/kubernetes/pull/131506), [@princepereira](https://github.com/princepereira)) [SIG Windows]
-- HPA controller will no longer emit a 'FailedRescale' event if a scale operation initially fails due to a conflict but succeeds after a retry; a 'SuccessfulRescale' event will be emitted instead. A 'FailedRescale' event is still emitted if retries are exhausted. ([#132007](https://github.com/kubernetes/kubernetes/pull/132007), [@AumPatel1](https://github.com/AumPatel1)) [SIG Apps and Autoscaling]
-- Improve error message when a pod with user namespaces is created and the runtime doesn't support user namespaces. ([#131623](https://github.com/kubernetes/kubernetes/pull/131623), [@rata](https://github.com/rata)) [SIG Node]
-- Kube-apiserver: Fixes OIDC discovery document publishing when external service account token signing is enabled ([#131493](https://github.com/kubernetes/kubernetes/pull/131493), [@hoskeri](https://github.com/hoskeri)) [SIG API Machinery, Auth and Testing]
-- Kube-apiserver: cronjob objects now default empty `spec.jobTemplate.spec.podFailurePolicy.rules[*].onPodConditions[*].status` fields as documented, avoiding validation failures during write requests. ([#131525](https://github.com/kubernetes/kubernetes/pull/131525), [@carlory](https://github.com/carlory)) [SIG Apps]
-- Kube-proxy:  Remove iptables cli wait interval flag ([#131961](https://github.com/kubernetes/kubernetes/pull/131961), [@cyclinder](https://github.com/cyclinder)) [SIG Network]
-- Kube-scheduler: in Kubernetes 1.33, the number of devices that can be allocated per ResourceClaim was accidentally reduced to 16. Now the supported number of devices per ResourceClaim is 32 again. ([#131662](https://github.com/kubernetes/kubernetes/pull/131662), [@mortent](https://github.com/mortent)) [SIG Node]
-- Kubelet: close a loophole where static pods could reference arbitrary ResourceClaims. The pods created by the kubelet then don't run due to a sanity check, but such references shouldn't be allowed regardless. ([#131844](https://github.com/kubernetes/kubernetes/pull/131844), [@pohly](https://github.com/pohly)) [SIG Apps, Auth and Node]
-- Kubelet: fix a bug where the unexpected NodeResizeError condition was in PVC status when the csi driver does not support node volume expansion and the pvc has the ReadWriteMany access mode. ([#131495](https://github.com/kubernetes/kubernetes/pull/131495), [@carlory](https://github.com/carlory)) [SIG Storage]
-- Reduce 5s delay of tainting `node.kubernetes.io/unreachable:NoExecute` when a Node becomes unreachable ([#120816](https://github.com/kubernetes/kubernetes/pull/120816), [@tnqn](https://github.com/tnqn)) [SIG Apps and Node]
-- Skip pod backoff completely when PodMaxBackoffDuration kube-scheduler option is set to zero and SchedulerPopFromBackoffQ feature gate is enabled. ([#131965](https://github.com/kubernetes/kubernetes/pull/131965), [@macsko](https://github.com/macsko)) [SIG Scheduling]
-- The shorthand for --output flag in kubectl explain was accidentally deleted, but has been added back. ([#131962](https://github.com/kubernetes/kubernetes/pull/131962), [@superbrothers](https://github.com/superbrothers)) [SIG CLI]
-- `kubectl create|delete|get|replace --raw` commands now honor server root paths specified in the kubeconfig file. ([#131165](https://github.com/kubernetes/kubernetes/pull/131165), [@liggitt](https://github.com/liggitt)) [SIG API Machinery]
-
-### Other (Cleanup or Flake)
-
-- Added a warning to `kubectl attach`, notifying / reminding users that commands and output are available via the `log` subresource of that Pod. ([#127183](https://github.com/kubernetes/kubernetes/pull/127183), [@mochizuki875](https://github.com/mochizuki875)) [SIG Auth, CLI, Node and Security]
-- Bump cel-go dependency to v0.25.0. The changeset is available at: https://github.com/google/cel-go/compare/v0.23.2...v0.25.0 ([#131444](https://github.com/kubernetes/kubernetes/pull/131444), [@erdii](https://github.com/erdii)) [SIG API Machinery, Auth, Cloud Provider and Node]
-- Bump kube dns to v1.26.4 ([#132012](https://github.com/kubernetes/kubernetes/pull/132012), [@pacoxu](https://github.com/pacoxu)) [SIG Cloud Provider]
-- By default the binaries like kube-apiserver are built with "grpcnotrace" tag enabled. Please use DBG flag if you want to enable golang tracing. ([#132210](https://github.com/kubernetes/kubernetes/pull/132210), [@dims](https://github.com/dims)) [SIG Architecture]
-- Changed apiserver to treat failures decoding a mutating webhook patch as failures to call the webhook so they trigger the webhook failurePolicy and count against metrics like `webhook_fail_open_count` ([#131627](https://github.com/kubernetes/kubernetes/pull/131627), [@dims](https://github.com/dims)) [SIG API Machinery]
-- DRA kubelet: logging now uses `driverName` like the rest of the Kubernetes components, instead of `pluginName`. ([#132096](https://github.com/kubernetes/kubernetes/pull/132096), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- DRA kubelet: recovery from mistakes like scheduling a pod onto a node with the required driver not running is a bit simpler now because the kubelet does not block pod deletion unnecessarily. ([#131968](https://github.com/kubernetes/kubernetes/pull/131968), [@pohly](https://github.com/pohly)) [SIG Node and Testing]
-- Fixed some missing white spaces in the flag descriptions and logs. ([#131562](https://github.com/kubernetes/kubernetes/pull/131562), [@logica0419](https://github.com/logica0419)) [SIG Network]
-- Hack/update-codegen.sh now automatically ensures goimports and protoc ([#131459](https://github.com/kubernetes/kubernetes/pull/131459), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery]
-- Kube-apiserver: removed the deprecated `apiserver_encryption_config_controller_automatic_reload_success_total` and `apiserver_encryption_config_controller_automatic_reload_failure_total` metrics in favor of `apiserver_encryption_config_controller_automatic_reloads_total`. ([#132238](https://github.com/kubernetes/kubernetes/pull/132238), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
-- Kube-scheduler: removed the deprecated scheduler_scheduler_cache_size metric  in favor of scheduler_cache_size ([#131425](https://github.com/kubernetes/kubernetes/pull/131425), [@carlory](https://github.com/carlory)) [SIG Scheduling]
-- Kubeadm: fixed missing space when printing the warning about pause image mismatch. ([#131563](https://github.com/kubernetes/kubernetes/pull/131563), [@logica0419](https://github.com/logica0419)) [SIG Cluster Lifecycle]
-- Kubeadm: made the coredns deployment manifest use named ports consistently for the liveness and readiness probes. ([#131587](https://github.com/kubernetes/kubernetes/pull/131587), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
-- Kubectl interactive delete: treat empty newline input as N ([#132251](https://github.com/kubernetes/kubernetes/pull/132251), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
-- Migrate pkg/kubelet/status to contextual logging ([#130852](https://github.com/kubernetes/kubernetes/pull/130852), [@Chulong-Li](https://github.com/Chulong-Li)) [SIG Node]
-- Promote `apiserver_authentication_config_controller_automatic_reloads_total` and `apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds` metrics to BETA. ([#131798](https://github.com/kubernetes/kubernetes/pull/131798), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Instrumentation]
-- Promote `apiserver_authorization_config_controller_automatic_reloads_total` and `apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds` metrics to BETA. ([#131768](https://github.com/kubernetes/kubernetes/pull/131768), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Instrumentation]
-- Promoted the `SeparateTaintEvictionController` feature gate to GA; it is now enabled unconditionally. ([#122634](https://github.com/kubernetes/kubernetes/pull/122634), [@carlory](https://github.com/carlory)) [SIG API Machinery, Apps, Node and Testing]
-- Removed generally available feature-gate `PodDisruptionConditions`. ([#129501](https://github.com/kubernetes/kubernetes/pull/129501), [@carlory](https://github.com/carlory)) [SIG Apps]
-- Removes support for API streaming from the `List() method` of the dynamic client. ([#132229](https://github.com/kubernetes/kubernetes/pull/132229), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery, CLI and Testing]
-- Removes support for API streaming from the `List() method` of the metadata client. ([#132149](https://github.com/kubernetes/kubernetes/pull/132149), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- Removes support for API streaming from the `List() method` of the typed client. ([#132257](https://github.com/kubernetes/kubernetes/pull/132257), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery and Testing]
-- Removes support for API streaming from the rest client. ([#132285](https://github.com/kubernetes/kubernetes/pull/132285), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery]
-- Types: CycleState, StateData, StateKey and ErrNotFound moved from pkg/scheduler/framework to k8s.io/kube-scheduler/framework.
-  Type CycleState that is passed to each plugin in scheduler framework is changed to the new interface CycleState (in k8s.io/kube-scheduler/framework) ([#131887](https://github.com/kubernetes/kubernetes/pull/131887), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Scheduling, Storage and Testing]
-- Updated CNI plugins to v1.7.1 ([#131602](https://github.com/kubernetes/kubernetes/pull/131602), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Cloud Provider, Node and Testing]
-- Updated cri-tools to v1.33.0. ([#131406](https://github.com/kubernetes/kubernetes/pull/131406), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider]
-- Upgrade CoreDNS to v1.12.1 ([#131151](https://github.com/kubernetes/kubernetes/pull/131151), [@yashsingh74](https://github.com/yashsingh74)) [SIG Cloud Provider and Cluster Lifecycle]
-
-## Dependencies
-
-### Added
-- buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go: 63bb56e
-- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: [v1.26.0](https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/tree/detectors/gcp/v1.26.0)
-- github.com/bufbuild/protovalidate-go: [v0.9.1](https://github.com/bufbuild/protovalidate-go/tree/v0.9.1)
-- github.com/envoyproxy/go-control-plane/envoy: [v1.32.4](https://github.com/envoyproxy/go-control-plane/tree/envoy/v1.32.4)
-- github.com/envoyproxy/go-control-plane/ratelimit: [v0.1.0](https://github.com/envoyproxy/go-control-plane/tree/ratelimit/v0.1.0)
-- github.com/go-jose/go-jose/v4: [v4.0.4](https://github.com/go-jose/go-jose/tree/v4.0.4)
-- github.com/golang-jwt/jwt/v5: [v5.2.2](https://github.com/golang-jwt/jwt/tree/v5.2.2)
-- github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: [v1.0.1](https://github.com/grpc-ecosystem/go-grpc-middleware/tree/providers/prometheus/v1.0.1)
-- github.com/grpc-ecosystem/go-grpc-middleware/v2: [v2.3.0](https://github.com/grpc-ecosystem/go-grpc-middleware/tree/v2.3.0)
-- github.com/spiffe/go-spiffe/v2: [v2.5.0](https://github.com/spiffe/go-spiffe/tree/v2.5.0)
-- github.com/zeebo/errs: [v1.4.0](https://github.com/zeebo/errs/tree/v1.4.0)
-- go.etcd.io/raft/v3: v3.6.0
-- go.opentelemetry.io/contrib/detectors/gcp: v1.34.0
-- go.opentelemetry.io/otel/sdk/metric: v1.34.0
-
-### Changed
-- cel.dev/expr: v0.19.1 → v0.23.1
-- cloud.google.com/go/compute/metadata: v0.5.0 → v0.6.0
-- github.com/Microsoft/hnslib: [v0.0.8 → v0.1.1](https://github.com/Microsoft/hnslib/compare/v0.0.8...v0.1.1)
-- github.com/cncf/xds/go: [b4127c9 → 2f00578](https://github.com/cncf/xds/compare/b4127c9...2f00578)
-- github.com/coredns/corefile-migration: [v1.0.25 → v1.0.26](https://github.com/coredns/corefile-migration/compare/v1.0.25...v1.0.26)
-- github.com/cpuguy83/go-md2man/v2: [v2.0.4 → v2.0.6](https://github.com/cpuguy83/go-md2man/compare/v2.0.4...v2.0.6)
-- github.com/envoyproxy/go-control-plane: [v0.13.0 → v0.13.4](https://github.com/envoyproxy/go-control-plane/compare/v0.13.0...v0.13.4)
-- github.com/envoyproxy/protoc-gen-validate: [v1.1.0 → v1.2.1](https://github.com/envoyproxy/protoc-gen-validate/compare/v1.1.0...v1.2.1)
-- github.com/fsnotify/fsnotify: [v1.7.0 → v1.9.0](https://github.com/fsnotify/fsnotify/compare/v1.7.0...v1.9.0)
-- github.com/fxamacker/cbor/v2: [v2.7.0 → v2.8.0](https://github.com/fxamacker/cbor/compare/v2.7.0...v2.8.0)
-- github.com/golang/glog: [v1.2.2 → v1.2.4](https://github.com/golang/glog/compare/v1.2.2...v1.2.4)
-- github.com/google/cel-go: [v0.23.2 → v0.25.0](https://github.com/google/cel-go/compare/v0.23.2...v0.25.0)
-- github.com/grpc-ecosystem/grpc-gateway/v2: [v2.24.0 → v2.26.3](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.24.0...v2.26.3)
-- github.com/ishidawataru/sctp: [7ff4192 → ae8eb7f](https://github.com/ishidawataru/sctp/compare/7ff4192...ae8eb7f)
-- github.com/jonboulle/clockwork: [v0.4.0 → v0.5.0](https://github.com/jonboulle/clockwork/compare/v0.4.0...v0.5.0)
-- github.com/modern-go/reflect2: [v1.0.2 → 35a7c28](https://github.com/modern-go/reflect2/compare/v1.0.2...35a7c28)
-- github.com/spf13/cobra: [v1.8.1 → v1.9.1](https://github.com/spf13/cobra/compare/v1.8.1...v1.9.1)
-- github.com/spf13/pflag: [v1.0.5 → v1.0.6](https://github.com/spf13/pflag/compare/v1.0.5...v1.0.6)
-- github.com/vishvananda/netlink: [62fb240 → v1.3.1](https://github.com/vishvananda/netlink/compare/62fb240...v1.3.1)
-- github.com/vishvananda/netns: [v0.0.4 → v0.0.5](https://github.com/vishvananda/netns/compare/v0.0.4...v0.0.5)
-- go.etcd.io/bbolt: v1.3.11 → v1.4.0
-- go.etcd.io/etcd/api/v3: v3.5.21 → v3.6.1
-- go.etcd.io/etcd/client/pkg/v3: v3.5.21 → v3.6.1
-- go.etcd.io/etcd/client/v3: v3.5.21 → v3.6.1
-- go.etcd.io/etcd/pkg/v3: v3.5.21 → v3.6.1
-- go.etcd.io/etcd/server/v3: v3.5.21 → v3.6.1
-- go.etcd.io/gofail: v0.1.0 → v0.2.0
-- go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful: v0.42.0 → v0.44.0
-- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.58.0 → v0.60.0
-- go.opentelemetry.io/contrib/propagators/b3: v1.17.0 → v1.19.0
-- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/metric: v1.33.0 → v1.35.0
-- go.opentelemetry.io/otel/sdk: v1.33.0 → v1.34.0
-- go.opentelemetry.io/otel/trace: v1.33.0 → v1.35.0
-- go.opentelemetry.io/otel: v1.33.0 → v1.35.0
-- go.opentelemetry.io/proto/otlp: v1.4.0 → v1.5.0
-- google.golang.org/genproto/googleapis/api: e6fa225 → a0af3ef
-- google.golang.org/genproto/googleapis/rpc: e6fa225 → a0af3ef
-- google.golang.org/grpc: v1.68.1 → v1.72.1
-- k8s.io/gengo/v2: 1244d31 → 85fd79d
-- k8s.io/system-validators: v1.9.1 → v1.10.1
-- k8s.io/utils: 3ea5e8c → 4c0f3b2
-- sigs.k8s.io/structured-merge-diff/v4: v4.6.0 → v4.7.0
-
-### Removed
-- cloud.google.com/go/accessapproval: v1.7.4
-- cloud.google.com/go/accesscontextmanager: v1.8.4
-- cloud.google.com/go/aiplatform: v1.58.0
-- cloud.google.com/go/analytics: v0.22.0
-- cloud.google.com/go/apigateway: v1.6.4
-- cloud.google.com/go/apigeeconnect: v1.6.4
-- cloud.google.com/go/apigeeregistry: v0.8.2
-- cloud.google.com/go/appengine: v1.8.4
-- cloud.google.com/go/area120: v0.8.4
-- cloud.google.com/go/artifactregistry: v1.14.6
-- cloud.google.com/go/asset: v1.17.0
-- cloud.google.com/go/assuredworkloads: v1.11.4
-- cloud.google.com/go/automl: v1.13.4
-- cloud.google.com/go/baremetalsolution: v1.2.3
-- cloud.google.com/go/batch: v1.7.0
-- cloud.google.com/go/beyondcorp: v1.0.3
-- cloud.google.com/go/bigquery: v1.58.0
-- cloud.google.com/go/billing: v1.18.0
-- cloud.google.com/go/binaryauthorization: v1.8.0
-- cloud.google.com/go/certificatemanager: v1.7.4
-- cloud.google.com/go/channel: v1.17.4
-- cloud.google.com/go/cloudbuild: v1.15.0
-- cloud.google.com/go/clouddms: v1.7.3
-- cloud.google.com/go/cloudtasks: v1.12.4
-- cloud.google.com/go/compute: v1.23.3
-- cloud.google.com/go/contactcenterinsights: v1.12.1
-- cloud.google.com/go/container: v1.29.0
-- cloud.google.com/go/containeranalysis: v0.11.3
-- cloud.google.com/go/datacatalog: v1.19.2
-- cloud.google.com/go/dataflow: v0.9.4
-- cloud.google.com/go/dataform: v0.9.1
-- cloud.google.com/go/datafusion: v1.7.4
-- cloud.google.com/go/datalabeling: v0.8.4
-- cloud.google.com/go/dataplex: v1.14.0
-- cloud.google.com/go/dataproc/v2: v2.3.0
-- cloud.google.com/go/dataqna: v0.8.4
-- cloud.google.com/go/datastore: v1.15.0
-- cloud.google.com/go/datastream: v1.10.3
-- cloud.google.com/go/deploy: v1.17.0
-- cloud.google.com/go/dialogflow: v1.48.1
-- cloud.google.com/go/dlp: v1.11.1
-- cloud.google.com/go/documentai: v1.23.7
-- cloud.google.com/go/domains: v0.9.4
-- cloud.google.com/go/edgecontainer: v1.1.4
-- cloud.google.com/go/errorreporting: v0.3.0
-- cloud.google.com/go/essentialcontacts: v1.6.5
-- cloud.google.com/go/eventarc: v1.13.3
-- cloud.google.com/go/filestore: v1.8.0
-- cloud.google.com/go/firestore: v1.14.0
-- cloud.google.com/go/functions: v1.15.4
-- cloud.google.com/go/gkebackup: v1.3.4
-- cloud.google.com/go/gkeconnect: v0.8.4
-- cloud.google.com/go/gkehub: v0.14.4
-- cloud.google.com/go/gkemulticloud: v1.1.0
-- cloud.google.com/go/gsuiteaddons: v1.6.4
-- cloud.google.com/go/iam: v1.1.5
-- cloud.google.com/go/iap: v1.9.3
-- cloud.google.com/go/ids: v1.4.4
-- cloud.google.com/go/iot: v1.7.4
-- cloud.google.com/go/kms: v1.15.5
-- cloud.google.com/go/language: v1.12.2
-- cloud.google.com/go/lifesciences: v0.9.4
-- cloud.google.com/go/logging: v1.9.0
-- cloud.google.com/go/longrunning: v0.5.4
-- cloud.google.com/go/managedidentities: v1.6.4
-- cloud.google.com/go/maps: v1.6.3
-- cloud.google.com/go/mediatranslation: v0.8.4
-- cloud.google.com/go/memcache: v1.10.4
-- cloud.google.com/go/metastore: v1.13.3
-- cloud.google.com/go/monitoring: v1.17.0
-- cloud.google.com/go/networkconnectivity: v1.14.3
-- cloud.google.com/go/networkmanagement: v1.9.3
-- cloud.google.com/go/networksecurity: v0.9.4
-- cloud.google.com/go/notebooks: v1.11.2
-- cloud.google.com/go/optimization: v1.6.2
-- cloud.google.com/go/orchestration: v1.8.4
-- cloud.google.com/go/orgpolicy: v1.12.0
-- cloud.google.com/go/osconfig: v1.12.4
-- cloud.google.com/go/oslogin: v1.13.0
-- cloud.google.com/go/phishingprotection: v0.8.4
-- cloud.google.com/go/policytroubleshooter: v1.10.2
-- cloud.google.com/go/privatecatalog: v0.9.4
-- cloud.google.com/go/pubsub: v1.34.0
-- cloud.google.com/go/pubsublite: v1.8.1
-- cloud.google.com/go/recaptchaenterprise/v2: v2.9.0
-- cloud.google.com/go/recommendationengine: v0.8.4
-- cloud.google.com/go/recommender: v1.12.0
-- cloud.google.com/go/redis: v1.14.1
-- cloud.google.com/go/resourcemanager: v1.9.4
-- cloud.google.com/go/resourcesettings: v1.6.4
-- cloud.google.com/go/retail: v1.14.4
-- cloud.google.com/go/run: v1.3.3
-- cloud.google.com/go/scheduler: v1.10.5
-- cloud.google.com/go/secretmanager: v1.11.4
-- cloud.google.com/go/security: v1.15.4
-- cloud.google.com/go/securitycenter: v1.24.3
-- cloud.google.com/go/servicedirectory: v1.11.3
-- cloud.google.com/go/shell: v1.7.4
-- cloud.google.com/go/spanner: v1.55.0
-- cloud.google.com/go/speech: v1.21.0
-- cloud.google.com/go/storagetransfer: v1.10.3
-- cloud.google.com/go/talent: v1.6.5
-- cloud.google.com/go/texttospeech: v1.7.4
-- cloud.google.com/go/tpu: v1.6.4
-- cloud.google.com/go/trace: v1.10.4
-- cloud.google.com/go/translate: v1.10.0
-- cloud.google.com/go/video: v1.20.3
-- cloud.google.com/go/videointelligence: v1.11.4
-- cloud.google.com/go/vision/v2: v2.7.5
-- cloud.google.com/go/vmmigration: v1.7.4
-- cloud.google.com/go/vmwareengine: v1.0.3
-- cloud.google.com/go/vpcaccess: v1.7.4
-- cloud.google.com/go/webrisk: v1.9.4
-- cloud.google.com/go/websecurityscanner: v1.6.4
-- cloud.google.com/go/workflows: v1.12.3
-- cloud.google.com/go: v0.112.0
-- github.com/BurntSushi/toml: [v0.3.1](https://github.com/BurntSushi/toml/tree/v0.3.1)
-- github.com/census-instrumentation/opencensus-proto: [v0.4.1](https://github.com/census-instrumentation/opencensus-proto/tree/v0.4.1)
-- github.com/client9/misspell: [v0.3.4](https://github.com/client9/misspell/tree/v0.3.4)
-- github.com/cncf/udpa/go: [269d4d4](https://github.com/cncf/udpa/tree/269d4d4)
-- github.com/ghodss/yaml: [v1.0.0](https://github.com/ghodss/yaml/tree/v1.0.0)
-- github.com/go-kit/kit: [v0.9.0](https://github.com/go-kit/kit/tree/v0.9.0)
-- github.com/go-logfmt/logfmt: [v0.4.0](https://github.com/go-logfmt/logfmt/tree/v0.4.0)
-- github.com/go-stack/stack: [v1.8.0](https://github.com/go-stack/stack/tree/v1.8.0)
-- github.com/golang-jwt/jwt/v4: [v4.5.2](https://github.com/golang-jwt/jwt/tree/v4.5.2)
-- github.com/golang/mock: [v1.1.1](https://github.com/golang/mock/tree/v1.1.1)
-- github.com/grpc-ecosystem/grpc-gateway: [v1.16.0](https://github.com/grpc-ecosystem/grpc-gateway/tree/v1.16.0)
-- github.com/konsorten/go-windows-terminal-sequences: [v1.0.1](https://github.com/konsorten/go-windows-terminal-sequences/tree/v1.0.1)
-- github.com/kr/logfmt: [b84e30a](https://github.com/kr/logfmt/tree/b84e30a)
-- github.com/opentracing/opentracing-go: [v1.1.0](https://github.com/opentracing/opentracing-go/tree/v1.1.0)
-- go.etcd.io/etcd/client/v2: v2.305.21
-- go.etcd.io/etcd/raft/v3: v3.5.21
-- go.uber.org/atomic: v1.7.0
-- golang.org/x/lint: d0100b6
-- google.golang.org/appengine: v1.4.0
-- google.golang.org/genproto: ef43131
-- honnef.co/go/tools: ea95bdf
\ No newline at end of file
diff --git a/CHANGELOG/CHANGELOG-1.35.md b/CHANGELOG/CHANGELOG-1.35.md
new file mode 100644
index 0000000000000..0716b0f3d60a3
--- /dev/null
+++ b/CHANGELOG/CHANGELOG-1.35.md
@@ -0,0 +1,1575 @@
+<!-- BEGIN MUNGE: GENERATED_TOC -->
+
+- [v1.35.0](#v1350)
+  - [Downloads for v1.35.0](#downloads-for-v1350)
+    - [Source Code](#source-code)
+    - [Client Binaries](#client-binaries)
+    - [Server Binaries](#server-binaries)
+    - [Node Binaries](#node-binaries)
+    - [Container Images](#container-images)
+  - [Changelog since v1.34.0](#changelog-since-v1340)
+  - [Urgent Upgrade Notes](#urgent-upgrade-notes)
+    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade)
+  - [Changes by Kind](#changes-by-kind)
+    - [Deprecation](#deprecation)
+    - [API Change](#api-change)
+    - [Feature](#feature)
+    - [Documentation](#documentation)
+    - [Bug or Regression](#bug-or-regression)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake)
+  - [Dependencies](#dependencies)
+    - [Added](#added)
+    - [Changed](#changed)
+    - [Removed](#removed)
+- [v1.35.0-rc.1](#v1350-rc1)
+  - [Downloads for v1.35.0-rc.1](#downloads-for-v1350-rc1)
+    - [Source Code](#source-code-1)
+    - [Client Binaries](#client-binaries-1)
+    - [Server Binaries](#server-binaries-1)
+    - [Node Binaries](#node-binaries-1)
+    - [Container Images](#container-images-1)
+  - [Changelog since v1.35.0-rc.0](#changelog-since-v1350-rc0)
+  - [Changes by Kind](#changes-by-kind-1)
+    - [Feature](#feature-1)
+    - [Bug or Regression](#bug-or-regression-1)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1)
+  - [Dependencies](#dependencies-1)
+    - [Added](#added-1)
+    - [Changed](#changed-1)
+    - [Removed](#removed-1)
+- [v1.35.0-rc.0](#v1350-rc0)
+  - [Downloads for v1.35.0-rc.0](#downloads-for-v1350-rc0)
+    - [Source Code](#source-code-2)
+    - [Client Binaries](#client-binaries-2)
+    - [Server Binaries](#server-binaries-2)
+    - [Node Binaries](#node-binaries-2)
+    - [Container Images](#container-images-2)
+  - [Changelog since v1.35.0-beta.0](#changelog-since-v1350-beta0)
+  - [Changes by Kind](#changes-by-kind-2)
+    - [Feature](#feature-2)
+    - [Bug or Regression](#bug-or-regression-2)
+  - [Dependencies](#dependencies-2)
+    - [Added](#added-2)
+    - [Changed](#changed-2)
+    - [Removed](#removed-2)
+- [v1.35.0-beta.0](#v1350-beta0)
+  - [Downloads for v1.35.0-beta.0](#downloads-for-v1350-beta0)
+    - [Source Code](#source-code-3)
+    - [Client Binaries](#client-binaries-3)
+    - [Server Binaries](#server-binaries-3)
+    - [Node Binaries](#node-binaries-3)
+    - [Container Images](#container-images-3)
+  - [Changelog since v1.35.0-alpha.3](#changelog-since-v1350-alpha3)
+  - [Changes by Kind](#changes-by-kind-3)
+    - [API Change](#api-change-1)
+    - [Feature](#feature-3)
+    - [Bug or Regression](#bug-or-regression-3)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2)
+  - [Dependencies](#dependencies-3)
+    - [Added](#added-3)
+    - [Changed](#changed-3)
+    - [Removed](#removed-3)
+- [v1.35.0-alpha.3](#v1350-alpha3)
+  - [Downloads for v1.35.0-alpha.3](#downloads-for-v1350-alpha3)
+    - [Source Code](#source-code-4)
+    - [Client Binaries](#client-binaries-4)
+    - [Server Binaries](#server-binaries-4)
+    - [Node Binaries](#node-binaries-4)
+    - [Container Images](#container-images-4)
+  - [Changelog since v1.35.0-alpha.2](#changelog-since-v1350-alpha2)
+  - [Urgent Upgrade Notes](#urgent-upgrade-notes-1)
+    - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-1)
+  - [Changes by Kind](#changes-by-kind-4)
+    - [API Change](#api-change-2)
+    - [Feature](#feature-4)
+    - [Bug or Regression](#bug-or-regression-4)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3)
+  - [Dependencies](#dependencies-4)
+    - [Added](#added-4)
+    - [Changed](#changed-4)
+    - [Removed](#removed-4)
+- [v1.35.0-alpha.2](#v1350-alpha2)
+  - [Downloads for v1.35.0-alpha.2](#downloads-for-v1350-alpha2)
+    - [Source Code](#source-code-5)
+    - [Client Binaries](#client-binaries-5)
+    - [Server Binaries](#server-binaries-5)
+    - [Node Binaries](#node-binaries-5)
+    - [Container Images](#container-images-5)
+  - [Changelog since v1.35.0-alpha.1](#changelog-since-v1350-alpha1)
+  - [Changes by Kind](#changes-by-kind-5)
+    - [Deprecation](#deprecation-1)
+    - [API Change](#api-change-3)
+    - [Feature](#feature-5)
+    - [Documentation](#documentation-1)
+    - [Bug or Regression](#bug-or-regression-5)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4)
+  - [Dependencies](#dependencies-5)
+    - [Added](#added-5)
+    - [Changed](#changed-5)
+    - [Removed](#removed-5)
+- [v1.35.0-alpha.1](#v1350-alpha1)
+  - [Downloads for v1.35.0-alpha.1](#downloads-for-v1350-alpha1)
+    - [Source Code](#source-code-6)
+    - [Client Binaries](#client-binaries-6)
+    - [Server Binaries](#server-binaries-6)
+    - [Node Binaries](#node-binaries-6)
+    - [Container Images](#container-images-6)
+  - [Changelog since v1.34.0](#changelog-since-v1340-1)
+  - [Changes by Kind](#changes-by-kind-6)
+    - [API Change](#api-change-4)
+    - [Feature](#feature-6)
+    - [Bug or Regression](#bug-or-regression-6)
+    - [Other (Cleanup or Flake)](#other-cleanup-or-flake-5)
+  - [Dependencies](#dependencies-6)
+    - [Added](#added-6)
+    - [Changed](#changed-6)
+    - [Removed](#removed-6)
+
+<!-- END MUNGE: GENERATED_TOC -->
+
+# v1.35.0
+
+[Documentation](https://docs.k8s.io)
+
+## Downloads for v1.35.0
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes.tar.gz) | `478ae8101675fa873a3ad84c81c91604e70bdb947e3379564907916c8a3a1d4a0b7d2077e1d2701f18f2509a6fce0997d93a441ef6d1a17a2e90fdffdd4c13ec`
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-src.tar.gz) | `dc9fc72736999bc40fdf28a7668c8e183effe135893c98f0773b0a50fe018c2f49156026c490f201def57645bf6172c81e07c1c6cb2d80bfb6b246c94fb4c5aa`
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-darwin-amd64.tar.gz) | `e7d510566442afd96dd3759764b573719469bb0ef00086d536bd7af0b8af29ddf150e6ece5ae95856daaaf7f2454f45755ac300648c692508e445aca7a8bd0de`
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-darwin-arm64.tar.gz) | `cd3b216a5418ef2eb00aeb74bf0ebae34c41aa16419bd5bbe5cbb5d394570a38f54c88294aaa5bd7c27ef28c4f1aee2b5658beb4cd025258b6bbd522e8d499bc`
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-386.tar.gz) | `50250aefecc03afe5a6b1be8dffbd58efb4814fed2aae299ac3bbd3b32a40b47697897bafcc36f31f226c5fd2b185cb970e64674aa9ee60412e122128487598d`
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-amd64.tar.gz) | `a1469924896411ab3365628b301d2bbacaf235908cea47308498c9c351a17462ab4154928ef6f91cee849ff52600e394f2abe70f5165371ccfe6638446699d2c`
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-arm.tar.gz) | `df921ad2702a8bc90b8797d97e5ddba5d7d077d18f3b9e53a4594a432f628f52842ee5e26f70c16a82b4decf7c72cba1d04c43163c85026f9b0610fbde63e183`
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-arm64.tar.gz) | `0b332e13c9bb52093f57c4f2ae4ab103bc7f51e4c5dad2859300e7ece09ef303a9345ed3aea4d050b287f52dd8ed8d7cf9185c9e40ea5cc900c8d34e63eec83d`
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-ppc64le.tar.gz) | `07789dc2ec7e8439774d88437f0b1ee35d6b60a8bd23055b93dcf1461de5ae69aba0e0e99a0202892f6c70217388646e1592b087f048bb57e5ab10b1b0dfa956`
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-linux-s390x.tar.gz) | `6563b8d452d29e7f155563294478e39dba7311dd086cf9fb0bc62c94a139b7f5d81a5716880d8072cd864948988e68f2dcd607a8ec79e339224ed5f4bcd48dc9`
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-windows-386.tar.gz) | `522f96799bdaacdd1d10ab4c3a58d8fd86e45e6326c3b6538cc079ca951c28916bd1c8c9bb1d98f6257be0ba1ed91e97614407fe11a1c4bbea2c2052ba0feca7`
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-windows-amd64.tar.gz) | `149145263071c8e1a4d73efe4d1c868286e7cea37629f1c076d2f2683e6b63fb3387d867f3283c9950a3b5b830f005019fa03874e4d53dfa9ad489aaaa9f535b`
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-client-windows-arm64.tar.gz) | `2cffd56e01eaf24ace819cf9f4ef94187185978c8fa1192fd9d47236824ccfe745fe649d38c4351a016e0406bcfd1944178cb93af67b5e69015c04ab2ca5bf7c`
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-server-linux-amd64.tar.gz) | `23af53c49de841a0d5c19d9525d820cecc9d55367c132296a5f381d051438bf06dcddff3d0236df8ba6011a6aa5d0ffc31960d277c7f53a0ad98e66d6f8d6a0a`
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-server-linux-arm64.tar.gz) | `fd245273c6ace20abc893f868d678c4a24c0dbe7d5340087f852d245e59329e66f79afce489dc1b396908d2f005b132eca8d15a7664508fe923627bb2eddee18`
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-server-linux-ppc64le.tar.gz) | `68c48db8537c0470d2245740b8cdf3225efafc48a96646e369137e35931bd43324caf1394ee4b31774b0f43d44e6a4eaa5976186248a114d0e0feb2cb8953edc`
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-server-linux-s390x.tar.gz) | `dd71c4b5ab213452d41059772de3b0db2c71fc6f958280694b2c1b20151bded5b6beb1b03a40dc683ce2d587e9a8bbf3bf486b3965064945803af4f10557558e`
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-node-linux-amd64.tar.gz) | `179278fecb65d246443f58cef00ca2f2a9d0ac6fbdb310994f0ac7fca249f7bdc1c79ea7f3e5455c1e2d2460f5447d006bfa579f97b502ee7034b2a1927f934a`
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-node-linux-arm64.tar.gz) | `01178703c84e0f671770e53024e3cc53f540c0cf93b0804d35884a777c3e3bc44c44d62b6fd25204348986fa589969a9255c0ef04235a0bb9d5560b09867aa0b`
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-node-linux-ppc64le.tar.gz) | `05d1ae963d5c4a382d380cb4f4cdfa924fa8a311953b5eaefe66b8696cebf14bffb13bda8ea784ca5fa1dd073c82ee148faa9a50911449cefad16fe2e800d7c1`
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-node-linux-s390x.tar.gz) | `b7501e91153d062c7c545ef9900faf9b29826b6ff5ec5320f6a799d3d3b479f6ae79092909a1905e055b72dd540a9c8fb02b2d0655f6957cd0b4b7b2e9c18909`
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0/kubernetes-node-windows-amd64.tar.gz) | `f54c606e8ecc29b4ba4ef4570f679352f66cbae1f1bd4f49db5e18227b00ed0e6d8dd47422390fd2a3b87d837cf39dae58a260208096169a3aabef9e874c7586`
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.34.0
+
+## Urgent Upgrade Notes 
+
+### (No, really, you MUST read this before you upgrade)
+
+- ACTION REQUIRED:
+  
+  Removed the `--pod-infra-container-image` flag from `kubelet` command line. For `non-kubeadm` clusters, users must manually remove this flag from their `kubelet` configuration to prevent startup failures before upgrading `kubelet`. For `kubeadm` clusters, if users pass extra arguments to the `kubelet` like `--pod-infra-container-image`, it will be written to the `kubelet` env file during the `init` phase. `kubeadm` does not remove it during the `init` or `join` phase, so users must manually remove it from `extraArgs` in the `kubelet` configuration file. ([#133779](https://github.com/kubernetes/kubernetes/pull/133779), [@carlory](https://github.com/carlory))
+ - ACTION REQUIRED:
+  
+  vendor: Updated `k8s.io/system-validators` to `v1.12.1`. The cgroups validator now throws an error instead of a warning if cgroups v1 is detected on the host and the provided KubeletVersion is `v1.35` or newer.
+  
+  kubeadm: Started using `k8s.io/system-validators` `v1.12.1` in `kubeadm` `v1.35`. During `kubeadm init`, `kubeadm join`, and `kubeadm upgrade`, the SystemVerification preflight check throws an error if cgroups v1 is detected and the detected `kubelet` version is `v1.35` or newer. For older versions of `kubelet`, a preflight warning is displayed.
+  
+  To allow cgroups v1 with `kubeadm` and `kubelet` version `v1.35` or newer, you must:
+  - Ignore the error from the SystemVerification preflight check by `kubeadm`.
+  - Edit the `kube-system/kubelet-config` ConfigMap and add the `failCgroupV1: false` field before upgrading. ([#134744](https://github.com/kubernetes/kubernetes/pull/134744), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle and Node]
+ 
+## Changes by Kind
+
+### Deprecation
+
+- ACTION REQUIRED: `failCgroupV1` will be set to true from 1.35. 
+  This means that nodes will not start on a cgroup v1 by default. This puts cgroup v1 into a deprecated state. ([#134298](https://github.com/kubernetes/kubernetes/pull/134298), [@kannon92](https://github.com/kannon92))
+- Marked `ipvs` mode in kube-proxy as deprecated, which will be removed in a future version of Kubernetes. Users are encouraged to migrate to `nftables`. ([#134539](https://github.com/kubernetes/kubernetes/pull/134539), [@adrianmoisey](https://github.com/adrianmoisey))
+
+### API Change
+
+- Added `ObservedGeneration` to CustomResourceDefinition conditions. ([#134984](https://github.com/kubernetes/kubernetes/pull/134984), [@michaelasp](https://github.com/michaelasp))
+- Added `WithOrigin` within `apis/core/validation` with adjusted tests. ([#132825](https://github.com/kubernetes/kubernetes/pull/132825), [@PatrickLaabs](https://github.com/PatrickLaabs))
+- Added scoring for the prioritized list feature so nodes that best satisfy the highest-ranked subrequests were chosen. ([#134711](https://github.com/kubernetes/kubernetes/pull/134711), [@mortent](https://github.com/mortent)) [SIG Node, Scheduling and Testing]
+- Added the `--min-compatibility-version` flag to `kube-apiserver`, `kube-controller-manager`, and `kube-scheduler`. ([#133980](https://github.com/kubernetes/kubernetes/pull/133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
+- Added the `StorageVersionMigration` `v1beta1` API and removed the `v1alpha1` API.
+  
+  ACTION REQUIRED: The `v1alpha1` API is no longer supported. Users must remove any `v1alpha1` resources before upgrading. ([#134784](https://github.com/kubernetes/kubernetes/pull/134784), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Apps, Auth, Etcd and Testing]
+- Added validation to ensure `log-flush-frequency` is a positive value, returning an error instead of causing a panic. ([#133540](https://github.com/kubernetes/kubernetes/pull/133540), [@BenTheElder](https://github.com/BenTheElder)) [SIG Architecture, Instrumentation, Network and Node]
+- All containers are restarted when a source container in a restart policy rule exits. This alpha feature is gated behind `RestartAllContainersOnContainerExit`. ([#134345](https://github.com/kubernetes/kubernetes/pull/134345), [@yuanwang04](https://github.com/yuanwang04)) [SIG Apps, Node and Testing]
+- CSI drivers can now opt in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (beta in `v1.35`). ([#134826](https://github.com/kubernetes/kubernetes/pull/134826), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth, Storage and Testing]
+- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](https://github.com/kubernetes/website/pull/52877) ([#134870](https://github.com/kubernetes/kubernetes/pull/134870), [@pmengelbert](https://github.com/pmengelbert)) [SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
+- DRA device taints: `DeviceTaintRule` status provides information about the rule, including whether Pods still need to be evicted (`EvictionInProgress` condition). The newly added `None` effect can be used to preview what a `DeviceTaintRule` would do if it used the `NoExecute` effect and to taint devices (`device health`) without immediately affecting scheduling or running Pods. ([#134152](https://github.com/kubernetes/kubernetes/pull/134152), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
+- DRA: The `DynamicResourceAllocation` feature gate for the core functionality (GA in `v1.34`) has now been locked to enabled-by-default and cannot be disabled anymore. ([#134452](https://github.com/kubernetes/kubernetes/pull/134452), [@pohly](https://github.com/pohly)) [SIG Auth, Node, Scheduling and Testing]
+- Enabled `kubectl get -o kyaml` by default. To disable it, set `KUBECTL_KYAML=false`. ([#133327](https://github.com/kubernetes/kubernetes/pull/133327), [@thockin](https://github.com/thockin))
+- Enabled in-place resizing of pod-level resources.  
+  - Added `Resources` in `PodStatus` to capture resources set in the pod-level cgroup.  
+  - Added `AllocatedResources` in `PodStatus` to capture resources requested in the `PodSpec`. ([#132919](https://github.com/kubernetes/kubernetes/pull/132919), [@ndixita](https://github.com/ndixita)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
+- Enabled the `NominatedNodeNameForExpectation` feature in kube-scheduler by default.
+  - Enabled the `ClearingNominatedNodeNameAfterBinding` feature in kube-apiserver by default. ([#135103](https://github.com/kubernetes/kubernetes/pull/135103), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- Enhanced discovery responses to merge API groups and resources from all peer apiservers when the `UnknownVersionInteroperabilityProxy` feature is enabled. ([#133648](https://github.com/kubernetes/kubernetes/pull/133648), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
+- Extended `core/v1` `Toleration` to support numeric comparison operators (`Gt`,`Lt`). ([#134665](https://github.com/kubernetes/kubernetes/pull/134665), [@helayoty](https://github.com/helayoty)) [SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
+- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([#133697](https://github.com/kubernetes/kubernetes/pull/133697), [@tallclair](https://github.com/tallclair)) [SIG API Machinery, Architecture, Cluster Lifecycle and Node]
+- Generated OpenAPI model packages for API types into `zz_generated.model_name.go` files, accessible via the `OpenAPIModelName()` function. This allows API authors to declare desired OpenAPI model packages instead of relying on the Go package path of API types. ([#131755](https://github.com/kubernetes/kubernetes/pull/131755), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- Implemented constrained impersonation as described in [KEP-5284](https://kep.k8s.io/5284). ([#134803](https://github.com/kubernetes/kubernetes/pull/134803), [@enj](https://github.com/enj)) [SIG API Machinery, Auth and Testing]
+- Introduced a new declarative validation tag `+k8s:customUnique` to control listmap uniqueness. ([#134279](https://github.com/kubernetes/kubernetes/pull/134279), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery and Auth]
+- Introduced a structured and versioned `v1alpha1` response for the `statusz` endpoint. ([#134313](https://github.com/kubernetes/kubernetes/pull/134313), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- Introduced a structured and versioned `v1alpha1` response format for the `flagz` endpoint. ([#134995](https://github.com/kubernetes/kubernetes/pull/134995), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- Introduced the GangScheduling kube-scheduler plugin to support "all-or-nothing" scheduling using the `scheduling.k8s.io/v1alpha1` Workload API. ([#134722](https://github.com/kubernetes/kubernetes/pull/134722), [@macsko](https://github.com/macsko)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
+- Introduced the Node Declared Features capability (alpha), which includes:
+  - A new `Node.Status.DeclaredFeatures` field for publishing node-specific features.
+  - A `component-helpers` library for feature registration and inference.
+  - A `NodeDeclaredFeatures` scheduler plugin to match pods with nodes that provide required features.
+  - A `NodeDeclaredFeatureValidator` admission plugin to validate pod updates against a node's declared features. ([#133389](https://github.com/kubernetes/kubernetes/pull/133389), [@pravk03](https://github.com/pravk03)) [SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
+- Introduced the `scheduling.k8s.io/v1alpha1` Workload API to express workload-level scheduling requirements and allow the kube-scheduler to act on them. ([#134564](https://github.com/kubernetes/kubernetes/pull/134564), [@macsko](https://github.com/macsko)) [SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
+- Introduced the alpha `MutableSchedulingDirectivesForSuspendedJobs` feature gate (disabled by default), which allows mutating a Job's scheduling directives while the Job is suspended. 
+  It also updates the Job controller to clears the `status.startTime` field for suspended Jobs. ([#135104](https://github.com/kubernetes/kubernetes/pull/135104), [@mimowo](https://github.com/mimowo)) [SIG Apps and Testing]
+- Kube-apiserver: Fixed a `v1.34` regression in `CustomResourceDefinition` handling that incorrectly warned about unrecognized formats on number and integer properties. ([#133896](https://github.com/kubernetes/kubernetes/pull/133896), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
+- Kube-apiserver: Fixed a possible panic validating a custom resource whose `CustomResourceDefinition` indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema`. ([#133721](https://github.com/kubernetes/kubernetes/pull/133721), [@fusida](https://github.com/fusida)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
+- Kubernetes API Go types removed runtime use of the `github.com/gogo/protobuf` library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the `google.golang.org/protobuf` library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in `v1.36`. ([#134256](https://github.com/kubernetes/kubernetes/pull/134256), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
+- Made node affinity in Persistent Volume mutable. ([#134339](https://github.com/kubernetes/kubernetes/pull/134339), [@huww98](https://github.com/huww98)) [SIG API Machinery, Apps and Node]
+- Moved the `ImagePullIntent` and `ImagePulledRecord` objects used by the kubelet to track image pulls to the `v1beta1` API version. ([#132579](https://github.com/kubernetes/kubernetes/pull/132579), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- Pod resize now only allows CPU and memory resources; other resource types are forbidden. ([#135084](https://github.com/kubernetes/kubernetes/pull/135084), [@tallclair](https://github.com/tallclair)) [SIG Apps, Node and Testing]
+- Prevented Pods from being scheduled onto nodes that lack the required CSI driver. ([#135012](https://github.com/kubernetes/kubernetes/pull/135012), [@gnufied](https://github.com/gnufied)) [SIG API Machinery, Scheduling, Storage and Testing]
+- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate has now been enabled by default. ([#133128](https://github.com/kubernetes/kubernetes/pull/133128), [@jm-franc](https://github.com/jm-franc)) [SIG API Machinery and Autoscaling]
+- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([#133087](https://github.com/kubernetes/kubernetes/pull/133087), [@atiratree](https://github.com/atiratree)) [SIG API Machinery, Apps and Testing]
+- Promoted `PodObservedGenerationTracking` to GA. ([#134948](https://github.com/kubernetes/kubernetes/pull/134948), [@natasha41575](https://github.com/natasha41575)) [SIG API Machinery, Apps, Node, Scheduling and Testing]
+- Promoted the `JobManagedBy` feature to general availability. The `JobManagedBy` feature gate was locked to `true` and will be removed in a future Kubernetes release. ([#135080](https://github.com/kubernetes/kubernetes/pull/135080), [@dejanzele](https://github.com/dejanzele)) [SIG API Machinery, Apps and Testing]
+- Promoted the `MaxUnavailableStatefulSet` feature to beta and enabling it by default. ([#133153](https://github.com/kubernetes/kubernetes/pull/133153), [@helayoty](https://github.com/helayoty)) [SIG API Machinery and Apps]
+- Removed the `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` feature gates, which were locked since `v1.32`. ([#134994](https://github.com/kubernetes/kubernetes/pull/134994), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Node and Testing]
+- Scheduler: Added the `bindingTimeout` argument to the DynamicResources plugin configuration, allowing customization of the wait duration in `PreBind` for device binding conditions.
+  Defaults to 10 minutes when `DRADeviceBindingConditions` and `DRAResourceClaimDeviceStatus` are both enabled. ([#134905](https://github.com/kubernetes/kubernetes/pull/134905), [@fj-naji](https://github.com/fj-naji)) [SIG Node and Scheduling]
+- The DRA device taints and toleration feature received a separate feature gate, `DRADeviceTaintRules`, which controlled support for `DeviceTaintRules`. This allowed disabling it while keeping `DRADeviceTaints` enabled so that tainting via `ResourceSlices` continued to work. ([#135068](https://github.com/kubernetes/kubernetes/pull/135068), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
+- The Pod Certificates feature moved to beta. The `PodCertificateRequest` feature gate is set disabled by default. To use the feature, users must enable the certificates API groups in `v1beta1` and enable the `PodCertificateRequest` feature gate. The `UserAnnotations` field was added to the `PodCertificateProjection` API and the corresponding `UnverifiedUserAnnotations` field was added to the `PodCertificateRequest` API. ([#134624](https://github.com/kubernetes/kubernetes/pull/134624), [@yt2985](https://github.com/yt2985)) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
+- The `KubeletEnsureSecretPulledImages` feature was promoted to Beta and enabled by default. ([#135228](https://github.com/kubernetes/kubernetes/pull/135228), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
+- The `PreferSameZone` and `PreferSameNode` values for the Service
+  `trafficDistribution` field graduated to general availability. The
+  `PreferClose` value is now deprecated in favor of the more explicit
+  `PreferSameZone`. ([#134457](https://github.com/kubernetes/kubernetes/pull/134457), [@danwinship](https://github.com/danwinship)) [SIG API Machinery, Apps, Network and Testing]
+- Updated `ResourceQuota` to count device class requests within a `ResourceClaim` as two additional quotas when the `DRAExtendedResource` feature is enabled:
+  - `requests.deviceclass.resource.k8s.io/<deviceclass>` is charged based on the worst-case number of devices requested.
+  - Device classes mapping to an extended resource now consume `requests.<extended resource name>`. ([#134210](https://github.com/kubernetes/kubernetes/pull/134210), [@yliaog](https://github.com/yliaog)) [SIG API Machinery, Apps, Node, Scheduling and Testing]
+- Updated storage version for `MutatingAdmissionPolicy` to `v1beta1`. ([#133715](https://github.com/kubernetes/kubernetes/pull/133715), [@cici37](https://github.com/cici37)) [SIG API Machinery, Etcd and Testing]
+- Updated the Partitionable Devices feature to support referencing counter sets across ResourceSlices within the same resource pool. Devices from incomplete pools were no longer considered for allocation. This change introduced backwards-incompatible updates to the alpha feature, requiring any ResourceSlices using it to be removed before upgrading or downgrading between v1.34 and v1.35. ([#134189](https://github.com/kubernetes/kubernetes/pull/134189), [@mortent](https://github.com/mortent)) [SIG API Machinery, Node, Scheduling and Testing]
+- Upgraded the `PodObservedGenerationTracking` feature to beta in `v1.34` and removed the alpha version description from the OpenAPI specification. ([#133883](https://github.com/kubernetes/kubernetes/pull/133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
+
+### Feature
+
+- Added `k8s-short-name` and `k8s-long-name` format validation tags to enforce DNS label and DNS subdomain compliance. ([#133894](https://github.com/kubernetes/kubernetes/pull/133894), [@lalitc375](https://github.com/lalitc375))
+- Added `kubectl kuberc view` and `kubectl kuberc set` commands to perform operations against the `kuberc` file. ([#135003](https://github.com/kubernetes/kubernetes/pull/135003), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+- Added `kubelet` stress test for pod cleanup when rejection due to `VolumeAttachmentLimitExceeded`. ([#133357](https://github.com/kubernetes/kubernetes/pull/133357), [@torredil](https://github.com/torredil)) [SIG Node and Storage]
+- Added `paths` section to kubelet `statusz` endpoint. ([#133239](https://github.com/kubernetes/kubernetes/pull/133239), [@Peac36](https://github.com/Peac36))
+- Added a `source` label to the `resourceclaim_controller_resource_claims` metric.
+  Added the `scheduler_resourceclaim_creates_total` metric for `DRAExtendedResource`. ([#134523](https://github.com/kubernetes/kubernetes/pull/134523), [@bitoku](https://github.com/bitoku)) [SIG Apps, Instrumentation, Node and Scheduling]
+- Added a counter metric `kubelet_image_manager_ensure_image_requests_total{present_locally, pull_policy, pull_required}` that exposes details about `kubelet` ensuring an image exists on the node. ([#132644](https://github.com/kubernetes/kubernetes/pull/132644), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- Added additional event emissions during Pod resizing to provide clearer visibility when a Pod’s resize status changes. ([#134825](https://github.com/kubernetes/kubernetes/pull/134825), [@natasha41575](https://github.com/natasha41575))
+- Added configurable per-device health check timeouts to the DRA health monitoring API. ([#135147](https://github.com/kubernetes/kubernetes/pull/135147), [@harche](https://github.com/harche)) [SIG Node]
+- Added metrics for the `MaxUnavailable` feature in `StatefulSet`. ([#130951](https://github.com/kubernetes/kubernetes/pull/130951), [@Edwinhr716](https://github.com/Edwinhr716)) [SIG Apps and Instrumentation]
+- Added paths section to scheduler `statusz` endpoint. ([#132606](https://github.com/kubernetes/kubernetes/pull/132606), [@Peac36](https://github.com/Peac36)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- Added remote runtime and image `Close()` method to be able to close the connection. ([#133211](https://github.com/kubernetes/kubernetes/pull/133211), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node]
+- Added support for tracing in `kubectl` with the `--profile=trace` flag. ([#134709](https://github.com/kubernetes/kubernetes/pull/134709), [@tchap](https://github.com/tchap))
+- Added support for validating UUID format. ([#133948](https://github.com/kubernetes/kubernetes/pull/133948), [@lalitc375](https://github.com/lalitc375))
+- Added the `-n` flag as a shorthand for `--namespace` in the `kubectl config set-context` command. ([#134384](https://github.com/kubernetes/kubernetes/pull/134384), [@tchap](https://github.com/tchap)) [SIG CLI and Testing]
+- Added the `ChangeContainerStatusOnKubeletRestart` feature gate, which defaults to disabled. When the feature gate is disabled, `kubelet` does not change the Pod status upon restart, and Pods do not re-run startup probes after the `kubelet` restarts. ([#134746](https://github.com/kubernetes/kubernetes/pull/134746), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node and Testing]
+- Added the `CloudControllerManagerWatchBasedRoutesReconciliation` feature gate. ([#131220](https://github.com/kubernetes/kubernetes/pull/131220), [@lukasmetzner](https://github.com/lukasmetzner)) [SIG API Machinery and Cloud Provider]
+- Added the `UserNamespacesHostNetworkSupport` feature gate. This gate is disabled by default, and when enabled, allowed `hostNetwork` pods to use user namespaces. ([#134893](https://github.com/kubernetes/kubernetes/pull/134893), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Apps, Node and Testing]
+- After fixing regressions detected in `v1.34`, the `SchedulerAsyncAPICalls` feature gate was re-enabled by default. ([#135059](https://github.com/kubernetes/kubernetes/pull/135059), [@macsko](https://github.com/macsko))
+- Changed `WaitForNamedCacheSync` to `WaitForNamedCacheSyncWithContext`. ([#133904](https://github.com/kubernetes/kubernetes/pull/133904), [@aditigupta96](https://github.com/aditigupta96)) [SIG API Machinery, Apps, Auth and Network]
+- DRA: the resource.k8s.io API now uses the v1 API version (introduced in 1.34) as default storage version. Downgrading to 1.33 is not supported. ([#133876](https://github.com/kubernetes/kubernetes/pull/133876), [@kei01234kei](https://github.com/kei01234kei)) [SIG API Machinery, Etcd and Testing]
+- Enabled the `MutableCSINodeAllocatableCount` feature gate by default in beta. ([#134647](https://github.com/kubernetes/kubernetes/pull/134647), [@torredil](https://github.com/torredil))
+- Enabled the `WatchListClient` feature gate. ([#134180](https://github.com/kubernetes/kubernetes/pull/134180), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery, Apps, Auth, CLI, Instrumentation, Node and Testing]
+- Enabled the feature gate `ContainerRestartRules` by default. The `ContainerRestartRules` feature has been promoted to beta. Fixed a bug in this feature that caused probes to continue to run even if the container has terminated and is not restartable. ([#134631](https://github.com/kubernetes/kubernetes/pull/134631), [@yuanwang04](https://github.com/yuanwang04))
+- Graduated the `PodTopologyLabelsAdmission` feature gate to Beta and enabled it by default.
+  Pods now receive `topology.kubernetes.io/zone` and `topology.kubernetes.io/region` labels automatically when their assigned Node has these labels. ([#135158](https://github.com/kubernetes/kubernetes/pull/135158), [@andrewsykim](https://github.com/andrewsykim))
+- Graduated the fine-grained supplemental groups policy (KEP-3619) to GA. ([#135088](https://github.com/kubernetes/kubernetes/pull/135088), [@everpeace](https://github.com/everpeace)) [SIG Node and Testing]
+- Graduated the image volume source feature to Beta and enabled it by default. ([#135195](https://github.com/kubernetes/kubernetes/pull/135195), [@haircommander](https://github.com/haircommander)) [SIG Apps, Instrumentation, Node and Testing]
+- Implemented opportunistic batching (KEP-5598) to optimize scheduling for pods with identical scheduling requirements. ([#135231](https://github.com/kubernetes/kubernetes/pull/135231), [@bwsalmon](https://github.com/bwsalmon)) [SIG Node, Scheduling, Storage and Testing]
+- Implemented scoring for DRA-backed extended resources. ([#134058](https://github.com/kubernetes/kubernetes/pull/134058), [@bart0sh](https://github.com/bart0sh)) [SIG Node, Scheduling and Testing]
+- Improved throughput in the `real-FIFO` queue used by `informers` and `controllers` by adding batch handling for processing watch events. ([#132240](https://github.com/kubernetes/kubernetes/pull/132240), [@yue9944882](https://github.com/yue9944882)) [SIG API Machinery, Scheduling and Storage]
+- Introduced end-to-end tests to verify component invariant metrics across the entire test suite. ([#133394](https://github.com/kubernetes/kubernetes/pull/133394), [@BenTheElder](https://github.com/BenTheElder))
+- Introduced new kubelet metrics for the Ensure Secret Pulled Images KEP, including:
+      - `kubelet_imagemanager_ondisk_pullintents` for tracking pull intent records on disk
+      - `kubelet_imagemanager_ondisk_pulledrecords` for tracking pulled image records on disk
+      - `kubelet_imagemanager_image_mustpull_checks_total{result}` for counting image must-pull verification checks. ([#132812](https://github.com/kubernetes/kubernetes/pull/132812), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- Introduced the `--as-user-extra` persistent flag in `kubectl`, which allows passing extra arguments during impersonation. ([#134378](https://github.com/kubernetes/kubernetes/pull/134378), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+- K8s.io/apimachinery: Introduced a helper function to compare `resourceVersion` strings between two objects of the same resource. ([#134330](https://github.com/kubernetes/kubernetes/pull/134330), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Apps, Auth, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- KEP-5440: Enabled support for resizing resources while a Job is suspended. This feature is alpha. ([#132441](https://github.com/kubernetes/kubernetes/pull/132441), [@kannon92](https://github.com/kannon92)) [SIG Apps and Testing]
+- Kube-apiserver: Made the subresources `pods/exec`, `pods/attach`, and `pods/portforward` require `create` permission for both SPDY and Websocket API requests. Previously, SPDY requests required `create` permission, but Websocket requests only required `get` permission. This change is gated by the `AuthorizePodWebsocketUpgradeCreatePermission` feature-gate, which is enabled by default.
+  
+  Before upgrading to 1.35, ensure any custom ClusterRoles and Roles intended to grant `pods/exec`, `pods/attach`, or `pods/portforward` permission include the `create` verb. ([#134577](https://github.com/kubernetes/kubernetes/pull/134577), [@seans3](https://github.com/seans3)) [SIG API Machinery, Auth, Node and Testing]
+- Kubeadm: Added error printing during retries related to the `WaitForAllControlPlaneComponents` functionality at verbosity level 5. ([#134433](https://github.com/kubernetes/kubernetes/pull/134433), [@neolit123](https://github.com/neolit123))
+- Kubeadm: Added the `HTTPEndpoints` field to `ClusterConfiguration.Etcd.ExternalEtcd` to configure HTTP endpoints for etcd communication in v1beta4. This separates HTTP traffic (e.g., `/metrics`, `/health`) from gRPC traffic, improving access control. Mirrors etcd’s `--listen-client-http-urls` behavior; if not set, the `Endpoints` field handles both traffic types. ([#134890](https://github.com/kubernetes/kubernetes/pull/134890), [@SataQiu](https://github.com/SataQiu))
+- Kubeadm: Graduated the kubeadm-specific feature gate `ControlPlaneKubeletLocalMode` to GA and locked it to enabled by default. To opt out, patch the `server` field in `/etc/kubernetes/kubelet.conf`. Deprecated the subphase of `kubeadm join phase control-plane-join` called `etcd`, which is now hidden and replaced by subphase with identical functionality `etcd-join`. The `etcd` subphase will be removed in a future release. The subphase `kubelet-wait-bootstrap` of `kubeadm join` is no longer experimental and will now always run. ([#134106](https://github.com/kubernetes/kubernetes/pull/134106), [@neolit123](https://github.com/neolit123))
+- Kubernetes is now built using Go 1.25.1 ([#134095](https://github.com/kubernetes/kubernetes/pull/134095), [@dims](https://github.com/dims)) [SIG Release and Testing]
+- Kubernetes is now built using Go 1.25.4 ([#135492](https://github.com/kubernetes/kubernetes/pull/135492), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
+- Kubernetes now uses Go Language Version 1.25, including https://go.dev/blog/container-aware-gomaxprocs ([#134120](https://github.com/kubernetes/kubernetes/pull/134120), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling and Storage]
+- Locked down the `AllowOverwriteTerminationGracePeriodSeconds` feature gate. ([#133792](https://github.com/kubernetes/kubernetes/pull/133792), [@HirazawaUi](https://github.com/HirazawaUi))
+- Locked the (generally available) feature gate `ExecProbeTimeout` to true. ([#134635](https://github.com/kubernetes/kubernetes/pull/134635), [@vivzbansal](https://github.com/vivzbansal)) [SIG Node and Testing]
+- Metrics: Excluded `dryRun` requests from `apiserver_request_sli_duration_seconds`. ([#131092](https://github.com/kubernetes/kubernetes/pull/131092), [@aldudko](https://github.com/aldudko)) [SIG API Machinery and Instrumentation]
+- Migrated validation in `resource.k8s.io` to declarative validation.
+  When the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
+  when `DeclarativeValidationTakeover` feature gate is enabled, declarative validation becomes the primary source of errors for migrated fields. ([#134072](https://github.com/kubernetes/kubernetes/pull/134072), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps and Auth]
+- Moved the Pod Certificates feature to beta. Added `UserAnnotations` to the `PodCertificateProjection` API and `UnverifiedUserAnnotations` to the `PodCertificateRequest` API. The `PodCertificateRequest` feature gate remains disabled by default and requires enabling the v1beta1 certificates API groups. ([#134790](https://github.com/kubernetes/kubernetes/pull/134790), [@yt2985](https://github.com/yt2985)) [SIG Auth, Instrumentation and Testing]
+- Promoted `ImageGCMaximumAge` to stable. ([#134736](https://github.com/kubernetes/kubernetes/pull/134736), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
+- Promoted `InPlacePodVerticalScaling` to GA. ([#134949](https://github.com/kubernetes/kubernetes/pull/134949), [@natasha41575](https://github.com/natasha41575)) [SIG API Machinery, Node and Scheduling]
+- Promoted `kubectl` command headers to stable. ([#134777](https://github.com/kubernetes/kubernetes/pull/134777), [@soltysh](https://github.com/soltysh)) [SIG CLI and Testing]
+- Promoted the `EnvFiles` feature gate to beta and is enabled by default. Additionally, the syntax specification for environment variables has been restricted to a subset of POSIX shell syntax (all variable values must be wrapped in single quotes). ([#134414](https://github.com/kubernetes/kubernetes/pull/134414), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node and Testing]
+- Promoted the `HostnameOverride` feature gate to beta and enabled it by default. ([#134729](https://github.com/kubernetes/kubernetes/pull/134729), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Network and Node]
+- Promoted the `KubeletCrashLoopBackOffMax` feature gate to beta and enabled it by default. ([#135044](https://github.com/kubernetes/kubernetes/pull/135044), [@hankfreund](https://github.com/hankfreund))
+- Selected a single device class deterministically when multiple device classes were available for an extended resource. ([#135037](https://github.com/kubernetes/kubernetes/pull/135037), [@yliaog](https://github.com/yliaog)) [SIG Node, Scheduling and Testing]
+- The JWT authenticator in `kube-apiserver` now reports the following metrics when the `StructuredAuthenticationConfiguration` feature gate is enabled:
+  - `apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds`
+  - `apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info`. ([#123642](https://github.com/kubernetes/kubernetes/pull/123642), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
+- The scheduler now clears the `nominatedNodeName` field for Pods upon scheduling or binding failure. External components, such as Cluster Autoscaler and Karpenter, should not overwrite this field. ([#135007](https://github.com/kubernetes/kubernetes/pull/135007), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+- Updated `applyconfiguration-gen` to generate extract functions for all subresources. ([#132665](https://github.com/kubernetes/kubernetes/pull/132665), [@mrIncompetent](https://github.com/mrIncompetent))
+- Updated `applyconfiguration-gen` to preserve struct and field comments from source types in the generated code. ([#132663](https://github.com/kubernetes/kubernetes/pull/132663), [@mrIncompetent](https://github.com/mrIncompetent))
+- Updated `kubectl describe pods` to include the involved object’s `fieldPath` (e.g., container name) in event messages, providing better context for debugging multi-container Pods. Note: This changes the previous message format for events that include a `fieldPath`. ([#133627](https://github.com/kubernetes/kubernetes/pull/133627), [@itzPranshul](https://github.com/itzPranshul))
+- Updated sandbox ordering to use by attempt count or creation time. ([#130551](https://github.com/kubernetes/kubernetes/pull/130551), [@yylt](https://github.com/yylt))
+- Updated the Kubernetes build to use Go `1.25.4`. ([#135187](https://github.com/kubernetes/kubernetes/pull/135187), [@BenTheElder](https://github.com/BenTheElder))
+- Updated underlying images and dependencies to be compatible with Go version`1.25.3`. ([#134611](https://github.com/kubernetes/kubernetes/pull/134611), [@cpanato](https://github.com/cpanato)) [SIG Architecture, Cloud Provider, Etcd, Release, Storage and Testing]
+- `kubeadm`: Added a preflight check `ContainerRuntimeVersion` to validate if the installed container runtime supports the `RuntimeConfig` gRPC method. If unsupported, `kubeadm` prints a warning message.
+  
+  Starting with Kubernetes `v1.36`, `kubelet` might refuse to start if the CRI runtime does not support this feature. More information can be found at the [Kubernetes blog](https://kubernetes.io/blog/2025/09/12/kubernetes-v1-34-cri-cgroup-driver-lookup-now-ga/). ([#134906](https://github.com/kubernetes/kubernetes/pull/134906), [@carlory](https://github.com/carlory))
+
+- Kubernetes is now built using Go `1.25.5`. ([#135609](https://github.com/kubernetes/kubernetes/pull/135609), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
+
+### Documentation
+
+- Promoted the `--chunk-size` flag to stable. The kubectl `describe`, `get`, `drain`, and `events` commands can use `--chunk-size` flag to set chunk size. ([#134481](https://github.com/kubernetes/kubernetes/pull/134481), [@soltysh](https://github.com/soltysh))
+
+### Bug or Regression
+
+- Added support for Pods to reference the same `PersistentVolumeClaim` across multiple volumes. ([#122140](https://github.com/kubernetes/kubernetes/pull/122140), [@huww98](https://github.com/huww98)) [SIG Node, Storage and Testing]
+- Added support for the `ShareID` field of the `DRAConsumableCapacity` feature in the Kubelet Plugin API. ([#134520](https://github.com/kubernetes/kubernetes/pull/134520), [@sunya-ch](https://github.com/sunya-ch)) [SIG Node and Testing]
+- Added the correct error when eviction is blocked due to the failSafe mechanism of the `DisruptionController`. ([#133097](https://github.com/kubernetes/kubernetes/pull/133097), [@kei01234kei](https://github.com/kei01234kei)) [SIG Apps and Node]
+- Changed `kubectl exec` syntax to require `--` before the command. The form `kubectl exec [POD] [COMMAND]` is no longer supported; use `kubectl exec [POD] -- [COMMAND]` instead. ([#133841](https://github.com/kubernetes/kubernetes/pull/133841), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085))
+- DRA API: Fixed the `tolerations` field in exact and sub requests to drop properly when the `DRADeviceTaints` API is disabled. ([#132927](https://github.com/kubernetes/kubernetes/pull/132927), [@pohly](https://github.com/pohly))
+- DRA Device Taints: Fixed toleration of `NoExecute`. Prior to this enhancement, tolerating a `NoExecute` did not work because the scheduler did not inform the eviction controller about the toleration, so the scheduled pod got evicted almost immediately. ([#134479](https://github.com/kubernetes/kubernetes/pull/134479), [@pohly](https://github.com/pohly)) [SIG Apps, Node, Scheduling and Testing]
+- Deprecated metrics will be hidden as per the metrics deprecation policy. https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-a-metric . ([#133436](https://github.com/kubernetes/kubernetes/pull/133436), [@richabanker](https://github.com/richabanker)) [SIG Architecture, Instrumentation and Network]
+- Disabled the `SchedulerAsyncAPICalls` feature gate to mitigate a bug where its interaction with asynchronous preemption could degrade `kube-scheduler` performance, especially under high `kube-apiserver` load. ([#134400](https://github.com/kubernetes/kubernetes/pull/134400), [@macsko](https://github.com/macsko))
+- Dropped `DeviceBindingConditions` fields when the `DRADeviceBindingConditions` feature gate is not enabled and not in use. ([#134964](https://github.com/kubernetes/kubernetes/pull/134964), [@sunya-ch](https://github.com/sunya-ch))
+- Extended resources requested by initContainers which are allocated using an automatic ResourceClaim now match the behavior of legacy device plugins, reusing the same resources requested by later sidecar initContainers or regular containers when possible, to minimize the total number of devices requested by the pod. ([#134882](https://github.com/kubernetes/kubernetes/pull/134882), [@yliaog](https://github.com/yliaog)) [SIG Apps, CLI, Node, Scheduling and Testing]
+- Fixed SELinux warning controller not emitting events on some SELinux label conflicts. ([#133425](https://github.com/kubernetes/kubernetes/pull/133425), [@jsafrane](https://github.com/jsafrane)) [SIG Apps, Storage and Testing]
+- Fixed `replicaCount` calculation exceeding max `int32`. ([#126979](https://github.com/kubernetes/kubernetes/pull/126979), [@omerap12](https://github.com/omerap12)) [SIG Apps and Autoscaling]
+- Fixed a Windows kube-proxy (winkernel) issue where stale `RemoteEndpoints`
+  remained when a Deployment was referenced by multiple Services due to premature
+  clearing of the `terminatedEndpoints` map. ([#135146](https://github.com/kubernetes/kubernetes/pull/135146), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows]
+- Fixed a bug in `ValidatingAdmissionPolicy` where schemas with `additionalProperties: true` could cause the kube-controller-manager to crash with a nil pointer exception. ([#135155](https://github.com/kubernetes/kubernetes/pull/135155), [@jpbetz](https://github.com/jpbetz))
+- Fixed a bug in `kube-proxy` `nftables` mode (GA as of `v1.33`) which fails to determine if traffic originates from a local source on the node. The issue was caused by using the wrong meta `iif` instead of `iifname` for name based matches. ([#134024](https://github.com/kubernetes/kubernetes/pull/134024), [@jack4it](https://github.com/jack4it))
+- Fixed a bug in `kube-scheduler` where pending pod preemption caused preemptor pods to be retried more frequently. ([#134245](https://github.com/kubernetes/kubernetes/pull/134245), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
+- Fixed a bug that caused apiservers to send an inappropriate Content-Type request header to authorization, token authentication, imagepolicy admission, and audit webhooks when the alpha client-go feature gate "ClientsPreferCBOR" is enabled. ([#132960](https://github.com/kubernetes/kubernetes/pull/132960), [@benluddy](https://github.com/benluddy)) [SIG API Machinery and Node]
+- Fixed a bug that caused duplicate validation when updating `PersistentVolumeClaims`, `VolumeAttachments` and `VolumeAttributesClasses`. ([#132549](https://github.com/kubernetes/kubernetes/pull/132549), [@gavinkflam](https://github.com/gavinkflam))
+- Fixed a bug that caused duplicate validation when updating `Role` and `RoleBinding` resources. ([#132550](https://github.com/kubernetes/kubernetes/pull/132550), [@gavinkflam](https://github.com/gavinkflam))
+- Fixed a bug that prevented allocating the same device that was previously consuming the `CounterSet` when both `DRAConsumableCapacity` and `DRAPartitionableDevices` were enabled. ([#134103](https://github.com/kubernetes/kubernetes/pull/134103), [@sunya-ch](https://github.com/sunya-ch))
+- Fixed a bug that prevents scheduling the next pod when using the `DRAConsumableCapacity` feature. ([#133706](https://github.com/kubernetes/kubernetes/pull/133706), [@sunya-ch](https://github.com/sunya-ch))
+- Fixed a bug to prevent segmentation fault from occurring when updating deeply nested JSON fields. ([#134381](https://github.com/kubernetes/kubernetes/pull/134381), [@kon-angelo](https://github.com/kon-angelo)) [SIG API Machinery and CLI]
+- Fixed a bug where 64-bit IPv6 `ServiceCIDRs` allocated addresses outside the subnet range. ([#134193](https://github.com/kubernetes/kubernetes/pull/134193), [@hoskeri](https://github.com/hoskeri))
+- Fixed a bug where Job status updates fail after resuming a Job that was previously started and suspended.
+  The error message was: `status.startTime: Required value: startTime cannot be removed for unsuspended job`. ([#134769](https://github.com/kubernetes/kubernetes/pull/134769), [@dejanzele](https://github.com/dejanzele)) [SIG Apps and Testing]
+- Fixed a bug where `AllocationMode: All` would not succeed if a resource pool contained `ResourceSlices` that were not targeting the current node. ([#134466](https://github.com/kubernetes/kubernetes/pull/134466), [@mortent](https://github.com/mortent))
+- Fixed a bug where a deleted Pod in the binding phase continued to occupy space on the node in `kube-scheduler`. ([#134157](https://github.com/kubernetes/kubernetes/pull/134157), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
+- Fixed a bug where high latency `kube-apiserver` caused scheduling throughput degradation. ([#134154](https://github.com/kubernetes/kubernetes/pull/134154), [@macsko](https://github.com/macsko))
+- Fixed a bug where the health of a DRA resource was not reported in the Pod status if the resource claim was generated from a template or used a different local name in the Pod spec. ([#134875](https://github.com/kubernetes/kubernetes/pull/134875), [@Jpsassine](https://github.com/Jpsassine)) [SIG Node and Testing]
+- Fixed a long-standing issue where `kubelet` rejected Pods with `NodeAffinityFailed` due to a stale informer cache. ([#134445](https://github.com/kubernetes/kubernetes/pull/134445), [@natasha41575](https://github.com/natasha41575))
+- Fixed a panic in `kubectl api-resources` that occurred when the Discovery Client failed. ([#134833](https://github.com/kubernetes/kubernetes/pull/134833), [@rikatz](https://github.com/rikatz))
+- Fixed a possible data race during metrics registration. ([#134390](https://github.com/kubernetes/kubernetes/pull/134390), [@liggitt](https://github.com/liggitt)) [SIG Architecture and Instrumentation]
+- Fixed a spurious `namespace not found` error in default `v1.30+` configurations when using `ValidatingAdmissionPolicy` or `MutatingAdmissionPolicy` to intercept namespaced objects in newly-created namespaces. ([#135359](https://github.com/kubernetes/kubernetes/pull/135359), [@liggitt](https://github.com/liggitt))
+- Fixed a startup probe race condition that caused main containers to remain stuck in "Initializing" state when sidecar containers with startup probes had failed initially but succeeded on restart in pods with `restartPolicy=Never`. ([#133072](https://github.com/kubernetes/kubernetes/pull/133072), [@AadiDev005](https://github.com/AadiDev005)) [SIG Node and Testing]
+- Fixed an issue in asynchronous preemption: Scheduler now checks if preemption is ongoing for a Pod before initiating new preemption calls. ([#134730](https://github.com/kubernetes/kubernetes/pull/134730), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+- Fixed an issue that prevented restart policies and restart rules from being applied to static pods. ([#135031](https://github.com/kubernetes/kubernetes/pull/135031), [@yuanwang04](https://github.com/yuanwang04))
+- Fixed an issue where requests for a config `FromClass` in the `ResourceClaim` status were not referenced. ([#134793](https://github.com/kubernetes/kubernetes/pull/134793), [@LionelJouin](https://github.com/LionelJouin))
+- Fixed an issue where the `kubelet` `/configz` endpoint reported an incorrect value for `kubeletconfig.cgroupDriver` when the cgroup driver setting was received from the container runtime. ([#134743](https://github.com/kubernetes/kubernetes/pull/134743), [@marquiz](https://github.com/marquiz))
+- Fixed an issue where the default `serviceCIDR` controller did not log events because the event broadcaster was shutdown during initialization. ([#133338](https://github.com/kubernetes/kubernetes/pull/133338), [@aojea](https://github.com/aojea))
+- Fixed an issue with setting `distinctAttribute=nil` when the `DRAConsumableCapacity` feature gate is disabled. ([#134962](https://github.com/kubernetes/kubernetes/pull/134962), [@sunya-ch](https://github.com/sunya-ch))
+- Fixed broken shell completion for API resources. ([#133771](https://github.com/kubernetes/kubernetes/pull/133771), [@marckhouzam](https://github.com/marckhouzam))
+- Fixed incorrect behavior of preemptor pod when preemption of the victim takes long to complete. The preemptor pod should not be circling in scheduling cycles until preemption is finished. ([#134294](https://github.com/kubernetes/kubernetes/pull/134294), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+- Fixed missing `kubelet_volume_stats_*` metrics. ([#133890](https://github.com/kubernetes/kubernetes/pull/133890), [@huww98](https://github.com/huww98)) [SIG Instrumentation and Node]
+- Fixed occasional schedule delays when a static `PersistentVolume` is created. ([#133929](https://github.com/kubernetes/kubernetes/pull/133929), [@huww98](https://github.com/huww98)) [SIG Scheduling and Storage]
+- Fixed resource claims deallocation for extended resource when Pod completes. ([#134312](https://github.com/kubernetes/kubernetes/pull/134312), [@alaypatel07](https://github.com/alaypatel07)) [SIG Apps, Node and Testing]
+- Fixed the kubelet to honor the `userNamespaces.idsPerPod` configuration, which was previously ignored. ([#133373](https://github.com/kubernetes/kubernetes/pull/133373), [@AkihiroSuda](https://github.com/AkihiroSuda)) [SIG Node and Testing]
+- Fixed the replacement tag in APIs so it no longer acted as a selector for storage version. ([#135197](https://github.com/kubernetes/kubernetes/pull/135197), [@Jefftree](https://github.com/Jefftree))
+- Fixed validation error when `ConfigFlags` includes `CertFile` and/or `KeyFile` while the original configuration also contains `CertFileData` and/or `KeyFileData`. ([#133917](https://github.com/kubernetes/kubernetes/pull/133917), [@n2h9](https://github.com/n2h9)) [SIG API Machinery and CLI]
+- Improved performance of `Endpoint` and `EndpointSlice` controllers when there are a large number of services in a single namespace by making pod-to-service lookup asynchronous. ([#134739](https://github.com/kubernetes/kubernetes/pull/134739), [@shyamjvs](https://github.com/shyamjvs)) [SIG Apps and Network]
+- Improved the `FreeDiskSpaceFailed` warning event to provide more actionable details when image garbage collection fails to free enough disk space. Example: `Insufficient free disk space on the node's image filesystem (95.0% of 10.0 GiB used). Failed to free sufficient space by deleting unused images. Consider resizing the disk or deleting unused files.`. ([#132578](https://github.com/kubernetes/kubernetes/pull/132578), [@drigz](https://github.com/drigz))
+- Introduced support for using an implicit extended resource name derived from the device class (`deviceclass.resource.kubernetes.io/<device-class-name>`) to request DRA devices matching that class. ([#133363](https://github.com/kubernetes/kubernetes/pull/133363), [@yliaog](https://github.com/yliaog)) [SIG Node, Scheduling and Testing]
+- Kube-apiserver: Fixed a `v1.34` regression with spurious "Error getting keys" log messages. ([#133817](https://github.com/kubernetes/kubernetes/pull/133817), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
+- Kube-apiserver: Fixed a possible `v1.34` performance regression calculating object size statistics for resources not served from the watch cache, typically only `Events`. ([#133873](https://github.com/kubernetes/kubernetes/pull/133873), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
+- Kube-apiserver: Improved validation error messages for custom resources with CEL validation rules to include the value that failed validation. ([#132798](https://github.com/kubernetes/kubernetes/pull/132798), [@cbandy](https://github.com/cbandy))
+- Kube-apiserver: Made sure that when `--requestheader-client-ca-file` and `--client-ca-file` contain overlapping certificates, `--requestheader-allowed-names` must be specified so that regular client certificates cannot set authenticating proxy headers for arbitrary users. ([#131411](https://github.com/kubernetes/kubernetes/pull/131411), [@ballista01](https://github.com/ballista01)) [SIG API Machinery, Auth and Security]
+- Kube-apiserver: Resolved an issue causing unnecessary warning log messages about enabled alpha APIs during API server startup. ([#135327](https://github.com/kubernetes/kubernetes/pull/135327), [@michaelasp](https://github.com/michaelasp))
+- Kube-controller-manager: Fixed a possible data race in the garbage collection controller. ([#134379](https://github.com/kubernetes/kubernetes/pull/134379), [@liggitt](https://github.com/liggitt)) [SIG API Machinery and Apps]
+- Kube-controller-manager: Resolved potential issues handling pods with incorrect uids in their `ownerReference`. ([#134654](https://github.com/kubernetes/kubernetes/pull/134654), [@liggitt](https://github.com/liggitt))
+- Kubeadm: Added missing cluster-info context validation to prevent panics when the user has a malformed kubeconfig in the cluster-info ConfigMap that excludes a valid current context. ([#134715](https://github.com/kubernetes/kubernetes/pull/134715), [@neolit123](https://github.com/neolit123))
+- Kubeadm: Ensured waiting for `apiserver` uses a local client that doesn't reach to the control plane endpoint and instead reaches directly to the local API server endpoint. ([#134265](https://github.com/kubernetes/kubernetes/pull/134265), [@neolit123](https://github.com/neolit123))
+- Kubeadm: Fixed `KUBEADM_UPGRADE_DRYRUN_DIR` not honored in upgrade phase when writing kubelet config files. ([#134007](https://github.com/kubernetes/kubernetes/pull/134007), [@carlory](https://github.com/carlory))
+- Kubeadm: Fixed a bug where `ClusterConfiguration.APIServer.TimeoutForControlPlane` from `v1beta3` was not respected in newer kubeadm versions where `v1beta4` is the default. ([#133513](https://github.com/kubernetes/kubernetes/pull/133513), [@tom1299](https://github.com/tom1299))
+- Kubeadm: Fixed a bug where the node registration information for a given node was not fetched correctly during `kubeadm upgrade node` and the node name can end up being incorrect in cases where the node name is not the same as the host name. ([#134319](https://github.com/kubernetes/kubernetes/pull/134319), [@neolit123](https://github.com/neolit123))
+- Kubeadm: Fixed a preflight check that could fail hostname construction in IPv6 setups. ([#134588](https://github.com/kubernetes/kubernetes/pull/134588), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Cloud Provider, Cluster Lifecycle and Testing]
+- Kubelet: Fixed a concurrent map write error when creating a pod with an empty volume while the `LocalStorageCapacityIsolationFSQuotaMonitoring` feature gate is enabled. ([#135174](https://github.com/kubernetes/kubernetes/pull/135174), [@carlory](https://github.com/carlory))
+- Kubelet: Fixed an internal deadlock that caused the connection to a DRA driver to become unusable after being idle for 30 minutes. ([#133926](https://github.com/kubernetes/kubernetes/pull/133926), [@pohly](https://github.com/pohly))
+- Made legacy watch calls (`ResourceVersion` = 0 or unset) that generate init-events weigh higher in `API Priority and Fairness (APF)` seat usage. Properly accounting for their cost protects the API server from CPU overload. Users might see increased throttling of such calls as a result. ([#134601](https://github.com/kubernetes/kubernetes/pull/134601), [@shyamjvs](https://github.com/shyamjvs))
+- Namespace is now included in the `--dry-run=client` output for `HorizontalPodAutoscaler (HPA)` objects. ([#134263](https://github.com/kubernetes/kubernetes/pull/134263), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+- Populated `involvedObject.apiVersion` on Events created for Nodes and Pods. ([#134545](https://github.com/kubernetes/kubernetes/pull/134545), [@novahe](https://github.com/novahe)) [SIG Cloud Provider, Network, Node, Scalability and Testing]
+- Promoted VAC API test to conformance. ([#133615](https://github.com/kubernetes/kubernetes/pull/133615), [@carlory](https://github.com/carlory)) [SIG Architecture, Storage and Testing]
+- Removed `BlockOwnerDeletion` from `ResourceClaim` created from `ResourceClaimTemplate` and from `extendedResourceClaim` created by the `scheduler`. ([#134956](https://github.com/kubernetes/kubernetes/pull/134956), [@yliaog](https://github.com/yliaog)) [SIG Apps, Node and Scheduling]
+- Removed an incorrect `SessionAffinity` warning that appeared when a headless service was created or updated. ([#134054](https://github.com/kubernetes/kubernetes/pull/134054), [@Peac36](https://github.com/Peac36))
+- Slow container runtime initialization no longer causes the System WatchDog to kill the kubelet. The Device Manager was treated as unhealthy until it began listening on its port. ([#135153](https://github.com/kubernetes/kubernetes/pull/135153), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev))
+- Typed workqueue now cleans up goroutines before shutting down ([#135072](https://github.com/kubernetes/kubernetes/pull/135072), [@Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
+- Updated `kubectl scale` to return a consistent error message when a specified resource is not found. Previously, it returned: `error: no objects passed to scale <GroupResource> "<ResourceName>" not found`. It now matches the format used by other commands (e.g., `kubectl get`): `Error from server (NotFound): <GroupResource> "<ResourceName>" not found`. ([#134017](https://github.com/kubernetes/kubernetes/pull/134017), [@mochizuki875](https://github.com/mochizuki875))
+- `kube-controller-manager`: Fixed a `v1.34` regression that triggered a spurious rollout of existing StatefulSets when upgrading the control plane from `v1.33` to `v1.34`. This fix is guarded by the `StatefulSetSemanticRevisionComparison` feature gate, which is enabled by default. ([#135017](https://github.com/kubernetes/kubernetes/pull/135017), [@liggitt](https://github.com/liggitt))
+- `kube-scheduler`: Pod statuses no longer include specific taint keys or values when scheduling fails due to untolerated taints. ([#134740](https://github.com/kubernetes/kubernetes/pull/134740), [@hoskeri](https://github.com/hoskeri))
+- Fixes a bug where `MutatingAdmissionPolicy` would fail to apply to objects with duplicate list items (like env vars). ([#135560](https://github.com/kubernetes/kubernetes/pull/135560), [@lalitc375](https://github.com/lalitc375) [SIG API Machinery]
+- K8s.io/client-go: Fixes a regression in 1.34+ which prevented informers from using configured Transformer functions. ([#135580](https://github.com/kubernetes/kubernetes/pull/135580), [@serathius](https://github.com/serathius) [SIG API Machinery]
+
+### Other (Cleanup or Flake)
+
+- Added the `Step` field to the testing framework to allow volume expansion in configurable step sizes for tests. ([#134760](https://github.com/kubernetes/kubernetes/pull/134760), [@Rishita-Golla](https://github.com/Rishita-Golla)) [SIG Storage and Testing]
+- Bumped addon manager to use `kubectl` version `v1.32.2`. ([#130548](https://github.com/kubernetes/kubernetes/pull/130548), [@Jefftree](https://github.com/Jefftree)) [SIG Cloud Provider, Scalability and Testing]
+- Dropped support for `certificates/v1beta1` `CertificateSigningRequest` in `kubectl`. ([#134782](https://github.com/kubernetes/kubernetes/pull/134782), [@scaliby](https://github.com/scaliby))
+- Dropped support for `discovery/v1beta1` `EndpointSlice` in `kubectl`. ([#134913](https://github.com/kubernetes/kubernetes/pull/134913), [@scaliby](https://github.com/scaliby))
+- Dropped support for `networking/v1beta1` `Ingress` in `kubectl`. ([#135108](https://github.com/kubernetes/kubernetes/pull/135108), [@scaliby](https://github.com/scaliby))
+- Dropped support for `networking/v1beta1` `Ingress` in `kubectl`. ([#135176](https://github.com/kubernetes/kubernetes/pull/135176), [@scaliby](https://github.com/scaliby))
+- Dropped support for `policy/v1beta1` PodDisruptionBudget in kubectl. ([#134685](https://github.com/kubernetes/kubernetes/pull/134685), [@scaliby](https://github.com/scaliby))
+- Eliminated and prevented future use of the `md5` algorithm in favor of more appropriate hashing algorithms. ([#133511](https://github.com/kubernetes/kubernetes/pull/133511), [@BenTheElder](https://github.com/BenTheElder)) [SIG Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Security, Storage and Testing]
+- Fixed `nfacct` test cases on s390x. ([#133603](https://github.com/kubernetes/kubernetes/pull/133603), [@saisindhuri91](https://github.com/saisindhuri91))
+- Fixed formatting of various Go API deprecations for `GoDoc` and `pkgsite`, and enabled a linter to detect misformatted deprecations. ([#133571](https://github.com/kubernetes/kubernetes/pull/133571), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture, CLI, Instrumentation and Testing]
+- Improved HPA performance when using container-specific resource metrics by optimizing container lookup logic to exit early once the target container is found, reducing unnecessary iterations through all containers in a pod. ([#133415](https://github.com/kubernetes/kubernetes/pull/133415), [@AadiDev005](https://github.com/AadiDev005)) [SIG Apps and Autoscaling]
+- Increased the coverage to 89.8%. ([#132607](https://github.com/kubernetes/kubernetes/pull/132607), [@ylink-lfs](https://github.com/ylink-lfs))
+- Kube-apiserver: Fixed an issue where passing invalid `DeleteOptions` incorrectly returned a 500 status instead of 400. ([#133358](https://github.com/kubernetes/kubernetes/pull/133358), [@ostrain](https://github.com/ostrain))
+- Kubeadm: Updated the supported `etcd` version to `v3.5.23` for supported control plane versions `v1.31`, `v1.32`, and `v1.33`. ([#134692](https://github.com/kubernetes/kubernetes/pull/134692), [@joshjms](https://github.com/joshjms)) [SIG Cluster Lifecycle and Etcd]
+- Kubeadm: stopped applying the `--pod-infra-container-image` flag for the kubelet. The flag has been deprecated and no longer served a purpose in the kubelet as the logic was migrated to CRI (Container Runtime Interface). During upgrade, kubeadm will attempt to remove the flag from the file `/var/lib/kubelet/kubeadm-flags.env`. ([#133778](https://github.com/kubernetes/kubernetes/pull/133778), [@carlory](https://github.com/carlory)) [SIG Cloud Provider and Cluster Lifecycle]
+- Migrated the `CPUManager` to contextual logging. ([#125912](https://github.com/kubernetes/kubernetes/pull/125912), [@ffromani](https://github.com/ffromani))
+- Moved Types in `k/k/pkg/scheduler/framework`:
+  `Handle`,
+  `Plugin`,
+  `PreEnqueuePlugin`, `QueueSortPlugin`, `EnqueueExtensions`, `PreFilterExtensions`, `PreFilterPlugin`, `FilterPlugin`, `PostFilterPlugin`, `PreScorePlugin`, `ScorePlugin`, `ReservePlugin`, `PreBindPlugin`, `PostBindPlugin`, `PermitPlugin`, `BindPlugin`,
+  `PodActivator`, `PodNominator`, `PluginsRunner`,
+  `LessFunc`, `ScoreExtensions`, `NodeToStatusReader`, `NodeScoreList`, `NodeScore`, `NodePluginScores`, `PluginScore`, `NominatingMode`, `NominatingInfo`, `WaitingPod`, `PreFilterResult`, `PostFilterResult`,
+  `Extender`,
+  `NodeInfoLister`, `StorageInfoLister`, `SharedLister`, `ResourceSliceLister`, `DeviceClassLister`, `ResourceClaimTracker`, `SharedDRAManager`
+  
+  to package `k8s.io/kube-scheduler/framework`. Users should update import paths. The interfaces don't change.
+  
+  Type `Parallelizer` in `k/k/pkg/scheduler/framework/parallelism` has been split into interface `Parallelizer` (in `k8s.io/kube-scheduler/framework`) and `struct Parallelizer` (location unchanged in k/k). Plugin developers should update the import path to staging repo. ([#133172](https://github.com/kubernetes/kubernetes/pull/133172), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Release, Scheduling, Storage and Testing]
+- Moved the CPU Manager static policy option `strict-cpu-reservation` to the GA version. ([#134388](https://github.com/kubernetes/kubernetes/pull/134388), [@psasnal](https://github.com/psasnal))
+- Promoted the Topology Manager policy option `max-allowable-numa-nodes` to GA version. ([#134614](https://github.com/kubernetes/kubernetes/pull/134614), [@ffromani](https://github.com/ffromani))
+- Reduced event spam during volume operation errors in the Portworx in-tree driver. ([#135081](https://github.com/kubernetes/kubernetes/pull/135081), [@gohilankit](https://github.com/gohilankit))
+- Removed `rsync` as a dependency to build Kubernetes. ([#134656](https://github.com/kubernetes/kubernetes/pull/134656), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release and Testing]
+- Removed container name from messages for container created and started events. ([#134043](https://github.com/kubernetes/kubernetes/pull/134043), [@HirazawaUi](https://github.com/HirazawaUi))
+- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/dra` in favor of `google.golang.org/protobuf`. ([#133026](https://github.com/kubernetes/kubernetes/pull/133026), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery and Node]
+- Removed general available feature-gate `SizeMemoryBackedVolumes`. ([#133720](https://github.com/kubernetes/kubernetes/pull/133720), [@carlory](https://github.com/carlory)) [SIG Node, Storage and Testing]
+- Removed the `ComponentSLIs` feature gate, as it was promoted to stable in the Kubernetes `v1.32` release. ([#133742](https://github.com/kubernetes/kubernetes/pull/133742), [@carlory](https://github.com/carlory)) [SIG Architecture and Instrumentation]
+- Removed the `KUBECTL_OPENAPIV3_PATCH` environment variable, as aggregated discovery has been stable since `v1.30`. ([#134130](https://github.com/kubernetes/kubernetes/pull/134130), [@ardaguclu](https://github.com/ardaguclu))
+- Removed the `UserNamespacesPodSecurityStandards` feature gate. The minimum supported Kubernetes version for `kubelet` is now `v1.31`, so the gate is no longer needed. ([#132157](https://github.com/kubernetes/kubernetes/pull/132157), [@haircommander](https://github.com/haircommander)) [SIG Auth, Node and Testing]
+- Removed the `VolumeAttributesClass` resource from the `storage.k8s.io/v1alpha1` API in `v1.35`. ([#134625](https://github.com/kubernetes/kubernetes/pull/134625), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Etcd, Storage and Testing]
+- Specified the deprecated version of `apiserver_storage_objects` metric in metrics docs. ([#134028](https://github.com/kubernetes/kubernetes/pull/134028), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Etcd and Instrumentation]
+- Substantially simplified building Kubernetes by making the process run a pre-built container image directly without running `rsyncd`. ([#134510](https://github.com/kubernetes/kubernetes/pull/134510), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release and Testing]
+- Tests: Switched to https://go.dev/doc/go1.25#container-aware-gomaxprocs from `go.uber.org/automaxprocs`. ([#133492](https://github.com/kubernetes/kubernetes/pull/133492), [@BenTheElder](https://github.com/BenTheElder))
+- The `AggregatedDiscoveryRemoveBetaType` feature gate was deprecated and locked to `true`. ([#134230](https://github.com/kubernetes/kubernetes/pull/134230), [@Jefftree](https://github.com/Jefftree))
+- The `SystemdWatchdog` feature gate has been locked to default and will be removed in future release. The systemd watchdog functionality in `kubelet` can be enabled via systemd without any feature gate configuration. See the [systemd watchdog documentation](https://kubernetes.io/docs/reference/node/systemd-watchdog/) for more information. ([#134691](https://github.com/kubernetes/kubernetes/pull/134691), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev))
+- Updated CNI plugins to v1.8.0. ([#133837](https://github.com/kubernetes/kubernetes/pull/133837), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider, Node and Testing]
+- Updated `etcd` to `v3.6.5`. ([#134251](https://github.com/kubernetes/kubernetes/pull/134251), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- Updated `kubectl auth reconcile` to retry reconciliation when a conflict error occurs. ([#133323](https://github.com/kubernetes/kubernetes/pull/133323), [@liggitt](https://github.com/liggitt)) [SIG Auth and CLI]
+- Updated `kubectl get` and `kubectl describe` human-readable output to no longer show counts for referenced tokens and secrets. ([#117160](https://github.com/kubernetes/kubernetes/pull/117160), [@liggitt](https://github.com/liggitt)) [SIG CLI and Testing]
+- Updated cri-tools to v1.34.0. ([#133636](https://github.com/kubernetes/kubernetes/pull/133636), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider]
+- Updated the Go version of Kubernetes to `1.25.3`. ([#134598](https://github.com/kubernetes/kubernetes/pull/134598), [@BenTheElder](https://github.com/BenTheElder))
+- Updated the `/statusz` page for `kube-proxy` to include a list of exposed endpoints, making debugging and introspection easier. ([#133190](https://github.com/kubernetes/kubernetes/pull/133190), [@aman4433](https://github.com/aman4433)) [SIG Network and Node]
+- Updated the `kubectl wait` command description by removing the `Experimental` prefix, as the command has been stable for a long time. ([#133731](https://github.com/kubernetes/kubernetes/pull/133731), [@ardaguclu](https://github.com/ardaguclu))
+- Updated the etcd client library to `v3.6.5`. ([#134780](https://github.com/kubernetes/kubernetes/pull/134780), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
+- Updated the short description of the `kubectl wait` command by removing the `Experimental` prefix, as the command has been stable for a long time. ([#133907](https://github.com/kubernetes/kubernetes/pull/133907), [@ardaguclu](https://github.com/ardaguclu))
+- Upgraded CoreDNS to v1.12.4. ([#133968](https://github.com/kubernetes/kubernetes/pull/133968), [@yashsingh74](https://github.com/yashsingh74)) [SIG Cloud Provider and Cluster Lifecycle]
+- Upgraded `CoreDNS` to `v1.12.3`. ([#132288](https://github.com/kubernetes/kubernetes/pull/132288), [@thevilledev](https://github.com/thevilledev)) [SIG Cloud Provider and Cluster Lifecycle]
+- `kubeadm`: Removed the `WaitForAllControlPlaneComponents` feature gate, which graduated to GA in `v1.34` and was locked to enabled by default. ([#134781](https://github.com/kubernetes/kubernetes/pull/134781), [@neolit123](https://github.com/neolit123))
+- `kubeadm`: Updated the supported etcd version to `v3.5.24` for control plane versions `v1.32`, `v1.33`, and `v1.34`. ([#134779](https://github.com/kubernetes/kubernetes/pull/134779), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- `etcd: Update etcd to `v3.6.6`. (#135271, @bzsuni) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- Fix a bug in the kube-apiserver where a malformed Service without name can cause high CPU usage. The bug is present on the new Cluster IP allocators enabled with the feature MultiCIDRServiceAllocator (enabled by default since 1.33)
+
+
+## Dependencies
+
+### Added
+- cyphar.com/go-pathrs: v0.2.1
+- github.com/Masterminds/semver/v3: [v3.4.0](https://github.com/Masterminds/semver/tree/v3.4.0)
+- github.com/gkampitakis/ciinfo: [v0.3.2](https://github.com/gkampitakis/ciinfo/tree/v0.3.2)
+- github.com/gkampitakis/go-diff: [v1.3.2](https://github.com/gkampitakis/go-diff/tree/v1.3.2)
+- github.com/gkampitakis/go-snaps: [v0.5.15](https://github.com/gkampitakis/go-snaps/tree/v0.5.15)
+- github.com/goccy/go-yaml: [v1.18.0](https://github.com/goccy/go-yaml/tree/v1.18.0)
+- github.com/joshdk/go-junit: [v1.0.0](https://github.com/joshdk/go-junit/tree/v1.0.0)
+- github.com/maruel/natural: [v1.1.1](https://github.com/maruel/natural/tree/v1.1.1)
+- github.com/mfridman/tparse: [v0.18.0](https://github.com/mfridman/tparse/tree/v0.18.0)
+- github.com/moby/sys/atomicwriter: [v0.1.0](https://github.com/moby/sys/tree/atomicwriter/v0.1.0)
+- github.com/tidwall/gjson: [v1.18.0](https://github.com/tidwall/gjson/tree/v1.18.0)
+- github.com/tidwall/match: [v1.1.1](https://github.com/tidwall/match/tree/v1.1.1)
+- github.com/tidwall/pretty: [v1.2.1](https://github.com/tidwall/pretty/tree/v1.2.1)
+- github.com/tidwall/sjson: [v1.2.5](https://github.com/tidwall/sjson/tree/v1.2.5)
+- go.uber.org/automaxprocs: v1.6.0
+- golang.org/x/tools/go/expect: v0.1.1-deprecated
+- golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
+
+### Changed
+- cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
+- github.com/aws/aws-sdk-go-v2/config: [v1.27.24 → v1.29.14](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.24...config/v1.29.14)
+- github.com/aws/aws-sdk-go-v2/credentials: [v1.17.24 → v1.17.67](https://github.com/aws/aws-sdk-go-v2/compare/credentials/v1.17.24...credentials/v1.17.67)
+- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: [v1.16.9 → v1.16.30](https://github.com/aws/aws-sdk-go-v2/compare/feature/ec2/imds/v1.16.9...feature/ec2/imds/v1.16.30)
+- github.com/aws/aws-sdk-go-v2/internal/configsources: [v1.3.13 → v1.3.34](https://github.com/aws/aws-sdk-go-v2/compare/internal/configsources/v1.3.13...internal/configsources/v1.3.34)
+- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: [v2.6.13 → v2.6.34](https://github.com/aws/aws-sdk-go-v2/compare/internal/endpoints/v2/v2.6.13...internal/endpoints/v2/v2.6.34)
+- github.com/aws/aws-sdk-go-v2/internal/ini: [v1.8.0 → v1.8.3](https://github.com/aws/aws-sdk-go-v2/compare/internal/ini/v1.8.0...internal/ini/v1.8.3)
+- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: [v1.11.3 → v1.12.3](https://github.com/aws/aws-sdk-go-v2/compare/service/internal/accept-encoding/v1.11.3...service/internal/accept-encoding/v1.12.3)
+- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: [v1.11.15 → v1.12.15](https://github.com/aws/aws-sdk-go-v2/compare/service/internal/presigned-url/v1.11.15...service/internal/presigned-url/v1.12.15)
+- github.com/aws/aws-sdk-go-v2/service/sso: [v1.22.1 → v1.25.3](https://github.com/aws/aws-sdk-go-v2/compare/service/sso/v1.22.1...service/sso/v1.25.3)
+- github.com/aws/aws-sdk-go-v2/service/ssooidc: [v1.26.2 → v1.30.1](https://github.com/aws/aws-sdk-go-v2/compare/service/ssooidc/v1.26.2...service/ssooidc/v1.30.1)
+- github.com/aws/aws-sdk-go-v2/service/sts: [v1.30.1 → v1.33.19](https://github.com/aws/aws-sdk-go-v2/compare/service/sts/v1.30.1...service/sts/v1.33.19)
+- github.com/aws/aws-sdk-go-v2: [v1.30.1 → v1.36.3](https://github.com/aws/aws-sdk-go-v2/compare/v1.30.1...v1.36.3)
+- github.com/aws/smithy-go: [v1.20.3 → v1.22.3](https://github.com/aws/smithy-go/compare/v1.20.3...v1.22.3)
+- github.com/containerd/containerd/api: [v1.8.0 → v1.9.0](https://github.com/containerd/containerd/compare/api/v1.8.0...api/v1.9.0)
+- github.com/containerd/ttrpc: [v1.2.6 → v1.2.7](https://github.com/containerd/ttrpc/compare/v1.2.6...v1.2.7)
+- github.com/containerd/typeurl/v2: [v2.2.2 → v2.2.3](https://github.com/containerd/typeurl/compare/v2.2.2...v2.2.3)
+- github.com/coredns/corefile-migration: [v1.0.26 → v1.0.29](https://github.com/coredns/corefile-migration/compare/v1.0.26...v1.0.29)
+- github.com/cyphar/filepath-securejoin: [v0.4.1 → v0.6.0](https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...v0.6.0)
+- github.com/docker/docker: [v26.1.4+incompatible → v28.2.2+incompatible](https://github.com/docker/docker/compare/v26.1.4...v28.2.2)
+- github.com/go-logr/logr: [v1.4.2 → v1.4.3](https://github.com/go-logr/logr/compare/v1.4.2...v1.4.3)
+- github.com/google/cadvisor: [v0.52.1 → v0.53.0](https://github.com/google/cadvisor/compare/v0.52.1...v0.53.0)
+- github.com/google/pprof: [d1b30fe → 27863c8](https://github.com/google/pprof/compare/d1b30fe...27863c8)
+- github.com/onsi/ginkgo/v2: [v2.21.0 → v2.27.2](https://github.com/onsi/ginkgo/compare/v2.21.0...v2.27.2)
+- github.com/onsi/gomega: [v1.35.1 → v1.38.2](https://github.com/onsi/gomega/compare/v1.35.1...v1.38.2)
+- github.com/opencontainers/cgroups: [v0.0.1 → v0.0.3](https://github.com/opencontainers/cgroups/compare/v0.0.1...v0.0.3)
+- github.com/opencontainers/runc: [v1.2.5 → v1.3.0](https://github.com/opencontainers/runc/compare/v1.2.5...v1.3.0)
+- github.com/opencontainers/runtime-spec: [v1.2.0 → v1.2.1](https://github.com/opencontainers/runtime-spec/compare/v1.2.0...v1.2.1)
+- github.com/opencontainers/selinux: [v1.11.1 → v1.13.0](https://github.com/opencontainers/selinux/compare/v1.11.1...v1.13.0)
+- github.com/prometheus/client_golang: [v1.22.0 → v1.23.2](https://github.com/prometheus/client_golang/compare/v1.22.0...v1.23.2)
+- github.com/prometheus/client_model: [v0.6.1 → v0.6.2](https://github.com/prometheus/client_model/compare/v0.6.1...v0.6.2)
+- github.com/prometheus/common: [v0.62.0 → v0.66.1](https://github.com/prometheus/common/compare/v0.62.0...v0.66.1)
+- github.com/prometheus/procfs: [v0.15.1 → v0.16.1](https://github.com/prometheus/procfs/compare/v0.15.1...v0.16.1)
+- github.com/rogpeppe/go-internal: [v1.13.1 → v1.14.1](https://github.com/rogpeppe/go-internal/compare/v1.13.1...v1.14.1)
+- github.com/spf13/cobra: [v1.9.1 → v1.10.0](https://github.com/spf13/cobra/compare/v1.9.1...v1.10.0)
+- github.com/spf13/pflag: [v1.0.6 → v1.0.9](https://github.com/spf13/pflag/compare/v1.0.6...v1.0.9)
+- github.com/stretchr/testify: [v1.10.0 → v1.11.1](https://github.com/stretchr/testify/compare/v1.10.0...v1.11.1)
+- go.etcd.io/bbolt: v1.4.2 → v1.4.3
+- go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
+- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
+- go.opentelemetry.io/otel/metric: v1.35.0 → v1.36.0
+- go.opentelemetry.io/otel/sdk/metric: v1.34.0 → v1.36.0
+- go.opentelemetry.io/otel/sdk: v1.34.0 → v1.36.0
+- go.opentelemetry.io/otel/trace: v1.35.0 → v1.36.0
+- go.opentelemetry.io/otel: v1.35.0 → v1.36.0
+- go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
+- golang.org/x/crypto: v0.36.0 → v0.45.0
+- golang.org/x/mod: v0.21.0 → v0.29.0
+- golang.org/x/net: v0.38.0 → v0.47.0
+- golang.org/x/oauth2: v0.27.0 → v0.30.0
+- golang.org/x/sync: v0.12.0 → v0.18.0
+- golang.org/x/sys: v0.31.0 → v0.38.0
+- golang.org/x/telemetry: bda5523 → 078029d
+- golang.org/x/term: v0.30.0 → v0.37.0
+- golang.org/x/text: v0.23.0 → v0.31.0
+- golang.org/x/tools: v0.26.0 → v0.38.0
+- google.golang.org/genproto/googleapis/rpc: a0af3ef → 200df99
+- google.golang.org/grpc: v1.72.1 → v1.72.2
+- google.golang.org/protobuf: v1.36.5 → v1.36.8
+- gopkg.in/evanphx/json-patch.v4: v4.12.0 → v4.13.0
+- k8s.io/gengo/v2: 85fd79d → ec3ebc5
+- k8s.io/kube-openapi: f3f2b99 → 589584f
+- k8s.io/system-validators: v1.10.1 → v1.12.1
+- k8s.io/utils: 4c0f3b2 → bc988d5
+- sigs.k8s.io/json: cfa47c3 → 2d32026
+
+### Removed
+- gopkg.in/yaml.v2: v2.4.0
+
+
+
+# v1.35.0-rc.1
+
+
+## Downloads for v1.35.0-rc.1
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes.tar.gz) | 6b08badb1402c5a4d5e83e14bc64e464c7bd8bbdd9473ea1b501b7bf04ac9f53d2ac23a5f70761cc03024bd046c329253d2914af9225530755bcbc06d7459616
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-src.tar.gz) | 35d2827a2bb7b01162c506d7a15392c72c6537f9f1570ade160bc286ad9a409e0830d32e7ea5ae8191bb6435859826d2d5ec56255a29fe279aee3517239cb9a6
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-darwin-amd64.tar.gz) | 85f9f154296b0579444ee9ff43f74ad616ef52e453782da8dd10f5150d1fb6f1d71151b7525fe5784142f930fb9fe9bfbc395277b5a088d3bc892c9415e15611
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-darwin-arm64.tar.gz) | 2811a1b3901c9a82cb042e4b4c4bc4d75ea0d894b42e7f7c63b25b5df8d26b5ff2bfd0ee819b9cb8e946a2bac90ac4dfb649c692f054fb290e08516966384d0b
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-386.tar.gz) | aed99699ba9f635d1e073061ab89b7ee80744cb56a4aa078ad6afc5670483db456fcc6a544bf34b95a4a3c8f25938898b093d7d279120063688f0406efaf37f9
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-amd64.tar.gz) | 607724204e2b3265f25d12cda5397c4943e8df4ae66efe2f5cf2582b7aa1c9fc9a60c61a193aef8ae1ee5b3d261146f5cc9956de873d82864979ef19c70c48c7
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-arm.tar.gz) | 378770b5529ce39fbdbb1d39c4a966ad96c03523411e5f830ac2e86e67e23518de534f148838903561de5a7db6f852f532ad7a0799514b72892fea0362f3c635
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-arm64.tar.gz) | 357f66e108d651d0a77d61f9f0da286f5c8d312d6f320174dab42cd6aae69ecdf24e081f5bdcbc6313d2688c2585009348766f7a0eed58f23f8eda898d3e7081
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-ppc64le.tar.gz) | ac9d343138f01a1d6fa986ef684938686e7ac656f8b8b1b5c1a75894e2c98f7f36754eef15a95b20c0812c5a62d775a285c4e015b5eca9bc4e937b9f44b7a537
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-linux-s390x.tar.gz) | b12631a0bb8c2f9e28ca855302a57ab4bffb2db4105668cf16635193cada26bd0aa63f80428835339f42eea13839d1990f171276697eb00f9cbe5d8edae434f0
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-windows-386.tar.gz) | 5b1849523011be7f569f17f42250a98a2513caa7652c3055712bace9ba440ab4e38d4f5bceb6e89158f4f3008a836fcee765ef9af818ba6cb07296ef8467cf02
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-windows-amd64.tar.gz) | fb95a54326565bcc3458fa0a876d5f457e5218eafa349f9cee3db93982c30482b8fe57d0f43a2be89e4816382a5efc97b95fae069bc2ed8f19b6ac253e46790a
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-client-windows-arm64.tar.gz) | 465a7fe0e87dd3dc0b22d3881bbe4c33e706ca53a512a981afd49bccdd5d638a818cabb84dbc5796b54ce97d045bbaf466c0cbf46f809bb5a31d64117386a0c7
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-server-linux-amd64.tar.gz) | c6728d534c85e11a58dea5ca830541efde07f390586ca77f7f59308179b677f3f3f28492e1c26314adf79e800b7690a1b0d5ac5670d18282064bc4fbb4093b05
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-server-linux-arm64.tar.gz) | 6b9eb6d36179bef49b8f4f276f1ffe03552876e46c9477129b6e9a690c38e7343e0430e22fbbfaccab83c3879282e6994cdaca47a709267617a84e3143b4598e
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-server-linux-ppc64le.tar.gz) | 946b9b5d817437258a77e6b3fcf674c0c9adb0a5b4cc2aa3f68f8364c7916016d6811a9596221801f570018f3976ae456eb01a6ad871fb5461daebfd1c2ff589
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-server-linux-s390x.tar.gz) | 5d5c22a1149d5c741b5c37710a97a84b2f9f45ccc9b8457408233a6a7c5fc20c3a2bbf92b68f135630308991cdc463559cdad6131fa6c9e0ad5cfdca7933cdc2
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-node-linux-amd64.tar.gz) | 269725e2afd028e6eb8a3d12605789f6a5715a0bf9cf477df689bdc9f9b164f0fd32c3007b16ffee17c5234f6fff17ff9096396892e71155074a3499e9480088
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-node-linux-arm64.tar.gz) | 37472ba5b63177bcb9430b761f1d4df459771cab2bf9448f69fa5abe0dc4f2e0a26bd6b9c8d747d37e05e8e0263736ca4150a624cecf03938aacd4e98929d03d
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-node-linux-ppc64le.tar.gz) | 25dce33f916a55d27f825902fc7776735a5ddfd0e86555b193d431eab54781d52fff9c41dafcf5a845e79f0153d515b014cb8a5c21179c82e96321851109195c
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-node-linux-s390x.tar.gz) | 16e22350e2871ea0d42668bb9c1487b2c5a6e6b436c78d1f986f68bc0312d340ab0285aca7f619322e3238cf9ee90f5425e49dc018e53069e5b0cd092bdd28a2
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.1/kubernetes-node-windows-amd64.tar.gz) | 1b4aab8eb20bd974c7585ba55a5caeb43174afbef738e1bb99fd51fd228b800c943c4a8f0204ef935c733b15cab52ae0ae2a9a7da9299387be272932b1c54c9e
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-rc.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.35.0-rc.0
+
+## Changes by Kind
+
+### Feature
+
+- Kubernetes is now built using Go 1.25.5 ([#135609](https://github.com/kubernetes/kubernetes/pull/135609), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
+
+### Bug or Regression
+
+- Fix a bug in the kube-apiserver where a malformed Service without name can cause high CPU usage. The bug is present on the new Cluster IP allocators enabled with the feature MultiCIDRServiceAllocator (enabled by default since 1.33) ([#135499](https://github.com/kubernetes/kubernetes/pull/135499), [@aojea](https://github.com/aojea)) [SIG Testing]
+- Fixes a bug where MutatingAdmissionPolicy would fail to apply to objects with duplicate list items (like env vars). ([#135560](https://github.com/kubernetes/kubernetes/pull/135560), [@lalitc375](https://github.com/lalitc375)) [SIG API Machinery]
+- K8s.io/client-go: Fixes a regression in 1.34+ which prevented informers from using configured Transformer functions ([#135580](https://github.com/kubernetes/kubernetes/pull/135580), [@serathius](https://github.com/serathius)) [SIG API Machinery]
+
+### Other (Cleanup or Flake)
+
+- Etcd: Update etcd to v3.6.6 ([#135271](https://github.com/kubernetes/kubernetes/pull/135271), [@bzsuni](https://github.com/bzsuni)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+- golang.org/x/crypto: v0.41.0 → v0.45.0
+- golang.org/x/mod: v0.28.0 → v0.29.0
+- golang.org/x/net: v0.43.0 → v0.47.0
+- golang.org/x/sync: v0.17.0 → v0.18.0
+- golang.org/x/sys: v0.37.0 → v0.38.0
+- golang.org/x/telemetry: 1a19826 → 078029d
+- golang.org/x/term: v0.36.0 → v0.37.0
+- golang.org/x/text: v0.29.0 → v0.31.0
+- golang.org/x/tools: v0.36.0 → v0.38.0
+
+### Removed
+_Nothing has changed._
+
+
+
+# v1.35.0-rc.0
+
+
+## Downloads for v1.35.0-rc.0
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes.tar.gz) | ef5c549823abd93a260ef90bd282362015e8e7e4f079bb59acc3104191bed88eed98638726866ef9d5e56849cbe58b641e7ebaf0d247c0088deaae81141b4007
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-src.tar.gz) | 906dbf942d446b9ffaa56dc31024dd496c609599a5391c81891ed2223c60017eec879de2d68d8ac5003e05c03cdaf5584186b3303291ce81885ec1875e24748c
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-darwin-amd64.tar.gz) | f771e62019fc1cba671015aca0efaf24492598d8200330672e61525a0cd56d406ce53bde56ed1bbdfac4b1ac09e8b4820ce9d612904cf9169f075010a81f3548
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-darwin-arm64.tar.gz) | 74c1b281351df048797db693cb0fe01dc4646d7884b1588e80184fb41ef83bb6016d095e0266eb7993fc2e75d54df6bcf4b8909f6c1e0a7245afb457a6f17516
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-386.tar.gz) | ca6b1747442056c10cbc838ffaca3ace45d7fc773183d526aaec728bb322370f2cc05b2b7304dc19434b40d1fb3b39f7e4eb1930cc9952ac27abccf260968737
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-amd64.tar.gz) | c9e5e3aa9df4e8c2f1253e4f72cdea94a8deae601b5df0b2cbdac4babdd2d2ac85191c908453bca40a2a0b44247dbb18ef1b5a7751c16660f9487391ed8dacad
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-arm.tar.gz) | 167490337b040849d953de5aa32e3c5491f4d6225fc0c5c86ff6ef9820f61e189f91da26831ee2d910749b38331ec1a73ff820bc29497939935e1f1b3462bf9a
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-arm64.tar.gz) | 21d7091f25a112e6f940bc1a047294a2c6cd03a8b52c3cfb7ac024460d21ad5ab0a5aea448ec705ed3c5f0619d512a132051eea492e7d7ae008716abbab51a24
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-ppc64le.tar.gz) | b4a1b9c03f7de8e0e2c89b1c32fcd4347a287eb62fe21bc8b4d6abafc3ae30559173bd070b5ddcb94038bc7d980e09d946a131ef0191ce2febbadffd1621143e
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-linux-s390x.tar.gz) | 737916148885ade333cbd5c7f927d32e30bb6f6bfe78db8c3c00c05c82d0a6ea5255a6c85b256acb14dc2b322e79e0af6bfa4f2ee055625da0b7ba29f99c847b
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-windows-386.tar.gz) | aa6b19469d3268235012a4a6a2f3d6ee3d56734b083133c213fa7064afef6f3caecadf9a714b6905ba69c22f0103eb44135e51a00907e4ddd1856c14b988ea58
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-windows-amd64.tar.gz) | 7d7c7edc9e67fecdb0d2a96992933acf2e4d68680ea20349af3feabf449072130de99a9aad6e03ca47806c1e10415de4fb69e56e8f73293fde96eb27bf02a71b
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-client-windows-arm64.tar.gz) | c5302ca43bbf8ba1f2f4d89f561edb53c4a6021d084593524a20418dff20c6f4f0052ad85a230961b208a40ca89d4daa64852e9730ce2350932e4d9e369f1621
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-server-linux-amd64.tar.gz) | 5aa98c85cefbdc12c7816add8c5eb40438e39779fc96cd0606b21ab89c4d0af354168572f39787cc3f3ef471862d543b1804d433f76f52191490498aa4670255
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-server-linux-arm64.tar.gz) | 0942d2aee9638b32a976dc623269332d1f82feb0dc601e009fe97a8179cd23704fdd3ccecb3ecb51cea1abf57bee89d60707b1e69679580e1534ab4222820b01
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-server-linux-ppc64le.tar.gz) | 76a9351112c6f40752f3c2526bcc3fbb100f7e577ca7746644087c386f4e38f01f12b6306a329ec3bcbfc33ce244db95fd3035cc2c37dc32920181f26b7cf78b
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-server-linux-s390x.tar.gz) | bb70ad37cd30db82afa9dbd2b6a221f7ed43d6ec54c8a22ff852c5ac5364f2abc7c30db26640d42ba3e265dff70607f5dde86075fe841fe13500c811000ba0bc
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-node-linux-amd64.tar.gz) | dcb41e49aed2c0c686c283a721a509d1d72f8cda4ad15216cdf6f65b48b7ba803a88a22aa2dc2bb35c4ffcc329f9184638423e3b0e0e5edd0142ed05922617d1
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-node-linux-arm64.tar.gz) | e91bcc56eea9d07aa65b2e855d9b15c6b480c05bc9581cd3aed740d3fe712b064cd9a9dd1baea27e0678747179bd76752ccdf510cc4855764f38b78cf2d9ebdf
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-node-linux-ppc64le.tar.gz) | 7870ee543c2a131451eaaa7b62e7292045e5ee0d4cd592c385a81170d1787835883d58326adabe201df9f920d2bedc8a1c59714b541dabe4f8ee4b9491bbdd23
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-node-linux-s390x.tar.gz) | d8265447f63f2466b0d890b3f37918b70cadec0a3e0682f5410414d5456403e992dc859129447b02980b544ddb43cb6feef421d95d29ec5c2bd3fba8811884ca
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-rc.0/kubernetes-node-windows-amd64.tar.gz) | 8cbb1c7fd68dc474fbb88baaf4f169d9adf3ee177a963be3927c51bc08ab19ca5f1cb6a20fc45b52eba8c95b8abdf884d9f140dfacf4b64bfc5f3bf3540cd481
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-rc.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.35.0-beta.0
+
+## Changes by Kind
+
+### Feature
+
+- Kubernetes is now built using Go 1.25.4 ([#135492](https://github.com/kubernetes/kubernetes/pull/135492), [@cpanato](https://github.com/cpanato)) [SIG Release and Testing]
+
+### Bug or Regression
+
+- Fixes a spurious "namespace not found" error possible in default configurations in 1.30+ when using ValidatingAdmissionPolicy or MutatingAdmissionPolicy to intercept namespaced objects in newly-created namespaces ([#135359](https://github.com/kubernetes/kubernetes/pull/135359), [@liggitt](https://github.com/liggitt)) [SIG API Machinery]
+- Kube-apiserver: Fixes spurious warning log messages about enabled alpha APIs while starting API server ([#135327](https://github.com/kubernetes/kubernetes/pull/135327), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery]
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+_Nothing has changed._
+
+### Removed
+_Nothing has changed._
+
+
+
+# v1.35.0-beta.0
+
+
+## Downloads for v1.35.0-beta.0
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes.tar.gz) | 17fae05597b73bf8ed2c14bfbc7d863e6ca470877be12a510cb354bcaf4fa5f9b15b3702e45d231efe9f4865f687bf8d1ace312b4e0a15442a14c9997f1caa07
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-src.tar.gz) | a51fcd8dbe8097f1890931435bdeaf9c1aa31ae3c55ae6abeb504aa881c3e125ecb72af7518a9d3d38ffe67fbcffc6f1dd9e1e456218856ba2f25ec4d466f339
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-darwin-amd64.tar.gz) | 50e6712a9d2a35d782ac0ddb22eb0799fdceca6c434c5ebe446e9f49bf9b7612cd3af3f31af211d8364d128d8b75f87ba9e61466aa7c6552416c50c14b08dd78
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-darwin-arm64.tar.gz) | c181381e2554d20b5ffbe024b33b8593800491bccceb98eaacc25fbc9ef44be4c360ec59603b857b730670c6cdcfe8d8428b790e1413d402f699c6579877ed4a
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-386.tar.gz) | 26fcb99525560328c9ab1e856741e3eb6aecbb3fc8e9adf72daaeb0f6c57058e61989f696ad866a0f9b1a43098914933bed142077754e0bd82bd2054965fe44a
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-amd64.tar.gz) | d6118e683ea4a64b1812a0eb0374678879a0b0b37868bd8b43517e5961a46b36f9addfbdbd84aa87e6dd4510afa644102140ec727bef3143788e2c97f23cc318
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-arm.tar.gz) | cafd385adecb9ed43201df1c5206f127177fbef0345972a5492c62eb4304c8666eafc1bffa9fb54f530d4258d8f7aaded83f08efaab5391bf92ac50a4d53122f
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-arm64.tar.gz) | bb7d2281b2b9f02ae61a9607d932873a2dfd1ed551c79209a55feba88219093c8594c03c3915e87f7d847c6e59cf75625123dce8f367c34bb16d4e0ad5681f22
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-ppc64le.tar.gz) | 198e2102eb0b24e6c6b406ceb8cce6803154c3e68bef5ace7583683cd49d09b6a8ecbd2ca8f1d105a6454b8550b1d6132e65e618dd0ac49c9d36494af24e3ecb
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-linux-s390x.tar.gz) | 6e81675b8b523aa1df9f4599548f92bc990a2dbe6ab4f6a4039477e237f2e6286a19e2786ba436bada30969cd5b2f3fd2fb8bc16a41943fcf6865f8b6b690f67
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-windows-386.tar.gz) | 0a68cd18169b4f269766aaff195b07fef44418f6e108ce47f6ce445407a28c1ff27cde4ef015bb01affd2309044a5ef86392132112681edfd5fe2e1632e99862
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-windows-amd64.tar.gz) | d64bba50e7878fb1bc89dd31e9c4a2796364d2226fcfb14964ca2783d18fe482824b6cd0a4b842076998db1794c6a5e33d78fd3bd2d5ae696ab438d4c7207114
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-client-windows-arm64.tar.gz) | c1820e5be65918d6278ed8897059c5d87d8faa8640a5a7bab7f28822d2af19f1dbba650069a469b8eb955353d9c47a7f3098e9c7598f7f1272d08e4edba5bff8
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-server-linux-amd64.tar.gz) | f57c7fb934e0261f71fa7f2e219730cc977367bd015a0572d4446f28c9a70e89f641d029d206d27238c7fa27ba166a6c1e81e129b583e8c1555513d5360fabf0
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-server-linux-arm64.tar.gz) | 1d5b399f921da76ba0f88c9c28a64880a7be32c017fefd961939c3538e0361cd08f1d7bb38b09982600c5d09711a89c13ee757363d3f10101ee0b1775c85f97e
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-server-linux-ppc64le.tar.gz) | 1b6dbe8765ad8f740e699b842447d513b3b4e0a685db8380a3f38fc89efd3b962b0ec3026e6df55ac4c3cadc0120577d34e4cf5c10311fd1d2bcde9bc47ba844
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-server-linux-s390x.tar.gz) | dd0213e41f26158f3cb9a589ca68211d4d68ca2cc9346726361f609b896b4b8975274dd53d3e7561c1f61178bd9aef69c156a435b530def48c215e2d03d18414
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-node-linux-amd64.tar.gz) | 7c43a88e1b86871d5f76d3d3fed4c458aedcb7d41f3dd944f08a24087b6e0703b2ce8c4d34ee2625de18d75b5bfbc36f5ab6da5158e69ba929cd1cf9f0a205cc
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-node-linux-arm64.tar.gz) | 0fbca961eead65de9401ff6211792f27f845003bb5d91655299b3d0c05dc805eca0ade4e0caf784d561734e1ba15ac1112efd92a439953835730a866c92f2205
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-node-linux-ppc64le.tar.gz) | c9bbfcb37f32d267e00067b7334b5a961e875be5776a941ef84a2b2a9d8ee7f2bd97998a789b2180809a9869dbbfa52ef3b5c154447207a83c1de4fa07ed7b05
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-node-linux-s390x.tar.gz) | 32b416cc48008e5c1b34af1205a880f8c43a194c264451222bb6281ffa894e4267d2ebdd49e4b08731a44274f5bd7c7ff54733dfd6aaa5df89ac57c12bc50073
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-beta.0/kubernetes-node-windows-amd64.tar.gz) | 90eb6f5b268eacadeba1be60f2765740c77a65b3f2b357cec8814a225c26bb8a60341b1c515c0867abf119f3522c7d90281a5490ed7c8926c2ecb7c8ec0b4fe9
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-beta.0](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.35.0-alpha.3
+
+## Changes by Kind
+
+### API Change
+
+- Add scoring for the prioritized list feature so that the node that can satisfy the best ranked subrequests are chosen. ([#134711](https://github.com/kubernetes/kubernetes/pull/134711), [@mortent](https://github.com/mortent)) [SIG Node, Scheduling and Testing]
+- Allows restart all containers when the source container exits with a matching restart policy rule. This is an alpha feature behind feature gate RestartAllContainersOnContainerExit. ([#134345](https://github.com/kubernetes/kubernetes/pull/134345), [@yuanwang04](https://github.com/yuanwang04)) [SIG Apps, Node and Testing]
+- Changed kuberc configuration schema. Two new optional fields added to kuberc configuration, `credPluginPolicy` and `credPluginAllowlist`. This is documented in [KEP-3104](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/3104-introduce-kuberc/README.md#allowlist-design-details) and documentation is added to the website by [kubernetes/website#52877](https://github.com/kubernetes/website/pull/52877) ([#134870](https://github.com/kubernetes/kubernetes/pull/134870), [@pmengelbert](https://github.com/pmengelbert)) [SIG API Machinery, Architecture, Auth, CLI, Instrumentation and Testing]
+- Enhanced discovery response to support merged API groups/resources from all peer apiservers when UnknownVersionInteroperabilityProxy feature is enabled ([#133648](https://github.com/kubernetes/kubernetes/pull/133648), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Auth, Cloud Provider, Node, Scheduling and Testing]
+- Extend `core/v1 Toleration` to support numeric comparison operators (`Gt`, `Lt`). ([#134665](https://github.com/kubernetes/kubernetes/pull/134665), [@helayoty](https://github.com/helayoty)) [SIG API Machinery, Apps, Node, Scheduling, Testing and Windows]
+- Features: NominatedNodeNameForExpectation in kube-scheduler and CleaeringNominatedNodeNameAfterBinding in kube-apiserver are now enabled by default. ([#135103](https://github.com/kubernetes/kubernetes/pull/135103), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- Implement changes to prevent pod scheduling to a node without CSI driver ([#135012](https://github.com/kubernetes/kubernetes/pull/135012), [@gnufied](https://github.com/gnufied)) [SIG API Machinery, Scheduling, Storage and Testing]
+- Introduce scheduling.k8s.io/v1alpha1 Workload API to allow for expressing workload-level scheduling requirements and let kube-scheduler act on those. ([#134564](https://github.com/kubernetes/kubernetes/pull/134564), [@macsko](https://github.com/macsko)) [SIG API Machinery, Apps, CLI, Etcd, Scheduling and Testing]
+- Introduce the alpha MutableSchedulingDirectivesForSuspendedJobs feature gate (disabled by default) which:
+  1. allows to mutate Job's scheduling directives for suspended Jobs
+  2. makes the Job controller to clear the status.startTime field for suspended Jobs ([#135104](https://github.com/kubernetes/kubernetes/pull/135104), [@mimowo](https://github.com/mimowo)) [SIG Apps and Testing]
+- Introduced GangScheduling kube-scheduler plugin to enable "all-or-nothing" scheduling. Workload API in scheduling.k8s.io/v1alpha1 is used to express the desired policy. ([#134722](https://github.com/kubernetes/kubernetes/pull/134722), [@macsko](https://github.com/macsko)) [SIG API Machinery, Apps, Auth, CLI, Etcd, Scheduling and Testing]
+- PV node affinity is now mutable. ([#134339](https://github.com/kubernetes/kubernetes/pull/134339), [@huww98](https://github.com/huww98)) [SIG API Machinery, Apps and Node]
+- ResourceQuota now counts device class requests within a ResourceClaim object as consuming two additional quotas when the DRAExtendedResource feature is enabled:
+  - `requests.deviceclass.resource.k8s.io/<deviceclass>` with a quantity equal to the worst case count of devices requested
+  - requests for device classes that map to an extended resource consume `requests.<extended resource name>` ([#134210](https://github.com/kubernetes/kubernetes/pull/134210), [@yliaog](https://github.com/yliaog)) [SIG API Machinery, Apps, Node, Scheduling and Testing]
+- The DRA device taints and toleration feature now has a separate feature gate, DRADeviceTaintRules, which controls whether support for DeviceTaintRules is enabled. It is possible to disable that and keep DRADeviceTaints enabled, in which case tainting by DRA drivers through ResourceSlices continues to work. ([#135068](https://github.com/kubernetes/kubernetes/pull/135068), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
+- The ImagePullIntent and ImagePulledRecord objects used by kubelet to store information about image pulls have been moved to the v1beta1 API version. ([#132579](https://github.com/kubernetes/kubernetes/pull/132579), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- The KubeletEnsureSecretPulledImages feature is now beta and enabled by default. ([#135228](https://github.com/kubernetes/kubernetes/pull/135228), [@aramase](https://github.com/aramase)) [SIG Auth, Node and Testing]
+- This change adds a new alpha feature Node Declared Features, which includes:
+  - A new `Node.Status.DeclaredFeatures` field for Kubelet to publish node-specific features.
+  - A library in `component-helpers` for feature registration and inference.
+  - A scheduler plugin (`NodeDeclaredFeatures`) scheduler plugin to match pods with nodes that provide their required features.
+  - An admission plugin (`NodeDeclaredFeatureValidator`) to validate pod updates against a node's declared features. ([#133389](https://github.com/kubernetes/kubernetes/pull/133389), [@pravk03](https://github.com/pravk03)) [SIG API Machinery, Apps, Node, Release, Scheduling and Testing]
+- This change allows In Place Resize of Pod Level Resources 
+  - Add Resources in PodStatus to capture resources set at pod-level cgroup
+  - Add AllocatedResources in PodStatus to capture resources requested in the PodSpec ([#132919](https://github.com/kubernetes/kubernetes/pull/132919), [@ndixita](https://github.com/ndixita)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Instrumentation, Node, Scheduling and Testing]
+- Updates to the Partitionable Devices feature which allows for referencing counter sets across different ResourceSlices within the same resource pool.
+  
+  Devices from incomplete pools are no longer considered for allocation.
+  
+  This contains backwards incompatible changes to the Partitionable Devices alpha feature, so any ResourceSlices that uses the feature should be removed prior to upgrading or downgrading between 1.34 and 1.35. ([#134189](https://github.com/kubernetes/kubernetes/pull/134189), [@mortent](https://github.com/mortent)) [SIG API Machinery, Node, Scheduling and Testing]
+
+### Feature
+
+- Add cloud-controller-manager feature gate CloudControllerManagerWatchBasedRoutesReconciliation ([#131220](https://github.com/kubernetes/kubernetes/pull/131220), [@lukasmetzner](https://github.com/lukasmetzner)) [SIG API Machinery and Cloud Provider]
+- Add the `UserNamespacesHostNetworkSupport` feature gate. The feature gate defaults to disabled. When the feature gate is enabled, will allow `hostNetwork` pods to use `user namespace`. ([#134893](https://github.com/kubernetes/kubernetes/pull/134893), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Apps, Node and Testing]
+- Added a new `source` label in `resourceclaim_controller_resource_claims`.
+  Added a new metrics for DRAExtendedResource `scheduler_resourceclaim_creates_total`. ([#134523](https://github.com/kubernetes/kubernetes/pull/134523), [@bitoku](https://github.com/bitoku)) [SIG Apps, Instrumentation, Node and Scheduling]
+- Added configurable per-device health check timeouts to the DRA health monitoring API. ([#135147](https://github.com/kubernetes/kubernetes/pull/135147), [@harche](https://github.com/harche)) [SIG Node]
+- Bump ImageGCMaximumAge to stable ([#134736](https://github.com/kubernetes/kubernetes/pull/134736), [@haircommander](https://github.com/haircommander)) [SIG Node and Testing]
+- Enables the `WatchListClient` feature gate. ([#134180](https://github.com/kubernetes/kubernetes/pull/134180), [@p0lyn0mial](https://github.com/p0lyn0mial)) [SIG API Machinery, Apps, Auth, CLI, Instrumentation, Node and Testing]
+- Graduate PodTopologyLabelsAdmission feature gate to Beta and on by default.
+  
+  Pods will now have labels `topology.kubernetes.io/zone` and `topology.kubernetes.io/region` by default if the assigned Node has these labels. ([#135158](https://github.com/kubernetes/kubernetes/pull/135158), [@andrewsykim](https://github.com/andrewsykim)) [SIG Node]
+- Graduate image volume source to on by default Beta ([#135195](https://github.com/kubernetes/kubernetes/pull/135195), [@haircommander](https://github.com/haircommander)) [SIG Apps, Instrumentation, Node and Testing]
+- Implement scoring for DRA-backed extended resources ([#134058](https://github.com/kubernetes/kubernetes/pull/134058), [@bart0sh](https://github.com/bart0sh)) [SIG Node, Scheduling and Testing]
+- KEP-3619: fined-grained supplemental groups policy is graduated to GA. ([#135088](https://github.com/kubernetes/kubernetes/pull/135088), [@everpeace](https://github.com/everpeace)) [SIG Node and Testing]
+- KEP-5440: Allow for resizing of resources while job is suspended.  This feature is alpha. ([#132441](https://github.com/kubernetes/kubernetes/pull/132441), [@kannon92](https://github.com/kannon92)) [SIG Apps and Testing]
+- KEP-5598 opportunistic batching is implemented to optimize scheduling for pods that have the same scheduling requirements. ([#135231](https://github.com/kubernetes/kubernetes/pull/135231), [@bwsalmon](https://github.com/bwsalmon)) [SIG Node, Scheduling, Storage and Testing]
+- Kubeadm: Add `HTTPEndpoints` field to `ClusterConfiguration.Etcd.ExternalEtcd` that can be used to configure the HTTP endpoints for etcd communication in v1beta4. This field is used to separate the HTTP traffic (such as /metrics and /health endpoints) from the gRPC traffic handled by Endpoints. This separation allows for better access control, as HTTP endpoints can be exposed without exposing the primary gRPC interface. Corresponds to etcd's `--listen-client-http-urls` configuration. If not provided, Endpoints will be used for both gRPC and HTTP traffic. ([#134890](https://github.com/kubernetes/kubernetes/pull/134890), [@SataQiu](https://github.com/SataQiu)) [SIG Cluster Lifecycle]
+- Kubernetes is now built with go 1.25.4 ([#135187](https://github.com/kubernetes/kubernetes/pull/135187), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release]
+- New metrics are introduced related to Ensure Secret Pulled Images KEP:
+      - kubelet_imagemanager_ondisk_pullintents - the number of pull intent records currently kept on disk
+      - kubelet_imagemanager_ondisk_pulledrecords - the number of image pulled records currently kept on disk
+      - kubelet_imagemanager_image_mustpull_checks_total{result} - the number for how many times an image was checked against the pull records and the results of those checks ([#132812](https://github.com/kubernetes/kubernetes/pull/132812), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- Pick one device class deterministically for extended resource when there are more than one ([#135037](https://github.com/kubernetes/kubernetes/pull/135037), [@yliaog](https://github.com/yliaog)) [SIG Node, Scheduling and Testing]
+- Promoted the `EnvFiles` feature gate to beta and is enabled by default. Additionally, the syntax specification for environment variables has been restricted to a subset of POSIX shell syntax (all variable values must be wrapped in single quotes). ([#134414](https://github.com/kubernetes/kubernetes/pull/134414), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node and Testing]
+- Promoted the `KubeletCrashLoopBackOffMax` feature gate to beta, it is now enabled by default. ([#135044](https://github.com/kubernetes/kubernetes/pull/135044), [@hankfreund](https://github.com/hankfreund)) [SIG Node]
+- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([#134790](https://github.com/kubernetes/kubernetes/pull/134790), [@yt2985](https://github.com/yt2985)) [SIG Auth, Instrumentation and Testing]
+- When resizing pods, more events will be emitted when the pod's resize status changes. ([#134825](https://github.com/kubernetes/kubernetes/pull/134825), [@natasha41575](https://github.com/natasha41575)) [SIG Node]
+
+### Bug or Regression
+
+- Extended resources requested by initContainers which are allocated using an automatic ResourceClaim now match the behavior of legacy device plugins, reusing the same resources requested by later sidecar initContainers or regular containers when possible, to minimize the total number of devices requested by the pod. ([#134882](https://github.com/kubernetes/kubernetes/pull/134882), [@yliaog](https://github.com/yliaog)) [SIG Apps, CLI, Node, Scheduling and Testing]
+- Fix Windows kube-proxy (winkernel) issue where stale RemoteEndpoints remained
+  when a Deployment was referenced by multiple Services due to premature clearing
+  of the terminatedEndpoints map. ([#135146](https://github.com/kubernetes/kubernetes/pull/135146), [@princepereira](https://github.com/princepereira)) [SIG Network and Windows]
+- Fix bug in ValidatingAdmissionPolicy where a object schema with additionalProperties:true would crash the kube-controller-manager with a nil pointer exception. ([#135155](https://github.com/kubernetes/kubernetes/pull/135155), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery]
+- Fixes an issue that disallowed restart policies and restart rules on static pods. ([#135031](https://github.com/kubernetes/kubernetes/pull/135031), [@yuanwang04](https://github.com/yuanwang04)) [SIG Node]
+- Fixes the replacement tag in APIs to not be a selector for storage version ([#135197](https://github.com/kubernetes/kubernetes/pull/135197), [@Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
+- Kube-apiserver: Fixes spurious warning log messages about enabled alpha APIs while starting API server ([#135327](https://github.com/kubernetes/kubernetes/pull/135327), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery]
+- Kubelet: fix concurrent map write error when creating a pod with empty volume when the LocalStorageCapacityIsolationFSQuotaMonitoring feature-gate is enabled ([#135174](https://github.com/kubernetes/kubernetes/pull/135174), [@carlory](https://github.com/carlory)) [SIG Storage]
+- Support ShareID of DRAConsumableCapacity feature in the Kubelet Plugin API ([#134520](https://github.com/kubernetes/kubernetes/pull/134520), [@sunya-ch](https://github.com/sunya-ch)) [SIG Node and Testing]
+- The slow initialization of container runtime will not cause System WatchDog to kill kubelet. Device Manager is not considered healthy before it attempted to start listening on the port. ([#135153](https://github.com/kubernetes/kubernetes/pull/135153), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG Node]
+- Typed workqueue now cleans up goroutines before shutting down ([#135072](https://github.com/kubernetes/kubernetes/pull/135072), [@Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
+
+### Other (Cleanup or Flake)
+
+- AggregatedDiscoveryRemoveBetaType feature gate is deprecated and locked to True ([#134230](https://github.com/kubernetes/kubernetes/pull/134230), [@Jefftree](https://github.com/Jefftree)) [SIG API Machinery]
+- Dropped support for networking/v1beta1 Ingress in kubectl ([#135176](https://github.com/kubernetes/kubernetes/pull/135176), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Dropped support for networking/v1beta1 IngressClass in kubectl ([#135108](https://github.com/kubernetes/kubernetes/pull/135108), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Upgrade CoreDNS to v1.12.4 ([#133968](https://github.com/kubernetes/kubernetes/pull/133968), [@yashsingh74](https://github.com/yashsingh74)) [SIG Cloud Provider and Cluster Lifecycle]
+
+## Dependencies
+
+### Added
+- cyphar.com/go-pathrs: v0.2.1
+
+### Changed
+- github.com/coredns/corefile-migration: [v1.0.27 → v1.0.29](https://github.com/coredns/corefile-migration/compare/v1.0.27...v1.0.29)
+- github.com/cyphar/filepath-securejoin: [v0.4.1 → v0.6.0](https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...v0.6.0)
+- github.com/opencontainers/selinux: [v1.11.1 → v1.13.0](https://github.com/opencontainers/selinux/compare/v1.11.1...v1.13.0)
+
+### Removed
+_Nothing has changed._
+
+
+
+# v1.35.0-alpha.3
+
+
+## Downloads for v1.35.0-alpha.3
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes.tar.gz) | 054e77631e6a17dcb1589e14aaf215672c054a3315de0e72fad066d5f4392ff09288dc0ead2e9667c65c3c7c770d81206abb94eaf2615b1ef0cc99fbf3a5c793
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-src.tar.gz) | fe30a5b352bb1656d7306aec0f491fde6f874af7d749fa31fe75ac5035c98d3c63d95db1b0c0024b30c55eadf7b60a1c3513a343eff2d6b0793147112940c82b
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-darwin-amd64.tar.gz) | ca86f0ff39c9ee9ddf75674369cac952652afb3d36c11d8b761d00e9a6f9827adda24d87db6d936ab4ff54cd3d65afcc1e8b77868bc8054837d36cc9725a0fe8
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-darwin-arm64.tar.gz) | b5a6772bfd7fd59ad18d0ccd6cece28d316613c1364607bdcb6389b2be1e911297b8ea3fb4b0ced7c38e66be36bf3f42898e4a5fade67add6a29cc5caec0f449
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-386.tar.gz) | 8ecf519056385911fcec30039c8c3bf8537726c35ad9637602444dc6f1c5cc4f34fd2b924641b64b5a94b81935deff3a1445bc161fa3c3887a26b6a572e5a126
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-amd64.tar.gz) | 499d946c3baf4bf55cc12ae0166ebbd3ae2c0c383d0f0cabca18cdc843b101e4fe0a972117f01d59e6eb61056471bdf5ff7b1c124e42298a4d758c01f8d888dc
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-arm.tar.gz) | fc240f0e23fad7578330cfb65ee271b3dfee099fd4fea3df6e5bd6cd5c50d8d398915d3c1dd735593b96ed1f3d30a800dd3ee6b1553c32bbc46428823ff68d6d
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-arm64.tar.gz) | ee4a49a4c55d9fce0cddf8150fa506df2c498abb257bb87c773260c26dc32fcb14be97630a27a22dd7406207778c7111f95751dc80b5dfabdf0755757b9c7082
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-ppc64le.tar.gz) | 758eab71ab6435a689ac081bad27270967b6f8a09532b2dbc1c45b16eb8cc9ee24d317c4c8adf4345c569e89a1edeea8fb6f1bf97f7f84604fc17a7459f9a59f
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-linux-s390x.tar.gz) | 13947dfc8a67de7805e2e0818452d287079f9f382c8e36e8501b0871c5083f3eef1ac0461ca3570abeb39f84391b75843236a98f56f17a75f01a3d88cbfc6998
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-windows-386.tar.gz) | 813f670f33f20dfbec2dfd53136831f1117b5d172fa381fb1f69348d9f2e1cdda5eff2f807529924d1751d31011f3ba0a9dfd2e395114f8c289cbc3a262a207b
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-windows-amd64.tar.gz) | 6cfafe20404a2d6d8d7f9ed923eabc59360ba16454db8602de7aaaf3f40af7ff0429f54c3a34fd8c94d4a2e83bffeab29de5eed78f45f3cbe4027a8ae23a25c9
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-client-windows-arm64.tar.gz) | dc4f018a9d7182c32f82727e42624f6b5883e944a730855ab0dd9ab9e8a5eea0766c5214ce5bf63c3bafc795d28bc335a94c9e50f1c4c80887c944780bb7811a
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-server-linux-amd64.tar.gz) | 741bc1b0cb536ae82284b299fbb27c466e7ce3b54ba879a40631c5c00d822bce76dbb927d51ccb50383f22e115c4f0a5d22d8157cd9ea69da797f2fae2229b50
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-server-linux-arm64.tar.gz) | 26d073a93c26511aa3ec2e47954193175a87426d6f489370cbc5d2cbc636e98785a8c065d3cee1e3fcd52f4ee2b37e3137ade65739704b4aa3582c41d9e69341
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-server-linux-ppc64le.tar.gz) | 2ce67d08040129bc1d290faf63573f7e1881f2ec7eaf02a4a27cbd48285fc315ff336d245c63f6bb8dd5b2e82821beed731bf9e9f807a4d5a0fadac355413183
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-server-linux-s390x.tar.gz) | 6b12151c9ab895a9c51f7e17b067d165b511f8c7e32c5ee2cb9924087314bcacd74826e1b18bccd1e06b85a9a3c26e151c38fed9a4f40794777bd06f68cb3e95
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-node-linux-amd64.tar.gz) | f13943abe46974a701c1de6a20f76a2ade96db4795de7f6615680c3a360d602d5efca1d062c206f5154e3c3f504c0e51fda10e96ed31e20b3bd3d711be3600f8
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-node-linux-arm64.tar.gz) | b7b664dde1dea0469dcab0a8f30032c583210d008621580930feb4a56353f9d51b732643fb41600febae3da3f2f17617c7914487539e4d7be8b4942c52219c85
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-node-linux-ppc64le.tar.gz) | 38cc958f6bc855b9fb6da6dbe1dd4eda874916865b030b929eab5f4110fa9554d7531757992e54ad912ca41d7eee6f01e6a299132c023199d7751491ae5456da
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-node-linux-s390x.tar.gz) | c32b6d753f1c76bfcac7c37d5986d243cb5b7ad6bd01596b84d4262250ba31d875005302e8b92f7b8bac9ad30a85a6a60f99609fbbcceb0df1d08dfad8539488
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.3/kubernetes-node-windows-amd64.tar.gz) | c5dfdcf501f39003ff818fa66c90e3874d9db21afc74ce9d6fe20de6f074d755ee0a90e18e47ffebda0da5685e9b42e8385f6e7e3d518b08a911c019686257d9
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-alpha.3](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.35.0-alpha.2
+
+## Urgent Upgrade Notes
+
+### (No, really, you MUST read this before you upgrade)
+
+ - ACTION REQUIRED
+  
+  vendor: updated k8s.io/system-validators to v1.12.1. The cgroups validator will now throw an error instead of a warning if cgroups v1 is detected on the host and the provided KubeletVersion is 1.35 or newer.
+  
+  kubeadm: started using k8s.io/system-validators v1.12.1 in kubeadm 1.35. During `kubeadm init`, `kubeadm join` and `kubeadm upgrade`, the SystemVerification preflight check will throw an error if cgroups v1 is detected and if the detected kubelet version is 1.35 or newer. For older versions of kubelet, there will be just a preflight warning.
+  
+  To allow cgroups v1 with kubeadm and kubelet version 1.35 or newer, you must:
+  - Ignore the error from the SystemVerifcation preflight check by kubeadm.
+  - Edit the kube-system/kubelet-config ConfigMap and add the `failCgroupV1: false` field, before upgrading. ([#134744](https://github.com/kubernetes/kubernetes/pull/134744), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle and Node]
+  - Removed the `--pod-infra-container-image` flag from kubelet's command line. For non-kubeadm clusters, users must manually remove this flag from their kubelet configuration to prevent startup failures before they upgrade kubelet. ([#133779](https://github.com/kubernetes/kubernetes/pull/133779), [@carlory](https://github.com/carlory)) [SIG Node]
+ 
+## Changes by Kind
+
+### API Change
+
+- Add ObservedGeneration to CustomResourceDefinition Conditions. ([#134984](https://github.com/kubernetes/kubernetes/pull/134984), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery]
+- Add StorageVersionMigration v1beta1 api and remove the v1alpha API. 
+  
+  Any use of the v1alpha1 api is no longer supported and 
+  users must remove any v1alpha1 resources prior to upgrade. ([#134784](https://github.com/kubernetes/kubernetes/pull/134784), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Apps, Auth, Etcd and Testing]
+- CSI drivers can now opt-in to receive service account tokens via the secrets field instead of volume context by setting `spec.serviceAccountTokenInSecrets: true` in the CSIDriver object. This prevents tokens from being exposed in logs and other outputs. The feature is gated by the `CSIServiceAccountTokenSecrets` feature gate (Beta in v1.35). ([#134826](https://github.com/kubernetes/kubernetes/pull/134826), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth, Storage and Testing]
+- DRA device taints: DeviceTaintRule status provided information about the rule, in particular whether pods still need to be evicted ("EvictionInProgress" condition). The new "None" effect can be used to preview what a DeviceTaintRule would do if it used the "NoExecute" effect and to taint devices ("device health") without immediately affecting scheduling or running pods. ([#134152](https://github.com/kubernetes/kubernetes/pull/134152), [@pohly](https://github.com/pohly)) [SIG API Machinery, Apps, Auth, Node, Release, Scheduling and Testing]
+- DRA: the DynamicResourceAllocation feature gate for the core functionality (GA in 1.34) is now locked to enabled-by-default and thus cannot be disabled anymore. ([#134452](https://github.com/kubernetes/kubernetes/pull/134452), [@pohly](https://github.com/pohly)) [SIG Auth, Node, Scheduling and Testing]
+- Forbid adding resources other than CPU & memory on pod resize. ([#135084](https://github.com/kubernetes/kubernetes/pull/135084), [@tallclair](https://github.com/tallclair)) [SIG Apps, Node and Testing]
+- Implement constrained impersonation as described in https://kep.k8s.io/5284 ([#134803](https://github.com/kubernetes/kubernetes/pull/134803), [@enj](https://github.com/enj)) [SIG API Machinery, Auth and Testing]
+- Introduces a structured and versioned v1alpha1 response for flagz ([#134995](https://github.com/kubernetes/kubernetes/pull/134995), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- Introduces a structured and versioned v1alpha1 response for statusz ([#134313](https://github.com/kubernetes/kubernetes/pull/134313), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- New `--min-compatibility-version` flag for apiserver, kcm and kube scheduler ([#133980](https://github.com/kubernetes/kubernetes/pull/133980), [@siyuanfoundation](https://github.com/siyuanfoundation)) [SIG API Machinery, Architecture, Cluster Lifecycle, Etcd, Scheduling and Testing]
+- Promote PodObservedGenerationTracking to GA. ([#134948](https://github.com/kubernetes/kubernetes/pull/134948), [@natasha41575](https://github.com/natasha41575)) [SIG API Machinery, Apps, Node, Scheduling and Testing]
+- Promoted Job Managed By to general availability. The `JobManagedBy` feature gate is now locked to true, and will be removed in a future release of Kubernetes. ([#135080](https://github.com/kubernetes/kubernetes/pull/135080), [@dejanzele](https://github.com/dejanzele)) [SIG API Machinery, Apps and Testing]
+- Promoted ReplicaSet and Deployment `.status.terminatingReplicas` tracking to beta. The `DeploymentReplicaSetTerminatingReplicas` feature gate is now enabled by default. ([#133087](https://github.com/kubernetes/kubernetes/pull/133087), [@atiratree](https://github.com/atiratree)) [SIG API Machinery, Apps and Testing]
+- Scheduler: added a new `bindingTimeout` argument to the DynamicResources plugin configuration.
+  This allows customizing the wait duration in PreBind for device binding conditions.
+  Defaults to 10 minutes when DRADeviceBindingConditions and DRAResourceClaimDeviceStatus are both enabled. ([#134905](https://github.com/kubernetes/kubernetes/pull/134905), [@fj-naji](https://github.com/fj-naji)) [SIG Node and Scheduling]
+- The Pod Certificates feature is moving to beta. The PodCertificateRequest feature gate is still set false by default. To use the feature, users will need to enable the certificates API groups in v1beta1 and enable the feature gate PodCertificateRequest. A new field UserAnnotations is added to the PodCertificateProjection API and the corresponding UnverifiedUserAnnotations is added to the PodCertificateRequest API. ([#134624](https://github.com/kubernetes/kubernetes/pull/134624), [@yt2985](https://github.com/yt2985)) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node and Testing]
+- The StrictCostEnforcementForVAP and StrictCostEnforcementForWebhooks feature gates, locked on since 1.32, have been removed ([#134994](https://github.com/kubernetes/kubernetes/pull/134994), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Node and Testing]
+- The `PreferSameZone` and `PreferSameNode` values for Service's
+  `trafficDistribution` field are now GA. The old value `PreferClose` is now
+  deprecated in favor of the more-explicit `PreferSameZone`. ([#134457](https://github.com/kubernetes/kubernetes/pull/134457), [@danwinship](https://github.com/danwinship)) [SIG API Machinery, Apps, Network and Testing]
+
+### Feature
+
+- Add the `ChangeContainerStatusOnKubeletRestart` feature gate. The feature gate defaults to disabled. When the feature gate is disabled, the kubelet does not change the pod status upon restart, and pods will not re-run startup probes after kubelet restart. ([#134746](https://github.com/kubernetes/kubernetes/pull/134746), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node and Testing]
+- Added a new `source` label in `resourceclaim_controller_resource_claims`.
+  Added a new metrics for DRAExtendedResource `scheduler_resourceclaim_creates_total`. ([#134523](https://github.com/kubernetes/kubernetes/pull/134523), [@bitoku](https://github.com/bitoku)) [SIG Apps, Instrumentation, Node and Scheduling]
+- Added support for tracing in kubectl with --profile=trace ([#134709](https://github.com/kubernetes/kubernetes/pull/134709), [@tchap](https://github.com/tchap)) [SIG CLI]
+- Adding new kuberc view/set commands in kubectl to perform operations against kuberc file ([#135003](https://github.com/kubernetes/kubernetes/pull/135003), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+- Enable MutableCSINodeAllocatableCount by default. ([#134647](https://github.com/kubernetes/kubernetes/pull/134647), [@torredil](https://github.com/torredil)) [SIG Storage]
+- Improved throughput in the real-FIFO queue used by informer/controllers by adding batch handling for processing watch events. ([#132240](https://github.com/kubernetes/kubernetes/pull/132240), [@yue9944882](https://github.com/yue9944882)) [SIG API Machinery, Scheduling and Storage]
+- Introducing new flag --as-user-extra persistent flag in kubectl that can be used to pass extra arguments during the impersonation ([#134378](https://github.com/kubernetes/kubernetes/pull/134378), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+- Kube-apiserver: JWT authenticator now report the following metrics:
+  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
+  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info
+  
+  when StructuredAuthenticationConfiguration feature is enabled. ([#123642](https://github.com/kubernetes/kubernetes/pull/123642), [@aramase](https://github.com/aramase)) [SIG API Machinery, Auth and Testing]
+- Kubeadm: added a new preflight check `ContainerRuntimeVersion ` to validate if the installed container runtime supports the RuntimeConfig gRPC method. If the container runtime does not support the RuntimeConfig gRPC method, kubeadm will print a warning message. 
+  
+  Once Kubernetes 1.36 is released, the kubelet might refuse to start if the CRI runtime does not support this feature. More information can be found in https://kubernetes.io/blog/2025/09/12/kubernetes-v1-34-cri-cgroup-driver-lookup-now-ga/. ([#134906](https://github.com/kubernetes/kubernetes/pull/134906), [@carlory](https://github.com/carlory)) [SIG Cluster Lifecycle]
+- New counter metric exposing details about kubelet ensuring an image exists on the node is added - `kubelet_image_manager_ensure_image_requests_total{present_locally, pull_policy, pull_required}` ([#132644](https://github.com/kubernetes/kubernetes/pull/132644), [@stlaz](https://github.com/stlaz)) [SIG Auth and Node]
+- Promote InPlacePodVerticalScaling to GA. ([#134949](https://github.com/kubernetes/kubernetes/pull/134949), [@natasha41575](https://github.com/natasha41575)) [SIG API Machinery, Node and Scheduling]
+- Promote Relaxed validation for Services names to beta (enabled by default)
+  
+  Promote `RelaxedServiceNameValidation` feature to beta (enabled by default)
+  The  names of new Services names are validation with `NameIsDNSLabel()`,
+  relaxing the  pre-existing validation. ([#134493](https://github.com/kubernetes/kubernetes/pull/134493), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Network]
+- Promote kubectl command headers to stable ([#134777](https://github.com/kubernetes/kubernetes/pull/134777), [@soltysh](https://github.com/soltysh)) [SIG CLI and Testing]
+- The SchedulerAsyncAPICalls feature gate has been re-enabled by default after fixing regressions detected in v1.34. ([#135059](https://github.com/kubernetes/kubernetes/pull/135059), [@macsko](https://github.com/macsko)) [SIG Scheduling]
+- The scheduler clears the `nominatedNodeName` field for Pods upon scheduling or binding failure. External components, such as Cluster Autoscaler and Karpenter, should not overwrite this field. ([#135007](https://github.com/kubernetes/kubernetes/pull/135007), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+
+### Bug or Regression
+
+- BlockOwnerDeletion is removed from resource claims created from resource claim templates, and extended resource claims created by scheduler ([#134956](https://github.com/kubernetes/kubernetes/pull/134956), [@yliaog](https://github.com/yliaog)) [SIG Apps, Node and Scheduling]
+- Drop DeviceBindingConditions fields if the DRADeviceBindingConditions is not enabled and not in-use ([#134964](https://github.com/kubernetes/kubernetes/pull/134964), [@sunya-ch](https://github.com/sunya-ch))
+- Fix a very old issue where kubelet rejects pods with NodeAffinityFailed due to a stale informer cache. ([#134445](https://github.com/kubernetes/kubernetes/pull/134445), [@natasha41575](https://github.com/natasha41575)) [SIG Node]
+- Fix issue in asynchronous preemption: Scheduler checks if preemption is ongoing for a pod before initiating new preemption calls ([#134730](https://github.com/kubernetes/kubernetes/pull/134730), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+- Fix panic on kubectl api-resources ([#134833](https://github.com/kubernetes/kubernetes/pull/134833), [@rikatz](https://github.com/rikatz)) [SIG CLI]
+- Fix setting distinctAttribute=nil when DRAConsumableCapacity is disabled ([#134962](https://github.com/kubernetes/kubernetes/pull/134962), [@sunya-ch](https://github.com/sunya-ch)) [SIG Node]
+- Fix the bug which could result in Job status updates failing with the error:
+  status.startTime: Required value: startTime cannot be removed for unsuspended job
+  The error could be raised after a Job is resumed, if started and suspended previously. ([#134769](https://github.com/kubernetes/kubernetes/pull/134769), [@dejanzele](https://github.com/dejanzele)) [SIG Apps and Testing]
+- Fix: The requests for a config FromClass in the status of a ResourceClaim were not referenced. ([#134793](https://github.com/kubernetes/kubernetes/pull/134793), [@LionelJouin](https://github.com/LionelJouin)) [SIG Node]
+- Fixed a bug that caused a deleted pod staying in the binding phase to occupy space on the node in the kube-scheduler. ([#134157](https://github.com/kubernetes/kubernetes/pull/134157), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
+- Fixed a bug that prevent allocating the same device that was previously consuming the CounterSet when enabling both DRAConsumableCapacity and DRAPartitionableDevices. ([#134103](https://github.com/kubernetes/kubernetes/pull/134103), [@sunya-ch](https://github.com/sunya-ch)) [SIG Node]
+- Fixed a bug where the health of a DRA resource was not reported in the Pod status if the resource claim was generated from a template or used a different local name in the pod spec. ([#134875](https://github.com/kubernetes/kubernetes/pull/134875), [@Jpsassine](https://github.com/Jpsassine)) [SIG Node and Testing]
+- Fixes an issue where the kubelet /configz endpoint reported incorrect value for kubeletconfig.cgroupDriver when the cgroup driver setting is received from the container runtime. ([#134743](https://github.com/kubernetes/kubernetes/pull/134743), [@marquiz](https://github.com/marquiz)) [SIG Node]
+- Fixes bug where AllocationMode: All would not succeed if a resource pool contained ResourceSlices that wasn't targeting the current node. ([#134466](https://github.com/kubernetes/kubernetes/pull/134466), [@mortent](https://github.com/mortent)) [SIG Node]
+- Kube-controller-manager: Fixes a 1.34 regression, which triggered a spurious rollout of existing statefulsets when upgrading the control plane from 1.33 → 1.34. This fix is guarded by a `StatefulSetSemanticRevisionComparison` feature gate, which is enabled by default. ([#135017](https://github.com/kubernetes/kubernetes/pull/135017), [@liggitt](https://github.com/liggitt)) [SIG Apps]
+- Kube-scheduler: Pod statuses no longer include specific taint keys or values when scheduling fails because of untolerated taints ([#134740](https://github.com/kubernetes/kubernetes/pull/134740), [@hoskeri](https://github.com/hoskeri)) [SIG Scheduling]
+- Namespace is added to the output of dry-run=client of HPA object ([#134263](https://github.com/kubernetes/kubernetes/pull/134263), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI and Testing]
+
+### Other (Cleanup or Flake)
+
+- Added a new filed `Step` in the testing framework to allow volume expansion in configurable step sizes for tests. ([#134760](https://github.com/kubernetes/kubernetes/pull/134760), [@Rishita-Golla](https://github.com/Rishita-Golla)) [SIG Storage and Testing]
+- Dropped support for certificates/v1beta1 CertificateSigningRequest in kubectl ([#134782](https://github.com/kubernetes/kubernetes/pull/134782), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Dropped support for discovery/v1beta1 EndpointSlice in kubectl ([#134913](https://github.com/kubernetes/kubernetes/pull/134913), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Dropped support for networking/v1beta1 IngressClass in kubectl ([#135108](https://github.com/kubernetes/kubernetes/pull/135108), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Eliminate use of md5 and prevent future use of md5 in favor of more appropriate hashing algorithms. ([#133511](https://github.com/kubernetes/kubernetes/pull/133511), [@BenTheElder](https://github.com/BenTheElder)) [SIG Apps, Architecture, CLI, Cluster Lifecycle, Network, Node, Security, Storage and Testing]
+- Kubeadm: removed the kubeadm-specific feature gate WaitForAllControlPlaneComponents which graduated to GA in 1.34 and was locked to enabled by default. ([#134781](https://github.com/kubernetes/kubernetes/pull/134781), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubeadm: updated the supported etcd version to v3.5.24 for supported control plane versions v1.32, v1.33, and v1.34. ([#134779](https://github.com/kubernetes/kubernetes/pull/134779), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- Migrate the cpumanager to contextual logging ([#125912](https://github.com/kubernetes/kubernetes/pull/125912), [@ffromani](https://github.com/ffromani)) [SIG Node]
+- Removed the `UserNamespacesPodSecurityStandards` feature gate. The minimum supported Kubernetes version for a kubelet is now v1.31, so the gate is not needed. ([#132157](https://github.com/kubernetes/kubernetes/pull/132157), [@haircommander](https://github.com/haircommander)) [SIG Auth, Node and Testing]
+- The FeatureGate SystemdWatchdog is locked to default and will be removed. The Systemd Watchdog functionality in kubelet can be turned on via Systemd without any feature gate set up. See https://kubernetes.io/docs/reference/node/systemd-watchdog/ for information. ([#134691](https://github.com/kubernetes/kubernetes/pull/134691), [@SergeyKanzhelev](https://github.com/SergeyKanzhelev)) [SIG Node]
+- Updates the etcd client library to v3.6.5 ([#134780](https://github.com/kubernetes/kubernetes/pull/134780), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
+
+## Dependencies
+
+### Added
+- github.com/Masterminds/semver/v3: [v3.4.0](https://github.com/Masterminds/semver/tree/v3.4.0)
+- github.com/gkampitakis/ciinfo: [v0.3.2](https://github.com/gkampitakis/ciinfo/tree/v0.3.2)
+- github.com/gkampitakis/go-diff: [v1.3.2](https://github.com/gkampitakis/go-diff/tree/v1.3.2)
+- github.com/gkampitakis/go-snaps: [v0.5.15](https://github.com/gkampitakis/go-snaps/tree/v0.5.15)
+- github.com/goccy/go-yaml: [v1.18.0](https://github.com/goccy/go-yaml/tree/v1.18.0)
+- github.com/joshdk/go-junit: [v1.0.0](https://github.com/joshdk/go-junit/tree/v1.0.0)
+- github.com/maruel/natural: [v1.1.1](https://github.com/maruel/natural/tree/v1.1.1)
+- github.com/mfridman/tparse: [v0.18.0](https://github.com/mfridman/tparse/tree/v0.18.0)
+- github.com/tidwall/gjson: [v1.18.0](https://github.com/tidwall/gjson/tree/v1.18.0)
+- github.com/tidwall/match: [v1.1.1](https://github.com/tidwall/match/tree/v1.1.1)
+- github.com/tidwall/pretty: [v1.2.1](https://github.com/tidwall/pretty/tree/v1.2.1)
+- github.com/tidwall/sjson: [v1.2.5](https://github.com/tidwall/sjson/tree/v1.2.5)
+- go.uber.org/automaxprocs: v1.6.0
+
+### Changed
+- github.com/google/pprof: [d1b30fe → 27863c8](https://github.com/google/pprof/compare/d1b30fe...27863c8)
+- github.com/onsi/ginkgo/v2: [v2.21.0 → v2.27.2](https://github.com/onsi/ginkgo/compare/v2.21.0...v2.27.2)
+- github.com/onsi/gomega: [v1.35.1 → v1.38.2](https://github.com/onsi/gomega/compare/v1.35.1...v1.38.2)
+- github.com/rogpeppe/go-internal: [v1.13.1 → v1.14.1](https://github.com/rogpeppe/go-internal/compare/v1.13.1...v1.14.1)
+- go.etcd.io/bbolt: v1.4.2 → v1.4.3
+- go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
+- go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
+- go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
+- golang.org/x/mod: v0.27.0 → v0.28.0
+- golang.org/x/sync: v0.16.0 → v0.17.0
+- golang.org/x/sys: v0.35.0 → v0.37.0
+- golang.org/x/term: v0.34.0 → v0.36.0
+- golang.org/x/text: v0.28.0 → v0.29.0
+- k8s.io/system-validators: v1.11.1 → v1.12.1
+- k8s.io/utils: 4c0f3b2 → bc988d5
+
+### Removed
+_Nothing has changed._
+
+
+
+# v1.35.0-alpha.2
+
+
+## Downloads for v1.35.0-alpha.2
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes.tar.gz) | acba342356249738a81bf6bc6de95e4a30097fdd0ebe956b8cd8a2b0715e3161930f7408bd3b1ca1e05c07de4359485cf887b278987366efef3caf9024e80c6d
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-src.tar.gz) | 6e9f58180f53e57ae6b462d4ab3a13f7cafc9bb9802f8af3254e9f3c78b9883103972dced5dd0796c9c8e4176fd8557754981a63fc4b5eb4fb0d07838027ac70
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-darwin-amd64.tar.gz) | cb54b9aa876b327915048fa3d9a152abcde442d60cee750566339335b19c668f1d440f1dd79409137e7ee5d7e32e2d3c6e8b3fcaf7f4932b19508b483e3d4172
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-darwin-arm64.tar.gz) | 600f2922a818c9c750269695b9158892fcfdd1dd1311701033f93b396689c7d4625c24880598ea36ca3d1ff76be53dcdff911a96d8f337ec93847e340639a92b
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-386.tar.gz) | bcc1d2c3b5577b22636b7c9aa515fb9944e586d5ae657e066e204388992bb1e9c94dd54ecc7feaaafe46c89943e5500366a26dac11ee2eb32ea3106daf1da51b
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-amd64.tar.gz) | 4250b2063c70cd69b49a50a4a416a9bd5a4e7734ed8b9ccc1081ed12e23c30018c2be9dc377100eb14823bab26aa33670e92d7ba38588a2a0ca011c3d63ecbf5
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-arm.tar.gz) | 203825398afd6c697ac2fc13b126d7419b1c108362e6bb8a27eddef57e2845dd02735e4c48a5c2aa813f9e0ce24ee97ae94360cf50a9197fba53ba3ac736a50e
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-arm64.tar.gz) | b6669df8c4e096d7ca435bfa481823b74e131907433fc7b7dbf6e6a699f2905a60c98e3c23c9321462ae3afdd707ffea3acf473a13905e63203cebefa80028c2
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-ppc64le.tar.gz) | 37b0ce0d3dfa8dcd2222c63b6572e32ad1a7f07d4164de886b3eca04d4c655a3cc07786090eb24cc20f0bf641cae2efba7ab3c3cd2da5536575571db31aa89da
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-linux-s390x.tar.gz) | 3d7054c4b8d18501b535b0cd070bab316b7393bcb575fc869e2fde7190044b15a42e32dbea6aee64aef933ec1d8c7c11581c61bcb4829e710b26971b133180c3
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-windows-386.tar.gz) | ae011d1aa7b41160d50b9cd9bc4fe2890bbc2ce2f2b6c63695ae20f36e93cbf189c32deafc0d99c46532917ba291f40965cd4038edcb5bb3a27cd66974dba539
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-windows-amd64.tar.gz) | bcff5d410cea98ab7e83a66c545b4322d17055ed0b3c7acb110a757e6f0ee55aadfc0174c8c641511ac832024af5b2660f4e2be5c3076a12e0b862aa55a1d02f
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-client-windows-arm64.tar.gz) | 4fb60b2747b500f1139f590e436318fabdd692fc7d2de27be9667c1e5f9af3a6a67796fcd3c69b92e225a04ae92292d715c4c5e1a1437f1723e5bd16d30e5c59
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-server-linux-amd64.tar.gz) | b29aaf01ad35edf7d24ac2a1d493c28a65941fd9f490bbcaeecfc418b1e26060f90e1677353ace6229ae1b8416f5080e116fcfb90732a7aab094761d9f1dadbe
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-server-linux-arm64.tar.gz) | fc8aeaec77c22d1cb777d9d626f6cbdc0bd178a29d1c125305592d4b40680c51d30d6ffeeb5754abd029c56ed2f49462a85799939f7ffc343f4816da3b9a2d20
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-server-linux-ppc64le.tar.gz) | 61a70fa842e8afff5bdf3ab45a85b0bae183eb0e3910c440ca21520d3f03e0ee66ffbdd8b335b0d9ccfd2c77fb1a82e0f1480a267da6e6c10255c87465b12965
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-server-linux-s390x.tar.gz) | 9275068613ddfaa163bbfaed5ae0c69dc2ca2031b3f42f990ed42995b14e7d5ed1bd5d49d3c3b7e95f7024a4434cb3518e05240b82d508f2be2c6d4971d3ab43
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-node-linux-amd64.tar.gz) | 2200656cfe27817ec8bfc67564fba75c0afb582c75b2ce37734dff1c2757d142d45a24695c7e898b4663362f4058ca0ae8399ee485883833498cac9867caccdc
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-node-linux-arm64.tar.gz) | fe087958b7b7b7197132473508deffa90a740fffc2bf7a06c9a7c7df029394fd27a307efc6bb8003c6f95d9013f57ed577ec4a777881c44acba26a1ebc918ae5
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-node-linux-ppc64le.tar.gz) | 621a7d6f7f3fcc382922f0912a5dd3f9587ec15992c65be806a18e4b3254895d42dc78ac2b1aab10a16dee1227ca315c1b5b35c27b29946c1337d548b799ddc7
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-node-linux-s390x.tar.gz) | 16a9074fba6db7ef45b38ed5ea05ae9cd47a6388b01cfa551377de5bc1b720df3507b8bda974c1220d8a82394902192a4013754026f2d71732bb480743862c05
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.2/kubernetes-node-windows-amd64.tar.gz) | 6a893a6a4ad7f664fea7536f22bd27d4f874e7568658f5863e156c290b4afee2ef566797c6e3dae86b4d706f219b8169da5e03ef61e565b7a4ba2123a6b43c5c
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-alpha.2](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.35.0-alpha.1
+
+## Changes by Kind
+
+### Deprecation
+
+- FailCgroupV1 will be set to true from 1.35. 
+  This means that nodes will not start on a cgroup v1 in our default behavior. 
+  This is putting cgroup v1 into a deprecated state. ([#134298](https://github.com/kubernetes/kubernetes/pull/134298), [@kannon92](https://github.com/kannon92)) [SIG Node]
+- Mark ipvs mode in kube-proxy as deprecated. ipvs mode in kube-proxy is deprecated and will be removed in a future version of Kubernetes. Users are encouraged to move to nftables. ([#134539](https://github.com/kubernetes/kubernetes/pull/134539), [@adrianmoisey](https://github.com/adrianmoisey)) [SIG Network]
+
+### API Change
+
+- Kube-apiserver: fix a possible panic validating a custom resource whose CustomResourceDefinition indicates a status subresource exists, but which does not define a `status` property in the `openAPIV3Schema` ([#133721](https://github.com/kubernetes/kubernetes/pull/133721), [@fusida](https://github.com/fusida)) [SIG API Machinery, Apps, Architecture, Auth, Autoscaling, CLI, Cloud Provider, Cluster Lifecycle, Etcd, Instrumentation, Network, Node, Release, Scheduling, Storage and Testing]
+- Kubernetes API Go types removed runtime use of the github.com/gogo/protobuf library, and are no longer registered into the global gogo type registry. Kubernetes API Go types were not suitable for use with the google.golang.org/protobuf library, and no longer implement `ProtoMessage()` by default to avoid accidental incompatible use. If removal of these marker methods impacts your use, it can be re-enabled for one more release with a `kubernetes_protomessage_one_more_release` build tag, but will be removed in 1.36. ([#134256](https://github.com/kubernetes/kubernetes/pull/134256), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling and Storage]
+- Promoted HPA configurable tolerance to beta. The `HPAConfigurableTolerance` feature gate is now enabled by default. ([#133128](https://github.com/kubernetes/kubernetes/pull/133128), [@jm-franc](https://github.com/jm-franc)) [SIG API Machinery and Autoscaling]
+- The MaxUnavailableStatefulSet feature is now beta and enabled by default. ([#133153](https://github.com/kubernetes/kubernetes/pull/133153), [@helayoty](https://github.com/helayoty)) [SIG API Machinery and Apps]
+
+### Feature
+
+- Enable the feature gate `ContainerRestartRules` by default. The ContainerRestartRules feature is promoted to beta. Fixing a bug in this feature that caused probes continue to run even if the container has terminated and is not restartable. ([#134631](https://github.com/kubernetes/kubernetes/pull/134631), [@yuanwang04](https://github.com/yuanwang04)) [SIG Node]
+- Kube-apiserver: the subresources `pods/exec`, `pods/attach`, and `pods/portforward` now require `create` permission for both SPDY and Websocket API requests. Previously, SPDY requests required `create` permission, but Websocket requests only required `get` permission. This change is gated by the `AuthorizePodWebsocketUpgradeCreatePermission` feature-gate, which is enabled by default.
+  
+  Before upgrading to 1.35, ensure any custom ClusterRoles and Roles intended to grant `pods/exec`, `pods/attach`, or `pods/portforward` permission include the `create` verb. ([#134577](https://github.com/kubernetes/kubernetes/pull/134577), [@seans3](https://github.com/seans3)) [SIG API Machinery, Auth, Node and Testing]
+- Kubeadm: print the errors during retires related to the WaitForAllControlPlaneComponents functionality at verbosity level 5. ([#134433](https://github.com/kubernetes/kubernetes/pull/134433), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubernetes is now built using Go 1.25.3 ([#134611](https://github.com/kubernetes/kubernetes/pull/134611), [@cpanato](https://github.com/cpanato)) [SIG Architecture, Cloud Provider, Etcd, Release, Storage and Testing]
+- Locked the (generally available) feature gate `ExecProbeTimeout` to true. ([#134635](https://github.com/kubernetes/kubernetes/pull/134635), [@vivzbansal](https://github.com/vivzbansal)) [SIG Node and Testing]
+- Promoted the `HostnameOverride` feature gate to beta and is enabled by default. ([#134729](https://github.com/kubernetes/kubernetes/pull/134729), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Network and Node]
+
+### Documentation
+
+- Kubectl describe, get, drain and events have the ability to set chunk-size using --chunk-size flag, which is now officially stable. ([#134481](https://github.com/kubernetes/kubernetes/pull/134481), [@soltysh](https://github.com/soltysh)) [SIG CLI]
+
+### Bug or Regression
+
+- DRA API: the "tolerations" field in exact and sub requests now gets dropped properly when the DRADeviceTaints API is disabled. ([#132927](https://github.com/kubernetes/kubernetes/pull/132927), [@pohly](https://github.com/pohly))
+- DRA Device Taints: tolerating a NoExecute did not work because the scheduler did not inform the eviction controller about the toleration, so the scheduled pod got evicted almost immediately. ([#134479](https://github.com/kubernetes/kubernetes/pull/134479), [@pohly](https://github.com/pohly)) [SIG Apps, Node, Scheduling and Testing]
+- Endpoints/endpointslice controllers perform much better when there are a large number of services in a single namespace ([#134739](https://github.com/kubernetes/kubernetes/pull/134739), [@shyamjvs](https://github.com/shyamjvs)) [SIG Apps and Network]
+- Fixed a bug that prevents schedule next pod when using DRAConsumableCapacity feature. (#133705, @sunya-ch) ([#133706](https://github.com/kubernetes/kubernetes/pull/133706), [@sunya-ch](https://github.com/sunya-ch)) [SIG Node]
+- Fixed a bug where 64 bit IPv6 ServiceCIDRs allocated addresses outside the subnet range. ([#134193](https://github.com/kubernetes/kubernetes/pull/134193), [@hoskeri](https://github.com/hoskeri)) [SIG Network]
+- Fixed a startup probe race condition that caused main containers to remain stuck in "Initializing" state when sidecar containers with startup probes failed initially but succeeded on restart in pods with restartPolicy=Never. ([#133072](https://github.com/kubernetes/kubernetes/pull/133072), [@AadiDev005](https://github.com/AadiDev005)) [SIG Node and Testing]
+- Kube-apiserver: when --requestheader-client-ca-file and --client-ca-file contain overlapping certificates, --requestheader-allowed-names must be specified to ensure regular client certificates cannot set authenticating proxy headers for arbitrary users ([#131411](https://github.com/kubernetes/kubernetes/pull/131411), [@ballista01](https://github.com/ballista01)) [SIG API Machinery, Auth and Security]
+- Kube-controller-manager: Resolves potential issues handling pods with incorrect uids in their ownerReference ([#134654](https://github.com/kubernetes/kubernetes/pull/134654), [@liggitt](https://github.com/liggitt)) [SIG Apps]
+- Kubeadm: avoid panicing if the user has malformed the kubeconfig in the cluster-info config map to not include a valid current context. Include proper validation at the appropriate locations and throw errors instead. ([#134715](https://github.com/kubernetes/kubernetes/pull/134715), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubeadm: fixes a preflight check that can fail hostname construction in IPV6 setups ([#134588](https://github.com/kubernetes/kubernetes/pull/134588), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Auth, Cloud Provider, Cluster Lifecycle and Testing]
+- Legacy watch calls (RV = 0 or unset) that generate init-events weigh higher in APF seat usage now. Properly accounting for their cost protects the API server from CPU overload. Users might see increased throttling of such calls as a result. ([#134601](https://github.com/kubernetes/kubernetes/pull/134601), [@shyamjvs](https://github.com/shyamjvs)) [SIG API Machinery]
+- Prevent a segfault occurring when updating deeply nested JSON fields ([#134381](https://github.com/kubernetes/kubernetes/pull/134381), [@kon-angelo](https://github.com/kon-angelo)) [SIG API Machinery and CLI]
+- The kubelet now honors the configuration userNamespaces.idsPerPod. Before it was ignored. ([#133373](https://github.com/kubernetes/kubernetes/pull/133373), [@AkihiroSuda](https://github.com/AkihiroSuda)) [SIG Node and Testing]
+
+### Other (Cleanup or Flake)
+
+- Building Kubernetes is now implemented by running a pre-built container image directly, without running rsyncd, and is substantially simplified. ([#134510](https://github.com/kubernetes/kubernetes/pull/134510), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release and Testing]
+- CPU Manager static policy option `strict-cpu-reservation` moved to the GA version ([#134388](https://github.com/kubernetes/kubernetes/pull/134388), [@psasnal](https://github.com/psasnal)) [SIG Node]
+- Dropped support for policy/v1beta1 PodDisruptionBudget in kubectl ([#134685](https://github.com/kubernetes/kubernetes/pull/134685), [@scaliby](https://github.com/scaliby)) [SIG CLI]
+- Kubeadm: stoped applying the --pod-infra-container-image flag for the kubelet. The flag has been deprecated and no longer served a purpose in the kubelet as the logic was migrated to CRI. During upgrade, kubeadm will attempt to remove the flag from the file /var/lib/kubelet/kubeadm-flags.env. ([#133778](https://github.com/kubernetes/kubernetes/pull/133778), [@carlory](https://github.com/carlory)) [SIG Cloud Provider and Cluster Lifecycle]
+- Kubeadm: updated the supported etcd version to v3.5.23 for supported control plane versions v1.31, v1.32, and v1.33. ([#134692](https://github.com/kubernetes/kubernetes/pull/134692), [@joshjms](https://github.com/joshjms)) [SIG Cluster Lifecycle and Etcd]
+- Kubeadm: updated the supported etcd version to v3.5.24 for supported control plane versions v1.32, v1.33, and v1.34. ([#134779](https://github.com/kubernetes/kubernetes/pull/134779), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- Kubernetes is now built with go 1.25.3 ([#134598](https://github.com/kubernetes/kubernetes/pull/134598), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release]
+- Promote the Topology Manager policy option max-allowable-numa-nodes to GA ([#134614](https://github.com/kubernetes/kubernetes/pull/134614), [@ffromani](https://github.com/ffromani)) [SIG Node]
+- Rsync is no longer required to build kubernetes. ([#134656](https://github.com/kubernetes/kubernetes/pull/134656), [@BenTheElder](https://github.com/BenTheElder)) [SIG Release and Testing]
+- The storage.k8s.io/v1alpha1 VolumeAttributesClass API is no longer served in 1.35 ([#134625](https://github.com/kubernetes/kubernetes/pull/134625), [@liggitt](https://github.com/liggitt)) [SIG API Machinery, Etcd, Storage and Testing]
+
+## Dependencies
+
+### Added
+_Nothing has changed._
+
+### Changed
+_Nothing has changed._
+
+### Removed
+_Nothing has changed._
+
+
+
+# v1.35.0-alpha.1
+
+
+## Downloads for v1.35.0-alpha.1
+
+
+
+### Source Code
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes.tar.gz) | 1d6fb6a4c7f82fe04e56757b733c3fc4aac652f8c2113e79ddce83b6cbe0179404147b35ddbc18e1b60eb802acb3f6d884599fd573f3d16f0558ef7ddfb8aae2
+[kubernetes-src.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-src.tar.gz) | 364788bac4d405ac6180fe3cb7e3d847e7960fcb0532146b105270aeac2624ade2ff87370c5aa8f768eda07fd28e5e75f73afbdf9cc1b786827a0e123bdea561
+
+### Client Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-darwin-amd64.tar.gz) | 1ba40849b104851d922bce32dc9306004e9b95cfadeff9ecfb65f779892009f9a70878b8efe96159088b1ad8c700bf19e58d68416dfdff7853660e6074dd3752
+[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-darwin-arm64.tar.gz) | 0c939895ad2d53f57e9137774eed99cbfbfa5f15d4276f5f55c4ea40b922a5f37ab375a065fdd330f5a1ddf452896f2a13621075b049f382ab42a65ea1085dac
+[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-386.tar.gz) | e98a9b2d5f1c8bec552be6353b623a8f12078befd968a662a933907d0ff72b0164fa8b38e4cbd4aae6191e28aedc19d996ec99298053d7bafc458f91580a7cfa
+[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-amd64.tar.gz) | 34ab1e9edf70c84fe58a223e91b0bf679e5d1273a2b6503a18a61a4bea79231948efe098f84e39f83dbfa2c5271aad8e9819aac104d6c3360c97e5c348b15be7
+[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-arm.tar.gz) | 554f8240597e7eb8470c8e2b4bca33c06a0a91746831ef93f76b344f5c3d6226d4ef26cb59f127d1436ac091b7b79395320fe8a9b2acc512afd601989c138d4a
+[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-arm64.tar.gz) | 62c750654e898622aa87b2d81d4b0cbaf36614899f37181c2e3a6aa645d2270c4dedb7d6e7b974059a716ad144a5615407e6a9a4c03f761a512d37fdda796e50
+[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-ppc64le.tar.gz) | bbe22979c4e300675dfa955ce9855b7b33b29119a9f78e58bc1b088dba2b8dedbf0b068092d42cd98dbc10cda1da317eae6414b91587593678ec76780ff575df
+[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-linux-s390x.tar.gz) | b8360d0bf930149d360da2a95549b35cb7e14932ae8507d99e34d93729ae645bab203dfba325c74db13204e09e5ee032f887cdd67badfbf3bc8a08d71ccf9c3d
+[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-windows-386.tar.gz) | cc935a74f30dcd1eaaeadc8f2353a9742ebc4a36b133342c6402b065750f4028a1a392bd5f7ea51533c2d799ff2bdb3d0f21493e7fabacb27289e58f011bb229
+[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-windows-amd64.tar.gz) | 119742103985be0cd4296b85aa2c713cdc510b9a9412706fdf88ca1c703f69338146efc5cf37168ab56e74576ad561ce37c3f500d29b63002139d11544b1b7cf
+[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-client-windows-arm64.tar.gz) | 67f5fe6b14aa4c49acb6f706ec4a9e43b87f1e19555579895452183e0b2d2be2202f8d48622208ac5ef6e0fb9050d99bb7e1ed9e4e31e8fcac7c0b5e44787c39
+
+### Server Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-server-linux-amd64.tar.gz) | a1c935db625766b02113087068fa1087a6b74e9f57ad72cc1d5d85e830c0569b9257746013053ee8dc89404940458c3bba00064666978ddff4df9f3cae0ae066
+[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-server-linux-arm64.tar.gz) | 5f87f8f46719af413fa864b7d91d5b95fa86adf27df63cf904470b15e844ebda4c802d7ec7cb4006b4e5a3780903d0436eb57a7e2f2b79b74cf5e7e8f65496b1
+[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-server-linux-ppc64le.tar.gz) | 9f2e9476ae3b95919c991dd0438b31eeded7c7f686948ef2d6227311dabc952e74f61d3638f224eb18e63a4fe4955b55a9e358032477b989800541617a8b5f6a
+[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-server-linux-s390x.tar.gz) | 043311de9dad81d3774decc3aeeac48833d2d234a15ce4a2062fd9af778879afde5e2eb9fdec5f3641725f630e7c3bd845a348ad713b54275e77293941d4c8d0
+
+### Node Binaries
+
+filename | sha512 hash
+-------- | -----------
+[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-node-linux-amd64.tar.gz) | 865b4ee818cd53bc91001f658243e6b6fd9464f17ef8dc0cc739586689f39998e5c47630df439ad43553d6830ae3a7375cc780c3a5e49f1422d35d77194efc35
+[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-node-linux-arm64.tar.gz) | fc7df94bc328817d20c59e1ab1371634bf3849141ad982c9d403b136d009c3ed9ee3f7a20659a0f93af7179e13e2c0835b80fefc677b8840f7bcbde0dabb4483
+[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-node-linux-ppc64le.tar.gz) | 8ec718436680766d9026b56ece5bff7a6bac9f63da0edf33843a7a6c255e1a1d22aecf260c1d5fc394c1e2f581931c5ae0acad80a0141fc8d4d7730bf04566b5
+[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-node-linux-s390x.tar.gz) | fff0562e3a89b4f9444ce83bb8cfc860bcd5178a2c1ba0f1404d87556f483d48241aa3f927f2534d811b1c554958c167f1e5199fa916ebfd9a754cef2f761139
+[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.35.0-alpha.1/kubernetes-node-windows-amd64.tar.gz) | 7774299a2b581a4ab2514d8dc95c1d0dff0652aa0518efbffa9ac39f5c510cb83d8a41a70e9b4e78f0b179e5a806402310dac161ff3a2398b97755938c225586
+
+### Container Images
+
+All container images are available as manifest lists and support the described
+architectures. It is also possible to pull a specific architecture directly by
+adding the "-$ARCH" suffix  to the container image name.
+
+name | architectures
+---- | -------------
+[registry.k8s.io/conformance:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/conformance-s390x)
+[registry.k8s.io/kube-apiserver:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-apiserver-s390x)
+[registry.k8s.io/kube-controller-manager:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-controller-manager-s390x)
+[registry.k8s.io/kube-proxy:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-proxy-s390x)
+[registry.k8s.io/kube-scheduler:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kube-scheduler-s390x)
+[registry.k8s.io/kubectl:v1.35.0-alpha.1](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl) | [amd64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-amd64), [arm64](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-arm64), [ppc64le](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-ppc64le), [s390x](https://console.cloud.google.com/artifacts/docker/k8s-artifacts-prod/southamerica-east1/images/kubectl-s390x)
+
+## Changelog since v1.34.0
+
+## Changes by Kind
+
+### API Change
+
+- Added WithOrigin within apis/core/validation with adjusted tests ([#132825](https://github.com/kubernetes/kubernetes/pull/132825), [@PatrickLaabs](https://github.com/PatrickLaabs)) [SIG Apps]
+- Component-base: validate that log-flush-frequency is positive and return an error instead of panic-ing ([#133540](https://github.com/kubernetes/kubernetes/pull/133540), [@BenTheElder](https://github.com/BenTheElder)) [SIG Architecture, Instrumentation, Network and Node]
+- Feature gate dependencies are now explicit, and validated at startup. A feature can no longer be enabled if it depends on a disabled feature. In particular, this means that `AllAlpha=true` will no longer work without enabling disabled-by-default beta features that are depended on (either with `AllBeta=true` or explicitly enumerating the disabled dependencies). ([#133697](https://github.com/kubernetes/kubernetes/pull/133697), [@tallclair](https://github.com/tallclair)) [SIG API Machinery, Architecture, Cluster Lifecycle and Node]
+- In version 1.34, the PodObservedGenerationTracking feature has been upgraded to beta, and the description of the alpha version in the openapi has been removed. ([#133883](https://github.com/kubernetes/kubernetes/pull/133883), [@yangjunmyfm192085](https://github.com/yangjunmyfm192085)) [SIG Apps]
+- Introduce a new declarative validation tag +k8s:customUnique to control listmap uniqueness ([#134279](https://github.com/kubernetes/kubernetes/pull/134279), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery and Auth]
+- Kube-apiserver: Fixed a 1.34 regression in CustomResourceDefinition handling that incorrectly warned about unrecognized formats on number and integer properties ([#133896](https://github.com/kubernetes/kubernetes/pull/133896), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Contributor Experience, Network, Node and Scheduling]
+- OpenAPI model packages of API types are generated into `zz_generated.model_name.go` files and are accessible using the `OpenAPIModelName()` function.  This allows API authors to declare the desired OpenAPI model packages instead of using the go package path of API types. ([#131755](https://github.com/kubernetes/kubernetes/pull/131755), [@jpbetz](https://github.com/jpbetz)) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- Support for `kubectl get -o kyaml` is now on by default.  To disable it, set `KUBECTL_KYAML=false`. ([#133327](https://github.com/kubernetes/kubernetes/pull/133327), [@thockin](https://github.com/thockin)) [SIG CLI]
+- The storage version for MutatingAdmissionPolicy is updated to v1beta1. ([#133715](https://github.com/kubernetes/kubernetes/pull/133715), [@cici37](https://github.com/cici37)) [SIG API Machinery, Etcd and Testing]
+
+### Feature
+
+- Add paths section to kubelet statusz endpoint ([#133239](https://github.com/kubernetes/kubernetes/pull/133239), [@Peac36](https://github.com/Peac36)) [SIG Node]
+- Add paths section to scheduler statusz endpoint ([#132606](https://github.com/kubernetes/kubernetes/pull/132606), [@Peac36](https://github.com/Peac36)) [SIG API Machinery, Architecture, Instrumentation, Network, Node, Scheduling and Testing]
+- Added kubectl config set-context -n flag as a shorthand for --namespace ([#134384](https://github.com/kubernetes/kubernetes/pull/134384), [@tchap](https://github.com/tchap)) [SIG CLI and Testing]
+- Added remote runtime and image `Close()` method to be able to close the connection. ([#133211](https://github.com/kubernetes/kubernetes/pull/133211), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node]
+- Adds metric for Maxunavailable feature ([#130951](https://github.com/kubernetes/kubernetes/pull/130951), [@Edwinhr716](https://github.com/Edwinhr716)) [SIG Apps and Instrumentation]
+- Applyconfiguration-gen now generates extract functions for all subresources ([#132665](https://github.com/kubernetes/kubernetes/pull/132665), [@mrIncompetent](https://github.com/mrIncompetent)) [SIG API Machinery]
+- Applyconfiguration-gen now preserves struct and field comments from source types in generated code ([#132663](https://github.com/kubernetes/kubernetes/pull/132663), [@mrIncompetent](https://github.com/mrIncompetent)) [SIG API Machinery]
+- DRA: the resource.k8s.io API now uses the v1 API version (introduced in 1.34) as default storage version. Downgrading to 1.33 is not supported. ([#133876](https://github.com/kubernetes/kubernetes/pull/133876), [@kei01234kei](https://github.com/kei01234kei)) [SIG API Machinery, Etcd and Testing]
+- Events:
+    Type     Reason   Age                 From               Message
+    ----     ------   ----                ----               -------
+    Warning  Failed   7m11s (x2 over 7m33s) kubelet          spec.containers{nginx}: Failed to pull image "nginx": failed to pull and unpack image... ([#133627](https://github.com/kubernetes/kubernetes/pull/133627), [@itzPranshul](https://github.com/itzPranshul)) [SIG CLI]
+- Introduces e2e tests that check component invariant metrics across the entire suite run. ([#133394](https://github.com/kubernetes/kubernetes/pull/133394), [@BenTheElder](https://github.com/BenTheElder)) [SIG Testing]
+- K8s.io/apimachinery: Introduce a helper function to compare resourceVersion strings from two objects of the same resource ([#134330](https://github.com/kubernetes/kubernetes/pull/134330), [@michaelasp](https://github.com/michaelasp)) [SIG API Machinery, Apps, Auth, Instrumentation, Network, Node, Scheduling, Storage and Testing]
+- Kubeadm: graduate the kubeadm specific feature gate ControlPlaneKubeletLocalMode to GA and lock it to enabled by default. To opt-out manually from this desired default behavior you must patch the "server" field in the  /etc/kubernetes/kubelet.conf file. The subphase of "kubeadm join phase control-plane-join" called "etcd" is now deprecated, hidden and replaced by the subphase with identical functionality "etcd-join". "etcd" will be removed in a follow-up release. The subphase "kubelet-wait-bootstrap" of "kubeadm join" is no longer experimental and will always run. ([#134106](https://github.com/kubernetes/kubernetes/pull/134106), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubernetes is now built using Go 1.25.1 ([#134095](https://github.com/kubernetes/kubernetes/pull/134095), [@dims](https://github.com/dims)) [SIG Release and Testing]
+- Kubernetes now uses Go Language Version 1.25, including https://go.dev/blog/container-aware-gomaxprocs ([#134120](https://github.com/kubernetes/kubernetes/pull/134120), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scheduling and Storage]
+- Lock down the `AllowOverwriteTerminationGracePeriodSeconds` feature gate. ([#133792](https://github.com/kubernetes/kubernetes/pull/133792), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node]
+- Metrics: exclude dryRun requests from apiserver_request_sli_duration_seconds ([#131092](https://github.com/kubernetes/kubernetes/pull/131092), [@aldudko](https://github.com/aldudko)) [SIG API Machinery and Instrumentation]
+- The validation in the resouce.k8s.io has been migrated to declarative validation.
+  If the `DeclarativeValidation` feature gate is enabled, mismatches with existing validation are reported via metrics.
+  If the `DeclarativeValidationTakeover` feature gate is enabled, declarative validation is the primary source of errors for migrated fields. ([#134072](https://github.com/kubernetes/kubernetes/pull/134072), [@yongruilin](https://github.com/yongruilin)) [SIG API Machinery, Apps and Auth]
+
+### Bug or Regression
+
+- Added the correct error when eviction is blocked due to the failSafe mechanism of the DisruptionController. ([#133097](https://github.com/kubernetes/kubernetes/pull/133097), [@kei01234kei](https://github.com/kei01234kei)) [SIG Apps and Node]
+- Bugfix: the default serviceCIDR controller was not logging events because the event broadcaster was shutdown during its initialization. ([#133338](https://github.com/kubernetes/kubernetes/pull/133338), [@aojea](https://github.com/aojea)) [SIG Network]
+- Deprecated metrics will be hidden as per the metrics deprecation policy https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-a-metric ([#133436](https://github.com/kubernetes/kubernetes/pull/133436), [@richabanker](https://github.com/richabanker)) [SIG Architecture, Instrumentation and Network]
+- Fix incorrect behavior of preemptor pod when preemption of the victim takes long to complete. The preemptor pod should not be circling in scheduling cycles until preemption is finished. ([#134294](https://github.com/kubernetes/kubernetes/pull/134294), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Scheduling and Testing]
+- Fix missing kubelet_volume_stats_* metrics ([#133890](https://github.com/kubernetes/kubernetes/pull/133890), [@huww98](https://github.com/huww98)) [SIG Instrumentation and Node]
+- Fix occasional schedule delay when the static PV is created ([#133929](https://github.com/kubernetes/kubernetes/pull/133929), [@huww98](https://github.com/huww98)) [SIG Scheduling and Storage]
+- Fix resource claims deallocation for extended resource when pod is completed ([#134312](https://github.com/kubernetes/kubernetes/pull/134312), [@alaypatel07](https://github.com/alaypatel07)) [SIG Apps, Node and Testing]
+- Fixed SELinux warning controller not emitting events on some SELinux label conflicts. ([#133425](https://github.com/kubernetes/kubernetes/pull/133425), [@jsafrane](https://github.com/jsafrane)) [SIG Apps, Storage and Testing]
+- Fixed a bug in kube-proxy nftables mode (GA as of 1.33) that fails to determine if traffic originates from a local source on the node. The issue was caused by using the wrong meta `iif` instead of `iifname` for name based matches. ([#134024](https://github.com/kubernetes/kubernetes/pull/134024), [@jack4it](https://github.com/jack4it)) [SIG Network]
+- Fixed a bug in kube-scheduler where pending pod preemption caused preemptor pods to be retried more frequently. ([#134245](https://github.com/kubernetes/kubernetes/pull/134245), [@macsko](https://github.com/macsko)) [SIG Scheduling and Testing]
+- Fixed a bug that caused apiservers to send an inappropriate Content-Type request header to authorization, token authentication, imagepolicy admission, and audit webhooks when the alpha client-go feature gate "ClientsPreferCBOR" is enabled. ([#132960](https://github.com/kubernetes/kubernetes/pull/132960), [@benluddy](https://github.com/benluddy)) [SIG API Machinery and Node]
+- Fixed a bug that caused duplicate validation when updating PersistentVolumeClaims, VolumeAttachments and VolumeAttributesClasses. ([#132549](https://github.com/kubernetes/kubernetes/pull/132549), [@gavinkflam](https://github.com/gavinkflam)) [SIG Storage]
+- Fixed a bug that caused duplicate validation when updating role and role binding resources. ([#132550](https://github.com/kubernetes/kubernetes/pull/132550), [@gavinkflam](https://github.com/gavinkflam)) [SIG Auth]
+- Fixed a bug where high latency kube-apiserver caused scheduling throughput degradation. ([#134154](https://github.com/kubernetes/kubernetes/pull/134154), [@macsko](https://github.com/macsko)) [SIG Scheduling]
+- Fixed broken shell completion for api resources. ([#133771](https://github.com/kubernetes/kubernetes/pull/133771), [@marckhouzam](https://github.com/marckhouzam)) [SIG CLI]
+- Fixed validation error when ConfigFlags has CertFile and (or) KeyFile and original config also contains CertFileData and (or) KeyFileData. ([#133917](https://github.com/kubernetes/kubernetes/pull/133917), [@n2h9](https://github.com/n2h9)) [SIG API Machinery and CLI]
+- Fixes a possible data race during metrics registration ([#134390](https://github.com/kubernetes/kubernetes/pull/134390), [@liggitt](https://github.com/liggitt)) [SIG Architecture and Instrumentation]
+- Implicit extended resource name derived from device class (deviceclass.resource.kubernetes.io/<device-class-name>) can be used to request DRA devices matching the device class. ([#133363](https://github.com/kubernetes/kubernetes/pull/133363), [@yliaog](https://github.com/yliaog)) [SIG Node, Scheduling and Testing]
+- Kube-apiserver: Fixes a 1.34 regression with spurious "Error getting keys" log messages ([#133817](https://github.com/kubernetes/kubernetes/pull/133817), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
+- Kube-apiserver: Fixes a possible 1.34 performance regression calculating object size statistics for resources not served from the watch cache, typically only Events ([#133873](https://github.com/kubernetes/kubernetes/pull/133873), [@serathius](https://github.com/serathius)) [SIG API Machinery and Etcd]
+- Kube-apiserver: improve the validation error message shown for custom resources with CEL validation rules to include the value that failed validation ([#132798](https://github.com/kubernetes/kubernetes/pull/132798), [@cbandy](https://github.com/cbandy)) [SIG API Machinery]
+- Kube-controller-manager: Fixes a possible data race in the garbage collection controller ([#134379](https://github.com/kubernetes/kubernetes/pull/134379), [@liggitt](https://github.com/liggitt)) [SIG API Machinery and Apps]
+- Kubeadm: ensured waiting for apiserver uses a local client that doesn't reach to the control plane endpoint and instead reaches directly to the local API server endpoint. ([#134265](https://github.com/kubernetes/kubernetes/pull/134265), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubeadm: fix KUBEADM_UPGRADE_DRYRUN_DIR not honored in upgrade phase when writing kubelet config files ([#134007](https://github.com/kubernetes/kubernetes/pull/134007), [@carlory](https://github.com/carlory)) [SIG Cluster Lifecycle]
+- Kubeadm: fixed a bug where the node registration information for a given node was not fetched correctly during "kubeadm upgrade node" and the node name can end up being incorrect in cases where the node name is not the same as the host name. ([#134319](https://github.com/kubernetes/kubernetes/pull/134319), [@neolit123](https://github.com/neolit123)) [SIG Cluster Lifecycle]
+- Kubeadm: fixed bug where v1beta3's ClusterConfiguration.APIServer.TimeoutForControlPlane is not respected in newer versions of kubeadm where v1beta4 is the default. ([#133513](https://github.com/kubernetes/kubernetes/pull/133513), [@tom1299](https://github.com/tom1299)) [SIG Cluster Lifecycle]
+- Kubelet: the connection to a DRA driver became unusable because of an internal deadlock when a connection was idle for 30 minutes. ([#133926](https://github.com/kubernetes/kubernetes/pull/133926), [@pohly](https://github.com/pohly)) [SIG Node]
+- Pod can have multiple volumes reference the same PVC ([#122140](https://github.com/kubernetes/kubernetes/pull/122140), [@huww98](https://github.com/huww98)) [SIG Node, Storage and Testing]
+- Previously, `kubectl scale` returned the error message `error: no objects passed to scale <GroupResource> "<ResourceName>" not found` when the specified resource did not exist. 
+  For consistency with other commands(e.g. `kubectl get`), it has been changed to just return `Error from server (NotFound): <GroupResource> "<ResourceName>" not found`. ([#134017](https://github.com/kubernetes/kubernetes/pull/134017), [@mochizuki875](https://github.com/mochizuki875)) [SIG CLI]
+- Promote VAC API test to conformance ([#133615](https://github.com/kubernetes/kubernetes/pull/133615), [@carlory](https://github.com/carlory)) [SIG Architecture, Storage and Testing]
+- Remove incorrectly printed warning for SessionAffinity whenever a headless service is creater or updated ([#134054](https://github.com/kubernetes/kubernetes/pull/134054), [@Peac36](https://github.com/Peac36)) [SIG Network]
+- The SchedulerAsyncAPICalls feature gate has been disabled to mitigate a bug where its interaction with asynchronous preemption in could degrade kube-scheduler performance, particularly under high kube-apiserver load. ([#134400](https://github.com/kubernetes/kubernetes/pull/134400), [@macsko](https://github.com/macsko)) [SIG Scheduling]
+- When image garbage collection is unable to free enough disk space, the FreeDiskSpaceFailed warning event is now more actionable. Example: `Insufficient free disk space on the node's image filesystem (95.0% of 10.0 GiB used). Failed to free sufficient space by deleting unused images. Consider resizing the disk or deleting unused files.` ([#132578](https://github.com/kubernetes/kubernetes/pull/132578), [@drigz](https://github.com/drigz)) [SIG Node]
+
+### Other (Cleanup or Flake)
+
+- Bump addon manager to use kubectl v1.32.2 ([#130548](https://github.com/kubernetes/kubernetes/pull/130548), [@Jefftree](https://github.com/Jefftree)) [SIG Cloud Provider, Scalability and Testing]
+- Dropping the experimental prefix from kubectl wait command's short description, since kubectl wait command has been stable for a long time. ([#133907](https://github.com/kubernetes/kubernetes/pull/133907), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
+- Fix formatting of assorted go API deprecations for godoc / pkgsite and enable a linter to help catch mis-formatted deprecations ([#133571](https://github.com/kubernetes/kubernetes/pull/133571), [@BenTheElder](https://github.com/BenTheElder)) [SIG API Machinery, Architecture, CLI, Instrumentation and Testing]
+- Improved HPA performance when using container-specific resource metrics by optimizing container lookup logic to exit early once the target container is found, reducing unnecessary iterations through all containers in a pod. ([#133415](https://github.com/kubernetes/kubernetes/pull/133415), [@AadiDev005](https://github.com/AadiDev005)) [SIG Apps and Autoscaling]
+- Kube-apiserver: Fixes an issue where passing invalid DeleteOptions incorrectly returned status 500 rather than 400. ([#133358](https://github.com/kubernetes/kubernetes/pull/133358), [@ostrain](https://github.com/ostrain)) [SIG API Machinery]
+- Kubeadm: removed the `RootlessControlPlane` feature gate. User Namespaces will serve as its replacement. ([#134178](https://github.com/kubernetes/kubernetes/pull/134178), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Cluster Lifecycle]
+- Remove container name from messages for container created and started events. ([#134043](https://github.com/kubernetes/kubernetes/pull/134043), [@HirazawaUi](https://github.com/HirazawaUi)) [SIG Node]
+- Removed deprecated gogo protocol definitions from `k8s.io/kubelet/pkg/apis/dra` in favor of `google.golang.org/protobuf`. ([#133026](https://github.com/kubernetes/kubernetes/pull/133026), [@saschagrunert](https://github.com/saschagrunert)) [SIG API Machinery and Node]
+- Removed general available feature-gate SizeMemoryBackedVolumes ([#133720](https://github.com/kubernetes/kubernetes/pull/133720), [@carlory](https://github.com/carlory)) [SIG Node, Storage and Testing]
+- Removed the `ComponentSLIs` feature gate, which had been promoted to stable as part of the Kubernetes 1.32 release. ([#133742](https://github.com/kubernetes/kubernetes/pull/133742), [@carlory](https://github.com/carlory)) [SIG Architecture and Instrumentation]
+- Removing Experimental prefix from the description of kubectl wait to emphasize that it is stable. ([#133731](https://github.com/kubernetes/kubernetes/pull/133731), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
+- Removing the KUBECTL_OPENAPIV3_PATCH environment variable entirely, since aggregated discovery has been stable from 1.30. ([#134130](https://github.com/kubernetes/kubernetes/pull/134130), [@ardaguclu](https://github.com/ardaguclu)) [SIG CLI]
+- Specifies the deprecated version of apiserver_storage_objects metric in metrics docs ([#134028](https://github.com/kubernetes/kubernetes/pull/134028), [@richabanker](https://github.com/richabanker)) [SIG API Machinery, Etcd and Instrumentation]
+- Tests: switch to https://go.dev/doc/go1.25#container-aware-gomaxprocs from go.uber.org/automaxprocs ([#133492](https://github.com/kubernetes/kubernetes/pull/133492), [@BenTheElder](https://github.com/BenTheElder)) [SIG Testing]
+- The `/statusz` page for `kube-proxy` now includes a list of exposed endpoints, making it easier to debug and introspect. ([#133190](https://github.com/kubernetes/kubernetes/pull/133190), [@aman4433](https://github.com/aman4433)) [SIG Network and Node]
+- Types in k/k/pkg/scheduler/framework:
+  Handle,
+  Plugin,
+  PreEnqueuePlugin, QueueSortPlugin, EnqueueExtensions, PreFilterExtensions, PreFilterPlugin, FilterPlugin, PostFilterPlugin, PreScorePlugin, ScorePlugin, ReservePlugin, PreBindPlugin, PostBindPlugin, PermitPlugin, BindPlugin,
+  PodActivator, PodNominator, PluginsRunner,
+  LessFunc, ScoreExtensions, NodeToStatusReader, NodeScoreList, NodeScore, NodePluginScores, PluginScore, NominatingMode, NominatingInfo, WaitingPod, PreFilterResult, PostFilterResult,
+  Extender,
+  NodeInfoLister, StorageInfoLister, SharedLister, ResourceSliceLister, DeviceClassLister, ResourceClaimTracker, SharedDRAManager
+  
+  are moved to package k8s.io/kube-scheduler/framework . Users should update import paths. The interfaces don't change.
+  
+  Type Parallelizer in k/k/pkg/scheduler/framework/parallelism is split into interface Parallelizer (in k8s.io/kube-scheduler/framework) and struct Parallelizer (location unchanged in k/k). Plugin developers should update the import path to staging repo. ([#133172](https://github.com/kubernetes/kubernetes/pull/133172), [@ania-borowiec](https://github.com/ania-borowiec)) [SIG Node, Release, Scheduling, Storage and Testing]
+- Updated CNI plugins to v1.8.0. ([#133837](https://github.com/kubernetes/kubernetes/pull/133837), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider, Node and Testing]
+- Updated cri-tools to v1.34.0. ([#133636](https://github.com/kubernetes/kubernetes/pull/133636), [@saschagrunert](https://github.com/saschagrunert)) [SIG Cloud Provider]
+- Updated etcd to v3.6.5. ([#134251](https://github.com/kubernetes/kubernetes/pull/134251), [@joshjms](https://github.com/joshjms)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle, Etcd and Testing]
+- Upgrade CoreDNS to v1.12.3 ([#132288](https://github.com/kubernetes/kubernetes/pull/132288), [@thevilledev](https://github.com/thevilledev)) [SIG Cloud Provider and Cluster Lifecycle]
+- `kubectl auth reconcile` now re-attempts reconciliation if it encounters a conflict error ([#133323](https://github.com/kubernetes/kubernetes/pull/133323), [@liggitt](https://github.com/liggitt)) [SIG Auth and CLI]
+- `kubectl get` and `kubectl describe` human-readable output no longer includes counts for referenced tokens and secrets ([#117160](https://github.com/kubernetes/kubernetes/pull/117160), [@liggitt](https://github.com/liggitt)) [SIG CLI and Testing]
+
+## Dependencies
+
+### Added
+- github.com/moby/sys/atomicwriter: [v0.1.0](https://github.com/moby/sys/tree/atomicwriter/v0.1.0)
+- golang.org/x/tools/go/expect: v0.1.1-deprecated
+- golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
+
+### Changed
+- cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
+- github.com/aws/aws-sdk-go-v2/config: [v1.27.24 → v1.29.14](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.24...config/v1.29.14)
+- github.com/aws/aws-sdk-go-v2/credentials: [v1.17.24 → v1.17.67](https://github.com/aws/aws-sdk-go-v2/compare/credentials/v1.17.24...credentials/v1.17.67)
+- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: [v1.16.9 → v1.16.30](https://github.com/aws/aws-sdk-go-v2/compare/feature/ec2/imds/v1.16.9...feature/ec2/imds/v1.16.30)
+- github.com/aws/aws-sdk-go-v2/internal/configsources: [v1.3.13 → v1.3.34](https://github.com/aws/aws-sdk-go-v2/compare/internal/configsources/v1.3.13...internal/configsources/v1.3.34)
+- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: [v2.6.13 → v2.6.34](https://github.com/aws/aws-sdk-go-v2/compare/internal/endpoints/v2/v2.6.13...internal/endpoints/v2/v2.6.34)
+- github.com/aws/aws-sdk-go-v2/internal/ini: [v1.8.0 → v1.8.3](https://github.com/aws/aws-sdk-go-v2/compare/internal/ini/v1.8.0...internal/ini/v1.8.3)
+- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: [v1.11.3 → v1.12.3](https://github.com/aws/aws-sdk-go-v2/compare/service/internal/accept-encoding/v1.11.3...service/internal/accept-encoding/v1.12.3)
+- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: [v1.11.15 → v1.12.15](https://github.com/aws/aws-sdk-go-v2/compare/service/internal/presigned-url/v1.11.15...service/internal/presigned-url/v1.12.15)
+- github.com/aws/aws-sdk-go-v2/service/sso: [v1.22.1 → v1.25.3](https://github.com/aws/aws-sdk-go-v2/compare/service/sso/v1.22.1...service/sso/v1.25.3)
+- github.com/aws/aws-sdk-go-v2/service/ssooidc: [v1.26.2 → v1.30.1](https://github.com/aws/aws-sdk-go-v2/compare/service/ssooidc/v1.26.2...service/ssooidc/v1.30.1)
+- github.com/aws/aws-sdk-go-v2/service/sts: [v1.30.1 → v1.33.19](https://github.com/aws/aws-sdk-go-v2/compare/service/sts/v1.30.1...service/sts/v1.33.19)
+- github.com/aws/aws-sdk-go-v2: [v1.30.1 → v1.36.3](https://github.com/aws/aws-sdk-go-v2/compare/v1.30.1...v1.36.3)
+- github.com/aws/smithy-go: [v1.20.3 → v1.22.3](https://github.com/aws/smithy-go/compare/v1.20.3...v1.22.3)
+- github.com/containerd/containerd/api: [v1.8.0 → v1.9.0](https://github.com/containerd/containerd/compare/api/v1.8.0...api/v1.9.0)
+- github.com/containerd/ttrpc: [v1.2.6 → v1.2.7](https://github.com/containerd/ttrpc/compare/v1.2.6...v1.2.7)
+- github.com/containerd/typeurl/v2: [v2.2.2 → v2.2.3](https://github.com/containerd/typeurl/compare/v2.2.2...v2.2.3)
+- github.com/coredns/corefile-migration: [v1.0.26 → v1.0.27](https://github.com/coredns/corefile-migration/compare/v1.0.26...v1.0.27)
+- github.com/docker/docker: [v26.1.4+incompatible → v28.2.2+incompatible](https://github.com/docker/docker/compare/v26.1.4...v28.2.2)
+- github.com/go-logr/logr: [v1.4.2 → v1.4.3](https://github.com/go-logr/logr/compare/v1.4.2...v1.4.3)
+- github.com/google/cadvisor: [v0.52.1 → v0.53.0](https://github.com/google/cadvisor/compare/v0.52.1...v0.53.0)
+- github.com/opencontainers/cgroups: [v0.0.1 → v0.0.3](https://github.com/opencontainers/cgroups/compare/v0.0.1...v0.0.3)
+- github.com/opencontainers/runc: [v1.2.5 → v1.3.0](https://github.com/opencontainers/runc/compare/v1.2.5...v1.3.0)
+- github.com/opencontainers/runtime-spec: [v1.2.0 → v1.2.1](https://github.com/opencontainers/runtime-spec/compare/v1.2.0...v1.2.1)
+- github.com/prometheus/client_golang: [v1.22.0 → v1.23.2](https://github.com/prometheus/client_golang/compare/v1.22.0...v1.23.2)
+- github.com/prometheus/client_model: [v0.6.1 → v0.6.2](https://github.com/prometheus/client_model/compare/v0.6.1...v0.6.2)
+- github.com/prometheus/common: [v0.62.0 → v0.66.1](https://github.com/prometheus/common/compare/v0.62.0...v0.66.1)
+- github.com/prometheus/procfs: [v0.15.1 → v0.16.1](https://github.com/prometheus/procfs/compare/v0.15.1...v0.16.1)
+- github.com/spf13/cobra: [v1.9.1 → v1.10.0](https://github.com/spf13/cobra/compare/v1.9.1...v1.10.0)
+- github.com/spf13/pflag: [v1.0.6 → v1.0.9](https://github.com/spf13/pflag/compare/v1.0.6...v1.0.9)
+- github.com/stretchr/testify: [v1.10.0 → v1.11.1](https://github.com/stretchr/testify/compare/v1.10.0...v1.11.1)
+- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
+- go.opentelemetry.io/otel/metric: v1.35.0 → v1.36.0
+- go.opentelemetry.io/otel/sdk/metric: v1.34.0 → v1.36.0
+- go.opentelemetry.io/otel/sdk: v1.34.0 → v1.36.0
+- go.opentelemetry.io/otel/trace: v1.35.0 → v1.36.0
+- go.opentelemetry.io/otel: v1.35.0 → v1.36.0
+- golang.org/x/crypto: v0.36.0 → v0.41.0
+- golang.org/x/mod: v0.21.0 → v0.27.0
+- golang.org/x/net: v0.38.0 → v0.43.0
+- golang.org/x/oauth2: v0.27.0 → v0.30.0
+- golang.org/x/sync: v0.12.0 → v0.16.0
+- golang.org/x/sys: v0.31.0 → v0.35.0
+- golang.org/x/telemetry: bda5523 → 1a19826
+- golang.org/x/term: v0.30.0 → v0.34.0
+- golang.org/x/text: v0.23.0 → v0.28.0
+- golang.org/x/tools: v0.26.0 → v0.36.0
+- google.golang.org/genproto/googleapis/rpc: a0af3ef → 200df99
+- google.golang.org/grpc: v1.72.1 → v1.72.2
+- google.golang.org/protobuf: v1.36.5 → v1.36.8
+- gopkg.in/evanphx/json-patch.v4: v4.12.0 → v4.13.0
+- k8s.io/gengo/v2: 85fd79d → ec3ebc5
+- k8s.io/kube-openapi: f3f2b99 → 589584f
+- k8s.io/system-validators: v1.10.1 → v1.11.1
+- sigs.k8s.io/json: cfa47c3 → 2d32026
+
+### Removed
+- gopkg.in/yaml.v2: v2.4.0
\ No newline at end of file
diff --git a/CHANGELOG/README.md b/CHANGELOG/README.md
index b4a7e01f97a69..c587a652174a0 100644
--- a/CHANGELOG/README.md
+++ b/CHANGELOG/README.md
@@ -1,5 +1,6 @@
 # CHANGELOGs
 
+- [CHANGELOG-1.35.md](./CHANGELOG-1.35.md)
 - [CHANGELOG-1.34.md](./CHANGELOG-1.34.md)
 - [CHANGELOG-1.33.md](./CHANGELOG-1.33.md)
 - [CHANGELOG-1.32.md](./CHANGELOG-1.32.md)
diff --git a/LICENSES/vendor/cyphar.com/go-pathrs/LICENSE b/LICENSES/vendor/cyphar.com/go-pathrs/LICENSE
new file mode 100644
index 0000000000000..d0fe550bcdf4e
--- /dev/null
+++ b/LICENSES/vendor/cyphar.com/go-pathrs/LICENSE
@@ -0,0 +1,377 @@
+= vendor/cyphar.com/go-pathrs licensed under: =
+
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
+
+= vendor/cyphar.com/go-pathrs/COPYING f75d2927d3c1ed2414ef72048f5ad640
diff --git a/LICENSES/vendor/github.com/Masterminds/semver/v3/LICENSE b/LICENSES/vendor/github.com/Masterminds/semver/v3/LICENSE
new file mode 100644
index 0000000000000..6c8aec15ac15c
--- /dev/null
+++ b/LICENSES/vendor/github.com/Masterminds/semver/v3/LICENSE
@@ -0,0 +1,23 @@
+= vendor/github.com/Masterminds/semver/v3 licensed under: =
+
+Copyright (C) 2014-2019, Matt Butcher and Matt Farina
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+= vendor/github.com/Masterminds/semver/v3/LICENSE.txt 4c1ffeeb02e3f8f4af042205e189b3f7
diff --git a/LICENSES/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/LICENSES/vendor/github.com/cyphar/filepath-securejoin/LICENSE
index 192e9c6239076..ebcf32a6f5680 100644
--- a/LICENSES/vendor/github.com/cyphar/filepath-securejoin/LICENSE
+++ b/LICENSES/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -29,4 +29,4 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-= vendor/github.com/cyphar/filepath-securejoin/LICENSE 7e05df0b39896d74600ef94ab46dce89
+= vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD 7e05df0b39896d74600ef94ab46dce89
diff --git a/LICENSES/vendor/github.com/opencontainers/runc/LICENSE b/LICENSES/vendor/github.com/opencontainers/runc/LICENSE
deleted file mode 100644
index dac7dbf7e97cd..0000000000000
--- a/LICENSES/vendor/github.com/opencontainers/runc/LICENSE
+++ /dev/null
@@ -1,195 +0,0 @@
-= vendor/github.com/opencontainers/runc licensed under: =
-
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2014 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-
-= vendor/github.com/opencontainers/runc/LICENSE 435b266b3899aa8a959f17d41c56def8
diff --git a/OWNERS b/OWNERS
index 905df925d42d2..00ca8b940ed3f 100644
--- a/OWNERS
+++ b/OWNERS
@@ -18,9 +18,9 @@ filters:
       - smarterclayton
       - thockin
       - wojtek-t
-  # go.{mod,sum} files relate to go dependencies, and should be reviewed by the
-  # dep-approvers
-  "go\\.(mod|sum)$":
+  # go.{mod,sum,work,work.sum} files relate to go dependencies,
+  # and should be reviewed by the dep-approvers
+  "go\\.(mod|sum|work|work\\.sum)$":
     approvers:
       - dep-approvers
     reviewers:
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index d3166c3fadbc4..b4832c3fcb67f 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -1,4 +1,12 @@
 aliases:
+  sig-api-machinery-approvers:
+    - deads2k
+    - jpbetz
+    - sttts
+  sig-api-machinery-reviewers:
+    - deads2k
+    - jpbetz
+    - sttts
   # Note: sig-architecture-approvers has approval on root files (including go.mod/go.sum) until https://github.com/kubernetes/test-infra/pull/21398 is resolved.
   # People with approve rights via this alias should defer dependency update PRs to dep-approvers.
   sig-architecture-approvers:
@@ -179,6 +187,7 @@ aliases:
     - dom4ha
     - macsko
     - sanposhiho
+    - utam0k
     - kerthcet
   # emeritus:
   # - adtac
@@ -249,6 +258,7 @@ aliases:
     - dims
     - endocrimes
     - feiskyer
+    - HirazawaUi
     - mtaufen
     - sjenning
     - wzshiming
@@ -269,6 +279,7 @@ aliases:
     - kannon92
     - ffromani
     - tallclair
+    - natasha41575
   sig-network-approvers:
     - aojea
     - bowei
@@ -310,10 +321,14 @@ aliases:
   # - tnozicka
 
   sig-autoscaling-maintainers:
+    - adrianmoisey
     - gjtempleton
     - jackfrancis
-    - raywainman
     - towca
+  # emeritus
+  # - maciekpytel
+  # - mwielgus
+  # - raywainman
   sig-instrumentation-approvers:
     - logicalhan
     - dashpole
@@ -460,11 +475,22 @@ aliases:
     - MadhavJivrajani
     - mfahlandt
     - Priyankasaggu11929
+  # See https://github.com/kubernetes/org/blob/main/OWNERS_ALIASES
+  # for the authoritative list of SIG Docs leads, or look for
+  # https://github.com/kubernetes/website/blob/main/OWNERS_ALIASES
+  # for the list that this was derived from. SIG Docs' leads can
+  # confirm modifications here.
   sig-docs-approvers:
-    - jimangel
-    - kbhawkey
-    - onlydole
-    - sftim
+    - dipesh-rawat
+    - divya-mohan0209
+    - katcosgrove
+    - lmktfy
+    - natalisucks
+    - nate-double-u
+    - reylejano
+    - salaxander
+    - SayakMukhopadhyay
+    - tengqm
   sig-node-api-reviewers:
     - dchen1107
     - derekwaynecarr
@@ -512,8 +538,8 @@ aliases:
   dep-reviewers:
     - logicalhan
   feature-approvers:
+    - adrianmoisey # Autoscaling
     - andrewsykim # Cloud Provider
-    - ahg-g # Scheduling
     - ardaguclu # CLI
     - aojea # Network, Testing
     - danwinship # Network
@@ -523,9 +549,11 @@ aliases:
     - derekwaynecarr # Node
     - dgrisonnet # Instrumentation
     - dims # Architecture
+    - dom4ha # Scheduling
     - eddiezane # CLI
     - enj # Auth
     - gjtempleton # Autoscaling
+    - jackfrancis # Autoscaling
     - janetkuo # Apps
     - jayunit100 # Windows
     - jpbetz # API Machinery
@@ -536,7 +564,7 @@ aliases:
     - liggitt # Auth
     - logicalhan # Instrumentation
     - luxas # Cluster Lifecycle
-    - maciekpytel # Autoscaling
+    - macsko # Scheduling
     - marosset # Windows
     - mikezappa87 # Network
     - mrunalp # Node
@@ -544,12 +572,14 @@ aliases:
     - rexagod # Instrumentation
     - richabanker # Instrumentation
     - saad-ali # Storage
+    - sanposhiho # Scheduling
     - sergeykanzhelev # Node
     - shaneutt # Network
     - soltysh # Apps, CLI
     - sttts # API Machinery
     - tallclair # Auth
     - thockin # Network
+    - towca # Autoscaling
     - xing-yang # Storage
     - wojtek-t # Scalability
   # conformance aliases https://git.k8s.io/enhancements/keps/sig-architecture/20190412-conformance-behaviors.md
diff --git a/api/api-rules/aggregator_violation_exceptions.list b/api/api-rules/aggregator_violation_exceptions.list
index 8f1c9408a636a..403bff328f00c 100644
--- a/api/api-rules/aggregator_violation_exceptions.list
+++ b/api/api-rules/aggregator_violation_exceptions.list
@@ -1,3 +1,9 @@
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
diff --git a/api/api-rules/apiextensions_violation_exceptions.list b/api/api-rules/apiextensions_violation_exceptions.list
index 9f9227be5ce0e..34b860195553b 100644
--- a/api/api-rules/apiextensions_violation_exceptions.list
+++ b/api/api-rules/apiextensions_violation_exceptions.list
@@ -29,6 +29,12 @@ API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiexten
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1,JSONSchemaPropsOrBool,Schema
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1,JSONSchemaPropsOrStringArray,Property
 API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1,JSONSchemaPropsOrStringArray,Schema
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
diff --git a/api/api-rules/codegen_violation_exceptions.list b/api/api-rules/codegen_violation_exceptions.list
index 8f1c9408a636a..eeee5ba290fa3 100644
--- a/api/api-rules/codegen_violation_exceptions.list
+++ b/api/api-rules/codegen_violation_exceptions.list
@@ -1,3 +1,9 @@
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
@@ -7,3 +13,5 @@ API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
+API rule violation: names_match,k8s.io/code-generator/examples/apiserver/apis/example/v1,ConversionCustom,privateField
+API rule violation: names_match,k8s.io/code-generator/examples/apiserver/apis/example/v1,ConversionPrivate,privateField
diff --git a/api/api-rules/sample_apiserver_violation_exceptions.list b/api/api-rules/sample_apiserver_violation_exceptions.list
index 8f1c9408a636a..403bff328f00c 100644
--- a/api/api-rules/sample_apiserver_violation_exceptions.list
+++ b/api/api-rules/sample_apiserver_violation_exceptions.list
@@ -1,3 +1,9 @@
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
diff --git a/api/api-rules/violation_exceptions.list b/api/api-rules/violation_exceptions.list
index 61824bff581ff..6d16fc9fda746 100644
--- a/api/api-rules/violation_exceptions.list
+++ b/api/api-rules/violation_exceptions.list
@@ -1,4 +1,3 @@
-API rule violation: list_type_missing,k8s.io/api/storagemigration/v1alpha1,StorageVersionMigrationList,Items
 API rule violation: list_type_missing,k8s.io/cloud-provider/config/v1alpha1,WebhookConfiguration,Webhooks
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,Controllers
 API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,LeaderMigrationConfiguration,ControllerLeaders
@@ -147,6 +146,8 @@ API rule violation: names_match,k8s.io/cloud-provider/config/v1alpha1,KubeCloudS
 API rule violation: names_match,k8s.io/cloud-provider/config/v1alpha1,KubeCloudSharedConfiguration,RouteReconciliationPeriod
 API rule violation: names_match,k8s.io/cloud-provider/config/v1alpha1,KubeCloudSharedConfiguration,UseServiceAccountCredentials
 API rule violation: names_match,k8s.io/cloud-provider/config/v1alpha1,WebhookConfiguration,Webhooks
+API rule violation: names_match,k8s.io/cloud-provider/controllers/node/config/v1alpha1,NodeControllerConfiguration,ConcurrentNodeSyncs
+API rule violation: names_match,k8s.io/cloud-provider/controllers/service/config/v1alpha1,ServiceControllerConfiguration,ConcurrentServiceSyncs
 API rule violation: names_match,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,Address
 API rule violation: names_match,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,ClientConnection
 API rule violation: names_match,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,ControllerStartInterval
@@ -171,6 +172,7 @@ API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,C
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,CronJobControllerConfiguration,ConcurrentCronJobSyncs
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,DaemonSetControllerConfiguration,ConcurrentDaemonSetSyncs
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,DeploymentControllerConfiguration,ConcurrentDeploymentSyncs
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,DeviceTaintEvictionControllerConfiguration,ConcurrentSyncs
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,EndpointControllerConfiguration,ConcurrentEndpointSyncs
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,EndpointControllerConfiguration,EndpointUpdatesBatchPeriod
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,EndpointSliceControllerConfiguration,ConcurrentServiceEndpointSyncs
@@ -198,6 +200,7 @@ API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,K
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,DaemonSetController
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,DeploymentController
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,DeprecatedController
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,DeviceTaintEvictionController
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,EndpointController
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,EndpointSliceController
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,KubeControllerManagerConfiguration,EndpointSliceMirroringController
diff --git a/api/discovery/aggregated_v2.json b/api/discovery/aggregated_v2.json
index 01dc28707d216..7a53c2e2a74e8 100644
--- a/api/discovery/aggregated_v2.json
+++ b/api/discovery/aggregated_v2.json
@@ -683,32 +683,6 @@
           ],
           "version": "v1"
         },
-        {
-          "freshness": "Current",
-          "resources": [
-            {
-              "resource": "clustertrustbundles",
-              "responseKind": {
-                "group": "",
-                "kind": "ClusterTrustBundle",
-                "version": ""
-              },
-              "scope": "Cluster",
-              "singularResource": "clustertrustbundle",
-              "verbs": [
-                "create",
-                "delete",
-                "deletecollection",
-                "get",
-                "list",
-                "patch",
-                "update",
-                "watch"
-              ]
-            }
-          ],
-          "version": "v1beta1"
-        },
         {
           "freshness": "Current",
           "resources": [
@@ -768,6 +742,32 @@
               ]
             }
           ],
+          "version": "v1beta1"
+        },
+        {
+          "freshness": "Current",
+          "resources": [
+            {
+              "resource": "clustertrustbundles",
+              "responseKind": {
+                "group": "",
+                "kind": "ClusterTrustBundle",
+                "version": ""
+              },
+              "scope": "Cluster",
+              "singularResource": "clustertrustbundle",
+              "verbs": [
+                "create",
+                "delete",
+                "deletecollection",
+                "get",
+                "list",
+                "patch",
+                "update",
+                "watch"
+              ]
+            }
+          ],
           "version": "v1alpha1"
         }
       ]
@@ -1312,35 +1312,6 @@
             }
           ],
           "version": "v1beta1"
-        },
-        {
-          "freshness": "Current",
-          "resources": [
-            {
-              "resource": "volumeattributesclasses",
-              "responseKind": {
-                "group": "",
-                "kind": "VolumeAttributesClass",
-                "version": ""
-              },
-              "scope": "Cluster",
-              "shortNames": [
-                "vac"
-              ],
-              "singularResource": "volumeattributesclass",
-              "verbs": [
-                "create",
-                "delete",
-                "deletecollection",
-                "get",
-                "list",
-                "patch",
-                "update",
-                "watch"
-              ]
-            }
-          ],
-          "version": "v1alpha1"
         }
       ]
     },
@@ -1656,6 +1627,32 @@
             }
           ],
           "version": "v1"
+        },
+        {
+          "freshness": "Current",
+          "resources": [
+            {
+              "resource": "workloads",
+              "responseKind": {
+                "group": "",
+                "kind": "Workload",
+                "version": ""
+              },
+              "scope": "Namespaced",
+              "singularResource": "workload",
+              "verbs": [
+                "create",
+                "delete",
+                "deletecollection",
+                "get",
+                "list",
+                "patch",
+                "update",
+                "watch"
+              ]
+            }
+          ],
+          "version": "v1alpha1"
         }
       ]
     },
@@ -2130,6 +2127,21 @@
               },
               "scope": "Cluster",
               "singularResource": "devicetaintrule",
+              "subresources": [
+                {
+                  "responseKind": {
+                    "group": "",
+                    "kind": "DeviceTaintRule",
+                    "version": ""
+                  },
+                  "subresource": "status",
+                  "verbs": [
+                    "get",
+                    "patch",
+                    "update"
+                  ]
+                }
+              ],
               "verbs": [
                 "create",
                 "delete",
@@ -2321,7 +2333,7 @@
               ]
             }
           ],
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     }
diff --git a/api/discovery/apis.json b/api/discovery/apis.json
index f988f48285873..ae395b2e4a089 100644
--- a/api/discovery/apis.json
+++ b/api/discovery/apis.json
@@ -174,10 +174,6 @@
         {
           "groupVersion": "storage.k8s.io/v1beta1",
           "version": "v1beta1"
-        },
-        {
-          "groupVersion": "storage.k8s.io/v1alpha1",
-          "version": "v1alpha1"
         }
       ]
     },
@@ -225,6 +221,10 @@
         {
           "groupVersion": "scheduling.k8s.io/v1",
           "version": "v1"
+        },
+        {
+          "groupVersion": "scheduling.k8s.io/v1alpha1",
+          "version": "v1alpha1"
         }
       ]
     },
@@ -329,13 +329,13 @@
     {
       "name": "storagemigration.k8s.io",
       "preferredVersion": {
-        "groupVersion": "storagemigration.k8s.io/v1alpha1",
-        "version": "v1alpha1"
+        "groupVersion": "storagemigration.k8s.io/v1beta1",
+        "version": "v1beta1"
       },
       "versions": [
         {
-          "groupVersion": "storagemigration.k8s.io/v1alpha1",
-          "version": "v1alpha1"
+          "groupVersion": "storagemigration.k8s.io/v1beta1",
+          "version": "v1beta1"
         }
       ]
     }
diff --git a/api/discovery/apis__admissionregistration.k8s.io__v1alpha1.json b/api/discovery/apis__admissionregistration.k8s.io__v1alpha1.json
index 13f98d6a8aa0d..d8e54bcfe2597 100644
--- a/api/discovery/apis__admissionregistration.k8s.io__v1alpha1.json
+++ b/api/discovery/apis__admissionregistration.k8s.io__v1alpha1.json
@@ -11,7 +11,7 @@
       "name": "mutatingadmissionpolicies",
       "namespaced": false,
       "singularName": "mutatingadmissionpolicy",
-      "storageVersionHash": "lP2+lF8aHIY=",
+      "storageVersionHash": "LYmCf+UMVdg=",
       "verbs": [
         "create",
         "delete",
@@ -31,7 +31,7 @@
       "name": "mutatingadmissionpolicybindings",
       "namespaced": false,
       "singularName": "mutatingadmissionpolicybinding",
-      "storageVersionHash": "Q2Qe566oRi8=",
+      "storageVersionHash": "90V5FRZZ3Zg=",
       "verbs": [
         "create",
         "delete",
diff --git a/api/discovery/apis__admissionregistration.k8s.io__v1beta1.json b/api/discovery/apis__admissionregistration.k8s.io__v1beta1.json
index 26fbd2f7303d2..47eb7c592ca73 100644
--- a/api/discovery/apis__admissionregistration.k8s.io__v1beta1.json
+++ b/api/discovery/apis__admissionregistration.k8s.io__v1beta1.json
@@ -11,7 +11,7 @@
       "name": "mutatingadmissionpolicies",
       "namespaced": false,
       "singularName": "mutatingadmissionpolicy",
-      "storageVersionHash": "lP2+lF8aHIY=",
+      "storageVersionHash": "LYmCf+UMVdg=",
       "verbs": [
         "create",
         "delete",
@@ -31,7 +31,7 @@
       "name": "mutatingadmissionpolicybindings",
       "namespaced": false,
       "singularName": "mutatingadmissionpolicybinding",
-      "storageVersionHash": "Q2Qe566oRi8=",
+      "storageVersionHash": "90V5FRZZ3Zg=",
       "verbs": [
         "create",
         "delete",
diff --git a/api/discovery/apis__certificates.k8s.io__v1alpha1.json b/api/discovery/apis__certificates.k8s.io__v1alpha1.json
index daee682511fbc..c936702ea4bca 100644
--- a/api/discovery/apis__certificates.k8s.io__v1alpha1.json
+++ b/api/discovery/apis__certificates.k8s.io__v1alpha1.json
@@ -19,34 +19,6 @@
         "update",
         "watch"
       ]
-    },
-    {
-      "kind": "PodCertificateRequest",
-      "name": "podcertificaterequests",
-      "namespaced": true,
-      "singularName": "podcertificaterequest",
-      "storageVersionHash": "3F2mRg06NdI=",
-      "verbs": [
-        "create",
-        "delete",
-        "deletecollection",
-        "get",
-        "list",
-        "patch",
-        "update",
-        "watch"
-      ]
-    },
-    {
-      "kind": "PodCertificateRequest",
-      "name": "podcertificaterequests/status",
-      "namespaced": true,
-      "singularName": "",
-      "verbs": [
-        "get",
-        "patch",
-        "update"
-      ]
     }
   ]
 }
diff --git a/api/discovery/apis__certificates.k8s.io__v1beta1.json b/api/discovery/apis__certificates.k8s.io__v1beta1.json
index f1bf138d51619..3ea6c3087662a 100644
--- a/api/discovery/apis__certificates.k8s.io__v1beta1.json
+++ b/api/discovery/apis__certificates.k8s.io__v1beta1.json
@@ -19,6 +19,34 @@
         "update",
         "watch"
       ]
+    },
+    {
+      "kind": "PodCertificateRequest",
+      "name": "podcertificaterequests",
+      "namespaced": true,
+      "singularName": "podcertificaterequest",
+      "storageVersionHash": "wYA9yXQH8fg=",
+      "verbs": [
+        "create",
+        "delete",
+        "deletecollection",
+        "get",
+        "list",
+        "patch",
+        "update",
+        "watch"
+      ]
+    },
+    {
+      "kind": "PodCertificateRequest",
+      "name": "podcertificaterequests/status",
+      "namespaced": true,
+      "singularName": "",
+      "verbs": [
+        "get",
+        "patch",
+        "update"
+      ]
     }
   ]
 }
diff --git a/api/discovery/apis__resource.k8s.io__v1.json b/api/discovery/apis__resource.k8s.io__v1.json
index 41f9470526510..8a3337939b6e5 100644
--- a/api/discovery/apis__resource.k8s.io__v1.json
+++ b/api/discovery/apis__resource.k8s.io__v1.json
@@ -8,7 +8,7 @@
       "name": "deviceclasses",
       "namespaced": false,
       "singularName": "deviceclass",
-      "storageVersionHash": "weQRMT6DeYM=",
+      "storageVersionHash": "Yk2PTc1Ybxk=",
       "verbs": [
         "create",
         "delete",
@@ -25,7 +25,7 @@
       "name": "resourceclaims",
       "namespaced": true,
       "singularName": "resourceclaim",
-      "storageVersionHash": "EJAWH5WrAYg=",
+      "storageVersionHash": "wgAZaHcZxUg=",
       "verbs": [
         "create",
         "delete",
@@ -53,7 +53,7 @@
       "name": "resourceclaimtemplates",
       "namespaced": true,
       "singularName": "resourceclaimtemplate",
-      "storageVersionHash": "24m0okHrUtk=",
+      "storageVersionHash": "TuzjC49aUfM=",
       "verbs": [
         "create",
         "delete",
@@ -70,7 +70,7 @@
       "name": "resourceslices",
       "namespaced": false,
       "singularName": "resourceslice",
-      "storageVersionHash": "z6Bc9vgk6yE=",
+      "storageVersionHash": "KsC072WgaEY=",
       "verbs": [
         "create",
         "delete",
diff --git a/api/discovery/apis__resource.k8s.io__v1alpha3.json b/api/discovery/apis__resource.k8s.io__v1alpha3.json
index 70b14d2a6775a..9e91b4e383be8 100644
--- a/api/discovery/apis__resource.k8s.io__v1alpha3.json
+++ b/api/discovery/apis__resource.k8s.io__v1alpha3.json
@@ -19,6 +19,17 @@
         "update",
         "watch"
       ]
+    },
+    {
+      "kind": "DeviceTaintRule",
+      "name": "devicetaintrules/status",
+      "namespaced": false,
+      "singularName": "",
+      "verbs": [
+        "get",
+        "patch",
+        "update"
+      ]
     }
   ]
 }
diff --git a/api/discovery/apis__resource.k8s.io__v1beta1.json b/api/discovery/apis__resource.k8s.io__v1beta1.json
index 7be02cb32efcf..aef0a9d134fd4 100644
--- a/api/discovery/apis__resource.k8s.io__v1beta1.json
+++ b/api/discovery/apis__resource.k8s.io__v1beta1.json
@@ -8,7 +8,7 @@
       "name": "deviceclasses",
       "namespaced": false,
       "singularName": "deviceclass",
-      "storageVersionHash": "weQRMT6DeYM=",
+      "storageVersionHash": "Yk2PTc1Ybxk=",
       "verbs": [
         "create",
         "delete",
@@ -25,7 +25,7 @@
       "name": "resourceclaims",
       "namespaced": true,
       "singularName": "resourceclaim",
-      "storageVersionHash": "EJAWH5WrAYg=",
+      "storageVersionHash": "wgAZaHcZxUg=",
       "verbs": [
         "create",
         "delete",
@@ -53,7 +53,7 @@
       "name": "resourceclaimtemplates",
       "namespaced": true,
       "singularName": "resourceclaimtemplate",
-      "storageVersionHash": "24m0okHrUtk=",
+      "storageVersionHash": "TuzjC49aUfM=",
       "verbs": [
         "create",
         "delete",
@@ -70,7 +70,7 @@
       "name": "resourceslices",
       "namespaced": false,
       "singularName": "resourceslice",
-      "storageVersionHash": "z6Bc9vgk6yE=",
+      "storageVersionHash": "KsC072WgaEY=",
       "verbs": [
         "create",
         "delete",
diff --git a/api/discovery/apis__resource.k8s.io__v1beta2.json b/api/discovery/apis__resource.k8s.io__v1beta2.json
index c263ff9dcaf13..02e161222486b 100644
--- a/api/discovery/apis__resource.k8s.io__v1beta2.json
+++ b/api/discovery/apis__resource.k8s.io__v1beta2.json
@@ -8,7 +8,7 @@
       "name": "deviceclasses",
       "namespaced": false,
       "singularName": "deviceclass",
-      "storageVersionHash": "weQRMT6DeYM=",
+      "storageVersionHash": "Yk2PTc1Ybxk=",
       "verbs": [
         "create",
         "delete",
@@ -25,7 +25,7 @@
       "name": "resourceclaims",
       "namespaced": true,
       "singularName": "resourceclaim",
-      "storageVersionHash": "EJAWH5WrAYg=",
+      "storageVersionHash": "wgAZaHcZxUg=",
       "verbs": [
         "create",
         "delete",
@@ -53,7 +53,7 @@
       "name": "resourceclaimtemplates",
       "namespaced": true,
       "singularName": "resourceclaimtemplate",
-      "storageVersionHash": "24m0okHrUtk=",
+      "storageVersionHash": "TuzjC49aUfM=",
       "verbs": [
         "create",
         "delete",
@@ -70,7 +70,7 @@
       "name": "resourceslices",
       "namespaced": false,
       "singularName": "resourceslice",
-      "storageVersionHash": "z6Bc9vgk6yE=",
+      "storageVersionHash": "KsC072WgaEY=",
       "verbs": [
         "create",
         "delete",
diff --git a/api/discovery/apis__scheduling.k8s.io.json b/api/discovery/apis__scheduling.k8s.io.json
index 3782996ff7f06..a8f4e435bfb3b 100644
--- a/api/discovery/apis__scheduling.k8s.io.json
+++ b/api/discovery/apis__scheduling.k8s.io.json
@@ -10,6 +10,10 @@
     {
       "groupVersion": "scheduling.k8s.io/v1",
       "version": "v1"
+    },
+    {
+      "groupVersion": "scheduling.k8s.io/v1alpha1",
+      "version": "v1alpha1"
     }
   ]
 }
diff --git a/api/discovery/apis__scheduling.k8s.io__v1alpha1.json b/api/discovery/apis__scheduling.k8s.io__v1alpha1.json
new file mode 100644
index 0000000000000..8bc6b402acd3a
--- /dev/null
+++ b/api/discovery/apis__scheduling.k8s.io__v1alpha1.json
@@ -0,0 +1,24 @@
+{
+  "apiVersion": "v1",
+  "groupVersion": "scheduling.k8s.io/v1alpha1",
+  "kind": "APIResourceList",
+  "resources": [
+    {
+      "kind": "Workload",
+      "name": "workloads",
+      "namespaced": true,
+      "singularName": "workload",
+      "storageVersionHash": "7X3nQnlLxCA=",
+      "verbs": [
+        "create",
+        "delete",
+        "deletecollection",
+        "get",
+        "list",
+        "patch",
+        "update",
+        "watch"
+      ]
+    }
+  ]
+}
diff --git a/api/discovery/apis__storage.k8s.io.json b/api/discovery/apis__storage.k8s.io.json
index afb58ad6c0d18..e7e7ab7dc659f 100644
--- a/api/discovery/apis__storage.k8s.io.json
+++ b/api/discovery/apis__storage.k8s.io.json
@@ -14,10 +14,6 @@
     {
       "groupVersion": "storage.k8s.io/v1beta1",
       "version": "v1beta1"
-    },
-    {
-      "groupVersion": "storage.k8s.io/v1alpha1",
-      "version": "v1alpha1"
     }
   ]
 }
diff --git a/api/discovery/apis__storage.k8s.io__v1alpha1.json b/api/discovery/apis__storage.k8s.io__v1alpha1.json
deleted file mode 100644
index 91b4d008563a8..0000000000000
--- a/api/discovery/apis__storage.k8s.io__v1alpha1.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-  "apiVersion": "v1",
-  "groupVersion": "storage.k8s.io/v1alpha1",
-  "kind": "APIResourceList",
-  "resources": [
-    {
-      "kind": "VolumeAttributesClass",
-      "name": "volumeattributesclasses",
-      "namespaced": false,
-      "shortNames": [
-        "vac"
-      ],
-      "singularName": "volumeattributesclass",
-      "storageVersionHash": "Bl3MtjZ/n/s=",
-      "verbs": [
-        "create",
-        "delete",
-        "deletecollection",
-        "get",
-        "list",
-        "patch",
-        "update",
-        "watch"
-      ]
-    }
-  ]
-}
diff --git a/api/discovery/apis__storagemigration.k8s.io.json b/api/discovery/apis__storagemigration.k8s.io.json
index 2299ca4699d98..863b74b928d42 100644
--- a/api/discovery/apis__storagemigration.k8s.io.json
+++ b/api/discovery/apis__storagemigration.k8s.io.json
@@ -3,13 +3,13 @@
   "kind": "APIGroup",
   "name": "storagemigration.k8s.io",
   "preferredVersion": {
-    "groupVersion": "storagemigration.k8s.io/v1alpha1",
-    "version": "v1alpha1"
+    "groupVersion": "storagemigration.k8s.io/v1beta1",
+    "version": "v1beta1"
   },
   "versions": [
     {
-      "groupVersion": "storagemigration.k8s.io/v1alpha1",
-      "version": "v1alpha1"
+      "groupVersion": "storagemigration.k8s.io/v1beta1",
+      "version": "v1beta1"
     }
   ]
 }
diff --git a/api/discovery/apis__storagemigration.k8s.io__v1alpha1.json b/api/discovery/apis__storagemigration.k8s.io__v1alpha1.json
deleted file mode 100644
index 1033ba3ae4fec..0000000000000
--- a/api/discovery/apis__storagemigration.k8s.io__v1alpha1.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
-  "apiVersion": "v1",
-  "groupVersion": "storagemigration.k8s.io/v1alpha1",
-  "kind": "APIResourceList",
-  "resources": [
-    {
-      "kind": "StorageVersionMigration",
-      "name": "storageversionmigrations",
-      "namespaced": false,
-      "singularName": "storageversionmigration",
-      "storageVersionHash": "N0mJdFqO17c=",
-      "verbs": [
-        "create",
-        "delete",
-        "deletecollection",
-        "get",
-        "list",
-        "patch",
-        "update",
-        "watch"
-      ]
-    },
-    {
-      "kind": "StorageVersionMigration",
-      "name": "storageversionmigrations/status",
-      "namespaced": false,
-      "singularName": "",
-      "verbs": [
-        "get",
-        "patch",
-        "update"
-      ]
-    }
-  ]
-}
diff --git a/api/discovery/apis__storagemigration.k8s.io__v1beta1.json b/api/discovery/apis__storagemigration.k8s.io__v1beta1.json
new file mode 100644
index 0000000000000..0fb2e76daad58
--- /dev/null
+++ b/api/discovery/apis__storagemigration.k8s.io__v1beta1.json
@@ -0,0 +1,35 @@
+{
+  "apiVersion": "v1",
+  "groupVersion": "storagemigration.k8s.io/v1beta1",
+  "kind": "APIResourceList",
+  "resources": [
+    {
+      "kind": "StorageVersionMigration",
+      "name": "storageversionmigrations",
+      "namespaced": false,
+      "singularName": "storageversionmigration",
+      "storageVersionHash": "pCjmmKOkLy4=",
+      "verbs": [
+        "create",
+        "delete",
+        "deletecollection",
+        "get",
+        "list",
+        "patch",
+        "update",
+        "watch"
+      ]
+    },
+    {
+      "kind": "StorageVersionMigration",
+      "name": "storageversionmigrations/status",
+      "namespaced": false,
+      "singularName": "",
+      "verbs": [
+        "get",
+        "patch",
+        "update"
+      ]
+    }
+  ]
+}
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index 305a8a0ee5dcf..2e0f73febff22 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -2314,7 +2314,7 @@
           "type": "integer"
         },
         "terminatingReplicas": {
-          "description": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+          "description": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
           "format": "int32",
           "type": "integer"
         },
@@ -2512,7 +2512,7 @@
           "type": "integer"
         },
         "terminatingReplicas": {
-          "description": "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+          "description": "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
           "format": "int32",
           "type": "integer"
         }
@@ -2555,7 +2555,7 @@
       "properties": {
         "maxUnavailable": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString",
-          "description": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable."
+          "description": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time."
         },
         "partition": {
           "description": "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.",
@@ -3853,7 +3853,7 @@
       "type": "object"
     },
     "io.k8s.api.autoscaling.v2.HPAScalingRules": {
-      "description": "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.)",
+      "description": "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires the beta HPAConfigurableTolerance feature gate to be enabled.)",
       "properties": {
         "policies": {
           "description": "policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.",
@@ -3874,7 +3874,7 @@
         },
         "tolerance": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity",
-          "description": "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an alpha field and requires enabling the HPAConfigurableTolerance feature gate."
+          "description": "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled."
         }
       },
       "type": "object"
@@ -4587,7 +4587,7 @@
           "type": "integer"
         },
         "managedBy": {
-          "description": "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.\n\nThis field is beta-level. The job controller accepts setting the field when the feature gate JobManagedBy is enabled (enabled by default).",
+          "description": "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.",
           "type": "string"
         },
         "manualSelector": {
@@ -4771,8 +4771,7 @@
         }
       },
       "required": [
-        "type",
-        "status"
+        "type"
       ],
       "type": "object"
     },
@@ -4987,8 +4986,7 @@
         "request": {
           "description": "request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.",
           "format": "byte",
-          "type": "string",
-          "x-kubernetes-list-type": "atomic"
+          "type": "string"
         },
         "signerName": {
           "description": "signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n  Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n  Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n  Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.",
@@ -5023,8 +5021,7 @@
         "certificate": {
           "description": "certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificate must contain one or more PEM blocks.\n 2. All PEM blocks must have the \"CERTIFICATE\" label, contain no headers, and the encoded data\n  must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.\n 3. Non-PEM content may appear before or after the \"CERTIFICATE\" PEM blocks and is unvalidated,\n  to allow for explanatory text as described in section 5.2 of RFC7468.\n\nIf more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.\n\nThe certificate is encoded in PEM format.\n\nWhen serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:\n\n    base64(\n    -----BEGIN CERTIFICATE-----\n    ...\n    -----END CERTIFICATE-----\n    )",
           "format": "byte",
-          "type": "string",
-          "x-kubernetes-list-type": "atomic"
+          "type": "string"
         },
         "conditions": {
           "description": "conditions applied to the request. Known conditions are \"Approved\", \"Denied\", and \"Failed\".",
@@ -5124,7 +5121,91 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.certificates.v1alpha1.PodCertificateRequest": {
+    "io.k8s.api.certificates.v1beta1.ClusterTrustBundle": {
+      "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection.  All service accounts have read access to ClusterTrustBundles by default.  Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "metadata contains the object metadata."
+        },
+        "spec": {
+          "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundleSpec",
+          "description": "spec contains the signer (if any) and trust anchors."
+        }
+      },
+      "required": [
+        "spec"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.certificates.v1beta1.ClusterTrustBundleList": {
+      "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "description": "items is a collection of ClusterTrustBundle objects",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+          },
+          "type": "array"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
+          "description": "metadata contains the list metadata."
+        }
+      },
+      "required": [
+        "items"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundleList",
+          "version": "v1beta1"
+        }
+      ]
+    },
+    "io.k8s.api.certificates.v1beta1.ClusterTrustBundleSpec": {
+      "description": "ClusterTrustBundleSpec contains the signer and trust anchors.",
+      "properties": {
+        "signerName": {
+          "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.",
+          "type": "string"
+        },
+        "trustBundle": {
+          "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates.  Each certificate must include a basic constraints extension with the CA bit set.  The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "trustBundle"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.certificates.v1beta1.PodCertificateRequest": {
       "description": "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
       "properties": {
         "apiVersion": {
@@ -5140,11 +5221,11 @@
           "description": "metadata contains the object metadata."
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec",
+          "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec",
           "description": "spec contains the details about the certificate being requested."
         },
         "status": {
-          "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus",
+          "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus",
           "description": "status contains the issued certificate, and a standard set of conditions."
         }
       },
@@ -5156,11 +5237,11 @@
         {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
-    "io.k8s.api.certificates.v1alpha1.PodCertificateRequestList": {
+    "io.k8s.api.certificates.v1beta1.PodCertificateRequestList": {
       "description": "PodCertificateRequestList is a collection of PodCertificateRequest objects",
       "properties": {
         "apiVersion": {
@@ -5170,7 +5251,7 @@
         "items": {
           "description": "items is a collection of PodCertificateRequest objects",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+            "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
           },
           "type": "array"
         },
@@ -5191,11 +5272,11 @@
         {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequestList",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
-    "io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec": {
+    "io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec": {
       "description": "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
       "properties": {
         "maxExpirationSeconds": {
@@ -5240,6 +5321,13 @@
         "signerName": {
           "description": "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
           "type": "string"
+        },
+        "unverifiedUserAnnotations": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "description": "unverifiedUserAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support.  Signers should deny requests that contain keys they do not recognize.",
+          "type": "object"
         }
       },
       "required": [
@@ -5255,7 +5343,7 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus": {
+    "io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus": {
       "description": "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
       "properties": {
         "beginRefreshAt": {
@@ -5290,90 +5378,6 @@
       },
       "type": "object"
     },
-    "io.k8s.api.certificates.v1beta1.ClusterTrustBundle": {
-      "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection.  All service accounts have read access to ClusterTrustBundles by default.  Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
-          "description": "metadata contains the object metadata."
-        },
-        "spec": {
-          "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundleSpec",
-          "description": "spec contains the signer (if any) and trust anchors."
-        }
-      },
-      "required": [
-        "spec"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1beta1"
-        }
-      ]
-    },
-    "io.k8s.api.certificates.v1beta1.ClusterTrustBundleList": {
-      "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "items": {
-          "description": "items is a collection of ClusterTrustBundle objects",
-          "items": {
-            "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-          },
-          "type": "array"
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
-          "description": "metadata contains the list metadata."
-        }
-      },
-      "required": [
-        "items"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundleList",
-          "version": "v1beta1"
-        }
-      ]
-    },
-    "io.k8s.api.certificates.v1beta1.ClusterTrustBundleSpec": {
-      "description": "ClusterTrustBundleSpec contains the signer and trust anchors.",
-      "properties": {
-        "signerName": {
-          "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.",
-          "type": "string"
-        },
-        "trustBundle": {
-          "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates.  Each certificate must include a basic constraints extension with the CA bit set.  The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "trustBundle"
-      ],
-      "type": "object"
-    },
     "io.k8s.api.coordination.v1.Lease": {
       "description": "Lease defines a lease concept.",
       "properties": {
@@ -6517,7 +6521,7 @@
           "description": "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
         },
         "resizePolicy": {
-          "description": "Resources resize policy for the container.",
+          "description": "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"
           },
@@ -8899,6 +8903,14 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.NodeDaemonEndpoints",
           "description": "Endpoints of daemons running on the Node."
         },
+        "declaredFeatures": {
+          "description": "DeclaredFeatures represents the features related to feature gates that are declared by the node.",
+          "items": {
+            "type": "string"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        },
         "features": {
           "$ref": "#/definitions/io.k8s.api.core.v1.NodeFeatures",
           "description": "Features describes the set of features implemented by the CRI implementation."
@@ -9228,7 +9240,7 @@
         },
         "resources": {
           "$ref": "#/definitions/io.k8s.api.core.v1.VolumeResourceRequirements",
-          "description": "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
+          "description": "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
         },
         "selector": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector",
@@ -9268,7 +9280,7 @@
           "additionalProperties": {
             "type": "string"
           },
-          "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+          "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
           "type": "object",
           "x-kubernetes-map-type": "granular"
         },
@@ -9276,7 +9288,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"
           },
-          "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+          "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
           "type": "object"
         },
         "capacity": {
@@ -9476,7 +9488,7 @@
         },
         "nodeAffinity": {
           "$ref": "#/definitions/io.k8s.api.core.v1.VolumeNodeAffinity",
-          "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume."
+          "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled."
         },
         "persistentVolumeReclaimPolicy": {
           "description": "persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming",
@@ -9713,6 +9725,13 @@
         "signerName": {
           "description": "Kubelet's generated CSRs will be addressed to this signer.",
           "type": "string"
+        },
+        "userAnnotations": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "description": "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
+          "type": "object"
         }
       },
       "required": [
@@ -9737,7 +9756,7 @@
           "type": "string"
         },
         "observedGeneration": {
-          "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+          "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
           "format": "int64",
           "type": "integer"
         },
@@ -10183,7 +10202,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "resourceClaims": {
-          "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+          "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.PodResourceClaim"
           },
@@ -10287,6 +10306,10 @@
           "x-kubernetes-list-type": "map",
           "x-kubernetes-patch-merge-key": "name",
           "x-kubernetes-patch-strategy": "merge,retainKeys"
+        },
+        "workloadRef": {
+          "$ref": "#/definitions/io.k8s.api.core.v1.WorkloadReference",
+          "description": "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies."
         }
       },
       "required": [
@@ -10297,6 +10320,13 @@
     "io.k8s.api.core.v1.PodStatus": {
       "description": "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.",
       "properties": {
+        "allocatedResources": {
+          "additionalProperties": {
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"
+          },
+          "description": "AllocatedResources is the total requests allocated for this pod by the node. If pod-level requests are not set, this will be the total requests aggregated across containers in the pod.",
+          "type": "object"
+        },
         "conditions": {
           "description": "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
           "items": {
@@ -10361,7 +10391,7 @@
           "type": "string"
         },
         "observedGeneration": {
-          "description": "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+          "description": "If set, this represents the .metadata.generation that the pod status was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
           "format": "int64",
           "type": "integer"
         },
@@ -10411,6 +10441,10 @@
           "x-kubernetes-patch-merge-key": "name",
           "x-kubernetes-patch-strategy": "merge,retainKeys"
         },
+        "resources": {
+          "$ref": "#/definitions/io.k8s.api.core.v1.ResourceRequirements",
+          "description": "Resources represents the compute resource requests and limits that have been applied at the pod level if pod-level requests or limits are set in PodSpec.Resources"
+        },
         "startTime": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
           "description": "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod."
@@ -12081,7 +12115,7 @@
           "type": "string"
         },
         "operator": {
-          "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+          "description": "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
           "type": "string"
         },
         "tolerationSeconds": {
@@ -12572,6 +12606,28 @@
       },
       "type": "object"
     },
+    "io.k8s.api.core.v1.WorkloadReference": {
+      "description": "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+      "properties": {
+        "name": {
+          "description": "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+          "type": "string"
+        },
+        "podGroup": {
+          "description": "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+          "type": "string"
+        },
+        "podGroupReplicaKey": {
+          "description": "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name",
+        "podGroup"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.discovery.v1.Endpoint": {
       "description": "Endpoint represents a single logical \"backend\" implementing a service.",
       "properties": {
@@ -12642,7 +12698,7 @@
       "description": "EndpointHints provides hints describing how an endpoint should be consumed.",
       "properties": {
         "forNodes": {
-          "description": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+          "description": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.discovery.v1.ForNode"
           },
@@ -15231,7 +15287,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "networkData": {
@@ -15355,13 +15411,13 @@
       "type": "object"
     },
     "io.k8s.api.resource.v1.CounterSet": {
-      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
       "properties": {
         "counters": {
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.Counter"
           },
-          "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+          "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
           "type": "object"
         },
         "name": {
@@ -15421,7 +15477,7 @@
           "type": "object"
         },
         "consumesCounters": {
-          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.DeviceCounterConsumption"
           },
@@ -15441,7 +15497,7 @@
           "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
         },
         "taints": {
-          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.DeviceTaint"
           },
@@ -15725,7 +15781,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.Counter"
           },
-          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
           "type": "object"
         }
       },
@@ -15795,7 +15851,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "pool": {
@@ -15888,7 +15944,7 @@
       "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
       "properties": {
         "effect": {
-          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
           "type": "string"
         },
         "key": {
@@ -16009,7 +16065,7 @@
       "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
       "properties": {
         "driver": {
-          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "parameters": {
@@ -16352,7 +16408,7 @@
           "type": "boolean"
         },
         "devices": {
-          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.Device"
           },
@@ -16360,7 +16416,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "driver": {
-          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
           "type": "string"
         },
         "nodeName": {
@@ -16380,7 +16436,7 @@
           "description": "Pool describes the pool that this ResourceSlice belongs to."
         },
         "sharedCounters": {
-          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1.CounterSet"
           },
@@ -16394,34 +16450,11 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.resource.v1alpha3.CELDeviceSelector": {
-      "description": "CELDeviceSelector contains a CEL expression for selecting a device.",
-      "properties": {
-        "expression": {
-          "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n   (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n   of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n    device.driver\n    device.attributes[\"dra.example.com\"].model\n    device.attributes[\"ext.example.com\"].family\n    device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n    cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "expression"
-      ],
-      "type": "object"
-    },
-    "io.k8s.api.resource.v1alpha3.DeviceSelector": {
-      "description": "DeviceSelector must have exactly one field set.",
-      "properties": {
-        "cel": {
-          "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector",
-          "description": "CEL contains a CEL expression for selecting a device."
-        }
-      },
-      "type": "object"
-    },
     "io.k8s.api.resource.v1alpha3.DeviceTaint": {
       "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
       "properties": {
         "effect": {
-          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
           "type": "string"
         },
         "key": {
@@ -16461,6 +16494,10 @@
         "spec": {
           "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec",
           "description": "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number."
+        },
+        "status": {
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus",
+          "description": "Status provides information about what was requested in the spec."
         }
       },
       "required": [
@@ -16515,7 +16552,7 @@
       "properties": {
         "deviceSelector": {
           "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintSelector",
-          "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
+          "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satisfied for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
         },
         "taint": {
           "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaint",
@@ -16527,6 +16564,25 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus": {
+      "description": "DeviceTaintRuleStatus provides information about an on-going pod eviction.",
+      "properties": {
+        "conditions": {
+          "description": "Conditions provide information about the state of the DeviceTaintRule and the cluster at some point in time, in a machine-readable and human-readable format.\n\nThe following condition is currently defined as part of this API, more may get added: - Type: EvictionInProgress - Status: True if there are currently pods which need to be evicted, False otherwise\n  (includes the effects which don't cause eviction).\n- Reason: not specified, may change - Message: includes information about number of pending pods and already evicted pods\n  in a human-readable format, updated periodically, may change\n\nFor `effect: None`, the condition above gets set once for each change to the spec, with the message containing information about what would happen if the effect was `NoExecute`. This feedback can be used to decide whether changing the effect to `NoExecute` will work as intended. It only gets set once to avoid having to constantly update the status.\n\nMust have 8 or fewer entries.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "type"
+          ],
+          "x-kubernetes-list-type": "map",
+          "x-kubernetes-patch-merge-key": "type",
+          "x-kubernetes-patch-strategy": "merge"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.resource.v1alpha3.DeviceTaintSelector": {
       "description": "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
       "properties": {
@@ -16534,10 +16590,6 @@
           "description": "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
           "type": "string"
         },
-        "deviceClassName": {
-          "description": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
-          "type": "string"
-        },
         "driver": {
           "description": "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
           "type": "string"
@@ -16545,14 +16597,6 @@
         "pool": {
           "description": "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
           "type": "string"
-        },
-        "selectors": {
-          "description": "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
-          "items": {
-            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector"
-          },
-          "type": "array",
-          "x-kubernetes-list-type": "atomic"
         }
       },
       "type": "object"
@@ -16580,7 +16624,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "networkData": {
@@ -16667,7 +16711,7 @@
           "type": "object"
         },
         "consumesCounters": {
-          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceCounterConsumption"
           },
@@ -16683,7 +16727,7 @@
           "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
         },
         "taints": {
-          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceTaint"
           },
@@ -16776,7 +16820,7 @@
       "type": "object"
     },
     "io.k8s.api.resource.v1beta1.CounterSet": {
-      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
       "properties": {
         "counters": {
           "additionalProperties": {
@@ -17084,7 +17128,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Counter"
           },
-          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
           "type": "object"
         }
       },
@@ -17187,7 +17231,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "pool": {
@@ -17280,7 +17324,7 @@
       "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
       "properties": {
         "effect": {
-          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
           "type": "string"
         },
         "key": {
@@ -17355,7 +17399,7 @@
       "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
       "properties": {
         "driver": {
-          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "parameters": {
@@ -17698,7 +17742,7 @@
           "type": "boolean"
         },
         "devices": {
-          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Device"
           },
@@ -17706,7 +17750,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "driver": {
-          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
           "type": "string"
         },
         "nodeName": {
@@ -17726,7 +17770,7 @@
           "description": "Pool describes the pool that this ResourceSlice belongs to."
         },
         "sharedCounters": {
-          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of SharedCounters is 32.",
+          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta1.CounterSet"
           },
@@ -17763,7 +17807,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "networkData": {
@@ -17887,13 +17931,13 @@
       "type": "object"
     },
     "io.k8s.api.resource.v1beta2.CounterSet": {
-      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+      "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
       "properties": {
         "counters": {
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.Counter"
           },
-          "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+          "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
           "type": "object"
         },
         "name": {
@@ -17953,7 +17997,7 @@
           "type": "object"
         },
         "consumesCounters": {
-          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+          "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.DeviceCounterConsumption"
           },
@@ -17973,7 +18017,7 @@
           "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
         },
         "taints": {
-          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.DeviceTaint"
           },
@@ -18257,7 +18301,7 @@
           "additionalProperties": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.Counter"
           },
-          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+          "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
           "type": "object"
         }
       },
@@ -18327,7 +18371,7 @@
           "type": "string"
         },
         "driver": {
-          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "pool": {
@@ -18420,7 +18464,7 @@
       "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
       "properties": {
         "effect": {
-          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
           "type": "string"
         },
         "key": {
@@ -18541,7 +18585,7 @@
       "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
       "properties": {
         "driver": {
-          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+          "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
           "type": "string"
         },
         "parameters": {
@@ -18884,7 +18928,7 @@
           "type": "boolean"
         },
         "devices": {
-          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+          "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.Device"
           },
@@ -18892,7 +18936,7 @@
           "x-kubernetes-list-type": "atomic"
         },
         "driver": {
-          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+          "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
           "type": "string"
         },
         "nodeName": {
@@ -18912,7 +18956,7 @@
           "description": "Pool describes the pool that this ResourceSlice belongs to."
         },
         "sharedCounters": {
-          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+          "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
           "items": {
             "$ref": "#/definitions/io.k8s.api.resource.v1beta2.CounterSet"
           },
@@ -19006,6 +19050,169 @@
         }
       ]
     },
+    "io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy": {
+      "description": "BasicSchedulingPolicy indicates that standard Kubernetes scheduling behavior should be used.",
+      "type": "object"
+    },
+    "io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy": {
+      "description": "GangSchedulingPolicy defines the parameters for gang scheduling.",
+      "properties": {
+        "minCount": {
+          "description": "MinCount is the minimum number of pods that must be schedulable or scheduled at the same time for the scheduler to admit the entire group. It must be a positive integer.",
+          "format": "int32",
+          "type": "integer"
+        }
+      },
+      "required": [
+        "minCount"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.scheduling.v1alpha1.PodGroup": {
+      "description": "PodGroup represents a set of pods with a common scheduling policy.",
+      "properties": {
+        "name": {
+          "description": "Name is a unique identifier for the PodGroup within the Workload. It must be a DNS label. This field is immutable.",
+          "type": "string"
+        },
+        "policy": {
+          "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.PodGroupPolicy",
+          "description": "Policy defines the scheduling policy for this PodGroup."
+        }
+      },
+      "required": [
+        "name",
+        "policy"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.scheduling.v1alpha1.PodGroupPolicy": {
+      "description": "PodGroupPolicy defines the scheduling configuration for a PodGroup.",
+      "properties": {
+        "basic": {
+          "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy",
+          "description": "Basic specifies that the pods in this group should be scheduled using standard Kubernetes scheduling behavior."
+        },
+        "gang": {
+          "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy",
+          "description": "Gang specifies that the pods in this group should be scheduled using all-or-nothing semantics."
+        }
+      },
+      "type": "object"
+    },
+    "io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference": {
+      "description": "TypedLocalObjectReference allows to reference typed object inside the same namespace.",
+      "properties": {
+        "apiGroup": {
+          "description": "APIGroup is the group for the resource being referenced. If APIGroup is empty, the specified Kind must be in the core API group. For any other third-party types, setting APIGroup is required. It must be a DNS subdomain.",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is the type of resource being referenced. It must be a path segment name.",
+          "type": "string"
+        },
+        "name": {
+          "description": "Name is the name of resource being referenced. It must be a path segment name.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "kind",
+        "name"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.scheduling.v1alpha1.Workload": {
+      "description": "Workload allows for expressing scheduling constraints that should be used when managing lifecycle of workloads from scheduling perspective, including scheduling, preemption, eviction and other phases.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "Standard object's metadata. Name must be a DNS subdomain."
+        },
+        "spec": {
+          "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.WorkloadSpec",
+          "description": "Spec defines the desired behavior of a Workload."
+        }
+      },
+      "required": [
+        "spec"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.scheduling.v1alpha1.WorkloadList": {
+      "description": "WorkloadList contains a list of Workload resources.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "description": "Items is the list of Workloads.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+          },
+          "type": "array"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
+          "description": "Standard list metadata."
+        }
+      },
+      "required": [
+        "items"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "scheduling.k8s.io",
+          "kind": "WorkloadList",
+          "version": "v1alpha1"
+        }
+      ]
+    },
+    "io.k8s.api.scheduling.v1alpha1.WorkloadSpec": {
+      "description": "WorkloadSpec defines the desired state of a Workload.",
+      "properties": {
+        "controllerRef": {
+          "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference",
+          "description": "ControllerRef is an optional reference to the controlling object, such as a Deployment or Job. This field is intended for use by tools like CLIs to provide a link back to the original workload definition. When set, it cannot be changed."
+        },
+        "podGroups": {
+          "description": "PodGroups is the list of pod groups that make up the Workload. The maximum number of pod groups is 8. This field is immutable.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.PodGroup"
+          },
+          "type": "array",
+          "x-kubernetes-list-map-keys": [
+            "name"
+          ],
+          "x-kubernetes-list-type": "map"
+        }
+      },
+      "required": [
+        "podGroups"
+      ],
+      "type": "object"
+    },
     "io.k8s.api.storage.v1.CSIDriver": {
       "description": "CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.",
       "properties": {
@@ -19101,6 +19308,10 @@
           "description": "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
           "type": "boolean"
         },
+        "serviceAccountTokenInSecrets": {
+          "description": "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
+          "type": "boolean"
+        },
         "storageCapacity": {
           "description": "storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.",
           "type": "boolean"
@@ -19682,80 +19893,6 @@
       },
       "type": "object"
     },
-    "io.k8s.api.storage.v1alpha1.VolumeAttributesClass": {
-      "description": "VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "driverName": {
-          "description": "Name of the CSI driver This field is immutable.",
-          "type": "string"
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
-          "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-        },
-        "parameters": {
-          "additionalProperties": {
-            "type": "string"
-          },
-          "description": "parameters hold volume attributes defined by the CSI driver. These values are opaque to the Kubernetes and are passed directly to the CSI driver. The underlying storage provider supports changing these attributes on an existing volume, however the parameters field itself is immutable. To invoke a volume update, a new VolumeAttributesClass should be created with new parameters, and the PersistentVolumeClaim should be updated to reference the new VolumeAttributesClass.\n\nThis field is required and must contain at least one key/value pair. The keys cannot be empty, and the maximum number of parameters is 512, with a cumulative max size of 256K. If the CSI driver rejects invalid parameters, the target PersistentVolumeClaim will be set to an \"Infeasible\" state in the modifyVolumeStatus field.",
-          "type": "object"
-        }
-      },
-      "required": [
-        "driverName"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      ]
-    },
-    "io.k8s.api.storage.v1alpha1.VolumeAttributesClassList": {
-      "description": "VolumeAttributesClassList is a collection of VolumeAttributesClass objects.",
-      "properties": {
-        "apiVersion": {
-          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-          "type": "string"
-        },
-        "items": {
-          "description": "items is the list of VolumeAttributesClass objects.",
-          "items": {
-            "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-          },
-          "type": "array"
-        },
-        "kind": {
-          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-          "type": "string"
-        },
-        "metadata": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
-          "description": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-        }
-      },
-      "required": [
-        "items"
-      ],
-      "type": "object",
-      "x-kubernetes-group-version-kind": [
-        {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClassList",
-          "version": "v1alpha1"
-        }
-      ]
-    },
     "io.k8s.api.storage.v1beta1.VolumeAttributesClass": {
       "description": "VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.",
       "properties": {
@@ -19830,55 +19967,7 @@
         }
       ]
     },
-    "io.k8s.api.storagemigration.v1alpha1.GroupVersionResource": {
-      "description": "The names of the group, the version, and the resource.",
-      "properties": {
-        "group": {
-          "description": "The name of the group.",
-          "type": "string"
-        },
-        "resource": {
-          "description": "The name of the resource.",
-          "type": "string"
-        },
-        "version": {
-          "description": "The name of the version.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "io.k8s.api.storagemigration.v1alpha1.MigrationCondition": {
-      "description": "Describes the state of a migration at a certain point.",
-      "properties": {
-        "lastUpdateTime": {
-          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
-          "description": "The last time this condition was updated."
-        },
-        "message": {
-          "description": "A human readable message indicating details about the transition.",
-          "type": "string"
-        },
-        "reason": {
-          "description": "The reason for the condition's last transition.",
-          "type": "string"
-        },
-        "status": {
-          "description": "Status of the condition, one of True, False, Unknown.",
-          "type": "string"
-        },
-        "type": {
-          "description": "Type of the condition.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "type",
-        "status"
-      ],
-      "type": "object"
-    },
-    "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration": {
+    "io.k8s.api.storagemigration.v1beta1.StorageVersionMigration": {
       "description": "StorageVersionMigration represents a migration of stored data to the latest storage version.",
       "properties": {
         "apiVersion": {
@@ -19894,11 +19983,11 @@
           "description": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
         },
         "spec": {
-          "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec",
+          "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec",
           "description": "Specification of the migration."
         },
         "status": {
-          "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus",
+          "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus",
           "description": "Status of the migration."
         }
       },
@@ -19907,11 +19996,11 @@
         {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
-    "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList": {
+    "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList": {
       "description": "StorageVersionMigrationList is a collection of storage version migrations.",
       "properties": {
         "apiVersion": {
@@ -19921,15 +20010,9 @@
         "items": {
           "description": "Items is the list of StorageVersionMigration",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+            "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
           },
-          "type": "array",
-          "x-kubernetes-list-map-keys": [
-            "type"
-          ],
-          "x-kubernetes-list-type": "map",
-          "x-kubernetes-patch-merge-key": "type",
-          "x-kubernetes-patch-strategy": "merge"
+          "type": "array"
         },
         "kind": {
           "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -19948,19 +20031,15 @@
         {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigrationList",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
-    "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec": {
+    "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec": {
       "description": "Spec of the storage version migration.",
       "properties": {
-        "continueToken": {
-          "description": "The token used in the list options to get the next chunk of objects to migrate. When the .status.conditions indicates the migration is \"Running\", users can use this token to check the progress of the migration.",
-          "type": "string"
-        },
         "resource": {
-          "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.GroupVersionResource",
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource",
           "description": "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable."
         }
       },
@@ -19969,13 +20048,13 @@
       ],
       "type": "object"
     },
-    "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus": {
+    "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus": {
       "description": "Status of the storage version migration.",
       "properties": {
         "conditions": {
           "description": "The latest available observations of the migration's current state.",
           "items": {
-            "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.MigrationCondition"
+            "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
           },
           "type": "array",
           "x-kubernetes-list-map-keys": [
@@ -20092,6 +20171,11 @@
           "description": "message is a human-readable message indicating details about last transition.",
           "type": "string"
         },
+        "observedGeneration": {
+          "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+          "format": "int64",
+          "type": "integer"
+        },
         "reason": {
           "description": "reason is a unique, one-word, CamelCase reason for the condition's last transition.",
           "type": "string"
@@ -20246,6 +20330,11 @@
           ],
           "x-kubernetes-list-type": "map"
         },
+        "observedGeneration": {
+          "description": "The generation observed by the CRD controller.",
+          "format": "int64",
+          "type": "integer"
+        },
         "storedVersions": {
           "description": "storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.",
           "items": {
@@ -21316,7 +21405,7 @@
         {
           "group": "storagemigration.k8s.io",
           "kind": "DeleteOptions",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
@@ -21350,6 +21439,22 @@
       "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
       "type": "object"
     },
+    "io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource": {
+      "description": "GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types",
+      "properties": {
+        "group": {
+          "type": "string"
+        },
+        "resource": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "group",
+        "resource"
+      ],
+      "type": "object"
+    },
     "io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery": {
       "description": "GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.",
       "properties": {
@@ -21657,8 +21762,7 @@
         },
         "details": {
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails",
-          "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-          "x-kubernetes-list-type": "atomic"
+          "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
         },
         "kind": {
           "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -22073,7 +22177,7 @@
         {
           "group": "storagemigration.k8s.io",
           "kind": "WatchEvent",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       ]
     },
@@ -58432,13 +58536,208 @@
         }
       }
     },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests": {
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundleList",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles/{name}": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundle",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1alpha1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the ClusterTrustBundle",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/": {
+      "get": {
+        "consumes": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "description": "get available resources",
+        "operationId": "getCertificatesV1beta1APIResources",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1beta1"
+        ]
+      }
+    },
+    "/apis/certificates.k8s.io/v1beta1/clustertrustbundles": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of PodCertificateRequest",
-        "operationId": "deleteCertificatesV1alpha1CollectionNamespacedPodCertificateRequest",
+        "description": "delete collection of ClusterTrustBundle",
+        "operationId": "deleteCertificatesV1beta1CollectionClusterTrustBundle",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -58508,21 +58807,21 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       },
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind PodCertificateRequest",
-        "operationId": "listCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "list or watch objects of kind ClusterTrustBundle",
+        "operationId": "listCertificatesV1beta1ClusterTrustBundle",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -58568,7 +58867,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundleList"
             }
           },
           "401": {
@@ -58579,19 +58878,16 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       },
       "parameters": [
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -58600,15 +58896,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a PodCertificateRequest",
-        "operationId": "createCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "create a ClusterTrustBundle",
+        "operationId": "createCertificatesV1beta1ClusterTrustBundle",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           {
@@ -58639,19 +58935,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "401": {
@@ -58662,23 +58958,23 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests/{name}": {
+    "/apis/certificates.k8s.io/v1beta1/clustertrustbundles/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a PodCertificateRequest",
-        "operationId": "deleteCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "delete a ClusterTrustBundle",
+        "operationId": "deleteCertificatesV1beta1ClusterTrustBundle",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -58730,21 +59026,21 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       },
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified PodCertificateRequest",
-        "operationId": "readCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "read the specified ClusterTrustBundle",
+        "operationId": "readCertificatesV1beta1ClusterTrustBundle",
         "produces": [
           "application/json",
           "application/yaml",
@@ -58755,7 +59051,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "401": {
@@ -58766,27 +59062,24 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       },
       "parameters": [
         {
-          "description": "name of the PodCertificateRequest",
+          "description": "name of the ClusterTrustBundle",
           "in": "path",
           "name": "name",
           "required": true,
           "type": "string",
           "uniqueItems": true
         },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -58799,8 +59092,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified PodCertificateRequest",
-        "operationId": "patchCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "partially update the specified ClusterTrustBundle",
+        "operationId": "patchCertificatesV1beta1ClusterTrustBundle",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -58836,13 +59129,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "401": {
@@ -58853,28 +59146,28 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       },
       "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified PodCertificateRequest",
-        "operationId": "replaceCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "replace the specified ClusterTrustBundle",
+        "operationId": "replaceCertificatesV1beta1ClusterTrustBundle",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           {
@@ -58905,13 +59198,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
             }
           },
           "401": {
@@ -58922,23 +59215,71 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests/{name}/status": {
-      "get": {
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests": {
+      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "read status of the specified PodCertificateRequest",
-        "operationId": "readCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
+        "description": "delete collection of PodCertificateRequest",
+        "operationId": "deleteCertificatesV1beta1CollectionNamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
@@ -58949,7 +59290,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "401": {
@@ -58960,83 +59301,67 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "get",
+        "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
-      "parameters": [
-        {
-          "description": "name of the PodCertificateRequest",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        }
-      ],
-      "patch": {
+      "get": {
         "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml",
-          "application/apply-patch+cbor"
+          "*/*"
         ],
-        "description": "partially update status of the specified PodCertificateRequest",
-        "operationId": "patchCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
+        "description": "list or watch objects of kind PodCertificateRequest",
+        "operationId": "listCertificatesV1beta1NamespacedPodCertificateRequest",
         "parameters": [
           {
-            "$ref": "#/parameters/body-78PwaGsr"
+            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
           },
           {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
+            "$ref": "#/parameters/continue-QfD61s0i"
           },
           {
-            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
           },
           {
-            "$ref": "#/parameters/force-tOGGb0Yi"
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          },
+          {
+            "$ref": "#/parameters/watch-XNNPZGbK"
           }
         ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
             }
           },
           "401": {
@@ -59047,28 +59372,36 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "patch",
+        "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
-      "put": {
+      "parameters": [
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "post": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace status of the specified PodCertificateRequest",
-        "operationId": "replaceCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
+        "description": "create a PodCertificateRequest",
+        "operationId": "createCertificatesV1beta1NamespacedPodCertificateRequest",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           {
@@ -59099,13 +59432,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59116,37 +59455,64 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "put",
+        "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/certificates.k8s.io/v1alpha1/podcertificaterequests": {
-      "get": {
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests/{name}": {
+      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind PodCertificateRequest",
-        "operationId": "listCertificatesV1alpha1PodCertificateRequestForAllNamespaces",
+        "description": "delete a PodCertificateRequest",
+        "operationId": "deleteCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "401": {
@@ -59157,72 +59523,32 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "list",
+        "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1ClusterTrustBundleList",
+        "description": "read the specified PodCertificateRequest",
+        "operationId": "readCertificatesV1beta1NamespacedPodCertificateRequest",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59233,72 +59559,83 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1alpha1"
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
         }
       },
       "parameters": [
         {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          "description": "name of the PodCertificateRequest",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
         },
         {
-          "$ref": "#/parameters/limit-1NfNmdNH"
+          "$ref": "#/parameters/namespace-vgWSWtn3"
         },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles/{name}": {
-      "get": {
+      ],
+      "patch": {
         "consumes": [
-          "*/*"
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
+        ],
+        "description": "partially update the specified PodCertificateRequest",
+        "operationId": "patchCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-78PwaGsr"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
+          }
         ],
-        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1alpha1ClusterTrustBundle",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59309,80 +59646,65 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "watch",
+        "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1alpha1"
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "description": "name of the ClusterTrustBundle",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/namespaces/{namespace}/podcertificaterequests": {
-      "get": {
+      "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1NamespacedPodCertificateRequestList",
+        "description": "replace the specified PodCertificateRequest",
+        "operationId": "replaceCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59393,75 +59715,34 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
+          "version": "v1beta1"
         }
-      ]
+      }
     },
-    "/apis/certificates.k8s.io/v1alpha1/watch/namespaces/{namespace}/podcertificaterequests/{name}": {
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests/{name}/status": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "read status of the specified PodCertificateRequest",
+        "operationId": "readCertificatesV1beta1NamespacedPodCertificateRequestStatus",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59472,31 +59753,16 @@
           "https"
         ],
         "tags": [
-          "certificates_v1alpha1"
+          "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "watch",
+        "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
         {
           "description": "name of the PodCertificateRequest",
           "in": "path",
@@ -59510,148 +59776,21 @@
         },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/podcertificaterequests": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1PodCertificateRequestListForAllNamespaces",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1beta1/": {
-      "get": {
-        "consumes": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
-        ],
-        "description": "get available resources",
-        "operationId": "getCertificatesV1beta1APIResources",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "certificates_v1beta1"
-        ]
-      }
-    },
-    "/apis/certificates.k8s.io/v1beta1/clustertrustbundles": {
-      "delete": {
+      ],
+      "patch": {
         "consumes": [
-          "*/*"
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
         ],
-        "description": "delete collection of ClusterTrustBundle",
-        "operationId": "deleteCertificatesV1beta1CollectionClusterTrustBundle",
+        "description": "partially update status of the specified PodCertificateRequest",
+        "operationId": "patchCertificatesV1beta1NamespacedPodCertificateRequestStatus",
         "parameters": [
           {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
-          },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
+            "$ref": "#/parameters/body-78PwaGsr"
           },
           {
             "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
@@ -59661,37 +59800,17 @@
             "uniqueItems": true
           },
           {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
-          {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
-          },
-          {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
           },
           {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
           },
           {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+            "$ref": "#/parameters/force-tOGGb0Yi"
           }
         ],
         "produces": [
@@ -59704,78 +59823,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "certificates_v1beta1"
-        ],
-        "x-kubernetes-action": "deletecollection",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1beta1"
-        }
-      },
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "list or watch objects of kind ClusterTrustBundle",
-        "operationId": "listCertificatesV1beta1ClusterTrustBundle",
-        "parameters": [
-          {
-            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-          },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
-          },
-          {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-          },
-          {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-          },
-          {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-          },
-          {
-            "$ref": "#/parameters/watch-XNNPZGbK"
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
+          "201": {
+            "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundleList"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59788,31 +59842,26 @@
         "tags": [
           "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "list",
+        "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        }
-      ],
-      "post": {
+      "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "create a ClusterTrustBundle",
-        "operationId": "createCertificatesV1beta1ClusterTrustBundle",
+        "description": "replace status of the specified PodCertificateRequest",
+        "operationId": "replaceCertificatesV1beta1NamespacedPodCertificateRequestStatus",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           {
@@ -59843,19 +59892,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
             }
           },
           "401": {
@@ -59868,62 +59911,35 @@
         "tags": [
           "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "post",
+        "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       }
     },
-    "/apis/certificates.k8s.io/v1beta1/clustertrustbundles/{name}": {
-      "delete": {
+    "/apis/certificates.k8s.io/v1beta1/podcertificaterequests": {
+      "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a ClusterTrustBundle",
-        "operationId": "deleteCertificatesV1beta1ClusterTrustBundle",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
-          },
-          {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          }
-        ],
+        "description": "list or watch objects of kind PodCertificateRequest",
+        "operationId": "listCertificatesV1beta1PodCertificateRequestForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
             }
           },
           "401": {
@@ -59936,30 +59952,70 @@
         "tags": [
           "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "delete",
+        "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified ClusterTrustBundle",
-        "operationId": "readCertificatesV1beta1ClusterTrustBundle",
+        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1ClusterTrustBundleList",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -59972,7 +60028,7 @@
         "tags": [
           "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "get",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "ClusterTrustBundle",
@@ -59981,69 +60037,61 @@
       },
       "parameters": [
         {
-          "description": "name of the ClusterTrustBundle",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
         },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ],
-      "patch": {
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles/{name}": {
+      "get": {
         "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml",
-          "application/apply-patch+cbor"
-        ],
-        "description": "partially update the specified ClusterTrustBundle",
-        "operationId": "patchCertificatesV1beta1ClusterTrustBundle",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-78PwaGsr"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-7c6nTn1T"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/force-tOGGb0Yi"
-          }
+          "*/*"
         ],
+        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1beta1ClusterTrustBundle",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -60056,90 +60104,64 @@
         "tags": [
           "certificates_v1beta1"
         ],
-        "x-kubernetes-action": "patch",
+        "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
           "kind": "ClusterTrustBundle",
           "version": "v1beta1"
         }
       },
-      "put": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "replace the specified ClusterTrustBundle",
-        "operationId": "replaceCertificatesV1beta1ClusterTrustBundle",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
         },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "certificates_v1beta1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1beta1"
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the ClusterTrustBundle",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      }
+      ]
     },
-    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles": {
+    "/apis/certificates.k8s.io/v1beta1/watch/namespaces/{namespace}/podcertificaterequests": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1beta1ClusterTrustBundleList",
+        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1NamespacedPodCertificateRequestList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -60169,7 +60191,7 @@
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
@@ -60189,6 +60211,9 @@
         {
           "$ref": "#/parameters/limit-1NfNmdNH"
         },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         },
@@ -60209,13 +60234,13 @@
         }
       ]
     },
-    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles/{name}": {
+    "/apis/certificates.k8s.io/v1beta1/watch/namespaces/{namespace}/podcertificaterequests/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1beta1ClusterTrustBundle",
+        "description": "watch changes to an object of kind PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1beta1NamespacedPodCertificateRequest",
         "produces": [
           "application/json",
           "application/yaml",
@@ -60245,7 +60270,7 @@
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
@@ -60266,13 +60291,92 @@
           "$ref": "#/parameters/limit-1NfNmdNH"
         },
         {
-          "description": "name of the ClusterTrustBundle",
+          "description": "name of the PodCertificateRequest",
           "in": "path",
           "name": "name",
           "required": true,
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/podcertificaterequests": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1PodCertificateRequestListForAllNamespaces",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         },
@@ -81462,6 +81566,197 @@
         }
       }
     },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules/{name}/status": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read status of the specified DeviceTaintRule",
+        "operationId": "readResourceV1alpha3DeviceTaintRuleStatus",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
+        ],
+        "description": "partially update status of the specified DeviceTaintRule",
+        "operationId": "patchResourceV1alpha3DeviceTaintRuleStatus",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-78PwaGsr"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace status of the specified DeviceTaintRule",
+        "operationId": "replaceResourceV1alpha3DeviceTaintRuleStatus",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
     "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules": {
       "get": {
         "consumes": [
@@ -88690,40 +88985,7 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/": {
-      "get": {
-        "consumes": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "description": "get information of a group",
-        "operationId": "getStorageAPIGroup",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage"
-        ]
-      }
-    },
-    "/apis/storage.k8s.io/v1/": {
+    "/apis/scheduling.k8s.io/v1alpha1/": {
       "get": {
         "consumes": [
           "application/json",
@@ -88732,7 +88994,7 @@
           "application/cbor"
         ],
         "description": "get available resources",
-        "operationId": "getStorageV1APIResources",
+        "operationId": "getSchedulingV1alpha1APIResources",
         "produces": [
           "application/json",
           "application/yaml",
@@ -88754,17 +89016,17 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ]
       }
     },
-    "/apis/storage.k8s.io/v1/csidrivers": {
+    "/apis/scheduling.k8s.io/v1alpha1/namespaces/{namespace}/workloads": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of CSIDriver",
-        "operationId": "deleteStorageV1CollectionCSIDriver",
+        "description": "delete collection of Workload",
+        "operationId": "deleteSchedulingV1alpha1CollectionNamespacedWorkload",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -88834,21 +89096,21 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
         }
       },
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind CSIDriver",
-        "operationId": "listStorageV1CSIDriver",
+        "description": "list or watch objects of kind Workload",
+        "operationId": "listSchedulingV1alpha1NamespacedWorkload",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -88894,7 +89156,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriverList"
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.WorkloadList"
             }
           },
           "401": {
@@ -88905,16 +89167,19 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
         }
       },
       "parameters": [
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -88923,15 +89188,281 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a CSIDriver",
-        "operationId": "createStorageV1CSIDriver",
+        "description": "create a Workload",
+        "operationId": "createSchedulingV1alpha1NamespacedWorkload",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/namespaces/{namespace}/workloads/{name}": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete a Workload",
+        "operationId": "deleteSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read the specified Workload",
+        "operationId": "readSchedulingV1alpha1NamespacedWorkload",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the Workload",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
+        ],
+        "description": "partially update the specified Workload",
+        "operationId": "patchSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-78PwaGsr"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace the specified Workload",
+        "operationId": "replaceSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
             }
           },
           {
@@ -88956,25 +89487,139 @@
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.Workload"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/watch/namespaces/{namespace}/workloads": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of Workload. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchSchedulingV1alpha1NamespacedWorkloadList",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/watch/namespaces/{namespace}/workloads/{name}": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch changes to an object of kind Workload. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchSchedulingV1alpha1NamespacedWorkload",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -88985,64 +89630,83 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ],
-        "x-kubernetes-action": "post",
+        "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
         }
-      }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the Workload",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
     },
-    "/apis/storage.k8s.io/v1/csidrivers/{name}": {
-      "delete": {
+    "/apis/scheduling.k8s.io/v1alpha1/watch/workloads": {
+      "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a CSIDriver",
-        "operationId": "deleteStorageV1CSIDriver",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
-          },
-          {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          }
-        ],
+        "description": "watch individual changes to a list of Workload. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchSchedulingV1alpha1WorkloadListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -89053,32 +89717,72 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ],
-        "x-kubernetes-action": "delete",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
         }
       },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/workloads": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified CSIDriver",
-        "operationId": "readStorageV1CSIDriver",
+        "description": "list or watch objects of kind Workload",
+        "operationId": "listSchedulingV1alpha1WorkloadForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.api.scheduling.v1alpha1.WorkloadList"
             }
           },
           "401": {
@@ -89089,80 +89793,70 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
+          "scheduling_v1alpha1"
         ],
-        "x-kubernetes-action": "get",
+        "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
         }
       },
       "parameters": [
         {
-          "description": "name of the CSIDriver",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
         },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ],
-      "patch": {
+      ]
+    },
+    "/apis/storage.k8s.io/": {
+      "get": {
         "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml",
-          "application/apply-patch+cbor"
-        ],
-        "description": "partially update the specified CSIDriver",
-        "operationId": "patchStorageV1CSIDriver",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-78PwaGsr"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-7c6nTn1T"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/force-tOGGb0Yi"
-          }
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf"
         ],
+        "description": "get information of a group",
+        "operationId": "getStorageAPIGroup",
         "produces": [
           "application/json",
           "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/vnd.kubernetes.protobuf"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"
             }
           },
           "401": {
@@ -89173,48 +89867,20 @@
           "https"
         ],
         "tags": [
-          "storage_v1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
-        }
-      },
-      "put": {
+          "storage"
+        ]
+      }
+    },
+    "/apis/storage.k8s.io/v1/": {
+      "get": {
         "consumes": [
-          "*/*"
-        ],
-        "description": "replace the specified CSIDriver",
-        "operationId": "replaceStorageV1CSIDriver",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
         ],
+        "description": "get available resources",
+        "operationId": "getStorageV1APIResources",
         "produces": [
           "application/json",
           "application/yaml",
@@ -89225,13 +89891,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
             }
           },
           "401": {
@@ -89243,22 +89903,16 @@
         ],
         "tags": [
           "storage_v1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
-        }
+        ]
       }
     },
-    "/apis/storage.k8s.io/v1/csinodes": {
+    "/apis/storage.k8s.io/v1/csidrivers": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of CSINode",
-        "operationId": "deleteStorageV1CollectionCSINode",
+        "description": "delete collection of CSIDriver",
+        "operationId": "deleteStorageV1CollectionCSIDriver",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -89333,7 +89987,7 @@
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -89341,8 +89995,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind CSINode",
-        "operationId": "listStorageV1CSINode",
+        "description": "list or watch objects of kind CSIDriver",
+        "operationId": "listStorageV1CSIDriver",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -89388,7 +90042,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINodeList"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriverList"
             }
           },
           "401": {
@@ -89404,7 +90058,7 @@
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -89417,15 +90071,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a CSINode",
-        "operationId": "createStorageV1CSINode",
+        "description": "create a CSIDriver",
+        "operationId": "createStorageV1CSIDriver",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           {
@@ -89456,19 +90110,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "401": {
@@ -89484,18 +90138,18 @@
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/csinodes/{name}": {
+    "/apis/storage.k8s.io/v1/csidrivers/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a CSINode",
-        "operationId": "deleteStorageV1CSINode",
+        "description": "delete a CSIDriver",
+        "operationId": "deleteStorageV1CSIDriver",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -89530,13 +90184,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "401": {
@@ -89552,7 +90206,7 @@
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -89560,8 +90214,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified CSINode",
-        "operationId": "readStorageV1CSINode",
+        "description": "read the specified CSIDriver",
+        "operationId": "readStorageV1CSIDriver",
         "produces": [
           "application/json",
           "application/yaml",
@@ -89572,7 +90226,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "401": {
@@ -89588,13 +90242,13 @@
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the CSINode",
+          "description": "name of the CSIDriver",
           "in": "path",
           "name": "name",
           "required": true,
@@ -89613,8 +90267,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified CSINode",
-        "operationId": "patchStorageV1CSINode",
+        "description": "partially update the specified CSIDriver",
+        "operationId": "patchStorageV1CSIDriver",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -89650,13 +90304,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "401": {
@@ -89672,7 +90326,7 @@
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -89680,15 +90334,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified CSINode",
-        "operationId": "replaceStorageV1CSINode",
+        "description": "replace the specified CSIDriver",
+        "operationId": "replaceStorageV1CSIDriver",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           {
@@ -89719,13 +90373,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIDriver"
             }
           },
           "401": {
@@ -89741,94 +90395,18 @@
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/csistoragecapacities": {
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "list or watch objects of kind CSIStorageCapacity",
-        "operationId": "listStorageV1CSIStorageCapacityForAllNamespaces",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
-          "version": "v1"
-        }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities": {
+    "/apis/storage.k8s.io/v1/csinodes": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of CSIStorageCapacity",
-        "operationId": "deleteStorageV1CollectionNamespacedCSIStorageCapacity",
+        "description": "delete collection of CSINode",
+        "operationId": "deleteStorageV1CollectionCSINode",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -89903,7 +90481,7 @@
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
@@ -89911,8 +90489,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind CSIStorageCapacity",
-        "operationId": "listStorageV1NamespacedCSIStorageCapacity",
+        "description": "list or watch objects of kind CSINode",
+        "operationId": "listStorageV1CSINode",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -89958,7 +90536,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINodeList"
             }
           },
           "401": {
@@ -89974,14 +90552,11 @@
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
       "parameters": [
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -89990,15 +90565,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a CSIStorageCapacity",
-        "operationId": "createStorageV1NamespacedCSIStorageCapacity",
+        "description": "create a CSINode",
+        "operationId": "createStorageV1CSINode",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           {
@@ -90029,19 +90604,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "401": {
@@ -90057,18 +90632,18 @@
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}": {
+    "/apis/storage.k8s.io/v1/csinodes/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a CSIStorageCapacity",
-        "operationId": "deleteStorageV1NamespacedCSIStorageCapacity",
+        "description": "delete a CSINode",
+        "operationId": "deleteStorageV1CSINode",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -90103,13 +90678,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "401": {
@@ -90125,7 +90700,7 @@
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
@@ -90133,8 +90708,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified CSIStorageCapacity",
-        "operationId": "readStorageV1NamespacedCSIStorageCapacity",
+        "description": "read the specified CSINode",
+        "operationId": "readStorageV1CSINode",
         "produces": [
           "application/json",
           "application/yaml",
@@ -90145,7 +90720,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "401": {
@@ -90161,22 +90736,19 @@
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the CSIStorageCapacity",
+          "description": "name of the CSINode",
           "in": "path",
           "name": "name",
           "required": true,
           "type": "string",
           "uniqueItems": true
         },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -90189,8 +90761,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified CSIStorageCapacity",
-        "operationId": "patchStorageV1NamespacedCSIStorageCapacity",
+        "description": "partially update the specified CSINode",
+        "operationId": "patchStorageV1CSINode",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -90226,13 +90798,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "401": {
@@ -90248,7 +90820,7 @@
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
@@ -90256,15 +90828,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified CSIStorageCapacity",
-        "operationId": "replaceStorageV1NamespacedCSIStorageCapacity",
+        "description": "replace the specified CSINode",
+        "operationId": "replaceStorageV1CSINode",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           {
@@ -90295,13 +90867,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSINode"
             }
           },
           "401": {
@@ -90317,18 +90889,94 @@
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "CSINode",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/storageclasses": {
+    "/apis/storage.k8s.io/v1/csistoragecapacities": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "list or watch objects of kind CSIStorageCapacity",
+        "operationId": "listStorageV1CSIStorageCapacityForAllNamespaces",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "storage_v1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "storage.k8s.io",
+          "kind": "CSIStorageCapacity",
+          "version": "v1"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of StorageClass",
-        "operationId": "deleteStorageV1CollectionStorageClass",
+        "description": "delete collection of CSIStorageCapacity",
+        "operationId": "deleteStorageV1CollectionNamespacedCSIStorageCapacity",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -90403,7 +91051,7 @@
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       },
@@ -90411,8 +91059,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind StorageClass",
-        "operationId": "listStorageV1StorageClass",
+        "description": "list or watch objects of kind CSIStorageCapacity",
+        "operationId": "listStorageV1NamespacedCSIStorageCapacity",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -90458,7 +91106,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClassList"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"
             }
           },
           "401": {
@@ -90474,11 +91122,14 @@
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       },
       "parameters": [
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -90487,15 +91138,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a StorageClass",
-        "operationId": "createStorageV1StorageClass",
+        "description": "create a CSIStorageCapacity",
+        "operationId": "createStorageV1NamespacedCSIStorageCapacity",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           {
@@ -90526,19 +91177,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "401": {
@@ -90554,18 +91205,18 @@
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/storageclasses/{name}": {
+    "/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a StorageClass",
-        "operationId": "deleteStorageV1StorageClass",
+        "description": "delete a CSIStorageCapacity",
+        "operationId": "deleteStorageV1NamespacedCSIStorageCapacity",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -90600,13 +91251,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "401": {
@@ -90622,7 +91273,7 @@
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       },
@@ -90630,8 +91281,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified StorageClass",
-        "operationId": "readStorageV1StorageClass",
+        "description": "read the specified CSIStorageCapacity",
+        "operationId": "readStorageV1NamespacedCSIStorageCapacity",
         "produces": [
           "application/json",
           "application/yaml",
@@ -90642,7 +91293,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "401": {
@@ -90658,19 +91309,22 @@
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the StorageClass",
+          "description": "name of the CSIStorageCapacity",
           "in": "path",
           "name": "name",
           "required": true,
           "type": "string",
           "uniqueItems": true
         },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
@@ -90683,8 +91337,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified StorageClass",
-        "operationId": "patchStorageV1StorageClass",
+        "description": "partially update the specified CSIStorageCapacity",
+        "operationId": "patchStorageV1NamespacedCSIStorageCapacity",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -90720,13 +91374,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "401": {
@@ -90742,7 +91396,7 @@
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       },
@@ -90750,15 +91404,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified StorageClass",
-        "operationId": "replaceStorageV1StorageClass",
+        "description": "replace the specified CSIStorageCapacity",
+        "operationId": "replaceStorageV1NamespacedCSIStorageCapacity",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           {
@@ -90789,13 +91443,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"
             }
           },
           "401": {
@@ -90811,18 +91465,18 @@
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "CSIStorageCapacity",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/volumeattachments": {
+    "/apis/storage.k8s.io/v1/storageclasses": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of VolumeAttachment",
-        "operationId": "deleteStorageV1CollectionVolumeAttachment",
+        "description": "delete collection of StorageClass",
+        "operationId": "deleteStorageV1CollectionStorageClass",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -90897,7 +91551,7 @@
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       },
@@ -90905,8 +91559,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind VolumeAttachment",
-        "operationId": "listStorageV1VolumeAttachment",
+        "description": "list or watch objects of kind StorageClass",
+        "operationId": "listStorageV1StorageClass",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -90952,7 +91606,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachmentList"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClassList"
             }
           },
           "401": {
@@ -90968,7 +91622,7 @@
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       },
@@ -90981,15 +91635,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "create a VolumeAttachment",
-        "operationId": "createStorageV1VolumeAttachment",
+        "description": "create a StorageClass",
+        "operationId": "createStorageV1StorageClass",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           {
@@ -91020,19 +91674,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "401": {
@@ -91048,18 +91702,18 @@
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/volumeattachments/{name}": {
+    "/apis/storage.k8s.io/v1/storageclasses/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a VolumeAttachment",
-        "operationId": "deleteStorageV1VolumeAttachment",
+        "description": "delete a StorageClass",
+        "operationId": "deleteStorageV1StorageClass",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -91094,13 +91748,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "401": {
@@ -91116,7 +91770,7 @@
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       },
@@ -91124,8 +91778,8 @@
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified VolumeAttachment",
-        "operationId": "readStorageV1VolumeAttachment",
+        "description": "read the specified StorageClass",
+        "operationId": "readStorageV1StorageClass",
         "produces": [
           "application/json",
           "application/yaml",
@@ -91136,7 +91790,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "401": {
@@ -91152,13 +91806,13 @@
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the VolumeAttachment",
+          "description": "name of the StorageClass",
           "in": "path",
           "name": "name",
           "required": true,
@@ -91177,8 +91831,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified VolumeAttachment",
-        "operationId": "patchStorageV1VolumeAttachment",
+        "description": "partially update the specified StorageClass",
+        "operationId": "patchStorageV1StorageClass",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -91214,13 +91868,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "401": {
@@ -91236,7 +91890,7 @@
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       },
@@ -91244,15 +91898,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified VolumeAttachment",
-        "operationId": "replaceStorageV1VolumeAttachment",
+        "description": "replace the specified StorageClass",
+        "operationId": "replaceStorageV1StorageClass",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           {
@@ -91283,13 +91937,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.StorageClass"
             }
           },
           "401": {
@@ -91305,18 +91959,66 @@
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "StorageClass",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/volumeattachments/{name}/status": {
-      "get": {
+    "/apis/storage.k8s.io/v1/volumeattachments": {
+      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "read status of the specified VolumeAttachment",
-        "operationId": "readStorageV1VolumeAttachmentStatus",
+        "description": "delete collection of VolumeAttachment",
+        "operationId": "deleteStorageV1CollectionVolumeAttachment",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
@@ -91327,7 +92029,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "401": {
@@ -91340,78 +92042,65 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "get",
+        "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
           "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
-      "parameters": [
-        {
-          "description": "name of the VolumeAttachment",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        }
-      ],
-      "patch": {
+      "get": {
         "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml",
-          "application/apply-patch+cbor"
+          "*/*"
         ],
-        "description": "partially update status of the specified VolumeAttachment",
-        "operationId": "patchStorageV1VolumeAttachmentStatus",
+        "description": "list or watch objects of kind VolumeAttachment",
+        "operationId": "listStorageV1VolumeAttachment",
         "parameters": [
           {
-            "$ref": "#/parameters/body-78PwaGsr"
+            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
           },
           {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
+            "$ref": "#/parameters/continue-QfD61s0i"
           },
           {
-            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
           },
           {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
           },
           {
-            "$ref": "#/parameters/force-tOGGb0Yi"
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          },
+          {
+            "$ref": "#/parameters/watch-XNNPZGbK"
           }
         ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachmentList"
             }
           },
           "401": {
@@ -91424,19 +92113,24 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "patch",
+        "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
           "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
-      "put": {
+      "parameters": [
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "post": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace status of the specified VolumeAttachment",
-        "operationId": "replaceStorageV1VolumeAttachmentStatus",
+        "description": "create a VolumeAttachment",
+        "operationId": "createStorageV1VolumeAttachment",
         "parameters": [
           {
             "in": "body",
@@ -91483,6 +92177,12 @@
               "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+            }
+          },
           "401": {
             "description": "Unauthorized"
           }
@@ -91493,7 +92193,7 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "put",
+        "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
           "kind": "VolumeAttachment",
@@ -91501,20 +92201,17 @@
         }
       }
     },
-    "/apis/storage.k8s.io/v1/volumeattributesclasses": {
+    "/apis/storage.k8s.io/v1/volumeattachments/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of VolumeAttributesClass",
-        "operationId": "deleteStorageV1CollectionVolumeAttributesClass",
+        "description": "delete a VolumeAttachment",
+        "operationId": "deleteStorageV1VolumeAttachment",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
           },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
-          },
           {
             "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
             "in": "query",
@@ -91522,38 +92219,17 @@
             "type": "string",
             "uniqueItems": true
           },
-          {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
           {
             "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
           },
           {
             "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
           },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
           {
             "$ref": "#/parameters/orphanDependents-uRB25kX5"
           },
           {
             "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-          },
-          {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-          },
-          {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
           }
         ],
         "produces": [
@@ -91566,7 +92242,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91579,10 +92261,10 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
@@ -91590,54 +92272,19 @@
         "consumes": [
           "*/*"
         ],
-        "description": "list or watch objects of kind VolumeAttributesClass",
-        "operationId": "listStorageV1VolumeAttributesClass",
-        "parameters": [
-          {
-            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-          },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
-          },
-          {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-          },
-          {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-          },
-          {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-          },
-          {
-            "$ref": "#/parameters/watch-XNNPZGbK"
-          }
-        ],
+        "description": "read the specified VolumeAttachment",
+        "operationId": "readStorageV1VolumeAttachment",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClassList"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91650,32 +92297,39 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "list",
+        "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
       "parameters": [
+        {
+          "description": "name of the VolumeAttachment",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
         }
       ],
-      "post": {
+      "patch": {
         "consumes": [
-          "*/*"
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
         ],
-        "description": "create a VolumeAttributesClass",
-        "operationId": "createStorageV1VolumeAttributesClass",
+        "description": "partially update the specified VolumeAttachment",
+        "operationId": "patchStorageV1VolumeAttachment",
         "parameters": [
           {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
-            }
+            "$ref": "#/parameters/body-78PwaGsr"
           },
           {
             "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
@@ -91685,7 +92339,7 @@
             "uniqueItems": true
           },
           {
-            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
           },
           {
             "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
@@ -91693,6 +92347,9 @@
             "name": "fieldValidation",
             "type": "string",
             "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
           }
         ],
         "produces": [
@@ -91705,19 +92362,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91730,24 +92381,27 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "post",
+        "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
-      }
-    },
-    "/apis/storage.k8s.io/v1/volumeattributesclasses/{name}": {
-      "delete": {
+      },
+      "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a VolumeAttributesClass",
-        "operationId": "deleteStorageV1VolumeAttributesClass",
+        "description": "replace the specified VolumeAttachment",
+        "operationId": "replaceStorageV1VolumeAttachment",
         "parameters": [
           {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
+            }
           },
           {
             "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
@@ -91757,16 +92411,14 @@
             "uniqueItems": true
           },
           {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
           },
           {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
           }
         ],
         "produces": [
@@ -91779,13 +92431,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
-          "202": {
-            "description": "Accepted",
+          "201": {
+            "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91798,19 +92450,21 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "delete",
+        "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
-      },
+      }
+    },
+    "/apis/storage.k8s.io/v1/volumeattachments/{name}/status": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified VolumeAttributesClass",
-        "operationId": "readStorageV1VolumeAttributesClass",
+        "description": "read status of the specified VolumeAttachment",
+        "operationId": "readStorageV1VolumeAttachmentStatus",
         "produces": [
           "application/json",
           "application/yaml",
@@ -91821,7 +92475,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91837,13 +92491,13 @@
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the VolumeAttributesClass",
+          "description": "name of the VolumeAttachment",
           "in": "path",
           "name": "name",
           "required": true,
@@ -91862,8 +92516,8 @@
           "application/apply-patch+yaml",
           "application/apply-patch+cbor"
         ],
-        "description": "partially update the specified VolumeAttributesClass",
-        "operationId": "patchStorageV1VolumeAttributesClass",
+        "description": "partially update status of the specified VolumeAttachment",
+        "operationId": "patchStorageV1VolumeAttachmentStatus",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -91899,13 +92553,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91921,7 +92575,7 @@
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
       },
@@ -91929,15 +92583,15 @@
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified VolumeAttributesClass",
-        "operationId": "replaceStorageV1VolumeAttributesClass",
+        "description": "replace status of the specified VolumeAttachment",
+        "operationId": "replaceStorageV1VolumeAttachmentStatus",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           {
@@ -91968,13 +92622,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttachment"
             }
           },
           "401": {
@@ -91990,108 +92644,77 @@
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "VolumeAttachment",
           "version": "v1"
         }
       }
     },
-    "/apis/storage.k8s.io/v1/watch/csidrivers": {
-      "get": {
+    "/apis/storage.k8s.io/v1/volumeattributesclasses": {
+      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1CSIDriverList",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-            }
+        "description": "delete collection of VolumeAttributesClass",
+        "operationId": "deleteStorageV1CollectionVolumeAttributesClass",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
           },
-          "401": {
-            "description": "Unauthorized"
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
           }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSIDriver",
-          "version": "v1"
-        }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/csidrivers/{name}": {
-      "get": {
-        "consumes": [
-          "*/*"
         ],
-        "description": "watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1CSIDriver",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
             }
           },
           "401": {
@@ -92104,64 +92727,51 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watch",
+        "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIDriver",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "description": "name of the CSIDriver",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/csinodes": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1CSINodeList",
+        "description": "list or watch objects of kind VolumeAttributesClass",
+        "operationId": "listStorageV1VolumeAttributesClass",
+        "parameters": [
+          {
+            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+          },
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          },
+          {
+            "$ref": "#/parameters/watch-XNNPZGbK"
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
@@ -92175,7 +92785,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClassList"
             }
           },
           "401": {
@@ -92188,154 +92798,74 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSINode",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
       },
       "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/csinodes/{name}": {
-      "get": {
+      ],
+      "post": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1CSINode",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
+        "description": "create a VolumeAttributesClass",
+        "operationId": "createStorageV1VolumeAttributesClass",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
-          "401": {
-            "description": "Unauthorized"
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
           }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1"
-        ],
-        "x-kubernetes-action": "watch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "CSINode",
-          "version": "v1"
-        }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "description": "name of the CSINode",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/csistoragecapacities": {
-      "get": {
-        "consumes": [
-          "*/*"
         ],
-        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1CSIStorageCapacityListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
           "401": {
@@ -92348,70 +92878,62 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
+      }
     },
-    "/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities": {
-      "get": {
+    "/apis/storage.k8s.io/v1/volumeattributesclasses/{name}": {
+      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1NamespacedCSIStorageCapacityList",
+        "description": "delete a VolumeAttributesClass",
+        "operationId": "deleteStorageV1VolumeAttributesClass",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
           "401": {
@@ -92424,73 +92946,30 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1NamespacedCSIStorageCapacity",
+        "description": "read the specified VolumeAttributesClass",
+        "operationId": "readStorageV1VolumeAttributesClass",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
           "401": {
@@ -92503,81 +92982,78 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watch",
+        "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "CSIStorageCapacity",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
       },
       "parameters": [
         {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "description": "name of the CSIStorageCapacity",
+          "description": "name of the VolumeAttributesClass",
           "in": "path",
           "name": "name",
           "required": true,
           "type": "string",
           "uniqueItems": true
         },
-        {
-          "$ref": "#/parameters/namespace-vgWSWtn3"
-        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/storageclasses": {
-      "get": {
+      ],
+      "patch": {
         "consumes": [
-          "*/*"
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
+        ],
+        "description": "partially update the specified VolumeAttributesClass",
+        "operationId": "patchStorageV1VolumeAttributesClass",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-78PwaGsr"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
+          }
         ],
-        "description": "watch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1StorageClassList",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
           "401": {
@@ -92590,70 +93066,63 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
       },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1/watch/storageclasses/{name}": {
-      "get": {
+      "put": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1StorageClass",
+        "description": "replace the specified VolumeAttributesClass",
+        "operationId": "replaceStorageV1VolumeAttributesClass",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor",
-          "application/json;stream=watch",
-          "application/vnd.kubernetes.protobuf;stream=watch",
-          "application/cbor-seq"
+          "application/cbor"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.storage.v1.VolumeAttributesClass"
             }
           },
           "401": {
@@ -92666,64 +93135,21 @@
         "tags": [
           "storage_v1"
         ],
-        "x-kubernetes-action": "watch",
+        "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "StorageClass",
+          "kind": "VolumeAttributesClass",
           "version": "v1"
         }
-      },
-      "parameters": [
-        {
-          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-        },
-        {
-          "$ref": "#/parameters/continue-QfD61s0i"
-        },
-        {
-          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-        },
-        {
-          "$ref": "#/parameters/labelSelector-5Zw57w4C"
-        },
-        {
-          "$ref": "#/parameters/limit-1NfNmdNH"
-        },
-        {
-          "description": "name of the StorageClass",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "type": "string",
-          "uniqueItems": true
-        },
-        {
-          "$ref": "#/parameters/pretty-tJGM1-ng"
-        },
-        {
-          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-        },
-        {
-          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-        },
-        {
-          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-        },
-        {
-          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-        },
-        {
-          "$ref": "#/parameters/watch-XNNPZGbK"
-        }
-      ]
+      }
     },
-    "/apis/storage.k8s.io/v1/watch/volumeattachments": {
+    "/apis/storage.k8s.io/v1/watch/csidrivers": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1VolumeAttachmentList",
+        "description": "watch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1CSIDriverList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -92753,7 +93179,7 @@
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -92793,13 +93219,13 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/v1/watch/volumeattachments/{name}": {
+    "/apis/storage.k8s.io/v1/watch/csidrivers/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1VolumeAttachment",
+        "description": "watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStorageV1CSIDriver",
         "produces": [
           "application/json",
           "application/yaml",
@@ -92829,7 +93255,7 @@
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttachment",
+          "kind": "CSIDriver",
           "version": "v1"
         }
       },
@@ -92850,7 +93276,7 @@
           "$ref": "#/parameters/limit-1NfNmdNH"
         },
         {
-          "description": "name of the VolumeAttachment",
+          "description": "name of the CSIDriver",
           "in": "path",
           "name": "name",
           "required": true,
@@ -92877,13 +93303,13 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/v1/watch/volumeattributesclasses": {
+    "/apis/storage.k8s.io/v1/watch/csinodes": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch individual changes to a list of VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1VolumeAttributesClassList",
+        "description": "watch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1CSINodeList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -92913,7 +93339,7 @@
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
@@ -92953,13 +93379,13 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/v1/watch/volumeattributesclasses/{name}": {
+    "/apis/storage.k8s.io/v1/watch/csinodes/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "watch changes to an object of kind VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1VolumeAttributesClass",
+        "description": "watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStorageV1CSINode",
         "produces": [
           "application/json",
           "application/yaml",
@@ -92989,7 +93415,7 @@
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
+          "kind": "CSINode",
           "version": "v1"
         }
       },
@@ -93010,7 +93436,7 @@
           "$ref": "#/parameters/limit-1NfNmdNH"
         },
         {
-          "description": "name of the VolumeAttributesClass",
+          "description": "name of the CSINode",
           "in": "path",
           "name": "name",
           "required": true,
@@ -93037,107 +93463,27 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/v1alpha1/": {
+    "/apis/storage.k8s.io/v1/watch/csistoragecapacities": {
       "get": {
-        "consumes": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
-        ],
-        "description": "get available resources",
-        "operationId": "getStorageV1alpha1APIResources",
-        "produces": [
-          "application/json",
-          "application/yaml",
-          "application/vnd.kubernetes.protobuf",
-          "application/cbor"
-        ],
-        "responses": {
-          "200": {
-            "description": "OK",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-            }
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "schemes": [
-          "https"
-        ],
-        "tags": [
-          "storage_v1alpha1"
-        ]
-      }
-    },
-    "/apis/storage.k8s.io/v1alpha1/volumeattributesclasses": {
-      "delete": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete collection of VolumeAttributesClass",
-        "operationId": "deleteStorageV1alpha1CollectionVolumeAttributesClass",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
-          },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
-          {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
-          },
-          {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-          },
-          {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-          },
-          {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-          }
-        ],
+        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1CSIStorageCapacityListForAllNamespaces",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93148,53 +93494,58 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "CSIStorageCapacity",
+          "version": "v1"
         }
       },
-      "get": {
-        "consumes": [
-          "*/*"
-        ],
-        "description": "list or watch objects of kind VolumeAttributesClass",
-        "operationId": "listStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
-          },
-          {
-            "$ref": "#/parameters/continue-QfD61s0i"
-          },
-          {
-            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
-          },
-          {
-            "$ref": "#/parameters/labelSelector-5Zw57w4C"
-          },
-          {
-            "$ref": "#/parameters/limit-1NfNmdNH"
-          },
-          {
-            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
-          },
-          {
-            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
-          },
-          {
-            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
-          },
-          {
-            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
-          },
-          {
-            "$ref": "#/parameters/watch-XNNPZGbK"
-          }
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities": {
+      "get": {
+        "consumes": [
+          "*/*"
         ],
+        "description": "watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1NamespacedCSIStorageCapacityList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -93208,7 +93559,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93219,76 +93570,75 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "list",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "CSIStorageCapacity",
+          "version": "v1"
         }
       },
       "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ],
-      "post": {
+      ]
+    },
+    "/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities/{name}": {
+      "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "create a VolumeAttributesClass",
-        "operationId": "createStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
+        "description": "watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStorageV1NamespacedCSIStorageCapacity",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93299,64 +93649,83 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "post",
+        "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "CSIStorageCapacity",
+          "version": "v1"
         }
-      }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the CSIStorageCapacity",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/namespace-vgWSWtn3"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
     },
-    "/apis/storage.k8s.io/v1alpha1/volumeattributesclasses/{name}": {
-      "delete": {
+    "/apis/storage.k8s.io/v1/watch/storageclasses": {
+      "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "delete a VolumeAttributesClass",
-        "operationId": "deleteStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-2Y1dVQaQ"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
-          },
-          {
-            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
-          },
-          {
-            "$ref": "#/parameters/orphanDependents-uRB25kX5"
-          },
-          {
-            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
-          }
-        ],
+        "description": "watch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1StorageClassList",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          "202": {
-            "description": "Accepted",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93367,32 +93736,72 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "delete",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "StorageClass",
+          "version": "v1"
         }
       },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/storage.k8s.io/v1/watch/storageclasses/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "read the specified VolumeAttributesClass",
-        "operationId": "readStorageV1alpha1VolumeAttributesClass",
+        "description": "watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStorageV1StorageClass",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93403,18 +93812,33 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "get",
+        "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "StorageClass",
+          "version": "v1"
         }
       },
       "parameters": [
         {
-          "description": "name of the VolumeAttributesClass",
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the StorageClass",
           "in": "path",
           "name": "name",
           "required": true,
@@ -93423,60 +93847,45 @@
         },
         {
           "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
         }
-      ],
-      "patch": {
+      ]
+    },
+    "/apis/storage.k8s.io/v1/watch/volumeattachments": {
+      "get": {
         "consumes": [
-          "application/json-patch+json",
-          "application/merge-patch+json",
-          "application/strategic-merge-patch+json",
-          "application/apply-patch+yaml",
-          "application/apply-patch+cbor"
-        ],
-        "description": "partially update the specified VolumeAttributesClass",
-        "operationId": "patchStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "$ref": "#/parameters/body-78PwaGsr"
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-7c6nTn1T"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/force-tOGGb0Yi"
-          }
+          "*/*"
         ],
+        "description": "watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStorageV1VolumeAttachmentList",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93487,65 +93896,72 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "patch",
+        "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "VolumeAttachment",
+          "version": "v1"
         }
       },
-      "put": {
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/storage.k8s.io/v1/watch/volumeattachments/{name}": {
+      "get": {
         "consumes": [
           "*/*"
         ],
-        "description": "replace the specified VolumeAttributesClass",
-        "operationId": "replaceStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "in": "body",
-            "name": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "type": "string",
-            "uniqueItems": true
-          },
-          {
-            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "type": "string",
-            "uniqueItems": true
-          }
-        ],
+        "description": "watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStorageV1VolumeAttachment",
         "produces": [
           "application/json",
           "application/yaml",
           "application/vnd.kubernetes.protobuf",
-          "application/cbor"
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
         ],
         "responses": {
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-            }
-          },
-          "201": {
-            "description": "Created",
-            "schema": {
-              "$ref": "#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
             }
           },
           "401": {
@@ -93556,23 +93972,66 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
-        "x-kubernetes-action": "put",
+        "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "kind": "VolumeAttachment",
+          "version": "v1"
         }
-      }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the VolumeAttachment",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
     },
-    "/apis/storage.k8s.io/v1alpha1/watch/volumeattributesclasses": {
+    "/apis/storage.k8s.io/v1/watch/volumeattributesclasses": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1alpha1VolumeAttributesClassList",
+        "operationId": "watchStorageV1VolumeAttributesClassList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -93597,13 +94056,13 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
           "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "version": "v1"
         }
       },
       "parameters": [
@@ -93642,13 +94101,13 @@
         }
       ]
     },
-    "/apis/storage.k8s.io/v1alpha1/watch/volumeattributesclasses/{name}": {
+    "/apis/storage.k8s.io/v1/watch/volumeattributesclasses/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch changes to an object of kind VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1alpha1VolumeAttributesClass",
+        "operationId": "watchStorageV1VolumeAttributesClass",
         "produces": [
           "application/json",
           "application/yaml",
@@ -93673,13 +94132,13 @@
           "https"
         ],
         "tags": [
-          "storage_v1alpha1"
+          "storage_v1"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storage.k8s.io",
           "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
+          "version": "v1"
         }
       },
       "parameters": [
@@ -94448,7 +94907,7 @@
         ]
       }
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/": {
+    "/apis/storagemigration.k8s.io/v1beta1/": {
       "get": {
         "consumes": [
           "application/json",
@@ -94457,7 +94916,7 @@
           "application/cbor"
         ],
         "description": "get available resources",
-        "operationId": "getStoragemigrationV1alpha1APIResources",
+        "operationId": "getStoragemigrationV1beta1APIResources",
         "produces": [
           "application/json",
           "application/yaml",
@@ -94479,17 +94938,17 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ]
       }
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations": {
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete collection of StorageVersionMigration",
-        "operationId": "deleteStoragemigrationV1alpha1CollectionStorageVersionMigration",
+        "operationId": "deleteStoragemigrationV1beta1CollectionStorageVersionMigration",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -94559,13 +95018,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "deletecollection",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "get": {
@@ -94573,7 +95032,7 @@
           "*/*"
         ],
         "description": "list or watch objects of kind StorageVersionMigration",
-        "operationId": "listStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "listStoragemigrationV1beta1StorageVersionMigration",
         "parameters": [
           {
             "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
@@ -94619,7 +95078,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
             }
           },
           "401": {
@@ -94630,13 +95089,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "list",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
@@ -94649,14 +95108,14 @@
           "*/*"
         ],
         "description": "create a StorageVersionMigration",
-        "operationId": "createStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "createStoragemigrationV1beta1StorageVersionMigration",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           {
@@ -94687,19 +95146,19 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "202": {
             "description": "Accepted",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -94710,23 +95169,23 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "post",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations/{name}": {
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations/{name}": {
       "delete": {
         "consumes": [
           "*/*"
         ],
         "description": "delete a StorageVersionMigration",
-        "operationId": "deleteStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "deleteStoragemigrationV1beta1StorageVersionMigration",
         "parameters": [
           {
             "$ref": "#/parameters/body-2Y1dVQaQ"
@@ -94778,13 +95237,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "delete",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "get": {
@@ -94792,7 +95251,7 @@
           "*/*"
         ],
         "description": "read the specified StorageVersionMigration",
-        "operationId": "readStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "readStoragemigrationV1beta1StorageVersionMigration",
         "produces": [
           "application/json",
           "application/yaml",
@@ -94803,7 +95262,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -94814,13 +95273,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
@@ -94845,7 +95304,7 @@
           "application/apply-patch+cbor"
         ],
         "description": "partially update the specified StorageVersionMigration",
-        "operationId": "patchStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "patchStoragemigrationV1beta1StorageVersionMigration",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -94881,13 +95340,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -94898,13 +95357,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "put": {
@@ -94912,14 +95371,14 @@
           "*/*"
         ],
         "description": "replace the specified StorageVersionMigration",
-        "operationId": "replaceStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "replaceStoragemigrationV1beta1StorageVersionMigration",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           {
@@ -94950,13 +95409,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -94967,23 +95426,23 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations/{name}/status": {
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations/{name}/status": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "read status of the specified StorageVersionMigration",
-        "operationId": "readStoragemigrationV1alpha1StorageVersionMigrationStatus",
+        "operationId": "readStoragemigrationV1beta1StorageVersionMigrationStatus",
         "produces": [
           "application/json",
           "application/yaml",
@@ -94994,7 +95453,7 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -95005,13 +95464,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "get",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
@@ -95036,7 +95495,7 @@
           "application/apply-patch+cbor"
         ],
         "description": "partially update status of the specified StorageVersionMigration",
-        "operationId": "patchStoragemigrationV1alpha1StorageVersionMigrationStatus",
+        "operationId": "patchStoragemigrationV1beta1StorageVersionMigrationStatus",
         "parameters": [
           {
             "$ref": "#/parameters/body-78PwaGsr"
@@ -95072,13 +95531,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -95089,13 +95548,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "patch",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "put": {
@@ -95103,14 +95562,14 @@
           "*/*"
         ],
         "description": "replace status of the specified StorageVersionMigration",
-        "operationId": "replaceStoragemigrationV1alpha1StorageVersionMigrationStatus",
+        "operationId": "replaceStoragemigrationV1beta1StorageVersionMigrationStatus",
         "parameters": [
           {
             "in": "body",
             "name": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           {
@@ -95141,13 +95600,13 @@
           "200": {
             "description": "OK",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "201": {
             "description": "Created",
             "schema": {
-              "$ref": "#/definitions/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
+              "$ref": "#/definitions/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
             }
           },
           "401": {
@@ -95158,23 +95617,23 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "put",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       }
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/watch/storageversionmigrations": {
+    "/apis/storagemigration.k8s.io/v1beta1/watch/storageversionmigrations": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch individual changes to a list of StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStoragemigrationV1alpha1StorageVersionMigrationList",
+        "operationId": "watchStoragemigrationV1beta1StorageVersionMigrationList",
         "produces": [
           "application/json",
           "application/yaml",
@@ -95199,13 +95658,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
@@ -95244,13 +95703,13 @@
         }
       ]
     },
-    "/apis/storagemigration.k8s.io/v1alpha1/watch/storageversionmigrations/{name}": {
+    "/apis/storagemigration.k8s.io/v1beta1/watch/storageversionmigrations/{name}": {
       "get": {
         "consumes": [
           "*/*"
         ],
         "description": "watch changes to an object of kind StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStoragemigrationV1alpha1StorageVersionMigration",
+        "operationId": "watchStoragemigrationV1beta1StorageVersionMigration",
         "produces": [
           "application/json",
           "application/yaml",
@@ -95275,13 +95734,13 @@
           "https"
         ],
         "tags": [
-          "storagemigration_v1alpha1"
+          "storagemigration_v1beta1"
         ],
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "storagemigration.k8s.io",
           "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
+          "version": "v1beta1"
         }
       },
       "parameters": [
diff --git a/api/openapi-spec/v3/api__v1_openapi.json b/api/openapi-spec/v3/api__v1_openapi.json
index e97c10daeafab..8125c8ce3fc03 100644
--- a/api/openapi-spec/v3/api__v1_openapi.json
+++ b/api/openapi-spec/v3/api__v1_openapi.json
@@ -1230,7 +1230,7 @@
             "description": "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
           },
           "resizePolicy": {
-            "description": "Resources resize policy for the container.",
+            "description": "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
             "items": {
               "allOf": [
                 {
@@ -4222,6 +4222,15 @@
             "default": {},
             "description": "Endpoints of daemons running on the Node."
           },
+          "declaredFeatures": {
+            "description": "DeclaredFeatures represents the features related to feature gates that are declared by the node.",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
           "features": {
             "allOf": [
               {
@@ -4655,7 +4664,7 @@
               }
             ],
             "default": {},
-            "description": "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
+            "description": "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
           },
           "selector": {
             "allOf": [
@@ -4701,7 +4710,7 @@
               "default": "",
               "type": "string"
             },
-            "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+            "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
             "type": "object",
             "x-kubernetes-map-type": "granular"
           },
@@ -4709,7 +4718,7 @@
             "additionalProperties": {
               "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.api.resource.Quantity"
             },
-            "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+            "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
             "type": "object"
           },
           "capacity": {
@@ -5009,7 +5018,7 @@
                 "$ref": "#/components/schemas/io.k8s.api.core.v1.VolumeNodeAffinity"
               }
             ],
-            "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume."
+            "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled."
           },
           "persistentVolumeReclaimPolicy": {
             "description": "persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming",
@@ -5326,6 +5335,14 @@
           "signerName": {
             "description": "Kubelet's generated CSRs will be addressed to this signer.",
             "type": "string"
+          },
+          "userAnnotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
+            "type": "object"
           }
         },
         "required": [
@@ -5358,7 +5375,7 @@
             "type": "string"
           },
           "observedGeneration": {
-            "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+            "description": "If set, this represents the .metadata.generation that the pod condition was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
             "format": "int64",
             "type": "integer"
           },
@@ -5900,7 +5917,7 @@
             "x-kubernetes-list-type": "atomic"
           },
           "resourceClaims": {
-            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
             "items": {
               "allOf": [
                 {
@@ -6037,6 +6054,14 @@
             "x-kubernetes-list-type": "map",
             "x-kubernetes-patch-merge-key": "name",
             "x-kubernetes-patch-strategy": "merge,retainKeys"
+          },
+          "workloadRef": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.core.v1.WorkloadReference"
+              }
+            ],
+            "description": "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies."
           }
         },
         "required": [
@@ -6047,6 +6072,13 @@
       "io.k8s.api.core.v1.PodStatus": {
         "description": "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.",
         "properties": {
+          "allocatedResources": {
+            "additionalProperties": {
+              "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.api.resource.Quantity"
+            },
+            "description": "AllocatedResources is the total requests allocated for this pod by the node. If pod-level requests are not set, this will be the total requests aggregated across containers in the pod.",
+            "type": "object"
+          },
           "conditions": {
             "description": "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
             "items": {
@@ -6140,7 +6172,7 @@
             "type": "string"
           },
           "observedGeneration": {
-            "description": "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+            "description": "If set, this represents the .metadata.generation that the pod status was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
             "format": "int64",
             "type": "integer"
           },
@@ -6200,6 +6232,14 @@
             "x-kubernetes-patch-merge-key": "name",
             "x-kubernetes-patch-strategy": "merge,retainKeys"
           },
+          "resources": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.core.v1.ResourceRequirements"
+              }
+            ],
+            "description": "Resources represents the compute resource requests and limits that have been applied at the pod level if pod-level requests or limits are set in PodSpec.Resources"
+          },
           "startTime": {
             "allOf": [
               {
@@ -8227,7 +8267,7 @@
             "type": "string"
           },
           "operator": {
-            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
             "type": "string"
           },
           "tolerationSeconds": {
@@ -8855,6 +8895,30 @@
         },
         "type": "object"
       },
+      "io.k8s.api.core.v1.WorkloadReference": {
+        "description": "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+        "properties": {
+          "name": {
+            "default": "",
+            "description": "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+            "type": "string"
+          },
+          "podGroup": {
+            "default": "",
+            "description": "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+            "type": "string"
+          },
+          "podGroupReplicaKey": {
+            "description": "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "podGroup"
+        ],
+        "type": "object"
+      },
       "io.k8s.api.policy.v1.Eviction": {
         "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod.  A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.",
         "properties": {
@@ -9420,7 +9484,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -9745,8 +9809,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -10176,7 +10239,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json
index 8052dfe74be3e..cb41191363958 100644
--- a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1_openapi.json
@@ -1615,7 +1615,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1935,8 +1935,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2366,7 +2365,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json
index 58ce51a89a79f..c5ececfdf252e 100644
--- a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json
+++ b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1alpha1_openapi.json
@@ -979,7 +979,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1299,8 +1299,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1730,7 +1729,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json
index fd68d7687caf2..9f7492da45b6b 100644
--- a/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__admissionregistration.k8s.io__v1beta1_openapi.json
@@ -981,7 +981,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1301,8 +1301,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1732,7 +1731,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json
index 515e9554b1220..8f7af3a53f336 100644
--- a/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json
@@ -128,6 +128,11 @@
             "description": "message is a human-readable message indicating details about last transition.",
             "type": "string"
           },
+          "observedGeneration": {
+            "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+            "format": "int64",
+            "type": "integer"
+          },
           "reason": {
             "description": "reason is a unique, one-word, CamelCase reason for the condition's last transition.",
             "type": "string"
@@ -324,6 +329,11 @@
             ],
             "x-kubernetes-list-type": "map"
           },
+          "observedGeneration": {
+            "description": "The generation observed by the CRD controller.",
+            "format": "int64",
+            "type": "integer"
+          },
           "storedVersions": {
             "description": "storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.",
             "items": {
@@ -1338,7 +1348,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1601,8 +1611,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2032,7 +2041,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__apiregistration.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__apiregistration.k8s.io__v1_openapi.json
index 93a04cde7c05b..2eb04c986d1ee 100644
--- a/api/openapi-spec/v3/apis__apiregistration.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__apiregistration.k8s.io__v1_openapi.json
@@ -471,7 +471,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -734,8 +734,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1165,7 +1164,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__apps__v1_openapi.json b/api/openapi-spec/v3/apis__apps__v1_openapi.json
index 4224213dd3981..15df0b3735ed8 100644
--- a/api/openapi-spec/v3/apis__apps__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__apps__v1_openapi.json
@@ -610,7 +610,7 @@
             "type": "integer"
           },
           "terminatingReplicas": {
-            "description": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+            "description": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
             "format": "int32",
             "type": "integer"
           },
@@ -858,7 +858,7 @@
             "type": "integer"
           },
           "terminatingReplicas": {
-            "description": "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+            "description": "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
             "format": "int32",
             "type": "integer"
           }
@@ -921,7 +921,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.util.intstr.IntOrString"
               }
             ],
-            "description": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable."
+            "description": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time."
           },
           "partition": {
             "description": "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.",
@@ -1868,7 +1868,7 @@
             "description": "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
           },
           "resizePolicy": {
-            "description": "Resources resize policy for the container.",
+            "description": "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
             "items": {
               "allOf": [
                 {
@@ -3342,7 +3342,7 @@
               }
             ],
             "default": {},
-            "description": "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
+            "description": "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
           },
           "selector": {
             "allOf": [
@@ -3388,7 +3388,7 @@
               "default": "",
               "type": "string"
             },
-            "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+            "description": "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
             "type": "object",
             "x-kubernetes-map-type": "granular"
           },
@@ -3396,7 +3396,7 @@
             "additionalProperties": {
               "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.api.resource.Quantity"
             },
-            "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+            "description": "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
             "type": "object"
           },
           "capacity": {
@@ -3654,6 +3654,14 @@
           "signerName": {
             "description": "Kubelet's generated CSRs will be addressed to this signer.",
             "type": "string"
+          },
+          "userAnnotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
+            "type": "object"
           }
         },
         "required": [
@@ -4074,7 +4082,7 @@
             "x-kubernetes-list-type": "atomic"
           },
           "resourceClaims": {
-            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
             "items": {
               "allOf": [
                 {
@@ -4211,6 +4219,14 @@
             "x-kubernetes-list-type": "map",
             "x-kubernetes-patch-merge-key": "name",
             "x-kubernetes-patch-strategy": "merge,retainKeys"
+          },
+          "workloadRef": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.core.v1.WorkloadReference"
+              }
+            ],
+            "description": "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies."
           }
         },
         "required": [
@@ -4956,7 +4972,7 @@
             "type": "string"
           },
           "operator": {
-            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
             "type": "string"
           },
           "tolerationSeconds": {
@@ -5542,6 +5558,30 @@
         },
         "type": "object"
       },
+      "io.k8s.api.core.v1.WorkloadReference": {
+        "description": "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+        "properties": {
+          "name": {
+            "default": "",
+            "description": "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+            "type": "string"
+          },
+          "podGroup": {
+            "default": "",
+            "description": "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+            "type": "string"
+          },
+          "podGroupReplicaKey": {
+            "description": "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "podGroup"
+        ],
+        "type": "object"
+      },
       "io.k8s.apimachinery.pkg.api.resource.Quantity": {
         "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
         "oneOf": [
@@ -6023,7 +6063,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -6343,8 +6383,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -6774,7 +6813,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__autoscaling__v1_openapi.json b/api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
index e89070b446384..a6a895b4bd9f2 100644
--- a/api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__autoscaling__v1_openapi.json
@@ -664,7 +664,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -927,8 +927,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1358,7 +1357,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__autoscaling__v2_openapi.json b/api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
index 011a562d396f0..da9e7ef04f965 100644
--- a/api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
+++ b/api/openapi-spec/v3/apis__autoscaling__v2_openapi.json
@@ -170,7 +170,7 @@
         "type": "object"
       },
       "io.k8s.api.autoscaling.v2.HPAScalingRules": {
-        "description": "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.)",
+        "description": "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires the beta HPAConfigurableTolerance feature gate to be enabled.)",
         "properties": {
           "policies": {
             "description": "policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.",
@@ -200,7 +200,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.api.resource.Quantity"
               }
             ],
-            "description": "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an alpha field and requires enabling the HPAConfigurableTolerance feature gate."
+            "description": "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled."
           }
         },
         "type": "object"
@@ -1324,7 +1324,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1644,8 +1644,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2075,7 +2074,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__batch__v1_openapi.json b/api/openapi-spec/v3/apis__batch__v1_openapi.json
index fb22cbf0f978e..2df1e47230b57 100644
--- a/api/openapi-spec/v3/apis__batch__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__batch__v1_openapi.json
@@ -345,7 +345,7 @@
             "type": "integer"
           },
           "managedBy": {
-            "description": "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.\n\nThis field is beta-level. The job controller accepts setting the field when the feature gate JobManagedBy is enabled (enabled by default).",
+            "description": "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.",
             "type": "string"
           },
           "manualSelector": {
@@ -582,8 +582,7 @@
           }
         },
         "required": [
-          "type",
-          "status"
+          "type"
         ],
         "type": "object"
       },
@@ -1207,7 +1206,7 @@
             "description": "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
           },
           "resizePolicy": {
-            "description": "Resources resize policy for the container.",
+            "description": "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
             "items": {
               "allOf": [
                 {
@@ -2606,7 +2605,7 @@
               }
             ],
             "default": {},
-            "description": "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
+            "description": "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources"
           },
           "selector": {
             "allOf": [
@@ -2846,6 +2845,14 @@
           "signerName": {
             "description": "Kubelet's generated CSRs will be addressed to this signer.",
             "type": "string"
+          },
+          "userAnnotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
+            "type": "object"
           }
         },
         "required": [
@@ -3266,7 +3273,7 @@
             "x-kubernetes-list-type": "atomic"
           },
           "resourceClaims": {
-            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+            "description": "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
             "items": {
               "allOf": [
                 {
@@ -3403,6 +3410,14 @@
             "x-kubernetes-list-type": "map",
             "x-kubernetes-patch-merge-key": "name",
             "x-kubernetes-patch-strategy": "merge,retainKeys"
+          },
+          "workloadRef": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.core.v1.WorkloadReference"
+              }
+            ],
+            "description": "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies."
           }
         },
         "required": [
@@ -4148,7 +4163,7 @@
             "type": "string"
           },
           "operator": {
-            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
             "type": "string"
           },
           "tolerationSeconds": {
@@ -4734,6 +4749,30 @@
         },
         "type": "object"
       },
+      "io.k8s.api.core.v1.WorkloadReference": {
+        "description": "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+        "properties": {
+          "name": {
+            "default": "",
+            "description": "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+            "type": "string"
+          },
+          "podGroup": {
+            "default": "",
+            "description": "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+            "type": "string"
+          },
+          "podGroupReplicaKey": {
+            "description": "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "podGroup"
+        ],
+        "type": "object"
+      },
       "io.k8s.apimachinery.pkg.api.resource.Quantity": {
         "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
         "oneOf": [
@@ -5215,7 +5254,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -5535,8 +5574,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -5966,7 +6004,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json
index 41ca88bd80dd4..980da428dc7a3 100644
--- a/api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__certificates.k8s.io__v1_openapi.json
@@ -170,8 +170,7 @@
           "request": {
             "description": "request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.",
             "format": "byte",
-            "type": "string",
-            "x-kubernetes-list-type": "atomic"
+            "type": "string"
           },
           "signerName": {
             "default": "",
@@ -208,8 +207,7 @@
           "certificate": {
             "description": "certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificate must contain one or more PEM blocks.\n 2. All PEM blocks must have the \"CERTIFICATE\" label, contain no headers, and the encoded data\n  must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.\n 3. Non-PEM content may appear before or after the \"CERTIFICATE\" PEM blocks and is unvalidated,\n  to allow for explanatory text as described in section 5.2 of RFC7468.\n\nIf more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.\n\nThe certificate is encoded in PEM format.\n\nWhen serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:\n\n    base64(\n    -----BEGIN CERTIFICATE-----\n    ...\n    -----END CERTIFICATE-----\n    )",
             "format": "byte",
-            "type": "string",
-            "x-kubernetes-list-type": "atomic"
+            "type": "string"
           },
           "conditions": {
             "description": "conditions applied to the request. Known conditions are \"Approved\", \"Denied\", and \"Failed\".",
@@ -700,7 +698,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -963,8 +961,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1394,7 +1391,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__certificates.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__certificates.k8s.io__v1alpha1_openapi.json
index 1efa34f31a57d..19759ae02dd9e 100644
--- a/api/openapi-spec/v3/apis__certificates.k8s.io__v1alpha1_openapi.json
+++ b/api/openapi-spec/v3/apis__certificates.k8s.io__v1alpha1_openapi.json
@@ -106,222 +106,6 @@
         ],
         "type": "object"
       },
-      "io.k8s.api.certificates.v1alpha1.PodCertificateRequest": {
-        "description": "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
-              }
-            ],
-            "default": {},
-            "description": "metadata contains the object metadata."
-          },
-          "spec": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec"
-              }
-            ],
-            "default": {},
-            "description": "spec contains the details about the certificate being requested."
-          },
-          "status": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus"
-              }
-            ],
-            "default": {},
-            "description": "status contains the issued certificate, and a standard set of conditions."
-          }
-        },
-        "required": [
-          "spec"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "certificates.k8s.io",
-            "kind": "PodCertificateRequest",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.api.certificates.v1alpha1.PodCertificateRequestList": {
-        "description": "PodCertificateRequestList is a collection of PodCertificateRequest objects",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "items": {
-            "description": "items is a collection of PodCertificateRequest objects",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
-              }
-            ],
-            "default": {},
-            "description": "metadata contains the list metadata."
-          }
-        },
-        "required": [
-          "items"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "certificates.k8s.io",
-            "kind": "PodCertificateRequestList",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec": {
-        "description": "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
-        "properties": {
-          "maxExpirationSeconds": {
-            "default": 86400,
-            "description": "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
-            "format": "int32",
-            "type": "integer"
-          },
-          "nodeName": {
-            "default": "",
-            "description": "nodeName is the name of the node the pod is assigned to.",
-            "type": "string"
-          },
-          "nodeUID": {
-            "default": "",
-            "description": "nodeUID is the UID of the node the pod is assigned to.",
-            "type": "string"
-          },
-          "pkixPublicKey": {
-            "description": "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
-            "format": "byte",
-            "type": "string"
-          },
-          "podName": {
-            "default": "",
-            "description": "podName is the name of the pod into which the certificate will be mounted.",
-            "type": "string"
-          },
-          "podUID": {
-            "default": "",
-            "description": "podUID is the UID of the pod into which the certificate will be mounted.",
-            "type": "string"
-          },
-          "proofOfPossession": {
-            "description": "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
-            "format": "byte",
-            "type": "string"
-          },
-          "serviceAccountName": {
-            "default": "",
-            "description": "serviceAccountName is the name of the service account the pod is running as.",
-            "type": "string"
-          },
-          "serviceAccountUID": {
-            "default": "",
-            "description": "serviceAccountUID is the UID of the service account the pod is running as.",
-            "type": "string"
-          },
-          "signerName": {
-            "default": "",
-            "description": "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "signerName",
-          "podName",
-          "podUID",
-          "serviceAccountName",
-          "serviceAccountUID",
-          "nodeName",
-          "nodeUID",
-          "pkixPublicKey",
-          "proofOfPossession"
-        ],
-        "type": "object"
-      },
-      "io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus": {
-        "description": "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
-        "properties": {
-          "beginRefreshAt": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary."
-          },
-          "certificateChain": {
-            "description": "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
-            "type": "string"
-          },
-          "conditions": {
-            "description": "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-map-keys": [
-              "type"
-            ],
-            "x-kubernetes-list-type": "map",
-            "x-kubernetes-patch-merge-key": "type",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "notAfter": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain."
-          },
-          "notBefore": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain."
-          }
-        },
-        "type": "object"
-      },
       "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
         "description": "APIResource specifies the name of a resource and whether it is namespaced.",
         "properties": {
@@ -436,52 +220,6 @@
           }
         ]
       },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": {
-        "description": "Condition contains details for one aspect of the current state of this API Resource.",
-        "properties": {
-          "lastTransitionTime": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable."
-          },
-          "message": {
-            "default": "",
-            "description": "message is a human readable message indicating details about the transition. This may be an empty string.",
-            "type": "string"
-          },
-          "observedGeneration": {
-            "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "reason": {
-            "default": "",
-            "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
-            "type": "string"
-          },
-          "status": {
-            "default": "",
-            "description": "status of the condition, one of True, False, Unknown.",
-            "type": "string"
-          },
-          "type": {
-            "default": "",
-            "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "type",
-          "status",
-          "lastTransitionTime",
-          "reason",
-          "message"
-        ],
-        "type": "object"
-      },
       "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
         "description": "DeleteOptions may be provided when deleting an API object.",
         "properties": {
@@ -838,7 +576,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1101,8 +839,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1532,7 +1269,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2494,1781 +2231,50 @@
         }
       }
     },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests": {
-      "delete": {
-        "description": "delete collection of PodCertificateRequest",
-        "operationId": "deleteCertificatesV1alpha1CollectionNamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "deletecollection",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "list or watch objects of kind PodCertificateRequest",
-        "operationId": "listCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-            "in": "query",
-            "name": "allowWatchBookmarks",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-            "in": "query",
-            "name": "watch",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "post": {
-        "description": "create a PodCertificateRequest",
-        "operationId": "createCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "post",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests/{name}": {
-      "delete": {
-        "description": "delete a PodCertificateRequest",
-        "operationId": "deleteCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "delete",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "read the specified PodCertificateRequest",
-        "operationId": "readCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the PodCertificateRequest",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "patch": {
-        "description": "partially update the specified PodCertificateRequest",
-        "operationId": "patchCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/apply-patch+cbor": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/apply-patch+yaml": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/strategic-merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "put": {
-        "description": "replace the specified PodCertificateRequest",
-        "operationId": "replaceCertificatesV1alpha1NamespacedPodCertificateRequest",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/certificates.k8s.io/v1alpha1/namespaces/{namespace}/podcertificaterequests/{name}/status": {
-      "get": {
-        "description": "read status of the specified PodCertificateRequest",
-        "operationId": "readCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the PodCertificateRequest",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "patch": {
-        "description": "partially update status of the specified PodCertificateRequest",
-        "operationId": "patchCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/apply-patch+cbor": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/apply-patch+yaml": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/strategic-merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "put": {
-        "description": "replace status of the specified PodCertificateRequest",
-        "operationId": "replaceCertificatesV1alpha1NamespacedPodCertificateRequestStatus",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequest"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/certificates.k8s.io/v1alpha1/podcertificaterequests": {
-      "get": {
-        "description": "list or watch objects of kind PodCertificateRequest",
-        "operationId": "listCertificatesV1alpha1PodCertificateRequestForAllNamespaces",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1alpha1.PodCertificateRequestList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles": {
-      "get": {
-        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1ClusterTrustBundleList",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles/{name}": {
-      "get": {
-        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1alpha1ClusterTrustBundle",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "watch",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "name of the ClusterTrustBundle",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/namespaces/{namespace}/podcertificaterequests": {
-      "get": {
-        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1NamespacedPodCertificateRequestList",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles": {
+      "get": {
+        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundleList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
           },
           "401": {
             "description": "Unauthorized"
@@ -4280,7 +2286,7 @@
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
+          "kind": "ClusterTrustBundle",
           "version": "v1alpha1"
         }
       },
@@ -4330,16 +2336,6 @@
             "uniqueItems": true
           }
         },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
         {
           "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
           "in": "query",
@@ -4396,10 +2392,10 @@
         }
       ]
     },
-    "/apis/certificates.k8s.io/v1alpha1/watch/namespaces/{namespace}/podcertificaterequests/{name}": {
+    "/apis/certificates.k8s.io/v1alpha1/watch/clustertrustbundles/{name}": {
       "get": {
-        "description": "watch changes to an object of kind PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1alpha1NamespacedPodCertificateRequest",
+        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1alpha1ClusterTrustBundle",
         "responses": {
           "200": {
             "content": {
@@ -4451,7 +2447,7 @@
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
+          "kind": "ClusterTrustBundle",
           "version": "v1alpha1"
         }
       },
@@ -4502,7 +2498,7 @@
           }
         },
         {
-          "description": "name of the PodCertificateRequest",
+          "description": "name of the ClusterTrustBundle",
           "in": "path",
           "name": "name",
           "required": true,
@@ -4511,177 +2507,6 @@
             "uniqueItems": true
           }
         },
-        {
-          "description": "object name and auth scope, such as for teams and projects",
-          "in": "path",
-          "name": "namespace",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/certificates.k8s.io/v1alpha1/watch/podcertificaterequests": {
-      "get": {
-        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1alpha1PodCertificateRequestListForAllNamespaces",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "certificates_v1alpha1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "certificates.k8s.io",
-          "kind": "PodCertificateRequest",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
         {
           "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
           "in": "query",
diff --git a/api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json
index 45bbb790eae56..4f39f990d9341 100644
--- a/api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__certificates.k8s.io__v1beta1_openapi.json
@@ -106,6 +106,230 @@
         ],
         "type": "object"
       },
+      "io.k8s.api.certificates.v1beta1.PodCertificateRequest": {
+        "description": "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+              }
+            ],
+            "default": {},
+            "description": "metadata contains the object metadata."
+          },
+          "spec": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec"
+              }
+            ],
+            "default": {},
+            "description": "spec contains the details about the certificate being requested."
+          },
+          "status": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus"
+              }
+            ],
+            "default": {},
+            "description": "status contains the issued certificate, and a standard set of conditions."
+          }
+        },
+        "required": [
+          "spec"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "certificates.k8s.io",
+            "kind": "PodCertificateRequest",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.api.certificates.v1beta1.PodCertificateRequestList": {
+        "description": "PodCertificateRequestList is a collection of PodCertificateRequest objects",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "items": {
+            "description": "items is a collection of PodCertificateRequest objects",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "metadata contains the list metadata."
+          }
+        },
+        "required": [
+          "items"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "certificates.k8s.io",
+            "kind": "PodCertificateRequestList",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec": {
+        "description": "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
+        "properties": {
+          "maxExpirationSeconds": {
+            "default": 86400,
+            "description": "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
+            "format": "int32",
+            "type": "integer"
+          },
+          "nodeName": {
+            "default": "",
+            "description": "nodeName is the name of the node the pod is assigned to.",
+            "type": "string"
+          },
+          "nodeUID": {
+            "default": "",
+            "description": "nodeUID is the UID of the node the pod is assigned to.",
+            "type": "string"
+          },
+          "pkixPublicKey": {
+            "description": "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
+            "format": "byte",
+            "type": "string"
+          },
+          "podName": {
+            "default": "",
+            "description": "podName is the name of the pod into which the certificate will be mounted.",
+            "type": "string"
+          },
+          "podUID": {
+            "default": "",
+            "description": "podUID is the UID of the pod into which the certificate will be mounted.",
+            "type": "string"
+          },
+          "proofOfPossession": {
+            "description": "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
+            "format": "byte",
+            "type": "string"
+          },
+          "serviceAccountName": {
+            "default": "",
+            "description": "serviceAccountName is the name of the service account the pod is running as.",
+            "type": "string"
+          },
+          "serviceAccountUID": {
+            "default": "",
+            "description": "serviceAccountUID is the UID of the service account the pod is running as.",
+            "type": "string"
+          },
+          "signerName": {
+            "default": "",
+            "description": "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
+            "type": "string"
+          },
+          "unverifiedUserAnnotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "unverifiedUserAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support.  Signers should deny requests that contain keys they do not recognize.",
+            "type": "object"
+          }
+        },
+        "required": [
+          "signerName",
+          "podName",
+          "podUID",
+          "serviceAccountName",
+          "serviceAccountUID",
+          "nodeName",
+          "nodeUID",
+          "pkixPublicKey",
+          "proofOfPossession"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus": {
+        "description": "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
+        "properties": {
+          "beginRefreshAt": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary."
+          },
+          "certificateChain": {
+            "description": "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
+            "type": "string"
+          },
+          "conditions": {
+            "description": "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "type"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "type",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "notAfter": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain."
+          },
+          "notBefore": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain."
+          }
+        },
+        "type": "object"
+      },
       "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
         "description": "APIResource specifies the name of a resource and whether it is namespaced.",
         "properties": {
@@ -220,6 +444,52 @@
           }
         ]
       },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": {
+        "description": "Condition contains details for one aspect of the current state of this API Resource.",
+        "properties": {
+          "lastTransitionTime": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable."
+          },
+          "message": {
+            "default": "",
+            "description": "message is a human readable message indicating details about the transition. This may be an empty string.",
+            "type": "string"
+          },
+          "observedGeneration": {
+            "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "reason": {
+            "default": "",
+            "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+            "type": "string"
+          },
+          "status": {
+            "default": "",
+            "description": "status of the condition, one of True, False, Unknown.",
+            "type": "string"
+          },
+          "type": {
+            "default": "",
+            "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "status",
+          "lastTransitionTime",
+          "reason",
+          "message"
+        ],
+        "type": "object"
+      },
       "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
         "description": "DeleteOptions may be provided when deleting an API object.",
         "properties": {
@@ -576,7 +846,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -839,8 +1109,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1270,7 +1539,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2232,54 +2501,1785 @@
         }
       }
     },
-    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles": {
-      "get": {
-        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchCertificatesV1beta1ClusterTrustBundleList",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests": {
+      "delete": {
+        "description": "delete collection of PodCertificateRequest",
+        "operationId": "deleteCertificatesV1beta1CollectionNamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
           },
-          "401": {
-            "description": "Unauthorized"
-          }
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "get": {
+        "description": "list or watch objects of kind PodCertificateRequest",
+        "operationId": "listCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "post": {
+        "description": "create a PodCertificateRequest",
+        "operationId": "createCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests/{name}": {
+      "delete": {
+        "description": "delete a PodCertificateRequest",
+        "operationId": "deleteCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "get": {
+        "description": "read the specified PodCertificateRequest",
+        "operationId": "readCertificatesV1beta1NamespacedPodCertificateRequest",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the PodCertificateRequest",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update the specified PodCertificateRequest",
+        "operationId": "patchCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "put": {
+        "description": "replace the specified PodCertificateRequest",
+        "operationId": "replaceCertificatesV1beta1NamespacedPodCertificateRequest",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/certificates.k8s.io/v1beta1/namespaces/{namespace}/podcertificaterequests/{name}/status": {
+      "get": {
+        "description": "read status of the specified PodCertificateRequest",
+        "operationId": "readCertificatesV1beta1NamespacedPodCertificateRequestStatus",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the PodCertificateRequest",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update status of the specified PodCertificateRequest",
+        "operationId": "patchCertificatesV1beta1NamespacedPodCertificateRequestStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "put": {
+        "description": "replace status of the specified PodCertificateRequest",
+        "operationId": "replaceCertificatesV1beta1NamespacedPodCertificateRequestStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/certificates.k8s.io/v1beta1/podcertificaterequests": {
+      "get": {
+        "description": "list or watch objects of kind PodCertificateRequest",
+        "operationId": "listCertificatesV1beta1PodCertificateRequestForAllNamespaces",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles": {
+      "get": {
+        "description": "watch individual changes to a list of ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1ClusterTrustBundleList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles/{name}": {
+      "get": {
+        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1beta1ClusterTrustBundle",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "ClusterTrustBundle",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "name of the ClusterTrustBundle",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/namespaces/{namespace}/podcertificaterequests": {
+      "get": {
+        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1NamespacedPodCertificateRequestList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
         },
         "tags": [
           "certificates_v1beta1"
@@ -2287,7 +4287,7 @@
         "x-kubernetes-action": "watchlist",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
@@ -2337,6 +4337,16 @@
             "uniqueItems": true
           }
         },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
         {
           "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
           "in": "query",
@@ -2393,10 +4403,10 @@
         }
       ]
     },
-    "/apis/certificates.k8s.io/v1beta1/watch/clustertrustbundles/{name}": {
+    "/apis/certificates.k8s.io/v1beta1/watch/namespaces/{namespace}/podcertificaterequests/{name}": {
       "get": {
-        "description": "watch changes to an object of kind ClusterTrustBundle. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchCertificatesV1beta1ClusterTrustBundle",
+        "description": "watch changes to an object of kind PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchCertificatesV1beta1NamespacedPodCertificateRequest",
         "responses": {
           "200": {
             "content": {
@@ -2448,7 +4458,7 @@
         "x-kubernetes-action": "watch",
         "x-kubernetes-group-version-kind": {
           "group": "certificates.k8s.io",
-          "kind": "ClusterTrustBundle",
+          "kind": "PodCertificateRequest",
           "version": "v1beta1"
         }
       },
@@ -2499,7 +4509,7 @@
           }
         },
         {
-          "description": "name of the ClusterTrustBundle",
+          "description": "name of the PodCertificateRequest",
           "in": "path",
           "name": "name",
           "required": true,
@@ -2508,6 +4518,177 @@
             "uniqueItems": true
           }
         },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/certificates.k8s.io/v1beta1/watch/podcertificaterequests": {
+      "get": {
+        "description": "watch individual changes to a list of PodCertificateRequest. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchCertificatesV1beta1PodCertificateRequestListForAllNamespaces",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "certificates_v1beta1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "certificates.k8s.io",
+          "kind": "PodCertificateRequest",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
         {
           "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
           "in": "query",
diff --git a/api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
index 448c4a9489f59..1bcf968e72352 100644
--- a/api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__coordination.k8s.io__v1_openapi.json
@@ -599,7 +599,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -867,8 +867,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1298,7 +1297,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__coordination.k8s.io__v1alpha2_openapi.json b/api/openapi-spec/v3/apis__coordination.k8s.io__v1alpha2_openapi.json
index 6b694293851db..913b8d3715294 100644
--- a/api/openapi-spec/v3/apis__coordination.k8s.io__v1alpha2_openapi.json
+++ b/api/openapi-spec/v3/apis__coordination.k8s.io__v1alpha2_openapi.json
@@ -600,7 +600,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -868,8 +868,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1299,7 +1298,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__coordination.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__coordination.k8s.io__v1beta1_openapi.json
index 6a1f8bd4136b3..d062175244bb1 100644
--- a/api/openapi-spec/v3/apis__coordination.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__coordination.k8s.io__v1beta1_openapi.json
@@ -600,7 +600,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -868,8 +868,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1299,7 +1298,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json
index 8ca040b7709a4..64d668dd8031d 100644
--- a/api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__discovery.k8s.io__v1_openapi.json
@@ -121,7 +121,7 @@
         "description": "EndpointHints provides hints describing how an endpoint should be consumed.",
         "properties": {
           "forNodes": {
-            "description": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+            "description": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
             "items": {
               "allOf": [
                 {
@@ -781,7 +781,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1044,8 +1044,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1475,7 +1474,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json
index 051bf84f328a0..66270d22eccee 100644
--- a/api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__events.k8s.io__v1_openapi.json
@@ -709,7 +709,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -977,8 +977,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1408,7 +1407,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1_openapi.json
index 830ce2752b42e..fb04fcac3dfa4 100644
--- a/api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__flowcontrol.apiserver.k8s.io__v1_openapi.json
@@ -1200,7 +1200,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1463,8 +1463,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1894,7 +1893,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json
index 202f941fdde24..29a9331d6bda5 100644
--- a/api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json
+++ b/api/openapi-spec/v3/apis__internal.apiserver.k8s.io__v1alpha1_openapi.json
@@ -690,7 +690,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -953,8 +953,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1384,7 +1383,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json
index 6ff4af4efeee0..cc4bdb4a2fb5e 100644
--- a/api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__networking.k8s.io__v1_openapi.json
@@ -1574,7 +1574,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1894,8 +1894,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2325,7 +2324,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__networking.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__networking.k8s.io__v1beta1_openapi.json
index dcb2896679058..5b05e1142bcf3 100644
--- a/api/openapi-spec/v3/apis__networking.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__networking.k8s.io__v1beta1_openapi.json
@@ -776,7 +776,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1039,8 +1039,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1470,7 +1469,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json
index 91a759a67dc50..08fd541701893 100644
--- a/api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__node.k8s.io__v1_openapi.json
@@ -13,7 +13,7 @@
             "type": "string"
           },
           "operator": {
-            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
             "type": "string"
           },
           "tolerationSeconds": {
@@ -649,7 +649,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -912,8 +912,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1343,7 +1342,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__policy__v1_openapi.json b/api/openapi-spec/v3/apis__policy__v1_openapi.json
index 66d0497458421..bd1134c93f57a 100644
--- a/api/openapi-spec/v3/apis__policy__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__policy__v1_openapi.json
@@ -711,7 +711,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1031,8 +1031,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1462,7 +1461,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
index c30bb6c3262cb..525506b471ed4 100644
--- a/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__rbac.authorization.k8s.io__v1_openapi.json
@@ -984,7 +984,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -1304,8 +1304,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1735,7 +1734,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1_openapi.json
index 7b6a4c9ad9e0d..03eadd66258fc 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1_openapi.json
@@ -120,7 +120,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "networkData": {
@@ -287,7 +287,7 @@
         "type": "object"
       },
       "io.k8s.api.resource.v1.CounterSet": {
-        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
         "properties": {
           "counters": {
             "additionalProperties": {
@@ -298,7 +298,7 @@
               ],
               "default": {}
             },
-            "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+            "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
             "type": "object"
           },
           "name": {
@@ -371,7 +371,7 @@
             "type": "object"
           },
           "consumesCounters": {
-            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
             "items": {
               "allOf": [
                 {
@@ -401,7 +401,7 @@
             "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
           },
           "taints": {
-            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
             "items": {
               "allOf": [
                 {
@@ -775,7 +775,7 @@
               ],
               "default": {}
             },
-            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
             "type": "object"
           }
         },
@@ -859,7 +859,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "pool": {
@@ -980,7 +980,7 @@
         "properties": {
           "effect": {
             "default": "",
-            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
             "type": "string"
           },
           "key": {
@@ -1124,7 +1124,7 @@
         "properties": {
           "driver": {
             "default": "",
-            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "parameters": {
@@ -1571,7 +1571,7 @@
             "type": "boolean"
           },
           "devices": {
-            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
             "items": {
               "allOf": [
                 {
@@ -1585,7 +1585,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
             "type": "string"
           },
           "nodeName": {
@@ -1614,7 +1614,7 @@
             "description": "Pool describes the pool that this ResourceSlice belongs to."
           },
           "sharedCounters": {
-            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
             "items": {
               "allOf": [
                 {
@@ -2160,7 +2160,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2423,8 +2423,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2854,7 +2853,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
index 94ce67310b565..1f20120ccae4e 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
@@ -1,40 +1,12 @@
 {
   "components": {
     "schemas": {
-      "io.k8s.api.resource.v1alpha3.CELDeviceSelector": {
-        "description": "CELDeviceSelector contains a CEL expression for selecting a device.",
-        "properties": {
-          "expression": {
-            "default": "",
-            "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n   (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n   of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n    device.driver\n    device.attributes[\"dra.example.com\"].model\n    device.attributes[\"ext.example.com\"].family\n    device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n    cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "expression"
-        ],
-        "type": "object"
-      },
-      "io.k8s.api.resource.v1alpha3.DeviceSelector": {
-        "description": "DeviceSelector must have exactly one field set.",
-        "properties": {
-          "cel": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.CELDeviceSelector"
-              }
-            ],
-            "description": "CEL contains a CEL expression for selecting a device."
-          }
-        },
-        "type": "object"
-      },
       "io.k8s.api.resource.v1alpha3.DeviceTaint": {
         "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
         "properties": {
           "effect": {
             "default": "",
-            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
             "type": "string"
           },
           "key": {
@@ -89,6 +61,15 @@
             ],
             "default": {},
             "description": "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number."
+          },
+          "status": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus"
+              }
+            ],
+            "default": {},
+            "description": "Status provides information about what was requested in the spec."
           }
         },
         "required": [
@@ -157,7 +138,7 @@
                 "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintSelector"
               }
             ],
-            "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
+            "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satisfied for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
           },
           "taint": {
             "allOf": [
@@ -174,6 +155,30 @@
         ],
         "type": "object"
       },
+      "io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus": {
+        "description": "DeviceTaintRuleStatus provides information about an on-going pod eviction.",
+        "properties": {
+          "conditions": {
+            "description": "Conditions provide information about the state of the DeviceTaintRule and the cluster at some point in time, in a machine-readable and human-readable format.\n\nThe following condition is currently defined as part of this API, more may get added: - Type: EvictionInProgress - Status: True if there are currently pods which need to be evicted, False otherwise\n  (includes the effects which don't cause eviction).\n- Reason: not specified, may change - Message: includes information about number of pending pods and already evicted pods\n  in a human-readable format, updated periodically, may change\n\nFor `effect: None`, the condition above gets set once for each change to the spec, with the message containing information about what would happen if the effect was `NoExecute`. This feedback can be used to decide whether changing the effect to `NoExecute` will work as intended. It only gets set once to avoid having to constantly update the status.\n\nMust have 8 or fewer entries.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "type"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "type",
+            "x-kubernetes-patch-strategy": "merge"
+          }
+        },
+        "type": "object"
+      },
       "io.k8s.api.resource.v1alpha3.DeviceTaintSelector": {
         "description": "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
         "properties": {
@@ -181,10 +186,6 @@
             "description": "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
             "type": "string"
           },
-          "deviceClassName": {
-            "description": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
-            "type": "string"
-          },
           "driver": {
             "description": "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
             "type": "string"
@@ -192,19 +193,6 @@
           "pool": {
             "description": "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
             "type": "string"
-          },
-          "selectors": {
-            "description": "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceSelector"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
           }
         },
         "type": "object"
@@ -323,6 +311,52 @@
           }
         ]
       },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": {
+        "description": "Condition contains details for one aspect of the current state of this API Resource.",
+        "properties": {
+          "lastTransitionTime": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable."
+          },
+          "message": {
+            "default": "",
+            "description": "message is a human readable message indicating details about the transition. This may be an empty string.",
+            "type": "string"
+          },
+          "observedGeneration": {
+            "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "reason": {
+            "default": "",
+            "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+            "type": "string"
+          },
+          "status": {
+            "default": "",
+            "description": "status of the condition, one of True, False, Unknown.",
+            "type": "string"
+          },
+          "type": {
+            "default": "",
+            "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "status",
+          "lastTransitionTime",
+          "reason",
+          "message"
+        ],
+        "type": "object"
+      },
       "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
         "description": "DeleteOptions may be provided when deleting an API object.",
         "properties": {
@@ -679,7 +713,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -942,8 +976,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1373,7 +1406,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2335,6 +2368,315 @@
         }
       }
     },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules/{name}/status": {
+      "get": {
+        "description": "read status of the specified DeviceTaintRule",
+        "operationId": "readResourceV1alpha3DeviceTaintRuleStatus",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update status of the specified DeviceTaintRule",
+        "operationId": "patchResourceV1alpha3DeviceTaintRuleStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "put": {
+        "description": "replace status of the specified DeviceTaintRule",
+        "operationId": "replaceResourceV1alpha3DeviceTaintRuleStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
     "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules": {
       "get": {
         "description": "watch individual changes to a list of DeviceTaintRule. deprecated: use the 'watch' parameter with a list operation instead.",
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
index 6a36dfaefa453..d3cf12a1f92a1 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
@@ -120,7 +120,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "networkData": {
@@ -237,7 +237,7 @@
             "type": "object"
           },
           "consumesCounters": {
-            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
             "items": {
               "allOf": [
                 {
@@ -262,7 +262,7 @@
             "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
           },
           "taints": {
-            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
             "items": {
               "allOf": [
                 {
@@ -385,7 +385,7 @@
         "type": "object"
       },
       "io.k8s.api.resource.v1beta1.CounterSet": {
-        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
         "properties": {
           "counters": {
             "additionalProperties": {
@@ -789,7 +789,7 @@
               ],
               "default": {}
             },
-            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
             "type": "object"
           }
         },
@@ -917,7 +917,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "pool": {
@@ -1038,7 +1038,7 @@
         "properties": {
           "effect": {
             "default": "",
-            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
             "type": "string"
           },
           "key": {
@@ -1121,7 +1121,7 @@
         "properties": {
           "driver": {
             "default": "",
-            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "parameters": {
@@ -1568,7 +1568,7 @@
             "type": "boolean"
           },
           "devices": {
-            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
             "items": {
               "allOf": [
                 {
@@ -1582,7 +1582,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
             "type": "string"
           },
           "nodeName": {
@@ -1611,7 +1611,7 @@
             "description": "Pool describes the pool that this ResourceSlice belongs to."
           },
           "sharedCounters": {
-            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of SharedCounters is 32.",
+            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
             "items": {
               "allOf": [
                 {
@@ -2157,7 +2157,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2420,8 +2420,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2851,7 +2850,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta2_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta2_openapi.json
index 91b13fd164ab4..ba43ec7c65ffb 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta2_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta2_openapi.json
@@ -120,7 +120,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "networkData": {
@@ -287,7 +287,7 @@
         "type": "object"
       },
       "io.k8s.api.resource.v1beta2.CounterSet": {
-        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+        "description": "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
         "properties": {
           "counters": {
             "additionalProperties": {
@@ -298,7 +298,7 @@
               ],
               "default": {}
             },
-            "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+            "description": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
             "type": "object"
           },
           "name": {
@@ -371,7 +371,7 @@
             "type": "object"
           },
           "consumesCounters": {
-            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+            "description": "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
             "items": {
               "allOf": [
                 {
@@ -401,7 +401,7 @@
             "description": "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set."
           },
           "taints": {
-            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
             "items": {
               "allOf": [
                 {
@@ -775,7 +775,7 @@
               ],
               "default": {}
             },
-            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+            "description": "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
             "type": "object"
           }
         },
@@ -859,7 +859,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "pool": {
@@ -980,7 +980,7 @@
         "properties": {
           "effect": {
             "default": "",
-            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
             "type": "string"
           },
           "key": {
@@ -1124,7 +1124,7 @@
         "properties": {
           "driver": {
             "default": "",
-            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+            "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
             "type": "string"
           },
           "parameters": {
@@ -1571,7 +1571,7 @@
             "type": "boolean"
           },
           "devices": {
-            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+            "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
             "items": {
               "allOf": [
                 {
@@ -1585,7 +1585,7 @@
           },
           "driver": {
             "default": "",
-            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+            "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
             "type": "string"
           },
           "nodeName": {
@@ -1614,7 +1614,7 @@
             "description": "Pool describes the pool that this ResourceSlice belongs to."
           },
           "sharedCounters": {
-            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+            "description": "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
             "items": {
               "allOf": [
                 {
@@ -2160,7 +2160,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2423,8 +2423,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -2854,7 +2853,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json
index a731c1571b16e..207485422ff51 100644
--- a/api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__scheduling.k8s.io__v1_openapi.json
@@ -567,7 +567,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -830,8 +830,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1261,7 +1260,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__scheduling.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__scheduling.k8s.io__v1alpha1_openapi.json
new file mode 100644
index 0000000000000..75e6562b8caa4
--- /dev/null
+++ b/api/openapi-spec/v3/apis__scheduling.k8s.io__v1alpha1_openapi.json
@@ -0,0 +1,3033 @@
+{
+  "components": {
+    "schemas": {
+      "io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy": {
+        "description": "BasicSchedulingPolicy indicates that standard Kubernetes scheduling behavior should be used.",
+        "type": "object"
+      },
+      "io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy": {
+        "description": "GangSchedulingPolicy defines the parameters for gang scheduling.",
+        "properties": {
+          "minCount": {
+            "default": 0,
+            "description": "MinCount is the minimum number of pods that must be schedulable or scheduled at the same time for the scheduler to admit the entire group. It must be a positive integer.",
+            "format": "int32",
+            "type": "integer"
+          }
+        },
+        "required": [
+          "minCount"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.scheduling.v1alpha1.PodGroup": {
+        "description": "PodGroup represents a set of pods with a common scheduling policy.",
+        "properties": {
+          "name": {
+            "default": "",
+            "description": "Name is a unique identifier for the PodGroup within the Workload. It must be a DNS label. This field is immutable.",
+            "type": "string"
+          },
+          "policy": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.PodGroupPolicy"
+              }
+            ],
+            "default": {},
+            "description": "Policy defines the scheduling policy for this PodGroup."
+          }
+        },
+        "required": [
+          "name",
+          "policy"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.scheduling.v1alpha1.PodGroupPolicy": {
+        "description": "PodGroupPolicy defines the scheduling configuration for a PodGroup.",
+        "properties": {
+          "basic": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy"
+              }
+            ],
+            "description": "Basic specifies that the pods in this group should be scheduled using standard Kubernetes scheduling behavior."
+          },
+          "gang": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy"
+              }
+            ],
+            "description": "Gang specifies that the pods in this group should be scheduled using all-or-nothing semantics."
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference": {
+        "description": "TypedLocalObjectReference allows to reference typed object inside the same namespace.",
+        "properties": {
+          "apiGroup": {
+            "description": "APIGroup is the group for the resource being referenced. If APIGroup is empty, the specified Kind must be in the core API group. For any other third-party types, setting APIGroup is required. It must be a DNS subdomain.",
+            "type": "string"
+          },
+          "kind": {
+            "default": "",
+            "description": "Kind is the type of resource being referenced. It must be a path segment name.",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "Name is the name of resource being referenced. It must be a path segment name.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "kind",
+          "name"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.scheduling.v1alpha1.Workload": {
+        "description": "Workload allows for expressing scheduling constraints that should be used when managing lifecycle of workloads from scheduling perspective, including scheduling, preemption, eviction and other phases.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard object's metadata. Name must be a DNS subdomain."
+          },
+          "spec": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadSpec"
+              }
+            ],
+            "default": {},
+            "description": "Spec defines the desired behavior of a Workload."
+          }
+        },
+        "required": [
+          "spec"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "Workload",
+            "version": "v1alpha1"
+          }
+        ]
+      },
+      "io.k8s.api.scheduling.v1alpha1.WorkloadList": {
+        "description": "WorkloadList contains a list of Workload resources.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "items": {
+            "description": "Items is the list of Workloads.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard list metadata."
+          }
+        },
+        "required": [
+          "items"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WorkloadList",
+            "version": "v1alpha1"
+          }
+        ]
+      },
+      "io.k8s.api.scheduling.v1alpha1.WorkloadSpec": {
+        "description": "WorkloadSpec defines the desired state of a Workload.",
+        "properties": {
+          "controllerRef": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference"
+              }
+            ],
+            "description": "ControllerRef is an optional reference to the controlling object, such as a Deployment or Job. This field is intended for use by tools like CLIs to provide a link back to the original workload definition. When set, it cannot be changed."
+          },
+          "podGroups": {
+            "description": "PodGroups is the list of pod groups that make up the Workload. The maximum number of pod groups is 8. This field is immutable.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.PodGroup"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "name"
+            ],
+            "x-kubernetes-list-type": "map"
+          }
+        },
+        "required": [
+          "podGroups"
+        ],
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
+        "description": "APIResource specifies the name of a resource and whether it is namespaced.",
+        "properties": {
+          "categories": {
+            "description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "group": {
+            "description": "group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
+            "type": "string"
+          },
+          "kind": {
+            "default": "",
+            "description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "name is the plural name of the resource.",
+            "type": "string"
+          },
+          "namespaced": {
+            "default": false,
+            "description": "namespaced indicates if a resource is namespaced or not.",
+            "type": "boolean"
+          },
+          "shortNames": {
+            "description": "shortNames is a list of suggested short names of the resource.",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "singularName": {
+            "default": "",
+            "description": "singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
+            "type": "string"
+          },
+          "storageVersionHash": {
+            "description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.",
+            "type": "string"
+          },
+          "verbs": {
+            "description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array"
+          },
+          "version": {
+            "description": "version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "singularName",
+          "namespaced",
+          "kind",
+          "verbs"
+        ],
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {
+        "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "groupVersion": {
+            "default": "",
+            "description": "groupVersion is the group and version this APIResourceList is for.",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "resources": {
+            "description": "resources contains the name of the resources and if they are namespaced.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          }
+        },
+        "required": [
+          "groupVersion",
+          "resources"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "APIResourceList",
+            "version": "v1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
+        "description": "DeleteOptions may be provided when deleting an API object.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "dryRun": {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "gracePeriodSeconds": {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "ignoreStoreReadErrorWithClusterBreakingPotential": {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "type": "boolean"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "orphanDependents": {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "type": "boolean"
+          },
+          "preconditions": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"
+              }
+            ],
+            "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned."
+          },
+          "propagationPolicy": {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "type": "string"
+          }
+        },
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2beta2"
+          },
+          {
+            "group": "batch",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "batch",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha2"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "extensions",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta3"
+          },
+          {
+            "group": "imagepolicy.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "internal.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "policy",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "policy",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha3"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": {
+        "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": {
+        "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
+        "properties": {
+          "continue": {
+            "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.",
+            "type": "string"
+          },
+          "remainingItemCount": {
+            "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "resourceVersion": {
+            "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
+            "type": "string"
+          },
+          "selfLink": {
+            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": {
+        "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.",
+            "type": "string"
+          },
+          "fieldsType": {
+            "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"",
+            "type": "string"
+          },
+          "fieldsV1": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
+              }
+            ],
+            "description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."
+          },
+          "manager": {
+            "description": "Manager is an identifier of the workflow managing these fields.",
+            "type": "string"
+          },
+          "operation": {
+            "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.",
+            "type": "string"
+          },
+          "subresource": {
+            "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.",
+            "type": "string"
+          },
+          "time": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
+        "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
+        "properties": {
+          "annotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations",
+            "type": "object"
+          },
+          "creationTimestamp": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          },
+          "deletionGracePeriodSeconds": {
+            "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "deletionTimestamp": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          },
+          "finalizers": {
+            "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "set",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "generateName": {
+            "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency",
+            "type": "string"
+          },
+          "generation": {
+            "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "labels": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels",
+            "type": "object"
+          },
+          "managedFields": {
+            "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "name": {
+            "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
+            "type": "string"
+          },
+          "namespace": {
+            "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces",
+            "type": "string"
+          },
+          "ownerReferences": {
+            "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "uid"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "uid",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "resourceVersion": {
+            "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
+            "type": "string"
+          },
+          "selfLink": {
+            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
+            "type": "string"
+          },
+          "uid": {
+            "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": {
+        "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
+        "properties": {
+          "apiVersion": {
+            "default": "",
+            "description": "API version of the referent.",
+            "type": "string"
+          },
+          "blockOwnerDeletion": {
+            "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
+            "type": "boolean"
+          },
+          "controller": {
+            "description": "If true, this reference points to the managing controller.",
+            "type": "boolean"
+          },
+          "kind": {
+            "default": "",
+            "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
+            "type": "string"
+          },
+          "uid": {
+            "default": "",
+            "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "required": [
+          "apiVersion",
+          "kind",
+          "name",
+          "uid"
+        ],
+        "type": "object",
+        "x-kubernetes-map-type": "atomic"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Patch": {
+        "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.",
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions": {
+        "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
+        "properties": {
+          "resourceVersion": {
+            "description": "Specifies the target ResourceVersion",
+            "type": "string"
+          },
+          "uid": {
+            "description": "Specifies the target UID.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Status": {
+        "description": "Status is a return value for calls that don't return other objects.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "code": {
+            "description": "Suggested HTTP return code for this status, 0 if not set.",
+            "format": "int32",
+            "type": "integer"
+          },
+          "details": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
+              }
+            ],
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "message": {
+            "description": "A human-readable description of the status of this operation.",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+          },
+          "reason": {
+            "description": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.",
+            "type": "string"
+          },
+          "status": {
+            "description": "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+            "type": "string"
+          }
+        },
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "Status",
+            "version": "v1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause": {
+        "description": "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.",
+        "properties": {
+          "field": {
+            "description": "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"",
+            "type": "string"
+          },
+          "message": {
+            "description": "A human-readable description of the cause of the error.  This field may be presented as-is to a reader.",
+            "type": "string"
+          },
+          "reason": {
+            "description": "A machine-readable description of the cause of the error. If this value is empty there is no information available.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails": {
+        "description": "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.",
+        "properties": {
+          "causes": {
+            "description": "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "group": {
+            "description": "The group attribute of the resource associated with the status StatusReason.",
+            "type": "string"
+          },
+          "kind": {
+            "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "name": {
+            "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).",
+            "type": "string"
+          },
+          "retryAfterSeconds": {
+            "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.",
+            "format": "int32",
+            "type": "integer"
+          },
+          "uid": {
+            "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Time": {
+        "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.",
+        "format": "date-time",
+        "type": "string"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": {
+        "description": "Event represents a single event to a watched resource.",
+        "properties": {
+          "object": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.runtime.RawExtension"
+              }
+            ],
+            "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context."
+          },
+          "type": {
+            "default": "",
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "object"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2beta2"
+          },
+          {
+            "group": "batch",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "batch",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha2"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "extensions",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta3"
+          },
+          {
+            "group": "imagepolicy.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "internal.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "policy",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "policy",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha3"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.runtime.RawExtension": {
+        "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
+        "type": "object"
+      }
+    },
+    "securitySchemes": {
+      "BearerToken": {
+        "description": "Bearer Token authentication",
+        "in": "header",
+        "name": "authorization",
+        "type": "apiKey"
+      }
+    }
+  },
+  "info": {
+    "title": "Kubernetes",
+    "version": "unversioned"
+  },
+  "openapi": "3.0.0",
+  "paths": {
+    "/apis/scheduling.k8s.io/v1alpha1/": {
+      "get": {
+        "description": "get available resources",
+        "operationId": "getSchedulingV1alpha1APIResources",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ]
+      }
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/namespaces/{namespace}/workloads": {
+      "delete": {
+        "description": "delete collection of Workload",
+        "operationId": "deleteSchedulingV1alpha1CollectionNamespacedWorkload",
+        "parameters": [
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "description": "list or watch objects of kind Workload",
+        "operationId": "listSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "post": {
+        "description": "create a Workload",
+        "operationId": "createSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/namespaces/{namespace}/workloads/{name}": {
+      "delete": {
+        "description": "delete a Workload",
+        "operationId": "deleteSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "get": {
+        "description": "read the specified Workload",
+        "operationId": "readSchedulingV1alpha1NamespacedWorkload",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the Workload",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update the specified Workload",
+        "operationId": "patchSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "put": {
+        "description": "replace the specified Workload",
+        "operationId": "replaceSchedulingV1alpha1NamespacedWorkload",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.Workload"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      }
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/watch/namespaces/{namespace}/workloads": {
+      "get": {
+        "description": "watch individual changes to a list of Workload. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchSchedulingV1alpha1NamespacedWorkloadList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/watch/namespaces/{namespace}/workloads/{name}": {
+      "get": {
+        "description": "watch changes to an object of kind Workload. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchSchedulingV1alpha1NamespacedWorkload",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "name of the Workload",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "object name and auth scope, such as for teams and projects",
+          "in": "path",
+          "name": "namespace",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/watch/workloads": {
+      "get": {
+        "description": "watch individual changes to a list of Workload. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchSchedulingV1alpha1WorkloadListForAllNamespaces",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/scheduling.k8s.io/v1alpha1/workloads": {
+      "get": {
+        "description": "list or watch objects of kind Workload",
+        "operationId": "listSchedulingV1alpha1WorkloadForAllNamespaces",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.scheduling.v1alpha1.WorkloadList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "scheduling_v1alpha1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "scheduling.k8s.io",
+          "kind": "Workload",
+          "version": "v1alpha1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json
index 6369f7164d49d..6212f1d5363b1 100644
--- a/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json
+++ b/api/openapi-spec/v3/apis__storage.k8s.io__v1_openapi.json
@@ -800,7 +800,7 @@
                 "$ref": "#/components/schemas/io.k8s.api.core.v1.VolumeNodeAffinity"
               }
             ],
-            "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume."
+            "description": "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled."
           },
           "persistentVolumeReclaimPolicy": {
             "description": "persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming",
@@ -1311,6 +1311,10 @@
             "description": "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
             "type": "boolean"
           },
+          "serviceAccountTokenInSecrets": {
+            "description": "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
+            "type": "boolean"
+          },
           "storageCapacity": {
             "description": "storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.",
             "type": "boolean"
@@ -2530,7 +2534,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -2850,8 +2854,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -3281,7 +3284,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__storage.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__storage.k8s.io__v1alpha1_openapi.json
deleted file mode 100644
index 75f42f5b76585..0000000000000
--- a/api/openapi-spec/v3/apis__storage.k8s.io__v1alpha1_openapi.json
+++ /dev/null
@@ -1,2554 +0,0 @@
-{
-  "components": {
-    "schemas": {
-      "io.k8s.api.storage.v1alpha1.VolumeAttributesClass": {
-        "description": "VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "driverName": {
-            "default": "",
-            "description": "Name of the CSI driver This field is immutable.",
-            "type": "string"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "parameters": {
-            "additionalProperties": {
-              "default": "",
-              "type": "string"
-            },
-            "description": "parameters hold volume attributes defined by the CSI driver. These values are opaque to the Kubernetes and are passed directly to the CSI driver. The underlying storage provider supports changing these attributes on an existing volume, however the parameters field itself is immutable. To invoke a volume update, a new VolumeAttributesClass should be created with new parameters, and the PersistentVolumeClaim should be updated to reference the new VolumeAttributesClass.\n\nThis field is required and must contain at least one key/value pair. The keys cannot be empty, and the maximum number of parameters is 512, with a cumulative max size of 256K. If the CSI driver rejects invalid parameters, the target PersistentVolumeClaim will be set to an \"Infeasible\" state in the modifyVolumeStatus field.",
-            "type": "object"
-          }
-        },
-        "required": [
-          "driverName"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "storage.k8s.io",
-            "kind": "VolumeAttributesClass",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.api.storage.v1alpha1.VolumeAttributesClassList": {
-        "description": "VolumeAttributesClassList is a collection of VolumeAttributesClass objects.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "items": {
-            "description": "items is the list of VolumeAttributesClass objects.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          }
-        },
-        "required": [
-          "items"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "storage.k8s.io",
-            "kind": "VolumeAttributesClassList",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
-        "description": "APIResource specifies the name of a resource and whether it is namespaced.",
-        "properties": {
-          "categories": {
-            "description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "group": {
-            "description": "group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
-            "type": "string"
-          },
-          "kind": {
-            "default": "",
-            "description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
-            "type": "string"
-          },
-          "name": {
-            "default": "",
-            "description": "name is the plural name of the resource.",
-            "type": "string"
-          },
-          "namespaced": {
-            "default": false,
-            "description": "namespaced indicates if a resource is namespaced or not.",
-            "type": "boolean"
-          },
-          "shortNames": {
-            "description": "shortNames is a list of suggested short names of the resource.",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "singularName": {
-            "default": "",
-            "description": "singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
-            "type": "string"
-          },
-          "storageVersionHash": {
-            "description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.",
-            "type": "string"
-          },
-          "verbs": {
-            "description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "version": {
-            "description": "version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
-            "type": "string"
-          }
-        },
-        "required": [
-          "name",
-          "singularName",
-          "namespaced",
-          "kind",
-          "verbs"
-        ],
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {
-        "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "groupVersion": {
-            "default": "",
-            "description": "groupVersion is the group and version this APIResourceList is for.",
-            "type": "string"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "resources": {
-            "description": "resources contains the name of the resources and if they are namespaced.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          }
-        },
-        "required": [
-          "groupVersion",
-          "resources"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "APIResourceList",
-            "version": "v1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
-        "description": "DeleteOptions may be provided when deleting an API object.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "dryRun": {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "gracePeriodSeconds": {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "ignoreStoreReadErrorWithClusterBreakingPotential": {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "type": "boolean"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "orphanDependents": {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "type": "boolean"
-          },
-          "preconditions": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"
-              }
-            ],
-            "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned."
-          },
-          "propagationPolicy": {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "type": "string"
-          }
-        },
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2beta2"
-          },
-          {
-            "group": "batch",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "batch",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha2"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "extensions",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta3"
-          },
-          {
-            "group": "imagepolicy.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "internal.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "policy",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "policy",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha3"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": {
-        "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": {
-        "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
-        "properties": {
-          "continue": {
-            "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.",
-            "type": "string"
-          },
-          "remainingItemCount": {
-            "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "resourceVersion": {
-            "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
-            "type": "string"
-          },
-          "selfLink": {
-            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": {
-        "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.",
-            "type": "string"
-          },
-          "fieldsType": {
-            "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"",
-            "type": "string"
-          },
-          "fieldsV1": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
-              }
-            ],
-            "description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."
-          },
-          "manager": {
-            "description": "Manager is an identifier of the workflow managing these fields.",
-            "type": "string"
-          },
-          "operation": {
-            "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.",
-            "type": "string"
-          },
-          "subresource": {
-            "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.",
-            "type": "string"
-          },
-          "time": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
-        "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
-        "properties": {
-          "annotations": {
-            "additionalProperties": {
-              "default": "",
-              "type": "string"
-            },
-            "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations",
-            "type": "object"
-          },
-          "creationTimestamp": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "deletionGracePeriodSeconds": {
-            "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "deletionTimestamp": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "finalizers": {
-            "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "set",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "generateName": {
-            "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency",
-            "type": "string"
-          },
-          "generation": {
-            "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "labels": {
-            "additionalProperties": {
-              "default": "",
-              "type": "string"
-            },
-            "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels",
-            "type": "object"
-          },
-          "managedFields": {
-            "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "name": {
-            "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
-            "type": "string"
-          },
-          "namespace": {
-            "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces",
-            "type": "string"
-          },
-          "ownerReferences": {
-            "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-map-keys": [
-              "uid"
-            ],
-            "x-kubernetes-list-type": "map",
-            "x-kubernetes-patch-merge-key": "uid",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "resourceVersion": {
-            "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
-            "type": "string"
-          },
-          "selfLink": {
-            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
-            "type": "string"
-          },
-          "uid": {
-            "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": {
-        "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
-        "properties": {
-          "apiVersion": {
-            "default": "",
-            "description": "API version of the referent.",
-            "type": "string"
-          },
-          "blockOwnerDeletion": {
-            "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
-            "type": "boolean"
-          },
-          "controller": {
-            "description": "If true, this reference points to the managing controller.",
-            "type": "boolean"
-          },
-          "kind": {
-            "default": "",
-            "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "name": {
-            "default": "",
-            "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
-            "type": "string"
-          },
-          "uid": {
-            "default": "",
-            "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "required": [
-          "apiVersion",
-          "kind",
-          "name",
-          "uid"
-        ],
-        "type": "object",
-        "x-kubernetes-map-type": "atomic"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Patch": {
-        "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.",
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions": {
-        "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
-        "properties": {
-          "resourceVersion": {
-            "description": "Specifies the target ResourceVersion",
-            "type": "string"
-          },
-          "uid": {
-            "description": "Specifies the target UID.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Status": {
-        "description": "Status is a return value for calls that don't return other objects.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "code": {
-            "description": "Suggested HTTP return code for this status, 0 if not set.",
-            "format": "int32",
-            "type": "integer"
-          },
-          "details": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
-              }
-            ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "message": {
-            "description": "A human-readable description of the status of this operation.",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-          },
-          "reason": {
-            "description": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.",
-            "type": "string"
-          },
-          "status": {
-            "description": "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
-            "type": "string"
-          }
-        },
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "Status",
-            "version": "v1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause": {
-        "description": "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.",
-        "properties": {
-          "field": {
-            "description": "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"",
-            "type": "string"
-          },
-          "message": {
-            "description": "A human-readable description of the cause of the error.  This field may be presented as-is to a reader.",
-            "type": "string"
-          },
-          "reason": {
-            "description": "A machine-readable description of the cause of the error. If this value is empty there is no information available.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails": {
-        "description": "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.",
-        "properties": {
-          "causes": {
-            "description": "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "group": {
-            "description": "The group attribute of the resource associated with the status StatusReason.",
-            "type": "string"
-          },
-          "kind": {
-            "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "name": {
-            "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).",
-            "type": "string"
-          },
-          "retryAfterSeconds": {
-            "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.",
-            "format": "int32",
-            "type": "integer"
-          },
-          "uid": {
-            "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Time": {
-        "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.",
-        "format": "date-time",
-        "type": "string"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": {
-        "description": "Event represents a single event to a watched resource.",
-        "properties": {
-          "object": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.runtime.RawExtension"
-              }
-            ],
-            "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context."
-          },
-          "type": {
-            "default": "",
-            "type": "string"
-          }
-        },
-        "required": [
-          "type",
-          "object"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2beta2"
-          },
-          {
-            "group": "batch",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "batch",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha2"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "extensions",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta3"
-          },
-          {
-            "group": "imagepolicy.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "internal.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "policy",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "policy",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha3"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.runtime.RawExtension": {
-        "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
-        "type": "object"
-      }
-    },
-    "securitySchemes": {
-      "BearerToken": {
-        "description": "Bearer Token authentication",
-        "in": "header",
-        "name": "authorization",
-        "type": "apiKey"
-      }
-    }
-  },
-  "info": {
-    "title": "Kubernetes",
-    "version": "unversioned"
-  },
-  "openapi": "3.0.0",
-  "paths": {
-    "/apis/storage.k8s.io/v1alpha1/": {
-      "get": {
-        "description": "get available resources",
-        "operationId": "getStorageV1alpha1APIResources",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ]
-      }
-    },
-    "/apis/storage.k8s.io/v1alpha1/volumeattributesclasses": {
-      "delete": {
-        "description": "delete collection of VolumeAttributesClass",
-        "operationId": "deleteStorageV1alpha1CollectionVolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "deletecollection",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "list or watch objects of kind VolumeAttributesClass",
-        "operationId": "listStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-            "in": "query",
-            "name": "allowWatchBookmarks",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-            "in": "query",
-            "name": "watch",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "post": {
-        "description": "create a VolumeAttributesClass",
-        "operationId": "createStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "post",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/storage.k8s.io/v1alpha1/volumeattributesclasses/{name}": {
-      "delete": {
-        "description": "delete a VolumeAttributesClass",
-        "operationId": "deleteStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "delete",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "read the specified VolumeAttributesClass",
-        "operationId": "readStorageV1alpha1VolumeAttributesClass",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the VolumeAttributesClass",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "patch": {
-        "description": "partially update the specified VolumeAttributesClass",
-        "operationId": "patchStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/apply-patch+cbor": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/apply-patch+yaml": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/strategic-merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "put": {
-        "description": "replace the specified VolumeAttributesClass",
-        "operationId": "replaceStorageV1alpha1VolumeAttributesClass",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/storage.k8s.io/v1alpha1/watch/volumeattributesclasses": {
-      "get": {
-        "description": "watch individual changes to a list of VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStorageV1alpha1VolumeAttributesClassList",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/storage.k8s.io/v1alpha1/watch/volumeattributesclasses/{name}": {
-      "get": {
-        "description": "watch changes to an object of kind VolumeAttributesClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStorageV1alpha1VolumeAttributesClass",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storage_v1alpha1"
-        ],
-        "x-kubernetes-action": "watch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storage.k8s.io",
-          "kind": "VolumeAttributesClass",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "name of the VolumeAttributesClass",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    }
-  }
-}
diff --git a/api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json
index d785e010cb018..0843bd9e9e178 100644
--- a/api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__storage.k8s.io__v1beta1_openapi.json
@@ -562,7 +562,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "DeleteOptions",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
@@ -825,8 +825,7 @@
                 "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
               }
             ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
           },
           "kind": {
             "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
@@ -1256,7 +1255,7 @@
           {
             "group": "storagemigration.k8s.io",
             "kind": "WatchEvent",
-            "version": "v1alpha1"
+            "version": "v1beta1"
           }
         ]
       },
diff --git a/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1alpha1_openapi.json b/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1alpha1_openapi.json
deleted file mode 100644
index 33767db9a4712..0000000000000
--- a/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1alpha1_openapi.json
+++ /dev/null
@@ -1,2975 +0,0 @@
-{
-  "components": {
-    "schemas": {
-      "io.k8s.api.storagemigration.v1alpha1.GroupVersionResource": {
-        "description": "The names of the group, the version, and the resource.",
-        "properties": {
-          "group": {
-            "description": "The name of the group.",
-            "type": "string"
-          },
-          "resource": {
-            "description": "The name of the resource.",
-            "type": "string"
-          },
-          "version": {
-            "description": "The name of the version.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.api.storagemigration.v1alpha1.MigrationCondition": {
-        "description": "Describes the state of a migration at a certain point.",
-        "properties": {
-          "lastUpdateTime": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "The last time this condition was updated."
-          },
-          "message": {
-            "description": "A human readable message indicating details about the transition.",
-            "type": "string"
-          },
-          "reason": {
-            "description": "The reason for the condition's last transition.",
-            "type": "string"
-          },
-          "status": {
-            "default": "",
-            "description": "Status of the condition, one of True, False, Unknown.",
-            "type": "string"
-          },
-          "type": {
-            "default": "",
-            "description": "Type of the condition.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "type",
-          "status"
-        ],
-        "type": "object"
-      },
-      "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration": {
-        "description": "StorageVersionMigration represents a migration of stored data to the latest storage version.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "spec": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec"
-              }
-            ],
-            "default": {},
-            "description": "Specification of the migration."
-          },
-          "status": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus"
-              }
-            ],
-            "default": {},
-            "description": "Status of the migration."
-          }
-        },
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "StorageVersionMigration",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList": {
-        "description": "StorageVersionMigrationList is a collection of storage version migrations.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "items": {
-            "description": "Items is the list of StorageVersionMigration",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-map-keys": [
-              "type"
-            ],
-            "x-kubernetes-list-type": "map",
-            "x-kubernetes-patch-merge-key": "type",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          }
-        },
-        "required": [
-          "items"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "StorageVersionMigrationList",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec": {
-        "description": "Spec of the storage version migration.",
-        "properties": {
-          "continueToken": {
-            "description": "The token used in the list options to get the next chunk of objects to migrate. When the .status.conditions indicates the migration is \"Running\", users can use this token to check the progress of the migration.",
-            "type": "string"
-          },
-          "resource": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.GroupVersionResource"
-              }
-            ],
-            "default": {},
-            "description": "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable."
-          }
-        },
-        "required": [
-          "resource"
-        ],
-        "type": "object"
-      },
-      "io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus": {
-        "description": "Status of the storage version migration.",
-        "properties": {
-          "conditions": {
-            "description": "The latest available observations of the migration's current state.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.MigrationCondition"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-map-keys": [
-              "type"
-            ],
-            "x-kubernetes-list-type": "map",
-            "x-kubernetes-patch-merge-key": "type",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "resourceVersion": {
-            "description": "ResourceVersion to compare with the GC cache for performing the migration. This is the current resource version of given group, version and resource when kube-controller-manager first observes this StorageVersionMigration resource.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
-        "description": "APIResource specifies the name of a resource and whether it is namespaced.",
-        "properties": {
-          "categories": {
-            "description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "group": {
-            "description": "group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
-            "type": "string"
-          },
-          "kind": {
-            "default": "",
-            "description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
-            "type": "string"
-          },
-          "name": {
-            "default": "",
-            "description": "name is the plural name of the resource.",
-            "type": "string"
-          },
-          "namespaced": {
-            "default": false,
-            "description": "namespaced indicates if a resource is namespaced or not.",
-            "type": "boolean"
-          },
-          "shortNames": {
-            "description": "shortNames is a list of suggested short names of the resource.",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "singularName": {
-            "default": "",
-            "description": "singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
-            "type": "string"
-          },
-          "storageVersionHash": {
-            "description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.",
-            "type": "string"
-          },
-          "verbs": {
-            "description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array"
-          },
-          "version": {
-            "description": "version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
-            "type": "string"
-          }
-        },
-        "required": [
-          "name",
-          "singularName",
-          "namespaced",
-          "kind",
-          "verbs"
-        ],
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {
-        "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "groupVersion": {
-            "default": "",
-            "description": "groupVersion is the group and version this APIResourceList is for.",
-            "type": "string"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "resources": {
-            "description": "resources contains the name of the resources and if they are namespaced.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          }
-        },
-        "required": [
-          "groupVersion",
-          "resources"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "APIResourceList",
-            "version": "v1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
-        "description": "DeleteOptions may be provided when deleting an API object.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "dryRun": {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "gracePeriodSeconds": {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "ignoreStoreReadErrorWithClusterBreakingPotential": {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "type": "boolean"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "orphanDependents": {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "type": "boolean"
-          },
-          "preconditions": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"
-              }
-            ],
-            "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned."
-          },
-          "propagationPolicy": {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "type": "string"
-          }
-        },
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "DeleteOptions",
-            "version": "v2beta2"
-          },
-          {
-            "group": "batch",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "batch",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha2"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "extensions",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta3"
-          },
-          {
-            "group": "imagepolicy.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "internal.apiserver.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "policy",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "policy",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha3"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta2"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "DeleteOptions",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": {
-        "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": {
-        "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
-        "properties": {
-          "continue": {
-            "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.",
-            "type": "string"
-          },
-          "remainingItemCount": {
-            "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "resourceVersion": {
-            "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
-            "type": "string"
-          },
-          "selfLink": {
-            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": {
-        "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.",
-            "type": "string"
-          },
-          "fieldsType": {
-            "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"",
-            "type": "string"
-          },
-          "fieldsV1": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
-              }
-            ],
-            "description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."
-          },
-          "manager": {
-            "description": "Manager is an identifier of the workflow managing these fields.",
-            "type": "string"
-          },
-          "operation": {
-            "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.",
-            "type": "string"
-          },
-          "subresource": {
-            "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.",
-            "type": "string"
-          },
-          "time": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
-        "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
-        "properties": {
-          "annotations": {
-            "additionalProperties": {
-              "default": "",
-              "type": "string"
-            },
-            "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations",
-            "type": "object"
-          },
-          "creationTimestamp": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "deletionGracePeriodSeconds": {
-            "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "deletionTimestamp": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
-              }
-            ],
-            "description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
-          },
-          "finalizers": {
-            "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.",
-            "items": {
-              "default": "",
-              "type": "string"
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "set",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "generateName": {
-            "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency",
-            "type": "string"
-          },
-          "generation": {
-            "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
-            "format": "int64",
-            "type": "integer"
-          },
-          "labels": {
-            "additionalProperties": {
-              "default": "",
-              "type": "string"
-            },
-            "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels",
-            "type": "object"
-          },
-          "managedFields": {
-            "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "name": {
-            "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
-            "type": "string"
-          },
-          "namespace": {
-            "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces",
-            "type": "string"
-          },
-          "ownerReferences": {
-            "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-map-keys": [
-              "uid"
-            ],
-            "x-kubernetes-list-type": "map",
-            "x-kubernetes-patch-merge-key": "uid",
-            "x-kubernetes-patch-strategy": "merge"
-          },
-          "resourceVersion": {
-            "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
-            "type": "string"
-          },
-          "selfLink": {
-            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
-            "type": "string"
-          },
-          "uid": {
-            "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": {
-        "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
-        "properties": {
-          "apiVersion": {
-            "default": "",
-            "description": "API version of the referent.",
-            "type": "string"
-          },
-          "blockOwnerDeletion": {
-            "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
-            "type": "boolean"
-          },
-          "controller": {
-            "description": "If true, this reference points to the managing controller.",
-            "type": "boolean"
-          },
-          "kind": {
-            "default": "",
-            "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "name": {
-            "default": "",
-            "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
-            "type": "string"
-          },
-          "uid": {
-            "default": "",
-            "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "required": [
-          "apiVersion",
-          "kind",
-          "name",
-          "uid"
-        ],
-        "type": "object",
-        "x-kubernetes-map-type": "atomic"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Patch": {
-        "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.",
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions": {
-        "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
-        "properties": {
-          "resourceVersion": {
-            "description": "Specifies the target ResourceVersion",
-            "type": "string"
-          },
-          "uid": {
-            "description": "Specifies the target UID.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Status": {
-        "description": "Status is a return value for calls that don't return other objects.",
-        "properties": {
-          "apiVersion": {
-            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-            "type": "string"
-          },
-          "code": {
-            "description": "Suggested HTTP return code for this status, 0 if not set.",
-            "format": "int32",
-            "type": "integer"
-          },
-          "details": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
-              }
-            ],
-            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "kind": {
-            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "message": {
-            "description": "A human-readable description of the status of this operation.",
-            "type": "string"
-          },
-          "metadata": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
-              }
-            ],
-            "default": {},
-            "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
-          },
-          "reason": {
-            "description": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.",
-            "type": "string"
-          },
-          "status": {
-            "description": "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
-            "type": "string"
-          }
-        },
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "Status",
-            "version": "v1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause": {
-        "description": "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.",
-        "properties": {
-          "field": {
-            "description": "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"",
-            "type": "string"
-          },
-          "message": {
-            "description": "A human-readable description of the cause of the error.  This field may be presented as-is to a reader.",
-            "type": "string"
-          },
-          "reason": {
-            "description": "A machine-readable description of the cause of the error. If this value is empty there is no information available.",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails": {
-        "description": "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.",
-        "properties": {
-          "causes": {
-            "description": "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.",
-            "items": {
-              "allOf": [
-                {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"
-                }
-              ],
-              "default": {}
-            },
-            "type": "array",
-            "x-kubernetes-list-type": "atomic"
-          },
-          "group": {
-            "description": "The group attribute of the resource associated with the status StatusReason.",
-            "type": "string"
-          },
-          "kind": {
-            "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-            "type": "string"
-          },
-          "name": {
-            "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).",
-            "type": "string"
-          },
-          "retryAfterSeconds": {
-            "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.",
-            "format": "int32",
-            "type": "integer"
-          },
-          "uid": {
-            "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
-            "type": "string"
-          }
-        },
-        "type": "object"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.Time": {
-        "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.",
-        "format": "date-time",
-        "type": "string"
-      },
-      "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": {
-        "description": "Event represents a single event to a watched resource.",
-        "properties": {
-          "object": {
-            "allOf": [
-              {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.runtime.RawExtension"
-              }
-            ],
-            "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context."
-          },
-          "type": {
-            "default": "",
-            "type": "string"
-          }
-        },
-        "required": [
-          "type",
-          "object"
-        ],
-        "type": "object",
-        "x-kubernetes-group-version-kind": [
-          {
-            "group": "",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admission.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "admissionregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apiextensions.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apiregistration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "apps",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "authentication.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2beta1"
-          },
-          {
-            "group": "autoscaling",
-            "kind": "WatchEvent",
-            "version": "v2beta2"
-          },
-          {
-            "group": "batch",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "batch",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "certificates.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha2"
-          },
-          {
-            "group": "coordination.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "discovery.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "events.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "extensions",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "flowcontrol.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta3"
-          },
-          {
-            "group": "imagepolicy.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "internal.apiserver.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "networking.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "node.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "policy",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "policy",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "rbac.authorization.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha3"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "resource.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta2"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "scheduling.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          },
-          {
-            "group": "storage.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1beta1"
-          },
-          {
-            "group": "storagemigration.k8s.io",
-            "kind": "WatchEvent",
-            "version": "v1alpha1"
-          }
-        ]
-      },
-      "io.k8s.apimachinery.pkg.runtime.RawExtension": {
-        "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
-        "type": "object"
-      }
-    },
-    "securitySchemes": {
-      "BearerToken": {
-        "description": "Bearer Token authentication",
-        "in": "header",
-        "name": "authorization",
-        "type": "apiKey"
-      }
-    }
-  },
-  "info": {
-    "title": "Kubernetes",
-    "version": "unversioned"
-  },
-  "openapi": "3.0.0",
-  "paths": {
-    "/apis/storagemigration.k8s.io/v1alpha1/": {
-      "get": {
-        "description": "get available resources",
-        "operationId": "getStoragemigrationV1alpha1APIResources",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ]
-      }
-    },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations": {
-      "delete": {
-        "description": "delete collection of StorageVersionMigration",
-        "operationId": "deleteStoragemigrationV1alpha1CollectionStorageVersionMigration",
-        "parameters": [
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "deletecollection",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "list or watch objects of kind StorageVersionMigration",
-        "operationId": "listStoragemigrationV1alpha1StorageVersionMigration",
-        "parameters": [
-          {
-            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-            "in": "query",
-            "name": "allowWatchBookmarks",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-            "in": "query",
-            "name": "continue",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-            "in": "query",
-            "name": "fieldSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-            "in": "query",
-            "name": "labelSelector",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-            "in": "query",
-            "name": "limit",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersion",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-            "in": "query",
-            "name": "resourceVersionMatch",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-            "in": "query",
-            "name": "sendInitialEvents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-            "in": "query",
-            "name": "timeoutSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-            "in": "query",
-            "name": "watch",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationList"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "list",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "post": {
-        "description": "create a StorageVersionMigration",
-        "operationId": "createStoragemigrationV1alpha1StorageVersionMigration",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "post",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations/{name}": {
-      "delete": {
-        "description": "delete a StorageVersionMigration",
-        "operationId": "deleteStoragemigrationV1alpha1StorageVersionMigration",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
-            "in": "query",
-            "name": "gracePeriodSeconds",
-            "schema": {
-              "type": "integer",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
-            "in": "query",
-            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
-            "in": "query",
-            "name": "orphanDependents",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
-            "in": "query",
-            "name": "propagationPolicy",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
-              }
-            }
-          }
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "202": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
-                }
-              }
-            },
-            "description": "Accepted"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "delete",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "get": {
-        "description": "read the specified StorageVersionMigration",
-        "operationId": "readStoragemigrationV1alpha1StorageVersionMigration",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the StorageVersionMigration",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "patch": {
-        "description": "partially update the specified StorageVersionMigration",
-        "operationId": "patchStoragemigrationV1alpha1StorageVersionMigration",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/apply-patch+cbor": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/apply-patch+yaml": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/strategic-merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "put": {
-        "description": "replace the specified StorageVersionMigration",
-        "operationId": "replaceStoragemigrationV1alpha1StorageVersionMigration",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/storagemigration.k8s.io/v1alpha1/storageversionmigrations/{name}/status": {
-      "get": {
-        "description": "read status of the specified StorageVersionMigration",
-        "operationId": "readStoragemigrationV1alpha1StorageVersionMigrationStatus",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "get",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "name of the StorageVersionMigration",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        }
-      ],
-      "patch": {
-        "description": "partially update status of the specified StorageVersionMigration",
-        "operationId": "patchStoragemigrationV1alpha1StorageVersionMigrationStatus",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
-            "in": "query",
-            "name": "force",
-            "schema": {
-              "type": "boolean",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "application/apply-patch+cbor": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/apply-patch+yaml": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            },
-            "application/strategic-merge-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "patch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "put": {
-        "description": "replace status of the specified StorageVersionMigration",
-        "operationId": "replaceStoragemigrationV1alpha1StorageVersionMigrationStatus",
-        "parameters": [
-          {
-            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
-            "in": "query",
-            "name": "dryRun",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
-            "in": "query",
-            "name": "fieldManager",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          },
-          {
-            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
-            "in": "query",
-            "name": "fieldValidation",
-            "schema": {
-              "type": "string",
-              "uniqueItems": true
-            }
-          }
-        ],
-        "requestBody": {
-          "content": {
-            "*/*": {
-              "schema": {
-                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "201": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"
-                }
-              }
-            },
-            "description": "Created"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "put",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      }
-    },
-    "/apis/storagemigration.k8s.io/v1alpha1/watch/storageversionmigrations": {
-      "get": {
-        "description": "watch individual changes to a list of StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead.",
-        "operationId": "watchStoragemigrationV1alpha1StorageVersionMigrationList",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "watchlist",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    },
-    "/apis/storagemigration.k8s.io/v1alpha1/watch/storageversionmigrations/{name}": {
-      "get": {
-        "description": "watch changes to an object of kind StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
-        "operationId": "watchStoragemigrationV1alpha1StorageVersionMigration",
-        "responses": {
-          "200": {
-            "content": {
-              "application/cbor": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/cbor-seq": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/json;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/vnd.kubernetes.protobuf;stream=watch": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              },
-              "application/yaml": {
-                "schema": {
-                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
-                }
-              }
-            },
-            "description": "OK"
-          },
-          "401": {
-            "description": "Unauthorized"
-          }
-        },
-        "tags": [
-          "storagemigration_v1alpha1"
-        ],
-        "x-kubernetes-action": "watch",
-        "x-kubernetes-group-version-kind": {
-          "group": "storagemigration.k8s.io",
-          "kind": "StorageVersionMigration",
-          "version": "v1alpha1"
-        }
-      },
-      "parameters": [
-        {
-          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
-          "in": "query",
-          "name": "allowWatchBookmarks",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
-          "in": "query",
-          "name": "continue",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
-          "in": "query",
-          "name": "fieldSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
-          "in": "query",
-          "name": "labelSelector",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
-          "in": "query",
-          "name": "limit",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "name of the StorageVersionMigration",
-          "in": "path",
-          "name": "name",
-          "required": true,
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
-          "in": "query",
-          "name": "pretty",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersion",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
-          "in": "query",
-          "name": "resourceVersionMatch",
-          "schema": {
-            "type": "string",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
-          "in": "query",
-          "name": "sendInitialEvents",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
-          "in": "query",
-          "name": "timeoutSeconds",
-          "schema": {
-            "type": "integer",
-            "uniqueItems": true
-          }
-        },
-        {
-          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
-          "in": "query",
-          "name": "watch",
-          "schema": {
-            "type": "boolean",
-            "uniqueItems": true
-          }
-        }
-      ]
-    }
-  }
-}
diff --git a/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1beta1_openapi.json
new file mode 100644
index 0000000000000..537f1baccb5be
--- /dev/null
+++ b/api/openapi-spec/v3/apis__storagemigration.k8s.io__v1beta1_openapi.json
@@ -0,0 +1,2974 @@
+{
+  "components": {
+    "schemas": {
+      "io.k8s.api.storagemigration.v1beta1.StorageVersionMigration": {
+        "description": "StorageVersionMigration represents a migration of stored data to the latest storage version.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          },
+          "spec": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec"
+              }
+            ],
+            "default": {},
+            "description": "Specification of the migration."
+          },
+          "status": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus"
+              }
+            ],
+            "default": {},
+            "description": "Status of the migration."
+          }
+        },
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "StorageVersionMigration",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList": {
+        "description": "StorageVersionMigrationList is a collection of storage version migrations.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "items": {
+            "description": "Items is the list of StorageVersionMigration",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          }
+        },
+        "required": [
+          "items"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "StorageVersionMigrationList",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec": {
+        "description": "Spec of the storage version migration.",
+        "properties": {
+          "resource": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource"
+              }
+            ],
+            "default": {},
+            "description": "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable."
+          }
+        },
+        "required": [
+          "resource"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus": {
+        "description": "Status of the storage version migration.",
+        "properties": {
+          "conditions": {
+            "description": "The latest available observations of the migration's current state.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "type"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "type",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "resourceVersion": {
+            "description": "ResourceVersion to compare with the GC cache for performing the migration. This is the current resource version of given group, version and resource when kube-controller-manager first observes this StorageVersionMigration resource.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": {
+        "description": "APIResource specifies the name of a resource and whether it is namespaced.",
+        "properties": {
+          "categories": {
+            "description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "group": {
+            "description": "group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
+            "type": "string"
+          },
+          "kind": {
+            "default": "",
+            "description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "name is the plural name of the resource.",
+            "type": "string"
+          },
+          "namespaced": {
+            "default": false,
+            "description": "namespaced indicates if a resource is namespaced or not.",
+            "type": "boolean"
+          },
+          "shortNames": {
+            "description": "shortNames is a list of suggested short names of the resource.",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "singularName": {
+            "default": "",
+            "description": "singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
+            "type": "string"
+          },
+          "storageVersionHash": {
+            "description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.",
+            "type": "string"
+          },
+          "verbs": {
+            "description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array"
+          },
+          "version": {
+            "description": "version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
+            "type": "string"
+          }
+        },
+        "required": [
+          "name",
+          "singularName",
+          "namespaced",
+          "kind",
+          "verbs"
+        ],
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {
+        "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "groupVersion": {
+            "default": "",
+            "description": "groupVersion is the group and version this APIResourceList is for.",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "resources": {
+            "description": "resources contains the name of the resources and if they are namespaced.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          }
+        },
+        "required": [
+          "groupVersion",
+          "resources"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "APIResourceList",
+            "version": "v1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": {
+        "description": "Condition contains details for one aspect of the current state of this API Resource.",
+        "properties": {
+          "lastTransitionTime": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable."
+          },
+          "message": {
+            "default": "",
+            "description": "message is a human readable message indicating details about the transition. This may be an empty string.",
+            "type": "string"
+          },
+          "observedGeneration": {
+            "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "reason": {
+            "default": "",
+            "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
+            "type": "string"
+          },
+          "status": {
+            "default": "",
+            "description": "status of the condition, one of True, False, Unknown.",
+            "type": "string"
+          },
+          "type": {
+            "default": "",
+            "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "status",
+          "lastTransitionTime",
+          "reason",
+          "message"
+        ],
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": {
+        "description": "DeleteOptions may be provided when deleting an API object.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "dryRun": {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "gracePeriodSeconds": {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "ignoreStoreReadErrorWithClusterBreakingPotential": {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "type": "boolean"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "orphanDependents": {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "type": "boolean"
+          },
+          "preconditions": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"
+              }
+            ],
+            "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned."
+          },
+          "propagationPolicy": {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "type": "string"
+          }
+        },
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "DeleteOptions",
+            "version": "v2beta2"
+          },
+          {
+            "group": "batch",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "batch",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha2"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "extensions",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta3"
+          },
+          {
+            "group": "imagepolicy.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "internal.apiserver.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "policy",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "policy",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha3"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta2"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "DeleteOptions",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1": {
+        "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff",
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource": {
+        "description": "GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying concepts during lookup stages without having partially valid types",
+        "properties": {
+          "group": {
+            "default": "",
+            "type": "string"
+          },
+          "resource": {
+            "default": "",
+            "type": "string"
+          }
+        },
+        "required": [
+          "group",
+          "resource"
+        ],
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": {
+        "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
+        "properties": {
+          "continue": {
+            "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.",
+            "type": "string"
+          },
+          "remainingItemCount": {
+            "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "resourceVersion": {
+            "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
+            "type": "string"
+          },
+          "selfLink": {
+            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": {
+        "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.",
+            "type": "string"
+          },
+          "fieldsType": {
+            "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"",
+            "type": "string"
+          },
+          "fieldsV1": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
+              }
+            ],
+            "description": "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."
+          },
+          "manager": {
+            "description": "Manager is an identifier of the workflow managing these fields.",
+            "type": "string"
+          },
+          "operation": {
+            "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.",
+            "type": "string"
+          },
+          "subresource": {
+            "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.",
+            "type": "string"
+          },
+          "time": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta": {
+        "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
+        "properties": {
+          "annotations": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations",
+            "type": "object"
+          },
+          "creationTimestamp": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          },
+          "deletionGracePeriodSeconds": {
+            "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "deletionTimestamp": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
+          },
+          "finalizers": {
+            "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.",
+            "items": {
+              "default": "",
+              "type": "string"
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "set",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "generateName": {
+            "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency",
+            "type": "string"
+          },
+          "generation": {
+            "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "labels": {
+            "additionalProperties": {
+              "default": "",
+              "type": "string"
+            },
+            "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels",
+            "type": "object"
+          },
+          "managedFields": {
+            "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "name": {
+            "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
+            "type": "string"
+          },
+          "namespace": {
+            "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces",
+            "type": "string"
+          },
+          "ownerReferences": {
+            "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-map-keys": [
+              "uid"
+            ],
+            "x-kubernetes-list-type": "map",
+            "x-kubernetes-patch-merge-key": "uid",
+            "x-kubernetes-patch-strategy": "merge"
+          },
+          "resourceVersion": {
+            "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency",
+            "type": "string"
+          },
+          "selfLink": {
+            "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.",
+            "type": "string"
+          },
+          "uid": {
+            "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference": {
+        "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
+        "properties": {
+          "apiVersion": {
+            "default": "",
+            "description": "API version of the referent.",
+            "type": "string"
+          },
+          "blockOwnerDeletion": {
+            "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
+            "type": "boolean"
+          },
+          "controller": {
+            "description": "If true, this reference points to the managing controller.",
+            "type": "boolean"
+          },
+          "kind": {
+            "default": "",
+            "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "name": {
+            "default": "",
+            "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names",
+            "type": "string"
+          },
+          "uid": {
+            "default": "",
+            "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "required": [
+          "apiVersion",
+          "kind",
+          "name",
+          "uid"
+        ],
+        "type": "object",
+        "x-kubernetes-map-type": "atomic"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Patch": {
+        "description": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.",
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions": {
+        "description": "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
+        "properties": {
+          "resourceVersion": {
+            "description": "Specifies the target ResourceVersion",
+            "type": "string"
+          },
+          "uid": {
+            "description": "Specifies the target UID.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Status": {
+        "description": "Status is a return value for calls that don't return other objects.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "code": {
+            "description": "Suggested HTTP return code for this status, 0 if not set.",
+            "format": "int32",
+            "type": "integer"
+          },
+          "details": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
+              }
+            ],
+            "description": "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type."
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "message": {
+            "description": "A human-readable description of the status of this operation.",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+          },
+          "reason": {
+            "description": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.",
+            "type": "string"
+          },
+          "status": {
+            "description": "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+            "type": "string"
+          }
+        },
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "Status",
+            "version": "v1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause": {
+        "description": "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.",
+        "properties": {
+          "field": {
+            "description": "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"",
+            "type": "string"
+          },
+          "message": {
+            "description": "A human-readable description of the cause of the error.  This field may be presented as-is to a reader.",
+            "type": "string"
+          },
+          "reason": {
+            "description": "A machine-readable description of the cause of the error. If this value is empty there is no information available.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails": {
+        "description": "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.",
+        "properties": {
+          "causes": {
+            "description": "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          },
+          "group": {
+            "description": "The group attribute of the resource associated with the status StatusReason.",
+            "type": "string"
+          },
+          "kind": {
+            "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "name": {
+            "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).",
+            "type": "string"
+          },
+          "retryAfterSeconds": {
+            "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.",
+            "format": "int32",
+            "type": "integer"
+          },
+          "uid": {
+            "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.Time": {
+        "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.  Wrappers are provided for many of the factory methods that the time package offers.",
+        "format": "date-time",
+        "type": "string"
+      },
+      "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": {
+        "description": "Event represents a single event to a watched resource.",
+        "properties": {
+          "object": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.runtime.RawExtension"
+              }
+            ],
+            "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context."
+          },
+          "type": {
+            "default": "",
+            "type": "string"
+          }
+        },
+        "required": [
+          "type",
+          "object"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admission.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "admissionregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apiextensions.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apiregistration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "apps",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "authentication.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2beta1"
+          },
+          {
+            "group": "autoscaling",
+            "kind": "WatchEvent",
+            "version": "v2beta2"
+          },
+          {
+            "group": "batch",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "batch",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "certificates.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha2"
+          },
+          {
+            "group": "coordination.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "discovery.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "events.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "extensions",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "flowcontrol.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta3"
+          },
+          {
+            "group": "imagepolicy.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "internal.apiserver.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "networking.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "node.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "policy",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "policy",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "rbac.authorization.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha3"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "resource.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta2"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "scheduling.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1alpha1"
+          },
+          {
+            "group": "storage.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          },
+          {
+            "group": "storagemigration.k8s.io",
+            "kind": "WatchEvent",
+            "version": "v1beta1"
+          }
+        ]
+      },
+      "io.k8s.apimachinery.pkg.runtime.RawExtension": {
+        "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
+        "type": "object"
+      }
+    },
+    "securitySchemes": {
+      "BearerToken": {
+        "description": "Bearer Token authentication",
+        "in": "header",
+        "name": "authorization",
+        "type": "apiKey"
+      }
+    }
+  },
+  "info": {
+    "title": "Kubernetes",
+    "version": "unversioned"
+  },
+  "openapi": "3.0.0",
+  "paths": {
+    "/apis/storagemigration.k8s.io/v1beta1/": {
+      "get": {
+        "description": "get available resources",
+        "operationId": "getStoragemigrationV1beta1APIResources",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ]
+      }
+    },
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations": {
+      "delete": {
+        "description": "delete collection of StorageVersionMigration",
+        "operationId": "deleteStoragemigrationV1beta1CollectionStorageVersionMigration",
+        "parameters": [
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "get": {
+        "description": "list or watch objects of kind StorageVersionMigration",
+        "operationId": "listStoragemigrationV1beta1StorageVersionMigration",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "post": {
+        "description": "create a StorageVersionMigration",
+        "operationId": "createStoragemigrationV1beta1StorageVersionMigration",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations/{name}": {
+      "delete": {
+        "description": "delete a StorageVersionMigration",
+        "operationId": "deleteStoragemigrationV1beta1StorageVersionMigration",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "get": {
+        "description": "read the specified StorageVersionMigration",
+        "operationId": "readStoragemigrationV1beta1StorageVersionMigration",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the StorageVersionMigration",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update the specified StorageVersionMigration",
+        "operationId": "patchStoragemigrationV1beta1StorageVersionMigration",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "put": {
+        "description": "replace the specified StorageVersionMigration",
+        "operationId": "replaceStoragemigrationV1beta1StorageVersionMigration",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/storagemigration.k8s.io/v1beta1/storageversionmigrations/{name}/status": {
+      "get": {
+        "description": "read status of the specified StorageVersionMigration",
+        "operationId": "readStoragemigrationV1beta1StorageVersionMigrationStatus",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the StorageVersionMigration",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update status of the specified StorageVersionMigration",
+        "operationId": "patchStoragemigrationV1beta1StorageVersionMigrationStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "put": {
+        "description": "replace status of the specified StorageVersionMigration",
+        "operationId": "replaceStoragemigrationV1beta1StorageVersionMigrationStatus",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      }
+    },
+    "/apis/storagemigration.k8s.io/v1beta1/watch/storageversionmigrations": {
+      "get": {
+        "description": "watch individual changes to a list of StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchStoragemigrationV1beta1StorageVersionMigrationList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/storagemigration.k8s.io/v1beta1/watch/storageversionmigrations/{name}": {
+      "get": {
+        "description": "watch changes to an object of kind StorageVersionMigration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchStoragemigrationV1beta1StorageVersionMigration",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "storagemigration_v1beta1"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "storagemigration.k8s.io",
+          "kind": "StorageVersionMigration",
+          "version": "v1beta1"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "name of the StorageVersionMigration",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/build/README.md b/build/README.md
index 3efb2f869519d..f0fd3adf78e84 100644
--- a/build/README.md
+++ b/build/README.md
@@ -46,19 +46,14 @@ The following scripts are found in the [`build/`](.) directory.
   *  `build/run.sh make test`: Run all unit tests
   *  `build/run.sh make test-integration`: Run integration test
   *  `build/run.sh make test-cmd`: Run CLI tests
-* [`build/copy-output.sh`](copy-output.sh): This will copy the contents of `_output/dockerized/bin` from the Docker container to the local `_output/dockerized/bin`. It will also copy out specific file patterns that are generated as part of the build process. This is run automatically as part of `build/run.sh`.
 * [`build/make-clean.sh`](make-clean.sh): Clean out the contents of `_output`, remove any locally built container images and remove the data container.
 * [`build/shell.sh`](shell.sh): Drop into a `bash` shell in a build container with a snapshot of the current repo code.
 
 ## Basic Flow
 
-The scripts directly under [`build/`](.) are used to build and test.  They will ensure that the `kube-build` Docker image is built (based on [`build/build-image/Dockerfile`](build-image/Dockerfile) and after base image's `KUBE_BUILD_IMAGE_CROSS_TAG` from Dockerfile is replaced with one of those actual tags of the base image, like `v1.13.9-2`) and then execute the appropriate command in that container.  These scripts will both ensure that the right data is cached from run to run for incremental builds and will copy the results back out of the container. You can specify a different registry/name and version for `kube-cross` by setting `KUBE_CROSS_IMAGE` and `KUBE_CROSS_VERSION`, see [`common.sh`](common.sh) for more details.
-
-The `kube-build` container image is built by first creating a "context" directory in `_output/images/build-image`.  It is done there instead of at the root of the Kubernetes repo to minimize the amount of data we need to package up when building the image.
-
-There are 3 different containers instances that are run from this image.  The first is a "data" container to store all data that needs to persist across to support incremental builds. Next there is an "rsync" container that is used to transfer data in and out to the data container.  Lastly there is a "build" container that is used for actually doing build actions.  The data container persists across runs while the rsync and build containers are deleted after each use.
-
-`rsync` is used transparently behind the scenes to efficiently move data in and out of the container.  This will use an ephemeral port picked by Docker.  You can modify this by setting the `KUBE_RSYNC_PORT` env variable.
+The scripts directly under [`build/`](.) are used to build and test. 
+They will build using docker containers based on the `kube-cross` from https://git.k8s.io/release/tree/master/images/build/cross.
+You can specify a different registry/name and version for `kube-cross` by setting `KUBE_CROSS_IMAGE` and `KUBE_CROSS_VERSION`, see [`common.sh`](common.sh) for more details.
 
 All Docker names are suffixed with a hash derived from the file path (to allow concurrent usage on things like CI machines) and a version number.  When the version number changes all state is cleared and clean build is started.  This allows the build infrastructure to be changed and signal to CI systems that old artifacts need to be deleted.
 
diff --git a/build/build-image/Dockerfile b/build/build-image/Dockerfile
deleted file mode 100644
index 4473935769b76..0000000000000
--- a/build/build-image/Dockerfile
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This file creates a standard build environment for building Kubernetes
-ARG KUBE_CROSS_IMAGE
-ARG KUBE_CROSS_VERSION
-
-FROM ${KUBE_CROSS_IMAGE}:${KUBE_CROSS_VERSION}
-
-# Mark this as a kube-build container
-RUN touch /kube-build-image
-
-# To run as non-root we sometimes need to rebuild go stdlib packages.
-RUN chmod -R a+rwx /usr/local/go/pkg
-
-# For running integration tests /var/run/kubernetes is required
-# and should be writable by user
-RUN mkdir /var/run/kubernetes && chmod a+rwx /var/run/kubernetes
-
-# The kubernetes source is expected to be mounted here.  This will be the base
-# of operations.
-ENV HOME=/go/src/k8s.io/kubernetes
-WORKDIR ${HOME}
-
-# Make output from the dockerized build go someplace else
-ENV KUBE_OUTPUT_SUBPATH=_output/dockerized
-
-# Pick up version stuff here as we don't copy our .git over.
-ENV KUBE_GIT_VERSION_FILE=${HOME}/.dockerized-kube-version-defs
-
-# Add system-wide git user information
-RUN git config --system user.email "nobody@k8s.io" \
-  && git config --system user.name "kube-build-image"
-
-# Fix permissions on gopath
-RUN chmod -R a+rwx $GOPATH
-
-# Make log messages use the right timezone
-ADD localtime /etc/localtime
-RUN chmod a+r /etc/localtime
-
-# Set up rsyncd
-ADD rsyncd.password /
-RUN chmod a+r /rsyncd.password
-ADD rsyncd.sh /
-RUN chmod a+rx /rsyncd.sh
diff --git a/build/build-image/VERSION b/build/build-image/VERSION
deleted file mode 100644
index 7ed6ff82de6bc..0000000000000
--- a/build/build-image/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-5
diff --git a/build/build-image/cross/VERSION b/build/build-image/cross/VERSION
index 14a4b84c2030d..43aec8a00f487 100644
--- a/build/build-image/cross/VERSION
+++ b/build/build-image/cross/VERSION
@@ -1 +1 @@
-v1.34.0-go1.24.9-bullseye.0
+v1.35.0-go1.25.6-bullseye.0
\ No newline at end of file
diff --git a/build/build-image/rsyncd.sh b/build/build-image/rsyncd.sh
deleted file mode 100755
index 2801fa6a38739..0000000000000
--- a/build/build-image/rsyncd.sh
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script will set up and run rsyncd to allow data to move into and out of
-# our dockerized build system.  This is used for syncing sources and changes of
-# sources into the docker-build-container.  It is also used to transfer built binaries
-# and generated files back out.
-#
-# When run as root (rare) it'll preserve the file ids as sent from the client.
-# Usually it'll be run as non-dockerized UID/GID and end up translating all file
-# ownership to that.
-
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-# The directory that gets sync'd
-VOLUME=${HOME}
-
-# Assume that this is running in Docker on a bridge.  Allow connections from
-# anything on the local subnet.
-ALLOW=$(ip route | awk  '/^default via/ { reg = "^[0-9./]+ dev "$5 } ; $0 ~ reg { print $1 }')
-
-CONFDIR="/tmp/rsync.k8s"
-PIDFILE="${CONFDIR}/rsyncd.pid"
-CONFFILE="${CONFDIR}/rsyncd.conf"
-SECRETS="${CONFDIR}/rsyncd.secrets"
-
-mkdir -p "${CONFDIR}"
-
-if [[ -f "${PIDFILE}" ]]; then
-  PID=$(cat "${PIDFILE}")
-  echo "Cleaning up old PID file: ${PIDFILE}"
-  kill "${PID}" &> /dev/null || true
-  rm "${PIDFILE}"
-fi
-
-PASSWORD=$(</rsyncd.password)
-
-cat <<EOF >"${SECRETS}"
-k8s:${PASSWORD}
-EOF
-chmod go= "${SECRETS}"
-
-USER_CONFIG=
-if [[ "$(id -u)" == "0" ]]; then
-  USER_CONFIG="  uid = 0"$'\n'"  gid = 0"
-fi
-
-cat <<EOF >"${CONFFILE}"
-pid file = ${PIDFILE}
-use chroot = no
-log file = /dev/stdout
-reverse lookup = no
-munge symlinks = no
-port = 8730
-[k8s]
-  numeric ids = true
-  $USER_CONFIG
-  hosts deny = *
-  hosts allow = ${ALLOW} ${ALLOW_HOST-}
-  auth users = k8s
-  secrets file = ${SECRETS}
-  read only = false
-  path = ${VOLUME}
-  filter = - /_tmp/
-EOF
-
-exec /usr/bin/rsync --no-detach --daemon --config="${CONFFILE}" "$@"
diff --git a/build/common.sh b/build/common.sh
index 2bd3cd052272c..b7def19220e24 100755
--- a/build/common.sh
+++ b/build/common.sh
@@ -38,7 +38,6 @@ KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd -P)
 source "${KUBE_ROOT}/hack/lib/init.sh"
 
 # Constants
-readonly KUBE_BUILD_IMAGE_REPO=kube-build
 KUBE_BUILD_IMAGE_CROSS_TAG="${KUBE_CROSS_VERSION:-"$(cat "${KUBE_ROOT}/build/build-image/cross/VERSION")"}"
 readonly KUBE_BUILD_IMAGE_CROSS_TAG
 
@@ -46,21 +45,13 @@ readonly KUBE_DOCKER_REGISTRY="${KUBE_DOCKER_REGISTRY:-registry.k8s.io}"
 KUBE_BASE_IMAGE_REGISTRY="${KUBE_BASE_IMAGE_REGISTRY:-registry.k8s.io/build-image}"
 readonly KUBE_BASE_IMAGE_REGISTRY
 
-# This version number is used to cause everyone to rebuild their data containers
-# and build image.  This is especially useful for automated build systems like
-# Jenkins.
-#
-# Increment/change this number if you change the build image (anything under
-# build/build-image) or change the set of volumes in the data container.
-KUBE_BUILD_IMAGE_VERSION_BASE="$(cat "${KUBE_ROOT}/build/build-image/VERSION")"
-readonly KUBE_BUILD_IMAGE_VERSION_BASE
-readonly KUBE_BUILD_IMAGE_VERSION="${KUBE_BUILD_IMAGE_VERSION_BASE}-${KUBE_BUILD_IMAGE_CROSS_TAG}"
-
 # Make it possible to override the `kube-cross` image, and tag independent of `KUBE_BASE_IMAGE_REGISTRY`
 KUBE_CROSS_IMAGE="${KUBE_CROSS_IMAGE:-"${KUBE_BASE_IMAGE_REGISTRY}/kube-cross"}"
 readonly KUBE_CROSS_IMAGE
 KUBE_CROSS_VERSION="${KUBE_CROSS_VERSION:-"${KUBE_BUILD_IMAGE_CROSS_TAG}"}"
 readonly KUBE_CROSS_VERSION
+KUBE_CROSS_CONTAINER_ROOT="/go/src/k8s.io/kubernetes"
+readonly KUBE_CROSS_CONTAINER_ROOT
 
 # Here we map the output directories across both the local and remote _output
 # directories:
@@ -88,26 +79,40 @@ readonly REMOTE_OUTPUT_SUBPATH="${REMOTE_OUTPUT_ROOT}/dockerized"
 readonly REMOTE_OUTPUT_BINPATH="${REMOTE_OUTPUT_SUBPATH}/bin"
 readonly REMOTE_OUTPUT_GOPATH="${REMOTE_OUTPUT_SUBPATH}/go"
 
-# This is the port on the workstation host to expose RSYNC on.  Set this if you
-# are doing something fancy with ssh tunneling.
-readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
-
-# This is the port that rsync is running on *inside* the container. This may be
-# mapped to KUBE_RSYNC_PORT via docker networking.
-readonly KUBE_CONTAINER_RSYNC_PORT=8730
-
 # These are the default versions (image tags) for their respective base images.
-readonly __default_distroless_iptables_version=v0.7.11
-readonly __default_go_runner_version=v2.4.0-go1.24.9-bookworm.0
+readonly __default_distroless_iptables_version=v0.8.7
+readonly __default_go_runner_version=v2.4.0-go1.25.6-bookworm.0
 readonly __default_setcap_version=bookworm-v1.0.6
 
-# These are the base images for the Docker-wrapped binaries.
+# The default image for all binaries which are dynamically linked.
+# Includes everything that is required by kube-proxy, which uses it
+# by default. Other commands only use this when dynamically linking
+# them gets requested.
+readonly __default_dynamic_base_image="$KUBE_BASE_IMAGE_REGISTRY/distroless-iptables:$__default_distroless_iptables_version"
+
+# KUBE_GORUNNER_IMAGE is the default image for commands which are built statically.
+# It can be overridden to change the image for all such commands.
+# When the per-command env variable is set, that env variable is
+# used without considering KUBE_GORUNNER_IMAGE.
 readonly KUBE_GORUNNER_IMAGE="${KUBE_GORUNNER_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/go-runner:$__default_go_runner_version}"
-readonly KUBE_APISERVER_BASE_IMAGE="${KUBE_APISERVER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
-readonly KUBE_CONTROLLER_MANAGER_BASE_IMAGE="${KUBE_CONTROLLER_MANAGER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
-readonly KUBE_SCHEDULER_BASE_IMAGE="${KUBE_SCHEDULER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
-readonly KUBE_PROXY_BASE_IMAGE="${KUBE_PROXY_BASE_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/distroless-iptables:$__default_distroless_iptables_version}"
-readonly KUBECTL_BASE_IMAGE="${KUBECTL_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+
+# __default_base_image takes the canonical build target for a Kubernetes command (e.g. k8s.io/kubernetes/cmd/kube-scheduler)
+# and prints the right default base image for it, depending on whether that command gets built dynamically or statically.
+__default_base_image() {
+  if kube::golang::is_statically_linked "$1"; then
+    echo "$KUBE_GORUNNER_IMAGE"
+  else
+    echo "$__default_dynamic_base_image"
+  fi
+}
+
+# These are the base images for the Docker-wrapped binaries.
+# These can be overridden on a case-by-case basis.
+readonly KUBE_APISERVER_BASE_IMAGE="${KUBE_APISERVER_BASE_IMAGE:-$(__default_base_image k8s.io/kubernetes/cmd/kube-apiserver)}"
+readonly KUBE_CONTROLLER_MANAGER_BASE_IMAGE="${KUBE_CONTROLLER_MANAGER_BASE_IMAGE:-$(__default_base_image k8s.io/kubernetes/cmd/kube-controller-manager)}"
+readonly KUBE_SCHEDULER_BASE_IMAGE="${KUBE_SCHEDULER_BASE_IMAGE:-$(__default_base_image k8s.io/kubernetes/cmd/kube-scheduler)}"
+readonly KUBE_PROXY_BASE_IMAGE="${KUBE_PROXY_BASE_IMAGE:-$__default_dynamic_base_image}"
+readonly KUBECTL_BASE_IMAGE="${KUBECTL_BASE_IMAGE:-$(__default_base_image k8s.io/kubernetes/cmd/kubectl)}"
 
 # This is the image used in a multi-stage build to apply capabilities to Docker-wrapped binaries.
 readonly KUBE_BUILD_SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/setcap:$__default_setcap_version}"
@@ -136,6 +141,23 @@ kube::build::get_docker_wrapped_binaries() {
 # ---------------------------------------------------------------------------
 # Basic setup functions
 
+# Set up dynamic constants for build environment.
+# This function sets up variables that are needed by both verification and cleaning.
+#
+# Vars set:
+#   KUBE_ROOT_HASH
+#   KUBE_BUILD_CONTAINER_NAME_BASE
+#   KUBE_BUILD_CONTAINER_NAME
+function kube::build::setup_vars() {
+  KUBE_GIT_BRANCH=$(git symbolic-ref --short -q HEAD 2>/dev/null || true)
+  KUBE_ROOT_HASH=$(kube::build::short_hash "${HOSTNAME:-}:${KUBE_ROOT}:${KUBE_GIT_BRANCH}")
+  KUBE_BUILD_CONTAINER_NAME_BASE="kube-build-${KUBE_ROOT_HASH}"
+  # 6 here is out of a wild excess of caution to match previous behavior where
+  # this was the kube-build image version which surfaced in the name of the container
+  # the last real image version was 5
+  KUBE_BUILD_CONTAINER_NAME="${KUBE_BUILD_CONTAINER_NAME_BASE}-6"
+}
+
 # Verify that the right utilities and such are installed for building Kube. Set
 # up some dynamic constants.
 # Args:
@@ -143,23 +165,13 @@ kube::build::get_docker_wrapped_binaries() {
 #
 # Vars set:
 #   KUBE_ROOT_HASH
-#   KUBE_BUILD_IMAGE_TAG_BASE
-#   KUBE_BUILD_IMAGE_TAG
-#   KUBE_BUILD_IMAGE
 #   KUBE_BUILD_CONTAINER_NAME_BASE
 #   KUBE_BUILD_CONTAINER_NAME
-#   KUBE_DATA_CONTAINER_NAME_BASE
-#   KUBE_DATA_CONTAINER_NAME
-#   KUBE_RSYNC_CONTAINER_NAME_BASE
-#   KUBE_RSYNC_CONTAINER_NAME
-#   DOCKER_MOUNT_ARGS
-#   LOCAL_OUTPUT_BUILD_CONTEXT
 # shellcheck disable=SC2120 # optional parameters
 function kube::build::verify_prereqs() {
   local -r require_docker=${1:-true}
   kube::log::status "Verifying Prerequisites...."
   kube::build::ensure_tar || return 1
-  kube::build::ensure_rsync || return 1
   if ${require_docker}; then
     kube::build::ensure_docker_in_path || return 1
     if kube::build::is_osx; then
@@ -173,19 +185,7 @@ function kube::build::verify_prereqs() {
     fi
   fi
 
-  KUBE_GIT_BRANCH=$(git symbolic-ref --short -q HEAD 2>/dev/null || true)
-  KUBE_ROOT_HASH=$(kube::build::short_hash "${HOSTNAME:-}:${KUBE_ROOT}:${KUBE_GIT_BRANCH}")
-  KUBE_BUILD_IMAGE_TAG_BASE="build-${KUBE_ROOT_HASH}"
-  KUBE_BUILD_IMAGE_TAG="${KUBE_BUILD_IMAGE_TAG_BASE}-${KUBE_BUILD_IMAGE_VERSION}"
-  KUBE_BUILD_IMAGE="${KUBE_BUILD_IMAGE_REPO}:${KUBE_BUILD_IMAGE_TAG}"
-  KUBE_BUILD_CONTAINER_NAME_BASE="kube-build-${KUBE_ROOT_HASH}"
-  KUBE_BUILD_CONTAINER_NAME="${KUBE_BUILD_CONTAINER_NAME_BASE}-${KUBE_BUILD_IMAGE_VERSION}"
-  KUBE_RSYNC_CONTAINER_NAME_BASE="kube-rsync-${KUBE_ROOT_HASH}"
-  KUBE_RSYNC_CONTAINER_NAME="${KUBE_RSYNC_CONTAINER_NAME_BASE}-${KUBE_BUILD_IMAGE_VERSION}"
-  KUBE_DATA_CONTAINER_NAME_BASE="kube-build-data-${KUBE_ROOT_HASH}"
-  KUBE_DATA_CONTAINER_NAME="${KUBE_DATA_CONTAINER_NAME_BASE}-${KUBE_BUILD_IMAGE_VERSION}"
-  DOCKER_MOUNT_ARGS=(--volumes-from "${KUBE_DATA_CONTAINER_NAME}")
-  LOCAL_OUTPUT_BUILD_CONTEXT="${LOCAL_OUTPUT_IMAGE_STAGING}/${KUBE_BUILD_IMAGE}"
+  kube::build::setup_vars
 
   kube::version::get_version_vars
   kube::version::save_version_vars "${KUBE_ROOT}/.dockerized-kube-version-defs"
@@ -219,13 +219,6 @@ function kube::build::is_gnu_sed() {
   [[ $(sed --version 2>&1) == *GNU* ]]
 }
 
-function kube::build::ensure_rsync() {
-  if [[ -z "$(which rsync)" ]]; then
-    kube::log::error "Can't find 'rsync' in PATH, please fix and retry."
-    return 1
-  fi
-}
-
 function kube::build::ensure_docker_in_path() {
   if [[ -z "$(which docker)" ]]; then
     kube::log::error "Can't find 'docker' in PATH, please fix and retry."
@@ -276,29 +269,6 @@ function kube::build::docker_image_exists() {
   [[ $("${DOCKER[@]}" images -q "${1}:${2}") ]]
 }
 
-# Delete all images that match a tag prefix except for the "current" version
-#
-# $1: The image repo/name
-# $2: The tag base. We consider any image that matches $2*
-# $3: The current image not to delete if provided
-function kube::build::docker_delete_old_images() {
-  # In Docker 1.12, we can replace this with
-  #    docker images "$1" --format "{{.Tag}}"
-  for tag in $("${DOCKER[@]}" images "${1}" | tail -n +2 | awk '{print $2}') ; do
-    if [[ "${tag}" != "${2}"* ]] ; then
-      V=3 kube::log::status "Keeping image ${1}:${tag}"
-      continue
-    fi
-
-    if [[ -z "${3:-}" || "${tag}" != "${3}" ]] ; then
-      V=2 kube::log::status "Deleting image ${1}:${tag}"
-      "${DOCKER[@]}" rmi "${1}:${tag}" >/dev/null
-    else
-      V=3 kube::log::status "Keeping image ${1}:${tag}"
-    fi
-  done
-}
-
 # Stop and delete all containers that match a pattern
 #
 # $1: The base container prefix
@@ -352,6 +322,10 @@ function kube::build::destroy_container() {
   "${DOCKER[@]}" rm -f -v "$1" >/dev/null 2>&1 || true
 }
 
+function kube::build::is_docker_rootless() {
+  "${DOCKER[@]}" info --format '{{json .SecurityOptions}}' | grep -q "name=rootless"
+}
+
 # ---------------------------------------------------------------------------
 # Building
 
@@ -359,9 +333,6 @@ function kube::build::destroy_container() {
 function kube::build::clean() {
   if kube::build::has_docker ; then
     kube::build::docker_delete_old_containers "${KUBE_BUILD_CONTAINER_NAME_BASE}"
-    kube::build::docker_delete_old_containers "${KUBE_RSYNC_CONTAINER_NAME_BASE}"
-    kube::build::docker_delete_old_containers "${KUBE_DATA_CONTAINER_NAME_BASE}"
-    kube::build::docker_delete_old_images "${KUBE_BUILD_IMAGE_REPO}" "${KUBE_BUILD_IMAGE_TAG_BASE}"
 
     V=2 kube::log::status "Cleaning all untagged docker images"
     "${DOCKER[@]}" rmi "$("${DOCKER[@]}" images -q --filter 'dangling=true')" 2> /dev/null || true
@@ -369,117 +340,15 @@ function kube::build::clean() {
 
   if [[ -d "${LOCAL_OUTPUT_ROOT}" ]]; then
     kube::log::status "Removing _output directory"
-    # this ensures we can clean _output/local/go/cache which is not rw by default
-    chmod -R +w "${LOCAL_OUTPUT_ROOT}"
-    rm -rf "${LOCAL_OUTPUT_ROOT}"
-  fi
-}
-
-# Set up the context directory for the kube-build image and build it.
-function kube::build::build_image() {
-  mkdir -p "${LOCAL_OUTPUT_BUILD_CONTEXT}"
-  # Make sure the context directory owned by the right user for syncing sources to container.
-  chown -R "${USER_ID}":"${GROUP_ID}" "${LOCAL_OUTPUT_BUILD_CONTEXT}"
-
-  cp /etc/localtime "${LOCAL_OUTPUT_BUILD_CONTEXT}/"
-  chmod u+w "${LOCAL_OUTPUT_BUILD_CONTEXT}/localtime"
-
-  cp "${KUBE_ROOT}/build/build-image/Dockerfile" "${LOCAL_OUTPUT_BUILD_CONTEXT}/Dockerfile"
-  cp "${KUBE_ROOT}/build/build-image/rsyncd.sh" "${LOCAL_OUTPUT_BUILD_CONTEXT}/"
-  dd if=/dev/urandom bs=512 count=1 2>/dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | dd bs=32 count=1 2>/dev/null > "${LOCAL_OUTPUT_BUILD_CONTEXT}/rsyncd.password"
-  chmod go= "${LOCAL_OUTPUT_BUILD_CONTEXT}/rsyncd.password"
-
-  kube::build::docker_build "${KUBE_BUILD_IMAGE}" "${LOCAL_OUTPUT_BUILD_CONTEXT}" 'false' "--build-arg=KUBE_CROSS_IMAGE=${KUBE_CROSS_IMAGE} --build-arg=KUBE_CROSS_VERSION=${KUBE_CROSS_VERSION}"
-
-  # Clean up old versions of everything
-  kube::build::docker_delete_old_containers "${KUBE_BUILD_CONTAINER_NAME_BASE}" "${KUBE_BUILD_CONTAINER_NAME}"
-  kube::build::docker_delete_old_containers "${KUBE_RSYNC_CONTAINER_NAME_BASE}" "${KUBE_RSYNC_CONTAINER_NAME}"
-  kube::build::docker_delete_old_containers "${KUBE_DATA_CONTAINER_NAME_BASE}" "${KUBE_DATA_CONTAINER_NAME}"
-  kube::build::docker_delete_old_images "${KUBE_BUILD_IMAGE_REPO}" "${KUBE_BUILD_IMAGE_TAG_BASE}" "${KUBE_BUILD_IMAGE_TAG}"
-
-  kube::build::ensure_data_container
-  kube::build::sync_to_container
-}
-
-# Build a docker image from a Dockerfile.
-# $1 is the name of the image to build
-# $2 is the location of the "context" directory, with the Dockerfile at the root.
-# $3 is the value to set the --pull flag for docker build; true by default
-# $4 is the set of --build-args for docker.
-function kube::build::docker_build() {
-  kube::util::ensure-docker-buildx
-
-  local -r image=$1
-  local -r context_dir=$2
-  local -r pull="${3:-true}"
-  local build_args
-  IFS=" " read -r -a build_args <<< "$4"
-  readonly build_args
-  local -ra build_cmd=("${DOCKER[@]}" buildx build --load -t "${image}" "--pull=${pull}" "${build_args[@]}" "${context_dir}")
-
-  kube::log::status "Building Docker image ${image}"
-  local docker_output
-  docker_output=$(DOCKER_CLI_EXPERIMENTAL=enabled "${build_cmd[@]}" 2>&1) || {
-    cat <<EOF >&2
-+++ Docker build command failed for ${image}
-
-${docker_output}
-
-To retry manually, run:
-
-DOCKER_CLI_EXPERIMENTAL=enabled ${build_cmd[*]}
-
-EOF
-    return 1
-  }
-}
-
-function kube::build::ensure_data_container() {
-  # If the data container exists AND exited successfully, we can use it.
-  # Otherwise nuke it and start over.
-  local ret=0
-  local code=0
-
-  code=$(docker inspect \
-      -f '{{.State.ExitCode}}' \
-      "${KUBE_DATA_CONTAINER_NAME}" 2>/dev/null) || ret=$?
-  if [[ "${ret}" == 0 && "${code}" != 0 ]]; then
-    kube::build::destroy_container "${KUBE_DATA_CONTAINER_NAME}"
-    ret=1
-  fi
-  if [[ "${ret}" != 0 ]]; then
-    kube::log::status "Creating data container ${KUBE_DATA_CONTAINER_NAME}"
-    # We have to ensure the directory exists, or else the docker run will
-    # create it as root.
-    mkdir -p "${LOCAL_OUTPUT_GOPATH}"
-    # We want this to run as root to be able to chown, so non-root users can
-    # later use the result as a data container.  This run both creates the data
-    # container and chowns the GOPATH.
+    # This ensures we can clean _output/local/go/cache which is not rw by default.
     #
-    # The data container creates volumes for all of the directories that store
-    # intermediates for the Go build. This enables incremental builds across
-    # Docker sessions. The *_cgo paths are re-compiled versions of the go std
-    # libraries for true static building.
-    local -ra docker_cmd=(
-      "${DOCKER[@]}" run
-      --volume "${REMOTE_ROOT}"   # white-out the whole output dir
-      --volume /usr/local/go/pkg/linux_386_cgo
-      --volume /usr/local/go/pkg/linux_amd64_cgo
-      --volume /usr/local/go/pkg/linux_arm_cgo
-      --volume /usr/local/go/pkg/linux_arm64_cgo
-      --volume /usr/local/go/pkg/linux_ppc64le_cgo
-      --volume /usr/local/go/pkg/darwin_amd64_cgo
-      --volume /usr/local/go/pkg/darwin_386_cgo
-      --volume /usr/local/go/pkg/windows_amd64_cgo
-      --volume /usr/local/go/pkg/windows_386_cgo
-      --name "${KUBE_DATA_CONTAINER_NAME}"
-      --hostname "${HOSTNAME}"
-      "${KUBE_BUILD_IMAGE}"
-      chown -R "${USER_ID}":"${GROUP_ID}"
-        "${REMOTE_ROOT}"
-        /usr/local/go/pkg/
-    )
-    "${docker_cmd[@]}"
+    # We only do this path specifically instead of the entire output root
+    # because recursive chmod is slow.
+    # We don't need to do this at all for dockerized builds
+    if [[ -d "${LOCAL_OUTPUT_ROOT}/local/go/cache" ]]; then
+      chmod -R +w "${LOCAL_OUTPUT_ROOT}/local/go/cache"
+    fi
+    rm -rf "${LOCAL_OUTPUT_ROOT}"
   fi
 }
 
@@ -502,12 +371,12 @@ function kube::build::run_build_command_ex() {
 
   local -a docker_run_opts=(
     "--name=${container_name}"
-    "--user=$(id -u):$(id -g)"
     "--hostname=${HOSTNAME}"
     "-e=GOPROXY=${GOPROXY}"
-    "${DOCKER_MOUNT_ARGS[@]}"
   )
 
+  kube::build::is_docker_rootless || docker_run_opts+=("--user=$(id -u):$(id -g)")
+
   local detach=false
 
   [[ $# != 0 ]] || { echo "Invalid input - please specify docker arguments followed by --." >&2; return 4; }
@@ -540,14 +409,29 @@ function kube::build::run_build_command_ex() {
     --env "KUBE_BUILD_PLATFORMS=${KUBE_BUILD_PLATFORMS:-}"
     --env "KUBE_CGO_OVERRIDES=' ${KUBE_CGO_OVERRIDES[*]:-} '"
     --env "KUBE_STATIC_OVERRIDES=' ${KUBE_STATIC_OVERRIDES[*]:-} '"
+    --env "KUBE_RACE=${KUBE_RACE:-}"
     --env "FORCE_HOST_GO=${FORCE_HOST_GO:-}"
     --env "GO_VERSION=${GO_VERSION:-}"
     --env "GOTOOLCHAIN=${GOTOOLCHAIN:-}"
     --env "GOFLAGS=${GOFLAGS:-}"
     --env "GOGCFLAGS=${GOGCFLAGS:-}"
     --env "SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-}"
+    # mount source code / output dir
+    --volume "${KUBE_ROOT}:${KUBE_CROSS_CONTAINER_ROOT}"
+    # env migrated from build-image, we could consider setting this in kube-cross
+    --env 'KUBE_OUTPUT_SUBPATH=_output/dockerized'
+    --workdir "${KUBE_CROSS_CONTAINER_ROOT}"
+    --env 'GIT_AUTHOR_EMAIL=nobody@k8s.io'
+    --env 'GIT_AUTHOR_NAME=kube-build-image'
   )
 
+  # if host has localtime, mount it so we log in local time
+  if [ -f /etc/localtime ]; then
+    docker_run_opts+=(
+      --mount 'type=bind,source=/etc/localtime,target=/etc/localtime,readonly'
+    )
+  fi
+
   # use GOLDFLAGS only if it is set explicitly.
   if [[ -v GOLDFLAGS ]]; then
     docker_run_opts+=(
@@ -560,6 +444,12 @@ function kube::build::run_build_command_ex() {
     docker_run_opts+=(--cgroup-parent "${DOCKER_CGROUP_PARENT}")
   fi
 
+  # copy KUBE_GIT_VERSION_FILE to .dockerized-kube-version-defs and set environment variable.
+  if [[ -n "${KUBE_GIT_VERSION_FILE:-}" ]]; then
+    cp "${KUBE_GIT_VERSION_FILE}" "${KUBE_ROOT}/.dockerized-kube-version-defs"
+    docker_run_opts+=(--env "KUBE_GIT_VERSION_FILE=${KUBE_CROSS_CONTAINER_ROOT}/.dockerized-kube-version-defs")
+  fi
+
   # If we have stdin we can run interactive.  This allows things like 'shell.sh'
   # to work.  However, if we run this way and don't have stdin, then it ends up
   # running in a daemon-ish mode.  So if we don't have a stdin, we explicitly
@@ -571,7 +461,7 @@ function kube::build::run_build_command_ex() {
   fi
 
   local -ra docker_cmd=(
-    "${DOCKER[@]}" run "${docker_run_opts[@]}" "${KUBE_BUILD_IMAGE}")
+    "${DOCKER[@]}" run "${docker_run_opts[@]}" "${KUBE_CROSS_IMAGE}:${KUBE_CROSS_VERSION}")
 
   # Clean up container from any previous run
   kube::build::destroy_container "${container_name}"
@@ -580,141 +470,3 @@ function kube::build::run_build_command_ex() {
     kube::build::destroy_container "${container_name}"
   fi
 }
-
-function kube::build::rsync_probe {
-  # Wait until rsync is up and running.
-  local tries=20
-  while (( tries > 0 )) ; do
-    if rsync "rsync://k8s@${1}:${2}/" \
-         --password-file="${LOCAL_OUTPUT_BUILD_CONTEXT}/rsyncd.password" \
-         &> /dev/null ; then
-      return 0
-    fi
-    tries=$(( tries - 1))
-    sleep 0.1
-  done
-
-  return 1
-}
-
-# Start up the rsync container in the background. This should be explicitly
-# stopped with kube::build::stop_rsyncd_container.
-#
-# This will set the global var KUBE_RSYNC_ADDR to the effective port that the
-# rsync daemon can be reached out.
-function kube::build::start_rsyncd_container() {
-  IPTOOL=ifconfig
-  if kube::build::has_ip ; then
-    IPTOOL="ip address"
-  fi
-  kube::build::stop_rsyncd_container
-  V=3 kube::log::status "Starting rsyncd container"
-  kube::build::run_build_command_ex \
-    "${KUBE_RSYNC_CONTAINER_NAME}" -p 127.0.0.1:"${KUBE_RSYNC_PORT}":"${KUBE_CONTAINER_RSYNC_PORT}" -d \
-    -e ALLOW_HOST="$(${IPTOOL} | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | tr '\n' ' ')" \
-    -- /rsyncd.sh >/dev/null
-
-  local mapped_port
-  if ! mapped_port=$("${DOCKER[@]}" port "${KUBE_RSYNC_CONTAINER_NAME}" "${KUBE_CONTAINER_RSYNC_PORT}" 2> /dev/null | cut -d: -f 2) ; then
-    kube::log::error "Could not get effective rsync port"
-    return 1
-  fi
-
-  local container_ip
-  container_ip=$("${DOCKER[@]}" inspect --format '{{ .NetworkSettings.IPAddress }}' "${KUBE_RSYNC_CONTAINER_NAME}")
-
-  # Sometimes we can reach rsync through localhost and a NAT'd port.  Other
-  # times (when we are running in another docker container on the Jenkins
-  # machines) we have to talk directly to the container IP.  There is no one
-  # strategy that works in all cases so we test to figure out which situation we
-  # are in.
-  if kube::build::rsync_probe 127.0.0.1 "${mapped_port}"; then
-    KUBE_RSYNC_ADDR="127.0.0.1:${mapped_port}"
-    return 0
-  elif kube::build::rsync_probe "${container_ip}" "${KUBE_CONTAINER_RSYNC_PORT}"; then
-    KUBE_RSYNC_ADDR="${container_ip}:${KUBE_CONTAINER_RSYNC_PORT}"
-    return 0
-  fi
-
-  kube::log::error "Could not connect to rsync container."
-  return 1
-}
-
-function kube::build::stop_rsyncd_container() {
-  V=3 kube::log::status "Stopping any currently running rsyncd container"
-  unset KUBE_RSYNC_ADDR
-  kube::build::destroy_container "${KUBE_RSYNC_CONTAINER_NAME}"
-}
-
-function kube::build::rsync {
-  local -a rsync_opts=(
-    --archive
-    "--password-file=${LOCAL_OUTPUT_BUILD_CONTEXT}/rsyncd.password"
-  )
-  if (( KUBE_VERBOSE >= 6 )); then
-    rsync_opts+=("-iv")
-  fi
-  if (( KUBE_RSYNC_COMPRESS > 0 )); then
-     rsync_opts+=("--compress-level=${KUBE_RSYNC_COMPRESS}")
-  fi
-  V=3 kube::log::status "Running rsync"
-  rsync "${rsync_opts[@]}" "$@"
-}
-
-# This will launch rsyncd in a container and then sync the source tree to the
-# container over the local network.
-function kube::build::sync_to_container() {
-  kube::log::status "Syncing sources to container"
-
-  kube::build::start_rsyncd_container
-
-  # rsync filters are a bit confusing.  Here we are syncing everything except
-  # output only directories and things that are not necessary like the git
-  # directory and generated files. The '- /' filter prevents rsync
-  # from trying to set the uid/gid/perms on the root of the sync tree.
-  # As an exception, we need to sync generated files in staging/, because
-  # they will not be re-generated by 'make'. Note that the 'H' filtered files
-  # are hidden from rsync so they will be deleted in the target container if
-  # they exist. This will allow them to be re-created in the container if
-  # necessary.
-  kube::build::rsync \
-    --delete \
-    --filter='- /_tmp/' \
-    --filter='- /_output/' \
-    --filter='- /' \
-    "${KUBE_ROOT}/" "rsync://k8s@${KUBE_RSYNC_ADDR}/k8s/"
-
-  kube::build::stop_rsyncd_container
-}
-
-# Copy all build results back out.
-function kube::build::copy_output() {
-  kube::log::status "Syncing out of container"
-
-  kube::build::start_rsyncd_container
-
-  # The filter syntax for rsync is a little obscure. It filters on files and
-  # directories.  If you don't go in to a directory you won't find any files
-  # there.  Rules are evaluated in order.  The last two rules are a little
-  # magic. '+ */' says to go in to every directory and '- /**' says to ignore
-  # any file or directory that isn't already specifically allowed.
-  #
-  # We are looking to copy out all of the built binaries along with various
-  # generated files.
-  kube::build::rsync \
-    --prune-empty-dirs \
-    --filter='- /_temp/' \
-    --filter='+ /vendor/' \
-    --filter='+ /staging/***/Godeps/**' \
-    --filter='+ /_output/dockerized/bin/**' \
-    --filter='- /_output/dockerized/go/**' \
-    --filter='+ zz_generated.*' \
-    --filter='+ generated.proto' \
-    --filter='+ *.pb.go' \
-    --filter='+ types.go' \
-    --filter='+ */' \
-    --filter='- /**' \
-    "rsync://k8s@${KUBE_RSYNC_ADDR}/k8s/" "${KUBE_ROOT}"
-
-  kube::build::stop_rsyncd_container
-}
diff --git a/build/copy-output.sh b/build/copy-output.sh
deleted file mode 100755
index 5829e81f49b26..0000000000000
--- a/build/copy-output.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2014 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Copies any built binaries (and other generated files) out of the Docker build container.
-set -o errexit
-set -o nounset
-set -o pipefail
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
-source "${KUBE_ROOT}/build/common.sh"
-
-kube::build::verify_prereqs
-kube::build::copy_output
diff --git a/build/dependencies.yaml b/build/dependencies.yaml
index 3abc723bea0f9..bb37dcc3fa82e 100644
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -18,7 +18,7 @@ dependencies:
 
   # CNI plugins
   - name: "cni"
-    version: 1.7.1
+    version: 1.8.0
     refPaths:
     - path: cluster/gce/config-common.sh
       match: WINDOWS_CNI_VERSION=
@@ -31,7 +31,7 @@ dependencies:
 
   # CoreDNS
   - name: "coredns-kube-up"
-    version: 1.12.1
+    version: 1.13.1
     refPaths:
     - path: cluster/addons/dns/coredns/coredns.yaml.base
       match: registry.k8s.io/coredns
@@ -41,14 +41,14 @@ dependencies:
       match: registry.k8s.io/coredns
 
   - name: "coredns-kubeadm"
-    version: 1.12.1
+    version: 1.13.1
     refPaths:
     - path: cmd/kubeadm/app/constants/constants.go
       match: CoreDNSVersion =
 
   # CRI Tools
   - name: "crictl"
-    version: 1.33.0
+    version: 1.34.0
     refPaths:
     - path: cluster/gce/windows/k8s-node-setup.psm1
       match: CRICTL_VERSION =
@@ -64,7 +64,7 @@ dependencies:
 
   # etcd
   - name: "etcd"
-    version: 3.6.5
+    version: 3.6.6
     refPaths:
     - path: cluster/gce/manifests/etcd.manifest
       match: etcd_docker_tag|etcd_version
@@ -74,6 +74,10 @@ dependencies:
       match: DefaultEtcdVersion =
     - path: hack/lib/etcd.sh
       match: ETCD_VERSION=
+    - path: staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml
+      match: registry.k8s.io/etcd
+    - path: test/utils/image/manifest.go
+      match: configs\[Etcd\] = Config{list\.GcEtcdRegistry, "etcd", "\d+\.\d+.\d+(-(alpha|beta|rc).\d+)?(-\d+)?"}
 
   - name: "etcd-image"
     version: 3.6.4
@@ -83,7 +87,7 @@ dependencies:
     - path: cluster/images/etcd/migrate/options.go
 
   - name: "node-problem-detector"
-    version: 0.8.21
+    version: 1.34.0
     refPaths:
     - path: test/e2e_node/image_list.go
       match: const defaultImage
@@ -113,31 +117,36 @@ dependencies:
   # Golang
   # TODO: this should really be eliminated and controlled by .go-version
   - name: "golang: upstream version"
-    version: 1.24.9
+    version: 1.25.6
     refPaths:
     - path: .go-version
-    - path: build/build-image/cross/VERSION
     - path: staging/publishing/rules.yaml
       match: 'default-go-version\: \d+.\d+(alpha|beta|rc)?\.?(\d+)?'
 
+  # This should ideally be updated to match the golang version
+  # but we can dynamically fetch go if the base image is out of date.
+  # This allows us to ship go updates more quickly.
+  #
+  # NOTE: To fully patch all binaries, go-runner and the related base images
+  # should also be updated, but go-runner is much harder to exploit and has
+  # far less relevancy to go updates for Kubernetes more generally.
+  - name: "registry.k8s.io/kube-cross: dependents"
+    version: v1.35.0-go1.25.6-bullseye.0
+    refPaths:
+    - path: build/build-image/cross/VERSION
+
   # Golang pre-releases are denoted as `1.y<pre-release stage>`
   # Example: go1.16rc1
   #
   # This entry is a stub of the major version to allow dependency checks to
   # pass when building Kubernetes using a pre-release of Golang.
-
   - name: "golang: 1.<major>"
-    version: 1.24
+    version: 1.25
     refPaths:
     - path: build/build-image/cross/VERSION
     - path: hack/lib/golang.sh
       match: minimum_go_version=go([0-9]+\.[0-9]+)
 
-  - name: "registry.k8s.io/kube-cross: dependents"
-    version: v1.34.0-go1.24.9-bullseye.0
-    refPaths:
-    - path: build/build-image/cross/VERSION
-
   # Base images
   - name: "registry.k8s.io/debian-base: dependents"
     version: bookworm-v1.0.6
@@ -170,7 +179,7 @@ dependencies:
       match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
 
   - name: "registry.k8s.io/distroless-iptables: dependents"
-    version: v0.7.11
+    version: v0.8.7
     refPaths:
     - path: build/common.sh
       match: __default_distroless_iptables_version=
@@ -178,7 +187,7 @@ dependencies:
       match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
 
   - name: "registry.k8s.io/go-runner: dependents"
-    version: v2.4.0-go1.24.9-bookworm.0
+    version: v2.4.0-go1.25.6-bookworm.0
     refPaths:
     - path: build/common.sh
       match: __default_go_runner_version=
@@ -234,6 +243,8 @@ dependencies:
       match: registry.k8s.io\/pause:\d+\.\d+
     - path: test/utils/image/manifest.go
       match: configs\[Pause\] = Config{list\.GcRegistry, "pause", "\d+\.\d+(.\d+)?"}
+    - path: test/images/agnhost/fakeregistryserver/images.txt
+      match: pause\s
 
   - name: "registry.k8s.io/build-image/setcap: dependents"
     version: bookworm-v1.0.6
diff --git a/build/lib/release.sh b/build/lib/release.sh
index 1bf19257d5350..4a086bdb39d94 100644
--- a/build/lib/release.sh
+++ b/build/lib/release.sh
@@ -332,7 +332,7 @@ function kube::release::create_docker_images_for_server() {
           docker_file_path="${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile"
       fi
 
-      kube::log::status "Starting docker build for image: ${binary_name}-${arch}"
+      kube::log::status "Starting docker build for image: ${binary_name}-${arch} with base ${base_image}"
       (
         rm -rf "${docker_build_path}"
         mkdir -p "${docker_build_path}"
diff --git a/build/make-build-image.sh b/build/make-build-image.sh
deleted file mode 100755
index 9c7ba3a603f4b..0000000000000
--- a/build/make-build-image.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2014 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Build the docker image necessary for building Kubernetes
-#
-# This script will package the parts of the repo that we need to build
-# Kubernetes into a tar file and put it in the right place in the output
-# directory.  It will then copy over the Dockerfile and build the kube-build
-# image.
-set -o errexit
-set -o nounset
-set -o pipefail
-
-KUBE_ROOT="$(dirname "${BASH_SOURCE[0]}")/.."
-source "${KUBE_ROOT}/build/common.sh"
-
-kube::build::verify_prereqs
-kube::build::build_image
diff --git a/build/make-clean.sh b/build/make-clean.sh
index b3f567490a6b8..7fc34751bc7a3 100755
--- a/build/make-clean.sh
+++ b/build/make-clean.sh
@@ -22,5 +22,5 @@ set -o pipefail
 KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 source "${KUBE_ROOT}/build/common.sh"
 
-kube::build::verify_prereqs false
+kube::build::setup_vars
 kube::build::clean
diff --git a/build/pause/Dockerfile.Rhel b/build/pause/Dockerfile.Rhel
index f73013e3160ef..6a404b4861813 100644
--- a/build/pause/Dockerfile.Rhel
+++ b/build/pause/Dockerfile.Rhel
@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
 WORKDIR /go/src/github.com/openshift/kubernetes/build/pause
 COPY . .
 RUN mkdir -p bin && \
diff --git a/build/release-images.sh b/build/release-images.sh
index afaecb1864bb5..d275aa616c5cf 100755
--- a/build/release-images.sh
+++ b/build/release-images.sh
@@ -36,9 +36,5 @@ if [[ -n "${KUBE_EXTRA_WHAT:-}" ]]; then
 fi
 
 kube::build::verify_prereqs
-kube::build::build_image
 kube::build::run_build_command make all WHAT="${CMD_TARGETS}" KUBE_BUILD_PLATFORMS="${KUBE_SERVER_PLATFORMS[*]}" DBG="${DBG:-}"
-
-kube::build::copy_output
-
 kube::release::build_server_images
diff --git a/build/release.sh b/build/release.sh
index 20010d29aaa40..c2790e30525eb 100755
--- a/build/release.sh
+++ b/build/release.sh
@@ -32,7 +32,6 @@ source "${KUBE_ROOT}/build/lib/release.sh"
 KUBE_RELEASE_RUN_TESTS=${KUBE_RELEASE_RUN_TESTS-y}
 
 kube::build::verify_prereqs
-kube::build::build_image
 kube::build::run_build_command make cross
 
 if [[ $KUBE_RELEASE_RUN_TESTS =~ ^[yY]$ ]]; then
@@ -40,6 +39,4 @@ if [[ $KUBE_RELEASE_RUN_TESTS =~ ^[yY]$ ]]; then
   kube::build::run_build_command make test-integration
 fi
 
-kube::build::copy_output
-
 kube::release::package_tarballs
diff --git a/build/run.sh b/build/run.sh
index c0eb0b83270b0..e342d6d298f47 100755
--- a/build/run.sh
+++ b/build/run.sh
@@ -25,25 +25,18 @@ set -o pipefail
 KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 source "$KUBE_ROOT/build/common.sh"
 
+# This is no longer supported, warn if set to non-default value
+KUBE_RUN_COPY_OUTPUT="${KUBE_RUN_COPY_OUTPUT:-y}"
+# we previously accepted an explicit both y and Y
+if [[ ! "${KUBE_RUN_COPY_OUTPUT}" =~ ^[yY]$ ]]; then
+   kube::log::error "KUBE_RUN_COPY_OUTPUT no longer means anything as we bind-mount instead of rsyncing, so output is always persisted"
+fi
+
 # Allow running without docker (e.g. in openshift ci)
 if [[ "${OS_RUN_WITHOUT_DOCKER:-}" ]]; then
   "${@}"
   exit 0
 fi
 
-KUBE_RUN_COPY_OUTPUT="${KUBE_RUN_COPY_OUTPUT:-y}"
-
 kube::build::verify_prereqs
-kube::build::build_image
-
-if [[ ${KUBE_RUN_COPY_OUTPUT} =~ ^[yY]$ ]]; then
-  kube::log::status "Output from this container will be rsynced out upon completion. Set KUBE_RUN_COPY_OUTPUT=n to disable."
-else
-  kube::log::status "Output from this container will NOT be rsynced out upon completion. Set KUBE_RUN_COPY_OUTPUT=y to enable."
-fi
-
 kube::build::run_build_command "$@"
-
-if [[ ${KUBE_RUN_COPY_OUTPUT} =~ ^[yY]$ ]]; then
-  kube::build::copy_output
-fi
diff --git a/build/server-image/Dockerfile b/build/server-image/Dockerfile
index 78e01c3647457..09d2cd1e6916e 100644
--- a/build/server-image/Dockerfile
+++ b/build/server-image/Dockerfile
@@ -19,4 +19,4 @@ ARG BINARY
 
 
 FROM "${BASEIMAGE}"
-COPY ${BINARY} /usr/local/bin/${BINARY}
+COPY --chmod=755 ${BINARY} /usr/local/bin/${BINARY}
diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile
index d5ac37d14f1bd..27129d29bd9d6 100644
--- a/build/server-image/kube-apiserver/Dockerfile
+++ b/build/server-image/kube-apiserver/Dockerfile
@@ -20,7 +20,7 @@ ARG SETCAP_IMAGE
 # to setup qemu for the builder.
 FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE}
 ARG BINARY
-COPY ${BINARY} /${BINARY}
+COPY --chmod=755 ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}
diff --git a/build/server-image/kubectl/Dockerfile b/build/server-image/kubectl/Dockerfile
index 0c93ca6a4e11b..df6073c5456f5 100644
--- a/build/server-image/kubectl/Dockerfile
+++ b/build/server-image/kubectl/Dockerfile
@@ -19,5 +19,5 @@ ARG BINARY
 
 
 FROM "${BASEIMAGE}"
-COPY ${BINARY} /bin/
+COPY --chmod=755 ${BINARY} /bin/
 ENTRYPOINT ["/bin/kubectl"]
diff --git a/build/tools.go b/build/tools.go
index 60e1880c8031f..ad60ce3a675e0 100644
--- a/build/tools.go
+++ b/build/tools.go
@@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// This package imports things required by build scripts and test packages of submodules, to force `go mod` to see them as dependencies
+// This package imports things required by build scripts, to force `go mod` to see them as dependencies
 package tools
 
 import (
@@ -28,7 +28,4 @@ import (
 	_ "k8s.io/code-generator/cmd/go-to-protobuf"
 	_ "k8s.io/code-generator/cmd/go-to-protobuf/protoc-gen-gogo"
 	_ "k8s.io/kube-openapi/cmd/openapi-gen"
-
-	// submodule test dependencies
-	_ "github.com/armon/go-socks5" // for staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper_test.go
 )
diff --git a/cluster/addons/dns/coredns/coredns.yaml.base b/cluster/addons/dns/coredns/coredns.yaml.base
index df61a856d7eb3..9cce5c34537c0 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@@ -133,7 +133,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: coredns
-        image: registry.k8s.io/coredns/coredns:v1.12.1
+        image: registry.k8s.io/coredns/coredns:v1.13.1
         imagePullPolicy: IfNotPresent
         resources:
           limits:
diff --git a/cluster/addons/dns/coredns/coredns.yaml.in b/cluster/addons/dns/coredns/coredns.yaml.in
index 525737b81a3a6..ee07de6c328ba 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@@ -133,7 +133,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: coredns
-        image: registry.k8s.io/coredns/coredns:v1.12.1
+        image: registry.k8s.io/coredns/coredns:v1.13.1
         imagePullPolicy: IfNotPresent
         resources:
           limits:
diff --git a/cluster/addons/dns/coredns/coredns.yaml.sed b/cluster/addons/dns/coredns/coredns.yaml.sed
index 6504762d8e104..5df370800c978 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@@ -133,7 +133,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: coredns
-        image: registry.k8s.io/coredns/coredns:v1.12.1
+        image: registry.k8s.io/coredns/coredns:v1.13.1
         imagePullPolicy: IfNotPresent
         resources:
           limits:
diff --git a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
index 341966825e631..60302036ec046 100644
--- a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
+++ b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
@@ -29,7 +29,7 @@ spec:
       hostNetwork: true
       containers:
       - name: ip-masq-agent
-        image: registry.k8s.io/networking/ip-masq-agent:v2.9.3
+        image: registry.k8s.io/networking/ip-masq-agent:v2.12.0
         args:
           - --masq-chain=IP-MASQ
           - --nomasq-all-reserved-ranges
diff --git a/cluster/addons/kube-network-policies/kube-network-policies.yaml b/cluster/addons/kube-network-policies/kube-network-policies.yaml
index 0dd1abd284903..de416a73dec11 100644
--- a/cluster/addons/kube-network-policies/kube-network-policies.yaml
+++ b/cluster/addons/kube-network-policies/kube-network-policies.yaml
@@ -27,7 +27,7 @@ spec:
       serviceAccountName: kube-network-policies
       containers:
       - name: kube-network-policies
-        image: registry.k8s.io/networking/kube-network-policies:v0.7.0
+        image: registry.k8s.io/networking/kube-network-policies:v0.9.2
         command:
         - /bin/netpol
         - --v=4
diff --git a/cluster/addons/metrics-server/metrics-server-deployment.yaml b/cluster/addons/metrics-server/metrics-server-deployment.yaml
index 89169d0f41763..b979e9f21e831 100644
--- a/cluster/addons/metrics-server/metrics-server-deployment.yaml
+++ b/cluster/addons/metrics-server/metrics-server-deployment.yaml
@@ -23,23 +23,23 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: metrics-server-v0.7.2
+  name: metrics-server-v0.8.0
   namespace: kube-system
   labels:
     k8s-app: metrics-server
     addonmanager.kubernetes.io/mode: Reconcile
-    version: v0.7.2
+    version: v0.8.0
 spec:
   selector:
     matchLabels:
       k8s-app: metrics-server
-      version: v0.7.2
+      version: v0.8.0
   template:
     metadata:
       name: metrics-server
       labels:
         k8s-app: metrics-server
-        version: v0.7.2
+        version: v0.8.0
     spec:
       securityContext:
         seccompProfile:
@@ -50,7 +50,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: metrics-server
-        image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
+        image: registry.k8s.io/metrics-server/metrics-server:v0.8.0
         command:
         - /metrics-server
         - --metric-resolution=15s
@@ -81,7 +81,7 @@ spec:
         - mountPath: /tmp
           name: tmp-dir
       - name: metrics-server-nanny
-        image: registry.k8s.io/autoscaling/addon-resizer:1.8.14
+        image: registry.k8s.io/autoscaling/addon-resizer:1.8.20
         resources:
           limits:
             cpu: 100m
@@ -109,7 +109,7 @@ spec:
           - --memory={{ base_metrics_server_memory }}
           - --extra-memory={{ metrics_server_memory_per_node }}Mi
           - --threshold=5
-          - --deployment=metrics-server-v0.7.2
+          - --deployment=metrics-server-v0.8.0
           - --container=metrics-server
           - --poll-period=30000
           - --estimator=exponential
diff --git a/cluster/addons/node-problem-detector/npd.yaml b/cluster/addons/node-problem-detector/npd.yaml
index 20af9a1aa49d5..838106be1bf1f 100644
--- a/cluster/addons/node-problem-detector/npd.yaml
+++ b/cluster/addons/node-problem-detector/npd.yaml
@@ -30,24 +30,24 @@ metadata:
   namespace: kube-system
   labels:
     app.kubernetes.io/name: node-problem-detector
-    app.kubernetes.io/version: v0.8.21
+    app.kubernetes.io/version: v1.34.0
     addonmanager.kubernetes.io/mode: Reconcile
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: node-problem-detector
-      app.kubernetes.io/version: v0.8.21
+      app.kubernetes.io/version: v1.34.0
   template:
     metadata:
       labels:
         app.kubernetes.io/name: node-problem-detector
-        app.kubernetes.io/version: v0.8.21
+        app.kubernetes.io/version: v1.34.0
     spec:
       nodeSelectors:
         kubernetes.io/os: linux
       containers:
       - name: node-problem-detector
-        image: registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.21
+        image: registry.k8s.io/node-problem-detector/node-problem-detector:v1.34.0
         command:
         - "/bin/sh"
         - "-c"
diff --git a/cluster/gce/config-common.sh b/cluster/gce/config-common.sh
index 101848f3ffbfd..e50985fc54bcd 100644
--- a/cluster/gce/config-common.sh
+++ b/cluster/gce/config-common.sh
@@ -136,7 +136,7 @@ export WINDOWS_CNI_CONFIG_DIR="${WINDOWS_K8S_DIR}\cni\config"
 # CNI storage path for Windows nodes
 export WINDOWS_CNI_STORAGE_PATH="https://github.com/containernetworking/plugins/releases/download"
 # CNI version for Windows nodes
-export WINDOWS_CNI_VERSION="v1.7.1"
+export WINDOWS_CNI_VERSION="v1.8.0"
 # Pod manifests directory for Windows nodes on Windows nodes.
 export WINDOWS_MANIFESTS_DIR="${WINDOWS_K8S_DIR}\manifests"
 # Directory where cert/key files will be stores on Windows nodes.
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 2e26d07786c0c..a104d3c1f8083 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -88,13 +88,14 @@ fi
 # By default, the latest image from the image family will be used unless an
 # explicit image will be set.
 GCI_VERSION=${KUBE_GCI_VERSION:-}
-IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-121-lts}
+IMAGE_FAMILY=${KUBE_GCE_IMAGE_FAMILY:-cos-121-lts}
+IMAGE_PROJECT=${KUBE_GCE_IMAGE_PROJECT:-cos-cloud}
 export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-}
 export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}}
-export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud}
+export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-${IMAGE_PROJECT}}
 export NODE_IMAGE=${KUBE_GCE_NODE_IMAGE:-${GCI_VERSION}}
 export NODE_IMAGE_FAMILY=${KUBE_GCE_NODE_IMAGE_FAMILY:-${IMAGE_FAMILY}}
-export NODE_IMAGE_PROJECT=${KUBE_GCE_NODE_PROJECT:-cos-cloud}
+export NODE_IMAGE_PROJECT=${KUBE_GCE_NODE_PROJECT:-${IMAGE_PROJECT}}
 export NODE_SERVICE_ACCOUNT=${KUBE_GCE_NODE_SERVICE_ACCOUNT:-default}
 
 # KUBELET_TEST_ARGS are extra arguments passed to kubelet.
@@ -109,8 +110,8 @@ export LOAD_IMAGE_COMMAND=${KUBE_LOAD_IMAGE_COMMAND:-ctr -n=k8s.io images import
 # if KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION or KUBE_UBUNTU_INSTALL_RUNC_VERSION
 # is set to empty then we do not override the version(s) and just
 # use whatever is in the default installation of containerd package
-export UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-}
-export UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-}
+export UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-v2.1.4}
+export UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-v1.3.2}
 
 # Ability to inject custom versions (COS images ONLY)
 # if KUBE_COS_INSTALL_CONTAINERD_VERSION or KUBE_COS_INSTALL_RUNC_VERSION
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 983898458478b..36bb207d6a47a 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -101,13 +101,14 @@ ALLOWED_NOTREADY_NODES=${ALLOWED_NOTREADY_NODES:-$(($(get-num-nodes) / 100))}
 # By default, the latest image from the image family will be used unless an
 # explicit image will be set.
 GCI_VERSION=${KUBE_GCI_VERSION:-}
-IMAGE_FAMILY=${KUBE_IMAGE_FAMILY:-cos-121-lts}
+IMAGE_FAMILY=${KUBE_GCE_IMAGE_FAMILY:-cos-121-lts}
+IMAGE_PROJECT=${KUBE_GCE_IMAGE_PROJECT:-cos-cloud}
 export MASTER_IMAGE=${KUBE_GCE_MASTER_IMAGE:-}
 export MASTER_IMAGE_FAMILY=${KUBE_GCE_MASTER_IMAGE_FAMILY:-${IMAGE_FAMILY}}
-export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-cos-cloud}
+export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-${IMAGE_PROJECT}}
 export NODE_IMAGE=${KUBE_GCE_NODE_IMAGE:-${GCI_VERSION}}
 export NODE_IMAGE_FAMILY=${KUBE_GCE_NODE_IMAGE_FAMILY:-${IMAGE_FAMILY}}
-export NODE_IMAGE_PROJECT=${KUBE_GCE_NODE_PROJECT:-cos-cloud}
+export NODE_IMAGE_PROJECT=${KUBE_GCE_NODE_PROJECT:-${IMAGE_PROJECT}}
 export NODE_SERVICE_ACCOUNT=${KUBE_GCE_NODE_SERVICE_ACCOUNT:-default}
 
 export CONTAINER_RUNTIME_ENDPOINT=${KUBE_CONTAINER_RUNTIME_ENDPOINT:-unix:///run/containerd/containerd.sock}
@@ -122,8 +123,8 @@ export GCI_DOCKER_VERSION=${KUBE_GCI_DOCKER_VERSION:-}
 # if KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION or KUBE_UBUNTU_INSTALL_RUNC_VERSION
 # is set to empty then we do not override the version(s) and just
 # use whatever is in the default installation of containerd package
-export UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-}
-export UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-}
+export UBUNTU_INSTALL_CONTAINERD_VERSION=${KUBE_UBUNTU_INSTALL_CONTAINERD_VERSION:-v2.1.4}
+export UBUNTU_INSTALL_RUNC_VERSION=${KUBE_UBUNTU_INSTALL_RUNC_VERSION:-v1.3.2}
 
 # Ability to inject custom versions (COS images ONLY)
 # if KUBE_COS_INSTALL_CONTAINERD_VERSION or KUBE_COS_INSTALL_RUNC_VERSION
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index c57e8d253b785..67df1482d9f2b 100755
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1984,6 +1984,7 @@ def resolve(host):
     container_security_context="\"securityContext\": {\"runAsUser\": ${ETCD_RUNASUSER}, \"runAsGroup\": ${ETCD_RUNASGROUP}, \"allowPrivilegeEscalation\": false, \"capabilities\": {\"drop\": [\"all\"]}},"
   fi
   sed -i -e "s@{{security_context}}@${container_security_context}@g" "${temp_file}"
+
   mv "${temp_file}" /etc/kubernetes/manifests
 }
 
diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh
index ab7082096148c..f6d6c1e8e8226 100644
--- a/cluster/gce/gci/configure.sh
+++ b/cluster/gce/gci/configure.sh
@@ -24,15 +24,15 @@ set -o nounset
 set -o pipefail
 
 ### Hardcoded constants
-DEFAULT_CNI_VERSION='v1.7.1'
+DEFAULT_CNI_VERSION='v1.8.0'
 # CNI HASH for amd64 sha512
-DEFAULT_CNI_HASH='22c1da53be05ecb8a1672c0a91b38f87d5218babeff0cd0f86e50fc127bf27970d977e748c7c8de765482ed353294b20a75392fb21885d6cae3da724b15c84d3'
-DEFAULT_NPD_VERSION='v0.8.21'
-DEFAULT_NPD_HASH_AMD64='2805ee1da97e06a4b209c198f21763e8687c499687f1b712e4e8e767a75aee4385c9d7fc54f0b190610ea693293a09eded6661ecf15af7af3e787475540fae71'
-DEFAULT_NPD_HASH_ARM64='e2291bbb06d4e831267c2b2a316a668bdff36a502e89826a355cd7f3beeba804e62a2b59a8ec666f4e83042032a379aba9592bcbddf0d57c5a81b3bc1913517c'
-DEFAULT_CRICTL_VERSION='v1.33.0'
-DEFAULT_CRICTL_AMD64_SHA512='9efd084f249bd59d9196e41c6c3c272b07ecac7dadad1b811f07d65ef46047c2886a4c345e84c9bc3252c8ab3bfd5c1429a30c0b61b97b8a7e5b8afb5efb20ec'
-DEFAULT_CRICTL_ARM64_SHA512='8e712080441d9ca3aa99070e55fc768d2050b6f343297286ecc1046281aa9c15191cf2ce5946728048871736fb6ae928f58c10fb1282689264d733fa0029f332'
+DEFAULT_CNI_HASH='a2696f937b3433eee4a0de44a0994190166b108f2b29adf9f7005fa4fbfff56e78cbe8a2fe2607d99d4bcc0d4a8183e0c27fa748c2f8fb08ae40b62f198fd45b'
+DEFAULT_NPD_VERSION='v1.34.0'
+DEFAULT_NPD_HASH_AMD64='3c55ff6ffadd77dbc3df3774d13164587103ca87c8b6914f5c71c87d8f498b78621e0c96538bb3c69f8f1b4194a6da553aa56b1b52001a7d9a67776ac24e80bd'
+DEFAULT_NPD_HASH_ARM64='ca1d34e64b80f6b2bdf86cfde95154122d6e14c707a748ea6fc414a55f391b1bb572a96b6b2c285996af0232917fa87e14e037125aa03a62247383af3e48c095'
+DEFAULT_CRICTL_VERSION='v1.34.0'
+DEFAULT_CRICTL_AMD64_SHA512='6b5669fe6c0dbcb8d0e0910529a4559e22154ef7f524fa15f3e13dfced6bea2c90a531d99786ac8b24fb4cc9ead1ef294387b52a230ba6fdf83278ab9dbd6133'
+DEFAULT_CRICTL_ARM64_SHA512='b2daa7f6b559cd32da6d3bcb82b356561c0bc2ffcf7dc5084547fbae6cb8570a96cf01c9bfaa6d868cf92d1c1fbbced2a32bf7e0328f62c420c180a86314278d'
 DEFAULT_MOUNTER_TAR_SHA='7956fd42523de6b3107ddc3ce0e75233d2fcb78436ff07a1389b6eaac91fb2b1b72a08f7a219eaf96ba1ca4da8d45271002e0d60e0644e796c665f99bb356516'
 AUTH_PROVIDER_GCP_HASH_LINUX_AMD64="${AUTH_PROVIDER_GCP_HASH_LINUX_AMD64:-156058e5b3994cba91c23831774033e0d505d6d8b80f43541ef6af91b320fd9dfaabe42ec8a8887b51d87104c2b57e1eb895649d681575ffc80dd9aee8e563db}"
 AUTH_PROVIDER_GCP_HASH_LINUX_ARM64="${AUTH_PROVIDER_GCP_HASH_LINUX_ARM64:-1aa3b0bea10a9755231989ffc150cbfa770f1d96932db7535473f7bfeb1108bafdae80202ae738d59495982512e716ff7366d5f414d0e76dd50519f98611f9ab}"
@@ -225,6 +225,36 @@ function download-or-bust {
   done
 }
 
+# Robust download with retry and exponential backoff
+function download-robust {
+  local description="$1" dest_dir="$2" url="$3"
+  
+  local max_attempts=5 attempt=1 delay=5
+  local file="${url##*/}"
+  local temp_file="${dest_dir}/.${file}.tmp"
+  
+  while [[ ${attempt} -le ${max_attempts} ]]; do
+    rm -f "${temp_file}"
+    
+    if curl --fail --location --silent --show-error --connect-timeout 20 --max-time 900 \
+       --retry 3 --retry-delay 2 -o "${temp_file}" "${url}"; then
+      mv "${temp_file}" "${dest_dir}/${file}"
+      echo "== Downloaded ${description} from ${url}"
+      return 0
+    fi
+    rm -f "${temp_file}"
+    
+    if [[ ${attempt} -lt ${max_attempts} ]]; then
+      sleep "${delay}"
+      delay=$((delay * 2))
+    fi
+    ((attempt++))
+  done
+  
+  echo "ERROR: Failed to download ${description} after ${max_attempts} attempts from ${url}"
+  return 1
+}
+
 function is-preloaded {
   local -r key=$1
   local -r value=$2
@@ -254,7 +284,7 @@ function install-gci-mounter-tools {
   mkdir -p "${CONTAINERIZED_MOUNTER_HOME}"
   chmod a+x "${CONTAINERIZED_MOUNTER_HOME}"
   mkdir -p "${CONTAINERIZED_MOUNTER_HOME}/rootfs"
-  download-or-bust "${mounter_tar_sha}" "https://storage.googleapis.com/kubernetes-release/gci-mounter/mounter.tar"
+  download-or-bust "${mounter_tar_sha}" "https://dl.k8s.io/gci-mounter/mounter.tar"
   cp "${KUBE_HOME}/kubernetes/server/bin/mounter" "${CONTAINERIZED_MOUNTER_HOME}/mounter"
   chmod a+x "${CONTAINERIZED_MOUNTER_HOME}/mounter"
   mv "${KUBE_HOME}/mounter.tar" /tmp/mounter.tar
@@ -498,6 +528,7 @@ function install-containerd-ubuntu {
     socat \
     curl \
     gnupg2 \
+    nfs-common \
     software-properties-common \
     lsb-release
 
@@ -521,22 +552,26 @@ function install-containerd-ubuntu {
   # Override to latest versions of containerd and runc
   systemctl stop containerd
   if [[ -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" ]]; then
-    # containerd versions have slightly different url(s), so try both
-    # shellcheck disable=SC2086
-    ( curl ${CURL_FLAGS} \
-        --location \
-        "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" \
-      || curl ${CURL_FLAGS} \
-        --location \
-        "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}.${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" ) \
-    | tar --overwrite -xzv -C /usr/
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    
+    # Download containerd
+    if download-robust "containerd ${UBUNTU_INSTALL_CONTAINERD_VERSION}" "${temp_dir}" \
+       "https://github.com/containerd/containerd/releases/download/${UBUNTU_INSTALL_CONTAINERD_VERSION}/containerd-${UBUNTU_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz"; then
+      tar --overwrite -xzv -C /usr/ -f "${temp_dir}"/containerd-*.tar.gz
+    fi
+    rm -rf "${temp_dir}"
   fi
   if [[ -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
-    # shellcheck disable=SC2086
-    curl ${CURL_FLAGS} \
-      --location \
-      "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}" --output /usr/sbin/runc \
-    && chmod 755 /usr/sbin/runc
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    
+    # Download and install runc
+    if download-robust "runc ${UBUNTU_INSTALL_RUNC_VERSION}" "${temp_dir}" \
+       "https://github.com/opencontainers/runc/releases/download/${UBUNTU_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}"; then
+      cp "${temp_dir}/runc.${HOST_ARCH}" /usr/sbin/runc && chmod 755 /usr/sbin/runc
+    fi
+    rm -rf "${temp_dir}"
   fi
   sudo systemctl start containerd
 }
@@ -555,27 +590,30 @@ function install-containerd-cos {
   mount --bind /home/containerd /home/containerd
   mount -o remount,exec /home/containerd
   if [[ -n "${COS_INSTALL_CONTAINERD_VERSION:-}" ]]; then
-    # containerd versions have slightly different url(s), so try both
-    # shellcheck disable=SC2086
-    ( curl ${CURL_FLAGS} \
-        --location \
-        "https://github.com/containerd/containerd/releases/download/${COS_INSTALL_CONTAINERD_VERSION}/containerd-${COS_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" \
-      || curl ${CURL_FLAGS} \
-        --location \
-        "https://github.com/containerd/containerd/releases/download/${COS_INSTALL_CONTAINERD_VERSION}/containerd-${COS_INSTALL_CONTAINERD_VERSION:1}.${HOST_PLATFORM}-${HOST_ARCH}.tar.gz" ) \
-    | tar --overwrite -xzv -C /home/containerd/
-    cp /usr/lib/systemd/system/containerd.service /etc/systemd/system/containerd.service
-    # fix the path of the new containerd binary
-    sed -i 's|ExecStart=.*|ExecStart=/home/containerd/bin/containerd|' /etc/systemd/system/containerd.service
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    
+    # Download containerd
+    if download-robust "containerd ${COS_INSTALL_CONTAINERD_VERSION}" "${temp_dir}" \
+       "https://github.com/containerd/containerd/releases/download/${COS_INSTALL_CONTAINERD_VERSION}/containerd-${COS_INSTALL_CONTAINERD_VERSION:1}-${HOST_PLATFORM}-${HOST_ARCH}.tar.gz"; then
+      tar --overwrite -xzv -C /home/containerd/ -f "${temp_dir}"/containerd-*.tar.gz
+      cp /usr/lib/systemd/system/containerd.service /etc/systemd/system/containerd.service
+      sed -i 's|ExecStart=.*|ExecStart=/home/containerd/bin/containerd|' /etc/systemd/system/containerd.service
+    fi
+    rm -rf "${temp_dir}"
   fi
   if [[ -n "${COS_INSTALL_RUNC_VERSION:-}" ]]; then
-    # shellcheck disable=SC2086
-    curl ${CURL_FLAGS} \
-      --location \
-      "https://github.com/opencontainers/runc/releases/download/${COS_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}" --output /home/containerd/bin/runc \
-    && chmod 755 /home/containerd/bin/runc
-    # ensure runc gets picked up from the correct location
-    sed -i "/\[Service\]/a Environment=PATH=/home/containerd/bin:$PATH" /etc/systemd/system/containerd.service
+    local temp_dir
+    temp_dir=$(mktemp -d)
+    mkdir -p /home/containerd/bin
+    
+    # Download and install runc
+    if download-robust "runc ${COS_INSTALL_RUNC_VERSION}" "${temp_dir}" \
+       "https://github.com/opencontainers/runc/releases/download/${COS_INSTALL_RUNC_VERSION}/runc.${HOST_ARCH}"; then
+      cp "${temp_dir}/runc.${HOST_ARCH}" /home/containerd/bin/runc && chmod 755 /home/containerd/bin/runc
+      sed -i "/\[Service\]/a Environment=PATH=/home/containerd/bin:$PATH" /etc/systemd/system/containerd.service
+    fi
+    rm -rf "${temp_dir}"
   fi
   systemctl daemon-reload
   sudo systemctl start containerd
@@ -623,7 +661,7 @@ EOF
 
 function ensure-containerd-runtime {
   # Install containerd/runc if requested
-  if [[ -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" || -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ]]; then
+  if [[ ( -n "${UBUNTU_INSTALL_CONTAINERD_VERSION:-}" || -n "${UBUNTU_INSTALL_RUNC_VERSION:-}" ) && "$(lsb_release -si)" == "Ubuntu" ]]; then
     log-wrap "InstallContainerdUbuntu" install-containerd-ubuntu
   fi
   if [[ -n "${COS_INSTALL_CONTAINERD_VERSION:-}" || -n "${COS_INSTALL_RUNC_VERSION:-}" ]]; then
diff --git a/cluster/gce/manifests/etcd.manifest b/cluster/gce/manifests/etcd.manifest
index 02f6daf45b1ef..b73ee24a91fd4 100644
--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
@@ -18,7 +18,7 @@
     {
     "name": "etcd-container",
     {{security_context}}
-    "image": "{{ pillar.get('etcd_docker_repository', 'registry.k8s.io/etcd') }}:{{ pillar.get('etcd_docker_tag', '3.6.5-0') }}",
+    "image": "{{ pillar.get('etcd_docker_repository', 'registry.k8s.io/etcd') }}:{{ pillar.get('etcd_docker_tag', '3.6.6-0') }}",
     "resources": {
       "requests": {
         "cpu": {{ cpulimit }}
@@ -43,7 +43,7 @@
         "value": "{{ pillar.get('storage_backend', 'etcd3') }}"
       },
       { "name": "TARGET_VERSION",
-        "value": "{{ pillar.get('etcd_version', '3.6.5') }}"
+        "value": "{{ pillar.get('etcd_version', '3.6.6') }}"
       },
       {
         "name": "DO_NOT_MOVE_BINARIES",
diff --git a/cluster/gce/manifests/kube-addon-manager.yaml b/cluster/gce/manifests/kube-addon-manager.yaml
index bc943e80917d0..ed17b59282534 100644
--- a/cluster/gce/manifests/kube-addon-manager.yaml
+++ b/cluster/gce/manifests/kube-addon-manager.yaml
@@ -23,7 +23,7 @@ spec:
         - all
     # When updating version also bump it in:
     # - test/kubemark/resources/manifests/kube-addon-manager.yaml
-    image: registry.k8s.io/addon-manager/kube-addon-manager:v9.1.7
+    image: registry.k8s.io/addon-manager/kube-addon-manager:v9.1.8
     command:
     - /bin/bash
     - -c
diff --git a/cluster/gce/upgrade-aliases.sh b/cluster/gce/upgrade-aliases.sh
index fb88cd80cf652..b8f2f4648c7d3 100755
--- a/cluster/gce/upgrade-aliases.sh
+++ b/cluster/gce/upgrade-aliases.sh
@@ -170,8 +170,8 @@ export KUBE_GCE_ENABLE_IP_ALIASES=true
 export SECONDARY_RANGE_NAME="pods-default"
 export STORAGE_BACKEND="etcd3"
 export STORAGE_MEDIA_TYPE="application/vnd.kubernetes.protobuf"
-export ETCD_IMAGE=3.6.5-0
-export ETCD_VERSION=3.6.5
+export ETCD_IMAGE=3.6.6-0
+export ETCD_VERSION=3.6.6
 
 # Upgrade master with updated kube envs
 "${KUBE_ROOT}/cluster/gce/upgrade.sh" -M -l
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 98f2002aac141..cbc361b0c7fcd 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -54,54 +54,36 @@ if [[ ${NODE_LOCAL_SSDS:-} -ge 1 ]] && [[ -n ${NODE_LOCAL_SSDS_EXT:-} ]] ; then
   exit 2
 fi
 
-if [[ "${MASTER_OS_DISTRIBUTION}" == "gci" ]]; then
-    DEFAULT_GCI_PROJECT=google-containers
-    if [[ "${GCI_VERSION}" == "cos"* ]] || [[ "${MASTER_IMAGE_FAMILY}" == "cos"* ]]; then
-        DEFAULT_GCI_PROJECT=cos-cloud
-    fi
-    export MASTER_IMAGE_PROJECT=${KUBE_GCE_MASTER_PROJECT:-${DEFAULT_GCI_PROJECT}}
+# If the master image is not set, we use the latest image based on image
+# family.
+kube_master_image="${KUBE_GCE_MASTER_IMAGE:-}"
+if [[ -z "${kube_master_image}" ]]; then
+  # remove architecture:X86_64 once we move on from ubuntu jammy as that image family has both X86_64 and ARM images
+  kube_master_image=$(gcloud compute images list --project="${MASTER_IMAGE_PROJECT}" --no-standard-images --filter="family:${MASTER_IMAGE_FAMILY} architecture:X86_64" --format 'value(name)')
+fi
 
-    # If the master image is not set, we use the latest image based on image
-    # family.
-    kube_master_image="${KUBE_GCE_MASTER_IMAGE:-${GCI_VERSION}}"
-    if [[ -z "${kube_master_image}" ]]; then
-      kube_master_image=$(gcloud compute images list --project="${MASTER_IMAGE_PROJECT}" --no-standard-images --filter="family:${MASTER_IMAGE_FAMILY}" --format 'value(name)')
-    fi
+echo "Using image: ${kube_master_image} from project: ${MASTER_IMAGE_PROJECT} as master image" >&2
+export MASTER_IMAGE="${kube_master_image}"
 
-    echo "Using image: ${kube_master_image} from project: ${MASTER_IMAGE_PROJECT} as master image" >&2
-    export MASTER_IMAGE="${kube_master_image}"
-fi
 
 # Sets node image based on the specified os distro. Currently this function only
 # supports gci and debian.
 #
-# Requires:
-#   NODE_OS_DISTRIBUTION
 # Sets:
-#   DEFAULT_GCI_PROJECT
 #   NODE_IMAGE
-#   NODE_IMAGE_PROJECT
 function set-linux-node-image() {
-  if [[ "${NODE_OS_DISTRIBUTION}" == "gci" ]]; then
-    DEFAULT_GCI_PROJECT=google-containers
-    if [[ "${GCI_VERSION}" == "cos"* ]] || [[ "${NODE_IMAGE_FAMILY}" == "cos"* ]]; then
-      DEFAULT_GCI_PROJECT=cos-cloud
-    fi
-
-    # If the node image is not set, we use the latest image based on image
-    # family.
-    # Otherwise, we respect whatever is set by the user.
-    NODE_IMAGE_PROJECT=${KUBE_GCE_NODE_PROJECT:-${DEFAULT_GCI_PROJECT}}
-    local kube_node_image
 
-    kube_node_image="${KUBE_GCE_NODE_IMAGE:-${GCI_VERSION}}"
-    if [[ -z "${kube_node_image}" ]]; then
-      kube_node_image=$(gcloud compute images list --project="${NODE_IMAGE_PROJECT}" --no-standard-images --filter="family:${NODE_IMAGE_FAMILY}" --format 'value(name)')
-    fi
+  # If the node image is not set, we use the latest image based on image
+  # family.
 
-    echo "Using image: ${kube_node_image} from project: ${NODE_IMAGE_PROJECT} as node image" >&2
-    export NODE_IMAGE="${kube_node_image}"
+  kube_node_image="${KUBE_GCE_NODE_IMAGE:-}"
+  if [[ -z "${kube_node_image}" ]]; then
+    # remove architecture:X86_64 once we move on from ubuntu jammy as that image family has both X86_64 and ARM images
+    kube_node_image=$(gcloud compute images list --project="${NODE_IMAGE_PROJECT}" --no-standard-images --filter="family:${NODE_IMAGE_FAMILY} architecture:X86_64" --format 'value(name)')
   fi
+
+  echo "Using image: ${kube_node_image} from project: ${NODE_IMAGE_PROJECT} as node image" >&2
+  export NODE_IMAGE="${kube_node_image}"
 }
 
 # Requires:
diff --git a/cluster/gce/windows/k8s-node-setup.psm1 b/cluster/gce/windows/k8s-node-setup.psm1
index 402c75d1cb698..af23449eaadf3 100644
--- a/cluster/gce/windows/k8s-node-setup.psm1
+++ b/cluster/gce/windows/k8s-node-setup.psm1
@@ -57,8 +57,8 @@ $GCE_METADATA_SERVER = "169.254.169.254"
 # exist until an initial HNS network has been created on the Windows node - see
 # Add_InitialHnsNetwork().
 $MGMT_ADAPTER_NAME = "vEthernet (Ethernet*"
-$CRICTL_VERSION = 'v1.33.0'
-$CRICTL_SHA512 = '81c91c76bb9059837e62b33b7df9f1503013a30525fceb248ca379b57c7ad8ba043dbb0432870224ebc42853c740caa422ddd62989b4a58829b66505f8e11969'
+$CRICTL_VERSION = 'v1.34.0'
+$CRICTL_SHA512 = 'b062756922dc5c5f41c5b13922dfea379cb9f4ce2431d1676c7dbace4f45c28a99ee71fd6cdd6c6f3d7679d33ac0ff052208207fc3f341b4ad047512dad756cb'
 
 Import-Module -Force C:\common.psm1
 
@@ -1013,7 +1013,6 @@ function Start-WorkerServices {
   # otherwise kubelet and kube-proxy will not be able to run properly.
   $instance_name = "$(Get-InstanceMetadata 'name' | Out-String)"
   $default_kubelet_args = @(`
-      "--pod-infra-container-image=${env:INFRA_CONTAINER}",
       "--hostname-override=${instance_name}"
   )
 
diff --git a/cluster/images/etcd-version-monitor/etcd-version-monitor.go b/cluster/images/etcd-version-monitor/etcd-version-monitor.go
index 5dea78eef371b..55ad6fcc17c3b 100644
--- a/cluster/images/etcd-version-monitor/etcd-version-monitor.go
+++ b/cluster/images/etcd-version-monitor/etcd-version-monitor.go
@@ -25,9 +25,9 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/gogo/protobuf/proto"
 	dto "github.com/prometheus/client_model/go"
 	"github.com/spf13/pflag"
+	"google.golang.org/protobuf/proto"
 
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/testutil"
diff --git a/cmd/kube-apiserver/app/aggregator.go b/cmd/kube-apiserver/app/aggregator.go
index 848f415b37f23..00f302e8e9b36 100644
--- a/cmd/kube-apiserver/app/aggregator.go
+++ b/cmd/kube-apiserver/app/aggregator.go
@@ -31,29 +31,30 @@ import (
 var apiVersionPriorities = merge(controlplaneapiserver.DefaultGenericAPIServicePriorities(), map[schema.GroupVersion]controlplaneapiserver.APIServicePriority{
 	{Group: "", Version: "v1"}: {Group: 18000, Version: 1},
 	// to my knowledge, nothing below here collides
-	{Group: "apps", Version: "v1"}:                   {Group: 17800, Version: 15},
-	{Group: "autoscaling", Version: "v1"}:            {Group: 17500, Version: 15},
-	{Group: "autoscaling", Version: "v2"}:            {Group: 17500, Version: 30},
-	{Group: "autoscaling", Version: "v2beta1"}:       {Group: 17500, Version: 9},
-	{Group: "autoscaling", Version: "v2beta2"}:       {Group: 17500, Version: 1},
-	{Group: "batch", Version: "v1"}:                  {Group: 17400, Version: 15},
-	{Group: "batch", Version: "v1beta1"}:             {Group: 17400, Version: 9},
-	{Group: "batch", Version: "v2alpha1"}:            {Group: 17400, Version: 9},
-	{Group: "networking.k8s.io", Version: "v1"}:      {Group: 17200, Version: 15},
-	{Group: "networking.k8s.io", Version: "v1beta1"}: {Group: 17200, Version: 9},
-	{Group: "policy", Version: "v1"}:                 {Group: 17100, Version: 15},
-	{Group: "policy", Version: "v1beta1"}:            {Group: 17100, Version: 9},
-	{Group: "storage.k8s.io", Version: "v1"}:         {Group: 16800, Version: 15},
-	{Group: "storage.k8s.io", Version: "v1beta1"}:    {Group: 16800, Version: 9},
-	{Group: "storage.k8s.io", Version: "v1alpha1"}:   {Group: 16800, Version: 1},
-	{Group: "scheduling.k8s.io", Version: "v1"}:      {Group: 16600, Version: 15},
-	{Group: "node.k8s.io", Version: "v1"}:            {Group: 16300, Version: 15},
-	{Group: "node.k8s.io", Version: "v1alpha1"}:      {Group: 16300, Version: 1},
-	{Group: "node.k8s.io", Version: "v1beta1"}:       {Group: 16300, Version: 9},
-	{Group: "resource.k8s.io", Version: "v1"}:        {Group: 16200, Version: 21},
-	{Group: "resource.k8s.io", Version: "v1beta2"}:   {Group: 16200, Version: 15},
-	{Group: "resource.k8s.io", Version: "v1beta1"}:   {Group: 16200, Version: 9},
-	{Group: "resource.k8s.io", Version: "v1alpha3"}:  {Group: 16200, Version: 1},
+	{Group: "apps", Version: "v1"}:                    {Group: 17800, Version: 15},
+	{Group: "autoscaling", Version: "v1"}:             {Group: 17500, Version: 15},
+	{Group: "autoscaling", Version: "v2"}:             {Group: 17500, Version: 30},
+	{Group: "autoscaling", Version: "v2beta1"}:        {Group: 17500, Version: 9},
+	{Group: "autoscaling", Version: "v2beta2"}:        {Group: 17500, Version: 1},
+	{Group: "batch", Version: "v1"}:                   {Group: 17400, Version: 15},
+	{Group: "batch", Version: "v1beta1"}:              {Group: 17400, Version: 9},
+	{Group: "batch", Version: "v2alpha1"}:             {Group: 17400, Version: 9},
+	{Group: "networking.k8s.io", Version: "v1"}:       {Group: 17200, Version: 15},
+	{Group: "networking.k8s.io", Version: "v1beta1"}:  {Group: 17200, Version: 9},
+	{Group: "policy", Version: "v1"}:                  {Group: 17100, Version: 15},
+	{Group: "policy", Version: "v1beta1"}:             {Group: 17100, Version: 9},
+	{Group: "storage.k8s.io", Version: "v1"}:          {Group: 16800, Version: 15},
+	{Group: "storage.k8s.io", Version: "v1beta1"}:     {Group: 16800, Version: 9},
+	{Group: "storage.k8s.io", Version: "v1alpha1"}:    {Group: 16800, Version: 1},
+	{Group: "scheduling.k8s.io", Version: "v1"}:       {Group: 16600, Version: 15},
+	{Group: "scheduling.k8s.io", Version: "v1alpha1"}: {Group: 16600, Version: 1},
+	{Group: "node.k8s.io", Version: "v1"}:             {Group: 16300, Version: 15},
+	{Group: "node.k8s.io", Version: "v1alpha1"}:       {Group: 16300, Version: 1},
+	{Group: "node.k8s.io", Version: "v1beta1"}:        {Group: 16300, Version: 9},
+	{Group: "resource.k8s.io", Version: "v1"}:         {Group: 16200, Version: 21},
+	{Group: "resource.k8s.io", Version: "v1beta2"}:    {Group: 16200, Version: 15},
+	{Group: "resource.k8s.io", Version: "v1beta1"}:    {Group: 16200, Version: 9},
+	{Group: "resource.k8s.io", Version: "v1alpha3"}:   {Group: 16200, Version: 1},
 	// Append a new group to the end of the list if unsure.
 	// You can use min(existing group)-100 as the initial value for a group.
 	// Version can be set to 9 (to have space around) for a new group.
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 629bb3e00050c..da9063841604c 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -128,6 +128,7 @@ func TestAddFlags(t *testing.T) {
 		"--service-cluster-ip-range=192.168.128.0/17",
 		"--lease-reuse-duration-seconds=100",
 		"--emulated-version=test=1.31",
+		"--min-compatibility-version=test=1.29",
 		"--emulation-forward-compatible=true",
 		"--runtime-config-emulation-forward-compatible=true",
 		"--coordinated-leadership-lease-duration=10s",
@@ -358,4 +359,7 @@ func TestAddFlags(t *testing.T) {
 	if testEffectiveVersion.EmulationVersion().String() != "1.31" {
 		t.Errorf("Got emulation version %s, wanted %s", testEffectiveVersion.EmulationVersion().String(), "1.31")
 	}
+	if testEffectiveVersion.MinCompatibilityVersion().String() != "1.29" {
+		t.Errorf("Got min compatibility version %s, wanted %s", testEffectiveVersion.MinCompatibilityVersion().String(), "1.29")
+	}
 }
diff --git a/cmd/kube-apiserver/app/options/validation_test.go b/cmd/kube-apiserver/app/options/validation_test.go
index 452c4ff016377..78dcd0a4e7b7a 100644
--- a/cmd/kube-apiserver/app/options/validation_test.go
+++ b/cmd/kube-apiserver/app/options/validation_test.go
@@ -187,8 +187,10 @@ func TestClusterServiceIPRange(t *testing.T) {
 			if !tc.ipAllocatorGate {
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MultiCIDRServiceAllocator, tc.ipAllocatorGate)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DisableAllocatorDualWrite, tc.disableDualWriteGate)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.MultiCIDRServiceAllocator: tc.ipAllocatorGate,
+				features.DisableAllocatorDualWrite: tc.disableDualWriteGate,
+			})
 
 			errs := validateClusterIPFlags(tc.options.Extra)
 			if len(errs) > 0 && !tc.expectErrors {
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 129c64ed0e436..7a7df4a6bd03b 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -38,6 +38,7 @@ import (
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/egressselector"
+	"k8s.io/apiserver/pkg/server/flagz"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/notfoundhandler"
@@ -55,7 +56,6 @@ import (
 	"k8s.io/component-base/term"
 	utilversion "k8s.io/component-base/version"
 	"k8s.io/component-base/version/verflag"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
diff --git a/cmd/kube-apiserver/app/testing/testserver.go b/cmd/kube-apiserver/app/testing/testserver.go
index f14823e3d093b..fd55cb1c6028e 100644
--- a/cmd/kube-apiserver/app/testing/testserver.go
+++ b/cmd/kube-apiserver/app/testing/testserver.go
@@ -45,6 +45,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/wait"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	"k8s.io/apiserver/pkg/server/flagz"
 	serveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 	"k8s.io/apiserver/pkg/storageversion"
@@ -56,13 +58,12 @@ import (
 	"k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"
 	basecompatibility "k8s.io/component-base/compatibility"
+	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	"k8s.io/kube-aggregator/pkg/apiserver"
-	"k8s.io/kubernetes/pkg/features"
 	testutil "k8s.io/kubernetes/test/utils"
 	"k8s.io/kubernetes/test/utils/ktesting"
 
@@ -198,6 +199,7 @@ func StartTestServer(t ktesting.TB, instanceOptions *TestServerInstanceOptions,
 		effectiveVersion = basecompatibility.NewEffectiveVersionFromString(instanceOptions.BinaryVersion, "", "")
 	}
 	effectiveVersion.SetEmulationVersion(featureGate.EmulationVersion())
+	effectiveVersion.SetMinCompatibilityVersion(featureGate.MinCompatibilityVersion())
 	componentGlobalsRegistry := basecompatibility.NewComponentGlobalsRegistry()
 	if err := componentGlobalsRegistry.Register(basecompatibility.DefaultKubeComponent, effectiveVersion, featureGate); err != nil {
 		return result, err
@@ -377,18 +379,22 @@ func StartTestServer(t ktesting.TB, instanceOptions *TestServerInstanceOptions,
 	// If the local ComponentGlobalsRegistry is changed by the flags,
 	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
 	// We cannot directly use DefaultFeatureGate in ComponentGlobalsRegistry because the changes done by ComponentGlobalsRegistry.Set() will not be undone at the end of the test.
-	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) {
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion())
+	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
 	}
+	featureOverrides := map[featuregate.Feature]bool{}
 	for f := range utilfeature.DefaultMutableFeatureGate.GetAll() {
 		if featureGate.Enabled(f) != utilfeature.DefaultFeatureGate.Enabled(f) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, featureGate.Enabled(f))
+			featureOverrides[f] = featureGate.Enabled(f)
 		}
 	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featureOverrides)
+	}
 	utilfeature.DefaultMutableFeatureGate.AddMetrics()
 
 	if instanceOptions.EnableCertAuth {
-		if featureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
+		if featureGate.Enabled(genericfeatures.UnknownVersionInteroperabilityProxy) {
 			// TODO: set up a general clean up for testserver
 			if clientgotransport.DialerStopCh == wait.NeverStop {
 				ctx, cancel := context.WithTimeout(context.Background(), time.Hour)
diff --git a/cmd/kube-controller-manager/OWNERS b/cmd/kube-controller-manager/OWNERS
index 11416b81d12d6..f7c449bbe6465 100644
--- a/cmd/kube-controller-manager/OWNERS
+++ b/cmd/kube-controller-manager/OWNERS
@@ -33,6 +33,7 @@ reviewers:
   - thockin
   - wojtek-t
   - jpbetz
+  - jefftree
 labels:
   - sig/api-machinery
 emeritus_approvers:
diff --git a/cmd/kube-controller-manager/app/apps.go b/cmd/kube-controller-manager/app/apps.go
index b1f84a480de21..4c01a5e1154fa 100644
--- a/cmd/kube-controller-manager/app/apps.go
+++ b/cmd/kube-controller-manager/app/apps.go
@@ -25,7 +25,6 @@ import (
 	"time"
 
 	"k8s.io/client-go/util/flowcontrol"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/daemon"
 	"k8s.io/kubernetes/pkg/controller/deployment"
@@ -35,12 +34,18 @@ import (
 
 func newDaemonSetControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.DaemonSetController,
-		aliases:  []string{"daemonset"},
-		initFunc: startDaemonSetController,
+		name:        names.DaemonSetController,
+		aliases:     []string{"daemonset"},
+		constructor: newDaemonSetController,
 	}
 }
-func startDaemonSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+
+func newDaemonSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("daemon-set-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	dsc, err := daemon.NewNodeSelectorAwareDaemonSetsController(
 		ctx,
 		controllerContext.OpenShiftContext.OpenShiftDefaultProjectNodeSelector,
@@ -50,73 +55,97 @@ func startDaemonSetController(ctx context.Context, controllerContext ControllerC
 		controllerContext.InformerFactory.Apps().V1().ControllerRevisions(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Nodes(),
-		controllerContext.ClientBuilder.ClientOrDie("daemon-set-controller"),
+		client,
 		flowcontrol.NewBackOff(1*time.Second, 15*time.Minute),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating DaemonSets controller: %v", err)
+		return nil, fmt.Errorf("error creating DaemonSets controller: %w", err)
 	}
-	go dsc.Run(ctx, int(controllerContext.ComponentConfig.DaemonSetController.ConcurrentDaemonSetSyncs))
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		dsc.Run(ctx, int(controllerContext.ComponentConfig.DaemonSetController.ConcurrentDaemonSetSyncs))
+	}, controllerName), nil
 }
 
 func newStatefulSetControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.StatefulSetController,
-		aliases:  []string{"statefulset"},
-		initFunc: startStatefulSetController,
+		name:        names.StatefulSetController,
+		aliases:     []string{"statefulset"},
+		constructor: newStatefulSetController,
 	}
 }
-func startStatefulSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go statefulset.NewStatefulSetController(
+
+func newStatefulSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("statefulset-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	ssc := statefulset.NewStatefulSetController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Apps().V1().StatefulSets(),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
 		controllerContext.InformerFactory.Apps().V1().ControllerRevisions(),
-		controllerContext.ClientBuilder.ClientOrDie("statefulset-controller"),
-	).Run(ctx, int(controllerContext.ComponentConfig.StatefulSetController.ConcurrentStatefulSetSyncs))
-	return nil, true, nil
+		client,
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		ssc.Run(ctx, int(controllerContext.ComponentConfig.StatefulSetController.ConcurrentStatefulSetSyncs))
+	}, controllerName), nil
 }
 
 func newReplicaSetControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ReplicaSetController,
-		aliases:  []string{"replicaset"},
-		initFunc: startReplicaSetController,
+		name:        names.ReplicaSetController,
+		aliases:     []string{"replicaset"},
+		constructor: newReplicaSetController,
 	}
 }
 
-func startReplicaSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go replicaset.NewReplicaSetController(
+func newReplicaSetController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("replicaset-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	rsc := replicaset.NewReplicaSetController(
 		ctx,
 		controllerContext.InformerFactory.Apps().V1().ReplicaSets(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
-		controllerContext.ClientBuilder.ClientOrDie("replicaset-controller"),
+		client,
 		replicaset.BurstReplicas,
-	).Run(ctx, int(controllerContext.ComponentConfig.ReplicaSetController.ConcurrentRSSyncs))
-	return nil, true, nil
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		rsc.Run(ctx, int(controllerContext.ComponentConfig.ReplicaSetController.ConcurrentRSSyncs))
+	}, controllerName), nil
 }
 
 func newDeploymentControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.DeploymentController,
-		aliases:  []string{"deployment"},
-		initFunc: startDeploymentController,
+		name:        names.DeploymentController,
+		aliases:     []string{"deployment"},
+		constructor: newDeploymentController,
 	}
 }
 
-func startDeploymentController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newDeploymentController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("deployment-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	dc, err := deployment.NewDeploymentController(
 		ctx,
 		controllerContext.InformerFactory.Apps().V1().Deployments(),
 		controllerContext.InformerFactory.Apps().V1().ReplicaSets(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
-		controllerContext.ClientBuilder.ClientOrDie("deployment-controller"),
+		client,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating Deployment controller: %v", err)
+		return nil, fmt.Errorf("error creating Deployment controller: %w", err)
 	}
-	go dc.Run(ctx, int(controllerContext.ComponentConfig.DeploymentController.ConcurrentDeploymentSyncs))
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		dc.Run(ctx, int(controllerContext.ComponentConfig.DeploymentController.ConcurrentDeploymentSyncs))
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/autoscaling.go b/cmd/kube-controller-manager/app/autoscaling.go
index ff0c6d60f30ea..f41592ffc1781 100644
--- a/cmd/kube-controller-manager/app/autoscaling.go
+++ b/cmd/kube-controller-manager/app/autoscaling.go
@@ -21,14 +21,12 @@ package app
 
 import (
 	"context"
-
+	"fmt"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/scale"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/podautoscaler"
 	"k8s.io/kubernetes/pkg/controller/podautoscaler/metrics"
-
 	resourceclient "k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1"
 	"k8s.io/metrics/pkg/client/custom_metrics"
 	"k8s.io/metrics/pkg/client/external_metrics"
@@ -36,47 +34,50 @@ import (
 
 func newHorizontalPodAutoscalerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.HorizontalPodAutoscalerController,
-		aliases:  []string{"horizontalpodautoscaling"},
-		initFunc: startHorizontalPodAutoscalerControllerWithRESTClient,
+		name:        names.HorizontalPodAutoscalerController,
+		aliases:     []string{"horizontalpodautoscaling"},
+		constructor: newHorizontalPodAutoscalerController,
 	}
 }
 
-func startHorizontalPodAutoscalerControllerWithRESTClient(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-
-	clientConfig := controllerContext.ClientBuilder.ConfigOrDie("horizontal-pod-autoscaler")
-	hpaClient := controllerContext.ClientBuilder.ClientOrDie("horizontal-pod-autoscaler")
-
-	apiVersionsGetter := custom_metrics.NewAvailableAPIsGetter(hpaClient.Discovery())
-	// invalidate the discovery information roughly once per resync interval our API
-	// information is *at most* two resync intervals old.
-	go custom_metrics.PeriodicallyInvalidate(
-		apiVersionsGetter,
-		controllerContext.ComponentConfig.HPAController.HorizontalPodAutoscalerSyncPeriod.Duration,
-		ctx.Done())
-
-	metricsClient := metrics.NewRESTMetricsClient(
-		resourceclient.NewForConfigOrDie(clientConfig),
-		custom_metrics.NewForConfig(clientConfig, controllerContext.RESTMapper, apiVersionsGetter),
-		external_metrics.NewForConfigOrDie(clientConfig),
-	)
-	return startHPAControllerWithMetricsClient(ctx, controllerContext, metricsClient)
-}
-
-func startHPAControllerWithMetricsClient(ctx context.Context, controllerContext ControllerContext, metricsClient metrics.MetricsClient) (controller.Interface, bool, error) {
+func newHorizontalPodAutoscalerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	clientConfig, err := controllerContext.NewClientConfig("horizontal-pod-autoscaler")
+	if err != nil {
+		return nil, err
+	}
 
-	hpaClient := controllerContext.ClientBuilder.ClientOrDie("horizontal-pod-autoscaler")
-	hpaClientConfig := controllerContext.ClientBuilder.ConfigOrDie("horizontal-pod-autoscaler")
+	hpaClient, err := controllerContext.NewClient("horizontal-pod-autoscaler")
+	if err != nil {
+		return nil, err
+	}
 
 	// we don't use cached discovery because DiscoveryScaleKindResolver does its own caching,
 	// so we want to re-fetch every time when we actually ask for it
 	scaleKindResolver := scale.NewDiscoveryScaleKindResolver(hpaClient.Discovery())
-	scaleClient, err := scale.NewForConfig(hpaClientConfig, controllerContext.RESTMapper, dynamic.LegacyAPIPathResolverFunc, scaleKindResolver)
+	scaleClient, err := scale.NewForConfig(clientConfig, controllerContext.RESTMapper, dynamic.LegacyAPIPathResolverFunc, scaleKindResolver)
+	if err != nil {
+		return nil, fmt.Errorf("failed to init HPA scale client: %w", err)
+	}
+
+	apiVersionsGetter := custom_metrics.NewAvailableAPIsGetter(hpaClient.Discovery())
+
+	resourceClient, err := resourceclient.NewForConfig(clientConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to init the resource client for %s: %w", controllerName, err)
+	}
+
+	externalMetricsClient, err := external_metrics.NewForConfig(clientConfig)
 	if err != nil {
-		return nil, false, err
+		return nil, fmt.Errorf("failed to init the external metrics client for %s: %w", controllerName, err)
 	}
 
-	go podautoscaler.NewHorizontalController(
+	metricsClient := metrics.NewRESTMetricsClient(
+		resourceClient,
+		custom_metrics.NewForConfig(clientConfig, controllerContext.RESTMapper, apiVersionsGetter),
+		externalMetricsClient,
+	)
+
+	pas := podautoscaler.NewHorizontalController(
 		ctx,
 		hpaClient.CoreV1(),
 		scaleClient,
@@ -90,6 +91,16 @@ func startHPAControllerWithMetricsClient(ctx context.Context, controllerContext
 		controllerContext.ComponentConfig.HPAController.HorizontalPodAutoscalerTolerance,
 		controllerContext.ComponentConfig.HPAController.HorizontalPodAutoscalerCPUInitializationPeriod.Duration,
 		controllerContext.ComponentConfig.HPAController.HorizontalPodAutoscalerInitialReadinessDelay.Duration,
-	).Run(ctx, int(controllerContext.ComponentConfig.HPAController.ConcurrentHorizontalPodAutoscalerSyncs))
-	return nil, true, nil
+	)
+	return newControllerLoop(concurrentRun(
+		func(ctx context.Context) {
+			custom_metrics.PeriodicallyInvalidate(
+				apiVersionsGetter,
+				controllerContext.ComponentConfig.HPAController.HorizontalPodAutoscalerSyncPeriod.Duration,
+				ctx.Done())
+		},
+		func(ctx context.Context) {
+			pas.Run(ctx, int(controllerContext.ComponentConfig.HPAController.ConcurrentHorizontalPodAutoscalerSyncs))
+		},
+	), controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/batch.go b/cmd/kube-controller-manager/app/batch.go
index 159aebd82848f..a1ae796755c0c 100644
--- a/cmd/kube-controller-manager/app/batch.go
+++ b/cmd/kube-controller-manager/app/batch.go
@@ -23,7 +23,6 @@ import (
 	"context"
 	"fmt"
 
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/cronjob"
 	"k8s.io/kubernetes/pkg/controller/job"
@@ -31,43 +30,58 @@ import (
 
 func newJobControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.JobController,
-		aliases:  []string{"job"},
-		initFunc: startJobController,
+		name:        names.JobController,
+		aliases:     []string{"job"},
+		constructor: newJobController,
 	}
 }
 
-func startJobController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	jobController, err := job.NewController(
+func newJobController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("job-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	jc, err := job.NewController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Batch().V1().Jobs(),
-		controllerContext.ClientBuilder.ClientOrDie("job-controller"),
+		client,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("creating Job controller: %v", err)
+		return nil, fmt.Errorf("creating Job controller: %w", err)
 	}
-	go jobController.Run(ctx, int(controllerContext.ComponentConfig.JobController.ConcurrentJobSyncs))
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		jc.Run(ctx, int(controllerContext.ComponentConfig.JobController.ConcurrentJobSyncs))
+	}, controllerName), nil
 }
 
 func newCronJobControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.CronJobController,
-		aliases:  []string{"cronjob"},
-		initFunc: startCronJobController,
+		name:        names.CronJobController,
+		aliases:     []string{"cronjob"},
+		constructor: newCronJobController,
 	}
 }
 
-func startCronJobController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	cj2c, err := cronjob.NewControllerV2(ctx, controllerContext.InformerFactory.Batch().V1().Jobs(),
+func newCronJobController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("cronjob-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	cj2c, err := cronjob.NewControllerV2(
+		ctx,
+		controllerContext.InformerFactory.Batch().V1().Jobs(),
 		controllerContext.InformerFactory.Batch().V1().CronJobs(),
-		controllerContext.ClientBuilder.ClientOrDie("cronjob-controller"),
+		client,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("creating CronJob controller V2: %v", err)
+		return nil, fmt.Errorf("creating CronJob controller V2: %w", err)
 	}
 
-	go cj2c.Run(ctx, int(controllerContext.ComponentConfig.CronJobController.ConcurrentCronJobSyncs))
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		cj2c.Run(ctx, int(controllerContext.ComponentConfig.CronJobController.ConcurrentCronJobSyncs))
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/bootstrap.go b/cmd/kube-controller-manager/app/bootstrap.go
index aedaaf65aa03f..4a3aeb8ed441f 100644
--- a/cmd/kube-controller-manager/app/bootstrap.go
+++ b/cmd/kube-controller-manager/app/bootstrap.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/bootstrap"
 )
@@ -29,41 +28,53 @@ func newBootstrapSignerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                names.BootstrapSignerController,
 		aliases:             []string{"bootstrapsigner"},
-		initFunc:            startBootstrapSignerController,
+		constructor:         newBootstrapSignerController,
 		isDisabledByDefault: true,
 	}
 }
-func startBootstrapSignerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+
+func newBootstrapSignerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("bootstrap-signer")
+	if err != nil {
+		return nil, err
+	}
+
 	bsc, err := bootstrap.NewSigner(
-		controllerContext.ClientBuilder.ClientOrDie("bootstrap-signer"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Secrets(),
 		controllerContext.InformerFactory.Core().V1().ConfigMaps(),
 		bootstrap.DefaultSignerOptions(),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating BootstrapSigner controller: %v", err)
+		return nil, fmt.Errorf("error creating BootstrapSigner controller: %w", err)
 	}
-	go bsc.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(bsc.Run, controllerName), nil
 }
 
 func newTokenCleanerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                names.TokenCleanerController,
 		aliases:             []string{"tokencleaner"},
-		initFunc:            startTokenCleanerController,
+		constructor:         newTokenCleanerController,
 		isDisabledByDefault: true,
 	}
 }
-func startTokenCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+
+func newTokenCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("token-cleaner")
+	if err != nil {
+		return nil, err
+	}
+
 	tcc, err := bootstrap.NewTokenCleaner(
-		controllerContext.ClientBuilder.ClientOrDie("token-cleaner"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Secrets(),
 		bootstrap.DefaultTokenCleanerOptions(),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating TokenCleaner controller: %v", err)
+		return nil, fmt.Errorf("error creating TokenCleaner controller: %w", err)
 	}
-	go tcc.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(tcc.Run, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/certificates.go b/cmd/kube-controller-manager/app/certificates.go
index 7b86633ea313e..a959afb081a60 100644
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@@ -29,10 +29,8 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/component-base/featuregate"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/openshift-kube-controller-manager/servicecacertpublisher"
@@ -48,33 +46,41 @@ import (
 
 func newCertificateSigningRequestSigningControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.CertificateSigningRequestSigningController,
-		aliases:  []string{"csrsigning"},
-		initFunc: startCertificateSigningRequestSigningController,
+		name:        names.CertificateSigningRequestSigningController,
+		aliases:     []string{"csrsigning"},
+		constructor: newCertificateSigningRequestSigningController,
 	}
 }
 
-func startCertificateSigningRequestSigningController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newCertificateSigningRequestSigningController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	logger := klog.FromContext(ctx)
 	missingSingleSigningFile := controllerContext.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || controllerContext.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == ""
 	if missingSingleSigningFile && !anySpecificFilesSet(controllerContext.ComponentConfig.CSRSigningController) {
 		logger.Info("Skipping CSR signer controller because no csr cert/key was specified")
-		return nil, false, nil
+		return nil, nil
 	}
 	if !missingSingleSigningFile && anySpecificFilesSet(controllerContext.ComponentConfig.CSRSigningController) {
-		return nil, false, fmt.Errorf("cannot specify default and per controller certs at the same time")
+		return nil, fmt.Errorf("cannot specify default and per controller certs at the same time")
+	}
+
+	c, err := controllerContext.NewClient("certificate-controller")
+	if err != nil {
+		return nil, err
 	}
 
-	c := controllerContext.ClientBuilder.ClientOrDie("certificate-controller")
 	csrInformer := controllerContext.InformerFactory.Certificates().V1().CertificateSigningRequests()
 	certTTL := controllerContext.ComponentConfig.CSRSigningController.ClusterSigningDuration.Duration
 
+	var rx []runFunc
 	if kubeletServingSignerCertFile, kubeletServingSignerKeyFile := getKubeletServingSignerFiles(controllerContext.ComponentConfig.CSRSigningController); len(kubeletServingSignerCertFile) > 0 || len(kubeletServingSignerKeyFile) > 0 {
 		kubeletServingSigner, err := signer.NewKubeletServingCSRSigningController(ctx, c, csrInformer, kubeletServingSignerCertFile, kubeletServingSignerKeyFile, certTTL)
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to start kubernetes.io/kubelet-serving certificate controller: %v", err)
+			return nil, fmt.Errorf("failed to init kubernetes.io/kubelet-serving certificate controller: %w", err)
 		}
-		go kubeletServingSigner.Run(ctx, 5)
+
+		rx = append(rx, func(ctx context.Context) {
+			kubeletServingSigner.Run(ctx, 5)
+		})
 	} else {
 		logger.Info("Skipping CSR signer controller because specific files were specified for other signers and not this one", "controller", "kubernetes.io/kubelet-serving")
 	}
@@ -82,9 +88,12 @@ func startCertificateSigningRequestSigningController(ctx context.Context, contro
 	if kubeletClientSignerCertFile, kubeletClientSignerKeyFile := getKubeletClientSignerFiles(controllerContext.ComponentConfig.CSRSigningController); len(kubeletClientSignerCertFile) > 0 || len(kubeletClientSignerKeyFile) > 0 {
 		kubeletClientSigner, err := signer.NewKubeletClientCSRSigningController(ctx, c, csrInformer, kubeletClientSignerCertFile, kubeletClientSignerKeyFile, certTTL)
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client-kubelet certificate controller: %v", err)
+			return nil, fmt.Errorf("failed to init kubernetes.io/kube-apiserver-client-kubelet certificate controller: %w", err)
 		}
-		go kubeletClientSigner.Run(ctx, 5)
+
+		rx = append(rx, func(ctx context.Context) {
+			kubeletClientSigner.Run(ctx, 5)
+		})
 	} else {
 		logger.Info("Skipping CSR signer controller because specific files were specified for other signers and not this one", "controller", "kubernetes.io/kube-apiserver-client-kubelet")
 	}
@@ -92,9 +101,12 @@ func startCertificateSigningRequestSigningController(ctx context.Context, contro
 	if kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile := getKubeAPIServerClientSignerFiles(controllerContext.ComponentConfig.CSRSigningController); len(kubeAPIServerSignerCertFile) > 0 || len(kubeAPIServerSignerKeyFile) > 0 {
 		kubeAPIServerClientSigner, err := signer.NewKubeAPIServerClientCSRSigningController(ctx, c, csrInformer, kubeAPIServerSignerCertFile, kubeAPIServerSignerKeyFile, certTTL)
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to start kubernetes.io/kube-apiserver-client certificate controller: %v", err)
+			return nil, fmt.Errorf("failed to init kubernetes.io/kube-apiserver-client certificate controller: %w", err)
 		}
-		go kubeAPIServerClientSigner.Run(ctx, 5)
+
+		rx = append(rx, func(ctx context.Context) {
+			kubeAPIServerClientSigner.Run(ctx, 5)
+		})
 	} else {
 		logger.Info("Skipping CSR signer controller because specific files were specified for other signers and not this one", "controller", "kubernetes.io/kube-apiserver-client")
 	}
@@ -102,14 +114,17 @@ func startCertificateSigningRequestSigningController(ctx context.Context, contro
 	if legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile := getLegacyUnknownSignerFiles(controllerContext.ComponentConfig.CSRSigningController); len(legacyUnknownSignerCertFile) > 0 || len(legacyUnknownSignerKeyFile) > 0 {
 		legacyUnknownSigner, err := signer.NewLegacyUnknownCSRSigningController(ctx, c, csrInformer, legacyUnknownSignerCertFile, legacyUnknownSignerKeyFile, certTTL)
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to start kubernetes.io/legacy-unknown certificate controller: %v", err)
+			return nil, fmt.Errorf("failed to init kubernetes.io/legacy-unknown certificate controller: %w", err)
 		}
-		go legacyUnknownSigner.Run(ctx, 5)
+
+		rx = append(rx, func(ctx context.Context) {
+			legacyUnknownSigner.Run(ctx, 5)
+		})
 	} else {
 		logger.Info("Skipping CSR signer controller because specific files were specified for other signers and not this one", "controller", "kubernetes.io/legacy-unknown")
 	}
 
-	return nil, true, nil
+	return newControllerLoop(concurrentRun(rx...), controllerName), nil
 }
 
 func areKubeletServingSignerFilesSpecified(config csrsigningconfig.CSRSigningControllerConfiguration) bool {
@@ -172,110 +187,130 @@ func getLegacyUnknownSignerFiles(config csrsigningconfig.CSRSigningControllerCon
 
 func newCertificateSigningRequestApprovingControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.CertificateSigningRequestApprovingController,
-		aliases:  []string{"csrapproving"},
-		initFunc: startCertificateSigningRequestApprovingController,
+		name:        names.CertificateSigningRequestApprovingController,
+		aliases:     []string{"csrapproving"},
+		constructor: newCertificateSigningRequestApprovingController,
 	}
 }
-func startCertificateSigningRequestApprovingController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	approver := approver.NewCSRApprovingController(
+func newCertificateSigningRequestApprovingController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("certificate-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	ac := approver.NewCSRApprovingController(
 		ctx,
-		controllerContext.ClientBuilder.ClientOrDie("certificate-controller"),
+		client,
 		controllerContext.InformerFactory.Certificates().V1().CertificateSigningRequests(),
 	)
-	go approver.Run(ctx, 5)
-
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		ac.Run(ctx, 5)
+	}, controllerName), nil
 }
 
 func newCertificateSigningRequestCleanerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.CertificateSigningRequestCleanerController,
-		aliases:  []string{"csrcleaner"},
-		initFunc: startCertificateSigningRequestCleanerController,
+		name:        names.CertificateSigningRequestCleanerController,
+		aliases:     []string{"csrcleaner"},
+		constructor: newCertificateSigningRequestCleanerController,
 	}
 }
-func startCertificateSigningRequestCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	cleaner := cleaner.NewCSRCleanerController(
-		controllerContext.ClientBuilder.ClientOrDie("certificate-controller").CertificatesV1().CertificateSigningRequests(),
+func newCertificateSigningRequestCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("certificate-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	cc := cleaner.NewCSRCleanerController(
+		client.CertificatesV1().CertificateSigningRequests(),
 		controllerContext.InformerFactory.Certificates().V1().CertificateSigningRequests(),
 	)
-	go cleaner.Run(ctx, 1)
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		cc.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newPodCertificateRequestCleanerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PodCertificateRequestCleanerController,
-		initFunc: startPodCertificateRequestCleanerController,
+		name:        names.PodCertificateRequestCleanerController,
+		constructor: newPodCertificateRequestCleanerController,
 		requiredFeatureGates: []featuregate.Feature{
 			features.PodCertificateRequest,
 		},
 	}
 }
 
-func startPodCertificateRequestCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newPodCertificateRequestCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	cleaner := cleaner.NewPCRCleanerController(
 		controllerContext.ClientBuilder.ClientOrDie("podcertificaterequestcleaner"),
-		controllerContext.InformerFactory.Certificates().V1alpha1().PodCertificateRequests(),
+		controllerContext.InformerFactory.Certificates().V1beta1().PodCertificateRequests(),
 		clock.RealClock{},
 		15*time.Minute, // We expect all PodCertificateRequest flows to complete faster than this.
 		5*time.Minute,
 	)
-	go cleaner.Run(ctx, 1)
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		cleaner.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newRootCACertificatePublisherControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.RootCACertificatePublisherController,
-		aliases:  []string{"root-ca-cert-publisher"},
-		initFunc: startRootCACertificatePublisherController,
+		name:        names.RootCACertificatePublisherController,
+		aliases:     []string{"root-ca-cert-publisher"},
+		constructor: newRootCACertificatePublisherController,
 	}
 }
 
-func startRootCACertificatePublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newRootCACertificatePublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	rootCA, err := getKubeAPIServerCAFileContents(controllerContext)
 	if err != nil {
-		return nil, true, err
+		return nil, err
+	}
+
+	client, err := controllerContext.NewClient("root-ca-cert-publisher")
+	if err != nil {
+		return nil, err
 	}
 
 	sac, err := rootcacertpublisher.NewPublisher(
 		controllerContext.InformerFactory.Core().V1().ConfigMaps(),
 		controllerContext.InformerFactory.Core().V1().Namespaces(),
-		controllerContext.ClientBuilder.ClientOrDie("root-ca-cert-publisher"),
+		client,
 		rootCA,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating root CA certificate publisher: %v", err)
+		return nil, fmt.Errorf("error creating root CA certificate publisher: %w", err)
 	}
-	go sac.Run(ctx, 1)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		sac.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newKubeAPIServerSignerClusterTrustBundledPublisherDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                 names.KubeAPIServerClusterTrustBundlePublisherController,
-		initFunc:             newKubeAPIServerSignerClusterTrustBundledPublisherController,
+		constructor:          newKubeAPIServerSignerClusterTrustBundledPublisherController,
 		requiredFeatureGates: []featuregate.Feature{features.ClusterTrustBundle},
 	}
 }
 
 type controllerConstructor func(string, dynamiccertificates.CAContentProvider, kubernetes.Interface) (ctbpublisher.PublisherRunner, error)
 
-func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newKubeAPIServerSignerClusterTrustBundledPublisherController(
+	ctx context.Context, controllerContext ControllerContext, controllerName string,
+) (Controller, error) {
 	rootCA, err := getKubeAPIServerCAFileContents(controllerContext)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
-
-	if len(rootCA) == 0 || !utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
-		return nil, false, nil
+	if len(rootCA) == 0 {
+		return nil, nil
 	}
 
 	servingSigners, err := dynamiccertificates.NewStaticCAContent("kube-apiserver-serving", rootCA)
 	if err != nil {
-		return nil, false, fmt.Errorf("failed to create a static CA content provider for the kube-apiserver-serving signer: %w", err)
+		return nil, fmt.Errorf("failed to create a static CA content provider for the kube-apiserver-serving signer: %w", err)
 	}
 
 	schemaControllerMapping := map[schema.GroupVersion]controllerConstructor{
@@ -283,12 +318,16 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co
 		certificatesv1beta1.SchemeGroupVersion:  ctbpublisher.NewBetaClusterTrustBundlePublisher,
 	}
 
-	apiserverSignerClient := controllerContext.ClientBuilder.ClientOrDie("kube-apiserver-serving-clustertrustbundle-publisher")
+	apiserverSignerClient, err := controllerContext.NewClient("kube-apiserver-serving-clustertrustbundle-publisher")
+	if err != nil {
+		return nil, err
+	}
+
 	var runner ctbpublisher.PublisherRunner
 	for _, gv := range []schema.GroupVersion{certificatesv1beta1.SchemeGroupVersion, certificatesv1alpha1.SchemeGroupVersion} {
 		ctbAvailable, err := clusterTrustBundlesAvailable(apiserverSignerClient, gv)
 		if err != nil {
-			return nil, false, fmt.Errorf("discovery failed for ClusterTrustBundle: %w", err)
+			return nil, fmt.Errorf("discovery failed for ClusterTrustBundle: %w", err)
 		}
 
 		if !ctbAvailable {
@@ -301,18 +340,17 @@ func newKubeAPIServerSignerClusterTrustBundledPublisherController(ctx context.Co
 			apiserverSignerClient,
 		)
 		if err != nil {
-			return nil, false, fmt.Errorf("error creating kube-apiserver-serving signer certificates publisher: %w", err)
+			return nil, fmt.Errorf("error creating kube-apiserver-serving signer certificates publisher: %w", err)
 		}
 		break
 	}
 
 	if runner == nil {
 		klog.Info("no known scheme version was found for clustertrustbundles, cannot start kube-apiserver-serving-clustertrustbundle-publisher-controller")
-		return nil, false, nil
+		return nil, nil
 	}
 
-	go runner.Run(ctx)
-	return nil, true, nil
+	return newControllerLoop(runner.Run, controllerName), nil
 }
 
 func clusterTrustBundlesAvailable(client kubernetes.Interface, schemaVersion schema.GroupVersion) (bool, error) {
@@ -335,7 +373,11 @@ func clusterTrustBundlesAvailable(client kubernetes.Interface, schemaVersion sch
 
 func getKubeAPIServerCAFileContents(controllerContext ControllerContext) ([]byte, error) {
 	if controllerContext.ComponentConfig.SAController.RootCAFile == "" {
-		return controllerContext.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData, nil
+		config, err := controllerContext.NewClientConfig("root-ca-cert-publisher")
+		if err != nil {
+			return nil, err
+		}
+		return config.CAData, nil
 	}
 
 	rootCA, err := readCA(controllerContext.ComponentConfig.SAController.RootCAFile)
@@ -346,23 +388,24 @@ func getKubeAPIServerCAFileContents(controllerContext ControllerContext) ([]byte
 
 }
 
-func newServiceCACertPublisher() *ControllerDescriptor {
+func newServiceCACertPublisherControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ServiceCACertificatePublisherController,
-		aliases:  []string{"service-ca-cert-publisher"},
-		initFunc: startServiceCACertPublisher,
+		name:        names.ServiceCACertificatePublisherController,
+		aliases:     []string{"service-ca-cert-publisher"},
+		constructor: newServiceCACertPublisherController,
 	}
 }
 
-func startServiceCACertPublisher(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newServiceCACertPublisherController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	sac, err := servicecacertpublisher.NewPublisher(
 		controllerContext.InformerFactory.Core().V1().ConfigMaps(),
 		controllerContext.InformerFactory.Core().V1().Namespaces(),
 		controllerContext.ClientBuilder.ClientOrDie("service-ca-cert-publisher"),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating service CA certificate publisher: %v", err)
+		return nil, fmt.Errorf("error creating service CA certificate publisher: %w", err)
 	}
-	go sac.Run(1, ctx.Done())
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		sac.Run(ctx, 1)
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/config/config.go b/cmd/kube-controller-manager/app/config/config.go
index 2e5b9ec78061e..56d09d2e54caf 100644
--- a/cmd/kube-controller-manager/app/config/config.go
+++ b/cmd/kube-controller-manager/app/config/config.go
@@ -18,12 +18,13 @@ package config
 
 import (
 	apiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/flagz"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
 	basecompatibility "k8s.io/component-base/compatibility"
-	"k8s.io/component-base/zpages/flagz"
 	kubectrlmgrconfig "k8s.io/kubernetes/pkg/controller/apis/config"
+	"time"
 )
 
 // Config is the main context object for the controller manager.
@@ -35,8 +36,6 @@ type Config struct {
 	ComponentConfig kubectrlmgrconfig.KubeControllerManagerConfiguration
 
 	SecureServing *apiserver.SecureServingInfo
-	// LoopbackClientConfig is a config for a privileged loopback connection
-	LoopbackClientConfig *restclient.Config
 
 	Authentication apiserver.AuthenticationInfo
 	Authorization  apiserver.AuthorizationInfo
@@ -50,6 +49,8 @@ type Config struct {
 	EventBroadcaster record.EventBroadcaster
 	EventRecorder    record.EventRecorder
 
+	ControllerShutdownTimeout time.Duration
+
 	// ComponentGlobalsRegistry is the registry where the effective versions and feature gates for all components are stored.
 	ComponentGlobalsRegistry basecompatibility.ComponentGlobalsRegistry
 }
@@ -68,7 +69,5 @@ type CompletedConfig struct {
 func (c *Config) Complete() *CompletedConfig {
 	cc := completedConfig{c}
 
-	apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
-
 	return &CompletedConfig{&cc}
 }
diff --git a/cmd/kube-controller-manager/app/controller_descriptor.go b/cmd/kube-controller-manager/app/controller_descriptor.go
new file mode 100644
index 0000000000000..30df1ee8aa65c
--- /dev/null
+++ b/cmd/kube-controller-manager/app/controller_descriptor.go
@@ -0,0 +1,248 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"fmt"
+	"sort"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/component-base/featuregate"
+	"k8s.io/klog/v2"
+)
+
+// This file contains types and functions for wrapping controller implementations from downstream packages.
+// Every controller wrapper implements the Controller interface,
+// which is then associated with a ControllerDescriptor, which holds additional static metadata
+// needed so that the manager can manage Controllers properly.
+
+// Controller defines the base interface that all controller wrappers must implement.
+type Controller interface {
+	// Name returns the controller's canonical name.
+	Name() string
+
+	// Run runs the controller loop.
+	// When there is anything to be done, it blocks until the context is cancelled.
+	// Run must ensure all goroutines are terminated before returning.
+	Run(context.Context)
+}
+
+// ControllerConstructor is a constructor for a controller.
+// A nil Controller returned means that the associated controller is disabled.
+type ControllerConstructor func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error)
+
+type ControllerDescriptor struct {
+	name                      string
+	constructor               ControllerConstructor
+	requiredFeatureGates      []featuregate.Feature
+	aliases                   []string
+	isDisabledByDefault       bool
+	isCloudProviderController bool
+	requiresSpecialHandling   bool
+}
+
+func (r *ControllerDescriptor) Name() string {
+	return r.name
+}
+
+func (r *ControllerDescriptor) GetControllerConstructor() ControllerConstructor {
+	return r.constructor
+}
+
+func (r *ControllerDescriptor) GetRequiredFeatureGates() []featuregate.Feature {
+	return append([]featuregate.Feature(nil), r.requiredFeatureGates...)
+}
+
+// GetAliases returns aliases to ensure backwards compatibility and should never be removed!
+// Only addition of new aliases is allowed, and only when a canonical name is changed (please see CHANGE POLICY of controller names)
+func (r *ControllerDescriptor) GetAliases() []string {
+	return append([]string(nil), r.aliases...)
+}
+
+func (r *ControllerDescriptor) IsDisabledByDefault() bool {
+	return r.isDisabledByDefault
+}
+
+func (r *ControllerDescriptor) IsCloudProviderController() bool {
+	return r.isCloudProviderController
+}
+
+// RequiresSpecialHandling should return true only in a special non-generic controllers like ServiceAccountTokenController
+func (r *ControllerDescriptor) RequiresSpecialHandling() bool {
+	return r.requiresSpecialHandling
+}
+
+// BuildController creates a controller based on the given descriptor.
+// The associated controller's constructor is called at the end, so the same contract applies for the return values here.
+func (r *ControllerDescriptor) BuildController(ctx context.Context, controllerCtx ControllerContext) (Controller, error) {
+	logger := klog.FromContext(ctx)
+	controllerName := r.Name()
+
+	for _, featureGate := range r.GetRequiredFeatureGates() {
+		if !utilfeature.DefaultFeatureGate.Enabled(featureGate) {
+			logger.Info("Controller is disabled by a feature gate",
+				"controller", controllerName,
+				"requiredFeatureGates", r.GetRequiredFeatureGates())
+			return nil, nil
+		}
+	}
+
+	if r.IsCloudProviderController() {
+		logger.Info("Skipping a cloud provider controller", "controller", controllerName)
+		return nil, nil
+	}
+
+	ctx = klog.NewContext(ctx, klog.LoggerWithName(logger, controllerName))
+	return r.GetControllerConstructor()(ctx, controllerCtx, controllerName)
+}
+
+// KnownControllers returns all known controllers' name
+func KnownControllers() []string {
+	return sets.StringKeySet(NewControllerDescriptors()).List()
+}
+
+// ControllerAliases returns a mapping of aliases to canonical controller names
+func ControllerAliases() map[string]string {
+	aliases := map[string]string{}
+	for name, c := range NewControllerDescriptors() {
+		for _, alias := range c.GetAliases() {
+			aliases[alias] = name
+		}
+	}
+	return aliases
+}
+
+func ControllersDisabledByDefault() []string {
+	var controllersDisabledByDefault []string
+
+	for name, c := range NewControllerDescriptors() {
+		if c.IsDisabledByDefault() {
+			controllersDisabledByDefault = append(controllersDisabledByDefault, name)
+		}
+	}
+
+	sort.Strings(controllersDisabledByDefault)
+
+	return controllersDisabledByDefault
+}
+
+// NewControllerDescriptors is a public map of named controller groups (you can start more than one in an init func)
+// paired to their ControllerDescriptor wrapper object that includes the associated controller constructor.
+// This allows for structured downstream composition and subdivision.
+func NewControllerDescriptors() map[string]*ControllerDescriptor {
+	controllers := map[string]*ControllerDescriptor{}
+	aliases := sets.NewString()
+
+	// All the controllers must fulfil common constraints, or else we will explode.
+	register := func(controllerDesc *ControllerDescriptor) {
+		if controllerDesc == nil {
+			panic("received nil controller for a registration")
+		}
+		name := controllerDesc.Name()
+		if len(name) == 0 {
+			panic("received controller without a name for a registration")
+		}
+		if _, found := controllers[name]; found {
+			panic(fmt.Sprintf("controller name %q was registered twice", name))
+		}
+		if controllerDesc.GetControllerConstructor() == nil {
+			panic(fmt.Sprintf("controller %q does not have a constructor specified", name))
+		}
+
+		for _, alias := range controllerDesc.GetAliases() {
+			if aliases.Has(alias) {
+				panic(fmt.Sprintf("controller %q has a duplicate alias %q", name, alias))
+			}
+			aliases.Insert(alias)
+		}
+
+		controllers[name] = controllerDesc
+	}
+
+	// First add "special" controllers that aren't initialized normally. These controllers cannot be initialized
+	// in the main controller loop initialization, so we add them here only for the metadata and duplication detection.
+	// app.ControllerDescriptor#RequiresSpecialHandling should return true for such controllers
+	// The only known special case is the ServiceAccountTokenController which *must* be started
+	// first to ensure that the SA tokens for future controllers will exist. Think very carefully before adding new
+	// special controllers.
+	register(newServiceAccountTokenControllerDescriptor(nil))
+
+	register(newEndpointsControllerDescriptor())
+	register(newEndpointSliceControllerDescriptor())
+	register(newEndpointSliceMirroringControllerDescriptor())
+	register(newReplicationControllerDescriptor())
+	register(newPodGarbageCollectorControllerDescriptor())
+	register(newResourceQuotaControllerDescriptor())
+	register(newNamespaceControllerDescriptor())
+	register(newServiceAccountControllerDescriptor())
+	register(newGarbageCollectorControllerDescriptor())
+	register(newDaemonSetControllerDescriptor())
+	register(newJobControllerDescriptor())
+	register(newDeploymentControllerDescriptor())
+	register(newReplicaSetControllerDescriptor())
+	register(newHorizontalPodAutoscalerControllerDescriptor())
+	register(newDisruptionControllerDescriptor())
+	register(newStatefulSetControllerDescriptor())
+	register(newCronJobControllerDescriptor())
+	register(newCertificateSigningRequestSigningControllerDescriptor())
+	register(newCertificateSigningRequestApprovingControllerDescriptor())
+	register(newCertificateSigningRequestCleanerControllerDescriptor())
+	register(newPodCertificateRequestCleanerControllerDescriptor())
+	register(newTTLControllerDescriptor())
+	register(newBootstrapSignerControllerDescriptor())
+	register(newTokenCleanerControllerDescriptor())
+	register(newNodeIpamControllerDescriptor())
+	register(newNodeLifecycleControllerDescriptor())
+
+	register(newServiceLBControllerDescriptor())          // cloud provider controller
+	register(newNodeRouteControllerDescriptor())          // cloud provider controller
+	register(newCloudNodeLifecycleControllerDescriptor()) // cloud provider controller
+
+	register(newPersistentVolumeBinderControllerDescriptor())
+	register(newPersistentVolumeAttachDetachControllerDescriptor())
+	register(newPersistentVolumeExpanderControllerDescriptor())
+	register(newClusterRoleAggregrationControllerDescriptor())
+	register(newPersistentVolumeClaimProtectionControllerDescriptor())
+	register(newPersistentVolumeProtectionControllerDescriptor())
+	register(newVolumeAttributesClassProtectionControllerDescriptor())
+	register(newTTLAfterFinishedControllerDescriptor())
+	register(newRootCACertificatePublisherControllerDescriptor())
+	register(newKubeAPIServerSignerClusterTrustBundledPublisherDescriptor())
+	register(newServiceCACertPublisherControllerDescriptor())
+	register(newEphemeralVolumeControllerDescriptor())
+
+	// feature gated
+	register(newStorageVersionGarbageCollectorControllerDescriptor())
+	register(newResourceClaimControllerDescriptor())
+	register(newDeviceTaintEvictionControllerDescriptor())
+	register(newLegacyServiceAccountTokenCleanerControllerDescriptor())
+	register(newValidatingAdmissionPolicyStatusControllerDescriptor())
+	register(newTaintEvictionControllerDescriptor())
+	register(newServiceCIDRsControllerDescriptor())
+	register(newStorageVersionMigratorControllerDescriptor())
+	register(newSELinuxWarningControllerDescriptor())
+
+	for _, alias := range aliases.UnsortedList() {
+		if _, ok := controllers[alias]; ok {
+			panic(fmt.Sprintf("alias %q conflicts with a controller name", alias))
+		}
+	}
+
+	return controllers
+}
diff --git a/cmd/kube-controller-manager/app/controller_utils.go b/cmd/kube-controller-manager/app/controller_utils.go
new file mode 100644
index 0000000000000..8a9ca1baa0e27
--- /dev/null
+++ b/cmd/kube-controller-manager/app/controller_utils.go
@@ -0,0 +1,67 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"sync"
+)
+
+// This file contains utility functions for implementing controller wrappers,
+// i.e. turning whatever logic into a Controller.
+
+type runFunc func(ctx context.Context)
+
+type runFuncSlice []runFunc
+
+func (rx runFuncSlice) Run(ctx context.Context) {
+	var wg sync.WaitGroup
+	wg.Add(len(rx))
+	for _, fnc := range rx {
+		go func() {
+			defer wg.Done()
+			fnc(ctx)
+		}()
+	}
+	wg.Wait()
+}
+
+// concurrentRun returns a runFunc that wraps the given functions to run concurrently.
+func concurrentRun(rx ...runFunc) runFunc {
+	return runFuncSlice(rx).Run
+}
+
+// controllerLoop implements the Controller interface. It makes it easy to turn a function into a Controller.
+type controllerLoop struct {
+	name string
+	run  runFunc
+}
+
+func newControllerLoop(run runFunc, controllerName string) *controllerLoop {
+	return &controllerLoop{
+		name: controllerName,
+		run:  run,
+	}
+}
+
+func (loop *controllerLoop) Name() string {
+	return loop.name
+}
+
+func (loop *controllerLoop) Run(ctx context.Context) {
+	loop.run(ctx)
+}
diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index 76f30faf844ad..182e41b852c27 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -25,7 +25,7 @@ import (
 	"math/rand"
 	"net/http"
 	"os"
-	"sort"
+	"sync"
 	"time"
 
 	"github.com/blang/semver/v4"
@@ -39,11 +39,14 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/mux"
+	"k8s.io/apiserver/pkg/server/statusz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	cacheddiscovery "k8s.io/client-go/discovery/cached/memory"
 	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/metadata"
 	"k8s.io/client-go/metadata/metadatainformer"
@@ -52,7 +55,6 @@ import (
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	certutil "k8s.io/client-go/util/cert"
-	"k8s.io/client-go/util/keyutil"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/cli/globalflag"
 	basecompatibility "k8s.io/component-base/compatibility"
@@ -67,8 +69,6 @@ import (
 	utilversion "k8s.io/component-base/version"
 	"k8s.io/component-base/version/verflag"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
-	"k8s.io/component-base/zpages/statusz"
 	genericcontrollermanager "k8s.io/controller-manager/app"
 	"k8s.io/controller-manager/controller"
 	"k8s.io/controller-manager/pkg/clientbuilder"
@@ -81,9 +81,7 @@ import (
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	kubectrlmgrconfig "k8s.io/kubernetes/pkg/controller/apis/config"
 	garbagecollector "k8s.io/kubernetes/pkg/controller/garbagecollector"
-	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/pkg/serviceaccount"
 
 	libgorestclient "github.com/openshift/library-go/pkg/config/client"
 )
@@ -250,7 +248,14 @@ func Run(ctx context.Context, c *config.CompletedConfig, stopCh2 <-chan struct{}
 		}
 
 		if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
-			statusz.Install(unsecuredMux, kubeControllerManager, statusz.NewRegistry(c.ComponentGlobalsRegistry.EffectiveVersionFor(basecompatibility.DefaultKubeComponent)))
+			statusz.Install(
+				unsecuredMux,
+				kubeControllerManager,
+				statusz.NewRegistry(
+					c.ComponentGlobalsRegistry.EffectiveVersionFor(basecompatibility.DefaultKubeComponent),
+					statusz.WithListedPaths(unsecuredMux.ListedPaths()),
+				),
+			)
 		}
 
 		handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, &c.Authorization, &c.Authentication)
@@ -271,16 +276,27 @@ func Run(ctx context.Context, c *config.CompletedConfig, stopCh2 <-chan struct{}
 			klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 		}
 
-		if err := StartControllers(ctx, controllerContext, controllerDescriptors, unsecuredMux, healthzHandler); err != nil {
-			logger.Error(err, "Error starting controllers")
+		// Prepare all controllers in advance.
+		controllers, err := BuildControllers(ctx, controllerContext, controllerDescriptors, unsecuredMux, healthzHandler)
+		if err != nil {
+			logger.Error(err, "Error building controllers")
 			klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 		}
 
+		// Start the informers.
+		stopCh := ctx.Done()
 		controllerContext.InformerFactory.Start(stopCh)
 		controllerContext.ObjectOrMetadataInformerFactory.Start(stopCh)
 		close(controllerContext.InformersStarted)
 
-		<-ctx.Done()
+		// Actually start the controllers.
+		if len(controllers) > 0 {
+			if !RunControllers(ctx, controllerContext, controllers, ControllerStartJitter, c.ControllerShutdownTimeout) {
+				klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			}
+		} else {
+			<-ctx.Done()
+		}
 	}
 
 	// No leader election, run directly
@@ -309,14 +325,23 @@ func Run(ctx context.Context, c *config.CompletedConfig, stopCh2 <-chan struct{}
 		leaderMigrator = leadermigration.NewLeaderMigrator(&c.ComponentConfig.Generic.LeaderMigration,
 			kubeControllerManager)
 
-		// startSATokenControllerInit is the original InitFunc.
-		startSATokenControllerInit := saTokenControllerDescriptor.GetInitFunc()
+		// startSATokenControllerInit is the original constructor.
+		saTokenControllerInit := saTokenControllerDescriptor.GetControllerConstructor()
 
-		// Wrap saTokenControllerDescriptor to signal readiness for migration after starting
-		//  the controller.
-		saTokenControllerDescriptor.initFunc = func(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-			defer close(leaderMigrator.MigrationReady)
-			return startSATokenControllerInit(ctx, controllerContext, controllerName)
+		// Wrap saTokenControllerDescriptor to signal readiness for migration after starting the controller.
+		saTokenControllerDescriptor.constructor = func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			ctrl, err := saTokenControllerInit(ctx, controllerContext, controllerName)
+			if err != nil {
+				return nil, err
+			}
+
+			// This wrapping is not exactly flawless as RunControllers uses type casting,
+			// which is now not possible for the wrapped controller.
+			// This fortunately doesn't matter for this particular controller.
+			return newControllerLoop(func(ctx context.Context) {
+				close(leaderMigrator.MigrationReady)
+				ctrl.Run(ctx)
+			}, controllerName), nil
 		}
 	}
 
@@ -467,187 +492,22 @@ func (c ControllerContext) IsControllerEnabled(controllerDescriptor *ControllerD
 	return genericcontrollermanager.IsControllerEnabled(controllerDescriptor.Name(), controllersDisabledByDefault, c.ComponentConfig.Generic.Controllers)
 }
 
-// InitFunc is used to launch a particular controller. It returns a controller
-// that can optionally implement other interfaces so that the controller manager
-// can support the requested features.
-// The returned controller may be nil, which will be considered an anonymous controller
-// that requests no additional features from the controller manager.
-// Any error returned will cause the controller process to `Fatal`
-// The bool indicates whether the controller was enabled.
-type InitFunc func(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller controller.Interface, enabled bool, err error)
-
-type ControllerDescriptor struct {
-	name                      string
-	initFunc                  InitFunc
-	requiredFeatureGates      []featuregate.Feature
-	aliases                   []string
-	isDisabledByDefault       bool
-	isCloudProviderController bool
-	requiresSpecialHandling   bool
-}
-
-func (r *ControllerDescriptor) Name() string {
-	return r.name
-}
-
-func (r *ControllerDescriptor) GetInitFunc() InitFunc {
-	return r.initFunc
-}
-
-func (r *ControllerDescriptor) GetRequiredFeatureGates() []featuregate.Feature {
-	return append([]featuregate.Feature(nil), r.requiredFeatureGates...)
-}
-
-// GetAliases returns aliases to ensure backwards compatibility and should never be removed!
-// Only addition of new aliases is allowed, and only when a canonical name is changed (please see CHANGE POLICY of controller names)
-func (r *ControllerDescriptor) GetAliases() []string {
-	return append([]string(nil), r.aliases...)
-}
-
-func (r *ControllerDescriptor) IsDisabledByDefault() bool {
-	return r.isDisabledByDefault
-}
-
-func (r *ControllerDescriptor) IsCloudProviderController() bool {
-	return r.isCloudProviderController
-}
-
-// RequiresSpecialHandling should return true only in a special non-generic controllers like ServiceAccountTokenController
-func (r *ControllerDescriptor) RequiresSpecialHandling() bool {
-	return r.requiresSpecialHandling
-}
-
-// KnownControllers returns all known controllers's name
-func KnownControllers() []string {
-	return sets.StringKeySet(NewControllerDescriptors()).List()
-}
-
-// ControllerAliases returns a mapping of aliases to canonical controller names
-func ControllerAliases() map[string]string {
-	aliases := map[string]string{}
-	for name, c := range NewControllerDescriptors() {
-		for _, alias := range c.GetAliases() {
-			aliases[alias] = name
-		}
-	}
-	return aliases
-}
-
-func ControllersDisabledByDefault() []string {
-	var controllersDisabledByDefault []string
-
-	for name, c := range NewControllerDescriptors() {
-		if c.IsDisabledByDefault() {
-			controllersDisabledByDefault = append(controllersDisabledByDefault, name)
-		}
+// NewClientConfig is a shortcut for ClientBuilder.Config. It wraps the error with an additional message.
+func (c ControllerContext) NewClientConfig(name string) (*restclient.Config, error) {
+	config, err := c.ClientBuilder.Config(name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Kubernetes client config for %q: %w", name, err)
 	}
-	sort.Strings(controllersDisabledByDefault)
-	return controllersDisabledByDefault
+	return config, nil
 }
 
-// NewControllerDescriptors is a public map of named controller groups (you can start more than one in an init func)
-// paired to their ControllerDescriptor wrapper object that includes InitFunc.
-// This allows for structured downstream composition and subdivision.
-func NewControllerDescriptors() map[string]*ControllerDescriptor {
-	controllers := map[string]*ControllerDescriptor{}
-	aliases := sets.NewString()
-
-	// All the controllers must fulfil common constraints, or else we will explode.
-	register := func(controllerDesc *ControllerDescriptor) {
-		if controllerDesc == nil {
-			panic("received nil controller for a registration")
-		}
-		name := controllerDesc.Name()
-		if len(name) == 0 {
-			panic("received controller without a name for a registration")
-		}
-		if _, found := controllers[name]; found {
-			panic(fmt.Sprintf("controller name %q was registered twice", name))
-		}
-		if controllerDesc.GetInitFunc() == nil {
-			panic(fmt.Sprintf("controller %q does not have an init function", name))
-		}
-
-		for _, alias := range controllerDesc.GetAliases() {
-			if aliases.Has(alias) {
-				panic(fmt.Sprintf("controller %q has a duplicate alias %q", name, alias))
-			}
-			aliases.Insert(alias)
-		}
-
-		controllers[name] = controllerDesc
-	}
-
-	// First add "special" controllers that aren't initialized normally. These controllers cannot be initialized
-	// in the main controller loop initialization, so we add them here only for the metadata and duplication detection.
-	// app.ControllerDescriptor#RequiresSpecialHandling should return true for such controllers
-	// The only known special case is the ServiceAccountTokenController which *must* be started
-	// first to ensure that the SA tokens for future controllers will exist. Think very carefully before adding new
-	// special controllers.
-	register(newServiceAccountTokenControllerDescriptor(nil))
-
-	register(newEndpointsControllerDescriptor())
-	register(newEndpointSliceControllerDescriptor())
-	register(newEndpointSliceMirroringControllerDescriptor())
-	register(newReplicationControllerDescriptor())
-	register(newPodGarbageCollectorControllerDescriptor())
-	register(newResourceQuotaControllerDescriptor())
-	register(newNamespaceControllerDescriptor())
-	register(newServiceAccountControllerDescriptor())
-	register(newGarbageCollectorControllerDescriptor())
-	register(newDaemonSetControllerDescriptor())
-	register(newJobControllerDescriptor())
-	register(newDeploymentControllerDescriptor())
-	register(newReplicaSetControllerDescriptor())
-	register(newHorizontalPodAutoscalerControllerDescriptor())
-	register(newDisruptionControllerDescriptor())
-	register(newStatefulSetControllerDescriptor())
-	register(newCronJobControllerDescriptor())
-	register(newCertificateSigningRequestSigningControllerDescriptor())
-	register(newCertificateSigningRequestApprovingControllerDescriptor())
-	register(newCertificateSigningRequestCleanerControllerDescriptor())
-	register(newPodCertificateRequestCleanerControllerDescriptor())
-	register(newTTLControllerDescriptor())
-	register(newBootstrapSignerControllerDescriptor())
-	register(newTokenCleanerControllerDescriptor())
-	register(newNodeIpamControllerDescriptor())
-	register(newNodeLifecycleControllerDescriptor())
-
-	register(newServiceLBControllerDescriptor())          // cloud provider controller
-	register(newNodeRouteControllerDescriptor())          // cloud provider controller
-	register(newCloudNodeLifecycleControllerDescriptor()) // cloud provider controller
-
-	register(newPersistentVolumeBinderControllerDescriptor())
-	register(newPersistentVolumeAttachDetachControllerDescriptor())
-	register(newPersistentVolumeExpanderControllerDescriptor())
-	register(newClusterRoleAggregrationControllerDescriptor())
-	register(newPersistentVolumeClaimProtectionControllerDescriptor())
-	register(newPersistentVolumeProtectionControllerDescriptor())
-	register(newVolumeAttributesClassProtectionControllerDescriptor())
-	register(newTTLAfterFinishedControllerDescriptor())
-	register(newRootCACertificatePublisherControllerDescriptor())
-	register(newKubeAPIServerSignerClusterTrustBundledPublisherDescriptor())
-	register(newServiceCACertPublisher())
-	register(newEphemeralVolumeControllerDescriptor())
-
-	// feature gated
-	register(newStorageVersionGarbageCollectorControllerDescriptor())
-	register(newResourceClaimControllerDescriptor())
-	register(newDeviceTaintEvictionControllerDescriptor())
-	register(newLegacyServiceAccountTokenCleanerControllerDescriptor())
-	register(newValidatingAdmissionPolicyStatusControllerDescriptor())
-	register(newTaintEvictionControllerDescriptor())
-	register(newServiceCIDRsControllerDescriptor())
-	register(newStorageVersionMigratorControllerDescriptor())
-	register(newSELinuxWarningControllerDescriptor())
-
-	for _, alias := range aliases.UnsortedList() {
-		if _, ok := controllers[alias]; ok {
-			panic(fmt.Sprintf("alias %q conflicts with a controller name", alias))
-		}
+// NewClient is a shortcut for ClientBuilder.Client. It wraps the error with an additional message.
+func (c ControllerContext) NewClient(name string) (kubernetes.Interface, error) {
+	client, err := c.ClientBuilder.Client(name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Kubernetes client for %q: %w", name, err)
 	}
-
-	return controllers
+	return client, nil
 }
 
 // CreateControllerContext creates a context struct containing references to resources needed by the
@@ -664,7 +524,11 @@ func CreateControllerContext(ctx context.Context, s *config.CompletedConfig, roo
 		return obj, nil
 	}
 
-	versionedClient := rootClientBuilder.ClientOrDie("shared-informers")
+	versionedClient, err := rootClientBuilder.Client("shared-informers")
+	if err != nil {
+		return ControllerContext{}, fmt.Errorf("failed to create Kubernetes client for %q: %w", "shared-informers", err)
+	}
+
 	var sharedInformers informers.SharedInformerFactory
 	if InformerFactoryOverride == nil {
 		sharedInformers = informers.NewSharedInformerFactoryWithOptions(versionedClient, ResyncPeriod(s)(), informers.WithTransform(trim))
@@ -672,17 +536,30 @@ func CreateControllerContext(ctx context.Context, s *config.CompletedConfig, roo
 		sharedInformers = InformerFactoryOverride
 	}
 
-	metadataClient := metadata.NewForConfigOrDie(rootClientBuilder.ConfigOrDie("metadata-informers"))
+	metadataConfig, err := rootClientBuilder.Config("metadata-informers")
+	if err != nil {
+		return ControllerContext{}, fmt.Errorf("failed to create metadata client config: %w", err)
+	}
+
+	metadataClient, err := metadata.NewForConfig(metadataConfig)
+	if err != nil {
+		return ControllerContext{}, fmt.Errorf("failed to create metadata client: %w", err)
+	}
+
 	metadataInformers := metadatainformer.NewSharedInformerFactoryWithOptions(metadataClient, ResyncPeriod(s)(), metadatainformer.WithTransform(trim))
 
 	// If apiserver is not running we should wait for some time and fail only then. This is particularly
 	// important when we start apiserver and controller manager at the same time.
 	if err := genericcontrollermanager.WaitForAPIServer(versionedClient, 10*time.Second); err != nil {
-		return ControllerContext{}, fmt.Errorf("failed to wait for apiserver being healthy: %v", err)
+		return ControllerContext{}, fmt.Errorf("failed to wait for apiserver being healthy: %w", err)
 	}
 
 	// Use a discovery client capable of being refreshed.
-	discoveryClient := rootClientBuilder.DiscoveryClientOrDie("controller-discovery")
+	discoveryClient, err := rootClientBuilder.DiscoveryClient("controller-discovery")
+	if err != nil {
+		return ControllerContext{}, fmt.Errorf("failed to create discovery client: %w", err)
+	}
+
 	cachedClient := cacheddiscovery.NewMemCacheClient(discoveryClient)
 	restMapper := restmapper.NewDeferredDiscoveryRESTMapper(cachedClient)
 	go wait.Until(func() {
@@ -722,27 +599,68 @@ func CreateControllerContext(ctx context.Context, s *config.CompletedConfig, roo
 	return controllerContext, nil
 }
 
-// StartControllers starts a set of controllers with a specified ControllerContext
-func StartControllers(ctx context.Context, controllerCtx ControllerContext, controllerDescriptors map[string]*ControllerDescriptor,
-	unsecuredMux *mux.PathRecorderMux, healthzHandler *controllerhealthz.MutableHealthzHandler) error {
-	var controllerChecks []healthz.HealthChecker
+// HealthCheckAdder is an interface to represent a healthz handler.
+// The extra level of indirection is useful for testing.
+type HealthCheckAdder interface {
+	AddHealthChecker(checks ...healthz.HealthChecker)
+}
 
-	// Always start the SA token controller first using a full-power client, since it needs to mint tokens for the rest
-	// If this fails, just return here and fail since other controllers won't be able to get credentials.
-	if serviceAccountTokenControllerDescriptor, ok := controllerDescriptors[names.ServiceAccountTokenController]; ok {
-		check, err := StartController(ctx, controllerCtx, serviceAccountTokenControllerDescriptor, unsecuredMux)
+// BuildControllers builds all controllers in the given descriptor map. Disabled controllers are obviously skipped.
+//
+// A health check is registered for each controller using the controller name. The default check always passes.
+// If the controller implements controller.HealthCheckable, though, the given check is used.
+// The controller can also implement controller.Debuggable, in which case the debug handler is registered with the given mux.
+func BuildControllers(ctx context.Context, controllerCtx ControllerContext, controllerDescriptors map[string]*ControllerDescriptor,
+	unsecuredMux *mux.PathRecorderMux, healthzHandler HealthCheckAdder) ([]Controller, error) {
+	logger := klog.FromContext(ctx)
+	var (
+		controllers []Controller
+		checks      []healthz.HealthChecker
+	)
+	buildController := func(controllerDesc *ControllerDescriptor) error {
+		controllerName := controllerDesc.Name()
+		ctrl, err := controllerDesc.BuildController(ctx, controllerCtx)
 		if err != nil {
+			logger.Error(err, "Error initializing a controller", "controller", controllerName)
 			return err
 		}
-		if check != nil {
-			// HealthChecker should be present when controller has started
-			controllerChecks = append(controllerChecks, check)
+		if ctrl == nil {
+			logger.Info("Warning: skipping controller", "controller", controllerName)
+			return nil
+		}
+
+		check := controllerhealthz.NamedPingChecker(controllerName)
+		// check if the controller supports and requests a debugHandler,
+		// and it needs the unsecuredMux to mount the handler onto.
+		if debuggable, ok := ctrl.(controller.Debuggable); ok && unsecuredMux != nil {
+			if debugHandler := debuggable.DebuggingHandler(); debugHandler != nil {
+				basePath := "/debug/controllers/" + controllerName
+				unsecuredMux.UnlistedHandle(basePath, http.StripPrefix(basePath, debugHandler))
+				unsecuredMux.UnlistedHandlePrefix(basePath+"/", http.StripPrefix(basePath, debugHandler))
+			}
+		}
+		if healthCheckable, ok := ctrl.(controller.HealthCheckable); ok {
+			if realCheck := healthCheckable.HealthChecker(); realCheck != nil {
+				check = controllerhealthz.NamedHealthChecker(controllerName, realCheck)
+			}
+		}
+
+		controllers = append(controllers, ctrl)
+		checks = append(checks, check)
+		return nil
+	}
+
+	// Always start the SA token controller first using a full-power client, since it needs to mint tokens for the rest
+	// If this fails, just return here and fail since other controllers won't be able to get credentials.
+	if serviceAccountTokenControllerDescriptor, ok := controllerDescriptors[names.ServiceAccountTokenController]; ok {
+		if err := buildController(serviceAccountTokenControllerDescriptor); err != nil {
+			return nil, err
 		}
 	}
 
 	// Each controller is passed a context where the logger has the name of
 	// the controller set through WithName. That name then becomes the prefix of
-	// of all log messages emitted by that controller.
+	// all log messages emitted by that controller.
 	//
 	// In StartController, an explicit "controller" key is used instead, for two reasons:
 	// - while contextual logging is alpha, klog.LoggerWithName is still a no-op,
@@ -754,139 +672,124 @@ func StartControllers(ctx context.Context, controllerCtx ControllerContext, cont
 			continue
 		}
 
-		check, err := StartController(ctx, controllerCtx, controllerDesc, unsecuredMux)
-		if err != nil {
-			return err
-		}
-		if check != nil {
-			// HealthChecker should be present when controller has started
-			controllerChecks = append(controllerChecks, check)
+		if !controllerCtx.IsControllerEnabled(controllerDesc) {
+			logger.Info("Warning: controller is disabled", "controller", controllerDesc.Name())
+			continue
 		}
-	}
-
-	healthzHandler.AddHealthChecker(controllerChecks...)
-
-	return nil
-}
-
-// StartController starts a controller with a specified ControllerContext
-// and performs required pre- and post- checks/actions
-func StartController(ctx context.Context, controllerCtx ControllerContext, controllerDescriptor *ControllerDescriptor,
-	unsecuredMux *mux.PathRecorderMux) (healthz.HealthChecker, error) {
-	logger := klog.FromContext(ctx)
-	controllerName := controllerDescriptor.Name()
 
-	for _, featureGate := range controllerDescriptor.GetRequiredFeatureGates() {
-		if !utilfeature.DefaultFeatureGate.Enabled(featureGate) {
-			logger.Info("Controller is disabled by a feature gate", "controller", controllerName, "requiredFeatureGates", controllerDescriptor.GetRequiredFeatureGates())
-			return nil, nil
+		if err := buildController(controllerDesc); err != nil {
+			return nil, err
 		}
 	}
 
-	if controllerDescriptor.IsCloudProviderController() {
-		logger.Info("Skipping a cloud provider controller", "controller", controllerName)
-		return nil, nil
-	}
-
-	if !controllerCtx.IsControllerEnabled(controllerDescriptor) {
-		logger.Info("Warning: controller is disabled", "controller", controllerName)
-		return nil, nil
+	// Register the checks.
+	if len(checks) > 0 {
+		healthzHandler.AddHealthChecker(checks...)
 	}
+	return controllers, nil
+}
 
-	time.Sleep(wait.Jitter(controllerCtx.ComponentConfig.Generic.ControllerStartInterval.Duration, ControllerStartJitter))
+// RunControllers runs all controllers concurrently and blocks until the context is cancelled and all controllers are terminated.
+//
+// Once the context is cancelled, RunControllers waits for shutdownTimeout for all controllers to terminate.
+// When the timeout is reached, the function unblocks and returns false.
+// Zero shutdown timeout means that there is no timeout.
+func RunControllers(ctx context.Context, controllerCtx ControllerContext, controllers []Controller,
+	controllerStartJitterMaxFactor float64, shutdownTimeout time.Duration) bool {
+	logger := klog.FromContext(ctx)
 
-	logger.V(1).Info("Starting controller", "controller", controllerName)
+	// We gather running controllers names for logging purposes.
+	// When the context is cancelled, the controllers still running are logged periodically.
+	runningControllers := sets.New[string]()
+	var runningControllersLock sync.Mutex
 
-	initFunc := controllerDescriptor.GetInitFunc()
-	ctrl, started, err := initFunc(klog.NewContext(ctx, klog.LoggerWithName(logger, controllerName)), controllerCtx, controllerName)
-	if err != nil {
-		logger.Error(err, "Error starting controller", "controller", controllerName)
-		return nil, err
-	}
-	if !started {
-		logger.Info("Warning: skipping controller", "controller", controllerName)
-		return nil, nil
-	}
+	loggingCtx, cancelLoggingCtx := context.WithCancel(context.Background())
+	defer cancelLoggingCtx()
+	go func() {
+		// Only start logging when terminating.
+		select {
+		case <-ctx.Done():
+		case <-loggingCtx.Done():
+			return
+		}
 
-	check := controllerhealthz.NamedPingChecker(controllerName)
-	if ctrl != nil {
-		// check if the controller supports and requests a debugHandler
-		// and it needs the unsecuredMux to mount the handler onto.
-		if debuggable, ok := ctrl.(controller.Debuggable); ok && unsecuredMux != nil {
-			if debugHandler := debuggable.DebuggingHandler(); debugHandler != nil {
-				basePath := "/debug/controllers/" + controllerName
-				unsecuredMux.UnlistedHandle(basePath, http.StripPrefix(basePath, debugHandler))
-				unsecuredMux.UnlistedHandlePrefix(basePath+"/", http.StripPrefix(basePath, debugHandler))
-			}
+		// Regularly print the controllers that still haven't returned.
+		logPeriod := shutdownTimeout / 3
+		if logPeriod == 0 {
+			logPeriod = 5 * time.Second
 		}
-		if healthCheckable, ok := ctrl.(controller.HealthCheckable); ok {
-			if realCheck := healthCheckable.HealthChecker(); realCheck != nil {
-				check = controllerhealthz.NamedHealthChecker(controllerName, realCheck)
+		ticker := time.NewTicker(logPeriod)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				runningControllersLock.Lock()
+				running := sets.List(runningControllers)
+				runningControllersLock.Unlock()
+
+				logger.Info("Still waiting for some controllers to terminate...", "runningControllers", running)
+
+			case <-loggingCtx.Done():
+				return
 			}
 		}
-	}
-
-	logger.Info("Started controller", "controller", controllerName)
-	return check, nil
-}
+	}()
 
-// serviceAccountTokenControllerStarter is special because it must run first to set up permissions for other controllers.
-// It cannot use the "normal" client builder, so it tracks its own.
-func newServiceAccountTokenControllerDescriptor(rootClientBuilder clientbuilder.ControllerClientBuilder) *ControllerDescriptor {
-	return &ControllerDescriptor{
-		name:    names.ServiceAccountTokenController,
-		aliases: []string{"serviceaccount-token"},
-		initFunc: func(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-			return startServiceAccountTokenController(ctx, controllerContext, controllerName, rootClientBuilder)
-		},
-		// will make sure it runs first before other controllers
-		requiresSpecialHandling: true,
-	}
-}
+	terminatedCh := make(chan struct{})
+	go func() {
+		defer close(terminatedCh)
+		var wg sync.WaitGroup
+		wg.Add(len(controllers))
+		for _, controller := range controllers {
+			go func() {
+				defer wg.Done()
+
+				// It would be better to unblock and return on context cancelled here,
+				// but that makes tests more flaky regarding timing.
+				time.Sleep(wait.Jitter(controllerCtx.ComponentConfig.Generic.ControllerStartInterval.Duration, controllerStartJitterMaxFactor))
+
+				logger.V(1).Info("Controller starting...", "controller", controller.Name())
+
+				runningControllersLock.Lock()
+				runningControllers.Insert(controller.Name())
+				runningControllersLock.Unlock()
+
+				defer func() {
+					logger.V(1).Info("Controller terminated", "controller", controller.Name())
+
+					runningControllersLock.Lock()
+					runningControllers.Delete(controller.Name())
+					runningControllersLock.Unlock()
+				}()
+				controller.Run(ctx)
+			}()
+		}
+		wg.Wait()
+		logger.Info("All controllers terminated")
+	}()
 
-func startServiceAccountTokenController(ctx context.Context, controllerContext ControllerContext, controllerName string, rootClientBuilder clientbuilder.ControllerClientBuilder) (controller.Interface, bool, error) {
-	logger := klog.FromContext(ctx)
-	if len(controllerContext.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
-		logger.Info("Controller is disabled because there is no private key", "controller", controllerName)
-		return nil, false, nil
-	}
-	privateKey, err := keyutil.PrivateKeyFromFile(controllerContext.ComponentConfig.SAController.ServiceAccountKeyFile)
-	if err != nil {
-		return nil, true, fmt.Errorf("error reading key for service account token controller: %v", err)
+	// Wait for a signal to terminate.
+	select {
+	case <-ctx.Done():
+	case <-terminatedCh:
+		return true
 	}
 
-	var rootCA []byte
-	if controllerContext.ComponentConfig.SAController.RootCAFile != "" {
-		if rootCA, err = readCA(controllerContext.ComponentConfig.SAController.RootCAFile); err != nil {
-			return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", controllerContext.ComponentConfig.SAController.RootCAFile, err)
-		}
-	} else {
-		rootCA = rootClientBuilder.ConfigOrDie("tokens-controller").CAData
+	// Wait for the shutdown timeout.
+	var shutdownCh <-chan time.Time
+	if shutdownTimeout > 0 {
+		shutdownCh = time.After(shutdownTimeout)
 	}
-
-	tokenGenerator, err := serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey)
-	if err != nil {
-		return nil, false, fmt.Errorf("failed to build token generator: %v", err)
-	}
-	tokenController, err := serviceaccountcontroller.NewTokensController(
-		logger,
-		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
-		controllerContext.InformerFactory.Core().V1().Secrets(),
-		rootClientBuilder.ClientOrDie("tokens-controller"),
-		applyOpenShiftServiceServingCertCA(serviceaccountcontroller.TokensControllerOptions{
-			TokenGenerator: tokenGenerator,
-			RootCA:         rootCA,
-		}),
-	)
-	if err != nil {
-		return nil, true, fmt.Errorf("error creating Tokens controller: %v", err)
+	select {
+	case <-terminatedCh:
+		return true
+	case <-shutdownCh:
+		runningControllersLock.Lock()
+		running := sets.List(runningControllers)
+		runningControllersLock.Unlock()
+		logger.Info("Controller shutdown timeout reached", "timeout", shutdownTimeout, "runningControllers", running)
+		return false
 	}
-	go tokenController.Run(ctx, int(controllerContext.ComponentConfig.SAController.ConcurrentSATokenSyncs))
-
-	// start the first set of informers now so that other controllers can start
-	controllerContext.InformerFactory.Start(ctx.Done())
-
-	return nil, true, nil
 }
 
 func readCA(file string) ([]byte, error) {
diff --git a/cmd/kube-controller-manager/app/controllermanager_test.go b/cmd/kube-controller-manager/app/controllermanager_test.go
index 7753deefefa0f..bfb1b34f33180 100644
--- a/cmd/kube-controller-manager/app/controllermanager_test.go
+++ b/cmd/kube-controller-manager/app/controllermanager_test.go
@@ -21,16 +21,17 @@ import (
 	"regexp"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	cpnames "k8s.io/cloud-provider/names"
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
-	controllermanagercontroller "k8s.io/controller-manager/controller"
 	"k8s.io/klog/v2/ktesting"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/features"
@@ -116,13 +117,18 @@ func TestNewControllerDescriptorsShouldNotPanic(t *testing.T) {
 }
 
 func TestNewControllerDescriptorsAlwaysReturnsDescriptorsForAllControllers(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", false)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", false)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllAlpha": false,
+		"AllBeta":  false,
+	})
 
 	controllersWithoutFeatureGates := KnownControllers()
 
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)
+	// AllBeta must be enabled before AllAlpha to resolve dependencies.
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllBeta":  true,
+		"AllAlpha": true,
+	})
 
 	controllersWithFeatureGates := KnownControllers()
 
@@ -207,19 +213,21 @@ func TestTaintEvictionControllerGating(t *testing.T) {
 			initFuncCalled := false
 
 			taintEvictionControllerDescriptor := NewControllerDescriptors()[names.TaintEvictionController]
-			taintEvictionControllerDescriptor.initFunc = func(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller controllermanagercontroller.Interface, enabled bool, err error) {
+			taintEvictionControllerDescriptor.constructor = func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 				initFuncCalled = true
-				return nil, true, nil
+				return newControllerLoop(func(ctx context.Context) {}, controllerName), nil
 			}
 
-			healthCheck, err := StartController(ctx, controllerCtx, taintEvictionControllerDescriptor, nil)
-			if err != nil {
+			var healthChecks mockHealthCheckAdder
+			if err := runControllers(ctx, controllerCtx, map[string]*ControllerDescriptor{
+				names.TaintEvictionController: taintEvictionControllerDescriptor,
+			}, &healthChecks); err != nil {
 				t.Errorf("starting a TaintEvictionController controller should not return an error")
 			}
 			if test.expectInitFuncCall != initFuncCalled {
 				t.Errorf("TaintEvictionController init call check failed: expected=%v, got=%v", test.expectInitFuncCall, initFuncCalled)
 			}
-			hasHealthCheck := healthCheck != nil
+			hasHealthCheck := len(healthChecks.Checks) > 0
 			expectHealthCheck := test.expectInitFuncCall
 			if expectHealthCheck != hasHealthCheck {
 				t.Errorf("TaintEvictionController healthCheck check failed: expected=%v, got=%v", expectHealthCheck, hasHealthCheck)
@@ -230,23 +238,96 @@ func TestTaintEvictionControllerGating(t *testing.T) {
 
 func TestNoCloudProviderControllerStarted(t *testing.T) {
 	_, ctx := ktesting.NewTestContext(t)
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
 	controllerCtx := ControllerContext{}
 	controllerCtx.ComponentConfig.Generic.Controllers = []string{"*"}
-	for _, controller := range NewControllerDescriptors() {
+	cpControllerDescriptors := make(map[string]*ControllerDescriptor)
+	for controllerName, controller := range NewControllerDescriptors() {
 		if !controller.IsCloudProviderController() {
 			continue
 		}
 
-		controllerName := controller.Name()
-		checker, err := StartController(ctx, controllerCtx, controller, nil)
-		if err != nil {
-			t.Errorf("Error starting controller %q: %v", controllerName, err)
-		}
-		if checker != nil {
-			t.Errorf("Controller %q should not be started", controllerName)
+		controller.constructor = func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			return newControllerLoop(func(ctx context.Context) {
+				t.Error("Controller should not be started:", controllerName)
+			}, controllerName), nil
 		}
+
+		cpControllerDescriptors[controllerName] = controller
+	}
+
+	var healthChecks mockHealthCheckAdder
+	if err := runControllers(ctx, controllerCtx, cpControllerDescriptors, &healthChecks); err != nil {
+		t.Error("Failed to start controllers:", err)
+	}
+}
+
+func TestRunControllers(t *testing.T) {
+	testCases := []struct {
+		name                     string
+		newController            func(ctx context.Context) Controller
+		shutdownTimeout          time.Duration
+		expectedCleanTermination bool
+	}{
+		{
+			name: "clean shutdown",
+			newController: func(testCtx context.Context) Controller {
+				return newControllerLoop(func(ctx context.Context) {
+					<-ctx.Done()
+				}, "controller-A")
+			},
+			shutdownTimeout:          10 * time.Second,
+			expectedCleanTermination: true,
+		},
+		{
+			name: "shutdown timeout",
+			newController: func(testCtx context.Context) Controller {
+				return newControllerLoop(func(ctx context.Context) {
+					<-testCtx.Done()
+				}, "controller-A")
+			},
+			shutdownTimeout:          50 * time.Millisecond,
+			expectedCleanTermination: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			controllerCtx := ControllerContext{}
+
+			// testCtx is used to make sure the controller failing to shut down can exit after the test is finished.
+			testCtx, cancelTest := context.WithCancel(ctx)
+			defer cancelTest()
+
+			// ctx is used to wait in the controller for shutdown and also to start the shutdown timeout in RunControllers.
+			// To start the shutdown timeout immediately, we start with a cancelled context already.
+			ctx, cancelController := context.WithCancel(ctx)
+			cancelController()
+
+			cleanShutdown := RunControllers(ctx, controllerCtx, []Controller{tc.newController(testCtx)}, 0, tc.shutdownTimeout)
+			if cleanShutdown != tc.expectedCleanTermination {
+				t.Errorf("expected clean shutdown %v, got %v", tc.expectedCleanTermination, cleanShutdown)
+			}
+		})
+	}
+}
+
+type mockHealthCheckAdder struct {
+	Checks []healthz.HealthChecker
+}
+
+func (m *mockHealthCheckAdder) AddHealthChecker(checks ...healthz.HealthChecker) {
+	m.Checks = append(m.Checks, checks...)
+}
+
+func runControllers(
+	ctx context.Context, controllerCtx ControllerContext,
+	controllerDescriptors map[string]*ControllerDescriptor, healthzChecks HealthCheckAdder,
+) error {
+	controllers, err := BuildControllers(ctx, controllerCtx, controllerDescriptors, nil, healthzChecks)
+	if err != nil {
+		return err
 	}
+	RunControllers(ctx, controllerCtx, controllers, 0, 0)
+	return nil
 }
diff --git a/cmd/kube-controller-manager/app/core.go b/cmd/kube-controller-manager/app/core.go
index 8cf5465578a9e..309286be8bbee 100644
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -31,6 +31,7 @@ import (
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/discovery"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/metadata"
 	restclient "k8s.io/client-go/rest"
@@ -82,47 +83,43 @@ const (
 
 func newServiceLBControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:                      cpnames.ServiceLBController,
-		aliases:                   []string{"service"},
-		initFunc:                  startServiceLBController,
+		name:    cpnames.ServiceLBController,
+		aliases: []string{"service"},
+		constructor: func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			logger := klog.FromContext(ctx)
+			logger.Info("Warning: service-controller is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure service controller.")
+			return nil, nil
+		},
 		isCloudProviderController: true,
 	}
 }
 
-func startServiceLBController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	logger := klog.FromContext(ctx)
-	logger.Info("Warning: service-controller is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure service controller.")
-	return nil, false, nil
-}
 func newNodeIpamControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.NodeIpamController,
-		aliases:  []string{"nodeipam"},
-		initFunc: startNodeIpamController,
+		name:        names.NodeIpamController,
+		aliases:     []string{"nodeipam"},
+		constructor: newNodeIpamController,
 	}
 }
 
-func startNodeIpamController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	var serviceCIDR *net.IPNet
-	var secondaryServiceCIDR *net.IPNet
-	logger := klog.FromContext(ctx)
-
-	// should we start nodeIPAM
+func newNodeIpamController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	if !controllerContext.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs {
-		return nil, false, nil
+		return nil, nil
 	}
-
 	if controllerContext.ComponentConfig.KubeCloudShared.CIDRAllocatorType == string(ipam.CloudAllocatorType) {
 		// Cannot run cloud ipam controller if cloud provider is nil (--cloud-provider not set or set to 'external')
-		return nil, false, errors.New("--cidr-allocator-type is set to 'CloudAllocator' but cloud provider is not configured")
+		return nil, errors.New("--cidr-allocator-type is set to 'CloudAllocator' but cloud provider is not configured")
 	}
 
 	clusterCIDRs, err := validateCIDRs(controllerContext.ComponentConfig.KubeCloudShared.ClusterCIDR)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
 
 	// service cidr processing
+	var serviceCIDR *net.IPNet
+	var secondaryServiceCIDR *net.IPNet
+	logger := klog.FromContext(ctx)
 	if len(strings.TrimSpace(controllerContext.ComponentConfig.NodeIPAMController.ServiceCIDR)) != 0 {
 		_, serviceCIDR, err = netutils.ParseCIDRSloppy(controllerContext.ComponentConfig.NodeIPAMController.ServiceCIDR)
 		if err != nil {
@@ -142,10 +139,10 @@ func startNodeIpamController(ctx context.Context, controllerContext ControllerCo
 		// should be dual stack (from different IPFamilies)
 		dualstackServiceCIDR, err := netutils.IsDualStackCIDRs([]*net.IPNet{serviceCIDR, secondaryServiceCIDR})
 		if err != nil {
-			return nil, false, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error: %w", err)
+			return nil, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error: %w", err)
 		}
 		if !dualstackServiceCIDR {
-			return nil, false, fmt.Errorf("serviceCIDR and secondaryServiceCIDR are not dualstack (from different IPfamiles)")
+			return nil, fmt.Errorf("serviceCIDR and secondaryServiceCIDR are not dualstack (from different IPfamiles)")
 		}
 	}
 
@@ -153,14 +150,19 @@ func startNodeIpamController(ctx context.Context, controllerContext ControllerCo
 	// --node-cidr-mask-size flag is incompatible with dual stack clusters.
 	nodeCIDRMaskSizes, err := setNodeCIDRMaskSizes(controllerContext.ComponentConfig.NodeIPAMController, clusterCIDRs)
 	if err != nil {
-		return nil, false, err
+		return nil, err
+	}
+
+	client, err := controllerContext.NewClient("node-controller")
+	if err != nil {
+		return nil, err
 	}
 
 	nodeIpamController, err := nodeipamcontroller.NewNodeIpamController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Nodes(),
 		nil, // no cloud provider on kube-controller-manager since v1.31 (KEP-2395)
-		controllerContext.ClientBuilder.ClientOrDie("node-controller"),
+		client,
 		clusterCIDRs,
 		serviceCIDR,
 		secondaryServiceCIDR,
@@ -168,29 +170,36 @@ func startNodeIpamController(ctx context.Context, controllerContext ControllerCo
 		ipam.CIDRAllocatorType(controllerContext.ComponentConfig.KubeCloudShared.CIDRAllocatorType),
 	)
 	if err != nil {
-		return nil, true, err
+		return nil, err
 	}
-	go nodeIpamController.RunWithMetrics(ctx, controllerContext.ControllerManagerMetrics)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		nodeIpamController.RunWithMetrics(ctx, controllerContext.ControllerManagerMetrics)
+	}, controllerName), nil
 }
 
 func newNodeLifecycleControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.NodeLifecycleController,
-		aliases:  []string{"nodelifecycle"},
-		initFunc: startNodeLifecycleController,
+		name:        names.NodeLifecycleController,
+		aliases:     []string{"nodelifecycle"},
+		constructor: newNodeLifecycleController,
 	}
 }
 
-func startNodeLifecycleController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	lifecycleController, err := lifecyclecontroller.NewNodeLifecycleController(
+func newNodeLifecycleController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("node-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	nlc, err := lifecyclecontroller.NewNodeLifecycleController(
 		ctx,
 		controllerContext.InformerFactory.Coordination().V1().Leases(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Nodes(),
 		controllerContext.InformerFactory.Apps().V1().DaemonSets(),
 		// node lifecycle controller uses existing cluster role from node-controller
-		controllerContext.ClientBuilder.ClientOrDie("node-controller"),
+		client,
 		controllerContext.ComponentConfig.KubeCloudShared.NodeMonitorPeriod.Duration,
 		controllerContext.ComponentConfig.NodeLifecycleController.NodeStartupGracePeriod.Duration,
 		controllerContext.ComponentConfig.NodeLifecycleController.NodeMonitorGracePeriod.Duration,
@@ -200,42 +209,49 @@ func startNodeLifecycleController(ctx context.Context, controllerContext Control
 		controllerContext.ComponentConfig.NodeLifecycleController.UnhealthyZoneThreshold,
 	)
 	if err != nil {
-		return nil, true, err
+		return nil, err
 	}
-	go lifecycleController.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		nlc.Run(ctx)
+	}, controllerName), nil
 }
 
 func newTaintEvictionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.TaintEvictionController,
-		initFunc: startTaintEvictionController,
+		name:        names.TaintEvictionController,
+		constructor: newTaintEvictionController,
 		requiredFeatureGates: []featuregate.Feature{
 			features.SeparateTaintEvictionController,
 		},
 	}
 }
 
-func startTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	taintEvictionController, err := tainteviction.New(
+func newTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	// taint-manager uses existing cluster role from node-controller
+	client, err := controllerContext.NewClient("node-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	tec, err := tainteviction.New(
 		ctx,
-		// taint-manager uses existing cluster role from node-controller
-		controllerContext.ClientBuilder.ClientOrDie("node-controller"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Nodes(),
 		controllerName,
 	)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
-	go taintEvictionController.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(tec.Run, controllerName), nil
 }
 
 func newDeviceTaintEvictionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.DeviceTaintEvictionController,
-		initFunc: startDeviceTaintEvictionController,
+		name:        names.DeviceTaintEvictionController,
+		constructor: newDeviceTaintEvictionController,
 		requiredFeatureGates: []featuregate.Feature{
 			// TODO update app.TestFeatureGatedControllersShouldNotDefineAliases when removing these feature gates.
 			features.DynamicResourceAllocation,
@@ -244,9 +260,14 @@ func newDeviceTaintEvictionControllerDescriptor() *ControllerDescriptor {
 	}
 }
 
-func startDeviceTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newDeviceTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient(names.DeviceTaintEvictionController)
+	if err != nil {
+		return nil, err
+	}
+
 	deviceTaintEvictionController := devicetainteviction.New(
-		controllerContext.ClientBuilder.ClientOrDie(names.DeviceTaintEvictionController),
+		client,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Resource().V1().ResourceClaims(),
 		controllerContext.InformerFactory.Resource().V1().ResourceSlices(),
@@ -254,61 +275,62 @@ func startDeviceTaintEvictionController(ctx context.Context, controllerContext C
 		controllerContext.InformerFactory.Resource().V1().DeviceClasses(),
 		controllerName,
 	)
-	go func() {
-		if err := deviceTaintEvictionController.Run(ctx); err != nil {
+	return newControllerLoop(func(ctx context.Context) {
+		if err := deviceTaintEvictionController.Run(ctx, int(controllerContext.ComponentConfig.DeviceTaintEvictionController.ConcurrentSyncs)); err != nil {
 			klog.FromContext(ctx).Error(err, "Device taint processing leading to Pod eviction failed and is now paused")
 		}
-	}()
-	return nil, true, nil
+		<-ctx.Done()
+	}, controllerName), nil
 }
 
 func newCloudNodeLifecycleControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:                      cpnames.CloudNodeLifecycleController,
-		aliases:                   []string{"cloud-node-lifecycle"},
-		initFunc:                  startCloudNodeLifecycleController,
+		name:    cpnames.CloudNodeLifecycleController,
+		aliases: []string{"cloud-node-lifecycle"},
+		constructor: func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			logger := klog.FromContext(ctx)
+			logger.Info("Warning: node-controller is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure node lifecyle controller.")
+			return nil, nil
+		},
 		isCloudProviderController: true,
 	}
 }
 
-func startCloudNodeLifecycleController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	logger := klog.FromContext(ctx)
-	logger.Info("Warning: node-controller is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure node lifecyle controller.")
-	return nil, false, nil
-}
-
 func newNodeRouteControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:                      cpnames.NodeRouteController,
-		aliases:                   []string{"route"},
-		initFunc:                  startNodeRouteController,
+		name:    cpnames.NodeRouteController,
+		aliases: []string{"route"},
+		constructor: func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			logger := klog.FromContext(ctx)
+			logger.Info("Warning: configure-cloud-routes is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure cloud provider routes.")
+			return nil, nil
+		},
 		isCloudProviderController: true,
 	}
 }
 
-func startNodeRouteController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	logger := klog.FromContext(ctx)
-	logger.Info("Warning: configure-cloud-routes is set, but no cloud provider functionality is available in kube-controller-manger (KEP-2395). Will not configure cloud provider routes.")
-	return nil, false, nil
-}
-
 func newPersistentVolumeBinderControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PersistentVolumeBinderController,
-		aliases:  []string{"persistentvolume-binder"},
-		initFunc: startPersistentVolumeBinderController,
+		name:        names.PersistentVolumeBinderController,
+		aliases:     []string{"persistentvolume-binder"},
+		constructor: newPersistentVolumeBinderController,
 	}
 }
 
-func startPersistentVolumeBinderController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newPersistentVolumeBinderController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	logger := klog.FromContext(ctx)
 	plugins, err := ProbeProvisionableRecyclableVolumePlugins(logger, controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to probe volume plugins when starting persistentvolume controller: %v", err)
+		return nil, fmt.Errorf("failed to probe volume plugins when starting persistentvolume controller: %w", err)
+	}
+
+	client, err := controllerContext.NewClient("persistent-volume-binder")
+	if err != nil {
+		return nil, err
 	}
 
 	params := persistentvolumecontroller.ControllerParameters{
-		KubeClient:                controllerContext.ClientBuilder.ClientOrDie("persistent-volume-binder"),
+		KubeClient:                client,
 		SyncPeriod:                controllerContext.ComponentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod.Duration,
 		VolumePlugins:             plugins,
 		VolumeInformer:            controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
@@ -318,214 +340,264 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
 		NodeInformer:              controllerContext.InformerFactory.Core().V1().Nodes(),
 		EnableDynamicProvisioning: controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration.EnableDynamicProvisioning,
 	}
-	volumeController, volumeControllerErr := persistentvolumecontroller.NewController(ctx, params)
-	if volumeControllerErr != nil {
-		return nil, true, fmt.Errorf("failed to construct persistentvolume controller: %v", volumeControllerErr)
+	volumeController, err := persistentvolumecontroller.NewController(ctx, params)
+	if err != nil {
+		return nil, fmt.Errorf("failed to construct persistentvolume controller: %w", err)
 	}
-	go volumeController.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(volumeController.Run, controllerName), nil
 }
 
 func newPersistentVolumeAttachDetachControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PersistentVolumeAttachDetachController,
-		aliases:  []string{"attachdetach"},
-		initFunc: startPersistentVolumeAttachDetachController,
+		name:        names.PersistentVolumeAttachDetachController,
+		aliases:     []string{"attachdetach"},
+		constructor: newPersistentVolumeAttachDetachController,
 	}
 }
 
-func startPersistentVolumeAttachDetachController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newPersistentVolumeAttachDetachController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	logger := klog.FromContext(ctx)
 	csiNodeInformer := controllerContext.InformerFactory.Storage().V1().CSINodes()
 	csiDriverInformer := controllerContext.InformerFactory.Storage().V1().CSIDrivers()
 
 	plugins, err := ProbeAttachableVolumePlugins(logger, controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to probe volume plugins when starting attach/detach controller: %v", err)
+		return nil, fmt.Errorf("failed to probe volume plugins when starting attach/detach controller: %w", err)
+	}
+
+	client, err := controllerContext.NewClient("attachdetach-controller")
+	if err != nil {
+		return nil, err
 	}
 
 	ctx = klog.NewContext(ctx, logger)
-	attachDetachController, attachDetachControllerErr :=
-		attachdetach.NewAttachDetachController(
-			ctx,
-			controllerContext.ClientBuilder.ClientOrDie("attachdetach-controller"),
-			controllerContext.InformerFactory.Core().V1().Pods(),
-			controllerContext.InformerFactory.Core().V1().Nodes(),
-			controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
-			controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
-			csiNodeInformer,
-			csiDriverInformer,
-			controllerContext.InformerFactory.Storage().V1().VolumeAttachments(),
-			plugins,
-			GetDynamicPluginProber(controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
-			controllerContext.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
-			controllerContext.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
-			controllerContext.ComponentConfig.AttachDetachController.DisableForceDetachOnTimeout,
-			attachdetach.DefaultTimerConfig,
-		)
-	if attachDetachControllerErr != nil {
-		return nil, true, fmt.Errorf("failed to start attach/detach controller: %v", attachDetachControllerErr)
-	}
-	go attachDetachController.Run(ctx)
-	return nil, true, nil
+	attachDetachController, err := attachdetach.NewAttachDetachController(
+		ctx,
+		client,
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.InformerFactory.Core().V1().Nodes(),
+		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
+		controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
+		csiNodeInformer,
+		csiDriverInformer,
+		controllerContext.InformerFactory.Storage().V1().VolumeAttachments(),
+		plugins,
+		GetDynamicPluginProber(controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
+		controllerContext.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
+		controllerContext.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
+		controllerContext.ComponentConfig.AttachDetachController.DisableForceDetachOnTimeout,
+		attachdetach.DefaultTimerConfig,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to start attach/detach controller: %w", err)
+	}
+
+	return newControllerLoop(attachDetachController.Run, controllerName), nil
 }
 
 func newPersistentVolumeExpanderControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PersistentVolumeExpanderController,
-		aliases:  []string{"persistentvolume-expander"},
-		initFunc: startPersistentVolumeExpanderController,
+		name:        names.PersistentVolumeExpanderController,
+		aliases:     []string{"persistentvolume-expander"},
+		constructor: newPersistentVolumeExpanderController,
 	}
 }
 
-func startPersistentVolumeExpanderController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newPersistentVolumeExpanderController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	logger := klog.FromContext(ctx)
 	plugins, err := ProbeExpandableVolumePlugins(logger, controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to probe volume plugins when starting volume expand controller: %v", err)
+		return nil, fmt.Errorf("failed to probe volume plugins when starting volume expand controller: %w", err)
 	}
 	csiTranslator := csitrans.New()
 
-	expandController, expandControllerErr := expand.NewExpandController(
+	client, err := controllerContext.NewClient("expand-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	expandController, err := expand.NewExpandController(
 		ctx,
-		controllerContext.ClientBuilder.ClientOrDie("expand-controller"),
+		client,
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
 		plugins,
 		csiTranslator,
 		csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate),
 	)
-
-	if expandControllerErr != nil {
-		return nil, true, fmt.Errorf("failed to start volume expand controller: %v", expandControllerErr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to init volume expand controller: %w", err)
 	}
-	go expandController.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(expandController.Run, controllerName), nil
 }
 
 func newEphemeralVolumeControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.EphemeralVolumeController,
-		aliases:  []string{"ephemeral-volume"},
-		initFunc: startEphemeralVolumeController,
+		name:        names.EphemeralVolumeController,
+		aliases:     []string{"ephemeral-volume"},
+		constructor: newEphemeralVolumeController,
 	}
 }
 
-func startEphemeralVolumeController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newEphemeralVolumeController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("ephemeral-volume-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	ephemeralController, err := ephemeral.NewController(
 		ctx,
-		controllerContext.ClientBuilder.ClientOrDie("ephemeral-volume-controller"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims())
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start ephemeral volume controller: %v", err)
+		return nil, fmt.Errorf("failed to init ephemeral volume controller: %w", err)
 	}
-	go ephemeralController.Run(ctx, int(controllerContext.ComponentConfig.EphemeralVolumeController.ConcurrentEphemeralVolumeSyncs))
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		ephemeralController.Run(ctx, int(controllerContext.ComponentConfig.EphemeralVolumeController.ConcurrentEphemeralVolumeSyncs))
+	}, controllerName), nil
 }
 
 const defaultResourceClaimControllerWorkers = 50
 
 func newResourceClaimControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ResourceClaimController,
-		aliases:  []string{"resource-claim-controller"},
-		initFunc: startResourceClaimController,
+		name:        names.ResourceClaimController,
+		aliases:     []string{"resource-claim-controller"},
+		constructor: newResourceClaimController,
 		requiredFeatureGates: []featuregate.Feature{
 			features.DynamicResourceAllocation, // TODO update app.TestFeatureGatedControllersShouldNotDefineAliases when removing this feature
 		},
 	}
 }
 
-func startResourceClaimController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newResourceClaimController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("resource-claim-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	ephemeralController, err := resourceclaim.NewController(
 		klog.FromContext(ctx),
 		resourceclaim.Features{
 			AdminAccess:     utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess),
 			PrioritizedList: utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList),
 		},
-		controllerContext.ClientBuilder.ClientOrDie("resource-claim-controller"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Resource().V1().ResourceClaims(),
 		controllerContext.InformerFactory.Resource().V1().ResourceClaimTemplates())
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start resource claim controller: %v", err)
+		return nil, fmt.Errorf("failed to init resource claim controller: %w", err)
 	}
-	go ephemeralController.Run(ctx, defaultResourceClaimControllerWorkers)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		ephemeralController.Run(ctx, defaultResourceClaimControllerWorkers)
+	}, controllerName), nil
 }
 
 func newEndpointsControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.EndpointsController,
-		aliases:  []string{"endpoint"},
-		initFunc: startEndpointsController,
+		name:        names.EndpointsController,
+		aliases:     []string{"endpoint"},
+		constructor: newEndpointsController,
 	}
 }
 
-func startEndpointsController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go endpointcontroller.NewEndpointController(
+func newEndpointsController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("endpoint-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	ec := endpointcontroller.NewEndpointController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Services(),
 		controllerContext.InformerFactory.Core().V1().Endpoints(),
-		controllerContext.ClientBuilder.ClientOrDie("endpoint-controller"),
+		client,
 		controllerContext.ComponentConfig.EndpointController.EndpointUpdatesBatchPeriod.Duration,
-	).Run(ctx, int(controllerContext.ComponentConfig.EndpointController.ConcurrentEndpointSyncs))
-	return nil, true, nil
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		ec.Run(ctx, int(controllerContext.ComponentConfig.EndpointController.ConcurrentEndpointSyncs))
+	}, controllerName), nil
 }
 
 func newReplicationControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ReplicationControllerController,
-		aliases:  []string{"replicationcontroller"},
-		initFunc: startReplicationController,
+		name:        names.ReplicationControllerController,
+		aliases:     []string{"replicationcontroller"},
+		constructor: newReplicationController,
 	}
 }
 
-func startReplicationController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go replicationcontroller.NewReplicationManager(
+func newReplicationController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("replication-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	rc := replicationcontroller.NewReplicationManager(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().ReplicationControllers(),
-		controllerContext.ClientBuilder.ClientOrDie("replication-controller"),
+		client,
 		replicationcontroller.BurstReplicas,
-	).Run(ctx, int(controllerContext.ComponentConfig.ReplicationController.ConcurrentRCSyncs))
-	return nil, true, nil
+	)
+
+	return newControllerLoop(func(ctx context.Context) {
+		rc.Run(ctx, int(controllerContext.ComponentConfig.ReplicationController.ConcurrentRCSyncs))
+	}, controllerName), nil
 }
 
 func newPodGarbageCollectorControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PodGarbageCollectorController,
-		aliases:  []string{"podgc"},
-		initFunc: startPodGarbageCollectorController,
+		name:        names.PodGarbageCollectorController,
+		aliases:     []string{"podgc"},
+		constructor: newPodGarbageCollectorController,
 	}
 }
 
-func startPodGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go podgc.NewPodGC(
+func newPodGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("pod-garbage-collector")
+	if err != nil {
+		return nil, err
+	}
+
+	pgcc := podgc.NewPodGC(
 		ctx,
-		controllerContext.ClientBuilder.ClientOrDie("pod-garbage-collector"),
+		client,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Nodes(),
 		int(controllerContext.ComponentConfig.PodGCController.TerminatedPodGCThreshold),
-	).Run(ctx)
-	return nil, true, nil
+	)
+	return newControllerLoop(pgcc.Run, controllerName), nil
 }
 
 func newResourceQuotaControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ResourceQuotaController,
-		aliases:  []string{"resourcequota"},
-		initFunc: startResourceQuotaController,
+		name:        names.ResourceQuotaController,
+		aliases:     []string{"resourcequota"},
+		constructor: newResourceQuotaController,
 	}
 }
 
-func startResourceQuotaController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	resourceQuotaControllerClient := controllerContext.ClientBuilder.ClientOrDie("resourcequota-controller")
-	resourceQuotaControllerDiscoveryClient := controllerContext.ClientBuilder.DiscoveryClientOrDie("resourcequota-controller")
+func newResourceQuotaController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	resourceQuotaControllerClient, err := controllerContext.NewClient("resourcequota-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	resourceQuotaControllerDiscoveryClient, err := controllerContext.ClientBuilder.DiscoveryClient("resourcequota-controller")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create the discovery client: %w", err)
+	}
+
 	discoveryFunc := resourceQuotaControllerDiscoveryClient.ServerPreferredNamespacedResources
 	listerFuncForResource := generic.ListerFuncForResourceFunc(controllerContext.InformerFactory.ForResource)
-	quotaConfiguration := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource)
+	quotaConfiguration := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource, controllerContext.InformerFactory)
 
 	resourceQuotaControllerOptions := &resourcequotacontroller.ControllerOptions{
 		QuotaClient:               resourceQuotaControllerClient.CoreV1(),
@@ -541,40 +613,54 @@ func startResourceQuotaController(ctx context.Context, controllerContext Control
 	}
 	resourceQuotaController, err := resourcequotacontroller.NewController(ctx, resourceQuotaControllerOptions)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
-	go resourceQuotaController.Run(ctx, int(controllerContext.ComponentConfig.ResourceQuotaController.ConcurrentResourceQuotaSyncs))
 
-	// Periodically the quota controller to detect new resource types
-	go resourceQuotaController.Sync(ctx, discoveryFunc, 30*time.Second)
-
-	return nil, true, nil
+	return newControllerLoop(concurrentRun(
+		func(ctx context.Context) {
+			resourceQuotaController.Run(ctx, int(controllerContext.ComponentConfig.ResourceQuotaController.ConcurrentResourceQuotaSyncs))
+		},
+		func(ctx context.Context) {
+			resourceQuotaController.Sync(ctx, discoveryFunc, 30*time.Second)
+		},
+	), controllerName), nil
 }
 
 func newNamespaceControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.NamespaceController,
-		aliases:  []string{"namespace"},
-		initFunc: startNamespaceController,
+		name:        names.NamespaceController,
+		aliases:     []string{"namespace"},
+		constructor: newNamespaceController,
 	}
 }
 
-func startNamespaceController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newNamespaceController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	// the namespace cleanup controller is very chatty.  It makes lots of discovery calls and then it makes lots of delete calls
 	// the ratelimiter negatively affects its speed.  Deleting 100 total items in a namespace (that's only a few of each resource
 	// including events), takes ~10 seconds by default.
-	nsKubeconfig := controllerContext.ClientBuilder.ConfigOrDie("namespace-controller")
+	nsKubeconfig, err := controllerContext.NewClientConfig("namespace-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	nsKubeconfig.QPS *= 20
 	nsKubeconfig.Burst *= 100
-	namespaceKubeClient := clientset.NewForConfigOrDie(nsKubeconfig)
-	return startModifiedNamespaceController(ctx, controllerContext, namespaceKubeClient, nsKubeconfig)
-}
 
-func startModifiedNamespaceController(ctx context.Context, controllerContext ControllerContext, namespaceKubeClient clientset.Interface, nsKubeconfig *restclient.Config) (controller.Interface, bool, error) {
+	namespaceKubeClient, err := clientset.NewForConfig(nsKubeconfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return newModifiedNamespaceController(ctx, controllerContext, controllerName, namespaceKubeClient, nsKubeconfig)
+}
 
+func newModifiedNamespaceController(
+	ctx context.Context, controllerContext ControllerContext, controllerName string,
+	namespaceKubeClient clientset.Interface, nsKubeconfig *restclient.Config,
+) (Controller, error) {
 	metadataClient, err := metadata.NewForConfig(nsKubeconfig)
 	if err != nil {
-		return nil, true, err
+		return nil, err
 	}
 
 	discoverResourcesFn := namespaceKubeClient.Discovery().ServerPreferredNamespacedResources
@@ -588,204 +674,291 @@ func startModifiedNamespaceController(ctx context.Context, controllerContext Con
 		controllerContext.ComponentConfig.NamespaceController.NamespaceSyncPeriod.Duration,
 		v1.FinalizerKubernetes,
 	)
-	go namespaceController.Run(ctx, int(controllerContext.ComponentConfig.NamespaceController.ConcurrentNamespaceSyncs))
-
-	return nil, true, nil
+	return newControllerLoop(func(ctx context.Context) {
+		namespaceController.Run(ctx, int(controllerContext.ComponentConfig.NamespaceController.ConcurrentNamespaceSyncs))
+	}, controllerName), nil
 }
 
 func newServiceAccountControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ServiceAccountController,
-		aliases:  []string{"serviceaccount"},
-		initFunc: startServiceAccountController,
+		name:        names.ServiceAccountController,
+		aliases:     []string{"serviceaccount"},
+		constructor: newServiceAccountController,
 	}
 }
 
-func startServiceAccountController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newServiceAccountController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("service-account-controller")
+	if err != nil {
+		return nil, err
+	}
+	logger := klog.FromContext(ctx)
+
 	sac, err := serviceaccountcontroller.NewServiceAccountsController(
+		logger,
 		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
 		controllerContext.InformerFactory.Core().V1().Namespaces(),
-		controllerContext.ClientBuilder.ClientOrDie("service-account-controller"),
+		client,
 		serviceaccountcontroller.DefaultServiceAccountsControllerOptions(),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("error creating ServiceAccount controller: %v", err)
+		return nil, fmt.Errorf("error creating ServiceAccount controller: %w", err)
 	}
-	go sac.Run(ctx, 1)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		sac.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newTTLControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.TTLController,
-		aliases:  []string{"ttl"},
-		initFunc: startTTLController,
+		name:        names.TTLController,
+		aliases:     []string{"ttl"},
+		constructor: newTTLController,
 	}
 }
 
-func startTTLController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go ttlcontroller.NewTTLController(
+func newTTLController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("ttl-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	ttlc := ttlcontroller.NewTTLController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Nodes(),
-		controllerContext.ClientBuilder.ClientOrDie("ttl-controller"),
-	).Run(ctx, 5)
-	return nil, true, nil
+		client,
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		ttlc.Run(ctx, 5)
+	}, controllerName), nil
 }
 
 func newGarbageCollectorControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.GarbageCollectorController,
-		aliases:  []string{"garbagecollector"},
-		initFunc: startGarbageCollectorController,
+		name:        names.GarbageCollectorController,
+		aliases:     []string{"garbagecollector"},
+		constructor: newGarbageCollectorController,
 	}
 }
 
-func startGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+type garbageCollectorController struct {
+	*garbagecollector.GarbageCollector
+	controllerContext ControllerContext
+	controllerName    string
+	discoveryClient   discovery.DiscoveryInterface
+}
+
+// Make sure we are propagating properly.
+var _ controller.Debuggable = (*garbageCollectorController)(nil)
+
+func newGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	if !controllerContext.ComponentConfig.GarbageCollectorController.EnableGarbageCollector {
-		return nil, false, nil
+		return nil, nil
+	}
+
+	client, err := controllerContext.NewClient("generic-garbage-collector")
+	if err != nil {
+		return nil, err
 	}
 
-	gcClientset := controllerContext.ClientBuilder.ClientOrDie("generic-garbage-collector")
-	discoveryClient := controllerContext.ClientBuilder.DiscoveryClientOrDie("generic-garbage-collector")
+	discoveryClient, err := controllerContext.ClientBuilder.DiscoveryClient("generic-garbage-collector")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create the discovery client: %w", err)
+	}
+
+	config, err := controllerContext.NewClientConfig("generic-garbage-collector")
+	if err != nil {
+		return nil, err
+	}
 
-	config := controllerContext.ClientBuilder.ConfigOrDie("generic-garbage-collector")
 	// Increase garbage collector controller's throughput: each object deletion takes two API calls,
 	// so to get |config.QPS| deletion rate we need to allow 2x more requests for this controller.
 	config.QPS *= 2
 	metadataClient, err := metadata.NewForConfig(config)
 	if err != nil {
-		return nil, true, err
+		return nil, err
 	}
 
 	garbageCollector, err := garbagecollector.NewComposedGarbageCollector(
 		ctx,
-		gcClientset,
+		client,
 		metadataClient,
 		controllerContext.RESTMapper,
 		controllerContext.GraphBuilder,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start the generic garbage collector: %w", err)
+		return nil, fmt.Errorf("failed to init the generic garbage collector: %w", err)
 	}
 
-	// Start the garbage collector.
-	workers := int(controllerContext.ComponentConfig.GarbageCollectorController.ConcurrentGCSyncs)
-	const syncPeriod = 30 * time.Second
-	go garbageCollector.Run(ctx, workers, syncPeriod)
+	return &garbageCollectorController{
+		GarbageCollector:  garbageCollector,
+		controllerName:    controllerName,
+		controllerContext: controllerContext,
+		discoveryClient:   discoveryClient,
+	}, nil
+}
 
-	// Periodically refresh the RESTMapper with new discovery information and sync
-	// the garbage collector.
-	go garbageCollector.Sync(ctx, discoveryClient, syncPeriod)
+// Name must be implemented explicitly as it collides with the embedded controller.
+func (c *garbageCollectorController) Name() string {
+	return c.controllerName
+}
 
-	return garbageCollector, true, nil
+func (c *garbageCollectorController) Run(ctx context.Context) {
+	workers := int(c.controllerContext.ComponentConfig.GarbageCollectorController.ConcurrentGCSyncs)
+	const syncPeriod = 30 * time.Second
+
+	concurrentRun(
+		func(ctx context.Context) {
+			c.GarbageCollector.Run(ctx, workers, syncPeriod)
+		},
+		func(ctx context.Context) {
+			// Periodically refresh the RESTMapper with new discovery information and sync the garbage collector.
+			c.Sync(ctx, c.discoveryClient, syncPeriod)
+		},
+	)(ctx)
 }
 
 func newPersistentVolumeClaimProtectionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PersistentVolumeClaimProtectionController,
-		aliases:  []string{"pvc-protection"},
-		initFunc: startPersistentVolumeClaimProtectionController,
+		name:        names.PersistentVolumeClaimProtectionController,
+		aliases:     []string{"pvc-protection"},
+		constructor: newPersistentVolumeClaimProtectionController,
 	}
 }
 
-func startPersistentVolumeClaimProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newPersistentVolumeClaimProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("pvc-protection-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	pvcProtectionController, err := pvcprotection.NewPVCProtectionController(
 		klog.FromContext(ctx),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
-		controllerContext.ClientBuilder.ClientOrDie("pvc-protection-controller"),
+		client,
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start the pvc protection controller: %v", err)
+		return nil, fmt.Errorf("failed to init the pvc protection controller: %w", err)
 	}
-	go pvcProtectionController.Run(ctx, 1)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		pvcProtectionController.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newPersistentVolumeProtectionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.PersistentVolumeProtectionController,
-		aliases:  []string{"pv-protection"},
-		initFunc: startPersistentVolumeProtectionController,
+		name:        names.PersistentVolumeProtectionController,
+		aliases:     []string{"pv-protection"},
+		constructor: newPersistentVolumeProtectionController,
 	}
 }
 
-func startPersistentVolumeProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go pvprotection.NewPVProtectionController(
+func newPersistentVolumeProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("pv-protection-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	pvpc := pvprotection.NewPVProtectionController(
 		klog.FromContext(ctx),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
-		controllerContext.ClientBuilder.ClientOrDie("pv-protection-controller"),
-	).Run(ctx, 1)
-	return nil, true, nil
+		client,
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		pvpc.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newVolumeAttributesClassProtectionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.VolumeAttributesClassProtectionController,
-		initFunc: startVolumeAttributesClassProtectionController,
+		name:        names.VolumeAttributesClassProtectionController,
+		constructor: newVolumeAttributesClassProtectionController,
 		requiredFeatureGates: []featuregate.Feature{
 			features.VolumeAttributesClass,
 		},
 	}
 }
 
-func startVolumeAttributesClassProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newVolumeAttributesClassProtectionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("volumeattributesclass-protection-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	vacProtectionController, err := vacprotection.NewVACProtectionController(
 		klog.FromContext(ctx),
-		controllerContext.ClientBuilder.ClientOrDie("volumeattributesclass-protection-controller"),
+		client,
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
 		controllerContext.InformerFactory.Storage().V1().VolumeAttributesClasses(),
 	)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start the vac protection controller: %w", err)
+		return nil, fmt.Errorf("failed to init the vac protection controller: %w", err)
 	}
-	go vacProtectionController.Run(ctx, 1)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		vacProtectionController.Run(ctx, 1)
+	}, controllerName), nil
 }
 
 func newTTLAfterFinishedControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.TTLAfterFinishedController,
-		aliases:  []string{"ttl-after-finished"},
-		initFunc: startTTLAfterFinishedController,
+		name:        names.TTLAfterFinishedController,
+		aliases:     []string{"ttl-after-finished"},
+		constructor: newTTLAfterFinishedController,
 	}
 }
 
-func startTTLAfterFinishedController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go ttlafterfinished.New(
+func newTTLAfterFinishedController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("ttl-after-finished-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	ttlc := ttlafterfinished.New(
 		ctx,
 		controllerContext.InformerFactory.Batch().V1().Jobs(),
-		controllerContext.ClientBuilder.ClientOrDie("ttl-after-finished-controller"),
-	).Run(ctx, int(controllerContext.ComponentConfig.TTLAfterFinishedController.ConcurrentTTLSyncs))
-	return nil, true, nil
+		client,
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		ttlc.Run(ctx, int(controllerContext.ComponentConfig.TTLAfterFinishedController.ConcurrentTTLSyncs))
+	}, controllerName), nil
 }
 
 func newLegacyServiceAccountTokenCleanerControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.LegacyServiceAccountTokenCleanerController,
-		aliases:  []string{"legacy-service-account-token-cleaner"},
-		initFunc: startLegacyServiceAccountTokenCleanerController,
+		name:        names.LegacyServiceAccountTokenCleanerController,
+		aliases:     []string{"legacy-service-account-token-cleaner"},
+		constructor: newLegacyServiceAccountTokenCleanerController,
 	}
 }
 
-func startLegacyServiceAccountTokenCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+func newLegacyServiceAccountTokenCleanerController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("legacy-service-account-token-cleaner")
+	if err != nil {
+		return nil, err
+	}
+
 	cleanUpPeriod := controllerContext.ComponentConfig.LegacySATokenCleaner.CleanUpPeriod.Duration
 	legacySATokenCleaner, err := serviceaccountcontroller.NewLegacySATokenCleaner(
 		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
 		controllerContext.InformerFactory.Core().V1().Secrets(),
 		controllerContext.InformerFactory.Core().V1().Pods(),
-		controllerContext.ClientBuilder.ClientOrDie("legacy-service-account-token-cleaner"),
+		client,
 		clock.RealClock{},
 		serviceaccountcontroller.LegacySATokenCleanerOptions{
 			CleanUpPeriod: cleanUpPeriod,
 			SyncInterval:  serviceaccountcontroller.DefaultCleanerSyncInterval,
-		})
+		},
+	)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start the legacy service account token cleaner: %v", err)
+		return nil, fmt.Errorf("failed to init the legacy service account token cleaner: %w", err)
 	}
-	go legacySATokenCleaner.Run(ctx)
-	return nil, true, nil
+
+	return newControllerLoop(legacySATokenCleaner.Run, controllerName), nil
 }
 
 // processCIDRs is a helper function that works on a comma separated cidrs and returns
@@ -906,9 +1079,9 @@ func setNodeCIDRMaskSizes(cfg nodeipamconfig.NodeIPAMControllerConfiguration, cl
 
 func newStorageVersionGarbageCollectorControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.StorageVersionGarbageCollectorController,
-		aliases:  []string{"storage-version-gc"},
-		initFunc: startStorageVersionGarbageCollectorController,
+		name:        names.StorageVersionGarbageCollectorController,
+		aliases:     []string{"storage-version-gc"},
+		constructor: newStorageVersionGarbageCollectorController,
 		requiredFeatureGates: []featuregate.Feature{
 			genericfeatures.APIServerIdentity,
 			genericfeatures.StorageVersionAPI,
@@ -916,20 +1089,25 @@ func newStorageVersionGarbageCollectorControllerDescriptor() *ControllerDescript
 	}
 }
 
-func startStorageVersionGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go storageversiongc.NewStorageVersionGC(
+func newStorageVersionGarbageCollectorController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("storage-version-garbage-collector")
+	if err != nil {
+		return nil, err
+	}
+
+	svgcc := storageversiongc.NewStorageVersionGC(
 		ctx,
-		controllerContext.ClientBuilder.ClientOrDie("storage-version-garbage-collector"),
+		client,
 		controllerContext.InformerFactory.Coordination().V1().Leases(),
 		controllerContext.InformerFactory.Internal().V1alpha1().StorageVersions(),
-	).Run(ctx)
-	return nil, true, nil
+	)
+	return newControllerLoop(svgcc.Run, controllerName), nil
 }
 
 func newSELinuxWarningControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                names.SELinuxWarningController,
-		initFunc:            startSELinuxWarningController,
+		constructor:         newSELinuxWarningController,
 		isDisabledByDefault: true,
 		requiredFeatureGates: []featuregate.Feature{
 			features.SELinuxChangePolicy,
@@ -937,32 +1115,34 @@ func newSELinuxWarningControllerDescriptor() *ControllerDescriptor {
 	}
 }
 
-func startSELinuxWarningController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) {
-		return nil, false, nil
+func newSELinuxWarningController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient(controllerName)
+	if err != nil {
+		return nil, err
 	}
 
 	logger := klog.FromContext(ctx)
 	csiDriverInformer := controllerContext.InformerFactory.Storage().V1().CSIDrivers()
 	plugins, err := ProbePersistentVolumePlugins(logger, controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to probe volume plugins when starting SELinux warning controller: %w", err)
+		return nil, fmt.Errorf("failed to probe volume plugins when starting SELinux warning controller: %w", err)
 	}
 
-	seLinuxController, err :=
-		selinuxwarning.NewController(
-			ctx,
-			controllerContext.ClientBuilder.ClientOrDie(controllerName),
-			controllerContext.InformerFactory.Core().V1().Pods(),
-			controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
-			controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
-			csiDriverInformer,
-			plugins,
-			GetDynamicPluginProber(controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
-		)
+	seLinuxController, err := selinuxwarning.NewController(
+		ctx,
+		client,
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
+		controllerContext.InformerFactory.Core().V1().PersistentVolumes(),
+		csiDriverInformer,
+		plugins,
+		GetDynamicPluginProber(controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration),
+	)
 	if err != nil {
-		return nil, true, fmt.Errorf("failed to start SELinux warning controller: %w", err)
+		return nil, fmt.Errorf("failed to start SELinux warning controller: %w", err)
 	}
-	go seLinuxController.Run(ctx, 1)
-	return nil, true, nil
+
+	return newControllerLoop(func(ctx context.Context) {
+		seLinuxController.Run(ctx, 1)
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/core_test.go b/cmd/kube-controller-manager/app/core_test.go
index d66a768df8940..8808ce6bf811e 100644
--- a/cmd/kube-controller-manager/app/core_test.go
+++ b/cmd/kube-controller-manager/app/core_test.go
@@ -18,6 +18,7 @@ package app
 
 import (
 	"context"
+	"sync"
 	"testing"
 	"time"
 
@@ -28,6 +29,8 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	fakeclientset "k8s.io/client-go/kubernetes/fake"
 	restclient "k8s.io/client-go/rest"
+
+	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 )
 
 // TestClientBuilder inherits ClientBuilder and can accept a given fake clientset.
@@ -35,12 +38,14 @@ type TestClientBuilder struct {
 	clientset clientset.Interface
 }
 
-func (TestClientBuilder) Config(name string) (*restclient.Config, error) { return nil, nil }
+func (TestClientBuilder) Config(name string) (*restclient.Config, error) {
+	return &restclient.Config{}, nil
+}
 func (TestClientBuilder) ConfigOrDie(name string) *restclient.Config {
 	return &restclient.Config{}
 }
 
-func (TestClientBuilder) Client(name string) (clientset.Interface, error) { return nil, nil }
+func (m TestClientBuilder) Client(name string) (clientset.Interface, error) { return m.clientset, nil }
 func (m TestClientBuilder) ClientOrDie(name string) clientset.Interface {
 	return m.clientset
 }
@@ -130,26 +135,44 @@ func TestController_DiscoveryError(t *testing.T) {
 		},
 	}
 	for name, test := range tcs {
-		testDiscovery := FakeDiscoveryWithError{Err: test.discoveryError, PossibleResources: test.possibleResources}
-		testClientset := NewFakeClientset(testDiscovery)
-		testClientBuilder := TestClientBuilder{clientset: testClientset}
-		testInformerFactory := informers.NewSharedInformerFactoryWithOptions(testClientset, time.Duration(1))
-		ctx := ControllerContext{
-			ClientBuilder:                   testClientBuilder,
-			InformerFactory:                 testInformerFactory,
-			ObjectOrMetadataInformerFactory: testInformerFactory,
-			InformersStarted:                make(chan struct{}),
-		}
-		for controllerName, controllerDesc := range controllerDescriptorMap {
-			_, _, err := controllerDesc.GetInitFunc()(context.TODO(), ctx, controllerName)
+		t.Run(name, func(t *testing.T) {
+			ctx := context.Background()
+			testDiscovery := FakeDiscoveryWithError{Err: test.discoveryError, PossibleResources: test.possibleResources}
+			testClientset := NewFakeClientset(testDiscovery)
+			testClientBuilder := TestClientBuilder{clientset: testClientset}
+			testInformerFactory := informers.NewSharedInformerFactoryWithOptions(testClientset, time.Duration(1))
+			controllerContext := ControllerContext{
+				ClientBuilder:                   testClientBuilder,
+				InformerFactory:                 testInformerFactory,
+				ObjectOrMetadataInformerFactory: testInformerFactory,
+				InformersStarted:                make(chan struct{}),
+			}
+			for controllerName, controllerDesc := range controllerDescriptorMap {
+				_, err := controllerDesc.GetControllerConstructor()(ctx, controllerContext, controllerName)
+				if test.expectedErr != (err != nil) {
+					t.Errorf("%v test failed for use case: %v", controllerName, name)
+				}
+			}
+
+			namespaceController, err := newModifiedNamespaceController(
+				ctx, controllerContext, names.NamespaceController,
+				testClientset, testClientBuilder.ConfigOrDie("namespace-controller"))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ctx, cancel := context.WithCancel(ctx)
+			var wg sync.WaitGroup
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				namespaceController.Run(ctx)
+			}()
+			cancel()
+			wg.Wait()
 			if test.expectedErr != (err != nil) {
-				t.Errorf("%v test failed for use case: %v", controllerName, name)
+				t.Errorf("Namespace Controller test failed for use case: %v", name)
 			}
-		}
-		_, _, err := startModifiedNamespaceController(
-			context.TODO(), ctx, testClientset, testClientBuilder.ConfigOrDie("namespace-controller"))
-		if test.expectedErr != (err != nil) {
-			t.Errorf("Namespace Controller test failed for use case: %v", name)
-		}
+		})
 	}
 }
diff --git a/cmd/kube-controller-manager/app/discovery.go b/cmd/kube-controller-manager/app/discovery.go
index e79fc9b2b932c..f749cc58e6cd8 100644
--- a/cmd/kube-controller-manager/app/discovery.go
+++ b/cmd/kube-controller-manager/app/discovery.go
@@ -22,7 +22,6 @@ package app
 import (
 	"context"
 
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	endpointslicecontroller "k8s.io/kubernetes/pkg/controller/endpointslice"
 	endpointslicemirroringcontroller "k8s.io/kubernetes/pkg/controller/endpointslicemirroring"
@@ -30,43 +29,57 @@ import (
 
 func newEndpointSliceControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.EndpointSliceController,
-		aliases:  []string{"endpointslice"},
-		initFunc: startEndpointSliceController,
+		name:        names.EndpointSliceController,
+		aliases:     []string{"endpointslice"},
+		constructor: newEndpointSliceController,
 	}
 }
 
-func startEndpointSliceController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go endpointslicecontroller.NewController(
+func newEndpointSliceController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("endpointslice-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	esc := endpointslicecontroller.NewController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Core().V1().Services(),
 		controllerContext.InformerFactory.Core().V1().Nodes(),
 		controllerContext.InformerFactory.Discovery().V1().EndpointSlices(),
 		controllerContext.ComponentConfig.EndpointSliceController.MaxEndpointsPerSlice,
-		controllerContext.ClientBuilder.ClientOrDie("endpointslice-controller"),
+		client,
 		controllerContext.ComponentConfig.EndpointSliceController.EndpointUpdatesBatchPeriod.Duration,
-	).Run(ctx, int(controllerContext.ComponentConfig.EndpointSliceController.ConcurrentServiceEndpointSyncs))
-	return nil, true, nil
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		esc.Run(ctx, int(controllerContext.ComponentConfig.EndpointSliceController.ConcurrentServiceEndpointSyncs))
+	}, controllerName), nil
 }
 
 func newEndpointSliceMirroringControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.EndpointSliceMirroringController,
-		aliases:  []string{"endpointslicemirroring"},
-		initFunc: startEndpointSliceMirroringController,
+		name:        names.EndpointSliceMirroringController,
+		aliases:     []string{"endpointslicemirroring"},
+		constructor: newEndpointSliceMirroringController,
 	}
 }
 
-func startEndpointSliceMirroringController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go endpointslicemirroringcontroller.NewController(
+func newEndpointSliceMirroringController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("endpointslicemirroring-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	esmc := endpointslicemirroringcontroller.NewController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Endpoints(),
 		controllerContext.InformerFactory.Discovery().V1().EndpointSlices(),
 		controllerContext.InformerFactory.Core().V1().Services(),
 		controllerContext.ComponentConfig.EndpointSliceMirroringController.MirroringMaxEndpointsPerSubset,
-		controllerContext.ClientBuilder.ClientOrDie("endpointslicemirroring-controller"),
+		client,
 		controllerContext.ComponentConfig.EndpointSliceMirroringController.MirroringEndpointUpdatesBatchPeriod.Duration,
-	).Run(ctx, int(controllerContext.ComponentConfig.EndpointSliceMirroringController.MirroringConcurrentServiceEndpointSyncs))
-	return nil, true, nil
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		esmc.Run(ctx, int(controllerContext.ComponentConfig.EndpointSliceMirroringController.MirroringConcurrentServiceEndpointSyncs))
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/networking.go b/cmd/kube-controller-manager/app/networking.go
index aa1c3c9d1119a..ac4551d9dcd40 100644
--- a/cmd/kube-controller-manager/app/networking.go
+++ b/cmd/kube-controller-manager/app/networking.go
@@ -23,7 +23,6 @@ import (
 	"context"
 
 	"k8s.io/component-base/featuregate"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/servicecidrs"
 	"k8s.io/kubernetes/pkg/features"
@@ -31,20 +30,28 @@ import (
 
 func newServiceCIDRsControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ServiceCIDRController,
-		initFunc: startServiceCIDRsController,
+		name:        names.ServiceCIDRController,
+		constructor: newServiceCIDRsController,
 		requiredFeatureGates: []featuregate.Feature{
 			features.MultiCIDRServiceAllocator,
-		}}
+		},
+	}
 }
-func startServiceCIDRsController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go servicecidrs.NewController(
+
+func newServiceCIDRsController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("service-cidrs-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO use component config
+	scc := servicecidrs.NewController(
 		ctx,
 		controllerContext.InformerFactory.Networking().V1().ServiceCIDRs(),
 		controllerContext.InformerFactory.Networking().V1().IPAddresses(),
-		controllerContext.ClientBuilder.ClientOrDie("service-cidrs-controller"),
-	).Run(ctx, 5)
-	// TODO use component config
-	return nil, true, nil
-
+		client,
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		scc.Run(ctx, 5)
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller.go b/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller.go
new file mode 100644
index 0000000000000..64bd263ed4dab
--- /dev/null
+++ b/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller.go
@@ -0,0 +1,63 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+
+	"github.com/spf13/pflag"
+
+	devicetaintevictionconfig "k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
+)
+
+// DeviceTaintEvictionControllerOptions holds the DeviceTaintEvictionController options.
+type DeviceTaintEvictionControllerOptions struct {
+	*devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration
+}
+
+// AddFlags adds flags related to DeviceTaintEvictionController for controller manager to the specified FlagSet.
+func (o *DeviceTaintEvictionControllerOptions) AddFlags(fs *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	fs.Int32Var(&o.ConcurrentSyncs, "concurrent-device-taint-eviction-syncs", o.ConcurrentSyncs, "The number of operations (evicting pods, updating DeviceTaintRule status) allowed to run concurrently. Greater number = more responsive, but more CPU (and network) load")
+}
+
+// ApplyTo fills up DeviceTaintEvictionController config with options.
+func (o *DeviceTaintEvictionControllerOptions) ApplyTo(cfg *devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration) error {
+	if o == nil {
+		return nil
+	}
+
+	cfg.ConcurrentSyncs = o.ConcurrentSyncs
+
+	return nil
+}
+
+// Validate checks validation of DeviceTaintEvictionControllerOptions.
+func (o *DeviceTaintEvictionControllerOptions) Validate() []error {
+	if o == nil {
+		return nil
+	}
+
+	var errs []error
+	if o.ConcurrentSyncs <= 0 {
+		errs = append(errs, fmt.Errorf("concurrent-device-taint-eviction-syncs must be greater than zero, got %d", o.ConcurrentSyncs))
+	}
+	return errs
+}
diff --git a/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller_test.go b/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller_test.go
new file mode 100644
index 0000000000000..a804ad7675c46
--- /dev/null
+++ b/cmd/kube-controller-manager/app/options/devicetaintevictioncontroller_test.go
@@ -0,0 +1,219 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/spf13/pflag"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+
+	devicetaintevictionconfig "k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
+)
+
+func TestDeviceTaintEvictionControllerOptions_AddFlags(t *testing.T) {
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	opts := &DeviceTaintEvictionControllerOptions{
+		&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+			ConcurrentSyncs: 50,
+		},
+	}
+
+	opts.AddFlags(fs)
+
+	// Test that the flag was added
+	flag := fs.Lookup("concurrent-device-taint-eviction-syncs")
+	if flag == nil {
+		t.Error("concurrent-device-taint-eviction-syncs flag was not added")
+		return
+	}
+
+	// Test that the flag has the correct default value
+	if flag.DefValue != "50" {
+		t.Errorf("expected default value 50, got %s", flag.DefValue)
+	}
+
+	// Test flag parsing
+	args := []string{"--concurrent-device-taint-eviction-syncs=25"}
+	if err := fs.Parse(args); err != nil {
+		t.Errorf("failed to parse flags: %v", err)
+	}
+
+	if opts.ConcurrentSyncs != 25 {
+		t.Errorf("expected ConcurrentSyncs to be 25, got %d", opts.ConcurrentSyncs)
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_AddFlags_Nil(t *testing.T) {
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	var opts *DeviceTaintEvictionControllerOptions
+
+	// Should not panic when options is nil
+	opts.AddFlags(fs)
+
+	// Flag should not be added
+	flag := fs.Lookup("concurrent-device-taint-eviction-syncs")
+	if flag != nil {
+		t.Error("concurrent-device-taint-eviction-syncs flag should not be added when options is nil")
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_ApplyTo(t *testing.T) {
+	opts := &DeviceTaintEvictionControllerOptions{
+		&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+			ConcurrentSyncs: 75,
+		},
+	}
+
+	cfg := &devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{}
+
+	err := opts.ApplyTo(cfg)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if cfg.ConcurrentSyncs != 75 {
+		t.Errorf("expected ConcurrentSyncs to be 75, got %d", cfg.ConcurrentSyncs)
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_ApplyTo_Nil(t *testing.T) {
+	var opts *DeviceTaintEvictionControllerOptions
+	cfg := &devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+		ConcurrentSyncs: 50,
+	}
+
+	err := opts.ApplyTo(cfg)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	// Configuration should remain unchanged
+	if cfg.ConcurrentSyncs != 50 {
+		t.Errorf("expected ConcurrentSyncs to remain 50, got %d", cfg.ConcurrentSyncs)
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_Validate(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		concurrentSyncs        int32
+		expectErrors           bool
+		expectedErrorSubString string
+	}{
+		{
+			name:            "valid concurrent syncs",
+			concurrentSyncs: 50,
+			expectErrors:    false,
+		},
+		{
+			name:            "valid minimum concurrent syncs",
+			concurrentSyncs: 1,
+			expectErrors:    false,
+		},
+		{
+			name:                   "invalid zero concurrent syncs",
+			concurrentSyncs:        0,
+			expectErrors:           true,
+			expectedErrorSubString: "concurrent-device-taint-eviction-syncs must be greater than zero, got 0",
+		},
+		{
+			name:                   "invalid negative concurrent syncs",
+			concurrentSyncs:        -5,
+			expectErrors:           true,
+			expectedErrorSubString: "concurrent-device-taint-eviction-syncs must be greater than zero, got -5",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := &DeviceTaintEvictionControllerOptions{
+				&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+					ConcurrentSyncs: tc.concurrentSyncs,
+				},
+			}
+
+			errs := opts.Validate()
+
+			if tc.expectErrors && len(errs) == 0 {
+				t.Error("expected validation errors, but got none")
+			}
+
+			if !tc.expectErrors && len(errs) > 0 {
+				t.Errorf("expected no validation errors, but got: %v", errs)
+			}
+
+			if tc.expectErrors && len(errs) > 0 {
+				gotErr := utilerrors.NewAggregate(errs).Error()
+				if !strings.Contains(gotErr, tc.expectedErrorSubString) {
+					t.Errorf("expected error to contain %q, but got %q", tc.expectedErrorSubString, gotErr)
+				}
+			}
+		})
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_Validate_Nil(t *testing.T) {
+	var opts *DeviceTaintEvictionControllerOptions
+
+	errs := opts.Validate()
+	if len(errs) != 0 {
+		t.Errorf("expected no validation errors for nil options, but got: %v", errs)
+	}
+}
+
+func TestDeviceTaintEvictionControllerOptions_Integration(t *testing.T) {
+	// Test the complete workflow: create options, set flags, apply to config
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	opts := &DeviceTaintEvictionControllerOptions{
+		&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+			ConcurrentSyncs: 50,
+		},
+	}
+
+	// Add flags
+	opts.AddFlags(fs)
+
+	// Parse flags with custom value
+	args := []string{"--concurrent-device-taint-eviction-syncs=100"}
+	if err := fs.Parse(args); err != nil {
+		t.Fatalf("failed to parse flags: %v", err)
+	}
+
+	// Validate
+	errs := opts.Validate()
+	if len(errs) > 0 {
+		t.Fatalf("validation failed: %v", errs)
+	}
+
+	// Apply to config
+	cfg := &devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{}
+	if err := opts.ApplyTo(cfg); err != nil {
+		t.Fatalf("failed to apply options: %v", err)
+	}
+
+	// Verify final configuration
+	expected := &devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+		ConcurrentSyncs: 100,
+	}
+
+	if !reflect.DeepEqual(cfg, expected) {
+		t.Errorf("expected config %+v, got %+v", expected, cfg)
+	}
+}
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index 08750ef76db8f..2a1e8000b12a9 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -21,11 +21,13 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"time"
 
 	v1 "k8s.io/api/core/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/apiserver/pkg/server/flagz"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -44,7 +46,6 @@ import (
 	"k8s.io/component-base/logs"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/component-base/metrics"
-	"k8s.io/component-base/zpages/flagz"
 	cmoptions "k8s.io/controller-manager/options"
 	kubectrlmgrconfigv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
 	kubecontrollerconfig "k8s.io/kubernetes/cmd/kube-controller-manager/app/config"
@@ -78,6 +79,7 @@ type KubeControllerManagerOptions struct {
 	CSRSigningController                      *CSRSigningControllerOptions
 	DaemonSetController                       *DaemonSetControllerOptions
 	DeploymentController                      *DeploymentControllerOptions
+	DeviceTaintEvictionController             *DeviceTaintEvictionControllerOptions
 	StatefulSetController                     *StatefulSetControllerOptions
 	DeprecatedFlags                           *DeprecatedControllerOptions
 	EndpointController                        *EndpointControllerOptions
@@ -101,7 +103,7 @@ type KubeControllerManagerOptions struct {
 	TTLAfterFinishedController                *TTLAfterFinishedControllerOptions
 	ValidatingAdmissionPolicyStatusController *ValidatingAdmissionPolicyStatusControllerOptions
 
-	SecureServing  *apiserveroptions.SecureServingOptionsWithLoopback
+	SecureServing  *apiserveroptions.SecureServingOptions
 	Authentication *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization  *apiserveroptions.DelegatingAuthorizationOptions
 	Metrics        *metrics.Options
@@ -110,6 +112,8 @@ type KubeControllerManagerOptions struct {
 	Master                      string
 	ShowHiddenMetricsForVersion string
 
+	ControllerShutdownTimeout time.Duration
+
 	// ComponentGlobalsRegistry is the registry where the effective versions and feature gates for all components are stored.
 	ComponentGlobalsRegistry basecompatibility.ComponentGlobalsRegistry
 
@@ -152,6 +156,9 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		DeploymentController: &DeploymentControllerOptions{
 			&componentConfig.DeploymentController,
 		},
+		DeviceTaintEvictionController: &DeviceTaintEvictionControllerOptions{
+			&componentConfig.DeviceTaintEvictionController,
+		},
 		StatefulSetController: &StatefulSetControllerOptions{
 			&componentConfig.StatefulSetController,
 		},
@@ -218,7 +225,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		ValidatingAdmissionPolicyStatusController: &ValidatingAdmissionPolicyStatusControllerOptions{
 			&componentConfig.ValidatingAdmissionPolicyStatusController,
 		},
-		SecureServing:            apiserveroptions.NewSecureServingOptions().WithLoopback(),
+		SecureServing:            apiserveroptions.NewSecureServingOptions(),
 		Authentication:           apiserveroptions.NewDelegatingAuthenticationOptions(),
 		Authorization:            apiserveroptions.NewDelegatingAuthorizationOptions(),
 		Metrics:                  metrics.NewOptions(),
@@ -242,6 +249,8 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 	s.GarbageCollectorController.GCIgnoredResources = gcIgnoredResources
 	s.Generic.LeaderElection.ResourceName = "kube-controller-manager"
 	s.Generic.LeaderElection.ResourceNamespace = "kube-system"
+
+	s.ControllerShutdownTimeout = 10 * time.Second
 	return &s, nil
 }
 
@@ -271,6 +280,7 @@ func (s *KubeControllerManagerOptions) Flags(allControllers []string, disabledBy
 	s.AttachDetachController.AddFlags(fss.FlagSet(names.PersistentVolumeAttachDetachController))
 	s.CSRSigningController.AddFlags(fss.FlagSet(names.CertificateSigningRequestSigningController))
 	s.DeploymentController.AddFlags(fss.FlagSet(names.DeploymentController))
+	s.DeviceTaintEvictionController.AddFlags(fss.FlagSet(names.DeviceTaintEvictionController))
 	s.StatefulSetController.AddFlags(fss.FlagSet(names.StatefulSetController))
 	s.DaemonSetController.AddFlags(fss.FlagSet(names.DaemonSetController))
 	s.DeprecatedFlags.AddFlags(fss.FlagSet("deprecated"))
@@ -302,6 +312,9 @@ func (s *KubeControllerManagerOptions) Flags(allControllers []string, disabledBy
 	fs.StringVar(&s.Master, "master", s.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig).")
 	fs.StringVar(&s.Generic.ClientConnection.Kubeconfig, "kubeconfig", s.Generic.ClientConnection.Kubeconfig, "Path to kubeconfig file with authorization and master location information (the master location can be overridden by the master flag).")
 
+	fss.FlagSet("generic").DurationVar(&s.ControllerShutdownTimeout, "controller-shutdown-timeout",
+		s.ControllerShutdownTimeout, "Time to wait for the controllers to shut down before terminating the executable")
+
 	if !utilfeature.DefaultFeatureGate.Enabled(featuregate.Feature(clientgofeaturegate.WatchListClient)) {
 		ver := version.MustParse("1.34")
 		if err := utilfeature.DefaultMutableFeatureGate.OverrideDefaultAtVersion(featuregate.Feature(clientgofeaturegate.WatchListClient), true, ver); err != nil {
@@ -340,6 +353,9 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config, a
 	if err := s.DeploymentController.ApplyTo(&c.ComponentConfig.DeploymentController); err != nil {
 		return err
 	}
+	if err := s.DeviceTaintEvictionController.ApplyTo(&c.ComponentConfig.DeviceTaintEvictionController); err != nil {
+		return err
+	}
 	if err := s.StatefulSetController.ApplyTo(&c.ComponentConfig.StatefulSetController); err != nil {
 		return err
 	}
@@ -409,7 +425,7 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config, a
 	if err := s.ValidatingAdmissionPolicyStatusController.ApplyTo(&c.ComponentConfig.ValidatingAdmissionPolicyStatusController); err != nil {
 		return err
 	}
-	if err := s.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
+	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
 	if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil {
@@ -420,6 +436,7 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config, a
 			return err
 		}
 	}
+	c.ControllerShutdownTimeout = s.ControllerShutdownTimeout
 
 	c.OpenShiftContext = s.OpenShiftContext
 
@@ -441,6 +458,7 @@ func (s *KubeControllerManagerOptions) Validate(allControllers []string, disable
 	errs = append(errs, s.CSRSigningController.Validate()...)
 	errs = append(errs, s.DaemonSetController.Validate()...)
 	errs = append(errs, s.DeploymentController.Validate()...)
+	errs = append(errs, s.DeviceTaintEvictionController.Validate()...)
 	errs = append(errs, s.StatefulSetController.Validate()...)
 	errs = append(errs, s.DeprecatedFlags.Validate()...)
 	errs = append(errs, s.EndpointController.Validate()...)
@@ -520,11 +538,12 @@ func (s KubeControllerManagerOptions) Config(ctx context.Context, allControllers
 	eventRecorder := eventBroadcaster.NewRecorder(clientgokubescheme.Scheme, v1.EventSource{Component: KubeControllerManagerUserAgent})
 
 	c := &kubecontrollerconfig.Config{
-		Client:                   client,
-		Kubeconfig:               kubeconfig,
-		EventBroadcaster:         eventBroadcaster,
-		EventRecorder:            eventRecorder,
-		ComponentGlobalsRegistry: s.ComponentGlobalsRegistry,
+		Client:                    client,
+		Kubeconfig:                kubeconfig,
+		EventBroadcaster:          eventBroadcaster,
+		EventRecorder:             eventRecorder,
+		ControllerShutdownTimeout: s.ControllerShutdownTimeout,
+		ComponentGlobalsRegistry:  s.ComponentGlobalsRegistry,
 	}
 	if err := s.ApplyTo(c, allControllers, disabledByDefaultControllers, controllerAliases); err != nil {
 		return nil, err
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index 8d19d2292efbc..d931170083250 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -56,6 +56,7 @@ import (
 	cronjobconfig "k8s.io/kubernetes/pkg/controller/cronjob/config"
 	daemonconfig "k8s.io/kubernetes/pkg/controller/daemon/config"
 	deploymentconfig "k8s.io/kubernetes/pkg/controller/deployment/config"
+	devicetaintevictionconfig "k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
 	endpointconfig "k8s.io/kubernetes/pkg/controller/endpoint/config"
 	endpointsliceconfig "k8s.io/kubernetes/pkg/controller/endpointslice/config"
 	endpointslicemirroringconfig "k8s.io/kubernetes/pkg/controller/endpointslicemirroring/config"
@@ -98,6 +99,7 @@ var args = []string{
 	"--cluster-signing-legacy-unknown-cert-file=/cluster-signing-legacy-unknown/cert-file",
 	"--cluster-signing-legacy-unknown-key-file=/cluster-signing-legacy-unknown/key-file",
 	"--concurrent-deployment-syncs=10",
+	"--concurrent-device-taint-eviction-syncs=10",
 	"--concurrent-daemonset-syncs=10",
 	"--concurrent-horizontal-pod-autoscaler-syncs=10",
 	"--concurrent-statefulset-syncs=15",
@@ -273,6 +275,11 @@ func TestAddFlags(t *testing.T) {
 				ConcurrentDeploymentSyncs: 10,
 			},
 		},
+		DeviceTaintEvictionController: &DeviceTaintEvictionControllerOptions{
+			&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+				ConcurrentSyncs: 10,
+			},
+		},
 		StatefulSetController: &StatefulSetControllerOptions{
 			&statefulsetconfig.StatefulSetControllerConfiguration{
 				ConcurrentStatefulSetSyncs: 15,
@@ -423,7 +430,7 @@ func TestAddFlags(t *testing.T) {
 				PairName:      "kube-controller-manager",
 			},
 			HTTP2MaxStreamsPerConnection: 47,
-		}).WithLoopback(),
+		}),
 		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 			CacheTTL:            10 * time.Second,
 			TokenRequestTimeout: 10 * time.Second,
@@ -447,9 +454,10 @@ func TestAddFlags(t *testing.T) {
 			AlwaysAllowPaths:             []string{"/healthz", "/readyz", "/livez"}, // note: this does not match /healthz/ or /healthz/*
 			AlwaysAllowGroups:            []string{"system:masters"},
 		},
-		Master:  "192.168.4.20",
-		Metrics: &metrics.Options{},
-		Logs:    logs.NewOptions(),
+		Master:                    "192.168.4.20",
+		ControllerShutdownTimeout: 10 * time.Second,
+		Metrics:                   &metrics.Options{},
+		Logs:                      logs.NewOptions(),
 		// ignores comparing ComponentGlobalsRegistry in this test.
 		ComponentGlobalsRegistry: s.ComponentGlobalsRegistry,
 	}
@@ -623,6 +631,9 @@ func TestApplyTo(t *testing.T) {
 			DeploymentController: deploymentconfig.DeploymentControllerConfiguration{
 				ConcurrentDeploymentSyncs: 10,
 			},
+			DeviceTaintEvictionController: devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+				ConcurrentSyncs: 10,
+			},
 			StatefulSetController: statefulsetconfig.StatefulSetControllerConfiguration{
 				ConcurrentStatefulSetSyncs: 15,
 			},
@@ -722,6 +733,7 @@ func TestApplyTo(t *testing.T) {
 				ConcurrentPolicySyncs: 9,
 			},
 		},
+		ControllerShutdownTimeout: 10 * time.Second,
 	}
 
 	// Sort GCIgnoredResources because it's built from a map, which means the
@@ -1260,6 +1272,15 @@ func TestValidateControllersOptions(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:         "DeviceTaintEvictionControllerOptions",
+			expectErrors: false,
+			options: &DeviceTaintEvictionControllerOptions{
+				&devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration{
+					ConcurrentSyncs: 10,
+				},
+			},
+		},
 		{
 			name:         "DeprecatedControllerOptions",
 			expectErrors: false,
diff --git a/cmd/kube-controller-manager/app/plugins.go b/cmd/kube-controller-manager/app/plugins.go
index 2c83e7e6b2a28..3ed1e35120bef 100644
--- a/cmd/kube-controller-manager/app/plugins.go
+++ b/cmd/kube-controller-manager/app/plugins.go
@@ -106,7 +106,7 @@ func probeControllerVolumePlugins(logger klog.Logger, config persistentvolumecon
 	}
 	if err := AttemptToLoadRecycler(config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathHostPath, &hostPathConfig); err != nil {
 		logger.Error(err, "Could not create hostpath recycler pod from file", "path", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathHostPath)
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+		return nil, err
 	}
 	allPlugins = append(allPlugins, hostpath.ProbeVolumePlugins(hostPathConfig)...)
 
@@ -117,7 +117,7 @@ func probeControllerVolumePlugins(logger klog.Logger, config persistentvolumecon
 	}
 	if err := AttemptToLoadRecycler(config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, &nfsConfig); err != nil {
 		logger.Error(err, "Could not create NFS recycler pod from file", "path", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS)
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+		return nil, err
 	}
 	allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...)
 	allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
diff --git a/cmd/kube-controller-manager/app/plugins_providers.go b/cmd/kube-controller-manager/app/plugins_providers.go
index 9293c48f79da6..e76167242d36c 100644
--- a/cmd/kube-controller-manager/app/plugins_providers.go
+++ b/cmd/kube-controller-manager/app/plugins_providers.go
@@ -29,12 +29,10 @@ import (
 type probeFn func() []volume.VolumePlugin
 
 func appendPluginBasedOnFeatureFlags(logger klog.Logger, plugins []volume.VolumePlugin, inTreePluginName string, featureGate featuregate.FeatureGate, pluginInfo pluginInfo) ([]volume.VolumePlugin, error) {
-
 	_, err := csimigration.CheckMigrationFeatureFlags(featureGate, pluginInfo.pluginMigrationFeature, pluginInfo.pluginUnregisterFeature)
 	if err != nil {
 		logger.Error(err, "Unexpected CSI Migration Feature Flags combination detected. CSI Migration may not take effect")
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-		// TODO: fail and return here once alpha only tests can set the feature flags for a plugin correctly
+		return nil, err
 	}
 
 	// Skip appending the in-tree plugin to the list of plugins to be probed/initialized
diff --git a/cmd/kube-controller-manager/app/policy.go b/cmd/kube-controller-manager/app/policy.go
index 0db44ba6e4aca..7a6b7c004e3d5 100644
--- a/cmd/kube-controller-manager/app/policy.go
+++ b/cmd/kube-controller-manager/app/policy.go
@@ -21,32 +21,38 @@ package app
 
 import (
 	"context"
-
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/scale"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/disruption"
 )
 
 func newDisruptionControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.DisruptionController,
-		aliases:  []string{"disruption"},
-		initFunc: startDisruptionController,
+		name:        names.DisruptionController,
+		aliases:     []string{"disruption"},
+		constructor: newDisruptionController,
 	}
 }
 
-func startDisruptionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	client := controllerContext.ClientBuilder.ClientOrDie("disruption-controller")
-	config := controllerContext.ClientBuilder.ConfigOrDie("disruption-controller")
+func newDisruptionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("disruption-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := controllerContext.NewClientConfig("disruption-controller")
+	if err != nil {
+		return nil, err
+	}
+
 	scaleKindResolver := scale.NewDiscoveryScaleKindResolver(client.Discovery())
 	scaleClient, err := scale.NewForConfig(config, controllerContext.RESTMapper, dynamic.LegacyAPIPathResolverFunc, scaleKindResolver)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
 
-	go disruption.NewDisruptionController(
+	dc := disruption.NewDisruptionController(
 		ctx,
 		controllerContext.InformerFactory.Core().V1().Pods(),
 		controllerContext.InformerFactory.Policy().V1().PodDisruptionBudgets(),
@@ -58,6 +64,6 @@ func startDisruptionController(ctx context.Context, controllerContext Controller
 		controllerContext.RESTMapper,
 		scaleClient,
 		client.Discovery(),
-	).Run(ctx)
-	return nil, true, nil
+	)
+	return newControllerLoop(dc.Run, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/rbac.go b/cmd/kube-controller-manager/app/rbac.go
index c63c61987b4fe..465ddba6bbad2 100644
--- a/cmd/kube-controller-manager/app/rbac.go
+++ b/cmd/kube-controller-manager/app/rbac.go
@@ -19,23 +19,29 @@ package app
 import (
 	"context"
 
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/clusterroleaggregation"
 )
 
 func newClusterRoleAggregrationControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.ClusterRoleAggregationController,
-		aliases:  []string{"clusterrole-aggregation"},
-		initFunc: startClusterRoleAggregationController,
+		name:        names.ClusterRoleAggregationController,
+		aliases:     []string{"clusterrole-aggregation"},
+		constructor: newClusterRoleAggregationController,
 	}
 }
 
-func startClusterRoleAggregationController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	go clusterroleaggregation.NewClusterRoleAggregation(
+func newClusterRoleAggregationController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	client, err := controllerContext.NewClient("clusterrole-aggregation-controller")
+	if err != nil {
+		return nil, err
+	}
+
+	crac := clusterroleaggregation.NewClusterRoleAggregation(
 		controllerContext.InformerFactory.Rbac().V1().ClusterRoles(),
-		controllerContext.ClientBuilder.ClientOrDie("clusterrole-aggregation-controller").RbacV1(),
-	).Run(ctx, 5)
-	return nil, true, nil
+		client.RbacV1(),
+	)
+	return newControllerLoop(func(ctx context.Context) {
+		crac.Run(ctx, 5)
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/service_accounts.go b/cmd/kube-controller-manager/app/service_accounts.go
new file mode 100644
index 0000000000000..1e843b7310273
--- /dev/null
+++ b/cmd/kube-controller-manager/app/service_accounts.go
@@ -0,0 +1,98 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/client-go/util/keyutil"
+	"k8s.io/controller-manager/pkg/clientbuilder"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+)
+
+// serviceAccountTokenController is special because it must run first to set up permissions for other controllers.
+// It cannot use the "normal" client builder, so it tracks its own.
+func newServiceAccountTokenControllerDescriptor(rootClientBuilder clientbuilder.ControllerClientBuilder) *ControllerDescriptor {
+	return &ControllerDescriptor{
+		name:    names.ServiceAccountTokenController,
+		aliases: []string{"serviceaccount-token"},
+		constructor: func(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+			return newServiceAccountTokenController(ctx, controllerContext, controllerName, rootClientBuilder)
+		},
+		// This controller is started manually before any other controller.
+		requiresSpecialHandling: true,
+	}
+}
+
+func newServiceAccountTokenController(
+	ctx context.Context, controllerContext ControllerContext, controllerName string,
+	rootClientBuilder clientbuilder.ControllerClientBuilder,
+) (Controller, error) {
+	if len(controllerContext.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 {
+		klog.FromContext(ctx).Info("Controller is disabled because there is no private key", "controller", controllerName)
+		return nil, nil
+	}
+
+	privateKey, err := keyutil.PrivateKeyFromFile(controllerContext.ComponentConfig.SAController.ServiceAccountKeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("error reading key for service account token controller: %w", err)
+	}
+
+	var rootCA []byte
+	if controllerContext.ComponentConfig.SAController.RootCAFile != "" {
+		if rootCA, err = readCA(controllerContext.ComponentConfig.SAController.RootCAFile); err != nil {
+			return nil, fmt.Errorf("error parsing root-ca-file at %s: %w", controllerContext.ComponentConfig.SAController.RootCAFile, err)
+		}
+	} else {
+		config, err := rootClientBuilder.Config("tokens-controller")
+		if err != nil {
+			return nil, fmt.Errorf("failed to create Kubernetes client config for %q: %w", "tokens-controller", err)
+		}
+		rootCA = config.CAData
+	}
+
+	client, err := rootClientBuilder.Client("tokens-controller")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Kubernetes client for %q: %w", "tokens-controller", err)
+	}
+
+	tokenGenerator, err := serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build token generator: %w", err)
+	}
+	tokenController, err := serviceaccountcontroller.NewTokensController(
+		klog.FromContext(ctx),
+		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
+		controllerContext.InformerFactory.Core().V1().Secrets(),
+		client,
+		applyOpenShiftServiceServingCertCA(serviceaccountcontroller.TokensControllerOptions{
+			TokenGenerator: tokenGenerator,
+			RootCA:         rootCA,
+		}),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("error creating Tokens controller: %w", err)
+	}
+
+	return newControllerLoop(func(ctx context.Context) {
+		tokenController.Run(ctx, int(controllerContext.ComponentConfig.SAController.ConcurrentSATokenSyncs))
+	}, controllerName), nil
+}
diff --git a/cmd/kube-controller-manager/app/storageversionmigrator.go b/cmd/kube-controller-manager/app/storageversionmigrator.go
index 99cf02e09534e..42c3ea1bef166 100644
--- a/cmd/kube-controller-manager/app/storageversionmigrator.go
+++ b/cmd/kube-controller-manager/app/storageversionmigrator.go
@@ -20,77 +20,87 @@ import (
 	"context"
 	"fmt"
 
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/dynamic"
+	clientgofeaturegate "k8s.io/client-go/features"
 	"k8s.io/client-go/metadata"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
-	"k8s.io/kubernetes/pkg/features"
-
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	clientgofeaturegate "k8s.io/client-go/features"
 	svm "k8s.io/kubernetes/pkg/controller/storageversionmigrator"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 func newStorageVersionMigratorControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
-		name:     names.StorageVersionMigratorController,
-		aliases:  []string{"svm"},
-		initFunc: startSVMController,
+		name:        names.StorageVersionMigratorController,
+		aliases:     []string{"svm"},
+		constructor: newSVMController,
 	}
 }
 
-func startSVMController(
-	ctx context.Context,
-	controllerContext ControllerContext,
-	controllerName string,
-) (controller.Interface, bool, error) {
+func newSVMController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.StorageVersionMigrator) ||
 		!clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InformerResourceVersion) {
-		return nil, false, nil
+		return nil, nil
 	}
 
 	if !controllerContext.ComponentConfig.GarbageCollectorController.EnableGarbageCollector {
-		return nil, true, fmt.Errorf("storage version migrator requires garbage collector")
+		return nil, fmt.Errorf("storage version migrator requires garbage collector")
+	}
+
+	if !clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InOrderInformers) {
+		err := fmt.Errorf("storage version migrator requires the InOrderInformers feature gate to be enabled")
+		return nil, err
 	}
 
 	// svm controller can make a lot of requests during migration, keep it fast
-	config := controllerContext.ClientBuilder.ConfigOrDie(controllerName)
+	config, err := controllerContext.NewClientConfig(controllerName)
+	if err != nil {
+		return nil, err
+	}
+
 	config.QPS *= 20
 	config.Burst *= 100
 
-	client := controllerContext.ClientBuilder.ClientOrDie(controllerName)
-	informer := controllerContext.InformerFactory.Storagemigration().V1alpha1().StorageVersionMigrations()
+	client, err := controllerContext.NewClient(controllerName)
+	if err != nil {
+		return nil, err
+	}
+
+	informer := controllerContext.InformerFactory.Storagemigration().V1beta1().StorageVersionMigrations()
 
 	dynamicClient, err := dynamic.NewForConfig(config)
 	if err != nil {
-		return nil, false, err
+		return nil, err
 	}
 
 	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
 	if err != nil {
-		return nil, false, err
+		return nil, err
+	}
+
+	metaClient, err := metadata.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create metadata client for %s: %w", controllerName, err)
 	}
 
-	go svm.NewResourceVersionController(
-		ctx,
-		client,
-		discoveryClient,
-		metadata.NewForConfigOrDie(config),
-		informer,
-		controllerContext.RESTMapper,
-	).Run(ctx)
-
-	svmController := svm.NewSVMController(
-		ctx,
-		client,
-		dynamicClient,
-		informer,
-		controllerName,
-		controllerContext.RESTMapper,
-		controllerContext.GraphBuilder,
-	)
-	go svmController.Run(ctx)
-
-	return svmController, true, nil
+	return newControllerLoop(concurrentRun(
+		svm.NewSVMController(
+			ctx,
+			client,
+			dynamicClient,
+			informer,
+			controllerName,
+			controllerContext.RESTMapper,
+			controllerContext.GraphBuilder,
+		).Run,
+		svm.NewResourceVersionController(
+			ctx,
+			client,
+			discoveryClient,
+			metaClient,
+			informer,
+			controllerContext.RESTMapper,
+		).Run,
+	), controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/app/testing/testserver.go b/cmd/kube-controller-manager/app/testing/testserver.go
index 1b94d26bbd3b2..b8d636b88b370 100644
--- a/cmd/kube-controller-manager/app/testing/testserver.go
+++ b/cmd/kube-controller-manager/app/testing/testserver.go
@@ -20,14 +20,18 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"os"
+	"testing"
 	"time"
 
 	"github.com/spf13/pflag"
 
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilcompatibility "k8s.io/apiserver/pkg/util/compatibility"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
-	restclient "k8s.io/client-go/rest"
+	"k8s.io/component-base/compatibility"
+	"k8s.io/component-base/featuregate"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/app"
@@ -47,11 +51,10 @@ type TearDownFunc func()
 
 // TestServer return values supplied by kube-test-ApiServer
 type TestServer struct {
-	LoopbackClientConfig *restclient.Config // Rest client config using the magic token
-	Options              *options.KubeControllerManagerOptions
-	Config               *kubecontrollerconfig.Config
-	TearDownFn           TearDownFunc // TearDown function
-	TmpDir               string       // Temp Dir used, by the apiserver
+	Options    *options.KubeControllerManagerOptions
+	Config     *kubecontrollerconfig.Config
+	TearDownFn TearDownFunc // TearDown function
+	TmpDir     string       // Temp Dir used, by the apiserver
 }
 
 // StartTestServer starts a kube-controller-manager. A rest client config and a tear-down func,
@@ -60,7 +63,7 @@ type TestServer struct {
 // Note: we return a tear-down func instead of a stop channel because the later will leak temporary
 // files that because Golang testing's call to os.Exit will not give a stop channel go routine
 // enough time to remove temporary files.
-func StartTestServer(ctx context.Context, customFlags []string) (result TestServer, err error) {
+func StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (result TestServer, err error) {
 	logger := klog.FromContext(ctx)
 	ctx, cancel := context.WithCancel(ctx)
 	var errCh chan error
@@ -75,9 +78,6 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 				logger.Error(err, "Failed to shutdown test server cleanly")
 			}
 		}
-		if len(result.TmpDir) != 0 {
-			os.RemoveAll(result.TmpDir)
-		}
 	}
 	defer func() {
 		if result.TearDownFn == nil {
@@ -85,10 +85,7 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 		}
 	}()
 
-	result.TmpDir, err = os.MkdirTemp("", "kube-controller-manager")
-	if err != nil {
-		return result, fmt.Errorf("failed to create temp dir: %v", err)
-	}
+	result.TmpDir = t.TempDir()
 
 	fs := pflag.NewFlagSet("test", pflag.PanicOnError)
 
@@ -96,6 +93,17 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	if err != nil {
 		return TestServer{}, err
 	}
+	// set up new instance of ComponentGlobalsRegistry instead of using the DefaultComponentGlobalsRegistry to avoid contention in parallel tests.
+	featureGate := utilfeature.DefaultMutableFeatureGate.DeepCopy()
+	effectiveVersion := utilcompatibility.DefaultKubeEffectiveVersionForTest()
+	effectiveVersion.SetEmulationVersion(featureGate.EmulationVersion())
+	effectiveVersion.SetMinCompatibilityVersion(featureGate.MinCompatibilityVersion())
+	componentGlobalsRegistry := compatibility.NewComponentGlobalsRegistry()
+	if err := componentGlobalsRegistry.Register(compatibility.DefaultKubeComponent, effectiveVersion, featureGate); err != nil {
+		return result, err
+	}
+	s.ComponentGlobalsRegistry = componentGlobalsRegistry
+
 	all, disabled, aliases := app.KnownControllers(), app.ControllersDisabledByDefault(), app.ControllerAliases()
 	namedFlagSets := s.Flags(all, disabled, aliases)
 	for _, f := range namedFlagSets.FlagSets {
@@ -104,6 +112,24 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	fs.Parse(customFlags)
 	s.ParsedFlags = &namedFlagSets
 
+	if err := s.ComponentGlobalsRegistry.Set(); err != nil {
+		return result, err
+	}
+	// If the local ComponentGlobalsRegistry is changed by the flags,
+	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
+	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
+	}
+	featureOverrides := map[featuregate.Feature]bool{}
+	for f := range utilfeature.DefaultMutableFeatureGate.GetAll() {
+		if featureGate.Enabled(f) != utilfeature.DefaultFeatureGate.Enabled(f) {
+			featureOverrides[f] = featureGate.Enabled(f)
+		}
+	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featureOverrides)
+	}
+
 	if s.SecureServing.BindPort != 0 {
 		s.SecureServing.Listener, s.SecureServing.BindPort, err = createListenerOnFreePort()
 		if err != nil {
@@ -130,7 +156,7 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	}(ctx)
 
 	logger.Info("Waiting for /healthz to be ok...")
-	client, err := kubernetes.NewForConfig(config.LoopbackClientConfig)
+	client, err := kubernetes.NewForConfig(config.Kubeconfig)
 	if err != nil {
 		return result, fmt.Errorf("failed to create a client: %v", err)
 	}
@@ -156,7 +182,6 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	}
 
 	// from here the caller must call tearDown
-	result.LoopbackClientConfig = config.LoopbackClientConfig
 	result.Options = s
 	result.Config = config
 	result.TearDownFn = tearDown
@@ -165,13 +190,12 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 }
 
 // StartTestServerOrDie calls StartTestServer t.Fatal if it does not succeed.
-func StartTestServerOrDie(ctx context.Context, flags []string) *TestServer {
-	result, err := StartTestServer(ctx, flags)
-	if err == nil {
-		return &result
+func StartTestServerOrDie(t *testing.T, ctx context.Context, flags []string) *TestServer {
+	result, err := StartTestServer(t, ctx, flags)
+	if err != nil {
+		t.Fatalf("failed to launch server: %v", err)
 	}
-
-	panic(fmt.Errorf("failed to launch server: %v", err))
+	return &result
 }
 
 func createListenerOnFreePort() (net.Listener, int, error) {
diff --git a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
index ce6e58f693bd6..4ec1431658cf3 100644
--- a/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
+++ b/cmd/kube-controller-manager/app/validatingadmissionpolicystatus.go
@@ -18,13 +18,13 @@ package app
 
 import (
 	"context"
+	"fmt"
 
 	apiextensionsscheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme"
 	pluginvalidatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	"k8s.io/apiserver/pkg/cel/openapi/resolver"
 	k8sscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/component-base/featuregate"
-	"k8s.io/controller-manager/controller"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	"k8s.io/kubernetes/pkg/controller/validatingadmissionpolicystatus"
 	"k8s.io/kubernetes/pkg/generated/openapi"
@@ -33,27 +33,40 @@ import (
 func newValidatingAdmissionPolicyStatusControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                 names.ValidatingAdmissionPolicyStatusController,
-		initFunc:             startValidatingAdmissionPolicyStatusController,
+		constructor:          newValidatingAdmissionPolicyStatusController,
 		requiredFeatureGates: []featuregate.Feature{},
 	}
 }
 
-func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
-	// KCM won't start the controller without the feature gate set.
+func newValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext, controllerName string) (Controller, error) {
+	discoveryClient, err := controllerContext.ClientBuilder.DiscoveryClient(names.ValidatingAdmissionPolicyStatusController)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client for %s: %w", controllerName, err)
+	}
 
 	schemaResolver := resolver.NewDefinitionsSchemaResolver(openapi.GetOpenAPIDefinitions, k8sscheme.Scheme, apiextensionsscheme.Scheme).
-		Combine(&resolver.ClientDiscoveryResolver{Discovery: controllerContext.ClientBuilder.DiscoveryClientOrDie(names.ValidatingAdmissionPolicyStatusController)})
+		Combine(&resolver.ClientDiscoveryResolver{Discovery: discoveryClient})
 
 	typeChecker := &pluginvalidatingadmissionpolicy.TypeChecker{
 		SchemaResolver: schemaResolver,
 		RestMapper:     controllerContext.RESTMapper,
 	}
+
+	client, err := controllerContext.NewClient(names.ValidatingAdmissionPolicyStatusController)
+	if err != nil {
+		return nil, err
+	}
+
 	c, err := validatingadmissionpolicystatus.NewController(
 		controllerContext.InformerFactory.Admissionregistration().V1().ValidatingAdmissionPolicies(),
-		controllerContext.ClientBuilder.ClientOrDie(names.ValidatingAdmissionPolicyStatusController).AdmissionregistrationV1().ValidatingAdmissionPolicies(),
+		client.AdmissionregistrationV1().ValidatingAdmissionPolicies(),
 		typeChecker,
 	)
+	if err != nil {
+		return nil, err
+	}
 
-	go c.Run(ctx, int(controllerContext.ComponentConfig.ValidatingAdmissionPolicyStatusController.ConcurrentPolicySyncs))
-	return nil, true, err
+	return newControllerLoop(func(ctx context.Context) {
+		c.Run(ctx, int(controllerContext.ComponentConfig.ValidatingAdmissionPolicyStatusController.ConcurrentPolicySyncs))
+	}, controllerName), nil
 }
diff --git a/cmd/kube-controller-manager/names/controller_names.go b/cmd/kube-controller-manager/names/controller_names.go
index a09b055ffceb1..216a35050a2e9 100644
--- a/cmd/kube-controller-manager/names/controller_names.go
+++ b/cmd/kube-controller-manager/names/controller_names.go
@@ -36,7 +36,6 @@ package names
 //     2.1. [TODO] logging should use a canonical controller name when referencing a controller (Eg. Starting X, Shutting down X)
 //     2.2. [TODO] emitted events should have an EventSource.Component set to the controller name (usually when initializing an EventRecorder)
 //     2.3. [TODO] registering ControllerManagerMetrics with ControllerStarted and ControllerStopped
-//     2.4. [TODO] calling WaitForNamedCacheSync
 //  3. defining controller options for "--help" command or generated documentation
 //     3.1. controller name should be used to create a pflag.FlagSet when registering controller options (the name is rendered in a controller flag group header) in options.KubeControllerManagerOptions
 //     3.2. when defined flag's help mentions a controller name
diff --git a/cmd/kube-proxy/app/conntrack.go b/cmd/kube-proxy/app/conntrack.go
index 8339512980798..b8a9eda6011dd 100644
--- a/cmd/kube-proxy/app/conntrack.go
+++ b/cmd/kube-proxy/app/conntrack.go
@@ -54,17 +54,12 @@ var errReadOnlySysFS = errors.New("readOnlySysFS")
 
 func (rct realConntracker) SetMax(ctx context.Context, max int) error {
 	logger := klog.FromContext(ctx)
+	logger.Info("Setting nf_conntrack_max", "nfConntrackMax", max)
 	if err := rct.setIntSysCtl(ctx, "nf_conntrack_max", max); err != nil {
 		return err
 	}
-	logger.Info("Setting nf_conntrack_max", "nfConntrackMax", max)
 
-	// Linux does not support writing to /sys/module/nf_conntrack/parameters/hashsize
-	// when the writer process is not in the initial network namespace
-	// (https://github.com/torvalds/linux/blob/v4.10/net/netfilter/nf_conntrack_core.c#L1795-L1796).
-	// Usually that's fine. But in some configurations such as with github.com/kinvolk/kubeadm-nspawn,
-	// kube-proxy is in another netns.
-	// Therefore, check if writing in hashsize is necessary and skip the writing if not.
+	// Check if hashsize is large enough for the nf_conntrack_max value.
 	hashsize, err := readIntStringFile("/sys/module/nf_conntrack/parameters/hashsize")
 	if err != nil {
 		return err
@@ -73,13 +68,12 @@ func (rct realConntracker) SetMax(ctx context.Context, max int) error {
 		return nil
 	}
 
-	// sysfs is expected to be mounted as 'rw'. However, it may be
-	// unexpectedly mounted as 'ro' by docker because of a known docker
-	// issue (https://github.com/docker/docker/issues/24000). Setting
-	// conntrack will fail when sysfs is readonly. When that happens, we
-	// don't set conntrack hashsize and return a special error
-	// errReadOnlySysFS here. The caller should deal with
-	// errReadOnlySysFS differently.
+	// sysfs is expected to be mounted as 'rw'. However, it may be unexpectedly
+	// mounted as 'ro' by docker because of known bugs (https://issues.k8s.io/134108).
+	// In that case we return a special error errReadOnlySysFS here, which the caller
+	// should deal with specially.
+	//
+	// TODO: this workaround can go away once we no longer support containerd 1.7.
 	writable, err := rct.isSysFSWritable(ctx)
 	if err != nil {
 		return err
@@ -87,7 +81,7 @@ func (rct realConntracker) SetMax(ctx context.Context, max int) error {
 	if !writable {
 		return errReadOnlySysFS
 	}
-	// TODO: generify this and sysctl to a new sysfs.WriteInt()
+
 	logger.Info("Setting conntrack hashsize", "conntrackHashsize", max/4)
 	return writeIntStringFile("/sys/module/nf_conntrack/parameters/hashsize", max/4)
 }
diff --git a/cmd/kube-proxy/app/options.go b/cmd/kube-proxy/app/options.go
index 0f33a0ac0bde3..ff7d349d2e9f5 100644
--- a/cmd/kube-proxy/app/options.go
+++ b/cmd/kube-proxy/app/options.go
@@ -28,11 +28,11 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apiserver/pkg/server/flagz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	cliflag "k8s.io/component-base/cli/flag"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	"k8s.io/kube-proxy/config/v1alpha1"
 	"k8s.io/kubernetes/pkg/cluster/ports"
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index f5771e397cf5c..308e286e8fad2 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -34,14 +34,15 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/mux"
 	"k8s.io/apiserver/pkg/server/routes"
+	"k8s.io/apiserver/pkg/server/statusz"
 	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
@@ -62,8 +63,6 @@ import (
 	"k8s.io/component-base/version"
 	"k8s.io/component-base/version/verflag"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
-	"k8s.io/component-base/zpages/statusz"
 	nodeutil "k8s.io/component-helpers/node/util"
 	"k8s.io/klog/v2"
 	api "k8s.io/kubernetes/pkg/apis/core"
@@ -236,10 +235,10 @@ func newProxyServer(ctx context.Context, config *kubeproxyconfig.KubeProxyConfig
 	s.Recorder = s.Broadcaster.NewRecorder(proxyconfigscheme.Scheme, kubeProxy)
 
 	s.NodeRef = &v1.ObjectReference{
-		Kind:      "Node",
-		Name:      s.NodeName,
-		UID:       types.UID(s.NodeName),
-		Namespace: "",
+		APIVersion: "v1",
+		Kind:       "Node",
+		Name:       s.NodeName,
+		Namespace:  "",
 	}
 
 	if len(config.HealthzBindAddress) > 0 {
@@ -440,7 +439,7 @@ func serveHealthz(ctx context.Context, hz *healthcheck.ProxyHealthServer, errCh
 		return
 	}
 
-	fn := func() {
+	fn := func(ctx context.Context) {
 		err := hz.Run(ctx)
 		if err != nil {
 			logger.Error(err, "Healthz server failed")
@@ -454,7 +453,7 @@ func serveHealthz(ctx context.Context, hz *healthcheck.ProxyHealthServer, errCh
 			logger.Error(nil, "Healthz server returned without error")
 		}
 	}
-	go wait.Until(fn, 5*time.Second, ctx.Done())
+	go wait.UntilWithContext(ctx, fn, 5*time.Second)
 }
 
 func serveMetrics(ctx context.Context, bindAddress string, proxyMode kubeproxyconfig.ProxyMode, enableProfiling bool, flagzReader flagz.Reader, errCh chan error) {
@@ -486,15 +485,18 @@ func serveMetrics(ctx context.Context, bindAddress string, proxyMode kubeproxyco
 	}
 
 	if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
-		statusz.Install(proxyMux, kubeProxy, statusz.NewRegistry(compatibility.DefaultBuildEffectiveVersion()))
+		reg := statusz.NewRegistry(
+			compatibility.DefaultBuildEffectiveVersion(),
+			statusz.WithListedPaths(proxyMux.ListedPaths()),
+		)
+		statusz.Install(proxyMux, kubeProxy, reg)
 	}
 
-	fn := func() {
+	fn := func(ctx context.Context) {
 		var err error
 		defer func() {
 			if err != nil {
-				err = fmt.Errorf("starting metrics server failed: %w", err)
-				utilruntime.HandleError(err)
+				utilruntime.HandleErrorWithContext(ctx, err, "starting metrics server failed")
 				if errCh != nil {
 					errCh <- err
 					// if in hardfail mode, never retry again
@@ -516,7 +518,7 @@ func serveMetrics(ctx context.Context, bindAddress string, proxyMode kubeproxyco
 		}
 
 	}
-	go wait.Until(fn, 5*time.Second, wait.NeverStop)
+	go wait.UntilWithContext(ctx, fn, 5*time.Second)
 }
 
 // Run runs the specified ProxyServer.  This should never exit (unless CleanupAndExit is set).
diff --git a/cmd/kube-proxy/app/server_linux.go b/cmd/kube-proxy/app/server_linux.go
index d355d23746e52..d75d597dda1cf 100644
--- a/cmd/kube-proxy/app/server_linux.go
+++ b/cmd/kube-proxy/app/server_linux.go
@@ -90,17 +90,21 @@ func (s *ProxyServer) platformCheckSupported(ctx context.Context) (ipv4Supported
 
 	if isIPTablesBased(s.Config.Mode) {
 		// Check for the iptables and ip6tables binaries.
-		ipts, errDS := utiliptables.NewDualStack()
+		errv4 := utiliptables.New(utiliptables.ProtocolIPv4).Present()
+		errv6 := utiliptables.New(utiliptables.ProtocolIPv6).Present()
 
-		ipv4Supported = ipts[v1.IPv4Protocol] != nil
-		ipv6Supported = ipts[v1.IPv6Protocol] != nil
+		ipv4Supported = errv4 == nil
+		ipv6Supported = errv6 == nil
 
 		if !ipv4Supported && !ipv6Supported {
-			err = fmt.Errorf("iptables is not available on this host : %w", errDS)
+			// errv4 and errv6 are almost certainly the same underlying error
+			// ("iptables isn't installed" or "kernel modules not available")
+			// so it doesn't make sense to try to combine them.
+			err = fmt.Errorf("iptables is not available on this host : %w", errv4)
 		} else if !ipv4Supported {
-			logger.Info("No iptables support for family", "ipFamily", v1.IPv4Protocol, "error", errDS)
+			logger.Info("No iptables support for family", "ipFamily", v1.IPv4Protocol, "error", errv4)
 		} else if !ipv6Supported {
-			logger.Info("No iptables support for family", "ipFamily", v1.IPv6Protocol, "error", errDS)
+			logger.Info("No iptables support for family", "ipFamily", v1.IPv6Protocol, "error", errv6)
 		}
 	} else {
 		// The nft CLI always supports both families.
@@ -130,7 +134,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 
 	if config.Mode == proxyconfigapi.ProxyModeIPTables {
 		logger.Info("Using iptables Proxier")
-		ipts, _ := utiliptables.NewDualStack()
+		ipts := utiliptables.NewBestEffort()
 
 		if dualStack {
 			// TODO this has side effects that should only happen when Run() is invoked.
@@ -184,9 +188,12 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 		if err := ipvs.CanUseIPVSProxier(ctx, ipvsInterface, ipsetInterface, config.IPVS.Scheduler); err != nil {
 			return nil, fmt.Errorf("can't use the IPVS proxier: %v", err)
 		}
-		ipts, _ := utiliptables.NewDualStack()
+		ipts := utiliptables.NewBestEffort()
 
 		logger.Info("Using ipvs Proxier")
+		message := "The ipvs proxier is now deprecated and may be removed in a future release. Please use 'nftables' instead."
+		logger.Error(nil, message)
+		s.Recorder.Eventf(s.NodeRef, nil, v1.EventTypeWarning, "IPVSDeprecation", "StartKubeProxy", message)
 		if dualStack {
 			proxier, err = ipvs.NewDualStackProxier(
 				ctx,
@@ -300,13 +307,9 @@ func (s *ProxyServer) setupConntrack(ctx context.Context, ct Conntracker) error
 			if err != errReadOnlySysFS {
 				return err
 			}
-			// errReadOnlySysFS is caused by a known docker issue (https://github.com/docker/docker/issues/24000),
-			// the only remediation we know is to restart the docker daemon.
-			// Here we'll send an node event with specific reason and message, the
-			// administrator should decide whether and how to handle this issue,
-			// whether to drain the node and restart docker.  Occurs in other container runtimes
-			// as well.
-			// TODO(random-liu): Remove this when the docker bug is fixed.
+			// errReadOnlySysFS means we ran into a known container runtim bug
+			// (https://issues.k8s.io/134108). For historical reasons we ignore
+			// this problem and just alert the admin that it occurred.
 			const message = "CRI error: /sys is read-only: " +
 				"cannot modify conntrack limits, problems may arise later (If running Docker, see docker issue #24000)"
 			s.Recorder.Eventf(s.NodeRef, nil, v1.EventTypeWarning, err.Error(), "StartKubeProxy", message)
diff --git a/cmd/kube-proxy/app/server_test.go b/cmd/kube-proxy/app/server_test.go
index f95f55391a248..4c85915d91330 100644
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -21,9 +21,16 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/server/statusz"
+	"k8s.io/apiserver/pkg/util/compatibility"
+
 	v1 "k8s.io/api/core/v1"
 	kubeproxyconfig "k8s.io/kubernetes/pkg/proxy/apis/config"
 	"k8s.io/kubernetes/test/utils/ktesting"
@@ -59,6 +66,23 @@ func (s *fakeProxyServerError) CleanupAndExit() error {
 	return errors.New("mocking error from ProxyServer.CleanupAndExit()")
 }
 
+// fakeMux matches the statusz mux interface used by statusz.Install:
+// it needs Handle(path, handler) and ListedPaths().
+type fakeMux struct {
+	handlers map[string]http.Handler
+	paths    []string
+}
+
+func newFakeMux(paths []string) *fakeMux {
+	return &fakeMux{
+		handlers: make(map[string]http.Handler),
+		paths:    paths,
+	}
+}
+
+func (m *fakeMux) Handle(path string, h http.Handler) { m.handlers[path] = h }
+func (m *fakeMux) ListedPaths() []string              { return m.paths }
+
 func Test_detectNodeIPs(t *testing.T) {
 	cases := []struct {
 		name           string
@@ -565,3 +589,58 @@ func Test_checkBadIPConfig(t *testing.T) {
 		})
 	}
 }
+func TestStatuszRegistryReceivesListedPaths(t *testing.T) {
+	wantPaths := []string{"/livez", "/readyz", "/healthz", statusz.DefaultStatuszPath}
+	m := newFakeMux(wantPaths)
+
+	reg := statusz.NewRegistry(
+		compatibility.DefaultBuildEffectiveVersion(),
+		statusz.WithListedPaths(m.ListedPaths()),
+	)
+	statusz.Install(m, "kube-proxy", reg)
+
+	h, ok := m.handlers[statusz.DefaultStatuszPath]
+	if !ok {
+		t.Fatalf("statusz handler not installed at %q", statusz.DefaultStatuszPath)
+	}
+
+	req := httptest.NewRequest(http.MethodGet, statusz.DefaultStatuszPath, nil)
+	req.Header.Add("Accept", "text/plain")
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected 200 OK, got %d; body:\n%s", rr.Code, rr.Body.String())
+	}
+
+	body := rr.Body.String()
+
+	// Look for the "Paths" line manually instead of regex
+	lines := strings.Split(body, "\n")
+	var foundPathsLine string
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "Paths") {
+			foundPathsLine = line
+			break
+		}
+	}
+	if foundPathsLine == "" {
+		t.Fatalf("failed to find Paths line in body:\n%s", body)
+	}
+
+	fields := strings.Fields(foundPathsLine)
+	if len(fields) < 2 {
+		t.Fatalf("unexpected format in Paths line: %q", foundPathsLine)
+	}
+	gotPaths := fields[1:]
+
+	// Use sets for order-independent comparison
+	wantSet := sets.New[string](wantPaths...)
+	gotSet := sets.New[string](gotPaths...)
+
+	if !wantSet.Equal(gotSet) {
+		t.Errorf("statusz listed paths mismatch.\nwant: %v\ngot:  %v\nbody:\n%s",
+			wantSet.UnsortedList(), gotSet.UnsortedList(), body)
+	}
+}
diff --git a/cmd/kube-scheduler/app/config/config.go b/cmd/kube-scheduler/app/config/config.go
index 2dbc07bdbe03f..8c91c23a60ed4 100644
--- a/cmd/kube-scheduler/app/config/config.go
+++ b/cmd/kube-scheduler/app/config/config.go
@@ -20,6 +20,7 @@ import (
 	"time"
 
 	apiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/client-go/dynamic/dynamicinformer"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
@@ -27,7 +28,6 @@ import (
 	"k8s.io/client-go/tools/events"
 	"k8s.io/client-go/tools/leaderelection"
 	basecompatibility "k8s.io/component-base/compatibility"
-	"k8s.io/component-base/zpages/flagz"
 	kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
 )
 
@@ -39,9 +39,6 @@ type Config struct {
 	// ComponentConfig is the scheduler server's configuration object.
 	ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
 
-	// LoopbackClientConfig is a config for a privileged loopback connection
-	LoopbackClientConfig *restclient.Config
-
 	Authentication apiserver.AuthenticationInfo
 	Authorization  apiserver.AuthorizationInfo
 	SecureServing  *apiserver.SecureServingInfo
@@ -84,7 +81,5 @@ type CompletedConfig struct {
 func (c *Config) Complete() CompletedConfig {
 	cc := completedConfig{c}
 
-	apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
-
 	return CompletedConfig{&cc}
 }
diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go
index e29894dc7fd30..67bbd791c9d29 100644
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
@@ -27,6 +27,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apiserver/pkg/server/flagz"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -47,7 +48,6 @@ import (
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/component-base/metrics"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/scheduler"
@@ -63,7 +63,7 @@ type Options struct {
 	// The default values.
 	ComponentConfig *kubeschedulerconfig.KubeSchedulerConfiguration
 
-	SecureServing  *apiserveroptions.SecureServingOptionsWithLoopback
+	SecureServing  *apiserveroptions.SecureServingOptions
 	Authentication *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization  *apiserveroptions.DelegatingAuthorizationOptions
 	Metrics        *metrics.Options
@@ -103,7 +103,7 @@ func NewOptions() *Options {
 
 func NewOptionsWithComponentGlobalsRegistry(componentGlobalsRegistry basecompatibility.ComponentGlobalsRegistry) *Options {
 	o := &Options{
-		SecureServing:  apiserveroptions.NewSecureServingOptions().WithLoopback(),
+		SecureServing:  apiserveroptions.NewSecureServingOptions(),
 		Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
 		Authorization:  apiserveroptions.NewDelegatingAuthorizationOptions(),
 		Deprecated: &DeprecatedOptions{
@@ -260,7 +260,7 @@ func (o *Options) ApplyTo(logger klog.Logger, c *schedulerappconfig.Config) erro
 	}
 	c.KubeConfig = kubeConfig
 
-	if err := o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
+	if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
 	if o.SecureServing != nil && (o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil) {
diff --git a/cmd/kube-scheduler/app/options/options_test.go b/cmd/kube-scheduler/app/options/options_test.go
index 518daa0736b91..2e35f373f3271 100644
--- a/cmd/kube-scheduler/app/options/options_test.go
+++ b/cmd/kube-scheduler/app/options/options_test.go
@@ -306,7 +306,7 @@ profiles:
 						PairName:      "kube-scheduler",
 					},
 					HTTP2MaxStreamsPerConnection: 47,
-				}).WithLoopback(),
+				}),
 				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 					CacheTTL:   10 * time.Second,
 					ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
@@ -413,7 +413,7 @@ profiles:
 						PairName:      "kube-scheduler",
 					},
 					HTTP2MaxStreamsPerConnection: 47,
-				}).WithLoopback(),
+				}),
 				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 					CacheTTL:   10 * time.Second,
 					ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
@@ -487,7 +487,7 @@ profiles:
 						PairName:      "kube-scheduler",
 					},
 					HTTP2MaxStreamsPerConnection: 47,
-				}).WithLoopback(),
+				}),
 				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 					CacheTTL: 10 * time.Second,
 					RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
diff --git a/cmd/kube-scheduler/app/server.go b/cmd/kube-scheduler/app/server.go
index 9a8eb04dacd01..0468a6921cd69 100644
--- a/cmd/kube-scheduler/app/server.go
+++ b/cmd/kube-scheduler/app/server.go
@@ -37,9 +37,11 @@ import (
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/mux"
 	"k8s.io/apiserver/pkg/server/routes"
+	"k8s.io/apiserver/pkg/server/statusz"
 	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
@@ -60,8 +62,6 @@ import (
 	utilversion "k8s.io/component-base/version"
 	"k8s.io/component-base/version/verflag"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
-	"k8s.io/component-base/zpages/statusz"
 	"k8s.io/klog/v2"
 	schedulerserverconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/cmd/kube-scheduler/app/options"
@@ -402,7 +402,7 @@ func newEndpointsHandler(config *kubeschedulerconfig.KubeSchedulerConfiguration,
 	}
 
 	if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
-		statusz.Install(pathRecorderMux, kubeScheduler, statusz.NewRegistry(compatibility.DefaultBuildEffectiveVersion()))
+		statusz.Install(pathRecorderMux, kubeScheduler, statusz.NewRegistry(compatibility.DefaultBuildEffectiveVersion(), statusz.WithListedPaths(pathRecorderMux.ListedPaths())))
 	}
 
 	return pathRecorderMux
diff --git a/cmd/kube-scheduler/app/server_test.go b/cmd/kube-scheduler/app/server_test.go
index 1d012a8c36a04..6e418cb8c1bf1 100644
--- a/cmd/kube-scheduler/app/server_test.go
+++ b/cmd/kube-scheduler/app/server_test.go
@@ -44,7 +44,6 @@ import (
 	"k8s.io/kubernetes/cmd/kube-scheduler/app/options"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/testing/defaults"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 func TestSetup(t *testing.T) {
@@ -272,6 +271,7 @@ leaderElection:
 					plugins.Score.Enabled = []config.Plugin{
 						{Name: "InterPodAffinity", Weight: 1},
 						{Name: "TaintToleration", Weight: 1},
+						{Name: "DynamicResources", Weight: 1},
 					}
 					return plugins
 				}(),
@@ -510,22 +510,22 @@ leaderElection:
 // Simulates an out-of-tree plugin.
 type foo struct{}
 
-var _ framework.PreFilterPlugin = &foo{}
-var _ framework.FilterPlugin = &foo{}
+var _ fwk.PreFilterPlugin = &foo{}
+var _ fwk.FilterPlugin = &foo{}
 
 func (*foo) Name() string {
 	return "Foo"
 }
 
-func newFoo(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newFoo(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &foo{}, nil
 }
 
-func (*foo) PreFilter(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _ []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (*foo) PreFilter(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _ []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	return nil, nil
 }
 
-func (*foo) PreFilterExtensions() framework.PreFilterExtensions {
+func (*foo) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
diff --git a/cmd/kube-scheduler/app/testing/testserver.go b/cmd/kube-scheduler/app/testing/testserver.go
index 28ce7bad9de27..f76bd4badf3e2 100644
--- a/cmd/kube-scheduler/app/testing/testserver.go
+++ b/cmd/kube-scheduler/app/testing/testserver.go
@@ -20,7 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"os"
+	"testing"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -29,9 +29,10 @@ import (
 	utilcompatibility "k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
-	restclient "k8s.io/client-go/rest"
 	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/configz"
+	"k8s.io/component-base/featuregate"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-scheduler/app"
@@ -51,11 +52,10 @@ type TearDownFunc func()
 
 // TestServer return values supplied by kube-test-ApiServer
 type TestServer struct {
-	LoopbackClientConfig *restclient.Config // Rest client config using the magic token
-	Options              *options.Options
-	Config               *kubeschedulerconfig.Config
-	TearDownFn           TearDownFunc // TearDown function
-	TmpDir               string       // Temp Dir used, by the apiserver
+	Options    *options.Options
+	Config     *kubeschedulerconfig.Config
+	TearDownFn TearDownFunc // TearDown function
+	TmpDir     string       // Temp Dir used, by the apiserver
 }
 
 // StartTestServer starts a kube-scheduler. A rest client config and a tear-down func,
@@ -65,7 +65,7 @@ type TestServer struct {
 //
 //	files that because Golang testing's call to os.Exit will not give a stop channel go routine
 //	enough time to remove temporary files.
-func StartTestServer(ctx context.Context, customFlags []string) (result TestServer, err error) {
+func StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (result TestServer, err error) {
 	logger := klog.FromContext(ctx)
 	ctx, cancel := context.WithCancel(ctx)
 
@@ -81,9 +81,6 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 				logger.Error(err, "Failed to shutdown test server clearly")
 			}
 		}
-		if len(result.TmpDir) != 0 {
-			os.RemoveAll(result.TmpDir)
-		}
 		configz.Delete("componentconfig")
 	}
 	defer func() {
@@ -92,10 +89,7 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 		}
 	}()
 
-	result.TmpDir, err = os.MkdirTemp("", "kube-scheduler")
-	if err != nil {
-		return result, fmt.Errorf("failed to create temp dir: %v", err)
-	}
+	result.TmpDir = t.TempDir()
 
 	fs := pflag.NewFlagSet("test", pflag.PanicOnError)
 
@@ -104,6 +98,7 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	featureGate := utilfeature.DefaultMutableFeatureGate.DeepCopy()
 	effectiveVersion := utilcompatibility.DefaultKubeEffectiveVersionForTest()
 	effectiveVersion.SetEmulationVersion(featureGate.EmulationVersion())
+	effectiveVersion.SetMinCompatibilityVersion(featureGate.MinCompatibilityVersion())
 	componentGlobalsRegistry := compatibility.NewComponentGlobalsRegistry()
 	if err := componentGlobalsRegistry.Register(compatibility.DefaultKubeComponent, effectiveVersion, featureGate); err != nil {
 		return result, err
@@ -120,18 +115,18 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	}
 	// If the local ComponentGlobalsRegistry is changed by the flags,
 	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
-	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) {
-		if err := utilfeature.DefaultMutableFeatureGate.SetEmulationVersion(effectiveVersion.EmulationVersion()); err != nil {
-			return result, err
-		}
+	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
 	}
+	featureOverrides := map[featuregate.Feature]bool{}
 	for f := range utilfeature.DefaultMutableFeatureGate.GetAll() {
 		if featureGate.Enabled(f) != utilfeature.DefaultFeatureGate.Enabled(f) {
-			if err := utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=%v", f, featureGate.Enabled(f))); err != nil {
-				return result, err
-			}
+			featureOverrides[f] = featureGate.Enabled(f)
 		}
 	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featureOverrides)
+	}
 
 	if opts.SecureServing.BindPort != 0 {
 		opts.SecureServing.Listener, opts.SecureServing.BindPort, err = createListenerOnFreePort()
@@ -143,6 +138,9 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 		logger.Info("kube-scheduler will listen securely", "port", opts.SecureServing.BindPort)
 	}
 
+	// Always exempt /healthz from authorization because we use it to verify startup below.
+	opts.Authorization.AlwaysAllowPaths = append(opts.Authorization.AlwaysAllowPaths, "/healthz")
+
 	cc, sched, err := app.Setup(ctx, opts)
 	if err != nil {
 		return result, fmt.Errorf("failed to create config from options: %v", err)
@@ -157,10 +155,22 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	}(ctx)
 
 	logger.Info("Waiting for /healthz to be ok...")
-	client, err := kubernetes.NewForConfig(cc.LoopbackClientConfig)
+
+	// Cannot use cc.Kubeconfig since it is overwritten to point to kube-apiserver,
+	// build our own client instead.
+	serverCert, _ := cc.SecureServing.Cert.CurrentCertKeyContent()
+	clientConfig, err := cc.SecureServing.NewClientConfig(serverCert)
 	if err != nil {
-		return result, fmt.Errorf("failed to create a client: %v", err)
+		return result, fmt.Errorf("getting secure serving rest config %w", err)
 	}
+
+	// The server cert only includes IPv4 localhost, not IPv6.
+	clientConfig.TLSClientConfig.ServerName = "127.0.0.1"
+	client, err := kubernetes.NewForConfig(clientConfig)
+	if err != nil {
+		return result, fmt.Errorf("creating client: %w", err)
+	}
+
 	err = wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (bool, error) {
 		select {
 		case err := <-errCh:
@@ -168,12 +178,12 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 		default:
 		}
 
-		result := client.CoreV1().RESTClient().Get().AbsPath("/healthz").Do(ctx)
 		status := 0
-		result.StatusCode(&status)
+		client.CoreV1().RESTClient().Get().AbsPath("/healthz").Do(ctx).StatusCode(&status)
 		if status == 200 {
 			return true, nil
 		}
+
 		return false, nil
 	})
 	if err != nil {
@@ -181,7 +191,6 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 	}
 
 	// from here the caller must call tearDown
-	result.LoopbackClientConfig = cc.LoopbackClientConfig
 	result.Options = opts
 	result.Config = cc.Config
 	result.TearDownFn = tearDown
@@ -190,13 +199,12 @@ func StartTestServer(ctx context.Context, customFlags []string) (result TestServ
 }
 
 // StartTestServerOrDie calls StartTestServer panic if it does not succeed.
-func StartTestServerOrDie(ctx context.Context, flags []string) *TestServer {
-	result, err := StartTestServer(ctx, flags)
-	if err == nil {
-		return &result
+func StartTestServerOrDie(t *testing.T, ctx context.Context, flags []string) *TestServer {
+	result, err := StartTestServer(t, ctx, flags)
+	if err != nil {
+		t.Fatalf("failed to launch server: %v", err)
 	}
-
-	panic(fmt.Errorf("failed to launch server: %v", err))
+	return &result
 }
 
 func createListenerOnFreePort() (net.Listener, int, error) {
diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
index e7616542eafe2..3d311930e767f 100644
--- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
+++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
@@ -37,6 +37,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 		fuzzDNS,
 		fuzzNodeRegistration,
 		fuzzLocalEtcd,
+		fuzzExternalEtcd,
 		fuzzNetworking,
 		fuzzJoinConfiguration,
 		fuzzJoinControlPlane,
@@ -116,6 +117,15 @@ func fuzzLocalEtcd(obj *kubeadm.LocalEtcd, c randfill.Continue) {
 	obj.DataDir = "foo"
 }
 
+// TODO: Remove this once v1beta3 API was removed.
+func fuzzExternalEtcd(obj *kubeadm.ExternalEtcd, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	// Ensure HTTPEndpoints equals Endpoints to maintain roundtrip compatibility
+	// with v1beta3 which doesn't have HTTPEndpoints field
+	obj.HTTPEndpoints = obj.Endpoints
+}
+
 func fuzzNetworking(obj *kubeadm.Networking, c randfill.Continue) {
 	c.FillNoCustom(obj)
 
diff --git a/cmd/kubeadm/app/apis/kubeadm/types.go b/cmd/kubeadm/app/apis/kubeadm/types.go
index ee693873f7dfd..4b7acc2fe325c 100644
--- a/cmd/kubeadm/app/apis/kubeadm/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types.go
@@ -140,10 +140,12 @@ type ClusterConfiguration struct {
 	// +k8s:conversion-gen=false
 	CIImageRepository string
 
-	// FeatureGates enabled by the user.
+	// FeatureGates holds kubeadm-specific feature gates enabled by the user.
 	FeatureGates map[string]bool
 
-	// The cluster name
+	// The cluster name. This name will be used in kubeconfig files generated by kubeadm
+	// and will also be passed as a value to the kube-controller-manager's --cluster-name flag.
+	// Default value is 'kubernetes'.
 	ClusterName string
 
 	// EncryptionAlgorithm holds the type of asymmetric encryption algorithm used for keys and certificates.
@@ -165,6 +167,7 @@ type ControlPlaneComponent struct {
 	// An argument name in this list is the flag name as it appears on the
 	// command line except without leading dash(es). Extra arguments will override existing
 	// default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	ExtraArgs []Arg
 
 	// ExtraVolumes is an extra set of host volumes, mounted to the control plane component.
@@ -247,6 +250,7 @@ type NodeRegistrationOptions struct {
 	// Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
 	// An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
 	// Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	KubeletExtraArgs []Arg
 
 	// IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
@@ -286,7 +290,8 @@ type Etcd struct {
 
 // LocalEtcd describes that kubeadm should run an etcd cluster locally
 type LocalEtcd struct {
-	// ImageMeta allows to customize the container used for etcd
+	// ImageMeta allows to customize the container image used for etcd. Passing a custom etcd image
+	// tells kubeadm upgrade that this image is user-managed and that its upgrade must be skipped.
 	ImageMeta `json:",inline"`
 
 	// DataDir is the directory etcd will place its data.
@@ -298,6 +303,7 @@ type LocalEtcd struct {
 	// An argument name in this list is the flag name as it appears on the
 	// command line except without leading dash(es). Extra arguments will override existing
 	// default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	ExtraArgs []Arg
 
 	// ExtraEnvs is an extra set of environment variables to pass to the control plane component.
@@ -313,10 +319,23 @@ type LocalEtcd struct {
 
 // ExternalEtcd describes an external etcd cluster
 type ExternalEtcd struct {
-
-	// Endpoints of etcd members. Useful for using external etcd.
-	// If not provided, kubeadm will run etcd in a static pod.
+	// Endpoints of etcd members. Required when using external etcd.
+	// Specifies the client URLs (usually gRPC endpoints) for etcd communication.
+	// By default, these endpoints handle both gRPC traffic (primary etcd protocol)
+	// and HTTP traffic (metrics, health checks). However, if HTTPEndpoints is configured,
+	// the gRPC and HTTP traffic can be separated for better security and performance.
+	// Corresponds to etcd's --listen-client-urls configuration.
 	Endpoints []string
+
+	// HTTPEndpoints are the dedicated HTTP endpoints for etcd communication.
+	// When configured, HTTP traffic (such as /metrics and /health endpoints) is separated
+	// from the gRPC traffic handled by Endpoints. This separation allows for better access
+	// control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+	// Corresponds to etcd's --listen-client-http-urls configuration.
+	// If not provided, Endpoints will be used for both gRPC and HTTP traffic.
+	// +optional
+	HTTPEndpoints []string
+
 	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
 	CAFile string
 	// CertFile is an SSL certification file used to secure etcd communication.
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/conversion.go
index ee882cf669da8..5d9e6b6c0adba 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/conversion.go
@@ -161,3 +161,17 @@ func convertFromArgs(in []kubeadm.Arg) map[string]string {
 func Convert_v1beta3_APIServer_To_kubeadm_APIServer(in *APIServer, out *kubeadm.APIServer, s conversion.Scope) error {
 	return autoConvert_v1beta3_APIServer_To_kubeadm_APIServer(in, out, s)
 }
+
+// Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd converts a private ExternalEtcd to public ExternalEtcd.
+func Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in *kubeadm.ExternalEtcd, out *ExternalEtcd, s conversion.Scope) error {
+	return autoConvert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in, out, s)
+}
+
+// Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd converts a public ExternalEtcd to private ExternalEtcd.
+// It is required due to missing HTTPEndpoints in v1beta3.
+func Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd, out *kubeadm.ExternalEtcd, s conversion.Scope) error {
+	// set the HTTPEndpoints to the same as the Endpoints
+	// this is to maintain backwards compatibility with the v1beta3 API
+	out.HTTPEndpoints = in.Endpoints
+	return autoConvert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in, out, s)
+}
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
index f46ce0fdaef89..74aa4d79744d4 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
@@ -129,11 +129,13 @@ type ClusterConfiguration struct {
 	// +optional
 	ImageRepository string `json:"imageRepository,omitempty"`
 
-	// FeatureGates enabled by the user.
+	// FeatureGates holds kubeadm-specific feature gates enabled by the user.
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 
-	// The cluster name
+	// The cluster name. This name will be used in kubeconfig files generated by kubeadm
+	// and will also be passed as a value to the kube-controller-manager's --cluster-name flag.
+	// Default value is 'kubernetes'.
 	// +optional
 	ClusterName string `json:"clusterName,omitempty"`
 }
@@ -270,7 +272,8 @@ type Etcd struct {
 
 // LocalEtcd describes that kubeadm should run an etcd cluster locally
 type LocalEtcd struct {
-	// ImageMeta allows to customize the container used for etcd
+	// ImageMeta allows to customize the container image used for etcd. Passing a custom etcd image
+	// tells kubeadm upgrade that this image is user-managed and that its upgrade must be skipped.
 	ImageMeta `json:",inline"`
 
 	// DataDir is the directory etcd will place its data.
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/zz_generated.conversion.go
index 3e8c3f69eb301..609d7d06389e8 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/zz_generated.conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/zz_generated.conversion.go
@@ -89,16 +89,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*ExternalEtcd)(nil), (*kubeadm.ExternalEtcd)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(a.(*ExternalEtcd), b.(*kubeadm.ExternalEtcd), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*kubeadm.ExternalEtcd)(nil), (*ExternalEtcd)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(a.(*kubeadm.ExternalEtcd), b.(*ExternalEtcd), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*FileDiscovery)(nil), (*kubeadm.FileDiscovery)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta3_FileDiscovery_To_kubeadm_FileDiscovery(a.(*FileDiscovery), b.(*kubeadm.FileDiscovery), scope)
 	}); err != nil {
@@ -174,6 +164,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*kubeadm.ExternalEtcd)(nil), (*ExternalEtcd)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(a.(*kubeadm.ExternalEtcd), b.(*ExternalEtcd), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*kubeadm.InitConfiguration)(nil), (*InitConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_kubeadm_InitConfiguration_To_v1beta3_InitConfiguration(a.(*kubeadm.InitConfiguration), b.(*InitConfiguration), scope)
 	}); err != nil {
@@ -209,6 +204,11 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*ExternalEtcd)(nil), (*kubeadm.ExternalEtcd)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(a.(*ExternalEtcd), b.(*kubeadm.ExternalEtcd), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddConversionFunc((*InitConfiguration)(nil), (*kubeadm.InitConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta3_InitConfiguration_To_kubeadm_InitConfiguration(a.(*InitConfiguration), b.(*kubeadm.InitConfiguration), scope)
 	}); err != nil {
@@ -435,7 +435,15 @@ func autoConvert_v1beta3_Etcd_To_kubeadm_Etcd(in *Etcd, out *kubeadm.Etcd, s con
 	} else {
 		out.Local = nil
 	}
-	out.External = (*kubeadm.ExternalEtcd)(unsafe.Pointer(in.External))
+	if in.External != nil {
+		in, out := &in.External, &out.External
+		*out = new(kubeadm.ExternalEtcd)
+		if err := Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.External = nil
+	}
 	return nil
 }
 
@@ -454,7 +462,15 @@ func autoConvert_kubeadm_Etcd_To_v1beta3_Etcd(in *kubeadm.Etcd, out *Etcd, s con
 	} else {
 		out.Local = nil
 	}
-	out.External = (*ExternalEtcd)(unsafe.Pointer(in.External))
+	if in.External != nil {
+		in, out := &in.External, &out.External
+		*out = new(ExternalEtcd)
+		if err := Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.External = nil
+	}
 	return nil
 }
 
@@ -471,24 +487,15 @@ func autoConvert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd,
 	return nil
 }
 
-// Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd is an autogenerated conversion function.
-func Convert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd, out *kubeadm.ExternalEtcd, s conversion.Scope) error {
-	return autoConvert_v1beta3_ExternalEtcd_To_kubeadm_ExternalEtcd(in, out, s)
-}
-
 func autoConvert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in *kubeadm.ExternalEtcd, out *ExternalEtcd, s conversion.Scope) error {
 	out.Endpoints = *(*[]string)(unsafe.Pointer(&in.Endpoints))
+	// WARNING: in.HTTPEndpoints requires manual conversion: does not exist in peer-type
 	out.CAFile = in.CAFile
 	out.CertFile = in.CertFile
 	out.KeyFile = in.KeyFile
 	return nil
 }
 
-// Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd is an autogenerated conversion function.
-func Convert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in *kubeadm.ExternalEtcd, out *ExternalEtcd, s conversion.Scope) error {
-	return autoConvert_kubeadm_ExternalEtcd_To_v1beta3_ExternalEtcd(in, out, s)
-}
-
 func autoConvert_v1beta3_FileDiscovery_To_kubeadm_FileDiscovery(in *FileDiscovery, out *kubeadm.FileDiscovery, s conversion.Scope) error {
 	out.KubeConfigPath = in.KubeConfigPath
 	return nil
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/defaults.go
index 4f031ca6aabdf..bbf449092dd28 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/defaults.go
@@ -130,6 +130,19 @@ func SetDefaults_Etcd(obj *ClusterConfiguration) {
 			obj.Etcd.Local.DataDir = DefaultEtcdDataDir
 		}
 	}
+	if obj.Etcd.External != nil {
+		SetDefaults_ExternalEtcd(obj.Etcd.External)
+	}
+}
+
+// SetDefaults_ExternalEtcd assigns default values for the external etcd
+func SetDefaults_ExternalEtcd(obj *ExternalEtcd) {
+	// If HTTPEndpoints is not set, default it to Endpoints
+	// This allows HTTP traffic (metrics, health checks) to use the same endpoints as gRPC traffic
+	if len(obj.HTTPEndpoints) == 0 && len(obj.Endpoints) > 0 {
+		obj.HTTPEndpoints = make([]string, len(obj.Endpoints))
+		copy(obj.HTTPEndpoints, obj.Endpoints)
+	}
 }
 
 // SetDefaults_JoinConfiguration assigns default values to a regular node
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/doc.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/doc.go
index 9f3e88e965f7c..70c5fba35564d 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/doc.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/doc.go
@@ -23,6 +23,12 @@ limitations under the License.
 // This version improves on the v1beta3 format by fixing some minor issues and adding a few new fields.
 //
 // A list of changes since v1beta3:
+// v1.35:
+//   - Add `HTTPEndpoints` field to `ClusterConfiguration.Etcd.ExternalEtcd` that can be used to configure the HTTP endpoints for etcd communication in v1beta4.
+//     This field is used to separate the HTTP traffic (such as /metrics and /health endpoints) from the gRPC traffic handled by Endpoints.
+//     This separation allows for better access control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+//     Corresponds to etcd's --listen-client-http-urls configuration.
+//     If not provided, Endpoints will be used for both gRPC and HTTP traffic.
 //
 // v1.34:
 //   - Add "ECDSA-P384" to the allowed encryption algorithm options for `ClusterConfiguration.EncryptionAlgorithm`.
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go
index 9bac88d1d9ee0..7da4c05063e81 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/types.go
@@ -140,11 +140,13 @@ type ClusterConfiguration struct {
 	// +optional
 	ImageRepository string `json:"imageRepository,omitempty"`
 
-	// FeatureGates enabled by the user.
+	// FeatureGates holds kubeadm-specific feature gates enabled by the user.
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 
-	// The cluster name
+	// The cluster name. This name will be used in kubeconfig files generated by kubeadm
+	// and will also be passed as a value to the kube-controller-manager's --cluster-name flag.
+	// Default value is 'kubernetes'.
 	// +optional
 	ClusterName string `json:"clusterName,omitempty"`
 
@@ -170,6 +172,7 @@ type ControlPlaneComponent struct {
 	// An argument name in this list is the flag name as it appears on the
 	// command line except without leading dash(es). Extra arguments will override existing
 	// default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	// +optional
 	ExtraArgs []Arg `json:"extraArgs,omitempty"`
 
@@ -260,6 +263,7 @@ type NodeRegistrationOptions struct {
 	// Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
 	// An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
 	// Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	// +optional
 	KubeletExtraArgs []Arg `json:"kubeletExtraArgs,omitempty"`
 
@@ -309,7 +313,8 @@ type Etcd struct {
 
 // LocalEtcd describes that kubeadm should run an etcd cluster locally
 type LocalEtcd struct {
-	// ImageMeta allows to customize the container used for etcd
+	// ImageMeta allows to customize the container image used for etcd. Passing a custom etcd image
+	// tells kubeadm upgrade that this image is user-managed and that its upgrade must be skipped.
 	ImageMeta `json:",inline"`
 
 	// DataDir is the directory etcd will place its data.
@@ -321,6 +326,7 @@ type LocalEtcd struct {
 	// An argument name in this list is the flag name as it appears on the
 	// command line except without leading dash(es). Extra arguments will override existing
 	// default arguments. Duplicate extra arguments are allowed.
+	// The default arguments are sorted alpha-numerically but the extra arguments are not.
 	// +optional
 	ExtraArgs []Arg `json:"extraArgs,omitempty"`
 
@@ -340,9 +346,23 @@ type LocalEtcd struct {
 // ExternalEtcd describes an external etcd cluster.
 // Kubeadm has no knowledge of where certificate files live and they must be supplied.
 type ExternalEtcd struct {
-	// Endpoints of etcd members. Required for ExternalEtcd.
+	// Endpoints of etcd members. Required when using external etcd.
+	// Specifies the client URLs (usually gRPC endpoints) for etcd communication.
+	// By default, these endpoints handle both gRPC traffic (primary etcd protocol)
+	// and HTTP traffic (metrics, health checks). However, if HTTPEndpoints is configured,
+	// the gRPC and HTTP traffic can be separated for better security and performance.
+	// Corresponds to etcd's --listen-client-urls configuration.
 	Endpoints []string `json:"endpoints"`
 
+	// HTTPEndpoints are the dedicated HTTP endpoints for etcd communication.
+	// When configured, HTTP traffic (such as /metrics and /health endpoints) is separated
+	// from the gRPC traffic handled by Endpoints. This separation allows for better access
+	// control, as HTTP endpoints can be exposed without exposing the primary gRPC interface.
+	// Corresponds to etcd's --listen-client-http-urls configuration.
+	// If not provided, Endpoints will be used for both gRPC and HTTP traffic.
+	// +optional
+	HTTPEndpoints []string `json:"httpEndpoints,omitempty"`
+
 	// CAFile is an SSL Certificate Authority file used to secure etcd communication.
 	// Required if using a TLS connection.
 	CAFile string `json:"caFile"`
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.conversion.go
index f781a06dd34de..c502378adcfee 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.conversion.go
@@ -609,6 +609,7 @@ func Convert_kubeadm_Etcd_To_v1beta4_Etcd(in *kubeadm.Etcd, out *Etcd, s convers
 
 func autoConvert_v1beta4_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd, out *kubeadm.ExternalEtcd, s conversion.Scope) error {
 	out.Endpoints = *(*[]string)(unsafe.Pointer(&in.Endpoints))
+	out.HTTPEndpoints = *(*[]string)(unsafe.Pointer(&in.HTTPEndpoints))
 	out.CAFile = in.CAFile
 	out.CertFile = in.CertFile
 	out.KeyFile = in.KeyFile
@@ -622,6 +623,7 @@ func Convert_v1beta4_ExternalEtcd_To_kubeadm_ExternalEtcd(in *ExternalEtcd, out
 
 func autoConvert_kubeadm_ExternalEtcd_To_v1beta4_ExternalEtcd(in *kubeadm.ExternalEtcd, out *ExternalEtcd, s conversion.Scope) error {
 	out.Endpoints = *(*[]string)(unsafe.Pointer(&in.Endpoints))
+	out.HTTPEndpoints = *(*[]string)(unsafe.Pointer(&in.HTTPEndpoints))
 	out.CAFile = in.CAFile
 	out.CertFile = in.CertFile
 	out.KeyFile = in.KeyFile
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.deepcopy.go
index b888f2342f8bc..607e8973fa69b 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.deepcopy.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.deepcopy.go
@@ -279,6 +279,11 @@ func (in *ExternalEtcd) DeepCopyInto(out *ExternalEtcd) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.HTTPEndpoints != nil {
+		in, out := &in.HTTPEndpoints, &out.HTTPEndpoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.defaults.go
index 8c3834d9649d1..d5a0dac530493 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta4/zz_generated.defaults.go
@@ -45,6 +45,9 @@ func SetObjectDefaults_ClusterConfiguration(in *ClusterConfiguration) {
 			SetDefaults_EnvVar(a)
 		}
 	}
+	if in.Etcd.External != nil {
+		SetDefaults_ExternalEtcd(in.Etcd.External)
+	}
 	for i := range in.APIServer.ControlPlaneComponent.ExtraEnvs {
 		a := &in.APIServer.ControlPlaneComponent.ExtraEnvs[i]
 		SetDefaults_EnvVar(a)
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index ec3cb843e5af4..967988aa2ca70 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -329,7 +329,14 @@ func ValidateEtcd(e *kubeadm.Etcd, fldPath *field.Path) field.ErrorList {
 			allErrs = append(allErrs, field.Invalid(externalPath, "", "setting .Etcd.External.CertFile and .Etcd.External.KeyFile requires .Etcd.External.CAFile"))
 		}
 
-		allErrs = append(allErrs, ValidateURLs(e.External.Endpoints, requireHTTPS, externalPath.Child("endpoints"))...)
+		if len(e.External.Endpoints) == 0 {
+			allErrs = append(allErrs, field.Invalid(externalPath.Child("endpoints"), "", "at least one endpoint must be specified"))
+		} else {
+			allErrs = append(allErrs, ValidateURLs(e.External.Endpoints, requireHTTPS, externalPath.Child("endpoints"))...)
+		}
+
+		allErrs = append(allErrs, ValidateURLs(e.External.HTTPEndpoints, false /* requireHTTPS */, externalPath.Child("httpEndpoints"))...)
+
 		if e.External.CAFile != "" {
 			allErrs = append(allErrs, ValidateAbsolutePath(e.External.CAFile, externalPath.Child("caFile"))...)
 		}
diff --git a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go
index 188d34c7cdbd9..04761aa9f3811 100644
--- a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go
+++ b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go
@@ -318,6 +318,11 @@ func (in *ExternalEtcd) DeepCopyInto(out *ExternalEtcd) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.HTTPEndpoints != nil {
+		in, out := &in.HTTPEndpoints, &out.HTTPEndpoints
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/cmd/kubeadm/app/cmd/config.go b/cmd/kubeadm/app/cmd/config.go
index 3907b0651f0ec..be8d486b531a6 100644
--- a/cmd/kubeadm/app/cmd/config.go
+++ b/cmd/kubeadm/app/cmd/config.go
@@ -387,6 +387,7 @@ func newCmdConfigImagesPull() *cobra.Command {
 			if err := containerRuntime.Connect(); err != nil {
 				return err
 			}
+			defer containerRuntime.Close()
 			return PullControlPlaneImages(containerRuntime, &internalcfg.ClusterConfiguration)
 		},
 		Args: cobra.NoArgs,
diff --git a/cmd/kubeadm/app/cmd/init.go b/cmd/kubeadm/app/cmd/init.go
index e25b9dea49fa8..a52b2952cf0ed 100644
--- a/cmd/kubeadm/app/cmd/init.go
+++ b/cmd/kubeadm/app/cmd/init.go
@@ -353,11 +353,11 @@ func newInitData(cmd *cobra.Command, args []string, initOptions *initOptions, ou
 		return nil, err
 	}
 
-	// if dry running creates a temporary folder for saving kubeadm generated files
+	// If dry running creates a temporary directory for saving kubeadm generated files.
 	dryRunDir := ""
 	if initOptions.dryRun || cfg.DryRun {
 		if dryRunDir, err = kubeadmconstants.GetDryRunDir(kubeadmconstants.EnvVarInitDryRunDir, "kubeadm-init-dryrun", klog.Warningf); err != nil {
-			return nil, errors.Wrap(err, "couldn't create a temporary directory")
+			return nil, errors.Wrap(err, "could not create a temporary directory on dryrun")
 		}
 	}
 
@@ -477,7 +477,7 @@ func (d *initData) KubeConfig() (*clientcmdapi.Config, error) {
 	return d.kubeconfig, nil
 }
 
-// KubeConfigDir returns the path of the Kubernetes configuration folder or the temporary folder path in case of DryRun.
+// KubeConfigDir returns the Kubernetes configuration directory or the temporary directory if DryRun is true.
 func (d *initData) KubeConfigDir() string {
 	if d.dryRun {
 		return d.dryRunDir
@@ -493,7 +493,7 @@ func (d *initData) KubeConfigPath() string {
 	return d.kubeconfigPath
 }
 
-// ManifestDir returns the path where manifest should be stored or the temporary folder path in case of DryRun.
+// ManifestDir returns the path where manifest should be stored or the temporary directory if DryRun is true.
 func (d *initData) ManifestDir() string {
 	if d.dryRun {
 		return d.dryRunDir
@@ -501,7 +501,7 @@ func (d *initData) ManifestDir() string {
 	return kubeadmconstants.GetStaticPodDirectory()
 }
 
-// KubeletDir returns path of the kubelet configuration folder or the temporary folder in case of DryRun.
+// KubeletDir returns the kubelet configuration directory or the temporary directory if DryRun is true.
 func (d *initData) KubeletDir() string {
 	if d.dryRun {
 		return d.dryRunDir
diff --git a/cmd/kubeadm/app/cmd/join.go b/cmd/kubeadm/app/cmd/join.go
index 12fce4a1cc5ca..20920abe6e12d 100644
--- a/cmd/kubeadm/app/cmd/join.go
+++ b/cmd/kubeadm/app/cmd/join.go
@@ -465,11 +465,11 @@ func newJoinData(cmd *cobra.Command, args []string, opt *joinOptions, out io.Wri
 		}
 	}
 
-	// if dry running, creates a temporary folder to save kubeadm generated files
+	// If dry running creates a temporary directory for saving kubeadm generated files.
 	dryRunDir := ""
 	if opt.dryRun || cfg.DryRun {
 		if dryRunDir, err = kubeadmconstants.GetDryRunDir(kubeadmconstants.EnvVarJoinDryRunDir, "kubeadm-join-dryrun", klog.Warningf); err != nil {
-			return nil, errors.Wrap(err, "couldn't create a temporary directory on dryrun")
+			return nil, errors.Wrap(err, "could not create a temporary directory on dryrun")
 		}
 	}
 
@@ -502,7 +502,7 @@ func (j *joinData) DryRun() bool {
 	return j.dryRun
 }
 
-// KubeConfigDir returns the path of the Kubernetes configuration folder or the temporary folder path in case of DryRun.
+// KubeConfigDir returns the Kubernetes configuration directory or the temporary directory if DryRun is true.
 func (j *joinData) KubeConfigDir() string {
 	if j.dryRun {
 		return j.dryRunDir
@@ -510,7 +510,7 @@ func (j *joinData) KubeConfigDir() string {
 	return kubeadmconstants.KubernetesDir
 }
 
-// KubeletDir returns the path of the kubelet configuration folder or the temporary folder in case of DryRun.
+// KubeletDir returns the kubelet configuration directory or the temporary directory if DryRun is true.
 func (j *joinData) KubeletDir() string {
 	if j.dryRun {
 		return j.dryRunDir
@@ -518,7 +518,7 @@ func (j *joinData) KubeletDir() string {
 	return kubeadmconstants.KubeletRunDirectory
 }
 
-// ManifestDir returns the path where manifest should be stored or the temporary folder path in case of DryRun.
+// ManifestDir returns the path where manifest should be stored or the temporary directory if DryRun is true.
 func (j *joinData) ManifestDir() string {
 	if j.dryRun {
 		return j.dryRunDir
@@ -526,7 +526,7 @@ func (j *joinData) ManifestDir() string {
 	return kubeadmconstants.GetStaticPodDirectory()
 }
 
-// CertificateWriteDir returns the path where certs should be stored or the temporary folder path in case of DryRun.
+// CertificateWriteDir returns the path where certs should be stored or the temporary directory if DryRun is true.
 func (j *joinData) CertificateWriteDir() string {
 	if j.dryRun {
 		return j.dryRunDir
diff --git a/cmd/kubeadm/app/cmd/phases/init/kubeconfig.go b/cmd/kubeadm/app/cmd/phases/init/kubeconfig.go
index 2e95cd1990bc6..d8ce56ad360f2 100644
--- a/cmd/kubeadm/app/cmd/phases/init/kubeconfig.go
+++ b/cmd/kubeadm/app/cmd/phases/init/kubeconfig.go
@@ -24,7 +24,6 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
 	cmdutil "k8s.io/kubernetes/cmd/kubeadm/app/cmd/util"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 	kubeconfigphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
@@ -158,11 +157,9 @@ func runKubeConfigFile(kubeConfigFileName string) func(workflow.RunData) error {
 
 		initConfiguration := data.Cfg().DeepCopy()
 
-		if features.Enabled(cfg.FeatureGates, features.ControlPlaneKubeletLocalMode) {
-			if kubeConfigFileName == kubeadmconstants.KubeletKubeConfigFileName {
-				// Unset the ControlPlaneEndpoint so the creation falls back to the LocalAPIEndpoint for the kubelet's kubeconfig.
-				initConfiguration.ControlPlaneEndpoint = ""
-			}
+		if kubeConfigFileName == kubeadmconstants.KubeletKubeConfigFileName {
+			// Unset the ControlPlaneEndpoint so the creation falls back to the LocalAPIEndpoint for the kubelet's kubeconfig.
+			initConfiguration.ControlPlaneEndpoint = ""
 		}
 
 		// creates the KubeConfig file (or use existing)
diff --git a/cmd/kubeadm/app/cmd/phases/join/controlplanejoin.go b/cmd/kubeadm/app/cmd/phases/join/controlplanejoin.go
index 860175e8adda1..c30df5f65779d 100644
--- a/cmd/kubeadm/app/cmd/phases/join/controlplanejoin.go
+++ b/cmd/kubeadm/app/cmd/phases/join/controlplanejoin.go
@@ -24,7 +24,6 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
 	cmdutil "k8s.io/kubernetes/cmd/kubeadm/app/cmd/util"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
 	etcdphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/etcd"
 	markcontrolplanephase "k8s.io/kubernetes/cmd/kubeadm/app/phases/markcontrolplane"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
@@ -83,32 +82,26 @@ func NewControlPlaneJoinPhase() workflow.Phase {
 func NewEtcdJoinPhase() workflow.Phase {
 	return workflow.Phase{
 		Name:          "etcd-join",
-		Short:         fmt.Sprintf("[EXPERIMENTAL] Join etcd for control plane nodes (only used when feature gate %s is enabled)", features.ControlPlaneKubeletLocalMode),
+		Short:         "Join etcd for control plane nodes",
 		Run:           runEtcdPhase,
 		Example:       etcdJoinExample,
 		InheritFlags:  getControlPlaneJoinPhaseFlags("etcd"),
 		ArgsValidator: cobra.NoArgs,
-		// TODO: unhide this phase once ControlPlaneKubeletLocalMode goes GA:
-		// https://github.com/kubernetes/enhancements/issues/4471
-		Hidden: true,
-		// Only run this phase as if `ControlPlaneKubeletLocalMode` is activated.
-		RunIf: func(c workflow.RunData) (bool, error) {
-			return checkFeatureState(c, features.ControlPlaneKubeletLocalMode, true)
-		},
 	}
 }
 
+// TODO: Deprecated. Remove once ControlPlaneKubeletLocalMode is removed in 1.36.
+// https://github.com/kubernetes/kubeadm/issues/2271
 func newEtcdLocalSubphase() workflow.Phase {
 	return workflow.Phase{
 		Name:          "etcd",
-		Short:         "Add a new local etcd member",
+		Short:         "[DEPRECATED] Add a new local etcd member. Deprecated in favor of 'etcd-join' and will be removed in 1.36",
 		Run:           runEtcdPhase,
 		InheritFlags:  getControlPlaneJoinPhaseFlags("etcd"),
 		ArgsValidator: cobra.NoArgs,
-		// Only run this phase as subphase of control-plane-join phase if
-		// `ControlPlaneKubeletLocalMode` is deactivated.
+		Hidden:        true,
 		RunIf: func(c workflow.RunData) (bool, error) {
-			return checkFeatureState(c, features.ControlPlaneKubeletLocalMode, false)
+			return false, nil
 		},
 	}
 }
diff --git a/cmd/kubeadm/app/cmd/phases/join/data.go b/cmd/kubeadm/app/cmd/phases/join/data.go
index f6b3e769b22e8..9e04d9032f9fe 100644
--- a/cmd/kubeadm/app/cmd/phases/join/data.go
+++ b/cmd/kubeadm/app/cmd/phases/join/data.go
@@ -25,9 +25,6 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
-	"k8s.io/kubernetes/cmd/kubeadm/app/features"
-	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
 
 // JoinData is the interface to use for join phases.
@@ -48,17 +45,3 @@ type JoinData interface {
 	ManifestDir() string
 	CertificateWriteDir() string
 }
-
-func checkFeatureState(c workflow.RunData, featureGate string, state bool) (bool, error) {
-	data, ok := c.(JoinData)
-	if !ok {
-		return false, errors.New("control-plane-join phase invoked with an invalid data struct")
-	}
-
-	cfg, err := data.InitCfg()
-	if err != nil {
-		return false, err
-	}
-
-	return state == features.Enabled(cfg.FeatureGates, featureGate), nil
-}
diff --git a/cmd/kubeadm/app/cmd/phases/join/kubelet.go b/cmd/kubeadm/app/cmd/phases/join/kubelet.go
index 751ab305d5c4c..822bf7a509ff9 100644
--- a/cmd/kubeadm/app/cmd/phases/join/kubelet.go
+++ b/cmd/kubeadm/app/cmd/phases/join/kubelet.go
@@ -75,20 +75,13 @@ func NewKubeletStartPhase() workflow.Phase {
 func NewKubeletWaitBootstrapPhase() workflow.Phase {
 	return workflow.Phase{
 		Name:  "kubelet-wait-bootstrap",
-		Short: "[EXPERIMENTAL] Wait for the kubelet to bootstrap itself (only used when feature gate ControlPlaneKubeletLocalMode is enabled)",
+		Short: "Wait for the kubelet to bootstrap itself",
 		Run:   runKubeletWaitBootstrapPhase,
 		InheritFlags: []string{
 			options.CfgPath,
 			options.NodeCRISocket,
 			options.DryRun,
 		},
-		// TODO: unhide this phase once ControlPlaneKubeletLocalMode goes GA:
-		// https://github.com/kubernetes/enhancements/issues/4471
-		Hidden: true,
-		// Only run this phase as if `ControlPlaneKubeletLocalMode` is activated.
-		RunIf: func(c workflow.RunData) (bool, error) {
-			return checkFeatureState(c, features.ControlPlaneKubeletLocalMode, true)
-		},
 	}
 }
 
@@ -124,16 +117,6 @@ func runKubeletStartJoinPhase(c workflow.RunData) (returnErr error) {
 	}
 	bootstrapKubeConfigFile := filepath.Join(data.KubeConfigDir(), kubeadmconstants.KubeletBootstrapKubeConfigFileName)
 
-	// Do not delete the bootstrapKubeConfigFile at the end of this function when
-	// using ControlPlaneKubeletLocalMode. The KubeletWaitBootstrapPhase will delete
-	// it when the feature is enabled.
-	if !features.Enabled(initCfg.FeatureGates, features.ControlPlaneKubeletLocalMode) {
-		// Deletes the bootstrapKubeConfigFile, so the credential used for TLS bootstrap is removed from disk
-		defer func() {
-			_ = os.Remove(bootstrapKubeConfigFile)
-		}()
-	}
-
 	var client clientset.Interface
 	// If dry-use the client from joinData, else create a new bootstrap client
 	if data.DryRun() {
@@ -148,17 +131,15 @@ func runKubeletStartJoinPhase(c workflow.RunData) (returnErr error) {
 		}
 	}
 
-	if features.Enabled(initCfg.FeatureGates, features.ControlPlaneKubeletLocalMode) {
-		// Set the server url to LocalAPIEndpoint if the feature gate is enabled so the config
-		// which gets passed to the kubelet forces it to talk to the local kube-apiserver.
-		if cfg.ControlPlane != nil {
-			for c, conf := range tlsBootstrapCfg.Clusters {
-				conf.Server, err = kubeadmutil.GetLocalAPIEndpoint(&cfg.ControlPlane.LocalAPIEndpoint)
-				if err != nil {
-					return errors.Wrapf(err, "could not get LocalAPIEndpoint when %s is enabled", features.ControlPlaneKubeletLocalMode)
-				}
-				tlsBootstrapCfg.Clusters[c] = conf
+	// Set the server url to LocalAPIEndpoint if the feature gate is enabled so the config
+	// which gets passed to the kubelet forces it to talk to the local kube-apiserver.
+	if cfg.ControlPlane != nil {
+		for c, conf := range tlsBootstrapCfg.Clusters {
+			conf.Server, err = kubeadmutil.GetLocalAPIEndpoint(&cfg.ControlPlane.LocalAPIEndpoint)
+			if err != nil {
+				return errors.Wrapf(err, "could not get LocalAPIEndpoint")
 			}
+			tlsBootstrapCfg.Clusters[c] = conf
 		}
 	}
 
@@ -252,13 +233,6 @@ func runKubeletStartJoinPhase(c workflow.RunData) (returnErr error) {
 	fmt.Println("[kubelet-start] Starting the kubelet")
 	kubeletphase.TryStartKubelet()
 
-	// Run the same code as KubeletWaitBootstrapPhase would do if the ControlPlaneKubeletLocalMode feature gate is disabled.
-	if !features.Enabled(initCfg.FeatureGates, features.ControlPlaneKubeletLocalMode) {
-		if err := runKubeletWaitBootstrapPhase(c); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 
diff --git a/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go b/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go
index 3a8a769edc48c..8a163a1686e55 100644
--- a/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go
+++ b/cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go
@@ -138,6 +138,8 @@ func removeContainers(criSocketPath string) error {
 	if err := containerRuntime.Connect(); err != nil {
 		return err
 	}
+	defer containerRuntime.Close()
+
 	containers, err := containerRuntime.ListKubeContainers()
 	if err != nil {
 		return err
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/apply/data_test.go b/cmd/kubeadm/app/cmd/phases/upgrade/apply/data_test.go
index a5a55f1beb923..25ee332d16609 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/apply/data_test.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/apply/data_test.go
@@ -45,3 +45,5 @@ func (t *testData) SessionIsInteractive() bool              { return false }
 func (t *testData) AllowExperimentalUpgrades() bool         { return false }
 func (t *testData) AllowRCUpgrades() bool                   { return false }
 func (t *testData) ForceUpgrade() bool                      { return false }
+func (t *testData) KubeConfigDir() string                   { return "" }
+func (t *testData) KubeletDir() string                      { return "" }
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go b/cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go
index ba0d8adc50fbd..06d45cea242a0 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go
@@ -70,7 +70,7 @@ func runPreflight(c workflow.RunData) error {
 	if err := preflight.RunRootCheckOnly(ignorePreflightErrors); err != nil {
 		return err
 	}
-	if err := preflight.RunUpgradeChecks(ignorePreflightErrors); err != nil {
+	if err := preflight.RunUpgradeChecks(utilsexec.New(), initCfg, ignorePreflightErrors); err != nil {
 		return err
 	}
 
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/data.go b/cmd/kubeadm/app/cmd/phases/upgrade/data.go
index 6b299d8aaa916..016199c90f67d 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/data.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/data.go
@@ -38,4 +38,6 @@ type Data interface {
 	IgnorePreflightErrors() sets.Set[string]
 	PatchesDir() string
 	OutputWriter() io.Writer
+	KubeConfigDir() string
+	KubeletDir() string
 }
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/data_test.go b/cmd/kubeadm/app/cmd/phases/upgrade/data_test.go
index bc2f1ce0d9332..1684b20679472 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/data_test.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/data_test.go
@@ -41,3 +41,5 @@ func (t *testData) Client() clientset.Interface             { return nil }
 func (t *testData) IgnorePreflightErrors() sets.Set[string] { return nil }
 func (t *testData) PatchesDir() string                      { return "" }
 func (t *testData) OutputWriter() io.Writer                 { return nil }
+func (t *testData) KubeConfigDir() string                   { return "" }
+func (t *testData) KubeletDir() string                      { return "" }
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/kubeletconfig.go b/cmd/kubeadm/app/cmd/phases/upgrade/kubeletconfig.go
index 6b98aef5c40bf..876f068d08634 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/kubeletconfig.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/kubeletconfig.go
@@ -29,10 +29,6 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
 
-const (
-	kubeletConfigDir = ""
-)
-
 var (
 	kubeletConfigLongDesc = cmdutil.LongDesc(`
 		Upgrade the kubelet configuration for this node by downloading it from the kubelet-config ConfigMap stored in the cluster
@@ -65,7 +61,7 @@ func runKubeletConfigPhase(c workflow.RunData) error {
 	// Write the configuration for the kubelet down to disk and print the generated manifests instead of dry-running.
 	// If not dry-running, the kubelet config file will be backed up to the /etc/kubernetes/tmp/ dir, so that it could be
 	// recovered if anything goes wrong.
-	err := upgrade.WriteKubeletConfigFiles(data.InitCfg(), kubeletConfigDir, data.PatchesDir(), data.DryRun(), data.OutputWriter())
+	err := upgrade.WriteKubeletConfigFiles(data.InitCfg(), data.KubeletDir(), data.KubeConfigDir(), data.PatchesDir(), data.DryRun(), data.OutputWriter())
 	if err != nil {
 		return err
 	}
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/node/data_test.go b/cmd/kubeadm/app/cmd/phases/upgrade/node/data_test.go
index 6de8db579fd5a..6375a4cd04841 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/node/data_test.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/node/data_test.go
@@ -42,3 +42,5 @@ func (t *testData) IgnorePreflightErrors() sets.Set[string] { return nil }
 func (t *testData) PatchesDir() string                      { return "" }
 func (t *testData) KubeConfigPath() string                  { return "" }
 func (t *testData) OutputWriter() io.Writer                 { return nil }
+func (t *testData) KubeConfigDir() string                   { return "" }
+func (t *testData) KubeletDir() string                      { return "" }
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/node/preflight.go b/cmd/kubeadm/app/cmd/phases/upgrade/node/preflight.go
index 58d06b7c284dd..a9985884e52a6 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/node/preflight.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/node/preflight.go
@@ -53,7 +53,7 @@ func runPreflight(c workflow.RunData) error {
 	if err := preflight.RunRootCheckOnly(data.IgnorePreflightErrors()); err != nil {
 		return err
 	}
-	if err := preflight.RunUpgradeChecks(data.IgnorePreflightErrors()); err != nil {
+	if err := preflight.RunUpgradeChecks(utilsexec.New(), data.InitCfg(), data.IgnorePreflightErrors()); err != nil {
 		return err
 	}
 
diff --git a/cmd/kubeadm/app/cmd/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/cmd/phases/upgrade/postupgrade.go
index f006000da18ae..cdb05a42c0868 100644
--- a/cmd/kubeadm/app/cmd/phases/upgrade/postupgrade.go
+++ b/cmd/kubeadm/app/cmd/phases/upgrade/postupgrade.go
@@ -20,6 +20,7 @@ package upgrade
 import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
+	"k8s.io/kubernetes/cmd/kubeadm/app/phases/upgrade"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
 
@@ -38,11 +39,24 @@ func NewPostUpgradePhase() workflow.Phase {
 }
 
 func runPostUpgrade(c workflow.RunData) error {
-	_, ok := c.(Data)
+	data, ok := c.(Data)
 	if !ok {
 		return errors.New("post-upgrade phase invoked with an invalid data struct")
 	}
 	// PLACEHOLDER: this phase should contain any release specific post-upgrade tasks.
 
+	// Rewrite the kubelet env file without unwanted flags to disk and print the remaining flags instead of dry-running.
+	// If not dry-running, the kubelet env file will be backed up to the /etc/kubernetes/tmp/ dir, so that it could be
+	// recovered if anything goes wrong.
+	unwantedFlags := []string{
+		// The flag has been deprecated and no longer served a purpose in the kubelet as the logic was migrated to CRI.
+		// TODO: Remove it from this list in 1.36: https://github.com/kubernetes/kubeadm/issues/3108
+		"pod-infra-container-image",
+	}
+	err := upgrade.RemoveKubeletArgsFromFile(data.KubeletDir(), data.KubeConfigDir(), unwantedFlags, data.DryRun(), data.OutputWriter())
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
diff --git a/cmd/kubeadm/app/cmd/upgrade/apply.go b/cmd/kubeadm/app/cmd/upgrade/apply.go
index c6c61ed3ac621..f940639844902 100644
--- a/cmd/kubeadm/app/cmd/upgrade/apply.go
+++ b/cmd/kubeadm/app/cmd/upgrade/apply.go
@@ -63,6 +63,7 @@ type applyData struct {
 	nonInteractiveMode        bool
 	force                     bool
 	dryRun                    bool
+	dryRunDir                 string
 	etcdUpgrade               bool
 	renewCerts                bool
 	allowExperimentalUpgrades bool
@@ -195,6 +196,14 @@ func newApplyData(cmd *cobra.Command, args []string, applyFlags *applyFlags) (*a
 		return nil, cmdutil.TypeMismatchErr("dryRun", "bool")
 	}
 
+	// If dry running creates a temporary directory for saving kubeadm generated files.
+	dryRunDir := ""
+	if *dryRun {
+		if dryRunDir, err = constants.GetDryRunDir(constants.EnvVarUpgradeDryRunDir, "kubeadm-upgrade-apply-dryrun", klog.Warningf); err != nil {
+			return nil, errors.Wrap(err, "could not create a temporary directory on dryrun")
+		}
+	}
+
 	etcdUpgrade, ok := cmdutil.ValueFromFlagsOrConfig(cmd.Flags(), options.EtcdUpgrade, upgradeCfg.Apply.EtcdUpgrade, &applyFlags.etcdUpgrade).(*bool)
 	if !ok {
 		return nil, cmdutil.TypeMismatchErr("etcdUpgrade", "bool")
@@ -273,6 +282,7 @@ func newApplyData(cmd *cobra.Command, args []string, applyFlags *applyFlags) (*a
 		nonInteractiveMode:        applyFlags.nonInteractiveMode,
 		force:                     *force,
 		dryRun:                    *dryRun,
+		dryRunDir:                 dryRunDir,
 		etcdUpgrade:               *etcdUpgrade,
 		renewCerts:                *renewCerts,
 		allowExperimentalUpgrades: *allowExperimentalUpgrades,
@@ -357,3 +367,19 @@ func (d *applyData) IsControlPlaneNode() bool {
 	// `kubeadm upgrade apply` should always be executed on a control-plane node
 	return true
 }
+
+// KubeConfigDir returns the Kubernetes configuration directory or the temporary directory if DryRun is true.
+func (j *applyData) KubeConfigDir() string {
+	if j.dryRun {
+		return j.dryRunDir
+	}
+	return constants.KubernetesDir
+}
+
+// KubeletDir returns the kubelet configuration directory or the temporary directory if DryRun is true.
+func (j *applyData) KubeletDir() string {
+	if j.dryRun {
+		return j.dryRunDir
+	}
+	return constants.KubeletRunDirectory
+}
diff --git a/cmd/kubeadm/app/cmd/upgrade/node.go b/cmd/kubeadm/app/cmd/upgrade/node.go
index 1e3cd71041e8a..1c8ad80049e11 100644
--- a/cmd/kubeadm/app/cmd/upgrade/node.go
+++ b/cmd/kubeadm/app/cmd/upgrade/node.go
@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4"
@@ -63,6 +64,7 @@ type nodeData struct {
 	etcdUpgrade           bool
 	renewCerts            bool
 	dryRun                bool
+	dryRunDir             string
 	cfg                   *kubeadmapi.UpgradeConfiguration
 	initCfg               *kubeadmapi.InitConfiguration
 	isControlPlaneNode    bool
@@ -185,6 +187,14 @@ func newNodeData(cmd *cobra.Command, nodeOptions *nodeOptions, out io.Writer) (*
 		return nil, cmdutil.TypeMismatchErr("dryRun", "bool")
 	}
 
+	// If dry running creates a temporary directory for saving kubeadm generated files.
+	dryRunDir := ""
+	if *dryRun {
+		if dryRunDir, err = constants.GetDryRunDir(constants.EnvVarUpgradeDryRunDir, "kubeadm-upgrade-node-dryrun", klog.Warningf); err != nil {
+			return nil, errors.Wrap(err, "could not create a temporary directory on dryrun")
+		}
+	}
+
 	printer := &output.TextPrinter{}
 	client, err := getClient(nodeOptions.kubeConfigPath, *dryRun, printer)
 	if err != nil {
@@ -217,6 +227,7 @@ func newNodeData(cmd *cobra.Command, nodeOptions *nodeOptions, out io.Writer) (*
 	return &nodeData{
 		cfg:                   upgradeCfg,
 		dryRun:                *dryRun,
+		dryRunDir:             dryRunDir,
 		initCfg:               initCfg,
 		client:                client,
 		isControlPlaneNode:    isControlPlaneNode,
@@ -282,3 +293,19 @@ func (d *nodeData) KubeConfigPath() string {
 func (d *nodeData) OutputWriter() io.Writer {
 	return d.outputWriter
 }
+
+// KubeConfigDir returns the Kubernetes configuration directory or the temporary directory if DryRun is true.
+func (j *nodeData) KubeConfigDir() string {
+	if j.dryRun {
+		return j.dryRunDir
+	}
+	return constants.KubernetesDir
+}
+
+// KubeletDir returns the kubelet configuration directory or the temporary directory if DryRun is true.
+func (j *nodeData) KubeletDir() string {
+	if j.dryRun {
+		return j.dryRunDir
+	}
+	return constants.KubeletRunDirectory
+}
diff --git a/cmd/kubeadm/app/cmd/upgrade/plan.go b/cmd/kubeadm/app/cmd/upgrade/plan.go
index 2aed7fa1366ea..af73aec8e3b77 100644
--- a/cmd/kubeadm/app/cmd/upgrade/plan.go
+++ b/cmd/kubeadm/app/cmd/upgrade/plan.go
@@ -120,7 +120,7 @@ func runPlan(flagSet *pflag.FlagSet, flags *planFlags, args []string, printer ou
 		return cmdutil.TypeMismatchErr("allowExperimentalUpgrades", "bool")
 	}
 
-	availUpgrades, err := upgrade.GetAvailableUpgrades(versionGetter, *allowExperimentalUpgrades, *allowRCUpgrades, client, printer)
+	availUpgrades, err := upgrade.GetAvailableUpgrades(versionGetter, *allowExperimentalUpgrades, *allowRCUpgrades, printer)
 	if err != nil {
 		return errors.Wrap(err, "[upgrade/versions] FATAL")
 	}
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 4935f0530bfbc..fee98ece17c72 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -326,7 +326,7 @@ const (
 	MinExternalEtcdVersion = "3.5.24-0"
 
 	// DefaultEtcdVersion indicates the default etcd version that kubeadm uses
-	DefaultEtcdVersion = "3.6.5-0"
+	DefaultEtcdVersion = "3.6.6-0"
 
 	// Etcd defines variable used internally when referring to etcd component
 	Etcd = "etcd"
@@ -364,7 +364,7 @@ const (
 	CoreDNSImageName = "coredns"
 
 	// CoreDNSVersion is the version of CoreDNS to be deployed if it is used
-	CoreDNSVersion = "v1.12.1"
+	CoreDNSVersion = "v1.13.1"
 
 	// ClusterConfigurationKind is the string kind value for the ClusterConfiguration struct
 	ClusterConfigurationKind = "ClusterConfiguration"
@@ -497,11 +497,15 @@ var (
 	CurrentKubernetesVersion = getSkewedKubernetesVersion(0)
 
 	// SupportedEtcdVersion lists officially supported etcd versions with corresponding Kubernetes releases
+	// If you are updating the versions in this map, make sure to also update:
+	// - MinExternalEtcdVersion: with the minimum etcd version from this map.
+	// - DefaultEtcdVersion: with etcd version used for the current k8s release (0).
+	// The maximum length of the map should be 2, as kubeadm supports a maximum skew of -1
+	// with the control plane version.
 	SupportedEtcdVersion = map[uint8]string{
-		31: "3.5.24-0",
-		32: "3.5.24-0",
-		33: "3.5.24-0",
-		34: "3.6.5-0",
+		uint8(getSkewedKubernetesVersion(-2).Minor()): "3.5.24-0",
+		uint8(getSkewedKubernetesVersion(-1).Minor()): "3.6.6-0",
+		uint8(getSkewedKubernetesVersion(0).Minor()):  "3.6.6-0",
 	}
 
 	// KubeadmCertsClusterRoleName sets the name for the ClusterRole that allows
diff --git a/cmd/kubeadm/app/constants/constants_test.go b/cmd/kubeadm/app/constants/constants_test.go
index 779ec5fda9a42..dea843890e169 100644
--- a/cmd/kubeadm/app/constants/constants_test.go
+++ b/cmd/kubeadm/app/constants/constants_test.go
@@ -98,17 +98,9 @@ func TestGetStaticPodFilepath(t *testing.T) {
 	}
 }
 
-func TestEtcdSupportedVersionLength(t *testing.T) {
-	const max = 4
-	if len(SupportedEtcdVersion) > max {
-		t.Fatalf("SupportedEtcdVersion must not include more than %d versions", max)
-	}
-}
-
 func TestEtcdSupportedVersion(t *testing.T) {
 	var supportedEtcdVersion = map[uint8]string{
-		16: "3.3.17-0",
-		17: "3.4.3-0",
+		17: "3.3.17-0",
 		18: "3.4.3-0",
 	}
 	var tests = []struct {
@@ -136,13 +128,13 @@ func TestEtcdSupportedVersion(t *testing.T) {
 			expectedError:     false,
 		},
 		{
-			kubernetesVersion: "v1.16.0",
+			kubernetesVersion: "1.17.2",
 			expectedVersion:   version.MustParseSemantic("3.3.17-0"),
 			expectedWarning:   false,
 			expectedError:     false,
 		},
 		{
-			kubernetesVersion: "1.17.2",
+			kubernetesVersion: "1.18.1",
 			expectedVersion:   version.MustParseSemantic("3.4.3-0"),
 			expectedWarning:   false,
 			expectedError:     false,
diff --git a/cmd/kubeadm/app/discovery/file/file.go b/cmd/kubeadm/app/discovery/file/file.go
index 2cc7caeb269a2..536781b794b58 100644
--- a/cmd/kubeadm/app/discovery/file/file.go
+++ b/cmd/kubeadm/app/discovery/file/file.go
@@ -94,7 +94,7 @@ func ValidateConfigInfo(config *clientcmdapi.Config, discoveryTimeout time.Durat
 	err = wait.PollUntilContextTimeout(context.Background(),
 		constants.DiscoveryRetryInterval, discoveryTimeout,
 		true, func(_ context.Context) (bool, error) {
-			clusterinfoCM, lastError = client.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(context.TODO(), bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
+			clusterinfoCM, lastError = client.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(context.Background(), bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
 			if lastError != nil {
 				if apierrors.IsForbidden(lastError) {
 					// If the request fails with a forbidden error, the cluster admin has not granted access to the cluster info configmap for anonymous clients.
diff --git a/cmd/kubeadm/app/features/features.go b/cmd/kubeadm/app/features/features.go
index 5fcd7d7f415ae..e3fbe4bb6c998 100644
--- a/cmd/kubeadm/app/features/features.go
+++ b/cmd/kubeadm/app/features/features.go
@@ -45,9 +45,6 @@ const (
 
 	// RootlessControlPlane is expected to be in alpha in v1.22
 	RootlessControlPlane = "RootlessControlPlane"
-
-	// WaitForAllControlPlaneComponents is expected to be alpha in v1.30
-	WaitForAllControlPlaneComponents = "WaitForAllControlPlaneComponents"
 )
 
 // InitFeatureGates are the default feature gates for the init command
@@ -61,9 +58,8 @@ var InitFeatureGates = FeatureList{
 		DeprecationMessage: "Deprecated in favor of the core kubelet feature UserNamespacesSupport which is beta since 1.30." +
 			" Once UserNamespacesSupport graduates to GA, kubeadm will start using it and RootlessControlPlane will be removed.",
 	},
-	WaitForAllControlPlaneComponents: {FeatureSpec: featuregate.FeatureSpec{Default: true, PreRelease: featuregate.GA, LockToDefault: true}},
-	ControlPlaneKubeletLocalMode:     {FeatureSpec: featuregate.FeatureSpec{Default: true, PreRelease: featuregate.Beta}},
-	NodeLocalCRISocket:               {FeatureSpec: featuregate.FeatureSpec{Default: true, PreRelease: featuregate.Beta}},
+	ControlPlaneKubeletLocalMode: {FeatureSpec: featuregate.FeatureSpec{Default: true, PreRelease: featuregate.GA, LockToDefault: true}},
+	NodeLocalCRISocket:           {FeatureSpec: featuregate.FeatureSpec{Default: true, PreRelease: featuregate.Beta}},
 }
 
 // Feature represents a feature being gated
diff --git a/cmd/kubeadm/app/images/images.go b/cmd/kubeadm/app/images/images.go
index a9f4700707c78..2db5084a35f34 100644
--- a/cmd/kubeadm/app/images/images.go
+++ b/cmd/kubeadm/app/images/images.go
@@ -63,22 +63,22 @@ func GetDNSImage(cfg *kubeadmapi.ClusterConfiguration) string {
 }
 
 // GetEtcdImage generates and returns the image for etcd
-func GetEtcdImage(cfg *kubeadmapi.ClusterConfiguration) string {
+func GetEtcdImage(cfg *kubeadmapi.ClusterConfiguration, supportedEtcdVersion map[uint8]string) string {
 	// Etcd uses default image repository by default
 	etcdImageRepository := cfg.ImageRepository
 	// unless an override is specified
 	if cfg.Etcd.Local != nil && cfg.Etcd.Local.ImageRepository != "" {
 		etcdImageRepository = cfg.Etcd.Local.ImageRepository
 	}
-	etcdImageTag := GetEtcdImageTag(cfg)
+	etcdImageTag := GetEtcdImageTag(cfg, supportedEtcdVersion)
 	return GetGenericImage(etcdImageRepository, constants.Etcd, etcdImageTag)
 }
 
 // GetEtcdImageTag generates and returns the image tag for etcd
-func GetEtcdImageTag(cfg *kubeadmapi.ClusterConfiguration) string {
+func GetEtcdImageTag(cfg *kubeadmapi.ClusterConfiguration, supportedEtcdVersion map[uint8]string) string {
 	// Etcd uses an imageTag that corresponds to the etcd version matching the Kubernetes version
 	etcdImageTag := constants.DefaultEtcdVersion
-	etcdVersion, warning, err := constants.EtcdSupportedVersion(constants.SupportedEtcdVersion, cfg.KubernetesVersion)
+	etcdVersion, warning, err := constants.EtcdSupportedVersion(supportedEtcdVersion, cfg.KubernetesVersion)
 	if err == nil {
 		etcdImageTag = etcdVersion.String()
 	}
@@ -119,7 +119,7 @@ func GetControlPlaneImages(cfg *kubeadmapi.ClusterConfiguration) []string {
 
 	// if etcd is not external then add the image as it will be required
 	if cfg.Etcd.Local != nil {
-		images = append(images, GetEtcdImage(cfg))
+		images = append(images, GetEtcdImage(cfg, constants.SupportedEtcdVersion))
 	}
 
 	return images
diff --git a/cmd/kubeadm/app/images/images_test.go b/cmd/kubeadm/app/images/images_test.go
index 56f3f297a8db3..f7184bb0265aa 100644
--- a/cmd/kubeadm/app/images/images_test.go
+++ b/cmd/kubeadm/app/images/images_test.go
@@ -149,7 +149,7 @@ func TestGetEtcdImage(t *testing.T) {
 		},
 	}
 	for _, rt := range tests {
-		actual := GetEtcdImage(rt.cfg)
+		actual := GetEtcdImage(rt.cfg, constants.SupportedEtcdVersion)
 		if actual != rt.expected {
 			t.Errorf(
 				"failed GetEtcdImage:\n\texpected: %s\n\t  actual: %s",
diff --git a/cmd/kubeadm/app/phases/addons/dns/dns_test.go b/cmd/kubeadm/app/phases/addons/dns/dns_test.go
index 4d4186728bfe0..f1706973166c4 100644
--- a/cmd/kubeadm/app/phases/addons/dns/dns_test.go
+++ b/cmd/kubeadm/app/phases/addons/dns/dns_test.go
@@ -1454,7 +1454,7 @@ func TestDeployedDNSAddon(t *testing.T) {
 		},
 		{
 			name:           "with digest",
-			image:          "registry.k8s.io/coredns/coredns:v1.12.1@sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e",
+			image:          fmt.Sprintf("registry.k8s.io/coredns/coredns:%s@sha256:1391544c978029fcddc65068f6ad67f396e55585b664ecccd7fefba029b9b706", kubeadmconstants.CoreDNSVersion),
 			deploymentSize: 1,
 			wantVersion:    kubeadmconstants.CoreDNSVersion,
 		},
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index bbb79d7bfe812..29556ebfd5bed 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -154,11 +154,9 @@ func CreateStaticPodFiles(manifestDir, patchesDir string, cfg *kubeadmapi.Cluste
 		if features.Enabled(cfg.FeatureGates, features.RootlessControlPlane) {
 			if isDryRun {
 				fmt.Printf("[control-plane] Would update static pod manifest for %q to run run as non-root\n", componentName)
-			} else {
-				if usersAndGroups != nil {
-					if err := staticpodutil.RunComponentAsNonRoot(componentName, &spec, usersAndGroups, cfg); err != nil {
-						return errors.Wrapf(err, "failed to run component %q as non-root", componentName)
-					}
+			} else if usersAndGroups != nil {
+				if err := staticpodutil.RunComponentAsNonRoot(componentName, &spec, usersAndGroups, cfg); err != nil {
+					return errors.Wrapf(err, "failed to run component %q as non-root", componentName)
 				}
 			}
 		}
diff --git a/cmd/kubeadm/app/phases/etcd/local.go b/cmd/kubeadm/app/phases/etcd/local.go
index b3728128a79da..e10aa9a76c877 100644
--- a/cmd/kubeadm/app/phases/etcd/local.go
+++ b/cmd/kubeadm/app/phases/etcd/local.go
@@ -205,8 +205,8 @@ func GetEtcdPodSpec(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.A
 	return staticpodutil.ComponentPod(
 		v1.Container{
 			Name:            kubeadmconstants.Etcd,
-			Command:         getEtcdCommand(cfg, endpoint, nodeName, initialCluster),
-			Image:           images.GetEtcdImage(cfg),
+			Command:         getEtcdCommand(cfg, endpoint, nodeName, initialCluster, kubeadmconstants.SupportedEtcdVersion),
+			Image:           images.GetEtcdImage(cfg, kubeadmconstants.SupportedEtcdVersion),
 			ImagePullPolicy: v1.PullIfNotPresent,
 			// Mount the etcd datadir path read-write so etcd can store data in a more persistent manner
 			VolumeMounts: []v1.VolumeMount{
@@ -240,7 +240,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.A
 }
 
 // getEtcdCommand builds the right etcd command from the given config object
-func getEtcdCommand(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.APIEndpoint, nodeName string, initialCluster []etcdutil.Member) []string {
+func getEtcdCommand(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.APIEndpoint, nodeName string, initialCluster []etcdutil.Member, supportedEtcdVersion map[uint8]string) []string {
 	// localhost IP family should be the same that the AdvertiseAddress
 	etcdLocalhostAddress := "127.0.0.1"
 	if utilsnet.IsIPv6String(endpoint.AdvertiseAddress) {
@@ -265,7 +265,7 @@ func getEtcdCommand(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.A
 		{Name: "listen-metrics-urls", Value: fmt.Sprintf("http://%s", net.JoinHostPort(etcdLocalhostAddress, strconv.Itoa(kubeadmconstants.EtcdMetricsPort)))},
 	}
 
-	etcdImageTag := images.GetEtcdImageTag(cfg)
+	etcdImageTag := images.GetEtcdImageTag(cfg, supportedEtcdVersion)
 	if etcdVersion, err := version.ParseSemantic(etcdImageTag); err == nil && etcdVersion.AtLeast(version.MustParseSemantic("3.6.0")) {
 		// Arguments used by Etcd 3.6.0+.
 		// TODO: Start always using these once kubeadm only supports etcd >= 3.6.0 for all its supported k8s versions.
diff --git a/cmd/kubeadm/app/phases/etcd/local_test.go b/cmd/kubeadm/app/phases/etcd/local_test.go
index 16cd66ec948ea..aa0bc2d56c19e 100644
--- a/cmd/kubeadm/app/phases/etcd/local_test.go
+++ b/cmd/kubeadm/app/phases/etcd/local_test.go
@@ -285,14 +285,15 @@ func TestCreateLocalEtcdStaticPodManifestFileWithPatches(t *testing.T) {
 
 func TestGetEtcdCommand(t *testing.T) {
 	var tests = []struct {
-		name             string
-		advertiseAddress string
-		k8sVersion       string
-		etcdImageTag     string
-		nodeName         string
-		extraArgs        []kubeadmapi.Arg
-		initialCluster   []etcdutil.Member
-		expected         []string
+		name                 string
+		advertiseAddress     string
+		k8sVersion           string
+		etcdImageTag         string
+		nodeName             string
+		extraArgs            []kubeadmapi.Arg
+		initialCluster       []etcdutil.Member
+		supportedEtcdVersion map[uint8]string
+		expected             []string
 	}{
 		{
 			name:             "Default args - with empty etcd initial cluster",
@@ -416,6 +417,10 @@ func TestGetEtcdCommand(t *testing.T) {
 			advertiseAddress: "1.2.3.4",
 			k8sVersion:       "1.33.0",
 			nodeName:         "bar",
+			supportedEtcdVersion: map[uint8]string{
+				33: "3.5.24",
+				34: "3.6.5",
+			},
 			expected: []string{
 				"etcd",
 				"--name=bar",
@@ -514,7 +519,10 @@ func TestGetEtcdCommand(t *testing.T) {
 					},
 				},
 			}
-			actual := getEtcdCommand(cfg, endpoint, rt.nodeName, rt.initialCluster)
+			if len(rt.supportedEtcdVersion) == 0 {
+				rt.supportedEtcdVersion = kubeadmconstants.SupportedEtcdVersion
+			}
+			actual := getEtcdCommand(cfg, endpoint, rt.nodeName, rt.initialCluster, rt.supportedEtcdVersion)
 			sort.Strings(actual)
 			sort.Strings(rt.expected)
 			if !reflect.DeepEqual(actual, rt.expected) {
diff --git a/cmd/kubeadm/app/phases/kubelet/flags.go b/cmd/kubeadm/app/phases/kubelet/flags.go
index ed4e7b9a2cbf2..8abd742f8f68d 100644
--- a/cmd/kubeadm/app/phases/kubelet/flags.go
+++ b/cmd/kubeadm/app/phases/kubelet/flags.go
@@ -28,14 +28,12 @@ import (
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/features"
-	"k8s.io/kubernetes/cmd/kubeadm/app/images"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
 
 type kubeletFlagsOpts struct {
 	nodeRegOpts              *kubeadmapi.NodeRegistrationOptions
-	pauseImage               string
 	registerTaintsUsingFlags bool
 	// TODO: remove this field once the feature NodeLocalCRISocket is GA.
 	criSocket string
@@ -64,7 +62,6 @@ func GetNodeNameAndHostname(cfg *kubeadmapi.NodeRegistrationOptions) (string, st
 func WriteKubeletDynamicEnvFile(cfg *kubeadmapi.ClusterConfiguration, nodeReg *kubeadmapi.NodeRegistrationOptions, registerTaintsUsingFlags bool, kubeletDir string) error {
 	flagOpts := kubeletFlagsOpts{
 		nodeRegOpts:              nodeReg,
-		pauseImage:               images.GetPauseImage(cfg),
 		registerTaintsUsingFlags: registerTaintsUsingFlags,
 		criSocket:                nodeReg.CRISocket,
 	}
@@ -92,12 +89,6 @@ func buildKubeletArgsCommon(opts kubeletFlagsOpts) []kubeadmapi.Arg {
 		kubeletFlags = append(kubeletFlags, kubeadmapi.Arg{Name: "container-runtime-endpoint", Value: opts.criSocket})
 	}
 
-	// This flag passes the pod infra container image (e.g. "pause" image) to the kubelet
-	// and prevents its garbage collection
-	if opts.pauseImage != "" {
-		kubeletFlags = append(kubeletFlags, kubeadmapi.Arg{Name: "pod-infra-container-image", Value: opts.pauseImage})
-	}
-
 	if opts.registerTaintsUsingFlags && opts.nodeRegOpts.Taints != nil && len(opts.nodeRegOpts.Taints) > 0 {
 		taintStrs := []string{}
 		for _, taint := range opts.nodeRegOpts.Taints {
@@ -163,7 +154,7 @@ func ReadKubeletDynamicEnvFile(kubeletEnvFilePath string) ([]string, error) {
 	// Split the flags string by whitespace to get individual arguments.
 	trimmedFlags := strings.Fields(flags)
 	if len(trimmedFlags) == 0 {
-		return nil, errors.Errorf("no flags found in file %q", kubeletEnvFilePath)
+		return nil, nil
 	}
 
 	var updatedFlags []string
diff --git a/cmd/kubeadm/app/phases/kubelet/flags_test.go b/cmd/kubeadm/app/phases/kubelet/flags_test.go
index b159b35021dc7..d2134086190ac 100644
--- a/cmd/kubeadm/app/phases/kubelet/flags_test.go
+++ b/cmd/kubeadm/app/phases/kubelet/flags_test.go
@@ -75,18 +75,6 @@ func TestBuildKubeletArgs(t *testing.T) {
 				{Name: "register-with-taints", Value: "foo=bar:baz,key=val:eff"},
 			},
 		},
-		{
-			name: "pause image is set",
-			opts: kubeletFlagsOpts{
-				nodeRegOpts: &kubeadmapi.NodeRegistrationOptions{},
-				criSocket:   "unix:///var/run/containerd/containerd.sock",
-				pauseImage:  "registry.k8s.io/pause:ver",
-			},
-			expected: []kubeadmapi.Arg{
-				{Name: "container-runtime-endpoint", Value: "unix:///var/run/containerd/containerd.sock"},
-				{Name: "pod-infra-container-image", Value: "registry.k8s.io/pause:ver"},
-			},
-		},
 	}
 
 	for _, test := range tests {
@@ -200,15 +188,15 @@ func TestReadKubeadmFlags(t *testing.T) {
 	}{
 		{
 			name:          "valid kubeadm flags with container-runtime-endpoint",
-			fileContent:   `KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock --pod-infra-container-image=registry.k8s.io/pause:1.0"`,
-			expectedValue: []string{"--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock", "--pod-infra-container-image=registry.k8s.io/pause:1.0"},
+			fileContent:   `KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock"`,
+			expectedValue: []string{"--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock"},
 			expectError:   false,
 		},
 		{
-			name:          "no container-runtime-endpoint found",
-			fileContent:   `KUBELET_KUBEADM_ARGS="--pod-infra-container-image=registry.k8s.io/pause:1.0"`,
-			expectedValue: []string{"--pod-infra-container-image=registry.k8s.io/pause:1.0"},
-			expectError:   true,
+			name:          "has KUBELET_KUBEADM_ARGS line but no args",
+			fileContent:   `KUBELET_KUBEADM_ARGS=""`,
+			expectedValue: nil,
+			expectError:   false,
 		},
 		{
 			name:          "no KUBELET_KUBEADM_ARGS line",
@@ -260,8 +248,8 @@ func TestReadKubeadmFlags(t *testing.T) {
 			}
 
 			value, err := ReadKubeletDynamicEnvFile(tmpFile.Name())
-			if !tt.expectError && err != nil {
-				t.Errorf("Unexpected error: %v", err)
+			if tt.expectError != (err != nil) {
+				t.Errorf("Expect error: %v, got: %v, error: %v", tt.expectError, err != nil, err)
 			}
 
 			assert.Equal(t, tt.expectedValue, value)
diff --git a/cmd/kubeadm/app/phases/upgrade/compute.go b/cmd/kubeadm/app/phases/upgrade/compute.go
index 3463b259d7eae..806de8dae83d3 100644
--- a/cmd/kubeadm/app/phases/upgrade/compute.go
+++ b/cmd/kubeadm/app/phases/upgrade/compute.go
@@ -21,11 +21,9 @@ import (
 	"strings"
 
 	versionutil "k8s.io/apimachinery/pkg/util/version"
-	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
-	"k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/output"
 )
 
@@ -74,7 +72,7 @@ type ClusterState struct {
 
 // GetAvailableUpgrades fetches all versions from the specified VersionGetter and computes which
 // kinds of upgrades can be performed
-func GetAvailableUpgrades(versionGetterImpl VersionGetter, experimentalUpgradesAllowed, rcUpgradesAllowed bool, client clientset.Interface, printer output.Printer) ([]Upgrade, error) {
+func GetAvailableUpgrades(versionGetterImpl VersionGetter, experimentalUpgradesAllowed, rcUpgradesAllowed bool, printer output.Printer) ([]Upgrade, error) {
 	printer.Printf("[upgrade] Fetching available versions to upgrade to\n")
 
 	// Collect the upgrades kubeadm can do in this list
@@ -145,7 +143,7 @@ func GetAvailableUpgrades(versionGetterImpl VersionGetter, experimentalUpgradesA
 	}
 	isExternalEtcd := len(etcdVersions) == 0
 
-	dnsVersion, err := dns.DeployedDNSAddon(client)
+	dnsVersion, err := versionGetterImpl.DNSAddonVersion()
 	if err != nil {
 		return nil, err
 	}
diff --git a/cmd/kubeadm/app/phases/upgrade/compute_test.go b/cmd/kubeadm/app/phases/upgrade/compute_test.go
index f6255728d24cb..7745b738d0aaf 100644
--- a/cmd/kubeadm/app/phases/upgrade/compute_test.go
+++ b/cmd/kubeadm/app/phases/upgrade/compute_test.go
@@ -17,19 +17,13 @@ limitations under the License.
 package upgrade
 
 import (
-	"context"
 	"fmt"
 	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 
-	apps "k8s.io/api/apps/v1"
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	versionutil "k8s.io/apimachinery/pkg/util/version"
-	clientsetfake "k8s.io/client-go/kubernetes/fake"
-
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/output"
@@ -46,6 +40,8 @@ type fakeVersionGetter struct {
 	componentVersion       string
 	etcdVersion            string
 	isExternalEtcd         bool
+	coreDNSVersion         string
+	coreDNSError           error
 }
 
 var _ VersionGetter = &fakeVersionGetter{}
@@ -117,6 +113,10 @@ func (f *fakeVersionGetter) ComponentVersions(name string) (map[string][]string,
 	}, nil
 }
 
+func (f *fakeVersionGetter) DNSAddonVersion() (string, error) {
+	return f.coreDNSVersion, f.coreDNSError
+}
+
 const fakeCurrentEtcdVersion = "3.1.12"
 
 func getEtcdVersion(v *versionutil.Version) string {
@@ -158,22 +158,20 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		expectedUpgrades            []Upgrade
 		allowExperimental, allowRCs bool
 		errExpected                 bool
-		beforeDNSVersion            string
-		deployDNSFailed             bool
 	}{
 		{
 			name: "no action needed, already up-to-date",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: v1Y0.String(),
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   v1Y0.String(),
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       false,
@@ -181,16 +179,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "get component version failed",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: "",
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   "",
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       true,
@@ -198,16 +196,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "there is version information about multiple components",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: "multiVersion",
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   "multiVersion",
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       true,
@@ -215,16 +213,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "get kubeadm version failed",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: v1Y0.String(),
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   "",
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   v1Y0.String(),
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     "",
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       true,
@@ -232,16 +230,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "get kubelet version failed",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: v1Y0.String(),
-				kubeletVersion:   "",
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   v1Y0.String(),
+				kubeletVersion:     "",
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       true,
@@ -249,16 +247,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "deploy DNS failed",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: v1Y0.String(),
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   v1Y0.String(),
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      v1Y0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 
 			expectedUpgrades:  nil,
 			allowExperimental: false,
@@ -267,17 +265,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "get stable version from CI label failed",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y0.String(),
-				componentVersion: v1Y0.String(),
-				kubeletVersion:   v1Y0.String(),
-				kubeadmVersion:   v1Y0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y0.String(),
+				componentVersion:   v1Y0.String(),
+				kubeletVersion:     v1Y0.String(),
+				kubeadmVersion:     v1Y0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y0.String(),
 				stableVersion:      "",
+				coreDNSVersion:     "",
+				coreDNSError:       errors.New("multiple DNS addon deployment"),
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
-			deployDNSFailed:   true,
 			expectedUpgrades:  nil,
 			allowExperimental: false,
 			errExpected:       true,
@@ -285,16 +282,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "simple patch version upgrade",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y1.String(),
-				componentVersion: v1Y1.String(),
-				kubeletVersion:   v1Y1.String(), // the kubelet are on the same version as the control plane
-				kubeadmVersion:   v1Y2.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y1.String(),
+				componentVersion:   v1Y1.String(),
+				kubeletVersion:     v1Y1.String(), // the kubelet are on the same version as the control plane
+				kubeadmVersion:     v1Y2.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y3.String(),
 				stableVersion:      v1Y3.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: fmt.Sprintf("version in the v%d.%d series", v1Y0.Major(), v1Y0.Minor()),
@@ -330,16 +327,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "simple patch version upgrade with external etcd",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y1.String(),
-				componentVersion: v1Y1.String(),
-				kubeletVersion:   v1Y1.String(), // the kubelet are on the same version as the control plane
-				kubeadmVersion:   v1Y2.String(),
-				isExternalEtcd:   true,
-
+				clusterVersion:     v1Y1.String(),
+				componentVersion:   v1Y1.String(),
+				kubeletVersion:     v1Y1.String(), // the kubelet are on the same version as the control plane
+				kubeadmVersion:     v1Y2.String(),
+				isExternalEtcd:     true,
 				stablePatchVersion: v1Y3.String(),
 				stableVersion:      v1Y3.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: fmt.Sprintf("version in the v%d.%d series", v1Y0.Major(), v1Y0.Minor()),
@@ -375,16 +372,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "no version provided to offline version getter does not change behavior",
 			vg: NewOfflineVersionGetter(&fakeVersionGetter{
-				clusterVersion:   v1Y1.String(),
-				componentVersion: v1Y1.String(),
-				kubeletVersion:   v1Y1.String(), // the kubelet are on the same version as the control plane
-				kubeadmVersion:   v1Y2.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y1.String(),
+				componentVersion:   v1Y1.String(),
+				kubeletVersion:     v1Y1.String(), // the kubelet are on the same version as the control plane
+				kubeadmVersion:     v1Y2.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y3.String(),
 				stableVersion:      v1Y3.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			}, ""),
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: fmt.Sprintf("version in the v%d.%d series", v1Y0.Major(), v1Y0.Minor()),
@@ -420,16 +417,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "minor version upgrade only",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y1.String(),
-				componentVersion: v1Y1.String(),
-				kubeletVersion:   v1Y1.String(), // the kubelet are on the same version as the control plane
-				kubeadmVersion:   v1Z0.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y1.String(),
+				componentVersion:   v1Y1.String(),
+				kubeletVersion:     v1Y1.String(), // the kubelet are on the same version as the control plane
+				kubeadmVersion:     v1Z0.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y1.String(),
 				stableVersion:      v1Z0.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "stable version",
@@ -465,16 +462,16 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "both minor version upgrade and patch version upgrade available",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y3.String(),
-				componentVersion: v1Y3.String(),
-				kubeletVersion:   v1Y3.String(), // the kubelet are on the same version as the control plane
-				kubeadmVersion:   v1Y5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y3.String(),
+				componentVersion:   v1Y3.String(),
+				kubeletVersion:     v1Y3.String(), // the kubelet are on the same version as the control plane
+				kubeadmVersion:     v1Y5.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y5.String(),
 				stableVersion:      v1Z1.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: fmt.Sprintf("version in the v%d.%d series", v1Y0.Major(), v1Y0.Minor()),
@@ -537,17 +534,17 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "allow experimental upgrades, but no upgrade available",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Z0alpha2.String(),
-				componentVersion: v1Z0alpha2.String(),
-				kubeletVersion:   v1Y5.String(),
-				kubeadmVersion:   v1Y5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Z0alpha2.String(),
+				componentVersion:   v1Z0alpha2.String(),
+				kubeletVersion:     v1Y5.String(),
+				kubeadmVersion:     v1Y5.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y5.String(),
 				stableVersion:      v1Y5.String(),
 				latestVersion:      v1Z0alpha2.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion:  fakeCurrentCoreDNSVersion,
 			expectedUpgrades:  nil,
 			allowExperimental: true,
 			errExpected:       false,
@@ -555,17 +552,17 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "upgrade to an unstable version should be supported",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Y5.String(),
-				componentVersion: v1Y5.String(),
-				kubeletVersion:   v1Y5.String(),
-				kubeadmVersion:   v1Y5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Y5.String(),
+				componentVersion:   v1Y5.String(),
+				kubeletVersion:     v1Y5.String(),
+				kubeadmVersion:     v1Y5.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y5.String(),
 				stableVersion:      v1Y5.String(),
 				latestVersion:      v1Z0alpha2.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "experimental version",
@@ -601,17 +598,17 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "upgrade from an unstable version to an unstable version should be supported",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1Z0alpha1.String(),
-				componentVersion: v1Z0alpha1.String(),
-				kubeletVersion:   v1Y5.String(),
-				kubeadmVersion:   v1Y5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:     v1Z0alpha1.String(),
+				componentVersion:   v1Z0alpha1.String(),
+				kubeletVersion:     v1Y5.String(),
+				kubeadmVersion:     v1Y5.String(),
+				etcdVersion:        fakeCurrentEtcdVersion,
 				stablePatchVersion: v1Y5.String(),
 				stableVersion:      v1Y5.String(),
 				latestVersion:      v1Z0alpha2.String(),
+				coreDNSVersion:     fakeCurrentCoreDNSVersion,
+				coreDNSError:       nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "experimental version",
@@ -647,18 +644,18 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "v1.X.0-alpha.0 should be ignored",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1X5.String(),
-				componentVersion: v1X5.String(),
-				kubeletVersion:   v1X5.String(),
-				kubeadmVersion:   v1X5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:         v1X5.String(),
+				componentVersion:       v1X5.String(),
+				kubeletVersion:         v1X5.String(),
+				kubeadmVersion:         v1X5.String(),
+				etcdVersion:            fakeCurrentEtcdVersion,
 				stablePatchVersion:     v1X5.String(),
 				stableVersion:          v1X5.String(),
 				latestDevBranchVersion: v1Z0beta1.String(),
 				latestVersion:          v1Y0alpha0.String(),
+				coreDNSVersion:         fakeCurrentCoreDNSVersion,
+				coreDNSError:           nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "experimental version",
@@ -694,18 +691,18 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "upgrade to an RC version should be supported",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1X5.String(),
-				componentVersion: v1X5.String(),
-				kubeletVersion:   v1X5.String(),
-				kubeadmVersion:   v1X5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:         v1X5.String(),
+				componentVersion:       v1X5.String(),
+				kubeletVersion:         v1X5.String(),
+				kubeadmVersion:         v1X5.String(),
+				etcdVersion:            fakeCurrentEtcdVersion,
 				stablePatchVersion:     v1X5.String(),
 				stableVersion:          v1X5.String(),
 				latestDevBranchVersion: v1Z0rc1.String(),
 				latestVersion:          v1Y0alpha1.String(),
+				coreDNSVersion:         fakeCurrentCoreDNSVersion,
+				coreDNSError:           nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "release candidate version",
@@ -741,18 +738,18 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "it is possible (but very uncommon) that the latest version from the previous branch is an rc and the current latest version is alpha.0. In that case, show the RC",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1X5.String(),
-				componentVersion: v1X5.String(),
-				kubeletVersion:   v1X5.String(),
-				kubeadmVersion:   v1X5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:         v1X5.String(),
+				componentVersion:       v1X5.String(),
+				kubeletVersion:         v1X5.String(),
+				kubeadmVersion:         v1X5.String(),
+				etcdVersion:            fakeCurrentEtcdVersion,
 				stablePatchVersion:     v1X5.String(),
 				stableVersion:          v1X5.String(),
 				latestDevBranchVersion: v1Z0rc1.String(),
 				latestVersion:          v1Y0alpha0.String(),
+				coreDNSVersion:         fakeCurrentCoreDNSVersion,
+				coreDNSError:           nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "experimental version", // Note that this is considered an experimental version in this uncommon scenario
@@ -788,18 +785,18 @@ func TestGetAvailableUpgrades(t *testing.T) {
 		{
 			name: "upgrade to an RC version should be supported. There may also be an even newer unstable version.",
 			vg: &fakeVersionGetter{
-				clusterVersion:   v1X5.String(),
-				componentVersion: v1X5.String(),
-				kubeletVersion:   v1X5.String(),
-				kubeadmVersion:   v1X5.String(),
-				etcdVersion:      fakeCurrentEtcdVersion,
-
+				clusterVersion:         v1X5.String(),
+				componentVersion:       v1X5.String(),
+				kubeletVersion:         v1X5.String(),
+				kubeadmVersion:         v1X5.String(),
+				etcdVersion:            fakeCurrentEtcdVersion,
 				stablePatchVersion:     v1X5.String(),
 				stableVersion:          v1X5.String(),
 				latestDevBranchVersion: v1Z0rc1.String(),
 				latestVersion:          v1Y0alpha1.String(),
+				coreDNSVersion:         fakeCurrentCoreDNSVersion,
+				coreDNSError:           nil,
 			},
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: "release candidate version",
@@ -868,8 +865,9 @@ func TestGetAvailableUpgrades(t *testing.T) {
 				kubeletVersion:   v1Y0.String(),
 				kubeadmVersion:   v1Y1.String(),
 				etcdVersion:      fakeCurrentEtcdVersion,
+				coreDNSVersion:   fakeCurrentCoreDNSVersion,
+				coreDNSError:     nil,
 			}, v1Z1.String()),
-			beforeDNSVersion: fakeCurrentCoreDNSVersion,
 			expectedUpgrades: []Upgrade{
 				{
 					Description: fmt.Sprintf("version in the v%d.%d series", v1Y0.Major(), v1Y0.Minor()),
@@ -906,12 +904,7 @@ func TestGetAvailableUpgrades(t *testing.T) {
 	// Kubernetes release.
 	for _, rt := range tests {
 		t.Run(rt.name, func(t *testing.T) {
-
-			dnsName := constants.CoreDNSDeploymentName
-
-			client := newMockClientForTest(t, dnsName, rt.beforeDNSVersion, rt.deployDNSFailed)
-
-			actualUpgrades, actualErr := GetAvailableUpgrades(rt.vg, rt.allowExperimental, rt.allowRCs, client, &output.TextPrinter{})
+			actualUpgrades, actualErr := GetAvailableUpgrades(rt.vg, rt.allowExperimental, rt.allowRCs, &output.TextPrinter{})
 			if diff := cmp.Diff(rt.expectedUpgrades, actualUpgrades); len(diff) > 0 {
 				t.Errorf("failed TestGetAvailableUpgrades\n\texpected upgrades:\n%v\n\tgot:\n%v\n\tdiff:\n%v", rt.expectedUpgrades, actualUpgrades, diff)
 			}
@@ -1100,42 +1093,3 @@ func TestGetSuggestedEtcdVersion(t *testing.T) {
 		})
 	}
 }
-
-func newMockClientForTest(t *testing.T, dnsName string, dnsVersion string, multiDNS bool) *clientsetfake.Clientset {
-	client := clientsetfake.NewSimpleClientset()
-	createDeployment := func(name string) {
-		_, err := client.AppsV1().Deployments(metav1.NamespaceSystem).Create(context.TODO(), &apps.Deployment{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       "Deployment",
-				APIVersion: "apps/v1",
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      dnsName + name,
-				Namespace: "kube-system",
-				Labels: map[string]string{
-					"k8s-app": "kube-dns",
-				},
-			},
-			Spec: apps.DeploymentSpec{
-				Template: v1.PodTemplateSpec{
-					Spec: v1.PodSpec{
-						Containers: []v1.Container{
-							{
-								Image: "test:" + dnsVersion + name,
-							},
-						},
-					},
-				},
-			},
-		}, metav1.CreateOptions{})
-		if err != nil {
-			t.Fatalf("error creating deployment: %v", err)
-		}
-	}
-
-	createDeployment("")
-	if multiDNS {
-		createDeployment("dns2")
-	}
-	return client
-}
diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
index 5ffe1cdf2e728..53132b6b7cb5a 100644
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
@@ -22,6 +22,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -95,21 +96,9 @@ func UnupgradedControlPlaneInstances(client clientset.Interface, nodeName string
 }
 
 // WriteKubeletConfigFiles writes the kubelet config file to disk, but first creates a backup of any existing one.
-func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir string, patchesDir string, dryRun bool, out io.Writer) error {
-	var (
-		err        error
-		kubeletDir = kubeadmconstants.KubeletRunDirectory
-	)
-	// If dry-running, this will return a directory under /etc/kubernetes/tmp or kubeletConfigDir.
-	if dryRun {
-		kubeletDir, err = kubeadmconstants.CreateTempDir(kubeletConfigDir, "kubeadm-upgrade-dryrun")
-	}
-	if err != nil {
-		// The error here should never occur in reality, would only be thrown if /tmp doesn't exist on the machine.
-		return err
-	}
-	// Create a copy of the kubelet config file in the /etc/kubernetes/tmp or kubeletConfigDir.
-	backupDir, err := kubeadmconstants.CreateTempDir(kubeletConfigDir, "kubeadm-kubelet-config")
+func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletDir string, kubeConfigDir string, patchesDir string, dryRun bool, out io.Writer) error {
+	// Create a copy of the kubelet config file in the /etc/kubernetes/tmp or kubeConfigDir.
+	backupDir, err := kubeadmconstants.CreateTimestampDir(kubeConfigDir, "kubeadm-kubelet-config")
 	if err != nil {
 		return err
 	}
@@ -120,13 +109,13 @@ func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir
 	dest := filepath.Join(backupDir, kubeadmconstants.KubeletConfigurationFileName)
 
 	if !dryRun {
-		fmt.Printf("[upgrade] Backing up kubelet config file to %s\n", dest)
+		_, _ = fmt.Fprintf(out, "[upgrade] Backing up kubelet config file to %s\n", dest)
 		err := kubeadmutil.CopyFile(src, dest)
 		if err != nil {
 			return errors.Wrap(err, "error backing up the kubelet config file")
 		}
 	} else {
-		fmt.Printf("[dryrun] Would back up kubelet config file to %s\n", dest)
+		_, _ = fmt.Fprintf(out, "[dryrun] Would back up kubelet config file to %s\n", dest)
 	}
 
 	if features.Enabled(cfg.FeatureGates, features.NodeLocalCRISocket) {
@@ -154,7 +143,7 @@ func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir
 					}
 				}
 			} else if dryRun {
-				fmt.Fprintf(os.Stdout, "[dryrun] would read the flag --container-runtime-endpoint value from %q, which is missing. "+
+				_, _ = fmt.Fprintf(out, "[dryrun] would read the flag --container-runtime-endpoint value from %q, which is missing. "+
 					"Using default socket %q instead", kubeadmconstants.KubeletEnvFileName, kubeadmconstants.DefaultCRISocket)
 				containerRuntimeEndpoint = kubeadmconstants.DefaultCRISocket
 			} else {
@@ -170,7 +159,7 @@ func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir
 			}
 
 			if dryRun { // Print what contents would be written
-				err = dryrunutil.PrintDryRunFile(kubeadmconstants.KubeletInstanceConfigurationFileName, kubeletDir, kubeadmconstants.KubeletRunDirectory, os.Stdout)
+				err = dryrunutil.PrintDryRunFile(kubeadmconstants.KubeletInstanceConfigurationFileName, kubeletDir, kubeadmconstants.KubeletRunDirectory, out)
 				if err != nil {
 					return errors.Wrap(err, "error printing kubelet instance configuration file on dryrun")
 				}
@@ -184,7 +173,7 @@ func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir
 	}
 
 	if dryRun { // Print what contents would be written
-		err := dryrunutil.PrintDryRunFile(kubeadmconstants.KubeletConfigurationFileName, kubeletDir, kubeadmconstants.KubeletRunDirectory, os.Stdout)
+		err := dryrunutil.PrintDryRunFile(kubeadmconstants.KubeletConfigurationFileName, kubeletDir, kubeadmconstants.KubeletRunDirectory, out)
 		if err != nil {
 			return errors.Wrap(err, "error printing kubelet configuration file on dryrun")
 		}
@@ -192,10 +181,59 @@ func WriteKubeletConfigFiles(cfg *kubeadmapi.InitConfiguration, kubeletConfigDir
 	return nil
 }
 
-// UpdateKubeletKubeconfigServer changes the Server URL in the kubelets kubeconfig if necessary depending on the
-// ControlPlaneKubeletLocalMode feature gate.
-// TODO: remove this function once ControlPlaneKubeletLocalMode goes GA and is hardcoded to be enabled by default:
-// https://github.com/kubernetes/kubeadm/issues/2271
+// RemoveKubeletArgsFromFile removes unwanted kubelet flags from the existing KubeletEnvFile file,
+// but first creates a backup of the existing file.
+func RemoveKubeletArgsFromFile(kubeletDir string, kubeConfigDir string, unwantedFlags []string, dryRun bool, out io.Writer) error {
+	// If there are no unwanted flags, do nothing.
+	if len(unwantedFlags) == 0 {
+		return nil
+	}
+
+	// For dry run mode, we can not access the real kubelet env file in the dry-run directory, so we only print the unwanted flags instead.
+	if dryRun {
+		_, _ = fmt.Fprintf(out, "[dryrun] Would remove unwanted kubelet flags %v from %s\n", unwantedFlags, kubeadmconstants.KubeletEnvFileName)
+		return nil
+	}
+
+	// Create a copy of the KubeletEnvFile in the /etc/kubernetes/tmp or kubeConfigDir.
+	backupDir, err := kubeadmconstants.CreateTempDir(kubeConfigDir, "kubeadm-kubelet-env")
+	if err != nil {
+		return err
+	}
+	klog.Warningf("Using temporary directory %s for kubelet env file. To override it set the environment variable %s",
+		backupDir, kubeadmconstants.EnvVarUpgradeDryRunDir)
+
+	src := filepath.Join(kubeletDir, kubeadmconstants.KubeletEnvFileName)
+	dest := filepath.Join(backupDir, kubeadmconstants.KubeletEnvFileName)
+
+	_, _ = fmt.Fprintf(out, "[upgrade] Backing up kubelet env file to %s\n", dest)
+	err = kubeadmutil.CopyFile(src, dest)
+	if err != nil {
+		return errors.Wrap(err, "error backing up the kubelet env file")
+	}
+
+	var kubeletFlags []kubeadmapi.Arg
+	command, err := kubeletphase.ReadKubeletDynamicEnvFile(src)
+	if err != nil {
+		return errors.Wrap(err, "error reading kubelet env file")
+	}
+	args := kubeadmutil.ArgumentsFromCommand(command)
+	for _, arg := range args {
+		if slices.Contains(unwantedFlags, arg.Name) {
+			continue
+		}
+		kubeletFlags = append(kubeletFlags, arg)
+	}
+	// Rewrite env file if needed
+	if len(args) != len(kubeletFlags) {
+		if err := kubeletphase.WriteKubeletArgsToFile(kubeletFlags, nil, kubeletDir); err != nil {
+			return errors.Wrap(err, "error writing kubelet env file")
+		}
+	}
+	return nil
+}
+
+// UpdateKubeletKubeconfigServer changes the Server URL in the kubelet's kubeconfig if necessary.
 func UpdateKubeletKubeconfigServer(cfg *kubeadmapi.InitConfiguration, dryRun bool) error {
 	kubeletKubeConfigFilePath := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.KubeletKubeConfigFileName)
 
@@ -228,21 +266,12 @@ func UpdateKubeletKubeconfigServer(cfg *kubeadmapi.InitConfiguration, dryRun boo
 	}
 
 	var targetServer string
-	if features.Enabled(cfg.FeatureGates, features.ControlPlaneKubeletLocalMode) {
-		// Skip changing kubeconfig file if Server does not match the ControlPlaneEndpoint.
-		if config.Clusters[configContext.Cluster].Server != controlPlaneAPIEndpoint || controlPlaneAPIEndpoint == localAPIEndpoint {
-			klog.V(2).Infof("Skipping update of the Server URL in %s, because it's already not equal to %q or already matches the localAPIEndpoint", kubeletKubeConfigFilePath, controlPlaneAPIEndpoint)
-			return nil
-		}
-		targetServer = localAPIEndpoint
-	} else {
-		// Skip changing kubeconfig file if Server does not match the localAPIEndpoint.
-		if config.Clusters[configContext.Cluster].Server != localAPIEndpoint {
-			klog.V(2).Infof("Skipping update of the Server URL in %s, because it already matches the controlPlaneAPIEndpoint", kubeletKubeConfigFilePath)
-			return nil
-		}
-		targetServer = controlPlaneAPIEndpoint
+	// Skip changing kubeconfig file if Server does not match the ControlPlaneEndpoint.
+	if config.Clusters[configContext.Cluster].Server != controlPlaneAPIEndpoint || controlPlaneAPIEndpoint == localAPIEndpoint {
+		klog.V(2).Infof("Skipping update of the Server URL in %s, because it's already not equal to %q or already matches the localAPIEndpoint", kubeletKubeConfigFilePath, controlPlaneAPIEndpoint)
+		return nil
 	}
+	targetServer = localAPIEndpoint
 
 	if dryRun {
 		fmt.Printf("[dryrun] Would change the Server URL from %q to %q in %s and try to restart kubelet\n", config.Clusters[configContext.Cluster].Server, targetServer, kubeletKubeConfigFilePath)
diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade_test.go b/cmd/kubeadm/app/phases/upgrade/postupgrade_test.go
index 6dc145c71ab45..2178e7d068f48 100644
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade_test.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package upgrade
 
 import (
+	"io"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -26,12 +27,14 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/diff"
 	errorsutil "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/kubernetes/fake"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	"k8s.io/kubernetes/cmd/kubeadm/app/componentconfigs"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	kubeletphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/kubelet"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
 
@@ -142,13 +145,111 @@ func TestWriteKubeletConfigFiles(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		err := WriteKubeletConfigFiles(tc.cfg, tempDir, tc.patchesDir, true, os.Stdout)
+		err := WriteKubeletConfigFiles(tc.cfg, tempDir, tempDir, tc.patchesDir, true, os.Stdout)
 		if (err != nil) != tc.expectedError {
 			t.Fatalf("expected error: %v, got: %v, error: %v", tc.expectedError, err != nil, err)
 		}
 	}
 }
 
+func TestRemoveKubeletArgsFromFile(t *testing.T) {
+	testCases := []struct {
+		name            string
+		kubeletFlags    []kubeadmapi.Arg
+		unwantedFlags   []string
+		wantErr         bool
+		wantFileContent string
+	}{
+		{
+			name: "remove an existing flag",
+			kubeletFlags: []kubeadmapi.Arg{
+				{Name: "node-ip", Value: "172.18.0.2"},
+				{Name: "node-labels", Value: ""},
+				{Name: "pod-infra-container-image", Value: "registry.k8s.io/pause:ver"},
+				{Name: "provider-id", Value: "kind://docker/kind/kind-control-plane"},
+			},
+			unwantedFlags: []string{
+				"pod-infra-container-image",
+			},
+			wantErr: false,
+			wantFileContent: `KUBELET_KUBEADM_ARGS="--node-ip=172.18.0.2 --node-labels= --provider-id=kind://docker/kind/kind-control-plane"
+`,
+		},
+		{
+			name: "remove multiple existing flags",
+			kubeletFlags: []kubeadmapi.Arg{
+				{Name: "node-ip", Value: "172.18.0.2"},
+				{Name: "node-labels", Value: ""},
+				{Name: "pod-infra-container-image", Value: "registry.k8s.io/pause:ver"},
+				{Name: "provider-id", Value: "kind://docker/kind/kind-control-plane"},
+			},
+			unwantedFlags: []string{
+				"pod-infra-container-image",
+				"node-labels",
+			},
+			wantErr: false,
+			wantFileContent: `KUBELET_KUBEADM_ARGS="--node-ip=172.18.0.2 --provider-id=kind://docker/kind/kind-control-plane"
+`,
+		},
+		{
+			name: "remove non-existing flags",
+			kubeletFlags: []kubeadmapi.Arg{
+				{Name: "node-ip", Value: "172.18.0.2"},
+				{Name: "node-labels", Value: ""},
+				{Name: "pod-infra-container-image", Value: "registry.k8s.io/pause:ver"},
+				{Name: "provider-id", Value: "kind://docker/kind/kind-control-plane"},
+			},
+			unwantedFlags: []string{
+				"foo",
+			},
+			wantErr: false,
+			wantFileContent: `KUBELET_KUBEADM_ARGS="--node-ip=172.18.0.2 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:ver --provider-id=kind://docker/kind/kind-control-plane"
+`,
+		},
+		{
+			name: "remove multiple flags mixed with non-existing and existing flags",
+			kubeletFlags: []kubeadmapi.Arg{
+				{Name: "node-ip", Value: "172.18.0.2"},
+				{Name: "node-labels", Value: ""},
+				{Name: "pod-infra-container-image", Value: "registry.k8s.io/pause:ver"},
+				{Name: "provider-id", Value: "kind://docker/kind/kind-control-plane"},
+			},
+			unwantedFlags: []string{
+				"pod-infra-container-image",
+				"foo",
+			},
+			wantErr: false,
+			wantFileContent: `KUBELET_KUBEADM_ARGS="--node-ip=172.18.0.2 --node-labels= --provider-id=kind://docker/kind/kind-control-plane"
+`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+
+			err := kubeletphase.WriteKubeletArgsToFile(tc.kubeletFlags, nil, tempDir)
+			if err != nil {
+				t.Fatalf("Failed to write kubeadm-flags.env file: %v", err)
+			}
+
+			err = RemoveKubeletArgsFromFile(tempDir, tempDir, tc.unwantedFlags, false, io.Discard)
+			if (err != nil) != tc.wantErr {
+				t.Fatalf("expected error: %v, got: %v, error: %v", tc.wantErr, err != nil, err)
+			}
+
+			kubeletEnvFilePath := filepath.Join(tempDir, constants.KubeletEnvFileName)
+			fileContent, err := os.ReadFile(kubeletEnvFilePath)
+			if err != nil {
+				t.Fatalf("Failed to read kubelet.env file: %v", err)
+			}
+			if gotOut := string(fileContent); gotOut != tc.wantFileContent {
+				t.Fatalf("Actual modified content of RemoveKubeletArgsFromFile() does not match expected.\nActual:  %v\nExpected: %v\n, Diff: %v", gotOut, tc.wantFileContent, diff.Diff(gotOut, tc.wantFileContent))
+			}
+		})
+	}
+}
+
 func TestUnupgradedControlPlaneInstances(t *testing.T) {
 	testCases := []struct {
 		name          string
diff --git a/cmd/kubeadm/app/phases/upgrade/versiongetter.go b/cmd/kubeadm/app/phases/upgrade/versiongetter.go
index ef07a463cf9cb..f1b75c1547152 100644
--- a/cmd/kubeadm/app/phases/upgrade/versiongetter.go
+++ b/cmd/kubeadm/app/phases/upgrade/versiongetter.go
@@ -28,6 +28,7 @@ import (
 	"k8s.io/component-base/version"
 
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	"k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/image"
@@ -46,6 +47,8 @@ type VersionGetter interface {
 	KubeletVersions() (map[string][]string, error)
 	// ComponentVersions should return a map with a version and a list of node names that describes how many a given control-plane components there are for that version
 	ComponentVersions(string) (map[string][]string, error)
+	// DNSAddonVersion returns, if deployed, the CoreDNS image tag
+	DNSAddonVersion() (string, error)
 }
 
 // KubeVersionGetter handles the version-fetching mechanism from external sources
@@ -130,6 +133,11 @@ func (g *KubeVersionGetter) KubeletVersions() (map[string][]string, error) {
 	return kubeletVersions, nil
 }
 
+// DNSAddonVersion returns the CoreDNS image deployed in the cluster, or an error in case of multiple instances.
+func (g *KubeVersionGetter) DNSAddonVersion() (string, error) {
+	return dns.DeployedDNSAddon(g.client)
+}
+
 // ComponentVersions gets the versions of the control-plane components in the cluster.
 // The name parameter is the name of the component to get the versions for.
 // The function returns a map with the version as the key and a list of node names as the value.
diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go
index bc99a641bb66d..562c9cc87f23d 100644
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -73,7 +73,10 @@ type Checker interface {
 
 // ContainerRuntimeCheck verifies the container runtime.
 type ContainerRuntimeCheck struct {
-	runtime utilruntime.ContainerRuntime
+	criSocket string
+
+	// stubbed out for testing
+	impl utilruntime.Impl
 }
 
 // Name returns label for RuntimeCheck.
@@ -84,12 +87,62 @@ func (ContainerRuntimeCheck) Name() string {
 // Check validates the container runtime
 func (crc ContainerRuntimeCheck) Check() (warnings, errorList []error) {
 	klog.V(1).Infoln("validating the container runtime")
-	if err := crc.runtime.IsRunning(); err != nil {
+	containerRuntime := utilruntime.NewContainerRuntime(crc.criSocket)
+	if crc.impl != nil {
+		containerRuntime.SetImpl(crc.impl)
+	}
+	if err := containerRuntime.Connect(); err != nil {
+		return nil, []error{errors.Wrap(err, "could not connect to the container runtime")}
+	}
+	defer containerRuntime.Close()
+
+	if err := containerRuntime.IsRunning(); err != nil {
 		errorList = append(errorList, err)
 	}
 	return warnings, errorList
 }
 
+// ContainerRuntimeVersionCheck verifies the version compatibility between installed container runtime and kubelet.
+type ContainerRuntimeVersionCheck struct {
+	criSocket string
+
+	// stubbed out for testing
+	impl utilruntime.Impl
+}
+
+// Name returns label for RuntimeCheck.
+func (ContainerRuntimeVersionCheck) Name() string {
+	return "ContainerRuntimeVersion"
+}
+
+// Check validates the container runtime version compatibility with kubelet.
+func (crvc ContainerRuntimeVersionCheck) Check() (warnings, errorList []error) {
+	klog.V(1).Infoln("validating the container runtime version compatibility")
+	containerRuntime := utilruntime.NewContainerRuntime(crvc.criSocket)
+	if crvc.impl != nil {
+		containerRuntime.SetImpl(crvc.impl)
+	}
+	if err := containerRuntime.Connect(); err != nil {
+		return nil, []error{errors.Wrap(err, "could not connect to the container runtime")}
+	}
+	defer containerRuntime.Close()
+
+	ok, err := containerRuntime.IsRuntimeConfigImplemented()
+	if err != nil {
+		return nil, []error{errors.Wrap(err, "could not check if the runtime config is available")}
+	}
+	if !ok {
+		// TODO: return an error once the kubelet version is 1.36 or higher.
+		// https://github.com/kubernetes/kubeadm/issues/3229
+		err := errors.New("You must update your container runtime to a version that supports the CRI method RuntimeConfig. " +
+			"Falling back to using cgroupDriver from kubelet config will be removed in 1.36. " +
+			"For more information, see https://git.k8s.io/enhancements/keps/sig-node/4033-group-driver-detection-over-cri")
+		warnings = append(warnings, err)
+	}
+
+	return warnings, errorList
+}
+
 // ServiceCheck verifies that the given service is enabled and active. If we do not
 // detect a supported init system however, all checks are skipped and a warning is
 // returned.
@@ -104,7 +157,7 @@ func (sc ServiceCheck) Name() string {
 	if sc.Label != "" {
 		return sc.Label
 	}
-	return fmt.Sprintf("Service-%s", strings.Title(sc.Service))
+	return fmt.Sprintf("Service-%s", sc.Service)
 }
 
 // Check validates if the service is enabled and active.
@@ -483,7 +536,10 @@ func (subnet HTTPProxyCIDRCheck) Check() (warnings, errorList []error) {
 }
 
 // SystemVerificationCheck defines struct used for running the system verification node check in test/e2e_node/system
-type SystemVerificationCheck struct{}
+type SystemVerificationCheck struct {
+	isUpgrade bool
+	exec      utilsexec.Interface
+}
 
 // Name will return SystemVerification as name for SystemVerificationCheck
 func (SystemVerificationCheck) Name() string {
@@ -492,7 +548,7 @@ func (SystemVerificationCheck) Name() string {
 
 // Check runs all individual checks
 func (sysver SystemVerificationCheck) Check() (warnings, errorList []error) {
-	klog.V(1).Infoln("running all checks")
+	klog.V(1).Infoln("running system verification checks")
 	// Create a buffered writer and choose a quite large value (1M) and suppose the output from the system verification test won't exceed the limit
 	// Run the system verification check, but write to out buffered writer instead of stdout
 	bufw := bufio.NewWriterSize(os.Stdout, 1*1024*1024)
@@ -504,7 +560,18 @@ func (sysver SystemVerificationCheck) Check() (warnings, errorList []error) {
 	var validators = []system.Validator{
 		&system.KernelValidator{Reporter: reporter}}
 
-	validators = addOSValidator(validators, reporter)
+	// Account for the KubeletVersion in the CgroupsValidator added
+	// as part of addOSValidator().
+	kubeletVersion, err := GetKubeletVersion(sysver.exec)
+	if err != nil {
+		return nil, []error{errors.Wrap(err, "couldn't get kubelet version")}
+	}
+	// During upgrade we want to check the next kubelet MINOR version.
+	// The below approach does not support k8s MAJOR version bumps.
+	if sysver.isUpgrade {
+		kubeletVersion = kubeletVersion.WithMinor(kubeletVersion.Minor() + 1)
+	}
+	validators = addOSValidator(validators, reporter, kubeletVersion.String())
 
 	// Run all validators
 	for _, v := range validators {
@@ -661,7 +728,7 @@ func (evc ExternalEtcdVersionCheck) Check() (warnings, errorList []error) {
 	klog.V(1).Infoln("validating the external etcd version")
 
 	// Return quickly if the user isn't using external etcd
-	if evc.Etcd.External.Endpoints == nil {
+	if len(evc.Etcd.External.HTTPEndpoints) == 0 {
 		return nil, nil
 	}
 
@@ -677,7 +744,7 @@ func (evc ExternalEtcdVersionCheck) Check() (warnings, errorList []error) {
 	}
 
 	client := evc.getHTTPClient(config)
-	for _, endpoint := range evc.Etcd.External.Endpoints {
+	for _, endpoint := range evc.Etcd.External.HTTPEndpoints {
 		if _, err := url.Parse(endpoint); err != nil {
 			errorList = append(errorList, errors.Wrapf(err, "failed to parse external etcd endpoint %s", endpoint))
 			continue
@@ -792,11 +859,14 @@ func getEtcdVersionResponse(client *http.Client, url string, target interface{})
 
 // ImagePullCheck will pull container images used by kubeadm
 type ImagePullCheck struct {
-	runtime         utilruntime.ContainerRuntime
+	criSocket       string
 	imageList       []string
 	sandboxImage    string
 	imagePullPolicy v1.PullPolicy
 	imagePullSerial bool
+
+	// stubbed out for testing
+	impl utilruntime.Impl
 }
 
 // Name returns the label for ImagePullCheck
@@ -806,6 +876,15 @@ func (ImagePullCheck) Name() string {
 
 // Check pulls images required by kubeadm. This is a mutating check
 func (ipc ImagePullCheck) Check() (warnings, errorList []error) {
+	containerRuntime := utilruntime.NewContainerRuntime(ipc.criSocket)
+	if ipc.impl != nil {
+		containerRuntime.SetImpl(ipc.impl)
+	}
+	if err := containerRuntime.Connect(); err != nil {
+		return nil, []error{errors.Wrap(err, "could not connect to the container runtime")}
+	}
+	defer containerRuntime.Close()
+
 	// Handle unsupported image pull policy and policy Never.
 	policy := ipc.imagePullPolicy
 	switch policy {
@@ -820,7 +899,7 @@ func (ipc ImagePullCheck) Check() (warnings, errorList []error) {
 	}
 
 	// Handle CRI sandbox image warnings.
-	criSandboxImage, err := ipc.runtime.SandboxImage()
+	criSandboxImage, err := containerRuntime.SandboxImage()
 	if err != nil {
 		klog.V(4).Infof("failed to detect the sandbox image for local container runtime, %v", err)
 	} else if criSandboxImage != ipc.sandboxImage {
@@ -830,7 +909,7 @@ func (ipc ImagePullCheck) Check() (warnings, errorList []error) {
 
 	// Perform parallel pulls.
 	if !ipc.imagePullSerial {
-		if err := ipc.runtime.PullImagesInParallel(ipc.imageList, policy == v1.PullIfNotPresent); err != nil {
+		if err := containerRuntime.PullImagesInParallel(ipc.imageList, policy == v1.PullIfNotPresent); err != nil {
 			errorList = append(errorList, err)
 		}
 		return warnings, errorList
@@ -840,14 +919,14 @@ func (ipc ImagePullCheck) Check() (warnings, errorList []error) {
 	for _, image := range ipc.imageList {
 		switch policy {
 		case v1.PullIfNotPresent:
-			if ipc.runtime.ImageExists(image) {
+			if containerRuntime.ImageExists(image) {
 				klog.V(1).Infof("image exists: %s", image)
 				continue
 			}
 			fallthrough // Proceed with pulling the image if it does not exist
 		case v1.PullAlways:
 			klog.V(1).Infof("pulling: %s", image)
-			if err := ipc.runtime.PullImage(image); err != nil {
+			if err := containerRuntime.PullImage(image); err != nil {
 				errorList = append(errorList, errors.WithMessagef(err, "failed to pull image %s", image))
 			}
 		}
@@ -1041,18 +1120,14 @@ func RunJoinNodeChecks(execer utilsexec.Interface, cfg *kubeadmapi.JoinConfigura
 // addCommonChecks is a helper function to duplicate checks that are common between both the
 // kubeadm init and join commands
 func addCommonChecks(execer utilsexec.Interface, k8sVersion string, nodeReg *kubeadmapi.NodeRegistrationOptions, checks []Checker) []Checker {
-	containerRuntime := utilruntime.NewContainerRuntime(nodeReg.CRISocket)
-	if err := containerRuntime.Connect(); err != nil {
-		klog.Warningf("[preflight] WARNING: Couldn't create the interface used for talking to the container runtime: %v\n", err)
-	} else {
-		checks = append(checks, ContainerRuntimeCheck{runtime: containerRuntime})
-	}
+	checks = append(checks, ContainerRuntimeCheck{criSocket: nodeReg.CRISocket})
+	checks = append(checks, ContainerRuntimeVersionCheck{criSocket: nodeReg.CRISocket})
 
 	// non-windows checks
 	checks = addSwapCheck(checks)
 	checks = addExecChecks(checks, execer, k8sVersion)
 	checks = append(checks,
-		SystemVerificationCheck{},
+		SystemVerificationCheck{isUpgrade: false, exec: execer},
 		HostnameCheck{nodeName: nodeReg.Name},
 		KubeletVersionCheck{KubernetesVersion: k8sVersion, exec: execer},
 		ServiceCheck{Service: "kubelet", CheckIfActive: false},
@@ -1070,9 +1145,10 @@ func RunRootCheckOnly(ignorePreflightErrors sets.Set[string]) error {
 }
 
 // RunUpgradeChecks initializes checks slice of structs and call RunChecks
-func RunUpgradeChecks(ignorePreflightErrors sets.Set[string]) error {
+func RunUpgradeChecks(execer utilsexec.Interface, cfg *kubeadmapi.InitConfiguration, ignorePreflightErrors sets.Set[string]) error {
 	checks := []Checker{
-		SystemVerificationCheck{},
+		SystemVerificationCheck{isUpgrade: true, exec: execer},
+		ContainerRuntimeVersionCheck{criSocket: cfg.NodeRegistration.CRISocket},
 	}
 
 	return RunChecks(checks, os.Stderr, ignorePreflightErrors)
@@ -1080,11 +1156,6 @@ func RunUpgradeChecks(ignorePreflightErrors sets.Set[string]) error {
 
 // RunPullImagesCheck will pull images kubeadm needs if they are not found on the system
 func RunPullImagesCheck(execer utilsexec.Interface, cfg *kubeadmapi.InitConfiguration, ignorePreflightErrors sets.Set[string]) error {
-	containerRuntime := utilruntime.NewContainerRuntime(cfg.NodeRegistration.CRISocket)
-	if err := containerRuntime.Connect(); err != nil {
-		return handleError(os.Stderr, err.Error())
-	}
-
 	serialPull := true
 	if cfg.NodeRegistration.ImagePullSerial != nil {
 		serialPull = *cfg.NodeRegistration.ImagePullSerial
@@ -1092,7 +1163,7 @@ func RunPullImagesCheck(execer utilsexec.Interface, cfg *kubeadmapi.InitConfigur
 
 	checks := []Checker{
 		ImagePullCheck{
-			runtime:         containerRuntime,
+			criSocket:       cfg.NodeRegistration.CRISocket,
 			imageList:       images.GetControlPlaneImages(&cfg.ClusterConfiguration),
 			sandboxImage:    images.GetPauseImage(&cfg.ClusterConfiguration),
 			imagePullPolicy: cfg.NodeRegistration.ImagePullPolicy,
diff --git a/cmd/kubeadm/app/preflight/checks_linux.go b/cmd/kubeadm/app/preflight/checks_linux.go
index 3e4bb702caf1a..e5aa7a907796b 100644
--- a/cmd/kubeadm/app/preflight/checks_linux.go
+++ b/cmd/kubeadm/app/preflight/checks_linux.go
@@ -46,8 +46,11 @@ func (mc MemCheck) Check() (warnings, errorList []error) {
 }
 
 // addOSValidator adds a new OSValidator
-func addOSValidator(validators []system.Validator, reporter *system.StreamReporter) []system.Validator {
-	validators = append(validators, &system.OSValidator{Reporter: reporter}, &system.CgroupsValidator{Reporter: reporter})
+func addOSValidator(validators []system.Validator, reporter *system.StreamReporter, kubeletVersion string) []system.Validator {
+	validators = append(validators,
+		&system.OSValidator{Reporter: reporter},
+		&system.CgroupsValidator{Reporter: reporter, KubeletVersion: kubeletVersion},
+	)
 	return validators
 }
 
diff --git a/cmd/kubeadm/app/preflight/checks_other.go b/cmd/kubeadm/app/preflight/checks_other.go
index d790d7d46f39e..9756849ac8c82 100644
--- a/cmd/kubeadm/app/preflight/checks_other.go
+++ b/cmd/kubeadm/app/preflight/checks_other.go
@@ -25,7 +25,7 @@ import (
 
 // addOSValidator adds a new OSValidator
 // No-op for Darwin (MacOS), Windows.
-func addOSValidator(validators []system.Validator, _ *system.StreamReporter) []system.Validator {
+func addOSValidator(validators []system.Validator, _ *system.StreamReporter, _ string) []system.Validator {
 	return validators
 }
 
diff --git a/cmd/kubeadm/app/preflight/checks_test.go b/cmd/kubeadm/app/preflight/checks_test.go
index 1720677797f8b..1f61802617b42 100644
--- a/cmd/kubeadm/app/preflight/checks_test.go
+++ b/cmd/kubeadm/app/preflight/checks_test.go
@@ -28,6 +28,8 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/lithammer/dedent"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/version"
@@ -39,6 +41,7 @@ import (
 	kubeadmapiv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta4"
 	configutil "k8s.io/kubernetes/cmd/kubeadm/app/util/config"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
+	utilruntime "k8s.io/kubernetes/cmd/kubeadm/app/util/runtime"
 )
 
 var (
@@ -1021,3 +1024,84 @@ func TestJoinIPCheck(t *testing.T) {
 		})
 	}
 }
+
+func TestContainerRuntimeCheck(t *testing.T) {
+	tests := []struct {
+		name           string
+		prepare        func(*utilruntime.FakeImpl)
+		expectErrors   int
+		expectWarnings int
+	}{
+		{
+			name: "ok",
+		},
+		{
+			name: "container runtime is not running",
+			prepare: func(mock *utilruntime.FakeImpl) {
+				mock.StatusReturns(nil, errors.New("not running"))
+			},
+			expectErrors: 1,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			mock := &utilruntime.FakeImpl{}
+			if test.prepare != nil {
+				test.prepare(mock)
+			}
+
+			warnings, errors := ContainerRuntimeCheck{impl: mock}.Check()
+			if len(warnings) != test.expectWarnings {
+				t.Errorf("expected %d warning(s) but got %d: %q", test.expectWarnings, len(warnings), warnings)
+			}
+			if len(errors) != test.expectErrors {
+				t.Errorf("expected %d error(s) but got %d: %q", test.expectErrors, len(errors), errors)
+			}
+		})
+	}
+}
+
+func TestContainerRuntimeVersionCheck(t *testing.T) {
+	tests := []struct {
+		name           string
+		prepare        func(*utilruntime.FakeImpl)
+		expectErrors   int
+		expectWarnings int
+	}{
+		{
+			name: "ok",
+		},
+		{
+			name: "runtime config not implemented",
+			prepare: func(mock *utilruntime.FakeImpl) {
+				mock.RuntimeConfigReturns(nil, status.New(codes.Unimplemented, "not implemented").Err())
+			},
+			expectWarnings: 1,
+		},
+		{
+			name: "call RuntimeConfig fails",
+			prepare: func(mock *utilruntime.FakeImpl) {
+				mock.RuntimeConfigReturns(nil, status.New(codes.DeadlineExceeded, "deadline exceeded").Err())
+			},
+			expectErrors: 1,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			mock := &utilruntime.FakeImpl{}
+			if test.prepare != nil {
+				test.prepare(mock)
+			}
+
+			warnings, errors := ContainerRuntimeVersionCheck{impl: mock}.Check()
+			if len(warnings) != test.expectWarnings {
+				t.Errorf("expected %d warning(s) but got %d: %q", test.expectWarnings, len(warnings), warnings)
+			}
+			if len(errors) != test.expectErrors {
+				t.Errorf("expected %d error(s) but got %d: %q", test.expectErrors, len(errors), errors)
+			}
+		})
+	}
+}
diff --git a/cmd/kubeadm/app/util/apiclient/dryrun.go b/cmd/kubeadm/app/util/apiclient/dryrun.go
index 1fa69d3931c65..b52e4aa6fd2e8 100644
--- a/cmd/kubeadm/app/util/apiclient/dryrun.go
+++ b/cmd/kubeadm/app/util/apiclient/dryrun.go
@@ -567,9 +567,6 @@ func getNode(name string) *corev1.Node {
 			Labels: map[string]string{
 				"kubernetes.io/hostname": name,
 			},
-			Annotations: map[string]string{
-				constants.AnnotationKubeadmCRISocket: "dry-run-cri-socket",
-			},
 		},
 	}
 }
diff --git a/cmd/kubeadm/app/util/apiclient/idempotency.go b/cmd/kubeadm/app/util/apiclient/idempotency.go
index 1e97385d6767f..d02b1b9c406fe 100644
--- a/cmd/kubeadm/app/util/apiclient/idempotency.go
+++ b/cmd/kubeadm/app/util/apiclient/idempotency.go
@@ -192,10 +192,7 @@ func PatchNodeOnce(client clientset.Interface, nodeName string, patchFn func(*v1
 
 		if _, err := client.CoreV1().Nodes().Patch(ctx, n.Name, types.StrategicMergePatchType, patchBytes, metav1.PatchOptions{}); err != nil {
 			*lastError = errors.Wrapf(err, "error patching Node %q", n.Name)
-			if apierrors.IsTimeout(err) || apierrors.IsConflict(err) || apierrors.IsServerTimeout(err) || apierrors.IsServiceUnavailable(err) {
-				return false, nil
-			}
-			return false, *lastError
+			return false, nil
 		}
 
 		return true, nil
diff --git a/cmd/kubeadm/app/util/apiclient/idempotency_test.go b/cmd/kubeadm/app/util/apiclient/idempotency_test.go
index 02a3a2ddcb51d..a9fac6b5ab8cf 100644
--- a/cmd/kubeadm/app/util/apiclient/idempotency_test.go
+++ b/cmd/kubeadm/app/util/apiclient/idempotency_test.go
@@ -386,54 +386,6 @@ func TestPatchNodeOnce(t *testing.T) {
 			},
 			success: false,
 		},
-		{
-			name:       "patch node when timeout",
-			lookupName: "testnode",
-			node: v1.Node{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:   "testnode",
-					Labels: map[string]string{v1.LabelHostname: ""},
-				},
-			},
-			success:   false,
-			fakeError: apierrors.NewTimeoutError("fake timeout", -1),
-		},
-		{
-			name:       "patch node when conflict",
-			lookupName: "testnode",
-			node: v1.Node{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:   "testnode",
-					Labels: map[string]string{v1.LabelHostname: ""},
-				},
-			},
-			success:   false,
-			fakeError: apierrors.NewConflict(schema.GroupResource{}, "fake conflict", nil),
-		},
-		{
-			name:       "patch node when there is a server timeout",
-			lookupName: "testnode",
-			node: v1.Node{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:   "testnode",
-					Labels: map[string]string{v1.LabelHostname: ""},
-				},
-			},
-			success:   false,
-			fakeError: apierrors.NewServerTimeout(schema.GroupResource{}, "fake server timeout", 1),
-		},
-		{
-			name:       "patch node when the service is unavailable",
-			lookupName: "testnode",
-			node: v1.Node{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:   "testnode",
-					Labels: map[string]string{v1.LabelHostname: ""},
-				},
-			},
-			success:   false,
-			fakeError: apierrors.NewServiceUnavailable("fake service unavailable"),
-		},
 		{
 			name:       "patch node failed with unknown error",
 			lookupName: "testnode",
diff --git a/cmd/kubeadm/app/util/apiclient/wait.go b/cmd/kubeadm/app/util/apiclient/wait.go
index 3938f35ec34ca..e55e432f1accb 100644
--- a/cmd/kubeadm/app/util/apiclient/wait.go
+++ b/cmd/kubeadm/app/util/apiclient/wait.go
@@ -36,6 +36,7 @@ import (
 	netutil "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
 
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
@@ -279,12 +280,14 @@ func (w *KubeWaiter) WaitForControlPlaneComponents(podMap map[string]*v1.Pod, ap
 							Get().AbsPath(comp.endpoint).Do(ctx).StatusCode(&statusCode)
 						if err := result.Error(); err != nil {
 							lastError = errors.WithMessagef(err, "%s check failed at %s", comp.name, url)
+							klog.V(5).Info(lastError)
 							return false, nil
 						}
 					} else {
 						resp, err := client.Get(url)
 						if err != nil {
 							lastError = errors.WithMessagef(err, "%s check failed at %s", comp.name, url)
+							klog.V(5).Info(lastError)
 							return false, nil
 						}
 						defer func() {
@@ -296,6 +299,7 @@ func (w *KubeWaiter) WaitForControlPlaneComponents(podMap map[string]*v1.Pod, ap
 					if statusCode != http.StatusOK {
 						lastError = errors.Errorf("%s check failed at %s with status: %d",
 							comp.name, url, statusCode)
+						klog.V(5).Info(lastError)
 						return false, nil
 					}
 
@@ -328,7 +332,7 @@ func (w *KubeWaiter) WaitForPodsWithLabel(kvLabel string) error {
 		constants.KubernetesAPICallRetryInterval, w.timeout,
 		true, func(_ context.Context) (bool, error) {
 			listOpts := metav1.ListOptions{LabelSelector: kvLabel}
-			pods, err := w.client.CoreV1().Pods(metav1.NamespaceSystem).List(context.TODO(), listOpts)
+			pods, err := w.client.CoreV1().Pods(metav1.NamespaceSystem).List(context.Background(), listOpts)
 			if err != nil {
 				_, _ = fmt.Fprintf(w.writer, "[apiclient] Error getting Pods with label selector %q [%v]\n", kvLabel, err)
 				return false, nil
@@ -495,7 +499,7 @@ func (w *KubeWaiter) WaitForStaticPodHashChange(nodeName, component, previousHas
 func getStaticPodSingleHash(client clientset.Interface, nodeName string, component string) (string, error) {
 
 	staticPodName := fmt.Sprintf("%s-%s", component, nodeName)
-	staticPod, err := client.CoreV1().Pods(metav1.NamespaceSystem).Get(context.TODO(), staticPodName, metav1.GetOptions{})
+	staticPod, err := client.CoreV1().Pods(metav1.NamespaceSystem).Get(context.Background(), staticPodName, metav1.GetOptions{})
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to obtain static Pod hash for component %s on Node %s", component, nodeName)
 	}
diff --git a/cmd/kubeadm/app/util/arguments.go b/cmd/kubeadm/app/util/arguments.go
index b70b9001d4dfc..6259d54b08b80 100644
--- a/cmd/kubeadm/app/util/arguments.go
+++ b/cmd/kubeadm/app/util/arguments.go
@@ -29,37 +29,34 @@ import (
 )
 
 // ArgumentsToCommand takes two Arg slices, one with the base arguments and one
-// with optional override arguments. In the return list override arguments will precede base
-// arguments. If an argument is present in the overrides, it will cause
+// with optional override arguments. In the return list, base arguments will precede
+// override arguments. If an argument is present in the overrides, it will cause
 // all instances of the same argument in the base list to be discarded, leaving
 // only the instances of this argument in the overrides to be applied.
-func ArgumentsToCommand(base []kubeadmapi.Arg, overrides []kubeadmapi.Arg) []string {
-	var command []string
-	// Copy the overrides arguments into a new slice.
-	args := make([]kubeadmapi.Arg, len(overrides))
-	copy(args, overrides)
+func ArgumentsToCommand(base, overrides []kubeadmapi.Arg) []string {
+	// Sort only the base.
+	sortArgsSlice(&base)
 
-	// overrideArgs is a set of args which will replace the args defined in the base
+	// Collect all overrides in a set.
 	overrideArgs := sets.New[string]()
 	for _, arg := range overrides {
 		overrideArgs.Insert(arg.Name)
 	}
 
+	// Append only the base args that do not have overrides.
+	args := make([]kubeadmapi.Arg, 0, len(base)+len(overrides))
 	for _, arg := range base {
 		if !overrideArgs.Has(arg.Name) {
 			args = append(args, arg)
 		}
 	}
 
-	sort.Slice(args, func(i, j int) bool {
-		if args[i].Name == args[j].Name {
-			return args[i].Value < args[j].Value
-		}
-		return args[i].Name < args[j].Name
-	})
+	// Append the overrides.
+	args = append(args, overrides...)
 
-	for _, arg := range args {
-		command = append(command, fmt.Sprintf("--%s=%s", arg.Name, arg.Value))
+	command := make([]string, len(args))
+	for i, arg := range args {
+		command[i] = fmt.Sprintf("--%s=%s", arg.Name, arg.Value)
 	}
 
 	return command
@@ -85,12 +82,8 @@ func ArgumentsFromCommand(command []string) []kubeadmapi.Arg {
 		args = append(args, kubeadmapi.Arg{Name: key, Value: val})
 	}
 
-	sort.Slice(args, func(i, j int) bool {
-		if args[i].Name == args[j].Name {
-			return args[i].Value < args[j].Value
-		}
-		return args[i].Name < args[j].Name
-	})
+	sortArgsSlice(&args)
+
 	return args
 }
 
@@ -117,3 +110,14 @@ func parseArgument(arg string) (string, string, error) {
 
 	return keyvalSlice[0], keyvalSlice[1], nil
 }
+
+// sortArgsSlice sorts a slice of Args alpha-numerically.
+func sortArgsSlice(argsPtr *[]kubeadmapi.Arg) {
+	args := *argsPtr
+	sort.Slice(args, func(i, j int) bool {
+		if args[i].Name == args[j].Name {
+			return args[i].Value < args[j].Value
+		}
+		return args[i].Name < args[j].Name
+	})
+}
diff --git a/cmd/kubeadm/app/util/arguments_test.go b/cmd/kubeadm/app/util/arguments_test.go
index a796293fb1dcf..da8b2fc5899d5 100644
--- a/cmd/kubeadm/app/util/arguments_test.go
+++ b/cmd/kubeadm/app/util/arguments_test.go
@@ -41,8 +41,8 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"},
 			},
 			expected: []string{
-				"--admission-control=NamespaceLifecycle,LimitRanger",
 				"--allow-privileged=true",
+				"--admission-control=NamespaceLifecycle,LimitRanger",
 			},
 		},
 		{
@@ -56,9 +56,9 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "tls-sni-cert-key", Value: "/some/new/path/subpath"},
 			},
 			expected: []string{
+				"--token-auth-file=/token",
 				"--tls-sni-cert-key=/some/new/path",
 				"--tls-sni-cert-key=/some/new/path/subpath",
-				"--token-auth-file=/token",
 			},
 		},
 		{
@@ -72,8 +72,8 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "tls-sni-cert-key", Value: "/some/new/path"},
 			},
 			expected: []string{
-				"--tls-sni-cert-key=/some/new/path",
 				"--token-auth-file=/token",
+				"--tls-sni-cert-key=/some/new/path",
 			},
 		},
 		{
@@ -85,8 +85,8 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"},
 			},
 			expected: []string{
-				"--admission-control=NamespaceLifecycle,LimitRanger",
 				"--allow-privileged=true",
+				"--admission-control=NamespaceLifecycle,LimitRanger",
 			},
 		},
 		{
@@ -99,9 +99,9 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "admission-control", Value: "NamespaceLifecycle,LimitRanger"},
 			},
 			expected: []string{
-				"--admission-control=NamespaceLifecycle,LimitRanger",
 				"--allow-privileged=true",
 				"--something-that-allows-empty-string=",
+				"--admission-control=NamespaceLifecycle,LimitRanger",
 			},
 		},
 		{
@@ -115,11 +115,31 @@ func TestArgumentsToCommand(t *testing.T) {
 				{Name: "something-that-allows-empty-string", Value: ""},
 			},
 			expected: []string{
-				"--admission-control=NamespaceLifecycle,LimitRanger",
 				"--allow-privileged=true",
+				"--admission-control=NamespaceLifecycle,LimitRanger",
 				"--something-that-allows-empty-string=",
 			},
 		},
+		{
+			name: "base are sorted and overrides are not",
+			base: []kubeadmapi.Arg{
+				{Name: "b", Value: "true"},
+				{Name: "c", Value: "true"},
+				{Name: "a", Value: "true"},
+			},
+			overrides: []kubeadmapi.Arg{
+				{Name: "e", Value: "true"},
+				{Name: "b", Value: "true"},
+				{Name: "d", Value: "true"},
+			},
+			expected: []string{
+				"--a=true",
+				"--c=true",
+				"--e=true",
+				"--b=true",
+				"--d=true",
+			},
+		},
 	}
 
 	for _, rt := range tests {
@@ -189,6 +209,21 @@ func TestArgumentsFromCommand(t *testing.T) {
 				{Name: "tls-sni-cert-key", Value: "/some/path/subpath"},
 			},
 		},
+		{
+			name: "args are sorted",
+			args: []string{
+				"--c=foo",
+				"--a=foo",
+				"--b=foo",
+				"--b=bar",
+			},
+			expected: []kubeadmapi.Arg{
+				{Name: "a", Value: "foo"},
+				{Name: "b", Value: "bar"},
+				{Name: "b", Value: "foo"},
+				{Name: "c", Value: "foo"},
+			},
+		},
 	}
 
 	for _, rt := range tests {
diff --git a/cmd/kubeadm/app/util/config/cluster.go b/cmd/kubeadm/app/util/config/cluster.go
index 40ba9b2dbd188..3297c3447e55d 100644
--- a/cmd/kubeadm/app/util/config/cluster.go
+++ b/cmd/kubeadm/app/util/config/cluster.go
@@ -29,7 +29,6 @@ import (
 	authv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	errorsutil "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
@@ -49,6 +48,7 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/output"
+	kubeadmruntime "k8s.io/kubernetes/cmd/kubeadm/app/util/runtime"
 )
 
 // FetchInitConfigurationFromCluster fetches configuration from a ConfigMap in the cluster
@@ -116,7 +116,7 @@ func getInitConfigurationFromCluster(kubeconfigDir string, client clientset.Inte
 	if getNodeRegistration {
 		// gets the nodeRegistration for the current from the node object
 		kubeconfigFile := filepath.Join(kubeconfigDir, constants.KubeletKubeConfigFileName)
-		if err := GetNodeRegistration(kubeconfigFile, client, &initcfg.NodeRegistration, &initcfg.ClusterConfiguration); err != nil {
+		if err := GetNodeRegistration(kubeconfigFile, client, &initcfg.NodeRegistration); err != nil {
 			return nil, errors.Wrap(err, "failed to get node registration")
 		}
 	}
@@ -163,7 +163,7 @@ func GetNodeName(kubeconfigFile string) (string, error) {
 }
 
 // GetNodeRegistration returns the nodeRegistration for the current node
-func GetNodeRegistration(kubeconfigFile string, client clientset.Interface, nodeRegistration *kubeadmapi.NodeRegistrationOptions, clusterCfg *kubeadmapi.ClusterConfiguration) error {
+func GetNodeRegistration(kubeconfigFile string, client clientset.Interface, nodeRegistration *kubeadmapi.NodeRegistrationOptions) error {
 	// gets the name of the current node
 	nodeName, err := GetNodeName(kubeconfigFile)
 	if err != nil {
@@ -181,13 +181,21 @@ func GetNodeRegistration(kubeconfigFile string, client clientset.Interface, node
 		configFilePath := filepath.Join(constants.KubeletRunDirectory, constants.KubeletInstanceConfigurationFileName)
 		_, err := os.Stat(configFilePath)
 		if os.IsNotExist(err) {
-			return errors.Errorf("node %s doesn't have %s annotation, or kubelet instance config %s", nodeName, constants.AnnotationKubeadmCRISocket, configFilePath)
-		}
-		kubeletConfig, err := readKubeletConfig(constants.KubeletRunDirectory, constants.KubeletInstanceConfigurationFileName)
-		if err != nil {
-			return errors.Wrapf(err, "could not read kubelet instance configuration on node %q", nodeName)
+			klog.Warningf("node %q lacks annotation %q and kubelet config file %q; attempting auto-detection", nodeName, constants.AnnotationKubeadmCRISocket, configFilePath)
+			criSocket, err = kubeadmruntime.DetectCRISocket()
+			if err != nil {
+				klog.Warningf("auto-detection of CRI socket failed for node %q: %v; falling back to default %q", nodeName, err, constants.DefaultCRISocket)
+				criSocket = constants.DefaultCRISocket
+			}
+		} else if err != nil {
+			return err
+		} else {
+			kubeletConfig, err := readKubeletConfig(constants.KubeletRunDirectory, constants.KubeletInstanceConfigurationFileName)
+			if err != nil {
+				return errors.Wrapf(err, "could not read kubelet instance configuration on node %q", nodeName)
+			}
+			criSocket = kubeletConfig.ContainerRuntimeEndpoint
 		}
-		criSocket = kubeletConfig.ContainerRuntimeEndpoint
 	}
 
 	// returns the nodeRegistration attributes
@@ -268,14 +276,11 @@ func GetAPIEndpoint(client clientset.Interface, nodeName string, apiEndpoint *ku
 
 func getAPIEndpointWithRetry(client clientset.Interface, nodeName string, apiEndpoint *kubeadmapi.APIEndpoint,
 	interval, timeout time.Duration) error {
-	var err error
-	var errs []error
-
-	if err = getAPIEndpointFromPodAnnotation(client, nodeName, apiEndpoint, interval, timeout); err == nil {
-		return nil
+	err := getAPIEndpointFromPodAnnotation(client, nodeName, apiEndpoint, interval, timeout)
+	if err != nil {
+		return errors.WithMessagef(err, "could not retrieve API endpoints for node %q using pod annotations", nodeName)
 	}
-	errs = append(errs, errors.WithMessagef(err, "could not retrieve API endpoints for node %q using pod annotations", nodeName))
-	return errorsutil.NewAggregate(errs)
+	return nil
 }
 
 func getAPIEndpointFromPodAnnotation(client clientset.Interface, nodeName string, apiEndpoint *kubeadmapi.APIEndpoint,
diff --git a/cmd/kubeadm/app/util/config/cluster_test.go b/cmd/kubeadm/app/util/config/cluster_test.go
index 41329eee4588b..f57770c56699c 100644
--- a/cmd/kubeadm/app/util/config/cluster_test.go
+++ b/cmd/kubeadm/app/util/config/cluster_test.go
@@ -330,7 +330,7 @@ func TestGetNodeRegistration(t *testing.T) {
 			}
 
 			cfg := &kubeadmapi.InitConfiguration{}
-			err = GetNodeRegistration(cfgPath, client, &cfg.NodeRegistration, &cfg.ClusterConfiguration)
+			err = GetNodeRegistration(cfgPath, client, &cfg.NodeRegistration)
 			if rt.expectedError != (err != nil) {
 				t.Errorf("unexpected return err from getNodeRegistration: %v", err)
 				return
diff --git a/cmd/kubeadm/app/util/etcd/etcd.go b/cmd/kubeadm/app/util/etcd/etcd.go
index e5171c6ee8b93..d89e648a937b1 100644
--- a/cmd/kubeadm/app/util/etcd/etcd.go
+++ b/cmd/kubeadm/app/util/etcd/etcd.go
@@ -284,31 +284,42 @@ type Member struct {
 	PeerURL string
 }
 
+func (c *Client) listMembersOnce() (*clientv3.MemberListResponse, error) {
+	cli, err := c.newEtcdClient(c.Endpoints)
+	if err != nil {
+		return nil, err
+	}
+	defer func() { _ = cli.Close() }()
+
+	ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout)
+	resp, err := cli.MemberList(ctx)
+	cancel()
+	if err == nil {
+		return resp, nil
+	}
+	klog.V(5).Infof("Failed to get etcd member list: %v", err)
+	return nil, err
+}
+
 func (c *Client) listMembers(timeout time.Duration) (*clientv3.MemberListResponse, error) {
 	// Gets the member list
-	var lastError error
-	var resp *clientv3.MemberListResponse
+	var (
+		err       error
+		lastError error
+		resp      *clientv3.MemberListResponse
+	)
+
 	if timeout == 0 {
 		timeout = kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration
 	}
-	err := wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, timeout,
+	err = wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, timeout,
 		true, func(_ context.Context) (bool, error) {
-			cli, err := c.newEtcdClient(c.Endpoints)
+			resp, err = c.listMembersOnce()
 			if err != nil {
 				lastError = err
-				return false, nil
-			}
-			defer func() { _ = cli.Close() }()
-
-			ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout)
-			resp, err = cli.MemberList(ctx)
-			cancel()
-			if err == nil {
-				return true, nil
+				return false, err
 			}
-			klog.V(5).Infof("Failed to get etcd member list: %v", err)
-			lastError = err
-			return false, nil
+			return true, nil
 		})
 	if err != nil {
 		return nil, lastError
@@ -528,38 +539,74 @@ func (c *Client) addMember(name string, peerAddrs string, isLearner bool) ([]Mem
 	return ret, nil
 }
 
-// isLearner returns true if the given member ID is a learner.
-func (c *Client) isLearner(memberID uint64) (bool, error) {
-	resp, err := c.listMembersFunc(0)
+// getMemberStatus returns the status of the given member ID.
+// It returns whether the member is a learner and whether it is started.
+func (c *Client) getMemberStatus(memberID uint64) (isLearner bool, started bool, err error) {
+	resp, err := c.listMembersOnce()
 	if err != nil {
-		return false, err
+		return false, false, err
 	}
 
+	var m *etcdserverpb.Member
 	for _, member := range resp.Members {
-		if member.ID == memberID && member.IsLearner {
-			return true, nil
+		if member.ID == memberID {
+			m = member
+			break
 		}
 	}
-	return false, nil
+	if m == nil {
+		return false, false, fmt.Errorf("member %s not found", strconv.FormatUint(memberID, 16))
+	}
+
+	started = true
+	// There is no field for "started".
+	// If the member is not started, the Name and ClientURLs fields are set to their respective zero values.
+	if len(m.Name) == 0 {
+		started = false
+	}
+
+	return m.IsLearner, started, nil
 }
 
 // MemberPromote promotes a member as a voting member. If the given member ID is already a voting member this method
-// will return early and do nothing.
+// will return early and do nothing. It waits for the member to be started before attempting to promote.
 func (c *Client) MemberPromote(learnerID uint64) error {
-	isLearner, err := c.isLearner(learnerID)
+	var (
+		lastError     error
+		learnerIDUint = strconv.FormatUint(learnerID, 16)
+	)
+
+	klog.V(1).Infof("[etcd] Waiting for a learner to start: %s", learnerIDUint)
+
+	err := wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration,
+		true, func(_ context.Context) (bool, error) {
+			isLearner, started, err := c.getMemberStatus(learnerID)
+			if err != nil {
+				lastError = errors.WithMessagef(err, "failed to get member %s status", learnerIDUint)
+				return false, nil
+			}
+			if !isLearner {
+				klog.V(1).Infof("[etcd] Member %s was already promoted.", learnerIDUint)
+				return true, nil
+			}
+			if !started {
+				klog.V(1).Infof("[etcd] Member %s is not started yet. Waiting for it to be started.", learnerIDUint)
+				lastError = errors.Errorf("the etcd member %s is not started", learnerIDUint)
+				return false, nil
+			}
+			return true, nil
+		})
 	if err != nil {
-		return err
-	}
-	if !isLearner {
-		klog.V(1).Infof("[etcd] Member %s already promoted.", strconv.FormatUint(learnerID, 16))
-		return nil
+		return lastError
 	}
 
-	klog.V(1).Infof("[etcd] Promoting a learner as a voting member: %s", strconv.FormatUint(learnerID, 16))
+	klog.V(1).Infof("[etcd] Promoting a learner as a voting member: %s", learnerIDUint)
+
 	cli, err := c.newEtcdClient(c.Endpoints)
 	if err != nil {
 		return err
 	}
+
 	defer func() { _ = cli.Close() }()
 
 	// TODO: warning logs from etcd client should be removed.
@@ -568,29 +615,16 @@ func (c *Client) MemberPromote(learnerID uint64) error {
 	// 2. context deadline exceeded
 	// 3. peer URLs already exists
 	// Once the client provides a way to check if the etcd learner is ready to promote, the retry logic can be revisited.
-	var (
-		lastError error
-	)
 	err = wait.PollUntilContextTimeout(context.Background(), constants.EtcdAPICallRetryInterval, kubeadmapi.GetActiveTimeouts().EtcdAPICall.Duration,
 		true, func(_ context.Context) (bool, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), etcdTimeout)
 			defer cancel()
-
-			isLearner, err := c.isLearner(learnerID)
-			if err != nil {
-				return false, err
-			}
-			if !isLearner {
-				klog.V(1).Infof("[etcd] Member %s was already promoted.", strconv.FormatUint(learnerID, 16))
-				return true, nil
-			}
-
 			_, err = cli.MemberPromote(ctx, learnerID)
 			if err == nil {
-				klog.V(1).Infof("[etcd] The learner was promoted as a voting member: %s", strconv.FormatUint(learnerID, 16))
+				klog.V(1).Infof("[etcd] The learner was promoted as a voting member: %s", learnerIDUint)
 				return true, nil
 			}
-			klog.V(5).Infof("[etcd] Promoting the learner %s failed: %v", strconv.FormatUint(learnerID, 16), err)
+			klog.V(5).Infof("[etcd] Promoting the learner %s failed: %v", learnerIDUint, err)
 			lastError = err
 			return false, nil
 		})
diff --git a/cmd/kubeadm/app/util/etcd/etcd_test.go b/cmd/kubeadm/app/util/etcd/etcd_test.go
index 30c5436ea0d52..67671a994d29c 100644
--- a/cmd/kubeadm/app/util/etcd/etcd_test.go
+++ b/cmd/kubeadm/app/util/etcd/etcd_test.go
@@ -637,18 +637,19 @@ func TestListMembers(t *testing.T) {
 	}
 }
 
-func TestIsLearner(t *testing.T) {
+func TestGetMemberStatus(t *testing.T) {
 	type fields struct {
 		Endpoints       []string
 		newEtcdClient   func(endpoints []string) (etcdClient, error)
 		listMembersFunc func(timeout time.Duration) (*clientv3.MemberListResponse, error)
 	}
 	tests := []struct {
-		name      string
-		fields    fields
-		memberID  uint64
-		want      bool
-		wantError bool
+		name        string
+		fields      fields
+		memberID    uint64
+		wantLearner bool
+		wantStarted bool
+		wantError   bool
 	}{
 		{
 			name: "The specified member is not a learner",
@@ -670,8 +671,9 @@ func TestIsLearner(t *testing.T) {
 					return f, nil
 				},
 			},
-			memberID: 1,
-			want:     false,
+			memberID:    1,
+			wantLearner: false,
+			wantStarted: true,
 		},
 		{
 			name: "The specified member is a learner",
@@ -700,8 +702,9 @@ func TestIsLearner(t *testing.T) {
 					return f, nil
 				},
 			},
-			memberID: 1,
-			want:     true,
+			memberID:    1,
+			wantLearner: true,
+			wantStarted: true,
 		},
 		{
 			name: "The specified member does not exist",
@@ -714,8 +717,10 @@ func TestIsLearner(t *testing.T) {
 					return f, nil
 				},
 			},
-			memberID: 3,
-			want:     false,
+			memberID:    3,
+			wantLearner: false,
+			wantStarted: false,
+			wantError:   true,
 		},
 		{
 			name: "Learner ID is empty",
@@ -736,7 +741,32 @@ func TestIsLearner(t *testing.T) {
 					return f, nil
 				},
 			},
-			want: true,
+			wantLearner: true,
+			wantStarted: true,
+		},
+		{
+			name: "Learner member is not started (no name)",
+			fields: fields{
+				Endpoints: []string{},
+				newEtcdClient: func(endpoints []string) (etcdClient, error) {
+					f := &fakeEtcdClient{
+						members: []*pb.Member{
+							{
+								ID:   1,
+								Name: "",
+								PeerURLs: []string{
+									"https://member2:2380",
+								},
+								IsLearner: true,
+							},
+						},
+					}
+					return f, nil
+				},
+			},
+			memberID:    1,
+			wantLearner: true,
+			wantStarted: false,
 		},
 		{
 			name: "ListMembers returns an error",
@@ -760,8 +790,10 @@ func TestIsLearner(t *testing.T) {
 					return nil, errNotImplemented
 				},
 			},
-			want:      false,
-			wantError: true,
+			memberID:    1,
+			wantLearner: false,
+			wantStarted: false,
+			wantError:   true,
 		},
 	}
 	for _, tt := range tests {
@@ -778,12 +810,15 @@ func TestIsLearner(t *testing.T) {
 					return resp, nil
 				}
 			}
-			got, err := c.isLearner(tt.memberID)
-			if got != tt.want {
-				t.Errorf("isLearner() = %v, want %v", got, tt.want)
+			gotLearner, gotStarted, err := c.getMemberStatus(tt.memberID)
+			if gotLearner != tt.wantLearner {
+				t.Errorf("getMemberStatus() isLearner = %v, want %v", gotLearner, tt.wantLearner)
 			}
-			if (err != nil) != (tt.wantError) {
-				t.Errorf("isLearner() error = %v, wantError %v", err, tt.wantError)
+			if gotStarted != tt.wantStarted {
+				t.Errorf("getMemberStatus() started = %v, want %v", gotStarted, tt.wantStarted)
+			}
+			if (err != nil) != tt.wantError {
+				t.Errorf("getMemberStatus() error = %v, wantError %v", err, tt.wantError)
 			}
 		})
 	}
diff --git a/cmd/kubeadm/app/util/runtime/fake_impl.go b/cmd/kubeadm/app/util/runtime/fake_impl.go
new file mode 100644
index 0000000000000..b3bde5a3510b2
--- /dev/null
+++ b/cmd/kubeadm/app/util/runtime/fake_impl.go
@@ -0,0 +1,187 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"context"
+	"time"
+
+	cri "k8s.io/cri-api/pkg/apis"
+	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+// FakeImpl is a fake implementation of the impl interface.
+type FakeImpl struct {
+	runtimeConfigReturns struct {
+		res *v1.RuntimeConfigResponse
+		err error
+	}
+	imageStatusReturns struct {
+		res *v1.ImageStatusResponse
+		err error
+	}
+	listPodSandboxReturns struct {
+		res []*v1.PodSandbox
+		err error
+	}
+	newRemoteImageServiceReturns struct {
+		res cri.ImageManagerService
+		err error
+	}
+	newRemoteRuntimeServiceReturns struct {
+		res cri.RuntimeService
+		err error
+	}
+	pullImageReturns struct {
+		res string
+		err error
+	}
+	removePodSandboxReturns struct {
+		res error
+	}
+	statusReturns struct {
+		res *v1.StatusResponse
+		err error
+	}
+	stopPodSandboxReturns struct {
+		res error
+	}
+}
+
+// ImageStatus returns the status of the image.
+func (fake *FakeImpl) ImageStatus(context.Context, cri.ImageManagerService, *v1.ImageSpec, bool) (*v1.ImageStatusResponse, error) {
+	fakeReturns := fake.imageStatusReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// ImageStatusReturns sets the return values for the ImageStatus method.
+func (fake *FakeImpl) ImageStatusReturns(res *v1.ImageStatusResponse, err error) {
+	fake.imageStatusReturns = struct {
+		res *v1.ImageStatusResponse
+		err error
+	}{res, err}
+}
+
+// ListPodSandbox returns the list of pod sandboxes.
+func (fake *FakeImpl) ListPodSandbox(context.Context, cri.RuntimeService, *v1.PodSandboxFilter) ([]*v1.PodSandbox, error) {
+	fakeReturns := fake.listPodSandboxReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// ListPodSandboxReturns sets the return values for the ListPodSandbox method.
+func (fake *FakeImpl) ListPodSandboxReturns(res []*v1.PodSandbox, err error) {
+	fake.listPodSandboxReturns = struct {
+		res []*v1.PodSandbox
+		err error
+	}{res, err}
+}
+
+// NewRemoteImageService returns the new remote image service.
+func (fake *FakeImpl) NewRemoteImageService(string, time.Duration) (cri.ImageManagerService, error) {
+	fakeReturns := fake.newRemoteImageServiceReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// NewRemoteImageServiceReturns sets the return values for the NewRemoteImageService method.
+func (fake *FakeImpl) NewRemoteImageServiceReturns(res cri.ImageManagerService, err error) {
+	fake.newRemoteImageServiceReturns = struct {
+		res cri.ImageManagerService
+		err error
+	}{res, err}
+}
+
+// NewRemoteRuntimeService returns the new remote runtime service.
+func (fake *FakeImpl) NewRemoteRuntimeService(string, time.Duration) (cri.RuntimeService, error) {
+	fakeReturns := fake.newRemoteRuntimeServiceReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// NewRemoteRuntimeServiceReturns sets the return values for the NewRemoteRuntimeService method.
+func (fake *FakeImpl) NewRemoteRuntimeServiceReturns(res cri.RuntimeService, err error) {
+	fake.newRemoteRuntimeServiceReturns = struct {
+		res cri.RuntimeService
+		err error
+	}{res, err}
+}
+
+// PullImage returns the pull image.
+func (fake *FakeImpl) PullImage(context.Context, cri.ImageManagerService, *v1.ImageSpec, *v1.AuthConfig, *v1.PodSandboxConfig) (string, error) {
+	fakeReturns := fake.pullImageReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// PullImageReturns sets the return values for the PullImage method.
+func (fake *FakeImpl) PullImageReturns(res string, err error) {
+	fake.pullImageReturns = struct {
+		res string
+		err error
+	}{res, err}
+}
+
+// RemovePodSandbox removes the pod sandbox.
+func (fake *FakeImpl) RemovePodSandbox(context.Context, cri.RuntimeService, string) error {
+	fakeReturns := fake.removePodSandboxReturns
+	return fakeReturns.res
+}
+
+// RemovePodSandboxReturns sets the return values for the RemovePodSandbox method.
+func (fake *FakeImpl) RemovePodSandboxReturns(res error) {
+	fake.removePodSandboxReturns = struct {
+		res error
+	}{res}
+}
+
+// RuntimeConfig returns the runtime config.
+func (fake *FakeImpl) RuntimeConfig(context.Context, cri.RuntimeService) (*v1.RuntimeConfigResponse, error) {
+	fakeReturns := fake.runtimeConfigReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// RuntimeConfigReturns sets the return values for the RuntimeConfig method.
+func (fake *FakeImpl) RuntimeConfigReturns(res *v1.RuntimeConfigResponse, err error) {
+	fake.runtimeConfigReturns = struct {
+		res *v1.RuntimeConfigResponse
+		err error
+	}{res, err}
+}
+
+// Status returns the status of the runtime.
+func (fake *FakeImpl) Status(context.Context, cri.RuntimeService, bool) (*v1.StatusResponse, error) {
+	fakeReturns := fake.statusReturns
+	return fakeReturns.res, fakeReturns.err
+}
+
+// StatusReturns sets the return values for the Status method.
+func (fake *FakeImpl) StatusReturns(res *v1.StatusResponse, err error) {
+	fake.statusReturns = struct {
+		res *v1.StatusResponse
+		err error
+	}{res, err}
+}
+
+// StopPodSandbox stops the pod sandbox.
+func (fake *FakeImpl) StopPodSandbox(context.Context, cri.RuntimeService, string) error {
+	fakeReturns := fake.stopPodSandboxReturns
+	return fakeReturns.res
+}
+
+// StopPodSandboxReturns sets the return values for the StopPodSandbox method.
+func (fake *FakeImpl) StopPodSandboxReturns(res error) {
+	fake.stopPodSandboxReturns = struct {
+		res error
+	}{res}
+}
diff --git a/cmd/kubeadm/app/util/runtime/impl.go b/cmd/kubeadm/app/util/runtime/impl.go
index b71f589d45c29..e44f56b382416 100644
--- a/cmd/kubeadm/app/util/runtime/impl.go
+++ b/cmd/kubeadm/app/util/runtime/impl.go
@@ -27,9 +27,11 @@ import (
 
 type defaultImpl struct{}
 
-type impl interface {
+// Impl is an interface for the container runtime implementation.
+type Impl interface {
 	NewRemoteRuntimeService(endpoint string, connectionTimeout time.Duration) (criapi.RuntimeService, error)
 	NewRemoteImageService(endpoint string, connectionTimeout time.Duration) (criapi.ImageManagerService, error)
+	RuntimeConfig(ctx context.Context, runtimeService criapi.RuntimeService) (*runtimeapi.RuntimeConfigResponse, error)
 	Status(ctx context.Context, runtimeService criapi.RuntimeService, verbose bool) (*runtimeapi.StatusResponse, error)
 	ListPodSandbox(ctx context.Context, runtimeService criapi.RuntimeService, filter *runtimeapi.PodSandboxFilter) ([]*runtimeapi.PodSandbox, error)
 	StopPodSandbox(ctx context.Context, runtimeService criapi.RuntimeService, sandboxID string) error
@@ -46,6 +48,10 @@ func (*defaultImpl) NewRemoteImageService(endpoint string, connectionTimeout tim
 	return criclient.NewRemoteImageService(endpoint, connectionTimeout, nil, nil)
 }
 
+func (*defaultImpl) RuntimeConfig(ctx context.Context, runtimeService criapi.RuntimeService) (*runtimeapi.RuntimeConfigResponse, error) {
+	return runtimeService.RuntimeConfig(ctx)
+}
+
 func (*defaultImpl) Status(ctx context.Context, runtimeService criapi.RuntimeService, verbose bool) (*runtimeapi.StatusResponse, error) {
 	return runtimeService.Status(ctx, verbose)
 }
diff --git a/cmd/kubeadm/app/util/runtime/runtime.go b/cmd/kubeadm/app/util/runtime/runtime.go
index 851af6f844a28..831d1478e8cd7 100644
--- a/cmd/kubeadm/app/util/runtime/runtime.go
+++ b/cmd/kubeadm/app/util/runtime/runtime.go
@@ -23,6 +23,9 @@ import (
 	"strings"
 	"time"
 
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
 	errorsutil "k8s.io/apimachinery/pkg/util/errors"
 	criapi "k8s.io/cri-api/pkg/apis"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
@@ -42,7 +45,8 @@ var defaultKnownCRISockets = []string{
 // ContainerRuntime is an interface for working with container runtimes
 type ContainerRuntime interface {
 	Connect() error
-	SetImpl(impl)
+	Close()
+	SetImpl(Impl)
 	IsRunning() error
 	ListKubeContainers() ([]string, error)
 	RemoveContainers(containers []string) error
@@ -50,11 +54,12 @@ type ContainerRuntime interface {
 	PullImagesInParallel(images []string, ifNotPresent bool) error
 	ImageExists(image string) bool
 	SandboxImage() (string, error)
+	IsRuntimeConfigImplemented() (bool, error)
 }
 
 // CRIRuntime is a struct that interfaces with the CRI
 type CRIRuntime struct {
-	impl           impl
+	impl           Impl
 	criSocket      string
 	runtimeService criapi.RuntimeService
 	imageService   criapi.ImageManagerService
@@ -72,7 +77,7 @@ func NewContainerRuntime(criSocket string) ContainerRuntime {
 }
 
 // SetImpl can be used to set the internal implementation for testing purposes.
-func (runtime *CRIRuntime) SetImpl(impl impl) {
+func (runtime *CRIRuntime) SetImpl(impl Impl) {
 	runtime.impl = impl
 }
 
@@ -93,6 +98,20 @@ func (runtime *CRIRuntime) Connect() error {
 	return nil
 }
 
+// Close closes the connections to the runtime and image services.
+func (runtime *CRIRuntime) Close() {
+	if runtime.runtimeService != nil {
+		if err := runtime.runtimeService.Close(); err != nil {
+			klog.Warningf("failed to close runtime service: %v", err)
+		}
+	}
+	if runtime.imageService != nil {
+		if err := runtime.imageService.Close(); err != nil {
+			klog.Warningf("failed to close image service: %v", err)
+		}
+	}
+}
+
 // IsRunning checks if runtime is running.
 func (runtime *CRIRuntime) IsRunning() error {
 	ctx, cancel := defaultContext()
@@ -299,3 +318,18 @@ func (runtime *CRIRuntime) SandboxImage() (string, error) {
 
 	return c.SandboxImage, nil
 }
+
+// IsRuntimeConfigImplemented checks if the container runtime supports the RuntimeConfig gRPC method
+func (runtime *CRIRuntime) IsRuntimeConfigImplemented() (bool, error) {
+	ctx, cancel := defaultContext()
+	defer cancel()
+	_, err := runtime.impl.RuntimeConfig(ctx, runtime.runtimeService)
+	if err != nil {
+		s, ok := status.FromError(err)
+		if !ok || s.Code() != codes.Unimplemented {
+			return false, errors.Wrap(err, "failed to call RuntimeConfig gRPC method")
+		}
+		return false, nil
+	}
+	return true, nil
+}
diff --git a/cmd/kubeadm/app/util/runtime/runtime_fake_test.go b/cmd/kubeadm/app/util/runtime/runtime_fake_test.go
deleted file mode 100644
index e42e239e575f0..0000000000000
--- a/cmd/kubeadm/app/util/runtime/runtime_fake_test.go
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package runtime
-
-import (
-	"context"
-	"time"
-
-	cri "k8s.io/cri-api/pkg/apis"
-	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
-)
-
-type fakeImpl struct {
-	imageStatusReturns struct {
-		res *v1.ImageStatusResponse
-		err error
-	}
-	listPodSandboxReturns struct {
-		res []*v1.PodSandbox
-		err error
-	}
-	newRemoteImageServiceReturns struct {
-		res cri.ImageManagerService
-		err error
-	}
-	newRemoteRuntimeServiceReturns struct {
-		res cri.RuntimeService
-		err error
-	}
-	pullImageReturns struct {
-		res string
-		err error
-	}
-	removePodSandboxReturns struct {
-		res error
-	}
-	statusReturns struct {
-		res *v1.StatusResponse
-		err error
-	}
-	stopPodSandboxReturns struct {
-		res error
-	}
-}
-
-func (fake *fakeImpl) ImageStatus(context.Context, cri.ImageManagerService, *v1.ImageSpec, bool) (*v1.ImageStatusResponse, error) {
-	fakeReturns := fake.imageStatusReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) ImageStatusReturns(res *v1.ImageStatusResponse, err error) {
-	fake.imageStatusReturns = struct {
-		res *v1.ImageStatusResponse
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) ListPodSandbox(context.Context, cri.RuntimeService, *v1.PodSandboxFilter) ([]*v1.PodSandbox, error) {
-	fakeReturns := fake.listPodSandboxReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) ListPodSandboxReturns(res []*v1.PodSandbox, err error) {
-	fake.listPodSandboxReturns = struct {
-		res []*v1.PodSandbox
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) NewRemoteImageService(string, time.Duration) (cri.ImageManagerService, error) {
-	fakeReturns := fake.newRemoteImageServiceReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) NewRemoteImageServiceReturns(res cri.ImageManagerService, err error) {
-	fake.newRemoteImageServiceReturns = struct {
-		res cri.ImageManagerService
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) NewRemoteRuntimeService(string, time.Duration) (cri.RuntimeService, error) {
-	fakeReturns := fake.newRemoteRuntimeServiceReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) NewRemoteRuntimeServiceReturns(res cri.RuntimeService, err error) {
-	fake.newRemoteRuntimeServiceReturns = struct {
-		res cri.RuntimeService
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) PullImage(context.Context, cri.ImageManagerService, *v1.ImageSpec, *v1.AuthConfig, *v1.PodSandboxConfig) (string, error) {
-	fakeReturns := fake.pullImageReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) PullImageReturns(res string, err error) {
-	fake.pullImageReturns = struct {
-		res string
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) RemovePodSandbox(context.Context, cri.RuntimeService, string) error {
-	fakeReturns := fake.removePodSandboxReturns
-	return fakeReturns.res
-}
-
-func (fake *fakeImpl) RemovePodSandboxReturns(res error) {
-	fake.removePodSandboxReturns = struct {
-		res error
-	}{res}
-}
-
-func (fake *fakeImpl) Status(context.Context, cri.RuntimeService, bool) (*v1.StatusResponse, error) {
-	fakeReturns := fake.statusReturns
-	return fakeReturns.res, fakeReturns.err
-}
-
-func (fake *fakeImpl) StatusReturns(res *v1.StatusResponse, err error) {
-	fake.statusReturns = struct {
-		res *v1.StatusResponse
-		err error
-	}{res, err}
-}
-
-func (fake *fakeImpl) StopPodSandbox(context.Context, cri.RuntimeService, string) error {
-	fakeReturns := fake.stopPodSandboxReturns
-	return fakeReturns.res
-}
-
-func (fake *fakeImpl) StopPodSandboxReturns(res error) {
-	fake.stopPodSandboxReturns = struct {
-		res error
-	}{res}
-}
diff --git a/cmd/kubeadm/app/util/runtime/runtime_test.go b/cmd/kubeadm/app/util/runtime/runtime_test.go
index b1048dc792d5a..7b6d60ebe8bc6 100644
--- a/cmd/kubeadm/app/util/runtime/runtime_test.go
+++ b/cmd/kubeadm/app/util/runtime/runtime_test.go
@@ -24,6 +24,8 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
 
@@ -32,11 +34,12 @@ import (
 )
 
 var errTest = errors.New("test")
+var errNotImplemented = status.New(codes.Unimplemented, "not implemented").Err()
 
 func TestNewContainerRuntime(t *testing.T) {
 	for _, tc := range []struct {
 		name        string
-		prepare     func(*fakeImpl)
+		prepare     func(*FakeImpl)
 		shouldError bool
 	}{
 		{
@@ -45,14 +48,14 @@ func TestNewContainerRuntime(t *testing.T) {
 		},
 		{
 			name: "invalid: new runtime service fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.NewRemoteRuntimeServiceReturns(nil, errTest)
 			},
 			shouldError: true,
 		},
 		{
 			name: "invalid: new image service fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.NewRemoteImageServiceReturns(nil, errTest)
 			},
 			shouldError: true,
@@ -60,7 +63,7 @@ func TestNewContainerRuntime(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -76,7 +79,7 @@ func TestNewContainerRuntime(t *testing.T) {
 func TestIsRunning(t *testing.T) {
 	for _, tc := range []struct {
 		name        string
-		prepare     func(*fakeImpl)
+		prepare     func(*FakeImpl)
 		shouldError bool
 	}{
 		{
@@ -85,14 +88,14 @@ func TestIsRunning(t *testing.T) {
 		},
 		{
 			name: "invalid: runtime status fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(nil, errTest)
 			},
 			shouldError: true,
 		},
 		{
 			name: "invalid: runtime condition status not 'true'",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(&v1.StatusResponse{Status: &v1.RuntimeStatus{
 					Conditions: []*v1.RuntimeCondition{
 						{
@@ -107,7 +110,7 @@ func TestIsRunning(t *testing.T) {
 		},
 		{
 			name: "valid: runtime condition type does not match",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(&v1.StatusResponse{Status: &v1.RuntimeStatus{
 					Conditions: []*v1.RuntimeCondition{
 						{
@@ -123,7 +126,7 @@ func TestIsRunning(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -140,12 +143,12 @@ func TestListKubeContainers(t *testing.T) {
 	for _, tc := range []struct {
 		name        string
 		expected    []string
-		prepare     func(*fakeImpl)
+		prepare     func(*FakeImpl)
 		shouldError bool
 	}{
 		{
 			name: "valid",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.ListPodSandboxReturns([]*v1.PodSandbox{
 					{Id: "first"},
 					{Id: "second"},
@@ -156,7 +159,7 @@ func TestListKubeContainers(t *testing.T) {
 		},
 		{
 			name: "invalid: list pod sandbox fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.ListPodSandboxReturns(nil, errTest)
 			},
 			shouldError: true,
@@ -164,7 +167,7 @@ func TestListKubeContainers(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -181,12 +184,12 @@ func TestListKubeContainers(t *testing.T) {
 func TestSandboxImage(t *testing.T) {
 	for _, tc := range []struct {
 		name, expected string
-		prepare        func(*fakeImpl)
+		prepare        func(*FakeImpl)
 		shouldError    bool
 	}{
 		{
 			name: "valid",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(&v1.StatusResponse{Info: map[string]string{
 					"config": `{"sandboxImage": "pause"}`,
 				}}, nil)
@@ -196,14 +199,14 @@ func TestSandboxImage(t *testing.T) {
 		},
 		{
 			name: "invalid: runtime status fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(nil, errTest)
 			},
 			shouldError: true,
 		},
 		{
 			name: "invalid: no config JSON",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(&v1.StatusResponse{Info: map[string]string{
 					"config": "wrong",
 				}}, nil)
@@ -212,7 +215,7 @@ func TestSandboxImage(t *testing.T) {
 		},
 		{
 			name: "invalid: no config",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StatusReturns(&v1.StatusResponse{Info: map[string]string{}}, nil)
 			},
 			shouldError: true,
@@ -220,7 +223,7 @@ func TestSandboxImage(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -238,7 +241,7 @@ func TestRemoveContainers(t *testing.T) {
 	for _, tc := range []struct {
 		name        string
 		containers  []string
-		prepare     func(*fakeImpl)
+		prepare     func(*FakeImpl)
 		shouldError bool
 	}{
 		{
@@ -252,7 +255,7 @@ func TestRemoveContainers(t *testing.T) {
 		{
 			name:       "invalid: remove pod sandbox fails",
 			containers: []string{"1"},
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.RemovePodSandboxReturns(errTest)
 			},
 			shouldError: true,
@@ -260,7 +263,7 @@ func TestRemoveContainers(t *testing.T) {
 		{
 			name:       "invalid: stop pod sandbox fails",
 			containers: []string{"1"},
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.StopPodSandboxReturns(errTest)
 			},
 			shouldError: true,
@@ -268,7 +271,7 @@ func TestRemoveContainers(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -284,7 +287,7 @@ func TestRemoveContainers(t *testing.T) {
 func TestPullImage(t *testing.T) {
 	for _, tc := range []struct {
 		name        string
-		prepare     func(*fakeImpl)
+		prepare     func(*FakeImpl)
 		shouldError bool
 	}{
 		{
@@ -292,7 +295,7 @@ func TestPullImage(t *testing.T) {
 		},
 		{
 			name: "invalid: pull image fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.PullImageReturns("", errTest)
 			},
 			shouldError: true,
@@ -300,7 +303,7 @@ func TestPullImage(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -317,11 +320,11 @@ func TestImageExists(t *testing.T) {
 	for _, tc := range []struct {
 		name     string
 		expected bool
-		prepare  func(*fakeImpl)
+		prepare  func(*FakeImpl)
 	}{
 		{
 			name: "valid",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.ImageStatusReturns(&v1.ImageStatusResponse{
 					Image: &v1.Image{},
 				}, nil)
@@ -330,7 +333,7 @@ func TestImageExists(t *testing.T) {
 		},
 		{
 			name: "invalid: image status fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.ImageStatusReturns(nil, errTest)
 			},
 			expected: false,
@@ -338,7 +341,7 @@ func TestImageExists(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -466,7 +469,7 @@ func TestPullImagesInParallel(t *testing.T) {
 	for _, tc := range []struct {
 		name         string
 		ifNotPresent bool
-		prepare      func(*fakeImpl)
+		prepare      func(*FakeImpl)
 		shouldError  bool
 	}{
 		{
@@ -478,7 +481,7 @@ func TestPullImagesInParallel(t *testing.T) {
 		},
 		{
 			name: "invalid: pull fails",
-			prepare: func(mock *fakeImpl) {
+			prepare: func(mock *FakeImpl) {
 				mock.PullImageReturns("", errTest)
 			},
 			shouldError: true,
@@ -486,7 +489,7 @@ func TestPullImagesInParallel(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			containerRuntime := NewContainerRuntime("")
-			mock := &fakeImpl{}
+			mock := &FakeImpl{}
 			if tc.prepare != nil {
 				tc.prepare(mock)
 			}
@@ -498,3 +501,51 @@ func TestPullImagesInParallel(t *testing.T) {
 		})
 	}
 }
+
+func TestIsRuntimeConfigEnabled(t *testing.T) {
+	for _, tc := range []struct {
+		name        string
+		prepare     func(*FakeImpl)
+		shouldError bool
+		expected    bool
+	}{
+		{
+			name: "valid: RuntimeConfig gRPC method is implemented",
+			prepare: func(mock *FakeImpl) {
+				mock.RuntimeConfigReturns(&v1.RuntimeConfigResponse{}, nil)
+			},
+			shouldError: false,
+			expected:    true,
+		},
+		{
+			name: "invalid: RuntimeConfig gRPC method is not implemented",
+			prepare: func(mock *FakeImpl) {
+				mock.RuntimeConfigReturns(nil, errNotImplemented)
+			},
+			shouldError: false,
+			expected:    false,
+		},
+		{
+			name: "invalid: RuntimeConfig gRPC method returns an error",
+			prepare: func(mock *FakeImpl) {
+				mock.RuntimeConfigReturns(nil, errTest)
+			},
+			shouldError: true,
+			expected:    false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			containerRuntime := NewContainerRuntime("")
+			mock := &FakeImpl{}
+			if tc.prepare != nil {
+				tc.prepare(mock)
+			}
+			containerRuntime.SetImpl(mock)
+
+			enabled, err := containerRuntime.IsRuntimeConfigImplemented()
+
+			assert.Equal(t, tc.shouldError, err != nil)
+			assert.Equal(t, tc.expected, enabled)
+		})
+	}
+}
diff --git a/cmd/kubeadm/app/util/staticpod/utils.go b/cmd/kubeadm/app/util/staticpod/utils.go
index b49940d6c9d09..c5110eb94c6ba 100644
--- a/cmd/kubeadm/app/util/staticpod/utils.go
+++ b/cmd/kubeadm/app/util/staticpod/utils.go
@@ -18,9 +18,9 @@ package staticpod
 
 import (
 	"bytes"
-	"crypto/md5"
 	"fmt"
 	"hash"
+	"hash/fnv"
 	"io"
 	"math"
 	"net/url"
@@ -373,7 +373,7 @@ func ManifestFilesAreEqual(path1, path2 string) (bool, string, error) {
 		return false, "", err
 	}
 
-	hasher := md5.New()
+	hasher := fnv.New128a()
 	DeepHashObject(hasher, pod1)
 	hash1 := hasher.Sum(nil)[0:]
 	DeepHashObject(hasher, pod2)
diff --git a/cmd/kubeadm/app/util/staticpod/utils_linux.go b/cmd/kubeadm/app/util/staticpod/utils_linux.go
index cdd371f1e7402..27003c46f37b4 100644
--- a/cmd/kubeadm/app/util/staticpod/utils_linux.go
+++ b/cmd/kubeadm/app/util/staticpod/utils_linux.go
@@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package staticpod contains utilities for managing the static pod.
 package staticpod
 
 import (
diff --git a/cmd/kubeadm/app/util/staticpod/utils_others.go b/cmd/kubeadm/app/util/staticpod/utils_others.go
index c259f48b3ecc0..59e520d385679 100644
--- a/cmd/kubeadm/app/util/staticpod/utils_others.go
+++ b/cmd/kubeadm/app/util/staticpod/utils_others.go
@@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package staticpod contains utilities for managing the static pod.
 package staticpod
 
 import (
diff --git a/cmd/kubeadm/app/util/users/users_linux.go b/cmd/kubeadm/app/util/users/users_linux.go
index 09308f98d83db..8c70bffbd9b2e 100644
--- a/cmd/kubeadm/app/util/users/users_linux.go
+++ b/cmd/kubeadm/app/util/users/users_linux.go
@@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package users contains utilities for managing the users.
 package users
 
 import (
@@ -238,12 +239,17 @@ func addUsersAndGroupsImpl(pathLoginDef, pathUsers, pathGroups string) (*UsersAn
 	}
 
 	// Prepare the maps of users and groups.
-	usersConcat := append(users, usersToCreate...)
+	var usersConcat []*entry
+	usersConcat = append(usersConcat, users...)
+	usersConcat = append(usersConcat, usersToCreate...)
 	mapUsers, err := entriesToEntryMap(usersConcat, usersToCreateSpec)
 	if err != nil {
 		return nil, err
 	}
-	groupsConcat := append(groups, groupsToCreate...)
+
+	var groupsConcat []*entry
+	groupsConcat = append(groupsConcat, groups...)
+	groupsConcat = append(groupsConcat, groupsToCreate...)
 	mapGroups, err := entriesToEntryMap(groupsConcat, groupsToCreateSpec)
 	if err != nil {
 		return nil, err
@@ -593,15 +599,15 @@ func openFileWithLock(path string) (f *os.File, close func(), err error) {
 		}
 	}
 	if err != nil {
-		f.Close()
+		_ = f.Close()
 		return nil, nil, err
 	}
 	close = func() {
 		// This function should be called once operations with the file are finished.
 		// It unlocks the file and closes it.
 		unlock := syscall.Flock_t{Type: syscall.F_UNLCK}
-		syscall.FcntlFlock(f.Fd(), syscall.F_SETLK, &unlock)
-		f.Close()
+		_ = syscall.FcntlFlock(f.Fd(), syscall.F_SETLK, &unlock)
+		_ = f.Close()
 	}
 	return f, close, nil
 }
diff --git a/cmd/kubeadm/app/util/users/users_linux_test.go b/cmd/kubeadm/app/util/users/users_linux_test.go
index e0c1368ba0527..1baee04ceb990 100644
--- a/cmd/kubeadm/app/util/users/users_linux_test.go
+++ b/cmd/kubeadm/app/util/users/users_linux_test.go
@@ -579,7 +579,7 @@ func writeTempFile(t *testing.T, contents string) (string, func()) {
 		t.Fatalf("could not write file: %v", err)
 	}
 	close := func() {
-		os.Remove(file.Name())
+		_ = os.Remove(file.Name())
 	}
 	return file.Name(), close
 }
diff --git a/cmd/kubeadm/app/util/users/users_other.go b/cmd/kubeadm/app/util/users/users_other.go
index ba79ebfbb069a..6c2b51bda1f16 100644
--- a/cmd/kubeadm/app/util/users/users_other.go
+++ b/cmd/kubeadm/app/util/users/users_other.go
@@ -17,6 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package users contains utilities for managing the users.
 package users
 
 // EntryMap is empty on non-Linux.
diff --git a/cmd/kubelet/app/auth_test.go b/cmd/kubelet/app/auth_test.go
new file mode 100644
index 0000000000000..06498486b9c38
--- /dev/null
+++ b/cmd/kubelet/app/auth_test.go
@@ -0,0 +1,208 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	authenticationv1client "k8s.io/client-go/kubernetes/typed/authentication/v1"
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	"k8s.io/client-go/rest"
+	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+)
+
+func TestAuthzWebhookRequestEncoding(t *testing.T) {
+	testCases := []struct {
+		name                    string
+		ContentType             string
+		ExpectContentType       string
+		ExpectRequestBodyPrefix []byte
+	}{
+		{
+			name:                    "json",
+			ContentType:             "application/json",
+			ExpectContentType:       "application/json",
+			ExpectRequestBodyPrefix: []byte(`{`),
+		},
+		{
+			name:                    "empty",
+			ContentType:             "",
+			ExpectContentType:       "application/json",
+			ExpectRequestBodyPrefix: []byte(`{`),
+		},
+		{
+			name:                    "protobuf",
+			ContentType:             "application/vnd.kubernetes.protobuf",
+			ExpectContentType:       "application/vnd.kubernetes.protobuf",
+			ExpectRequestBodyPrefix: []byte("\x6b\x38\x73\x00"), // k8s protobuf magic number
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			handlerInvoked := make(chan struct{})
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defer close(handlerInvoked)
+
+				if got := r.Header.Get("Content-Type"); got != tc.ExpectContentType {
+					t.Errorf("unexpected Content-Type: got %q, want %q", got, tc.ExpectContentType)
+				}
+
+				body, err := io.ReadAll(r.Body)
+				if err != nil {
+					t.Fatalf("failed to read request body: %v", err)
+				}
+				if !bytes.HasPrefix(body, tc.ExpectRequestBodyPrefix) {
+					t.Errorf("request body should have prefix %q, but got %q", tc.ExpectRequestBodyPrefix, body)
+				}
+
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				if _, err := w.Write([]byte(`{"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","status":{"allowed":true}}`)); err != nil {
+					t.Fatalf("unexpected response write failure: %v", err)
+				}
+			}))
+			defer server.Close()
+
+			cfg := &rest.Config{
+				Host: server.URL,
+				ContentConfig: rest.ContentConfig{
+					ContentType: tc.ContentType,
+				},
+			}
+
+			authzClient, err := authorizationv1client.NewForConfigAndClient(cfg, server.Client())
+			if err != nil {
+				t.Fatalf("failed to create authorization client: %v", err)
+			}
+
+			authz, err := BuildAuthz(authzClient, kubeletconfig.KubeletAuthorization{Mode: kubeletconfig.KubeletAuthorizationModeWebhook})
+			if err != nil {
+				t.Fatalf("failed to build authorizer: %v", err)
+			}
+
+			if _, _, err := authz.Authorize(context.Background(), &authorizer.AttributesRecord{}); err != nil {
+				t.Fatalf("Authorize failed: %v", err)
+			}
+
+			select {
+			case <-handlerInvoked:
+			default:
+				t.Fatal("webhook handler not invoked")
+			}
+		})
+	}
+}
+
+func TestAuthnWebhookRequestEncoding(t *testing.T) {
+	testCases := []struct {
+		name                    string
+		ContentType             string
+		ExpectContentType       string
+		ExpectRequestBodyPrefix []byte
+	}{
+		{
+			name:                    "json",
+			ContentType:             "application/json",
+			ExpectContentType:       "application/json",
+			ExpectRequestBodyPrefix: []byte(`{`),
+		},
+		{
+			name:                    "empty",
+			ContentType:             "",
+			ExpectContentType:       "application/json",
+			ExpectRequestBodyPrefix: []byte(`{`),
+		},
+		{
+			name:                    "protobuf",
+			ContentType:             "application/vnd.kubernetes.protobuf",
+			ExpectContentType:       "application/vnd.kubernetes.protobuf",
+			ExpectRequestBodyPrefix: []byte("\x6b\x38\x73\x00"), // k8s protobuf magic number
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			handlerInvoked := make(chan struct{})
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				defer close(handlerInvoked)
+
+				if got := r.Header.Get("Content-Type"); got != tc.ExpectContentType {
+					t.Errorf("unexpected Content-Type: got %q, want %q", got, tc.ExpectContentType)
+				}
+
+				body, err := io.ReadAll(r.Body)
+				if err != nil {
+					t.Fatalf("failed to read request body: %v", err)
+				}
+				if !bytes.HasPrefix(body, tc.ExpectRequestBodyPrefix) {
+					t.Errorf("request body should have prefix %q, but got %q", tc.ExpectRequestBodyPrefix, body)
+				}
+
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				if _, err := w.Write([]byte(`{"kind":"TokenReview","apiVersion":"authentication.k8s.io/v1","status":{"authenticated":true}}`)); err != nil {
+					t.Fatalf("unexpected response write failure: %v", err)
+				}
+			}))
+			defer server.Close()
+
+			cfg := &rest.Config{
+				Host: server.URL,
+				ContentConfig: rest.ContentConfig{
+					ContentType: tc.ContentType,
+				},
+			}
+
+			authnClient, err := authenticationv1client.NewForConfigAndClient(cfg, server.Client())
+			if err != nil {
+				t.Fatalf("failed to create authentication client: %v", err)
+			}
+
+			authn, _, err := BuildAuthn(authnClient, kubeletconfig.KubeletAuthentication{
+				Webhook: kubeletconfig.KubeletWebhookAuthentication{
+					Enabled: true,
+				},
+			})
+			if err != nil {
+				t.Fatalf("failed to build authenticator: %v", err)
+			}
+
+			request, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, "/fooz", nil)
+			if err != nil {
+				t.Fatalf("failed to build test request: %v", err)
+			}
+			request.Header.Set("Authorization", "Bearer foo")
+
+			if _, _, err := authn.AuthenticateRequest(request); err != nil {
+				t.Fatalf("AuthenticateToken failed: %v", err)
+			}
+
+			select {
+			case <-handlerInvoked:
+			default:
+				t.Fatal("webhook handler not invoked")
+			}
+		})
+	}
+}
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 2cd3b1639193e..7b6d6f7d2c047 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -34,10 +34,10 @@ import (
 	"k8s.io/kubelet/config/v1beta1"
 	kubeletapis "k8s.io/kubelet/pkg/apis"
 	"k8s.io/kubernetes/pkg/cluster/ports"
-	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	kubeletconfigapi "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 	kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	utilflag "k8s.io/kubernetes/pkg/util/flag"
 )
 
@@ -63,7 +63,7 @@ type KubeletFlags struct {
 	NodeIP string
 
 	// Container-runtime-specific options.
-	config.ContainerRuntimeOptions
+	kubeletconfig.ContainerRuntimeOptions
 
 	// certDirectory is the directory where the TLS certs are located.
 	// If tlsCertFile and tlsPrivateKeyFile are provided, this flag will be ignored.
@@ -134,7 +134,7 @@ type KubeletFlags struct {
 // NewKubeletFlags will create a new KubeletFlags with default values
 func NewKubeletFlags() *KubeletFlags {
 	return &KubeletFlags{
-		ContainerRuntimeOptions: config.ContainerRuntimeOptions{},
+		ContainerRuntimeOptions: kubeletconfig.ContainerRuntimeOptions{},
 		CertDirectory:           "/var/lib/kubelet/pki",
 		RootDirectory:           filepath.Clean(defaultRootDir),
 		MaxContainerCount:       -1,
@@ -195,14 +195,14 @@ func getLabelNamespace(key string) string {
 }
 
 // NewKubeletConfiguration will create a new KubeletConfiguration with default values
-func NewKubeletConfiguration() (*kubeletconfig.KubeletConfiguration, error) {
+func NewKubeletConfiguration() (*kubeletconfigapi.KubeletConfiguration, error) {
 	scheme, _, err := kubeletscheme.NewSchemeAndCodecs()
 	if err != nil {
 		return nil, err
 	}
 	versioned := &v1beta1.KubeletConfiguration{}
 	scheme.Default(versioned)
-	config := &kubeletconfig.KubeletConfiguration{}
+	config := &kubeletconfigapi.KubeletConfiguration{}
 	if err := scheme.Convert(versioned, config, nil); err != nil {
 		return nil, err
 	}
@@ -213,13 +213,13 @@ func NewKubeletConfiguration() (*kubeletconfig.KubeletConfiguration, error) {
 // applyLegacyDefaults applies legacy default values to the KubeletConfiguration in order to
 // preserve the command line API. This is used to construct the baseline default KubeletConfiguration
 // before the first round of flag parsing.
-func applyLegacyDefaults(kc *kubeletconfig.KubeletConfiguration) {
+func applyLegacyDefaults(kc *kubeletconfigapi.KubeletConfiguration) {
 	// --anonymous-auth
 	kc.Authentication.Anonymous.Enabled = true
 	// --authentication-token-webhook
 	kc.Authentication.Webhook.Enabled = false
 	// --authorization-mode
-	kc.Authorization.Mode = kubeletconfig.KubeletAuthorizationModeAlwaysAllow
+	kc.Authorization.Mode = kubeletconfigapi.KubeletAuthorizationModeAlwaysAllow
 	// --read-only-port
 	kc.ReadOnlyPort = ports.KubeletReadOnlyPort
 }
@@ -228,7 +228,7 @@ func applyLegacyDefaults(kc *kubeletconfig.KubeletConfiguration) {
 // a kubelet. These can either be set via command line or directly.
 type KubeletServer struct {
 	KubeletFlags
-	kubeletconfig.KubeletConfiguration
+	kubeletconfigapi.KubeletConfiguration
 }
 
 // NewKubeletServer will create a new KubeletServer with default values.
@@ -276,7 +276,7 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 		mainfs.AddFlagSet(fs)
 	}()
 
-	f.ContainerRuntimeOptions.AddFlags(fs)
+	addContainerRuntimeFlags(fs, &f.ContainerRuntimeOptions)
 	f.addOSFlags(fs)
 
 	fs.StringVar(&f.KubeletConfigFile, "config", f.KubeletConfigFile, "The Kubelet will load its initial configuration from this file. The path may be absolute or relative; relative paths start at the Kubelet's current working directory. Omit this flag to use the built-in default configuration values. Command-line flags override configuration from this file.")
@@ -320,8 +320,18 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 	fs.MarkDeprecated("experimental-allocatable-ignore-eviction", "will be removed in 1.25 or later.")
 }
 
+// addContainerRuntimeFlags adds flags to the container runtime, according to ContainerRuntimeOptions.
+func addContainerRuntimeFlags(fs *pflag.FlagSet, o *kubeletconfig.ContainerRuntimeOptions) {
+	// General settings.
+	fs.StringVar(&o.RuntimeCgroups, "runtime-cgroups", o.RuntimeCgroups, "Optional absolute name of cgroups to create and run the runtime in.")
+
+	// Image credential provider settings.
+	fs.StringVar(&o.ImageCredentialProviderConfigPath, "image-credential-provider-config", o.ImageCredentialProviderConfigPath, "Path to a credential provider plugin config file (JSON/YAML/YML) or a directory of such files (merged in lexicographical order; non-recursive search).")
+	fs.StringVar(&o.ImageCredentialProviderBinDir, "image-credential-provider-bin-dir", o.ImageCredentialProviderBinDir, "The path to the directory where credential provider plugin binaries are located.")
+}
+
 // AddKubeletConfigFlags adds flags for a specific kubeletconfig.KubeletConfiguration to the specified FlagSet
-func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfiguration) {
+func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfigapi.KubeletConfiguration) {
 	fs := pflag.NewFlagSet("", pflag.ExitOnError)
 	defer func() {
 		// All KubeletConfiguration flags are now deprecated, and any new flags that point to
diff --git a/cmd/kubelet/app/options/options_test.go b/cmd/kubelet/app/options/options_test.go
index 3ec297cd17272..a229d812d5690 100644
--- a/cmd/kubelet/app/options/options_test.go
+++ b/cmd/kubelet/app/options/options_test.go
@@ -25,7 +25,7 @@ import (
 	"github.com/spf13/pflag"
 
 	cliflag "k8s.io/component-base/cli/flag"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 )
 
 func newKubeletServerOrDie() *KubeletServer {
@@ -179,7 +179,7 @@ func TestValidateKubeletFlags(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := ValidateKubeletFlags(&KubeletFlags{
-				ContainerRuntimeOptions: config.ContainerRuntimeOptions{},
+				ContainerRuntimeOptions: kubeletconfig.ContainerRuntimeOptions{},
 				NodeLabels:              tt.labels,
 			})
 
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 5397fa6738449..65174afad7c3b 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -35,6 +35,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-systemd/v22/daemon"
+	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"go.opentelemetry.io/otel"
@@ -64,6 +65,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/wait"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
@@ -86,7 +88,6 @@ import (
 	"k8s.io/component-base/version"
 	"k8s.io/component-base/version/verflag"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	nodeutil "k8s.io/component-helpers/node/util"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
@@ -209,11 +210,6 @@ is checked every 20 seconds (also configurable with a flag).`,
 				return fmt.Errorf("failed to validate kubelet flags: %w", err)
 			}
 
-			if cleanFlagSet.Changed("pod-infra-container-image") {
-				logger.Info("--pod-infra-container-image will not be pruned by the image garbage collector in kubelet and should also be set in the remote runtime")
-				_ = cmd.Flags().MarkDeprecated("pod-infra-container-image", "--pod-infra-container-image will be removed in 1.35. Image garbage collector will get sandbox image information from CRI.")
-			}
-
 			// load kubelet config file, if provided
 			if len(kubeletFlags.KubeletConfigFile) > 0 {
 				kubeletConfig, err = loadConfigFile(ctx, kubeletFlags.KubeletConfigFile)
@@ -583,14 +579,14 @@ func makeEventRecorder(ctx context.Context, kubeDeps *kubelet.Dependencies, node
 	}
 }
 
-func getReservedCPUs(machineInfo *cadvisorapi.MachineInfo, cpus string) (cpuset.CPUSet, error) {
+func getReservedCPUs(logger logr.Logger, machineInfo *cadvisorapi.MachineInfo, cpus string) (cpuset.CPUSet, error) {
 	emptyCPUSet := cpuset.New()
 
 	if cpus == "" {
 		return emptyCPUSet, nil
 	}
 
-	topo, err := topology.Discover(machineInfo)
+	topo, err := topology.Discover(logger, machineInfo)
 	if err != nil {
 		return emptyCPUSet, fmt.Errorf("unable to discover CPU topology info: %s", err)
 	}
@@ -606,17 +602,15 @@ func getReservedCPUs(machineInfo *cadvisorapi.MachineInfo, cpus string) (cpuset.
 }
 
 func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Dependencies, featureGate featuregate.FeatureGate) (err error) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.SystemdWatchdog) {
-		// NewHealthChecker returns an error indicating that the watchdog is configured but the configuration is incorrect,
-		// the kubelet will not be started.
-		healthChecker, err := watchdog.NewHealthChecker()
-		if err != nil {
-			return fmt.Errorf("create health checker: %w", err)
-		}
-		kubeDeps.HealthChecker = healthChecker
-		healthChecker.Start(ctx)
-	}
 	logger := klog.FromContext(ctx)
+	// NewHealthChecker returns an error indicating that the watchdog is configured but the configuration is incorrect,
+	// the kubelet will not be started.
+	healthChecker, err := watchdog.NewHealthChecker(logger)
+	if err != nil {
+		return fmt.Errorf("create health checker: %w", err)
+	}
+	kubeDeps.HealthChecker = healthChecker
+	healthChecker.Start(ctx)
 	// Set global feature gates based on the value on the initial KubeletServer
 	err = utilfeature.DefaultMutableFeatureGate.SetFromMap(s.KubeletConfiguration.FeatureGates)
 	if err != nil {
@@ -650,12 +644,6 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
 		}
 	}
 
-	// Register current configuration with /configz endpoint
-	err = initConfigz(ctx, &s.KubeletConfiguration)
-	if err != nil {
-		logger.Error(err, "Failed to register kubelet configuration with configz")
-	}
-
 	if len(s.ShowHiddenMetricsForVersion) > 0 {
 		metrics.SetShowHidden()
 	}
@@ -745,10 +733,16 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
 		return err
 	}
 
+	// Register current configuration with /configz endpoint
+	err = initConfigz(ctx, &s.KubeletConfiguration)
+	if err != nil {
+		logger.Error(err, "Failed to register kubelet configuration with configz")
+	}
+
 	var cgroupRoots []string
 	nodeAllocatableRoot := cm.NodeAllocatableRoot(s.CgroupRoot, s.CgroupsPerQOS, s.CgroupDriver)
 	cgroupRoots = append(cgroupRoots, nodeAllocatableRoot)
-	kubeletCgroup, err := cm.GetKubeletContainer(s.KubeletCgroups)
+	kubeletCgroup, err := cm.GetKubeletContainer(logger, s.KubeletCgroups)
 	if err != nil {
 		logger.Info("Failed to get the kubelet's cgroup. Kubelet system container metrics may be missing", "err", err)
 	} else if kubeletCgroup != "" {
@@ -792,7 +786,7 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
 		if err != nil {
 			return err
 		}
-		reservedSystemCPUs, err := getReservedCPUs(machineInfo, s.ReservedSystemCPUs)
+		reservedSystemCPUs, err := getReservedCPUs(logger, machineInfo, s.ReservedSystemCPUs)
 		if err != nil {
 			return err
 		}
@@ -850,6 +844,7 @@ func run(ctx context.Context, s *options.KubeletServer, kubeDeps *kubelet.Depend
 		}
 
 		kubeDeps.ContainerManager, err = cm.NewContainerManager(
+			ctx,
 			kubeDeps.Mounter,
 			kubeDeps.CAdvisorInterface,
 			cm.NodeConfig{
@@ -960,7 +955,7 @@ func buildKubeletClientConfig(ctx context.Context, s *options.KubeletServer, tp
 		// bootstrap the cert manager with the contents of the initial client config.
 
 		logger.Info("Client rotation is on, will bootstrap in background")
-		certConfig, clientConfig, err := bootstrap.LoadClientConfig(s.KubeConfig, s.BootstrapKubeconfig, s.CertDirectory)
+		certConfig, clientConfig, err := bootstrap.LoadClientConfig(logger, s.KubeConfig, s.BootstrapKubeconfig, s.CertDirectory)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -998,7 +993,7 @@ func buildKubeletClientConfig(ctx context.Context, s *options.KubeletServer, tp
 		// we set exitAfter to five minutes because we use this client configuration to request new certs - if we are unable
 		// to request new certs, we will be unable to continue normal operation. Exiting the process allows a wrapper
 		// or the bootstrapping credentials to potentially lay down new initial config.
-		closeAllConns, err := kubeletcertificate.UpdateTransport(wait.NeverStop, transportConfig, clientCertificateManager, 5*time.Minute)
+		closeAllConns, err := kubeletcertificate.UpdateTransport(logger, wait.NeverStop, transportConfig, clientCertificateManager, 5*time.Minute)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -1276,10 +1271,10 @@ func startKubelet(ctx context.Context, k kubelet.Bootstrap, podCfg *config.PodCo
 
 	// start the kubelet server
 	if enableServer {
-		go k.ListenAndServe(kubeCfg, kubeDeps.TLSOptions, kubeDeps.Auth, kubeDeps.TracerProvider)
+		go k.ListenAndServe(ctx, kubeCfg, kubeDeps.TLSOptions, kubeDeps.Auth, kubeDeps.TracerProvider)
 	}
 	if kubeCfg.ReadOnlyPort > 0 {
-		go k.ListenAndServeReadOnly(netutils.ParseIPSloppy(kubeCfg.Address), uint(kubeCfg.ReadOnlyPort), kubeDeps.TracerProvider)
+		go k.ListenAndServeReadOnly(ctx, netutils.ParseIPSloppy(kubeCfg.Address), uint(kubeCfg.ReadOnlyPort), kubeDeps.TracerProvider)
 	}
 	go k.ListenAndServePodResources(ctx)
 }
diff --git a/cmd/kubelet/app/server_bootstrap_test.go b/cmd/kubelet/app/server_bootstrap_test.go
index 95c7475e52858..b7162920d5c78 100644
--- a/cmd/kubelet/app/server_bootstrap_test.go
+++ b/cmd/kubelet/app/server_bootstrap_test.go
@@ -38,8 +38,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	clientfeatures "k8s.io/client-go/features"
 	restclient "k8s.io/client-go/rest"
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/component-base/featuregate"
 	capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1"
 	"k8s.io/kubernetes/pkg/controller/certificates/authority"
 )
@@ -350,6 +354,49 @@ func (s *csrSimulator) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.Write(data)
 
+	case utilfeature.DefaultFeatureGate.Enabled(featuregate.Feature(clientfeatures.WatchListClient)) && req.Method == http.MethodGet && req.URL.Path == "/apis/certificates.k8s.io/v1/certificatesigningrequests" && req.URL.RawQuery == "fieldSelector=metadata.name%3Dtest-csr&resourceVersionMatch=NotOlderThan&sendInitialEvents=true&watch=true":
+		// TODO(#115478): remove the list & watch cases above when WatchListClient FG is removed
+		if s.csr == nil {
+			t.Fatalf("no csr")
+		}
+		csr := &metav1.WatchEvent{
+			Type: string(watch.Added),
+			Object: runtime.RawExtension{
+				Raw: mustMarshal(s.csr.DeepCopy()),
+			},
+		}
+
+		bookmark := &metav1.WatchEvent{
+			Type: string(watch.Bookmark),
+			Object: runtime.RawExtension{
+				Raw: mustMarshal(&certapi.CertificateSigningRequest{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "CertificateSigningRequest",
+						APIVersion: "certificates.k8s.io/v1",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							metav1.InitialEventsAnnotationKey: "true",
+						},
+					},
+				}),
+			},
+		}
+
+		flusher, ok := w.(http.Flusher)
+		if !ok {
+			t.Fatal("http.ResponseWriter doesn't support http.Flusher")
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		if _, err := w.Write(mustMarshal(csr)); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := w.Write(mustMarshal(bookmark)); err != nil {
+			t.Fatal(err)
+		}
+		flusher.Flush()
+
 	default:
 		t.Fatalf("unexpected request: %s %s", req.Method, req.URL)
 	}
diff --git a/cmd/kubelet/app/server_windows.go b/cmd/kubelet/app/server_windows.go
index 8441ca85980fc..781cd95cca9bf 100644
--- a/cmd/kubelet/app/server_windows.go
+++ b/cmd/kubelet/app/server_windows.go
@@ -38,7 +38,7 @@ func checkPermissions(ctx context.Context) error {
 
 	// For Windows user.UserName contains the login name and user.Name contains
 	// the user's display name - https://pkg.go.dev/os/user#User
-	logger.Info("Kubelet is running as", "login name", u.Username, "dispaly name", u.Name)
+	logger.Info("Kubelet is running as", "login name", u.Username, "display name", u.Name)
 
 	if !windows.GetCurrentProcessToken().IsElevated() {
 		return errors.New("kubelet needs to run with elevated permissions!")
diff --git a/go.mod b/go.mod
index fc77d8ff2d39f..164c725fe77a7 100644
--- a/go.mod
+++ b/go.mod
@@ -6,33 +6,31 @@
 
 module k8s.io/kubernetes
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	bitbucket.org/bertimus9/systemstat v0.5.0
 	github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab
 	github.com/Microsoft/go-winio v0.6.2
-	github.com/Microsoft/hnslib v0.1.1
+	github.com/Microsoft/hnslib v0.1.2
 	github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2
-	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
 	github.com/blang/semver/v4 v4.0.0
 	github.com/container-storage-interface/spec v1.9.0
-	github.com/coredns/corefile-migration v1.0.26
+	github.com/coredns/corefile-migration v1.0.29
 	github.com/coreos/go-oidc v2.3.0+incompatible
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/cpuguy83/go-md2man/v2 v2.0.6
-	github.com/cyphar/filepath-securejoin v0.4.1
+	github.com/cyphar/filepath-securejoin v0.6.0
 	github.com/distribution/reference v0.6.0
 	github.com/docker/go-units v0.5.0
 	github.com/emicklei/go-restful/v3 v3.12.2
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
 	github.com/go-openapi/jsonreference v0.20.2
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/gogo/protobuf v1.3.2
-	github.com/google/cadvisor v0.52.1
+	github.com/google/cadvisor v0.53.0
 	github.com/google/cel-go v0.26.0
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
@@ -44,78 +42,78 @@ require (
 	github.com/moby/sys/userns v0.1.0
 	github.com/mrunalp/fileutils v0.5.1
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
-	github.com/onsi/ginkgo/v2 v2.21.0
-	github.com/onsi/gomega v1.35.1
+	github.com/onsi/ginkgo/v2 v2.25.1
+	github.com/onsi/gomega v1.38.2
 	github.com/opencontainers/cgroups v0.0.3
-	github.com/opencontainers/runc v1.2.5
-	github.com/opencontainers/selinux v1.11.1
-	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835
-	github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
-	github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d
-	github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
+	github.com/opencontainers/selinux v1.13.0
+	github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818
+	github.com/openshift/api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
+	github.com/openshift/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/prometheus/client_golang v1.22.0
-	github.com/prometheus/client_model v0.6.1
-	github.com/prometheus/common v0.62.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_model v0.6.2
+	github.com/prometheus/common v0.66.1
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
-	go.etcd.io/etcd/api/v3 v3.6.4
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4
-	go.etcd.io/etcd/client/v3 v3.6.4
+	go.etcd.io/etcd/api/v3 v3.6.5
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5
+	go.etcd.io/etcd/client/v3 v3.6.5
 	go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
+	go.opentelemetry.io/otel v1.36.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
-	go.opentelemetry.io/otel/metric v1.35.0
-	go.opentelemetry.io/otel/sdk v1.34.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/metric v1.36.0
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
 	go.opentelemetry.io/proto/otlp v1.5.0
 	go.uber.org/goleak v1.3.0
 	go.uber.org/zap v1.27.0
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/crypto v0.42.0
-	golang.org/x/net v0.43.0
-	golang.org/x/oauth2 v0.27.0
-	golang.org/x/sync v0.17.0
-	golang.org/x/sys v0.36.0
-	golang.org/x/term v0.35.0
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/crypto v0.45.0
+	golang.org/x/net v0.47.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/sys v0.38.0
+	golang.org/x/term v0.37.0
+	golang.org/x/text v0.31.0
 	golang.org/x/time v0.9.0
-	golang.org/x/tools v0.36.0
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	golang.org/x/tools v0.38.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	gopkg.in/go-jose/go-jose.v2 v2.6.3
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.34.1
-	k8s.io/apiextensions-apiserver v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
+	k8s.io/api v0.35.1
+	k8s.io/apiextensions-apiserver v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
 	k8s.io/cli-runtime v0.0.0
-	k8s.io/client-go v0.34.1
+	k8s.io/client-go v0.35.1
 	k8s.io/cloud-provider v0.0.0
 	k8s.io/cluster-bootstrap v0.0.0
-	k8s.io/code-generator v0.34.1
-	k8s.io/component-base v0.34.1
-	k8s.io/component-helpers v0.32.1
+	k8s.io/code-generator v0.35.1
+	k8s.io/component-base v0.35.1
+	k8s.io/component-helpers v0.35.0
 	k8s.io/controller-manager v0.32.1
 	k8s.io/cri-api v0.0.0
 	k8s.io/cri-client v0.0.0
 	k8s.io/csi-translation-lib v0.0.0
-	k8s.io/dynamic-resource-allocation v0.0.0
+	k8s.io/dynamic-resource-allocation v0.35.0
 	k8s.io/endpointslice v0.0.0
 	k8s.io/externaljwt v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kms v0.34.1
-	k8s.io/kube-aggregator v0.34.1
+	k8s.io/kms v0.35.1
+	k8s.io/kube-aggregator v0.35.1
 	k8s.io/kube-controller-manager v0.0.0
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 	k8s.io/kube-proxy v0.0.0
 	k8s.io/kube-scheduler v0.0.0
 	k8s.io/kubectl v0.0.0
@@ -124,9 +122,9 @@ require (
 	k8s.io/mount-utils v0.0.0
 	k8s.io/pod-security-admission v0.0.0
 	k8s.io/sample-apiserver v0.0.0
-	k8s.io/system-validators v1.10.2
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/system-validators v1.12.1
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/knftables v0.0.17
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
@@ -135,21 +133,23 @@ require (
 
 require (
 	cel.dev/expr v0.24.0 // indirect
+	cyphar.com/go-pathrs v0.2.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/containerd/api v1.9.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/ttrpc v1.2.6 // indirect
-	github.com/containerd/typeurl/v2 v2.2.2 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/coredns/caddy v1.1.1 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -167,10 +167,11 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 // indirect
@@ -197,11 +198,11 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
@@ -211,9 +212,9 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.etcd.io/bbolt v1.4.2 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/server/v3 v3.6.4 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
+	go.etcd.io/etcd/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/server/v3 v3.6.5 // indirect
 	go.etcd.io/raft/v3 v3.6.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
@@ -222,12 +223,11 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kustomize/v5 v5.7.1 // indirect
@@ -235,8 +235,11 @@ require (
 )
 
 replace (
-	github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.52.1-openshift-4.21-1
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/apiserver-library-go => github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ./staging/src/k8s.io/api
 	k8s.io/apiextensions-apiserver => ./staging/src/k8s.io/apiextensions-apiserver
 	k8s.io/apimachinery => ./staging/src/k8s.io/apimachinery
diff --git a/go.sum b/go.sum
index 56a5c1b89c522..d5a16fda3cb41 100644
--- a/go.sum
+++ b/go.sum
@@ -3,7 +3,9 @@ bitbucket.org/bertimus9/systemstat v0.5.0/go.mod h1:EkUWPp8lKFPMXP8vnbpT5JDI0W/s
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-20250130201111-63bb56e20495.1/go.mod h1:novQBstnxcGpfKf8qGRATqn1anQKwMJIbH5Q581jibU=
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
-cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
+cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
@@ -13,10 +15,12 @@ github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab h1:UKkYhof1njT1
 github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hnslib v0.1.1 h1:JsZy681SnvSOUAfCZVAxkX4LgQGp+CZZwPbLV0/pdF8=
-github.com/Microsoft/hnslib v0.1.1/go.mod h1:DRQR4IjLae6WHYVhW7uqe44hmFUiNhmaWA+jwMbz5tM=
+github.com/Microsoft/hnslib v0.1.2 h1:CshjwTQsNx1o7BIA1XO8HtgDsiCqn+b6kGjL/tIxXQQ=
+github.com/Microsoft/hnslib v0.1.2/go.mod h1:5vTyBey4N/VI2ZTNh2gdWhkPMefSbCFYjpvVwye+qtI=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -32,19 +36,19 @@ github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 h1:7Ip0wMmLHLRJdrloD
 github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/aws/aws-sdk-go-v2 v1.30.1/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
-github.com/aws/aws-sdk-go-v2/config v1.27.24/go.mod h1:aXzi6QJTuQRVVusAO8/NxpdTeTyr/wRcybdDtfUwJSs=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.24/go.mod h1:Hld7tmnAkoBQdTMNYZGzztzKRdA4fCdn9L83LOoigac=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9/go.mod h1:WQr3MY7AxGNxaqAtsDWn+fBxmd4XvLkzeqQ8P1VM0/w=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13/go.mod h1:+rdA6ZLpaSeM7tSg/B0IEDinCIBJGmW8rKDFkYpP04g=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13/go.mod h1:i+kbfa76PQbWw/ULoWnp51EYVWH4ENln76fLQE3lXT8=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15/go.mod h1:9xWJ3Q/S6Ojusz1UIkfycgD1mGirJfLLKqq3LPT7WN8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.1/go.mod h1:/vWdhoIoYA5hYoPZ6fm7Sv4d8701PiG5VKe8/pPJL60=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2/go.mod h1:xyFHA4zGxgYkdD73VeezHt3vSKEG9EmFnGwoKlP00u4=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.1/go.mod h1:jiNR3JqT15Dm+QWq2SRgh0x0bCNSRP2L25+CqPNpJlQ=
-github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -56,7 +60,6 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
 github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
-github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI=
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/cilium/ebpf v0.17.3/go.mod h1:G5EDHij8yiLzaqn0WjyfJHvRa+3aDlReIaLVRMvOyJk=
 github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
@@ -64,23 +67,22 @@ github.com/cockroachdb/datadriven v1.0.2 h1:H9MtNqVoVhvd9nCBwOyDjUEdZCREqbIdCJD9
 github.com/cockroachdb/datadriven v1.0.2/go.mod h1:a9RdTaap04u637JoCzcUoIcDmvwSUtcUFtT/C3kJlTU=
 github.com/container-storage-interface/spec v1.9.0 h1:zKtX4STsq31Knz3gciCYCi1SXtO2HJDecIjDVboYavY=
 github.com/container-storage-interface/spec v1.9.0/go.mod h1:ZfDu+3ZRyeVqxZM0Ds19MVLkN2d1XJ5MAfi1L3VjlT0=
-github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
-github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
+github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
+github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/ttrpc v1.2.6 h1:zG+Kn5EZ6MUYCS1t2Hmt2J4tMVaLSFEJVOraDQwNPC4=
-github.com/containerd/ttrpc v1.2.6/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.2.2 h1:3jN/k2ysKuPCsln5Qv8bzR9cxal8XjkxPogJfSNO31k=
-github.com/containerd/typeurl/v2 v2.2.2/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
+github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
+github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0=
 github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/corefile-migration v1.0.26 h1:xiiEkVB1Dwolb24pkeDUDBfygV9/XsOSq79yFCrhptY=
-github.com/coredns/corefile-migration v1.0.26/go.mod h1:56DPqONc3njpVPsdilEnfijCwNGC3/kTJLl7i7SPavY=
+github.com/coredns/corefile-migration v1.0.29 h1:g4cPYMXXDDs9uLE2gFYrJaPBuUAR07eEMGyh9JBE13w=
+github.com/coredns/corefile-migration v1.0.29/go.mod h1:56DPqONc3njpVPsdilEnfijCwNGC3/kTJLl7i7SPavY=
 github.com/coreos/go-oidc v2.3.0+incompatible h1:+5vEsrgprdLjjQ9FzIKAzQz1wwPD+83hQRfUIPh7rO0=
 github.com/coreos/go-oidc v2.3.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
@@ -92,8 +94,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6N
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
-github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -101,8 +103,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/distribution/distribution/v3 v3.0.0-20230511163743-f7717b7855ca/go.mod h1:t1IxPNGdTGez+YGKyJyQrtSSqisfMIm1hnFhvMPlxtE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
+github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
@@ -132,6 +134,12 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE=
+github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -140,8 +148,8 @@ github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh1
 github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -156,6 +164,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -175,6 +185,8 @@ github.com/gonum/lapack v0.0.0-20181123203213-e4cdc5a0bff9/go.mod h1:XA3DeT6rxh2
 github.com/gonum/matrix v0.0.0-20181209220409-c518dec07be9/go.mod h1:0EXg4mc1CNP0HCqCz+K4ts155PXIlUywf0wqN+GfPZw=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/cadvisor v0.53.0 h1:pmveUw2VBlr/T2SBE9Fsp8gdLhKWyOBkECGbaas9mcI=
+github.com/google/cadvisor v0.53.0/go.mod h1:Tz3zf/exzFfdWd1T/U/9eNst0ZR2C6CIV62LJATj5tg=
 github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
 github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
@@ -182,8 +194,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -211,6 +223,14 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/ishidawataru/sctp v0.0.0-20250521072954-ae8eb7fa7995 h1:GtGlZy0FQTUGKSGVhzFZixkUXnpRj7s1rKEegNZcy9Y=
 github.com/ishidawataru/sctp v0.0.0-20250521072954-ae8eb7fa7995/go.mod h1:co9pwDoBCm1kGxawmb4sPq0cSIOOWNPT4KnHotMP1Zg=
+github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b h1:26tupoJhzGhK5F178nHcRKaaQdgH5sFyjRT/UZ4HuZY=
+github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b/go.mod h1:BSskwbEaYqCCoSeqjv1S7Mw8IANCYzAVPtUXLzQ7SJA=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17 h1:fbl50zu3Ol4/FUSorOUD5xPqvXD94OvREGNacymXOgw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d h1:kqSuLRGP/BS1qyFXP8X9t+aZehk/yF853PFu2e1og0U=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -227,6 +247,8 @@ github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbd
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
+github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
@@ -254,7 +276,11 @@ github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffkt
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
+github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible h1:aKW/4cBs+yK6gpqU3K/oIwk9Q/XICqd3zOX/UFuvqmk=
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
@@ -265,6 +291,7 @@ github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
 github.com/moby/ipvs v1.1.0/go.mod h1:4VJMWuf098bsUMmZEiD4Tjk/O7mOn3l1PTD3s4OoYAs=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
 github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
@@ -290,35 +317,24 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/cgroups v0.0.3 h1:Jc9dWh/0YLGjdy6J/9Ln8NM5BfTA4W2BY0GMozy3aDU=
 github.com/opencontainers/cgroups v0.0.3/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runc v1.2.5 h1:8KAkq3Wrem8bApgOHyhRI/8IeLXIfmZ6Qaw6DNSLnA4=
-github.com/opencontainers/runc v1.2.5/go.mod h1:dOQeFo29xZKBNeRBI0B19mJtfHv68YgCTh1X+YphA+4=
-github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
-github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
-github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835 h1:rkqIIfdYYkasXbF2XKVgh/3f1mhjSQK9By8WtVMgYo8=
-github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401 h1:goMf6pBtRFSQaVElFk6K+GIAqnv7O84p7PJHH6pDz/E=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d h1:Mfya3RxHWvidOrKyHj3bmFn5x2B89DLZIvDAhwm+C2s=
-github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d/go.mod h1:zm2/rIUp0p83pz0/1kkSoKTqhTr3uUKSKQ9fP7Z3g7Y=
+github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
+github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
+github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
+github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818 h1:jJLE/aCAqDf8U4wc3bE1IEKgIxbb0ICjCNVFA49x/8s=
+github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c h1:TBE0Gl+oCo/SNEhLKZQNNH/SWHXrpGyhAw7P0lAqdHg=
-github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c/go.mod h1:IsynOWZAfdH+BgWimcFQRtI41Id9sgdhsCEjIk8ACLw=
-github.com/openshift/google-cadvisor v0.52.1-openshift-4.21-1 h1:GNwO7gdyk6kAbFwIRo0T8NOTgxKYA2J6tSAtVMYavY0=
-github.com/openshift/google-cadvisor v0.52.1-openshift-4.21-1/go.mod h1:OAhPcx1nOm5YwMh/JhpUOMKyv1YKLRtS9KgzWPndHmA=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -331,25 +347,24 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -357,10 +372,11 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -376,12 +392,18 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
-github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
@@ -397,18 +419,18 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/gofail v0.2.0/go.mod h1:nL3ILMGfkXTekKI3clMBNazKnjUZjYLKmBHzsVAnC1o=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
@@ -419,65 +441,66 @@ go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelr
 go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.44.0/go.mod h1:uq8DrRaen3suIWTpdR/JNHCGpurSvMv9D5Nr5CU5TXc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
 go.opentelemetry.io/contrib/propagators/b3 v1.19.0 h1:ulz44cpm6V5oAeg5Aw9HyqGFMS6XM7untlMEhD7YzzA=
 go.opentelemetry.io/contrib/propagators/b3 v1.19.0/go.mod h1:OzCmE2IVS+asTI+odXQstRGVfXQ4bXv9nMBRK0nNyqQ=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0/go.mod h1:HVkSiDhTM9BoUJU8qE6j2eSWLLXvi1USXjyd2BXT8PY=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -490,27 +513,27 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -519,17 +542,17 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
@@ -542,20 +565,20 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/system-validators v1.10.2 h1:7rC7VdrQCaM55E08Pw3I1v1Op9ObLxdKAu5Ff5hIPwY=
-k8s.io/system-validators v1.10.2/go.mod h1:awfSS706v9R12VC7u7K89FKfqVy44G+E0L1A0FX9Wmw=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/system-validators v1.12.1 h1:AY1+COTLJN/Sj0w9QzH1H0yvyF3Kl6CguMnh32WlcUU=
+k8s.io/system-validators v1.12.1/go.mod h1:awfSS706v9R12VC7u7K89FKfqVy44G+E0L1A0FX9Wmw=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/knftables v0.0.17 h1:wGchTyRF/iGTIjd+vRaR1m676HM7jB8soFtyr/148ic=
 sigs.k8s.io/knftables v0.0.17/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
diff --git a/go.work b/go.work
index 092a6c8da38ae..bd119eefdea91 100644
--- a/go.work
+++ b/go.work
@@ -1,8 +1,8 @@
 // This is a generated file. Do not edit directly.
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 use (
 	.
diff --git a/go.work.sum b/go.work.sum
index 6a276ef44e241..8e279418360e0 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1,30 +1,28 @@
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-20250130201111-63bb56e20495.1 h1:4erM3WLgEG/HIBrpBDmRbs1puhd7p0z7kNXDuhHthwM=
-cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
+cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 h1:f2Qw/Ehhimh5uO1fayV0QIW7DShEQqhtUfhYc+cBPlw=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2 h1:x8Brv0YNEe6jY3V/hQglIG2nd8g5E2Zj5ubGKkPQctQ=
 github.com/alecthomas/kingpin/v2 v2.4.0 h1:f48lwail6p8zpO1bC4TxtqACaGqHYA22qkHjHpqDjYY=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=
 github.com/antihax/optional v1.0.0 h1:xK2lYat7ZLaVVcIuj82J8kIro4V6kDe0AUDFboUCwcg=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
-github.com/aws/aws-sdk-go-v2 v1.30.1 h1:4y/5Dvfrhd1MxRDD77SrfsDaj8kUkkljU7XE83NPV+o=
-github.com/aws/aws-sdk-go-v2/config v1.27.24 h1:NM9XicZ5o1CBU/MZaHwFtimRpWx9ohAUAqkG6AqSqPo=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.24 h1:YclAsrnb1/GTQNt2nzv+756Iw4mF8AOzcDfweWwwm/M=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 h1:Aznqksmd6Rfv2HQN9cpqIV/lQRMaIpJkLLaJ1ZI76no=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 h1:5SAoZ4jYpGH4721ZNoS1znQrhOfZinOhc4XuTXx/nVc=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 h1:WIijqeaAO7TYFLbhsZmi2rgLEAtWOC1LhxCAVTJlSKw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 h1:I9zMeF107l0rJrpnHpjEiiTSCKYAIw8mALiXcPsGBiA=
-github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 h1:p1GahKIjyMDZtiKoIn0/jAj/TkMzfzndDv5+zi2Mhgc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 h1:ORnrOK0C4WmYV/uYt3koHEWBLYsRDwk2Np+eEoyV4Z0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 h1:+woJ607dllHJQtsnJLi52ycuqHMwlW+Wqm2Ppsfp4nQ=
-github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
 github.com/bufbuild/protovalidate-go v0.9.1 h1:cdrIA33994yCcJyEIZRL36ZGTe9UDM/WHs5MBHEimiE=
-github.com/checkpoint-restore/go-criu/v6 v6.3.0 h1:mIdrSO2cPNWQY1truPg6uHLXyKHk3Z5Odx4wjKOASzA=
 github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI=
 github.com/cilium/ebpf v0.17.3 h1:FnP4r16PWYSE4ux6zN+//jMcW4nMVRvuTLVTvCjyyjg=
 github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk=
-github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/distribution/distribution/v3 v3.0.0-20230511163743-f7717b7855ca h1:yGaIDzPWkgU+yRvI2x/rGdOU1hl6bLZzm0mETEUSHwk=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
@@ -56,9 +54,11 @@ github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHz
 github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
 github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
+github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
@@ -68,17 +68,15 @@ github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/rogpeppe/fastuuid v1.2.0 h1:Ppwyp6VYCF1nvBTXL3trRso7mXMlRrw9ooo375wvi2s=
 github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
-github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
 github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
 github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE=
 github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
 go.etcd.io/gofail v0.2.0 h1:p19drv16FKK345a09a1iubchlw/vmRuksmRzgBIGjcA=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0 h1:JRxssobiPg23otYU5SbWtQC//snGVIM3Tx6QRzlQBao=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 h1:QY7/0NeRPKlzusf40ZE4t1VlMKbqSNT7cJRYzWuja0s=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 h1:3doPGa+Gg4snce233aCWnbZVFsyFMo/dR40KK/6skyE=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 gotest.tools/v3 v3.0.2 h1:kG1BFyqVHuQoVQiR1bWGnfz/fmHvvuiSPIV7rvl360E=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek=
diff --git a/hack/_update-generated-proto-bindings-dockerized.sh b/hack/_update-generated-proto-bindings-dockerized.sh
index 9c7a7d28822a4..55cb70a650daa 100755
--- a/hack/_update-generated-proto-bindings-dockerized.sh
+++ b/hack/_update-generated-proto-bindings-dockerized.sh
@@ -27,12 +27,10 @@ source "${KUBE_ROOT}/hack/lib/protoc.sh"
 source "${KUBE_ROOT}/hack/lib/util.sh"
 
 if (( $# < 2 )); then
-    echo "usage: $0 [gogo|protoc] <api_dir>..."
+    echo "usage: $0 <api_dir>..."
     exit 1
 fi
 
-generator=$1; shift
-
 kube::protoc::check_protoc
 
 for api; do
@@ -49,16 +47,6 @@ for api; do
 
     for file in "${protos[@]}"; do
         dir="$(dirname "${file}")"
-        case "${generator}" in
-        gogo)
-          kube::protoc::generate_proto_gogo "${dir}"
-          ;;
-        protoc)
-          kube::protoc::generate_proto "${dir}"
-          ;;
-        *)
-          echo "Unknown generator ${generator}" >&2
-          exit 1
-        esac        
+        kube::protoc::generate_proto "${dir}"
     done
 done
diff --git a/hack/boilerplate/boilerplate.Dockerfile.txt b/hack/boilerplate/boilerplate.Dockerfile.txt
index 384f325abf324..069e282bc855a 100644
--- a/hack/boilerplate/boilerplate.Dockerfile.txt
+++ b/hack/boilerplate/boilerplate.Dockerfile.txt
@@ -1,4 +1,4 @@
-# Copyright YEAR The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/hack/boilerplate/boilerplate.Makefile.txt b/hack/boilerplate/boilerplate.Makefile.txt
index 384f325abf324..069e282bc855a 100644
--- a/hack/boilerplate/boilerplate.Makefile.txt
+++ b/hack/boilerplate/boilerplate.Makefile.txt
@@ -1,4 +1,4 @@
-# Copyright YEAR The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/hack/boilerplate/boilerplate.go.txt b/hack/boilerplate/boilerplate.go.txt
index 59e740c1ee4a4..b7c650da47014 100644
--- a/hack/boilerplate/boilerplate.go.txt
+++ b/hack/boilerplate/boilerplate.go.txt
@@ -1,5 +1,5 @@
 /*
-Copyright YEAR The Kubernetes Authors.
+Copyright The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/hack/boilerplate/boilerplate.py b/hack/boilerplate/boilerplate.py
index 65eb08b00ecbc..2e82e1e171024 100755
--- a/hack/boilerplate/boilerplate.py
+++ b/hack/boilerplate/boilerplate.py
@@ -103,26 +103,11 @@ def file_passes(filename, refs, regexs):
     # trim our file to the same number of lines as the reference file
     data = data[: len(ref)]
 
-    pattern = regexs["year"]
-    for line in data:
-        if pattern.search(line):
-            if generated:
-                print(
-                    f"File {filename} has the YEAR field, but it should not be in generated file",
-                    file=verbose_out,
-                )
-            else:
-                print(
-                    "File {filename} has the YEAR field, but missing the year of date",
-                    file=verbose_out,
-                )
-            return False
-
     if not generated:
-        # Replace all occurrences of the regex "2014|2015|2016|2017|2018" with "YEAR"
+        # Remove all occurrences of the year (regex "Copyright (2014|2015|2016|2017|2018) ")
         pattern = regexs["date"]
         for i, line in enumerate(data):
-            data[i], found = pattern.subn("YEAR", line)
+            data[i], found = pattern.subn("Copyright ", line)
             if found != 0:
                 break
 
@@ -203,18 +188,18 @@ def get_files(extensions):
 
 
 def get_dates():
-    years = datetime.datetime.now().year
-    return "(%s)" % "|".join(str(year) for year in range(2014, years + 1))
+    # After 2025, we no longer allow new files to include the year in the copyright header.
+    final_year = 2025
+    return " (%s) " % "|".join(str(year) for year in range(2014, final_year + 1))
 
 
 def get_regexs():
     regexs = {}
     # Search for "YEAR" which exists in the boilerplate, but shouldn't in the real thing
     regexs["year"] = re.compile("YEAR")
-    # get_dates return 2014, 2015, 2016, 2017, or 2018 until the current year
-    # as a regex like: "(2014|2015|2016|2017|2018)";
-    # company holder names can be anything
-    regexs["date"] = re.compile(get_dates())
+    # get_dates return 2014, 2015, 2016, 2017, ..., 2025
+    # as a regex like: "(2014|2015|2016|2017|2018|...|2025)";
+    regexs["date"] = re.compile("Copyright" + get_dates())
     # strip the following build constraints/tags:
     # //go:build
     # // +build \n\n
diff --git a/hack/boilerplate/boilerplate.py.txt b/hack/boilerplate/boilerplate.py.txt
index 384f325abf324..069e282bc855a 100644
--- a/hack/boilerplate/boilerplate.py.txt
+++ b/hack/boilerplate/boilerplate.py.txt
@@ -1,4 +1,4 @@
-# Copyright YEAR The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/hack/boilerplate/boilerplate.sh.txt b/hack/boilerplate/boilerplate.sh.txt
index 384f325abf324..069e282bc855a 100644
--- a/hack/boilerplate/boilerplate.sh.txt
+++ b/hack/boilerplate/boilerplate.sh.txt
@@ -1,4 +1,4 @@
-# Copyright YEAR The Kubernetes Authors.
+# Copyright The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/hack/boilerplate/boilerplate_test.py b/hack/boilerplate/boilerplate_test.py
index 8fc7e4cbcb1fa..cd8f532fd6770 100644
--- a/hack/boilerplate/boilerplate_test.py
+++ b/hack/boilerplate/boilerplate_test.py
@@ -50,4 +50,4 @@ class Args:
 
         sys.stdout = old_stdout
 
-        self.assertEqual(output, ["././fail.go", "././fail.py"])
+        self.assertEqual(output, ["././fail.go", "././fail.py", "././fail_2026.go"])
diff --git a/hack/boilerplate/test/fail_2026.go b/hack/boilerplate/test/fail_2026.go
new file mode 100644
index 0000000000000..1f9623be5b7c7
--- /dev/null
+++ b/hack/boilerplate/test/fail_2026.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
diff --git a/hack/boilerplate/test/pass_no_year.go b/hack/boilerplate/test/pass_no_year.go
new file mode 100644
index 0000000000000..d4a36a26617f6
--- /dev/null
+++ b/hack/boilerplate/test/pass_no_year.go
@@ -0,0 +1,17 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
diff --git a/hack/dev-push-conformance.sh b/hack/dev-push-conformance.sh
index 5ed6fe1e5c313..2287785372302 100755
--- a/hack/dev-push-conformance.sh
+++ b/hack/dev-push-conformance.sh
@@ -41,9 +41,6 @@ fi
 IMAGE="${REGISTRY}/conformance-amd64:${VERSION}"
 
 kube::build::verify_prereqs
-kube::build::build_image
 kube::build::run_build_command make WHAT="github.com/onsi/ginkgo/v2/ginkgo test/e2e/e2e.test cmd/kubectl test/conformance/image/go-runner"
-kube::build::copy_output
-
 make -C "${KUBE_ROOT}/test/conformance/image" build
 docker push "${IMAGE}"
diff --git a/hack/diff-protobuf.sh b/hack/diff-protobuf.sh
new file mode 100755
index 0000000000000..77dc503d14725
--- /dev/null
+++ b/hack/diff-protobuf.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [[ $# -ne 2 ]]; then
+  echo "requires two arguments"
+  echo ""
+  echo "Examples:"
+  echo "  hack/diff-protobuf.sh staging/src/k8s.io/api/testdata/v1.22.0/core.v1.CreateOptions{,.after_roundtrip}.pb"
+  echo ""
+  echo "  git difftool -x hack/diff-protobuf.sh --no-prompt <git diff args...>"
+  echo "  git difftool -x hack/diff-protobuf.sh --no-prompt c0b7858946c253 4144c9294f7448 -- staging/src/k8s.io/api/testdata/HEAD/*.pb"
+  exit 1
+fi
+
+lhs="${1}"
+rhs="${2}"
+if [[ ! -f "${lhs}" && ! -f "${rhs}" ]]; then
+  echo "${lhs} and ${rhs} do not exist."
+  exit 1
+fi
+
+# simple case
+diffcmd="diff"
+if [ -t 1 ]; then
+  # if we're in a terminal, try to colorize
+  if diff --help | grep color >/dev/null; then
+    # diff supports --color
+    diffcmd="diff --color=always"
+  elif command -v colordiff &> /dev/null; then
+    # alternative color diff command
+    diffcmd="colordiff"
+  fi
+fi
+
+echo "${BASE}"
+if [[ "${lhs}" = *".pb" || "${rhs}" = *".pb" ]]; then
+  if ! command -v protoc &> /dev/null
+  then
+      echo "protoc command not found"
+      exit 1
+  fi
+
+  $diffcmd -u \
+    <(tail -c +5 "${lhs}" | protoc --decode_raw) \
+    <(tail -c +5 "${rhs}" | protoc --decode_raw) \
+  | tail -n +3
+else
+  $diffcmd -u "${lhs}" "${rhs}" | tail -n +3
+fi
+echo ""
diff --git a/hack/ginkgo-e2e.sh b/hack/ginkgo-e2e.sh
index b0fc78e6bca1b..1a4f97f18ab02 100755
--- a/hack/ginkgo-e2e.sh
+++ b/hack/ginkgo-e2e.sh
@@ -181,7 +181,16 @@ case "${E2E_TEST_DEBUG_TOOL:-ginkgo}" in
     if [[ -n "${GINKGO_PARALLEL_NODES:-}" ]]; then
       program+=("--nodes=${GINKGO_PARALLEL_NODES}")
     elif [[ ${GINKGO_PARALLEL} =~ ^[yY]$ ]]; then
-      program+=("--nodes=25")
+      if [[ "${KUBE_RACE:-}" == "-race" ]]; then
+        # When race detection is enabled, merely running 25 e2e.test instances was too much
+        # and the OOM killer shut down the Prow test pod because of the memory overhead.
+        #
+        # A CI job could control that via GINKGO_PARALLEL_NODES, but we should also have
+        # saner defaults which take this into account.
+        program+=("--nodes=10")
+      else
+        program+=("--nodes=25")
+      fi
     fi
     program+=("${ginkgo_args[@]:+${ginkgo_args[@]}}")
     ;;
diff --git a/hack/golangci-hints.yaml b/hack/golangci-hints.yaml
index 492f22d182174..5d54b511c5c86 100644
--- a/hack/golangci-hints.yaml
+++ b/hack/golangci-hints.yaml
@@ -124,6 +124,44 @@ linters:
         
       # Exceptions for kube-api-linter.
       # Exceptions are used for kube-api-linter to ignore existing issues that cannot be fixed without breaking changes.
+      
+      # Pre-existing issues from the conditions linter
+      
+      # Conditions generally should be a metav1.Condition, and should not use custom condition types.
+      - text: "Conditions field in StorageVersionStatus|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StorageVersionMigrationStatus must be a slice of metav1.Condition"
+        path: "staging/src/k8s.io/api/"
+      
+      # Conditions should have patch strategy markers, but changing these after shipping a client is a breaking change.
+      # Clients would treat these as atomic, when the patch strategy should be merge.
+      - text: "Conditions field in ValidatingAdmissionPolicyStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+        path: "staging/src/k8s.io/api/admissionregistration/"
+      - text: "Conditions field in ValidatingAdmissionPolicyStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,3,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/admissionregistration/"
+      - text: "Conditions field in PodDisruptionBudgetStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/policy/"
+      - text: "Conditions field in AllocatedDeviceStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+        path: "staging/src/k8s.io/api/resource/"
+      - text: "Conditions field in AllocatedDeviceStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,5,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/resource/"
+      
+      # Commentstart - Ignore commentstart issues for existing API group
+      # TODO: For each existing API group, we aim to remove it over time.
+      - text: "godoc for field .* should start with '.* ...'"
+        path: "staging/src/k8s.io/api/(admissionregistration|apidiscovery|apiserverinternal|apps|authentication|authorization|autoscaling|batch|certificates|coordination|core|discovery|events|extensions|flowcontrol|imagepolicy|networking|node|policy|rbac|resource|scheduling|storage|storagemigration)"
+      - text: "field .* is missing godoc comment"
+        path: "staging/src/k8s.io/api/autoscaling/"
+      
+      # Pre-existing issues from the conflictmarkers linter
+      # The Error field in some older API types is marked as both optional and required.
+      # This is incorrect, but cannot be changed without breaking changes.
+      - text: "field PortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/core/v1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/extensions/v1beta1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/networking/v1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/networking/v1beta1/types.go"
 
   default: standard
   enable: # please keep this alphabetized
@@ -173,6 +211,7 @@ linters:
             structured k8s.io/kms/.*
             structured k8s.io/apiserver/pkg/storage/value/.*
             structured k8s.io/apiserver/pkg/server/options/encryptionconfig/.*
+            structured k8s.io/kubernetes/pkg/credentialprovider/plugin/.*
             
             # The following packages have been migrated to contextual logging.
             # Packages matched here do not have to be listed above because
@@ -200,17 +239,35 @@ linters:
             contextual k8s.io/kubernetes/cmd/kube-proxy/.*
             contextual k8s.io/kubernetes/cmd/kube-scheduler/.*
             contextual k8s.io/kubernetes/cmd/kubelet/.*
+            contextual k8s.io/kubernetes/pkg/api/.*
+            contextual k8s.io/kubernetes/pkg/apis/.*
+            contextual k8s.io/kubernetes/pkg/capabilities/.*
+            contextual k8s.io/kubernetes/pkg/client/.*
+            contextual k8s.io/kubernetes/pkg/cluster/.*
             contextual k8s.io/kubernetes/pkg/controller/.*
+            contextual k8s.io/kubernetes/pkg/features/.*
+            contextual k8s.io/kubernetes/pkg/fieldpath/.*
+            contextual k8s.io/kubernetes/pkg/generated/.*
+            contextual k8s.io/kubernetes/pkg/printers/.*
+            contextual k8s.io/kubernetes/pkg/quota/.*
             contextual k8s.io/kubernetes/pkg/scheduler/.*
+            contextual k8s.io/kubernetes/pkg/security/.*
+            contextual k8s.io/kubernetes/pkg/securitycontext/.*
             contextual k8s.io/kubernetes/test/e2e/dra/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/certificate/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cm/dra/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cm/memorymanager/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/lifecycle/.*
             contextual k8s.io/kubernetes/pkg/kubelet/pleg/.*
             contextual k8s.io/kubernetes/pkg/kubelet/clustertrustbundle/.*
             contextual k8s.io/kubernetes/pkg/kubelet/token/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cadvisor/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/config/.*
             contextual k8s.io/kubernetes/pkg/kubelet/oom/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/server/.*
             contextual k8s.io/kubernetes/pkg/kubelet/status/.*
             contextual k8s.io/kubernetes/pkg/kubelet/sysctl/.*
             contextual k8s.io/kubernetes/pkg/kubelet/winstats/.*
@@ -221,6 +278,9 @@ linters:
             contextual k8s.io/kubernetes/pkg/kubelet/pod/.*
             contextual k8s.io/kubernetes/pkg/kubelet/preemption/.*
             contextual k8s.io/kubernetes/pkg/kubelet/volumemanager/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/util/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/logs/.*
+            contextual k8s.io/kubernetes/test/images/sample-device-plugin/.*
             
             # As long as contextual logging is alpha or beta, all WithName, WithValues,
             # NewContext calls have to go through klog. Once it is GA, we can lift
@@ -251,8 +311,9 @@ linters:
             disable:
               - '*'
             enable:
-              # - "commentstart" # Ensure comments start with the serialized version of the field name.
-              # - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "commentstart" # Ensure comments start with the serialized version of the field name.
+              - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "conflictingmarkers" # Detect mutually exclusive markers on the same field.
               # - "integers" # Ensure only int32 and int64 are used for integers.
               # - "jsontags" # Ensure every field has a json tag.
               # - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items. ONLY for CRDs until declarative markers exist in core types.
@@ -260,22 +321,61 @@ linters:
               # - "nofloats" # Ensure floats are not used.
               # - "nomaps" # Ensure maps are not used, unless they are `map[string]string` (for labels/annotations/etc).
               # - "nophase" # Ensure field names do not have the word "phase" in them.
+              # - "notimestamp" # Ensure fields are not named "timestamp", prefer "time".
+              # - "optionalfields" # Ensure fields marked optional have omitempty and pointers.
               # - "optionalorrequired" # Every field should be marked as `+optional` xor `+required`.
-              # - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.
+              # - "requiredfields" # Required fields should only be pointers when required based on the validity of the zero value, they should always have `omitempty`.
+              - "ssatags" # Ensure lists have a listType tag.
+              # - "uniquemarkers" # Ensure markers are not duplicated across field and type definitions.
+              - "duplicatemarkers" #Prevent identical markers from being present on types and fields
           lintersConfig:
-            # conditions:
-            #   isFirstField: Warn # Require conditions to be the first field in the status struct.
-            #   usePatchStrategy: SuggestFix # Conditions should not use the patch strategy on CRDs.
-            #   useProtobuf: SuggestFix # We don't use protobuf, so protobuf tags are not required.
+            conditions:
+              isFirstField: Ignore
+              usePatchStrategy: SuggestFix
+              useProtobuf: SuggestFix
+            conflictingmarkers:
+              conflicts:
+              - name: "optional_vs_required"
+                sets:
+                - ["k8s:optional", "optional", "kubebuilder:validation:Optional"]
+                - ["k8s:required", "required", "kubebuilder:validation:Required"]
+                description: "fields cannot be both optional and required"
+              - name: "required_vs_default"
+                sets:
+                - ["k8s:required", "required", "kubebuilder:validation:Required"]
+                - ["default"]
+                description: "fields with default values are always optional"
             # jsonTags:
             #   jsonTagRegex: "^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$" # The default regex is appropriate for our use case.
             # nomaps:
             #   policy: AllowStringToStringMaps # Determines how the linter should handle maps of basic types. Maps of objects are always disallowed.
+            # optionalFields:
+            #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.optionalfields:
+            #  pointers:
+            #    preference: Always | WhenRequired # Whether to always require pointers, or only when required. Defaults to `Always`.
+            #    policy: SuggestFix | Warn # The policy for pointers in optional fields. Defaults to `SuggestFix`.
+            #  omitempty:
+            #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in optional fields. Defaults to `SuggestFix`.
+            #  omitzero:
+            #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in optional fields. Defaults to `SuggestFix`.
             # optionalOrRequired:
             #   preferredOptionalMarker: optional # The preferred optional marker to use, fixes will suggest to use this marker. Defaults to `optional`.
-            #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`.
+            #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`. 
+            #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.
             # requiredFields:
-            #   pointerPolicy: SuggestFix # Defaults to `SuggestFix`. We want our required fields to not be pointers.
+            #   pointers:
+            #    policy: SuggestFix | Warn # The policy for pointers in required fields. Defaults to `SuggestFix`.
+            #  omitempty:
+            #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in required fields. Defaults to `SuggestFix`.
+            #  omitzero:
+            #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in required fields. Defaults to `SuggestFix`.
+            ssatags:
+             listTypeSetUsage: Ignore # The policy for listType=set usage on object arrays. Defaults to `Warn`.
+            # uniquemarkers:
+            #   customMarkers:
+            #     - identifier: custom:SomeCustomMarker
+            #       attributes:
+            #         - fruit
     depguard:
       rules:
         go-cmp:
@@ -293,6 +393,9 @@ linters:
     forbidigo:
       analyze-types: true
       forbid:
+        - pattern: md5\.*
+          # https://github.com/kubernetes/kubernetes/issues/129652
+          msg: md5 is oudated, insecure, prefer a secure hash (such as sha256) or a non-cryptographic hash
         - pattern: ^managedfields\.ExtractInto$
           pkg: ^k8s\.io/apimachinery/pkg/util/managedfields$
           msg: should not be used because managedFields was removed
@@ -317,5 +420,6 @@ linters:
     staticcheck:
       checks:
         - "all"
+        - "-QF1008"  # Omit embedded fields from selector expression
     testifylint:
       enable-all: true
diff --git a/hack/golangci.yaml b/hack/golangci.yaml
index 4c1725055e1cc..fa853d4afa5c3 100644
--- a/hack/golangci.yaml
+++ b/hack/golangci.yaml
@@ -126,12 +126,7 @@ linters:
 
       - linters:
           - gocritic
-        text: "append result not assigned to the same slice|put a space between `//` and comment text|sloppyLen|elseif|should rewrite switch statement to if statement|regexpMust|wrapperFunc: use strings.ReplaceAll|singleCaseSwitch|deprecatedComment|exitAfterDefer|captLocal|unlambda|underef|unslice|valSwap|typeSwitchVar"
-
-      # https://github.com/kubernetes/kubernetes/issues/117288#issuecomment-1507008918
-      - linters:
-          - gocritic
-        text: "assignOp:"
+        text: "wrapperFunc: use strings.ReplaceAll|should rewrite switch statement to if statement"
 
       # Kube-API-Linter should only be run on the API definitions
       - linters:
@@ -140,6 +135,44 @@ linters:
         
       # Exceptions for kube-api-linter.
       # Exceptions are used for kube-api-linter to ignore existing issues that cannot be fixed without breaking changes.
+      
+      # Pre-existing issues from the conditions linter
+      
+      # Conditions generally should be a metav1.Condition, and should not use custom condition types.
+      - text: "Conditions field in StorageVersionStatus|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StorageVersionMigrationStatus must be a slice of metav1.Condition"
+        path: "staging/src/k8s.io/api/"
+      
+      # Conditions should have patch strategy markers, but changing these after shipping a client is a breaking change.
+      # Clients would treat these as atomic, when the patch strategy should be merge.
+      - text: "Conditions field in ValidatingAdmissionPolicyStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+        path: "staging/src/k8s.io/api/admissionregistration/"
+      - text: "Conditions field in ValidatingAdmissionPolicyStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,3,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/admissionregistration/"
+      - text: "Conditions field in PodDisruptionBudgetStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/policy/"
+      - text: "Conditions field in AllocatedDeviceStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+        path: "staging/src/k8s.io/api/resource/"
+      - text: "Conditions field in AllocatedDeviceStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,5,rep,name=conditions\"`"
+        path: "staging/src/k8s.io/api/resource/"
+      
+      # Commentstart - Ignore commentstart issues for existing API group
+      # TODO: For each existing API group, we aim to remove it over time.
+      - text: "godoc for field .* should start with '.* ...'"
+        path: "staging/src/k8s.io/api/(admissionregistration|apidiscovery|apiserverinternal|apps|authentication|authorization|autoscaling|batch|certificates|coordination|core|discovery|events|extensions|flowcontrol|imagepolicy|networking|node|policy|rbac|resource|scheduling|storage|storagemigration)"
+      - text: "field .* is missing godoc comment"
+        path: "staging/src/k8s.io/api/autoscaling/"
+      
+      # Pre-existing issues from the conflictmarkers linter
+      # The Error field in some older API types is marked as both optional and required.
+      # This is incorrect, but cannot be changed without breaking changes.
+      - text: "field PortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/core/v1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/extensions/v1beta1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/networking/v1/types.go"
+      - text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+        path: "staging/src/k8s.io/api/networking/v1beta1/types.go"
 
   default: none
   enable: # please keep this alphabetized
@@ -187,6 +220,7 @@ linters:
             structured k8s.io/kms/.*
             structured k8s.io/apiserver/pkg/storage/value/.*
             structured k8s.io/apiserver/pkg/server/options/encryptionconfig/.*
+            structured k8s.io/kubernetes/pkg/credentialprovider/plugin/.*
             
             # The following packages have been migrated to contextual logging.
             # Packages matched here do not have to be listed above because
@@ -214,17 +248,35 @@ linters:
             contextual k8s.io/kubernetes/cmd/kube-proxy/.*
             contextual k8s.io/kubernetes/cmd/kube-scheduler/.*
             contextual k8s.io/kubernetes/cmd/kubelet/.*
+            contextual k8s.io/kubernetes/pkg/api/.*
+            contextual k8s.io/kubernetes/pkg/apis/.*
+            contextual k8s.io/kubernetes/pkg/capabilities/.*
+            contextual k8s.io/kubernetes/pkg/client/.*
+            contextual k8s.io/kubernetes/pkg/cluster/.*
             contextual k8s.io/kubernetes/pkg/controller/.*
+            contextual k8s.io/kubernetes/pkg/features/.*
+            contextual k8s.io/kubernetes/pkg/fieldpath/.*
+            contextual k8s.io/kubernetes/pkg/generated/.*
+            contextual k8s.io/kubernetes/pkg/printers/.*
+            contextual k8s.io/kubernetes/pkg/quota/.*
             contextual k8s.io/kubernetes/pkg/scheduler/.*
+            contextual k8s.io/kubernetes/pkg/security/.*
+            contextual k8s.io/kubernetes/pkg/securitycontext/.*
             contextual k8s.io/kubernetes/test/e2e/dra/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/certificate/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cm/dra/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cm/memorymanager/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/.*
             contextual k8s.io/kubernetes/pkg/kubelet/lifecycle/.*
             contextual k8s.io/kubernetes/pkg/kubelet/pleg/.*
             contextual k8s.io/kubernetes/pkg/kubelet/clustertrustbundle/.*
             contextual k8s.io/kubernetes/pkg/kubelet/token/.*
             contextual k8s.io/kubernetes/pkg/kubelet/cadvisor/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/config/.*
             contextual k8s.io/kubernetes/pkg/kubelet/oom/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/server/.*
             contextual k8s.io/kubernetes/pkg/kubelet/status/.*
             contextual k8s.io/kubernetes/pkg/kubelet/sysctl/.*
             contextual k8s.io/kubernetes/pkg/kubelet/winstats/.*
@@ -235,6 +287,9 @@ linters:
             contextual k8s.io/kubernetes/pkg/kubelet/pod/.*
             contextual k8s.io/kubernetes/pkg/kubelet/preemption/.*
             contextual k8s.io/kubernetes/pkg/kubelet/volumemanager/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/util/.*
+            contextual k8s.io/kubernetes/pkg/kubelet/logs/.*
+            contextual k8s.io/kubernetes/test/images/sample-device-plugin/.*
             
             # As long as contextual logging is alpha or beta, all WithName, WithValues,
             # NewContext calls have to go through klog. Once it is GA, we can lift
@@ -265,8 +320,9 @@ linters:
             disable:
               - '*'
             enable:
-              # - "commentstart" # Ensure comments start with the serialized version of the field name.
-              # - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "commentstart" # Ensure comments start with the serialized version of the field name.
+              - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "conflictingmarkers" # Detect mutually exclusive markers on the same field.
               # - "integers" # Ensure only int32 and int64 are used for integers.
               # - "jsontags" # Ensure every field has a json tag.
               # - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items. ONLY for CRDs until declarative markers exist in core types.
@@ -274,22 +330,61 @@ linters:
               # - "nofloats" # Ensure floats are not used.
               # - "nomaps" # Ensure maps are not used, unless they are `map[string]string` (for labels/annotations/etc).
               # - "nophase" # Ensure field names do not have the word "phase" in them.
+              # - "notimestamp" # Ensure fields are not named "timestamp", prefer "time".
+              # - "optionalfields" # Ensure fields marked optional have omitempty and pointers.
               # - "optionalorrequired" # Every field should be marked as `+optional` xor `+required`.
-              # - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.
+              # - "requiredfields" # Required fields should only be pointers when required based on the validity of the zero value, they should always have `omitempty`.
+              - "ssatags" # Ensure lists have a listType tag.
+              # - "uniquemarkers" # Ensure markers are not duplicated across field and type definitions.
+              - "duplicatemarkers" #Prevent identical markers from being present on types and fields
           lintersConfig:
-            # conditions:
-            #   isFirstField: Warn # Require conditions to be the first field in the status struct.
-            #   usePatchStrategy: SuggestFix # Conditions should not use the patch strategy on CRDs.
-            #   useProtobuf: SuggestFix # We don't use protobuf, so protobuf tags are not required.
+            conditions:
+              isFirstField: Ignore
+              usePatchStrategy: SuggestFix
+              useProtobuf: SuggestFix
+            conflictingmarkers:
+              conflicts:
+              - name: "optional_vs_required"
+                sets:
+                - ["k8s:optional", "optional", "kubebuilder:validation:Optional"]
+                - ["k8s:required", "required", "kubebuilder:validation:Required"]
+                description: "fields cannot be both optional and required"
+              - name: "required_vs_default"
+                sets:
+                - ["k8s:required", "required", "kubebuilder:validation:Required"]
+                - ["default"]
+                description: "fields with default values are always optional"
             # jsonTags:
             #   jsonTagRegex: "^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$" # The default regex is appropriate for our use case.
             # nomaps:
             #   policy: AllowStringToStringMaps # Determines how the linter should handle maps of basic types. Maps of objects are always disallowed.
+            # optionalFields:
+            #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.optionalfields:
+            #  pointers:
+            #    preference: Always | WhenRequired # Whether to always require pointers, or only when required. Defaults to `Always`.
+            #    policy: SuggestFix | Warn # The policy for pointers in optional fields. Defaults to `SuggestFix`.
+            #  omitempty:
+            #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in optional fields. Defaults to `SuggestFix`.
+            #  omitzero:
+            #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in optional fields. Defaults to `SuggestFix`.
             # optionalOrRequired:
             #   preferredOptionalMarker: optional # The preferred optional marker to use, fixes will suggest to use this marker. Defaults to `optional`.
-            #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`.
+            #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`. 
+            #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.
             # requiredFields:
-            #   pointerPolicy: SuggestFix # Defaults to `SuggestFix`. We want our required fields to not be pointers.
+            #   pointers:
+            #    policy: SuggestFix | Warn # The policy for pointers in required fields. Defaults to `SuggestFix`.
+            #  omitempty:
+            #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in required fields. Defaults to `SuggestFix`.
+            #  omitzero:
+            #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in required fields. Defaults to `SuggestFix`.
+            ssatags:
+             listTypeSetUsage: Ignore # The policy for listType=set usage on object arrays. Defaults to `Warn`.
+            # uniquemarkers:
+            #   customMarkers:
+            #     - identifier: custom:SomeCustomMarker
+            #       attributes:
+            #         - fruit
     depguard:
       rules:
         go-cmp:
@@ -307,6 +402,9 @@ linters:
     forbidigo:
       analyze-types: true
       forbid:
+        - pattern: md5\.*
+          # https://github.com/kubernetes/kubernetes/issues/129652
+          msg: md5 is oudated, insecure, prefer a secure hash (such as sha256) or a non-cryptographic hash
         - pattern: ^managedfields\.ExtractInto$
           pkg: ^k8s\.io/apimachinery/pkg/util/managedfields$
           msg: should not be used because managedFields was removed
@@ -316,10 +414,25 @@ linters:
         - pattern: \.Add$
           pkg: ^k8s\.io/component-base/featuregate$         
           msg: should not use Add, use AddVersioned instead
-    gocritic:	
-      enabled-checks:	
-        - equalFold	
+    gocritic:
+      enabled-checks: # These are in addition to the default checks - see https://golangci-lint.run/docs/linters/configuration/#gocritic
         - boolExprSimplify
+        - equalFold
+      disabled-checks: # This disables checks that are enabled by default (this can be combined with enabled-checks, contrary to the docs)
+        - appendAssign
+        - assignOp # https://github.com/kubernetes/kubernetes/issues/117288#issuecomment-1507008918
+        - captLocal
+        - commentFormatting
+        - deprecatedComment
+        - elseif
+        # The following have few (single-digit) occurrences left in k/k and wouldn't be too onerous to enable
+        - exitAfterDefer
+        - regexpMust
+        - sloppyLen
+        - typeSwitchVar
+        - underef
+        - unslice
+        - valSwap
     revive:
       # Only these rules are enabled.
       rules:
@@ -329,6 +442,7 @@ linters:
     staticcheck:
       checks:
         - "all"
+        - "-QF1008"  # Omit embedded fields from selector expression
         - "-QF1001"  # Apply De Morgan’s law
         - "-QF1002"  # Convert untagged switch to tagged switch
         - "-QF1003"  # Convert if/else-if chain to tagged switch
diff --git a/hack/golangci.yaml.in b/hack/golangci.yaml.in
index 0b6797cdcdb1c..13da763a9a8f3 100644
--- a/hack/golangci.yaml.in
+++ b/hack/golangci.yaml.in
@@ -141,12 +141,7 @@ linters:
 
       - linters:
           - gocritic
-        text: "append result not assigned to the same slice|put a space between `//` and comment text|sloppyLen|elseif|should rewrite switch statement to if statement|regexpMust|wrapperFunc: use strings.ReplaceAll|singleCaseSwitch|deprecatedComment|exitAfterDefer|captLocal|unlambda|underef|unslice|valSwap|typeSwitchVar"
-
-      # https://github.com/kubernetes/kubernetes/issues/117288#issuecomment-1507008918
-      - linters:
-          - gocritic
-        text: "assignOp:"
+        text: "wrapperFunc: use strings.ReplaceAll|should rewrite switch statement to if statement"
 
     {{- end}}
 
@@ -219,6 +214,9 @@ linters:
     forbidigo:
       analyze-types: true
       forbid:
+        - pattern: md5\.*
+          # https://github.com/kubernetes/kubernetes/issues/129652
+          msg: md5 is oudated, insecure, prefer a secure hash (such as sha256) or a non-cryptographic hash
         - pattern: ^managedfields\.ExtractInto$
           pkg: ^k8s\.io/apimachinery/pkg/util/managedfields$
           msg: should not be used because managedFields was removed
@@ -237,10 +235,25 @@ linters:
           msg: "it does not produce a good failure message - use BeFalseBecause with an explicit printf-style failure message instead, or plain Go: if ... { ginkgo.Fail(...) }"        
       {{- end}}
       {{- if .Base }}
-    gocritic:	
-      enabled-checks:	
-        - equalFold	
-        - boolExprSimplify	
+    gocritic:
+      enabled-checks: # These are in addition to the default checks - see https://golangci-lint.run/docs/linters/configuration/#gocritic
+        - boolExprSimplify
+        - equalFold
+      disabled-checks: # This disables checks that are enabled by default (this can be combined with enabled-checks, contrary to the docs)
+        - appendAssign
+        - assignOp # https://github.com/kubernetes/kubernetes/issues/117288#issuecomment-1507008918
+        - captLocal
+        - commentFormatting
+        - deprecatedComment
+        - elseif
+        # The following have few (single-digit) occurrences left in k/k and wouldn't be too onerous to enable
+        - exitAfterDefer
+        - regexpMust
+        - sloppyLen
+        - typeSwitchVar
+        - underef
+        - unslice
+        - valSwap
     {{- end}}
     revive:
       # Only these rules are enabled.
@@ -251,6 +264,7 @@ linters:
     staticcheck:
       checks:
         - "all"
+        - "-QF1008"  # Omit embedded fields from selector expression
         {{- if .Base }}
         - "-QF1001"  # Apply De Morgan’s law
         - "-QF1002"  # Convert untagged switch to tagged switch
diff --git a/hack/jenkins/test-cmd-dockerized.sh b/hack/jenkins/test-cmd-dockerized.sh
index 1dcb47a503c74..78792a574ecbb 100755
--- a/hack/jenkins/test-cmd-dockerized.sh
+++ b/hack/jenkins/test-cmd-dockerized.sh
@@ -17,7 +17,6 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-set -o xtrace
 
 # Runs test-cmd, intended to be run in prow.k8s.io
 
diff --git a/hack/jenkins/test-dockerized.sh b/hack/jenkins/test-dockerized.sh
index 7a0c527beb29b..d118b3b3fdb42 100755
--- a/hack/jenkins/test-dockerized.sh
+++ b/hack/jenkins/test-dockerized.sh
@@ -17,7 +17,6 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-set -o xtrace
 
 # Runs test-cmd and test-integration, intended to be run in prow.k8s.io
 
diff --git a/hack/jenkins/test-integration-dockerized.sh b/hack/jenkins/test-integration-dockerized.sh
index fe8c558ccece8..25f6f1b5fde44 100755
--- a/hack/jenkins/test-integration-dockerized.sh
+++ b/hack/jenkins/test-integration-dockerized.sh
@@ -17,7 +17,6 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-set -o xtrace
 
 # Runs test-integration
 # This script is intended to be run from prow.k8s.io
diff --git a/hack/kube-api-linter/exceptions.yaml b/hack/kube-api-linter/exceptions.yaml
index 301d5f6738307..710819836f532 100644
--- a/hack/kube-api-linter/exceptions.yaml
+++ b/hack/kube-api-linter/exceptions.yaml
@@ -1,2 +1,40 @@
 # Exceptions for kube-api-linter.
 # Exceptions are used for kube-api-linter to ignore existing issues that cannot be fixed without breaking changes.
+
+# Pre-existing issues from the conditions linter
+
+# Conditions generally should be a metav1.Condition, and should not use custom condition types.
+- text: "Conditions field in StorageVersionStatus|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StatefulSetStatus|DeploymentStatus|DaemonSetStatus|ReplicaSetStatus|HorizontalPodAutoscalerStatus|JobStatus|CertificateSigningRequestStatus|PersistentVolumeClaimStatus|ReplicationControllerStatus|ServiceStatus|NodeStatus|NamespaceStatus|ComponentStatus|PodStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|FlowSchemaStatus|PriorityLevelConfigurationStatus|PodDisruptionBudgetStatus|AllocatedDeviceStatus|Endpoint|StorageVersionMigrationStatus must be a slice of metav1.Condition"
+  path: "staging/src/k8s.io/api/"
+
+# Conditions should have patch strategy markers, but changing these after shipping a client is a breaking change.
+# Clients would treat these as atomic, when the patch strategy should be merge.
+- text: "Conditions field in ValidatingAdmissionPolicyStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+  path: "staging/src/k8s.io/api/admissionregistration/"
+- text: "Conditions field in ValidatingAdmissionPolicyStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,3,rep,name=conditions\"`"
+  path: "staging/src/k8s.io/api/admissionregistration/"
+- text: "Conditions field in PodDisruptionBudgetStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`"
+  path: "staging/src/k8s.io/api/policy/"
+- text: "Conditions field in AllocatedDeviceStatus is missing the following markers: patchStrategy=merge, patchMergeKey=type"
+  path: "staging/src/k8s.io/api/resource/"
+- text: "Conditions field in AllocatedDeviceStatus has incorrect tags, should be: `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,5,rep,name=conditions\"`"
+  path: "staging/src/k8s.io/api/resource/"
+
+# Commentstart - Ignore commentstart issues for existing API group
+# TODO: For each existing API group, we aim to remove it over time.
+- text: "godoc for field .* should start with '.* ...'"
+  path: "staging/src/k8s.io/api/(admissionregistration|apidiscovery|apiserverinternal|apps|authentication|authorization|autoscaling|batch|certificates|coordination|core|discovery|events|extensions|flowcontrol|imagepolicy|networking|node|policy|rbac|resource|scheduling|storage|storagemigration)"
+- text: "field .* is missing godoc comment"
+  path: "staging/src/k8s.io/api/autoscaling/"
+
+# Pre-existing issues from the conflictmarkers linter
+# The Error field in some older API types is marked as both optional and required.
+# This is incorrect, but cannot be changed without breaking changes.
+- text: "field PortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+  path: "staging/src/k8s.io/api/core/v1/types.go"
+- text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+  path: "staging/src/k8s.io/api/extensions/v1beta1/types.go"
+- text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+  path: "staging/src/k8s.io/api/networking/v1/types.go"
+- text: "field IngressPortStatus.Error has conflicting markers: optional_vs_required: {\\[optional\\], \\[kubebuilder:validation:Required\\]}. fields cannot be both optional and required"
+  path: "staging/src/k8s.io/api/networking/v1beta1/types.go"
diff --git a/hack/kube-api-linter/kube-api-linter.yaml b/hack/kube-api-linter/kube-api-linter.yaml
index 2ad2fbdcd1237..0a6c0f839df7c 100644
--- a/hack/kube-api-linter/kube-api-linter.yaml
+++ b/hack/kube-api-linter/kube-api-linter.yaml
@@ -3,8 +3,9 @@ linters:
   disable:
     - '*'
   enable:
-    # - "commentstart" # Ensure comments start with the serialized version of the field name.
-    # - "conditions" # Ensure conditions have the correct json tags and markers.
+    - "commentstart" # Ensure comments start with the serialized version of the field name.
+    - "conditions" # Ensure conditions have the correct json tags and markers.
+    - "conflictingmarkers" # Detect mutually exclusive markers on the same field.
     # - "integers" # Ensure only int32 and int64 are used for integers.
     # - "jsontags" # Ensure every field has a json tag.
     # - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items. ONLY for CRDs until declarative markers exist in core types.
@@ -12,19 +13,58 @@ linters:
     # - "nofloats" # Ensure floats are not used.
     # - "nomaps" # Ensure maps are not used, unless they are `map[string]string` (for labels/annotations/etc).
     # - "nophase" # Ensure field names do not have the word "phase" in them.
+    # - "notimestamp" # Ensure fields are not named "timestamp", prefer "time".
+    # - "optionalfields" # Ensure fields marked optional have omitempty and pointers.
     # - "optionalorrequired" # Every field should be marked as `+optional` xor `+required`.
-    # - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.
+    # - "requiredfields" # Required fields should only be pointers when required based on the validity of the zero value, they should always have `omitempty`.
+    - "ssatags" # Ensure lists have a listType tag.
+    # - "uniquemarkers" # Ensure markers are not duplicated across field and type definitions.
+    - "duplicatemarkers" #Prevent identical markers from being present on types and fields
 lintersConfig:
-  # conditions:
-  #   isFirstField: Warn # Require conditions to be the first field in the status struct.
-  #   usePatchStrategy: SuggestFix # Conditions should not use the patch strategy on CRDs.
-  #   useProtobuf: SuggestFix # We don't use protobuf, so protobuf tags are not required.
+  conditions:
+    isFirstField: Ignore
+    usePatchStrategy: SuggestFix
+    useProtobuf: SuggestFix
+  conflictingmarkers:
+    conflicts:
+    - name: "optional_vs_required"
+      sets:
+      - ["k8s:optional", "optional", "kubebuilder:validation:Optional"]
+      - ["k8s:required", "required", "kubebuilder:validation:Required"]
+      description: "fields cannot be both optional and required"
+    - name: "required_vs_default"
+      sets:
+      - ["k8s:required", "required", "kubebuilder:validation:Required"]
+      - ["default"]
+      description: "fields with default values are always optional"
   # jsonTags:
   #   jsonTagRegex: "^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$" # The default regex is appropriate for our use case.
   # nomaps:
   #   policy: AllowStringToStringMaps # Determines how the linter should handle maps of basic types. Maps of objects are always disallowed.
+  # optionalFields:
+  #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.optionalfields:
+  #  pointers:
+  #    preference: Always | WhenRequired # Whether to always require pointers, or only when required. Defaults to `Always`.
+  #    policy: SuggestFix | Warn # The policy for pointers in optional fields. Defaults to `SuggestFix`.
+  #  omitempty:
+  #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in optional fields. Defaults to `SuggestFix`.
+  #  omitzero:
+  #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in optional fields. Defaults to `SuggestFix`.
   # optionalOrRequired:
   #   preferredOptionalMarker: optional # The preferred optional marker to use, fixes will suggest to use this marker. Defaults to `optional`.
-  #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`.
+  #   preferredRequiredMarker: required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`. 
+  #   policy: AllowOptionalFields # Determines how the linter should handle optional fields.
   # requiredFields:
-  #   pointerPolicy: SuggestFix # Defaults to `SuggestFix`. We want our required fields to not be pointers.
+  #   pointers:
+  #    policy: SuggestFix | Warn # The policy for pointers in required fields. Defaults to `SuggestFix`.
+  #  omitempty:
+  #      policy: SuggestFix | Warn | Ignore # The policy for omitempty in required fields. Defaults to `SuggestFix`.
+  #  omitzero:
+  #      policy: SuggestFix | Warn | Forbid # The policy for omitzero in required fields. Defaults to `SuggestFix`.
+  ssatags:
+   listTypeSetUsage: Ignore # The policy for listType=set usage on object arrays. Defaults to `Warn`.
+  # uniquemarkers:
+  #   customMarkers:
+  #     - identifier: custom:SomeCustomMarker
+  #       attributes:
+  #         - fruit
diff --git a/hack/lib/etcd.sh b/hack/lib/etcd.sh
index 6e99d244c808b..d97de5206aa3f 100755
--- a/hack/lib/etcd.sh
+++ b/hack/lib/etcd.sh
@@ -16,7 +16,7 @@
 
 # A set of helpers for starting/running etcd for tests
 
-ETCD_VERSION=${ETCD_VERSION:-3.6.5}
+ETCD_VERSION=${ETCD_VERSION:-3.6.6}
 ETCD_HOST=${ETCD_HOST:-127.0.0.1}
 ETCD_PORT=${ETCD_PORT:-2379}
 # This is intentionally not called ETCD_LOG_LEVEL:
diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index e9992e72eeb5b..c401de05800c2 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -519,7 +519,7 @@ EOF
   local go_version
   IFS=" " read -ra go_version <<< "$(GOFLAGS='' go version)"
   local minimum_go_version
-  minimum_go_version=go1.24
+  minimum_go_version=go1.25
   if [[ "${minimum_go_version}" != $(echo -e "${minimum_go_version}\n${go_version[2]}" | sort -s -t. -k 1,1 -k 2,2n -k 3,3n | head -n1) && "${go_version[2]}" != "devel" ]]; then
     kube::log::usage_from_stdin <<EOF
 Detected go version: ${go_version[*]}.
@@ -625,9 +625,15 @@ kube::golang::place_bins() {
     local platform_src="/${platform//\//_}"
     if [[ "${platform}" == "${host_platform}" ]]; then
       platform_src=""
-      rm -f "${THIS_PLATFORM_BIN}"
-      mkdir -p "$(dirname "${THIS_PLATFORM_BIN}")"
-      ln -s "${KUBE_OUTPUT_BIN}/${platform}" "${THIS_PLATFORM_BIN}"
+      # For compatibility with the old rsync behavior, only setup the symlink
+      # when we're doing a "local" build, not a "dockerized" build
+      # if KUBE_OUTPUT_SUBPATH is set then we're not writing to the default local path
+      if [[ -z "${KUBE_OUTPUT_SUBPATH+x}" ]]; then
+        V=4 kube::log::status "Creating ${THIS_PLATFORM_BIN} symlink for non-dockerized build"
+        rm -f "${THIS_PLATFORM_BIN}"
+        mkdir -p "$(dirname "${THIS_PLATFORM_BIN}")"
+        ln -s "../${_KUBE_OUTPUT_SUBPATH:?}/${_KUBE_OUTPUT_BIN_SUBPATH:?}/${platform}" "${THIS_PLATFORM_BIN}"
+      fi
     fi
 
     V=3 kube::log::status "Placing binaries for ${platform} in ${KUBE_OUTPUT_BIN}/${platform}"
@@ -635,7 +641,7 @@ kube::golang::place_bins() {
     if [[ -d "${full_binpath_src}" ]]; then
       mkdir -p "${KUBE_OUTPUT_BIN}/${platform}"
       find "${full_binpath_src}" -maxdepth 1 -type f -exec \
-        rsync -pc {} "${KUBE_OUTPUT_BIN}/${platform}" \;
+        cp -p {} "${KUBE_OUTPUT_BIN}/${platform}" \;
     fi
   done
 }
@@ -781,13 +787,13 @@ kube::golang::build_binaries_for_platform() {
   for binary in "${binaries[@]}"; do
     if [[ "${binary}" =~ ".test"$ ]]; then
       tests+=("${binary}")
-      kube::log::info "    ${binary} (test)"
+      kube::log::info "    ${binary} (test${KUBE_RACE:+, race detection})"
     elif kube::golang::is_statically_linked "${binary}"; then
       statics+=("${binary}")
       kube::log::info "    ${binary} (static)"
     else
       nonstatics+=("${binary}")
-      kube::log::info "    ${binary} (non-static)"
+      kube::log::info "    ${binary} (non-static${KUBE_RACE:+, race detection})"
     fi
    done
 
@@ -813,6 +819,9 @@ kube::golang::build_binaries_for_platform() {
       -ldflags="${goldflags}"
       -tags="${gotags:-}"
     )
+    if [[ -n "${KUBE_RACE:-}" ]]; then
+      build_args+=("${KUBE_RACE}")
+    fi
     kube::golang::build_some_binaries "${nonstatics[@]}"
   fi
 
@@ -822,13 +831,18 @@ kube::golang::build_binaries_for_platform() {
     testpkg=$(dirname "${test}")
 
     mkdir -p "$(dirname "${outfile}")"
-    go test -c \
-      ${goflags:+"${goflags[@]}"} \
-      -gcflags="${gogcflags}" \
-      -ldflags="${goldflags}" \
-      -tags="${gotags:-}" \
-      -o "${outfile}" \
-      "${testpkg}"
+    build_args=(
+      -c
+      ${goflags:+"${goflags[@]}"}
+      -gcflags="${gogcflags}"
+      -ldflags="${goldflags}"
+      -tags="${gotags:-}"
+      -o "${outfile}"
+    )
+    if [[ -n "${KUBE_RACE:-}" ]]; then
+      build_args+=("${KUBE_RACE}")
+    fi
+    go test "${build_args[@]}" "${testpkg}"
   done
 }
 
diff --git a/hack/lib/init.sh b/hack/lib/init.sh
index 083cf91d2cdfb..1470109018824 100755
--- a/hack/lib/init.sh
+++ b/hack/lib/init.sh
@@ -41,17 +41,10 @@ KUBE_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd -P)"
 # If it is specified, we'll use it in KUBE_OUTPUT.
 _KUBE_OUTPUT_SUBPATH="${KUBE_OUTPUT_SUBPATH:-_output/local}"
 export KUBE_OUTPUT="${KUBE_ROOT}/${_KUBE_OUTPUT_SUBPATH}"
-export KUBE_OUTPUT_BIN="${KUBE_OUTPUT}/bin"
+readonly _KUBE_OUTPUT_BIN_SUBPATH="bin"
+export KUBE_OUTPUT_BIN="${KUBE_OUTPUT}/${_KUBE_OUTPUT_BIN_SUBPATH}"
 export THIS_PLATFORM_BIN="${KUBE_ROOT}/_output/bin"
 
-# This controls rsync compression. Set to a value > 0 to enable rsync
-# compression for build container
-KUBE_RSYNC_COMPRESS="${KUBE_RSYNC_COMPRESS:-0}"
-
-# Set no_proxy for localhost if behind a proxy, otherwise,
-# the connections to localhost in scripts will time out
-export no_proxy="127.0.0.1,localhost${no_proxy:+,${no_proxy}}"
-
 source "${KUBE_ROOT}/hack/lib/util.sh"
 source "${KUBE_ROOT}/hack/lib/logging.sh"
 
@@ -119,7 +112,7 @@ storage.k8s.io/v1beta1 \
 storage.k8s.io/v1 \
 storage.k8s.io/v1alpha1 \
 flowcontrol.apiserver.k8s.io/v1 \
-storagemigration.k8s.io/v1alpha1 \
+storagemigration.k8s.io/v1beta1 \
 flowcontrol.apiserver.k8s.io/v1beta1 \
 flowcontrol.apiserver.k8s.io/v1beta2 \
 flowcontrol.apiserver.k8s.io/v1beta3 \
diff --git a/hack/lib/logging.sh b/hack/lib/logging.sh
index 15a286cea7850..4b6428232a3e4 100644
--- a/hack/lib/logging.sh
+++ b/hack/lib/logging.sh
@@ -169,3 +169,13 @@ kube::log::status() {
     echo "    ${message}"
   done
 }
+
+# Log a command and run it. Uses a subshell which gets replaced by the command after logging.
+kube::log::run() (
+  V="${V:-0}"
+  if (( KUBE_VERBOSE >= V )); then
+    timestamp=$(date +"[%m%d %H:%M:%S]")
+    echo "+++ ${timestamp} ${*}"
+  fi
+  exec "${@}"
+)
diff --git a/hack/lib/protoc.sh b/hack/lib/protoc.sh
index c260ec011fa5a..a23dfffe0f5ce 100644
--- a/hack/lib/protoc.sh
+++ b/hack/lib/protoc.sh
@@ -42,20 +42,6 @@ function kube::protoc::generate_proto() {
   kube::protoc::format "${package}"
 }
 
-# Generates $1/api.pb.go from the protobuf file $1/api.proto
-# and formats it correctly
-# $1: Full path to the directory where the api.proto file is
-function kube::protoc::generate_proto_gogo() {
-  kube::golang::setup_env
-  GOPROXY=off go install k8s.io/code-generator/cmd/go-to-protobuf/protoc-gen-gogo
-
-  kube::protoc::check_protoc
-
-  local package=${1}
-  kube::protoc::protoc_gogo "${package}"
-  kube::protoc::format "${package}"
-}
-
 # Checks that the current protoc version matches the required version and
 # exit 1 if it's not the case
 function kube::protoc::check_protoc() {
@@ -70,29 +56,6 @@ function kube::protoc::check_protoc() {
 
 # Generates $1/api.pb.go from the protobuf file $1/api.proto
 # $1: Full path to the directory where the api.proto file is
-function kube::protoc::protoc_gogo() {
-  local package=${1}
-  gogopath=$(dirname "$(kube::util::find-binary "protoc-gen-gogo")")
-
-  (
-    cd "${package}"
-
-    # This invocation of --gogo_out produces its output in the current
-    # directory (despite gogo docs saying it would be source-relative, it
-    # isn't).  The inputs to this function do not all have a common root, so
-    # this works best for all inputs.
-    PATH="${gogopath}:${PATH}" protoc \
-      --proto_path="$(pwd -P)" \
-      --proto_path="${KUBE_ROOT}/vendor" \
-      --proto_path="${KUBE_ROOT}/staging/src" \
-      --proto_path="${KUBE_ROOT}/third_party/protobuf" \
-      --gogo_out=paths=source_relative,plugins=grpc:. \
-      api.proto
-  )
-}
-
-# Generates $1/api.pb.go from the protobuf file $1/api.proto without using gogo
-# $1: Full path to the directory where the api.proto file is
 function kube::protoc::protoc() {
   local package=${1}
 
diff --git a/hack/lib/util.sh b/hack/lib/util.sh
index cae8a499204d1..ed067cc7a30ba 100755
--- a/hack/lib/util.sh
+++ b/hack/lib/util.sh
@@ -720,22 +720,22 @@ function kube::util::ensure-gnu-sed {
   kube::util::sourced_variable "${SED}"
 }
 
-# kube::util::ensure-gnu-date
+# kube::util::ensure-gnu-compatible-date
 # Determines which date binary is gnu-date on linux/darwin
 #
 # Sets:
 #  DATE: The name of the gnu-date binary
 #
-function kube::util::ensure-gnu-date {
+function kube::util::ensure-gnu-compatible-date {
   # NOTE: the echo below is a workaround to ensure date is executed before the grep.
   # see: https://github.com/kubernetes/kubernetes/issues/87251
-  date_help="$(LANG=C date --help 2>&1 || true)"
-  if echo "${date_help}" | grep -q "GNU\|BusyBox"; then
+  date_version="$(LANG=C date --version 2>&1 || true)"
+  if echo "${date_version}" | grep -q "GNU\|BusyBox\|uutils"; then
     DATE="date"
   elif command -v gdate &>/dev/null; then
     DATE="gdate"
   else
-    kube::log::error "Failed to find GNU date as date or gdate. If you are on Mac: brew install coreutils." >&2
+    kube::log::error "Failed to find GNU-compatible date as date or gdate. If you are on Mac: brew install coreutils." >&2
     return 1
   fi
   kube::util::sourced_variable "${DATE}"
diff --git a/hack/lib/verify-generated.sh b/hack/lib/verify-generated.sh
index 4770f99ca5c47..c795c15a5149a 100755
--- a/hack/lib/verify-generated.sh
+++ b/hack/lib/verify-generated.sh
@@ -39,7 +39,7 @@ kube::verify::generated() {
 
     _tmpdir="$(kube::realpath "$(mktemp -d -t "verify-generated-$(basename "$1").XXXXXX")")"
     git worktree add -f -q "${_tmpdir}" HEAD
-    kube::util::trap_add "git worktree remove -f ${_tmpdir}" EXIT
+    kube::util::trap_add "git worktree remove -f ${_tmpdir:?}; rm -rf ${_tmpdir:?}" EXIT
     cd "${_tmpdir}"
 
     # Update generated files.
diff --git a/hack/lib/version.sh b/hack/lib/version.sh
index ae3853df3841a..9b6efaaff490f 100644
--- a/hack/lib/version.sh
+++ b/hack/lib/version.sh
@@ -163,7 +163,7 @@ kube::version::ldflags() {
     )
   }
 
-  kube::util::ensure-gnu-date
+  kube::util::ensure-gnu-compatible-date
 
   add_ldflag "buildDate" "$(${DATE} ${SOURCE_DATE_EPOCH:+"--date=@${SOURCE_DATE_EPOCH}"} -u +'%Y-%m-%dT%H:%M:%SZ')"
   if [[ -n ${KUBE_GIT_COMMIT-} ]]; then
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index fe6616f69ed0a..46491b223ff19 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -59,7 +59,7 @@ LIMITED_SWAP=${LIMITED_SWAP:-""}
 
 # required for cni installation
 CNI_CONFIG_DIR=${CNI_CONFIG_DIR:-/etc/cni/net.d}
-CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION:-"v1.7.1"}
+CNI_PLUGINS_VERSION=${CNI_PLUGINS_VERSION:-"v1.8.0"}
 # The arch of the CNI binary, if not set, will be fetched based on the value of `uname -m`
 CNI_TARGETARCH=${CNI_TARGETARCH:-""}
 CNI_PLUGINS_URL="https://github.com/containernetworking/plugins/releases/download"
@@ -670,6 +670,7 @@ EOF
       --egress-selector-config-file="${EGRESS_SELECTOR_CONFIG_FILE:-}" \
       --client-ca-file="${CERT_DIR}/client-ca.crt" \
       --kubelet-client-certificate="${CERT_DIR}/client-kube-apiserver.crt" \
+      --kubelet-certificate-authority="${CLUSTER_SIGNING_CERT_FILE}" \
       --kubelet-client-key="${CERT_DIR}/client-kube-apiserver.key" \
       --kubelet-port="${KUBELET_PORT}" \
       --kubelet-read-only-port="${KUBELET_READ_ONLY_PORT}" \
@@ -794,6 +795,20 @@ function start_cloud_controller_manager {
     export CLOUD_CTLRMGR_PID=$!
 }
 
+function wait_node_csr() {
+  local interval_time=2
+  local csr_approved_time=300
+  local newline='"\n"'
+  local unapproved_csr_names="--field-selector='spec.signerName=kubernetes.io/kubelet-serving' -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{${newline}}}{{end}}{{end}}"
+  local csr_approved="${KUBECTL} --kubeconfig '${CERT_DIR}/admin.kubeconfig' get csr ${unapproved_csr_names}' | xargs --no-run-if-empty ${KUBECTL} --kubeconfig '${CERT_DIR}/admin.kubeconfig' certificate approve | grep csr"
+  kube::util::wait_for_success "$csr_approved_time" "$interval_time" "$csr_approved"
+  if [ $? == "1" ]; then
+    echo "time out on waiting for CSR approval"
+    exit 1
+  fi
+  echo "kubelet CSR approved"
+}
+
 function wait_node_ready(){
   if [[ -n "${DRY_RUN}" ]]; then
     return
@@ -923,6 +938,7 @@ readOnlyPort: ${KUBELET_READ_ONLY_PORT}
 healthzPort: ${KUBELET_HEALTHZ_PORT}
 healthzBindAddress: ${KUBELET_HOST}
 rotateCertificates: true
+serverTLSBootstrap: true
 runtimeRequestTimeout: "${RUNTIME_REQUEST_TIMEOUT}"
 staticPodPath: "${POD_MANIFEST_PATH}"
 resolvConf: "${KUBELET_RESOLV_CONF}"
@@ -1388,8 +1404,8 @@ if [[ "${KUBETEST_IN_DOCKER:-}" == "true" ]]; then
   # configure and start containerd
   echo "configuring containerd"
   containerd config default > /etc/containerd/config.toml
-  sed -ie 's|root = "/var/lib/containerd"|root = "/docker-graph/containerd/daemon"|' /etc/containerd/config.toml
-  sed -ie 's|state = "/run/containerd"|state = "/var/run/docker/containerd/daemon"|' /etc/containerd/config.toml
+  sed -ie 's|root = ./var/lib/containerd.|root = "/docker-graph/containerd/daemon"|' /etc/containerd/config.toml
+  sed -ie 's|state = ./run/containerd.|state = "/var/run/docker/containerd/daemon"|' /etc/containerd/config.toml
   sed -ie 's|enable_cdi = false|enable_cdi = true|' /etc/containerd/config.toml
 
   echo "starting containerd"
@@ -1457,6 +1473,7 @@ if [[ "${START_MODE}" != *"nokubelet"* ]]; then
       Linux)
         install_cni_if_needed
         start_kubelet
+        wait_node_csr
         ;;
       *)
         print_color "Unsupported host OS.  Must be Linux or Mac OS X, kubelet aborted."
diff --git a/hack/logcheck.conf b/hack/logcheck.conf
index 3fc412754c0c1..e8e3a11c4bae2 100644
--- a/hack/logcheck.conf
+++ b/hack/logcheck.conf
@@ -19,6 +19,7 @@ structured k8s.io/kubernetes/pkg/proxy/.*
 structured k8s.io/kms/.*
 structured k8s.io/apiserver/pkg/storage/value/.*
 structured k8s.io/apiserver/pkg/server/options/encryptionconfig/.*
+structured k8s.io/kubernetes/pkg/credentialprovider/plugin/.*
 
 # The following packages have been migrated to contextual logging.
 # Packages matched here do not have to be listed above because
@@ -46,17 +47,35 @@ contextual k8s.io/sample-controller/.*
 contextual k8s.io/kubernetes/cmd/kube-proxy/.*
 contextual k8s.io/kubernetes/cmd/kube-scheduler/.*
 contextual k8s.io/kubernetes/cmd/kubelet/.*
+contextual k8s.io/kubernetes/pkg/api/.*
+contextual k8s.io/kubernetes/pkg/apis/.*
+contextual k8s.io/kubernetes/pkg/capabilities/.*
+contextual k8s.io/kubernetes/pkg/client/.*
+contextual k8s.io/kubernetes/pkg/cluster/.*
 contextual k8s.io/kubernetes/pkg/controller/.*
+contextual k8s.io/kubernetes/pkg/features/.*
+contextual k8s.io/kubernetes/pkg/fieldpath/.*
+contextual k8s.io/kubernetes/pkg/generated/.*
+contextual k8s.io/kubernetes/pkg/printers/.*
+contextual k8s.io/kubernetes/pkg/quota/.*
 contextual k8s.io/kubernetes/pkg/scheduler/.*
+contextual k8s.io/kubernetes/pkg/security/.*
+contextual k8s.io/kubernetes/pkg/securitycontext/.*
 contextual k8s.io/kubernetes/test/e2e/dra/.*
+contextual k8s.io/kubernetes/pkg/kubelet/certificate/.*
+contextual k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/.*
 contextual k8s.io/kubernetes/pkg/kubelet/cm/dra/.*
+contextual k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/.*
 contextual k8s.io/kubernetes/pkg/kubelet/cm/memorymanager/.*
+contextual k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/.*
 contextual k8s.io/kubernetes/pkg/kubelet/lifecycle/.*
 contextual k8s.io/kubernetes/pkg/kubelet/pleg/.*
 contextual k8s.io/kubernetes/pkg/kubelet/clustertrustbundle/.*
 contextual k8s.io/kubernetes/pkg/kubelet/token/.*
 contextual k8s.io/kubernetes/pkg/kubelet/cadvisor/.*
+contextual k8s.io/kubernetes/pkg/kubelet/config/.*
 contextual k8s.io/kubernetes/pkg/kubelet/oom/.*
+contextual k8s.io/kubernetes/pkg/kubelet/server/.*
 contextual k8s.io/kubernetes/pkg/kubelet/status/.*
 contextual k8s.io/kubernetes/pkg/kubelet/sysctl/.*
 contextual k8s.io/kubernetes/pkg/kubelet/winstats/.*
@@ -67,6 +86,9 @@ contextual k8s.io/kubernetes/pkg/kubelet/nodeshutdown/.*
 contextual k8s.io/kubernetes/pkg/kubelet/pod/.*
 contextual k8s.io/kubernetes/pkg/kubelet/preemption/.*
 contextual k8s.io/kubernetes/pkg/kubelet/volumemanager/.*
+contextual k8s.io/kubernetes/pkg/kubelet/util/.*
+contextual k8s.io/kubernetes/pkg/kubelet/logs/.*
+contextual k8s.io/kubernetes/test/images/sample-device-plugin/.*
 
 # As long as contextual logging is alpha or beta, all WithName, WithValues,
 # NewContext calls have to go through klog. Once it is GA, we can lift
diff --git a/hack/make-rules/test-e2e-node.sh b/hack/make-rules/test-e2e-node.sh
index 0ef5480c4daab..b42fd6d71318d 100755
--- a/hack/make-rules/test-e2e-node.sh
+++ b/hack/make-rules/test-e2e-node.sh
@@ -18,7 +18,6 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 source "${KUBE_ROOT}/hack/lib/init.sh"
 
 kube::golang::setup_env
-kube::golang::setup_gomaxprocs
 
 # start the cache mutation detector by default so that cache mutators will be found
 KUBE_CACHE_MUTATION_DETECTOR="${KUBE_CACHE_MUTATION_DETECTOR:-true}"
diff --git a/hack/make-rules/test-integration.sh b/hack/make-rules/test-integration.sh
index ae208fa359115..716b3bf21af59 100755
--- a/hack/make-rules/test-integration.sh
+++ b/hack/make-rules/test-integration.sh
@@ -22,15 +22,17 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 source "${KUBE_ROOT}/hack/lib/init.sh"
 
 kube::golang::setup_env
-kube::golang::setup_gomaxprocs
 kube::util::require-jq
 
+set -x
+
 # start the cache mutation detector by default so that cache mutators will be found
 KUBE_CACHE_MUTATION_DETECTOR="${KUBE_CACHE_MUTATION_DETECTOR:-true}"
 export KUBE_CACHE_MUTATION_DETECTOR
 
-# panic the server on watch decode errors since they are considered coder mistakes
-KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-true}"
+# default set to "false" to avoid panic on decode errors.
+# integration tests intentionally insert data that cannot be decoded.
+KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-false}"
 export KUBE_PANIC_WATCH_DECODE_ERROR
 
 KUBE_INTEGRATION_TEST_MAX_CONCURRENCY=${KUBE_INTEGRATION_TEST_MAX_CONCURRENCY:-"-1"}
@@ -47,6 +49,8 @@ KUBE_TEST_ARGS=${KUBE_TEST_ARGS:-}
 # Default glog module settings.
 KUBE_TEST_VMODULE=${KUBE_TEST_VMODULE:-""}
 
+set +x
+
 kube::test::find_integration_test_pkgs() {
   (
     cd "${KUBE_ROOT}"
diff --git a/hack/make-rules/test.sh b/hack/make-rules/test.sh
index 8536a18ab4c7f..db8d6df6c0ccb 100755
--- a/hack/make-rules/test.sh
+++ b/hack/make-rules/test.sh
@@ -22,7 +22,6 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
 source "${KUBE_ROOT}/hack/lib/init.sh"
 
 kube::golang::setup_env
-kube::golang::setup_gomaxprocs
 kube::util::require-jq
 
 # start the cache mutation detector by default so that cache mutators will be found
@@ -58,6 +57,8 @@ kube::test::find_go_packages() {
   )
 }
 
+set -x
+
 # TODO: This timeout should really be lower, this is a *long* time to test one
 # package, however pkg/api/testing in particular will fail with a lower timeout
 # currently. We should attempt to lower this over time.
@@ -86,6 +87,8 @@ KUBE_KEEP_VERBOSE_TEST_OUTPUT=${KUBE_KEEP_VERBOSE_TEST_OUTPUT:-n}
 # Set to 'false' to disable reduction of the JUnit file to only the top level tests.
 KUBE_PRUNE_JUNIT_TESTS=${KUBE_PRUNE_JUNIT_TESTS:-true}
 
+set +x
+
 kube::test::usage() {
   kube::log::usage_from_stdin <<EOF
 usage: $0 [OPTIONS] [TARGETS]
@@ -226,7 +229,7 @@ runTests() {
   fi
 
   kube::log::status "Running tests ${cover_msg} ${KUBE_RACE:+"and with ${KUBE_RACE}"}"
-  gotestsum --format="${gotestsum_format}" \
+  kube::log::run gotestsum --format="${gotestsum_format}" \
             --jsonfile="${jsonfile}" \
             --junitfile="${junit_filename_prefix:+"${junit_filename_prefix}.xml"}" \
             --raw-command \
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index 61a21552ee0c7..682ad6b005cdf 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -1,64 +1,84 @@
 module k8s.io/kubernetes/hack/tools
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/aojea/sloppy-netparser v0.0.0-20210819225411-1b3bd8b3b975
-	github.com/cespare/prettybench v0.0.0-20150116022406-03b8cfe5406c
-	github.com/golangci/misspell v0.6.0
-	github.com/jcchavezs/porto v0.6.0
-	github.com/vektra/mockery/v2 v2.53.3
-	go.uber.org/automaxprocs v1.6.0
-	golang.org/x/mod v0.24.0
-	golang.org/x/tools v0.32.0
-	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
-	google.golang.org/protobuf v1.36.4
-	gotest.tools/gotestsum v1.12.0
-	honnef.co/go/tools v0.6.1
+	golang.org/x/mod v0.27.0
 	k8s.io/publishing-bot v0.5.0
-	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
 	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/aojea/sloppy-netparser v0.0.0-20210819225411-1b3bd8b3b975 // indirect
 	github.com/bitfield/gotestdox v0.2.2 // indirect
-	github.com/chigopher/pathlib v0.19.1 // indirect
+	github.com/brunoga/deep v1.2.4 // indirect
+	github.com/cespare/prettybench v0.0.0-20150116022406-03b8cfe5406c // indirect
 	github.com/dnephin/pflag v1.0.7 // indirect
 	github.com/fatih/color v1.18.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/golang/glog v1.2.2 // indirect
+	github.com/golangci/misspell v0.6.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/iancoleman/strcase v0.3.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/jcchavezs/porto v0.6.0 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.6.7 // indirect
+	github.com/knadh/koanf/maps v0.1.2 // indirect
+	github.com/knadh/koanf/parsers/yaml v0.1.0 // indirect
+	github.com/knadh/koanf/providers/env v1.0.0 // indirect
+	github.com/knadh/koanf/providers/file v1.1.2 // indirect
+	github.com/knadh/koanf/providers/posflag v0.1.0 // indirect
+	github.com/knadh/koanf/providers/structs v0.1.0 // indirect
+	github.com/knadh/koanf/v2 v2.2.1 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.14.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/cobra v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/spf13/viper v1.20.0 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
+	github.com/vektra/mockery/v3 v3.5.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.3 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/sync v0.13.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
+	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/gotestsum v1.12.0 // indirect
+	honnef.co/go/tools v0.6.1 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)
+
+tool (
+	github.com/aojea/sloppy-netparser
+	github.com/cespare/prettybench
+	github.com/golangci/misspell
+	github.com/jcchavezs/porto/cmd/porto
+	github.com/vektra/mockery/v3
+	golang.org/x/mod/modfile
+	golang.org/x/tools/cmd/goimports
+	google.golang.org/grpc/cmd/protoc-gen-go-grpc
+	google.golang.org/protobuf/cmd/protoc-gen-go
+	gotest.tools/gotestsum
+	honnef.co/go/tools/cmd/staticcheck
+	k8s.io/publishing-bot/cmd/publishing-bot/config
+	sigs.k8s.io/yaml/yamlfmt
 )
diff --git a/hack/tools/go.sum b/hack/tools/go.sum
index cb6a866c667c6..c0f7121c103d1 100644
--- a/hack/tools/go.sum
+++ b/hack/tools/go.sum
@@ -4,10 +4,10 @@ github.com/aojea/sloppy-netparser v0.0.0-20210819225411-1b3bd8b3b975 h1:3bpBhtHN
 github.com/aojea/sloppy-netparser v0.0.0-20210819225411-1b3bd8b3b975/go.mod h1:VP81Qd6FKAazakPswOou8ULXGU/j5QH0VcGPzehHx3s=
 github.com/bitfield/gotestdox v0.2.2 h1:x6RcPAbBbErKLnapz1QeAlf3ospg8efBsedU93CDsnE=
 github.com/bitfield/gotestdox v0.2.2/go.mod h1:D+gwtS0urjBrzguAkTM2wodsTQYFHdpx8eqRJ3N+9pY=
+github.com/brunoga/deep v1.2.4 h1:Aj9E9oUbE+ccbyh35VC/NHlzzjfIVU69BXu2mt2LmL8=
+github.com/brunoga/deep v1.2.4/go.mod h1:GDV6dnXqn80ezsLSZ5Wlv1PdKAWAO4L5PnKYtv2dgaI=
 github.com/cespare/prettybench v0.0.0-20150116022406-03b8cfe5406c h1:p8i+qCbr/dNhS2FoQhRpSS7X5+IlxTa94nRNYXu4fyo=
 github.com/cespare/prettybench v0.0.0-20150116022406-03b8cfe5406c/go.mod h1:Xe6ZsFhtM8HrDku0pxJ3/Lr51rwykrzgFwpmTzleatY=
-github.com/chigopher/pathlib v0.19.1 h1:RoLlUJc0CqBGwq239cilyhxPNLXTK+HXoASGyGznx5A=
-github.com/chigopher/pathlib v0.19.1/go.mod h1:tzC1dZLW8o33UQpWkNkhvPwL5n4yyFRFm/jL1YGWFvY=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -20,14 +20,14 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
+github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
-github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
+github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
 github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -39,21 +39,30 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
-github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
-github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jcchavezs/porto v0.6.0 h1:AgQLGwsXaxDkPj4Y+paFkVGLAR4n/1RRF0xV5UKinwg=
 github.com/jcchavezs/porto v0.6.0/go.mod h1:fESH0gzDHiutHRdX2hv27ojnOVFco37hg1W6E9EZF4A=
-github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
-github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/jedib0t/go-pretty/v6 v6.6.7 h1:m+LbHpm0aIAPLzLbMfn8dc3Ht8MW7lsSO4MPItz/Uuo=
+github.com/jedib0t/go-pretty/v6 v6.6.7/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
+github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo=
+github.com/knadh/koanf/maps v0.1.2/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI=
+github.com/knadh/koanf/parsers/yaml v0.1.0 h1:ZZ8/iGfRLvKSaMEECEBPM1HQslrZADk8fP1XFUxVI5w=
+github.com/knadh/koanf/parsers/yaml v0.1.0/go.mod h1:cvbUDC7AL23pImuQP0oRw/hPuccrNBS2bps8asS0CwY=
+github.com/knadh/koanf/providers/env v1.0.0 h1:ufePaI9BnWH+ajuxGGiJ8pdTG0uLEUWC7/HDDPGLah0=
+github.com/knadh/koanf/providers/env v1.0.0/go.mod h1:mzFyRZueYhb37oPmC1HAv/oGEEuyvJDA98r3XAa8Gak=
+github.com/knadh/koanf/providers/file v1.1.2 h1:aCC36YGOgV5lTtAFz2qkgtWdeQsgfxUkxDOe+2nQY3w=
+github.com/knadh/koanf/providers/file v1.1.2/go.mod h1:/faSBcv2mxPVjFrXck95qeoyoZ5myJ6uxN8OOVNJJCI=
+github.com/knadh/koanf/providers/posflag v0.1.0 h1:mKJlLrKPcAP7Ootf4pBZWJ6J+4wHYujwipe7Ie3qW6U=
+github.com/knadh/koanf/providers/posflag v0.1.0/go.mod h1:SYg03v/t8ISBNrMBRMlojH8OsKowbkXV7giIbBVgbz0=
+github.com/knadh/koanf/providers/structs v0.1.0 h1:wJRteCNn1qvLtE5h8KQBvLJovidSdntfdyIbbCzEyE0=
+github.com/knadh/koanf/providers/structs v0.1.0/go.mod h1:sw2YZ3txUcqA3Z27gPlmmBzWn1h8Nt9O6EP/91MkcWE=
+github.com/knadh/koanf/v2 v2.2.1 h1:jaleChtw85y3UdBnI0wCqcg1sj1gPoz6D3caGNHtrNE=
+github.com/knadh/koanf/v2 v2.2.1/go.mod h1:PSFru3ufQgTsI7IF+95rf9s8XA1+aHxKuO/W+dPoHEY=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
@@ -64,18 +73,19 @@ github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
-github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
@@ -83,21 +93,11 @@ github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
-github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
-github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
-github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.20.0 h1:zrxIyR3RQIOsarIrgL8+sAvALXul9jeEPa06Y0Ph6vY=
-github.com/spf13/viper v1.20.0/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -105,16 +105,16 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
-github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
-github.com/vektra/mockery/v2 v2.53.3 h1:yBU8XrzntcZdcNRRv+At0anXgSaFtgkyVUNm3f4an3U=
-github.com/vektra/mockery/v2 v2.53.3/go.mod h1:hIFFb3CvzPdDJJiU7J4zLRblUMv7OuezWsHPmswriwo=
+github.com/vektra/mockery/v3 v3.5.4 h1:AqbLKhw+H3U5OBqEAcUilxRIcLwHfFKzTbLlyfEqx9o=
+github.com/vektra/mockery/v3 v3.5.4/go.mod h1:6rmlzyACJQig1UFoUYyLMS/O+2aGz6BgKAO9C8t9/v0=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
@@ -127,6 +127,8 @@ golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIi
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac h1:TSSpLIG4v+p0rPv1pNOQtl1I8knsO4S9trOxNMOLVP4=
 golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -138,8 +140,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -152,16 +154,16 @@ golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -181,8 +183,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -193,8 +195,8 @@ golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -204,8 +206,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
@@ -215,8 +217,10 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
-golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/hack/tools/go.work b/hack/tools/go.work
index bc4290def2c27..ebdf3df29addb 100644
--- a/hack/tools/go.work
+++ b/hack/tools/go.work
@@ -1,8 +1,8 @@
 // This is a hack, but it prevents go from climbing further and trying to
 // reconcile the various deps across the "real" modules and this one.
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 use .
diff --git a/hack/tools/golangci-lint/go.mod b/hack/tools/golangci-lint/go.mod
index db516bcef252b..fd5df6f6a91e7 100644
--- a/hack/tools/golangci-lint/go.mod
+++ b/hack/tools/golangci-lint/go.mod
@@ -1,6 +1,6 @@
 module k8s.io/kubernetes/hack/tools/golangci-lint
 
-go 1.24.0
+go 1.25.0
 
 tool (
 	github.com/golangci/golangci-lint/v2/cmd/golangci-lint
@@ -10,41 +10,48 @@ tool (
 
 require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	golang.org/x/tools v0.34.0
+	golang.org/x/tools v0.37.0
 )
 
 require (
 	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
 	4d63.com/gochecknoglobals v0.2.2 // indirect
-	github.com/4meepo/tagalign v1.4.2 // indirect
-	github.com/Abirdcfly/dupword v0.1.3 // indirect
-	github.com/Antonboom/errname v1.1.0 // indirect
-	github.com/Antonboom/nilnil v1.1.0 // indirect
-	github.com/Antonboom/testifylint v1.6.1 // indirect
+	codeberg.org/chavacava/garif v0.2.0 // indirect
+	dev.gaijin.team/go/exhaustruct/v4 v4.0.0 // indirect
+	dev.gaijin.team/go/golib v0.6.0 // indirect
+	github.com/4meepo/tagalign v1.4.3 // indirect
+	github.com/Abirdcfly/dupword v0.1.6 // indirect
+	github.com/AdminBenni/iota-mixing v1.0.0 // indirect
+	github.com/AlwxSin/noinlineerr v1.0.5 // indirect
+	github.com/Antonboom/errname v1.1.1 // indirect
+	github.com/Antonboom/nilnil v1.1.1 // indirect
+	github.com/Antonboom/testifylint v1.6.4 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+	github.com/Djarvur/go-err113 v0.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/MirrexOne/unqueryvet v1.2.1 // indirect
 	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
-	github.com/alecthomas/chroma/v2 v2.17.2 // indirect
+	github.com/alecthomas/chroma/v2 v2.20.0 // indirect
 	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
 	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alfatraining/structtag v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/alingse/nilnesserr v0.2.0 // indirect
-	github.com/ashanbrown/forbidigo v1.6.0 // indirect
-	github.com/ashanbrown/makezero v1.2.0 // indirect
+	github.com/ashanbrown/forbidigo/v2 v2.1.0 // indirect
+	github.com/ashanbrown/makezero/v2 v2.0.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.3 // indirect
 	github.com/blizzy78/varnamelen v0.8.0 // indirect
 	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
+	github.com/bombsimon/wsl/v5 v5.2.0 // indirect
 	github.com/breml/bidichk v0.3.3 // indirect
 	github.com/breml/errchkjson v0.4.1 // indirect
 	github.com/butuzov/ireturn v0.4.0 // indirect
 	github.com/butuzov/mirror v1.3.0 // indirect
 	github.com/catenacyber/perfsprint v0.9.1 // indirect
-	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charithe/durationcheck v0.0.10 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
@@ -52,10 +59,9 @@ require (
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/chavacava/garif v0.1.0 // indirect
 	github.com/ckaznocha/intrange v0.3.1 // indirect
 	github.com/curioswitch/go-reassign v0.3.0 // indirect
-	github.com/daixiang0/gci v0.13.6 // indirect
+	github.com/daixiang0/gci v0.13.7 // indirect
 	github.com/dave/dst v0.27.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/denis-tingaikin/go-header v0.5.0 // indirect
@@ -66,7 +72,7 @@ require (
 	github.com/firefart/nonamedreturns v1.0.6 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.15 // indirect
+	github.com/ghostiam/protogetter v0.3.16 // indirect
 	github.com/go-critic/go-critic v0.13.0 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect
 	github.com/go-toolsmith/astcopy v1.1.0 // indirect
@@ -75,52 +81,56 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/godoc-lint/godoc-lint v0.10.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/asciicheck v0.5.0 // indirect
 	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
-	github.com/golangci/go-printf-func-name v0.1.0 // indirect
+	github.com/golangci/go-printf-func-name v0.1.1 // indirect
 	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
-	github.com/golangci/golangci-lint/v2 v2.1.6 // indirect
+	github.com/golangci/golangci-lint/v2 v2.5.0 // indirect
 	github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
-	github.com/golangci/misspell v0.6.0 // indirect
-	github.com/golangci/plugin-module-register v0.1.1 // indirect
+	github.com/golangci/misspell v0.7.0 // indirect
+	github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe // indirect
+	github.com/golangci/plugin-module-register v0.1.2 // indirect
 	github.com/golangci/revgrep v0.8.0 // indirect
+	github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
 	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gordonklaus/ineffassign v0.2.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.5.0 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
-	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jgautheron/goconst v1.8.1 // indirect
+	github.com/jgautheron/goconst v1.8.2 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jjti/go-spancheck v0.6.4 // indirect
+	github.com/jjti/go-spancheck v0.6.5 // indirect
 	github.com/julz/importas v0.2.0 // indirect
 	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
 	github.com/kisielk/errcheck v1.9.0 // indirect
 	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
-	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kulti/thelper v0.7.1 // indirect
 	github.com/kunwardeep/paralleltest v1.0.14 // indirect
 	github.com/lasiar/canonicalheader v1.1.2 // indirect
-	github.com/ldez/exptostd v0.4.3 // indirect
-	github.com/ldez/gomoddirectives v0.6.1 // indirect
-	github.com/ldez/grignotin v0.9.0 // indirect
-	github.com/ldez/tagliatelle v0.7.1 // indirect
-	github.com/ldez/usetesting v0.4.3 // indirect
+	github.com/ldez/exptostd v0.4.4 // indirect
+	github.com/ldez/gomoddirectives v0.7.0 // indirect
+	github.com/ldez/grignotin v0.10.1 // indirect
+	github.com/ldez/tagliatelle v0.7.2 // indirect
+	github.com/ldez/usetesting v0.5.0 // indirect
 	github.com/leonklingele/grouper v1.1.2 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/macabu/inamedparam v0.2.0 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/manuelarte/funcorder v0.2.1 // indirect
+	github.com/manuelarte/embeddedstructfieldcheck v0.4.0 // indirect
+	github.com/manuelarte/funcorder v0.5.0 // indirect
 	github.com/maratori/testableexamples v1.0.0 // indirect
 	github.com/maratori/testpackage v1.1.1 // indirect
 	github.com/matoous/godox v1.1.0 // indirect
@@ -128,7 +138,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mgechev/revive v1.9.0 // indirect
+	github.com/mgechev/revive v1.12.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moricho/tparallel v0.3.2 // indirect
@@ -136,8 +146,7 @@ require (
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/nishanths/exhaustive v0.12.0 // indirect
 	github.com/nishanths/predeclared v0.2.2 // indirect
-	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/nunnatsa/ginkgolinter v0.21.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/polyfloyd/go-errorlint v1.8.0 // indirect
@@ -156,27 +165,26 @@ require (
 	github.com/ryancurrah/gomodguard v1.4.1 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
-	github.com/securego/gosec/v2 v2.22.3 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
+	github.com/securego/gosec/v2 v2.22.8 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sonatard/noctx v0.1.0 // indirect
+	github.com/sonatard/noctx v0.4.0 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/afero v1.14.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/cobra v1.10.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.12.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
-	github.com/tdakkota/asciicheck v0.4.1 // indirect
-	github.com/tetafro/godot v1.5.1 // indirect
+	github.com/tetafro/godot v1.5.4 // indirect
 	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
 	github.com/timonwong/loggercheck v0.11.0 // indirect
 	github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
@@ -184,34 +192,36 @@ require (
 	github.com/ultraware/funlen v0.2.0 // indirect
 	github.com/ultraware/whitespace v0.2.0 // indirect
 	github.com/uudashr/gocognit v1.2.0 // indirect
-	github.com/uudashr/iface v1.3.1 // indirect
+	github.com/uudashr/iface v1.4.1 // indirect
 	github.com/xen0n/gosmopolitan v1.3.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.3.0 // indirect
 	github.com/ykadowak/zerologlint v0.1.5 // indirect
 	gitlab.com/bosi/decorder v0.4.2 // indirect
-	go-simpler.org/musttag v0.13.1 // indirect
-	go-simpler.org/sloglint v0.11.0 // indirect
-	go.augendre.info/fatcontext v0.8.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
+	go-simpler.org/musttag v0.14.0 // indirect
+	go-simpler.org/sloglint v0.11.1 // indirect
+	go.augendre.info/arangolint v0.2.0 // indirect
+	go.augendre.info/fatcontext v0.8.1 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.24.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	honnef.co/go/tools v0.6.1 // indirect
 	k8s.io/apimachinery v0.32.3 // indirect
-	mvdan.cc/gofumpt v0.8.0 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	mvdan.cc/gofumpt v0.9.1 // indirect
 	mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
-	sigs.k8s.io/kube-api-linter v0.0.0-20250516124914-6df69a12c92c // indirect
+	sigs.k8s.io/kube-api-linter v0.0.0-20251029172002-9992248f8813 // indirect
 	sigs.k8s.io/logtools v0.9.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/hack/tools/golangci-lint/go.sum b/hack/tools/golangci-lint/go.sum
index 35af35819570d..76b82053aa859 100644
--- a/hack/tools/golangci-lint/go.sum
+++ b/hack/tools/golangci-lint/go.sum
@@ -34,37 +34,47 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+codeberg.org/chavacava/garif v0.2.0 h1:F0tVjhYbuOCnvNcU3YSpO6b3Waw6Bimy4K0mM8y6MfY=
+codeberg.org/chavacava/garif v0.2.0/go.mod h1:P2BPbVbT4QcvLZrORc2T29szK3xEOlnl0GiPTJmEqBQ=
+dev.gaijin.team/go/exhaustruct/v4 v4.0.0 h1:873r7aNneqoBB3IaFIzhvt2RFYTuHgmMjoKfwODoI1Y=
+dev.gaijin.team/go/exhaustruct/v4 v4.0.0/go.mod h1:aZ/k2o4Y05aMJtiux15x8iXaumE88YdiB0Ai4fXOzPI=
+dev.gaijin.team/go/golib v0.6.0 h1:v6nnznFTs4bppib/NyU1PQxobwDHwCXXl15P7DV5Zgo=
+dev.gaijin.team/go/golib v0.6.0/go.mod h1:uY1mShx8Z/aNHWDyAkZTkX+uCi5PdX7KsG1eDQa2AVE=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E=
-github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
-github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
-github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
-github.com/Antonboom/errname v1.1.0 h1:A+ucvdpMwlo/myWrkHEUEBWc/xuXdud23S8tmTb/oAE=
-github.com/Antonboom/errname v1.1.0/go.mod h1:O1NMrzgUcVBGIfi3xlVuvX8Q/VP/73sseCaAppfjqZw=
-github.com/Antonboom/nilnil v1.1.0 h1:jGxJxjgYS3VUUtOTNk8Z1icwT5ESpLH/426fjmQG+ng=
-github.com/Antonboom/nilnil v1.1.0/go.mod h1:b7sAlogQjFa1wV8jUW3o4PMzDVFLbTux+xnQdvzdcIE=
-github.com/Antonboom/testifylint v1.6.1 h1:6ZSytkFWatT8mwZlmRCHkWz1gPi+q6UBSbieji2Gj/o=
-github.com/Antonboom/testifylint v1.6.1/go.mod h1:k+nEkathI2NFjKO6HvwmSrbzUcQ6FAnbZV+ZRrnXPLI=
+github.com/4meepo/tagalign v1.4.3 h1:Bnu7jGWwbfpAie2vyl63Zup5KuRv21olsPIha53BJr8=
+github.com/4meepo/tagalign v1.4.3/go.mod h1:00WwRjiuSbrRJnSVeGWPLp2epS5Q/l4UEy0apLLS37c=
+github.com/Abirdcfly/dupword v0.1.6 h1:qeL6u0442RPRe3mcaLcbaCi2/Y/hOcdtw6DE9odjz9c=
+github.com/Abirdcfly/dupword v0.1.6/go.mod h1:s+BFMuL/I4YSiFv29snqyjwzDp4b65W2Kvy+PKzZ6cw=
+github.com/AdminBenni/iota-mixing v1.0.0 h1:Os6lpjG2dp/AE5fYBPAA1zfa2qMdCAWwPMCgpwKq7wo=
+github.com/AdminBenni/iota-mixing v1.0.0/go.mod h1:i4+tpAaB+qMVIV9OK3m4/DAynOd5bQFaOu+2AhtBCNY=
+github.com/AlwxSin/noinlineerr v1.0.5 h1:RUjt63wk1AYWTXtVXbSqemlbVTb23JOSRiNsshj7TbY=
+github.com/AlwxSin/noinlineerr v1.0.5/go.mod h1:+QgkkoYrMH7RHvcdxdlI7vYYEdgeoFOVjU9sUhw/rQc=
+github.com/Antonboom/errname v1.1.1 h1:bllB7mlIbTVzO9jmSWVWLjxTEbGBVQ1Ff/ClQgtPw9Q=
+github.com/Antonboom/errname v1.1.1/go.mod h1:gjhe24xoxXp0ScLtHzjiXp0Exi1RFLKJb0bVBtWKCWQ=
+github.com/Antonboom/nilnil v1.1.1 h1:9Mdr6BYd8WHCDngQnNVV0b554xyisFioEKi30sksufQ=
+github.com/Antonboom/nilnil v1.1.1/go.mod h1:yCyAmSw3doopbOWhJlVci+HuyNRuHJKIv6V2oYQa8II=
+github.com/Antonboom/testifylint v1.6.4 h1:gs9fUEy+egzxkEbq9P4cpcMB6/G0DYdMeiFS87UiqmQ=
+github.com/Antonboom/testifylint v1.6.4/go.mod h1:YO33FROXX2OoUfwjz8g+gUxQXio5i9qpVy7nXGbxDD4=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
-github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 h1:Sz1JIXEcSfhz7fUi7xHnhpIE0thVASYjvosApmHuD2k=
-github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1/go.mod h1:n/LSCXNuIYqVfBlVXyHfMQkZDdp1/mmxfSjADd3z1Zg=
+github.com/Djarvur/go-err113 v0.1.1 h1:eHfopDqXRwAi+YmCUas75ZE0+hoBHJ2GQNLYRSxao4g=
+github.com/Djarvur/go-err113 v0.1.1/go.mod h1:IaWJdYFLg76t2ihfflPZnM1LIQszWOsFDh2hhhAVF6k=
 github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
 github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/MirrexOne/unqueryvet v1.2.1 h1:M+zdXMq84g+E1YOLa7g7ExN3dWfZQrdDSTCM7gC+m/A=
+github.com/MirrexOne/unqueryvet v1.2.1/go.mod h1:IWwCwMQlSWjAIteW0t+28Q5vouyktfujzYznSIWiuOg=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.1 h1:vckeWVESWp6Qog7UZSARNqfu/cZqvki8zsuj3piCMx4=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.1/go.mod h1:q4DKzC4UcVaAvcfd41CZh0PWpGgzrVxUYBlgKNGquUo=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/chroma/v2 v2.17.2 h1:Rm81SCZ2mPoH+Q8ZCc/9YvzPUN/E7HgPiPJD8SLV6GI=
-github.com/alecthomas/chroma/v2 v2.17.2/go.mod h1:RVX6AvYm4VfYe/zsk7mjHueLDZor3aWCNE14TFlepBk=
+github.com/alecthomas/chroma/v2 v2.20.0 h1:sfIHpxPyR07/Oylvmcai3X/exDlE8+FA820NTz+9sGw=
+github.com/alecthomas/chroma/v2 v2.20.0/go.mod h1:e7tViK0xh/Nf4BYHl00ycY6rV7b8iXBksI9E359yNmA=
 github.com/alecthomas/go-check-sumtype v0.3.1 h1:u9aUvbGINJxLVXiFvHUlPEaD7VDULsrxJb4Aq31NLkU=
 github.com/alecthomas/go-check-sumtype v0.3.1/go.mod h1:A8TSiN3UPRw3laIgWEUOHHLPa6/r9MtoigdlP5h3K/E=
-github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
-github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/alecthomas/repr v0.5.1 h1:E3G4t2QbHTSNpPKBgMTln5KLkZHLOcU7r37J4pXBuIg=
+github.com/alecthomas/repr v0.5.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -74,18 +84,18 @@ github.com/alexkohler/nakedret/v2 v2.0.6 h1:ME3Qef1/KIKr3kWX3nti3hhgNxw6aqN5pZmQ
 github.com/alexkohler/nakedret/v2 v2.0.6/go.mod h1:l3RKju/IzOMQHmsEvXwkqMDzHHvurNQfAgE1eVmT40Q=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
+github.com/alfatraining/structtag v1.0.0 h1:2qmcUqNcCoyVJ0up879K614L9PazjBSFruTB0GOFjCc=
+github.com/alfatraining/structtag v1.0.0/go.mod h1:p3Xi5SwzTi+Ryj64DqjLWz7XurHxbGsq6y3ubePJPus=
 github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw=
 github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqrSP7t/cW5+I=
 github.com/alingse/nilnesserr v0.2.0 h1:raLem5KG7EFVb4UIDAXgrv3N2JIaffeKNtcEXkEWd/w=
 github.com/alingse/nilnesserr v0.2.0/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
-github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8gerOIVIY=
-github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
-github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU=
-github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4=
+github.com/ashanbrown/forbidigo/v2 v2.1.0 h1:NAxZrWqNUQiDz19FKScQ/xvwzmij6BiOw3S0+QUQ+Hs=
+github.com/ashanbrown/forbidigo/v2 v2.1.0/go.mod h1:0zZfdNAuZIL7rSComLGthgc/9/n2FqspBOH90xlCHdA=
+github.com/ashanbrown/makezero/v2 v2.0.1 h1:r8GtKetWOgoJ4sLyUx97UTwyt2dO7WkGFHizn/Lo8TY=
+github.com/ashanbrown/makezero/v2 v2.0.1/go.mod h1:kKU4IMxmYW1M4fiEHMb2vc5SFoPzXvgbMR9gIp5pjSw=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -96,6 +106,8 @@ github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ
 github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
 github.com/bombsimon/wsl/v4 v4.7.0 h1:1Ilm9JBPRczjyUs6hvOPKvd7VL1Q++PL8M0SXBDf+jQ=
 github.com/bombsimon/wsl/v4 v4.7.0/go.mod h1:uV/+6BkffuzSAVYD+yGyld1AChO7/EuLrCF/8xTiapg=
+github.com/bombsimon/wsl/v5 v5.2.0 h1:PyCCwd3Q7abGs3e34IW4jLYlBS+FbsU6iK+Tb3NnDp4=
+github.com/bombsimon/wsl/v5 v5.2.0/go.mod h1:Gp8lD04z27wm3FANIUPZycXp+8huVsn0oxc+n4qfV9I=
 github.com/breml/bidichk v0.3.3 h1:WSM67ztRusf1sMoqH6/c4OBCUlRVTKq+CbSeo0R17sE=
 github.com/breml/bidichk v0.3.3/go.mod h1:ISbsut8OnjB367j5NseXEGGgO/th206dVa427kR8YTE=
 github.com/breml/errchkjson v0.4.1 h1:keFSS8D7A2T0haP9kzZTi7o26r7kE3vymjZNeNDRDwg=
@@ -106,8 +118,8 @@ github.com/butuzov/mirror v1.3.0 h1:HdWCXzmwlQHdVhwvsfBb2Au0r3HyINry3bDWLYXiKoc=
 github.com/butuzov/mirror v1.3.0/go.mod h1:AEij0Z8YMALaq4yQj9CPPVYOyJQyiexpQEQgihajRfI=
 github.com/catenacyber/perfsprint v0.9.1 h1:5LlTp4RwTooQjJCvGEFV6XksZvWE7wCOUvjD2z0vls0=
 github.com/catenacyber/perfsprint v0.9.1/go.mod h1:q//VWC2fWbcdSLEY1R3l8n0zQCDPdE4IjZwyY1HMunM=
-github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
-github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
+github.com/ccojocar/zxcvbn-go v1.0.4 h1:FWnCIRMXPj43ukfX000kvBZvV6raSxakYr1nzyNrUcc=
+github.com/ccojocar/zxcvbn-go v1.0.4/go.mod h1:3GxGX+rHmueTUMvm5ium7irpyjmm7ikxYFOSJB21Das=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -125,8 +137,6 @@ github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0G
 github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
-github.com/chavacava/garif v0.1.0 h1:2JHa3hbYf5D9dsgseMKAmc/MZ109otzgNFk5s87H9Pc=
-github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+UIPD+Gww=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -137,8 +147,8 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
 github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
-github.com/daixiang0/gci v0.13.6 h1:RKuEOSkGpSadkGbvZ6hJ4ddItT3cVZ9Vn9Rybk6xjl8=
-github.com/daixiang0/gci v0.13.6/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
+github.com/daixiang0/gci v0.13.7 h1:+0bG5eK9vlI08J+J/NWGbWPTNiXPG4WhNLJOkSxWITQ=
+github.com/daixiang0/gci v0.13.7/go.mod h1:812WVN6JLFY9S6Tv76twqmNqevN0pa3SX3nih0brVzQ=
 github.com/dave/dst v0.27.3 h1:P1HPoMza3cMEquVf9kKy8yXsFirry4zEnWOdYPOoIzY=
 github.com/dave/dst v0.27.3/go.mod h1:jHh6EOibnHgcUW3WjKHisiooEkYwqpHLBSX1iOBhEyc=
 github.com/dave/jennifer v1.7.1 h1:B4jJJDHelWcDhlRQxWeo0Npa/pYKBLrirAQoTN45txo=
@@ -169,8 +179,8 @@ github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwV
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/ghostiam/protogetter v0.3.15 h1:1KF5sXel0HE48zh1/vn0Loiw25A9ApyseLzQuif1mLY=
-github.com/ghostiam/protogetter v0.3.15/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
+github.com/ghostiam/protogetter v0.3.16 h1:UkrisuJBYLnZW6FcYUNBDJOqY3X22RtoYMlCsiNlFFA=
+github.com/ghostiam/protogetter v0.3.16/go.mod h1:4SRRIv6PcjkIMpUkRUsP4TsUTqO/N3Fmvwivuc/sCHA=
 github.com/go-critic/go-critic v0.13.0 h1:kJzM7wzltQasSUXtYyTl6UaPVySO6GkaR1thFnJ6afY=
 github.com/go-critic/go-critic v0.13.0/go.mod h1:M/YeuJ3vOCQDnP2SU+ZhjgRzwzcBW87JqLpMJLrZDLI=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -182,8 +192,8 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -208,12 +218,14 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
-github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
 github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/godoc-lint/godoc-lint v0.10.0 h1:OcyrziBi18sQSEpib6NesVHEJ/Xcng97NunePBA48g4=
+github.com/godoc-lint/godoc-lint v0.10.0/go.mod h1:KleLcHu/CGSvkjUH2RvZyoK1MBC7pDQg4NxMYLcBBsw=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -246,22 +258,28 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/golangci/asciicheck v0.5.0 h1:jczN/BorERZwK8oiFBOGvlGPknhvq0bjnysTj4nUfo0=
+github.com/golangci/asciicheck v0.5.0/go.mod h1:5RMNAInbNFw2krqN6ibBxN/zfRFa9S6tA1nPdM0l8qQ=
 github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 h1:WUvBfQL6EW/40l6OmeSBYQJNSif4O11+bmWEz+C7FYw=
 github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32/go.mod h1:NUw9Zr2Sy7+HxzdjIULge71wI6yEg1lWQr7Evcu8K0E=
-github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU=
-github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s=
+github.com/golangci/go-printf-func-name v0.1.1 h1:hIYTFJqAGp1iwoIfsNTpoq1xZAarogrvjO9AfiW3B4U=
+github.com/golangci/go-printf-func-name v0.1.1/go.mod h1:Es64MpWEZbh0UBtTAICOZiB+miW53w/K9Or/4QogJss=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d h1:viFft9sS/dxoYY0aiOTsLKO2aZQAPT4nlQCsimGcSGE=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d/go.mod h1:ivJ9QDg0XucIkmwhzCDsqcnxxlDStoTl89jDMIoNxKY=
-github.com/golangci/golangci-lint/v2 v2.1.6 h1:LXqShFfAGM5BDzEOWD2SL1IzJAgUOqES/HRBsfKjI+w=
-github.com/golangci/golangci-lint/v2 v2.1.6/go.mod h1:EPj+fgv4TeeBq3TcqaKZb3vkiV5dP4hHHKhXhEhzci8=
+github.com/golangci/golangci-lint/v2 v2.5.0 h1:BDRg4ASm4J1y/DSRY6zwJ5tr5Yy8ZqbZ79XrCeFxaQo=
+github.com/golangci/golangci-lint/v2 v2.5.0/go.mod h1:IJtWJBZkLbx7AVrIUzLd8Oi3ADtwaNpWbR3wthVWHcc=
 github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 h1:AkK+w9FZBXlU/xUmBtSJN1+tAI4FIvy5WtnUnY8e4p8=
 github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95/go.mod h1:k9mmcyWKSTMcPPvQUCfRWWQ9VHJ1U9Dc0R7kaXAgtnQ=
-github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs=
-github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo=
-github.com/golangci/plugin-module-register v0.1.1 h1:TCmesur25LnyJkpsVrupv1Cdzo+2f7zX0H6Jkw1Ol6c=
-github.com/golangci/plugin-module-register v0.1.1/go.mod h1:TTpqoB6KkwOJMV8u7+NyXMrkwwESJLOkfl9TxR1DGFc=
+github.com/golangci/misspell v0.7.0 h1:4GOHr/T1lTW0hhR4tgaaV1WS/lJ+ncvYCoFKmqJsj0c=
+github.com/golangci/misspell v0.7.0/go.mod h1:WZyyI2P3hxPY2UVHs3cS8YcllAeyfquQcKfdeE9AFVg=
+github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe h1:F1pK9tBy41i7eesBFkSNMldwtiAaWiU+3fT/24sTnNI=
+github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe/go.mod h1:CtTxAluxD2ng9aIT9bPrVoMuISFWCD+SaxtvYtdWA2k=
+github.com/golangci/plugin-module-register v0.1.2 h1:e5WM6PO6NIAEcij3B053CohVp3HIYbzSuP53UAYgOpg=
+github.com/golangci/plugin-module-register v0.1.2/go.mod h1:1+QGTsKBvAIvPvoY/os+G5eoqxWn70HYDm2uvUyGuVw=
 github.com/golangci/revgrep v0.8.0 h1:EZBctwbVd0aMeRnNUsFogoyayvKHyxlV3CdUA46FX2s=
 github.com/golangci/revgrep v0.8.0/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
+github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e h1:ai0EfmVYE2bRA5htgAG9r7s3tHsfjIhN98WshBTJ9jM=
+github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e/go.mod h1:Vrn4B5oR9qRwM+f54koyeH3yzphlecwERs0el27Fr/s=
 github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e h1:gD6P7NEo7Eqtt0ssnqSJNNndxe69DOQ24A5h7+i3KpM=
 github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e/go.mod h1:h+wZwLjUTJnm/P2rwlbJdRPZXOzaT36/FwnPnY2inzc=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -276,8 +294,8 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -290,23 +308,20 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg=
-github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18=
+github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gordonklaus/ineffassign v0.1.0 h1:y2Gd/9I7MdY1oEIt+n+rowjBNDcLQq3RsH5hwJd0f9s=
-github.com/gordonklaus/ineffassign v0.1.0/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it82ghYcEXIAk+QT0=
+github.com/gordonklaus/ineffassign v0.2.0 h1:Uths4KnmwxNJNzq87fwQQDDnbNb7De00VOk9Nu0TySs=
+github.com/gordonklaus/ineffassign v0.2.0/go.mod h1:TIpymnagPSexySzs7F9FnO1XFTy8IT3a59vmZp5Y9Lw=
 github.com/gostaticanalysis/analysisutil v0.7.1 h1:ZMCjoue3DtDWQ5WyU16YbjbQEQ3VuzwxALrpYd+HeKk=
 github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc=
-github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado=
 github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM=
 github.com/gostaticanalysis/comment v1.5.0 h1:X82FLl+TswsUMpMh17srGRuKaaXprTaytmEpgnKIDu8=
 github.com/gostaticanalysis/comment v1.5.0/go.mod h1:V6eb3gpCv9GNVqb6amXzEUX3jXLVK/AdA+IrAMSqvEc=
 github.com/gostaticanalysis/forcetypeassert v0.2.0 h1:uSnWrrUEYDr86OCxWa4/Tp2jeYDlogZiZHzGkWFefTk=
 github.com/gostaticanalysis/forcetypeassert v0.2.0/go.mod h1:M5iPavzE9pPqWyeiVXSFghQjljW1+l/Uke3PXHS6ILY=
-github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3Uqrmrcpk=
-github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A=
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
 github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8=
 github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs=
@@ -328,12 +343,12 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jgautheron/goconst v1.8.1 h1:PPqCYp3K/xlOj5JmIe6O1Mj6r1DbkdbLtR3AJuZo414=
-github.com/jgautheron/goconst v1.8.1/go.mod h1:A0oxgBCHy55NQn6sYpO7UdnA9p+h7cPtoOZUmvNIako=
+github.com/jgautheron/goconst v1.8.2 h1:y0XF7X8CikZ93fSNT6WBTb/NElBu9IjaY7CCYQrCMX4=
+github.com/jgautheron/goconst v1.8.2/go.mod h1:A0oxgBCHy55NQn6sYpO7UdnA9p+h7cPtoOZUmvNIako=
 github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs=
 github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
-github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpRRc=
-github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
+github.com/jjti/go-spancheck v0.6.5 h1:lmi7pKxa37oKYIMScialXUK6hP3iY5F1gu+mLBPgYB8=
+github.com/jjti/go-spancheck v0.6.5/go.mod h1:aEogkeatBrbYsyW6y5TgDfihCulDYciL1B7rG2vSsrU=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -362,22 +377,22 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kulti/thelper v0.6.3 h1:ElhKf+AlItIu+xGnI990no4cE2+XaSu1ULymV2Yulxs=
-github.com/kulti/thelper v0.6.3/go.mod h1:DsqKShOvP40epevkFrvIwkCMNYxMeTNjdWL4dqWHZ6I=
+github.com/kulti/thelper v0.7.1 h1:fI8QITAoFVLx+y+vSyuLBP+rcVIB8jKooNSCT2EiI98=
+github.com/kulti/thelper v0.7.1/go.mod h1:NsMjfQEy6sd+9Kfw8kCP61W1I0nerGSYSFnGaxQkcbs=
 github.com/kunwardeep/paralleltest v1.0.14 h1:wAkMoMeGX/kGfhQBPODT/BL8XhK23ol/nuQ3SwFaUw8=
 github.com/kunwardeep/paralleltest v1.0.14/go.mod h1:di4moFqtfz3ToSKxhNjhOZL+696QtJGCFe132CbBLGk=
 github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4=
 github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI=
-github.com/ldez/exptostd v0.4.3 h1:Ag1aGiq2epGePuRJhez2mzOpZ8sI9Gimcb4Sb3+pk9Y=
-github.com/ldez/exptostd v0.4.3/go.mod h1:iZBRYaUmcW5jwCR3KROEZ1KivQQp6PHXbDPk9hqJKCQ=
-github.com/ldez/gomoddirectives v0.6.1 h1:Z+PxGAY+217f/bSGjNZr/b2KTXcyYLgiWI6geMBN2Qc=
-github.com/ldez/gomoddirectives v0.6.1/go.mod h1:cVBiu3AHR9V31em9u2kwfMKD43ayN5/XDgr+cdaFaKs=
-github.com/ldez/grignotin v0.9.0 h1:MgOEmjZIVNn6p5wPaGp/0OKWyvq42KnzAt/DAb8O4Ow=
-github.com/ldez/grignotin v0.9.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
-github.com/ldez/tagliatelle v0.7.1 h1:bTgKjjc2sQcsgPiT902+aadvMjCeMHrY7ly2XKFORIk=
-github.com/ldez/tagliatelle v0.7.1/go.mod h1:3zjxUpsNB2aEZScWiZTHrAXOl1x25t3cRmzfK1mlo2I=
-github.com/ldez/usetesting v0.4.3 h1:pJpN0x3fMupdTf/IapYjnkhiY1nSTN+pox1/GyBRw3k=
-github.com/ldez/usetesting v0.4.3/go.mod h1:eEs46T3PpQ+9RgN9VjpY6qWdiw2/QmfiDeWmdZdrjIQ=
+github.com/ldez/exptostd v0.4.4 h1:58AtQjnLcT/tI5W/1KU7xE/O7zW9RAWB6c/ScQAnfus=
+github.com/ldez/exptostd v0.4.4/go.mod h1:QfdzPw6oHjFVdNV7ILoPu5sw3OZ3OG1JS0I5JN3J4Js=
+github.com/ldez/gomoddirectives v0.7.0 h1:EOx8Dd56BZYSez11LVgdj025lKwlP0/E5OLSl9HDwsY=
+github.com/ldez/gomoddirectives v0.7.0/go.mod h1:wR4v8MN9J8kcwvrkzrx6sC9xe9Cp68gWYCsda5xvyGc=
+github.com/ldez/grignotin v0.10.1 h1:keYi9rYsgbvqAZGI1liek5c+jv9UUjbvdj3Tbn5fn4o=
+github.com/ldez/grignotin v0.10.1/go.mod h1:UlDbXFCARrXbWGNGP3S5vsysNXAPhnSuBufpTEbwOas=
+github.com/ldez/tagliatelle v0.7.2 h1:KuOlL70/fu9paxuxbeqlicJnCspCRjH0x8FW+NfgYUk=
+github.com/ldez/tagliatelle v0.7.2/go.mod h1:PtGgm163ZplJfZMZ2sf5nhUT170rSuPgBimoyYtdaSI=
+github.com/ldez/usetesting v0.5.0 h1:3/QtzZObBKLy1F4F8jLuKJiKBjjVFi1IavpoWbmqLwc=
+github.com/ldez/usetesting v0.5.0/go.mod h1:Spnb4Qppf8JTuRgblLrEWb7IE6rDmUpGvxY3iRrzvDQ=
 github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY=
 github.com/leonklingele/grouper v1.1.2/go.mod h1:6D0M/HVkhs2yRKRFZUoGjeDy7EZTfFBE9gl4kjmIGkA=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
@@ -386,8 +401,10 @@ github.com/macabu/inamedparam v0.2.0 h1:VyPYpOc10nkhI2qeNUdh3Zket4fcZjEWe35poddB
 github.com/macabu/inamedparam v0.2.0/go.mod h1:+Pee9/YfGe5LJ62pYXqB89lJ+0k5bsR8Wgz/C0Zlq3U=
 github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo=
 github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
-github.com/manuelarte/funcorder v0.2.1 h1:7QJsw3qhljoZ5rH0xapIvjw31EcQeFbF31/7kQ/xS34=
-github.com/manuelarte/funcorder v0.2.1/go.mod h1:BQQ0yW57+PF9ZpjpeJDKOffEsQbxDFKW8F8zSMe/Zd0=
+github.com/manuelarte/embeddedstructfieldcheck v0.4.0 h1:3mAIyaGRtjK6EO9E73JlXLtiy7ha80b2ZVGyacxgfww=
+github.com/manuelarte/embeddedstructfieldcheck v0.4.0/go.mod h1:z8dFSyXqp+fC6NLDSljRJeNQJJDWnY7RoWFzV3PC6UM=
+github.com/manuelarte/funcorder v0.5.0 h1:llMuHXXbg7tD0i/LNw8vGnkDTHFpTnWqKPI85Rknc+8=
+github.com/manuelarte/funcorder v0.5.0/go.mod h1:Yt3CiUQthSBMBxjShjdXMexmzpP8YGvGLjrxJNkO2hA=
 github.com/maratori/testableexamples v1.0.0 h1:dU5alXRrD8WKSjOUnmJZuzdxWOEQ57+7s93SLMxb2vI=
 github.com/maratori/testableexamples v1.0.0/go.mod h1:4rhjL1n20TUTT4vdh3RDqSizKLyXp7K2u6HgraZCGzE=
 github.com/maratori/testpackage v1.1.1 h1:S58XVV5AD7HADMmD0fNnziNHqKvSdDuEKdPD1rNTU04=
@@ -400,13 +417,12 @@ github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHP
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mgechev/revive v1.9.0 h1:8LaA62XIKrb8lM6VsBSQ92slt/o92z5+hTw3CmrvSrM=
-github.com/mgechev/revive v1.9.0/go.mod h1:LAPq3+MgOf7GcL5PlWIkHb0PT7XH4NuC2LdWymhb9Mo=
+github.com/mgechev/revive v1.12.0 h1:Q+/kkbbwerrVYPv9d9efaPGmAO/NsxwW/nE6ahpQaCU=
+github.com/mgechev/revive v1.12.0/go.mod h1:VXsY2LsTigk8XU9BpZauVLjVrhICMOV3k1lpB3CXrp8=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -428,14 +444,12 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
 github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
-github.com/nunnatsa/ginkgolinter v0.19.1 h1:mjwbOlDQxZi9Cal+KfbEJTCz327OLNfwNvoZ70NJ+c4=
-github.com/nunnatsa/ginkgolinter v0.19.1/go.mod h1:jkQ3naZDmxaZMXPWaS9rblH+i+GWXQCaS/JFIWcOH2s=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
-github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
-github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/nunnatsa/ginkgolinter v0.21.0 h1:IYwuX+ajy3G1MezlMLB1BENRtFj16+Evyi4uki1NOOQ=
+github.com/nunnatsa/ginkgolinter v0.21.0/go.mod h1:QlzY9UP9zaqu58FjYxhp9bnjuwXwG1bfW5rid9ChNMw=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
+github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
+github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
@@ -449,7 +463,6 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@@ -505,14 +518,14 @@ github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9f
 github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
 github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw=
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
-github.com/sashamelentyev/usestdlibvars v1.28.0 h1:jZnudE2zKCtYlGzLVreNp5pmCdOxXUzwsMDBkR21cyQ=
-github.com/sashamelentyev/usestdlibvars v1.28.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
-github.com/securego/gosec/v2 v2.22.3 h1:mRrCNmRF2NgZp4RJ8oJ6yPJ7G4x6OCiAXHd8x4trLRc=
-github.com/securego/gosec/v2 v2.22.3/go.mod h1:42M9Xs0v1WseinaB/BmNGO8AVqG8vRfhC2686ACY48k=
+github.com/sashamelentyev/usestdlibvars v1.29.0 h1:8J0MoRrw4/NAXtjQqTHrbW9NN+3iMf7Knkq057v4XOQ=
+github.com/sashamelentyev/usestdlibvars v1.29.0/go.mod h1:8PpnjHMk5VdeWlVb4wCdrB8PNbLqZ3wBZTZWkrpZZL8=
+github.com/securego/gosec/v2 v2.22.8 h1:3NMpmfXO8wAVFZPNsd3EscOTa32Jyo6FLLlW53bexMI=
+github.com/securego/gosec/v2 v2.22.8/go.mod h1:ZAw8K2ikuH9qDlfdV87JmNghnVfKB1XC7+TVzk6Utto=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
@@ -524,21 +537,22 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
-github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM=
-github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c=
+github.com/sonatard/noctx v0.4.0 h1:7MC/5Gg4SQ4lhLYR6mvOP6mQVSxCrdyiExo7atBs27o=
+github.com/sonatard/noctx v0.4.0/go.mod h1:64XdbzFb18XL4LporKXp8poqZtPKbCrqQ402CV+kJas=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
 github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
 github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
@@ -547,30 +561,22 @@ github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8B
 github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
-github.com/tdakkota/asciicheck v0.4.1 h1:bm0tbcmi0jezRA2b5kg4ozmMuGAFotKI3RZfrhfovg8=
-github.com/tdakkota/asciicheck v0.4.1/go.mod h1:0k7M3rCfRXb0Z6bwgvkEIMleKH3kXNz9UqJ9Xuqopr8=
 github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA=
 github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
-github.com/tetafro/godot v1.5.1 h1:PZnjCol4+FqaEzvZg5+O8IY2P3hfY9JzRBNPv1pEDS4=
-github.com/tetafro/godot v1.5.1/go.mod h1:cCdPtEndkmqqrhiCfkmxDodMQJ/f3L1BCNskCUZdTwk=
+github.com/tetafro/godot v1.5.4 h1:u1ww+gqpRLiIA16yF2PV1CV1n/X3zhyezbNXC3E14Sg=
+github.com/tetafro/godot v1.5.4/go.mod h1:eOkMrVQurDui411nBY2FA05EYH01r14LuWY/NrVDVcU=
 github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 h1:9LPGD+jzxMlnk5r6+hJnar67cgpDIz/iyD+rfl5r2Vk=
 github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67/go.mod h1:mkjARE7Yr8qU23YcGMSALbIxTQ9r9QBVahQOBRfU460=
 github.com/timonwong/loggercheck v0.11.0 h1:jdaMpYBl+Uq9mWPXv1r8jc5fC3gyXx4/WGwTnnNKn4M=
@@ -585,8 +591,8 @@ github.com/ultraware/whitespace v0.2.0 h1:TYowo2m9Nfj1baEQBjuHzvMRbp19i+RCcRYrSW
 github.com/ultraware/whitespace v0.2.0/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
 github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
 github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
-github.com/uudashr/iface v1.3.1 h1:bA51vmVx1UIhiIsQFSNq6GZ6VPTk3WNMZgRiCe9R29U=
-github.com/uudashr/iface v1.3.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
+github.com/uudashr/iface v1.4.1 h1:J16Xl1wyNX9ofhpHmQ9h9gk5rnv2A6lX/2+APLTo0zU=
+github.com/uudashr/iface v1.4.1/go.mod h1:pbeBPlbuU2qkNDn0mmfrxP2X+wjPMIQAy+r1MBXSXtg=
 github.com/xen0n/gosmopolitan v1.3.0 h1:zAZI1zefvo7gcpbCOrPSHJZJYA9ZgLfJqtKzZ5pHqQM=
 github.com/xen0n/gosmopolitan v1.3.0/go.mod h1:rckfr5T6o4lBtM1ga7mLGKZmLxswUoH1zxHgNXOsEt4=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
@@ -608,27 +614,27 @@ gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo=
 gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8=
 go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ=
 go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28=
-go-simpler.org/musttag v0.13.1 h1:lw2sJyu7S1X8lc8zWUAdH42y+afdcCnHhWpnkWvd6vU=
-go-simpler.org/musttag v0.13.1/go.mod h1:8r450ehpMLQgvpb6sg+hV5Ur47eH6olp/3yEanfG97k=
-go-simpler.org/sloglint v0.11.0 h1:JlR1X4jkbeaffiyjLtymeqmGDKBDO1ikC6rjiuFAOco=
-go-simpler.org/sloglint v0.11.0/go.mod h1:CFDO8R1i77dlciGfPEPvYke2ZMx4eyGiEIWkyeW2Pvw=
-go.augendre.info/fatcontext v0.8.0 h1:2dfk6CQbDGeu1YocF59Za5Pia7ULeAM6friJ3LP7lmk=
-go.augendre.info/fatcontext v0.8.0/go.mod h1:oVJfMgwngMsHO+KB2MdgzcO+RvtNdiCEOlWvSFtax/s=
+go-simpler.org/musttag v0.14.0 h1:XGySZATqQYSEV3/YTy+iX+aofbZZllJaqwFWs+RTtSo=
+go-simpler.org/musttag v0.14.0/go.mod h1:uP8EymctQjJ4Z1kUnjX0u2l60WfUdQxCwSNKzE1JEOE=
+go-simpler.org/sloglint v0.11.1 h1:xRbPepLT/MHPTCA6TS/wNfZrDzkGvCCqUv4Bdwc3H7s=
+go-simpler.org/sloglint v0.11.1/go.mod h1:2PowwiCOK8mjiF+0KGifVOT8ZsCNiFzvfyJeJOIt8MQ=
+go.augendre.info/arangolint v0.2.0 h1:2NP/XudpPmfBhQKX4rMk+zDYIj//qbt4hfZmSSTcpj8=
+go.augendre.info/arangolint v0.2.0/go.mod h1:Vx4KSJwu48tkE+8uxuf0cbBnAPgnt8O1KWiT7bljq7w=
+go.augendre.info/fatcontext v0.8.1 h1:/T4+cCjpL9g71gJpcFAgVo/K5VFpqlN+NPU7QXxD5+A=
+go.augendre.info/fatcontext v0.8.1/go.mod h1:r3Qz4ZOzex66wfyyj5VZ1xUcl81vzvHQ6/GWzzlMEwA=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
-go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
-go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -652,8 +658,8 @@ golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWB
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac h1:TSSpLIG4v+p0rPv1pNOQtl1I8knsO4S9trOxNMOLVP4=
-golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 h1:Yl4H5w2RV7L/dvSHp2GerziT5K2CORgFINPaMFxWGWw=
+golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621/go.mod h1:4Mzdyp/6jzw9auFDJ3OMF5qksa7UvPnzKqTVGcb04ms=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -678,13 +684,11 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -719,14 +723,12 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -748,8 +750,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -796,19 +798,16 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
@@ -819,13 +818,11 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -861,7 +858,6 @@ golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -871,22 +867,21 @@ golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
+golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -998,14 +993,18 @@ honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
 k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
 k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-mvdan.cc/gofumpt v0.8.0 h1:nZUCeC2ViFaerTcYKstMmfysj6uhQrA2vJe+2vwGU6k=
-mvdan.cc/gofumpt v0.8.0/go.mod h1:vEYnSzyGPmjvFkqJWtXkh79UwPWP9/HMxQdGEXZHjpg=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+mvdan.cc/gofumpt v0.9.1 h1:p5YT2NfFWsYyTieYgwcQ8aKV3xRvFH4uuN/zB2gBbMQ=
+mvdan.cc/gofumpt v0.9.1/go.mod h1:3xYtNemnKiXaTh6R4VtlqDATFwBbdXI8lJvH/4qk7mw=
 mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 h1:WjUu4yQoT5BHT1w8Zu56SP8367OuBV5jvo+4Ulppyf8=
 mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4/go.mod h1:rthT7OuvRbaGcd5ginj6dA2oLE7YNlta9qhBNNdCaLE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/kube-api-linter v0.0.0-20250516124914-6df69a12c92c h1:sybeA6NAACfxBiZLdY9iRNAT9jVs25TwBnLnqG+TyTs=
-sigs.k8s.io/kube-api-linter v0.0.0-20250516124914-6df69a12c92c/go.mod h1:tnzp9Oj2Qi0qPg5t5tbDrUixTlZLjPpEjzk1kxO/2EE=
+sigs.k8s.io/kube-api-linter v0.0.0-20251029172002-9992248f8813 h1:bn2rchbo/TdTln/RcJU3B49BjPBZTl7/+pj8RSVxLbY=
+sigs.k8s.io/kube-api-linter v0.0.0-20251029172002-9992248f8813/go.mod h1:TwxOEmBIjl8POuwDF2VfmrHZ5a4o2SIPjDyqtTX7T3Q=
 sigs.k8s.io/logtools v0.9.0 h1:IMP/HTDkfM6rg6os/tcEjmQeIHyOyu/enduM/cOPGNQ=
 sigs.k8s.io/logtools v0.9.0/go.mod h1:74Z5BP7ehrMHi/Q31W1gSf8YgwT/4GPjVH5xPSPeZA0=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/hack/tools/golangci-lint/go.work b/hack/tools/golangci-lint/go.work
index bc4290def2c27..ebdf3df29addb 100644
--- a/hack/tools/golangci-lint/go.work
+++ b/hack/tools/golangci-lint/go.work
@@ -1,8 +1,8 @@
 // This is a hack, but it prevents go from climbing further and trying to
 // reconcile the various deps across the "real" modules and this one.
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 use .
diff --git a/hack/tools/ncpu/main.go b/hack/tools/ncpu/main.go
deleted file mode 100644
index edaeb98a8acf8..0000000000000
--- a/hack/tools/ncpu/main.go
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package main
-
-import (
-	"fmt"
-	"runtime"
-
-	"go.uber.org/automaxprocs/maxprocs"
-)
-
-func main() {
-	maxprocs.Set()
-	fmt.Print(runtime.GOMAXPROCS(0))
-}
diff --git a/hack/tools/tools.go b/hack/tools/tools.go
deleted file mode 100644
index a990be8787941..0000000000000
--- a/hack/tools/tools.go
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-Copyright 2019 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package tools is used to track binary dependencies with go modules
-// https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module
-package tools
-
-import (
-	// linting tools
-	_ "github.com/aojea/sloppy-netparser"
-	_ "github.com/golangci/misspell"
-	_ "github.com/jcchavezs/porto/cmd/porto"
-	_ "honnef.co/go/tools/cmd/staticcheck"
-
-	// benchmarking tools
-	_ "github.com/cespare/prettybench"
-	_ "gotest.tools/gotestsum"
-
-	// mockery
-	_ "github.com/vektra/mockery/v2"
-
-	// tools like cpu
-	_ "go.uber.org/automaxprocs"
-
-	// for publishing bot
-	_ "golang.org/x/mod/modfile"
-	_ "k8s.io/publishing-bot/cmd/publishing-bot/config"
-
-	// used by go-to-protobuf
-	_ "golang.org/x/tools/cmd/goimports"
-
-	// protobuf generation
-	_ "google.golang.org/grpc/cmd/protoc-gen-go-grpc"
-	_ "google.golang.org/protobuf/cmd/protoc-gen-go"
-
-	// yamlfmt
-	_ "sigs.k8s.io/yaml/yamlfmt"
-)
diff --git a/hack/unwanted-dependencies.json b/hack/unwanted-dependencies.json
index 675bdcab7d155..cb651e3a1868b 100644
--- a/hack/unwanted-dependencies.json
+++ b/hack/unwanted-dependencies.json
@@ -85,6 +85,7 @@
       "google.golang.org/appengine": "cloud dependency",
       "google.golang.org/genproto": "refer to #113366",
       "gopkg.in/square/go-jose.v2": "obsolete, use gopkg.in/go-jose/go-jose.v2",
+      "gopkg.in/evanphx/json-patch.v5": "refer to https://github.com/kubernetes/kubernetes/pull/91622#issuecomment-637087847",
       "gopkg.in/fsnotify.v1": "obsolete, use github.com/fsnotify/fsnotify",
       "gopkg.in/yaml.v2": "prefer sigs.k8s.io/yaml",
       "gopkg.in/yaml.v3": "prefer sigs.k8s.io/yaml/goyaml.v3",
@@ -146,16 +147,7 @@
         "go.etcd.io/etcd/client/v3",
         "go.etcd.io/etcd/server/v3",
         "go.etcd.io/raft/v3",
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/apiserver",
-        "k8s.io/client-go",
-        "k8s.io/code-generator",
-        "k8s.io/kube-aggregator",
-        "k8s.io/kubelet",
-        "k8s.io/kubernetes",
-        "k8s.io/metrics"
+        "k8s.io/code-generator"
       ],
       "github.com/golang/groupcache": [
         "go.etcd.io/etcd/server/v3"
@@ -216,7 +208,6 @@
         "sigs.k8s.io/structured-merge-diff/v6"
       ],
       "github.com/pkg/errors": [
-        "github.com/Microsoft/hnslib",
         "github.com/google/cadvisor",
         "sigs.k8s.io/kustomize/api",
         "sigs.k8s.io/kustomize/kustomize/v5"
@@ -229,11 +220,8 @@
         "github.com/google/cel-go",
         "github.com/grpc-ecosystem/go-grpc-middleware/v2"
       ],
-      "gopkg.in/yaml.v2": [
-        "github.com/prometheus/client_golang",
-        "github.com/prometheus/common"
-      ],
       "gopkg.in/yaml.v3": [
+        "github.com/containerd/containerd/api",
         "github.com/coreos/go-semver",
         "github.com/cyphar/filepath-securejoin",
         "github.com/go-logr/zapr",
@@ -245,8 +233,6 @@
         "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus",
         "github.com/grpc-ecosystem/go-grpc-middleware/v2",
         "github.com/grpc-ecosystem/grpc-gateway/v2",
-        "github.com/onsi/ginkgo/v2",
-        "github.com/onsi/gomega",
         "github.com/prometheus/common",
         "github.com/spf13/cobra",
         "github.com/stretchr/objx",
@@ -287,7 +273,6 @@
       "github.com/mailru/easyjson",
       "github.com/modern-go/concurrent",
       "github.com/modern-go/reflect2",
-      "github.com/pkg/errors",
       "golang.org/x/exp",
       "gopkg.in/yaml.v3"
     ]
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 5458e87f5ad43..2d13d305a8256 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -120,10 +120,6 @@ function codegen::protobuf() {
         return
     fi
 
-    # NOTE: All output from this script needs to be copied back to the calling
-    # source tree.  This is managed in kube::build::copy_output in build/common.sh.
-    # If the output set is changed update that function.
-
     local apis=()
     kube::util::read-array apis < <(
         git grep --untracked --null -l \
@@ -134,7 +130,7 @@ function codegen::protobuf() {
             | sed 's|^|k8s.io/kubernetes/|;s|k8s.io/kubernetes/staging/src/||' \
             | sort -u)
 
-    kube::log::status "protobufs: ${#apis[@]} targets"
+    kube::log::status "Generating protobufs for ${#apis[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: generating protobufs for:"
         for dir in "${apis[@]}"; do
@@ -145,6 +141,7 @@ function codegen::protobuf() {
     git_find -z \
         ':(glob)**/generated.proto' \
         ':(glob)**/generated.pb.go' \
+        ':(glob)**/generated.protomessage.pb.go' \
         | xargs -0 rm -f
 
     if kube::protoc::check_protoc >/dev/null; then
@@ -166,13 +163,6 @@ function codegen::protobuf() {
 #     register: generate deep-copy functions and register them with a
 #               scheme
 function codegen::deepcopy() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for deepcopy codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/deepcopy-gen
@@ -198,7 +188,7 @@ function codegen::deepcopy() {
         tag_pkgs+=("./$dir")
     done
 
-    kube::log::status "deepcopy: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating deepcopy code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running deepcopy-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -274,13 +264,6 @@ EOF
 # Some of the later codegens depend on the results of this, so it needs to come
 # first in the case of regenerating everything.
 function codegen::swagger() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for swagger codegen"
-        fi
-        return
-    fi
-
     # Build the tool
     GOPROXY=off go install \
         ./cmd/genswaggertypedocs
@@ -288,7 +271,7 @@ function codegen::swagger() {
     local group_versions=()
     IFS=" " read -r -a group_versions <<< "meta/v1 meta/v1beta1 ${KUBE_AVAILABLE_GROUP_VERSIONS}"
 
-    kube::log::status "swagger: ${#group_versions[@]} targets"
+    kube::log::status "Generating swagger for ${#group_versions[@]} targets"
 
     git_find -z ':(glob)**/types_swagger_doc_generated.go' | xargs -0 rm -f
 
@@ -304,13 +287,6 @@ function codegen::swagger() {
 # comment-tag in column 0 of one file of the form:
 #     // +k8s:prerelease-lifecycle-gen=true
 function codegen::prerelease() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for prerelease codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/prerelease-lifecycle-gen
@@ -336,7 +312,7 @@ function codegen::prerelease() {
         tag_pkgs+=("./$dir")
     done
 
-    kube::log::status "prerelease-lifecycle: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating prerelease-lifecycle code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running prerelease-lifecycle-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -375,13 +351,6 @@ function codegen::prerelease() {
 #       FIELDNAME: any object with a field of this name is a candidate
 #                  for having a defaulter generated
 function codegen::defaults() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for defaults codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/defaulter-gen
@@ -407,7 +376,7 @@ function codegen::defaults() {
         tag_pkgs+=("./$dir")
     done
 
-    kube::log::status "defaults: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating defaulter code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running defaulter-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -483,7 +452,7 @@ function codegen::validation() {
         time
     )
 
-    kube::log::status "validation: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating validation code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running validation-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -491,19 +460,13 @@ function codegen::validation() {
         done
     fi
 
-    local lint_flag=() # empty arrays expand to no-value (as opposed to "")
-    if [[ -n "${LINT:-}" ]]; then
-        lint_flag+=("--lint")
-    else
-        git_find -z ':(glob)**'/"${output_file}" | xargs -0 rm -f
-    fi
+    git_find -z ':(glob)**'/"${output_file}" | xargs -0 rm -f
 
     validation-gen \
         -v "${KUBE_VERBOSE}" \
         --go-header-file "${BOILERPLATE_FILENAME}" \
         --output-file "${output_file}" \
         $(printf -- " --readonly-pkg %s" "${readonly_pkgs[@]}") \
-        "${lint_flag[@]}" `# may expand to nothing` \
         "${tag_pkgs[@]}" \
         "$@"
 
@@ -534,13 +497,6 @@ function codegen::validation() {
 # TODO: it might be better in the long term to make peer-types explicit in the
 # IDL.
 function codegen::conversions() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for conversions codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/conversion-gen
@@ -572,7 +528,7 @@ function codegen::conversions() {
         k8s.io/api/core/v1
     )
 
-    kube::log::status "conversion: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating conversion code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running conversion-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -602,13 +558,6 @@ function codegen::conversions() {
 #     // +k8s:register-gen=package
 #
 function codegen::register() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for register codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/register-gen
@@ -634,7 +583,7 @@ function codegen::register() {
         tag_pkgs+=("./$dir")
     done
 
-    kube::log::status "register: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating register code for ${#tag_pkgs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running register-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -680,13 +629,6 @@ function k8s_tag_files_except() {
 # comment-tag in column 0 of one file of the form:
 #     // +k8s:openapi-gen=true
 function codegen::openapi() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for openapi codegen"
-        fi
-        return
-    fi
-
     # Build the tool.
     GOPROXY=off go install \
         k8s.io/kube-openapi/cmd/openapi-gen
@@ -694,6 +636,8 @@ function codegen::openapi() {
     # The result file, in each pkg, of open-api generation.
     local output_file="${GENERATED_FILE_PREFIX}openapi.go"
 
+    local output_model_name_file="${GENERATED_FILE_PREFIX}model_name.go"
+
     local output_dir="pkg/generated/openapi"
     local output_pkg="k8s.io/kubernetes/${output_dir}"
     local known_violations_file="${API_KNOWN_VIOLATIONS_DIR}/violation_exceptions.list"
@@ -718,7 +662,7 @@ function codegen::openapi() {
 
     local tag_dirs=()
     kube::util::read-array tag_dirs < <(
-        grep -l --null '+k8s:openapi-gen=' "${tag_files[@]}" \
+        grep -l --null '+k8s:openapi' "${tag_files[@]}" \
             | while read -r -d $'\0' F; do dirname "${F}"; done \
             | sort -u)
 
@@ -731,7 +675,7 @@ function codegen::openapi() {
         tag_pkgs+=("./$dir")
     done
 
-    kube::log::status "openapi: ${#tag_pkgs[@]} targets"
+    kube::log::status "Generating openapi code"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running openapi-gen for:"
         for dir in "${tag_dirs[@]}"; do
@@ -740,6 +684,7 @@ function codegen::openapi() {
     fi
 
     git_find -z ':(glob)pkg/generated/**'/"${output_file}" | xargs -0 rm -f
+    git_find -z ':(glob)pkg/generated/**'/"${output_model_name_file}" | xargs -0 rm -f
 
     openapi-gen \
         -v "${KUBE_VERBOSE}" \
@@ -748,6 +693,7 @@ function codegen::openapi() {
         --output-dir "${output_dir}" \
         --output-pkg "${output_pkg}" \
         --report-filename "${report_file}" \
+        --output-model-name-file "${output_model_name_file}" \
         "${tag_pkgs[@]}" \
         "$@"
 
@@ -765,13 +711,6 @@ function codegen::openapi() {
 }
 
 function codegen::applyconfigs() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for applyconfigs codegen"
-        fi
-        return
-    fi
-
     GOPROXY=off go install \
         k8s.io/kubernetes/pkg/generated/openapi/cmd/models-schema \
         k8s.io/code-generator/cmd/applyconfiguration-gen
@@ -784,7 +723,7 @@ function codegen::applyconfigs() {
             | sort -u)
     ext_apis+=("k8s.io/apimachinery/pkg/apis/meta/v1")
 
-    kube::log::status "apply-config: ${#ext_apis[@]} targets"
+    kube::log::status "Generating apply-config code for ${#ext_apis[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running applyconfiguration-gen for:"
         for api in "${ext_apis[@]}"; do
@@ -814,13 +753,6 @@ function codegen::applyconfigs() {
 }
 
 function codegen::clients() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for clients codegen"
-        fi
-        return
-    fi
-
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/client-gen
 
@@ -842,7 +774,7 @@ function codegen::clients() {
         gv_dirs+=("${pkg_dir}")
     done
 
-    kube::log::status "clients: ${#gv_dirs[@]} targets"
+    kube::log::status "Generating client code for ${#gv_dirs[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running client-gen for:"
         for dir in "${gv_dirs[@]}"; do
@@ -876,13 +808,6 @@ function codegen::clients() {
 }
 
 function codegen::listers() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for listers codegen"
-        fi
-        return
-    fi
-
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/lister-gen
 
@@ -893,7 +818,7 @@ function codegen::listers() {
             | while read -r -d $'\0' F; do dirname "${F}"; done \
             | sort -u)
 
-    kube::log::status "listers: ${#ext_apis[@]} targets"
+    kube::log::status "Generating lister code for ${#ext_apis[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running lister-gen for:"
         for api in "${ext_apis[@]}"; do
@@ -923,13 +848,6 @@ function codegen::listers() {
 }
 
 function codegen::informers() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for informers codegen"
-        fi
-        return
-    fi
-
     GOPROXY=off go install \
         k8s.io/code-generator/cmd/informer-gen
 
@@ -940,7 +858,7 @@ function codegen::informers() {
             | while read -r -d $'\0' F; do dirname "${F}"; done \
             | sort -u)
 
-    kube::log::status "informers: code for ${#ext_apis[@]} targets"
+    kube::log::status "Generating informer code for ${#ext_apis[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: running informer-gen for:"
         for api in "${ext_apis[@]}"; do
@@ -979,13 +897,6 @@ function indent() {
 }
 
 function codegen::subprojects() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for subprojects codegen"
-        fi
-        return
-    fi
-
     # Call generation on sub-projects.
     local subs=(
         staging/src/k8s.io/code-generator/examples
@@ -1000,7 +911,7 @@ function codegen::subprojects() {
     local codegen
     codegen="${KUBE_ROOT}/staging/src/k8s.io/code-generator"
     for sub in "${subs[@]}"; do
-        kube::log::status "subproject ${sub}:"
+        kube::log::status "Generating code for subproject ${sub}"
         pushd "${sub}" >/dev/null
         CODEGEN_PKG="${codegen}" \
         UPDATE_API_KNOWN_VIOLATIONS="${UPDATE_API_KNOWN_VIOLATIONS}" \
@@ -1011,19 +922,10 @@ function codegen::subprojects() {
 }
 
 function codegen::protobindings() {
-    if [[ -n "${LINT:-}" ]]; then                                                             
-        if [[ "${KUBE_VERBOSE}" -gt 2 ]]; then
-            kube::log::status "No linter for protobindings codegen"
-        fi
-        return
-    fi
-
     # Each element of this array is a directory containing subdirectories which
     # eventually contain a file named "api.proto".
-    local apis_using_gogo=(
+    local apis=(
         "staging/src/k8s.io/kubelet/pkg/apis/dra"
-    )
-    local apis_using_protoc=(
         "staging/src/k8s.io/kubelet/pkg/apis/deviceplugin"
         "staging/src/k8s.io/kubelet/pkg/apis/podresources"
         "staging/src/k8s.io/kms/apis"
@@ -1034,9 +936,8 @@ function codegen::protobindings() {
         "staging/src/k8s.io/externaljwt/apis"
         "staging/src/k8s.io/kubelet/pkg/apis/dra-health"
     )
-    local apis=("${apis_using_gogo[@]}" "${apis_using_protoc[@]}")
 
-    kube::log::status "protobuf bindings: ${#apis[@]} targets"
+    kube::log::status "Generating protobuf bindings for ${#apis[@]} targets"
     if [[ "${DBG_CODEGEN}" == 1 ]]; then
         kube::log::status "DBG: generating protobuf bindings for:"
         for dir in "${apis[@]}"; do
@@ -1050,15 +951,11 @@ function codegen::protobindings() {
     done
 
     if kube::protoc::check_protoc >/dev/null; then
-      hack/_update-generated-proto-bindings-dockerized.sh gogo   "${apis_using_gogo[@]}"
-      hack/_update-generated-proto-bindings-dockerized.sh protoc "${apis_using_protoc[@]}"
+      hack/_update-generated-proto-bindings-dockerized.sh "${apis[@]}"
     else
       kube::log::status "protoc ${PROTOC_VERSION} not found (can install with hack/install-protoc.sh); generating containerized..."
-      # NOTE: All output from this script needs to be copied back to the calling
-      # source tree.  This is managed in kube::build::copy_output in build/common.sh.
-      # If the output set is changed update that function.
-      build/run.sh hack/_update-generated-proto-bindings-dockerized.sh gogo   "${apis_using_gogo[@]}"
-      build/run.sh hack/_update-generated-proto-bindings-dockerized.sh protoc "${apis_using_protoc[@]}"
+
+      build/run.sh hack/_update-generated-proto-bindings-dockerized.sh "${apis[@]}"
     fi
 }
 
diff --git a/hack/update-mocks.sh b/hack/update-mocks.sh
index eb2b9760b8f1b..f84bb36852199 100755
--- a/hack/update-mocks.sh
+++ b/hack/update-mocks.sh
@@ -27,7 +27,7 @@ source "${KUBE_ROOT}/hack/lib/init.sh"
 kube::golang::setup_env
 
 echo 'installing mockery'
-GOTOOLCHAIN="$(kube::golang::hack_tools_gotoolchain)" go -C "${KUBE_ROOT}/hack/tools" install github.com/vektra/mockery/v2
+GOTOOLCHAIN="$(kube::golang::hack_tools_gotoolchain)" go -C "${KUBE_ROOT}/hack/tools" install github.com/vektra/mockery/v3
 
 function git_grep() {
   git grep --untracked --exclude-standard \
@@ -42,7 +42,7 @@ function git_grep() {
 
 cd "${KUBE_ROOT}"
 
-GENERATED_MOCK_FILE_REGEX="^// Code generated by mockery v[0-9.]\+. DO NOT EDIT.$"
+GENERATED_MOCK_FILE_REGEX="^// Code generated by mockery.* DO NOT EDIT.$"
 
 git_grep -l -z "${GENERATED_MOCK_FILE_REGEX}" | xargs -0 rm -f
 
diff --git a/hack/verify-api-lint.sh b/hack/verify-api-lint.sh
deleted file mode 100755
index 10764686923af..0000000000000
--- a/hack/verify-api-lint.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2024 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script runs API lint tools.
-#
-# Usage: `hack/verify-api-lint.sh`.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
-source "${KUBE_ROOT}/hack/lib/init.sh"
-
-cd "${KUBE_ROOT}"
-
-LINT=true hack/update-codegen.sh
diff --git a/hack/verify-e2e-images.sh b/hack/verify-e2e-images.sh
index faa28880e9b38..7c99a73d727b6 100755
--- a/hack/verify-e2e-images.sh
+++ b/hack/verify-e2e-images.sh
@@ -22,6 +22,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 cd "${KUBE_ROOT}"
 
 source hack/lib/init.sh
+ret=0
 
 # NOTE: Please do NOT add any to this list!!
 #
@@ -34,16 +35,37 @@ kube::util::read-array PERMITTED_IMAGES < <(sed '/^#/d' ./test/images/.permitted
 echo "Getting e2e image list ..."
 make WHAT=test/e2e/e2e.test
 e2e_test="$(kube::util::find-binary e2e.test)"
-kube::util::read-array IMAGES < <("${e2e_test}" --list-images | sed -E 's/^(.+):[^:]+$/\1/' | LC_ALL=C sort -u)
+
+# validate "e2e.test --list-images":
+# - no unexpected output (whether it's on stderr or stdout)
+# - zero exit code (indirectly ensures that tests are set up properly)
+output=$("${e2e_test}" --list-images 2>&1) || ret=$?
+if [[ $ret -ne 0 ]]; then
+  >&2 echo "FAIL: '${e2e_test} --list-images' failed:"
+  >&2 echo "${output}"
+  exit 1
+fi
+
+unexpected_output=$(echo "${output}" | grep -v -E '^([[:alnum:]/.-]+):[^:]+$' || true)
+if [[ -n "${unexpected_output}" ]]; then
+  >&2 echo "FAIL: '${e2e_test} --list-images' printed unexpected output:"
+  >&2 echo "${unexpected_output}"
+  exit 1
+fi
+
+# extract image names without the version
+kube::util::read-array IMAGES < <(echo "${output}" | sed -E 's/^([[:alnum:]/.-]+):[^:]+$/\1/' | LC_ALL=C sort -u)
 
 # diff versus known permitted images
-ret=0
 >&2 echo "Diffing e2e image list ..."
-diff -Naupr <(printf '%s\n' "${IMAGES[@]}") <(printf '%s\n' "${PERMITTED_IMAGES[@]}") || ret=$?
+# diff context is irrelevant here because of sorting.
+# Instead we want to know about old images (no longer in use, need to be removed)
+# and new images (should not get added).
+diff <(printf '%s\n' "${PERMITTED_IMAGES[@]}") <(printf '%s\n' "${IMAGES[@]}") | sed -E -e '/^---$/d' -e '/^[[:digit:]]+[acd][[:digit:]]+$/d' -e 's/^</obsolete image:/' -e 's/^>/forbidden image:/' >&2 || ret=$?
 if [[ $ret -eq 0 ]]; then
   >&2 echo "PASS: e2e images used are OK."
 else
-  >&2 echo "FAIL: e2e images do not match the approved list!"
+  >&2 echo "FAIL: current e2e images do not match the approved list in test/images/.permitted-images!"
   >&2 echo ""
   >&2 echo "Please use registry.k8s.io/e2e-test-images/agnhost wherever possible, we are consolidating test images."
   >&2 echo "See: test/images/agnhost/README.md"
diff --git a/hack/verify-golangci-lint-pr.sh b/hack/verify-golangci-lint-pr.sh
deleted file mode 100755
index 689028add309d..0000000000000
--- a/hack/verify-golangci-lint-pr.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2022 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This script checks a PR for the coding style for the Go language files using
-# golangci-lint. It does nothing when invoked as part of a normal "make
-# verify".
-
-set -o nounset
-set -o pipefail
-
-if [ ! "${PULL_NUMBER:-}" ]; then
-  echo 'Not testing anything because this is not a pull request.'
-  exit 0
-fi
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
-
-"${KUBE_ROOT}/hack/verify-golangci-lint.sh" -r "${PULL_BASE_SHA}" -s
diff --git a/hack/verify-golangci-lint.sh b/hack/verify-golangci-lint.sh
index 91550203cbe35..b2e00b9e8e572 100755
--- a/hack/verify-golangci-lint.sh
+++ b/hack/verify-golangci-lint.sh
@@ -21,7 +21,7 @@
 
 usage () {
   cat <<EOF >&2
-Usage: $0 [-r <revision>|-a] [-s] [-c none|<config>] [-- <golangci-lint run flags>] [packages]"
+Usage: $0 [-r <revision>|-a] [-c none|<config>] [-- <golangci-lint run flags>] [packages]"
    -r <revision>: only report issues in code added since that revision
    -a: automatically select the common base of origin/master and HEAD
        as revision
@@ -54,7 +54,7 @@ golangci_config="${KUBE_ROOT}/hack/golangci.yaml"
 base=
 hints=
 githubactions=
-while getopts "ar:sng:c:" o; do
+while getopts "ar:ng:c:" o; do
   case "${o}" in
     a)
       base="$(git merge-base origin/master HEAD)"
diff --git a/hack/verify-test-featuregates.sh b/hack/verify-test-featuregates.sh
index 80f7af87ac2d3..947fa250f6cdd 100755
--- a/hack/verify-test-featuregates.sh
+++ b/hack/verify-test-featuregates.sh
@@ -41,19 +41,4 @@ if [[ -n "${direct_sets}" ]]; then
   rc=1
 fi
 
-export LC_ALL=C
-# ensure all generic features are added in alphabetic order
-lines=$(git grep 'genericfeatures[.].*:' -- pkg/features/kube_features.go)
-sorted_lines=$(echo "$lines" | sort)
-if [[ "$lines" != "$sorted_lines" ]]; then
-  echo "Generic features in pkg/features/kube_features.go not sorted" >&2
-  echo >&2
-  echo "Expected:" >&2
-  echo "$sorted_lines" >&2
-  echo >&2
-  echo "Got:" >&2
-  echo "$lines" >&2
-  rc=1
-fi
-
 exit $rc
diff --git a/openshift-hack/cmd/k8s-tests-ext/disabled_tests.go b/openshift-hack/cmd/k8s-tests-ext/disabled_tests.go
index ff61abb8a2108..f3f6efc2d58ea 100644
--- a/openshift-hack/cmd/k8s-tests-ext/disabled_tests.go
+++ b/openshift-hack/cmd/k8s-tests-ext/disabled_tests.go
@@ -161,11 +161,23 @@ func filterOutDisabledSpecs(specs et.ExtensionTestSpecs) et.ExtensionTestSpecs {
 
 			// https://issues.redhat.com/browse/OCPBUGS-45275
 			"[sig-network] Connectivity Pod Lifecycle should be able to connect to other Pod from a terminating Pod",
+
+			// https://issues.redhat.com/browse/OCPBUGS-73813
+			"[sig-storage] MutableCSINodeAllocatableCount [FeatureGate:MutableCSINodeAllocatableCount] [Beta]",
+
+			// https://issues.redhat.com/browse/OCPBUGS-63132
+			"[sig-node] [Serial] Pod InPlace Resize Container (deferred-resizes) [FeatureGate:InPlacePodVerticalScaling] pod-resize-retry-deferred-test-3",
 		},
 		// tests that need to be temporarily disabled while the rebase is in progress.
 		"RebaseInProgress": {
+			// https://issues.redhat.com/browse/OCPBUGS-61515
+			"[sig-scheduling] SchedulerPreemption [Serial] validates various priority Pods preempt expectedly with the async preemption [Feature:SchedulerAsyncPreemption] [FeatureGate:SchedulerAsyncPreemption] [Beta]",
+
 			// https://issues.redhat.com/browse/OCPBUGS-61378
 			"[sig-network] Conntrack should be able to cleanup conntrack entries when UDP service target port changes for a NodePort service",
+
+			// https://issues.redhat.com/browse/OCPBUGS-77243
+			"[sig-node] Container Runtime blackbox test when running a container with a new image [Serial] should be able to pull from private registry with secret [NodeConformance]",
 		},
 		// tests that may work, but we don't support them
 		"Unsupported": {
diff --git a/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go b/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go
index 191956c54a11f..640062df5fc45 100644
--- a/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go
+++ b/openshift-hack/cmd/k8s-tests-ext/k8s-tests.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/openshift-eng/openshift-tests-extension/pkg/cmd"
 	e "github.com/openshift-eng/openshift-tests-extension/pkg/extension"
+	ext "github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests"
 	g "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
 	v "github.com/openshift-eng/openshift-tests-extension/pkg/version"
 
@@ -88,8 +89,8 @@ func main() {
 	hpaTestTimeout := time.Minute * 30
 	kubeTestsExtension.AddSuite(e.Suite{
 		Name:        "kubernetes/autoscaling/hpa",
-		Qualifiers:  []string{"name.contains('[Feature:HPA]')"}, // Note that this does not use withExcludedTestsFilter to be able to run DedicatedJob labelled tests.
-		Parallelism: 3,                                          // HPA tests have high CPU + memory usage, so we cannot have a high level of parallelism here.
+		Qualifiers:  []string{"name.contains('[Feature:HPA]') || name.contains('[Feature:HPAConfigurableTolerance]')"}, // Note that this does not use withExcludedTestsFilter to be able to run DedicatedJob labelled tests.
+		Parallelism: 3,                                                                                                 // HPA tests have high CPU + memory usage, so we cannot have a high level of parallelism here.
 		TestTimeout: &hpaTestTimeout,
 	})
 
@@ -99,10 +100,10 @@ func main() {
 		kubeTestsExtension.RegisterImage(image)
 	}
 
-	//FIXME(stbenjam): what other suites does k8s-test contribute to?
+	// FIXME(stbenjam): what other suites does k8s-test contribute to?
 
 	// Build our specs from ginkgo
-	specs, err := g.BuildExtensionTestSpecsFromOpenShiftGinkgoSuite()
+	specs, err := g.BuildExtensionTestSpecsFromOpenShiftGinkgoSuite(ext.AllTestsIncludingVendored())
 	if err != nil {
 		panic(err)
 	}
diff --git a/openshift-hack/cmd/k8s-tests-ext/labels.go b/openshift-hack/cmd/k8s-tests-ext/labels.go
index f26cf2811edb3..9a03860704f50 100644
--- a/openshift-hack/cmd/k8s-tests-ext/labels.go
+++ b/openshift-hack/cmd/k8s-tests-ext/labels.go
@@ -49,6 +49,7 @@ func addLabelsToSpecs(specs et.ExtensionTestSpecs) {
 		// tests that will be configured to run manually through their own dedicated prow jobs
 		"[DedicatedJob]": {
 			"[Feature:HPA]",
+			"[Feature:HPAConfigurableTolerance]",
 		},
 	}
 
diff --git a/openshift-hack/images/hyperkube/Dockerfile.rhel b/openshift-hack/images/hyperkube/Dockerfile.rhel
index edb5597e82617..34752d13f7e6f 100644
--- a/openshift-hack/images/hyperkube/Dockerfile.rhel
+++ b/openshift-hack/images/hyperkube/Dockerfile.rhel
@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -9,10 +9,10 @@ RUN make TAGS="${TAGS}" WHAT='cmd/kube-apiserver cmd/kube-controller-manager cmd
     /tmp/build && \
     gzip /tmp/build/k8s-tests-ext
 
-FROM registry.ci.openshift.org/ocp/4.21:base-rhel9
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 RUN yum install -y --setopt=tsflags=nodocs --setopt=skip_missing_names_on_install=False iproute && yum clean all
 COPY --from=builder /tmp/build/* /usr/bin/
 LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \
       io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
       io.openshift.tags="openshift,hyperkube" \
-      io.openshift.build.versions="kubernetes=1.34.2"
\ No newline at end of file
+      io.openshift.build.versions="kubernetes=1.35.0"
\ No newline at end of file
diff --git a/openshift-hack/images/installer-kube-apiserver-artifacts/Dockerfile.rhel b/openshift-hack/images/installer-kube-apiserver-artifacts/Dockerfile.rhel
index 3c63939f5ca57..985ed96da373e 100644
--- a/openshift-hack/images/installer-kube-apiserver-artifacts/Dockerfile.rhel
+++ b/openshift-hack/images/installer-kube-apiserver-artifacts/Dockerfile.rhel
@@ -2,7 +2,7 @@
 # the kube-apiserver layered on top of the cluster-native Linux installer image.
 # The resulting image is used to build the openshift-install binary.
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS macbuilder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS macbuilder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -10,7 +10,7 @@ ENV KUBE_BUILD_PLATFORMS=darwin/amd64
 ENV KUBE_STATIC_OVERRIDES=kube-apiserver
 RUN make WHAT='cmd/kube-apiserver'
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS macarmbuilder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS macarmbuilder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -18,7 +18,7 @@ ENV KUBE_BUILD_PLATFORMS=darwin/arm64
 ENV KUBE_STATIC_OVERRIDES=kube-apiserver
 RUN make WHAT='cmd/kube-apiserver'
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS linuxbuilder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS linuxbuilder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -27,7 +27,7 @@ ENV KUBE_BUILD_PLATFORMS=linux/amd64
 ENV KUBE_STATIC_OVERRIDES=kube-apiserver
 RUN make WHAT='cmd/kube-apiserver'
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS linuxarmbuilder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS linuxarmbuilder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -36,7 +36,7 @@ ENV KUBE_BUILD_PLATFORMS=linux/arm64
 ENV KUBE_STATIC_OVERRIDES=kube-apiserver
 RUN make WHAT='cmd/kube-apiserver'
 
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
 ARG TAGS=""
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
@@ -44,7 +44,7 @@ ENV GO_COMPLIANCE_EXCLUDE=".*"
 ENV KUBE_STATIC_OVERRIDES=kube-apiserver
 RUN make WHAT='cmd/kube-apiserver'
 
-FROM registry.ci.openshift.org/ocp/4.21:base-rhel9
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=macbuilder /go/src/k8s.io/kubernetes/_output/local/bin/darwin/amd64/kube-apiserver /usr/share/openshift/darwin/amd64/kube-apiserver
 COPY --from=macarmbuilder /go/src/k8s.io/kubernetes/_output/local/bin/darwin/arm64/kube-apiserver /usr/share/openshift/darwin/arm64/kube-apiserver
 COPY --from=linuxbuilder /go/src/k8s.io/kubernetes/_output/local/bin/linux/amd64/kube-apiserver /usr/share/openshift/linux/amd64/kube-apiserver
diff --git a/openshift-hack/images/kube-proxy/Dockerfile.rhel b/openshift-hack/images/kube-proxy/Dockerfile.rhel
index e1e7f5d18f777..29af8385c08a2 100644
--- a/openshift-hack/images/kube-proxy/Dockerfile.rhel
+++ b/openshift-hack/images/kube-proxy/Dockerfile.rhel
@@ -1,11 +1,11 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
 RUN make WHAT='cmd/kube-proxy' && \
     mkdir -p /tmp/build && \
     cp /go/src/k8s.io/kubernetes/_output/local/bin/linux/$(go env GOARCH)/kube-proxy /tmp/build
 
-FROM registry.ci.openshift.org/ocp/4.21:base-rhel9
+FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 RUN INSTALL_PKGS="conntrack-tools iptables nftables" && \
     yum install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     yum clean all && rm -rf /var/cache/*
diff --git a/openshift-hack/images/tests/Dockerfile.rhel b/openshift-hack/images/tests/Dockerfile.rhel
index 10a2b280a2234..095050c337133 100644
--- a/openshift-hack/images/tests/Dockerfile.rhel
+++ b/openshift-hack/images/tests/Dockerfile.rhel
@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.21 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.22 AS builder
 WORKDIR /go/src/k8s.io/kubernetes
 COPY . .
 RUN make WHAT=openshift-hack/e2e/k8s-e2e.test; \
@@ -11,7 +11,7 @@ RUN make WHAT=openshift-hack/e2e/k8s-e2e.test; \
     cp /go/src/k8s.io/kubernetes/openshift-hack/test-kubernetes-e2e.sh /tmp/build/; \
     cp /go/src/k8s.io/kubernetes/openshift-hack/images/kube-proxy/test-kube-proxy.sh /tmp/build/
 
-FROM registry.ci.openshift.org/ocp/4.21:tools
+FROM registry.ci.openshift.org/ocp/4.22:tools
 COPY --from=builder /tmp/build/k8s-e2e.test /usr/bin/
 COPY --from=builder /tmp/build/ginkgo /usr/bin/
 COPY --from=builder /tmp/build/k8s-tests-ext /usr/bin/
diff --git a/openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go b/openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go
index 0ae18e8f7e684..4a7e02a5fcd1b 100644
--- a/openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go
+++ b/openshift-kube-apiserver/admission/customresourcevalidation/dns/validate_dns.go
@@ -143,7 +143,7 @@ func validateTolerations(versionedTolerations []corev1.Toleration, fldPath *fiel
 			allErrors = append(allErrors, field.Invalid(fldPath.Index(i), unversionedTolerations[i], err.Error()))
 		}
 	}
-	allErrors = append(allErrors, apivalidation.ValidateTolerations(unversionedTolerations, fldPath)...)
+	allErrors = append(allErrors, apivalidation.ValidateTolerations(unversionedTolerations, fldPath, apivalidation.PodValidationOptions{})...)
 	return allErrors
 }
 
diff --git a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
index ce029240f67a9..7fd68e6468244 100644
--- a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
+++ b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
@@ -73,7 +73,7 @@ func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, k
 		clusterresourcequota.NewInitializer(
 			openshiftInformers.getOpenshiftQuotaInformers().Quota().V1().ClusterResourceQuotas(),
 			clusterQuotaMappingController.GetClusterQuotaMapper(),
-			generic.NewRegistry(install.NewQuotaConfigurationForAdmission().Evaluators()),
+			generic.NewRegistry(install.NewQuotaConfigurationForAdmission(kubeInformers).Evaluators()),
 		),
 		nodeenv.NewInitializer(enablement.OpenshiftConfig().ProjectConfig.DefaultNodeSelector),
 		admissionrestconfig.NewInitializer(*rest.CopyConfig(genericConfig.LoopbackClientConfig)),
diff --git a/openshift-kube-controller-manager/servicecacertpublisher/publisher.go b/openshift-kube-controller-manager/servicecacertpublisher/publisher.go
index af17ee9802650..babef3fdc7cdb 100644
--- a/openshift-kube-controller-manager/servicecacertpublisher/publisher.go
+++ b/openshift-kube-controller-manager/servicecacertpublisher/publisher.go
@@ -73,22 +73,22 @@ type Publisher struct {
 }
 
 // Run starts process
-func (c *Publisher) Run(workers int, stopCh <-chan struct{}) {
+func (c *Publisher) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
 	klog.Infof("Starting service CA certificate configmap publisher")
 	defer klog.Infof("Shutting down service CA certificate configmap publisher")
 
-	if !cache.WaitForNamedCacheSync("crt configmap", stopCh, c.cmListerSynced) {
+	if !cache.WaitForNamedCacheSync("crt configmap", ctx.Done(), c.cmListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.runWorker, time.Second, stopCh)
+		go wait.Until(c.runWorker, time.Second, ctx.Done())
 	}
 
-	<-stopCh
+	<-ctx.Done()
 }
 
 func (c *Publisher) configMapDeleted(obj interface{}) {
diff --git a/pkg/api/persistentvolumeclaim/util_test.go b/pkg/api/persistentvolumeclaim/util_test.go
index 61b6cb348447a..f28f63f3f9aa4 100644
--- a/pkg/api/persistentvolumeclaim/util_test.go
+++ b/pkg/api/persistentvolumeclaim/util_test.go
@@ -272,8 +272,10 @@ func TestDataSourceFilter(t *testing.T) {
 		t.Run(testName, func(t *testing.T) {
 			// TODO: this will be removed in 1.36
 			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AnyVolumeDataSource, test.anyEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CrossNamespaceVolumeDataSource, test.xnsEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.AnyVolumeDataSource:            test.anyEnabled,
+				features.CrossNamespaceVolumeDataSource: test.xnsEnabled,
+			})
 			DropDisabledFields(&test.spec, &test.oldSpec)
 			if test.spec.DataSource != test.want {
 				t.Errorf("expected condition was not met, test: %s, anyEnabled: %v, xnsEnabled: %v, spec: %+v, expected DataSource: %+v",
@@ -370,8 +372,10 @@ func TestDataSourceRef(t *testing.T) {
 		},
 	}
 
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AnyVolumeDataSource, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CrossNamespaceVolumeDataSource, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.AnyVolumeDataSource:            true,
+		features.CrossNamespaceVolumeDataSource: true,
+	})
 
 	for testName, test := range tests {
 		t.Run(testName, func(t *testing.T) {
@@ -598,8 +602,10 @@ func TestDropDisabledFieldsFromStatus(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RecoverVolumeExpansionFailure, test.enableRecoverVolumeExpansionFailure)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.VolumeAttributesClass, test.enableVolumeAttributesClass)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.RecoverVolumeExpansionFailure: test.enableRecoverVolumeExpansionFailure,
+				features.VolumeAttributesClass:         test.enableVolumeAttributesClass,
+			})
 
 			DropDisabledFieldsFromStatus(test.pvc, test.oldPVC)
 
diff --git a/pkg/api/pod/testing/make.go b/pkg/api/pod/testing/make.go
index 552d795ff7861..e018a0a6371bf 100644
--- a/pkg/api/pod/testing/make.go
+++ b/pkg/api/pod/testing/make.go
@@ -250,6 +250,12 @@ func SetObjectMeta(objectMeta metav1.ObjectMeta) Tweak {
 	}
 }
 
+func SetWorkloadRef(workloadRef *api.WorkloadReference) Tweak {
+	return func(pod *api.Pod) {
+		pod.Spec.WorkloadRef = workloadRef
+	}
+}
+
 func MakeContainer(name string, tweaks ...TweakContainer) api.Container {
 	cnr := api.Container{
 		Name: name, Image: "image", ImagePullPolicy: "IfNotPresent",
diff --git a/pkg/api/pod/util.go b/pkg/api/pod/util.go
index 464e31a56c4d3..1d0ae2209b756 100644
--- a/pkg/api/pod/util.go
+++ b/pkg/api/pod/util.go
@@ -424,10 +424,13 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po
 		AllowSidecarResizePolicy:                            utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling),
 		AllowMatchLabelKeysInPodTopologySpread:              utilfeature.DefaultFeatureGate.Enabled(features.MatchLabelKeysInPodTopologySpread),
 		AllowMatchLabelKeysInPodTopologySpreadSelectorMerge: utilfeature.DefaultFeatureGate.Enabled(features.MatchLabelKeysInPodTopologySpreadSelectorMerge),
+		InPlacePodLevelResourcesVerticalScalingEnabled:      utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling),
 		OldPodViolatesMatchLabelKeysValidation:              false,
 		OldPodViolatesLegacyMatchLabelKeysValidation:        false,
 		AllowContainerRestartPolicyRules:                    utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules),
 		AllowUserNamespacesWithVolumeDevices:                false,
+		// This also allows restart rules on sidecar containers.
+		AllowRestartAllContainers: utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits),
 	}
 
 	// If old spec uses relaxed validation or enabled the RelaxedEnvironmentVariableValidation feature gate,
@@ -435,8 +438,10 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po
 	opts.AllowRelaxedEnvironmentVariableValidation = useRelaxedEnvironmentVariableValidation(podSpec, oldPodSpec)
 	opts.AllowRelaxedDNSSearchValidation = useRelaxedDNSSearchValidation(oldPodSpec)
 	opts.AllowEnvFilesValidation = useAllowEnvFilesValidation(oldPodSpec)
+	opts.AllowUserNamespacesHostNetworkSupport = useAllowUserNamespacesHostNetworkSupport(oldPodSpec)
 
 	opts.AllowOnlyRecursiveSELinuxChangePolicy = useOnlyRecursiveSELinuxChangePolicy(oldPodSpec)
+	opts.AllowTaintTolerationComparisonOperators = allowTaintTolerationComparisonOperators(oldPodSpec)
 
 	if oldPodSpec != nil {
 		// if old spec used non-integer multiple of huge page unit size, we must allow it
@@ -474,6 +479,7 @@ func GetValidationOptionsFromPodSpecAndMeta(podSpec, oldPodSpec *api.PodSpec, po
 		opts.AllowSidecarResizePolicy = opts.AllowSidecarResizePolicy || hasRestartableInitContainerResizePolicy(oldPodSpec)
 
 		opts.AllowContainerRestartPolicyRules = opts.AllowContainerRestartPolicyRules || containerRestartRulesInUse(oldPodSpec)
+		opts.AllowRestartAllContainers = opts.AllowRestartAllContainers || restartAllContainersActionInUse(oldPodSpec)
 
 		// If old spec has userns and volume devices (doesn't work), we still allow
 		// modifications to it.
@@ -535,6 +541,23 @@ func hasDotOrUnderscore(searches []string) bool {
 	return false
 }
 
+func useAllowUserNamespacesHostNetworkSupport(oldPodSpec *api.PodSpec) bool {
+	// Return true early if feature gate is enabled
+	if utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesHostNetworkSupport) {
+		return true
+	}
+
+	if oldPodSpec == nil || oldPodSpec.SecurityContext == nil || oldPodSpec.SecurityContext.HostUsers == nil {
+		return false
+	}
+
+	// If a pod with user namespaces and hostNetwork already exists in the cluster,
+	// this allows it to continue using the UserNamespacesHostNetworkSupport
+	// validation logic even after the feature gate is disabled.
+	userNamespaces := !*oldPodSpec.SecurityContext.HostUsers
+	return oldPodSpec.SecurityContext.HostNetwork && userNamespaces
+}
+
 func useAllowEnvFilesValidation(oldPodSpec *api.PodSpec) bool {
 	// Return true early if feature gate is enabled
 	if utilfeature.DefaultFeatureGate.Enabled(features.EnvFiles) {
@@ -731,6 +754,7 @@ func dropDisabledFields(
 	dropDisabledDynamicResourceAllocationFields(podSpec, oldPodSpec)
 	dropDisabledClusterTrustBundleProjection(podSpec, oldPodSpec)
 	dropDisabledPodCertificateProjection(podSpec, oldPodSpec)
+	dropDisabledWorkloadRef(podSpec, oldPodSpec)
 
 	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) && !inPlacePodVerticalScalingInUse(oldPodSpec) {
 		// Drop ResizePolicy fields. Don't drop updates to Resources field as template.spec.resources
@@ -983,6 +1007,12 @@ func dropDisabledPodStatusFields(podStatus, oldPodStatus *api.PodStatus, podSpec
 		podStatus = &api.PodStatus{}
 	}
 
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) && !podLevelStatusResourcesInUse(oldPodStatus) {
+		// Drop Resources and AllocatedResources fields from PodStatus
+		podStatus.Resources = nil
+		podStatus.AllocatedResources = nil
+	}
+
 	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) && !inPlacePodVerticalScalingInUse(oldPodSpec) {
 		// Drop Resources fields
 		dropResourcesField := func(csl []api.ContainerStatus) {
@@ -1303,6 +1333,16 @@ func podLevelResourcesInUse(podSpec *api.PodSpec) bool {
 	return false
 }
 
+// podLevelStatusResourcesInUse checks if AllocationResources or Resources are set
+// in PodStatus.
+func podLevelStatusResourcesInUse(podStatus *api.PodStatus) bool {
+	if podStatus == nil {
+		return false
+	}
+
+	return podStatus.Resources != nil || podStatus.AllocatedResources != nil
+}
+
 // inPlacePodVerticalScalingInUse returns true if pod spec is non-nil and ResizePolicy is set
 func inPlacePodVerticalScalingInUse(podSpec *api.PodSpec) bool {
 	if podSpec == nil {
@@ -1599,6 +1639,28 @@ func useOnlyRecursiveSELinuxChangePolicy(oldPodSpec *api.PodSpec) bool {
 	return true
 }
 
+func taintTolerationComparisonOperatorsInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+	for _, toleration := range podSpec.Tolerations {
+		if toleration.Operator == api.TolerationOpLt || toleration.Operator == api.TolerationOpGt {
+			return true
+		}
+	}
+	return false
+}
+
+func allowTaintTolerationComparisonOperators(oldPodSpec *api.PodSpec) bool {
+	// allow the operators if the feature gate is enabled or the old pod spec uses
+	// comparison operators
+	if utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators) ||
+		taintTolerationComparisonOperatorsInUse(oldPodSpec) {
+		return true
+	}
+	return false
+}
+
 func hasUserNamespacesWithVolumeDevices(podSpec *api.PodSpec) bool {
 	if podSpec.SecurityContext == nil || podSpec.SecurityContext.HostUsers == nil || *podSpec.SecurityContext.HostUsers {
 		return false
@@ -1768,3 +1830,44 @@ func containerRestartRulesInUse(oldPodSpec *api.PodSpec) bool {
 	}
 	return false
 }
+
+// dropDisabledWorkloadRef removes pod workload reference from its spec
+// unless it is already used by the old pod spec.
+func dropDisabledWorkloadRef(podSpec, oldPodSpec *api.PodSpec) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) && !workloadRefInUse(oldPodSpec) {
+		podSpec.WorkloadRef = nil
+	}
+}
+
+func workloadRefInUse(podSpec *api.PodSpec) bool {
+	if podSpec == nil {
+		return false
+	}
+
+	return podSpec.WorkloadRef != nil
+}
+
+func restartAllContainersActionInUse(oldPodSpec *api.PodSpec) bool {
+	if oldPodSpec == nil {
+		return false
+	}
+	for _, c := range oldPodSpec.Containers {
+		for _, rule := range c.RestartPolicyRules {
+			if rule.Action == api.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+	for _, c := range oldPodSpec.InitContainers {
+		for _, rule := range c.RestartPolicyRules {
+			if rule.Action == api.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+		// This feature also allows sidecar containers to have rules.
+		if c.RestartPolicy != nil && *c.RestartPolicy == api.ContainerRestartPolicyAlways && len(c.RestartPolicyRules) > 0 {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go
index 1ad61379fcdfc..3701535c04952 100644
--- a/pkg/api/pod/util_test.go
+++ b/pkg/api/pod/util_test.go
@@ -1058,8 +1058,13 @@ func TestDropDynamicResourceAllocation(t *testing.T) {
 
 	for _, tc := range testcases {
 		t.Run(tc.description, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicResourceAllocation, tc.enabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, tc.extendedEnabled)
+			if !tc.enabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DynamicResourceAllocation: tc.enabled,
+				features.DRAExtendedResource:       tc.extendedEnabled,
+			})
 
 			oldPod := tc.oldPod.DeepCopy()
 			newPod := tc.newPod.DeepCopy()
@@ -1229,97 +1234,47 @@ func TestDropDisabledPodStatusFields_ObservedGeneration(t *testing.T) {
 		name          string
 		podStatus     *api.PodStatus
 		oldPodStatus  *api.PodStatus
-		featureGateOn bool
 		wantPodStatus *api.PodStatus
 	}{
-		{
-			name:          "old=without, new=without / feature gate off",
-			oldPodStatus:  podWithoutObservedGen(),
-			podStatus:     podWithoutObservedGen(),
-			featureGateOn: false,
-			wantPodStatus: podWithoutObservedGen(),
-		},
 		{
 			name:          "old=without, new=without / feature gate on",
 			oldPodStatus:  podWithoutObservedGen(),
 			podStatus:     podWithoutObservedGen(),
-			featureGateOn: true,
-			wantPodStatus: podWithoutObservedGen(),
-		},
-		{
-			name:          "old=without, new=with / feature gate off",
-			oldPodStatus:  podWithoutObservedGen(),
-			podStatus:     podWithObservedGen(),
-			featureGateOn: false,
 			wantPodStatus: podWithoutObservedGen(),
 		},
 		{
 			name:          "old=with, new=without / feature gate on",
 			oldPodStatus:  podWithObservedGen(),
 			podStatus:     podWithoutObservedGen(),
-			featureGateOn: true,
 			wantPodStatus: podWithoutObservedGen(),
 		},
-		{
-			name:          "old=with, new=with / feature gate off",
-			oldPodStatus:  podWithObservedGen(),
-			podStatus:     podWithObservedGen(),
-			featureGateOn: false,
-			wantPodStatus: podWithObservedGen(),
-		},
 		{
 			name:          "old=with, new=with / feature gate on",
 			oldPodStatus:  podWithObservedGen(),
 			podStatus:     podWithObservedGen(),
-			featureGateOn: true,
 			wantPodStatus: podWithObservedGen(),
 		},
-		{
-			name:          "old=without, new=withInConditions / feature gate off",
-			oldPodStatus:  podWithoutObservedGen(),
-			podStatus:     podWithObservedGenInConditions(),
-			featureGateOn: false,
-			wantPodStatus: podWithoutObservedGen(),
-		},
 		{
 			name:          "old=without, new=withInConditions / feature gate on",
 			oldPodStatus:  podWithoutObservedGen(),
 			podStatus:     podWithObservedGenInConditions(),
-			featureGateOn: true,
 			wantPodStatus: podWithObservedGenInConditions(),
 		},
-		{
-			name:          "old=withInConditions, new=without / feature gate off",
-			oldPodStatus:  podWithObservedGenInConditions(),
-			podStatus:     podWithoutObservedGen(),
-			featureGateOn: false,
-			wantPodStatus: podWithoutObservedGen(),
-		},
 		{
 			name:          "old=withInConditions, new=without / feature gate on",
 			oldPodStatus:  podWithObservedGenInConditions(),
 			podStatus:     podWithoutObservedGen(),
-			featureGateOn: true,
 			wantPodStatus: podWithoutObservedGen(),
 		},
-		{
-			name:          "old=withInConditions, new=withInCondtions / feature gate off",
-			oldPodStatus:  podWithObservedGenInConditions(),
-			podStatus:     podWithObservedGenInConditions(),
-			featureGateOn: false,
-			wantPodStatus: podWithObservedGenInConditions(),
-		},
 		{
 			name:          "old=withInConditions, new=withInCondtions / feature gate on",
 			oldPodStatus:  podWithObservedGenInConditions(),
 			podStatus:     podWithObservedGenInConditions(),
-			featureGateOn: true,
 			wantPodStatus: podWithObservedGenInConditions(),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodObservedGenerationTracking, tt.featureGateOn)
 			dropDisabledPodStatusFields(tt.podStatus, tt.oldPodStatus, &api.PodSpec{}, &api.PodSpec{})
 			if !reflect.DeepEqual(tt.podStatus, tt.wantPodStatus) {
 				t.Errorf("dropDisabledStatusFields() = %v, want %v", tt.podStatus, tt.wantPodStatus)
@@ -2790,8 +2745,10 @@ func TestOldPodViolatesMatchLabelKeysValidationOption(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpread, tc.matchLabelKeysEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpreadSelectorMerge, tc.matchLabelKeysSelectorMergeEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.MatchLabelKeysInPodTopologySpread:              tc.matchLabelKeysEnabled,
+				features.MatchLabelKeysInPodTopologySpreadSelectorMerge: tc.matchLabelKeysSelectorMergeEnabled,
+			})
 			gotOptions := GetValidationOptionsFromPodSpecAndMeta(&api.PodSpec{}, tc.oldPodSpec, nil, nil)
 			if tc.wantOption != gotOptions.OldPodViolatesMatchLabelKeysValidation {
 				t.Errorf("Got OldPodViolatesMatchLabelKeysValidation=%t, want %t", gotOptions.OldPodViolatesMatchLabelKeysValidation, tc.wantOption)
@@ -2851,8 +2808,10 @@ func TestOldPodViolatesLegacyMatchLabelKeysValidationOption(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpread, tc.matchLabelKeysEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpreadSelectorMerge, tc.matchLabelKeysSelectorMergeEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.MatchLabelKeysInPodTopologySpread:              tc.matchLabelKeysEnabled,
+				features.MatchLabelKeysInPodTopologySpreadSelectorMerge: tc.matchLabelKeysSelectorMergeEnabled,
+			})
 			gotOptions := GetValidationOptionsFromPodSpecAndMeta(&api.PodSpec{}, tc.oldPodSpec, nil, nil)
 			if tc.wantOption != gotOptions.OldPodViolatesLegacyMatchLabelKeysValidation {
 				t.Errorf("Got OldPodViolatesLegacyMatchLabelKeysValidation=%t, want %t", gotOptions.OldPodViolatesLegacyMatchLabelKeysValidation, tc.wantOption)
@@ -2943,6 +2902,7 @@ func TestValidateAllowNonLocalProjectedTokenPathOption(t *testing.T) {
 }
 
 func TestDropInPlacePodVerticalScaling(t *testing.T) {
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 	podWithInPlaceVerticalScaling := func() *api.Pod {
 		return &api.Pod{
 			Spec: api.PodSpec{
@@ -3331,6 +3291,8 @@ func TestDropSidecarContainers(t *testing.T) {
 }
 
 func TestDropClusterTrustBundleProjectedVolumes(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClusterTrustBundle, true)
+
 	testCases := []struct {
 		description                         string
 		clusterTrustBundleProjectionEnabled bool
@@ -4102,6 +4064,8 @@ func TestDropSupplementalGroupsPolicy(t *testing.T) {
 						"feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description,
 					),
 					func(t *testing.T) {
+						// Set emulation version so that the feature gate can be disabled in the test
+						featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SupplementalGroupsPolicy, enabled)
 
 						var oldPodSpec *api.PodSpec
@@ -4442,6 +4406,7 @@ func TestDropSELinuxChangePolicy(t *testing.T) {
 }
 
 func TestValidateAllowSidecarResizePolicy(t *testing.T) {
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 	restartPolicyAlways := api.ContainerRestartPolicyAlways
 	testCases := []struct {
 		name       string
@@ -6253,3 +6218,519 @@ func TestHasUserNamespacesWithVolumeDevices(t *testing.T) {
 		})
 	}
 }
+
+func TestTaintTolerationComparisonOperatorsInUse(t *testing.T) {
+	tests := []struct {
+		name     string
+		podSpec  *api.PodSpec
+		expected bool
+	}{
+		{
+			name:     "nil pod spec",
+			podSpec:  nil,
+			expected: false,
+		},
+		{
+			name: "no tolerations",
+			podSpec: &api.PodSpec{
+				Containers: []api.Container{{Name: "test"}},
+			},
+			expected: false,
+		},
+		{
+			name: "only Equal operator",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpEqual, Value: "value1"},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "only Exists operator",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpExists},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "Lt operator present",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpLt, Value: "100"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Gt operator present",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpGt, Value: "50"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "mixed operators with Lt",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpEqual, Value: "value1"},
+					{Key: "key2", Operator: api.TolerationOpLt, Value: "100"},
+					{Key: "key3", Operator: api.TolerationOpExists},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "mixed operators with Gt",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpExists},
+					{Key: "key2", Operator: api.TolerationOpGt, Value: "200"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "both Lt and Gt operators",
+			podSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpLt, Value: "100"},
+					{Key: "key2", Operator: api.TolerationOpGt, Value: "50"},
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			actual := taintTolerationComparisonOperatorsInUse(test.podSpec)
+			if test.expected != actual {
+				t.Errorf("expected %v, got %v", test.expected, actual)
+			}
+		})
+	}
+}
+
+func TestAllowTaintTolerationComparisonOperators(t *testing.T) {
+	tests := []struct {
+		name           string
+		featureEnabled bool
+		oldPodSpec     *api.PodSpec
+		expected       bool
+	}{
+		{
+			name:           "feature gate enabled, nil old pod spec",
+			featureEnabled: true,
+			oldPodSpec:     nil,
+			expected:       true,
+		},
+		{
+			name:           "feature gate enabled, old pod spec without comparison operators",
+			featureEnabled: true,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpEqual, Value: "value1"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:           "feature gate enabled, old pod spec with Lt operator",
+			featureEnabled: true,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpLt, Value: "100"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:           "feature gate disabled, nil old pod spec",
+			featureEnabled: false,
+			oldPodSpec:     nil,
+			expected:       false,
+		},
+		{
+			name:           "feature gate disabled, old pod spec without comparison operators",
+			featureEnabled: false,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpEqual, Value: "value1"},
+					{Key: "key2", Operator: api.TolerationOpExists},
+				},
+			},
+			expected: false,
+		},
+		{
+			name:           "feature gate disabled, old pod spec with Lt operator",
+			featureEnabled: false,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpLt, Value: "100"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:           "feature gate disabled, old pod spec with Gt operator",
+			featureEnabled: false,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpGt, Value: "50"},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:           "feature gate disabled, old pod spec with mixed operators including Lt",
+			featureEnabled: false,
+			oldPodSpec: &api.PodSpec{
+				Tolerations: []api.Toleration{
+					{Key: "key1", Operator: api.TolerationOpEqual, Value: "value1"},
+					{Key: "key2", Operator: api.TolerationOpLt, Value: "100"},
+					{Key: "key3", Operator: api.TolerationOpExists},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:           "feature gate disabled, empty old pod spec",
+			featureEnabled: false,
+			oldPodSpec:     &api.PodSpec{},
+			expected:       false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TaintTolerationComparisonOperators, test.featureEnabled)
+			actual := allowTaintTolerationComparisonOperators(test.oldPodSpec)
+			if test.expected != actual {
+				t.Errorf("expected %v, got %v", test.expected, actual)
+			}
+		})
+	}
+}
+
+func TestDisabledWorkload(t *testing.T) {
+	podWithWorkload := &api.Pod{
+		Spec: api.PodSpec{
+			WorkloadRef: &api.WorkloadReference{
+				Name:     "w",
+				PodGroup: "pg",
+			},
+		},
+	}
+	podWithoutWorkload := &api.Pod{
+		Spec: api.PodSpec{},
+	}
+
+	tests := []struct {
+		name    string
+		enabled bool
+		oldPod  *api.Pod
+		newPod  *api.Pod
+		wantPod *api.Pod
+	}{
+		{
+			name:    "old with workload / new with workload / disabled",
+			oldPod:  podWithWorkload,
+			newPod:  podWithWorkload,
+			wantPod: podWithWorkload,
+		},
+		{
+			name:    "old without workload / new with workload / disabled",
+			oldPod:  podWithoutWorkload,
+			newPod:  podWithWorkload,
+			wantPod: podWithoutWorkload,
+		},
+		{
+			name:    "old with workload / new without workload / disabled",
+			oldPod:  podWithWorkload,
+			newPod:  podWithoutWorkload,
+			wantPod: podWithoutWorkload,
+		},
+		{
+			name:    "old without workload / new without workload / disabled",
+			oldPod:  podWithoutWorkload,
+			newPod:  podWithoutWorkload,
+			wantPod: podWithoutWorkload,
+		},
+		{
+			name:    "old with workload / new with workload / enabled",
+			enabled: true,
+			oldPod:  podWithWorkload,
+			newPod:  podWithWorkload,
+			wantPod: podWithWorkload,
+		},
+		{
+			name:    "old without workload / new with workload / enabled",
+			enabled: true,
+			oldPod:  podWithoutWorkload,
+			newPod:  podWithWorkload,
+			wantPod: podWithWorkload,
+		},
+		{
+			name:    "old with workload / new without workload / enabled",
+			enabled: true,
+			oldPod:  podWithWorkload,
+			newPod:  podWithoutWorkload,
+			wantPod: podWithoutWorkload,
+		},
+		{
+			name:    "old without workload / new without workload / enabled",
+			enabled: true,
+			oldPod:  podWithoutWorkload,
+			newPod:  podWithoutWorkload,
+			wantPod: podWithoutWorkload,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.GenericWorkload, tc.enabled)
+
+			oldPod := tc.oldPod.DeepCopy()
+			newPod := tc.newPod.DeepCopy()
+			wantPod := tc.wantPod
+			DropDisabledPodFields(newPod, oldPod)
+
+			// Old pod should be never changed
+			if diff := cmp.Diff(oldPod, tc.oldPod); diff != "" {
+				t.Errorf("Old pod changed (-want,+got): %s", diff)
+			}
+
+			if diff := cmp.Diff(wantPod, newPod); diff != "" {
+				t.Errorf("New pod changed (-want,+got): %s", diff)
+			}
+		})
+	}
+}
+
+func TestValidateRestartAllContainersOption(t *testing.T) {
+	policyAlways := api.ContainerRestartPolicyAlways
+	testCases := []struct {
+		name           string
+		oldPodSpec     *api.PodSpec
+		featureEnabled bool
+		want           bool
+	}{
+		{
+			name:           "feature enabled",
+			featureEnabled: true,
+			want:           true,
+		},
+		{
+			name:           "feature disabled",
+			featureEnabled: false,
+			want:           false,
+		},
+		{
+			name: "old pod spec has container without action",
+			oldPodSpec: &api.PodSpec{
+				Containers: []api.Container{{
+					Name: "container",
+				}},
+			},
+			featureEnabled: false,
+			want:           false,
+		},
+		{
+			name: "old pod spec has container with action",
+			oldPodSpec: &api.PodSpec{
+				Containers: []api.Container{{
+					Name: "container",
+					RestartPolicyRules: []api.ContainerRestartRule{{
+						Action: api.ContainerRestartRuleActionRestartAllContainers,
+						ExitCodes: &api.ContainerRestartRuleOnExitCodes{
+							Operator: api.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{42},
+						},
+					}},
+				}},
+			},
+			featureEnabled: false,
+			want:           true,
+		},
+		{
+			name: "old pod spec has sidecar containers with rules",
+			oldPodSpec: &api.PodSpec{
+				InitContainers: []api.Container{{
+					RestartPolicy: &policyAlways,
+					RestartPolicyRules: []api.ContainerRestartRule{{
+						Action: api.ContainerRestartRuleActionRestartAllContainers,
+						ExitCodes: &api.ContainerRestartRuleOnExitCodes{
+							Operator: api.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{42},
+						},
+					}},
+				}},
+			},
+			featureEnabled: false,
+			want:           true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.ContainerRestartRules:                tc.featureEnabled,
+				features.NodeDeclaredFeatures:                 tc.featureEnabled,
+				features.RestartAllContainersOnContainerExits: tc.featureEnabled,
+			})
+			// The new pod doesn't impact the outcome.
+			gotOptions := GetValidationOptionsFromPodSpecAndMeta(nil, tc.oldPodSpec, nil, nil)
+			if tc.want != gotOptions.AllowRestartAllContainers {
+				t.Errorf("unexpected diff, want: %v, got: %v", tc.want, gotOptions.AllowRestartAllContainers)
+			}
+		})
+	}
+}
+
+func TestDropDisabledPodStatusFields_InPlacePodLevelResourcesVerticalScaling(t *testing.T) {
+	testCases := []struct {
+		description                                string
+		hasInPlacePodLevelResourcesVerticalScaling bool
+		pod                                        func() *api.Pod
+	}{
+		{
+			description: "without pod-level status resources",
+			hasInPlacePodLevelResourcesVerticalScaling: false,
+			pod: func() *api.Pod {
+				return &api.Pod{
+					Spec: api.PodSpec{
+						Containers: []api.Container{
+							{
+								Name:  "c1",
+								Image: "image",
+								Resources: api.ResourceRequirements{
+									Requests: api.ResourceList{api.ResourceCPU: resource.MustParse("100m")},
+									Limits:   api.ResourceList{api.ResourceCPU: resource.MustParse("200m")},
+								},
+								ResizePolicy: []api.ContainerResizePolicy{
+									{ResourceName: api.ResourceCPU, RestartPolicy: api.NotRequired},
+									{ResourceName: api.ResourceMemory, RestartPolicy: api.RestartContainer},
+								},
+							},
+						},
+					},
+					Status: api.PodStatus{
+						Resize: api.PodResizeStatusInProgress,
+						ContainerStatuses: []api.ContainerStatus{
+							{
+								Name:               "c1",
+								Image:              "image",
+								AllocatedResources: api.ResourceList{api.ResourceCPU: resource.MustParse("100m")},
+								Resources: &api.ResourceRequirements{
+									Requests: api.ResourceList{api.ResourceCPU: resource.MustParse("200m")},
+									Limits:   api.ResourceList{api.ResourceCPU: resource.MustParse("300m")},
+								},
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			description: "with pod-level status resources",
+			hasInPlacePodLevelResourcesVerticalScaling: true,
+			pod: func() *api.Pod {
+				return &api.Pod{
+					Spec: api.PodSpec{
+						Containers: []api.Container{
+							{
+								Name:  "c1",
+								Image: "image",
+								Resources: api.ResourceRequirements{
+									Requests: api.ResourceList{api.ResourceCPU: resource.MustParse("100m")},
+									Limits:   api.ResourceList{api.ResourceCPU: resource.MustParse("200m")},
+								},
+								ResizePolicy: []api.ContainerResizePolicy{
+									{ResourceName: api.ResourceCPU, RestartPolicy: api.NotRequired},
+									{ResourceName: api.ResourceMemory, RestartPolicy: api.RestartContainer},
+								},
+							},
+						},
+					},
+					Status: api.PodStatus{
+						Resources: &api.ResourceRequirements{
+							Requests: api.ResourceList{api.ResourceCPU: resource.MustParse("200m")},
+							Limits:   api.ResourceList{api.ResourceCPU: resource.MustParse("300m")},
+						},
+						AllocatedResources: api.ResourceList{api.ResourceCPU: resource.MustParse("100m")},
+						Resize:             api.PodResizeStatusInProgress,
+						ContainerStatuses: []api.ContainerStatus{
+							{
+								Name:               "c1",
+								Image:              "image",
+								AllocatedResources: api.ResourceList{api.ResourceCPU: resource.MustParse("100m")},
+								Resources: &api.ResourceRequirements{
+									Requests: api.ResourceList{api.ResourceCPU: resource.MustParse("200m")},
+									Limits:   api.ResourceList{api.ResourceCPU: resource.MustParse("300m")},
+								},
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			description: "is nil",
+			hasInPlacePodLevelResourcesVerticalScaling: false,
+			pod: func() *api.Pod { return nil },
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+	for _, ippvsEnabled := range []bool{true, false} {
+		t.Run(fmt.Sprintf("InPlacePodLevelResourcesVerticalScaling=%t", ippvsEnabled), func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, ippvsEnabled)
+			for _, oldPodInfo := range testCases {
+				for _, newPodInfo := range testCases {
+					oldPodHasInPlacePodLevelResourcesVerticalScaling, oldPod := oldPodInfo.hasInPlacePodLevelResourcesVerticalScaling, oldPodInfo.pod()
+					newPodHasInPlacePodLevelResourcesVerticalScaling, newPod := newPodInfo.hasInPlacePodLevelResourcesVerticalScaling, newPodInfo.pod()
+					if newPod == nil {
+						continue
+					}
+					t.Run(fmt.Sprintf("old pod %v, new pod %v", oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
+						var oldPodSpec *api.PodSpec
+						var oldPodStatus *api.PodStatus
+						if oldPod != nil {
+							oldPodSpec = &oldPod.Spec
+							oldPodStatus = &oldPod.Status
+						}
+						dropDisabledPodStatusFields(&newPod.Status, oldPodStatus, &newPod.Spec, oldPodSpec)
+
+						// old pod should never be changed
+						if !reflect.DeepEqual(oldPod, oldPodInfo.pod()) {
+							t.Errorf("old pod changed: %v", cmp.Diff(oldPod, oldPodInfo.pod()))
+						}
+
+						switch {
+						case ippvsEnabled || oldPodHasInPlacePodLevelResourcesVerticalScaling:
+							// new pod shouldn't change if feature enabled
+							expected := newPodInfo.pod()
+							if !reflect.DeepEqual(newPod, expected) {
+								t.Errorf("new pod changed: %v %t", cmp.Diff(newPod, expected), ippvsEnabled)
+							}
+						case newPodHasInPlacePodLevelResourcesVerticalScaling:
+							// new pod should be changed
+							if reflect.DeepEqual(newPod, newPodInfo.pod()) {
+								t.Errorf("new pod was not changed")
+							}
+						default:
+							// new pod should not need to be changed
+							if !reflect.DeepEqual(newPod, newPodInfo.pod()) {
+								t.Errorf("new pod changed: %v %t", cmp.Diff(newPod, newPodInfo.pod()), newPodHasInPlacePodLevelResourcesVerticalScaling)
+							}
+						}
+					})
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/api/resourceclaimspec/util.go b/pkg/api/resourceclaimspec/util.go
new file mode 100644
index 0000000000000..3c66d3dbeb28e
--- /dev/null
+++ b/pkg/api/resourceclaimspec/util.go
@@ -0,0 +1,177 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceclaimspec
+
+import (
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+// DropDisabledFields removes disabled fields from the spec unless they were in
+// use there before.
+//
+// Theoretically some features could be in use in an old ResourceClaim status
+// and not in use in the spec. This can only occur in a spec update, which is
+// currently prevented because the entire spec is immutable. Even if it was
+// allowed, preventing adding disabled fields to the spec is the right thing to
+// do regardless of what may have ended up in the status earlier.
+func DropDisabledFields(new, old *resource.ResourceClaimSpec) {
+	dropDisabledDRAPrioritizedListFields(new, old)
+	dropDisabledDRADeviceTaintsFields(new, old) // Intentionally after dropDisabledDRAPrioritizedListFields to avoid iterating over FirstAvailable slice which needs to be dropped.
+	dropDisabledDRAAdminAccessFields(new, old)
+	dropDisabledDRAResourceClaimConsumableCapacityFields(new, old)
+}
+
+func dropDisabledDRADeviceTaintsFields(new, old *resource.ResourceClaimSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) ||
+		draDeviceTaintsInUse(old) {
+		return
+	}
+
+	for i, req := range new.Devices.Requests {
+		if exactly := req.Exactly; exactly != nil {
+			exactly.Tolerations = nil
+		}
+		for e := range req.FirstAvailable {
+			new.Devices.Requests[i].FirstAvailable[e].Tolerations = nil
+		}
+	}
+}
+
+func draDeviceTaintsInUse(spec *resource.ResourceClaimSpec) bool {
+	if spec == nil {
+		return false
+	}
+
+	for _, req := range spec.Devices.Requests {
+		if exactly := req.Exactly; exactly != nil && len(exactly.Tolerations) > 0 {
+			return true
+		}
+		for _, sub := range req.FirstAvailable {
+			if len(sub.Tolerations) > 0 {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func dropDisabledDRAPrioritizedListFields(new, old *resource.ResourceClaimSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList) {
+		return
+	}
+	if draPrioritizedListFeatureInUse(old) {
+		return
+	}
+
+	for i := range new.Devices.Requests {
+		new.Devices.Requests[i].FirstAvailable = nil
+	}
+}
+
+func draPrioritizedListFeatureInUse(spec *resource.ResourceClaimSpec) bool {
+	if spec == nil {
+		return false
+	}
+
+	for _, request := range spec.Devices.Requests {
+		if len(request.FirstAvailable) > 0 {
+			return true
+		}
+	}
+
+	return false
+}
+
+func dropDisabledDRAAdminAccessFields(new, old *resource.ResourceClaimSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess) ||
+		DRAAdminAccessFeatureInUse(old) {
+		// No need to drop anything.
+		return
+	}
+
+	for i := range new.Devices.Requests {
+		if new.Devices.Requests[i].Exactly != nil {
+			new.Devices.Requests[i].Exactly.AdminAccess = nil
+		}
+	}
+}
+
+// DRAAdminAccessFeatureInUse checks whether the feature is in use in the spec.
+func DRAAdminAccessFeatureInUse(spec *resource.ResourceClaimSpec) bool {
+	if spec == nil {
+		return false
+	}
+
+	for _, request := range spec.Devices.Requests {
+		if request.Exactly != nil && request.Exactly.AdminAccess != nil {
+			return true
+		}
+	}
+
+	return false
+}
+
+func dropDisabledDRAResourceClaimConsumableCapacityFields(new, old *resource.ResourceClaimSpec) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity) ||
+		DRAConsumableCapacityFeatureInUse(old) {
+		// No need to drop anything.
+		return
+	}
+
+	for i := range new.Devices.Constraints {
+		new.Devices.Constraints[i].DistinctAttribute = nil
+	}
+
+	for i := range new.Devices.Requests {
+		if new.Devices.Requests[i].Exactly != nil {
+			new.Devices.Requests[i].Exactly.Capacity = nil
+		}
+		request := new.Devices.Requests[i]
+		for j := range request.FirstAvailable {
+			new.Devices.Requests[i].FirstAvailable[j].Capacity = nil
+		}
+	}
+}
+
+// DRAConsumableCapacityFeatureInUse checks whether the feature is in use in the spec.
+func DRAConsumableCapacityFeatureInUse(spec *resource.ResourceClaimSpec) bool {
+	if spec == nil {
+		return false
+	}
+
+	for _, constaint := range spec.Devices.Constraints {
+		if constaint.DistinctAttribute != nil {
+			return true
+		}
+	}
+
+	for _, request := range spec.Devices.Requests {
+		if request.Exactly != nil && request.Exactly.Capacity != nil {
+			return true
+		}
+		for _, subRequest := range request.FirstAvailable {
+			if subRequest.Capacity != nil {
+				return true
+			}
+		}
+	}
+
+	return false
+}
diff --git a/pkg/api/resourceclaimspec/util_test.go b/pkg/api/resourceclaimspec/util_test.go
new file mode 100644
index 0000000000000..d1f69d425da93
--- /dev/null
+++ b/pkg/api/resourceclaimspec/util_test.go
@@ -0,0 +1,149 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceclaimspec
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	apiresource "k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/utils/ptr"
+)
+
+var testCapacity = map[resource.QualifiedName]apiresource.Quantity{
+	resource.QualifiedName("test-capacity"): apiresource.MustParse("1"),
+}
+
+var obj = &resource.ResourceClaim{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimSpec{
+		Devices: resource.DeviceClaim{
+			Requests: []resource.DeviceRequest{
+				{
+					Name: "req-0",
+					Exactly: &resource.ExactDeviceRequest{
+						DeviceClassName: "class",
+						AllocationMode:  resource.DeviceAllocationModeAll,
+					},
+				},
+			},
+		},
+	},
+}
+
+var objWithPrioritizedList = &resource.ResourceClaim{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimSpec{
+		Devices: resource.DeviceClaim{
+			Requests: []resource.DeviceRequest{
+				{
+					Name: "req-0",
+					FirstAvailable: []resource.DeviceSubRequest{
+						{
+							Name:            "subreq-0",
+							DeviceClassName: "class",
+							AllocationMode:  resource.DeviceAllocationModeExactCount,
+							Count:           1,
+						},
+					},
+				},
+			},
+		},
+	},
+}
+
+func modifySpecDeviceRequestWithCapacityRequests(resourceClaim *resource.ResourceClaim,
+	capacity map[resource.QualifiedName]apiresource.Quantity, prioritizedListFeature bool) {
+	if capacity != nil {
+		if prioritizedListFeature {
+			resourceClaim.Spec.Devices.Requests[0].FirstAvailable[0].Capacity = &resource.CapacityRequirements{
+				Requests: capacity,
+			}
+		} else {
+			resourceClaim.Spec.Devices.Requests[0].Exactly.Capacity = &resource.CapacityRequirements{
+				Requests: capacity,
+			}
+		}
+	}
+}
+
+func addDistinctAttribute(resourceClaim *resource.ResourceClaim) {
+	distinctConstraint := resource.DeviceConstraint{
+		Requests:          []string{"req-0"},
+		DistinctAttribute: ptr.To(resource.FullyQualifiedName("driver-a/attr")),
+	}
+	resourceClaim.Spec.Devices.Constraints = append(resourceClaim.Spec.Devices.Constraints, distinctConstraint)
+}
+
+func TestDRAConsumableCapacityFeatureInUse(t *testing.T) {
+	testcases := map[string]struct {
+		obj    *resource.ResourceClaim
+		expect bool
+	}{
+		"consumable-capacity-empty": {
+			obj:    nil,
+			expect: false,
+		},
+		"consumable-capacity-no-inuse": {
+			obj:    obj,
+			expect: false,
+		},
+		"consumable-capacity-with-inuse-fields": {
+			obj: func() *resource.ResourceClaim {
+				obj := obj.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				return obj
+			}(),
+			expect: true,
+		},
+		"consumable-capacity--with-inuse-fields-with-distinct-attribute": {
+			obj: func() *resource.ResourceClaim {
+				obj := obj.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				return obj
+			}(),
+			expect: true,
+		},
+		"consumable-capacity--with-inuse-fields-in-subrequests": {
+			obj: func() *resource.ResourceClaim {
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
+				return obj
+			}(),
+			expect: true,
+		},
+	}
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			var spec *resource.ResourceClaimSpec
+			if tc.obj != nil {
+				spec = &tc.obj.Spec
+			}
+			assert.Equal(t, DRAConsumableCapacityFeatureInUse(spec), tc.expect)
+		})
+	}
+}
diff --git a/pkg/api/service/warnings.go b/pkg/api/service/warnings.go
index 92fef3afa90dd..a9f0cdad25f0b 100644
--- a/pkg/api/service/warnings.go
+++ b/pkg/api/service/warnings.go
@@ -72,6 +72,10 @@ func GetWarningsForService(service, oldService *api.Service) []string {
 		warnings = append(warnings, fmt.Sprintf("spec.externalName is ignored when spec.type is not %q", api.ServiceTypeExternalName))
 	}
 
+	if service.Spec.TrafficDistribution != nil && *service.Spec.TrafficDistribution == api.ServiceTrafficDistributionPreferClose {
+		warnings = append(warnings, fmt.Sprintf("spec.trafficDistribution: %q is deprecated; use %q", api.ServiceTrafficDistributionPreferClose, api.ServiceTrafficDistributionPreferSameZone))
+	}
+
 	return warnings
 }
 
diff --git a/pkg/api/service/warnings_test.go b/pkg/api/service/warnings_test.go
index dcf2a2ade19da..3fe97f7d7cb1b 100644
--- a/pkg/api/service/warnings_test.go
+++ b/pkg/api/service/warnings_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/utils/ptr"
 )
 
 func TestGetWarningsForService(t *testing.T) {
@@ -90,18 +91,31 @@ func TestGetWarningsForService(t *testing.T) {
 			s.Spec.SessionAffinity = api.ServiceAffinityNone
 		},
 		numWarnings: 0,
-	},
-		{
-			name: "ExternalIPs, LoadBalancerIP and SessionAffinity set when headless service",
-			tweakSvc: func(s *api.Service) {
-				s.Spec.Type = api.ServiceTypeClusterIP
-				s.Spec.ClusterIP = api.ClusterIPNone
-				s.Spec.ExternalIPs = []string{"1.2.3.4"}
-				s.Spec.LoadBalancerIP = "1.2.3.4"
-				s.Spec.SessionAffinity = api.ServiceAffinityClientIP
-			},
-			numWarnings: 3,
-		}}
+	}, {
+		name: "ExternalIPs, LoadBalancerIP and SessionAffinity set when headless service",
+		tweakSvc: func(s *api.Service) {
+			s.Spec.Type = api.ServiceTypeClusterIP
+			s.Spec.ClusterIP = api.ClusterIPNone
+			s.Spec.ExternalIPs = []string{"1.2.3.4"}
+			s.Spec.LoadBalancerIP = "1.2.3.4"
+			s.Spec.SessionAffinity = api.ServiceAffinityClientIP
+		},
+		numWarnings: 3,
+	}, {
+		name: "trafficDistribution: PreferSameZone",
+		tweakSvc: func(s *api.Service) {
+			s.Spec.Type = api.ServiceTypeClusterIP
+			s.Spec.TrafficDistribution = ptr.To(api.ServiceTrafficDistributionPreferSameZone)
+		},
+		numWarnings: 0,
+	}, {
+		name: "trafficDistribution: PreferClose",
+		tweakSvc: func(s *api.Service) {
+			s.Spec.Type = api.ServiceTypeClusterIP
+			s.Spec.TrafficDistribution = ptr.To(api.ServiceTrafficDistributionPreferClose)
+		},
+		numWarnings: 1,
+	}}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
diff --git a/pkg/api/testing/OWNERS b/pkg/api/testing/OWNERS
index 9e252305ad200..23e6246b1d473 100644
--- a/pkg/api/testing/OWNERS
+++ b/pkg/api/testing/OWNERS
@@ -1,5 +1,7 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
+approvers:
+  - jpbetz
 reviewers:
   - thockin
   - smarterclayton
@@ -16,3 +18,7 @@ reviewers:
   - soltysh
   - jsafrane
   - rata
+  - jpbetz
+  - aaron-prindle
+  - lalitc375
+  - yongruilin
diff --git a/pkg/api/testing/defaulting_test.go b/pkg/api/testing/defaulting_test.go
index 73cee1fa4c22a..6805a5c76b139 100644
--- a/pkg/api/testing/defaulting_test.go
+++ b/pkg/api/testing/defaulting_test.go
@@ -93,8 +93,8 @@ func TestDefaulting(t *testing.T) {
 		{Group: "batch", Version: "v2alpha1", Kind: "CronJob"}:                                                     {},
 		{Group: "batch", Version: "v2alpha1", Kind: "CronJobList"}:                                                 {},
 		{Group: "batch", Version: "v2alpha1", Kind: "JobTemplate"}:                                                 {},
-		{Group: "certificates.k8s.io", Version: "v1alpha1", Kind: "PodCertificateRequest"}:                         {},
-		{Group: "certificates.k8s.io", Version: "v1alpha1", Kind: "PodCertificateRequestList"}:                     {},
+		{Group: "certificates.k8s.io", Version: "v1beta1", Kind: "PodCertificateRequest"}:                          {},
+		{Group: "certificates.k8s.io", Version: "v1beta1", Kind: "PodCertificateRequestList"}:                      {},
 		{Group: "certificates.k8s.io", Version: "v1beta1", Kind: "CertificateSigningRequest"}:                      {},
 		{Group: "certificates.k8s.io", Version: "v1beta1", Kind: "CertificateSigningRequestList"}:                  {},
 		{Group: "discovery.k8s.io", Version: "v1", Kind: "EndpointSlice"}:                                          {},
diff --git a/pkg/api/testing/serialization_proto_test.go b/pkg/api/testing/serialization_proto_test.go
index 6ba4a47e7406c..7cc03b9faffab 100644
--- a/pkg/api/testing/serialization_proto_test.go
+++ b/pkg/api/testing/serialization_proto_test.go
@@ -24,7 +24,6 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/gogo/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 
 	v1 "k8s.io/api/core/v1"
@@ -225,7 +224,7 @@ func BenchmarkDecodeCodecToInternalProtobuf(b *testing.B) {
 	b.StopTimer()
 }
 
-// BenchmarkDecodeJSON provides a baseline for regular JSON decode performance
+// BenchmarkDecodeIntoProtobuf provides a baseline for regular protobuf decode performance
 func BenchmarkDecodeIntoProtobuf(b *testing.B) {
 	items := benchmarkItems(b)
 	width := len(items)
@@ -237,14 +236,16 @@ func BenchmarkDecodeIntoProtobuf(b *testing.B) {
 		}
 		encoded[i] = data
 		validate := &v1.Pod{}
-		if err := proto.Unmarshal(data, validate); err != nil {
+		validate.Reset() // decode normally resets internally
+		if err := validate.Unmarshal(data); err != nil {
 			b.Fatalf("Failed to unmarshal %d: %v\n%#v", i, err, items[i])
 		}
 	}
 
 	for i := 0; i < b.N; i++ {
-		obj := v1.Pod{}
-		if err := proto.Unmarshal(encoded[i%width], &obj); err != nil {
+		obj := &v1.Pod{}
+		obj.Reset() // decode normally resets internally
+		if err := obj.Unmarshal(encoded[i%width]); err != nil {
 			b.Fatal(err)
 		}
 	}
diff --git a/pkg/api/testing/validation.go b/pkg/api/testing/validation.go
index ecf635f20d89d..e11ca144808c6 100644
--- a/pkg/api/testing/validation.go
+++ b/pkg/api/testing/validation.go
@@ -18,24 +18,65 @@ package testing
 
 import (
 	"bytes"
+	"context"
 	"sort"
 	"strconv"
 	"testing"
 
-	k8sruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	runtimetest "k8s.io/apimachinery/pkg/runtime/testing"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 )
 
+// ValidateFunc is a function that runs validation.
+type ValidateFunc func(ctx context.Context, obj runtime.Object) field.ErrorList
+
+// ValidateUpdateFunc is a function that runs update validation.
+type ValidateUpdateFunc func(ctx context.Context, obj, old runtime.Object) field.ErrorList
+
 // VerifyVersionedValidationEquivalence tests that all versions of an API return equivalent validation errors.
-func VerifyVersionedValidationEquivalence(t *testing.T, obj, old k8sruntime.Object, subresources ...string) {
+// It accepts optional configuration to handle path normalization across API versions where structures differ.
+func VerifyVersionedValidationEquivalence(t *testing.T, obj, old runtime.Object, testConfigs ...ValidationTestConfig) {
 	t.Helper()
 
+	opts := &validationOption{}
+	for _, testcfg := range testConfigs {
+		testcfg(opts)
+	}
+
 	// Accumulate errors from all versioned validation, per version.
 	all := map[string]field.ErrorList{}
 	accumulate := func(t *testing.T, gv string, errs field.ErrorList) {
+		// If normalization rules are provided, apply them to the field paths of generated errors.
+		// This allows comparing errors between API versions that have structural differences
+		// (e.g. flattened vs nested fields).
+		// We must normalize in place before sorting.
+		for i := range errs {
+			currentPath := errs[i].Field
+			for _, rule := range opts.NormalizationRules {
+				normalized := rule.Regexp.ReplaceAllString(currentPath, rule.Replacement)
+				if normalized != currentPath {
+					errs[i].Field = normalized
+					// Apply only the first matching rule per error
+					break
+				}
+			}
+		}
+		// Re-sort the error list based primarily on the normalized field paths
+		// to ensure errors align correctly during index-by-index comparison,
+		// regardless of their original structure.
+		sort.Slice(errs, func(i, j int) bool {
+			if errs[i].Field != errs[j].Field {
+				return errs[i].Field < errs[j].Field
+			}
+			// Secondary sort by full error string for determinism when fields are equal
+			return errs[i].Error() < errs[j].Error()
+		})
 		all[gv] = errs
 	}
 	// Convert versioned object to internal format before validation.
@@ -48,7 +89,7 @@ func VerifyVersionedValidationEquivalence(t *testing.T, obj, old k8sruntime.Obje
 		return
 	}
 	if old == nil {
-		runtimetest.RunValidationForEachVersion(t, legacyscheme.Scheme, []string{}, internalObj, accumulate, subresources...)
+		runtimetest.RunValidationForEachVersion(t, legacyscheme.Scheme, []string{}, internalObj, accumulate, opts.SubResources...)
 	} else {
 		// Convert old versioned object to internal format before validation.
 		// runtimetest.RunUpdateValidationForEachVersion requires unversioned (internal) objects as input.
@@ -59,7 +100,7 @@ func VerifyVersionedValidationEquivalence(t *testing.T, obj, old k8sruntime.Obje
 		if internalOld == nil {
 			return
 		}
-		runtimetest.RunUpdateValidationForEachVersion(t, legacyscheme.Scheme, []string{}, internalObj, internalOld, accumulate, subresources...)
+		runtimetest.RunUpdateValidationForEachVersion(t, legacyscheme.Scheme, []string{}, internalObj, internalOld, accumulate, opts.SubResources...)
 	}
 
 	// Make a copy so we can modify it.
@@ -94,13 +135,19 @@ func VerifyVersionedValidationEquivalence(t *testing.T, obj, old k8sruntime.Obje
 			}
 			next := false
 			for i := range lv {
-				if l, r := lv[i], rv[i]; l.Type != r.Type || l.Detail != r.Detail {
-					t.Errorf("different errors\n%s: %v\n%s: %v", lk, fmtErrs(lv), rk, fmtErrs(rv))
+				// We don't use reflect.DeepEqual here because unversioned and versioned
+				// validation might have different bad values (e.g. pointer vs value).
+				// We also don't use ErrorMatcher here because it doesn't handle re-sorting
+				// required after normalization in multi-error scenarios within this specific loop structure.
+				l, r := lv[i], rv[i]
+				// Compare field (already normalized), type, detail, and origin.
+				if l.Type != r.Type || l.Field != r.Field || l.Detail != r.Detail || l.Origin != r.Origin {
+					t.Errorf("different errors at index %d\n%s: %v\n%s: %v", i, lk, l.Error(), rk, r.Error())
 					next = true
-					break
 				}
 			}
 			if next {
+				t.Errorf("complete error lists for context:\n%s: %v\n%s: %v", lk, fmtErrs(lv), rk, fmtErrs(rv))
 				continue
 			}
 		}
@@ -117,14 +164,14 @@ func fmtErrs(errs field.ErrorList) string {
 	}
 	buf := bytes.Buffer{}
 	for _, e := range errs {
-		buf.WriteString("\n")
+		buf.WriteString("\n\t")
 		buf.WriteString(strconv.Quote(e.Error()))
 	}
 
 	return buf.String()
 }
 
-func convertToInternal(t *testing.T, scheme *k8sruntime.Scheme, obj k8sruntime.Object) (k8sruntime.Object, error) {
+func convertToInternal(t *testing.T, scheme *runtime.Scheme, obj runtime.Object) (runtime.Object, error) {
 	t.Helper()
 
 	gvks, _, err := scheme.ObjectKinds(obj)
@@ -135,13 +182,164 @@ func convertToInternal(t *testing.T, scheme *k8sruntime.Scheme, obj k8sruntime.O
 		t.Fatal("no GVKs found for object")
 	}
 	gvk := gvks[0]
-	if gvk.Version == k8sruntime.APIVersionInternal {
+	if gvk.Version == runtime.APIVersionInternal {
 		return obj, nil
 	}
-	gvk.Version = k8sruntime.APIVersionInternal
+	gvk.Version = runtime.APIVersionInternal
 	if !scheme.Recognizes(gvk) {
 		t.Logf("no internal object found for GroupKind %s", gvk.GroupKind().String())
 		return nil, nil
 	}
-	return scheme.ConvertToVersion(obj, schema.GroupVersion{Group: gvk.Group, Version: k8sruntime.APIVersionInternal})
+	return scheme.ConvertToVersion(obj, schema.GroupVersion{Group: gvk.Group, Version: runtime.APIVersionInternal})
+}
+
+type ValidationTestConfig func(*validationOption)
+
+// validationOptions encapsulates optional parameters for validation equivalence tests.
+type validationOption struct {
+	// SubResources are the subresources to validate.
+	SubResources []string
+	// NormalizationRules are the rules to apply to field paths before comparison.
+	NormalizationRules []field.NormalizationRule
+}
+
+func WithSubResources(subResources ...string) ValidationTestConfig {
+	return func(o *validationOption) {
+		o.SubResources = subResources
+	}
+}
+
+func WithNormalizationRules(rules ...field.NormalizationRule) ValidationTestConfig {
+	return func(o *validationOption) {
+		o.NormalizationRules = rules
+	}
+}
+
+// VerifyValidationEquivalence provides a helper for testing the migration from
+// hand-written imperative validation to declarative validation. It ensures that
+// the validation logic remains consistent before and after the feature is enabled.
+//
+// The function operates by running the provided validation function under two scenarios:
+//  1. With DeclarativeValidation and DeclarativeValidationTakeover feature gates disabled,
+//     simulating the legacy hand-written validation.
+//  2. With both feature gates enabled, using the new declarative validation rules.
+//
+// It then asserts that the validation errors produced in both scenarios are equivalent,
+// guaranteeing a safe migration. It also checks the errors against an expected set.
+// It compares errors by field, origin and type; all three should match to be called equivalent.
+// It also make sure all versions of the given API returns equivalent errors.
+func VerifyValidationEquivalence(t *testing.T, ctx context.Context, obj runtime.Object, validateFn ValidateFunc, expectedErrs field.ErrorList, testConfigs ...ValidationTestConfig) {
+	t.Helper()
+	opts := &validationOption{}
+	for _, testcfg := range testConfigs {
+		testcfg(opts)
+	}
+	verifyValidationEquivalence(t, expectedErrs, func() field.ErrorList {
+		return validateFn(ctx, obj)
+	}, opts)
+	VerifyVersionedValidationEquivalence(t, obj, nil, testConfigs...)
+}
+
+// VerifyUpdateValidationEquivalence provides a helper for testing the migration from
+// hand-written imperative validation to declarative validation for update operations.
+// It ensures that the validation logic remains consistent before and after the feature is enabled.
+//
+// The function operates by running the provided validation function under two scenarios:
+//  1. With DeclarativeValidation and DeclarativeValidationTakeover feature gates disabled,
+//     simulating the legacy hand-written validation.
+//  2. With both feature gates enabled, using the new declarative validation rules.
+//
+// It then asserts that the validation errors produced in both scenarios are equivalent,
+// guaranteeing a safe migration. It also checks the errors against an expected set.
+// It compares errors by field, origin and type; all three should match to be called equivalent.
+// It also make sure all versions of the given API returns equivalent errors.
+func VerifyUpdateValidationEquivalence(t *testing.T, ctx context.Context, obj, old runtime.Object, validateUpdateFn ValidateUpdateFunc, expectedErrs field.ErrorList, testConfigs ...ValidationTestConfig) {
+	t.Helper()
+	opts := &validationOption{}
+	for _, testcfg := range testConfigs {
+		testcfg(opts)
+	}
+	verifyValidationEquivalence(t, expectedErrs, func() field.ErrorList {
+		return validateUpdateFn(ctx, obj, old)
+	}, opts)
+	VerifyVersionedValidationEquivalence(t, obj, old, testConfigs...)
+}
+
+// verifyValidationEquivalence is a generic helper that verifies validation equivalence with and without declarative validation.
+func verifyValidationEquivalence(t *testing.T, expectedErrs field.ErrorList, runValidations func() field.ErrorList, opt *validationOption) {
+	t.Helper()
+	var declarativeTakeoverErrs field.ErrorList
+	var imperativeErrs field.ErrorList
+
+	// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
+	errOutputMatcher := field.ErrorMatcher{}.ByType().ByOrigin().ByFieldNormalized(opt.NormalizationRules)
+
+	// We only need to test both gate enabled and disabled together, because
+	// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
+	// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
+	t.Run("with declarative validation", func(t *testing.T) {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			features.DeclarativeValidation:         true,
+			features.DeclarativeValidationTakeover: true,
+		})
+		declarativeTakeoverErrs = runValidations()
+
+		if len(expectedErrs) > 0 {
+			errOutputMatcher.Test(t, expectedErrs, declarativeTakeoverErrs)
+		} else if len(declarativeTakeoverErrs) != 0 {
+			t.Errorf("expected no errors, but got: %v", declarativeTakeoverErrs)
+		}
+	})
+
+	t.Run("hand written validation", func(t *testing.T) {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			features.DeclarativeValidationTakeover: false,
+			features.DeclarativeValidation:         false,
+		})
+		imperativeErrs = runValidations()
+
+		if len(expectedErrs) > 0 {
+			errOutputMatcher.Test(t, expectedErrs, imperativeErrs)
+		} else if len(imperativeErrs) != 0 {
+			t.Errorf("expected no errors, but got: %v", imperativeErrs)
+		}
+	})
+
+	if t.Failed() {
+		// There is no point in moving forward, if any of above tests failed for any reason. Running follow up tests will return noise.
+		t.SkipNow()
+	}
+
+	// The equivalenceMatcher is used to verify the output errors from hand-written imperative validation
+	// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
+	equivalenceMatcher := field.ErrorMatcher{}.ByType().ByOrigin()
+	if len(opt.NormalizationRules) > 0 {
+		equivalenceMatcher = equivalenceMatcher.ByFieldNormalized(opt.NormalizationRules)
+	} else {
+		equivalenceMatcher = equivalenceMatcher.ByField()
+	}
+
+	// The imperative validation may produce duplicate errors, which is not supported by the ErrorMatcher.
+	// TODO: remove this once ErrorMatcher has been extended to handle this form of deduplication.
+	imperativeErrs = deDuplicateErrors(imperativeErrs, equivalenceMatcher)
+
+	equivalenceMatcher.Test(t, imperativeErrs, declarativeTakeoverErrs)
+}
+
+// deDuplicateErrors removes duplicate errors from an ErrorList based on the provided matcher.
+func deDuplicateErrors(errs field.ErrorList, matcher field.ErrorMatcher) field.ErrorList {
+	var deduped field.ErrorList
+	for _, err := range errs {
+		found := false
+		for _, existingErr := range deduped {
+			if matcher.Matches(existingErr, err) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			deduped = append(deduped, err)
+		}
+	}
+	return deduped
 }
diff --git a/pkg/api/testing/validation_test.go b/pkg/api/testing/validation_test.go
index 922fb526f76c1..41ec078559180 100644
--- a/pkg/api/testing/validation_test.go
+++ b/pkg/api/testing/validation_test.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	resourcevalidation "k8s.io/kubernetes/pkg/apis/resource/validation"
 )
 
 // FIXME: Automatically finds all group/versions supporting declarative validation, or add
@@ -35,28 +36,41 @@ func TestVersionedValidationByFuzzing(t *testing.T) {
 		{Group: "certificates.k8s.io", Version: "v1"},
 		{Group: "certificates.k8s.io", Version: "v1alpha1"},
 		{Group: "certificates.k8s.io", Version: "v1beta1"},
+		{Group: "resource.k8s.io", Version: "v1beta1"},
+		{Group: "resource.k8s.io", Version: "v1beta2"},
+		{Group: "resource.k8s.io", Version: "v1"},
+		{Group: "storage.k8s.io", Version: "v1"},
+		{Group: "storage.k8s.io", Version: "v1beta1"},
+		{Group: "storage.k8s.io", Version: "v1alpha1"},
 	}
 
+	fuzzIters := *roundtrip.FuzzIters / 10 // TODO: Find a better way to manage test running time
+	f := fuzzer.FuzzerFor(FuzzerFuncs, rand.NewSource(rand.Int63()), legacyscheme.Codecs)
+
 	for _, gv := range typesWithDeclarativeValidation {
-		t.Run(gv.String(), func(t *testing.T) {
-			for i := 0; i < *roundtrip.FuzzIters; i++ {
-				f := fuzzer.FuzzerFor(FuzzerFuncs, rand.NewSource(rand.Int63()), legacyscheme.Codecs)
-				for kind := range legacyscheme.Scheme.KnownTypes(gv) {
-					obj, err := legacyscheme.Scheme.New(gv.WithKind(kind))
+		for kind := range legacyscheme.Scheme.KnownTypes(gv) {
+			gvk := gv.WithKind(kind)
+			t.Run(gvk.String(), func(t *testing.T) {
+				for i := 0; i < fuzzIters; i++ {
+					obj, err := legacyscheme.Scheme.New(gvk)
 					if err != nil {
 						t.Fatalf("could not create a %v: %s", kind, err)
 					}
 					f.Fill(obj)
-					VerifyVersionedValidationEquivalence(t, obj, nil)
+
+					var opts []ValidationTestConfig
+					opts = append(opts, WithNormalizationRules(resourcevalidation.ResourceNormalizationRules...))
+
+					VerifyVersionedValidationEquivalence(t, obj, nil, opts...)
 
 					old, err := legacyscheme.Scheme.New(gv.WithKind(kind))
 					if err != nil {
 						t.Fatalf("could not create a %v: %s", kind, err)
 					}
 					f.Fill(old)
-					VerifyVersionedValidationEquivalence(t, obj, old)
+					VerifyVersionedValidationEquivalence(t, obj, old, opts...)
 				}
-			}
-		})
+			})
+		}
 	}
 }
diff --git a/pkg/api/v1/endpoints/util.go b/pkg/api/v1/endpoints/util.go
index d0af83be2745d..f283230652eba 100644
--- a/pkg/api/v1/endpoints/util.go
+++ b/pkg/api/v1/endpoints/util.go
@@ -18,12 +18,12 @@ package endpoints
 
 import (
 	"bytes"
-	"crypto/md5"
 	"encoding/hex"
 	"hash"
+	"hash/fnv"
 	"sort"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	hashutil "k8s.io/kubernetes/pkg/util/hash"
 )
@@ -154,7 +154,7 @@ func hashAddresses(addrs addressSet) string {
 		slice = append(slice, addrReady{k, ready})
 	}
 	sort.Sort(addrsReady(slice))
-	hasher := md5.New()
+	hasher := fnv.New128a()
 	hashutil.DeepHashObject(hasher, slice)
 	return hex.EncodeToString(hasher.Sum(nil)[0:])
 }
@@ -210,7 +210,7 @@ type subsetsByHash []v1.EndpointSubset
 func (sl subsetsByHash) Len() int      { return len(sl) }
 func (sl subsetsByHash) Swap(i, j int) { sl[i], sl[j] = sl[j], sl[i] }
 func (sl subsetsByHash) Less(i, j int) bool {
-	hasher := md5.New()
+	hasher := fnv.New128a()
 	h1 := hashObject(hasher, sl[i])
 	h2 := hashObject(hasher, sl[j])
 	return bytes.Compare(h1, h2) < 0
@@ -229,7 +229,7 @@ type portsByHash []v1.EndpointPort
 func (sl portsByHash) Len() int      { return len(sl) }
 func (sl portsByHash) Swap(i, j int) { sl[i], sl[j] = sl[j], sl[i] }
 func (sl portsByHash) Less(i, j int) bool {
-	hasher := md5.New()
+	hasher := fnv.New128a()
 	h1 := hashObject(hasher, sl[i])
 	h2 := hashObject(hasher, sl[j])
 	return bytes.Compare(h1, h2) < 0
diff --git a/pkg/api/v1/pod/util.go b/pkg/api/v1/pod/util.go
index 6d79457150cf7..6533b38ee890c 100644
--- a/pkg/api/v1/pod/util.go
+++ b/pkg/api/v1/pod/util.go
@@ -418,11 +418,16 @@ func IsContainerRestartable(pod v1.PodSpec, container v1.Container) bool {
 // level policy are specified, pod-level restart policy is used.
 func ContainerShouldRestart(container v1.Container, pod v1.PodSpec, exitCode int32) bool {
 	if container.RestartPolicy != nil {
-		rule, ok := findMatchingContainerRestartRule(container, exitCode)
+		rule, ok := FindMatchingContainerRestartRule(container, exitCode)
 		if ok {
 			switch rule.Action {
 			case v1.ContainerRestartRuleActionRestart:
 				return true
+			case v1.ContainerRestartRuleActionRestartAllContainers:
+				if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+					return true
+				}
+				// If feature is not enabled, fallback to container-level policy.
 			default:
 				// Do nothing, fallback to container-level restart policy.
 			}
@@ -454,10 +459,10 @@ func ContainerShouldRestart(container v1.Container, pod v1.PodSpec, exitCode int
 	}
 }
 
-// findMatchingContainerRestartRule returns a rule and true if the exitCode matched
+// FindMatchingContainerRestartRule returns a rule and true if the exitCode matched
 // one of the restart rules for the given container. Returns and empty rule and
 // false if no rules matched.
-func findMatchingContainerRestartRule(container v1.Container, exitCode int32) (rule v1.ContainerRestartRule, found bool) {
+func FindMatchingContainerRestartRule(container v1.Container, exitCode int32) (rule v1.ContainerRestartRule, found bool) {
 	for _, rule := range container.RestartPolicyRules {
 		if rule.ExitCodes != nil {
 			exitCodeMatched := false
@@ -483,6 +488,30 @@ func findMatchingContainerRestartRule(container v1.Container, exitCode int32) (r
 	return v1.ContainerRestartRule{}, false
 }
 
+// AllContainersCouldRestart returns true if all containers could be restarted
+// for the given pod. This is true if any container has a RestartAllContainers
+// action.
+func AllContainersCouldRestart(pod *v1.PodSpec) bool {
+	if pod == nil {
+		return false
+	}
+	for _, container := range pod.InitContainers {
+		for _, rule := range container.RestartPolicyRules {
+			if rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+	for _, container := range pod.Containers {
+		for _, rule := range container.RestartPolicyRules {
+			if rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // CalculatePodStatusObservedGeneration calculates the observedGeneration for the pod status.
 // This is used to track the generation of the pod that was observed by the kubelet.
 // The observedGeneration is set to the pod's generation when the feature gate
diff --git a/pkg/api/v1/pod/util_test.go b/pkg/api/v1/pod/util_test.go
index 50c3e05461e5d..bd3044e195ef2 100644
--- a/pkg/api/v1/pod/util_test.go
+++ b/pkg/api/v1/pod/util_test.go
@@ -29,7 +29,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/features"
 )
@@ -1015,21 +1014,8 @@ func TestCalculatePodStatusObservedGeneration(t *testing.T) {
 	tests := []struct {
 		name     string
 		pod      *v1.Pod
-		features map[featuregate.Feature]bool
 		expected int64
 	}{
-		{
-			name: "pod with no observedGeneration/PodObservedGenerationTracking=false",
-			pod: &v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Generation: 5,
-				},
-			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: false,
-			},
-			expected: 0,
-		},
 		{
 			name: "pod with no observedGeneration/PodObservedGenerationTracking=true",
 			pod: &v1.Pod{
@@ -1037,24 +1023,6 @@ func TestCalculatePodStatusObservedGeneration(t *testing.T) {
 					Generation: 5,
 				},
 			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: true,
-			},
-			expected: 5,
-		},
-		{
-			name: "pod with observedGeneration/PodObservedGenerationTracking=false",
-			pod: &v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Generation: 5,
-				},
-				Status: v1.PodStatus{
-					ObservedGeneration: 5,
-				},
-			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: false,
-			},
 			expected: 5,
 		},
 		{
@@ -1067,18 +1035,12 @@ func TestCalculatePodStatusObservedGeneration(t *testing.T) {
 					ObservedGeneration: 5,
 				},
 			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: true,
-			},
 			expected: 5,
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			for f, v := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, v)
-			}
 			assert.Equal(t, tc.expected, CalculatePodStatusObservedGeneration(tc.pod))
 		})
 	}
@@ -1088,26 +1050,8 @@ func TestCalculatePodConditionObservedGeneration(t *testing.T) {
 	tests := []struct {
 		name     string
 		pod      *v1.Pod
-		features map[featuregate.Feature]bool
 		expected int64
 	}{
-		{
-			name: "pod with no observedGeneration/PodObservedGenerationTracking=false",
-			pod: &v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Generation: 5,
-				},
-				Status: v1.PodStatus{
-					Conditions: []v1.PodCondition{{
-						Type: v1.PodReady,
-					}},
-				},
-			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: false,
-			},
-			expected: 0,
-		},
 		{
 			name: "pod with no observedGeneration/PodObservedGenerationTracking=true",
 			pod: &v1.Pod{
@@ -1120,27 +1064,6 @@ func TestCalculatePodConditionObservedGeneration(t *testing.T) {
 					}},
 				},
 			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: true,
-			},
-			expected: 5,
-		},
-		{
-			name: "pod with observedGeneration/PodObservedGenerationTracking=false",
-			pod: &v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Generation: 5,
-				},
-				Status: v1.PodStatus{
-					Conditions: []v1.PodCondition{{
-						Type:               v1.PodReady,
-						ObservedGeneration: 5,
-					}},
-				},
-			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: false,
-			},
 			expected: 5,
 		},
 		{
@@ -1156,18 +1079,12 @@ func TestCalculatePodConditionObservedGeneration(t *testing.T) {
 					}},
 				},
 			},
-			features: map[featuregate.Feature]bool{
-				features.PodObservedGenerationTracking: true,
-			},
 			expected: 5,
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			for f, v := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, v)
-			}
 			assert.Equal(t, tc.expected, CalculatePodConditionObservedGeneration(&tc.pod.Status, tc.pod.Generation, v1.PodReady))
 		})
 	}
@@ -1268,6 +1185,7 @@ func TestContainerHasRestartablePolicy(t *testing.T) {
 		name      string
 		container v1.Container
 		podSpec   v1.PodSpec
+		podStatus v1.PodStatus
 		exitCode  int32
 		expected  bool
 	}{
@@ -1305,6 +1223,23 @@ func TestContainerHasRestartablePolicy(t *testing.T) {
 			exitCode: 99,
 			expected: true,
 		},
+		{
+			name: "Rule: 'In' operator matches with 'RestartAllContainers' action",
+			container: v1.Container{
+				RestartPolicy: &containerRestartPolicyNever,
+				RestartPolicyRules: []v1.ContainerRestartRule{
+					{
+						Action: v1.ContainerRestartRuleActionRestartAllContainers,
+						ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+							Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{42, 50, 60},
+						},
+					},
+				},
+			},
+			exitCode: 42,
+			expected: true,
+		},
 		{
 			name: "Rule: 'In' operator does not match, should fall back to container policy",
 			container: v1.Container{
@@ -1397,6 +1332,11 @@ func TestContainerHasRestartablePolicy(t *testing.T) {
 			expected:  true,
 		},
 	}
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -1411,6 +1351,90 @@ func TestContainerHasRestartablePolicy(t *testing.T) {
 	}
 }
 
+func TestAllContainersCouldRestart(t *testing.T) {
+	restartPolicyAlways := v1.ContainerRestartPolicyAlways
+
+	testCases := []struct {
+		name     string
+		podSpec  *v1.PodSpec
+		expected bool
+	}{
+		{
+			name: "Pod with rules in init containers",
+			podSpec: &v1.PodSpec{
+				InitContainers: []v1.Container{
+					{
+						RestartPolicyRules: []v1.ContainerRestartRule{
+							{
+								Action: v1.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+									Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{1},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Pod with rules in sidecar containers",
+			podSpec: &v1.PodSpec{
+				InitContainers: []v1.Container{
+					{
+						RestartPolicy: &restartPolicyAlways,
+						RestartPolicyRules: []v1.ContainerRestartRule{
+							{
+								Action: v1.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+									Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{1},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Pod with rules in regular containers",
+			podSpec: &v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						RestartPolicy: &restartPolicyAlways,
+						RestartPolicyRules: []v1.ContainerRestartRule{
+							{
+								Action: v1.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+									Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{1},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name:     "Pod without rules",
+			podSpec:  &v1.PodSpec{},
+			expected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := AllContainersCouldRestart(tc.podSpec)
+			if got != tc.expected {
+				t.Errorf("AllContainersRestarting() = %v, want %v", got, tc.expected)
+			}
+		})
+	}
+}
+
 func TestFindMatchingContainerRestartRule(t *testing.T) {
 	ruleIn := v1.ContainerRestartRule{
 		Action: v1.ContainerRestartRuleActionRestart,
@@ -1489,7 +1513,7 @@ func TestFindMatchingContainerRestartRule(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			rule, found := findMatchingContainerRestartRule(tc.container, tc.exitCode)
+			rule, found := FindMatchingContainerRestartRule(tc.container, tc.exitCode)
 			if found != tc.expectedFound {
 				t.Errorf("FindMatchingContainerRestartRule() found = %v, want %v", found, tc.expectedFound)
 			}
diff --git a/pkg/apis/abac/v1beta1/doc.go b/pkg/apis/abac/v1beta1/doc.go
index 07647ddc3575a..f114c84f1c0b4 100644
--- a/pkg/apis/abac/v1beta1/doc.go
+++ b/pkg/apis/abac/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/abac
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=pkg.apis.abac.v1beta1
 
 // +groupName=abac.authorization.kubernetes.io
 
diff --git a/pkg/apis/abac/v1beta1/zz_generated.model_name.go b/pkg/apis/abac/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..811049c7f43ab
--- /dev/null
+++ b/pkg/apis/abac/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Policy) OpenAPIModelName() string {
+	return "pkg.apis.abac.v1beta1.Policy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicySpec) OpenAPIModelName() string {
+	return "pkg.apis.abac.v1beta1.PolicySpec"
+}
diff --git a/pkg/apis/admissionregistration/types.go b/pkg/apis/admissionregistration/types.go
index 1665d38a26ff3..dad928096d8ce 100644
--- a/pkg/apis/admissionregistration/types.go
+++ b/pkg/apis/admissionregistration/types.go
@@ -1033,16 +1033,18 @@ type MutatingWebhook struct {
 	MatchConditions []MatchCondition
 }
 
-// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// ReinvocationPolicyType specifies what type of policy is used when other admission plugins also perform
+// modifications.
+// +enum
 type ReinvocationPolicyType string
 
 var (
-	// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+	// NeverReinvocationPolicy indicates that the mutation must not be called more than once in a
 	// single admission evaluation.
 	NeverReinvocationPolicy ReinvocationPolicyType = "Never"
-	// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+	// IfNeededReinvocationPolicy indicates that the mutation may be called at least one
 	// additional time as part of the admission evaluation if the object being admitted is
-	// modified by other admission plugins after the initial webhook call.
+	// modified by other admission plugins after the initial mutation call.
 	IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded"
 )
 
diff --git a/pkg/apis/admissionregistration/validation/validation.go b/pkg/apis/admissionregistration/validation/validation.go
index 7a225b4e31893..815f51a497aea 100644
--- a/pkg/apis/admissionregistration/validation/validation.go
+++ b/pkg/apis/admissionregistration/validation/validation.go
@@ -38,8 +38,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
 	"k8s.io/apiserver/pkg/cel"
 	"k8s.io/apiserver/pkg/cel/environment"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/util/jsonpath"
 
@@ -226,7 +224,6 @@ func ValidateValidatingWebhookConfiguration(e *admissionregistration.ValidatingW
 		requireRecognizedAdmissionReviewVersion: true,
 		requireUniqueWebhookNames:               true,
 		allowInvalidLabelValueInSelector:        false,
-		strictCostEnforcement:                   utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks),
 	})
 }
 
@@ -256,7 +253,6 @@ func ValidateMutatingWebhookConfiguration(e *admissionregistration.MutatingWebho
 		requireRecognizedAdmissionReviewVersion: true,
 		requireUniqueWebhookNames:               true,
 		allowInvalidLabelValueInSelector:        false,
-		strictCostEnforcement:                   utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks),
 	})
 }
 
@@ -268,7 +264,6 @@ type validationOptions struct {
 	requireUniqueWebhookNames               bool
 	allowInvalidLabelValueInSelector        bool
 	preexistingExpressions                  preexistingExpressions
-	strictCostEnforcement                   bool
 }
 
 type preexistingExpressions struct {
@@ -739,7 +734,6 @@ func ValidateValidatingWebhookConfigurationUpdate(newC, oldC *admissionregistrat
 		requireUniqueWebhookNames:               validatingHasUniqueWebhookNames(oldC.Webhooks),
 		allowInvalidLabelValueInSelector:        validatingWebhookHasInvalidLabelValueInSelector(oldC.Webhooks),
 		preexistingExpressions:                  findValidatingPreexistingExpressions(oldC),
-		strictCostEnforcement:                   utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks),
 	})
 }
 
@@ -753,7 +747,6 @@ func ValidateMutatingWebhookConfigurationUpdate(newC, oldC *admissionregistratio
 		requireUniqueWebhookNames:               mutatingHasUniqueWebhookNames(oldC.Webhooks),
 		allowInvalidLabelValueInSelector:        mutatingWebhookHasInvalidLabelValueInSelector(oldC.Webhooks),
 		preexistingExpressions:                  findMutatingPreexistingExpressions(oldC),
-		strictCostEnforcement:                   utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks),
 	})
 }
 
@@ -767,7 +760,7 @@ const (
 
 // ValidateValidatingAdmissionPolicy validates a ValidatingAdmissionPolicy before creation.
 func ValidateValidatingAdmissionPolicy(p *admissionregistration.ValidatingAdmissionPolicy) field.ErrorList {
-	return validateValidatingAdmissionPolicy(p, validationOptions{ignoreMatchConditions: false, strictCostEnforcement: utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP)})
+	return validateValidatingAdmissionPolicy(p, validationOptions{ignoreMatchConditions: false})
 }
 
 func validateValidatingAdmissionPolicy(p *admissionregistration.ValidatingAdmissionPolicy, opts validationOptions) field.ErrorList {
@@ -782,7 +775,7 @@ func validateValidatingAdmissionPolicySpec(meta metav1.ObjectMeta, spec *admissi
 	getCompiler := func() plugincel.Compiler {
 		if compiler == nil {
 			needsComposition := len(spec.Variables) > 0
-			compiler = createCompiler(needsComposition, opts.strictCostEnforcement)
+			compiler = createCompiler(needsComposition)
 		}
 		return compiler
 	}
@@ -1027,7 +1020,6 @@ func validateVariable(compiler plugincel.Compiler, v *admissionregistration.Vari
 			result := compiler.CompileAndStoreVariable(variable, plugincel.OptionalVariableDeclarations{
 				HasParams:     paramKind != nil,
 				HasAuthorizer: true,
-				StrictCost:    opts.strictCostEnforcement,
 			}, envType)
 			if result.Error != nil {
 				allErrors = append(allErrors, convertCELErrorToValidationError(fldPath.Child("expression"), variable, result.Error))
@@ -1102,7 +1094,6 @@ func validateValidationExpression(compiler plugincel.Compiler, expression string
 	}, plugincel.OptionalVariableDeclarations{
 		HasParams:     hasParams,
 		HasAuthorizer: true,
-		StrictCost:    opts.strictCostEnforcement,
 	}, envType, fldPath)
 }
 
@@ -1112,17 +1103,12 @@ func validateMatchConditionsExpression(expression string, opts validationOptions
 		envType = environment.StoredExpressions
 	}
 	var compiler plugincel.Compiler
-	if opts.strictCostEnforcement {
-		compiler = getStrictStatelessCELCompiler()
-	} else {
-		compiler = getNonStrictStatelessCELCompiler()
-	}
+	compiler = getStrictStatelessCELCompiler()
 	return validateCELCondition(compiler, &matchconditions.MatchCondition{
 		Expression: expression,
 	}, plugincel.OptionalVariableDeclarations{
 		HasParams:     opts.allowParamsInMatchConditions,
 		HasAuthorizer: true,
-		StrictCost:    opts.strictCostEnforcement,
 	}, envType, fldPath)
 }
 
@@ -1136,7 +1122,6 @@ func validateMessageExpression(compiler plugincel.Compiler, expression string, o
 	}, plugincel.OptionalVariableDeclarations{
 		HasParams:     opts.allowParamsInMatchConditions,
 		HasAuthorizer: false,
-		StrictCost:    opts.strictCostEnforcement,
 	}, envType, fldPath)
 }
 
@@ -1161,7 +1146,7 @@ func validateAuditAnnotation(compiler plugincel.Compiler, meta metav1.ObjectMeta
 		}
 		result := compiler.CompileCELExpression(&validatingadmissionpolicy.AuditAnnotationCondition{
 			ValueExpression: trimmedValueExpression,
-		}, plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true, StrictCost: opts.strictCostEnforcement}, envType)
+		}, plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true}, envType)
 		if result.Error != nil {
 			switch result.Error.Type {
 			case cel.ErrorTypeRequired:
@@ -1255,7 +1240,6 @@ func ValidateValidatingAdmissionPolicyUpdate(newC, oldC *admissionregistration.V
 	return validateValidatingAdmissionPolicy(newC, validationOptions{
 		ignoreMatchConditions:  ignoreValidatingAdmissionPolicyMatchConditions(newC, oldC),
 		preexistingExpressions: findValidatingPolicyPreexistingExpressions(oldC),
-		strictCostEnforcement:  utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP),
 	})
 }
 
@@ -1320,38 +1304,24 @@ func validateFieldRef(fieldRef string, fldPath *field.Path) field.ErrorList {
 var (
 	lazyStrictStatelessCELCompilerInit sync.Once
 	lazyStrictStatelessCELCompiler     plugincel.Compiler
-
-	lazyNonStrictStatelessCELCompilerInit sync.Once
-	lazyNonStrictStatelessCELCompiler     plugincel.Compiler
 )
 
 func getStrictStatelessCELCompiler() plugincel.Compiler {
 	lazyStrictStatelessCELCompilerInit.Do(func() {
-		lazyStrictStatelessCELCompiler = plugincel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+		lazyStrictStatelessCELCompiler = plugincel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	})
 	return lazyStrictStatelessCELCompiler
 }
 
-func getNonStrictStatelessCELCompiler() plugincel.Compiler {
-	lazyNonStrictStatelessCELCompilerInit.Do(func() {
-		lazyNonStrictStatelessCELCompiler = plugincel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
-	})
-	return lazyNonStrictStatelessCELCompiler
-}
-
-func createCompiler(allowComposition, strictCost bool) plugincel.Compiler {
+func createCompiler(allowComposition bool) plugincel.Compiler {
 	if !allowComposition {
-		if strictCost {
-			return getStrictStatelessCELCompiler()
-		} else {
-			return getNonStrictStatelessCELCompiler()
-		}
+		return getStrictStatelessCELCompiler()
 	}
-	compiler, err := plugincel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), strictCost))
+	compiler, err := plugincel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	if err != nil {
 		// should never happen, but cannot panic either.
 		utilruntime.HandleError(err)
-		return plugincel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), strictCost))
+		return plugincel.NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	}
 	return compiler
 }
@@ -1380,7 +1350,6 @@ func ValidateMutatingAdmissionPolicyUpdate(newC, oldC *admissionregistration.Mut
 	return validateMutatingAdmissionPolicy(newC, validationOptions{
 		ignoreMatchConditions:  ignoreMutatingAdmissionPolicyMatchConditions(newC, oldC),
 		preexistingExpressions: findMutatingPolicyPreexistingExpressions(oldC),
-		strictCostEnforcement:  true,
 	})
 }
 
@@ -1391,7 +1360,7 @@ func ValidateMutatingAdmissionPolicyBindingUpdate(newC, oldC *admissionregistrat
 
 // ValidateMutatingAdmissionPolicy validates a MutatingAdmissionPolicy before creation.
 func ValidateMutatingAdmissionPolicy(p *admissionregistration.MutatingAdmissionPolicy) field.ErrorList {
-	return validateMutatingAdmissionPolicy(p, validationOptions{ignoreMatchConditions: false, strictCostEnforcement: true})
+	return validateMutatingAdmissionPolicy(p, validationOptions{ignoreMatchConditions: false})
 }
 
 func validateMutatingAdmissionPolicy(p *admissionregistration.MutatingAdmissionPolicy, opts validationOptions) field.ErrorList {
@@ -1403,7 +1372,7 @@ func validateMutatingAdmissionPolicy(p *admissionregistration.MutatingAdmissionP
 func validateMutatingAdmissionPolicySpec(meta metav1.ObjectMeta, spec *admissionregistration.MutatingAdmissionPolicySpec, opts validationOptions, fldPath *field.Path) field.ErrorList {
 	var allErrors field.ErrorList
 
-	compiler := createCompiler(true, true)
+	compiler := createCompiler(true)
 
 	if spec.FailurePolicy == nil {
 		allErrors = append(allErrors, field.Required(fldPath.Child("failurePolicy"), ""))
@@ -1496,7 +1465,7 @@ func validateApplyConfiguration(compiler plugincel.Compiler, applyConfig *admiss
 		accessor := &patch.ApplyConfigurationCondition{
 			Expression: trimmedExpression,
 		}
-		opts := plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true, StrictCost: true, HasPatchTypes: true}
+		opts := plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true, HasPatchTypes: true}
 		result := compiler.CompileCELExpression(accessor, opts, envType)
 
 		if result.Error != nil {
@@ -1519,7 +1488,7 @@ func validateJSONPatch(compiler plugincel.Compiler, jsonPatch *admissionregistra
 		accessor := &patch.JSONPatchCondition{
 			Expression: trimmedExpression,
 		}
-		opts := plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true, StrictCost: true, HasPatchTypes: true}
+		opts := plugincel.OptionalVariableDeclarations{HasParams: paramKind != nil, HasAuthorizer: true, HasPatchTypes: true}
 		result := compiler.CompileCELExpression(accessor, opts, envType)
 
 		if result.Error != nil {
diff --git a/pkg/apis/admissionregistration/validation/validation_test.go b/pkg/apis/admissionregistration/validation/validation_test.go
index ee4fbbc90660d..2b1211b8877af 100644
--- a/pkg/apis/admissionregistration/validation/validation_test.go
+++ b/pkg/apis/admissionregistration/validation/validation_test.go
@@ -29,8 +29,6 @@ import (
 	plugincel "k8s.io/apiserver/pkg/admission/plugin/cel"
 	"k8s.io/apiserver/pkg/cel/environment"
 	"k8s.io/apiserver/pkg/cel/library"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/apis/admissionregistration"
 	"k8s.io/utils/ptr"
 )
@@ -3409,9 +3407,8 @@ func TestValidateValidatingAdmissionPolicyUpdate(t *testing.T) {
 		},
 		// TODO: CustomAuditAnnotations: string valueExpression with {oldObject} is allowed
 	}
-	strictCost := utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP)
 	// Include the test library, which includes the test() function in the storage environment during test
-	base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), strictCost)
+	base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	extended, err := base.Extend(environment.VersionedOptions{
 		IntroducedVersion: version.MustParseGeneric("1.999"),
 		EnvOptions:        []cel.EnvOption{library.Test()},
@@ -3419,19 +3416,11 @@ func TestValidateValidatingAdmissionPolicyUpdate(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if strictCost {
-		originalCompiler := getStrictStatelessCELCompiler()
-		lazyStrictStatelessCELCompiler = plugincel.NewCompiler(extended)
-		defer func() {
-			lazyStrictStatelessCELCompiler = originalCompiler
-		}()
-	} else {
-		originalCompiler := getNonStrictStatelessCELCompiler()
-		lazyNonStrictStatelessCELCompiler = plugincel.NewCompiler(extended)
-		defer func() {
-			lazyNonStrictStatelessCELCompiler = originalCompiler
-		}()
-	}
+	originalCompiler := getStrictStatelessCELCompiler()
+	lazyStrictStatelessCELCompiler = plugincel.NewCompiler(extended)
+	defer func() {
+		lazyStrictStatelessCELCompiler = originalCompiler
+	}()
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
diff --git a/pkg/apis/apps/fuzzer/fuzzer.go b/pkg/apis/apps/fuzzer/fuzzer.go
index 1e5aa0a344ba1..70c058f3f4021 100644
--- a/pkg/apis/apps/fuzzer/fuzzer.go
+++ b/pkg/apis/apps/fuzzer/fuzzer.go
@@ -26,6 +26,7 @@ import (
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/kubernetes/pkg/apis/apps"
+	"k8s.io/utils/ptr"
 )
 
 // Funcs returns the fuzzer functions for the apps api group.
@@ -71,6 +72,9 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 			if len(s.Labels) == 0 {
 				s.Labels = s.Spec.Template.Labels
 			}
+			if s.Spec.UpdateStrategy.RollingUpdate != nil && s.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable == nil {
+				s.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable = ptr.To(intstr.FromInt32(1))
+			}
 		},
 		func(j *apps.Deployment, c randfill.Continue) {
 			c.FillNoCustom(j)
diff --git a/pkg/apis/apps/types.go b/pkg/apis/apps/types.go
index 7e4bf6d49bd63..b8d8a1e8648fc 100644
--- a/pkg/apis/apps/types.go
+++ b/pkg/apis/apps/types.go
@@ -101,10 +101,12 @@ type RollingUpdateStatefulSetStrategy struct {
 	// The maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding up. This can not be 0.
-	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
 	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
 	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+	//
+	// +featureGate=MaxUnavailableStatefulSet
 	// +optional
 	MaxUnavailable *intstr.IntOrString
 }
@@ -229,9 +231,12 @@ type StatefulSetSpec struct {
 	// +optional
 	MinReadySeconds int32
 
-	// PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-	// the StatefulSet VolumeClaimTemplates. This requires the
-	// StatefulSetAutoDeletePVC feature gate to be enabled, which is beta and default on from 1.27.
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	// +optional
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicy
 
@@ -533,7 +538,7 @@ type DeploymentStatus struct {
 	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
 	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32
 
@@ -892,7 +897,7 @@ type ReplicaSetStatus struct {
 	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
 	// and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32
 
diff --git a/pkg/apis/apps/v1/defaults.go b/pkg/apis/apps/v1/defaults.go
index 2179d0238443b..b52fa0a28f636 100644
--- a/pkg/apis/apps/v1/defaults.go
+++ b/pkg/apis/apps/v1/defaults.go
@@ -124,16 +124,14 @@ func SetDefaults_StatefulSet(obj *appsv1.StatefulSet) {
 		}
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{}
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1.RetainPersistentVolumeClaimRetentionPolicyType
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1.RetainPersistentVolumeClaimRetentionPolicyType
-		}
+	if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{}
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1.RetainPersistentVolumeClaimRetentionPolicyType
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1.RetainPersistentVolumeClaimRetentionPolicyType
 	}
 
 	if obj.Spec.Replicas == nil {
diff --git a/pkg/apis/apps/v1/defaults_test.go b/pkg/apis/apps/v1/defaults_test.go
index 1b5c6cdc27e10..73935213e6141 100644
--- a/pkg/apis/apps/v1/defaults_test.go
+++ b/pkg/apis/apps/v1/defaults_test.go
@@ -27,7 +27,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -201,7 +200,6 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 		original                   *appsv1.StatefulSet
 		expected                   *appsv1.StatefulSet
 		enableMaxUnavailablePolicy bool
-		disablePVCDeletionPolicy   bool
 	}{
 		{
 			name: "labels and default update strategy",
@@ -594,76 +592,11 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 			},
 			enableMaxUnavailablePolicy: true,
 		},
-		{
-			name: "PVCDeletionPolicy disabled",
-			original: &appsv1.StatefulSet{
-				Spec: appsv1.StatefulSetSpec{
-					Template: defaultTemplate,
-				},
-			},
-			expected: &appsv1.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1.StatefulSetSpec{
-					Replicas:            &defaultReplicas,
-					MinReadySeconds:     int32(0),
-					Template:            defaultTemplate,
-					PodManagementPolicy: appsv1.OrderedReadyPodManagement,
-					UpdateStrategy: appsv1.StatefulSetUpdateStrategy{
-						Type: appsv1.RollingUpdateStatefulSetStrategyType,
-						RollingUpdate: &appsv1.RollingUpdateStatefulSetStrategy{
-							Partition: &defaultPartition,
-						},
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
-		{
-			name: "PVCDeletionPolicy disabled, scaledown set",
-			original: &appsv1.StatefulSet{
-				Spec: appsv1.StatefulSetSpec{
-					Template: defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-				},
-			},
-			expected: &appsv1.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1.StatefulSetSpec{
-					Replicas:        &defaultReplicas,
-					MinReadySeconds: int32(0),
-					Template:        defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-					PodManagementPolicy: appsv1.OrderedReadyPodManagement,
-					UpdateStrategy: appsv1.StatefulSetUpdateStrategy{
-						Type: appsv1.RollingUpdateStatefulSetStrategyType,
-						RollingUpdate: &appsv1.RollingUpdateStatefulSetStrategy{
-							Partition: &defaultPartition,
-						},
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
 	}
 
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			if test.disablePVCDeletionPolicy {
-				// TODO: this will be removed in 1.35
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
-			}
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MaxUnavailableStatefulSet, test.enableMaxUnavailablePolicy)
 
 			obj2 := roundTrip(t, runtime.Object(test.original))
diff --git a/pkg/apis/apps/v1beta1/defaults.go b/pkg/apis/apps/v1beta1/defaults.go
index 0c5e18a73a07b..46db30b6a3d7d 100644
--- a/pkg/apis/apps/v1beta1/defaults.go
+++ b/pkg/apis/apps/v1beta1/defaults.go
@@ -50,16 +50,14 @@ func SetDefaults_StatefulSet(obj *appsv1beta1.StatefulSet) {
 		}
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{}
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1beta1.RetainPersistentVolumeClaimRetentionPolicyType
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1beta1.RetainPersistentVolumeClaimRetentionPolicyType
-		}
+	if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{}
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1beta1.RetainPersistentVolumeClaimRetentionPolicyType
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1beta1.RetainPersistentVolumeClaimRetentionPolicyType
 	}
 
 	if obj.Spec.Replicas == nil {
diff --git a/pkg/apis/apps/v1beta1/defaults_test.go b/pkg/apis/apps/v1beta1/defaults_test.go
index d9019f8adcc8f..245d81aa2a827 100644
--- a/pkg/apis/apps/v1beta1/defaults_test.go
+++ b/pkg/apis/apps/v1beta1/defaults_test.go
@@ -27,7 +27,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -226,7 +225,6 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 		original                   *appsv1beta1.StatefulSet
 		expected                   *appsv1beta1.StatefulSet
 		enableMaxUnavailablePolicy bool
-		disablePVCDeletionPolicy   bool
 	}{
 		{
 			name: "labels and default update strategy",
@@ -491,80 +489,11 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 			},
 			enableMaxUnavailablePolicy: true,
 		},
-		{
-			name: "PVCDeletionPolicy disabled",
-			original: &appsv1beta1.StatefulSet{
-				Spec: appsv1beta1.StatefulSetSpec{
-					Template: defaultTemplate,
-				},
-			},
-			expected: &appsv1beta1.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1beta1.StatefulSetSpec{
-					Replicas:            &defaultReplicas,
-					MinReadySeconds:     int32(0),
-					Template:            defaultTemplate,
-					PodManagementPolicy: appsv1beta1.OrderedReadyPodManagement,
-					Selector: &metav1.LabelSelector{
-						MatchLabels:      map[string]string{"foo": "bar"},
-						MatchExpressions: []metav1.LabelSelectorRequirement{},
-					},
-					UpdateStrategy: appsv1beta1.StatefulSetUpdateStrategy{
-						Type:          appsv1beta1.OnDeleteStatefulSetStrategyType,
-						RollingUpdate: nil,
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
-		{
-			name: "PVCDeletionPolicy disabled, scaledown set",
-			original: &appsv1beta1.StatefulSet{
-				Spec: appsv1beta1.StatefulSetSpec{
-					Template: defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1beta1.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-				},
-			},
-			expected: &appsv1beta1.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1beta1.StatefulSetSpec{
-					Replicas:        &defaultReplicas,
-					MinReadySeconds: int32(0),
-					Template:        defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1beta1.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-					PodManagementPolicy: appsv1beta1.OrderedReadyPodManagement,
-					Selector: &metav1.LabelSelector{
-						MatchLabels:      map[string]string{"foo": "bar"},
-						MatchExpressions: []metav1.LabelSelectorRequirement{},
-					},
-					UpdateStrategy: appsv1beta1.StatefulSetUpdateStrategy{
-						Type:          appsv1beta1.OnDeleteStatefulSetStrategyType,
-						RollingUpdate: nil,
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
 	}
 
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			if test.disablePVCDeletionPolicy {
-				// TODO: this will be removed in 1.35
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
-			}
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MaxUnavailableStatefulSet, test.enableMaxUnavailablePolicy)
 			obj2 := roundTrip(t, runtime.Object(test.original))
 			got, ok := obj2.(*appsv1beta1.StatefulSet)
diff --git a/pkg/apis/apps/v1beta1/zz_generated.validations.go b/pkg/apis/apps/v1beta1/zz_generated.validations.go
index d3e13a4f9d9e5..cc6f631c8e2a8 100644
--- a/pkg/apis/apps/v1beta1/zz_generated.validations.go
+++ b/pkg/apis/apps/v1beta1/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type Scale
 	scheme.AddValidationFunc((*appsv1beta1.Scale)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/scale":
@@ -48,32 +49,43 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_Scale validates an instance of Scale according
+// to declarative validation rules in the API schema.
 func Validate_Scale(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *appsv1beta1.Scale) (errs field.ErrorList) {
 	// field appsv1beta1.Scale.TypeMeta has no validation
 	// field appsv1beta1.Scale.ObjectMeta has no validation
 
 	// field appsv1beta1.Scale.Spec
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *appsv1beta1.ScaleSpec) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *appsv1beta1.ScaleSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ScaleSpec(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *appsv1beta1.Scale) *appsv1beta1.ScaleSpec { return &oldObj.Spec }))...)
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *appsv1beta1.Scale) *appsv1beta1.ScaleSpec { return &oldObj.Spec }), oldObj != nil)...)
 
 	// field appsv1beta1.Scale.Status has no validation
 	return errs
 }
 
+// Validate_ScaleSpec validates an instance of ScaleSpec according
+// to declarative validation rules in the API schema.
 func Validate_ScaleSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *appsv1beta1.ScaleSpec) (errs field.ErrorList) {
 	// field appsv1beta1.ScaleSpec.Replicas
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *appsv1beta1.ScaleSpec) *int32 { return &oldObj.Replicas }))...)
+		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *appsv1beta1.ScaleSpec) *int32 { return &oldObj.Replicas }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/pkg/apis/apps/v1beta2/defaults.go b/pkg/apis/apps/v1beta2/defaults.go
index 1ed7190fb8c13..d1598d9f7aeba 100644
--- a/pkg/apis/apps/v1beta2/defaults.go
+++ b/pkg/apis/apps/v1beta2/defaults.go
@@ -81,16 +81,14 @@ func SetDefaults_StatefulSet(obj *appsv1beta2.StatefulSet) {
 		}
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{}
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1beta2.RetainPersistentVolumeClaimRetentionPolicyType
-		}
-		if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
-			obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1beta2.RetainPersistentVolumeClaimRetentionPolicyType
-		}
+	if obj.Spec.PersistentVolumeClaimRetentionPolicy == nil {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy = &appsv1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{}
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = appsv1beta2.RetainPersistentVolumeClaimRetentionPolicyType
+	}
+	if len(obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled) == 0 {
+		obj.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = appsv1beta2.RetainPersistentVolumeClaimRetentionPolicyType
 	}
 
 	if obj.Spec.Replicas == nil {
diff --git a/pkg/apis/apps/v1beta2/defaults_test.go b/pkg/apis/apps/v1beta2/defaults_test.go
index 43ac5c518bc33..6cfc54c8e9ba5 100644
--- a/pkg/apis/apps/v1beta2/defaults_test.go
+++ b/pkg/apis/apps/v1beta2/defaults_test.go
@@ -27,7 +27,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -201,7 +200,6 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 		original                   *appsv1beta2.StatefulSet
 		expected                   *appsv1beta2.StatefulSet
 		enableMaxUnavailablePolicy bool
-		disablePVCDeletionPolicy   bool
 	}{
 		{
 			name: "labels and default update strategy",
@@ -466,76 +464,11 @@ func TestSetDefaultStatefulSet(t *testing.T) {
 			},
 			enableMaxUnavailablePolicy: true,
 		},
-		{
-			name: "PVCDeletionPolicy disabled",
-			original: &appsv1beta2.StatefulSet{
-				Spec: appsv1beta2.StatefulSetSpec{
-					Template: defaultTemplate,
-				},
-			},
-			expected: &appsv1beta2.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1beta2.StatefulSetSpec{
-					Replicas:            &defaultReplicas,
-					MinReadySeconds:     int32(0),
-					Template:            defaultTemplate,
-					PodManagementPolicy: appsv1beta2.OrderedReadyPodManagement,
-					UpdateStrategy: appsv1beta2.StatefulSetUpdateStrategy{
-						Type: appsv1beta2.RollingUpdateStatefulSetStrategyType,
-						RollingUpdate: &appsv1beta2.RollingUpdateStatefulSetStrategy{
-							Partition: &defaultPartition,
-						},
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
-		{
-			name: "PVCDeletionPolicy disabled, scaledown set",
-			original: &appsv1beta2.StatefulSet{
-				Spec: appsv1beta2.StatefulSetSpec{
-					Template: defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1beta2.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-				},
-			},
-			expected: &appsv1beta2.StatefulSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: defaultLabels,
-				},
-				Spec: appsv1beta2.StatefulSetSpec{
-					Replicas:        &defaultReplicas,
-					MinReadySeconds: int32(0),
-					Template:        defaultTemplate,
-					PersistentVolumeClaimRetentionPolicy: &appsv1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{
-						WhenScaled: appsv1beta2.DeletePersistentVolumeClaimRetentionPolicyType,
-					},
-					PodManagementPolicy: appsv1beta2.OrderedReadyPodManagement,
-					UpdateStrategy: appsv1beta2.StatefulSetUpdateStrategy{
-						Type: appsv1beta2.RollingUpdateStatefulSetStrategyType,
-						RollingUpdate: &appsv1beta2.RollingUpdateStatefulSetStrategy{
-							Partition: &defaultPartition,
-						},
-					},
-					RevisionHistoryLimit: ptr.To[int32](10),
-				},
-			},
-			disablePVCDeletionPolicy: true,
-		},
 	}
 
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
-			if test.disablePVCDeletionPolicy {
-				// TODO: this will be removed in 1.35
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
-			}
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MaxUnavailableStatefulSet, test.enableMaxUnavailablePolicy)
 			obj2 := roundTrip(t, runtime.Object(test.original))
 			got, ok := obj2.(*appsv1beta2.StatefulSet)
diff --git a/pkg/apis/apps/v1beta2/zz_generated.validations.go b/pkg/apis/apps/v1beta2/zz_generated.validations.go
index 3c16d10b67441..0499add423c40 100644
--- a/pkg/apis/apps/v1beta2/zz_generated.validations.go
+++ b/pkg/apis/apps/v1beta2/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type Scale
 	scheme.AddValidationFunc((*appsv1beta2.Scale)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/scale":
@@ -48,32 +49,43 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_Scale validates an instance of Scale according
+// to declarative validation rules in the API schema.
 func Validate_Scale(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *appsv1beta2.Scale) (errs field.ErrorList) {
 	// field appsv1beta2.Scale.TypeMeta has no validation
 	// field appsv1beta2.Scale.ObjectMeta has no validation
 
 	// field appsv1beta2.Scale.Spec
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *appsv1beta2.ScaleSpec) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *appsv1beta2.ScaleSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ScaleSpec(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *appsv1beta2.Scale) *appsv1beta2.ScaleSpec { return &oldObj.Spec }))...)
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *appsv1beta2.Scale) *appsv1beta2.ScaleSpec { return &oldObj.Spec }), oldObj != nil)...)
 
 	// field appsv1beta2.Scale.Status has no validation
 	return errs
 }
 
+// Validate_ScaleSpec validates an instance of ScaleSpec according
+// to declarative validation rules in the API schema.
 func Validate_ScaleSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *appsv1beta2.ScaleSpec) (errs field.ErrorList) {
 	// field appsv1beta2.ScaleSpec.Replicas
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *appsv1beta2.ScaleSpec) *int32 { return &oldObj.Replicas }))...)
+		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *appsv1beta2.ScaleSpec) *int32 { return &oldObj.Replicas }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/pkg/apis/autoscaling/types.go b/pkg/apis/autoscaling/types.go
index db9ac44083b04..b8802a992b2af 100644
--- a/pkg/apis/autoscaling/types.go
+++ b/pkg/apis/autoscaling/types.go
@@ -149,7 +149,7 @@ const (
 //
 // The tolerance is applied to the metric values and prevents scaling too
 // eagerly for small metric variations. (Note that setting a tolerance requires
-// enabling the alpha HPAConfigurableTolerance feature gate.)
+// the beta HPAConfigurableTolerance feature gate to be enabled.)
 type HPAScalingRules struct {
 	// StabilizationWindowSeconds is the number of seconds for which past recommendations should be
 	// considered while scaling up or scaling down.
@@ -178,8 +178,8 @@ type HPAScalingRules struct {
 	// and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
 	// triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
 	//
-	// This is an alpha field and requires enabling the HPAConfigurableTolerance
-	// feature gate.
+	// This is an beta field and requires the HPAConfigurableTolerance feature
+	// gate to be enabled.
 	//
 	// +featureGate=HPAConfigurableTolerance
 	// +optional
diff --git a/pkg/apis/autoscaling/v1/zz_generated.validations.go b/pkg/apis/autoscaling/v1/zz_generated.validations.go
index 1c71f7f80e537..cfb0a3cd4b3c3 100644
--- a/pkg/apis/autoscaling/v1/zz_generated.validations.go
+++ b/pkg/apis/autoscaling/v1/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type Scale
 	scheme.AddValidationFunc((*autoscalingv1.Scale)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/scale":
@@ -48,32 +49,43 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_Scale validates an instance of Scale according
+// to declarative validation rules in the API schema.
 func Validate_Scale(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *autoscalingv1.Scale) (errs field.ErrorList) {
 	// field autoscalingv1.Scale.TypeMeta has no validation
 	// field autoscalingv1.Scale.ObjectMeta has no validation
 
 	// field autoscalingv1.Scale.Spec
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *autoscalingv1.ScaleSpec) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *autoscalingv1.ScaleSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ScaleSpec(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *autoscalingv1.Scale) *autoscalingv1.ScaleSpec { return &oldObj.Spec }))...)
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *autoscalingv1.Scale) *autoscalingv1.ScaleSpec { return &oldObj.Spec }), oldObj != nil)...)
 
 	// field autoscalingv1.Scale.Status has no validation
 	return errs
 }
 
+// Validate_ScaleSpec validates an instance of ScaleSpec according
+// to declarative validation rules in the API schema.
 func Validate_ScaleSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *autoscalingv1.ScaleSpec) (errs field.ErrorList) {
 	// field autoscalingv1.ScaleSpec.Replicas
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *autoscalingv1.ScaleSpec) *int32 { return &oldObj.Replicas }))...)
+		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *autoscalingv1.ScaleSpec) *int32 { return &oldObj.Replicas }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/pkg/apis/autoscaling/validation/declarative_validation_test.go b/pkg/apis/autoscaling/validation/declarative_validation_test.go
index 1e46787be2512..514bb9c70397b 100644
--- a/pkg/apis/autoscaling/validation/declarative_validation_test.go
+++ b/pkg/apis/autoscaling/validation/declarative_validation_test.go
@@ -17,27 +17,27 @@ limitations under the License.
 package validation
 
 import (
-	"fmt"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
-	"k8s.io/apiserver/pkg/registry/rest"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
-	"k8s.io/kubernetes/pkg/features"
 )
 
-func TestValidateScaleForDeclarative(t *testing.T) {
+// TestScaleDeclarativeValidation verifies that the validation rules that are applied uniformly to the Scale API.
+func TestScaleDeclarativeValidation(t *testing.T) {
+	apiGroup := "autoscaling"
+	apiVersion := "v1"
 	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
-		APIGroup:    "autoscaling",
-		APIVersion:  "v1",
+		APIGroup:    apiGroup,
+		APIVersion:  apiVersion,
 		Subresource: "scale",
 	})
+
 	testCases := map[string]struct {
 		input        autoscaling.Scale
 		expectedErrs field.ErrorList
@@ -58,37 +58,15 @@ func TestValidateScaleForDeclarative(t *testing.T) {
 	}
 	for k, tc := range testCases {
 		t.Run(k, func(t *testing.T) {
-			var declarativeTakeoverErrs field.ErrorList
-			var imperativeErrs field.ErrorList
-			for _, gateVal := range []bool{true, false} {
-				t.Run(fmt.Sprintf("gates=%v", gateVal), func(t *testing.T) {
-					// We only need to test both gate enabled and disabled together, because
-					// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
-					// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
-
-					errs := rest.ValidateDeclaratively(ctx, legacyscheme.Scheme, &tc.input)
-					if gateVal {
-						declarativeTakeoverErrs = errs
-					} else {
-						imperativeErrs = errs
-					}
-					// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
-					errOutputMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-					if len(tc.expectedErrs) > 0 {
-						errOutputMatcher.Test(t, tc.expectedErrs, errs)
-					} else if len(errs) != 0 {
-						t.Errorf("expected no errors, but got: %v", errs)
-					}
-				})
-			}
-			// The equivalenceMatcher is used to verify the output errors from handwritten imperative validation
-			// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
-			equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-			equivalenceMatcher.Test(t, imperativeErrs, declarativeTakeoverErrs)
+			// The Scale API has no handwritten validation to compare against. So we simply test that all the versions
+			// of the Scale subresource are correct for our test cases.
+			// All resources that have a scale subresource are expected to test Scale validation against any handwritten
+			// validation code defined on that resource.
+			tester := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
+			obj, _ := legacyscheme.Scheme.ConvertToVersion(&tc.input, schema.GroupVersion{Group: apiGroup, Version: apiVersion})
+			tester.Test(t, tc.expectedErrs, legacyscheme.Scheme.Validate(ctx, nil, obj, "scale"))
 
-			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil, "scale")
+			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil, apitesting.WithSubResources("scale"))
 		})
 	}
 }
diff --git a/pkg/apis/autoscaling/validation/validation.go b/pkg/apis/autoscaling/validation/validation.go
index 2b34e46f32f76..524212f53a105 100644
--- a/pkg/apis/autoscaling/validation/validation.go
+++ b/pkg/apis/autoscaling/validation/validation.go
@@ -50,7 +50,7 @@ func ValidateScale(scale *autoscaling.Scale) field.ErrorList {
 
 // ValidateHorizontalPodAutoscalerName can be used to check whether the given autoscaler name is valid.
 // Prefix indicates this name will be used as part of generation, in which case trailing dashes are allowed.
-var ValidateHorizontalPodAutoscalerName = apivalidation.ValidateReplicationControllerName
+var ValidateHorizontalPodAutoscalerName = apimachineryvalidation.NameIsDNSSubdomain
 
 func validateHorizontalPodAutoscalerSpec(autoscaler autoscaling.HorizontalPodAutoscalerSpec, fldPath *field.Path, opts HorizontalPodAutoscalerSpecValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
diff --git a/pkg/apis/batch/types.go b/pkg/apis/batch/types.go
index 7350bc7c1728d..5fb3d8f82339f 100644
--- a/pkg/apis/batch/types.go
+++ b/pkg/apis/batch/types.go
@@ -212,6 +212,7 @@ type PodFailurePolicyOnPodConditionsPattern struct {
 	// Specifies the required Pod condition status. To match a pod condition
 	// it is required that the specified status equals the pod condition status.
 	// Defaults to True.
+	// +optional
 	Status api.ConditionStatus
 }
 
@@ -466,9 +467,6 @@ type JobSpec struct {
 	// by RFC 1123. All characters trailing the first "/" must be valid HTTP Path
 	// characters as defined by RFC 3986. The value cannot exceed 63 characters.
 	// This field is immutable.
-	//
-	// This field is beta-level. The job controller accepts setting the field
-	// when the feature gate JobManagedBy is enabled (enabled by default).
 	// +optional
 	ManagedBy *string
 }
diff --git a/pkg/apis/batch/validation/validation.go b/pkg/apis/batch/validation/validation.go
index 17ffbbe4b4b4a..6e7e093145531 100644
--- a/pkg/apis/batch/validation/validation.go
+++ b/pkg/apis/batch/validation/validation.go
@@ -23,9 +23,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/robfig/cron/v3"
-
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apimachineryapivalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/labels"
@@ -36,6 +35,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/batch"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
+	"k8s.io/kubernetes/pkg/util/parsers"
 	"k8s.io/utils/ptr"
 )
 
@@ -150,7 +150,7 @@ func validateGeneratedSelector(obj *batch.Job, validateBatchLabels bool) field.E
 // ValidateJob validates a Job and returns an ErrorList with any errors.
 func ValidateJob(job *batch.Job, opts JobValidationOptions) field.ErrorList {
 	// Jobs and rcs have the same name validation
-	allErrs := apivalidation.ValidateObjectMeta(&job.ObjectMeta, true, apivalidation.ValidateReplicationControllerName, field.NewPath("metadata"))
+	allErrs := apivalidation.ValidateObjectMeta(&job.ObjectMeta, true, apimachineryapivalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
 	allErrs = append(allErrs, validateGeneratedSelector(job, opts.RequirePrefixedLabels)...)
 	allErrs = append(allErrs, ValidateJobSpec(&job.Spec, field.NewPath("spec"), opts.PodValidationOptions)...)
 	if job.Spec.CompletionMode != nil && *job.Spec.CompletionMode == batch.IndexedCompletion && job.Spec.Completions != nil && *job.Spec.Completions > 0 {
@@ -660,7 +660,49 @@ func validatePodTemplateUpdate(spec, oldSpec batch.JobSpec, fldPath *field.Path,
 		oldTemplate.Labels = template.Labels                             // +k8s:verify-mutation:reason=clone
 		oldTemplate.Spec.SchedulingGates = template.Spec.SchedulingGates // +k8s:verify-mutation:reason=clone
 	}
-	allErrs = append(allErrs, apivalidation.ValidateImmutableField(template, oldTemplate, fldPath.Child("template"))...)
+	suspended := oldSpec.Suspend != nil && *oldSpec.Suspend
+	if !suspended {
+		// if the job isn't suspended, then we cannot allow any mutation of the template
+		allErrs = append(allErrs, apivalidation.ValidateImmutableField(template, oldTemplate, fldPath.Child("template"))...)
+	} else {
+		if !opts.AllowMutablePodResources {
+			allErrs = append(allErrs, apivalidation.ValidateImmutableField(template, oldTemplate, fldPath.Child("template"))...)
+		} else {
+			// Only allow container resource updates when AllowMutablePodResources is true
+			allErrs = append(allErrs, validatePodResourceUpdatesOnly(template.Spec, oldTemplate.Spec, fldPath.Child("template.spec"))...)
+		}
+	}
+	return allErrs
+}
+
+// validatePodResourceUpdatesOnly will validate that only container resources are updated.
+func validatePodResourceUpdatesOnly(newPod api.PodSpec, oldPod api.PodSpec, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	// Create a deep copy of the old pod spec to modify
+	oldPodCopy := oldPod.DeepCopy()
+	// Update container resources in the copy to match the new pod spec
+	if len(newPod.Containers) == len(oldPodCopy.Containers) {
+		for i := range newPod.Containers {
+			if oldPodCopy.Containers[i].Name == newPod.Containers[i].Name {
+				oldPodCopy.Containers[i].Resources = newPod.Containers[i].Resources // +k8s:verify-mutation:reason=clone
+			}
+		}
+	}
+
+	// Update init container resources in the copy to match the new pod spec
+	if len(newPod.InitContainers) == len(oldPodCopy.InitContainers) {
+		for i := range newPod.InitContainers {
+			if oldPodCopy.InitContainers[i].Name == newPod.InitContainers[i].Name {
+				oldPodCopy.InitContainers[i].Resources = newPod.InitContainers[i].Resources // +k8s:verify-mutation:reason=clone
+			}
+		}
+	}
+
+	// Validate that the modified copy is identical to the new pod spec
+	// This ensures only container resources were changed
+	allErrs = append(allErrs, apivalidation.ValidateImmutableField(newPod, *oldPodCopy, fldPath)...)
+
 	return allErrs
 }
 
@@ -714,7 +756,7 @@ func ValidateJobStatusUpdate(job, oldJob *batch.Job, opts JobStatusValidationOpt
 // ValidateCronJobCreate validates a CronJob on creation and returns an ErrorList with any errors.
 func ValidateCronJobCreate(cronJob *batch.CronJob, opts apivalidation.PodValidationOptions) field.ErrorList {
 	// CronJobs and rcs have the same name validation
-	allErrs := apivalidation.ValidateObjectMeta(&cronJob.ObjectMeta, true, apivalidation.ValidateReplicationControllerName, field.NewPath("metadata"))
+	allErrs := apivalidation.ValidateObjectMeta(&cronJob.ObjectMeta, true, apimachineryapivalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
 	allErrs = append(allErrs, validateCronJobSpec(&cronJob.Spec, nil, field.NewPath("spec"), opts)...)
 	if len(cronJob.ObjectMeta.Name) > apimachineryvalidation.DNS1035LabelMaxLength-11 {
 		// The cronjob controller appends a 11-character suffix to the cronjob (`-$TIMESTAMP`) when
@@ -790,7 +832,8 @@ func validateConcurrencyPolicy(concurrencyPolicy *batch.ConcurrencyPolicy, fldPa
 
 func validateScheduleFormat(schedule string, allowTZInSchedule bool, timeZone *string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
-	if _, err := cron.ParseStandard(schedule); err != nil {
+
+	if _, err := parsers.ParseCronScheduleWithPanicRecovery(schedule); err != nil {
 		allErrs = append(allErrs, field.Invalid(fldPath, schedule, err.Error()))
 	}
 	switch {
@@ -1022,6 +1065,8 @@ type JobValidationOptions struct {
 	AllowMutableSchedulingDirectives bool
 	// Require Job to have the label on batch.kubernetes.io/job-name and batch.kubernetes.io/controller-uid
 	RequirePrefixedLabels bool
+	// Allow mutable pod resources
+	AllowMutablePodResources bool
 }
 
 type JobStatusValidationOptions struct {
diff --git a/pkg/apis/batch/validation/validation_test.go b/pkg/apis/batch/validation/validation_test.go
index 2e30d0e1998fa..3bf0791852db1 100644
--- a/pkg/apis/batch/validation/validation_test.go
+++ b/pkg/apis/batch/validation/validation_test.go
@@ -18,15 +18,15 @@ package validation
 
 import (
 	"errors"
-	_ "time/tzdata"
-
 	"fmt"
 	"strings"
 	"testing"
+	_ "time/tzdata"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -2243,6 +2243,326 @@ func TestValidateJobUpdate(t *testing.T) {
 				job.Spec.Parallelism = ptr.To[int32](3)
 			},
 		},
+		"allow container resource updates only": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+					Suspend:  ptr.To(true),
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("200m"),
+						api.ResourceMemory: resource.MustParse("256Mi"),
+					},
+					Limits: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("500m"),
+						api.ResourceMemory: resource.MustParse("512Mi"),
+					},
+				}
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+		},
+		"reject container resource updates only with feature gate off": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+					Suspend:  ptr.To(true),
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("200m"),
+						api.ResourceMemory: resource.MustParse("256Mi"),
+					},
+					Limits: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("500m"),
+						api.ResourceMemory: resource.MustParse("512Mi"),
+					},
+				}
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: false,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template",
+			},
+		},
+		"allow init container resource updates only": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: func() api.PodTemplateSpec {
+						template := getValidPodTemplateSpecForGenerated(validGeneratedSelector)
+						template.Spec.InitContainers = []api.Container{
+							podtest.MakeContainer("init-container", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+						}
+						return template
+					}(),
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.InitContainers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("200m"),
+						api.ResourceMemory: resource.MustParse("128Mi"),
+					},
+					Limits: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("400m"),
+						api.ResourceMemory: resource.MustParse("256Mi"),
+					},
+				}
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+		},
+		"allow both container and init container resource updates": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: func() api.PodTemplateSpec {
+						template := getValidPodTemplateSpecForGenerated(validGeneratedSelector)
+						template.Spec.InitContainers = []api.Container{
+							podtest.MakeContainer("init-container", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+						}
+						return template
+					}(),
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("200m"),
+						api.ResourceMemory: resource.MustParse("256Mi"),
+					},
+				}
+				job.Spec.Template.Spec.InitContainers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("150m"),
+						api.ResourceMemory: resource.MustParse("128Mi"),
+					},
+				}
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+		},
+		"reject container resource update with other field changes": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+				},
+			},
+			update: func(job *batch.Job) {
+				// Update container resources
+				job.Spec.Template.Spec.Containers[0].Resources = api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("200m"),
+						api.ResourceMemory: resource.MustParse("256Mi"),
+					},
+				}
+				// Also update another field (should cause validation failure)
+				job.Spec.Template.Spec.Containers[0].Image = "nginx:latest"
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
+		"reject non-resource field updates when AllowMutablePodResources is true": {
+			old: batch.Job{
+
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+				},
+			},
+			update: func(job *batch.Job) {
+				// Update only a non-resource field
+				job.Spec.Template.Spec.Containers[0].Image = "nginx:latest"
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
+		"reject pod spec changes when container count differs": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+				},
+			},
+			update: func(job *batch.Job) {
+				// Add a new container (changes container count)
+				job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, podtest.MakeContainer("sidecar"))
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
+		"reject pod spec changes when init container count differs": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: validPodTemplateSpecForGenerated,
+				},
+			},
+			update: func(job *batch.Job) {
+				// Add an init container (changes init container count)
+				job.Spec.Template.Spec.InitContainers = []api.Container{
+					podtest.MakeContainer("init-container"),
+				}
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
+		"reject pod spec changes if update reorders init containers": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: func() api.PodTemplateSpec {
+						template := getValidPodTemplateSpecForGenerated(validGeneratedSelector)
+						template.Spec.InitContainers = []api.Container{
+							podtest.MakeContainer("init-container", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+							podtest.MakeContainer("init-container-2", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+						}
+						return template
+					}(),
+				},
+			},
+			update: func(job *batch.Job) {
+				// Reorder init container (changes init container count)
+				job.Spec.Template.Spec.InitContainers[0] = podtest.MakeContainer("init-container-2", podtest.SetContainerResources(api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("100m"),
+						api.ResourceMemory: resource.MustParse("64Mi"),
+					},
+				}))
+				job.Spec.Template.Spec.InitContainers[1] = podtest.MakeContainer("init-container", podtest.SetContainerResources(api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("100m"),
+						api.ResourceMemory: resource.MustParse("64Mi"),
+					},
+				}))
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
+		"reject pod spec changes if update reorders containers": {
+			old: batch.Job{
+				ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
+				Spec: batch.JobSpec{
+					Suspend:  ptr.To(true),
+					Selector: validGeneratedSelector,
+					Template: func() api.PodTemplateSpec {
+						template := getValidPodTemplateSpecForGenerated(validGeneratedSelector)
+						template.Spec.Containers = []api.Container{
+							podtest.MakeContainer("container", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+							podtest.MakeContainer("container-2", podtest.SetContainerResources(api.ResourceRequirements{
+								Requests: api.ResourceList{
+									api.ResourceCPU:    resource.MustParse("100m"),
+									api.ResourceMemory: resource.MustParse("64Mi"),
+								},
+							})),
+						}
+						return template
+					}(),
+				},
+			},
+			update: func(job *batch.Job) {
+				// Reorder init container (changes init container count)
+				job.Spec.Template.Spec.Containers[0] = podtest.MakeContainer("container-2", podtest.SetContainerResources(api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("100m"),
+						api.ResourceMemory: resource.MustParse("64Mi"),
+					},
+				}))
+				job.Spec.Template.Spec.Containers[1] = podtest.MakeContainer("container", podtest.SetContainerResources(api.ResourceRequirements{
+					Requests: api.ResourceList{
+						api.ResourceCPU:    resource.MustParse("100m"),
+						api.ResourceMemory: resource.MustParse("64Mi"),
+					},
+				}))
+			},
+			opts: JobValidationOptions{
+				AllowMutablePodResources: true,
+			},
+			err: &field.Error{
+				Type:  field.ErrorTypeInvalid,
+				Field: "spec.template.spec",
+			},
+		},
 	}
 	ignoreValueAndDetail := cmpopts.IgnoreFields(field.Error{}, "BadValue", "Detail")
 	for k, tc := range cases {
@@ -4002,3 +4322,132 @@ func TestValidateFailedIndexesNotOverlapCompleted(t *testing.T) {
 		})
 	}
 }
+
+// TestValidateScheduleFormatPanicRecovery tests that validateScheduleFormat
+// properly recovers from panics in cron.ParseStandard and returns validation errors
+func TestValidateScheduleFormatPanicRecovery(t *testing.T) {
+	testCases := []struct {
+		name     string
+		schedule string
+		expected string
+	}{
+		{
+			name:     "TZ=0 without space should not panic",
+			schedule: "TZ=0",
+			expected: "invalid schedule format",
+		},
+		{
+			name:     "TZ= without value should not panic",
+			schedule: "TZ=",
+			expected: "invalid schedule format",
+		},
+		{
+			name:     "CRON_TZ= without space should not panic",
+			schedule: "CRON_TZ=UTC",
+			expected: "invalid schedule format",
+		},
+		{
+			name:     "malformed timezone spec should not panic",
+			schedule: "TZ=Invalid/Timezone",
+			expected: "invalid schedule format",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// This should not panic and should return a validation error
+			errs := validateScheduleFormat(tc.schedule, false, nil, field.NewPath("spec", "schedule"))
+
+			if len(errs) == 0 {
+				t.Errorf("Expected validation error for schedule %q, but got none", tc.schedule)
+				return
+			}
+
+			// Check that the error message contains expected text
+			errMsg := errs[0].Error()
+			if !strings.Contains(errMsg, tc.expected) {
+				t.Errorf("Expected error message to contain %q, but got: %s", tc.expected, errMsg)
+			}
+
+			// Verify it's an Invalid field error
+			if errs[0].Type != field.ErrorTypeInvalid {
+				t.Errorf("Expected ErrorTypeInvalid, but got: %v", errs[0].Type)
+			}
+		})
+	}
+}
+
+// TestValidateScheduleFormatNormalCases tests normal validation cases
+// to ensure panic recovery doesn't interfere with normal operation
+func TestValidateScheduleFormatNormalCases(t *testing.T) {
+	testCases := []struct {
+		name              string
+		schedule          string
+		allowTZInSchedule bool
+		timeZone          *string
+		expectError       bool
+		expectedError     string
+	}{
+		{
+			name:              "valid schedule without timezone",
+			schedule:          "0 0 * * *",
+			allowTZInSchedule: false,
+			timeZone:          nil,
+			expectError:       false,
+		},
+		{
+			name:              "valid schedule with timezone field",
+			schedule:          "0 0 * * *",
+			allowTZInSchedule: false,
+			timeZone:          &timeZoneUTC,
+			expectError:       false,
+		},
+		{
+			name:              "TZ in schedule when not allowed",
+			schedule:          "TZ=UTC 0 0 * * *",
+			allowTZInSchedule: false,
+			timeZone:          nil,
+			expectError:       true,
+			expectedError:     "cannot use TZ or CRON_TZ in schedule",
+		},
+		{
+			name:              "TZ in schedule when allowed",
+			schedule:          "TZ=UTC 0 0 * * *",
+			allowTZInSchedule: true,
+			timeZone:          nil,
+			expectError:       false,
+		},
+		{
+			name:              "TZ in schedule with timezone field",
+			schedule:          "TZ=UTC 0 0 * * *",
+			allowTZInSchedule: true,
+			timeZone:          &timeZoneUTC,
+			expectError:       true,
+			expectedError:     "cannot use both timeZone field and TZ or CRON_TZ in schedule",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := validateScheduleFormat(tc.schedule, tc.allowTZInSchedule, tc.timeZone, field.NewPath("spec", "schedule"))
+
+			if tc.expectError {
+				if len(errs) == 0 {
+					t.Errorf("Expected validation error for schedule %q, but got none", tc.schedule)
+					return
+				}
+
+				if tc.expectedError != "" {
+					errMsg := errs[0].Error()
+					if !strings.Contains(errMsg, tc.expectedError) {
+						t.Errorf("Expected error message to contain %q, but got: %s", tc.expectedError, errMsg)
+					}
+				}
+			} else {
+				if len(errs) > 0 {
+					t.Errorf("Expected no validation errors for schedule %q, but got: %v", tc.schedule, errs)
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/apis/certificates/types.go b/pkg/apis/certificates/types.go
index 61922c20103c0..1f7e345406b64 100644
--- a/pkg/apis/certificates/types.go
+++ b/pkg/apis/certificates/types.go
@@ -375,6 +375,18 @@ type PodCertificateRequestSpec struct {
 	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the
 	// golang library crypto/ed25519.Sign).
 	ProofOfPossession []byte
+
+	// unverifiedUserAnnotations allow pod authors to pass additional information to
+	// the signer implementation. Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support. Signers should
+	// deny requests that contain keys they do not recognize.
+	UnverifiedUserAnnotations map[string]string
 }
 
 type PodCertificateRequestStatus struct {
@@ -458,6 +470,11 @@ const (
 	// UnsupportedKeyType should be set on "Denied" conditions when the signer
 	// doesn't support the key type of publicKey.
 	PodCertificateRequestConditionUnsupportedKeyType string = "UnsupportedKeyType"
+
+	// InvalidUnverifiedUserAnnotations should be set on "Denied" conditions when the signer
+	// does not recognize one of the keys passed in userConfig, or if the signer
+	// otherwise considers the userConfig of the request to be invalid.
+	PodCertificateRequestConditionInvalidUserConfig string = "InvalidUnverifiedUserAnnotations"
 )
 
 const (
diff --git a/pkg/apis/certificates/v1/zz_generated.validations.go b/pkg/apis/certificates/v1/zz_generated.validations.go
index 42a1716c4d9b0..0e462a1700dc0 100644
--- a/pkg/apis/certificates/v1/zz_generated.validations.go
+++ b/pkg/apis/certificates/v1/zz_generated.validations.go
@@ -39,6 +39,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type CertificateSigningRequest
 	scheme.AddValidationFunc((*certificatesv1.CertificateSigningRequest)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/", "/approval", "/status":
@@ -46,6 +47,7 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type CertificateSigningRequestList
 	scheme.AddValidationFunc((*certificatesv1.CertificateSigningRequestList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -56,6 +58,8 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_CertificateSigningRequest validates an instance of CertificateSigningRequest according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1.CertificateSigningRequest) (errs field.ErrorList) {
 	// field certificatesv1.CertificateSigningRequest.TypeMeta has no validation
 	// field certificatesv1.CertificateSigningRequest.ObjectMeta has no validation
@@ -63,48 +67,66 @@ func Validate_CertificateSigningRequest(ctx context.Context, op operation.Operat
 
 	// field certificatesv1.CertificateSigningRequest.Status
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *certificatesv1.CertificateSigningRequestStatus) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *certificatesv1.CertificateSigningRequestStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_CertificateSigningRequestStatus(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("status"), &obj.Status, safe.Field(oldObj, func(oldObj *certificatesv1.CertificateSigningRequest) *certificatesv1.CertificateSigningRequestStatus {
 			return &oldObj.Status
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_CertificateSigningRequestList validates an instance of CertificateSigningRequestList according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequestList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1.CertificateSigningRequestList) (errs field.ErrorList) {
 	// field certificatesv1.CertificateSigningRequestList.TypeMeta has no validation
 	// field certificatesv1.CertificateSigningRequestList.ListMeta has no validation
 
 	// field certificatesv1.CertificateSigningRequestList.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []certificatesv1.CertificateSigningRequest) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []certificatesv1.CertificateSigningRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_CertificateSigningRequest)...)
 			return
 		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *certificatesv1.CertificateSigningRequestList) []certificatesv1.CertificateSigningRequest {
 			return oldObj.Items
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1_CertificateSigningRequestStatus_Conditions_ = validate.NewUnionMembership([2]string{"Conditions[{\"type\": \"Approved\"}]", ""}, [2]string{"Conditions[{\"type\": \"Denied\"}]", ""})
+var zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1_CertificateSigningRequestStatus_conditions_ = validate.NewUnionMembership(validate.NewUnionMember("conditions[{\"type\": \"Approved\"}]"), validate.NewUnionMember("conditions[{\"type\": \"Denied\"}]"))
 
+// Validate_CertificateSigningRequestStatus validates an instance of CertificateSigningRequestStatus according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequestStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1.CertificateSigningRequestStatus) (errs field.ErrorList) {
 	// field certificatesv1.CertificateSigningRequestStatus.Conditions
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []certificatesv1.CertificateSigningRequestCondition) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []certificatesv1.CertificateSigningRequestCondition, oldValueCorrelated bool) (errs field.ErrorList) {
+			// Uniqueness validation is implemented via custom, handwritten validation
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
-			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1_CertificateSigningRequestStatus_Conditions_, func(list []certificatesv1.CertificateSigningRequestCondition) bool {
+			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1_CertificateSigningRequestStatus_conditions_, func(list []certificatesv1.CertificateSigningRequestCondition) bool {
 				for i := range list {
 					if list[i].Type == "Approved" {
 						return true
@@ -122,7 +144,7 @@ func Validate_CertificateSigningRequestStatus(ctx context.Context, op operation.
 			return
 		}(fldPath.Child("conditions"), obj.Conditions, safe.Field(oldObj, func(oldObj *certificatesv1.CertificateSigningRequestStatus) []certificatesv1.CertificateSigningRequestCondition {
 			return oldObj.Conditions
-		}))...)
+		}), oldObj != nil)...)
 
 	// field certificatesv1.CertificateSigningRequestStatus.Certificate has no validation
 	return errs
diff --git a/pkg/apis/certificates/v1alpha1/zz_generated.conversion.go b/pkg/apis/certificates/v1alpha1/zz_generated.conversion.go
index da331bf930a33..f7f490e725983 100644
--- a/pkg/apis/certificates/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/certificates/v1alpha1/zz_generated.conversion.go
@@ -25,10 +25,8 @@ import (
 	unsafe "unsafe"
 
 	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
-	types "k8s.io/apimachinery/pkg/types"
 	certificates "k8s.io/kubernetes/pkg/apis/certificates"
 )
 
@@ -69,46 +67,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*certificatesv1alpha1.PodCertificateRequest)(nil), (*certificates.PodCertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_PodCertificateRequest_To_certificates_PodCertificateRequest(a.(*certificatesv1alpha1.PodCertificateRequest), b.(*certificates.PodCertificateRequest), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequest)(nil), (*certificatesv1alpha1.PodCertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_certificates_PodCertificateRequest_To_v1alpha1_PodCertificateRequest(a.(*certificates.PodCertificateRequest), b.(*certificatesv1alpha1.PodCertificateRequest), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificatesv1alpha1.PodCertificateRequestList)(nil), (*certificates.PodCertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(a.(*certificatesv1alpha1.PodCertificateRequestList), b.(*certificates.PodCertificateRequestList), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestList)(nil), (*certificatesv1alpha1.PodCertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_certificates_PodCertificateRequestList_To_v1alpha1_PodCertificateRequestList(a.(*certificates.PodCertificateRequestList), b.(*certificatesv1alpha1.PodCertificateRequestList), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificatesv1alpha1.PodCertificateRequestSpec)(nil), (*certificates.PodCertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(a.(*certificatesv1alpha1.PodCertificateRequestSpec), b.(*certificates.PodCertificateRequestSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestSpec)(nil), (*certificatesv1alpha1.PodCertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec(a.(*certificates.PodCertificateRequestSpec), b.(*certificatesv1alpha1.PodCertificateRequestSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificatesv1alpha1.PodCertificateRequestStatus)(nil), (*certificates.PodCertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(a.(*certificatesv1alpha1.PodCertificateRequestStatus), b.(*certificates.PodCertificateRequestStatus), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestStatus)(nil), (*certificatesv1alpha1.PodCertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus(a.(*certificates.PodCertificateRequestStatus), b.(*certificatesv1alpha1.PodCertificateRequestStatus), scope)
-	}); err != nil {
-		return err
-	}
 	return nil
 }
 
@@ -181,123 +139,3 @@ func autoConvert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBun
 func Convert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(in *certificates.ClusterTrustBundleSpec, out *certificatesv1alpha1.ClusterTrustBundleSpec, s conversion.Scope) error {
 	return autoConvert_certificates_ClusterTrustBundleSpec_To_v1alpha1_ClusterTrustBundleSpec(in, out, s)
 }
-
-func autoConvert_v1alpha1_PodCertificateRequest_To_certificates_PodCertificateRequest(in *certificatesv1alpha1.PodCertificateRequest, out *certificates.PodCertificateRequest, s conversion.Scope) error {
-	out.ObjectMeta = in.ObjectMeta
-	if err := Convert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(&in.Status, &out.Status, s); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_v1alpha1_PodCertificateRequest_To_certificates_PodCertificateRequest is an autogenerated conversion function.
-func Convert_v1alpha1_PodCertificateRequest_To_certificates_PodCertificateRequest(in *certificatesv1alpha1.PodCertificateRequest, out *certificates.PodCertificateRequest, s conversion.Scope) error {
-	return autoConvert_v1alpha1_PodCertificateRequest_To_certificates_PodCertificateRequest(in, out, s)
-}
-
-func autoConvert_certificates_PodCertificateRequest_To_v1alpha1_PodCertificateRequest(in *certificates.PodCertificateRequest, out *certificatesv1alpha1.PodCertificateRequest, s conversion.Scope) error {
-	out.ObjectMeta = in.ObjectMeta
-	if err := Convert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus(&in.Status, &out.Status, s); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_certificates_PodCertificateRequest_To_v1alpha1_PodCertificateRequest is an autogenerated conversion function.
-func Convert_certificates_PodCertificateRequest_To_v1alpha1_PodCertificateRequest(in *certificates.PodCertificateRequest, out *certificatesv1alpha1.PodCertificateRequest, s conversion.Scope) error {
-	return autoConvert_certificates_PodCertificateRequest_To_v1alpha1_PodCertificateRequest(in, out, s)
-}
-
-func autoConvert_v1alpha1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in *certificatesv1alpha1.PodCertificateRequestList, out *certificates.PodCertificateRequestList, s conversion.Scope) error {
-	out.ListMeta = in.ListMeta
-	out.Items = *(*[]certificates.PodCertificateRequest)(unsafe.Pointer(&in.Items))
-	return nil
-}
-
-// Convert_v1alpha1_PodCertificateRequestList_To_certificates_PodCertificateRequestList is an autogenerated conversion function.
-func Convert_v1alpha1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in *certificatesv1alpha1.PodCertificateRequestList, out *certificates.PodCertificateRequestList, s conversion.Scope) error {
-	return autoConvert_v1alpha1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in, out, s)
-}
-
-func autoConvert_certificates_PodCertificateRequestList_To_v1alpha1_PodCertificateRequestList(in *certificates.PodCertificateRequestList, out *certificatesv1alpha1.PodCertificateRequestList, s conversion.Scope) error {
-	out.ListMeta = in.ListMeta
-	out.Items = *(*[]certificatesv1alpha1.PodCertificateRequest)(unsafe.Pointer(&in.Items))
-	return nil
-}
-
-// Convert_certificates_PodCertificateRequestList_To_v1alpha1_PodCertificateRequestList is an autogenerated conversion function.
-func Convert_certificates_PodCertificateRequestList_To_v1alpha1_PodCertificateRequestList(in *certificates.PodCertificateRequestList, out *certificatesv1alpha1.PodCertificateRequestList, s conversion.Scope) error {
-	return autoConvert_certificates_PodCertificateRequestList_To_v1alpha1_PodCertificateRequestList(in, out, s)
-}
-
-func autoConvert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in *certificatesv1alpha1.PodCertificateRequestSpec, out *certificates.PodCertificateRequestSpec, s conversion.Scope) error {
-	out.SignerName = in.SignerName
-	out.PodName = in.PodName
-	out.PodUID = types.UID(in.PodUID)
-	out.ServiceAccountName = in.ServiceAccountName
-	out.ServiceAccountUID = types.UID(in.ServiceAccountUID)
-	out.NodeName = types.NodeName(in.NodeName)
-	out.NodeUID = types.UID(in.NodeUID)
-	out.MaxExpirationSeconds = (*int32)(unsafe.Pointer(in.MaxExpirationSeconds))
-	out.PKIXPublicKey = *(*[]byte)(unsafe.Pointer(&in.PKIXPublicKey))
-	out.ProofOfPossession = *(*[]byte)(unsafe.Pointer(&in.ProofOfPossession))
-	return nil
-}
-
-// Convert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec is an autogenerated conversion function.
-func Convert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in *certificatesv1alpha1.PodCertificateRequestSpec, out *certificates.PodCertificateRequestSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in, out, s)
-}
-
-func autoConvert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec(in *certificates.PodCertificateRequestSpec, out *certificatesv1alpha1.PodCertificateRequestSpec, s conversion.Scope) error {
-	out.SignerName = in.SignerName
-	out.PodName = in.PodName
-	out.PodUID = types.UID(in.PodUID)
-	out.ServiceAccountName = in.ServiceAccountName
-	out.ServiceAccountUID = types.UID(in.ServiceAccountUID)
-	out.NodeName = types.NodeName(in.NodeName)
-	out.NodeUID = types.UID(in.NodeUID)
-	out.MaxExpirationSeconds = (*int32)(unsafe.Pointer(in.MaxExpirationSeconds))
-	out.PKIXPublicKey = *(*[]byte)(unsafe.Pointer(&in.PKIXPublicKey))
-	out.ProofOfPossession = *(*[]byte)(unsafe.Pointer(&in.ProofOfPossession))
-	return nil
-}
-
-// Convert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec is an autogenerated conversion function.
-func Convert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec(in *certificates.PodCertificateRequestSpec, out *certificatesv1alpha1.PodCertificateRequestSpec, s conversion.Scope) error {
-	return autoConvert_certificates_PodCertificateRequestSpec_To_v1alpha1_PodCertificateRequestSpec(in, out, s)
-}
-
-func autoConvert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in *certificatesv1alpha1.PodCertificateRequestStatus, out *certificates.PodCertificateRequestStatus, s conversion.Scope) error {
-	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
-	out.CertificateChain = in.CertificateChain
-	out.NotBefore = (*v1.Time)(unsafe.Pointer(in.NotBefore))
-	out.BeginRefreshAt = (*v1.Time)(unsafe.Pointer(in.BeginRefreshAt))
-	out.NotAfter = (*v1.Time)(unsafe.Pointer(in.NotAfter))
-	return nil
-}
-
-// Convert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus is an autogenerated conversion function.
-func Convert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in *certificatesv1alpha1.PodCertificateRequestStatus, out *certificates.PodCertificateRequestStatus, s conversion.Scope) error {
-	return autoConvert_v1alpha1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in, out, s)
-}
-
-func autoConvert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus(in *certificates.PodCertificateRequestStatus, out *certificatesv1alpha1.PodCertificateRequestStatus, s conversion.Scope) error {
-	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
-	out.CertificateChain = in.CertificateChain
-	out.NotBefore = (*v1.Time)(unsafe.Pointer(in.NotBefore))
-	out.BeginRefreshAt = (*v1.Time)(unsafe.Pointer(in.BeginRefreshAt))
-	out.NotAfter = (*v1.Time)(unsafe.Pointer(in.NotAfter))
-	return nil
-}
-
-// Convert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus is an autogenerated conversion function.
-func Convert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus(in *certificates.PodCertificateRequestStatus, out *certificatesv1alpha1.PodCertificateRequestStatus, s conversion.Scope) error {
-	return autoConvert_certificates_PodCertificateRequestStatus_To_v1alpha1_PodCertificateRequestStatus(in, out, s)
-}
diff --git a/pkg/apis/certificates/v1alpha1/zz_generated.defaults.go b/pkg/apis/certificates/v1alpha1/zz_generated.defaults.go
index bc8d9f8c2fe1d..5070cb91b90f1 100644
--- a/pkg/apis/certificates/v1alpha1/zz_generated.defaults.go
+++ b/pkg/apis/certificates/v1alpha1/zz_generated.defaults.go
@@ -22,7 +22,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -30,25 +29,5 @@ import (
 // Public to allow building arbitrary schemes.
 // All generated defaulters are covering - they call all nested defaulters.
 func RegisterDefaults(scheme *runtime.Scheme) error {
-	scheme.AddTypeDefaultingFunc(&certificatesv1alpha1.PodCertificateRequest{}, func(obj interface{}) {
-		SetObjectDefaults_PodCertificateRequest(obj.(*certificatesv1alpha1.PodCertificateRequest))
-	})
-	scheme.AddTypeDefaultingFunc(&certificatesv1alpha1.PodCertificateRequestList{}, func(obj interface{}) {
-		SetObjectDefaults_PodCertificateRequestList(obj.(*certificatesv1alpha1.PodCertificateRequestList))
-	})
 	return nil
 }
-
-func SetObjectDefaults_PodCertificateRequest(in *certificatesv1alpha1.PodCertificateRequest) {
-	if in.Spec.MaxExpirationSeconds == nil {
-		var ptrVar1 int32 = 86400
-		in.Spec.MaxExpirationSeconds = &ptrVar1
-	}
-}
-
-func SetObjectDefaults_PodCertificateRequestList(in *certificatesv1alpha1.PodCertificateRequestList) {
-	for i := range in.Items {
-		a := &in.Items[i]
-		SetObjectDefaults_PodCertificateRequest(a)
-	}
-}
diff --git a/pkg/apis/certificates/v1beta1/conversion.go b/pkg/apis/certificates/v1beta1/conversion.go
index f7fb6907a7373..a269a36c41e64 100644
--- a/pkg/apis/certificates/v1beta1/conversion.go
+++ b/pkg/apis/certificates/v1beta1/conversion.go
@@ -39,15 +39,35 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
 		return err
 	}
 
-	return scheme.AddFieldLabelConversionFunc(SchemeGroupVersion.WithKind("ClusterTrustBundle"),
+	err = scheme.AddFieldLabelConversionFunc(
+		SchemeGroupVersion.WithKind("ClusterTrustBundle"),
 		func(label, value string) (string, string, error) {
 			switch label {
-			case "metadata.name",
-				"spec.signerName":
+			case "metadata.name", "spec.signerName":
+				return label, value, nil
+			default:
+				return "", "", fmt.Errorf("field label not supported: %s", label)
+			}
+		},
+	)
+	if err != nil {
+		return fmt.Errorf("while adding ClusterTrustBundle field label conversion func: %w", err)
+	}
+
+	err = scheme.AddFieldLabelConversionFunc(
+		SchemeGroupVersion.WithKind("PodCertificateRequest"),
+		func(label, value string) (string, string, error) {
+			switch label {
+			case "metadata.name", "spec.signerName", "spec.podName", "spec.nodeName":
 				return label, value, nil
 			default:
 				return "", "", fmt.Errorf("field label not supported: %s", label)
 			}
 		},
 	)
+	if err != nil {
+		return fmt.Errorf("while adding PodCertificateRequest field label conversion func: %w", err)
+	}
+
+	return nil
 }
diff --git a/pkg/apis/certificates/v1beta1/zz_generated.conversion.go b/pkg/apis/certificates/v1beta1/zz_generated.conversion.go
index 2bdc84a2c9e27..32315f49b16ba 100644
--- a/pkg/apis/certificates/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/certificates/v1beta1/zz_generated.conversion.go
@@ -29,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
 	certificates "k8s.io/kubernetes/pkg/apis/certificates"
 	core "k8s.io/kubernetes/pkg/apis/core"
 )
@@ -120,6 +121,46 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*certificatesv1beta1.PodCertificateRequest)(nil), (*certificates.PodCertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodCertificateRequest_To_certificates_PodCertificateRequest(a.(*certificatesv1beta1.PodCertificateRequest), b.(*certificates.PodCertificateRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequest)(nil), (*certificatesv1beta1.PodCertificateRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certificates_PodCertificateRequest_To_v1beta1_PodCertificateRequest(a.(*certificates.PodCertificateRequest), b.(*certificatesv1beta1.PodCertificateRequest), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificatesv1beta1.PodCertificateRequestList)(nil), (*certificates.PodCertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(a.(*certificatesv1beta1.PodCertificateRequestList), b.(*certificates.PodCertificateRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestList)(nil), (*certificatesv1beta1.PodCertificateRequestList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certificates_PodCertificateRequestList_To_v1beta1_PodCertificateRequestList(a.(*certificates.PodCertificateRequestList), b.(*certificatesv1beta1.PodCertificateRequestList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificatesv1beta1.PodCertificateRequestSpec)(nil), (*certificates.PodCertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(a.(*certificatesv1beta1.PodCertificateRequestSpec), b.(*certificates.PodCertificateRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestSpec)(nil), (*certificatesv1beta1.PodCertificateRequestSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec(a.(*certificates.PodCertificateRequestSpec), b.(*certificatesv1beta1.PodCertificateRequestSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificatesv1beta1.PodCertificateRequestStatus)(nil), (*certificates.PodCertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(a.(*certificatesv1beta1.PodCertificateRequestStatus), b.(*certificates.PodCertificateRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*certificates.PodCertificateRequestStatus)(nil), (*certificatesv1beta1.PodCertificateRequestStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus(a.(*certificates.PodCertificateRequestStatus), b.(*certificatesv1beta1.PodCertificateRequestStatus), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -356,3 +397,125 @@ func autoConvert_certificates_ClusterTrustBundleSpec_To_v1beta1_ClusterTrustBund
 func Convert_certificates_ClusterTrustBundleSpec_To_v1beta1_ClusterTrustBundleSpec(in *certificates.ClusterTrustBundleSpec, out *certificatesv1beta1.ClusterTrustBundleSpec, s conversion.Scope) error {
 	return autoConvert_certificates_ClusterTrustBundleSpec_To_v1beta1_ClusterTrustBundleSpec(in, out, s)
 }
+
+func autoConvert_v1beta1_PodCertificateRequest_To_certificates_PodCertificateRequest(in *certificatesv1beta1.PodCertificateRequest, out *certificates.PodCertificateRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1beta1_PodCertificateRequest_To_certificates_PodCertificateRequest is an autogenerated conversion function.
+func Convert_v1beta1_PodCertificateRequest_To_certificates_PodCertificateRequest(in *certificatesv1beta1.PodCertificateRequest, out *certificates.PodCertificateRequest, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodCertificateRequest_To_certificates_PodCertificateRequest(in, out, s)
+}
+
+func autoConvert_certificates_PodCertificateRequest_To_v1beta1_PodCertificateRequest(in *certificates.PodCertificateRequest, out *certificatesv1beta1.PodCertificateRequest, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_certificates_PodCertificateRequest_To_v1beta1_PodCertificateRequest is an autogenerated conversion function.
+func Convert_certificates_PodCertificateRequest_To_v1beta1_PodCertificateRequest(in *certificates.PodCertificateRequest, out *certificatesv1beta1.PodCertificateRequest, s conversion.Scope) error {
+	return autoConvert_certificates_PodCertificateRequest_To_v1beta1_PodCertificateRequest(in, out, s)
+}
+
+func autoConvert_v1beta1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in *certificatesv1beta1.PodCertificateRequestList, out *certificates.PodCertificateRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]certificates.PodCertificateRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1beta1_PodCertificateRequestList_To_certificates_PodCertificateRequestList is an autogenerated conversion function.
+func Convert_v1beta1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in *certificatesv1beta1.PodCertificateRequestList, out *certificates.PodCertificateRequestList, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodCertificateRequestList_To_certificates_PodCertificateRequestList(in, out, s)
+}
+
+func autoConvert_certificates_PodCertificateRequestList_To_v1beta1_PodCertificateRequestList(in *certificates.PodCertificateRequestList, out *certificatesv1beta1.PodCertificateRequestList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]certificatesv1beta1.PodCertificateRequest)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_certificates_PodCertificateRequestList_To_v1beta1_PodCertificateRequestList is an autogenerated conversion function.
+func Convert_certificates_PodCertificateRequestList_To_v1beta1_PodCertificateRequestList(in *certificates.PodCertificateRequestList, out *certificatesv1beta1.PodCertificateRequestList, s conversion.Scope) error {
+	return autoConvert_certificates_PodCertificateRequestList_To_v1beta1_PodCertificateRequestList(in, out, s)
+}
+
+func autoConvert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in *certificatesv1beta1.PodCertificateRequestSpec, out *certificates.PodCertificateRequestSpec, s conversion.Scope) error {
+	out.SignerName = in.SignerName
+	out.PodName = in.PodName
+	out.PodUID = types.UID(in.PodUID)
+	out.ServiceAccountName = in.ServiceAccountName
+	out.ServiceAccountUID = types.UID(in.ServiceAccountUID)
+	out.NodeName = types.NodeName(in.NodeName)
+	out.NodeUID = types.UID(in.NodeUID)
+	out.MaxExpirationSeconds = (*int32)(unsafe.Pointer(in.MaxExpirationSeconds))
+	out.PKIXPublicKey = *(*[]byte)(unsafe.Pointer(&in.PKIXPublicKey))
+	out.ProofOfPossession = *(*[]byte)(unsafe.Pointer(&in.ProofOfPossession))
+	out.UnverifiedUserAnnotations = *(*map[string]string)(unsafe.Pointer(&in.UnverifiedUserAnnotations))
+	return nil
+}
+
+// Convert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec is an autogenerated conversion function.
+func Convert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in *certificatesv1beta1.PodCertificateRequestSpec, out *certificates.PodCertificateRequestSpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodCertificateRequestSpec_To_certificates_PodCertificateRequestSpec(in, out, s)
+}
+
+func autoConvert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec(in *certificates.PodCertificateRequestSpec, out *certificatesv1beta1.PodCertificateRequestSpec, s conversion.Scope) error {
+	out.SignerName = in.SignerName
+	out.PodName = in.PodName
+	out.PodUID = types.UID(in.PodUID)
+	out.ServiceAccountName = in.ServiceAccountName
+	out.ServiceAccountUID = types.UID(in.ServiceAccountUID)
+	out.NodeName = types.NodeName(in.NodeName)
+	out.NodeUID = types.UID(in.NodeUID)
+	out.MaxExpirationSeconds = (*int32)(unsafe.Pointer(in.MaxExpirationSeconds))
+	out.PKIXPublicKey = *(*[]byte)(unsafe.Pointer(&in.PKIXPublicKey))
+	out.ProofOfPossession = *(*[]byte)(unsafe.Pointer(&in.ProofOfPossession))
+	out.UnverifiedUserAnnotations = *(*map[string]string)(unsafe.Pointer(&in.UnverifiedUserAnnotations))
+	return nil
+}
+
+// Convert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec is an autogenerated conversion function.
+func Convert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec(in *certificates.PodCertificateRequestSpec, out *certificatesv1beta1.PodCertificateRequestSpec, s conversion.Scope) error {
+	return autoConvert_certificates_PodCertificateRequestSpec_To_v1beta1_PodCertificateRequestSpec(in, out, s)
+}
+
+func autoConvert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in *certificatesv1beta1.PodCertificateRequestStatus, out *certificates.PodCertificateRequestStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]metav1.Condition)(unsafe.Pointer(&in.Conditions))
+	out.CertificateChain = in.CertificateChain
+	out.NotBefore = (*metav1.Time)(unsafe.Pointer(in.NotBefore))
+	out.BeginRefreshAt = (*metav1.Time)(unsafe.Pointer(in.BeginRefreshAt))
+	out.NotAfter = (*metav1.Time)(unsafe.Pointer(in.NotAfter))
+	return nil
+}
+
+// Convert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus is an autogenerated conversion function.
+func Convert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in *certificatesv1beta1.PodCertificateRequestStatus, out *certificates.PodCertificateRequestStatus, s conversion.Scope) error {
+	return autoConvert_v1beta1_PodCertificateRequestStatus_To_certificates_PodCertificateRequestStatus(in, out, s)
+}
+
+func autoConvert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus(in *certificates.PodCertificateRequestStatus, out *certificatesv1beta1.PodCertificateRequestStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]metav1.Condition)(unsafe.Pointer(&in.Conditions))
+	out.CertificateChain = in.CertificateChain
+	out.NotBefore = (*metav1.Time)(unsafe.Pointer(in.NotBefore))
+	out.BeginRefreshAt = (*metav1.Time)(unsafe.Pointer(in.BeginRefreshAt))
+	out.NotAfter = (*metav1.Time)(unsafe.Pointer(in.NotAfter))
+	return nil
+}
+
+// Convert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus is an autogenerated conversion function.
+func Convert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus(in *certificates.PodCertificateRequestStatus, out *certificatesv1beta1.PodCertificateRequestStatus, s conversion.Scope) error {
+	return autoConvert_certificates_PodCertificateRequestStatus_To_v1beta1_PodCertificateRequestStatus(in, out, s)
+}
diff --git a/pkg/apis/certificates/v1beta1/zz_generated.defaults.go b/pkg/apis/certificates/v1beta1/zz_generated.defaults.go
index 8f7d90d12f800..9a7c907d7d704 100644
--- a/pkg/apis/certificates/v1beta1/zz_generated.defaults.go
+++ b/pkg/apis/certificates/v1beta1/zz_generated.defaults.go
@@ -36,6 +36,12 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 	scheme.AddTypeDefaultingFunc(&certificatesv1beta1.CertificateSigningRequestList{}, func(obj interface{}) {
 		SetObjectDefaults_CertificateSigningRequestList(obj.(*certificatesv1beta1.CertificateSigningRequestList))
 	})
+	scheme.AddTypeDefaultingFunc(&certificatesv1beta1.PodCertificateRequest{}, func(obj interface{}) {
+		SetObjectDefaults_PodCertificateRequest(obj.(*certificatesv1beta1.PodCertificateRequest))
+	})
+	scheme.AddTypeDefaultingFunc(&certificatesv1beta1.PodCertificateRequestList{}, func(obj interface{}) {
+		SetObjectDefaults_PodCertificateRequestList(obj.(*certificatesv1beta1.PodCertificateRequestList))
+	})
 	return nil
 }
 
@@ -53,3 +59,17 @@ func SetObjectDefaults_CertificateSigningRequestList(in *certificatesv1beta1.Cer
 		SetObjectDefaults_CertificateSigningRequest(a)
 	}
 }
+
+func SetObjectDefaults_PodCertificateRequest(in *certificatesv1beta1.PodCertificateRequest) {
+	if in.Spec.MaxExpirationSeconds == nil {
+		var ptrVar1 int32 = 86400
+		in.Spec.MaxExpirationSeconds = &ptrVar1
+	}
+}
+
+func SetObjectDefaults_PodCertificateRequestList(in *certificatesv1beta1.PodCertificateRequestList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_PodCertificateRequest(a)
+	}
+}
diff --git a/pkg/apis/certificates/v1beta1/zz_generated.validations.go b/pkg/apis/certificates/v1beta1/zz_generated.validations.go
index 99d3dc0267b10..f103482ea7c3e 100644
--- a/pkg/apis/certificates/v1beta1/zz_generated.validations.go
+++ b/pkg/apis/certificates/v1beta1/zz_generated.validations.go
@@ -39,6 +39,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type CertificateSigningRequest
 	scheme.AddValidationFunc((*certificatesv1beta1.CertificateSigningRequest)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/", "/approval", "/status":
@@ -46,6 +47,7 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type CertificateSigningRequestList
 	scheme.AddValidationFunc((*certificatesv1beta1.CertificateSigningRequestList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -56,6 +58,8 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_CertificateSigningRequest validates an instance of CertificateSigningRequest according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1beta1.CertificateSigningRequest) (errs field.ErrorList) {
 	// field certificatesv1beta1.CertificateSigningRequest.TypeMeta has no validation
 	// field certificatesv1beta1.CertificateSigningRequest.ObjectMeta has no validation
@@ -63,48 +67,66 @@ func Validate_CertificateSigningRequest(ctx context.Context, op operation.Operat
 
 	// field certificatesv1beta1.CertificateSigningRequest.Status
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *certificatesv1beta1.CertificateSigningRequestStatus) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *certificatesv1beta1.CertificateSigningRequestStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_CertificateSigningRequestStatus(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("status"), &obj.Status, safe.Field(oldObj, func(oldObj *certificatesv1beta1.CertificateSigningRequest) *certificatesv1beta1.CertificateSigningRequestStatus {
 			return &oldObj.Status
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_CertificateSigningRequestList validates an instance of CertificateSigningRequestList according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequestList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1beta1.CertificateSigningRequestList) (errs field.ErrorList) {
 	// field certificatesv1beta1.CertificateSigningRequestList.TypeMeta has no validation
 	// field certificatesv1beta1.CertificateSigningRequestList.ListMeta has no validation
 
 	// field certificatesv1beta1.CertificateSigningRequestList.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []certificatesv1beta1.CertificateSigningRequest) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []certificatesv1beta1.CertificateSigningRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_CertificateSigningRequest)...)
 			return
 		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *certificatesv1beta1.CertificateSigningRequestList) []certificatesv1beta1.CertificateSigningRequest {
 			return oldObj.Items
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1beta1_CertificateSigningRequestStatus_Conditions_ = validate.NewUnionMembership([2]string{"Conditions[{\"type\": \"Approved\"}]", ""}, [2]string{"Conditions[{\"type\": \"Denied\"}]", ""})
+var zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1beta1_CertificateSigningRequestStatus_conditions_ = validate.NewUnionMembership(validate.NewUnionMember("conditions[{\"type\": \"Approved\"}]"), validate.NewUnionMember("conditions[{\"type\": \"Denied\"}]"))
 
+// Validate_CertificateSigningRequestStatus validates an instance of CertificateSigningRequestStatus according
+// to declarative validation rules in the API schema.
 func Validate_CertificateSigningRequestStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *certificatesv1beta1.CertificateSigningRequestStatus) (errs field.ErrorList) {
 	// field certificatesv1beta1.CertificateSigningRequestStatus.Conditions
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []certificatesv1beta1.CertificateSigningRequestCondition) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []certificatesv1beta1.CertificateSigningRequestCondition, oldValueCorrelated bool) (errs field.ErrorList) {
+			// Uniqueness validation is implemented via custom, handwritten validation
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
-			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1beta1_CertificateSigningRequestStatus_Conditions_, func(list []certificatesv1beta1.CertificateSigningRequestCondition) bool {
+			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_api_certificates_v1beta1_CertificateSigningRequestStatus_conditions_, func(list []certificatesv1beta1.CertificateSigningRequestCondition) bool {
 				for i := range list {
 					if list[i].Type == "Approved" {
 						return true
@@ -122,7 +144,7 @@ func Validate_CertificateSigningRequestStatus(ctx context.Context, op operation.
 			return
 		}(fldPath.Child("conditions"), obj.Conditions, safe.Field(oldObj, func(oldObj *certificatesv1beta1.CertificateSigningRequestStatus) []certificatesv1beta1.CertificateSigningRequestCondition {
 			return oldObj.Conditions
-		}))...)
+		}), oldObj != nil)...)
 
 	// field certificatesv1beta1.CertificateSigningRequestStatus.Certificate has no validation
 	return errs
diff --git a/pkg/apis/certificates/validation/validation.go b/pkg/apis/certificates/validation/validation.go
index ad3ad80ee304f..0b2b6046bbdd6 100644
--- a/pkg/apis/certificates/validation/validation.go
+++ b/pkg/apis/certificates/validation/validation.go
@@ -27,7 +27,9 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"net/mail"
 	"strconv"
+	"strings"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -595,6 +597,11 @@ func ValidatePodCertificateRequestCreate(req *certificates.PodCertificateRequest
 	signerNameErrors := apivalidation.ValidateSignerName(field.NewPath("spec", "signerName"), req.Spec.SignerName)
 	allErrors = append(allErrors, signerNameErrors...)
 
+	if req.Spec.UnverifiedUserAnnotations != nil {
+		userAnnotationsErrors := apivalidation.ValidateUserAnnotations(req.Spec.UnverifiedUserAnnotations, field.NewPath("spec", "unverifiedUserAnnotations"))
+		allErrors = append(allErrors, userAnnotationsErrors...)
+	}
+
 	for _, msg := range apivalidation.ValidatePodName(req.Spec.PodName, false) {
 		allErrors = append(allErrors, field.Invalid(field.NewPath("spec", "podName"), req.Spec.PodName, msg))
 	}
@@ -802,6 +809,22 @@ func ValidatePodCertificateRequestStatusUpdate(newReq, oldReq *certificates.PodC
 			allErrors = append(allErrors, field.Invalid(certChainPath, newReq.Status.CertificateChain, "leaf certificate does not parse as valid X.509"))
 			return allErrors
 		}
+		for _, dnsName := range leafCert.DNSNames {
+			if dnsName == "" {
+				allErrors = append(allErrors, field.Invalid(certChainPath, dnsName, "leaf certificate should not contain empty DNSName"))
+			}
+			if strings.Contains(dnsName, "..") {
+				allErrors = append(allErrors, field.Invalid(certChainPath, dnsName, "leaf certificate's DNSName should not contain '..'"))
+			}
+			if strings.HasPrefix(dnsName, ".") || strings.HasSuffix(dnsName, ".") {
+				allErrors = append(allErrors, field.Invalid(certChainPath, dnsName, "leaf certificate's DNSName should not start or end with '.'"))
+			}
+		}
+		for _, emailAddress := range leafCert.EmailAddresses {
+			if _, err := mail.ParseAddress(emailAddress); err != nil {
+				allErrors = append(allErrors, field.Invalid(certChainPath, emailAddress, "leaf certificate should not contain invalid EmailAddress"))
+			}
+		}
 
 		// Was the certificate issued to the public key in the spec?
 		wantPKAny, err := x509.ParsePKIXPublicKey(oldReq.Spec.PKIXPublicKey)
diff --git a/pkg/apis/certificates/validation/validation_test.go b/pkg/apis/certificates/validation/validation_test.go
index d22c637c2fb27..717251d188f4e 100644
--- a/pkg/apis/certificates/validation/validation_test.go
+++ b/pkg/apis/certificates/validation/validation_test.go
@@ -36,6 +36,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -2217,6 +2218,81 @@ func TestValidatePodCertificateRequestCreate(t *testing.T) {
 				field.TooLong(field.NewPath("spec", "proofOfPossession"), make([]byte, capi.MaxProofOfPossessionSize+1), capi.MaxProofOfPossessionSize),
 			},
 		},
+		{
+			description: "bad user annotations key name",
+			pcr: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					PodUID:                    types.UID(podUID1),
+					ServiceAccountName:        "sa-1",
+					ServiceAccountUID:         "sa-uid-1",
+					NodeName:                  "node-1",
+					NodeUID:                   "node-uid-1",
+					MaxExpirationSeconds:      ptr.To[int32](86400),
+					PKIXPublicKey:             ed25519PubPKIX1,
+					ProofOfPossession:         ed25519Proof1,
+					UnverifiedUserAnnotations: map[string]string{"test/domain/foo": "bar"},
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "unverifiedUserAnnotations"), "test/domain/foo", "a valid label key must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')"),
+			},
+		},
+		{
+			description: "bad user annotations key prefix too long",
+			pcr: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					PodUID:                    types.UID(podUID1),
+					ServiceAccountName:        "sa-1",
+					ServiceAccountUID:         "sa-uid-1",
+					NodeName:                  "node-1",
+					NodeUID:                   "node-uid-1",
+					MaxExpirationSeconds:      ptr.To[int32](86400),
+					PKIXPublicKey:             ed25519PubPKIX1,
+					ProofOfPossession:         ed25519Proof1,
+					UnverifiedUserAnnotations: map[string]string{strings.Repeat("a", 254) + "/foo": "bar"},
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "unverifiedUserAnnotations"), strings.Repeat("a", 254)+"/foo", "prefix part must be no more than 253 bytes"),
+			},
+		},
+		{
+			description: "bad user annotations key/value total size too long",
+			pcr: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					PodUID:                    types.UID(podUID1),
+					ServiceAccountName:        "sa-1",
+					ServiceAccountUID:         "sa-uid-1",
+					NodeName:                  "node-1",
+					NodeUID:                   "node-uid-1",
+					MaxExpirationSeconds:      ptr.To[int32](86400),
+					PKIXPublicKey:             ed25519PubPKIX1,
+					ProofOfPossession:         ed25519Proof1,
+					UnverifiedUserAnnotations: map[string]string{"foo/bar": strings.Repeat("d", apimachineryvalidation.TotalAnnotationSizeLimitB)},
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.TooLong(field.NewPath("spec", "unverifiedUserAnnotations"), "", apimachineryvalidation.TotalAnnotationSizeLimitB),
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -2248,16 +2324,17 @@ func TestValidatePodCertificateRequestUpdate(t *testing.T) {
 					Name:      "bar",
 				},
 				Spec: capi.PodCertificateRequestSpec{
-					SignerName:           "foo.com/abc",
-					PodName:              "pod-1",
-					PodUID:               types.UID(podUID1),
-					ServiceAccountName:   "sa-1",
-					ServiceAccountUID:    "sa-uid-1",
-					NodeName:             "node-1",
-					NodeUID:              "node-uid-1",
-					MaxExpirationSeconds: ptr.To[int32](86400),
-					PKIXPublicKey:        pubPKIX1,
-					ProofOfPossession:    proof1,
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					PodUID:                    types.UID(podUID1),
+					ServiceAccountName:        "sa-1",
+					ServiceAccountUID:         "sa-uid-1",
+					NodeName:                  "node-1",
+					NodeUID:                   "node-uid-1",
+					MaxExpirationSeconds:      ptr.To[int32](86400),
+					PKIXPublicKey:             pubPKIX1,
+					ProofOfPossession:         proof1,
+					UnverifiedUserAnnotations: map[string]string{"test.domain/foo": "bar"},
 				},
 			},
 			newPCR: &capi.PodCertificateRequest{
@@ -2266,32 +2343,34 @@ func TestValidatePodCertificateRequestUpdate(t *testing.T) {
 					Name:      "bar",
 				},
 				Spec: capi.PodCertificateRequestSpec{
-					SignerName:           "foo.com/new",
-					PodName:              "new",
-					PodUID:               types.UID("new"),
-					ServiceAccountName:   "new",
-					ServiceAccountUID:    "new",
-					NodeName:             "new",
-					NodeUID:              "new",
-					MaxExpirationSeconds: ptr.To[int32](86401),
-					PKIXPublicKey:        pubPKIX1,
-					ProofOfPossession:    proof1,
+					SignerName:                "foo.com/new",
+					PodName:                   "new",
+					PodUID:                    types.UID("new"),
+					ServiceAccountName:        "new",
+					ServiceAccountUID:         "new",
+					NodeName:                  "new",
+					NodeUID:                   "new",
+					MaxExpirationSeconds:      ptr.To[int32](86401),
+					PKIXPublicKey:             pubPKIX1,
+					ProofOfPossession:         proof1,
+					UnverifiedUserAnnotations: map[string]string{"test.domain/foo": "foo"},
 				},
 			},
 			wantErrors: field.ErrorList{
 				field.Invalid(
 					field.NewPath("spec"),
 					capi.PodCertificateRequestSpec{
-						SignerName:           "foo.com/new",
-						PodName:              "new",
-						PodUID:               types.UID("new"),
-						ServiceAccountName:   "new",
-						ServiceAccountUID:    "new",
-						NodeName:             "new",
-						NodeUID:              "new",
-						MaxExpirationSeconds: ptr.To[int32](86401),
-						PKIXPublicKey:        pubPKIX1,
-						ProofOfPossession:    proof1,
+						SignerName:                "foo.com/new",
+						PodName:                   "new",
+						PodUID:                    types.UID("new"),
+						ServiceAccountName:        "new",
+						ServiceAccountUID:         "new",
+						NodeName:                  "new",
+						NodeUID:                   "new",
+						MaxExpirationSeconds:      ptr.To[int32](86401),
+						PKIXPublicKey:             pubPKIX1,
+						ProofOfPossession:         proof1,
+						UnverifiedUserAnnotations: map[string]string{"test.domain/foo": "foo"},
 					},
 					"field is immutable",
 				),
@@ -2319,12 +2398,17 @@ func TestValidatePodCertificateRequestStatusUpdate(t *testing.T) {
 	podUID1 := "pod-uid-1"
 	_, pub1, pubPKIX1, proof1 := mustMakeEd25519KeyAndProof(t, []byte(podUID1))
 
-	pod1Cert1 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey)
-	pod1Cert2 := mustSignCertForPublicKey(t, 18*time.Hour, pub1, caCertDER, caPrivKey)
-	badCertTooShort := mustSignCertForPublicKey(t, 50*time.Minute, pub1, caCertDER, caPrivKey)
-	badCertTooLong := mustSignCertForPublicKey(t, 25*time.Hour, pub1, caCertDER, caPrivKey)
+	pod1Cert1 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, false, "", "")
+	pod1Cert2 := mustSignCertForPublicKey(t, 18*time.Hour, pub1, caCertDER, caPrivKey, false, "", "")
+	badCertTooShort := mustSignCertForPublicKey(t, 50*time.Minute, pub1, caCertDER, caPrivKey, false, "", "")
+	badCertTooLong := mustSignCertForPublicKey(t, 25*time.Hour, pub1, caCertDER, caPrivKey, false, "", "")
+	certWithBadDNSName1 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, true, "", "")
+	certWithBadDNSName2 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, true, "test-name..example", "")
+	certWithBadDNSName3 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, true, ".example", "")
+	certWithBadDNSName4 := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, true, "example.", "")
+	certWithBadEmailAddress := mustSignCertForPublicKey(t, 24*time.Hour, pub1, caCertDER, caPrivKey, false, "", "email@@address")
 
-	certFromIntermediate := mustSignCertForPublicKey(t, 24*time.Hour, pub1, intermediateCACertDER, intermediateCAPrivKey)
+	certFromIntermediate := mustSignCertForPublicKey(t, 24*time.Hour, pub1, intermediateCACertDER, intermediateCAPrivKey, false, "", "")
 
 	testCases := []struct {
 		description    string
@@ -3997,6 +4081,291 @@ func TestValidatePodCertificateRequestStatusUpdate(t *testing.T) {
 				field.Invalid(field.NewPath("status", "certificateChain"), 25*time.Hour, "leaf certificate lifetime must be <= spec.maxExpirationSeconds (86400)"),
 			},
 		},
+		{
+			description: "leaf cert can not contain empty DNSName",
+			oldPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+			},
+			newPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+				Status: capi.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               capi.PodCertificateRequestConditionTypeIssued,
+							Status:             metav1.ConditionTrue,
+							Reason:             "Whatever",
+							Message:            "Foo message",
+							LastTransitionTime: metav1.NewTime(time.Now()),
+						},
+					},
+					CertificateChain: certWithBadDNSName1,
+					NotBefore:        ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T00:00:00Z"))),
+					BeginRefreshAt:   ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T12:00:00Z"))),
+					NotAfter:         ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-02T00:00:00Z"))),
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("status", "certificateChain"), "", "leaf certificate should not contain empty DNSName"),
+			},
+		},
+		{
+			description: "leaf cert can not contain DNSName contains '..'",
+			oldPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+			},
+			newPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+				Status: capi.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               capi.PodCertificateRequestConditionTypeIssued,
+							Status:             metav1.ConditionTrue,
+							Reason:             "Whatever",
+							Message:            "Foo message",
+							LastTransitionTime: metav1.NewTime(time.Now()),
+						},
+					},
+					CertificateChain: certWithBadDNSName2,
+					NotBefore:        ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T00:00:00Z"))),
+					BeginRefreshAt:   ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T12:00:00Z"))),
+					NotAfter:         ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-02T00:00:00Z"))),
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("status", "certificateChain"), "test-name..example", "leaf certificate's DNSName should not contain '..'"),
+			},
+		},
+		{
+			description: "leaf cert can not contain DNSName start with '.'",
+			oldPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+			},
+			newPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+				Status: capi.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               capi.PodCertificateRequestConditionTypeIssued,
+							Status:             metav1.ConditionTrue,
+							Reason:             "Whatever",
+							Message:            "Foo message",
+							LastTransitionTime: metav1.NewTime(time.Now()),
+						},
+					},
+					CertificateChain: certWithBadDNSName3,
+					NotBefore:        ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T00:00:00Z"))),
+					BeginRefreshAt:   ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T12:00:00Z"))),
+					NotAfter:         ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-02T00:00:00Z"))),
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("status", "certificateChain"), ".example", "leaf certificate's DNSName should not start or end with '.'"),
+			},
+		},
+		{
+			description: "leaf cert can not contain DNSName end with '.'",
+			oldPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+			},
+			newPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+				Status: capi.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               capi.PodCertificateRequestConditionTypeIssued,
+							Status:             metav1.ConditionTrue,
+							Reason:             "Whatever",
+							Message:            "Foo message",
+							LastTransitionTime: metav1.NewTime(time.Now()),
+						},
+					},
+					CertificateChain: certWithBadDNSName4,
+					NotBefore:        ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T00:00:00Z"))),
+					BeginRefreshAt:   ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T12:00:00Z"))),
+					NotAfter:         ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-02T00:00:00Z"))),
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("status", "certificateChain"), "example.", "leaf certificate's DNSName should not start or end with '.'"),
+			},
+		},
+		{
+			description: "leaf cert can not contain bad email address",
+			oldPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+			},
+			newPCR: &capi.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: capi.PodCertificateRequestSpec{
+					SignerName:           "foo.com/abc",
+					PodName:              "pod-1",
+					PodUID:               types.UID(podUID1),
+					ServiceAccountName:   "sa-1",
+					ServiceAccountUID:    "sa-uid-1",
+					NodeName:             "node-1",
+					NodeUID:              "node-uid-1",
+					MaxExpirationSeconds: ptr.To[int32](86400),
+					PKIXPublicKey:        pubPKIX1,
+					ProofOfPossession:    proof1,
+				},
+				Status: capi.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:               capi.PodCertificateRequestConditionTypeIssued,
+							Status:             metav1.ConditionTrue,
+							Reason:             "Whatever",
+							Message:            "Foo message",
+							LastTransitionTime: metav1.NewTime(time.Now()),
+						},
+					},
+					CertificateChain: certWithBadEmailAddress,
+					NotBefore:        ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T00:00:00Z"))),
+					BeginRefreshAt:   ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-01T12:00:00Z"))),
+					NotAfter:         ptr.To(metav1.NewTime(mustParseTime(t, "1970-01-02T00:00:00Z"))),
+				},
+			},
+			wantErrors: field.ErrorList{
+				field.Invalid(field.NewPath("status", "certificateChain"), "email@@address", "leaf certificate should not contain invalid EmailAddress"),
+			},
+		},
 	}
 
 	for _, tc := range testCases {
@@ -4114,7 +4483,7 @@ func mustMakeRSAKeyAndProof(t *testing.T, modulusSize int, toBeSigned []byte) (*
 	return priv, &priv.PublicKey, pubPKIX, sig
 }
 
-func mustSignCertForPublicKey(t *testing.T, validity time.Duration, subjectPublicKey crypto.PublicKey, caCertDER []byte, caPrivateKey crypto.PrivateKey) string {
+func mustSignCertForPublicKey(t *testing.T, validity time.Duration, subjectPublicKey crypto.PublicKey, caCertDER []byte, caPrivateKey crypto.PrivateKey, usebadDNSName bool, badDNSName, badEmailAddress string) string {
 	certTemplate := &x509.Certificate{
 		Subject: pkix.Name{
 			CommonName: "foo",
@@ -4124,6 +4493,12 @@ func mustSignCertForPublicKey(t *testing.T, validity time.Duration, subjectPubli
 		NotBefore:   mustParseTime(t, "1970-01-01T00:00:00Z"),
 		NotAfter:    mustParseTime(t, "1970-01-01T00:00:00Z").Add(validity),
 	}
+	if usebadDNSName {
+		certTemplate.DNSNames = append(certTemplate.DNSNames, badDNSName)
+	}
+	if badEmailAddress != "" {
+		certTemplate.EmailAddresses = append(certTemplate.EmailAddresses, badEmailAddress)
+	}
 
 	caCert, err := x509.ParseCertificate(caCertDER)
 	if err != nil {
diff --git a/pkg/apis/certificates/zz_generated.deepcopy.go b/pkg/apis/certificates/zz_generated.deepcopy.go
index 87927df41b1a2..9a526c246c6bb 100644
--- a/pkg/apis/certificates/zz_generated.deepcopy.go
+++ b/pkg/apis/certificates/zz_generated.deepcopy.go
@@ -359,6 +359,13 @@ func (in *PodCertificateRequestSpec) DeepCopyInto(out *PodCertificateRequestSpec
 		*out = make([]byte, len(*in))
 		copy(*out, *in)
 	}
+	if in.UnverifiedUserAnnotations != nil {
+		in, out := &in.UnverifiedUserAnnotations, &out.UnverifiedUserAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }
 
diff --git a/pkg/apis/core/types.go b/pkg/apis/core/types.go
index f62c07024b6f0..1de0cf4495ca4 100644
--- a/pkg/apis/core/types.go
+++ b/pkg/apis/core/types.go
@@ -398,6 +398,7 @@ type PersistentVolumeSpec struct {
 	VolumeMode *PersistentVolumeMode
 	// NodeAffinity defines constraints that limit what nodes this volume can be accessed from.
 	// This field influences the scheduling of pods that use this volume.
+	// This field is mutable if MutablePVNodeAffinity feature gate is enabled.
 	// +optional
 	NodeAffinity *VolumeNodeAffinity
 	// Name of VolumeAttributesClass to which this persistent volume belongs. Empty value
@@ -724,9 +725,6 @@ type PersistentVolumeClaimStatus struct {
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
-	//
-	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-	// +featureGate=RecoverVolumeExpansionFailure
 	// +optional
 	AllocatedResources ResourceList
 	// AllocatedResourceStatuses stores status of resource being resized for the given PVC.
@@ -762,9 +760,6 @@ type PersistentVolumeClaimStatus struct {
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
-	//
-	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-	// +featureGate=RecoverVolumeExpansionFailure
 	// +mapType=granular
 	// +optional
 	AllocatedResourceStatuses map[ResourceName]ClaimResourceStatus
@@ -1904,6 +1899,21 @@ type PodCertificateProjection struct {
 
 	// Write the certificate chain at this path in the projected volume.
 	CertificateChainPath string
+
+	// userAnnotations allow pod authors to pass additional information to
+	// the signer implementation.  Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+	// the PodCertificateRequest objects that Kubelet creates.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support. Signers should
+	// deny requests that contain keys they do not recognize.
+	UserAnnotations map[string]string
 }
 
 // ProjectedVolumeSource represents a projected volume source
@@ -2153,8 +2163,6 @@ type VolumeMount struct {
 	// None (or be unspecified, which defaults to None).
 	//
 	// If this field is not specified, it is treated as an equivalent of Disabled.
-	//
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnly *RecursiveReadOnlyMode
 	// Required. If the path is not an absolute path (e.g. some/path) it
@@ -2647,6 +2655,7 @@ type Container struct {
 	// +optional
 	Resources ResourceRequirements
 	// Resources resize policy for the container.
+	// This field cannot be set on ephemeral containers.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	ResizePolicy []ContainerResizePolicy
@@ -2670,7 +2679,6 @@ type Container struct {
 	// container. Instead, the next init container starts immediately after this
 	// init container is started, or after any startupProbe has successfully
 	// completed.
-	// +featureGate=SidecarContainers
 	// +optional
 	RestartPolicy *ContainerRestartPolicy
 	// Represents a list of rules to be checked to determine if the
@@ -2758,7 +2766,6 @@ type LifecycleHandler struct {
 	// +optional
 	TCPSocket *TCPSocketAction
 	// Sleep represents the duration that the container should sleep before being terminated.
-	// +featureGate=PodLifecycleSleepAction
 	// +optional
 	Sleep *SleepAction
 }
@@ -3000,7 +3007,6 @@ type ContainerStatus struct {
 	// Status of volume mounts.
 	// +listType=atomic
 	// +optional
-	// +featureGate=RecursiveReadOnlyMounts
 	VolumeMounts []VolumeMountStatus
 	// User represents user identity information initially attached to the first process of the container
 	// +featureGate=SupplementalGroupsPolicy
@@ -3148,6 +3154,8 @@ const (
 	// If both PodResizePending and PodResizeInProgress are set, it means that a new resize was
 	// requested in the middle of a previous pod resize that is still in progress.
 	PodResizeInProgress PodConditionType = "PodResizeInProgress"
+	// AllContainersRestarting indicates that all containers of the pod is being restarted.
+	AllContainersRestarting PodConditionType = "AllContainersRestarting"
 )
 
 // PodCondition represents pod's condition
@@ -3191,7 +3199,6 @@ type VolumeMountStatus struct {
 	// RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts).
 	// An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled,
 	// depending on the mount result.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnly *RecursiveReadOnlyMode
 }
@@ -3236,9 +3243,15 @@ type ContainerRestartRule struct {
 // container exits.
 type ContainerRestartRuleAction string
 
-// The only valid action is Restart.
+// These are valid restart rule actions.
 const (
+	// The container will be restarted if the rule matches. Only valid on normal init container and
+	// regular containers. Not valid on sidecar containers and ephemeral containers.
 	ContainerRestartRuleActionRestart ContainerRestartRuleAction = "Restart"
+	// All containers (except ephemeral containers) inside the pod will be terminated and restarted.
+	// Valid on normal init container, sidecar containers, and regular containers. Not valid on
+	// ephemeral containers.
+	ContainerRestartRuleActionRestartAllContainers ContainerRestartRuleAction = "RestartAllContainers"
 )
 
 // ContainerRestartRuleOnExitCodes describes the condition
@@ -3616,9 +3629,10 @@ type Toleration struct {
 	// +optional
 	Key string
 	// Operator represents a key's relationship to the value.
-	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
 	// Exists is equivalent to wildcard for value, so that a pod can
 	// tolerate all taints of a particular category.
+	// Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
 	// +optional
 	Operator TolerationOperator
 	// Value is the taint value the toleration matches to.
@@ -3644,6 +3658,8 @@ type TolerationOperator string
 const (
 	TolerationOpExists TolerationOperator = "Exists"
 	TolerationOpEqual  TolerationOperator = "Equal"
+	TolerationOpLt     TolerationOperator = "Lt"
+	TolerationOpGt     TolerationOperator = "Gt"
 )
 
 // PodReadinessGate contains the reference to a pod condition
@@ -3847,8 +3863,8 @@ type PodSpec struct {
 	// will be made available to those containers which consume them
 	// by name.
 	//
-	// This is an alpha field and requires enabling the
-	// DynamicResourceAllocation feature gate.
+	// This is a stable field but requires that the
+	// DynamicResourceAllocation feature gate is enabled.
 	//
 	// This field is immutable.
 	//
@@ -3883,6 +3899,17 @@ type PodSpec struct {
 	// +featureGate=HostnameOverride
 	// +optional
 	HostnameOverride *string
+	// WorkloadRef provides a reference to the Workload object that this Pod belongs to.
+	// This field is used by the scheduler to identify the PodGroup and apply the
+	// correct group scheduling policies. The Workload object referenced
+	// by this field may not exist at the time the Pod is created.
+	// This field is immutable, but a Workload object with the same name
+	// may be recreated with different policies. Doing this during pod scheduling
+	// may result in the placement not conforming to the expected policies.
+	//
+	// +featureGate=GenericWorkload
+	// +optional
+	WorkloadRef *WorkloadReference
 }
 
 // PodResourceClaim references exactly one ResourceClaim through a ClaimSource.
@@ -3981,6 +4008,36 @@ type PodSchedulingGate struct {
 	Name string
 }
 
+// WorkloadReference identifies the Workload object and PodGroup membership
+// that a Pod belongs to. The scheduler uses this information to apply
+// workload-aware scheduling semantics.
+type WorkloadReference struct {
+	// Name defines the name of the Workload object this Pod belongs to.
+	// Workload must be in the same namespace as the Pod.
+	// If it doesn't match any existing Workload, the Pod will remain unschedulable
+	// until a Workload object is created and observed by the kube-scheduler.
+	// It must be a DNS subdomain.
+	//
+	// +required
+	Name string
+
+	// PodGroup is the name of the PodGroup within the Workload that this Pod
+	// belongs to. If it doesn't match any existing PodGroup within the Workload,
+	// the Pod will remain unschedulable until the Workload object is recreated
+	// and observed by the kube-scheduler. It must be a DNS label.
+	//
+	// +required
+	PodGroup string
+
+	// PodGroupReplicaKey specifies the replica key of the PodGroup to which this
+	// Pod belongs. It is used to distinguish pods belonging to different replicas
+	// of the same pod group. The pod group policy is applied separately to each replica.
+	// When set, it must be a DNS label.
+	//
+	// +optional
+	PodGroupReplicaKey string
+}
+
 // HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
 // pod's hosts file.
 type HostAlias struct {
@@ -4372,7 +4429,6 @@ type EphemeralContainerCommon struct {
 	// Restart policy for the container to manage the restart behavior of each
 	// container within a pod. Must be specified if restartPolicyRules are used.
 	// You cannot set this field on ephemeral containers.
-	// +featureGate=SidecarContainers
 	// +optional
 	RestartPolicy *ContainerRestartPolicy
 	// Represents a list of rules to be checked to determine if the
@@ -4461,7 +4517,7 @@ type EphemeralContainer struct {
 // state of a system.
 type PodStatus struct {
 	// If set, this represents the .metadata.generation that the pod status was set based upon.
-	// This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.
+	// The PodObservedGenerationTracking feature gate must be enabled to use this field.
 	// +featureGate=PodObservedGenerationTracking
 	// +optional
 	ObservedGeneration int64
@@ -4562,6 +4618,19 @@ type PodStatus struct {
 	// +featureGate=DRAExtendedResource
 	// +optional
 	ExtendedResourceClaimStatus *PodExtendedResourceClaimStatus
+
+	// AllocatedResources is the total requests allocated for this pod by the node.
+	// If pod-level requests are not set, this will be the total requests aggregated
+	// across containers in the pod.
+	// +featureGate=InPlacePodLevelResourcesVerticalScaling
+	// +optional
+	AllocatedResources ResourceList
+
+	// Resources represents the compute resource requests and limits that have been
+	// applied at the pod level
+	// +featureGate=InPlacePodLevelResourcesVerticalScaling
+	// +optional
+	Resources *ResourceRequirements
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -4851,27 +4920,25 @@ const (
 
 // These are valid values for the TrafficDistribution field of a Service.
 const (
-	// Indicates a preference for routing traffic to endpoints that are in the same
-	// zone as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same zone"
-	// preference will not result in endpoints getting overloaded.
-	ServiceTrafficDistributionPreferClose = "PreferClose"
-
-	// Indicates a preference for routing traffic to endpoints that are in the same
-	// zone as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same zone"
-	// preference will not result in endpoints getting overloaded.
-	// This is an alias for "PreferClose", but it is an Alpha feature and is only
-	// recognized if the PreferSameTrafficDistribution feature gate is enabled.
+	// ServiceTrafficDistributionPreferSameZone indicates a preference for routing
+	// traffic to endpoints that are in the same zone as the client. Users should only
+	// set this value if they have ensured that clients and endpoints are distributed
+	// in such a way that the "same zone" preference will not result in endpoints
+	// getting overloaded.
 	ServiceTrafficDistributionPreferSameZone = "PreferSameZone"
 
-	// Indicates a preference for routing traffic to endpoints that are on the same
-	// node as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same node"
-	// preference will not result in endpoints getting overloaded.
-	// This is an Alpha feature and is only recognized if the
-	// PreferSameTrafficDistribution feature gate is enabled.
+	// ServiceTrafficDistributionPreferSameNode indicates a preference for routing
+	// traffic to endpoints that are on the same node as the client. Users should only
+	// set this value if they have ensured that clients and endpoints are distributed
+	// in such a way that the "same node" preference will not result in endpoints
+	// getting overloaded.
 	ServiceTrafficDistributionPreferSameNode = "PreferSameNode"
+
+	// ServiceTrafficDistributionPreferClose is the original name of "PreferSameZone".
+	// Despite the generic-sounding name, it has exactly the same meaning as
+	// "PreferSameZone".
+	// Deprecated: use "PreferSameZone" instead.
+	ServiceTrafficDistributionPreferClose = "PreferClose"
 )
 
 // These are the valid conditions of a service.
@@ -5439,7 +5506,6 @@ type NodeDaemonEndpoints struct {
 // NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler.
 type NodeRuntimeHandlerFeatures struct {
 	// RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnlyMounts *bool
 	// UserNamespaces is set to true if the runtime handler supports UserNamespaces, including for volumes.
@@ -5588,7 +5654,6 @@ type NodeStatus struct {
 	// +optional
 	Config *NodeConfigStatus
 	// The available runtime handlers.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +featureGate=UserNamespacesSupport
 	// +optional
 	RuntimeHandlers []NodeRuntimeHandler
@@ -5596,6 +5661,10 @@ type NodeStatus struct {
 	// +featureGate=SupplementalGroupsPolicy
 	// +optional
 	Features *NodeFeatures
+	// DeclaredFeatures represents the declared features of a node.
+	// +featureGate=NodeDeclaredFeatures
+	// +optional
+	DeclaredFeatures []string
 }
 
 // UniqueVolumeName defines the name of attached volume
diff --git a/pkg/apis/core/v1/defaults.go b/pkg/apis/core/v1/defaults.go
index 74dbc832d4ab3..a6b5e551bb89e 100644
--- a/pkg/apis/core/v1/defaults.go
+++ b/pkg/apis/core/v1/defaults.go
@@ -152,13 +152,10 @@ func SetDefaults_Service(obj *v1.Service) {
 	}
 
 	if obj.Spec.Type == v1.ServiceTypeLoadBalancer {
-		if utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) {
-			ipMode := v1.LoadBalancerIPModeVIP
-
-			for i, ing := range obj.Status.LoadBalancer.Ingress {
-				if ing.IP != "" && ing.IPMode == nil {
-					obj.Status.LoadBalancer.Ingress[i].IPMode = &ipMode
-				}
+		ipMode := v1.LoadBalancerIPModeVIP
+		for i, ing := range obj.Status.LoadBalancer.Ingress {
+			if ing.IP != "" && ing.IPMode == nil {
+				obj.Status.LoadBalancer.Ingress[i].IPMode = &ipMode
 			}
 		}
 	}
diff --git a/pkg/apis/core/v1/defaults_test.go b/pkg/apis/core/v1/defaults_test.go
index 9f070a49650c6..dc0a0baccc515 100644
--- a/pkg/apis/core/v1/defaults_test.go
+++ b/pkg/apis/core/v1/defaults_test.go
@@ -31,7 +31,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -49,12 +48,7 @@ func TestWorkloadDefaults(t *testing.T) {
 	t.Run("disabled_features", func(t *testing.T) { testWorkloadDefaults(t, false) })
 }
 func testWorkloadDefaults(t *testing.T, featuresEnabled bool) {
-	allFeatures := utilfeature.DefaultFeatureGate.DeepCopy().GetAll()
-	for feature, featureSpec := range allFeatures {
-		if !featureSpec.LockToDefault {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, feature, featuresEnabled)
-		}
-	}
+	setAllFeatures(t, featuresEnabled)
 	// New defaults under PodTemplateSpec are only acceptable if they would not be applied when reading data from a previous release.
 	// Forbidden: adding a new field `MyField *bool` and defaulting it to a non-nil value
 	// Forbidden: defaulting an existing field `MyField *bool` when it was previously not defaulted
@@ -240,12 +234,7 @@ func TestPodDefaults(t *testing.T) {
 	t.Run("disabled_features", func(t *testing.T) { testPodDefaults(t, false) })
 }
 func testPodDefaults(t *testing.T, featuresEnabled bool) {
-	features := utilfeature.DefaultFeatureGate.DeepCopy().GetAll()
-	for feature, featureSpec := range features {
-		if !featureSpec.LockToDefault {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, feature, featuresEnabled)
-		}
-	}
+	setAllFeatures(t, featuresEnabled)
 	pod := &v1.Pod{}
 	// New defaults under PodSpec are only acceptable if they would not be applied when reading data from a previous release.
 	// Forbidden: adding a new field `MyField *bool` and defaulting it to a non-nil value
@@ -2447,26 +2436,11 @@ func TestSetDefaultServiceLoadbalancerIPMode(t *testing.T) {
 	modeProxy := v1.LoadBalancerIPModeProxy
 	testCases := []struct {
 		name           string
-		ipModeEnabled  bool
 		svc            *v1.Service
 		expectedIPMode []*v1.LoadBalancerIPMode
 	}{
 		{
-			name:          "Set IP but not set IPMode with LoadbalancerIPMode disabled",
-			ipModeEnabled: false,
-			svc: &v1.Service{
-				Spec: v1.ServiceSpec{Type: v1.ServiceTypeLoadBalancer},
-				Status: v1.ServiceStatus{
-					LoadBalancer: v1.LoadBalancerStatus{
-						Ingress: []v1.LoadBalancerIngress{{
-							IP: "1.2.3.4",
-						}},
-					},
-				}},
-			expectedIPMode: []*v1.LoadBalancerIPMode{nil},
-		}, {
-			name:          "Set IP but bot set IPMode with LoadbalancerIPMode enabled",
-			ipModeEnabled: true,
+			name: "Set IP but not set IPMode",
 			svc: &v1.Service{
 				Spec: v1.ServiceSpec{Type: v1.ServiceTypeLoadBalancer},
 				Status: v1.ServiceStatus{
@@ -2478,8 +2452,7 @@ func TestSetDefaultServiceLoadbalancerIPMode(t *testing.T) {
 				}},
 			expectedIPMode: []*v1.LoadBalancerIPMode{&modeVIP},
 		}, {
-			name:          "Both IP and IPMode are set with LoadbalancerIPMode enabled",
-			ipModeEnabled: true,
+			name: "Both IP and IPMode are set",
 			svc: &v1.Service{
 				Spec: v1.ServiceSpec{Type: v1.ServiceTypeLoadBalancer},
 				Status: v1.ServiceStatus{
@@ -2496,10 +2469,6 @@ func TestSetDefaultServiceLoadbalancerIPMode(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if !tc.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, tc.ipModeEnabled)
 			obj := roundTrip(t, runtime.Object(tc.svc))
 			svc := obj.(*v1.Service)
 			for i, s := range svc.Status.LoadBalancer.Ingress {
@@ -3395,3 +3364,13 @@ func TestSetDefaults_PodLogOptions(t *testing.T) {
 		})
 	}
 }
+
+func setAllFeatures(t *testing.T, featuresEnabled bool) {
+	features := featuregatetesting.FeatureOverrides{}
+	for feature, featureSpec := range utilfeature.DefaultFeatureGate.DeepCopy().GetAll() {
+		if !featureSpec.LockToDefault {
+			features[feature] = featuresEnabled
+		}
+	}
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, features)
+}
diff --git a/pkg/apis/core/v1/helper/helpers.go b/pkg/apis/core/v1/helper/helpers.go
index 96accbd3f699f..87fc484c8eda7 100644
--- a/pkg/apis/core/v1/helper/helpers.go
+++ b/pkg/apis/core/v1/helper/helpers.go
@@ -18,6 +18,7 @@ package helper
 
 import (
 	"fmt"
+	"k8s.io/klog/v2"
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
@@ -25,7 +26,9 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/util/validation"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/apis/core/helper"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 // IsExtendedResourceName returns true if:
@@ -287,18 +290,19 @@ func AddOrUpdateTolerationInPodSpec(spec *v1.PodSpec, toleration *v1.Toleration)
 }
 
 // GetMatchingTolerations returns true and list of Tolerations matching all Taints if all are tolerated, or false otherwise.
-func GetMatchingTolerations(taints []v1.Taint, tolerations []v1.Toleration) (bool, []v1.Toleration) {
+func GetMatchingTolerations(logger klog.Logger, taints []v1.Taint, tolerations []v1.Toleration) (bool, []v1.Toleration) {
 	if len(taints) == 0 {
 		return true, []v1.Toleration{}
 	}
 	if len(tolerations) == 0 && len(taints) > 0 {
 		return false, []v1.Toleration{}
 	}
+	enableComparisonOperators := utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators)
 	result := []v1.Toleration{}
 	for i := range taints {
 		tolerated := false
 		for j := range tolerations {
-			if tolerations[j].ToleratesTaint(&taints[i]) {
+			if tolerations[j].ToleratesTaint(logger, &taints[i], enableComparisonOperators) {
 				result = append(result, tolerations[j])
 				tolerated = true
 				break
diff --git a/pkg/apis/core/v1/zz_generated.conversion.go b/pkg/apis/core/v1/zz_generated.conversion.go
index 6806244953a25..3770ea1916b7b 100644
--- a/pkg/apis/core/v1/zz_generated.conversion.go
+++ b/pkg/apis/core/v1/zz_generated.conversion.go
@@ -2337,6 +2337,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*corev1.WorkloadReference)(nil), (*core.WorkloadReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_WorkloadReference_To_core_WorkloadReference(a.(*corev1.WorkloadReference), b.(*core.WorkloadReference), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*core.WorkloadReference)(nil), (*corev1.WorkloadReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_core_WorkloadReference_To_v1_WorkloadReference(a.(*core.WorkloadReference), b.(*corev1.WorkloadReference), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*url.Values)(nil), (*corev1.NodeProxyOptions)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_url_Values_To_v1_NodeProxyOptions(a.(*url.Values), b.(*corev1.NodeProxyOptions), scope)
 	}); err != nil {
@@ -5559,6 +5569,7 @@ func autoConvert_v1_NodeStatus_To_core_NodeStatus(in *corev1.NodeStatus, out *co
 	out.Config = (*core.NodeConfigStatus)(unsafe.Pointer(in.Config))
 	out.RuntimeHandlers = *(*[]core.NodeRuntimeHandler)(unsafe.Pointer(&in.RuntimeHandlers))
 	out.Features = (*core.NodeFeatures)(unsafe.Pointer(in.Features))
+	out.DeclaredFeatures = *(*[]string)(unsafe.Pointer(&in.DeclaredFeatures))
 	return nil
 }
 
@@ -5585,6 +5596,7 @@ func autoConvert_core_NodeStatus_To_v1_NodeStatus(in *core.NodeStatus, out *core
 	out.Config = (*corev1.NodeConfigStatus)(unsafe.Pointer(in.Config))
 	out.RuntimeHandlers = *(*[]corev1.NodeRuntimeHandler)(unsafe.Pointer(&in.RuntimeHandlers))
 	out.Features = (*corev1.NodeFeatures)(unsafe.Pointer(in.Features))
+	out.DeclaredFeatures = *(*[]string)(unsafe.Pointer(&in.DeclaredFeatures))
 	return nil
 }
 
@@ -6306,6 +6318,7 @@ func autoConvert_v1_PodCertificateProjection_To_core_PodCertificateProjection(in
 	out.CredentialBundlePath = in.CredentialBundlePath
 	out.KeyPath = in.KeyPath
 	out.CertificateChainPath = in.CertificateChainPath
+	out.UserAnnotations = *(*map[string]string)(unsafe.Pointer(&in.UserAnnotations))
 	return nil
 }
 
@@ -6321,6 +6334,7 @@ func autoConvert_core_PodCertificateProjection_To_v1_PodCertificateProjection(in
 	out.CredentialBundlePath = in.CredentialBundlePath
 	out.KeyPath = in.KeyPath
 	out.CertificateChainPath = in.CertificateChainPath
+	out.UserAnnotations = *(*map[string]string)(unsafe.Pointer(&in.UserAnnotations))
 	return nil
 }
 
@@ -7002,6 +7016,7 @@ func autoConvert_v1_PodSpec_To_core_PodSpec(in *corev1.PodSpec, out *core.PodSpe
 	out.ResourceClaims = *(*[]core.PodResourceClaim)(unsafe.Pointer(&in.ResourceClaims))
 	out.Resources = (*core.ResourceRequirements)(unsafe.Pointer(in.Resources))
 	out.HostnameOverride = (*string)(unsafe.Pointer(in.HostnameOverride))
+	out.WorkloadRef = (*core.WorkloadReference)(unsafe.Pointer(in.WorkloadRef))
 	return nil
 }
 
@@ -7059,6 +7074,7 @@ func autoConvert_core_PodSpec_To_v1_PodSpec(in *core.PodSpec, out *corev1.PodSpe
 	out.ResourceClaims = *(*[]corev1.PodResourceClaim)(unsafe.Pointer(&in.ResourceClaims))
 	out.Resources = (*corev1.ResourceRequirements)(unsafe.Pointer(in.Resources))
 	out.HostnameOverride = (*string)(unsafe.Pointer(in.HostnameOverride))
+	out.WorkloadRef = (*corev1.WorkloadReference)(unsafe.Pointer(in.WorkloadRef))
 	return nil
 }
 
@@ -7081,6 +7097,8 @@ func autoConvert_v1_PodStatus_To_core_PodStatus(in *corev1.PodStatus, out *core.
 	out.Resize = core.PodResizeStatus(in.Resize)
 	out.ResourceClaimStatuses = *(*[]core.PodResourceClaimStatus)(unsafe.Pointer(&in.ResourceClaimStatuses))
 	out.ExtendedResourceClaimStatus = (*core.PodExtendedResourceClaimStatus)(unsafe.Pointer(in.ExtendedResourceClaimStatus))
+	out.AllocatedResources = *(*core.ResourceList)(unsafe.Pointer(&in.AllocatedResources))
+	out.Resources = (*core.ResourceRequirements)(unsafe.Pointer(in.Resources))
 	return nil
 }
 
@@ -7102,6 +7120,8 @@ func autoConvert_core_PodStatus_To_v1_PodStatus(in *core.PodStatus, out *corev1.
 	out.Resize = corev1.PodResizeStatus(in.Resize)
 	out.ResourceClaimStatuses = *(*[]corev1.PodResourceClaimStatus)(unsafe.Pointer(&in.ResourceClaimStatuses))
 	out.ExtendedResourceClaimStatus = (*corev1.PodExtendedResourceClaimStatus)(unsafe.Pointer(in.ExtendedResourceClaimStatus))
+	out.AllocatedResources = *(*corev1.ResourceList)(unsafe.Pointer(&in.AllocatedResources))
+	out.Resources = (*corev1.ResourceRequirements)(unsafe.Pointer(in.Resources))
 	return nil
 }
 
@@ -9358,3 +9378,27 @@ func autoConvert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContext
 func Convert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(in *core.WindowsSecurityContextOptions, out *corev1.WindowsSecurityContextOptions, s conversion.Scope) error {
 	return autoConvert_core_WindowsSecurityContextOptions_To_v1_WindowsSecurityContextOptions(in, out, s)
 }
+
+func autoConvert_v1_WorkloadReference_To_core_WorkloadReference(in *corev1.WorkloadReference, out *core.WorkloadReference, s conversion.Scope) error {
+	out.Name = in.Name
+	out.PodGroup = in.PodGroup
+	out.PodGroupReplicaKey = in.PodGroupReplicaKey
+	return nil
+}
+
+// Convert_v1_WorkloadReference_To_core_WorkloadReference is an autogenerated conversion function.
+func Convert_v1_WorkloadReference_To_core_WorkloadReference(in *corev1.WorkloadReference, out *core.WorkloadReference, s conversion.Scope) error {
+	return autoConvert_v1_WorkloadReference_To_core_WorkloadReference(in, out, s)
+}
+
+func autoConvert_core_WorkloadReference_To_v1_WorkloadReference(in *core.WorkloadReference, out *corev1.WorkloadReference, s conversion.Scope) error {
+	out.Name = in.Name
+	out.PodGroup = in.PodGroup
+	out.PodGroupReplicaKey = in.PodGroupReplicaKey
+	return nil
+}
+
+// Convert_core_WorkloadReference_To_v1_WorkloadReference is an autogenerated conversion function.
+func Convert_core_WorkloadReference_To_v1_WorkloadReference(in *core.WorkloadReference, out *corev1.WorkloadReference, s conversion.Scope) error {
+	return autoConvert_core_WorkloadReference_To_v1_WorkloadReference(in, out, s)
+}
diff --git a/pkg/apis/core/v1/zz_generated.defaults.go b/pkg/apis/core/v1/zz_generated.defaults.go
index 0156add916394..988066254a226 100644
--- a/pkg/apis/core/v1/zz_generated.defaults.go
+++ b/pkg/apis/core/v1/zz_generated.defaults.go
@@ -546,6 +546,11 @@ func SetObjectDefaults_Pod(in *corev1.Pod) {
 			SetDefaults_ResourceList(&a.Resources.Requests)
 		}
 	}
+	SetDefaults_ResourceList(&in.Status.AllocatedResources)
+	if in.Status.Resources != nil {
+		SetDefaults_ResourceList(&in.Status.Resources.Limits)
+		SetDefaults_ResourceList(&in.Status.Resources.Requests)
+	}
 }
 
 func SetObjectDefaults_PodList(in *corev1.PodList) {
@@ -584,6 +589,11 @@ func SetObjectDefaults_PodStatusResult(in *corev1.PodStatusResult) {
 			SetDefaults_ResourceList(&a.Resources.Requests)
 		}
 	}
+	SetDefaults_ResourceList(&in.Status.AllocatedResources)
+	if in.Status.Resources != nil {
+		SetDefaults_ResourceList(&in.Status.Resources.Limits)
+		SetDefaults_ResourceList(&in.Status.Resources.Requests)
+	}
 }
 
 func SetObjectDefaults_PodTemplate(in *corev1.PodTemplate) {
diff --git a/pkg/apis/core/v1/zz_generated.validations.go b/pkg/apis/core/v1/zz_generated.validations.go
index b7cb065edda70..7e39374b6b2c6 100644
--- a/pkg/apis/core/v1/zz_generated.validations.go
+++ b/pkg/apis/core/v1/zz_generated.validations.go
@@ -30,6 +30,7 @@ import (
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	field "k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -39,6 +40,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type ReplicationController
 	scheme.AddValidationFunc((*corev1.ReplicationController)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/", "/scale":
@@ -46,6 +48,7 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type ReplicationControllerList
 	scheme.AddValidationFunc((*corev1.ReplicationControllerList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -56,64 +59,105 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_ReplicationController validates an instance of ReplicationController according
+// to declarative validation rules in the API schema.
 func Validate_ReplicationController(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *corev1.ReplicationController) (errs field.ErrorList) {
 	// field corev1.ReplicationController.TypeMeta has no validation
-	// field corev1.ReplicationController.ObjectMeta has no validation
+
+	// field corev1.ReplicationController.ObjectMeta
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *metav1.ObjectMeta, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			func() { // cohort name
+				earlyReturn := false
+				if e := validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *metav1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.OptionalValue); len(e) != 0 {
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *metav1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.LongName)...)
+			}()
+			return
+		}(fldPath.Child("metadata"), &obj.ObjectMeta, safe.Field(oldObj, func(oldObj *corev1.ReplicationController) *metav1.ObjectMeta { return &oldObj.ObjectMeta }), oldObj != nil)...)
 
 	// field corev1.ReplicationController.Spec
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *corev1.ReplicationControllerSpec) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *corev1.ReplicationControllerSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ReplicationControllerSpec(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *corev1.ReplicationController) *corev1.ReplicationControllerSpec { return &oldObj.Spec }))...)
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *corev1.ReplicationController) *corev1.ReplicationControllerSpec { return &oldObj.Spec }), oldObj != nil)...)
 
 	// field corev1.ReplicationController.Status has no validation
 	return errs
 }
 
+// Validate_ReplicationControllerList validates an instance of ReplicationControllerList according
+// to declarative validation rules in the API schema.
 func Validate_ReplicationControllerList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *corev1.ReplicationControllerList) (errs field.ErrorList) {
 	// field corev1.ReplicationControllerList.TypeMeta has no validation
 	// field corev1.ReplicationControllerList.ListMeta has no validation
 
 	// field corev1.ReplicationControllerList.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []corev1.ReplicationController) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []corev1.ReplicationController, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ReplicationController)...)
 			return
-		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerList) []corev1.ReplicationController { return oldObj.Items }))...)
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerList) []corev1.ReplicationController { return oldObj.Items }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ReplicationControllerSpec validates an instance of ReplicationControllerSpec according
+// to declarative validation rules in the API schema.
 func Validate_ReplicationControllerSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *corev1.ReplicationControllerSpec) (errs field.ErrorList) {
 	// field corev1.ReplicationControllerSpec.Replicas
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("replicas"), obj.Replicas, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerSpec) *int32 { return oldObj.Replicas }))...)
+		}(fldPath.Child("replicas"), obj.Replicas, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerSpec) *int32 { return oldObj.Replicas }), oldObj != nil)...)
 
 	// field corev1.ReplicationControllerSpec.MinReadySeconds
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("minReadySeconds"), &obj.MinReadySeconds, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerSpec) *int32 { return &oldObj.MinReadySeconds }))...)
+		}(fldPath.Child("minReadySeconds"), &obj.MinReadySeconds, safe.Field(oldObj, func(oldObj *corev1.ReplicationControllerSpec) *int32 { return &oldObj.MinReadySeconds }), oldObj != nil)...)
 
 	// field corev1.ReplicationControllerSpec.Selector has no validation
 	// field corev1.ReplicationControllerSpec.Template has no validation
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index 9f1ec62259d39..fbb62132d630d 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -17,6 +17,7 @@ limitations under the License.
 package validation
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"math"
@@ -26,6 +27,7 @@ import (
 	"reflect"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 	"sync"
 	"unicode"
@@ -35,7 +37,10 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/api/validate"
+	"k8s.io/apimachinery/pkg/api/validate/content"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
@@ -77,6 +82,10 @@ var fileModeErrorMsg = "must be a number between 0 and 0777 (octal), both inclus
 // BannedOwners is a black list of object that are not allowed to be owners.
 var BannedOwners = apimachineryvalidation.BannedOwners
 
+// nodeDeclaredFeatureRegexp defines the allowed format for feature names.
+// The first segment must be in UpperCamelCase. Subsequent segments (separated by '/')
+// can be in either UpperCamelCase or lowerCamelCase.
+var nodeDeclaredFeatureRegexp = regexp.MustCompile(`^[A-Z][a-zA-Z0-9]*(\/[a-zA-Z][a-zA-Z0-9]*)*$`)
 var iscsiInitiatorIqnRegex = regexp.MustCompile(`iqn\.\d{4}-\d{2}\.([[:alnum:]-.]+)(:[^,;*&$|\s]+)$`)
 var iscsiInitiatorEuiRegex = regexp.MustCompile(`^eui.[[:alnum:]]{16}$`)
 var iscsiInitiatorNaaRegex = regexp.MustCompile(`^naa.[[:alnum:]]{32}$`)
@@ -133,10 +142,23 @@ func ValidateAnnotations(annotations map[string]string, fldPath *field.Path) fie
 	return apimachineryvalidation.ValidateAnnotations(annotations, fldPath)
 }
 
+// ValidateUserAnnotations validates that the UserAnnotations are correctly defined.
+func ValidateUserAnnotations(userAnnotations map[string]string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	for k := range userAnnotations {
+		// The case doesn't matter, so convert to lowercase before checking.
+		allErrs = append(allErrs, validation.IsDomainPrefixedKey(fldPath, strings.ToLower(k))...)
+	}
+	if err := apimachineryvalidation.ValidateAnnotationsSize(userAnnotations); err != nil {
+		allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, apimachineryvalidation.TotalAnnotationSizeLimitB))
+	}
+	return allErrs
+}
+
 func ValidateDNS1123Label(value string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, msg := range validation.IsDNS1123Label(value) {
-		allErrs = append(allErrs, field.Invalid(fldPath, value, msg).WithOrigin("format=dns-label"))
+		allErrs = append(allErrs, field.Invalid(fldPath, value, msg).WithOrigin("format=k8s-short-name"))
 	}
 	return allErrs
 }
@@ -154,7 +176,7 @@ func ValidateQualifiedName(value string, fldPath *field.Path) field.ErrorList {
 func ValidateDNS1123SubdomainWithUnderScore(value string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, msg := range validation.IsDNS1123SubdomainWithUnderscore(value) {
-		allErrs = append(allErrs, field.Invalid(fldPath, value, msg))
+		allErrs = append(allErrs, field.Invalid(fldPath, value, msg)).WithOrigin("format=k8s-dns-subdomain-with-underscore")
 	}
 	return allErrs
 }
@@ -163,7 +185,7 @@ func ValidateDNS1123SubdomainWithUnderScore(value string, fldPath *field.Path) f
 func ValidateDNS1123Subdomain(value string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, msg := range validation.IsDNS1123Subdomain(value) {
-		allErrs = append(allErrs, field.Invalid(fldPath, value, msg))
+		allErrs = append(allErrs, field.Invalid(fldPath, value, msg)).WithOrigin("format=k8s-long-name")
 	}
 	return allErrs
 }
@@ -178,7 +200,7 @@ func ValidatePodSpecificAnnotations(annotations map[string]string, spec *core.Po
 	}
 
 	if annotations[core.TolerationsAnnotationKey] != "" {
-		allErrs = append(allErrs, ValidateTolerationsInPodAnnotations(annotations, fldPath)...)
+		allErrs = append(allErrs, ValidateTolerationsInPodAnnotations(annotations, fldPath, opts)...)
 	}
 
 	if !opts.AllowInvalidPodDeletionCost {
@@ -194,7 +216,7 @@ func ValidatePodSpecificAnnotations(annotations map[string]string, spec *core.Po
 }
 
 // ValidateTolerationsInPodAnnotations tests that the serialized tolerations in Pod.Annotations has valid data
-func ValidateTolerationsInPodAnnotations(annotations map[string]string, fldPath *field.Path) field.ErrorList {
+func ValidateTolerationsInPodAnnotations(annotations map[string]string, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	tolerations, err := helper.GetTolerationsFromPodAnnotations(annotations)
@@ -204,7 +226,7 @@ func ValidateTolerationsInPodAnnotations(annotations map[string]string, fldPath
 	}
 
 	if len(tolerations) > 0 {
-		allErrs = append(allErrs, ValidateTolerations(tolerations, fldPath.Child(core.TolerationsAnnotationKey))...)
+		allErrs = append(allErrs, ValidateTolerations(tolerations, fldPath.Child(core.TolerationsAnnotationKey), opts)...)
 	}
 
 	return allErrs
@@ -253,17 +275,15 @@ func ValidateEndpointsSpecificAnnotations(annotations map[string]string, fldPath
 // value that were not valid.  Otherwise this returns an empty list or nil.
 type ValidateNameFunc apimachineryvalidation.ValidateNameFunc
 
+// ValidateNameFuncWithErrors validates that the provided name is valid for a
+// given resource type.
+type ValidateNameFuncWithErrors = apimachineryvalidation.ValidateNameFuncWithErrors
+
 // ValidatePodName can be used to check whether the given pod name is valid.
 // Prefix indicates this name will be used as part of generation, in which case
 // trailing dashes are allowed.
 var ValidatePodName = apimachineryvalidation.NameIsDNSSubdomain
 
-// ValidateReplicationControllerName can be used to check whether the given replication
-// controller name is valid.
-// Prefix indicates this name will be used as part of generation, in which case
-// trailing dashes are allowed.
-var ValidateReplicationControllerName = apimachineryvalidation.NameIsDNSSubdomain
-
 // ValidateServiceName can be used to check whether the given service name is valid.
 // Prefix indicates this name will be used as part of generation, in which case
 // trailing dashes are allowed.
@@ -322,6 +342,18 @@ var ValidateResourceClaimName = apimachineryvalidation.NameIsDNSSubdomain
 // name for a ResourceClaimTemplate is valid.
 var ValidateResourceClaimTemplateName = apimachineryvalidation.NameIsDNSSubdomain
 
+// ValidateWorkloadName can be used to check whether the given
+// name for a Workload is valid.
+var ValidateWorkloadName = apimachineryvalidation.NameIsDNSSubdomain
+
+// ValidatePodGroupName can be used to check whether the given
+// name for a PodGroup is valid.
+var ValidatePodGroupName = apimachineryvalidation.NameIsDNSLabel
+
+// ValidatePodGroupReplicaKey can be used to check whether the given
+// PodGroupReplicaKey is valid.
+var ValidatePodGroupReplicaKey = apimachineryvalidation.NameIsDNSLabel
+
 // ValidateRuntimeClassName can be used to check whether the given RuntimeClass name is valid.
 // Prefix indicates this name will be used as part of generation, in which case
 // trailing dashes are allowed.
@@ -384,9 +416,19 @@ func ValidateImmutableAnnotation(newVal string, oldVal string, annotation string
 	return allErrs
 }
 
+// ValidateObjectMetaWithOpts validates an object's metadata on creation. It expects that name generation has already
+// been performed.
+func ValidateObjectMetaWithOpts(meta *metav1.ObjectMeta, isNamespaced bool, nameFn ValidateNameFuncWithErrors, fldPath *field.Path) field.ErrorList {
+	allErrs := apimachineryvalidation.ValidateObjectMetaWithOpts(meta, isNamespaced, nameFn, fldPath)
+	// run additional checks for the finalizer name
+	for i := range meta.Finalizers {
+		allErrs = append(allErrs, validateKubeFinalizerName(string(meta.Finalizers[i]), fldPath.Child("finalizers").Index(i))...)
+	}
+	return allErrs
+}
+
 // ValidateObjectMeta validates an object's metadata on creation. It expects that name generation has already
 // been performed.
-// It doesn't return an error for rootscoped resources with namespace, because namespace should already be cleared before.
 // TODO: Remove calls to this method scattered in validations of specific resources, e.g., ValidatePodUpdate.
 func ValidateObjectMeta(meta *metav1.ObjectMeta, requiresNamespace bool, nameFn ValidateNameFunc, fldPath *field.Path) field.ErrorList {
 	allErrs := apimachineryvalidation.ValidateObjectMeta(meta, requiresNamespace, apimachineryvalidation.ValidateNameFunc(nameFn), fldPath)
@@ -1255,6 +1297,11 @@ func validateProjectionSources(projection *core.ProjectedVolumeSource, projectio
 
 			allErrs = append(allErrs, ValidateSignerName(projPath.Child("signerName"), source.PodCertificate.SignerName)...)
 
+			if source.PodCertificate.UserAnnotations != nil {
+				userAnnotationsErrors := ValidateUserAnnotations(source.PodCertificate.UserAnnotations, projPath.Child("userAnnotations"))
+				allErrs = append(allErrs, userAnnotationsErrors...)
+			}
+
 			switch source.PodCertificate.KeyType {
 			case "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", "ECDSAP521", "ED25519":
 				// ok
@@ -1753,19 +1800,46 @@ func validatePVSecretReference(secretRef *core.SecretReference, fldPath *field.P
 	return allErrs
 }
 
-func ValidateCSIDriverName(driverName string, fldPath *field.Path) field.ErrorList {
+// ValidateCSIDriverNameOption is an option for ValidateCSIDriverName.
+// These options are for marking if a validation error message is covered
+// by declarative validation
+type ValidateCSIDriverNameOption int
+
+const (
+	// The required check is covered by declarative validation
+	RequiredCovered ValidateCSIDriverNameOption = iota
+	// The list size check is covered by declarative validation.
+	SizeCovered
+	// The format check is covered by declarative validation.
+	FormatCovered
+)
+
+func ValidateCSIDriverName(driverName string, fldPath *field.Path, opts ...ValidateCSIDriverNameOption) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	if len(driverName) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath, ""))
+		err := field.Required(fldPath, "")
+		if slices.Contains(opts, RequiredCovered) {
+			err = err.MarkCoveredByDeclarative()
+		}
+		allErrs = append(allErrs, err)
+		return allErrs
 	}
 
 	if len(driverName) > 63 {
-		allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, 63))
+		err := field.TooLong(fldPath, "" /*unused*/, 63)
+		if slices.Contains(opts, SizeCovered) {
+			err = err.MarkCoveredByDeclarative()
+		}
+		allErrs = append(allErrs, err)
 	}
 
 	for _, msg := range validation.IsDNS1123Subdomain(strings.ToLower(driverName)) {
-		allErrs = append(allErrs, field.Invalid(fldPath, driverName, msg))
+		err := field.Invalid(fldPath, driverName, msg)
+		if slices.Contains(opts, FormatCovered) {
+			err = err.WithOrigin("format=k8s-long-name-caseless").MarkCoveredByDeclarative()
+		}
+		allErrs = append(allErrs, err)
 	}
 
 	return allErrs
@@ -2212,7 +2286,8 @@ func ValidatePersistentVolumeUpdate(newPv, oldPv *core.PersistentVolume, opts Pe
 	allErrs = append(allErrs, ValidateImmutableField(newPv.Spec.VolumeMode, oldPv.Spec.VolumeMode, field.NewPath("volumeMode"))...)
 
 	// Allow setting NodeAffinity if oldPv NodeAffinity was not set
-	if oldPv.Spec.NodeAffinity != nil {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.MutablePVNodeAffinity) &&
+		oldPv.Spec.NodeAffinity != nil {
 		allErrs = append(allErrs, validatePvNodeAffinity(newPv.Spec.NodeAffinity, oldPv.Spec.NodeAffinity, field.NewPath("nodeAffinity"))...)
 	}
 
@@ -3243,17 +3318,21 @@ func validateInitContainerRestartPolicy(restartPolicy *core.ContainerRestartPoli
 	var allErrors field.ErrorList
 
 	if restartPolicy == nil {
+		if len(restartRules) > 0 {
+			allErrors = append(allErrors, field.Required(fldPath.Child("restartPolicy"), "must specify restartPolicy when restart rules are used"))
+		}
 		return allErrors
 	}
 	if opts.AllowContainerRestartPolicyRules {
 		switch *restartPolicy {
 		case core.ContainerRestartPolicyAlways:
-			// Sidecar containers should not have restart policy rules
-			if len(restartRules) > 0 {
+			if opts.AllowRestartAllContainers {
+				allErrors = append(allErrors, validateContainerRestartPolicy(restartPolicy, restartRules, fldPath, opts)...)
+			} else if len(restartRules) > 0 {
 				allErrors = append(allErrors, field.Forbidden(fldPath.Child("restartPolicyRules"), "restartPolicyRules are not allowed for init containers with restart policy Always"))
 			}
 		default:
-			allErrors = append(allErrors, validateContainerRestartPolicy(restartPolicy, restartRules, fldPath)...)
+			allErrors = append(allErrors, validateContainerRestartPolicy(restartPolicy, restartRules, fldPath, opts)...)
 		}
 	} else {
 		switch *restartPolicy {
@@ -3591,9 +3670,17 @@ var supportedContainerRestartPolicyOperators = sets.New(
 	core.ContainerRestartRuleOnExitCodesOpNotIn,
 )
 
+// Supported actions depend on whether corresponding feature gates are enabled.
+var (
+	// Without AllowRestartAllContainers
+	supportedContainerRestartRuleActions = sets.New(core.ContainerRestartRuleActionRestart)
+	// With AllowRestartAllContainers
+	supportedContainerRestartRuleActionsWithRestartAllContainers = sets.New(core.ContainerRestartRuleActionRestart, core.ContainerRestartRuleActionRestartAllContainers)
+)
+
 // validateContainerRestartPolicy checks the container-level restartPolicy and restartPolicyRules are valid for
-// regular containers and non-sidecar init containers.
-func validateContainerRestartPolicy(policy *core.ContainerRestartPolicy, rules []core.ContainerRestartRule, fldPath *field.Path) field.ErrorList {
+// regular containers, init containers, and sidecar containers.
+func validateContainerRestartPolicy(policy *core.ContainerRestartPolicy, rules []core.ContainerRestartRule, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
 	var allErrs field.ErrorList
 	restartPolicyFld := fldPath.Child("restartPolicy")
 	if policy == nil {
@@ -3611,10 +3698,12 @@ func validateContainerRestartPolicy(policy *core.ContainerRestartPolicy, rules [
 	}
 	for i, rule := range rules {
 		policyRulesFld := fldPath.Child("restartPolicyRules").Index(i)
-
-		if rule.Action != core.ContainerRestartRuleActionRestart {
-			validActions := []core.ContainerRestartRuleAction{core.ContainerRestartRuleActionRestart}
-			allErrs = append(allErrs, field.NotSupported(policyRulesFld.Child("action"), rule.Action, validActions))
+		allowedActions := supportedContainerRestartRuleActions
+		if opts.AllowRestartAllContainers {
+			allowedActions = supportedContainerRestartRuleActionsWithRestartAllContainers
+		}
+		if !allowedActions.Has(rule.Action) {
+			allErrs = append(allErrs, field.NotSupported(policyRulesFld.Child("action"), rule.Action, sets.List(supportedContainerRestartRuleActions)))
 		}
 
 		if rule.ExitCodes != nil {
@@ -3733,8 +3822,8 @@ func validateInitContainers(containers []core.Container, os *core.PodOS, regular
 
 		restartAlways := false
 		// Apply the validation specific to init containers
+		allErrs = append(allErrs, validateInitContainerRestartPolicy(ctr.RestartPolicy, ctr.RestartPolicyRules, idxPath, opts)...)
 		if ctr.RestartPolicy != nil {
-			allErrs = append(allErrs, validateInitContainerRestartPolicy(ctr.RestartPolicy, ctr.RestartPolicyRules, idxPath, opts)...)
 			restartAlways = *ctr.RestartPolicy == core.ContainerRestartPolicyAlways
 		}
 
@@ -3842,9 +3931,12 @@ func validateHostUsers(spec *core.PodSpec, fldPath *field.Path, opts PodValidati
 	// know of any good use case and we can always enable them later.
 
 	// Note we already validated above spec.SecurityContext is not nil.
-	if spec.SecurityContext.HostNetwork {
-		allErrs = append(allErrs, field.Forbidden(fldPath.Child("hostNetwork"), "when `hostUsers` is false"))
+	if !opts.AllowUserNamespacesHostNetworkSupport {
+		if spec.SecurityContext.HostNetwork {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("hostNetwork"), "when `hostUsers` is false"))
+		}
 	}
+
 	if spec.SecurityContext.HostPID {
 		allErrs = append(allErrs, field.Forbidden(fldPath.Child("HostPID"), "when `hostUsers` is false"))
 	}
@@ -3965,7 +4057,7 @@ func validateContainers(containers []core.Container, os *core.PodOS, volumes map
 		allErrs = append(allErrs, validateStartupProbe(ctr.StartupProbe, gracePeriod, path.Child("startupProbe"), opts)...)
 
 		if opts.AllowContainerRestartPolicyRules {
-			allErrs = append(allErrs, validateContainerRestartPolicy(ctr.RestartPolicy, ctr.RestartPolicyRules, path)...)
+			allErrs = append(allErrs, validateContainerRestartPolicy(ctr.RestartPolicy, ctr.RestartPolicyRules, path, opts)...)
 		} else if ctr.RestartPolicy != nil {
 			allErrs = append(allErrs, field.Forbidden(path.Child("restartPolicy"), "may not be set for non-init containers"))
 		}
@@ -4208,7 +4300,7 @@ func validateTaintEffect(effect *core.TaintEffect, allowEmpty bool, fldPath *fie
 }
 
 // validateOnlyAddedTolerations validates updated pod tolerations.
-func validateOnlyAddedTolerations(newTolerations []core.Toleration, oldTolerations []core.Toleration, fldPath *field.Path) field.ErrorList {
+func validateOnlyAddedTolerations(newTolerations []core.Toleration, oldTolerations []core.Toleration, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, old := range oldTolerations {
 		found := false
@@ -4227,7 +4319,7 @@ func validateOnlyAddedTolerations(newTolerations []core.Toleration, oldToleratio
 		}
 	}
 
-	allErrs = append(allErrs, ValidateTolerations(newTolerations, fldPath)...)
+	allErrs = append(allErrs, ValidateTolerations(newTolerations, fldPath, opts)...)
 	return allErrs
 }
 
@@ -4265,7 +4357,7 @@ func ValidateHostAliases(hostAliases []core.HostAlias, fldPath *field.Path) fiel
 }
 
 // ValidateTolerations tests if given tolerations have valid data.
-func ValidateTolerations(tolerations []core.Toleration, fldPath *field.Path) field.ErrorList {
+func ValidateTolerations(tolerations []core.Toleration, fldPath *field.Path, opts PodValidationOptions) field.ErrorList {
 	allErrors := field.ErrorList{}
 	for i, toleration := range tolerations {
 		idxPath := fldPath.Index(i)
@@ -4296,6 +4388,23 @@ func ValidateTolerations(tolerations []core.Toleration, fldPath *field.Path) fie
 			if len(toleration.Value) > 0 {
 				allErrors = append(allErrors, field.Invalid(idxPath.Child("operator"), toleration.Value, "value must be empty when `operator` is 'Exists'"))
 			}
+		case core.TolerationOpLt, core.TolerationOpGt:
+			// Numeric comparison operators require validation option
+			if !opts.AllowTaintTolerationComparisonOperators {
+				validValues := []core.TolerationOperator{core.TolerationOpEqual, core.TolerationOpExists, core.TolerationOpLt, core.TolerationOpGt}
+				allErrors = append(allErrors, field.NotSupported(idxPath.Child("operator"), toleration.Operator, validValues))
+				break
+			}
+
+			// validate value is decimal integer
+			for _, msg := range content.IsDecimalInteger(toleration.Value) {
+				allErrors = append(allErrors, field.Invalid(idxPath.Child("value"), toleration.Value, msg))
+			}
+
+			// validate value is within int64 range
+			if _, err := strconv.ParseInt(toleration.Value, 10, 64); err != nil {
+				allErrors = append(allErrors, field.Invalid(idxPath.Child("value"), toleration.Value, err.Error()))
+			}
 		default:
 			validValues := []core.TolerationOperator{core.TolerationOpEqual, core.TolerationOpExists}
 			allErrors = append(allErrors, field.NotSupported(idxPath.Child("operator"), toleration.Operator, validValues))
@@ -4357,6 +4466,9 @@ type PodValidationOptions struct {
 	AllowOnlyRecursiveSELinuxChangePolicy bool
 	// Indicates whether PodLevelResources feature is enabled or disabled.
 	PodLevelResourcesEnabled bool
+	// Indicates whether InPlacePodLevelResourcesVerticalScaling feature is enabled
+	// or disabled.
+	InPlacePodLevelResourcesVerticalScalingEnabled bool
 	// Allow sidecar containers resize policy for backward compatibility
 	AllowSidecarResizePolicy bool
 	// Allow invalid label-value in RequiredNodeSelector
@@ -4375,6 +4487,12 @@ type PodValidationOptions struct {
 	AllowContainerRestartPolicyRules bool
 	// Allow user namespaces with volume devices, even though they will not function properly (should only be tolerated in updates of objects which already have this invalid configuration).
 	AllowUserNamespacesWithVolumeDevices bool
+	// Allow taint toleration comparison operators (Lt, Gt)
+	AllowTaintTolerationComparisonOperators bool
+	// Allow hostNetwork pods to use user namespaces
+	AllowUserNamespacesHostNetworkSupport bool
+	// Allow containers to have restart policy rule with RestartAllContainers action, applicable for init, sidecar, and regular containers.
+	AllowRestartAllContainers bool
 }
 
 // validatePodMetadataAndSpec tests if required fields in the pod.metadata and pod.spec are set,
@@ -4570,7 +4688,7 @@ func ValidatePodSpec(spec *core.PodSpec, podMeta *metav1.ObjectMeta, fldPath *fi
 	}
 
 	if len(spec.Tolerations) > 0 {
-		allErrs = append(allErrs, ValidateTolerations(spec.Tolerations, fldPath.Child("tolerations"))...)
+		allErrs = append(allErrs, ValidateTolerations(spec.Tolerations, fldPath.Child("tolerations"), opts)...)
 	}
 
 	if len(spec.HostAliases) > 0 {
@@ -4607,6 +4725,10 @@ func ValidatePodSpec(spec *core.PodSpec, podMeta *metav1.ObjectMeta, fldPath *fi
 		}
 	}
 
+	if spec.WorkloadRef != nil {
+		allErrs = append(allErrs, validateWorkloadReference(spec.WorkloadRef, fldPath.Child("workloadRef"))...)
+	}
+
 	allErrs = append(allErrs, validateFileKeyRefVolumes(spec, fldPath)...)
 	return allErrs
 }
@@ -4855,7 +4977,7 @@ func ValidateNodeSelectorRequirement(rq core.NodeSelectorRequirement, allowInval
 		path := fldPath.Child("values")
 		for valueIndex, value := range rq.Values {
 			for _, msg := range validation.IsValidLabelValue(value) {
-				allErrs = append(allErrs, field.Invalid(path.Index(valueIndex), value, msg))
+				allErrs = append(allErrs, field.Invalid(path.Index(valueIndex), value, msg)).WithOrigin("format=k8s-label-value")
 			}
 		}
 	}
@@ -5616,7 +5738,7 @@ func ValidatePodUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 	}
 
 	// Allow only additions to tolerations updates.
-	allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"))...)
+	allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"), opts)...)
 
 	// Allow only deletions to schedulingGates updates.
 	allErrs = append(allErrs, validateOnlyDeletedSchedulingGates(newPod.Spec.SchedulingGates, oldPod.Spec.SchedulingGates, specPath.Child("schedulingGates"))...)
@@ -5716,14 +5838,24 @@ func ValidatePodUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 }
 
 // ValidateContainerStateTransition test to if any illegal container state transitions are being attempted
-func ValidateContainerStateTransition(newStatuses, oldStatuses []core.ContainerStatus, fldPath *field.Path, podSpec core.PodSpec) field.ErrorList {
+func ValidateContainerStateTransition(newStatuses, oldStatuses []core.ContainerStatus, fldPath *field.Path, podSpec core.PodSpec, opts PodValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
-	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
+	if opts.AllowContainerRestartPolicyRules {
+		// Convert the *core.PodSpec to *v1.PodSpec to satisfy the call to AllContainersCouldRestart and
+		// ContainerShouldRestart methods in the subsequent lines, which requires a *v1.PodSpec object.
 		v1PodSpec := &v1.PodSpec{}
 		err := corev1.Convert_core_PodSpec_To_v1_PodSpec(&podSpec, v1PodSpec, nil)
 		if err != nil {
 			allErrs = append(allErrs, field.InternalError(fldPath, fmt.Errorf("invalid %q: %v", fldPath, err.Error())))
 		}
+		if opts.AllowRestartAllContainers {
+			// If any container has a restart rule action of RestartAllContainer, it means all container
+			// could be restarted, no matter their own restart policy. Therefore, all container could transition
+			// from terminated to non-terminated states.
+			if podutil.AllContainersCouldRestart(v1PodSpec) {
+				return allErrs
+			}
+		}
 		for i, oldStatus := range oldStatuses {
 			// Skip any container that is not terminated
 			if oldStatus.State.Terminated == nil {
@@ -5771,8 +5903,47 @@ func ValidateContainerStateTransition(newStatuses, oldStatuses []core.ContainerS
 }
 
 // ValidateInitContainerStateTransition test to if any illegal init container state transitions are being attempted
-func ValidateInitContainerStateTransition(newStatuses, oldStatuses []core.ContainerStatus, fldpath *field.Path, podSpec *core.PodSpec) field.ErrorList {
+func ValidateInitContainerStateTransition(newStatuses, oldStatuses []core.ContainerStatus, fldpath *field.Path, podSpec core.PodSpec, opts PodValidationOptions) field.ErrorList {
 	allErrs := field.ErrorList{}
+	if opts.AllowContainerRestartPolicyRules {
+		// Convert the *core.PodSpec to *v1.PodSpec to satisfy the call to AllContainersCouldRestart and
+		// ContainerShouldRestart methods in the subsequent lines, which requires a *v1.PodSpec object.
+		v1PodSpec := &v1.PodSpec{}
+		err := corev1.Convert_core_PodSpec_To_v1_PodSpec(&podSpec, v1PodSpec, nil)
+		if err != nil {
+			allErrs = append(allErrs, field.InternalError(fldpath, fmt.Errorf("invalid %q: %v", fldpath, err.Error())))
+		}
+		if opts.AllowRestartAllContainers {
+			// If any container has a restart rule action of RestartAllContainer, it means all container
+			// could be restarted, no matter their own restart policy. Therefore, all container could transition
+			// from terminated to non-terminated states.
+			if podutil.AllContainersCouldRestart(v1PodSpec) {
+				return allErrs
+			}
+		}
+		for i, oldStatus := range oldStatuses {
+			// Skip any container that is not terminated
+			if oldStatus.State.Terminated == nil {
+				continue
+			}
+			for _, newStatus := range newStatuses {
+				if newStatus.Name == oldStatus.Name && newStatus.State.Terminated == nil {
+					allowed := false
+					for _, c := range v1PodSpec.InitContainers {
+						if c.Name == oldStatus.Name {
+							allowed = podutil.ContainerShouldRestart(c, *v1PodSpec, oldStatus.State.Terminated.ExitCode)
+							break
+						}
+					}
+					if !allowed {
+						allErrs = append(allErrs, field.Forbidden(fldpath.Index(i).Child("state"), "may not be transitioned to non-terminated state"))
+					}
+					break
+				}
+			}
+		}
+		return allErrs
+	}
 	// If we should always restart, containers are allowed to leave the terminated state
 	if podSpec.RestartPolicy == core.RestartPolicyAlways {
 		return allErrs
@@ -5869,8 +6040,8 @@ func ValidatePodStatusUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions
 	//
 	// If pod should not restart, make sure the status update does not transition
 	// any terminated containers to a non-terminated state.
-	allErrs = append(allErrs, ValidateContainerStateTransition(newPod.Status.ContainerStatuses, oldPod.Status.ContainerStatuses, fldPath.Child("containerStatuses"), oldPod.Spec)...)
-	allErrs = append(allErrs, ValidateInitContainerStateTransition(newPod.Status.InitContainerStatuses, oldPod.Status.InitContainerStatuses, fldPath.Child("initContainerStatuses"), &oldPod.Spec)...)
+	allErrs = append(allErrs, ValidateContainerStateTransition(newPod.Status.ContainerStatuses, oldPod.Status.ContainerStatuses, fldPath.Child("containerStatuses"), oldPod.Spec, opts)...)
+	allErrs = append(allErrs, ValidateInitContainerStateTransition(newPod.Status.InitContainerStatuses, oldPod.Status.InitContainerStatuses, fldPath.Child("initContainerStatuses"), oldPod.Spec, opts)...)
 	allErrs = append(allErrs, ValidateEphemeralContainerStateTransition(newPod.Status.EphemeralContainerStatuses, oldPod.Status.EphemeralContainerStatuses, fldPath.Child("ephemeralContainerStatuses"))...)
 	allErrs = append(allErrs, validatePodResourceClaimStatuses(newPod.Status.ResourceClaimStatuses, newPod.Spec.ResourceClaims, fldPath.Child("resourceClaimStatuses"))...)
 	allErrs = append(allErrs, validatePodExtendedResourceClaimStatus(newPod.Status.ExtendedResourceClaimStatus, &newPod.Spec, fldPath.Child("extendedResourceClaimStatus"))...)
@@ -5964,6 +6135,7 @@ func validatePodExtendedResourceClaimStatus(status *core.PodExtendedResourceClai
 	type key struct {
 		container string
 		resource  string
+		request   string
 	}
 	seen := map[key]struct{}{}
 	for i, rm := range status.RequestMappings {
@@ -5977,10 +6149,11 @@ func validatePodExtendedResourceClaimStatus(status *core.PodExtendedResourceClai
 			allErrs = append(allErrs, field.Invalid(idxPath.Child("containerName"), rm.ContainerName, "must match the name of an entry in spec.initContainers.name or spec.containers.name"))
 		}
 		allErrs = append(allErrs, ValidateDNS1123Label(rm.RequestName, fldPath.Child("requestName"))...)
-		k := key{container: rm.ContainerName, resource: rm.ResourceName}
+		k := key{container: rm.ContainerName, resource: rm.ResourceName, request: rm.RequestName}
 		if _, ok := seen[k]; ok {
 			allErrs = append(allErrs, field.Duplicate(idxPath.Child("containerName"), rm.ContainerName))
 			allErrs = append(allErrs, field.Duplicate(idxPath.Child("resourceName"), rm.ResourceName))
+			allErrs = append(allErrs, field.Duplicate(idxPath.Child("requestName"), rm.RequestName))
 		}
 		seen[k] = struct{}{}
 	}
@@ -6038,7 +6211,7 @@ func ValidatePodEphemeralContainersUpdate(newPod, oldPod *core.Pod, opts PodVali
 	return allErrs
 }
 
-// ValidatePodResize tests that a user update to pod container resources is valid.
+// ValidatePodResize tests that an update to pod container resources is valid.
 // newPod and oldPod must only differ in their Containers[*].Resources and
 // Containers[*].ResizePolicy field.
 func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) field.ErrorList {
@@ -6047,16 +6220,6 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 	allErrs := ValidateObjectMetaUpdate(&newPod.ObjectMeta, &oldPod.ObjectMeta, fldPath)
 	allErrs = append(allErrs, validatePodMetadataAndSpec(newPod, opts)...)
 
-	// pods with pod-level resources cannot be resized
-	isPodLevelResourcesSet := func(pod *core.Pod) bool {
-		return pod.Spec.Resources != nil &&
-			(len(pod.Spec.Resources.Requests)+len(pod.Spec.Resources.Limits) > 0)
-	}
-
-	if isPodLevelResourcesSet(oldPod) || isPodLevelResourcesSet(newPod) {
-		return field.ErrorList{field.Forbidden(field.NewPath(""), "pods with pod-level resources cannot be resized")}
-	}
-
 	// static pods cannot be resized.
 	if _, ok := oldPod.Annotations[core.MirrorPodAnnotationKey]; ok {
 		return field.ErrorList{field.Forbidden(field.NewPath(""), "static pods cannot be resized")}
@@ -6067,9 +6230,6 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 		return field.ErrorList{field.Forbidden(field.NewPath(""), "windows pods cannot be resized")}
 	}
 
-	// Part 2: Validate that the changes between oldPod.Spec.Containers[].Resources and
-	// newPod.Spec.Containers[].Resources are allowed. Also validate that the changes between oldPod.Spec.InitContainers[].Resources and
-	// newPod.Spec.InitContainers[].Resources are allowed.
 	specPath := field.NewPath("spec")
 	if qos.GetPodQOS(oldPod) != qos.ComputePodQOS(newPod) {
 		allErrs = append(allErrs, field.Invalid(specPath, newPod.Status.QOSClass, "Pod QOS Class may not change as a result of resizing"))
@@ -6079,6 +6239,34 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 		allErrs = append(allErrs, field.Forbidden(specPath, "Pod running on node without support for resize"))
 	}
 
+	// Part 2: Validate that changes between pod-level resources in oldPod.Spec.Resources and
+	// newPod.Spec.Resources are allowed.
+
+	isPodLevelResourcesSet := func(pod *core.Pod) bool {
+		return pod.Spec.Resources != nil &&
+			(len(pod.Spec.Resources.Requests)+len(pod.Spec.Resources.Limits) > 0)
+	}
+
+	newPodSpecCopy := *newPod.Spec.DeepCopy()
+
+	if isPodLevelResourcesSet(oldPod) || isPodLevelResourcesSet(newPod) {
+		// pods with pod-level resources cannot be resized without
+		// InPlacePodLevelResourcesVerticalScaling feature gate being enabled.
+		if !opts.InPlacePodLevelResourcesVerticalScalingEnabled {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "resize of pods with pod-level resources is forbidden when InPlacePodLevelResourcesVerticalScalingEnabled feature gate is disabled"))
+			return allErrs
+		}
+
+		// newPodSpecCopy is passed by reference to allow
+		// newPodSpecCopy.Resources to be mutated which is required for an
+		// intermediate validation step.
+		allErrs = append(allErrs, validatePodLevelResourcesResize(newPod, oldPod, &newPodSpecCopy, specPath, opts)...)
+	}
+
+	// Part 3: Validate that the changes between oldPod.Spec.Containers[].Resources and
+	// newPod.Spec.Containers[].Resources are allowed. Also validate that the changes between oldPod.Spec.InitContainers[].Resources and
+	// newPod.Spec.InitContainers[].Resources are allowed.
+
 	// The rest of the validation assumes that the containers are in the same order,
 	// so we proceed only if that assumption is true.
 	containerOrderErrs := validatePodResizeContainerOrdering(newPod, oldPod, specPath)
@@ -6109,9 +6297,8 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 	}
 
 	// Ensure that only CPU and memory resources are mutable for regular containers.
-	originalCPUMemPodSpec := *newPod.Spec.DeepCopy()
 	var newContainers []core.Container
-	for ix, container := range originalCPUMemPodSpec.Containers {
+	for ix, container := range newPodSpecCopy.Containers {
 		dropCPUMemoryResourcesFromContainer(&container, &oldPod.Spec.Containers[ix])
 		if !apiequality.Semantic.DeepEqual(container, oldPod.Spec.Containers[ix]) {
 			// This likely means that the user has made changes to resources other than CPU and memory for regular container.
@@ -6120,13 +6307,13 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 		}
 		newContainers = append(newContainers, container)
 	}
-	originalCPUMemPodSpec.Containers = newContainers
+	newPodSpecCopy.Containers = newContainers
 
 	// Ensure that only CPU and memory resources are mutable for restartable init containers.
 	// Also ensure that resources are immutable for non-restartable init containers.
 	var newInitContainers []core.Container
 	if utilfeature.DefaultFeatureGate.Enabled(features.SidecarContainers) {
-		for ix, container := range originalCPUMemPodSpec.InitContainers {
+		for ix, container := range newPodSpecCopy.InitContainers {
 			if isRestartableInitContainer(&container) { // restartable init container
 				dropCPUMemoryResourcesFromContainer(&container, &oldPod.Spec.InitContainers[ix])
 				if !apiequality.Semantic.DeepEqual(container, oldPod.Spec.InitContainers[ix]) {
@@ -6141,14 +6328,14 @@ func ValidatePodResize(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
 			}
 			newInitContainers = append(newInitContainers, container)
 		}
-		originalCPUMemPodSpec.InitContainers = newInitContainers
+		newPodSpecCopy.InitContainers = newInitContainers
 	}
 
 	if len(allErrs) > 0 {
 		return allErrs
 	}
 
-	if !apiequality.Semantic.DeepEqual(originalCPUMemPodSpec, oldPod.Spec) {
+	if !apiequality.Semantic.DeepEqual(newPodSpecCopy, oldPod.Spec) {
 		// This likely means that the user has made changes to resources other than CPU and Memory.
 		errs := field.Forbidden(specPath, "only cpu and memory resources are mutable")
 		allErrs = append(allErrs, errs)
@@ -6181,33 +6368,113 @@ func validatePodResizeContainerOrdering(newPod, oldPod *core.Pod, specPath *fiel
 	return allErrs
 }
 
-// dropCPUMemoryResourcesFromContainer deletes the cpu and memory resources from the container, and copies them from the old pod container resources if present.
-func dropCPUMemoryResourcesFromContainer(container *core.Container, oldPodSpecContainer *core.Container) {
-	dropCPUMemoryUpdates := func(resourceList, oldResourceList core.ResourceList) core.ResourceList {
-		if oldResourceList == nil {
-			return nil
-		}
-		var mungedResourceList core.ResourceList
-		if resourceList == nil {
-			mungedResourceList = make(core.ResourceList)
-		} else {
-			mungedResourceList = resourceList.DeepCopy()
+// validatePodLevelResourcesResize validates updates to pod-level resource requests/limits
+// for in-place resizing, and is intentionally designed to mutate the
+// podSpecToMutate, which is a deep copy of newPod.Spec
+//
+// The function performs a masking operation on its .Resources field:
+//
+// 1. Masking/Equalization: It modifies .Resources by dropping CPU/Memory
+// resource values in podSpecToMutate, and then copying specific CPU/Memory resource
+// values to match oldPod.Spec.Resources.
+// 2. Integrity Check: The resulting mutated spec is used to perform an equality
+// comparison (DeepEqual) against oldPod.Spec. If the specs match after masking,
+// it guarantees that no changes were made other than the allowed resource modifications
+// needed for the resize.
+func validatePodLevelResourcesResize(newPod, oldPod *core.Pod, podSpecToMutate *core.PodSpec, specPath *field.Path, opts PodValidationOptions) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if oldPod.Spec.Resources != nil && newPod.Spec.Resources == nil {
+		return append(allErrs, field.Forbidden(specPath.Child("resources"), "pod-level resources cannot be removed"))
+	}
+
+	if oldPod.Spec.Resources != nil {
+		if resourcesRemoved(newPod.Spec.Resources.Requests, oldPod.Spec.Resources.Requests) {
+			allErrs = append(allErrs, field.Forbidden(specPath.Child("resources").Child("requests"), "pod-level resource requests cannot be removed"))
 		}
-		delete(mungedResourceList, core.ResourceCPU)
-		delete(mungedResourceList, core.ResourceMemory)
-		if cpu, found := oldResourceList[core.ResourceCPU]; found {
-			mungedResourceList[core.ResourceCPU] = cpu
+
+		if resourcesRemoved(newPod.Spec.Resources.Limits, oldPod.Spec.Resources.Limits) {
+			allErrs = append(allErrs, field.Forbidden(specPath.Child("resources").Child("limits"), "pod-level resource limits cannot be removed"))
 		}
-		if mem, found := oldResourceList[core.ResourceMemory]; found {
-			mungedResourceList[core.ResourceMemory] = mem
+
+	}
+
+	podSpecToMutate.Resources = dropCPUMemoryResourceRequirementsUpdates(podSpecToMutate.Resources, oldPod.Spec.Resources)
+
+	if !apiequality.Semantic.DeepEqual(podSpecToMutate.Resources, oldPod.Spec.Resources) {
+		// This likely means that the user has made changes to pod-level resources other
+		// than CPU and memory.
+		errs := field.Forbidden(specPath, "only cpu and memory resources are mutable at pod-level")
+		allErrs = append(allErrs, errs)
+	}
+
+	return allErrs
+}
+
+func dropCPUMemoryUpdates(resourceList, oldResourceList core.ResourceList) core.ResourceList {
+	var mungedResourceList core.ResourceList
+	if resourceList == nil {
+		if oldResourceList == nil {
+			return nil
 		}
-		return mungedResourceList
+		mungedResourceList = make(core.ResourceList)
+	} else {
+		mungedResourceList = resourceList.DeepCopy()
 	}
+	delete(mungedResourceList, core.ResourceCPU)
+	delete(mungedResourceList, core.ResourceMemory)
+	if cpu, found := oldResourceList[core.ResourceCPU]; found {
+		mungedResourceList[core.ResourceCPU] = cpu
+	}
+	if mem, found := oldResourceList[core.ResourceMemory]; found {
+		mungedResourceList[core.ResourceMemory] = mem
+	}
+	return mungedResourceList
+}
+
+// dropCPUMemoryResourcesFromContainer deletes the cpu and memory resources from the
+// container, and copies them from the old pod container resources if present.
+// TODO(ndixita): refactor to reuse dropCPUMemoryResourceRequirementsUpdates
+func dropCPUMemoryResourcesFromContainer(container *core.Container, oldPodSpecContainer *core.Container) {
 	lim := dropCPUMemoryUpdates(container.Resources.Limits, oldPodSpecContainer.Resources.Limits)
 	req := dropCPUMemoryUpdates(container.Resources.Requests, oldPodSpecContainer.Resources.Requests)
 	container.Resources = core.ResourceRequirements{Limits: lim, Requests: req}
 }
 
+// dropCPUMemoryResourceRequirementsUpdates deletes the cpu and memory resources
+// from the `resources` field, and copies them from old Pod spec's resources field
+// if present.
+func dropCPUMemoryResourceRequirementsUpdates(resources *core.ResourceRequirements, oldPodResources *core.ResourceRequirements) *core.ResourceRequirements {
+	if resources == nil {
+		return resources
+	}
+
+	var oldReqs, oldLims core.ResourceList
+	if oldPodResources != nil && oldPodResources.Requests != nil {
+		oldReqs = oldPodResources.Requests // +k8s:verify-mutation:reason=clone'
+	}
+
+	if oldPodResources != nil && oldPodResources.Limits != nil {
+		oldLims = oldPodResources.Limits // +k8s:verify-mutation:reason=clone'
+	}
+
+	resources.Requests = dropCPUMemoryUpdates(resources.Requests, oldReqs)
+	resources.Limits = dropCPUMemoryUpdates(resources.Limits, oldLims)
+
+	// Set the entire Resources block to nil if two conditions are met:
+	// 1. The old PodSpec Resources lacked any Resources
+	// 2. The masked resources has only empty Requests/Limits
+	//    (i.e., any prior CPU/Memory defaults have been dropped) AND no immutable Claims are set.
+	// This ensures that an empty Resources block (which would typically only contain
+	// empty CPU/Memory after masking) is safely set to nil, unless Claims are present.
+	if oldPodResources == nil {
+		if len(resources.Requests) == 0 && len(resources.Limits) == 0 && len(resources.Claims) == 0 {
+			resources = nil
+		}
+	}
+	return resources
+}
+
 // isPodResizeRequestSupported checks whether the pod is running on a node with InPlacePodVerticalScaling enabled.
 func isPodResizeRequestSupported(pod core.Pod) bool {
 	// TODO: Remove this after GA+3 releases of InPlacePodVerticalScaling
@@ -6700,7 +6967,10 @@ func ValidateServiceStatusUpdate(service, oldService *core.Service) field.ErrorL
 
 // ValidateReplicationController tests if required fields in the replication controller are set.
 func ValidateReplicationController(controller *core.ReplicationController, opts PodValidationOptions) field.ErrorList {
-	allErrs := ValidateObjectMeta(&controller.ObjectMeta, true, ValidateReplicationControllerName, field.NewPath("metadata"))
+	validateLongName := func(fldPath *field.Path, name string) field.ErrorList {
+		return validate.LongName(context.Background(), operation.Operation{}, fldPath, &name, nil).MarkCoveredByDeclarative()
+	}
+	allErrs := ValidateObjectMetaWithOpts(&controller.ObjectMeta, true, validateLongName, field.NewPath("metadata"))
 	allErrs = append(allErrs, ValidateReplicationControllerSpec(&controller.Spec, nil, field.NewPath("spec"), opts)...)
 	return allErrs
 }
@@ -6873,6 +7143,37 @@ func ValidateNodeSpecificAnnotations(annotations map[string]string, fldPath *fie
 	return allErrs
 }
 
+// validateNodeDeclaredFeatureName checks if a declared feature name is valid.
+func validateNodeDeclaredFeatureName(featureName string) error {
+	if len(featureName) > validation.DNS1123SubdomainMaxLength {
+		return fmt.Errorf("invalid feature name %q: must be no more than %d characters", featureName, validation.DNS1123SubdomainMaxLength)
+	}
+	if !nodeDeclaredFeatureRegexp.MatchString(featureName) {
+		return fmt.Errorf("invalid feature name %q: must start with an UpperCamelCase segment, with subsequent segments separated by '/' (e.g., MyFeature or MyFeature/mySubFeature), and contain only alphanumeric characters and slashes", featureName)
+	}
+	return nil
+}
+
+func validateNodeDeclaredFeatures(nodeFeatures []string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	// We do not need to check feature gate again here as we do it in dropDisabledFields() (pkg/registry/core/node/strategy.go)
+	featureCount := len(nodeFeatures)
+	for i, feature := range nodeFeatures {
+		if err := validateNodeDeclaredFeatureName(feature); err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath.Index(i), feature, err.Error()))
+		}
+		if i+1 < featureCount {
+			nextFeature := nodeFeatures[i+1]
+			if feature == nextFeature {
+				allErrs = append(allErrs, field.Duplicate(fldPath.Index(i+1), nextFeature))
+			} else if feature > nextFeature {
+				allErrs = append(allErrs, field.Invalid(fldPath.Index(i+1), nextFeature, "list must be sorted alphabetically"))
+			}
+		}
+	}
+	return allErrs
+}
+
 // ValidateNode tests if required fields in the node are set.
 func ValidateNode(node *core.Node) field.ErrorList {
 	fldPath := field.NewPath("metadata")
@@ -6887,6 +7188,8 @@ func ValidateNode(node *core.Node) field.ErrorList {
 	// That said, if specified, we need to ensure they are valid.
 	allErrs = append(allErrs, ValidateNodeResources(node)...)
 	allErrs = append(allErrs, validateNodeSwapStatus(node.Status.NodeInfo.Swap, fldPath.Child("nodeSwapStatus"))...)
+	statusField := field.NewPath("status")
+	allErrs = append(allErrs, validateNodeDeclaredFeatures(node.Status.DeclaredFeatures, statusField.Child("declaredFeatures"))...)
 
 	// validate PodCIDRS only if we need to
 	if len(node.Spec.PodCIDRs) > 0 {
@@ -6935,15 +7238,17 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList {
 	fldPath := field.NewPath("metadata")
 	allErrs := ValidateObjectMetaUpdate(&node.ObjectMeta, &oldNode.ObjectMeta, fldPath)
 	allErrs = append(allErrs, ValidateNodeSpecificAnnotations(node.ObjectMeta.Annotations, fldPath.Child("annotations"))...)
-
 	// TODO: Enable the code once we have better core object.status update model. Currently,
 	// anyone can update node status.
 	// if !apiequality.Semantic.DeepEqual(node.Status, core.NodeStatus{}) {
 	// 	allErrs = append(allErrs, field.Invalid("status", node.Status, "must be empty"))
 	// }
-
 	allErrs = append(allErrs, ValidateNodeResources(node)...)
 
+	// TODO: dedup the validation checks in ValidateNode() and ValidateNodeUpdate() since both these functions get called during node update.
+	statusField := field.NewPath("status")
+	allErrs = append(allErrs, validateNodeDeclaredFeatures(node.Status.DeclaredFeatures, statusField.Child("declaredFeatures"))...)
+
 	// Validate no duplicate addresses in node status.
 	addresses := make(map[core.NodeAddress]bool)
 	for i, address := range node.Status.Addresses {
@@ -8353,7 +8658,7 @@ var (
 func ValidateLoadBalancerStatus(status, oldStatus *core.LoadBalancerStatus, fldPath *field.Path, spec *core.ServiceSpec) field.ErrorList {
 	allErrs := field.ErrorList{}
 	ingrPath := fldPath.Child("ingress")
-	if !utilfeature.DefaultFeatureGate.Enabled(features.AllowServiceLBStatusOnNonLB) && spec.Type != core.ServiceTypeLoadBalancer && len(status.Ingress) != 0 {
+	if spec.Type != core.ServiceTypeLoadBalancer && len(status.Ingress) != 0 {
 		allErrs = append(allErrs, field.Forbidden(ingrPath, "may only be used when `spec.type` is 'LoadBalancer'"))
 	} else {
 		var existingIngressIPs []string
@@ -8371,7 +8676,7 @@ func ValidateLoadBalancerStatus(status, oldStatus *core.LoadBalancerStatus, fldP
 				allErrs = append(allErrs, IsValidIPForLegacyField(idxPath.Child("ip"), ingress.IP, existingIngressIPs)...)
 			}
 
-			if utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) && ingress.IPMode == nil {
+			if ingress.IPMode == nil {
 				if len(ingress.IP) > 0 {
 					allErrs = append(allErrs, field.Required(idxPath.Child("ipMode"), "must be specified when `ip` is set"))
 				}
@@ -8385,7 +8690,7 @@ func ValidateLoadBalancerStatus(status, oldStatus *core.LoadBalancerStatus, fldP
 				for _, msg := range validation.IsDNS1123Subdomain(ingress.Hostname) {
 					allErrs = append(allErrs, field.Invalid(idxPath.Child("hostname"), ingress.Hostname, msg))
 				}
-				if isIP := (netutils.ParseIPSloppy(ingress.Hostname) != nil); isIP {
+				if isIP := netutils.ParseIPSloppy(ingress.Hostname) != nil; isIP {
 					allErrs = append(allErrs, field.Invalid(idxPath.Child("hostname"), ingress.Hostname, "must be a DNS name, not an IP address"))
 				}
 			}
@@ -9282,3 +9587,19 @@ func validateNodeSwapStatus(nodeSwapStatus *core.NodeSwapStatus, fldPath *field.
 
 	return allErrors
 }
+
+func validateWorkloadReference(workloadRef *core.WorkloadReference, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	for _, detail := range ValidateWorkloadName(workloadRef.Name, false) {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), workloadRef.Name, detail))
+	}
+	for _, detail := range ValidatePodGroupName(workloadRef.PodGroup, false) {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("podGroup"), workloadRef.PodGroup, detail))
+	}
+	if workloadRef.PodGroupReplicaKey != "" {
+		for _, detail := range ValidatePodGroupReplicaKey(workloadRef.PodGroupReplicaKey, false) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("podGroupReplicaKey"), workloadRef.PodGroupReplicaKey, detail))
+		}
+	}
+	return allErrs
+}
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index 15aed1b0a5610..97073c06c629f 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -34,6 +34,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -42,6 +43,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures/features"
 	kubeletapis "k8s.io/kubelet/pkg/apis"
 	podtest "k8s.io/kubernetes/pkg/api/pod/testing"
 	"k8s.io/kubernetes/pkg/apis/core"
@@ -1081,6 +1083,7 @@ func pvcWithDataSource(dataSource *core.TypedLocalObjectReference) *core.Persist
 		},
 	}
 }
+
 func pvcWithDataSourceRef(ref *core.TypedObjectReference) *core.PersistentVolumeClaim {
 	return &core.PersistentVolumeClaim{
 		Spec: core.PersistentVolumeClaimSpec{
@@ -1238,9 +1241,10 @@ func multipleVolumeNodeAffinity(terms [][]topologyPair) *core.VolumeNodeAffinity
 
 func TestValidateVolumeNodeAffinityUpdate(t *testing.T) {
 	scenarios := map[string]struct {
-		isExpectedFailure bool
-		oldPV             *core.PersistentVolume
-		newPV             *core.PersistentVolume
+		mutablePVNodeAffinity bool
+		isExpectedFailure     bool
+		oldPV                 *core.PersistentVolume
+		newPV                 *core.PersistentVolume
 	}{
 		"nil-nothing-changed": {
 			isExpectedFailure: false,
@@ -1505,9 +1509,16 @@ func TestValidateVolumeNodeAffinityUpdate(t *testing.T) {
 			oldPV:             testVolumeWithNodeAffinity(simpleVolumeNodeAffinity(v1.LabelInstanceType, "-1")),
 			newPV:             testVolumeWithNodeAffinity(simpleVolumeNodeAffinity(v1.LabelInstanceTypeStable, "-1")),
 		},
+		"MutablePVNodeAffinity": {
+			mutablePVNodeAffinity: true,
+			isExpectedFailure:     false,
+			oldPV:                 testVolumeWithNodeAffinity(simpleVolumeNodeAffinity("foo", "bar")),
+			newPV:                 testVolumeWithNodeAffinity(simpleVolumeNodeAffinity("foo", "baz")),
+		},
 	}
 
 	for name, scenario := range scenarios {
+		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutablePVNodeAffinity, scenario.mutablePVNodeAffinity)
 		originalNewPV := scenario.newPV.DeepCopy()
 		originalOldPV := scenario.oldPV.DeepCopy()
 		opts := ValidationOptionsForPersistentVolume(scenario.newPV, scenario.oldPV)
@@ -3104,8 +3115,10 @@ func TestValidatePersistentVolumeClaimUpdate(t *testing.T) {
 
 	for name, scenario := range scenarios {
 		t.Run(name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RecoverVolumeExpansionFailure, scenario.enableRecoverFromExpansion)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.VolumeAttributesClass, scenario.enableVolumeAttributesClass)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.RecoverVolumeExpansionFailure: scenario.enableRecoverFromExpansion,
+				features.VolumeAttributesClass:         scenario.enableVolumeAttributesClass,
+			})
 
 			scenario.oldClaim.ResourceVersion = "1"
 			scenario.newClaim.ResourceVersion = "1"
@@ -7100,13 +7113,7 @@ func TestValidateEnvVarValueFromFileKeyRef(t *testing.T) {
 			},
 			opts: PodValidationOptions{},
 			expectedErrs: field.ErrorList{
-				{
-					Type:     field.ErrorTypeInvalid,
-					Field:    field.NewPath("valueFrom.fileKeyRef.volumeName").String(),
-					BadValue: "INVALID_NAME!",
-					Detail:   "a lowercase RFC 1123 label must consist of",
-					Origin:   "format=dns-label",
-				},
+				field.Invalid(field.NewPath("valueFrom.fileKeyRef.volumeName"), "INVALID_NAME!", "").WithOrigin("format=k8s-short-name"),
 			},
 		},
 		{
@@ -7158,13 +7165,7 @@ func TestValidateEnvVarValueFromFileKeyRef(t *testing.T) {
 			opts: PodValidationOptions{},
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("valueFrom.fileKeyRef.key"), "bad=key", "environment variable"),
-				{
-					Type:     field.ErrorTypeInvalid,
-					Field:    field.NewPath("valueFrom.fileKeyRef.volumeName").String(),
-					BadValue: "!badname",
-					Detail:   "a lowercase RFC 1123 label must consist of",
-					Origin:   "format=dns-label",
-				},
+				field.Invalid(field.NewPath("valueFrom.fileKeyRef.volumeName"), "!badname", "").WithOrigin("format=k8s-short-name"),
 				field.Invalid(field.NewPath("valueFrom.fileKeyRef.path"), "../badpath", "must not contain '..'"),
 			},
 		},
@@ -11203,6 +11204,27 @@ func TestValidatePod(t *testing.T) {
 				},
 			}),
 		),
+		"valid PodCertificate projected volume source, user config is not nil": *podtest.MakePod("valid-podcertificate-5",
+			podtest.SetVolumes(core.Volume{
+				Name: "projected-volume",
+				VolumeSource: core.VolumeSource{
+					Projected: &core.ProjectedVolumeSource{
+						Sources: []core.VolumeProjection{
+							{
+								PodCertificate: &core.PodCertificateProjection{
+									SignerName:           "example.com/foo",
+									KeyType:              "ED25519",
+									MaxExpirationSeconds: ptr.To[int32](3600),
+									KeyPath:              "key.pem",
+									CertificateChainPath: "certificates.pem",
+									UserAnnotations:      map[string]string{"test.domain/attribute": "test-value"},
+								},
+							},
+						},
+					},
+				},
+			}),
+		),
 		"ephemeral volume + PVC, no conflict between them": *podtest.MakePod("valid-extended",
 			podtest.SetVolumes(
 				core.Volume{Name: "pvc", VolumeSource: core.VolumeSource{PersistentVolumeClaim: &core.PersistentVolumeClaimVolumeSource{ClaimName: "my-pvc"}}},
@@ -12224,6 +12246,18 @@ func TestValidatePod(t *testing.T) {
 				podtest.SetTolerations(core.Toleration{Key: "node.kubernetes.io/not-ready", Operator: "Exists", Effect: "NoSchedule", TolerationSeconds: &[]int64{20}[0]}),
 			),
 		},
+		"numeric operator Lt requires feature gate (gate disabled)": {
+			expectedError: "Unsupported value: \"Lt\"",
+			spec: *podtest.MakePod("123",
+				podtest.SetTolerations(core.Toleration{Key: "node.kubernetes.io/sla", Operator: "Lt", Value: "950", Effect: "NoSchedule"}),
+			),
+		},
+		"numeric operator Gt requires feature gate (gate disabled)": {
+			expectedError: "Unsupported value: \"Gt\"",
+			spec: *podtest.MakePod("123",
+				podtest.SetTolerations(core.Toleration{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "950", Effect: "NoSchedule"}),
+			),
+		},
 		"must be a valid pod seccomp profile": {
 			expectedError: "must be a valid seccomp profile",
 			spec: *podtest.MakePod("123",
@@ -12851,6 +12885,75 @@ func TestValidatePod(t *testing.T) {
 				}),
 			),
 		},
+		"PodCertificate projected volume with bad user annotations, invalid key": {
+			expectedError: "regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix",
+			spec: *podtest.MakePod("pod1",
+				podtest.SetVolumes(core.Volume{
+					Name: "projected-volume",
+					VolumeSource: core.VolumeSource{
+						Projected: &core.ProjectedVolumeSource{
+							Sources: []core.VolumeProjection{
+								{
+									PodCertificate: &core.PodCertificateProjection{
+										SignerName:           "example.com/foo",
+										KeyType:              "ED25519",
+										KeyPath:              "key.pem",
+										CertificateChainPath: "certificates.pem",
+										UserAnnotations:      map[string]string{"only/one/slash": "bar"},
+									},
+								},
+							},
+						},
+					},
+				}),
+			),
+		},
+		"PodCertificate projected volume with bad user annotations, too long key prefix size": {
+			expectedError: "prefix part must be no more than 253 bytes",
+			spec: *podtest.MakePod("pod1",
+				podtest.SetVolumes(core.Volume{
+					Name: "projected-volume",
+					VolumeSource: core.VolumeSource{
+						Projected: &core.ProjectedVolumeSource{
+							Sources: []core.VolumeProjection{
+								{
+									PodCertificate: &core.PodCertificateProjection{
+										SignerName:           "example.com/foo",
+										KeyType:              "ED25519",
+										KeyPath:              "key.pem",
+										CertificateChainPath: "certificates.pem",
+										UserAnnotations:      map[string]string{strings.Repeat("a", 254) + "/foo": "bar"},
+									},
+								},
+							},
+						},
+					},
+				}),
+			),
+		},
+		"PodCertificate projected volume with bad user annotations, too long total key/value size": {
+			expectedError: "may not be more than 262144 bytes",
+			spec: *podtest.MakePod("pod1",
+				podtest.SetVolumes(core.Volume{
+					Name: "projected-volume",
+					VolumeSource: core.VolumeSource{
+						Projected: &core.ProjectedVolumeSource{
+							Sources: []core.VolumeProjection{
+								{
+									PodCertificate: &core.PodCertificateProjection{
+										SignerName:           "example.com/foo",
+										KeyType:              "ED25519",
+										KeyPath:              "key.pem",
+										CertificateChainPath: "certificates.pem",
+										UserAnnotations:      map[string]string{"domain/a": strings.Repeat("d", apimachineryvalidation.TotalAnnotationSizeLimitB)},
+									},
+								},
+							},
+						},
+					},
+				}),
+			),
+		},
 		"final PVC name for ephemeral volume must be valid": {
 			expectedError: "spec.volumes[1].name: Invalid value: \"" + longVolName + "\": PVC name \"" + longPodName + "-" + longVolName + "\": must be no more than 253 characters",
 			spec: *podtest.MakePod(longPodName,
@@ -14452,6 +14555,21 @@ func TestValidatePodUpdate(t *testing.T) {
 			),
 			err:  "pod updates may not change fields other than",
 			test: "memory limit change with pod-level resources",
+		}, {
+			new: *podtest.MakePod("pod",
+				podtest.SetWorkloadRef(&core.WorkloadReference{
+					Name:     "w",
+					PodGroup: "pg",
+				}),
+			),
+			old: *podtest.MakePod("pod",
+				podtest.SetWorkloadRef(&core.WorkloadReference{
+					Name:     "w2",
+					PodGroup: "pg",
+				}),
+			),
+			err:  "pod updates may not change fields other than",
+			test: "updated workloadRef",
 		},
 	}
 
@@ -15202,7 +15320,37 @@ func TestValidatePodStatusUpdate(t *testing.T) {
 		),
 		old:  *podtest.MakePod("foo"),
 		err:  "Duplicate value: \"ctr\"",
-		test: "invalid container name and extended resource name in requestMapping in ExtendedResourceClaimStatus",
+		test: "invalid duplicate container name,, extended resource name, and request name in requestMapping in ExtendedResourceClaimStatus",
+	}, {
+		new: *podtest.MakePod("foo",
+			podtest.SetContainers(podtest.MakeContainer("ctr", podtest.SetContainerResources(
+				podtest.MakeResourceRequirements(
+					map[string]string{
+						string("example.com/gpu"): "1",
+					},
+					map[string]string{
+						string("example.com/gpu"): "1",
+					})))),
+			podtest.SetStatus(core.PodStatus{
+				ExtendedResourceClaimStatus: &core.PodExtendedResourceClaimStatus{
+					ResourceClaimName: "xyz",
+					RequestMappings: []core.ContainerExtendedResourceRequest{
+						{
+							ContainerName: "ctr",
+							ResourceName:  "example.com/gpu",
+							RequestName:   "container-0-request-0",
+						},
+						{
+							ContainerName: "ctr",
+							ResourceName:  "example.com/gpu",
+							RequestName:   "container-1-request-0",
+						},
+					},
+				},
+			}),
+		),
+		old:  *podtest.MakePod("foo"),
+		test: "valid duplicate container name,, extended resource name in requestMapping in ExtendedResourceClaimStatus",
 	}, {
 		new: *podtest.MakePod("foo",
 			podtest.SetContainers(podtest.MakeContainer("ctr", podtest.SetContainerResources(
@@ -15855,6 +16003,16 @@ func TestValidatePodStatusUpdate(t *testing.T) {
 		),
 		err:  `status.ephemeralContainerStatuses[0].user.linux: Forbidden: cannot be set for a windows pod`,
 		test: "containerUser cannot be set for windows pod in ephemeralContainerStatuses",
+	}, {
+		new: *podtest.MakePod("foo",
+			podtest.SetStatus(core.PodStatus{
+				Conditions: []core.PodCondition{{
+					Type:   core.AllContainersRestarting,
+					Status: core.ConditionTrue,
+				}},
+			}),
+		),
+		old: *podtest.MakePod("foo"),
 	},
 	}
 
@@ -17578,9 +17736,14 @@ func TestValidateServiceCreate(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, tc.newTrafficDist)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RelaxedServiceNameValidation, tc.relaxedServiceNames)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, !tc.legacyIPs)
+			if !tc.newTrafficDist {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.PreferSameTrafficDistribution: tc.newTrafficDist,
+				features.RelaxedServiceNameValidation:  tc.relaxedServiceNames,
+				features.StrictIPCIDRValidation:        !tc.legacyIPs,
+			})
 			svc := makeValidService()
 			tc.tweakSvc(&svc)
 			errs := ValidateServiceCreate(&svc)
@@ -17964,7 +18127,7 @@ func TestValidateReplicationControllerUpdate(t *testing.T) {
 				rc.Spec.Selector = invalid
 			}),
 			expectedErrs: field.ErrorList{
-				field.Invalid(field.NewPath("spec.template.labels"), nil, "").WithOrigin("labelKey"),
+				field.Invalid(field.NewPath("spec.template.labels"), nil, "").WithOrigin("format=k8s-label-key"),
 			},
 		},
 		"invalid pod": {
@@ -18113,7 +18276,7 @@ func TestValidateReplicationController(t *testing.T) {
 				}
 			}),
 			expectedErrs: field.ErrorList{
-				field.Invalid(field.NewPath("metadata.labels"), nil, "").WithOrigin("labelKey"),
+				field.Invalid(field.NewPath("metadata.labels"), nil, "").WithOrigin("format=k8s-label-key"),
 			},
 		},
 		"invalid label 2": {
@@ -18124,7 +18287,7 @@ func TestValidateReplicationController(t *testing.T) {
 			}),
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("spec.template.metadata.labels"), nil, "does not match template"),
-				field.Invalid(field.NewPath("spec.template.labels"), nil, "").WithOrigin("labelKey"),
+				field.Invalid(field.NewPath("spec.template.labels"), nil, "").WithOrigin("format=k8s-label-key"),
 			},
 		},
 		"invalid annotation": {
@@ -18134,7 +18297,7 @@ func TestValidateReplicationController(t *testing.T) {
 				}
 			}),
 			expectedErrs: field.ErrorList{
-				field.Invalid(field.NewPath("metadata.annotations"), nil, "name part must consist of"),
+				field.Invalid(field.NewPath("metadata.annotations"), nil, "").WithOrigin("format=k8s-label-key"),
 			},
 		},
 		"invalid restart policy 1": {
@@ -20302,8 +20465,10 @@ func TestValidateServiceUpdate(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, true)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RelaxedServiceNameValidation, tc.relaxedServiceNames)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.StrictIPCIDRValidation:       true,
+				features.RelaxedServiceNameValidation: tc.relaxedServiceNames,
+			})
 
 			oldSvc := makeValidService()
 			newSvc := makeValidService()
@@ -22824,6 +22989,7 @@ func TestValidateOSFields(t *testing.T) {
 		"Overhead",
 		"Tolerations",
 		"TopologySpreadConstraints",
+		"WorkloadRef",
 	)
 
 	expect := sets.NewString().Union(osSpecificFields).Union(osNeutralFields)
@@ -24207,8 +24373,10 @@ func TestCrossNamespaceSource(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AnyVolumeDataSource, true)
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CrossNamespaceVolumeDataSource, true)
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			features.AnyVolumeDataSource:            true,
+			features.CrossNamespaceVolumeDataSource: true,
+		})
 		opts := PersistentVolumeClaimSpecValidationOptions{}
 		if tc.expectedFail {
 			if errs := ValidatePersistentVolumeClaimSpec(tc.claimSpec, field.NewPath("spec"), opts); len(errs) == 0 {
@@ -24469,7 +24637,7 @@ func TestValidateTopologySpreadConstraints(t *testing.T) {
 			MatchLabelKeys:    []string{"/simple"},
 		}},
 		wantFieldErrors: field.ErrorList{
-			field.Invalid(fieldPathMatchLabelKeys.Index(0), nil, "").WithOrigin("labelKey"),
+			field.Invalid(fieldPathMatchLabelKeys.Index(0), nil, "").WithOrigin("format=k8s-label-key"),
 		},
 		opts: PodValidationOptions{
 			AllowMatchLabelKeysInPodTopologySpread:              true,
@@ -24485,7 +24653,7 @@ func TestValidateTopologySpreadConstraints(t *testing.T) {
 			MatchLabelKeys:    []string{"/simple"},
 		}},
 		wantFieldErrors: field.ErrorList{
-			field.Invalid(fieldPathMatchLabelKeys.Index(0), nil, "").WithOrigin("labelKey"),
+			field.Invalid(fieldPathMatchLabelKeys.Index(0), nil, "").WithOrigin("format=k8s-label-key"),
 		},
 		opts: PodValidationOptions{
 			AllowMatchLabelKeysInPodTopologySpread:              true,
@@ -24584,7 +24752,7 @@ func TestValidateTopologySpreadConstraints(t *testing.T) {
 			LabelSelector:     &metav1.LabelSelector{MatchLabels: map[string]string{"NoUppercaseOrSpecialCharsLike=Equals": "foo"}},
 		}},
 		wantFieldErrors: field.ErrorList{
-			field.Invalid(labelSelectorField.Child("matchLabels"), nil, "").WithOrigin("labelKey"),
+			field.Invalid(labelSelectorField.Child("matchLabels"), nil, "").WithOrigin("format=k8s-label-key"),
 		},
 		opts: PodValidationOptions{
 			AllowMatchLabelKeysInPodTopologySpread:              true,
@@ -26093,7 +26261,7 @@ func TestValidatePodHostName(t *testing.T) {
 				HostnameOverride: ptr.To(""),
 			},
 			expectedErrs: field.ErrorList{
-				field.Invalid(field.NewPath("spec.hostnameOverride"), "", "RFC 1123"),
+				field.Invalid(field.NewPath("spec.hostnameOverride"), nil, "").WithOrigin("format=k8s-long-name"),
 			},
 		},
 		{
@@ -26132,7 +26300,7 @@ func TestValidatePodHostName(t *testing.T) {
 				HostnameOverride: ptr.To("Not-RFC1123"),
 			},
 			expectedErrs: field.ErrorList{
-				field.Invalid(field.NewPath("spec.hostnameOverride"), "", "RFC 1123"),
+				field.Invalid(field.NewPath("spec.hostnameOverride"), nil, "").WithOrigin("format=k8s-long-name"),
 			},
 		},
 		{
@@ -26912,17 +27080,14 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 
 	testCases := []struct {
 		name             string
-		ipModeEnabled    bool
 		legacyIPs        bool
-		nonLBAllowed     bool
 		tweakOldLBStatus func(s *core.LoadBalancerStatus)
 		tweakLBStatus    func(s *core.LoadBalancerStatus)
 		tweakSvcSpec     func(s *core.ServiceSpec)
 		numErrs          int
 	}{
 		{
-			name:         "type is not LB",
-			nonLBAllowed: false,
+			name: "type is not LB",
 			tweakSvcSpec: func(s *core.ServiceSpec) {
 				s.Type = core.ServiceTypeClusterIP
 			},
@@ -26933,20 +27098,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 1,
 		}, {
-			name:         "type is not LB. back-compat",
-			nonLBAllowed: true,
-			tweakSvcSpec: func(s *core.ServiceSpec) {
-				s.Type = core.ServiceTypeClusterIP
-			},
-			tweakLBStatus: func(s *core.LoadBalancerStatus) {
-				s.Ingress = []core.LoadBalancerIngress{{
-					IP: "1.2.3.4",
-				}}
-			},
-			numErrs: 0,
-		}, {
-			name:          "valid vip ipMode",
-			ipModeEnabled: true,
+			name: "valid vip ipMode",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP:     "1.2.3.4",
@@ -26955,8 +27107,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 0,
 		}, {
-			name:          "valid proxy ipMode",
-			ipModeEnabled: true,
+			name: "valid proxy ipMode",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP:     "1.2.3.4",
@@ -26965,8 +27116,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 0,
 		}, {
-			name:          "invalid ipMode",
-			ipModeEnabled: true,
+			name: "invalid ipMode",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP:     "1.2.3.4",
@@ -26975,8 +27125,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 1,
 		}, {
-			name:          "missing ipMode with LoadbalancerIPMode enabled",
-			ipModeEnabled: true,
+			name: "missing ipMode",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP: "1.2.3.4",
@@ -26984,17 +27133,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 1,
 		}, {
-			name:          "missing ipMode with LoadbalancerIPMode disabled",
-			ipModeEnabled: false,
-			tweakLBStatus: func(s *core.LoadBalancerStatus) {
-				s.Ingress = []core.LoadBalancerIngress{{
-					IP: "1.2.3.4",
-				}}
-			},
-			numErrs: 0,
-		}, {
-			name:          "missing ip with ipMode present",
-			ipModeEnabled: true,
+			name: "missing ip with ipMode present",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IPMode: &ipModeProxy,
@@ -27002,9 +27141,8 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 1,
 		}, {
-			name:          "legacy IP with legacy validation",
-			ipModeEnabled: true,
-			legacyIPs:     true,
+			name:      "legacy IP with legacy validation",
+			legacyIPs: true,
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP:     "001.002.003.004",
@@ -27013,8 +27151,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 			},
 			numErrs: 0,
 		}, {
-			name:          "legacy IP with strict validation",
-			ipModeEnabled: true,
+			name: "legacy IP with strict validation",
 			tweakLBStatus: func(s *core.LoadBalancerStatus) {
 				s.Ingress = []core.LoadBalancerIngress{{
 					IP:     "001.002.003.004",
@@ -27074,15 +27211,7 @@ func TestValidateLoadBalancerStatus(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if !tc.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			} else {
-				// (This feature gate doesn't exist in 1.31 so we can't set it
-				// when testing !ipModeEnabled.)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, !tc.legacyIPs)
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, tc.ipModeEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AllowServiceLBStatusOnNonLB, tc.nonLBAllowed)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StrictIPCIDRValidation, !tc.legacyIPs)
 			oldStatus := core.LoadBalancerStatus{}
 			if tc.tweakOldLBStatus != nil {
 				tc.tweakOldLBStatus(&oldStatus)
@@ -27857,6 +27986,60 @@ func TestValidatePodResize(t *testing.T) {
 		new  *core.Pod
 		err  string
 	}{
+		{
+			test: "pod-level resources resize with nil resources in old pod",
+			new: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("100m", "100Mi", "", ""),
+					}))),
+				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
+			),
+			old: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("200m", "", "", ""),
+					}))),
+				podtest.SetPodResources(nil),
+			),
+			err: "",
+		},
+		{
+			test: "pod-level resources resize with nil requests in old pod",
+			new: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("100m", "100Mi", "", ""),
+					}))),
+				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
+			),
+			old: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("", "", "", ""),
+					}))),
+				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("", "200Mi", "", "")}),
+			),
+			err: "",
+		},
+		{
+			test: "pod-level resources resize with nil limits in old pod",
+			new: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("100m", "100Mi", "", ""),
+					}))),
+				podtest.SetPodResources(&core.ResourceRequirements{Requests: getResources("100m", "200Mi", "", "")}),
+			),
+			old: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Limits: getResources("", "", "", ""),
+					}))),
+				podtest.SetPodResources(&core.ResourceRequirements{Requests: getResources("", "200Mi", "", "")}),
+			),
+			err: "",
+		},
 		{
 			test: "pod-level resources with container cpu limit change",
 			new: podtest.MakePod("pod",
@@ -27873,7 +28056,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		}, {
 			test: "pod-level resources with container memory limit change",
 			new: podtest.MakePod("pod",
@@ -27890,7 +28073,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		},
 		{
 			test: "pod-level resources with container cpu request change",
@@ -27908,7 +28091,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		}, {
 			test: "pod-level resources with container memory request change",
 			new: podtest.MakePod("pod",
@@ -27925,7 +28108,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		},
 		{
 			test: "pod-level resources with pod-level memory limit change",
@@ -27943,7 +28126,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("200m", "100Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		},
 		{
 			test: "pod-level resources with pod-level memory request change",
@@ -27961,7 +28144,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Requests: getResources("200m", "100Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		},
 		{
 			test: "pod-level resources with pod-level cpu limit change",
@@ -27979,7 +28162,7 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Limits: getResources("100m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
 		},
 		{
 			test: "pod-level resources with pod-level cpu request change",
@@ -27997,7 +28180,31 @@ func TestValidatePodResize(t *testing.T) {
 					}))),
 				podtest.SetPodResources(&core.ResourceRequirements{Requests: getResources("200m", "200Mi", "", "")}),
 			),
-			err: "pods with pod-level resources cannot be resized",
+			err: "",
+		},
+		{
+			test: "pod-level resources with pod-level storage changes",
+			new: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{Requests: getResources("100m", "100Mi", "", "")}),
+					podtest.SetContainerResizePolicy(core.ContainerResizePolicy{ResourceName: core.ResourceMemory, RestartPolicy: core.NotRequired}),
+				)),
+				podtest.SetPodResources(&core.ResourceRequirements{
+					Requests: getResources("100m", "100Mi", "", "200Mi"),
+					Limits:   getResources("100m", "100Mi", "", ""),
+				}),
+			),
+			old: podtest.MakePod("pod",
+				podtest.SetContainers(podtest.MakeContainer("container",
+					podtest.SetContainerResources(core.ResourceRequirements{Requests: getResources("100m", "100Mi", "", "")}),
+					podtest.SetContainerResizePolicy(core.ContainerResizePolicy{ResourceName: core.ResourceMemory, RestartPolicy: core.NotRequired}),
+				)),
+				podtest.SetPodResources(&core.ResourceRequirements{
+					Requests: getResources("200m", "100Mi", "", "100Mi"),
+					Limits:   getResources("100m", "200Mi", "", ""),
+				}),
+			),
+			err: "spec: Forbidden: only cpu and memory resources are mutable",
 		},
 		{
 			test: "cpu limit change",
@@ -28241,6 +28448,11 @@ func TestValidatePodResize(t *testing.T) {
 			old:  mkPodWithInitContainers(core.ResourceList{}, getResources("100m", "200Mi", "", ""), core.ContainerRestartPolicyAlways),
 			new:  mkPodWithInitContainers(core.ResourceList{}, getResources("100m", "100Mi", "", ""), core.ContainerRestartPolicyAlways),
 			err:  "",
+		}, {
+			test: "memory limit decrease for sidecar containers, resize policy RestartContainer",
+			old:  mkPodWithInitContainers(core.ResourceList{}, getResources("100m", "200Mi", "", ""), core.ContainerRestartPolicyAlways, resizePolicy(core.ResourceMemory, core.RestartContainer)),
+			new:  mkPodWithInitContainers(core.ResourceList{}, getResources("100m", "100Mi", "", ""), core.ContainerRestartPolicyAlways, resizePolicy(core.ResourceMemory, core.RestartContainer)),
+			err:  "",
 		}, {
 			test: "storage limit change for sidecar containers",
 			old:  mkPodWithInitContainers(core.ResourceList{}, getResources("100m", "100Mi", "2Gi", ""), core.ContainerRestartPolicyAlways),
@@ -28348,6 +28560,21 @@ func TestValidatePodResize(t *testing.T) {
 			old:  mkPodWithInitContainers(getResources("100m", "0", "1Gi", ""), core.ResourceList{}, core.ContainerRestartPolicyAlways, resizePolicy(core.ResourceMemory, core.RestartContainer)),
 			new:  mkPodWithInitContainers(getResources("100m", "0", "2Gi", ""), core.ResourceList{}, core.ContainerRestartPolicyAlways, resizePolicy(core.ResourceMemory, core.NotRequired)),
 			err:  "spec: Forbidden: only cpu and memory resources are mutable",
+		}, {
+			test: "invalid: adding non-resizable resources to a container without resources",
+			old: podtest.MakePod("pod", podtest.SetContainers(
+				podtest.MakeContainer("c1"),
+			)),
+			new: podtest.MakePod("pod", podtest.SetContainers(
+				podtest.MakeContainer("c1",
+					podtest.SetContainerResources(core.ResourceRequirements{
+						Requests: core.ResourceList{
+							core.ResourceEphemeralStorage: resource.MustParse("10Gi"),
+						},
+					}),
+				),
+			)),
+			err: "spec: Forbidden: only cpu and memory resources are mutable",
 		},
 	}
 
@@ -28378,7 +28605,8 @@ func TestValidatePodResize(t *testing.T) {
 				test.old.Spec.RestartPolicy = "Always"
 			}
 
-			errs := ValidatePodResize(test.new, test.old, PodValidationOptions{AllowSidecarResizePolicy: true})
+			errs := ValidatePodResize(test.new, test.old, PodValidationOptions{AllowSidecarResizePolicy: true, InPlacePodLevelResourcesVerticalScalingEnabled: true, PodLevelResourcesEnabled: true})
+
 			if test.err == "" {
 				if len(errs) != 0 {
 					t.Errorf("unexpected invalid: (%+v)\nA: %+v\nB: %+v", errs, test.new, test.old)
@@ -29073,9 +29301,10 @@ func TestValidateContainerRestartPolicy(t *testing.T) {
 	podRestartPolicyAlways := core.RestartPolicyAlways
 
 	successCases := []struct {
-		Name               string
-		RestartPolicy      *core.ContainerRestartPolicy
-		RestartPolicyRules []core.ContainerRestartRule
+		Name                      string
+		RestartPolicy             *core.ContainerRestartPolicy
+		RestartPolicyRules        []core.ContainerRestartRule
+		AllowRestartAllContainers bool
 	}{
 		{
 			Name: "no-restart-policy-and-rules",
@@ -29099,6 +29328,17 @@ func TestValidateContainerRestartPolicy(t *testing.T) {
 					Values:   []int32{42},
 				},
 			}},
+		}, {
+			Name:          "restart-all-containers",
+			RestartPolicy: &containerRestartPolicyNever,
+			RestartPolicyRules: []core.ContainerRestartRule{{
+				Action: "RestartAllContainers",
+				ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+					Operator: "In",
+					Values:   []int32{42},
+				},
+			}},
+			AllowRestartAllContainers: true,
 		},
 	}
 
@@ -29114,6 +29354,7 @@ func TestValidateContainerRestartPolicy(t *testing.T) {
 			}}
 			opts := PodValidationOptions{
 				AllowContainerRestartPolicyRules: true,
+				AllowRestartAllContainers:        tc.AllowRestartAllContainers,
 			}
 			errs := validateContainers(containers, podOS, volumeDevices, nil, defaultGracePeriod, field.NewPath("containers"), opts, &podRestartPolicyAlways, noUserNamespace)
 			if len(errs) > 0 {
@@ -29262,28 +29503,71 @@ func TestValidateContainerRestartPolicy(t *testing.T) {
 		})
 	}
 
-	// test cases sidecar containers
+	containerRestartPolicyAlways := core.ContainerRestartPolicyAlways
+	// test cases init containers
 	cases := []struct {
 		title              string
+		restartPolicy      *core.ContainerRestartPolicy
 		restartPolicyRules []core.ContainerRestartRule
+		opts               PodValidationOptions
 		expectedErrors     field.ErrorList
 	}{
 		{
 			"sidecar containers without restart policy rules",
+			&containerRestartPolicyAlways,
 			nil,
+			PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+			},
 			nil,
 		},
 		{
-			"restart policy rules are not supported with restart policy Always",
+			"restart policy rules are supported with restart policy Always with option",
+			&containerRestartPolicyAlways,
 			[]core.ContainerRestartRule{{
-				Action: core.ContainerRestartRuleActionRestart,
+				Action: core.ContainerRestartRuleActionRestartAllContainers,
+				ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+					Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+					Values:   []int32{1},
+				},
+			}},
+			PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+				AllowRestartAllContainers:        true,
+			},
+			nil,
+		},
+		{
+			"restart policy rules are not supported with restart policy Always without option",
+			&containerRestartPolicyAlways,
+			[]core.ContainerRestartRule{{
+				Action: core.ContainerRestartRuleActionRestartAllContainers,
 				ExitCodes: &core.ContainerRestartRuleOnExitCodes{
 					Operator: core.ContainerRestartRuleOnExitCodesOpIn,
 					Values:   []int32{1},
 				},
 			}},
+			PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+			},
 			field.ErrorList{{Type: field.ErrorTypeForbidden, Field: "initContainers[0].restartPolicyRules", BadValue: ""}},
 		},
+		{
+			"restart policy rules are not supported if no restart policy is set",
+			nil,
+			[]core.ContainerRestartRule{{
+				Action: core.ContainerRestartRuleActionRestartAllContainers,
+				ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+					Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+					Values:   []int32{1},
+				},
+			}},
+			PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+				AllowRestartAllContainers:        true,
+			},
+			field.ErrorList{{Type: field.ErrorTypeRequired, Field: "initContainers[0].restartPolicy", BadValue: ""}},
+		},
 	}
 
 	for _, tc := range cases {
@@ -29293,13 +29577,10 @@ func TestValidateContainerRestartPolicy(t *testing.T) {
 				Image:                    "image",
 				ImagePullPolicy:          "IfNotPresent",
 				TerminationMessagePolicy: "File",
-				RestartPolicy:            &containerRestartPolicyAlways,
+				RestartPolicy:            tc.restartPolicy,
 				RestartPolicyRules:       tc.restartPolicyRules,
 			}}
-			opts := PodValidationOptions{
-				AllowContainerRestartPolicyRules: true,
-			}
-			errs := validateInitContainers(containers, podOS, nil, volumeDevices, nil, defaultGracePeriod, field.NewPath("initContainers"), opts, &podRestartPolicyAlways, noUserNamespace)
+			errs := validateInitContainers(containers, podOS, nil, volumeDevices, nil, defaultGracePeriod, field.NewPath("initContainers"), tc.opts, &podRestartPolicyAlways, noUserNamespace)
 			if tc.expectedErrors == nil {
 				if len(errs) > 0 {
 					t.Errorf("unexpected errors: %v", prettyErrorList(errs))
@@ -29414,13 +29695,258 @@ func TestValidateContainerStateTransition(t *testing.T) {
 			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
 			expectErr:   true,
 		},
+		{
+			name: "restart allowed if the container have RestartAllContainers actions",
+			podSpec: core.PodSpec{
+				RestartPolicy: core.RestartPolicyNever,
+				Containers: []core.Container{
+					{
+						Name:          "c1",
+						Image:         "image",
+						RestartPolicy: &containerRestartPolicyNever,
+						RestartPolicyRules: []core.ContainerRestartRule{
+							{
+								Action: core.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+									Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{42},
+								},
+							},
+						},
+					},
+				},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+		},
+		{
+			name: "restart allowed if other container have RestartAllContainers actions",
+			podSpec: core.PodSpec{
+				RestartPolicy: core.RestartPolicyNever,
+				Containers: []core.Container{
+					container1RestartNever,
+					{
+						Name:          "c2",
+						Image:         "image",
+						RestartPolicy: &containerRestartPolicyNever,
+						RestartPolicyRules: []core.ContainerRestartRule{
+							{
+								Action: core.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+									Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{42},
+								},
+							},
+						},
+					},
+				},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerRestartRules, true)
+			opts := PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+				AllowRestartAllContainers:        true,
+			}
+			errs := ValidateContainerStateTransition(tc.newStatuses, tc.oldStatuses, field.NewPath("field"), tc.podSpec, opts)
 
-			errs := ValidateContainerStateTransition(tc.newStatuses, tc.oldStatuses, field.NewPath("field"), tc.podSpec)
+			if tc.expectErr && len(errs) == 0 {
+				t.Errorf("Unexpected success")
+			}
+			if !tc.expectErr && len(errs) > 0 {
+				t.Errorf("Unexpected error(s): %v", errs)
+			}
+		})
+	}
+}
+
+func TestValidateInitContainerStateTransition(t *testing.T) {
+	var (
+		containerRestartPolicyAlways = core.ContainerRestartPolicyAlways
+		containerRestartPolicyNever  = core.ContainerRestartPolicyNever
+	)
+	runningState := core.ContainerState{Running: &core.ContainerStateRunning{}}
+	terminatedState := func(exitCode int32) core.ContainerState {
+		return core.ContainerState{Terminated: &core.ContainerStateTerminated{ExitCode: exitCode}}
+	}
+
+	container1 := core.Container{Name: "c1", Image: "image"}
+	container1RestartNever := core.Container{Name: "c1", Image: "image", RestartPolicy: &containerRestartPolicyNever}
+	container1RestartAlways := core.Container{Name: "c1", Image: "image", RestartPolicy: &containerRestartPolicyAlways}
+	container1RestartRuleIn42 := core.Container{
+		Name:          "c1",
+		Image:         "image",
+		RestartPolicy: &containerRestartPolicyNever,
+		RestartPolicyRules: []core.ContainerRestartRule{
+			{
+				Action: core.ContainerRestartRuleActionRestart,
+				ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+					Operator: "In",
+					Values:   []int32{42},
+				},
+			},
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		podSpec     core.PodSpec
+		oldStatuses []core.ContainerStatus
+		newStatuses []core.ContainerStatus
+		expectErr   bool
+	}{
+		{
+			name: "feature enabled, not terminated",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyNever,
+				InitContainers: []core.Container{container1RestartNever},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   false,
+		},
+		{
+			name: "feature enabled, restart allowed by pod policy 'Always'",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyAlways,
+				InitContainers: []core.Container{container1},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(0)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   false,
+		},
+		{
+			name: "feature enabled, restart allowed by pod policy 'OnFailure' with exit 1",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyOnFailure,
+				InitContainers: []core.Container{container1},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   false,
+		},
+		{
+			name: "feature enabled, restart not allowed by pod policy 'OnFailure' with exit 0",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyOnFailure,
+				InitContainers: []core.Container{container1},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(0)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   true,
+		},
+		{
+			name: "feature enabled, restart not allowed by pod policy 'Never', with transition",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyNever,
+				InitContainers: []core.Container{container1},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(0)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   true,
+		},
+		{
+			name: "feature enabled, restart allowed by container policy 'Always'",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyNever,
+				InitContainers: []core.Container{container1RestartAlways},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(0)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   false,
+		},
+		{
+			name: "feature enabled, restart not allowed by container policy 'Never'",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyAlways,
+				InitContainers: []core.Container{container1RestartNever},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(0)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   true,
+		},
+		{
+			name: "feature enabled, restart allowed by container rule",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyNever,
+				InitContainers: []core.Container{container1RestartRuleIn42},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(42)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   false,
+		},
+		{
+			name: "feature enabled, restart not allowed by container rule mismatch",
+			podSpec: core.PodSpec{
+				RestartPolicy:  core.RestartPolicyNever,
+				InitContainers: []core.Container{container1RestartRuleIn42},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+			expectErr:   true,
+		},
+		{
+			name: "restart allowed if the container have RestartAllContainers actions",
+			podSpec: core.PodSpec{
+				RestartPolicy: core.RestartPolicyNever,
+				InitContainers: []core.Container{
+					{
+						Name:          "c1",
+						Image:         "image",
+						RestartPolicy: &containerRestartPolicyNever,
+						RestartPolicyRules: []core.ContainerRestartRule{
+							{
+								Action: core.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+									Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{42},
+								},
+							},
+						},
+					},
+				},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+		},
+		{
+			name: "restart allowed if other container have RestartAllContainers actions",
+			podSpec: core.PodSpec{
+				RestartPolicy: core.RestartPolicyNever,
+				InitContainers: []core.Container{
+					container1RestartNever,
+					{
+						Name:          "c2",
+						Image:         "image",
+						RestartPolicy: &containerRestartPolicyNever,
+						RestartPolicyRules: []core.ContainerRestartRule{
+							{
+								Action: core.ContainerRestartRuleActionRestartAllContainers,
+								ExitCodes: &core.ContainerRestartRuleOnExitCodes{
+									Operator: core.ContainerRestartRuleOnExitCodesOpIn,
+									Values:   []int32{42},
+								},
+							},
+						},
+					},
+				},
+			},
+			oldStatuses: []core.ContainerStatus{{Name: "c1", State: terminatedState(1)}},
+			newStatuses: []core.ContainerStatus{{Name: "c1", State: runningState}},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := PodValidationOptions{
+				AllowContainerRestartPolicyRules: true,
+				AllowRestartAllContainers:        true,
+			}
+			errs := ValidateInitContainerStateTransition(tc.newStatuses, tc.oldStatuses, field.NewPath("field"), tc.podSpec, opts)
 
 			if tc.expectErr && len(errs) == 0 {
 				t.Errorf("Unexpected success")
@@ -29431,3 +29957,392 @@ func TestValidateContainerStateTransition(t *testing.T) {
 		})
 	}
 }
+
+func TestNumericTolerationsWithFeatureGate(t *testing.T) {
+	testCases := []struct {
+		name          string
+		toleration    core.Toleration
+		featureGateOn bool
+		errorMsg      string
+	}{
+		{
+			name: "Gt operator with valid numeric value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpGt,
+				Value:    "950",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+		},
+		{
+			name: "Lt operator with valid numeric value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpLt,
+				Value:    "800",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+		},
+		{
+			name: "Gt operator with negative numeric value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "-100",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+		},
+		{
+			name: "Gt operator with non-numeric value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpGt,
+				Value:    "high",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "high"),
+		},
+		{
+			name: "Gt operator with leading zeros and feature gate enabled (invalid - strict validation)",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpGt,
+				Value:    "0950",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "0950"),
+		},
+		{
+			name: "Gt operator with value '0' and feature gate enabled (valid)",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "0",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+		},
+		{
+			name: "Gt operator with decimal value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpGt,
+				Value:    "95.5",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "95.5"),
+		},
+		{
+			name: "Gt operator with just minus sign and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "-",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "-"),
+		},
+		{
+			name: "Gt operator with plus sign and feature gate enabled (invalid - strict validation)",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "+100",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "+100"),
+		},
+		{
+			name: "Gt operator with space in value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "95 0",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be a valid decimal integer in canonical form", "95 0"),
+		},
+		{
+			name: "Gt operator with empty value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: must be non-empty", ""),
+		},
+		{
+			name: "Lt operator with feature gate disabled",
+			toleration: core.Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: core.TolerationOpLt,
+				Value:    "950",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: false,
+			errorMsg:      "Unsupported value",
+		},
+		{
+			name: "Gt operator with max int64 value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "9223372036854775807",
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+		},
+		{
+			name: "Gt operator with overflow value and feature gate enabled",
+			toleration: core.Toleration{
+				Key:      "test-key",
+				Operator: core.TolerationOpGt,
+				Value:    "9223372036854775808", // max int64 + 1
+				Effect:   core.TaintEffectNoSchedule,
+			},
+			featureGateOn: true,
+			errorMsg:      fmt.Sprintf("tolerations[0].value: Invalid value: %q: strconv.ParseInt: parsing %q: value out of range", "9223372036854775808", "9223372036854775808"),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TaintTolerationComparisonOperators, tc.featureGateOn)
+
+			opts := PodValidationOptions{
+				AllowTaintTolerationComparisonOperators: tc.featureGateOn,
+			}
+			errs := ValidateTolerations([]core.Toleration{tc.toleration}, field.NewPath("tolerations"), opts)
+
+			if tc.errorMsg != "" {
+				if len(errs) == 0 {
+					t.Errorf("Expected error but got none")
+				} else if !strings.Contains(errs.ToAggregate().Error(), tc.errorMsg) {
+					t.Errorf("Expected error message to contain %q, got %q", tc.errorMsg, errs.ToAggregate().Error())
+				}
+			} else {
+				if len(errs) > 0 {
+					t.Errorf("Unexpected error(s): %v", errs)
+				}
+			}
+		})
+	}
+}
+
+func TestAllRegistedNodeDeclaredFeatures(t *testing.T) {
+	// Test that feature registry is valid.
+	for _, feature := range ndf.AllFeatures {
+		if err := validateNodeDeclaredFeatureName(feature.Name()); err != nil {
+			t.Fatalf("ValidateFeatures() = %v, want nil", err)
+		}
+	}
+	// Soft limit to catch potential uncontrolled growth of node registered features.
+	const maxNodeDeclaredFeatures = 128
+	if len(ndf.AllFeatures) > maxNodeDeclaredFeatures {
+		t.Errorf("Number of registered node declared features (%d) exceeds the limit of %d. Please review if this is expected and update the threshold if necessary.", len(ndf.AllFeatures), maxNodeDeclaredFeatures)
+	}
+}
+
+func TestValidateNodeDeclaredFeatures(t *testing.T) {
+	makeNode := func(declaredFeatures []string) *core.Node {
+		node := makeNode("test-node", nil)
+		node.Status.DeclaredFeatures = declaredFeatures
+		node.ObjectMeta.ResourceVersion = "1"
+		return &node
+	}
+	testCases := []struct {
+		name             string
+		declaredFeatures []string
+		expectErr        bool
+		expectedErrType  field.ErrorType
+		expectedErrPath  string
+		expectedErrMsg   string
+	}{
+		{
+			name:             "empty feature list",
+			declaredFeatures: []string{},
+			expectErr:        false,
+		},
+		{
+			name:             "valid features",
+			declaredFeatures: []string{"AnotherFeature", "MyFeature", "MyFeature/SubFeature"},
+			expectErr:        false,
+		},
+		{
+			name:             "duplicate feature names",
+			declaredFeatures: []string{"MyFeature", "MyFeature"},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeDuplicate,
+			expectedErrPath:  "status.declaredFeatures[1]",
+			expectedErrMsg:   "Duplicate value",
+		},
+		{
+			name:             "unsorted feature names",
+			declaredFeatures: []string{"MyFeature", "AnotherFeature"},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeInvalid,
+			expectedErrPath:  "status.declaredFeatures[1]",
+			expectedErrMsg:   "list must be sorted alphabetically",
+		},
+		{
+			name:             "mixed valid and invalid",
+			declaredFeatures: []string{"AnotherFeature", "invalid", "MyFeature"},
+			expectErr:        true,
+		},
+		{
+			name:             "invalid feature name format",
+			declaredFeatures: []string{"myFeature"},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeInvalid,
+			expectedErrPath:  "status.declaredFeatures[0]",
+			expectedErrMsg:   "invalid feature name",
+		},
+		{
+			name:             "invalid feature name - kebab-case",
+			declaredFeatures: []string{"Feature-name"},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeInvalid,
+			expectedErrPath:  "status.declaredFeatures[0]",
+			expectedErrMsg:   "invalid feature name",
+		},
+		{
+			name:             "invalid feature name - ends with slash",
+			declaredFeatures: []string{"FeatureA/"},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeInvalid,
+			expectedErrPath:  "status.declaredFeatures[0]",
+			expectedErrMsg:   "invalid feature name",
+		},
+		{
+			name:             "invalid feature name - name too long",
+			declaredFeatures: []string{"F" + strings.Repeat("e", validation.DNS1123SubdomainMaxLength)},
+			expectErr:        true,
+			expectedErrType:  field.ErrorTypeInvalid,
+			expectedErrPath:  "status.declaredFeatures[0]",
+			expectedErrMsg:   "invalid feature name",
+		},
+	}
+
+	for _, tc := range testCases {
+		for _, op := range []string{"create", "update"} {
+			t.Run(strings.Join([]string{tc.name, op}, "-"), func(t *testing.T) {
+				var errs field.ErrorList
+				if op == "create" {
+					errs = ValidateNode(makeNode(tc.declaredFeatures))
+				} else {
+					errs = ValidateNodeUpdate(makeNode(tc.declaredFeatures), makeNode([]string{}))
+				}
+				if tc.expectErr {
+					if len(errs) == 0 {
+						t.Errorf("Expected error but got none")
+					} else {
+						found := false
+						for _, err := range errs {
+							t.Logf("DEBUG: tc.expectedErrType: %v err.Type:%v err.Field :%v  tc.expectedErrPath:%v", tc.expectedErrType, err.Type, err.Field, tc.expectedErrPath)
+							t.Logf("DEBUG: err.Type == tc.expectedErrType:%v err.Field == tc.expectedErrPath:%v", err.Type == tc.expectedErrType, err.Field == tc.expectedErrPath)
+							t.Logf("DEBUG: tc.expectedErrMsg: %v err.Error() :%v contains:%v", tc.expectedErrMsg, err.Error(), strings.Contains(err.Error(), tc.expectedErrMsg))
+							if tc.expectedErrType != "" && err.Type == tc.expectedErrType && err.Field == tc.expectedErrPath {
+								if tc.expectedErrMsg != "" && strings.Contains(err.Error(), tc.expectedErrMsg) {
+									found = true
+									break
+								} else if tc.expectedErrMsg == "" {
+									found = true
+									break
+								}
+							} else if tc.expectedErrType == "" {
+								found = true
+								break
+							}
+						}
+						if !found && tc.expectErr {
+							t.Errorf("Expected error with type `%s` on field `%s` containing `%q` but got `%v`", tc.expectedErrType, tc.expectedErrPath, tc.expectedErrMsg, errs)
+						}
+					}
+				} else if len(errs) > 0 {
+					t.Errorf("Unexpected error: %v", errs)
+				}
+			})
+		}
+	}
+}
+
+func TestValidateWorkloadReference(t *testing.T) {
+	successCases := map[string]*core.Pod{
+		"correct": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           "group",
+			PodGroupReplicaKey: "replica",
+		})),
+		"no replica key": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           "group",
+			PodGroupReplicaKey: "",
+		})),
+	}
+	for name, pod := range successCases {
+		errs := ValidatePodSpec(&pod.Spec, &pod.ObjectMeta, field.NewPath("field"), PodValidationOptions{})
+		if len(errs) != 0 {
+			t.Errorf("Expected success for %q: %v", name, errs)
+		}
+	}
+
+	failureCases := map[string]*core.Pod{
+		"empty workload name": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "",
+			PodGroup:           "group",
+			PodGroupReplicaKey: "replica",
+		})),
+		"incorrect workload name": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               ".workload",
+			PodGroup:           "group",
+			PodGroupReplicaKey: "replica",
+		})),
+		"too long workload name": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               strings.Repeat("w", 254),
+			PodGroup:           "group",
+			PodGroupReplicaKey: "replica",
+		})),
+		"empty pod group": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           "",
+			PodGroupReplicaKey: "replica",
+		})),
+		"incorrect pod group": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           ".group",
+			PodGroupReplicaKey: "replica",
+		})),
+		"too long pod group": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           strings.Repeat("g", 64),
+			PodGroupReplicaKey: "replica",
+		})),
+		"incorrect replica key": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           "group",
+			PodGroupReplicaKey: ".replica",
+		})),
+		"too long replica key": podtest.MakePod("", podtest.SetWorkloadRef(&core.WorkloadReference{
+			Name:               "workload",
+			PodGroup:           "group",
+			PodGroupReplicaKey: strings.Repeat("r", 64),
+		})),
+	}
+	for name, pod := range failureCases {
+		errs := ValidatePodSpec(&pod.Spec, &pod.ObjectMeta, field.NewPath("field"), PodValidationOptions{})
+		if len(errs) == 0 {
+			t.Errorf("Expected failure for %q", name)
+		}
+	}
+}
diff --git a/pkg/apis/core/zz_generated.deepcopy.go b/pkg/apis/core/zz_generated.deepcopy.go
index de1b33b9b82f9..017ac70cd420a 100644
--- a/pkg/apis/core/zz_generated.deepcopy.go
+++ b/pkg/apis/core/zz_generated.deepcopy.go
@@ -3147,6 +3147,11 @@ func (in *NodeStatus) DeepCopyInto(out *NodeStatus) {
 		*out = new(NodeFeatures)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.DeclaredFeatures != nil {
+		in, out := &in.DeclaredFeatures, &out.DeclaredFeatures
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -3905,6 +3910,13 @@ func (in *PodCertificateProjection) DeepCopyInto(out *PodCertificateProjection)
 		*out = new(int32)
 		**out = **in
 	}
+	if in.UserAnnotations != nil {
+		in, out := &in.UserAnnotations, &out.UserAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }
 
@@ -4559,6 +4571,11 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.WorkloadRef != nil {
+		in, out := &in.WorkloadRef, &out.WorkloadRef
+		*out = new(WorkloadReference)
+		**out = **in
+	}
 	return
 }
 
@@ -4629,6 +4646,18 @@ func (in *PodStatus) DeepCopyInto(out *PodStatus) {
 		*out = new(PodExtendedResourceClaimStatus)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.AllocatedResources != nil {
+		in, out := &in.AllocatedResources, &out.AllocatedResources
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = new(ResourceRequirements)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -6834,3 +6863,19 @@ func (in *WindowsSecurityContextOptions) DeepCopy() *WindowsSecurityContextOptio
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadReference) DeepCopyInto(out *WorkloadReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadReference.
+func (in *WorkloadReference) DeepCopy() *WorkloadReference {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadReference)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/pkg/apis/discovery/types.go b/pkg/apis/discovery/types.go
index c31c8f19ee83f..de78ceeed28d5 100644
--- a/pkg/apis/discovery/types.go
+++ b/pkg/apis/discovery/types.go
@@ -138,10 +138,7 @@ type EndpointHints struct {
 	ForZones []ForZone
 
 	// forNodes indicates the node(s) this endpoint should be consumed by when
-	// using topology aware routing.
-	// This is an Alpha feature and is only used when the PreferSameTrafficDistribution
-	// feature gate is enabled. May contain a maximum of 8 entries.
-	// +featureGate=PreferSameTrafficDistribution
+	// using topology aware routing. May contain a maximum of 8 entries.
 	ForNodes []ForNode
 }
 
diff --git a/pkg/apis/networking/validation/validation.go b/pkg/apis/networking/validation/validation.go
index 511adaf5d6977..31e5b29a2f59b 100644
--- a/pkg/apis/networking/validation/validation.go
+++ b/pkg/apis/networking/validation/validation.go
@@ -707,7 +707,20 @@ func allowRelaxedServiceNameValidation(oldIngress *networking.Ingress) bool {
 	if oldIngress == nil {
 		return false
 	}
-	// If feature gate is disabled, check if any service names in the old Ingresss
+
+	// Check if default backend service names in the old Ingress
+	if oldIngress.Spec.DefaultBackend != nil && oldIngress.Spec.DefaultBackend.Service != nil {
+		serviceName := oldIngress.Spec.DefaultBackend.Service.Name
+		// If a name doesn't validate with apimachineryvalidation.NameIsDNS1035Label, but does validate with apimachineryvalidation.NameIsDNSLabel,
+		// then we allow it to be used as a Service name in an Ingress.
+		dnsLabelValidationErrors := apimachineryvalidation.NameIsDNSLabel(serviceName, false)
+		dns1035LabelValidationErrors := apimachineryvalidation.NameIsDNS1035Label(serviceName, false)
+		if len(dnsLabelValidationErrors) == 0 && len(dns1035LabelValidationErrors) > 0 {
+			return true
+		}
+	}
+
+	// If feature gate is disabled, check if any service names in the old Ingress
 	for _, rule := range oldIngress.Spec.Rules {
 		if rule.HTTP == nil {
 			continue
diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index 888904e693784..43a48de45e61c 100644
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
@@ -1663,6 +1663,23 @@ func TestValidateIngressUpdate(t *testing.T) {
 			},
 			expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec").Child("rules").Index(0).Child("http").Child("paths").Index(0).Child("backend").Child("service").Child("name"), "1-test-service", `a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character (e.g. 'my-name',  or 'abc-123', regex used for validation is '[a-z]([-a-z0-9]*[a-z0-9])?')`)},
 		},
+		"update defaultBackend service to conform to relaxed service name - RelaxedServiceNameValidation disabled": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+				newIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "1-test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+			},
+			expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec").Child("defaultBackend").Child("service").Child("name"), "1-test-service", `a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character (e.g. 'my-name',  or 'abc-123', regex used for validation is '[a-z]([-a-z0-9]*[a-z0-9])?')`)},
+		},
 		"update service to conform to relaxed service name - RelaxedServiceNameValidation enabled": {
 			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
 				oldIngress.Spec.Rules = []networking.IngressRule{{
@@ -1702,6 +1719,23 @@ func TestValidateIngressUpdate(t *testing.T) {
 			},
 			relaxedServiceName: true,
 		},
+		"update defaultBackend service to conform to relaxed service name - RelaxedServiceNameValidation enabled": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+				newIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "1-test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+			},
+			relaxedServiceName: true,
+		},
 		"updating an already existing relaxed validation service name with RelaxedServiceNameValidation disabled": {
 			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
 				oldIngress.Spec.Rules = []networking.IngressRule{{
@@ -1740,6 +1774,22 @@ func TestValidateIngressUpdate(t *testing.T) {
 				}}
 			},
 		},
+		"updating an already existing relaxed validation defaultBackend service name with RelaxedServiceNameValidation disabled": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "1-test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+				newIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "2-test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+			},
+		},
 		"updating an already existing relaxed validation service name to a non-relaxed name with RelaxedServiceNameValidation disabled": {
 			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
 				oldIngress.Spec.Rules = []networking.IngressRule{{
@@ -1778,6 +1828,22 @@ func TestValidateIngressUpdate(t *testing.T) {
 				}}
 			},
 		},
+		"updating an already existing relaxed validation defaultBackend service name to a non-relaxed name with RelaxedServiceNameValidation disabled": {
+			tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
+				oldIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "1-test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+				newIngress.Spec.DefaultBackend = &networking.IngressBackend{
+					Service: &networking.IngressServiceBackend{
+						Name: "test-service",
+						Port: networking.ServiceBackendPort{Number: 80},
+					},
+				}
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
@@ -2896,6 +2962,19 @@ func TestAllowRelaxedServiceNameValidation(t *testing.T) {
 		return &networking.Ingress{Spec: networking.IngressSpec{Rules: rules}}
 	}
 
+	ingressWithDefaultBackend := func(defaultBackendName string, ruleServiceNames ...string) *networking.Ingress {
+		ing := basicIngress(ruleServiceNames...)
+		if defaultBackendName != "" {
+			ing.Spec.DefaultBackend = &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: defaultBackendName,
+					Port: networking.ServiceBackendPort{Number: 80},
+				},
+			}
+		}
+		return ing
+	}
+
 	tests := []struct {
 		name    string
 		ingress *networking.Ingress
@@ -2926,14 +3005,43 @@ func TestAllowRelaxedServiceNameValidation(t *testing.T) {
 			ingress: basicIngress("validname", "1abc-def"),
 			expect:  true,
 		},
+		{
+			name:    "defaultBackend with valid DNS1035 name",
+			ingress: ingressWithDefaultBackend("validname"),
+			expect:  false,
+		},
+		{
+			name:    "defaultBackend with DNS1123 valid but DNS1035 invalid name (starts with digit)",
+			ingress: ingressWithDefaultBackend("1-default-service"),
+			expect:  true,
+		},
+		{
+			name:    "defaultBackend relaxed name with valid rules",
+			ingress: ingressWithDefaultBackend("1-default", "valid-rule-service"),
+			expect:  true,
+		},
+		{
+			name:    "only rules have relaxed name, defaultBackend is valid",
+			ingress: ingressWithDefaultBackend("valid-default", "1-rule-service"),
+			expect:  true,
+		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
+			// Test feature with gate disabled
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RelaxedServiceNameValidation, false)
 			got := allowRelaxedServiceNameValidation(tc.ingress)
 			if got != tc.expect {
 				t.Errorf("allowRelaxedServiceNameValidation() = %v, want %v", got, tc.expect)
 			}
+
+			// Test feature with gate enabled - it should always return true
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RelaxedServiceNameValidation, true)
+			got = allowRelaxedServiceNameValidation(tc.ingress)
+			if got != true {
+				t.Errorf("allowRelaxedServiceNameValidation() = %v, want %v", got, true)
+			}
 		})
 	}
 }
diff --git a/pkg/apis/node/validation/validation.go b/pkg/apis/node/validation/validation.go
index d66e82b93825f..58b80b55f1cee 100644
--- a/pkg/apis/node/validation/validation.go
+++ b/pkg/apis/node/validation/validation.go
@@ -68,7 +68,7 @@ func validateScheduling(s *node.Scheduling, fldPath *field.Path) field.ErrorList
 }
 
 func validateTolerations(tolerations []core.Toleration, fldPath *field.Path) field.ErrorList {
-	allErrs := corevalidation.ValidateTolerations(tolerations, fldPath.Child("tolerations"))
+	allErrs := corevalidation.ValidateTolerations(tolerations, fldPath, corevalidation.PodValidationOptions{})
 	// Ensure uniquenes of tolerations.
 	tolerationSet := map[core.Toleration]bool{}
 	for i, t := range tolerations {
diff --git a/pkg/apis/rbac/v1/doc.go b/pkg/apis/rbac/v1/doc.go
index ab4d30713847d..73977b4234e37 100644
--- a/pkg/apis/rbac/v1/doc.go
+++ b/pkg/apis/rbac/v1/doc.go
@@ -19,6 +19,8 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/rbac/v1
 // +k8s:deepcopy-gen=package
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/rbac/v1
 
 // +groupName=rbac.authorization.k8s.io
 
diff --git a/pkg/apis/rbac/v1/zz_generated.validations.go b/pkg/apis/rbac/v1/zz_generated.validations.go
new file mode 100644
index 0000000000000..0e53d6e0b7e57
--- /dev/null
+++ b/pkg/apis/rbac/v1/zz_generated.validations.go
@@ -0,0 +1,240 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type ClusterRoleBinding
+	scheme.AddValidationFunc((*rbacv1.ClusterRoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1.ClusterRoleBinding), safe.Cast[*rbacv1.ClusterRoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ClusterRoleBindingList
+	scheme.AddValidationFunc((*rbacv1.ClusterRoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1.ClusterRoleBindingList), safe.Cast[*rbacv1.ClusterRoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBinding
+	scheme.AddValidationFunc((*rbacv1.RoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1.RoleBinding), safe.Cast[*rbacv1.RoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBindingList
+	scheme.AddValidationFunc((*rbacv1.RoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1.RoleBindingList), safe.Cast[*rbacv1.RoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_ClusterRoleBinding validates an instance of ClusterRoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.ClusterRoleBinding) (errs field.ErrorList) {
+	// field rbacv1.ClusterRoleBinding.TypeMeta has no validation
+	// field rbacv1.ClusterRoleBinding.ObjectMeta has no validation
+
+	// field rbacv1.ClusterRoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1.ClusterRoleBinding) []rbacv1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1.ClusterRoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1.ClusterRoleBinding) *rbacv1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ClusterRoleBindingList validates an instance of ClusterRoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.ClusterRoleBindingList) (errs field.ErrorList) {
+	// field rbacv1.ClusterRoleBindingList.TypeMeta has no validation
+	// field rbacv1.ClusterRoleBindingList.ListMeta has no validation
+
+	// field rbacv1.ClusterRoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1.ClusterRoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ClusterRoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1.ClusterRoleBindingList) []rbacv1.ClusterRoleBinding { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBinding validates an instance of RoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_RoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.RoleBinding) (errs field.ErrorList) {
+	// field rbacv1.RoleBinding.TypeMeta has no validation
+	// field rbacv1.RoleBinding.ObjectMeta has no validation
+
+	// field rbacv1.RoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1.RoleBinding) []rbacv1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1.RoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1.RoleBinding) *rbacv1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBindingList validates an instance of RoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_RoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.RoleBindingList) (errs field.ErrorList) {
+	// field rbacv1.RoleBindingList.TypeMeta has no validation
+	// field rbacv1.RoleBindingList.ListMeta has no validation
+
+	// field rbacv1.RoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1.RoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_RoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1.RoleBindingList) []rbacv1.RoleBinding { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleRef validates an instance of RoleRef according
+// to declarative validation rules in the API schema.
+func Validate_RoleRef(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.RoleRef) (errs field.ErrorList) {
+	// field rbacv1.RoleRef.APIGroup has no validation
+	// field rbacv1.RoleRef.Kind has no validation
+
+	// field rbacv1.RoleRef.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1.RoleRef) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_Subject validates an instance of Subject according
+// to declarative validation rules in the API schema.
+func Validate_Subject(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1.Subject) (errs field.ErrorList) {
+	// field rbacv1.Subject.Kind has no validation
+	// field rbacv1.Subject.APIGroup has no validation
+
+	// field rbacv1.Subject.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1.Subject) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field rbacv1.Subject.Namespace has no validation
+	return errs
+}
diff --git a/pkg/apis/rbac/v1alpha1/doc.go b/pkg/apis/rbac/v1alpha1/doc.go
index 77246de7585ce..ab97d04370614 100644
--- a/pkg/apis/rbac/v1alpha1/doc.go
+++ b/pkg/apis/rbac/v1alpha1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen-external-types=k8s.io/api/rbac/v1alpha1
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/rbac/v1alpha1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/rbac/v1alpha1
 
 // +groupName=rbac.authorization.k8s.io
 
diff --git a/pkg/apis/rbac/v1alpha1/zz_generated.validations.go b/pkg/apis/rbac/v1alpha1/zz_generated.validations.go
new file mode 100644
index 0000000000000..0f517283ac189
--- /dev/null
+++ b/pkg/apis/rbac/v1alpha1/zz_generated.validations.go
@@ -0,0 +1,242 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	rbacv1alpha1 "k8s.io/api/rbac/v1alpha1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type ClusterRoleBinding
+	scheme.AddValidationFunc((*rbacv1alpha1.ClusterRoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1alpha1.ClusterRoleBinding), safe.Cast[*rbacv1alpha1.ClusterRoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ClusterRoleBindingList
+	scheme.AddValidationFunc((*rbacv1alpha1.ClusterRoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1alpha1.ClusterRoleBindingList), safe.Cast[*rbacv1alpha1.ClusterRoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBinding
+	scheme.AddValidationFunc((*rbacv1alpha1.RoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1alpha1.RoleBinding), safe.Cast[*rbacv1alpha1.RoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBindingList
+	scheme.AddValidationFunc((*rbacv1alpha1.RoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1alpha1.RoleBindingList), safe.Cast[*rbacv1alpha1.RoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_ClusterRoleBinding validates an instance of ClusterRoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.ClusterRoleBinding) (errs field.ErrorList) {
+	// field rbacv1alpha1.ClusterRoleBinding.TypeMeta has no validation
+	// field rbacv1alpha1.ClusterRoleBinding.ObjectMeta has no validation
+
+	// field rbacv1alpha1.ClusterRoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1alpha1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1alpha1.ClusterRoleBinding) []rbacv1alpha1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1alpha1.ClusterRoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1alpha1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1alpha1.ClusterRoleBinding) *rbacv1alpha1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ClusterRoleBindingList validates an instance of ClusterRoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.ClusterRoleBindingList) (errs field.ErrorList) {
+	// field rbacv1alpha1.ClusterRoleBindingList.TypeMeta has no validation
+	// field rbacv1alpha1.ClusterRoleBindingList.ListMeta has no validation
+
+	// field rbacv1alpha1.ClusterRoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1alpha1.ClusterRoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ClusterRoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1alpha1.ClusterRoleBindingList) []rbacv1alpha1.ClusterRoleBinding {
+			return oldObj.Items
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBinding validates an instance of RoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_RoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.RoleBinding) (errs field.ErrorList) {
+	// field rbacv1alpha1.RoleBinding.TypeMeta has no validation
+	// field rbacv1alpha1.RoleBinding.ObjectMeta has no validation
+
+	// field rbacv1alpha1.RoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1alpha1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1alpha1.RoleBinding) []rbacv1alpha1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1alpha1.RoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1alpha1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1alpha1.RoleBinding) *rbacv1alpha1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBindingList validates an instance of RoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_RoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.RoleBindingList) (errs field.ErrorList) {
+	// field rbacv1alpha1.RoleBindingList.TypeMeta has no validation
+	// field rbacv1alpha1.RoleBindingList.ListMeta has no validation
+
+	// field rbacv1alpha1.RoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1alpha1.RoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_RoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1alpha1.RoleBindingList) []rbacv1alpha1.RoleBinding { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleRef validates an instance of RoleRef according
+// to declarative validation rules in the API schema.
+func Validate_RoleRef(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.RoleRef) (errs field.ErrorList) {
+	// field rbacv1alpha1.RoleRef.APIGroup has no validation
+	// field rbacv1alpha1.RoleRef.Kind has no validation
+
+	// field rbacv1alpha1.RoleRef.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1alpha1.RoleRef) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_Subject validates an instance of Subject according
+// to declarative validation rules in the API schema.
+func Validate_Subject(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1alpha1.Subject) (errs field.ErrorList) {
+	// field rbacv1alpha1.Subject.Kind has no validation
+	// field rbacv1alpha1.Subject.APIVersion has no validation
+
+	// field rbacv1alpha1.Subject.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1alpha1.Subject) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field rbacv1alpha1.Subject.Namespace has no validation
+	return errs
+}
diff --git a/pkg/apis/rbac/v1beta1/doc.go b/pkg/apis/rbac/v1beta1/doc.go
index b3474dc74b5b5..815253236c41d 100644
--- a/pkg/apis/rbac/v1beta1/doc.go
+++ b/pkg/apis/rbac/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen-external-types=k8s.io/api/rbac/v1beta1
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/rbac/v1beta1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/rbac/v1beta1
 
 // +groupName=rbac.authorization.k8s.io
 
diff --git a/pkg/apis/rbac/v1beta1/zz_generated.validations.go b/pkg/apis/rbac/v1beta1/zz_generated.validations.go
new file mode 100644
index 0000000000000..82e44b20bc192
--- /dev/null
+++ b/pkg/apis/rbac/v1beta1/zz_generated.validations.go
@@ -0,0 +1,240 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type ClusterRoleBinding
+	scheme.AddValidationFunc((*rbacv1beta1.ClusterRoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1beta1.ClusterRoleBinding), safe.Cast[*rbacv1beta1.ClusterRoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ClusterRoleBindingList
+	scheme.AddValidationFunc((*rbacv1beta1.ClusterRoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ClusterRoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1beta1.ClusterRoleBindingList), safe.Cast[*rbacv1beta1.ClusterRoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBinding
+	scheme.AddValidationFunc((*rbacv1beta1.RoleBinding)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBinding(ctx, op, nil /* fldPath */, obj.(*rbacv1beta1.RoleBinding), safe.Cast[*rbacv1beta1.RoleBinding](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type RoleBindingList
+	scheme.AddValidationFunc((*rbacv1beta1.RoleBindingList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_RoleBindingList(ctx, op, nil /* fldPath */, obj.(*rbacv1beta1.RoleBindingList), safe.Cast[*rbacv1beta1.RoleBindingList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_ClusterRoleBinding validates an instance of ClusterRoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.ClusterRoleBinding) (errs field.ErrorList) {
+	// field rbacv1beta1.ClusterRoleBinding.TypeMeta has no validation
+	// field rbacv1beta1.ClusterRoleBinding.ObjectMeta has no validation
+
+	// field rbacv1beta1.ClusterRoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1beta1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1beta1.ClusterRoleBinding) []rbacv1beta1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1beta1.ClusterRoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1beta1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1beta1.ClusterRoleBinding) *rbacv1beta1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ClusterRoleBindingList validates an instance of ClusterRoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_ClusterRoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.ClusterRoleBindingList) (errs field.ErrorList) {
+	// field rbacv1beta1.ClusterRoleBindingList.TypeMeta has no validation
+	// field rbacv1beta1.ClusterRoleBindingList.ListMeta has no validation
+
+	// field rbacv1beta1.ClusterRoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1beta1.ClusterRoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ClusterRoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1beta1.ClusterRoleBindingList) []rbacv1beta1.ClusterRoleBinding { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBinding validates an instance of RoleBinding according
+// to declarative validation rules in the API schema.
+func Validate_RoleBinding(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.RoleBinding) (errs field.ErrorList) {
+	// field rbacv1beta1.RoleBinding.TypeMeta has no validation
+	// field rbacv1beta1.RoleBinding.ObjectMeta has no validation
+
+	// field rbacv1beta1.RoleBinding.Subjects
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1beta1.Subject, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Subject)...)
+			return
+		}(fldPath.Child("subjects"), obj.Subjects, safe.Field(oldObj, func(oldObj *rbacv1beta1.RoleBinding) []rbacv1beta1.Subject { return oldObj.Subjects }), oldObj != nil)...)
+
+	// field rbacv1beta1.RoleBinding.RoleRef
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *rbacv1beta1.RoleRef, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_RoleRef(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("roleRef"), &obj.RoleRef, safe.Field(oldObj, func(oldObj *rbacv1beta1.RoleBinding) *rbacv1beta1.RoleRef { return &oldObj.RoleRef }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleBindingList validates an instance of RoleBindingList according
+// to declarative validation rules in the API schema.
+func Validate_RoleBindingList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.RoleBindingList) (errs field.ErrorList) {
+	// field rbacv1beta1.RoleBindingList.TypeMeta has no validation
+	// field rbacv1beta1.RoleBindingList.ListMeta has no validation
+
+	// field rbacv1beta1.RoleBindingList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []rbacv1beta1.RoleBinding, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_RoleBinding)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *rbacv1beta1.RoleBindingList) []rbacv1beta1.RoleBinding { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_RoleRef validates an instance of RoleRef according
+// to declarative validation rules in the API schema.
+func Validate_RoleRef(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.RoleRef) (errs field.ErrorList) {
+	// field rbacv1beta1.RoleRef.APIGroup has no validation
+	// field rbacv1beta1.RoleRef.Kind has no validation
+
+	// field rbacv1beta1.RoleRef.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1beta1.RoleRef) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_Subject validates an instance of Subject according
+// to declarative validation rules in the API schema.
+func Validate_Subject(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *rbacv1beta1.Subject) (errs field.ErrorList) {
+	// field rbacv1beta1.Subject.Kind has no validation
+	// field rbacv1beta1.Subject.APIGroup has no validation
+
+	// field rbacv1beta1.Subject.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *rbacv1beta1.Subject) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field rbacv1beta1.Subject.Namespace has no validation
+	return errs
+}
diff --git a/pkg/apis/rbac/validation/validation.go b/pkg/apis/rbac/validation/validation.go
index b65ac19f72e2b..fcc672dbd2a84 100644
--- a/pkg/apis/rbac/validation/validation.go
+++ b/pkg/apis/rbac/validation/validation.go
@@ -143,7 +143,7 @@ func ValidateRoleBinding(roleBinding *rbac.RoleBinding) field.ErrorList {
 	}
 
 	if len(roleBinding.RoleRef.Name) == 0 {
-		allErrs = append(allErrs, field.Required(field.NewPath("roleRef", "name"), ""))
+		allErrs = append(allErrs, field.Required(field.NewPath("roleRef", "name"), "").MarkCoveredByDeclarative())
 	} else {
 		for _, msg := range ValidateRBACName(roleBinding.RoleRef.Name, false) {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef", "name"), roleBinding.RoleRef.Name, msg))
@@ -187,7 +187,7 @@ func ValidateClusterRoleBinding(roleBinding *rbac.ClusterRoleBinding) field.Erro
 	}
 
 	if len(roleBinding.RoleRef.Name) == 0 {
-		allErrs = append(allErrs, field.Required(field.NewPath("roleRef", "name"), ""))
+		allErrs = append(allErrs, field.Required(field.NewPath("roleRef", "name"), "").MarkCoveredByDeclarative())
 	} else {
 		for _, msg := range ValidateRBACName(roleBinding.RoleRef.Name, false) {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef", "name"), roleBinding.RoleRef.Name, msg))
@@ -218,7 +218,7 @@ func ValidateRoleBindingSubject(subject rbac.Subject, isNamespaced bool, fldPath
 	allErrs := field.ErrorList{}
 
 	if len(subject.Name) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+		allErrs = append(allErrs, field.Required(fldPath.Child("name"), "").MarkCoveredByDeclarative())
 	}
 
 	switch subject.Kind {
diff --git a/pkg/apis/resource/install/install.go b/pkg/apis/resource/install/install.go
index a747f62003dc7..ab936326c5ff4 100644
--- a/pkg/apis/resource/install/install.go
+++ b/pkg/apis/resource/install/install.go
@@ -40,6 +40,5 @@ func Install(scheme *runtime.Scheme) {
 	utilruntime.Must(v1beta1.AddToScheme(scheme))
 	utilruntime.Must(v1beta2.AddToScheme(scheme))
 	utilruntime.Must(v1.AddToScheme(scheme))
-	// TODO (https://github.com/kubernetes/kubernetes/issues/133131): put v1 first in 1.35
-	utilruntime.Must(scheme.SetVersionPriority(v1beta2.SchemeGroupVersion, v1.SchemeGroupVersion, v1beta1.SchemeGroupVersion, v1alpha3.SchemeGroupVersion))
+	utilruntime.Must(scheme.SetVersionPriority(v1.SchemeGroupVersion, v1beta2.SchemeGroupVersion, v1beta1.SchemeGroupVersion, v1alpha3.SchemeGroupVersion))
 }
diff --git a/pkg/apis/resource/types.go b/pkg/apis/resource/types.go
index faac04e6dc8f5..35933110d67ec 100644
--- a/pkg/apis/resource/types.go
+++ b/pkg/apis/resource/types.go
@@ -145,10 +145,13 @@ type ResourceSliceSpec struct {
 
 	// Devices lists some or all of the devices in this pool.
 	//
-	// Must not have more than 128 entries.
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
 	//
 	// +optional
 	// +listType=atomic
+	// +zeroOrOneOf=ResourceSliceType
 	Devices []Device
 
 	// PerDeviceNodeSelection defines whether the access from nodes to
@@ -166,19 +169,22 @@ type ResourceSliceSpec struct {
 	// SharedCounters defines a list of counter sets, each of which
 	// has a name and a list of counters available.
 	//
-	// The names of the SharedCounters must be unique in the ResourceSlice.
+	// The names of the counter sets must be unique in the ResourcePool.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
 	//
-	// The maximum number of counters in all sets is 32.
+	// The maximum number of counter sets is 8.
 	//
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRAPartitionableDevices
+	// +zeroOrOneOf=ResourceSliceType
 	SharedCounters []CounterSet
 }
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -194,7 +200,7 @@ type CounterSet struct {
 	// Counters defines the set of counters for this CounterSet
 	// The name of each counter must be unique in that set and must be a DNS label.
 	//
-	// The maximum number of counters in all sets is 32.
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter
@@ -243,13 +249,27 @@ type ResourcePool struct {
 
 const ResourceSliceMaxSharedCapacity = 128
 const ResourceSliceMaxDevices = 128
+const ResourceSliceMaxDevicesWithTaintsOrConsumesCounters = 64
 const PoolNameMaxLength = validation.DNS1123SubdomainMaxLength // Same as for a single node name.
 const BindingConditionsMaxSize = 4
 const BindingFailureConditionsMaxSize = 4
 
-// Defines the max number of shared counters that can be specified
-// in a ResourceSlice. The number is summed up across all sets.
-const ResourceSliceMaxSharedCounters = 32
+// Defines the maximum number of counter sets (through the
+// SharedCounters field) that can be defined in a ResourceSlice.
+const ResourceSliceMaxCounterSets = 8
+
+// Defines the maximum number of counters that can be defined
+// in a counter set.
+const ResourceSliceMaxCountersPerCounterSet = 32
+
+// Defines the maximum number of device counter consumptions
+// (through the ConsumesCounters field) that can be defined per
+// device.
+const ResourceSliceMaxDeviceCounterConsumptionsPerDevice = 2
+
+// Defines the maximum number of counters that can be defined
+// per device counter consumption.
+const ResourceSliceMaxCountersPerDeviceCounterConsumption = 32
 
 // Device represents one individual hardware instance that can be selected based
 // on its attributes. Besides the name, exactly one field must be set.
@@ -282,10 +302,8 @@ type Device struct {
 	//
 	// There can only be a single entry per counterSet.
 	//
-	// The total number of device counter consumption entries
-	// must be <= 32. In addition, the total number in the
-	// entire ResourceSlice must be <= 1024 (for example,
-	// 64 devices with 16 counters each).
+	// The maximum number of device counter consumptions per
+	// device is 2.
 	//
 	// +optional
 	// +listType=atomic
@@ -326,7 +344,9 @@ type Device struct {
 
 	// If specified, these are the driver-defined taints.
 	//
-	// The maximum number of taints is 4.
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
 	//
 	// This is an alpha field and requires enabling the DRADeviceTaints
 	// feature gate.
@@ -402,10 +422,7 @@ type DeviceCounterConsumption struct {
 
 	// Counters defines the counters that will be consumed by the device.
 	//
-	// The maximum number counters in a device is 32.
-	// In addition, the maximum number of all counters
-	// in all devices is 1024 (for example, 64 devices with
-	// 16 counters each).
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter
@@ -531,14 +548,6 @@ type CapacityRequestPolicyRange struct {
 // Limit for the sum of the number of entries in both attributes and capacity.
 const ResourceSliceMaxAttributesAndCapacitiesPerDevice = 32
 
-// Limit for the total number of counters in each device.
-const ResourceSliceMaxCountersPerDevice = 32
-
-// Limit for the total number of counters defined in devices in
-// a ResourceSlice. We want to allow up to 64 devices to specify
-// up to 16 counters, so the limit for the ResourceSlice will be 1024.
-const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
-
 // QualifiedName is the name of a device attribute or capacity.
 //
 // Attributes and capacities are defined either by the owner of the specific
@@ -601,8 +610,8 @@ type DeviceAttribute struct {
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
-// DeviceTaintsMaxLength is the maximum number of taints per device.
-const DeviceTaintsMaxLength = 4
+// DeviceTaintsMaxLength is the maximum number of taints per Device.
+const DeviceTaintsMaxLength = 16
 
 // The device this taint is attached to has the "effect" on
 // any claim which does not tolerate the taint and, through the claim,
@@ -622,8 +631,10 @@ type DeviceTaint struct {
 
 	// The effect of the taint on claims that do not tolerate the taint
 	// and through such claims on the pods using them.
-	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-	// nodes is not valid here.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
 	//
 	// +required
 	Effect DeviceTaintEffect
@@ -632,6 +643,14 @@ type DeviceTaint struct {
 	//
 	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
 	// It might get added as part of that.
+	//
+	// A possible future new effect is NoExecuteWithPodDisruptionBudget:
+	// honor the pod disruption budget instead of simply deleting pods.
+	// This is currently undecided, it could also be a separate field.
+	//
+	// Validation must be prepared to allow unknown enums in stored objects,
+	// which will enable adding new enums within a single release without
+	// ratcheting.
 
 	// TimeAdded represents the time at which the taint was added.
 	// Added automatically during create or update if not set.
@@ -650,6 +669,9 @@ type DeviceTaint struct {
 type DeviceTaintEffect string
 
 const (
+	// No effect, the taint is purely informational.
+	DeviceTaintEffectNone DeviceTaintEffect = "None"
+
 	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
 	// but allow all pods submitted to Kubelet without going through the scheduler
 	// to start, and allow all already-running pods to continue running.
@@ -1602,8 +1624,8 @@ type AllocationConfigSource string
 
 // Valid [DeviceAllocationConfiguration.Source] values.
 const (
-	AllocationConfigSourceClass = "FromClass"
-	AllocationConfigSourceClaim = "FromClaim"
+	AllocationConfigSourceClass AllocationConfigSource = "FromClass"
+	AllocationConfigSourceClaim AllocationConfigSource = "FromClaim"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -1876,18 +1898,16 @@ type DeviceTaintRule struct {
 	// Changing the spec automatically increments the metadata.generation number.
 	Spec DeviceTaintRuleSpec
 
-	// ^^^
-	// A spec gets added because adding a status seems likely.
-	// Such a status could provide feedback on applying the
-	// eviction and/or statistics (number of matching devices,
-	// affected allocated claims, pods remaining to be evicted,
-	// etc.).
+	// Status provides information about what was requested in the spec.
+	//
+	// +optional
+	Status DeviceTaintRuleStatus
 }
 
 // DeviceTaintRuleSpec specifies the selector and one taint.
 type DeviceTaintRuleSpec struct {
 	// DeviceSelector defines which device(s) the taint is applied to.
-	// All selector criteria must be satified for a device to
+	// All selector criteria must be satisfied for a device to
 	// match. The empty selector matches all devices. Without
 	// a selector, no devices are matches.
 	//
@@ -1904,13 +1924,6 @@ type DeviceTaintRuleSpec struct {
 // The empty selector matches all devices. Without a selector, no devices
 // are matched.
 type DeviceTaintSelector struct {
-	// If DeviceClassName is set, the selectors defined there must be
-	// satisfied by a device to be selected. This field corresponds
-	// to class.metadata.name.
-	//
-	// +optional
-	DeviceClassName *string
-
 	// If driver is set, only devices from that driver are selected.
 	// This fields corresponds to slice.spec.driver.
 	//
@@ -1937,16 +1950,43 @@ type DeviceTaintSelector struct {
 	//
 	// +optional
 	Device *string
+}
 
-	// Selectors contains the same selection criteria as a ResourceClaim.
-	// Currently, CEL expressions are supported. All of these selectors
-	// must be satisfied.
+// DeviceTaintRuleStatus provides information about an on-going pod eviction.
+type DeviceTaintRuleStatus struct {
+	// Conditions provide information about the state of the DeviceTaintRule
+	// and the cluster at some point in time,
+	// in a machine-readable and human-readable format.
+	//
+	// The following condition is currently defined as part of this API, more may
+	// get added:
+	// - Type: EvictionInProgress
+	// - Status: True if there are currently pods which need to be evicted, False otherwise
+	//   (includes the effects which don't cause eviction).
+	// - Reason: not specified, may change
+	// - Message: includes information about number of pending pods and already evicted pods
+	//   in a human-readable format, updated periodically, may change
+	//
+	// For `effect: None`, the condition above gets set once for each change to
+	// the spec, with the message containing information about what would happen
+	// if the effect was `NoExecute`. This feedback can be used to decide whether
+	// changing the effect to `NoExecute` will work as intended. It only gets
+	// set once to avoid having to constantly update the status.
+	//
+	// Must have 8 or less entries.
 	//
 	// +optional
-	// +listType=atomic
-	Selectors []DeviceSelector
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition
 }
 
+// DeviceTaintRuleStatusMaxConditions is the maximum number of conditions in DeviceTaintRuleStatus.
+const DeviceTaintRuleStatusMaxConditions = 8
+
+// DeviceTaintConditionEvictionInProgress is the publicly documented condition type for the DeviceTaintRuleStatus.
+const DeviceTaintConditionEvictionInProgress = "EvictionInProgress"
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // DeviceTaintRuleList is a collection of DeviceTaintRules.
diff --git a/pkg/apis/resource/v1/doc.go b/pkg/apis/resource/v1/doc.go
index 9166fefdbd613..d608dbef1ef4d 100644
--- a/pkg/apis/resource/v1/doc.go
+++ b/pkg/apis/resource/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen-external-types=k8s.io/api/resource/v1
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/resource/v1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/resource/v1
 
 // Package v1 is the v1 version of the resource API.
 package v1
diff --git a/pkg/apis/resource/v1/zz_generated.validations.go b/pkg/apis/resource/v1/zz_generated.validations.go
new file mode 100644
index 0000000000000..a3e1655353dc7
--- /dev/null
+++ b/pkg/apis/resource/v1/zz_generated.validations.go
@@ -0,0 +1,1822 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	resourcev1 "k8s.io/api/resource/v1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
+	sets "k8s.io/apimachinery/pkg/util/sets"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type DeviceClass
+	scheme.AddValidationFunc((*resourcev1.DeviceClass)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClass(ctx, op, nil /* fldPath */, obj.(*resourcev1.DeviceClass), safe.Cast[*resourcev1.DeviceClass](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type DeviceClassList
+	scheme.AddValidationFunc((*resourcev1.DeviceClassList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClassList(ctx, op, nil /* fldPath */, obj.(*resourcev1.DeviceClassList), safe.Cast[*resourcev1.DeviceClassList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaim
+	scheme.AddValidationFunc((*resourcev1.ResourceClaim)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/", "/status":
+			return Validate_ResourceClaim(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceClaim), safe.Cast[*resourcev1.ResourceClaim](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimList
+	scheme.AddValidationFunc((*resourcev1.ResourceClaimList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimList(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceClaimList), safe.Cast[*resourcev1.ResourceClaimList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplate
+	scheme.AddValidationFunc((*resourcev1.ResourceClaimTemplate)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplate(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceClaimTemplate), safe.Cast[*resourcev1.ResourceClaimTemplate](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplateList
+	scheme.AddValidationFunc((*resourcev1.ResourceClaimTemplateList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplateList(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceClaimTemplateList), safe.Cast[*resourcev1.ResourceClaimTemplateList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSlice
+	scheme.AddValidationFunc((*resourcev1.ResourceSlice)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSlice(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceSlice), safe.Cast[*resourcev1.ResourceSlice](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSliceList
+	scheme.AddValidationFunc((*resourcev1.ResourceSliceList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSliceList(ctx, op, nil /* fldPath */, obj.(*resourcev1.ResourceSliceList), safe.Cast[*resourcev1.ResourceSliceList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_AllocatedDeviceStatus validates an instance of AllocatedDeviceStatus according
+// to declarative validation rules in the API schema.
+func Validate_AllocatedDeviceStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.AllocatedDeviceStatus) (errs field.ErrorList) {
+	// field resourcev1.AllocatedDeviceStatus.Driver has no validation
+	// field resourcev1.AllocatedDeviceStatus.Pool has no validation
+	// field resourcev1.AllocatedDeviceStatus.Device has no validation
+
+	// field resourcev1.AllocatedDeviceStatus.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1.AllocatedDeviceStatus) *string { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1.AllocatedDeviceStatus.Conditions has no validation
+	// field resourcev1.AllocatedDeviceStatus.Data has no validation
+
+	// field resourcev1.AllocatedDeviceStatus.NetworkData
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.NetworkDeviceData, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_NetworkDeviceData(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("networkData"), obj.NetworkData, safe.Field(oldObj, func(oldObj *resourcev1.AllocatedDeviceStatus) *resourcev1.NetworkDeviceData {
+			return oldObj.NetworkData
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForAllocationConfigSource = sets.New(resourcev1.AllocationConfigSourceClaim, resourcev1.AllocationConfigSourceClass)
+
+// Validate_AllocationConfigSource validates an instance of AllocationConfigSource according
+// to declarative validation rules in the API schema.
+func Validate_AllocationConfigSource(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.AllocationConfigSource) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForAllocationConfigSource, nil)...)
+
+	return errs
+}
+
+// Validate_AllocationResult validates an instance of AllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_AllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.AllocationResult) (errs field.ErrorList) {
+	// field resourcev1.AllocationResult.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1.AllocationResult) *resourcev1.DeviceAllocationResult { return &oldObj.Devices }), oldObj != nil)...)
+
+	// field resourcev1.AllocationResult.NodeSelector has no validation
+	// field resourcev1.AllocationResult.AllocationTimestamp has no validation
+	return errs
+}
+
+// Validate_CounterSet validates an instance of CounterSet according
+// to declarative validation rules in the API schema.
+func Validate_CounterSet(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.CounterSet) (errs field.ErrorList) {
+	// field resourcev1.CounterSet.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *resourcev1.CounterSet) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field resourcev1.CounterSet.Counters has no validation
+	return errs
+}
+
+// Validate_Device validates an instance of Device according
+// to declarative validation rules in the API schema.
+func Validate_Device(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.Device) (errs field.ErrorList) {
+	// field resourcev1.Device.Name has no validation
+
+	// field resourcev1.Device.Attributes
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj map[resourcev1.QualifiedName]resourcev1.DeviceAttribute, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the map and call the value type's validation function
+			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, Validate_DeviceAttribute)...)
+			return
+		}(fldPath.Child("attributes"), obj.Attributes, safe.Field(oldObj, func(oldObj *resourcev1.Device) map[resourcev1.QualifiedName]resourcev1.DeviceAttribute {
+			return oldObj.Attributes
+		}), oldObj != nil)...)
+
+	// field resourcev1.Device.Capacity has no validation
+
+	// field resourcev1.Device.ConsumesCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceCounterConsumption, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 2); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceCounterConsumption, b resourcev1.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceCounterConsumption, b resourcev1.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			}, validate.SemanticDeepEqual, Validate_DeviceCounterConsumption)...)
+			return
+		}(fldPath.Child("consumesCounters"), obj.ConsumesCounters, safe.Field(oldObj, func(oldObj *resourcev1.Device) []resourcev1.DeviceCounterConsumption { return oldObj.ConsumesCounters }), oldObj != nil)...)
+
+	// field resourcev1.Device.NodeName has no validation
+	// field resourcev1.Device.NodeSelector has no validation
+	// field resourcev1.Device.AllNodes has no validation
+
+	// field resourcev1.Device.Taints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceTaint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceTaint)...)
+			return
+		}(fldPath.Child("taints"), obj.Taints, safe.Field(oldObj, func(oldObj *resourcev1.Device) []resourcev1.DeviceTaint { return oldObj.Taints }), oldObj != nil)...)
+
+	// field resourcev1.Device.BindsToNode has no validation
+
+	// field resourcev1.Device.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1.Device) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1.Device.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1.Device) []string { return oldObj.BindingFailureConditions }), oldObj != nil)...)
+
+	// field resourcev1.Device.AllowMultipleAllocations has no validation
+	return errs
+}
+
+// Validate_DeviceAllocationConfiguration validates an instance of DeviceAllocationConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationConfiguration) (errs field.ErrorList) {
+	// field resourcev1.DeviceAllocationConfiguration.Source
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.AllocationConfigSource, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationConfigSource(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("source"), &obj.Source, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAllocationConfiguration) *resourcev1.AllocationConfigSource {
+			return &oldObj.Source
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceAllocationConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAllocationConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1.DeviceAllocationConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAllocationConfiguration) *resourcev1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForDeviceAllocationMode = sets.New(resourcev1.DeviceAllocationModeAll, resourcev1.DeviceAllocationModeExactCount)
+
+// Validate_DeviceAllocationMode validates an instance of DeviceAllocationMode according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationMode(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationMode) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceAllocationMode, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceAllocationResult validates an instance of DeviceAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationResult) (errs field.ErrorList) {
+	// field resourcev1.DeviceAllocationResult.Results
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceRequestAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceRequestAllocationResult)...)
+			return
+		}(fldPath.Child("results"), obj.Results, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAllocationResult) []resourcev1.DeviceRequestAllocationResult {
+			return oldObj.Results
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceAllocationResult.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceAllocationConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 64); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceAllocationConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAllocationResult) []resourcev1.DeviceAllocationConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var unionMembershipFor_k8s_io_api_resource_v1_DeviceAttribute_ = validate.NewUnionMembership(validate.NewUnionMember("int"), validate.NewUnionMember("bool"), validate.NewUnionMember("string"), validate.NewUnionMember("version"))
+
+// Validate_DeviceAttribute validates an instance of DeviceAttribute according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAttribute(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceAttribute) (errs field.ErrorList) {
+	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_api_resource_v1_DeviceAttribute_, func(obj *resourcev1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.IntValue != nil
+	}, func(obj *resourcev1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.BoolValue != nil
+	}, func(obj *resourcev1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.StringValue != nil
+	}, func(obj *resourcev1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.VersionValue != nil
+	})...)
+
+	// field resourcev1.DeviceAttribute.IntValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("int"), obj.IntValue, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAttribute) *int64 { return oldObj.IntValue }), oldObj != nil)...)
+
+	// field resourcev1.DeviceAttribute.BoolValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bool"), obj.BoolValue, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAttribute) *bool { return oldObj.BoolValue }), oldObj != nil)...)
+
+	// field resourcev1.DeviceAttribute.StringValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("string"), obj.StringValue, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAttribute) *string { return oldObj.StringValue }), oldObj != nil)...)
+
+	// field resourcev1.DeviceAttribute.VersionValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("version"), obj.VersionValue, safe.Field(oldObj, func(oldObj *resourcev1.DeviceAttribute) *string { return oldObj.VersionValue }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaim validates an instance of DeviceClaim according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClaim) (errs field.ErrorList) {
+	// field resourcev1.DeviceClaim.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceRequest, b resourcev1.DeviceRequest) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceRequest, b resourcev1.DeviceRequest) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_DeviceRequest)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClaim) []resourcev1.DeviceRequest { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClaim.Constraints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceConstraint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceConstraint)...)
+			return
+		}(fldPath.Child("constraints"), obj.Constraints, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClaim) []resourcev1.DeviceConstraint { return oldObj.Constraints }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClaim.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceClaimConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClaimConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClaim) []resourcev1.DeviceClaimConfiguration { return oldObj.Config }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaimConfiguration validates an instance of DeviceClaimConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaimConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClaimConfiguration) (errs field.ErrorList) {
+	// field resourcev1.DeviceClaimConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClaimConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClaimConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClaimConfiguration) *resourcev1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClass validates an instance of DeviceClass according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClass(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClass) (errs field.ErrorList) {
+	// field resourcev1.DeviceClass.TypeMeta has no validation
+
+	// field resourcev1.DeviceClass.ObjectMeta
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *metav1.ObjectMeta, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			func() { // cohort name
+				earlyReturn := false
+				if e := validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *metav1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.OptionalValue); len(e) != 0 {
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *metav1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.LongName)...)
+			}()
+			return
+		}(fldPath.Child("metadata"), &obj.ObjectMeta, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClass) *metav1.ObjectMeta { return &oldObj.ObjectMeta }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClass.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceClassSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClassSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClass) *resourcev1.DeviceClassSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassConfiguration validates an instance of DeviceClassConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClassConfiguration) (errs field.ErrorList) {
+	// field resourcev1.DeviceClassConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClassConfiguration) *resourcev1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassList validates an instance of DeviceClassList according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClassList) (errs field.ErrorList) {
+	// field resourcev1.DeviceClassList.TypeMeta has no validation
+	// field resourcev1.DeviceClassList.ListMeta has no validation
+
+	// field resourcev1.DeviceClassList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceClass, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClass)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClassList) []resourcev1.DeviceClass { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassSpec validates an instance of DeviceClassSpec according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceClassSpec) (errs field.ErrorList) {
+	// field resourcev1.DeviceClassSpec.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClassSpec) []resourcev1.DeviceSelector { return oldObj.Selectors }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClassSpec.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceClassConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClassConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClassSpec) []resourcev1.DeviceClassConfiguration { return oldObj.Config }), oldObj != nil)...)
+
+	// field resourcev1.DeviceClassSpec.ExtendedResourceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("extendedResourceName"), obj.ExtendedResourceName, safe.Field(oldObj, func(oldObj *resourcev1.DeviceClassSpec) *string { return oldObj.ExtendedResourceName }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConfiguration validates an instance of DeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1.DeviceConfiguration.Opaque
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.OpaqueDeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_OpaqueDeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("opaque"), obj.Opaque, safe.Field(oldObj, func(oldObj *resourcev1.DeviceConfiguration) *resourcev1.OpaqueDeviceConfiguration {
+			return oldObj.Opaque
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConstraint validates an instance of DeviceConstraint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConstraint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceConstraint) (errs field.ErrorList) {
+	// field resourcev1.DeviceConstraint.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1.DeviceConstraint) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1.DeviceConstraint.MatchAttribute
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.FullyQualifiedName, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("matchAttribute"), obj.MatchAttribute, safe.Field(oldObj, func(oldObj *resourcev1.DeviceConstraint) *resourcev1.FullyQualifiedName { return oldObj.MatchAttribute }), oldObj != nil)...)
+
+	// field resourcev1.DeviceConstraint.DistinctAttribute has no validation
+	return errs
+}
+
+// Validate_DeviceCounterConsumption validates an instance of DeviceCounterConsumption according
+// to declarative validation rules in the API schema.
+func Validate_DeviceCounterConsumption(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceCounterConsumption) (errs field.ErrorList) {
+	// field resourcev1.DeviceCounterConsumption.CounterSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("counterSet"), &obj.CounterSet, safe.Field(oldObj, func(oldObj *resourcev1.DeviceCounterConsumption) *string { return &oldObj.CounterSet }), oldObj != nil)...)
+
+	// field resourcev1.DeviceCounterConsumption.Counters has no validation
+	return errs
+}
+
+// Validate_DeviceRequest validates an instance of DeviceRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceRequest) (errs field.ErrorList) {
+	// field resourcev1.DeviceRequest.Name has no validation
+
+	// field resourcev1.DeviceRequest.Exactly
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ExactDeviceRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ExactDeviceRequest(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("exactly"), obj.Exactly, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequest) *resourcev1.ExactDeviceRequest { return oldObj.Exactly }), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequest.FirstAvailable
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceSubRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceSubRequest, b resourcev1.DeviceSubRequest) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1.DeviceSubRequest, b resourcev1.DeviceSubRequest) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_DeviceSubRequest)...)
+			return
+		}(fldPath.Child("firstAvailable"), obj.FirstAvailable, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequest) []resourcev1.DeviceSubRequest { return oldObj.FirstAvailable }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceRequestAllocationResult validates an instance of DeviceRequestAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequestAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceRequestAllocationResult) (errs field.ErrorList) {
+	// field resourcev1.DeviceRequestAllocationResult.Request has no validation
+
+	// field resourcev1.DeviceRequestAllocationResult.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.Pool
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("pool"), &obj.Pool, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) *string { return &oldObj.Pool }), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.Device has no validation
+	// field resourcev1.DeviceRequestAllocationResult.AdminAccess has no validation
+
+	// field resourcev1.DeviceRequestAllocationResult.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) []resourcev1.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) []string {
+			return oldObj.BindingFailureConditions
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *types.UID, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1.DeviceRequestAllocationResult) *types.UID { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1.DeviceRequestAllocationResult.ConsumedCapacity has no validation
+	return errs
+}
+
+// Validate_DeviceSubRequest validates an instance of DeviceSubRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceSubRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceSubRequest) (errs field.ErrorList) {
+	// field resourcev1.DeviceSubRequest.Name has no validation
+
+	// field resourcev1.DeviceSubRequest.DeviceClassName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("deviceClassName"), &obj.DeviceClassName, safe.Field(oldObj, func(oldObj *resourcev1.DeviceSubRequest) *string { return &oldObj.DeviceClassName }), oldObj != nil)...)
+
+	// field resourcev1.DeviceSubRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1.DeviceSubRequest) []resourcev1.DeviceSelector { return oldObj.Selectors }), oldObj != nil)...)
+
+	// field resourcev1.DeviceSubRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1.DeviceSubRequest) *resourcev1.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceSubRequest.Count has no validation
+
+	// field resourcev1.DeviceSubRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1.DeviceSubRequest) []resourcev1.DeviceToleration { return oldObj.Tolerations }), oldObj != nil)...)
+
+	// field resourcev1.DeviceSubRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_DeviceTaint validates an instance of DeviceTaint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceTaint) (errs field.ErrorList) {
+	// field resourcev1.DeviceTaint.Key has no validation
+	// field resourcev1.DeviceTaint.Value has no validation
+
+	// field resourcev1.DeviceTaint.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1.DeviceTaint) *resourcev1.DeviceTaintEffect { return &oldObj.Effect }), oldObj != nil)...)
+
+	// field resourcev1.DeviceTaint.TimeAdded has no validation
+	return errs
+}
+
+var symbolsForDeviceTaintEffect = sets.New(resourcev1.DeviceTaintEffectNoExecute, resourcev1.DeviceTaintEffectNoSchedule, resourcev1.DeviceTaintEffectNone)
+
+// Validate_DeviceTaintEffect validates an instance of DeviceTaintEffect according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaintEffect(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceTaintEffect) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTaintEffect, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceToleration validates an instance of DeviceToleration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceToleration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceToleration) (errs field.ErrorList) {
+	// field resourcev1.DeviceToleration.Key
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("key"), &obj.Key, safe.Field(oldObj, func(oldObj *resourcev1.DeviceToleration) *string { return &oldObj.Key }), oldObj != nil)...)
+
+	// field resourcev1.DeviceToleration.Operator
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceTolerationOperator, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTolerationOperator(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("operator"), &obj.Operator, safe.Field(oldObj, func(oldObj *resourcev1.DeviceToleration) *resourcev1.DeviceTolerationOperator {
+			return &oldObj.Operator
+		}), oldObj != nil)...)
+
+	// field resourcev1.DeviceToleration.Value has no validation
+
+	// field resourcev1.DeviceToleration.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1.DeviceToleration) *resourcev1.DeviceTaintEffect { return &oldObj.Effect }), oldObj != nil)...)
+
+	// field resourcev1.DeviceToleration.TolerationSeconds has no validation
+	return errs
+}
+
+var symbolsForDeviceTolerationOperator = sets.New(resourcev1.DeviceTolerationOpEqual, resourcev1.DeviceTolerationOpExists)
+
+// Validate_DeviceTolerationOperator validates an instance of DeviceTolerationOperator according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTolerationOperator(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.DeviceTolerationOperator) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTolerationOperator, nil)...)
+
+	return errs
+}
+
+// Validate_ExactDeviceRequest validates an instance of ExactDeviceRequest according
+// to declarative validation rules in the API schema.
+func Validate_ExactDeviceRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ExactDeviceRequest) (errs field.ErrorList) {
+	// field resourcev1.ExactDeviceRequest.DeviceClassName has no validation
+
+	// field resourcev1.ExactDeviceRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1.ExactDeviceRequest) []resourcev1.DeviceSelector { return oldObj.Selectors }), oldObj != nil)...)
+
+	// field resourcev1.ExactDeviceRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1.ExactDeviceRequest) *resourcev1.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1.ExactDeviceRequest.Count has no validation
+	// field resourcev1.ExactDeviceRequest.AdminAccess has no validation
+
+	// field resourcev1.ExactDeviceRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1.ExactDeviceRequest) []resourcev1.DeviceToleration { return oldObj.Tolerations }), oldObj != nil)...)
+
+	// field resourcev1.ExactDeviceRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_NetworkDeviceData validates an instance of NetworkDeviceData according
+// to declarative validation rules in the API schema.
+func Validate_NetworkDeviceData(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.NetworkDeviceData) (errs field.ErrorList) {
+	// field resourcev1.NetworkDeviceData.InterfaceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 256)...)
+			return
+		}(fldPath.Child("interfaceName"), &obj.InterfaceName, safe.Field(oldObj, func(oldObj *resourcev1.NetworkDeviceData) *string { return &oldObj.InterfaceName }), oldObj != nil)...)
+
+	// field resourcev1.NetworkDeviceData.IPs
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 16); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("ips"), obj.IPs, safe.Field(oldObj, func(oldObj *resourcev1.NetworkDeviceData) []string { return oldObj.IPs }), oldObj != nil)...)
+
+	// field resourcev1.NetworkDeviceData.HardwareAddress
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 128)...)
+			return
+		}(fldPath.Child("hardwareAddress"), &obj.HardwareAddress, safe.Field(oldObj, func(oldObj *resourcev1.NetworkDeviceData) *string { return &oldObj.HardwareAddress }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_OpaqueDeviceConfiguration validates an instance of OpaqueDeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_OpaqueDeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.OpaqueDeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1.OpaqueDeviceConfiguration.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1.OpaqueDeviceConfiguration) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1.OpaqueDeviceConfiguration.Parameters has no validation
+	return errs
+}
+
+// Validate_ResourceClaim validates an instance of ResourceClaim according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaim) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaim.TypeMeta has no validation
+	// field resourcev1.ResourceClaim.ObjectMeta has no validation
+
+	// field resourcev1.ResourceClaim.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaim) *resourcev1.ResourceClaimSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	// field resourcev1.ResourceClaim.Status
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimStatus(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("status"), &obj.Status, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaim) *resourcev1.ResourceClaimStatus { return &oldObj.Status }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimList validates an instance of ResourceClaimList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimList) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimList.TypeMeta has no validation
+	// field resourcev1.ResourceClaimList.ListMeta has no validation
+
+	// field resourcev1.ResourceClaimList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.ResourceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaim)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimList) []resourcev1.ResourceClaim { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimSpec validates an instance of ResourceClaimSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimSpec) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.DeviceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClaim(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimSpec) *resourcev1.DeviceClaim { return &oldObj.Devices }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimStatus validates an instance of ResourceClaimStatus according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimStatus) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimStatus.Allocation
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.AllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocation"), obj.Allocation, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimStatus) *resourcev1.AllocationResult { return oldObj.Allocation }), oldObj != nil)...)
+
+	// field resourcev1.ResourceClaimStatus.ReservedFor
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.ResourceClaimConsumerReference, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 256); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.ResourceClaimConsumerReference, b resourcev1.ResourceClaimConsumerReference) bool {
+				return a.UID == b.UID
+			})...)
+			return
+		}(fldPath.Child("reservedFor"), obj.ReservedFor, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimStatus) []resourcev1.ResourceClaimConsumerReference {
+			return oldObj.ReservedFor
+		}), oldObj != nil)...)
+
+	// field resourcev1.ResourceClaimStatus.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.AllocatedDeviceStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.AllocatedDeviceStatus, b resourcev1.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1.AllocatedDeviceStatus, b resourcev1.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			}, validate.SemanticDeepEqual, Validate_AllocatedDeviceStatus)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimStatus) []resourcev1.AllocatedDeviceStatus { return oldObj.Devices }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplate validates an instance of ResourceClaimTemplate according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplate(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimTemplate) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimTemplate.TypeMeta has no validation
+	// field resourcev1.ResourceClaimTemplate.ObjectMeta has no validation
+
+	// field resourcev1.ResourceClaimTemplate.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimTemplateSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimTemplateSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimTemplate) *resourcev1.ResourceClaimTemplateSpec {
+			return &oldObj.Spec
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateList validates an instance of ResourceClaimTemplateList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimTemplateList) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimTemplateList.TypeMeta has no validation
+	// field resourcev1.ResourceClaimTemplateList.ListMeta has no validation
+
+	// field resourcev1.ResourceClaimTemplateList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.ResourceClaimTemplate, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaimTemplate)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimTemplateList) []resourcev1.ResourceClaimTemplate {
+			return oldObj.Items
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateSpec validates an instance of ResourceClaimTemplateSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimTemplateSpec) (errs field.ErrorList) {
+	// field resourcev1.ResourceClaimTemplateSpec.ObjectMeta has no validation
+
+	// field resourcev1.ResourceClaimTemplateSpec.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1.ResourceClaimTemplateSpec) *resourcev1.ResourceClaimSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSlice validates an instance of ResourceSlice according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceSlice) (errs field.ErrorList) {
+	// field resourcev1.ResourceSlice.TypeMeta has no validation
+	// field resourcev1.ResourceSlice.ObjectMeta has no validation
+
+	// field resourcev1.ResourceSlice.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1.ResourceSliceSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceSliceSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1.ResourceSlice) *resourcev1.ResourceSliceSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceList validates an instance of ResourceSliceList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceSliceList) (errs field.ErrorList) {
+	// field resourcev1.ResourceSliceList.TypeMeta has no validation
+	// field resourcev1.ResourceSliceList.ListMeta has no validation
+
+	// field resourcev1.ResourceSliceList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.ResourceSlice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceSlice)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1.ResourceSliceList) []resourcev1.ResourceSlice { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceSpec validates an instance of ResourceSliceSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1.ResourceSliceSpec) (errs field.ErrorList) {
+	// field resourcev1.ResourceSliceSpec.Driver has no validation
+	// field resourcev1.ResourceSliceSpec.Pool has no validation
+	// field resourcev1.ResourceSliceSpec.NodeName has no validation
+	// field resourcev1.ResourceSliceSpec.NodeSelector has no validation
+	// field resourcev1.ResourceSliceSpec.AllNodes has no validation
+
+	// field resourcev1.ResourceSliceSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.Device, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Device)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1.ResourceSliceSpec) []resourcev1.Device { return oldObj.Devices }), oldObj != nil)...)
+
+	// field resourcev1.ResourceSliceSpec.PerDeviceNodeSelection has no validation
+
+	// field resourcev1.ResourceSliceSpec.SharedCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1.CounterSet, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1.CounterSet, b resourcev1.CounterSet) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1.CounterSet, b resourcev1.CounterSet) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_CounterSet)...)
+			return
+		}(fldPath.Child("sharedCounters"), obj.SharedCounters, safe.Field(oldObj, func(oldObj *resourcev1.ResourceSliceSpec) []resourcev1.CounterSet { return oldObj.SharedCounters }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/pkg/apis/resource/v1alpha3/zz_generated.conversion.go b/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
index aac8aca97cf82..e5c6ee21cf91f 100644
--- a/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
@@ -98,6 +98,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintRuleStatus)(nil), (*resource.DeviceTaintRuleStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus(a.(*resourcev1alpha3.DeviceTaintRuleStatus), b.(*resource.DeviceTaintRuleStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaintRuleStatus)(nil), (*resourcev1alpha3.DeviceTaintRuleStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus(a.(*resource.DeviceTaintRuleStatus), b.(*resourcev1alpha3.DeviceTaintRuleStatus), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintSelector)(nil), (*resource.DeviceTaintSelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(a.(*resourcev1alpha3.DeviceTaintSelector), b.(*resource.DeviceTaintSelector), scope)
 	}); err != nil {
@@ -182,6 +192,9 @@ func autoConvert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule(in *resour
 	if err := Convert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(&in.Spec, &out.Spec, s); err != nil {
 		return err
 	}
+	if err := Convert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -195,6 +208,9 @@ func autoConvert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule(in *resour
 	if err := Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(&in.Spec, &out.Spec, s); err != nil {
 		return err
 	}
+	if err := Convert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -251,12 +267,30 @@ func Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(in *re
 	return autoConvert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(in, out, s)
 }
 
+func autoConvert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus(in *resourcev1alpha3.DeviceTaintRuleStatus, out *resource.DeviceTaintRuleStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus(in *resourcev1alpha3.DeviceTaintRuleStatus, out *resource.DeviceTaintRuleStatus, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaintRuleStatus_To_resource_DeviceTaintRuleStatus(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus(in *resource.DeviceTaintRuleStatus, out *resourcev1alpha3.DeviceTaintRuleStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
+	return nil
+}
+
+// Convert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus is an autogenerated conversion function.
+func Convert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus(in *resource.DeviceTaintRuleStatus, out *resourcev1alpha3.DeviceTaintRuleStatus, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaintRuleStatus_To_v1alpha3_DeviceTaintRuleStatus(in, out, s)
+}
+
 func autoConvert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(in *resourcev1alpha3.DeviceTaintSelector, out *resource.DeviceTaintSelector, s conversion.Scope) error {
-	out.DeviceClassName = (*string)(unsafe.Pointer(in.DeviceClassName))
 	out.Driver = (*string)(unsafe.Pointer(in.Driver))
 	out.Pool = (*string)(unsafe.Pointer(in.Pool))
 	out.Device = (*string)(unsafe.Pointer(in.Device))
-	out.Selectors = *(*[]resource.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	return nil
 }
 
@@ -266,11 +300,9 @@ func Convert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(in *re
 }
 
 func autoConvert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector(in *resource.DeviceTaintSelector, out *resourcev1alpha3.DeviceTaintSelector, s conversion.Scope) error {
-	out.DeviceClassName = (*string)(unsafe.Pointer(in.DeviceClassName))
 	out.Driver = (*string)(unsafe.Pointer(in.Driver))
 	out.Pool = (*string)(unsafe.Pointer(in.Pool))
 	out.Device = (*string)(unsafe.Pointer(in.Device))
-	out.Selectors = *(*[]resourcev1alpha3.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	return nil
 }
 
diff --git a/pkg/apis/resource/v1beta1/defaults.go b/pkg/apis/resource/v1beta1/defaults.go
index 4e959c7d768dd..7d43132522d5e 100644
--- a/pkg/apis/resource/v1beta1/defaults.go
+++ b/pkg/apis/resource/v1beta1/defaults.go
@@ -35,6 +35,10 @@ func SetDefaults_DeviceRequest(obj *resourceapi.DeviceRequest) {
 	if obj.DeviceClassName == "" {
 		return
 	}
+	// Declarative defaulting (+default) is not used for AllocationMode here because
+	// v1beta1 uses a bespoke union structure. Applying an unconditional default
+	// would make valid "FirstAvailable" requests (where this field must be empty) invalid.
+	// Therefore, we rely on this manual defaulting logic.
 	if obj.AllocationMode == "" {
 		obj.AllocationMode = resourceapi.DeviceAllocationModeExactCount
 	}
diff --git a/pkg/apis/resource/v1beta1/doc.go b/pkg/apis/resource/v1beta1/doc.go
index f014667f8da2e..f95eb5f3c9f0d 100644
--- a/pkg/apis/resource/v1beta1/doc.go
+++ b/pkg/apis/resource/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen-external-types=k8s.io/api/resource/v1beta1
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/resource/v1beta1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/resource/v1beta1
 
 // Package v1beta1 is the v1beta1 version of the resource API.
 package v1beta1
diff --git a/pkg/apis/resource/v1beta1/zz_generated.validations.go b/pkg/apis/resource/v1beta1/zz_generated.validations.go
new file mode 100644
index 0000000000000..f96f7aeaed4b4
--- /dev/null
+++ b/pkg/apis/resource/v1beta1/zz_generated.validations.go
@@ -0,0 +1,1860 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	resourcev1beta1 "k8s.io/api/resource/v1beta1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
+	sets "k8s.io/apimachinery/pkg/util/sets"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type DeviceClass
+	scheme.AddValidationFunc((*resourcev1beta1.DeviceClass)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClass(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.DeviceClass), safe.Cast[*resourcev1beta1.DeviceClass](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type DeviceClassList
+	scheme.AddValidationFunc((*resourcev1beta1.DeviceClassList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClassList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.DeviceClassList), safe.Cast[*resourcev1beta1.DeviceClassList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaim
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceClaim)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/", "/status":
+			return Validate_ResourceClaim(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceClaim), safe.Cast[*resourcev1beta1.ResourceClaim](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimList
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceClaimList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceClaimList), safe.Cast[*resourcev1beta1.ResourceClaimList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplate
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceClaimTemplate)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplate(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceClaimTemplate), safe.Cast[*resourcev1beta1.ResourceClaimTemplate](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplateList
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceClaimTemplateList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplateList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceClaimTemplateList), safe.Cast[*resourcev1beta1.ResourceClaimTemplateList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSlice
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceSlice)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSlice(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceSlice), safe.Cast[*resourcev1beta1.ResourceSlice](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSliceList
+	scheme.AddValidationFunc((*resourcev1beta1.ResourceSliceList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSliceList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta1.ResourceSliceList), safe.Cast[*resourcev1beta1.ResourceSliceList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_AllocatedDeviceStatus validates an instance of AllocatedDeviceStatus according
+// to declarative validation rules in the API schema.
+func Validate_AllocatedDeviceStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.AllocatedDeviceStatus) (errs field.ErrorList) {
+	// field resourcev1beta1.AllocatedDeviceStatus.Driver has no validation
+	// field resourcev1beta1.AllocatedDeviceStatus.Pool has no validation
+	// field resourcev1beta1.AllocatedDeviceStatus.Device has no validation
+
+	// field resourcev1beta1.AllocatedDeviceStatus.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1beta1.AllocatedDeviceStatus) *string { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1beta1.AllocatedDeviceStatus.Conditions has no validation
+	// field resourcev1beta1.AllocatedDeviceStatus.Data has no validation
+
+	// field resourcev1beta1.AllocatedDeviceStatus.NetworkData
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.NetworkDeviceData, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_NetworkDeviceData(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("networkData"), obj.NetworkData, safe.Field(oldObj, func(oldObj *resourcev1beta1.AllocatedDeviceStatus) *resourcev1beta1.NetworkDeviceData {
+			return oldObj.NetworkData
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForAllocationConfigSource = sets.New(resourcev1beta1.AllocationConfigSourceClaim, resourcev1beta1.AllocationConfigSourceClass)
+
+// Validate_AllocationConfigSource validates an instance of AllocationConfigSource according
+// to declarative validation rules in the API schema.
+func Validate_AllocationConfigSource(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.AllocationConfigSource) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForAllocationConfigSource, nil)...)
+
+	return errs
+}
+
+// Validate_AllocationResult validates an instance of AllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_AllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.AllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta1.AllocationResult.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta1.AllocationResult) *resourcev1beta1.DeviceAllocationResult {
+			return &oldObj.Devices
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.AllocationResult.NodeSelector has no validation
+	// field resourcev1beta1.AllocationResult.AllocationTimestamp has no validation
+	return errs
+}
+
+// Validate_BasicDevice validates an instance of BasicDevice according
+// to declarative validation rules in the API schema.
+func Validate_BasicDevice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.BasicDevice) (errs field.ErrorList) {
+	// field resourcev1beta1.BasicDevice.Attributes
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj map[resourcev1beta1.QualifiedName]resourcev1beta1.DeviceAttribute, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the map and call the value type's validation function
+			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, Validate_DeviceAttribute)...)
+			return
+		}(fldPath.Child("attributes"), obj.Attributes, safe.Field(oldObj, func(oldObj *resourcev1beta1.BasicDevice) map[resourcev1beta1.QualifiedName]resourcev1beta1.DeviceAttribute {
+			return oldObj.Attributes
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.BasicDevice.Capacity has no validation
+
+	// field resourcev1beta1.BasicDevice.ConsumesCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceCounterConsumption, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 2); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceCounterConsumption, b resourcev1beta1.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceCounterConsumption, b resourcev1beta1.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			}, validate.SemanticDeepEqual, Validate_DeviceCounterConsumption)...)
+			return
+		}(fldPath.Child("consumesCounters"), obj.ConsumesCounters, safe.Field(oldObj, func(oldObj *resourcev1beta1.BasicDevice) []resourcev1beta1.DeviceCounterConsumption {
+			return oldObj.ConsumesCounters
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.BasicDevice.NodeName has no validation
+	// field resourcev1beta1.BasicDevice.NodeSelector has no validation
+	// field resourcev1beta1.BasicDevice.AllNodes has no validation
+
+	// field resourcev1beta1.BasicDevice.Taints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceTaint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceTaint)...)
+			return
+		}(fldPath.Child("taints"), obj.Taints, safe.Field(oldObj, func(oldObj *resourcev1beta1.BasicDevice) []resourcev1beta1.DeviceTaint { return oldObj.Taints }), oldObj != nil)...)
+
+	// field resourcev1beta1.BasicDevice.BindsToNode has no validation
+
+	// field resourcev1beta1.BasicDevice.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1beta1.BasicDevice) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1beta1.BasicDevice.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1beta1.BasicDevice) []string { return oldObj.BindingFailureConditions }), oldObj != nil)...)
+
+	// field resourcev1beta1.BasicDevice.AllowMultipleAllocations has no validation
+	return errs
+}
+
+// Validate_CounterSet validates an instance of CounterSet according
+// to declarative validation rules in the API schema.
+func Validate_CounterSet(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.CounterSet) (errs field.ErrorList) {
+	// field resourcev1beta1.CounterSet.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *resourcev1beta1.CounterSet) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field resourcev1beta1.CounterSet.Counters has no validation
+	return errs
+}
+
+// Validate_Device validates an instance of Device according
+// to declarative validation rules in the API schema.
+func Validate_Device(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.Device) (errs field.ErrorList) {
+	// field resourcev1beta1.Device.Name has no validation
+
+	// field resourcev1beta1.Device.Basic
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.BasicDevice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_BasicDevice(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("basic"), obj.Basic, safe.Field(oldObj, func(oldObj *resourcev1beta1.Device) *resourcev1beta1.BasicDevice { return oldObj.Basic }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceAllocationConfiguration validates an instance of DeviceAllocationConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceAllocationConfiguration.Source
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.AllocationConfigSource, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationConfigSource(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("source"), &obj.Source, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAllocationConfiguration) *resourcev1beta1.AllocationConfigSource {
+			return &oldObj.Source
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAllocationConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAllocationConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAllocationConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAllocationConfiguration) *resourcev1beta1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForDeviceAllocationMode = sets.New(resourcev1beta1.DeviceAllocationModeAll, resourcev1beta1.DeviceAllocationModeExactCount)
+
+// Validate_DeviceAllocationMode validates an instance of DeviceAllocationMode according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationMode(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationMode) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceAllocationMode, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceAllocationResult validates an instance of DeviceAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceAllocationResult.Results
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceRequestAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceRequestAllocationResult)...)
+			return
+		}(fldPath.Child("results"), obj.Results, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAllocationResult) []resourcev1beta1.DeviceRequestAllocationResult {
+			return oldObj.Results
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAllocationResult.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceAllocationConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 64); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceAllocationConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAllocationResult) []resourcev1beta1.DeviceAllocationConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var unionMembershipFor_k8s_io_api_resource_v1beta1_DeviceAttribute_ = validate.NewUnionMembership(validate.NewUnionMember("int"), validate.NewUnionMember("bool"), validate.NewUnionMember("string"), validate.NewUnionMember("version"))
+
+// Validate_DeviceAttribute validates an instance of DeviceAttribute according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAttribute(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAttribute) (errs field.ErrorList) {
+	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_api_resource_v1beta1_DeviceAttribute_, func(obj *resourcev1beta1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.IntValue != nil
+	}, func(obj *resourcev1beta1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.BoolValue != nil
+	}, func(obj *resourcev1beta1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.StringValue != nil
+	}, func(obj *resourcev1beta1.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.VersionValue != nil
+	})...)
+
+	// field resourcev1beta1.DeviceAttribute.IntValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("int"), obj.IntValue, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAttribute) *int64 { return oldObj.IntValue }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAttribute.BoolValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bool"), obj.BoolValue, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAttribute) *bool { return oldObj.BoolValue }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAttribute.StringValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("string"), obj.StringValue, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAttribute) *string { return oldObj.StringValue }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceAttribute.VersionValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("version"), obj.VersionValue, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceAttribute) *string { return oldObj.VersionValue }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaim validates an instance of DeviceClaim according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClaim) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClaim.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceRequest, b resourcev1beta1.DeviceRequest) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceRequest, b resourcev1beta1.DeviceRequest) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_DeviceRequest)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClaim) []resourcev1beta1.DeviceRequest { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClaim.Constraints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceConstraint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceConstraint)...)
+			return
+		}(fldPath.Child("constraints"), obj.Constraints, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClaim) []resourcev1beta1.DeviceConstraint {
+			return oldObj.Constraints
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClaim.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceClaimConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClaimConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClaim) []resourcev1beta1.DeviceClaimConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaimConfiguration validates an instance of DeviceClaimConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaimConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClaimConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClaimConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClaimConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClaimConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClaimConfiguration) *resourcev1beta1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClass validates an instance of DeviceClass according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClass(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClass) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClass.TypeMeta has no validation
+
+	// field resourcev1beta1.DeviceClass.ObjectMeta
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *v1.ObjectMeta, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			func() { // cohort name
+				earlyReturn := false
+				if e := validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *v1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.OptionalValue); len(e) != 0 {
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *v1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.LongName)...)
+			}()
+			return
+		}(fldPath.Child("metadata"), &obj.ObjectMeta, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClass) *v1.ObjectMeta { return &oldObj.ObjectMeta }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClass.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClassSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClassSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClass) *resourcev1beta1.DeviceClassSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassConfiguration validates an instance of DeviceClassConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClassConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClassConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta1.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClassConfiguration) *resourcev1beta1.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassList validates an instance of DeviceClassList according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClassList) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClassList.TypeMeta has no validation
+	// field resourcev1beta1.DeviceClassList.ListMeta has no validation
+
+	// field resourcev1beta1.DeviceClassList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceClass, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClass)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClassList) []resourcev1beta1.DeviceClass { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassSpec validates an instance of DeviceClassSpec according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClassSpec) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceClassSpec.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClassSpec) []resourcev1beta1.DeviceSelector {
+			return oldObj.Selectors
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClassSpec.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceClassConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClassConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClassSpec) []resourcev1beta1.DeviceClassConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceClassSpec.ExtendedResourceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("extendedResourceName"), obj.ExtendedResourceName, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceClassSpec) *string { return oldObj.ExtendedResourceName }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConfiguration validates an instance of DeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceConfiguration.Opaque
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.OpaqueDeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_OpaqueDeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("opaque"), obj.Opaque, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceConfiguration) *resourcev1beta1.OpaqueDeviceConfiguration {
+			return oldObj.Opaque
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConstraint validates an instance of DeviceConstraint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConstraint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceConstraint) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceConstraint.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceConstraint) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceConstraint.MatchAttribute
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.FullyQualifiedName, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("matchAttribute"), obj.MatchAttribute, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceConstraint) *resourcev1beta1.FullyQualifiedName {
+			return oldObj.MatchAttribute
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceConstraint.DistinctAttribute has no validation
+	return errs
+}
+
+// Validate_DeviceCounterConsumption validates an instance of DeviceCounterConsumption according
+// to declarative validation rules in the API schema.
+func Validate_DeviceCounterConsumption(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceCounterConsumption) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceCounterConsumption.CounterSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("counterSet"), &obj.CounterSet, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceCounterConsumption) *string { return &oldObj.CounterSet }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceCounterConsumption.Counters has no validation
+	return errs
+}
+
+// Validate_DeviceRequest validates an instance of DeviceRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceRequest) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceRequest.Name has no validation
+	// field resourcev1beta1.DeviceRequest.DeviceClassName has no validation
+
+	// field resourcev1beta1.DeviceRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequest) []resourcev1beta1.DeviceSelector { return oldObj.Selectors }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequest) *resourcev1beta1.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequest.Count has no validation
+	// field resourcev1beta1.DeviceRequest.AdminAccess has no validation
+
+	// field resourcev1beta1.DeviceRequest.FirstAvailable
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceSubRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceSubRequest, b resourcev1beta1.DeviceSubRequest) bool {
+				return a.Name == b.Name
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.DeviceSubRequest, b resourcev1beta1.DeviceSubRequest) bool {
+				return a.Name == b.Name
+			}, validate.SemanticDeepEqual, Validate_DeviceSubRequest)...)
+			return
+		}(fldPath.Child("firstAvailable"), obj.FirstAvailable, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequest) []resourcev1beta1.DeviceSubRequest {
+			return oldObj.FirstAvailable
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequest) []resourcev1beta1.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_DeviceRequestAllocationResult validates an instance of DeviceRequestAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequestAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceRequestAllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceRequestAllocationResult.Request has no validation
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.Pool
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("pool"), &obj.Pool, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) *string { return &oldObj.Pool }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.Device has no validation
+	// field resourcev1beta1.DeviceRequestAllocationResult.AdminAccess has no validation
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 16); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) []resourcev1beta1.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) []string {
+			return oldObj.BindingFailureConditions
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *types.UID, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceRequestAllocationResult) *types.UID { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceRequestAllocationResult.ConsumedCapacity has no validation
+	return errs
+}
+
+// Validate_DeviceSubRequest validates an instance of DeviceSubRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceSubRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceSubRequest) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceSubRequest.Name has no validation
+
+	// field resourcev1beta1.DeviceSubRequest.DeviceClassName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("deviceClassName"), &obj.DeviceClassName, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceSubRequest) *string { return &oldObj.DeviceClassName }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceSubRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceSubRequest) []resourcev1beta1.DeviceSelector {
+			return oldObj.Selectors
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceSubRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceSubRequest) *resourcev1beta1.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceSubRequest.Count has no validation
+
+	// field resourcev1beta1.DeviceSubRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceSubRequest) []resourcev1beta1.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceSubRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_DeviceTaint validates an instance of DeviceTaint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTaint) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceTaint.Key has no validation
+	// field resourcev1beta1.DeviceTaint.Value has no validation
+
+	// field resourcev1beta1.DeviceTaint.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceTaint) *resourcev1beta1.DeviceTaintEffect { return &oldObj.Effect }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceTaint.TimeAdded has no validation
+	return errs
+}
+
+var symbolsForDeviceTaintEffect = sets.New(resourcev1beta1.DeviceTaintEffectNoExecute, resourcev1beta1.DeviceTaintEffectNoSchedule, resourcev1beta1.DeviceTaintEffectNone)
+
+// Validate_DeviceTaintEffect validates an instance of DeviceTaintEffect according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaintEffect(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTaintEffect) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTaintEffect, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceToleration validates an instance of DeviceToleration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceToleration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceToleration) (errs field.ErrorList) {
+	// field resourcev1beta1.DeviceToleration.Key
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("key"), &obj.Key, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceToleration) *string { return &oldObj.Key }), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceToleration.Operator
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTolerationOperator, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTolerationOperator(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("operator"), &obj.Operator, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceToleration) *resourcev1beta1.DeviceTolerationOperator {
+			return &oldObj.Operator
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceToleration.Value has no validation
+
+	// field resourcev1beta1.DeviceToleration.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1beta1.DeviceToleration) *resourcev1beta1.DeviceTaintEffect {
+			return &oldObj.Effect
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.DeviceToleration.TolerationSeconds has no validation
+	return errs
+}
+
+var symbolsForDeviceTolerationOperator = sets.New(resourcev1beta1.DeviceTolerationOpEqual, resourcev1beta1.DeviceTolerationOpExists)
+
+// Validate_DeviceTolerationOperator validates an instance of DeviceTolerationOperator according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTolerationOperator(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceTolerationOperator) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTolerationOperator, nil)...)
+
+	return errs
+}
+
+// Validate_NetworkDeviceData validates an instance of NetworkDeviceData according
+// to declarative validation rules in the API schema.
+func Validate_NetworkDeviceData(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.NetworkDeviceData) (errs field.ErrorList) {
+	// field resourcev1beta1.NetworkDeviceData.InterfaceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 256)...)
+			return
+		}(fldPath.Child("interfaceName"), &obj.InterfaceName, safe.Field(oldObj, func(oldObj *resourcev1beta1.NetworkDeviceData) *string { return &oldObj.InterfaceName }), oldObj != nil)...)
+
+	// field resourcev1beta1.NetworkDeviceData.IPs
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 16); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("ips"), obj.IPs, safe.Field(oldObj, func(oldObj *resourcev1beta1.NetworkDeviceData) []string { return oldObj.IPs }), oldObj != nil)...)
+
+	// field resourcev1beta1.NetworkDeviceData.HardwareAddress
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 128)...)
+			return
+		}(fldPath.Child("hardwareAddress"), &obj.HardwareAddress, safe.Field(oldObj, func(oldObj *resourcev1beta1.NetworkDeviceData) *string { return &oldObj.HardwareAddress }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_OpaqueDeviceConfiguration validates an instance of OpaqueDeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_OpaqueDeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.OpaqueDeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta1.OpaqueDeviceConfiguration.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1beta1.OpaqueDeviceConfiguration) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1beta1.OpaqueDeviceConfiguration.Parameters has no validation
+	return errs
+}
+
+// Validate_ResourceClaim validates an instance of ResourceClaim according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaim) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaim.TypeMeta has no validation
+	// field resourcev1beta1.ResourceClaim.ObjectMeta has no validation
+
+	// field resourcev1beta1.ResourceClaim.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaim) *resourcev1beta1.ResourceClaimSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	// field resourcev1beta1.ResourceClaim.Status
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimStatus(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("status"), &obj.Status, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaim) *resourcev1beta1.ResourceClaimStatus {
+			return &oldObj.Status
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimList validates an instance of ResourceClaimList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimList) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimList.TypeMeta has no validation
+	// field resourcev1beta1.ResourceClaimList.ListMeta has no validation
+
+	// field resourcev1beta1.ResourceClaimList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.ResourceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaim)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimList) []resourcev1beta1.ResourceClaim { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimSpec validates an instance of ResourceClaimSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimSpec) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.DeviceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClaim(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimSpec) *resourcev1beta1.DeviceClaim { return &oldObj.Devices }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimStatus validates an instance of ResourceClaimStatus according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimStatus) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimStatus.Allocation
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.AllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocation"), obj.Allocation, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimStatus) *resourcev1beta1.AllocationResult {
+			return oldObj.Allocation
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.ResourceClaimStatus.ReservedFor
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.ResourceClaimConsumerReference, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 256); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.ResourceClaimConsumerReference, b resourcev1beta1.ResourceClaimConsumerReference) bool {
+				return a.UID == b.UID
+			})...)
+			return
+		}(fldPath.Child("reservedFor"), obj.ReservedFor, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimStatus) []resourcev1beta1.ResourceClaimConsumerReference {
+			return oldObj.ReservedFor
+		}), oldObj != nil)...)
+
+	// field resourcev1beta1.ResourceClaimStatus.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.AllocatedDeviceStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.AllocatedDeviceStatus, b resourcev1beta1.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.AllocatedDeviceStatus, b resourcev1beta1.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			}, validate.SemanticDeepEqual, Validate_AllocatedDeviceStatus)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimStatus) []resourcev1beta1.AllocatedDeviceStatus {
+			return oldObj.Devices
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplate validates an instance of ResourceClaimTemplate according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplate(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimTemplate) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimTemplate.TypeMeta has no validation
+	// field resourcev1beta1.ResourceClaimTemplate.ObjectMeta has no validation
+
+	// field resourcev1beta1.ResourceClaimTemplate.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimTemplateSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimTemplateSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimTemplate) *resourcev1beta1.ResourceClaimTemplateSpec {
+			return &oldObj.Spec
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateList validates an instance of ResourceClaimTemplateList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimTemplateList) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimTemplateList.TypeMeta has no validation
+	// field resourcev1beta1.ResourceClaimTemplateList.ListMeta has no validation
+
+	// field resourcev1beta1.ResourceClaimTemplateList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.ResourceClaimTemplate, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaimTemplate)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimTemplateList) []resourcev1beta1.ResourceClaimTemplate {
+			return oldObj.Items
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateSpec validates an instance of ResourceClaimTemplateSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimTemplateSpec) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceClaimTemplateSpec.ObjectMeta has no validation
+
+	// field resourcev1beta1.ResourceClaimTemplateSpec.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceClaimTemplateSpec) *resourcev1beta1.ResourceClaimSpec {
+			return &oldObj.Spec
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSlice validates an instance of ResourceSlice according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceSlice) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceSlice.TypeMeta has no validation
+	// field resourcev1beta1.ResourceSlice.ObjectMeta has no validation
+
+	// field resourcev1beta1.ResourceSlice.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceSliceSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceSliceSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceSlice) *resourcev1beta1.ResourceSliceSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceList validates an instance of ResourceSliceList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceSliceList) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceSliceList.TypeMeta has no validation
+	// field resourcev1beta1.ResourceSliceList.ListMeta has no validation
+
+	// field resourcev1beta1.ResourceSliceList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.ResourceSlice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceSlice)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceSliceList) []resourcev1beta1.ResourceSlice { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceSpec validates an instance of ResourceSliceSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta1.ResourceSliceSpec) (errs field.ErrorList) {
+	// field resourcev1beta1.ResourceSliceSpec.Driver has no validation
+	// field resourcev1beta1.ResourceSliceSpec.Pool has no validation
+	// field resourcev1beta1.ResourceSliceSpec.NodeName has no validation
+	// field resourcev1beta1.ResourceSliceSpec.NodeSelector has no validation
+	// field resourcev1beta1.ResourceSliceSpec.AllNodes has no validation
+
+	// field resourcev1beta1.ResourceSliceSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.Device, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Device)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceSliceSpec) []resourcev1beta1.Device { return oldObj.Devices }), oldObj != nil)...)
+
+	// field resourcev1beta1.ResourceSliceSpec.PerDeviceNodeSelection has no validation
+
+	// field resourcev1beta1.ResourceSliceSpec.SharedCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta1.CounterSet, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.CounterSet, b resourcev1beta1.CounterSet) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta1.CounterSet, b resourcev1beta1.CounterSet) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_CounterSet)...)
+			return
+		}(fldPath.Child("sharedCounters"), obj.SharedCounters, safe.Field(oldObj, func(oldObj *resourcev1beta1.ResourceSliceSpec) []resourcev1beta1.CounterSet {
+			return oldObj.SharedCounters
+		}), oldObj != nil)...)
+
+	return errs
+}
diff --git a/pkg/apis/resource/v1beta2/doc.go b/pkg/apis/resource/v1beta2/doc.go
index beea4f266b95f..ca447ac715443 100644
--- a/pkg/apis/resource/v1beta2/doc.go
+++ b/pkg/apis/resource/v1beta2/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen-external-types=k8s.io/api/resource/v1beta2
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/resource/v1beta2
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/resource/v1beta2
 
 // Package v1beta2 is the v1beta2 version of the resource API.
 package v1beta2
diff --git a/pkg/apis/resource/v1beta2/zz_generated.validations.go b/pkg/apis/resource/v1beta2/zz_generated.validations.go
new file mode 100644
index 0000000000000..2960f5fa78b6d
--- /dev/null
+++ b/pkg/apis/resource/v1beta2/zz_generated.validations.go
@@ -0,0 +1,1862 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1beta2
+
+import (
+	context "context"
+	fmt "fmt"
+
+	resourcev1beta2 "k8s.io/api/resource/v1beta2"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
+	sets "k8s.io/apimachinery/pkg/util/sets"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type DeviceClass
+	scheme.AddValidationFunc((*resourcev1beta2.DeviceClass)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClass(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.DeviceClass), safe.Cast[*resourcev1beta2.DeviceClass](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type DeviceClassList
+	scheme.AddValidationFunc((*resourcev1beta2.DeviceClassList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_DeviceClassList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.DeviceClassList), safe.Cast[*resourcev1beta2.DeviceClassList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaim
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceClaim)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/", "/status":
+			return Validate_ResourceClaim(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceClaim), safe.Cast[*resourcev1beta2.ResourceClaim](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimList
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceClaimList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceClaimList), safe.Cast[*resourcev1beta2.ResourceClaimList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplate
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceClaimTemplate)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplate(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceClaimTemplate), safe.Cast[*resourcev1beta2.ResourceClaimTemplate](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceClaimTemplateList
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceClaimTemplateList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceClaimTemplateList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceClaimTemplateList), safe.Cast[*resourcev1beta2.ResourceClaimTemplateList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSlice
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceSlice)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSlice(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceSlice), safe.Cast[*resourcev1beta2.ResourceSlice](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type ResourceSliceList
+	scheme.AddValidationFunc((*resourcev1beta2.ResourceSliceList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ResourceSliceList(ctx, op, nil /* fldPath */, obj.(*resourcev1beta2.ResourceSliceList), safe.Cast[*resourcev1beta2.ResourceSliceList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_AllocatedDeviceStatus validates an instance of AllocatedDeviceStatus according
+// to declarative validation rules in the API schema.
+func Validate_AllocatedDeviceStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.AllocatedDeviceStatus) (errs field.ErrorList) {
+	// field resourcev1beta2.AllocatedDeviceStatus.Driver has no validation
+	// field resourcev1beta2.AllocatedDeviceStatus.Pool has no validation
+	// field resourcev1beta2.AllocatedDeviceStatus.Device has no validation
+
+	// field resourcev1beta2.AllocatedDeviceStatus.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1beta2.AllocatedDeviceStatus) *string { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1beta2.AllocatedDeviceStatus.Conditions has no validation
+	// field resourcev1beta2.AllocatedDeviceStatus.Data has no validation
+
+	// field resourcev1beta2.AllocatedDeviceStatus.NetworkData
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.NetworkDeviceData, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_NetworkDeviceData(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("networkData"), obj.NetworkData, safe.Field(oldObj, func(oldObj *resourcev1beta2.AllocatedDeviceStatus) *resourcev1beta2.NetworkDeviceData {
+			return oldObj.NetworkData
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForAllocationConfigSource = sets.New(resourcev1beta2.AllocationConfigSourceClaim, resourcev1beta2.AllocationConfigSourceClass)
+
+// Validate_AllocationConfigSource validates an instance of AllocationConfigSource according
+// to declarative validation rules in the API schema.
+func Validate_AllocationConfigSource(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.AllocationConfigSource) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForAllocationConfigSource, nil)...)
+
+	return errs
+}
+
+// Validate_AllocationResult validates an instance of AllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_AllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.AllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta2.AllocationResult.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta2.AllocationResult) *resourcev1beta2.DeviceAllocationResult {
+			return &oldObj.Devices
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.AllocationResult.NodeSelector has no validation
+	// field resourcev1beta2.AllocationResult.AllocationTimestamp has no validation
+	return errs
+}
+
+// Validate_CounterSet validates an instance of CounterSet according
+// to declarative validation rules in the API schema.
+func Validate_CounterSet(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.CounterSet) (errs field.ErrorList) {
+	// field resourcev1beta2.CounterSet.Name
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("name"), &obj.Name, safe.Field(oldObj, func(oldObj *resourcev1beta2.CounterSet) *string { return &oldObj.Name }), oldObj != nil)...)
+
+	// field resourcev1beta2.CounterSet.Counters has no validation
+	return errs
+}
+
+// Validate_Device validates an instance of Device according
+// to declarative validation rules in the API schema.
+func Validate_Device(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.Device) (errs field.ErrorList) {
+	// field resourcev1beta2.Device.Name has no validation
+
+	// field resourcev1beta2.Device.Attributes
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj map[resourcev1beta2.QualifiedName]resourcev1beta2.DeviceAttribute, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the map and call the value type's validation function
+			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, Validate_DeviceAttribute)...)
+			return
+		}(fldPath.Child("attributes"), obj.Attributes, safe.Field(oldObj, func(oldObj *resourcev1beta2.Device) map[resourcev1beta2.QualifiedName]resourcev1beta2.DeviceAttribute {
+			return oldObj.Attributes
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.Device.Capacity has no validation
+
+	// field resourcev1beta2.Device.ConsumesCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceCounterConsumption, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 2); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceCounterConsumption, b resourcev1beta2.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceCounterConsumption, b resourcev1beta2.DeviceCounterConsumption) bool {
+				return a.CounterSet == b.CounterSet
+			}, validate.SemanticDeepEqual, Validate_DeviceCounterConsumption)...)
+			return
+		}(fldPath.Child("consumesCounters"), obj.ConsumesCounters, safe.Field(oldObj, func(oldObj *resourcev1beta2.Device) []resourcev1beta2.DeviceCounterConsumption {
+			return oldObj.ConsumesCounters
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.Device.NodeName has no validation
+	// field resourcev1beta2.Device.NodeSelector has no validation
+	// field resourcev1beta2.Device.AllNodes has no validation
+
+	// field resourcev1beta2.Device.Taints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceTaint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceTaint)...)
+			return
+		}(fldPath.Child("taints"), obj.Taints, safe.Field(oldObj, func(oldObj *resourcev1beta2.Device) []resourcev1beta2.DeviceTaint { return oldObj.Taints }), oldObj != nil)...)
+
+	// field resourcev1beta2.Device.BindsToNode has no validation
+
+	// field resourcev1beta2.Device.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1beta2.Device) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1beta2.Device.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1beta2.Device) []string { return oldObj.BindingFailureConditions }), oldObj != nil)...)
+
+	// field resourcev1beta2.Device.AllowMultipleAllocations has no validation
+	return errs
+}
+
+// Validate_DeviceAllocationConfiguration validates an instance of DeviceAllocationConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceAllocationConfiguration.Source
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.AllocationConfigSource, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationConfigSource(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("source"), &obj.Source, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAllocationConfiguration) *resourcev1beta2.AllocationConfigSource {
+			return &oldObj.Source
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAllocationConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAllocationConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAllocationConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta2.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAllocationConfiguration) *resourcev1beta2.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForDeviceAllocationMode = sets.New(resourcev1beta2.DeviceAllocationModeAll, resourcev1beta2.DeviceAllocationModeExactCount)
+
+// Validate_DeviceAllocationMode validates an instance of DeviceAllocationMode according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationMode(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationMode) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceAllocationMode, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceAllocationResult validates an instance of DeviceAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceAllocationResult.Results
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceRequestAllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceRequestAllocationResult)...)
+			return
+		}(fldPath.Child("results"), obj.Results, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAllocationResult) []resourcev1beta2.DeviceRequestAllocationResult {
+			return oldObj.Results
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAllocationResult.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceAllocationConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 64); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceAllocationConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAllocationResult) []resourcev1beta2.DeviceAllocationConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+var unionMembershipFor_k8s_io_api_resource_v1beta2_DeviceAttribute_ = validate.NewUnionMembership(validate.NewUnionMember("int"), validate.NewUnionMember("bool"), validate.NewUnionMember("string"), validate.NewUnionMember("version"))
+
+// Validate_DeviceAttribute validates an instance of DeviceAttribute according
+// to declarative validation rules in the API schema.
+func Validate_DeviceAttribute(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAttribute) (errs field.ErrorList) {
+	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_api_resource_v1beta2_DeviceAttribute_, func(obj *resourcev1beta2.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.IntValue != nil
+	}, func(obj *resourcev1beta2.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.BoolValue != nil
+	}, func(obj *resourcev1beta2.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.StringValue != nil
+	}, func(obj *resourcev1beta2.DeviceAttribute) bool {
+		if obj == nil {
+			return false
+		}
+		return obj.VersionValue != nil
+	})...)
+
+	// field resourcev1beta2.DeviceAttribute.IntValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("int"), obj.IntValue, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAttribute) *int64 { return oldObj.IntValue }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAttribute.BoolValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bool"), obj.BoolValue, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAttribute) *bool { return oldObj.BoolValue }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAttribute.StringValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("string"), obj.StringValue, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAttribute) *string { return oldObj.StringValue }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceAttribute.VersionValue
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("version"), obj.VersionValue, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceAttribute) *string { return oldObj.VersionValue }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaim validates an instance of DeviceClaim according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClaim) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClaim.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceRequest, b resourcev1beta2.DeviceRequest) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceRequest, b resourcev1beta2.DeviceRequest) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_DeviceRequest)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClaim) []resourcev1beta2.DeviceRequest { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClaim.Constraints
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceConstraint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceConstraint)...)
+			return
+		}(fldPath.Child("constraints"), obj.Constraints, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClaim) []resourcev1beta2.DeviceConstraint {
+			return oldObj.Constraints
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClaim.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceClaimConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClaimConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClaim) []resourcev1beta2.DeviceClaimConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClaimConfiguration validates an instance of DeviceClaimConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClaimConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClaimConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClaimConfiguration.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClaimConfiguration) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClaimConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta2.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClaimConfiguration) *resourcev1beta2.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClass validates an instance of DeviceClass according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClass(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClass) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClass.TypeMeta has no validation
+
+	// field resourcev1beta2.DeviceClass.ObjectMeta
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *v1.ObjectMeta, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			func() { // cohort name
+				earlyReturn := false
+				if e := validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *v1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.OptionalValue); len(e) != 0 {
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "name", func(o *v1.ObjectMeta) *string { return &o.Name }, validate.DirectEqualPtr, validate.LongName)...)
+			}()
+			return
+		}(fldPath.Child("metadata"), &obj.ObjectMeta, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClass) *v1.ObjectMeta { return &oldObj.ObjectMeta }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClass.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClassSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClassSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClass) *resourcev1beta2.DeviceClassSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassConfiguration validates an instance of DeviceClassConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClassConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClassConfiguration.DeviceConfiguration
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("resourcev1beta2.DeviceConfiguration") }), &obj.DeviceConfiguration, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClassConfiguration) *resourcev1beta2.DeviceConfiguration {
+			return &oldObj.DeviceConfiguration
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassList validates an instance of DeviceClassList according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClassList) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClassList.TypeMeta has no validation
+	// field resourcev1beta2.DeviceClassList.ListMeta has no validation
+
+	// field resourcev1beta2.DeviceClassList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceClass, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClass)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClassList) []resourcev1beta2.DeviceClass { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceClassSpec validates an instance of DeviceClassSpec according
+// to declarative validation rules in the API schema.
+func Validate_DeviceClassSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClassSpec) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceClassSpec.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClassSpec) []resourcev1beta2.DeviceSelector {
+			return oldObj.Selectors
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClassSpec.Config
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceClassConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceClassConfiguration)...)
+			return
+		}(fldPath.Child("config"), obj.Config, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClassSpec) []resourcev1beta2.DeviceClassConfiguration {
+			return oldObj.Config
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceClassSpec.ExtendedResourceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("extendedResourceName"), obj.ExtendedResourceName, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceClassSpec) *string { return oldObj.ExtendedResourceName }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConfiguration validates an instance of DeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceConfiguration.Opaque
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.OpaqueDeviceConfiguration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_OpaqueDeviceConfiguration(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("opaque"), obj.Opaque, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceConfiguration) *resourcev1beta2.OpaqueDeviceConfiguration {
+			return oldObj.Opaque
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceConstraint validates an instance of DeviceConstraint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceConstraint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceConstraint) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceConstraint.Requests
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("requests"), obj.Requests, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceConstraint) []string { return oldObj.Requests }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceConstraint.MatchAttribute
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.FullyQualifiedName, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("matchAttribute"), obj.MatchAttribute, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceConstraint) *resourcev1beta2.FullyQualifiedName {
+			return oldObj.MatchAttribute
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceConstraint.DistinctAttribute has no validation
+	return errs
+}
+
+// Validate_DeviceCounterConsumption validates an instance of DeviceCounterConsumption according
+// to declarative validation rules in the API schema.
+func Validate_DeviceCounterConsumption(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceCounterConsumption) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceCounterConsumption.CounterSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("counterSet"), &obj.CounterSet, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceCounterConsumption) *string { return &oldObj.CounterSet }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceCounterConsumption.Counters has no validation
+	return errs
+}
+
+// Validate_DeviceRequest validates an instance of DeviceRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceRequest) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceRequest.Name has no validation
+
+	// field resourcev1beta2.DeviceRequest.Exactly
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ExactDeviceRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ExactDeviceRequest(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("exactly"), obj.Exactly, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequest) *resourcev1beta2.ExactDeviceRequest { return oldObj.Exactly }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequest.FirstAvailable
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceSubRequest, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceSubRequest, b resourcev1beta2.DeviceSubRequest) bool {
+				return a.Name == b.Name
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.DeviceSubRequest, b resourcev1beta2.DeviceSubRequest) bool {
+				return a.Name == b.Name
+			}, validate.SemanticDeepEqual, Validate_DeviceSubRequest)...)
+			return
+		}(fldPath.Child("firstAvailable"), obj.FirstAvailable, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequest) []resourcev1beta2.DeviceSubRequest {
+			return oldObj.FirstAvailable
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_DeviceRequestAllocationResult validates an instance of DeviceRequestAllocationResult according
+// to declarative validation rules in the API schema.
+func Validate_DeviceRequestAllocationResult(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceRequestAllocationResult) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceRequestAllocationResult.Request has no validation
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.Pool
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("pool"), &obj.Pool, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) *string { return &oldObj.Pool }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.Device has no validation
+	// field resourcev1beta2.DeviceRequestAllocationResult.AdminAccess has no validation
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) []resourcev1beta2.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.BindingConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingConditions"), obj.BindingConditions, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) []string { return oldObj.BindingConditions }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.BindingFailureConditions
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 4); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("bindingFailureConditions"), obj.BindingFailureConditions, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) []string {
+			return oldObj.BindingFailureConditions
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.ShareID
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *types.UID, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shareID"), obj.ShareID, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceRequestAllocationResult) *types.UID { return oldObj.ShareID }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceRequestAllocationResult.ConsumedCapacity has no validation
+	return errs
+}
+
+// Validate_DeviceSubRequest validates an instance of DeviceSubRequest according
+// to declarative validation rules in the API schema.
+func Validate_DeviceSubRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceSubRequest) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceSubRequest.Name has no validation
+
+	// field resourcev1beta2.DeviceSubRequest.DeviceClassName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("deviceClassName"), &obj.DeviceClassName, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceSubRequest) *string { return &oldObj.DeviceClassName }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceSubRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceSubRequest) []resourcev1beta2.DeviceSelector {
+			return oldObj.Selectors
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceSubRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceSubRequest) *resourcev1beta2.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceSubRequest.Count has no validation
+
+	// field resourcev1beta2.DeviceSubRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceSubRequest) []resourcev1beta2.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceSubRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_DeviceTaint validates an instance of DeviceTaint according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaint(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTaint) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceTaint.Key has no validation
+	// field resourcev1beta2.DeviceTaint.Value has no validation
+
+	// field resourcev1beta2.DeviceTaint.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceTaint) *resourcev1beta2.DeviceTaintEffect { return &oldObj.Effect }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceTaint.TimeAdded has no validation
+	return errs
+}
+
+var symbolsForDeviceTaintEffect = sets.New(resourcev1beta2.DeviceTaintEffectNoExecute, resourcev1beta2.DeviceTaintEffectNoSchedule, resourcev1beta2.DeviceTaintEffectNone)
+
+// Validate_DeviceTaintEffect validates an instance of DeviceTaintEffect according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTaintEffect(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTaintEffect) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTaintEffect, nil)...)
+
+	return errs
+}
+
+// Validate_DeviceToleration validates an instance of DeviceToleration according
+// to declarative validation rules in the API schema.
+func Validate_DeviceToleration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceToleration) (errs field.ErrorList) {
+	// field resourcev1beta2.DeviceToleration.Key
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("key"), &obj.Key, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceToleration) *string { return &oldObj.Key }), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceToleration.Operator
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTolerationOperator, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTolerationOperator(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("operator"), &obj.Operator, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceToleration) *resourcev1beta2.DeviceTolerationOperator {
+			return &oldObj.Operator
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceToleration.Value has no validation
+
+	// field resourcev1beta2.DeviceToleration.Effect
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTaintEffect, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceTaintEffect(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("effect"), &obj.Effect, safe.Field(oldObj, func(oldObj *resourcev1beta2.DeviceToleration) *resourcev1beta2.DeviceTaintEffect {
+			return &oldObj.Effect
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.DeviceToleration.TolerationSeconds has no validation
+	return errs
+}
+
+var symbolsForDeviceTolerationOperator = sets.New(resourcev1beta2.DeviceTolerationOpEqual, resourcev1beta2.DeviceTolerationOpExists)
+
+// Validate_DeviceTolerationOperator validates an instance of DeviceTolerationOperator according
+// to declarative validation rules in the API schema.
+func Validate_DeviceTolerationOperator(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceTolerationOperator) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForDeviceTolerationOperator, nil)...)
+
+	return errs
+}
+
+// Validate_ExactDeviceRequest validates an instance of ExactDeviceRequest according
+// to declarative validation rules in the API schema.
+func Validate_ExactDeviceRequest(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ExactDeviceRequest) (errs field.ErrorList) {
+	// field resourcev1beta2.ExactDeviceRequest.DeviceClassName has no validation
+
+	// field resourcev1beta2.ExactDeviceRequest.Selectors
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceSelector, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 32); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("selectors"), obj.Selectors, safe.Field(oldObj, func(oldObj *resourcev1beta2.ExactDeviceRequest) []resourcev1beta2.DeviceSelector {
+			return oldObj.Selectors
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.ExactDeviceRequest.AllocationMode
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceAllocationMode, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceAllocationMode(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocationMode"), &obj.AllocationMode, safe.Field(oldObj, func(oldObj *resourcev1beta2.ExactDeviceRequest) *resourcev1beta2.DeviceAllocationMode {
+			return &oldObj.AllocationMode
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.ExactDeviceRequest.Count has no validation
+	// field resourcev1beta2.ExactDeviceRequest.AdminAccess has no validation
+
+	// field resourcev1beta2.ExactDeviceRequest.Tolerations
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.DeviceToleration, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_DeviceToleration)...)
+			return
+		}(fldPath.Child("tolerations"), obj.Tolerations, safe.Field(oldObj, func(oldObj *resourcev1beta2.ExactDeviceRequest) []resourcev1beta2.DeviceToleration {
+			return oldObj.Tolerations
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.ExactDeviceRequest.Capacity has no validation
+	return errs
+}
+
+// Validate_NetworkDeviceData validates an instance of NetworkDeviceData according
+// to declarative validation rules in the API schema.
+func Validate_NetworkDeviceData(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.NetworkDeviceData) (errs field.ErrorList) {
+	// field resourcev1beta2.NetworkDeviceData.InterfaceName
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 256)...)
+			return
+		}(fldPath.Child("interfaceName"), &obj.InterfaceName, safe.Field(oldObj, func(oldObj *resourcev1beta2.NetworkDeviceData) *string { return &oldObj.InterfaceName }), oldObj != nil)...)
+
+	// field resourcev1beta2.NetworkDeviceData.IPs
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 16); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("ips"), obj.IPs, safe.Field(oldObj, func(oldObj *resourcev1beta2.NetworkDeviceData) []string { return oldObj.IPs }), oldObj != nil)...)
+
+	// field resourcev1beta2.NetworkDeviceData.HardwareAddress
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 128)...)
+			return
+		}(fldPath.Child("hardwareAddress"), &obj.HardwareAddress, safe.Field(oldObj, func(oldObj *resourcev1beta2.NetworkDeviceData) *string { return &oldObj.HardwareAddress }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_OpaqueDeviceConfiguration validates an instance of OpaqueDeviceConfiguration according
+// to declarative validation rules in the API schema.
+func Validate_OpaqueDeviceConfiguration(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.OpaqueDeviceConfiguration) (errs field.ErrorList) {
+	// field resourcev1beta2.OpaqueDeviceConfiguration.Driver
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("driver"), &obj.Driver, safe.Field(oldObj, func(oldObj *resourcev1beta2.OpaqueDeviceConfiguration) *string { return &oldObj.Driver }), oldObj != nil)...)
+
+	// field resourcev1beta2.OpaqueDeviceConfiguration.Parameters has no validation
+	return errs
+}
+
+// Validate_ResourceClaim validates an instance of ResourceClaim according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaim(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaim) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaim.TypeMeta has no validation
+	// field resourcev1beta2.ResourceClaim.ObjectMeta has no validation
+
+	// field resourcev1beta2.ResourceClaim.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaim) *resourcev1beta2.ResourceClaimSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	// field resourcev1beta2.ResourceClaim.Status
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimStatus(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("status"), &obj.Status, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaim) *resourcev1beta2.ResourceClaimStatus {
+			return &oldObj.Status
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimList validates an instance of ResourceClaimList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimList) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimList.TypeMeta has no validation
+	// field resourcev1beta2.ResourceClaimList.ListMeta has no validation
+
+	// field resourcev1beta2.ResourceClaimList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.ResourceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaim)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimList) []resourcev1beta2.ResourceClaim { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimSpec validates an instance of ResourceClaimSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimSpec) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.DeviceClaim, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_DeviceClaim(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("devices"), &obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimSpec) *resourcev1beta2.DeviceClaim { return &oldObj.Devices }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimStatus validates an instance of ResourceClaimStatus according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimStatus(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimStatus) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimStatus.Allocation
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.AllocationResult, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_AllocationResult(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("allocation"), obj.Allocation, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimStatus) *resourcev1beta2.AllocationResult {
+			return oldObj.Allocation
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.ResourceClaimStatus.ReservedFor
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.ResourceClaimConsumerReference, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 256); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.ResourceClaimConsumerReference, b resourcev1beta2.ResourceClaimConsumerReference) bool {
+				return a.UID == b.UID
+			})...)
+			return
+		}(fldPath.Child("reservedFor"), obj.ReservedFor, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimStatus) []resourcev1beta2.ResourceClaimConsumerReference {
+			return oldObj.ReservedFor
+		}), oldObj != nil)...)
+
+	// field resourcev1beta2.ResourceClaimStatus.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.AllocatedDeviceStatus, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.AllocatedDeviceStatus, b resourcev1beta2.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.AllocatedDeviceStatus, b resourcev1beta2.AllocatedDeviceStatus) bool {
+				return a.Driver == b.Driver && a.Device == b.Device && a.Pool == b.Pool && ((a.ShareID == nil && b.ShareID == nil) || (a.ShareID != nil && b.ShareID != nil && *a.ShareID == *b.ShareID))
+			}, validate.SemanticDeepEqual, Validate_AllocatedDeviceStatus)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimStatus) []resourcev1beta2.AllocatedDeviceStatus {
+			return oldObj.Devices
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplate validates an instance of ResourceClaimTemplate according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplate(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimTemplate) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimTemplate.TypeMeta has no validation
+	// field resourcev1beta2.ResourceClaimTemplate.ObjectMeta has no validation
+
+	// field resourcev1beta2.ResourceClaimTemplate.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimTemplateSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimTemplateSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimTemplate) *resourcev1beta2.ResourceClaimTemplateSpec {
+			return &oldObj.Spec
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateList validates an instance of ResourceClaimTemplateList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimTemplateList) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimTemplateList.TypeMeta has no validation
+	// field resourcev1beta2.ResourceClaimTemplateList.ListMeta has no validation
+
+	// field resourcev1beta2.ResourceClaimTemplateList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.ResourceClaimTemplate, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceClaimTemplate)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimTemplateList) []resourcev1beta2.ResourceClaimTemplate {
+			return oldObj.Items
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceClaimTemplateSpec validates an instance of ResourceClaimTemplateSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceClaimTemplateSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimTemplateSpec) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceClaimTemplateSpec.ObjectMeta has no validation
+
+	// field resourcev1beta2.ResourceClaimTemplateSpec.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceClaimSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceClaimSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceClaimTemplateSpec) *resourcev1beta2.ResourceClaimSpec {
+			return &oldObj.Spec
+		}), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSlice validates an instance of ResourceSlice according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceSlice) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceSlice.TypeMeta has no validation
+	// field resourcev1beta2.ResourceSlice.ObjectMeta has no validation
+
+	// field resourcev1beta2.ResourceSlice.Spec
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceSliceSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourceSliceSpec(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceSlice) *resourcev1beta2.ResourceSliceSpec { return &oldObj.Spec }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceList validates an instance of ResourceSliceList according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceSliceList) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceSliceList.TypeMeta has no validation
+	// field resourcev1beta2.ResourceSliceList.ListMeta has no validation
+
+	// field resourcev1beta2.ResourceSliceList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.ResourceSlice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_ResourceSlice)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceSliceList) []resourcev1beta2.ResourceSlice { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ResourceSliceSpec validates an instance of ResourceSliceSpec according
+// to declarative validation rules in the API schema.
+func Validate_ResourceSliceSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *resourcev1beta2.ResourceSliceSpec) (errs field.ErrorList) {
+	// field resourcev1beta2.ResourceSliceSpec.Driver has no validation
+	// field resourcev1beta2.ResourceSliceSpec.Pool has no validation
+	// field resourcev1beta2.ResourceSliceSpec.NodeName has no validation
+	// field resourcev1beta2.ResourceSliceSpec.NodeSelector has no validation
+	// field resourcev1beta2.ResourceSliceSpec.AllNodes has no validation
+
+	// field resourcev1beta2.ResourceSliceSpec.Devices
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.Device, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_Device)...)
+			return
+		}(fldPath.Child("devices"), obj.Devices, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceSliceSpec) []resourcev1beta2.Device { return oldObj.Devices }), oldObj != nil)...)
+
+	// field resourcev1beta2.ResourceSliceSpec.PerDeviceNodeSelection has no validation
+
+	// field resourcev1beta2.ResourceSliceSpec.SharedCounters
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []resourcev1beta2.CounterSet, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 8); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.CounterSet, b resourcev1beta2.CounterSet) bool { return a.Name == b.Name })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a resourcev1beta2.CounterSet, b resourcev1beta2.CounterSet) bool { return a.Name == b.Name }, validate.SemanticDeepEqual, Validate_CounterSet)...)
+			return
+		}(fldPath.Child("sharedCounters"), obj.SharedCounters, safe.Field(oldObj, func(oldObj *resourcev1beta2.ResourceSliceSpec) []resourcev1beta2.CounterSet {
+			return oldObj.SharedCounters
+		}), oldObj != nil)...)
+
+	return errs
+}
diff --git a/pkg/apis/resource/validation/validation.go b/pkg/apis/resource/validation/validation.go
index b06472a453756..ef2b4cfe82603 100644
--- a/pkg/apis/resource/validation/validation.go
+++ b/pkg/apis/resource/validation/validation.go
@@ -17,17 +17,23 @@ limitations under the License.
 package validation
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 
 	"github.com/google/uuid"
+
 	corev1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
 	apiresource "k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/api/validate"
+	"k8s.io/apimachinery/pkg/api/validate/content"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -46,6 +52,20 @@ import (
 	"k8s.io/kubernetes/pkg/features"
 )
 
+// ResourceNormalizationRules handles the structural differences between v1beta1
+// (flattened fields) and v1/v1beta2 (fields under 'exactly') for validation error paths.
+var ResourceNormalizationRules = []field.NormalizationRule{
+	{
+		Regexp:      regexp.MustCompile(`spec.devices\.requests\[(\d+)\]\.(deviceClassName|selectors|allocationMode|count|adminAccess|tolerations)`),
+		Replacement: "spec.devices.requests[$1].exactly.$2",
+	},
+	{
+		// This v1beta1 'basic' to flattened rule is to support ResourceSlice
+		Regexp:      regexp.MustCompile(`spec.devices\[(\d+)\]\.basic\.`),
+		Replacement: "spec.devices[$1].",
+	},
+}
+
 var (
 	// validateResourceDriverName reuses the validation of a CSI driver because
 	// the allowed values are exactly the same.
@@ -65,11 +85,11 @@ func validatePoolName(name string, fldPath *field.Path) field.ErrorList {
 		allErrs = append(allErrs, field.Required(fldPath, ""))
 	} else {
 		if len(name) > resource.PoolNameMaxLength {
-			allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, resource.PoolNameMaxLength))
+			allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, resource.PoolNameMaxLength).WithOrigin("format=k8s-resource-pool-name"))
 		}
 		parts := strings.Split(name, "/")
 		for _, part := range parts {
-			allErrs = append(allErrs, corevalidation.ValidateDNS1123Subdomain(part, fldPath)...)
+			allErrs = append(allErrs, corevalidation.ValidateDNS1123Subdomain(part, fldPath).WithOrigin("format=k8s-resource-pool-name")...)
 		}
 	}
 	return allErrs
@@ -82,7 +102,7 @@ func validateUID(uid string, fldPath *field.Path) field.ErrorList {
 	} else if len(uid) != 36 || uid != strings.ToLower(uid) {
 		allErrs = append(allErrs, field.Invalid(fldPath, uid, "uid must be in RFC 4122 normalized form, `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` with lowercase hexadecimal characters"))
 	}
-	return allErrs
+	return allErrs.WithOrigin("format=k8s-uuid")
 }
 
 // ValidateResourceClaim validates a ResourceClaim.
@@ -94,12 +114,12 @@ func ValidateResourceClaim(resourceClaim *resource.ResourceClaim) field.ErrorLis
 
 // ValidateResourceClaimUpdate tests if an update to ResourceClaim is valid.
 func ValidateResourceClaimUpdate(resourceClaim, oldClaim *resource.ResourceClaim) field.ErrorList {
-	allErrs := corevalidation.ValidateObjectMetaUpdate(&resourceClaim.ObjectMeta, &oldClaim.ObjectMeta, field.NewPath("metadata"))
-	allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(resourceClaim.Spec, oldClaim.Spec, field.NewPath("spec"))...)
-	// Because the spec is immutable, all CEL expressions in it must have been stored.
-	// If the user tries an update, this is not true and checking is less strict, but
-	// as there are errors, it doesn't matter.
-	allErrs = append(allErrs, validateResourceClaimSpec(&resourceClaim.Spec, field.NewPath("spec"), true)...)
+	allErrs := corevalidation.ValidateObjectMeta(&resourceClaim.ObjectMeta, true, corevalidation.ValidateResourceClaimName, field.NewPath("metadata"))
+	allErrs = append(allErrs, corevalidation.ValidateObjectMetaUpdate(&resourceClaim.ObjectMeta, &oldClaim.ObjectMeta, field.NewPath("metadata"))...)
+	// The spec is immutable. On update, we only check for immutability.
+	// Re-validating other fields is skipped because the user cannot change them;
+	// the only actionable error is for the immutability violation.
+	allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(resourceClaim.Spec, oldClaim.Spec, field.NewPath("spec")).WithOrigin("immutable").MarkCoveredByDeclarative()...)
 	return allErrs
 }
 
@@ -124,18 +144,18 @@ func validateDeviceClaim(deviceClaim *resource.DeviceClaim, fldPath *field.Path,
 		func(request resource.DeviceRequest, fldPath *field.Path) field.ErrorList {
 			return validateDeviceRequest(request, fldPath, stored)
 		},
-		func(request resource.DeviceRequest) (string, string) {
-			return request.Name, "name"
+		func(request resource.DeviceRequest) string {
+			return request.Name
 		},
-		fldPath.Child("requests"))...)
+		fldPath.Child("requests"), sizeCovered, uniquenessCovered)...)
 	allErrs = append(allErrs, validateSlice(deviceClaim.Constraints, resource.DeviceConstraintsMaxSize,
 		func(constraint resource.DeviceConstraint, fldPath *field.Path) field.ErrorList {
 			return validateDeviceConstraint(constraint, fldPath, requestNames)
-		}, fldPath.Child("constraints"))...)
+		}, fldPath.Child("constraints"), sizeCovered)...)
 	allErrs = append(allErrs, validateSlice(deviceClaim.Config, resource.DeviceConfigMaxSize,
 		func(config resource.DeviceClaimConfiguration, fldPath *field.Path) field.ErrorList {
 			return validateDeviceClaimConfiguration(config, fldPath, requestNames, stored)
-		}, fldPath.Child("config"))...)
+		}, fldPath.Child("config"), sizeCovered)...)
 	return allErrs
 }
 
@@ -191,38 +211,41 @@ func gatherAllocatedDevices(allocationResult *resource.DeviceAllocationResult) s
 
 func validateDeviceRequest(request resource.DeviceRequest, fldPath *field.Path, stored bool) field.ErrorList {
 	allErrs := validateRequestName(request.Name, fldPath.Child("name"))
-
 	numDeviceRequestType := 0
-	if len(request.FirstAvailable) > 0 {
+
+	hasFirstAvailable := len(request.FirstAvailable) > 0
+	hasExactly := request.Exactly != nil
+
+	if hasFirstAvailable {
 		numDeviceRequestType++
-		allErrs = append(allErrs, validateSet(request.FirstAvailable, resource.FirstAvailableDeviceRequestMaxSize,
-			func(subRequest resource.DeviceSubRequest, fldPath *field.Path) field.ErrorList {
-				return validateDeviceSubRequest(subRequest, fldPath, stored)
-			},
-			func(subRequest resource.DeviceSubRequest) (string, string) {
-				return subRequest.Name, "name"
-			},
-			fldPath.Child("firstAvailable"))...)
 	}
-
-	if request.Exactly != nil {
+	if hasExactly {
 		numDeviceRequestType++
-		allErrs = append(allErrs, validateExactDeviceRequest(*request.Exactly, fldPath.Child("exactly"), stored)...)
 	}
 
-	switch numDeviceRequestType {
-	case 0:
+	switch {
+	case numDeviceRequestType == 0:
 		allErrs = append(allErrs, field.Required(fldPath, "exactly one of `exactly` or `firstAvailable` is required"))
-	case 1:
-	default:
+	case numDeviceRequestType > 1:
 		allErrs = append(allErrs, field.Invalid(fldPath, nil, "exactly one of `exactly` or `firstAvailable` is required, but multiple fields are set"))
+	case hasFirstAvailable:
+		allErrs = append(allErrs, validateSet(request.FirstAvailable, resource.FirstAvailableDeviceRequestMaxSize,
+			func(subRequest resource.DeviceSubRequest, fldPath *field.Path) field.ErrorList {
+				return validateDeviceSubRequest(subRequest, fldPath, stored)
+			},
+			func(subRequest resource.DeviceSubRequest) string {
+				return subRequest.Name
+			},
+			fldPath.Child("firstAvailable"), sizeCovered, uniquenessCovered)...)
+	case hasExactly:
+		allErrs = append(allErrs, validateExactDeviceRequest(*request.Exactly, fldPath.Child("exactly"), stored)...)
 	}
 	return allErrs
 }
 
 func validateDeviceSubRequest(subRequest resource.DeviceSubRequest, fldPath *field.Path, stored bool) field.ErrorList {
 	allErrs := validateRequestName(subRequest.Name, fldPath.Child("name"))
-	allErrs = append(allErrs, validateDeviceClass(subRequest.DeviceClassName, fldPath.Child("deviceClassName"))...)
+	allErrs = append(allErrs, validateDeviceClass(subRequest.DeviceClassName, fldPath.Child("deviceClassName")).MarkCoveredByDeclarative()...)
 	allErrs = append(allErrs, validateSelectorSlice(subRequest.Selectors, fldPath.Child("selectors"), stored)...)
 	allErrs = append(allErrs, validateDeviceAllocationMode(subRequest.AllocationMode, subRequest.Count, fldPath.Child("allocationMode"), fldPath.Child("count"))...)
 	for i, toleration := range subRequest.Tolerations {
@@ -254,7 +277,10 @@ func validateDeviceAllocationMode(deviceAllocationMode resource.DeviceAllocation
 			allErrs = append(allErrs, field.Invalid(countFldPath, count, "must be greater than zero"))
 		}
 	default:
-		allErrs = append(allErrs, field.NotSupported(allocModeFldPath, deviceAllocationMode, []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}))
+		// NOTE: Declarative validation does not (yet) enforce the real requiredness of this field
+		// because v1beta1 uses a bespoke form of union which makes this field truly optional
+		// in some cases and truly required in others. DO NOT REMOVE THIS CODE UNLESS THAT IS RESOLVED.
+		allErrs = append(allErrs, field.NotSupported(allocModeFldPath, deviceAllocationMode, []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}).MarkCoveredByDeclarative())
 	}
 	return allErrs
 }
@@ -274,7 +300,7 @@ func validateSelectorSlice(selectors []resource.DeviceSelector, fldPath *field.P
 		func(selector resource.DeviceSelector, fldPath *field.Path) field.ErrorList {
 			return validateSelector(selector, fldPath, stored)
 		},
-		fldPath)
+		fldPath, sizeCovered)
 }
 
 func validateSelector(selector resource.DeviceSelector, fldPath *field.Path, stored bool) field.ErrorList {
@@ -330,9 +356,9 @@ func validateDeviceConstraint(constraint resource.DeviceConstraint, fldPath *fie
 		func(name string, fldPath *field.Path) field.ErrorList {
 			return validateRequestNameRef(name, fldPath, requestNames)
 		},
-		stringKey, fldPath.Child("requests"))...)
+		stringKey, fldPath.Child("requests"), sizeCovered, uniquenessCovered)...)
 	if constraint.MatchAttribute != nil {
-		allErrs = append(allErrs, validateFullyQualifiedName(*constraint.MatchAttribute, fldPath.Child("matchAttribute"))...)
+		allErrs = append(allErrs, validateFullyQualifiedName(*constraint.MatchAttribute, fldPath.Child("matchAttribute")).MarkCoveredByDeclarative()...)
 	} else if constraint.DistinctAttribute != nil {
 		allErrs = append(allErrs, validateFullyQualifiedName(*constraint.DistinctAttribute, fldPath.Child("distinctAttribute"))...)
 	} else if utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity) {
@@ -348,7 +374,7 @@ func validateDeviceClaimConfiguration(config resource.DeviceClaimConfiguration,
 	allErrs = append(allErrs, validateSet(config.Requests, resource.DeviceRequestsMaxSize,
 		func(name string, fldPath *field.Path) field.ErrorList {
 			return validateRequestNameRef(name, fldPath, requestNames)
-		}, stringKey, fldPath.Child("requests"))...)
+		}, stringKey, fldPath.Child("requests"), sizeCovered, uniquenessCovered)...)
 	allErrs = append(allErrs, validateDeviceConfiguration(config.DeviceConfiguration, fldPath, stored)...)
 	return allErrs
 }
@@ -383,7 +409,7 @@ func validateDeviceConfiguration(config resource.DeviceConfiguration, fldPath *f
 
 func validateOpaqueConfiguration(config resource.OpaqueDeviceConfiguration, fldPath *field.Path, stored bool) field.ErrorList {
 	var allErrs field.ErrorList
-	allErrs = append(allErrs, validateDriverName(config.Driver, fldPath.Child("driver"))...)
+	allErrs = append(allErrs, validateDriverName(config.Driver, fldPath.Child("driver"), corevalidation.RequiredCovered, corevalidation.FormatCovered)...)
 	allErrs = append(allErrs, validateRawExtension(config.Parameters, fldPath.Child("parameters"), stored, resource.OpaqueParametersMaxLength)...)
 	return allErrs
 }
@@ -392,8 +418,8 @@ func validateResourceClaimStatusUpdate(status, oldStatus *resource.ResourceClaim
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validateSet(status.ReservedFor, resource.ResourceClaimReservedForMaxSize,
 		validateResourceClaimUserReference,
-		func(consumer resource.ResourceClaimConsumerReference) (types.UID, string) { return consumer.UID, "uid" },
-		fldPath.Child("reservedFor"))...)
+		func(consumer resource.ResourceClaimConsumerReference) types.UID { return consumer.UID },
+		fldPath.Child("reservedFor"), sizeCovered, uniquenessCovered)...)
 
 	var allocatedDevices sets.Set[structured.SharedDeviceID]
 	if status.Allocation != nil {
@@ -403,11 +429,11 @@ func validateResourceClaimStatusUpdate(status, oldStatus *resource.ResourceClaim
 		func(device resource.AllocatedDeviceStatus, fldPath *field.Path) field.ErrorList {
 			return validateDeviceStatus(device, fldPath, allocatedDevices)
 		},
-		func(device resource.AllocatedDeviceStatus) (structured.SharedDeviceID, string) {
+		func(device resource.AllocatedDeviceStatus) structured.SharedDeviceID {
 			deviceID := structured.MakeDeviceID(device.Driver, device.Pool, device.Device)
-			return structured.MakeSharedDeviceID(deviceID, (*types.UID)(device.ShareID)), "deviceID"
+			return structured.MakeSharedDeviceID(deviceID, (*types.UID)(device.ShareID))
 		},
-		fldPath.Child("devices"))...)
+		fldPath.Child("devices"), uniquenessCovered)...)
 
 	// Now check for invariants that must be valid for a ResourceClaim.
 	if len(status.ReservedFor) > 0 {
@@ -432,7 +458,7 @@ func validateResourceClaimStatusUpdate(status, oldStatus *resource.ResourceClaim
 	// in this particular case, must not be validated again because
 	// validation for new results is tighter than it was before.
 	if oldStatus.Allocation != nil && status.Allocation != nil {
-		allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(status.Allocation, oldStatus.Allocation, fldPath.Child("allocation"))...)
+		allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(status.Allocation, oldStatus.Allocation, fldPath.Child("allocation")).WithOrigin("update").MarkCoveredByDeclarative()...)
 	} else if status.Allocation != nil {
 		allErrs = append(allErrs, validateAllocationResult(status.Allocation, fldPath.Child("allocation"), requestNames, false)...)
 	}
@@ -471,11 +497,11 @@ func validateDeviceAllocationResult(allocation resource.DeviceAllocationResult,
 	allErrs = append(allErrs, validateSlice(allocation.Results, resource.AllocationResultsMaxSize,
 		func(result resource.DeviceRequestAllocationResult, fldPath *field.Path) field.ErrorList {
 			return validateDeviceRequestAllocationResult(result, fldPath, requestNames)
-		}, fldPath.Child("results"))...)
+		}, fldPath.Child("results"), sizeCovered)...)
 	allErrs = append(allErrs, validateSlice(allocation.Config, 2*resource.DeviceConfigMaxSize, /* class + claim */
 		func(config resource.DeviceAllocationConfiguration, fldPath *field.Path) field.ErrorList {
 			return validateDeviceAllocationConfiguration(config, fldPath, requestNames, stored)
-		}, fldPath.Child("config"))...)
+		}, fldPath.Child("config"), sizeCovered)...)
 
 	return allErrs
 }
@@ -483,12 +509,12 @@ func validateDeviceAllocationResult(allocation resource.DeviceAllocationResult,
 func validateDeviceRequestAllocationResult(result resource.DeviceRequestAllocationResult, fldPath *field.Path, requestNames requestNames) field.ErrorList {
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validateRequestNameRef(result.Request, fldPath.Child("request"), requestNames)...)
-	allErrs = append(allErrs, validateDriverName(result.Driver, fldPath.Child("driver"))...)
-	allErrs = append(allErrs, validatePoolName(result.Pool, fldPath.Child("pool"))...)
+	allErrs = append(allErrs, validateDriverName(result.Driver, fldPath.Child("driver"), corevalidation.RequiredCovered, corevalidation.FormatCovered)...)
+	allErrs = append(allErrs, validatePoolName(result.Pool, fldPath.Child("pool")).MarkCoveredByDeclarative()...)
 	allErrs = append(allErrs, validateDeviceName(result.Device, fldPath.Child("device"))...)
 	allErrs = append(allErrs, validateDeviceBindingParameters(result.BindingConditions, result.BindingFailureConditions, fldPath)...)
 	if result.ShareID != nil {
-		allErrs = append(allErrs, validateUID(string(*result.ShareID), fldPath.Child("shareID"))...)
+		allErrs = append(allErrs, validateUID(string(*result.ShareID), fldPath.Child("shareID")).MarkCoveredByDeclarative()...)
 	}
 	return allErrs
 }
@@ -499,7 +525,7 @@ func validateDeviceAllocationConfiguration(config resource.DeviceAllocationConfi
 	allErrs = append(allErrs, validateSet(config.Requests, resource.DeviceRequestsMaxSize,
 		func(name string, fldPath *field.Path) field.ErrorList {
 			return validateRequestNameRef(name, fldPath, requestNames)
-		}, stringKey, fldPath.Child("requests"))...)
+		}, stringKey, fldPath.Child("requests"), sizeCovered, uniquenessCovered)...)
 	allErrs = append(allErrs, validateDeviceConfiguration(config.DeviceConfiguration, fldPath, stored)...)
 	return allErrs
 }
@@ -508,24 +534,34 @@ func validateAllocationConfigSource(source resource.AllocationConfigSource, fldP
 	var allErrs field.ErrorList
 	switch source {
 	case "":
-		allErrs = append(allErrs, field.Required(fldPath, ""))
+		allErrs = append(allErrs, field.Required(fldPath, "").MarkCoveredByDeclarative())
 	case resource.AllocationConfigSourceClaim, resource.AllocationConfigSourceClass:
 	default:
-		allErrs = append(allErrs, field.NotSupported(fldPath, source, []resource.AllocationConfigSource{resource.AllocationConfigSourceClaim, resource.AllocationConfigSourceClass}))
+		allErrs = append(allErrs, field.NotSupported(fldPath, source, []resource.AllocationConfigSource{resource.AllocationConfigSourceClaim, resource.AllocationConfigSourceClass}).MarkCoveredByDeclarative())
 	}
 	return allErrs
 }
 
 // ValidateDeviceClass validates a DeviceClass.
 func ValidateDeviceClass(class *resource.DeviceClass) field.ErrorList {
-	allErrs := corevalidation.ValidateObjectMeta(&class.ObjectMeta, false, corevalidation.ValidateClassName, field.NewPath("metadata"))
+	validateClassName := func(fldPath *field.Path, name string) field.ErrorList {
+		// validate.LongName doesn't respect operation type currently (CREATE or UPDATE)
+		// so it is ok to use operation.Operation{} here
+		return validate.LongName(context.Background(), operation.Operation{}, fldPath, &name, nil).MarkCoveredByDeclarative()
+	}
+	allErrs := corevalidation.ValidateObjectMetaWithOpts(&class.ObjectMeta, false, validateClassName, field.NewPath("metadata"))
 	allErrs = append(allErrs, validateDeviceClassSpec(&class.Spec, nil, field.NewPath("spec"))...)
 	return allErrs
 }
 
 // ValidateDeviceClassUpdate tests if an update to DeviceClass is valid.
 func ValidateDeviceClassUpdate(class, oldClass *resource.DeviceClass) field.ErrorList {
-	allErrs := corevalidation.ValidateObjectMetaUpdate(&class.ObjectMeta, &oldClass.ObjectMeta, field.NewPath("metadata"))
+	validateClassName := func(fldPath *field.Path, name string) field.ErrorList {
+		return validate.LongName(context.Background(), operation.Operation{}, fldPath, &name, nil).MarkCoveredByDeclarative()
+	}
+	// TODO(lalitc375): Remove this if decided in https://github.com/kubernetes/kubernetes/issues/134444.
+	allErrs := corevalidation.ValidateObjectMetaWithOpts(&class.ObjectMeta, false, validateClassName, field.NewPath("metadata"))
+	allErrs = append(allErrs, corevalidation.ValidateObjectMetaUpdate(&class.ObjectMeta, &oldClass.ObjectMeta, field.NewPath("metadata"))...)
 	allErrs = append(allErrs, validateDeviceClassSpec(&class.Spec, &oldClass.Spec, field.NewPath("spec"))...)
 	return allErrs
 }
@@ -543,8 +579,9 @@ func validateDeviceClassSpec(spec, oldSpec *resource.DeviceClassSpec, fldPath *f
 		func(selector resource.DeviceSelector, fldPath *field.Path) field.ErrorList {
 			return validateSelector(selector, fldPath, stored)
 		},
-		fldPath.Child("selectors"))...)
+		fldPath.Child("selectors"), sizeCovered)...)
 	// Same logic as above for configs.
+	stored = false
 	if oldSpec != nil {
 		stored = apiequality.Semantic.DeepEqual(spec.Config, oldSpec.Config)
 	}
@@ -552,10 +589,10 @@ func validateDeviceClassSpec(spec, oldSpec *resource.DeviceClassSpec, fldPath *f
 		func(config resource.DeviceClassConfiguration, fldPath *field.Path) field.ErrorList {
 			return validateDeviceClassConfiguration(config, fldPath, stored)
 		},
-		fldPath.Child("config"))...)
+		fldPath.Child("config"), sizeCovered)...)
 	if spec.ExtendedResourceName != nil && !v1helper.IsExtendedResourceName(corev1.ResourceName(*spec.ExtendedResourceName)) {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("extendedResourceName"), *spec.ExtendedResourceName,
-			"must be a valid extended resource name"))
+			"must be a valid extended resource name").MarkCoveredByDeclarative().WithOrigin("format=k8s-extended-resource-name"))
 	}
 	return allErrs
 }
@@ -580,11 +617,10 @@ func validateResourceClaimTemplateSpec(spec *resource.ResourceClaimTemplateSpec,
 // ValidateResourceClaimTemplateUpdate tests if an update to template is valid.
 func ValidateResourceClaimTemplateUpdate(template, oldTemplate *resource.ResourceClaimTemplate) field.ErrorList {
 	allErrs := corevalidation.ValidateObjectMetaUpdate(&template.ObjectMeta, &oldTemplate.ObjectMeta, field.NewPath("metadata"))
+	// The spec is immutable. On update, we only check for immutability.
+	// Re-validating other fields is skipped because the user cannot change them;
+	// the only actionable error is for the immutability violation.
 	allErrs = append(allErrs, apimachineryvalidation.ValidateImmutableField(template.Spec, oldTemplate.Spec, field.NewPath("spec"))...)
-	// Because the spec is immutable, all CEL expressions in it must have been stored.
-	// If the user tries an update, this is not true and checking is less strict, but
-	// as there are errors, it doesn't matter.
-	allErrs = append(allErrs, validateResourceClaimTemplateSpec(&template.Spec, field.NewPath("spec"), true)...)
 	return allErrs
 }
 
@@ -667,73 +703,89 @@ func validateResourceSliceSpec(spec, oldSpec *resource.ResourceSliceSpec, fldPat
 			"exactly one of `nodeName`, `nodeSelector`, `allNodes`, `perDeviceNodeSelection` is required, but multiple fields are set"))
 	}
 
-	sharedCounterToCounterNames := gatherSharedCounterCounterNames(spec.SharedCounters)
-	allErrs = append(allErrs, validateSet(spec.Devices, resource.ResourceSliceMaxDevices,
+	if spec.SharedCounters != nil && spec.Devices != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath, "", "only one of `sharedCounters` or `devices` is allowed"))
+	}
+
+	maxDevices := resource.ResourceSliceMaxDevices
+	if haveDeviceTaints(spec) || haveConsumesCounters(spec) {
+		maxDevices = resource.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters
+	}
+	allErrs = append(allErrs, validateSet(spec.Devices, maxDevices,
 		func(device resource.Device, fldPath *field.Path) field.ErrorList {
-			return validateDevice(device, fldPath, sharedCounterToCounterNames, spec.PerDeviceNodeSelection)
+			oldDevice := lookupDevice(oldSpec, device.Name)
+			return validateDevice(device, oldDevice, fldPath, spec.PerDeviceNodeSelection)
 		},
-		func(device resource.Device) (string, string) {
-			return device.Name, "name"
+		func(device resource.Device) string {
+			return device.Name
 		}, fldPath.Child("devices"))...)
 
-	// Size limit for total number of counters in devices enforced here.
-	numDeviceCounters := 0
+	allErrs = append(allErrs, validateSet(spec.SharedCounters, resource.ResourceSliceMaxCounterSets,
+		validateCounterSet,
+		func(counterSet resource.CounterSet) string {
+			return counterSet.Name
+		}, fldPath.Child("sharedCounters"), sizeCovered, uniquenessCovered)...)
+
+	return allErrs
+}
+
+func haveDeviceTaints(spec *resource.ResourceSliceSpec) bool {
+	if spec == nil {
+		return false
+	}
+
 	for _, device := range spec.Devices {
-		for _, c := range device.ConsumesCounters {
-			numDeviceCounters += len(c.Counters)
+		if len(device.Taints) > 0 {
+			return true
 		}
 	}
-	if numDeviceCounters > resource.ResourceSliceMaxDeviceCountersPerSlice {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("devices"), numDeviceCounters, fmt.Sprintf("the total number of counters in devices must not exceed %d", resource.ResourceSliceMaxDeviceCountersPerSlice)))
-	}
+	return false
+}
 
-	// Size limit for all shared counters enforced here.
-	numCounters := 0
-	for _, set := range spec.SharedCounters {
-		numCounters += len(set.Counters)
+func haveConsumesCounters(spec *resource.ResourceSliceSpec) bool {
+	if spec == nil {
+		return false
 	}
-	if numCounters > resource.ResourceSliceMaxSharedCounters {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("sharedCounters"), numCounters, fmt.Sprintf("the total number of shared counters must not exceed %d", resource.ResourceSliceMaxSharedCounters)))
+
+	for _, device := range spec.Devices {
+		if len(device.ConsumesCounters) > 0 {
+			return true
+		}
 	}
-	allErrs = append(allErrs, validateSet(spec.SharedCounters, -1,
-		validateCounterSet,
-		func(counterSet resource.CounterSet) (string, string) {
-			return counterSet.Name, "name"
-		}, fldPath.Child("sharedCounters"))...)
+	return false
+}
 
-	return allErrs
+func lookupDevice(spec *resource.ResourceSliceSpec, deviceName string) *resource.Device {
+	if spec == nil {
+		return nil
+	}
+	for i := range spec.Devices {
+		device := &spec.Devices[i]
+		if device.Name == deviceName {
+			return device
+		}
+	}
+	return nil
 }
 
 func validateCounterSet(counterSet resource.CounterSet, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 	if counterSet.Name == "" {
-		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+		allErrs = append(allErrs, field.Required(fldPath.Child("name"), "").MarkCoveredByDeclarative())
 	} else {
-		allErrs = append(allErrs, validateCounterName(counterSet.Name, fldPath.Child("name"))...)
+		allErrs = append(allErrs, validateCounterName(counterSet.Name, fldPath.Child("name"))...).MarkCoveredByDeclarative()
 	}
 	if len(counterSet.Counters) == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("counters"), ""))
 	} else {
 		// The size limit is enforced for across all sets by the caller.
-		allErrs = append(allErrs, validateMap(counterSet.Counters, -1, validation.DNS1123LabelMaxLength,
+		allErrs = append(allErrs, validateMap(counterSet.Counters, resource.ResourceSliceMaxCountersPerCounterSet, validation.DNS1123LabelMaxLength,
 			validateCounterName, validateDeviceCounter, fldPath.Child("counters"))...)
 	}
 
 	return allErrs
 }
 
-func gatherSharedCounterCounterNames(sharedCounters []resource.CounterSet) map[string]sets.Set[string] {
-	sharedCounterToCounterMap := make(map[string]sets.Set[string])
-	for _, counterSet := range sharedCounters {
-		counterNames := sets.New[string]()
-		for counterName := range counterSet.Counters {
-			counterNames.Insert(counterName)
-		}
-		sharedCounterToCounterMap[counterSet.Name] = counterNames
-	}
-	return sharedCounterToCounterMap
-}
-
 func validateResourcePool(pool resource.ResourcePool, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validatePoolName(pool.Name, fldPath.Child("name"))...)
@@ -746,7 +798,7 @@ func validateResourcePool(pool resource.ResourcePool, fldPath *field.Path) field
 	return allErrs
 }
 
-func validateDevice(device resource.Device, fldPath *field.Path, sharedCounterToCounterNames map[string]sets.Set[string], perDeviceNodeSelection *bool) field.ErrorList {
+func validateDevice(device resource.Device, oldDevice *resource.Device, fldPath *field.Path, perDeviceNodeSelection *bool) field.ErrorList {
 	var allErrs field.ErrorList
 	allowMultipleAllocations := device.AllowMultipleAllocations != nil && *device.AllowMultipleAllocations
 	allErrs = append(allErrs, validateDeviceName(device.Name, fldPath.Child("name"))...)
@@ -763,35 +815,21 @@ func validateDevice(device resource.Device, fldPath *field.Path, sharedCounterTo
 	} else {
 		allErrs = append(allErrs, validateMap(device.Capacity, -1, attributeAndCapacityMaxKeyLength, validateQualifiedName, validateSingleAllocatableDeviceCapacity, fldPath.Child("capacity"))...)
 	}
-	allErrs = append(allErrs, validateSlice(device.Taints, resource.DeviceTaintsMaxLength, validateDeviceTaint, fldPath.Child("taints"))...)
-
-	allErrs = append(allErrs, validateSet(device.ConsumesCounters, -1,
-		validateDeviceCounterConsumption,
-		func(deviceCapacityConsumption resource.DeviceCounterConsumption) (string, string) {
-			return deviceCapacityConsumption.CounterSet, "counterSet"
-		}, fldPath.Child("consumesCounters"))...)
-
-	var countersLength int
-	for _, set := range device.ConsumesCounters {
-		countersLength += len(set.Counters)
-	}
-	if countersLength > resource.ResourceSliceMaxCountersPerDevice {
-		allErrs = append(allErrs, field.Invalid(fldPath, countersLength, fmt.Sprintf("the total number of counters must not exceed %d", resource.ResourceSliceMaxCountersPerDevice)))
+	// If the entire set is the same as before then validation can be skipped.
+	// We could also do the DeepEqual on the entire spec, but here it is a bit cheaper.
+	if oldDevice == nil || !apiequality.Semantic.DeepEqual(oldDevice.Taints, device.Taints) {
+		allErrs = append(allErrs, validateSlice(device.Taints, resource.DeviceTaintsMaxLength,
+			func(taint resource.DeviceTaint, fldPath *field.Path) field.ErrorList {
+				return validateDeviceTaint(taint, nil, fldPath)
+			},
+			fldPath.Child("taints"))...)
 	}
 
-	for i, deviceCounterConsumption := range device.ConsumesCounters {
-		if capacityNames, exists := sharedCounterToCounterNames[deviceCounterConsumption.CounterSet]; exists {
-			for capacityName := range deviceCounterConsumption.Counters {
-				if !capacityNames.Has(string(capacityName)) {
-					allErrs = append(allErrs, field.Invalid(fldPath.Child("consumesCounters").Index(i).Child("counters"),
-						capacityName, "must reference a counter defined in the ResourceSlice sharedCounters"))
-				}
-			}
-		} else {
-			allErrs = append(allErrs, field.Invalid(fldPath.Child("consumesCounters").Index(i).Child("counterSet"),
-				deviceCounterConsumption.CounterSet, "must reference a counterSet defined in the ResourceSlice sharedCounters"))
-		}
-	}
+	allErrs = append(allErrs, validateSet(device.ConsumesCounters, resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice,
+		validateDeviceCounterConsumption,
+		func(deviceCapacityConsumption resource.DeviceCounterConsumption) string {
+			return deviceCapacityConsumption.CounterSet
+		}, fldPath.Child("consumesCounters"), sizeCovered, uniquenessCovered)...)
 
 	if perDeviceNodeSelection != nil && *perDeviceNodeSelection {
 		setFields := make([]string, 0, 3)
@@ -834,14 +872,15 @@ func validateDeviceCounterConsumption(deviceCounterConsumption resource.DeviceCo
 	var allErrs field.ErrorList
 
 	if len(deviceCounterConsumption.CounterSet) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("counterSet"), ""))
+		allErrs = append(allErrs, field.Required(fldPath.Child("counterSet"), "").MarkCoveredByDeclarative())
+	} else {
+		allErrs = append(allErrs, validateCounterName(deviceCounterConsumption.CounterSet, fldPath.Child("counterSet"))...).MarkCoveredByDeclarative()
 	}
 	if len(deviceCounterConsumption.Counters) == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("counters"), ""))
 	} else {
-		// The size limit is enforced for the entire device.
-		allErrs = append(allErrs, validateMap(deviceCounterConsumption.Counters, -1, validation.DNS1123LabelMaxLength,
-			validateCounterName, validateDeviceCounter, fldPath.Child("counters"))...)
+		allErrs = append(allErrs, validateMap(deviceCounterConsumption.Counters, resource.ResourceSliceMaxCountersPerDeviceCounterConsumption,
+			validation.DNS1123LabelMaxLength, validateCounterName, validateDeviceCounter, fldPath.Child("counters"))...)
 	}
 	return allErrs
 }
@@ -886,11 +925,11 @@ func validateDeviceAttribute(attribute resource.DeviceAttribute, fldPath *field.
 
 	switch numFields {
 	case 0:
-		allErrs = append(allErrs, field.Required(fldPath, "exactly one value must be specified"))
+		allErrs = append(allErrs, field.Invalid(fldPath, "", "exactly one value must be specified").MarkCoveredByDeclarative())
 	case 1:
 		// Okay.
 	default:
-		allErrs = append(allErrs, field.Invalid(fldPath, attribute, "exactly one value must be specified"))
+		allErrs = append(allErrs, field.Invalid(fldPath, attribute, "exactly one value must be specified").MarkCoveredByDeclarative())
 	}
 	return allErrs
 }
@@ -1052,38 +1091,46 @@ func validateDeviceCounter(counter resource.Counter, fldPath *field.Path) field.
 
 func validateQualifiedName(name resource.QualifiedName, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
-	if name == "" {
-		allErrs = append(allErrs, field.Required(fldPath, "name required"))
-		return allErrs
-	}
-
 	parts := strings.Split(string(name), "/")
 	switch len(parts) {
 	case 1:
 		allErrs = append(allErrs, validateCIdentifier(parts[0], fldPath)...)
 	case 2:
 		if len(parts[0]) == 0 {
-			allErrs = append(allErrs, field.Required(fldPath, "the domain must not be empty"))
+			allErrs = append(allErrs, field.Invalid(fldPath, "", "the domain must not be empty"))
 		} else {
 			allErrs = append(allErrs, validateDriverName(parts[0], fldPath)...)
 		}
 		if len(parts[1]) == 0 {
-			allErrs = append(allErrs, field.Required(fldPath, "the name must not be empty"))
+			allErrs = append(allErrs, field.Invalid(fldPath, "", "the name must not be empty"))
 		} else {
 			allErrs = append(allErrs, validateCIdentifier(parts[1], fldPath)...)
 		}
+		// TODO: This validation is incomplete. It should reject qualified names
+		// that contain more than one slash. Currently, names like "a/b/c" are not
+		// handled and are implicitly accepted.
+		//
+		// This needs to be fixed in two places:
+		// 1. Here in this function.
+		// 2. In the corresponding declarative validation utility `resourcesQualifiedName`
+		//    in `staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt.go`.
+		//
+		// The fix should be introduced carefully, possibly using ratcheting to avoid
+		// breaking existing, non-compliant objects.
 	}
+
 	return allErrs
 }
 
 func validateFullyQualifiedName(name resource.FullyQualifiedName, fldPath *field.Path) field.ErrorList {
-	allErrs := validateQualifiedName(resource.QualifiedName(name), fldPath)
-	// validateQualifiedName checks that the name isn't empty and both parts are valid.
+	var allErrs field.ErrorList
+	allErrs = append(allErrs, validateQualifiedName(resource.QualifiedName(name), fldPath)...)
+	// validateQualifiedName checks that both parts are valid.
 	// What we need to enforce here is that there really is a domain.
-	if name != "" && !strings.Contains(string(name), "/") {
-		allErrs = append(allErrs, field.Invalid(fldPath, name, "must include a domain"))
+	if !strings.Contains(string(name), "/") {
+		allErrs = append(allErrs, field.Invalid(fldPath, name, "a fully qualified name must be a domain and a name separated by a slash"))
 	}
-	return allErrs
+	return allErrs.WithOrigin("format=k8s-resource-fully-qualified-name")
 }
 
 func validateCIdentifier(id string, fldPath *field.Path) field.ErrorList {
@@ -1091,44 +1138,84 @@ func validateCIdentifier(id string, fldPath *field.Path) field.ErrorList {
 	if len(id) > resource.DeviceMaxIDLength {
 		allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, resource.DeviceMaxIDLength))
 	}
-	for _, msg := range validation.IsCIdentifier(id) {
+	for _, msg := range content.IsCIdentifier(id) {
 		allErrs = append(allErrs, field.Invalid(fldPath, id, msg))
 	}
 	return allErrs
 }
 
-// validateSlice ensures that a slice does not exceed a certain maximum size
-// and that all entries are valid.
-// A negative maxSize disables the length check.
-func validateSlice[T any](slice []T, maxSize int, validateItem func(T, *field.Path) field.ErrorList, fldPath *field.Path) field.ErrorList {
+// validationOption is an option for validation.
+type validationOption int
+
+const (
+	// The validation of each item is covered by declarative validation.
+	itemsCovered validationOption = iota
+	// The list size check is covered by declarative validation.
+	sizeCovered
+	// The uniqueness check is covered by declarative validation.
+	uniquenessCovered
+)
+
+// validateItems validates each item in a slice.
+func validateItems[T any](slice []T, validateItem func(T, *field.Path) field.ErrorList, fldPath *field.Path, opts ...validationOption) field.ErrorList {
 	var allErrs field.ErrorList
 	for i, item := range slice {
 		idxPath := fldPath.Index(i)
-		allErrs = append(allErrs, validateItem(item, idxPath)...)
+		errs := validateItem(item, idxPath)
+		if slices.Contains(opts, itemsCovered) {
+			errs = errs.MarkCoveredByDeclarative()
+		}
+		allErrs = append(allErrs, errs...)
 	}
+	return allErrs
+}
+
+// validateSlice ensures that a slice does not exceed a certain maximum size
+// and that all entries are valid.
+// A negative maxSize disables the length check.
+func validateSlice[T any](slice []T, maxSize int, validateItem func(T, *field.Path) field.ErrorList, fldPath *field.Path, opts ...validationOption) field.ErrorList {
 	if maxSize >= 0 && len(slice) > maxSize {
 		// Dumping the entire field into the error message is likely to be too long,
 		// in particular when it is already beyond the maximum size. Instead this
 		// just shows the number of entries.
-		allErrs = append(allErrs, field.TooMany(fldPath, len(slice), maxSize))
+		err := field.TooMany(fldPath, len(slice), maxSize).WithOrigin("maxItems")
+		if slices.Contains(opts, sizeCovered) {
+			err = err.MarkCoveredByDeclarative()
+		}
+		// maxSize check short-circuits for DOS protection
+		return field.ErrorList{err}
 	}
-	return allErrs
+	return validateItems(slice, validateItem, fldPath, opts...)
 }
 
 // validateSet ensures that a slice contains no duplicates, does not
 // exceed a certain maximum size and that all entries are valid.
-func validateSet[T any, K comparable](slice []T, maxSize int, validateItem func(item T, fldPath *field.Path) field.ErrorList, itemKey func(T) (K, string), fldPath *field.Path) field.ErrorList {
-	allErrs := validateSlice(slice, maxSize, validateItem, fldPath)
+func validateSet[T any, K comparable](slice []T, maxSize int, validateItem func(item T, fldPath *field.Path) field.ErrorList, itemKey func(T) K, fldPath *field.Path, opts ...validationOption) field.ErrorList {
+	if maxSize >= 0 && len(slice) > maxSize {
+		// Dumping the entire field into the error message is likely to be too long,
+		// in particular when it is already beyond the maximum size. Instead this
+		// just shows the number of entries.
+		err := field.TooMany(fldPath, len(slice), maxSize).WithOrigin("maxItems")
+		if slices.Contains(opts, sizeCovered) {
+			err = err.MarkCoveredByDeclarative()
+		}
+		// maxSize check short-circuits for DOS protection
+		return field.ErrorList{err}
+	}
+
+	allErrs := validateItems(slice, validateItem, fldPath, opts...)
+
 	allItems := sets.New[K]()
 	for i, item := range slice {
 		idxPath := fldPath.Index(i)
-		key, fieldName := itemKey(item)
+		key := itemKey(item)
 		childPath := idxPath
-		if fieldName != "" {
-			childPath = childPath.Child(fieldName)
-		}
 		if allItems.Has(key) {
-			allErrs = append(allErrs, field.Duplicate(childPath, key))
+			err := field.Duplicate(childPath, key)
+			if slices.Contains(opts, uniquenessCovered) {
+				err = err.MarkCoveredByDeclarative()
+			}
+			allErrs = append(allErrs, err)
 		} else {
 			allItems.Insert(key)
 		}
@@ -1137,13 +1224,13 @@ func validateSet[T any, K comparable](slice []T, maxSize int, validateItem func(
 }
 
 // stringKey uses the item itself as a key for validateSet.
-func stringKey(item string) (string, string) {
-	return item, ""
+func stringKey(item string) string {
+	return item
 }
 
 // quantityKey uses the item itself as a key for validateSet.
-func quantityKey(item apiresource.Quantity) (string, string) {
-	return strconv.FormatInt(item.Value(), 10), ""
+func quantityKey(item apiresource.Quantity) string {
+	return strconv.FormatInt(item.Value(), 10)
 }
 
 // validateMap validates keys, items and the maximum length of a map.
@@ -1157,6 +1244,8 @@ func validateMap[K ~string, T any](m map[K]T, maxSize, truncateKeyLen int, valid
 	var allErrs field.ErrorList
 	if maxSize >= 0 && len(m) > maxSize {
 		allErrs = append(allErrs, field.TooMany(fldPath, len(m), maxSize))
+		// maxSize check short-circuits for DOS protection
+		return allErrs
 	}
 	for key, item := range m {
 		keyPath := fldPath.Key(truncateIfTooLong(string(key), truncateKeyLen))
@@ -1186,7 +1275,7 @@ func validateDeviceStatus(device resource.AllocatedDeviceStatus, fldPath *field.
 	allErrs = append(allErrs, validatePoolName(device.Pool, fldPath.Child("pool"))...)
 	allErrs = append(allErrs, validateDeviceName(device.Device, fldPath.Child("device"))...)
 	if device.ShareID != nil {
-		allErrs = append(allErrs, validateUID(*device.ShareID, fldPath.Child("shareID"))...)
+		allErrs = append(allErrs, validateUID(*device.ShareID, fldPath.Child("shareID")).MarkCoveredByDeclarative()...)
 	}
 	deviceID := structured.MakeDeviceID(device.Driver, device.Pool, device.Device)
 	sharedDeviceID := structured.MakeSharedDeviceID(deviceID, (*types.UID)(device.ShareID))
@@ -1233,17 +1322,17 @@ func validateNetworkDeviceData(networkDeviceData *resource.NetworkDeviceData, fl
 	}
 
 	if len(networkDeviceData.InterfaceName) > resource.NetworkDeviceDataInterfaceNameMaxLength {
-		allErrs = append(allErrs, field.TooLong(fldPath.Child("interfaceName"), "" /* unused */, resource.NetworkDeviceDataInterfaceNameMaxLength))
+		allErrs = append(allErrs, field.TooLong(fldPath.Child("interfaceName"), "" /* unused */, resource.NetworkDeviceDataInterfaceNameMaxLength).WithOrigin("maxLength").MarkCoveredByDeclarative())
 	}
 
 	if len(networkDeviceData.HardwareAddress) > resource.NetworkDeviceDataHardwareAddressMaxLength {
-		allErrs = append(allErrs, field.TooLong(fldPath.Child("hardwareAddress"), "" /* unused */, resource.NetworkDeviceDataHardwareAddressMaxLength))
+		allErrs = append(allErrs, field.TooLong(fldPath.Child("hardwareAddress"), "" /* unused */, resource.NetworkDeviceDataHardwareAddressMaxLength).WithOrigin("maxLength").MarkCoveredByDeclarative())
 	}
 
 	allErrs = append(allErrs, validateSet(networkDeviceData.IPs, resource.NetworkDeviceDataMaxIPs,
 		func(address string, fldPath *field.Path) field.ErrorList {
 			return validation.IsValidInterfaceAddress(fldPath, address)
-		}, stringKey, fldPath.Child("ips"))...)
+		}, stringKey, fldPath.Child("ips"), sizeCovered, uniquenessCovered)...)
 	return allErrs
 }
 
@@ -1269,7 +1358,11 @@ func validateDeviceTaintRuleSpec(spec, oldSpec *resource.DeviceTaintRuleSpec, fl
 		oldFilter = oldSpec.DeviceSelector // +k8s:verify-mutation:reason=clone
 	}
 	allErrs = append(allErrs, validateDeviceTaintSelector(spec.DeviceSelector, oldFilter, fldPath.Child("deviceSelector"))...)
-	allErrs = append(allErrs, validateDeviceTaint(spec.Taint, fldPath.Child("taint"))...)
+	var oldTaint *resource.DeviceTaint
+	if oldSpec != nil {
+		oldTaint = &oldSpec.Taint // +k8s:verify-mutation:reason=clone
+	}
+	allErrs = append(allErrs, validateDeviceTaint(spec.Taint, oldTaint, fldPath.Child("taint"))...)
 	return allErrs
 }
 
@@ -1279,9 +1372,6 @@ func validateDeviceTaintSelector(filter, oldFilter *resource.DeviceTaintSelector
 	if filter == nil {
 		return allErrs
 	}
-	if filter.DeviceClassName != nil {
-		allErrs = append(allErrs, validateDeviceClassName(*filter.DeviceClassName, fldPath.Child("deviceClassName"))...)
-	}
 	if filter.Driver != nil {
 		allErrs = append(allErrs, validateDriverName(*filter.Driver, fldPath.Child("driver"))...)
 	}
@@ -1292,37 +1382,26 @@ func validateDeviceTaintSelector(filter, oldFilter *resource.DeviceTaintSelector
 		allErrs = append(allErrs, validateDeviceName(*filter.Device, fldPath.Child("device"))...)
 	}
 
-	// If the selectors are exactly as before, we treat the CEL expressions as "stored".
-	// Any change, including merely reordering selectors, triggers validation as new
-	// expressions.
-	stored := false
-	if oldFilter != nil {
-		stored = apiequality.Semantic.DeepEqual(filter.Selectors, oldFilter.Selectors)
-	}
-	allErrs = append(allErrs, validateSlice(filter.Selectors, resource.DeviceSelectorsMaxSize,
-		func(selector resource.DeviceSelector, fldPath *field.Path) field.ErrorList {
-			return validateSelector(selector, fldPath, stored)
-		},
-		fldPath.Child("selectors"))...)
-
 	return allErrs
 }
 
 var validDeviceTolerationOperators = []resource.DeviceTolerationOperator{resource.DeviceTolerationOpEqual, resource.DeviceTolerationOpExists}
-var validDeviceTaintEffects = sets.New(resource.DeviceTaintEffectNoSchedule, resource.DeviceTaintEffectNoExecute)
+var validDeviceTaintEffects = sets.New(resource.DeviceTaintEffectNoSchedule, resource.DeviceTaintEffectNoExecute, resource.DeviceTaintEffectNone)
 
-func validateDeviceTaint(taint resource.DeviceTaint, fldPath *field.Path) field.ErrorList {
+func validateDeviceTaint(taint resource.DeviceTaint, oldTaint *resource.DeviceTaint, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
 	allErrs = append(allErrs, metav1validation.ValidateLabelName(taint.Key, fldPath.Child("key"))...) // Includes checking for non-empty.
 	if taint.Value != "" {
 		allErrs = append(allErrs, validateLabelValue(taint.Value, fldPath.Child("value"))...)
 	}
-	switch {
-	case taint.Effect == "":
-		allErrs = append(allErrs, field.Required(fldPath.Child("effect"), "")) // Required in a taint.
-	case !validDeviceTaintEffects.Has(taint.Effect):
-		allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), taint.Effect, sets.List(validDeviceTaintEffects)))
+	if oldTaint == nil || oldTaint.Effect != taint.Effect {
+		switch {
+		case taint.Effect == "":
+			allErrs = append(allErrs, field.Required(fldPath.Child("effect"), "").MarkCoveredByDeclarative()) // Required in a taint.
+		case !validDeviceTaintEffects.Has(taint.Effect):
+			allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), taint.Effect, sets.List(validDeviceTaintEffects)).MarkCoveredByDeclarative())
+		}
 	}
 
 	return allErrs
@@ -1332,7 +1411,7 @@ func validateDeviceToleration(toleration resource.DeviceToleration, fldPath *fie
 	var allErrs field.ErrorList
 
 	if toleration.Key != "" {
-		allErrs = append(allErrs, metav1validation.ValidateLabelName(toleration.Key, fldPath.Child("key"))...)
+		allErrs = append(allErrs, metav1validation.ValidateLabelName(toleration.Key, fldPath.Child("key")).MarkCoveredByDeclarative()...)
 	}
 	switch toleration.Operator {
 	case resource.DeviceTolerationOpExists:
@@ -1344,13 +1423,13 @@ func validateDeviceToleration(toleration resource.DeviceToleration, fldPath *fie
 	case "":
 		allErrs = append(allErrs, field.Required(fldPath.Child("operator"), ""))
 	default:
-		allErrs = append(allErrs, field.NotSupported(fldPath.Child("operator"), toleration.Operator, validDeviceTolerationOperators))
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("operator"), toleration.Operator, validDeviceTolerationOperators).MarkCoveredByDeclarative())
 	}
 	switch {
 	case toleration.Effect == "":
 		// Optional in a toleration.
 	case !validDeviceTaintEffects.Has(toleration.Effect):
-		allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), toleration.Effect, sets.List(validDeviceTaintEffects)))
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), toleration.Effect, sets.List(validDeviceTaintEffects)).MarkCoveredByDeclarative())
 	}
 
 	return allErrs
@@ -1370,10 +1449,10 @@ func validateLabelValue(value string, fldPath *field.Path) field.ErrorList {
 func validateDeviceBindingParameters(bindingConditions, bindingFailureConditions []string, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validateSlice(bindingConditions, resource.BindingConditionsMaxSize,
-		metav1validation.ValidateLabelName, fldPath.Child("bindingConditions"))...)
+		metav1validation.ValidateLabelName, fldPath.Child("bindingConditions"), sizeCovered)...)
 
 	allErrs = append(allErrs, validateSlice(bindingFailureConditions, resource.BindingFailureConditionsMaxSize,
-		metav1validation.ValidateLabelName, fldPath.Child("bindingFailureConditions"))...)
+		metav1validation.ValidateLabelName, fldPath.Child("bindingFailureConditions"), sizeCovered)...)
 
 	// ensure BindingConditions and BindingFailureConditions contain no duplicate items and do not overlap with each other
 	conditionsSet := sets.New[string]()
@@ -1405,3 +1484,17 @@ func validateDeviceBindingParameters(bindingConditions, bindingFailureConditions
 
 	return allErrs
 }
+
+// ValidateDeviceTaintRuleStatusUpdate tests if a DeviceTaintRule status update is valid.
+func ValidateDeviceTaintRuleStatusUpdate(rule, oldRule *resource.DeviceTaintRule) field.ErrorList {
+	var allErrs field.ErrorList
+
+	fldPath := field.NewPath("status")
+	allErrs = corevalidation.ValidateObjectMetaUpdate(&rule.ObjectMeta, &oldRule.ObjectMeta, field.NewPath("metadata")) // Covers invalid name changes.
+	allErrs = append(allErrs, metav1validation.ValidateConditions(rule.Status.Conditions, fldPath.Child("conditions"))...)
+	if len(rule.Status.Conditions) > resource.DeviceTaintRuleStatusMaxConditions {
+		allErrs = append(allErrs, field.TooMany(fldPath.Child("conditions"), len(rule.Status.Conditions), resource.DeviceTaintRuleStatusMaxConditions))
+	}
+
+	return allErrs
+}
diff --git a/pkg/apis/resource/validation/validation_deviceclass_test.go b/pkg/apis/resource/validation/validation_deviceclass_test.go
index 34de83bcbe935..1491a0920e01e 100644
--- a/pkg/apis/resource/validation/validation_deviceclass_test.go
+++ b/pkg/apis/resource/validation/validation_deviceclass_test.go
@@ -53,7 +53,7 @@ func TestValidateClass(t *testing.T) {
 			class:        testClass(""),
 		},
 		"bad-name": {
-			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "name"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "name"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')").MarkCoveredByDeclarative()},
 			class:        testClass(badName),
 		},
 		"generate-name": {
@@ -181,7 +181,7 @@ func TestValidateClass(t *testing.T) {
 			}(),
 		},
 		"bad-extended-resource-name": {
-			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "extendedResourceName"), "example.com", "must be a valid extended resource name")},
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "extendedResourceName"), "example.com", "must be a valid extended resource name").MarkCoveredByDeclarative().WithOrigin("format=k8s-extended-resource-name")},
 			class: func() *resource.DeviceClass {
 				class := testClass(goodName)
 				class.Spec.ExtendedResourceName = ptr.To(string("example.com"))
@@ -219,7 +219,7 @@ func TestValidateClass(t *testing.T) {
 		},
 		"too-many-selectors": {
 			wantFailures: field.ErrorList{
-				field.TooMany(field.NewPath("spec", "selectors"), resource.DeviceSelectorsMaxSize+1, resource.DeviceSelectorsMaxSize),
+				field.TooMany(field.NewPath("spec", "selectors"), resource.DeviceSelectorsMaxSize+1, resource.DeviceSelectorsMaxSize).WithOrigin("maxItems").MarkCoveredByDeclarative(),
 			},
 			class: func() *resource.DeviceClass {
 				class := testClass(goodName)
@@ -236,8 +236,7 @@ func TestValidateClass(t *testing.T) {
 		},
 		"configuration": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "config").Index(1).Child("opaque", "driver"), ""),
-				field.Invalid(field.NewPath("spec", "config").Index(1).Child("opaque", "driver"), "", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"),
+				field.Required(field.NewPath("spec", "config").Index(1).Child("opaque", "driver"), "").MarkCoveredByDeclarative(),
 				field.Required(field.NewPath("spec", "config").Index(1).Child("opaque", "parameters"), ""),
 				field.Invalid(field.NewPath("spec", "config").Index(2).Child("opaque", "parameters"), "<value omitted>", "error parsing data as JSON: invalid character 'x' looking for beginning of value"),
 				field.Invalid(field.NewPath("spec", "config").Index(3).Child("opaque", "parameters"), "<value omitted>", "must be a valid JSON object"),
@@ -314,7 +313,7 @@ func TestValidateClass(t *testing.T) {
 		},
 		"too-many-configs": {
 			wantFailures: field.ErrorList{
-				field.TooMany(field.NewPath("spec", "config"), resource.DeviceConfigMaxSize+1, resource.DeviceConfigMaxSize),
+				field.TooMany(field.NewPath("spec", "config"), resource.DeviceConfigMaxSize+1, resource.DeviceConfigMaxSize).WithOrigin("maxItems").MarkCoveredByDeclarative(),
 			},
 			class: func() *resource.DeviceClass {
 				class := testClass(goodName)
diff --git a/pkg/apis/resource/validation/validation_devicetaintrule_test.go b/pkg/apis/resource/validation/validation_devicetaintrule_test.go
index 9851c272bbcf3..815b6c515e4d4 100644
--- a/pkg/apis/resource/validation/validation_devicetaintrule_test.go
+++ b/pkg/apis/resource/validation/validation_devicetaintrule_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package validation
 
 import (
-	"strings"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -37,10 +36,9 @@ func testDeviceTaintRule(name string, spec resourceapi.DeviceTaintRuleSpec) *res
 
 var validDeviceTaintRuleSpec = resourceapi.DeviceTaintRuleSpec{
 	DeviceSelector: &resourceapi.DeviceTaintSelector{
-		DeviceClassName: ptr.To(goodName),
-		Driver:          ptr.To("test.example.com"),
-		Pool:            ptr.To(goodName),
-		Device:          ptr.To(goodName),
+		Driver: ptr.To("test.example.com"),
+		Pool:   ptr.To(goodName),
+		Device: ptr.To(goodName),
 	},
 	Taint: resourceapi.DeviceTaint{
 		Key:    "example.com/taint",
@@ -187,14 +185,6 @@ func TestValidateDeviceTaint(t *testing.T) {
 				return taintRule
 			}(),
 		},
-		"bad-class": {
-			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "deviceClassName"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
-			taintRule: func() *resourceapi.DeviceTaintRule {
-				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
-				taintRule.Spec.DeviceSelector.DeviceClassName = ptr.To(badName)
-				return taintRule
-			}(),
-		},
 		"bad-driver": {
 			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "driver"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
 			taintRule: func() *resourceapi.DeviceTaintRule {
@@ -219,91 +209,41 @@ func TestValidateDeviceTaint(t *testing.T) {
 				return taintRule
 			}(),
 		},
-		"CEL-compile-errors": {
-			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "deviceSelector", "selectors").Index(1).Child("cel", "expression"), `device.attributes[true].someBoolean`, "compilation failed: ERROR: <input>:1:18: found no matching overload for '_[_]' applied to '(map(string, map(string, any)), bool)'\n | device.attributes[true].someBoolean\n | .................^"),
-			},
-			taintRule: func() *resourceapi.DeviceTaintRule {
-				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
-				taintRule.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
-					{
-						// Good selector.
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: `device.driver == "dra.example.com"`,
-						},
-					},
-					{
-						// Bad selector.
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: `device.attributes[true].someBoolean`,
-						},
-					},
-				}
-				return taintRule
-			}(),
-		},
-		"CEL-length": {
-			wantFailures: field.ErrorList{
-				field.TooLong(field.NewPath("spec", "deviceSelector", "selectors").Index(1).Child("cel", "expression"), "" /*unused*/, resourceapi.CELSelectorExpressionMaxLength),
-			},
-			taintRule: func() *resourceapi.DeviceTaintRule {
-				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
-				expression := `device.driver == ""`
-				taintRule.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
-					{
-						// Good selector.
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: strings.ReplaceAll(expression, `""`, `"`+strings.Repeat("x", resourceapi.CELSelectorExpressionMaxLength-len(expression))+`"`),
-						},
-					},
-					{
-						// Too long by one selector.
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: strings.ReplaceAll(expression, `""`, `"`+strings.Repeat("x", resourceapi.CELSelectorExpressionMaxLength-len(expression)+1)+`"`),
-						},
-					},
-				}
-				return taintRule
-			}(),
-		},
-		"CEL-cost": {
-			wantFailures: field.ErrorList{
-				field.Forbidden(field.NewPath("spec", "deviceSelector", "selectors").Index(0).Child("cel", "expression"), "too complex, exceeds cost limit"),
-			},
+		// Minimal tests for DeviceTaint. Full coverage of validateDeviceTaint is in ResourceSlice test.
+		"valid-taint": {
 			taintRule: func() *resourceapi.DeviceTaintRule {
 				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
-				claim.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
-					{
-						CEL: &resourceapi.CELDeviceSelector{
-							// From https://github.com/kubernetes/kubernetes/blob/50fc400f178d2078d0ca46aee955ee26375fc437/test/integration/apiserver/cel/validatingadmissionpolicy_test.go#L2150.
-							Expression: `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(x, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(y, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z2, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z3, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z4, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z5, int('1'.find('[0-9]*')) < 100)))))))`,
-						},
-					},
+				claim.Spec.Taint = resourceapi.DeviceTaint{
+					Key:    goodName,
+					Value:  goodName,
+					Effect: resourceapi.DeviceTaintEffectNoExecute,
 				}
 				return claim
 			}(),
 		},
-		"valid-taint": {
+		"required-taint": {
+			wantFailures: field.ErrorList{
+				field.Required(field.NewPath("spec", "taint", "effect"), "").MarkCoveredByDeclarative(),
+			},
 			taintRule: func() *resourceapi.DeviceTaintRule {
 				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
 				claim.Spec.Taint = resourceapi.DeviceTaint{
-					Key:    goodName,
-					Value:  goodName,
-					Effect: resourceapi.DeviceTaintEffectNoExecute,
+					Key:   goodName,
+					Value: goodName,
 				}
 				return claim
 			}(),
 		},
 		"invalid-taint": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "taint", "effect"), ""),
+				field.NotSupported(field.NewPath("spec", "taint", "effect"), resourceapi.DeviceTaintEffect("some-other-effect"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule, resourceapi.DeviceTaintEffectNone}).MarkCoveredByDeclarative(),
 			},
 			taintRule: func() *resourceapi.DeviceTaintRule {
 				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
 				claim.Spec.Taint = resourceapi.DeviceTaint{
-					// Minimal test. Full coverage of validateDeviceTaint is in ResourceSlice test.
-					Key:   goodName,
-					Value: goodName,
+					Effect: "some-other-effect",
+					Key:    goodName,
+					Value:  goodName,
 				}
 				return claim
 			}(),
@@ -321,6 +261,8 @@ func TestValidateDeviceTaint(t *testing.T) {
 func TestValidateDeviceTaintUpdate(t *testing.T) {
 	name := "valid"
 	validTaintRule := testDeviceTaintRule(name, validDeviceTaintRuleSpec)
+	invalidTaintEffectRule := validTaintRule.DeepCopy()
+	invalidTaintEffectRule.Spec.Taint.Effect = "some-other-effect"
 
 	scenarios := map[string]struct {
 		old          *resourceapi.DeviceTaintRule
@@ -339,6 +281,21 @@ func TestValidateDeviceTaintUpdate(t *testing.T) {
 				return taintRule
 			},
 		},
+		"valid-existing-unknown-effect": {
+			old: invalidTaintEffectRule,
+			update: func(taintRule *resourceapi.DeviceTaintRule) *resourceapi.DeviceTaintRule {
+				taintRule.Labels = map[string]string{"a": "b"}
+				return taintRule
+			},
+		},
+		"invalid-new-unknown-effect": {
+			wantFailures: field.ErrorList{field.NotSupported(field.NewPath("spec", "taint", "effect"), resourceapi.DeviceTaintEffect("some-other-effect"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule, resourceapi.DeviceTaintEffectNone})}.MarkCoveredByDeclarative(),
+			old:          validTaintRule,
+			update: func(taintRule *resourceapi.DeviceTaintRule) *resourceapi.DeviceTaintRule {
+				taintRule.Spec.Taint.Effect = "some-other-effect"
+				return taintRule
+			},
+		},
 	}
 
 	for name, scenario := range scenarios {
diff --git a/pkg/apis/resource/validation/validation_resourceclaim_test.go b/pkg/apis/resource/validation/validation_resourceclaim_test.go
index 96100b328d8a8..9a6cffb82598c 100644
--- a/pkg/apis/resource/validation/validation_resourceclaim_test.go
+++ b/pkg/apis/resource/validation/validation_resourceclaim_test.go
@@ -257,19 +257,51 @@ func TestValidateClaim(t *testing.T) {
 				return claim
 			}(),
 		},
-		"invalid-request": {
+		"invalid-request-without-max-size-short-circuit": {
 			wantFailures: field.ErrorList{
-				field.TooMany(field.NewPath("spec", "devices", "requests"), resource.DeviceRequestsMaxSize+1, resource.DeviceRequestsMaxSize),
 				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests").Index(1), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
 				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests").Index(1), badName, "must be the name of a request in the claim or the name of a request and a subrequest separated by '/'"),
-				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "missing-domain", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')"),
-				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), resource.FullyQualifiedName("missing-domain"), "must include a domain"),
-				field.Required(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), "name required"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "missing-domain", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), resource.FullyQualifiedName("missing-domain"), "a fully qualified name must be a domain and a name separated by a slash").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), "", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), resource.FullyQualifiedName(""), "a fully qualified name must be a domain and a name separated by a slash").MarkCoveredByDeclarative(),
 				field.Required(field.NewPath("spec", "devices", "constraints").Index(2).Child("matchAttribute"), ""),
-				field.TooMany(field.NewPath("spec", "devices", "constraints"), resource.DeviceConstraintsMaxSize+1, resource.DeviceConstraintsMaxSize),
 				field.Invalid(field.NewPath("spec", "devices", "config").Index(0).Child("requests").Index(1), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
 				field.Invalid(field.NewPath("spec", "devices", "config").Index(0).Child("requests").Index(1), badName, "must be the name of a request in the claim or the name of a request and a subrequest separated by '/'"),
-				field.TooMany(field.NewPath("spec", "devices", "config"), resource.DeviceConfigMaxSize+1, resource.DeviceConfigMaxSize),
+			},
+			claim: func() *resource.ResourceClaim {
+				claim := testClaim(goodName, goodNS, validClaimSpec)
+				claim.Spec.Devices.Constraints = []resource.DeviceConstraint{
+					{
+						Requests:       []string{claim.Spec.Devices.Requests[0].Name, badName},
+						MatchAttribute: ptr.To(resource.FullyQualifiedName("missing-domain")),
+					},
+					{
+						MatchAttribute: ptr.To(resource.FullyQualifiedName("")),
+					},
+					{
+						MatchAttribute: nil,
+					},
+				}
+				claim.Spec.Devices.Config = []resource.DeviceClaimConfiguration{{
+					Requests: []string{claim.Spec.Devices.Requests[0].Name, badName},
+					DeviceConfiguration: resource.DeviceConfiguration{
+						Opaque: &resource.OpaqueDeviceConfiguration{
+							Driver: "dra.example.com",
+							Parameters: runtime.RawExtension{
+								Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+							},
+						},
+					},
+				}}
+				return claim
+			}(),
+		},
+		"invalid-request-with-max-size-short-circuit": {
+			wantFailures: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests"), resource.DeviceRequestsMaxSize+1, resource.DeviceRequestsMaxSize).MarkCoveredByDeclarative(),
+				field.TooMany(field.NewPath("spec", "devices", "constraints"), resource.DeviceConstraintsMaxSize+1, resource.DeviceConstraintsMaxSize).MarkCoveredByDeclarative(),
+				field.TooMany(field.NewPath("spec", "devices", "config"), resource.DeviceConfigMaxSize+1, resource.DeviceConfigMaxSize).MarkCoveredByDeclarative(),
 			},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpec)
@@ -322,8 +354,9 @@ func TestValidateClaim(t *testing.T) {
 		"invalid-distinct-constraint": {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("distinctAttribute"), "missing-domain", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')"),
-				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("distinctAttribute"), resource.FullyQualifiedName("missing-domain"), "must include a domain"),
-				field.Required(field.NewPath("spec", "devices", "constraints").Index(1).Child("distinctAttribute"), "name required"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("distinctAttribute"), resource.FullyQualifiedName("missing-domain"), "a fully qualified name must be a domain and a name separated by a slash"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("distinctAttribute"), "", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("distinctAttribute"), resource.FullyQualifiedName(""), "a fully qualified name must be a domain and a name separated by a slash"),
 				field.Required(field.NewPath("spec", "devices", "constraints").Index(2), `exactly one of "matchAttribute" or "distinctAttribute" is required, but multiple fields are set`)},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpec)
@@ -374,9 +407,10 @@ func TestValidateClaim(t *testing.T) {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests").Index(1), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
 				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests").Index(1), badName, "must be the name of a request in the claim or the name of a request and a subrequest separated by '/'"),
-				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "missing-domain", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')"),
-				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), resource.FullyQualifiedName("missing-domain"), "must include a domain"),
-				field.Required(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), "name required"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "missing-domain", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), resource.FullyQualifiedName("missing-domain"), "a fully qualified name must be a domain and a name separated by a slash").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), "", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(1).Child("matchAttribute"), resource.FullyQualifiedName(""), "a fully qualified name must be a domain and a name separated by a slash").MarkCoveredByDeclarative(),
 				field.Required(field.NewPath("spec", "devices", "constraints").Index(2).Child("matchAttribute"), ""),
 				field.Invalid(field.NewPath("spec", "devices", "config").Index(0).Child("requests").Index(1), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
 				field.Invalid(field.NewPath("spec", "devices", "config").Index(0).Child("requests").Index(1), badName, "must be the name of a request in the claim or the name of a request and a subrequest separated by '/'"),
@@ -412,9 +446,9 @@ func TestValidateClaim(t *testing.T) {
 		"allocation-mode": {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices", "requests").Index(2).Child("exactly", "count"), int64(-1), "must be greater than zero"),
-				field.NotSupported(field.NewPath("spec", "devices", "requests").Index(3).Child("exactly", "allocationMode"), resource.DeviceAllocationMode("other"), []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}),
+				field.NotSupported(field.NewPath("spec", "devices", "requests").Index(3).Child("exactly", "allocationMode"), resource.DeviceAllocationMode("other"), []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}).MarkCoveredByDeclarative(),
 				field.Invalid(field.NewPath("spec", "devices", "requests").Index(4).Child("exactly", "count"), int64(2), "must not be specified when allocationMode is 'All'"),
-				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(5).Child("name"), "foo"),
+				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(5), "foo").MarkCoveredByDeclarative(),
 			},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpec)
@@ -622,11 +656,21 @@ func TestValidateClaim(t *testing.T) {
 				return claim
 			}(),
 		},
+		"first-available-with-zero-exactly-fails-old-validation": {
+			wantFailures: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0), nil, "exactly one of `exactly` or `firstAvailable` is required, but multiple fields are set"),
+			},
+			claim: func() *resource.ResourceClaim {
+				claim := testClaim(goodName, goodNS, validClaimSpecWithFirstAvailable)
+				claim.Spec.Devices.Requests[0].Exactly = &resource.ExactDeviceRequest{}
+				return claim
+			}(),
+		},
 		"prioritized-list-invalid-nested-request": {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("name"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
-				field.Required(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), ""),
-				field.NotSupported(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("allocationMode"), resource.DeviceAllocationMode(""), []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}),
+				field.Required(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), "").MarkCoveredByDeclarative(),
+				field.NotSupported(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("allocationMode"), resource.DeviceAllocationMode(""), []resource.DeviceAllocationMode{resource.DeviceAllocationModeAll, resource.DeviceAllocationModeExactCount}).MarkCoveredByDeclarative(),
 			},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpecWithFirstAvailable)
@@ -638,7 +682,7 @@ func TestValidateClaim(t *testing.T) {
 		},
 		"prioritized-list-nested-requests-same-name": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(1).Child("name"), "foo"),
+				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(1), "foo").MarkCoveredByDeclarative(),
 			},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpecWithFirstAvailable)
@@ -648,7 +692,7 @@ func TestValidateClaim(t *testing.T) {
 		},
 		"prioritized-list-too-many-subrequests": {
 			wantFailures: field.ErrorList{
-				field.TooMany(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable"), 9, 8),
+				field.TooMany(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable"), 9, 8).MarkCoveredByDeclarative(),
 			},
 			claim: func() *resource.ResourceClaim {
 				claim := testClaim(goodName, goodNS, validClaimSpec)
@@ -776,11 +820,11 @@ func TestValidateClaim(t *testing.T) {
 				allErrs = append(allErrs,
 					field.Required(fldPath.Index(3).Child("operator"), ""),
 
-					field.NotSupported(fldPath.Index(4).Child("operator"), resource.DeviceTolerationOperator("some-other-op"), []resource.DeviceTolerationOperator{resource.DeviceTolerationOpEqual, resource.DeviceTolerationOpExists}),
+					field.NotSupported(fldPath.Index(4).Child("operator"), resource.DeviceTolerationOperator("some-other-op"), []resource.DeviceTolerationOperator{resource.DeviceTolerationOpEqual, resource.DeviceTolerationOpExists}).MarkCoveredByDeclarative(),
 
-					field.Invalid(fldPath.Index(5).Child("key"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
+					field.Invalid(fldPath.Index(5).Child("key"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')").MarkCoveredByDeclarative(),
 					field.Invalid(fldPath.Index(5).Child("value"), badName, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"),
-					field.NotSupported(fldPath.Index(5).Child("effect"), resource.DeviceTaintEffect("some-other-effect"), []resource.DeviceTaintEffect{resource.DeviceTaintEffectNoExecute, resource.DeviceTaintEffectNoSchedule}),
+					field.NotSupported(fldPath.Index(5).Child("effect"), resource.DeviceTaintEffect("some-other-effect"), []resource.DeviceTaintEffect{resource.DeviceTaintEffectNoExecute, resource.DeviceTaintEffectNoSchedule, resource.DeviceTaintEffectNone}).MarkCoveredByDeclarative(),
 				)
 				return allErrs
 			}(),
@@ -855,7 +899,7 @@ func TestValidateClaimUpdate(t *testing.T) {
 				spec := validClaim.Spec.DeepCopy()
 				spec.Devices.Requests[0].Exactly.DeviceClassName += "2"
 				return *spec
-			}(), "field is immutable")},
+			}(), "field is immutable")}.MarkCoveredByDeclarative(),
 			oldClaim: validClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				claim.Spec.Devices.Requests[0].Exactly.DeviceClassName += "2"
@@ -1049,7 +1093,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			},
 		},
 		"invalid-reserved-for-too-large": {
-			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "reservedFor"), resource.ResourceClaimReservedForMaxSize+1, resource.ResourceClaimReservedForMaxSize)},
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "reservedFor"), resource.ResourceClaimReservedForMaxSize+1, resource.ResourceClaimReservedForMaxSize).MarkCoveredByDeclarative()},
 			oldClaim:     validAllocatedClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				for i := 0; i < resource.ResourceClaimReservedForMaxSize+1; i++ {
@@ -1064,7 +1108,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			},
 		},
 		"invalid-reserved-for-duplicate": {
-			wantFailures: field.ErrorList{field.Duplicate(field.NewPath("status", "reservedFor").Index(1).Child("uid"), types.UID("1"))},
+			wantFailures: field.ErrorList{field.Duplicate(field.NewPath("status", "reservedFor").Index(1), types.UID("1")).MarkCoveredByDeclarative()},
 			oldClaim:     validAllocatedClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				for i := 0; i < 2; i++ {
@@ -1155,7 +1199,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 				claim := validAllocatedClaim.DeepCopy()
 				claim.Status.Allocation.Devices.Results[0].Driver += "-2"
 				return claim.Status.Allocation
-			}(), "field is immutable")},
+			}(), "field is immutable").MarkCoveredByDeclarative()},
 			oldClaim: validAllocatedClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				claim.Status.Allocation.Devices.Results[0].Driver += "-2"
@@ -1186,13 +1230,35 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 				return claim
 			},
 		},
+		"invalid-duplicate-request-name": {
+			wantFailures: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "allocation", "devices", "config").Index(0).Child("requests").Index(1), "foo").MarkCoveredByDeclarative(),
+			},
+			oldClaim: validClaim,
+			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
+				claim = claim.DeepCopy()
+				claim.Status.Allocation = validAllocatedClaim.Status.Allocation.DeepCopy()
+				claim.Status.Allocation.Devices.Config = []resource.DeviceAllocationConfiguration{{
+					Source:   resource.AllocationConfigSourceClaim,
+					Requests: []string{claim.Spec.Devices.Requests[0].Name, claim.Spec.Devices.Requests[0].Name},
+					DeviceConfiguration: resource.DeviceConfiguration{
+						Opaque: &resource.OpaqueDeviceConfiguration{
+							Driver: "dra.example.com",
+							Parameters: runtime.RawExtension{
+								Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+							},
+						},
+					},
+				}}
+				return claim
+			},
+		},
 		"configuration": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(1).Child("source"), ""),
-				field.NotSupported(field.NewPath("status", "allocation", "devices", "config").Index(2).Child("source"), resource.AllocationConfigSource("no-such-source"), []resource.AllocationConfigSource{resource.AllocationConfigSourceClaim, resource.AllocationConfigSourceClass}),
+				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(1).Child("source"), "").MarkCoveredByDeclarative(),
+				field.NotSupported(field.NewPath("status", "allocation", "devices", "config").Index(2).Child("source"), resource.AllocationConfigSource("no-such-source"), []resource.AllocationConfigSource{resource.AllocationConfigSourceClaim, resource.AllocationConfigSourceClass}).MarkCoveredByDeclarative(),
 				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(3).Child("opaque"), ""),
-				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(4).Child("opaque", "driver"), ""),
-				field.Invalid(field.NewPath("status", "allocation", "devices", "config").Index(4).Child("opaque", "driver"), "", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"),
+				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(4).Child("opaque", "driver"), "").MarkCoveredByDeclarative(),
 				field.Required(field.NewPath("status", "allocation", "devices", "config").Index(4).Child("opaque", "parameters"), ""),
 				field.TooLong(field.NewPath("status", "allocation", "devices", "config").Index(6).Child("opaque", "parameters"), "" /* unused */, resource.OpaqueParametersMaxLength),
 			},
@@ -1330,8 +1396,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-device-status-duplicate": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "2001:db8::1/64"),
-				field.Duplicate(field.NewPath("status", "devices").Index(1).Child("deviceID"), structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), nil)),
+				field.Duplicate(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "2001:db8::1/64").MarkCoveredByDeclarative(),
+				field.Duplicate(field.NewPath("status", "devices").Index(1), structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), nil)).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim { return validAllocatedClaim }(),
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
@@ -1359,8 +1425,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-device-status-duplicate-with-share-id": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("status", "devices").Index(1).Child("deviceID"),
-					structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), ptr.To(goodShareID))),
+				field.Duplicate(field.NewPath("status", "devices").Index(1),
+					structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), ptr.To(goodShareID))).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim {
 				claim := validAllocatedClaim.DeepCopy()
@@ -1389,8 +1455,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-network-device-status": {
 			wantFailures: field.ErrorList{
-				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "interfaceName"), "", resource.NetworkDeviceDataInterfaceNameMaxLength),
-				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "hardwareAddress"), "", resource.NetworkDeviceDataHardwareAddressMaxLength),
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "interfaceName"), "", resource.NetworkDeviceDataInterfaceNameMaxLength).MarkCoveredByDeclarative(),
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "hardwareAddress"), "", resource.NetworkDeviceDataHardwareAddressMaxLength).MarkCoveredByDeclarative(),
 				field.Invalid(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(0), "300.9.8.0/24", "must be a valid address in CIDR form, (e.g. 10.9.8.7/24 or 2001:db8::1/64)"),
 				field.Invalid(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "010.009.008.000/24", "must be in canonical form (\"10.9.8.0/24\")"),
 				field.Invalid(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(2), "2001:0db8::1/64", "must be in canonical form (\"2001:db8::1/64\")"),
@@ -1441,7 +1507,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			wantFailures: field.ErrorList{
 				field.TooMany(field.NewPath("status", "devices").Index(0).Child("conditions"), resource.AllocatedDeviceStatusMaxConditions+1, resource.AllocatedDeviceStatusMaxConditions),
 				field.TooLong(field.NewPath("status", "devices").Index(0).Child("data"), "" /* unused */, resource.AllocatedDeviceStatusDataMaxLength),
-				field.TooMany(field.NewPath("status", "devices").Index(0).Child("networkData", "ips"), resource.NetworkDeviceDataMaxIPs+1, resource.NetworkDeviceDataMaxIPs),
+				field.TooMany(field.NewPath("status", "devices").Index(0).Child("networkData", "ips"), resource.NetworkDeviceDataMaxIPs+1, resource.NetworkDeviceDataMaxIPs).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim { return validAllocatedClaim }(),
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
@@ -1493,8 +1559,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-device-status-duplicate-disabled-feature-gate": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "2001:db8::1/64"),
-				field.Duplicate(field.NewPath("status", "devices").Index(1).Child("deviceID"), structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), nil)),
+				field.Duplicate(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "2001:db8::1/64").MarkCoveredByDeclarative(),
+				field.Duplicate(field.NewPath("status", "devices").Index(1), structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), nil)).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim { return validAllocatedClaim }(),
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
@@ -1522,8 +1588,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-device-status-duplicate-with-share-id-disabled-feature-gate": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("status", "devices").Index(1).Child("deviceID"),
-					structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), ptr.To(goodShareID))),
+				field.Duplicate(field.NewPath("status", "devices").Index(1),
+					structured.MakeSharedDeviceID(structured.MakeDeviceID(goodName, goodName, goodName), ptr.To(goodShareID))).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim {
 				claim := validAllocatedClaim.DeepCopy()
@@ -1552,8 +1618,8 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-network-device-status-disabled-feature-gate": {
 			wantFailures: field.ErrorList{
-				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "interfaceName"), "", resource.NetworkDeviceDataInterfaceNameMaxLength),
-				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "hardwareAddress"), "", resource.NetworkDeviceDataHardwareAddressMaxLength),
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "interfaceName"), "", resource.NetworkDeviceDataInterfaceNameMaxLength).MarkCoveredByDeclarative(),
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "hardwareAddress"), "", resource.NetworkDeviceDataHardwareAddressMaxLength).MarkCoveredByDeclarative(),
 				field.Invalid(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(0), "300.9.8.0/24", "must be a valid address in CIDR form, (e.g. 10.9.8.7/24 or 2001:db8::1/64)"),
 			},
 			oldClaim: func() *resource.ResourceClaim { return validAllocatedClaim }(),
@@ -1600,7 +1666,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			wantFailures: field.ErrorList{
 				field.TooMany(field.NewPath("status", "devices").Index(0).Child("conditions"), resource.AllocatedDeviceStatusMaxConditions+1, resource.AllocatedDeviceStatusMaxConditions),
 				field.TooLong(field.NewPath("status", "devices").Index(0).Child("data"), "" /* unused */, resource.AllocatedDeviceStatusDataMaxLength),
-				field.TooMany(field.NewPath("status", "devices").Index(0).Child("networkData", "ips"), resource.NetworkDeviceDataMaxIPs+1, resource.NetworkDeviceDataMaxIPs),
+				field.TooMany(field.NewPath("status", "devices").Index(0).Child("networkData", "ips"), resource.NetworkDeviceDataMaxIPs+1, resource.NetworkDeviceDataMaxIPs).MarkCoveredByDeclarative(),
 			},
 			oldClaim: func() *resource.ResourceClaim { return validAllocatedClaim }(),
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
@@ -1819,7 +1885,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			},
 		},
 		"too-many-binding-conditions": {
-			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingConditions"), 5, 4)},
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingConditions"), 5, 4).MarkCoveredByDeclarative()},
 			oldClaim:     validClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				claim.Status.Allocation = &resource.AllocationResult{
@@ -1839,7 +1905,7 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 			},
 		},
 		"too-many-binding-failure-conditions": {
-			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingFailureConditions"), 5, 4)},
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingFailureConditions"), 5, 4).MarkCoveredByDeclarative()},
 			oldClaim:     validClaim,
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
 				claim.Status.Allocation = &resource.AllocationResult{
@@ -2158,10 +2224,10 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 		},
 		"invalid-add-allocated-status-invalid-share-id": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("status", "devices").Index(0).Child("shareID"), badLengthShareIDStr, "error validating uid: invalid UUID length: 1"),
-				field.Invalid(field.NewPath("status", "devices").Index(1).Child("shareID"), badFormatShareIDStr, "uid must be in RFC 4122 normalized form, `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` with lowercase hexadecimal characters"),
-				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), badLengthShareIDStr, "error validating uid: invalid UUID length: 1"),
-				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(1).Child("shareID"), badFormatShareIDStr, "uid must be in RFC 4122 normalized form, `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` with lowercase hexadecimal characters"),
+				field.Invalid(field.NewPath("status", "devices").Index(0).Child("shareID"), badLengthShareIDStr, "error validating uid: invalid UUID length: 1").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("status", "devices").Index(1).Child("shareID"), badFormatShareIDStr, "uid must be in RFC 4122 normalized form, `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` with lowercase hexadecimal characters").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), badLengthShareIDStr, "error validating uid: invalid UUID length: 1").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(1).Child("shareID"), badFormatShareIDStr, "uid must be in RFC 4122 normalized form, `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` with lowercase hexadecimal characters").MarkCoveredByDeclarative(),
 			},
 			oldClaim: testClaim(goodName, goodNS, validClaimSpec),
 			update: func(claim *resource.ResourceClaim) *resource.ResourceClaim {
@@ -2240,10 +2306,12 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 
 	for name, scenario := range scenarios {
 		t.Run(name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, scenario.adminAccess)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAResourceClaimDeviceStatus, scenario.deviceStatusFeatureGate)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, scenario.prioritizedListFeatureGate)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, scenario.consumableCapacityFeatureGate)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAAdminAccess:               scenario.adminAccess,
+				features.DRAResourceClaimDeviceStatus: scenario.deviceStatusFeatureGate,
+				features.DRAPrioritizedList:           scenario.prioritizedListFeatureGate,
+				features.DRAConsumableCapacity:        scenario.consumableCapacityFeatureGate,
+			})
 
 			scenario.oldClaim.ResourceVersion = "1"
 			errs := ValidateResourceClaimStatusUpdate(scenario.update(scenario.oldClaim.DeepCopy()), scenario.oldClaim)
diff --git a/pkg/apis/resource/validation/validation_resourceclaimtemplate_test.go b/pkg/apis/resource/validation/validation_resourceclaimtemplate_test.go
index a35e02882a31a..7cf5b185064a8 100644
--- a/pkg/apis/resource/validation/validation_resourceclaimtemplate_test.go
+++ b/pkg/apis/resource/validation/validation_resourceclaimtemplate_test.go
@@ -203,7 +203,7 @@ func TestValidateClaimTemplate(t *testing.T) {
 			}(),
 		},
 		"prioritized-list-bad-class-name-on-subrequest": {
-			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')").MarkCoveredByDeclarative()},
 			template: func() *resource.ResourceClaimTemplate {
 				template := testClaimTemplate(goodName, goodNS, validClaimSpecWithFirstAvailable)
 				template.Spec.Spec.Devices.Requests[0].FirstAvailable[0].DeviceClassName = badName
diff --git a/pkg/apis/resource/validation/validation_resourceslice_test.go b/pkg/apis/resource/validation/validation_resourceslice_test.go
index 7669cf15fa4c1..7a867b6bdd538 100644
--- a/pkg/apis/resource/validation/validation_resourceslice_test.go
+++ b/pkg/apis/resource/validation/validation_resourceslice_test.go
@@ -55,6 +55,14 @@ func testCounters() map[string]resourceapi.Counter {
 	}
 }
 
+func testMultipleCounters(count int) map[string]resourceapi.Counter {
+	counters := make(map[string]resourceapi.Counter)
+	for i := 0; i < count; i++ {
+		counters[fmt.Sprintf("memory-%d", i)] = resourceapi.Counter{Value: resource.MustParse("1Gi")}
+	}
+	return counters
+}
+
 func testResourceSlice(name, nodeName, driverName string, numDevices int) *resourceapi.ResourceSlice {
 	slice := &resourceapi.ResourceSlice{
 		ObjectMeta: metav1.ObjectMeta{
@@ -80,6 +88,19 @@ func testResourceSlice(name, nodeName, driverName string, numDevices int) *resou
 	return slice
 }
 
+func testResourceSliceWithSharedCounters(name, poolName, driverName string, numCounterSets int) *resourceapi.ResourceSlice {
+	slice := testResourceSlice(name, poolName, driverName, 1)
+	slice.Spec.Devices = nil
+	for i := 0; i < numCounterSets; i++ {
+		counterSet := resourceapi.CounterSet{
+			Name:     fmt.Sprintf("counterset-%d", i),
+			Counters: testCounters(),
+		}
+		slice.Spec.SharedCounters = append(slice.Spec.SharedCounters, counterSet)
+	}
+	return slice
+}
+
 func testResourceSliceWithBindingConditions(name, nodeName, driverName string, numDevices int, bindingConditions, bindingFailureConditions []string) *resourceapi.ResourceSlice {
 	slice := testResourceSlice(name, nodeName, driverName, numDevices)
 	for i := range slice.Spec.Devices {
@@ -108,6 +129,25 @@ func TestValidateResourceSlice(t *testing.T) {
 			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices"), resourceapi.ResourceSliceMaxDevices+1, resourceapi.ResourceSliceMaxDevices)},
 			slice:        testResourceSlice(goodName, goodName, goodName, resourceapi.ResourceSliceMaxDevices+1),
 		},
+		"good-taints": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, goodName, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters)
+				for i := range slice.Spec.Devices {
+					slice.Spec.Devices[i].Taints = []resourceapi.DeviceTaint{{Key: "example.com/taint", Effect: resourceapi.DeviceTaintEffectNoExecute}}
+				}
+				return slice
+			}(),
+		},
+		"too-large-taints": {
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices"), resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters+1, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters)},
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, goodName, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters+1)
+				for i := range slice.Spec.Devices {
+					slice.Spec.Devices[i].Taints = []resourceapi.DeviceTaint{{Key: "example.com/taint", Effect: resourceapi.DeviceTaintEffectNoExecute}}
+				}
+				return slice
+			}(),
+		},
 		"missing-name": {
 			wantFailures: field.ErrorList{field.Required(field.NewPath("metadata", "name"), "name or generateName is required")},
 			slice:        testResourceSlice("", goodName, driverName, 1),
@@ -323,6 +363,21 @@ func TestValidateResourceSlice(t *testing.T) {
 			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "driver"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
 			slice:        testResourceSlice(goodName, goodName, badName, 1),
 		},
+		"both-shared-counters-and-devices": {
+			wantFailures: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "", "only one of `sharedCounters` or `devices` is allowed"),
+			},
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters = []resourceapi.CounterSet{
+					{
+						Name:     "counterset",
+						Counters: testCounters(),
+					},
+				}
+				return slice
+			}(),
+		},
 		"bad-devices": {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices").Index(1).Child("name"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
@@ -336,8 +391,8 @@ func TestValidateResourceSlice(t *testing.T) {
 		"bad-attribute": {
 			wantFailures: field.ErrorList{
 				field.Invalid(field.NewPath("spec", "devices").Index(1).Child("attributes").Key(badName), badName, "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_' (e.g. 'my_name',  or 'MY_NAME',  or 'MyName', regex used for validation is '[A-Za-z_][A-Za-z0-9_]*')"),
-				field.Required(field.NewPath("spec", "devices").Index(1).Child("attributes").Key(badName), "exactly one value must be specified"),
-				field.Invalid(field.NewPath("spec", "devices").Index(2).Child("attributes").Key(goodName), resourceapi.DeviceAttribute{StringValue: ptr.To("x"), VersionValue: ptr.To("1.2.3")}, "exactly one value must be specified"),
+				field.Invalid(field.NewPath("spec", "devices").Index(1).Child("attributes").Key(badName), "", "exactly one value must be specified").MarkCoveredByDeclarative(),
+				field.Invalid(field.NewPath("spec", "devices").Index(2).Child("attributes").Key(goodName), resourceapi.DeviceAttribute{StringValue: ptr.To("x"), VersionValue: ptr.To("1.2.3")}, "exactly one value must be specified").MarkCoveredByDeclarative(),
 				field.Invalid(field.NewPath("spec", "devices").Index(3).Child("attributes").Key(goodName).Child("version"), strings.Repeat("x", resourceapi.DeviceAttributeMaxValueLength+1), "must be a string compatible with semver.org spec 2.0.0"),
 				field.TooLongMaxLength(field.NewPath("spec", "devices").Index(3).Child("attributes").Key(goodName).Child("version"), strings.Repeat("x", resourceapi.DeviceAttributeMaxValueLength+1), resourceapi.DeviceAttributeMaxValueLength),
 				field.TooLongMaxLength(field.NewPath("spec", "devices").Index(4).Child("attributes").Key(goodName).Child("string"), strings.Repeat("x", resourceapi.DeviceAttributeMaxValueLength+1), resourceapi.DeviceAttributeMaxValueLength),
@@ -410,8 +465,8 @@ func TestValidateResourceSlice(t *testing.T) {
 		},
 		"bad-attribute-empty-domain-and-c-identifier": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "devices").Index(1).Child("attributes").Key("/"), "the domain must not be empty"),
-				field.Required(field.NewPath("spec", "devices").Index(1).Child("attributes").Key("/"), "the name must not be empty"),
+				field.Invalid(field.NewPath("spec", "devices").Index(1).Child("attributes").Key("/"), "", "the domain must not be empty"),
+				field.Invalid(field.NewPath("spec", "devices").Index(1).Child("attributes").Key("/"), "", "the name must not be empty"),
 			},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, goodName, 2)
@@ -493,11 +548,11 @@ func TestValidateResourceSlice(t *testing.T) {
 				return field.ErrorList{
 					field.Invalid(fldPath.Index(2).Child("key"), "", "name part must be non-empty"),
 					field.Invalid(fldPath.Index(2).Child("key"), "", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
-					field.Required(fldPath.Index(2).Child("effect"), ""),
+					field.Required(fldPath.Index(2).Child("effect"), "").MarkCoveredByDeclarative(),
 
 					field.Invalid(fldPath.Index(3).Child("key"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
 					field.Invalid(fldPath.Index(3).Child("value"), badName, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"),
-					field.NotSupported(fldPath.Index(3).Child("effect"), resourceapi.DeviceTaintEffect("some-other-op"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule}),
+					field.NotSupported(fldPath.Index(3).Child("effect"), resourceapi.DeviceTaintEffect("some-other-effect"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule, resourceapi.DeviceTaintEffectNone}).MarkCoveredByDeclarative(),
 				}
 			}(),
 			slice: func() *resourceapi.ResourceSlice {
@@ -522,7 +577,7 @@ func TestValidateResourceSlice(t *testing.T) {
 						// Invalid strings.
 						Key:    badName,
 						Value:  badName,
-						Effect: "some-other-op",
+						Effect: "some-other-effect",
 					},
 				}
 				return slice
@@ -646,47 +701,61 @@ func TestValidateResourceSlice(t *testing.T) {
 				return slice
 			}(),
 		},
+		"missing-name-shared-counters": {
+			wantFailures: field.ErrorList{
+				field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), "").MarkCoveredByDeclarative(),
+			},
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters = []resourceapi.CounterSet{
+					{
+						Counters: testCounters(),
+					},
+				}
+				return slice
+			}(),
+		},
 		"bad-name-shared-counters": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
-				field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("counters"), ""),
+				field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')").MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 0)
 				slice.Spec.SharedCounters = []resourceapi.CounterSet{
 					{
-						Name: badName,
+						Name:     badName,
+						Counters: testCounters(),
 					},
 				}
 				return slice
 			}(),
 		},
-		"bad-countername-shared-counters": {
+		"missing-counter-shared-counters": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("counters").Key(badName), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
+				field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("counters"), ""),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 0)
 				slice.Spec.SharedCounters = []resourceapi.CounterSet{
 					{
 						Name: goodName,
-						Counters: map[string]resourceapi.Counter{
-							badName: {Value: resource.MustParse("1Gi")},
-						},
 					},
 				}
 				return slice
 			}(),
 		},
-		"missing-name-shared-counters": {
+		"bad-countername-shared-counters": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), ""),
+				field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("counters").Key(badName), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')"),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
 				slice.Spec.SharedCounters = []resourceapi.CounterSet{
 					{
-						Counters: testCounters(),
+						Name: goodName,
+						Counters: map[string]resourceapi.Counter{
+							badName: {Value: resource.MustParse("1Gi")},
+						},
 					},
 				}
 				return slice
@@ -694,10 +763,10 @@ func TestValidateResourceSlice(t *testing.T) {
 		},
 		"duplicate-shared-counters": {
 			wantFailures: field.ErrorList{
-				field.Duplicate(field.NewPath("spec", "sharedCounters").Index(1).Child("name"), goodName),
+				field.Duplicate(field.NewPath("spec", "sharedCounters").Index(1), goodName).MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
 				slice.Spec.SharedCounters = []resourceapi.CounterSet{
 					{
 						Name:     goodName,
@@ -711,24 +780,46 @@ func TestValidateResourceSlice(t *testing.T) {
 				return slice
 			}(),
 		},
-		"too-large-shared-counters": {
+		"max-shared-counters": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters = createSharedCounters(resourceapi.ResourceSliceMaxCounterSets)
+				return slice
+			}(),
+		},
+		"too-many-shared-counters": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "sharedCounters"), resourceapi.ResourceSliceMaxSharedCounters+1, fmt.Sprintf("the total number of shared counters must not exceed %d", resourceapi.ResourceSliceMaxSharedCounters)),
+				field.TooMany(field.NewPath("spec", "sharedCounters"), resourceapi.ResourceSliceMaxCounterSets+1, resourceapi.ResourceSliceMaxCounterSets).MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(resourceapi.ResourceSliceMaxSharedCounters + 1)
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters = createSharedCounters(resourceapi.ResourceSliceMaxCounterSets + 1)
+				return slice
+			}(),
+		},
+		"max-counters-in-counter-set": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters[0].Counters = testMultipleCounters(resourceapi.ResourceSliceMaxCountersPerCounterSet)
+				return slice
+			}(),
+		},
+		"too-many-counters-in-counter-set": {
+			wantFailures: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "sharedCounters").Index(0).Child("counters"), resourceapi.ResourceSliceMaxCountersPerCounterSet+1, resourceapi.ResourceSliceMaxCountersPerCounterSet),
+			},
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSliceWithSharedCounters(goodName, goodName, driverName, 1)
+				slice.Spec.SharedCounters[0].Counters = testMultipleCounters(resourceapi.ResourceSliceMaxCountersPerCounterSet + 1)
 				return slice
 			}(),
 		},
-		"missing-counterset-consumes-counter": {
+		"missing-name-counterset-consumes-counter": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), ""),
-				field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), "", "must reference a counterSet defined in the ResourceSlice sharedCounters"),
+				field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), "").MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(1)
 				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
 					{
 						Counters: testCounters(),
@@ -737,80 +828,129 @@ func TestValidateResourceSlice(t *testing.T) {
 				return slice
 			}(),
 		},
-		"missing-counter-consumes-counter": {
+		"bad-name-counterset-consumes-counter": {
 			wantFailures: field.ErrorList{
-				field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counters"), ""),
+				field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')").MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(1)
 				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
 					{
-						CounterSet: "counterset-0",
+						CounterSet: badName,
+						Counters:   testCounters(),
 					},
 				}
 				return slice
 			}(),
 		},
-		"wrong-counterref-consumes-counter": {
+		"duplicate-counterset-consumes-counter": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counters"), "fake", "must reference a counter defined in the ResourceSlice sharedCounters"),
-			},
+				field.Duplicate(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(1), goodName).MarkCoveredByDeclarative()},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(1)
 				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
 					{
-						Counters: map[string]resourceapi.Counter{
-							"fake": {Value: resource.MustParse("1Gi")},
-						},
-						CounterSet: "counterset-0",
+						CounterSet: goodName,
+						Counters:   testCounters(),
+					},
+					{
+						CounterSet: goodName,
+						Counters:   testCounters(),
 					},
 				}
 				return slice
 			}(),
 		},
-		"wrong-sharedcounterref-consumes-counter": {
+		"missing-counter-consumes-counter": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), "fake", "must reference a counterSet defined in the ResourceSlice sharedCounters"),
+				field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counters"), ""),
 			},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(1)
 				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
 					{
-						Counters:   testCounters(),
-						CounterSet: "fake",
+						CounterSet: "counterset-0",
 					},
 				}
 				return slice
 			}(),
 		},
-		"too-large-consumes-counter": {
+		"max-device-counter-consumption-for-device": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice.Spec.Devices[0].Attributes = nil
+				slice.Spec.Devices[0].Capacity = nil
+				slice.Spec.Devices[0].ConsumesCounters = createConsumesCounters(resourceapi.ResourceSliceMaxDeviceCounterConsumptionsPerDevice)
+				return slice
+			}(),
+		},
+		"too-many-device-counter-consumption-for-device": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "devices").Index(0), resourceapi.ResourceSliceMaxCountersPerDevice+1, fmt.Sprintf("the total number of counters must not exceed %d", resourceapi.ResourceSliceMaxCountersPerDevice)),
-				field.Invalid(field.NewPath("spec", "sharedCounters"), resourceapi.ResourceSliceMaxSharedCounters+1, fmt.Sprintf("the total number of shared counters must not exceed %d", resourceapi.ResourceSliceMaxSharedCounters)),
+				field.TooMany(field.NewPath("spec", "devices").Index(0).Child("consumesCounters"), resourceapi.ResourceSliceMaxDeviceCounterConsumptionsPerDevice+1, resourceapi.ResourceSliceMaxDeviceCounterConsumptionsPerDevice).MarkCoveredByDeclarative(),
 			},
 			slice: func() *resourceapi.ResourceSlice {
 				slice := testResourceSlice(goodName, goodName, driverName, 1)
-				slice.Spec.SharedCounters = createSharedCounters(resourceapi.ResourceSliceMaxSharedCounters + 1)
 				slice.Spec.Devices[0].Attributes = nil
 				slice.Spec.Devices[0].Capacity = nil
-				slice.Spec.Devices[0].ConsumesCounters = createConsumesCounters(resourceapi.ResourceSliceMaxCountersPerDevice + 1)
+				slice.Spec.Devices[0].ConsumesCounters = createConsumesCounters(resourceapi.ResourceSliceMaxDeviceCounterConsumptionsPerDevice + 1)
 				return slice
 			}(),
 		},
-		"too-many-device-counters-in-slice": {
+		"max-counters-in-device-counter-consumption": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice.Spec.Devices[0].Attributes = nil
+				slice.Spec.Devices[0].Capacity = nil
+				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
+					{
+						CounterSet: "counterset-0",
+						Counters:   testMultipleCounters(resourceapi.ResourceSliceMaxCountersPerDeviceCounterConsumption),
+					},
+				}
+				return slice
+			}(),
+		},
+		"too-many-counters-in-device-counter-consumption": {
 			wantFailures: field.ErrorList{
-				field.Invalid(field.NewPath("spec", "devices"), resourceapi.ResourceSliceMaxDeviceCountersPerSlice+1, fmt.Sprintf("the total number of counters in devices must not exceed %d", resourceapi.ResourceSliceMaxDeviceCountersPerSlice)),
+				field.TooMany(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counters"), resourceapi.ResourceSliceMaxCountersPerDeviceCounterConsumption+1, resourceapi.ResourceSliceMaxCountersPerDeviceCounterConsumption),
 			},
 			slice: func() *resourceapi.ResourceSlice {
-				slice := testResourceSlice(goodName, goodName, driverName, 65)
-				slice.Spec.SharedCounters = createSharedCounters(16)
-				for i := 0; i < 64; i++ {
-					slice.Spec.Devices[i].ConsumesCounters = createConsumesCounters(16)
+				slice := testResourceSlice(goodName, goodName, driverName, 1)
+				slice.Spec.Devices[0].Attributes = nil
+				slice.Spec.Devices[0].Capacity = nil
+				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
+					{
+						CounterSet: "counterset-0",
+						Counters:   testMultipleCounters(resourceapi.ResourceSliceMaxCountersPerDeviceCounterConsumption + 1),
+					},
+				}
+				return slice
+			}(),
+		},
+		"max-number-of-devices-with-consumes-counters": {
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, goodName, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters)
+				for i := range slice.Spec.Devices {
+					slice.Spec.Devices[i].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
+						{
+							CounterSet: "counterset-0",
+							Counters:   testCounters(),
+						},
+					}
+				}
+				return slice
+			}(),
+		},
+		"too-many-devices-with-consumes-counters": {
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices"), resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters+1, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters)},
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, goodName, resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters+1)
+				slice.Spec.Devices[0].ConsumesCounters = []resourceapi.DeviceCounterConsumption{
+					{
+						CounterSet: "counterset-0",
+						Counters:   testCounters(),
+					},
 				}
-				slice.Spec.Devices[64].ConsumesCounters = createConsumesCounters(1)
 				return slice
 			}(),
 		},
@@ -818,11 +958,11 @@ func TestValidateResourceSlice(t *testing.T) {
 			slice: testResourceSliceWithBindingConditions(goodName, goodName, driverName, 1, []string{"example.com/condition1", "condition2"}, []string{"example.com/condition3", "condition4"}),
 		},
 		"too-many-binding-conditions": {
-			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingConditions"), resourceapi.BindingConditionsMaxSize+1, resourceapi.BindingConditionsMaxSize)},
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingConditions"), resourceapi.BindingConditionsMaxSize+1, resourceapi.BindingConditionsMaxSize).MarkCoveredByDeclarative()},
 			slice:        testResourceSliceWithBindingConditions(goodName, goodName, driverName, 1, []string{"condition1", "condition2", "condition3", "condition4", "condition5"}, []string{"condition6", "condition7"}),
 		},
 		"too-many-binding-failure-conditions": {
-			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingFailureConditions"), resourceapi.BindingConditionsMaxSize+1, resourceapi.BindingConditionsMaxSize)},
+			wantFailures: field.ErrorList{field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingFailureConditions"), resourceapi.BindingConditionsMaxSize+1, resourceapi.BindingConditionsMaxSize).MarkCoveredByDeclarative()},
 			slice:        testResourceSliceWithBindingConditions(goodName, goodName, driverName, 1, []string{"condition1", "condition2"}, []string{"condition3", "condition4", "condition5", "condition6", "condition7"}),
 		},
 		"invalid-binding-conditions": {
@@ -867,6 +1007,17 @@ func TestValidateResourceSlice(t *testing.T) {
 func TestValidateResourceSliceUpdate(t *testing.T) {
 	name := "valid"
 	validResourceSlice := testResourceSlice(name, name, name, 1)
+	invalidResourceSliceWithTaints := validResourceSlice.DeepCopy()
+	invalidResourceSliceWithTaints.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{
+		{
+			Key:    "unhealthy-power",
+			Effect: resourceapi.DeviceTaintEffectNoExecute,
+		},
+		{
+			Key:    "unhealthy-mem",
+			Effect: "some-other-effect",
+		},
+	}
 
 	scenarios := map[string]struct {
 		oldResourceSlice *resourceapi.ResourceSlice
@@ -938,6 +1089,31 @@ func TestValidateResourceSliceUpdate(t *testing.T) {
 				return slice
 			},
 		},
+		"invalid-new-effect-in-old-device": {
+			wantFailures:     field.ErrorList{field.NotSupported(field.NewPath("spec", "devices").Index(0).Child("taints").Index(1).Child("effect"), resourceapi.DeviceTaintEffect("some-other-effect"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule, resourceapi.DeviceTaintEffectNone})}.MarkCoveredByDeclarative(),
+			oldResourceSlice: validResourceSlice,
+			update: func(slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+				slice.Spec.Devices[0].Taints = invalidResourceSliceWithTaints.Spec.Devices[0].Taints
+				return slice
+			},
+		},
+		"valid-old-effect": {
+			oldResourceSlice: invalidResourceSliceWithTaints,
+			update: func(slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+				slice.Spec.Devices[0].Attributes["foo"] = resourceapi.DeviceAttribute{StringValue: ptr.To("bar")}
+				return slice
+			},
+		},
+		"invalid-new-effect-in-new-device": {
+			wantFailures:     field.ErrorList{field.NotSupported(field.NewPath("spec", "devices").Index(1).Child("taints").Index(1).Child("effect"), resourceapi.DeviceTaintEffect("some-other-effect"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule, resourceapi.DeviceTaintEffectNone})}.MarkCoveredByDeclarative(),
+			oldResourceSlice: invalidResourceSliceWithTaints,
+			update: func(slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+				device := slice.Spec.Devices[0].DeepCopy()
+				device.Name += "-other"
+				slice.Spec.Devices = append(slice.Spec.Devices, *device)
+				return slice
+			},
+		},
 	}
 
 	for name, scenario := range scenarios {
diff --git a/pkg/apis/resource/zz_generated.deepcopy.go b/pkg/apis/resource/zz_generated.deepcopy.go
index 937d5a5b35a3c..1b869906e0556 100644
--- a/pkg/apis/resource/zz_generated.deepcopy.go
+++ b/pkg/apis/resource/zz_generated.deepcopy.go
@@ -831,6 +831,7 @@ func (in *DeviceTaintRule) DeepCopyInto(out *DeviceTaintRule) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 	return
 }
 
@@ -908,13 +909,31 @@ func (in *DeviceTaintRuleSpec) DeepCopy() *DeviceTaintRuleSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+func (in *DeviceTaintRuleStatus) DeepCopyInto(out *DeviceTaintRuleStatus) {
 	*out = *in
-	if in.DeviceClassName != nil {
-		in, out := &in.DeviceClassName, &out.DeviceClassName
-		*out = new(string)
-		**out = **in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleStatus.
+func (in *DeviceTaintRuleStatus) DeepCopy() *DeviceTaintRuleStatus {
+	if in == nil {
+		return nil
 	}
+	out := new(DeviceTaintRuleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+	*out = *in
 	if in.Driver != nil {
 		in, out := &in.Driver, &out.Driver
 		*out = new(string)
@@ -930,13 +949,6 @@ func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.Selectors != nil {
-		in, out := &in.Selectors, &out.Selectors
-		*out = make([]DeviceSelector, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
 	return
 }
 
diff --git a/pkg/apis/scheduling/OWNERS b/pkg/apis/scheduling/OWNERS
new file mode 100644
index 0000000000000..0c9596d13a877
--- /dev/null
+++ b/pkg/apis/scheduling/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers:
+  - sig-scheduling-maintainers
+  - sig-scheduling
+labels:
+  - sig/scheduling
diff --git a/pkg/apis/scheduling/register.go b/pkg/apis/scheduling/register.go
index 664b5bd251261..ae4c71a6ca473 100644
--- a/pkg/apis/scheduling/register.go
+++ b/pkg/apis/scheduling/register.go
@@ -48,6 +48,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&PriorityClass{},
 		&PriorityClassList{},
+		&Workload{},
+		&WorkloadList{},
 	)
 	return nil
 }
diff --git a/pkg/apis/scheduling/types.go b/pkg/apis/scheduling/types.go
index 68daf016811e7..12730404c5f76 100644
--- a/pkg/apis/scheduling/types.go
+++ b/pkg/apis/scheduling/types.go
@@ -88,3 +88,129 @@ type PriorityClassList struct {
 	// items is the list of PriorityClasses.
 	Items []PriorityClass
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Workload allows for expressing scheduling constraints that should be used
+// when managing lifecycle of workloads from scheduling perspective,
+// including scheduling, preemption, eviction and other phases.
+type Workload struct {
+	metav1.TypeMeta
+	// Standard object's metadata.
+	// Name must be a DNS subdomain.
+	//
+	// +optional
+	metav1.ObjectMeta
+
+	// Spec defines the desired behavior of a Workload.
+	//
+	// +required
+	Spec WorkloadSpec
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// WorkloadList contains a list of Workload resources.
+type WorkloadList struct {
+	metav1.TypeMeta
+	// Standard list metadata.
+	//
+	// +optional
+	metav1.ListMeta
+
+	// Items is the list of Workloads.
+	Items []Workload
+}
+
+// WorkloadMaxPodGroups is the maximum number of pod groups per Workload.
+const WorkloadMaxPodGroups = 8
+
+// WorkloadSpec defines the desired state of a Workload.
+type WorkloadSpec struct {
+	// ControllerRef is an optional reference to the controlling object, such as a
+	// Deployment or Job. This field is intended for use by tools like CLIs
+	// to provide a link back to the original workload definition.
+	// When set, it cannot be changed.
+	//
+	// +optional
+	ControllerRef *TypedLocalObjectReference
+
+	// PodGroups is the list of pod groups that make up the Workload.
+	// The maximum number of pod groups is 8. This field is immutable.
+	//
+	// +required
+	// +listType=map
+	// +listMapKey=name
+	PodGroups []PodGroup
+}
+
+// TypedLocalObjectReference allows to reference typed object inside the same namespace.
+type TypedLocalObjectReference struct {
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is empty, the specified Kind must be in the core API group.
+	// For any other third-party types, setting APIGroup is required.
+	// It must be a DNS subdomain.
+	//
+	// +optional
+	APIGroup string
+	// Kind is the type of resource being referenced.
+	// It must be a path segment name.
+	//
+	// +required
+	Kind string
+	// Name is the name of resource being referenced.
+	// It must be a path segment name.
+	//
+	// +required
+	Name string
+}
+
+// PodGroup represents a set of pods with a common scheduling policy.
+type PodGroup struct {
+	// Name is a unique identifier for the PodGroup within the Workload.
+	// It must be a DNS label. This field is immutable.
+	//
+	// +required
+	Name string
+
+	// Policy defines the scheduling policy for this PodGroup.
+	//
+	// +required
+	Policy PodGroupPolicy
+}
+
+// PodGroupPolicy defines the scheduling configuration for a PodGroup.
+type PodGroupPolicy struct {
+	// Basic specifies that the pods in this group should be scheduled using
+	// standard Kubernetes scheduling behavior.
+	//
+	// +optional
+	// +oneOf=PolicySelection
+	Basic *BasicSchedulingPolicy
+
+	// Gang specifies that the pods in this group should be scheduled using
+	// all-or-nothing semantics.
+	//
+	// +optional
+	// +oneOf=PolicySelection
+	Gang *GangSchedulingPolicy
+}
+
+// BasicSchedulingPolicy indicates that standard Kubernetes
+// scheduling behavior should be used.
+type BasicSchedulingPolicy struct {
+	// This is intentionally empty. Its presence indicates that the basic
+	// scheduling policy should be applied. In the future, new fields may appear,
+	// describing such constraints on a pod group level without "all or nothing"
+	// (gang) scheduling.
+}
+
+// GangSchedulingPolicy defines the parameters for gang scheduling.
+type GangSchedulingPolicy struct {
+	// MinCount is the minimum number of pods that must be schedulable or scheduled
+	// at the same time for the scheduler to admit the entire group.
+	// It must be a positive integer.
+	//
+	// +required
+	MinCount int32
+}
diff --git a/pkg/apis/scheduling/v1/helpers.go b/pkg/apis/scheduling/v1/helpers.go
index d4af4933cfa69..907014a7f4254 100644
--- a/pkg/apis/scheduling/v1/helpers.go
+++ b/pkg/apis/scheduling/v1/helpers.go
@@ -43,16 +43,29 @@ var systemPriorityClasses = []*v1.PriorityClass{
 	},
 }
 
-// SystemPriorityClasses returns the list of system priority classes.
-// NOTE: be careful not to modify any of elements of the returned array directly.
+// SystemPriorityClasses returns a deep copy of the list of system priority classes.
+// If only the names are needed, use SystemPriorityClassNames().
 func SystemPriorityClasses() []*v1.PriorityClass {
-	return systemPriorityClasses
+	retval := make([]*v1.PriorityClass, 0, len(systemPriorityClasses))
+	for _, c := range systemPriorityClasses {
+		retval = append(retval, c.DeepCopy())
+	}
+	return retval
+}
+
+// SystemPriorityClassNames returns the names of system priority classes.
+func SystemPriorityClassNames() []string {
+	retval := make([]string, 0, len(systemPriorityClasses))
+	for _, c := range systemPriorityClasses {
+		retval = append(retval, c.Name)
+	}
+	return retval
 }
 
 // IsKnownSystemPriorityClass returns true if there's any of the system priority classes exactly
 // matches "name", "value", "globalDefault". otherwise it will return an error.
 func IsKnownSystemPriorityClass(name string, value int32, globalDefault bool) (bool, error) {
-	for _, spc := range SystemPriorityClasses() {
+	for _, spc := range systemPriorityClasses {
 		if spc.Name == name {
 			if spc.Value != value {
 				return false, fmt.Errorf("value of %v PriorityClass must be %v", spc.Name, spc.Value)
diff --git a/pkg/apis/scheduling/v1alpha1/zz_generated.conversion.go b/pkg/apis/scheduling/v1alpha1/zz_generated.conversion.go
index fb1c3b4203d6f..994deb7e22add 100644
--- a/pkg/apis/scheduling/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/scheduling/v1alpha1/zz_generated.conversion.go
@@ -39,6 +39,46 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.BasicSchedulingPolicy)(nil), (*scheduling.BasicSchedulingPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_BasicSchedulingPolicy_To_scheduling_BasicSchedulingPolicy(a.(*schedulingv1alpha1.BasicSchedulingPolicy), b.(*scheduling.BasicSchedulingPolicy), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.BasicSchedulingPolicy)(nil), (*schedulingv1alpha1.BasicSchedulingPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_BasicSchedulingPolicy_To_v1alpha1_BasicSchedulingPolicy(a.(*scheduling.BasicSchedulingPolicy), b.(*schedulingv1alpha1.BasicSchedulingPolicy), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.GangSchedulingPolicy)(nil), (*scheduling.GangSchedulingPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_GangSchedulingPolicy_To_scheduling_GangSchedulingPolicy(a.(*schedulingv1alpha1.GangSchedulingPolicy), b.(*scheduling.GangSchedulingPolicy), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.GangSchedulingPolicy)(nil), (*schedulingv1alpha1.GangSchedulingPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_GangSchedulingPolicy_To_v1alpha1_GangSchedulingPolicy(a.(*scheduling.GangSchedulingPolicy), b.(*schedulingv1alpha1.GangSchedulingPolicy), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.PodGroup)(nil), (*scheduling.PodGroup)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_PodGroup_To_scheduling_PodGroup(a.(*schedulingv1alpha1.PodGroup), b.(*scheduling.PodGroup), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.PodGroup)(nil), (*schedulingv1alpha1.PodGroup)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_PodGroup_To_v1alpha1_PodGroup(a.(*scheduling.PodGroup), b.(*schedulingv1alpha1.PodGroup), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.PodGroupPolicy)(nil), (*scheduling.PodGroupPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy(a.(*schedulingv1alpha1.PodGroupPolicy), b.(*scheduling.PodGroupPolicy), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.PodGroupPolicy)(nil), (*schedulingv1alpha1.PodGroupPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy(a.(*scheduling.PodGroupPolicy), b.(*schedulingv1alpha1.PodGroupPolicy), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.PriorityClass)(nil), (*scheduling.PriorityClass)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha1_PriorityClass_To_scheduling_PriorityClass(a.(*schedulingv1alpha1.PriorityClass), b.(*scheduling.PriorityClass), scope)
 	}); err != nil {
@@ -59,9 +99,135 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.TypedLocalObjectReference)(nil), (*scheduling.TypedLocalObjectReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_TypedLocalObjectReference_To_scheduling_TypedLocalObjectReference(a.(*schedulingv1alpha1.TypedLocalObjectReference), b.(*scheduling.TypedLocalObjectReference), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.TypedLocalObjectReference)(nil), (*schedulingv1alpha1.TypedLocalObjectReference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_TypedLocalObjectReference_To_v1alpha1_TypedLocalObjectReference(a.(*scheduling.TypedLocalObjectReference), b.(*schedulingv1alpha1.TypedLocalObjectReference), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.Workload)(nil), (*scheduling.Workload)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_Workload_To_scheduling_Workload(a.(*schedulingv1alpha1.Workload), b.(*scheduling.Workload), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.Workload)(nil), (*schedulingv1alpha1.Workload)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_Workload_To_v1alpha1_Workload(a.(*scheduling.Workload), b.(*schedulingv1alpha1.Workload), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.WorkloadList)(nil), (*scheduling.WorkloadList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WorkloadList_To_scheduling_WorkloadList(a.(*schedulingv1alpha1.WorkloadList), b.(*scheduling.WorkloadList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.WorkloadList)(nil), (*schedulingv1alpha1.WorkloadList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_WorkloadList_To_v1alpha1_WorkloadList(a.(*scheduling.WorkloadList), b.(*schedulingv1alpha1.WorkloadList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*schedulingv1alpha1.WorkloadSpec)(nil), (*scheduling.WorkloadSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec(a.(*schedulingv1alpha1.WorkloadSpec), b.(*scheduling.WorkloadSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*scheduling.WorkloadSpec)(nil), (*schedulingv1alpha1.WorkloadSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec(a.(*scheduling.WorkloadSpec), b.(*schedulingv1alpha1.WorkloadSpec), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_BasicSchedulingPolicy_To_scheduling_BasicSchedulingPolicy(in *schedulingv1alpha1.BasicSchedulingPolicy, out *scheduling.BasicSchedulingPolicy, s conversion.Scope) error {
+	return nil
+}
+
+// Convert_v1alpha1_BasicSchedulingPolicy_To_scheduling_BasicSchedulingPolicy is an autogenerated conversion function.
+func Convert_v1alpha1_BasicSchedulingPolicy_To_scheduling_BasicSchedulingPolicy(in *schedulingv1alpha1.BasicSchedulingPolicy, out *scheduling.BasicSchedulingPolicy, s conversion.Scope) error {
+	return autoConvert_v1alpha1_BasicSchedulingPolicy_To_scheduling_BasicSchedulingPolicy(in, out, s)
+}
+
+func autoConvert_scheduling_BasicSchedulingPolicy_To_v1alpha1_BasicSchedulingPolicy(in *scheduling.BasicSchedulingPolicy, out *schedulingv1alpha1.BasicSchedulingPolicy, s conversion.Scope) error {
+	return nil
+}
+
+// Convert_scheduling_BasicSchedulingPolicy_To_v1alpha1_BasicSchedulingPolicy is an autogenerated conversion function.
+func Convert_scheduling_BasicSchedulingPolicy_To_v1alpha1_BasicSchedulingPolicy(in *scheduling.BasicSchedulingPolicy, out *schedulingv1alpha1.BasicSchedulingPolicy, s conversion.Scope) error {
+	return autoConvert_scheduling_BasicSchedulingPolicy_To_v1alpha1_BasicSchedulingPolicy(in, out, s)
+}
+
+func autoConvert_v1alpha1_GangSchedulingPolicy_To_scheduling_GangSchedulingPolicy(in *schedulingv1alpha1.GangSchedulingPolicy, out *scheduling.GangSchedulingPolicy, s conversion.Scope) error {
+	out.MinCount = in.MinCount
+	return nil
+}
+
+// Convert_v1alpha1_GangSchedulingPolicy_To_scheduling_GangSchedulingPolicy is an autogenerated conversion function.
+func Convert_v1alpha1_GangSchedulingPolicy_To_scheduling_GangSchedulingPolicy(in *schedulingv1alpha1.GangSchedulingPolicy, out *scheduling.GangSchedulingPolicy, s conversion.Scope) error {
+	return autoConvert_v1alpha1_GangSchedulingPolicy_To_scheduling_GangSchedulingPolicy(in, out, s)
+}
+
+func autoConvert_scheduling_GangSchedulingPolicy_To_v1alpha1_GangSchedulingPolicy(in *scheduling.GangSchedulingPolicy, out *schedulingv1alpha1.GangSchedulingPolicy, s conversion.Scope) error {
+	out.MinCount = in.MinCount
+	return nil
+}
+
+// Convert_scheduling_GangSchedulingPolicy_To_v1alpha1_GangSchedulingPolicy is an autogenerated conversion function.
+func Convert_scheduling_GangSchedulingPolicy_To_v1alpha1_GangSchedulingPolicy(in *scheduling.GangSchedulingPolicy, out *schedulingv1alpha1.GangSchedulingPolicy, s conversion.Scope) error {
+	return autoConvert_scheduling_GangSchedulingPolicy_To_v1alpha1_GangSchedulingPolicy(in, out, s)
+}
+
+func autoConvert_v1alpha1_PodGroup_To_scheduling_PodGroup(in *schedulingv1alpha1.PodGroup, out *scheduling.PodGroup, s conversion.Scope) error {
+	out.Name = in.Name
+	if err := Convert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy(&in.Policy, &out.Policy, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_PodGroup_To_scheduling_PodGroup is an autogenerated conversion function.
+func Convert_v1alpha1_PodGroup_To_scheduling_PodGroup(in *schedulingv1alpha1.PodGroup, out *scheduling.PodGroup, s conversion.Scope) error {
+	return autoConvert_v1alpha1_PodGroup_To_scheduling_PodGroup(in, out, s)
+}
+
+func autoConvert_scheduling_PodGroup_To_v1alpha1_PodGroup(in *scheduling.PodGroup, out *schedulingv1alpha1.PodGroup, s conversion.Scope) error {
+	out.Name = in.Name
+	if err := Convert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy(&in.Policy, &out.Policy, s); err != nil {
+		return err
+	}
 	return nil
 }
 
+// Convert_scheduling_PodGroup_To_v1alpha1_PodGroup is an autogenerated conversion function.
+func Convert_scheduling_PodGroup_To_v1alpha1_PodGroup(in *scheduling.PodGroup, out *schedulingv1alpha1.PodGroup, s conversion.Scope) error {
+	return autoConvert_scheduling_PodGroup_To_v1alpha1_PodGroup(in, out, s)
+}
+
+func autoConvert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy(in *schedulingv1alpha1.PodGroupPolicy, out *scheduling.PodGroupPolicy, s conversion.Scope) error {
+	out.Basic = (*scheduling.BasicSchedulingPolicy)(unsafe.Pointer(in.Basic))
+	out.Gang = (*scheduling.GangSchedulingPolicy)(unsafe.Pointer(in.Gang))
+	return nil
+}
+
+// Convert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy is an autogenerated conversion function.
+func Convert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy(in *schedulingv1alpha1.PodGroupPolicy, out *scheduling.PodGroupPolicy, s conversion.Scope) error {
+	return autoConvert_v1alpha1_PodGroupPolicy_To_scheduling_PodGroupPolicy(in, out, s)
+}
+
+func autoConvert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy(in *scheduling.PodGroupPolicy, out *schedulingv1alpha1.PodGroupPolicy, s conversion.Scope) error {
+	out.Basic = (*schedulingv1alpha1.BasicSchedulingPolicy)(unsafe.Pointer(in.Basic))
+	out.Gang = (*schedulingv1alpha1.GangSchedulingPolicy)(unsafe.Pointer(in.Gang))
+	return nil
+}
+
+// Convert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy is an autogenerated conversion function.
+func Convert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy(in *scheduling.PodGroupPolicy, out *schedulingv1alpha1.PodGroupPolicy, s conversion.Scope) error {
+	return autoConvert_scheduling_PodGroupPolicy_To_v1alpha1_PodGroupPolicy(in, out, s)
+}
+
 func autoConvert_v1alpha1_PriorityClass_To_scheduling_PriorityClass(in *schedulingv1alpha1.PriorityClass, out *scheduling.PriorityClass, s conversion.Scope) error {
 	out.ObjectMeta = in.ObjectMeta
 	out.Value = in.Value
@@ -111,3 +277,97 @@ func autoConvert_scheduling_PriorityClassList_To_v1alpha1_PriorityClassList(in *
 func Convert_scheduling_PriorityClassList_To_v1alpha1_PriorityClassList(in *scheduling.PriorityClassList, out *schedulingv1alpha1.PriorityClassList, s conversion.Scope) error {
 	return autoConvert_scheduling_PriorityClassList_To_v1alpha1_PriorityClassList(in, out, s)
 }
+
+func autoConvert_v1alpha1_TypedLocalObjectReference_To_scheduling_TypedLocalObjectReference(in *schedulingv1alpha1.TypedLocalObjectReference, out *scheduling.TypedLocalObjectReference, s conversion.Scope) error {
+	out.APIGroup = in.APIGroup
+	out.Kind = in.Kind
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1alpha1_TypedLocalObjectReference_To_scheduling_TypedLocalObjectReference is an autogenerated conversion function.
+func Convert_v1alpha1_TypedLocalObjectReference_To_scheduling_TypedLocalObjectReference(in *schedulingv1alpha1.TypedLocalObjectReference, out *scheduling.TypedLocalObjectReference, s conversion.Scope) error {
+	return autoConvert_v1alpha1_TypedLocalObjectReference_To_scheduling_TypedLocalObjectReference(in, out, s)
+}
+
+func autoConvert_scheduling_TypedLocalObjectReference_To_v1alpha1_TypedLocalObjectReference(in *scheduling.TypedLocalObjectReference, out *schedulingv1alpha1.TypedLocalObjectReference, s conversion.Scope) error {
+	out.APIGroup = in.APIGroup
+	out.Kind = in.Kind
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_scheduling_TypedLocalObjectReference_To_v1alpha1_TypedLocalObjectReference is an autogenerated conversion function.
+func Convert_scheduling_TypedLocalObjectReference_To_v1alpha1_TypedLocalObjectReference(in *scheduling.TypedLocalObjectReference, out *schedulingv1alpha1.TypedLocalObjectReference, s conversion.Scope) error {
+	return autoConvert_scheduling_TypedLocalObjectReference_To_v1alpha1_TypedLocalObjectReference(in, out, s)
+}
+
+func autoConvert_v1alpha1_Workload_To_scheduling_Workload(in *schedulingv1alpha1.Workload, out *scheduling.Workload, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha1_Workload_To_scheduling_Workload is an autogenerated conversion function.
+func Convert_v1alpha1_Workload_To_scheduling_Workload(in *schedulingv1alpha1.Workload, out *scheduling.Workload, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Workload_To_scheduling_Workload(in, out, s)
+}
+
+func autoConvert_scheduling_Workload_To_v1alpha1_Workload(in *scheduling.Workload, out *schedulingv1alpha1.Workload, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_scheduling_Workload_To_v1alpha1_Workload is an autogenerated conversion function.
+func Convert_scheduling_Workload_To_v1alpha1_Workload(in *scheduling.Workload, out *schedulingv1alpha1.Workload, s conversion.Scope) error {
+	return autoConvert_scheduling_Workload_To_v1alpha1_Workload(in, out, s)
+}
+
+func autoConvert_v1alpha1_WorkloadList_To_scheduling_WorkloadList(in *schedulingv1alpha1.WorkloadList, out *scheduling.WorkloadList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]scheduling.Workload)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha1_WorkloadList_To_scheduling_WorkloadList is an autogenerated conversion function.
+func Convert_v1alpha1_WorkloadList_To_scheduling_WorkloadList(in *schedulingv1alpha1.WorkloadList, out *scheduling.WorkloadList, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WorkloadList_To_scheduling_WorkloadList(in, out, s)
+}
+
+func autoConvert_scheduling_WorkloadList_To_v1alpha1_WorkloadList(in *scheduling.WorkloadList, out *schedulingv1alpha1.WorkloadList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]schedulingv1alpha1.Workload)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_scheduling_WorkloadList_To_v1alpha1_WorkloadList is an autogenerated conversion function.
+func Convert_scheduling_WorkloadList_To_v1alpha1_WorkloadList(in *scheduling.WorkloadList, out *schedulingv1alpha1.WorkloadList, s conversion.Scope) error {
+	return autoConvert_scheduling_WorkloadList_To_v1alpha1_WorkloadList(in, out, s)
+}
+
+func autoConvert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec(in *schedulingv1alpha1.WorkloadSpec, out *scheduling.WorkloadSpec, s conversion.Scope) error {
+	out.ControllerRef = (*scheduling.TypedLocalObjectReference)(unsafe.Pointer(in.ControllerRef))
+	out.PodGroups = *(*[]scheduling.PodGroup)(unsafe.Pointer(&in.PodGroups))
+	return nil
+}
+
+// Convert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec is an autogenerated conversion function.
+func Convert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec(in *schedulingv1alpha1.WorkloadSpec, out *scheduling.WorkloadSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_WorkloadSpec_To_scheduling_WorkloadSpec(in, out, s)
+}
+
+func autoConvert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec(in *scheduling.WorkloadSpec, out *schedulingv1alpha1.WorkloadSpec, s conversion.Scope) error {
+	out.ControllerRef = (*schedulingv1alpha1.TypedLocalObjectReference)(unsafe.Pointer(in.ControllerRef))
+	out.PodGroups = *(*[]schedulingv1alpha1.PodGroup)(unsafe.Pointer(&in.PodGroups))
+	return nil
+}
+
+// Convert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec is an autogenerated conversion function.
+func Convert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec(in *scheduling.WorkloadSpec, out *schedulingv1alpha1.WorkloadSpec, s conversion.Scope) error {
+	return autoConvert_scheduling_WorkloadSpec_To_v1alpha1_WorkloadSpec(in, out, s)
+}
diff --git a/pkg/apis/scheduling/validation/validation.go b/pkg/apis/scheduling/validation/validation.go
index 2812f9acbfd7a..6ca22364544d3 100644
--- a/pkg/apis/scheduling/validation/validation.go
+++ b/pkg/apis/scheduling/validation/validation.go
@@ -21,6 +21,9 @@ import (
 	"strings"
 
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
+	pathvalidation "k8s.io/apimachinery/pkg/api/validation/path"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
@@ -61,3 +64,120 @@ func ValidatePriorityClassUpdate(pc, oldPc *scheduling.PriorityClass) field.Erro
 	allErrs = append(allErrs, apivalidation.ValidateImmutableField(pc.PreemptionPolicy, oldPc.PreemptionPolicy, field.NewPath("preemptionPolicy"))...)
 	return allErrs
 }
+
+// ValidateWorkload tests if all fields in a Workload are set correctly.
+func ValidateWorkload(workload *scheduling.Workload) field.ErrorList {
+	allErrs := apivalidation.ValidateObjectMeta(&workload.ObjectMeta, true, apivalidation.ValidateWorkloadName, field.NewPath("metadata"))
+	allErrs = append(allErrs, validateWorkloadSpec(&workload.Spec, field.NewPath("spec"))...)
+	return allErrs
+}
+
+func validateWorkloadSpec(spec *scheduling.WorkloadSpec, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if spec.ControllerRef != nil {
+		allErrs = append(allErrs, validateControllerRef(spec.ControllerRef, fldPath.Child("controllerRef"))...)
+	}
+	existingPodGroups := sets.New[string]()
+	podGroupsPath := fldPath.Child("podGroups")
+	if len(spec.PodGroups) == 0 {
+		allErrs = append(allErrs, field.Required(podGroupsPath, "must have at least one item"))
+	} else if len(spec.PodGroups) > scheduling.WorkloadMaxPodGroups {
+		allErrs = append(allErrs, field.TooMany(fldPath.Child("podGroups"), len(spec.PodGroups), scheduling.WorkloadMaxPodGroups))
+	} else {
+		for i := range spec.PodGroups {
+			allErrs = append(allErrs, validatePodGroup(&spec.PodGroups[i], podGroupsPath.Index(i), existingPodGroups)...)
+		}
+	}
+	return allErrs
+}
+
+func validateControllerRef(ref *scheduling.TypedLocalObjectReference, fldPath *field.Path) field.ErrorList {
+	var allErrs = field.ErrorList{}
+	if ref.APIGroup != "" {
+		for _, msg := range validation.IsDNS1123Subdomain(ref.APIGroup) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("apiGroup"), ref.APIGroup, msg))
+		}
+	}
+	if ref.Kind == "" {
+		allErrs = append(allErrs, field.Required(fldPath.Child("kind"), ""))
+	} else {
+		for _, msg := range pathvalidation.IsValidPathSegmentName(ref.Kind) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("kind"), ref.Kind, msg))
+		}
+	}
+	if ref.Name == "" {
+		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+	} else {
+		for _, msg := range pathvalidation.IsValidPathSegmentName(ref.Name) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), ref.Name, msg))
+		}
+	}
+	return allErrs
+}
+
+func validatePodGroup(podGroup *scheduling.PodGroup, fldPath *field.Path, existingPodGroups sets.Set[string]) field.ErrorList {
+	var allErrs field.ErrorList
+	for _, detail := range apivalidation.ValidatePodGroupName(podGroup.Name, false) {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), podGroup.Name, detail))
+	}
+	if existingPodGroups.Has(podGroup.Name) {
+		allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), podGroup.Name))
+	} else {
+		existingPodGroups.Insert(podGroup.Name)
+	}
+	allErrs = append(allErrs, validatePodGroupPolicy(&podGroup.Policy, fldPath.Child("policy"))...)
+	return allErrs
+}
+
+func validatePodGroupPolicy(policy *scheduling.PodGroupPolicy, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	var setFields []string
+
+	if policy.Basic != nil {
+		setFields = append(setFields, "`basic`")
+	}
+	if policy.Gang != nil {
+		setFields = append(setFields, "`gang`")
+	}
+
+	switch {
+	case len(setFields) == 0:
+		allErrs = append(allErrs, field.Required(fldPath, "exactly one of `basic`, `gang` is required"))
+	case len(setFields) > 1:
+		allErrs = append(allErrs, field.Invalid(fldPath, fmt.Sprintf("{%s}", strings.Join(setFields, ", ")),
+			"exactly one of `basic`, `gang` is required, but multiple fields are set"))
+	case policy.Basic != nil:
+		allErrs = append(allErrs, validatBasicSchedulingPolicy(policy.Basic, fldPath.Child("basic"))...)
+	case policy.Gang != nil:
+		allErrs = append(allErrs, validateGangSchedulingPolicy(policy.Gang, fldPath.Child("gang"))...)
+	}
+
+	return allErrs
+}
+
+func validatBasicSchedulingPolicy(policy *scheduling.BasicSchedulingPolicy, fldPath *field.Path) field.ErrorList {
+	// BasicSchedulingPolicy has no fields.
+	return nil
+}
+
+func validateGangSchedulingPolicy(policy *scheduling.GangSchedulingPolicy, fldPath *field.Path) field.ErrorList {
+	allErrs := apivalidation.ValidatePositiveField(int64(policy.MinCount), fldPath.Child("minCount"))
+	return allErrs
+}
+
+// ValidateWorkloadUpdate tests if an update to Workload is valid.
+func ValidateWorkloadUpdate(workload, oldWorkload *scheduling.Workload) field.ErrorList {
+	allErrs := apivalidation.ValidateObjectMetaUpdate(&workload.ObjectMeta, &oldWorkload.ObjectMeta, field.NewPath("metadata"))
+	allErrs = append(allErrs, validateWorkloadSpec(&workload.Spec, field.NewPath("spec"))...)
+	allErrs = append(allErrs, validateWorkloadSpecUpdate(&workload.Spec, &oldWorkload.Spec, field.NewPath("spec"))...)
+	return allErrs
+}
+
+func validateWorkloadSpecUpdate(spec, oldSpec *scheduling.WorkloadSpec, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if oldSpec.ControllerRef != nil {
+		allErrs = apimachineryvalidation.ValidateImmutableField(spec.ControllerRef, oldSpec.ControllerRef, field.NewPath("controllerRef"))
+	}
+	allErrs = append(allErrs, apivalidation.ValidateImmutableField(spec.PodGroups, oldSpec.PodGroups, field.NewPath("podGroups"))...)
+	return allErrs
+}
diff --git a/pkg/apis/scheduling/validation/validation_test.go b/pkg/apis/scheduling/validation/validation_test.go
index 1316b519c2eeb..8372169b5ae15 100644
--- a/pkg/apis/scheduling/validation/validation_test.go
+++ b/pkg/apis/scheduling/validation/validation_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package validation
 
 import (
+	"fmt"
+	"strings"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -180,3 +182,230 @@ func TestValidatePriorityClassUpdate(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateWorkload(t *testing.T) {
+	successCases := map[string]*scheduling.Workload{
+		"basic and gang policies": mkWorkload(),
+		"no controllerRef": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef = nil
+		}),
+		"no controllerRef apiGroup": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.APIGroup = ""
+		}),
+	}
+	for name, workload := range successCases {
+		errs := ValidateWorkload(workload)
+		if len(errs) != 0 {
+			t.Errorf("Expected success for %q: %v", name, errs)
+		}
+	}
+
+	failureCases := map[string]*scheduling.Workload{
+		"no name": mkWorkload(func(w *scheduling.Workload) {
+			w.Name = ""
+		}),
+		"invalid name": mkWorkload(func(w *scheduling.Workload) {
+			w.Name = ".workload"
+		}),
+		"too long name": mkWorkload(func(w *scheduling.Workload) {
+			w.Name = strings.Repeat("w", 254)
+		}),
+		"no namespace": mkWorkload(func(w *scheduling.Workload) {
+			w.Namespace = ""
+		}),
+		"invalid namespace": mkWorkload(func(w *scheduling.Workload) {
+			w.Namespace = ".ns"
+		}),
+		"too long namespace": mkWorkload(func(w *scheduling.Workload) {
+			w.Namespace = strings.Repeat("n", 64)
+		}),
+		"invalid controllerRef apiGroup": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.APIGroup = ".group"
+		}),
+		"too long controllerRef apiGroup": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.APIGroup = strings.Repeat("g", 254)
+		}),
+		"no controllerRef kind": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.Kind = ""
+		}),
+		"invalid controllerRef kind": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.Kind = "/foo"
+		}),
+		"no controllerRef name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.Name = ""
+		}),
+		"invalid controllerRef name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.ControllerRef.Name = "/baz"
+		}),
+		"no pod groups": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups = nil
+		}),
+		"too many pod groups": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups = nil
+			for i := 0; i < scheduling.WorkloadMaxPodGroups+1; i++ {
+				w.Spec.PodGroups = append(w.Spec.PodGroups, scheduling.PodGroup{
+					Name: fmt.Sprintf("group-%v", i),
+					Policy: scheduling.PodGroupPolicy{
+						Basic: &scheduling.BasicSchedulingPolicy{},
+					},
+				})
+			}
+		}),
+		"no pod group name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[0].Name = ""
+		}),
+		"invalid pod group name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[0].Name = ".group1"
+		}),
+		"too long pod group name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[0].Name = strings.Repeat("g", 64)
+		}),
+		"no policy set": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[0].Policy = scheduling.PodGroupPolicy{}
+		}),
+		"two policies": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[0].Policy.Gang = &scheduling.GangSchedulingPolicy{
+				MinCount: 2,
+			}
+		}),
+		"zero min count in gang": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[1].Policy.Gang.MinCount = 0
+		}),
+		"negative min count in gang": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[1].Policy.Gang.MinCount = -1
+		}),
+		"two pod groups with the same name": mkWorkload(func(w *scheduling.Workload) {
+			w.Spec.PodGroups[1].Name = w.Spec.PodGroups[0].Name
+		}),
+	}
+	for name, workload := range failureCases {
+		errs := ValidateWorkload(workload)
+		if len(errs) == 0 {
+			t.Errorf("Expected failure for %q", name)
+		}
+	}
+}
+
+func TestValidateWorkloadUpdate(t *testing.T) {
+	successCases := map[string]struct {
+		old    *scheduling.Workload
+		update *scheduling.Workload
+	}{
+		"no change": {
+			old:    mkWorkload(),
+			update: mkWorkload(),
+		},
+		"set controller ref": {
+			old: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.ControllerRef = nil
+			}),
+			update: mkWorkload(),
+		},
+	}
+	for name, tc := range successCases {
+		tc.old.ResourceVersion = "0"
+		tc.update.ResourceVersion = "1"
+		errs := ValidateWorkloadUpdate(tc.update, tc.old)
+		if len(errs) != 0 {
+			t.Errorf("Expected success for %q: %v", name, errs)
+		}
+	}
+
+	failureCases := map[string]struct {
+		old    *scheduling.Workload
+		update *scheduling.Workload
+	}{
+		"change name": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Name += "bar"
+			}),
+		},
+		"change namespace": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Namespace += "bar"
+			}),
+		},
+		"change pod group name": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.PodGroups[0].Name += "bar"
+			}),
+		},
+		"add pod group": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.PodGroups = append(w.Spec.PodGroups, scheduling.PodGroup{
+					Name: "group3",
+					Policy: scheduling.PodGroupPolicy{
+						Basic: &scheduling.BasicSchedulingPolicy{},
+					},
+				})
+			}),
+		},
+		"delete pod group": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.PodGroups = w.Spec.PodGroups[:1]
+			}),
+		},
+		"change gang min count": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.PodGroups[1].Policy.Gang.MinCount = 5
+			}),
+		},
+		"change controllerRef": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.ControllerRef.Kind += "bar"
+			}),
+		},
+		"delete controllerRef": {
+			old: mkWorkload(),
+			update: mkWorkload(func(w *scheduling.Workload) {
+				w.Spec.ControllerRef = nil
+			}),
+		},
+	}
+	for name, tc := range failureCases {
+		tc.old.ResourceVersion = "0"
+		tc.update.ResourceVersion = "1"
+		errs := ValidateWorkloadUpdate(tc.update, tc.old)
+		if len(errs) == 0 {
+			t.Errorf("Expected failure for %q", name)
+		}
+	}
+}
+
+// mkWorkload produces a Workload which passes validation with no tweaks.
+func mkWorkload(tweaks ...func(w *scheduling.Workload)) *scheduling.Workload {
+	w := &scheduling.Workload{
+		ObjectMeta: metav1.ObjectMeta{Name: "workload", Namespace: "ns"},
+		Spec: scheduling.WorkloadSpec{
+			ControllerRef: &scheduling.TypedLocalObjectReference{
+				APIGroup: "group",
+				Kind:     "foo",
+				Name:     "baz",
+			},
+			PodGroups: []scheduling.PodGroup{{
+				Name: "group1",
+				Policy: scheduling.PodGroupPolicy{
+					Basic: &scheduling.BasicSchedulingPolicy{},
+				},
+			}, {
+				Name: "group2",
+				Policy: scheduling.PodGroupPolicy{
+					Gang: &scheduling.GangSchedulingPolicy{
+						MinCount: 2,
+					},
+				},
+			}},
+		},
+	}
+	for _, tweak := range tweaks {
+		tweak(w)
+	}
+	return w
+}
diff --git a/pkg/apis/scheduling/zz_generated.deepcopy.go b/pkg/apis/scheduling/zz_generated.deepcopy.go
index 04ab256185d82..853afd8c1c468 100644
--- a/pkg/apis/scheduling/zz_generated.deepcopy.go
+++ b/pkg/apis/scheduling/zz_generated.deepcopy.go
@@ -26,6 +26,81 @@ import (
 	core "k8s.io/kubernetes/pkg/apis/core"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BasicSchedulingPolicy) DeepCopyInto(out *BasicSchedulingPolicy) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicSchedulingPolicy.
+func (in *BasicSchedulingPolicy) DeepCopy() *BasicSchedulingPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(BasicSchedulingPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GangSchedulingPolicy) DeepCopyInto(out *GangSchedulingPolicy) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangSchedulingPolicy.
+func (in *GangSchedulingPolicy) DeepCopy() *GangSchedulingPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(GangSchedulingPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodGroup) DeepCopyInto(out *PodGroup) {
+	*out = *in
+	in.Policy.DeepCopyInto(&out.Policy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodGroup.
+func (in *PodGroup) DeepCopy() *PodGroup {
+	if in == nil {
+		return nil
+	}
+	out := new(PodGroup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodGroupPolicy) DeepCopyInto(out *PodGroupPolicy) {
+	*out = *in
+	if in.Basic != nil {
+		in, out := &in.Basic, &out.Basic
+		*out = new(BasicSchedulingPolicy)
+		**out = **in
+	}
+	if in.Gang != nil {
+		in, out := &in.Gang, &out.Gang
+		*out = new(GangSchedulingPolicy)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodGroupPolicy.
+func (in *PodGroupPolicy) DeepCopy() *PodGroupPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(PodGroupPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PriorityClass) DeepCopyInto(out *PriorityClass) {
 	*out = *in
@@ -89,3 +164,107 @@ func (in *PriorityClassList) DeepCopyObject() runtime.Object {
 	}
 	return nil
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TypedLocalObjectReference) DeepCopyInto(out *TypedLocalObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypedLocalObjectReference.
+func (in *TypedLocalObjectReference) DeepCopy() *TypedLocalObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(TypedLocalObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Workload) DeepCopyInto(out *Workload) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workload.
+func (in *Workload) DeepCopy() *Workload {
+	if in == nil {
+		return nil
+	}
+	out := new(Workload)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Workload) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadList) DeepCopyInto(out *WorkloadList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Workload, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadList.
+func (in *WorkloadList) DeepCopy() *WorkloadList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadSpec) DeepCopyInto(out *WorkloadSpec) {
+	*out = *in
+	if in.ControllerRef != nil {
+		in, out := &in.ControllerRef, &out.ControllerRef
+		*out = new(TypedLocalObjectReference)
+		**out = **in
+	}
+	if in.PodGroups != nil {
+		in, out := &in.PodGroups, &out.PodGroups
+		*out = make([]PodGroup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadSpec.
+func (in *WorkloadSpec) DeepCopy() *WorkloadSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/pkg/apis/storage/types.go b/pkg/apis/storage/types.go
index 9590c64c22a56..02aa225f34161 100644
--- a/pkg/apis/storage/types.go
+++ b/pkg/apis/storage/types.go
@@ -433,6 +433,31 @@ type CSIDriverSpec struct {
 	// +featureGate=MutableCSINodeAllocatableCount
 	// +optional
 	NodeAllocatableUpdatePeriodSeconds *int64
+
+	// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+	// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+	// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+	// field for sensitive information like tokens, which is the appropriate mechanism for
+	// handling credentials. This addresses security concerns where sensitive tokens were being
+	// logged as part of volume context, leading to vulnerabilities like CVE-2023-2878 and
+	// CVE-2024-3744.
+	//
+	// When "true", kubelet will pass the tokens only in the Secrets field with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+	// tokens from the Secrets field instead of VolumeContext.
+	//
+	// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+	// compatibility with existing CSI drivers.
+	//
+	// This field can only be set when TokenRequests is configured. The API server will reject
+	// CSIDriver specs that set this field without TokenRequests.
+	//
+	// Default is "false".
+	//
+	// +featureGate=CSIServiceAccountTokenSecrets
+	// +optional
+	ServiceAccountTokenInSecrets *bool
 }
 
 // FSGroupPolicy specifies if a CSI Driver supports modifying
diff --git a/pkg/apis/storage/v1/doc.go b/pkg/apis/storage/v1/doc.go
index 455fd010a1f6d..7c35db3b1f2e9 100644
--- a/pkg/apis/storage/v1/doc.go
+++ b/pkg/apis/storage/v1/doc.go
@@ -19,5 +19,7 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/storage/v1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/storage/v1
 
 package v1
diff --git a/pkg/apis/storage/v1/zz_generated.conversion.go b/pkg/apis/storage/v1/zz_generated.conversion.go
index 2183e32ae7081..98b90848128c3 100644
--- a/pkg/apis/storage/v1/zz_generated.conversion.go
+++ b/pkg/apis/storage/v1/zz_generated.conversion.go
@@ -333,6 +333,7 @@ func autoConvert_v1_CSIDriverSpec_To_storage_CSIDriverSpec(in *storagev1.CSIDriv
 	out.RequiresRepublish = (*bool)(unsafe.Pointer(in.RequiresRepublish))
 	out.SELinuxMount = (*bool)(unsafe.Pointer(in.SELinuxMount))
 	out.NodeAllocatableUpdatePeriodSeconds = (*int64)(unsafe.Pointer(in.NodeAllocatableUpdatePeriodSeconds))
+	out.ServiceAccountTokenInSecrets = (*bool)(unsafe.Pointer(in.ServiceAccountTokenInSecrets))
 	return nil
 }
 
@@ -351,6 +352,7 @@ func autoConvert_storage_CSIDriverSpec_To_v1_CSIDriverSpec(in *storage.CSIDriver
 	out.RequiresRepublish = (*bool)(unsafe.Pointer(in.RequiresRepublish))
 	out.SELinuxMount = (*bool)(unsafe.Pointer(in.SELinuxMount))
 	out.NodeAllocatableUpdatePeriodSeconds = (*int64)(unsafe.Pointer(in.NodeAllocatableUpdatePeriodSeconds))
+	out.ServiceAccountTokenInSecrets = (*bool)(unsafe.Pointer(in.ServiceAccountTokenInSecrets))
 	return nil
 }
 
diff --git a/pkg/apis/storage/v1/zz_generated.validations.go b/pkg/apis/storage/v1/zz_generated.validations.go
new file mode 100644
index 0000000000000..7122d64164dc8
--- /dev/null
+++ b/pkg/apis/storage/v1/zz_generated.validations.go
@@ -0,0 +1,114 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	storagev1 "k8s.io/api/storage/v1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type StorageClass
+	scheme.AddValidationFunc((*storagev1.StorageClass)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_StorageClass(ctx, op, nil /* fldPath */, obj.(*storagev1.StorageClass), safe.Cast[*storagev1.StorageClass](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type StorageClassList
+	scheme.AddValidationFunc((*storagev1.StorageClassList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_StorageClassList(ctx, op, nil /* fldPath */, obj.(*storagev1.StorageClassList), safe.Cast[*storagev1.StorageClassList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_StorageClass validates an instance of StorageClass according
+// to declarative validation rules in the API schema.
+func Validate_StorageClass(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *storagev1.StorageClass) (errs field.ErrorList) {
+	// field storagev1.StorageClass.TypeMeta has no validation
+	// field storagev1.StorageClass.ObjectMeta has no validation
+
+	// field storagev1.StorageClass.Provisioner
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("provisioner"), &obj.Provisioner, safe.Field(oldObj, func(oldObj *storagev1.StorageClass) *string { return &oldObj.Provisioner }), oldObj != nil)...)
+
+	// field storagev1.StorageClass.Parameters has no validation
+	// field storagev1.StorageClass.ReclaimPolicy has no validation
+	// field storagev1.StorageClass.MountOptions has no validation
+	// field storagev1.StorageClass.AllowVolumeExpansion has no validation
+	// field storagev1.StorageClass.VolumeBindingMode has no validation
+	// field storagev1.StorageClass.AllowedTopologies has no validation
+	return errs
+}
+
+// Validate_StorageClassList validates an instance of StorageClassList according
+// to declarative validation rules in the API schema.
+func Validate_StorageClassList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *storagev1.StorageClassList) (errs field.ErrorList) {
+	// field storagev1.StorageClassList.TypeMeta has no validation
+	// field storagev1.StorageClassList.ListMeta has no validation
+
+	// field storagev1.StorageClassList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []storagev1.StorageClass, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_StorageClass)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *storagev1.StorageClassList) []storagev1.StorageClass { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/pkg/apis/storage/v1alpha1/doc.go b/pkg/apis/storage/v1alpha1/doc.go
index e0e102acc6c63..6bbf17394571b 100644
--- a/pkg/apis/storage/v1alpha1/doc.go
+++ b/pkg/apis/storage/v1alpha1/doc.go
@@ -19,5 +19,7 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/storage/v1alpha1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/storage/v1alpha1
 
 package v1alpha1
diff --git a/pkg/apis/storage/v1alpha1/zz_generated.validations.go b/pkg/apis/storage/v1alpha1/zz_generated.validations.go
new file mode 100644
index 0000000000000..483365f8c94a1
--- /dev/null
+++ b/pkg/apis/storage/v1alpha1/zz_generated.validations.go
@@ -0,0 +1,34 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	return nil
+}
diff --git a/pkg/apis/storage/v1beta1/doc.go b/pkg/apis/storage/v1beta1/doc.go
index 60f550386b24a..ee186a821dc49 100644
--- a/pkg/apis/storage/v1beta1/doc.go
+++ b/pkg/apis/storage/v1beta1/doc.go
@@ -19,5 +19,7 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:defaulter-gen-input=k8s.io/api/storage/v1beta1
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-input=k8s.io/api/storage/v1beta1
 
 package v1beta1
diff --git a/pkg/apis/storage/v1beta1/zz_generated.conversion.go b/pkg/apis/storage/v1beta1/zz_generated.conversion.go
index c6c30e3634cf5..e72efb43aaa0c 100644
--- a/pkg/apis/storage/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/storage/v1beta1/zz_generated.conversion.go
@@ -333,6 +333,7 @@ func autoConvert_v1beta1_CSIDriverSpec_To_storage_CSIDriverSpec(in *storagev1bet
 	out.RequiresRepublish = (*bool)(unsafe.Pointer(in.RequiresRepublish))
 	out.SELinuxMount = (*bool)(unsafe.Pointer(in.SELinuxMount))
 	out.NodeAllocatableUpdatePeriodSeconds = (*int64)(unsafe.Pointer(in.NodeAllocatableUpdatePeriodSeconds))
+	out.ServiceAccountTokenInSecrets = (*bool)(unsafe.Pointer(in.ServiceAccountTokenInSecrets))
 	return nil
 }
 
@@ -351,6 +352,7 @@ func autoConvert_storage_CSIDriverSpec_To_v1beta1_CSIDriverSpec(in *storage.CSID
 	out.RequiresRepublish = (*bool)(unsafe.Pointer(in.RequiresRepublish))
 	out.SELinuxMount = (*bool)(unsafe.Pointer(in.SELinuxMount))
 	out.NodeAllocatableUpdatePeriodSeconds = (*int64)(unsafe.Pointer(in.NodeAllocatableUpdatePeriodSeconds))
+	out.ServiceAccountTokenInSecrets = (*bool)(unsafe.Pointer(in.ServiceAccountTokenInSecrets))
 	return nil
 }
 
diff --git a/pkg/apis/storage/v1beta1/zz_generated.validations.go b/pkg/apis/storage/v1beta1/zz_generated.validations.go
new file mode 100644
index 0000000000000..fcb28065d2189
--- /dev/null
+++ b/pkg/apis/storage/v1beta1/zz_generated.validations.go
@@ -0,0 +1,114 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+	fmt "fmt"
+
+	storagev1beta1 "k8s.io/api/storage/v1beta1"
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *runtime.Scheme) error {
+	// type StorageClass
+	scheme.AddValidationFunc((*storagev1beta1.StorageClass)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_StorageClass(ctx, op, nil /* fldPath */, obj.(*storagev1beta1.StorageClass), safe.Cast[*storagev1beta1.StorageClass](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type StorageClassList
+	scheme.AddValidationFunc((*storagev1beta1.StorageClassList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_StorageClassList(ctx, op, nil /* fldPath */, obj.(*storagev1beta1.StorageClassList), safe.Cast[*storagev1beta1.StorageClassList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_StorageClass validates an instance of StorageClass according
+// to declarative validation rules in the API schema.
+func Validate_StorageClass(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *storagev1beta1.StorageClass) (errs field.ErrorList) {
+	// field storagev1beta1.StorageClass.TypeMeta has no validation
+	// field storagev1beta1.StorageClass.ObjectMeta has no validation
+
+	// field storagev1beta1.StorageClass.Provisioner
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("provisioner"), &obj.Provisioner, safe.Field(oldObj, func(oldObj *storagev1beta1.StorageClass) *string { return &oldObj.Provisioner }), oldObj != nil)...)
+
+	// field storagev1beta1.StorageClass.Parameters has no validation
+	// field storagev1beta1.StorageClass.ReclaimPolicy has no validation
+	// field storagev1beta1.StorageClass.MountOptions has no validation
+	// field storagev1beta1.StorageClass.AllowVolumeExpansion has no validation
+	// field storagev1beta1.StorageClass.VolumeBindingMode has no validation
+	// field storagev1beta1.StorageClass.AllowedTopologies has no validation
+	return errs
+}
+
+// Validate_StorageClassList validates an instance of StorageClassList according
+// to declarative validation rules in the API schema.
+func Validate_StorageClassList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *storagev1beta1.StorageClassList) (errs field.ErrorList) {
+	// field storagev1beta1.StorageClassList.TypeMeta has no validation
+	// field storagev1beta1.StorageClassList.ListMeta has no validation
+
+	// field storagev1beta1.StorageClassList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []storagev1beta1.StorageClass, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_StorageClass)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *storagev1beta1.StorageClassList) []storagev1beta1.StorageClass { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/pkg/apis/storage/validation/validation.go b/pkg/apis/storage/validation/validation.go
index 6378066bae590..e103b613aae58 100644
--- a/pkg/apis/storage/validation/validation.go
+++ b/pkg/apis/storage/validation/validation.go
@@ -88,7 +88,7 @@ func ValidateStorageClassUpdate(storageClass, oldStorageClass *storage.StorageCl
 func validateProvisioner(provisioner string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	if len(provisioner) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath, provisioner))
+		allErrs = append(allErrs, field.Required(fldPath, provisioner)).MarkCoveredByDeclarative()
 	}
 	if len(provisioner) > 0 {
 		allErrs = append(allErrs, apivalidation.ValidateQualifiedName(strings.ToLower(provisioner), fldPath)...)
@@ -456,6 +456,7 @@ func validateCSIDriverSpec(
 	allErrs = append(allErrs, validateVolumeLifecycleModes(spec.VolumeLifecycleModes, fldPath.Child("volumeLifecycleModes"))...)
 	allErrs = append(allErrs, validateSELinuxMount(spec.SELinuxMount, fldPath.Child("seLinuxMount"))...)
 	allErrs = append(allErrs, validateNodeAllocatableUpdatePeriodSeconds(spec.NodeAllocatableUpdatePeriodSeconds, fldPath.Child("nodeAllocatableUpdatePeriodSeconds"))...)
+	allErrs = append(allErrs, validateServiceAccountTokenInSecrets(spec.ServiceAccountTokenInSecrets, spec.TokenRequests, fldPath.Child("serviceAccountTokenInSecrets"))...)
 	return allErrs
 }
 
@@ -572,6 +573,16 @@ func validateSELinuxMount(seLinuxMount *bool, fldPath *field.Path) field.ErrorLi
 	return allErrs
 }
 
+// validvalidateServiceAccountTokenInSecrets validates serviceAccountTokenInSecrets and its relation to tokenRequests.
+func validateServiceAccountTokenInSecrets(serviceAccountTokenInSecrets *bool, tokenRequests []storage.TokenRequest, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if serviceAccountTokenInSecrets != nil && len(tokenRequests) == 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath, serviceAccountTokenInSecrets, "serviceAccountTokenInSecrets is set but no tokenRequests are specified"))
+	}
+
+	return allErrs
+}
+
 // ValidateStorageCapacityName checks that a name is appropriate for a
 // CSIStorageCapacity object.
 var ValidateStorageCapacityName = apimachineryvalidation.NameIsDNSSubdomain
diff --git a/pkg/apis/storage/validation/validation_test.go b/pkg/apis/storage/validation/validation_test.go
index 0c4cd15de45f5..61b0c99d7de60 100644
--- a/pkg/apis/storage/validation/validation_test.go
+++ b/pkg/apis/storage/validation/validation_test.go
@@ -1523,6 +1523,7 @@ func TestCSIDriverValidation(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
 	// assume this feature is on for this test, detailed enabled/disabled tests in TestMutableCSINodeAllocatableCountEnabledDisabled
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountTokenSecrets, true)
 
 	driverName := "test-driver"
 	longName := "my-a-b-c-d-c-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z-ABCDEFGHIJKLMNOPQRSTUVWXYZ-driver"
@@ -1536,10 +1537,13 @@ func TestCSIDriverValidation(t *testing.T) {
 	notStorageCapacity := false
 	seLinuxMount := true
 	notSELinuxMount := false
+	serviceAccountTokenInSecrets := true
+	notServiceAccountTokenInSecrets := false
 	supportedFSGroupPolicy := storage.FileFSGroupPolicy
 	invalidFSGroupPolicy := storage.FSGroupPolicy("invalid-mode")
 	validNodeAllocatableUpdatePeriodSeconds := int64(10)
 	invalidNodeAllocatableUpdatePeriodSeconds := int64(9)
+	tokenRequests := []storage.TokenRequest{{Audience: "test-audience"}}
 	successCases := []storage.CSIDriver{{
 		ObjectMeta: metav1.ObjectMeta{Name: driverName},
 		Spec: storage.CSIDriverSpec{
@@ -1709,6 +1713,41 @@ func TestCSIDriverValidation(t *testing.T) {
 			SELinuxMount:                       &seLinuxMount,
 			NodeAllocatableUpdatePeriodSeconds: &validNodeAllocatableUpdatePeriodSeconds,
 		},
+	}, {
+		// With ServiceAccountTokenInSecrets set to true with TokenRequests
+		ObjectMeta: metav1.ObjectMeta{Name: driverName},
+		Spec: storage.CSIDriverSpec{
+			AttachRequired:               &attachNotRequired,
+			PodInfoOnMount:               &notPodInfoOnMount,
+			RequiresRepublish:            &notRequiresRepublish,
+			StorageCapacity:              &storageCapacity,
+			SELinuxMount:                 &seLinuxMount,
+			ServiceAccountTokenInSecrets: &serviceAccountTokenInSecrets,
+			TokenRequests:                tokenRequests,
+		},
+	}, {
+		// With ServiceAccountTokenInSecrets set to false with TokenRequests
+		ObjectMeta: metav1.ObjectMeta{Name: driverName},
+		Spec: storage.CSIDriverSpec{
+			AttachRequired:               &attachNotRequired,
+			PodInfoOnMount:               &notPodInfoOnMount,
+			RequiresRepublish:            &notRequiresRepublish,
+			StorageCapacity:              &storageCapacity,
+			SELinuxMount:                 &seLinuxMount,
+			ServiceAccountTokenInSecrets: &notServiceAccountTokenInSecrets,
+			TokenRequests:                tokenRequests,
+		},
+	}, {
+		// With ServiceAccountTokenInSecrets set to nil (not set)
+		ObjectMeta: metav1.ObjectMeta{Name: driverName},
+		Spec: storage.CSIDriverSpec{
+			AttachRequired:               &attachNotRequired,
+			PodInfoOnMount:               &notPodInfoOnMount,
+			RequiresRepublish:            &notRequiresRepublish,
+			StorageCapacity:              &storageCapacity,
+			SELinuxMount:                 &seLinuxMount,
+			ServiceAccountTokenInSecrets: nil,
+		},
 	}}
 
 	for _, csiDriver := range successCases {
@@ -1799,6 +1838,16 @@ func TestCSIDriverValidation(t *testing.T) {
 			SELinuxMount:                       &seLinuxMount,
 			NodeAllocatableUpdatePeriodSeconds: &invalidNodeAllocatableUpdatePeriodSeconds,
 		},
+	}, {
+		// ServiceAccountTokenInSecrets set without TokenRequests (invalid)
+		ObjectMeta: metav1.ObjectMeta{Name: driverName},
+		Spec: storage.CSIDriverSpec{
+			AttachRequired:               &attachNotRequired,
+			PodInfoOnMount:               &notPodInfoOnMount,
+			StorageCapacity:              &storageCapacity,
+			SELinuxMount:                 &seLinuxMount,
+			ServiceAccountTokenInSecrets: &serviceAccountTokenInSecrets,
+		},
 	}}
 
 	for _, csiDriver := range errorCases {
@@ -1813,6 +1862,7 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
 	// assume this feature is on for this test, detailed enabled/disabled tests in TestMutableCSINodeAllocatableCountEnabledDisabled
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountTokenSecrets, true)
 
 	driverName := "test-driver"
 	longName := "my-a-b-c-d-c-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z-ABCDEFGHIJKLMNOPQRSTUVWXYZ-driver"
@@ -1828,8 +1878,11 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 	notStorageCapacity := false
 	seLinuxMount := true
 	notSELinuxMount := false
+	serviceAccountTokenInSecrets := true
+	notServiceAccountTokenInSecrets := false
 	validNodeAllocatableUpdatePeriodSeconds := int64(10)
 	invalidNodeAllocatableUpdatePeriodSeconds := int64(9)
+	tokenRequests := []storage.TokenRequest{{Audience: "test-audience"}}
 
 	old := storage.CSIDriver{
 		ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: "1"},
@@ -1888,6 +1941,26 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 		modify: func(new *storage.CSIDriver) {
 			new.Spec.NodeAllocatableUpdatePeriodSeconds = &validNodeAllocatableUpdatePeriodSeconds
 		},
+	}, {
+		name: "change ServiceAccountTokenInSecrets from nil to true with TokenRequests",
+		modify: func(new *storage.CSIDriver) {
+			new.Spec.ServiceAccountTokenInSecrets = &serviceAccountTokenInSecrets
+			new.Spec.TokenRequests = tokenRequests
+		},
+	}, {
+		name: "change ServiceAccountTokenInSecrets from nil to false with TokenRequests",
+		modify: func(new *storage.CSIDriver) {
+			new.Spec.ServiceAccountTokenInSecrets = &notServiceAccountTokenInSecrets
+			new.Spec.TokenRequests = tokenRequests
+		},
+	}, {
+		name: "change ServiceAccountTokenInSecrets from true to false",
+		modify: func(new *storage.CSIDriver) {
+			new.Spec.ServiceAccountTokenInSecrets = &serviceAccountTokenInSecrets
+			new.Spec.TokenRequests = tokenRequests
+			old := new.DeepCopy()
+			old.Spec.ServiceAccountTokenInSecrets = &notServiceAccountTokenInSecrets
+		},
 	}}
 
 	for _, test := range successCases {
@@ -1980,6 +2053,11 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 		modify: func(new *storage.CSIDriver) {
 			new.Spec.NodeAllocatableUpdatePeriodSeconds = &invalidNodeAllocatableUpdatePeriodSeconds
 		},
+	}, {
+		name: "ServiceAccountTokenInSecrets set without TokenRequests",
+		modify: func(new *storage.CSIDriver) {
+			new.Spec.ServiceAccountTokenInSecrets = &serviceAccountTokenInSecrets
+		},
 	}}
 
 	for _, test := range errorCases {
diff --git a/pkg/apis/storage/zz_generated.deepcopy.go b/pkg/apis/storage/zz_generated.deepcopy.go
index 331352db3b108..f76e0695da70b 100644
--- a/pkg/apis/storage/zz_generated.deepcopy.go
+++ b/pkg/apis/storage/zz_generated.deepcopy.go
@@ -137,6 +137,11 @@ func (in *CSIDriverSpec) DeepCopyInto(out *CSIDriverSpec) {
 		*out = new(int64)
 		**out = **in
 	}
+	if in.ServiceAccountTokenInSecrets != nil {
+		in, out := &in.ServiceAccountTokenInSecrets, &out.ServiceAccountTokenInSecrets
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/apis/storagemigration/install/install.go b/pkg/apis/storagemigration/install/install.go
index f5d972a817b59..da100b960d2ac 100644
--- a/pkg/apis/storagemigration/install/install.go
+++ b/pkg/apis/storagemigration/install/install.go
@@ -20,7 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
-	"k8s.io/kubernetes/pkg/apis/storagemigration/v1alpha1"
+	"k8s.io/kubernetes/pkg/apis/storagemigration/v1beta1"
 
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 )
@@ -32,6 +32,6 @@ func init() {
 // Install registers the API group and adds types to a scheme
 func Install(scheme *runtime.Scheme) {
 	utilruntime.Must(storagemigration.AddToScheme(scheme))
-	utilruntime.Must(v1alpha1.AddToScheme(scheme))
-	utilruntime.Must(scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion))
+	utilruntime.Must(v1beta1.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(v1beta1.SchemeGroupVersion))
 }
diff --git a/pkg/apis/storagemigration/types.go b/pkg/apis/storagemigration/types.go
index bc7ecb9e9dace..5944b67657d5e 100644
--- a/pkg/apis/storagemigration/types.go
+++ b/pkg/apis/storagemigration/types.go
@@ -17,7 +17,6 @@ limitations under the License.
 package storagemigration
 
 import (
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -47,25 +46,7 @@ type StorageVersionMigrationSpec struct {
 	// The resource that is being migrated. The migrator sends requests to
 	// the endpoint serving the resource.
 	// Immutable.
-	Resource GroupVersionResource
-	// The token used in the list options to get the next chunk of objects
-	// to migrate. When the .status.conditions indicates the migration is
-	// "Running", users can use this token to check the progress of the
-	// migration.
-	// +optional
-	ContinueToken string
-	// TODO: consider recording the storage version hash when the migration
-	// is created. It can avoid races.
-}
-
-// The names of the group, the version, and the resource.
-type GroupVersionResource struct {
-	// The name of the group.
-	Group string
-	// The name of the version.
-	Version string
-	// The name of the resource.
-	Resource string
+	Resource metav1.GroupResource
 }
 
 type MigrationConditionType string
@@ -79,23 +60,6 @@ const (
 	MigrationFailed MigrationConditionType = "Failed"
 )
 
-// Describes the state of a migration at a certain point.
-type MigrationCondition struct {
-	// Type of the condition.
-	Type MigrationConditionType
-	// Status of the condition, one of True, False, Unknown.
-	Status corev1.ConditionStatus
-	// The last time this condition was updated.
-	// +optional
-	LastUpdateTime metav1.Time
-	// The reason for the condition's last transition.
-	// +optional
-	Reason string
-	// A human readable message indicating details about the transition.
-	// +optional
-	Message string
-}
-
 // Status of the storage version migration.
 type StorageVersionMigrationStatus struct {
 	// The latest available observations of the migration's current state.
@@ -104,7 +68,7 @@ type StorageVersionMigrationStatus struct {
 	// +listType=map
 	// +listMapKey=type
 	// +optional
-	Conditions []MigrationCondition
+	Conditions []metav1.Condition
 	// ResourceVersion to compare with the GC cache for performing the migration.
 	// This is the current resource version of given group, version and resource when
 	// kube-controller-manager first observes this StorageVersionMigration resource.
@@ -123,9 +87,5 @@ type StorageVersionMigrationList struct {
 	// +optional
 	metav1.ListMeta
 	// Items is the list of StorageVersionMigration
-	// +patchMergeKey=type
-	// +patchStrategy=merge
-	// +listType=map
-	// +listMapKey=type
 	Items []StorageVersionMigration
 }
diff --git a/pkg/apis/storagemigration/v1alpha1/doc.go b/pkg/apis/storagemigration/v1alpha1/doc.go
deleted file mode 100644
index 67db57a3b543b..0000000000000
--- a/pkg/apis/storagemigration/v1alpha1/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/storagemigration
-// +k8s:conversion-gen-external-types=k8s.io/api/storagemigration/v1alpha1
-// +groupName=storagemigration.k8s.io
-// +k8s:defaulter-gen=TypeMeta
-// +k8s:defaulter-gen-input=k8s.io/api/storagemigration/v1alpha1
-
-package v1alpha1
diff --git a/pkg/apis/storagemigration/v1alpha1/register.go b/pkg/apis/storagemigration/v1alpha1/register.go
deleted file mode 100644
index 4eb8af72ce2ed..0000000000000
--- a/pkg/apis/storagemigration/v1alpha1/register.go
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-)
-
-// GroupName is the group name use in this package
-const GroupName = "storagemigration.k8s.io"
-
-// SchemeGroupVersion is group version used to register these objects
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
-	localSchemeBuilder = &svmv1alpha1.SchemeBuilder
-	AddToScheme        = localSchemeBuilder.AddToScheme
-)
diff --git a/pkg/apis/storagemigration/v1alpha1/zz_generated.conversion.go b/pkg/apis/storagemigration/v1alpha1/zz_generated.conversion.go
deleted file mode 100644
index 2830a7fe1fea6..0000000000000
--- a/pkg/apis/storagemigration/v1alpha1/zz_generated.conversion.go
+++ /dev/null
@@ -1,256 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by conversion-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	unsafe "unsafe"
-
-	v1 "k8s.io/api/core/v1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	conversion "k8s.io/apimachinery/pkg/conversion"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	storagemigration "k8s.io/kubernetes/pkg/apis/storagemigration"
-)
-
-func init() {
-	localSchemeBuilder.Register(RegisterConversions)
-}
-
-// RegisterConversions adds conversion functions to the given scheme.
-// Public to allow building arbitrary schemes.
-func RegisterConversions(s *runtime.Scheme) error {
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.GroupVersionResource)(nil), (*storagemigration.GroupVersionResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource(a.(*storagemigrationv1alpha1.GroupVersionResource), b.(*storagemigration.GroupVersionResource), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.GroupVersionResource)(nil), (*storagemigrationv1alpha1.GroupVersionResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource(a.(*storagemigration.GroupVersionResource), b.(*storagemigrationv1alpha1.GroupVersionResource), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.MigrationCondition)(nil), (*storagemigration.MigrationCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_MigrationCondition_To_storagemigration_MigrationCondition(a.(*storagemigrationv1alpha1.MigrationCondition), b.(*storagemigration.MigrationCondition), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.MigrationCondition)(nil), (*storagemigrationv1alpha1.MigrationCondition)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_MigrationCondition_To_v1alpha1_MigrationCondition(a.(*storagemigration.MigrationCondition), b.(*storagemigrationv1alpha1.MigrationCondition), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.StorageVersionMigration)(nil), (*storagemigration.StorageVersionMigration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(a.(*storagemigrationv1alpha1.StorageVersionMigration), b.(*storagemigration.StorageVersionMigration), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigration)(nil), (*storagemigrationv1alpha1.StorageVersionMigration)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_StorageVersionMigration_To_v1alpha1_StorageVersionMigration(a.(*storagemigration.StorageVersionMigration), b.(*storagemigrationv1alpha1.StorageVersionMigration), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.StorageVersionMigrationList)(nil), (*storagemigration.StorageVersionMigrationList)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(a.(*storagemigrationv1alpha1.StorageVersionMigrationList), b.(*storagemigration.StorageVersionMigrationList), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationList)(nil), (*storagemigrationv1alpha1.StorageVersionMigrationList)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_StorageVersionMigrationList_To_v1alpha1_StorageVersionMigrationList(a.(*storagemigration.StorageVersionMigrationList), b.(*storagemigrationv1alpha1.StorageVersionMigrationList), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.StorageVersionMigrationSpec)(nil), (*storagemigration.StorageVersionMigrationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(a.(*storagemigrationv1alpha1.StorageVersionMigrationSpec), b.(*storagemigration.StorageVersionMigrationSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationSpec)(nil), (*storagemigrationv1alpha1.StorageVersionMigrationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec(a.(*storagemigration.StorageVersionMigrationSpec), b.(*storagemigrationv1alpha1.StorageVersionMigrationSpec), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigrationv1alpha1.StorageVersionMigrationStatus)(nil), (*storagemigration.StorageVersionMigrationStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(a.(*storagemigrationv1alpha1.StorageVersionMigrationStatus), b.(*storagemigration.StorageVersionMigrationStatus), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationStatus)(nil), (*storagemigrationv1alpha1.StorageVersionMigrationStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus(a.(*storagemigration.StorageVersionMigrationStatus), b.(*storagemigrationv1alpha1.StorageVersionMigrationStatus), scope)
-	}); err != nil {
-		return err
-	}
-	return nil
-}
-
-func autoConvert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource(in *storagemigrationv1alpha1.GroupVersionResource, out *storagemigration.GroupVersionResource, s conversion.Scope) error {
-	out.Group = in.Group
-	out.Version = in.Version
-	out.Resource = in.Resource
-	return nil
-}
-
-// Convert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource is an autogenerated conversion function.
-func Convert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource(in *storagemigrationv1alpha1.GroupVersionResource, out *storagemigration.GroupVersionResource, s conversion.Scope) error {
-	return autoConvert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource(in, out, s)
-}
-
-func autoConvert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource(in *storagemigration.GroupVersionResource, out *storagemigrationv1alpha1.GroupVersionResource, s conversion.Scope) error {
-	out.Group = in.Group
-	out.Version = in.Version
-	out.Resource = in.Resource
-	return nil
-}
-
-// Convert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource is an autogenerated conversion function.
-func Convert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource(in *storagemigration.GroupVersionResource, out *storagemigrationv1alpha1.GroupVersionResource, s conversion.Scope) error {
-	return autoConvert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource(in, out, s)
-}
-
-func autoConvert_v1alpha1_MigrationCondition_To_storagemigration_MigrationCondition(in *storagemigrationv1alpha1.MigrationCondition, out *storagemigration.MigrationCondition, s conversion.Scope) error {
-	out.Type = storagemigration.MigrationConditionType(in.Type)
-	out.Status = v1.ConditionStatus(in.Status)
-	out.LastUpdateTime = in.LastUpdateTime
-	out.Reason = in.Reason
-	out.Message = in.Message
-	return nil
-}
-
-// Convert_v1alpha1_MigrationCondition_To_storagemigration_MigrationCondition is an autogenerated conversion function.
-func Convert_v1alpha1_MigrationCondition_To_storagemigration_MigrationCondition(in *storagemigrationv1alpha1.MigrationCondition, out *storagemigration.MigrationCondition, s conversion.Scope) error {
-	return autoConvert_v1alpha1_MigrationCondition_To_storagemigration_MigrationCondition(in, out, s)
-}
-
-func autoConvert_storagemigration_MigrationCondition_To_v1alpha1_MigrationCondition(in *storagemigration.MigrationCondition, out *storagemigrationv1alpha1.MigrationCondition, s conversion.Scope) error {
-	out.Type = storagemigrationv1alpha1.MigrationConditionType(in.Type)
-	out.Status = v1.ConditionStatus(in.Status)
-	out.LastUpdateTime = in.LastUpdateTime
-	out.Reason = in.Reason
-	out.Message = in.Message
-	return nil
-}
-
-// Convert_storagemigration_MigrationCondition_To_v1alpha1_MigrationCondition is an autogenerated conversion function.
-func Convert_storagemigration_MigrationCondition_To_v1alpha1_MigrationCondition(in *storagemigration.MigrationCondition, out *storagemigrationv1alpha1.MigrationCondition, s conversion.Scope) error {
-	return autoConvert_storagemigration_MigrationCondition_To_v1alpha1_MigrationCondition(in, out, s)
-}
-
-func autoConvert_v1alpha1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in *storagemigrationv1alpha1.StorageVersionMigration, out *storagemigration.StorageVersionMigration, s conversion.Scope) error {
-	out.ObjectMeta = in.ObjectMeta
-	if err := Convert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(&in.Status, &out.Status, s); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_v1alpha1_StorageVersionMigration_To_storagemigration_StorageVersionMigration is an autogenerated conversion function.
-func Convert_v1alpha1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in *storagemigrationv1alpha1.StorageVersionMigration, out *storagemigration.StorageVersionMigration, s conversion.Scope) error {
-	return autoConvert_v1alpha1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in, out, s)
-}
-
-func autoConvert_storagemigration_StorageVersionMigration_To_v1alpha1_StorageVersionMigration(in *storagemigration.StorageVersionMigration, out *storagemigrationv1alpha1.StorageVersionMigration, s conversion.Scope) error {
-	out.ObjectMeta = in.ObjectMeta
-	if err := Convert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec(&in.Spec, &out.Spec, s); err != nil {
-		return err
-	}
-	if err := Convert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus(&in.Status, &out.Status, s); err != nil {
-		return err
-	}
-	return nil
-}
-
-// Convert_storagemigration_StorageVersionMigration_To_v1alpha1_StorageVersionMigration is an autogenerated conversion function.
-func Convert_storagemigration_StorageVersionMigration_To_v1alpha1_StorageVersionMigration(in *storagemigration.StorageVersionMigration, out *storagemigrationv1alpha1.StorageVersionMigration, s conversion.Scope) error {
-	return autoConvert_storagemigration_StorageVersionMigration_To_v1alpha1_StorageVersionMigration(in, out, s)
-}
-
-func autoConvert_v1alpha1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in *storagemigrationv1alpha1.StorageVersionMigrationList, out *storagemigration.StorageVersionMigrationList, s conversion.Scope) error {
-	out.ListMeta = in.ListMeta
-	out.Items = *(*[]storagemigration.StorageVersionMigration)(unsafe.Pointer(&in.Items))
-	return nil
-}
-
-// Convert_v1alpha1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList is an autogenerated conversion function.
-func Convert_v1alpha1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in *storagemigrationv1alpha1.StorageVersionMigrationList, out *storagemigration.StorageVersionMigrationList, s conversion.Scope) error {
-	return autoConvert_v1alpha1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in, out, s)
-}
-
-func autoConvert_storagemigration_StorageVersionMigrationList_To_v1alpha1_StorageVersionMigrationList(in *storagemigration.StorageVersionMigrationList, out *storagemigrationv1alpha1.StorageVersionMigrationList, s conversion.Scope) error {
-	out.ListMeta = in.ListMeta
-	out.Items = *(*[]storagemigrationv1alpha1.StorageVersionMigration)(unsafe.Pointer(&in.Items))
-	return nil
-}
-
-// Convert_storagemigration_StorageVersionMigrationList_To_v1alpha1_StorageVersionMigrationList is an autogenerated conversion function.
-func Convert_storagemigration_StorageVersionMigrationList_To_v1alpha1_StorageVersionMigrationList(in *storagemigration.StorageVersionMigrationList, out *storagemigrationv1alpha1.StorageVersionMigrationList, s conversion.Scope) error {
-	return autoConvert_storagemigration_StorageVersionMigrationList_To_v1alpha1_StorageVersionMigrationList(in, out, s)
-}
-
-func autoConvert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in *storagemigrationv1alpha1.StorageVersionMigrationSpec, out *storagemigration.StorageVersionMigrationSpec, s conversion.Scope) error {
-	if err := Convert_v1alpha1_GroupVersionResource_To_storagemigration_GroupVersionResource(&in.Resource, &out.Resource, s); err != nil {
-		return err
-	}
-	out.ContinueToken = in.ContinueToken
-	return nil
-}
-
-// Convert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec is an autogenerated conversion function.
-func Convert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in *storagemigrationv1alpha1.StorageVersionMigrationSpec, out *storagemigration.StorageVersionMigrationSpec, s conversion.Scope) error {
-	return autoConvert_v1alpha1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in, out, s)
-}
-
-func autoConvert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec(in *storagemigration.StorageVersionMigrationSpec, out *storagemigrationv1alpha1.StorageVersionMigrationSpec, s conversion.Scope) error {
-	if err := Convert_storagemigration_GroupVersionResource_To_v1alpha1_GroupVersionResource(&in.Resource, &out.Resource, s); err != nil {
-		return err
-	}
-	out.ContinueToken = in.ContinueToken
-	return nil
-}
-
-// Convert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec is an autogenerated conversion function.
-func Convert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec(in *storagemigration.StorageVersionMigrationSpec, out *storagemigrationv1alpha1.StorageVersionMigrationSpec, s conversion.Scope) error {
-	return autoConvert_storagemigration_StorageVersionMigrationSpec_To_v1alpha1_StorageVersionMigrationSpec(in, out, s)
-}
-
-func autoConvert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in *storagemigrationv1alpha1.StorageVersionMigrationStatus, out *storagemigration.StorageVersionMigrationStatus, s conversion.Scope) error {
-	out.Conditions = *(*[]storagemigration.MigrationCondition)(unsafe.Pointer(&in.Conditions))
-	out.ResourceVersion = in.ResourceVersion
-	return nil
-}
-
-// Convert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus is an autogenerated conversion function.
-func Convert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in *storagemigrationv1alpha1.StorageVersionMigrationStatus, out *storagemigration.StorageVersionMigrationStatus, s conversion.Scope) error {
-	return autoConvert_v1alpha1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in, out, s)
-}
-
-func autoConvert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus(in *storagemigration.StorageVersionMigrationStatus, out *storagemigrationv1alpha1.StorageVersionMigrationStatus, s conversion.Scope) error {
-	out.Conditions = *(*[]storagemigrationv1alpha1.MigrationCondition)(unsafe.Pointer(&in.Conditions))
-	out.ResourceVersion = in.ResourceVersion
-	return nil
-}
-
-// Convert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus is an autogenerated conversion function.
-func Convert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus(in *storagemigration.StorageVersionMigrationStatus, out *storagemigrationv1alpha1.StorageVersionMigrationStatus, s conversion.Scope) error {
-	return autoConvert_storagemigration_StorageVersionMigrationStatus_To_v1alpha1_StorageVersionMigrationStatus(in, out, s)
-}
diff --git a/pkg/apis/storagemigration/v1beta1/doc.go b/pkg/apis/storagemigration/v1beta1/doc.go
new file mode 100644
index 0000000000000..d414f83bd5b0a
--- /dev/null
+++ b/pkg/apis/storagemigration/v1beta1/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:conversion-gen=k8s.io/kubernetes/pkg/apis/storagemigration
+// +k8s:conversion-gen-external-types=k8s.io/api/storagemigration/v1beta1
+// +groupName=storagemigration.k8s.io
+// +k8s:defaulter-gen=TypeMeta
+// +k8s:defaulter-gen-input=k8s.io/api/storagemigration/v1beta1
+
+package v1beta1
diff --git a/pkg/apis/storagemigration/v1beta1/register.go b/pkg/apis/storagemigration/v1beta1/register.go
new file mode 100644
index 0000000000000..e8747fc637a86
--- /dev/null
+++ b/pkg/apis/storagemigration/v1beta1/register.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "storagemigration.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	localSchemeBuilder = &svmv1beta1.SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
diff --git a/pkg/apis/storagemigration/v1beta1/zz_generated.conversion.go b/pkg/apis/storagemigration/v1beta1/zz_generated.conversion.go
new file mode 100644
index 0000000000000..9b1b160f71c6c
--- /dev/null
+++ b/pkg/apis/storagemigration/v1beta1/zz_generated.conversion.go
@@ -0,0 +1,178 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	unsafe "unsafe"
+
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	storagemigration "k8s.io/kubernetes/pkg/apis/storagemigration"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*storagemigrationv1beta1.StorageVersionMigration)(nil), (*storagemigration.StorageVersionMigration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(a.(*storagemigrationv1beta1.StorageVersionMigration), b.(*storagemigration.StorageVersionMigration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigration)(nil), (*storagemigrationv1beta1.StorageVersionMigration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_storagemigration_StorageVersionMigration_To_v1beta1_StorageVersionMigration(a.(*storagemigration.StorageVersionMigration), b.(*storagemigrationv1beta1.StorageVersionMigration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigrationv1beta1.StorageVersionMigrationList)(nil), (*storagemigration.StorageVersionMigrationList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(a.(*storagemigrationv1beta1.StorageVersionMigrationList), b.(*storagemigration.StorageVersionMigrationList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationList)(nil), (*storagemigrationv1beta1.StorageVersionMigrationList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_storagemigration_StorageVersionMigrationList_To_v1beta1_StorageVersionMigrationList(a.(*storagemigration.StorageVersionMigrationList), b.(*storagemigrationv1beta1.StorageVersionMigrationList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigrationv1beta1.StorageVersionMigrationSpec)(nil), (*storagemigration.StorageVersionMigrationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(a.(*storagemigrationv1beta1.StorageVersionMigrationSpec), b.(*storagemigration.StorageVersionMigrationSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationSpec)(nil), (*storagemigrationv1beta1.StorageVersionMigrationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec(a.(*storagemigration.StorageVersionMigrationSpec), b.(*storagemigrationv1beta1.StorageVersionMigrationSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigrationv1beta1.StorageVersionMigrationStatus)(nil), (*storagemigration.StorageVersionMigrationStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(a.(*storagemigrationv1beta1.StorageVersionMigrationStatus), b.(*storagemigration.StorageVersionMigrationStatus), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*storagemigration.StorageVersionMigrationStatus)(nil), (*storagemigrationv1beta1.StorageVersionMigrationStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus(a.(*storagemigration.StorageVersionMigrationStatus), b.(*storagemigrationv1beta1.StorageVersionMigrationStatus), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1beta1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in *storagemigrationv1beta1.StorageVersionMigration, out *storagemigration.StorageVersionMigration, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1beta1_StorageVersionMigration_To_storagemigration_StorageVersionMigration is an autogenerated conversion function.
+func Convert_v1beta1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in *storagemigrationv1beta1.StorageVersionMigration, out *storagemigration.StorageVersionMigration, s conversion.Scope) error {
+	return autoConvert_v1beta1_StorageVersionMigration_To_storagemigration_StorageVersionMigration(in, out, s)
+}
+
+func autoConvert_storagemigration_StorageVersionMigration_To_v1beta1_StorageVersionMigration(in *storagemigration.StorageVersionMigration, out *storagemigrationv1beta1.StorageVersionMigration, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	if err := Convert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus(&in.Status, &out.Status, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_storagemigration_StorageVersionMigration_To_v1beta1_StorageVersionMigration is an autogenerated conversion function.
+func Convert_storagemigration_StorageVersionMigration_To_v1beta1_StorageVersionMigration(in *storagemigration.StorageVersionMigration, out *storagemigrationv1beta1.StorageVersionMigration, s conversion.Scope) error {
+	return autoConvert_storagemigration_StorageVersionMigration_To_v1beta1_StorageVersionMigration(in, out, s)
+}
+
+func autoConvert_v1beta1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in *storagemigrationv1beta1.StorageVersionMigrationList, out *storagemigration.StorageVersionMigrationList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]storagemigration.StorageVersionMigration)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1beta1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList is an autogenerated conversion function.
+func Convert_v1beta1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in *storagemigrationv1beta1.StorageVersionMigrationList, out *storagemigration.StorageVersionMigrationList, s conversion.Scope) error {
+	return autoConvert_v1beta1_StorageVersionMigrationList_To_storagemigration_StorageVersionMigrationList(in, out, s)
+}
+
+func autoConvert_storagemigration_StorageVersionMigrationList_To_v1beta1_StorageVersionMigrationList(in *storagemigration.StorageVersionMigrationList, out *storagemigrationv1beta1.StorageVersionMigrationList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]storagemigrationv1beta1.StorageVersionMigration)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_storagemigration_StorageVersionMigrationList_To_v1beta1_StorageVersionMigrationList is an autogenerated conversion function.
+func Convert_storagemigration_StorageVersionMigrationList_To_v1beta1_StorageVersionMigrationList(in *storagemigration.StorageVersionMigrationList, out *storagemigrationv1beta1.StorageVersionMigrationList, s conversion.Scope) error {
+	return autoConvert_storagemigration_StorageVersionMigrationList_To_v1beta1_StorageVersionMigrationList(in, out, s)
+}
+
+func autoConvert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in *storagemigrationv1beta1.StorageVersionMigrationSpec, out *storagemigration.StorageVersionMigrationSpec, s conversion.Scope) error {
+	out.Resource = in.Resource
+	return nil
+}
+
+// Convert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec is an autogenerated conversion function.
+func Convert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in *storagemigrationv1beta1.StorageVersionMigrationSpec, out *storagemigration.StorageVersionMigrationSpec, s conversion.Scope) error {
+	return autoConvert_v1beta1_StorageVersionMigrationSpec_To_storagemigration_StorageVersionMigrationSpec(in, out, s)
+}
+
+func autoConvert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec(in *storagemigration.StorageVersionMigrationSpec, out *storagemigrationv1beta1.StorageVersionMigrationSpec, s conversion.Scope) error {
+	out.Resource = in.Resource
+	return nil
+}
+
+// Convert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec is an autogenerated conversion function.
+func Convert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec(in *storagemigration.StorageVersionMigrationSpec, out *storagemigrationv1beta1.StorageVersionMigrationSpec, s conversion.Scope) error {
+	return autoConvert_storagemigration_StorageVersionMigrationSpec_To_v1beta1_StorageVersionMigrationSpec(in, out, s)
+}
+
+func autoConvert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in *storagemigrationv1beta1.StorageVersionMigrationStatus, out *storagemigration.StorageVersionMigrationStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
+	out.ResourceVersion = in.ResourceVersion
+	return nil
+}
+
+// Convert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus is an autogenerated conversion function.
+func Convert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in *storagemigrationv1beta1.StorageVersionMigrationStatus, out *storagemigration.StorageVersionMigrationStatus, s conversion.Scope) error {
+	return autoConvert_v1beta1_StorageVersionMigrationStatus_To_storagemigration_StorageVersionMigrationStatus(in, out, s)
+}
+
+func autoConvert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus(in *storagemigration.StorageVersionMigrationStatus, out *storagemigrationv1beta1.StorageVersionMigrationStatus, s conversion.Scope) error {
+	out.Conditions = *(*[]v1.Condition)(unsafe.Pointer(&in.Conditions))
+	out.ResourceVersion = in.ResourceVersion
+	return nil
+}
+
+// Convert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus is an autogenerated conversion function.
+func Convert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus(in *storagemigration.StorageVersionMigrationStatus, out *storagemigrationv1beta1.StorageVersionMigrationStatus, s conversion.Scope) error {
+	return autoConvert_storagemigration_StorageVersionMigrationStatus_To_v1beta1_StorageVersionMigrationStatus(in, out, s)
+}
diff --git a/pkg/apis/storagemigration/v1alpha1/zz_generated.defaults.go b/pkg/apis/storagemigration/v1beta1/zz_generated.defaults.go
similarity index 98%
rename from pkg/apis/storagemigration/v1alpha1/zz_generated.defaults.go
rename to pkg/apis/storagemigration/v1beta1/zz_generated.defaults.go
index 5070cb91b90f1..198b5be4af534 100644
--- a/pkg/apis/storagemigration/v1alpha1/zz_generated.defaults.go
+++ b/pkg/apis/storagemigration/v1beta1/zz_generated.defaults.go
@@ -19,7 +19,7 @@ limitations under the License.
 
 // Code generated by defaulter-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
 
 import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
diff --git a/pkg/apis/storagemigration/validation/validation.go b/pkg/apis/storagemigration/validation/validation.go
index 404acac980a80..efcfb3618e755 100644
--- a/pkg/apis/storagemigration/validation/validation.go
+++ b/pkg/apis/storagemigration/validation/validation.go
@@ -18,18 +18,17 @@ package validation
 
 import (
 	"fmt"
-	"regexp"
-	"strconv"
+	"strings"
 
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
 
-	corev1 "k8s.io/api/core/v1"
+	metaconditions "k8s.io/apimachinery/pkg/api/meta"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 )
 
@@ -37,8 +36,20 @@ func ValidateStorageVersionMigration(svm *storagemigration.StorageVersionMigrati
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, apivalidation.ValidateObjectMeta(&svm.ObjectMeta, false, apimachineryvalidation.NameIsDNSSubdomain, field.NewPath("metadata"))...)
 
-	allErrs = checkAndAppendError(allErrs, field.NewPath("spec", "resource", "resource"), svm.Spec.Resource.Resource, "resource is required")
-	allErrs = checkAndAppendError(allErrs, field.NewPath("spec", "resource", "version"), svm.Spec.Resource.Version, "version is required")
+	if len(svm.Spec.Resource.Resource) == 0 {
+		allErrs = append(allErrs, field.Required(field.NewPath("spec", "resource", "resource"), "resource is required to be set"))
+	} else {
+		// Same validations as APIService, Group must be a DNS1123 Subdomain and Resource must be DNS1035
+		if errs := utilvalidation.IsDNS1035Label(svm.Spec.Resource.Resource); len(errs) > 0 {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "resource", "resource"), svm.Spec.Resource.Resource, strings.Join(errs, ",")))
+		}
+	}
+
+	if len(svm.Spec.Resource.Group) != 0 {
+		if errs := utilvalidation.IsDNS1123Subdomain(svm.Spec.Resource.Group); len(errs) > 0 {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "resource", "group"), svm.Spec.Resource.Group, strings.Join(errs, ",")))
+		}
+	}
 
 	return allErrs
 }
@@ -47,16 +58,8 @@ func ValidateStorageVersionMigrationUpdate(newSVMBundle, oldSVMBundle *storagemi
 	allErrs := ValidateStorageVersionMigration(newSVMBundle)
 	allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&newSVMBundle.ObjectMeta, &oldSVMBundle.ObjectMeta, field.NewPath("metadata"))...)
 
-	// prevent changes to the group, version and resource
-	if newSVMBundle.Spec.Resource.Group != oldSVMBundle.Spec.Resource.Group {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("group"), newSVMBundle.Spec.Resource.Group, "field is immutable"))
-	}
-	if newSVMBundle.Spec.Resource.Version != oldSVMBundle.Spec.Resource.Version {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("version"), newSVMBundle.Spec.Resource.Version, "field is immutable"))
-	}
-	if newSVMBundle.Spec.Resource.Resource != oldSVMBundle.Spec.Resource.Resource {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("resource"), newSVMBundle.Spec.Resource.Resource, "field is immutable"))
-	}
+	// prevent changes to the spec
+	allErrs = append(allErrs, apivalidation.ValidateImmutableField(newSVMBundle.Spec, oldSVMBundle.Spec, field.NewPath("spec"))...)
 
 	return allErrs
 }
@@ -67,14 +70,15 @@ func ValidateStorageVersionMigrationStatusUpdate(newSVMBundle, oldSVMBundle *sto
 	fldPath := field.NewPath("status")
 
 	// resource version should be a non-negative integer
-	rvInt, err := convertResourceVersionToInt(newSVMBundle.Status.ResourceVersion)
-	if err != nil {
+	cmp, err := resourceversion.CompareResourceVersion(newSVMBundle.Status.ResourceVersion, newSVMBundle.Status.ResourceVersion)
+	if err != nil || cmp != 0 {
+		if err == nil {
+			err = fmt.Errorf("unable to compare resource versions, %s is not equal to %s", newSVMBundle.Status.ResourceVersion, newSVMBundle.Status.ResourceVersion)
+		}
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("resourceVersion"), newSVMBundle.Status.ResourceVersion, err.Error()))
 	}
-	allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(rvInt, fldPath.Child("resourceVersion"))...)
 
-	// TODO: after switching to metav1.Conditions in beta replace this validation with metav1.ValidateConditions
-	allErrs = append(allErrs, validateConditions(newSVMBundle.Status.Conditions, fldPath.Child("conditions"))...)
+	allErrs = append(allErrs, metav1validation.ValidateConditions(newSVMBundle.Status.Conditions, fldPath.Child("conditions"))...)
 
 	// resource version should not change once it has been set
 	if len(oldSVMBundle.Status.ResourceVersion) != 0 && oldSVMBundle.Status.ResourceVersion != newSVMBundle.Status.ResourceVersion {
@@ -108,120 +112,25 @@ func ValidateStorageVersionMigrationStatusUpdate(newSVMBundle, oldSVMBundle *sto
 }
 
 func isSuccessful(svm *storagemigration.StorageVersionMigration) bool {
-	successCondition := getCondition(svm, storagemigration.MigrationSucceeded)
-	if successCondition != nil && successCondition.Status == corev1.ConditionTrue {
+	successCondition := metaconditions.FindStatusCondition(svm.Status.Conditions, string(storagemigration.MigrationSucceeded))
+	if successCondition != nil && successCondition.Status == metav1.ConditionTrue {
 		return true
 	}
 	return false
 }
 
 func isFailed(svm *storagemigration.StorageVersionMigration) bool {
-	failedCondition := getCondition(svm, storagemigration.MigrationFailed)
-	if failedCondition != nil && failedCondition.Status == corev1.ConditionTrue {
+	failedCondition := metaconditions.FindStatusCondition(svm.Status.Conditions, string(storagemigration.MigrationFailed))
+	if failedCondition != nil && failedCondition.Status == metav1.ConditionTrue {
 		return true
 	}
 	return false
 }
 
 func isRunning(svm *storagemigration.StorageVersionMigration) bool {
-	runningCondition := getCondition(svm, storagemigration.MigrationRunning)
-	if runningCondition != nil && runningCondition.Status == corev1.ConditionTrue {
+	runningCondition := metaconditions.FindStatusCondition(svm.Status.Conditions, string(storagemigration.MigrationRunning))
+	if runningCondition != nil && runningCondition.Status == metav1.ConditionTrue {
 		return true
 	}
 	return false
 }
-
-func getCondition(svm *storagemigration.StorageVersionMigration, conditionType storagemigration.MigrationConditionType) *storagemigration.MigrationCondition {
-	for _, c := range svm.Status.Conditions {
-		if c.Type == conditionType {
-			return &c
-		}
-	}
-
-	return nil
-}
-
-func validateConditions(conditions []storagemigration.MigrationCondition, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-
-	conditionTypeToFirstIndex := map[string]int{}
-	for i, condition := range conditions {
-		if _, ok := conditionTypeToFirstIndex[string(condition.Type)]; ok {
-			allErrs = append(allErrs, field.Duplicate(fldPath.Index(i).Child("type"), condition.Type))
-		} else {
-			conditionTypeToFirstIndex[string(condition.Type)] = i
-		}
-
-		allErrs = append(allErrs, validateCondition(condition, fldPath.Index(i))...)
-	}
-
-	return allErrs
-}
-
-func validateCondition(condition storagemigration.MigrationCondition, fldPath *field.Path) field.ErrorList {
-	var allErrs field.ErrorList
-	var validConditionStatuses = sets.NewString(string(metav1.ConditionTrue), string(metav1.ConditionFalse), string(metav1.ConditionUnknown))
-
-	// type is set and is a valid format
-	allErrs = append(allErrs, metav1validation.ValidateLabelName(string(condition.Type), fldPath.Child("type"))...)
-
-	// status is set and is an accepted value
-	if !validConditionStatuses.Has(string(condition.Status)) {
-		allErrs = append(allErrs, field.NotSupported(fldPath.Child("status"), condition.Status, validConditionStatuses.List()))
-	}
-
-	if condition.LastUpdateTime.IsZero() {
-		allErrs = append(allErrs, field.Required(fldPath.Child("lastTransitionTime"), ""))
-	}
-
-	if len(condition.Reason) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("reason"), ""))
-	} else {
-		for _, currErr := range isValidConditionReason(condition.Reason) {
-			allErrs = append(allErrs, field.Invalid(fldPath.Child("reason"), condition.Reason, currErr))
-		}
-
-		const maxReasonLen int = 1 * 1024 // 1024
-		if len(condition.Reason) > maxReasonLen {
-			allErrs = append(allErrs, field.TooLong(fldPath.Child("reason"), "" /*unused*/, maxReasonLen))
-		}
-	}
-
-	const maxMessageLen int = 32 * 1024 // 32768
-	if len(condition.Message) > maxMessageLen {
-		allErrs = append(allErrs, field.TooLong(fldPath.Child("message"), "" /*unused*/, maxMessageLen))
-	}
-
-	return allErrs
-}
-func isValidConditionReason(value string) []string {
-	const conditionReasonFmt string = "[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?"
-	const conditionReasonErrMsg string = "a condition reason must start with alphabetic character, optionally followed by a string of alphanumeric characters or '_,:', and must end with an alphanumeric character or '_'"
-	var conditionReasonRegexp = regexp.MustCompile("^" + conditionReasonFmt + "$")
-
-	if !conditionReasonRegexp.MatchString(value) {
-		return []string{validation.RegexError(conditionReasonErrMsg, conditionReasonFmt, "my_name", "MY_NAME", "MyName", "ReasonA,ReasonB", "ReasonA:ReasonB")}
-	}
-	return nil
-}
-
-func checkAndAppendError(allErrs field.ErrorList, fieldPath *field.Path, value string, message string) field.ErrorList {
-	if len(value) == 0 {
-		allErrs = append(allErrs, field.Required(fieldPath, message))
-	}
-	return allErrs
-}
-
-func convertResourceVersionToInt(rv string) (int64, error) {
-	// initial value of RV is expected to be empty, which means the resource version is not set
-	if len(rv) == 0 {
-		return 0, nil
-	}
-
-	resourceVersion, err := strconv.ParseInt(rv, 10, 64)
-	if err != nil {
-		return 0, fmt.Errorf("failed to parse resource version %q: %w", rv, err)
-	}
-
-	return resourceVersion, nil
-}
diff --git a/pkg/apis/storagemigration/validation/validation_test.go b/pkg/apis/storagemigration/validation/validation_test.go
index bb1e95aa3d429..e6dabecca30df 100644
--- a/pkg/apis/storagemigration/validation/validation_test.go
+++ b/pkg/apis/storagemigration/validation/validation_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package validation
 
 import (
+	"fmt"
+	"strings"
 	"testing"
 
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
@@ -24,6 +26,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const dns1035ErrMsg = "a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character (e.g. 'my-name',  or 'abc-123', regex used for validation is '[a-z]([-a-z0-9]*[a-z0-9])?')"
+const dns1123ErrMsg = "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"
+
 // TestValidateStorageVersionMigration tests the ValidateStorageVersionMigration function
 func TestValidateStorageVersionMigration(t *testing.T) {
 	tests := []struct {
@@ -38,9 +43,8 @@ func TestValidateStorageVersionMigration(t *testing.T) {
 					Name: "test-svm",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
+					Resource: metav1.GroupResource{
 						Group:    "non-empty",
-						Version:  "non-empty",
 						Resource: "non-empty",
 					},
 				},
@@ -54,14 +58,13 @@ func TestValidateStorageVersionMigration(t *testing.T) {
 					Name: "test-svm",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
+					Resource: metav1.GroupResource{
 						Group:    "",
-						Version:  "",
 						Resource: "",
 					},
 				},
 			},
-			errorString: "[spec.resource.resource: Required value: resource is required, spec.resource.version: Required value: version is required]",
+			errorString: "spec.resource.resource: Required value: resource is required to be set",
 		},
 		{
 			name: "when resource is empty",
@@ -70,30 +73,43 @@ func TestValidateStorageVersionMigration(t *testing.T) {
 					Name: "test-svm",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
+					Resource: metav1.GroupResource{
 						Group:    "non-empty",
-						Version:  "non-empty",
 						Resource: "",
 					},
 				},
 			},
-			errorString: "spec.resource.resource: Required value: resource is required",
+			errorString: "spec.resource.resource: Required value: resource is required to be set",
 		},
 		{
-			name: "when version is empty",
+			name: "when resource is invalid",
 			svm: &storagemigration.StorageVersionMigration{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "test-svm",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
+					Resource: metav1.GroupResource{
 						Group:    "non-empty",
-						Version:  "",
+						Resource: ".",
+					},
+				},
+			},
+			errorString: fmt.Sprintf("spec.resource.resource: Invalid value: \".\": %s", dns1035ErrMsg),
+		},
+		{
+			name: "when group is invalid",
+			svm: &storagemigration.StorageVersionMigration{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-svm",
+				},
+				Spec: storagemigration.StorageVersionMigrationSpec{
+					Resource: metav1.GroupResource{
+						Group:    "-",
 						Resource: "non-empty",
 					},
 				},
 			},
-			errorString: "spec.resource.version: Required value: version is required",
+			errorString: fmt.Sprintf("spec.resource.group: Invalid value: \"-\": %s", dns1123ErrMsg),
 		},
 	}
 
@@ -114,3 +130,212 @@ func TestValidateStorageVersionMigration(t *testing.T) {
 		})
 	}
 }
+func TestValidateStorageVersionMigrationUpdate(t *testing.T) {
+	validSVM := &storagemigration.StorageVersionMigration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "test-svm",
+			ResourceVersion: "1",
+		},
+		Spec: storagemigration.StorageVersionMigrationSpec{
+			Resource: metav1.GroupResource{
+				Group:    "example.com",
+				Resource: "myresources",
+			},
+		},
+	}
+
+	tests := []struct {
+		name           string
+		newSVM         *storagemigration.StorageVersionMigration
+		oldSVM         *storagemigration.StorageVersionMigration
+		errorSubstring string
+	}{
+		{
+			name:           "valid update (no change)",
+			newSVM:         validSVM.DeepCopy(),
+			oldSVM:         validSVM.DeepCopy(),
+			errorSubstring: "",
+		},
+		{
+			name: "valid update (metadata change)",
+			newSVM: func() *storagemigration.StorageVersionMigration {
+				svm := validSVM.DeepCopy()
+				svm.ObjectMeta.Labels = map[string]string{"a": "b"}
+				return svm
+			}(),
+			oldSVM:         validSVM.DeepCopy(),
+			errorSubstring: "",
+		},
+		{
+			name: "invalid update (spec changed)",
+			newSVM: func() *storagemigration.StorageVersionMigration {
+				svm := validSVM.DeepCopy()
+				svm.Spec.Resource.Group = "new.example.com"
+				return svm
+			}(),
+			oldSVM:         validSVM.DeepCopy(),
+			errorSubstring: "spec: Invalid value",
+		},
+		{
+			name: "invalid update (new object is invalid)",
+			newSVM: func() *storagemigration.StorageVersionMigration {
+				svm := validSVM.DeepCopy()
+				svm.Spec.Resource.Resource = ""
+				return svm
+			}(),
+			oldSVM:         validSVM.DeepCopy(),
+			errorSubstring: "spec.resource.resource: Required value",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			errors := ValidateStorageVersionMigrationUpdate(test.newSVM, test.oldSVM)
+
+			if test.errorSubstring == "" {
+				if len(errors) != 0 {
+					t.Errorf("Expected no error, got %s", errors.ToAggregate().Error())
+				}
+			} else {
+				if len(errors) == 0 {
+					t.Errorf("Expected error containing %q, got no error", test.errorSubstring)
+				} else if !strings.Contains(errors.ToAggregate().Error(), test.errorSubstring) {
+					t.Errorf("Expected error containing %q, got %s", test.errorSubstring, errors.ToAggregate().Error())
+				}
+			}
+		})
+	}
+}
+
+var (
+	// Add a time variable
+	now = metav1.Now()
+
+	// Add LastTransitionTime to all conditions
+	runningCond   = metav1.Condition{Type: string(storagemigration.MigrationRunning), Status: metav1.ConditionTrue, Reason: "Running", LastTransitionTime: now}
+	succeededCond = metav1.Condition{Type: string(storagemigration.MigrationSucceeded), Status: metav1.ConditionTrue, Reason: "Succeeded", LastTransitionTime: now}
+	failedCond    = metav1.Condition{Type: string(storagemigration.MigrationFailed), Status: metav1.ConditionTrue, Reason: "Failed", LastTransitionTime: now}
+
+	runningFalseCond   = metav1.Condition{Type: string(storagemigration.MigrationRunning), Status: metav1.ConditionFalse, Reason: "NotRunning", LastTransitionTime: now}
+	succeededFalseCond = metav1.Condition{Type: string(storagemigration.MigrationSucceeded), Status: metav1.ConditionFalse, Reason: "NotSucceeded", LastTransitionTime: now}
+	failedFalseCond    = metav1.Condition{Type: string(storagemigration.MigrationFailed), Status: metav1.ConditionFalse, Reason: "NotFailed", LastTransitionTime: now}
+)
+
+func newTestSVM(rv string, conditions ...metav1.Condition) *storagemigration.StorageVersionMigration {
+	return &storagemigration.StorageVersionMigration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "test-svm",
+			ResourceVersion: "1",
+		},
+		Spec: storagemigration.StorageVersionMigrationSpec{
+			Resource: metav1.GroupResource{
+				Group:    "example.com",
+				Resource: "myresources",
+			},
+		},
+		Status: storagemigration.StorageVersionMigrationStatus{
+			ResourceVersion: rv,
+			Conditions:      conditions,
+		},
+	}
+}
+
+func TestValidateStorageVersionMigrationStatusUpdate(t *testing.T) {
+	tests := []struct {
+		name           string
+		newSVM         *storagemigration.StorageVersionMigration
+		oldSVM         *storagemigration.StorageVersionMigration
+		errorSubstring string
+	}{
+		{
+			name:           "valid: initial status set with RV",
+			newSVM:         newTestSVM("123", runningCond),
+			oldSVM:         newTestSVM(""),
+			errorSubstring: "",
+		},
+		{
+			name:           "valid: transition running to succeeded",
+			newSVM:         newTestSVM("123", runningFalseCond, succeededCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "",
+		},
+		{
+			name:           "valid: transition running to failed",
+			newSVM:         newTestSVM("123", runningFalseCond, failedCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "",
+		},
+		{
+			name:           "valid: succeeded stays succeeded",
+			newSVM:         newTestSVM("123", succeededCond),
+			oldSVM:         newTestSVM("123", succeededCond),
+			errorSubstring: "",
+		},
+		{
+			name:           "valid: failed stays failed",
+			newSVM:         newTestSVM("123", failedCond),
+			oldSVM:         newTestSVM("123", failedCond),
+			errorSubstring: "",
+		},
+		{
+			name:           "invalid: resource version change",
+			newSVM:         newTestSVM("456", runningCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "status.resourceVersion: Invalid value: \"456\": field is immutable",
+		},
+		{
+			name:           "invalid: bad resource version format",
+			newSVM:         newTestSVM("abc", runningCond),
+			oldSVM:         newTestSVM(""),
+			errorSubstring: "status.resourceVersion: Invalid value: \"abc\": resource version is not well formed: abc",
+		},
+		{
+			name:           "invalid: both succeeded and failed are true",
+			newSVM:         newTestSVM("123", succeededCond, failedCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "Both success and failed conditions cannot be true at the same time",
+		},
+		{
+			name:           "invalid: both succeeded and running are true",
+			newSVM:         newTestSVM("123", succeededCond, runningCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "Running condition cannot be true when success condition is true",
+		},
+		{
+			name:           "invalid: both failed and running are true",
+			newSVM:         newTestSVM("123", failedCond, runningCond),
+			oldSVM:         newTestSVM("123", runningCond),
+			errorSubstring: "Running condition cannot be true when failed condition is true",
+		},
+		{
+			name:           "invalid: succeeded changed from true to false",
+			newSVM:         newTestSVM("123", succeededFalseCond),
+			oldSVM:         newTestSVM("123", succeededCond),
+			errorSubstring: "Success condition cannot be set to false once it is true",
+		},
+		{
+			name:           "invalid: failed changed from true to false",
+			newSVM:         newTestSVM("123", failedFalseCond),
+			oldSVM:         newTestSVM("123", failedCond),
+			errorSubstring: "Failed condition cannot be set to false once it is true",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			errors := ValidateStorageVersionMigrationStatusUpdate(test.newSVM, test.oldSVM)
+
+			if test.errorSubstring == "" {
+				if len(errors) != 0 {
+					t.Errorf("Expected no error, got %s", errors.ToAggregate().Error())
+				}
+			} else {
+				if len(errors) == 0 {
+					t.Errorf("Expected error containing %q, got no error", test.errorSubstring)
+				} else if !strings.Contains(errors.ToAggregate().Error(), test.errorSubstring) {
+					t.Errorf("Expected error containing %q, got %s", test.errorSubstring, errors.ToAggregate().Error())
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/apis/storagemigration/zz_generated.deepcopy.go b/pkg/apis/storagemigration/zz_generated.deepcopy.go
index 59b4383e110c5..d31dd7a293cb6 100644
--- a/pkg/apis/storagemigration/zz_generated.deepcopy.go
+++ b/pkg/apis/storagemigration/zz_generated.deepcopy.go
@@ -22,42 +22,10 @@ limitations under the License.
 package storagemigration
 
 import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GroupVersionResource) DeepCopyInto(out *GroupVersionResource) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionResource.
-func (in *GroupVersionResource) DeepCopy() *GroupVersionResource {
-	if in == nil {
-		return nil
-	}
-	out := new(GroupVersionResource)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MigrationCondition) DeepCopyInto(out *MigrationCondition) {
-	*out = *in
-	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MigrationCondition.
-func (in *MigrationCondition) DeepCopy() *MigrationCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(MigrationCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageVersionMigration) DeepCopyInto(out *StorageVersionMigration) {
 	*out = *in
@@ -141,7 +109,7 @@ func (in *StorageVersionMigrationStatus) DeepCopyInto(out *StorageVersionMigrati
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]MigrationCondition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
diff --git a/pkg/controller/OWNERS b/pkg/controller/OWNERS
index 88cecd8f96060..be732c048fbc9 100644
--- a/pkg/controller/OWNERS
+++ b/pkg/controller/OWNERS
@@ -12,6 +12,7 @@ reviewers:
   - andrewsykim
   - deads2k
   - cheftako
+  - jefftree
   - sig-apps-reviewers
 labels:
   - sig/apps
diff --git a/pkg/controller/apis/config/types.go b/pkg/controller/apis/config/types.go
index 880a4fd4928b2..3be7f98a5c4e6 100644
--- a/pkg/controller/apis/config/types.go
+++ b/pkg/controller/apis/config/types.go
@@ -25,6 +25,7 @@ import (
 	cronjobconfig "k8s.io/kubernetes/pkg/controller/cronjob/config"
 	daemonconfig "k8s.io/kubernetes/pkg/controller/daemon/config"
 	deploymentconfig "k8s.io/kubernetes/pkg/controller/deployment/config"
+	devicetaintevictionconfig "k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
 	endpointconfig "k8s.io/kubernetes/pkg/controller/endpoint/config"
 	endpointsliceconfig "k8s.io/kubernetes/pkg/controller/endpointslice/config"
 	endpointslicemirroringconfig "k8s.io/kubernetes/pkg/controller/endpointslicemirroring/config"
@@ -62,6 +63,9 @@ type KubeControllerManagerConfiguration struct {
 	// AttachDetachControllerConfiguration holds configuration for
 	// AttachDetachController related features.
 	AttachDetachController attachdetachconfig.AttachDetachControllerConfiguration
+	// CronJobControllerConfiguration holds configuration for CronJobController
+	// related features.
+	CronJobController cronjobconfig.CronJobControllerConfiguration
 	// CSRSigningControllerConfiguration holds configuration for
 	// CSRSigningController related features.
 	CSRSigningController csrsigningconfig.CSRSigningControllerConfiguration
@@ -71,9 +75,8 @@ type KubeControllerManagerConfiguration struct {
 	// DeploymentControllerConfiguration holds configuration for
 	// DeploymentController related features.
 	DeploymentController deploymentconfig.DeploymentControllerConfiguration
-	// StatefulSetControllerConfiguration holds configuration for
-	// StatefulSetController related features.
-	StatefulSetController statefulsetconfig.StatefulSetControllerConfiguration
+	// DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.
+	DeviceTaintEvictionController devicetaintevictionconfig.DeviceTaintEvictionControllerConfiguration
 	// DeprecatedControllerConfiguration holds configuration for some deprecated
 	// features.
 	DeprecatedController DeprecatedControllerConfiguration
@@ -96,9 +99,6 @@ type KubeControllerManagerConfiguration struct {
 	HPAController poautosclerconfig.HPAControllerConfiguration
 	// JobControllerConfiguration holds configuration for JobController related features.
 	JobController jobconfig.JobControllerConfiguration
-	// CronJobControllerConfiguration holds configuration for CronJobController
-	// related features.
-	CronJobController cronjobconfig.CronJobControllerConfiguration
 	// LegacySATokenCleanerConfiguration holds configuration for LegacySATokenCleaner related features.
 	LegacySATokenCleaner serviceaccountconfig.LegacySATokenCleanerConfiguration
 	// NamespaceControllerConfiguration holds configuration for NamespaceController
@@ -130,6 +130,9 @@ type KubeControllerManagerConfiguration struct {
 	// ServiceControllerConfiguration holds configuration for ServiceController
 	// related features.
 	ServiceController serviceconfig.ServiceControllerConfiguration
+	// StatefulSetControllerConfiguration holds configuration for
+	// StatefulSetController related features.
+	StatefulSetController statefulsetconfig.StatefulSetControllerConfiguration
 	// TTLAfterFinishedControllerConfiguration holds configuration for
 	// TTLAfterFinishedController related features.
 	TTLAfterFinishedController ttlafterfinishedconfig.TTLAfterFinishedControllerConfiguration
diff --git a/pkg/controller/apis/config/v1alpha1/defaults.go b/pkg/controller/apis/config/v1alpha1/defaults.go
index c5a6ccef62fc9..d0d4fd160ae45 100644
--- a/pkg/controller/apis/config/v1alpha1/defaults.go
+++ b/pkg/controller/apis/config/v1alpha1/defaults.go
@@ -25,6 +25,7 @@ import (
 	cronjobconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/cronjob/config/v1alpha1"
 	daemonconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/daemon/config/v1alpha1"
 	deploymentconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/deployment/config/v1alpha1"
+	devicetaintevictionconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/devicetainteviction/config/v1alpha1"
 	endpointconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpoint/config/v1alpha1"
 	endpointsliceconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpointslice/config/v1alpha1"
 	endpointslicemirroringconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpointslicemirroring/config/v1alpha1"
@@ -71,6 +72,8 @@ func SetDefaults_KubeControllerManagerConfiguration(obj *kubectrlmgrconfigv1alph
 	daemonconfigv1alpha1.RecommendedDefaultDaemonSetControllerConfiguration(&obj.DaemonSetController)
 	// Use the default RecommendedDefaultDeploymentControllerConfiguration options
 	deploymentconfigv1alpha1.RecommendedDefaultDeploymentControllerConfiguration(&obj.DeploymentController)
+	// Use the default RecommendedDefaultDeviceTaintEvictionControllerConfiguration options
+	devicetaintevictionconfigv1alpha1.RecommendedDefaultDeviceTaintEvictionControllerConfiguration(&obj.DeviceTaintEvictionController)
 	// Use the default RecommendedDefaultStatefulSetControllerConfiguration options
 	statefulsetconfigv1alpha1.RecommendedDefaultStatefulSetControllerConfiguration(&obj.StatefulSetController)
 	// Use the default RecommendedDefaultEndpointControllerConfiguration options
diff --git a/pkg/controller/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/controller/apis/config/v1alpha1/zz_generated.conversion.go
index 383177ba91488..b9b276389aabd 100644
--- a/pkg/controller/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/controller/apis/config/v1alpha1/zz_generated.conversion.go
@@ -34,6 +34,7 @@ import (
 	cronjobconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/cronjob/config/v1alpha1"
 	daemonconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/daemon/config/v1alpha1"
 	deploymentconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/deployment/config/v1alpha1"
+	devicetaintevictionconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/devicetainteviction/config/v1alpha1"
 	endpointconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpoint/config/v1alpha1"
 	endpointsliceconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpointslice/config/v1alpha1"
 	endpointslicemirroringconfigv1alpha1 "k8s.io/kubernetes/pkg/controller/endpointslicemirroring/config/v1alpha1"
@@ -224,6 +225,9 @@ func autoConvert_v1alpha1_KubeControllerManagerConfiguration_To_config_KubeContr
 	if err := validatingadmissionpolicystatusconfigv1alpha1.Convert_v1alpha1_ValidatingAdmissionPolicyStatusControllerConfiguration_To_config_ValidatingAdmissionPolicyStatusControllerConfiguration(&in.ValidatingAdmissionPolicyStatusController, &out.ValidatingAdmissionPolicyStatusController, s); err != nil {
 		return err
 	}
+	if err := devicetaintevictionconfigv1alpha1.Convert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration(&in.DeviceTaintEvictionController, &out.DeviceTaintEvictionController, s); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -242,6 +246,9 @@ func autoConvert_config_KubeControllerManagerConfiguration_To_v1alpha1_KubeContr
 	if err := attachdetachconfigv1alpha1.Convert_config_AttachDetachControllerConfiguration_To_v1alpha1_AttachDetachControllerConfiguration(&in.AttachDetachController, &out.AttachDetachController, s); err != nil {
 		return err
 	}
+	if err := cronjobconfigv1alpha1.Convert_config_CronJobControllerConfiguration_To_v1alpha1_CronJobControllerConfiguration(&in.CronJobController, &out.CronJobController, s); err != nil {
+		return err
+	}
 	if err := signerconfigv1alpha1.Convert_config_CSRSigningControllerConfiguration_To_v1alpha1_CSRSigningControllerConfiguration(&in.CSRSigningController, &out.CSRSigningController, s); err != nil {
 		return err
 	}
@@ -251,7 +258,7 @@ func autoConvert_config_KubeControllerManagerConfiguration_To_v1alpha1_KubeContr
 	if err := deploymentconfigv1alpha1.Convert_config_DeploymentControllerConfiguration_To_v1alpha1_DeploymentControllerConfiguration(&in.DeploymentController, &out.DeploymentController, s); err != nil {
 		return err
 	}
-	if err := statefulsetconfigv1alpha1.Convert_config_StatefulSetControllerConfiguration_To_v1alpha1_StatefulSetControllerConfiguration(&in.StatefulSetController, &out.StatefulSetController, s); err != nil {
+	if err := devicetaintevictionconfigv1alpha1.Convert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration(&in.DeviceTaintEvictionController, &out.DeviceTaintEvictionController, s); err != nil {
 		return err
 	}
 	if err := Convert_config_DeprecatedControllerConfiguration_To_v1alpha1_DeprecatedControllerConfiguration(&in.DeprecatedController, &out.DeprecatedController, s); err != nil {
@@ -278,9 +285,6 @@ func autoConvert_config_KubeControllerManagerConfiguration_To_v1alpha1_KubeContr
 	if err := jobconfigv1alpha1.Convert_config_JobControllerConfiguration_To_v1alpha1_JobControllerConfiguration(&in.JobController, &out.JobController, s); err != nil {
 		return err
 	}
-	if err := cronjobconfigv1alpha1.Convert_config_CronJobControllerConfiguration_To_v1alpha1_CronJobControllerConfiguration(&in.CronJobController, &out.CronJobController, s); err != nil {
-		return err
-	}
 	if err := serviceaccountconfigv1alpha1.Convert_config_LegacySATokenCleanerConfiguration_To_v1alpha1_LegacySATokenCleanerConfiguration(&in.LegacySATokenCleaner, &out.LegacySATokenCleaner, s); err != nil {
 		return err
 	}
@@ -314,6 +318,9 @@ func autoConvert_config_KubeControllerManagerConfiguration_To_v1alpha1_KubeContr
 	if err := serviceconfigv1alpha1.Convert_config_ServiceControllerConfiguration_To_v1alpha1_ServiceControllerConfiguration(&in.ServiceController, &out.ServiceController, s); err != nil {
 		return err
 	}
+	if err := statefulsetconfigv1alpha1.Convert_config_StatefulSetControllerConfiguration_To_v1alpha1_StatefulSetControllerConfiguration(&in.StatefulSetController, &out.StatefulSetController, s); err != nil {
+		return err
+	}
 	if err := ttlafterfinishedconfigv1alpha1.Convert_config_TTLAfterFinishedControllerConfiguration_To_v1alpha1_TTLAfterFinishedControllerConfiguration(&in.TTLAfterFinishedController, &out.TTLAfterFinishedController, s); err != nil {
 		return err
 	}
diff --git a/pkg/controller/apis/config/zz_generated.deepcopy.go b/pkg/controller/apis/config/zz_generated.deepcopy.go
index 0393df7d99e2f..82d905bbe210f 100644
--- a/pkg/controller/apis/config/zz_generated.deepcopy.go
+++ b/pkg/controller/apis/config/zz_generated.deepcopy.go
@@ -48,10 +48,11 @@ func (in *KubeControllerManagerConfiguration) DeepCopyInto(out *KubeControllerMa
 	in.Generic.DeepCopyInto(&out.Generic)
 	out.KubeCloudShared = in.KubeCloudShared
 	out.AttachDetachController = in.AttachDetachController
+	out.CronJobController = in.CronJobController
 	out.CSRSigningController = in.CSRSigningController
 	out.DaemonSetController = in.DaemonSetController
 	out.DeploymentController = in.DeploymentController
-	out.StatefulSetController = in.StatefulSetController
+	out.DeviceTaintEvictionController = in.DeviceTaintEvictionController
 	out.DeprecatedController = in.DeprecatedController
 	out.EndpointController = in.EndpointController
 	out.EndpointSliceController = in.EndpointSliceController
@@ -60,7 +61,6 @@ func (in *KubeControllerManagerConfiguration) DeepCopyInto(out *KubeControllerMa
 	in.GarbageCollectorController.DeepCopyInto(&out.GarbageCollectorController)
 	out.HPAController = in.HPAController
 	out.JobController = in.JobController
-	out.CronJobController = in.CronJobController
 	out.LegacySATokenCleaner = in.LegacySATokenCleaner
 	out.NamespaceController = in.NamespaceController
 	out.NodeIPAMController = in.NodeIPAMController
@@ -72,6 +72,7 @@ func (in *KubeControllerManagerConfiguration) DeepCopyInto(out *KubeControllerMa
 	out.ResourceQuotaController = in.ResourceQuotaController
 	out.SAController = in.SAController
 	out.ServiceController = in.ServiceController
+	out.StatefulSetController = in.StatefulSetController
 	out.TTLAfterFinishedController = in.TTLAfterFinishedController
 	out.ValidatingAdmissionPolicyStatusController = in.ValidatingAdmissionPolicyStatusController
 	return
diff --git a/pkg/controller/bootstrap/bootstrapsigner.go b/pkg/controller/bootstrap/bootstrapsigner.go
index b0472eddeee78..be18ed2f0ab01 100644
--- a/pkg/controller/bootstrap/bootstrapsigner.go
+++ b/pkg/controller/bootstrap/bootstrapsigner.go
@@ -19,6 +19,7 @@ package bootstrap
 import (
 	"context"
 	"strings"
+	"sync"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -155,19 +156,26 @@ func NewSigner(cl clientset.Interface, secrets informers.SecretInformer, configM
 
 // Run runs controller loops and returns when they are done
 func (e *Signer) Run(ctx context.Context) {
-	// Shut down queues
 	defer utilruntime.HandleCrash()
-	defer e.syncQueue.ShutDown()
 
-	if !cache.WaitForNamedCacheSync("bootstrap_signer", ctx.Done(), e.configMapSynced, e.secretSynced) {
+	logger := klog.FromContext(ctx)
+	logger.V(5).Info("Starting")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.V(1).Info("Shutting down")
+		e.syncQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, e.configMapSynced, e.secretSynced) {
 		return
 	}
 
-	logger := klog.FromContext(ctx)
-	logger.V(5).Info("Starting workers")
-	go wait.UntilWithContext(ctx, e.serviceConfigMapQueue, 0)
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, e.serviceConfigMapQueue, 0)
+	})
 	<-ctx.Done()
-	logger.V(1).Info("Shutting down")
 }
 
 func (e *Signer) pokeConfigMapSync() {
diff --git a/pkg/controller/bootstrap/tokencleaner.go b/pkg/controller/bootstrap/tokencleaner.go
index 52fa81bd49e6a..a949cbbe69657 100644
--- a/pkg/controller/bootstrap/tokencleaner.go
+++ b/pkg/controller/bootstrap/tokencleaner.go
@@ -19,6 +19,7 @@ package bootstrap
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -111,18 +112,24 @@ func NewTokenCleaner(cl clientset.Interface, secrets coreinformers.SecretInforme
 // Run runs controller loops and returns when they are done
 func (tc *TokenCleaner) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
-	defer tc.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting token cleaner controller")
-	defer logger.Info("Shutting down token cleaner controller")
 
-	if !cache.WaitForNamedCacheSync("token_cleaner", ctx.Done(), tc.secretSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down token cleaner controller")
+		tc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.secretSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, tc.worker, 10*time.Second)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, tc.worker, 10*time.Second)
+	})
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/certificates/certificate_controller.go b/pkg/controller/certificates/certificate_controller.go
index 1306eef892b9e..dbfa3e4ad5429 100644
--- a/pkg/controller/certificates/certificate_controller.go
+++ b/pkg/controller/certificates/certificate_controller.go
@@ -21,6 +21,7 @@ package certificates
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -114,20 +115,26 @@ func NewCertificateController(
 // Run the main goroutine responsible for watching and syncing jobs.
 func (cc *CertificateController) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer cc.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting certificate controller", "name", cc.name)
-	defer logger.Info("Shutting down certificate controller", "name", cc.name)
 
-	if !cache.WaitForNamedCacheSync(fmt.Sprintf("certificate-%s", cc.name), ctx.Done(), cc.csrsSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down certificate controller", "name", cc.name)
+		cc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, cc.csrsSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, cc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, cc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/certificates/cleaner/cleaner.go b/pkg/controller/certificates/cleaner/cleaner.go
index 32c0830d1d580..b63321de958e7 100644
--- a/pkg/controller/certificates/cleaner/cleaner.go
+++ b/pkg/controller/certificates/cleaner/cleaner.go
@@ -25,10 +25,9 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"sync"
 	"time"
 
-	"k8s.io/klog/v2"
-
 	capi "k8s.io/api/certificates/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -37,6 +36,7 @@ import (
 	certificatesinformers "k8s.io/client-go/informers/certificates/v1"
 	csrclient "k8s.io/client-go/kubernetes/typed/certificates/v1"
 	certificateslisters "k8s.io/client-go/listers/certificates/v1"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -81,12 +81,18 @@ func (ccc *CSRCleanerController) Run(ctx context.Context, workers int) {
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting CSR cleaner controller")
-	defer logger.Info("Shutting down CSR cleaner controller")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down CSR cleaner controller")
+		wg.Wait()
+	}()
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, ccc.worker, pollingInterval)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, ccc.worker, pollingInterval)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -107,7 +113,12 @@ func (ccc *CSRCleanerController) worker(ctx context.Context) {
 
 func (ccc *CSRCleanerController) handle(ctx context.Context, csr *capi.CertificateSigningRequest) error {
 	logger := klog.FromContext(ctx)
-	if isIssuedPastDeadline(logger, csr) || isDeniedPastDeadline(logger, csr) || isFailedPastDeadline(logger, csr) || isPendingPastDeadline(logger, csr) || isIssuedExpired(logger, csr) {
+	if isIssuedPastDeadline(logger, csr) ||
+		isDeniedPastDeadline(logger, csr) ||
+		isFailedPastDeadline(logger, csr) ||
+		isPendingPastDeadline(logger, csr) ||
+		isIssuedExpired(logger, csr) ||
+		isApprovedUnissuedPastDeadline(logger, csr) {
 		if err := ccc.csrClient.Delete(ctx, csr.Name, metav1.DeleteOptions{}); err != nil {
 			return fmt.Errorf("unable to delete CSR %q: %v", csr.Name, err)
 		}
@@ -170,8 +181,11 @@ func isFailedPastDeadline(logger klog.Logger, csr *capi.CertificateSigningReques
 // creation time of the CSR is passed the deadline that issued requests are
 // maintained for.
 func isIssuedPastDeadline(logger klog.Logger, csr *capi.CertificateSigningRequest) bool {
+	if !isIssued(csr) {
+		return false
+	}
 	for _, c := range csr.Status.Conditions {
-		if c.Type == capi.CertificateApproved && isIssued(csr) && isOlderThan(c.LastUpdateTime, approvedExpiration) {
+		if c.Type == capi.CertificateApproved && isOlderThan(c.LastUpdateTime, approvedExpiration) {
 			logger.Info("Cleaning CSR as it is more than approvedExpiration duration old and approved.", "csr", csr.Name, "approvedExpiration", approvedExpiration)
 			return true
 		}
@@ -179,6 +193,22 @@ func isIssuedPastDeadline(logger klog.Logger, csr *capi.CertificateSigningReques
 	return false
 }
 
+// isApprovedUnissuedPastDeadline checks if the certificate has an Approved status but
+// no certificate has been issued, and the approval time has passed the deadline
+// that pending requests are maintained for.
+func isApprovedUnissuedPastDeadline(logger klog.Logger, csr *capi.CertificateSigningRequest) bool {
+	if isIssued(csr) {
+		return false
+	}
+	for _, c := range csr.Status.Conditions {
+		if c.Type == capi.CertificateApproved && isOlderThan(c.LastUpdateTime, pendingExpiration) {
+			logger.Info("Cleaning CSR as it is approved but unissued for more than pendingExpiration duration.", "csr", csr.Name, "pendingExpiration", pendingExpiration)
+			return true
+		}
+	}
+	return false
+}
+
 // isOlderThan checks that t is a non-zero and older than d from time.Now().
 func isOlderThan(t metav1.Time, d time.Duration) bool {
 	return !t.IsZero() && time.Since(t.Time) > d
diff --git a/pkg/controller/certificates/cleaner/cleaner_test.go b/pkg/controller/certificates/cleaner/cleaner_test.go
index 6faeeb7bdf0b8..bb7c3a7d172a0 100644
--- a/pkg/controller/certificates/cleaner/cleaner_test.go
+++ b/pkg/controller/certificates/cleaner/cleaner_test.go
@@ -171,6 +171,30 @@ func TestCleanerWithApprovedExpiredCSR(t *testing.T) {
 			[]capi.CertificateSigningRequestCondition{},
 			[]string{"delete"},
 		},
+		{
+			"delete approved unissued past deadline",
+			metav1.NewTime(time.Now().Add(-1 * time.Minute)),
+			nil,
+			[]capi.CertificateSigningRequestCondition{
+				{
+					Type:           capi.CertificateApproved,
+					LastUpdateTime: metav1.NewTime(time.Now().Add(-25 * time.Hour)),
+				},
+			},
+			[]string{"delete"},
+		},
+		{
+			"no delete approved unissued not past deadline",
+			metav1.NewTime(time.Now().Add(-1 * time.Minute)),
+			nil,
+			[]capi.CertificateSigningRequestCondition{
+				{
+					Type:           capi.CertificateApproved,
+					LastUpdateTime: metav1.NewTime(time.Now().Add(-5 * time.Hour)),
+				},
+			},
+			[]string{},
+		},
 		{
 			"no delete approved not passed deadline unexpired",
 			metav1.NewTime(time.Now().Add(-1 * time.Minute)),
diff --git a/pkg/controller/certificates/cleaner/pcrcleaner.go b/pkg/controller/certificates/cleaner/pcrcleaner.go
index 9a2107c744f75..93a154136b62f 100644
--- a/pkg/controller/certificates/cleaner/pcrcleaner.go
+++ b/pkg/controller/certificates/cleaner/pcrcleaner.go
@@ -21,15 +21,15 @@ import (
 	"fmt"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
-	certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
 	"k8s.io/client-go/kubernetes"
-	certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
 	"k8s.io/utils/ptr"
@@ -39,7 +39,7 @@ import (
 // minutes.
 type PCRCleanerController struct {
 	client          kubernetes.Interface
-	pcrLister       certlistersv1alpha1.PodCertificateRequestLister
+	pcrLister       certlistersv1beta1.PodCertificateRequestLister
 	clock           clock.PassiveClock
 	threshold       time.Duration
 	pollingInterval time.Duration
@@ -48,7 +48,7 @@ type PCRCleanerController struct {
 // NewPCRCleanerController creates a PCRCleanerController.
 func NewPCRCleanerController(
 	client kubernetes.Interface,
-	pcrLister certinformersv1alpha1.PodCertificateRequestInformer,
+	pcrLister certinformersv1beta1.PodCertificateRequestInformer,
 	clock clock.PassiveClock,
 	threshold time.Duration,
 	pollingInterval time.Duration,
@@ -69,9 +69,7 @@ func (c *PCRCleanerController) Run(ctx context.Context, workers int) {
 	logger.Info("Starting PodCertificateRequest cleaner controller")
 	defer logger.Info("Shutting down PodCertificateRequest cleaner controller")
 
-	go wait.UntilWithContext(ctx, c.worker, c.pollingInterval)
-
-	<-ctx.Done()
+	wait.UntilWithContext(ctx, c.worker, c.pollingInterval)
 }
 
 func (c *PCRCleanerController) worker(ctx context.Context) {
@@ -87,7 +85,7 @@ func (c *PCRCleanerController) worker(ctx context.Context) {
 	}
 }
 
-func (c PCRCleanerController) handle(ctx context.Context, pcr *certsv1alpha1.PodCertificateRequest) error {
+func (c PCRCleanerController) handle(ctx context.Context, pcr *certsv1beta1.PodCertificateRequest) error {
 	if c.clock.Now().Before(pcr.ObjectMeta.CreationTimestamp.Time.Add(c.threshold)) {
 		return nil
 	}
@@ -98,7 +96,7 @@ func (c PCRCleanerController) handle(ctx context.Context, pcr *certsv1alpha1.Pod
 		},
 	}
 
-	err := c.client.CertificatesV1alpha1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Delete(ctx, pcr.ObjectMeta.Name, opts)
+	err := c.client.CertificatesV1beta1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Delete(ctx, pcr.ObjectMeta.Name, opts)
 	if k8serrors.IsNotFound(err) {
 		// This is OK, we don't care if someone else already deleted it.
 		return nil
diff --git a/pkg/controller/certificates/cleaner/pcrcleaner_test.go b/pkg/controller/certificates/cleaner/pcrcleaner_test.go
index a544401432d7b..1eca4f42e81d1 100644
--- a/pkg/controller/certificates/cleaner/pcrcleaner_test.go
+++ b/pkg/controller/certificates/cleaner/pcrcleaner_test.go
@@ -24,7 +24,7 @@ import (
 	"testing"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -42,18 +42,18 @@ func TestPCRCleaner(t *testing.T) {
 
 	testCases := []struct {
 		desc              string
-		pcr               *certsv1alpha1.PodCertificateRequest
+		pcr               *certsv1beta1.PodCertificateRequest
 		wantErrRecognizer func(error) bool
 	}{
 		{
 			desc: "Pending request within the threshold should be left alone",
-			pcr: &certsv1alpha1.PodCertificateRequest{
+			pcr: &certsv1beta1.PodCertificateRequest{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace:         "foo",
 					Name:              "bar",
 					CreationTimestamp: metav1.NewTime(mustParseRFC3339(t, "2025-01-01T00:15:01Z")),
 				},
-				Spec: certsv1alpha1.PodCertificateRequestSpec{
+				Spec: certsv1beta1.PodCertificateRequestSpec{
 					SignerName:           "foo.com/abc",
 					PodName:              "pod-1",
 					PodUID:               types.UID(podUID1),
@@ -70,13 +70,13 @@ func TestPCRCleaner(t *testing.T) {
 		},
 		{
 			desc: "Pending request outside the threshold should be deleted",
-			pcr: &certsv1alpha1.PodCertificateRequest{
+			pcr: &certsv1beta1.PodCertificateRequest{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace:         "foo",
 					Name:              "bar",
 					CreationTimestamp: metav1.NewTime(mustParseRFC3339(t, "2025-01-01T00:14:59Z")),
 				},
-				Spec: certsv1alpha1.PodCertificateRequestSpec{
+				Spec: certsv1beta1.PodCertificateRequestSpec{
 					SignerName:           "foo.com/abc",
 					PodName:              "pod-1",
 					PodUID:               types.UID(podUID1),
@@ -93,13 +93,13 @@ func TestPCRCleaner(t *testing.T) {
 		},
 		{
 			desc: "Terminal request within the threshold should be left alone",
-			pcr: &certsv1alpha1.PodCertificateRequest{
+			pcr: &certsv1beta1.PodCertificateRequest{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace:         "foo",
 					Name:              "bar",
 					CreationTimestamp: metav1.NewTime(mustParseRFC3339(t, "2025-01-01T00:15:01Z")),
 				},
-				Spec: certsv1alpha1.PodCertificateRequestSpec{
+				Spec: certsv1beta1.PodCertificateRequestSpec{
 					SignerName:           "foo.com/abc",
 					PodName:              "pod-1",
 					PodUID:               types.UID(podUID1),
@@ -111,10 +111,10 @@ func TestPCRCleaner(t *testing.T) {
 					PKIXPublicKey:        pubPKIX1,
 					ProofOfPossession:    proof1,
 				},
-				Status: certsv1alpha1.PodCertificateRequestStatus{
+				Status: certsv1beta1.PodCertificateRequestStatus{
 					Conditions: []metav1.Condition{
 						{
-							Type:    certsv1alpha1.PodCertificateRequestConditionTypeDenied,
+							Type:    certsv1beta1.PodCertificateRequestConditionTypeDenied,
 							Status:  metav1.ConditionTrue,
 							Reason:  "Foo",
 							Message: "abc",
@@ -126,13 +126,13 @@ func TestPCRCleaner(t *testing.T) {
 		},
 		{
 			desc: "Terminal request outside the threshold should be deleted",
-			pcr: &certsv1alpha1.PodCertificateRequest{
+			pcr: &certsv1beta1.PodCertificateRequest{
 				ObjectMeta: metav1.ObjectMeta{
 					Namespace:         "foo",
 					Name:              "bar",
 					CreationTimestamp: metav1.NewTime(mustParseRFC3339(t, "2025-01-01T00:14:59Z")),
 				},
-				Spec: certsv1alpha1.PodCertificateRequestSpec{
+				Spec: certsv1beta1.PodCertificateRequestSpec{
 					SignerName:           "foo.com/abc",
 					PodName:              "pod-1",
 					PodUID:               types.UID(podUID1),
@@ -144,10 +144,10 @@ func TestPCRCleaner(t *testing.T) {
 					PKIXPublicKey:        pubPKIX1,
 					ProofOfPossession:    proof1,
 				},
-				Status: certsv1alpha1.PodCertificateRequestStatus{
+				Status: certsv1beta1.PodCertificateRequestStatus{
 					Conditions: []metav1.Condition{
 						{
-							Type:    certsv1alpha1.PodCertificateRequestConditionTypeDenied,
+							Type:    certsv1beta1.PodCertificateRequestConditionTypeDenied,
 							Status:  metav1.ConditionTrue,
 							Reason:  "Foo",
 							Message: "abc",
@@ -173,7 +173,7 @@ func TestPCRCleaner(t *testing.T) {
 			// Simulate a pass of the cleaner worker by listing all PCRs and
 			// calling handle() on them.
 
-			pcrList, err := kc.CertificatesV1alpha1().PodCertificateRequests(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+			pcrList, err := kc.CertificatesV1beta1().PodCertificateRequests(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
 			if err != nil {
 				t.Fatalf("Unexpected error listing PCRs: %v", err)
 			}
@@ -185,7 +185,7 @@ func TestPCRCleaner(t *testing.T) {
 
 			// Now check on the test case's PCR, to see if it was deleted or not
 			// according to our expectation.
-			_, err = kc.CertificatesV1alpha1().PodCertificateRequests(tc.pcr.ObjectMeta.Namespace).Get(ctx, tc.pcr.ObjectMeta.Name, metav1.GetOptions{})
+			_, err = kc.CertificatesV1beta1().PodCertificateRequests(tc.pcr.ObjectMeta.Namespace).Get(ctx, tc.pcr.ObjectMeta.Name, metav1.GetOptions{})
 			if !tc.wantErrRecognizer(err) {
 				t.Errorf("Bad error output: %v", err)
 			}
diff --git a/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go b/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go
index f5293b0583ea9..f39ac0fa41217 100644
--- a/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go
+++ b/pkg/controller/certificates/clustertrustbundlepublisher/publisher.go
@@ -21,6 +21,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"strings"
+	"sync"
 	"time"
 
 	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
@@ -272,22 +273,29 @@ func (p *ClusterTrustBundlePublisher[T]) caContentChangedListener() dynamiccerti
 
 func (p *ClusterTrustBundlePublisher[T]) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
-	defer p.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting ClusterTrustBundle CA cert publisher controller")
-	defer logger.Info("Shutting down ClusterTrustBundle CA cert publisher controller")
 
-	go p.ctbInformer.Run(ctx.Done())
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down ClusterTrustBundle CA cert publisher controller")
+		p.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	wg.Go(func() {
+		p.ctbInformer.Run(ctx.Done())
+	})
 
-	if !cache.WaitForNamedCacheSync("cluster trust bundle", ctx.Done(), p.ctbListerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, p.ctbListerSynced) {
 		return
 	}
 
-	// init the signer syncer
 	p.queue.Add("")
-	go wait.UntilWithContext(ctx, p.runWorker(), time.Second)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, p.runWorker(), time.Second)
+	})
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/certificates/rootcacertpublisher/publisher.go b/pkg/controller/certificates/rootcacertpublisher/publisher.go
index 36127e883e3ad..6c2bc0bfd8305 100644
--- a/pkg/controller/certificates/rootcacertpublisher/publisher.go
+++ b/pkg/controller/certificates/rootcacertpublisher/publisher.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -101,20 +102,26 @@ type Publisher struct {
 // Run starts process
 func (c *Publisher) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting root CA cert publisher controller")
-	defer logger.Info("Shutting down root CA cert publisher controller")
 
-	if !cache.WaitForNamedCacheSync("crt configmap", ctx.Done(), c.cmListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down root CA cert publisher controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.cmListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/certificates/signer/signer.go b/pkg/controller/certificates/signer/signer.go
index 0f0d146e3414d..9695b4d2f6305 100644
--- a/pkg/controller/certificates/signer/signer.go
+++ b/pkg/controller/certificates/signer/signer.go
@@ -22,6 +22,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
+	"sync"
 	"time"
 
 	capi "k8s.io/api/certificates/v1"
@@ -111,9 +112,14 @@ func NewCSRSigningController(
 
 // Run the main goroutine responsible for watching and syncing jobs.
 func (c *CSRSigningController) Run(ctx context.Context, workers int) {
-	go c.dynamicCertReloader.Run(ctx, workers)
-
-	c.certificateController.Run(ctx, workers)
+	var wg sync.WaitGroup
+	wg.Go(func() {
+		c.dynamicCertReloader.Run(ctx, workers)
+	})
+	wg.Go(func() {
+		c.certificateController.Run(ctx, workers)
+	})
+	wg.Wait()
 }
 
 type isRequestForSignerFunc func(req *x509.CertificateRequest, usages []capi.KeyUsage, signerName string) (bool, error)
diff --git a/pkg/controller/clusterroleaggregation/clusterroleaggregation_controller.go b/pkg/controller/clusterroleaggregation/clusterroleaggregation_controller.go
index bebc45160ebaa..2b27994f8e7b7 100644
--- a/pkg/controller/clusterroleaggregation/clusterroleaggregation_controller.go
+++ b/pkg/controller/clusterroleaggregation/clusterroleaggregation_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"sort"
+	"sync"
 	"time"
 
 	rbacv1ac "k8s.io/client-go/applyconfigurations/rbac/v1"
@@ -188,20 +189,26 @@ func ruleExists(haystack []rbacv1.PolicyRule, needle rbacv1.PolicyRule) bool {
 // Run starts the controller and blocks until stopCh is closed.
 func (c *ClusterRoleAggregationController) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting ClusterRoleAggregator controller")
-	defer logger.Info("Shutting down ClusterRoleAggregator controller")
 
-	if !cache.WaitForNamedCacheSync("ClusterRoleAggregator", ctx.Done(), c.clusterRolesSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down ClusterRoleAggregator controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.clusterRolesSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/controller_utils_test.go b/pkg/controller/controller_utils_test.go
index 20fb8056418a3..63a7e2768ae33 100644
--- a/pkg/controller/controller_utils_test.go
+++ b/pkg/controller/controller_utils_test.go
@@ -863,8 +863,10 @@ func TestSortingActivePodsWithRanks(t *testing.T) {
 
 	for i, test := range inequalityTests {
 		t.Run(fmt.Sprintf("Inequality tests %d", i), func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodDeletionCost, !test.disablePodDeletioncost)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LogarithmicScaleDown, !test.disableLogarithmicScaleDown)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.PodDeletionCost:      !test.disablePodDeletioncost,
+				features.LogarithmicScaleDown: !test.disableLogarithmicScaleDown,
+			})
 
 			podsWithRanks := ActivePodsWithRanks{
 				Pods: []*v1.Pod{test.lesser.pod, test.greater.pod},
diff --git a/pkg/controller/cronjob/cronjob_controllerv2.go b/pkg/controller/cronjob/cronjob_controllerv2.go
index f67bd466ba213..89ebd0b098998 100644
--- a/pkg/controller/cronjob/cronjob_controllerv2.go
+++ b/pkg/controller/cronjob/cronjob_controllerv2.go
@@ -22,10 +22,9 @@ import (
 	"reflect"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
-	"github.com/robfig/cron/v3"
-
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -48,6 +47,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/cronjob/metrics"
 	jobutil "k8s.io/kubernetes/pkg/controller/job/util"
+	"k8s.io/kubernetes/pkg/util/parsers"
 	"k8s.io/utils/ptr"
 )
 
@@ -139,20 +139,25 @@ func (jm *ControllerV2) Run(ctx context.Context, workers int) {
 	jm.broadcaster.StartRecordingToSink(&corev1client.EventSinkImpl{Interface: jm.kubeClient.CoreV1().Events("")})
 	defer jm.broadcaster.Shutdown()
 
-	defer jm.queue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting cronjob controller v2")
-	defer logger.Info("Shutting down cronjob controller v2")
 
-	if !cache.WaitForNamedCacheSync("cronjob", ctx.Done(), jm.jobListerSynced, jm.cronJobListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down cronjob controller v2")
+		jm.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, jm.jobListerSynced, jm.cronJobListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, jm.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, jm.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -391,7 +396,7 @@ func (jm *ControllerV2) updateCronJob(logger klog.Logger, old interface{}, curr
 	// the sync loop will essentially be a no-op for the already queued key with old schedule.
 	if oldCJ.Spec.Schedule != newCJ.Spec.Schedule || !ptr.Equal(oldCJ.Spec.TimeZone, newCJ.Spec.TimeZone) {
 		// schedule changed, change the requeue time, pass nil recorder so that syncCronJob will output any warnings
-		sched, err := cron.ParseStandard(formatSchedule(newCJ, nil))
+		sched, err := parsers.ParseCronScheduleWithPanicRecovery(formatSchedule(newCJ, nil))
 		if err != nil {
 			// this is likely a user error in defining the spec value
 			// we should log the error and not reconcile this cronjob until an update to spec
@@ -511,7 +516,7 @@ func (jm *ControllerV2) syncCronJob(
 		return nil, updateStatus, nil
 	}
 
-	sched, err := cron.ParseStandard(formatSchedule(cronJob, jm.recorder))
+	sched, err := parsers.ParseCronScheduleWithPanicRecovery(formatSchedule(cronJob, jm.recorder))
 	if err != nil {
 		// this is likely a user error in defining the spec value
 		// we should log the error and not reconcile this cronjob until an update to spec
diff --git a/pkg/controller/cronjob/utils.go b/pkg/controller/cronjob/utils.go
index 78b4ab7ab0eeb..47d740763ad6f 100644
--- a/pkg/controller/cronjob/utils.go
+++ b/pkg/controller/cronjob/utils.go
@@ -27,10 +27,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -245,19 +243,15 @@ func copyAnnotations(template *batchv1.JobTemplateSpec) labels.Set {
 // granularity of 1 minute for scheduling job.
 func getJobFromTemplate2(cj *batchv1.CronJob, scheduledTime time.Time) (*batchv1.Job, error) {
 	labels := copyLabels(&cj.Spec.JobTemplate)
-	annotations := copyAnnotations(&cj.Spec.JobTemplate)
 	// We want job names for a given nominal start time to have a deterministic name to avoid the same job being created twice
 	name := getJobName(cj, scheduledTime)
-
-	if utilfeature.DefaultFeatureGate.Enabled(features.CronJobsScheduledAnnotation) {
-
-		timeZoneLocation, err := time.LoadLocation(ptr.Deref(cj.Spec.TimeZone, ""))
-		if err != nil {
-			return nil, err
-		}
-		// Append job creation timestamp to the cronJob annotations. The time will be in RFC3339 form.
-		annotations[batchv1.CronJobScheduledTimestampAnnotation] = scheduledTime.In(timeZoneLocation).Format(time.RFC3339)
+	annotations := copyAnnotations(&cj.Spec.JobTemplate)
+	timeZoneLocation, err := time.LoadLocation(ptr.Deref(cj.Spec.TimeZone, ""))
+	if err != nil {
+		return nil, err
 	}
+	// Append job creation timestamp to the cronJob annotations. The time will be in RFC3339 form.
+	annotations[batchv1.CronJobScheduledTimestampAnnotation] = scheduledTime.In(timeZoneLocation).Format(time.RFC3339)
 
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
diff --git a/pkg/controller/cronjob/utils_test.go b/pkg/controller/cronjob/utils_test.go
index 7be27e23b0084..6d6e4820d735d 100644
--- a/pkg/controller/cronjob/utils_test.go
+++ b/pkg/controller/cronjob/utils_test.go
@@ -28,11 +28,8 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/klog/v2/ktesting"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -47,8 +44,6 @@ func TestGetJobFromTemplate2(t *testing.T) {
 		scheduledTime   = *topOfTheHour()
 	)
 
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CronJobsScheduledAnnotation, true)
-
 	cj := batchv1.CronJob{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "mycronjob",
diff --git a/pkg/controller/daemon/daemon_controller.go b/pkg/controller/daemon/daemon_controller.go
index 0ab4290ae55cf..5bcf013020741 100644
--- a/pkg/controller/daemon/daemon_controller.go
+++ b/pkg/controller/daemon/daemon_controller.go
@@ -33,6 +33,7 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	appsinformers "k8s.io/client-go/informers/apps/v1"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
@@ -51,6 +52,7 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/daemon/util"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 const (
@@ -309,14 +311,18 @@ func (dsc *DaemonSetsController) Run(ctx context.Context, workers int) {
 	dsc.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: dsc.kubeClient.CoreV1().Events("")})
 	defer dsc.eventBroadcaster.Shutdown()
 
-	defer dsc.queue.ShutDown()
-	defer dsc.nodeUpdateQueue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting daemon sets controller")
-	defer logger.Info("Shutting down daemon sets controller")
 
-	if !cache.WaitForNamedCacheSync("daemon sets", ctx.Done(), dsc.podStoreSynced, dsc.nodeStoreSynced, dsc.historyStoreSynced, dsc.dsStoreSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down daemon sets controller")
+		dsc.queue.ShutDown()
+		dsc.nodeUpdateQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, dsc.podStoreSynced, dsc.nodeStoreSynced, dsc.historyStoreSynced, dsc.dsStoreSynced) {
 		return
 	}
 	if dsc.namespaceStoreSynced != nil {
@@ -326,12 +332,16 @@ func (dsc *DaemonSetsController) Run(ctx context.Context, workers int) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, dsc.runWorker, time.Second)
-		go wait.UntilWithContext(ctx, dsc.runNodeUpdateWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, dsc.runWorker, time.Second)
+		})
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, dsc.runNodeUpdateWorker, time.Second)
+		})
 	}
-
-	go wait.Until(dsc.failedPodsBackoff.GC, BackoffGCInterval, ctx.Done())
-
+	wg.Go(func() {
+		wait.Until(dsc.failedPodsBackoff.GC, BackoffGCInterval, ctx.Done())
+	})
 	<-ctx.Done()
 }
 
@@ -797,7 +807,7 @@ func (dsc *DaemonSetsController) podsShouldBeOnNode(
 	hash string,
 ) (nodesNeedingDaemonPods, podsToDelete []string) {
 
-	shouldRun, shouldContinueRunning := dsc.nodeShouldRunDaemonPod(node, ds)
+	shouldRun, shouldContinueRunning := dsc.nodeShouldRunDaemonPod(logger, node, ds)
 	daemonPods, exists := nodeToDaemonPods[node.Name]
 
 	switch {
@@ -1152,7 +1162,7 @@ func (dsc *DaemonSetsController) updateDaemonSetStatus(ctx context.Context, ds *
 	var desiredNumberScheduled, currentNumberScheduled, numberMisscheduled, numberReady, updatedNumberScheduled, numberAvailable int
 	now := dsc.failedPodsBackoff.Clock.Now()
 	for _, node := range nodeList {
-		shouldRun, _ := dsc.nodeShouldRunDaemonPod(node, ds)
+		shouldRun, _ := dsc.nodeShouldRunDaemonPod(logger, node, ds)
 		scheduled := len(nodeToDaemonPods[node.Name]) > 0
 
 		if shouldRun {
@@ -1291,7 +1301,7 @@ func (dsc *DaemonSetsController) syncDaemonSet(ctx context.Context, key string)
 //   - shouldContinueRunning:
 //     Returns true when a daemonset should continue running on a node if a daemonset pod is already
 //     running on that node.
-func NodeShouldRunDaemonPod(node *v1.Node, ds *apps.DaemonSet) (bool, bool) {
+func NodeShouldRunDaemonPod(logger klog.Logger, node *v1.Node, ds *apps.DaemonSet) (bool, bool) {
 	pod := NewPod(ds, node.Name)
 
 	// If the daemon set specifies a node name, check that it matches with node.Name.
@@ -1300,16 +1310,16 @@ func NodeShouldRunDaemonPod(node *v1.Node, ds *apps.DaemonSet) (bool, bool) {
 	}
 
 	taints := node.Spec.Taints
-	fitsNodeName, fitsNodeAffinity, fitsTaints := predicates(pod, node, taints)
+	fitsNodeName, fitsNodeAffinity, fitsTaints := predicates(logger, pod, node, taints)
 	if !fitsNodeName || !fitsNodeAffinity {
 		return false, false
 	}
 
 	if !fitsTaints {
 		// Scheduled daemon pods should continue running if they tolerate NoExecute taint.
-		_, hasUntoleratedTaint := v1helper.FindMatchingUntoleratedTaint(taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
+		_, hasUntoleratedTaint := v1helper.FindMatchingUntoleratedTaint(logger, taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
 			return t.Effect == v1.TaintEffectNoExecute
-		})
+		}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators))
 		return false, !hasUntoleratedTaint
 	}
 
@@ -1317,13 +1327,13 @@ func NodeShouldRunDaemonPod(node *v1.Node, ds *apps.DaemonSet) (bool, bool) {
 }
 
 // predicates checks if a DaemonSet's pod can run on a node.
-func predicates(pod *v1.Pod, node *v1.Node, taints []v1.Taint) (fitsNodeName, fitsNodeAffinity, fitsTaints bool) {
+func predicates(logger klog.Logger, pod *v1.Pod, node *v1.Node, taints []v1.Taint) (fitsNodeName, fitsNodeAffinity, fitsTaints bool) {
 	fitsNodeName = len(pod.Spec.NodeName) == 0 || pod.Spec.NodeName == node.Name
 	// Ignore parsing errors for backwards compatibility.
 	fitsNodeAffinity, _ = nodeaffinity.GetRequiredNodeAffinity(pod).Match(node)
-	_, hasUntoleratedTaint := v1helper.FindMatchingUntoleratedTaint(taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
+	_, hasUntoleratedTaint := v1helper.FindMatchingUntoleratedTaint(logger, taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
 		return t.Effect == v1.TaintEffectNoExecute || t.Effect == v1.TaintEffectNoSchedule
-	})
+	}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators))
 	fitsTaints = !hasUntoleratedTaint
 	return
 }
@@ -1447,7 +1457,7 @@ func (dsc *DaemonSetsController) syncNodeUpdate(ctx context.Context, nodeName st
 	}
 
 	for _, ds := range dsList {
-		shouldRun, shouldContinueRunning := dsc.nodeShouldRunDaemonPod(node, ds)
+		shouldRun, shouldContinueRunning := dsc.nodeShouldRunDaemonPod(logger, node, ds)
 
 		dsKey, err := controller.KeyFunc(ds)
 		if err != nil {
diff --git a/pkg/controller/daemon/daemon_controller_test.go b/pkg/controller/daemon/daemon_controller_test.go
index 1f26d2a416b29..221ee3b9acbb0 100644
--- a/pkg/controller/daemon/daemon_controller_test.go
+++ b/pkg/controller/daemon/daemon_controller_test.go
@@ -2376,7 +2376,7 @@ func TestNodeShouldRunDaemonPod(t *testing.T) {
 			node.Status.Conditions = append(node.Status.Conditions, c.nodeCondition...)
 			node.Status.Allocatable = allocatableResources("100M", "1")
 			node.Spec.Unschedulable = c.nodeUnschedulable
-			_, ctx := ktesting.NewTestContext(t)
+			logger, ctx := ktesting.NewTestContext(t)
 			manager, _, _, err := newTestController(ctx)
 			if err != nil {
 				t.Fatalf("error creating DaemonSets controller: %v", err)
@@ -2387,7 +2387,7 @@ func TestNodeShouldRunDaemonPod(t *testing.T) {
 				manager.podStore.Add(p)
 			}
 			c.ds.Spec.UpdateStrategy = *strategy
-			shouldRun, shouldContinueRunning := NodeShouldRunDaemonPod(node, c.ds)
+			shouldRun, shouldContinueRunning := NodeShouldRunDaemonPod(logger, node, c.ds)
 
 			if shouldRun != c.shouldRun {
 				t.Errorf("[%v] strategy: %v, predicateName: %v expected shouldRun: %v, got: %v", i, c.ds.Spec.UpdateStrategy.Type, c.predicateName, c.shouldRun, shouldRun)
diff --git a/pkg/controller/daemon/patch_nodeselector.go b/pkg/controller/daemon/patch_nodeselector.go
index 356437dd52299..cd59823a5fa86 100644
--- a/pkg/controller/daemon/patch_nodeselector.go
+++ b/pkg/controller/daemon/patch_nodeselector.go
@@ -12,6 +12,7 @@ import (
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/flowcontrol"
+	"k8s.io/klog/v2"
 
 	projectv1 "github.com/openshift/api/project/v1"
 )
@@ -42,8 +43,8 @@ func NewNodeSelectorAwareDaemonSetsController(ctx context.Context, openshiftDefa
 	return controller, nil
 }
 
-func (dsc *DaemonSetsController) nodeShouldRunDaemonPod(node *v1.Node, ds *appsv1.DaemonSet) (bool, bool) {
-	shouldRun, shouldContinueRunning := NodeShouldRunDaemonPod(node, ds)
+func (dsc *DaemonSetsController) nodeShouldRunDaemonPod(logger klog.Logger, node *v1.Node, ds *appsv1.DaemonSet) (bool, bool) {
+	shouldRun, shouldContinueRunning := NodeShouldRunDaemonPod(logger, node, ds)
 	if shouldRun && shouldContinueRunning {
 		if matches, matchErr := dsc.namespaceNodeSelectorMatches(node, ds); !matches || matchErr != nil {
 			return false, false
diff --git a/pkg/controller/daemon/update.go b/pkg/controller/daemon/update.go
index c18e09f54ad03..926c9c9dd43e9 100644
--- a/pkg/controller/daemon/update.go
+++ b/pkg/controller/daemon/update.go
@@ -179,7 +179,7 @@ func (dsc *DaemonSetsController) rollingUpdate(ctx context.Context, ds *apps.Dae
 				if err != nil {
 					return fmt.Errorf("couldn't get node for nodeName %q: %v", nodeName, err)
 				}
-				if shouldRun, _ := dsc.nodeShouldRunDaemonPod(node, ds); !shouldRun {
+				if shouldRun, _ := dsc.nodeShouldRunDaemonPod(logger, node, ds); !shouldRun {
 					logger.V(5).Info("DaemonSet pod on node is not available and does not match scheduling constraints, remove old pod", "daemonset", klog.KObj(ds), "node", nodeName, "oldPod", klog.KObj(oldPod))
 					oldPodsToDelete = append(oldPodsToDelete, oldPod.Name)
 					continue
@@ -196,7 +196,7 @@ func (dsc *DaemonSetsController) rollingUpdate(ctx context.Context, ds *apps.Dae
 				if err != nil {
 					return fmt.Errorf("couldn't get node for nodeName %q: %v", nodeName, err)
 				}
-				if shouldRun, _ := dsc.nodeShouldRunDaemonPod(node, ds); !shouldRun {
+				if shouldRun, _ := dsc.nodeShouldRunDaemonPod(logger, node, ds); !shouldRun {
 					shouldNotRunPodsToDelete = append(shouldNotRunPodsToDelete, oldPod.Name)
 					continue
 				}
@@ -586,7 +586,7 @@ func (dsc *DaemonSetsController) updatedDesiredNodeCounts(ctx context.Context, d
 	logger := klog.FromContext(ctx)
 	for i := range nodeList {
 		node := nodeList[i]
-		wantToRun, _ := dsc.nodeShouldRunDaemonPod(node, ds)
+		wantToRun, _ := dsc.nodeShouldRunDaemonPod(logger, node, ds)
 		if !wantToRun {
 			continue
 		}
diff --git a/pkg/controller/deployment/deployment_controller.go b/pkg/controller/deployment/deployment_controller.go
index ec63afd24fbe2..8c5412b868c0d 100644
--- a/pkg/controller/deployment/deployment_controller.go
+++ b/pkg/controller/deployment/deployment_controller.go
@@ -24,6 +24,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"sync"
 	"time"
 
 	apps "k8s.io/api/apps/v1"
@@ -167,20 +168,25 @@ func (dc *DeploymentController) Run(ctx context.Context, workers int) {
 	dc.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: dc.client.CoreV1().Events("")})
 	defer dc.eventBroadcaster.Shutdown()
 
-	defer dc.queue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting controller", "controller", "deployment")
-	defer logger.Info("Shutting down controller", "controller", "deployment")
 
-	if !cache.WaitForNamedCacheSync("deployment", ctx.Done(), dc.dListerSynced, dc.rsListerSynced, dc.podListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down controller", "controller", "deployment")
+		dc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, dc.dListerSynced, dc.rsListerSynced, dc.podListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, dc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, dc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/deployment/progress.go b/pkg/controller/deployment/progress.go
index 279e201b7063f..f7963a6b59ee6 100644
--- a/pkg/controller/deployment/progress.go
+++ b/pkg/controller/deployment/progress.go
@@ -152,7 +152,7 @@ func (dc *DeploymentController) getReplicaFailures(allRSs []*apps.ReplicaSet, ne
 }
 
 // used for unit testing
-var nowFn = func() time.Time { return time.Now() }
+var nowFn = time.Now
 
 // requeueStuckDeployment checks whether the provided deployment needs to be synced for a progress
 // check. It returns the time after the deployment will be requeued for the progress check, 0 if it
diff --git a/pkg/controller/deployment/util/deployment_util.go b/pkg/controller/deployment/util/deployment_util.go
index 473812a120ded..e49b5a94208ed 100644
--- a/pkg/controller/deployment/util/deployment_util.go
+++ b/pkg/controller/deployment/util/deployment_util.go
@@ -766,7 +766,7 @@ func DeploymentProgressing(deployment *apps.Deployment, newStatus *apps.Deployme
 }
 
 // used for unit testing
-var nowFn = func() time.Time { return time.Now() }
+var nowFn = time.Now
 
 // DeploymentTimedOut considers a deployment to have timed out once its condition that reports progress
 // is older than progressDeadlineSeconds or a Progressing condition with a TimedOutReason reason already
diff --git a/pkg/controller/devicetainteviction/config/doc.go b/pkg/controller/devicetainteviction/config/doc.go
new file mode 100644
index 0000000000000..e605045a40158
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+
+package config
diff --git a/pkg/controller/devicetainteviction/config/types.go b/pkg/controller/devicetainteviction/config/types.go
new file mode 100644
index 0000000000000..8bc0544ae0ea1
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/types.go
@@ -0,0 +1,26 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+// DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.
+type DeviceTaintEvictionControllerConfiguration struct {
+	// ConcurrentSyncs is the number of operations (deleting a pod, updating a ResourcClaim status, etc.)
+	// that will be done concurrently. Larger number = processing, but more CPU (and network) load.
+	//
+	// The default is 10.
+	ConcurrentSyncs int32
+}
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/conversion.go b/pkg/controller/devicetainteviction/config/v1alpha1/conversion.go
new file mode 100644
index 0000000000000..6b441c434c1ca
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/conversion.go
@@ -0,0 +1,40 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/kube-controller-manager/config/v1alpha1"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
+)
+
+// Important! The public back-and-forth conversion functions for the types in this package
+// with DeviceTaintEvictionControllerConfiguration types need to be manually exposed like this in order for
+// other packages that reference this package to be able to call these conversion functions
+// in an autogenerated manner.
+// TODO: Fix the bug in conversion-gen so it automatically discovers these Convert_* functions
+// in autogenerated code as well.
+
+// Convert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration is an autogenerated conversion function.
+func Convert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration(in *v1alpha1.DeviceTaintEvictionControllerConfiguration, out *config.DeviceTaintEvictionControllerConfiguration, s conversion.Scope) error {
+	return autoConvert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration(in, out, s)
+}
+
+// Convert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration is an autogenerated conversion function.
+func Convert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration(in *config.DeviceTaintEvictionControllerConfiguration, out *v1alpha1.DeviceTaintEvictionControllerConfiguration, s conversion.Scope) error {
+	return autoConvert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration(in, out, s)
+}
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/defaults.go b/pkg/controller/devicetainteviction/config/v1alpha1/defaults.go
new file mode 100644
index 0000000000000..e9295e561f733
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/defaults.go
@@ -0,0 +1,41 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	kubectrlmgrconfigv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
+)
+
+// RecommendedDefaultDeviceTaintEvictionControllerConfiguration defaults a pointer to a
+// DeviceTaintEvictionControllerConfiguration struct. This will set the recommended default
+// values, but they may be subject to change between API versions. This function
+// is intentionally not registered in the scheme as a "normal" `SetDefaults_Foo`
+// function to allow consumers of this type to set whatever defaults for their
+// embedded configs. Forcing consumers to use these defaults would be problematic
+// as defaulting in the scheme is done as part of the conversion, and there would
+// be no easy way to opt-out. Instead, if you want to use this defaulting method
+// run it in your wrapper struct of this type in its `SetDefaults_` method.
+func RecommendedDefaultDeviceTaintEvictionControllerConfiguration(obj *kubectrlmgrconfigv1alpha1.DeviceTaintEvictionControllerConfiguration) {
+	if obj.ConcurrentSyncs == 0 {
+		// This is a compromise between getting work done and not overwhelming the apiserver
+		// and pod informers. Integration testing with 100 workers modified pods so quickly
+		// that a watch in the integration test couldn't keep up:
+		//   cacher.go:855] cacher (pods): 100 objects queued in incoming channel.
+		//   cache_watcher.go:203] Forcing pods watcher close due to unresponsiveness: key: "/pods/", labels: "", fields: "". len(c.input) = 10, len(c.result) = 10, graceful = false
+		obj.ConcurrentSyncs = 8
+	}
+}
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/defaults_test.go b/pkg/controller/devicetainteviction/config/v1alpha1/defaults_test.go
new file mode 100644
index 0000000000000..7f07f608407af
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/defaults_test.go
@@ -0,0 +1,31 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	kubectrlmgrconfigv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
+)
+
+func TestRecommendedDefaultDeviceTaintEvictionControllerConfiguration(t *testing.T) {
+	config := new(kubectrlmgrconfigv1alpha1.DeviceTaintEvictionControllerConfiguration)
+	RecommendedDefaultDeviceTaintEvictionControllerConfiguration(config)
+	if config.ConcurrentSyncs != 8 {
+		t.Errorf("incorrect default value, expected 8 but got %v", config.ConcurrentSyncs)
+	}
+}
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/doc.go b/pkg/controller/devicetainteviction/config/v1alpha1/doc.go
new file mode 100644
index 0000000000000..67b6807837536
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:conversion-gen=k8s.io/kubernetes/pkg/controller/devicetainteviction/config
+// +k8s:conversion-gen-external-types=k8s.io/kube-controller-manager/config/v1alpha1
+
+package v1alpha1
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/register.go b/pkg/controller/devicetainteviction/config/v1alpha1/register.go
new file mode 100644
index 0000000000000..85bbf3effe499
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/register.go
@@ -0,0 +1,31 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+var (
+	// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
+	SchemeBuilder runtime.SchemeBuilder
+	// localSchemeBuilder extends the SchemeBuilder instance with the external types. In this package,
+	// defaulting and conversion init funcs are registered as well.
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme is a global function that registers this API group & version to a scheme
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.conversion.go b/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.conversion.go
new file mode 100644
index 0000000000000..ec6654aa75d96
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.conversion.go
@@ -0,0 +1,92 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by conversion-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	configv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
+	config "k8s.io/kubernetes/pkg/controller/devicetainteviction/config"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*configv1alpha1.GroupResource)(nil), (*v1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_GroupResource_To_v1_GroupResource(a.(*configv1alpha1.GroupResource), b.(*v1.GroupResource), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*v1.GroupResource)(nil), (*configv1alpha1.GroupResource)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_GroupResource_To_v1alpha1_GroupResource(a.(*v1.GroupResource), b.(*configv1alpha1.GroupResource), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*config.DeviceTaintEvictionControllerConfiguration)(nil), (*configv1alpha1.DeviceTaintEvictionControllerConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration(a.(*config.DeviceTaintEvictionControllerConfiguration), b.(*configv1alpha1.DeviceTaintEvictionControllerConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*configv1alpha1.DeviceTaintEvictionControllerConfiguration)(nil), (*config.DeviceTaintEvictionControllerConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration(a.(*configv1alpha1.DeviceTaintEvictionControllerConfiguration), b.(*config.DeviceTaintEvictionControllerConfiguration), scope)
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func autoConvert_v1alpha1_DeviceTaintEvictionControllerConfiguration_To_config_DeviceTaintEvictionControllerConfiguration(in *configv1alpha1.DeviceTaintEvictionControllerConfiguration, out *config.DeviceTaintEvictionControllerConfiguration, s conversion.Scope) error {
+	out.ConcurrentSyncs = in.ConcurrentSyncs
+	return nil
+}
+
+func autoConvert_config_DeviceTaintEvictionControllerConfiguration_To_v1alpha1_DeviceTaintEvictionControllerConfiguration(in *config.DeviceTaintEvictionControllerConfiguration, out *configv1alpha1.DeviceTaintEvictionControllerConfiguration, s conversion.Scope) error {
+	out.ConcurrentSyncs = in.ConcurrentSyncs
+	return nil
+}
+
+func autoConvert_v1alpha1_GroupResource_To_v1_GroupResource(in *configv1alpha1.GroupResource, out *v1.GroupResource, s conversion.Scope) error {
+	out.Group = in.Group
+	out.Resource = in.Resource
+	return nil
+}
+
+// Convert_v1alpha1_GroupResource_To_v1_GroupResource is an autogenerated conversion function.
+func Convert_v1alpha1_GroupResource_To_v1_GroupResource(in *configv1alpha1.GroupResource, out *v1.GroupResource, s conversion.Scope) error {
+	return autoConvert_v1alpha1_GroupResource_To_v1_GroupResource(in, out, s)
+}
+
+func autoConvert_v1_GroupResource_To_v1alpha1_GroupResource(in *v1.GroupResource, out *configv1alpha1.GroupResource, s conversion.Scope) error {
+	out.Group = in.Group
+	out.Resource = in.Resource
+	return nil
+}
+
+// Convert_v1_GroupResource_To_v1alpha1_GroupResource is an autogenerated conversion function.
+func Convert_v1_GroupResource_To_v1alpha1_GroupResource(in *v1.GroupResource, out *configv1alpha1.GroupResource, s conversion.Scope) error {
+	return autoConvert_v1_GroupResource_To_v1alpha1_GroupResource(in, out, s)
+}
diff --git a/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.deepcopy.go b/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000000..61f6555edfc5a
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,22 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
diff --git a/pkg/controller/devicetainteviction/config/zz_generated.deepcopy.go b/pkg/controller/devicetainteviction/config/zz_generated.deepcopy.go
new file mode 100644
index 0000000000000..a42fadcd4a353
--- /dev/null
+++ b/pkg/controller/devicetainteviction/config/zz_generated.deepcopy.go
@@ -0,0 +1,38 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package config
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintEvictionControllerConfiguration) DeepCopyInto(out *DeviceTaintEvictionControllerConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintEvictionControllerConfiguration.
+func (in *DeviceTaintEvictionControllerConfiguration) DeepCopy() *DeviceTaintEvictionControllerConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintEvictionControllerConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction.go b/pkg/controller/devicetainteviction/device_taint_eviction.go
index d3198e66f1f38..d6075e98b3157 100644
--- a/pkg/controller/devicetainteviction/device_taint_eviction.go
+++ b/pkg/controller/devicetainteviction/device_taint_eviction.go
@@ -18,8 +18,9 @@ package devicetainteviction
 
 import (
 	"context"
-	"errors"
 	"fmt"
+	"iter"
+	"maps"
 	"math"
 	"slices"
 	"strings"
@@ -29,14 +30,18 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
+	resourcealpha "k8s.io/api/resource/v1alpha3"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/diff"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	metav1ac "k8s.io/client-go/applyconfigurations/meta/v1"
+	resourceac "k8s.io/client-go/applyconfigurations/resource/v1alpha3"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	resourceinformers "k8s.io/client-go/informers/resource/v1"
 	resourcealphainformers "k8s.io/client-go/informers/resource/v1alpha3"
@@ -44,10 +49,11 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	corelisters "k8s.io/client-go/listers/core/v1"
+	resourcealphalisters "k8s.io/client-go/listers/resource/v1alpha3"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
 	"k8s.io/dynamic-resource-allocation/resourceclaim"
-	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
@@ -57,9 +63,10 @@ import (
 )
 
 const (
-	// retries is the number of times that the controller tries to delete a pod
-	// that needs to be evicted.
-	retries = 5
+	// ruleStatusPeriod is the shortest time between DeviceTaintRule status
+	// updates while eviction is in progress. Once it is done, it no longer gets
+	// updated until in progress again.
+	ruleStatusPeriod = 10 * time.Second
 )
 
 // Controller listens to Taint changes of DRA devices and Toleration changes of ResourceClaims,
@@ -90,18 +97,29 @@ type Controller struct {
 	podLister     corelisters.PodLister
 	claimInformer resourceinformers.ResourceClaimInformer
 	sliceInformer resourceinformers.ResourceSliceInformer
-	taintInformer resourcealphainformers.DeviceTaintRuleInformer
+	ruleInformer  resourcealphainformers.DeviceTaintRuleInformer
 	classInformer resourceinformers.DeviceClassInformer
+	ruleLister    resourcealphalisters.DeviceTaintRuleLister
 	haveSynced    []cache.InformerSynced
+	hasSynced     atomic.Int32
 	metrics       metrics.Metrics
+	workqueue     workqueue.TypedRateLimitingInterface[workItem]
 
-	// evictPod ensures that the pod gets evicted at the specified time.
-	// It doesn't block.
-	evictPod func(pod tainteviction.NamespacedObject, fireAt time.Time)
+	evictPodHook    func(pod tainteviction.NamespacedObject, eviction evictionAndReason)
+	cancelEvictHook func(pod tainteviction.NamespacedObject) bool
 
-	// cancelEvict cancels eviction set up with evictPod earlier.
-	// Idempotent, returns false if there was nothing to cancel.
-	cancelEvict func(pod tainteviction.NamespacedObject) bool
+	// mutex protects the following shared data structures.
+	mutex sync.Mutex
+
+	// deletePodAt maps a pod to the time when it is meant to be evicted.
+	//
+	// The entry for pod gets deleted when eviction is no longer necessary
+	// and updated when the time changes.
+	deletePodAt map[tainteviction.NamespacedObject]evictionAndReason
+
+	// maybeDeletePodCount counts how often a worker checked a pod.
+	// This is useful for unit testing, but probably not a good public metric.
+	maybeDeletePodCount int64
 
 	// allocatedClaims holds all currently known allocated claims.
 	allocatedClaims map[types.NamespacedName]allocatedClaim // A value is slightly more efficient in BenchmarkTaintUntaint (less allocations!).
@@ -109,7 +127,19 @@ type Controller struct {
 	// pools indexes all slices by driver and pool name.
 	pools map[poolID]pool
 
-	hasSynced atomic.Int32
+	// evictingRules tracks all DeviceTaintRules by name which cause pod eviction.
+	evictingRules map[string]*resourcealpha.DeviceTaintRule
+
+	// taintRuleStats tracks information about work that was done for a specific DeviceTaintRule instance.
+	//
+	// This is potentially a different set of rules than in evictingRules because a rule which is no
+	// longer evicting might have evicted in the past and thus can have some relevant stats.
+	taintRuleStats map[types.UID]taintRuleStats
+}
+
+type taintRuleStats struct {
+	// numEvictedPods is the number of pods evicted because of this rule since starting the controller.
+	numEvictedPods int64
 }
 
 type poolID struct {
@@ -117,7 +147,8 @@ type poolID struct {
 }
 
 type pool struct {
-	slices        sets.Set[*resourceapi.ResourceSlice]
+	// slices maps the global name to the current instance under that name.
+	slices        map[string]*resourceapi.ResourceSlice
 	maxGeneration int64
 }
 
@@ -127,10 +158,10 @@ func (p *pool) addSlice(slice *resourceapi.ResourceSlice) {
 		return
 	}
 	if p.slices == nil {
-		p.slices = sets.New[*resourceapi.ResourceSlice]()
+		p.slices = make(map[string]*resourceapi.ResourceSlice)
 		p.maxGeneration = math.MinInt64
 	}
-	p.slices.Insert(slice)
+	p.slices[slice.Name] = slice
 
 	// Adding a slice can only increase the generation.
 	if slice.Spec.Pool.Generation > p.maxGeneration {
@@ -143,13 +174,13 @@ func (p *pool) removeSlice(slice *resourceapi.ResourceSlice) {
 	if slice == nil {
 		return
 	}
-	p.slices.Delete(slice)
+	delete(p.slices, slice.Name)
 
 	// Removing a slice might have decreased the generation to
 	// that of some other slice.
 	if slice.Spec.Pool.Generation == p.maxGeneration {
 		maxGeneration := int64(math.MinInt64)
-		for slice := range p.slices {
+		for _, slice := range p.slices {
 			if slice.Spec.Pool.Generation > maxGeneration {
 				maxGeneration = slice.Spec.Pool.Generation
 			}
@@ -162,7 +193,7 @@ func (p *pool) removeSlice(slice *resourceapi.ResourceSlice) {
 // The result is sorted by device name.
 func (p pool) getTaintedDevices() []taintedDevice {
 	var buffer []taintedDevice
-	for slice := range p.slices {
+	for _, slice := range p.slices {
 		if slice.Spec.Pool.Generation != p.maxGeneration {
 			continue
 		}
@@ -184,19 +215,19 @@ func (p pool) getTaintedDevices() []taintedDevice {
 }
 
 // getDevice looks up one device by name. Out-dated slices are ignored.
-func (p pool) getDevice(deviceName string) *resourceapi.Device {
-	for slice := range p.slices {
+func (p pool) getDevice(deviceName string) (*resourceapi.ResourceSlice, *resourceapi.Device) {
+	for _, slice := range p.slices {
 		if slice.Spec.Pool.Generation != p.maxGeneration {
 			continue
 		}
 		for i := range slice.Spec.Devices {
 			if slice.Spec.Devices[i].Name == deviceName {
-				return &slice.Spec.Devices[i]
+				return slice, &slice.Spec.Devices[i]
 			}
 		}
 	}
 
-	return nil
+	return nil, nil
 }
 
 type taintedDevice struct {
@@ -209,38 +240,209 @@ type taintedDevice struct {
 type allocatedClaim struct {
 	*resourceapi.ResourceClaim
 
-	// evictionTime, if non-nil, is the time at which pods using this claim need to be evicted.
+	// eviction, if non-nil, is the time at which pods using this claim need to be evicted.
 	// This is the smallest value of all such per-device values.
 	// For each device, the value is calculated as `<time of setting the taint> +
 	// <toleration seconds, 0 if not set>`.
-	evictionTime *metav1.Time
+	eviction *evictionAndReason
 }
 
-func (tc *Controller) deletePodHandler(c clientset.Interface, emitEventFunc func(tainteviction.NamespacedObject)) func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
-	return func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
-		klog.FromContext(ctx).Info("Deleting pod", "pod", args.Object)
-		var err error
-		for i := 0; i < retries; i++ {
-			err = addConditionAndDeletePod(ctx, c, args.Object, &emitEventFunc)
-			if apierrors.IsNotFound(err) {
-				// Not a problem, the work is done.
-				// But we didn't do it, so don't
-				// bump the metric.
-				return nil
-			}
-			if err == nil {
-				tc.metrics.PodDeletionsTotal.Inc()
-				tc.metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt).Seconds()))
-				return nil
-			}
-			time.Sleep(10 * time.Millisecond)
+// evictionAndReason combines the time when eviction needs to start with all reasons
+// why eviction needs to start.
+type evictionAndReason struct {
+	when   metav1.Time
+	reason evictionReason
+}
+
+func (et evictionAndReason) String() string {
+	return fmt.Sprintf("%s (%s)", et.when, et.reason)
+}
+
+func (et *evictionAndReason) equal(other *evictionAndReason) bool {
+	if (et == nil) != (other == nil) ||
+		et == nil {
+		return false
+	}
+	return et.when.Equal(&other.when) &&
+		slices.Equal(et.reason, other.reason)
+}
+
+// evictionReason collects all taints which caused eviction.
+// It supports pretty-printing for logging and inclusion in
+// user-facing descriptions
+type evictionReason []trackedTaint
+
+func (er evictionReason) String() string {
+	var parts []string
+	for _, taint := range er {
+		parts = append(parts, taint.String())
+	}
+	return strings.Join(parts, ", ")
+}
+
+// trackedTaint augments a DeviceTaint with a pointer to its origin.
+// rule and slice are mutually exclusive. Exactly one of them is always set.
+type trackedTaint struct {
+	rule  *resourcealpha.DeviceTaintRule
+	slice sliceDeviceTaint
+}
+
+func (tt trackedTaint) deviceTaint() *resourceapi.DeviceTaint {
+	if tt.rule != nil {
+		// TODO when GA: directly point to rule.Spec.Taint.
+		return &resourceapi.DeviceTaint{
+			Key:       tt.rule.Spec.Taint.Key,
+			Value:     tt.rule.Spec.Taint.Value,
+			Effect:    resourceapi.DeviceTaintEffect(tt.rule.Spec.Taint.Effect),
+			TimeAdded: tt.rule.Spec.Taint.TimeAdded,
 		}
-		return err
 	}
+	if tt.slice.slice != nil {
+		index := slices.IndexFunc(tt.slice.slice.Spec.Devices, func(d resourceapi.Device) bool { return d.Name == tt.slice.deviceName })
+		return &tt.slice.slice.Spec.Devices[index].Taints[tt.slice.taintIndex]
+	}
+
+	// Huh?
+	return nil
+}
+
+func (tt trackedTaint) String() string {
+	if tt.rule != nil {
+		return fmt.Sprintf("DeviceTaintRule %s", newObject(tt.rule))
+	}
+	return fmt.Sprintf("ResourceSlice %s %s/%s/%s taint #%d", newObject(tt.slice.slice), tt.slice.slice.Spec.Driver, tt.slice.slice.Spec.Pool.Name, tt.slice.deviceName, tt.slice.taintIndex)
 }
 
-func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef tainteviction.NamespacedObject, emitEventFunc *func(tainteviction.NamespacedObject)) (err error) {
-	pod, err := c.CoreV1().Pods(podRef.Namespace).Get(ctx, podRef.Name, metav1.GetOptions{})
+func (tt trackedTaint) Compare(b trackedTaint) int {
+	// Rules first...
+	if tt.rule != nil && b.rule == nil {
+		return -1
+	}
+	if tt.rule == nil && b.rule != nil {
+		return 1
+	}
+	if tt.rule != nil {
+		// By rule name.
+		return strings.Compare(tt.rule.Name, b.rule.Name)
+	}
+
+	if tt.slice.slice != nil && b.slice.slice != nil {
+		// Sort by driver/pool/device, then taint index.
+		if cmp := strings.Compare(tt.slice.slice.Spec.Driver, b.slice.slice.Spec.Driver); cmp != 0 {
+			return cmp
+		}
+		if cmp := strings.Compare(tt.slice.slice.Spec.Pool.Name, b.slice.slice.Spec.Pool.Name); cmp != 0 {
+			return cmp
+		}
+		if cmp := strings.Compare(tt.slice.deviceName, b.slice.deviceName); cmp != 0 {
+			return cmp
+		}
+		return tt.slice.taintIndex - b.slice.taintIndex
+	}
+
+	// Both empty? Either way, we cannot compare further.
+	return 0
+}
+
+// sliceDeviceTaint references one taint entry in a ResourceSlice device.
+type sliceDeviceTaint struct {
+	slice      *resourceapi.ResourceSlice
+	deviceName string
+	taintIndex int
+}
+
+// workItem is stored in a workqueue and describes some piece of work which
+// needs to be done.
+type workItem struct {
+	// podRef, if not empty, references a pod which may need to be deleted.
+	//
+	// Controller.deletePodAt is the source of truth for if and when the pod really needs to be removed.
+	podRef tainteviction.NamespacedObject
+
+	// ruleRef, if not empty, is a DeviceTaintRule whose status may have to be updated.
+	//
+	// The initial update is done as quickly as possible to give immediate feedback,
+	// then following updates are done at regular intervals (see ruleStatusPeriod).
+	ruleRef tainteviction.NamespacedObject
+}
+
+func workItemForRule(rule *resourcealpha.DeviceTaintRule) workItem {
+	return workItem{ruleRef: tainteviction.NamespacedObject{NamespacedName: types.NamespacedName{Name: rule.Name}, UID: rule.UID}}
+}
+
+// maybeDeletePod checks whether the pod needs to be deleted now and if so, does it.
+// Three results are possible:
+// - an error if anything goes wrong and the operation needs to be repeated
+// - a positive delay if the operation needs to be repeated in the future
+// - a zero delay if the deletion is done or no longer necessary
+func (tc *Controller) maybeDeletePod(ctx context.Context, podRef tainteviction.NamespacedObject) (againAfter time.Duration, finalErr error) {
+	logger := klog.FromContext(ctx)
+	logger = klog.LoggerWithValues(logger, "pod", podRef)
+
+	// We must not hold this mutex while doing blocking API calls.
+	tc.mutex.Lock()
+	tc.maybeDeletePodCount++
+	eviction, ok := tc.deletePodAt[podRef]
+	tc.mutex.Unlock()
+	logger.V(5).Info("Processing pod deletion work item", "active", ok, "eviction", eviction)
+
+	if !ok {
+		logger.V(5).Info("Work item for pod deletion obsolete, nothing to do")
+		return 0, nil
+	}
+
+	now := time.Now()
+	againAfter = eviction.when.Sub(now)
+	if againAfter > 0 {
+		// Not yet. Maybe the fireAt time got updated.
+		return againAfter, nil
+	}
+
+	defer func() {
+		if finalErr == nil {
+			// Forget the deletion time, we are done.
+			tc.mutex.Lock()
+			delete(tc.deletePodAt, podRef)
+			tc.mutex.Unlock()
+		}
+	}()
+
+	err := tc.addConditionAndDeletePod(ctx, podRef)
+	if apierrors.IsNotFound(err) {
+		// Not a problem, the work is done.
+		// But we didn't do it, so don't
+		// bump the metric.
+		return 0, nil
+	}
+	if err != nil {
+		return 0, err
+	}
+
+	podDeletionLatency := time.Since(eviction.when.Time)
+	logger.V(2).Info("Evicted pod by deleting it", "latency", podDeletionLatency, "reason", eviction.reason)
+	tc.metrics.PodDeletionsTotal.Inc()
+	tc.metrics.PodDeletionsLatency.Observe(float64(podDeletionLatency.Seconds()))
+	tc.mutex.Lock()
+	defer tc.mutex.Unlock()
+	for _, reason := range eviction.reason {
+		if reason.rule != nil {
+			stats := tc.taintRuleStats[reason.rule.UID]
+			stats.numEvictedPods++
+			tc.taintRuleStats[reason.rule.UID] = stats
+
+			// Ensure that the status gets updated eventually.
+			// Doing this immediately is not useful because
+			// it would just race with the informers update
+			// (rule status reads from cache!).
+			tc.workqueue.AddAfter(workItemForRule(reason.rule), ruleStatusPeriod)
+		}
+	}
+
+	return 0, nil
+}
+
+func (tc *Controller) addConditionAndDeletePod(ctx context.Context, podRef tainteviction.NamespacedObject) (err error) {
+	pod, err := tc.client.CoreV1().Pods(podRef.Namespace).Get(ctx, podRef.Name, metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
@@ -252,12 +454,14 @@ func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef
 		return apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
 	}
 
-	// Emit the event only once, and only if we are actually doing something.
-	if *emitEventFunc != nil {
-		(*emitEventFunc)(podRef)
-		*emitEventFunc = nil
+	if pod.DeletionTimestamp != nil {
+		// Already deleted, no need to evict.
+		return nil
 	}
 
+	// Emit the event only if we are actually doing something.
+	tc.emitPodDeletionEvent(podRef)
+
 	newStatus := pod.Status.DeepCopy()
 	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
 		Type:    v1.DisruptionTarget,
@@ -266,7 +470,7 @@ func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef
 		Message: "Device Taint manager: deleting due to NoExecute taint",
 	})
 	if updated {
-		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
+		if _, _, _, err := utilpod.PatchPodStatus(ctx, tc.client, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
 			return err
 		}
 	}
@@ -274,16 +478,243 @@ func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef
 	// another pod using the same name in the meantime. Include a precondition
 	// to prevent that race. This delete attempt then fails and the next one detects
 	// the new pod and stops retrying.
-	return c.CoreV1().Pods(podRef.Namespace).Delete(ctx, podRef.Name, metav1.DeleteOptions{
+	return tc.client.CoreV1().Pods(podRef.Namespace).Delete(ctx, podRef.Name, metav1.DeleteOptions{
 		Preconditions: &metav1.Preconditions{
 			UID: &podRef.UID,
 		},
 	})
 }
 
+func (tc *Controller) maybeUpdateRuleStatus(ctx context.Context, ruleRef tainteviction.NamespacedObject) (time.Duration, error) {
+	logger := klog.FromContext(ctx)
+	logger = klog.LoggerWithValues(logger, "deviceTaintRule", ruleRef)
+	logger.V(5).Info("Processing DeviceTaintRule status work item")
+
+	tc.mutex.Lock()
+	defer tc.mutex.Unlock()
+
+	rule, err := tc.ruleLister.Get(ruleRef.Name)
+	if apierrors.IsNotFound(err) {
+		logger.V(5).Info("DeviceTaintRule got deleted, removing from work queue")
+		return 0, nil
+	}
+	if err != nil {
+		return 0, fmt.Errorf("get DeviceTaintRule %s: %w", ruleRef.Name, err)
+	}
+	if rule.UID != ruleRef.UID {
+		logger.V(5).Info("DeviceTaintRule got replaced, removing old one from work queue")
+		return 0, nil
+	}
+
+	// Already set?
+	index := slices.IndexFunc(rule.Status.Conditions, func(condition metav1.Condition) bool {
+		return condition.Type == resourcealpha.DeviceTaintConditionEvictionInProgress
+	})
+
+	// LastTransitionTime gets bumped each time we make any change to the condition,
+	// even if it is only a change of the message. We use this to track when it is
+	// time for another update.
+	//
+	// This is intentionally checked before counting pending pods because that might
+	// be expensive. The effect is that "eviction in progress" gets set to false
+	// only with a certain delay instead of immediately after deleting the last
+	// pod.
+	var existingCondition metav1.Condition
+	now := metav1.Now()
+	if index >= 0 {
+		existingCondition = rule.Status.Conditions[index]
+		since := now.Time.Sub(existingCondition.LastTransitionTime.Time)
+		if existingCondition.ObservedGeneration == rule.Generation &&
+			since < ruleStatusPeriod {
+			// Don't update quite yet.
+			return ruleStatusPeriod - since, nil
+		}
+	}
+
+	// Checking all pods might be expensive. Only do it if really needed.
+	var numTaintedSliceDevices, numTaintedAllocatedDevices, numPendingPods, numPendingNamespaces int64
+	switch rule.Spec.Taint.Effect {
+	case resourcealpha.DeviceTaintEffectNone:
+		// Temporarily change the effect from None to NoExecute to simulate.
+		// We pretend to do that through informer events. We hold the lock,
+		// so there is no race with real informer events or other goroutines.
+		//
+		// To avoid having a lasting impact on the real controller instance
+		// we make a temporary copy.
+		ruleEvict := rule.DeepCopy()
+		ruleEvict.Spec.Taint.Effect = resourcealpha.DeviceTaintEffectNoExecute
+		tc := &Controller{
+			logger:          klog.LoggerWithName(logger, "simulation"),
+			podLister:       tc.podLister,
+			ruleLister:      nil, // Replaced by simulateRule.
+			deletePodAt:     make(map[tainteviction.NamespacedObject]evictionAndReason),
+			allocatedClaims: maps.Clone(tc.allocatedClaims),
+			pools:           tc.pools,
+			evictingRules:   make(map[string]*resourcealpha.DeviceTaintRule),
+			workqueue:       &NOPQueue[workItem]{},
+		}
+		defer tc.workqueue.ShutDown()
+
+		tc.handleRuleChange(rule, ruleEvict)
+		numPendingPods, numPendingNamespaces, err = tc.countPendingPods(rule)
+		numTaintedSliceDevices, numTaintedAllocatedDevices = tc.countTaintedDevices(rule)
+	case resourcealpha.DeviceTaintEffectNoExecute:
+		numPendingPods, numPendingNamespaces, err = tc.countPendingPods(rule)
+	default:
+		err = nil
+	}
+	if err != nil {
+		return 0, fmt.Errorf("determine pending pods: %w", err)
+	}
+
+	// Some fields are tentative and get updated below.
+	newCondition := metav1.Condition{
+		Type:               resourcealpha.DeviceTaintConditionEvictionInProgress,
+		Status:             metav1.ConditionFalse,
+		Reason:             string("Effect" + rule.Spec.Taint.Effect),
+		ObservedGeneration: rule.Generation,
+		LastTransitionTime: existingCondition.LastTransitionTime, // To avoid a false "is different" in the comparison, gets updated later.
+	}
+	switch rule.Spec.Taint.Effect {
+	case resourcealpha.DeviceTaintEffectNoExecute:
+		switch {
+		case numPendingPods > 0:
+			newCondition.Reason = "PodsPendingEviction"
+			newCondition.Status = metav1.ConditionTrue
+			if numPendingPods == 1 {
+				newCondition.Message = "1 pod needs to be evicted in "
+			} else {
+				newCondition.Message = fmt.Sprintf("%d pods need to be evicted in ", numPendingPods)
+			}
+			if numPendingNamespaces == 1 {
+				newCondition.Message += "1 namespace."
+			} else {
+				newCondition.Message += fmt.Sprintf("%d different namespaces.", numPendingNamespaces)
+			}
+		case tc.taintRuleStats[rule.UID].numEvictedPods > 0:
+			newCondition.Reason = "Completed"
+		default:
+			newCondition.Reason = "NotStarted"
+		}
+	case resourcealpha.DeviceTaintEffectNone:
+		newCondition.Reason = "NoEffect"
+		if numTaintedSliceDevices == 1 {
+			newCondition.Message += "1 published device selected. "
+		} else {
+			newCondition.Message += fmt.Sprintf("%d published devices selected. ", numTaintedSliceDevices)
+		}
+		if numTaintedAllocatedDevices == 1 {
+			newCondition.Message += "1 allocated device selected. "
+		} else {
+			newCondition.Message += fmt.Sprintf("%d allocated devices selected. ", numTaintedAllocatedDevices)
+		}
+		if numPendingPods == 1 {
+			newCondition.Message += "1 pod would be evicted in "
+		} else {
+			newCondition.Message += fmt.Sprintf("%d pods would be evicted in ", numPendingPods)
+		}
+		if numPendingNamespaces == 1 {
+			newCondition.Message += "1 namespace "
+		} else {
+			newCondition.Message += fmt.Sprintf("%d different namespaces ", numPendingNamespaces)
+		}
+		newCondition.Message += "if the effect was NoExecute. This information will not be updated again. Recreate the DeviceTaintRule to trigger an update."
+	default:
+		newCondition.Reason = "OtherEffect"
+		newCondition.Message = "Eviction only happens for the NoExecute effect."
+	}
+	if numEvictedPods := tc.taintRuleStats[rule.UID].numEvictedPods; numEvictedPods > 0 {
+		if newCondition.Message != "" {
+			newCondition.Message += " "
+		}
+		if numEvictedPods == 1 {
+			newCondition.Message += "1 pod "
+		} else {
+			newCondition.Message += fmt.Sprintf("%d pods ", numEvictedPods)
+		}
+		newCondition.Message += "evicted since starting the controller."
+	}
+
+	if newCondition != existingCondition {
+		newCondition.LastTransitionTime = now
+		logger.V(4).Info("Calculated new condition", "condition", newCondition)
+
+		// Apply the new condition, but only if the UID matches.
+		ruleAC := resourceac.DeviceTaintRule(rule.Name).WithUID(rule.UID).WithStatus(resourceac.DeviceTaintRuleStatus().WithConditions(&metav1ac.ConditionApplyConfiguration{
+			Type:               &newCondition.Type,
+			Status:             &newCondition.Status,
+			Reason:             &newCondition.Reason,
+			Message:            &newCondition.Message,
+			ObservedGeneration: &newCondition.ObservedGeneration,
+			LastTransitionTime: &newCondition.LastTransitionTime,
+		}))
+		if _, err := tc.client.ResourceV1alpha3().DeviceTaintRules().ApplyStatus(ctx, ruleAC, metav1.ApplyOptions{FieldManager: tc.name, Force: true}); err != nil {
+			return 0, fmt.Errorf("add condition to DeviceTaintRule status: %w", err)
+		}
+	}
+
+	// No further updates needed until some more pods get evicted or ready for eviction.
+	return 0, nil
+}
+
+func (tc *Controller) countPendingPods(rule *resourcealpha.DeviceTaintRule) (int64, int64, error) {
+	pods, err := tc.podLister.List(labels.Everything())
+	if err != nil {
+		return -1, -1, fmt.Errorf("list pod: %w", err)
+	}
+
+	namespaces := sets.New[string]()
+	var numPendingPods int64
+	for _, pod := range pods {
+		if pod.DeletionTimestamp != nil {
+			continue
+		}
+		eviction := tc.podEvictionTime(pod)
+		if eviction == nil {
+			continue
+		}
+		for _, reason := range eviction.reason {
+			if reason.rule != nil &&
+				reason.rule.UID == rule.UID {
+				numPendingPods++
+				namespaces.Insert(pod.Namespace)
+			}
+		}
+	}
+
+	return numPendingPods, int64(namespaces.Len()), nil
+}
+
+// countTaintedDevices determines the number of devices in slices matching the rule and
+// the number of allocated devices matching the rule.
+func (tc *Controller) countTaintedDevices(rule *resourcealpha.DeviceTaintRule) (numTaintedSliceDevices int64, numTaintedAllocatedDevices int64) {
+	for poolID, pool := range tc.pools {
+		for _, slice := range pool.slices {
+			if slice.Spec.Pool.Generation != pool.maxGeneration {
+				continue
+			}
+			for _, device := range slice.Spec.Devices {
+				if ruleMatchesDevice(rule, poolID.driverName, poolID.poolName, device.Name) {
+					numTaintedSliceDevices++
+				}
+			}
+		}
+	}
+
+	for _, claim := range tc.allocatedClaims {
+		for _, allocatedDevice := range claim.Status.Allocation.Devices.Results {
+			if ruleMatchesDevice(rule, allocatedDevice.Driver, allocatedDevice.Pool, allocatedDevice.Device) {
+				numTaintedAllocatedDevices++
+			}
+		}
+	}
+
+	return
+}
+
 // New creates a new Controller that will use passed clientset to communicate with the API server.
 // Spawns no goroutines. That happens in Run.
-func New(c clientset.Interface, podInformer coreinformers.PodInformer, claimInformer resourceinformers.ResourceClaimInformer, sliceInformer resourceinformers.ResourceSliceInformer, taintInformer resourcealphainformers.DeviceTaintRuleInformer, classInformer resourceinformers.DeviceClassInformer, controllerName string) *Controller {
+func New(c clientset.Interface, podInformer coreinformers.PodInformer, claimInformer resourceinformers.ResourceClaimInformer, sliceInformer resourceinformers.ResourceSliceInformer, ruleInformer resourcealphainformers.DeviceTaintRuleInformer, classInformer resourceinformers.DeviceClassInformer, controllerName string) *Controller {
 	metrics.Register() // It would be nicer to pass the controller name here, but that probably would break generating https://kubernetes.io/docs/reference/instrumentation/metrics.
 
 	tc := &Controller{
@@ -294,33 +725,46 @@ func New(c clientset.Interface, podInformer coreinformers.PodInformer, claimInfo
 		podLister:       podInformer.Lister(),
 		claimInformer:   claimInformer,
 		sliceInformer:   sliceInformer,
-		taintInformer:   taintInformer,
 		classInformer:   classInformer,
+		deletePodAt:     make(map[tainteviction.NamespacedObject]evictionAndReason),
 		allocatedClaims: make(map[types.NamespacedName]allocatedClaim),
 		pools:           make(map[poolID]pool),
+		evictingRules:   make(map[string]*resourcealpha.DeviceTaintRule),
+		taintRuleStats:  make(map[types.UID]taintRuleStats),
 		// Instantiate all informers now to ensure that they get started.
 		haveSynced: []cache.InformerSynced{
 			podInformer.Informer().HasSynced,
 			claimInformer.Informer().HasSynced,
 			sliceInformer.Informer().HasSynced,
-			taintInformer.Informer().HasSynced,
 			classInformer.Informer().HasSynced,
 		},
 		metrics: metrics.Global,
 	}
 
+	// The informer for DeviceTaintRules only gets instantiated if the corresponding
+	// feature is enabled. If disabled, nothings is done with (eviction) or for (status)
+	// any DeviceTaintRule.
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules) {
+		tc.ruleInformer = ruleInformer
+		tc.ruleLister = ruleInformer.Lister()
+		tc.haveSynced = append(tc.haveSynced, ruleInformer.Informer().HasSynced)
+	}
+
 	return tc
 }
 
 // Run starts the controller which will run until the context is done.
 // An error is returned for startup problems.
-func (tc *Controller) Run(ctx context.Context) error {
+func (tc *Controller) Run(ctx context.Context, numWorkers int) error {
 	defer utilruntime.HandleCrash()
 	logger := klog.FromContext(ctx)
-	logger.Info("Starting", "controller", tc.name)
-	defer logger.Info("Shutting down controller", "controller", tc.name)
+	logger.Info("Starting", "controller", tc.name, "numWorkers", numWorkers)
+	defer logger.Info("Shut down controller", "controller", tc.name, "reason", context.Cause(ctx))
 	tc.logger = logger
 
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
 	// Doing debug logging?
 	if loggerV := logger.V(6); loggerV.Enabled() {
 		tc.eventLogger = &loggerV
@@ -334,22 +778,22 @@ func (tc *Controller) Run(ctx context.Context) error {
 	tc.recorder = eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: tc.name}).WithLogger(logger)
 	defer eventBroadcaster.Shutdown()
 
-	taintEvictionQueue := tainteviction.CreateWorkerQueue(tc.deletePodHandler(tc.client, tc.emitPodDeletionEvent))
-	evictPod := tc.evictPod
-	tc.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
-		// Only relevant for testing.
-		if evictPod != nil {
-			evictPod(podRef, fireAt)
-		}
-		taintEvictionQueue.UpdateWork(ctx, &tainteviction.WorkArgs{Object: podRef}, time.Now(), fireAt)
-	}
-	cancelEvict := tc.cancelEvict
-	tc.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
-		if cancelEvict != nil {
-			cancelEvict(podRef)
-		}
-		return taintEvictionQueue.CancelWork(logger, podRef.NamespacedName.String())
-	}
+	queueLogger := klog.LoggerWithName(logger, "workqueue")
+	delayingQueue := workqueue.NewTypedDelayingQueueWithConfig(workqueue.TypedDelayingQueueConfig[workItem]{
+		Logger: &queueLogger,
+		Name:   tc.name,
+	})
+	tc.workqueue = workqueue.NewTypedRateLimitingQueueWithConfig(
+		workqueue.DefaultTypedControllerRateLimiter[workItem](),
+		workqueue.TypedRateLimitingQueueConfig[workItem]{
+			Name:          tc.name,
+			DelayingQueue: delayingQueue,
+		},
+	)
+	defer func() {
+		logger.V(3).Info("Shutting down work queue")
+		tc.workqueue.ShutDown()
+	}()
 
 	// Start events processing pipeline.
 	eventBroadcaster.StartStructuredLogging(3)
@@ -362,9 +806,6 @@ func (tc *Controller) Run(ctx context.Context) error {
 	}
 	defer eventBroadcaster.Shutdown()
 
-	// mutex serializes event processing.
-	var mutex sync.Mutex
-
 	claimHandler, err := tc.claimInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj any) {
 			claim, ok := obj.(*resourceapi.ResourceClaim)
@@ -372,8 +813,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleClaimChange(nil, claim)
 		},
 		UpdateFunc: func(oldObj, newObj any) {
@@ -386,8 +827,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 			if !ok {
 				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", newObj))
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleClaimChange(oldClaim, newClaim)
 		},
 		DeleteFunc: func(obj any) {
@@ -399,8 +840,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleClaimChange(claim, nil)
 		},
 	})
@@ -416,11 +857,11 @@ func (tc *Controller) Run(ctx context.Context) error {
 		AddFunc: func(obj any) {
 			pod, ok := obj.(*v1.Pod)
 			if !ok {
-				logger.Error(nil, "Expected ResourcePod", "actual", fmt.Sprintf("%T", obj))
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handlePodChange(nil, pod)
 		},
 		UpdateFunc: func(oldObj, newObj any) {
@@ -433,8 +874,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 			if !ok {
 				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", newObj))
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handlePodChange(oldPod, newPod)
 		},
 		DeleteFunc: func(obj any) {
@@ -446,8 +887,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handlePodChange(pod, nil)
 		},
 	})
@@ -459,39 +900,64 @@ func (tc *Controller) Run(ctx context.Context) error {
 	}()
 	tc.haveSynced = append(tc.haveSynced, podHandler.HasSynced)
 
-	opts := resourceslicetracker.Options{
-		EnableDeviceTaints:       true,
-		EnableConsumableCapacity: utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity),
-		SliceInformer:            tc.sliceInformer,
-		TaintInformer:            tc.taintInformer,
-		ClassInformer:            tc.classInformer,
-		KubeClient:               tc.client,
-	}
-	sliceTracker, err := resourceslicetracker.StartTracker(ctx, opts)
-	if err != nil {
-		return fmt.Errorf("initialize ResourceSlice tracker: %w", err)
-	}
-	tc.haveSynced = append(tc.haveSynced, sliceTracker.HasSynced)
-	defer sliceTracker.Stop()
-
-	// Wait for tracker to sync before we react to events.
-	// This doesn't have to be perfect, it merely avoids unnecessary
-	// work which might be done as events get emitted for intermediate
-	// state.
-	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.haveSynced...) {
-		return errors.New("wait for cache sync timed out")
+	if tc.ruleInformer != nil {
+		ruleHandler, err := tc.ruleInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+			AddFunc: func(obj any) {
+				rule, ok := obj.(*resourcealpha.DeviceTaintRule)
+				if !ok {
+					logger.Error(nil, "Expected DeviceTaintRule", "actual", fmt.Sprintf("%T", obj))
+					return
+				}
+				tc.mutex.Lock()
+				defer tc.mutex.Unlock()
+				tc.handleRuleChange(nil, rule)
+			},
+			UpdateFunc: func(oldObj, newObj any) {
+				oldRule, ok := oldObj.(*resourcealpha.DeviceTaintRule)
+				if !ok {
+					logger.Error(nil, "Expected DeviceTaintRule", "actual", fmt.Sprintf("%T", oldObj))
+					return
+				}
+				newRule, ok := newObj.(*resourcealpha.DeviceTaintRule)
+				if !ok {
+					logger.Error(nil, "Expected DeviceTaintRule", "actual", fmt.Sprintf("%T", newObj))
+				}
+				tc.mutex.Lock()
+				defer tc.mutex.Unlock()
+				tc.handleRuleChange(oldRule, newRule)
+			},
+			DeleteFunc: func(obj any) {
+				if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+					obj = tombstone.Obj
+				}
+				rule, ok := obj.(*resourcealpha.DeviceTaintRule)
+				if !ok {
+					logger.Error(nil, "Expected DeviceTaintRule", "actual", fmt.Sprintf("%T", obj))
+					return
+				}
+				tc.mutex.Lock()
+				defer tc.mutex.Unlock()
+				tc.handleRuleChange(rule, nil)
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("adding DeviceTaintRule event handler: %w", err)
+		}
+		defer func() {
+			_ = tc.ruleInformer.Informer().RemoveEventHandler(ruleHandler)
+		}()
+		tc.haveSynced = append(tc.haveSynced, ruleHandler.HasSynced)
 	}
-	logger.V(1).Info("Underlying informers have synced")
 
-	_, err = sliceTracker.AddEventHandler(cache.ResourceEventHandlerFuncs{
+	sliceHandler, err := tc.sliceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj any) {
 			slice, ok := obj.(*resourceapi.ResourceSlice)
 			if !ok {
 				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleSliceChange(nil, slice)
 		},
 		UpdateFunc: func(oldObj, newObj any) {
@@ -504,8 +970,8 @@ func (tc *Controller) Run(ctx context.Context) error {
 			if !ok {
 				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", newObj))
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleSliceChange(oldSlice, newSlice)
 		},
 		DeleteFunc: func(obj any) {
@@ -515,23 +981,103 @@ func (tc *Controller) Run(ctx context.Context) error {
 				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
 				return
 			}
-			mutex.Lock()
-			defer mutex.Unlock()
+			tc.mutex.Lock()
+			defer tc.mutex.Unlock()
 			tc.handleSliceChange(slice, nil)
 		},
 	})
 	if err != nil {
-		return fmt.Errorf("add slice event handler: %w", err)
+		return fmt.Errorf("adding slice event handler: %w", err)
 	}
+	defer func() {
+		_ = tc.sliceInformer.Informer().RemoveEventHandler(sliceHandler)
+	}()
+	tc.haveSynced = append(tc.haveSynced, sliceHandler.HasSynced)
 
-	// sliceTracker.AddEventHandler blocked while delivering events for all known
-	// ResourceSlices. Therefore our own state is up-to-date once we get here.
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.haveSynced...) {
+		// If we get here, the caller canceled the context. This is not an error.
+		return nil
+	}
+	logger.V(1).Info("Underlying informers have synced")
 	tc.hasSynced.Store(1)
 
+	for i := range numWorkers {
+		wg.Go(func() {
+			tc.worker(klog.NewContext(ctx, klog.LoggerWithName(queueLogger, fmt.Sprintf("worker-%d", i))))
+		})
+	}
+
 	<-ctx.Done()
 	return nil
 }
 
+// evictPod ensures that the pod gets evicted at the specified time.
+// It doesn't block.
+func (tc *Controller) evictPod(podRef tainteviction.NamespacedObject, eviction evictionAndReason) {
+	tc.deletePodAt[podRef] = eviction
+	now := time.Now()
+	tc.workqueue.AddAfter(workItem{podRef: podRef}, eviction.when.Sub(now))
+
+	if tc.evictPodHook != nil {
+		tc.evictPodHook(podRef, eviction)
+	}
+}
+
+// cancelEvict cancels eviction set up with evictPod earlier.
+// Idempotent, returns false if there was nothing to cancel.
+func (tc *Controller) cancelEvict(podRef tainteviction.NamespacedObject) bool {
+	_, ok := tc.deletePodAt[podRef]
+	if !ok {
+		// Nothing to cancel.
+		return false
+	}
+	delete(tc.deletePodAt, podRef)
+
+	if tc.cancelEvictHook != nil {
+		tc.cancelEvictHook(podRef)
+	}
+
+	// Cannot remove from a work queue. The worker will detect that the entry is obsolete by checking deletePodAt.
+	return true
+}
+
+// worker blocks until the workqueue is shut down.
+// Cancellation of the context only aborts on-going work.
+func (tc *Controller) worker(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	defer utilruntime.HandleCrashWithLogger(logger)
+
+	for {
+		item, shutdown := tc.workqueue.Get()
+		if shutdown {
+			return
+		}
+
+		func() {
+			defer tc.workqueue.Done(item)
+
+			againAfter, err := tc.handleWork(ctx, item)
+			switch {
+			case err != nil:
+				logger.V(3).Info("Processing work item failed, will retry", "err", err)
+				tc.workqueue.AddRateLimited(item)
+			case againAfter > 0:
+				logger.V(5).Info("Checking work item again later", "delay", againAfter)
+				tc.workqueue.AddAfter(item, againAfter)
+			default:
+				tc.workqueue.Forget(item)
+			}
+		}()
+	}
+}
+
+func (tc *Controller) handleWork(ctx context.Context, item workItem) (time.Duration, error) {
+	if item.podRef.Name != "" {
+		return tc.maybeDeletePod(ctx, item.podRef)
+	}
+	return tc.maybeUpdateRuleStatus(ctx, item.ruleRef)
+}
+
 func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.ResourceClaim) {
 	claim := newClaim
 	if claim == nil {
@@ -557,7 +1103,7 @@ func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.Resource
 		}
 		tc.allocatedClaims[name] = allocatedClaim{
 			ResourceClaim: claim,
-			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+			eviction:      tc.claimEvictionTime(claim),
 		}
 		tc.handlePods(claim)
 		return
@@ -586,7 +1132,7 @@ func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.Resource
 	if oldClaim.Status.Allocation == nil && newClaim.Status.Allocation != nil {
 		tc.allocatedClaims[name] = allocatedClaim{
 			ResourceClaim: claim,
-			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+			eviction:      tc.claimEvictionTime(claim),
 		}
 		syncBothClaims()
 		return
@@ -605,7 +1151,7 @@ func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.Resource
 		// time. Storing the newer claim is enough.
 		tc.allocatedClaims[name] = allocatedClaim{
 			ResourceClaim: claim,
-			evictionTime:  tc.allocatedClaims[name].evictionTime,
+			eviction:      tc.allocatedClaims[name].eviction,
 		}
 		syncBothClaims()
 		return
@@ -614,30 +1160,25 @@ func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.Resource
 	// If we get here, nothing changed.
 }
 
-// evictionTime returns the earliest TimeAdded of any NoExecute taint in any allocated device
-// unless that taint is tolerated, nil if none.
-func (tc *Controller) evictionTime(allocation *resourceapi.AllocationResult) *metav1.Time {
-	var evictionTime *metav1.Time
+// claimEvictionTime returns the earliest TimeAdded of any NoExecute taint in any allocated device
+// unless that taint is tolerated, nil if none. May only be called for allocated claims.
+func (tc *Controller) claimEvictionTime(claim *resourceapi.ResourceClaim) *evictionAndReason {
+	var when *metav1.Time
+	var taints sets.Set[trackedTaint]
 
+	allocation := claim.Status.Allocation
 	for _, allocatedDevice := range allocation.Devices.Results {
-		device := tc.pools[poolID{driverName: allocatedDevice.Driver, poolName: allocatedDevice.Pool}].getDevice(allocatedDevice.Device)
-		if device == nil {
-			// Unknown device? Can't be tainted...
-			continue
-		}
+		id := poolID{driverName: allocatedDevice.Driver, poolName: allocatedDevice.Pool}
+		slice, device := tc.pools[id].getDevice(allocatedDevice.Device)
 
 	nextTaint:
-		for _, taint := range device.Taints {
-			if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
-				continue
-			}
-
-			newEvictionTime := taint.TimeAdded
+		for taint := range tc.allEvictingDeviceTaints(allocatedDevice, slice, device) {
+			newEvictionTime := taint.deviceTaint().TimeAdded
 			haveToleration := false
 			tolerationSeconds := int64(math.MaxInt64)
 			for _, toleration := range allocatedDevice.Tolerations {
 				if toleration.Effect == resourceapi.DeviceTaintEffectNoExecute &&
-					resourceclaim.ToleratesTaint(toleration, taint) {
+					resourceclaim.ToleratesTaint(toleration, *taint.deviceTaint()) {
 					if toleration.TolerationSeconds == nil {
 						// Tolerate forever -> ignore taint.
 						continue nextTaint
@@ -655,18 +1196,122 @@ func (tc *Controller) evictionTime(allocation *resourceapi.AllocationResult) *me
 			if haveToleration {
 				newEvictionTime = &metav1.Time{Time: newEvictionTime.Add(time.Duration(tolerationSeconds) * time.Second)}
 			}
+			if taints == nil {
+				taints = sets.New[trackedTaint]()
+			}
+			taints.Insert(taint)
+			if when == nil {
+				when = newEvictionTime
+				tc.logger.V(5).Info("Claim is affected by device taint", "claim", klog.KObj(claim), "device", allocatedDevice, "taint", taint, "evictionTime", when)
+				continue
+			}
+			if newEvictionTime != nil && newEvictionTime.Before(when) {
+				when = newEvictionTime
+				tc.logger.V(5).Info("Claim is affected by device taint", "claim", klog.KObj(claim), "device", allocatedDevice, "taint", taint, "evictionTime", when)
+			}
+		}
+	}
 
-			if evictionTime == nil {
-				evictionTime = newEvictionTime
+	if when == nil {
+		return nil
+	}
+	eviction := &evictionAndReason{when: *when, reason: taints.UnsortedList()}
+	slices.SortFunc(eviction.reason, func(a, b trackedTaint) int { return a.Compare(b) })
+	return eviction
+}
+
+// allEvictingDeviceTaints allows iterating over all DeviceTaintRules with NoExecute effect which affect the allocated device.
+// A taint may come from either the ResourceSlice informer (not the tracker!) or from a DeviceTaintRule, but not both.
+func (tc *Controller) allEvictingDeviceTaints(allocatedDevice resourceapi.DeviceRequestAllocationResult, slice *resourceapi.ResourceSlice, device *resourceapi.Device) iter.Seq[trackedTaint] {
+	evictingRules := tc.evictingRules
+
+	return func(yield func(trackedTaint) bool) {
+		if device != nil {
+			for i := range device.Taints {
+				taint := &device.Taints[i]
+				if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
+					continue
+				}
+				if !yield(trackedTaint{slice: sliceDeviceTaint{slice: slice, deviceName: device.Name, taintIndex: i}}) {
+					return
+				}
+			}
+		}
+
+		for _, rule := range evictingRules {
+			if !ruleMatchesDevice(rule, allocatedDevice.Driver, allocatedDevice.Pool, allocatedDevice.Device) {
 				continue
 			}
-			if newEvictionTime != nil && newEvictionTime.Before(evictionTime) {
-				evictionTime = newEvictionTime
+
+			if !yield(trackedTaint{rule: rule}) {
+				return
 			}
 		}
 	}
+}
+
+func ruleMatchesDevice(rule *resourcealpha.DeviceTaintRule, driverName, poolName, deviceName string) bool {
+	selector := rule.Spec.DeviceSelector
+	if selector == nil {
+		return false
+	}
+	if selector.Driver != nil && *selector.Driver != driverName ||
+		selector.Pool != nil && *selector.Pool != poolName ||
+		selector.Device != nil && *selector.Device != deviceName {
+		return false
+	}
+	return true
+}
+
+func (tc *Controller) handleRuleChange(oldRule, newRule *resourcealpha.DeviceTaintRule) {
+	rule := newRule
+	if rule == nil {
+		rule = oldRule
+	}
+	name := newNamespacedName(rule)
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("DeviceTaintRule changed", "ruleObject", name, "oldRule", klog.Format(oldRule), "newRule", klog.Format(newRule), "diff", diff.Diff(oldRule, newRule))
+	}
+
+	if oldRule == nil {
+		// Update the status at least once.
+		tc.workqueue.Add(workItemForRule(newRule))
+	}
 
-	return evictionTime
+	if newRule == nil {
+		// Clean up to avoid memory leak.
+		delete(tc.taintRuleStats, oldRule.UID)
+		delete(tc.evictingRules, oldRule.Name)
+		// Removal from the work queue is handled when a worker handles the work item.
+		// A work queue does not support canceling work.
+	}
+
+	if oldRule != nil &&
+		newRule != nil &&
+		oldRule.UID == newRule.UID &&
+		apiequality.Semantic.DeepEqual(&oldRule.Spec, &newRule.Spec) {
+		return
+	}
+
+	// Rule spec changes should be rare. Simply do a brute-force re-evaluation of all allocated claims.
+	// Same with trying to avoid delete+add in evictingRules, the logic just becomes unnecessarily complex.
+	if oldRule != nil && oldRule.Spec.Taint.Effect == resourcealpha.DeviceTaintEffectNoExecute {
+		delete(tc.evictingRules, oldRule.Name)
+	}
+	if newRule != nil && newRule.Spec.Taint.Effect == resourcealpha.DeviceTaintEffectNoExecute {
+		tc.evictingRules[newRule.Name] = newRule
+	}
+	for name, oldAllocatedClaim := range tc.allocatedClaims {
+		newAllocatedClaim := allocatedClaim{
+			ResourceClaim: oldAllocatedClaim.ResourceClaim,
+			eviction:      tc.claimEvictionTime(oldAllocatedClaim.ResourceClaim),
+		}
+		tc.allocatedClaims[name] = newAllocatedClaim
+		if !newAllocatedClaim.eviction.equal(oldAllocatedClaim.eviction) {
+			tc.handlePods(newAllocatedClaim.ResourceClaim)
+		}
+	}
 }
 
 func (tc *Controller) handleSliceChange(oldSlice, newSlice *resourceapi.ResourceSlice) {
@@ -686,9 +1331,6 @@ func (tc *Controller) handleSliceChange(oldSlice, newSlice *resourceapi.Resource
 	// Determine old and new device taints. Only devices
 	// where something changes trigger additional checks for claims
 	// using them.
-	//
-	// The pre-allocated slices are small enough to be allocated on
-	// the stack (https://stackoverflow.com/a/69187698/222305).
 	p := tc.pools[poolID]
 	oldDeviceTaints := p.getTaintedDevices()
 	p.removeSlice(oldSlice)
@@ -745,12 +1387,12 @@ func (tc *Controller) handleSliceChange(oldSlice, newSlice *resourceapi.Resource
 		if !usesDevice(claim.Status.Allocation, poolID, modifiedDevices) {
 			continue
 		}
-		newEvictionTime := tc.evictionTime(claim.ResourceClaim.Status.Allocation)
-		if newEvictionTime.Equal(claim.evictionTime) {
+		newEvictionTime := tc.claimEvictionTime(claim.ResourceClaim)
+		if newEvictionTime.equal(claim.eviction) {
 			// No change.
 			continue
 		}
-		claim.evictionTime = newEvictionTime
+		claim.eviction = newEvictionTime
 		tc.allocatedClaims[name] = claim
 		// We could collect pods which depend on claims with changes.
 		// In practice, most pods probably depend on one claim, so
@@ -805,7 +1447,7 @@ func (tc *Controller) handlePodChange(oldPod, newPod *v1.Pod) {
 func (tc *Controller) handlePods(claim *resourceapi.ResourceClaim) {
 	for _, consumer := range claim.Status.ReservedFor {
 		if consumer.APIGroup == "" && consumer.Resource == "pods" {
-			pod, err := tc.podInformer.Lister().Pods(claim.Namespace).Get(consumer.Name)
+			pod, err := tc.podLister.Pods(claim.Namespace).Get(consumer.Name)
 			if err != nil {
 				if apierrors.IsNotFound(err) {
 					return
@@ -824,14 +1466,35 @@ func (tc *Controller) handlePods(claim *resourceapi.ResourceClaim) {
 }
 
 func (tc *Controller) handlePod(pod *v1.Pod) {
+	eviction := tc.podEvictionTime(pod)
+	podRef := newObject(pod)
+	if eviction == nil {
+		if tc.cancelWorkWithEvent(podRef) {
+			tc.logger.V(3).Info("Canceled pod eviction", "pod", podRef)
+		}
+		return
+	}
+
+	tc.logger.V(3).Info("Going to evict pod", "pod", podRef, "eviction", eviction)
+	tc.evictPod(podRef, *eviction)
+
+	// If any reason is because of a taint, then eviction is in progress and the status may need to be updated.
+	for _, reason := range eviction.reason {
+		if reason.rule != nil {
+			tc.workqueue.Add(workItemForRule(reason.rule))
+		}
+	}
+}
+
+func (tc *Controller) podEvictionTime(pod *v1.Pod) *evictionAndReason {
 	// Not scheduled yet? No need to evict.
 	if pod.Spec.NodeName == "" {
-		return
+		return nil
 	}
 
 	// If any claim in use by the pod is tainted such that the taint is not tolerated,
 	// the pod needs to be evicted.
-	var evictionTime *metav1.Time
+	var eviction *evictionAndReason
 	for i := range pod.Spec.ResourceClaims {
 		claimName, mustCheckOwner, err := resourceclaim.Name(pod, &pod.Spec.ResourceClaims[i])
 		if err != nil {
@@ -857,26 +1520,45 @@ func (tc *Controller) handlePod(pod *v1.Pod) {
 			// replacement under the same name. Either way, ignore.
 			continue
 		}
-		if allocatedClaim.evictionTime == nil {
+		if allocatedClaim.eviction == nil {
 			continue
 		}
-		if evictionTime == nil || allocatedClaim.evictionTime.Before(evictionTime) {
-			evictionTime = allocatedClaim.evictionTime
+		if eviction == nil {
+			// Use the new eviction time as-is.
+			eviction = allocatedClaim.eviction
+		} else {
+			// Join reasons and figure out the new time.
+			// Might not actually lead to any change.
+			newEvictionTime := &evictionAndReason{
+				when:   allocatedClaim.eviction.when,
+				reason: slices.Clone(allocatedClaim.eviction.reason),
+			}
+			// Multiple reasons affecting the same pod should be so rare,
+			// a simple insertion sort is fine.
+			for _, reason := range eviction.reason {
+				index, found := slices.BinarySearchFunc(newEvictionTime.reason, reason, func(a, b trackedTaint) int { return a.Compare(b) })
+				if !found {
+					newEvictionTime.reason = slices.Insert(newEvictionTime.reason, index, reason)
+				}
+			}
+			if eviction.when.Before(&newEvictionTime.when) {
+				newEvictionTime.when = eviction.when
+			}
+			if !eviction.equal(newEvictionTime) {
+				eviction = newEvictionTime
+			}
 		}
 	}
 
-	podRef := newObject(pod)
-	if evictionTime != nil {
-		tc.evictPod(podRef, evictionTime.Time)
-	} else {
-		tc.cancelWorkWithEvent(podRef)
-	}
+	return eviction
 }
 
-func (tc *Controller) cancelWorkWithEvent(podRef tainteviction.NamespacedObject) {
+func (tc *Controller) cancelWorkWithEvent(podRef tainteviction.NamespacedObject) bool {
 	if tc.cancelEvict(podRef) {
 		tc.emitCancelPodDeletionEvent(podRef)
+		return true
 	}
+	return false
 }
 
 func (tc *Controller) emitPodDeletionEvent(podRef tainteviction.NamespacedObject) {
@@ -914,7 +1596,11 @@ func newNamespacedName(obj metav1.Object) types.NamespacedName {
 	}
 }
 
+// TODO: replace with klog.ObjectInstance (https://github.com/kubernetes/klog/issues/422#issuecomment-3454948091).
 func newObject(obj metav1.Object) tainteviction.NamespacedObject {
+	if obj == nil {
+		return tainteviction.NamespacedObject{}
+	}
 	return tainteviction.NamespacedObject{
 		NamespacedName: newNamespacedName(obj),
 		UID:            obj.GetUID(),
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction_test.go b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
index 1aee69fbfe686..3549be58ab2ab 100644
--- a/pkg/controller/devicetainteviction/device_taint_eviction_test.go
+++ b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
@@ -19,9 +19,10 @@ package devicetainteviction
 import (
 	"errors"
 	"fmt"
+	"maps"
 	"math"
+	"reflect"
 	"slices"
-	"sort"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -35,32 +36,65 @@ import (
 	gomegatypes "github.com/onsi/gomega/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/watch"
 
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
+	resourcealpha "k8s.io/api/resource/v1alpha3"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/watch"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	core "k8s.io/client-go/testing"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	metricstestutil "k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
 	"k8s.io/kubernetes/pkg/controller/tainteviction"
 	controllertestutil "k8s.io/kubernetes/pkg/controller/testutil"
+	"k8s.io/kubernetes/pkg/features"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
+// Reduce typing with some constructors.
+
+func metav1Time(time time.Time) *metav1.Time {
+	return &metav1.Time{Time: time}
+}
+
+func ac(claim *resourceapi.ResourceClaim, eviction ...*evictionAndReason) allocatedClaim {
+	ac := allocatedClaim{
+		ResourceClaim: claim,
+	}
+	switch len(eviction) {
+	case 1:
+		ac.eviction = eviction[0]
+	case 0:
+	default:
+		panic("wrong number of evictions")
+	}
+	return ac
+}
+
+func l[T any](items ...T) []T {
+	return items
+}
+
 // setup creates a controller which is ready to have its handle* methods called.
-func setup(tb testing.TB) *testContext {
-	tCtx := ktesting.Init(tb)
-	fakeClientset := fake.NewSimpleClientset()
+func setup(tCtx ktesting.TContext) *testContext {
+	featuregatetesting.SetFeatureGatesDuringTest(tCtx, utilfeature.DefaultFeatureGate,
+		featuregatetesting.FeatureOverrides{
+			features.DRADeviceTaints:     true,
+			features.DRADeviceTaintRules: true,
+		},
+	)
+
+	fakeClientset := fake.NewClientset()
 	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
 	controller := New(fakeClientset,
 		informerFactory.Core().V1().Pods(),
@@ -77,38 +111,10 @@ func setup(tb testing.TB) *testContext {
 		client:          fakeClientset,
 		informerFactory: informerFactory,
 	}
+	controller.workqueue = &tContext.mockQueue
 	tContext.logger = tCtx.Logger()
 	// Always log, not matter what the -v value is.
 	controller.eventLogger = &tContext.logger
-	tContext.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
-		// Always replace an existing entry for the same pod.
-		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool {
-			return e.podRef == podRef
-		})
-		e := evictAt{podRef, fireAt}
-		if index == -1 {
-			tContext.evicting = append(tContext.evicting, e)
-		} else {
-			tContext.evicting[index] = e
-		}
-		sort.Slice(tContext.evicting, func(i, j int) bool {
-			switch strings.Compare(tContext.evicting[i].podRef.Namespace, tContext.evicting[j].podRef.Namespace) {
-			case 1:
-				return false
-			case -1:
-				return true
-			}
-			return tContext.evicting[i].podRef.Name < tContext.evicting[j].podRef.Name
-		})
-	}
-	tContext.cancelEvict = func(pod tainteviction.NamespacedObject) bool {
-		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool { return e.podRef == pod })
-		if index >= 0 {
-			tContext.evicting = slices.Delete(tContext.evicting, index, index+1)
-			return true
-		}
-		return false
-	}
 	tContext.Controller.recorder = tContext.recorder
 
 	return tContext
@@ -117,24 +123,43 @@ func setup(tb testing.TB) *testContext {
 type testContext struct {
 	ktesting.TContext
 	*Controller
-	evicting        []evictAt // sorted by namespace, name
+	mockQueue       Mock[workItem]
 	recorder        *controllertestutil.FakeRecorder
 	client          *fake.Clientset
 	informerFactory informers.SharedInformerFactory
 }
 
-type evictAt struct {
-	podRef tainteviction.NamespacedObject
-	fireAt time.Time
-}
-
 type state struct {
 	pods            []*v1.Pod
 	allocatedClaims []allocatedClaim
 	slices          []*resourceapi.ResourceSlice
-	evicting        []evictAt
+	rules           []*resourcealpha.DeviceTaintRule
+	ruleStats       map[types.UID]taintRuleStats
+
+	// Pods might have been queued in the past and then not removed when removing from deletePodAt.
+	// Therefore we need to describe the expected state separately for both fields.
+
+	deletePodAt evictMap
+	queued      MockState[workItem]
+}
+
+// step describes a state after handling ready work items and how much to move time forward.
+type step struct {
+	pods        []*v1.Pod
+	rules       []*resourcealpha.DeviceTaintRule
+	ruleStats   map[types.UID]taintRuleStats
+	deletePodAt evictMap
+
+	// queuedProcessed is the state after handling all ready items.
+	queuedProcessed MockState[workItem]
+	// Move time forward.
+	advance time.Duration
+	// queuedShifted is the state after reducing the delay for future items.
+	queuedShifted MockState[workItem]
 }
 
+type evictMap map[tainteviction.NamespacedObject]evictionAndReason
+
 func (s state) allocatedClaimsAsMap() map[types.NamespacedName]allocatedClaim {
 	claims := make(map[types.NamespacedName]allocatedClaim)
 	for _, claim := range s.allocatedClaims {
@@ -149,14 +174,14 @@ func (s state) slicesAsMap() map[poolID]pool {
 		id := poolID{driverName: slice.Spec.Driver, poolName: slice.Spec.Pool.Name}
 		pool := pools[id]
 		if pool.slices == nil {
-			pool.slices = sets.New[*resourceapi.ResourceSlice]()
+			pool.slices = make(map[string]*resourceapi.ResourceSlice)
 		}
-		pool.slices.Insert(slice)
+		pool.slices[slice.Name] = slice
 		pools[id] = pool
 	}
 	for id, pool := range pools {
 		maxGeneration := int64(math.MinInt64)
-		for slice := range pool.slices {
+		for _, slice := range pool.slices {
 			if slice.Spec.Pool.Generation > maxGeneration {
 				maxGeneration = slice.Spec.Pool.Generation
 			}
@@ -167,6 +192,24 @@ func (s state) slicesAsMap() map[poolID]pool {
 	return pools
 }
 
+// assertEqual uses cmp.Diff instead of spew+diff like testify's Equal.
+// This provides a full context for a modified field.
+// Allows comparing unexported fields, empty and nil maps/slices are equal.
+func assertEqual[T any](t interface {
+	Helper()
+	Errorf(string, ...any)
+}, expected, actual T, what string, opts ...cmp.Option) bool {
+	t.Helper()
+
+	opts = append(opts, cmp.Exporter(func(reflect.Type) bool { return true }), cmpopts.EquateEmpty())
+
+	if diff := cmp.Diff(expected, actual, opts...); diff != "" {
+		t.Errorf("Unexpected diff for %s (-expected, +actual):\n%s", what, diff)
+		return false
+	}
+	return true
+}
+
 type testCase struct {
 	initialState state
 
@@ -181,7 +224,14 @@ type testCase struct {
 	// in each event entry.
 	events []any
 
+	// finalState represents the result of feeding the event handlers.
 	finalState state
+
+	// process represents the result of processing all of the ready work queue items,
+	// potentially multiple times. After each flush the time advances and pending
+	// work items become ready. The default is []step{{}}.
+	process []step
+
 	wantEvents []*v1.Event
 }
 
@@ -208,16 +258,23 @@ var (
 	resourceName = "my-resource"
 	claimName    = podName + "-" + resourceName
 	namespace    = "default"
-	taintTime    = metav1.Now() // This cannot be a fixed value in the past, otherwise the "seconds since taint time" delta overflows.
-	taintKey     = "example.com/taint"
-	taintValue   = "something"
-	simpleSlice  = st.MakeResourceSlice(nodeName, driver).
+	// taintTime is the start time of a synctest bubble.
+	// All tests run inside such a bubble and thus have a deterministic
+	// delta between this taint time and their current clock.
+	taintTime  = metav1Time(time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC))
+	taintKey   = "example.com/taint"
+	taintValue = "something"
+
+	// All slices use the internal format.
+	// For client-go they get converted back to the v1 API.
+
+	simpleSlice = st.MakeResourceSlice(nodeName, driver).
 			Device("instance").
 			Obj()
 	slice = st.MakeResourceSlice(nodeName, driver).
 		Device("instance").
 		Device("instance-no-schedule", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoSchedule}).
-		Device("instance-no-execute", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime}).
+		Device("instance-no-execute", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNone, TimeAdded: taintTime}, resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: taintTime}).
 		Obj()
 	sliceReplaced = func() *resourceapi.ResourceSlice {
 		slice := slice.DeepCopy()
@@ -232,9 +289,10 @@ var (
 		}
 		return slice
 	}()
+	taint        = &resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, Value: taintValue, TimeAdded: taintTime}
 	sliceTainted = func() *resourceapi.ResourceSlice {
 		slice := slice.DeepCopy()
-		slice.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, Value: taintValue, TimeAdded: &taintTime}}
+		slice.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{*taint}
 		return slice
 	}()
 	sliceTaintedExtended = func() *resourceapi.ResourceSlice {
@@ -243,30 +301,44 @@ var (
 		slice.Spec.Devices[len(slice.Spec.Devices)-1].Name += "-other"
 		return slice
 	}()
-	sliceTaintedNoSchedule = func() *resourceapi.ResourceSlice {
+	sliceTaintedNone = func() *resourceapi.ResourceSlice {
 		slice := sliceTainted.DeepCopy()
 		for i := range slice.Spec.Devices {
 			for j := range slice.Spec.Devices[i].Taints {
-				slice.Spec.Devices[i].Taints[j].Effect = resourceapi.DeviceTaintEffectNoSchedule
+				slice.Spec.Devices[i].Taints[j].Effect = resourceapi.DeviceTaintEffectNone
 			}
 		}
 		return slice
 	}()
-	sliceTaintedValueOther = func() *resourceapi.ResourceSlice {
+	sliceTaintedUnknown = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		for i := range slice.Spec.Devices {
+			for j := range slice.Spec.Devices[i].Taints {
+				slice.Spec.Devices[i].Taints[j].Effect = resourceapi.DeviceTaintEffect("unknown-effect")
+			}
+		}
+		return slice
+	}()
+	sliceTaintedNoSchedule = func() *resourceapi.ResourceSlice {
 		slice := sliceTainted.DeepCopy()
 		for i := range slice.Spec.Devices {
 			for j := range slice.Spec.Devices[i].Taints {
-				slice.Spec.Devices[i].Taints[j].Value += "-other"
+				slice.Spec.Devices[i].Taints[j].Effect = resourceapi.DeviceTaintEffectNoSchedule
 			}
 		}
 		return slice
 	}()
+	taintOther             = &resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, Value: taintValue + "-other", TimeAdded: taintTime}
+	sliceTaintedValueOther = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		slice.Spec.Devices[0].Taints[0] = *taintOther
+		return slice
+	}()
+	taint1            = &resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: taintTime}
+	taint2            = &resourceapi.DeviceTaint{Key: taintKey + "-other", Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: taintTime}
 	sliceTaintedTwice = func() *resourceapi.ResourceSlice {
 		slice := slice.DeepCopy()
-		slice.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{
-			{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
-			{Key: taintKey + "-other", Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
-		}
+		slice.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{*taint1, *taint2}
 		return slice
 	}()
 	sliceUntainted = func() *resourceapi.ResourceSlice {
@@ -283,6 +355,99 @@ var (
 		slice.Spec.Pool.Generation++
 		return slice
 	}()
+	ruleEvict = &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "evict",
+			UID:  "1234",
+		},
+
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Driver: ptr.To(driver),
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:       taint.Key,
+				Value:     taint.Value,
+				Effect:    resourcealpha.DeviceTaintEffect(taint.Effect),
+				TimeAdded: taint.TimeAdded,
+			},
+		},
+	}
+	ruleEvictInstance1 = &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "evict-instance",
+			UID:  "1234",
+		},
+
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Driver: ptr.To(driver),
+				Device: ptr.To("instance"),
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:       taint.Key,
+				Value:     taint.Value,
+				Effect:    resourcealpha.DeviceTaintEffect(taint.Effect),
+				TimeAdded: taintTime,
+			},
+		},
+	}
+	taintTimeLater          = metav1Time(taintTime.Add(40 * time.Second))
+	ruleEvictInstance2Later = &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "evict-instance-no-execute",
+			UID:  "5678",
+		},
+
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Driver: ptr.To(driver),
+				Device: ptr.To("instance-no-execute"),
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:       taint.Key,
+				Value:     taint.Value,
+				Effect:    resourcealpha.DeviceTaintEffect(taint.Effect),
+				TimeAdded: taintTimeLater,
+			},
+		},
+	}
+	ruleNone = &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "evict",
+			UID:  "1234",
+		},
+
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Driver: ptr.To(driver),
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:       taint.Key,
+				Value:     taint.Value,
+				Effect:    resourcealpha.DeviceTaintEffectNone,
+				TimeAdded: taint.TimeAdded,
+			},
+		},
+	}
+	ruleEvictOther = &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "evict-other",
+			UID:  "1234-other",
+		},
+
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Device: ptr.To("instance"),
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:       taint.Key,
+				Value:     taint.Value,
+				Effect:    resourcealpha.DeviceTaintEffect(taint.Effect),
+				TimeAdded: taint.TimeAdded,
+			},
+		},
+	}
 	claim = st.MakeResourceClaim().
 		Name(claimName).
 		Namespace(namespace).
@@ -298,11 +463,47 @@ var (
 			}},
 		},
 	}
+	allocationResultOtherDevices = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-no-schedule",
+					Request: "req-1",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-no-execute",
+					Request: "req-1",
+				},
+			},
+		},
+	}
 	inUseClaim = st.FromResourceClaim(claim).
 			OwnerReference(podName, podUID, podKind).
 			Allocation(allocationResult).
 			ReservedForPod(podName, types.UID(podUID)).
 			Obj()
+	inUseClaimOtherNamespace = st.FromResourceClaim(claim).
+					Namespace(namespace+"-other").
+					OwnerReference(podName, podUID+"-2", podKind). // podWithClaimNameOtherNamespace below.
+					Allocation(allocationResultOtherDevices).
+					ReservedForPod(podName, types.UID(podUID+"-2")).
+					Obj()
+	inUseClaimOtherName = st.FromResourceClaim(claim).
+				Name(claimName+"-other").
+				OwnerReference(podName+"-other", podUID+"-3", podKind). // podWithClaimNameOtherName below.
+				Allocation(allocationResultOtherDevices).
+				ReservedForPod(podName+"-other", types.UID(podUID+"-3")).
+				Obj()
+	inUseClaimOtherNameShared = st.FromResourceClaim(claim).
+					Name(claimName+"-other").
+					OwnerReference(podName+"-other", podUID+"-3", podKind). // podWithClaimNameOtherName below.
+					Allocation(allocationResultOtherDevices).
+					ReservedFor(resourceapi.ResourceClaimConsumerReference{Resource: "pods", Name: podName, UID: types.UID(podUID)}, resourceapi.ResourceClaimConsumerReference{Resource: "pods", Name: podName + "-other", UID: types.UID(podUID + "-3")}).
+					Obj()
 	// A test may run for an hour without reaching the end of this period.
 	tolerationDuration       = 60 * 60 * time.Second
 	inUseClaimWithToleration = func() *resourceapi.ResourceClaim {
@@ -329,11 +530,27 @@ var (
 				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
 				Node(nodeName).
 				Obj()
-	podWithClaimNameOther = st.MakePod().Name(podName).Namespace(namespace).
-				UID(podUID + "-other").
-				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+	podWithTwoClaimNames = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &inUseClaim.Name}).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName + "-other", ResourceClaimName: &inUseClaimOtherName.Name}).
 				Node(nodeName).
 				Obj()
+	podWithClaimNameOtherUID = st.MakePod().Name(podName).Namespace(namespace).
+					UID(podUID + "-other").
+					PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+					Node(nodeName).
+					Obj()
+	podWithClaimNameOtherNamespace = st.MakePod().Name(podName).Namespace(namespace + "-other").
+					UID(podUID + "-2").
+					PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+					Node(nodeName).
+					Obj()
+	podWithClaimNameOtherName = st.MakePod().Name(podName + "-other").Namespace(namespace).
+					UID(podUID + "-3").
+					PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &inUseClaimOtherName.Name}).
+					Node(nodeName).
+					Obj()
 	podWithClaimTemplate = st.MakePod().Name(podName).Namespace(namespace).
 				UID(podUID).
 				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimTemplateName: &claimName}).
@@ -377,8 +594,114 @@ var (
 		},
 		Count: 1,
 	}
+	deletePodEvent = &v1.Event{
+		InvolvedObject: v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName,
+			UID:        types.UID(podUID),
+		},
+		Reason:  "DeviceTaintManagerEviction",
+		Message: "Marking for deletion",
+		Type:    v1.EventTypeNormal,
+		Source: v1.EventSource{
+			Component: "nodeControllerTest",
+		},
+		Count: 1,
+	}
+	deletePodEventOtherNamespace = &v1.Event{
+		InvolvedObject: v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace + "-other",
+			Name:       podName,
+			UID:        types.UID(podUID + "-2"),
+		},
+		Reason:  "DeviceTaintManagerEviction",
+		Message: "Marking for deletion",
+		Type:    v1.EventTypeNormal,
+		Source: v1.EventSource{
+			Component: "nodeControllerTest",
+		},
+		Count: 1,
+	}
+	deletePodEventOtherName = &v1.Event{
+		InvolvedObject: v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName + "-other",
+			UID:        types.UID(podUID + "-3"),
+		},
+		Reason:  "DeviceTaintManagerEviction",
+		Message: "Marking for deletion",
+		Type:    v1.EventTypeNormal,
+		Source: v1.EventSource{
+			Component: "nodeControllerTest",
+		},
+		Count: 1,
+	}
 )
 
+func newEvictionTime(when *metav1.Time, args ...any) *evictionAndReason {
+	if when == nil {
+		return nil
+	}
+
+	var reason []trackedTaint
+	i := 0
+	for i < len(args) {
+		switch obj := args[i].(type) {
+		case *resourceapi.ResourceSlice:
+			reason = append(reason, trackedTaint{slice: sliceDeviceTaint{slice: obj, deviceName: args[i+1].(string), taintIndex: args[i+2].(int)}})
+			i += 3
+		case *resourcealpha.DeviceTaintRule:
+			reason = append(reason, trackedTaint{rule: obj})
+			i++
+		default:
+			panic(fmt.Sprintf("unsupported argument type %T", args[i]))
+		}
+	}
+
+	return &evictionAndReason{
+		when:   *when,
+		reason: reason,
+	}
+}
+
+func newWorkItems(objs ...metav1.Object) []workItem {
+	var items []workItem
+	for _, obj := range objs {
+		items = append(items, newWorkItem(obj))
+	}
+	return items
+}
+
+func newWorkItem(obj metav1.Object) workItem {
+	ref := newObject(obj)
+	var item workItem
+	switch obj.(type) {
+	case *resourcealpha.DeviceTaintRule:
+		item.ruleRef = ref
+	case *v1.Pod:
+		item.podRef = ref
+	default:
+		panic(fmt.Sprintf("invalid type %T", obj))
+	}
+	return item
+}
+
+func newDelayedWorkItems(objsAndDelay ...any) []MockDelayedItem[workItem] {
+	var items []MockDelayedItem[workItem]
+	for i := 0; i < len(objsAndDelay); i += 2 {
+		item := newWorkItem(objsAndDelay[i].(metav1.Object))
+		delay := objsAndDelay[i+1].(time.Duration)
+		items = append(items, MockDelayedItem[workItem]{item, delay})
+	}
+	return items
+}
+
 func matchDeletionEvent() gomegatypes.GomegaMatcher {
 	return matchEvent("Marking for deletion")
 }
@@ -409,14 +732,35 @@ func listEvents(tCtx ktesting.TContext) []v1.Event {
 	return events.Items
 }
 
-// TestHandlers covers the event handler logic. Each test case starts with
+func inProgress(rule *resourcealpha.DeviceTaintRule, status bool, reason, message string, when *metav1.Time) *resourcealpha.DeviceTaintRule {
+	rule = rule.DeepCopy()
+	condition := metav1.Condition{
+		Type:               resourcealpha.DeviceTaintConditionEvictionInProgress,
+		Status:             metav1.ConditionFalse,
+		Reason:             reason,
+		Message:            message,
+		ObservedGeneration: rule.Generation,
+		LastTransitionTime: *when,
+	}
+	if status {
+		condition.Status = metav1.ConditionTrue
+	}
+	rule.Status.Conditions = []metav1.Condition{condition}
+	return rule
+}
+
+// TestController covers the event handler logic and handling work.
+//
+// It runs inside a synctest bubble without actually starting the
+// controller. Each test case starts with
 // some known state, applies a sequence of independent events in all
 // permutations of their order, then checks against the expected final
 // state. The final state must be the same in all permutations. This simulates
 // the random order in which informer updates can be perceived.
-func TestHandlers(t *testing.T) {
-	t.Parallel()
-
+//
+// Then pending work gets handled, potentially multiple times after
+// advancing time to reach "later" work items.
+func TestController(t *testing.T) {
 	for name, tc := range map[string]testCase{
 		"empty": {},
 		"populate-pools": {
@@ -425,19 +769,19 @@ func TestHandlers(t *testing.T) {
 				add(slice2),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{slice, slice2},
+				slices: l(slice, slice2),
 			},
 		},
 		"update-pools": {
 			initialState: state{
-				slices: []*resourceapi.ResourceSlice{slice, slice2},
+				slices: l(slice, slice2),
 			},
 			events: []any{
 				update(slice, sliceUntainted),
 				remove(slice2),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceUntainted},
+				slices: l(sliceUntainted),
 			},
 		},
 		"untainted-claim": {
@@ -447,20 +791,44 @@ func TestHandlers(t *testing.T) {
 				add(inUseClaim),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{slice, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(slice, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
 		},
-		"tainted-claim": {
+		"tainted-claim-through-resourceslice": {
 			events: []any{
 				add(sliceTainted),
 				add(slice2),
 				add(inUseClaim),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+			},
+		},
+		"rule-status": {
+			events: []any{
+				add(ruleEvict),
+			},
+			finalState: state{
+				queued: MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+			},
+			process: []step{{
+				rules: l(inProgress(ruleEvict, false, "NotStarted", "", taintTime)),
+			}},
+		},
+		"tainted-claim-through-rule": {
+			events: []any{
+				add(ruleEvict),
+				add(inUseClaim),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvict))),
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict)},
 			},
+			process: []step{{
+				rules: l(inProgress(ruleEvict, false, "NotStarted", "", taintTime)),
+			}},
 		},
 		"evict-pod-resourceclaim": {
 			events: []any{
@@ -470,25 +838,321 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
+			},
+			wantEvents: l(deletePodEvent),
+		},
+		"evict-pod-rule": {
+			events: []any{
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(ruleEvict),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvict))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, ruleEvict)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict, podWithClaimName)},
+			},
+			process: []step{
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					// Initial update.
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					// Final update.
+					rules: l(inProgress(ruleEvict, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent),
+		},
+		"evict-pod-rule-later": {
+			events: []any{
+				add(inUseClaimWithToleration),
+				add(podWithClaimName),
+				add(ruleEvict),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaimWithToleration, newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), ruleEvict))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), ruleEvict)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict), Later: newDelayedWorkItems(podWithClaimName, tolerationDuration)},
+			},
+			process: []step{
+				{
+					// Initial update.
+					deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), ruleEvict)},
+					pods:        l(podWithClaimName),
+					rules:       l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, tolerationDuration)},
+					advance:         tolerationDuration,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
+				},
+				{
+					// Deleted, but condition not updated yet.
+					ruleStats:       map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+				},
+				{
+					// Final update.
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					rules:     l(inProgress(ruleEvict, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(tolerationDuration+ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent),
+		},
+		"evict-many-pods-many-namespaces": {
+			events: []any{
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(inUseClaimOtherNamespace),
+				add(podWithClaimNameOtherNamespace),
+				add(ruleEvict),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvict)), ac(inUseClaimOtherNamespace, newEvictionTime(taintTime, ruleEvict))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, ruleEvict), newObject(podWithClaimNameOtherNamespace): *newEvictionTime(taintTime, ruleEvict)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict, podWithClaimName, podWithClaimNameOtherNamespace)},
+			},
+			process: []step{
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 2}},
+					// Initial update.
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "2 pods need to be evicted in 2 different namespaces.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 2}},
+					// Final update.
+					rules: l(inProgress(ruleEvict, false, "Completed", "2 pods evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent, deletePodEventOtherNamespace),
+		},
+		"evict-many-pods-same-namespace": {
+			events: []any{
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(inUseClaimOtherName),
+				add(podWithClaimNameOtherName),
+				add(ruleEvict),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvict)), ac(inUseClaimOtherName, newEvictionTime(taintTime, ruleEvict))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, ruleEvict), newObject(podWithClaimNameOtherName): *newEvictionTime(taintTime, ruleEvict)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict, podWithClaimName, podWithClaimNameOtherName)},
+			},
+			process: []step{
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 2}},
+					// Initial update.
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "2 pods need to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 2}},
+					// Final update.
+					rules: l(inProgress(ruleEvict, false, "Completed", "2 pods evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent, deletePodEventOtherName),
+		},
+		"none-pod-rule": {
+			events: []any{
+				add(slice),
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(ruleNone),
+			},
+			finalState: state{
+				slices:          l(slice),
+				allocatedClaims: l(ac(inUseClaim)),
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleNone)},
+			},
+			process: []step{
+				{
+					pods:  l(podWithClaimName),
+					rules: l(inProgress(ruleNone, false, "NoEffect", "3 published devices selected. 1 allocated device selected. 1 pod would be evicted in 1 namespace if the effect was NoExecute. This information will not be updated again. Recreate the DeviceTaintRule to trigger an update.", taintTime)),
+				},
+			},
+		},
+		"none-many-pods-many-namespaces": {
+			events: []any{
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(inUseClaimOtherNamespace),
+				add(podWithClaimNameOtherNamespace),
+				add(ruleNone),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim), ac(inUseClaimOtherNamespace)),
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleNone)},
+			},
+			process: []step{
+				{
+					pods:  l(podWithClaimName, podWithClaimNameOtherNamespace),
+					rules: l(inProgress(ruleNone, false, "NoEffect", "0 published devices selected. 3 allocated devices selected. 2 pods would be evicted in 2 different namespaces if the effect was NoExecute. This information will not be updated again. Recreate the DeviceTaintRule to trigger an update.", taintTime)),
+				},
+			},
+		},
+		"none-many-pods-same-namespace": {
+			events: []any{
+				add(inUseClaim),
+				add(podWithClaimName),
+				add(inUseClaimOtherName),
+				add(podWithClaimNameOtherName),
+				add(ruleNone),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim), ac(inUseClaimOtherName)),
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleNone)},
+			},
+			process: []step{
+				{
+					pods:  l(podWithClaimName, podWithClaimNameOtherName),
+					rules: l(inProgress(ruleNone, false, "NoEffect", "0 published devices selected. 3 allocated devices selected. 2 pods would be evicted in 1 namespace if the effect was NoExecute. This information will not be updated again. Recreate the DeviceTaintRule to trigger an update.", taintTime)),
+				},
+			},
+		},
+		"multiple-claims-same-rule": {
+			events: []any{
+				add(inUseClaim),
+				add(inUseClaimOtherNameShared),
+				add(podWithTwoClaimNames),
+				add(ruleEvict),
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvict)), ac(inUseClaimOtherNameShared, newEvictionTime(taintTime, ruleEvict))),
+				deletePodAt:     evictMap{newObject(podWithTwoClaimNames): *newEvictionTime(taintTime, ruleEvict)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvict, podWithTwoClaimNames)},
+			},
+			process: []step{
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					// Initial update.
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}},
+					// Final update.
+					rules: l(inProgress(ruleEvict, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent),
+		},
+		"multiple-claims-different-rules-order-1": {
+			// Different rules cause eviction at different times because the second one gets added a bit in the future.
+			// It's debatable whether eviction of the pod should then be attributed to both rules. That is
+			// how it is currently implemented, based on the rationale that the second rule would have caused
+			// eviction eventually if it just had been given more time.
+			//
+			// The order matters here: the work queue gets populate differently depending on what is observed first,
+			// see next case. The `queued` state is compared without considering the order, so the actual
+			// order of the queue is not visible in the tests. Typically it doesn't matter, but here it does.
+			events: []any{
+				[]any{
+					add(inUseClaim),
+					add(inUseClaimOtherNameShared),
+					add(podWithTwoClaimNames),
+					add(ruleEvictInstance1),
+					add(ruleEvictInstance2Later),
+				},
+			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvictInstance1)), ac(inUseClaimOtherNameShared, newEvictionTime(taintTimeLater, ruleEvictInstance2Later))),
+				deletePodAt:     evictMap{newObject(podWithTwoClaimNames): *newEvictionTime(taintTime, ruleEvictInstance1, ruleEvictInstance2Later)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvictInstance1, ruleEvictInstance2Later, podWithTwoClaimNames)},
+			},
+			process: []step{
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvictInstance1.UID: {numEvictedPods: 1}, ruleEvictInstance2Later.UID: {numEvictedPods: 1}},
+					// Initial update of ruleEvictInstance1 before eviction, then update of ruleEvictInstance2Later.
+					rules:           l(inProgress(ruleEvictInstance1, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime), inProgress(ruleEvictInstance2Later, false, "Completed", "1 pod evicted since starting the controller.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvictInstance1, ruleStatusPeriod, ruleEvictInstance2Later, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvictInstance1, ruleEvictInstance2Later)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}, ruleEvictInstance2Later.UID: {numEvictedPods: 1}},
+					// Final update.
+					rules: l(inProgress(ruleEvictInstance1, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod))), inProgress(ruleEvictInstance2Later, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent),
+		},
+		"multiple-claims-different-rules-order-2": {
+			events: []any{
+				[]any{
+					add(inUseClaim),
+					add(inUseClaimOtherNameShared),
+					add(podWithTwoClaimNames),
+					add(ruleEvictInstance2Later), // Reversed, so now the pod gets scheduled for delayed eviction, which cannot get canceled.
+					add(ruleEvictInstance1),
+				},
 			},
+			finalState: state{
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, ruleEvictInstance1)), ac(inUseClaimOtherNameShared, newEvictionTime(taintTimeLater, ruleEvictInstance2Later))),
+				deletePodAt:     evictMap{newObject(podWithTwoClaimNames): *newEvictionTime(taintTime, ruleEvictInstance1, ruleEvictInstance2Later)},
+				queued:          MockState[workItem]{Ready: newWorkItems(ruleEvictInstance1, ruleEvictInstance2Later, podWithTwoClaimNames), Later: newDelayedWorkItems(podWithTwoClaimNames, ruleEvictInstance2Later.Spec.Taint.TimeAdded.Sub(taintTime.Time))},
+			},
+			process: []step{
+				// The pod is scheduled for much later and time needs to advance a few times before it gets processed.
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvictInstance1.UID: {numEvictedPods: 1}, ruleEvictInstance2Later.UID: {numEvictedPods: 1}},
+					// Initial update of both rules before eviction.
+					rules:           l(inProgress(ruleEvictInstance1, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime), inProgress(ruleEvictInstance2Later, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithTwoClaimNames, ruleEvictInstance2Later.Spec.Taint.TimeAdded.Sub(taintTime.Time), ruleEvictInstance1, ruleStatusPeriod, ruleEvictInstance2Later, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvictInstance1, ruleEvictInstance2Later), Later: newDelayedWorkItems(podWithTwoClaimNames, ruleEvictInstance2Later.Spec.Taint.TimeAdded.Sub(taintTime.Time)-ruleStatusPeriod)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}, ruleEvictInstance2Later.UID: {numEvictedPods: 1}},
+					// Final update.
+					rules:           l(inProgress(ruleEvictInstance1, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod))), inProgress(ruleEvictInstance2Later, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithTwoClaimNames, ruleEvictInstance2Later.Spec.Taint.TimeAdded.Sub(taintTime.Time)-ruleStatusPeriod)},
+					advance:         ruleEvictInstance2Later.Spec.Taint.TimeAdded.Sub(taintTime.Time) - ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(podWithTwoClaimNames)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}, ruleEvictInstance2Later.UID: {numEvictedPods: 1}},
+					rules:     l(inProgress(ruleEvictInstance1, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod))), inProgress(ruleEvictInstance2Later, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(ruleStatusPeriod)))),
+					// The pod gets removed from the work queue without doing anything.
+				},
+			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-resourceclaim-again": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimName},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				pods:            l(podWithClaimName),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				[]any{remove(sliceTainted), add(sliceTainted)},
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
 			// It is debatable whether the controller should react
 			// to slice changes (a deletion in this case)
@@ -498,13 +1162,13 @@ func TestHandlers(t *testing.T) {
 			// an event, as in this test case.
 			//
 			// At the moment, the code reliably cancels right away.
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction, deletePodEvent),
 		},
 		"evict-pod-after-scheduling": {
 			initialState: state{
-				pods:            []*v1.Pod{unscheduledPodWithClaimName},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				pods:            l(unscheduledPodWithClaimName),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 			events: []any{
 				// Normally the scheduler shouldn't schedule when there is a taint,
@@ -512,17 +1176,19 @@ func TestHandlers(t *testing.T) {
 				update(unscheduledPodWithClaimName, podWithClaimName),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-resourceclaim-unrelated-changes": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimName},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				pods:            l(podWithClaimName),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				update(sliceTainted, sliceTaintedExtended),
@@ -530,10 +1196,12 @@ func TestHandlers(t *testing.T) {
 				update(podWithClaimName, podWithClaimName), // Same here.
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTaintedExtended, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				slices:          l(sliceTaintedExtended, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-resourceclaimtemplate": {
 			events: []any{
@@ -543,10 +1211,12 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimTemplateInStatus),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimTemplateInStatus)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-later": {
 			events: []any{
@@ -556,10 +1226,23 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(tolerationDuration)}},
-			},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaimWithToleration, newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, tolerationDuration)},
+			},
+			process: []step{
+				// First advance time, then delete.
+				{
+					deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+					pods:            l(podWithClaimName),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, tolerationDuration)},
+					advance:         tolerationDuration,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
+				},
+				{},
+			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-later-many": {
 			events: []any{
@@ -591,8 +1274,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
 						{
@@ -614,9 +1297,22 @@ func TestHandlers(t *testing.T) {
 						},
 					}
 					return claim
-				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
-				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
-			},
+				}(), newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:      MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, 30*time.Second)},
+			},
+			process: []step{
+				// First advance time, then delete.
+				{
+					deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+					pods:            l(podWithClaimName),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, 30*time.Second)},
+					advance:         30 * time.Second,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
+				},
+				{},
+			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-toleration-mismatch": {
 			events: []any{
@@ -636,8 +1332,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Key:               taintKey + "-other",
@@ -647,9 +1343,11 @@ func TestHandlers(t *testing.T) {
 						TolerationSeconds: ptr.To(int64(60)),
 					}}
 					return claim
-				}(), evictionTime: &metav1.Time{Time: taintTime.Time}}},
-				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				}(), newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:      MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"no-evict-pod-toleration-forever": {
 			events: []any{
@@ -666,16 +1364,17 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Operator: resourceapi.DeviceTolerationOpExists,
 						Effect:   resourceapi.DeviceTaintEffectNoExecute,
 					}}
 					return claim
-				}()}},
+				}())),
 			},
+			process: []step{{pods: l(podWithClaimName)}},
 		},
 		"no-evict-pod-toleration-forever-many": {
 			events: []any{
@@ -699,8 +1398,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
 						{
@@ -714,8 +1413,9 @@ func TestHandlers(t *testing.T) {
 						},
 					}
 					return claim
-				}()}},
+				}())),
 			},
+			process: []step{{pods: l(podWithClaimName)}},
 		},
 		"evict-pod-partial-toleration": {
 			events: []any{
@@ -725,7 +1425,7 @@ func TestHandlers(t *testing.T) {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Operator: resourceapi.DeviceTolerationOpExists,
-						Key:      taintKey,
+						Key:      taint1.Key,
 						Effect:   resourceapi.DeviceTaintEffectNoExecute,
 					}}
 					return claim
@@ -733,21 +1433,25 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTaintedTwice, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Operator: resourceapi.DeviceTolerationOpExists,
-						Key:      taintKey,
+						Key:      taint1.Key,
 						Effect:   resourceapi.DeviceTaintEffectNoExecute,
 					}}
 					return claim
-				}(), evictionTime: &taintTime}},
-				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				}(), newEvictionTime(taintTime, sliceTaintedTwice, sliceTainted.Spec.Devices[0].Name, 1))),
+				deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTaintedTwice, sliceTainted.Spec.Devices[0].Name, 1)},
+				queued:      MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"evict-pod-many-taints": {
 			events: []any{
+				add(ruleEvict),
+				add(ruleEvictOther),
 				add(sliceTaintedTwice),
 				add(slice2),
 				add(func() *resourceapi.ResourceClaim {
@@ -755,13 +1459,13 @@ func TestHandlers(t *testing.T) {
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
 						{
 							Operator:          resourceapi.DeviceTolerationOpExists,
-							Key:               taintKey,
+							Key:               taint1.Key,
 							Effect:            resourceapi.DeviceTaintEffectNoExecute,
 							TolerationSeconds: ptr.To(int64(60)),
 						},
 						{
 							Operator:          resourceapi.DeviceTolerationOpExists,
-							Key:               taintKey + "-other",
+							Key:               taint2.Key,
 							Effect:            resourceapi.DeviceTaintEffectNoExecute,
 							TolerationSeconds: ptr.To(int64(30)),
 						},
@@ -771,27 +1475,54 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTaintedTwice, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
 						{
 							Operator:          resourceapi.DeviceTolerationOpExists,
-							Key:               taintKey,
+							Key:               taint1.Key,
 							Effect:            resourceapi.DeviceTaintEffectNoExecute,
 							TolerationSeconds: ptr.To(int64(60)),
 						},
 						{
 							Operator:          resourceapi.DeviceTolerationOpExists,
-							Key:               taintKey + "-other",
+							Key:               taint2.Key,
 							Effect:            resourceapi.DeviceTaintEffectNoExecute,
 							TolerationSeconds: ptr.To(int64(30)),
 						},
 					}
 					return claim
-				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
-				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
-			},
+				}(), newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), ruleEvict, ruleEvictOther, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 0, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 1))),
+				deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), ruleEvict, ruleEvictOther, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 0, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 1)},
+				queued:      MockState[workItem]{Ready: newWorkItems(ruleEvict, ruleEvictOther), Later: newDelayedWorkItems(podWithClaimName, 30*time.Second)},
+			},
+			process: []step{
+				// First advance time, then delete.
+				{
+					deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(30*time.Second)), ruleEvict, ruleEvictOther, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 0, sliceTaintedTwice, sliceTaintedTwice.Spec.Devices[0].Name, 1)},
+					pods:            l(podWithClaimName),
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime), inProgress(ruleEvictOther, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(podWithClaimName, 30*time.Second)},
+					advance:         30 * time.Second,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}, ruleEvictOther.UID: {numEvictedPods: 1}},
+					// Not updated yet.
+					rules:           l(inProgress(ruleEvict, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime), inProgress(ruleEvictOther, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", taintTime)),
+					queuedProcessed: MockState[workItem]{Later: newDelayedWorkItems(ruleEvict, ruleStatusPeriod, ruleEvictOther, ruleStatusPeriod)},
+					advance:         ruleStatusPeriod,
+					queuedShifted:   MockState[workItem]{Ready: newWorkItems(ruleEvict, ruleEvictOther)},
+				},
+				{
+					ruleStats: map[types.UID]taintRuleStats{ruleEvict.UID: {numEvictedPods: 1}, ruleEvictOther.UID: {numEvictedPods: 1}},
+
+					// Final update.
+					rules: l(inProgress(ruleEvict, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(30*time.Second+ruleStatusPeriod))), inProgress(ruleEvictOther, false, "Completed", "1 pod evicted since starting the controller.", metav1Time(taintTime.Add(30*time.Second+ruleStatusPeriod)))),
+				},
+			},
+			wantEvents: l(deletePodEvent),
 		},
 		"no-evict-pod-not-scheduled": {
 			events: []any{
@@ -805,8 +1536,8 @@ func TestHandlers(t *testing.T) {
 				}()),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 		},
 		"no-evict-no-taint": {
@@ -816,22 +1547,22 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimName),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{simpleSlice},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(simpleSlice),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
 		},
 		"no-evict-no-taint-update": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimName},
-				slices:          []*resourceapi.ResourceSlice{simpleSlice},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				pods:            l(podWithClaimName),
+				slices:          l(simpleSlice),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
 			events: []any{
 				update(simpleSlice, simpleSlice),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{simpleSlice},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(simpleSlice),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
 		},
 		"no-evict-pod-resourceclaimtemplate-no-status": {
@@ -842,8 +1573,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimTemplate),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 		},
 		"no-evict-pod-resourceclaimtemplate-no-claim": {
@@ -856,8 +1587,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimTemplateNoClaimInStatus),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 		},
 		"no-evict-other-device": {
@@ -868,8 +1599,8 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimTemplateInStatus),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceOtherDevices, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(sliceOtherDevices, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
 		},
 		"no-evict-wrong-pod": {
@@ -877,83 +1608,109 @@ func TestHandlers(t *testing.T) {
 				add(sliceTainted),
 				add(slice2),
 				add(inUseClaim),
-				add(podWithClaimNameOther),
+				add(podWithClaimNameOtherUID),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 		},
 		"evict-wrong-pod-replaced": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimNameOther},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				pods:            l(podWithClaimNameOtherUID),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 			events: []any{
-				[]any{remove(podWithClaimNameOther), add(podWithClaimName)},
+				[]any{remove(podWithClaimNameOtherUID), add(podWithClaimName)},
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimName): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"cancel-eviction-remove-taint": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				update(sliceTainted, slice),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{slice, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(slice, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction),
 		},
 		"cancel-eviction-reduce-taint": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				update(sliceTainted, sliceTaintedNoSchedule),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTaintedNoSchedule, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(sliceTaintedNoSchedule, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
+			},
+			wantEvents: l(cancelPodEviction),
+		},
+		"ignore-none-effect": {
+			initialState: state{
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTaintedNone, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
+			},
+			finalState: state{
+				slices:          l(sliceTaintedNone, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
+			},
+		},
+		"ignore-unknown-effect": {
+			initialState: state{
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTaintedUnknown, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
+			},
+			finalState: state{
+				slices:          l(sliceTaintedUnknown, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
 		},
 		"eviction-change-taint": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time.Add(tolerationDuration)}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaimWithToleration, newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(metav1Time(taintTime.Add(tolerationDuration)), sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				// Going from a taint which is tolerated for 60 seconds to one which isn't.
 				update(sliceTainted, sliceTaintedValueOther),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTaintedValueOther, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				slices:          l(sliceTaintedValueOther, slice2),
+				allocatedClaims: l(ac(inUseClaimWithToleration, newEvictionTime(taintTime, sliceTaintedValueOther, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTaintedValueOther, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimName)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"cancel-eviction-remove-taint-in-new-slice": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				// This moves the in-use device from one slice to another and removes the taint at the same time.
@@ -961,32 +1718,32 @@ func TestHandlers(t *testing.T) {
 				add(sliceReplaced),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceReplaced, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(sliceReplaced, slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction),
 		},
 		"cancel-eviction-remove-slice": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				remove(sliceTainted),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+				slices:          l(slice2),
+				allocatedClaims: l(ac(inUseClaim)),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction),
 		},
 		"cancel-eviction-pod-deletion": {
 			initialState: state{
-				pods:   []*v1.Pod{podWithClaimName},
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				pods:   l(podWithClaimName),
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Operator:          resourceapi.DeviceTolerationOpExists,
@@ -994,15 +1751,15 @@ func TestHandlers(t *testing.T) {
 						TolerationSeconds: ptr.To(int64(60)),
 					}}
 					return claim
-				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
-				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(60 * time.Second)}},
+				}(), newEvictionTime(metav1Time(taintTime.Add(60*time.Second))))),
+				deletePodAt: evictMap{newObject(podWithClaimName): *newEvictionTime(metav1Time(taintTime.Add(60 * time.Second)))},
 			},
 			events: []any{
 				remove(podWithClaimName),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+				slices: l(sliceTainted, slice2),
+				allocatedClaims: l(ac(func() *resourceapi.ResourceClaim {
 					claim := inUseClaim.DeepCopy()
 					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 						Operator:          resourceapi.DeviceTolerationOpExists,
@@ -1010,7 +1767,7 @@ func TestHandlers(t *testing.T) {
 						TolerationSeconds: ptr.To(int64(60)),
 					}}
 					return claim
-				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
+				}(), newEvictionTime(metav1Time(taintTime.Add(60*time.Second))))),
 			},
 		},
 		"no-evict-wrong-resourceclaim": {
@@ -1021,31 +1778,33 @@ func TestHandlers(t *testing.T) {
 				add(podWithClaimTemplateInStatus),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaimOld, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 		},
 		"evict-wrong-resourceclaim-replaced": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaimOld, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
 			},
 			events: []any{
 				update(inUseClaimOld, inUseClaim),
 			},
 			finalState: state{
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
+				queued:          MockState[workItem]{Ready: newWorkItems(podWithClaimTemplateInStatus)},
 			},
+			wantEvents: l(deletePodEvent),
 		},
 		"no-evict-resourceclaim-deallocated": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				// This removes the allocation while the pod is scheduled.
@@ -1061,16 +1820,16 @@ func TestHandlers(t *testing.T) {
 				update(inUseClaim, claim),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				slices: l(sliceTainted, slice2),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction),
 		},
 		"no-evict-resourceclaim-deleted": {
 			initialState: state{
-				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
-				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
-				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
-				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+				pods:            l(podWithClaimTemplateInStatus),
+				slices:          l(sliceTainted, slice2),
+				allocatedClaims: l(ac(inUseClaim, newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0))),
+				deletePodAt:     evictMap{newObject(podWithClaimTemplateInStatus): *newEvictionTime(taintTime, sliceTainted, sliceTainted.Spec.Devices[0].Name, 0)},
 			},
 			events: []any{
 				// Same as for "no-evict-resourceclaim-deallocated" this can be normal
@@ -1078,17 +1837,21 @@ func TestHandlers(t *testing.T) {
 				remove(inUseClaim),
 			},
 			finalState: state{
-				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				slices: l(sliceTainted, slice2),
 			},
-			wantEvents: []*v1.Event{cancelPodEviction},
+			wantEvents: l(cancelPodEviction),
 		},
 	} {
-		t.Run(name, func(t *testing.T) {
+		tCtx := ktesting.Init(t)
+
+		tCtx.Run(name, func(tCtx ktesting.TContext) {
 			numEvents := len(tc.events)
 			if numEvents <= 1 {
 				// No permutations.
-				tContext := setup(t)
-				testHandlers(tContext, tc)
+				tCtx.SyncTest("", func(tCtx ktesting.TContext) {
+					tContext := setup(tCtx)
+					testHandlers(tContext, tc)
+				})
 				return
 			}
 
@@ -1104,8 +1867,8 @@ func TestHandlers(t *testing.T) {
 					tc := tc
 					tc.events = events
 					name := strings.Trim(fmt.Sprintf("%v", permutation), "[]")
-					t.Run(name, func(t *testing.T) {
-						tContext := setup(t)
+					tCtx.SyncTest(name, func(tCtx ktesting.TContext) {
+						tContext := setup(tCtx)
 						testHandlers(tContext, tc)
 					})
 					return
@@ -1127,16 +1890,38 @@ func TestHandlers(t *testing.T) {
 }
 
 func testHandlers(tContext *testContext, tc testCase) {
+	assertEqual(tContext, MockState[workItem]{}, tc.initialState.queued, "initial work queue state")
+	tContext.taintRuleStats = tc.initialState.ruleStats
+	if tContext.taintRuleStats == nil {
+		tContext.taintRuleStats = make(map[types.UID]taintRuleStats)
+	}
+
 	// Shallow copy of slice and maps is sufficient for now.
-	tContext.evicting = slices.Clone(tc.initialState.evicting)
+	if len(tc.initialState.deletePodAt) > 0 {
+		tContext.deletePodAt = maps.Clone(tc.initialState.deletePodAt)
+	}
 	tContext.allocatedClaims = tc.initialState.allocatedClaimsAsMap()
 	tContext.pools = tc.initialState.slicesAsMap()
 
-	// Pods are the only items which get retrieved from the informer cache,
-	// so for those (and only those) we have to keep the store up-to-date.
-	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+	// Pods and DeviceTaintRules are the only items which get retrieved from the informer cache,
+	// so for those (and only those) we have to keep the podStore up-to-date.
+	// Same for the fake store. Because the informers are not running, API calls
+	// must directly get mirrored in the caches.
+	podStore := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
 	for _, pod := range tc.initialState.pods {
-		tContext.ExpectNoError(store.Add(pod))
+		tContext.ExpectNoError(podStore.Add(pod))
+		tContext.ExpectNoError(tContext.client.Tracker().Add(pod))
+	}
+	tContext.client.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		if err := podStore.Delete(&v1.Pod{ObjectMeta: metav1.ObjectMeta{Namespace: action.GetNamespace(), Name: action.(core.DeleteAction).GetName()}}); err != nil {
+			return false, nil, fmt.Errorf("delete pod in informer cache: %w", err)
+		}
+		return false, nil, nil
+	})
+	ruleStore := tContext.informerFactory.Resource().V1alpha3().DeviceTaintRules().Informer().GetStore()
+	for _, rule := range tc.initialState.rules {
+		tContext.ExpectNoError(ruleStore.Add(rule))
+		tContext.ExpectNoError(tContext.client.Tracker().Add(rule))
 	}
 
 	for _, event := range tc.events {
@@ -1150,48 +1935,132 @@ func testHandlers(tContext *testContext, tc testCase) {
 		}
 	}
 
-	// Use nil instead of empty map or slice to avoid nil vs. empty differences.
-	if len(tContext.evicting) == 0 {
-		tContext.evicting = nil
-	}
-	if len(tContext.recorder.Events) == 0 {
-		tContext.recorder.Events = nil
-	}
-	assert.Equal(tContext, tc.finalState.evicting, tContext.evicting, "evicting pods")
-	assert.Equal(tContext, tc.finalState.allocatedClaimsAsMap(), tContext.allocatedClaims, "allocated claims")
-	if !assert.Equal(tContext, tc.finalState.slicesAsMap(), tContext.pools, "pools") {
+	assertEqual(tContext, tc.finalState.ruleStats, tContext.taintRuleStats, "taintRuleStats")
+	assertEqual(tContext, tc.finalState.deletePodAt, tContext.deletePodAt, "deletePodAt")
+	assertEqual(tContext, tc.finalState.allocatedClaimsAsMap(), tContext.allocatedClaims, "allocated claims")
+	if !assertEqual(tContext, tc.finalState.slicesAsMap(), tContext.pools, "pools") {
 		for key := range tContext.pools {
 			assert.Equal(tContext, tc.finalState.slicesAsMap()[key], tContext.pools[key], "pool")
 		}
 	}
-	if diff := cmp.Diff(tc.wantEvents, tContext.recorder.Events, cmpopts.IgnoreTypes(metav1.ObjectMeta{}, metav1.Time{})); diff != "" {
-		tContext.Errorf("unexpected events (-want, +got):\n%s", diff)
+	assertEqual(tContext, tc.finalState.queued, tContext.mockQueue.State(), "work queue after event handlers", cmpopts.SortSlices(compareWorkItems))
+	assert.Empty(tContext, tc.finalState.pods, "pods not checked for final state")
+	assert.Empty(tContext, tc.finalState.rules, "rules not checked for final state")
+
+	process := tc.process
+	if process == nil && len(tc.finalState.queued.Ready) > 0 {
+		// Expect to clear workqueue and delete pods.
+		process = []step{{}}
 	}
+	for i, state := range process {
+		prefix := fmt.Sprintf("process #%d: ", i)
+
+		// This runs until the "Ready" queue is empty.
+		// Some state may have changed (e.g. rule status), some must remain the same (allocated claims).
+		tContext.Log(prefix + "handling ready work items")
+		tContext.Controller.worker(tContext)
+
+		assertEqual(tContext, state.ruleStats, tContext.taintRuleStats, prefix+"taintRuleStats")
+		assertEqual(tContext, state.deletePodAt, tContext.deletePodAt, prefix+"deletePodAt")
+		assertEqual(tContext, tc.finalState.allocatedClaimsAsMap(), tContext.allocatedClaims, prefix+"allocated claims")
+		pods, err := tContext.client.CoreV1().Pods("").List(tContext, metav1.ListOptions{})
+		tContext.ExpectNoError(err, prefix+"list pods")
+		assertEqual(tContext, state.pods, trimPods(pods.Items), prefix+"pods after flushing work queue")
+		rules, err := tContext.client.ResourceV1alpha3().DeviceTaintRules().List(tContext, metav1.ListOptions{})
+		tContext.ExpectNoError(err, prefix+"list rules")
+		actualRules := trimRules(rules.Items)
+		assertEqual(tContext, state.rules, actualRules, prefix+"rules after flushing work queue")
+
+		// Advance time and potentially make pending work items ready.
+		assertEqual(tContext, state.queuedProcessed, tContext.mockQueue.State(), prefix+"work queue after processing", cmpopts.SortSlices(compareWorkItems))
+		time.Sleep(state.advance)
+		for _, item := range tContext.mockQueue.State().Later {
+			tContext.mockQueue.CancelAfter(item.Item)
+			tContext.mockQueue.AddAfter(item.Item, item.Duration-state.advance)
+		}
+		assertEqual(tContext, state.queuedShifted, tContext.mockQueue.State(), prefix+"work queue after moving time forward", cmpopts.SortSlices(compareWorkItems))
+	}
+
+	assertEqual(tContext, tc.wantEvents, tContext.recorder.Events, "overall events",
+		cmpopts.IgnoreTypes(metav1.ObjectMeta{}, metav1.Time{}),
+		cmpopts.SortSlices(compareEvents))
 }
 
-func applyEventPair(tContext *testContext, event any) {
-	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+// More fields might be needed for these compare functions in the future, but for now this is enough.
 
+func compareEvents(a, b *v1.Event) int {
+	if cmp := strings.Compare(string(a.InvolvedObject.UID), string(b.InvolvedObject.UID)); cmp != 0 {
+		return cmp
+	}
+	return strings.Compare(a.Kind, b.Kind)
+}
+
+func compareWorkItems(a, b workItem) int {
+	if cmp := strings.Compare(string(a.podRef.UID), string(b.podRef.UID)); cmp != 0 {
+		return cmp
+	}
+	return strings.Compare(string(a.ruleRef.UID), string(b.ruleRef.UID))
+}
+
+func applyEventPair(tContext *testContext, event any) {
 	switch pair := event.(type) {
 	case [2]*resourceapi.ResourceSlice:
 		tContext.handleSliceChange(pair[0], pair[1])
 	case [2]*resourceapi.ResourceClaim:
 		tContext.handleClaimChange(pair[0], pair[1])
 	case [2]*v1.Pod:
+		store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
 		switch {
 		case pair[0] != nil && pair[1] != nil:
 			tContext.ExpectNoError(store.Update(pair[1]))
+			tContext.ExpectNoError(tContext.client.Tracker().Update(v1.SchemeGroupVersion.WithResource("pods"), pair[1], pair[1].Namespace))
 		case pair[0] != nil:
 			tContext.ExpectNoError(store.Delete(pair[0]))
+			tContext.ExpectNoError(tContext.client.Tracker().Delete(v1.SchemeGroupVersion.WithResource("pods"), pair[0].Namespace, pair[0].Name))
 		default:
 			tContext.ExpectNoError(store.Add(pair[1]))
+			tContext.ExpectNoError(tContext.client.Tracker().Add(pair[1]))
 		}
 		tContext.handlePodChange(pair[0], pair[1])
+	case [2]*resourcealpha.DeviceTaintRule:
+		store := tContext.informerFactory.Resource().V1alpha3().DeviceTaintRules().Informer().GetStore()
+		switch {
+		case pair[0] != nil && pair[1] != nil:
+			tContext.ExpectNoError(store.Update(pair[1]))
+			tContext.ExpectNoError(tContext.client.Tracker().Update(resourcealpha.SchemeGroupVersion.WithResource("devicetaintrules"), pair[1], pair[1].Namespace))
+		case pair[0] != nil:
+			tContext.ExpectNoError(store.Delete(pair[0]))
+			tContext.ExpectNoError(tContext.client.Tracker().Delete(resourcealpha.SchemeGroupVersion.WithResource("devicetaintrules"), pair[0].Namespace, pair[0].Name))
+		default:
+			tContext.ExpectNoError(store.Add(pair[1]))
+			tContext.ExpectNoError(tContext.client.Tracker().Add(pair[1]))
+		}
+		tContext.handleRuleChange(pair[0], pair[1])
 	default:
 		tContext.Fatalf("unexpected event type %T", event)
 	}
 }
 
+func trimPods(objs []v1.Pod) (trimmed []*v1.Pod) {
+	for _, in := range objs {
+		out := in.DeepCopy()
+		out.ManagedFields = nil
+		trimmed = append(trimmed, out)
+	}
+	return trimmed
+}
+
+func trimRules(objs []resourcealpha.DeviceTaintRule) (trimmed []*resourcealpha.DeviceTaintRule) {
+	for _, in := range objs {
+		out := in.DeepCopy()
+		out.ManagedFields = nil
+		out.Kind = ""
+		out.APIVersion = ""
+		trimmed = append(trimmed, out)
+	}
+	return trimmed
+}
+
 func newTestController(tCtx ktesting.TContext, clientSet *fake.Clientset) *Controller {
 	// fake.Clientset suffers from a race condition related to informers:
 	// it does not implement resource version support in its Watch
@@ -1224,6 +2093,12 @@ func newTestController(tCtx ktesting.TContext, clientSet *fake.Clientset) *Contr
 
 	informerFactory := informers.NewSharedInformerFactory(clientSet, 0)
 
+	featuregatetesting.SetFeatureGatesDuringTest(tCtx, utilfeature.DefaultFeatureGate,
+		featuregatetesting.FeatureOverrides{
+			features.DRADeviceTaints:     true,
+			features.DRADeviceTaintRules: true,
+		},
+	)
 	controller := New(tCtx.Client(),
 		informerFactory.Core().V1().Pods(),
 		informerFactory.Resource().V1().ResourceClaims(),
@@ -1232,7 +2107,7 @@ func newTestController(tCtx ktesting.TContext, clientSet *fake.Clientset) *Contr
 		informerFactory.Resource().V1().DeviceClasses(),
 		"device-taint-eviction",
 	)
-	controller.metrics = metrics.New(300 /* one large initial bucket for testing */)
+	controller.metrics = metrics.New(300 /* one large initial bucket for testing */) // TODO: inside a synctest bubble we should have deterministic delays and shouldn't need this trick. The remaining uncertainty comes from polling for informer cache sync.
 	// Always log, not matter what the -v value is.
 	logger := klog.FromContext(tCtx)
 	controller.eventLogger = &logger
@@ -1240,9 +2115,16 @@ func newTestController(tCtx ktesting.TContext, clientSet *fake.Clientset) *Contr
 	informerFactory.Start(tCtx.Done())
 	tCtx.Cleanup(informerFactory.Shutdown)
 
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) int32 {
-		return numWatches.Load()
-	}).WithTimeout(5*time.Second).Should(gomega.Equal(int32(5)), "All watches should be registered.")
+	tCtx.Log("starting to wait for watches")
+	if tCtx.IsSyncTest() {
+		tCtx.Wait()
+		require.Equal(tCtx, int32(5), numWatches.Load(), "All watches should be registered.")
+	} else {
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) int32 {
+			return numWatches.Load()
+		}).WithTimeout(5*time.Second).Should(gomega.Equal(int32(5)), "All watches should be registered.")
+	}
+	tCtx.Log("done waiting for watches")
 
 	return controller
 }
@@ -1284,10 +2166,11 @@ device_taint_eviction_controller_pod_deletions_total %[1]d
 // This scenario is the same as "evict-pod-resourceclaim" above. It also covers all
 // event handlers by leading to the same end state through several different combinations
 // of initial objects and add/update/delete calls.
+//
+// This runs in a bubble (https://pkg.go.dev/testing/synctest), so we can wait for goroutine
+// activity to settle down and then check the state.
 func TestEviction(t *testing.T) {
 	tCtx := ktesting.Init(t)
-	tCtx.Parallel()
-
 	do := func(tCtx ktesting.TContext, what string, action func(tCtx ktesting.TContext) error) {
 		tCtx.Log(what)
 		err := action(tCtx)
@@ -1376,30 +2259,32 @@ func TestEviction(t *testing.T) {
 			},
 		},
 	} {
-		tCtx.Run(name, func(tCtx ktesting.TContext) {
-			tCtx.Parallel()
-			fakeClientset := fake.NewSimpleClientset(tt.initialObjects...)
+		tCtx.SyncTest(name, func(tCtx ktesting.TContext) {
+			start := time.Now()
+			fakeClientset := fake.NewClientset(tt.initialObjects...)
 			tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
 
-			var mutex sync.Mutex
+			var podGets int
 			var podUpdates int
 			var updatedPod *v1.Pod
 			var podDeletions int
 
+			fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+				podGets++
+				podName := action.(core.GetAction).GetName()
+				assert.Equal(t, podWithClaimName.Name, podName, "name of pod to patch")
+				return false, nil, nil
+			})
 			fakeClientset.PrependReactor("patch", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-				mutex.Lock()
-				defer mutex.Unlock()
 				podUpdates++
 				podName := action.(core.PatchAction).GetName()
-				assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+				assert.Equal(t, podWithClaimName.Name, podName, "name of pod to get")
 				return false, nil, nil
 			})
 			fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-				mutex.Lock()
-				defer mutex.Unlock()
 				podDeletions++
 				podName := action.(core.DeleteAction).GetName()
-				assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+				assert.Equal(t, podWithClaimName.Name, podName, "name of pod to delete")
 				obj, err := fakeClientset.Tracker().Get(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
 				require.NoError(tCtx, err)
 				updatedPod = obj.(*v1.Pod)
@@ -1416,22 +2301,46 @@ func TestEviction(t *testing.T) {
 			wg.Add(1)
 			go func() {
 				defer wg.Done()
-				assert.NoError(tCtx, controller.Run(tCtx), "eviction controller failed")
+				assert.NoError(tCtx, controller.Run(tCtx, 10 /* workers */), "eviction controller failed")
 			}()
 
 			// Eventually the controller should have synced it's informers.
-			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
-				return controller.hasSynced.Load() > 0
-			}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("controller synced"))
-			if tt.afterSync != nil {
-				tt.afterSync(tCtx)
+			if false {
+				// This feels like it should work (controller should run until it has started up, then block durably), but it doesn't.
+				// Time progresses while the controller is blocked in cache.WaitForNamedCacheSyncWithContext, so this is
+				// probably a good place to start looking.
+				// TODO: make "wait for cache sync" block on a channel. Alternatively, use a context and let `context.Cause`
+				// report success or failure (might be too hacky).
+				tCtx.Wait()
+				if controller.hasSynced.Load() <= 0 {
+					tCtx.Fatal("controller should have synced")
+				}
+			} else {
+				ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+					return controller.hasSynced.Load() > 0
+				}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("controller synced"))
+				if tt.afterSync != nil {
+					tt.afterSync(tCtx)
+				}
 			}
 
-			// Eventually the pod gets deleted (= evicted).
-			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
-				_, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
-				return apierrors.IsNotFound(err)
-			}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("pod evicted"))
+			// We can wait for the controller to be idle.
+			tCtx.Wait()
+
+			// The number of API calls is deterministic.
+			assert.Equal(tCtx, 1, podGets, "get pod once")
+			assert.Equal(tCtx, 1, podUpdates, "update pod once")
+			assert.Equal(tCtx, 1, podDeletions, "delete pod once")
+
+			_, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+			switch {
+			case err == nil:
+				tCtx.Fatalf("Pod should have been deleted, it still exists")
+			case apierrors.IsNotFound(err):
+				// Okay.
+			default:
+				tCtx.Fatalf("Retrieving pod failed: %v", err)
+			}
 
 			pod := pod.DeepCopy()
 			pod.Status.Conditions = []v1.PodCondition{{
@@ -1440,42 +2349,133 @@ func TestEviction(t *testing.T) {
 				Reason:  "DeletionByDeviceTaintManager",
 				Message: "Device Taint manager: deleting due to NoExecute taint",
 			}}
-			if diff := cmp.Diff(pod, updatedPod, cmpopts.IgnoreTypes(metav1.Time{})); diff != "" {
+			if diff := cmp.Diff(pod, updatedPod, cmpopts.IgnoreTypes(metav1.Time{}, metav1.TypeMeta{}), cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ManagedFields")); diff != "" {
 				tCtx.Errorf("unexpected modified pod (-want, +got):\n%s", diff)
 			}
 
 			// Shortly after deletion we should also see updated metrics.
 			// This is the last thing the controller does for a pod.
-			// However, actually creating the event on the server is asynchronous,
-			// so we also have to wait for that.
-			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
-				gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
-				return testPodDeletionsMetrics(controller, 1)
-			}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
-
-			// We also don't want any other events, in particular not a cancellation event
-			// because the pod deletion was observed or another occurrence of the same event.
-			ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
-				mutex.Lock()
-				defer mutex.Unlock()
-				assert.Equal(tCtx, 1, podUpdates, "number of pod update calls")
-				assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
-				gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
-				tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
-				return nil
-			}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+			// Because of Wait we know that all goroutines are durably blocked and won't
+			// wake up again to change the metrics => no need for a "Consistently"!
+			gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+			tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1), "pod eviction done")
+
+			// Depending on timing, some of the "wait for cache synced" polling sleep a bit more or less,
+			// so there is a certain delta of uncertainty about the overall duration. Without that polling
+			// we probably could assert zero runtime here.
+			tCtx.Logf("eviction duration: %s", time.Since(start))
+			delta := time.Second
+			require.WithinRange(tCtx, time.Now(), start, start.Add(delta), "time to evict pod")
 		})
 	}
 }
 
+// TestDeviceTaintRule runs through the full flow of simulating eviction with the None effect,
+// updating the rule with NoExecute, and then evicting the pod.
+//
+// This runs in a bubble (https://pkg.go.dev/testing/synctest), so we can wait for goroutine
+// activity to settle down and then check the state.
+func TestDeviceTaintRule(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.SyncTest("", testDeviceTaintRule)
+}
+
+func testDeviceTaintRule(tCtx ktesting.TContext) {
+	rule := ruleNone.DeepCopy()
+	fakeClientset := fake.NewClientset(podWithClaimName, inUseClaim, rule)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+	controller := newTestController(tCtx, fakeClientset)
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Go(func() {
+		assert.NoError(tCtx, controller.Run(tCtx, 10 /* workers */), "eviction controller failed")
+	})
+
+	// Eventually the controller should have synced it's informers.
+	if false {
+		// This feels like it should work (controller should run until it has started up, then block durably), but it doesn't.
+		// Time progresses while the controller is blocked in cache.WaitForNamedCacheSyncWithContext, so this is
+		// probably a good place to start looking.
+		// TODO: make "wait for cache sync" block on a channel. Alternatively, use a context and let `context.Cause`
+		// report success or failure (might be too hacky).
+		tCtx.Wait()
+		if controller.hasSynced.Load() <= 0 {
+			tCtx.Fatal("controller should have synced")
+		}
+	} else {
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+			return controller.hasSynced.Load() > 0
+		}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("controller synced"))
+	}
+
+	// We can wait for the controller to be idle.
+	tCtx.Wait()
+	start := metav1.Now()
+	tCtx.Logf("TIME: start at %s", start)
+	check(tCtx, "initial processing: ", l(inProgress(ruleNone, false, "NoEffect", "0 published devices selected. 1 allocated device selected. 1 pod would be evicted in 1 namespace if the effect was NoExecute. This information will not be updated again. Recreate the DeviceTaintRule to trigger an update.", &start /* processed before waiting for cache sync completion */)), l(podWithClaimName))
+
+	// Move time forward to ensure that we get different time stamps.
+	time.Sleep(20 * time.Second)
+	rule.Spec.Taint.Effect = resourcealpha.DeviceTaintEffectNoExecute
+	rule, err := tCtx.Client().ResourceV1alpha3().DeviceTaintRules().Update(tCtx, rule, metav1.UpdateOptions{})
+	tCtx.ExpectNoError(err, "update rule")
+
+	// Wait for eviction. The rule gets updated with another delay.
+	tCtx.Wait()
+	evicted := metav1.Now()
+	tCtx.Logf("TIME: eviction done at %s", evicted)
+	check(tCtx, "evict: ", l(inProgress(rule, true, "PodsPendingEviction", "1 pod needs to be evicted in 1 namespace.", &evicted)), nil)
+
+	// AddAfter does not move time forward. Do it ourselves...
+	time.Sleep(ruleStatusPeriod)
+	slept := metav1.Now()
+	tCtx.Logf("TIME: slept till %s", slept)
+	tCtx.Wait()
+	done := metav1.Now()
+	tCtx.Logf("TIME: done at %s", done)
+	check(tCtx, "done: ", l(inProgress(rule, false, "Completed", "1 pod evicted since starting the controller.", &slept)), nil)
+	assertEqual(tCtx, map[types.UID]taintRuleStats{rule.UID: {numEvictedPods: 1}}, controller.taintRuleStats, "taint rule statistics should have counted the pod")
+
+	// Delete the rule and verify that we don't leak memory by still tracking it.
+	err = tCtx.Client().ResourceV1alpha3().DeviceTaintRules().Delete(tCtx, rule.Name, metav1.DeleteOptions{})
+	tCtx.ExpectNoError(err, "delete rule")
+	tCtx.Wait()
+	deleted := metav1.Now()
+	tCtx.Logf("TIME: deleted at %s", deleted)
+	assert.Empty(tCtx, controller.taintRuleStats, "taint rule statistics should have dropped the deleted rule")
+}
+
+func check(tCtx ktesting.TContext, prefix string, expectRules []*resourcealpha.DeviceTaintRule, expectPods []*v1.Pod) {
+	tCtx.Helper()
+
+	opts := []cmp.Option{
+		// Expected objects don't have managed fields, API objects do.
+		cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ManagedFields"),
+		// metav1.Time gets rounded to seconds during serialization.
+		cmpopts.AcyclicTransformer("RoundTime", func(t metav1.Time) metav1.Time {
+			return metav1.Time{Time: t.Round(time.Second)}
+		}),
+	}
+
+	actualPods, err := tCtx.Client().CoreV1().Pods("").List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, prefix+"list pods")
+	assertEqual(tCtx, expectPods, trimPods(actualPods.Items), prefix+"pods", opts...)
+	rules, err := tCtx.Client().ResourceV1alpha3().DeviceTaintRules().List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, prefix+"list rules")
+	assertEqual(tCtx, expectRules, trimRules(rules.Items), prefix+"rules", opts...)
+}
+
 // TestCancelEviction deletes the pod before the controller deletes it
 // or removes the slice. Either way, eviction gets cancelled.
 func TestCancelEviction(t *testing.T) {
 	tCtx := ktesting.Init(t)
-	tCtx.Parallel()
-
-	tCtx.Run("pod-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, true) })
-	tCtx.Run("slice-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, false) })
+	tCtx.SyncTest("pod-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, true) })
+	tCtx.SyncTest("slice-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, false) })
 }
 
 func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
@@ -1483,35 +2483,58 @@ func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
 	// do something which cancels eviction.
 	pod := podWithClaimName.DeepCopy()
 	slice := sliceTainted.DeepCopy()
-	slice.Spec.Devices[0].Taints[0].TimeAdded = &metav1.Time{Time: time.Now()}
+	slice.Spec.Devices[0].Taints[0].TimeAdded = metav1Time(time.Now())
 	claim := inUseClaim.DeepCopy()
+	tolerationSeconds := int64(60)
 	claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
 		Operator:          resourceapi.DeviceTolerationOpExists,
 		Effect:            resourceapi.DeviceTaintEffectNoExecute,
-		TolerationSeconds: ptr.To(int64(60)),
+		TolerationSeconds: &tolerationSeconds,
 	}}
-	fakeClientset := fake.NewSimpleClientset(
+	fakeClientset := fake.NewClientset(
 		slice,
 		claim,
 		pod,
 	)
-	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
-
 	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
 	require.NoError(tCtx, err, "get pod before eviction")
 	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
 
+	var podGets int
+	var podUpdates int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(tCtx, podWithClaimName.Name, podName, "name of pod to patch")
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("patch", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		podUpdates++
+		podName := action.(core.PatchAction).GetName()
+		assert.Equal(tCtx, podWithClaimName.Name, podName, "name of pod to get")
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(tCtx, podWithClaimName.Name, podName, "name of pod to delete")
+		return false, nil, nil
+	})
+
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
 	controller := newTestController(tCtx, fakeClientset)
 
 	var mutex sync.Mutex
 	podEvicting := false
-	controller.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+	controller.evictPodHook = func(podRef tainteviction.NamespacedObject, eviction evictionAndReason) {
 		assert.Equal(tCtx, newObject(pod), podRef)
 		mutex.Lock()
 		defer mutex.Unlock()
 		podEvicting = true
 	}
-	controller.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
+	controller.cancelEvictHook = func(podRef tainteviction.NamespacedObject) bool {
 		assert.Equal(tCtx, newObject(pod), podRef)
 		mutex.Lock()
 		defer mutex.Unlock()
@@ -1528,7 +2551,7 @@ func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		assert.NoError(tCtx, controller.Run(tCtx), "eviction controller failed")
+		assert.NoError(tCtx, controller.Run(tCtx, 10 /* workers */), "eviction controller failed")
 	}()
 
 	// Eventually the pod gets scheduled for eviction.
@@ -1557,15 +2580,32 @@ func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
 	if !deletePod {
 		ktesting.Eventually(tCtx, listEvents).WithTimeout(30 * time.Second).Should(matchCancellationEvent())
 	}
-	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
-		matchEvents := matchCancellationEvent()
-		if deletePod {
-			matchEvents = gomega.BeEmpty()
-		}
-		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchEvents)
-		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
-		return nil
-	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+	tCtx.Wait()
+
+	matchEvents := matchCancellationEvent()
+	if deletePod {
+		matchEvents = gomega.BeEmpty()
+		assert.Equal(tCtx, 1, podDeletions, "Pod should have been deleted exactly once by test.")
+	} else {
+		assert.Equal(tCtx, 0, podDeletions, "Pod should not have been deleted.")
+	}
+
+	// Naively (?) one could expect synctest.Wait to have blocked until the work item added via AddAfter
+	// got processed because before that the overall state isn't stable yet. But the workqueue package
+	// seems to implement AddAfter in a way which is not detected as "blocking on time to pass" by
+	// by synctest and therefore it returns without advancing time enough.
+	//
+	// Here we trigger that manually as a workaround (?). The factor doesn't really matter.
+	// Commenting this out causes the controller.maybeDeletePodCount check to fail.
+	time.Sleep(10 * time.Duration(tolerationSeconds) * time.Second)
+	tCtx.Wait()
+
+	assert.Equal(tCtx, 0, podGets, "Worker should not have needed to get the pod.")
+	assert.Equal(tCtx, 0, podUpdates, "Worker should not have needed to update the pod.")
+	assert.Equal(tCtx, 0, controller.workqueue.Len(), "Work queue should be empty now.")
+	assert.Equal(tCtx, int64(1), controller.maybeDeletePodCount, "Work queue should have processed pod.")
+	gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchEvents)
+	tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
 }
 
 // TestParallelPodDeletion covers the scenario that a pod gets deleted right before
@@ -1574,230 +2614,154 @@ func TestParallelPodDeletion(t *testing.T) {
 	tCtx := ktesting.Init(t)
 	tCtx.Parallel()
 
-	// This scenario is the same as "evict-pod-resourceclaim" above.
-	pod := podWithClaimName.DeepCopy()
-	fakeClientset := fake.NewSimpleClientset(
-		sliceTainted,
-		slice2,
-		inUseClaim,
-		pod,
-	)
-	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
-
-	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
-	require.NoError(tCtx, err, "get pod before eviction")
-	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
-
-	var mutex sync.Mutex
-	var podGets int
-	var podDeletions int
-
-	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podGets++
-		podName := action.(core.GetAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
-
-		// This gets called directly before eviction. Pretend that it is deleted.
-		err = fakeClientset.Tracker().Delete(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
-		assert.NoError(tCtx, err, "delete pod") //nolint:testifylint // Here recording an unknown error and continuing is okay.
-		return true, nil, apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
-	})
-	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podDeletions++
-		podName := action.(core.DeleteAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
-		return false, nil, nil
-	})
-	controller := newTestController(tCtx, fakeClientset)
-
-	var wg sync.WaitGroup
-	defer func() {
-		tCtx.Log("Waiting for goroutine termination...")
-		tCtx.Cancel("time to stop")
-		wg.Wait()
-	}()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		assert.NoError(tCtx, controller.Run(tCtx), "eviction controller failed")
-	}()
-
-	// Eventually the pod gets deleted, in this test by us.
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
-		mutex.Lock()
-		defer mutex.Unlock()
-		return podGets >= 1
-	}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("pod eviction started"))
-
-	// We don't want any events.
-	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
-		mutex.Lock()
-		defer mutex.Unlock()
+	tCtx.SyncTest("", func(tCtx ktesting.TContext) {
+		// This scenario is the same as "evict-pod-resourceclaim" above.
+		pod := podWithClaimName.DeepCopy()
+		fakeClientset := fake.NewClientset(
+			sliceTainted,
+			slice2,
+			inUseClaim,
+			pod,
+		)
+		tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+		pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		require.NoError(tCtx, err, "get pod before eviction")
+		assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+		var mutex sync.Mutex
+		var podGets int
+		var podDeletions int
+
+		fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+			mutex.Lock()
+			defer mutex.Unlock()
+			podGets++
+			podName := action.(core.GetAction).GetName()
+			assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+			// This gets called directly before eviction. Pretend that it is deleted.
+			err = fakeClientset.Tracker().Delete(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
+			assert.NoError(tCtx, err, "delete pod") //nolint:testifylint // Here recording an unknown error and continuing is okay.
+			return true, nil, apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
+		})
+		fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+			mutex.Lock()
+			defer mutex.Unlock()
+			podDeletions++
+			podName := action.(core.DeleteAction).GetName()
+			assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+			return false, nil, nil
+		})
+		controller := newTestController(tCtx, fakeClientset)
+
+		var wg sync.WaitGroup
+		defer func() {
+			tCtx.Log("Waiting for goroutine termination...")
+			tCtx.Cancel("time to stop")
+			wg.Wait()
+		}()
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			assert.NoError(tCtx, controller.Run(tCtx, 10 /* workers */), "eviction controller failed")
+		}()
+
+		// Eventually the pod gets deleted, in this test by us.
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+			mutex.Lock()
+			defer mutex.Unlock()
+			return podGets >= 1
+		}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("pod eviction started"))
+
+		// We don't want any events.
+		tCtx.Wait()
 		assert.Equal(tCtx, 1, podGets, "number of pod get calls")
 		assert.Equal(tCtx, 0, podDeletions, "number of pod delete calls")
 		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(gomega.BeEmpty())
 		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
-		return nil
-	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+	})
 }
 
 // TestRetry covers the scenario that an eviction attempt must be retried.
 func TestRetry(t *testing.T) {
 	tCtx := ktesting.Init(t)
-	tCtx.Parallel()
-
-	// This scenario is the same as "evict-pod-resourceclaim" above.
-	pod := podWithClaimName.DeepCopy()
-	fakeClientset := fake.NewSimpleClientset(
-		sliceTainted,
-		slice2,
-		inUseClaim,
-		pod,
-	)
-	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
-
-	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
-	require.NoError(tCtx, err, "get pod before eviction")
-	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
-
-	var mutex sync.Mutex
-	var podGets int
-	var podDeletions int
-
-	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podGets++
-		podName := action.(core.GetAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
-
-		// This gets called directly before eviction. Pretend that there is an intermittent error.
-		if podGets == 1 {
-			return true, nil, apierrors.NewInternalError(errors.New("fake error"))
-		}
-		return false, nil, nil
-	})
-	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podDeletions++
-		podName := action.(core.DeleteAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
-		return false, nil, nil
-	})
-	controller := newTestController(tCtx, fakeClientset)
 
-	var wg sync.WaitGroup
-	defer func() {
-		t.Log("Waiting for goroutine termination...")
-		tCtx.Cancel("time to stop")
-		wg.Wait()
-	}()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		assert.NoError(tCtx, controller.Run(tCtx), "eviction controller failed")
-	}()
-
-	// Eventually the pod gets deleted and the event is recorded.
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
-		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
-		return testPodDeletionsMetrics(controller, 1)
-	}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
-
-	// Now we can check the API calls.
-	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
-		mutex.Lock()
-		defer mutex.Unlock()
+	tCtx.SyncTest("", func(tCtx ktesting.TContext) {
+		// This scenario is the same as "evict-pod-resourceclaim" above.
+		pod := podWithClaimName.DeepCopy()
+		fakeClientset := fake.NewClientset(
+			sliceTainted,
+			slice2,
+			inUseClaim,
+			pod,
+		)
+		tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+		pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		require.NoError(tCtx, err, "get pod before eviction")
+		assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+		var mutex sync.Mutex
+		var podGets int
+		var podDeletions int
+
+		fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+			mutex.Lock()
+			defer mutex.Unlock()
+			podGets++
+			podName := action.(core.GetAction).GetName()
+			assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+			// This gets called directly before eviction. Pretend that there is an intermittent error.
+			if podGets == 1 {
+				return true, nil, apierrors.NewInternalError(errors.New("fake error"))
+			}
+			return false, nil, nil
+		})
+		fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+			mutex.Lock()
+			defer mutex.Unlock()
+			podDeletions++
+			podName := action.(core.DeleteAction).GetName()
+			assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+			return false, nil, nil
+		})
+		controller := newTestController(tCtx, fakeClientset)
+
+		var wg sync.WaitGroup
+		defer func() {
+			t.Log("Waiting for goroutine termination...")
+			tCtx.Cancel("time to stop")
+			wg.Wait()
+		}()
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			assert.NoError(tCtx, controller.Run(tCtx, 10 /* workers */), "eviction controller failed")
+		}()
+
+		// Eventually the pod gets deleted and the event is recorded.
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+			gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+			return testPodDeletionsMetrics(controller, 1)
+		}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
+
+		// Now we can check the API calls.
+		tCtx.Wait()
 		assert.Equal(tCtx, 2, podGets, "number of pod get calls")
 		assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
 		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
 		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
-		return nil
-	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
-}
-
-// TestRetry covers the scenario that an eviction attempt fails.
-func TestEvictionFailure(t *testing.T) {
-	tCtx := ktesting.Init(t)
-	tCtx.Parallel()
-
-	// This scenario is the same as "evict-pod-resourceclaim" above.
-	pod := podWithClaimName.DeepCopy()
-	fakeClientset := fake.NewSimpleClientset(
-		sliceTainted,
-		slice2,
-		inUseClaim,
-		pod,
-	)
-	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
-
-	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
-	require.NoError(tCtx, err, "get pod before eviction")
-	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
-
-	var mutex sync.Mutex
-	var podGets int
-	var podDeletions int
-
-	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podGets++
-		podName := action.(core.GetAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
-		return false, nil, nil
-	})
-	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
-		mutex.Lock()
-		defer mutex.Unlock()
-		podDeletions++
-		podName := action.(core.DeleteAction).GetName()
-		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
-		return true, nil, apierrors.NewInternalError(errors.New("fake error"))
 	})
-	controller := newTestController(tCtx, fakeClientset)
-
-	var wg sync.WaitGroup
-	defer func() {
-		t.Log("Waiting for goroutine termination...")
-		tCtx.Cancel("time to stop")
-		wg.Wait()
-	}()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		assert.NoError(tCtx, controller.Run(tCtx), "eviction controller failed")
-	}()
-
-	// Eventually deletion is attempted a few times.
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) int {
-		mutex.Lock()
-		defer mutex.Unlock()
-		return podDeletions
-	}).WithTimeout(30*time.Second).Should(gomega.BeNumerically(">=", retries), "pod eviction failed")
-
-	// Now we can check the API calls.
-	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
-		mutex.Lock()
-		defer mutex.Unlock()
-		assert.Equal(tCtx, retries, podGets, "number of pod get calls")
-		assert.Equal(tCtx, retries, podDeletions, "number of pod delete calls")
-		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
-		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
-		return nil
-	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
 }
 
 // BenchTaintUntaint checks the full flow of detecting a claim as
 // tainted because of a new DeviceTaintRule, starting to evict its
 // consumer, and then undoing that when the DeviceTaintRule is removed.
 func BenchmarkTaintUntaint(b *testing.B) {
-	tContext := setup(b)
+	tCtx := ktesting.Init(b)
+	tContext := setup(tCtx)
 	podStore := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
 	// No output, comment out if output is desired.
 	tContext.Controller.eventLogger = nil
@@ -1809,17 +2773,17 @@ func BenchmarkTaintUntaint(b *testing.B) {
 		tContext.handleClaimChange(nil, inUseClaimWithToleration)
 		require.NoError(tContext, podStore.Add(podWithClaimName), "add pod")
 		tContext.handlePodChange(nil, podWithClaimName)
-		require.Empty(tContext, tContext.evicting)
+		require.Empty(tContext, tContext.deletePodAt)
 
 		// Now evict.
 		tContext.handleSliceChange(slice, sliceTainted)
 
 		// Because informer event handlers are synchronous, we get the expected result immediately.
-		require.NotEmpty(tContext, tContext.evicting)
+		require.NotEmpty(tContext, tContext.deletePodAt)
 
 		// ... and remove them again.
 		tContext.handleSliceChange(sliceTainted, slice)
-		require.Empty(tContext, tContext.evicting)
+		require.Empty(tContext, tContext.deletePodAt)
 
 		tContext.handlePodChange(podWithClaimName, nil)
 		require.NoError(tContext, podStore.Delete(podWithClaimName), "remove pod")
diff --git a/pkg/controller/devicetainteviction/mockqueue_test.go b/pkg/controller/devicetainteviction/mockqueue_test.go
new file mode 100644
index 0000000000000..e40f3b285b0eb
--- /dev/null
+++ b/pkg/controller/devicetainteviction/mockqueue_test.go
@@ -0,0 +1,257 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"maps"
+	"slices"
+	"sync"
+	"time"
+
+	"k8s.io/client-go/util/workqueue"
+)
+
+// TODO (pohly): move this to k8s.io/client-go/util/workqueue/mockqueue.go
+// if it turns out to be generally useful. Doc comments are already written
+// as if the code was there.
+
+// MockQueue is an implementation of [TypedRateLimitingInterface] which
+// can be used to test a function which pulls work items out of a queue
+// and processes them. It is thread-safe.
+//
+// A null instance is directly usable. The usual usage is:
+//
+//	var m workqueue.Mock[string]
+//	m.SyncOne("some-item", func(queue workqueue.TypedRateLimitingInterface[string]) { ... } )
+//	if diff := cmp.Diff(workqueue.MockState[string]{}, m.State()); diff != "" {
+//	    t.Errorf("unexpected state of mock work queue after sync (-want, +got):\n%s", diff)
+//	}
+//
+// All slices get reset to nil when they become empty, so there are no spurious
+// differences because of nil vs. empty slice.
+type Mock[T comparable] struct {
+	mutex sync.Mutex
+	state MockState[T]
+}
+
+type MockState[T comparable] struct {
+	// Ready contains the items which are ready for processing.
+	Ready []T
+
+	// InFlight contains the items which are currently being processed (= Get
+	// was called, Done not yet).
+	InFlight []T
+
+	// MismatchedDone contains the items for which Done was called without
+	// a matching Get.
+	MismatchedDone []T
+
+	// Later contains the items which are meant to be added to the queue after
+	// a certain delay (= AddAfter was called for them). They appear in the
+	// order in which AddAfter got called.
+	Later []MockDelayedItem[T]
+
+	// Failures contains the items and their retry count which failed to be
+	// processed (AddRateLimited called at least once, Forget not yet).
+	// The retry count is always larger than zero.
+	Failures map[T]int
+
+	// ShutDownCalled tracks how often ShutDown got called.
+	ShutDownCalled int
+
+	// ShutDownWithDrainCalled tracks how often ShutDownWithDrain got called.
+	ShutDownWithDrainCalled int
+}
+
+// DeepCopy takes a snapshot of all slices. It cannot do a deep copy of the items in those slices,
+// but typically those keys are immutable.
+func (m MockState[T]) DeepCopy() *MockState[T] {
+	m.Ready = slices.Clone(m.Ready)
+	m.InFlight = slices.Clone(m.InFlight)
+	m.MismatchedDone = slices.Clone(m.MismatchedDone)
+	m.Later = slices.Clone(m.Later)
+	m.Failures = maps.Clone(m.Failures)
+	return &m
+}
+
+// MockDelayedItem is an item which was queue for later processing.
+type MockDelayedItem[T comparable] struct {
+	Item     T
+	Duration time.Duration
+}
+
+// SyncOne adds the item to the work queue and calls sync.
+// That sync function can pull one or more items from the work
+// queue until the queue is empty. Then it is told that the queue
+// is shutting down, which must cause it to return.
+//
+// The test can then retrieve the state of the queue to check the result.
+func (m *Mock[T]) SyncOne(item T, sync func(workqueue.TypedRateLimitingInterface[T])) {
+	// sync must run with the mutex not locked.
+	defer sync(m)
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.state.Ready = append(m.state.Ready, item)
+}
+
+// State returns the current state of the queue.
+func (m *Mock[T]) State() MockState[T] {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	return *m.state.DeepCopy()
+}
+
+// Add implements [TypedInterface].
+func (m *Mock[T]) Add(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	if !slices.Contains(m.state.Ready, item) {
+		m.state.Ready = append(m.state.Ready, item)
+	}
+}
+
+// Len implements [TypedInterface].
+func (m *Mock[T]) Len() int {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	return len(m.state.Ready)
+}
+
+// Get implements [TypedInterface].
+func (m *Mock[T]) Get() (item T, shutdown bool) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	if len(m.state.Ready) == 0 {
+		shutdown = true
+		return
+	}
+	item = m.state.Ready[0]
+	m.state.Ready = m.state.Ready[1:]
+	if len(m.state.Ready) == 0 {
+		m.state.Ready = nil
+	}
+	m.state.InFlight = append(m.state.InFlight, item)
+	return item, false
+}
+
+// Done implements [TypedInterface].
+func (m *Mock[T]) Done(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	index := slices.Index(m.state.InFlight, item)
+	if index < 0 {
+		m.state.MismatchedDone = append(m.state.MismatchedDone, item)
+	}
+	m.state.InFlight = slices.Delete(m.state.InFlight, index, index+1)
+	if len(m.state.InFlight) == 0 {
+		m.state.InFlight = nil
+	}
+}
+
+// ShutDown implements [TypedInterface].
+func (m *Mock[T]) ShutDown() {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.state.ShutDownCalled++
+}
+
+// ShutDownWithDrain implements [TypedInterface].
+func (m *Mock[T]) ShutDownWithDrain() {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.state.ShutDownWithDrainCalled++
+}
+
+// ShuttingDown implements [TypedInterface].
+func (m *Mock[T]) ShuttingDown() bool {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	return m.state.ShutDownCalled > 0 || m.state.ShutDownWithDrainCalled > 0
+}
+
+// AddAfter implements [TypedDelayingInterface.AddAfter]
+func (m *Mock[T]) AddAfter(item T, duration time.Duration) {
+	if duration == 0 {
+		m.Add(item)
+		return
+	}
+
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	for i := range m.state.Later {
+		if m.state.Later[i].Item == item {
+			// https://github.com/kubernetes/client-go/blob/270e5ab1714527c455865953da8ceba2810dbb50/util/workqueue/delaying_queue.go#L340-L349
+			// only shortens the delay for an existing item. It does not make it longer.
+			if m.state.Later[i].Duration > duration {
+				m.state.Later[i].Duration = duration
+			}
+			return
+		}
+	}
+
+	m.state.Later = append(m.state.Later, MockDelayedItem[T]{Item: item, Duration: duration})
+}
+
+// CancelAfter is an extension of the TypedDelayingInterface: it allows a test to remove an item that may or may not have been added before via AddAfter.
+func (m *Mock[T]) CancelAfter(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.state.Later = slices.DeleteFunc(m.state.Later, func(later MockDelayedItem[T]) bool {
+		return later.Item == item
+	})
+}
+
+// AddRateLimited implements [TypedRateLimitingInterface.AddRateLimited].
+func (m *Mock[T]) AddRateLimited(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	if m.state.Failures == nil {
+		m.state.Failures = make(map[T]int)
+	}
+	m.state.Failures[item]++
+}
+
+// Forget implements [TypedRateLimitingInterface.Forget].
+func (m *Mock[T]) Forget(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	if m.state.Failures == nil {
+		return
+	}
+	delete(m.state.Failures, item)
+}
+
+// NumRequeues implements [TypedRateLimitingInterface.NumRequeues].
+func (m *Mock[T]) NumRequeues(item T) int {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	return m.state.Failures[item]
+}
diff --git a/pkg/controller/devicetainteviction/nopqueue.go b/pkg/controller/devicetainteviction/nopqueue.go
new file mode 100644
index 0000000000000..97e9ef89dc67f
--- /dev/null
+++ b/pkg/controller/devicetainteviction/nopqueue.go
@@ -0,0 +1,79 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"time"
+
+	"k8s.io/client-go/util/workqueue"
+)
+
+// NOPQueue is an implementation of [TypedRateLimitingInterface] which
+// doesn't do anything.
+type NOPQueue[T comparable] struct {
+}
+
+var _ workqueue.TypedRateLimitingInterface[int] = &NOPQueue[int]{}
+
+// Add implements [TypedInterface].
+func (m *NOPQueue[T]) Add(item T) {
+}
+
+// Len implements [TypedInterface].
+func (m *NOPQueue[T]) Len() int {
+	return 0
+}
+
+// Get implements [TypedInterface].
+func (m *NOPQueue[T]) Get() (item T, shutdown bool) {
+	shutdown = true
+	return
+}
+
+// Done implements [TypedInterface].
+func (m *NOPQueue[T]) Done(item T) {
+}
+
+// ShutDown implements [TypedInterface].
+func (m *NOPQueue[T]) ShutDown() {
+}
+
+// ShutDownWithDrain implements [TypedInterface].
+func (m *NOPQueue[T]) ShutDownWithDrain() {
+}
+
+// ShuttingDown implements [TypedInterface].
+func (m *NOPQueue[T]) ShuttingDown() bool {
+	return true
+}
+
+// AddAfter implements [TypedDelayingInterface.AddAfter]
+func (m *NOPQueue[T]) AddAfter(item T, duration time.Duration) {
+}
+
+// AddRateLimited implements [TypedRateLimitingInterface.AddRateLimited].
+func (m *NOPQueue[T]) AddRateLimited(item T) {
+}
+
+// Forget implements [TypedRateLimitingInterface.Forget].
+func (m *NOPQueue[T]) Forget(item T) {
+}
+
+// NumRequeues implements [TypedRateLimitingInterface.NumRequeues].
+func (m *NOPQueue[T]) NumRequeues(item T) int {
+	return 0
+}
diff --git a/pkg/controller/disruption/disruption.go b/pkg/controller/disruption/disruption.go
index 05f9aa8166efe..4475f3cbf7a67 100644
--- a/pkg/controller/disruption/disruption.go
+++ b/pkg/controller/disruption/disruption.go
@@ -19,6 +19,7 @@ package disruption
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	apps "k8s.io/api/apps/v1beta1"
@@ -461,21 +462,30 @@ func (dc *DisruptionController) Run(ctx context.Context) {
 	}
 	defer dc.broadcaster.Shutdown()
 
-	defer dc.queue.ShutDown()
-	defer dc.recheckQueue.ShutDown()
-	defer dc.stalePodDisruptionQueue.ShutDown()
-
 	logger.Info("Starting disruption controller")
-	defer logger.Info("Shutting down disruption controller")
 
-	if !cache.WaitForNamedCacheSync("disruption", ctx.Done(), dc.podListerSynced, dc.pdbListerSynced, dc.rcListerSynced, dc.rsListerSynced, dc.dListerSynced, dc.ssListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down disruption controller")
+		dc.queue.ShutDown()
+		dc.recheckQueue.ShutDown()
+		dc.stalePodDisruptionQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, dc.podListerSynced, dc.pdbListerSynced, dc.rcListerSynced, dc.rsListerSynced, dc.dListerSynced, dc.ssListerSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, dc.worker, time.Second)
-	go wait.Until(dc.recheckWorker, time.Second, ctx.Done())
-	go wait.UntilWithContext(ctx, dc.stalePodDisruptionWorker, time.Second)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, dc.worker, time.Second)
+	})
+	wg.Go(func() {
+		wait.Until(dc.recheckWorker, time.Second, ctx.Done())
+	})
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, dc.stalePodDisruptionWorker, time.Second)
+	})
 	<-ctx.Done()
 }
 
@@ -813,7 +823,7 @@ func (dc *DisruptionController) getExpectedPodCount(ctx context.Context, pdb *po
 	// handled the same way for integer and percentage minAvailable
 
 	if pdb.Spec.MaxUnavailable != nil {
-		expectedCount, unmanagedPods, err = dc.getExpectedScale(ctx, pdb, pods)
+		expectedCount, unmanagedPods, err = dc.getExpectedScale(ctx, pods)
 		if err != nil {
 			return
 		}
@@ -831,7 +841,7 @@ func (dc *DisruptionController) getExpectedPodCount(ctx context.Context, pdb *po
 			desiredHealthy = pdb.Spec.MinAvailable.IntVal
 			expectedCount = int32(len(pods))
 		} else if pdb.Spec.MinAvailable.Type == intstr.String {
-			expectedCount, unmanagedPods, err = dc.getExpectedScale(ctx, pdb, pods)
+			expectedCount, unmanagedPods, err = dc.getExpectedScale(ctx, pods)
 			if err != nil {
 				return
 			}
@@ -847,7 +857,7 @@ func (dc *DisruptionController) getExpectedPodCount(ctx context.Context, pdb *po
 	return
 }
 
-func (dc *DisruptionController) getExpectedScale(ctx context.Context, pdb *policy.PodDisruptionBudget, pods []*v1.Pod) (expectedCount int32, unmanagedPods []string, err error) {
+func (dc *DisruptionController) getExpectedScale(ctx context.Context, pods []*v1.Pod) (expectedCount int32, unmanagedPods []string, err error) {
 	// When the user specifies a fraction of pods that must be available, we
 	// use as the fraction's denominator
 	// SUM_{all c in C} scale(c)
diff --git a/pkg/controller/disruption/disruption_test.go b/pkg/controller/disruption/disruption_test.go
index 01c77371bdf43..4f9fa4b8996f6 100644
--- a/pkg/controller/disruption/disruption_test.go
+++ b/pkg/controller/disruption/disruption_test.go
@@ -625,7 +625,7 @@ func TestTotalUnmanagedPods(t *testing.T) {
 	dc.sync(ctx, pdbName)
 	var pods []*v1.Pod
 	pods = append(pods, pod)
-	_, unmanagedPods, _ := dc.getExpectedScale(ctx, pdb, pods)
+	_, unmanagedPods, _ := dc.getExpectedScale(ctx, pods)
 	if len(unmanagedPods) != 1 {
 		t.Fatalf("expected one pod to be unmanaged pod but found %d", len(unmanagedPods))
 	}
diff --git a/pkg/controller/endpoint/endpoints_controller.go b/pkg/controller/endpoint/endpoints_controller.go
index 3624c1aa7d64d..fe1c5f40832c7 100644
--- a/pkg/controller/endpoint/endpoints_controller.go
+++ b/pkg/controller/endpoint/endpoints_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"math"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -89,6 +90,7 @@ func NewEndpointController(ctx context.Context, podInformer coreinformers.PodInf
 				Name: "endpoint",
 			},
 		),
+		podQueue:         workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[*endpointsliceutil.PodProjectionKey]()),
 		workerLoopPeriod: time.Second,
 	}
 
@@ -103,9 +105,9 @@ func NewEndpointController(ctx context.Context, podInformer coreinformers.PodInf
 	e.servicesSynced = serviceInformer.Informer().HasSynced
 
 	podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc:    e.addPod,
-		UpdateFunc: e.updatePod,
-		DeleteFunc: e.deletePod,
+		AddFunc:    func(obj interface{}) { e.onPodUpdate(nil, obj) },
+		UpdateFunc: e.onPodUpdate,
+		DeleteFunc: func(obj interface{}) { e.onPodUpdate(obj, nil) },
 	})
 	e.podLister = podInformer.Lister()
 	e.podsSynced = podInformer.Informer().HasSynced
@@ -162,6 +164,11 @@ type Controller struct {
 	// necessary.
 	queue workqueue.TypedRateLimitingInterface[string]
 
+	// podQueue is used to compute pod->services mapping and drive matching services into the service queue.
+	// This operation can be expensive when large number of services exist in the pod's namespace and
+	// label selection logic has to be evaluated against each service.
+	podQueue workqueue.TypedRateLimitingInterface[*endpointsliceutil.PodProjectionKey]
+
 	// workerLoopPeriod is the time between worker runs. The workers process the queue of service and pod changes.
 	workerLoopPeriod time.Duration
 
@@ -182,42 +189,35 @@ func (e *Controller) Run(ctx context.Context, workers int) {
 	e.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: e.client.CoreV1().Events("")})
 	defer e.eventBroadcaster.Shutdown()
 
-	defer e.queue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting endpoint controller")
-	defer logger.Info("Shutting down endpoint controller")
 
-	if !cache.WaitForNamedCacheSync("endpoint", ctx.Done(), e.podsSynced, e.servicesSynced, e.endpointsSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down endpoint controller")
+		e.queue.ShutDown()
+		e.podQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, e.podsSynced, e.servicesSynced, e.endpointsSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, e.worker, e.workerLoopPeriod)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, e.worker, e.workerLoopPeriod)
+		})
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, e.podWorker, e.workerLoopPeriod)
+		})
 	}
-
-	go func() {
-		defer utilruntime.HandleCrash()
+	wg.Go(func() {
 		e.checkLeftoverEndpoints()
-	}()
-
+	})
 	<-ctx.Done()
 }
 
-// When a pod is added, figure out what services it will be a member of and
-// enqueue them. obj must have *v1.Pod type.
-func (e *Controller) addPod(obj interface{}) {
-	pod := obj.(*v1.Pod)
-	services, err := endpointsliceutil.GetPodServiceMemberships(e.serviceLister, pod)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("Unable to get pod %s/%s's service memberships: %v", pod.Namespace, pod.Name, err))
-		return
-	}
-	for key := range services {
-		e.queue.AddAfter(key, e.endpointUpdatesBatchPeriod)
-	}
-}
-
 func podToEndpointAddressForService(svc *v1.Service, pod *v1.Pod) (*v1.EndpointAddress, error) {
 	var endpointIP string
 
@@ -249,25 +249,6 @@ func podToEndpointAddressForService(svc *v1.Service, pod *v1.Pod) (*v1.EndpointA
 	}, nil
 }
 
-// When a pod is updated, figure out what services it used to be a member of
-// and what services it will be a member of, and enqueue the union of these.
-// old and cur must be *v1.Pod types.
-func (e *Controller) updatePod(old, cur interface{}) {
-	services := endpointsliceutil.GetServicesToUpdateOnPodChange(e.serviceLister, old, cur)
-	for key := range services {
-		e.queue.AddAfter(key, e.endpointUpdatesBatchPeriod)
-	}
-}
-
-// When a pod is deleted, enqueue the services the pod used to be a member of.
-// obj could be an *v1.Pod, or a DeletionFinalStateUnknown marker item.
-func (e *Controller) deletePod(obj interface{}) {
-	pod := endpointsliceutil.GetPodFromDeleteAction(obj)
-	if pod != nil {
-		e.addPod(pod)
-	}
-}
-
 // onServiceUpdate updates the Service Selector in the cache and queues the Service for processing.
 func (e *Controller) onServiceUpdate(obj interface{}) {
 	key, err := controller.KeyFunc(obj)
@@ -288,6 +269,14 @@ func (e *Controller) onServiceDelete(obj interface{}) {
 	e.queue.Add(key)
 }
 
+// onPodUpdate enqueues the pod's projection key on Add/Update/Delete events, to find matching services later.
+func (e *Controller) onPodUpdate(old, cur interface{}) {
+	key := endpointsliceutil.GetPodUpdateProjectionKey(old, cur)
+	if key != nil {
+		e.podQueue.Add(key)
+	}
+}
+
 func (e *Controller) onEndpointsDelete(obj interface{}) {
 	key, err := controller.KeyFunc(obj)
 	if err != nil {
@@ -469,7 +458,10 @@ func (e *Controller) syncService(ctx context.Context, key string) error {
 	// When comparing the subsets, we ignore the difference in ResourceVersion of Pod to avoid unnecessary Endpoints
 	// updates caused by Pod updates that we don't care, e.g. annotation update.
 	if !createEndpoints &&
-		endpointSubsetsEqualIgnoreResourceVersion(currentEndpoints.Subsets, subsets) &&
+		(endpointSubsetsEqualIgnoreResourceVersion(currentEndpoints.Subsets, subsets) ||
+			// If the comparison fails, try again after repacking, it may be a difference in the hash algorithm
+			// For more context: https://github.com/kubernetes/kubernetes/issues/129652#issuecomment-3264035333
+			endpointSubsetsEqualIgnoreResourceVersion(endpoints.RepackSubsets(currentEndpoints.Subsets), subsets)) &&
 		labelsCorrectForEndpoints(currentEndpoints.Labels, service.Labels) &&
 		capacityAnnotationSetCorrectly(currentEndpoints.Annotations, currentEndpoints.Subsets) {
 		logger.V(5).Info("endpoints are equal, skipping update", "service", klog.KObj(service))
@@ -549,6 +541,60 @@ func (e *Controller) syncService(ctx context.Context, key string) error {
 	return nil
 }
 
+func (e *Controller) podWorker(ctx context.Context) {
+	for e.processNextPodWorkItem(ctx) {
+	}
+}
+
+func (e *Controller) processNextPodWorkItem(ctx context.Context) bool {
+	eKey, quit := e.podQueue.Get()
+	if quit {
+		return false
+	}
+	defer e.podQueue.Done(eKey)
+
+	logger := klog.FromContext(ctx)
+	err := e.syncPod(logger, eKey)
+	e.handlePodErr(logger, err, eKey)
+
+	return true
+}
+
+func (e *Controller) handlePodErr(logger klog.Logger, err error, key *endpointsliceutil.PodProjectionKey) {
+	if err == nil {
+		e.podQueue.Forget(key)
+		return
+	}
+
+	if e.podQueue.NumRequeues(key) < maxRetries {
+		logger.V(2).Info("Error syncing pod, retrying", "PodProjectionKey", *key)
+		e.podQueue.AddRateLimited(key)
+		return
+	}
+
+	logger.Info("Dropping pod out of the queue", "PodProjectionKey", *key)
+	e.podQueue.Forget(key)
+	utilruntime.HandleError(err)
+}
+
+func (e *Controller) syncPod(logger klog.Logger, key *endpointsliceutil.PodProjectionKey) error {
+	startTime := time.Now()
+	defer func() {
+		logger.V(4).Info("Finished syncing pod", "PodProjectionKey", *key, "elapsedTime", time.Since(startTime))
+	}()
+
+	servicesToUpdate, err := endpointsliceutil.GetServicesToUpdate(e.serviceLister, key)
+	if err != nil {
+		return err
+	}
+
+	for service := range servicesToUpdate {
+		e.queue.AddAfter(service, e.endpointUpdatesBatchPeriod)
+	}
+
+	return nil
+}
+
 // checkLeftoverEndpoints lists all currently existing endpoints and adds their
 // service to the queue. This will detect endpoints that exist with no
 // corresponding service; these endpoints need to be deleted. We only need to
diff --git a/pkg/controller/endpoint/endpoints_controller_test.go b/pkg/controller/endpoint/endpoints_controller_test.go
index 3ca945d6b1109..bead9c2f6494a 100644
--- a/pkg/controller/endpoint/endpoints_controller_test.go
+++ b/pkg/controller/endpoint/endpoints_controller_test.go
@@ -1008,6 +1008,63 @@ func TestSyncEndpointsItemsPreexistingIdentical(t *testing.T) {
 	endpointsHandler.ValidateRequestCount(t, 0)
 }
 
+func TestSyncEndpointsItemsPreexistingIdenticalUnsorted(t *testing.T) {
+	ns := metav1.NamespaceDefault
+	testServer, endpointsHandler := makeTestServer(t, ns)
+	defer testServer.Close()
+	tCtx := ktesting.Init(t)
+	endpoints := newController(tCtx, testServer.URL, 0*time.Second)
+	pod0 := testPod(ns, 0, 1, true, ipv4only)
+	pod1 := testPod(ns, 1, 1, true, ipv4only)
+
+	subsets := []v1.EndpointSubset{{
+		Addresses: []v1.EndpointAddress{
+			// known to not be packed correctly according to the current hash
+			{IP: pod1.Status.PodIPs[0].IP, NodeName: &emptyNodeName, TargetRef: &v1.ObjectReference{Kind: "Pod", Name: pod1.Name, Namespace: ns}},
+			{IP: pod0.Status.PodIPs[0].IP, NodeName: &emptyNodeName, TargetRef: &v1.ObjectReference{Kind: "Pod", Name: pod0.Name, Namespace: ns}},
+		},
+		Ports: []v1.EndpointPort{{Port: 8080, Protocol: "TCP"}},
+	}}
+
+	// Assert that endpoints are not repacked correctly according to the current hash.
+	// We want to prove that this does not cause a re-sync.
+	repacked := endptspkg.RepackSubsets(subsets)
+	if reflect.DeepEqual(subsets, repacked) {
+		t.Errorf("subsets were already in sorted order")
+	}
+
+	endpoints.endpointsStore.Add(&v1.Endpoints{
+		ObjectMeta: metav1.ObjectMeta{
+			ResourceVersion: "1",
+			Name:            "foo",
+			Namespace:       ns,
+			Labels: map[string]string{
+				LabelManagedBy: ControllerName,
+			},
+		},
+		Subsets: subsets,
+	})
+
+	endpoints.podStore.Add(pod0)
+	endpoints.podStore.Add(pod1)
+
+	endpoints.serviceStore.Add(&v1.Service{
+		ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: metav1.NamespaceDefault},
+		Spec: v1.ServiceSpec{
+			Selector:   map[string]string{"foo": "bar"},
+			Ports:      []v1.ServicePort{{Port: 80, Protocol: "TCP", TargetPort: intstr.FromInt32(8080)}},
+			IPFamilies: []v1.IPFamily{v1.IPv4Protocol},
+		},
+	})
+	err := endpoints.syncService(tCtx, ns+"/foo")
+	if err != nil {
+		t.Errorf("Unexpected error syncing service %v", err)
+	}
+
+	// syncing should've been a no-op
+	endpointsHandler.ValidateRequestCount(t, 0)
+}
+
 func TestSyncEndpointsItems(t *testing.T) {
 	ns := "other"
 	testServer, endpointsHandler := makeTestServer(t, ns)
@@ -1930,7 +1987,7 @@ func TestPodUpdatesBatching(t *testing.T) {
 				resourceVersion++
 
 				endpoints.podStore.Update(newPod)
-				endpoints.updatePod(oldPod, newPod)
+				endpoints.onPodUpdate(oldPod, newPod)
 			}
 
 			time.Sleep(tc.finalDelay)
@@ -2039,7 +2096,7 @@ func TestPodAddsBatching(t *testing.T) {
 
 				p := testPod(ns, i, 1, true, ipv4only)
 				endpoints.podStore.Add(p)
-				endpoints.addPod(p)
+				endpoints.onPodUpdate(nil, p)
 			}
 
 			time.Sleep(tc.finalDelay)
@@ -2170,7 +2227,7 @@ func TestPodDeleteBatching(t *testing.T) {
 					t.Fatalf("Pod %q doesn't exist", update.podName)
 				}
 				endpoints.podStore.Delete(old)
-				endpoints.deletePod(old)
+				endpoints.onPodUpdate(old, nil)
 			}
 
 			time.Sleep(tc.finalDelay)
@@ -2582,7 +2639,7 @@ func TestMultiplePodChanges(t *testing.T) {
 	pod2.ResourceVersion = "2"
 	pod2.Status.Conditions[0].Status = v1.ConditionFalse
 	_ = controller.podStore.Update(pod2)
-	controller.updatePod(pod, pod2)
+	controller.onPodUpdate(pod, pod2)
 	// blockNextAction should eventually unblock once server gets endpoints request.
 	waitForChanReceive(t, 1*time.Second, blockNextAction, "Pod Update should have caused a request to be sent to the test server")
 	// The endpoints update hasn't been applied to the cache yet.
@@ -2590,7 +2647,7 @@ func TestMultiplePodChanges(t *testing.T) {
 	pod3.ResourceVersion = "3"
 	pod3.Status.Conditions[0].Status = v1.ConditionTrue
 	_ = controller.podStore.Update(pod3)
-	controller.updatePod(pod2, pod3)
+	controller.onPodUpdate(pod2, pod3)
 	// It shouldn't get endpoints request as the endpoints in the cache is out-of-date.
 	timer := time.NewTimer(100 * time.Millisecond)
 	select {
diff --git a/pkg/controller/endpointslice/endpointslice_controller.go b/pkg/controller/endpointslice/endpointslice_controller.go
index 5e01fd334dcd2..2f424437b8327 100644
--- a/pkg/controller/endpointslice/endpointslice_controller.go
+++ b/pkg/controller/endpointslice/endpointslice_controller.go
@@ -19,6 +19,7 @@ package endpointslice
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -113,9 +114,8 @@ func NewController(ctx context.Context, podInformer coreinformers.PodInformer,
 				Name: "endpoint_slice",
 			},
 		),
-		topologyQueue: workqueue.NewTypedRateLimitingQueue[string](
-			workqueue.DefaultTypedControllerRateLimiter[string](),
-		),
+		podQueue:         workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[*endpointsliceutil.PodProjectionKey]()),
+		topologyQueue:    workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[string]()),
 		workerLoopPeriod: time.Second,
 	}
 
@@ -130,9 +130,9 @@ func NewController(ctx context.Context, podInformer coreinformers.PodInformer,
 	c.servicesSynced = serviceInformer.Informer().HasSynced
 
 	podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc:    c.addPod,
-		UpdateFunc: c.updatePod,
-		DeleteFunc: c.deletePod,
+		AddFunc:    func(obj interface{}) { c.onPodUpdate(nil, obj) },
+		UpdateFunc: c.onPodUpdate,
+		DeleteFunc: func(obj interface{}) { c.onPodUpdate(obj, nil) },
 	})
 	c.podLister = podInformer.Lister()
 	c.podsSynced = podInformer.Informer().HasSynced
@@ -244,6 +244,11 @@ type Controller struct {
 	// necessary.
 	serviceQueue workqueue.TypedRateLimitingInterface[string]
 
+	// podQueue is used to compute pod->services mapping and drive matching services into serviceQueue.
+	// This operation can be expensive when large number of services exist in the pod's namespace and
+	// label selection logic has to be evaluated against each service.
+	podQueue workqueue.TypedRateLimitingInterface[*endpointsliceutil.PodProjectionKey]
+
 	// topologyQueue is used to trigger a topology cache update and checking node
 	// topology distribution.
 	topologyQueue workqueue.TypedRateLimitingInterface[string]
@@ -274,24 +279,36 @@ func (c *Controller) Run(ctx context.Context, workers int) {
 	c.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: c.client.CoreV1().Events("")})
 	defer c.eventBroadcaster.Shutdown()
 
-	defer c.serviceQueue.ShutDown()
-	defer c.topologyQueue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting endpoint slice controller")
-	defer logger.Info("Shutting down endpoint slice controller")
 
-	if !cache.WaitForNamedCacheSync("endpoint_slice", ctx.Done(), c.podsSynced, c.servicesSynced, c.endpointSlicesSynced, c.nodesSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down endpoint slice controller")
+		c.serviceQueue.ShutDown()
+		c.podQueue.ShutDown()
+		c.topologyQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.podsSynced, c.servicesSynced, c.endpointSlicesSynced, c.nodesSynced) {
 		return
 	}
 
 	logger.V(2).Info("Starting service queue worker threads", "total", workers)
 	for i := 0; i < workers; i++ {
-		go wait.Until(func() { c.serviceQueueWorker(logger) }, c.workerLoopPeriod, ctx.Done())
+		wg.Go(func() {
+			wait.Until(func() { c.serviceQueueWorker(logger) }, c.workerLoopPeriod, ctx.Done())
+		})
+		wg.Go(func() {
+			wait.Until(func() { c.podQueueWorker(logger) }, c.workerLoopPeriod, ctx.Done())
+		})
 	}
-	logger.V(2).Info("Starting topology queue worker threads", "total", 1)
-	go wait.Until(func() { c.topologyQueueWorker(logger) }, c.workerLoopPeriod, ctx.Done())
 
+	logger.V(2).Info("Starting topology queue worker threads", "total", 1)
+	wg.Go(func() {
+		wait.Until(func() { c.topologyQueueWorker(logger) }, c.workerLoopPeriod, ctx.Done())
+	})
 	<-ctx.Done()
 }
 
@@ -436,6 +453,59 @@ func (c *Controller) syncService(logger klog.Logger, key string) error {
 	return nil
 }
 
+func (c *Controller) podQueueWorker(logger klog.Logger) {
+	for c.processNextPodWorkItem(logger) {
+	}
+}
+
+func (c *Controller) processNextPodWorkItem(logger klog.Logger) bool {
+	cKey, quit := c.podQueue.Get()
+	if quit {
+		return false
+	}
+	defer c.podQueue.Done(cKey)
+
+	err := c.syncPod(logger, cKey)
+	c.handlePodErr(logger, err, cKey)
+
+	return true
+}
+
+func (c *Controller) handlePodErr(logger klog.Logger, err error, key *endpointsliceutil.PodProjectionKey) {
+	if err == nil {
+		c.podQueue.Forget(key)
+		return
+	}
+
+	if c.podQueue.NumRequeues(key) < maxRetries {
+		logger.V(2).Info("Error syncing pod, retrying", "PodProjectionKey", *key)
+		c.podQueue.AddRateLimited(key)
+		return
+	}
+
+	logger.Info("Dropping pod out of the queue", "PodProjectionKey", *key)
+	c.podQueue.Forget(key)
+	utilruntime.HandleError(err)
+}
+
+func (c *Controller) syncPod(logger klog.Logger, key *endpointsliceutil.PodProjectionKey) error {
+	startTime := time.Now()
+	defer func() {
+		logger.V(4).Info("Finished syncing pod", "PodProjectionKey", *key, "elapsedTime", time.Since(startTime))
+	}()
+
+	servicesToUpdate, err := endpointsliceutil.GetServicesToUpdate(c.serviceLister, key)
+	if err != nil {
+		return err
+	}
+
+	for service := range servicesToUpdate {
+		c.serviceQueue.AddAfter(service, c.endpointUpdatesBatchPeriod)
+	}
+
+	return nil
+}
+
 // onServiceUpdate updates the Service Selector in the cache and queues the Service for processing.
 func (c *Controller) onServiceUpdate(obj interface{}) {
 	key, err := controller.KeyFunc(obj)
@@ -458,6 +528,14 @@ func (c *Controller) onServiceDelete(obj interface{}) {
 	c.serviceQueue.Add(key)
 }
 
+// onPodUpdate enqueues the pod's projection key on Add/Update/Delete events, to find matching services later.
+func (c *Controller) onPodUpdate(old, cur interface{}) {
+	key := endpointsliceutil.GetPodUpdateProjectionKey(old, cur)
+	if key != nil {
+		c.podQueue.Add(key)
+	}
+}
+
 // onEndpointSliceAdd queues a sync for the relevant Service for a sync if the
 // EndpointSlice resource version does not match the expected version in the
 // endpointSliceTracker.
@@ -531,34 +609,6 @@ func (c *Controller) queueServiceForEndpointSlice(endpointSlice *discovery.Endpo
 	c.serviceQueue.AddAfter(key, delay)
 }
 
-func (c *Controller) addPod(obj interface{}) {
-	pod := obj.(*v1.Pod)
-	services, err := endpointsliceutil.GetPodServiceMemberships(c.serviceLister, pod)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("Unable to get pod %s/%s's service memberships: %v", pod.Namespace, pod.Name, err))
-		return
-	}
-	for key := range services {
-		c.serviceQueue.AddAfter(key, c.endpointUpdatesBatchPeriod)
-	}
-}
-
-func (c *Controller) updatePod(old, cur interface{}) {
-	services := endpointsliceutil.GetServicesToUpdateOnPodChange(c.serviceLister, old, cur)
-	for key := range services {
-		c.serviceQueue.AddAfter(key, c.endpointUpdatesBatchPeriod)
-	}
-}
-
-// When a pod is deleted, enqueue the services the pod used to be a member of
-// obj could be an *v1.Pod, or a DeletionFinalStateUnknown marker item.
-func (c *Controller) deletePod(obj interface{}) {
-	pod := endpointsliceutil.GetPodFromDeleteAction(obj)
-	if pod != nil {
-		c.addPod(pod)
-	}
-}
-
 func (c *Controller) addNode() {
 	c.topologyQueue.Add(topologyQueueItemKey)
 }
diff --git a/pkg/controller/endpointslice/endpointslice_controller_test.go b/pkg/controller/endpointslice/endpointslice_controller_test.go
index 96ca3a38c17a9..de24c1eedf93d 100644
--- a/pkg/controller/endpointslice/endpointslice_controller_test.go
+++ b/pkg/controller/endpointslice/endpointslice_controller_test.go
@@ -1410,7 +1410,7 @@ func TestPodAddsBatching(t *testing.T) {
 
 				p := newPod(i, ns, true, 0, false)
 				esController.podStore.Add(p)
-				esController.addPod(p)
+				esController.onPodUpdate(nil, p)
 			}
 
 			time.Sleep(tc.finalDelay)
@@ -1559,7 +1559,7 @@ func TestPodUpdatesBatching(t *testing.T) {
 				resourceVersion++
 
 				esController.podStore.Update(newPod)
-				esController.updatePod(oldPod, newPod)
+				esController.onPodUpdate(oldPod, newPod)
 			}
 
 			time.Sleep(tc.finalDelay)
@@ -1687,7 +1687,7 @@ func TestPodDeleteBatching(t *testing.T) {
 				require.NoError(t, err, "error while retrieving old value of %q: %v", update.podName, err)
 				assert.True(t, exists, "pod should exist")
 				esController.podStore.Delete(old)
-				esController.deletePod(old)
+				esController.onPodUpdate(old, nil)
 			}
 
 			time.Sleep(tc.finalDelay)
diff --git a/pkg/controller/endpointslicemirroring/endpointslicemirroring_controller.go b/pkg/controller/endpointslicemirroring/endpointslicemirroring_controller.go
index 7262dc1015eed..9f943e6719f28 100644
--- a/pkg/controller/endpointslicemirroring/endpointslicemirroring_controller.go
+++ b/pkg/controller/endpointslicemirroring/endpointslicemirroring_controller.go
@@ -19,6 +19,7 @@ package endpointslicemirroring
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -221,21 +222,27 @@ func (c *Controller) Run(ctx context.Context, workers int) {
 	c.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: c.client.CoreV1().Events("")})
 	defer c.eventBroadcaster.Shutdown()
 
-	defer c.queue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting EndpointSliceMirroring controller")
-	defer logger.Info("Shutting down EndpointSliceMirroring controller")
 
-	if !cache.WaitForNamedCacheSync("endpoint_slice_mirroring", ctx.Done(), c.endpointsSynced, c.endpointSlicesSynced, c.servicesSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down EndpointSliceMirroring controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.endpointsSynced, c.endpointSlicesSynced, c.servicesSynced) {
 		return
 	}
 
 	logger.V(2).Info("Starting worker threads", "total", workers)
+
 	for i := 0; i < workers; i++ {
-		go wait.Until(func() { c.worker(logger) }, c.workerLoopPeriod, ctx.Done())
+		wg.Go(func() {
+			wait.Until(func() { c.worker(logger) }, c.workerLoopPeriod, ctx.Done())
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/garbagecollector/OWNERS b/pkg/controller/garbagecollector/OWNERS
index 34fb0de529694..488b8c7c18421 100644
--- a/pkg/controller/garbagecollector/OWNERS
+++ b/pkg/controller/garbagecollector/OWNERS
@@ -1,13 +1,11 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
 approvers:
-  - caesarxuchao
-  - deads2k
+  - sig-api-machinery-approvers
 reviewers:
-  - caesarxuchao
-  - deads2k
-  - jpbetz
+  - sig-api-machinery-reviewers
 labels:
   - sig/api-machinery
 emeritus_approvers:
+  - caesarxuchao
   - lavalamp
diff --git a/pkg/controller/garbagecollector/garbagecollector.go b/pkg/controller/garbagecollector/garbagecollector.go
index a829714b4b9b5..bea3f2c66f5b0 100644
--- a/pkg/controller/garbagecollector/garbagecollector.go
+++ b/pkg/controller/garbagecollector/garbagecollector.go
@@ -131,9 +131,6 @@ func (gc *GarbageCollector) resyncMonitors(logger klog.Logger, deletableResource
 // Run starts garbage collector workers.
 func (gc *GarbageCollector) Run(ctx context.Context, workers int, initialSyncTimeout time.Duration) {
 	defer utilruntime.HandleCrash()
-	defer gc.attemptToDelete.ShutDown()
-	defer gc.attemptToOrphan.ShutDown()
-	defer gc.dependencyGraphBuilder.graphChanges.ShutDown()
 
 	// Start events processing pipeline.
 	gc.eventBroadcaster.StartStructuredLogging(3)
@@ -142,11 +139,26 @@ func (gc *GarbageCollector) Run(ctx context.Context, workers int, initialSyncTim
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting controller", "controller", "garbagecollector")
-	defer logger.Info("Shutting down controller", "controller", "garbagecollector")
 
-	go gc.dependencyGraphBuilder.Run(ctx)
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down controller", "controller", "garbagecollector")
+		gc.dependencyGraphBuilder.graphChanges.ShutDown()
+		gc.attemptToOrphan.ShutDown()
+		gc.attemptToDelete.ShutDown()
+		wg.Wait()
+	}()
+
+	// Start dependency graph builder.
+	wg.Go(func() {
+		gc.dependencyGraphBuilder.Run(ctx)
+	})
+
+	// Create a new context that is cancelled after the initialSyncTimeout.
+	syncCtx, cancel := context.WithTimeout(ctx, initialSyncTimeout)
+	defer cancel()
 
-	if !cache.WaitForNamedCacheSync("garbage collector", waitForStopOrTimeout(ctx.Done(), initialSyncTimeout), func() bool {
+	if !cache.WaitForNamedCacheSyncWithContext(syncCtx, func() bool {
 		return gc.dependencyGraphBuilder.IsSynced(logger)
 	}) {
 		logger.Info("Garbage collector: not all resource monitors could be synced, proceeding anyways")
@@ -158,10 +170,13 @@ func (gc *GarbageCollector) Run(ctx context.Context, workers int, initialSyncTim
 
 	// gc workers
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, gc.runAttemptToDeleteWorker, 1*time.Second)
-		go wait.Until(func() { gc.runAttemptToOrphanWorker(logger) }, 1*time.Second, ctx.Done())
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, gc.runAttemptToDeleteWorker, 1*time.Second)
+		})
+		wg.Go(func() {
+			wait.Until(func() { gc.runAttemptToOrphanWorker(logger) }, 1*time.Second, ctx.Done())
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -227,8 +242,11 @@ func (gc *GarbageCollector) Sync(ctx context.Context, discoveryClient discovery.
 		}
 		logger.V(4).Info("resynced monitors")
 
+		syncCtx, cancel := context.WithTimeout(ctx, period)
+		defer cancel()
+
 		// gc worker no longer waits for cache to be synced, but we will keep the periodical check to provide logs & metrics
-		cacheSynced := cache.WaitForNamedCacheSync("garbage collector", waitForStopOrTimeout(ctx.Done(), period), func() bool {
+		cacheSynced := cache.WaitForNamedCacheSyncWithContext(syncCtx, func() bool {
 			return gc.dependencyGraphBuilder.IsSynced(logger)
 		})
 		if cacheSynced {
@@ -262,19 +280,6 @@ func printDiff(oldResources, newResources map[schema.GroupVersionResource]struct
 	return fmt.Sprintf("added: %v, removed: %v", added.List(), removed.List())
 }
 
-// waitForStopOrTimeout returns a stop channel that closes when the provided stop channel closes or when the specified timeout is reached
-func waitForStopOrTimeout(stopCh <-chan struct{}, timeout time.Duration) <-chan struct{} {
-	stopChWithTimeout := make(chan struct{})
-	go func() {
-		select {
-		case <-stopCh:
-		case <-time.After(timeout):
-		}
-		close(stopChWithTimeout)
-	}()
-	return stopChWithTimeout
-}
-
 // IsSynced returns true if dependencyGraphBuilder is synced.
 func (gc *GarbageCollector) IsSynced(logger klog.Logger) bool {
 	return gc.dependencyGraphBuilder.IsSynced(logger)
diff --git a/pkg/controller/garbagecollector/garbagecollector_test.go b/pkg/controller/garbagecollector/garbagecollector_test.go
index 8e6b9ac09038b..8663e6c24a868 100644
--- a/pkg/controller/garbagecollector/garbagecollector_test.go
+++ b/pkg/controller/garbagecollector/garbagecollector_test.go
@@ -818,6 +818,14 @@ func TestGetDeletableResources(t *testing.T) {
 	}
 }
 
+type wrappedKubeClientWithUnsupportedWatchListSemantics struct {
+	kubernetes.Interface
+}
+
+func (c *wrappedKubeClientWithUnsupportedWatchListSemantics) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // TestGarbageCollectorSync ensures that a discovery client error
 // or an informer sync error will not cause the garbage collector
 // to block infinitely.
@@ -889,10 +897,12 @@ func TestGarbageCollectorSync(t *testing.T) {
 	srv, clientConfig := testServerAndClientConfig(alternativeTestHandler)
 	defer srv.Close()
 	clientConfig.ContentConfig.NegotiatedSerializer = nil
-	client, err := kubernetes.NewForConfig(clientConfig)
+	kubeClient, err := kubernetes.NewForConfig(clientConfig)
 	if err != nil {
 		t.Fatal(err)
 	}
+	// TODO(#115478): migrate this test to use fakeClient instead of the real client.
+	client := &wrappedKubeClientWithUnsupportedWatchListSemantics{kubeClient}
 
 	tweakableRM := meta.NewDefaultRESTMapper(nil)
 	tweakableRM.AddSpecific(schema.GroupVersionKind{Version: "v1", Kind: "Pod"}, schema.GroupVersionResource{Version: "v1", Resource: "pods"}, schema.GroupVersionResource{Version: "v1", Resource: "pod"}, meta.RESTScopeNamespace)
@@ -906,17 +916,24 @@ func TestGarbageCollectorSync(t *testing.T) {
 
 	sharedInformers := informers.NewSharedInformerFactory(client, 0)
 
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
 	logger, tCtx := ktesting.NewTestContext(t)
 	defer tCtx.Cancel("test has completed")
+
 	alwaysStarted := make(chan struct{})
 	close(alwaysStarted)
+
 	gc, err := NewGarbageCollector(tCtx, client, metadataClient, rm, map[schema.GroupResource]struct{}{}, sharedInformers, alwaysStarted)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	syncPeriod := 200 * time.Millisecond
-	go gc.Run(tCtx, 1, syncPeriod)
+	wg.Go(func() {
+		gc.Run(tCtx, 1, syncPeriod)
+	})
 	// The pseudo-code of GarbageCollector.Sync():
 	// GarbageCollector.Sync(client, period, stopCh):
 	//    wait.Until() loops with `period` until the `stopCh` is closed :
@@ -931,7 +948,9 @@ func TestGarbageCollectorSync(t *testing.T) {
 	// The 1s sleep in the test allows GetDeletableResources and
 	// gc.resyncMonitors to run ~5 times to ensure the changes to the
 	// fakeDiscoveryClient are picked up.
-	go gc.Sync(tCtx, fakeDiscoveryClient, syncPeriod)
+	wg.Go(func() {
+		gc.Sync(tCtx, fakeDiscoveryClient, syncPeriod)
+	})
 
 	// Wait until the sync discovers the initial resources
 	time.Sleep(1 * time.Second)
diff --git a/pkg/controller/garbagecollector/graph.go b/pkg/controller/garbagecollector/graph.go
index de017b4c40ba7..77715309729e1 100644
--- a/pkg/controller/garbagecollector/graph.go
+++ b/pkg/controller/garbagecollector/graph.go
@@ -206,10 +206,17 @@ func ownerReferenceMatchesCoordinates(a, b metav1.OwnerReference) bool {
 }
 
 // String renders node as a string using fmt. Acquires a read lock to ensure the
-// reflective dump of dependents doesn't race with any concurrent writes.
+// reflective dump of fields doesn't race with any concurrent writes.
 func (n *node) String() string {
+	n.beingDeletedLock.RLock()
+	defer n.beingDeletedLock.RUnlock()
+
+	n.virtualLock.RLock()
+	defer n.virtualLock.RUnlock()
+
 	n.dependentsLock.RLock()
 	defer n.dependentsLock.RUnlock()
+
 	return fmt.Sprintf("%#v", n)
 }
 
diff --git a/pkg/controller/garbagecollector/graph_builder.go b/pkg/controller/garbagecollector/graph_builder.go
index d608b37cbc115..9b3b7fc4844a3 100644
--- a/pkg/controller/garbagecollector/graph_builder.go
+++ b/pkg/controller/garbagecollector/graph_builder.go
@@ -85,6 +85,7 @@ type GraphBuilder struct {
 	// dependencyGraphBuilder
 	monitors    monitors
 	monitorLock sync.RWMutex
+	monitorWG   sync.WaitGroup
 	// informersStarted is closed after all of the controllers have been initialized and are running.
 	// After that it is safe to start them here, before that it is not.
 	informersStarted <-chan struct{}
@@ -93,8 +94,9 @@ type GraphBuilder struct {
 	// This channel is also protected by monitorLock.
 	stopCh <-chan struct{}
 
-	// running tracks whether Run() has been called.
-	// it is protected by monitorLock.
+	// running is set to true when the Run() function has been called.
+	// It will revert to false when the Run() function receives a cancellation.
+	// It is protected by monitorLock.
 	running bool
 
 	eventRecorder    record.EventRecorder
@@ -307,13 +309,44 @@ func (gb *GraphBuilder) startMonitors(logger klog.Logger) {
 		if monitor.stopCh == nil {
 			monitor.stopCh = make(chan struct{})
 			gb.sharedInformers.Start(gb.stopCh)
-			go monitor.Run()
+			gb.monitorWG.Go(monitor.Run)
 			started++
 		}
 	}
 	logger.V(4).Info("started new monitors", "new", started, "current", len(monitors))
 }
 
+// stopMonitors terminates all running monitors.
+// stopMonitors should be called after startMonitors to do cleanup.
+//
+// This function panics unless the running flag is set to false.
+func (gb *GraphBuilder) stopMonitors(logger klog.Logger) {
+	var total, stopped int
+
+	func() {
+		gb.monitorLock.Lock()
+		defer gb.monitorLock.Unlock()
+
+		if gb.running {
+			panic("must not call stopMonitors while still marked as running")
+		}
+
+		total = len(gb.monitors)
+		for _, monitor := range gb.monitors {
+			if monitor.stopCh != nil {
+				stopped++
+				close(monitor.stopCh)
+			}
+		}
+
+		// reset monitors so that the graph builder can be safely re-run/synced.
+		gb.monitors = nil
+	}()
+
+	gb.monitorWG.Wait()
+	logger.Info("stopped monitors", "stopped", stopped, "total", total)
+}
+
 // IsResourceSynced returns true if a monitor exists for the given resource and has synced
 func (gb *GraphBuilder) IsResourceSynced(resource schema.GroupVersionResource) bool {
 	gb.monitorLock.Lock()
@@ -347,6 +380,8 @@ func (gb *GraphBuilder) IsSynced(logger klog.Logger) bool {
 // Run sets the stop channel and starts monitor execution until stopCh is
 // closed. Any running monitors will be stopped before Run returns.
 func (gb *GraphBuilder) Run(ctx context.Context) {
+	defer utilruntime.HandleCrashWithContext(ctx)
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Running", "component", "GraphBuilder")
 	defer logger.Info("Stopping", "component", "GraphBuilder")
@@ -357,26 +392,19 @@ func (gb *GraphBuilder) Run(ctx context.Context) {
 	gb.running = true
 	gb.monitorLock.Unlock()
 
-	// Start monitors and begin change processing until the stop channel is
-	// closed.
+	// Start monitors and begin change processing until the stop channel is closed.
 	gb.startMonitors(logger)
 	wait.Until(func() { gb.runProcessGraphChanges(logger) }, 1*time.Second, ctx.Done())
 
-	// Stop any running monitors.
+	// Mark as not running so that no new monitors can be started.
+	// Not doing this here could cause goroutine leaks and deadlocks since it would make it possible for startMonitors
+	// to proceed and start new monitors after stopMonitors has been called.
 	gb.monitorLock.Lock()
-	defer gb.monitorLock.Unlock()
-	monitors := gb.monitors
-	stopped := 0
-	for _, monitor := range monitors {
-		if monitor.stopCh != nil {
-			stopped++
-			close(monitor.stopCh)
-		}
-	}
+	gb.running = false
+	gb.monitorLock.Unlock()
 
-	// reset monitors so that the graph builder can be safely re-run/synced.
-	gb.monitors = nil
-	logger.Info("stopped monitors", "stopped", stopped, "total", len(monitors))
+	// Stop the currently running monitors.
+	gb.stopMonitors(logger)
 }
 
 var ignoredResources = map[schema.GroupResource]struct{}{
@@ -994,27 +1022,15 @@ type Monitor struct {
 	Controller cache.Controller
 }
 
-// GetMonitor returns a monitor for the given resource.
-// If the monitor is not synced, it will return an error and the monitor to allow the caller to decide whether to retry.
-// If the monitor is not found, it will return only an error.
-func (gb *GraphBuilder) GetMonitor(ctx context.Context, resource schema.GroupVersionResource) (*Monitor, error) {
+// GetMonitor returns a monitor for the given resource. It will return the
+// monitor and whether or not the monitor has been synced yet.
+func (gb *GraphBuilder) GetMonitor(ctx context.Context, resource schema.GroupVersionResource) (*Monitor, bool, error) {
 	gb.monitorLock.RLock()
 	defer gb.monitorLock.RUnlock()
 
-	var monitor *monitor
-	if m, ok := gb.monitors[resource]; ok {
-		monitor = m
-	} else {
-		for monitorGVR, m := range gb.monitors {
-			if monitorGVR.Group == resource.Group && monitorGVR.Resource == resource.Resource {
-				monitor = m
-				break
-			}
-		}
-	}
-
-	if monitor == nil {
-		return nil, fmt.Errorf("no monitor found for resource %s", resource.String())
+	monitor, ok := gb.monitors[resource]
+	if !ok {
+		return nil, false, fmt.Errorf("no monitor found for resource %s", resource.String())
 	}
 
 	resourceMonitor := &Monitor{
@@ -1022,18 +1038,16 @@ func (gb *GraphBuilder) GetMonitor(ctx context.Context, resource schema.GroupVer
 		Controller: monitor.controller,
 	}
 
-	if !cache.WaitForNamedCacheSync(
-		gb.Name(),
-		ctx.Done(),
+	if !cache.WaitForNamedCacheSyncWithContext(
+		ctx,
 		func() bool {
 			return monitor.controller.HasSynced()
 		},
 	) {
-		// returning monitor to allow the caller to decide whether to retry as it can be synced later
-		return resourceMonitor, fmt.Errorf("dependency graph for resource %s is not synced", resource.String())
+		return nil, false, nil
 	}
 
-	return resourceMonitor, nil
+	return resourceMonitor, true, nil
 }
 
 func (gb *GraphBuilder) Name() string {
diff --git a/pkg/controller/job/indexed_job_utils.go b/pkg/controller/job/indexed_job_utils.go
index 921c679d41df1..afc8b0ce8d73f 100644
--- a/pkg/controller/job/indexed_job_utils.go
+++ b/pkg/controller/job/indexed_job_utils.go
@@ -467,12 +467,7 @@ func addCompletionIndexEnvVariable(container *v1.Container) {
 			return
 		}
 	}
-	var fieldPath string
-	if feature.DefaultFeatureGate.Enabled(features.PodIndexLabel) {
-		fieldPath = fmt.Sprintf("metadata.labels['%s']", batch.JobCompletionIndexAnnotation)
-	} else {
-		fieldPath = fmt.Sprintf("metadata.annotations['%s']", batch.JobCompletionIndexAnnotation)
-	}
+	fieldPath := fmt.Sprintf("metadata.labels['%s']", batch.JobCompletionIndexAnnotation)
 	container.Env = append(container.Env, v1.EnvVar{
 		Name: completionIndexEnvName,
 		ValueFrom: &v1.EnvVarSource{
diff --git a/pkg/controller/job/job_controller.go b/pkg/controller/job/job_controller.go
index 4de4bdc302a59..1ace380fc1244 100644
--- a/pkg/controller/job/job_controller.go
+++ b/pkg/controller/job/job_controller.go
@@ -244,28 +244,35 @@ func newControllerWithClock(ctx context.Context, podInformer coreinformers.PodIn
 // Run the main goroutine responsible for watching and syncing jobs.
 func (jm *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	logger := klog.FromContext(ctx)
 
 	// Start events processing pipeline.
 	jm.broadcaster.StartStructuredLogging(3)
 	jm.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: jm.kubeClient.CoreV1().Events("")})
 	defer jm.broadcaster.Shutdown()
 
-	defer jm.queue.ShutDown()
-	defer jm.orphanQueue.ShutDown()
-
+	logger := klog.FromContext(ctx)
 	logger.Info("Starting job controller")
-	defer logger.Info("Shutting down job controller")
 
-	if !cache.WaitForNamedCacheSync("job", ctx.Done(), jm.podStoreSynced, jm.jobStoreSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down job controller")
+		jm.queue.ShutDown()
+		jm.orphanQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, jm.podStoreSynced, jm.jobStoreSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, jm.worker, time.Second)
-		go wait.UntilWithContext(ctx, jm.orphanWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, jm.worker, time.Second)
+		})
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, jm.orphanWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -1040,6 +1047,9 @@ func (jm *Controller) syncJob(ctx context.Context, key string) (rErr error) {
 				if isUpdated {
 					suspendCondChanged = true
 					jm.recorder.Event(&job, v1.EventTypeNormal, "Suspended", "Job suspended")
+					if feature.DefaultFeatureGate.Enabled(features.MutableSchedulingDirectivesForSuspendedJobs) {
+						job.Status.StartTime = nil
+					}
 				}
 			} else {
 				// Job not suspended.
@@ -1782,10 +1792,7 @@ func (jm *Controller) manageJob(ctx context.Context, job *batch.Job, jobCtx *syn
 					if completionIndex != unknownCompletionIndex {
 						template = podTemplate.DeepCopy()
 						addCompletionIndexAnnotation(template, completionIndex)
-
-						if feature.DefaultFeatureGate.Enabled(features.PodIndexLabel) {
-							addCompletionIndexLabel(template, completionIndex)
-						}
+						addCompletionIndexLabel(template, completionIndex)
 						template.Spec.Hostname = fmt.Sprintf("%s-%d", job.Name, completionIndex)
 						generateName = podGenerateNameWithIndex(job.Name, completionIndex)
 						if hasBackoffLimitPerIndex(job) {
diff --git a/pkg/controller/job/job_controller_test.go b/pkg/controller/job/job_controller_test.go
index b2970f94149a1..a580b80b76872 100644
--- a/pkg/controller/job/job_controller_test.go
+++ b/pkg/controller/job/job_controller_test.go
@@ -290,7 +290,6 @@ func TestControllerSyncJob(t *testing.T) {
 		expectedPodPatches     int
 
 		// features
-		podIndexLabelDisabled   bool
 		jobPodReplacementPolicy bool
 		jobSuccessPolicy        bool
 		jobManagedBy            bool
@@ -1146,17 +1145,6 @@ func TestControllerSyncJob(t *testing.T) {
 			expectedReady:           ptr.To[int32](0),
 			expectedTerminating:     ptr.To[int32](0),
 		},
-		"indexed job with podIndexLabel feature disabled": {
-			parallelism:            2,
-			completions:            5,
-			backoffLimit:           6,
-			completionMode:         batch.IndexedCompletion,
-			expectedCreations:      2,
-			expectedActive:         2,
-			expectedCreatedIndexes: sets.New(0, 1),
-			podIndexLabelDisabled:  true,
-			expectedReady:          ptr.To[int32](0),
-		},
 		"FailureTarget=False condition added manually is ignored": {
 			parallelism: 1,
 			completions: 1,
@@ -1251,20 +1239,18 @@ func TestControllerSyncJob(t *testing.T) {
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			logger, _ := ktesting.NewTestContext(t)
-			if tc.podIndexLabelDisabled {
-				// TODO: this will be removed in 1.35 when 1.31 will fall out of support matrix
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.31"))
-			} else if !tc.jobSuccessPolicy {
+			if !tc.jobSuccessPolicy {
 				// TODO: this will be removed in 1.36.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.32"))
 			} else if !tc.jobPodReplacementPolicy {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.PodIndexLabel, !tc.podIndexLabelDisabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.jobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobSuccessPolicy, tc.jobSuccessPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.jobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobPodReplacementPolicy: tc.jobPodReplacementPolicy,
+				features.JobSuccessPolicy:        tc.jobSuccessPolicy,
+				features.JobManagedBy:            tc.jobManagedBy,
+			})
 			// job manager setup
 			clientSet := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 
@@ -1352,7 +1338,7 @@ func TestControllerSyncJob(t *testing.T) {
 				t.Errorf("Unexpected number of creates.  Expected %d, saw %d\n", tc.expectedCreations, len(fakePodControl.Templates))
 			}
 			if tc.completionMode == batch.IndexedCompletion {
-				checkIndexedJobPods(t, &fakePodControl, tc.expectedCreatedIndexes, job.Name, tc.podIndexLabelDisabled)
+				checkIndexedJobPods(t, &fakePodControl, tc.expectedCreatedIndexes, job.Name)
 			} else {
 				for _, p := range fakePodControl.Templates {
 					// Fake pod control doesn't add generate name from the owner reference.
@@ -1433,14 +1419,12 @@ func TestControllerSyncJob(t *testing.T) {
 	}
 }
 
-func checkIndexedJobPods(t *testing.T, control *controller.FakePodControl, wantIndexes sets.Set[int], jobName string, podIndexLabelDisabled bool) {
+func checkIndexedJobPods(t *testing.T, control *controller.FakePodControl, wantIndexes sets.Set[int], jobName string) {
 	t.Helper()
 	gotIndexes := sets.New[int]()
 	for _, p := range control.Templates {
-		checkJobCompletionEnvVariable(t, &p.Spec, podIndexLabelDisabled)
-		if !podIndexLabelDisabled {
-			checkJobCompletionLabel(t, &p)
-		}
+		checkJobCompletionEnvVariable(t, &p.Spec)
+		checkJobCompletionLabel(t, &p)
 		ix := getCompletionIndex(p.Annotations)
 		if ix == -1 {
 			t.Errorf("Created pod %s didn't have completion index", p.Name)
@@ -2448,10 +2432,12 @@ func TestTrackJobStatusAndRemoveFinalizers(t *testing.T) {
 				// TODO: this will be removed in 1.36
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.32"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableJobBackoffLimitPerIndex)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobBackoffLimitPerIndex: tc.enableJobBackoffLimitPerIndex,
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManagedBy,
+			})
 
 			clientSet := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 			manager, _ := newControllerFromClientWithClock(ctx, t, clientSet, controller.NoResyncPeriodFunc, fakeClock)
@@ -2704,9 +2690,14 @@ func TestSyncJobPastDeadline(t *testing.T) {
 			if !tc.enableJobPodReplacementPolicy {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
+			} else if !tc.enableJobManagedBy {
+				// TODO: this will be removed in 1.38.
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobManagedBy:            tc.enableJobManagedBy,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+			})
 			// job manager setup
 			clientSet := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 			manager, sharedInformerFactory := newControllerFromClient(ctx, t, clientSet, controller.NoResyncPeriodFunc)
@@ -3034,6 +3025,8 @@ func TestSyncJobWhenManagedBy(t *testing.T) {
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
+			// TODO: this will be removed in 1.38.
+			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
 
 			clientset := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
@@ -4182,8 +4175,10 @@ func TestSyncJobWithJobPodFailurePolicy(t *testing.T) {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManagedBy,
+			})
 
 			if tc.job.Spec.PodReplacementPolicy == nil {
 				tc.job.Spec.PodReplacementPolicy = podReplacementPolicy(batch.Failed)
@@ -5194,11 +5189,16 @@ func TestSyncJobWithJobSuccessPolicy(t *testing.T) {
 			if !tc.enableBackoffLimitPerIndex || !tc.enableJobSuccessPolicy {
 				// TODO: this will be removed in 1.36
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.32"))
+			} else if !tc.enableJobManagedBy {
+				// TODO: this will be remove in 1.38
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableBackoffLimitPerIndex)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobBackoffLimitPerIndex: tc.enableBackoffLimitPerIndex,
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManagedBy,
+			})
 
 			clientSet := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 			fakeClock := clocktesting.NewFakeClock(now)
@@ -5879,10 +5879,15 @@ func TestSyncJobWithJobBackoffLimitPerIndex(t *testing.T) {
 			} else if !tc.enableJobPodReplacementPolicy {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
+			} else if !tc.enableJobManagedBy {
+				// TODO: this will be removed in 1.38.
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableJobBackoffLimitPerIndex)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobBackoffLimitPerIndex: tc.enableJobBackoffLimitPerIndex,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManagedBy,
+			})
 			clientset := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 			fakeClock := clocktesting.NewFakeClock(now)
 			manager, sharedInformerFactory := newControllerFromClientWithClock(ctx, t, clientset, controller.NoResyncPeriodFunc, fakeClock)
@@ -6673,7 +6678,7 @@ func TestWatchPods(t *testing.T) {
 	}
 	// Start only the pod watcher and the workqueue, send a watch event,
 	// and make sure it hits the sync method for the right job.
-	go sharedInformerFactory.Core().V1().Pods().Informer().Run(ctx.Done())
+	go sharedInformerFactory.Core().V1().Pods().Informer().RunWithContext(ctx)
 	go manager.Run(ctx, 1)
 
 	pods := newPodList(1, v1.PodRunning, testJob)
@@ -6699,7 +6704,7 @@ func TestWatchOrphanPods(t *testing.T) {
 	manager.jobStoreSynced = alwaysReady
 
 	podInformer := sharedInformers.Core().V1().Pods().Informer()
-	go podInformer.Run(ctx.Done())
+	go podInformer.RunWithContext(ctx)
 	cache.WaitForCacheSync(ctx.Done(), podInformer.HasSynced)
 	go manager.Run(ctx, 1)
 
@@ -6770,7 +6775,7 @@ func TestSyncOrphanPod(t *testing.T) {
 	manager.jobStoreSynced = alwaysReady
 
 	podInformer := sharedInformers.Core().V1().Pods().Informer()
-	go podInformer.Run(ctx.Done())
+	go podInformer.RunWithContext(ctx)
 	cache.WaitForCacheSync(ctx.Done(), podInformer.HasSynced)
 	go manager.Run(ctx, 1)
 
@@ -7384,9 +7389,14 @@ func TestJobBackoffForOnFailure(t *testing.T) {
 			if !tc.enableJobPodReplacementPolicy {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
+			} else if !tc.enableJobManagedBy {
+				// TODO: this will be removed in 1.38.
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManagedBy,
+			})
 			// job manager setup
 			clientset := clientset.NewForConfigOrDie(&restclient.Config{Host: "", ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}})
 			manager, sharedInformerFactory := newControllerFromClient(ctx, t, clientset, controller.NoResyncPeriodFunc)
@@ -7721,7 +7731,7 @@ func TestFinalizersRemovedExpectations(t *testing.T) {
 		t.Errorf("Different expectations for removed finalizers after syncJob (-want,+got):\n%s", diff)
 	}
 
-	go sharedInformers.Core().V1().Pods().Informer().Run(ctx.Done())
+	go sharedInformers.Core().V1().Pods().Informer().RunWithContext(ctx)
 	cache.WaitForCacheSync(ctx.Done(), podInformer.HasSynced)
 
 	// Make sure the first syncJob sets the expectations, even after the caches synced.
@@ -7865,14 +7875,9 @@ func checkJobCompletionLabel(t *testing.T, p *v1.PodTemplateSpec) {
 	}
 }
 
-func checkJobCompletionEnvVariable(t *testing.T, spec *v1.PodSpec, podIndexLabelDisabled bool) {
+func checkJobCompletionEnvVariable(t *testing.T, spec *v1.PodSpec) {
 	t.Helper()
-	var fieldPath string
-	if podIndexLabelDisabled {
-		fieldPath = fmt.Sprintf("metadata.annotations['%s']", batch.JobCompletionIndexAnnotation)
-	} else {
-		fieldPath = fmt.Sprintf("metadata.labels['%s']", batch.JobCompletionIndexAnnotation)
-	}
+	fieldPath := fmt.Sprintf("metadata.labels['%s']", batch.JobCompletionIndexAnnotation)
 	want := []v1.EnvVar{
 		{
 			Name: "JOB_COMPLETION_INDEX",
diff --git a/pkg/controller/namespace/OWNERS b/pkg/controller/namespace/OWNERS
index 3bf5f7aeacb1c..45e55d9916435 100644
--- a/pkg/controller/namespace/OWNERS
+++ b/pkg/controller/namespace/OWNERS
@@ -1,7 +1,10 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
+approvers:
+  - sig-api-machinery-approvers
 reviewers:
   - derekwaynecarr
   - smarterclayton
+  - sig-api-machinery-reviewers
 labels:
   - sig/api-machinery
diff --git a/pkg/controller/namespace/deletion/namespaced_resources_deleter.go b/pkg/controller/namespace/deletion/namespaced_resources_deleter.go
index 8d9af4a235764..f4ac1f5a612a4 100644
--- a/pkg/controller/namespace/deletion/namespaced_resources_deleter.go
+++ b/pkg/controller/namespace/deletion/namespaced_resources_deleter.go
@@ -161,7 +161,7 @@ func (d *namespacedResourcesDeleter) initOpCache(ctx context.Context) {
 	// TODO(sttts): get rid of opCache and http 405 logic around it and trust discovery info
 	resources, err := d.discoverResourcesFn()
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to get all supported resources from server: %v", err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Unable to get all supported resources from server")
 	}
 	logger := klog.FromContext(ctx)
 	if len(resources) == 0 {
@@ -555,7 +555,7 @@ func (d *namespacedResourcesDeleter) deleteAllContent(ctx context.Context, ns *v
 			logger.V(5).Info("Namespace controller - pods still remain, delaying deletion of other resources", "namespace", namespace)
 			if hasChanged := conditionUpdater.Update(ns); hasChanged {
 				if _, err = d.nsClient.UpdateStatus(ctx, ns, metav1.UpdateOptions{}); err != nil {
-					utilruntime.HandleError(fmt.Errorf("couldn't update status condition for namespace %q: %w", namespace, err))
+					utilruntime.HandleErrorWithContext(ctx, err, "Couldn't update status condition for namespace", "namespace", namespace)
 				}
 			}
 			return estimate, utilerrors.NewAggregate(errs)
@@ -595,7 +595,7 @@ func (d *namespacedResourcesDeleter) deleteAllContent(ctx context.Context, ns *v
 	// NOT remove the resource instance.
 	if hasChanged := conditionUpdater.Update(ns); hasChanged {
 		if _, err = d.nsClient.UpdateStatus(ctx, ns, metav1.UpdateOptions{}); err != nil {
-			utilruntime.HandleError(fmt.Errorf("couldn't update status condition for namespace %q: %v", namespace, err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Couldn't update status condition for namespace", "namespace", namespace)
 		}
 	}
 
diff --git a/pkg/controller/namespace/namespace_controller.go b/pkg/controller/namespace/namespace_controller.go
index 9f2c0d85e972f..51ac86a03fee2 100644
--- a/pkg/controller/namespace/namespace_controller.go
+++ b/pkg/controller/namespace/namespace_controller.go
@@ -18,7 +18,7 @@ package namespace
 
 import (
 	"context"
-	"fmt"
+	"sync"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -88,11 +88,11 @@ func NewNamespaceController(
 		cache.ResourceEventHandlerFuncs{
 			AddFunc: func(obj interface{}) {
 				namespace := obj.(*v1.Namespace)
-				namespaceController.enqueueNamespace(namespace)
+				namespaceController.enqueueNamespace(ctx, namespace)
 			},
 			UpdateFunc: func(oldObj, newObj interface{}) {
 				namespace := newObj.(*v1.Namespace)
-				namespaceController.enqueueNamespace(namespace)
+				namespaceController.enqueueNamespace(ctx, namespace)
 			},
 		},
 		resyncPeriod,
@@ -117,10 +117,10 @@ func nsControllerRateLimiter() workqueue.TypedRateLimiter[string] {
 
 // enqueueNamespace adds an object to the controller work queue
 // obj could be an *v1.Namespace, or a DeletionFinalStateUnknown item.
-func (nm *NamespaceController) enqueueNamespace(obj interface{}) {
+func (nm *NamespaceController) enqueueNamespace(ctx context.Context, obj interface{}) {
 	key, err := controller.KeyFunc(obj)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("Couldn't get key for object %+v: %v", obj, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Couldn't get key for object", "object", obj)
 		return
 	}
 
@@ -161,7 +161,7 @@ func (nm *NamespaceController) worker(ctx context.Context) {
 		} else {
 			// rather than wait for a full resync, re-add the namespace to the queue to be processed
 			nm.queue.AddRateLimited(key)
-			utilruntime.HandleError(fmt.Errorf("deletion of namespace %v failed: %v", key, err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Deletion of namespace failed", "namespace", key)
 		}
 		return false
 	}
@@ -188,7 +188,7 @@ func (nm *NamespaceController) syncNamespaceFromKey(ctx context.Context, key str
 		return nil
 	}
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("Unable to retrieve namespace %v from store: %v", key, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Unable to retrieve namespace from store", "namespace", key)
 		return err
 	}
 	return nm.namespacedResourcesDeleter.Delete(ctx, namespace.Name)
@@ -196,19 +196,28 @@ func (nm *NamespaceController) syncNamespaceFromKey(ctx context.Context, key str
 
 // Run starts observing the system with the specified number of workers.
 func (nm *NamespaceController) Run(ctx context.Context, workers int) {
-	defer utilruntime.HandleCrash()
-	defer nm.queue.ShutDown()
+	defer utilruntime.HandleCrashWithContext(ctx)
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting namespace controller")
-	defer logger.Info("Shutting down namespace controller")
 
-	if !cache.WaitForNamedCacheSync("namespace", ctx.Done(), nm.listerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down namespace controller")
+		nm.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, nm.listerSynced) {
 		return
 	}
 
 	logger.V(5).Info("Starting workers of namespace controller")
+
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, nm.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, nm.worker, time.Second)
+		})
 	}
 	<-ctx.Done()
 }
diff --git a/pkg/controller/nodeipam/ipam/range_allocator.go b/pkg/controller/nodeipam/ipam/range_allocator.go
index 50df3de49ce41..30daaee0ba1b5 100644
--- a/pkg/controller/nodeipam/ipam/range_allocator.go
+++ b/pkg/controller/nodeipam/ipam/range_allocator.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -149,18 +150,17 @@ func NewCIDRRangeAllocator(ctx context.Context, client clientset.Interface, node
 			if !ok {
 				tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 				if !ok {
-					utilruntime.HandleError(fmt.Errorf("unexpected object type: %v", obj))
+					utilruntime.HandleErrorWithContext(ctx, nil, "Could not get object from tombstone", "obj", obj)
 					return
 				}
 				node, ok = tombstone.Obj.(*v1.Node)
 				if !ok {
-					utilruntime.HandleError(fmt.Errorf("unexpected object types: %v", obj))
+					utilruntime.HandleErrorWithContext(ctx, nil, "Tombstone contained object that is not a node", "type", fmt.Sprintf("%T", obj))
 					return
 				}
 			}
 			if err := ra.ReleaseCIDR(logger, node); err != nil {
-				utilruntime.HandleError(fmt.Errorf("error while processing CIDR Release: %w", err))
-
+				utilruntime.HandleErrorWithContext(ctx, err, "Error while processing CIDR Release")
 			}
 		},
 	})
@@ -169,7 +169,7 @@ func NewCIDRRangeAllocator(ctx context.Context, client clientset.Interface, node
 }
 
 func (r *rangeAllocator) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	// Start event processing pipeline.
 	r.broadcaster.StartStructuredLogging(3)
@@ -178,19 +178,24 @@ func (r *rangeAllocator) Run(ctx context.Context) {
 	r.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: r.client.CoreV1().Events("")})
 	defer r.broadcaster.Shutdown()
 
-	defer r.queue.ShutDown()
-
 	logger.Info("Starting range CIDR allocator")
-	defer logger.Info("Shutting down range CIDR allocator")
 
-	if !cache.WaitForNamedCacheSync("cidrallocator", ctx.Done(), r.nodesSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down range CIDR allocator")
+		r.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, r.nodesSynced) {
 		return
 	}
 
 	for i := 0; i < cidrUpdateWorkers; i++ {
-		go wait.UntilWithContext(ctx, r.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, r.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -231,7 +236,7 @@ func (r *rangeAllocator) processNextNodeWorkItem(ctx context.Context) bool {
 			// Forget here else we'd go into a loop of attempting to
 			// process a work item that is invalid.
 			r.queue.Forget(obj)
-			utilruntime.HandleError(fmt.Errorf("expected string in workNodeQueue but got %#v", obj))
+			utilruntime.HandleErrorWithContext(ctx, nil, "Expected string but got unexpected type in work node queue", "type", fmt.Sprintf("%T", obj))
 			return nil
 		}
 		// Run the syncHandler, passing it the namespace/name string of the
@@ -249,7 +254,7 @@ func (r *rangeAllocator) processNextNodeWorkItem(ctx context.Context) bool {
 	}(klog.FromContext(ctx), obj)
 
 	if err != nil {
-		utilruntime.HandleError(err)
+		utilruntime.HandleErrorWithContext(ctx, err, "Error processing node work item")
 		return true
 	}
 
diff --git a/pkg/controller/nodeipam/node_ipam_controller.go b/pkg/controller/nodeipam/node_ipam_controller.go
index 27b079839d041..109921fb44663 100644
--- a/pkg/controller/nodeipam/node_ipam_controller.go
+++ b/pkg/controller/nodeipam/node_ipam_controller.go
@@ -19,6 +19,8 @@ package nodeipam
 import (
 	"context"
 	"fmt"
+	"net"
+
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
@@ -30,7 +32,6 @@ import (
 	controllersmetrics "k8s.io/component-base/metrics/prometheus/controllers"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller/nodeipam/ipam"
-	"net"
 )
 
 // ipamController is an interface abstracting an interface for
@@ -132,7 +133,7 @@ func NewNodeIpamController(
 
 // Run starts an asynchronous loop that monitors the status of cluster nodes.
 func (nc *Controller) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	// Start event processing pipeline.
 	nc.eventBroadcaster.StartStructuredLogging(3)
@@ -141,17 +142,15 @@ func (nc *Controller) Run(ctx context.Context) {
 	klog.FromContext(ctx).Info("Starting ipam controller")
 	defer klog.FromContext(ctx).Info("Shutting down ipam controller")
 
-	if !cache.WaitForNamedCacheSync("node", ctx.Done(), nc.nodeInformerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, nc.nodeInformerSynced) {
 		return
 	}
 
 	if nc.allocatorType == ipam.IPAMFromClusterAllocatorType || nc.allocatorType == ipam.IPAMFromCloudAllocatorType {
-		go nc.legacyIPAM.Run(ctx)
+		nc.legacyIPAM.Run(ctx)
 	} else {
-		go nc.cidrAllocator.Run(ctx)
+		nc.cidrAllocator.Run(ctx)
 	}
-
-	<-ctx.Done()
 }
 
 // RunWithMetrics is a wrapper for Run that also tracks starting and stopping of the nodeipam controller with additional metric
diff --git a/pkg/controller/nodelifecycle/node_lifecycle_controller.go b/pkg/controller/nodelifecycle/node_lifecycle_controller.go
index 3aff066e83262..f92e7c0a0c941 100644
--- a/pkg/controller/nodelifecycle/node_lifecycle_controller.go
+++ b/pkg/controller/nodelifecycle/node_lifecycle_controller.go
@@ -445,7 +445,7 @@ func NewNodeLifecycleController(
 
 // Run starts an asynchronous loop that monitors the status of cluster nodes.
 func (nc *Controller) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	// Start events processing pipeline.
 	nc.broadcaster.StartStructuredLogging(3)
@@ -457,20 +457,26 @@ func (nc *Controller) Run(ctx context.Context) {
 		})
 	defer nc.broadcaster.Shutdown()
 
-	// Close node update queue to cleanup go routine.
-	defer nc.nodeUpdateQueue.ShutDown()
-	defer nc.podUpdateQueue.ShutDown()
-
 	logger.Info("Starting node controller")
-	defer logger.Info("Shutting down node controller")
 
-	if !cache.WaitForNamedCacheSync("taint", ctx.Done(), nc.leaseInformerSynced, nc.nodeInformerSynced, nc.podInformerSynced, nc.daemonSetInformerSynced) {
+	// Close node update queue to cleanup go routine.
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down node controller")
+		nc.nodeUpdateQueue.ShutDown()
+		nc.podUpdateQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, nc.leaseInformerSynced, nc.nodeInformerSynced, nc.podInformerSynced, nc.daemonSetInformerSynced) {
 		return
 	}
 
 	if !utilfeature.DefaultFeatureGate.Enabled(features.SeparateTaintEvictionController) {
 		logger.Info("Starting", "controller", taintEvictionController)
-		go nc.taintManager.Run(ctx)
+		wg.Go(func() {
+			nc.taintManager.Run(ctx)
+		})
 	}
 
 	// Start workers to reconcile labels and/or update NoSchedule taint for nodes.
@@ -479,24 +485,31 @@ func (nc *Controller) Run(ctx context.Context) {
 		// the item is flagged when got from queue: if new event come, the new item will
 		// be re-queued until "Done", so no more than one worker handle the same item and
 		// no event missed.
-		go wait.UntilWithContext(ctx, nc.doNodeProcessingPassWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, nc.doNodeProcessingPassWorker, time.Second)
+		})
 	}
 
 	for i := 0; i < podUpdateWorkerSize; i++ {
-		go wait.UntilWithContext(ctx, nc.doPodProcessingWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, nc.doPodProcessingWorker, time.Second)
+		})
 	}
 
 	// Handling taint based evictions. Because we don't want a dedicated logic in TaintManager for NC-originated
 	// taints and we normally don't rate limit evictions caused by taints, we need to rate limit adding taints.
-	go wait.UntilWithContext(ctx, nc.doNoExecuteTaintingPass, scheduler.NodeEvictionPeriod)
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, nc.doNoExecuteTaintingPass, scheduler.NodeEvictionPeriod)
+	})
 
 	// Incorporate the results of node health signal pushed from kubelet to master.
-	go wait.UntilWithContext(ctx, func(ctx context.Context) {
-		if err := nc.monitorNodeHealth(ctx); err != nil {
-			logger.Error(err, "Error monitoring node health")
-		}
-	}, nc.nodeMonitorPeriod)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, func(ctx context.Context) {
+			if err := nc.monitorNodeHealth(ctx); err != nil {
+				logger.Error(err, "Error monitoring node health")
+			}
+		}, nc.nodeMonitorPeriod)
+	})
 	<-ctx.Done()
 }
 
@@ -725,7 +738,7 @@ func (nc *Controller) monitorNodeHealth(ctx context.Context) error {
 		if currentReadyCondition != nil {
 			pods, err := nc.getPodsAssignedToNode(node.Name)
 			if err != nil {
-				utilruntime.HandleError(fmt.Errorf("unable to list pods of node %v: %v", node.Name, err))
+				utilruntime.HandleErrorWithContext(ctx, err, "Unable to list pods of node", node.Name)
 				if currentReadyCondition.Status != v1.ConditionTrue && observedReadyCondition.Status == v1.ConditionTrue {
 					// If error happened during node status transition (Ready -> NotReady)
 					// we need to mark node for retry to force MarkPodsNotReady execution
@@ -744,7 +757,7 @@ func (nc *Controller) monitorNodeHealth(ctx context.Context) error {
 				fallthrough
 			case needsRetry && observedReadyCondition.Status != v1.ConditionTrue:
 				if err = controllerutil.MarkPodsNotReady(ctx, nc.kubeClient, nc.recorder, pods, node.Name); err != nil {
-					utilruntime.HandleError(fmt.Errorf("unable to mark all pods NotReady on node %v: %v; queuing for retry", node.Name, err))
+					utilruntime.HandleErrorWithContext(ctx, err, "Unable to mark all pods NotReady on node; queuing for retry", "node", node.Name)
 					nc.nodesToRetry.Store(node.Name, struct{}{})
 					return
 				}
@@ -1259,7 +1272,8 @@ func (nc *Controller) markNodeAsReachable(ctx context.Context, node *v1.Node) (b
 	return nc.zoneNoExecuteTainter[nodetopology.GetZoneKey(node)].Remove(node.Name), nil
 }
 
-// ComputeZoneState returns a slice of NodeReadyConditions for all Nodes in a given zone.
+// ComputeZoneState computes the state of a zone based on node ready conditions.
+// It returns the number of not-ready nodes and the zone state.
 // The zone is considered:
 // - fullyDisrupted if there're no Ready Nodes,
 // - partiallyDisrupted if at least than nc.unhealthyZoneThreshold percent of Nodes are not Ready,
diff --git a/pkg/controller/podautoscaler/horizontal.go b/pkg/controller/podautoscaler/horizontal.go
index 8e4aac1a433ab..def3366018347 100644
--- a/pkg/controller/podautoscaler/horizontal.go
+++ b/pkg/controller/podautoscaler/horizontal.go
@@ -199,20 +199,26 @@ func NewHorizontalController(
 // Run begins watching and syncing.
 func (a *HorizontalController) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer a.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting HPA controller")
-	defer logger.Info("Shutting down HPA controller")
 
-	if !cache.WaitForNamedCacheSync("HPA", ctx.Done(), a.hpaListerSynced, a.podListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down HPA controller")
+		a.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, a.hpaListerSynced, a.podListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, a.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, a.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -241,6 +247,8 @@ func (a *HorizontalController) enqueueHPA(obj interface{}) {
 	defer a.hpaSelectorsMux.Unlock()
 	if hpaKey := selectors.Parse(key); !a.hpaSelectors.SelectorExists(hpaKey) {
 		a.hpaSelectors.PutSelector(hpaKey, labels.Nothing())
+		// Observe HPA addition - only when it's a new HPA
+		a.monitor.ObserveHPAAddition()
 	}
 }
 
@@ -258,6 +266,8 @@ func (a *HorizontalController) deleteHPA(obj interface{}) {
 	a.hpaSelectorsMux.Lock()
 	defer a.hpaSelectorsMux.Unlock()
 	a.hpaSelectors.DeleteSelector(selectors.Parse(key))
+	// Observe HPA deletion
+	a.monitor.ObserveHPADeletion()
 }
 
 func (a *HorizontalController) worker(ctx context.Context) {
@@ -936,15 +946,22 @@ func (a *HorizontalController) reconcileAutoscaler(ctx context.Context, hpaShare
 			actionLabel = monitor.ActionLabelScaleDown
 		}
 	} else {
+		lastScaleTime := ""
+		if hpa.Status.LastScaleTime != nil {
+			lastScaleTime = hpa.Status.LastScaleTime.String()
+		}
 		logger.V(4).Info("Decided not to scale",
 			"scaleTarget", reference,
 			"desiredReplicas", desiredReplicas,
-			"lastScaleTime", hpa.Status.LastScaleTime)
+			"lastScaleTime", lastScaleTime)
 		desiredReplicas = currentReplicas
 	}
 
 	a.setStatus(hpa, currentReplicas, desiredReplicas, metricStatuses, rescale)
 
+	// Monitor the desired replicas
+	a.monitor.ObserveDesiredReplicas(hpa.Namespace, hpa.Name, desiredReplicas)
+
 	err = a.updateStatusIfNeeded(ctx, hpaStatusOriginal, hpa)
 	if err != nil {
 		// we can overwrite retErr in this case because it's an internal error.
diff --git a/pkg/controller/podautoscaler/horizontal_test.go b/pkg/controller/podautoscaler/horizontal_test.go
index 1c9070c15ba21..6e7c5ee6a42fb 100644
--- a/pkg/controller/podautoscaler/horizontal_test.go
+++ b/pkg/controller/podautoscaler/horizontal_test.go
@@ -93,7 +93,7 @@ func statusOkWithOverrides(overrides ...autoscalingv2.HorizontalPodAutoscalerCon
 	resv1 := make([]autoscalingv2.HorizontalPodAutoscalerCondition, len(resv2))
 	for i, cond := range resv2 {
 		resv1[i] = autoscalingv2.HorizontalPodAutoscalerCondition{
-			Type:   autoscalingv2.HorizontalPodAutoscalerConditionType(cond.Type),
+			Type:   cond.Type,
 			Status: cond.Status,
 			Reason: cond.Reason,
 		}
@@ -146,6 +146,7 @@ type testCase struct {
 	expectedReportedReconciliationErrorLabel      monitor.ErrorLabel
 	expectedReportedMetricComputationActionLabels map[autoscalingv2.MetricSourceType]monitor.ActionLabel
 	expectedReportedMetricComputationErrorLabels  map[autoscalingv2.MetricSourceType]monitor.ErrorLabel
+	checkDesiredReplicaMetric                     bool
 
 	// Target resource information.
 	resource *fakeResource
@@ -727,6 +728,14 @@ func (tc *testCase) verifyRecordedMetric(ctx context.Context, t *testing.T, m *m
 		}
 		assert.Equal(t, l, m.metricComputationErrorLabels[metricType][0], "the metric computation error should be recorded in monitor expectedly")
 	}
+
+	// TODO: Retrieve the namespace and HPA names from the test case (tc) to replace hardcoded values below (and check).
+	if tc.checkDesiredReplicaMetric {
+		currentValue := m.GetDesiredReplicasValue("test-namespace", "test-hpa")
+		assert.Equal(t, tc.expectedDesiredReplicas, currentValue,
+			"the desired replicas should be recorded in monitor expectedly")
+	}
+
 }
 
 func (tc *testCase) setupController(t *testing.T) (*HorizontalController, informers.SharedInformerFactory) {
@@ -816,9 +825,14 @@ func coolCPUCreationTime() metav1.Time {
 
 func (tc *testCase) runTestWithController(t *testing.T, hpaController *HorizontalController, informerFactory informers.SharedInformerFactory) {
 	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
 	informerFactory.Start(ctx.Done())
-	go hpaController.Run(ctx, 5)
+
+	var wg sync.WaitGroup
+	wg.Go(func() {
+		hpaController.Run(ctx, 5)
+	})
+	defer wg.Wait()
+	defer cancel()
 
 	tc.Lock()
 	shouldWait := tc.verifyEvents
@@ -861,12 +875,15 @@ type mockMonitor struct {
 
 	metricComputationActionLabels map[autoscalingv2.MetricSourceType][]monitor.ActionLabel
 	metricComputationErrorLabels  map[autoscalingv2.MetricSourceType][]monitor.ErrorLabel
+	metricObjectsCount            int
+	desiredReplicasValues         map[string]int32 // key is "namespace/name"
 }
 
 func newMockMonitor() *mockMonitor {
 	return &mockMonitor{
 		metricComputationActionLabels: make(map[autoscalingv2.MetricSourceType][]monitor.ActionLabel),
 		metricComputationErrorLabels:  make(map[autoscalingv2.MetricSourceType][]monitor.ErrorLabel),
+		desiredReplicasValues:         make(map[string]int32),
 	}
 }
 
@@ -899,6 +916,39 @@ func (m *mockMonitor) waitUntilRecorded(ctx context.Context, t *testing.T) {
 	}
 }
 
+func (m *mockMonitor) ObserveHPAAddition() {
+	m.Lock()
+	defer m.Unlock()
+	m.metricObjectsCount++
+}
+
+func (m *mockMonitor) ObserveHPADeletion() {
+	m.Lock()
+	defer m.Unlock()
+	m.metricObjectsCount--
+}
+
+func (m *mockMonitor) GetObjectsCount() int {
+	m.RLock()
+	defer m.RUnlock()
+	return m.metricObjectsCount
+}
+
+func (m *mockMonitor) ObserveDesiredReplicas(namespace, hpaName string, desiredReplicas int32) {
+	fmt.Printf("putting %s/%s with %v", namespace, hpaName, desiredReplicas)
+	m.Lock()
+	defer m.Unlock()
+	key := fmt.Sprintf("%s/%s", namespace, hpaName)
+	m.desiredReplicasValues[key] = desiredReplicas
+}
+
+func (m *mockMonitor) GetDesiredReplicasValue(namespace, hpaName string) int32 {
+	m.RLock()
+	defer m.RUnlock()
+	key := fmt.Sprintf("%s/%s", namespace, hpaName)
+	return m.desiredReplicasValues[key]
+}
+
 func TestScaleUp(t *testing.T) {
 	tc := testCase{
 		minReplicas:             2,
@@ -919,6 +969,7 @@ func TestScaleUp(t *testing.T) {
 		expectedReportedMetricComputationErrorLabels: map[autoscalingv2.MetricSourceType]monitor.ErrorLabel{
 			autoscalingv2.ResourceMetricSourceType: monitor.ErrorLabelNone,
 		},
+		checkDesiredReplicaMetric: true,
 	}
 	tc.runTest(t)
 }
@@ -4003,7 +4054,7 @@ func TestCalculateScaleDownLimitWithBehaviors(t *testing.T) {
 func generateScalingRules(pods, podsPeriod, percent, percentPeriod, stabilizationWindow int32) *autoscalingv2.HPAScalingRules {
 	policy := autoscalingv2.MaxChangePolicySelect
 	directionBehavior := autoscalingv2.HPAScalingRules{
-		StabilizationWindowSeconds: ptr.To(int32(stabilizationWindow)),
+		StabilizationWindowSeconds: ptr.To(stabilizationWindow),
 		SelectPolicy:               &policy,
 	}
 	if pods != 0 {
@@ -5150,6 +5201,11 @@ func TestMultipleHPAs(t *testing.T) {
 	testClient := &fake.Clientset{}
 	testScaleClient := &scalefake.FakeScaleClient{}
 	testMetricsClient := &metricsfake.Clientset{}
+	hpaWatcher := watch.NewFake()
+	podWatcher := watch.NewFake()
+
+	testClient.AddWatchReactor("horizontalpodautoscalers", core.DefaultWatchReactor(hpaWatcher, nil))
+	testClient.AddWatchReactor("pods", core.DefaultWatchReactor(podWatcher, nil))
 
 	hpaList := [hpaCount]autoscalingv2.HorizontalPodAutoscaler{}
 	scaleUpEventsMap := map[string][]timestampedScaleEvent{}
@@ -5389,6 +5445,7 @@ func TestMultipleHPAs(t *testing.T) {
 	)
 	hpaController.scaleUpEvents = scaleUpEventsMap
 	hpaController.scaleDownEvents = scaleDownEventsMap
+	hpaController.monitor = newMockMonitor()
 
 	informerFactory.Start(tCtx.Done())
 	go hpaController.Run(tCtx, 5)
@@ -5406,6 +5463,15 @@ func TestMultipleHPAs(t *testing.T) {
 	}
 
 	assert.Len(t, processedHPA, hpaCount, "Expected to process all HPAs")
+	assert.Equal(t, hpaCount, hpaController.monitor.(*mockMonitor).GetObjectsCount(), "Expected objects count to match number of HPAs")
+
+	// Simulate the watch event for deletion
+	hpaWatcher.Delete(&hpaList[0])
+
+	// Give the controller time to process the deletion and update the monitor
+	assert.Eventually(t, func() bool {
+		return hpaController.monitor.(*mockMonitor).GetObjectsCount() == hpaCount-1
+	}, 5*time.Second, 100*time.Millisecond, "Expected objects count to be hpaCount-1 after an HPA was deleted")
 }
 
 func TestHPARescaleWithSuccessfulConflictRetry(t *testing.T) {
diff --git a/pkg/controller/podautoscaler/metrics/client.go b/pkg/controller/podautoscaler/metrics/client.go
index 71f2cc616bb41..437f5337b3a99 100644
--- a/pkg/controller/podautoscaler/metrics/client.go
+++ b/pkg/controller/podautoscaler/metrics/client.go
@@ -159,10 +159,8 @@ func (c *customMetricsClient) GetRawMetric(metricName string, namespace string,
 		res[m.DescribedObject.Name] = PodMetric{
 			Timestamp: m.Timestamp.Time,
 			Window:    window,
-			Value:     int64(m.Value.MilliValue()),
+			Value:     m.Value.MilliValue(),
 		}
-
-		m.Value.MilliValue()
 	}
 
 	timestamp := metrics.Items[0].Timestamp.Time
diff --git a/pkg/controller/podautoscaler/metrics/client_test.go b/pkg/controller/podautoscaler/metrics/client_test.go
index 59fbcc804aad3..cf81d20fa92f5 100644
--- a/pkg/controller/podautoscaler/metrics/client_test.go
+++ b/pkg/controller/podautoscaler/metrics/client_test.go
@@ -241,7 +241,7 @@ func (tc *restClientTestCase) runTest(t *testing.T) {
 	isResource := len(tc.resourceName) > 0
 	isExternal := tc.metricSelector != nil
 	if isResource {
-		info, timestamp, err := metricsClient.GetResourceMetric(context.TODO(), v1.ResourceName(tc.resourceName), tc.namespace, tc.selector, tc.container)
+		info, timestamp, err := metricsClient.GetResourceMetric(context.TODO(), tc.resourceName, tc.namespace, tc.selector, tc.container)
 		tc.verifyResults(t, info, timestamp, err)
 	} else if isExternal {
 		tc.metricLabelSelector, err = metav1.LabelSelectorAsSelector(tc.metricSelector)
diff --git a/pkg/controller/podautoscaler/monitor/metrics.go b/pkg/controller/podautoscaler/monitor/metrics.go
index 01f48e02b685c..d91b11f058de5 100644
--- a/pkg/controller/podautoscaler/monitor/metrics.go
+++ b/pkg/controller/podautoscaler/monitor/metrics.go
@@ -37,7 +37,6 @@ var (
 			Help:           "Number of reconciliations of HPA controller. The label 'action' should be either 'scale_down', 'scale_up', or 'none'. Also, the label 'error' should be either 'spec', 'internal', or 'none'. Note that if both spec and internal errors happen during a reconciliation, the first one to occur is reported in `error` label.",
 			StabilityLevel: metrics.ALPHA,
 		}, []string{"action", "error"})
-
 	reconciliationsDuration = metrics.NewHistogramVec(
 		&metrics.HistogramOpts{
 			Subsystem:      hpaControllerSubsystem,
@@ -61,12 +60,29 @@ var (
 			Buckets:        metrics.ExponentialBuckets(0.001, 2, 15),
 			StabilityLevel: metrics.ALPHA,
 		}, []string{"action", "error", "metric_type"})
+	numHorizontalPodAutoscalers = metrics.NewGauge(
+		&metrics.GaugeOpts{
+			Subsystem:      hpaControllerSubsystem,
+			Name:           "num_horizontal_pod_autoscalers",
+			Help:           "Current number of controlled HPA objects.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+	desiredReplicasCount = metrics.NewGaugeVec(
+		&metrics.GaugeOpts{
+			Subsystem:      hpaControllerSubsystem,
+			Name:           "desired_replicas",
+			Help:           "Current desired replica count for HPA objects.",
+			StabilityLevel: metrics.ALPHA,
+		}, []string{"namespace", "hpa_name"})
 
 	metricsList = []metrics.Registerable{
 		reconciliationsTotal,
 		reconciliationsDuration,
 		metricComputationTotal,
 		metricComputationDuration,
+		numHorizontalPodAutoscalers,
+		desiredReplicasCount,
 	}
 )
 
diff --git a/pkg/controller/podautoscaler/monitor/monitor.go b/pkg/controller/podautoscaler/monitor/monitor.go
index 39f9fb8441bed..e5d5b75f5ace8 100644
--- a/pkg/controller/podautoscaler/monitor/monitor.go
+++ b/pkg/controller/podautoscaler/monitor/monitor.go
@@ -41,6 +41,9 @@ const (
 type Monitor interface {
 	ObserveReconciliationResult(action ActionLabel, err ErrorLabel, duration time.Duration)
 	ObserveMetricComputationResult(action ActionLabel, err ErrorLabel, duration time.Duration, metricType v2.MetricSourceType)
+	ObserveHPAAddition()
+	ObserveHPADeletion()
+	ObserveDesiredReplicas(namespace, hpaName string, desiredReplicas int32)
 }
 
 type monitor struct{}
@@ -60,3 +63,18 @@ func (r *monitor) ObserveMetricComputationResult(action ActionLabel, err ErrorLa
 	metricComputationTotal.WithLabelValues(string(action), string(err), string(metricType)).Inc()
 	metricComputationDuration.WithLabelValues(string(action), string(err), string(metricType)).Observe(duration.Seconds())
 }
+
+// ObserveHPAAddition observes the addition of an HPA object.
+func (r *monitor) ObserveHPAAddition() {
+	numHorizontalPodAutoscalers.Inc()
+}
+
+// ObserveHPADeletion observes the deletion of an HPA object.
+func (r *monitor) ObserveHPADeletion() {
+	numHorizontalPodAutoscalers.Dec()
+}
+
+// ObserveDesiredReplicas records the desired replica count for an HPA object.
+func (r *monitor) ObserveDesiredReplicas(namespace, hpaName string, desiredReplicas int32) {
+	desiredReplicasCount.WithLabelValues(namespace, hpaName).Set(float64(desiredReplicas))
+}
diff --git a/pkg/controller/podautoscaler/replica_calculator.go b/pkg/controller/podautoscaler/replica_calculator.go
index 656cf3ca51cde..00ae980d47a78 100644
--- a/pkg/controller/podautoscaler/replica_calculator.go
+++ b/pkg/controller/podautoscaler/replica_calculator.go
@@ -185,7 +185,7 @@ func (c *ReplicaCalculator) GetMetricReplicas(currentReplicas int32, targetUsage
 		return 0, 0, time.Time{}, fmt.Errorf("unable to get metric %s: %v", metricName, err)
 	}
 
-	replicaCount, usage, err = c.calcPlainMetricReplicas(metrics, currentReplicas, targetUsage, tolerances, namespace, selector, v1.ResourceName(""))
+	replicaCount, usage, err = c.calcPlainMetricReplicas(metrics, currentReplicas, targetUsage, tolerances, namespace, selector, "")
 	return replicaCount, usage, timestamp, err
 }
 
@@ -290,7 +290,14 @@ func (c *ReplicaCalculator) getUsageRatioReplicaCount(currentReplicas int32, usa
 		if err != nil {
 			return 0, time.Time{}, fmt.Errorf("unable to calculate ready pods: %s", err)
 		}
-		replicaCount = int32(math.Ceil(usageRatio * float64(readyPodCount)))
+		// Calculate replicaCount as float64 first
+		replicaCountFloat := usageRatio * float64(readyPodCount)
+		// Check if replicaCount exceeds max int32
+		if replicaCountFloat > math.MaxInt32 {
+			replicaCount = math.MaxInt32
+		} else {
+			replicaCount = int32(math.Ceil(replicaCountFloat))
+		}
 	} else {
 		// Scale to zero or n pods depending on usageRatio
 		replicaCount = int32(math.Ceil(usageRatio))
@@ -353,8 +360,14 @@ func (c *ReplicaCalculator) GetExternalMetricReplicas(currentReplicas int32, tar
 	if err != nil {
 		return 0, 0, time.Time{}, fmt.Errorf("unable to get external metric %s/%s/%+v: %s", namespace, metricName, metricSelector, err)
 	}
+
 	usage = 0
 	for _, val := range metrics {
+		// Cap at MaxInt64 for positive overflow
+		if val > 0 && usage > math.MaxInt64-val {
+			usage = math.MaxInt64
+			break
+		}
 		usage = usage + val
 	}
 
@@ -501,7 +514,6 @@ func calculatePodLevelRequests(pod *v1.Pod, resource v1.ResourceName) (int64, er
 // resource by summing requests from all containers in the pod.
 // If a container name is specified, it uses only that container.
 func calculatePodRequestsFromContainers(pod *v1.Pod, container string, resource v1.ResourceName) (int64, error) {
-	// Calculate all regular containers and restartable init containers requests.
 	containers := append([]v1.Container{}, pod.Spec.Containers...)
 	for _, c := range pod.Spec.InitContainers {
 		if c.RestartPolicy != nil && *c.RestartPolicy == v1.ContainerRestartPolicyAlways {
@@ -518,7 +530,17 @@ func calculatePodRequestsFromContainers(pod *v1.Pod, container string, resource
 			}
 			request += containerRequest.MilliValue()
 		}
+		// container names are unique inside the pod
+		if container == c.Name {
+			return request, nil
+		}
 	}
+
+	// If we're looking for a specific container and didn't find it
+	if container != "" {
+		return 0, fmt.Errorf("container %s not found in Pod %s", container, pod.Name)
+	}
+
 	return request, nil
 }
 
diff --git a/pkg/controller/podautoscaler/replica_calculator_test.go b/pkg/controller/podautoscaler/replica_calculator_test.go
index fc164f7c6ab95..2a903b5bb566f 100644
--- a/pkg/controller/podautoscaler/replica_calculator_test.go
+++ b/pkg/controller/podautoscaler/replica_calculator_test.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	metricsclient "k8s.io/kubernetes/pkg/controller/podautoscaler/metrics"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	cmapi "k8s.io/metrics/pkg/apis/custom_metrics/v1beta2"
 	emapi "k8s.io/metrics/pkg/apis/external_metrics/v1beta1"
 	metricsapi "k8s.io/metrics/pkg/apis/metrics/v1beta1"
@@ -287,7 +288,7 @@ func (tc *replicaCalcTestCase) prepareTestCMClient(t *testing.T) *cmfake.FakeCus
 				Metric: cmapi.MetricIdentifier{
 					Name: tc.metric.name,
 				},
-				Value: *resource.NewMilliQuantity(int64(tc.metric.levels[0]), resource.DecimalSI),
+				Value: *resource.NewMilliQuantity(tc.metric.levels[0], resource.DecimalSI),
 			},
 		}
 
@@ -341,6 +342,9 @@ func (tc *replicaCalcTestCase) prepareTestClient(t *testing.T) (*fake.Clientset,
 }
 
 func (tc *replicaCalcTestCase) runTest(t *testing.T) {
+	// Create the special test-aware context.
+	tCtx := ktesting.Init(t)
+
 	testClient, testMetricsClient, testCMClient, testEMClient := tc.prepareTestClient(t)
 	metricsClient := metricsclient.NewRESTMetricsClient(testMetricsClient.MetricsV1beta1(), testCMClient, testEMClient)
 
@@ -349,11 +353,15 @@ func (tc *replicaCalcTestCase) runTest(t *testing.T) {
 
 	replicaCalc := NewReplicaCalculator(metricsClient, informer.Lister(), defaultTestingCPUInitializationPeriod, defaultTestingDelayOfInitialReadinessStatus)
 
-	stop := make(chan struct{})
-	defer close(stop)
-	informerFactory.Start(stop)
-	if !cache.WaitForNamedCacheSync("HPA", stop, informer.Informer().HasSynced) {
-		return
+	// Use the test context's Done() channel to manage the informer's lifecycle.
+	informerFactory.Start(tCtx.Done())
+
+	// Create a new context specifically for the cache sync operation with a timeout.
+	syncCtx, cancel := context.WithTimeout(tCtx, 10*time.Second)
+	defer cancel()
+
+	if !cache.WaitForNamedCacheSyncWithContext(syncCtx, informer.Informer().HasSynced) {
+		tCtx.Fatal("Failed to sync informer cache within the 10s timeout")
 	}
 
 	selector, err := metav1.LabelSelectorAsSelector(&metav1.LabelSelector{
@@ -368,7 +376,7 @@ func (tc *replicaCalcTestCase) runTest(t *testing.T) {
 	}
 
 	if tc.resource != nil {
-		outReplicas, outUtilization, outRawValue, outTimestamp, err := replicaCalc.GetResourceReplicas(context.TODO(), tc.currentReplicas, tc.resource.targetUtilization, tc.resource.name, tolerances, testNamespace, selector, tc.container)
+		outReplicas, outUtilization, outRawValue, outTimestamp, err := replicaCalc.GetResourceReplicas(tCtx, tc.currentReplicas, tc.resource.targetUtilization, tc.resource.name, tolerances, testNamespace, selector, tc.container)
 
 		if tc.expectedError != nil {
 			require.Error(t, err, "there should be an error calculating the replica count")
@@ -509,6 +517,26 @@ func TestReplicaCalcScaleUpUnreadyLessScale(t *testing.T) {
 	tc.runTest(t)
 }
 
+func TestReplicaCalcScaleUpOverflow(t *testing.T) {
+	tc := replicaCalcTestCase{
+		currentReplicas:  3,
+		expectedReplicas: math.MaxInt32,
+		metric: &metricInfo{
+			name:          "qps",
+			levels:        []int64{math.MaxInt64}, // Use MaxInt64 to ensure a very large value
+			targetUsage:   1,                      // Set a very low target to force high scaling
+			metricType:    objectMetric,
+			expectedUsage: math.MaxInt64,
+			singleObject: &autoscalingv2.CrossVersionObjectReference{
+				Kind:       "Deployment",
+				APIVersion: "apps/v1",
+				Name:       "some-deployment",
+			},
+		},
+	}
+	tc.runTest(t)
+}
+
 func TestReplicaCalcScaleUpContainerHotCpuLessScale(t *testing.T) {
 	tc := replicaCalcTestCase{
 		currentReplicas:  3,
@@ -2430,3 +2458,48 @@ func TestCalculateRequests(t *testing.T) {
 		})
 	}
 }
+func TestCalculatePodRequestsFromContainers_NonExistentContainer(t *testing.T) {
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pod",
+			Namespace: testNamespace,
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name: "container1",
+					Resources: v1.ResourceRequirements{
+						Requests: v1.ResourceList{
+							v1.ResourceCPU: resource.MustParse("100m"),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	request, err := calculatePodRequestsFromContainers(pod, "non-existent-container", v1.ResourceCPU)
+
+	require.Error(t, err, "expected error for non-existent container")
+	expectedErr := "container non-existent-container not found in Pod test-pod"
+	assert.Equal(t, expectedErr, err.Error(), "error message should match expected format")
+	assert.Equal(t, int64(0), request, "request should be 0 when container does not exist")
+}
+
+func TestReplicaCalcExternalMetricUsageOverflow(t *testing.T) {
+	tc := replicaCalcTestCase{
+		currentReplicas:  3,
+		expectedReplicas: 3,
+		metric: &metricInfo{
+			name: "qps",
+			// Two values that when added together will overflow int64
+			levels:        []int64{math.MaxInt64/2 + 1, math.MaxInt64/2 + 1},
+			targetUsage:   math.MaxInt64, // Set high target
+			metricType:    externalMetric,
+			selector:      &metav1.LabelSelector{MatchLabels: map[string]string{"label": "value"}},
+			expectedUsage: math.MaxInt64, // expect capped value
+
+		},
+	}
+	tc.runTest(t)
+}
diff --git a/pkg/controller/podgc/gc_controller.go b/pkg/controller/podgc/gc_controller.go
index 305543e9192bc..d3de05039d9d2 100644
--- a/pkg/controller/podgc/gc_controller.go
+++ b/pkg/controller/podgc/gc_controller.go
@@ -92,20 +92,25 @@ func NewPodGCInternal(ctx context.Context, kubeClient clientset.Interface, podIn
 }
 
 func (gcc *PodGCController) Run(ctx context.Context) {
-	logger := klog.FromContext(ctx)
-
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
+	logger := klog.FromContext(ctx)
 	logger.Info("Starting GC controller")
-	defer gcc.nodeQueue.ShutDown()
-	defer logger.Info("Shutting down GC controller")
 
-	if !cache.WaitForNamedCacheSync("GC", ctx.Done(), gcc.podListerSynced, gcc.nodeListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down GC controller")
+		gcc.nodeQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, gcc.podListerSynced, gcc.nodeListerSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, gcc.gc, gcc.gcCheckPeriod)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, gcc.gc, gcc.gcCheckPeriod)
+	})
 	<-ctx.Done()
 }
 
@@ -177,7 +182,7 @@ func (gcc *PodGCController) gcTerminating(ctx context.Context, pods []*v1.Pod) {
 			metrics.DeletingPodsTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonTerminatingOutOfService).Inc()
 			if err := gcc.markFailedAndDeletePod(ctx, pod); err != nil {
 				// ignore not founds
-				utilruntime.HandleError(err)
+				utilruntime.HandleErrorWithContext(ctx, err, "Failed to delete terminating pod on out-of-service node", "pod", klog.KObj(pod))
 				metrics.DeletingPodsErrorTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonTerminatingOutOfService).Inc()
 			}
 		}(terminatingPods[i])
@@ -211,7 +216,7 @@ func (gcc *PodGCController) gcTerminated(ctx context.Context, pods []*v1.Pod) {
 			defer wait.Done()
 			if err := gcc.markFailedAndDeletePod(ctx, pod); err != nil {
 				// ignore not founds
-				defer utilruntime.HandleError(err)
+				defer utilruntime.HandleErrorWithContext(ctx, err, "Failed to delete terminated pod", "pod", klog.KObj(pod))
 				metrics.DeletingPodsErrorTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonTerminated).Inc()
 			}
 			metrics.DeletingPodsTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonTerminated).Inc()
@@ -253,7 +258,7 @@ func (gcc *PodGCController) gcOrphaned(ctx context.Context, pods []*v1.Pod, node
 			Message:            "PodGC: node no longer exists",
 		}
 		if err := gcc.markFailedAndDeletePodWithCondition(ctx, pod, condition); err != nil {
-			utilruntime.HandleError(err)
+			utilruntime.HandleErrorWithContext(ctx, err, "Failed to delete orphaned pod", "pod", klog.KObj(pod))
 			metrics.DeletingPodsErrorTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonOrphaned).Inc()
 		} else {
 			logger.Info("Forced deletion of orphaned Pod succeeded", "pod", klog.KObj(pod))
@@ -305,7 +310,7 @@ func (gcc *PodGCController) gcUnscheduledTerminating(ctx context.Context, pods [
 
 		logger.V(2).Info("Found unscheduled terminating Pod not assigned to any Node, deleting", "pod", klog.KObj(pod))
 		if err := gcc.markFailedAndDeletePod(ctx, pod); err != nil {
-			utilruntime.HandleError(err)
+			utilruntime.HandleErrorWithContext(ctx, err, "Failed to delete unscheduled terminating pod", "pod", klog.KObj(pod))
 			metrics.DeletingPodsErrorTotal.WithLabelValues(pod.Namespace, metrics.PodGCReasonTerminatingUnscheduled).Inc()
 		} else {
 			logger.Info("Forced deletion of unscheduled terminating Pod succeeded", "pod", klog.KObj(pod))
diff --git a/pkg/controller/replicaset/replica_set.go b/pkg/controller/replicaset/replica_set.go
index 204f4c46a6dd8..d29bdca2480ff 100644
--- a/pkg/controller/replicaset/replica_set.go
+++ b/pkg/controller/replicaset/replica_set.go
@@ -236,21 +236,26 @@ func (rsc *ReplicaSetController) Run(ctx context.Context, workers int) {
 	rsc.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: rsc.kubeClient.CoreV1().Events("")})
 	defer rsc.eventBroadcaster.Shutdown()
 
-	defer rsc.queue.ShutDown()
-
 	controllerName := strings.ToLower(rsc.Kind)
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting controller", "name", controllerName)
-	defer logger.Info("Shutting down controller", "name", controllerName)
 
-	if !cache.WaitForNamedCacheSync(rsc.Kind, ctx.Done(), rsc.podListerSynced, rsc.rsListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down controller", "name", controllerName)
+		rsc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, rsc.podListerSynced, rsc.rsListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, rsc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, rsc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/replicaset/replica_set_test.go b/pkg/controller/replicaset/replica_set_test.go
index 9637adce8dc28..d221366c2934c 100644
--- a/pkg/controller/replicaset/replica_set_test.go
+++ b/pkg/controller/replicaset/replica_set_test.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
@@ -53,6 +54,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller"
 	. "k8s.io/kubernetes/pkg/controller/testutil"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/securitycontext"
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
@@ -334,6 +336,7 @@ func TestSyncReplicaSetDormancy(t *testing.T) {
 	rsSpec.Status.Replicas = 1
 	rsSpec.Status.ReadyReplicas = 1
 	rsSpec.Status.AvailableReplicas = 1
+	rsSpec.Status.TerminatingReplicas = ptr.To[int32](0)
 	manager.syncReplicaSet(ctx, GetKey(rsSpec, t))
 	err := validateSyncReplicaSet(&fakePodControl, 1, 0, 0)
 	if err != nil {
@@ -710,7 +713,7 @@ func TestWatchPods(t *testing.T) {
 
 	// Start only the pod watcher and the workqueue, send a watch event,
 	// and make sure it hits the sync method for the right ReplicaSet.
-	go informers.Core().V1().Pods().Informer().Run(stopCh)
+	go informers.Core().V1().Pods().Informer().RunWithContext(ctx)
 	go manager.Run(ctx, 1)
 
 	pods := newPodList(nil, 1, v1.PodRunning, labelMap, testRSSpec, "pod")
@@ -1235,6 +1238,14 @@ func TestExpectationsOnRecreate(t *testing.T) {
 		t.Fatal("queue is shutting down")
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.DeploymentReplicaSetTerminatingReplicas) {
+		// DeploymentReplicaSetTerminatingReplicas feature results in the "terminatingReplicas nil->0" update, so we need to do empty sync.
+		ok = manager.processNextWorkItem(tCtx)
+		if !ok {
+			t.Fatal("queue is shutting down")
+		}
+	}
+
 	err = validateSyncReplicaSet(&fakePodControl, 1, 0, 0)
 	if err != nil {
 		t.Fatal(err)
diff --git a/pkg/controller/resourceclaim/controller.go b/pkg/controller/resourceclaim/controller.go
index 099994b29ba5f..2d7d33e0c20d8 100644
--- a/pkg/controller/resourceclaim/controller.go
+++ b/pkg/controller/resourceclaim/controller.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"slices"
 	"strings"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -223,7 +224,15 @@ func (ec *Controller) enqueuePod(logger klog.Logger, obj interface{}, deleted bo
 		return
 	}
 
-	if len(pod.Spec.ResourceClaims) == 0 {
+	// Check if pod has any resource claims to process.
+	// Extended resource claims are stored in pod.Status.ExtendedResourceClaimStatus,
+	// not in pod.Spec.ResourceClaims, so we need to check both locations.
+	hasResourceClaims := len(pod.Spec.ResourceClaims) > 0
+	// For cleanup of extended resource claims, we must consider claims present
+	// in pod status regardless of the current feature gate state. The claim may
+	// have been created when the feature was enabled and still needs cleanup.
+	hasExtendedResourceClaims := pod.Status.ExtendedResourceClaimStatus != nil
+	if !hasResourceClaims && !hasExtendedResourceClaims {
 		// Nothing to do for it at all.
 		return
 	}
@@ -257,6 +266,18 @@ func (ec *Controller) enqueuePod(logger klog.Logger, obj interface{}, deleted bo
 				logger.V(6).Info("Nothing to do for skipped claim during pod change", "pod", klog.KObj(pod), "podClaim", podClaim.Name, "reason", reason)
 			}
 		}
+
+		// Process extended resource claims for completed/deleted pods.
+		// Extended resource claims are created by the scheduler and stored in
+		// pod.Status.ExtendedResourceClaimStatus, not in pod.Spec.ResourceClaims.
+		// Without this, extended resource claims would never be cleaned up when
+		// pods complete, causing device resources to remain allocated indefinitely.
+		if hasExtendedResourceClaims {
+			claimName := pod.Status.ExtendedResourceClaimStatus.ResourceClaimName
+			key := claimKeyPrefix + pod.Namespace + "/" + claimName
+			logger.V(6).Info("Process extended resource claim", "pod", klog.KObj(pod), "claim", klog.KRef(pod.Namespace, claimName), "key", key, "reason", reason)
+			ec.queue.Add(key)
+		}
 	}
 
 	needsWork, reason := ec.podNeedsWork(pod)
@@ -390,12 +411,7 @@ func (ec *Controller) enqueueResourceClaim(logger klog.Logger, oldObj, newObj in
 }
 
 func (ec *Controller) Run(ctx context.Context, workers int) {
-	defer runtime.HandleCrash()
-	defer ec.queue.ShutDown()
-
-	logger := klog.FromContext(ctx)
-	logger.Info("Starting resource claim controller")
-	defer logger.Info("Shutting down resource claim controller")
+	defer runtime.HandleCrashWithContext(ctx)
 
 	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
 	eventBroadcaster.StartLogging(klog.Infof)
@@ -403,14 +419,25 @@ func (ec *Controller) Run(ctx context.Context, workers int) {
 	ec.recorder = eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "resource_claim"})
 	defer eventBroadcaster.Shutdown()
 
-	if !cache.WaitForNamedCacheSync("resource_claim", ctx.Done(), ec.podSynced, ec.claimsSynced, ec.templatesSynced) {
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting resource claim controller")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down resource claim controller")
+		ec.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, ec.podSynced, ec.claimsSynced, ec.templatesSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, ec.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, ec.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -432,7 +459,7 @@ func (ec *Controller) processNextWorkItem(ctx context.Context) bool {
 		return true
 	}
 
-	runtime.HandleError(fmt.Errorf("%v failed with: %v", key, err))
+	runtime.HandleErrorWithContext(ctx, err, "Work item failed", "item", key)
 	ec.queue.AddRateLimited(key)
 
 	return true
@@ -639,12 +666,11 @@ func (ec *Controller) handleClaim(ctx context.Context, pod *v1.Pod, podClaim v1.
 				GenerateName: generateName,
 				OwnerReferences: []metav1.OwnerReference{
 					{
-						APIVersion:         "v1",
-						Kind:               "Pod",
-						Name:               pod.Name,
-						UID:                pod.UID,
-						Controller:         &isTrue,
-						BlockOwnerDeletion: &isTrue,
+						APIVersion: "v1",
+						Kind:       "Pod",
+						Name:       pod.Name,
+						UID:        pod.UID,
+						Controller: &isTrue,
 					},
 				},
 				Annotations: annotations,
@@ -1010,7 +1036,7 @@ func (collector *customCollector) DescribeWithStability(ch chan<- *metrics.Desc)
 }
 
 func (collector *customCollector) CollectWithStability(ch chan<- metrics.Metric) {
-	allocateMetrics := make(map[string]map[string]int)
+	rcMetrics := make(map[resourceclaimmetrics.NumResourceClaimLabels]int)
 	rcList, err := collector.rcLister.List(labels.Everything())
 	if err != nil {
 		collector.logger.Error(err, "failed to list resource claims for metrics collection")
@@ -1023,14 +1049,22 @@ func (collector *customCollector) CollectWithStability(ch chan<- metrics.Metric)
 			allocated = "true"
 		}
 		adminAccess := collector.adminAccessFunc(rc)
-		if allocateMetrics[allocated] == nil {
-			allocateMetrics[allocated] = make(map[string]int)
-		}
-		allocateMetrics[allocated][adminAccess]++
-	}
-	for allocated, adminAccessMap := range allocateMetrics {
-		for adminAccess, count := range adminAccessMap {
-			ch <- metrics.NewLazyConstMetric(resourceclaimmetrics.NumResourceClaimsDesc, metrics.GaugeValue, float64(count), allocated, adminAccess)
+		source := ""
+		if val, ok := rc.Annotations[resourceapi.ExtendedResourceClaimAnnotation]; ok && val == "true" {
+			source = "extended_resource"
+		} else if val, ok := rc.Annotations[podResourceClaimAnnotation]; ok && val != "" {
+			source = "resource_claim_template"
 		}
+		rcMetrics[resourceclaimmetrics.NumResourceClaimLabels{Allocated: allocated, AdminAccess: adminAccess, Source: source}]++
+	}
+	for rcLabels, count := range rcMetrics {
+		ch <- metrics.NewLazyConstMetric(
+			resourceclaimmetrics.NumResourceClaimsDesc,
+			metrics.GaugeValue,
+			float64(count),
+			rcLabels.Allocated,
+			rcLabels.AdminAccess,
+			rcLabels.Source,
+		)
 	}
 }
diff --git a/pkg/controller/resourceclaim/controller_test.go b/pkg/controller/resourceclaim/controller_test.go
index bdcda37be32ef..33e207effd7c8 100644
--- a/pkg/controller/resourceclaim/controller_test.go
+++ b/pkg/controller/resourceclaim/controller_test.go
@@ -34,15 +34,18 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/diff"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	resourcelisters "k8s.io/client-go/listers/resource/v1"
 	k8stesting "k8s.io/client-go/testing"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller"
 	resourceclaimmetrics "k8s.io/kubernetes/pkg/controller/resourceclaim/metrics"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
@@ -68,12 +71,15 @@ var (
 	testClaimReservedTwice = reserveClaim(testClaimReserved, otherTestPod)
 	testClaimKey           = claimKeyPrefix + testClaim.Namespace + "/" + testClaim.Name
 
-	generatedTestClaim          = makeGeneratedClaim(podResourceClaimName, testPodName+"-"+podResourceClaimName+"-", testNamespace, className, 1, makeOwnerReference(testPodWithResource, true), nil)
-	generatedTestClaimAllocated = allocateClaim(generatedTestClaim)
-	generatedTestClaimReserved  = reserveClaim(generatedTestClaimAllocated, testPodWithResource)
+	templatedTestClaim          = makeTemplatedClaim(podResourceClaimName, testPodName+"-"+podResourceClaimName+"-", testNamespace, className, 1, makeOwnerReference(testPodWithResource, true), nil)
+	templatedTestClaimAllocated = allocateClaim(templatedTestClaim)
+	templatedTestClaimReserved  = reserveClaim(templatedTestClaimAllocated, testPodWithResource)
 
-	generatedTestClaimWithAdmin          = makeGeneratedClaim(podResourceClaimName, testPodName+"-"+podResourceClaimName+"-", testNamespace, className, 1, makeOwnerReference(testPodWithResource, true), ptr.To(true))
-	generatedTestClaimWithAdminAllocated = allocateClaim(generatedTestClaimWithAdmin)
+	templatedTestClaimWithAdmin          = makeTemplatedClaim(podResourceClaimName, testPodName+"-"+podResourceClaimName+"-", testNamespace, className, 1, makeOwnerReference(testPodWithResource, true), ptr.To(true))
+	templatedTestClaimWithAdminAllocated = allocateClaim(templatedTestClaimWithAdmin)
+
+	extendedTestClaim          = makeExtendedResourceClaim(testPodName, testNamespace, 1, makeOwnerReference(testPodWithResource, true))
+	extendedTestClaimAllocated = allocateClaim(extendedTestClaim)
 
 	conflictingClaim        = makeClaim(testPodName+"-"+podResourceClaimName, testNamespace, className, nil)
 	otherNamespaceClaim     = makeClaim(testPodName+"-"+podResourceClaimName, otherNamespace, className, nil)
@@ -85,7 +91,7 @@ var (
 		pod.Spec.NodeName = nodeName
 		pod.Status.ResourceClaimStatuses = append(pod.Status.ResourceClaimStatuses, v1.PodResourceClaimStatus{
 			Name:              pod.Spec.ResourceClaims[0].Name,
-			ResourceClaimName: &generatedTestClaim.Name,
+			ResourceClaimName: &templatedTestClaim.Name,
 		})
 		return pod
 	}()
@@ -113,10 +119,10 @@ func TestSyncHandler(t *testing.T) {
 			pods:           []*v1.Pod{testPodWithResource},
 			templates:      []*resourceapi.ResourceClaimTemplate{template},
 			key:            podKey(testPodWithResource),
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaim},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{1, 0, 0, 0},
@@ -133,10 +139,10 @@ func TestSyncHandler(t *testing.T) {
 			pods:           []*v1.Pod{testPodWithResource},
 			templates:      []*resourceapi.ResourceClaimTemplate{templateWithAdminAccess},
 			key:            podKey(testPodWithResource),
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaimWithAdmin},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaimWithAdmin},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaimWithAdmin.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaimWithAdmin.Name},
 				},
 			},
 			adminAccessEnabled: true,
@@ -147,17 +153,17 @@ func TestSyncHandler(t *testing.T) {
 			pods: []*v1.Pod{func() *v1.Pod {
 				pod := testPodWithResource.DeepCopy()
 				pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				}
 				return pod
 			}()},
 			templates:      []*resourceapi.ResourceClaimTemplate{template},
 			key:            podKey(testPodWithResource),
-			claims:         []*resourceapi.ResourceClaim{generatedTestClaim},
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaim},
+			claims:         []*resourceapi.ResourceClaim{templatedTestClaim},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{0, 0, 0, 0},
@@ -167,16 +173,16 @@ func TestSyncHandler(t *testing.T) {
 			pods: []*v1.Pod{func() *v1.Pod {
 				pod := testPodWithResource.DeepCopy()
 				pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				}
 				return pod
 			}()},
 			templates:      []*resourceapi.ResourceClaimTemplate{template},
 			key:            podKey(testPodWithResource),
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaim},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{1, 0, 0, 0},
@@ -192,11 +198,11 @@ func TestSyncHandler(t *testing.T) {
 			name:           "find-existing-claim-by-label",
 			pods:           []*v1.Pod{testPodWithResource},
 			key:            podKey(testPodWithResource),
-			claims:         []*resourceapi.ResourceClaim{generatedTestClaim},
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaim},
+			claims:         []*resourceapi.ResourceClaim{templatedTestClaim},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{0, 0, 0, 0},
@@ -205,10 +211,10 @@ func TestSyncHandler(t *testing.T) {
 			name:          "find-created-claim-in-cache",
 			pods:          []*v1.Pod{testPodWithResource},
 			key:           podKey(testPodWithResource),
-			claimsInCache: []*resourceapi.ResourceClaim{generatedTestClaim},
+			claimsInCache: []*resourceapi.ResourceClaim{templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{0, 0, 0, 0},
@@ -238,10 +244,10 @@ func TestSyncHandler(t *testing.T) {
 			templates:      []*resourceapi.ResourceClaimTemplate{template},
 			key:            podKey(testPodWithResource),
 			claims:         []*resourceapi.ResourceClaim{otherNamespaceClaim},
-			expectedClaims: []resourceapi.ResourceClaim{*otherNamespaceClaim, *generatedTestClaim},
+			expectedClaims: []resourceapi.ResourceClaim{*otherNamespaceClaim, *templatedTestClaim},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithResource.Name: {
-					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithResource.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{1, 0, 0, 0},
@@ -384,11 +390,11 @@ func TestSyncHandler(t *testing.T) {
 			pods:           []*v1.Pod{testPodWithNodeName},
 			key:            podKey(testPodWithNodeName),
 			templates:      []*resourceapi.ResourceClaimTemplate{template},
-			claims:         []*resourceapi.ResourceClaim{generatedTestClaimAllocated},
-			expectedClaims: []resourceapi.ResourceClaim{*generatedTestClaimReserved},
+			claims:         []*resourceapi.ResourceClaim{templatedTestClaimAllocated},
+			expectedClaims: []resourceapi.ResourceClaim{*templatedTestClaimReserved},
 			expectedStatuses: map[string][]v1.PodResourceClaimStatus{
 				testPodWithNodeName.Name: {
-					{Name: testPodWithNodeName.Spec.ResourceClaims[0].Name, ResourceClaimName: &generatedTestClaim.Name},
+					{Name: testPodWithNodeName.Spec.ResourceClaims[0].Name, ResourceClaimName: &templatedTestClaim.Name},
 				},
 			},
 			expectedMetrics: expectedMetrics{0, 0, 0, 0},
@@ -514,7 +520,7 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	}
 	defer stopInformers()
 
-	em := newNumMetrics(claimInformer.Lister(), 0, 0, 0, 0)
+	em := newNumMetrics(claimInformer.Lister())
 
 	expectQueue := func(tCtx ktesting.TContext, expectedKeys []string) {
 		g := gomega.NewWithT(tCtx)
@@ -552,7 +558,7 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	expectQueue(tCtx, []string{})
 
 	_, err = claimClient.Create(tCtx, testClaim, metav1.CreateOptions{})
-	em = em.withUpdates(1, 0, 0, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: ""}, 1)
 	ktesting.Step(tCtx, "create claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
@@ -569,7 +575,8 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	})
 
 	_, err = claimClient.Update(tCtx, testClaimAllocated, metav1.UpdateOptions{})
-	em = em.withUpdates(-1, 0, 1, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: ""}, -1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: ""}, 1)
 	ktesting.Step(tCtx, "allocate claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
@@ -588,7 +595,7 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	otherClaimAllocated := testClaimAllocated.DeepCopy()
 	otherClaimAllocated.Name += "2"
 	_, err = claimClient.Create(tCtx, otherClaimAllocated, metav1.CreateOptions{})
-	em = em.withUpdates(0, 0, 1, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: ""}, 1)
 	ktesting.Step(tCtx, "create allocated claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
@@ -596,7 +603,8 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	})
 
 	_, err = claimClient.Update(tCtx, testClaim, metav1.UpdateOptions{})
-	em = em.withUpdates(1, 0, -1, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: ""}, 1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: ""}, -1)
 	ktesting.Step(tCtx, "deallocate claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
@@ -604,7 +612,7 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	})
 
 	err = claimClient.Delete(tCtx, testClaim.Name, metav1.DeleteOptions{})
-	em = em.withUpdates(-1, 0, 0, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: ""}, -1)
 	ktesting.Step(tCtx, "delete deallocated claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
@@ -612,21 +620,21 @@ func TestResourceClaimEventHandler(t *testing.T) {
 	})
 
 	err = claimClient.Delete(tCtx, otherClaimAllocated.Name, metav1.DeleteOptions{})
-	em = em.withUpdates(0, 0, -1, 0)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: ""}, -1)
 	ktesting.Step(tCtx, "delete allocated claim", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 		expectQueue(tCtx, []string{})
 	})
 
-	_, err = claimClient.Create(tCtx, generatedTestClaimWithAdmin, metav1.CreateOptions{})
-	em = em.withUpdates(0, 1, 0, 0)
+	_, err = claimClient.Create(tCtx, templatedTestClaimWithAdmin, metav1.CreateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "true", Source: "resource_claim_template"}, 1)
 	ktesting.Step(tCtx, "create claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
-	modifiedClaim = generatedTestClaimWithAdmin.DeepCopy()
+	modifiedClaim = templatedTestClaimWithAdmin.DeepCopy()
 	modifiedClaim.Labels = map[string]string{"foo": "bar"}
 	_, err = claimClient.Update(tCtx, modifiedClaim, metav1.UpdateOptions{})
 	ktesting.Step(tCtx, "modify claim", func(tCtx ktesting.TContext) {
@@ -634,14 +642,15 @@ func TestResourceClaimEventHandler(t *testing.T) {
 		em.Consistently(tCtx)
 	})
 
-	_, err = claimClient.Update(tCtx, generatedTestClaimWithAdminAllocated, metav1.UpdateOptions{})
-	em = em.withUpdates(0, -1, 0, 1)
+	_, err = claimClient.Update(tCtx, templatedTestClaimWithAdminAllocated, metav1.UpdateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "true", Source: "resource_claim_template"}, -1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "true", Source: "resource_claim_template"}, 1)
 	ktesting.Step(tCtx, "allocate claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
-	modifiedClaim = generatedTestClaimWithAdminAllocated.DeepCopy()
+	modifiedClaim = templatedTestClaimWithAdminAllocated.DeepCopy()
 	modifiedClaim.Labels = map[string]string{"foo": "bar2"}
 	_, err = claimClient.Update(tCtx, modifiedClaim, metav1.UpdateOptions{})
 	ktesting.Step(tCtx, "modify claim", func(tCtx ktesting.TContext) {
@@ -649,36 +658,67 @@ func TestResourceClaimEventHandler(t *testing.T) {
 		em.Consistently(tCtx)
 	})
 
-	otherClaimAllocated = generatedTestClaimWithAdminAllocated.DeepCopy()
+	otherClaimAllocated = templatedTestClaimWithAdminAllocated.DeepCopy()
 	otherClaimAllocated.Name += "2"
 	_, err = claimClient.Create(tCtx, otherClaimAllocated, metav1.CreateOptions{})
-	em = em.withUpdates(0, 0, 0, 1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "true", Source: "resource_claim_template"}, 1)
 	ktesting.Step(tCtx, "create allocated claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
-	_, err = claimClient.Update(tCtx, generatedTestClaimWithAdmin, metav1.UpdateOptions{})
-	em = em.withUpdates(0, 1, 0, -1)
+	_, err = claimClient.Update(tCtx, templatedTestClaimWithAdmin, metav1.UpdateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "true", Source: "resource_claim_template"}, 1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "true", Source: "resource_claim_template"}, -1)
 	ktesting.Step(tCtx, "deallocate claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
-	err = claimClient.Delete(tCtx, generatedTestClaimWithAdmin.Name, metav1.DeleteOptions{})
-	em = em.withUpdates(0, -1, 0, 0)
+	err = claimClient.Delete(tCtx, templatedTestClaimWithAdmin.Name, metav1.DeleteOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "true", Source: "resource_claim_template"}, -1)
 	ktesting.Step(tCtx, "delete deallocated claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
 	err = claimClient.Delete(tCtx, otherClaimAllocated.Name, metav1.DeleteOptions{})
-	em = em.withUpdates(0, 0, 0, -1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "true", Source: "resource_claim_template"}, -1)
 	ktesting.Step(tCtx, "delete allocated claim with admin access", func(tCtx ktesting.TContext) {
 		tCtx.ExpectNoError(err)
 		em.Eventually(tCtx)
 	})
 
+	_, err = claimClient.Create(tCtx, extendedTestClaim, metav1.CreateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: "extended_resource"}, 1)
+	ktesting.Step(tCtx, "create extended resource claim", func(tCtx ktesting.TContext) {
+		tCtx.ExpectNoError(err)
+		em.Eventually(tCtx)
+	})
+
+	_, err = claimClient.Update(tCtx, extendedTestClaimAllocated, metav1.UpdateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: "extended_resource"}, -1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: "extended_resource"}, 1)
+	ktesting.Step(tCtx, "allocate extended resource claim", func(tCtx ktesting.TContext) {
+		tCtx.ExpectNoError(err)
+		em.Eventually(tCtx)
+	})
+
+	_, err = claimClient.Update(tCtx, extendedTestClaim, metav1.UpdateOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: "extended_resource"}, 1)
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "true", AdminAccess: "false", Source: "extended_resource"}, -1)
+	ktesting.Step(tCtx, "deallocate extended resource claim", func(tCtx ktesting.TContext) {
+		tCtx.ExpectNoError(err)
+		em.Eventually(tCtx)
+	})
+
+	err = claimClient.Delete(tCtx, extendedTestClaim.Name, metav1.DeleteOptions{})
+	em = em.withUpdates(resourceclaimmetrics.NumResourceClaimLabels{Allocated: "false", AdminAccess: "false", Source: "extended_resource"}, -1)
+	ktesting.Step(tCtx, "delete extended resource claim", func(tCtx ktesting.TContext) {
+		tCtx.ExpectNoError(err)
+		em.Eventually(tCtx)
+	})
+
 	em.Consistently(tCtx)
 }
 
@@ -820,7 +860,7 @@ func makeClaim(name, namespace, classname string, owner *metav1.OwnerReference)
 	return claim
 }
 
-func makeGeneratedClaim(podClaimName, generateName, namespace, classname string, createCounter int, owner *metav1.OwnerReference, adminAccess *bool) *resourceapi.ResourceClaim {
+func makeTemplatedClaim(podClaimName, generateName, namespace, classname string, createCounter int, owner *metav1.OwnerReference, adminAccess *bool) *resourceapi.ResourceClaim {
 	claim := &resourceapi.ResourceClaim{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:         fmt.Sprintf("%s-%d", generateName, createCounter),
@@ -851,6 +891,23 @@ func makeGeneratedClaim(podClaimName, generateName, namespace, classname string,
 	return claim
 }
 
+func makeExtendedResourceClaim(podName, namespace string, createCounter int, owner *metav1.OwnerReference) *resourceapi.ResourceClaim {
+	generateName := podName + "-extended-resources-"
+	claim := &resourceapi.ResourceClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:         fmt.Sprintf("%s-%d", generateName, createCounter),
+			GenerateName: generateName,
+			Namespace:    namespace,
+			Annotations:  map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"},
+		},
+	}
+	if owner != nil {
+		claim.OwnerReferences = []metav1.OwnerReference{*owner}
+	}
+
+	return claim
+}
+
 func allocateClaim(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 	claim = claim.DeepCopy()
 	claim.Status.Allocation = &resourceapi.AllocationResult{}
@@ -928,14 +985,12 @@ func claimKey(claim *resourceapi.ResourceClaim) string {
 }
 
 func makeOwnerReference(pod *v1.Pod, isController bool) *metav1.OwnerReference {
-	isTrue := true
 	return &metav1.OwnerReference{
-		APIVersion:         "v1",
-		Kind:               "Pod",
-		Name:               pod.Name,
-		UID:                pod.UID,
-		Controller:         &isController,
-		BlockOwnerDeletion: &isTrue,
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       pod.Name,
+		UID:        pod.UID,
+		Controller: &isController,
 	}
 }
 
@@ -981,11 +1036,8 @@ func createResourceClaimReactor() func(action k8stesting.Action) (handled bool,
 }
 
 type numMetrics struct {
-	notAllocated                float64
-	notAllocatedWithAdminAccess float64
-	allocated                   float64
-	allocatedWithAdminAccess    float64
-	lister                      resourcelisters.ResourceClaimLister
+	metrics map[resourceclaimmetrics.NumResourceClaimLabels]float64
+	lister  resourcelisters.ResourceClaimLister
 }
 
 func getNumMetric(lister resourcelisters.ResourceClaimLister, logger klog.Logger) (em numMetrics, err error) {
@@ -1005,6 +1057,8 @@ func getNumMetric(lister resourcelisters.ResourceClaimLister, logger klog.Logger
 
 	metricName := "resourceclaim_controller_resource_claims"
 
+	em = newNumMetrics(lister)
+
 	for _, mf := range gatheredMetrics {
 		if mf.GetName() != metricName {
 			continue
@@ -1017,18 +1071,14 @@ func getNumMetric(lister resourcelisters.ResourceClaimLister, logger klog.Logger
 
 			allocated := labels["allocated"]
 			adminAccess := labels["admin_access"]
+			source := labels["source"]
 			value := metric.GetGauge().GetValue()
 
-			switch {
-			case allocated == "false" && adminAccess == "false":
-				em.notAllocated = value
-			case allocated == "false" && adminAccess == "true":
-				em.notAllocatedWithAdminAccess = value
-			case allocated == "true" && adminAccess == "false":
-				em.allocated = value
-			case allocated == "true" && adminAccess == "true":
-				em.allocatedWithAdminAccess = value
-			}
+			em.metrics[resourceclaimmetrics.NumResourceClaimLabels{
+				Allocated:   allocated,
+				AdminAccess: adminAccess,
+				Source:      source,
+			}] = value
 		}
 	}
 
@@ -1108,22 +1158,221 @@ func setupMetrics() {
 	resourceclaimmetrics.ResourceClaimCreate.Reset()
 }
 
-func newNumMetrics(lister resourcelisters.ResourceClaimLister, notAllocated, notAllocatedWithAdmin, allocated, allocatedWithAdmin float64) numMetrics {
+func newNumMetrics(lister resourcelisters.ResourceClaimLister) numMetrics {
+	metrics := make(map[resourceclaimmetrics.NumResourceClaimLabels]float64)
+	for _, allocated := range []string{"false", "true"} {
+		for _, adminAccess := range []string{"false", "true"} {
+			for _, source := range []string{"", "extended_resource", "resource_claim_template"} {
+				metrics[resourceclaimmetrics.NumResourceClaimLabels{
+					Allocated:   allocated,
+					AdminAccess: adminAccess,
+					Source:      source,
+				}] = 0
+			}
+		}
+	}
 	return numMetrics{
-		notAllocated:                notAllocated,
-		notAllocatedWithAdminAccess: notAllocatedWithAdmin,
-		allocated:                   allocated,
-		allocatedWithAdminAccess:    allocatedWithAdmin,
-		lister:                      lister,
+		metrics: metrics,
+		lister:  lister,
 	}
 }
 
-func (em numMetrics) withUpdates(notAllocatedDelta, notAllocatedWithAdminDelta, allocatedDelta, allocatedWithAdminDelta float64) numMetrics {
+func (em numMetrics) withUpdates(rcLabels resourceclaimmetrics.NumResourceClaimLabels, n float64) numMetrics {
+	em.metrics[rcLabels] += n
 	return numMetrics{
-		notAllocated:                em.notAllocated + notAllocatedDelta,
-		notAllocatedWithAdminAccess: em.notAllocatedWithAdminAccess + notAllocatedWithAdminDelta,
-		allocated:                   em.allocated + allocatedDelta,
-		allocatedWithAdminAccess:    em.allocatedWithAdminAccess + allocatedWithAdminDelta,
-		lister:                      em.lister,
+		metrics: em.metrics,
+		lister:  em.lister,
+	}
+}
+
+func TestEnqueuePodExtendedResourceClaims(t *testing.T) {
+	tests := []struct {
+		name                        string
+		pod                         *v1.Pod
+		featureGateEnabled          bool
+		deleted                     bool
+		expectEarlyReturn           bool
+		expectExtendedClaimEnqueued bool
+	}{
+		{
+			name: "pod with no resource claims",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status:     v1.PodStatus{},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           true,
+			expectExtendedClaimEnqueued: false,
+		},
+		{
+			name: "pod with regular resource claims only",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec: v1.PodSpec{
+					ResourceClaims: []v1.PodResourceClaim{{Name: "regular-claim"}},
+				},
+				Status: v1.PodStatus{Phase: v1.PodRunning},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: false,
+		},
+		{
+			name: "pod with extended resource claim, feature enabled, running pod",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status: v1.PodStatus{
+					Phase: v1.PodRunning,
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: false,
+		},
+		{
+			name: "pod with extended resource claim, feature enabled, completed pod",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status: v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: true,
+		},
+		{
+			name: "pod with extended resource claim, feature enabled, failed pod",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status: v1.PodStatus{
+					Phase: v1.PodFailed, // Failed pod
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: true,
+		},
+		{
+			name: "pod with extended resource claim, feature disabled",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status: v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          false,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: true,
+		},
+		{
+			name: "deleted pod with extended resource claim",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec:       v1.PodSpec{},
+				Status: v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          true,
+			deleted:                     true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: true,
+		},
+		{
+			name: "pod with both regular and extended resource claims, completed",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "default"},
+				Spec: v1.PodSpec{
+					ResourceClaims: []v1.PodResourceClaim{{Name: "regular-claim"}},
+				},
+				Status: v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						ResourceClaimName: "test-extended-claim",
+					},
+				},
+			},
+			featureGateEnabled:          true,
+			expectEarlyReturn:           false,
+			expectExtendedClaimEnqueued: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, test.featureGateEnabled)
+
+			tCtx := ktesting.Init(t)
+			tCtx = ktesting.WithCancel(tCtx)
+
+			fakeKubeClient := createTestClient()
+			informerFactory := informers.NewSharedInformerFactory(fakeKubeClient, controller.NoResyncPeriodFunc())
+			podInformer := informerFactory.Core().V1().Pods()
+			claimInformer := informerFactory.Resource().V1().ResourceClaims()
+			templateInformer := informerFactory.Resource().V1().ResourceClaimTemplates()
+
+			setupMetrics()
+
+			ec, err := NewController(tCtx.Logger(), Features{}, fakeKubeClient, podInformer, claimInformer, templateInformer)
+			if err != nil {
+				t.Fatalf("error creating controller: %v", err)
+			}
+
+			ec.enqueuePod(tCtx.Logger(), test.pod, test.deleted)
+
+			var keys []string
+			for ec.queue.Len() > 0 {
+				k, _ := ec.queue.Get()
+				keys = append(keys, k)
+				ec.queue.Forget(k)
+				ec.queue.Done(k)
+			}
+
+			if test.expectEarlyReturn {
+				if len(keys) != 0 {
+					t.Errorf("expected no keys enqueued on early return, got: %v", keys)
+				}
+				return
+			}
+
+			var expectedClaimKey string
+			if test.pod.Status.ExtendedResourceClaimStatus != nil {
+				expectedClaimKey = claimKeyPrefix + test.pod.Namespace + "/" + test.pod.Status.ExtendedResourceClaimStatus.ResourceClaimName
+			}
+			found := false
+			for _, k := range keys {
+				if k == expectedClaimKey {
+					found = true
+					break
+				}
+			}
+			if test.expectExtendedClaimEnqueued && !found {
+				t.Errorf("expected extended claim key %q to be enqueued, got keys: %v", expectedClaimKey, keys)
+			}
+			if !test.expectExtendedClaimEnqueued && found {
+				t.Errorf("did not expect extended claim key %q to be enqueued, got keys: %v", expectedClaimKey, keys)
+			}
+		})
 	}
 }
diff --git a/pkg/controller/resourceclaim/metrics/metrics.go b/pkg/controller/resourceclaim/metrics/metrics.go
index f9fe6f78fa7e7..293b3f80b8371 100644
--- a/pkg/controller/resourceclaim/metrics/metrics.go
+++ b/pkg/controller/resourceclaim/metrics/metrics.go
@@ -26,6 +26,12 @@ import (
 // ResourceClaimSubsystem - subsystem name used for ResourceClaim creation
 const ResourceClaimSubsystem = "resourceclaim_controller"
 
+type NumResourceClaimLabels struct {
+	Allocated   string
+	AdminAccess string
+	Source      string
+}
+
 var (
 	// ResourceClaimCreate tracks the total number of
 	// ResourceClaims creation requests
@@ -41,10 +47,15 @@ var (
 	)
 
 	// NumResourceClaimsDesc tracks the number of ResourceClaims,
-	// categorized by their allocation status and admin access.
-	NumResourceClaimsDesc = metrics.NewDesc(ResourceClaimSubsystem+"_resource_claims",
-		"Number of ResourceClaims, categorized by allocation status and admin access",
-		[]string{"allocated", "admin_access"}, nil,
+	// categorized by their allocation status, admin access, and source.
+	// Source can be 'resource_claim_template' (created from a template),
+	// 'extended_resource' (extended resources), or empty (manually created by a user).
+	NumResourceClaimsDesc = metrics.NewDesc(
+		metrics.BuildFQName("", ResourceClaimSubsystem, "resource_claims"),
+		"Number of ResourceClaims, categorized by allocation status, admin access, and source. "+
+			"Source can be 'resource_claim_template' (created from a template), "+
+			"'extended_resource' (extended resources), or empty (manually created by a user).",
+		[]string{"allocated", "admin_access", "source"}, nil,
 		metrics.ALPHA, "")
 )
 
diff --git a/pkg/controller/resourcequota/resource_quota_controller.go b/pkg/controller/resourcequota/resource_quota_controller.go
index dcfd6c6a88ef0..e78c6ddfd40c1 100644
--- a/pkg/controller/resourcequota/resource_quota_controller.go
+++ b/pkg/controller/resourcequota/resource_quota_controller.go
@@ -172,13 +172,13 @@ func NewController(ctx context.Context, options *ControllerOptions) (*Controller
 		// do initial quota monitor setup.  If we have a discovery failure here, it's ok. We'll discover more resources when a later sync happens.
 		resources, err := GetQuotableResources(options.DiscoveryFunc)
 		if discovery.IsGroupDiscoveryFailedError(err) {
-			utilruntime.HandleError(fmt.Errorf("initial discovery check failure, continuing and counting on future sync update: %v", err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Initial discovery check failure, continuing and counting on future sync update")
 		} else if err != nil {
 			return nil, err
 		}
 
 		if err = qm.SyncMonitors(ctx, resources); err != nil {
-			utilruntime.HandleError(fmt.Errorf("initial monitor sync has error: %v", err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Initial monitor sync has error")
 		}
 
 		// only start quota once all informers synced
@@ -196,13 +196,13 @@ func (rq *Controller) enqueueAll(ctx context.Context) {
 	defer logger.V(4).Info("Resource quota controller queued all resource quota for full calculation of usage")
 	rqs, err := rq.rqLister.List(labels.Everything())
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to enqueue all - error listing resource quotas: %v", err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Unable to enqueue all - error listing resource quotas")
 		return
 	}
 	for i := range rqs {
 		key, err := controller.KeyFunc(rqs[i])
 		if err != nil {
-			utilruntime.HandleError(fmt.Errorf("couldn't get key for object %+v: %v", rqs[i], err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Couldn't get key for object", "object", klog.KObj(rqs[i]))
 			continue
 		}
 		rq.queue.Add(key)
@@ -273,7 +273,7 @@ func (rq *Controller) worker(queue workqueue.TypedRateLimitingInterface[string])
 			return false
 		}
 
-		utilruntime.HandleError(err)
+		utilruntime.HandleErrorWithContext(ctx, err, "Error processing resource quota work item")
 		queue.AddRateLimited(key)
 
 		return false
@@ -291,34 +291,48 @@ func (rq *Controller) worker(queue workqueue.TypedRateLimitingInterface[string])
 
 // Run begins quota controller using the specified number of workers
 func (rq *Controller) Run(ctx context.Context, workers int) {
-	defer utilruntime.HandleCrash()
-	defer rq.queue.ShutDown()
-	defer rq.missingUsageQueue.ShutDown()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	logger := klog.FromContext(ctx)
-
 	logger.Info("Starting resource quota controller")
-	defer logger.Info("Shutting down resource quota controller")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down resource quota controller")
+		rq.missingUsageQueue.ShutDown()
+		rq.queue.ShutDown()
+		wg.Wait()
+	}()
 
 	if rq.quotaMonitor != nil {
-		go rq.quotaMonitor.Run(ctx)
+		wg.Go(func() {
+			rq.quotaMonitor.Run(ctx)
+		})
 	}
 
-	if !cache.WaitForNamedCacheSync("resource quota", ctx.Done(), rq.informerSyncedFuncs...) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, rq.informerSyncedFuncs...) {
 		return
 	}
 
 	// the workers that chug through the quota calculation backlog
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, rq.worker(rq.queue), time.Second)
-		go wait.UntilWithContext(ctx, rq.worker(rq.missingUsageQueue), time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, rq.worker(rq.queue), time.Second)
+		})
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, rq.worker(rq.missingUsageQueue), time.Second)
+		})
 	}
+
 	// the timer for how often we do a full recalculation across all quotas
 	if rq.resyncPeriod() > 0 {
-		go wait.UntilWithContext(ctx, rq.enqueueAll, rq.resyncPeriod())
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, rq.enqueueAll, rq.resyncPeriod())
+		})
 	} else {
 		logger.Info("periodic quota controller resync disabled")
 	}
+
 	<-ctx.Done()
 }
 
@@ -411,11 +425,11 @@ func (rq *Controller) replenishQuota(ctx context.Context, groupResource schema.G
 	// check if this namespace even has a quota...
 	resourceQuotas, err := rq.rqLister.ResourceQuotas(namespace).List(labels.Everything())
 	if errors.IsNotFound(err) {
-		utilruntime.HandleError(fmt.Errorf("quota controller could not find ResourceQuota associated with namespace: %s, could take up to %v before a quota replenishes", namespace, rq.resyncPeriod()))
+		utilruntime.HandleErrorWithContext(ctx, nil, "Quota controller could not find ResourceQuota associated with namespace", "namespace", namespace, "resyncPeriod", rq.resyncPeriod())
 		return
 	}
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("error checking to see if namespace %s has any ResourceQuota associated with it: %v", namespace, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Error checking to see if namespace has any ResourceQuota associated with it", "namespace", namespace)
 		return
 	}
 	if len(resourceQuotas) == 0 {
@@ -443,7 +457,7 @@ func (rq *Controller) Sync(ctx context.Context, discoveryFunc NamespacedResource
 		// Get the current resource list from discovery.
 		newResources, err := GetQuotableResources(discoveryFunc)
 		if err != nil {
-			utilruntime.HandleError(err)
+			utilruntime.HandleErrorWithContext(ctx, err, "Error during resource discovery")
 
 			if groupLookupFailures, isLookupFailure := discovery.GroupDiscoveryFailedErrorGroups(err); isLookupFailure && len(newResources) > 0 {
 				// In partial discovery cases, preserve existing informers for resources in the failed groups, so resyncMonitors will only add informers for newly seen resources
@@ -478,7 +492,7 @@ func (rq *Controller) Sync(ctx context.Context, discoveryFunc NamespacedResource
 
 		// Perform the monitor resync and wait for controllers to report cache sync.
 		if err := rq.resyncMonitors(ctx, newResources); err != nil {
-			utilruntime.HandleError(fmt.Errorf("failed to sync resource monitors: %v", err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Failed to sync resource monitors")
 			return
 		}
 
@@ -489,14 +503,17 @@ func (rq *Controller) Sync(ctx context.Context, discoveryFunc NamespacedResource
 		// this protects us from deadlocks where available resources changed and one of our informer caches will never fill.
 		// informers keep attempting to sync in the background, so retrying doesn't interrupt them.
 		// the call to resyncMonitors on the reattempt will no-op for resources that still exist.
-		if rq.quotaMonitor != nil &&
-			!cache.WaitForNamedCacheSync(
-				"resource quota",
-				waitForStopOrTimeout(ctx.Done(), period),
+		if rq.quotaMonitor != nil {
+			syncCtx, cancel := context.WithTimeout(ctx, period)
+			defer cancel()
+
+			if !cache.WaitForNamedCacheSyncWithContext(
+				syncCtx,
 				func() bool { return rq.quotaMonitor.IsSynced(ctx) },
 			) {
-			utilruntime.HandleError(fmt.Errorf("timed out waiting for quota monitor sync"))
-			return
+				utilruntime.HandleErrorWithContext(ctx, nil, "Timed out waiting for quota monitor sync")
+				return
+			}
 		}
 
 		logger.V(2).Info("synced quota controller")
@@ -520,19 +537,6 @@ func printDiff(oldResources, newResources map[schema.GroupVersionResource]struct
 	return fmt.Sprintf("added: %v, removed: %v", added.List(), removed.List())
 }
 
-// waitForStopOrTimeout returns a stop channel that closes when the provided stop channel closes or when the specified timeout is reached
-func waitForStopOrTimeout(stopCh <-chan struct{}, timeout time.Duration) <-chan struct{} {
-	stopChWithTimeout := make(chan struct{})
-	go func() {
-		defer close(stopChWithTimeout)
-		select {
-		case <-stopCh:
-		case <-time.After(timeout):
-		}
-	}()
-	return stopChWithTimeout
-}
-
 // resyncMonitors starts or stops quota monitors as needed to ensure that all
 // (and only) those resources present in the map are monitored.
 func (rq *Controller) resyncMonitors(ctx context.Context, resources map[schema.GroupVersionResource]struct{}) error {
diff --git a/pkg/controller/resourcequota/resource_quota_controller_test.go b/pkg/controller/resourcequota/resource_quota_controller_test.go
index af02d8947405c..f58b7cdf27d02 100644
--- a/pkg/controller/resourcequota/resource_quota_controller_test.go
+++ b/pkg/controller/resourcequota/resource_quota_controller_test.go
@@ -111,7 +111,7 @@ type quotaController struct {
 
 func setupQuotaController(t *testing.T, kubeClient kubernetes.Interface, lister quota.ListerForResourceFunc, discoveryFunc NamespacedResourcesFunc) quotaController {
 	informerFactory := informers.NewSharedInformerFactory(kubeClient, controller.NoResyncPeriodFunc())
-	quotaConfiguration := install.NewQuotaConfigurationForControllers(lister)
+	quotaConfiguration := install.NewQuotaConfigurationForControllers(lister, informerFactory)
 	alwaysStarted := make(chan struct{})
 	close(alwaysStarted)
 	resourceQuotaControllerOptions := &ControllerOptions{
diff --git a/pkg/controller/resourcequota/resource_quota_monitor.go b/pkg/controller/resourcequota/resource_quota_monitor.go
index d0d0f30b97551..28aef8be53967 100644
--- a/pkg/controller/resourcequota/resource_quota_monitor.go
+++ b/pkg/controller/resourcequota/resource_quota_monitor.go
@@ -69,6 +69,7 @@ type event struct {
 type QuotaMonitor struct {
 	// each monitor list/watches a resource and determines if we should replenish quota
 	monitors    monitors
+	monitorWG   sync.WaitGroup
 	monitorLock sync.RWMutex
 	// informersStarted is closed after all the controllers have been initialized and are running.
 	// After that it is safe to start them here, before that it is not.
@@ -78,8 +79,9 @@ type QuotaMonitor struct {
 	// This channel is also protected by monitorLock.
 	stopCh <-chan struct{}
 
-	// running tracks whether Run() has been called.
-	// it is protected by monitorLock.
+	// running is set to true when the Run() function has been called.
+	// It will revert to false when the Run() function receives a cancellation.
+	// It is protected by monitorLock.
 	running bool
 
 	// monitors are the producer of the resourceChanges queue
@@ -267,7 +269,7 @@ func (qm *QuotaMonitor) StartMonitors(ctx context.Context) {
 		if monitor.stopCh == nil {
 			monitor.stopCh = make(chan struct{})
 			qm.informerFactory.Start(qm.stopCh)
-			go monitor.Run()
+			qm.monitorWG.Go(monitor.Run)
 			started++
 		}
 	}
@@ -301,12 +303,10 @@ func (qm *QuotaMonitor) IsSynced(ctx context.Context) bool {
 // Run sets the stop channel and starts monitor execution until stopCh is
 // closed. Any running monitors will be stopped before Run returns.
 func (qm *QuotaMonitor) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	logger := klog.FromContext(ctx)
-
 	logger.Info("QuotaMonitor running")
-	defer logger.Info("QuotaMonitor stopping")
 
 	// Set up the stop channel.
 	qm.monitorLock.Lock()
@@ -314,23 +314,30 @@ func (qm *QuotaMonitor) Run(ctx context.Context) {
 	qm.running = true
 	qm.monitorLock.Unlock()
 
-	// Start monitors and begin change processing until the stop channel is
-	// closed.
+	// Start monitors and begin change processing until the stop channel is closed.
 	qm.StartMonitors(ctx)
 
-	// The following workers are hanging forever until the queue is
-	// shutted down, so we need to shut it down in a separate goroutine.
-	go func() {
-		defer utilruntime.HandleCrash()
-		defer qm.resourceChanges.ShutDown()
-
-		<-ctx.Done()
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("QuotaMonitor stopping")
+		qm.resourceChanges.ShutDown()
+		wg.Wait()
 	}()
-	wait.UntilWithContext(ctx, qm.runProcessResourceChanges, 1*time.Second)
+
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, qm.runProcessResourceChanges, 1*time.Second)
+	})
+
+	// Keep running until cancelled.
+	<-ctx.Done()
 
 	// Stop any running monitors.
 	qm.monitorLock.Lock()
 	defer qm.monitorLock.Unlock()
+	// Mark as not running so that no new monitors can be started.
+	// Not doing this here could cause goroutine leaks and deadlocks since it would make it possible for startMonitors
+	// to proceed and start new monitors after stopMonitors has been called.
+	qm.running = false
 	monitors := qm.monitors
 	stopped := 0
 	for _, monitor := range monitors {
@@ -339,6 +346,8 @@ func (qm *QuotaMonitor) Run(ctx context.Context) {
 			close(monitor.stopCh)
 		}
 	}
+	qm.monitors = nil
+	qm.monitorWG.Wait()
 	logger.Info("QuotaMonitor stopped monitors", "stopped", stopped, "total", len(monitors))
 }
 
@@ -358,7 +367,7 @@ func (qm *QuotaMonitor) processResourceChanges(ctx context.Context) bool {
 	obj := event.obj
 	accessor, err := meta.Accessor(obj)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("cannot access obj: %v", err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Cannot access object")
 		return true
 	}
 	klog.FromContext(ctx).V(4).Info("QuotaMonitor process object",
diff --git a/pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go b/pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go
index 1f6bb88a850b9..801e4c1b9448a 100644
--- a/pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go
+++ b/pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go
@@ -97,19 +97,17 @@ func NewLegacySATokenCleaner(saInformer coreinformers.ServiceAccountInformer, se
 }
 
 func (tc *LegacySATokenCleaner) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting legacy service account token cleaner controller")
 	defer logger.Info("Shutting down legacy service account token cleaner controller")
 
-	if !cache.WaitForNamedCacheSync("legacy-service-account-token-cleaner", ctx.Done(), tc.saInformerSynced, tc.secretInformerSynced, tc.podInformerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.saInformerSynced, tc.secretInformerSynced, tc.podInformerSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, tc.evaluateSATokens, tc.syncInterval)
-
-	<-ctx.Done()
+	wait.UntilWithContext(ctx, tc.evaluateSATokens, tc.syncInterval)
 }
 
 func (tc *LegacySATokenCleaner) evaluateSATokens(ctx context.Context) {
diff --git a/pkg/controller/serviceaccount/serviceaccounts_controller.go b/pkg/controller/serviceaccount/serviceaccounts_controller.go
index 4395136d066dd..7aee3c3ccbb62 100644
--- a/pkg/controller/serviceaccount/serviceaccounts_controller.go
+++ b/pkg/controller/serviceaccount/serviceaccounts_controller.go
@@ -19,6 +19,7 @@ package serviceaccount
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -61,7 +62,7 @@ func DefaultServiceAccountsControllerOptions() ServiceAccountsControllerOptions
 }
 
 // NewServiceAccountsController returns a new *ServiceAccountsController.
-func NewServiceAccountsController(saInformer coreinformers.ServiceAccountInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, options ServiceAccountsControllerOptions) (*ServiceAccountsController, error) {
+func NewServiceAccountsController(logger klog.Logger, saInformer coreinformers.ServiceAccountInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, options ServiceAccountsControllerOptions) (*ServiceAccountsController, error) {
 	e := &ServiceAccountsController{
 		client:                  cl,
 		serviceAccountsToEnsure: options.ServiceAccounts,
@@ -72,7 +73,9 @@ func NewServiceAccountsController(saInformer coreinformers.ServiceAccountInforme
 	}
 
 	saHandler, _ := saInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{
-		DeleteFunc: e.serviceAccountDeleted,
+		DeleteFunc: func(obj interface{}) {
+			e.serviceAccountDeleted(logger, obj)
+		},
 	}, options.ServiceAccountResync)
 	e.saLister = saInformer.Lister()
 	e.saListerSynced = saHandler.HasSynced
@@ -108,35 +111,42 @@ type ServiceAccountsController struct {
 
 // Run runs the ServiceAccountsController blocks until receiving signal from stopCh.
 func (c *ServiceAccountsController) Run(ctx context.Context, workers int) {
-	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
-	klog.FromContext(ctx).Info("Starting service account controller")
-	defer klog.FromContext(ctx).Info("Shutting down service account controller")
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting service account controller")
 
-	if !cache.WaitForNamedCacheSync("service account", ctx.Done(), c.saListerSynced, c.nsListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down service account controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.saListerSynced, c.nsListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
 // serviceAccountDeleted reacts to a ServiceAccount deletion by recreating a default ServiceAccount in the namespace if needed
-func (c *ServiceAccountsController) serviceAccountDeleted(obj interface{}) {
+func (c *ServiceAccountsController) serviceAccountDeleted(logger klog.Logger, obj interface{}) {
 	sa, ok := obj.(*v1.ServiceAccount)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			utilruntime.HandleError(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			utilruntime.HandleErrorWithLogger(logger, nil, "Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		sa, ok = tombstone.Obj.(*v1.ServiceAccount)
 		if !ok {
-			utilruntime.HandleError(fmt.Errorf("Tombstone contained object that is not a ServiceAccount %#v", obj))
+			utilruntime.HandleErrorWithLogger(logger, nil, "Tombstone contained object that is not a ServiceAccount", "type", fmt.Sprintf("%T", obj))
 			return
 		}
 	}
@@ -174,7 +184,7 @@ func (c *ServiceAccountsController) processNextWorkItem(ctx context.Context) boo
 		return true
 	}
 
-	utilruntime.HandleError(fmt.Errorf("%v failed with : %v", key, err))
+	utilruntime.HandleErrorWithContext(ctx, err, "Service account work item failed", "item", key)
 	c.queue.AddRateLimited(key)
 
 	return true
diff --git a/pkg/controller/serviceaccount/serviceaccounts_controller_test.go b/pkg/controller/serviceaccount/serviceaccounts_controller_test.go
index 6ed9a842b7adc..3057418a5acc9 100644
--- a/pkg/controller/serviceaccount/serviceaccounts_controller_test.go
+++ b/pkg/controller/serviceaccount/serviceaccounts_controller_test.go
@@ -18,16 +18,18 @@ package serviceaccount
 
 import (
 	"context"
+	"sync"
 	"testing"
 	"time"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	core "k8s.io/client-go/testing"
 	"k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestServiceAccountCreation(t *testing.T) {
@@ -152,86 +154,98 @@ func TestServiceAccountCreation(t *testing.T) {
 	}
 
 	for k, tc := range testcases {
-		client := fake.NewSimpleClientset(defaultServiceAccount, managedServiceAccount)
-		informers := informers.NewSharedInformerFactory(fake.NewSimpleClientset(), controller.NoResyncPeriodFunc())
-		options := DefaultServiceAccountsControllerOptions()
-		options.ServiceAccounts = []v1.ServiceAccount{
-			{ObjectMeta: metav1.ObjectMeta{Name: defaultName}},
-			{ObjectMeta: metav1.ObjectMeta{Name: managedName}},
-		}
-		saInformer := informers.Core().V1().ServiceAccounts()
-		nsInformer := informers.Core().V1().Namespaces()
-		controller, err := NewServiceAccountsController(
-			saInformer,
-			nsInformer,
-			client,
-			options,
-		)
-		if err != nil {
-			t.Fatalf("error creating ServiceAccounts controller: %v", err)
-		}
-		controller.saListerSynced = alwaysReady
-		controller.nsListerSynced = alwaysReady
-
-		saStore := saInformer.Informer().GetStore()
-		nsStore := nsInformer.Informer().GetStore()
-
-		syncCalls := make(chan struct{}, 1)
-		controller.syncHandler = func(ctx context.Context, key string) error {
-			err := controller.syncNamespace(ctx, key)
+		t.Run(k, func(t *testing.T) {
+			client := fake.NewClientset(defaultServiceAccount, managedServiceAccount)
+			informers := informers.NewSharedInformerFactory(fake.NewClientset(), controller.NoResyncPeriodFunc())
+			options := DefaultServiceAccountsControllerOptions()
+			options.ServiceAccounts = []v1.ServiceAccount{
+				{ObjectMeta: metav1.ObjectMeta{Name: defaultName}},
+				{ObjectMeta: metav1.ObjectMeta{Name: managedName}},
+			}
+			saInformer := informers.Core().V1().ServiceAccounts()
+			nsInformer := informers.Core().V1().Namespaces()
+
+			var wg sync.WaitGroup
+			defer wg.Wait()
+
+			logger, ctx := ktesting.NewTestContext(t)
+			defer ctx.Cancel("test case terminating")
+
+			controller, err := NewServiceAccountsController(
+				logger,
+				saInformer,
+				nsInformer,
+				client,
+				options,
+			)
 			if err != nil {
-				t.Logf("%s: %v", k, err)
+				t.Fatalf("error creating ServiceAccounts controller: %v", err)
+			}
+			controller.saListerSynced = alwaysReady
+			controller.nsListerSynced = alwaysReady
+
+			saStore := saInformer.Informer().GetStore()
+			nsStore := nsInformer.Informer().GetStore()
+
+			syncCalls := make(chan struct{}, 1)
+			controller.syncHandler = func(ctx context.Context, key string) error {
+				err := controller.syncNamespace(ctx, key)
+				if err != nil {
+					t.Logf("%s: %v", k, err)
+				}
+
+				syncCalls <- struct{}{}
+				return err
+			}
+			stopCh := make(chan struct{})
+			defer close(stopCh)
+			wg.Go(func() {
+				controller.Run(ctx, 1)
+			})
+
+			if tc.ExistingNamespace != nil {
+				nsStore.Add(tc.ExistingNamespace) //nolint:errcheck
+			}
+			for _, s := range tc.ExistingServiceAccounts {
+				saStore.Add(s) //nolint:errcheck
+			}
+
+			if tc.AddedNamespace != nil {
+				nsStore.Add(tc.AddedNamespace) //nolint:errcheck
+				controller.namespaceAdded(tc.AddedNamespace)
+			}
+			if tc.UpdatedNamespace != nil {
+				nsStore.Add(tc.UpdatedNamespace) //nolint:errcheck
+				controller.namespaceUpdated(nil, tc.UpdatedNamespace)
+			}
+			if tc.DeletedServiceAccount != nil {
+				controller.serviceAccountDeleted(logger, tc.DeletedServiceAccount)
+			}
+
+			// wait to be called
+			select {
+			case <-syncCalls:
+			case <-time.After(10 * time.Second):
+				t.Errorf("%s: took too long", k)
 			}
 
-			syncCalls <- struct{}{}
-			return err
-		}
-		stopCh := make(chan struct{})
-		defer close(stopCh)
-		go controller.Run(context.TODO(), 1)
-
-		if tc.ExistingNamespace != nil {
-			nsStore.Add(tc.ExistingNamespace)
-		}
-		for _, s := range tc.ExistingServiceAccounts {
-			saStore.Add(s)
-		}
-
-		if tc.AddedNamespace != nil {
-			nsStore.Add(tc.AddedNamespace)
-			controller.namespaceAdded(tc.AddedNamespace)
-		}
-		if tc.UpdatedNamespace != nil {
-			nsStore.Add(tc.UpdatedNamespace)
-			controller.namespaceUpdated(nil, tc.UpdatedNamespace)
-		}
-		if tc.DeletedServiceAccount != nil {
-			controller.serviceAccountDeleted(tc.DeletedServiceAccount)
-		}
-
-		// wait to be called
-		select {
-		case <-syncCalls:
-		case <-time.After(10 * time.Second):
-			t.Errorf("%s: took too long", k)
-		}
-
-		actions := client.Actions()
-		if len(tc.ExpectCreatedServiceAccounts) != len(actions) {
-			t.Errorf("%s: Expected to create accounts %#v. Actual actions were: %#v", k, tc.ExpectCreatedServiceAccounts, actions)
-			continue
-		}
-		for i, expectedName := range tc.ExpectCreatedServiceAccounts {
-			action := actions[i]
-			if !action.Matches("create", "serviceaccounts") {
-				t.Errorf("%s: Unexpected action %s", k, action)
-				break
+			actions := client.Actions()
+			if len(tc.ExpectCreatedServiceAccounts) != len(actions) {
+				t.Errorf("%s: Expected to create accounts %#v. Actual actions were: %#v", k, tc.ExpectCreatedServiceAccounts, actions)
+				return
 			}
-			createdAccount := action.(core.CreateAction).GetObject().(*v1.ServiceAccount)
-			if createdAccount.Name != expectedName {
-				t.Errorf("%s: Expected %s to be created, got %s", k, expectedName, createdAccount.Name)
+			for i, expectedName := range tc.ExpectCreatedServiceAccounts {
+				action := actions[i]
+				if !action.Matches("create", "serviceaccounts") {
+					t.Errorf("%s: Unexpected action %s", k, action)
+					break
+				}
+				createdAccount := action.(core.CreateAction).GetObject().(*v1.ServiceAccount)
+				if createdAccount.Name != expectedName {
+					t.Errorf("%s: Expected %s to be created, got %s", k, expectedName, createdAccount.Name)
+				}
 			}
-		}
+		})
 	}
 }
 
diff --git a/pkg/controller/serviceaccount/tokens_controller.go b/pkg/controller/serviceaccount/tokens_controller.go
index bdceb39b35aaf..60f69d1aa1e87 100644
--- a/pkg/controller/serviceaccount/tokens_controller.go
+++ b/pkg/controller/serviceaccount/tokens_controller.go
@@ -20,11 +20,13 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -109,8 +111,7 @@ func NewTokensController(logger klog.Logger, serviceAccounts informers.ServiceAc
 		options.ServiceAccountResync,
 	)
 
-	secretCache := secrets.Informer().GetIndexer()
-	e.updatedSecrets = cache.NewIntegerResourceVersionMutationCache(logger, secretCache, secretCache, 60*time.Second, true)
+	e.secrets = secrets.Lister()
 	e.secretSynced = secrets.Informer().HasSynced
 	secrets.Informer().AddEventHandlerWithOptions(
 		cache.FilteringResourceEventHandler{
@@ -119,7 +120,7 @@ func NewTokensController(logger klog.Logger, serviceAccounts informers.ServiceAc
 				case *v1.Secret:
 					return t.Type == v1.SecretTypeServiceAccountToken
 				default:
-					utilruntime.HandleError(fmt.Errorf("object passed to %T that is not expected: %T", e, obj))
+					utilruntime.HandleErrorWithLogger(logger, nil, "Unexpected object type passed to tokens controller", "type", fmt.Sprintf("%T", obj))
 					return false
 				}
 			},
@@ -147,10 +148,7 @@ type TokensController struct {
 	serviceServingCA []byte
 
 	serviceAccounts listersv1.ServiceAccountLister
-	// updatedSecrets is a wrapper around the shared cache which allows us to record
-	// and return our local mutations (since we're very likely to act on an updated
-	// secret before the watch reports it).
-	updatedSecrets cache.MutationCache
+	secrets         listersv1.SecretLister
 
 	// Since we join two objects, we'll watch both of them with controllers.
 	serviceAccountSynced cache.InformerSynced
@@ -173,23 +171,31 @@ type TokensController struct {
 
 // Run runs controller blocks until stopCh is closed
 func (e *TokensController) Run(ctx context.Context, workers int) {
-	// Shut down queues
-	defer utilruntime.HandleCrash()
-	defer e.syncServiceAccountQueue.ShutDown()
-	defer e.syncSecretQueue.ShutDown()
+	defer utilruntime.HandleCrashWithContext(ctx)
+	logger := klog.FromContext(ctx)
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.V(1).Info("Shutting down")
+		e.syncServiceAccountQueue.ShutDown()
+		e.syncSecretQueue.ShutDown()
+		wg.Wait()
+	}()
 
-	if !cache.WaitForNamedCacheSync("tokens", ctx.Done(), e.serviceAccountSynced, e.secretSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, e.serviceAccountSynced, e.secretSynced) {
 		return
 	}
 
-	logger := klog.FromContext(ctx)
 	logger.V(5).Info("Starting workers")
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, e.syncServiceAccount, 0)
-		go wait.UntilWithContext(ctx, e.syncSecret, 0)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, e.syncServiceAccount, 0)
+		})
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, e.syncSecret, 0)
+		})
 	}
 	<-ctx.Done()
-	logger.V(1).Info("Shutting down")
 }
 
 func (e *TokensController) queueServiceAccountSync(obj interface{}) {
@@ -288,7 +294,7 @@ func (e *TokensController) syncSecret(ctx context.Context) {
 		return
 	}
 
-	secret, err := e.getSecret(secretInfo.namespace, secretInfo.name, secretInfo.uid, false)
+	secret, err := e.getSecret(secretInfo.namespace, secretInfo.name, secretInfo.uid)
 	switch {
 	case err != nil:
 		logger.Error(err, "Getting secret")
@@ -521,54 +527,34 @@ func (e *TokensController) getServiceAccount(ns string, name string, uid types.U
 	return nil, nil
 }
 
-func (e *TokensController) getSecret(ns string, name string, uid types.UID, fetchOnCacheMiss bool) (*v1.Secret, error) {
+func (e *TokensController) getSecret(ns string, name string, uid types.UID) (*v1.Secret, error) {
 	// Look up in cache
-	obj, exists, err := e.updatedSecrets.GetByKey(makeCacheKey(ns, name))
+	secret, err := e.secrets.Secrets(ns).Get(name)
 	if err != nil {
-		return nil, err
-	}
-	if exists {
-		secret, ok := obj.(*v1.Secret)
-		if !ok {
-			return nil, fmt.Errorf("expected *v1.Secret, got %#v", secret)
+		if apierrors.IsNotFound(err) {
+			return nil, nil
 		}
-		// Ensure UID matches if given
-		if len(uid) == 0 || uid == secret.UID {
-			return secret, nil
-		}
-	}
-
-	if !fetchOnCacheMiss {
-		return nil, nil
-	}
-
-	// Live lookup
-	secret, err := e.client.CoreV1().Secrets(ns).Get(context.TODO(), name, metav1.GetOptions{})
-	if apierrors.IsNotFound(err) {
-		return nil, nil
-	}
-	if err != nil {
 		return nil, err
 	}
+
 	// Ensure UID matches if given
 	if len(uid) == 0 || uid == secret.UID {
 		return secret, nil
 	}
+
 	return nil, nil
 }
 
-// listTokenSecrets returns a list of all of the ServiceAccountToken secrets that
+// listTokenSecrets returns a list of all the ServiceAccountToken secrets that
 // reference the given service account's name and uid
 func (e *TokensController) listTokenSecrets(serviceAccount *v1.ServiceAccount) ([]*v1.Secret, error) {
-	namespaceSecrets, err := e.updatedSecrets.ByIndex("namespace", serviceAccount.Namespace)
+	namespaceSecrets, err := e.secrets.Secrets(serviceAccount.Namespace).List(labels.Everything())
 	if err != nil {
 		return nil, err
 	}
 
 	items := []*v1.Secret{}
-	for _, obj := range namespaceSecrets {
-		secret := obj.(*v1.Secret)
-
+	for _, secret := range namespaceSecrets {
 		if apiserverserviceaccount.IsServiceAccountToken(secret, serviceAccount) {
 			items = append(items, secret)
 		}
@@ -638,8 +624,3 @@ func parseSecretQueueKey(key interface{}) (secretQueueKey, error) {
 	}
 	return queueKey, nil
 }
-
-// produce the same key format as cache.MetaNamespaceKeyFunc
-func makeCacheKey(namespace, name string) string {
-	return namespace + "/" + name
-}
diff --git a/pkg/controller/serviceaccount/tokens_controller_test.go b/pkg/controller/serviceaccount/tokens_controller_test.go
index 5b7b14901c367..e1fef1128614c 100644
--- a/pkg/controller/serviceaccount/tokens_controller_test.go
+++ b/pkg/controller/serviceaccount/tokens_controller_test.go
@@ -180,7 +180,6 @@ func TestTokenCreation(t *testing.T) {
 		UpdatedServiceAccount *v1.ServiceAccount
 		DeletedServiceAccount *v1.ServiceAccount
 		AddedSecret           *v1.Secret
-		AddedSecretLocal      *v1.Secret
 		UpdatedSecret         *v1.Secret
 		DeletedSecret         *v1.Secret
 
@@ -198,13 +197,6 @@ func TestTokenCreation(t *testing.T) {
 			AddedServiceAccount: serviceAccount(missingSecretReferences()),
 			ExpectedActions:     []core.Action{},
 		},
-		"new serviceaccount with missing secrets and a local secret in the cache": {
-			ClientObjects: []runtime.Object{serviceAccount(missingSecretReferences())},
-
-			AddedServiceAccount: serviceAccount(tokenSecretReferences()),
-			AddedSecretLocal:    serviceAccountTokenSecret(),
-			ExpectedActions:     []core.Action{},
-		},
 		"new serviceaccount with non-token secrets": {
 			ClientObjects: []runtime.Object{serviceAccount(regularSecretReferences()), opaqueSecret()},
 
@@ -483,9 +475,6 @@ func TestTokenCreation(t *testing.T) {
 				secrets.Add(tc.AddedSecret)
 				controller.queueSecretSync(tc.AddedSecret)
 			}
-			if tc.AddedSecretLocal != nil {
-				controller.updatedSecrets.Mutation(tc.AddedSecretLocal)
-			}
 			if tc.UpdatedSecret != nil {
 				secrets.Add(tc.UpdatedSecret)
 				controller.queueSecretUpdateSync(nil, tc.UpdatedSecret)
diff --git a/pkg/controller/servicecidrs/servicecidrs_controller.go b/pkg/controller/servicecidrs/servicecidrs_controller.go
index 4700c42fa74a0..8a563cb0a7946 100644
--- a/pkg/controller/servicecidrs/servicecidrs_controller.go
+++ b/pkg/controller/servicecidrs/servicecidrs_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/netip"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -125,24 +126,30 @@ type Controller struct {
 
 // Run will not return until stopCh is closed.
 func (c *Controller) Run(ctx context.Context, workers int) {
-	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	c.eventBroadcaster.StartStructuredLogging(3)
 	c.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: c.client.CoreV1().Events("")})
 	defer c.eventBroadcaster.Shutdown()
 
 	logger := klog.FromContext(ctx)
-
 	logger.Info("Starting", "controller", controllerName)
-	defer logger.Info("Shutting down", "controller", controllerName)
 
-	if !cache.WaitForNamedCacheSync(controllerName, ctx.Done(), c.serviceCIDRsSynced, c.ipAddressSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down", "controller", controllerName)
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.serviceCIDRsSynced, c.ipAddressSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.worker, c.workerLoopPeriod)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.worker, c.workerLoopPeriod)
+		})
 	}
 	<-ctx.Done()
 }
@@ -270,7 +277,7 @@ func (c *Controller) processNext(ctx context.Context) bool {
 	} else {
 		logger.Info("Dropping ServiceCIDR out of the queue", "ServiceCIDR", key, "err", err)
 		c.queue.Forget(key)
-		utilruntime.HandleError(err)
+		utilruntime.HandleErrorWithContext(ctx, err, "ServiceCIDR sync failed after max retries")
 	}
 	return true
 }
diff --git a/pkg/controller/statefulset/metrics/metrics.go b/pkg/controller/statefulset/metrics/metrics.go
new file mode 100644
index 0000000000000..ff530a3426258
--- /dev/null
+++ b/pkg/controller/statefulset/metrics/metrics.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"sync"
+
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+const StatefulSetControllerSubsystem = "statefulset_controller"
+
+var (
+	// MaxUnavailable tracks the current .spec.updateStrategy.rollingUpdate.maxUnavailable value with the
+	// MaxUnavailableStatefulSet feature enabled. This gauge reflects the configured maximum number of pods
+	// that can be unavailable during rolling updates, providing visibility into the availability constraints.
+	// The metric is set to 1 by default.
+	//
+	// Sample monitoring queries:
+	// - Current maxUnavailable setting: statefulset_max_unavailable
+	// - Compare with actual unavailable: statefulset_unavailable_replicas - statefulset_max_unavailable
+	// - Alert when exceeding limit: statefulset_unavailable_replicas > statefulset_max_unavailable
+	// - Monitor configuration changes: changes(statefulset_max_unavailable[1h])
+	MaxUnavailable = metrics.NewGaugeVec(
+		&metrics.GaugeOpts{
+			Subsystem:      StatefulSetControllerSubsystem,
+			Name:           "statefulset_max_unavailable",
+			Help:           "Maximum number of unavailable pods allowed during StatefulSet rolling updates",
+			StabilityLevel: metrics.ALPHA,
+		}, []string{"statefulset_namespace", "statefulset_name", "pod_management_policy"},
+	)
+
+	// UnavailableReplicas tracks the current number of unavailable pods in a StatefulSet.
+	// This gauge reflects the real-time count of pods that are either missing or unavailable
+	// (i.e., not ready for .spec.minReadySeconds).
+	//
+	// Sample monitoring queries:
+	// - Current unavailable pods: statefulset_unavailable_replicas
+	// - Availability percentage: (statefulset_replicas - statefulset_unavailable_replicas) / statefulset_replicas * 100
+	// - Alert on high unavailability: statefulset_unavailable_replicas > statefulset_max_unavailable
+	// - Monitor availability trends: statefulset_unavailable_replicas
+	UnavailableReplicas = metrics.NewGaugeVec(
+		&metrics.GaugeOpts{
+			Subsystem:      StatefulSetControllerSubsystem,
+			Name:           "statefulset_unavailable_replicas",
+			Help:           "Current number of unavailable pods in StatefulSet",
+			StabilityLevel: metrics.ALPHA,
+		}, []string{"statefulset_namespace", "statefulset_name", "pod_management_policy"},
+	)
+)
+
+var registerMetrics sync.Once
+
+func Register() {
+	registerMetrics.Do(func() {
+		legacyregistry.MustRegister(MaxUnavailable)
+		legacyregistry.MustRegister(UnavailableReplicas)
+	})
+}
diff --git a/pkg/controller/statefulset/stateful_pod_control.go b/pkg/controller/statefulset/stateful_pod_control.go
index 76945d336932e..b272b66759fd7 100644
--- a/pkg/controller/statefulset/stateful_pod_control.go
+++ b/pkg/controller/statefulset/stateful_pod_control.go
@@ -19,21 +19,20 @@ package statefulset
 import (
 	"context"
 	"fmt"
-	"strings"
 
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	errorutils "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
 	corelisters "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 // StatefulPodControlObjectManager abstracts the manipulation of Pods and PVCs. The real controller implements this
@@ -124,12 +123,10 @@ func (spc *StatefulPodControl) CreateStatefulPod(ctx context.Context, set *apps.
 	if apierrors.IsAlreadyExists(err) {
 		return err
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		// Set PVC policy as much as is possible at this point.
-		if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
-			spc.recordPodEvent("update", set, pod, err)
-			return err
-		}
+	// Set PVC policy as much as is possible at this point.
+	if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
+		spc.recordPodEvent("update", set, pod, err)
+		return err
 	}
 	spc.recordPodEvent("create", set, pod, err)
 	return err
@@ -155,19 +152,17 @@ func (spc *StatefulPodControl) UpdateStatefulPod(ctx context.Context, set *apps.
 				return err
 			}
 		}
-		if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-			// if the Pod's PVCs are not consistent with the StatefulSet's PVC deletion policy, update the PVC
-			// and dirty the pod.
-			if match, err := spc.ClaimsMatchRetentionPolicy(ctx, set, pod); err != nil {
+		// if the Pod's PVCs are not consistent with the StatefulSet's PVC deletion policy, update the PVC
+		// and dirty the pod.
+		if match, err := spc.ClaimsMatchRetentionPolicy(ctx, set, pod); err != nil {
+			spc.recordPodEvent("update", set, pod, err)
+			return err
+		} else if !match {
+			if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
 				spc.recordPodEvent("update", set, pod, err)
 				return err
-			} else if !match {
-				if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
-					spc.recordPodEvent("update", set, pod, err)
-					return err
-				}
-				consistent = false
 			}
+			consistent = false
 		}
 
 		// if the Pod is not dirty, do nothing
@@ -187,7 +182,7 @@ func (spc *StatefulPodControl) UpdateStatefulPod(ctx context.Context, set *apps.
 			// make a copy so we don't mutate the shared cache
 			pod = updated.DeepCopy()
 		} else {
-			utilruntime.HandleError(fmt.Errorf("error getting updated Pod %s/%s: %w", set.Namespace, pod.Name, err))
+			utilruntime.HandleErrorWithContext(ctx, err, "Error getting updated Pod from lister", "pod", klog.KRef(set.Namespace, pod.Name))
 		}
 
 		return updateErr
@@ -289,14 +284,14 @@ func (spc *StatefulPodControl) PodClaimIsStale(set *apps.StatefulSet, pod *v1.Po
 // have a reason of v1.EventTypeNormal. If err is not nil the generated event will have a reason of v1.EventTypeWarning.
 func (spc *StatefulPodControl) recordPodEvent(verb string, set *apps.StatefulSet, pod *v1.Pod, err error) {
 	if err == nil {
-		reason := fmt.Sprintf("Successful%s", strings.Title(verb))
+		reason := fmt.Sprintf("Successful%s", cases.Title(language.English).String(verb))
 		message := fmt.Sprintf("%s Pod %s in StatefulSet %s successful",
-			strings.ToLower(verb), pod.Name, set.Name)
+			cases.Title(language.English).String(verb), pod.Name, set.Name)
 		spc.recorder.Event(set, v1.EventTypeNormal, reason, message)
 	} else {
-		reason := fmt.Sprintf("Failed%s", strings.Title(verb))
+		reason := fmt.Sprintf("Failed%s", cases.Title(language.English).String(verb))
 		message := fmt.Sprintf("%s Pod %s in StatefulSet %s failed error: %s",
-			strings.ToLower(verb), pod.Name, set.Name, err)
+			cases.Title(language.English).String(verb), pod.Name, set.Name, err)
 		spc.recorder.Event(set, v1.EventTypeWarning, reason, message)
 	}
 }
@@ -306,14 +301,14 @@ func (spc *StatefulPodControl) recordPodEvent(verb string, set *apps.StatefulSet
 // reason of v1.EventTypeWarning.
 func (spc *StatefulPodControl) recordClaimEvent(verb string, set *apps.StatefulSet, pod *v1.Pod, claim *v1.PersistentVolumeClaim, err error) {
 	if err == nil {
-		reason := fmt.Sprintf("Successful%s", strings.Title(verb))
+		reason := fmt.Sprintf("Successful%s", cases.Title(language.English).String(verb))
 		message := fmt.Sprintf("%s Claim %s Pod %s in StatefulSet %s success",
-			strings.ToLower(verb), claim.Name, pod.Name, set.Name)
+			cases.Title(language.English).String(verb), claim.Name, pod.Name, set.Name)
 		spc.recorder.Event(set, v1.EventTypeNormal, reason, message)
 	} else {
-		reason := fmt.Sprintf("Failed%s", strings.Title(verb))
+		reason := fmt.Sprintf("Failed%s", cases.Title(language.English).String(verb))
 		message := fmt.Sprintf("%s Claim %s for Pod %s in StatefulSet %s failed error: %s",
-			strings.ToLower(verb), claim.Name, pod.Name, set.Name, err)
+			cases.Title(language.English).String(verb), claim.Name, pod.Name, set.Name, err)
 		spc.recorder.Event(set, v1.EventTypeWarning, reason, message)
 	}
 }
@@ -323,13 +318,10 @@ func (spc *StatefulPodControl) createMissingPersistentVolumeClaims(ctx context.C
 	if err := spc.createPersistentVolumeClaims(set, pod); err != nil {
 		return err
 	}
-
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		// Set PVC policy as much as is possible at this point.
-		if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
-			spc.recordPodEvent("update", set, pod, err)
-			return err
-		}
+	// Set PVC policy as much as is possible at this point.
+	if err := spc.UpdatePodClaimForRetentionPolicy(ctx, set, pod); err != nil {
+		spc.recordPodEvent("update", set, pod, err)
+		return err
 	}
 	return nil
 }
diff --git a/pkg/controller/statefulset/stateful_pod_control_test.go b/pkg/controller/statefulset/stateful_pod_control_test.go
index 6925b53e4c7d3..27528e77e0f51 100644
--- a/pkg/controller/statefulset/stateful_pod_control_test.go
+++ b/pkg/controller/statefulset/stateful_pod_control_test.go
@@ -30,18 +30,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
 	corelisters "k8s.io/client-go/listers/core/v1"
 	core "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/klog/v2/ktesting"
 	_ "k8s.io/kubernetes/pkg/apis/apps/install"
 	_ "k8s.io/kubernetes/pkg/apis/core/install"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -541,81 +537,65 @@ func TestStatefulPodControlClaimsMatchDeletionPolcy(t *testing.T) {
 func TestStatefulPodControlUpdatePodClaimForRetentionPolicy(t *testing.T) {
 	// All the update conditions are tested exhaustively in stateful_set_utils_test. This
 	// tests the wiring from the pod control to that method.
+	_, ctx := ktesting.NewTestContext(t)
+	testCases := []struct {
+		name      string
+		ownerRef  []metav1.OwnerReference
+		expectRef bool
+	}{
+		{
+			name:      "bare PVC",
+			expectRef: true,
+		},
+		{
+			name:      "PVC already controller",
+			ownerRef:  []metav1.OwnerReference{{Controller: ptr.To(true), Name: "foobar"}},
+			expectRef: false,
+		},
+	}
 
-	testFn := func(t *testing.T) {
-		_, ctx := ktesting.NewTestContext(t)
-		testCases := []struct {
-			name      string
-			ownerRef  []metav1.OwnerReference
-			expectRef bool
-		}{
-			{
-				name:      "bare PVC",
-				expectRef: true,
-			},
-			{
-				name:      "PVC already controller",
-				ownerRef:  []metav1.OwnerReference{{Controller: ptr.To(true), Name: "foobar"}},
-				expectRef: false,
-			},
-		}
-
-		for _, tc := range testCases {
-			fakeClient := &fake.Clientset{}
-			indexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-			claimLister := corelisters.NewPersistentVolumeClaimLister(indexer)
-			fakeClient.AddReactor("update", "persistentvolumeclaims", func(action core.Action) (bool, runtime.Object, error) {
-				update := action.(core.UpdateAction)
-				if err := indexer.Update(update.GetObject()); err != nil {
-					t.Fatalf("could not update index: %v", err)
-				}
-				return true, update.GetObject(), nil
-			})
-			set := newStatefulSet(3)
-			set.GetObjectMeta().SetUID("set-123")
-			pod0 := newStatefulSetPod(set, 0)
-			claims0 := getPersistentVolumeClaims(set, pod0)
-			for k := range claims0 {
-				claim := claims0[k]
-				if tc.ownerRef != nil {
-					claim.SetOwnerReferences(tc.ownerRef)
-				}
-				if err := indexer.Add(&claim); err != nil {
-					t.Errorf("Could not add claim %s: %v", k, err)
-				}
+	for _, tc := range testCases {
+		fakeClient := &fake.Clientset{}
+		indexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
+		claimLister := corelisters.NewPersistentVolumeClaimLister(indexer)
+		fakeClient.AddReactor("update", "persistentvolumeclaims", func(action core.Action) (bool, runtime.Object, error) {
+			update := action.(core.UpdateAction)
+			if err := indexer.Update(update.GetObject()); err != nil {
+				t.Fatalf("could not update index: %v", err)
 			}
-			control := NewStatefulPodControl(fakeClient, nil, claimLister, &noopRecorder{})
-			set.Spec.PersistentVolumeClaimRetentionPolicy = &apps.StatefulSetPersistentVolumeClaimRetentionPolicy{
-				WhenDeleted: apps.DeletePersistentVolumeClaimRetentionPolicyType,
-				WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
+			return true, update.GetObject(), nil
+		})
+		set := newStatefulSet(3)
+		set.GetObjectMeta().SetUID("set-123")
+		pod0 := newStatefulSetPod(set, 0)
+		claims0 := getPersistentVolumeClaims(set, pod0)
+		for k := range claims0 {
+			claim := claims0[k]
+			if tc.ownerRef != nil {
+				claim.SetOwnerReferences(tc.ownerRef)
 			}
-			if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-				if err := control.UpdatePodClaimForRetentionPolicy(ctx, set, pod0); err != nil {
-					t.Errorf("Unexpected error for UpdatePodClaimForRetentionPolicy (retain), pod0: %v", err)
-				}
+			if err := indexer.Add(&claim); err != nil {
+				t.Errorf("Could not add claim %s: %v", k, err)
 			}
-			expectRef := tc.expectRef && utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC)
-			for k := range claims0 {
-				claim, err := claimLister.PersistentVolumeClaims(claims0[k].Namespace).Get(claims0[k].Name)
-				if err != nil {
-					t.Errorf("Unexpected error getting Claim %s/%s: %v", claim.Namespace, claim.Name, err)
-				}
-				if hasOwnerRef(claim, set) != expectRef {
-					t.Errorf("%s: Claim %s/%s bad set owner ref", tc.name, claim.Namespace, claim.Name)
-				}
+		}
+		control := NewStatefulPodControl(fakeClient, nil, claimLister, &noopRecorder{})
+		set.Spec.PersistentVolumeClaimRetentionPolicy = &apps.StatefulSetPersistentVolumeClaimRetentionPolicy{
+			WhenDeleted: apps.DeletePersistentVolumeClaimRetentionPolicyType,
+			WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
+		}
+		if err := control.UpdatePodClaimForRetentionPolicy(ctx, set, pod0); err != nil {
+			t.Errorf("Unexpected error for UpdatePodClaimForRetentionPolicy (retain), pod0: %v", err)
+		}
+		for k := range claims0 {
+			claim, err := claimLister.PersistentVolumeClaims(claims0[k].Namespace).Get(claims0[k].Name)
+			if err != nil {
+				t.Errorf("Unexpected error getting Claim %s/%s: %v", claim.Namespace, claim.Name, err)
+			}
+			if hasOwnerRef(claim, set) != tc.expectRef {
+				t.Errorf("%s: Claim %s/%s bad set owner ref", tc.name, claim.Namespace, claim.Name)
 			}
 		}
 	}
-	t.Run("StatefulSetAutoDeletePVCEnabled", func(t *testing.T) {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, true)
-		testFn(t)
-	})
-	t.Run("StatefulSetAutoDeletePVCDisabled", func(t *testing.T) {
-		// TODO: this will be removed in 1.35
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
-		testFn(t)
-	})
 }
 
 func TestPodClaimIsStale(t *testing.T) {
@@ -730,66 +710,48 @@ func TestPodClaimIsStale(t *testing.T) {
 }
 
 func TestStatefulPodControlRetainDeletionPolicyUpdate(t *testing.T) {
-	testFn := func(t *testing.T) {
-		_, ctx := ktesting.NewTestContext(t)
-		recorder := record.NewFakeRecorder(10)
-		set := newStatefulSet(1)
-		set.Spec.PersistentVolumeClaimRetentionPolicy = &apps.StatefulSetPersistentVolumeClaimRetentionPolicy{
-			WhenDeleted: apps.RetainPersistentVolumeClaimRetentionPolicyType,
-			WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
-		}
-		pod := newStatefulSetPod(set, 0)
-		fakeClient := &fake.Clientset{}
-		podIndexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-		podLister := corelisters.NewPodLister(podIndexer)
-		claimIndexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
-		claimLister := corelisters.NewPersistentVolumeClaimLister(claimIndexer)
-		if err := podIndexer.Add(pod); err != nil {
-			t.Errorf("couldn't add %s to index: %v", pod.GetName(), err)
-		}
-		claims := getPersistentVolumeClaims(set, pod)
-		if len(claims) < 1 {
-			t.Errorf("Unexpected missing PVCs")
-		}
-		for k := range claims {
-			claim := claims[k]
-			// This ownerRef should be removed in the update.
-			claim.SetOwnerReferences(addControllerRef(claim.GetOwnerReferences(), set, controllerKind))
-			if err := claimIndexer.Add(&claim); err != nil {
-				t.Errorf("couldn't add %s to index: %v", claim.GetName(), err)
-			}
-		}
-		control := NewStatefulPodControl(fakeClient, podLister, claimLister, recorder)
-		if err := control.UpdateStatefulPod(ctx, set, pod); err != nil {
-			t.Errorf("Successful update returned an error: %s", err)
-		}
-		for k := range claims {
-			claim := claims[k]
-			if hasOwnerRef(&claim, set) {
-				t.Errorf("ownerRef not removed: %s/%s", claim.Namespace, claim.Name)
-			}
+	_, ctx := ktesting.NewTestContext(t)
+	recorder := record.NewFakeRecorder(10)
+	set := newStatefulSet(1)
+	set.Spec.PersistentVolumeClaimRetentionPolicy = &apps.StatefulSetPersistentVolumeClaimRetentionPolicy{
+		WhenDeleted: apps.RetainPersistentVolumeClaimRetentionPolicyType,
+		WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
+	}
+	pod := newStatefulSetPod(set, 0)
+	fakeClient := &fake.Clientset{}
+	podIndexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
+	podLister := corelisters.NewPodLister(podIndexer)
+	claimIndexer := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc})
+	claimLister := corelisters.NewPersistentVolumeClaimLister(claimIndexer)
+	if err := podIndexer.Add(pod); err != nil {
+		t.Errorf("couldn't add %s to index: %v", pod.GetName(), err)
+	}
+	claims := getPersistentVolumeClaims(set, pod)
+	if len(claims) < 1 {
+		t.Errorf("Unexpected missing PVCs")
+	}
+	for k := range claims {
+		claim := claims[k]
+		// This ownerRef should be removed in the update.
+		claim.SetOwnerReferences(addControllerRef(claim.GetOwnerReferences(), set, controllerKind))
+		if err := claimIndexer.Add(&claim); err != nil {
+			t.Errorf("couldn't add %s to index: %v", claim.GetName(), err)
 		}
-		events := collectEvents(recorder.Events)
-		if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-			if eventCount := len(events); eventCount != 1 {
-				t.Errorf("delete failed: got %d events, but want 1", eventCount)
-			}
-		} else {
-			if len(events) != 0 {
-				t.Errorf("delete failed: expected no events, but got %v", events)
-			}
+	}
+	control := NewStatefulPodControl(fakeClient, podLister, claimLister, recorder)
+	if err := control.UpdateStatefulPod(ctx, set, pod); err != nil {
+		t.Errorf("Successful update returned an error: %s", err)
+	}
+	for k := range claims {
+		claim := claims[k]
+		if hasOwnerRef(&claim, set) {
+			t.Errorf("ownerRef not removed: %s/%s", claim.Namespace, claim.Name)
 		}
 	}
-	t.Run("StatefulSetAutoDeletePVCEnabled", func(t *testing.T) {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, true)
-		testFn(t)
-	})
-	t.Run("StatefulSetAutoDeletePVCDisabled", func(t *testing.T) {
-		// TODO: this will be removed in 1.35
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
-		testFn(t)
-	})
+	events := collectEvents(recorder.Events)
+	if eventCount := len(events); eventCount != 1 {
+		t.Errorf("delete failed: got %d events, but want 1", eventCount)
+	}
 }
 
 func TestStatefulPodControlRetentionPolicyUpdate(t *testing.T) {
diff --git a/pkg/controller/statefulset/stateful_set.go b/pkg/controller/statefulset/stateful_set.go
index 007766df25d5c..922df499c1cc8 100644
--- a/pkg/controller/statefulset/stateful_set.go
+++ b/pkg/controller/statefulset/stateful_set.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"sync"
 	"time"
 
 	apps "k8s.io/api/apps/v1"
@@ -42,6 +43,9 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/history"
+	"k8s.io/kubernetes/pkg/controller/statefulset/metrics"
+	"k8s.io/utils/clock"
+	"k8s.io/utils/ptr"
 
 	"k8s.io/klog/v2"
 )
@@ -79,6 +83,7 @@ type StatefulSetController struct {
 	queue workqueue.TypedRateLimitingInterface[string]
 	// eventBroadcaster is the core of event processing pipeline.
 	eventBroadcaster record.EventBroadcaster
+	clock            clock.PassiveClock
 }
 
 // NewStatefulSetController creates a new statefulset controller.
@@ -93,6 +98,9 @@ func NewStatefulSetController(
 	logger := klog.FromContext(ctx)
 	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
 	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "statefulset-controller"})
+
+	// Register metrics
+	metrics.Register()
 	ssc := &StatefulSetController{
 		kubeClient: kubeClient,
 		control: NewDefaultStatefulSetControl(
@@ -113,6 +121,7 @@ func NewStatefulSetController(
 		podControl: controller.RealPodControl{KubeClient: kubeClient, Recorder: recorder},
 
 		eventBroadcaster: eventBroadcaster,
+		clock:            clock.RealClock{},
 	}
 
 	podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@@ -135,16 +144,20 @@ func NewStatefulSetController(
 	ssc.podIndexer = podInformer.Informer().GetIndexer()
 	setInformer.Informer().AddEventHandler(
 		cache.ResourceEventHandlerFuncs{
-			AddFunc: ssc.enqueueStatefulSet,
+			AddFunc: func(obj interface{}) {
+				ssc.enqueueStatefulSet(logger, obj)
+			},
 			UpdateFunc: func(old, cur interface{}) {
 				oldPS := old.(*apps.StatefulSet)
 				curPS := cur.(*apps.StatefulSet)
 				if oldPS.Status.Replicas != curPS.Status.Replicas {
 					logger.V(4).Info("Observed updated replica count for StatefulSet", "statefulSet", klog.KObj(curPS), "oldReplicas", oldPS.Status.Replicas, "newReplicas", curPS.Status.Replicas)
 				}
-				ssc.enqueueStatefulSet(cur)
+				ssc.enqueueStatefulSet(logger, cur)
+			},
+			DeleteFunc: func(obj interface{}) {
+				ssc.enqueueStatefulSet(logger, obj)
 			},
-			DeleteFunc: ssc.enqueueStatefulSet,
 		},
 	)
 	ssc.setLister = setInformer.Lister()
@@ -156,27 +169,32 @@ func NewStatefulSetController(
 
 // Run runs the statefulset controller.
 func (ssc *StatefulSetController) Run(ctx context.Context, workers int) {
-	defer utilruntime.HandleCrash()
+	defer utilruntime.HandleCrashWithContext(ctx)
 
 	// Start events processing pipeline.
 	ssc.eventBroadcaster.StartStructuredLogging(3)
 	ssc.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: ssc.kubeClient.CoreV1().Events("")})
 	defer ssc.eventBroadcaster.Shutdown()
 
-	defer ssc.queue.ShutDown()
-
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting stateful set controller")
-	defer logger.Info("Shutting down statefulset controller")
 
-	if !cache.WaitForNamedCacheSync("stateful set", ctx.Done(), ssc.podListerSynced, ssc.setListerSynced, ssc.pvcListerSynced, ssc.revListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down statefulset controller")
+		ssc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, ssc.podListerSynced, ssc.setListerSynced, ssc.pvcListerSynced, ssc.revListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, ssc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, ssc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -198,19 +216,19 @@ func (ssc *StatefulSetController) addPod(logger klog.Logger, obj interface{}) {
 			return
 		}
 		logger.V(4).Info("Pod created with labels", "pod", klog.KObj(pod), "labels", pod.Labels)
-		ssc.enqueueStatefulSet(set)
+		ssc.enqueueStatefulSet(logger, set)
 		return
 	}
 
 	// Otherwise, it's an orphan. Get a list of all matching controllers and sync
 	// them to see if anyone wants to adopt it.
-	sets := ssc.getStatefulSetsForPod(pod)
+	sets := ssc.getStatefulSetsForPod(logger, pod)
 	if len(sets) == 0 {
 		return
 	}
 	logger.V(4).Info("Orphan Pod created with labels", "pod", klog.KObj(pod), "labels", pod.Labels)
 	for _, set := range sets {
-		ssc.enqueueStatefulSet(set)
+		ssc.enqueueStatefulSet(logger, set)
 	}
 }
 
@@ -232,7 +250,7 @@ func (ssc *StatefulSetController) updatePod(logger klog.Logger, old, cur interfa
 	if controllerRefChanged && oldControllerRef != nil {
 		// The ControllerRef was changed. Sync the old controller, if any.
 		if set := ssc.resolveControllerRef(oldPod.Namespace, oldControllerRef); set != nil {
-			ssc.enqueueStatefulSet(set)
+			ssc.enqueueStatefulSet(logger, set)
 		}
 	}
 
@@ -246,15 +264,16 @@ func (ssc *StatefulSetController) updatePod(logger klog.Logger, old, cur interfa
 		if oldPod.Status.Phase != curPod.Status.Phase {
 			logger.V(4).Info("StatefulSet Pod phase changed", "pod", klog.KObj(curPod), "statefulSet", klog.KObj(set), "podPhase", curPod.Status.Phase)
 		}
-		ssc.enqueueStatefulSet(set)
+		ssc.enqueueStatefulSet(logger, set)
 		// TODO: MinReadySeconds in the Pod will generate an Available condition to be added in
 		// the Pod status which in turn will trigger a requeue of the owning replica set thus
 		// having its status updated with the newly available replica.
 		if !podutil.IsPodReady(oldPod) && podutil.IsPodReady(curPod) && set.Spec.MinReadySeconds > 0 {
 			logger.V(2).Info("StatefulSet will be enqueued after minReadySeconds for availability check", "statefulSet", klog.KObj(set), "minReadySeconds", set.Spec.MinReadySeconds)
-			// Add a second to avoid milliseconds skew in AddAfter.
-			// See https://github.com/kubernetes/kubernetes/issues/39785#issuecomment-279959133 for more info.
-			ssc.enqueueSSAfter(set, (time.Duration(set.Spec.MinReadySeconds)*time.Second)+time.Second)
+			// If there are multiple pods with varying readiness times, we cannot correctly track it
+			// with the current queue. Further resyncs are attempted at the end of the syncStatefulSet
+			// function.
+			ssc.enqueueSSAfter(logger, set, time.Duration(set.Spec.MinReadySeconds)*time.Second)
 		}
 		return
 	}
@@ -262,13 +281,13 @@ func (ssc *StatefulSetController) updatePod(logger klog.Logger, old, cur interfa
 	// Otherwise, it's an orphan. If anything changed, sync matching controllers
 	// to see if anyone wants to adopt it now.
 	if labelChanged || controllerRefChanged {
-		sets := ssc.getStatefulSetsForPod(curPod)
+		sets := ssc.getStatefulSetsForPod(logger, curPod)
 		if len(sets) == 0 {
 			return
 		}
 		logger.V(4).Info("Orphan Pod objectMeta updated", "pod", klog.KObj(curPod), "oldObjectMeta", oldPod.ObjectMeta, "newObjectMeta", curPod.ObjectMeta)
 		for _, set := range sets {
-			ssc.enqueueStatefulSet(set)
+			ssc.enqueueStatefulSet(logger, set)
 		}
 	}
 }
@@ -283,12 +302,12 @@ func (ssc *StatefulSetController) deletePod(logger klog.Logger, obj interface{})
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			utilruntime.HandleError(fmt.Errorf("couldn't get object from tombstone %+v", obj))
+			utilruntime.HandleErrorWithLogger(logger, nil, "Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		pod, ok = tombstone.Obj.(*v1.Pod)
 		if !ok {
-			utilruntime.HandleError(fmt.Errorf("tombstone contained object that is not a pod %+v", obj))
+			utilruntime.HandleErrorWithLogger(logger, nil, "Tombstone contained object that is not a pod", "type", fmt.Sprintf("%T", obj))
 			return
 		}
 	}
@@ -303,7 +322,7 @@ func (ssc *StatefulSetController) deletePod(logger klog.Logger, obj interface{})
 		return
 	}
 	logger.V(4).Info("Pod deleted.", "pod", klog.KObj(pod), "caller", utilruntime.GetCaller())
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 }
 
 // getPodsForStatefulSet returns the Pods that a given StatefulSet should manage.
@@ -365,7 +384,7 @@ func (ssc *StatefulSetController) adoptOrphanRevisions(ctx context.Context, set
 
 // getStatefulSetsForPod returns a list of StatefulSets that potentially match
 // a given pod.
-func (ssc *StatefulSetController) getStatefulSetsForPod(pod *v1.Pod) []*apps.StatefulSet {
+func (ssc *StatefulSetController) getStatefulSetsForPod(logger klog.Logger, pod *v1.Pod) []*apps.StatefulSet {
 	sets, err := ssc.setLister.GetPodStatefulSets(pod)
 	if err != nil {
 		return nil
@@ -378,10 +397,7 @@ func (ssc *StatefulSetController) getStatefulSetsForPod(pod *v1.Pod) []*apps.Sta
 		for _, s := range sets {
 			setNames = append(setNames, s.Name)
 		}
-		utilruntime.HandleError(
-			fmt.Errorf(
-				"user error: more than one StatefulSet is selecting pods with labels: %+v. Sets: %v",
-				pod.Labels, setNames))
+		utilruntime.HandleErrorWithLogger(logger, nil, "More than one StatefulSet is selecting pods with same labels", "podLabels", pod.Labels, "sets", setNames)
 	}
 	return sets
 }
@@ -408,20 +424,20 @@ func (ssc *StatefulSetController) resolveControllerRef(namespace string, control
 }
 
 // enqueueStatefulSet enqueues the given statefulset in the work queue.
-func (ssc *StatefulSetController) enqueueStatefulSet(obj interface{}) {
+func (ssc *StatefulSetController) enqueueStatefulSet(logger klog.Logger, obj interface{}) {
 	key, err := controller.KeyFunc(obj)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("couldn't get key for object %+v: %v", obj, err))
+		utilruntime.HandleErrorWithLogger(logger, err, "Couldn't get key for object", "object", obj)
 		return
 	}
 	ssc.queue.Add(key)
 }
 
 // enqueueStatefulSet enqueues the given statefulset in the work queue after given time
-func (ssc *StatefulSetController) enqueueSSAfter(ss *apps.StatefulSet, duration time.Duration) {
+func (ssc *StatefulSetController) enqueueSSAfter(logger klog.Logger, ss *apps.StatefulSet, duration time.Duration) {
 	key, err := controller.KeyFunc(ss)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("couldn't get key for object %#v: %v", ss, err))
+		utilruntime.HandleErrorWithLogger(logger, err, "Couldn't get key for StatefulSet object", "statefulSet", klog.KObj(ss))
 		return
 	}
 	ssc.queue.AddAfter(key, duration)
@@ -436,7 +452,7 @@ func (ssc *StatefulSetController) processNextWorkItem(ctx context.Context) bool
 	}
 	defer ssc.queue.Done(key)
 	if err := ssc.sync(ctx, key); err != nil {
-		utilruntime.HandleError(fmt.Errorf("error syncing StatefulSet %v, requeuing: %w", key, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Error syncing StatefulSet, requeuing", "key", key)
 		ssc.queue.AddRateLimited(key)
 	} else {
 		ssc.queue.Forget(key)
@@ -452,7 +468,7 @@ func (ssc *StatefulSetController) worker(ctx context.Context) {
 
 // sync syncs the given statefulset.
 func (ssc *StatefulSetController) sync(ctx context.Context, key string) error {
-	startTime := time.Now()
+	startTime := ssc.clock.Now()
 	logger := klog.FromContext(ctx)
 	defer func() {
 		logger.V(4).Info("Finished syncing statefulset", "key", key, "time", time.Since(startTime))
@@ -468,13 +484,13 @@ func (ssc *StatefulSetController) sync(ctx context.Context, key string) error {
 		return nil
 	}
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to retrieve StatefulSet %v from store: %v", key, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Unable to retrieve StatefulSet from store", "key", key)
 		return err
 	}
 
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
 	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("error converting StatefulSet %v selector: %v", key, err))
+		utilruntime.HandleErrorWithContext(ctx, err, "Error converting StatefulSet selector", "key", key)
 		// This is a non-transient error, so don't retry.
 		return nil
 	}
@@ -496,16 +512,27 @@ func (ssc *StatefulSetController) syncStatefulSet(ctx context.Context, set *apps
 	logger := klog.FromContext(ctx)
 	logger.V(4).Info("Syncing StatefulSet with pods", "statefulSet", klog.KObj(set), "pods", len(pods))
 	var status *apps.StatefulSetStatus
+	var nextSyncDuration *time.Duration
 	var err error
-	status, err = ssc.control.UpdateStatefulSet(ctx, set, pods)
+	// Use the same time for calculating status and nextSyncDuration.
+	now := ssc.clock.Now()
+	status, err = ssc.control.UpdateStatefulSet(ctx, set, pods, now)
 	if err != nil {
 		return err
 	}
 	logger.V(4).Info("Successfully synced StatefulSet", "statefulSet", klog.KObj(set))
-	// One more sync to handle the clock skew. This is also helping in requeuing right after status update
-	if set.Spec.MinReadySeconds > 0 && status != nil && status.AvailableReplicas != *set.Spec.Replicas {
-		ssc.enqueueSSAfter(set, time.Duration(set.Spec.MinReadySeconds)*time.Second)
+	// Plan the next availability check as a last line of defense against queue preemption (we have one queue key for checking availability of all the pods)
+	// or early sync (see https://github.com/kubernetes/kubernetes/issues/39785#issuecomment-279959133 for more info).
+	if set.Spec.MinReadySeconds > 0 && status != nil && status.ReadyReplicas != status.AvailableReplicas {
+		// Safeguard fallback to the .spec.minReadySeconds to ensure that we always end up with .status.availableReplicas updated.
+		nextSyncDuration = ptr.To(time.Duration(set.Spec.MinReadySeconds) * time.Second)
+		// Use the same point in time (now) for calculating status and nextSyncDuration to get matching availability for the pods.
+		if nextCheck := controller.FindMinNextPodAvailabilityCheck(pods, set.Spec.MinReadySeconds, now, ssc.clock); nextCheck != nil {
+			nextSyncDuration = nextCheck
+		}
+	}
+	if nextSyncDuration != nil {
+		ssc.enqueueSSAfter(logger, set, *nextSyncDuration)
 	}
-
 	return nil
 }
diff --git a/pkg/controller/statefulset/stateful_set_control.go b/pkg/controller/statefulset/stateful_set_control.go
index 78dd40081e5ea..dd339cc7814fc 100644
--- a/pkg/controller/statefulset/stateful_set_control.go
+++ b/pkg/controller/statefulset/stateful_set_control.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"sort"
 	"sync"
+	"time"
 
 	"k8s.io/klog/v2"
 	"k8s.io/utils/lru"
@@ -33,6 +34,7 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/controller/history"
+	"k8s.io/kubernetes/pkg/controller/statefulset/metrics"
 	"k8s.io/kubernetes/pkg/features"
 )
 
@@ -47,7 +49,7 @@ type StatefulSetControlInterface interface {
 	// If an implementation returns a non-nil error, the invocation will be retried using a rate-limited strategy.
 	// Implementors should sink any errors that they do not wish to trigger a retry, and they may feel free to
 	// exit exceptionally at any point provided they wish the update to be re-run at a later point in time.
-	UpdateStatefulSet(ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod) (*apps.StatefulSetStatus, error)
+	UpdateStatefulSet(ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod, now time.Time) (*apps.StatefulSetStatus, error)
 	// ListRevisions returns a array of the ControllerRevisions that represent the revisions of set. If the returned
 	// error is nil, the returns slice of ControllerRevisions is valid.
 	ListRevisions(set *apps.StatefulSet) ([]*apps.ControllerRevision, error)
@@ -82,7 +84,7 @@ type defaultStatefulSetControl struct {
 // strategy allows these constraints to be relaxed - pods will be created and deleted eagerly and
 // in no particular order. Clients using the burst strategy should be careful to ensure they
 // understand the consistency implications of having unpredictable numbers of pods available.
-func (ssc *defaultStatefulSetControl) UpdateStatefulSet(ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod) (*apps.StatefulSetStatus, error) {
+func (ssc *defaultStatefulSetControl) UpdateStatefulSet(ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod, now time.Time) (*apps.StatefulSetStatus, error) {
 	set = set.DeepCopy() // set is modified when a new revision is created in performUpdate. Make a copy now to avoid mutation errors.
 
 	// list all revisions and sort them
@@ -92,7 +94,7 @@ func (ssc *defaultStatefulSetControl) UpdateStatefulSet(ctx context.Context, set
 	}
 	history.SortControllerRevisions(revisions)
 
-	currentRevision, updateRevision, status, err := ssc.performUpdate(ctx, set, pods, revisions)
+	currentRevision, updateRevision, status, err := ssc.performUpdate(ctx, set, pods, revisions, now)
 	if err != nil {
 		errs := []error{err}
 		if agg, ok := err.(utilerrors.Aggregate); ok {
@@ -106,7 +108,7 @@ func (ssc *defaultStatefulSetControl) UpdateStatefulSet(ctx context.Context, set
 }
 
 func (ssc *defaultStatefulSetControl) performUpdate(
-	ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod, revisions []*apps.ControllerRevision) (*apps.ControllerRevision, *apps.ControllerRevision, *apps.StatefulSetStatus, error) {
+	ctx context.Context, set *apps.StatefulSet, pods []*v1.Pod, revisions []*apps.ControllerRevision, now time.Time) (*apps.ControllerRevision, *apps.ControllerRevision, *apps.StatefulSetStatus, error) {
 	var currentStatus *apps.StatefulSetStatus
 	logger := klog.FromContext(ctx)
 	// get the current, and update revisions
@@ -116,7 +118,7 @@ func (ssc *defaultStatefulSetControl) performUpdate(
 	}
 
 	// perform the main update function and get the status
-	currentStatus, err = ssc.updateStatefulSet(ctx, set, currentRevision, updateRevision, collisionCount, pods)
+	currentStatus, err = ssc.updateStatefulSet(ctx, set, currentRevision, updateRevision, collisionCount, pods, now)
 	if err != nil && currentStatus == nil {
 		return currentRevision, updateRevision, nil, err
 	}
@@ -366,7 +368,7 @@ type replicaStatus struct {
 	updatedReplicas   int32
 }
 
-func computeReplicaStatus(pods []*v1.Pod, minReadySeconds int32, currentRevision, updateRevision *apps.ControllerRevision) replicaStatus {
+func computeReplicaStatus(pods []*v1.Pod, minReadySeconds int32, currentRevision, updateRevision *apps.ControllerRevision, now time.Time) replicaStatus {
 	status := replicaStatus{}
 	for _, pod := range pods {
 		if isCreated(pod) {
@@ -377,7 +379,7 @@ func computeReplicaStatus(pods []*v1.Pod, minReadySeconds int32, currentRevision
 		if isRunningAndReady(pod) {
 			status.readyReplicas++
 			// count the number of running and available replicas
-			if isRunningAndAvailable(pod, minReadySeconds) {
+			if isRunningAndAvailable(pod, minReadySeconds, now) {
 				status.availableReplicas++
 			}
 
@@ -397,14 +399,14 @@ func computeReplicaStatus(pods []*v1.Pod, minReadySeconds int32, currentRevision
 	return status
 }
 
-func updateStatus(status *apps.StatefulSetStatus, minReadySeconds int32, currentRevision, updateRevision *apps.ControllerRevision, podLists ...[]*v1.Pod) {
+func updateStatus(status *apps.StatefulSetStatus, minReadySeconds int32, currentRevision, updateRevision *apps.ControllerRevision, now time.Time, podLists ...[]*v1.Pod) {
 	status.Replicas = 0
 	status.ReadyReplicas = 0
 	status.AvailableReplicas = 0
 	status.CurrentReplicas = 0
 	status.UpdatedReplicas = 0
 	for _, list := range podLists {
-		replicaStatus := computeReplicaStatus(list, minReadySeconds, currentRevision, updateRevision)
+		replicaStatus := computeReplicaStatus(list, minReadySeconds, currentRevision, updateRevision, now)
 		status.Replicas += replicaStatus.replicas
 		status.ReadyReplicas += replicaStatus.readyReplicas
 		status.AvailableReplicas += replicaStatus.availableReplicas
@@ -413,13 +415,7 @@ func updateStatus(status *apps.StatefulSetStatus, minReadySeconds int32, current
 	}
 }
 
-func (ssc *defaultStatefulSetControl) processReplica(
-	ctx context.Context,
-	set *apps.StatefulSet,
-	updateSet *apps.StatefulSet,
-	monotonic bool,
-	replicas []*v1.Pod,
-	i int) (bool, error) {
+func (ssc *defaultStatefulSetControl) processReplica(ctx context.Context, set *apps.StatefulSet, updateSet *apps.StatefulSet, monotonic bool, replicas []*v1.Pod, i int, now time.Time) (bool, error) {
 	logger := klog.FromContext(ctx)
 
 	// Note that pods with phase Succeeded will also trigger this event. This is
@@ -438,13 +434,11 @@ func (ssc *defaultStatefulSetControl) processReplica(
 	}
 	// If we find a Pod that has not been created we create the Pod
 	if !isCreated(replicas[i]) {
-		if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-			if isStale, err := ssc.podControl.PodClaimIsStale(set, replicas[i]); err != nil {
-				return true, err
-			} else if isStale {
-				// If a pod has a stale PVC, no more work can be done this round.
-				return true, err
-			}
+		if isStale, err := ssc.podControl.PodClaimIsStale(set, replicas[i]); err != nil {
+			return true, err
+		} else if isStale {
+			// If a pod has a stale PVC, no more work can be done this round.
+			return true, err
 		}
 		if err := ssc.podControl.CreateStatefulPod(ctx, set, replicas[i]); err != nil {
 			return true, err
@@ -485,21 +479,17 @@ func (ssc *defaultStatefulSetControl) processReplica(
 	// If we have a Pod that has been created but is not available we can not make progress.
 	// We must ensure that all for each Pod, when we create it, all of its predecessors, with respect to its
 	// ordinal, are Available.
-	if !isRunningAndAvailable(replicas[i], set.Spec.MinReadySeconds) && monotonic {
+	if !isRunningAndAvailable(replicas[i], set.Spec.MinReadySeconds, now) && monotonic {
 		logger.V(4).Info("StatefulSet is waiting for Pod to be Available",
 			"statefulSet", klog.KObj(set), "pod", klog.KObj(replicas[i]))
 		return true, nil
 	}
 
 	// Enforce the StatefulSet invariants
-	retentionMatch := true
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		var err error
-		retentionMatch, err = ssc.podControl.ClaimsMatchRetentionPolicy(ctx, updateSet, replicas[i])
-		// An error is expected if the pod is not yet fully updated, and so return is treated as matching.
-		if err != nil {
-			retentionMatch = true
-		}
+	retentionMatch, err := ssc.podControl.ClaimsMatchRetentionPolicy(ctx, updateSet, replicas[i])
+	// An error is expected if the pod is not yet fully updated, and so return is treated as matching.
+	if err != nil {
+		retentionMatch = true
 	}
 
 	if identityMatches(set, replicas[i]) && storageMatches(set, replicas[i]) && retentionMatch {
@@ -515,7 +505,7 @@ func (ssc *defaultStatefulSetControl) processReplica(
 	return false, nil
 }
 
-func (ssc *defaultStatefulSetControl) processCondemned(ctx context.Context, set *apps.StatefulSet, firstUnhealthyPod *v1.Pod, monotonic bool, condemned []*v1.Pod, i int) (bool, error) {
+func (ssc *defaultStatefulSetControl) processCondemned(ctx context.Context, set *apps.StatefulSet, firstUnhealthyPod *v1.Pod, monotonic bool, condemned []*v1.Pod, i int, now time.Time) (bool, error) {
 	logger := klog.FromContext(ctx)
 	if isTerminating(condemned[i]) {
 		// if we are in monotonic mode, block and wait for terminating pods to expire
@@ -533,7 +523,7 @@ func (ssc *defaultStatefulSetControl) processCondemned(ctx context.Context, set
 		return true, nil
 	}
 	// if we are in monotonic mode and the condemned target is not the first unhealthy Pod, block.
-	if !isRunningAndAvailable(condemned[i], set.Spec.MinReadySeconds) && monotonic && condemned[i] != firstUnhealthyPod {
+	if !isRunningAndAvailable(condemned[i], set.Spec.MinReadySeconds, now) && monotonic && condemned[i] != firstUnhealthyPod {
 		logger.V(4).Info("StatefulSet is waiting for Pod to be Available prior to scale down",
 			"statefulSet", klog.KObj(set), "pod", klog.KObj(firstUnhealthyPod))
 		return true, nil
@@ -568,13 +558,7 @@ func runForAll(pods []*v1.Pod, fn func(i int) (bool, error), monotonic bool) (bo
 // all Pods with ordinal less than UpdateStrategy.Partition.Ordinal must be at Status.CurrentRevision and all other
 // Pods must be at Status.UpdateRevision. If the returned error is nil, the returned StatefulSetStatus is valid and the
 // update must be recorded. If the error is not nil, the method should be retried until successful.
-func (ssc *defaultStatefulSetControl) updateStatefulSet(
-	ctx context.Context,
-	set *apps.StatefulSet,
-	currentRevision *apps.ControllerRevision,
-	updateRevision *apps.ControllerRevision,
-	collisionCount int32,
-	pods []*v1.Pod) (*apps.StatefulSetStatus, error) {
+func (ssc *defaultStatefulSetControl) updateStatefulSet(ctx context.Context, set *apps.StatefulSet, currentRevision *apps.ControllerRevision, updateRevision *apps.ControllerRevision, collisionCount int32, pods []*v1.Pod, now time.Time) (*apps.StatefulSetStatus, error) {
 	logger := klog.FromContext(ctx)
 	// get the current and update revisions of the set.
 	currentSet, err := ApplyRevision(set, currentRevision)
@@ -594,7 +578,7 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 	status.CollisionCount = new(int32)
 	*status.CollisionCount = collisionCount
 
-	updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, pods)
+	updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, now, pods)
 
 	replicaCount := int(*set.Spec.Replicas)
 	// slice that will contain all Pods such that getStartOrdinal(set) <= getOrdinal(pod) <= getEndOrdinal(set)
@@ -635,7 +619,7 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 
 	// find the first unhealthy Pod
 	for i := range replicas {
-		if isUnavailable(replicas[i], set.Spec.MinReadySeconds) {
+		if isUnavailable(replicas[i], set.Spec.MinReadySeconds, now) {
 			unavailable++
 			if firstUnavailablePod == nil {
 				firstUnavailablePod = replicas[i]
@@ -645,7 +629,7 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 
 	// or the first unhealthy condemned Pod (condemned are sorted in descending order for ease of use)
 	for i := len(condemned) - 1; i >= 0; i-- {
-		if isUnavailable(condemned[i], set.Spec.MinReadySeconds) {
+		if isUnavailable(condemned[i], set.Spec.MinReadySeconds, now) {
 			unavailable++
 			if firstUnavailablePod == nil {
 				firstUnavailablePod = condemned[i]
@@ -667,29 +651,27 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 
 	// First, process each living replica. Exit if we run into an error or something blocking in monotonic mode.
 	processReplicaFn := func(i int) (bool, error) {
-		return ssc.processReplica(ctx, set, updateSet, monotonic, replicas, i)
+		return ssc.processReplica(ctx, set, updateSet, monotonic, replicas, i, now)
 	}
 	if shouldExit, err := runForAll(replicas, processReplicaFn, monotonic); shouldExit || err != nil {
-		updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, replicas, condemned)
+		updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, now, replicas, condemned)
 		return &status, err
 	}
 
 	// Fix pod claims for condemned pods, if necessary.
-	if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		fixPodClaim := func(i int) (bool, error) {
-			if matchPolicy, err := ssc.podControl.ClaimsMatchRetentionPolicy(ctx, updateSet, condemned[i]); err != nil {
+	fixPodClaim := func(i int) (bool, error) {
+		if matchPolicy, err := ssc.podControl.ClaimsMatchRetentionPolicy(ctx, updateSet, condemned[i]); err != nil {
+			return true, err
+		} else if !matchPolicy {
+			if err := ssc.podControl.UpdatePodClaimForRetentionPolicy(ctx, updateSet, condemned[i]); err != nil {
 				return true, err
-			} else if !matchPolicy {
-				if err := ssc.podControl.UpdatePodClaimForRetentionPolicy(ctx, updateSet, condemned[i]); err != nil {
-					return true, err
-				}
 			}
-			return false, nil
-		}
-		if shouldExit, err := runForAll(condemned, fixPodClaim, monotonic); shouldExit || err != nil {
-			updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, replicas, condemned)
-			return &status, err
 		}
+		return false, nil
+	}
+	if shouldExit, err := runForAll(condemned, fixPodClaim, monotonic); shouldExit || err != nil {
+		updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, now, replicas, condemned)
+		return &status, err
 	}
 
 	// At this point, in monotonic mode all of the current Replicas are Running, Ready and Available,
@@ -699,14 +681,14 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 	// Note that we do not resurrect Pods in this interval. Also note that scaling will take precedence over
 	// updates.
 	processCondemnedFn := func(i int) (bool, error) {
-		return ssc.processCondemned(ctx, set, firstUnavailablePod, monotonic, condemned, i)
+		return ssc.processCondemned(ctx, set, firstUnavailablePod, monotonic, condemned, i, now)
 	}
 	if shouldExit, err := runForAll(condemned, processCondemnedFn, monotonic); shouldExit || err != nil {
-		updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, replicas, condemned)
+		updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, now, replicas, condemned)
 		return &status, err
 	}
 
-	updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, replicas, condemned)
+	updateStatus(&status, set.Spec.MinReadySeconds, currentRevision, updateRevision, now, replicas, condemned)
 
 	// for the OnDelete strategy we short circuit. Pods will be updated when they are manually deleted.
 	if set.Spec.UpdateStrategy.Type == apps.OnDeleteStatefulSetStrategyType {
@@ -720,6 +702,7 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 			replicas,
 			updateRevision,
 			status,
+			now,
 		)
 	}
 
@@ -745,7 +728,7 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 		}
 
 		// wait for unavailable Pods on update
-		if isUnavailable(replicas[target], set.Spec.MinReadySeconds) {
+		if isUnavailable(replicas[target], set.Spec.MinReadySeconds, now) {
 			logger.V(4).Info("StatefulSet is waiting for Pod to update",
 				"statefulSet", klog.KObj(set), "pod", klog.KObj(replicas[target]))
 			return &status, nil
@@ -755,18 +738,11 @@ func (ssc *defaultStatefulSetControl) updateStatefulSet(
 	return &status, nil
 }
 
-func updateStatefulSetAfterInvariantEstablished(
-	ctx context.Context,
-	ssc *defaultStatefulSetControl,
-	set *apps.StatefulSet,
-	replicas []*v1.Pod,
-	updateRevision *apps.ControllerRevision,
-	status apps.StatefulSetStatus,
-) (*apps.StatefulSetStatus, error) {
+func updateStatefulSetAfterInvariantEstablished(ctx context.Context, ssc *defaultStatefulSetControl, set *apps.StatefulSet, replicas []*v1.Pod, updateRevision *apps.ControllerRevision, status apps.StatefulSetStatus, now time.Time) (*apps.StatefulSetStatus, error) {
 
 	logger := klog.FromContext(ctx)
 	replicaCount := int(*set.Spec.Replicas)
-
+	podManagementPolicy := string(set.Spec.PodManagementPolicy)
 	// we compute the minimum ordinal of the target sequence for a destructive update based on the strategy.
 	updateMin := 0
 	maxUnavailable := 1
@@ -788,17 +764,23 @@ func updateStatefulSetAfterInvariantEstablished(
 	// (MaxUnavailable - Unavailable) Pods, in order with respect to their ordinal for termination. Delete
 	// those pods and count the successful deletions. Update the status with the correct number of deletions.
 	unavailablePods := 0
+
 	for target := len(replicas) - 1; target >= 0; target-- {
-		if isUnavailable(replicas[target], set.Spec.MinReadySeconds) {
+		if isUnavailable(replicas[target], set.Spec.MinReadySeconds, now) {
 			unavailablePods++
 		}
 	}
+	metrics.UnavailableReplicas.WithLabelValues(set.Namespace, set.Name, podManagementPolicy).Set(float64(unavailablePods))
 
 	if unavailablePods >= maxUnavailable {
-		logger.V(2).Info("StatefulSet found unavailablePods, more than or equal to allowed maxUnavailable",
-			"statefulSet", klog.KObj(set),
-			"unavailablePods", unavailablePods,
-			"maxUnavailable", maxUnavailable)
+		// log only when a true violation occurs.
+		if unavailablePods > maxUnavailable {
+			logger.V(4).Info("StatefulSet found unavailablePods, more than the allowed maxUnavailable",
+				"statefulSet", klog.KObj(set),
+				"unavailablePods", unavailablePods,
+				"maxUnavailable", maxUnavailable)
+		}
+
 		return &status, nil
 	}
 
@@ -809,9 +791,9 @@ func updateStatefulSetAfterInvariantEstablished(
 	deletedPods := 0
 	for target := len(replicas) - 1; target >= updateMin && deletedPods < podsToDelete; target-- {
 
-		// delete the Pod if it is healthy and the revision doesnt match the target
+		// delete the Pod if it is healthy and the revision does not match the target
 		if getPodRevision(replicas[target]) != updateRevision.Name && !isTerminating(replicas[target]) {
-			// delete the Pod if it is healthy and the revision doesnt match the target
+			// delete the Pod if it is healthy and the revision does not match the target
 			logger.V(2).Info("StatefulSet terminating Pod for update",
 				"statefulSet", klog.KObj(set),
 				"pod", klog.KObj(replicas[target]))
@@ -837,6 +819,21 @@ func (ssc *defaultStatefulSetControl) updateStatefulSetStatus(
 	// complete any in progress rolling update if necessary
 	completeRollingUpdate(set, status)
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.MaxUnavailableStatefulSet) {
+		// Update metrics - this ensures metrics are always updated regardless of update strategy
+		podManagementPolicy := string(set.Spec.PodManagementPolicy)
+		replicaCount := int(*set.Spec.Replicas)
+
+		var err error
+		maxUnavailable := 1
+		if set.Spec.UpdateStrategy.RollingUpdate != nil {
+			maxUnavailable, err = getStatefulSetMaxUnavailable(set.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable, replicaCount)
+			if err != nil {
+				return err
+			}
+		}
+		metrics.MaxUnavailable.WithLabelValues(set.Namespace, set.Name, podManagementPolicy).Set(float64(maxUnavailable))
+	}
 	// if the status is not inconsistent do not perform an update
 	if !inconsistentStatus(set, status) {
 		return nil
diff --git a/pkg/controller/statefulset/stateful_set_control_test.go b/pkg/controller/statefulset/stateful_set_control_test.go
index a1c6356f52b80..734572e86d4c3 100644
--- a/pkg/controller/statefulset/stateful_set_control_test.go
+++ b/pkg/controller/statefulset/stateful_set_control_test.go
@@ -42,7 +42,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	utilversion "k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	appsinformers "k8s.io/client-go/informers/apps/v1"
@@ -52,9 +51,11 @@ import (
 	corelisters "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/component-base/metrics/testutil"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/history"
+	"k8s.io/kubernetes/pkg/controller/statefulset/metrics"
 	"k8s.io/kubernetes/pkg/features"
 )
 
@@ -99,14 +100,7 @@ func setMinReadySeconds(set *apps.StatefulSet, minReadySeconds int32) *apps.Stat
 }
 
 func runTestOverPVCRetentionPolicies(t *testing.T, testName string, testFn func(*testing.T, *apps.StatefulSetPersistentVolumeClaimRetentionPolicy)) {
-	subtestName := "StatefulSetAutoDeletePVCDisabled"
-	if testName != "" {
-		subtestName = fmt.Sprintf("%s/%s", testName, subtestName)
-	}
-	t.Run(subtestName, func(t *testing.T) {
-		// TODO: this will be removed in 1.35
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.31"))
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, false)
+	t.Run(testName, func(t *testing.T) {
 		testFn(t, &apps.StatefulSetPersistentVolumeClaimRetentionPolicy{
 			WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
 			WhenDeleted: apps.RetainPersistentVolumeClaimRetentionPolicyType,
@@ -132,7 +126,7 @@ func runTestOverPVCRetentionPolicies(t *testing.T, testName string, testFn func(
 		// tests the case when no policy is set.
 		nil,
 	} {
-		subtestName := pvcDeletePolicyString(policy) + "/StatefulSetAutoDeletePVCEnabled"
+		subtestName := pvcDeletePolicyString(policy)
 		if testName != "" {
 			subtestName = fmt.Sprintf("%s/%s", testName, subtestName)
 		}
@@ -169,8 +163,7 @@ func TestStatefulSetControl(t *testing.T) {
 		fn  func(*testing.T, *apps.StatefulSet, invariantFunc)
 		obj func() *apps.StatefulSet
 	}{
-		{CreatesPodsWithPodIndexLabelFeature, simpleSetFn},
-		{CreatesPodsWithoutPodIndexLabelFeature, simpleSetFn},
+		{CreatePods, simpleSetFn},
 		{ScalesUp, simpleSetFn},
 		{ScalesDown, simpleSetFn},
 		{ReplacesPods, largeSetFn},
@@ -213,20 +206,7 @@ func TestStatefulSetControl(t *testing.T) {
 	}
 }
 
-func CreatesPodsWithPodIndexLabelFeature(t *testing.T, set *apps.StatefulSet, invariants invariantFunc) {
-	createPods(t, set, invariants, true)
-}
-
-func CreatesPodsWithoutPodIndexLabelFeature(t *testing.T, set *apps.StatefulSet, invariants invariantFunc) {
-	createPods(t, set, invariants, false)
-}
-
-func createPods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc, isPodIndexLabelEnabled bool) {
-	if !isPodIndexLabelEnabled {
-		// TODO: this will be removed in 1.35
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.31"))
-	}
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodIndexLabel, isPodIndexLabelEnabled)
+func CreatePods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc) {
 	client := fake.NewSimpleClientset(set)
 	om, _, ssc := setupController(client)
 
@@ -261,22 +241,14 @@ func createPods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc, i
 		t.Errorf("Expected 3 pods, got %d", len(pods))
 	}
 	for _, pod := range pods {
-		if isPodIndexLabelEnabled {
-			podIndexFromLabel, exists := pod.Labels[apps.PodIndexLabel]
-			if !exists {
-				t.Errorf("Missing pod index label: %s", apps.PodIndexLabel)
-				continue
-			}
-			podIndexFromName := strconv.Itoa(getOrdinal(pod))
-			if podIndexFromLabel != podIndexFromName {
-				t.Errorf("Pod index label value (%s) does not match pod index in pod name (%s)", podIndexFromLabel, podIndexFromName)
-			}
-		} else {
-			_, exists := pod.Labels[apps.PodIndexLabel]
-			if exists {
-				t.Errorf("Pod index label should not exist when feature gate is disabled: %s", apps.PodIndexLabel)
-				continue
-			}
+		podIndexFromLabel, exists := pod.Labels[apps.PodIndexLabel]
+		if !exists {
+			t.Errorf("Missing pod index label: %s", apps.PodIndexLabel)
+			continue
+		}
+		podIndexFromName := strconv.Itoa(getOrdinal(pod))
+		if podIndexFromLabel != podIndexFromName {
+			t.Errorf("Pod index label value (%s) does not match pod index in pod name (%s)", podIndexFromLabel, podIndexFromName)
 		}
 	}
 }
@@ -387,7 +359,7 @@ func ReplacesPods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc)
 		if err != nil {
 			t.Error(err)
 		}
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			t.Errorf("Failed to update StatefulSet : %s", err)
 		}
 		set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -397,14 +369,14 @@ func ReplacesPods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc)
 		if pods, err = om.setPodRunning(set, i); err != nil {
 			t.Error(err)
 		}
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			t.Errorf("Failed to update StatefulSet : %s", err)
 		}
 		set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
 		if err != nil {
 			t.Fatalf("Error getting updated StatefulSet: %v", err)
 		}
-		if _, err = om.setPodReady(set, i); err != nil {
+		if _, err = om.setPodReadyCondition(set, i, true); err != nil {
 			t.Error(err)
 		}
 	}
@@ -412,7 +384,7 @@ func ReplacesPods(t *testing.T, set *apps.StatefulSet, invariants invariantFunc)
 	if err != nil {
 		t.Error(err)
 	}
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Failed to update StatefulSet : %s", err)
 	}
 	set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -436,7 +408,7 @@ func recreatesPod(t *testing.T, set *apps.StatefulSet, invariants invariantFunc,
 	if err != nil {
 		t.Error(err)
 	}
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Error updating StatefulSet %s", err)
 	}
 	if err := invariants(set, om); err != nil {
@@ -470,7 +442,7 @@ func recreatesPod(t *testing.T, set *apps.StatefulSet, invariants invariantFunc,
 		// Expect pod deletion failure
 		om.SetDeleteStatefulPodError(apierrors.NewInternalError(errors.New("API server failed")), 0)
 		expectedNumOfDeleteRequests++
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); !isOrHasInternalError(err) {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); !isOrHasInternalError(err) {
 			t.Errorf("StatefulSetControl did not return InternalError, found %s", err)
 		}
 		if err := invariants(set, om); err != nil {
@@ -486,7 +458,7 @@ func recreatesPod(t *testing.T, set *apps.StatefulSet, invariants invariantFunc,
 
 	// Expect pod deletion
 	expectedNumOfDeleteRequests++
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Error updating StatefulSet %s", err)
 	}
 	if err := invariants(set, om); err != nil {
@@ -500,7 +472,7 @@ func recreatesPod(t *testing.T, set *apps.StatefulSet, invariants invariantFunc,
 	}
 
 	// Expect no additional delete calls and expect pod creation
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Error updating StatefulSet %s", err)
 	}
 	if err := invariants(set, om); err != nil {
@@ -612,7 +584,7 @@ func UpdatePodFailure(t *testing.T, set *apps.StatefulSet, invariants invariantF
 	om.podsIndexer.Update(pods[0])
 
 	// now it should fail
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); !isOrHasInternalError(err) {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); !isOrHasInternalError(err) {
 		t.Errorf("StatefulSetControl did not return InternalError, found %s", err)
 	}
 }
@@ -685,7 +657,7 @@ func NewRevisionDeletePodFailure(t *testing.T, set *apps.StatefulSet, invariants
 
 	// delete fails
 	om.SetDeleteStatefulPodError(apierrors.NewInternalError(errors.New("API server failed")), 0)
-	_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err == nil {
 		t.Error("Expected err in update StatefulSet when deleting a pod")
 	}
@@ -706,7 +678,7 @@ func NewRevisionDeletePodFailure(t *testing.T, set *apps.StatefulSet, invariants
 
 	// delete works
 	om.SetDeleteStatefulPodError(nil, 0)
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("Unexpected err in update StatefulSet: %v", err)
 	}
@@ -795,7 +767,7 @@ func RecreatesPVCForPendingPod(t *testing.T, set *apps.StatefulSet, invariants i
 	if err != nil {
 		t.Error(err)
 	}
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Error updating StatefulSet %s", err)
 	}
 	if err := invariants(set, om); err != nil {
@@ -810,7 +782,7 @@ func RecreatesPVCForPendingPod(t *testing.T, set *apps.StatefulSet, invariants i
 	}
 	pods[0].Status.Phase = v1.PodPending
 	om.podsIndexer.Update(pods[0])
-	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		t.Errorf("Error updating StatefulSet %s", err)
 	}
 	// invariants check if there any missing PVCs for the Pods
@@ -1018,12 +990,11 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 			t.Fatalf("Expected create pods 4/5, got pods %v", len(pods))
 		}
 
-		// if pod 4 ready, start to update pod 3, even though 5 is not ready
+		// if pod 4 ready, start to update pod 3.
 		spc.setPodRunning(set, 4)
-		spc.setPodRunning(set, 5)
-		originalPods, _ := spc.setPodReady(set, 4)
+		originalPods, _ := spc.setPodReadyCondition(set, 4, true)
 		sort.Sort(ascendingOrdinal(originalPods))
-		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, originalPods); err != nil {
+		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, originalPods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err := spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1037,7 +1008,7 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 		}
 
 		// create new pod 3
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1063,10 +1034,10 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 			t.Fatalf("Expected create pods 5, got pods %v", len(pods))
 		}
 		spc.setPodRunning(set, 4)
-		pods, _ = spc.setPodReady(set, 4)
+		spc.setPodReadyCondition(set, 4, true)
 
-		// create new pods 4(only one pod gets created at a time due to OrderedReady)
-		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		// create new pod 4 (only one pod gets created at a time due to OrderedReady)
+		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err := spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1074,37 +1045,9 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		if len(pods) != totalPods {
-			t.Fatalf("Expected create pods 4, got pods %v", len(pods))
-		}
-		// if pod 4 ready, start to update pod 3
-		spc.setPodRunning(set, 5)
-		originalPods, _ := spc.setPodReady(set, 5)
-		sort.Sort(ascendingOrdinal(originalPods))
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, originalPods); err != nil {
-			t.Fatal(err)
-		}
-		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
-		if err != nil {
-			t.Fatal(err)
-		}
-		sort.Sort(ascendingOrdinal(pods))
-
-		// verify the remaining pods are 0,1,2,4,5 (3 got deleted)
-		if !reflect.DeepEqual(pods, append(originalPods[:3], originalPods[4:]...)) {
-			t.Fatalf("Expected pods %v, got pods %v", append(originalPods[:3], originalPods[4:]...), pods)
-		}
-
-		// create new pod 3
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
-			t.Fatal(err)
-		}
-		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if len(pods) != totalPods {
-			t.Fatalf("Expected create pods 2/3, got pods %v", pods)
+		// In OrderedReady mode, only 4 pods exist at this point (pod 5 not created yet)
+		if len(pods) != totalPods-1 {
+			t.Fatalf("Expected create pods %d, got pods %v", totalPods-1, len(pods))
 		}
 
 		return pods
@@ -1163,7 +1106,7 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 		sort.Sort(ascendingOrdinal(originalPods))
 
 		// since maxUnavailable is 2, update pods 4 and 5, this will delete the pod 4 and 5,
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, originalPods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, originalPods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err := spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1179,7 +1122,7 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 		}
 
 		// create new pods
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1192,10 +1135,10 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailable(t *testing.T) {
 		// pods 3/4/5 ready, should not update other pods
 		spc.setPodRunning(set, 3)
 		spc.setPodRunning(set, 5)
-		spc.setPodReady(set, 5)
-		originalPods, _ = spc.setPodReady(set, 3)
+		spc.setPodReadyCondition(set, 5, true)
+		originalPods, _ = spc.setPodReadyCondition(set, 3, true)
 		sort.Sort(ascendingOrdinal(originalPods))
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, originalPods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, originalPods, time.Now()); err != nil {
 			t.Fatal(err)
 		}
 		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
@@ -1291,7 +1234,7 @@ func TestStatefulSetControlRollingUpdateWithMaxUnavailableInOrderedModeVerifyInv
 
 			// try to update the statefulset
 			// this function is only called in main code when feature gate is enabled
-			if _, err = updateStatefulSetAfterInvariantEstablished(context.TODO(), ssc.(*defaultStatefulSetControl), set, originalPods, updateRevision, status); err != nil {
+			if _, err = updateStatefulSetAfterInvariantEstablished(context.TODO(), ssc.(*defaultStatefulSetControl), set, originalPods, updateRevision, status, time.Now()); err != nil {
 				t.Fatal(err)
 			}
 			pods, err := spc.podsLister.Pods(set.Namespace).List(selector)
@@ -2026,7 +1969,7 @@ func TestStatefulSetControlLimitsHistory(t *testing.T) {
 			if err != nil {
 				t.Fatalf("%s: %s", test.name, err)
 			}
-			_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+			_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 			if err != nil {
 				t.Fatalf("%s: %s", test.name, err)
 			}
@@ -2393,7 +2336,7 @@ func TestStatefulSetAvailability(t *testing.T) {
 		if err != nil {
 			t.Fatalf("%s: %s", test.name, err)
 		}
-		status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+		status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 		if err != nil {
 			t.Fatalf("%s: %s", test.name, err)
 		}
@@ -2464,7 +2407,7 @@ func TestStatefulSetStatusUpdate(t *testing.T) {
 			if err != nil {
 				t.Error(err)
 			}
-			_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+			_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 			if ssu.updateStatusTracker.requests != 1 {
 				t.Errorf("Did not update status")
 			}
@@ -2691,7 +2634,7 @@ func (om *fakeObjectManager) setPodRunning(set *apps.StatefulSet, ordinal int) (
 	return om.podsLister.Pods(set.Namespace).List(selector)
 }
 
-func (om *fakeObjectManager) setPodReady(set *apps.StatefulSet, ordinal int) ([]*v1.Pod, error) {
+func (om *fakeObjectManager) setPodReadyCondition(set *apps.StatefulSet, ordinal int, ready bool) ([]*v1.Pod, error) {
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
 	if err != nil {
 		return nil, err
@@ -2702,9 +2645,15 @@ func (om *fakeObjectManager) setPodReady(set *apps.StatefulSet, ordinal int) ([]
 	}
 	pod := findPodByOrdinal(pods, ordinal)
 	if pod == nil {
-		return nil, fmt.Errorf("setPodReady: pod ordinal %d not found", ordinal)
+		return nil, fmt.Errorf("setPodReadyCondition: pod ordinal %d not found", ordinal)
 	}
-	condition := v1.PodCondition{Type: v1.PodReady, Status: v1.ConditionTrue}
+	var condition v1.PodCondition
+	if ready {
+		condition = v1.PodCondition{Type: v1.PodReady, Status: v1.ConditionTrue}
+	} else {
+		condition = v1.PodCondition{Type: v1.PodReady, Status: v1.ConditionFalse}
+	}
+
 	podutil.UpdatePodCondition(&pod.Status, &condition)
 	fakeResourceVersion(pod)
 	om.podsIndexer.Update(pod)
@@ -2930,7 +2879,7 @@ func checkClaimInvarients(set *apps.StatefulSet, pod *v1.Pod, claim *v1.Persiste
 		WhenScaled:  apps.RetainPersistentVolumeClaimRetentionPolicyType,
 		WhenDeleted: apps.RetainPersistentVolumeClaimRetentionPolicyType,
 	}
-	if set.Spec.PersistentVolumeClaimRetentionPolicy != nil && utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
+	if set.Spec.PersistentVolumeClaimRetentionPolicy != nil {
 		policy = *set.Spec.PersistentVolumeClaimRetentionPolicy
 	}
 	claimShouldBeRetained := policy.WhenScaled == apps.RetainPersistentVolumeClaimRetentionPolicyType
@@ -3128,7 +3077,7 @@ func parallelScaleUpStatefulSetControl(set *apps.StatefulSet,
 		}
 
 		// run the controller once and check invariants
-		_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+		_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 		if err != nil {
 			return err
 		}
@@ -3164,14 +3113,14 @@ func parallelScaleDownStatefulSetControl(set *apps.StatefulSet, ssc StatefulSetC
 			return err
 		}
 		sort.Sort(ascendingOrdinal(pods))
-		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			return err
 		}
 		set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
 		if err != nil {
 			return err
 		}
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			return err
 		}
 	}
@@ -3222,7 +3171,7 @@ func scaleUpStatefulSetControl(set *apps.StatefulSet,
 					return err
 				}
 			case v1.PodRunning:
-				if pods, err = om.setPodReady(set, getOrdinal(pod)); err != nil {
+				if pods, err = om.setPodReadyCondition(set, getOrdinal(pod), true); err != nil {
 					return err
 				}
 			default:
@@ -3230,7 +3179,7 @@ func scaleUpStatefulSetControl(set *apps.StatefulSet,
 			}
 		}
 		// run the controller once and check invariants
-		_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+		_, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 		if err != nil {
 			return err
 		}
@@ -3258,7 +3207,7 @@ func scaleDownStatefulSetControl(set *apps.StatefulSet, ssc StatefulSetControlIn
 		}
 		sort.Sort(ascendingOrdinal(pods))
 		if idx := len(pods) - 1; idx >= 0 {
-			if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+			if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 				return err
 			}
 			set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -3268,7 +3217,7 @@ func scaleDownStatefulSetControl(set *apps.StatefulSet, ssc StatefulSetControlIn
 			if pods, err = om.addTerminatingPod(set, getOrdinal(pods[idx])); err != nil {
 				return err
 			}
-			if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+			if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 				return err
 			}
 			set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -3285,7 +3234,7 @@ func scaleDownStatefulSetControl(set *apps.StatefulSet, ssc StatefulSetControlIn
 				om.podsIndexer.Delete(pods[len(pods)-1])
 			}
 		}
-		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			return err
 		}
 		set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -3378,7 +3327,7 @@ func updateStatefulSetControl(set *apps.StatefulSet,
 	if err != nil {
 		return err
 	}
-	if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+	if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 		return err
 	}
 
@@ -3418,7 +3367,7 @@ func updateStatefulSetControl(set *apps.StatefulSet,
 					return err
 				}
 			case v1.PodRunning:
-				if pods, err = om.setPodReady(set, getOrdinal(pod)); err != nil {
+				if pods, err = om.setPodReadyCondition(set, getOrdinal(pod), true); err != nil {
 					return err
 				}
 			default:
@@ -3426,7 +3375,7 @@ func updateStatefulSetControl(set *apps.StatefulSet,
 			}
 		}
 
-		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods); err != nil {
+		if _, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now()); err != nil {
 			return err
 		}
 		set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name)
@@ -3504,7 +3453,7 @@ func TestStatefulSetRollingUpdateRespectsMinReadySeconds(t *testing.T) {
 	}
 
 	// Perform update - should be blocked because pods haven't been ready for 30 seconds
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3534,7 +3483,7 @@ func TestStatefulSetRollingUpdateRespectsMinReadySeconds(t *testing.T) {
 	}
 
 	// Perform update again - now should proceed
-	status, err = ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err = ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3588,7 +3537,7 @@ func TestStatefulSetScaleDownRespectsMinReadySeconds(t *testing.T) {
 	}
 
 	// Scale down should be blocked because pods haven't been available for 30 seconds
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3651,7 +3600,7 @@ func TestStatefulSetOnDeleteStrategyIgnoresMinReadySeconds(t *testing.T) {
 	}
 
 	// OnDelete strategy should complete regardless of MinReadySeconds
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3696,7 +3645,7 @@ func TestStatefulSetZeroMinReadySeconds(t *testing.T) {
 	}
 
 	// With zero MinReadySeconds, pods should be immediately available
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3746,7 +3695,7 @@ func TestStatefulSetPartitionRollingUpdateWithMinReadySeconds(t *testing.T) {
 	}
 
 	// Rolling update should be blocked because pods haven't been available for 30 seconds
-	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods)
+	status, err := ssc.UpdateStatefulSet(context.TODO(), set, pods, time.Now())
 	if err != nil {
 		t.Fatalf("failed to update StatefulSet: %s", err)
 	}
@@ -3764,3 +3713,255 @@ func TestStatefulSetPartitionRollingUpdateWithMinReadySeconds(t *testing.T) {
 		t.Errorf("expected 4 pods to still exist (partition update blocked), got %d", len(newPods))
 	}
 }
+
+func TestStatefulSetMetrics(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MaxUnavailableStatefulSet, true)
+	metrics.Register()
+
+	type testcase struct {
+		name                             string
+		totalPods                        int32
+		maxUnavailable                   *intstr.IntOrString
+		updateStrategy                   apps.StatefulSetUpdateStrategyType
+		podManagementPolicy              apps.PodManagementPolicyType
+		unavailablePodCount              int
+		expectedMaxUnavailableValue      int
+		expectedUnavailableReplicasValue int
+	}
+
+	testFn := func(test *testcase, t *testing.T) {
+
+		// Create StatefulSet
+		set := newStatefulSet(test.totalPods)
+		if test.updateStrategy == apps.RollingUpdateStatefulSetStrategyType {
+			var partition int32 = 0
+			set.Spec.UpdateStrategy = apps.StatefulSetUpdateStrategy{
+				Type: apps.RollingUpdateStatefulSetStrategyType,
+				RollingUpdate: &apps.RollingUpdateStatefulSetStrategy{
+					Partition:      &partition,
+					MaxUnavailable: test.maxUnavailable,
+				},
+			}
+		} else {
+			set.Spec.UpdateStrategy = apps.StatefulSetUpdateStrategy{
+				Type: test.updateStrategy,
+			}
+		}
+		set = setupPodManagementPolicy(test.podManagementPolicy, set)
+		set.Status.CollisionCount = new(int32)
+
+		// Setup controller
+		client := fake.NewClientset(set)
+		spc, _, ssc := setupController(client)
+
+		// Scale up StatefulSet
+		if err := scaleUpStatefulSetControl(set, ssc, spc, assertBurstInvariants); err != nil {
+			t.Fatal(err)
+		}
+		set, err := spc.setsLister.StatefulSets(set.Namespace).Get(set.Name)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Change the image to trigger an update
+		set.Spec.Template.Spec.Containers[0].Image = "foo"
+
+		// Get selector
+		selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Make some pods unavailable
+		var pods []*v1.Pod
+		for i := 0; i < test.unavailablePodCount; i++ {
+			if test.podManagementPolicy == apps.OrderedReadyPodManagement {
+				_, _ = spc.setPodRunning(set, i)
+				pods, _ = spc.setPodReadyCondition(set, i, false)
+			} else {
+				pods, _ = spc.addTerminatingPod(set, i)
+			}
+		}
+
+		// Make remaining pods ready
+		for i := test.unavailablePodCount; i < int(test.totalPods); i++ {
+			_, _ = spc.setPodRunning(set, i)
+			pods, _ = spc.setPodReadyCondition(set, i, true)
+		}
+		sort.Sort(ascendingOrdinal(pods))
+
+		// Update StatefulSet
+		// Calculate ready replicas based on the test setup
+		readyReplicas := test.totalPods - int32(test.unavailablePodCount)
+		status := apps.StatefulSetStatus{
+			Replicas:      test.totalPods,
+			ReadyReplicas: readyReplicas,
+		}
+		updateRevision := &apps.ControllerRevision{}
+		_, err = updateStatefulSetAfterInvariantEstablished(context.TODO(), ssc.(*defaultStatefulSetControl), set, pods, updateRevision, status, time.Now())
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Also call updateStatefulSetStatus to ensure metrics are updated
+		err = ssc.(*defaultStatefulSetControl).updateStatefulSetStatus(context.TODO(), set, &status)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Get updated pods
+		pods, err = spc.podsLister.Pods(set.Namespace).List(selector)
+		if err != nil {
+			t.Fatal(err)
+		}
+		sort.Sort(ascendingOrdinal(pods))
+
+		// Verify metrics
+		maxUnavailableValue, err := testutil.GetGaugeMetricValue(
+			metrics.MaxUnavailable.WithLabelValues(set.Namespace, set.Name, string(test.podManagementPolicy)))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if int(maxUnavailableValue) != test.expectedMaxUnavailableValue {
+			t.Errorf("Expected MaxUnavailable gauge value %d, got %d", test.expectedMaxUnavailableValue, int(maxUnavailableValue))
+		}
+
+		unavailableReplicasValue, err := testutil.GetGaugeMetricValue(
+			metrics.UnavailableReplicas.WithLabelValues(set.Namespace, set.Name, string(test.podManagementPolicy)))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if int(unavailableReplicasValue) != test.expectedUnavailableReplicasValue {
+			t.Errorf("Expected UnavailableReplicas gauge value %d, got %d", test.expectedUnavailableReplicasValue, int(unavailableReplicasValue))
+		}
+	}
+
+	tests := []testcase{
+		{
+			name:                             "ordered pods within limit",
+			totalPods:                        5,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.Int, IntVal: 2},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              1,
+			expectedMaxUnavailableValue:      2,
+			expectedUnavailableReplicasValue: 1,
+		},
+		{
+			name:                             "parallel pods exceeding limit",
+			totalPods:                        10,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.String, StrVal: "20%"},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              3, // (20% of 10), violation but gauge shows current values
+			expectedMaxUnavailableValue:      2,
+			expectedUnavailableReplicasValue: 3,
+		},
+		{
+			name:                             "ordered pods exactly at limit",
+			totalPods:                        6,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.Int, IntVal: 3},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              3, // exactly at limit
+			expectedMaxUnavailableValue:      3,
+			expectedUnavailableReplicasValue: 3,
+		},
+		{
+			name:                             "parallel pods all available",
+			totalPods:                        4,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.Int, IntVal: 1},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              0, // all pods available
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 0,
+		},
+		{
+			name:                             "ordered pods with percentage maxUnavailable",
+			totalPods:                        8,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.String, StrVal: "25%"},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              1, // (25% of 8), within limit
+			expectedMaxUnavailableValue:      2,
+			expectedUnavailableReplicasValue: 1,
+		},
+		{
+			name:                             "parallel pods with large percentage",
+			totalPods:                        5,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.String, StrVal: "80%"},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              4, // (80% of 5), exactly at limit
+			expectedMaxUnavailableValue:      4,
+			expectedUnavailableReplicasValue: 4,
+		},
+		{
+			name:                             "small statefulset with maxUnavailable 1",
+			totalPods:                        2,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.Int, IntVal: 1},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              1, // exactly at limit
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 1,
+		},
+		{
+			name:                             "single pod statefulset",
+			totalPods:                        1,
+			maxUnavailable:                   &intstr.IntOrString{Type: intstr.Int, IntVal: 1},
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              1, // single pod unavailable
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 1,
+		},
+		{
+			name:                             "OnDelete strategy defaults to maxUnavailable 1",
+			totalPods:                        3,
+			maxUnavailable:                   nil, // OnDelete doesn't use maxUnavailable
+			updateStrategy:                   apps.OnDeleteStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              2,
+			expectedMaxUnavailableValue:      1, // default value
+			expectedUnavailableReplicasValue: 2,
+		},
+		{
+			name:                             "OnDelete strategy with parallel management",
+			totalPods:                        4,
+			maxUnavailable:                   nil, // OnDelete doesn't use maxUnavailable
+			updateStrategy:                   apps.OnDeleteStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              1,
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 1,
+		},
+		{
+			name:                             "RollingUpdate with nil maxUnavailable defaults to 1",
+			totalPods:                        5,
+			maxUnavailable:                   nil, // nil should default to 1
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.OrderedReadyPodManagement,
+			unavailablePodCount:              2,
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 2,
+		},
+		{
+			name:                             "RollingUpdate with nil maxUnavailable and parallel pods",
+			totalPods:                        6,
+			maxUnavailable:                   nil, // nil should default to 1
+			updateStrategy:                   apps.RollingUpdateStatefulSetStrategyType,
+			podManagementPolicy:              apps.ParallelPodManagement,
+			unavailablePodCount:              0,
+			expectedMaxUnavailableValue:      1,
+			expectedUnavailableReplicasValue: 0,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			testFn(&test, t)
+		})
+	}
+}
diff --git a/pkg/controller/statefulset/stateful_set_status_updater.go b/pkg/controller/statefulset/stateful_set_status_updater.go
index a71c5455148de..409ad92e20fc3 100644
--- a/pkg/controller/statefulset/stateful_set_status_updater.go
+++ b/pkg/controller/statefulset/stateful_set_status_updater.go
@@ -18,7 +18,6 @@ package statefulset
 
 import (
 	"context"
-	"fmt"
 
 	apps "k8s.io/api/apps/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -26,6 +25,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	appslisters "k8s.io/client-go/listers/apps/v1"
 	"k8s.io/client-go/util/retry"
+	"k8s.io/klog/v2"
 )
 
 // StatefulSetStatusUpdaterInterface is an interface used to update the StatefulSetStatus associated with a StatefulSet.
@@ -53,6 +53,7 @@ func (ssu *realStatefulSetStatusUpdater) UpdateStatefulSetStatus(
 	ctx context.Context,
 	set *apps.StatefulSet,
 	status *apps.StatefulSetStatus) error {
+	logger := klog.FromContext(ctx)
 	// don't wait due to limited number of clients, but backoff after the default number of steps
 	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		set.Status = *status
@@ -65,7 +66,7 @@ func (ssu *realStatefulSetStatusUpdater) UpdateStatefulSetStatus(
 			// make a copy so we don't mutate the shared cache
 			set = updated.DeepCopy()
 		} else {
-			utilruntime.HandleError(fmt.Errorf("error getting updated StatefulSet %s/%s from lister: %v", set.Namespace, set.Name, err))
+			utilruntime.HandleErrorWithLogger(logger, nil, "Error getting updated StatefulSet from lister", "StatefulSet", klog.KObj(set))
 		}
 
 		return updateErr
diff --git a/pkg/controller/statefulset/stateful_set_test.go b/pkg/controller/statefulset/stateful_set_test.go
index 8cd5875251800..cad55da0445ad 100644
--- a/pkg/controller/statefulset/stateful_set_test.go
+++ b/pkg/controller/statefulset/stateful_set_test.go
@@ -23,6 +23,9 @@ import (
 	"fmt"
 	"sort"
 	"testing"
+	"time"
+
+	"github.com/onsi/gomega"
 
 	apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@@ -37,9 +40,9 @@ import (
 	core "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
-	"k8s.io/klog/v2/ktesting"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/history"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 var parentKind = apps.SchemeGroupVersion.WithKind("StatefulSet")
@@ -166,7 +169,7 @@ func TestStatefulSetControllerBlocksScaling(t *testing.T) {
 	if err != nil {
 		t.Error("Failed to set pod terminated at ordinal 0")
 	}
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
 	if err != nil {
@@ -181,7 +184,7 @@ func TestStatefulSetControllerBlocksScaling(t *testing.T) {
 	}
 	sort.Sort(ascendingOrdinal(pods))
 	spc.DeleteStatefulPod(set, pods[0])
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 	pods, err = om.podsLister.Pods(set.Namespace).List(selector)
 	if err != nil {
@@ -193,7 +196,7 @@ func TestStatefulSetControllerBlocksScaling(t *testing.T) {
 }
 
 func TestStatefulSetControllerDeletionTimestamp(t *testing.T) {
-	_, ctx := ktesting.NewTestContext(t)
+	logger, ctx := ktesting.NewTestContext(t)
 	set := newStatefulSet(3)
 	set.DeletionTimestamp = new(metav1.Time)
 	ssc, _, om, _ := newFakeStatefulSetController(ctx, set)
@@ -201,7 +204,7 @@ func TestStatefulSetControllerDeletionTimestamp(t *testing.T) {
 	om.setsIndexer.Add(set)
 
 	// Force a sync. It should not try to create any Pods.
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
@@ -218,7 +221,7 @@ func TestStatefulSetControllerDeletionTimestamp(t *testing.T) {
 }
 
 func TestStatefulSetControllerDeletionTimestampRace(t *testing.T) {
-	_, ctx := ktesting.NewTestContext(t)
+	logger, ctx := ktesting.NewTestContext(t)
 	set := newStatefulSet(3)
 	// The bare client says it IS deleted.
 	set.DeletionTimestamp = new(metav1.Time)
@@ -245,7 +248,7 @@ func TestStatefulSetControllerDeletionTimestampRace(t *testing.T) {
 	}
 
 	// Force a sync. It should not try to create any Pods.
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
@@ -526,7 +529,7 @@ func TestStatefulSetControllerDeletePodTombstone(t *testing.T) {
 }
 
 func TestStatefulSetControllerGetStatefulSetsForPod(t *testing.T) {
-	_, ctx := ktesting.NewTestContext(t)
+	logger, ctx := ktesting.NewTestContext(t)
 	ssc, _, om, _ := newFakeStatefulSetController(ctx)
 	set1 := newStatefulSet(3)
 	set2 := newStatefulSet(3)
@@ -535,7 +538,7 @@ func TestStatefulSetControllerGetStatefulSetsForPod(t *testing.T) {
 	om.setsIndexer.Add(set1)
 	om.setsIndexer.Add(set2)
 	om.podsIndexer.Add(pod)
-	sets := ssc.getStatefulSetsForPod(pod)
+	sets := ssc.getStatefulSetsForPod(logger, pod)
 	if got, want := len(sets), 2; got != want {
 		t.Errorf("len(sets) = %v, want %v", got, want)
 	}
@@ -671,7 +674,7 @@ func TestOrphanedPodsWithPVCDeletePolicy(t *testing.T) {
 		*set.Spec.Replicas = 2
 		set.Spec.PersistentVolumeClaimRetentionPolicy.WhenScaled = scaledownPolicy
 		set.Spec.PersistentVolumeClaimRetentionPolicy.WhenDeleted = deletionPolicy
-		_, ctx := ktesting.NewTestContext(t)
+		logger, ctx := ktesting.NewTestContext(t)
 		ssc, _, om, _ := newFakeStatefulSetController(ctx, set)
 		om.setsIndexer.Add(set)
 
@@ -721,7 +724,7 @@ func TestOrphanedPodsWithPVCDeletePolicy(t *testing.T) {
 		}
 
 		for i := range pods {
-			if _, err := om.setPodReady(set, i); err != nil {
+			if _, err := om.setPodReadyCondition(set, i, true); err != nil {
 				t.Errorf("%d: %v", i, err)
 			}
 			if _, err := om.setPodRunning(set, i); err != nil {
@@ -730,10 +733,10 @@ func TestOrphanedPodsWithPVCDeletePolicy(t *testing.T) {
 		}
 
 		// First sync to manage orphaned pod, then set replicas.
-		ssc.enqueueStatefulSet(set)
+		ssc.enqueueStatefulSet(logger, set)
 		fakeWorker(ssc)
 		*set.Spec.Replicas = 0 // Put an ownerRef for all scale-down deleted PVCs.
-		ssc.enqueueStatefulSet(set)
+		ssc.enqueueStatefulSet(logger, set)
 		fakeWorker(ssc)
 
 		hasNamedOwnerRef := func(claim *v1.PersistentVolumeClaim, name string) bool {
@@ -907,6 +910,66 @@ func TestStaleOwnerRefOnScaleup(t *testing.T) {
 	}
 }
 
+func TestStatefulSetAvailabilityCheck(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
+
+	set := setMinReadySeconds(newStatefulSet(4), int32(5)) // 5 seconds
+	set = setupPodManagementPolicy(apps.ParallelPodManagement, set)
+	ssc, _, om, _ := newFakeStatefulSetController(ctx, set)
+	if err := om.setsIndexer.Add(set); err != nil {
+		t.Fatalf("could not add set to the cache: %v", err)
+	}
+	now := time.Now()
+
+	pods := []*v1.Pod{}
+	pods = append(pods, newStatefulSetPod(set, 0))
+	pods = append(pods, newStatefulSetPod(set, 1))
+	pods[1].Status.Conditions = []v1.PodCondition{{Type: v1.PodReady, Status: v1.ConditionTrue, LastTransitionTime: metav1.Time{Time: now}}}
+	pods = append(pods, newStatefulSetPod(set, 2))
+	pods[2].Status.Conditions = []v1.PodCondition{{Type: v1.PodReady, Status: v1.ConditionTrue, LastTransitionTime: metav1.Time{Time: now.Add(-2 * time.Second)}}}
+	pods = append(pods, newStatefulSetPod(set, 3))
+	pods[3].Status.Conditions = []v1.PodCondition{{Type: v1.PodReady, Status: v1.ConditionTrue, LastTransitionTime: metav1.Time{Time: now.Add(-4300 * time.Millisecond)}}}
+
+	for i, pod := range pods {
+		if err := om.podsIndexer.Add(pod); err != nil {
+			t.Fatalf("could not add pod to the cache %d: %v", i, err)
+		}
+		var err error
+		if pods, err = om.setPodRunning(set, i); err != nil {
+			t.Fatalf("%d: %v", i, err)
+		}
+	}
+	err := ssc.syncStatefulSet(ctx, set, pods)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if set, err = om.setsLister.StatefulSets(set.Namespace).Get(set.Name); err != nil {
+		t.Fatalf("Could not get StatefulSet: %v", err)
+	}
+
+	// one pod is not ready
+	if set.Status.ReadyReplicas != 3 {
+		t.Errorf("Expected updated StatefulSet to contain ready replicas %v, got %v instead",
+			3, set.Status.ReadyReplicas)
+	}
+	if set.Status.AvailableReplicas != 0 {
+		t.Errorf("Expected updated StatefulSet to contain available replicas %v, got %v instead",
+			0, set.Status.AvailableReplicas)
+	}
+
+	if got, want := ssc.queue.Len(), 0; got != want {
+		t.Errorf("queue.Len() = %v, want %v", got, want)
+	}
+
+	// RS should be re-queued after 700ms to recompute .status.availableReplicas (200ms extra for the test).
+	ktesting.Eventually(ctx, func(tCtx ktesting.TContext) int {
+		return ssc.queue.Len()
+	}).WithTimeout(900*time.Millisecond).
+		WithPolling(10*time.Millisecond).
+		Should(gomega.Equal(1), " StatefulSet should be re-queued to recompute .status.availableReplicas")
+}
+
 func newFakeStatefulSetController(ctx context.Context, initialObjects ...runtime.Object) (*StatefulSetController, *StatefulPodControl, *fakeObjectManager, history.Interface) {
 	client := fake.NewSimpleClientset(initialObjects...)
 	informerFactory := informers.NewSharedInformerFactory(client, controller.NoResyncPeriodFunc())
@@ -950,7 +1013,7 @@ func scaleUpStatefulSetController(logger klog.Logger, set *apps.StatefulSet, ssc
 
 func scaleUpStatefulSetControllerBounded(logger klog.Logger, set *apps.StatefulSet, ssc *StatefulSetController, spc *StatefulPodControl, om *fakeObjectManager, maxIterations int) error {
 	om.setsIndexer.Add(set)
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 	selector, err := metav1.LabelSelectorAsSelector(set.Spec.Selector)
 	if err != nil {
@@ -980,7 +1043,7 @@ func scaleUpStatefulSetControllerBounded(logger klog.Logger, set *apps.StatefulS
 		fakeWorker(ssc)
 		pod = getPodAtOrdinal(pods, ord)
 		prev = *pod
-		if pods, err = om.setPodReady(set, ord); err != nil {
+		if pods, err = om.setPodReadyCondition(set, ord, true); err != nil {
 			return err
 		}
 		pod = getPodAtOrdinal(pods, ord)
@@ -1013,7 +1076,7 @@ func scaleDownStatefulSetController(logger klog.Logger, set *apps.StatefulSet, s
 	prev := *pod
 	fakeResourceVersion(set)
 	om.setsIndexer.Add(set)
-	ssc.enqueueStatefulSet(set)
+	ssc.enqueueStatefulSet(logger, set)
 	fakeWorker(ssc)
 	pods, err = om.addTerminatingPod(set, ord)
 	if err != nil {
diff --git a/pkg/controller/statefulset/stateful_set_utils.go b/pkg/controller/statefulset/stateful_set_utils.go
index 11136d63c7981..b63aa62dfdabf 100644
--- a/pkg/controller/statefulset/stateful_set_utils.go
+++ b/pkg/controller/statefulset/stateful_set_utils.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"regexp"
 	"strconv"
+	"time"
 
 	apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@@ -29,13 +30,11 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/klog/v2"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/history"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 var patchCodec = scheme.Codecs.LegacyCodec(apps.SchemeGroupVersion)
@@ -451,9 +450,7 @@ func updateIdentity(set *apps.StatefulSet, pod *v1.Pod) {
 		pod.Labels = make(map[string]string)
 	}
 	pod.Labels[apps.StatefulSetPodNameLabel] = pod.Name
-	if utilfeature.DefaultFeatureGate.Enabled(features.PodIndexLabel) {
-		pod.Labels[apps.PodIndexLabel] = strconv.Itoa(ordinal)
-	}
+	pod.Labels[apps.PodIndexLabel] = strconv.Itoa(ordinal)
 }
 
 // isRunningAndReady returns true if pod is in the PodRunning Phase, if it has a condition of PodReady.
@@ -461,8 +458,8 @@ func isRunningAndReady(pod *v1.Pod) bool {
 	return pod.Status.Phase == v1.PodRunning && podutil.IsPodReady(pod)
 }
 
-func isRunningAndAvailable(pod *v1.Pod, minReadySeconds int32) bool {
-	return podutil.IsPodAvailable(pod, minReadySeconds, metav1.Now())
+func isRunningAndAvailable(pod *v1.Pod, minReadySeconds int32, now time.Time) bool {
+	return podutil.IsPodAvailable(pod, minReadySeconds, metav1.Time{Time: now})
 }
 
 // isCreated returns true if pod has been created and is maintained by the API server
@@ -491,8 +488,8 @@ func isTerminating(pod *v1.Pod) bool {
 }
 
 // isUnavailable returns true if pod is not available or if it is terminating
-func isUnavailable(pod *v1.Pod, minReadySeconds int32) bool {
-	return !isRunningAndAvailable(pod, minReadySeconds) || isTerminating(pod)
+func isUnavailable(pod *v1.Pod, minReadySeconds int32, now time.Time) bool {
+	return !podutil.IsPodAvailable(pod, minReadySeconds, metav1.Time{Time: now}) || isTerminating(pod)
 }
 
 // allowsBurst is true if the alpha burst annotation is set.
diff --git a/pkg/controller/storageversiongc/OWNERS b/pkg/controller/storageversiongc/OWNERS
new file mode 100644
index 0000000000000..45ddeb77e1343
--- /dev/null
+++ b/pkg/controller/storageversiongc/OWNERS
@@ -0,0 +1,9 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - enj
+  - sig-api-machinery-approvers
+reviewers:
+  - sig-api-machinery-reviewers
+labels:
+  - sig/api-machinery
diff --git a/pkg/controller/storageversiongc/gc_controller.go b/pkg/controller/storageversiongc/gc_controller.go
index 71be919c0a60f..8abdf7b3769f1 100644
--- a/pkg/controller/storageversiongc/gc_controller.go
+++ b/pkg/controller/storageversiongc/gc_controller.go
@@ -19,6 +19,7 @@ package storageversiongc
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
@@ -92,14 +93,19 @@ func NewStorageVersionGC(ctx context.Context, clientset kubernetes.Interface, le
 
 // Run starts one worker.
 func (c *Controller) Run(ctx context.Context) {
-	logger := klog.FromContext(ctx)
 	defer utilruntime.HandleCrash()
-	defer c.leaseQueue.ShutDown()
-	defer c.storageVersionQueue.ShutDown()
-	defer logger.Info("Shutting down storage version garbage collector")
 
+	logger := klog.FromContext(ctx)
 	logger.Info("Starting storage version garbage collector")
 
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down storage version garbage collector")
+		c.leaseQueue.ShutDown()
+		c.storageVersionQueue.ShutDown()
+		wg.Wait()
+	}()
+
 	if !cache.WaitForCacheSync(ctx.Done(), c.leasesSynced, c.storageVersionSynced) {
 		utilruntime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
 		return
@@ -110,9 +116,12 @@ func (c *Controller) Run(ctx context.Context) {
 	// runLeaseWorker handles legit identity lease deletion, while runStorageVersionWorker
 	// handles storageversion creation/update with non-existing id. The latter should rarely
 	// happen. It's okay for the two workers to conflict on update.
-	go wait.UntilWithContext(ctx, c.runLeaseWorker, time.Second)
-	go wait.UntilWithContext(ctx, c.runStorageVersionWorker, time.Second)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, c.runLeaseWorker, time.Second)
+	})
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, c.runStorageVersionWorker, time.Second)
+	})
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/storageversiongc/gc_controller_test.go b/pkg/controller/storageversiongc/gc_controller_test.go
index c92ed304522f8..283945104da56 100644
--- a/pkg/controller/storageversiongc/gc_controller_test.go
+++ b/pkg/controller/storageversiongc/gc_controller_test.go
@@ -18,6 +18,7 @@ package storageversiongc
 
 import (
 	"context"
+	"fmt"
 	"reflect"
 	"testing"
 	"time"
@@ -26,9 +27,11 @@ import (
 	coordinationv1 "k8s.io/api/coordination/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2/ktesting"
 	"k8s.io/utils/ptr"
 )
@@ -39,8 +42,12 @@ func setupController(ctx context.Context, clientset kubernetes.Interface) {
 	storageVersionInformer := informerFactory.Internal().V1alpha1().StorageVersions()
 
 	controller := NewStorageVersionGC(ctx, clientset, leaseInformer, storageVersionInformer)
+	informerFactory.Start(ctx.Done())
+	// Using this ensure informer caches are fully populated before starting the controller.
+	if !cache.WaitForCacheSync(ctx.Done(), controller.leasesSynced, controller.storageVersionSynced) {
+		panic("timed out waiting for caches to sync")
+	}
 	go controller.Run(context.Background())
-	informerFactory.Start(nil)
 }
 
 func newKubeApiserverLease(name, holderIdentity string) *coordinationv1.Lease {
@@ -93,7 +100,7 @@ func Test_StorageVersionUpdatedWithAllEncodingVersionsEqualOnLeaseDeletion(t *te
 		},
 	}
 
-	clientset := fake.NewSimpleClientset(lease1, lease2, lease3, storageVersion)
+	clientset := fake.NewClientset(lease1, lease2, lease3, storageVersion)
 	_, ctx := ktesting.NewTestContext(t)
 	setupController(ctx, clientset)
 
@@ -102,14 +109,6 @@ func Test_StorageVersionUpdatedWithAllEncodingVersionsEqualOnLeaseDeletion(t *te
 		t.Fatalf("error deleting lease object: %v", err)
 	}
 
-	// add a delay to ensure controller had a chance to reconcile
-	time.Sleep(2 * time.Second)
-
-	storageVersion, err := clientset.InternalV1alpha1().StorageVersions().Get(context.Background(), "k8s.test.resources", metav1.GetOptions{})
-	if err != nil {
-		t.Fatalf("error getting StorageVersion: %v", err)
-	}
-
 	expectedServerStorageVersions := []apiserverinternalv1alpha1.ServerStorageVersion{
 		{
 			APIServerID:       "kube-apiserver-2",
@@ -122,29 +121,47 @@ func Test_StorageVersionUpdatedWithAllEncodingVersionsEqualOnLeaseDeletion(t *te
 			DecodableVersions: []string{"v2"},
 		},
 	}
+	var lastErr error
+
+	// Wait up to 5 seconds, checking every 100ms to ensure controller had a chance to reconcile
+	err := wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		storageVersion, err := clientset.InternalV1alpha1().StorageVersions().Get(
+			ctx, "k8s.test.resources", metav1.GetOptions{},
+		)
+		if err != nil {
+			lastErr = fmt.Errorf("failed to get StorageVersion: %w", err)
+			return false, err
+		}
+
+		if !reflect.DeepEqual(storageVersion.Status.StorageVersions, expectedServerStorageVersions) {
+			lastErr = fmt.Errorf("storage versions mismatch: got %+v, expected %+v", storageVersion.Status.StorageVersions, expectedServerStorageVersions)
+			return false, err
+		}
+		if *storageVersion.Status.CommonEncodingVersion != "v2" {
+			t.Errorf("unexpected common encoding version")
+			t.Logf("got: %q", *storageVersion.Status.CommonEncodingVersion)
+			t.Logf("expected: %q", "v2")
+			return false, err
+		}
+		if len(storageVersion.Status.Conditions) != 1 {
+			lastErr = fmt.Errorf("CommonEncodingVersion mismatch: got %v, expected %q", storageVersion.Status.CommonEncodingVersion, "v2")
+			return false, err
+		}
+
+		if storageVersion.Status.Conditions[0].Type != apiserverinternalv1alpha1.AllEncodingVersionsEqual {
+			lastErr = fmt.Errorf("expected condition type 'AllEncodingVersionsEqual', got: %q", storageVersion.Status.Conditions[0].Type)
+			return false, nil
+		}
+
+		if storageVersion.Status.Conditions[0].Status != apiserverinternalv1alpha1.ConditionTrue {
+			lastErr = fmt.Errorf("expected condition status 'True', got: %q", storageVersion.Status.Conditions[0].Status)
+			return false, nil
+		}
+		return true, nil
+	})
 
-	if !reflect.DeepEqual(storageVersion.Status.StorageVersions, expectedServerStorageVersions) {
-		t.Error("unexpected storage version object")
-		t.Logf("got: %+v", storageVersion)
-		t.Logf("expected: %+v", expectedServerStorageVersions)
-	}
-
-	if *storageVersion.Status.CommonEncodingVersion != "v2" {
-		t.Errorf("unexpected common encoding version")
-		t.Logf("got: %q", *storageVersion.Status.CommonEncodingVersion)
-		t.Logf("expected: %q", "v2")
-	}
-
-	if len(storageVersion.Status.Conditions) != 1 {
-		t.Errorf("expected 1 condition, got: %d", len(storageVersion.Status.Conditions))
-	}
-
-	if storageVersion.Status.Conditions[0].Type != apiserverinternalv1alpha1.AllEncodingVersionsEqual {
-		t.Errorf("expected condition type 'AllEncodingVersionsEqual', got: %q", storageVersion.Status.Conditions[0].Type)
-	}
-
-	if storageVersion.Status.Conditions[0].Status != apiserverinternalv1alpha1.ConditionTrue {
-		t.Errorf("expected condition status 'True', got: %q", storageVersion.Status.Conditions[0].Status)
+	if err != nil {
+		t.Fatalf("controller did not reconcile storage version in time: %v\nLast mismatch: %v", err, lastErr)
 	}
 }
 
@@ -328,7 +345,7 @@ func Test_StorageVersionDeletedOnLeaseDeletion(t *testing.T) {
 		},
 	}
 
-	clientset := fake.NewSimpleClientset(lease1, storageVersion)
+	clientset := fake.NewClientset(lease1, storageVersion)
 	_, ctx := ktesting.NewTestContext(t)
 	setupController(ctx, clientset)
 
@@ -337,12 +354,12 @@ func Test_StorageVersionDeletedOnLeaseDeletion(t *testing.T) {
 		t.Fatalf("error deleting lease object: %v", err)
 	}
 
-	// add a delay to ensure controller had a chance to reconcile
-	time.Sleep(2 * time.Second)
-
-	// expect deleted
-	_, err := clientset.InternalV1alpha1().StorageVersions().Get(context.Background(), "k8s.test.resources", metav1.GetOptions{})
-	if !apierrors.IsNotFound(err) {
-		t.Fatalf("expected IsNotFound error, got: %v", err)
+	err := wait.PollUntilContextTimeout(context.Background(), time.Second, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		// expect deleted
+		_, err := clientset.InternalV1alpha1().StorageVersions().Get(context.Background(), "k8s.test.resources", metav1.GetOptions{})
+		return apierrors.IsNotFound(err), nil
+	})
+	if err != nil {
+		t.Fatalf("expected IsNotFound error, but got error: %v", err)
 	}
 }
diff --git a/pkg/controller/storageversionmigrator/OWNERS b/pkg/controller/storageversionmigrator/OWNERS
new file mode 100644
index 0000000000000..de90ab2d77207
--- /dev/null
+++ b/pkg/controller/storageversionmigrator/OWNERS
@@ -0,0 +1,10 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - enj
+  - sig-api-machinery-approvers
+reviewers:
+  - michaelasp
+  - sig-api-machinery-reviewers
+labels:
+  - sig/api-machinery
diff --git a/pkg/controller/storageversionmigrator/resourceversion.go b/pkg/controller/storageversionmigrator/resourceversion.go
index 7ce40ba4113a4..2c708288933ee 100644
--- a/pkg/controller/storageversionmigrator/resourceversion.go
+++ b/pkg/controller/storageversionmigrator/resourceversion.go
@@ -19,10 +19,13 @@ package storageversionmigrator
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/metadata"
@@ -31,13 +34,13 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller"
 
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	svminformers "k8s.io/client-go/informers/storagemigration/v1alpha1"
+	svminformers "k8s.io/client-go/informers/storagemigration/v1beta1"
 	clientset "k8s.io/client-go/kubernetes"
-	svmlisters "k8s.io/client-go/listers/storagemigration/v1alpha1"
+	svmlisters "k8s.io/client-go/listers/storagemigration/v1beta1"
 )
 
 const (
@@ -46,26 +49,28 @@ const (
 	ResourceVersionControllerName string = "resource-version-controller"
 )
 
+var verbsRequiredForMigration = []string{"update", "patch", "list"}
+
 // ResourceVersionController adds the resource version obtained from a randomly nonexistent namespace
 // to the SVM status before the migration is initiated. This resource version is utilized for checking
 // freshness of GC cache before the migration is initiated.
 type ResourceVersionController struct {
-	discoveryClient *discovery.DiscoveryClient
+	discoveryClient discovery.DiscoveryInterface
 	metadataClient  metadata.Interface
 	svmListers      svmlisters.StorageVersionMigrationLister
 	svmSynced       cache.InformerSynced
 	queue           workqueue.TypedRateLimitingInterface[string]
 	kubeClient      clientset.Interface
-	mapper          meta.ResettableRESTMapper
+	mapper          meta.RESTMapper
 }
 
 func NewResourceVersionController(
 	ctx context.Context,
 	kubeClient clientset.Interface,
-	discoveryClient *discovery.DiscoveryClient,
+	discoveryClient discovery.DiscoveryInterface,
 	metadataClient metadata.Interface,
 	svmInformer svminformers.StorageVersionMigrationInformer,
-	mapper meta.ResettableRESTMapper,
+	mapper meta.RESTMapper,
 ) *ResourceVersionController {
 	logger := klog.FromContext(ctx)
 
@@ -95,19 +100,19 @@ func NewResourceVersionController(
 }
 
 func (rv *ResourceVersionController) addSVM(logger klog.Logger, obj interface{}) {
-	svm := obj.(*svmv1alpha1.StorageVersionMigration)
+	svm := obj.(*svmv1beta1.StorageVersionMigration)
 	logger.V(4).Info("Adding", "svm", klog.KObj(svm))
 	rv.enqueue(svm)
 }
 
 func (rv *ResourceVersionController) updateSVM(logger klog.Logger, oldObj, newObj interface{}) {
-	oldSVM := oldObj.(*svmv1alpha1.StorageVersionMigration)
-	newSVM := newObj.(*svmv1alpha1.StorageVersionMigration)
+	oldSVM := oldObj.(*svmv1beta1.StorageVersionMigration)
+	newSVM := newObj.(*svmv1beta1.StorageVersionMigration)
 	logger.V(4).Info("Updating", "svm", klog.KObj(oldSVM))
 	rv.enqueue(newSVM)
 }
 
-func (rv *ResourceVersionController) enqueue(svm *svmv1alpha1.StorageVersionMigration) {
+func (rv *ResourceVersionController) enqueue(svm *svmv1beta1.StorageVersionMigration) {
 	key, err := controller.KeyFunc(svm)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("couldn't get key for object %#v: %w", svm, err))
@@ -119,18 +124,24 @@ func (rv *ResourceVersionController) enqueue(svm *svmv1alpha1.StorageVersionMigr
 
 func (rv *ResourceVersionController) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
-	defer rv.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting", "controller", ResourceVersionControllerName)
-	defer logger.Info("Shutting down", "controller", ResourceVersionControllerName)
 
-	if !cache.WaitForNamedCacheSync(ResourceVersionControllerName, ctx.Done(), rv.svmSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down", "controller", ResourceVersionControllerName)
+		rv.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, rv.svmSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, rv.worker, time.Second)
-
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, rv.worker, time.Second)
+	})
 	<-ctx.Done()
 }
 
@@ -178,9 +189,10 @@ func (rv *ResourceVersionController) sync(ctx context.Context, key string) error
 	}
 	// working with copy to avoid race condition between this and migration controller
 	toBeProcessedSVM := svm.DeepCopy()
-	gvr := getGVRFromResource(toBeProcessedSVM)
+	gr := toBeProcessedSVM.Spec.Resource
 
-	if IsConditionTrue(toBeProcessedSVM, svmv1alpha1.MigrationSucceeded) || IsConditionTrue(toBeProcessedSVM, svmv1alpha1.MigrationFailed) {
+	if meta.IsStatusConditionTrue(toBeProcessedSVM.Status.Conditions, string(svmv1beta1.MigrationSucceeded)) ||
+		meta.IsStatusConditionTrue(toBeProcessedSVM.Status.Conditions, string(svmv1beta1.MigrationFailed)) {
 		logger.V(4).Info("Migration has already succeeded or failed previously, skipping", "svm", name)
 		return nil
 	}
@@ -190,31 +202,44 @@ func (rv *ResourceVersionController) sync(ctx context.Context, key string) error
 		return nil
 	}
 
-	exists, err := rv.resourceExists(gvr)
+	gvr, exists, err := resourceFor(rv.mapper, gr)
 	if err != nil {
 		return err
 	}
 	if !exists {
-		_, err = rv.kubeClient.StoragemigrationV1alpha1().
-			StorageVersionMigrations().
-			UpdateStatus(
-				ctx,
-				setStatusConditions(toBeProcessedSVM, svmv1alpha1.MigrationFailed, migrationFailedStatusReason, "resource does not exist in discovery"),
-				metav1.UpdateOptions{},
-			)
-		if err != nil {
-			return err
+		// our GC cache could be missing a recently created custom resource, so give it some time to catch up
+		// we resync discovery every 30 seconds so twice that should be sufficient
+		if toBeProcessedSVM.CreationTimestamp.Add(time.Minute).After(time.Now()) {
+			return fmt.Errorf("resource does not exist in our rest mapper, requeuing to attempt again")
 		}
+		return rv.failMigration(ctx, toBeProcessedSVM, "resource does not exist in discovery")
+	}
 
-		return nil
+	isMigratable, err := rv.isResourceMigratable(*gvr)
+	if err != nil {
+		return err
+	}
+	// The resource does not support CRUD operations for migration.
+	if !isMigratable {
+		err := fmt.Errorf("resource %q does not support discovery operations: %v", gvr.String(), verbsRequiredForMigration)
+		logger.Error(err, "resource is not able to be migrated, not retrying", "gvr", gvr.String())
+		return rv.failMigration(ctx, toBeProcessedSVM, err.Error())
 	}
 
-	toBeProcessedSVM.Status.ResourceVersion, err = rv.getLatestResourceVersion(gvr, ctx)
+	latestRV, err := rv.getLatestResourceVersion(*gvr, ctx)
 	if err != nil {
 		return err
 	}
 
-	_, err = rv.kubeClient.StoragemigrationV1alpha1().
+	// Compare the resource version against itself, if it fails then it is not a
+	// well formed RV and we should fail migration.
+	if _, err := resourceversion.CompareResourceVersion(latestRV, latestRV); err != nil {
+		err := fmt.Errorf("latest resourceVersion for %s is not valid: %w", gvr.String(), err)
+		return rv.failMigration(ctx, toBeProcessedSVM, err.Error())
+	}
+	toBeProcessedSVM.Status.ResourceVersion = latestRV
+
+	_, err = rv.kubeClient.StoragemigrationV1beta1().
 		StorageVersionMigrations().
 		UpdateStatus(ctx, toBeProcessedSVM, metav1.UpdateOptions{})
 	if err != nil {
@@ -253,21 +278,26 @@ func (rv *ResourceVersionController) getLatestResourceVersion(gvr schema.GroupVe
 	return randomList.GetResourceVersion(), err
 }
 
-func (rv *ResourceVersionController) resourceExists(gvr schema.GroupVersionResource) (bool, error) {
-	mapperGVRs, err := rv.mapper.ResourcesFor(gvr)
+func resourceFor(mapper meta.RESTMapper, gr metav1.GroupResource) (*schema.GroupVersionResource, bool, error) {
+	partial := schema.GroupVersionResource{
+		Group:    gr.Group,
+		Resource: gr.Resource,
+	}
+	mapperGVRs, err := mapper.ResourcesFor(partial)
+	if meta.IsNoMatchError(err) {
+		return nil, false, nil
+	}
 	if err != nil {
-		return false, err
+		return nil, false, err
 	}
 
 	for _, mapperGVR := range mapperGVRs {
-		if mapperGVR.Group == gvr.Group &&
-			mapperGVR.Version == gvr.Version &&
-			mapperGVR.Resource == gvr.Resource {
-			return true, nil
+		if mapperGVR.Group == gr.Group && mapperGVR.Resource == gr.Resource {
+			return &mapperGVR, true, nil
 		}
 	}
 
-	return false, nil
+	return nil, false, nil
 }
 
 func (rv *ResourceVersionController) isResourceNamespaceScoped(gvr schema.GroupVersionResource) (bool, error) {
@@ -284,3 +314,46 @@ func (rv *ResourceVersionController) isResourceNamespaceScoped(gvr schema.GroupV
 
 	return false, fmt.Errorf("resource %q not found", gvr.String())
 }
+
+// isResourceMigratable checks if the GVR has the list of verbs required for
+// migration. Returns true if all verbs are in the discovery document and false
+// otherwise. If there is an error querying the discovery client or we fail to
+// get the GVR, return an error.
+func (rv *ResourceVersionController) isResourceMigratable(gvr schema.GroupVersionResource) (bool, error) {
+	resourceList, err := rv.discoveryClient.ServerResourcesForGroupVersion(gvr.GroupVersion().String())
+	if apierrors.IsNotFound(err) {
+		return false, nil
+	}
+
+	if resourceList != nil {
+		// even in case of an error above there might be a partial list for APIs that
+		// were already successfully discovered.
+		for _, resource := range resourceList.APIResources {
+			if resource.Name == gvr.Resource {
+				if resource.Verbs != nil && sets.NewString(resource.Verbs...).HasAll(verbsRequiredForMigration...) {
+					return true, nil
+				}
+				return false, nil
+			}
+		}
+	}
+
+	if err != nil {
+		return false, err
+	}
+	return false, fmt.Errorf("resource %q not found in discovery", gvr.String())
+}
+
+func (rv *ResourceVersionController) failMigration(ctx context.Context, svm *svmv1beta1.StorageVersionMigration, message string) error {
+	_, err := rv.kubeClient.StoragemigrationV1beta1().
+		StorageVersionMigrations().
+		UpdateStatus(
+			ctx,
+			setStatusConditions(svm, svmv1beta1.MigrationFailed, migrationFailedStatusReason, message),
+			metav1.UpdateOptions{},
+		)
+	if err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/pkg/controller/storageversionmigrator/resourceversion_test.go b/pkg/controller/storageversionmigrator/resourceversion_test.go
new file mode 100644
index 0000000000000..60e4bd40cc1a8
--- /dev/null
+++ b/pkg/controller/storageversionmigrator/resourceversion_test.go
@@ -0,0 +1,455 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storageversionmigrator
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/informers"
+	svminformers "k8s.io/client-go/informers/storagemigration/v1beta1"
+	"k8s.io/client-go/kubernetes"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/metadata"
+	metadatafake "k8s.io/client-go/metadata/fake"
+	kubetesting "k8s.io/client-go/testing"
+)
+
+func TestIsResourceMigratable(t *testing.T) {
+	tcs := []struct {
+		name      string
+		resources []*metav1.APIResourceList
+		resource  schema.GroupVersionResource
+		want      bool
+		wantErr   string
+	}{
+		{
+			name: "migratable resource",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "pods", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+						{Name: "events", Namespaced: true, Kind: "Event", Verbs: []string{"get", "list", "watch", "create", "delete"}},
+						{Name: "configmaps", Namespaced: true, Kind: "Event", Verbs: []string{"get", "watch", "create", "delete", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
+			want:     true,
+		},
+		{
+			name: "non-updatable resource",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "pods", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+						{Name: "events", Namespaced: true, Kind: "Event", Verbs: []string{"get", "list", "watch", "create", "delete"}},
+						{Name: "configmaps", Namespaced: true, Kind: "Event", Verbs: []string{"get", "watch", "create", "delete", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "events"},
+			want:     false,
+		},
+		{
+			name: "non-patchable resource",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "pods", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+						{Name: "events", Namespaced: true, Kind: "Event", Verbs: []string{"get", "list", "watch", "create", "delete"}},
+						{Name: "configmaps", Namespaced: true, Kind: "Configmap", Verbs: []string{"get", "watch", "create", "delete", "update", "patch", "delete"}},
+						{Name: "secrets", Namespaced: true, Kind: "Secret", Verbs: []string{"get", "watch", "create", "delete", "update", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"},
+			want:     false,
+		},
+		{
+			name: "non-listable resource",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "pods", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+						{Name: "events", Namespaced: true, Kind: "Event", Verbs: []string{"get", "list", "watch", "create", "delete"}},
+						{Name: "configmaps", Namespaced: true, Kind: "Event", Verbs: []string{"get", "watch", "create", "delete", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"},
+			want:     false,
+		},
+		{
+			name: "unknown resource",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "pods", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+						{Name: "events", Namespaced: true, Kind: "Event", Verbs: []string{"get", "list", "watch", "create", "delete"}},
+						{Name: "configmaps", Namespaced: true, Kind: "Configmap", Verbs: []string{"get", "watch", "create", "delete", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "foo"},
+			wantErr:  "resource \"/v1, Resource=foo\" not found in discovery",
+		},
+		{
+			name: "multiple versions",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "foo", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+					},
+				},
+				{
+					GroupVersion: "v1alpha1",
+					APIResources: []metav1.APIResource{
+						{Name: "foo", Namespaced: true, Kind: "Pod", Verbs: []string{"get", "watch", "create", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "", Version: "v1alpha", Resource: "foo"},
+			want:     false,
+		},
+		{
+			name: "multiple versions and groups",
+			resources: []*metav1.APIResourceList{
+				{
+					GroupVersion: "v1",
+					APIResources: []metav1.APIResource{
+						{Name: "foo", Namespaced: true, Kind: "Foo", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+					},
+				},
+				{
+					GroupVersion: "v1alpha1",
+					APIResources: []metav1.APIResource{
+						{Name: "foo", Namespaced: true, Kind: "Foo", Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
+					},
+				},
+				{
+					GroupVersion: "bar/v1alpha1",
+					APIResources: []metav1.APIResource{
+						{Name: "foo", Namespaced: true, Kind: "Foo", Group: "bar", Verbs: []string{"get", "watch", "create", "update", "patch", "delete"}},
+					},
+				},
+			},
+			resource: schema.GroupVersionResource{Group: "bar", Version: "v1alpha1", Resource: "foo"},
+			want:     false,
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {}))
+			defer server.Close()
+			discoveryClient := fakediscovery.FakeDiscovery{Fake: &kubetesting.Fake{}}
+			discoveryClient.Resources = tc.resources
+			rvController := ResourceVersionController{
+				discoveryClient: &discoveryClient,
+			}
+
+			isMigratable, err := rvController.isResourceMigratable(tc.resource)
+			if err != nil {
+				if !strings.Contains(err.Error(), tc.wantErr) {
+					t.Errorf("Unexpected error: %v, want: %v", err, tc.wantErr)
+				}
+				return
+			}
+			if isMigratable != tc.want {
+				t.Errorf("Expected %v, got %v", tc.want, isMigratable)
+			}
+		})
+	}
+}
+
+func TestRVSync(t *testing.T) {
+	testCases := []struct {
+		name               string
+		key                string
+		svm                *svmv1beta1.StorageVersionMigration
+		discoveryResources *metav1.APIResourceList
+		metadataList       *metav1.List
+		metadataErr        bool
+		expectErr          string
+		expectKubeActions  []kubetesting.Action
+	}{
+		{
+			name: "Successful RV acquisition",
+			key:  "test-svm",
+			svm:  newSVM("test-svm", ""),
+			discoveryResources: &metav1.APIResourceList{
+				GroupVersion: "apps/v1",
+				APIResources: []metav1.APIResource{
+					{Name: "deployments", Namespaced: true, Kind: "Deployment", Verbs: []string{"list", "update", "patch"}},
+				},
+			},
+			metadataList: &metav1.List{
+				ListMeta: metav1.ListMeta{
+					ResourceVersion: "12345",
+				},
+			},
+			expectKubeActions: []kubetesting.Action{
+				kubetesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVM("test-svm", "12345"),
+				),
+			},
+		},
+		{
+			name: "SVM not found",
+			key:  "non-existent-svm",
+			svm:  nil,
+		},
+		{
+			name: "SVM already succeeded",
+			key:  "succeeded-svm",
+			svm: newSVMWithConditions("succeeded-svm", "100", []metav1.Condition{
+				{
+					Type:   string(svmv1beta1.MigrationSucceeded),
+					Status: metav1.ConditionTrue,
+				},
+			}),
+		},
+		{
+			name: "SVM already failed",
+			key:  "failed-svm",
+			svm: newSVMWithConditions("failed-svm", "100", []metav1.Condition{
+				{
+					Type:   string(svmv1beta1.MigrationFailed),
+					Status: metav1.ConditionTrue,
+				},
+			}),
+		},
+		{
+			name: "RV already set",
+			key:  "rv-set-svm",
+			svm:  newSVM("rv-set-svm", "123"),
+		},
+		{
+			name: "Resource not migratable",
+			key:  "not-migratable-svm",
+			svm:  newSVM("not-migratable-svm", ""),
+			discoveryResources: &metav1.APIResourceList{
+				GroupVersion: "apps/v1",
+				APIResources: []metav1.APIResource{
+					{Name: "deployments", Namespaced: true, Kind: "Deployment", Verbs: []string{"update", "patch"}}, // Missing "list"
+				},
+			},
+			expectKubeActions: []kubetesting.Action{
+				kubetesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("not-migratable-svm", "", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationFailed),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+		},
+		{
+			name: "Metadata list error",
+			key:  "metadata-error-svm",
+			svm:  newSVM("metadata-error-svm", ""),
+			discoveryResources: &metav1.APIResourceList{
+				GroupVersion: "apps/v1",
+				APIResources: []metav1.APIResource{
+					{Name: "deployments", Namespaced: true, Kind: "Deployment", Verbs: []string{"list", "update", "patch"}},
+				},
+			},
+			metadataList: &metav1.List{},
+			metadataErr:  true,
+			expectErr:    "error getting latest resourceVersion for apps/v1",
+		},
+		{
+			name: "Invalid RV returned",
+			key:  "invalid-rv-svm",
+			svm:  newSVM("invalid-rv-svm", ""),
+			discoveryResources: &metav1.APIResourceList{
+				GroupVersion: "apps/v1",
+				APIResources: []metav1.APIResource{
+					{Name: "deployments", Namespaced: true, Kind: "Deployment", Verbs: []string{"list", "update", "patch"}},
+				},
+			},
+			metadataList: &metav1.List{
+				ListMeta: metav1.ListMeta{
+					ResourceVersion: "abcde",
+				},
+			},
+			expectKubeActions: []kubetesting.Action{
+				kubetesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("invalid-rv-svm", "", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationFailed),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			var initialSVMs []runtime.Object
+			if tc.svm != nil {
+				initialSVMs = append(initialSVMs, tc.svm)
+			}
+			kubeClient := kubefake.NewClientset(initialSVMs...)
+			kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
+			svmInformer := kubeInformerFactory.Storagemigration().V1beta1().StorageVersionMigrations()
+
+			if tc.svm != nil {
+				err := svmInformer.Informer().GetStore().Add(tc.svm)
+				require.NoError(t, err)
+			}
+
+			// Setup fake discovery client
+			discoveryClient := &fakediscovery.FakeDiscovery{Fake: &kubetesting.Fake{}}
+			if tc.discoveryResources != nil {
+				discoveryClient.Resources = []*metav1.APIResourceList{tc.discoveryResources}
+			}
+
+			// Setup fake metadata client
+			metadatascheme := metadatafake.NewTestScheme()
+			err := svmv1beta1.AddToScheme(metadatascheme)
+			require.NoError(t, err)
+			err = metav1.AddMetaToScheme(metadatascheme)
+			require.NoError(t, err)
+			metadataClient := metadatafake.NewSimpleMetadataClient(metadatascheme)
+
+			metadataClient.Fake.PrependReactor("list", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+				listAction, ok := action.(kubetesting.ListAction)
+				require.True(t, ok, "expected ListAction")
+
+				require.Equal(t, testGVR, listAction.GetResource(), "GVR in metadata list action does not match testGVR")
+
+				isNamespaced := false
+				if tc.discoveryResources != nil && len(tc.discoveryResources.APIResources) > 0 {
+					isNamespaced = tc.discoveryResources.APIResources[0].Namespaced
+				}
+
+				if isNamespaced {
+					require.Equal(t, fakeSVMNamespaceName, listAction.GetNamespace(), "expected list on fake namespace")
+				} else {
+					require.Empty(t, listAction.GetNamespace(), "expected cluster-scoped list")
+				}
+
+				if tc.metadataErr {
+					return true, nil, fmt.Errorf("failed to list")
+				}
+				return true, tc.metadataList, nil
+			})
+
+			controller := newTestRVController(kubeClient, discoveryClient, metadataClient, svmInformer)
+
+			err = controller.sync(ctx, tc.key)
+
+			if tc.expectErr != "" {
+				require.ErrorContains(t, err, tc.expectErr)
+			} else {
+				require.NoError(t, err)
+			}
+
+			kubeActions := filterListWatchActions(kubeClient.Actions())
+			if tc.expectKubeActions == nil {
+				require.Empty(t, kubeActions, "expected zero kube client actions")
+				return
+			}
+
+			require.Len(t, kubeActions, len(tc.expectKubeActions), "mismatched number of kube client actions")
+			for i, expected := range tc.expectKubeActions {
+				actual := kubeActions[i]
+				require.Equal(t, expected.GetVerb(), actual.GetVerb(), "kube action %d: verb mismatch", i)
+				require.Equal(t, expected.GetResource(), actual.GetResource(), "kube action %d: resource mismatch", i)
+
+				actualSvm := actual.(kubetesting.UpdateAction).GetObject().(*svmv1beta1.StorageVersionMigration)
+				expectedSvm := expected.(kubetesting.UpdateAction).GetObject().(*svmv1beta1.StorageVersionMigration)
+
+				// Check the important parts: ResourceVersion and Conditions
+				require.Equal(t, expectedSvm.Status.ResourceVersion, actualSvm.Status.ResourceVersion, "kube action %d: status.resourceVersion mismatch", i)
+
+				expectedConditions := expectedSvm.Status.Conditions
+				actualConditions := actualSvm.Status.Conditions
+				require.Len(t, actualConditions, len(expectedConditions), "kube action %d: conditions length mismatch", i)
+
+				for j, expectedCondition := range expectedConditions {
+					actualCondition := actualConditions[j]
+					require.Equal(t, expectedCondition.Type, actualCondition.Type, "kube action %d: condition %d type mismatch", i, j)
+					require.Equal(t, expectedCondition.Status, actualCondition.Status, "kube action %d: condition %d status mismatch", i, j)
+				}
+			}
+		})
+	}
+}
+
+// filterListWatchActions filters out list/watch actions from the client-go fake client.
+func filterListWatchActions(actions []kubetesting.Action) []kubetesting.Action {
+	var filteredActions []kubetesting.Action
+	for _, action := range actions {
+		if action.GetVerb() == "list" || action.GetVerb() == "watch" {
+			continue
+		}
+		filteredActions = append(filteredActions, action)
+	}
+	return filteredActions
+}
+
+// newTestRVController creates a new ResourceVersionController for testing.
+func newTestRVController(
+	kubeClient kubernetes.Interface,
+	discoveryClient discovery.DiscoveryInterface,
+	metadataClient metadata.Interface,
+	svmInformer svminformers.StorageVersionMigrationInformer,
+) *ResourceVersionController {
+	mapper := meta.NewDefaultRESTMapper([]schema.GroupVersion{testGVK.GroupVersion()})
+	mapper.Add(testGVK, meta.RESTScopeNamespace)
+
+	rvController := &ResourceVersionController{
+		kubeClient:      kubeClient,
+		discoveryClient: discoveryClient,
+		metadataClient:  metadataClient,
+		svmListers:      svmInformer.Lister(),
+		svmSynced:       func() bool { return true },
+		mapper:          mapper,
+	}
+	return rvController
+}
diff --git a/pkg/controller/storageversionmigrator/storageversionmigrator.go b/pkg/controller/storageversionmigrator/storageversionmigrator.go
index e90653751d7d5..8d88c2892681a 100644
--- a/pkg/controller/storageversionmigrator/storageversionmigrator.go
+++ b/pkg/controller/storageversionmigrator/storageversionmigrator.go
@@ -20,12 +20,16 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"sync"
 	"time"
 
 	"k8s.io/klog/v2"
 
 	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
@@ -34,12 +38,12 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/controller/garbagecollector"
 
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	svminformers "k8s.io/client-go/informers/storagemigration/v1alpha1"
-	svmlisters "k8s.io/client-go/listers/storagemigration/v1alpha1"
+	svminformers "k8s.io/client-go/informers/storagemigration/v1beta1"
+	svmlisters "k8s.io/client-go/listers/storagemigration/v1beta1"
 )
 
 const (
@@ -49,15 +53,20 @@ const (
 	migrationFailedStatusReason  = "StorageVersionMigrationFailed"
 )
 
+type graphBuilder interface {
+	GetMonitor(ctx context.Context, gvr schema.GroupVersionResource) (*garbagecollector.Monitor, bool, error)
+}
+
 type SVMController struct {
 	controllerName         string
 	kubeClient             kubernetes.Interface
-	dynamicClient          *dynamic.DynamicClient
+	dynamicClient          dynamic.Interface
 	svmListers             svmlisters.StorageVersionMigrationLister
 	svmSynced              cache.InformerSynced
 	queue                  workqueue.TypedRateLimitingInterface[string]
+	rateLimiter            workqueue.TypedRateLimiter[string]
 	restMapper             meta.RESTMapper
-	dependencyGraphBuilder *garbagecollector.GraphBuilder
+	dependencyGraphBuilder graphBuilder
 }
 
 func NewSVMController(
@@ -70,6 +79,7 @@ func NewSVMController(
 	dependencyGraphBuilder *garbagecollector.GraphBuilder,
 ) *SVMController {
 	logger := klog.FromContext(ctx)
+	rateLimiter := workqueue.DefaultTypedControllerRateLimiter[string]()
 
 	svmController := &SVMController{
 		kubeClient:             kubeClient,
@@ -80,9 +90,10 @@ func NewSVMController(
 		restMapper:             mapper,
 		dependencyGraphBuilder: dependencyGraphBuilder,
 		queue: workqueue.NewTypedRateLimitingQueueWithConfig(
-			workqueue.DefaultTypedControllerRateLimiter[string](),
+			rateLimiter,
 			workqueue.TypedRateLimitingQueueConfig[string]{Name: controllerName},
 		),
+		rateLimiter: rateLimiter,
 	}
 
 	_, _ = svmInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@@ -102,19 +113,19 @@ func (svmc *SVMController) Name() string {
 }
 
 func (svmc *SVMController) addSVM(logger klog.Logger, obj interface{}) {
-	svm := obj.(*svmv1alpha1.StorageVersionMigration)
+	svm := obj.(*svmv1beta1.StorageVersionMigration)
 	logger.V(4).Info("Adding", "svm", klog.KObj(svm))
 	svmc.enqueue(svm)
 }
 
 func (svmc *SVMController) updateSVM(logger klog.Logger, oldObj, newObj interface{}) {
-	oldSVM := oldObj.(*svmv1alpha1.StorageVersionMigration)
-	newSVM := newObj.(*svmv1alpha1.StorageVersionMigration)
+	oldSVM := oldObj.(*svmv1beta1.StorageVersionMigration)
+	newSVM := newObj.(*svmv1beta1.StorageVersionMigration)
 	logger.V(4).Info("Updating", "svm", klog.KObj(oldSVM))
 	svmc.enqueue(newSVM)
 }
 
-func (svmc *SVMController) enqueue(svm *svmv1alpha1.StorageVersionMigration) {
+func (svmc *SVMController) enqueue(svm *svmv1beta1.StorageVersionMigration) {
 	key, err := controller.KeyFunc(svm)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("couldn't get key for object %#v: %w", svm, err))
@@ -126,20 +137,26 @@ func (svmc *SVMController) enqueue(svm *svmv1alpha1.StorageVersionMigration) {
 
 func (svmc *SVMController) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
-	defer svmc.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting", "controller", svmc.controllerName)
-	defer logger.Info("Shutting down", "controller", svmc.controllerName)
 
-	if !cache.WaitForNamedCacheSync(svmc.controllerName, ctx.Done(), svmc.svmSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down", "controller", svmc.controllerName)
+		svmc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, svmc.svmSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, svmc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, svmc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -162,6 +179,10 @@ func (svmc *SVMController) processNext(ctx context.Context) bool {
 	}
 
 	klog.FromContext(ctx).V(2).Info("Error syncing SVM resource, retrying", "svm", key, "err", err)
+	if suggestDelay, ok := apierrors.SuggestsClientDelay(err); ok {
+		svmc.queue.AddAfter(key, max(time.Second*time.Duration(suggestDelay), svmc.rateLimiter.When(key)))
+		return true
+	}
 	svmc.queue.AddRateLimited(key)
 
 	return true
@@ -171,11 +192,6 @@ func (svmc *SVMController) sync(ctx context.Context, key string) error {
 	logger := klog.FromContext(ctx)
 	startTime := time.Now()
 
-	if svmc.dependencyGraphBuilder == nil {
-		logger.V(4).Info("dependency graph builder is not set. we will skip migration")
-		return nil
-	}
-
 	// SVM is a cluster scoped resource so we don't care about the namespace
 	_, name, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -193,7 +209,8 @@ func (svmc *SVMController) sync(ctx context.Context, key string) error {
 	// working with a copy to avoid race condition between this and resource version controller
 	toBeProcessedSVM := svm.DeepCopy()
 
-	if IsConditionTrue(toBeProcessedSVM, svmv1alpha1.MigrationSucceeded) || IsConditionTrue(toBeProcessedSVM, svmv1alpha1.MigrationFailed) {
+	if meta.IsStatusConditionTrue(toBeProcessedSVM.Status.Conditions, string(svmv1beta1.MigrationSucceeded)) ||
+		meta.IsStatusConditionTrue(toBeProcessedSVM.Status.Conditions, string(svmv1beta1.MigrationFailed)) {
 		logger.V(4).Info("Migration has already succeeded or failed previously, skipping", "svm", name)
 		return nil
 	}
@@ -202,74 +219,101 @@ func (svmc *SVMController) sync(ctx context.Context, key string) error {
 		logger.V(4).Info("The latest resource version is empty. We will attempt to migrate once the resource version is available.")
 		return nil
 	}
-	gvr := getGVRFromResource(toBeProcessedSVM)
+	gvr, exists, err := resourceFor(svmc.restMapper, toBeProcessedSVM.Spec.Resource)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		logger.V(4).Error(err, "resource does not exist in our rest mapper", "gvr", gvr.String())
+		if toBeProcessedSVM.CreationTimestamp.Add(time.Minute).After(time.Now()) {
+			return fmt.Errorf("resource does not exist in rest mapper, requeuing to attempt again: %w", err)
+		}
+		return svmc.failMigration(ctx, toBeProcessedSVM, fmt.Errorf("unable to obtain GVR from discovery"))
+	}
 
 	// prevent unsynced monitor from blocking forever
 	// use a short timeout so that we can fail quickly and possibly handle other migrations while this monitor gets ready.
 	monCtx, monCtxCancel := context.WithTimeout(ctx, 10*time.Second)
 	defer monCtxCancel()
-	resourceMonitor, errMonitor := svmc.dependencyGraphBuilder.GetMonitor(monCtx, gvr)
-	if resourceMonitor != nil {
-		if errMonitor != nil {
-			// non nil monitor indicates that error is due to resource not being synced
-			return fmt.Errorf("dependency graph is not synced, requeuing to attempt again: %w", errMonitor)
-		}
-	} else {
+
+	resourceMonitor, hasSynced, errMonitor := svmc.dependencyGraphBuilder.GetMonitor(monCtx, *gvr)
+	if errMonitor != nil {
+		return errMonitor
+	}
+	if !hasSynced {
 		logger.V(4).Error(errMonitor, "resource does not exist in GC", "gvr", gvr.String())
 
-		// our GC cache could be missing a recently created custom resource, so give it some time to catch up
+		// our mapper could be missing a recently created custom resource, so give it some time to catch up
 		// we resync discovery every 30 seconds so twice that should be sufficient
 		if toBeProcessedSVM.CreationTimestamp.Add(time.Minute).After(time.Now()) {
 			return fmt.Errorf("resource does not exist in GC, requeuing to attempt again: %w", errMonitor)
 		}
+		return svmc.failMigration(ctx, toBeProcessedSVM, fmt.Errorf("resource does not exist in GC: %w", errMonitor))
+	}
 
-		// we can't migrate a resource that doesn't exist in the GC
-		_, errStatus := svmc.kubeClient.StoragemigrationV1alpha1().
-			StorageVersionMigrations().
-			UpdateStatus(
-				ctx,
-				setStatusConditions(toBeProcessedSVM, svmv1alpha1.MigrationFailed, migrationFailedStatusReason, "resource not found"),
-				metav1.UpdateOptions{},
-			)
+	gcListResourceVersion := resourceMonitor.Controller.LastSyncResourceVersion()
+	listResourceVersion := toBeProcessedSVM.Status.ResourceVersion
 
-		return errStatus
+	rvCmp, err := resourceversion.CompareResourceVersion(gcListResourceVersion, listResourceVersion)
+	if err != nil {
+		return svmc.failMigration(ctx, toBeProcessedSVM, fmt.Errorf("error comparing resource versions between GC and SVM resource: %w", err))
+	}
+	if rvCmp == -1 {
+		return fmt.Errorf("GC cache is not up to date, requeuing to attempt again. gcListResourceVersion: %s, listResourceVersion: %s", gcListResourceVersion, listResourceVersion)
 	}
 
-	gcListResourceVersion, err := convertResourceVersionToInt(resourceMonitor.Controller.LastSyncResourceVersion())
+	toBeProcessedSVM, err = svmc.kubeClient.StoragemigrationV1beta1().
+		StorageVersionMigrations().
+		UpdateStatus(
+			ctx,
+			setStatusConditions(toBeProcessedSVM, svmv1beta1.MigrationRunning, migrationRunningStatusReason, ""),
+			metav1.UpdateOptions{},
+		)
 	if err != nil {
 		return err
 	}
-	listResourceVersion, err := convertResourceVersionToInt(toBeProcessedSVM.Status.ResourceVersion)
+
+	err, failedMigration := svmc.runMigration(ctx, logger, *gvr, resourceMonitor, toBeProcessedSVM, listResourceVersion)
 	if err != nil {
 		return err
 	}
-
-	if gcListResourceVersion < listResourceVersion {
-		return fmt.Errorf("GC cache is not up to date, requeuing to attempt again. gcListResourceVersion: %d, listResourceVersion: %d", gcListResourceVersion, listResourceVersion)
+	if failedMigration {
+		return nil
 	}
 
-	toBeProcessedSVM, err = svmc.kubeClient.StoragemigrationV1alpha1().
+	_, err = svmc.kubeClient.StoragemigrationV1beta1().
 		StorageVersionMigrations().
 		UpdateStatus(
 			ctx,
-			setStatusConditions(toBeProcessedSVM, svmv1alpha1.MigrationRunning, migrationRunningStatusReason, ""),
+			setStatusConditions(toBeProcessedSVM, svmv1beta1.MigrationSucceeded, migrationSuccessStatusReason, ""),
 			metav1.UpdateOptions{},
 		)
 	if err != nil {
 		return err
 	}
 
+	logger.V(4).Info("Finished syncing svm resource", "key", key, "gr", toBeProcessedSVM.Spec.Resource.String(), "elapsed", time.Since(startTime))
+	return nil
+}
+
+func (svmc *SVMController) runMigration(ctx context.Context, logger klog.Logger, gvr schema.GroupVersionResource, resourceMonitor *garbagecollector.Monitor, toBeProcessedSVM *svmv1beta1.StorageVersionMigration, listResourceVersion string) (err error, failed bool) {
 	gvk, err := svmc.restMapper.KindFor(gvr)
 	if err != nil {
-		return err
+		return svmc.failMigration(ctx, toBeProcessedSVM, err), true
 	}
-
-	// ToDo: implement a mechanism to resume migration from the last migrated resource in case of a failure
-	// process storage migration
 	for _, obj := range resourceMonitor.Store.List() {
 		accessor, err := meta.Accessor(obj)
 		if err != nil {
-			return err
+			return svmc.failMigration(ctx, toBeProcessedSVM, err), true
+		}
+		rvCmp, err := resourceversion.CompareResourceVersion(accessor.GetResourceVersion(), listResourceVersion)
+		if err != nil {
+			logger.V(4).Error(err, "Unable to compare the resource version of the resource", "namespace", accessor.GetNamespace(), "name", accessor.GetName(), "gvr", gvr.String(), "accessorRV", accessor.GetResourceVersion(), "listResourceVersion", listResourceVersion, "error", err.Error())
+			return svmc.failMigration(ctx, toBeProcessedSVM, err), true
+		}
+		if rvCmp == 1 {
+			logger.V(6).Info("Resource ignored due to resource version being greater than the SVM checkpoint", "namespace", accessor.GetNamespace(), "name", accessor.GetName(), "gvr", gvr.String(), "accessorRV", accessor.GetResourceVersion(), "listResourceVersion", listResourceVersion)
+			continue
 		}
 
 		typeMeta := typeMetaUIDRV{}
@@ -284,7 +328,7 @@ func (svmc *SVMController) sync(ctx context.Context, key string) error {
 		typeMeta.ResourceVersion = accessor.GetResourceVersion()
 		data, err := json.Marshal(typeMeta)
 		if err != nil {
-			return err
+			return svmc.failMigration(ctx, toBeProcessedSVM, err), true
 		}
 
 		_, errPatch := svmc.dynamicClient.Resource(gvr).
@@ -307,36 +351,44 @@ func (svmc *SVMController) sync(ctx context.Context, key string) error {
 			continue
 		}
 
+		// in case of retriable errors like server throttling, we can return an error since that will cause the migration to be reattempted.
+		if isRetriableError(errPatch) {
+			logger.V(6).Info("Resource patch failed due to an error that can be retried", "namespace", accessor.GetNamespace(), "name", accessor.GetName(), "gvr", gvr.String(), "err", errPatch)
+			return errPatch, false
+		}
+
 		if errPatch != nil {
 			logger.V(4).Error(errPatch, "Failed to migrate the resource", "namespace", accessor.GetNamespace(), "name", accessor.GetName(), "gvr", gvr.String(), "reason", apierrors.ReasonForError(errPatch))
-
-			_, errStatus := svmc.kubeClient.StoragemigrationV1alpha1().
-				StorageVersionMigrations().
-				UpdateStatus(
-					ctx,
-					setStatusConditions(toBeProcessedSVM, svmv1alpha1.MigrationFailed, migrationFailedStatusReason, "migration encountered unhandled error"),
-					metav1.UpdateOptions{},
-				)
-
-			return errStatus
-			// Todo: add retry for scenarios where API server returns rate limiting error
+			errStatus := svmc.failMigration(ctx, toBeProcessedSVM, errPatch)
+			return errStatus, true
 		}
 		logger.V(4).Info("Successfully migrated the resource", "namespace", accessor.GetNamespace(), "name", accessor.GetName(), "gvr", gvr.String())
 	}
+	return nil, false
+}
+
+func isRetriableError(k8sError error) bool {
+	return utilnet.IsConnectionReset(k8sError) ||
+		utilnet.IsHTTP2ConnectionLost(k8sError) ||
+		utilnet.IsProbableEOF(k8sError) ||
+		apierrors.IsServerTimeout(k8sError) ||
+		apierrors.IsTooManyRequests(k8sError) ||
+		apierrors.IsServiceUnavailable(k8sError) ||
+		apierrors.IsInternalError(k8sError) ||
+		apierrors.IsTimeout(k8sError)
+}
 
-	_, err = svmc.kubeClient.StoragemigrationV1alpha1().
+func (svmc *SVMController) failMigration(ctx context.Context, toBeProcessedSVM *svmv1beta1.StorageVersionMigration, err error) error {
+	errMsg := fmt.Sprintf("migration encountered unhandled error: %s", err)
+
+	_, errStatus := svmc.kubeClient.StoragemigrationV1beta1().
 		StorageVersionMigrations().
 		UpdateStatus(
 			ctx,
-			setStatusConditions(toBeProcessedSVM, svmv1alpha1.MigrationSucceeded, migrationSuccessStatusReason, ""),
+			setStatusConditions(toBeProcessedSVM, svmv1beta1.MigrationFailed, migrationFailedStatusReason, errMsg),
 			metav1.UpdateOptions{},
 		)
-	if err != nil {
-		return err
-	}
-
-	logger.V(4).Info("Finished syncing svm resource", "key", key, "gvr", gvr.String(), "elapsed", time.Since(startTime))
-	return nil
+	return errStatus
 }
 
 type typeMetaUIDRV struct {
diff --git a/pkg/controller/storageversionmigrator/storageversionmigrator_test.go b/pkg/controller/storageversionmigrator/storageversionmigrator_test.go
new file mode 100644
index 0000000000000..01abee132482d
--- /dev/null
+++ b/pkg/controller/storageversionmigrator/storageversionmigrator_test.go
@@ -0,0 +1,553 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storageversionmigrator
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	dynamicfake "k8s.io/client-go/dynamic/fake"
+	"k8s.io/client-go/informers"
+	svminformers "k8s.io/client-go/informers/storagemigration/v1beta1"
+	"k8s.io/client-go/kubernetes"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	k8stesting "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/kubernetes/pkg/controller/garbagecollector"
+)
+
+var (
+	testGVR = schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}
+	testGVK = schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"}
+)
+
+type mockGraphBuilder struct {
+	monitor  *mockMonitor
+	notFound bool
+	err      error
+}
+
+func (m *mockGraphBuilder) GetMonitor(_ context.Context, _ schema.GroupVersionResource) (*garbagecollector.Monitor, bool, error) {
+	if m.monitor != nil {
+		return &m.monitor.Monitor, !m.notFound, m.err
+	}
+	return nil, !m.notFound, m.err
+}
+
+type mockMonitor struct {
+	garbagecollector.Monitor
+}
+
+type mockResourceSyncer struct {
+	cache.Controller
+	lastSyncRV string
+}
+
+func (m *mockResourceSyncer) LastSyncResourceVersion() string {
+	return m.lastSyncRV
+}
+
+func newMockMonitor(lastSyncRV string, items []runtime.Object) *mockMonitor {
+	store := cache.NewStore(cache.DeletionHandlingMetaNamespaceKeyFunc)
+	for _, item := range items {
+		_ = store.Add(item)
+	}
+
+	return &mockMonitor{
+		Monitor: garbagecollector.Monitor{
+			Store: store,
+			Controller: &mockResourceSyncer{
+				lastSyncRV: lastSyncRV,
+			},
+		},
+	}
+}
+
+func newTestSVMController(
+	kubeClient kubernetes.Interface,
+	svmInformer svminformers.StorageVersionMigrationInformer,
+	graphBuilder *mockGraphBuilder,
+) *SVMController {
+	dynamicClient := dynamicfake.NewSimpleDynamicClient(runtime.NewScheme())
+	mapper := meta.NewDefaultRESTMapper([]schema.GroupVersion{testGVK.GroupVersion()})
+	mapper.Add(testGVK, meta.RESTScopeNamespace)
+
+	return &SVMController{
+		controllerName:         "test-svm-controller",
+		kubeClient:             kubeClient,
+		dynamicClient:          dynamicClient,
+		svmListers:             svmInformer.Lister(),
+		svmSynced:              func() bool { return true },
+		restMapper:             mapper,
+		dependencyGraphBuilder: graphBuilder,
+	}
+}
+
+func newSVM(name, resourceVersion string, conditions ...metav1.Condition) *svmv1beta1.StorageVersionMigration {
+	return &svmv1beta1.StorageVersionMigration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:              name,
+			CreationTimestamp: metav1.Now(),
+		},
+		Spec: svmv1beta1.StorageVersionMigrationSpec{
+			Resource: metav1.GroupResource{
+				Group:    testGVR.Group,
+				Resource: testGVR.Resource,
+			},
+		},
+		Status: svmv1beta1.StorageVersionMigrationStatus{
+			ResourceVersion: resourceVersion,
+			Conditions:      conditions,
+		},
+	}
+}
+
+func newSVMWithConditions(name, resourceVersion string, conditions []metav1.Condition) *svmv1beta1.StorageVersionMigration {
+	svm := newSVM(name, resourceVersion)
+	svm.Status.Conditions = conditions
+	return svm
+}
+
+func TestSync(t *testing.T) {
+	newResource := func(name, namespace, rv, uid string) *unstructured.Unstructured {
+		return &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"apiVersion": "apps/v1",
+				"kind":       "Deployment",
+				"metadata": map[string]interface{}{
+					"name":            name,
+					"namespace":       namespace,
+					"resourceVersion": rv,
+					"uid":             uid,
+				},
+			},
+		}
+	}
+
+	// TODO: Add mock discovery
+	testCases := []struct {
+		name                 string
+		key                  string
+		svm                  *svmv1beta1.StorageVersionMigration
+		graphBuilder         *mockGraphBuilder
+		expectErr            bool
+		expectKubeActions    []k8stesting.Action
+		expectDynamicActions []k8stesting.Action
+		dynamicClientErrors  map[string]error
+	}{
+		{
+			name: "Successful migration",
+			key:  "test-svm",
+			svm:  newSVM("test-svm", "100"),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("100", []runtime.Object{
+					newResource("res1", "ns1", "90", "uid1"),
+					newResource("res2", "ns1", "100", "uid2"),
+					newResource("res3", "ns2", "101", "uid3"), // Should be skipped
+				}),
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{{
+						Type:   string(svmv1beta1.MigrationRunning),
+						Status: metav1.ConditionTrue,
+					}}),
+				),
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionFalse,
+						},
+						{
+							Type:   string(svmv1beta1.MigrationSucceeded),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+			expectDynamicActions: []k8stesting.Action{
+				k8stesting.NewPatchAction(testGVR, "ns1", "res1", types.ApplyPatchType, mustMarshal(t, typeMetaUIDRV{
+					TypeMeta:           metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					objectMetaUIDandRV: objectMetaUIDandRV{UID: "uid1", ResourceVersion: "90"},
+				})),
+				k8stesting.NewPatchAction(testGVR, "ns1", "res2", types.ApplyPatchType, mustMarshal(t, typeMetaUIDRV{
+					TypeMeta:           metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					objectMetaUIDandRV: objectMetaUIDandRV{UID: "uid2", ResourceVersion: "100"},
+				})),
+			},
+		},
+		{
+			name:      "SVM not found",
+			key:       "non-existent-svm",
+			svm:       nil,
+			expectErr: false,
+		},
+		{
+			name: "SVM already succeeded",
+			key:  "succeeded-svm",
+			svm: newSVM("succeeded-svm", "100", metav1.Condition{
+				Type:   string(svmv1beta1.MigrationSucceeded),
+				Status: metav1.ConditionTrue,
+			}),
+			expectErr: false,
+		},
+		{
+			name: "GC cache is not up to date",
+			key:  "stale-gc-svm",
+			svm:  newSVM("stale-gc-svm", "100"),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("99", []runtime.Object{}), // GC RV is less than SVM RV
+			},
+			expectErr: true,
+		},
+		{
+			name: "Resource not in GC",
+			key:  "no-resource",
+			svm: func() *svmv1beta1.StorageVersionMigration {
+				s := newSVM("no-resource", "100")
+				s.CreationTimestamp = metav1.NewTime(time.Now().Add(-2 * time.Minute))
+				return s
+			}(),
+			graphBuilder: &mockGraphBuilder{
+				monitor:  newMockMonitor("99", []runtime.Object{}),
+				notFound: true,
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{{
+						Type:   string(svmv1beta1.MigrationFailed),
+						Status: metav1.ConditionTrue,
+					}}),
+				),
+			},
+		},
+		{
+			name: "Fatal patch error fails migration",
+			key:  "fatal-error-svm",
+			svm:  newSVM("fatal-error-svm", "100"),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("100", []runtime.Object{
+					newResource("res1", "ns1", "90", "uid1"),
+				}),
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{{
+						Type:   string(svmv1beta1.MigrationRunning),
+						Status: metav1.ConditionTrue,
+					}}),
+				),
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionFalse,
+						},
+						{
+							Type:   string(svmv1beta1.MigrationFailed),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+			dynamicClientErrors: map[string]error{
+				"ns1/res1": fmt.Errorf("fatal error"),
+			},
+		},
+		{
+			name: "Conflict on patch is ignored",
+			key:  "conflict-svm",
+			svm:  newSVM("conflict-svm", "100"),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("100", []runtime.Object{
+					newResource("res1", "ns1", "90", "uid1"),
+					newResource("res2", "ns2", "95", "uid2"),
+				}),
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionFalse,
+						},
+						{
+							Type:   string(svmv1beta1.MigrationSucceeded),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+			expectDynamicActions: []k8stesting.Action{
+				k8stesting.NewPatchAction(testGVR, "ns1", "res1", types.ApplyPatchType, mustMarshal(t, typeMetaUIDRV{
+					TypeMeta:           metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					objectMetaUIDandRV: objectMetaUIDandRV{UID: "uid1", ResourceVersion: "90"},
+				})),
+				k8stesting.NewPatchAction(testGVR, "ns2", "res2", types.ApplyPatchType, mustMarshal(t, typeMetaUIDRV{
+					TypeMeta:           metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					objectMetaUIDandRV: objectMetaUIDandRV{UID: "uid2", ResourceVersion: "95"},
+				})),
+			},
+			dynamicClientErrors: map[string]error{
+				"ns1/res1": apierrors.NewConflict(schema.GroupResource{Group: "apps", Resource: "deployments"}, "res1", nil),
+			},
+		},
+		{
+			name: "Retriable patch error is returned directly",
+			key:  "retriable-error-svm",
+			svm:  newSVM("retriable-error-svm", "100"),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("100", []runtime.Object{
+					newResource("res1", "ns1", "90", "uid1"),
+				}),
+			},
+			dynamicClientErrors: map[string]error{
+				"ns1/res1": apierrors.NewTooManyRequests("simulating throttling", 1),
+			},
+			expectErr: true,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+			expectDynamicActions: []k8stesting.Action{
+				k8stesting.NewPatchAction(testGVR, "ns1", "res1", types.ApplyPatchType, mustMarshal(t, typeMetaUIDRV{
+					TypeMeta:           metav1.TypeMeta{APIVersion: "apps/v1", Kind: "Deployment"},
+					objectMetaUIDandRV: objectMetaUIDandRV{UID: "uid1", ResourceVersion: "90"},
+				})),
+			},
+		},
+		{
+			name: "Incomparable resource version for gc fails migration",
+			key:  "incomparable-resource",
+			svm: func() *svmv1beta1.StorageVersionMigration {
+				s := newSVM("incomparable-resource", "100")
+				s.CreationTimestamp = metav1.NewTime(time.Now().Add(-2 * time.Minute))
+				return s
+			}(),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("abc", []runtime.Object{
+					newResource("res1", "ns1", "90", "uid1"),
+				}),
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{{
+						Type:   string(svmv1beta1.MigrationFailed),
+						Status: metav1.ConditionTrue,
+					}}),
+				),
+			},
+		},
+		{
+			name: "Incomparable resource version for object fails migration",
+			key:  "incomparable-resource-obj",
+			svm: func() *svmv1beta1.StorageVersionMigration {
+				s := newSVM("incomparable-resource-obj", "100")
+				s.CreationTimestamp = metav1.NewTime(time.Now().Add(-2 * time.Minute))
+				return s
+			}(),
+			graphBuilder: &mockGraphBuilder{
+				monitor: newMockMonitor("100", []runtime.Object{
+					newResource("res1", "ns1", "abc", "uid1"),
+				}),
+			},
+			expectErr: false,
+			expectKubeActions: []k8stesting.Action{
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+				k8stesting.NewUpdateAction(
+					svmv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+					"",
+					newSVMWithConditions("test-svm", "100", []metav1.Condition{
+						{
+							Type:   string(svmv1beta1.MigrationRunning),
+							Status: metav1.ConditionFalse,
+						},
+						{
+							Type:   string(svmv1beta1.MigrationFailed),
+							Status: metav1.ConditionTrue,
+						},
+					}),
+				),
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			var initialSVMs []runtime.Object
+			if tc.svm != nil {
+				initialSVMs = append(initialSVMs, tc.svm)
+			}
+			kubeClient := kubefake.NewClientset(initialSVMs...)
+			kubeInformerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
+			svmInformer := kubeInformerFactory.Storagemigration().V1beta1().StorageVersionMigrations()
+
+			if tc.svm != nil {
+				err := svmInformer.Informer().GetStore().Add(tc.svm)
+				require.NoError(t, err)
+			}
+
+			controller := newTestSVMController(kubeClient, svmInformer, tc.graphBuilder)
+
+			dynamicClient := controller.dynamicClient.(*dynamicfake.FakeDynamicClient)
+			dynamicClient.PrependReactor("patch", "*", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+				patchAction := action.(k8stesting.PatchAction)
+				key := fmt.Sprintf("%s/%s", patchAction.GetNamespace(), patchAction.GetName())
+				if err, found := tc.dynamicClientErrors[key]; found {
+					return true, nil, err
+				}
+				return true, nil, nil
+			})
+
+			err := controller.sync(ctx, tc.key)
+
+			if tc.expectErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+
+			if tc.expectKubeActions != nil {
+				kubeActions := filterActions(kubeClient.Actions())
+				require.Len(t, kubeActions, len(tc.expectKubeActions), "mismatched number of kube client actions")
+
+				for i, expected := range tc.expectKubeActions {
+					actual := kubeActions[i]
+					require.Equal(t, expected.GetVerb(), actual.GetVerb(), "kube action %d: verb mismatch", i)
+					require.Equal(t, expected.GetResource(), actual.GetResource(), "kube action %d: resource mismatch", i)
+
+					actualSvm := actual.(k8stesting.UpdateAction).GetObject().(*svmv1beta1.StorageVersionMigration)
+					expectedSvm := expected.(k8stesting.UpdateAction).GetObject().(*svmv1beta1.StorageVersionMigration)
+					expectedConditions := expectedSvm.Status.Conditions
+					actualConditions := actualSvm.Status.Conditions
+					require.Len(t, expectedConditions, len(actualConditions), "kube action %d: conditions mismatch", i)
+					for j, expectedCondition := range expectedConditions {
+						actualCondition := actualConditions[j]
+						require.Equal(t, expectedCondition.Type, actualCondition.Type, "kube action %d: condition type mismatch", i)
+						require.Equal(t, expectedCondition.Status, actualCondition.Status, "kube action %d: condition status mismatch", i)
+					}
+				}
+			}
+
+			if tc.expectDynamicActions != nil {
+				dynamicActions := filterActions(dynamicClient.Actions())
+				require.Len(t, dynamicActions, len(tc.expectDynamicActions), "mismatched number of dynamic client actions")
+				sortPatchActions(dynamicActions)
+				sortPatchActions(tc.expectDynamicActions)
+
+				for i, expected := range tc.expectDynamicActions {
+					actual := dynamicActions[i]
+					require.Equal(t, expected.GetVerb(), actual.GetVerb(), "dynamic action %d: verb mismatch", i)
+					require.Equal(t, expected.GetResource(), actual.GetResource(), "dynamic action %d: resource mismatch", i)
+
+					if expectedPatch, ok := expected.(k8stesting.PatchAction); ok {
+						actualPatch := actual.(k8stesting.PatchAction)
+						require.Equal(t, string(expectedPatch.GetPatch()), string(actualPatch.GetPatch()), "dynamic action %d: patch payload mismatch", i)
+					}
+				}
+			}
+		})
+	}
+}
+
+func mustMarshal(t *testing.T, obj interface{}) []byte {
+	data, err := json.Marshal(obj)
+	require.NoError(t, err)
+	return data
+}
+
+func filterActions(actions []k8stesting.Action) []k8stesting.Action {
+	var relevantActions []k8stesting.Action
+	for _, action := range actions {
+		if action.GetVerb() == "update" || action.GetVerb() == "patch" {
+			relevantActions = append(relevantActions, action)
+		}
+	}
+	return relevantActions
+}
+
+func sortPatchActions(actions []k8stesting.Action) {
+	sort.Slice(actions, func(i, j int) bool {
+		actionI := actions[i].(k8stesting.PatchAction)
+		actionJ := actions[j].(k8stesting.PatchAction)
+		if actionI.GetNamespace() != actionJ.GetNamespace() {
+			return actionI.GetNamespace() < actionJ.GetNamespace()
+		}
+		return actionI.GetName() < actionJ.GetName()
+	})
+}
diff --git a/pkg/controller/storageversionmigrator/util.go b/pkg/controller/storageversionmigrator/util.go
index 816f85f1b39d7..78f64e605e0ea 100644
--- a/pkg/controller/storageversionmigrator/util.go
+++ b/pkg/controller/storageversionmigrator/util.go
@@ -17,69 +17,38 @@ limitations under the License.
 package storageversionmigrator
 
 import (
-	"fmt"
-	"strconv"
+	"k8s.io/apimachinery/pkg/api/meta"
 
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
-	corev1 "k8s.io/api/core/v1"
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func convertResourceVersionToInt(rv string) (int64, error) {
-	resourceVersion, err := strconv.ParseInt(rv, 10, 64)
-	if err != nil {
-		return 0, fmt.Errorf("failed to parse resource version %q: %w", rv, err)
-	}
-
-	return resourceVersion, nil
-}
-
-func getGVRFromResource(svm *svmv1alpha1.StorageVersionMigration) schema.GroupVersionResource {
-	return schema.GroupVersionResource{
-		Group:    svm.Spec.Resource.Group,
-		Version:  svm.Spec.Resource.Version,
-		Resource: svm.Spec.Resource.Resource,
+func setStatusConditions(
+	toBeUpdatedSVM *svmv1beta1.StorageVersionMigration,
+	conditionType svmv1beta1.MigrationConditionType,
+	reason, message string,
+) *svmv1beta1.StorageVersionMigration {
+	// Cannot set the condition twice.
+	if meta.IsStatusConditionTrue(toBeUpdatedSVM.Status.Conditions, string(conditionType)) ||
+		meta.IsStatusConditionFalse(toBeUpdatedSVM.Status.Conditions, string(conditionType)) {
+		return toBeUpdatedSVM
 	}
-}
 
-// IsConditionTrue returns true if the StorageVersionMigration has the given condition
-// It is exported for use in tests
-func IsConditionTrue(svm *svmv1alpha1.StorageVersionMigration, conditionType svmv1alpha1.MigrationConditionType) bool {
-	return indexOfCondition(svm, conditionType) != -1
-}
-
-func indexOfCondition(svm *svmv1alpha1.StorageVersionMigration, conditionType svmv1alpha1.MigrationConditionType) int {
-	for i, c := range svm.Status.Conditions {
-		if c.Type == conditionType && c.Status == corev1.ConditionTrue {
-			return i
+	if conditionType == svmv1beta1.MigrationSucceeded || conditionType == svmv1beta1.MigrationFailed {
+		// set running condition to false if we're finished
+		runningCond := meta.FindStatusCondition(toBeUpdatedSVM.Status.Conditions, string(svmv1beta1.MigrationRunning))
+		if runningCond != nil {
+			runningCond.Status = metav1.ConditionFalse
 		}
 	}
-	return -1
-}
-
-func setStatusConditions(
-	toBeUpdatedSVM *svmv1alpha1.StorageVersionMigration,
-	conditionType svmv1alpha1.MigrationConditionType,
-	reason, message string,
-) *svmv1alpha1.StorageVersionMigration {
-	if !IsConditionTrue(toBeUpdatedSVM, conditionType) {
-		if conditionType == svmv1alpha1.MigrationSucceeded || conditionType == svmv1alpha1.MigrationFailed {
-			runningConditionIdx := indexOfCondition(toBeUpdatedSVM, svmv1alpha1.MigrationRunning)
-			if runningConditionIdx != -1 {
-				toBeUpdatedSVM.Status.Conditions[runningConditionIdx].Status = corev1.ConditionFalse
-			}
-		}
 
-		toBeUpdatedSVM.Status.Conditions = append(toBeUpdatedSVM.Status.Conditions, svmv1alpha1.MigrationCondition{
-			Type:           conditionType,
-			Status:         corev1.ConditionTrue,
-			LastUpdateTime: metav1.Now(),
-			Reason:         reason,
-			Message:        message,
-		})
-	}
+	toBeUpdatedSVM.Status.Conditions = append(toBeUpdatedSVM.Status.Conditions, metav1.Condition{
+		Type:               string(conditionType),
+		Status:             metav1.ConditionTrue,
+		LastTransitionTime: metav1.Now(),
+		Reason:             reason,
+		Message:            message,
+	})
 
 	return toBeUpdatedSVM
 }
diff --git a/pkg/controller/tainteviction/taint_eviction.go b/pkg/controller/tainteviction/taint_eviction.go
index 4e505c06ffe46..2f0a291cacc06 100644
--- a/pkg/controller/tainteviction/taint_eviction.go
+++ b/pkg/controller/tainteviction/taint_eviction.go
@@ -278,25 +278,27 @@ func New(ctx context.Context, c clientset.Interface, podInformer corev1informers
 // Run starts the controller which will run in loop until `stopCh` is closed.
 func (tc *Controller) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting", "controller", tc.name)
-	defer logger.Info("Shutting down controller", "controller", tc.name)
 
 	// Start events processing pipeline.
 	tc.broadcaster.StartStructuredLogging(3)
-	if tc.client != nil {
-		logger.Info("Sending events to api server")
-		tc.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
-	} else {
-		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-	}
+	tc.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
+	logger.Info("Sending events to API server")
 	defer tc.broadcaster.Shutdown()
-	defer tc.nodeUpdateQueue.ShutDown()
-	defer tc.podUpdateQueue.ShutDown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down controller", "controller", tc.name)
+		tc.nodeUpdateQueue.ShutDown()
+		tc.podUpdateQueue.ShutDown()
+		tc.taintEvictionQueue.CancelAndWait()
+		wg.Wait()
+	}()
 
 	// wait for the cache to be synced
-	if !cache.WaitForNamedCacheSync(tc.name, ctx.Done(), tc.podListerSynced, tc.nodeListerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.podListerSynced, tc.nodeListerSynced) {
 		return
 	}
 
@@ -305,9 +307,8 @@ func (tc *Controller) Run(ctx context.Context) {
 		tc.podUpdateChannels = append(tc.podUpdateChannels, make(chan podUpdateItem, podUpdateChannelSize))
 	}
 
-	// Functions that are responsible for taking work items out of the workqueues and putting them
-	// into channels.
-	go func(stopCh <-chan struct{}) {
+	// Functions that are responsible for taking work items out of the workqueues and putting them into channels.
+	wg.Go(func() {
 		for {
 			nodeUpdate, shutdown := tc.nodeUpdateQueue.Get()
 			if shutdown {
@@ -315,16 +316,16 @@ func (tc *Controller) Run(ctx context.Context) {
 			}
 			hash := hash(nodeUpdate.nodeName, UpdateWorkerSize)
 			select {
-			case <-stopCh:
+			case <-ctx.Done():
 				tc.nodeUpdateQueue.Done(nodeUpdate)
 				return
 			case tc.nodeUpdateChannels[hash] <- nodeUpdate:
 				// tc.nodeUpdateQueue.Done is called by the nodeUpdateChannels worker
 			}
 		}
-	}(ctx.Done())
+	})
 
-	go func(stopCh <-chan struct{}) {
+	wg.Go(func() {
 		for {
 			podUpdate, shutdown := tc.podUpdateQueue.Get()
 			if shutdown {
@@ -336,33 +337,31 @@ func (tc *Controller) Run(ctx context.Context) {
 			// It's possible that even without this assumption this code is still correct.
 			hash := hash(podUpdate.nodeName, UpdateWorkerSize)
 			select {
-			case <-stopCh:
+			case <-ctx.Done():
 				tc.podUpdateQueue.Done(podUpdate)
 				return
 			case tc.podUpdateChannels[hash] <- podUpdate:
 				// tc.podUpdateQueue.Done is called by the podUpdateChannels worker
 			}
 		}
-	}(ctx.Done())
+	})
 
-	wg := sync.WaitGroup{}
-	wg.Add(UpdateWorkerSize)
 	for i := 0; i < UpdateWorkerSize; i++ {
-		go tc.worker(ctx, i, wg.Done, ctx.Done())
+		wg.Go(func() {
+			tc.worker(ctx, i)
+		})
 	}
-	wg.Wait()
+	<-ctx.Done()
 }
 
-func (tc *Controller) worker(ctx context.Context, worker int, done func(), stopCh <-chan struct{}) {
-	defer done()
-
+func (tc *Controller) worker(ctx context.Context, worker int) {
 	// When processing events we want to prioritize Node updates over Pod updates,
 	// as NodeUpdates that interest the controller should be handled as soon as possible -
 	// we don't want user (or system) to wait until PodUpdate queue is drained before it can
 	// start evicting Pods from tainted Nodes.
 	for {
 		select {
-		case <-stopCh:
+		case <-ctx.Done():
 			return
 		case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
 			tc.handleNodeUpdate(ctx, nodeUpdate)
@@ -461,7 +460,7 @@ func (tc *Controller) processPodOnNode(
 	if len(taints) == 0 {
 		tc.cancelWorkWithEvent(logger, podNamespacedName)
 	}
-	allTolerated, usedTolerations := v1helper.GetMatchingTolerations(taints, tolerations)
+	allTolerated, usedTolerations := v1helper.GetMatchingTolerations(logger, taints, tolerations)
 	if !allTolerated {
 		logger.V(2).Info("Not all taints are tolerated after update for pod on node", "pod", podNamespacedName.String(), "node", klog.KRef("", nodeName))
 		// We're canceling scheduled work (if any), as we're going to delete the Pod right away.
diff --git a/pkg/controller/tainteviction/taint_eviction_test.go b/pkg/controller/tainteviction/taint_eviction_test.go
index 6c933d5f23d10..38773a156ca8b 100644
--- a/pkg/controller/tainteviction/taint_eviction_test.go
+++ b/pkg/controller/tainteviction/taint_eviction_test.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	goruntime "runtime"
 	"sort"
+	"sync"
 	"testing"
 	"time"
 
@@ -192,13 +193,20 @@ func TestCreatePod(t *testing.T) {
 
 	for _, item := range testCases {
 		t.Run(item.description, func(t *testing.T) {
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
 			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.pod}})
 			controller, podIndexer, _ := setupNewController(ctx, fakeClientset)
 			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
 			controller.taintedNodes = item.taintedNodes
 
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
+
 			podIndexer.Add(item.pod)
 			controller.PodUpdated(nil, item.pod)
 
@@ -210,13 +218,17 @@ func TestCreatePod(t *testing.T) {
 }
 
 func TestDeletePod(t *testing.T) {
+	var wg sync.WaitGroup
+	defer wg.Wait()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	fakeClientset := fake.NewSimpleClientset()
 	controller, _, _ := setupNewController(ctx, fakeClientset)
 	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
+	wg.Go(func() {
+		controller.Run(ctx)
+	})
 	controller.taintedNodes = map[string][]corev1.Taint{
 		"node1": {createNoExecuteTaint(1)},
 	}
@@ -286,12 +298,20 @@ func TestUpdatePod(t *testing.T) {
 				// TODO: remove skip once the flaking test has been fixed.
 				t.Skip("Skip flaking test on Windows.")
 			}
+
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
 			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.prevPod}})
 			controller, podIndexer, _ := setupNewController(context.TODO(), fakeClientset)
 			controller.recorder = testutil.NewFakeRecorder()
 			controller.taintedNodes = item.taintedNodes
-			go controller.Run(ctx)
+
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
 
 			podIndexer.Add(item.prevPod)
 			controller.PodUpdated(nil, item.prevPod)
@@ -354,29 +374,49 @@ func TestCreateNode(t *testing.T) {
 	}
 
 	for _, item := range testCases {
-		ctx, cancel := context.WithCancel(context.Background())
-		fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-		controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-		nodeIndexer.Add(item.node)
-		controller.recorder = testutil.NewFakeRecorder()
-		go controller.Run(ctx)
-		controller.NodeUpdated(nil, item.node)
+		t.Run(item.description, func(t *testing.T) {
+			var wg sync.WaitGroup
+			defer wg.Wait()
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
 
-		verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+			fakeClientset := fake.NewClientset(&corev1.PodList{Items: item.pods})
+			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
+			if err := nodeIndexer.Add(item.node); err != nil {
+				t.Fatalf("Failed to add node %q: %v", item.node.GetName(), err)
+			}
+			controller.recorder = testutil.NewFakeRecorder()
+
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
+
+			controller.NodeUpdated(nil, item.node)
+
+			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
 
-		cancel()
+			cancel()
+		})
 	}
 }
 
 func TestDeleteNode(t *testing.T) {
+	var wg sync.WaitGroup
+	defer wg.Wait()
 	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
 	fakeClientset := fake.NewSimpleClientset()
 	controller, _, _ := setupNewController(ctx, fakeClientset)
 	controller.recorder = testutil.NewFakeRecorder()
 	controller.taintedNodes = map[string][]corev1.Taint{
 		"node1": {createNoExecuteTaint(1)},
 	}
-	go controller.Run(ctx)
+
+	wg.Go(func() {
+		controller.Run(ctx)
+	})
+
 	controller.NodeUpdated(testutil.NewNode("node1"), nil)
 
 	// await until controller.taintedNodes is empty
@@ -389,7 +429,6 @@ func TestDeleteNode(t *testing.T) {
 	if err != nil {
 		t.Errorf("Failed to await for processing node deleted: %q", err)
 	}
-	cancel()
 }
 
 func TestUpdateNode(t *testing.T) {
@@ -475,6 +514,8 @@ func TestUpdateNode(t *testing.T) {
 
 	for _, item := range testCases {
 		t.Run(item.description, func(t *testing.T) {
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
@@ -482,7 +523,11 @@ func TestUpdateNode(t *testing.T) {
 			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
 			nodeIndexer.Add(item.newNode)
 			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
+
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
+
 			controller.NodeUpdated(item.oldNode, item.newNode)
 
 			if item.additionalSleep > 0 {
@@ -514,11 +559,18 @@ func TestUpdateNodeWithMultipleTaints(t *testing.T) {
 	singleTaintedNode := testutil.NewNode("node1")
 	singleTaintedNode.Spec.Taints = []corev1.Taint{taint1}
 
-	ctx, cancel := context.WithCancel(context.TODO())
+	var wg sync.WaitGroup
+	defer wg.Wait()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
 	fakeClientset := fake.NewSimpleClientset(pod)
 	controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
 	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
+
+	wg.Go(func() {
+		controller.Run(ctx)
+	})
 
 	// no taint
 	nodeIndexer.Add(untaintedNode)
@@ -558,7 +610,6 @@ func TestUpdateNodeWithMultipleTaints(t *testing.T) {
 			t.Error("Unexpected deletion")
 		}
 	}
-	cancel()
 }
 
 func TestUpdateNodeWithMultiplePods(t *testing.T) {
@@ -601,6 +652,9 @@ func TestUpdateNodeWithMultiplePods(t *testing.T) {
 	for _, item := range testCases {
 		t.Run(item.description, func(t *testing.T) {
 			t.Logf("Starting testcase %q", item.description)
+
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
@@ -609,7 +663,11 @@ func TestUpdateNodeWithMultiplePods(t *testing.T) {
 			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
 			nodeIndexer.Add(item.newNode)
 			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
+
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
+
 			controller.NodeUpdated(item.oldNode, item.newNode)
 
 			startedAt := time.Now()
@@ -809,6 +867,8 @@ func TestEventualConsistency(t *testing.T) {
 
 	for _, item := range testCases {
 		t.Run(item.description, func(t *testing.T) {
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
@@ -816,7 +876,10 @@ func TestEventualConsistency(t *testing.T) {
 			controller, podIndexer, nodeIndexer := setupNewController(ctx, fakeClientset)
 			nodeIndexer.Add(item.newNode)
 			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
+
+			wg.Go(func() {
+				controller.Run(ctx)
+			})
 
 			if item.prevPod != nil {
 				podIndexer.Add(item.prevPod)
diff --git a/pkg/controller/tainteviction/timed_workers.go b/pkg/controller/tainteviction/timed_workers.go
index 3bb2e48d0a7b3..bd9b4a326cacb 100644
--- a/pkg/controller/tainteviction/timed_workers.go
+++ b/pkg/controller/tainteviction/timed_workers.go
@@ -19,6 +19,7 @@ package tainteviction
 import (
 	"context"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"k8s.io/apimachinery/pkg/types"
@@ -54,35 +55,54 @@ type TimedWorker struct {
 	CreatedAt time.Time
 	FireAt    time.Time
 	Timer     clock.Timer
+	cancelled atomic.Bool
 }
 
 // createWorker creates a TimedWorker that will execute `f` not earlier than `fireAt`.
 // Returns nil if the work was started immediately and doesn't need a timer.
-func createWorker(ctx context.Context, args *WorkArgs, createdAt time.Time, fireAt time.Time, f func(ctx context.Context, fireAt time.Time, args *WorkArgs) error, clock clock.WithDelayedExecution) *TimedWorker {
+func createWorker(ctx context.Context, wg *sync.WaitGroup, args *WorkArgs, createdAt time.Time, fireAt time.Time, f func(ctx context.Context, fireAt time.Time, args *WorkArgs) error, clock clock.WithDelayedExecution) *TimedWorker {
 	delay := fireAt.Sub(createdAt)
 	logger := klog.FromContext(ctx)
-	fWithErrorLogging := func() {
-		err := f(ctx, fireAt, args)
-		if err != nil {
-			logger.Error(err, "TaintEvictionController: timed worker failed")
-		}
-	}
-	if delay <= 0 {
-		go fWithErrorLogging()
-		return nil
-	}
-	timer := clock.AfterFunc(delay, fWithErrorLogging)
-	return &TimedWorker{
+
+	worker := TimedWorker{
 		WorkItem:  args,
 		CreatedAt: createdAt,
 		FireAt:    fireAt,
-		Timer:     timer,
 	}
+
+	// This dance with the cancelled flag is here so that we can be sure that once TimedWorker.Cancel returns,
+	// we either never get to any processing, or the thread is already registered with the WaitGroup.
+	// Otherwise, the following sequence can happen:
+	//   1. TimedWorker.Timer fires and gets to go wrapper().
+	//   2. TimedWorker.Cancel is called to stop the timer, but a goroutine is already running.
+	//      It's started, but wg.Go hasn't been called yet to register the goroutine.
+	//   3. We call wg.Wait, which unblocks, because the inner wg.Go hasn't been called yet.
+	//      This causes wg.Wait to unblock after TimedWorker.Cancel is called and still start a goroutine.
+	// So in our case we can still get to starting an unregistered goroutine, but it will exit immediately.
+	wrapper := func() {
+		wg.Go(func() {
+			if worker.cancelled.Load() {
+				return
+			}
+			if err := f(ctx, fireAt, args); err != nil {
+				logger.Error(err, "TaintEvictionController: timed worker failed")
+			}
+		})
+	}
+	if delay <= 0 {
+		wrapper()
+		return nil
+	}
+	worker.Timer = clock.AfterFunc(delay, wrapper)
+	return &worker
 }
 
 // Cancel cancels the execution of function by the `TimedWorker`
 func (w *TimedWorker) Cancel() {
 	if w != nil {
+		// Mark the worker as cancelled.
+		// This ensures the worker is either already running or unstarted on return from Cancel.
+		w.cancelled.Store(true)
 		w.Timer.Stop()
 	}
 }
@@ -93,6 +113,7 @@ type TimedWorkerQueue struct {
 	// map of workers keyed by string returned by 'KeyFromWorkArgs' from the given worker.
 	// Entries may be nil if the work didn't need a timer and is already running.
 	workers  map[string]*TimedWorker
+	workerWG sync.WaitGroup
 	workFunc func(ctx context.Context, fireAt time.Time, args *WorkArgs) error
 	clock    clock.WithDelayedExecution
 }
@@ -134,7 +155,7 @@ func (q *TimedWorkerQueue) AddWork(ctx context.Context, args *WorkArgs, createdA
 		return
 	}
 	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
-	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
+	worker := createWorker(ctx, &q.workerWG, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
 	q.workers[key] = worker
 }
 
@@ -159,7 +180,7 @@ func (q *TimedWorkerQueue) UpdateWork(ctx context.Context, args *WorkArgs, creat
 		worker.Cancel()
 	}
 	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
-	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
+	worker := createWorker(ctx, &q.workerWG, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
 	q.workers[key] = worker
 }
 
@@ -189,3 +210,15 @@ func (q *TimedWorkerQueue) GetWorkerUnsafe(key string) *TimedWorker {
 	defer q.Unlock()
 	return q.workers[key]
 }
+
+// CancelAndWait cancels all workers and waits for all running threads to terminate before returning.
+func (q *TimedWorkerQueue) CancelAndWait() {
+	// Wait must be called after Unlock, otherwise this hangs.
+	defer q.workerWG.Wait()
+	q.Lock()
+	defer q.Unlock()
+	for _, worker := range q.workers {
+		worker.Cancel()
+	}
+	q.workers = make(map[string]*TimedWorker)
+}
diff --git a/pkg/controller/tainteviction/timed_workers_test.go b/pkg/controller/tainteviction/timed_workers_test.go
index d39acaed44351..89e2e6e4ffd5a 100644
--- a/pkg/controller/tainteviction/timed_workers_test.go
+++ b/pkg/controller/tainteviction/timed_workers_test.go
@@ -116,7 +116,7 @@ func TestCancel(t *testing.T) {
 	}
 }
 
-func TestCancelAndReadd(t *testing.T) {
+func TestCancelAndRead(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
 	testVal := int32(0)
 	wg := sync.WaitGroup{}
diff --git a/pkg/controller/ttl/ttl_controller.go b/pkg/controller/ttl/ttl_controller.go
index c85758bcf6820..31a2d1cfdf850 100644
--- a/pkg/controller/ttl/ttl_controller.go
+++ b/pkg/controller/ttl/ttl_controller.go
@@ -122,19 +122,26 @@ var (
 // Run begins watching and syncing.
 func (ttlc *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer ttlc.queue.ShutDown()
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting TTL controller")
-	defer logger.Info("Shutting down TTL controller")
 
-	if !cache.WaitForNamedCacheSync("TTL", ctx.Done(), ttlc.hasSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down TTL controller")
+		ttlc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, ttlc.hasSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, ttlc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, ttlc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/ttlafterfinished/ttlafterfinished_controller.go b/pkg/controller/ttlafterfinished/ttlafterfinished_controller.go
index 0ca68cb6e0b13..07fc52558f870 100644
--- a/pkg/controller/ttlafterfinished/ttlafterfinished_controller.go
+++ b/pkg/controller/ttlafterfinished/ttlafterfinished_controller.go
@@ -19,6 +19,7 @@ package ttlafterfinished
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	batch "k8s.io/api/batch/v1"
@@ -106,20 +107,26 @@ func New(ctx context.Context, jobInformer batchinformers.JobInformer, client cli
 // Run starts the workers to clean up Jobs.
 func (tc *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer tc.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting TTL after finished controller")
-	defer logger.Info("Shutting down TTL after finished controller")
 
-	if !cache.WaitForNamedCacheSync("TTL after finished", ctx.Done(), tc.jListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down TTL after finished controller")
+		tc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.jListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, tc.worker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, tc.worker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/validatingadmissionpolicystatus/OWNERS b/pkg/controller/validatingadmissionpolicystatus/OWNERS
index 8667a8f834bc0..c8127545b0e47 100644
--- a/pkg/controller/validatingadmissionpolicystatus/OWNERS
+++ b/pkg/controller/validatingadmissionpolicystatus/OWNERS
@@ -1,6 +1,8 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
+approvers:
+  - sig-api-machinery-approvers
 reviewers:
-  - jiahuif
+  - sig-api-machinery-reviewers
 labels:
   - sig/api-machinery
diff --git a/pkg/controller/validatingadmissionpolicystatus/controller.go b/pkg/controller/validatingadmissionpolicystatus/controller.go
index 4e9bf280c387b..11778e7feef6f 100644
--- a/pkg/controller/validatingadmissionpolicystatus/controller.go
+++ b/pkg/controller/validatingadmissionpolicystatus/controller.go
@@ -19,6 +19,7 @@ package validatingadmissionpolicystatus
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"k8s.io/api/admissionregistration/v1"
@@ -54,15 +55,21 @@ type Controller struct {
 func (c *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
 
-	if !cache.WaitForNamedCacheSync(ControllerName, ctx.Done(), c.policySynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		c.policyQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.policySynced) {
 		return
 	}
 
-	defer c.policyQueue.ShutDown()
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/attachdetach/attach_detach_controller.go b/pkg/controller/volume/attachdetach/attach_detach_controller.go
index 1c98c6159c967..be2f737e153d0 100644
--- a/pkg/controller/volume/attachdetach/attach_detach_controller.go
+++ b/pkg/controller/volume/attachdetach/attach_detach_controller.go
@@ -21,11 +21,9 @@ package attachdetach
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
-	"k8s.io/klog/v2"
-	"k8s.io/mount-utils"
-
 	authenticationv1 "k8s.io/api/authentication/v1"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -45,6 +43,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	csitrans "k8s.io/csi-translation-lib"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/cache"
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/metrics"
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/populator"
@@ -59,6 +58,7 @@ import (
 	"k8s.io/kubernetes/pkg/volume/util/operationexecutor"
 	"k8s.io/kubernetes/pkg/volume/util/subpath"
 	"k8s.io/kubernetes/pkg/volume/util/volumepathhandler"
+	"k8s.io/mount-utils"
 )
 
 // TimerConfig contains configuration of internal attach/detach timers and
@@ -325,7 +325,6 @@ type attachDetachController struct {
 
 func (adc *attachDetachController) Run(ctx context.Context) {
 	defer runtime.HandleCrash()
-	defer adc.pvcQueue.ShutDown()
 
 	// Start events processing pipeline.
 	adc.broadcaster.StartStructuredLogging(3)
@@ -334,11 +333,17 @@ func (adc *attachDetachController) Run(ctx context.Context) {
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting attach detach controller")
-	defer logger.Info("Shutting down attach detach controller")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down attach detach controller")
+		adc.pvcQueue.ShutDown()
+		wg.Wait()
+	}()
 
 	synced := []kcache.InformerSynced{adc.podsSynced, adc.nodesSynced, adc.pvcsSynced, adc.pvsSynced,
 		adc.csiNodeSynced, adc.csiDriversSynced, adc.volumeAttachmentSynced}
-	if !kcache.WaitForNamedCacheSync("attach detach", ctx.Done(), synced...) {
+	if !kcache.WaitForNamedCacheSyncWithContext(ctx, synced...) {
 		return
 	}
 
@@ -350,18 +355,27 @@ func (adc *attachDetachController) Run(ctx context.Context) {
 	if err != nil {
 		logger.Error(err, "Error populating the desired state of world")
 	}
-	go adc.reconciler.Run(ctx)
-	go adc.desiredStateOfWorldPopulator.Run(ctx)
-	go wait.UntilWithContext(ctx, adc.pvcWorker, time.Second)
-	metrics.Register(adc.pvcLister,
+
+	metrics.Register(
+		adc.pvcLister,
 		adc.pvLister,
 		adc.podLister,
 		adc.actualStateOfWorld,
 		adc.desiredStateOfWorld,
 		&adc.volumePluginMgr,
 		adc.csiMigratedPluginManager,
-		adc.intreeToCSITranslator)
+		adc.intreeToCSITranslator,
+	)
 
+	wg.Go(func() {
+		adc.reconciler.Run(ctx)
+	})
+	wg.Go(func() {
+		adc.desiredStateOfWorldPopulator.Run(ctx)
+	})
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, adc.pvcWorker, time.Second)
+	})
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/attachdetach/attach_detach_controller_test.go b/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
index 52ff5348125d1..f2d19bd111f9b 100644
--- a/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
+++ b/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"runtime"
+	"sync"
 	"testing"
 	"time"
 
@@ -288,7 +289,11 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 	var podsNum, extraPodsNum, nodesNum, i int
 
 	// Create the controller
+	var wg sync.WaitGroup
+	defer wg.Wait()
 	logger, tCtx := ktesting.NewTestContext(t)
+	defer tCtx.Cancel("test case terminating")
+
 	adcObj, err := NewAttachDetachController(
 		tCtx,
 		fakeKubeClient,
@@ -344,7 +349,7 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 
 	informerFactory.Start(tCtx.Done())
 
-	if !kcache.WaitForNamedCacheSync("attach detach", tCtx.Done(),
+	if !kcache.WaitForNamedCacheSyncWithContext(tCtx,
 		informerFactory.Core().V1().Pods().Informer().HasSynced,
 		informerFactory.Core().V1().Nodes().Informer().HasSynced,
 		informerFactory.Storage().V1().CSINodes().Informer().HasSynced) {
@@ -425,8 +430,12 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 		podInformer.GetIndexer().Add(newPod)
 	}
 
-	go adc.reconciler.Run(tCtx)
-	go adc.desiredStateOfWorldPopulator.Run(tCtx)
+	wg.Go(func() {
+		adc.reconciler.Run(tCtx)
+	})
+	wg.Go(func() {
+		adc.desiredStateOfWorldPopulator.Run(tCtx)
+	})
 
 	time.Sleep(time.Second * 1) // Wait so the reconciler calls sync at least once
 
@@ -457,7 +466,6 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 	if testPlugin.GetErrorEncountered() {
 		t.Fatalf("Fatal error encountered in the testing volume plugin")
 	}
-
 }
 
 type vaTest struct {
@@ -539,7 +547,11 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 	vaInformer := informerFactory.Storage().V1().VolumeAttachments().Informer()
 
 	// Create the controller
+	var wg sync.WaitGroup
+	defer wg.Wait()
 	logger, tCtx := ktesting.NewTestContext(t)
+	defer tCtx.Cancel("test case terminating")
+
 	adc := createADC(t, tCtx, fakeKubeClient, informerFactory, plugins)
 
 	// Add existing objects (created by testplugin) to the respective informers
@@ -622,7 +634,7 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 	// Makesure the informer cache is synced
 	informerFactory.Start(tCtx.Done())
 
-	if !kcache.WaitForNamedCacheSync("attach detach", tCtx.Done(),
+	if !kcache.WaitForNamedCacheSyncWithContext(tCtx,
 		informerFactory.Core().V1().Pods().Informer().HasSynced,
 		informerFactory.Core().V1().Nodes().Informer().HasSynced,
 		informerFactory.Core().V1().PersistentVolumes().Informer().HasSynced,
@@ -642,8 +654,12 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 		t.Fatalf("Run failed with error. Expected: <no error> Actual: %v", err)
 	}
 	// Run reconciler and DSW populator loops
-	go adc.reconciler.Run(tCtx)
-	go adc.desiredStateOfWorldPopulator.Run(tCtx)
+	wg.Go(func() {
+		adc.reconciler.Run(tCtx)
+	})
+	wg.Go(func() {
+		adc.desiredStateOfWorldPopulator.Run(tCtx)
+	})
 	if tc.csiMigration {
 		verifyExpectedVolumeState(t, adc, tc)
 	} else {
@@ -651,7 +667,6 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 		testPlugin := plugins[0].(*controllervolumetesting.TestPlugin)
 		verifyAttachDetachCalls(t, testPlugin, tc)
 	}
-
 }
 
 func verifyExpectedVolumeState(t *testing.T, adc *attachDetachController, tc vaTest) {
diff --git a/pkg/controller/volume/attachdetach/reconciler/reconciler.go b/pkg/controller/volume/attachdetach/reconciler/reconciler.go
index c5090957f36bc..b79ad1c7f362e 100644
--- a/pkg/controller/volume/attachdetach/reconciler/reconciler.go
+++ b/pkg/controller/volume/attachdetach/reconciler/reconciler.go
@@ -222,11 +222,11 @@ func (rc *reconciler) reconcile(ctx context.Context) {
 
 			// Force detach volumes from unhealthy nodes after maxWaitForUnmountDuration if force detach is enabled
 			// Ensure that the timeout condition checks this correctly so that the correct metric is updated below
-			forceDetatchTimeoutExpired := maxWaitForUnmountDurationExpired && !rc.disableForceDetachOnTimeout
+			forceDetachTimeoutExpired := maxWaitForUnmountDurationExpired && !rc.disableForceDetachOnTimeout
 			if maxWaitForUnmountDurationExpired && rc.disableForceDetachOnTimeout {
 				logger.V(5).Info("Drain timeout expired for volume but disableForceDetachOnTimeout was set", "node", klog.KRef("", string(attachedVolume.NodeName)), "volumeName", attachedVolume.VolumeName)
 			}
-			forceDetach := !isHealthy && forceDetatchTimeoutExpired
+			forceDetach := !isHealthy && forceDetachTimeoutExpired
 
 			hasOutOfServiceTaint, err := rc.hasOutOfServiceTaint(attachedVolume.NodeName)
 			if err != nil {
@@ -266,19 +266,19 @@ func (rc *reconciler) reconcile(ctx context.Context) {
 			}
 
 			// Trigger detach volume which requires verifying safe to detach step
-			// If forceDetatchTimeoutExpired is true, skip verifySafeToDetach check
+			// If forceDetachTimeoutExpired is true, skip verifySafeToDetach check
 			// If the node has node.kubernetes.io/out-of-service taint with NoExecute effect, skip verifySafeToDetach check
 			logger.V(5).Info("Starting attacherDetacher.DetachVolume", "node", klog.KRef("", string(attachedVolume.NodeName)), "volumeName", attachedVolume.VolumeName)
 			if hasOutOfServiceTaint {
 				logger.V(4).Info("node has out-of-service taint", "node", klog.KRef("", string(attachedVolume.NodeName)))
 			}
-			verifySafeToDetach := !(forceDetatchTimeoutExpired || hasOutOfServiceTaint)
+			verifySafeToDetach := !forceDetachTimeoutExpired && !hasOutOfServiceTaint
 			err = rc.attacherDetacher.DetachVolume(logger, attachedVolume.AttachedVolume, verifySafeToDetach, rc.actualStateOfWorld)
 			if err == nil {
 				if verifySafeToDetach { // normal detach
 					logger.Info("attacherDetacher.DetachVolume started", "node", klog.KRef("", string(attachedVolume.NodeName)), "volumeName", attachedVolume.VolumeName)
 				} else { // force detach
-					if forceDetatchTimeoutExpired {
+					if forceDetachTimeoutExpired {
 						metrics.RecordForcedDetachMetric(metrics.ForceDetachReasonTimeout)
 						logger.Info("attacherDetacher.DetachVolume started: this volume is not safe to detach, but maxWaitForUnmountDuration expired, force detaching",
 							"duration", rc.maxWaitForUnmountDuration,
diff --git a/pkg/controller/volume/ephemeral/controller.go b/pkg/controller/volume/ephemeral/controller.go
index c4ff709dd3cb1..ccca2c57b53b1 100644
--- a/pkg/controller/volume/ephemeral/controller.go
+++ b/pkg/controller/volume/ephemeral/controller.go
@@ -19,6 +19,7 @@ package ephemeral
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -168,19 +169,26 @@ func (ec *ephemeralController) onPVCDelete(obj interface{}) {
 
 func (ec *ephemeralController) Run(ctx context.Context, workers int) {
 	defer runtime.HandleCrash()
-	defer ec.queue.ShutDown()
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting ephemeral volume controller")
-	defer logger.Info("Shutting down ephemeral volume controller")
 
-	if !cache.WaitForNamedCacheSync("ephemeral", ctx.Done(), ec.podSynced, ec.pvcsSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down ephemeral volume controller")
+		ec.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, ec.podSynced, ec.pvcsSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, ec.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, ec.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/expand/expand_controller.go b/pkg/controller/volume/expand/expand_controller.go
index d3c85747abcf9..3d8ca84a7a988 100644
--- a/pkg/controller/volume/expand/expand_controller.go
+++ b/pkg/controller/volume/expand/expand_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"sync"
 	"time"
 
 	"k8s.io/klog/v2"
@@ -322,19 +323,26 @@ func (expc *expandController) expand(logger klog.Logger, pvc *v1.PersistentVolum
 // TODO make concurrency configurable (workers argument). previously, nestedpendingoperations spawned unlimited goroutines
 func (expc *expandController) Run(ctx context.Context) {
 	defer runtime.HandleCrash()
-	defer expc.queue.ShutDown()
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting expand controller")
-	defer logger.Info("Shutting down expand controller")
 
-	if !cache.WaitForNamedCacheSync("expand", ctx.Done(), expc.pvcsSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down expand controller")
+		expc.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, expc.pvcsSynced) {
 		return
 	}
 
 	for i := 0; i < defaultWorkerCount; i++ {
-		go wait.UntilWithContext(ctx, expc.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, expc.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/persistentvolume/pv_controller_base.go b/pkg/controller/volume/persistentvolume/pv_controller_base.go
index 87620399096b1..e8628a41be9c7 100644
--- a/pkg/controller/volume/persistentvolume/pv_controller_base.go
+++ b/pkg/controller/volume/persistentvolume/pv_controller_base.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -296,8 +297,6 @@ func (ctrl *PersistentVolumeController) deleteClaim(ctx context.Context, claim *
 // Run starts all of this controller's control loops
 func (ctrl *PersistentVolumeController) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()
-	defer ctrl.claimQueue.ShutDown()
-	defer ctrl.volumeQueue.ShutDown()
 
 	// Start events processing pipeline.
 	ctrl.eventBroadcaster.StartStructuredLogging(3)
@@ -306,20 +305,31 @@ func (ctrl *PersistentVolumeController) Run(ctx context.Context) {
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting persistent volume controller")
-	defer logger.Info("Shutting down persistent volume controller")
 
-	if !cache.WaitForNamedCacheSync("persistent volume", ctx.Done(), ctrl.volumeListerSynced, ctrl.claimListerSynced, ctrl.classListerSynced, ctrl.podListerSynced, ctrl.NodeListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down persistent volume controller")
+		ctrl.claimQueue.ShutDown()
+		ctrl.volumeQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, ctrl.volumeListerSynced, ctrl.claimListerSynced, ctrl.classListerSynced, ctrl.podListerSynced, ctrl.NodeListerSynced) {
 		return
 	}
 
 	ctrl.initializeCaches(logger, ctrl.volumeLister, ctrl.claimLister)
-
-	go wait.Until(func() { ctrl.resync(ctx) }, ctrl.resyncPeriod, ctx.Done())
-	go wait.UntilWithContext(ctx, ctrl.volumeWorker, time.Second)
-	go wait.UntilWithContext(ctx, ctrl.claimWorker, time.Second)
-
 	metrics.Register(ctrl.volumes.store, ctrl.claims, &ctrl.volumePluginMgr)
 
+	wg.Go(func() {
+		wait.Until(func() { ctrl.resync(ctx) }, ctrl.resyncPeriod, ctx.Done())
+	})
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, ctrl.volumeWorker, time.Second)
+	})
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, ctrl.claimWorker, time.Second)
+	})
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/persistentvolume/pv_controller_test.go b/pkg/controller/volume/persistentvolume/pv_controller_test.go
index 8414c28fc5703..3618b1b11a025 100644
--- a/pkg/controller/volume/persistentvolume/pv_controller_test.go
+++ b/pkg/controller/volume/persistentvolume/pv_controller_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"reflect"
+	"sync"
 	"testing"
 	"time"
 
@@ -361,10 +362,17 @@ func TestControllerSync(t *testing.T) {
 		}
 
 		// Start the controller
+		var wg sync.WaitGroup
+		defer wg.Wait()
 		ctx, cancel := context.WithCancel(context.TODO())
+		defer cancel()
+
 		informers.Start(ctx.Done())
 		informers.WaitForCacheSync(ctx.Done())
-		go ctrl.Run(ctx)
+
+		wg.Go(func() {
+			ctrl.Run(ctx)
+		})
 
 		// Wait for the controller to pass initial sync and fill its caches.
 		err = wait.Poll(10*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
@@ -389,7 +397,6 @@ func TestControllerSync(t *testing.T) {
 		if err != nil {
 			t.Errorf("Failed to run test %s: %v", test.name, err)
 		}
-		cancel()
 
 		evaluateTestResults(ctx, ctrl, reactor.VolumeReactor, test, t)
 	}
diff --git a/pkg/controller/volume/pvcprotection/pvc_protection_controller.go b/pkg/controller/volume/pvcprotection/pvc_protection_controller.go
index 005a15d4b5128..526016d1dc024 100644
--- a/pkg/controller/volume/pvcprotection/pvc_protection_controller.go
+++ b/pkg/controller/volume/pvcprotection/pvc_protection_controller.go
@@ -161,22 +161,30 @@ func NewPVCProtectionController(logger klog.Logger, pvcInformer coreinformers.Pe
 // Run runs the controller goroutines.
 func (c *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
-	defer c.pvcProcessingStore.namespaceQueue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting PVC protection controller")
-	defer logger.Info("Shutting down PVC protection controller")
 
-	if !cache.WaitForNamedCacheSync("PVC protection", ctx.Done(), c.pvcListerSynced, c.podListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down PVC protection controller")
+		c.queue.ShutDown()
+		c.pvcProcessingStore.namespaceQueue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.pvcListerSynced, c.podListerSynced) {
 		return
 	}
 
-	go wait.UntilWithContext(ctx, c.runMainWorker, time.Second)
+	wg.Go(func() {
+		wait.UntilWithContext(ctx, c.runMainWorker, time.Second)
+	})
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runProcessNamespaceWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runProcessNamespaceWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/pvprotection/pv_protection_controller.go b/pkg/controller/volume/pvprotection/pv_protection_controller.go
index 8f29f383f9c2e..1b748226d04bd 100644
--- a/pkg/controller/volume/pvprotection/pv_protection_controller.go
+++ b/pkg/controller/volume/pvprotection/pv_protection_controller.go
@@ -19,6 +19,7 @@ package pvprotection
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -75,20 +76,26 @@ func NewPVProtectionController(logger klog.Logger, pvInformer coreinformers.Pers
 // Run runs the controller goroutines.
 func (c *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting PV protection controller")
-	defer logger.Info("Shutting down PV protection controller")
 
-	if !cache.WaitForNamedCacheSync("PV protection", ctx.Done(), c.pvListerSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down PV protection controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.pvListerSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controller/volume/selinuxwarning/cache/volumecache.go b/pkg/controller/volume/selinuxwarning/cache/volumecache.go
index dfa129dae9064..4b19c985c866e 100644
--- a/pkg/controller/volume/selinuxwarning/cache/volumecache.go
+++ b/pkg/controller/volume/selinuxwarning/cache/volumecache.go
@@ -114,11 +114,19 @@ func (c *volumeCache) AddVolume(logger klog.Logger, volumeName v1.UniqueVolumeNa
 	}
 
 	// The volume is already known
-	// Add the pod to the cache or update its properties
-	volume.pods[podKey] = podInfo{
+	podInfo := podInfo{
 		seLinuxLabel: label,
 		changePolicy: changePolicy,
 	}
+	oldPodInfo, found := volume.pods[podKey]
+	if found && oldPodInfo == podInfo {
+		// The Pod is already known too and nothing changed since the last update.
+		// All conflicts were already reported when the Pod was added / updated in the cache last time.
+		return conflicts
+	}
+
+	// Add the updated pod info to the cache
+	volume.pods[podKey] = podInfo
 
 	// Emit conflicts for the pod
 	for otherPodKey, otherPodInfo := range volume.pods {
diff --git a/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go b/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
index e5049e05abc39..1281074dc06af 100644
--- a/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
+++ b/pkg/controller/volume/selinuxwarning/selinux_warning_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -140,9 +141,9 @@ func NewController(
 
 	logger := klog.FromContext(ctx)
 	_, err = podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc:    func(obj interface{}) { c.addPod(logger, obj) },
-		DeleteFunc: func(obj interface{}) { c.deletePod(logger, obj) },
-		// Not watching updates: Pod volumes and SecurityContext are immutable after creation
+		AddFunc:    func(obj interface{}) { c.enqueuePod(logger, obj) },
+		UpdateFunc: func(oldObj, newObj interface{}) { c.updatePod(logger, oldObj, newObj) },
+		DeleteFunc: func(obj interface{}) { c.enqueuePod(logger, obj) },
 	})
 	if err != nil {
 		return nil, err
@@ -178,7 +179,7 @@ func NewController(
 	return c, nil
 }
 
-func (c *Controller) addPod(_ klog.Logger, obj interface{}) {
+func (c *Controller) enqueuePod(_ klog.Logger, obj interface{}) {
 	podRef, err := cache.DeletionHandlingObjectToName(obj)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("couldn't get key for pod %#v: %w", obj, err))
@@ -186,12 +187,29 @@ func (c *Controller) addPod(_ klog.Logger, obj interface{}) {
 	c.queue.Add(podRef)
 }
 
-func (c *Controller) deletePod(_ klog.Logger, obj interface{}) {
-	podRef, err := cache.DeletionHandlingObjectToName(obj)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("couldn't get key for pod %#v: %w", obj, err))
+func (c *Controller) updatePod(logger klog.Logger, oldObj, newObj interface{}) {
+	// Pod.Spec fields that are relevant to this controller are immutable after creation (i.e.
+	// pod volumes, SELinux labels, privileged flag). React to update only when the Pod
+	// reaches its final state - kubelet will unmount the Pod volumes and the controller should
+	// therefore remove them from the cache.
+	oldPod, ok := oldObj.(*v1.Pod)
+	if !ok {
+		return
 	}
-	c.queue.Add(podRef)
+	newPod, ok := newObj.(*v1.Pod)
+	if !ok {
+		return
+	}
+
+	// This is an optimization. In theory, passing most pod updates to the controller queue should lead to noop.
+	// To save some CPU, pass only pod updates that can cause any action in the controller
+	if oldPod.Status.Phase == newPod.Status.Phase {
+		return
+	}
+	if newPod.Status.Phase != v1.PodFailed && newPod.Status.Phase != v1.PodSucceeded {
+		return
+	}
+	c.enqueuePod(logger, newObj)
 }
 
 func (c *Controller) addPVC(logger klog.Logger, obj interface{}) {
@@ -277,11 +295,7 @@ func (c *Controller) enqueueAllPodsForPVC(logger klog.Logger, namespace, name st
 		return
 	}
 	for _, obj := range objs {
-		podRef, err := cache.DeletionHandlingObjectToName(obj)
-		if err != nil {
-			utilruntime.HandleError(fmt.Errorf("couldn't get key for pod %#v: %w", obj, err))
-		}
-		c.queue.Add(podRef)
+		c.enqueuePod(logger, obj)
 	}
 }
 
@@ -343,23 +357,30 @@ func (c *Controller) enqueueAllPodsForCSIDriver(csiDriverName string) {
 
 func (c *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
+
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting SELinux warning controller")
-	defer logger.Info("Shutting down SELinux warning controller")
+
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down SELinux warning controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
 
 	c.eventBroadcaster.StartStructuredLogging(3) // verbosity level 3 is used by the other KCM controllers
 	c.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: c.kubeClient.CoreV1().Events("")})
 	defer c.eventBroadcaster.Shutdown()
 
-	if !cache.WaitForNamedCacheSync("selinux_warning", ctx.Done(), c.podsSynced, c.pvcsSynced, c.pvsSynced, c.csiDriversSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.podsSynced, c.pvcsSynced, c.pvsSynced, c.csiDriversSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
@@ -401,6 +422,11 @@ func (c *Controller) sync(ctx context.Context, podRef cache.ObjectName) error {
 		logger.V(5).Info("Error getting pod from informer", "pod", klog.KObj(pod), "podUID", pod.UID, "err", err)
 		return err
 	}
+	if pod.Status.Phase == v1.PodFailed || pod.Status.Phase == v1.PodSucceeded {
+		// The pod has reached its final state and kubelet is unmounting is volumes.
+		// Remove them from the cache.
+		return c.syncPodDelete(ctx, podRef)
+	}
 
 	return c.syncPod(ctx, pod)
 }
@@ -481,8 +507,15 @@ func (c *Controller) syncVolume(logger klog.Logger, pod *v1.Pod, spec *volume.Sp
 	changePolicy := v1.SELinuxChangePolicyMountOption
 	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SELinuxChangePolicy != nil {
 		changePolicy = *pod.Spec.SecurityContext.SELinuxChangePolicy
+		logger.V(5).Info("Using Pod SELinux change policy", "pod", klog.KObj(pod), "changePolicy", changePolicy)
 	}
-	if !pluginSupportsSELinuxContextMount {
+	if !pluginSupportsSELinuxContextMount && changePolicy != v1.SELinuxChangePolicyRecursive {
+		logger.V(5).Info("Volume does not support SELinux context mount, setting changePolicy to Recursive", "pod", klog.KObj(pod), "volume", spec.Name())
+		changePolicy = v1.SELinuxChangePolicyRecursive
+	}
+
+	if seLinuxLabel == "" && changePolicy != v1.SELinuxChangePolicyRecursive {
+		logger.V(5).Info("Pod has empty SELinux label, setting changePolicy to Recursive", "pod", klog.KObj(pod))
 		changePolicy = v1.SELinuxChangePolicyRecursive
 	}
 
diff --git a/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go b/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go
index 3f863cac8abb4..9d9998bc62a9f 100644
--- a/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go
+++ b/pkg/controller/volume/selinuxwarning/selinux_warning_controller_test.go
@@ -17,8 +17,10 @@ limitations under the License.
 package selinuxwarning
 
 import (
+	"context"
 	"reflect"
 	"sort"
+	"sync"
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
@@ -54,31 +56,34 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 		existingCSIDrivers []*storagev1.CSIDriver
 		existingPods       []*v1.Pod
 
-		pod                  cache.ObjectName
-		conflicts            []volumecache.Conflict
-		expectError          bool
-		expectedAddedVolumes []addedVolume
-		expectedEvents       []string
-		expectedDeletedPods  []cache.ObjectName
+		pod                     cache.ObjectName
+		csiDriverSELinuxEnabled bool
+		conflicts               []volumecache.Conflict
+		expectError             bool
+		expectedAddedVolumes    []addedVolume
+		expectedEvents          []string
+		expectedDeletedPods     []cache.ObjectName
 	}{
 		{
 			name: "existing pod with no volumes",
 			existingPods: []*v1.Pod{
-				pod("pod1", "s0:c1,c2", nil),
+				pod("pod1", "s0:c1,c2", nil).build(),
 			},
-			pod:                  cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectedEvents:       nil,
-			expectedAddedVolumes: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
+			expectedAddedVolumes:    nil,
 		},
 		{
 			name: "existing pod with unbound PVC",
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", nil, "non-existing-pvc", "vol1"),
+				pod("pod1", "s0:c1,c2", nil).withPVC("non-existing-pvc", "vol1").build(),
 			},
-			pod:                  cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectError:          true, // PVC is missing, add back to queue with exp. backoff
-			expectedEvents:       nil,
-			expectedAddedVolumes: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectError:             true, // PVC is missing, add back to queue with exp. backoff
+			expectedEvents:          nil,
+			expectedAddedVolumes:    nil,
 		},
 		{
 			name: "existing pod with fully bound PVC",
@@ -89,10 +94,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", nil, "pvc1", "vol1"),
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").build(),
 			},
-			pod:            cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectedEvents: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
 			expectedAddedVolumes: []addedVolume{
 				{
 					volumeName:   "fake-plugin/pv1",
@@ -112,10 +118,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive), "pvc1", "vol1"),
+				pod("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive)).withPVC("pvc1", "vol1").build(),
 			},
-			pod:            cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectedEvents: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
 			expectedAddedVolumes: []addedVolume{
 				{
 					volumeName:   "fake-plugin/pv1",
@@ -135,10 +142,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				addInlineVolume(pod("pod1", "s0:c1,c2", nil)),
+				pod("pod1", "s0:c1,c2", nil).withInlineVolume().build(),
 			},
-			pod:            cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectedEvents: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
 			expectedAddedVolumes: []addedVolume{
 				{
 					volumeName:   "fake-plugin/ebs.csi.aws.com-inlinevol1",
@@ -158,10 +166,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				addInlineVolume(podWithPVC("pod1", "s0:c1,c2", nil, "pvc1", "vol1")),
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").withInlineVolume().build(),
 			},
-			pod:            cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectedEvents: nil,
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
 			expectedAddedVolumes: []addedVolume{
 				{
 					volumeName:   "fake-plugin/pv1",
@@ -188,10 +197,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", nil, "pvc1", "vol1"),
-				pod("pod2", "s0:c98,c99", nil),
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").build(),
+				pod("pod2", "s0:c98,c99", nil).build(),
 			},
-			pod: cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
 			conflicts: []volumecache.Conflict{
 				{
 					PropertyName:       "SELinuxLabel",
@@ -233,11 +243,12 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive), "pvc1", "vol1"),
-				pod("pod2", "s0:c98,c99", ptr.To(v1.SELinuxChangePolicyRecursive)),
+				pod("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive)).withPVC("pvc1", "vol1").build(),
+				pod("pod2", "s0:c98,c99", ptr.To(v1.SELinuxChangePolicyRecursive)).build(),
 			},
-			pod:       cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			conflicts: []volumecache.Conflict{},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			conflicts:               []volumecache.Conflict{},
 			expectedAddedVolumes: []addedVolume{
 				{
 					volumeName:   "fake-plugin/pv1",
@@ -257,10 +268,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive), "pvc1", "vol1"),
-				podWithPVC("pod2", "s0:c98,c99", ptr.To(v1.SELinuxChangePolicyMountOption), "pvc1", "vol1"),
+				pod("pod1", "s0:c1,c2", ptr.To(v1.SELinuxChangePolicyRecursive)).withPVC("pvc1", "vol1").build(),
+				pod("pod2", "s0:c98,c99", ptr.To(v1.SELinuxChangePolicyMountOption)).withPVC("pvc1", "vol1").build(),
 			},
-			pod: cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
 			conflicts: []volumecache.Conflict{
 				{
 					PropertyName:       "SELinuxChangePolicy",
@@ -302,10 +314,11 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				pvBoundToPVC("pv1", "pvc1"),
 			},
 			existingPods: []*v1.Pod{
-				podWithPVC("pod1", "s0:c1,c2", nil, "pvc1", "vol1"),
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").build(),
 				// "pod2" does not exist
 			},
-			pod: cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
 			conflicts: []volumecache.Conflict{
 				{
 					PropertyName:       "SELinuxLabel",
@@ -338,16 +351,147 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 				`Normal SELinuxLabelConflict SELinuxLabel ":::s0:c1,c2" conflicts with pod pod2 that uses the same volume as this pod with SELinuxLabel ":::s0:c98,c99". If both pods land on the same node, only one of them may access the volume.`,
 			},
 		},
+		{
+			name: "empty label implies Recursive policy",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "", ptr.To(v1.SELinuxChangePolicyMountOption)).withPVC("pvc1", "vol1").build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			conflicts:               []volumecache.Conflict{},
+			expectedAddedVolumes: []addedVolume{
+				{
+					volumeName:   "fake-plugin/pv1",
+					podKey:       cache.ObjectName{Namespace: namespace, Name: "pod1"},
+					label:        "",
+					changePolicy: v1.SELinuxChangePolicyRecursive, // Reset to Recursive when the label is empty
+					csiDriver:    "ebs.csi.aws.com",
+				},
+			},
+		},
+		{
+			name: "pending pod is processed",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").withPhase(v1.PodPending).build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
+			expectedAddedVolumes: []addedVolume{
+				{
+					volumeName:   "fake-plugin/pv1",
+					podKey:       cache.ObjectName{Namespace: namespace, Name: "pod1"},
+					label:        ":::s0:c1,c2",
+					changePolicy: v1.SELinuxChangePolicyMountOption,
+					csiDriver:    "ebs.csi.aws.com",
+				},
+			},
+		},
+		{
+			name: "unknown pod is processed",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").withPhase(v1.PodUnknown).build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
+			expectedAddedVolumes: []addedVolume{
+				{
+					volumeName:   "fake-plugin/pv1",
+					podKey:       cache.ObjectName{Namespace: namespace, Name: "pod1"},
+					label:        ":::s0:c1,c2",
+					changePolicy: v1.SELinuxChangePolicyMountOption,
+					csiDriver:    "ebs.csi.aws.com",
+				},
+			},
+		},
+		{
+			name: "succeeded pod is removed from the cache",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").withPhase(v1.PodSucceeded).build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
+			expectedAddedVolumes:    nil,
+			expectedDeletedPods:     []cache.ObjectName{{Namespace: namespace, Name: "pod1"}},
+		},
+		{
+			name: "failed pod is removed from the cache",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").withPhase(v1.PodFailed).build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectedEvents:          nil,
+			expectedAddedVolumes:    nil,
+			expectedDeletedPods:     []cache.ObjectName{{Namespace: namespace, Name: "pod1"}},
+		},
 		{
 			name:         "deleted pod",
 			existingPods: []*v1.Pod{
 				// "pod1" does not exist in the informer
 			},
-			pod:                  cache.ObjectName{Namespace: namespace, Name: "pod1"},
-			expectError:          false,
-			expectedEvents:       nil,
-			expectedAddedVolumes: nil,
-			expectedDeletedPods:  []cache.ObjectName{{Namespace: namespace, Name: "pod1"}},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: true,
+			expectError:             false,
+			expectedEvents:          nil,
+			expectedAddedVolumes:    nil,
+			expectedDeletedPods:     []cache.ObjectName{{Namespace: namespace, Name: "pod1"}},
+		},
+		{
+			name: "existing pod with fully bound PVC and CSIDriver.SELinuxMount disabled",
+			existingPVCs: []*v1.PersistentVolumeClaim{
+				pvcBoundToPV("pv1", "pvc1"),
+			},
+			existingPVs: []*v1.PersistentVolume{
+				pvBoundToPVC("pv1", "pvc1"),
+			},
+			existingPods: []*v1.Pod{
+				pod("pod1", "s0:c1,c2", nil).withPVC("pvc1", "vol1").build(),
+			},
+			pod:                     cache.ObjectName{Namespace: namespace, Name: "pod1"},
+			csiDriverSELinuxEnabled: false,
+			expectedEvents:          nil,
+			expectedAddedVolumes: []addedVolume{
+				{
+					volumeName:   "fake-plugin/pv1",
+					podKey:       cache.ObjectName{Namespace: namespace, Name: "pod1"},
+					label:        "",                              // Label is cleared when the CSI driver does not support SELinuxMount
+					changePolicy: v1.SELinuxChangePolicyRecursive, // Reset to Recursive when the CSI driver does not support SELinuxMount
+					csiDriver:    "ebs.csi.aws.com",               // The PV is a fake EBS volume
+				},
+			},
 		},
 	}
 
@@ -355,9 +499,14 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxChangePolicy, true)
 
+			var wg sync.WaitGroup
+			defer wg.Wait()
 			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
 			_, plugin := volumetesting.GetTestKubeletVolumePluginMgr(t)
-			plugin.SupportsSELinux = true
+			plugin.SupportsSELinux = tt.csiDriverSELinuxEnabled
 
 			fakeClient := fake.NewClientset()
 			fakeInformerFactory := informers.NewSharedInformerFactory(fakeClient, controller.NoResyncPeriodFunc())
@@ -393,7 +542,9 @@ func TestSELinuxWarningController_Sync(t *testing.T) {
 			fakeInformerFactory.Start(ctx.Done())
 			fakeInformerFactory.WaitForCacheSync(ctx.Done())
 			// Start the controller
-			go c.Run(ctx, 1)
+			wg.Go(func() {
+				c.Run(ctx, 1)
+			})
 
 			// Inject fake existing objects
 			for _, pvc := range tt.existingPVCs {
@@ -490,49 +641,63 @@ func pvcBoundToPV(pvName, pvcName string) *v1.PersistentVolumeClaim {
 	return pvc
 }
 
-func pod(podName, level string, changePolicy *v1.PodSELinuxChangePolicy) *v1.Pod {
+type podBuilder struct {
+	pod *v1.Pod
+}
+
+func pod(podName, level string, changePolicy *v1.PodSELinuxChangePolicy) *podBuilder {
 	var opts *v1.SELinuxOptions
 	if level != "" {
 		opts = &v1.SELinuxOptions{
 			Level: level,
 		}
 	}
-	return &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "ns1",
-			Name:      podName,
-		},
-		Spec: v1.PodSpec{
-			Containers: []v1.Container{
-				{
-					Name:  "container1",
-					Image: "image1",
-					VolumeMounts: []v1.VolumeMount{
-						{
-							Name:      "vol1",
-							MountPath: "/mnt",
+	return &podBuilder{
+		pod: &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "ns1",
+				Name:      podName,
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "container1",
+						Image: "image1",
+						VolumeMounts: []v1.VolumeMount{
+							{
+								Name:      "vol1",
+								MountPath: "/mnt",
+							},
 						},
 					},
 				},
-			},
-			SecurityContext: &v1.PodSecurityContext{
-				SELinuxChangePolicy: changePolicy,
-				SELinuxOptions:      opts,
-			},
-			Volumes: []v1.Volume{
-				{
-					Name: "emptyDir1",
-					VolumeSource: v1.VolumeSource{
-						EmptyDir: &v1.EmptyDirVolumeSource{},
+				SecurityContext: &v1.PodSecurityContext{
+					SELinuxChangePolicy: changePolicy,
+					SELinuxOptions:      opts,
+				},
+				Volumes: []v1.Volume{
+					{
+						Name: "emptyDir1",
+						VolumeSource: v1.VolumeSource{
+							EmptyDir: &v1.EmptyDirVolumeSource{},
+						},
 					},
 				},
 			},
+			Status: v1.PodStatus{
+				Phase: v1.PodRunning,
+			},
 		},
 	}
 }
 
-func addInlineVolume(pod *v1.Pod) *v1.Pod {
-	pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{
+func (b *podBuilder) withPhase(phase v1.PodPhase) *podBuilder {
+	b.pod.Status.Phase = phase
+	return b
+}
+
+func (b *podBuilder) withInlineVolume() *podBuilder {
+	b.pod.Spec.Volumes = append(b.pod.Spec.Volumes, v1.Volume{
 		Name: "inlineVolume",
 		VolumeSource: v1.VolumeSource{
 			AWSElasticBlockStore: &v1.AWSElasticBlockStoreVolumeSource{
@@ -540,17 +705,15 @@ func addInlineVolume(pod *v1.Pod) *v1.Pod {
 			},
 		},
 	})
-	pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, v1.VolumeMount{
+	b.pod.Spec.Containers[0].VolumeMounts = append(b.pod.Spec.Containers[0].VolumeMounts, v1.VolumeMount{
 		Name:      "inlineVolume",
 		MountPath: "/mnt",
 	})
-
-	return pod
+	return b
 }
 
-func podWithPVC(podName, label string, changePolicy *v1.PodSELinuxChangePolicy, pvcName, volumeName string) *v1.Pod {
-	pod := pod(podName, label, changePolicy)
-	pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{
+func (b *podBuilder) withPVC(pvcName, volumeName string) *podBuilder {
+	b.pod.Spec.Volumes = append(b.pod.Spec.Volumes, v1.Volume{
 		Name: volumeName,
 		VolumeSource: v1.VolumeSource{
 			PersistentVolumeClaim: &v1.PersistentVolumeClaimVolumeSource{
@@ -558,11 +721,15 @@ func podWithPVC(podName, label string, changePolicy *v1.PodSELinuxChangePolicy,
 			},
 		},
 	})
-	pod.Spec.Containers[0].VolumeMounts = append(pod.Spec.Containers[0].VolumeMounts, v1.VolumeMount{
+	b.pod.Spec.Containers[0].VolumeMounts = append(b.pod.Spec.Containers[0].VolumeMounts, v1.VolumeMount{
 		Name:      volumeName,
 		MountPath: "/mnt",
 	})
-	return pod
+	return b
+}
+
+func (b *podBuilder) build() *v1.Pod {
+	return b.pod
 }
 
 type addedVolume struct {
diff --git a/pkg/controller/volume/vacprotection/vac_protection_controller.go b/pkg/controller/volume/vacprotection/vac_protection_controller.go
index 51b082571b90d..a9ede7f5da862 100644
--- a/pkg/controller/volume/vacprotection/vac_protection_controller.go
+++ b/pkg/controller/volume/vacprotection/vac_protection_controller.go
@@ -19,6 +19,7 @@ package vacprotection
 import (
 	"context"
 	"fmt"
+	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -200,20 +201,26 @@ func NewVACProtectionController(logger klog.Logger,
 // Run runs the controller goroutines.
 func (c *Controller) Run(ctx context.Context, workers int) {
 	defer utilruntime.HandleCrash()
-	defer c.queue.ShutDown()
 
 	logger := klog.FromContext(ctx)
 	logger.Info("Starting VAC protection controller")
-	defer logger.Info("Shutting down VAC protection controller")
 
-	if !cache.WaitForNamedCacheSync("VAC protection", ctx.Done(), c.pvSynced, c.pvcSynced, c.vacSynced) {
+	var wg sync.WaitGroup
+	defer func() {
+		logger.Info("Shutting down VAC protection controller")
+		c.queue.ShutDown()
+		wg.Wait()
+	}()
+
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.pvSynced, c.pvcSynced, c.vacSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		wg.Go(func() {
+			wait.UntilWithContext(ctx, c.runWorker, time.Second)
+		})
 	}
-
 	<-ctx.Done()
 }
 
diff --git a/pkg/controlplane/apiserver/admission/config.go b/pkg/controlplane/apiserver/admission/config.go
index 1fa77f36934f2..55269b12a9cfe 100644
--- a/pkg/controlplane/apiserver/admission/config.go
+++ b/pkg/controlplane/apiserver/admission/config.go
@@ -43,7 +43,7 @@ func (c *Config) New(proxyTransport *http.Transport, egressSelector *egressselec
 	webhookPluginInitializer := webhookinit.NewPluginInitializer(webhookAuthResolverWrapper, serviceResolver)
 
 	kubePluginInitializer := NewPluginInitializer(
-		quotainstall.NewQuotaConfigurationForAdmission(),
+		quotainstall.NewQuotaConfigurationForAdmission(c.ExternalInformers),
 		exclusion.Excluded(),
 	)
 
diff --git a/pkg/controlplane/apiserver/aggregator.go b/pkg/controlplane/apiserver/aggregator.go
index 37d5265d59dbf..690bcae56cf75 100644
--- a/pkg/controlplane/apiserver/aggregator.go
+++ b/pkg/controlplane/apiserver/aggregator.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 	"sync"
 
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsinformers "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -116,6 +117,7 @@ func CreateAggregatorConfig(
 			ServiceResolver:           serviceResolver,
 			ProxyTransport:            proxyTransport,
 			RejectForwardingRedirects: commandOptions.AggregatorRejectForwardingRedirects,
+			PeerProxy:                 peerProxy,
 		},
 	}
 
@@ -131,6 +133,20 @@ func CreateAggregatorServer(aggregatorConfig aggregatorapiserver.CompletedConfig
 		return nil, err
 	}
 
+	// Set informers for peer proxy handler to exclude CRD and APIService GVs
+	// from peer proxying and peer-aggregated discovery.
+	if aggregatorConfig.ExtraConfig.PeerProxy != nil {
+		if err := aggregatorConfig.ExtraConfig.PeerProxy.RegisterCRDInformerHandlers(crds.Informer(), crdExtractor); err != nil {
+			return nil, err
+		}
+		if err := aggregatorConfig.ExtraConfig.PeerProxy.RegisterAPIServiceInformerHandlers(
+			aggregatorServer.APIRegistrationInformers.Apiregistration().V1().APIServices().Informer(),
+			apiServiceExtractor,
+		); err != nil {
+			return nil, err
+		}
+	}
+
 	// create controllers for auto-registration
 	apiRegistrationClient, err := apiregistrationclient.NewForConfig(aggregatorConfig.GenericConfig.LoopbackClientConfig)
 	if err != nil {
@@ -194,6 +210,38 @@ func CreateAggregatorServer(aggregatorConfig aggregatorapiserver.CompletedConfig
 	return aggregatorServer, nil
 }
 
+// crdExtractor extracts group-versions from CustomResourceDefinition objects
+// for use in the peer proxy exclusion filter.
+func crdExtractor(obj interface{}) []schema.GroupVersion {
+	crd, ok := obj.(*apiextensionsv1.CustomResourceDefinition)
+	if !ok {
+		klog.Errorf("Expected CustomResourceDefinition but got %T", obj)
+		return nil
+	}
+	var gvs []schema.GroupVersion
+	for _, v := range crd.Spec.Versions {
+		gvs = append(gvs, schema.GroupVersion{Group: crd.Spec.Group, Version: v.Name})
+	}
+	return gvs
+}
+
+// apiServiceExtractor extracts group-versions from APIService objects
+// for use in the peer proxy exclusion filter. Only aggregated APIs
+// (those with a Service reference) are excluded.
+func apiServiceExtractor(obj interface{}) []schema.GroupVersion {
+	apiService, ok := obj.(*v1.APIService)
+	if !ok {
+		klog.Errorf("Expected APIService but got %T", obj)
+		return nil
+	}
+	// Only exclude if the APIService points to a service, implying it's an aggregated API
+	if apiService.Spec.Service == nil {
+		return nil
+	}
+	gv := schema.GroupVersion{Group: apiService.Spec.Group, Version: apiService.Spec.Version}
+	return []schema.GroupVersion{gv}
+}
+
 func makeAPIService(gv schema.GroupVersion, apiVersionPriorities map[schema.GroupVersion]APIServicePriority) *v1.APIService {
 	apiServicePriority, ok := apiVersionPriorities[gv]
 	if !ok {
@@ -296,7 +344,7 @@ func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePrio
 		{Group: "flowcontrol.apiserver.k8s.io", Version: "v1alpha1"}: {Group: 16100, Version: 9},
 		{Group: "internal.apiserver.k8s.io", Version: "v1alpha1"}:    {Group: 16000, Version: 9},
 		{Group: "resource.k8s.io", Version: "v1alpha3"}:              {Group: 15900, Version: 9},
-		{Group: "storagemigration.k8s.io", Version: "v1alpha1"}:      {Group: 15800, Version: 9},
+		{Group: "storagemigration.k8s.io", Version: "v1beta1"}:       {Group: 15800, Version: 9},
 		// Append a new group to the end of the list if unsure.
 		// You can use min(existing group)-100 as the initial value for a group.
 		// Version can be set to 9 (to have space around) for a new group.
diff --git a/pkg/controlplane/apiserver/config.go b/pkg/controlplane/apiserver/config.go
index f3c4ce6f6e538..f284b48c7ec81 100644
--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
@@ -45,6 +45,7 @@ import (
 	"k8s.io/apiserver/pkg/server/egressselector"
 	"k8s.io/apiserver/pkg/server/filters"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/openapi"
 	utilpeerproxy "k8s.io/apiserver/pkg/util/peerproxy"
@@ -52,14 +53,13 @@ import (
 	clientgoinformers "k8s.io/client-go/informers"
 	clientgoclientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/keyutil"
+	basecompatibility "k8s.io/component-base/compatibility"
 	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 	openapicommon "k8s.io/kube-openapi/pkg/common"
-
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	controlplaneadmission "k8s.io/kubernetes/pkg/controlplane/apiserver/admission"
 	"k8s.io/kubernetes/pkg/controlplane/apiserver/options"
 	"k8s.io/kubernetes/pkg/controlplane/controller/clusterauthenticationtrust"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubeapiserver"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
@@ -328,7 +328,7 @@ func CreateConfig(
 		},
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
+	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnknownVersionInteroperabilityProxy) {
 		var err error
 		config.PeerEndpointLeaseReconciler, err = CreatePeerEndpointLeaseReconciler(*genericConfig, storageFactory)
 		if err != nil {
@@ -402,6 +402,7 @@ func CreateConfig(
 		clientgoExternalClient,
 		dynamicExternalClient,
 		utilfeature.DefaultFeatureGate,
+		compatibility.DefaultComponentGlobalsRegistry.EffectiveVersionFor(basecompatibility.DefaultKubeComponent),
 		append(genericInitializers, additionalInitializers...)...,
 	)
 	if err != nil {
diff --git a/pkg/controlplane/apiserver/options/options.go b/pkg/controlplane/apiserver/options/options.go
index b409f595808e1..cce8f3e77a7eb 100644
--- a/pkg/controlplane/apiserver/options/options.go
+++ b/pkg/controlplane/apiserver/options/options.go
@@ -27,6 +27,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	peerreconcilers "k8s.io/apiserver/pkg/reconcilers"
+	"k8s.io/apiserver/pkg/server/flagz"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 	"k8s.io/client-go/util/keyutil"
@@ -34,7 +35,6 @@ import (
 	"k8s.io/component-base/logs"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/component-base/metrics"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	netutil "k8s.io/utils/net"
 
diff --git a/pkg/controlplane/apiserver/options/options_test.go b/pkg/controlplane/apiserver/options/options_test.go
index 91d450fd25bb5..97e78054aa6ba 100644
--- a/pkg/controlplane/apiserver/options/options_test.go
+++ b/pkg/controlplane/apiserver/options/options_test.go
@@ -123,6 +123,7 @@ func TestAddFlags(t *testing.T) {
 		"--storage-backend=etcd3",
 		"--lease-reuse-duration-seconds=100",
 		"--emulated-version=test=1.31",
+		"--min-compatibility-version=test=1.29",
 		"--coordinated-leadership-lease-duration=10s",
 		"--coordinated-leadership-renew-deadline=5s",
 		"--coordinated-leadership-retry-period=1s",
@@ -322,6 +323,9 @@ func TestAddFlags(t *testing.T) {
 	if testEffectiveVersion.EmulationVersion().String() != "1.31" {
 		t.Errorf("Got emulation version %s, wanted %s", testEffectiveVersion.EmulationVersion().String(), "1.31")
 	}
+	if testEffectiveVersion.MinCompatibilityVersion().String() != "1.29" {
+		t.Errorf("Got min compatibility version %s, wanted %s", testEffectiveVersion.MinCompatibilityVersion().String(), "1.29")
+	}
 }
 
 func TestCompleteForServiceAccount(t *testing.T) {
diff --git a/pkg/controlplane/apiserver/options/validation.go b/pkg/controlplane/apiserver/options/validation.go
index deb9c6dbe1877..4107e260c9e70 100644
--- a/pkg/controlplane/apiserver/options/validation.go
+++ b/pkg/controlplane/apiserver/options/validation.go
@@ -23,7 +23,7 @@ import (
 	"strings"
 
 	apiextensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver"
-	genericfeatures "k8s.io/apiserver/pkg/features"
+	apiserverfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
 	"k8s.io/kubernetes/pkg/features"
@@ -71,23 +71,9 @@ func validateAPIPriorityAndFairness(options *Options) []error {
 	return nil
 }
 
-func validateNodeSelectorAuthorizationFeature() []error {
-	if utilfeature.DefaultFeatureGate.Enabled(features.AuthorizeNodeWithSelectors) && !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AuthorizeWithSelectors) {
-		return []error{fmt.Errorf("AuthorizeNodeWithSelectors feature requires AuthorizeWithSelectors feature to be enabled")}
-	}
-	return nil
-}
-
-func validatePodCertificateRequestFeature() []error {
-	if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) && !utilfeature.DefaultFeatureGate.Enabled(features.AuthorizeNodeWithSelectors) {
-		return []error{fmt.Errorf("PodCertificateRequest feature requires AuthorizeNodeWithSelectors feature to be enabled")}
-	}
-	return nil
-}
-
 func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error {
 	err := []error{}
-	if !utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
+	if !utilfeature.DefaultFeatureGate.Enabled(apiserverfeatures.UnknownVersionInteroperabilityProxy) {
 		if options.PeerCAFile != "" {
 			err = append(err, fmt.Errorf("--peer-ca-file requires UnknownVersionInteroperabilityProxy feature to be turned on"))
 		}
@@ -151,8 +137,6 @@ func (s *Options) Validate() []error {
 	errs = append(errs, validateTokenRequest(s)...)
 	errs = append(errs, s.Metrics.Validate()...)
 	errs = append(errs, validateUnknownVersionInteroperabilityProxyFlags(s)...)
-	errs = append(errs, validateNodeSelectorAuthorizationFeature()...)
-	errs = append(errs, validatePodCertificateRequestFeature()...)
 	errs = append(errs, validateServiceAccountTokenSigningConfig(s)...)
 	errs = append(errs, validateCoordinatedLeadershipFlags(s)...)
 
diff --git a/pkg/controlplane/apiserver/options/validation_test.go b/pkg/controlplane/apiserver/options/validation_test.go
index be3ff76a069ba..2799b79212212 100644
--- a/pkg/controlplane/apiserver/options/validation_test.go
+++ b/pkg/controlplane/apiserver/options/validation_test.go
@@ -23,6 +23,7 @@ import (
 	"testing"
 
 	kubeapiserveradmission "k8s.io/apiserver/pkg/admission"
+	genericfeatures "k8s.io/apiserver/pkg/features"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	basecompatibility "k8s.io/component-base/compatibility"
@@ -150,7 +151,7 @@ func TestValidateUnknownVersionInteroperabilityProxy(t *testing.T) {
 				PeerAdvertiseAddress: test.peerAdvertiseAddress,
 			}
 			if test.featureEnabled {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UnknownVersionInteroperabilityProxy, true)
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
 			}
 			var errMessageGot string
 			if errs := validateUnknownVersionInteroperabilityProxyFlags(options); len(errs) > 0 {
diff --git a/pkg/controlplane/apiserver/samples/generic/server/admission_test.go b/pkg/controlplane/apiserver/samples/generic/server/admission_test.go
index a16a257840a31..b9aab2fd49c2a 100644
--- a/pkg/controlplane/apiserver/samples/generic/server/admission_test.go
+++ b/pkg/controlplane/apiserver/samples/generic/server/admission_test.go
@@ -23,6 +23,7 @@ import (
 	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 	"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
 	"k8s.io/kubernetes/plugin/pkg/admission/network/defaultingressclass"
+	"k8s.io/kubernetes/plugin/pkg/admission/nodedeclaredfeatures"
 	"k8s.io/kubernetes/plugin/pkg/admission/nodetaint"
 	"k8s.io/kubernetes/plugin/pkg/admission/podtopologylabels"
 	podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
@@ -44,6 +45,7 @@ var intentionallyOffPlugins = sets.New[string](
 	defaultingressclass.PluginName,          // DefaultIngressClass
 	podsecurity.PluginName,                  // PodSecurity
 	podtopologylabels.PluginName,            // PodTopologyLabels
+	nodedeclaredfeatures.PluginName,         // NodeDeclaredFeatures
 )
 
 func TestDefaultOffAdmissionPlugins(t *testing.T) {
diff --git a/pkg/controlplane/apiserver/samples/generic/server/testing/testserver.go b/pkg/controlplane/apiserver/samples/generic/server/testing/testserver.go
index 16a0667711b00..8b2600988a41b 100644
--- a/pkg/controlplane/apiserver/samples/generic/server/testing/testserver.go
+++ b/pkg/controlplane/apiserver/samples/generic/server/testing/testserver.go
@@ -36,6 +36,7 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
@@ -43,7 +44,6 @@ import (
 	cliflag "k8s.io/component-base/cli/flag"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options"
 	"k8s.io/kubernetes/test/utils/ktesting"
diff --git a/pkg/controlplane/apiserver/server.go b/pkg/controlplane/apiserver/server.go
index 78bf8933a1d2e..614c0fe4559c4 100644
--- a/pkg/controlplane/apiserver/server.go
+++ b/pkg/controlplane/apiserver/server.go
@@ -34,12 +34,12 @@ import (
 	genericregistry "k8s.io/apiserver/pkg/registry/generic"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	"k8s.io/apiserver/pkg/server/flagz"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientgoinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/component-helpers/apimachinery/lease"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
@@ -49,7 +49,6 @@ import (
 	"k8s.io/kubernetes/pkg/controlplane/controller/leaderelection"
 	"k8s.io/kubernetes/pkg/controlplane/controller/legacytokentracking"
 	"k8s.io/kubernetes/pkg/controlplane/controller/systemnamespaces"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/routes"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
@@ -198,7 +197,7 @@ func (c completedConfig) New(name string, delegationTarget genericapiserver.Dele
 		})
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
+	if utilfeature.DefaultFeatureGate.Enabled(apiserverfeatures.UnknownVersionInteroperabilityProxy) {
 		peeraddress := getPeerAddress(c.Extra.PeerAdvertiseAddress, c.Generic.PublicAddress, publicServicePort)
 		peerEndpointCtrl := peerreconcilers.New(
 			c.Generic.APIServerID,
@@ -217,22 +216,36 @@ func (c completedConfig) New(name string, delegationTarget genericapiserver.Dele
 				return nil
 			})
 		if c.Extra.PeerProxy != nil {
+			// Wait for handler to be ready
+			s.GenericAPIServer.AddPostStartHookOrDie("mixed-version-proxy-handler", func(context genericapiserver.PostStartHookContext) error {
+				err := c.Extra.PeerProxy.WaitForCacheSync(context.Done())
+				return err
+			})
+
 			// Run local-discovery sync loop
 			s.GenericAPIServer.AddPostStartHookOrDie("local-discovery-cache-sync", func(context genericapiserver.PostStartHookContext) error {
 				err := c.Extra.PeerProxy.RunLocalDiscoveryCacheSync(context.Done())
 				return err
 			})
 
-			// Run peer-discovery sync loop.
+			// Run peer-discovery sync loop
 			s.GenericAPIServer.AddPostStartHookOrDie("peer-discovery-cache-sync", func(context genericapiserver.PostStartHookContext) error {
 				go c.Extra.PeerProxy.RunPeerDiscoveryCacheSync(context, 1)
 				return nil
 			})
 
-			// Wait for handler to be ready.
-			s.GenericAPIServer.AddPostStartHookOrDie("mixed-version-proxy-handler", func(context genericapiserver.PostStartHookContext) error {
-				err := c.Extra.PeerProxy.WaitForCacheSync(context.Done())
-				return err
+			// RunGVDeletionWorkers processes GVs from deleted CRDs/APIServices. If a GV is no longer in use,
+			// it is marked for removal from peer-discovery (with a deletion timestamp), triggering a grace period before cleanup.
+			s.GenericAPIServer.AddPostStartHookOrDie("gv-deletion-workers", func(context genericapiserver.PostStartHookContext) error {
+				go c.Extra.PeerProxy.RunGVDeletionWorkers(context, 1)
+				return nil
+			})
+
+			// RunExcludedGVsReaper removes GVs from the peer-discovery exclusion list after their grace period expires.
+			// This ensures we don't include stale CRDs/aggregated APIs from peer discovery in the aggregated discovery.
+			s.GenericAPIServer.AddPostStartHookOrDie("excluded-groups-reaper", func(context genericapiserver.PostStartHookContext) error {
+				go c.Extra.PeerProxy.RunExcludedGVsReaper(context.Done())
+				return nil
 			})
 		}
 	}
@@ -266,26 +279,31 @@ func (c completedConfig) New(name string, delegationTarget genericapiserver.Dele
 	})
 
 	if utilfeature.DefaultFeatureGate.Enabled(apiserverfeatures.APIServerIdentity) {
-		s.GenericAPIServer.AddPostStartHookOrDie("start-kube-apiserver-identity-lease-controller", func(hookContext genericapiserver.PostStartHookContext) error {
-			leaseName := s.GenericAPIServer.APIServerID
-			holderIdentity := s.GenericAPIServer.APIServerID + "_" + string(uuid.NewUUID())
+		leaseName := s.GenericAPIServer.APIServerID
+		holderIdentity := s.GenericAPIServer.APIServerID + "_" + string(uuid.NewUUID())
+		peeraddress := getPeerAddress(c.Extra.PeerAdvertiseAddress, c.Generic.PublicAddress, publicServicePort)
 
-			peeraddress := getPeerAddress(c.Extra.PeerAdvertiseAddress, c.Generic.PublicAddress, publicServicePort)
-			// must replace ':,[]' in [ip:port] to be able to store this as a valid label value
-			controller := lease.NewController(
-				clock.RealClock{},
-				client,
-				holderIdentity,
-				int32(IdentityLeaseDurationSeconds),
-				nil,
-				IdentityLeaseRenewIntervalPeriod,
-				leaseName,
-				metav1.NamespaceSystem,
-				// TODO: receive identity label value as a parameter when post start hook is moved to generic apiserver.
-				labelAPIServerHeartbeatFunc(name, peeraddress))
-			go controller.Run(hookContext)
+		// must replace ':,[]' in [ip:port] to be able to store this as a valid label value
+		controller := lease.NewController(
+			clock.RealClock{},
+			client,
+			holderIdentity,
+			int32(IdentityLeaseDurationSeconds),
+			nil,
+			IdentityLeaseRenewIntervalPeriod,
+			leaseName,
+			metav1.NamespaceSystem,
+			// TODO: receive identity label value as a parameter when post start hook is moved to generic apiserver.
+			labelAPIServerHeartbeatFunc(name, peeraddress),
+		)
+		s.GenericAPIServer.AddPostStartHookOrDie("start-kube-apiserver-identity-lease-controller", func(hookContext genericapiserver.PostStartHookContext) error {
+			return controller.Start(hookContext.Done())
+		})
+		s.GenericAPIServer.AddPreShutdownHookOrDie("stop-kube-apiserver-identity-lease-controller", func() error {
+			controller.Stop()
 			return nil
 		})
+
 		// TODO: move this into generic apiserver and make the lease identity value configurable
 		s.GenericAPIServer.AddPostStartHookOrDie("start-kube-apiserver-identity-lease-garbage-collector", func(hookContext genericapiserver.PostStartHookContext) error {
 			go apiserverleasegc.NewAPIServerLeaseGC(
@@ -293,7 +311,7 @@ func (c completedConfig) New(name string, delegationTarget genericapiserver.Dele
 				IdentityLeaseGCPeriod,
 				metav1.NamespaceSystem,
 				IdentityLeaseComponentLabelKey+"="+name,
-			).Run(hookContext.Done())
+			).RunWithContext(hookContext)
 			return nil
 		})
 	}
@@ -303,7 +321,7 @@ func (c completedConfig) New(name string, delegationTarget genericapiserver.Dele
 	}
 
 	s.GenericAPIServer.AddPostStartHookOrDie("start-legacy-token-tracking-controller", func(hookContext genericapiserver.PostStartHookContext) error {
-		go legacytokentracking.NewController(client).Run(hookContext.Done())
+		go legacytokentracking.NewController(client).RunWithContext(hookContext)
 		return nil
 	})
 
@@ -332,7 +350,7 @@ func labelAPIServerHeartbeatFunc(identity string, peeraddress string) lease.Proc
 		lease.Labels[apiv1.LabelHostname] = hostname
 
 		// Include apiserver network location <ip_port> used by peers to proxy requests between kube-apiservers
-		if utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
+		if utilfeature.DefaultFeatureGate.Enabled(apiserverfeatures.UnknownVersionInteroperabilityProxy) {
 			if peeraddress != "" {
 				lease.Annotations[apiv1.AnnotationPeerAdvertiseAddress] = peeraddress
 			}
diff --git a/pkg/controlplane/controller/apiserverleasegc/gc_controller.go b/pkg/controlplane/controller/apiserverleasegc/gc_controller.go
index 814fedad1be5c..c406467aa8e0e 100644
--- a/pkg/controlplane/controller/apiserverleasegc/gc_controller.go
+++ b/pkg/controlplane/controller/apiserverleasegc/gc_controller.go
@@ -18,7 +18,6 @@ package apiserverleasegc
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	v1 "k8s.io/api/coordination/v1"
@@ -71,29 +70,38 @@ func NewAPIServerLeaseGC(clientset kubernetes.Interface, gcCheckPeriod time.Dura
 }
 
 // Run starts one worker.
+//
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
 func (c *Controller) Run(stopCh <-chan struct{}) {
-	defer utilruntime.HandleCrash()
-	defer klog.Infof("Shutting down apiserver lease garbage collector")
+	c.RunWithContext(wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext starts one worker with a context.
+func (c *Controller) RunWithContext(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	defer utilruntime.HandleCrashWithContext(ctx)
+	defer logger.Info("Shutting down apiserver lease garbage collector")
 
-	klog.Infof("Starting apiserver lease garbage collector")
+	logger.Info("Starting apiserver lease garbage collector")
 
 	// we have a personal informer that is narrowly scoped, start it.
-	go c.leaseInformer.Run(stopCh)
+	go c.leaseInformer.RunWithContext(ctx)
 
-	if !cache.WaitForCacheSync(stopCh, c.leasesSynced) {
-		utilruntime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.leasesSynced) {
+		utilruntime.HandleErrorWithContext(ctx, nil, "Timed out waiting for caches to sync")
 		return
 	}
 
-	go wait.Until(c.gc, c.gcCheckPeriod, stopCh)
+	go wait.UntilWithContext(ctx, c.gc, c.gcCheckPeriod)
 
-	<-stopCh
+	<-ctx.Done()
 }
 
-func (c *Controller) gc() {
+func (c *Controller) gc(ctx context.Context) {
 	leases, err := c.leaseLister.Leases(c.leaseNamespace).List(labels.Everything())
+	logger := klog.FromContext(ctx)
 	if err != nil {
-		klog.ErrorS(err, "Error while listing apiserver leases")
+		logger.Error(err, "Error while listing apiserver leases")
 		return
 	}
 	for _, lease := range leases {
@@ -102,16 +110,16 @@ func (c *Controller) gc() {
 			continue
 		}
 		// double check latest lease from apiserver before deleting
-		lease, err := c.kubeclientset.CoordinationV1().Leases(c.leaseNamespace).Get(context.TODO(), lease.Name, metav1.GetOptions{})
+		lease, err := c.kubeclientset.CoordinationV1().Leases(c.leaseNamespace).Get(ctx, lease.Name, metav1.GetOptions{})
 		if err != nil && !errors.IsNotFound(err) {
-			klog.ErrorS(err, "Error getting lease")
+			logger.Error(err, "Error getting lease")
 			continue
 		}
 		if errors.IsNotFound(err) || lease == nil {
 			// In an HA cluster, this can happen if the lease was deleted
 			// by the same GC controller in another apiserver, which is legit.
 			// We don't expect other components to delete the lease.
-			klog.V(4).InfoS("Cannot find apiserver lease", "err", err)
+			logger.V(4).Info("Cannot find apiserver lease", "err", err)
 			continue
 		}
 		// evaluate lease from apiserver
@@ -119,14 +127,14 @@ func (c *Controller) gc() {
 			continue
 		}
 		if err := c.kubeclientset.CoordinationV1().Leases(c.leaseNamespace).Delete(
-			context.TODO(), lease.Name, metav1.DeleteOptions{}); err != nil {
+			ctx, lease.Name, metav1.DeleteOptions{}); err != nil {
 			if errors.IsNotFound(err) {
 				// In an HA cluster, this can happen if the lease was deleted
 				// by the same GC controller in another apiserver, which is legit.
 				// We don't expect other components to delete the lease.
-				klog.V(4).InfoS("Apiserver lease is gone already", "err", err)
+				logger.V(4).Info("Apiserver lease is gone already", "err", err)
 			} else {
-				klog.ErrorS(err, "Error deleting lease")
+				logger.Error(err, "Error deleting lease")
 			}
 		}
 	}
diff --git a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
index 10d45d80e5301..c3fe7ffe58aa0 100644
--- a/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
+++ b/pkg/controlplane/controller/clusterauthenticationtrust/cluster_authentication_trust_controller.go
@@ -463,7 +463,7 @@ func (c *Controller) Run(ctx context.Context, workers int) {
 	go c.kubeSystemConfigMapInformer.Run(ctx.Done())
 
 	// wait for your secondary caches to fill before starting your work
-	if !cache.WaitForNamedCacheSync("cluster_authentication_trust_controller", ctx.Done(), c.preRunCaches...) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.preRunCaches...) {
 		return
 	}
 
diff --git a/pkg/controlplane/controller/defaultservicecidr/default_servicecidr_controller.go b/pkg/controlplane/controller/defaultservicecidr/default_servicecidr_controller.go
index 6d0bb0a0b89a3..0cc5d71e098f8 100644
--- a/pkg/controlplane/controller/defaultservicecidr/default_servicecidr_controller.go
+++ b/pkg/controlplane/controller/defaultservicecidr/default_servicecidr_controller.go
@@ -106,10 +106,13 @@ func (c *Controller) Start(ctx context.Context) {
 	c.eventRecorder = c.eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: controllerName})
 	c.eventBroadcaster.StartStructuredLogging(0)
 	c.eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: c.client.CoreV1().Events("")})
-	defer c.eventBroadcaster.Shutdown()
 
 	klog.Infof("Starting %s", controllerName)
-	defer klog.Infof("Shutting down %s", controllerName)
+	go func() {
+		<-ctx.Done()
+		klog.Infof("Shutting down %s", controllerName)
+		c.eventBroadcaster.Shutdown()
+	}()
 
 	go c.serviceCIDRInformer.Run(stopCh)
 	if !cache.WaitForNamedCacheSync(controllerName, stopCh, c.serviceCIDRsSynced) {
diff --git a/pkg/controlplane/controller/leaderelection/OWNERS b/pkg/controlplane/controller/leaderelection/OWNERS
new file mode 100644
index 0000000000000..29219fbb070a4
--- /dev/null
+++ b/pkg/controlplane/controller/leaderelection/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - jefftree
+reviewers:
+  - jefftree
+labels:
+  - sig/api-machinery
diff --git a/pkg/controlplane/controller/leaderelection/leaderelection_controller.go b/pkg/controlplane/controller/leaderelection/leaderelection_controller.go
index 0df141a29ae90..3b44c30e452f9 100644
--- a/pkg/controlplane/controller/leaderelection/leaderelection_controller.go
+++ b/pkg/controlplane/controller/leaderelection/leaderelection_controller.go
@@ -88,7 +88,7 @@ func (c *Controller) Run(ctx context.Context, workers int) {
 		}
 	}()
 
-	if !cache.WaitForNamedCacheSync(controllerName, ctx.Done(), c.leaseRegistration.HasSynced, c.leaseCandidateRegistration.HasSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.leaseRegistration.HasSynced, c.leaseCandidateRegistration.HasSynced) {
 		return
 	}
 
diff --git a/pkg/controlplane/controller/legacytokentracking/controller.go b/pkg/controlplane/controller/legacytokentracking/controller.go
index 512db25096acb..31ef0dc08ad85 100644
--- a/pkg/controlplane/controller/legacytokentracking/controller.go
+++ b/pkg/controlplane/controller/legacytokentracking/controller.go
@@ -18,7 +18,6 @@ package legacytokentracking
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -112,40 +111,49 @@ func (c *Controller) enqueue() {
 }
 
 // Run starts the controller sync loop.
+//
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
 func (c *Controller) Run(stopCh <-chan struct{}) {
+	c.RunWithContext(wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext starts the controller sync loop with a context.
+func (c *Controller) RunWithContext(ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
-	klog.Info("Starting legacy_token_tracking_controller")
-	defer klog.Infof("Shutting down legacy_token_tracking_controller")
+	logger := klog.FromContext(ctx)
+
+	logger.Info("Starting legacy_token_tracking_controller")
+	defer logger.Info("Shutting down legacy_token_tracking_controller")
 
-	go c.configMapInformer.Run(stopCh)
-	if !cache.WaitForNamedCacheSync("configmaps", stopCh, c.configMapSynced) {
+	go c.configMapInformer.Run(ctx.Done())
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.configMapSynced) {
 		return
 	}
 
-	go wait.Until(c.runWorker, time.Second, stopCh)
+	go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 
 	c.queue.Add(queueKey)
 
-	<-stopCh
-	klog.Info("Ending legacy_token_tracking_controller")
+	<-ctx.Done()
+	logger.Info("Ending legacy_token_tracking_controller")
 }
 
-func (c *Controller) runWorker() {
-	for c.processNext() {
+func (c *Controller) runWorker(ctx context.Context) {
+	for c.processNext(ctx) {
 	}
 }
 
-func (c *Controller) processNext() bool {
+func (c *Controller) processNext(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 	defer c.queue.Done(key)
 
-	if err := c.syncConfigMap(); err != nil {
-		utilruntime.HandleError(fmt.Errorf("while syncing ConfigMap %q, err: %w", key, err))
+	if err := c.syncConfigMap(ctx); err != nil {
+		utilruntime.HandleErrorWithContext(ctx, err, "Error while syncing ConfigMap", "configmap", key)
 		c.queue.AddRateLimited(key)
 		return true
 	}
@@ -153,7 +161,7 @@ func (c *Controller) processNext() bool {
 	return true
 }
 
-func (c *Controller) syncConfigMap() error {
+func (c *Controller) syncConfigMap(ctx context.Context) error {
 	obj, exists, err := c.configMapCache.GetByKey(queueKey)
 	if err != nil {
 		return err
@@ -168,7 +176,7 @@ func (c *Controller) syncConfigMap() error {
 			return nil
 		}
 
-		if _, err = c.configMapClient.ConfigMaps(metav1.NamespaceSystem).Create(context.TODO(), &corev1.ConfigMap{
+		if _, err = c.configMapClient.ConfigMaps(metav1.NamespaceSystem).Create(ctx, &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: ConfigMapName},
 			Data:       map[string]string{ConfigMapDataKey: now.UTC().Format(dateFormat)},
 		}, metav1.CreateOptions{}); err != nil {
@@ -187,7 +195,7 @@ func (c *Controller) syncConfigMap() error {
 				configMap.Data = map[string]string{}
 			}
 			configMap.Data[ConfigMapDataKey] = now.UTC().Format(dateFormat)
-			if _, err = c.configMapClient.ConfigMaps(metav1.NamespaceSystem).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
+			if _, err = c.configMapClient.ConfigMaps(metav1.NamespaceSystem).Update(ctx, configMap, metav1.UpdateOptions{}); err != nil {
 				if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 					return nil
 				}
diff --git a/pkg/controlplane/controller/legacytokentracking/controller_test.go b/pkg/controlplane/controller/legacytokentracking/controller_test.go
index a05146e6c5914..bb292476d9e3e 100644
--- a/pkg/controlplane/controller/legacytokentracking/controller_test.go
+++ b/pkg/controlplane/controller/legacytokentracking/controller_test.go
@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/fake"
 	core "k8s.io/client-go/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	testingclock "k8s.io/utils/clock/testing"
 )
 
@@ -126,6 +127,7 @@ func TestSyncConfigMap(t *testing.T) {
 			},
 		},
 	}
+	_, ctx := ktesting.NewTestContext(t)
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			client := fake.NewSimpleClientset(test.clientObjects...)
@@ -135,7 +137,7 @@ func TestSyncConfigMap(t *testing.T) {
 				controller.configMapCache.Add(test.existingConfigMap)
 			}
 
-			if err := controller.syncConfigMap(); err != nil {
+			if err := controller.syncConfigMap(ctx); err != nil {
 				t.Errorf("Failed to sync ConfigMap, err: %v", err)
 			}
 
@@ -145,7 +147,7 @@ func TestSyncConfigMap(t *testing.T) {
 					ObjectMeta: metav1.ObjectMeta{Namespace: metav1.NamespaceSystem, Name: ConfigMapName},
 				})
 				controller.clock.(*testingclock.FakeClock).SetTime(createAt)
-				if err := controller.syncConfigMap(); err != nil {
+				if err := controller.syncConfigMap(ctx); err != nil {
 					t.Errorf("Failed to sync ConfigMap, err: %v", err)
 				}
 			}
diff --git a/pkg/controlplane/import_known_versions_test.go b/pkg/controlplane/import_known_versions_test.go
index 1bdeb8b03c4fb..11a247d7d58ae 100644
--- a/pkg/controlplane/import_known_versions_test.go
+++ b/pkg/controlplane/import_known_versions_test.go
@@ -69,6 +69,7 @@ var typesAllowedTags = map[reflect.Type]bool{
 	reflect.TypeOf(metav1.GetOptions{}):               true,
 	reflect.TypeOf(metav1.ListOptions{}):              true,
 	reflect.TypeOf(metav1.DeleteOptions{}):            true,
+	reflect.TypeOf(metav1.GroupResource{}):            true,
 	reflect.TypeOf(metav1.GroupVersionKind{}):         true,
 	reflect.TypeOf(metav1.GroupVersionResource{}):     true,
 	reflect.TypeOf(metav1.Status{}):                   true,
diff --git a/pkg/controlplane/instance.go b/pkg/controlplane/instance.go
index e209618e36ffe..49c3da79dcf7a 100644
--- a/pkg/controlplane/instance.go
+++ b/pkg/controlplane/instance.go
@@ -54,10 +54,11 @@ import (
 	resourcev1beta1 "k8s.io/api/resource/v1beta1"
 	resourcev1beta2 "k8s.io/api/resource/v1beta2"
 	schedulingapiv1 "k8s.io/api/scheduling/v1"
+	schedulingapiv1alpha1 "k8s.io/api/scheduling/v1alpha1"
 	storageapiv1 "k8s.io/api/storage/v1"
 	storageapiv1alpha1 "k8s.io/api/storage/v1alpha1"
 	storageapiv1beta1 "k8s.io/api/storage/v1beta1"
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/endpoints/discovery"
@@ -396,7 +397,7 @@ func (c CompletedConfig) StorageProviders(client *kubernetes.Clientset) ([]contr
 			NodePortRange:           c.Extra.ServiceNodePortRange,
 			IPRepairInterval:        c.Extra.RepairServicesInterval,
 		},
-	})
+	}, c.ControlPlane.Generic.Authorization.Authorizer)
 	if err != nil {
 		return nil, err
 	}
@@ -479,6 +480,7 @@ var (
 		networkingapiv1beta1.SchemeGroupVersion,
 		resourcev1beta1.SchemeGroupVersion,
 		resourcev1beta2.SchemeGroupVersion,
+		svmv1beta1.SchemeGroupVersion,
 	}
 
 	// alphaAPIGroupVersionsDisabledByDefault holds the alpha APIs we have.  They are always disabled by default.
@@ -490,8 +492,8 @@ var (
 		coordinationv1alpha2.SchemeGroupVersion,
 		resourcev1alpha3.SchemeGroupVersion,
 		certificatesv1alpha1.SchemeGroupVersion,
+		schedulingapiv1alpha1.SchemeGroupVersion,
 		storageapiv1alpha1.SchemeGroupVersion,
-		svmv1alpha1.SchemeGroupVersion,
 	}
 )
 
diff --git a/pkg/controlplane/instance_test.go b/pkg/controlplane/instance_test.go
index 1d11482174057..4d941e8e5f316 100644
--- a/pkg/controlplane/instance_test.go
+++ b/pkg/controlplane/instance_test.go
@@ -180,7 +180,7 @@ func TestLegacyRestStorageStrategies(t *testing.T) {
 			ClusterIPRange: apiserverCfg.Extra.ServiceIPRange,
 			NodePortRange:  apiserverCfg.Extra.ServiceNodePortRange,
 		},
-	})
+	}, nil)
 	if err != nil {
 		t.Fatalf("unexpected error from REST storage: %v", err)
 	}
diff --git a/pkg/controlplane/reconcilers/lease.go b/pkg/controlplane/reconcilers/lease.go
index 5a2aff1b9e968..a6c5782900013 100644
--- a/pkg/controlplane/reconcilers/lease.go
+++ b/pkg/controlplane/reconcilers/lease.go
@@ -132,9 +132,9 @@ func (s *storageLeases) Destroy() {
 
 // NewLeases creates a new etcd-based Leases implementation.
 func NewLeases(config *storagebackend.ConfigForResource, baseKey string, leaseTime time.Duration) (Leases, error) {
-	// note that newFunc, newListFunc and resourcePrefix
+	// note that newFunc, newListFunc
 	// can be left blank unless the storage.Watch method is used
-	leaseStorage, destroyFn, err := storagefactory.Create(*config, nil, nil, "")
+	leaseStorage, destroyFn, err := storagefactory.Create(*config, nil, nil, baseKey)
 	if err != nil {
 		return nil, fmt.Errorf("error creating storage factory: %v", err)
 	}
diff --git a/pkg/controlplane/reconcilers/lease_test.go b/pkg/controlplane/reconcilers/lease_test.go
index 1e9d3ce13ae1d..3fb912a92dc45 100644
--- a/pkg/controlplane/reconcilers/lease_test.go
+++ b/pkg/controlplane/reconcilers/lease_test.go
@@ -62,18 +62,12 @@ type fakeLeases struct {
 
 var _ Leases = &fakeLeases{}
 
-func newFakeLeases(t *testing.T, s storage.Interface) *fakeLeases {
-	// use the same base key used by the controlplane, but add a random
-	// prefix so we can reuse the etcd instance for subtests independently.
-	// pkg/controlplane/instance.go:268:
-	// masterLeases, err := reconcilers.NewLeases(config, "/masterleases/", ttl)
-	// ref: https://issues.k8s.io/114049
-	base := "/" + uuid.New().String() + "/masterleases/"
+func newFakeLeases(t *testing.T, baseKey string, s storage.Interface) *fakeLeases {
 	return &fakeLeases{
 		storageLeases{
 			storage:   s,
 			destroyFn: func() {},
-			baseKey:   base,
+			baseKey:   baseKey,
 			leaseTime: 1 * time.Minute, // avoid the lease to timeout on tests
 		},
 	}
@@ -96,12 +90,6 @@ func TestLeaseEndpointReconciler(t *testing.T) {
 	newListFunc := func() runtime.Object { return &corev1.EndpointsList{} }
 	sc.Codec = apitesting.TestStorageCodec(codecs, corev1.SchemeGroupVersion)
 
-	s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, "")
-	if err != nil {
-		t.Fatalf("Error creating storage: %v", err)
-	}
-	t.Cleanup(dFunc)
-
 	reconcileTests := []struct {
 		testName      string
 		serviceName   string
@@ -341,8 +329,19 @@ func TestLeaseEndpointReconciler(t *testing.T) {
 	}
 	for _, test := range reconcileTests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeLeases := newFakeLeases(t, s)
-			err := fakeLeases.SetKeys(test.endpointKeys)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			// pkg/controlplane/instance.go:268:
+			// masterLeases, err := reconcilers.NewLeases(config, "/masterleases/", ttl)
+			// ref: https://issues.k8s.io/114049
+			baseKey := "/" + uuid.New().String() + "/masterleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+			fakeLeases := newFakeLeases(t, baseKey, s)
+			err = fakeLeases.SetKeys(test.endpointKeys)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
@@ -420,8 +419,19 @@ func TestLeaseEndpointReconciler(t *testing.T) {
 	}
 	for _, test := range nonReconcileTests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeLeases := newFakeLeases(t, s)
-			err := fakeLeases.SetKeys(test.endpointKeys)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			// pkg/controlplane/instance.go:268:
+			// masterLeases, err := reconcilers.NewLeases(config, "/masterleases/", ttl)
+			// ref: https://issues.k8s.io/114049
+			baseKey := "/" + uuid.New().String() + "/masterleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+			fakeLeases := newFakeLeases(t, baseKey, s)
+			err = fakeLeases.SetKeys(test.endpointKeys)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
@@ -460,12 +470,6 @@ func TestLeaseRemoveEndpoints(t *testing.T) {
 	newListFunc := func() runtime.Object { return &corev1.EndpointsList{} }
 	sc.Codec = apitesting.TestStorageCodec(codecs, corev1.SchemeGroupVersion)
 
-	s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), newFunc, newListFunc, "")
-	if err != nil {
-		t.Fatalf("Error creating storage: %v", err)
-	}
-	t.Cleanup(dFunc)
-
 	stopTests := []struct {
 		testName         string
 		serviceName      string
@@ -530,8 +534,19 @@ func TestLeaseRemoveEndpoints(t *testing.T) {
 	}
 	for _, test := range stopTests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeLeases := newFakeLeases(t, s)
-			err := fakeLeases.SetKeys(test.endpointKeys)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			// pkg/controlplane/instance.go:268:
+			// masterLeases, err := reconcilers.NewLeases(config, "/masterleases/", ttl)
+			// ref: https://issues.k8s.io/114049
+			baseKey := "/" + uuid.New().String() + "/masterleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+			fakeLeases := newFakeLeases(t, baseKey, s)
+			err = fakeLeases.SetKeys(test.endpointKeys)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
@@ -587,12 +602,6 @@ func TestApiserverShutdown(t *testing.T) {
 	newListFunc := func() runtime.Object { return &corev1.EndpointsList{} }
 	sc.Codec = apitesting.TestStorageCodec(codecs, corev1.SchemeGroupVersion)
 
-	s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, "")
-	if err != nil {
-		t.Fatalf("Error creating storage: %v", err)
-	}
-	t.Cleanup(dFunc)
-
 	reconcileTests := []struct {
 		testName                string
 		serviceName             string
@@ -651,8 +660,19 @@ func TestApiserverShutdown(t *testing.T) {
 	}
 	for _, test := range reconcileTests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeLeases := newFakeLeases(t, s)
-			err := fakeLeases.SetKeys(test.endpointKeys)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			// pkg/controlplane/instance.go:268:
+			// masterLeases, err := reconcilers.NewLeases(config, "/masterleases/", ttl)
+			// ref: https://issues.k8s.io/114049
+			baseKey := "/" + uuid.New().String() + "/masterleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+			fakeLeases := newFakeLeases(t, baseKey, s)
+			err = fakeLeases.SetKeys(test.endpointKeys)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
diff --git a/pkg/controlplane/storageversionhashdata/data.go b/pkg/controlplane/storageversionhashdata/data.go
index 028fc75f03c63..eef787a688c21 100644
--- a/pkg/controlplane/storageversionhashdata/data.go
+++ b/pkg/controlplane/storageversionhashdata/data.go
@@ -70,10 +70,10 @@ var GVRToStorageVersionHash = map[string]string{
 	"rbac.authorization.k8s.io/v1/clusterroles":                         "bYE5ZWDrJ44=",
 	"rbac.authorization.k8s.io/v1/rolebindings":                         "eGsCzGH6b1g=",
 	"rbac.authorization.k8s.io/v1/roles":                                "7FuwZcIIItM=",
-	"resource.k8s.io/v1/deviceclasses":                                  "weQRMT6DeYM=",
-	"resource.k8s.io/v1/resourceclaims":                                 "EJAWH5WrAYg=",
-	"resource.k8s.io/v1/resourceclaimtemplates":                         "24m0okHrUtk=",
-	"resource.k8s.io/v1/resourceslices":                                 "z6Bc9vgk6yE=",
+	"resource.k8s.io/v1/deviceclasses":                                  "Yk2PTc1Ybxk=",
+	"resource.k8s.io/v1/resourceclaims":                                 "wgAZaHcZxUg=",
+	"resource.k8s.io/v1/resourceclaimtemplates":                         "TuzjC49aUfM=",
+	"resource.k8s.io/v1/resourceslices":                                 "KsC072WgaEY=",
 	"scheduling.k8s.io/v1/priorityclasses":                              "1QwjyaZjj3Y=",
 	"storage.k8s.io/v1/csidrivers":                                      "hL6j/rwBV5w=",
 	"storage.k8s.io/v1/csinodes":                                        "Pe62DkZtjuo=",
diff --git a/pkg/credentialprovider/plugin/plugin.go b/pkg/credentialprovider/plugin/plugin.go
index 5c38823c8f1fc..8033b5944fb42 100644
--- a/pkg/credentialprovider/plugin/plugin.go
+++ b/pkg/credentialprovider/plugin/plugin.go
@@ -210,6 +210,7 @@ func newPluginProvider(pluginBinDir string, provider kubeletconfig.CredentialPro
 
 	clock := clock.RealClock{}
 	return &pluginProvider{
+		name:                 provider.Name,
 		clock:                clock,
 		matchImages:          provider.MatchImages,
 		cache:                cache.NewExpirationStore(cacheKeyFunc, &cacheExpirationPolicy{clock: clock}),
@@ -230,6 +231,7 @@ func newPluginProvider(pluginBinDir string, provider kubeletconfig.CredentialPro
 
 // pluginProvider is the plugin-based implementation of the DockerConfigProvider interface.
 type pluginProvider struct {
+	name  string
 	clock clock.Clock
 
 	sync.Mutex
@@ -390,8 +392,6 @@ func (c *cacheExpirationPolicy) IsExpired(entry *cache.TimestampedEntry) bool {
 // that the plugin can use this information to get the pod's service account and generate bound service account tokens
 // for plugins running in service account token mode.
 type perPodPluginProvider struct {
-	name string
-
 	provider *pluginProvider
 
 	podNamespace string
@@ -406,7 +406,19 @@ type perPodPluginProvider struct {
 // context was used (e.g., the plugin is not operating in service account token mode or no service
 // account was provided for the request).
 func (p *perPodPluginProvider) provideWithCoordinates(image string) (credentialprovider.DockerConfig, *credentialprovider.ServiceAccountCoordinates) {
-	return p.provider.provide(image, p.podNamespace, p.podName, p.podUID, p.serviceAccountName)
+	credentials, coordinates, err := p.provider.provide(image, p.podNamespace, p.podName, p.podUID, p.serviceAccountName)
+	if err == nil {
+		return credentials, coordinates
+	}
+
+	// If there was an error providing credentials, we log the error but do not return it.
+	if p.provider.serviceAccountProvider != nil {
+		klog.ErrorS(err, "Failed to provide credentials for image", "provider", p.provider.name, "image", image, "pod", klog.KRef(p.podNamespace, p.podName), "podUID", p.podUID, "serviceAccount", klog.KRef(p.podNamespace, p.serviceAccountName))
+	} else {
+		klog.ErrorS(err, "Failed to provide credentials for image", "provider", p.provider.name, "image", image)
+	}
+
+	return credentialprovider.DockerConfig{}, nil
 }
 
 // provide returns a credentialprovider.DockerConfig based on the credentials returned
@@ -414,9 +426,9 @@ func (p *perPodPluginProvider) provideWithCoordinates(image string) (credentialp
 // If ServiceAccountCoordinates is nil, it means no service account context was used
 // (e.g., the plugin is not operating in service account token mode or no service account
 // was provided for the request).
-func (p *pluginProvider) provide(image, podNamespace, podName string, podUID types.UID, serviceAccountName string) (credentialprovider.DockerConfig, *credentialprovider.ServiceAccountCoordinates) {
+func (p *pluginProvider) provide(image, podNamespace, podName string, podUID types.UID, serviceAccountName string) (credentialprovider.DockerConfig, *credentialprovider.ServiceAccountCoordinates, error) {
 	if !p.isImageAllowed(image) {
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, nil
 	}
 
 	var serviceAccountUID types.UID
@@ -429,8 +441,8 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 
 	if p.serviceAccountProvider != nil {
 		if len(serviceAccountName) == 0 && p.serviceAccountProvider.requireServiceAccount {
-			klog.V(5).Infof("Service account name is empty for pod %s/%s", podNamespace, podName)
-			return credentialprovider.DockerConfig{}, nil
+			klog.V(5).InfoS("Service account name is empty", "provider", p.name, "image", image, "pod", klog.KRef(podNamespace, podName), "podUID", podUID)
+			return credentialprovider.DockerConfig{}, nil, nil
 		}
 
 		// If the service account name is empty and the plugin has indicated that invoking the plugin
@@ -443,17 +455,15 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 					// The required annotation could be a mechanism for individual workloads to opt in to using service account tokens
 					// for image pull. If any of the required annotation is missing, we will not invoke the plugin. We will log the error
 					// at higher verbosity level as it could be noisy.
-					klog.V(5).Infof("Failed to get service account data %s/%s: %v", podNamespace, serviceAccountName, err)
-					return credentialprovider.DockerConfig{}, nil
+					klog.V(5).ErrorS(err, "Failed to get service account data", "provider", p.name, "image", image, "pod", klog.KRef(podNamespace, podName), "podUID", podUID, "serviceAccount", klog.KRef(podNamespace, serviceAccountName))
+					return credentialprovider.DockerConfig{}, nil, nil
 				}
 
-				klog.Errorf("Failed to get service account %s/%s: %v", podNamespace, serviceAccountName, err)
-				return credentialprovider.DockerConfig{}, nil
+				return credentialprovider.DockerConfig{}, nil, fmt.Errorf("failed to get service account: %w", err)
 			}
 
 			if serviceAccountToken, err = p.serviceAccountProvider.getServiceAccountToken(podNamespace, podName, serviceAccountName, serviceAccountUID, podUID); err != nil {
-				klog.Errorf("Error getting service account token %s/%s: %v", podNamespace, serviceAccountName, err)
-				return credentialprovider.DockerConfig{}, nil
+				return credentialprovider.DockerConfig{}, nil, fmt.Errorf("failed to get service account token: %w", err)
 			}
 			serviceAccountTokenHash = getHashIfNotEmpty(serviceAccountToken)
 
@@ -470,8 +480,7 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 
 			serviceAccountCacheKey, err = generateServiceAccountCacheKey(c)
 			if err != nil {
-				klog.Errorf("Error generating service account cache key: %v", err)
-				return credentialprovider.DockerConfig{}, nil
+				return credentialprovider.DockerConfig{}, nil, fmt.Errorf("error generating service account cache key: %w", err)
 			}
 
 			serviceAccountCoordinates = &credentialprovider.ServiceAccountCoordinates{
@@ -485,12 +494,11 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 	// Check if the credentials are cached and return them if found.
 	cachedConfig, found, errCache := p.getCachedCredentials(image, serviceAccountCacheKey)
 	if errCache != nil {
-		klog.Errorf("Failed to get cached docker config: %v", err)
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, fmt.Errorf("failed to get cached docker config: %w", errCache)
 	}
 
 	if found {
-		return cachedConfig, serviceAccountCoordinates
+		return cachedConfig, serviceAccountCoordinates, nil
 	}
 
 	// ExecPlugin is wrapped in single flight to exec plugin once for concurrent same image request.
@@ -508,8 +516,7 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 		// This does mean the singleflight key is different for each image pull request (even if the image is the same)
 		// and the workload is using the same service account.
 		if singleFlightKey, err = generateSingleFlightKey(image, serviceAccountTokenHash, saAnnotations); err != nil {
-			klog.Errorf("Error generating singleflight key: %v", err)
-			return credentialprovider.DockerConfig{}, nil
+			return credentialprovider.DockerConfig{}, nil, fmt.Errorf("error generating singleflight key: %w", err)
 		}
 	}
 	res, err, _ := p.group.Do(singleFlightKey, func() (interface{}, error) {
@@ -517,14 +524,12 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 	})
 
 	if err != nil {
-		klog.Errorf("Failed getting credential from external registry credential provider: %v", err)
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, fmt.Errorf("failed to get credential from external registry credential provider: %w", err)
 	}
 
 	response, ok := res.(*credentialproviderapi.CredentialProviderResponse)
 	if !ok {
-		klog.Errorf("Invalid response type returned by external credential provider")
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, fmt.Errorf("invalid response type returned by external credential provider: %T", res)
 	}
 	if len(serviceAccountToken) > 0 && p.serviceAccountProvider.cacheType != kubeletconfig.TokenServiceAccountTokenCacheType {
 		// validate that the response credentials are not the echoed token back verbatim when cache
@@ -532,8 +537,7 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 		// is returned as the registry credentials.
 		for _, authConfig := range response.Auth {
 			if authConfig.Password == serviceAccountToken {
-				klog.Errorf("Credential provider plugin returned the service account token as the password for image %q, which is not allowed when service account cache type is not set to 'Token'", image)
-				return credentialprovider.DockerConfig{}, nil
+				return credentialprovider.DockerConfig{}, nil, fmt.Errorf("credential provider plugin returned the service account token as the password which is not allowed when service account cache type is not set to 'Token'")
 			}
 		}
 	}
@@ -548,8 +552,7 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 	case credentialproviderapi.GlobalPluginCacheKeyType:
 		cacheKey = globalCacheKey
 	default:
-		klog.Errorf("credential provider plugin did not return a valid cacheKeyType: %q", cacheKeyType)
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, fmt.Errorf("credential provider plugin did not return a valid cacheKeyType: %s", cacheKeyType)
 	}
 
 	dockerConfig := make(credentialprovider.DockerConfig, len(response.Auth))
@@ -562,14 +565,14 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 
 	// cache duration was explicitly 0 so don't cache this response at all.
 	if response.CacheDuration != nil && response.CacheDuration.Duration == 0 {
-		return dockerConfig, serviceAccountCoordinates
+		return dockerConfig, serviceAccountCoordinates, nil
 	}
 
 	var expiresAt time.Time
 	// nil cache duration means use the default cache duration
 	if response.CacheDuration == nil {
 		if p.defaultCacheDuration == 0 {
-			return dockerConfig, serviceAccountCoordinates
+			return dockerConfig, serviceAccountCoordinates, nil
 		}
 		expiresAt = p.clock.Now().Add(p.defaultCacheDuration)
 	} else {
@@ -578,8 +581,7 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 
 	cacheKey, err = generateCacheKey(cacheKey, serviceAccountCacheKey)
 	if err != nil {
-		klog.Errorf("Error generating cache key: %v", err)
-		return credentialprovider.DockerConfig{}, nil
+		return credentialprovider.DockerConfig{}, nil, fmt.Errorf("error generating cache key: %w", err)
 	}
 
 	cachedEntry := &cacheEntry{
@@ -589,10 +591,12 @@ func (p *pluginProvider) provide(image, podNamespace, podName string, podUID typ
 	}
 
 	if err := p.cache.Add(cachedEntry); err != nil {
-		klog.Errorf("Error adding auth entry to cache: %v", err)
+		// If we fail to add the credentials to the cache, we still return the credentials
+		// to the caller, but we log an error.
+		return dockerConfig, serviceAccountCoordinates, fmt.Errorf("failed to add credentials to cache: %w", err)
 	}
 
-	return dockerConfig, serviceAccountCoordinates
+	return dockerConfig, serviceAccountCoordinates, nil
 }
 
 // isImageAllowed returns true if the image matches against the list of allowed matches by the plugin.
@@ -680,7 +684,7 @@ type execPlugin struct {
 // The plugin is expected to receive the CredentialProviderRequest API via stdin from the kubelet and
 // return CredentialProviderResponse via stdout.
 func (e *execPlugin) ExecPlugin(ctx context.Context, image, serviceAccountToken string, serviceAccountAnnotations map[string]string) (*credentialproviderapi.CredentialProviderResponse, error) {
-	klog.V(5).Infof("Getting image %s credentials from external exec plugin %s", image, e.name)
+	klog.V(5).InfoS("Getting image credentials from external exec plugin", "pluginName", e.name, "image", image)
 
 	authRequest := &credentialproviderapi.CredentialProviderRequest{Image: image, ServiceAccountToken: serviceAccountToken, ServiceAccountAnnotations: serviceAccountAnnotations}
 	data, err := e.encodeRequest(authRequest)
diff --git a/pkg/credentialprovider/plugin/plugin_test.go b/pkg/credentialprovider/plugin/plugin_test.go
index ab088e99989b6..5f940964eb498 100644
--- a/pkg/credentialprovider/plugin/plugin_test.go
+++ b/pkg/credentialprovider/plugin/plugin_test.go
@@ -373,6 +373,7 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 			name: "[service account mode] sa name required but empty",
 			pluginProvider: &perPodPluginProvider{
 				provider: &pluginProvider{
+					name:        "test-plugin",
 					matchImages: []string{"test.registry.io"},
 					serviceAccountProvider: &serviceAccountProvider{
 						requireServiceAccount: true,
@@ -380,15 +381,17 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 				},
 				podName:      "pod-name",
 				podNamespace: "ns",
+				podUID:       "pod-uid",
 			},
 			image:        "test.registry.io/foo/bar",
 			dockerconfig: credentialprovider.DockerConfig{},
-			wantLog:      "Service account name is empty for pod ns/pod-name",
+			wantLog:      `Service account name is empty" provider="test-plugin" image="test.registry.io/foo/bar" pod="ns/pod-name" podUID="pod-uid"`,
 		},
 		{
 			name: "[service account mode] sa does not have required annotations",
 			pluginProvider: &perPodPluginProvider{
 				provider: &pluginProvider{
+					name:        "test-plugin",
 					matchImages: []string{"test.registry.io"},
 					serviceAccountProvider: &serviceAccountProvider{
 						requireServiceAccount: true,
@@ -408,16 +411,18 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 				},
 				podName:            "pod-name",
 				podNamespace:       "ns",
+				podUID:             "pod-uid",
 				serviceAccountName: "sa-name",
 			},
 			image:        "test.registry.io/foo/bar",
 			dockerconfig: credentialprovider.DockerConfig{},
-			wantLog:      "Failed to get service account data ns/sa-name: required annotation domain.io/identity-id not found",
+			wantLog:      `"Failed to get service account data" err="required annotation domain.io/identity-id not found" provider="test-plugin" image="test.registry.io/foo/bar" pod="ns/pod-name" podUID="pod-uid" serviceAccount="ns/sa-name"`,
 		},
 		{
 			name: "[service account mode] failed to get service account token",
 			pluginProvider: &perPodPluginProvider{
 				provider: &pluginProvider{
+					name:        "test-plugin",
 					matchImages: []string{"test.registry.io"},
 					serviceAccountProvider: &serviceAccountProvider{
 						requireServiceAccount: true,
@@ -445,16 +450,18 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 				},
 				podName:            "pod-name",
 				podNamespace:       "ns",
+				podUID:             "pod-uid",
 				serviceAccountName: "sa-name",
 			},
 			image:        "test.registry.io/foo/bar",
 			dockerconfig: credentialprovider.DockerConfig{},
-			wantLog:      "Error getting service account token ns/sa-name: failed to get token",
+			wantLog:      `"Failed to provide credentials for image" err="failed to get service account token: failed to get token" provider="test-plugin" image="test.registry.io/foo/bar" pod="ns/pod-name" podUID="pod-uid" serviceAccount="ns/sa-name"`,
 		},
 		{
 			name: "[service account mode] cache type not token but service account echoed back",
 			pluginProvider: &perPodPluginProvider{
 				provider: &pluginProvider{
+					name:           "test-plugin",
 					clock:          tclock,
 					lastCachePurge: tclock.Now(),
 					matchImages:    []string{"test.registry.io"},
@@ -494,11 +501,12 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 				},
 				podName:            "pod-name",
 				podNamespace:       "ns",
+				podUID:             "pod-uid",
 				serviceAccountName: "sa-name",
 			},
 			image:        "test.registry.io/foo/bar",
 			dockerconfig: credentialprovider.DockerConfig{},
-			wantLog:      `Credential provider plugin returned the service account token as the password for image "test.registry.io/foo/bar", which is not allowed when service account cache type is not set to 'Token'`,
+			wantLog:      `"Failed to provide credentials for image" err="credential provider plugin returned the service account token as the password which is not allowed when service account cache type is not set to 'Token'" provider="test-plugin" image="test.registry.io/foo/bar" pod="ns/pod-name" podUID="pod-uid" serviceAccount="ns/sa-name"`,
 		},
 		{
 			name: "[service account mode] exact image match",
@@ -588,6 +596,7 @@ func Test_ProvideWithCoordinates(t *testing.T) {
 			capturedOutput := buf.String()
 
 			if len(testcase.wantLog) > 0 && !strings.Contains(capturedOutput, testcase.wantLog) {
+				t.Log("Captured output:", capturedOutput)
 				t.Errorf("expected log message %q not found in captured output: %q", testcase.wantLog, capturedOutput)
 			}
 		})
diff --git a/pkg/credentialprovider/plugin/plugins.go b/pkg/credentialprovider/plugin/plugins.go
index e37d908e1a53a..e3f97cc09c8b4 100644
--- a/pkg/credentialprovider/plugin/plugins.go
+++ b/pkg/credentialprovider/plugin/plugins.go
@@ -52,7 +52,7 @@ func registerCredentialProviderPlugin(name string, p *pluginProvider) {
 	seenProviderNames.Insert(name)
 
 	providers = append(providers, provider{name, p})
-	klog.V(4).Infof("Registered credential provider %q", name)
+	klog.V(4).InfoS("Registered credential provider", "provider", name)
 }
 
 type externalCredentialProviderKeyring struct {
@@ -69,7 +69,6 @@ func NewExternalCredentialProviderDockerKeyring(podNamespace, podName, podUID, s
 
 	for _, p := range providers {
 		pp := &perPodPluginProvider{
-			name:     p.name,
 			provider: p.impl,
 		}
 		if utilfeature.DefaultFeatureGate.Enabled(features.KubeletServiceAccountTokenForCredentialProviders) {
diff --git a/pkg/features/client_adapter.go b/pkg/features/client_adapter.go
index 00a0fd92ab4cb..d07f7d4aeb57a 100644
--- a/pkg/features/client_adapter.go
+++ b/pkg/features/client_adapter.go
@@ -39,7 +39,7 @@ func (a *clientAdapter) Enabled(name clientfeatures.Feature) bool {
 	return a.mfg.Enabled(featuregate.Feature(name))
 }
 
-var _ clientfeatures.Registry = &clientAdapter{}
+var _ clientfeatures.VersionedRegistry = &clientAdapter{}
 
 func (a *clientAdapter) Add(in map[clientfeatures.Feature]clientfeatures.FeatureSpec) error {
 	out := map[featuregate.Feature]featuregate.FeatureSpec{}
@@ -65,7 +65,45 @@ func (a *clientAdapter) Add(in map[clientfeatures.Feature]clientfeatures.Feature
 		}
 		out[featuregate.Feature(name)] = converted
 	}
-	return a.mfg.Add(out) //nolint:forbidigo // No need to support versioned feature gates in client adapter
+	return a.mfg.Add(out) //nolint:forbidigo
+}
+
+// AddVersioned adds the provided versioned feature gates.
+func (a *clientAdapter) AddVersioned(in map[clientfeatures.Feature]clientfeatures.VersionedSpecs) error {
+	mvfg, ok := a.mfg.(featuregate.MutableVersionedFeatureGate)
+	if !ok {
+		return fmt.Errorf("feature gate does not support versioning")
+	}
+
+	out := make(map[featuregate.Feature]featuregate.VersionedSpecs)
+	for name, specs := range in {
+		convertedSpecs := make(featuregate.VersionedSpecs, len(specs))
+		for i, spec := range specs {
+			converted := featuregate.FeatureSpec{
+				Default:       spec.Default,
+				LockToDefault: spec.LockToDefault,
+				Version:       spec.Version,
+			}
+			switch spec.PreRelease {
+			case clientfeatures.Alpha:
+				converted.PreRelease = featuregate.Alpha
+			case clientfeatures.Beta:
+				converted.PreRelease = featuregate.Beta
+			case clientfeatures.GA:
+				converted.PreRelease = featuregate.GA
+			case clientfeatures.Deprecated:
+				converted.PreRelease = featuregate.Deprecated
+			default:
+				// The default case implies programmer error.  The same set of prerelease
+				// constants must exist in both component-base and client-go, and each one
+				// must have a case here.
+				panic(fmt.Sprintf("unrecognized prerelease %q of feature %q", spec.PreRelease, name))
+			}
+			convertedSpecs[i] = converted
+		}
+		out[featuregate.Feature(name)] = convertedSpecs
+	}
+	return mvfg.AddVersioned(out)
 }
 
 // Set implements the unexported interface that client-go feature gate testing expects for
diff --git a/pkg/features/client_adapter_test.go b/pkg/features/client_adapter_test.go
index cae067ca99cfa..0eba10fe28f77 100644
--- a/pkg/features/client_adapter_test.go
+++ b/pkg/features/client_adapter_test.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"k8s.io/apimachinery/pkg/util/version"
 	clientfeatures "k8s.io/client-go/features"
 	"k8s.io/component-base/featuregate"
 )
@@ -80,7 +81,7 @@ func TestClientAdapterAdd(t *testing.T) {
 			t.Errorf("expected feature %q not found", name)
 			continue
 		}
-		if diff := cmp.Diff(actual, expected, cmpopts.IgnoreFields(featuregate.FeatureSpec{}, "Version")); diff != "" {
+		if diff := cmp.Diff(actual, expected, cmpopts.IgnoreFields(featuregate.FeatureSpec{}, "Version", "MinCompatibilityVersion")); diff != "" {
 			t.Errorf("expected feature %q spec %#v, got spec %#v", name, expected, actual)
 		}
 	}
@@ -98,3 +99,68 @@ func TestClientAdapterAdd(t *testing.T) {
 		t.Error("expected panic when adding feature with unknown prerelease")
 	}
 }
+
+func TestClientAdapterAddVersioned(t *testing.T) {
+	fg := featuregate.NewVersionedFeatureGate(version.MustParse("1.29"))
+	a := &clientAdapter{fg}
+	defaults := fg.GetAllVersioned()
+
+	clientFeatures := map[clientfeatures.Feature]clientfeatures.VersionedSpecs{
+		"FeatureA": {
+			{Version: version.MustParse("1.28"), PreRelease: clientfeatures.Beta, Default: true},
+		},
+		"FeatureB": {
+			{Version: version.MustParse("1.28"), PreRelease: clientfeatures.Alpha, Default: false},
+			{Version: version.MustParse("1.30"), PreRelease: clientfeatures.Beta, Default: true},
+		},
+	}
+
+	if err := a.AddVersioned(clientFeatures); err != nil {
+		t.Fatal(err)
+	}
+	all := fg.GetAllVersioned()
+	allexpected := map[featuregate.Feature]featuregate.VersionedSpecs{
+		"FeatureA": {
+			{Version: version.MustParse("1.28"), PreRelease: featuregate.Beta, Default: true},
+		},
+		"FeatureB": {
+			{Version: version.MustParse("1.28"), PreRelease: featuregate.Alpha, Default: false},
+			{Version: version.MustParse("1.30"), PreRelease: featuregate.Beta, Default: true},
+		},
+	}
+	for name, spec := range defaults {
+		allexpected[name] = spec
+	}
+	if len(all) != len(allexpected) {
+		t.Errorf("expected %d registered features, got %d", len(allexpected), len(all))
+	}
+	for name, expected := range allexpected {
+		actual, ok := all[name]
+		if !ok {
+			t.Errorf("expected feature %q not found", name)
+			continue
+		}
+		if diff := cmp.Diff(actual, expected, cmpopts.IgnoreFields(featuregate.FeatureSpec{}, "Version")); diff != "" {
+			t.Errorf("feature %q spec mismatch (-want +got):\n%s", name, diff)
+		}
+	}
+
+	var r interface{}
+	func() {
+		defer func() {
+			r = recover()
+		}()
+		_ = a.AddVersioned(map[clientfeatures.Feature]clientfeatures.VersionedSpecs{
+			"FeaturePanic": {{PreRelease: "foobar"}},
+		})
+	}()
+	if r == nil {
+		t.Error("expected panic when adding feature with unknown prerelease")
+	}
+	if !a.Enabled("FeatureA") {
+		t.Error("expected Enabled(\"FeatureA\") to return true")
+	}
+	if a.Enabled("FeatureB") {
+		t.Error("expected Enabled(\"FeatureB\") to return false")
+	}
+}
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 5b7794431e557..5a6ee84351e2d 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -56,12 +56,6 @@ const (
 	// Allow spec.terminationGracePeriodSeconds to be overridden by MaxPodGracePeriodSeconds in soft evictions.
 	AllowOverwriteTerminationGracePeriodSeconds featuregate.Feature = "AllowOverwriteTerminationGracePeriodSeconds"
 
-	// owner: @thockin
-	//
-	// Enables Service.status.ingress.loadBanace to be set on
-	// services of types other than LoadBalancer.
-	AllowServiceLBStatusOnNonLB featuregate.Feature = "AllowServiceLBStatusOnNonLB"
-
 	// owner: @bswartz
 	//
 	// Enables usage of any object for volume data source in PVCs
@@ -74,6 +68,13 @@ const (
 	// Requires AuthorizeWithSelectors to be enabled.
 	AuthorizeNodeWithSelectors featuregate.Feature = "AuthorizeNodeWithSelectors"
 
+	// owner: @seans3
+	// kep: http://kep.k8s.io/4006
+	//
+	// Forces authorization of the "create" verb for pod subresources like exec, attach, and portforward.
+	// See: https://github.com/kubernetes/kubernetes/issues/133515
+	AuthorizePodWebsocketUpgradeCreatePermission featuregate.Feature = "AuthorizePodWebsocketUpgradeCreatePermission"
+
 	// owner: @szuecs
 	//
 	// Enable nodes to change CPUCFSQuotaPeriod
@@ -115,11 +116,23 @@ const (
 	// Enables the Portworx in-tree driver to Portworx migration feature.
 	CSIMigrationPortworx featuregate.Feature = "CSIMigrationPortworx"
 
+	// owner: @aramase
+	// kep:  http://kep.k8s.io/5538
+	//
+	// Enables CSI drivers to opt-in for receiving service account tokens from kubelet
+	// through the dedicated secrets field in NodePublishVolumeRequest instead of the volume_context field.
+	CSIServiceAccountTokenSecrets featuregate.Feature = "CSIServiceAccountTokenSecrets"
+
 	// owner: @fengzixu
 	//
 	// Enables kubelet to detect CSI volume condition and send the event of the abnormal volume to the corresponding pod that is using it.
 	CSIVolumeHealth featuregate.Feature = "CSIVolumeHealth"
 
+	// owner: @HirazawaUi
+	//
+	// Enabling this feature gate will cause the pod's status to change due to a kubelet restart.
+	ChangeContainerStatusOnKubeletRestart = "ChangeContainerStatusOnKubeletRestart"
+
 	// owner: @sanposhiho @wojtek-t
 	// kep: https://kep.k8s.io/5278
 	//
@@ -161,12 +174,6 @@ const (
 	// Enables coordinated leader election in the API server
 	CoordinatedLeaderElection featuregate.Feature = "CoordinatedLeaderElection"
 
-	// owner: @helayoty
-	// kep: https://kep.k8s.io/4026
-	//
-	// Set the scheduled time as an annotation in the job.
-	CronJobsScheduledAnnotation featuregate.Feature = "CronJobsScheduledAnnotation"
-
 	// owner: @ttakahashi21 @mkimuram
 	// kep: https://kep.k8s.io/3294
 	//
@@ -198,6 +205,12 @@ const (
 	// enabled.
 	DRADeviceBindingConditions featuregate.Feature = "DRADeviceBindingConditions"
 
+	// owner: @pohly
+	// kep: http://kep.k8s.io/5055
+	//
+	// DeviceTaintRules allow administrators to add taints to devices.
+	DRADeviceTaintRules featuregate.Feature = "DRADeviceTaintRules"
+
 	// owner: @pohly
 	// kep: http://kep.k8s.io/5055
 	//
@@ -242,28 +255,6 @@ const (
 	// scheduler plugin configuration).
 	DRASchedulerFilterTimeout featuregate.Feature = "DRASchedulerFilterTimeout"
 
-	// owner: @jpbetz @aaron-prindle @yongruilin
-	// kep: http://kep.k8s.io/5073
-	// beta: v1.33
-	//
-	// Enables running declarative validation of APIs, where declared. When enabled, APIs with
-	// declarative validation rules will validate objects using the generated
-	// declarative validation code and compare the results to the regular imperative validation.
-	// See DeclarativeValidationTakeover for more.
-	DeclarativeValidation featuregate.Feature = "DeclarativeValidation"
-
-	// owner: @jpbetz @aaron-prindle @yongruilin
-	// kep: http://kep.k8s.io/5073
-	// beta: v1.33
-	//
-	// When enabled, declarative validation errors are returned directly to the caller,
-	// replacing hand-written validation errors for rules that have declarative implementations.
-	// When disabled, hand-written validation errors are always returned, effectively putting
-	// declarative validation in a "shadow mode" that monitors but does not affect API responses.
-	// Note: Although declarative validation aims for functional equivalence with hand-written validation,
-	// the exact number, format, and content of error messages may differ between the two approaches.
-	DeclarativeValidationTakeover featuregate.Feature = "DeclarativeValidationTakeover"
-
 	// owner: @atiratree
 	// kep: http://kep.k8s.io/3973
 	//
@@ -327,7 +318,7 @@ const (
 	//
 	// Ensure kubelet respects exec probe timeouts. Feature gate exists in-case existing workloads
 	// may depend on old behavior where exec probe timeouts were ignored.
-	// Lock to default and remove after v1.22 based on user feedback that should be reflected in KEP #1972 update
+	// Locked to default, will remove in v1.38. Progress is reflected in KEP #1972 update
 	ExecProbeTimeout featuregate.Feature = "ExecProbeTimeout"
 
 	// owner: @HarshalNeelkamal
@@ -336,6 +327,16 @@ const (
 	// If enabled, it allows passing --service-account-signing-endpoint flag to configure external signer.
 	ExternalServiceAccountTokenSigner featuregate.Feature = "ExternalServiceAccountTokenSigner"
 
+	// owner: @erictune @wojtek-t
+	//
+	// Enables support for gang scheduling in kube-scheduler.
+	GangScheduling featuregate.Feature = "GangScheduling"
+
+	// owner: @erictune @wojtek-t
+	//
+	// Enables support for generic Workload API.
+	GenericWorkload featuregate.Feature = "GenericWorkload"
+
 	// owner: @vinayakankugoyal @thockin
 	//
 	// Controls if the gitRepo volume plugin is supported or not.
@@ -387,6 +388,12 @@ const (
 	// Enables the image volume source.
 	ImageVolume featuregate.Feature = "ImageVolume"
 
+	// owner: @ndixita
+	// kep: https://kep.k8s.io/5419
+	//
+	// Enables specifying resources at pod-level.
+	InPlacePodLevelResourcesVerticalScaling featuregate.Feature = "InPlacePodLevelResourcesVerticalScaling"
+
 	// owner: @vinaykul,@tallclair
 	// kep: http://kep.k8s.io/1287
 	//
@@ -455,8 +462,8 @@ const (
 	// fallback to using it's cgroupDriver option.
 	KubeletCgroupDriverFromCRI featuregate.Feature = "KubeletCgroupDriverFromCRI"
 
-	// owner: @lauralorenz
-	// kep: https://kep.k8s.io/4603
+	// owner: @lauralorenz @hankfreund
+	// kep: https://kep.k8s.io/5593
 	//
 	// Enables support for configurable per-node backoff maximums for restarting
 	// containers (aka containers in CrashLoopBackOff)
@@ -545,11 +552,6 @@ const (
 	// Add support for distributed tracing in the kubelet
 	KubeletTracing featuregate.Feature = "KubeletTracing"
 
-	// owner: @Sh4d1,@RyanAoh,@rikatz
-	// kep: http://kep.k8s.io/1860
-	// LoadBalancerIPMode enables the IPMode field in the LoadBalancerIngress status of a Service
-	LoadBalancerIPMode featuregate.Feature = "LoadBalancerIPMode"
-
 	// owner: @RobertKrawitz
 	//
 	// Allow use of filesystems for ephemeral storage monitoring.
@@ -581,6 +583,7 @@ const (
 	MatchLabelKeysInPodTopologySpreadSelectorMerge featuregate.Feature = "MatchLabelKeysInPodTopologySpreadSelectorMerge"
 
 	// owner: @krmayankk
+	// kep: https://kep.k8s.io/961
 	//
 	// Enables maxUnavailable for StatefulSet
 	MaxUnavailableStatefulSet featuregate.Feature = "MaxUnavailableStatefulSet"
@@ -609,12 +612,37 @@ const (
 	// update the number of volumes that can be allocated on a node
 	MutableCSINodeAllocatableCount featuregate.Feature = "MutableCSINodeAllocatableCount"
 
+	// owner: huww98
+	// kep: https://kep.k8s.io/5381
+	//
+	// Makes PersistentVolume.Spec.NodeAffinity mutable, allowing CSI drivers to
+	// update the topology info when the data is migrated
+	MutablePVNodeAffinity featuregate.Feature = "MutablePVNodeAffinity"
+
+	// owner: @kannon92
+	// kep: https://kep.k8s.io/5440
+	//
+	// Enables mutable pod resources for suspended Jobs, regardless of whether they have started before.
+	MutablePodResourcesForSuspendedJobs featuregate.Feature = "MutablePodResourcesForSuspendedJobs"
+
+	// owner: @mimowo
+	// kep: https://kep.k8s.io/5440
+	//
+	// Enables mutable scheduling directives for suspended Jobs, regardless of whether they have started before.
+	MutableSchedulingDirectivesForSuspendedJobs featuregate.Feature = "MutableSchedulingDirectivesForSuspendedJobs"
+
 	// owner: @danwinship
 	// kep: https://kep.k8s.io/3866
 	//
 	// Allows running kube-proxy with `--mode nftables`.
 	NFTablesProxyMode featuregate.Feature = "NFTablesProxyMode"
 
+	// owner: @pravk03, @tallclair
+	// kep: https://kep.k8s.io/5328
+	//
+	// Enables the DeclaredFeatures API in the NodeStatus, populated by the Kubelet. Also enables the scheduler filter using DeclaredFeatures.
+	NodeDeclaredFeatures featuregate.Feature = "NodeDeclaredFeatures"
+
 	// owner: @kerthcet
 	// kep: https://kep.k8s.io/3094
 	//
@@ -645,6 +673,12 @@ const (
 	// resume work after restarts.
 	NominatedNodeNameForExpectation featuregate.Feature = "NominatedNodeNameForExpectation"
 
+	// owner: @bwsalmon
+	// kep: https://kep.k8s.io/5598
+	//
+	// Enables opportunistic batching in the scheduler.
+	OpportunisticBatching featuregate.Feature = "OpportunisticBatching"
+
 	// owner: @cici37
 	// kep: https://kep.k8s.io/5080
 	//
@@ -669,12 +703,6 @@ const (
 	// Enables controlling pod ranking on replicaset scale-down.
 	PodDeletionCost featuregate.Feature = "PodDeletionCost"
 
-	// owner: @danielvegamyhre
-	// kep: https://kep.k8s.io/4017
-	//
-	// Set pod completion index as a pod label for Indexed Jobs.
-	PodIndexLabel featuregate.Feature = "PodIndexLabel"
-
 	// owner: @ndixita
 	// key: https://kep.k8s.io/2837
 	//
@@ -720,6 +748,7 @@ const (
 	// owner: @munnerz
 	// kep: https://kep.k8s.io/4742
 	// alpha: v1.33
+	// beta: v1.35
 	//
 	// Enables the PodTopologyLabelsAdmission admission plugin that mutates `pod/binding`
 	// requests by copying the `topology.kubernetes.io/{zone,region}` labels from the assigned
@@ -748,12 +777,6 @@ const (
 	// Denies pod admission if static pods reference other API objects.
 	PreventStaticPodAPIReferences featuregate.Feature = "PreventStaticPodAPIReferences"
 
-	// owner: @tssurya
-	// kep: https://kep.k8s.io/4559
-	//
-	// Enables probe host enforcement for Pod Security Standards.
-	ProbeHostPodSecurityStandards featuregate.Feature = "ProbeHostPodSecurityStandards"
-
 	// owner: @jessfraz
 	//
 	// Enables control over ProcMountType for containers.
@@ -815,6 +838,12 @@ const (
 	// Adds the AllocatedResourcesStatus to the container status.
 	ResourceHealthStatus featuregate.Feature = "ResourceHealthStatus"
 
+	// owner: @yuanwang04
+	// kep: https://kep.k8s.io/5532
+	//
+	// Restart the pod in-place on the same node.
+	RestartAllContainersOnContainerExits featuregate.Feature = "RestartAllContainersOnContainerExits"
+
 	// owner: @mikedanese
 	//
 	// Gets a server certificate for the kubelet from the Certificate Signing
@@ -929,18 +958,6 @@ const (
 	// pod's lifecycle and will not block pod termination.
 	SidecarContainers featuregate.Feature = "SidecarContainers"
 
-	// owner: @derekwaynecarr
-	//
-	// Enables kubelet support to size memory backed volumes
-	// This is a kubelet only feature gate.
-	// Code can be removed in 1.35 without any consideration for emulated versions.
-	SizeMemoryBackedVolumes featuregate.Feature = "SizeMemoryBackedVolumes"
-
-	// owner: @mattcary
-	//
-	// Enables policies controlling deletion of PVCs created by a StatefulSet.
-	StatefulSetAutoDeletePVC featuregate.Feature = "StatefulSetAutoDeletePVC"
-
 	// owner: @liggitt
 	//
 	// Mitigates spurious statefulset rollouts due to controller revision comparison mismatches
@@ -960,7 +977,7 @@ const (
 	// Superseded by BtreeWatchCache.
 	StorageNamespaceIndex featuregate.Feature = "StorageNamespaceIndex"
 
-	// owner: @nilekhc
+	// owner: @enj, @michaelasp
 	// kep: https://kep.k8s.io/4192
 	//
 	// Enables support for the StorageVersionMigrator controller.
@@ -995,6 +1012,12 @@ const (
 	// if the system supports the systemd watchdog feature and has it configured properly.
 	SystemdWatchdog = featuregate.Feature("SystemdWatchdog")
 
+	// owner: @helayoty
+	// kep: https://kep.k8s.io/5471
+	//
+	// Enables numeric comparison operators (Lt, Gt) for tolerations to match taints with threshold-based values.
+	TaintTolerationComparisonOperators featuregate.Feature = "TaintTolerationComparisonOperators"
+
 	// owner: @robscott
 	// kep: https://kep.k8s.io/2433
 	//
@@ -1033,21 +1056,11 @@ const (
 	// version of the RemoteCommand subprotocol that supports the "close" signal.
 	TranslateStreamCloseWebsocketRequests featuregate.Feature = "TranslateStreamCloseWebsocketRequests"
 
-	// owner: @richabanker
-	//
-	// Proxies client to an apiserver capable of serving the request in the event of version skew.
-	UnknownVersionInteroperabilityProxy featuregate.Feature = "UnknownVersionInteroperabilityProxy"
-
-	// owner: @saschagrunert
+	// owner: @HirazawaUi
+	// kep: https://kep.k8s.io/5607
 	//
-	// Enables user namespace support for Pod Security Standards. Enabling this
-	// feature will modify all Pod Security Standard rules to allow setting:
-	// spec[.*].securityContext.[runAsNonRoot,runAsUser]
-	// This feature gate should only be enabled if all nodes in the cluster
-	// support the user namespace feature and have it enabled. The feature gate
-	// will not graduate or be enabled by default in future Kubernetes
-	// releases.
-	UserNamespacesPodSecurityStandards featuregate.Feature = "UserNamespacesPodSecurityStandards"
+	// Allow hostNetwork pods to use user namespaces
+	UserNamespacesHostNetworkSupport featuregate.Feature = "UserNamespacesHostNetworkSupport"
 
 	// owner: @rata, @giuseppe
 	// kep: https://kep.k8s.io/127
@@ -1061,6 +1074,13 @@ const (
 	// Enables user specified volume attributes for persistent volumes, like iops and throughput.
 	VolumeAttributesClass featuregate.Feature = "VolumeAttributesClass"
 
+	// owner: @gnufied
+	// kep: https://kep.k8s.io/5030
+	//
+	// Enables volume limit scaling for CSI drivers. This allows scheduler to
+	// co-ordinate better with cluster-autoscaler for storage limits.
+	VolumeLimitScaling featuregate.Feature = "VolumeLimitScaling"
+
 	// owner: @ksubrmnn
 	//
 	// Allows kube-proxy to create DSR loadbalancers for Windows
@@ -1114,12 +1134,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	AllowOverwriteTerminationGracePeriodSeconds: {
 		{Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.GA},
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Deprecated},
-	},
-
-	AllowServiceLBStatusOnNonLB: {
-		{Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.GA},
-		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Deprecated},
-		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Deprecated, LockToDefault: true}, // remove in 1.35
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Deprecated, LockToDefault: true}, // remove in 1.38
 	},
 
 	AnyVolumeDataSource: {
@@ -1134,6 +1149,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37
 	},
 
+	AuthorizePodWebsocketUpgradeCreatePermission: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	CPUCFSQuotaPeriod: {
 		{Version: version.MustParse("1.12"), Default: false, PreRelease: featuregate.Alpha},
 	},
@@ -1159,12 +1178,22 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.36
 	},
 
+	CSIServiceAccountTokenSecrets: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	CSIVolumeHealth: {
 		{Version: version.MustParse("1.21"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
+	ChangeContainerStatusOnKubeletRestart: {
+		{Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.GA},
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Deprecated},
+	},
+
 	ClearingNominatedNodeNameAfterBinding: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	ClusterTrustBundle: {
@@ -1184,17 +1213,13 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	ContainerRestartRules: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	ContainerStopSignals: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
-	CronJobsScheduledAnnotation: {
-		{Version: version.MustParse("1.28"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.35
-	},
-
 	CrossNamespaceVolumeDataSource: {
 		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
 	},
@@ -1212,6 +1237,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
+	DRADeviceTaintRules: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	DRADeviceTaints: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	},
@@ -1238,22 +1267,16 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
-	DeclarativeValidation: {
-		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
-	},
-
-	DeclarativeValidationTakeover: {
-		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
-	},
-
 	DeploymentReplicaSetTerminatingReplicas: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	DisableAllocatorDualWrite: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA}, // remove after MultiCIDRServiceAllocator is GA
+		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove after MultiCIDRServiceAllocator is GA
 	},
 
 	DisableCPUQuotaWithExclusiveCPUs: {
@@ -1269,17 +1292,21 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	DynamicResourceAllocation: {
 		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA}, // lock to default in 1.35
+		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
+		// TODO (https://github.com/kubernetes/kubernetes/issues/134459): remove completely in 1.38
 	},
 	EnvFiles: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 	EventedPLEG: {
 		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	ExecProbeTimeout: {
-		{Version: version.MustParse("1.20"), Default: true, PreRelease: featuregate.GA}, // lock to default and remove after v1.22 based on KEP #1972 update
+		{Version: version.MustParse("1.20"), Default: true, PreRelease: featuregate.GA},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in v1.38
 	},
 
 	ExternalServiceAccountTokenSigner: {
@@ -1287,6 +1314,14 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	GangScheduling: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
+	GenericWorkload: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	GitRepoVolumeDriver: {
 		{Version: version.MustParse("1.0"), Default: true, PreRelease: featuregate.GA},
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Deprecated},
@@ -1304,6 +1339,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	HPAConfigurableTolerance: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	HPAScaleToZero: {
@@ -1318,21 +1354,29 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	HostnameOverride: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	ImageMaximumGCAge: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.38
 	},
 
 	ImageVolume: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
+	InPlacePodLevelResourcesVerticalScaling: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	InPlacePodVerticalScaling: {
 		{Version: version.MustParse("1.27"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.38
 	},
 
 	InPlacePodVerticalScalingAllocatedStatus: {
@@ -1361,6 +1405,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	JobManagedBy: {
 		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.38
 	},
 
 	JobPodReplacementPolicy: {
@@ -1383,10 +1428,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	KubeletCrashLoopBackOffMax: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	KubeletEnsureSecretPulledImages: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	KubeletFineGrainedAuthz: {
@@ -1439,12 +1486,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37
 	},
 
-	LoadBalancerIPMode: {
-		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
-		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
 	LocalStorageCapacityIsolationFSQuotaMonitoring: {
 		{Version: version.MustParse("1.15"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
@@ -1473,6 +1514,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	MaxUnavailableStatefulSet: {
 		{Version: version.MustParse("1.24"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	MemoryManager: {
@@ -1495,6 +1537,19 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	MutableCSINodeAllocatableCount: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
+	MutablePVNodeAffinity: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
+	MutablePodResourcesForSuspendedJobs: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
+	MutableSchedulingDirectivesForSuspendedJobs: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	NFTablesProxyMode: {
@@ -1503,6 +1558,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
+	NodeDeclaredFeatures: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	NodeInclusionPolicyInPodTopologySpread: {
 		{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.26"), Default: true, PreRelease: featuregate.Beta},
@@ -1523,6 +1582,11 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	NominatedNodeNameForExpectation: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
+	OpportunisticBatching: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	OrderedNamespaceDeletion: {
@@ -1537,6 +1601,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	PodCertificateRequest: {
 		{Version: version.MustParse("1.34"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Beta},
 	},
 
 	PodDeletionCost: {
@@ -1544,11 +1609,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.22"), Default: true, PreRelease: featuregate.Beta},
 	},
 
-	PodIndexLabel: {
-		{Version: version.MustParse("1.28"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.35
-	},
-
 	PodLevelResources: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
@@ -1573,6 +1633,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	PodObservedGenerationTracking: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.35, remove in 1.38
 	},
 
 	PodReadyToStartContainersCondition: {
@@ -1588,6 +1649,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	PodTopologyLabelsAdmission: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
 	},
 
 	PortForwardWebsockets: {
@@ -1598,17 +1660,13 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	PreferSameTrafficDistribution: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	PreventStaticPodAPIReferences: {
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
-	// Policy is GA in first release, this gate only exists to disable the enforcement when emulating older minors
-	ProbeHostPodSecurityStandards: {
-		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
 	ProcMountType: {
 		{Version: version.MustParse("1.12"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
@@ -1659,6 +1717,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
+	RestartAllContainersOnContainerExits: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	RotateKubeletServerCertificate: {
 		{Version: version.MustParse("1.7"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.12"), Default: true, PreRelease: featuregate.Beta},
@@ -1749,18 +1811,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.33"), Default: true, LockToDefault: true, PreRelease: featuregate.GA}, // GA in 1.33 remove in 1.36
 	},
 
-	SizeMemoryBackedVolumes: {
-		{Version: version.MustParse("1.20"), Default: false, PreRelease: featuregate.Alpha},
-		{Version: version.MustParse("1.22"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, LockToDefault: true, PreRelease: featuregate.GA},
-	},
-
-	StatefulSetAutoDeletePVC: {
-		{Version: version.MustParse("1.23"), Default: false, PreRelease: featuregate.Alpha},
-		{Version: version.MustParse("1.27"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.32, remove in 1.35
-	},
-
 	StatefulSetSemanticRevisionComparison: {
 		// This is a mitigation for a 1.34 regression due to serialization differences that cannot be feature-gated,
 		// so this mitigation should not auto-disable even if emulating versions prior to 1.34 with --emulation-version.
@@ -1778,6 +1828,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 
 	StorageVersionMigrator: {
 		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Beta},
 	},
 
 	StreamingCollectionEncodingToJSON: {
@@ -1797,10 +1848,16 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	SupplementalGroupsPolicy: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.38
 	},
 
 	SystemdWatchdog: {
 		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remov in 1.37
+	},
+
+	TaintTolerationComparisonOperators: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	TopologyAwareHints: {
@@ -1830,12 +1887,8 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
 	},
 
-	UnknownVersionInteroperabilityProxy: {
-		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
-	},
-
-	UserNamespacesPodSecurityStandards: {
-		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
+	UserNamespacesHostNetworkSupport: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	UserNamespacesSupport: {
@@ -1850,6 +1903,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA},
 	},
 
+	VolumeLimitScaling: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	WinDSR: {
 		{Version: version.MustParse("1.14"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
@@ -1876,6 +1933,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Deprecated},
 	},
 
+	apiextensionsfeatures.CRDObservedGenerationTracking: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Beta},
+	},
+
 	apiextensionsfeatures.CRDValidationRatcheting: {
 		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
@@ -1911,6 +1972,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	genericfeatures.AggregatedDiscoveryRemoveBetaType: {
 		{Version: version.MustParse("1.0"), Default: false, PreRelease: featuregate.GA},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Deprecated},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Deprecated, LockToDefault: true},
 	},
 
 	genericfeatures.AllowParsingUserUIDFromCertAuth: {
@@ -1952,11 +2014,23 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
+	genericfeatures.ConstrainedImpersonation: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	genericfeatures.CoordinatedLeaderElection: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
 	},
 
+	genericfeatures.DeclarativeValidation: {
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
+	},
+
+	genericfeatures.DeclarativeValidationTakeover: {
+		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
+	},
+
 	genericfeatures.DetectCacheInconsistency: {
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
@@ -2016,16 +2090,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.15"), Default: true, PreRelease: featuregate.Beta},
 	},
 
-	genericfeatures.StrictCostEnforcementForVAP: {
-		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
-	genericfeatures.StrictCostEnforcementForWebhooks: {
-		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
 	genericfeatures.StructuredAuthenticationConfiguration: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
@@ -2036,6 +2100,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	genericfeatures.StructuredAuthenticationConfigurationJWKSMetrics: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	genericfeatures.StructuredAuthorizationConfiguration: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
@@ -2051,6 +2119,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.29"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	genericfeatures.UnknownVersionInteroperabilityProxy: {
+		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	genericfeatures.WatchCacheInitializationPostStartHook: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
 	},
@@ -2068,6 +2140,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	kcmfeatures.CloudControllerManagerWatchBasedRoutesReconciliation: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	kcmfeatures.CloudControllerManagerWebhook: {
 		{Version: version.MustParse("1.27"), Default: false, PreRelease: featuregate.Alpha},
 	},
@@ -2081,9 +2157,434 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	},
 }
 
+// defaultKubernetesFeatureGateDependencies enumerates the dependencies of any feature gate that
+// depends on another. Dependencies ensure that a dependent feature gate can only be enabled if all
+// of its dependencies are also enabled, and ensures a feature at a higher stability level cannot
+// depend on a less stable feature.
+//
+// Entries are alphabetized.
+var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]featuregate.Feature{
+	AllowDNSOnlyNodeCSR: {},
+
+	AllowInsecureKubeletCertificateSigningRequests: {},
+
+	AllowOverwriteTerminationGracePeriodSeconds: {},
+
+	AnyVolumeDataSource: {},
+
+	AuthorizeNodeWithSelectors: {genericfeatures.AuthorizeWithSelectors},
+
+	AuthorizePodWebsocketUpgradeCreatePermission: {},
+
+	CPUCFSQuotaPeriod: {},
+
+	CPUManagerPolicyAlphaOptions: {},
+
+	CPUManagerPolicyBetaOptions: {},
+
+	CPUManagerPolicyOptions: {},
+
+	CSIMigrationPortworx: {},
+
+	CSIServiceAccountTokenSecrets: {},
+
+	CSIVolumeHealth: {},
+
+	ChangeContainerStatusOnKubeletRestart: {},
+
+	ClearingNominatedNodeNameAfterBinding: {},
+
+	ClusterTrustBundle: {},
+
+	ClusterTrustBundleProjection: {ClusterTrustBundle},
+
+	ContainerCheckpoint: {},
+
+	ContainerRestartRules: {},
+
+	ContainerStopSignals: {},
+
+	CoordinatedLeaderElection: {},
+
+	CrossNamespaceVolumeDataSource: {},
+
+	DRAAdminAccess: {DynamicResourceAllocation},
+
+	DRAConsumableCapacity: {DynamicResourceAllocation},
+
+	DRADeviceBindingConditions: {DynamicResourceAllocation, DRAResourceClaimDeviceStatus},
+
+	DRADeviceTaintRules: {DRADeviceTaints}, // DynamicResourceAllocation is indirect.
+
+	DRADeviceTaints: {DynamicResourceAllocation},
+
+	DRAExtendedResource: {DynamicResourceAllocation},
+
+	DRAPartitionableDevices: {DynamicResourceAllocation},
+
+	DRAPrioritizedList: {DynamicResourceAllocation},
+
+	DRAResourceClaimDeviceStatus: {}, // Soft dependency on DynamicResourceAllocation due to on/off-by-default conflict.
+
+	DRASchedulerFilterTimeout: {DynamicResourceAllocation},
+
+	DeploymentReplicaSetTerminatingReplicas: {},
+
+	DisableAllocatorDualWrite: {MultiCIDRServiceAllocator},
+
+	DisableCPUQuotaWithExclusiveCPUs: {},
+
+	DisableNodeKubeProxyVersion: {},
+
+	DynamicResourceAllocation: {},
+
+	EnvFiles: {},
+
+	EventedPLEG: {},
+
+	ExecProbeTimeout: {},
+
+	ExternalServiceAccountTokenSigner: {},
+
+	GangScheduling: {GenericWorkload},
+
+	GenericWorkload: {},
+
+	GitRepoVolumeDriver: {},
+
+	GracefulNodeShutdown: {},
+
+	GracefulNodeShutdownBasedOnPodPriority: {GracefulNodeShutdown},
+
+	HPAConfigurableTolerance: {},
+
+	HPAScaleToZero: {},
+
+	HonorPVReclaimPolicy: {},
+
+	HostnameOverride: {},
+
+	ImageMaximumGCAge: {},
+
+	ImageVolume: {},
+
+	InPlacePodLevelResourcesVerticalScaling: {InPlacePodVerticalScaling, PodLevelResources, NodeDeclaredFeatures},
+
+	InPlacePodVerticalScaling: {},
+
+	InPlacePodVerticalScalingAllocatedStatus: {InPlacePodVerticalScaling},
+
+	InPlacePodVerticalScalingExclusiveCPUs: {InPlacePodVerticalScaling},
+
+	InPlacePodVerticalScalingExclusiveMemory: {InPlacePodVerticalScaling, MemoryManager},
+
+	InTreePluginPortworxUnregister: {},
+
+	JobBackoffLimitPerIndex: {},
+
+	JobManagedBy: {},
+
+	JobPodReplacementPolicy: {},
+
+	JobSuccessPolicy: {},
+
+	KubeletCgroupDriverFromCRI: {},
+
+	KubeletCrashLoopBackOffMax: {},
+
+	KubeletEnsureSecretPulledImages: {},
+
+	KubeletFineGrainedAuthz: {},
+
+	KubeletInUserNamespace: {},
+
+	KubeletPSI: {},
+
+	KubeletPodResourcesDynamicResources: {},
+
+	KubeletPodResourcesGet: {},
+
+	KubeletPodResourcesListUseActivePods: {},
+
+	KubeletRegistrationGetOnExistsOnly: {},
+
+	KubeletSeparateDiskGC: {},
+
+	KubeletServiceAccountTokenForCredentialProviders: {},
+
+	KubeletTracing: {},
+
+	LocalStorageCapacityIsolationFSQuotaMonitoring: {},
+
+	LogarithmicScaleDown: {},
+
+	MatchLabelKeysInPodAffinity: {},
+
+	MatchLabelKeysInPodTopologySpread: {},
+
+	MatchLabelKeysInPodTopologySpreadSelectorMerge: {MatchLabelKeysInPodTopologySpread},
+
+	MaxUnavailableStatefulSet: {},
+
+	MemoryManager: {},
+
+	MemoryQoS: {},
+
+	MultiCIDRServiceAllocator: {},
+
+	MutableCSINodeAllocatableCount: {},
+
+	MutablePVNodeAffinity: {},
+
+	MutablePodResourcesForSuspendedJobs: {},
+
+	MutableSchedulingDirectivesForSuspendedJobs: {},
+
+	NFTablesProxyMode: {},
+
+	NodeDeclaredFeatures: {},
+
+	NodeInclusionPolicyInPodTopologySpread: {},
+
+	NodeLogQuery: {},
+
+	NodeSwap: {},
+
+	NominatedNodeNameForExpectation: {},
+
+	OpportunisticBatching: {},
+
+	OrderedNamespaceDeletion: {},
+
+	PodAndContainerStatsFromCRI: {},
+
+	PodCertificateRequest: {AuthorizeNodeWithSelectors},
+
+	PodDeletionCost: {},
+
+	PodLevelResources: {},
+
+	PodLifecycleSleepAction: {},
+
+	PodLifecycleSleepActionAllowZero: {PodLifecycleSleepAction},
+
+	PodLogsQuerySplitStreams: {},
+
+	PodObservedGenerationTracking: {},
+
+	PodReadyToStartContainersCondition: {},
+
+	PodSchedulingReadiness: {},
+
+	PodTopologyLabelsAdmission: {},
+
+	PortForwardWebsockets: {},
+
+	PreferSameTrafficDistribution: {},
+
+	PreventStaticPodAPIReferences: {},
+
+	ProcMountType: {UserNamespacesSupport},
+
+	QOSReserved: {},
+
+	RecoverVolumeExpansionFailure: {},
+
+	RecursiveReadOnlyMounts: {},
+
+	ReduceDefaultCrashLoopBackOffDecay: {},
+
+	RelaxedDNSSearchValidation: {},
+
+	RelaxedEnvironmentVariableValidation: {},
+
+	RelaxedServiceNameValidation: {},
+
+	ReloadKubeletServerCertificateFile: {},
+
+	ResourceHealthStatus: {DynamicResourceAllocation},
+
+	// RestartAllContainersOnContainerExits introduces a new container restart rule action.
+	// All restart rules will be dropped by API if ContainerRestartRules feature is not enabled.
+	RestartAllContainersOnContainerExits: {ContainerRestartRules, NodeDeclaredFeatures},
+
+	RotateKubeletServerCertificate: {},
+
+	RuntimeClassInImageCriAPI: {},
+
+	SELinuxChangePolicy: {},
+
+	SELinuxMount: {},
+
+	SELinuxMountReadWriteOncePod: {},
+
+	SchedulerAsyncAPICalls: {},
+
+	SchedulerAsyncPreemption: {},
+
+	SchedulerPopFromBackoffQ: {},
+
+	SchedulerQueueingHints: {},
+
+	SeparateTaintEvictionController: {},
+
+	ServiceAccountNodeAudienceRestriction: {},
+
+	ServiceAccountTokenJTI: {},
+
+	ServiceAccountTokenNodeBinding: {ServiceAccountTokenNodeBindingValidation},
+
+	ServiceAccountTokenNodeBindingValidation: {},
+
+	ServiceAccountTokenPodNodeInfo: {},
+
+	ServiceTrafficDistribution: {},
+
+	SidecarContainers: {},
+
+	StatefulSetSemanticRevisionComparison: {},
+
+	StorageCapacityScoring: {},
+
+	StorageNamespaceIndex: {},
+
+	StorageVersionMigrator: {},
+
+	StreamingCollectionEncodingToJSON: {},
+
+	StreamingCollectionEncodingToProtobuf: {},
+
+	StrictIPCIDRValidation: {},
+
+	SupplementalGroupsPolicy: {},
+
+	SystemdWatchdog: {},
+
+	TaintTolerationComparisonOperators: {},
+
+	TopologyAwareHints: {},
+
+	TopologyManagerPolicyAlphaOptions: {},
+
+	TopologyManagerPolicyBetaOptions: {},
+
+	TopologyManagerPolicyOptions: {},
+
+	TranslateStreamCloseWebsocketRequests: {},
+
+	UserNamespacesHostNetworkSupport: {UserNamespacesSupport},
+
+	UserNamespacesSupport: {},
+
+	VolumeAttributesClass: {},
+
+	VolumeLimitScaling: {},
+
+	WinDSR: {},
+
+	WinOverlay: {},
+
+	WindowsCPUAndMemoryAffinity: {MemoryManager},
+
+	WindowsGracefulNodeShutdown: {GracefulNodeShutdown},
+
+	WindowsHostNetwork: {},
+
+	apiextensionsfeatures.CRDObservedGenerationTracking: {},
+
+	apiextensionsfeatures.CRDValidationRatcheting: {},
+
+	apiextensionsfeatures.CustomResourceFieldSelectors: {},
+
+	genericfeatures.APIResponseCompression: {},
+
+	genericfeatures.APIServerIdentity: {},
+
+	genericfeatures.APIServerTracing: {},
+
+	genericfeatures.APIServingWithRoutine: {},
+
+	genericfeatures.AggregatedDiscoveryRemoveBetaType: {},
+
+	genericfeatures.AllowParsingUserUIDFromCertAuth: {},
+
+	genericfeatures.AllowUnsafeMalformedObjectDeletion: {},
+
+	genericfeatures.AnonymousAuthConfigurableEndpoints: {},
+
+	genericfeatures.AuthorizeWithSelectors: {},
+
+	genericfeatures.BtreeWatchCache: {},
+
+	genericfeatures.CBORServingAndStorage: {},
+
+	genericfeatures.ConcurrentWatchObjectDecode: {},
+
+	genericfeatures.ConsistentListFromCache: {},
+
+	genericfeatures.ConstrainedImpersonation: {},
+
+	genericfeatures.DeclarativeValidation: {},
+
+	genericfeatures.DeclarativeValidationTakeover: {genericfeatures.DeclarativeValidation},
+
+	genericfeatures.DetectCacheInconsistency: {},
+
+	genericfeatures.KMSv1: {},
+
+	genericfeatures.ListFromCacheSnapshot: {},
+
+	genericfeatures.MutatingAdmissionPolicy: {},
+
+	genericfeatures.OpenAPIEnums: {},
+
+	genericfeatures.RemoteRequestHeaderUID: {},
+
+	genericfeatures.ResilientWatchCacheInitialization: {},
+
+	genericfeatures.RetryGenerateName: {},
+
+	genericfeatures.SeparateCacheWatchRPC: {},
+
+	genericfeatures.SizeBasedListCostEstimate: {},
+
+	genericfeatures.StorageVersionAPI: {genericfeatures.APIServerIdentity},
+
+	genericfeatures.StorageVersionHash: {},
+
+	genericfeatures.StructuredAuthenticationConfiguration: {},
+
+	genericfeatures.StructuredAuthenticationConfigurationEgressSelector: {genericfeatures.StructuredAuthenticationConfiguration},
+
+	genericfeatures.StructuredAuthenticationConfigurationJWKSMetrics: {genericfeatures.StructuredAuthenticationConfiguration},
+
+	genericfeatures.StructuredAuthorizationConfiguration: {},
+
+	genericfeatures.TokenRequestServiceAccountUIDValidation: {},
+
+	genericfeatures.UnauthenticatedHTTP2DOSMitigation: {},
+
+	genericfeatures.UnknownVersionInteroperabilityProxy: {genericfeatures.APIServerIdentity},
+
+	genericfeatures.WatchCacheInitializationPostStartHook: {},
+
+	genericfeatures.WatchFromStorageWithoutResourceVersion: {},
+
+	genericfeatures.WatchList: {},
+
+	kcmfeatures.CloudControllerManagerWatchBasedRoutesReconciliation: {},
+
+	kcmfeatures.CloudControllerManagerWebhook: {},
+
+	zpagesfeatures.ComponentFlagz: {},
+
+	zpagesfeatures.ComponentStatusz: {},
+}
+
 func init() {
 	registerOpenshiftFeatures()
 	runtime.Must(utilfeature.DefaultMutableFeatureGate.AddVersioned(defaultVersionedKubernetesFeatureGates))
+	runtime.Must(utilfeature.DefaultMutableFeatureGate.AddDependencies(defaultKubernetesFeatureGateDependencies))
 	runtime.Must(zpagesfeatures.AddFeatureGates(utilfeature.DefaultMutableFeatureGate))
 
 	// Register all client-go features with kube's feature gate instance and make all client-go
@@ -2092,6 +2593,6 @@ func init() {
 	// are. Further, client-go features automatically support the existing mechanisms for
 	// feature enablement metrics and test overrides.
 	ca := &clientAdapter{utilfeature.DefaultMutableFeatureGate}
-	runtime.Must(clientfeatures.AddFeaturesToExistingFeatureGates(ca))
+	runtime.Must(clientfeatures.AddVersionedFeaturesToExistingFeatureGates(ca))
 	clientfeatures.ReplaceFeatureGates(ca)
 }
diff --git a/pkg/features/kube_features_test.go b/pkg/features/kube_features_test.go
index 3967c2942574e..828ab0ec13c2b 100644
--- a/pkg/features/kube_features_test.go
+++ b/pkg/features/kube_features_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package features
 
 import (
+	"maps"
+	"slices"
 	"testing"
 
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -95,3 +97,12 @@ func TestEnsureAlphaGatesAreNotSwitchedOnByDefault(t *testing.T) {
 		}
 	}
 }
+
+func TestAllDependenciesRegistered(t *testing.T) {
+	registeredDependencies := utilfeature.DefaultFeatureGate.Dependencies()
+	for _, f := range slices.Sorted(maps.Keys(defaultVersionedKubernetesFeatureGates)) {
+		if _, depsRegistered := registeredDependencies[f]; !depsRegistered {
+			t.Errorf("Feature %s did not register dependencies. All features must record explicit feature dependencies, even if there are none.", f)
+		}
+	}
+}
diff --git a/pkg/features/openshift_features.go b/pkg/features/openshift_features.go
index 51bbe0b37b2b0..434781ba97ef7 100644
--- a/pkg/features/openshift_features.go
+++ b/pkg/features/openshift_features.go
@@ -5,9 +5,11 @@ import (
 	"k8s.io/component-base/featuregate"
 )
 
-var RouteExternalCertificate featuregate.Feature = "RouteExternalCertificate"
-var MinimumKubeletVersion featuregate.Feature = "MinimumKubeletVersion"
-var StoragePerformantSecurityPolicy featuregate.Feature = "StoragePerformantSecurityPolicy"
+var (
+	RouteExternalCertificate        featuregate.Feature = "RouteExternalCertificate"
+	MinimumKubeletVersion           featuregate.Feature = "MinimumKubeletVersion"
+	StoragePerformantSecurityPolicy featuregate.Feature = "StoragePerformantSecurityPolicy"
+)
 
 // registerOpenshiftFeatures injects openshift-specific feature gates
 func registerOpenshiftFeatures() {
@@ -23,4 +25,8 @@ func registerOpenshiftFeatures() {
 	defaultVersionedKubernetesFeatureGates[StoragePerformantSecurityPolicy] = featuregate.VersionedSpecs{
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	}
+
+	defaultKubernetesFeatureGateDependencies[RouteExternalCertificate] = []featuregate.Feature{}
+	defaultKubernetesFeatureGateDependencies[MinimumKubeletVersion] = []featuregate.Feature{}
+	defaultKubernetesFeatureGateDependencies[StoragePerformantSecurityPolicy] = []featuregate.Feature{}
 }
diff --git a/pkg/generated/openapi/cmd/models-schema/main.go b/pkg/generated/openapi/cmd/models-schema/main.go
index 1ea02a2036eeb..e3ca808c8e432 100644
--- a/pkg/generated/openapi/cmd/models-schema/main.go
+++ b/pkg/generated/openapi/cmd/models-schema/main.go
@@ -22,7 +22,6 @@ import (
 	"os"
 
 	"k8s.io/kube-openapi/pkg/common"
-	"k8s.io/kube-openapi/pkg/util"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 	"k8s.io/kubernetes/pkg/generated/openapi"
 )
@@ -38,7 +37,7 @@ func main() {
 
 func output() error {
 	refFunc := func(name string) spec.Ref {
-		return spec.MustCreateRef(fmt.Sprintf("#/definitions/%s", util.ToRESTFriendlyName(name)))
+		return spec.MustCreateRef(fmt.Sprintf("#/definitions/%s", name))
 	}
 	defs := openapi.GetOpenAPIDefinitions(refFunc)
 	schemaDefs := make(map[string]spec.Schema, len(defs))
@@ -50,12 +49,12 @@ func output() error {
 		// the type.
 		if schema, ok := v.Schema.Extensions[common.ExtensionV2Schema]; ok {
 			if v2Schema, isOpenAPISchema := schema.(spec.Schema); isOpenAPISchema {
-				schemaDefs[util.ToRESTFriendlyName(k)] = v2Schema
+				schemaDefs[k] = v2Schema
 				continue
 			}
 		}
 
-		schemaDefs[util.ToRESTFriendlyName(k)] = v.Schema
+		schemaDefs[k] = v.Schema
 	}
 	data, err := json.Marshal(&spec.Swagger{
 		SwaggerProps: spec.SwaggerProps{
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 1e27dfc6b6e81..9b4f5c04533d9 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -22,1380 +22,1493 @@ limitations under the License.
 package openapi
 
 import (
-	v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/admissionregistration/v1"
+	v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	v1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	v2 "k8s.io/api/apidiscovery/v2"
+	v2beta1 "k8s.io/api/apidiscovery/v2beta1"
+	apiserverinternalv1alpha1 "k8s.io/api/apiserverinternal/v1alpha1"
+	appsv1 "k8s.io/api/apps/v1"
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
+	autoscalingv1 "k8s.io/api/autoscaling/v1"
+	autoscalingv2 "k8s.io/api/autoscaling/v2"
+	autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
+	v2beta2 "k8s.io/api/autoscaling/v2beta2"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
+	certificatesv1 "k8s.io/api/certificates/v1"
+	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	coordinationv1 "k8s.io/api/coordination/v1"
+	v1alpha2 "k8s.io/api/coordination/v1alpha2"
+	coordinationv1beta1 "k8s.io/api/coordination/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	discoveryv1 "k8s.io/api/discovery/v1"
+	discoveryv1beta1 "k8s.io/api/discovery/v1beta1"
+	eventsv1 "k8s.io/api/events/v1"
+	eventsv1beta1 "k8s.io/api/events/v1beta1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+	flowcontrolv1 "k8s.io/api/flowcontrol/v1"
+	flowcontrolv1beta1 "k8s.io/api/flowcontrol/v1beta1"
+	flowcontrolv1beta2 "k8s.io/api/flowcontrol/v1beta2"
+	v1beta3 "k8s.io/api/flowcontrol/v1beta3"
+	imagepolicyv1alpha1 "k8s.io/api/imagepolicy/v1alpha1"
+	networkingv1 "k8s.io/api/networking/v1"
+	networkingv1beta1 "k8s.io/api/networking/v1beta1"
+	nodev1 "k8s.io/api/node/v1"
+	nodev1alpha1 "k8s.io/api/node/v1alpha1"
+	nodev1beta1 "k8s.io/api/node/v1beta1"
+	policyv1 "k8s.io/api/policy/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	rbacv1alpha1 "k8s.io/api/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
+	resourcev1 "k8s.io/api/resource/v1"
+	v1alpha3 "k8s.io/api/resource/v1alpha3"
+	resourcev1beta1 "k8s.io/api/resource/v1beta1"
+	resourcev1beta2 "k8s.io/api/resource/v1beta2"
+	schedulingv1 "k8s.io/api/scheduling/v1"
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	schedulingv1beta1 "k8s.io/api/scheduling/v1beta1"
+	storagev1 "k8s.io/api/storage/v1"
+	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
+	storagev1beta1 "k8s.io/api/storage/v1beta1"
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	v1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
+	testapigroupv1 "k8s.io/apimachinery/pkg/apis/testapigroup/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	version "k8s.io/apimachinery/pkg/version"
+	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
+	apiv1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	statuszapiv1alpha1 "k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
+	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+	configv1alpha1 "k8s.io/cloud-provider/config/v1alpha1"
+	nodeconfigv1alpha1 "k8s.io/cloud-provider/controllers/node/config/v1alpha1"
+	serviceconfigv1alpha1 "k8s.io/cloud-provider/controllers/service/config/v1alpha1"
+	componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
+	logsapiv1 "k8s.io/component-base/logs/api/v1"
+	apiv1 "k8s.io/component-base/tracing/api/v1"
+	controllermanagerconfigv1alpha1 "k8s.io/controller-manager/config/v1alpha1"
+	configv1beta1 "k8s.io/controller-manager/config/v1beta1"
+	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
+	kubecontrollermanagerconfigv1alpha1 "k8s.io/kube-controller-manager/config/v1alpha1"
 	common "k8s.io/kube-openapi/pkg/common"
 	spec "k8s.io/kube-openapi/pkg/validation/spec"
+	kubeproxyconfigv1alpha1 "k8s.io/kube-proxy/config/v1alpha1"
+	configv1 "k8s.io/kube-scheduler/config/v1"
+	pkgconfigv1alpha1 "k8s.io/kubectl/pkg/config/v1alpha1"
+	pkgconfigv1beta1 "k8s.io/kubectl/pkg/config/v1beta1"
+	kubeletconfigv1 "k8s.io/kubelet/config/v1"
+	kubeletconfigv1alpha1 "k8s.io/kubelet/config/v1alpha1"
+	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
+	abacv1beta1 "k8s.io/kubernetes/pkg/apis/abac/v1beta1"
+	custommetricsv1beta1 "k8s.io/metrics/pkg/apis/custom_metrics/v1beta1"
+	custommetricsv1beta2 "k8s.io/metrics/pkg/apis/custom_metrics/v1beta2"
+	externalmetricsv1beta1 "k8s.io/metrics/pkg/apis/external_metrics/v1beta1"
+	metricsv1alpha1 "k8s.io/metrics/pkg/apis/metrics/v1alpha1"
+	metricsv1beta1 "k8s.io/metrics/pkg/apis/metrics/v1beta1"
 )
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"k8s.io/api/admissionregistration/v1.AuditAnnotation":                                                   schema_k8sio_api_admissionregistration_v1_AuditAnnotation(ref),
-		"k8s.io/api/admissionregistration/v1.ExpressionWarning":                                                 schema_k8sio_api_admissionregistration_v1_ExpressionWarning(ref),
-		"k8s.io/api/admissionregistration/v1.MatchCondition":                                                    schema_k8sio_api_admissionregistration_v1_MatchCondition(ref),
-		"k8s.io/api/admissionregistration/v1.MatchResources":                                                    schema_k8sio_api_admissionregistration_v1_MatchResources(ref),
-		"k8s.io/api/admissionregistration/v1.MutatingWebhook":                                                   schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref),
-		"k8s.io/api/admissionregistration/v1.MutatingWebhookConfiguration":                                      schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1.MutatingWebhookConfigurationList":                                  schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfigurationList(ref),
-		"k8s.io/api/admissionregistration/v1.NamedRuleWithOperations":                                           schema_k8sio_api_admissionregistration_v1_NamedRuleWithOperations(ref),
-		"k8s.io/api/admissionregistration/v1.ParamKind":                                                         schema_k8sio_api_admissionregistration_v1_ParamKind(ref),
-		"k8s.io/api/admissionregistration/v1.ParamRef":                                                          schema_k8sio_api_admissionregistration_v1_ParamRef(ref),
-		"k8s.io/api/admissionregistration/v1.Rule":                                                              schema_k8sio_api_admissionregistration_v1_Rule(ref),
-		"k8s.io/api/admissionregistration/v1.RuleWithOperations":                                                schema_k8sio_api_admissionregistration_v1_RuleWithOperations(ref),
-		"k8s.io/api/admissionregistration/v1.ServiceReference":                                                  schema_k8sio_api_admissionregistration_v1_ServiceReference(ref),
-		"k8s.io/api/admissionregistration/v1.TypeChecking":                                                      schema_k8sio_api_admissionregistration_v1_TypeChecking(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicy":                                         schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicy(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBinding":                                  schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBinding(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBindingList":                              schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingList(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBindingSpec":                              schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingSpec(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyList":                                     schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyList(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicySpec":                                     schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyStatus":                                   schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyStatus(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingWebhook":                                                 schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingWebhookConfiguration":                                    schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1.ValidatingWebhookConfigurationList":                                schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfigurationList(ref),
-		"k8s.io/api/admissionregistration/v1.Validation":                                                        schema_k8sio_api_admissionregistration_v1_Validation(ref),
-		"k8s.io/api/admissionregistration/v1.Variable":                                                          schema_k8sio_api_admissionregistration_v1_Variable(ref),
-		"k8s.io/api/admissionregistration/v1.WebhookClientConfig":                                               schema_k8sio_api_admissionregistration_v1_WebhookClientConfig(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ApplyConfiguration":                                          schema_k8sio_api_admissionregistration_v1alpha1_ApplyConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.AuditAnnotation":                                             schema_k8sio_api_admissionregistration_v1alpha1_AuditAnnotation(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ExpressionWarning":                                           schema_k8sio_api_admissionregistration_v1alpha1_ExpressionWarning(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.JSONPatch":                                                   schema_k8sio_api_admissionregistration_v1alpha1_JSONPatch(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MatchCondition":                                              schema_k8sio_api_admissionregistration_v1alpha1_MatchCondition(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MatchResources":                                              schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicy":                                     schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicy(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBinding":                              schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBinding(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBindingList":                          schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBindingList(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBindingSpec":                          schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBindingSpec(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyList":                                 schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyList(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicySpec":                                 schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.Mutation":                                                    schema_k8sio_api_admissionregistration_v1alpha1_Mutation(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.NamedRuleWithOperations":                                     schema_k8sio_api_admissionregistration_v1alpha1_NamedRuleWithOperations(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ParamKind":                                                   schema_k8sio_api_admissionregistration_v1alpha1_ParamKind(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ParamRef":                                                    schema_k8sio_api_admissionregistration_v1alpha1_ParamRef(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.TypeChecking":                                                schema_k8sio_api_admissionregistration_v1alpha1_TypeChecking(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicy":                                   schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicy(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBinding":                            schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBinding(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBindingList":                        schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBindingList(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBindingSpec":                        schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBindingSpec(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyList":                               schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyList(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicySpec":                               schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySpec(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyStatus":                             schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyStatus(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.Validation":                                                  schema_k8sio_api_admissionregistration_v1alpha1_Validation(ref),
-		"k8s.io/api/admissionregistration/v1alpha1.Variable":                                                    schema_k8sio_api_admissionregistration_v1alpha1_Variable(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ApplyConfiguration":                                           schema_k8sio_api_admissionregistration_v1beta1_ApplyConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1beta1.AuditAnnotation":                                              schema_k8sio_api_admissionregistration_v1beta1_AuditAnnotation(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ExpressionWarning":                                            schema_k8sio_api_admissionregistration_v1beta1_ExpressionWarning(ref),
-		"k8s.io/api/admissionregistration/v1beta1.JSONPatch":                                                    schema_k8sio_api_admissionregistration_v1beta1_JSONPatch(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MatchCondition":                                               schema_k8sio_api_admissionregistration_v1beta1_MatchCondition(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MatchResources":                                               schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicy":                                      schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicy(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBinding":                               schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBinding(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBindingList":                           schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindingList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBindingSpec":                           schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindingSpec(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyList":                                  schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicySpec":                                  schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingWebhook":                                              schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingWebhookConfiguration":                                 schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1beta1.MutatingWebhookConfigurationList":                             schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfigurationList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.Mutation":                                                     schema_k8sio_api_admissionregistration_v1beta1_Mutation(ref),
-		"k8s.io/api/admissionregistration/v1beta1.NamedRuleWithOperations":                                      schema_k8sio_api_admissionregistration_v1beta1_NamedRuleWithOperations(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ParamKind":                                                    schema_k8sio_api_admissionregistration_v1beta1_ParamKind(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ParamRef":                                                     schema_k8sio_api_admissionregistration_v1beta1_ParamRef(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ServiceReference":                                             schema_k8sio_api_admissionregistration_v1beta1_ServiceReference(ref),
-		"k8s.io/api/admissionregistration/v1beta1.TypeChecking":                                                 schema_k8sio_api_admissionregistration_v1beta1_TypeChecking(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicy":                                    schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicy(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBinding":                             schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBinding(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBindingList":                         schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBindingList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBindingSpec":                         schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBindingSpec(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyList":                                schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicySpec":                                schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpec(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyStatus":                              schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyStatus(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingWebhook":                                            schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingWebhookConfiguration":                               schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfiguration(ref),
-		"k8s.io/api/admissionregistration/v1beta1.ValidatingWebhookConfigurationList":                           schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurationList(ref),
-		"k8s.io/api/admissionregistration/v1beta1.Validation":                                                   schema_k8sio_api_admissionregistration_v1beta1_Validation(ref),
-		"k8s.io/api/admissionregistration/v1beta1.Variable":                                                     schema_k8sio_api_admissionregistration_v1beta1_Variable(ref),
-		"k8s.io/api/admissionregistration/v1beta1.WebhookClientConfig":                                          schema_k8sio_api_admissionregistration_v1beta1_WebhookClientConfig(ref),
-		"k8s.io/api/apidiscovery/v2.APIGroupDiscovery":                                                          schema_k8sio_api_apidiscovery_v2_APIGroupDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2.APIGroupDiscoveryList":                                                      schema_k8sio_api_apidiscovery_v2_APIGroupDiscoveryList(ref),
-		"k8s.io/api/apidiscovery/v2.APIResourceDiscovery":                                                       schema_k8sio_api_apidiscovery_v2_APIResourceDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2.APISubresourceDiscovery":                                                    schema_k8sio_api_apidiscovery_v2_APISubresourceDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2.APIVersionDiscovery":                                                        schema_k8sio_api_apidiscovery_v2_APIVersionDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2beta1.APIGroupDiscovery":                                                     schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2beta1.APIGroupDiscoveryList":                                                 schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscoveryList(ref),
-		"k8s.io/api/apidiscovery/v2beta1.APIResourceDiscovery":                                                  schema_k8sio_api_apidiscovery_v2beta1_APIResourceDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2beta1.APISubresourceDiscovery":                                               schema_k8sio_api_apidiscovery_v2beta1_APISubresourceDiscovery(ref),
-		"k8s.io/api/apidiscovery/v2beta1.APIVersionDiscovery":                                                   schema_k8sio_api_apidiscovery_v2beta1_APIVersionDiscovery(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.ServerStorageVersion":                                            schema_k8sio_api_apiserverinternal_v1alpha1_ServerStorageVersion(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.StorageVersion":                                                  schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersion(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.StorageVersionCondition":                                         schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionCondition(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.StorageVersionList":                                              schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionList(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.StorageVersionSpec":                                              schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionSpec(ref),
-		"k8s.io/api/apiserverinternal/v1alpha1.StorageVersionStatus":                                            schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionStatus(ref),
-		"k8s.io/api/apps/v1.ControllerRevision":                                                                 schema_k8sio_api_apps_v1_ControllerRevision(ref),
-		"k8s.io/api/apps/v1.ControllerRevisionList":                                                             schema_k8sio_api_apps_v1_ControllerRevisionList(ref),
-		"k8s.io/api/apps/v1.DaemonSet":                                                                          schema_k8sio_api_apps_v1_DaemonSet(ref),
-		"k8s.io/api/apps/v1.DaemonSetCondition":                                                                 schema_k8sio_api_apps_v1_DaemonSetCondition(ref),
-		"k8s.io/api/apps/v1.DaemonSetList":                                                                      schema_k8sio_api_apps_v1_DaemonSetList(ref),
-		"k8s.io/api/apps/v1.DaemonSetSpec":                                                                      schema_k8sio_api_apps_v1_DaemonSetSpec(ref),
-		"k8s.io/api/apps/v1.DaemonSetStatus":                                                                    schema_k8sio_api_apps_v1_DaemonSetStatus(ref),
-		"k8s.io/api/apps/v1.DaemonSetUpdateStrategy":                                                            schema_k8sio_api_apps_v1_DaemonSetUpdateStrategy(ref),
-		"k8s.io/api/apps/v1.Deployment":                                                                         schema_k8sio_api_apps_v1_Deployment(ref),
-		"k8s.io/api/apps/v1.DeploymentCondition":                                                                schema_k8sio_api_apps_v1_DeploymentCondition(ref),
-		"k8s.io/api/apps/v1.DeploymentList":                                                                     schema_k8sio_api_apps_v1_DeploymentList(ref),
-		"k8s.io/api/apps/v1.DeploymentSpec":                                                                     schema_k8sio_api_apps_v1_DeploymentSpec(ref),
-		"k8s.io/api/apps/v1.DeploymentStatus":                                                                   schema_k8sio_api_apps_v1_DeploymentStatus(ref),
-		"k8s.io/api/apps/v1.DeploymentStrategy":                                                                 schema_k8sio_api_apps_v1_DeploymentStrategy(ref),
-		"k8s.io/api/apps/v1.ReplicaSet":                                                                         schema_k8sio_api_apps_v1_ReplicaSet(ref),
-		"k8s.io/api/apps/v1.ReplicaSetCondition":                                                                schema_k8sio_api_apps_v1_ReplicaSetCondition(ref),
-		"k8s.io/api/apps/v1.ReplicaSetList":                                                                     schema_k8sio_api_apps_v1_ReplicaSetList(ref),
-		"k8s.io/api/apps/v1.ReplicaSetSpec":                                                                     schema_k8sio_api_apps_v1_ReplicaSetSpec(ref),
-		"k8s.io/api/apps/v1.ReplicaSetStatus":                                                                   schema_k8sio_api_apps_v1_ReplicaSetStatus(ref),
-		"k8s.io/api/apps/v1.RollingUpdateDaemonSet":                                                             schema_k8sio_api_apps_v1_RollingUpdateDaemonSet(ref),
-		"k8s.io/api/apps/v1.RollingUpdateDeployment":                                                            schema_k8sio_api_apps_v1_RollingUpdateDeployment(ref),
-		"k8s.io/api/apps/v1.RollingUpdateStatefulSetStrategy":                                                   schema_k8sio_api_apps_v1_RollingUpdateStatefulSetStrategy(ref),
-		"k8s.io/api/apps/v1.StatefulSet":                                                                        schema_k8sio_api_apps_v1_StatefulSet(ref),
-		"k8s.io/api/apps/v1.StatefulSetCondition":                                                               schema_k8sio_api_apps_v1_StatefulSetCondition(ref),
-		"k8s.io/api/apps/v1.StatefulSetList":                                                                    schema_k8sio_api_apps_v1_StatefulSetList(ref),
-		"k8s.io/api/apps/v1.StatefulSetOrdinals":                                                                schema_k8sio_api_apps_v1_StatefulSetOrdinals(ref),
-		"k8s.io/api/apps/v1.StatefulSetPersistentVolumeClaimRetentionPolicy":                                    schema_k8sio_api_apps_v1_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
-		"k8s.io/api/apps/v1.StatefulSetSpec":                                                                    schema_k8sio_api_apps_v1_StatefulSetSpec(ref),
-		"k8s.io/api/apps/v1.StatefulSetStatus":                                                                  schema_k8sio_api_apps_v1_StatefulSetStatus(ref),
-		"k8s.io/api/apps/v1.StatefulSetUpdateStrategy":                                                          schema_k8sio_api_apps_v1_StatefulSetUpdateStrategy(ref),
-		"k8s.io/api/apps/v1beta1.ControllerRevision":                                                            schema_k8sio_api_apps_v1beta1_ControllerRevision(ref),
-		"k8s.io/api/apps/v1beta1.ControllerRevisionList":                                                        schema_k8sio_api_apps_v1beta1_ControllerRevisionList(ref),
-		"k8s.io/api/apps/v1beta1.Deployment":                                                                    schema_k8sio_api_apps_v1beta1_Deployment(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentCondition":                                                           schema_k8sio_api_apps_v1beta1_DeploymentCondition(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentList":                                                                schema_k8sio_api_apps_v1beta1_DeploymentList(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentRollback":                                                            schema_k8sio_api_apps_v1beta1_DeploymentRollback(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentSpec":                                                                schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentStatus":                                                              schema_k8sio_api_apps_v1beta1_DeploymentStatus(ref),
-		"k8s.io/api/apps/v1beta1.DeploymentStrategy":                                                            schema_k8sio_api_apps_v1beta1_DeploymentStrategy(ref),
-		"k8s.io/api/apps/v1beta1.RollbackConfig":                                                                schema_k8sio_api_apps_v1beta1_RollbackConfig(ref),
-		"k8s.io/api/apps/v1beta1.RollingUpdateDeployment":                                                       schema_k8sio_api_apps_v1beta1_RollingUpdateDeployment(ref),
-		"k8s.io/api/apps/v1beta1.RollingUpdateStatefulSetStrategy":                                              schema_k8sio_api_apps_v1beta1_RollingUpdateStatefulSetStrategy(ref),
-		"k8s.io/api/apps/v1beta1.Scale":                                                                         schema_k8sio_api_apps_v1beta1_Scale(ref),
-		"k8s.io/api/apps/v1beta1.ScaleSpec":                                                                     schema_k8sio_api_apps_v1beta1_ScaleSpec(ref),
-		"k8s.io/api/apps/v1beta1.ScaleStatus":                                                                   schema_k8sio_api_apps_v1beta1_ScaleStatus(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSet":                                                                   schema_k8sio_api_apps_v1beta1_StatefulSet(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetCondition":                                                          schema_k8sio_api_apps_v1beta1_StatefulSetCondition(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetList":                                                               schema_k8sio_api_apps_v1beta1_StatefulSetList(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetOrdinals":                                                           schema_k8sio_api_apps_v1beta1_StatefulSetOrdinals(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy":                               schema_k8sio_api_apps_v1beta1_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetSpec":                                                               schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetStatus":                                                             schema_k8sio_api_apps_v1beta1_StatefulSetStatus(ref),
-		"k8s.io/api/apps/v1beta1.StatefulSetUpdateStrategy":                                                     schema_k8sio_api_apps_v1beta1_StatefulSetUpdateStrategy(ref),
-		"k8s.io/api/apps/v1beta2.ControllerRevision":                                                            schema_k8sio_api_apps_v1beta2_ControllerRevision(ref),
-		"k8s.io/api/apps/v1beta2.ControllerRevisionList":                                                        schema_k8sio_api_apps_v1beta2_ControllerRevisionList(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSet":                                                                     schema_k8sio_api_apps_v1beta2_DaemonSet(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSetCondition":                                                            schema_k8sio_api_apps_v1beta2_DaemonSetCondition(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSetList":                                                                 schema_k8sio_api_apps_v1beta2_DaemonSetList(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSetSpec":                                                                 schema_k8sio_api_apps_v1beta2_DaemonSetSpec(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSetStatus":                                                               schema_k8sio_api_apps_v1beta2_DaemonSetStatus(ref),
-		"k8s.io/api/apps/v1beta2.DaemonSetUpdateStrategy":                                                       schema_k8sio_api_apps_v1beta2_DaemonSetUpdateStrategy(ref),
-		"k8s.io/api/apps/v1beta2.Deployment":                                                                    schema_k8sio_api_apps_v1beta2_Deployment(ref),
-		"k8s.io/api/apps/v1beta2.DeploymentCondition":                                                           schema_k8sio_api_apps_v1beta2_DeploymentCondition(ref),
-		"k8s.io/api/apps/v1beta2.DeploymentList":                                                                schema_k8sio_api_apps_v1beta2_DeploymentList(ref),
-		"k8s.io/api/apps/v1beta2.DeploymentSpec":                                                                schema_k8sio_api_apps_v1beta2_DeploymentSpec(ref),
-		"k8s.io/api/apps/v1beta2.DeploymentStatus":                                                              schema_k8sio_api_apps_v1beta2_DeploymentStatus(ref),
-		"k8s.io/api/apps/v1beta2.DeploymentStrategy":                                                            schema_k8sio_api_apps_v1beta2_DeploymentStrategy(ref),
-		"k8s.io/api/apps/v1beta2.ReplicaSet":                                                                    schema_k8sio_api_apps_v1beta2_ReplicaSet(ref),
-		"k8s.io/api/apps/v1beta2.ReplicaSetCondition":                                                           schema_k8sio_api_apps_v1beta2_ReplicaSetCondition(ref),
-		"k8s.io/api/apps/v1beta2.ReplicaSetList":                                                                schema_k8sio_api_apps_v1beta2_ReplicaSetList(ref),
-		"k8s.io/api/apps/v1beta2.ReplicaSetSpec":                                                                schema_k8sio_api_apps_v1beta2_ReplicaSetSpec(ref),
-		"k8s.io/api/apps/v1beta2.ReplicaSetStatus":                                                              schema_k8sio_api_apps_v1beta2_ReplicaSetStatus(ref),
-		"k8s.io/api/apps/v1beta2.RollingUpdateDaemonSet":                                                        schema_k8sio_api_apps_v1beta2_RollingUpdateDaemonSet(ref),
-		"k8s.io/api/apps/v1beta2.RollingUpdateDeployment":                                                       schema_k8sio_api_apps_v1beta2_RollingUpdateDeployment(ref),
-		"k8s.io/api/apps/v1beta2.RollingUpdateStatefulSetStrategy":                                              schema_k8sio_api_apps_v1beta2_RollingUpdateStatefulSetStrategy(ref),
-		"k8s.io/api/apps/v1beta2.Scale":                                                                         schema_k8sio_api_apps_v1beta2_Scale(ref),
-		"k8s.io/api/apps/v1beta2.ScaleSpec":                                                                     schema_k8sio_api_apps_v1beta2_ScaleSpec(ref),
-		"k8s.io/api/apps/v1beta2.ScaleStatus":                                                                   schema_k8sio_api_apps_v1beta2_ScaleStatus(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSet":                                                                   schema_k8sio_api_apps_v1beta2_StatefulSet(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetCondition":                                                          schema_k8sio_api_apps_v1beta2_StatefulSetCondition(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetList":                                                               schema_k8sio_api_apps_v1beta2_StatefulSetList(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetOrdinals":                                                           schema_k8sio_api_apps_v1beta2_StatefulSetOrdinals(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy":                               schema_k8sio_api_apps_v1beta2_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetSpec":                                                               schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetStatus":                                                             schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref),
-		"k8s.io/api/apps/v1beta2.StatefulSetUpdateStrategy":                                                     schema_k8sio_api_apps_v1beta2_StatefulSetUpdateStrategy(ref),
-		"k8s.io/api/authentication/v1.BoundObjectReference":                                                     schema_k8sio_api_authentication_v1_BoundObjectReference(ref),
-		"k8s.io/api/authentication/v1.SelfSubjectReview":                                                        schema_k8sio_api_authentication_v1_SelfSubjectReview(ref),
-		"k8s.io/api/authentication/v1.SelfSubjectReviewStatus":                                                  schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref),
-		"k8s.io/api/authentication/v1.TokenRequest":                                                             schema_k8sio_api_authentication_v1_TokenRequest(ref),
-		"k8s.io/api/authentication/v1.TokenRequestSpec":                                                         schema_k8sio_api_authentication_v1_TokenRequestSpec(ref),
-		"k8s.io/api/authentication/v1.TokenRequestStatus":                                                       schema_k8sio_api_authentication_v1_TokenRequestStatus(ref),
-		"k8s.io/api/authentication/v1.TokenReview":                                                              schema_k8sio_api_authentication_v1_TokenReview(ref),
-		"k8s.io/api/authentication/v1.TokenReviewSpec":                                                          schema_k8sio_api_authentication_v1_TokenReviewSpec(ref),
-		"k8s.io/api/authentication/v1.TokenReviewStatus":                                                        schema_k8sio_api_authentication_v1_TokenReviewStatus(ref),
-		"k8s.io/api/authentication/v1.UserInfo":                                                                 schema_k8sio_api_authentication_v1_UserInfo(ref),
-		"k8s.io/api/authentication/v1alpha1.SelfSubjectReview":                                                  schema_k8sio_api_authentication_v1alpha1_SelfSubjectReview(ref),
-		"k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus":                                            schema_k8sio_api_authentication_v1alpha1_SelfSubjectReviewStatus(ref),
-		"k8s.io/api/authentication/v1beta1.SelfSubjectReview":                                                   schema_k8sio_api_authentication_v1beta1_SelfSubjectReview(ref),
-		"k8s.io/api/authentication/v1beta1.SelfSubjectReviewStatus":                                             schema_k8sio_api_authentication_v1beta1_SelfSubjectReviewStatus(ref),
-		"k8s.io/api/authentication/v1beta1.TokenReview":                                                         schema_k8sio_api_authentication_v1beta1_TokenReview(ref),
-		"k8s.io/api/authentication/v1beta1.TokenReviewSpec":                                                     schema_k8sio_api_authentication_v1beta1_TokenReviewSpec(ref),
-		"k8s.io/api/authentication/v1beta1.TokenReviewStatus":                                                   schema_k8sio_api_authentication_v1beta1_TokenReviewStatus(ref),
-		"k8s.io/api/authentication/v1beta1.UserInfo":                                                            schema_k8sio_api_authentication_v1beta1_UserInfo(ref),
-		"k8s.io/api/authorization/v1.FieldSelectorAttributes":                                                   schema_k8sio_api_authorization_v1_FieldSelectorAttributes(ref),
-		"k8s.io/api/authorization/v1.LabelSelectorAttributes":                                                   schema_k8sio_api_authorization_v1_LabelSelectorAttributes(ref),
-		"k8s.io/api/authorization/v1.LocalSubjectAccessReview":                                                  schema_k8sio_api_authorization_v1_LocalSubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1.NonResourceAttributes":                                                     schema_k8sio_api_authorization_v1_NonResourceAttributes(ref),
-		"k8s.io/api/authorization/v1.NonResourceRule":                                                           schema_k8sio_api_authorization_v1_NonResourceRule(ref),
-		"k8s.io/api/authorization/v1.ResourceAttributes":                                                        schema_k8sio_api_authorization_v1_ResourceAttributes(ref),
-		"k8s.io/api/authorization/v1.ResourceRule":                                                              schema_k8sio_api_authorization_v1_ResourceRule(ref),
-		"k8s.io/api/authorization/v1.SelfSubjectAccessReview":                                                   schema_k8sio_api_authorization_v1_SelfSubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1.SelfSubjectAccessReviewSpec":                                               schema_k8sio_api_authorization_v1_SelfSubjectAccessReviewSpec(ref),
-		"k8s.io/api/authorization/v1.SelfSubjectRulesReview":                                                    schema_k8sio_api_authorization_v1_SelfSubjectRulesReview(ref),
-		"k8s.io/api/authorization/v1.SelfSubjectRulesReviewSpec":                                                schema_k8sio_api_authorization_v1_SelfSubjectRulesReviewSpec(ref),
-		"k8s.io/api/authorization/v1.SubjectAccessReview":                                                       schema_k8sio_api_authorization_v1_SubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1.SubjectAccessReviewSpec":                                                   schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref),
-		"k8s.io/api/authorization/v1.SubjectAccessReviewStatus":                                                 schema_k8sio_api_authorization_v1_SubjectAccessReviewStatus(ref),
-		"k8s.io/api/authorization/v1.SubjectRulesReviewStatus":                                                  schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref),
-		"k8s.io/api/authorization/v1beta1.LocalSubjectAccessReview":                                             schema_k8sio_api_authorization_v1beta1_LocalSubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1beta1.NonResourceAttributes":                                                schema_k8sio_api_authorization_v1beta1_NonResourceAttributes(ref),
-		"k8s.io/api/authorization/v1beta1.NonResourceRule":                                                      schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref),
-		"k8s.io/api/authorization/v1beta1.ResourceAttributes":                                                   schema_k8sio_api_authorization_v1beta1_ResourceAttributes(ref),
-		"k8s.io/api/authorization/v1beta1.ResourceRule":                                                         schema_k8sio_api_authorization_v1beta1_ResourceRule(ref),
-		"k8s.io/api/authorization/v1beta1.SelfSubjectAccessReview":                                              schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1beta1.SelfSubjectAccessReviewSpec":                                          schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReviewSpec(ref),
-		"k8s.io/api/authorization/v1beta1.SelfSubjectRulesReview":                                               schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReview(ref),
-		"k8s.io/api/authorization/v1beta1.SelfSubjectRulesReviewSpec":                                           schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReviewSpec(ref),
-		"k8s.io/api/authorization/v1beta1.SubjectAccessReview":                                                  schema_k8sio_api_authorization_v1beta1_SubjectAccessReview(ref),
-		"k8s.io/api/authorization/v1beta1.SubjectAccessReviewSpec":                                              schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref),
-		"k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus":                                            schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewStatus(ref),
-		"k8s.io/api/authorization/v1beta1.SubjectRulesReviewStatus":                                             schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref),
-		"k8s.io/api/autoscaling/v1.ContainerResourceMetricSource":                                               schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus":                                               schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.CrossVersionObjectReference":                                                 schema_k8sio_api_autoscaling_v1_CrossVersionObjectReference(ref),
-		"k8s.io/api/autoscaling/v1.ExternalMetricSource":                                                        schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ExternalMetricStatus":                                                        schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler":                                                     schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerCondition":                                            schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerList":                                                 schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec":                                                 schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus":                                               schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref),
-		"k8s.io/api/autoscaling/v1.MetricSpec":                                                                  schema_k8sio_api_autoscaling_v1_MetricSpec(ref),
-		"k8s.io/api/autoscaling/v1.MetricStatus":                                                                schema_k8sio_api_autoscaling_v1_MetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.ObjectMetricSource":                                                          schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ObjectMetricStatus":                                                          schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.PodsMetricSource":                                                            schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.PodsMetricStatus":                                                            schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.ResourceMetricSource":                                                        schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ResourceMetricStatus":                                                        schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.Scale":                                                                       schema_k8sio_api_autoscaling_v1_Scale(ref),
-		"k8s.io/api/autoscaling/v1.ScaleSpec":                                                                   schema_k8sio_api_autoscaling_v1_ScaleSpec(ref),
-		"k8s.io/api/autoscaling/v1.ScaleStatus":                                                                 schema_k8sio_api_autoscaling_v1_ScaleStatus(ref),
-		"k8s.io/api/autoscaling/v2.ContainerResourceMetricSource":                                               schema_k8sio_api_autoscaling_v2_ContainerResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2.ContainerResourceMetricStatus":                                               schema_k8sio_api_autoscaling_v2_ContainerResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2.CrossVersionObjectReference":                                                 schema_k8sio_api_autoscaling_v2_CrossVersionObjectReference(ref),
-		"k8s.io/api/autoscaling/v2.ExternalMetricSource":                                                        schema_k8sio_api_autoscaling_v2_ExternalMetricSource(ref),
-		"k8s.io/api/autoscaling/v2.ExternalMetricStatus":                                                        schema_k8sio_api_autoscaling_v2_ExternalMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2.HPAScalingPolicy":                                                            schema_k8sio_api_autoscaling_v2_HPAScalingPolicy(ref),
-		"k8s.io/api/autoscaling/v2.HPAScalingRules":                                                             schema_k8sio_api_autoscaling_v2_HPAScalingRules(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscaler":                                                     schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscaler(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerBehavior":                                             schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerBehavior(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerCondition":                                            schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerCondition(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerList":                                                 schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerList(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerSpec":                                                 schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref),
-		"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerStatus":                                               schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref),
-		"k8s.io/api/autoscaling/v2.MetricIdentifier":                                                            schema_k8sio_api_autoscaling_v2_MetricIdentifier(ref),
-		"k8s.io/api/autoscaling/v2.MetricSpec":                                                                  schema_k8sio_api_autoscaling_v2_MetricSpec(ref),
-		"k8s.io/api/autoscaling/v2.MetricStatus":                                                                schema_k8sio_api_autoscaling_v2_MetricStatus(ref),
-		"k8s.io/api/autoscaling/v2.MetricTarget":                                                                schema_k8sio_api_autoscaling_v2_MetricTarget(ref),
-		"k8s.io/api/autoscaling/v2.MetricValueStatus":                                                           schema_k8sio_api_autoscaling_v2_MetricValueStatus(ref),
-		"k8s.io/api/autoscaling/v2.ObjectMetricSource":                                                          schema_k8sio_api_autoscaling_v2_ObjectMetricSource(ref),
-		"k8s.io/api/autoscaling/v2.ObjectMetricStatus":                                                          schema_k8sio_api_autoscaling_v2_ObjectMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2.PodsMetricSource":                                                            schema_k8sio_api_autoscaling_v2_PodsMetricSource(ref),
-		"k8s.io/api/autoscaling/v2.PodsMetricStatus":                                                            schema_k8sio_api_autoscaling_v2_PodsMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2.ResourceMetricSource":                                                        schema_k8sio_api_autoscaling_v2_ResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2.ResourceMetricStatus":                                                        schema_k8sio_api_autoscaling_v2_ResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricSource":                                          schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricStatus":                                          schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference":                                            schema_k8sio_api_autoscaling_v2beta1_CrossVersionObjectReference(ref),
-		"k8s.io/api/autoscaling/v2beta1.ExternalMetricSource":                                                   schema_k8sio_api_autoscaling_v2beta1_ExternalMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta1.ExternalMetricStatus":                                                   schema_k8sio_api_autoscaling_v2beta1_ExternalMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscaler":                                                schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscaler(ref),
-		"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerCondition":                                       schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerCondition(ref),
-		"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerList":                                            schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerList(ref),
-		"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerSpec":                                            schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerSpec(ref),
-		"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerStatus":                                          schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.MetricSpec":                                                             schema_k8sio_api_autoscaling_v2beta1_MetricSpec(ref),
-		"k8s.io/api/autoscaling/v2beta1.MetricStatus":                                                           schema_k8sio_api_autoscaling_v2beta1_MetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.ObjectMetricSource":                                                     schema_k8sio_api_autoscaling_v2beta1_ObjectMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta1.ObjectMetricStatus":                                                     schema_k8sio_api_autoscaling_v2beta1_ObjectMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.PodsMetricSource":                                                       schema_k8sio_api_autoscaling_v2beta1_PodsMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta1.PodsMetricStatus":                                                       schema_k8sio_api_autoscaling_v2beta1_PodsMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta1.ResourceMetricSource":                                                   schema_k8sio_api_autoscaling_v2beta1_ResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta1.ResourceMetricStatus":                                                   schema_k8sio_api_autoscaling_v2beta1_ResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricSource":                                          schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricStatus":                                          schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference":                                            schema_k8sio_api_autoscaling_v2beta2_CrossVersionObjectReference(ref),
-		"k8s.io/api/autoscaling/v2beta2.ExternalMetricSource":                                                   schema_k8sio_api_autoscaling_v2beta2_ExternalMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta2.ExternalMetricStatus":                                                   schema_k8sio_api_autoscaling_v2beta2_ExternalMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.HPAScalingPolicy":                                                       schema_k8sio_api_autoscaling_v2beta2_HPAScalingPolicy(ref),
-		"k8s.io/api/autoscaling/v2beta2.HPAScalingRules":                                                        schema_k8sio_api_autoscaling_v2beta2_HPAScalingRules(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscaler":                                                schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscaler(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerBehavior":                                        schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerBehavior(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerCondition":                                       schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerCondition(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerList":                                            schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerList(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerSpec":                                            schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref),
-		"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerStatus":                                          schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.MetricIdentifier":                                                       schema_k8sio_api_autoscaling_v2beta2_MetricIdentifier(ref),
-		"k8s.io/api/autoscaling/v2beta2.MetricSpec":                                                             schema_k8sio_api_autoscaling_v2beta2_MetricSpec(ref),
-		"k8s.io/api/autoscaling/v2beta2.MetricStatus":                                                           schema_k8sio_api_autoscaling_v2beta2_MetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.MetricTarget":                                                           schema_k8sio_api_autoscaling_v2beta2_MetricTarget(ref),
-		"k8s.io/api/autoscaling/v2beta2.MetricValueStatus":                                                      schema_k8sio_api_autoscaling_v2beta2_MetricValueStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.ObjectMetricSource":                                                     schema_k8sio_api_autoscaling_v2beta2_ObjectMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta2.ObjectMetricStatus":                                                     schema_k8sio_api_autoscaling_v2beta2_ObjectMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.PodsMetricSource":                                                       schema_k8sio_api_autoscaling_v2beta2_PodsMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta2.PodsMetricStatus":                                                       schema_k8sio_api_autoscaling_v2beta2_PodsMetricStatus(ref),
-		"k8s.io/api/autoscaling/v2beta2.ResourceMetricSource":                                                   schema_k8sio_api_autoscaling_v2beta2_ResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v2beta2.ResourceMetricStatus":                                                   schema_k8sio_api_autoscaling_v2beta2_ResourceMetricStatus(ref),
-		"k8s.io/api/batch/v1.CronJob":                                                                           schema_k8sio_api_batch_v1_CronJob(ref),
-		"k8s.io/api/batch/v1.CronJobList":                                                                       schema_k8sio_api_batch_v1_CronJobList(ref),
-		"k8s.io/api/batch/v1.CronJobSpec":                                                                       schema_k8sio_api_batch_v1_CronJobSpec(ref),
-		"k8s.io/api/batch/v1.CronJobStatus":                                                                     schema_k8sio_api_batch_v1_CronJobStatus(ref),
-		"k8s.io/api/batch/v1.Job":                                                                               schema_k8sio_api_batch_v1_Job(ref),
-		"k8s.io/api/batch/v1.JobCondition":                                                                      schema_k8sio_api_batch_v1_JobCondition(ref),
-		"k8s.io/api/batch/v1.JobList":                                                                           schema_k8sio_api_batch_v1_JobList(ref),
-		"k8s.io/api/batch/v1.JobSpec":                                                                           schema_k8sio_api_batch_v1_JobSpec(ref),
-		"k8s.io/api/batch/v1.JobStatus":                                                                         schema_k8sio_api_batch_v1_JobStatus(ref),
-		"k8s.io/api/batch/v1.JobTemplateSpec":                                                                   schema_k8sio_api_batch_v1_JobTemplateSpec(ref),
-		"k8s.io/api/batch/v1.PodFailurePolicy":                                                                  schema_k8sio_api_batch_v1_PodFailurePolicy(ref),
-		"k8s.io/api/batch/v1.PodFailurePolicyOnExitCodesRequirement":                                            schema_k8sio_api_batch_v1_PodFailurePolicyOnExitCodesRequirement(ref),
-		"k8s.io/api/batch/v1.PodFailurePolicyOnPodConditionsPattern":                                            schema_k8sio_api_batch_v1_PodFailurePolicyOnPodConditionsPattern(ref),
-		"k8s.io/api/batch/v1.PodFailurePolicyRule":                                                              schema_k8sio_api_batch_v1_PodFailurePolicyRule(ref),
-		"k8s.io/api/batch/v1.SuccessPolicy":                                                                     schema_k8sio_api_batch_v1_SuccessPolicy(ref),
-		"k8s.io/api/batch/v1.SuccessPolicyRule":                                                                 schema_k8sio_api_batch_v1_SuccessPolicyRule(ref),
-		"k8s.io/api/batch/v1.UncountedTerminatedPods":                                                           schema_k8sio_api_batch_v1_UncountedTerminatedPods(ref),
-		"k8s.io/api/batch/v1beta1.CronJob":                                                                      schema_k8sio_api_batch_v1beta1_CronJob(ref),
-		"k8s.io/api/batch/v1beta1.CronJobList":                                                                  schema_k8sio_api_batch_v1beta1_CronJobList(ref),
-		"k8s.io/api/batch/v1beta1.CronJobSpec":                                                                  schema_k8sio_api_batch_v1beta1_CronJobSpec(ref),
-		"k8s.io/api/batch/v1beta1.CronJobStatus":                                                                schema_k8sio_api_batch_v1beta1_CronJobStatus(ref),
-		"k8s.io/api/batch/v1beta1.JobTemplateSpec":                                                              schema_k8sio_api_batch_v1beta1_JobTemplateSpec(ref),
-		"k8s.io/api/certificates/v1.CertificateSigningRequest":                                                  schema_k8sio_api_certificates_v1_CertificateSigningRequest(ref),
-		"k8s.io/api/certificates/v1.CertificateSigningRequestCondition":                                         schema_k8sio_api_certificates_v1_CertificateSigningRequestCondition(ref),
-		"k8s.io/api/certificates/v1.CertificateSigningRequestList":                                              schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref),
-		"k8s.io/api/certificates/v1.CertificateSigningRequestSpec":                                              schema_k8sio_api_certificates_v1_CertificateSigningRequestSpec(ref),
-		"k8s.io/api/certificates/v1.CertificateSigningRequestStatus":                                            schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref),
-		"k8s.io/api/certificates/v1alpha1.ClusterTrustBundle":                                                   schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref),
-		"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleList":                                               schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref),
-		"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec":                                               schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleSpec(ref),
-		"k8s.io/api/certificates/v1alpha1.PodCertificateRequest":                                                schema_k8sio_api_certificates_v1alpha1_PodCertificateRequest(ref),
-		"k8s.io/api/certificates/v1alpha1.PodCertificateRequestList":                                            schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestList(ref),
-		"k8s.io/api/certificates/v1alpha1.PodCertificateRequestSpec":                                            schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestSpec(ref),
-		"k8s.io/api/certificates/v1alpha1.PodCertificateRequestStatus":                                          schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestStatus(ref),
-		"k8s.io/api/certificates/v1beta1.CertificateSigningRequest":                                             schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref),
-		"k8s.io/api/certificates/v1beta1.CertificateSigningRequestCondition":                                    schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(ref),
-		"k8s.io/api/certificates/v1beta1.CertificateSigningRequestList":                                         schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref),
-		"k8s.io/api/certificates/v1beta1.CertificateSigningRequestSpec":                                         schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestSpec(ref),
-		"k8s.io/api/certificates/v1beta1.CertificateSigningRequestStatus":                                       schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestStatus(ref),
-		"k8s.io/api/certificates/v1beta1.ClusterTrustBundle":                                                    schema_k8sio_api_certificates_v1beta1_ClusterTrustBundle(ref),
-		"k8s.io/api/certificates/v1beta1.ClusterTrustBundleList":                                                schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleList(ref),
-		"k8s.io/api/certificates/v1beta1.ClusterTrustBundleSpec":                                                schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleSpec(ref),
-		"k8s.io/api/coordination/v1.Lease":                                                                      schema_k8sio_api_coordination_v1_Lease(ref),
-		"k8s.io/api/coordination/v1.LeaseList":                                                                  schema_k8sio_api_coordination_v1_LeaseList(ref),
-		"k8s.io/api/coordination/v1.LeaseSpec":                                                                  schema_k8sio_api_coordination_v1_LeaseSpec(ref),
-		"k8s.io/api/coordination/v1alpha2.LeaseCandidate":                                                       schema_k8sio_api_coordination_v1alpha2_LeaseCandidate(ref),
-		"k8s.io/api/coordination/v1alpha2.LeaseCandidateList":                                                   schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref),
-		"k8s.io/api/coordination/v1alpha2.LeaseCandidateSpec":                                                   schema_k8sio_api_coordination_v1alpha2_LeaseCandidateSpec(ref),
-		"k8s.io/api/coordination/v1beta1.Lease":                                                                 schema_k8sio_api_coordination_v1beta1_Lease(ref),
-		"k8s.io/api/coordination/v1beta1.LeaseCandidate":                                                        schema_k8sio_api_coordination_v1beta1_LeaseCandidate(ref),
-		"k8s.io/api/coordination/v1beta1.LeaseCandidateList":                                                    schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref),
-		"k8s.io/api/coordination/v1beta1.LeaseCandidateSpec":                                                    schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref),
-		"k8s.io/api/coordination/v1beta1.LeaseList":                                                             schema_k8sio_api_coordination_v1beta1_LeaseList(ref),
-		"k8s.io/api/coordination/v1beta1.LeaseSpec":                                                             schema_k8sio_api_coordination_v1beta1_LeaseSpec(ref),
-		"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource":                                                   schema_k8sio_api_core_v1_AWSElasticBlockStoreVolumeSource(ref),
-		"k8s.io/api/core/v1.Affinity":                                                                           schema_k8sio_api_core_v1_Affinity(ref),
-		"k8s.io/api/core/v1.AppArmorProfile":                                                                    schema_k8sio_api_core_v1_AppArmorProfile(ref),
-		"k8s.io/api/core/v1.AttachedVolume":                                                                     schema_k8sio_api_core_v1_AttachedVolume(ref),
-		"k8s.io/api/core/v1.AvoidPods":                                                                          schema_k8sio_api_core_v1_AvoidPods(ref),
-		"k8s.io/api/core/v1.AzureDiskVolumeSource":                                                              schema_k8sio_api_core_v1_AzureDiskVolumeSource(ref),
-		"k8s.io/api/core/v1.AzureFilePersistentVolumeSource":                                                    schema_k8sio_api_core_v1_AzureFilePersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.AzureFileVolumeSource":                                                              schema_k8sio_api_core_v1_AzureFileVolumeSource(ref),
-		"k8s.io/api/core/v1.Binding":                                                                            schema_k8sio_api_core_v1_Binding(ref),
-		"k8s.io/api/core/v1.CSIPersistentVolumeSource":                                                          schema_k8sio_api_core_v1_CSIPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.CSIVolumeSource":                                                                    schema_k8sio_api_core_v1_CSIVolumeSource(ref),
-		"k8s.io/api/core/v1.Capabilities":                                                                       schema_k8sio_api_core_v1_Capabilities(ref),
-		"k8s.io/api/core/v1.CephFSPersistentVolumeSource":                                                       schema_k8sio_api_core_v1_CephFSPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.CephFSVolumeSource":                                                                 schema_k8sio_api_core_v1_CephFSVolumeSource(ref),
-		"k8s.io/api/core/v1.CinderPersistentVolumeSource":                                                       schema_k8sio_api_core_v1_CinderPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.CinderVolumeSource":                                                                 schema_k8sio_api_core_v1_CinderVolumeSource(ref),
-		"k8s.io/api/core/v1.ClientIPConfig":                                                                     schema_k8sio_api_core_v1_ClientIPConfig(ref),
-		"k8s.io/api/core/v1.ClusterTrustBundleProjection":                                                       schema_k8sio_api_core_v1_ClusterTrustBundleProjection(ref),
-		"k8s.io/api/core/v1.ComponentCondition":                                                                 schema_k8sio_api_core_v1_ComponentCondition(ref),
-		"k8s.io/api/core/v1.ComponentStatus":                                                                    schema_k8sio_api_core_v1_ComponentStatus(ref),
-		"k8s.io/api/core/v1.ComponentStatusList":                                                                schema_k8sio_api_core_v1_ComponentStatusList(ref),
-		"k8s.io/api/core/v1.ConfigMap":                                                                          schema_k8sio_api_core_v1_ConfigMap(ref),
-		"k8s.io/api/core/v1.ConfigMapEnvSource":                                                                 schema_k8sio_api_core_v1_ConfigMapEnvSource(ref),
-		"k8s.io/api/core/v1.ConfigMapKeySelector":                                                               schema_k8sio_api_core_v1_ConfigMapKeySelector(ref),
-		"k8s.io/api/core/v1.ConfigMapList":                                                                      schema_k8sio_api_core_v1_ConfigMapList(ref),
-		"k8s.io/api/core/v1.ConfigMapNodeConfigSource":                                                          schema_k8sio_api_core_v1_ConfigMapNodeConfigSource(ref),
-		"k8s.io/api/core/v1.ConfigMapProjection":                                                                schema_k8sio_api_core_v1_ConfigMapProjection(ref),
-		"k8s.io/api/core/v1.ConfigMapVolumeSource":                                                              schema_k8sio_api_core_v1_ConfigMapVolumeSource(ref),
-		"k8s.io/api/core/v1.Container":                                                                          schema_k8sio_api_core_v1_Container(ref),
-		"k8s.io/api/core/v1.ContainerExtendedResourceRequest":                                                   schema_k8sio_api_core_v1_ContainerExtendedResourceRequest(ref),
-		"k8s.io/api/core/v1.ContainerImage":                                                                     schema_k8sio_api_core_v1_ContainerImage(ref),
-		"k8s.io/api/core/v1.ContainerPort":                                                                      schema_k8sio_api_core_v1_ContainerPort(ref),
-		"k8s.io/api/core/v1.ContainerResizePolicy":                                                              schema_k8sio_api_core_v1_ContainerResizePolicy(ref),
-		"k8s.io/api/core/v1.ContainerRestartRule":                                                               schema_k8sio_api_core_v1_ContainerRestartRule(ref),
-		"k8s.io/api/core/v1.ContainerRestartRuleOnExitCodes":                                                    schema_k8sio_api_core_v1_ContainerRestartRuleOnExitCodes(ref),
-		"k8s.io/api/core/v1.ContainerState":                                                                     schema_k8sio_api_core_v1_ContainerState(ref),
-		"k8s.io/api/core/v1.ContainerStateRunning":                                                              schema_k8sio_api_core_v1_ContainerStateRunning(ref),
-		"k8s.io/api/core/v1.ContainerStateTerminated":                                                           schema_k8sio_api_core_v1_ContainerStateTerminated(ref),
-		"k8s.io/api/core/v1.ContainerStateWaiting":                                                              schema_k8sio_api_core_v1_ContainerStateWaiting(ref),
-		"k8s.io/api/core/v1.ContainerStatus":                                                                    schema_k8sio_api_core_v1_ContainerStatus(ref),
-		"k8s.io/api/core/v1.ContainerUser":                                                                      schema_k8sio_api_core_v1_ContainerUser(ref),
-		"k8s.io/api/core/v1.DaemonEndpoint":                                                                     schema_k8sio_api_core_v1_DaemonEndpoint(ref),
-		"k8s.io/api/core/v1.DownwardAPIProjection":                                                              schema_k8sio_api_core_v1_DownwardAPIProjection(ref),
-		"k8s.io/api/core/v1.DownwardAPIVolumeFile":                                                              schema_k8sio_api_core_v1_DownwardAPIVolumeFile(ref),
-		"k8s.io/api/core/v1.DownwardAPIVolumeSource":                                                            schema_k8sio_api_core_v1_DownwardAPIVolumeSource(ref),
-		"k8s.io/api/core/v1.EmptyDirVolumeSource":                                                               schema_k8sio_api_core_v1_EmptyDirVolumeSource(ref),
-		"k8s.io/api/core/v1.EndpointAddress":                                                                    schema_k8sio_api_core_v1_EndpointAddress(ref),
-		"k8s.io/api/core/v1.EndpointPort":                                                                       schema_k8sio_api_core_v1_EndpointPort(ref),
-		"k8s.io/api/core/v1.EndpointSubset":                                                                     schema_k8sio_api_core_v1_EndpointSubset(ref),
-		"k8s.io/api/core/v1.Endpoints":                                                                          schema_k8sio_api_core_v1_Endpoints(ref),
-		"k8s.io/api/core/v1.EndpointsList":                                                                      schema_k8sio_api_core_v1_EndpointsList(ref),
-		"k8s.io/api/core/v1.EnvFromSource":                                                                      schema_k8sio_api_core_v1_EnvFromSource(ref),
-		"k8s.io/api/core/v1.EnvVar":                                                                             schema_k8sio_api_core_v1_EnvVar(ref),
-		"k8s.io/api/core/v1.EnvVarSource":                                                                       schema_k8sio_api_core_v1_EnvVarSource(ref),
-		"k8s.io/api/core/v1.EphemeralContainer":                                                                 schema_k8sio_api_core_v1_EphemeralContainer(ref),
-		"k8s.io/api/core/v1.EphemeralContainerCommon":                                                           schema_k8sio_api_core_v1_EphemeralContainerCommon(ref),
-		"k8s.io/api/core/v1.EphemeralVolumeSource":                                                              schema_k8sio_api_core_v1_EphemeralVolumeSource(ref),
-		"k8s.io/api/core/v1.Event":                                                                              schema_k8sio_api_core_v1_Event(ref),
-		"k8s.io/api/core/v1.EventList":                                                                          schema_k8sio_api_core_v1_EventList(ref),
-		"k8s.io/api/core/v1.EventSeries":                                                                        schema_k8sio_api_core_v1_EventSeries(ref),
-		"k8s.io/api/core/v1.EventSource":                                                                        schema_k8sio_api_core_v1_EventSource(ref),
-		"k8s.io/api/core/v1.ExecAction":                                                                         schema_k8sio_api_core_v1_ExecAction(ref),
-		"k8s.io/api/core/v1.FCVolumeSource":                                                                     schema_k8sio_api_core_v1_FCVolumeSource(ref),
-		"k8s.io/api/core/v1.FileKeySelector":                                                                    schema_k8sio_api_core_v1_FileKeySelector(ref),
-		"k8s.io/api/core/v1.FlexPersistentVolumeSource":                                                         schema_k8sio_api_core_v1_FlexPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.FlexVolumeSource":                                                                   schema_k8sio_api_core_v1_FlexVolumeSource(ref),
-		"k8s.io/api/core/v1.FlockerVolumeSource":                                                                schema_k8sio_api_core_v1_FlockerVolumeSource(ref),
-		"k8s.io/api/core/v1.GCEPersistentDiskVolumeSource":                                                      schema_k8sio_api_core_v1_GCEPersistentDiskVolumeSource(ref),
-		"k8s.io/api/core/v1.GRPCAction":                                                                         schema_k8sio_api_core_v1_GRPCAction(ref),
-		"k8s.io/api/core/v1.GitRepoVolumeSource":                                                                schema_k8sio_api_core_v1_GitRepoVolumeSource(ref),
-		"k8s.io/api/core/v1.GlusterfsPersistentVolumeSource":                                                    schema_k8sio_api_core_v1_GlusterfsPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.GlusterfsVolumeSource":                                                              schema_k8sio_api_core_v1_GlusterfsVolumeSource(ref),
-		"k8s.io/api/core/v1.HTTPGetAction":                                                                      schema_k8sio_api_core_v1_HTTPGetAction(ref),
-		"k8s.io/api/core/v1.HTTPHeader":                                                                         schema_k8sio_api_core_v1_HTTPHeader(ref),
-		"k8s.io/api/core/v1.HostAlias":                                                                          schema_k8sio_api_core_v1_HostAlias(ref),
-		"k8s.io/api/core/v1.HostIP":                                                                             schema_k8sio_api_core_v1_HostIP(ref),
-		"k8s.io/api/core/v1.HostPathVolumeSource":                                                               schema_k8sio_api_core_v1_HostPathVolumeSource(ref),
-		"k8s.io/api/core/v1.ISCSIPersistentVolumeSource":                                                        schema_k8sio_api_core_v1_ISCSIPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.ISCSIVolumeSource":                                                                  schema_k8sio_api_core_v1_ISCSIVolumeSource(ref),
-		"k8s.io/api/core/v1.ImageVolumeSource":                                                                  schema_k8sio_api_core_v1_ImageVolumeSource(ref),
-		"k8s.io/api/core/v1.KeyToPath":                                                                          schema_k8sio_api_core_v1_KeyToPath(ref),
-		"k8s.io/api/core/v1.Lifecycle":                                                                          schema_k8sio_api_core_v1_Lifecycle(ref),
-		"k8s.io/api/core/v1.LifecycleHandler":                                                                   schema_k8sio_api_core_v1_LifecycleHandler(ref),
-		"k8s.io/api/core/v1.LimitRange":                                                                         schema_k8sio_api_core_v1_LimitRange(ref),
-		"k8s.io/api/core/v1.LimitRangeItem":                                                                     schema_k8sio_api_core_v1_LimitRangeItem(ref),
-		"k8s.io/api/core/v1.LimitRangeList":                                                                     schema_k8sio_api_core_v1_LimitRangeList(ref),
-		"k8s.io/api/core/v1.LimitRangeSpec":                                                                     schema_k8sio_api_core_v1_LimitRangeSpec(ref),
-		"k8s.io/api/core/v1.LinuxContainerUser":                                                                 schema_k8sio_api_core_v1_LinuxContainerUser(ref),
-		"k8s.io/api/core/v1.List":                                                                               schema_k8sio_api_core_v1_List(ref),
-		"k8s.io/api/core/v1.LoadBalancerIngress":                                                                schema_k8sio_api_core_v1_LoadBalancerIngress(ref),
-		"k8s.io/api/core/v1.LoadBalancerStatus":                                                                 schema_k8sio_api_core_v1_LoadBalancerStatus(ref),
-		"k8s.io/api/core/v1.LocalObjectReference":                                                               schema_k8sio_api_core_v1_LocalObjectReference(ref),
-		"k8s.io/api/core/v1.LocalVolumeSource":                                                                  schema_k8sio_api_core_v1_LocalVolumeSource(ref),
-		"k8s.io/api/core/v1.ModifyVolumeStatus":                                                                 schema_k8sio_api_core_v1_ModifyVolumeStatus(ref),
-		"k8s.io/api/core/v1.NFSVolumeSource":                                                                    schema_k8sio_api_core_v1_NFSVolumeSource(ref),
-		"k8s.io/api/core/v1.Namespace":                                                                          schema_k8sio_api_core_v1_Namespace(ref),
-		"k8s.io/api/core/v1.NamespaceCondition":                                                                 schema_k8sio_api_core_v1_NamespaceCondition(ref),
-		"k8s.io/api/core/v1.NamespaceList":                                                                      schema_k8sio_api_core_v1_NamespaceList(ref),
-		"k8s.io/api/core/v1.NamespaceSpec":                                                                      schema_k8sio_api_core_v1_NamespaceSpec(ref),
-		"k8s.io/api/core/v1.NamespaceStatus":                                                                    schema_k8sio_api_core_v1_NamespaceStatus(ref),
-		"k8s.io/api/core/v1.Node":                                                                               schema_k8sio_api_core_v1_Node(ref),
-		"k8s.io/api/core/v1.NodeAddress":                                                                        schema_k8sio_api_core_v1_NodeAddress(ref),
-		"k8s.io/api/core/v1.NodeAffinity":                                                                       schema_k8sio_api_core_v1_NodeAffinity(ref),
-		"k8s.io/api/core/v1.NodeCondition":                                                                      schema_k8sio_api_core_v1_NodeCondition(ref),
-		"k8s.io/api/core/v1.NodeConfigSource":                                                                   schema_k8sio_api_core_v1_NodeConfigSource(ref),
-		"k8s.io/api/core/v1.NodeConfigStatus":                                                                   schema_k8sio_api_core_v1_NodeConfigStatus(ref),
-		"k8s.io/api/core/v1.NodeDaemonEndpoints":                                                                schema_k8sio_api_core_v1_NodeDaemonEndpoints(ref),
-		"k8s.io/api/core/v1.NodeFeatures":                                                                       schema_k8sio_api_core_v1_NodeFeatures(ref),
-		"k8s.io/api/core/v1.NodeList":                                                                           schema_k8sio_api_core_v1_NodeList(ref),
-		"k8s.io/api/core/v1.NodeProxyOptions":                                                                   schema_k8sio_api_core_v1_NodeProxyOptions(ref),
-		"k8s.io/api/core/v1.NodeRuntimeHandler":                                                                 schema_k8sio_api_core_v1_NodeRuntimeHandler(ref),
-		"k8s.io/api/core/v1.NodeRuntimeHandlerFeatures":                                                         schema_k8sio_api_core_v1_NodeRuntimeHandlerFeatures(ref),
-		"k8s.io/api/core/v1.NodeSelector":                                                                       schema_k8sio_api_core_v1_NodeSelector(ref),
-		"k8s.io/api/core/v1.NodeSelectorRequirement":                                                            schema_k8sio_api_core_v1_NodeSelectorRequirement(ref),
-		"k8s.io/api/core/v1.NodeSelectorTerm":                                                                   schema_k8sio_api_core_v1_NodeSelectorTerm(ref),
-		"k8s.io/api/core/v1.NodeSpec":                                                                           schema_k8sio_api_core_v1_NodeSpec(ref),
-		"k8s.io/api/core/v1.NodeStatus":                                                                         schema_k8sio_api_core_v1_NodeStatus(ref),
-		"k8s.io/api/core/v1.NodeSwapStatus":                                                                     schema_k8sio_api_core_v1_NodeSwapStatus(ref),
-		"k8s.io/api/core/v1.NodeSystemInfo":                                                                     schema_k8sio_api_core_v1_NodeSystemInfo(ref),
-		"k8s.io/api/core/v1.ObjectFieldSelector":                                                                schema_k8sio_api_core_v1_ObjectFieldSelector(ref),
-		"k8s.io/api/core/v1.ObjectReference":                                                                    schema_k8sio_api_core_v1_ObjectReference(ref),
-		"k8s.io/api/core/v1.PersistentVolume":                                                                   schema_k8sio_api_core_v1_PersistentVolume(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaim":                                                              schema_k8sio_api_core_v1_PersistentVolumeClaim(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimCondition":                                                     schema_k8sio_api_core_v1_PersistentVolumeClaimCondition(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimList":                                                          schema_k8sio_api_core_v1_PersistentVolumeClaimList(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimSpec":                                                          schema_k8sio_api_core_v1_PersistentVolumeClaimSpec(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimStatus":                                                        schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimTemplate":                                                      schema_k8sio_api_core_v1_PersistentVolumeClaimTemplate(ref),
-		"k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource":                                                  schema_k8sio_api_core_v1_PersistentVolumeClaimVolumeSource(ref),
-		"k8s.io/api/core/v1.PersistentVolumeList":                                                               schema_k8sio_api_core_v1_PersistentVolumeList(ref),
-		"k8s.io/api/core/v1.PersistentVolumeSource":                                                             schema_k8sio_api_core_v1_PersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.PersistentVolumeSpec":                                                               schema_k8sio_api_core_v1_PersistentVolumeSpec(ref),
-		"k8s.io/api/core/v1.PersistentVolumeStatus":                                                             schema_k8sio_api_core_v1_PersistentVolumeStatus(ref),
-		"k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource":                                                   schema_k8sio_api_core_v1_PhotonPersistentDiskVolumeSource(ref),
-		"k8s.io/api/core/v1.Pod":                                                                                schema_k8sio_api_core_v1_Pod(ref),
-		"k8s.io/api/core/v1.PodAffinity":                                                                        schema_k8sio_api_core_v1_PodAffinity(ref),
-		"k8s.io/api/core/v1.PodAffinityTerm":                                                                    schema_k8sio_api_core_v1_PodAffinityTerm(ref),
-		"k8s.io/api/core/v1.PodAntiAffinity":                                                                    schema_k8sio_api_core_v1_PodAntiAffinity(ref),
-		"k8s.io/api/core/v1.PodAttachOptions":                                                                   schema_k8sio_api_core_v1_PodAttachOptions(ref),
-		"k8s.io/api/core/v1.PodCertificateProjection":                                                           schema_k8sio_api_core_v1_PodCertificateProjection(ref),
-		"k8s.io/api/core/v1.PodCondition":                                                                       schema_k8sio_api_core_v1_PodCondition(ref),
-		"k8s.io/api/core/v1.PodDNSConfig":                                                                       schema_k8sio_api_core_v1_PodDNSConfig(ref),
-		"k8s.io/api/core/v1.PodDNSConfigOption":                                                                 schema_k8sio_api_core_v1_PodDNSConfigOption(ref),
-		"k8s.io/api/core/v1.PodExecOptions":                                                                     schema_k8sio_api_core_v1_PodExecOptions(ref),
-		"k8s.io/api/core/v1.PodExtendedResourceClaimStatus":                                                     schema_k8sio_api_core_v1_PodExtendedResourceClaimStatus(ref),
-		"k8s.io/api/core/v1.PodIP":                                                                              schema_k8sio_api_core_v1_PodIP(ref),
-		"k8s.io/api/core/v1.PodList":                                                                            schema_k8sio_api_core_v1_PodList(ref),
-		"k8s.io/api/core/v1.PodLogOptions":                                                                      schema_k8sio_api_core_v1_PodLogOptions(ref),
-		"k8s.io/api/core/v1.PodOS":                                                                              schema_k8sio_api_core_v1_PodOS(ref),
-		"k8s.io/api/core/v1.PodPortForwardOptions":                                                              schema_k8sio_api_core_v1_PodPortForwardOptions(ref),
-		"k8s.io/api/core/v1.PodProxyOptions":                                                                    schema_k8sio_api_core_v1_PodProxyOptions(ref),
-		"k8s.io/api/core/v1.PodReadinessGate":                                                                   schema_k8sio_api_core_v1_PodReadinessGate(ref),
-		"k8s.io/api/core/v1.PodResourceClaim":                                                                   schema_k8sio_api_core_v1_PodResourceClaim(ref),
-		"k8s.io/api/core/v1.PodResourceClaimStatus":                                                             schema_k8sio_api_core_v1_PodResourceClaimStatus(ref),
-		"k8s.io/api/core/v1.PodSchedulingGate":                                                                  schema_k8sio_api_core_v1_PodSchedulingGate(ref),
-		"k8s.io/api/core/v1.PodSecurityContext":                                                                 schema_k8sio_api_core_v1_PodSecurityContext(ref),
-		"k8s.io/api/core/v1.PodSignature":                                                                       schema_k8sio_api_core_v1_PodSignature(ref),
-		"k8s.io/api/core/v1.PodSpec":                                                                            schema_k8sio_api_core_v1_PodSpec(ref),
-		"k8s.io/api/core/v1.PodStatus":                                                                          schema_k8sio_api_core_v1_PodStatus(ref),
-		"k8s.io/api/core/v1.PodStatusResult":                                                                    schema_k8sio_api_core_v1_PodStatusResult(ref),
-		"k8s.io/api/core/v1.PodTemplate":                                                                        schema_k8sio_api_core_v1_PodTemplate(ref),
-		"k8s.io/api/core/v1.PodTemplateList":                                                                    schema_k8sio_api_core_v1_PodTemplateList(ref),
-		"k8s.io/api/core/v1.PodTemplateSpec":                                                                    schema_k8sio_api_core_v1_PodTemplateSpec(ref),
-		"k8s.io/api/core/v1.PortStatus":                                                                         schema_k8sio_api_core_v1_PortStatus(ref),
-		"k8s.io/api/core/v1.PortworxVolumeSource":                                                               schema_k8sio_api_core_v1_PortworxVolumeSource(ref),
-		"k8s.io/api/core/v1.PreferAvoidPodsEntry":                                                               schema_k8sio_api_core_v1_PreferAvoidPodsEntry(ref),
-		"k8s.io/api/core/v1.PreferredSchedulingTerm":                                                            schema_k8sio_api_core_v1_PreferredSchedulingTerm(ref),
-		"k8s.io/api/core/v1.Probe":                                                                              schema_k8sio_api_core_v1_Probe(ref),
-		"k8s.io/api/core/v1.ProbeHandler":                                                                       schema_k8sio_api_core_v1_ProbeHandler(ref),
-		"k8s.io/api/core/v1.ProjectedVolumeSource":                                                              schema_k8sio_api_core_v1_ProjectedVolumeSource(ref),
-		"k8s.io/api/core/v1.QuobyteVolumeSource":                                                                schema_k8sio_api_core_v1_QuobyteVolumeSource(ref),
-		"k8s.io/api/core/v1.RBDPersistentVolumeSource":                                                          schema_k8sio_api_core_v1_RBDPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.RBDVolumeSource":                                                                    schema_k8sio_api_core_v1_RBDVolumeSource(ref),
-		"k8s.io/api/core/v1.RangeAllocation":                                                                    schema_k8sio_api_core_v1_RangeAllocation(ref),
-		"k8s.io/api/core/v1.ReplicationController":                                                              schema_k8sio_api_core_v1_ReplicationController(ref),
-		"k8s.io/api/core/v1.ReplicationControllerCondition":                                                     schema_k8sio_api_core_v1_ReplicationControllerCondition(ref),
-		"k8s.io/api/core/v1.ReplicationControllerList":                                                          schema_k8sio_api_core_v1_ReplicationControllerList(ref),
-		"k8s.io/api/core/v1.ReplicationControllerSpec":                                                          schema_k8sio_api_core_v1_ReplicationControllerSpec(ref),
-		"k8s.io/api/core/v1.ReplicationControllerStatus":                                                        schema_k8sio_api_core_v1_ReplicationControllerStatus(ref),
-		"k8s.io/api/core/v1.ResourceClaim":                                                                      schema_k8sio_api_core_v1_ResourceClaim(ref),
-		"k8s.io/api/core/v1.ResourceFieldSelector":                                                              schema_k8sio_api_core_v1_ResourceFieldSelector(ref),
-		"k8s.io/api/core/v1.ResourceHealth":                                                                     schema_k8sio_api_core_v1_ResourceHealth(ref),
-		"k8s.io/api/core/v1.ResourceQuota":                                                                      schema_k8sio_api_core_v1_ResourceQuota(ref),
-		"k8s.io/api/core/v1.ResourceQuotaList":                                                                  schema_k8sio_api_core_v1_ResourceQuotaList(ref),
-		"k8s.io/api/core/v1.ResourceQuotaSpec":                                                                  schema_k8sio_api_core_v1_ResourceQuotaSpec(ref),
-		"k8s.io/api/core/v1.ResourceQuotaStatus":                                                                schema_k8sio_api_core_v1_ResourceQuotaStatus(ref),
-		"k8s.io/api/core/v1.ResourceRequirements":                                                               schema_k8sio_api_core_v1_ResourceRequirements(ref),
-		"k8s.io/api/core/v1.ResourceStatus":                                                                     schema_k8sio_api_core_v1_ResourceStatus(ref),
-		"k8s.io/api/core/v1.SELinuxOptions":                                                                     schema_k8sio_api_core_v1_SELinuxOptions(ref),
-		"k8s.io/api/core/v1.ScaleIOPersistentVolumeSource":                                                      schema_k8sio_api_core_v1_ScaleIOPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.ScaleIOVolumeSource":                                                                schema_k8sio_api_core_v1_ScaleIOVolumeSource(ref),
-		"k8s.io/api/core/v1.ScopeSelector":                                                                      schema_k8sio_api_core_v1_ScopeSelector(ref),
-		"k8s.io/api/core/v1.ScopedResourceSelectorRequirement":                                                  schema_k8sio_api_core_v1_ScopedResourceSelectorRequirement(ref),
-		"k8s.io/api/core/v1.SeccompProfile":                                                                     schema_k8sio_api_core_v1_SeccompProfile(ref),
-		"k8s.io/api/core/v1.Secret":                                                                             schema_k8sio_api_core_v1_Secret(ref),
-		"k8s.io/api/core/v1.SecretEnvSource":                                                                    schema_k8sio_api_core_v1_SecretEnvSource(ref),
-		"k8s.io/api/core/v1.SecretKeySelector":                                                                  schema_k8sio_api_core_v1_SecretKeySelector(ref),
-		"k8s.io/api/core/v1.SecretList":                                                                         schema_k8sio_api_core_v1_SecretList(ref),
-		"k8s.io/api/core/v1.SecretProjection":                                                                   schema_k8sio_api_core_v1_SecretProjection(ref),
-		"k8s.io/api/core/v1.SecretReference":                                                                    schema_k8sio_api_core_v1_SecretReference(ref),
-		"k8s.io/api/core/v1.SecretVolumeSource":                                                                 schema_k8sio_api_core_v1_SecretVolumeSource(ref),
-		"k8s.io/api/core/v1.SecurityContext":                                                                    schema_k8sio_api_core_v1_SecurityContext(ref),
-		"k8s.io/api/core/v1.SerializedReference":                                                                schema_k8sio_api_core_v1_SerializedReference(ref),
-		"k8s.io/api/core/v1.Service":                                                                            schema_k8sio_api_core_v1_Service(ref),
-		"k8s.io/api/core/v1.ServiceAccount":                                                                     schema_k8sio_api_core_v1_ServiceAccount(ref),
-		"k8s.io/api/core/v1.ServiceAccountList":                                                                 schema_k8sio_api_core_v1_ServiceAccountList(ref),
-		"k8s.io/api/core/v1.ServiceAccountTokenProjection":                                                      schema_k8sio_api_core_v1_ServiceAccountTokenProjection(ref),
-		"k8s.io/api/core/v1.ServiceList":                                                                        schema_k8sio_api_core_v1_ServiceList(ref),
-		"k8s.io/api/core/v1.ServicePort":                                                                        schema_k8sio_api_core_v1_ServicePort(ref),
-		"k8s.io/api/core/v1.ServiceProxyOptions":                                                                schema_k8sio_api_core_v1_ServiceProxyOptions(ref),
-		"k8s.io/api/core/v1.ServiceSpec":                                                                        schema_k8sio_api_core_v1_ServiceSpec(ref),
-		"k8s.io/api/core/v1.ServiceStatus":                                                                      schema_k8sio_api_core_v1_ServiceStatus(ref),
-		"k8s.io/api/core/v1.SessionAffinityConfig":                                                              schema_k8sio_api_core_v1_SessionAffinityConfig(ref),
-		"k8s.io/api/core/v1.SleepAction":                                                                        schema_k8sio_api_core_v1_SleepAction(ref),
-		"k8s.io/api/core/v1.StorageOSPersistentVolumeSource":                                                    schema_k8sio_api_core_v1_StorageOSPersistentVolumeSource(ref),
-		"k8s.io/api/core/v1.StorageOSVolumeSource":                                                              schema_k8sio_api_core_v1_StorageOSVolumeSource(ref),
-		"k8s.io/api/core/v1.Sysctl":                                                                             schema_k8sio_api_core_v1_Sysctl(ref),
-		"k8s.io/api/core/v1.TCPSocketAction":                                                                    schema_k8sio_api_core_v1_TCPSocketAction(ref),
-		"k8s.io/api/core/v1.Taint":                                                                              schema_k8sio_api_core_v1_Taint(ref),
-		"k8s.io/api/core/v1.Toleration":                                                                         schema_k8sio_api_core_v1_Toleration(ref),
-		"k8s.io/api/core/v1.TopologySelectorLabelRequirement":                                                   schema_k8sio_api_core_v1_TopologySelectorLabelRequirement(ref),
-		"k8s.io/api/core/v1.TopologySelectorTerm":                                                               schema_k8sio_api_core_v1_TopologySelectorTerm(ref),
-		"k8s.io/api/core/v1.TopologySpreadConstraint":                                                           schema_k8sio_api_core_v1_TopologySpreadConstraint(ref),
-		"k8s.io/api/core/v1.TypedLocalObjectReference":                                                          schema_k8sio_api_core_v1_TypedLocalObjectReference(ref),
-		"k8s.io/api/core/v1.TypedObjectReference":                                                               schema_k8sio_api_core_v1_TypedObjectReference(ref),
-		"k8s.io/api/core/v1.Volume":                                                                             schema_k8sio_api_core_v1_Volume(ref),
-		"k8s.io/api/core/v1.VolumeDevice":                                                                       schema_k8sio_api_core_v1_VolumeDevice(ref),
-		"k8s.io/api/core/v1.VolumeMount":                                                                        schema_k8sio_api_core_v1_VolumeMount(ref),
-		"k8s.io/api/core/v1.VolumeMountStatus":                                                                  schema_k8sio_api_core_v1_VolumeMountStatus(ref),
-		"k8s.io/api/core/v1.VolumeNodeAffinity":                                                                 schema_k8sio_api_core_v1_VolumeNodeAffinity(ref),
-		"k8s.io/api/core/v1.VolumeProjection":                                                                   schema_k8sio_api_core_v1_VolumeProjection(ref),
-		"k8s.io/api/core/v1.VolumeResourceRequirements":                                                         schema_k8sio_api_core_v1_VolumeResourceRequirements(ref),
-		"k8s.io/api/core/v1.VolumeSource":                                                                       schema_k8sio_api_core_v1_VolumeSource(ref),
-		"k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource":                                                     schema_k8sio_api_core_v1_VsphereVirtualDiskVolumeSource(ref),
-		"k8s.io/api/core/v1.WeightedPodAffinityTerm":                                                            schema_k8sio_api_core_v1_WeightedPodAffinityTerm(ref),
-		"k8s.io/api/core/v1.WindowsSecurityContextOptions":                                                      schema_k8sio_api_core_v1_WindowsSecurityContextOptions(ref),
-		"k8s.io/api/discovery/v1.Endpoint":                                                                      schema_k8sio_api_discovery_v1_Endpoint(ref),
-		"k8s.io/api/discovery/v1.EndpointConditions":                                                            schema_k8sio_api_discovery_v1_EndpointConditions(ref),
-		"k8s.io/api/discovery/v1.EndpointHints":                                                                 schema_k8sio_api_discovery_v1_EndpointHints(ref),
-		"k8s.io/api/discovery/v1.EndpointPort":                                                                  schema_k8sio_api_discovery_v1_EndpointPort(ref),
-		"k8s.io/api/discovery/v1.EndpointSlice":                                                                 schema_k8sio_api_discovery_v1_EndpointSlice(ref),
-		"k8s.io/api/discovery/v1.EndpointSliceList":                                                             schema_k8sio_api_discovery_v1_EndpointSliceList(ref),
-		"k8s.io/api/discovery/v1.ForNode":                                                                       schema_k8sio_api_discovery_v1_ForNode(ref),
-		"k8s.io/api/discovery/v1.ForZone":                                                                       schema_k8sio_api_discovery_v1_ForZone(ref),
-		"k8s.io/api/discovery/v1beta1.Endpoint":                                                                 schema_k8sio_api_discovery_v1beta1_Endpoint(ref),
-		"k8s.io/api/discovery/v1beta1.EndpointConditions":                                                       schema_k8sio_api_discovery_v1beta1_EndpointConditions(ref),
-		"k8s.io/api/discovery/v1beta1.EndpointHints":                                                            schema_k8sio_api_discovery_v1beta1_EndpointHints(ref),
-		"k8s.io/api/discovery/v1beta1.EndpointPort":                                                             schema_k8sio_api_discovery_v1beta1_EndpointPort(ref),
-		"k8s.io/api/discovery/v1beta1.EndpointSlice":                                                            schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref),
-		"k8s.io/api/discovery/v1beta1.EndpointSliceList":                                                        schema_k8sio_api_discovery_v1beta1_EndpointSliceList(ref),
-		"k8s.io/api/discovery/v1beta1.ForNode":                                                                  schema_k8sio_api_discovery_v1beta1_ForNode(ref),
-		"k8s.io/api/discovery/v1beta1.ForZone":                                                                  schema_k8sio_api_discovery_v1beta1_ForZone(ref),
-		"k8s.io/api/events/v1.Event":                                                                            schema_k8sio_api_events_v1_Event(ref),
-		"k8s.io/api/events/v1.EventList":                                                                        schema_k8sio_api_events_v1_EventList(ref),
-		"k8s.io/api/events/v1.EventSeries":                                                                      schema_k8sio_api_events_v1_EventSeries(ref),
-		"k8s.io/api/events/v1beta1.Event":                                                                       schema_k8sio_api_events_v1beta1_Event(ref),
-		"k8s.io/api/events/v1beta1.EventList":                                                                   schema_k8sio_api_events_v1beta1_EventList(ref),
-		"k8s.io/api/events/v1beta1.EventSeries":                                                                 schema_k8sio_api_events_v1beta1_EventSeries(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSet":                                                               schema_k8sio_api_extensions_v1beta1_DaemonSet(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSetCondition":                                                      schema_k8sio_api_extensions_v1beta1_DaemonSetCondition(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSetList":                                                           schema_k8sio_api_extensions_v1beta1_DaemonSetList(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSetSpec":                                                           schema_k8sio_api_extensions_v1beta1_DaemonSetSpec(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSetStatus":                                                         schema_k8sio_api_extensions_v1beta1_DaemonSetStatus(ref),
-		"k8s.io/api/extensions/v1beta1.DaemonSetUpdateStrategy":                                                 schema_k8sio_api_extensions_v1beta1_DaemonSetUpdateStrategy(ref),
-		"k8s.io/api/extensions/v1beta1.Deployment":                                                              schema_k8sio_api_extensions_v1beta1_Deployment(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentCondition":                                                     schema_k8sio_api_extensions_v1beta1_DeploymentCondition(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentList":                                                          schema_k8sio_api_extensions_v1beta1_DeploymentList(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentRollback":                                                      schema_k8sio_api_extensions_v1beta1_DeploymentRollback(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentSpec":                                                          schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentStatus":                                                        schema_k8sio_api_extensions_v1beta1_DeploymentStatus(ref),
-		"k8s.io/api/extensions/v1beta1.DeploymentStrategy":                                                      schema_k8sio_api_extensions_v1beta1_DeploymentStrategy(ref),
-		"k8s.io/api/extensions/v1beta1.HTTPIngressPath":                                                         schema_k8sio_api_extensions_v1beta1_HTTPIngressPath(ref),
-		"k8s.io/api/extensions/v1beta1.HTTPIngressRuleValue":                                                    schema_k8sio_api_extensions_v1beta1_HTTPIngressRuleValue(ref),
-		"k8s.io/api/extensions/v1beta1.IPBlock":                                                                 schema_k8sio_api_extensions_v1beta1_IPBlock(ref),
-		"k8s.io/api/extensions/v1beta1.Ingress":                                                                 schema_k8sio_api_extensions_v1beta1_Ingress(ref),
-		"k8s.io/api/extensions/v1beta1.IngressBackend":                                                          schema_k8sio_api_extensions_v1beta1_IngressBackend(ref),
-		"k8s.io/api/extensions/v1beta1.IngressList":                                                             schema_k8sio_api_extensions_v1beta1_IngressList(ref),
-		"k8s.io/api/extensions/v1beta1.IngressLoadBalancerIngress":                                              schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerIngress(ref),
-		"k8s.io/api/extensions/v1beta1.IngressLoadBalancerStatus":                                               schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerStatus(ref),
-		"k8s.io/api/extensions/v1beta1.IngressPortStatus":                                                       schema_k8sio_api_extensions_v1beta1_IngressPortStatus(ref),
-		"k8s.io/api/extensions/v1beta1.IngressRule":                                                             schema_k8sio_api_extensions_v1beta1_IngressRule(ref),
-		"k8s.io/api/extensions/v1beta1.IngressRuleValue":                                                        schema_k8sio_api_extensions_v1beta1_IngressRuleValue(ref),
-		"k8s.io/api/extensions/v1beta1.IngressSpec":                                                             schema_k8sio_api_extensions_v1beta1_IngressSpec(ref),
-		"k8s.io/api/extensions/v1beta1.IngressStatus":                                                           schema_k8sio_api_extensions_v1beta1_IngressStatus(ref),
-		"k8s.io/api/extensions/v1beta1.IngressTLS":                                                              schema_k8sio_api_extensions_v1beta1_IngressTLS(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicy":                                                           schema_k8sio_api_extensions_v1beta1_NetworkPolicy(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicyEgressRule":                                                 schema_k8sio_api_extensions_v1beta1_NetworkPolicyEgressRule(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicyIngressRule":                                                schema_k8sio_api_extensions_v1beta1_NetworkPolicyIngressRule(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicyList":                                                       schema_k8sio_api_extensions_v1beta1_NetworkPolicyList(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicyPeer":                                                       schema_k8sio_api_extensions_v1beta1_NetworkPolicyPeer(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicyPort":                                                       schema_k8sio_api_extensions_v1beta1_NetworkPolicyPort(ref),
-		"k8s.io/api/extensions/v1beta1.NetworkPolicySpec":                                                       schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref),
-		"k8s.io/api/extensions/v1beta1.ReplicaSet":                                                              schema_k8sio_api_extensions_v1beta1_ReplicaSet(ref),
-		"k8s.io/api/extensions/v1beta1.ReplicaSetCondition":                                                     schema_k8sio_api_extensions_v1beta1_ReplicaSetCondition(ref),
-		"k8s.io/api/extensions/v1beta1.ReplicaSetList":                                                          schema_k8sio_api_extensions_v1beta1_ReplicaSetList(ref),
-		"k8s.io/api/extensions/v1beta1.ReplicaSetSpec":                                                          schema_k8sio_api_extensions_v1beta1_ReplicaSetSpec(ref),
-		"k8s.io/api/extensions/v1beta1.ReplicaSetStatus":                                                        schema_k8sio_api_extensions_v1beta1_ReplicaSetStatus(ref),
-		"k8s.io/api/extensions/v1beta1.RollbackConfig":                                                          schema_k8sio_api_extensions_v1beta1_RollbackConfig(ref),
-		"k8s.io/api/extensions/v1beta1.RollingUpdateDaemonSet":                                                  schema_k8sio_api_extensions_v1beta1_RollingUpdateDaemonSet(ref),
-		"k8s.io/api/extensions/v1beta1.RollingUpdateDeployment":                                                 schema_k8sio_api_extensions_v1beta1_RollingUpdateDeployment(ref),
-		"k8s.io/api/extensions/v1beta1.Scale":                                                                   schema_k8sio_api_extensions_v1beta1_Scale(ref),
-		"k8s.io/api/extensions/v1beta1.ScaleSpec":                                                               schema_k8sio_api_extensions_v1beta1_ScaleSpec(ref),
-		"k8s.io/api/extensions/v1beta1.ScaleStatus":                                                             schema_k8sio_api_extensions_v1beta1_ScaleStatus(ref),
-		"k8s.io/api/flowcontrol/v1.ExemptPriorityLevelConfiguration":                                            schema_k8sio_api_flowcontrol_v1_ExemptPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1.FlowDistinguisherMethod":                                                     schema_k8sio_api_flowcontrol_v1_FlowDistinguisherMethod(ref),
-		"k8s.io/api/flowcontrol/v1.FlowSchema":                                                                  schema_k8sio_api_flowcontrol_v1_FlowSchema(ref),
-		"k8s.io/api/flowcontrol/v1.FlowSchemaCondition":                                                         schema_k8sio_api_flowcontrol_v1_FlowSchemaCondition(ref),
-		"k8s.io/api/flowcontrol/v1.FlowSchemaList":                                                              schema_k8sio_api_flowcontrol_v1_FlowSchemaList(ref),
-		"k8s.io/api/flowcontrol/v1.FlowSchemaSpec":                                                              schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref),
-		"k8s.io/api/flowcontrol/v1.FlowSchemaStatus":                                                            schema_k8sio_api_flowcontrol_v1_FlowSchemaStatus(ref),
-		"k8s.io/api/flowcontrol/v1.GroupSubject":                                                                schema_k8sio_api_flowcontrol_v1_GroupSubject(ref),
-		"k8s.io/api/flowcontrol/v1.LimitResponse":                                                               schema_k8sio_api_flowcontrol_v1_LimitResponse(ref),
-		"k8s.io/api/flowcontrol/v1.LimitedPriorityLevelConfiguration":                                           schema_k8sio_api_flowcontrol_v1_LimitedPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1.NonResourcePolicyRule":                                                       schema_k8sio_api_flowcontrol_v1_NonResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1.PolicyRulesWithSubjects":                                                     schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfiguration":                                                  schema_k8sio_api_flowcontrol_v1_PriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationCondition":                                         schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationCondition(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationList":                                              schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationList(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationReference":                                         schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationReference(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationSpec":                                              schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationSpec(ref),
-		"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationStatus":                                            schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationStatus(ref),
-		"k8s.io/api/flowcontrol/v1.QueuingConfiguration":                                                        schema_k8sio_api_flowcontrol_v1_QueuingConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1.ResourcePolicyRule":                                                          schema_k8sio_api_flowcontrol_v1_ResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1.ServiceAccountSubject":                                                       schema_k8sio_api_flowcontrol_v1_ServiceAccountSubject(ref),
-		"k8s.io/api/flowcontrol/v1.Subject":                                                                     schema_k8sio_api_flowcontrol_v1_Subject(ref),
-		"k8s.io/api/flowcontrol/v1.UserSubject":                                                                 schema_k8sio_api_flowcontrol_v1_UserSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta1.ExemptPriorityLevelConfiguration":                                       schema_k8sio_api_flowcontrol_v1beta1_ExemptPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowDistinguisherMethod":                                                schema_k8sio_api_flowcontrol_v1beta1_FlowDistinguisherMethod(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowSchema":                                                             schema_k8sio_api_flowcontrol_v1beta1_FlowSchema(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowSchemaCondition":                                                    schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowSchemaList":                                                         schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaList(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowSchemaSpec":                                                         schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta1.FlowSchemaStatus":                                                       schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta1.GroupSubject":                                                           schema_k8sio_api_flowcontrol_v1beta1_GroupSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta1.LimitResponse":                                                          schema_k8sio_api_flowcontrol_v1beta1_LimitResponse(ref),
-		"k8s.io/api/flowcontrol/v1beta1.LimitedPriorityLevelConfiguration":                                      schema_k8sio_api_flowcontrol_v1beta1_LimitedPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta1.NonResourcePolicyRule":                                                  schema_k8sio_api_flowcontrol_v1beta1_NonResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PolicyRulesWithSubjects":                                                schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfiguration":                                             schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationCondition":                                    schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationList":                                         schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationList(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationReference":                                    schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationReference(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationSpec":                                         schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationStatus":                                       schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta1.QueuingConfiguration":                                                   schema_k8sio_api_flowcontrol_v1beta1_QueuingConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta1.ResourcePolicyRule":                                                     schema_k8sio_api_flowcontrol_v1beta1_ResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta1.ServiceAccountSubject":                                                  schema_k8sio_api_flowcontrol_v1beta1_ServiceAccountSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta1.Subject":                                                                schema_k8sio_api_flowcontrol_v1beta1_Subject(ref),
-		"k8s.io/api/flowcontrol/v1beta1.UserSubject":                                                            schema_k8sio_api_flowcontrol_v1beta1_UserSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta2.ExemptPriorityLevelConfiguration":                                       schema_k8sio_api_flowcontrol_v1beta2_ExemptPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowDistinguisherMethod":                                                schema_k8sio_api_flowcontrol_v1beta2_FlowDistinguisherMethod(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowSchema":                                                             schema_k8sio_api_flowcontrol_v1beta2_FlowSchema(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowSchemaCondition":                                                    schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowSchemaList":                                                         schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaList(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowSchemaSpec":                                                         schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta2.FlowSchemaStatus":                                                       schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta2.GroupSubject":                                                           schema_k8sio_api_flowcontrol_v1beta2_GroupSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta2.LimitResponse":                                                          schema_k8sio_api_flowcontrol_v1beta2_LimitResponse(ref),
-		"k8s.io/api/flowcontrol/v1beta2.LimitedPriorityLevelConfiguration":                                      schema_k8sio_api_flowcontrol_v1beta2_LimitedPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta2.NonResourcePolicyRule":                                                  schema_k8sio_api_flowcontrol_v1beta2_NonResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PolicyRulesWithSubjects":                                                schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfiguration":                                             schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationCondition":                                    schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationList":                                         schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationList(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationReference":                                    schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationReference(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationSpec":                                         schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationStatus":                                       schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta2.QueuingConfiguration":                                                   schema_k8sio_api_flowcontrol_v1beta2_QueuingConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta2.ResourcePolicyRule":                                                     schema_k8sio_api_flowcontrol_v1beta2_ResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta2.ServiceAccountSubject":                                                  schema_k8sio_api_flowcontrol_v1beta2_ServiceAccountSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta2.Subject":                                                                schema_k8sio_api_flowcontrol_v1beta2_Subject(ref),
-		"k8s.io/api/flowcontrol/v1beta2.UserSubject":                                                            schema_k8sio_api_flowcontrol_v1beta2_UserSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta3.ExemptPriorityLevelConfiguration":                                       schema_k8sio_api_flowcontrol_v1beta3_ExemptPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowDistinguisherMethod":                                                schema_k8sio_api_flowcontrol_v1beta3_FlowDistinguisherMethod(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowSchema":                                                             schema_k8sio_api_flowcontrol_v1beta3_FlowSchema(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowSchemaCondition":                                                    schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowSchemaList":                                                         schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaList(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowSchemaSpec":                                                         schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta3.FlowSchemaStatus":                                                       schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta3.GroupSubject":                                                           schema_k8sio_api_flowcontrol_v1beta3_GroupSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta3.LimitResponse":                                                          schema_k8sio_api_flowcontrol_v1beta3_LimitResponse(ref),
-		"k8s.io/api/flowcontrol/v1beta3.LimitedPriorityLevelConfiguration":                                      schema_k8sio_api_flowcontrol_v1beta3_LimitedPriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta3.NonResourcePolicyRule":                                                  schema_k8sio_api_flowcontrol_v1beta3_NonResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PolicyRulesWithSubjects":                                                schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfiguration":                                             schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationCondition":                                    schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationCondition(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationList":                                         schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationList(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationReference":                                    schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationReference(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationSpec":                                         schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationSpec(ref),
-		"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationStatus":                                       schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationStatus(ref),
-		"k8s.io/api/flowcontrol/v1beta3.QueuingConfiguration":                                                   schema_k8sio_api_flowcontrol_v1beta3_QueuingConfiguration(ref),
-		"k8s.io/api/flowcontrol/v1beta3.ResourcePolicyRule":                                                     schema_k8sio_api_flowcontrol_v1beta3_ResourcePolicyRule(ref),
-		"k8s.io/api/flowcontrol/v1beta3.ServiceAccountSubject":                                                  schema_k8sio_api_flowcontrol_v1beta3_ServiceAccountSubject(ref),
-		"k8s.io/api/flowcontrol/v1beta3.Subject":                                                                schema_k8sio_api_flowcontrol_v1beta3_Subject(ref),
-		"k8s.io/api/flowcontrol/v1beta3.UserSubject":                                                            schema_k8sio_api_flowcontrol_v1beta3_UserSubject(ref),
-		"k8s.io/api/imagepolicy/v1alpha1.ImageReview":                                                           schema_k8sio_api_imagepolicy_v1alpha1_ImageReview(ref),
-		"k8s.io/api/imagepolicy/v1alpha1.ImageReviewContainerSpec":                                              schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewContainerSpec(ref),
-		"k8s.io/api/imagepolicy/v1alpha1.ImageReviewSpec":                                                       schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewSpec(ref),
-		"k8s.io/api/imagepolicy/v1alpha1.ImageReviewStatus":                                                     schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewStatus(ref),
-		"k8s.io/api/networking/v1.HTTPIngressPath":                                                              schema_k8sio_api_networking_v1_HTTPIngressPath(ref),
-		"k8s.io/api/networking/v1.HTTPIngressRuleValue":                                                         schema_k8sio_api_networking_v1_HTTPIngressRuleValue(ref),
-		"k8s.io/api/networking/v1.IPAddress":                                                                    schema_k8sio_api_networking_v1_IPAddress(ref),
-		"k8s.io/api/networking/v1.IPAddressList":                                                                schema_k8sio_api_networking_v1_IPAddressList(ref),
-		"k8s.io/api/networking/v1.IPAddressSpec":                                                                schema_k8sio_api_networking_v1_IPAddressSpec(ref),
-		"k8s.io/api/networking/v1.IPBlock":                                                                      schema_k8sio_api_networking_v1_IPBlock(ref),
-		"k8s.io/api/networking/v1.Ingress":                                                                      schema_k8sio_api_networking_v1_Ingress(ref),
-		"k8s.io/api/networking/v1.IngressBackend":                                                               schema_k8sio_api_networking_v1_IngressBackend(ref),
-		"k8s.io/api/networking/v1.IngressClass":                                                                 schema_k8sio_api_networking_v1_IngressClass(ref),
-		"k8s.io/api/networking/v1.IngressClassList":                                                             schema_k8sio_api_networking_v1_IngressClassList(ref),
-		"k8s.io/api/networking/v1.IngressClassParametersReference":                                              schema_k8sio_api_networking_v1_IngressClassParametersReference(ref),
-		"k8s.io/api/networking/v1.IngressClassSpec":                                                             schema_k8sio_api_networking_v1_IngressClassSpec(ref),
-		"k8s.io/api/networking/v1.IngressList":                                                                  schema_k8sio_api_networking_v1_IngressList(ref),
-		"k8s.io/api/networking/v1.IngressLoadBalancerIngress":                                                   schema_k8sio_api_networking_v1_IngressLoadBalancerIngress(ref),
-		"k8s.io/api/networking/v1.IngressLoadBalancerStatus":                                                    schema_k8sio_api_networking_v1_IngressLoadBalancerStatus(ref),
-		"k8s.io/api/networking/v1.IngressPortStatus":                                                            schema_k8sio_api_networking_v1_IngressPortStatus(ref),
-		"k8s.io/api/networking/v1.IngressRule":                                                                  schema_k8sio_api_networking_v1_IngressRule(ref),
-		"k8s.io/api/networking/v1.IngressRuleValue":                                                             schema_k8sio_api_networking_v1_IngressRuleValue(ref),
-		"k8s.io/api/networking/v1.IngressServiceBackend":                                                        schema_k8sio_api_networking_v1_IngressServiceBackend(ref),
-		"k8s.io/api/networking/v1.IngressSpec":                                                                  schema_k8sio_api_networking_v1_IngressSpec(ref),
-		"k8s.io/api/networking/v1.IngressStatus":                                                                schema_k8sio_api_networking_v1_IngressStatus(ref),
-		"k8s.io/api/networking/v1.IngressTLS":                                                                   schema_k8sio_api_networking_v1_IngressTLS(ref),
-		"k8s.io/api/networking/v1.NetworkPolicy":                                                                schema_k8sio_api_networking_v1_NetworkPolicy(ref),
-		"k8s.io/api/networking/v1.NetworkPolicyEgressRule":                                                      schema_k8sio_api_networking_v1_NetworkPolicyEgressRule(ref),
-		"k8s.io/api/networking/v1.NetworkPolicyIngressRule":                                                     schema_k8sio_api_networking_v1_NetworkPolicyIngressRule(ref),
-		"k8s.io/api/networking/v1.NetworkPolicyList":                                                            schema_k8sio_api_networking_v1_NetworkPolicyList(ref),
-		"k8s.io/api/networking/v1.NetworkPolicyPeer":                                                            schema_k8sio_api_networking_v1_NetworkPolicyPeer(ref),
-		"k8s.io/api/networking/v1.NetworkPolicyPort":                                                            schema_k8sio_api_networking_v1_NetworkPolicyPort(ref),
-		"k8s.io/api/networking/v1.NetworkPolicySpec":                                                            schema_k8sio_api_networking_v1_NetworkPolicySpec(ref),
-		"k8s.io/api/networking/v1.ParentReference":                                                              schema_k8sio_api_networking_v1_ParentReference(ref),
-		"k8s.io/api/networking/v1.ServiceBackendPort":                                                           schema_k8sio_api_networking_v1_ServiceBackendPort(ref),
-		"k8s.io/api/networking/v1.ServiceCIDR":                                                                  schema_k8sio_api_networking_v1_ServiceCIDR(ref),
-		"k8s.io/api/networking/v1.ServiceCIDRList":                                                              schema_k8sio_api_networking_v1_ServiceCIDRList(ref),
-		"k8s.io/api/networking/v1.ServiceCIDRSpec":                                                              schema_k8sio_api_networking_v1_ServiceCIDRSpec(ref),
-		"k8s.io/api/networking/v1.ServiceCIDRStatus":                                                            schema_k8sio_api_networking_v1_ServiceCIDRStatus(ref),
-		"k8s.io/api/networking/v1beta1.HTTPIngressPath":                                                         schema_k8sio_api_networking_v1beta1_HTTPIngressPath(ref),
-		"k8s.io/api/networking/v1beta1.HTTPIngressRuleValue":                                                    schema_k8sio_api_networking_v1beta1_HTTPIngressRuleValue(ref),
-		"k8s.io/api/networking/v1beta1.IPAddress":                                                               schema_k8sio_api_networking_v1beta1_IPAddress(ref),
-		"k8s.io/api/networking/v1beta1.IPAddressList":                                                           schema_k8sio_api_networking_v1beta1_IPAddressList(ref),
-		"k8s.io/api/networking/v1beta1.IPAddressSpec":                                                           schema_k8sio_api_networking_v1beta1_IPAddressSpec(ref),
-		"k8s.io/api/networking/v1beta1.Ingress":                                                                 schema_k8sio_api_networking_v1beta1_Ingress(ref),
-		"k8s.io/api/networking/v1beta1.IngressBackend":                                                          schema_k8sio_api_networking_v1beta1_IngressBackend(ref),
-		"k8s.io/api/networking/v1beta1.IngressClass":                                                            schema_k8sio_api_networking_v1beta1_IngressClass(ref),
-		"k8s.io/api/networking/v1beta1.IngressClassList":                                                        schema_k8sio_api_networking_v1beta1_IngressClassList(ref),
-		"k8s.io/api/networking/v1beta1.IngressClassParametersReference":                                         schema_k8sio_api_networking_v1beta1_IngressClassParametersReference(ref),
-		"k8s.io/api/networking/v1beta1.IngressClassSpec":                                                        schema_k8sio_api_networking_v1beta1_IngressClassSpec(ref),
-		"k8s.io/api/networking/v1beta1.IngressList":                                                             schema_k8sio_api_networking_v1beta1_IngressList(ref),
-		"k8s.io/api/networking/v1beta1.IngressLoadBalancerIngress":                                              schema_k8sio_api_networking_v1beta1_IngressLoadBalancerIngress(ref),
-		"k8s.io/api/networking/v1beta1.IngressLoadBalancerStatus":                                               schema_k8sio_api_networking_v1beta1_IngressLoadBalancerStatus(ref),
-		"k8s.io/api/networking/v1beta1.IngressPortStatus":                                                       schema_k8sio_api_networking_v1beta1_IngressPortStatus(ref),
-		"k8s.io/api/networking/v1beta1.IngressRule":                                                             schema_k8sio_api_networking_v1beta1_IngressRule(ref),
-		"k8s.io/api/networking/v1beta1.IngressRuleValue":                                                        schema_k8sio_api_networking_v1beta1_IngressRuleValue(ref),
-		"k8s.io/api/networking/v1beta1.IngressSpec":                                                             schema_k8sio_api_networking_v1beta1_IngressSpec(ref),
-		"k8s.io/api/networking/v1beta1.IngressStatus":                                                           schema_k8sio_api_networking_v1beta1_IngressStatus(ref),
-		"k8s.io/api/networking/v1beta1.IngressTLS":                                                              schema_k8sio_api_networking_v1beta1_IngressTLS(ref),
-		"k8s.io/api/networking/v1beta1.ParentReference":                                                         schema_k8sio_api_networking_v1beta1_ParentReference(ref),
-		"k8s.io/api/networking/v1beta1.ServiceCIDR":                                                             schema_k8sio_api_networking_v1beta1_ServiceCIDR(ref),
-		"k8s.io/api/networking/v1beta1.ServiceCIDRList":                                                         schema_k8sio_api_networking_v1beta1_ServiceCIDRList(ref),
-		"k8s.io/api/networking/v1beta1.ServiceCIDRSpec":                                                         schema_k8sio_api_networking_v1beta1_ServiceCIDRSpec(ref),
-		"k8s.io/api/networking/v1beta1.ServiceCIDRStatus":                                                       schema_k8sio_api_networking_v1beta1_ServiceCIDRStatus(ref),
-		"k8s.io/api/node/v1.Overhead":                                                                           schema_k8sio_api_node_v1_Overhead(ref),
-		"k8s.io/api/node/v1.RuntimeClass":                                                                       schema_k8sio_api_node_v1_RuntimeClass(ref),
-		"k8s.io/api/node/v1.RuntimeClassList":                                                                   schema_k8sio_api_node_v1_RuntimeClassList(ref),
-		"k8s.io/api/node/v1.Scheduling":                                                                         schema_k8sio_api_node_v1_Scheduling(ref),
-		"k8s.io/api/node/v1alpha1.Overhead":                                                                     schema_k8sio_api_node_v1alpha1_Overhead(ref),
-		"k8s.io/api/node/v1alpha1.RuntimeClass":                                                                 schema_k8sio_api_node_v1alpha1_RuntimeClass(ref),
-		"k8s.io/api/node/v1alpha1.RuntimeClassList":                                                             schema_k8sio_api_node_v1alpha1_RuntimeClassList(ref),
-		"k8s.io/api/node/v1alpha1.RuntimeClassSpec":                                                             schema_k8sio_api_node_v1alpha1_RuntimeClassSpec(ref),
-		"k8s.io/api/node/v1alpha1.Scheduling":                                                                   schema_k8sio_api_node_v1alpha1_Scheduling(ref),
-		"k8s.io/api/node/v1beta1.Overhead":                                                                      schema_k8sio_api_node_v1beta1_Overhead(ref),
-		"k8s.io/api/node/v1beta1.RuntimeClass":                                                                  schema_k8sio_api_node_v1beta1_RuntimeClass(ref),
-		"k8s.io/api/node/v1beta1.RuntimeClassList":                                                              schema_k8sio_api_node_v1beta1_RuntimeClassList(ref),
-		"k8s.io/api/node/v1beta1.Scheduling":                                                                    schema_k8sio_api_node_v1beta1_Scheduling(ref),
-		"k8s.io/api/policy/v1.Eviction":                                                                         schema_k8sio_api_policy_v1_Eviction(ref),
-		"k8s.io/api/policy/v1.PodDisruptionBudget":                                                              schema_k8sio_api_policy_v1_PodDisruptionBudget(ref),
-		"k8s.io/api/policy/v1.PodDisruptionBudgetList":                                                          schema_k8sio_api_policy_v1_PodDisruptionBudgetList(ref),
-		"k8s.io/api/policy/v1.PodDisruptionBudgetSpec":                                                          schema_k8sio_api_policy_v1_PodDisruptionBudgetSpec(ref),
-		"k8s.io/api/policy/v1.PodDisruptionBudgetStatus":                                                        schema_k8sio_api_policy_v1_PodDisruptionBudgetStatus(ref),
-		"k8s.io/api/policy/v1beta1.Eviction":                                                                    schema_k8sio_api_policy_v1beta1_Eviction(ref),
-		"k8s.io/api/policy/v1beta1.PodDisruptionBudget":                                                         schema_k8sio_api_policy_v1beta1_PodDisruptionBudget(ref),
-		"k8s.io/api/policy/v1beta1.PodDisruptionBudgetList":                                                     schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetList(ref),
-		"k8s.io/api/policy/v1beta1.PodDisruptionBudgetSpec":                                                     schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetSpec(ref),
-		"k8s.io/api/policy/v1beta1.PodDisruptionBudgetStatus":                                                   schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetStatus(ref),
-		"k8s.io/api/rbac/v1.AggregationRule":                                                                    schema_k8sio_api_rbac_v1_AggregationRule(ref),
-		"k8s.io/api/rbac/v1.ClusterRole":                                                                        schema_k8sio_api_rbac_v1_ClusterRole(ref),
-		"k8s.io/api/rbac/v1.ClusterRoleBinding":                                                                 schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref),
-		"k8s.io/api/rbac/v1.ClusterRoleBindingList":                                                             schema_k8sio_api_rbac_v1_ClusterRoleBindingList(ref),
-		"k8s.io/api/rbac/v1.ClusterRoleList":                                                                    schema_k8sio_api_rbac_v1_ClusterRoleList(ref),
-		"k8s.io/api/rbac/v1.PolicyRule":                                                                         schema_k8sio_api_rbac_v1_PolicyRule(ref),
-		"k8s.io/api/rbac/v1.Role":                                                                               schema_k8sio_api_rbac_v1_Role(ref),
-		"k8s.io/api/rbac/v1.RoleBinding":                                                                        schema_k8sio_api_rbac_v1_RoleBinding(ref),
-		"k8s.io/api/rbac/v1.RoleBindingList":                                                                    schema_k8sio_api_rbac_v1_RoleBindingList(ref),
-		"k8s.io/api/rbac/v1.RoleList":                                                                           schema_k8sio_api_rbac_v1_RoleList(ref),
-		"k8s.io/api/rbac/v1.RoleRef":                                                                            schema_k8sio_api_rbac_v1_RoleRef(ref),
-		"k8s.io/api/rbac/v1.Subject":                                                                            schema_k8sio_api_rbac_v1_Subject(ref),
-		"k8s.io/api/rbac/v1alpha1.AggregationRule":                                                              schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref),
-		"k8s.io/api/rbac/v1alpha1.ClusterRole":                                                                  schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref),
-		"k8s.io/api/rbac/v1alpha1.ClusterRoleBinding":                                                           schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref),
-		"k8s.io/api/rbac/v1alpha1.ClusterRoleBindingList":                                                       schema_k8sio_api_rbac_v1alpha1_ClusterRoleBindingList(ref),
-		"k8s.io/api/rbac/v1alpha1.ClusterRoleList":                                                              schema_k8sio_api_rbac_v1alpha1_ClusterRoleList(ref),
-		"k8s.io/api/rbac/v1alpha1.PolicyRule":                                                                   schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref),
-		"k8s.io/api/rbac/v1alpha1.Role":                                                                         schema_k8sio_api_rbac_v1alpha1_Role(ref),
-		"k8s.io/api/rbac/v1alpha1.RoleBinding":                                                                  schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref),
-		"k8s.io/api/rbac/v1alpha1.RoleBindingList":                                                              schema_k8sio_api_rbac_v1alpha1_RoleBindingList(ref),
-		"k8s.io/api/rbac/v1alpha1.RoleList":                                                                     schema_k8sio_api_rbac_v1alpha1_RoleList(ref),
-		"k8s.io/api/rbac/v1alpha1.RoleRef":                                                                      schema_k8sio_api_rbac_v1alpha1_RoleRef(ref),
-		"k8s.io/api/rbac/v1alpha1.Subject":                                                                      schema_k8sio_api_rbac_v1alpha1_Subject(ref),
-		"k8s.io/api/rbac/v1beta1.AggregationRule":                                                               schema_k8sio_api_rbac_v1beta1_AggregationRule(ref),
-		"k8s.io/api/rbac/v1beta1.ClusterRole":                                                                   schema_k8sio_api_rbac_v1beta1_ClusterRole(ref),
-		"k8s.io/api/rbac/v1beta1.ClusterRoleBinding":                                                            schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref),
-		"k8s.io/api/rbac/v1beta1.ClusterRoleBindingList":                                                        schema_k8sio_api_rbac_v1beta1_ClusterRoleBindingList(ref),
-		"k8s.io/api/rbac/v1beta1.ClusterRoleList":                                                               schema_k8sio_api_rbac_v1beta1_ClusterRoleList(ref),
-		"k8s.io/api/rbac/v1beta1.PolicyRule":                                                                    schema_k8sio_api_rbac_v1beta1_PolicyRule(ref),
-		"k8s.io/api/rbac/v1beta1.Role":                                                                          schema_k8sio_api_rbac_v1beta1_Role(ref),
-		"k8s.io/api/rbac/v1beta1.RoleBinding":                                                                   schema_k8sio_api_rbac_v1beta1_RoleBinding(ref),
-		"k8s.io/api/rbac/v1beta1.RoleBindingList":                                                               schema_k8sio_api_rbac_v1beta1_RoleBindingList(ref),
-		"k8s.io/api/rbac/v1beta1.RoleList":                                                                      schema_k8sio_api_rbac_v1beta1_RoleList(ref),
-		"k8s.io/api/rbac/v1beta1.RoleRef":                                                                       schema_k8sio_api_rbac_v1beta1_RoleRef(ref),
-		"k8s.io/api/rbac/v1beta1.Subject":                                                                       schema_k8sio_api_rbac_v1beta1_Subject(ref),
-		"k8s.io/api/resource/v1.AllocatedDeviceStatus":                                                          schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref),
-		"k8s.io/api/resource/v1.AllocationResult":                                                               schema_k8sio_api_resource_v1_AllocationResult(ref),
-		"k8s.io/api/resource/v1.CELDeviceSelector":                                                              schema_k8sio_api_resource_v1_CELDeviceSelector(ref),
-		"k8s.io/api/resource/v1.CapacityRequestPolicy":                                                          schema_k8sio_api_resource_v1_CapacityRequestPolicy(ref),
-		"k8s.io/api/resource/v1.CapacityRequestPolicyRange":                                                     schema_k8sio_api_resource_v1_CapacityRequestPolicyRange(ref),
-		"k8s.io/api/resource/v1.CapacityRequirements":                                                           schema_k8sio_api_resource_v1_CapacityRequirements(ref),
-		"k8s.io/api/resource/v1.Counter":                                                                        schema_k8sio_api_resource_v1_Counter(ref),
-		"k8s.io/api/resource/v1.CounterSet":                                                                     schema_k8sio_api_resource_v1_CounterSet(ref),
-		"k8s.io/api/resource/v1.Device":                                                                         schema_k8sio_api_resource_v1_Device(ref),
-		"k8s.io/api/resource/v1.DeviceAllocationConfiguration":                                                  schema_k8sio_api_resource_v1_DeviceAllocationConfiguration(ref),
-		"k8s.io/api/resource/v1.DeviceAllocationResult":                                                         schema_k8sio_api_resource_v1_DeviceAllocationResult(ref),
-		"k8s.io/api/resource/v1.DeviceAttribute":                                                                schema_k8sio_api_resource_v1_DeviceAttribute(ref),
-		"k8s.io/api/resource/v1.DeviceCapacity":                                                                 schema_k8sio_api_resource_v1_DeviceCapacity(ref),
-		"k8s.io/api/resource/v1.DeviceClaim":                                                                    schema_k8sio_api_resource_v1_DeviceClaim(ref),
-		"k8s.io/api/resource/v1.DeviceClaimConfiguration":                                                       schema_k8sio_api_resource_v1_DeviceClaimConfiguration(ref),
-		"k8s.io/api/resource/v1.DeviceClass":                                                                    schema_k8sio_api_resource_v1_DeviceClass(ref),
-		"k8s.io/api/resource/v1.DeviceClassConfiguration":                                                       schema_k8sio_api_resource_v1_DeviceClassConfiguration(ref),
-		"k8s.io/api/resource/v1.DeviceClassList":                                                                schema_k8sio_api_resource_v1_DeviceClassList(ref),
-		"k8s.io/api/resource/v1.DeviceClassSpec":                                                                schema_k8sio_api_resource_v1_DeviceClassSpec(ref),
-		"k8s.io/api/resource/v1.DeviceConfiguration":                                                            schema_k8sio_api_resource_v1_DeviceConfiguration(ref),
-		"k8s.io/api/resource/v1.DeviceConstraint":                                                               schema_k8sio_api_resource_v1_DeviceConstraint(ref),
-		"k8s.io/api/resource/v1.DeviceCounterConsumption":                                                       schema_k8sio_api_resource_v1_DeviceCounterConsumption(ref),
-		"k8s.io/api/resource/v1.DeviceRequest":                                                                  schema_k8sio_api_resource_v1_DeviceRequest(ref),
-		"k8s.io/api/resource/v1.DeviceRequestAllocationResult":                                                  schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref),
-		"k8s.io/api/resource/v1.DeviceSelector":                                                                 schema_k8sio_api_resource_v1_DeviceSelector(ref),
-		"k8s.io/api/resource/v1.DeviceSubRequest":                                                               schema_k8sio_api_resource_v1_DeviceSubRequest(ref),
-		"k8s.io/api/resource/v1.DeviceTaint":                                                                    schema_k8sio_api_resource_v1_DeviceTaint(ref),
-		"k8s.io/api/resource/v1.DeviceToleration":                                                               schema_k8sio_api_resource_v1_DeviceToleration(ref),
-		"k8s.io/api/resource/v1.ExactDeviceRequest":                                                             schema_k8sio_api_resource_v1_ExactDeviceRequest(ref),
-		"k8s.io/api/resource/v1.NetworkDeviceData":                                                              schema_k8sio_api_resource_v1_NetworkDeviceData(ref),
-		"k8s.io/api/resource/v1.OpaqueDeviceConfiguration":                                                      schema_k8sio_api_resource_v1_OpaqueDeviceConfiguration(ref),
-		"k8s.io/api/resource/v1.ResourceClaim":                                                                  schema_k8sio_api_resource_v1_ResourceClaim(ref),
-		"k8s.io/api/resource/v1.ResourceClaimConsumerReference":                                                 schema_k8sio_api_resource_v1_ResourceClaimConsumerReference(ref),
-		"k8s.io/api/resource/v1.ResourceClaimList":                                                              schema_k8sio_api_resource_v1_ResourceClaimList(ref),
-		"k8s.io/api/resource/v1.ResourceClaimSpec":                                                              schema_k8sio_api_resource_v1_ResourceClaimSpec(ref),
-		"k8s.io/api/resource/v1.ResourceClaimStatus":                                                            schema_k8sio_api_resource_v1_ResourceClaimStatus(ref),
-		"k8s.io/api/resource/v1.ResourceClaimTemplate":                                                          schema_k8sio_api_resource_v1_ResourceClaimTemplate(ref),
-		"k8s.io/api/resource/v1.ResourceClaimTemplateList":                                                      schema_k8sio_api_resource_v1_ResourceClaimTemplateList(ref),
-		"k8s.io/api/resource/v1.ResourceClaimTemplateSpec":                                                      schema_k8sio_api_resource_v1_ResourceClaimTemplateSpec(ref),
-		"k8s.io/api/resource/v1.ResourcePool":                                                                   schema_k8sio_api_resource_v1_ResourcePool(ref),
-		"k8s.io/api/resource/v1.ResourceSlice":                                                                  schema_k8sio_api_resource_v1_ResourceSlice(ref),
-		"k8s.io/api/resource/v1.ResourceSliceList":                                                              schema_k8sio_api_resource_v1_ResourceSliceList(ref),
-		"k8s.io/api/resource/v1.ResourceSliceSpec":                                                              schema_k8sio_api_resource_v1_ResourceSliceSpec(ref),
-		"k8s.io/api/resource/v1alpha3.CELDeviceSelector":                                                        schema_k8sio_api_resource_v1alpha3_CELDeviceSelector(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceSelector":                                                           schema_k8sio_api_resource_v1alpha3_DeviceSelector(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceTaint":                                                              schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceTaintRule":                                                          schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceTaintRuleList":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref),
-		"k8s.io/api/resource/v1alpha3.DeviceTaintSelector":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref),
-		"k8s.io/api/resource/v1beta1.AllocatedDeviceStatus":                                                     schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref),
-		"k8s.io/api/resource/v1beta1.AllocationResult":                                                          schema_k8sio_api_resource_v1beta1_AllocationResult(ref),
-		"k8s.io/api/resource/v1beta1.BasicDevice":                                                               schema_k8sio_api_resource_v1beta1_BasicDevice(ref),
-		"k8s.io/api/resource/v1beta1.CELDeviceSelector":                                                         schema_k8sio_api_resource_v1beta1_CELDeviceSelector(ref),
-		"k8s.io/api/resource/v1beta1.CapacityRequestPolicy":                                                     schema_k8sio_api_resource_v1beta1_CapacityRequestPolicy(ref),
-		"k8s.io/api/resource/v1beta1.CapacityRequestPolicyRange":                                                schema_k8sio_api_resource_v1beta1_CapacityRequestPolicyRange(ref),
-		"k8s.io/api/resource/v1beta1.CapacityRequirements":                                                      schema_k8sio_api_resource_v1beta1_CapacityRequirements(ref),
-		"k8s.io/api/resource/v1beta1.Counter":                                                                   schema_k8sio_api_resource_v1beta1_Counter(ref),
-		"k8s.io/api/resource/v1beta1.CounterSet":                                                                schema_k8sio_api_resource_v1beta1_CounterSet(ref),
-		"k8s.io/api/resource/v1beta1.Device":                                                                    schema_k8sio_api_resource_v1beta1_Device(ref),
-		"k8s.io/api/resource/v1beta1.DeviceAllocationConfiguration":                                             schema_k8sio_api_resource_v1beta1_DeviceAllocationConfiguration(ref),
-		"k8s.io/api/resource/v1beta1.DeviceAllocationResult":                                                    schema_k8sio_api_resource_v1beta1_DeviceAllocationResult(ref),
-		"k8s.io/api/resource/v1beta1.DeviceAttribute":                                                           schema_k8sio_api_resource_v1beta1_DeviceAttribute(ref),
-		"k8s.io/api/resource/v1beta1.DeviceCapacity":                                                            schema_k8sio_api_resource_v1beta1_DeviceCapacity(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClaim":                                                               schema_k8sio_api_resource_v1beta1_DeviceClaim(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClaimConfiguration":                                                  schema_k8sio_api_resource_v1beta1_DeviceClaimConfiguration(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClass":                                                               schema_k8sio_api_resource_v1beta1_DeviceClass(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClassConfiguration":                                                  schema_k8sio_api_resource_v1beta1_DeviceClassConfiguration(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClassList":                                                           schema_k8sio_api_resource_v1beta1_DeviceClassList(ref),
-		"k8s.io/api/resource/v1beta1.DeviceClassSpec":                                                           schema_k8sio_api_resource_v1beta1_DeviceClassSpec(ref),
-		"k8s.io/api/resource/v1beta1.DeviceConfiguration":                                                       schema_k8sio_api_resource_v1beta1_DeviceConfiguration(ref),
-		"k8s.io/api/resource/v1beta1.DeviceConstraint":                                                          schema_k8sio_api_resource_v1beta1_DeviceConstraint(ref),
-		"k8s.io/api/resource/v1beta1.DeviceCounterConsumption":                                                  schema_k8sio_api_resource_v1beta1_DeviceCounterConsumption(ref),
-		"k8s.io/api/resource/v1beta1.DeviceRequest":                                                             schema_k8sio_api_resource_v1beta1_DeviceRequest(ref),
-		"k8s.io/api/resource/v1beta1.DeviceRequestAllocationResult":                                             schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref),
-		"k8s.io/api/resource/v1beta1.DeviceSelector":                                                            schema_k8sio_api_resource_v1beta1_DeviceSelector(ref),
-		"k8s.io/api/resource/v1beta1.DeviceSubRequest":                                                          schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref),
-		"k8s.io/api/resource/v1beta1.DeviceTaint":                                                               schema_k8sio_api_resource_v1beta1_DeviceTaint(ref),
-		"k8s.io/api/resource/v1beta1.DeviceToleration":                                                          schema_k8sio_api_resource_v1beta1_DeviceToleration(ref),
-		"k8s.io/api/resource/v1beta1.NetworkDeviceData":                                                         schema_k8sio_api_resource_v1beta1_NetworkDeviceData(ref),
-		"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration":                                                 schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaim":                                                             schema_k8sio_api_resource_v1beta1_ResourceClaim(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimConsumerReference":                                            schema_k8sio_api_resource_v1beta1_ResourceClaimConsumerReference(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimList":                                                         schema_k8sio_api_resource_v1beta1_ResourceClaimList(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimSpec":                                                         schema_k8sio_api_resource_v1beta1_ResourceClaimSpec(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimStatus":                                                       schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimTemplate":                                                     schema_k8sio_api_resource_v1beta1_ResourceClaimTemplate(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimTemplateList":                                                 schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateList(ref),
-		"k8s.io/api/resource/v1beta1.ResourceClaimTemplateSpec":                                                 schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateSpec(ref),
-		"k8s.io/api/resource/v1beta1.ResourcePool":                                                              schema_k8sio_api_resource_v1beta1_ResourcePool(ref),
-		"k8s.io/api/resource/v1beta1.ResourceSlice":                                                             schema_k8sio_api_resource_v1beta1_ResourceSlice(ref),
-		"k8s.io/api/resource/v1beta1.ResourceSliceList":                                                         schema_k8sio_api_resource_v1beta1_ResourceSliceList(ref),
-		"k8s.io/api/resource/v1beta1.ResourceSliceSpec":                                                         schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref),
-		"k8s.io/api/resource/v1beta2.AllocatedDeviceStatus":                                                     schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref),
-		"k8s.io/api/resource/v1beta2.AllocationResult":                                                          schema_k8sio_api_resource_v1beta2_AllocationResult(ref),
-		"k8s.io/api/resource/v1beta2.CELDeviceSelector":                                                         schema_k8sio_api_resource_v1beta2_CELDeviceSelector(ref),
-		"k8s.io/api/resource/v1beta2.CapacityRequestPolicy":                                                     schema_k8sio_api_resource_v1beta2_CapacityRequestPolicy(ref),
-		"k8s.io/api/resource/v1beta2.CapacityRequestPolicyRange":                                                schema_k8sio_api_resource_v1beta2_CapacityRequestPolicyRange(ref),
-		"k8s.io/api/resource/v1beta2.CapacityRequirements":                                                      schema_k8sio_api_resource_v1beta2_CapacityRequirements(ref),
-		"k8s.io/api/resource/v1beta2.Counter":                                                                   schema_k8sio_api_resource_v1beta2_Counter(ref),
-		"k8s.io/api/resource/v1beta2.CounterSet":                                                                schema_k8sio_api_resource_v1beta2_CounterSet(ref),
-		"k8s.io/api/resource/v1beta2.Device":                                                                    schema_k8sio_api_resource_v1beta2_Device(ref),
-		"k8s.io/api/resource/v1beta2.DeviceAllocationConfiguration":                                             schema_k8sio_api_resource_v1beta2_DeviceAllocationConfiguration(ref),
-		"k8s.io/api/resource/v1beta2.DeviceAllocationResult":                                                    schema_k8sio_api_resource_v1beta2_DeviceAllocationResult(ref),
-		"k8s.io/api/resource/v1beta2.DeviceAttribute":                                                           schema_k8sio_api_resource_v1beta2_DeviceAttribute(ref),
-		"k8s.io/api/resource/v1beta2.DeviceCapacity":                                                            schema_k8sio_api_resource_v1beta2_DeviceCapacity(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClaim":                                                               schema_k8sio_api_resource_v1beta2_DeviceClaim(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClaimConfiguration":                                                  schema_k8sio_api_resource_v1beta2_DeviceClaimConfiguration(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClass":                                                               schema_k8sio_api_resource_v1beta2_DeviceClass(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClassConfiguration":                                                  schema_k8sio_api_resource_v1beta2_DeviceClassConfiguration(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClassList":                                                           schema_k8sio_api_resource_v1beta2_DeviceClassList(ref),
-		"k8s.io/api/resource/v1beta2.DeviceClassSpec":                                                           schema_k8sio_api_resource_v1beta2_DeviceClassSpec(ref),
-		"k8s.io/api/resource/v1beta2.DeviceConfiguration":                                                       schema_k8sio_api_resource_v1beta2_DeviceConfiguration(ref),
-		"k8s.io/api/resource/v1beta2.DeviceConstraint":                                                          schema_k8sio_api_resource_v1beta2_DeviceConstraint(ref),
-		"k8s.io/api/resource/v1beta2.DeviceCounterConsumption":                                                  schema_k8sio_api_resource_v1beta2_DeviceCounterConsumption(ref),
-		"k8s.io/api/resource/v1beta2.DeviceRequest":                                                             schema_k8sio_api_resource_v1beta2_DeviceRequest(ref),
-		"k8s.io/api/resource/v1beta2.DeviceRequestAllocationResult":                                             schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref),
-		"k8s.io/api/resource/v1beta2.DeviceSelector":                                                            schema_k8sio_api_resource_v1beta2_DeviceSelector(ref),
-		"k8s.io/api/resource/v1beta2.DeviceSubRequest":                                                          schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref),
-		"k8s.io/api/resource/v1beta2.DeviceTaint":                                                               schema_k8sio_api_resource_v1beta2_DeviceTaint(ref),
-		"k8s.io/api/resource/v1beta2.DeviceToleration":                                                          schema_k8sio_api_resource_v1beta2_DeviceToleration(ref),
-		"k8s.io/api/resource/v1beta2.ExactDeviceRequest":                                                        schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref),
-		"k8s.io/api/resource/v1beta2.NetworkDeviceData":                                                         schema_k8sio_api_resource_v1beta2_NetworkDeviceData(ref),
-		"k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration":                                                 schema_k8sio_api_resource_v1beta2_OpaqueDeviceConfiguration(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaim":                                                             schema_k8sio_api_resource_v1beta2_ResourceClaim(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimConsumerReference":                                            schema_k8sio_api_resource_v1beta2_ResourceClaimConsumerReference(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimList":                                                         schema_k8sio_api_resource_v1beta2_ResourceClaimList(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimSpec":                                                         schema_k8sio_api_resource_v1beta2_ResourceClaimSpec(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimStatus":                                                       schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimTemplate":                                                     schema_k8sio_api_resource_v1beta2_ResourceClaimTemplate(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimTemplateList":                                                 schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateList(ref),
-		"k8s.io/api/resource/v1beta2.ResourceClaimTemplateSpec":                                                 schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateSpec(ref),
-		"k8s.io/api/resource/v1beta2.ResourcePool":                                                              schema_k8sio_api_resource_v1beta2_ResourcePool(ref),
-		"k8s.io/api/resource/v1beta2.ResourceSlice":                                                             schema_k8sio_api_resource_v1beta2_ResourceSlice(ref),
-		"k8s.io/api/resource/v1beta2.ResourceSliceList":                                                         schema_k8sio_api_resource_v1beta2_ResourceSliceList(ref),
-		"k8s.io/api/resource/v1beta2.ResourceSliceSpec":                                                         schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref),
-		"k8s.io/api/scheduling/v1.PriorityClass":                                                                schema_k8sio_api_scheduling_v1_PriorityClass(ref),
-		"k8s.io/api/scheduling/v1.PriorityClassList":                                                            schema_k8sio_api_scheduling_v1_PriorityClassList(ref),
-		"k8s.io/api/scheduling/v1alpha1.PriorityClass":                                                          schema_k8sio_api_scheduling_v1alpha1_PriorityClass(ref),
-		"k8s.io/api/scheduling/v1alpha1.PriorityClassList":                                                      schema_k8sio_api_scheduling_v1alpha1_PriorityClassList(ref),
-		"k8s.io/api/scheduling/v1beta1.PriorityClass":                                                           schema_k8sio_api_scheduling_v1beta1_PriorityClass(ref),
-		"k8s.io/api/scheduling/v1beta1.PriorityClassList":                                                       schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref),
-		"k8s.io/api/storage/v1.CSIDriver":                                                                       schema_k8sio_api_storage_v1_CSIDriver(ref),
-		"k8s.io/api/storage/v1.CSIDriverList":                                                                   schema_k8sio_api_storage_v1_CSIDriverList(ref),
-		"k8s.io/api/storage/v1.CSIDriverSpec":                                                                   schema_k8sio_api_storage_v1_CSIDriverSpec(ref),
-		"k8s.io/api/storage/v1.CSINode":                                                                         schema_k8sio_api_storage_v1_CSINode(ref),
-		"k8s.io/api/storage/v1.CSINodeDriver":                                                                   schema_k8sio_api_storage_v1_CSINodeDriver(ref),
-		"k8s.io/api/storage/v1.CSINodeList":                                                                     schema_k8sio_api_storage_v1_CSINodeList(ref),
-		"k8s.io/api/storage/v1.CSINodeSpec":                                                                     schema_k8sio_api_storage_v1_CSINodeSpec(ref),
-		"k8s.io/api/storage/v1.CSIStorageCapacity":                                                              schema_k8sio_api_storage_v1_CSIStorageCapacity(ref),
-		"k8s.io/api/storage/v1.CSIStorageCapacityList":                                                          schema_k8sio_api_storage_v1_CSIStorageCapacityList(ref),
-		"k8s.io/api/storage/v1.StorageClass":                                                                    schema_k8sio_api_storage_v1_StorageClass(ref),
-		"k8s.io/api/storage/v1.StorageClassList":                                                                schema_k8sio_api_storage_v1_StorageClassList(ref),
-		"k8s.io/api/storage/v1.TokenRequest":                                                                    schema_k8sio_api_storage_v1_TokenRequest(ref),
-		"k8s.io/api/storage/v1.VolumeAttachment":                                                                schema_k8sio_api_storage_v1_VolumeAttachment(ref),
-		"k8s.io/api/storage/v1.VolumeAttachmentList":                                                            schema_k8sio_api_storage_v1_VolumeAttachmentList(ref),
-		"k8s.io/api/storage/v1.VolumeAttachmentSource":                                                          schema_k8sio_api_storage_v1_VolumeAttachmentSource(ref),
-		"k8s.io/api/storage/v1.VolumeAttachmentSpec":                                                            schema_k8sio_api_storage_v1_VolumeAttachmentSpec(ref),
-		"k8s.io/api/storage/v1.VolumeAttachmentStatus":                                                          schema_k8sio_api_storage_v1_VolumeAttachmentStatus(ref),
-		"k8s.io/api/storage/v1.VolumeAttributesClass":                                                           schema_k8sio_api_storage_v1_VolumeAttributesClass(ref),
-		"k8s.io/api/storage/v1.VolumeAttributesClassList":                                                       schema_k8sio_api_storage_v1_VolumeAttributesClassList(ref),
-		"k8s.io/api/storage/v1.VolumeError":                                                                     schema_k8sio_api_storage_v1_VolumeError(ref),
-		"k8s.io/api/storage/v1.VolumeNodeResources":                                                             schema_k8sio_api_storage_v1_VolumeNodeResources(ref),
-		"k8s.io/api/storage/v1alpha1.CSIStorageCapacity":                                                        schema_k8sio_api_storage_v1alpha1_CSIStorageCapacity(ref),
-		"k8s.io/api/storage/v1alpha1.CSIStorageCapacityList":                                                    schema_k8sio_api_storage_v1alpha1_CSIStorageCapacityList(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttachment":                                                          schema_k8sio_api_storage_v1alpha1_VolumeAttachment(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttachmentList":                                                      schema_k8sio_api_storage_v1alpha1_VolumeAttachmentList(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttachmentSource":                                                    schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSource(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttachmentSpec":                                                      schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSpec(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttachmentStatus":                                                    schema_k8sio_api_storage_v1alpha1_VolumeAttachmentStatus(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttributesClass":                                                     schema_k8sio_api_storage_v1alpha1_VolumeAttributesClass(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeAttributesClassList":                                                 schema_k8sio_api_storage_v1alpha1_VolumeAttributesClassList(ref),
-		"k8s.io/api/storage/v1alpha1.VolumeError":                                                               schema_k8sio_api_storage_v1alpha1_VolumeError(ref),
-		"k8s.io/api/storage/v1beta1.CSIDriver":                                                                  schema_k8sio_api_storage_v1beta1_CSIDriver(ref),
-		"k8s.io/api/storage/v1beta1.CSIDriverList":                                                              schema_k8sio_api_storage_v1beta1_CSIDriverList(ref),
-		"k8s.io/api/storage/v1beta1.CSIDriverSpec":                                                              schema_k8sio_api_storage_v1beta1_CSIDriverSpec(ref),
-		"k8s.io/api/storage/v1beta1.CSINode":                                                                    schema_k8sio_api_storage_v1beta1_CSINode(ref),
-		"k8s.io/api/storage/v1beta1.CSINodeDriver":                                                              schema_k8sio_api_storage_v1beta1_CSINodeDriver(ref),
-		"k8s.io/api/storage/v1beta1.CSINodeList":                                                                schema_k8sio_api_storage_v1beta1_CSINodeList(ref),
-		"k8s.io/api/storage/v1beta1.CSINodeSpec":                                                                schema_k8sio_api_storage_v1beta1_CSINodeSpec(ref),
-		"k8s.io/api/storage/v1beta1.CSIStorageCapacity":                                                         schema_k8sio_api_storage_v1beta1_CSIStorageCapacity(ref),
-		"k8s.io/api/storage/v1beta1.CSIStorageCapacityList":                                                     schema_k8sio_api_storage_v1beta1_CSIStorageCapacityList(ref),
-		"k8s.io/api/storage/v1beta1.StorageClass":                                                               schema_k8sio_api_storage_v1beta1_StorageClass(ref),
-		"k8s.io/api/storage/v1beta1.StorageClassList":                                                           schema_k8sio_api_storage_v1beta1_StorageClassList(ref),
-		"k8s.io/api/storage/v1beta1.TokenRequest":                                                               schema_k8sio_api_storage_v1beta1_TokenRequest(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttachment":                                                           schema_k8sio_api_storage_v1beta1_VolumeAttachment(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttachmentList":                                                       schema_k8sio_api_storage_v1beta1_VolumeAttachmentList(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttachmentSource":                                                     schema_k8sio_api_storage_v1beta1_VolumeAttachmentSource(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttachmentSpec":                                                       schema_k8sio_api_storage_v1beta1_VolumeAttachmentSpec(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttachmentStatus":                                                     schema_k8sio_api_storage_v1beta1_VolumeAttachmentStatus(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttributesClass":                                                      schema_k8sio_api_storage_v1beta1_VolumeAttributesClass(ref),
-		"k8s.io/api/storage/v1beta1.VolumeAttributesClassList":                                                  schema_k8sio_api_storage_v1beta1_VolumeAttributesClassList(ref),
-		"k8s.io/api/storage/v1beta1.VolumeError":                                                                schema_k8sio_api_storage_v1beta1_VolumeError(ref),
-		"k8s.io/api/storage/v1beta1.VolumeNodeResources":                                                        schema_k8sio_api_storage_v1beta1_VolumeNodeResources(ref),
-		"k8s.io/api/storagemigration/v1alpha1.GroupVersionResource":                                             schema_k8sio_api_storagemigration_v1alpha1_GroupVersionResource(ref),
-		"k8s.io/api/storagemigration/v1alpha1.MigrationCondition":                                               schema_k8sio_api_storagemigration_v1alpha1_MigrationCondition(ref),
-		"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigration":                                          schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigration(ref),
-		"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationList":                                      schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationList(ref),
-		"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationSpec":                                      schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationSpec(ref),
-		"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationStatus":                                    schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest":                            schema_pkg_apis_apiextensions_v1_ConversionRequest(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse":                           schema_pkg_apis_apiextensions_v1_ConversionResponse(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionReview":                             schema_pkg_apis_apiextensions_v1_ConversionReview(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition":               schema_pkg_apis_apiextensions_v1_CustomResourceColumnDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion":                     schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition":                     schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition":            schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionList":                 schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames":                schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionNames(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec":                 schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus":               schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion":              schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale":               schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceScale(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus":              schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources":                   schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation":                     schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation":                        schema_pkg_apis_apiextensions_v1_ExternalDocumentation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON":                                         schema_pkg_apis_apiextensions_v1_JSON(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps":                              schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray":                       schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool":                        schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrBool(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray":                 schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrStringArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField":                              schema_pkg_apis_apiextensions_v1_SelectableField(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference":                             schema_pkg_apis_apiextensions_v1_ServiceReference(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule":                               schema_pkg_apis_apiextensions_v1_ValidationRule(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig":                          schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion":                            schema_pkg_apis_apiextensions_v1_WebhookConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest":                       schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse":                      schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionReview":                        schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceColumnDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion":                schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition":                schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition":       schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionList":            schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames":           schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionNames(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec":            schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion":         schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceScale(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus":         schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources":              schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation":                schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation":                   schema_pkg_apis_apiextensions_v1beta1_ExternalDocumentation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON":                                    schema_pkg_apis_apiextensions_v1beta1_JSON(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps":                         schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray":                  schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool":                   schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrBool(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray":            schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrStringArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField":                         schema_pkg_apis_apiextensions_v1beta1_SelectableField(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference":                        schema_pkg_apis_apiextensions_v1beta1_ServiceReference(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule":                          schema_pkg_apis_apiextensions_v1beta1_ValidationRule(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig":                     schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref),
-		"k8s.io/apimachinery/pkg/api/resource.Quantity":                                                         schema_apimachinery_pkg_api_resource_Quantity(ref),
-		"k8s.io/apimachinery/pkg/api/resource.int64Amount":                                                      schema_apimachinery_pkg_api_resource_int64Amount(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                         schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                                     schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                      schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                                  schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                      schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                                                     schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                        schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                                    schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                                    schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                         schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement":                                         schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                         schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                       schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                        schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                                    schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                                     schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                         schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                                 schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                             schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                                    schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                                    schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                         schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                             schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                         schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                      schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                               schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                        schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                       schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                                   schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                            schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                        schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                            schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                                     schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                                    schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                        schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                        schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                           schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                      schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                                    schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                            schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                            schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                                     schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                         schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                                schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                             schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                        schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                         schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                                    schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                       schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1beta1.PartialObjectMetadataList":                                   schema_pkg_apis_meta_v1beta1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.Carp":                                                     schema_pkg_apis_testapigroup_v1_Carp(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpCondition":                                            schema_pkg_apis_testapigroup_v1_CarpCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpInfo":                                                 schema_pkg_apis_testapigroup_v1_CarpInfo(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpList":                                                 schema_pkg_apis_testapigroup_v1_CarpList(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpSpec":                                                 schema_pkg_apis_testapigroup_v1_CarpSpec(ref),
-		"k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpStatus":                                               schema_pkg_apis_testapigroup_v1_CarpStatus(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                          schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                              schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                               schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/util/intstr.IntOrString":                                                       schema_apimachinery_pkg_util_intstr_IntOrString(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                                  schema_k8sio_apimachinery_pkg_version_Info(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.Event":                                                              schema_pkg_apis_audit_v1_Event(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.EventList":                                                          schema_pkg_apis_audit_v1_EventList(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.GroupResources":                                                     schema_pkg_apis_audit_v1_GroupResources(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.ObjectReference":                                                    schema_pkg_apis_audit_v1_ObjectReference(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.Policy":                                                             schema_pkg_apis_audit_v1_Policy(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.PolicyList":                                                         schema_pkg_apis_audit_v1_PolicyList(ref),
-		"k8s.io/apiserver/pkg/apis/audit/v1.PolicyRule":                                                         schema_pkg_apis_audit_v1_PolicyRule(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1.Cluster":                                             schema_pkg_apis_clientauthentication_v1_Cluster(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredential":                                      schema_pkg_apis_clientauthentication_v1_ExecCredential(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialSpec":                                  schema_pkg_apis_clientauthentication_v1_ExecCredentialSpec(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialStatus":                                schema_pkg_apis_clientauthentication_v1_ExecCredentialStatus(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.Cluster":                                        schema_pkg_apis_clientauthentication_v1beta1_Cluster(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredential":                                 schema_pkg_apis_clientauthentication_v1beta1_ExecCredential(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialSpec":                             schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialSpec(ref),
-		"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialStatus":                           schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialStatus(ref),
-		"k8s.io/cloud-provider/config/v1alpha1.CloudControllerManagerConfiguration":                             schema_k8sio_cloud_provider_config_v1alpha1_CloudControllerManagerConfiguration(ref),
-		"k8s.io/cloud-provider/config/v1alpha1.CloudProviderConfiguration":                                      schema_k8sio_cloud_provider_config_v1alpha1_CloudProviderConfiguration(ref),
-		"k8s.io/cloud-provider/config/v1alpha1.KubeCloudSharedConfiguration":                                    schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(ref),
-		"k8s.io/cloud-provider/config/v1alpha1.WebhookConfiguration":                                            schema_k8sio_cloud_provider_config_v1alpha1_WebhookConfiguration(ref),
-		"k8s.io/controller-manager/config/v1alpha1.ControllerLeaderConfiguration":                               schema_k8sio_controller_manager_config_v1alpha1_ControllerLeaderConfiguration(ref),
-		"k8s.io/controller-manager/config/v1alpha1.GenericControllerManagerConfiguration":                       schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerConfiguration(ref),
-		"k8s.io/controller-manager/config/v1alpha1.LeaderMigrationConfiguration":                                schema_k8sio_controller_manager_config_v1alpha1_LeaderMigrationConfiguration(ref),
-		"k8s.io/controller-manager/config/v1beta1.ControllerLeaderConfiguration":                                schema_k8sio_controller_manager_config_v1beta1_ControllerLeaderConfiguration(ref),
-		"k8s.io/controller-manager/config/v1beta1.LeaderMigrationConfiguration":                                 schema_k8sio_controller_manager_config_v1beta1_LeaderMigrationConfiguration(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService":                                         schema_pkg_apis_apiregistration_v1_APIService(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition":                                schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceList":                                     schema_pkg_apis_apiregistration_v1_APIServiceList(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec":                                     schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus":                                   schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference":                                   schema_pkg_apis_apiregistration_v1_ServiceReference(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService":                                    schema_pkg_apis_apiregistration_v1beta1_APIService(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition":                           schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceList":                                schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec":                                schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus":                              schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference":                              schema_pkg_apis_apiregistration_v1beta1_ServiceReference(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.AttachDetachControllerConfiguration":                    schema_k8sio_kube_controller_manager_config_v1alpha1_AttachDetachControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration":                                schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningControllerConfiguration":                      schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.CronJobControllerConfiguration":                         schema_k8sio_kube_controller_manager_config_v1alpha1_CronJobControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.DaemonSetControllerConfiguration":                       schema_k8sio_kube_controller_manager_config_v1alpha1_DaemonSetControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.DeploymentControllerConfiguration":                      schema_k8sio_kube_controller_manager_config_v1alpha1_DeploymentControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.DeprecatedControllerConfiguration":                      schema_k8sio_kube_controller_manager_config_v1alpha1_DeprecatedControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.EndpointControllerConfiguration":                        schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceControllerConfiguration":                   schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceMirroringControllerConfiguration":          schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceMirroringControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.EphemeralVolumeControllerConfiguration":                 schema_k8sio_kube_controller_manager_config_v1alpha1_EphemeralVolumeControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.GarbageCollectorControllerConfiguration":                schema_k8sio_kube_controller_manager_config_v1alpha1_GarbageCollectorControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.GroupResource":                                          schema_k8sio_kube_controller_manager_config_v1alpha1_GroupResource(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.HPAControllerConfiguration":                             schema_k8sio_kube_controller_manager_config_v1alpha1_HPAControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.JobControllerConfiguration":                             schema_k8sio_kube_controller_manager_config_v1alpha1_JobControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.KubeControllerManagerConfiguration":                     schema_k8sio_kube_controller_manager_config_v1alpha1_KubeControllerManagerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.LegacySATokenCleanerConfiguration":                      schema_k8sio_kube_controller_manager_config_v1alpha1_LegacySATokenCleanerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.NamespaceControllerConfiguration":                       schema_k8sio_kube_controller_manager_config_v1alpha1_NamespaceControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.NodeIPAMControllerConfiguration":                        schema_k8sio_kube_controller_manager_config_v1alpha1_NodeIPAMControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.NodeLifecycleControllerConfiguration":                   schema_k8sio_kube_controller_manager_config_v1alpha1_NodeLifecycleControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeBinderControllerConfiguration":          schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinderControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeRecyclerConfiguration":                  schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeRecyclerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.PodGCControllerConfiguration":                           schema_k8sio_kube_controller_manager_config_v1alpha1_PodGCControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.ReplicaSetControllerConfiguration":                      schema_k8sio_kube_controller_manager_config_v1alpha1_ReplicaSetControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.ReplicationControllerConfiguration":                     schema_k8sio_kube_controller_manager_config_v1alpha1_ReplicationControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.ResourceQuotaControllerConfiguration":                   schema_k8sio_kube_controller_manager_config_v1alpha1_ResourceQuotaControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.SAControllerConfiguration":                              schema_k8sio_kube_controller_manager_config_v1alpha1_SAControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.StatefulSetControllerConfiguration":                     schema_k8sio_kube_controller_manager_config_v1alpha1_StatefulSetControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.TTLAfterFinishedControllerConfiguration":                schema_k8sio_kube_controller_manager_config_v1alpha1_TTLAfterFinishedControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration": schema_k8sio_kube_controller_manager_config_v1alpha1_ValidatingAdmissionPolicyStatusControllerConfiguration(ref),
-		"k8s.io/kube-controller-manager/config/v1alpha1.VolumeConfiguration":                                    schema_k8sio_kube_controller_manager_config_v1alpha1_VolumeConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.DetectLocalConfiguration":                                            schema_k8sio_kube_proxy_config_v1alpha1_DetectLocalConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyConfiguration":                                              schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyConntrackConfiguration":                                     schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPTablesConfiguration":                                      schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPTablesConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPVSConfiguration":                                          schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPVSConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyNFTablesConfiguration":                                      schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref),
-		"k8s.io/kube-proxy/config/v1alpha1.KubeProxyWinkernelConfiguration":                                     schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyWinkernelConfiguration(ref),
-		"k8s.io/kube-scheduler/config/v1.DefaultPreemptionArgs":                                                 schema_k8sio_kube_scheduler_config_v1_DefaultPreemptionArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.DynamicResourcesArgs":                                                  schema_k8sio_kube_scheduler_config_v1_DynamicResourcesArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.Extender":                                                              schema_k8sio_kube_scheduler_config_v1_Extender(ref),
-		"k8s.io/kube-scheduler/config/v1.ExtenderManagedResource":                                               schema_k8sio_kube_scheduler_config_v1_ExtenderManagedResource(ref),
-		"k8s.io/kube-scheduler/config/v1.ExtenderTLSConfig":                                                     schema_k8sio_kube_scheduler_config_v1_ExtenderTLSConfig(ref),
-		"k8s.io/kube-scheduler/config/v1.InterPodAffinityArgs":                                                  schema_k8sio_kube_scheduler_config_v1_InterPodAffinityArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.KubeSchedulerConfiguration":                                            schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref),
-		"k8s.io/kube-scheduler/config/v1.KubeSchedulerProfile":                                                  schema_k8sio_kube_scheduler_config_v1_KubeSchedulerProfile(ref),
-		"k8s.io/kube-scheduler/config/v1.NodeAffinityArgs":                                                      schema_k8sio_kube_scheduler_config_v1_NodeAffinityArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.NodeResourcesBalancedAllocationArgs":                                   schema_k8sio_kube_scheduler_config_v1_NodeResourcesBalancedAllocationArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.NodeResourcesFitArgs":                                                  schema_k8sio_kube_scheduler_config_v1_NodeResourcesFitArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.Plugin":                                                                schema_k8sio_kube_scheduler_config_v1_Plugin(ref),
-		"k8s.io/kube-scheduler/config/v1.PluginConfig":                                                          schema_k8sio_kube_scheduler_config_v1_PluginConfig(ref),
-		"k8s.io/kube-scheduler/config/v1.PluginSet":                                                             schema_k8sio_kube_scheduler_config_v1_PluginSet(ref),
-		"k8s.io/kube-scheduler/config/v1.Plugins":                                                               schema_k8sio_kube_scheduler_config_v1_Plugins(ref),
-		"k8s.io/kube-scheduler/config/v1.PodTopologySpreadArgs":                                                 schema_k8sio_kube_scheduler_config_v1_PodTopologySpreadArgs(ref),
-		"k8s.io/kube-scheduler/config/v1.RequestedToCapacityRatioParam":                                         schema_k8sio_kube_scheduler_config_v1_RequestedToCapacityRatioParam(ref),
-		"k8s.io/kube-scheduler/config/v1.ResourceSpec":                                                          schema_k8sio_kube_scheduler_config_v1_ResourceSpec(ref),
-		"k8s.io/kube-scheduler/config/v1.ScoringStrategy":                                                       schema_k8sio_kube_scheduler_config_v1_ScoringStrategy(ref),
-		"k8s.io/kube-scheduler/config/v1.UtilizationShapePoint":                                                 schema_k8sio_kube_scheduler_config_v1_UtilizationShapePoint(ref),
-		"k8s.io/kube-scheduler/config/v1.VolumeBindingArgs":                                                     schema_k8sio_kube_scheduler_config_v1_VolumeBindingArgs(ref),
-		"k8s.io/kubectl/pkg/config/v1alpha1.AliasOverride":                                                      schema_kubectl_pkg_config_v1alpha1_AliasOverride(ref),
-		"k8s.io/kubectl/pkg/config/v1alpha1.CommandDefaults":                                                    schema_kubectl_pkg_config_v1alpha1_CommandDefaults(ref),
-		"k8s.io/kubectl/pkg/config/v1alpha1.CommandOptionDefault":                                               schema_kubectl_pkg_config_v1alpha1_CommandOptionDefault(ref),
-		"k8s.io/kubectl/pkg/config/v1alpha1.Preference":                                                         schema_kubectl_pkg_config_v1alpha1_Preference(ref),
-		"k8s.io/kubectl/pkg/config/v1beta1.AliasOverride":                                                       schema_kubectl_pkg_config_v1beta1_AliasOverride(ref),
-		"k8s.io/kubectl/pkg/config/v1beta1.CommandDefaults":                                                     schema_kubectl_pkg_config_v1beta1_CommandDefaults(ref),
-		"k8s.io/kubectl/pkg/config/v1beta1.CommandOptionDefault":                                                schema_kubectl_pkg_config_v1beta1_CommandOptionDefault(ref),
-		"k8s.io/kubectl/pkg/config/v1beta1.Preference":                                                          schema_kubectl_pkg_config_v1beta1_Preference(ref),
-		"k8s.io/kubelet/config/v1.CredentialProvider":                                                           schema_k8sio_kubelet_config_v1_CredentialProvider(ref),
-		"k8s.io/kubelet/config/v1.CredentialProviderConfig":                                                     schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref),
-		"k8s.io/kubelet/config/v1.ExecEnvVar":                                                                   schema_k8sio_kubelet_config_v1_ExecEnvVar(ref),
-		"k8s.io/kubelet/config/v1.ServiceAccountTokenAttributes":                                                schema_k8sio_kubelet_config_v1_ServiceAccountTokenAttributes(ref),
-		"k8s.io/kubelet/config/v1alpha1.CredentialProvider":                                                     schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref),
-		"k8s.io/kubelet/config/v1alpha1.CredentialProviderConfig":                                               schema_k8sio_kubelet_config_v1alpha1_CredentialProviderConfig(ref),
-		"k8s.io/kubelet/config/v1alpha1.ExecEnvVar":                                                             schema_k8sio_kubelet_config_v1alpha1_ExecEnvVar(ref),
-		"k8s.io/kubelet/config/v1alpha1.ImagePullCredentials":                                                   schema_k8sio_kubelet_config_v1alpha1_ImagePullCredentials(ref),
-		"k8s.io/kubelet/config/v1alpha1.ImagePullIntent":                                                        schema_k8sio_kubelet_config_v1alpha1_ImagePullIntent(ref),
-		"k8s.io/kubelet/config/v1alpha1.ImagePullSecret":                                                        schema_k8sio_kubelet_config_v1alpha1_ImagePullSecret(ref),
-		"k8s.io/kubelet/config/v1alpha1.ImagePullServiceAccount":                                                schema_k8sio_kubelet_config_v1alpha1_ImagePullServiceAccount(ref),
-		"k8s.io/kubelet/config/v1alpha1.ImagePulledRecord":                                                      schema_k8sio_kubelet_config_v1alpha1_ImagePulledRecord(ref),
-		"k8s.io/kubelet/config/v1beta1.CrashLoopBackOffConfig":                                                  schema_k8sio_kubelet_config_v1beta1_CrashLoopBackOffConfig(ref),
-		"k8s.io/kubelet/config/v1beta1.CredentialProvider":                                                      schema_k8sio_kubelet_config_v1beta1_CredentialProvider(ref),
-		"k8s.io/kubelet/config/v1beta1.CredentialProviderConfig":                                                schema_k8sio_kubelet_config_v1beta1_CredentialProviderConfig(ref),
-		"k8s.io/kubelet/config/v1beta1.ExecEnvVar":                                                              schema_k8sio_kubelet_config_v1beta1_ExecEnvVar(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletAnonymousAuthentication":                                          schema_k8sio_kubelet_config_v1beta1_KubeletAnonymousAuthentication(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletAuthentication":                                                   schema_k8sio_kubelet_config_v1beta1_KubeletAuthentication(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletAuthorization":                                                    schema_k8sio_kubelet_config_v1beta1_KubeletAuthorization(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletConfiguration":                                                    schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthentication":                                            schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthentication(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthorization":                                             schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthorization(ref),
-		"k8s.io/kubelet/config/v1beta1.KubeletX509Authentication":                                               schema_k8sio_kubelet_config_v1beta1_KubeletX509Authentication(ref),
-		"k8s.io/kubelet/config/v1beta1.MemoryReservation":                                                       schema_k8sio_kubelet_config_v1beta1_MemoryReservation(ref),
-		"k8s.io/kubelet/config/v1beta1.MemorySwapConfiguration":                                                 schema_k8sio_kubelet_config_v1beta1_MemorySwapConfiguration(ref),
-		"k8s.io/kubelet/config/v1beta1.SerializedNodeConfigSource":                                              schema_k8sio_kubelet_config_v1beta1_SerializedNodeConfigSource(ref),
-		"k8s.io/kubelet/config/v1beta1.ShutdownGracePeriodByPodPriority":                                        schema_k8sio_kubelet_config_v1beta1_ShutdownGracePeriodByPodPriority(ref),
-		"k8s.io/kubelet/config/v1beta1.UserNamespaces":                                                          schema_k8sio_kubelet_config_v1beta1_UserNamespaces(ref),
-		"k8s.io/kubernetes/pkg/apis/abac/v1beta1.Policy":                                                        schema_pkg_apis_abac_v1beta1_Policy(ref),
-		"k8s.io/kubernetes/pkg/apis/abac/v1beta1.PolicySpec":                                                    schema_pkg_apis_abac_v1beta1_PolicySpec(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta1.MetricListOptions":                                      schema_pkg_apis_custom_metrics_v1beta1_MetricListOptions(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta1.MetricValue":                                            schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta1.MetricValueList":                                        schema_pkg_apis_custom_metrics_v1beta1_MetricValueList(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricIdentifier":                                       schema_pkg_apis_custom_metrics_v1beta2_MetricIdentifier(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricListOptions":                                      schema_pkg_apis_custom_metrics_v1beta2_MetricListOptions(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricValue":                                            schema_pkg_apis_custom_metrics_v1beta2_MetricValue(ref),
-		"k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricValueList":                                        schema_pkg_apis_custom_metrics_v1beta2_MetricValueList(ref),
-		"k8s.io/metrics/pkg/apis/external_metrics/v1beta1.ExternalMetricValue":                                  schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValue(ref),
-		"k8s.io/metrics/pkg/apis/external_metrics/v1beta1.ExternalMetricValueList":                              schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValueList(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1alpha1.ContainerMetrics":                                             schema_pkg_apis_metrics_v1alpha1_ContainerMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1alpha1.NodeMetrics":                                                  schema_pkg_apis_metrics_v1alpha1_NodeMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1alpha1.NodeMetricsList":                                              schema_pkg_apis_metrics_v1alpha1_NodeMetricsList(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1alpha1.PodMetrics":                                                   schema_pkg_apis_metrics_v1alpha1_PodMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1alpha1.PodMetricsList":                                               schema_pkg_apis_metrics_v1alpha1_PodMetricsList(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1beta1.ContainerMetrics":                                              schema_pkg_apis_metrics_v1beta1_ContainerMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1beta1.NodeMetrics":                                                   schema_pkg_apis_metrics_v1beta1_NodeMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1beta1.NodeMetricsList":                                               schema_pkg_apis_metrics_v1beta1_NodeMetricsList(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1beta1.PodMetrics":                                                    schema_pkg_apis_metrics_v1beta1_PodMetrics(ref),
-		"k8s.io/metrics/pkg/apis/metrics/v1beta1.PodMetricsList":                                                schema_pkg_apis_metrics_v1beta1_PodMetricsList(ref),
+		v1.AuditAnnotation{}.OpenAPIModelName():                                                                         schema_k8sio_api_admissionregistration_v1_AuditAnnotation(ref),
+		v1.ExpressionWarning{}.OpenAPIModelName():                                                                       schema_k8sio_api_admissionregistration_v1_ExpressionWarning(ref),
+		v1.MatchCondition{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1_MatchCondition(ref),
+		v1.MatchResources{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1_MatchResources(ref),
+		v1.MutatingWebhook{}.OpenAPIModelName():                                                                         schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref),
+		v1.MutatingWebhookConfiguration{}.OpenAPIModelName():                                                            schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfiguration(ref),
+		v1.MutatingWebhookConfigurationList{}.OpenAPIModelName():                                                        schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfigurationList(ref),
+		v1.NamedRuleWithOperations{}.OpenAPIModelName():                                                                 schema_k8sio_api_admissionregistration_v1_NamedRuleWithOperations(ref),
+		v1.ParamKind{}.OpenAPIModelName():                                                                               schema_k8sio_api_admissionregistration_v1_ParamKind(ref),
+		v1.ParamRef{}.OpenAPIModelName():                                                                                schema_k8sio_api_admissionregistration_v1_ParamRef(ref),
+		v1.Rule{}.OpenAPIModelName():                                                                                    schema_k8sio_api_admissionregistration_v1_Rule(ref),
+		v1.RuleWithOperations{}.OpenAPIModelName():                                                                      schema_k8sio_api_admissionregistration_v1_RuleWithOperations(ref),
+		v1.ServiceReference{}.OpenAPIModelName():                                                                        schema_k8sio_api_admissionregistration_v1_ServiceReference(ref),
+		v1.TypeChecking{}.OpenAPIModelName():                                                                            schema_k8sio_api_admissionregistration_v1_TypeChecking(ref),
+		v1.ValidatingAdmissionPolicy{}.OpenAPIModelName():                                                               schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicy(ref),
+		v1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName():                                                        schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBinding(ref),
+		v1.ValidatingAdmissionPolicyBindingList{}.OpenAPIModelName():                                                    schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingList(ref),
+		v1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName():                                                    schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingSpec(ref),
+		v1.ValidatingAdmissionPolicyList{}.OpenAPIModelName():                                                           schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyList(ref),
+		v1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName():                                                           schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref),
+		v1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyStatus(ref),
+		v1.ValidatingWebhook{}.OpenAPIModelName():                                                                       schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref),
+		v1.ValidatingWebhookConfiguration{}.OpenAPIModelName():                                                          schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfiguration(ref),
+		v1.ValidatingWebhookConfigurationList{}.OpenAPIModelName():                                                      schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfigurationList(ref),
+		v1.Validation{}.OpenAPIModelName():                                                                              schema_k8sio_api_admissionregistration_v1_Validation(ref),
+		v1.Variable{}.OpenAPIModelName():                                                                                schema_k8sio_api_admissionregistration_v1_Variable(ref),
+		v1.WebhookClientConfig{}.OpenAPIModelName():                                                                     schema_k8sio_api_admissionregistration_v1_WebhookClientConfig(ref),
+		v1alpha1.ApplyConfiguration{}.OpenAPIModelName():                                                                schema_k8sio_api_admissionregistration_v1alpha1_ApplyConfiguration(ref),
+		v1alpha1.AuditAnnotation{}.OpenAPIModelName():                                                                   schema_k8sio_api_admissionregistration_v1alpha1_AuditAnnotation(ref),
+		v1alpha1.ExpressionWarning{}.OpenAPIModelName():                                                                 schema_k8sio_api_admissionregistration_v1alpha1_ExpressionWarning(ref),
+		v1alpha1.JSONPatch{}.OpenAPIModelName():                                                                         schema_k8sio_api_admissionregistration_v1alpha1_JSONPatch(ref),
+		v1alpha1.MatchCondition{}.OpenAPIModelName():                                                                    schema_k8sio_api_admissionregistration_v1alpha1_MatchCondition(ref),
+		v1alpha1.MatchResources{}.OpenAPIModelName():                                                                    schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref),
+		v1alpha1.MutatingAdmissionPolicy{}.OpenAPIModelName():                                                           schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicy(ref),
+		v1alpha1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName():                                                    schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBinding(ref),
+		v1alpha1.MutatingAdmissionPolicyBindingList{}.OpenAPIModelName():                                                schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBindingList(ref),
+		v1alpha1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName():                                                schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBindingSpec(ref),
+		v1alpha1.MutatingAdmissionPolicyList{}.OpenAPIModelName():                                                       schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyList(ref),
+		v1alpha1.MutatingAdmissionPolicySpec{}.OpenAPIModelName():                                                       schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec(ref),
+		v1alpha1.Mutation{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1alpha1_Mutation(ref),
+		v1alpha1.NamedRuleWithOperations{}.OpenAPIModelName():                                                           schema_k8sio_api_admissionregistration_v1alpha1_NamedRuleWithOperations(ref),
+		v1alpha1.ParamKind{}.OpenAPIModelName():                                                                         schema_k8sio_api_admissionregistration_v1alpha1_ParamKind(ref),
+		v1alpha1.ParamRef{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1alpha1_ParamRef(ref),
+		v1alpha1.TypeChecking{}.OpenAPIModelName():                                                                      schema_k8sio_api_admissionregistration_v1alpha1_TypeChecking(ref),
+		v1alpha1.ValidatingAdmissionPolicy{}.OpenAPIModelName():                                                         schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicy(ref),
+		v1alpha1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName():                                                  schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBinding(ref),
+		v1alpha1.ValidatingAdmissionPolicyBindingList{}.OpenAPIModelName():                                              schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBindingList(ref),
+		v1alpha1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName():                                              schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBindingSpec(ref),
+		v1alpha1.ValidatingAdmissionPolicyList{}.OpenAPIModelName():                                                     schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyList(ref),
+		v1alpha1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName():                                                     schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySpec(ref),
+		v1alpha1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName():                                                   schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyStatus(ref),
+		v1alpha1.Validation{}.OpenAPIModelName():                                                                        schema_k8sio_api_admissionregistration_v1alpha1_Validation(ref),
+		v1alpha1.Variable{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1alpha1_Variable(ref),
+		v1beta1.ApplyConfiguration{}.OpenAPIModelName():                                                                 schema_k8sio_api_admissionregistration_v1beta1_ApplyConfiguration(ref),
+		v1beta1.AuditAnnotation{}.OpenAPIModelName():                                                                    schema_k8sio_api_admissionregistration_v1beta1_AuditAnnotation(ref),
+		v1beta1.ExpressionWarning{}.OpenAPIModelName():                                                                  schema_k8sio_api_admissionregistration_v1beta1_ExpressionWarning(ref),
+		v1beta1.JSONPatch{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1beta1_JSONPatch(ref),
+		v1beta1.MatchCondition{}.OpenAPIModelName():                                                                     schema_k8sio_api_admissionregistration_v1beta1_MatchCondition(ref),
+		v1beta1.MatchResources{}.OpenAPIModelName():                                                                     schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref),
+		v1beta1.MutatingAdmissionPolicy{}.OpenAPIModelName():                                                            schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicy(ref),
+		v1beta1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName():                                                     schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBinding(ref),
+		v1beta1.MutatingAdmissionPolicyBindingList{}.OpenAPIModelName():                                                 schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindingList(ref),
+		v1beta1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName():                                                 schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindingSpec(ref),
+		v1beta1.MutatingAdmissionPolicyList{}.OpenAPIModelName():                                                        schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyList(ref),
+		v1beta1.MutatingAdmissionPolicySpec{}.OpenAPIModelName():                                                        schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(ref),
+		v1beta1.MutatingWebhook{}.OpenAPIModelName():                                                                    schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref),
+		v1beta1.MutatingWebhookConfiguration{}.OpenAPIModelName():                                                       schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration(ref),
+		v1beta1.MutatingWebhookConfigurationList{}.OpenAPIModelName():                                                   schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfigurationList(ref),
+		v1beta1.Mutation{}.OpenAPIModelName():                                                                           schema_k8sio_api_admissionregistration_v1beta1_Mutation(ref),
+		v1beta1.NamedRuleWithOperations{}.OpenAPIModelName():                                                            schema_k8sio_api_admissionregistration_v1beta1_NamedRuleWithOperations(ref),
+		v1beta1.ParamKind{}.OpenAPIModelName():                                                                          schema_k8sio_api_admissionregistration_v1beta1_ParamKind(ref),
+		v1beta1.ParamRef{}.OpenAPIModelName():                                                                           schema_k8sio_api_admissionregistration_v1beta1_ParamRef(ref),
+		v1beta1.ServiceReference{}.OpenAPIModelName():                                                                   schema_k8sio_api_admissionregistration_v1beta1_ServiceReference(ref),
+		v1beta1.TypeChecking{}.OpenAPIModelName():                                                                       schema_k8sio_api_admissionregistration_v1beta1_TypeChecking(ref),
+		v1beta1.ValidatingAdmissionPolicy{}.OpenAPIModelName():                                                          schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicy(ref),
+		v1beta1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName():                                                   schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBinding(ref),
+		v1beta1.ValidatingAdmissionPolicyBindingList{}.OpenAPIModelName():                                               schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBindingList(ref),
+		v1beta1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName():                                               schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBindingSpec(ref),
+		v1beta1.ValidatingAdmissionPolicyList{}.OpenAPIModelName():                                                      schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyList(ref),
+		v1beta1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName():                                                      schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpec(ref),
+		v1beta1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName():                                                    schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyStatus(ref),
+		v1beta1.ValidatingWebhook{}.OpenAPIModelName():                                                                  schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref),
+		v1beta1.ValidatingWebhookConfiguration{}.OpenAPIModelName():                                                     schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfiguration(ref),
+		v1beta1.ValidatingWebhookConfigurationList{}.OpenAPIModelName():                                                 schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurationList(ref),
+		v1beta1.Validation{}.OpenAPIModelName():                                                                         schema_k8sio_api_admissionregistration_v1beta1_Validation(ref),
+		v1beta1.Variable{}.OpenAPIModelName():                                                                           schema_k8sio_api_admissionregistration_v1beta1_Variable(ref),
+		v1beta1.WebhookClientConfig{}.OpenAPIModelName():                                                                schema_k8sio_api_admissionregistration_v1beta1_WebhookClientConfig(ref),
+		v2.APIGroupDiscovery{}.OpenAPIModelName():                                                                       schema_k8sio_api_apidiscovery_v2_APIGroupDiscovery(ref),
+		v2.APIGroupDiscoveryList{}.OpenAPIModelName():                                                                   schema_k8sio_api_apidiscovery_v2_APIGroupDiscoveryList(ref),
+		v2.APIResourceDiscovery{}.OpenAPIModelName():                                                                    schema_k8sio_api_apidiscovery_v2_APIResourceDiscovery(ref),
+		v2.APISubresourceDiscovery{}.OpenAPIModelName():                                                                 schema_k8sio_api_apidiscovery_v2_APISubresourceDiscovery(ref),
+		v2.APIVersionDiscovery{}.OpenAPIModelName():                                                                     schema_k8sio_api_apidiscovery_v2_APIVersionDiscovery(ref),
+		v2beta1.APIGroupDiscovery{}.OpenAPIModelName():                                                                  schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscovery(ref),
+		v2beta1.APIGroupDiscoveryList{}.OpenAPIModelName():                                                              schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscoveryList(ref),
+		v2beta1.APIResourceDiscovery{}.OpenAPIModelName():                                                               schema_k8sio_api_apidiscovery_v2beta1_APIResourceDiscovery(ref),
+		v2beta1.APISubresourceDiscovery{}.OpenAPIModelName():                                                            schema_k8sio_api_apidiscovery_v2beta1_APISubresourceDiscovery(ref),
+		v2beta1.APIVersionDiscovery{}.OpenAPIModelName():                                                                schema_k8sio_api_apidiscovery_v2beta1_APIVersionDiscovery(ref),
+		apiserverinternalv1alpha1.ServerStorageVersion{}.OpenAPIModelName():                                             schema_k8sio_api_apiserverinternal_v1alpha1_ServerStorageVersion(ref),
+		apiserverinternalv1alpha1.StorageVersion{}.OpenAPIModelName():                                                   schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersion(ref),
+		apiserverinternalv1alpha1.StorageVersionCondition{}.OpenAPIModelName():                                          schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionCondition(ref),
+		apiserverinternalv1alpha1.StorageVersionList{}.OpenAPIModelName():                                               schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionList(ref),
+		apiserverinternalv1alpha1.StorageVersionSpec{}.OpenAPIModelName():                                               schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionSpec(ref),
+		apiserverinternalv1alpha1.StorageVersionStatus{}.OpenAPIModelName():                                             schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionStatus(ref),
+		appsv1.ControllerRevision{}.OpenAPIModelName():                                                                  schema_k8sio_api_apps_v1_ControllerRevision(ref),
+		appsv1.ControllerRevisionList{}.OpenAPIModelName():                                                              schema_k8sio_api_apps_v1_ControllerRevisionList(ref),
+		appsv1.DaemonSet{}.OpenAPIModelName():                                                                           schema_k8sio_api_apps_v1_DaemonSet(ref),
+		appsv1.DaemonSetCondition{}.OpenAPIModelName():                                                                  schema_k8sio_api_apps_v1_DaemonSetCondition(ref),
+		appsv1.DaemonSetList{}.OpenAPIModelName():                                                                       schema_k8sio_api_apps_v1_DaemonSetList(ref),
+		appsv1.DaemonSetSpec{}.OpenAPIModelName():                                                                       schema_k8sio_api_apps_v1_DaemonSetSpec(ref),
+		appsv1.DaemonSetStatus{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1_DaemonSetStatus(ref),
+		appsv1.DaemonSetUpdateStrategy{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1_DaemonSetUpdateStrategy(ref),
+		appsv1.Deployment{}.OpenAPIModelName():                                                                          schema_k8sio_api_apps_v1_Deployment(ref),
+		appsv1.DeploymentCondition{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1_DeploymentCondition(ref),
+		appsv1.DeploymentList{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1_DeploymentList(ref),
+		appsv1.DeploymentSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1_DeploymentSpec(ref),
+		appsv1.DeploymentStatus{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1_DeploymentStatus(ref),
+		appsv1.DeploymentStrategy{}.OpenAPIModelName():                                                                  schema_k8sio_api_apps_v1_DeploymentStrategy(ref),
+		appsv1.ReplicaSet{}.OpenAPIModelName():                                                                          schema_k8sio_api_apps_v1_ReplicaSet(ref),
+		appsv1.ReplicaSetCondition{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1_ReplicaSetCondition(ref),
+		appsv1.ReplicaSetList{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1_ReplicaSetList(ref),
+		appsv1.ReplicaSetSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1_ReplicaSetSpec(ref),
+		appsv1.ReplicaSetStatus{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1_ReplicaSetStatus(ref),
+		appsv1.RollingUpdateDaemonSet{}.OpenAPIModelName():                                                              schema_k8sio_api_apps_v1_RollingUpdateDaemonSet(ref),
+		appsv1.RollingUpdateDeployment{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1_RollingUpdateDeployment(ref),
+		appsv1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName():                                                    schema_k8sio_api_apps_v1_RollingUpdateStatefulSetStrategy(ref),
+		appsv1.StatefulSet{}.OpenAPIModelName():                                                                         schema_k8sio_api_apps_v1_StatefulSet(ref),
+		appsv1.StatefulSetCondition{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1_StatefulSetCondition(ref),
+		appsv1.StatefulSetList{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1_StatefulSetList(ref),
+		appsv1.StatefulSetOrdinals{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1_StatefulSetOrdinals(ref),
+		appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName():                                     schema_k8sio_api_apps_v1_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
+		appsv1.StatefulSetSpec{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1_StatefulSetSpec(ref),
+		appsv1.StatefulSetStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_apps_v1_StatefulSetStatus(ref),
+		appsv1.StatefulSetUpdateStrategy{}.OpenAPIModelName():                                                           schema_k8sio_api_apps_v1_StatefulSetUpdateStrategy(ref),
+		appsv1beta1.ControllerRevision{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1beta1_ControllerRevision(ref),
+		appsv1beta1.ControllerRevisionList{}.OpenAPIModelName():                                                         schema_k8sio_api_apps_v1beta1_ControllerRevisionList(ref),
+		appsv1beta1.Deployment{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1beta1_Deployment(ref),
+		appsv1beta1.DeploymentCondition{}.OpenAPIModelName():                                                            schema_k8sio_api_apps_v1beta1_DeploymentCondition(ref),
+		appsv1beta1.DeploymentList{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta1_DeploymentList(ref),
+		appsv1beta1.DeploymentRollback{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1beta1_DeploymentRollback(ref),
+		appsv1beta1.DeploymentSpec{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref),
+		appsv1beta1.DeploymentStatus{}.OpenAPIModelName():                                                               schema_k8sio_api_apps_v1beta1_DeploymentStatus(ref),
+		appsv1beta1.DeploymentStrategy{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1beta1_DeploymentStrategy(ref),
+		appsv1beta1.RollbackConfig{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta1_RollbackConfig(ref),
+		appsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName():                                                        schema_k8sio_api_apps_v1beta1_RollingUpdateDeployment(ref),
+		appsv1beta1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName():                                               schema_k8sio_api_apps_v1beta1_RollingUpdateStatefulSetStrategy(ref),
+		appsv1beta1.Scale{}.OpenAPIModelName():                                                                          schema_k8sio_api_apps_v1beta1_Scale(ref),
+		appsv1beta1.ScaleSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1beta1_ScaleSpec(ref),
+		appsv1beta1.ScaleStatus{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1beta1_ScaleStatus(ref),
+		appsv1beta1.StatefulSet{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1beta1_StatefulSet(ref),
+		appsv1beta1.StatefulSetCondition{}.OpenAPIModelName():                                                           schema_k8sio_api_apps_v1beta1_StatefulSetCondition(ref),
+		appsv1beta1.StatefulSetList{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1beta1_StatefulSetList(ref),
+		appsv1beta1.StatefulSetOrdinals{}.OpenAPIModelName():                                                            schema_k8sio_api_apps_v1beta1_StatefulSetOrdinals(ref),
+		appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName():                                schema_k8sio_api_apps_v1beta1_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
+		appsv1beta1.StatefulSetSpec{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref),
+		appsv1beta1.StatefulSetStatus{}.OpenAPIModelName():                                                              schema_k8sio_api_apps_v1beta1_StatefulSetStatus(ref),
+		appsv1beta1.StatefulSetUpdateStrategy{}.OpenAPIModelName():                                                      schema_k8sio_api_apps_v1beta1_StatefulSetUpdateStrategy(ref),
+		v1beta2.ControllerRevision{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta2_ControllerRevision(ref),
+		v1beta2.ControllerRevisionList{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1beta2_ControllerRevisionList(ref),
+		v1beta2.DaemonSet{}.OpenAPIModelName():                                                                          schema_k8sio_api_apps_v1beta2_DaemonSet(ref),
+		v1beta2.DaemonSetCondition{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta2_DaemonSetCondition(ref),
+		v1beta2.DaemonSetList{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1beta2_DaemonSetList(ref),
+		v1beta2.DaemonSetSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_apps_v1beta2_DaemonSetSpec(ref),
+		v1beta2.DaemonSetStatus{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1beta2_DaemonSetStatus(ref),
+		v1beta2.DaemonSetUpdateStrategy{}.OpenAPIModelName():                                                            schema_k8sio_api_apps_v1beta2_DaemonSetUpdateStrategy(ref),
+		v1beta2.Deployment{}.OpenAPIModelName():                                                                         schema_k8sio_api_apps_v1beta2_Deployment(ref),
+		v1beta2.DeploymentCondition{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1beta2_DeploymentCondition(ref),
+		v1beta2.DeploymentList{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1beta2_DeploymentList(ref),
+		v1beta2.DeploymentSpec{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1beta2_DeploymentSpec(ref),
+		v1beta2.DeploymentStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_apps_v1beta2_DeploymentStatus(ref),
+		v1beta2.DeploymentStrategy{}.OpenAPIModelName():                                                                 schema_k8sio_api_apps_v1beta2_DeploymentStrategy(ref),
+		v1beta2.ReplicaSet{}.OpenAPIModelName():                                                                         schema_k8sio_api_apps_v1beta2_ReplicaSet(ref),
+		v1beta2.ReplicaSetCondition{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1beta2_ReplicaSetCondition(ref),
+		v1beta2.ReplicaSetList{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1beta2_ReplicaSetList(ref),
+		v1beta2.ReplicaSetSpec{}.OpenAPIModelName():                                                                     schema_k8sio_api_apps_v1beta2_ReplicaSetSpec(ref),
+		v1beta2.ReplicaSetStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_apps_v1beta2_ReplicaSetStatus(ref),
+		v1beta2.RollingUpdateDaemonSet{}.OpenAPIModelName():                                                             schema_k8sio_api_apps_v1beta2_RollingUpdateDaemonSet(ref),
+		v1beta2.RollingUpdateDeployment{}.OpenAPIModelName():                                                            schema_k8sio_api_apps_v1beta2_RollingUpdateDeployment(ref),
+		v1beta2.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName():                                                   schema_k8sio_api_apps_v1beta2_RollingUpdateStatefulSetStrategy(ref),
+		v1beta2.Scale{}.OpenAPIModelName():                                                                              schema_k8sio_api_apps_v1beta2_Scale(ref),
+		v1beta2.ScaleSpec{}.OpenAPIModelName():                                                                          schema_k8sio_api_apps_v1beta2_ScaleSpec(ref),
+		v1beta2.ScaleStatus{}.OpenAPIModelName():                                                                        schema_k8sio_api_apps_v1beta2_ScaleStatus(ref),
+		v1beta2.StatefulSet{}.OpenAPIModelName():                                                                        schema_k8sio_api_apps_v1beta2_StatefulSet(ref),
+		v1beta2.StatefulSetCondition{}.OpenAPIModelName():                                                               schema_k8sio_api_apps_v1beta2_StatefulSetCondition(ref),
+		v1beta2.StatefulSetList{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1beta2_StatefulSetList(ref),
+		v1beta2.StatefulSetOrdinals{}.OpenAPIModelName():                                                                schema_k8sio_api_apps_v1beta2_StatefulSetOrdinals(ref),
+		v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName():                                    schema_k8sio_api_apps_v1beta2_StatefulSetPersistentVolumeClaimRetentionPolicy(ref),
+		v1beta2.StatefulSetSpec{}.OpenAPIModelName():                                                                    schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref),
+		v1beta2.StatefulSetStatus{}.OpenAPIModelName():                                                                  schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref),
+		v1beta2.StatefulSetUpdateStrategy{}.OpenAPIModelName():                                                          schema_k8sio_api_apps_v1beta2_StatefulSetUpdateStrategy(ref),
+		authenticationv1.BoundObjectReference{}.OpenAPIModelName():                                                      schema_k8sio_api_authentication_v1_BoundObjectReference(ref),
+		authenticationv1.SelfSubjectReview{}.OpenAPIModelName():                                                         schema_k8sio_api_authentication_v1_SelfSubjectReview(ref),
+		authenticationv1.SelfSubjectReviewStatus{}.OpenAPIModelName():                                                   schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref),
+		authenticationv1.TokenRequest{}.OpenAPIModelName():                                                              schema_k8sio_api_authentication_v1_TokenRequest(ref),
+		authenticationv1.TokenRequestSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_authentication_v1_TokenRequestSpec(ref),
+		authenticationv1.TokenRequestStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_authentication_v1_TokenRequestStatus(ref),
+		authenticationv1.TokenReview{}.OpenAPIModelName():                                                               schema_k8sio_api_authentication_v1_TokenReview(ref),
+		authenticationv1.TokenReviewSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_authentication_v1_TokenReviewSpec(ref),
+		authenticationv1.TokenReviewStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_authentication_v1_TokenReviewStatus(ref),
+		authenticationv1.UserInfo{}.OpenAPIModelName():                                                                  schema_k8sio_api_authentication_v1_UserInfo(ref),
+		authenticationv1alpha1.SelfSubjectReview{}.OpenAPIModelName():                                                   schema_k8sio_api_authentication_v1alpha1_SelfSubjectReview(ref),
+		authenticationv1alpha1.SelfSubjectReviewStatus{}.OpenAPIModelName():                                             schema_k8sio_api_authentication_v1alpha1_SelfSubjectReviewStatus(ref),
+		authenticationv1beta1.SelfSubjectReview{}.OpenAPIModelName():                                                    schema_k8sio_api_authentication_v1beta1_SelfSubjectReview(ref),
+		authenticationv1beta1.SelfSubjectReviewStatus{}.OpenAPIModelName():                                              schema_k8sio_api_authentication_v1beta1_SelfSubjectReviewStatus(ref),
+		authenticationv1beta1.TokenReview{}.OpenAPIModelName():                                                          schema_k8sio_api_authentication_v1beta1_TokenReview(ref),
+		authenticationv1beta1.TokenReviewSpec{}.OpenAPIModelName():                                                      schema_k8sio_api_authentication_v1beta1_TokenReviewSpec(ref),
+		authenticationv1beta1.TokenReviewStatus{}.OpenAPIModelName():                                                    schema_k8sio_api_authentication_v1beta1_TokenReviewStatus(ref),
+		authenticationv1beta1.UserInfo{}.OpenAPIModelName():                                                             schema_k8sio_api_authentication_v1beta1_UserInfo(ref),
+		authorizationv1.FieldSelectorAttributes{}.OpenAPIModelName():                                                    schema_k8sio_api_authorization_v1_FieldSelectorAttributes(ref),
+		authorizationv1.LabelSelectorAttributes{}.OpenAPIModelName():                                                    schema_k8sio_api_authorization_v1_LabelSelectorAttributes(ref),
+		authorizationv1.LocalSubjectAccessReview{}.OpenAPIModelName():                                                   schema_k8sio_api_authorization_v1_LocalSubjectAccessReview(ref),
+		authorizationv1.NonResourceAttributes{}.OpenAPIModelName():                                                      schema_k8sio_api_authorization_v1_NonResourceAttributes(ref),
+		authorizationv1.NonResourceRule{}.OpenAPIModelName():                                                            schema_k8sio_api_authorization_v1_NonResourceRule(ref),
+		authorizationv1.ResourceAttributes{}.OpenAPIModelName():                                                         schema_k8sio_api_authorization_v1_ResourceAttributes(ref),
+		authorizationv1.ResourceRule{}.OpenAPIModelName():                                                               schema_k8sio_api_authorization_v1_ResourceRule(ref),
+		authorizationv1.SelfSubjectAccessReview{}.OpenAPIModelName():                                                    schema_k8sio_api_authorization_v1_SelfSubjectAccessReview(ref),
+		authorizationv1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName():                                                schema_k8sio_api_authorization_v1_SelfSubjectAccessReviewSpec(ref),
+		authorizationv1.SelfSubjectRulesReview{}.OpenAPIModelName():                                                     schema_k8sio_api_authorization_v1_SelfSubjectRulesReview(ref),
+		authorizationv1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName():                                                 schema_k8sio_api_authorization_v1_SelfSubjectRulesReviewSpec(ref),
+		authorizationv1.SubjectAccessReview{}.OpenAPIModelName():                                                        schema_k8sio_api_authorization_v1_SubjectAccessReview(ref),
+		authorizationv1.SubjectAccessReviewSpec{}.OpenAPIModelName():                                                    schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref),
+		authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName():                                                  schema_k8sio_api_authorization_v1_SubjectAccessReviewStatus(ref),
+		authorizationv1.SubjectRulesReviewStatus{}.OpenAPIModelName():                                                   schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref),
+		authorizationv1beta1.LocalSubjectAccessReview{}.OpenAPIModelName():                                              schema_k8sio_api_authorization_v1beta1_LocalSubjectAccessReview(ref),
+		authorizationv1beta1.NonResourceAttributes{}.OpenAPIModelName():                                                 schema_k8sio_api_authorization_v1beta1_NonResourceAttributes(ref),
+		authorizationv1beta1.NonResourceRule{}.OpenAPIModelName():                                                       schema_k8sio_api_authorization_v1beta1_NonResourceRule(ref),
+		authorizationv1beta1.ResourceAttributes{}.OpenAPIModelName():                                                    schema_k8sio_api_authorization_v1beta1_ResourceAttributes(ref),
+		authorizationv1beta1.ResourceRule{}.OpenAPIModelName():                                                          schema_k8sio_api_authorization_v1beta1_ResourceRule(ref),
+		authorizationv1beta1.SelfSubjectAccessReview{}.OpenAPIModelName():                                               schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReview(ref),
+		authorizationv1beta1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName():                                           schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReviewSpec(ref),
+		authorizationv1beta1.SelfSubjectRulesReview{}.OpenAPIModelName():                                                schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReview(ref),
+		authorizationv1beta1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName():                                            schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReviewSpec(ref),
+		authorizationv1beta1.SubjectAccessReview{}.OpenAPIModelName():                                                   schema_k8sio_api_authorization_v1beta1_SubjectAccessReview(ref),
+		authorizationv1beta1.SubjectAccessReviewSpec{}.OpenAPIModelName():                                               schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref),
+		authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName():                                             schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewStatus(ref),
+		authorizationv1beta1.SubjectRulesReviewStatus{}.OpenAPIModelName():                                              schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref),
+		autoscalingv1.ContainerResourceMetricSource{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref),
+		autoscalingv1.ContainerResourceMetricStatus{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref),
+		autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v1_CrossVersionObjectReference(ref),
+		autoscalingv1.ExternalMetricSource{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref),
+		autoscalingv1.ExternalMetricStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref),
+		autoscalingv1.HorizontalPodAutoscaler{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref),
+		autoscalingv1.HorizontalPodAutoscalerCondition{}.OpenAPIModelName():                                             schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref),
+		autoscalingv1.HorizontalPodAutoscalerList{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref),
+		autoscalingv1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref),
+		autoscalingv1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref),
+		autoscalingv1.MetricSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v1_MetricSpec(ref),
+		autoscalingv1.MetricStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_autoscaling_v1_MetricStatus(ref),
+		autoscalingv1.ObjectMetricSource{}.OpenAPIModelName():                                                           schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref),
+		autoscalingv1.ObjectMetricStatus{}.OpenAPIModelName():                                                           schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref),
+		autoscalingv1.PodsMetricSource{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref),
+		autoscalingv1.PodsMetricStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref),
+		autoscalingv1.ResourceMetricSource{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref),
+		autoscalingv1.ResourceMetricStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref),
+		autoscalingv1.Scale{}.OpenAPIModelName():                                                                        schema_k8sio_api_autoscaling_v1_Scale(ref),
+		autoscalingv1.ScaleSpec{}.OpenAPIModelName():                                                                    schema_k8sio_api_autoscaling_v1_ScaleSpec(ref),
+		autoscalingv1.ScaleStatus{}.OpenAPIModelName():                                                                  schema_k8sio_api_autoscaling_v1_ScaleStatus(ref),
+		autoscalingv2.ContainerResourceMetricSource{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v2_ContainerResourceMetricSource(ref),
+		autoscalingv2.ContainerResourceMetricStatus{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v2_ContainerResourceMetricStatus(ref),
+		autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v2_CrossVersionObjectReference(ref),
+		autoscalingv2.ExternalMetricSource{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v2_ExternalMetricSource(ref),
+		autoscalingv2.ExternalMetricStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v2_ExternalMetricStatus(ref),
+		autoscalingv2.HPAScalingPolicy{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v2_HPAScalingPolicy(ref),
+		autoscalingv2.HPAScalingRules{}.OpenAPIModelName():                                                              schema_k8sio_api_autoscaling_v2_HPAScalingRules(ref),
+		autoscalingv2.HorizontalPodAutoscaler{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscaler(ref),
+		autoscalingv2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName():                                              schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerBehavior(ref),
+		autoscalingv2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName():                                             schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerCondition(ref),
+		autoscalingv2.HorizontalPodAutoscalerList{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerList(ref),
+		autoscalingv2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName():                                                  schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref),
+		autoscalingv2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName():                                                schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref),
+		autoscalingv2.MetricIdentifier{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v2_MetricIdentifier(ref),
+		autoscalingv2.MetricSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v2_MetricSpec(ref),
+		autoscalingv2.MetricStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_autoscaling_v2_MetricStatus(ref),
+		autoscalingv2.MetricTarget{}.OpenAPIModelName():                                                                 schema_k8sio_api_autoscaling_v2_MetricTarget(ref),
+		autoscalingv2.MetricValueStatus{}.OpenAPIModelName():                                                            schema_k8sio_api_autoscaling_v2_MetricValueStatus(ref),
+		autoscalingv2.ObjectMetricSource{}.OpenAPIModelName():                                                           schema_k8sio_api_autoscaling_v2_ObjectMetricSource(ref),
+		autoscalingv2.ObjectMetricStatus{}.OpenAPIModelName():                                                           schema_k8sio_api_autoscaling_v2_ObjectMetricStatus(ref),
+		autoscalingv2.PodsMetricSource{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v2_PodsMetricSource(ref),
+		autoscalingv2.PodsMetricStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_autoscaling_v2_PodsMetricStatus(ref),
+		autoscalingv2.ResourceMetricSource{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v2_ResourceMetricSource(ref),
+		autoscalingv2.ResourceMetricStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_autoscaling_v2_ResourceMetricStatus(ref),
+		autoscalingv2beta1.ContainerResourceMetricSource{}.OpenAPIModelName():                                           schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricSource(ref),
+		autoscalingv2beta1.ContainerResourceMetricStatus{}.OpenAPIModelName():                                           schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricStatus(ref),
+		autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName():                                             schema_k8sio_api_autoscaling_v2beta1_CrossVersionObjectReference(ref),
+		autoscalingv2beta1.ExternalMetricSource{}.OpenAPIModelName():                                                    schema_k8sio_api_autoscaling_v2beta1_ExternalMetricSource(ref),
+		autoscalingv2beta1.ExternalMetricStatus{}.OpenAPIModelName():                                                    schema_k8sio_api_autoscaling_v2beta1_ExternalMetricStatus(ref),
+		autoscalingv2beta1.HorizontalPodAutoscaler{}.OpenAPIModelName():                                                 schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscaler(ref),
+		autoscalingv2beta1.HorizontalPodAutoscalerCondition{}.OpenAPIModelName():                                        schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerCondition(ref),
+		autoscalingv2beta1.HorizontalPodAutoscalerList{}.OpenAPIModelName():                                             schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerList(ref),
+		autoscalingv2beta1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName():                                             schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerSpec(ref),
+		autoscalingv2beta1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName():                                           schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref),
+		autoscalingv2beta1.MetricSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_autoscaling_v2beta1_MetricSpec(ref),
+		autoscalingv2beta1.MetricStatus{}.OpenAPIModelName():                                                            schema_k8sio_api_autoscaling_v2beta1_MetricStatus(ref),
+		autoscalingv2beta1.ObjectMetricSource{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2beta1_ObjectMetricSource(ref),
+		autoscalingv2beta1.ObjectMetricStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2beta1_ObjectMetricStatus(ref),
+		autoscalingv2beta1.PodsMetricSource{}.OpenAPIModelName():                                                        schema_k8sio_api_autoscaling_v2beta1_PodsMetricSource(ref),
+		autoscalingv2beta1.PodsMetricStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_autoscaling_v2beta1_PodsMetricStatus(ref),
+		autoscalingv2beta1.ResourceMetricSource{}.OpenAPIModelName():                                                    schema_k8sio_api_autoscaling_v2beta1_ResourceMetricSource(ref),
+		autoscalingv2beta1.ResourceMetricStatus{}.OpenAPIModelName():                                                    schema_k8sio_api_autoscaling_v2beta1_ResourceMetricStatus(ref),
+		v2beta2.ContainerResourceMetricSource{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricSource(ref),
+		v2beta2.ContainerResourceMetricStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricStatus(ref),
+		v2beta2.CrossVersionObjectReference{}.OpenAPIModelName():                                                        schema_k8sio_api_autoscaling_v2beta2_CrossVersionObjectReference(ref),
+		v2beta2.ExternalMetricSource{}.OpenAPIModelName():                                                               schema_k8sio_api_autoscaling_v2beta2_ExternalMetricSource(ref),
+		v2beta2.ExternalMetricStatus{}.OpenAPIModelName():                                                               schema_k8sio_api_autoscaling_v2beta2_ExternalMetricStatus(ref),
+		v2beta2.HPAScalingPolicy{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v2beta2_HPAScalingPolicy(ref),
+		v2beta2.HPAScalingRules{}.OpenAPIModelName():                                                                    schema_k8sio_api_autoscaling_v2beta2_HPAScalingRules(ref),
+		v2beta2.HorizontalPodAutoscaler{}.OpenAPIModelName():                                                            schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscaler(ref),
+		v2beta2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName():                                                    schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerBehavior(ref),
+		v2beta2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName():                                                   schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerCondition(ref),
+		v2beta2.HorizontalPodAutoscalerList{}.OpenAPIModelName():                                                        schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerList(ref),
+		v2beta2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName():                                                        schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref),
+		v2beta2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref),
+		v2beta2.MetricIdentifier{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v2beta2_MetricIdentifier(ref),
+		v2beta2.MetricSpec{}.OpenAPIModelName():                                                                         schema_k8sio_api_autoscaling_v2beta2_MetricSpec(ref),
+		v2beta2.MetricStatus{}.OpenAPIModelName():                                                                       schema_k8sio_api_autoscaling_v2beta2_MetricStatus(ref),
+		v2beta2.MetricTarget{}.OpenAPIModelName():                                                                       schema_k8sio_api_autoscaling_v2beta2_MetricTarget(ref),
+		v2beta2.MetricValueStatus{}.OpenAPIModelName():                                                                  schema_k8sio_api_autoscaling_v2beta2_MetricValueStatus(ref),
+		v2beta2.ObjectMetricSource{}.OpenAPIModelName():                                                                 schema_k8sio_api_autoscaling_v2beta2_ObjectMetricSource(ref),
+		v2beta2.ObjectMetricStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_autoscaling_v2beta2_ObjectMetricStatus(ref),
+		v2beta2.PodsMetricSource{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v2beta2_PodsMetricSource(ref),
+		v2beta2.PodsMetricStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_autoscaling_v2beta2_PodsMetricStatus(ref),
+		v2beta2.ResourceMetricSource{}.OpenAPIModelName():                                                               schema_k8sio_api_autoscaling_v2beta2_ResourceMetricSource(ref),
+		v2beta2.ResourceMetricStatus{}.OpenAPIModelName():                                                               schema_k8sio_api_autoscaling_v2beta2_ResourceMetricStatus(ref),
+		batchv1.CronJob{}.OpenAPIModelName():                                                                            schema_k8sio_api_batch_v1_CronJob(ref),
+		batchv1.CronJobList{}.OpenAPIModelName():                                                                        schema_k8sio_api_batch_v1_CronJobList(ref),
+		batchv1.CronJobSpec{}.OpenAPIModelName():                                                                        schema_k8sio_api_batch_v1_CronJobSpec(ref),
+		batchv1.CronJobStatus{}.OpenAPIModelName():                                                                      schema_k8sio_api_batch_v1_CronJobStatus(ref),
+		batchv1.Job{}.OpenAPIModelName():                                                                                schema_k8sio_api_batch_v1_Job(ref),
+		batchv1.JobCondition{}.OpenAPIModelName():                                                                       schema_k8sio_api_batch_v1_JobCondition(ref),
+		batchv1.JobList{}.OpenAPIModelName():                                                                            schema_k8sio_api_batch_v1_JobList(ref),
+		batchv1.JobSpec{}.OpenAPIModelName():                                                                            schema_k8sio_api_batch_v1_JobSpec(ref),
+		batchv1.JobStatus{}.OpenAPIModelName():                                                                          schema_k8sio_api_batch_v1_JobStatus(ref),
+		batchv1.JobTemplateSpec{}.OpenAPIModelName():                                                                    schema_k8sio_api_batch_v1_JobTemplateSpec(ref),
+		batchv1.PodFailurePolicy{}.OpenAPIModelName():                                                                   schema_k8sio_api_batch_v1_PodFailurePolicy(ref),
+		batchv1.PodFailurePolicyOnExitCodesRequirement{}.OpenAPIModelName():                                             schema_k8sio_api_batch_v1_PodFailurePolicyOnExitCodesRequirement(ref),
+		batchv1.PodFailurePolicyOnPodConditionsPattern{}.OpenAPIModelName():                                             schema_k8sio_api_batch_v1_PodFailurePolicyOnPodConditionsPattern(ref),
+		batchv1.PodFailurePolicyRule{}.OpenAPIModelName():                                                               schema_k8sio_api_batch_v1_PodFailurePolicyRule(ref),
+		batchv1.SuccessPolicy{}.OpenAPIModelName():                                                                      schema_k8sio_api_batch_v1_SuccessPolicy(ref),
+		batchv1.SuccessPolicyRule{}.OpenAPIModelName():                                                                  schema_k8sio_api_batch_v1_SuccessPolicyRule(ref),
+		batchv1.UncountedTerminatedPods{}.OpenAPIModelName():                                                            schema_k8sio_api_batch_v1_UncountedTerminatedPods(ref),
+		batchv1beta1.CronJob{}.OpenAPIModelName():                                                                       schema_k8sio_api_batch_v1beta1_CronJob(ref),
+		batchv1beta1.CronJobList{}.OpenAPIModelName():                                                                   schema_k8sio_api_batch_v1beta1_CronJobList(ref),
+		batchv1beta1.CronJobSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_batch_v1beta1_CronJobSpec(ref),
+		batchv1beta1.CronJobStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_batch_v1beta1_CronJobStatus(ref),
+		batchv1beta1.JobTemplateSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_batch_v1beta1_JobTemplateSpec(ref),
+		certificatesv1.CertificateSigningRequest{}.OpenAPIModelName():                                                   schema_k8sio_api_certificates_v1_CertificateSigningRequest(ref),
+		certificatesv1.CertificateSigningRequestCondition{}.OpenAPIModelName():                                          schema_k8sio_api_certificates_v1_CertificateSigningRequestCondition(ref),
+		certificatesv1.CertificateSigningRequestList{}.OpenAPIModelName():                                               schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref),
+		certificatesv1.CertificateSigningRequestSpec{}.OpenAPIModelName():                                               schema_k8sio_api_certificates_v1_CertificateSigningRequestSpec(ref),
+		certificatesv1.CertificateSigningRequestStatus{}.OpenAPIModelName():                                             schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref),
+		certificatesv1alpha1.ClusterTrustBundle{}.OpenAPIModelName():                                                    schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref),
+		certificatesv1alpha1.ClusterTrustBundleList{}.OpenAPIModelName():                                                schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref),
+		certificatesv1alpha1.ClusterTrustBundleSpec{}.OpenAPIModelName():                                                schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleSpec(ref),
+		certificatesv1beta1.CertificateSigningRequest{}.OpenAPIModelName():                                              schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref),
+		certificatesv1beta1.CertificateSigningRequestCondition{}.OpenAPIModelName():                                     schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(ref),
+		certificatesv1beta1.CertificateSigningRequestList{}.OpenAPIModelName():                                          schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref),
+		certificatesv1beta1.CertificateSigningRequestSpec{}.OpenAPIModelName():                                          schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestSpec(ref),
+		certificatesv1beta1.CertificateSigningRequestStatus{}.OpenAPIModelName():                                        schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestStatus(ref),
+		certificatesv1beta1.ClusterTrustBundle{}.OpenAPIModelName():                                                     schema_k8sio_api_certificates_v1beta1_ClusterTrustBundle(ref),
+		certificatesv1beta1.ClusterTrustBundleList{}.OpenAPIModelName():                                                 schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleList(ref),
+		certificatesv1beta1.ClusterTrustBundleSpec{}.OpenAPIModelName():                                                 schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleSpec(ref),
+		certificatesv1beta1.PodCertificateRequest{}.OpenAPIModelName():                                                  schema_k8sio_api_certificates_v1beta1_PodCertificateRequest(ref),
+		certificatesv1beta1.PodCertificateRequestList{}.OpenAPIModelName():                                              schema_k8sio_api_certificates_v1beta1_PodCertificateRequestList(ref),
+		certificatesv1beta1.PodCertificateRequestSpec{}.OpenAPIModelName():                                              schema_k8sio_api_certificates_v1beta1_PodCertificateRequestSpec(ref),
+		certificatesv1beta1.PodCertificateRequestStatus{}.OpenAPIModelName():                                            schema_k8sio_api_certificates_v1beta1_PodCertificateRequestStatus(ref),
+		coordinationv1.Lease{}.OpenAPIModelName():                                                                       schema_k8sio_api_coordination_v1_Lease(ref),
+		coordinationv1.LeaseList{}.OpenAPIModelName():                                                                   schema_k8sio_api_coordination_v1_LeaseList(ref),
+		coordinationv1.LeaseSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_coordination_v1_LeaseSpec(ref),
+		v1alpha2.LeaseCandidate{}.OpenAPIModelName():                                                                    schema_k8sio_api_coordination_v1alpha2_LeaseCandidate(ref),
+		v1alpha2.LeaseCandidateList{}.OpenAPIModelName():                                                                schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref),
+		v1alpha2.LeaseCandidateSpec{}.OpenAPIModelName():                                                                schema_k8sio_api_coordination_v1alpha2_LeaseCandidateSpec(ref),
+		coordinationv1beta1.Lease{}.OpenAPIModelName():                                                                  schema_k8sio_api_coordination_v1beta1_Lease(ref),
+		coordinationv1beta1.LeaseCandidate{}.OpenAPIModelName():                                                         schema_k8sio_api_coordination_v1beta1_LeaseCandidate(ref),
+		coordinationv1beta1.LeaseCandidateList{}.OpenAPIModelName():                                                     schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref),
+		coordinationv1beta1.LeaseCandidateSpec{}.OpenAPIModelName():                                                     schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref),
+		coordinationv1beta1.LeaseList{}.OpenAPIModelName():                                                              schema_k8sio_api_coordination_v1beta1_LeaseList(ref),
+		coordinationv1beta1.LeaseSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_coordination_v1beta1_LeaseSpec(ref),
+		corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName():                                                    schema_k8sio_api_core_v1_AWSElasticBlockStoreVolumeSource(ref),
+		corev1.Affinity{}.OpenAPIModelName():                                                                            schema_k8sio_api_core_v1_Affinity(ref),
+		corev1.AppArmorProfile{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_AppArmorProfile(ref),
+		corev1.AttachedVolume{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_AttachedVolume(ref),
+		corev1.AvoidPods{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_AvoidPods(ref),
+		corev1.AzureDiskVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_AzureDiskVolumeSource(ref),
+		corev1.AzureFilePersistentVolumeSource{}.OpenAPIModelName():                                                     schema_k8sio_api_core_v1_AzureFilePersistentVolumeSource(ref),
+		corev1.AzureFileVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_AzureFileVolumeSource(ref),
+		corev1.Binding{}.OpenAPIModelName():                                                                             schema_k8sio_api_core_v1_Binding(ref),
+		corev1.CSIPersistentVolumeSource{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_CSIPersistentVolumeSource(ref),
+		corev1.CSIVolumeSource{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_CSIVolumeSource(ref),
+		corev1.Capabilities{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_Capabilities(ref),
+		corev1.CephFSPersistentVolumeSource{}.OpenAPIModelName():                                                        schema_k8sio_api_core_v1_CephFSPersistentVolumeSource(ref),
+		corev1.CephFSVolumeSource{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_CephFSVolumeSource(ref),
+		corev1.CinderPersistentVolumeSource{}.OpenAPIModelName():                                                        schema_k8sio_api_core_v1_CinderPersistentVolumeSource(ref),
+		corev1.CinderVolumeSource{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_CinderVolumeSource(ref),
+		corev1.ClientIPConfig{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ClientIPConfig(ref),
+		corev1.ClusterTrustBundleProjection{}.OpenAPIModelName():                                                        schema_k8sio_api_core_v1_ClusterTrustBundleProjection(ref),
+		corev1.ComponentCondition{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_ComponentCondition(ref),
+		corev1.ComponentStatus{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_ComponentStatus(ref),
+		corev1.ComponentStatusList{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ComponentStatusList(ref),
+		corev1.ConfigMap{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_ConfigMap(ref),
+		corev1.ConfigMapEnvSource{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_ConfigMapEnvSource(ref),
+		corev1.ConfigMapKeySelector{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_ConfigMapKeySelector(ref),
+		corev1.ConfigMapList{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ConfigMapList(ref),
+		corev1.ConfigMapNodeConfigSource{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_ConfigMapNodeConfigSource(ref),
+		corev1.ConfigMapProjection{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ConfigMapProjection(ref),
+		corev1.ConfigMapVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ConfigMapVolumeSource(ref),
+		corev1.Container{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_Container(ref),
+		corev1.ContainerExtendedResourceRequest{}.OpenAPIModelName():                                                    schema_k8sio_api_core_v1_ContainerExtendedResourceRequest(ref),
+		corev1.ContainerImage{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ContainerImage(ref),
+		corev1.ContainerPort{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ContainerPort(ref),
+		corev1.ContainerResizePolicy{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ContainerResizePolicy(ref),
+		corev1.ContainerRestartRule{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_ContainerRestartRule(ref),
+		corev1.ContainerRestartRuleOnExitCodes{}.OpenAPIModelName():                                                     schema_k8sio_api_core_v1_ContainerRestartRuleOnExitCodes(ref),
+		corev1.ContainerState{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ContainerState(ref),
+		corev1.ContainerStateRunning{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ContainerStateRunning(ref),
+		corev1.ContainerStateTerminated{}.OpenAPIModelName():                                                            schema_k8sio_api_core_v1_ContainerStateTerminated(ref),
+		corev1.ContainerStateWaiting{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ContainerStateWaiting(ref),
+		corev1.ContainerStatus{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_ContainerStatus(ref),
+		corev1.ContainerUser{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ContainerUser(ref),
+		corev1.DaemonEndpoint{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_DaemonEndpoint(ref),
+		corev1.DownwardAPIProjection{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_DownwardAPIProjection(ref),
+		corev1.DownwardAPIVolumeFile{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_DownwardAPIVolumeFile(ref),
+		corev1.DownwardAPIVolumeSource{}.OpenAPIModelName():                                                             schema_k8sio_api_core_v1_DownwardAPIVolumeSource(ref),
+		corev1.EmptyDirVolumeSource{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_EmptyDirVolumeSource(ref),
+		corev1.EndpointAddress{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_EndpointAddress(ref),
+		corev1.EndpointPort{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_EndpointPort(ref),
+		corev1.EndpointSubset{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_EndpointSubset(ref),
+		corev1.Endpoints{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_Endpoints(ref),
+		corev1.EndpointsList{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_EndpointsList(ref),
+		corev1.EnvFromSource{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_EnvFromSource(ref),
+		corev1.EnvVar{}.OpenAPIModelName():                                                                              schema_k8sio_api_core_v1_EnvVar(ref),
+		corev1.EnvVarSource{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_EnvVarSource(ref),
+		corev1.EphemeralContainer{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_EphemeralContainer(ref),
+		corev1.EphemeralContainerCommon{}.OpenAPIModelName():                                                            schema_k8sio_api_core_v1_EphemeralContainerCommon(ref),
+		corev1.EphemeralVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_EphemeralVolumeSource(ref),
+		corev1.Event{}.OpenAPIModelName():                                                                               schema_k8sio_api_core_v1_Event(ref),
+		corev1.EventList{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_EventList(ref),
+		corev1.EventSeries{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_EventSeries(ref),
+		corev1.EventSource{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_EventSource(ref),
+		corev1.ExecAction{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_ExecAction(ref),
+		corev1.FCVolumeSource{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_FCVolumeSource(ref),
+		corev1.FileKeySelector{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_FileKeySelector(ref),
+		corev1.FlexPersistentVolumeSource{}.OpenAPIModelName():                                                          schema_k8sio_api_core_v1_FlexPersistentVolumeSource(ref),
+		corev1.FlexVolumeSource{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_FlexVolumeSource(ref),
+		corev1.FlockerVolumeSource{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_FlockerVolumeSource(ref),
+		corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName():                                                       schema_k8sio_api_core_v1_GCEPersistentDiskVolumeSource(ref),
+		corev1.GRPCAction{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_GRPCAction(ref),
+		corev1.GitRepoVolumeSource{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_GitRepoVolumeSource(ref),
+		corev1.GlusterfsPersistentVolumeSource{}.OpenAPIModelName():                                                     schema_k8sio_api_core_v1_GlusterfsPersistentVolumeSource(ref),
+		corev1.GlusterfsVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_GlusterfsVolumeSource(ref),
+		corev1.HTTPGetAction{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_HTTPGetAction(ref),
+		corev1.HTTPHeader{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_HTTPHeader(ref),
+		corev1.HostAlias{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_HostAlias(ref),
+		corev1.HostIP{}.OpenAPIModelName():                                                                              schema_k8sio_api_core_v1_HostIP(ref),
+		corev1.HostPathVolumeSource{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_HostPathVolumeSource(ref),
+		corev1.ISCSIPersistentVolumeSource{}.OpenAPIModelName():                                                         schema_k8sio_api_core_v1_ISCSIPersistentVolumeSource(ref),
+		corev1.ISCSIVolumeSource{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_ISCSIVolumeSource(ref),
+		corev1.ImageVolumeSource{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_ImageVolumeSource(ref),
+		corev1.KeyToPath{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_KeyToPath(ref),
+		corev1.Lifecycle{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_Lifecycle(ref),
+		corev1.LifecycleHandler{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_LifecycleHandler(ref),
+		corev1.LimitRange{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_LimitRange(ref),
+		corev1.LimitRangeItem{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_LimitRangeItem(ref),
+		corev1.LimitRangeList{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_LimitRangeList(ref),
+		corev1.LimitRangeSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_LimitRangeSpec(ref),
+		corev1.LinuxContainerUser{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_LinuxContainerUser(ref),
+		corev1.List{}.OpenAPIModelName():                                                                                schema_k8sio_api_core_v1_List(ref),
+		corev1.LoadBalancerIngress{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_LoadBalancerIngress(ref),
+		corev1.LoadBalancerStatus{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_LoadBalancerStatus(ref),
+		corev1.LocalObjectReference{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_LocalObjectReference(ref),
+		corev1.LocalVolumeSource{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_LocalVolumeSource(ref),
+		corev1.ModifyVolumeStatus{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_ModifyVolumeStatus(ref),
+		corev1.NFSVolumeSource{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_NFSVolumeSource(ref),
+		corev1.Namespace{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_Namespace(ref),
+		corev1.NamespaceCondition{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_NamespaceCondition(ref),
+		corev1.NamespaceList{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_NamespaceList(ref),
+		corev1.NamespaceSpec{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_NamespaceSpec(ref),
+		corev1.NamespaceStatus{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_NamespaceStatus(ref),
+		corev1.Node{}.OpenAPIModelName():                                                                                schema_k8sio_api_core_v1_Node(ref),
+		corev1.NodeAddress{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_NodeAddress(ref),
+		corev1.NodeAffinity{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_NodeAffinity(ref),
+		corev1.NodeCondition{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_NodeCondition(ref),
+		corev1.NodeConfigSource{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_NodeConfigSource(ref),
+		corev1.NodeConfigStatus{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_NodeConfigStatus(ref),
+		corev1.NodeDaemonEndpoints{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_NodeDaemonEndpoints(ref),
+		corev1.NodeFeatures{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_NodeFeatures(ref),
+		corev1.NodeList{}.OpenAPIModelName():                                                                            schema_k8sio_api_core_v1_NodeList(ref),
+		corev1.NodeProxyOptions{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_NodeProxyOptions(ref),
+		corev1.NodeRuntimeHandler{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_NodeRuntimeHandler(ref),
+		corev1.NodeRuntimeHandlerFeatures{}.OpenAPIModelName():                                                          schema_k8sio_api_core_v1_NodeRuntimeHandlerFeatures(ref),
+		corev1.NodeSelector{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_NodeSelector(ref),
+		corev1.NodeSelectorRequirement{}.OpenAPIModelName():                                                             schema_k8sio_api_core_v1_NodeSelectorRequirement(ref),
+		corev1.NodeSelectorTerm{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_NodeSelectorTerm(ref),
+		corev1.NodeSpec{}.OpenAPIModelName():                                                                            schema_k8sio_api_core_v1_NodeSpec(ref),
+		corev1.NodeStatus{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_NodeStatus(ref),
+		corev1.NodeSwapStatus{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_NodeSwapStatus(ref),
+		corev1.NodeSystemInfo{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_NodeSystemInfo(ref),
+		corev1.ObjectFieldSelector{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ObjectFieldSelector(ref),
+		corev1.ObjectReference{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_ObjectReference(ref),
+		corev1.PersistentVolume{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_PersistentVolume(ref),
+		corev1.PersistentVolumeClaim{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_PersistentVolumeClaim(ref),
+		corev1.PersistentVolumeClaimCondition{}.OpenAPIModelName():                                                      schema_k8sio_api_core_v1_PersistentVolumeClaimCondition(ref),
+		corev1.PersistentVolumeClaimList{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_PersistentVolumeClaimList(ref),
+		corev1.PersistentVolumeClaimSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_PersistentVolumeClaimSpec(ref),
+		corev1.PersistentVolumeClaimStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref),
+		corev1.PersistentVolumeClaimTemplate{}.OpenAPIModelName():                                                       schema_k8sio_api_core_v1_PersistentVolumeClaimTemplate(ref),
+		corev1.PersistentVolumeClaimVolumeSource{}.OpenAPIModelName():                                                   schema_k8sio_api_core_v1_PersistentVolumeClaimVolumeSource(ref),
+		corev1.PersistentVolumeList{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_PersistentVolumeList(ref),
+		corev1.PersistentVolumeSource{}.OpenAPIModelName():                                                              schema_k8sio_api_core_v1_PersistentVolumeSource(ref),
+		corev1.PersistentVolumeSpec{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_PersistentVolumeSpec(ref),
+		corev1.PersistentVolumeStatus{}.OpenAPIModelName():                                                              schema_k8sio_api_core_v1_PersistentVolumeStatus(ref),
+		corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName():                                                    schema_k8sio_api_core_v1_PhotonPersistentDiskVolumeSource(ref),
+		corev1.Pod{}.OpenAPIModelName():                                                                                 schema_k8sio_api_core_v1_Pod(ref),
+		corev1.PodAffinity{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_PodAffinity(ref),
+		corev1.PodAffinityTerm{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodAffinityTerm(ref),
+		corev1.PodAntiAffinity{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodAntiAffinity(ref),
+		corev1.PodAttachOptions{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_PodAttachOptions(ref),
+		corev1.PodCertificateProjection{}.OpenAPIModelName():                                                            schema_k8sio_api_core_v1_PodCertificateProjection(ref),
+		corev1.PodCondition{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_PodCondition(ref),
+		corev1.PodDNSConfig{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_PodDNSConfig(ref),
+		corev1.PodDNSConfigOption{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_PodDNSConfigOption(ref),
+		corev1.PodExecOptions{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_PodExecOptions(ref),
+		corev1.PodExtendedResourceClaimStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_core_v1_PodExtendedResourceClaimStatus(ref),
+		corev1.PodIP{}.OpenAPIModelName():                                                                               schema_k8sio_api_core_v1_PodIP(ref),
+		corev1.PodList{}.OpenAPIModelName():                                                                             schema_k8sio_api_core_v1_PodList(ref),
+		corev1.PodLogOptions{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_PodLogOptions(ref),
+		corev1.PodOS{}.OpenAPIModelName():                                                                               schema_k8sio_api_core_v1_PodOS(ref),
+		corev1.PodPortForwardOptions{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_PodPortForwardOptions(ref),
+		corev1.PodProxyOptions{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodProxyOptions(ref),
+		corev1.PodReadinessGate{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_PodReadinessGate(ref),
+		corev1.PodResourceClaim{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_PodResourceClaim(ref),
+		corev1.PodResourceClaimStatus{}.OpenAPIModelName():                                                              schema_k8sio_api_core_v1_PodResourceClaimStatus(ref),
+		corev1.PodSchedulingGate{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_PodSchedulingGate(ref),
+		corev1.PodSecurityContext{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_PodSecurityContext(ref),
+		corev1.PodSignature{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_PodSignature(ref),
+		corev1.PodSpec{}.OpenAPIModelName():                                                                             schema_k8sio_api_core_v1_PodSpec(ref),
+		corev1.PodStatus{}.OpenAPIModelName():                                                                           schema_k8sio_api_core_v1_PodStatus(ref),
+		corev1.PodStatusResult{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodStatusResult(ref),
+		corev1.PodTemplate{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_PodTemplate(ref),
+		corev1.PodTemplateList{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodTemplateList(ref),
+		corev1.PodTemplateSpec{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_PodTemplateSpec(ref),
+		corev1.PortStatus{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_PortStatus(ref),
+		corev1.PortworxVolumeSource{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_PortworxVolumeSource(ref),
+		corev1.PreferAvoidPodsEntry{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_PreferAvoidPodsEntry(ref),
+		corev1.PreferredSchedulingTerm{}.OpenAPIModelName():                                                             schema_k8sio_api_core_v1_PreferredSchedulingTerm(ref),
+		corev1.Probe{}.OpenAPIModelName():                                                                               schema_k8sio_api_core_v1_Probe(ref),
+		corev1.ProbeHandler{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_ProbeHandler(ref),
+		corev1.ProjectedVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ProjectedVolumeSource(ref),
+		corev1.QuobyteVolumeSource{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_QuobyteVolumeSource(ref),
+		corev1.RBDPersistentVolumeSource{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_RBDPersistentVolumeSource(ref),
+		corev1.RBDVolumeSource{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_RBDVolumeSource(ref),
+		corev1.RangeAllocation{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_RangeAllocation(ref),
+		corev1.ReplicationController{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ReplicationController(ref),
+		corev1.ReplicationControllerCondition{}.OpenAPIModelName():                                                      schema_k8sio_api_core_v1_ReplicationControllerCondition(ref),
+		corev1.ReplicationControllerList{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_ReplicationControllerList(ref),
+		corev1.ReplicationControllerSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_ReplicationControllerSpec(ref),
+		corev1.ReplicationControllerStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_core_v1_ReplicationControllerStatus(ref),
+		corev1.ResourceClaim{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ResourceClaim(ref),
+		corev1.ResourceFieldSelector{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_ResourceFieldSelector(ref),
+		corev1.ResourceHealth{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ResourceHealth(ref),
+		corev1.ResourceQuota{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ResourceQuota(ref),
+		corev1.ResourceQuotaList{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_ResourceQuotaList(ref),
+		corev1.ResourceQuotaSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_ResourceQuotaSpec(ref),
+		corev1.ResourceQuotaStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ResourceQuotaStatus(ref),
+		corev1.ResourceRequirements{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_ResourceRequirements(ref),
+		corev1.ResourceStatus{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ResourceStatus(ref),
+		corev1.SELinuxOptions{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_SELinuxOptions(ref),
+		corev1.ScaleIOPersistentVolumeSource{}.OpenAPIModelName():                                                       schema_k8sio_api_core_v1_ScaleIOPersistentVolumeSource(ref),
+		corev1.ScaleIOVolumeSource{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ScaleIOVolumeSource(ref),
+		corev1.ScopeSelector{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ScopeSelector(ref),
+		corev1.ScopedResourceSelectorRequirement{}.OpenAPIModelName():                                                   schema_k8sio_api_core_v1_ScopedResourceSelectorRequirement(ref),
+		corev1.SeccompProfile{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_SeccompProfile(ref),
+		corev1.Secret{}.OpenAPIModelName():                                                                              schema_k8sio_api_core_v1_Secret(ref),
+		corev1.SecretEnvSource{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_SecretEnvSource(ref),
+		corev1.SecretKeySelector{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_SecretKeySelector(ref),
+		corev1.SecretList{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_SecretList(ref),
+		corev1.SecretProjection{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_SecretProjection(ref),
+		corev1.SecretReference{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_SecretReference(ref),
+		corev1.SecretVolumeSource{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_SecretVolumeSource(ref),
+		corev1.SecurityContext{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_SecurityContext(ref),
+		corev1.SerializedReference{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_SerializedReference(ref),
+		corev1.Service{}.OpenAPIModelName():                                                                             schema_k8sio_api_core_v1_Service(ref),
+		corev1.ServiceAccount{}.OpenAPIModelName():                                                                      schema_k8sio_api_core_v1_ServiceAccount(ref),
+		corev1.ServiceAccountList{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_ServiceAccountList(ref),
+		corev1.ServiceAccountTokenProjection{}.OpenAPIModelName():                                                       schema_k8sio_api_core_v1_ServiceAccountTokenProjection(ref),
+		corev1.ServiceList{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_ServiceList(ref),
+		corev1.ServicePort{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_ServicePort(ref),
+		corev1.ServiceProxyOptions{}.OpenAPIModelName():                                                                 schema_k8sio_api_core_v1_ServiceProxyOptions(ref),
+		corev1.ServiceSpec{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_ServiceSpec(ref),
+		corev1.ServiceStatus{}.OpenAPIModelName():                                                                       schema_k8sio_api_core_v1_ServiceStatus(ref),
+		corev1.SessionAffinityConfig{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_SessionAffinityConfig(ref),
+		corev1.SleepAction{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_SleepAction(ref),
+		corev1.StorageOSPersistentVolumeSource{}.OpenAPIModelName():                                                     schema_k8sio_api_core_v1_StorageOSPersistentVolumeSource(ref),
+		corev1.StorageOSVolumeSource{}.OpenAPIModelName():                                                               schema_k8sio_api_core_v1_StorageOSVolumeSource(ref),
+		corev1.Sysctl{}.OpenAPIModelName():                                                                              schema_k8sio_api_core_v1_Sysctl(ref),
+		corev1.TCPSocketAction{}.OpenAPIModelName():                                                                     schema_k8sio_api_core_v1_TCPSocketAction(ref),
+		corev1.Taint{}.OpenAPIModelName():                                                                               schema_k8sio_api_core_v1_Taint(ref),
+		corev1.Toleration{}.OpenAPIModelName():                                                                          schema_k8sio_api_core_v1_Toleration(ref),
+		corev1.TopologySelectorLabelRequirement{}.OpenAPIModelName():                                                    schema_k8sio_api_core_v1_TopologySelectorLabelRequirement(ref),
+		corev1.TopologySelectorTerm{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_TopologySelectorTerm(ref),
+		corev1.TopologySpreadConstraint{}.OpenAPIModelName():                                                            schema_k8sio_api_core_v1_TopologySpreadConstraint(ref),
+		corev1.TypedLocalObjectReference{}.OpenAPIModelName():                                                           schema_k8sio_api_core_v1_TypedLocalObjectReference(ref),
+		corev1.TypedObjectReference{}.OpenAPIModelName():                                                                schema_k8sio_api_core_v1_TypedObjectReference(ref),
+		corev1.Volume{}.OpenAPIModelName():                                                                              schema_k8sio_api_core_v1_Volume(ref),
+		corev1.VolumeDevice{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_VolumeDevice(ref),
+		corev1.VolumeMount{}.OpenAPIModelName():                                                                         schema_k8sio_api_core_v1_VolumeMount(ref),
+		corev1.VolumeMountStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_VolumeMountStatus(ref),
+		corev1.VolumeNodeAffinity{}.OpenAPIModelName():                                                                  schema_k8sio_api_core_v1_VolumeNodeAffinity(ref),
+		corev1.VolumeProjection{}.OpenAPIModelName():                                                                    schema_k8sio_api_core_v1_VolumeProjection(ref),
+		corev1.VolumeResourceRequirements{}.OpenAPIModelName():                                                          schema_k8sio_api_core_v1_VolumeResourceRequirements(ref),
+		corev1.VolumeSource{}.OpenAPIModelName():                                                                        schema_k8sio_api_core_v1_VolumeSource(ref),
+		corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName():                                                      schema_k8sio_api_core_v1_VsphereVirtualDiskVolumeSource(ref),
+		corev1.WeightedPodAffinityTerm{}.OpenAPIModelName():                                                             schema_k8sio_api_core_v1_WeightedPodAffinityTerm(ref),
+		corev1.WindowsSecurityContextOptions{}.OpenAPIModelName():                                                       schema_k8sio_api_core_v1_WindowsSecurityContextOptions(ref),
+		corev1.WorkloadReference{}.OpenAPIModelName():                                                                   schema_k8sio_api_core_v1_WorkloadReference(ref),
+		discoveryv1.Endpoint{}.OpenAPIModelName():                                                                       schema_k8sio_api_discovery_v1_Endpoint(ref),
+		discoveryv1.EndpointConditions{}.OpenAPIModelName():                                                             schema_k8sio_api_discovery_v1_EndpointConditions(ref),
+		discoveryv1.EndpointHints{}.OpenAPIModelName():                                                                  schema_k8sio_api_discovery_v1_EndpointHints(ref),
+		discoveryv1.EndpointPort{}.OpenAPIModelName():                                                                   schema_k8sio_api_discovery_v1_EndpointPort(ref),
+		discoveryv1.EndpointSlice{}.OpenAPIModelName():                                                                  schema_k8sio_api_discovery_v1_EndpointSlice(ref),
+		discoveryv1.EndpointSliceList{}.OpenAPIModelName():                                                              schema_k8sio_api_discovery_v1_EndpointSliceList(ref),
+		discoveryv1.ForNode{}.OpenAPIModelName():                                                                        schema_k8sio_api_discovery_v1_ForNode(ref),
+		discoveryv1.ForZone{}.OpenAPIModelName():                                                                        schema_k8sio_api_discovery_v1_ForZone(ref),
+		discoveryv1beta1.Endpoint{}.OpenAPIModelName():                                                                  schema_k8sio_api_discovery_v1beta1_Endpoint(ref),
+		discoveryv1beta1.EndpointConditions{}.OpenAPIModelName():                                                        schema_k8sio_api_discovery_v1beta1_EndpointConditions(ref),
+		discoveryv1beta1.EndpointHints{}.OpenAPIModelName():                                                             schema_k8sio_api_discovery_v1beta1_EndpointHints(ref),
+		discoveryv1beta1.EndpointPort{}.OpenAPIModelName():                                                              schema_k8sio_api_discovery_v1beta1_EndpointPort(ref),
+		discoveryv1beta1.EndpointSlice{}.OpenAPIModelName():                                                             schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref),
+		discoveryv1beta1.EndpointSliceList{}.OpenAPIModelName():                                                         schema_k8sio_api_discovery_v1beta1_EndpointSliceList(ref),
+		discoveryv1beta1.ForNode{}.OpenAPIModelName():                                                                   schema_k8sio_api_discovery_v1beta1_ForNode(ref),
+		discoveryv1beta1.ForZone{}.OpenAPIModelName():                                                                   schema_k8sio_api_discovery_v1beta1_ForZone(ref),
+		eventsv1.Event{}.OpenAPIModelName():                                                                             schema_k8sio_api_events_v1_Event(ref),
+		eventsv1.EventList{}.OpenAPIModelName():                                                                         schema_k8sio_api_events_v1_EventList(ref),
+		eventsv1.EventSeries{}.OpenAPIModelName():                                                                       schema_k8sio_api_events_v1_EventSeries(ref),
+		eventsv1beta1.Event{}.OpenAPIModelName():                                                                        schema_k8sio_api_events_v1beta1_Event(ref),
+		eventsv1beta1.EventList{}.OpenAPIModelName():                                                                    schema_k8sio_api_events_v1beta1_EventList(ref),
+		eventsv1beta1.EventSeries{}.OpenAPIModelName():                                                                  schema_k8sio_api_events_v1beta1_EventSeries(ref),
+		extensionsv1beta1.DaemonSet{}.OpenAPIModelName():                                                                schema_k8sio_api_extensions_v1beta1_DaemonSet(ref),
+		extensionsv1beta1.DaemonSetCondition{}.OpenAPIModelName():                                                       schema_k8sio_api_extensions_v1beta1_DaemonSetCondition(ref),
+		extensionsv1beta1.DaemonSetList{}.OpenAPIModelName():                                                            schema_k8sio_api_extensions_v1beta1_DaemonSetList(ref),
+		extensionsv1beta1.DaemonSetSpec{}.OpenAPIModelName():                                                            schema_k8sio_api_extensions_v1beta1_DaemonSetSpec(ref),
+		extensionsv1beta1.DaemonSetStatus{}.OpenAPIModelName():                                                          schema_k8sio_api_extensions_v1beta1_DaemonSetStatus(ref),
+		extensionsv1beta1.DaemonSetUpdateStrategy{}.OpenAPIModelName():                                                  schema_k8sio_api_extensions_v1beta1_DaemonSetUpdateStrategy(ref),
+		extensionsv1beta1.Deployment{}.OpenAPIModelName():                                                               schema_k8sio_api_extensions_v1beta1_Deployment(ref),
+		extensionsv1beta1.DeploymentCondition{}.OpenAPIModelName():                                                      schema_k8sio_api_extensions_v1beta1_DeploymentCondition(ref),
+		extensionsv1beta1.DeploymentList{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_DeploymentList(ref),
+		extensionsv1beta1.DeploymentRollback{}.OpenAPIModelName():                                                       schema_k8sio_api_extensions_v1beta1_DeploymentRollback(ref),
+		extensionsv1beta1.DeploymentSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref),
+		extensionsv1beta1.DeploymentStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_extensions_v1beta1_DeploymentStatus(ref),
+		extensionsv1beta1.DeploymentStrategy{}.OpenAPIModelName():                                                       schema_k8sio_api_extensions_v1beta1_DeploymentStrategy(ref),
+		extensionsv1beta1.HTTPIngressPath{}.OpenAPIModelName():                                                          schema_k8sio_api_extensions_v1beta1_HTTPIngressPath(ref),
+		extensionsv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName():                                                     schema_k8sio_api_extensions_v1beta1_HTTPIngressRuleValue(ref),
+		extensionsv1beta1.IPBlock{}.OpenAPIModelName():                                                                  schema_k8sio_api_extensions_v1beta1_IPBlock(ref),
+		extensionsv1beta1.Ingress{}.OpenAPIModelName():                                                                  schema_k8sio_api_extensions_v1beta1_Ingress(ref),
+		extensionsv1beta1.IngressBackend{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_IngressBackend(ref),
+		extensionsv1beta1.IngressList{}.OpenAPIModelName():                                                              schema_k8sio_api_extensions_v1beta1_IngressList(ref),
+		extensionsv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName():                                               schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerIngress(ref),
+		extensionsv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName():                                                schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerStatus(ref),
+		extensionsv1beta1.IngressPortStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_extensions_v1beta1_IngressPortStatus(ref),
+		extensionsv1beta1.IngressRule{}.OpenAPIModelName():                                                              schema_k8sio_api_extensions_v1beta1_IngressRule(ref),
+		extensionsv1beta1.IngressRuleValue{}.OpenAPIModelName():                                                         schema_k8sio_api_extensions_v1beta1_IngressRuleValue(ref),
+		extensionsv1beta1.IngressSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_extensions_v1beta1_IngressSpec(ref),
+		extensionsv1beta1.IngressStatus{}.OpenAPIModelName():                                                            schema_k8sio_api_extensions_v1beta1_IngressStatus(ref),
+		extensionsv1beta1.IngressTLS{}.OpenAPIModelName():                                                               schema_k8sio_api_extensions_v1beta1_IngressTLS(ref),
+		extensionsv1beta1.NetworkPolicy{}.OpenAPIModelName():                                                            schema_k8sio_api_extensions_v1beta1_NetworkPolicy(ref),
+		extensionsv1beta1.NetworkPolicyEgressRule{}.OpenAPIModelName():                                                  schema_k8sio_api_extensions_v1beta1_NetworkPolicyEgressRule(ref),
+		extensionsv1beta1.NetworkPolicyIngressRule{}.OpenAPIModelName():                                                 schema_k8sio_api_extensions_v1beta1_NetworkPolicyIngressRule(ref),
+		extensionsv1beta1.NetworkPolicyList{}.OpenAPIModelName():                                                        schema_k8sio_api_extensions_v1beta1_NetworkPolicyList(ref),
+		extensionsv1beta1.NetworkPolicyPeer{}.OpenAPIModelName():                                                        schema_k8sio_api_extensions_v1beta1_NetworkPolicyPeer(ref),
+		extensionsv1beta1.NetworkPolicyPort{}.OpenAPIModelName():                                                        schema_k8sio_api_extensions_v1beta1_NetworkPolicyPort(ref),
+		extensionsv1beta1.NetworkPolicySpec{}.OpenAPIModelName():                                                        schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref),
+		extensionsv1beta1.ReplicaSet{}.OpenAPIModelName():                                                               schema_k8sio_api_extensions_v1beta1_ReplicaSet(ref),
+		extensionsv1beta1.ReplicaSetCondition{}.OpenAPIModelName():                                                      schema_k8sio_api_extensions_v1beta1_ReplicaSetCondition(ref),
+		extensionsv1beta1.ReplicaSetList{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_ReplicaSetList(ref),
+		extensionsv1beta1.ReplicaSetSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_ReplicaSetSpec(ref),
+		extensionsv1beta1.ReplicaSetStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_extensions_v1beta1_ReplicaSetStatus(ref),
+		extensionsv1beta1.RollbackConfig{}.OpenAPIModelName():                                                           schema_k8sio_api_extensions_v1beta1_RollbackConfig(ref),
+		extensionsv1beta1.RollingUpdateDaemonSet{}.OpenAPIModelName():                                                   schema_k8sio_api_extensions_v1beta1_RollingUpdateDaemonSet(ref),
+		extensionsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName():                                                  schema_k8sio_api_extensions_v1beta1_RollingUpdateDeployment(ref),
+		extensionsv1beta1.Scale{}.OpenAPIModelName():                                                                    schema_k8sio_api_extensions_v1beta1_Scale(ref),
+		extensionsv1beta1.ScaleSpec{}.OpenAPIModelName():                                                                schema_k8sio_api_extensions_v1beta1_ScaleSpec(ref),
+		extensionsv1beta1.ScaleStatus{}.OpenAPIModelName():                                                              schema_k8sio_api_extensions_v1beta1_ScaleStatus(ref),
+		flowcontrolv1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName():                                             schema_k8sio_api_flowcontrol_v1_ExemptPriorityLevelConfiguration(ref),
+		flowcontrolv1.FlowDistinguisherMethod{}.OpenAPIModelName():                                                      schema_k8sio_api_flowcontrol_v1_FlowDistinguisherMethod(ref),
+		flowcontrolv1.FlowSchema{}.OpenAPIModelName():                                                                   schema_k8sio_api_flowcontrol_v1_FlowSchema(ref),
+		flowcontrolv1.FlowSchemaCondition{}.OpenAPIModelName():                                                          schema_k8sio_api_flowcontrol_v1_FlowSchemaCondition(ref),
+		flowcontrolv1.FlowSchemaList{}.OpenAPIModelName():                                                               schema_k8sio_api_flowcontrol_v1_FlowSchemaList(ref),
+		flowcontrolv1.FlowSchemaSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref),
+		flowcontrolv1.FlowSchemaStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_flowcontrol_v1_FlowSchemaStatus(ref),
+		flowcontrolv1.GroupSubject{}.OpenAPIModelName():                                                                 schema_k8sio_api_flowcontrol_v1_GroupSubject(ref),
+		flowcontrolv1.LimitResponse{}.OpenAPIModelName():                                                                schema_k8sio_api_flowcontrol_v1_LimitResponse(ref),
+		flowcontrolv1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName():                                            schema_k8sio_api_flowcontrol_v1_LimitedPriorityLevelConfiguration(ref),
+		flowcontrolv1.NonResourcePolicyRule{}.OpenAPIModelName():                                                        schema_k8sio_api_flowcontrol_v1_NonResourcePolicyRule(ref),
+		flowcontrolv1.PolicyRulesWithSubjects{}.OpenAPIModelName():                                                      schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref),
+		flowcontrolv1.PriorityLevelConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1_PriorityLevelConfiguration(ref),
+		flowcontrolv1.PriorityLevelConfigurationCondition{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationCondition(ref),
+		flowcontrolv1.PriorityLevelConfigurationList{}.OpenAPIModelName():                                               schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationList(ref),
+		flowcontrolv1.PriorityLevelConfigurationReference{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationReference(ref),
+		flowcontrolv1.PriorityLevelConfigurationSpec{}.OpenAPIModelName():                                               schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationSpec(ref),
+		flowcontrolv1.PriorityLevelConfigurationStatus{}.OpenAPIModelName():                                             schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationStatus(ref),
+		flowcontrolv1.QueuingConfiguration{}.OpenAPIModelName():                                                         schema_k8sio_api_flowcontrol_v1_QueuingConfiguration(ref),
+		flowcontrolv1.ResourcePolicyRule{}.OpenAPIModelName():                                                           schema_k8sio_api_flowcontrol_v1_ResourcePolicyRule(ref),
+		flowcontrolv1.ServiceAccountSubject{}.OpenAPIModelName():                                                        schema_k8sio_api_flowcontrol_v1_ServiceAccountSubject(ref),
+		flowcontrolv1.Subject{}.OpenAPIModelName():                                                                      schema_k8sio_api_flowcontrol_v1_Subject(ref),
+		flowcontrolv1.UserSubject{}.OpenAPIModelName():                                                                  schema_k8sio_api_flowcontrol_v1_UserSubject(ref),
+		flowcontrolv1beta1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName():                                        schema_k8sio_api_flowcontrol_v1beta1_ExemptPriorityLevelConfiguration(ref),
+		flowcontrolv1beta1.FlowDistinguisherMethod{}.OpenAPIModelName():                                                 schema_k8sio_api_flowcontrol_v1beta1_FlowDistinguisherMethod(ref),
+		flowcontrolv1beta1.FlowSchema{}.OpenAPIModelName():                                                              schema_k8sio_api_flowcontrol_v1beta1_FlowSchema(ref),
+		flowcontrolv1beta1.FlowSchemaCondition{}.OpenAPIModelName():                                                     schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaCondition(ref),
+		flowcontrolv1beta1.FlowSchemaList{}.OpenAPIModelName():                                                          schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaList(ref),
+		flowcontrolv1beta1.FlowSchemaSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref),
+		flowcontrolv1beta1.FlowSchemaStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaStatus(ref),
+		flowcontrolv1beta1.GroupSubject{}.OpenAPIModelName():                                                            schema_k8sio_api_flowcontrol_v1beta1_GroupSubject(ref),
+		flowcontrolv1beta1.LimitResponse{}.OpenAPIModelName():                                                           schema_k8sio_api_flowcontrol_v1beta1_LimitResponse(ref),
+		flowcontrolv1beta1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName():                                       schema_k8sio_api_flowcontrol_v1beta1_LimitedPriorityLevelConfiguration(ref),
+		flowcontrolv1beta1.NonResourcePolicyRule{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta1_NonResourcePolicyRule(ref),
+		flowcontrolv1beta1.PolicyRulesWithSubjects{}.OpenAPIModelName():                                                 schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref),
+		flowcontrolv1beta1.PriorityLevelConfiguration{}.OpenAPIModelName():                                              schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfiguration(ref),
+		flowcontrolv1beta1.PriorityLevelConfigurationCondition{}.OpenAPIModelName():                                     schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationCondition(ref),
+		flowcontrolv1beta1.PriorityLevelConfigurationList{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationList(ref),
+		flowcontrolv1beta1.PriorityLevelConfigurationReference{}.OpenAPIModelName():                                     schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationReference(ref),
+		flowcontrolv1beta1.PriorityLevelConfigurationSpec{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationSpec(ref),
+		flowcontrolv1beta1.PriorityLevelConfigurationStatus{}.OpenAPIModelName():                                        schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationStatus(ref),
+		flowcontrolv1beta1.QueuingConfiguration{}.OpenAPIModelName():                                                    schema_k8sio_api_flowcontrol_v1beta1_QueuingConfiguration(ref),
+		flowcontrolv1beta1.ResourcePolicyRule{}.OpenAPIModelName():                                                      schema_k8sio_api_flowcontrol_v1beta1_ResourcePolicyRule(ref),
+		flowcontrolv1beta1.ServiceAccountSubject{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta1_ServiceAccountSubject(ref),
+		flowcontrolv1beta1.Subject{}.OpenAPIModelName():                                                                 schema_k8sio_api_flowcontrol_v1beta1_Subject(ref),
+		flowcontrolv1beta1.UserSubject{}.OpenAPIModelName():                                                             schema_k8sio_api_flowcontrol_v1beta1_UserSubject(ref),
+		flowcontrolv1beta2.ExemptPriorityLevelConfiguration{}.OpenAPIModelName():                                        schema_k8sio_api_flowcontrol_v1beta2_ExemptPriorityLevelConfiguration(ref),
+		flowcontrolv1beta2.FlowDistinguisherMethod{}.OpenAPIModelName():                                                 schema_k8sio_api_flowcontrol_v1beta2_FlowDistinguisherMethod(ref),
+		flowcontrolv1beta2.FlowSchema{}.OpenAPIModelName():                                                              schema_k8sio_api_flowcontrol_v1beta2_FlowSchema(ref),
+		flowcontrolv1beta2.FlowSchemaCondition{}.OpenAPIModelName():                                                     schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaCondition(ref),
+		flowcontrolv1beta2.FlowSchemaList{}.OpenAPIModelName():                                                          schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaList(ref),
+		flowcontrolv1beta2.FlowSchemaSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref),
+		flowcontrolv1beta2.FlowSchemaStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaStatus(ref),
+		flowcontrolv1beta2.GroupSubject{}.OpenAPIModelName():                                                            schema_k8sio_api_flowcontrol_v1beta2_GroupSubject(ref),
+		flowcontrolv1beta2.LimitResponse{}.OpenAPIModelName():                                                           schema_k8sio_api_flowcontrol_v1beta2_LimitResponse(ref),
+		flowcontrolv1beta2.LimitedPriorityLevelConfiguration{}.OpenAPIModelName():                                       schema_k8sio_api_flowcontrol_v1beta2_LimitedPriorityLevelConfiguration(ref),
+		flowcontrolv1beta2.NonResourcePolicyRule{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta2_NonResourcePolicyRule(ref),
+		flowcontrolv1beta2.PolicyRulesWithSubjects{}.OpenAPIModelName():                                                 schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref),
+		flowcontrolv1beta2.PriorityLevelConfiguration{}.OpenAPIModelName():                                              schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfiguration(ref),
+		flowcontrolv1beta2.PriorityLevelConfigurationCondition{}.OpenAPIModelName():                                     schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationCondition(ref),
+		flowcontrolv1beta2.PriorityLevelConfigurationList{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationList(ref),
+		flowcontrolv1beta2.PriorityLevelConfigurationReference{}.OpenAPIModelName():                                     schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationReference(ref),
+		flowcontrolv1beta2.PriorityLevelConfigurationSpec{}.OpenAPIModelName():                                          schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationSpec(ref),
+		flowcontrolv1beta2.PriorityLevelConfigurationStatus{}.OpenAPIModelName():                                        schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationStatus(ref),
+		flowcontrolv1beta2.QueuingConfiguration{}.OpenAPIModelName():                                                    schema_k8sio_api_flowcontrol_v1beta2_QueuingConfiguration(ref),
+		flowcontrolv1beta2.ResourcePolicyRule{}.OpenAPIModelName():                                                      schema_k8sio_api_flowcontrol_v1beta2_ResourcePolicyRule(ref),
+		flowcontrolv1beta2.ServiceAccountSubject{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta2_ServiceAccountSubject(ref),
+		flowcontrolv1beta2.Subject{}.OpenAPIModelName():                                                                 schema_k8sio_api_flowcontrol_v1beta2_Subject(ref),
+		flowcontrolv1beta2.UserSubject{}.OpenAPIModelName():                                                             schema_k8sio_api_flowcontrol_v1beta2_UserSubject(ref),
+		v1beta3.ExemptPriorityLevelConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta3_ExemptPriorityLevelConfiguration(ref),
+		v1beta3.FlowDistinguisherMethod{}.OpenAPIModelName():                                                            schema_k8sio_api_flowcontrol_v1beta3_FlowDistinguisherMethod(ref),
+		v1beta3.FlowSchema{}.OpenAPIModelName():                                                                         schema_k8sio_api_flowcontrol_v1beta3_FlowSchema(ref),
+		v1beta3.FlowSchemaCondition{}.OpenAPIModelName():                                                                schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaCondition(ref),
+		v1beta3.FlowSchemaList{}.OpenAPIModelName():                                                                     schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaList(ref),
+		v1beta3.FlowSchemaSpec{}.OpenAPIModelName():                                                                     schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref),
+		v1beta3.FlowSchemaStatus{}.OpenAPIModelName():                                                                   schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaStatus(ref),
+		v1beta3.GroupSubject{}.OpenAPIModelName():                                                                       schema_k8sio_api_flowcontrol_v1beta3_GroupSubject(ref),
+		v1beta3.LimitResponse{}.OpenAPIModelName():                                                                      schema_k8sio_api_flowcontrol_v1beta3_LimitResponse(ref),
+		v1beta3.LimitedPriorityLevelConfiguration{}.OpenAPIModelName():                                                  schema_k8sio_api_flowcontrol_v1beta3_LimitedPriorityLevelConfiguration(ref),
+		v1beta3.NonResourcePolicyRule{}.OpenAPIModelName():                                                              schema_k8sio_api_flowcontrol_v1beta3_NonResourcePolicyRule(ref),
+		v1beta3.PolicyRulesWithSubjects{}.OpenAPIModelName():                                                            schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref),
+		v1beta3.PriorityLevelConfiguration{}.OpenAPIModelName():                                                         schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfiguration(ref),
+		v1beta3.PriorityLevelConfigurationCondition{}.OpenAPIModelName():                                                schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationCondition(ref),
+		v1beta3.PriorityLevelConfigurationList{}.OpenAPIModelName():                                                     schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationList(ref),
+		v1beta3.PriorityLevelConfigurationReference{}.OpenAPIModelName():                                                schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationReference(ref),
+		v1beta3.PriorityLevelConfigurationSpec{}.OpenAPIModelName():                                                     schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationSpec(ref),
+		v1beta3.PriorityLevelConfigurationStatus{}.OpenAPIModelName():                                                   schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationStatus(ref),
+		v1beta3.QueuingConfiguration{}.OpenAPIModelName():                                                               schema_k8sio_api_flowcontrol_v1beta3_QueuingConfiguration(ref),
+		v1beta3.ResourcePolicyRule{}.OpenAPIModelName():                                                                 schema_k8sio_api_flowcontrol_v1beta3_ResourcePolicyRule(ref),
+		v1beta3.ServiceAccountSubject{}.OpenAPIModelName():                                                              schema_k8sio_api_flowcontrol_v1beta3_ServiceAccountSubject(ref),
+		v1beta3.Subject{}.OpenAPIModelName():                                                                            schema_k8sio_api_flowcontrol_v1beta3_Subject(ref),
+		v1beta3.UserSubject{}.OpenAPIModelName():                                                                        schema_k8sio_api_flowcontrol_v1beta3_UserSubject(ref),
+		imagepolicyv1alpha1.ImageReview{}.OpenAPIModelName():                                                            schema_k8sio_api_imagepolicy_v1alpha1_ImageReview(ref),
+		imagepolicyv1alpha1.ImageReviewContainerSpec{}.OpenAPIModelName():                                               schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewContainerSpec(ref),
+		imagepolicyv1alpha1.ImageReviewSpec{}.OpenAPIModelName():                                                        schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewSpec(ref),
+		imagepolicyv1alpha1.ImageReviewStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewStatus(ref),
+		networkingv1.HTTPIngressPath{}.OpenAPIModelName():                                                               schema_k8sio_api_networking_v1_HTTPIngressPath(ref),
+		networkingv1.HTTPIngressRuleValue{}.OpenAPIModelName():                                                          schema_k8sio_api_networking_v1_HTTPIngressRuleValue(ref),
+		networkingv1.IPAddress{}.OpenAPIModelName():                                                                     schema_k8sio_api_networking_v1_IPAddress(ref),
+		networkingv1.IPAddressList{}.OpenAPIModelName():                                                                 schema_k8sio_api_networking_v1_IPAddressList(ref),
+		networkingv1.IPAddressSpec{}.OpenAPIModelName():                                                                 schema_k8sio_api_networking_v1_IPAddressSpec(ref),
+		networkingv1.IPBlock{}.OpenAPIModelName():                                                                       schema_k8sio_api_networking_v1_IPBlock(ref),
+		networkingv1.Ingress{}.OpenAPIModelName():                                                                       schema_k8sio_api_networking_v1_Ingress(ref),
+		networkingv1.IngressBackend{}.OpenAPIModelName():                                                                schema_k8sio_api_networking_v1_IngressBackend(ref),
+		networkingv1.IngressClass{}.OpenAPIModelName():                                                                  schema_k8sio_api_networking_v1_IngressClass(ref),
+		networkingv1.IngressClassList{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1_IngressClassList(ref),
+		networkingv1.IngressClassParametersReference{}.OpenAPIModelName():                                               schema_k8sio_api_networking_v1_IngressClassParametersReference(ref),
+		networkingv1.IngressClassSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1_IngressClassSpec(ref),
+		networkingv1.IngressList{}.OpenAPIModelName():                                                                   schema_k8sio_api_networking_v1_IngressList(ref),
+		networkingv1.IngressLoadBalancerIngress{}.OpenAPIModelName():                                                    schema_k8sio_api_networking_v1_IngressLoadBalancerIngress(ref),
+		networkingv1.IngressLoadBalancerStatus{}.OpenAPIModelName():                                                     schema_k8sio_api_networking_v1_IngressLoadBalancerStatus(ref),
+		networkingv1.IngressPortStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_IngressPortStatus(ref),
+		networkingv1.IngressRule{}.OpenAPIModelName():                                                                   schema_k8sio_api_networking_v1_IngressRule(ref),
+		networkingv1.IngressRuleValue{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1_IngressRuleValue(ref),
+		networkingv1.IngressServiceBackend{}.OpenAPIModelName():                                                         schema_k8sio_api_networking_v1_IngressServiceBackend(ref),
+		networkingv1.IngressSpec{}.OpenAPIModelName():                                                                   schema_k8sio_api_networking_v1_IngressSpec(ref),
+		networkingv1.IngressStatus{}.OpenAPIModelName():                                                                 schema_k8sio_api_networking_v1_IngressStatus(ref),
+		networkingv1.IngressTLS{}.OpenAPIModelName():                                                                    schema_k8sio_api_networking_v1_IngressTLS(ref),
+		networkingv1.NetworkPolicy{}.OpenAPIModelName():                                                                 schema_k8sio_api_networking_v1_NetworkPolicy(ref),
+		networkingv1.NetworkPolicyEgressRule{}.OpenAPIModelName():                                                       schema_k8sio_api_networking_v1_NetworkPolicyEgressRule(ref),
+		networkingv1.NetworkPolicyIngressRule{}.OpenAPIModelName():                                                      schema_k8sio_api_networking_v1_NetworkPolicyIngressRule(ref),
+		networkingv1.NetworkPolicyList{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_NetworkPolicyList(ref),
+		networkingv1.NetworkPolicyPeer{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_NetworkPolicyPeer(ref),
+		networkingv1.NetworkPolicyPort{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_NetworkPolicyPort(ref),
+		networkingv1.NetworkPolicySpec{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_NetworkPolicySpec(ref),
+		networkingv1.ParentReference{}.OpenAPIModelName():                                                               schema_k8sio_api_networking_v1_ParentReference(ref),
+		networkingv1.ServiceBackendPort{}.OpenAPIModelName():                                                            schema_k8sio_api_networking_v1_ServiceBackendPort(ref),
+		networkingv1.ServiceCIDR{}.OpenAPIModelName():                                                                   schema_k8sio_api_networking_v1_ServiceCIDR(ref),
+		networkingv1.ServiceCIDRList{}.OpenAPIModelName():                                                               schema_k8sio_api_networking_v1_ServiceCIDRList(ref),
+		networkingv1.ServiceCIDRSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_networking_v1_ServiceCIDRSpec(ref),
+		networkingv1.ServiceCIDRStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1_ServiceCIDRStatus(ref),
+		networkingv1beta1.HTTPIngressPath{}.OpenAPIModelName():                                                          schema_k8sio_api_networking_v1beta1_HTTPIngressPath(ref),
+		networkingv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName():                                                     schema_k8sio_api_networking_v1beta1_HTTPIngressRuleValue(ref),
+		networkingv1beta1.IPAddress{}.OpenAPIModelName():                                                                schema_k8sio_api_networking_v1beta1_IPAddress(ref),
+		networkingv1beta1.IPAddressList{}.OpenAPIModelName():                                                            schema_k8sio_api_networking_v1beta1_IPAddressList(ref),
+		networkingv1beta1.IPAddressSpec{}.OpenAPIModelName():                                                            schema_k8sio_api_networking_v1beta1_IPAddressSpec(ref),
+		networkingv1beta1.Ingress{}.OpenAPIModelName():                                                                  schema_k8sio_api_networking_v1beta1_Ingress(ref),
+		networkingv1beta1.IngressBackend{}.OpenAPIModelName():                                                           schema_k8sio_api_networking_v1beta1_IngressBackend(ref),
+		networkingv1beta1.IngressClass{}.OpenAPIModelName():                                                             schema_k8sio_api_networking_v1beta1_IngressClass(ref),
+		networkingv1beta1.IngressClassList{}.OpenAPIModelName():                                                         schema_k8sio_api_networking_v1beta1_IngressClassList(ref),
+		networkingv1beta1.IngressClassParametersReference{}.OpenAPIModelName():                                          schema_k8sio_api_networking_v1beta1_IngressClassParametersReference(ref),
+		networkingv1beta1.IngressClassSpec{}.OpenAPIModelName():                                                         schema_k8sio_api_networking_v1beta1_IngressClassSpec(ref),
+		networkingv1beta1.IngressList{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1beta1_IngressList(ref),
+		networkingv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName():                                               schema_k8sio_api_networking_v1beta1_IngressLoadBalancerIngress(ref),
+		networkingv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName():                                                schema_k8sio_api_networking_v1beta1_IngressLoadBalancerStatus(ref),
+		networkingv1beta1.IngressPortStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_networking_v1beta1_IngressPortStatus(ref),
+		networkingv1beta1.IngressRule{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1beta1_IngressRule(ref),
+		networkingv1beta1.IngressRuleValue{}.OpenAPIModelName():                                                         schema_k8sio_api_networking_v1beta1_IngressRuleValue(ref),
+		networkingv1beta1.IngressSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1beta1_IngressSpec(ref),
+		networkingv1beta1.IngressStatus{}.OpenAPIModelName():                                                            schema_k8sio_api_networking_v1beta1_IngressStatus(ref),
+		networkingv1beta1.IngressTLS{}.OpenAPIModelName():                                                               schema_k8sio_api_networking_v1beta1_IngressTLS(ref),
+		networkingv1beta1.ParentReference{}.OpenAPIModelName():                                                          schema_k8sio_api_networking_v1beta1_ParentReference(ref),
+		networkingv1beta1.ServiceCIDR{}.OpenAPIModelName():                                                              schema_k8sio_api_networking_v1beta1_ServiceCIDR(ref),
+		networkingv1beta1.ServiceCIDRList{}.OpenAPIModelName():                                                          schema_k8sio_api_networking_v1beta1_ServiceCIDRList(ref),
+		networkingv1beta1.ServiceCIDRSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_networking_v1beta1_ServiceCIDRSpec(ref),
+		networkingv1beta1.ServiceCIDRStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_networking_v1beta1_ServiceCIDRStatus(ref),
+		nodev1.Overhead{}.OpenAPIModelName():                                                                            schema_k8sio_api_node_v1_Overhead(ref),
+		nodev1.RuntimeClass{}.OpenAPIModelName():                                                                        schema_k8sio_api_node_v1_RuntimeClass(ref),
+		nodev1.RuntimeClassList{}.OpenAPIModelName():                                                                    schema_k8sio_api_node_v1_RuntimeClassList(ref),
+		nodev1.Scheduling{}.OpenAPIModelName():                                                                          schema_k8sio_api_node_v1_Scheduling(ref),
+		nodev1alpha1.Overhead{}.OpenAPIModelName():                                                                      schema_k8sio_api_node_v1alpha1_Overhead(ref),
+		nodev1alpha1.RuntimeClass{}.OpenAPIModelName():                                                                  schema_k8sio_api_node_v1alpha1_RuntimeClass(ref),
+		nodev1alpha1.RuntimeClassList{}.OpenAPIModelName():                                                              schema_k8sio_api_node_v1alpha1_RuntimeClassList(ref),
+		nodev1alpha1.RuntimeClassSpec{}.OpenAPIModelName():                                                              schema_k8sio_api_node_v1alpha1_RuntimeClassSpec(ref),
+		nodev1alpha1.Scheduling{}.OpenAPIModelName():                                                                    schema_k8sio_api_node_v1alpha1_Scheduling(ref),
+		nodev1beta1.Overhead{}.OpenAPIModelName():                                                                       schema_k8sio_api_node_v1beta1_Overhead(ref),
+		nodev1beta1.RuntimeClass{}.OpenAPIModelName():                                                                   schema_k8sio_api_node_v1beta1_RuntimeClass(ref),
+		nodev1beta1.RuntimeClassList{}.OpenAPIModelName():                                                               schema_k8sio_api_node_v1beta1_RuntimeClassList(ref),
+		nodev1beta1.Scheduling{}.OpenAPIModelName():                                                                     schema_k8sio_api_node_v1beta1_Scheduling(ref),
+		policyv1.Eviction{}.OpenAPIModelName():                                                                          schema_k8sio_api_policy_v1_Eviction(ref),
+		policyv1.PodDisruptionBudget{}.OpenAPIModelName():                                                               schema_k8sio_api_policy_v1_PodDisruptionBudget(ref),
+		policyv1.PodDisruptionBudgetList{}.OpenAPIModelName():                                                           schema_k8sio_api_policy_v1_PodDisruptionBudgetList(ref),
+		policyv1.PodDisruptionBudgetSpec{}.OpenAPIModelName():                                                           schema_k8sio_api_policy_v1_PodDisruptionBudgetSpec(ref),
+		policyv1.PodDisruptionBudgetStatus{}.OpenAPIModelName():                                                         schema_k8sio_api_policy_v1_PodDisruptionBudgetStatus(ref),
+		policyv1beta1.Eviction{}.OpenAPIModelName():                                                                     schema_k8sio_api_policy_v1beta1_Eviction(ref),
+		policyv1beta1.PodDisruptionBudget{}.OpenAPIModelName():                                                          schema_k8sio_api_policy_v1beta1_PodDisruptionBudget(ref),
+		policyv1beta1.PodDisruptionBudgetList{}.OpenAPIModelName():                                                      schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetList(ref),
+		policyv1beta1.PodDisruptionBudgetSpec{}.OpenAPIModelName():                                                      schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetSpec(ref),
+		policyv1beta1.PodDisruptionBudgetStatus{}.OpenAPIModelName():                                                    schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetStatus(ref),
+		rbacv1.AggregationRule{}.OpenAPIModelName():                                                                     schema_k8sio_api_rbac_v1_AggregationRule(ref),
+		rbacv1.ClusterRole{}.OpenAPIModelName():                                                                         schema_k8sio_api_rbac_v1_ClusterRole(ref),
+		rbacv1.ClusterRoleBinding{}.OpenAPIModelName():                                                                  schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref),
+		rbacv1.ClusterRoleBindingList{}.OpenAPIModelName():                                                              schema_k8sio_api_rbac_v1_ClusterRoleBindingList(ref),
+		rbacv1.ClusterRoleList{}.OpenAPIModelName():                                                                     schema_k8sio_api_rbac_v1_ClusterRoleList(ref),
+		rbacv1.PolicyRule{}.OpenAPIModelName():                                                                          schema_k8sio_api_rbac_v1_PolicyRule(ref),
+		rbacv1.Role{}.OpenAPIModelName():                                                                                schema_k8sio_api_rbac_v1_Role(ref),
+		rbacv1.RoleBinding{}.OpenAPIModelName():                                                                         schema_k8sio_api_rbac_v1_RoleBinding(ref),
+		rbacv1.RoleBindingList{}.OpenAPIModelName():                                                                     schema_k8sio_api_rbac_v1_RoleBindingList(ref),
+		rbacv1.RoleList{}.OpenAPIModelName():                                                                            schema_k8sio_api_rbac_v1_RoleList(ref),
+		rbacv1.RoleRef{}.OpenAPIModelName():                                                                             schema_k8sio_api_rbac_v1_RoleRef(ref),
+		rbacv1.Subject{}.OpenAPIModelName():                                                                             schema_k8sio_api_rbac_v1_Subject(ref),
+		rbacv1alpha1.AggregationRule{}.OpenAPIModelName():                                                               schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref),
+		rbacv1alpha1.ClusterRole{}.OpenAPIModelName():                                                                   schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref),
+		rbacv1alpha1.ClusterRoleBinding{}.OpenAPIModelName():                                                            schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref),
+		rbacv1alpha1.ClusterRoleBindingList{}.OpenAPIModelName():                                                        schema_k8sio_api_rbac_v1alpha1_ClusterRoleBindingList(ref),
+		rbacv1alpha1.ClusterRoleList{}.OpenAPIModelName():                                                               schema_k8sio_api_rbac_v1alpha1_ClusterRoleList(ref),
+		rbacv1alpha1.PolicyRule{}.OpenAPIModelName():                                                                    schema_k8sio_api_rbac_v1alpha1_PolicyRule(ref),
+		rbacv1alpha1.Role{}.OpenAPIModelName():                                                                          schema_k8sio_api_rbac_v1alpha1_Role(ref),
+		rbacv1alpha1.RoleBinding{}.OpenAPIModelName():                                                                   schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref),
+		rbacv1alpha1.RoleBindingList{}.OpenAPIModelName():                                                               schema_k8sio_api_rbac_v1alpha1_RoleBindingList(ref),
+		rbacv1alpha1.RoleList{}.OpenAPIModelName():                                                                      schema_k8sio_api_rbac_v1alpha1_RoleList(ref),
+		rbacv1alpha1.RoleRef{}.OpenAPIModelName():                                                                       schema_k8sio_api_rbac_v1alpha1_RoleRef(ref),
+		rbacv1alpha1.Subject{}.OpenAPIModelName():                                                                       schema_k8sio_api_rbac_v1alpha1_Subject(ref),
+		rbacv1beta1.AggregationRule{}.OpenAPIModelName():                                                                schema_k8sio_api_rbac_v1beta1_AggregationRule(ref),
+		rbacv1beta1.ClusterRole{}.OpenAPIModelName():                                                                    schema_k8sio_api_rbac_v1beta1_ClusterRole(ref),
+		rbacv1beta1.ClusterRoleBinding{}.OpenAPIModelName():                                                             schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref),
+		rbacv1beta1.ClusterRoleBindingList{}.OpenAPIModelName():                                                         schema_k8sio_api_rbac_v1beta1_ClusterRoleBindingList(ref),
+		rbacv1beta1.ClusterRoleList{}.OpenAPIModelName():                                                                schema_k8sio_api_rbac_v1beta1_ClusterRoleList(ref),
+		rbacv1beta1.PolicyRule{}.OpenAPIModelName():                                                                     schema_k8sio_api_rbac_v1beta1_PolicyRule(ref),
+		rbacv1beta1.Role{}.OpenAPIModelName():                                                                           schema_k8sio_api_rbac_v1beta1_Role(ref),
+		rbacv1beta1.RoleBinding{}.OpenAPIModelName():                                                                    schema_k8sio_api_rbac_v1beta1_RoleBinding(ref),
+		rbacv1beta1.RoleBindingList{}.OpenAPIModelName():                                                                schema_k8sio_api_rbac_v1beta1_RoleBindingList(ref),
+		rbacv1beta1.RoleList{}.OpenAPIModelName():                                                                       schema_k8sio_api_rbac_v1beta1_RoleList(ref),
+		rbacv1beta1.RoleRef{}.OpenAPIModelName():                                                                        schema_k8sio_api_rbac_v1beta1_RoleRef(ref),
+		rbacv1beta1.Subject{}.OpenAPIModelName():                                                                        schema_k8sio_api_rbac_v1beta1_Subject(ref),
+		resourcev1.AllocatedDeviceStatus{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref),
+		resourcev1.AllocationResult{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1_AllocationResult(ref),
+		resourcev1.CELDeviceSelector{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_CELDeviceSelector(ref),
+		resourcev1.CapacityRequestPolicy{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1_CapacityRequestPolicy(ref),
+		resourcev1.CapacityRequestPolicyRange{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1_CapacityRequestPolicyRange(ref),
+		resourcev1.CapacityRequirements{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1_CapacityRequirements(ref),
+		resourcev1.Counter{}.OpenAPIModelName():                                                                         schema_k8sio_api_resource_v1_Counter(ref),
+		resourcev1.CounterSet{}.OpenAPIModelName():                                                                      schema_k8sio_api_resource_v1_CounterSet(ref),
+		resourcev1.Device{}.OpenAPIModelName():                                                                          schema_k8sio_api_resource_v1_Device(ref),
+		resourcev1.DeviceAllocationConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1_DeviceAllocationConfiguration(ref),
+		resourcev1.DeviceAllocationResult{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1_DeviceAllocationResult(ref),
+		resourcev1.DeviceAttribute{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1_DeviceAttribute(ref),
+		resourcev1.DeviceCapacity{}.OpenAPIModelName():                                                                  schema_k8sio_api_resource_v1_DeviceCapacity(ref),
+		resourcev1.DeviceClaim{}.OpenAPIModelName():                                                                     schema_k8sio_api_resource_v1_DeviceClaim(ref),
+		resourcev1.DeviceClaimConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1_DeviceClaimConfiguration(ref),
+		resourcev1.DeviceClass{}.OpenAPIModelName():                                                                     schema_k8sio_api_resource_v1_DeviceClass(ref),
+		resourcev1.DeviceClassConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1_DeviceClassConfiguration(ref),
+		resourcev1.DeviceClassList{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1_DeviceClassList(ref),
+		resourcev1.DeviceClassSpec{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1_DeviceClassSpec(ref),
+		resourcev1.DeviceConfiguration{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1_DeviceConfiguration(ref),
+		resourcev1.DeviceConstraint{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1_DeviceConstraint(ref),
+		resourcev1.DeviceCounterConsumption{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1_DeviceCounterConsumption(ref),
+		resourcev1.DeviceRequest{}.OpenAPIModelName():                                                                   schema_k8sio_api_resource_v1_DeviceRequest(ref),
+		resourcev1.DeviceRequestAllocationResult{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref),
+		resourcev1.DeviceSelector{}.OpenAPIModelName():                                                                  schema_k8sio_api_resource_v1_DeviceSelector(ref),
+		resourcev1.DeviceSubRequest{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1_DeviceSubRequest(ref),
+		resourcev1.DeviceTaint{}.OpenAPIModelName():                                                                     schema_k8sio_api_resource_v1_DeviceTaint(ref),
+		resourcev1.DeviceToleration{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1_DeviceToleration(ref),
+		resourcev1.ExactDeviceRequest{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1_ExactDeviceRequest(ref),
+		resourcev1.NetworkDeviceData{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_NetworkDeviceData(ref),
+		resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName():                                                       schema_k8sio_api_resource_v1_OpaqueDeviceConfiguration(ref),
+		resourcev1.ResourceClaim{}.OpenAPIModelName():                                                                   schema_k8sio_api_resource_v1_ResourceClaim(ref),
+		resourcev1.ResourceClaimConsumerReference{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1_ResourceClaimConsumerReference(ref),
+		resourcev1.ResourceClaimList{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_ResourceClaimList(ref),
+		resourcev1.ResourceClaimSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_ResourceClaimSpec(ref),
+		resourcev1.ResourceClaimStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1_ResourceClaimStatus(ref),
+		resourcev1.ResourceClaimTemplate{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1_ResourceClaimTemplate(ref),
+		resourcev1.ResourceClaimTemplateList{}.OpenAPIModelName():                                                       schema_k8sio_api_resource_v1_ResourceClaimTemplateList(ref),
+		resourcev1.ResourceClaimTemplateSpec{}.OpenAPIModelName():                                                       schema_k8sio_api_resource_v1_ResourceClaimTemplateSpec(ref),
+		resourcev1.ResourcePool{}.OpenAPIModelName():                                                                    schema_k8sio_api_resource_v1_ResourcePool(ref),
+		resourcev1.ResourceSlice{}.OpenAPIModelName():                                                                   schema_k8sio_api_resource_v1_ResourceSlice(ref),
+		resourcev1.ResourceSliceList{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_ResourceSliceList(ref),
+		resourcev1.ResourceSliceSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1_ResourceSliceSpec(ref),
+		v1alpha3.CELDeviceSelector{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1alpha3_CELDeviceSelector(ref),
+		v1alpha3.DeviceSelector{}.OpenAPIModelName():                                                                    schema_k8sio_api_resource_v1alpha3_DeviceSelector(ref),
+		v1alpha3.DeviceTaint{}.OpenAPIModelName():                                                                       schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref),
+		v1alpha3.DeviceTaintRule{}.OpenAPIModelName():                                                                   schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref),
+		v1alpha3.DeviceTaintRuleList{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref),
+		v1alpha3.DeviceTaintRuleSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref),
+		v1alpha3.DeviceTaintRuleStatus{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleStatus(ref),
+		v1alpha3.DeviceTaintSelector{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref),
+		resourcev1beta1.AllocatedDeviceStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref),
+		resourcev1beta1.AllocationResult{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta1_AllocationResult(ref),
+		resourcev1beta1.BasicDevice{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta1_BasicDevice(ref),
+		resourcev1beta1.CELDeviceSelector{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_CELDeviceSelector(ref),
+		resourcev1beta1.CapacityRequestPolicy{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta1_CapacityRequestPolicy(ref),
+		resourcev1beta1.CapacityRequestPolicyRange{}.OpenAPIModelName():                                                 schema_k8sio_api_resource_v1beta1_CapacityRequestPolicyRange(ref),
+		resourcev1beta1.CapacityRequirements{}.OpenAPIModelName():                                                       schema_k8sio_api_resource_v1beta1_CapacityRequirements(ref),
+		resourcev1beta1.Counter{}.OpenAPIModelName():                                                                    schema_k8sio_api_resource_v1beta1_Counter(ref),
+		resourcev1beta1.CounterSet{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1beta1_CounterSet(ref),
+		resourcev1beta1.Device{}.OpenAPIModelName():                                                                     schema_k8sio_api_resource_v1beta1_Device(ref),
+		resourcev1beta1.DeviceAllocationConfiguration{}.OpenAPIModelName():                                              schema_k8sio_api_resource_v1beta1_DeviceAllocationConfiguration(ref),
+		resourcev1beta1.DeviceAllocationResult{}.OpenAPIModelName():                                                     schema_k8sio_api_resource_v1beta1_DeviceAllocationResult(ref),
+		resourcev1beta1.DeviceAttribute{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta1_DeviceAttribute(ref),
+		resourcev1beta1.DeviceCapacity{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1beta1_DeviceCapacity(ref),
+		resourcev1beta1.DeviceClaim{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta1_DeviceClaim(ref),
+		resourcev1beta1.DeviceClaimConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta1_DeviceClaimConfiguration(ref),
+		resourcev1beta1.DeviceClass{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta1_DeviceClass(ref),
+		resourcev1beta1.DeviceClassConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta1_DeviceClassConfiguration(ref),
+		resourcev1beta1.DeviceClassList{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta1_DeviceClassList(ref),
+		resourcev1beta1.DeviceClassSpec{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta1_DeviceClassSpec(ref),
+		resourcev1beta1.DeviceConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1beta1_DeviceConfiguration(ref),
+		resourcev1beta1.DeviceConstraint{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta1_DeviceConstraint(ref),
+		resourcev1beta1.DeviceCounterConsumption{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta1_DeviceCounterConsumption(ref),
+		resourcev1beta1.DeviceRequest{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta1_DeviceRequest(ref),
+		resourcev1beta1.DeviceRequestAllocationResult{}.OpenAPIModelName():                                              schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref),
+		resourcev1beta1.DeviceSelector{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1beta1_DeviceSelector(ref),
+		resourcev1beta1.DeviceSubRequest{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref),
+		resourcev1beta1.DeviceTaint{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta1_DeviceTaint(ref),
+		resourcev1beta1.DeviceToleration{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta1_DeviceToleration(ref),
+		resourcev1beta1.NetworkDeviceData{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_NetworkDeviceData(ref),
+		resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref),
+		resourcev1beta1.ResourceClaim{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta1_ResourceClaim(ref),
+		resourcev1beta1.ResourceClaimConsumerReference{}.OpenAPIModelName():                                             schema_k8sio_api_resource_v1beta1_ResourceClaimConsumerReference(ref),
+		resourcev1beta1.ResourceClaimList{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_ResourceClaimList(ref),
+		resourcev1beta1.ResourceClaimSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_ResourceClaimSpec(ref),
+		resourcev1beta1.ResourceClaimStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref),
+		resourcev1beta1.ResourceClaimTemplate{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta1_ResourceClaimTemplate(ref),
+		resourcev1beta1.ResourceClaimTemplateList{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateList(ref),
+		resourcev1beta1.ResourceClaimTemplateSpec{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateSpec(ref),
+		resourcev1beta1.ResourcePool{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1beta1_ResourcePool(ref),
+		resourcev1beta1.ResourceSlice{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta1_ResourceSlice(ref),
+		resourcev1beta1.ResourceSliceList{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_ResourceSliceList(ref),
+		resourcev1beta1.ResourceSliceSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref),
+		resourcev1beta2.AllocatedDeviceStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref),
+		resourcev1beta2.AllocationResult{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta2_AllocationResult(ref),
+		resourcev1beta2.CELDeviceSelector{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_CELDeviceSelector(ref),
+		resourcev1beta2.CapacityRequestPolicy{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta2_CapacityRequestPolicy(ref),
+		resourcev1beta2.CapacityRequestPolicyRange{}.OpenAPIModelName():                                                 schema_k8sio_api_resource_v1beta2_CapacityRequestPolicyRange(ref),
+		resourcev1beta2.CapacityRequirements{}.OpenAPIModelName():                                                       schema_k8sio_api_resource_v1beta2_CapacityRequirements(ref),
+		resourcev1beta2.Counter{}.OpenAPIModelName():                                                                    schema_k8sio_api_resource_v1beta2_Counter(ref),
+		resourcev1beta2.CounterSet{}.OpenAPIModelName():                                                                 schema_k8sio_api_resource_v1beta2_CounterSet(ref),
+		resourcev1beta2.Device{}.OpenAPIModelName():                                                                     schema_k8sio_api_resource_v1beta2_Device(ref),
+		resourcev1beta2.DeviceAllocationConfiguration{}.OpenAPIModelName():                                              schema_k8sio_api_resource_v1beta2_DeviceAllocationConfiguration(ref),
+		resourcev1beta2.DeviceAllocationResult{}.OpenAPIModelName():                                                     schema_k8sio_api_resource_v1beta2_DeviceAllocationResult(ref),
+		resourcev1beta2.DeviceAttribute{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta2_DeviceAttribute(ref),
+		resourcev1beta2.DeviceCapacity{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1beta2_DeviceCapacity(ref),
+		resourcev1beta2.DeviceClaim{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta2_DeviceClaim(ref),
+		resourcev1beta2.DeviceClaimConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta2_DeviceClaimConfiguration(ref),
+		resourcev1beta2.DeviceClass{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta2_DeviceClass(ref),
+		resourcev1beta2.DeviceClassConfiguration{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta2_DeviceClassConfiguration(ref),
+		resourcev1beta2.DeviceClassList{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta2_DeviceClassList(ref),
+		resourcev1beta2.DeviceClassSpec{}.OpenAPIModelName():                                                            schema_k8sio_api_resource_v1beta2_DeviceClassSpec(ref),
+		resourcev1beta2.DeviceConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1beta2_DeviceConfiguration(ref),
+		resourcev1beta2.DeviceConstraint{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta2_DeviceConstraint(ref),
+		resourcev1beta2.DeviceCounterConsumption{}.OpenAPIModelName():                                                   schema_k8sio_api_resource_v1beta2_DeviceCounterConsumption(ref),
+		resourcev1beta2.DeviceRequest{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta2_DeviceRequest(ref),
+		resourcev1beta2.DeviceRequestAllocationResult{}.OpenAPIModelName():                                              schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref),
+		resourcev1beta2.DeviceSelector{}.OpenAPIModelName():                                                             schema_k8sio_api_resource_v1beta2_DeviceSelector(ref),
+		resourcev1beta2.DeviceSubRequest{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref),
+		resourcev1beta2.DeviceTaint{}.OpenAPIModelName():                                                                schema_k8sio_api_resource_v1beta2_DeviceTaint(ref),
+		resourcev1beta2.DeviceToleration{}.OpenAPIModelName():                                                           schema_k8sio_api_resource_v1beta2_DeviceToleration(ref),
+		resourcev1beta2.ExactDeviceRequest{}.OpenAPIModelName():                                                         schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref),
+		resourcev1beta2.NetworkDeviceData{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_NetworkDeviceData(ref),
+		resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta2_OpaqueDeviceConfiguration(ref),
+		resourcev1beta2.ResourceClaim{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta2_ResourceClaim(ref),
+		resourcev1beta2.ResourceClaimConsumerReference{}.OpenAPIModelName():                                             schema_k8sio_api_resource_v1beta2_ResourceClaimConsumerReference(ref),
+		resourcev1beta2.ResourceClaimList{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_ResourceClaimList(ref),
+		resourcev1beta2.ResourceClaimSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_ResourceClaimSpec(ref),
+		resourcev1beta2.ResourceClaimStatus{}.OpenAPIModelName():                                                        schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref),
+		resourcev1beta2.ResourceClaimTemplate{}.OpenAPIModelName():                                                      schema_k8sio_api_resource_v1beta2_ResourceClaimTemplate(ref),
+		resourcev1beta2.ResourceClaimTemplateList{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateList(ref),
+		resourcev1beta2.ResourceClaimTemplateSpec{}.OpenAPIModelName():                                                  schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateSpec(ref),
+		resourcev1beta2.ResourcePool{}.OpenAPIModelName():                                                               schema_k8sio_api_resource_v1beta2_ResourcePool(ref),
+		resourcev1beta2.ResourceSlice{}.OpenAPIModelName():                                                              schema_k8sio_api_resource_v1beta2_ResourceSlice(ref),
+		resourcev1beta2.ResourceSliceList{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_ResourceSliceList(ref),
+		resourcev1beta2.ResourceSliceSpec{}.OpenAPIModelName():                                                          schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref),
+		schedulingv1.PriorityClass{}.OpenAPIModelName():                                                                 schema_k8sio_api_scheduling_v1_PriorityClass(ref),
+		schedulingv1.PriorityClassList{}.OpenAPIModelName():                                                             schema_k8sio_api_scheduling_v1_PriorityClassList(ref),
+		schedulingv1alpha1.BasicSchedulingPolicy{}.OpenAPIModelName():                                                   schema_k8sio_api_scheduling_v1alpha1_BasicSchedulingPolicy(ref),
+		schedulingv1alpha1.GangSchedulingPolicy{}.OpenAPIModelName():                                                    schema_k8sio_api_scheduling_v1alpha1_GangSchedulingPolicy(ref),
+		schedulingv1alpha1.PodGroup{}.OpenAPIModelName():                                                                schema_k8sio_api_scheduling_v1alpha1_PodGroup(ref),
+		schedulingv1alpha1.PodGroupPolicy{}.OpenAPIModelName():                                                          schema_k8sio_api_scheduling_v1alpha1_PodGroupPolicy(ref),
+		schedulingv1alpha1.PriorityClass{}.OpenAPIModelName():                                                           schema_k8sio_api_scheduling_v1alpha1_PriorityClass(ref),
+		schedulingv1alpha1.PriorityClassList{}.OpenAPIModelName():                                                       schema_k8sio_api_scheduling_v1alpha1_PriorityClassList(ref),
+		schedulingv1alpha1.TypedLocalObjectReference{}.OpenAPIModelName():                                               schema_k8sio_api_scheduling_v1alpha1_TypedLocalObjectReference(ref),
+		schedulingv1alpha1.Workload{}.OpenAPIModelName():                                                                schema_k8sio_api_scheduling_v1alpha1_Workload(ref),
+		schedulingv1alpha1.WorkloadList{}.OpenAPIModelName():                                                            schema_k8sio_api_scheduling_v1alpha1_WorkloadList(ref),
+		schedulingv1alpha1.WorkloadSpec{}.OpenAPIModelName():                                                            schema_k8sio_api_scheduling_v1alpha1_WorkloadSpec(ref),
+		schedulingv1beta1.PriorityClass{}.OpenAPIModelName():                                                            schema_k8sio_api_scheduling_v1beta1_PriorityClass(ref),
+		schedulingv1beta1.PriorityClassList{}.OpenAPIModelName():                                                        schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref),
+		storagev1.CSIDriver{}.OpenAPIModelName():                                                                        schema_k8sio_api_storage_v1_CSIDriver(ref),
+		storagev1.CSIDriverList{}.OpenAPIModelName():                                                                    schema_k8sio_api_storage_v1_CSIDriverList(ref),
+		storagev1.CSIDriverSpec{}.OpenAPIModelName():                                                                    schema_k8sio_api_storage_v1_CSIDriverSpec(ref),
+		storagev1.CSINode{}.OpenAPIModelName():                                                                          schema_k8sio_api_storage_v1_CSINode(ref),
+		storagev1.CSINodeDriver{}.OpenAPIModelName():                                                                    schema_k8sio_api_storage_v1_CSINodeDriver(ref),
+		storagev1.CSINodeList{}.OpenAPIModelName():                                                                      schema_k8sio_api_storage_v1_CSINodeList(ref),
+		storagev1.CSINodeSpec{}.OpenAPIModelName():                                                                      schema_k8sio_api_storage_v1_CSINodeSpec(ref),
+		storagev1.CSIStorageCapacity{}.OpenAPIModelName():                                                               schema_k8sio_api_storage_v1_CSIStorageCapacity(ref),
+		storagev1.CSIStorageCapacityList{}.OpenAPIModelName():                                                           schema_k8sio_api_storage_v1_CSIStorageCapacityList(ref),
+		storagev1.StorageClass{}.OpenAPIModelName():                                                                     schema_k8sio_api_storage_v1_StorageClass(ref),
+		storagev1.StorageClassList{}.OpenAPIModelName():                                                                 schema_k8sio_api_storage_v1_StorageClassList(ref),
+		storagev1.TokenRequest{}.OpenAPIModelName():                                                                     schema_k8sio_api_storage_v1_TokenRequest(ref),
+		storagev1.VolumeAttachment{}.OpenAPIModelName():                                                                 schema_k8sio_api_storage_v1_VolumeAttachment(ref),
+		storagev1.VolumeAttachmentList{}.OpenAPIModelName():                                                             schema_k8sio_api_storage_v1_VolumeAttachmentList(ref),
+		storagev1.VolumeAttachmentSource{}.OpenAPIModelName():                                                           schema_k8sio_api_storage_v1_VolumeAttachmentSource(ref),
+		storagev1.VolumeAttachmentSpec{}.OpenAPIModelName():                                                             schema_k8sio_api_storage_v1_VolumeAttachmentSpec(ref),
+		storagev1.VolumeAttachmentStatus{}.OpenAPIModelName():                                                           schema_k8sio_api_storage_v1_VolumeAttachmentStatus(ref),
+		storagev1.VolumeAttributesClass{}.OpenAPIModelName():                                                            schema_k8sio_api_storage_v1_VolumeAttributesClass(ref),
+		storagev1.VolumeAttributesClassList{}.OpenAPIModelName():                                                        schema_k8sio_api_storage_v1_VolumeAttributesClassList(ref),
+		storagev1.VolumeError{}.OpenAPIModelName():                                                                      schema_k8sio_api_storage_v1_VolumeError(ref),
+		storagev1.VolumeNodeResources{}.OpenAPIModelName():                                                              schema_k8sio_api_storage_v1_VolumeNodeResources(ref),
+		storagev1alpha1.CSIStorageCapacity{}.OpenAPIModelName():                                                         schema_k8sio_api_storage_v1alpha1_CSIStorageCapacity(ref),
+		storagev1alpha1.CSIStorageCapacityList{}.OpenAPIModelName():                                                     schema_k8sio_api_storage_v1alpha1_CSIStorageCapacityList(ref),
+		storagev1alpha1.VolumeAttachment{}.OpenAPIModelName():                                                           schema_k8sio_api_storage_v1alpha1_VolumeAttachment(ref),
+		storagev1alpha1.VolumeAttachmentList{}.OpenAPIModelName():                                                       schema_k8sio_api_storage_v1alpha1_VolumeAttachmentList(ref),
+		storagev1alpha1.VolumeAttachmentSource{}.OpenAPIModelName():                                                     schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSource(ref),
+		storagev1alpha1.VolumeAttachmentSpec{}.OpenAPIModelName():                                                       schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSpec(ref),
+		storagev1alpha1.VolumeAttachmentStatus{}.OpenAPIModelName():                                                     schema_k8sio_api_storage_v1alpha1_VolumeAttachmentStatus(ref),
+		storagev1alpha1.VolumeAttributesClass{}.OpenAPIModelName():                                                      schema_k8sio_api_storage_v1alpha1_VolumeAttributesClass(ref),
+		storagev1alpha1.VolumeAttributesClassList{}.OpenAPIModelName():                                                  schema_k8sio_api_storage_v1alpha1_VolumeAttributesClassList(ref),
+		storagev1alpha1.VolumeError{}.OpenAPIModelName():                                                                schema_k8sio_api_storage_v1alpha1_VolumeError(ref),
+		storagev1beta1.CSIDriver{}.OpenAPIModelName():                                                                   schema_k8sio_api_storage_v1beta1_CSIDriver(ref),
+		storagev1beta1.CSIDriverList{}.OpenAPIModelName():                                                               schema_k8sio_api_storage_v1beta1_CSIDriverList(ref),
+		storagev1beta1.CSIDriverSpec{}.OpenAPIModelName():                                                               schema_k8sio_api_storage_v1beta1_CSIDriverSpec(ref),
+		storagev1beta1.CSINode{}.OpenAPIModelName():                                                                     schema_k8sio_api_storage_v1beta1_CSINode(ref),
+		storagev1beta1.CSINodeDriver{}.OpenAPIModelName():                                                               schema_k8sio_api_storage_v1beta1_CSINodeDriver(ref),
+		storagev1beta1.CSINodeList{}.OpenAPIModelName():                                                                 schema_k8sio_api_storage_v1beta1_CSINodeList(ref),
+		storagev1beta1.CSINodeSpec{}.OpenAPIModelName():                                                                 schema_k8sio_api_storage_v1beta1_CSINodeSpec(ref),
+		storagev1beta1.CSIStorageCapacity{}.OpenAPIModelName():                                                          schema_k8sio_api_storage_v1beta1_CSIStorageCapacity(ref),
+		storagev1beta1.CSIStorageCapacityList{}.OpenAPIModelName():                                                      schema_k8sio_api_storage_v1beta1_CSIStorageCapacityList(ref),
+		storagev1beta1.StorageClass{}.OpenAPIModelName():                                                                schema_k8sio_api_storage_v1beta1_StorageClass(ref),
+		storagev1beta1.StorageClassList{}.OpenAPIModelName():                                                            schema_k8sio_api_storage_v1beta1_StorageClassList(ref),
+		storagev1beta1.TokenRequest{}.OpenAPIModelName():                                                                schema_k8sio_api_storage_v1beta1_TokenRequest(ref),
+		storagev1beta1.VolumeAttachment{}.OpenAPIModelName():                                                            schema_k8sio_api_storage_v1beta1_VolumeAttachment(ref),
+		storagev1beta1.VolumeAttachmentList{}.OpenAPIModelName():                                                        schema_k8sio_api_storage_v1beta1_VolumeAttachmentList(ref),
+		storagev1beta1.VolumeAttachmentSource{}.OpenAPIModelName():                                                      schema_k8sio_api_storage_v1beta1_VolumeAttachmentSource(ref),
+		storagev1beta1.VolumeAttachmentSpec{}.OpenAPIModelName():                                                        schema_k8sio_api_storage_v1beta1_VolumeAttachmentSpec(ref),
+		storagev1beta1.VolumeAttachmentStatus{}.OpenAPIModelName():                                                      schema_k8sio_api_storage_v1beta1_VolumeAttachmentStatus(ref),
+		storagev1beta1.VolumeAttributesClass{}.OpenAPIModelName():                                                       schema_k8sio_api_storage_v1beta1_VolumeAttributesClass(ref),
+		storagev1beta1.VolumeAttributesClassList{}.OpenAPIModelName():                                                   schema_k8sio_api_storage_v1beta1_VolumeAttributesClassList(ref),
+		storagev1beta1.VolumeError{}.OpenAPIModelName():                                                                 schema_k8sio_api_storage_v1beta1_VolumeError(ref),
+		storagev1beta1.VolumeNodeResources{}.OpenAPIModelName():                                                         schema_k8sio_api_storage_v1beta1_VolumeNodeResources(ref),
+		storagemigrationv1beta1.StorageVersionMigration{}.OpenAPIModelName():                                            schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigration(ref),
+		storagemigrationv1beta1.StorageVersionMigrationList{}.OpenAPIModelName():                                        schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationList(ref),
+		storagemigrationv1beta1.StorageVersionMigrationSpec{}.OpenAPIModelName():                                        schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationSpec(ref),
+		storagemigrationv1beta1.StorageVersionMigrationStatus{}.OpenAPIModelName():                                      schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationStatus(ref),
+		apiextensionsv1.ConversionRequest{}.OpenAPIModelName():                                                          schema_pkg_apis_apiextensions_v1_ConversionRequest(ref),
+		apiextensionsv1.ConversionResponse{}.OpenAPIModelName():                                                         schema_pkg_apis_apiextensions_v1_ConversionResponse(ref),
+		apiextensionsv1.ConversionReview{}.OpenAPIModelName():                                                           schema_pkg_apis_apiextensions_v1_ConversionReview(ref),
+		apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName():                                             schema_pkg_apis_apiextensions_v1_CustomResourceColumnDefinition(ref),
+		apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName():                                                   schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref),
+		apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName():                                                   schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref),
+		apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName():                                          schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref),
+		apiextensionsv1.CustomResourceDefinitionList{}.OpenAPIModelName():                                               schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref),
+		apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName():                                              schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionNames(ref),
+		apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName():                                               schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref),
+		apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName():                                             schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref),
+		apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName():                                            schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref),
+		apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName():                                             schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceScale(ref),
+		apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName():                                            schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceStatus(ref),
+		apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName():                                                 schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref),
+		apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName():                                                   schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref),
+		apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName():                                                      schema_pkg_apis_apiextensions_v1_ExternalDocumentation(ref),
+		apiextensionsv1.JSON{}.OpenAPIModelName():                                                                       schema_pkg_apis_apiextensions_v1_JSON(ref),
+		apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName():                                                            schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref),
+		apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName():                                                     schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrArray(ref),
+		apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName():                                                      schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrBool(ref),
+		apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName():                                               schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrStringArray(ref),
+		apiextensionsv1.SelectableField{}.OpenAPIModelName():                                                            schema_pkg_apis_apiextensions_v1_SelectableField(ref),
+		apiextensionsv1.ServiceReference{}.OpenAPIModelName():                                                           schema_pkg_apis_apiextensions_v1_ServiceReference(ref),
+		apiextensionsv1.ValidationRule{}.OpenAPIModelName():                                                             schema_pkg_apis_apiextensions_v1_ValidationRule(ref),
+		apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName():                                                        schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref),
+		apiextensionsv1.WebhookConversion{}.OpenAPIModelName():                                                          schema_pkg_apis_apiextensions_v1_WebhookConversion(ref),
+		apiextensionsv1beta1.ConversionRequest{}.OpenAPIModelName():                                                     schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref),
+		apiextensionsv1beta1.ConversionResponse{}.OpenAPIModelName():                                                    schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref),
+		apiextensionsv1beta1.ConversionReview{}.OpenAPIModelName():                                                      schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref),
+		apiextensionsv1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName():                                        schema_pkg_apis_apiextensions_v1beta1_CustomResourceColumnDefinition(ref),
+		apiextensionsv1beta1.CustomResourceConversion{}.OpenAPIModelName():                                              schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref),
+		apiextensionsv1beta1.CustomResourceDefinition{}.OpenAPIModelName():                                              schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName():                                     schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionList{}.OpenAPIModelName():                                          schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName():                                         schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionNames(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName():                                          schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName():                                        schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref),
+		apiextensionsv1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName():                                       schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref),
+		apiextensionsv1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName():                                        schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceScale(ref),
+		apiextensionsv1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName():                                       schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceStatus(ref),
+		apiextensionsv1beta1.CustomResourceSubresources{}.OpenAPIModelName():                                            schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref),
+		apiextensionsv1beta1.CustomResourceValidation{}.OpenAPIModelName():                                              schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref),
+		apiextensionsv1beta1.ExternalDocumentation{}.OpenAPIModelName():                                                 schema_pkg_apis_apiextensions_v1beta1_ExternalDocumentation(ref),
+		apiextensionsv1beta1.JSON{}.OpenAPIModelName():                                                                  schema_pkg_apis_apiextensions_v1beta1_JSON(ref),
+		apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName():                                                       schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref),
+		apiextensionsv1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName():                                                schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrArray(ref),
+		apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName():                                                 schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrBool(ref),
+		apiextensionsv1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName():                                          schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrStringArray(ref),
+		apiextensionsv1beta1.SelectableField{}.OpenAPIModelName():                                                       schema_pkg_apis_apiextensions_v1beta1_SelectableField(ref),
+		apiextensionsv1beta1.ServiceReference{}.OpenAPIModelName():                                                      schema_pkg_apis_apiextensions_v1beta1_ServiceReference(ref),
+		apiextensionsv1beta1.ValidationRule{}.OpenAPIModelName():                                                        schema_pkg_apis_apiextensions_v1beta1_ValidationRule(ref),
+		apiextensionsv1beta1.WebhookClientConfig{}.OpenAPIModelName():                                                   schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref),
+		resource.Quantity{}.OpenAPIModelName():                                                                          schema_apimachinery_pkg_api_resource_Quantity(ref),
+		metav1.APIGroup{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_APIGroup(ref),
+		metav1.APIGroupList{}.OpenAPIModelName():                                                                        schema_pkg_apis_meta_v1_APIGroupList(ref),
+		metav1.APIResource{}.OpenAPIModelName():                                                                         schema_pkg_apis_meta_v1_APIResource(ref),
+		metav1.APIResourceList{}.OpenAPIModelName():                                                                     schema_pkg_apis_meta_v1_APIResourceList(ref),
+		metav1.APIVersions{}.OpenAPIModelName():                                                                         schema_pkg_apis_meta_v1_APIVersions(ref),
+		metav1.ApplyOptions{}.OpenAPIModelName():                                                                        schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		metav1.Condition{}.OpenAPIModelName():                                                                           schema_pkg_apis_meta_v1_Condition(ref),
+		metav1.CreateOptions{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_CreateOptions(ref),
+		metav1.DeleteOptions{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		metav1.Duration{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_Duration(ref),
+		metav1.FieldSelectorRequirement{}.OpenAPIModelName():                                                            schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
+		metav1.FieldsV1{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_FieldsV1(ref),
+		metav1.GetOptions{}.OpenAPIModelName():                                                                          schema_pkg_apis_meta_v1_GetOptions(ref),
+		metav1.GroupKind{}.OpenAPIModelName():                                                                           schema_pkg_apis_meta_v1_GroupKind(ref),
+		metav1.GroupResource{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_GroupResource(ref),
+		metav1.GroupVersion{}.OpenAPIModelName():                                                                        schema_pkg_apis_meta_v1_GroupVersion(ref),
+		metav1.GroupVersionForDiscovery{}.OpenAPIModelName():                                                            schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		metav1.GroupVersionKind{}.OpenAPIModelName():                                                                    schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		metav1.GroupVersionResource{}.OpenAPIModelName():                                                                schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		metav1.InternalEvent{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_InternalEvent(ref),
+		metav1.LabelSelector{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_LabelSelector(ref),
+		metav1.LabelSelectorRequirement{}.OpenAPIModelName():                                                            schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		metav1.List{}.OpenAPIModelName():                                                                                schema_pkg_apis_meta_v1_List(ref),
+		metav1.ListMeta{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_ListMeta(ref),
+		metav1.ListOptions{}.OpenAPIModelName():                                                                         schema_pkg_apis_meta_v1_ListOptions(ref),
+		metav1.ManagedFieldsEntry{}.OpenAPIModelName():                                                                  schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		metav1.MicroTime{}.OpenAPIModelName():                                                                           schema_pkg_apis_meta_v1_MicroTime(ref),
+		metav1.ObjectMeta{}.OpenAPIModelName():                                                                          schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		metav1.OwnerReference{}.OpenAPIModelName():                                                                      schema_pkg_apis_meta_v1_OwnerReference(ref),
+		metav1.PartialObjectMetadata{}.OpenAPIModelName():                                                               schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		metav1.PartialObjectMetadataList{}.OpenAPIModelName():                                                           schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		metav1.Patch{}.OpenAPIModelName():                                                                               schema_pkg_apis_meta_v1_Patch(ref),
+		metav1.PatchOptions{}.OpenAPIModelName():                                                                        schema_pkg_apis_meta_v1_PatchOptions(ref),
+		metav1.Preconditions{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_Preconditions(ref),
+		metav1.RootPaths{}.OpenAPIModelName():                                                                           schema_pkg_apis_meta_v1_RootPaths(ref),
+		metav1.ServerAddressByClientCIDR{}.OpenAPIModelName():                                                           schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		metav1.Status{}.OpenAPIModelName():                                                                              schema_pkg_apis_meta_v1_Status(ref),
+		metav1.StatusCause{}.OpenAPIModelName():                                                                         schema_pkg_apis_meta_v1_StatusCause(ref),
+		metav1.StatusDetails{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_StatusDetails(ref),
+		metav1.Table{}.OpenAPIModelName():                                                                               schema_pkg_apis_meta_v1_Table(ref),
+		metav1.TableColumnDefinition{}.OpenAPIModelName():                                                               schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		metav1.TableOptions{}.OpenAPIModelName():                                                                        schema_pkg_apis_meta_v1_TableOptions(ref),
+		metav1.TableRow{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_TableRow(ref),
+		metav1.TableRowCondition{}.OpenAPIModelName():                                                                   schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		metav1.Time{}.OpenAPIModelName():                                                                                schema_pkg_apis_meta_v1_Time(ref),
+		metav1.Timestamp{}.OpenAPIModelName():                                                                           schema_pkg_apis_meta_v1_Timestamp(ref),
+		metav1.TypeMeta{}.OpenAPIModelName():                                                                            schema_pkg_apis_meta_v1_TypeMeta(ref),
+		metav1.UpdateOptions{}.OpenAPIModelName():                                                                       schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		metav1.WatchEvent{}.OpenAPIModelName():                                                                          schema_pkg_apis_meta_v1_WatchEvent(ref),
+		metav1beta1.PartialObjectMetadataList{}.OpenAPIModelName():                                                      schema_pkg_apis_meta_v1beta1_PartialObjectMetadataList(ref),
+		testapigroupv1.Carp{}.OpenAPIModelName():                                                                        schema_pkg_apis_testapigroup_v1_Carp(ref),
+		testapigroupv1.CarpCondition{}.OpenAPIModelName():                                                               schema_pkg_apis_testapigroup_v1_CarpCondition(ref),
+		testapigroupv1.CarpInfo{}.OpenAPIModelName():                                                                    schema_pkg_apis_testapigroup_v1_CarpInfo(ref),
+		testapigroupv1.CarpList{}.OpenAPIModelName():                                                                    schema_pkg_apis_testapigroup_v1_CarpList(ref),
+		testapigroupv1.CarpSpec{}.OpenAPIModelName():                                                                    schema_pkg_apis_testapigroup_v1_CarpSpec(ref),
+		testapigroupv1.CarpStatus{}.OpenAPIModelName():                                                                  schema_pkg_apis_testapigroup_v1_CarpStatus(ref),
+		runtime.RawExtension{}.OpenAPIModelName():                                                                       schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		runtime.TypeMeta{}.OpenAPIModelName():                                                                           schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		runtime.Unknown{}.OpenAPIModelName():                                                                            schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		intstr.IntOrString{}.OpenAPIModelName():                                                                         schema_apimachinery_pkg_util_intstr_IntOrString(ref),
+		version.Info{}.OpenAPIModelName():                                                                               schema_k8sio_apimachinery_pkg_version_Info(ref),
+		auditv1.AuthenticationMetadata{}.OpenAPIModelName():                                                             schema_pkg_apis_audit_v1_AuthenticationMetadata(ref),
+		auditv1.Event{}.OpenAPIModelName():                                                                              schema_pkg_apis_audit_v1_Event(ref),
+		auditv1.EventList{}.OpenAPIModelName():                                                                          schema_pkg_apis_audit_v1_EventList(ref),
+		auditv1.GroupResources{}.OpenAPIModelName():                                                                     schema_pkg_apis_audit_v1_GroupResources(ref),
+		auditv1.ObjectReference{}.OpenAPIModelName():                                                                    schema_pkg_apis_audit_v1_ObjectReference(ref),
+		auditv1.Policy{}.OpenAPIModelName():                                                                             schema_pkg_apis_audit_v1_Policy(ref),
+		auditv1.PolicyList{}.OpenAPIModelName():                                                                         schema_pkg_apis_audit_v1_PolicyList(ref),
+		auditv1.PolicyRule{}.OpenAPIModelName():                                                                         schema_pkg_apis_audit_v1_PolicyRule(ref),
+		apiv1alpha1.Flagz{}.OpenAPIModelName():                                                                          schema_server_flagz_api_v1alpha1_Flagz(ref),
+		statuszapiv1alpha1.Statusz{}.OpenAPIModelName():                                                                 schema_server_statusz_api_v1alpha1_Statusz(ref),
+		clientauthenticationv1.Cluster{}.OpenAPIModelName():                                                             schema_pkg_apis_clientauthentication_v1_Cluster(ref),
+		clientauthenticationv1.ExecCredential{}.OpenAPIModelName():                                                      schema_pkg_apis_clientauthentication_v1_ExecCredential(ref),
+		clientauthenticationv1.ExecCredentialSpec{}.OpenAPIModelName():                                                  schema_pkg_apis_clientauthentication_v1_ExecCredentialSpec(ref),
+		clientauthenticationv1.ExecCredentialStatus{}.OpenAPIModelName():                                                schema_pkg_apis_clientauthentication_v1_ExecCredentialStatus(ref),
+		clientauthenticationv1beta1.Cluster{}.OpenAPIModelName():                                                        schema_pkg_apis_clientauthentication_v1beta1_Cluster(ref),
+		clientauthenticationv1beta1.ExecCredential{}.OpenAPIModelName():                                                 schema_pkg_apis_clientauthentication_v1beta1_ExecCredential(ref),
+		clientauthenticationv1beta1.ExecCredentialSpec{}.OpenAPIModelName():                                             schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialSpec(ref),
+		clientauthenticationv1beta1.ExecCredentialStatus{}.OpenAPIModelName():                                           schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialStatus(ref),
+		configv1alpha1.CloudControllerManagerConfiguration{}.OpenAPIModelName():                                         schema_k8sio_cloud_provider_config_v1alpha1_CloudControllerManagerConfiguration(ref),
+		configv1alpha1.CloudProviderConfiguration{}.OpenAPIModelName():                                                  schema_k8sio_cloud_provider_config_v1alpha1_CloudProviderConfiguration(ref),
+		configv1alpha1.KubeCloudSharedConfiguration{}.OpenAPIModelName():                                                schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(ref),
+		configv1alpha1.WebhookConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_cloud_provider_config_v1alpha1_WebhookConfiguration(ref),
+		nodeconfigv1alpha1.NodeControllerConfiguration{}.OpenAPIModelName():                                             schema_controllers_node_config_v1alpha1_NodeControllerConfiguration(ref),
+		serviceconfigv1alpha1.ServiceControllerConfiguration{}.OpenAPIModelName():                                       schema_controllers_service_config_v1alpha1_ServiceControllerConfiguration(ref),
+		componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName():                                  schema_k8sio_component_base_config_v1alpha1_ClientConnectionConfiguration(ref),
+		componentbaseconfigv1alpha1.DebuggingConfiguration{}.OpenAPIModelName():                                         schema_k8sio_component_base_config_v1alpha1_DebuggingConfiguration(ref),
+		componentbaseconfigv1alpha1.LeaderElectionConfiguration{}.OpenAPIModelName():                                    schema_k8sio_component_base_config_v1alpha1_LeaderElectionConfiguration(ref),
+		apiv1.TracingConfiguration{}.OpenAPIModelName():                                                                 schema_component_base_tracing_api_v1_TracingConfiguration(ref),
+		controllermanagerconfigv1alpha1.ControllerLeaderConfiguration{}.OpenAPIModelName():                              schema_k8sio_controller_manager_config_v1alpha1_ControllerLeaderConfiguration(ref),
+		controllermanagerconfigv1alpha1.GenericControllerManagerConfiguration{}.OpenAPIModelName():                      schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerConfiguration(ref),
+		controllermanagerconfigv1alpha1.LeaderMigrationConfiguration{}.OpenAPIModelName():                               schema_k8sio_controller_manager_config_v1alpha1_LeaderMigrationConfiguration(ref),
+		configv1beta1.ControllerLeaderConfiguration{}.OpenAPIModelName():                                                schema_k8sio_controller_manager_config_v1beta1_ControllerLeaderConfiguration(ref),
+		configv1beta1.LeaderMigrationConfiguration{}.OpenAPIModelName():                                                 schema_k8sio_controller_manager_config_v1beta1_LeaderMigrationConfiguration(ref),
+		apiregistrationv1.APIService{}.OpenAPIModelName():                                                               schema_pkg_apis_apiregistration_v1_APIService(ref),
+		apiregistrationv1.APIServiceCondition{}.OpenAPIModelName():                                                      schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref),
+		apiregistrationv1.APIServiceList{}.OpenAPIModelName():                                                           schema_pkg_apis_apiregistration_v1_APIServiceList(ref),
+		apiregistrationv1.APIServiceSpec{}.OpenAPIModelName():                                                           schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref),
+		apiregistrationv1.APIServiceStatus{}.OpenAPIModelName():                                                         schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref),
+		apiregistrationv1.ServiceReference{}.OpenAPIModelName():                                                         schema_pkg_apis_apiregistration_v1_ServiceReference(ref),
+		apiregistrationv1beta1.APIService{}.OpenAPIModelName():                                                          schema_pkg_apis_apiregistration_v1beta1_APIService(ref),
+		apiregistrationv1beta1.APIServiceCondition{}.OpenAPIModelName():                                                 schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref),
+		apiregistrationv1beta1.APIServiceList{}.OpenAPIModelName():                                                      schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref),
+		apiregistrationv1beta1.APIServiceSpec{}.OpenAPIModelName():                                                      schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref),
+		apiregistrationv1beta1.APIServiceStatus{}.OpenAPIModelName():                                                    schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref),
+		apiregistrationv1beta1.ServiceReference{}.OpenAPIModelName():                                                    schema_pkg_apis_apiregistration_v1beta1_ServiceReference(ref),
+		kubecontrollermanagerconfigv1alpha1.AttachDetachControllerConfiguration{}.OpenAPIModelName():                    schema_k8sio_kube_controller_manager_config_v1alpha1_AttachDetachControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName():                                schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.CSRSigningControllerConfiguration{}.OpenAPIModelName():                      schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.CronJobControllerConfiguration{}.OpenAPIModelName():                         schema_k8sio_kube_controller_manager_config_v1alpha1_CronJobControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.DaemonSetControllerConfiguration{}.OpenAPIModelName():                       schema_k8sio_kube_controller_manager_config_v1alpha1_DaemonSetControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.DeploymentControllerConfiguration{}.OpenAPIModelName():                      schema_k8sio_kube_controller_manager_config_v1alpha1_DeploymentControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.DeprecatedControllerConfiguration{}.OpenAPIModelName():                      schema_k8sio_kube_controller_manager_config_v1alpha1_DeprecatedControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.DeviceTaintEvictionControllerConfiguration{}.OpenAPIModelName():             schema_k8sio_kube_controller_manager_config_v1alpha1_DeviceTaintEvictionControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.EndpointControllerConfiguration{}.OpenAPIModelName():                        schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.EndpointSliceControllerConfiguration{}.OpenAPIModelName():                   schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.EndpointSliceMirroringControllerConfiguration{}.OpenAPIModelName():          schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceMirroringControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.EphemeralVolumeControllerConfiguration{}.OpenAPIModelName():                 schema_k8sio_kube_controller_manager_config_v1alpha1_EphemeralVolumeControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.GarbageCollectorControllerConfiguration{}.OpenAPIModelName():                schema_k8sio_kube_controller_manager_config_v1alpha1_GarbageCollectorControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.GroupResource{}.OpenAPIModelName():                                          schema_k8sio_kube_controller_manager_config_v1alpha1_GroupResource(ref),
+		kubecontrollermanagerconfigv1alpha1.HPAControllerConfiguration{}.OpenAPIModelName():                             schema_k8sio_kube_controller_manager_config_v1alpha1_HPAControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.JobControllerConfiguration{}.OpenAPIModelName():                             schema_k8sio_kube_controller_manager_config_v1alpha1_JobControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.KubeControllerManagerConfiguration{}.OpenAPIModelName():                     schema_k8sio_kube_controller_manager_config_v1alpha1_KubeControllerManagerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.LegacySATokenCleanerConfiguration{}.OpenAPIModelName():                      schema_k8sio_kube_controller_manager_config_v1alpha1_LegacySATokenCleanerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.NamespaceControllerConfiguration{}.OpenAPIModelName():                       schema_k8sio_kube_controller_manager_config_v1alpha1_NamespaceControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.NodeIPAMControllerConfiguration{}.OpenAPIModelName():                        schema_k8sio_kube_controller_manager_config_v1alpha1_NodeIPAMControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.NodeLifecycleControllerConfiguration{}.OpenAPIModelName():                   schema_k8sio_kube_controller_manager_config_v1alpha1_NodeLifecycleControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.PersistentVolumeBinderControllerConfiguration{}.OpenAPIModelName():          schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinderControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.PersistentVolumeRecyclerConfiguration{}.OpenAPIModelName():                  schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeRecyclerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.PodGCControllerConfiguration{}.OpenAPIModelName():                           schema_k8sio_kube_controller_manager_config_v1alpha1_PodGCControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.ReplicaSetControllerConfiguration{}.OpenAPIModelName():                      schema_k8sio_kube_controller_manager_config_v1alpha1_ReplicaSetControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.ReplicationControllerConfiguration{}.OpenAPIModelName():                     schema_k8sio_kube_controller_manager_config_v1alpha1_ReplicationControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.ResourceQuotaControllerConfiguration{}.OpenAPIModelName():                   schema_k8sio_kube_controller_manager_config_v1alpha1_ResourceQuotaControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.SAControllerConfiguration{}.OpenAPIModelName():                              schema_k8sio_kube_controller_manager_config_v1alpha1_SAControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.StatefulSetControllerConfiguration{}.OpenAPIModelName():                     schema_k8sio_kube_controller_manager_config_v1alpha1_StatefulSetControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.TTLAfterFinishedControllerConfiguration{}.OpenAPIModelName():                schema_k8sio_kube_controller_manager_config_v1alpha1_TTLAfterFinishedControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration{}.OpenAPIModelName(): schema_k8sio_kube_controller_manager_config_v1alpha1_ValidatingAdmissionPolicyStatusControllerConfiguration(ref),
+		kubecontrollermanagerconfigv1alpha1.VolumeConfiguration{}.OpenAPIModelName():                                    schema_k8sio_kube_controller_manager_config_v1alpha1_VolumeConfiguration(ref),
+		kubeproxyconfigv1alpha1.DetectLocalConfiguration{}.OpenAPIModelName():                                           schema_k8sio_kube_proxy_config_v1alpha1_DetectLocalConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyConfiguration{}.OpenAPIModelName():                                             schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{}.OpenAPIModelName():                                    schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyIPTablesConfiguration{}.OpenAPIModelName():                                     schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPTablesConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{}.OpenAPIModelName():                                         schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPVSConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{}.OpenAPIModelName():                                     schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref),
+		kubeproxyconfigv1alpha1.KubeProxyWinkernelConfiguration{}.OpenAPIModelName():                                    schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyWinkernelConfiguration(ref),
+		configv1.DefaultPreemptionArgs{}.OpenAPIModelName():                                                             schema_k8sio_kube_scheduler_config_v1_DefaultPreemptionArgs(ref),
+		configv1.DynamicResourcesArgs{}.OpenAPIModelName():                                                              schema_k8sio_kube_scheduler_config_v1_DynamicResourcesArgs(ref),
+		configv1.Extender{}.OpenAPIModelName():                                                                          schema_k8sio_kube_scheduler_config_v1_Extender(ref),
+		configv1.ExtenderManagedResource{}.OpenAPIModelName():                                                           schema_k8sio_kube_scheduler_config_v1_ExtenderManagedResource(ref),
+		configv1.ExtenderTLSConfig{}.OpenAPIModelName():                                                                 schema_k8sio_kube_scheduler_config_v1_ExtenderTLSConfig(ref),
+		configv1.InterPodAffinityArgs{}.OpenAPIModelName():                                                              schema_k8sio_kube_scheduler_config_v1_InterPodAffinityArgs(ref),
+		configv1.KubeSchedulerConfiguration{}.OpenAPIModelName():                                                        schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref),
+		configv1.KubeSchedulerProfile{}.OpenAPIModelName():                                                              schema_k8sio_kube_scheduler_config_v1_KubeSchedulerProfile(ref),
+		configv1.NodeAffinityArgs{}.OpenAPIModelName():                                                                  schema_k8sio_kube_scheduler_config_v1_NodeAffinityArgs(ref),
+		configv1.NodeResourcesBalancedAllocationArgs{}.OpenAPIModelName():                                               schema_k8sio_kube_scheduler_config_v1_NodeResourcesBalancedAllocationArgs(ref),
+		configv1.NodeResourcesFitArgs{}.OpenAPIModelName():                                                              schema_k8sio_kube_scheduler_config_v1_NodeResourcesFitArgs(ref),
+		configv1.Plugin{}.OpenAPIModelName():                                                                            schema_k8sio_kube_scheduler_config_v1_Plugin(ref),
+		configv1.PluginConfig{}.OpenAPIModelName():                                                                      schema_k8sio_kube_scheduler_config_v1_PluginConfig(ref),
+		configv1.PluginSet{}.OpenAPIModelName():                                                                         schema_k8sio_kube_scheduler_config_v1_PluginSet(ref),
+		configv1.Plugins{}.OpenAPIModelName():                                                                           schema_k8sio_kube_scheduler_config_v1_Plugins(ref),
+		configv1.PodTopologySpreadArgs{}.OpenAPIModelName():                                                             schema_k8sio_kube_scheduler_config_v1_PodTopologySpreadArgs(ref),
+		configv1.RequestedToCapacityRatioParam{}.OpenAPIModelName():                                                     schema_k8sio_kube_scheduler_config_v1_RequestedToCapacityRatioParam(ref),
+		configv1.ResourceSpec{}.OpenAPIModelName():                                                                      schema_k8sio_kube_scheduler_config_v1_ResourceSpec(ref),
+		configv1.ScoringStrategy{}.OpenAPIModelName():                                                                   schema_k8sio_kube_scheduler_config_v1_ScoringStrategy(ref),
+		configv1.UtilizationShapePoint{}.OpenAPIModelName():                                                             schema_k8sio_kube_scheduler_config_v1_UtilizationShapePoint(ref),
+		configv1.VolumeBindingArgs{}.OpenAPIModelName():                                                                 schema_k8sio_kube_scheduler_config_v1_VolumeBindingArgs(ref),
+		pkgconfigv1alpha1.AliasOverride{}.OpenAPIModelName():                                                            schema_kubectl_pkg_config_v1alpha1_AliasOverride(ref),
+		pkgconfigv1alpha1.CommandDefaults{}.OpenAPIModelName():                                                          schema_kubectl_pkg_config_v1alpha1_CommandDefaults(ref),
+		pkgconfigv1alpha1.CommandOptionDefault{}.OpenAPIModelName():                                                     schema_kubectl_pkg_config_v1alpha1_CommandOptionDefault(ref),
+		pkgconfigv1alpha1.Preference{}.OpenAPIModelName():                                                               schema_kubectl_pkg_config_v1alpha1_Preference(ref),
+		pkgconfigv1beta1.AliasOverride{}.OpenAPIModelName():                                                             schema_kubectl_pkg_config_v1beta1_AliasOverride(ref),
+		pkgconfigv1beta1.AllowlistEntry{}.OpenAPIModelName():                                                            schema_kubectl_pkg_config_v1beta1_AllowlistEntry(ref),
+		pkgconfigv1beta1.CommandDefaults{}.OpenAPIModelName():                                                           schema_kubectl_pkg_config_v1beta1_CommandDefaults(ref),
+		pkgconfigv1beta1.CommandOptionDefault{}.OpenAPIModelName():                                                      schema_kubectl_pkg_config_v1beta1_CommandOptionDefault(ref),
+		pkgconfigv1beta1.Preference{}.OpenAPIModelName():                                                                schema_kubectl_pkg_config_v1beta1_Preference(ref),
+		kubeletconfigv1.CredentialProvider{}.OpenAPIModelName():                                                         schema_k8sio_kubelet_config_v1_CredentialProvider(ref),
+		kubeletconfigv1.CredentialProviderConfig{}.OpenAPIModelName():                                                   schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref),
+		kubeletconfigv1.ExecEnvVar{}.OpenAPIModelName():                                                                 schema_k8sio_kubelet_config_v1_ExecEnvVar(ref),
+		kubeletconfigv1.ServiceAccountTokenAttributes{}.OpenAPIModelName():                                              schema_k8sio_kubelet_config_v1_ServiceAccountTokenAttributes(ref),
+		kubeletconfigv1alpha1.CredentialProvider{}.OpenAPIModelName():                                                   schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref),
+		kubeletconfigv1alpha1.CredentialProviderConfig{}.OpenAPIModelName():                                             schema_k8sio_kubelet_config_v1alpha1_CredentialProviderConfig(ref),
+		kubeletconfigv1alpha1.ExecEnvVar{}.OpenAPIModelName():                                                           schema_k8sio_kubelet_config_v1alpha1_ExecEnvVar(ref),
+		kubeletconfigv1alpha1.ImagePullCredentials{}.OpenAPIModelName():                                                 schema_k8sio_kubelet_config_v1alpha1_ImagePullCredentials(ref),
+		kubeletconfigv1alpha1.ImagePullIntent{}.OpenAPIModelName():                                                      schema_k8sio_kubelet_config_v1alpha1_ImagePullIntent(ref),
+		kubeletconfigv1alpha1.ImagePullSecret{}.OpenAPIModelName():                                                      schema_k8sio_kubelet_config_v1alpha1_ImagePullSecret(ref),
+		kubeletconfigv1alpha1.ImagePullServiceAccount{}.OpenAPIModelName():                                              schema_k8sio_kubelet_config_v1alpha1_ImagePullServiceAccount(ref),
+		kubeletconfigv1alpha1.ImagePulledRecord{}.OpenAPIModelName():                                                    schema_k8sio_kubelet_config_v1alpha1_ImagePulledRecord(ref),
+		kubeletconfigv1beta1.CrashLoopBackOffConfig{}.OpenAPIModelName():                                                schema_k8sio_kubelet_config_v1beta1_CrashLoopBackOffConfig(ref),
+		kubeletconfigv1beta1.CredentialProvider{}.OpenAPIModelName():                                                    schema_k8sio_kubelet_config_v1beta1_CredentialProvider(ref),
+		kubeletconfigv1beta1.CredentialProviderConfig{}.OpenAPIModelName():                                              schema_k8sio_kubelet_config_v1beta1_CredentialProviderConfig(ref),
+		kubeletconfigv1beta1.ExecEnvVar{}.OpenAPIModelName():                                                            schema_k8sio_kubelet_config_v1beta1_ExecEnvVar(ref),
+		kubeletconfigv1beta1.ImagePullCredentials{}.OpenAPIModelName():                                                  schema_k8sio_kubelet_config_v1beta1_ImagePullCredentials(ref),
+		kubeletconfigv1beta1.ImagePullIntent{}.OpenAPIModelName():                                                       schema_k8sio_kubelet_config_v1beta1_ImagePullIntent(ref),
+		kubeletconfigv1beta1.ImagePullSecret{}.OpenAPIModelName():                                                       schema_k8sio_kubelet_config_v1beta1_ImagePullSecret(ref),
+		kubeletconfigv1beta1.ImagePullServiceAccount{}.OpenAPIModelName():                                               schema_k8sio_kubelet_config_v1beta1_ImagePullServiceAccount(ref),
+		kubeletconfigv1beta1.ImagePulledRecord{}.OpenAPIModelName():                                                     schema_k8sio_kubelet_config_v1beta1_ImagePulledRecord(ref),
+		kubeletconfigv1beta1.KubeletAnonymousAuthentication{}.OpenAPIModelName():                                        schema_k8sio_kubelet_config_v1beta1_KubeletAnonymousAuthentication(ref),
+		kubeletconfigv1beta1.KubeletAuthentication{}.OpenAPIModelName():                                                 schema_k8sio_kubelet_config_v1beta1_KubeletAuthentication(ref),
+		kubeletconfigv1beta1.KubeletAuthorization{}.OpenAPIModelName():                                                  schema_k8sio_kubelet_config_v1beta1_KubeletAuthorization(ref),
+		kubeletconfigv1beta1.KubeletConfiguration{}.OpenAPIModelName():                                                  schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref),
+		kubeletconfigv1beta1.KubeletWebhookAuthentication{}.OpenAPIModelName():                                          schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthentication(ref),
+		kubeletconfigv1beta1.KubeletWebhookAuthorization{}.OpenAPIModelName():                                           schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthorization(ref),
+		kubeletconfigv1beta1.KubeletX509Authentication{}.OpenAPIModelName():                                             schema_k8sio_kubelet_config_v1beta1_KubeletX509Authentication(ref),
+		kubeletconfigv1beta1.MemoryReservation{}.OpenAPIModelName():                                                     schema_k8sio_kubelet_config_v1beta1_MemoryReservation(ref),
+		kubeletconfigv1beta1.MemorySwapConfiguration{}.OpenAPIModelName():                                               schema_k8sio_kubelet_config_v1beta1_MemorySwapConfiguration(ref),
+		kubeletconfigv1beta1.SerializedNodeConfigSource{}.OpenAPIModelName():                                            schema_k8sio_kubelet_config_v1beta1_SerializedNodeConfigSource(ref),
+		kubeletconfigv1beta1.ShutdownGracePeriodByPodPriority{}.OpenAPIModelName():                                      schema_k8sio_kubelet_config_v1beta1_ShutdownGracePeriodByPodPriority(ref),
+		kubeletconfigv1beta1.UserNamespaces{}.OpenAPIModelName():                                                        schema_k8sio_kubelet_config_v1beta1_UserNamespaces(ref),
+		abacv1beta1.Policy{}.OpenAPIModelName():                                                                         schema_pkg_apis_abac_v1beta1_Policy(ref),
+		abacv1beta1.PolicySpec{}.OpenAPIModelName():                                                                     schema_pkg_apis_abac_v1beta1_PolicySpec(ref),
+		custommetricsv1beta1.MetricListOptions{}.OpenAPIModelName():                                                     schema_pkg_apis_custom_metrics_v1beta1_MetricListOptions(ref),
+		custommetricsv1beta1.MetricValue{}.OpenAPIModelName():                                                           schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref),
+		custommetricsv1beta1.MetricValueList{}.OpenAPIModelName():                                                       schema_pkg_apis_custom_metrics_v1beta1_MetricValueList(ref),
+		custommetricsv1beta2.MetricIdentifier{}.OpenAPIModelName():                                                      schema_pkg_apis_custom_metrics_v1beta2_MetricIdentifier(ref),
+		custommetricsv1beta2.MetricListOptions{}.OpenAPIModelName():                                                     schema_pkg_apis_custom_metrics_v1beta2_MetricListOptions(ref),
+		custommetricsv1beta2.MetricValue{}.OpenAPIModelName():                                                           schema_pkg_apis_custom_metrics_v1beta2_MetricValue(ref),
+		custommetricsv1beta2.MetricValueList{}.OpenAPIModelName():                                                       schema_pkg_apis_custom_metrics_v1beta2_MetricValueList(ref),
+		externalmetricsv1beta1.ExternalMetricValue{}.OpenAPIModelName():                                                 schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValue(ref),
+		externalmetricsv1beta1.ExternalMetricValueList{}.OpenAPIModelName():                                             schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValueList(ref),
+		metricsv1alpha1.ContainerMetrics{}.OpenAPIModelName():                                                           schema_pkg_apis_metrics_v1alpha1_ContainerMetrics(ref),
+		metricsv1alpha1.NodeMetrics{}.OpenAPIModelName():                                                                schema_pkg_apis_metrics_v1alpha1_NodeMetrics(ref),
+		metricsv1alpha1.NodeMetricsList{}.OpenAPIModelName():                                                            schema_pkg_apis_metrics_v1alpha1_NodeMetricsList(ref),
+		metricsv1alpha1.PodMetrics{}.OpenAPIModelName():                                                                 schema_pkg_apis_metrics_v1alpha1_PodMetrics(ref),
+		metricsv1alpha1.PodMetricsList{}.OpenAPIModelName():                                                             schema_pkg_apis_metrics_v1alpha1_PodMetricsList(ref),
+		metricsv1beta1.ContainerMetrics{}.OpenAPIModelName():                                                            schema_pkg_apis_metrics_v1beta1_ContainerMetrics(ref),
+		metricsv1beta1.NodeMetrics{}.OpenAPIModelName():                                                                 schema_pkg_apis_metrics_v1beta1_NodeMetrics(ref),
+		metricsv1beta1.NodeMetricsList{}.OpenAPIModelName():                                                             schema_pkg_apis_metrics_v1beta1_NodeMetricsList(ref),
+		metricsv1beta1.PodMetrics{}.OpenAPIModelName():                                                                  schema_pkg_apis_metrics_v1beta1_PodMetrics(ref),
+		metricsv1beta1.PodMetricsList{}.OpenAPIModelName():                                                              schema_pkg_apis_metrics_v1beta1_PodMetricsList(ref),
 	}
 }
 
@@ -1499,13 +1612,13 @@ func schema_k8sio_api_admissionregistration_v1_MatchResources(ref common.Referen
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resourceRules": {
@@ -1521,7 +1634,7 @@ func schema_k8sio_api_admissionregistration_v1_MatchResources(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.NamedRuleWithOperations"),
+										Ref:     ref(v1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1540,7 +1653,7 @@ func schema_k8sio_api_admissionregistration_v1_MatchResources(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.NamedRuleWithOperations"),
+										Ref:     ref(v1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1563,7 +1676,7 @@ func schema_k8sio_api_admissionregistration_v1_MatchResources(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.NamedRuleWithOperations", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.NamedRuleWithOperations{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -1586,7 +1699,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConfig defines how to communicate with the hook. Required",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1.WebhookClientConfig"),
+							Ref:         ref(v1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -1602,7 +1715,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.RuleWithOperations"),
+										Ref:     ref(v1.RuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1627,13 +1740,13 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"sideEffects": {
@@ -1673,9 +1786,10 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 					},
 					"reinvocationPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".",
+							Description: "reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.\n - `\"Never\"` indicates that the mutation must not be called more than once in a single admission evaluation.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"IfNeeded", "Never"},
 						},
 					},
 					"matchConditions": {
@@ -1696,7 +1810,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.MatchCondition"),
+										Ref:     ref(v1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1707,7 +1821,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhook(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.MatchCondition", "k8s.io/api/admissionregistration/v1.RuleWithOperations", "k8s.io/api/admissionregistration/v1.WebhookClientConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.MatchCondition{}.OpenAPIModelName(), v1.RuleWithOperations{}.OpenAPIModelName(), v1.WebhookClientConfig{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -1736,7 +1850,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfiguration(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"webhooks": {
@@ -1757,7 +1871,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfiguration(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.MutatingWebhook"),
+										Ref:     ref(v1.MutatingWebhook{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1767,7 +1881,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.MutatingWebhook", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.MutatingWebhook{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1796,7 +1910,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfigurationList(
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1807,7 +1921,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfigurationList(
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.MutatingWebhookConfiguration"),
+										Ref:     ref(v1.MutatingWebhookConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1818,7 +1932,7 @@ func schema_k8sio_api_admissionregistration_v1_MutatingWebhookConfigurationList(
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.MutatingWebhookConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1.MutatingWebhookConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1932,9 +2046,10 @@ func schema_k8sio_api_admissionregistration_v1_NamedRuleWithOperations(ref commo
 					},
 					"scope": {
 						SchemaProps: spec.SchemaProps{
-							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"*", "Cluster", "Namespaced"},
 						},
 					},
 				},
@@ -2004,7 +2119,7 @@ func schema_k8sio_api_admissionregistration_v1_ParamRef(ref common.ReferenceCall
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"parameterNotFoundAction": {
@@ -2023,7 +2138,7 @@ func schema_k8sio_api_admissionregistration_v1_ParamRef(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -2096,9 +2211,10 @@ func schema_k8sio_api_admissionregistration_v1_Rule(ref common.ReferenceCallback
 					},
 					"scope": {
 						SchemaProps: spec.SchemaProps{
-							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"*", "Cluster", "Namespaced"},
 						},
 					},
 				},
@@ -2197,9 +2313,10 @@ func schema_k8sio_api_admissionregistration_v1_RuleWithOperations(ref common.Ref
 					},
 					"scope": {
 						SchemaProps: spec.SchemaProps{
-							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"*", "Cluster", "Namespaced"},
 						},
 					},
 				},
@@ -2272,7 +2389,7 @@ func schema_k8sio_api_admissionregistration_v1_TypeChecking(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.ExpressionWarning"),
+										Ref:     ref(v1.ExpressionWarning{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2282,7 +2399,7 @@ func schema_k8sio_api_admissionregistration_v1_TypeChecking(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ExpressionWarning"},
+			v1.ExpressionWarning{}.OpenAPIModelName()},
 	}
 }
 
@@ -2311,28 +2428,28 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicy(ref com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicySpec"),
+							Ref:         ref(v1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyStatus"),
+							Ref:         ref(v1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicySpec", "k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName(), v1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2361,21 +2478,21 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBinding(
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBindingSpec"),
+							Ref:         ref(v1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBindingSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2404,7 +2521,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingL
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2415,7 +2532,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingL
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBinding"),
+										Ref:     ref(v1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2426,7 +2543,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingL
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicyBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2447,13 +2564,13 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingS
 					"paramRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ParamRef"),
+							Ref:         ref(v1.ParamRef{}.OpenAPIModelName()),
 						},
 					},
 					"matchResources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.MatchResources"),
+							Ref:         ref(v1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validationActions": {
@@ -2481,7 +2598,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyBindingS
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.MatchResources", "k8s.io/api/admissionregistration/v1.ParamRef"},
+			v1.MatchResources{}.OpenAPIModelName(), v1.ParamRef{}.OpenAPIModelName()},
 	}
 }
 
@@ -2510,7 +2627,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyList(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2521,7 +2638,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyList(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicy"),
+										Ref:     ref(v1.ValidatingAdmissionPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2532,7 +2649,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyList(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingAdmissionPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1.ValidatingAdmissionPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2546,13 +2663,13 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 					"paramKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ParamKind"),
+							Ref:         ref(v1.ParamKind{}.OpenAPIModelName()),
 						},
 					},
 					"matchConstraints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.MatchResources"),
+							Ref:         ref(v1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validations": {
@@ -2568,7 +2685,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.Validation"),
+										Ref:     ref(v1.Validation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2595,7 +2712,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.AuditAnnotation"),
+										Ref:     ref(v1.AuditAnnotation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2619,7 +2736,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.MatchCondition"),
+										Ref:     ref(v1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2643,7 +2760,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.Variable"),
+										Ref:     ref(v1.Variable{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2653,7 +2770,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicySpec(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.AuditAnnotation", "k8s.io/api/admissionregistration/v1.MatchCondition", "k8s.io/api/admissionregistration/v1.MatchResources", "k8s.io/api/admissionregistration/v1.ParamKind", "k8s.io/api/admissionregistration/v1.Validation", "k8s.io/api/admissionregistration/v1.Variable"},
+			v1.AuditAnnotation{}.OpenAPIModelName(), v1.MatchCondition{}.OpenAPIModelName(), v1.MatchResources{}.OpenAPIModelName(), v1.ParamKind{}.OpenAPIModelName(), v1.Validation{}.OpenAPIModelName(), v1.Variable{}.OpenAPIModelName()},
 	}
 }
 
@@ -2674,7 +2791,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyStatus(r
 					"typeChecking": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The results of type checking for each expression. Presence of this field indicates the completion of the type checking.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.TypeChecking"),
+							Ref:         ref(v1.TypeChecking{}.OpenAPIModelName()),
 						},
 					},
 					"conditions": {
@@ -2693,7 +2810,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyStatus(r
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2703,7 +2820,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingAdmissionPolicyStatus(r
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.TypeChecking", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			v1.TypeChecking{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -2726,7 +2843,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConfig defines how to communicate with the hook. Required",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1.WebhookClientConfig"),
+							Ref:         ref(v1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -2742,7 +2859,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.RuleWithOperations"),
+										Ref:     ref(v1.RuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2767,13 +2884,13 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref common.Refe
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"sideEffects": {
@@ -2829,7 +2946,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.MatchCondition"),
+										Ref:     ref(v1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2840,7 +2957,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhook(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.MatchCondition", "k8s.io/api/admissionregistration/v1.RuleWithOperations", "k8s.io/api/admissionregistration/v1.WebhookClientConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.MatchCondition{}.OpenAPIModelName(), v1.RuleWithOperations{}.OpenAPIModelName(), v1.WebhookClientConfig{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -2869,7 +2986,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfiguration(re
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"webhooks": {
@@ -2890,7 +3007,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfiguration(re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.ValidatingWebhook"),
+										Ref:     ref(v1.ValidatingWebhook{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2900,7 +3017,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfiguration(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingWebhook", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ValidatingWebhook{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2929,7 +3046,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfigurationLis
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2940,7 +3057,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfigurationLis
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.ValidatingWebhookConfiguration"),
+										Ref:     ref(v1.ValidatingWebhookConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2951,7 +3068,7 @@ func schema_k8sio_api_admissionregistration_v1_ValidatingWebhookConfigurationLis
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ValidatingWebhookConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1.ValidatingWebhookConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3050,7 +3167,7 @@ func schema_k8sio_api_admissionregistration_v1_WebhookClientConfig(ref common.Re
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1.ServiceReference"),
+							Ref:         ref(v1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -3064,7 +3181,7 @@ func schema_k8sio_api_admissionregistration_v1_WebhookClientConfig(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.ServiceReference"},
+			v1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -3207,13 +3324,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref common.R
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the policy based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the policy's expression (CEL), and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resourceRules": {
@@ -3229,7 +3346,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.NamedRuleWithOperations"),
+										Ref:     ref(v1alpha1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3248,7 +3365,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.NamedRuleWithOperations"),
+										Ref:     ref(v1alpha1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3271,7 +3388,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MatchResources(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.NamedRuleWithOperations", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1alpha1.NamedRuleWithOperations{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -3300,21 +3417,21 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicy(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the MutatingAdmissionPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicySpec"),
+							Ref:         ref(v1alpha1.MutatingAdmissionPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicySpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha1.MutatingAdmissionPolicySpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3343,21 +3460,21 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBind
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the MutatingAdmissionPolicyBinding.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBindingSpec"),
+							Ref:         ref(v1alpha1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBindingSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3386,7 +3503,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBind
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3397,7 +3514,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBind
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBinding"),
+										Ref:     ref(v1alpha1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3408,7 +3525,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBind
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicyBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3429,20 +3546,20 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyBind
 					"paramRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ParamRef"),
+							Ref:         ref(v1alpha1.ParamRef{}.OpenAPIModelName()),
 						},
 					},
 					"matchResources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MatchResources"),
+							Ref:         ref(v1alpha1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MatchResources", "k8s.io/api/admissionregistration/v1alpha1.ParamRef"},
+			v1alpha1.MatchResources{}.OpenAPIModelName(), v1alpha1.ParamRef{}.OpenAPIModelName()},
 	}
 }
 
@@ -3471,7 +3588,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyList
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3482,7 +3599,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyList
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicy"),
+										Ref:     ref(v1alpha1.MutatingAdmissionPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3493,7 +3610,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicyList
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MutatingAdmissionPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha1.MutatingAdmissionPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3507,13 +3624,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec
 					"paramKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ParamKind"),
+							Ref:         ref(v1alpha1.ParamKind{}.OpenAPIModelName()),
 						},
 					},
 					"matchConstraints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MatchResources"),
+							Ref:         ref(v1alpha1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"variables": {
@@ -3529,7 +3646,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.Variable"),
+										Ref:     ref(v1alpha1.Variable{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3548,7 +3665,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.Mutation"),
+										Ref:     ref(v1alpha1.Mutation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3580,7 +3697,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.MatchCondition"),
+										Ref:     ref(v1alpha1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3588,16 +3705,17 @@ func schema_k8sio_api_admissionregistration_v1alpha1_MutatingAdmissionPolicySpec
 					},
 					"reinvocationPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.",
+							Description: "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.\n - `\"Never\"` indicates that the mutation must not be called more than once in a single admission evaluation.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"IfNeeded", "Never"},
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MatchCondition", "k8s.io/api/admissionregistration/v1alpha1.MatchResources", "k8s.io/api/admissionregistration/v1alpha1.Mutation", "k8s.io/api/admissionregistration/v1alpha1.ParamKind", "k8s.io/api/admissionregistration/v1alpha1.Variable"},
+			v1alpha1.MatchCondition{}.OpenAPIModelName(), v1alpha1.MatchResources{}.OpenAPIModelName(), v1alpha1.Mutation{}.OpenAPIModelName(), v1alpha1.ParamKind{}.OpenAPIModelName(), v1alpha1.Variable{}.OpenAPIModelName()},
 	}
 }
 
@@ -3620,13 +3738,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_Mutation(ref common.Referen
 					"applyConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ApplyConfiguration"),
+							Ref:         ref(v1alpha1.ApplyConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"jsonPatch": {
 						SchemaProps: spec.SchemaProps{
 							Description: "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.JSONPatch"),
+							Ref:         ref(v1alpha1.JSONPatch{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -3634,7 +3752,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_Mutation(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ApplyConfiguration", "k8s.io/api/admissionregistration/v1alpha1.JSONPatch"},
+			v1alpha1.ApplyConfiguration{}.OpenAPIModelName(), v1alpha1.JSONPatch{}.OpenAPIModelName()},
 	}
 }
 
@@ -3748,9 +3866,10 @@ func schema_k8sio_api_admissionregistration_v1alpha1_NamedRuleWithOperations(ref
 					},
 					"scope": {
 						SchemaProps: spec.SchemaProps{
-							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"*", "Cluster", "Namespaced"},
 						},
 					},
 				},
@@ -3820,7 +3939,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ParamRef(ref common.Referen
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"parameterNotFoundAction": {
@@ -3840,7 +3959,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ParamRef(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -3864,7 +3983,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_TypeChecking(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.ExpressionWarning"),
+										Ref:     ref(v1alpha1.ExpressionWarning{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3874,7 +3993,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_TypeChecking(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ExpressionWarning"},
+			v1alpha1.ExpressionWarning{}.OpenAPIModelName()},
 	}
 }
 
@@ -3903,28 +4022,28 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicy(r
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicySpec"),
+							Ref:         ref(v1alpha1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyStatus"),
+							Ref:         ref(v1alpha1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicySpec", "k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName(), v1alpha1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3953,21 +4072,21 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBindingSpec"),
+							Ref:         ref(v1alpha1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBindingSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3996,7 +4115,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -4007,7 +4126,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBinding"),
+										Ref:     ref(v1alpha1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4018,7 +4137,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicyBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4039,13 +4158,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 					"paramRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ParamRef"),
+							Ref:         ref(v1alpha1.ParamRef{}.OpenAPIModelName()),
 						},
 					},
 					"matchResources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MatchResources"),
+							Ref:         ref(v1alpha1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validationActions": {
@@ -4073,7 +4192,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyBi
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.MatchResources", "k8s.io/api/admissionregistration/v1alpha1.ParamRef"},
+			v1alpha1.MatchResources{}.OpenAPIModelName(), v1alpha1.ParamRef{}.OpenAPIModelName()},
 	}
 }
 
@@ -4102,7 +4221,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyLi
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -4113,7 +4232,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyLi
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicy"),
+										Ref:     ref(v1alpha1.ValidatingAdmissionPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4124,7 +4243,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicyLi
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.ValidatingAdmissionPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha1.ValidatingAdmissionPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4138,13 +4257,13 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 					"paramKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.ParamKind"),
+							Ref:         ref(v1alpha1.ParamKind{}.OpenAPIModelName()),
 						},
 					},
 					"matchConstraints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.MatchResources"),
+							Ref:         ref(v1alpha1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validations": {
@@ -4160,7 +4279,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.Validation"),
+										Ref:     ref(v1alpha1.Validation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4187,7 +4306,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.AuditAnnotation"),
+										Ref:     ref(v1alpha1.AuditAnnotation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4211,7 +4330,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.MatchCondition"),
+										Ref:     ref(v1alpha1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4235,7 +4354,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1alpha1.Variable"),
+										Ref:     ref(v1alpha1.Variable{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4245,7 +4364,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySp
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.AuditAnnotation", "k8s.io/api/admissionregistration/v1alpha1.MatchCondition", "k8s.io/api/admissionregistration/v1alpha1.MatchResources", "k8s.io/api/admissionregistration/v1alpha1.ParamKind", "k8s.io/api/admissionregistration/v1alpha1.Validation", "k8s.io/api/admissionregistration/v1alpha1.Variable"},
+			v1alpha1.AuditAnnotation{}.OpenAPIModelName(), v1alpha1.MatchCondition{}.OpenAPIModelName(), v1alpha1.MatchResources{}.OpenAPIModelName(), v1alpha1.ParamKind{}.OpenAPIModelName(), v1alpha1.Validation{}.OpenAPIModelName(), v1alpha1.Variable{}.OpenAPIModelName()},
 	}
 }
 
@@ -4266,7 +4385,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySt
 					"typeChecking": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The results of type checking for each expression. Presence of this field indicates the completion of the type checking.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1alpha1.TypeChecking"),
+							Ref:         ref(v1alpha1.TypeChecking{}.OpenAPIModelName()),
 						},
 					},
 					"conditions": {
@@ -4285,7 +4404,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySt
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4295,7 +4414,7 @@ func schema_k8sio_api_admissionregistration_v1alpha1_ValidatingAdmissionPolicySt
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1alpha1.TypeChecking", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			v1alpha1.TypeChecking{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -4512,13 +4631,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref common.Re
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resourceRules": {
@@ -4534,7 +4653,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.NamedRuleWithOperations"),
+										Ref:     ref(v1beta1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4553,7 +4672,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.NamedRuleWithOperations"),
+										Ref:     ref(v1beta1.NamedRuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4575,7 +4694,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MatchResources(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.NamedRuleWithOperations", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1beta1.NamedRuleWithOperations{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -4604,21 +4723,21 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicy(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the MutatingAdmissionPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicySpec"),
+							Ref:         ref(v1beta1.MutatingAdmissionPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicySpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.MutatingAdmissionPolicySpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4647,21 +4766,21 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindi
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the MutatingAdmissionPolicyBinding.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBindingSpec"),
+							Ref:         ref(v1beta1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBindingSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.MutatingAdmissionPolicyBindingSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4690,7 +4809,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindi
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -4701,7 +4820,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindi
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBinding"),
+										Ref:     ref(v1beta1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4712,7 +4831,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindi
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicyBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.MutatingAdmissionPolicyBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4733,20 +4852,20 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyBindi
 					"paramRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ParamRef"),
+							Ref:         ref(v1beta1.ParamRef{}.OpenAPIModelName()),
 						},
 					},
 					"matchResources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MatchResources"),
+							Ref:         ref(v1beta1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MatchResources", "k8s.io/api/admissionregistration/v1beta1.ParamRef"},
+			v1beta1.MatchResources{}.OpenAPIModelName(), v1beta1.ParamRef{}.OpenAPIModelName()},
 	}
 }
 
@@ -4775,7 +4894,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyList(
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -4786,7 +4905,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyList(
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicy"),
+										Ref:     ref(v1beta1.MutatingAdmissionPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4797,7 +4916,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicyList(
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingAdmissionPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.MutatingAdmissionPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -4811,13 +4930,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(
 					"paramKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ParamKind"),
+							Ref:         ref(v1beta1.ParamKind{}.OpenAPIModelName()),
 						},
 					},
 					"matchConstraints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MatchResources"),
+							Ref:         ref(v1beta1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"variables": {
@@ -4833,7 +4952,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.Variable"),
+										Ref:     ref(v1beta1.Variable{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4852,7 +4971,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.Mutation"),
+										Ref:     ref(v1beta1.Mutation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4883,7 +5002,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MatchCondition"),
+										Ref:     ref(v1beta1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4891,16 +5010,17 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingAdmissionPolicySpec(
 					},
 					"reinvocationPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.",
+							Description: "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.\n - `\"Never\"` indicates that the mutation must not be called more than once in a single admission evaluation.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"IfNeeded", "Never"},
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MatchCondition", "k8s.io/api/admissionregistration/v1beta1.MatchResources", "k8s.io/api/admissionregistration/v1beta1.Mutation", "k8s.io/api/admissionregistration/v1beta1.ParamKind", "k8s.io/api/admissionregistration/v1beta1.Variable"},
+			v1beta1.MatchCondition{}.OpenAPIModelName(), v1beta1.MatchResources{}.OpenAPIModelName(), v1beta1.Mutation{}.OpenAPIModelName(), v1beta1.ParamKind{}.OpenAPIModelName(), v1beta1.Variable{}.OpenAPIModelName()},
 	}
 }
 
@@ -4923,7 +5043,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConfig defines how to communicate with the hook. Required",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.WebhookClientConfig"),
+							Ref:         ref(v1beta1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -4939,7 +5059,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.RuleWithOperations"),
+										Ref:     ref(v1.RuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4962,13 +5082,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"sideEffects": {
@@ -5007,9 +5127,10 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 					},
 					"reinvocationPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".",
+							Description: "reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the mutation may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial mutation call.\n - `\"Never\"` indicates that the mutation must not be called more than once in a single admission evaluation.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"IfNeeded", "Never"},
 						},
 					},
 					"matchConditions": {
@@ -5030,7 +5151,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MatchCondition"),
+										Ref:     ref(v1beta1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5041,7 +5162,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhook(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.RuleWithOperations", "k8s.io/api/admissionregistration/v1beta1.MatchCondition", "k8s.io/api/admissionregistration/v1beta1.WebhookClientConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.RuleWithOperations{}.OpenAPIModelName(), v1beta1.MatchCondition{}.OpenAPIModelName(), v1beta1.WebhookClientConfig{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -5070,7 +5191,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"webhooks": {
@@ -5091,7 +5212,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MutatingWebhook"),
+										Ref:     ref(v1beta1.MutatingWebhook{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5101,7 +5222,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingWebhook", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.MutatingWebhook{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5130,7 +5251,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -5141,7 +5262,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MutatingWebhookConfiguration"),
+										Ref:     ref(v1beta1.MutatingWebhookConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5152,7 +5273,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_MutatingWebhookConfiguration
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MutatingWebhookConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.MutatingWebhookConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5175,13 +5296,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_Mutation(ref common.Referenc
 					"applyConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ApplyConfiguration"),
+							Ref:         ref(v1beta1.ApplyConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"jsonPatch": {
 						SchemaProps: spec.SchemaProps{
 							Description: "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.JSONPatch"),
+							Ref:         ref(v1beta1.JSONPatch{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -5189,7 +5310,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_Mutation(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ApplyConfiguration", "k8s.io/api/admissionregistration/v1beta1.JSONPatch"},
+			v1beta1.ApplyConfiguration{}.OpenAPIModelName(), v1beta1.JSONPatch{}.OpenAPIModelName()},
 	}
 }
 
@@ -5303,9 +5424,10 @@ func schema_k8sio_api_admissionregistration_v1beta1_NamedRuleWithOperations(ref
 					},
 					"scope": {
 						SchemaProps: spec.SchemaProps{
-							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".",
+							Description: "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".\n\n\nPossible enum values:\n - `\"*\"` means that all scopes are included.\n - `\"Cluster\"` means that scope is limited to cluster-scoped objects. Namespace objects are cluster-scoped.\n - `\"Namespaced\"` means that scope is limited to namespaced objects.",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"*", "Cluster", "Namespaced"},
 						},
 					},
 				},
@@ -5375,7 +5497,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ParamRef(ref common.Referenc
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"parameterNotFoundAction": {
@@ -5394,7 +5516,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ParamRef(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -5462,7 +5584,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_TypeChecking(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.ExpressionWarning"),
+										Ref:     ref(v1beta1.ExpressionWarning{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5472,7 +5594,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_TypeChecking(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ExpressionWarning"},
+			v1beta1.ExpressionWarning{}.OpenAPIModelName()},
 	}
 }
 
@@ -5501,28 +5623,28 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicy(re
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicySpec"),
+							Ref:         ref(v1beta1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyStatus"),
+							Ref:         ref(v1beta1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicySpec", "k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.ValidatingAdmissionPolicySpec{}.OpenAPIModelName(), v1beta1.ValidatingAdmissionPolicyStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5551,21 +5673,21 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBindingSpec"),
+							Ref:         ref(v1beta1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBindingSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.ValidatingAdmissionPolicyBindingSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5594,7 +5716,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -5605,7 +5727,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBinding"),
+										Ref:     ref(v1beta1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5616,7 +5738,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicyBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.ValidatingAdmissionPolicyBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5637,13 +5759,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 					"paramRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ParamRef"),
+							Ref:         ref(v1beta1.ParamRef{}.OpenAPIModelName()),
 						},
 					},
 					"matchResources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MatchResources"),
+							Ref:         ref(v1beta1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validationActions": {
@@ -5671,7 +5793,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyBin
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.MatchResources", "k8s.io/api/admissionregistration/v1beta1.ParamRef"},
+			v1beta1.MatchResources{}.OpenAPIModelName(), v1beta1.ParamRef{}.OpenAPIModelName()},
 	}
 }
 
@@ -5700,7 +5822,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyLis
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -5711,7 +5833,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyLis
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicy"),
+										Ref:     ref(v1beta1.ValidatingAdmissionPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5722,7 +5844,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicyLis
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingAdmissionPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.ValidatingAdmissionPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5736,13 +5858,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 					"paramKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ParamKind"),
+							Ref:         ref(v1beta1.ParamKind{}.OpenAPIModelName()),
 						},
 					},
 					"matchConstraints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.MatchResources"),
+							Ref:         ref(v1beta1.MatchResources{}.OpenAPIModelName()),
 						},
 					},
 					"validations": {
@@ -5758,7 +5880,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.Validation"),
+										Ref:     ref(v1beta1.Validation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5784,7 +5906,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.AuditAnnotation"),
+										Ref:     ref(v1beta1.AuditAnnotation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5808,7 +5930,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MatchCondition"),
+										Ref:     ref(v1beta1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5832,7 +5954,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.Variable"),
+										Ref:     ref(v1beta1.Variable{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5842,7 +5964,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySpe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.AuditAnnotation", "k8s.io/api/admissionregistration/v1beta1.MatchCondition", "k8s.io/api/admissionregistration/v1beta1.MatchResources", "k8s.io/api/admissionregistration/v1beta1.ParamKind", "k8s.io/api/admissionregistration/v1beta1.Validation", "k8s.io/api/admissionregistration/v1beta1.Variable"},
+			v1beta1.AuditAnnotation{}.OpenAPIModelName(), v1beta1.MatchCondition{}.OpenAPIModelName(), v1beta1.MatchResources{}.OpenAPIModelName(), v1beta1.ParamKind{}.OpenAPIModelName(), v1beta1.Validation{}.OpenAPIModelName(), v1beta1.Variable{}.OpenAPIModelName()},
 	}
 }
 
@@ -5863,7 +5985,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySta
 					"typeChecking": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The results of type checking for each expression. Presence of this field indicates the completion of the type checking.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.TypeChecking"),
+							Ref:         ref(v1beta1.TypeChecking{}.OpenAPIModelName()),
 						},
 					},
 					"conditions": {
@@ -5882,7 +6004,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySta
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5892,7 +6014,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingAdmissionPolicySta
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.TypeChecking", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			v1beta1.TypeChecking{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -5915,7 +6037,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConfig defines how to communicate with the hook. Required",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.WebhookClientConfig"),
+							Ref:         ref(v1beta1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -5931,7 +6053,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1.RuleWithOperations"),
+										Ref:     ref(v1.RuleWithOperations{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5954,13 +6076,13 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref common
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"objectSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"sideEffects": {
@@ -6020,7 +6142,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.MatchCondition"),
+										Ref:     ref(v1beta1.MatchCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6031,7 +6153,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhook(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1.RuleWithOperations", "k8s.io/api/admissionregistration/v1beta1.MatchCondition", "k8s.io/api/admissionregistration/v1beta1.WebhookClientConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.RuleWithOperations{}.OpenAPIModelName(), v1beta1.MatchCondition{}.OpenAPIModelName(), v1beta1.WebhookClientConfig{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -6060,7 +6182,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"webhooks": {
@@ -6081,7 +6203,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.ValidatingWebhook"),
+										Ref:     ref(v1beta1.ValidatingWebhook{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6091,7 +6213,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingWebhook", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.ValidatingWebhook{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6120,7 +6242,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -6131,7 +6253,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/admissionregistration/v1beta1.ValidatingWebhookConfiguration"),
+										Ref:     ref(v1beta1.ValidatingWebhookConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6142,7 +6264,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_ValidatingWebhookConfigurati
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ValidatingWebhookConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.ValidatingWebhookConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6241,7 +6363,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_WebhookClientConfig(ref comm
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/api/admissionregistration/v1beta1.ServiceReference"),
+							Ref:         ref(v1beta1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -6255,7 +6377,7 @@ func schema_k8sio_api_admissionregistration_v1beta1_WebhookClientConfig(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/admissionregistration/v1beta1.ServiceReference"},
+			v1beta1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -6284,7 +6406,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscovery(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. The only field completed will be name. For instance, resourceVersion will be empty. name is the name of the API group whose discovery information is presented here. name is allowed to be \"\" to represent the legacy, ungroupified resources. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"versions": {
@@ -6303,7 +6425,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscovery(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2.APIVersionDiscovery"),
+										Ref:     ref(v2.APIVersionDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6313,7 +6435,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscovery(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2.APIVersionDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v2.APIVersionDiscovery{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6342,7 +6464,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscoveryList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceVersion will not be set, because this does not have a replayable ordering among multiple apiservers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -6353,7 +6475,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscoveryList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2.APIGroupDiscovery"),
+										Ref:     ref(v2.APIGroupDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6364,7 +6486,7 @@ func schema_k8sio_api_apidiscovery_v2_APIGroupDiscoveryList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2.APIGroupDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v2.APIGroupDiscovery{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6386,7 +6508,7 @@ func schema_k8sio_api_apidiscovery_v2_APIResourceDiscovery(ref common.ReferenceC
 					"responseKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "responseKind describes the group, version, and kind of the serialization schema for the object type this endpoint typically returns. APIs may return other objects types at their discretion, such as error conditions, requests for alternate representations, or other operation specific behavior. This value will be null or empty if an APIService reports subresources but supports no operations on the parent resource",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+							Ref:         ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -6481,7 +6603,7 @@ func schema_k8sio_api_apidiscovery_v2_APIResourceDiscovery(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2.APISubresourceDiscovery"),
+										Ref:     ref(v2.APISubresourceDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6492,7 +6614,7 @@ func schema_k8sio_api_apidiscovery_v2_APIResourceDiscovery(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2.APISubresourceDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"},
+			v2.APISubresourceDiscovery{}.OpenAPIModelName(), metav1.GroupVersionKind{}.OpenAPIModelName()},
 	}
 }
 
@@ -6514,7 +6636,7 @@ func schema_k8sio_api_apidiscovery_v2_APISubresourceDiscovery(ref common.Referen
 					"responseKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "responseKind describes the group, version, and kind of the serialization schema for the object type this endpoint typically returns. Some subresources do not return normal resources, these will have null or empty return types.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+							Ref:         ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 						},
 					},
 					"acceptedTypes": {
@@ -6535,7 +6657,7 @@ func schema_k8sio_api_apidiscovery_v2_APISubresourceDiscovery(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+										Ref:     ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6566,7 +6688,7 @@ func schema_k8sio_api_apidiscovery_v2_APISubresourceDiscovery(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"},
+			metav1.GroupVersionKind{}.OpenAPIModelName()},
 	}
 }
 
@@ -6601,7 +6723,7 @@ func schema_k8sio_api_apidiscovery_v2_APIVersionDiscovery(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2.APIResourceDiscovery"),
+										Ref:     ref(v2.APIResourceDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6619,7 +6741,7 @@ func schema_k8sio_api_apidiscovery_v2_APIVersionDiscovery(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2.APIResourceDiscovery"},
+			v2.APIResourceDiscovery{}.OpenAPIModelName()},
 	}
 }
 
@@ -6648,7 +6770,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscovery(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. The only field completed will be name. For instance, resourceVersion will be empty. name is the name of the API group whose discovery information is presented here. name is allowed to be \"\" to represent the legacy, ungroupified resources. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"versions": {
@@ -6667,7 +6789,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscovery(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2beta1.APIVersionDiscovery"),
+										Ref:     ref(v2beta1.APIVersionDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6677,7 +6799,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscovery(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2beta1.APIVersionDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v2beta1.APIVersionDiscovery{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6706,7 +6828,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscoveryList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceVersion will not be set, because this does not have a replayable ordering among multiple apiservers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -6717,7 +6839,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscoveryList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2beta1.APIGroupDiscovery"),
+										Ref:     ref(v2beta1.APIGroupDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6728,7 +6850,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIGroupDiscoveryList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2beta1.APIGroupDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v2beta1.APIGroupDiscovery{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -6750,7 +6872,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIResourceDiscovery(ref common.Refer
 					"responseKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "responseKind describes the group, version, and kind of the serialization schema for the object type this endpoint typically returns. APIs may return other objects types at their discretion, such as error conditions, requests for alternate representations, or other operation specific behavior. This value will be null or empty if an APIService reports subresources but supports no operations on the parent resource",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+							Ref:         ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -6845,7 +6967,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIResourceDiscovery(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2beta1.APISubresourceDiscovery"),
+										Ref:     ref(v2beta1.APISubresourceDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6856,7 +6978,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIResourceDiscovery(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2beta1.APISubresourceDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"},
+			v2beta1.APISubresourceDiscovery{}.OpenAPIModelName(), metav1.GroupVersionKind{}.OpenAPIModelName()},
 	}
 }
 
@@ -6878,7 +7000,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APISubresourceDiscovery(ref common.Re
 					"responseKind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "responseKind describes the group, version, and kind of the serialization schema for the object type this endpoint typically returns. Some subresources do not return normal resources, these will have null or empty return types.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+							Ref:         ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 						},
 					},
 					"acceptedTypes": {
@@ -6899,7 +7021,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APISubresourceDiscovery(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"),
+										Ref:     ref(metav1.GroupVersionKind{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6930,7 +7052,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APISubresourceDiscovery(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind"},
+			metav1.GroupVersionKind{}.OpenAPIModelName()},
 	}
 }
 
@@ -6965,7 +7087,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIVersionDiscovery(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apidiscovery/v2beta1.APIResourceDiscovery"),
+										Ref:     ref(v2beta1.APIResourceDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6983,7 +7105,7 @@ func schema_k8sio_api_apidiscovery_v2beta1_APIVersionDiscovery(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apidiscovery/v2beta1.APIResourceDiscovery"},
+			v2beta1.APIResourceDiscovery{}.OpenAPIModelName()},
 	}
 }
 
@@ -7079,21 +7201,21 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersion(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "The name is <group>.<resource>.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec is an empty spec. It is here to comply with Kubernetes API style.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apiserverinternal/v1alpha1.StorageVersionSpec"),
+							Ref:         ref(apiserverinternalv1alpha1.StorageVersionSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "API server instances report the version they can decode and the version they encode objects to when persisting objects in the backend.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apiserverinternal/v1alpha1.StorageVersionStatus"),
+							Ref:         ref(apiserverinternalv1alpha1.StorageVersionStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -7101,7 +7223,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersion(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apiserverinternal/v1alpha1.StorageVersionSpec", "k8s.io/api/apiserverinternal/v1alpha1.StorageVersionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			apiserverinternalv1alpha1.StorageVersionSpec{}.OpenAPIModelName(), apiserverinternalv1alpha1.StorageVersionStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7138,7 +7260,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionCondition(ref com
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -7161,7 +7283,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionCondition(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -7190,7 +7312,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionList(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -7201,7 +7323,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionList(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apiserverinternal/v1alpha1.StorageVersion"),
+										Ref:     ref(apiserverinternalv1alpha1.StorageVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7212,7 +7334,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apiserverinternal/v1alpha1.StorageVersion", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			apiserverinternalv1alpha1.StorageVersion{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7250,7 +7372,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionStatus(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apiserverinternal/v1alpha1.ServerStorageVersion"),
+										Ref:     ref(apiserverinternalv1alpha1.ServerStorageVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7279,7 +7401,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionStatus(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apiserverinternal/v1alpha1.StorageVersionCondition"),
+										Ref:     ref(apiserverinternalv1alpha1.StorageVersionCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7289,7 +7411,7 @@ func schema_k8sio_api_apiserverinternal_v1alpha1_StorageVersionStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apiserverinternal/v1alpha1.ServerStorageVersion", "k8s.io/api/apiserverinternal/v1alpha1.StorageVersionCondition"},
+			apiserverinternalv1alpha1.ServerStorageVersion{}.OpenAPIModelName(), apiserverinternalv1alpha1.StorageVersionCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -7318,13 +7440,13 @@ func schema_k8sio_api_apps_v1_ControllerRevision(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data is the serialized representation of the state.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"revision": {
@@ -7340,7 +7462,7 @@ func schema_k8sio_api_apps_v1_ControllerRevision(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -7369,7 +7491,7 @@ func schema_k8sio_api_apps_v1_ControllerRevisionList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -7380,7 +7502,7 @@ func schema_k8sio_api_apps_v1_ControllerRevisionList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.ControllerRevision"),
+										Ref:     ref(appsv1.ControllerRevision{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7391,7 +7513,7 @@ func schema_k8sio_api_apps_v1_ControllerRevisionList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.ControllerRevision", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1.ControllerRevision{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7420,28 +7542,28 @@ func schema_k8sio_api_apps_v1_DaemonSet(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DaemonSetSpec"),
+							Ref:         ref(appsv1.DaemonSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DaemonSetStatus"),
+							Ref:         ref(appsv1.DaemonSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DaemonSetSpec", "k8s.io/api/apps/v1.DaemonSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1.DaemonSetSpec{}.OpenAPIModelName(), appsv1.DaemonSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7471,7 +7593,7 @@ func schema_k8sio_api_apps_v1_DaemonSetCondition(ref common.ReferenceCallback) c
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -7493,7 +7615,7 @@ func schema_k8sio_api_apps_v1_DaemonSetCondition(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -7522,7 +7644,7 @@ func schema_k8sio_api_apps_v1_DaemonSetList(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -7533,7 +7655,7 @@ func schema_k8sio_api_apps_v1_DaemonSetList(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.DaemonSet"),
+										Ref:     ref(appsv1.DaemonSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7544,7 +7666,7 @@ func schema_k8sio_api_apps_v1_DaemonSetList(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DaemonSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1.DaemonSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7558,21 +7680,21 @@ func schema_k8sio_api_apps_v1_DaemonSetSpec(ref common.ReferenceCallback) common
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"updateStrategy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An update strategy to replace existing DaemonSet pods with new pods.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DaemonSetUpdateStrategy"),
+							Ref:         ref(appsv1.DaemonSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -7594,7 +7716,7 @@ func schema_k8sio_api_apps_v1_DaemonSetSpec(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DaemonSetUpdateStrategy", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			appsv1.DaemonSetUpdateStrategy{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -7690,7 +7812,7 @@ func schema_k8sio_api_apps_v1_DaemonSetStatus(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.DaemonSetCondition"),
+										Ref:     ref(appsv1.DaemonSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7701,7 +7823,7 @@ func schema_k8sio_api_apps_v1_DaemonSetStatus(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DaemonSetCondition"},
+			appsv1.DaemonSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -7723,14 +7845,14 @@ func schema_k8sio_api_apps_v1_DaemonSetUpdateStrategy(ref common.ReferenceCallba
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if type = \"RollingUpdate\".",
-							Ref:         ref("k8s.io/api/apps/v1.RollingUpdateDaemonSet"),
+							Ref:         ref(appsv1.RollingUpdateDaemonSet{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.RollingUpdateDaemonSet"},
+			appsv1.RollingUpdateDaemonSet{}.OpenAPIModelName()},
 	}
 }
 
@@ -7759,28 +7881,28 @@ func schema_k8sio_api_apps_v1_Deployment(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DeploymentSpec"),
+							Ref:         ref(appsv1.DeploymentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DeploymentStatus"),
+							Ref:         ref(appsv1.DeploymentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DeploymentSpec", "k8s.io/api/apps/v1.DeploymentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1.DeploymentSpec{}.OpenAPIModelName(), appsv1.DeploymentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7810,13 +7932,13 @@ func schema_k8sio_api_apps_v1_DeploymentCondition(ref common.ReferenceCallback)
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time this condition was updated.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -7838,7 +7960,7 @@ func schema_k8sio_api_apps_v1_DeploymentCondition(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -7867,7 +7989,7 @@ func schema_k8sio_api_apps_v1_DeploymentList(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -7878,7 +8000,7 @@ func schema_k8sio_api_apps_v1_DeploymentList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.Deployment"),
+										Ref:     ref(appsv1.Deployment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -7889,7 +8011,7 @@ func schema_k8sio_api_apps_v1_DeploymentList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.Deployment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1.Deployment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -7910,14 +8032,14 @@ func schema_k8sio_api_apps_v1_DeploymentSpec(ref common.ReferenceCallback) commo
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"strategy": {
@@ -7929,7 +8051,7 @@ func schema_k8sio_api_apps_v1_DeploymentSpec(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "The deployment strategy to use to replace existing pods with new ones.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.DeploymentStrategy"),
+							Ref:         ref(appsv1.DeploymentStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -7965,7 +8087,7 @@ func schema_k8sio_api_apps_v1_DeploymentSpec(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DeploymentStrategy", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			appsv1.DeploymentStrategy{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -8020,7 +8142,7 @@ func schema_k8sio_api_apps_v1_DeploymentStatus(ref common.ReferenceCallback) com
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -8043,7 +8165,7 @@ func schema_k8sio_api_apps_v1_DeploymentStatus(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.DeploymentCondition"),
+										Ref:     ref(appsv1.DeploymentCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8060,7 +8182,7 @@ func schema_k8sio_api_apps_v1_DeploymentStatus(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.DeploymentCondition"},
+			appsv1.DeploymentCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -8082,14 +8204,14 @@ func schema_k8sio_api_apps_v1_DeploymentStrategy(ref common.ReferenceCallback) c
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
-							Ref:         ref("k8s.io/api/apps/v1.RollingUpdateDeployment"),
+							Ref:         ref(appsv1.RollingUpdateDeployment{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.RollingUpdateDeployment"},
+			appsv1.RollingUpdateDeployment{}.OpenAPIModelName()},
 	}
 }
 
@@ -8118,28 +8240,28 @@ func schema_k8sio_api_apps_v1_ReplicaSet(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.ReplicaSetSpec"),
+							Ref:         ref(appsv1.ReplicaSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.ReplicaSetStatus"),
+							Ref:         ref(appsv1.ReplicaSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.ReplicaSetSpec", "k8s.io/api/apps/v1.ReplicaSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1.ReplicaSetSpec{}.OpenAPIModelName(), appsv1.ReplicaSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -8169,7 +8291,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetCondition(ref common.ReferenceCallback)
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -8191,7 +8313,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetCondition(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -8220,7 +8342,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetList(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -8231,7 +8353,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.ReplicaSet"),
+										Ref:     ref(appsv1.ReplicaSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8242,7 +8364,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.ReplicaSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1.ReplicaSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -8270,14 +8392,14 @@ func schema_k8sio_api_apps_v1_ReplicaSetSpec(ref common.ReferenceCallback) commo
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -8285,7 +8407,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetSpec(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -8327,7 +8449,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetStatus(ref common.ReferenceCallback) com
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -8357,7 +8479,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetStatus(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.ReplicaSetCondition"),
+										Ref:     ref(appsv1.ReplicaSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8368,7 +8490,7 @@ func schema_k8sio_api_apps_v1_ReplicaSetStatus(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.ReplicaSetCondition"},
+			appsv1.ReplicaSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -8382,20 +8504,20 @@ func schema_k8sio_api_apps_v1_RollingUpdateDaemonSet(ref common.ReferenceCallbac
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0 if MaxSurge is 0 Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediately created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -8409,20 +8531,20 @@ func schema_k8sio_api_apps_v1_RollingUpdateDeployment(ref common.ReferenceCallba
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -8442,15 +8564,15 @@ func schema_k8sio_api_apps_v1_RollingUpdateStatefulSetStrategy(ref common.Refere
 					},
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -8479,28 +8601,28 @@ func schema_k8sio_api_apps_v1_StatefulSet(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the desired identities of pods in this set.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.StatefulSetSpec"),
+							Ref:         ref(appsv1.StatefulSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.StatefulSetStatus"),
+							Ref:         ref(appsv1.StatefulSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.StatefulSetSpec", "k8s.io/api/apps/v1.StatefulSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1.StatefulSetSpec{}.OpenAPIModelName(), appsv1.StatefulSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -8530,7 +8652,7 @@ func schema_k8sio_api_apps_v1_StatefulSetCondition(ref common.ReferenceCallback)
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -8552,7 +8674,7 @@ func schema_k8sio_api_apps_v1_StatefulSetCondition(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -8581,7 +8703,7 @@ func schema_k8sio_api_apps_v1_StatefulSetList(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -8592,7 +8714,7 @@ func schema_k8sio_api_apps_v1_StatefulSetList(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.StatefulSet"),
+										Ref:     ref(appsv1.StatefulSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8603,7 +8725,7 @@ func schema_k8sio_api_apps_v1_StatefulSetList(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.StatefulSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1.StatefulSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -8672,14 +8794,14 @@ func schema_k8sio_api_apps_v1_StatefulSetSpec(ref common.ReferenceCallback) comm
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". The only allowed template.spec.restartPolicy value is \"Always\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"volumeClaimTemplates": {
@@ -8695,7 +8817,7 @@ func schema_k8sio_api_apps_v1_StatefulSetSpec(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolumeClaim"),
+										Ref:     ref(corev1.PersistentVolumeClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8721,7 +8843,7 @@ func schema_k8sio_api_apps_v1_StatefulSetSpec(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1.StatefulSetUpdateStrategy"),
+							Ref:         ref(appsv1.StatefulSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"revisionHistoryLimit": {
@@ -8741,13 +8863,13 @@ func schema_k8sio_api_apps_v1_StatefulSetSpec(ref common.ReferenceCallback) comm
 					"persistentVolumeClaimRetentionPolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.",
-							Ref:         ref("k8s.io/api/apps/v1.StatefulSetPersistentVolumeClaimRetentionPolicy"),
+							Ref:         ref(appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName()),
 						},
 					},
 					"ordinals": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.",
-							Ref:         ref("k8s.io/api/apps/v1.StatefulSetOrdinals"),
+							Ref:         ref(appsv1.StatefulSetOrdinals{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -8755,7 +8877,7 @@ func schema_k8sio_api_apps_v1_StatefulSetSpec(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.StatefulSetOrdinals", "k8s.io/api/apps/v1.StatefulSetPersistentVolumeClaimRetentionPolicy", "k8s.io/api/apps/v1.StatefulSetUpdateStrategy", "k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			appsv1.StatefulSetOrdinals{}.OpenAPIModelName(), appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName(), appsv1.StatefulSetUpdateStrategy{}.OpenAPIModelName(), corev1.PersistentVolumeClaim{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -8841,7 +8963,7 @@ func schema_k8sio_api_apps_v1_StatefulSetStatus(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1.StatefulSetCondition"),
+										Ref:     ref(appsv1.StatefulSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8860,7 +8982,7 @@ func schema_k8sio_api_apps_v1_StatefulSetStatus(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.StatefulSetCondition"},
+			appsv1.StatefulSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -8882,14 +9004,14 @@ func schema_k8sio_api_apps_v1_StatefulSetUpdateStrategy(ref common.ReferenceCall
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.",
-							Ref:         ref("k8s.io/api/apps/v1.RollingUpdateStatefulSetStrategy"),
+							Ref:         ref(appsv1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1.RollingUpdateStatefulSetStrategy"},
+			appsv1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()},
 	}
 }
 
@@ -8918,13 +9040,13 @@ func schema_k8sio_api_apps_v1beta1_ControllerRevision(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "data is the serialized representation of the state.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"revision": {
@@ -8940,7 +9062,7 @@ func schema_k8sio_api_apps_v1beta1_ControllerRevision(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -8969,7 +9091,7 @@ func schema_k8sio_api_apps_v1beta1_ControllerRevisionList(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -8980,7 +9102,7 @@ func schema_k8sio_api_apps_v1beta1_ControllerRevisionList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta1.ControllerRevision"),
+										Ref:     ref(appsv1beta1.ControllerRevision{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -8991,7 +9113,7 @@ func schema_k8sio_api_apps_v1beta1_ControllerRevisionList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.ControllerRevision", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1beta1.ControllerRevision{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9020,28 +9142,28 @@ func schema_k8sio_api_apps_v1beta1_Deployment(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.DeploymentSpec"),
+							Ref:         ref(appsv1beta1.DeploymentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.DeploymentStatus"),
+							Ref:         ref(appsv1beta1.DeploymentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.DeploymentSpec", "k8s.io/api/apps/v1beta1.DeploymentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1beta1.DeploymentSpec{}.OpenAPIModelName(), appsv1beta1.DeploymentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9071,13 +9193,13 @@ func schema_k8sio_api_apps_v1beta1_DeploymentCondition(ref common.ReferenceCallb
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time this condition was updated.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -9099,7 +9221,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentCondition(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -9128,7 +9250,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -9139,7 +9261,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta1.Deployment"),
+										Ref:     ref(appsv1beta1.Deployment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -9150,7 +9272,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.Deployment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1beta1.Deployment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9203,7 +9325,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentRollback(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "The config of this deployment rollback.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.RollbackConfig"),
+							Ref:         ref(appsv1beta1.RollbackConfig{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -9211,7 +9333,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentRollback(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.RollbackConfig"},
+			appsv1beta1.RollbackConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -9232,14 +9354,14 @@ func schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref common.ReferenceCallback)
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"strategy": {
@@ -9251,7 +9373,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "The deployment strategy to use to replace existing pods with new ones.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.DeploymentStrategy"),
+							Ref:         ref(appsv1beta1.DeploymentStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -9278,7 +9400,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref common.ReferenceCallback)
 					"rollbackTo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DEPRECATED. rollbackTo is the config this deployment is rolling back to. Will be cleared after rollback is done.",
-							Ref:         ref("k8s.io/api/apps/v1beta1.RollbackConfig"),
+							Ref:         ref(appsv1beta1.RollbackConfig{}.OpenAPIModelName()),
 						},
 					},
 					"progressDeadlineSeconds": {
@@ -9293,7 +9415,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.DeploymentStrategy", "k8s.io/api/apps/v1beta1.RollbackConfig", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			appsv1beta1.DeploymentStrategy{}.OpenAPIModelName(), appsv1beta1.RollbackConfig{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -9348,7 +9470,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentStatus(ref common.ReferenceCallback
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -9371,7 +9493,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentStatus(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta1.DeploymentCondition"),
+										Ref:     ref(appsv1beta1.DeploymentCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -9388,7 +9510,7 @@ func schema_k8sio_api_apps_v1beta1_DeploymentStatus(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.DeploymentCondition"},
+			appsv1beta1.DeploymentCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -9409,14 +9531,14 @@ func schema_k8sio_api_apps_v1beta1_DeploymentStrategy(ref common.ReferenceCallba
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
-							Ref:         ref("k8s.io/api/apps/v1beta1.RollingUpdateDeployment"),
+							Ref:         ref(appsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.RollingUpdateDeployment"},
+			appsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName()},
 	}
 }
 
@@ -9450,20 +9572,20 @@ func schema_k8sio_api_apps_v1beta1_RollingUpdateDeployment(ref common.ReferenceC
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -9483,15 +9605,15 @@ func schema_k8sio_api_apps_v1beta1_RollingUpdateStatefulSetStrategy(ref common.R
 					},
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
-							Description: "maxUnavailable is the maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Description: "maxUnavailable is the maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -9520,28 +9642,28 @@ func schema_k8sio_api_apps_v1beta1_Scale(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.ScaleSpec"),
+							Ref:         ref(appsv1beta1.ScaleSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status defines current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.ScaleStatus"),
+							Ref:         ref(appsv1beta1.ScaleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.ScaleSpec", "k8s.io/api/apps/v1beta1.ScaleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1beta1.ScaleSpec{}.OpenAPIModelName(), appsv1beta1.ScaleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9635,28 +9757,28 @@ func schema_k8sio_api_apps_v1beta1_StatefulSet(ref common.ReferenceCallback) com
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the desired identities of pods in this set.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.StatefulSetSpec"),
+							Ref:         ref(appsv1beta1.StatefulSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.StatefulSetStatus"),
+							Ref:         ref(appsv1beta1.StatefulSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.StatefulSetSpec", "k8s.io/api/apps/v1beta1.StatefulSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			appsv1beta1.StatefulSetSpec{}.OpenAPIModelName(), appsv1beta1.StatefulSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9686,7 +9808,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetCondition(ref common.ReferenceCall
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -9708,7 +9830,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetCondition(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -9736,7 +9858,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetList(ref common.ReferenceCallback)
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -9746,7 +9868,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta1.StatefulSet"),
+										Ref:     ref(appsv1beta1.StatefulSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -9757,7 +9879,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.StatefulSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			appsv1beta1.StatefulSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -9826,14 +9948,14 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref common.ReferenceCallback)
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is a label query over pods that should match the replica count. If empty, defaulted to labels on the pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"volumeClaimTemplates": {
@@ -9849,7 +9971,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolumeClaim"),
+										Ref:     ref(corev1.PersistentVolumeClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -9874,7 +9996,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta1.StatefulSetUpdateStrategy"),
+							Ref:         ref(appsv1beta1.StatefulSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"revisionHistoryLimit": {
@@ -9893,14 +10015,14 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref common.ReferenceCallback)
 					},
 					"persistentVolumeClaimRetentionPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.",
-							Ref:         ref("k8s.io/api/apps/v1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy"),
+							Description: "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.",
+							Ref:         ref(appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName()),
 						},
 					},
 					"ordinals": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.",
-							Ref:         ref("k8s.io/api/apps/v1beta1.StatefulSetOrdinals"),
+							Ref:         ref(appsv1beta1.StatefulSetOrdinals{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -9908,7 +10030,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.StatefulSetOrdinals", "k8s.io/api/apps/v1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy", "k8s.io/api/apps/v1beta1.StatefulSetUpdateStrategy", "k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			appsv1beta1.StatefulSetOrdinals{}.OpenAPIModelName(), appsv1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName(), appsv1beta1.StatefulSetUpdateStrategy{}.OpenAPIModelName(), corev1.PersistentVolumeClaim{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -9994,7 +10116,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetStatus(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta1.StatefulSetCondition"),
+										Ref:     ref(appsv1beta1.StatefulSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10013,7 +10135,7 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetStatus(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.StatefulSetCondition"},
+			appsv1beta1.StatefulSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -10034,14 +10156,14 @@ func schema_k8sio_api_apps_v1beta1_StatefulSetUpdateStrategy(ref common.Referenc
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.",
-							Ref:         ref("k8s.io/api/apps/v1beta1.RollingUpdateStatefulSetStrategy"),
+							Ref:         ref(appsv1beta1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta1.RollingUpdateStatefulSetStrategy"},
+			appsv1beta1.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()},
 	}
 }
 
@@ -10070,13 +10192,13 @@ func schema_k8sio_api_apps_v1beta2_ControllerRevision(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data is the serialized representation of the state.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"revision": {
@@ -10092,7 +10214,7 @@ func schema_k8sio_api_apps_v1beta2_ControllerRevision(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -10121,7 +10243,7 @@ func schema_k8sio_api_apps_v1beta2_ControllerRevisionList(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -10132,7 +10254,7 @@ func schema_k8sio_api_apps_v1beta2_ControllerRevisionList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.ControllerRevision"),
+										Ref:     ref(v1beta2.ControllerRevision{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10143,7 +10265,7 @@ func schema_k8sio_api_apps_v1beta2_ControllerRevisionList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.ControllerRevision", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta2.ControllerRevision{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10172,28 +10294,28 @@ func schema_k8sio_api_apps_v1beta2_DaemonSet(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DaemonSetSpec"),
+							Ref:         ref(v1beta2.DaemonSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DaemonSetStatus"),
+							Ref:         ref(v1beta2.DaemonSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DaemonSetSpec", "k8s.io/api/apps/v1beta2.DaemonSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta2.DaemonSetSpec{}.OpenAPIModelName(), v1beta2.DaemonSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10223,7 +10345,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetCondition(ref common.ReferenceCallba
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -10245,7 +10367,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetCondition(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -10274,7 +10396,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetList(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -10285,7 +10407,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetList(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.DaemonSet"),
+										Ref:     ref(v1beta2.DaemonSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10296,7 +10418,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetList(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DaemonSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta2.DaemonSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10310,21 +10432,21 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetSpec(ref common.ReferenceCallback) c
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"updateStrategy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An update strategy to replace existing DaemonSet pods with new pods.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DaemonSetUpdateStrategy"),
+							Ref:         ref(v1beta2.DaemonSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -10346,7 +10468,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetSpec(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DaemonSetUpdateStrategy", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1beta2.DaemonSetUpdateStrategy{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -10442,7 +10564,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetStatus(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.DaemonSetCondition"),
+										Ref:     ref(v1beta2.DaemonSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10453,7 +10575,7 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetStatus(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DaemonSetCondition"},
+			v1beta2.DaemonSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -10474,14 +10596,14 @@ func schema_k8sio_api_apps_v1beta2_DaemonSetUpdateStrategy(ref common.ReferenceC
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if type = \"RollingUpdate\".",
-							Ref:         ref("k8s.io/api/apps/v1beta2.RollingUpdateDaemonSet"),
+							Ref:         ref(v1beta2.RollingUpdateDaemonSet{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.RollingUpdateDaemonSet"},
+			v1beta2.RollingUpdateDaemonSet{}.OpenAPIModelName()},
 	}
 }
 
@@ -10510,28 +10632,28 @@ func schema_k8sio_api_apps_v1beta2_Deployment(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DeploymentSpec"),
+							Ref:         ref(v1beta2.DeploymentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DeploymentStatus"),
+							Ref:         ref(v1beta2.DeploymentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DeploymentSpec", "k8s.io/api/apps/v1beta2.DeploymentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta2.DeploymentSpec{}.OpenAPIModelName(), v1beta2.DeploymentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10561,13 +10683,13 @@ func schema_k8sio_api_apps_v1beta2_DeploymentCondition(ref common.ReferenceCallb
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time this condition was updated.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -10589,7 +10711,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentCondition(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -10618,7 +10740,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -10629,7 +10751,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.Deployment"),
+										Ref:     ref(v1beta2.Deployment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10640,7 +10762,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.Deployment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta2.Deployment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10661,14 +10783,14 @@ func schema_k8sio_api_apps_v1beta2_DeploymentSpec(ref common.ReferenceCallback)
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"strategy": {
@@ -10680,7 +10802,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentSpec(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "The deployment strategy to use to replace existing pods with new ones.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.DeploymentStrategy"),
+							Ref:         ref(v1beta2.DeploymentStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -10716,7 +10838,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DeploymentStrategy", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1beta2.DeploymentStrategy{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -10771,7 +10893,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentStatus(ref common.ReferenceCallback
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -10794,7 +10916,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentStatus(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.DeploymentCondition"),
+										Ref:     ref(v1beta2.DeploymentCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10811,7 +10933,7 @@ func schema_k8sio_api_apps_v1beta2_DeploymentStatus(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.DeploymentCondition"},
+			v1beta2.DeploymentCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -10832,14 +10954,14 @@ func schema_k8sio_api_apps_v1beta2_DeploymentStrategy(ref common.ReferenceCallba
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
-							Ref:         ref("k8s.io/api/apps/v1beta2.RollingUpdateDeployment"),
+							Ref:         ref(v1beta2.RollingUpdateDeployment{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.RollingUpdateDeployment"},
+			v1beta2.RollingUpdateDeployment{}.OpenAPIModelName()},
 	}
 }
 
@@ -10868,28 +10990,28 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSet(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.ReplicaSetSpec"),
+							Ref:         ref(v1beta2.ReplicaSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.ReplicaSetStatus"),
+							Ref:         ref(v1beta2.ReplicaSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.ReplicaSetSpec", "k8s.io/api/apps/v1beta2.ReplicaSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta2.ReplicaSetSpec{}.OpenAPIModelName(), v1beta2.ReplicaSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -10919,7 +11041,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetCondition(ref common.ReferenceCallb
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -10941,7 +11063,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetCondition(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -10970,7 +11092,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -10981,7 +11103,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.ReplicaSet"),
+										Ref:     ref(v1beta2.ReplicaSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -10992,7 +11114,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.ReplicaSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta2.ReplicaSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11020,14 +11142,14 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetSpec(ref common.ReferenceCallback)
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -11035,7 +11157,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -11077,7 +11199,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetStatus(ref common.ReferenceCallback
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -11107,7 +11229,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetStatus(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.ReplicaSetCondition"),
+										Ref:     ref(v1beta2.ReplicaSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -11118,7 +11240,7 @@ func schema_k8sio_api_apps_v1beta2_ReplicaSetStatus(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.ReplicaSetCondition"},
+			v1beta2.ReplicaSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -11132,20 +11254,20 @@ func schema_k8sio_api_apps_v1beta2_RollingUpdateDaemonSet(ref common.ReferenceCa
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0 if MaxSurge is 0 Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediately created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -11159,20 +11281,20 @@ func schema_k8sio_api_apps_v1beta2_RollingUpdateDeployment(ref common.ReferenceC
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -11192,15 +11314,15 @@ func schema_k8sio_api_apps_v1beta2_RollingUpdateStatefulSetStrategy(ref common.R
 					},
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -11229,28 +11351,28 @@ func schema_k8sio_api_apps_v1beta2_Scale(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.ScaleSpec"),
+							Ref:         ref(v1beta2.ScaleSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.ScaleStatus"),
+							Ref:         ref(v1beta2.ScaleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.ScaleSpec", "k8s.io/api/apps/v1beta2.ScaleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta2.ScaleSpec{}.OpenAPIModelName(), v1beta2.ScaleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11349,28 +11471,28 @@ func schema_k8sio_api_apps_v1beta2_StatefulSet(ref common.ReferenceCallback) com
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the desired identities of pods in this set.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.StatefulSetSpec"),
+							Ref:         ref(v1beta2.StatefulSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.StatefulSetStatus"),
+							Ref:         ref(v1beta2.StatefulSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.StatefulSetSpec", "k8s.io/api/apps/v1beta2.StatefulSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta2.StatefulSetSpec{}.OpenAPIModelName(), v1beta2.StatefulSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11400,7 +11522,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetCondition(ref common.ReferenceCall
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -11422,7 +11544,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetCondition(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -11450,7 +11572,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetList(ref common.ReferenceCallback)
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -11460,7 +11582,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.StatefulSet"),
+										Ref:     ref(v1beta2.StatefulSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -11471,7 +11593,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.StatefulSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta2.StatefulSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11540,14 +11662,14 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref common.ReferenceCallback)
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". The only allowed template.spec.restartPolicy value is \"Always\".",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"volumeClaimTemplates": {
@@ -11563,7 +11685,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolumeClaim"),
+										Ref:     ref(corev1.PersistentVolumeClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -11588,7 +11710,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/apps/v1beta2.StatefulSetUpdateStrategy"),
+							Ref:         ref(v1beta2.StatefulSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"revisionHistoryLimit": {
@@ -11607,14 +11729,14 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref common.ReferenceCallback)
 					},
 					"persistentVolumeClaimRetentionPolicy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.",
-							Ref:         ref("k8s.io/api/apps/v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy"),
+							Description: "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.",
+							Ref:         ref(v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName()),
 						},
 					},
 					"ordinals": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.",
-							Ref:         ref("k8s.io/api/apps/v1beta2.StatefulSetOrdinals"),
+							Ref:         ref(v1beta2.StatefulSetOrdinals{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -11622,7 +11744,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.StatefulSetOrdinals", "k8s.io/api/apps/v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy", "k8s.io/api/apps/v1beta2.StatefulSetUpdateStrategy", "k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1beta2.StatefulSetOrdinals{}.OpenAPIModelName(), v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy{}.OpenAPIModelName(), v1beta2.StatefulSetUpdateStrategy{}.OpenAPIModelName(), corev1.PersistentVolumeClaim{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -11708,7 +11830,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/apps/v1beta2.StatefulSetCondition"),
+										Ref:     ref(v1beta2.StatefulSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -11727,7 +11849,7 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.StatefulSetCondition"},
+			v1beta2.StatefulSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -11748,14 +11870,14 @@ func schema_k8sio_api_apps_v1beta2_StatefulSetUpdateStrategy(ref common.Referenc
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.",
-							Ref:         ref("k8s.io/api/apps/v1beta2.RollingUpdateStatefulSetStrategy"),
+							Ref:         ref(v1beta2.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/apps/v1beta2.RollingUpdateStatefulSetStrategy"},
+			v1beta2.RollingUpdateStatefulSetStrategy{}.OpenAPIModelName()},
 	}
 }
 
@@ -11825,21 +11947,21 @@ func schema_k8sio_api_authentication_v1_SelfSubjectReview(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server with the user attributes.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.SelfSubjectReviewStatus"),
+							Ref:         ref(authenticationv1.SelfSubjectReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1.SelfSubjectReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11854,14 +11976,14 @@ func schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "User attributes of the user making this request.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.UserInfo"},
+			authenticationv1.UserInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -11890,21 +12012,21 @@ func schema_k8sio_api_authentication_v1_TokenRequest(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.TokenRequestSpec"),
+							Ref:         ref(authenticationv1.TokenRequestSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the token can be authenticated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.TokenRequestStatus"),
+							Ref:         ref(authenticationv1.TokenRequestStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -11912,7 +12034,7 @@ func schema_k8sio_api_authentication_v1_TokenRequest(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.TokenRequestSpec", "k8s.io/api/authentication/v1.TokenRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1.TokenRequestSpec{}.OpenAPIModelName(), authenticationv1.TokenRequestStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -11953,7 +12075,7 @@ func schema_k8sio_api_authentication_v1_TokenRequestSpec(ref common.ReferenceCal
 					"boundObjectRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.",
-							Ref:         ref("k8s.io/api/authentication/v1.BoundObjectReference"),
+							Ref:         ref(authenticationv1.BoundObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -11961,7 +12083,7 @@ func schema_k8sio_api_authentication_v1_TokenRequestSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.BoundObjectReference"},
+			authenticationv1.BoundObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -11983,7 +12105,7 @@ func schema_k8sio_api_authentication_v1_TokenRequestStatus(ref common.ReferenceC
 					"expirationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ExpirationTimestamp is the time of expiration of the returned token.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -11991,7 +12113,7 @@ func schema_k8sio_api_authentication_v1_TokenRequestStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -12020,21 +12142,21 @@ func schema_k8sio_api_authentication_v1_TokenReview(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.TokenReviewSpec"),
+							Ref:         ref(authenticationv1.TokenReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request can be authenticated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.TokenReviewStatus"),
+							Ref:         ref(authenticationv1.TokenReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -12042,7 +12164,7 @@ func schema_k8sio_api_authentication_v1_TokenReview(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.TokenReviewSpec", "k8s.io/api/authentication/v1.TokenReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1.TokenReviewSpec{}.OpenAPIModelName(), authenticationv1.TokenReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -12104,7 +12226,7 @@ func schema_k8sio_api_authentication_v1_TokenReviewStatus(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "User is the UserInfo associated with the provided token.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 					"audiences": {
@@ -12138,7 +12260,7 @@ func schema_k8sio_api_authentication_v1_TokenReviewStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.UserInfo"},
+			authenticationv1.UserInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -12237,21 +12359,21 @@ func schema_k8sio_api_authentication_v1alpha1_SelfSubjectReview(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server with the user attributes.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus"),
+							Ref:         ref(authenticationv1alpha1.SelfSubjectReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1alpha1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1alpha1.SelfSubjectReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -12266,14 +12388,14 @@ func schema_k8sio_api_authentication_v1alpha1_SelfSubjectReviewStatus(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "User attributes of the user making this request.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.UserInfo"},
+			authenticationv1.UserInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -12302,21 +12424,21 @@ func schema_k8sio_api_authentication_v1beta1_SelfSubjectReview(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server with the user attributes.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1beta1.SelfSubjectReviewStatus"),
+							Ref:         ref(authenticationv1beta1.SelfSubjectReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1beta1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1beta1.SelfSubjectReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -12331,14 +12453,14 @@ func schema_k8sio_api_authentication_v1beta1_SelfSubjectReviewStatus(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "User attributes of the user making this request.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.UserInfo"},
+			authenticationv1.UserInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -12367,21 +12489,21 @@ func schema_k8sio_api_authentication_v1beta1_TokenReview(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1beta1.TokenReviewSpec"),
+							Ref:         ref(authenticationv1beta1.TokenReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the token can be authenticated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1beta1.TokenReviewStatus"),
+							Ref:         ref(authenticationv1beta1.TokenReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -12389,7 +12511,7 @@ func schema_k8sio_api_authentication_v1beta1_TokenReview(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1beta1.TokenReviewSpec", "k8s.io/api/authentication/v1beta1.TokenReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authenticationv1beta1.TokenReviewSpec{}.OpenAPIModelName(), authenticationv1beta1.TokenReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -12451,7 +12573,7 @@ func schema_k8sio_api_authentication_v1beta1_TokenReviewStatus(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "User is the UserInfo associated with the provided token.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1beta1.UserInfo"),
+							Ref:         ref(authenticationv1beta1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 					"audiences": {
@@ -12485,7 +12607,7 @@ func schema_k8sio_api_authentication_v1beta1_TokenReviewStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1beta1.UserInfo"},
+			authenticationv1beta1.UserInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -12586,7 +12708,7 @@ func schema_k8sio_api_authorization_v1_FieldSelectorAttributes(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement"),
+										Ref:     ref(metav1.FieldSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -12596,7 +12718,7 @@ func schema_k8sio_api_authorization_v1_FieldSelectorAttributes(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement"},
+			metav1.FieldSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -12627,7 +12749,7 @@ func schema_k8sio_api_authorization_v1_LabelSelectorAttributes(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(metav1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -12637,7 +12759,7 @@ func schema_k8sio_api_authorization_v1_LabelSelectorAttributes(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			metav1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -12666,21 +12788,21 @@ func schema_k8sio_api_authorization_v1_LocalSubjectAccessReview(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1.SubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -12688,7 +12810,7 @@ func schema_k8sio_api_authorization_v1_LocalSubjectAccessReview(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.SubjectAccessReviewSpec", "k8s.io/api/authorization/v1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1.SubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -12832,20 +12954,20 @@ func schema_k8sio_api_authorization_v1_ResourceAttributes(ref common.ReferenceCa
 					"fieldSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fieldSelector describes the limitation on access based on field.  It can only limit access, not broaden it.",
-							Ref:         ref("k8s.io/api/authorization/v1.FieldSelectorAttributes"),
+							Ref:         ref(authorizationv1.FieldSelectorAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"labelSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "labelSelector describes the limitation on access based on labels.  It can only limit access, not broaden it.",
-							Ref:         ref("k8s.io/api/authorization/v1.LabelSelectorAttributes"),
+							Ref:         ref(authorizationv1.LabelSelectorAttributes{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.FieldSelectorAttributes", "k8s.io/api/authorization/v1.LabelSelectorAttributes"},
+			authorizationv1.FieldSelectorAttributes{}.OpenAPIModelName(), authorizationv1.LabelSelectorAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -12968,21 +13090,21 @@ func schema_k8sio_api_authorization_v1_SelfSubjectAccessReview(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.  user and groups must be empty",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SelfSubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -12990,7 +13112,7 @@ func schema_k8sio_api_authorization_v1_SelfSubjectAccessReview(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.SelfSubjectAccessReviewSpec", "k8s.io/api/authorization/v1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13004,20 +13126,20 @@ func schema_k8sio_api_authorization_v1_SelfSubjectAccessReviewSpec(ref common.Re
 					"resourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceAuthorizationAttributes describes information for a resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1.ResourceAttributes"),
+							Ref:         ref(authorizationv1.ResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"nonResourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NonResourceAttributes describes information for a non-resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1.NonResourceAttributes"),
+							Ref:         ref(authorizationv1.NonResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.NonResourceAttributes", "k8s.io/api/authorization/v1.ResourceAttributes"},
+			authorizationv1.NonResourceAttributes{}.OpenAPIModelName(), authorizationv1.ResourceAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -13046,21 +13168,21 @@ func schema_k8sio_api_authorization_v1_SelfSubjectRulesReview(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SelfSubjectRulesReviewSpec"),
+							Ref:         ref(authorizationv1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates the set of actions a user can perform.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectRulesReviewStatus"),
+							Ref:         ref(authorizationv1.SubjectRulesReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13068,7 +13190,7 @@ func schema_k8sio_api_authorization_v1_SelfSubjectRulesReview(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.SelfSubjectRulesReviewSpec", "k8s.io/api/authorization/v1.SubjectRulesReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName(), authorizationv1.SubjectRulesReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13117,21 +13239,21 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReview(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1.SubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13139,7 +13261,7 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReview(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.SubjectAccessReviewSpec", "k8s.io/api/authorization/v1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1.SubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13153,13 +13275,13 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref common.Refere
 					"resourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceAuthorizationAttributes describes information for a resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1.ResourceAttributes"),
+							Ref:         ref(authorizationv1.ResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"nonResourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NonResourceAttributes describes information for a non-resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1.NonResourceAttributes"),
+							Ref:         ref(authorizationv1.NonResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"user": {
@@ -13223,7 +13345,7 @@ func schema_k8sio_api_authorization_v1_SubjectAccessReviewSpec(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.NonResourceAttributes", "k8s.io/api/authorization/v1.ResourceAttributes"},
+			authorizationv1.NonResourceAttributes{}.OpenAPIModelName(), authorizationv1.ResourceAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -13290,7 +13412,7 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/authorization/v1.ResourceRule"),
+										Ref:     ref(authorizationv1.ResourceRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -13309,7 +13431,7 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/authorization/v1.NonResourceRule"),
+										Ref:     ref(authorizationv1.NonResourceRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -13335,7 +13457,7 @@ func schema_k8sio_api_authorization_v1_SubjectRulesReviewStatus(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.NonResourceRule", "k8s.io/api/authorization/v1.ResourceRule"},
+			authorizationv1.NonResourceRule{}.OpenAPIModelName(), authorizationv1.ResourceRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -13364,21 +13486,21 @@ func schema_k8sio_api_authorization_v1beta1_LocalSubjectAccessReview(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1beta1.SubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13386,7 +13508,7 @@ func schema_k8sio_api_authorization_v1beta1_LocalSubjectAccessReview(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.SubjectAccessReviewSpec", "k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1beta1.SubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13530,20 +13652,20 @@ func schema_k8sio_api_authorization_v1beta1_ResourceAttributes(ref common.Refere
 					"fieldSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fieldSelector describes the limitation on access based on field.  It can only limit access, not broaden it.",
-							Ref:         ref("k8s.io/api/authorization/v1.FieldSelectorAttributes"),
+							Ref:         ref(authorizationv1.FieldSelectorAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"labelSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "labelSelector describes the limitation on access based on labels.  It can only limit access, not broaden it.",
-							Ref:         ref("k8s.io/api/authorization/v1.LabelSelectorAttributes"),
+							Ref:         ref(authorizationv1.LabelSelectorAttributes{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1.FieldSelectorAttributes", "k8s.io/api/authorization/v1.LabelSelectorAttributes"},
+			authorizationv1.FieldSelectorAttributes{}.OpenAPIModelName(), authorizationv1.LabelSelectorAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -13666,21 +13788,21 @@ func schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReview(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.  user and groups must be empty",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SelfSubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1beta1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13688,7 +13810,7 @@ func schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReview(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.SelfSubjectAccessReviewSpec", "k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1beta1.SelfSubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13702,20 +13824,20 @@ func schema_k8sio_api_authorization_v1beta1_SelfSubjectAccessReviewSpec(ref comm
 					"resourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceAuthorizationAttributes describes information for a resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1beta1.ResourceAttributes"),
+							Ref:         ref(authorizationv1beta1.ResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"nonResourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NonResourceAttributes describes information for a non-resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1beta1.NonResourceAttributes"),
+							Ref:         ref(authorizationv1beta1.NonResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.NonResourceAttributes", "k8s.io/api/authorization/v1beta1.ResourceAttributes"},
+			authorizationv1beta1.NonResourceAttributes{}.OpenAPIModelName(), authorizationv1beta1.ResourceAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -13744,21 +13866,21 @@ func schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReview(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SelfSubjectRulesReviewSpec"),
+							Ref:         ref(authorizationv1beta1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates the set of actions a user can perform.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectRulesReviewStatus"),
+							Ref:         ref(authorizationv1beta1.SubjectRulesReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13766,7 +13888,7 @@ func schema_k8sio_api_authorization_v1beta1_SelfSubjectRulesReview(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.SelfSubjectRulesReviewSpec", "k8s.io/api/authorization/v1beta1.SubjectRulesReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1beta1.SelfSubjectRulesReviewSpec{}.OpenAPIModelName(), authorizationv1beta1.SubjectRulesReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13815,21 +13937,21 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReview(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the request being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectAccessReviewSpec"),
+							Ref:         ref(authorizationv1beta1.SubjectAccessReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the server and indicates whether the request is allowed or not",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus"),
+							Ref:         ref(authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -13837,7 +13959,7 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReview(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.SubjectAccessReviewSpec", "k8s.io/api/authorization/v1beta1.SubjectAccessReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			authorizationv1beta1.SubjectAccessReviewSpec{}.OpenAPIModelName(), authorizationv1beta1.SubjectAccessReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -13851,13 +13973,13 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref common.R
 					"resourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceAuthorizationAttributes describes information for a resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1beta1.ResourceAttributes"),
+							Ref:         ref(authorizationv1beta1.ResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"nonResourceAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NonResourceAttributes describes information for a non-resource access request",
-							Ref:         ref("k8s.io/api/authorization/v1beta1.NonResourceAttributes"),
+							Ref:         ref(authorizationv1beta1.NonResourceAttributes{}.OpenAPIModelName()),
 						},
 					},
 					"user": {
@@ -13921,7 +14043,7 @@ func schema_k8sio_api_authorization_v1beta1_SubjectAccessReviewSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.NonResourceAttributes", "k8s.io/api/authorization/v1beta1.ResourceAttributes"},
+			authorizationv1beta1.NonResourceAttributes{}.OpenAPIModelName(), authorizationv1beta1.ResourceAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -13988,7 +14110,7 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/authorization/v1beta1.ResourceRule"),
+										Ref:     ref(authorizationv1beta1.ResourceRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -14007,7 +14129,7 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/authorization/v1beta1.NonResourceRule"),
+										Ref:     ref(authorizationv1beta1.NonResourceRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -14033,7 +14155,7 @@ func schema_k8sio_api_authorization_v1beta1_SubjectRulesReviewStatus(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authorization/v1beta1.NonResourceRule", "k8s.io/api/authorization/v1beta1.ResourceRule"},
+			authorizationv1beta1.NonResourceRule{}.OpenAPIModelName(), authorizationv1beta1.ResourceRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -14062,7 +14184,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref common.Re
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -14078,7 +14200,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -14107,7 +14229,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref common.Re
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -14123,7 +14245,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -14187,19 +14309,19 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref common.ReferenceCa
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14207,7 +14329,7 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14229,19 +14351,19 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref common.ReferenceCa
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of metric averaged over autoscaled pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14249,7 +14371,7 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14278,28 +14400,28 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec"),
+							Ref:         ref(autoscalingv1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current information about the autoscaler.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus"),
+							Ref:         ref(autoscalingv1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec", "k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			autoscalingv1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName(), autoscalingv1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -14329,7 +14451,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref common
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -14351,7 +14473,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -14380,7 +14502,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -14391,7 +14513,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler"),
+										Ref:     ref(autoscalingv1.HorizontalPodAutoscaler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -14402,7 +14524,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			autoscalingv1.HorizontalPodAutoscaler{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -14417,7 +14539,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"minReplicas": {
@@ -14447,7 +14569,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference"},
+			autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -14468,7 +14590,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref common.Re
 					"lastScaleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"currentReplicas": {
@@ -14499,7 +14621,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -14522,31 +14644,31 @@ func schema_k8sio_api_autoscaling_v1_MetricSpec(ref common.ReferenceCallback) co
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ObjectMetricSource"),
+							Ref:         ref(autoscalingv1.ObjectMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.PodsMetricSource"),
+							Ref:         ref(autoscalingv1.PodsMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ResourceMetricSource"),
+							Ref:         ref(autoscalingv1.ResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ContainerResourceMetricSource"),
+							Ref:         ref(autoscalingv1.ContainerResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ExternalMetricSource"),
+							Ref:         ref(autoscalingv1.ExternalMetricSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14554,7 +14676,7 @@ func schema_k8sio_api_autoscaling_v1_MetricSpec(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ContainerResourceMetricSource", "k8s.io/api/autoscaling/v1.ExternalMetricSource", "k8s.io/api/autoscaling/v1.ObjectMetricSource", "k8s.io/api/autoscaling/v1.PodsMetricSource", "k8s.io/api/autoscaling/v1.ResourceMetricSource"},
+			autoscalingv1.ContainerResourceMetricSource{}.OpenAPIModelName(), autoscalingv1.ExternalMetricSource{}.OpenAPIModelName(), autoscalingv1.ObjectMetricSource{}.OpenAPIModelName(), autoscalingv1.PodsMetricSource{}.OpenAPIModelName(), autoscalingv1.ResourceMetricSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -14577,31 +14699,31 @@ func schema_k8sio_api_autoscaling_v1_MetricStatus(ref common.ReferenceCallback)
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ObjectMetricStatus"),
+							Ref:         ref(autoscalingv1.ObjectMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.PodsMetricStatus"),
+							Ref:         ref(autoscalingv1.PodsMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ResourceMetricStatus"),
+							Ref:         ref(autoscalingv1.ResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus"),
+							Ref:         ref(autoscalingv1.ContainerResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ExternalMetricStatus"),
+							Ref:         ref(autoscalingv1.ExternalMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14609,7 +14731,7 @@ func schema_k8sio_api_autoscaling_v1_MetricStatus(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus", "k8s.io/api/autoscaling/v1.ExternalMetricStatus", "k8s.io/api/autoscaling/v1.ObjectMetricStatus", "k8s.io/api/autoscaling/v1.PodsMetricStatus", "k8s.io/api/autoscaling/v1.ResourceMetricStatus"},
+			autoscalingv1.ContainerResourceMetricStatus{}.OpenAPIModelName(), autoscalingv1.ExternalMetricStatus{}.OpenAPIModelName(), autoscalingv1.ObjectMetricStatus{}.OpenAPIModelName(), autoscalingv1.PodsMetricStatus{}.OpenAPIModelName(), autoscalingv1.ResourceMetricStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -14624,7 +14746,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -14638,19 +14760,19 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric. When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14658,7 +14780,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14673,7 +14795,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -14687,19 +14809,19 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14707,7 +14829,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			autoscalingv1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14729,13 +14851,13 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref common.ReferenceCallba
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14743,7 +14865,7 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14765,13 +14887,13 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref common.ReferenceCallba
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14779,7 +14901,7 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -14808,7 +14930,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref common.ReferenceCa
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14816,7 +14938,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -14845,7 +14967,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref common.ReferenceCa
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -14853,7 +14975,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -14882,28 +15004,28 @@ func schema_k8sio_api_autoscaling_v1_Scale(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.ScaleSpec"),
+							Ref:         ref(autoscalingv1.ScaleSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.ScaleStatus"),
+							Ref:         ref(autoscalingv1.ScaleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ScaleSpec", "k8s.io/api/autoscaling/v1.ScaleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			autoscalingv1.ScaleSpec{}.OpenAPIModelName(), autoscalingv1.ScaleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -14976,7 +15098,7 @@ func schema_k8sio_api_autoscaling_v2_ContainerResourceMetricSource(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricTarget"),
+							Ref:         ref(autoscalingv2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -14992,7 +15114,7 @@ func schema_k8sio_api_autoscaling_v2_ContainerResourceMetricSource(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricTarget"},
+			autoscalingv2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -15015,7 +15137,7 @@ func schema_k8sio_api_autoscaling_v2_ContainerResourceMetricStatus(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricValueStatus"),
+							Ref:         ref(autoscalingv2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -15031,7 +15153,7 @@ func schema_k8sio_api_autoscaling_v2_ContainerResourceMetricStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricValueStatus"},
+			autoscalingv2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15083,14 +15205,14 @@ func schema_k8sio_api_autoscaling_v2_ExternalMetricSource(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricTarget"),
+							Ref:         ref(autoscalingv2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15098,7 +15220,7 @@ func schema_k8sio_api_autoscaling_v2_ExternalMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricTarget"},
+			autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -15113,14 +15235,14 @@ func schema_k8sio_api_autoscaling_v2_ExternalMetricStatus(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricValueStatus"),
+							Ref:         ref(autoscalingv2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15128,7 +15250,7 @@ func schema_k8sio_api_autoscaling_v2_ExternalMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricValueStatus"},
+			autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15174,7 +15296,7 @@ func schema_k8sio_api_autoscaling_v2_HPAScalingRules(ref common.ReferenceCallbac
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.)",
+				Description: "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires the beta HPAConfigurableTolerance feature gate to be enabled.)",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"stabilizationWindowSeconds": {
@@ -15204,7 +15326,7 @@ func schema_k8sio_api_autoscaling_v2_HPAScalingRules(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2.HPAScalingPolicy"),
+										Ref:     ref(autoscalingv2.HPAScalingPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -15212,15 +15334,15 @@ func schema_k8sio_api_autoscaling_v2_HPAScalingRules(ref common.ReferenceCallbac
 					},
 					"tolerance": {
 						SchemaProps: spec.SchemaProps{
-							Description: "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an alpha field and requires enabling the HPAConfigurableTolerance feature gate.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Description: "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled.",
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.HPAScalingPolicy", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			autoscalingv2.HPAScalingPolicy{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -15249,28 +15371,28 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscaler(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerSpec"),
+							Ref:         ref(autoscalingv2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current information about the autoscaler.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerStatus"),
+							Ref:         ref(autoscalingv2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerSpec", "k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			autoscalingv2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName(), autoscalingv2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -15284,20 +15406,20 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerBehavior(ref common.
 					"scaleUp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of:\n  * increase no more than 4 pods per 60 seconds\n  * double the number of pods per 60 seconds\nNo stabilization is used.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.HPAScalingRules"),
+							Ref:         ref(autoscalingv2.HPAScalingRules{}.OpenAPIModelName()),
 						},
 					},
 					"scaleDown": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).",
-							Ref:         ref("k8s.io/api/autoscaling/v2.HPAScalingRules"),
+							Ref:         ref(autoscalingv2.HPAScalingRules{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.HPAScalingRules"},
+			autoscalingv2.HPAScalingRules{}.OpenAPIModelName()},
 	}
 }
 
@@ -15327,7 +15449,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerCondition(ref common
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -15349,7 +15471,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerCondition(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -15378,7 +15500,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -15389,7 +15511,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2.HorizontalPodAutoscaler"),
+										Ref:     ref(autoscalingv2.HorizontalPodAutoscaler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -15400,7 +15522,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.HorizontalPodAutoscaler", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			autoscalingv2.HorizontalPodAutoscaler{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -15415,7 +15537,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"minReplicas": {
@@ -15446,7 +15568,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2.MetricSpec"),
+										Ref:     ref(autoscalingv2.MetricSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -15455,7 +15577,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref common.Refe
 					"behavior": {
 						SchemaProps: spec.SchemaProps{
 							Description: "behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerBehavior"),
+							Ref:         ref(autoscalingv2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15463,7 +15585,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerSpec(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerBehavior", "k8s.io/api/autoscaling/v2.MetricSpec"},
+			autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName(), autoscalingv2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName(), autoscalingv2.MetricSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -15484,7 +15606,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref common.Re
 					"lastScaleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"currentReplicas": {
@@ -15515,7 +15637,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2.MetricStatus"),
+										Ref:     ref(autoscalingv2.MetricStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -15539,7 +15661,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerCondition"),
+										Ref:     ref(autoscalingv2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -15550,7 +15672,7 @@ func schema_k8sio_api_autoscaling_v2_HorizontalPodAutoscalerStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.HorizontalPodAutoscalerCondition", "k8s.io/api/autoscaling/v2.MetricStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			autoscalingv2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName(), autoscalingv2.MetricStatus{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -15572,7 +15694,7 @@ func schema_k8sio_api_autoscaling_v2_MetricIdentifier(ref common.ReferenceCallba
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15580,7 +15702,7 @@ func schema_k8sio_api_autoscaling_v2_MetricIdentifier(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -15602,31 +15724,31 @@ func schema_k8sio_api_autoscaling_v2_MetricSpec(ref common.ReferenceCallback) co
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ObjectMetricSource"),
+							Ref:         ref(autoscalingv2.ObjectMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.PodsMetricSource"),
+							Ref:         ref(autoscalingv2.PodsMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ResourceMetricSource"),
+							Ref:         ref(autoscalingv2.ResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ContainerResourceMetricSource"),
+							Ref:         ref(autoscalingv2.ContainerResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ExternalMetricSource"),
+							Ref:         ref(autoscalingv2.ExternalMetricSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15634,7 +15756,7 @@ func schema_k8sio_api_autoscaling_v2_MetricSpec(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.ContainerResourceMetricSource", "k8s.io/api/autoscaling/v2.ExternalMetricSource", "k8s.io/api/autoscaling/v2.ObjectMetricSource", "k8s.io/api/autoscaling/v2.PodsMetricSource", "k8s.io/api/autoscaling/v2.ResourceMetricSource"},
+			autoscalingv2.ContainerResourceMetricSource{}.OpenAPIModelName(), autoscalingv2.ExternalMetricSource{}.OpenAPIModelName(), autoscalingv2.ObjectMetricSource{}.OpenAPIModelName(), autoscalingv2.PodsMetricSource{}.OpenAPIModelName(), autoscalingv2.ResourceMetricSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -15656,31 +15778,31 @@ func schema_k8sio_api_autoscaling_v2_MetricStatus(ref common.ReferenceCallback)
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ObjectMetricStatus"),
+							Ref:         ref(autoscalingv2.ObjectMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.PodsMetricStatus"),
+							Ref:         ref(autoscalingv2.PodsMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ResourceMetricStatus"),
+							Ref:         ref(autoscalingv2.ResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ContainerResourceMetricStatus"),
+							Ref:         ref(autoscalingv2.ContainerResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2.ExternalMetricStatus"),
+							Ref:         ref(autoscalingv2.ExternalMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15688,7 +15810,7 @@ func schema_k8sio_api_autoscaling_v2_MetricStatus(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.ContainerResourceMetricStatus", "k8s.io/api/autoscaling/v2.ExternalMetricStatus", "k8s.io/api/autoscaling/v2.ObjectMetricStatus", "k8s.io/api/autoscaling/v2.PodsMetricStatus", "k8s.io/api/autoscaling/v2.ResourceMetricStatus"},
+			autoscalingv2.ContainerResourceMetricStatus{}.OpenAPIModelName(), autoscalingv2.ExternalMetricStatus{}.OpenAPIModelName(), autoscalingv2.ObjectMetricStatus{}.OpenAPIModelName(), autoscalingv2.PodsMetricStatus{}.OpenAPIModelName(), autoscalingv2.ResourceMetricStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15710,13 +15832,13 @@ func schema_k8sio_api_autoscaling_v2_MetricTarget(ref common.ReferenceCallback)
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "value is the target value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageUtilization": {
@@ -15731,7 +15853,7 @@ func schema_k8sio_api_autoscaling_v2_MetricTarget(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -15745,13 +15867,13 @@ func schema_k8sio_api_autoscaling_v2_MetricValueStatus(ref common.ReferenceCallb
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "value is the current value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageUtilization": {
@@ -15765,7 +15887,7 @@ func schema_k8sio_api_autoscaling_v2_MetricValueStatus(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -15780,21 +15902,21 @@ func schema_k8sio_api_autoscaling_v2_ObjectMetricSource(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "describedObject specifies the descriptions of a object,such as kind,name apiVersion",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricTarget"),
+							Ref:         ref(autoscalingv2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 					"metric": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15802,7 +15924,7 @@ func schema_k8sio_api_autoscaling_v2_ObjectMetricSource(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricTarget"},
+			autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName(), autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -15817,21 +15939,21 @@ func schema_k8sio_api_autoscaling_v2_ObjectMetricStatus(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricValueStatus"),
+							Ref:         ref(autoscalingv2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 					"describedObject": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DescribedObject specifies the descriptions of a object,such as kind,name apiVersion",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15839,7 +15961,7 @@ func schema_k8sio_api_autoscaling_v2_ObjectMetricStatus(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricValueStatus"},
+			autoscalingv2.CrossVersionObjectReference{}.OpenAPIModelName(), autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15854,14 +15976,14 @@ func schema_k8sio_api_autoscaling_v2_PodsMetricSource(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricTarget"),
+							Ref:         ref(autoscalingv2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15869,7 +15991,7 @@ func schema_k8sio_api_autoscaling_v2_PodsMetricSource(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricTarget"},
+			autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -15884,14 +16006,14 @@ func schema_k8sio_api_autoscaling_v2_PodsMetricStatus(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricIdentifier"),
+							Ref:         ref(autoscalingv2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricValueStatus"),
+							Ref:         ref(autoscalingv2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15899,7 +16021,7 @@ func schema_k8sio_api_autoscaling_v2_PodsMetricStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricIdentifier", "k8s.io/api/autoscaling/v2.MetricValueStatus"},
+			autoscalingv2.MetricIdentifier{}.OpenAPIModelName(), autoscalingv2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15922,7 +16044,7 @@ func schema_k8sio_api_autoscaling_v2_ResourceMetricSource(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricTarget"),
+							Ref:         ref(autoscalingv2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15930,7 +16052,7 @@ func schema_k8sio_api_autoscaling_v2_ResourceMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricTarget"},
+			autoscalingv2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -15953,7 +16075,7 @@ func schema_k8sio_api_autoscaling_v2_ResourceMetricStatus(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2.MetricValueStatus"),
+							Ref:         ref(autoscalingv2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -15961,7 +16083,7 @@ func schema_k8sio_api_autoscaling_v2_ResourceMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2.MetricValueStatus"},
+			autoscalingv2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -15990,7 +16112,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricSource(ref comm
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -16006,7 +16128,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricSource(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -16035,7 +16157,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricStatus(ref comm
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -16051,7 +16173,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ContainerResourceMetricStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -16110,19 +16232,19 @@ func schema_k8sio_api_autoscaling_v2beta1_ExternalMetricSource(ref common.Refere
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16130,7 +16252,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ExternalMetricSource(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16152,19 +16274,19 @@ func schema_k8sio_api_autoscaling_v2beta1_ExternalMetricStatus(ref common.Refere
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of metric averaged over autoscaled pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16172,7 +16294,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ExternalMetricStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16201,28 +16323,28 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscaler(ref common.Ref
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerSpec"),
+							Ref:         ref(autoscalingv2beta1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current information about the autoscaler.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerStatus"),
+							Ref:         ref(autoscalingv2beta1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerSpec", "k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			autoscalingv2beta1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName(), autoscalingv2beta1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -16252,7 +16374,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerCondition(ref c
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -16274,7 +16396,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerCondition(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -16303,7 +16425,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerList(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -16314,7 +16436,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerList(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscaler"),
+										Ref:     ref(autoscalingv2beta1.HorizontalPodAutoscaler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -16325,7 +16447,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerList(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscaler", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			autoscalingv2beta1.HorizontalPodAutoscaler{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -16340,7 +16462,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerSpec(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"minReplicas": {
@@ -16371,7 +16493,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerSpec(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta1.MetricSpec"),
+										Ref:     ref(autoscalingv2beta1.MetricSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -16382,7 +16504,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerSpec(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2beta1.MetricSpec"},
+			autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName(), autoscalingv2beta1.MetricSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -16403,7 +16525,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref comm
 					"lastScaleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"currentReplicas": {
@@ -16435,7 +16557,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta1.MetricStatus"),
+										Ref:     ref(autoscalingv2beta1.MetricStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -16454,7 +16576,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerCondition"),
+										Ref:     ref(autoscalingv2beta1.HorizontalPodAutoscalerCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -16465,7 +16587,7 @@ func schema_k8sio_api_autoscaling_v2beta1_HorizontalPodAutoscalerStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.HorizontalPodAutoscalerCondition", "k8s.io/api/autoscaling/v2beta1.MetricStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			autoscalingv2beta1.HorizontalPodAutoscalerCondition{}.OpenAPIModelName(), autoscalingv2beta1.MetricStatus{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -16487,31 +16609,31 @@ func schema_k8sio_api_autoscaling_v2beta1_MetricSpec(ref common.ReferenceCallbac
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ObjectMetricSource"),
+							Ref:         ref(autoscalingv2beta1.ObjectMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.PodsMetricSource"),
+							Ref:         ref(autoscalingv2beta1.PodsMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ResourceMetricSource"),
+							Ref:         ref(autoscalingv2beta1.ResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricSource"),
+							Ref:         ref(autoscalingv2beta1.ContainerResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ExternalMetricSource"),
+							Ref:         ref(autoscalingv2beta1.ExternalMetricSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16519,7 +16641,7 @@ func schema_k8sio_api_autoscaling_v2beta1_MetricSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricSource", "k8s.io/api/autoscaling/v2beta1.ExternalMetricSource", "k8s.io/api/autoscaling/v2beta1.ObjectMetricSource", "k8s.io/api/autoscaling/v2beta1.PodsMetricSource", "k8s.io/api/autoscaling/v2beta1.ResourceMetricSource"},
+			autoscalingv2beta1.ContainerResourceMetricSource{}.OpenAPIModelName(), autoscalingv2beta1.ExternalMetricSource{}.OpenAPIModelName(), autoscalingv2beta1.ObjectMetricSource{}.OpenAPIModelName(), autoscalingv2beta1.PodsMetricSource{}.OpenAPIModelName(), autoscalingv2beta1.ResourceMetricSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -16541,31 +16663,31 @@ func schema_k8sio_api_autoscaling_v2beta1_MetricStatus(ref common.ReferenceCallb
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ObjectMetricStatus"),
+							Ref:         ref(autoscalingv2beta1.ObjectMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.PodsMetricStatus"),
+							Ref:         ref(autoscalingv2beta1.PodsMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ResourceMetricStatus"),
+							Ref:         ref(autoscalingv2beta1.ResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricStatus"),
+							Ref:         ref(autoscalingv2beta1.ContainerResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.ExternalMetricStatus"),
+							Ref:         ref(autoscalingv2beta1.ExternalMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16573,7 +16695,7 @@ func schema_k8sio_api_autoscaling_v2beta1_MetricStatus(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.ContainerResourceMetricStatus", "k8s.io/api/autoscaling/v2beta1.ExternalMetricStatus", "k8s.io/api/autoscaling/v2beta1.ObjectMetricStatus", "k8s.io/api/autoscaling/v2beta1.PodsMetricStatus", "k8s.io/api/autoscaling/v2beta1.ResourceMetricStatus"},
+			autoscalingv2beta1.ContainerResourceMetricStatus{}.OpenAPIModelName(), autoscalingv2beta1.ExternalMetricStatus{}.OpenAPIModelName(), autoscalingv2beta1.ObjectMetricStatus{}.OpenAPIModelName(), autoscalingv2beta1.PodsMetricStatus{}.OpenAPIModelName(), autoscalingv2beta1.ResourceMetricStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -16588,7 +16710,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricSource(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -16602,19 +16724,19 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricSource(ref common.Referenc
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16622,7 +16744,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricSource(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16637,7 +16759,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricStatus(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference"),
+							Ref:         ref(autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -16651,19 +16773,19 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricStatus(ref common.Referenc
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16671,7 +16793,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ObjectMetricStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			autoscalingv2beta1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16693,13 +16815,13 @@ func schema_k8sio_api_autoscaling_v2beta1_PodsMetricSource(ref common.ReferenceC
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16707,7 +16829,7 @@ func schema_k8sio_api_autoscaling_v2beta1_PodsMetricSource(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16729,13 +16851,13 @@ func schema_k8sio_api_autoscaling_v2beta1_PodsMetricStatus(ref common.ReferenceC
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16743,7 +16865,7 @@ func schema_k8sio_api_autoscaling_v2beta1_PodsMetricStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -16772,7 +16894,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ResourceMetricSource(ref common.Refere
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16780,7 +16902,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ResourceMetricSource(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -16809,7 +16931,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ResourceMetricStatus(ref common.Refere
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16817,7 +16939,7 @@ func schema_k8sio_api_autoscaling_v2beta1_ResourceMetricStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -16840,7 +16962,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricSource(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricTarget"),
+							Ref:         ref(v2beta2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -16856,7 +16978,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricSource(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricTarget"},
+			v2beta2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -16879,7 +17001,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricStatus(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricValueStatus"),
+							Ref:         ref(v2beta2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -16895,7 +17017,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ContainerResourceMetricStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricValueStatus"},
+			v2beta2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -16947,14 +17069,14 @@ func schema_k8sio_api_autoscaling_v2beta2_ExternalMetricSource(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricTarget"),
+							Ref:         ref(v2beta2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16962,7 +17084,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ExternalMetricSource(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricTarget"},
+			v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -16977,14 +17099,14 @@ func schema_k8sio_api_autoscaling_v2beta2_ExternalMetricStatus(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricValueStatus"),
+							Ref:         ref(v2beta2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -16992,7 +17114,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ExternalMetricStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricValueStatus"},
+			v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -17068,7 +17190,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HPAScalingRules(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta2.HPAScalingPolicy"),
+										Ref:     ref(v2beta2.HPAScalingPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17078,7 +17200,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HPAScalingRules(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.HPAScalingPolicy"},
+			v2beta2.HPAScalingPolicy{}.OpenAPIModelName()},
 	}
 }
 
@@ -17107,28 +17229,28 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscaler(ref common.Ref
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerSpec"),
+							Ref:         ref(v2beta2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current information about the autoscaler.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerStatus"),
+							Ref:         ref(v2beta2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerSpec", "k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v2beta2.HorizontalPodAutoscalerSpec{}.OpenAPIModelName(), v2beta2.HorizontalPodAutoscalerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -17142,20 +17264,20 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerBehavior(ref co
 					"scaleUp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of:\n  * increase no more than 4 pods per 60 seconds\n  * double the number of pods per 60 seconds\nNo stabilization is used.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.HPAScalingRules"),
+							Ref:         ref(v2beta2.HPAScalingRules{}.OpenAPIModelName()),
 						},
 					},
 					"scaleDown": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.HPAScalingRules"),
+							Ref:         ref(v2beta2.HPAScalingRules{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.HPAScalingRules"},
+			v2beta2.HPAScalingRules{}.OpenAPIModelName()},
 	}
 }
 
@@ -17185,7 +17307,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerCondition(ref c
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -17207,7 +17329,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerCondition(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -17236,7 +17358,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerList(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata is the standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -17247,7 +17369,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerList(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscaler"),
+										Ref:     ref(v2beta2.HorizontalPodAutoscaler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17258,7 +17380,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerList(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscaler", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v2beta2.HorizontalPodAutoscaler{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -17273,7 +17395,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference"),
+							Ref:         ref(v2beta2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"minReplicas": {
@@ -17304,7 +17426,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta2.MetricSpec"),
+										Ref:     ref(v2beta2.MetricSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17313,7 +17435,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref common
 					"behavior": {
 						SchemaProps: spec.SchemaProps{
 							Description: "behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerBehavior"),
+							Ref:         ref(v2beta2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17321,7 +17443,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerSpec(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerBehavior", "k8s.io/api/autoscaling/v2beta2.MetricSpec"},
+			v2beta2.CrossVersionObjectReference{}.OpenAPIModelName(), v2beta2.HorizontalPodAutoscalerBehavior{}.OpenAPIModelName(), v2beta2.MetricSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -17342,7 +17464,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref comm
 					"lastScaleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"currentReplicas": {
@@ -17374,7 +17496,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta2.MetricStatus"),
+										Ref:     ref(v2beta2.MetricStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17393,7 +17515,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerCondition"),
+										Ref:     ref(v2beta2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17404,7 +17526,7 @@ func schema_k8sio_api_autoscaling_v2beta2_HorizontalPodAutoscalerStatus(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.HorizontalPodAutoscalerCondition", "k8s.io/api/autoscaling/v2beta2.MetricStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v2beta2.HorizontalPodAutoscalerCondition{}.OpenAPIModelName(), v2beta2.MetricStatus{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -17426,7 +17548,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricIdentifier(ref common.ReferenceC
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17434,7 +17556,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricIdentifier(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -17456,31 +17578,31 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricSpec(ref common.ReferenceCallbac
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ObjectMetricSource"),
+							Ref:         ref(v2beta2.ObjectMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.PodsMetricSource"),
+							Ref:         ref(v2beta2.PodsMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ResourceMetricSource"),
+							Ref:         ref(v2beta2.ResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricSource"),
+							Ref:         ref(v2beta2.ContainerResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ExternalMetricSource"),
+							Ref:         ref(v2beta2.ExternalMetricSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17488,7 +17610,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricSource", "k8s.io/api/autoscaling/v2beta2.ExternalMetricSource", "k8s.io/api/autoscaling/v2beta2.ObjectMetricSource", "k8s.io/api/autoscaling/v2beta2.PodsMetricSource", "k8s.io/api/autoscaling/v2beta2.ResourceMetricSource"},
+			v2beta2.ContainerResourceMetricSource{}.OpenAPIModelName(), v2beta2.ExternalMetricSource{}.OpenAPIModelName(), v2beta2.ObjectMetricSource{}.OpenAPIModelName(), v2beta2.PodsMetricSource{}.OpenAPIModelName(), v2beta2.ResourceMetricSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -17510,31 +17632,31 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricStatus(ref common.ReferenceCallb
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ObjectMetricStatus"),
+							Ref:         ref(v2beta2.ObjectMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.PodsMetricStatus"),
+							Ref:         ref(v2beta2.PodsMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ResourceMetricStatus"),
+							Ref:         ref(v2beta2.ResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricStatus"),
+							Ref:         ref(v2beta2.ContainerResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.ExternalMetricStatus"),
+							Ref:         ref(v2beta2.ExternalMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17542,7 +17664,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricStatus(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.ContainerResourceMetricStatus", "k8s.io/api/autoscaling/v2beta2.ExternalMetricStatus", "k8s.io/api/autoscaling/v2beta2.ObjectMetricStatus", "k8s.io/api/autoscaling/v2beta2.PodsMetricStatus", "k8s.io/api/autoscaling/v2beta2.ResourceMetricStatus"},
+			v2beta2.ContainerResourceMetricStatus{}.OpenAPIModelName(), v2beta2.ExternalMetricStatus{}.OpenAPIModelName(), v2beta2.ObjectMetricStatus{}.OpenAPIModelName(), v2beta2.PodsMetricStatus{}.OpenAPIModelName(), v2beta2.ResourceMetricStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -17564,13 +17686,13 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricTarget(ref common.ReferenceCallb
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "value is the target value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageUtilization": {
@@ -17585,7 +17707,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricTarget(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -17599,13 +17721,13 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricValueStatus(ref common.Reference
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "value is the current value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"averageUtilization": {
@@ -17619,7 +17741,7 @@ func schema_k8sio_api_autoscaling_v2beta2_MetricValueStatus(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -17633,21 +17755,21 @@ func schema_k8sio_api_autoscaling_v2beta2_ObjectMetricSource(ref common.Referenc
 					"describedObject": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference"),
+							Ref:     ref(v2beta2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricTarget"),
+							Ref:         ref(v2beta2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 					"metric": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17655,7 +17777,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ObjectMetricSource(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricTarget"},
+			v2beta2.CrossVersionObjectReference{}.OpenAPIModelName(), v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -17670,20 +17792,20 @@ func schema_k8sio_api_autoscaling_v2beta2_ObjectMetricStatus(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricValueStatus"),
+							Ref:         ref(v2beta2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 					"describedObject": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference"),
+							Ref:     ref(v2beta2.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17691,7 +17813,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ObjectMetricStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.CrossVersionObjectReference", "k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricValueStatus"},
+			v2beta2.CrossVersionObjectReference{}.OpenAPIModelName(), v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -17706,14 +17828,14 @@ func schema_k8sio_api_autoscaling_v2beta2_PodsMetricSource(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricTarget"),
+							Ref:         ref(v2beta2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17721,7 +17843,7 @@ func schema_k8sio_api_autoscaling_v2beta2_PodsMetricSource(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricTarget"},
+			v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -17736,14 +17858,14 @@ func schema_k8sio_api_autoscaling_v2beta2_PodsMetricStatus(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "metric identifies the target metric by name and selector",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricIdentifier"),
+							Ref:         ref(v2beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"current": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricValueStatus"),
+							Ref:         ref(v2beta2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17751,7 +17873,7 @@ func schema_k8sio_api_autoscaling_v2beta2_PodsMetricStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricIdentifier", "k8s.io/api/autoscaling/v2beta2.MetricValueStatus"},
+			v2beta2.MetricIdentifier{}.OpenAPIModelName(), v2beta2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -17774,7 +17896,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ResourceMetricSource(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "target specifies the target value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricTarget"),
+							Ref:         ref(v2beta2.MetricTarget{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17782,7 +17904,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ResourceMetricSource(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricTarget"},
+			v2beta2.MetricTarget{}.OpenAPIModelName()},
 	}
 }
 
@@ -17805,7 +17927,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ResourceMetricStatus(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "current contains the current value for the given metric",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v2beta2.MetricValueStatus"),
+							Ref:         ref(v2beta2.MetricValueStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -17813,7 +17935,7 @@ func schema_k8sio_api_autoscaling_v2beta2_ResourceMetricStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v2beta2.MetricValueStatus"},
+			v2beta2.MetricValueStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -17842,28 +17964,28 @@ func schema_k8sio_api_batch_v1_CronJob(ref common.ReferenceCallback) common.Open
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.CronJobSpec"),
+							Ref:         ref(batchv1.CronJobSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.CronJobStatus"),
+							Ref:         ref(batchv1.CronJobStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.CronJobSpec", "k8s.io/api/batch/v1.CronJobStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			batchv1.CronJobSpec{}.OpenAPIModelName(), batchv1.CronJobStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -17892,7 +18014,7 @@ func schema_k8sio_api_batch_v1_CronJobList(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -17903,7 +18025,7 @@ func schema_k8sio_api_batch_v1_CronJobList(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.CronJob"),
+										Ref:     ref(batchv1.CronJob{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -17914,7 +18036,7 @@ func schema_k8sio_api_batch_v1_CronJobList(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.CronJob", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			batchv1.CronJob{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -17966,7 +18088,7 @@ func schema_k8sio_api_batch_v1_CronJobSpec(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the job that will be created when executing a CronJob.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.JobTemplateSpec"),
+							Ref:         ref(batchv1.JobTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"successfulJobsHistoryLimit": {
@@ -17988,7 +18110,7 @@ func schema_k8sio_api_batch_v1_CronJobSpec(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.JobTemplateSpec"},
+			batchv1.JobTemplateSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -18012,7 +18134,7 @@ func schema_k8sio_api_batch_v1_CronJobStatus(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ObjectReference"),
+										Ref:     ref(corev1.ObjectReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18021,20 +18143,20 @@ func schema_k8sio_api_batch_v1_CronJobStatus(ref common.ReferenceCallback) commo
 					"lastScheduleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information when was the last time the job was successfully scheduled.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastSuccessfulTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information when was the last time the job successfully completed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.ObjectReference{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -18063,28 +18185,28 @@ func schema_k8sio_api_batch_v1_Job(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.JobSpec"),
+							Ref:         ref(batchv1.JobSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Current status of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.JobStatus"),
+							Ref:         ref(batchv1.JobStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.JobSpec", "k8s.io/api/batch/v1.JobStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			batchv1.JobSpec{}.OpenAPIModelName(), batchv1.JobStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -18114,13 +18236,13 @@ func schema_k8sio_api_batch_v1_JobCondition(ref common.ReferenceCallback) common
 					"lastProbeTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition was checked.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transit from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -18142,7 +18264,7 @@ func schema_k8sio_api_batch_v1_JobCondition(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -18171,7 +18293,7 @@ func schema_k8sio_api_batch_v1_JobList(ref common.ReferenceCallback) common.Open
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -18182,7 +18304,7 @@ func schema_k8sio_api_batch_v1_JobList(ref common.ReferenceCallback) common.Open
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.Job"),
+										Ref:     ref(batchv1.Job{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18193,7 +18315,7 @@ func schema_k8sio_api_batch_v1_JobList(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.Job", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			batchv1.Job{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -18228,13 +18350,13 @@ func schema_k8sio_api_batch_v1_JobSpec(ref common.ReferenceCallback) common.Open
 					"podFailurePolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the policy of handling failed pods. In particular, it allows to specify the set of actions and conditions which need to be satisfied to take the associated action. If empty, the default behaviour applies - the counter of failed pods, represented by the jobs's .status.failed field, is incremented and it is checked against the backoffLimit. This field cannot be used in combination with restartPolicy=OnFailure.",
-							Ref:         ref("k8s.io/api/batch/v1.PodFailurePolicy"),
+							Ref:         ref(batchv1.PodFailurePolicy{}.OpenAPIModelName()),
 						},
 					},
 					"successPolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "successPolicy specifies the policy when the Job can be declared as succeeded. If empty, the default behavior applies - the Job is declared as succeeded only when the number of succeeded pods equals to the completions. When the field is specified, it must be immutable and works only for the Indexed Jobs. Once the Job meets the SuccessPolicy, the lingering pods are terminated.",
-							Ref:         ref("k8s.io/api/batch/v1.SuccessPolicy"),
+							Ref:         ref(batchv1.SuccessPolicy{}.OpenAPIModelName()),
 						},
 					},
 					"backoffLimit": {
@@ -18261,7 +18383,7 @@ func schema_k8sio_api_batch_v1_JobSpec(ref common.ReferenceCallback) common.Open
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"manualSelector": {
@@ -18275,7 +18397,7 @@ func schema_k8sio_api_batch_v1_JobSpec(ref common.ReferenceCallback) common.Open
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes the pod that will be created when executing a job. The only allowed template.spec.restartPolicy values are \"Never\" or \"OnFailure\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"ttlSecondsAfterFinished": {
@@ -18310,7 +18432,7 @@ func schema_k8sio_api_batch_v1_JobSpec(ref common.ReferenceCallback) common.Open
 					},
 					"managedBy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.\n\nThis field is beta-level. The job controller accepts setting the field when the feature gate JobManagedBy is enabled (enabled by default).",
+							Description: "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
@@ -18320,7 +18442,7 @@ func schema_k8sio_api_batch_v1_JobSpec(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.PodFailurePolicy", "k8s.io/api/batch/v1.SuccessPolicy", "k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			batchv1.PodFailurePolicy{}.OpenAPIModelName(), batchv1.SuccessPolicy{}.OpenAPIModelName(), corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -18346,7 +18468,7 @@ func schema_k8sio_api_batch_v1_JobStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.JobCondition"),
+										Ref:     ref(batchv1.JobCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18355,13 +18477,13 @@ func schema_k8sio_api_batch_v1_JobStatus(ref common.ReferenceCallback) common.Op
 					"startTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. It is represented in RFC3339 form and is in UTC.\n\nOnce set, the field can only be removed when the job is suspended. The field cannot be modified while the job is unsuspended or finished.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"completionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. The completion time is set when the job finishes successfully, and only then. The value cannot be updated or removed. The value indicates the same or later point in time as the startTime field.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"active": {
@@ -18409,7 +18531,7 @@ func schema_k8sio_api_batch_v1_JobStatus(ref common.ReferenceCallback) common.Op
 					"uncountedTerminatedPods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:\n\n1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding\n    counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null. The structure is empty for finished jobs.",
-							Ref:         ref("k8s.io/api/batch/v1.UncountedTerminatedPods"),
+							Ref:         ref(batchv1.UncountedTerminatedPods{}.OpenAPIModelName()),
 						},
 					},
 					"ready": {
@@ -18423,7 +18545,7 @@ func schema_k8sio_api_batch_v1_JobStatus(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.JobCondition", "k8s.io/api/batch/v1.UncountedTerminatedPods", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			batchv1.JobCondition{}.OpenAPIModelName(), batchv1.UncountedTerminatedPods{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -18438,21 +18560,21 @@ func schema_k8sio_api_batch_v1_JobTemplateSpec(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.JobSpec"),
+							Ref:         ref(batchv1.JobSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.JobSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			batchv1.JobSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -18476,7 +18598,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicy(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.PodFailurePolicyRule"),
+										Ref:     ref(batchv1.PodFailurePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18487,7 +18609,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicy(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.PodFailurePolicyRule"},
+			batchv1.PodFailurePolicyRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -18565,7 +18687,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicyOnPodConditionsPattern(ref common
 						},
 					},
 				},
-				Required: []string{"type", "status"},
+				Required: []string{"type"},
 			},
 		},
 	}
@@ -18590,7 +18712,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicyRule(ref common.ReferenceCallback
 					"onExitCodes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Represents the requirement on the container exit codes.",
-							Ref:         ref("k8s.io/api/batch/v1.PodFailurePolicyOnExitCodesRequirement"),
+							Ref:         ref(batchv1.PodFailurePolicyOnExitCodesRequirement{}.OpenAPIModelName()),
 						},
 					},
 					"onPodConditions": {
@@ -18606,7 +18728,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicyRule(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.PodFailurePolicyOnPodConditionsPattern"),
+										Ref:     ref(batchv1.PodFailurePolicyOnPodConditionsPattern{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18617,7 +18739,7 @@ func schema_k8sio_api_batch_v1_PodFailurePolicyRule(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.PodFailurePolicyOnExitCodesRequirement", "k8s.io/api/batch/v1.PodFailurePolicyOnPodConditionsPattern"},
+			batchv1.PodFailurePolicyOnExitCodesRequirement{}.OpenAPIModelName(), batchv1.PodFailurePolicyOnPodConditionsPattern{}.OpenAPIModelName()},
 	}
 }
 
@@ -18641,7 +18763,7 @@ func schema_k8sio_api_batch_v1_SuccessPolicy(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1.SuccessPolicyRule"),
+										Ref:     ref(batchv1.SuccessPolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18652,7 +18774,7 @@ func schema_k8sio_api_batch_v1_SuccessPolicy(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.SuccessPolicyRule"},
+			batchv1.SuccessPolicyRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -18761,28 +18883,28 @@ func schema_k8sio_api_batch_v1beta1_CronJob(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1beta1.CronJobSpec"),
+							Ref:         ref(batchv1beta1.CronJobSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1beta1.CronJobStatus"),
+							Ref:         ref(batchv1beta1.CronJobStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1beta1.CronJobSpec", "k8s.io/api/batch/v1beta1.CronJobStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			batchv1beta1.CronJobSpec{}.OpenAPIModelName(), batchv1beta1.CronJobStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -18811,7 +18933,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobList(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -18822,7 +18944,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobList(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/batch/v1beta1.CronJob"),
+										Ref:     ref(batchv1beta1.CronJob{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18833,7 +18955,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1beta1.CronJob", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			batchv1beta1.CronJob{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -18884,7 +19006,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobSpec(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the job that will be created when executing a CronJob.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1beta1.JobTemplateSpec"),
+							Ref:         ref(batchv1beta1.JobTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"successfulJobsHistoryLimit": {
@@ -18906,7 +19028,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobSpec(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1beta1.JobTemplateSpec"},
+			batchv1beta1.JobTemplateSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -18930,7 +19052,7 @@ func schema_k8sio_api_batch_v1beta1_CronJobStatus(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ObjectReference"),
+										Ref:     ref(corev1.ObjectReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -18939,20 +19061,20 @@ func schema_k8sio_api_batch_v1beta1_CronJobStatus(ref common.ReferenceCallback)
 					"lastScheduleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information when was the last time the job was successfully scheduled.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastSuccessfulTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Information when was the last time the job successfully completed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.ObjectReference{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -18967,21 +19089,21 @@ func schema_k8sio_api_batch_v1beta1_JobTemplateSpec(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/batch/v1.JobSpec"),
+							Ref:         ref(batchv1.JobSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/batch/v1.JobSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			batchv1.JobSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19009,21 +19131,21 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequest(ref common.Refer
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1.CertificateSigningRequestSpec"),
+							Ref:         ref(certificatesv1.CertificateSigningRequestSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1.CertificateSigningRequestStatus"),
+							Ref:         ref(certificatesv1.CertificateSigningRequestStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -19031,7 +19153,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequest(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1.CertificateSigningRequestSpec", "k8s.io/api/certificates/v1.CertificateSigningRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			certificatesv1.CertificateSigningRequestSpec{}.OpenAPIModelName(), certificatesv1.CertificateSigningRequestStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19075,13 +19197,13 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestCondition(ref com
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastUpdateTime is the time of the last update to this condition",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -19089,7 +19211,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestCondition(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -19117,7 +19239,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref common.R
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -19128,7 +19250,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1.CertificateSigningRequest"),
+										Ref:     ref(certificatesv1.CertificateSigningRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -19139,7 +19261,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1.CertificateSigningRequest", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			certificatesv1.CertificateSigningRequest{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19151,11 +19273,6 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestSpec(ref common.R
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"request": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.",
 							Type:        []string{"string"},
@@ -19285,18 +19402,13 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1.CertificateSigningRequestCondition"),
+										Ref:     ref(certificatesv1.CertificateSigningRequestCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
 						},
 					},
 					"certificate": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificate must contain one or more PEM blocks.\n 2. All PEM blocks must have the \"CERTIFICATE\" label, contain no headers, and the encoded data\n  must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.\n 3. Non-PEM content may appear before or after the \"CERTIFICATE\" PEM blocks and is unvalidated,\n  to allow for explanatory text as described in section 5.2 of RFC7468.\n\nIf more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.\n\nThe certificate is encoded in PEM format.\n\nWhen serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:\n\n    base64(\n    -----BEGIN CERTIFICATE-----\n    ...\n    -----END CERTIFICATE-----\n    )",
 							Type:        []string{"string"},
@@ -19307,7 +19419,7 @@ func schema_k8sio_api_certificates_v1_CertificateSigningRequestStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1.CertificateSigningRequestCondition"},
+			certificatesv1.CertificateSigningRequestCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -19336,14 +19448,14 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata contains the object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the signer (if any) and trust anchors.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec"),
+							Ref:         ref(certificatesv1alpha1.ClusterTrustBundleSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -19351,7 +19463,7 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundle(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1alpha1.ClusterTrustBundleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			certificatesv1alpha1.ClusterTrustBundleSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19380,7 +19492,7 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata contains the list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -19391,7 +19503,7 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1alpha1.ClusterTrustBundle"),
+										Ref:     ref(certificatesv1alpha1.ClusterTrustBundle{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -19402,7 +19514,7 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleList(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1alpha1.ClusterTrustBundle", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			certificatesv1alpha1.ClusterTrustBundle{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19435,264 +19547,6 @@ func schema_k8sio_api_certificates_v1alpha1_ClusterTrustBundleSpec(ref common.Re
 	}
 }
 
-func schema_k8sio_api_certificates_v1alpha1_PodCertificateRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Description: "metadata contains the object metadata.",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
-						},
-					},
-					"spec": {
-						SchemaProps: spec.SchemaProps{
-							Description: "spec contains the details about the certificate being requested.",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1alpha1.PodCertificateRequestSpec"),
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "status contains the issued certificate, and a standard set of conditions.",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1alpha1.PodCertificateRequestStatus"),
-						},
-					},
-				},
-				Required: []string{"spec"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/api/certificates/v1alpha1.PodCertificateRequestSpec", "k8s.io/api/certificates/v1alpha1.PodCertificateRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
-	}
-}
-
-func schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestList(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "PodCertificateRequestList is a collection of PodCertificateRequest objects",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"apiVersion": {
-						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Description: "metadata contains the list metadata.",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
-						},
-					},
-					"items": {
-						SchemaProps: spec.SchemaProps{
-							Description: "items is a collection of PodCertificateRequest objects",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1alpha1.PodCertificateRequest"),
-									},
-								},
-							},
-						},
-					},
-				},
-				Required: []string{"items"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/api/certificates/v1alpha1.PodCertificateRequest", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
-	}
-}
-
-func schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"signerName": {
-						SchemaProps: spec.SchemaProps{
-							Description: "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"podName": {
-						SchemaProps: spec.SchemaProps{
-							Description: "podName is the name of the pod into which the certificate will be mounted.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"podUID": {
-						SchemaProps: spec.SchemaProps{
-							Description: "podUID is the UID of the pod into which the certificate will be mounted.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"serviceAccountName": {
-						SchemaProps: spec.SchemaProps{
-							Description: "serviceAccountName is the name of the service account the pod is running as.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"serviceAccountUID": {
-						SchemaProps: spec.SchemaProps{
-							Description: "serviceAccountUID is the UID of the service account the pod is running as.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"nodeName": {
-						SchemaProps: spec.SchemaProps{
-							Description: "nodeName is the name of the node the pod is assigned to.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"nodeUID": {
-						SchemaProps: spec.SchemaProps{
-							Description: "nodeUID is the UID of the node the pod is assigned to.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"maxExpirationSeconds": {
-						SchemaProps: spec.SchemaProps{
-							Description: "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
-							Default:     86400,
-							Type:        []string{"integer"},
-							Format:      "int32",
-						},
-					},
-					"pkixPublicKey": {
-						SchemaProps: spec.SchemaProps{
-							Description: "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
-							Type:        []string{"string"},
-							Format:      "byte",
-						},
-					},
-					"proofOfPossession": {
-						SchemaProps: spec.SchemaProps{
-							Description: "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
-							Type:        []string{"string"},
-							Format:      "byte",
-						},
-					},
-				},
-				Required: []string{"signerName", "podName", "podUID", "serviceAccountName", "serviceAccountUID", "nodeName", "nodeUID", "pkixPublicKey", "proofOfPossession"},
-			},
-		},
-	}
-}
-
-func schema_k8sio_api_certificates_v1alpha1_PodCertificateRequestStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"conditions": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-map-keys": []interface{}{
-									"type",
-								},
-								"x-kubernetes-list-type":       "map",
-								"x-kubernetes-patch-merge-key": "type",
-								"x-kubernetes-patch-strategy":  "merge",
-							},
-						},
-						SchemaProps: spec.SchemaProps{
-							Description: "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
-									},
-								},
-							},
-						},
-					},
-					"certificateChain": {
-						SchemaProps: spec.SchemaProps{
-							Description: "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"notBefore": {
-						SchemaProps: spec.SchemaProps{
-							Description: "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"beginRefreshAt": {
-						SchemaProps: spec.SchemaProps{
-							Description: "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"notAfter": {
-						SchemaProps: spec.SchemaProps{
-							Description: "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-				},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
-	}
-}
-
 func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -19717,21 +19571,21 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref common.
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1beta1.CertificateSigningRequestSpec"),
+							Ref:         ref(certificatesv1beta1.CertificateSigningRequestSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Derived information about the request.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1beta1.CertificateSigningRequestStatus"),
+							Ref:         ref(certificatesv1beta1.CertificateSigningRequestStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -19739,7 +19593,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequest(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1beta1.CertificateSigningRequestSpec", "k8s.io/api/certificates/v1beta1.CertificateSigningRequestStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			certificatesv1beta1.CertificateSigningRequestSpec{}.OpenAPIModelName(), certificatesv1beta1.CertificateSigningRequestStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19782,13 +19636,13 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(re
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "timestamp for the last update to this condition",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -19796,7 +19650,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestCondition(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -19823,7 +19677,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref com
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -19833,7 +19687,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1beta1.CertificateSigningRequest"),
+										Ref:     ref(certificatesv1beta1.CertificateSigningRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -19844,7 +19698,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestList(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1beta1.CertificateSigningRequest", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			certificatesv1beta1.CertificateSigningRequest{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -19856,11 +19710,6 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestSpec(ref com
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"request": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Base64-encoded PKCS#10 CSR data",
 							Type:        []string{"string"},
@@ -19987,18 +19836,13 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestStatus(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1beta1.CertificateSigningRequestCondition"),
+										Ref:     ref(certificatesv1beta1.CertificateSigningRequestCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
 						},
 					},
 					"certificate": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "If request was approved, the controller will place the issued certificate here.",
 							Type:        []string{"string"},
@@ -20009,7 +19853,7 @@ func schema_k8sio_api_certificates_v1beta1_CertificateSigningRequestStatus(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1beta1.CertificateSigningRequestCondition"},
+			certificatesv1beta1.CertificateSigningRequestCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -20038,14 +19882,14 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundle(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata contains the object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the signer (if any) and trust anchors.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/certificates/v1beta1.ClusterTrustBundleSpec"),
+							Ref:         ref(certificatesv1beta1.ClusterTrustBundleSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -20053,7 +19897,7 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundle(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1beta1.ClusterTrustBundleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			certificatesv1beta1.ClusterTrustBundleSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -20082,7 +19926,7 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleList(ref common.Ref
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata contains the list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -20093,7 +19937,7 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleList(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/certificates/v1beta1.ClusterTrustBundle"),
+										Ref:     ref(certificatesv1beta1.ClusterTrustBundle{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20104,7 +19948,7 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleList(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/certificates/v1beta1.ClusterTrustBundle", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			certificatesv1beta1.ClusterTrustBundle{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -20137,11 +19981,11 @@ func schema_k8sio_api_certificates_v1beta1_ClusterTrustBundleSpec(ref common.Ref
 	}
 }
 
-func schema_k8sio_api_coordination_v1_Lease(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_certificates_v1beta1_PodCertificateRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "Lease defines a lease concept.",
+				Description: "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -20160,31 +20004,39 @@ func schema_k8sio_api_coordination_v1_Lease(ref common.ReferenceCallback) common
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
-							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Description: "metadata contains the object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+							Description: "spec contains the details about the certificate being requested.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/coordination/v1.LeaseSpec"),
+							Ref:         ref(certificatesv1beta1.PodCertificateRequestSpec{}.OpenAPIModelName()),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "status contains the issued certificate, and a standard set of conditions.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(certificatesv1beta1.PodCertificateRequestStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
+				Required: []string{"spec"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1.LeaseSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			certificatesv1beta1.PodCertificateRequestSpec{}.OpenAPIModelName(), certificatesv1beta1.PodCertificateRequestStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1_LeaseList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_certificates_v1beta1_PodCertificateRequestList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "LeaseList is a list of Lease objects.",
+				Description: "PodCertificateRequestList is a collection of PodCertificateRequest objects",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -20203,20 +20055,20 @@ func schema_k8sio_api_coordination_v1_LeaseList(ref common.ReferenceCallback) co
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Description: "metadata contains the list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Description: "items is a list of schema objects.",
+							Description: "items is a collection of PodCertificateRequest objects",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/coordination/v1.Lease"),
+										Ref:     ref(certificatesv1beta1.PodCertificateRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20227,77 +20079,187 @@ func schema_k8sio_api_coordination_v1_LeaseList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1.Lease", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			certificatesv1beta1.PodCertificateRequest{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1_LeaseSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_certificates_v1beta1_PodCertificateRequestSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "LeaseSpec is a specification of a Lease.",
+				Description: "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
-					"holderIdentity": {
+					"signerName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "holderIdentity contains the identity of the holder of a current lease. If Coordinated Leader Election is used, the holder identity must be equal to the elected LeaseCandidate.metadata.name field.",
+							Description: "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
+							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"leaseDurationSeconds": {
+					"podName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measured against the time of last observed renewTime.",
-							Type:        []string{"integer"},
-							Format:      "int32",
+							Description: "podName is the name of the pod into which the certificate will be mounted.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
 						},
 					},
-					"acquireTime": {
+					"podUID": {
 						SchemaProps: spec.SchemaProps{
-							Description: "acquireTime is a time when the current lease was acquired.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Description: "podUID is the UID of the pod into which the certificate will be mounted.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
 						},
 					},
-					"renewTime": {
+					"serviceAccountName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "renewTime is a time when the current holder of a lease has last updated the lease.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Description: "serviceAccountName is the name of the service account the pod is running as.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
 						},
 					},
-					"leaseTransitions": {
+					"serviceAccountUID": {
 						SchemaProps: spec.SchemaProps{
-							Description: "leaseTransitions is the number of transitions of a lease between holders.",
+							Description: "serviceAccountUID is the UID of the service account the pod is running as.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"nodeName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "nodeName is the name of the node the pod is assigned to.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"nodeUID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "nodeUID is the UID of the node the pod is assigned to.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"maxExpirationSeconds": {
+						SchemaProps: spec.SchemaProps{
+							Description: "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
+							Default:     86400,
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
 					},
-					"strategy": {
+					"pkixPublicKey": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Strategy indicates the strategy for picking the leader for coordinated leader election. If the field is not specified, there is no active coordination for this lease. (Alpha) Using this field requires the CoordinatedLeaderElection feature gate to be enabled.",
+							Description: "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
 							Type:        []string{"string"},
-							Format:      "",
+							Format:      "byte",
 						},
 					},
-					"preferredHolder": {
+					"proofOfPossession": {
 						SchemaProps: spec.SchemaProps{
-							Description: "PreferredHolder signals to a lease holder that the lease has a more optimal holder and should be given up. This field can only be set if Strategy is also set.",
+							Description: "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
+							Type:        []string{"string"},
+							Format:      "byte",
+						},
+					},
+					"unverifiedUserAnnotations": {
+						SchemaProps: spec.SchemaProps{
+							Description: "unverifiedUserAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support.  Signers should deny requests that contain keys they do not recognize.",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"signerName", "podName", "podUID", "serviceAccountName", "serviceAccountUID", "nodeName", "nodeUID", "pkixPublicKey", "proofOfPossession"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_api_certificates_v1beta1_PodCertificateRequestStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"certificateChain": {
+						SchemaProps: spec.SchemaProps{
+							Description: "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
+					"notBefore": {
+						SchemaProps: spec.SchemaProps{
+							Description: "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain.",
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
+						},
+					},
+					"beginRefreshAt": {
+						SchemaProps: spec.SchemaProps{
+							Description: "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary.",
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
+						},
+					},
+					"notAfter": {
+						SchemaProps: spec.SchemaProps{
+							Description: "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain.",
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.Condition{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1alpha2_LeaseCandidate(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1_Lease(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated leader election will pick the best leader from the list of candidates.",
+				Description: "Lease defines a lease concept.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -20318,29 +20280,29 @@ func schema_k8sio_api_coordination_v1alpha2_LeaseCandidate(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/coordination/v1alpha2.LeaseCandidateSpec"),
+							Ref:         ref(coordinationv1.LeaseSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1alpha2.LeaseCandidateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			coordinationv1.LeaseSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1_LeaseList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "LeaseCandidateList is a list of Lease objects.",
+				Description: "LeaseList is a list of Lease objects.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -20361,7 +20323,7 @@ func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -20372,7 +20334,7 @@ func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/coordination/v1alpha2.LeaseCandidate"),
+										Ref:     ref(coordinationv1.Lease{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20383,112 +20345,73 @@ func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1alpha2.LeaseCandidate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			coordinationv1.Lease{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1_LeaseSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "LeaseCandidateSpec is a specification of a Lease.",
+				Description: "LeaseSpec is a specification of a Lease.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
-					"leaseName": {
+					"holderIdentity": {
 						SchemaProps: spec.SchemaProps{
-							Description: "LeaseName is the name of the lease for which this candidate is contending. This field is immutable.",
-							Default:     "",
+							Description: "holderIdentity contains the identity of the holder of a current lease. If Coordinated Leader Election is used, the holder identity must be equal to the elected LeaseCandidate.metadata.name field.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"pingTime": {
+					"leaseDurationSeconds": {
 						SchemaProps: spec.SchemaProps{
-							Description: "PingTime is the last time that the server has requested the LeaseCandidate to renew. It is only done during leader election to check if any LeaseCandidates have become ineligible. When PingTime is updated, the LeaseCandidate will respond by updating RenewTime.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Description: "leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measured against the time of last observed renewTime.",
+							Type:        []string{"integer"},
+							Format:      "int32",
 						},
 					},
-					"renewTime": {
+					"acquireTime": {
 						SchemaProps: spec.SchemaProps{
-							Description: "RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours since the last renew. The PingTime field is updated regularly to prevent garbage collection for still active LeaseCandidates.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Description: "acquireTime is a time when the current lease was acquired.",
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
-					"binaryVersion": {
+					"renewTime": {
 						SchemaProps: spec.SchemaProps{
-							Description: "BinaryVersion is the binary version. It must be in a semver format without leading `v`. This field is required.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "renewTime is a time when the current holder of a lease has last updated the lease.",
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
-					"emulationVersion": {
+					"leaseTransitions": {
 						SchemaProps: spec.SchemaProps{
-							Description: "EmulationVersion is the emulation version. It must be in a semver format without leading `v`. EmulationVersion must be less than or equal to BinaryVersion. This field is required when strategy is \"OldestEmulationVersion\"",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "leaseTransitions is the number of transitions of a lease between holders.",
+							Type:        []string{"integer"},
+							Format:      "int32",
 						},
 					},
 					"strategy": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Strategy is the strategy that coordinated leader election will use for picking the leader. If multiple candidates for the same Lease return different strategies, the strategy provided by the candidate with the latest BinaryVersion will be used. If there is still conflict, this is a user error and coordinated leader election will not operate the Lease until resolved.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-				Required: []string{"leaseName", "binaryVersion", "strategy"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
-	}
-}
-
-func schema_k8sio_api_coordination_v1beta1_Lease(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Lease defines a lease concept.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"kind": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Description: "Strategy indicates the strategy for picking the leader for coordinated leader election. If the field is not specified, there is no active coordination for this lease. (Alpha) Using this field requires the CoordinatedLeaderElection feature gate to be enabled.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"apiVersion": {
+					"preferredHolder": {
 						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Description: "PreferredHolder signals to a lease holder that the lease has a more optimal holder and should be given up. This field can only be set if Strategy is also set.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"metadata": {
-						SchemaProps: spec.SchemaProps{
-							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
-						},
-					},
-					"spec": {
-						SchemaProps: spec.SchemaProps{
-							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/coordination/v1beta1.LeaseSpec"),
-						},
-					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1beta1.LeaseSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1beta1_LeaseCandidate(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1alpha2_LeaseCandidate(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -20513,25 +20436,25 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidate(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/coordination/v1beta1.LeaseCandidateSpec"),
+							Ref:         ref(v1alpha2.LeaseCandidateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1beta1.LeaseCandidateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha2.LeaseCandidateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -20556,7 +20479,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -20567,7 +20490,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/coordination/v1beta1.LeaseCandidate"),
+										Ref:     ref(v1alpha2.LeaseCandidate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20578,11 +20501,11 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1beta1.LeaseCandidate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha2.LeaseCandidate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_coordination_v1alpha2_LeaseCandidateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -20591,7 +20514,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref common.Referen
 				Properties: map[string]spec.Schema{
 					"leaseName": {
 						SchemaProps: spec.SchemaProps{
-							Description: "LeaseName is the name of the lease for which this candidate is contending. The limits on this field are the same as on Lease.name. Multiple lease candidates may reference the same Lease.name. This field is immutable.",
+							Description: "LeaseName is the name of the lease for which this candidate is contending. This field is immutable.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -20600,13 +20523,13 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref common.Referen
 					"pingTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PingTime is the last time that the server has requested the LeaseCandidate to renew. It is only done during leader election to check if any LeaseCandidates have become ineligible. When PingTime is updated, the LeaseCandidate will respond by updating RenewTime.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"renewTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours since the last renew. The PingTime field is updated regularly to prevent garbage collection for still active LeaseCandidates.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"binaryVersion": {
@@ -20636,7 +20559,202 @@ func schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.MicroTime{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_coordination_v1beta1_Lease(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Lease defines a lease concept.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+							Default:     map[string]interface{}{},
+							Ref:         ref(coordinationv1beta1.LeaseSpec{}.OpenAPIModelName()),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			coordinationv1beta1.LeaseSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_coordination_v1beta1_LeaseCandidate(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated leader election will pick the best leader from the list of candidates.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
+							Default:     map[string]interface{}{},
+							Ref:         ref(coordinationv1beta1.LeaseCandidateSpec{}.OpenAPIModelName()),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			coordinationv1beta1.LeaseCandidateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_coordination_v1beta1_LeaseCandidateList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "LeaseCandidateList is a list of Lease objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Description: "items is a list of schema objects.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(coordinationv1beta1.LeaseCandidate{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			coordinationv1beta1.LeaseCandidate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_coordination_v1beta1_LeaseCandidateSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "LeaseCandidateSpec is a specification of a Lease.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"leaseName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LeaseName is the name of the lease for which this candidate is contending. The limits on this field are the same as on Lease.name. Multiple lease candidates may reference the same Lease.name. This field is immutable.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"pingTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PingTime is the last time that the server has requested the LeaseCandidate to renew. It is only done during leader election to check if any LeaseCandidates have become ineligible. When PingTime is updated, the LeaseCandidate will respond by updating RenewTime.",
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
+						},
+					},
+					"renewTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours since the last renew. The PingTime field is updated regularly to prevent garbage collection for still active LeaseCandidates.",
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
+						},
+					},
+					"binaryVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "BinaryVersion is the binary version. It must be in a semver format without leading `v`. This field is required.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"emulationVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "EmulationVersion is the emulation version. It must be in a semver format without leading `v`. EmulationVersion must be less than or equal to BinaryVersion. This field is required when strategy is \"OldestEmulationVersion\"",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"strategy": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Strategy is the strategy that coordinated leader election will use for picking the leader. If multiple candidates for the same Lease return different strategies, the strategy provided by the candidate with the latest BinaryVersion will be used. If there is still conflict, this is a user error and coordinated leader election will not operate the Lease until resolved.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"leaseName", "binaryVersion", "strategy"},
+			},
+		},
+		Dependencies: []string{
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
@@ -20665,7 +20783,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -20676,7 +20794,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/coordination/v1beta1.Lease"),
+										Ref:     ref(coordinationv1beta1.Lease{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20687,7 +20805,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/coordination/v1beta1.Lease", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			coordinationv1beta1.Lease{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -20715,13 +20833,13 @@ func schema_k8sio_api_coordination_v1beta1_LeaseSpec(ref common.ReferenceCallbac
 					"acquireTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "acquireTime is a time when the current lease was acquired.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"renewTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "renewTime is a time when the current holder of a lease has last updated the lease.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"leaseTransitions": {
@@ -20749,7 +20867,7 @@ func schema_k8sio_api_coordination_v1beta1_LeaseSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
@@ -20806,26 +20924,26 @@ func schema_k8sio_api_core_v1_Affinity(ref common.ReferenceCallback) common.Open
 					"nodeAffinity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes node affinity scheduling rules for the pod.",
-							Ref:         ref("k8s.io/api/core/v1.NodeAffinity"),
+							Ref:         ref(corev1.NodeAffinity{}.OpenAPIModelName()),
 						},
 					},
 					"podAffinity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).",
-							Ref:         ref("k8s.io/api/core/v1.PodAffinity"),
+							Ref:         ref(corev1.PodAffinity{}.OpenAPIModelName()),
 						},
 					},
 					"podAntiAffinity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).",
-							Ref:         ref("k8s.io/api/core/v1.PodAntiAffinity"),
+							Ref:         ref(corev1.PodAntiAffinity{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeAffinity", "k8s.io/api/core/v1.PodAffinity", "k8s.io/api/core/v1.PodAntiAffinity"},
+			corev1.NodeAffinity{}.OpenAPIModelName(), corev1.PodAffinity{}.OpenAPIModelName(), corev1.PodAntiAffinity{}.OpenAPIModelName()},
 	}
 }
 
@@ -20921,7 +21039,7 @@ func schema_k8sio_api_core_v1_AvoidPods(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PreferAvoidPodsEntry"),
+										Ref:     ref(corev1.PreferAvoidPodsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -20931,7 +21049,7 @@ func schema_k8sio_api_core_v1_AvoidPods(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PreferAvoidPodsEntry"},
+			corev1.PreferAvoidPodsEntry{}.OpenAPIModelName()},
 	}
 }
 
@@ -20961,7 +21079,7 @@ func schema_k8sio_api_core_v1_AzureDiskVolumeSource(ref common.ReferenceCallback
 					"cachingMode": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cachingMode is the Host Caching mode: None, Read Only, Read Write.\n\nPossible enum values:\n - `\"None\"`\n - `\"ReadOnly\"`\n - `\"ReadWrite\"`",
-							Default:     v1.AzureDataDiskCachingReadWrite,
+							Default:     corev1.AzureDataDiskCachingReadWrite,
 							Type:        []string{"string"},
 							Format:      "",
 							Enum:        []interface{}{"None", "ReadOnly", "ReadWrite"},
@@ -20986,7 +21104,7 @@ func schema_k8sio_api_core_v1_AzureDiskVolumeSource(ref common.ReferenceCallback
 					"kind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared\n\nPossible enum values:\n - `\"Dedicated\"`\n - `\"Managed\"`\n - `\"Shared\"`",
-							Default:     v1.AzureSharedBlobDisk,
+							Default:     corev1.AzureSharedBlobDisk,
 							Type:        []string{"string"},
 							Format:      "",
 							Enum:        []interface{}{"Dedicated", "Managed", "Shared"},
@@ -21105,14 +21223,14 @@ func schema_k8sio_api_core_v1_Binding(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"target": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The target object that you want to bind to the standard object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -21120,7 +21238,7 @@ func schema_k8sio_api_core_v1_Binding(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.ObjectReference{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -21180,31 +21298,31 @@ func schema_k8sio_api_core_v1_CSIPersistentVolumeSource(ref common.ReferenceCall
 					"controllerPublishSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "controllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"nodeStageSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"nodePublishSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"controllerExpandSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"nodeExpandSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -21212,7 +21330,7 @@ func schema_k8sio_api_core_v1_CSIPersistentVolumeSource(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21264,7 +21382,7 @@ func schema_k8sio_api_core_v1_CSIVolumeSource(ref common.ReferenceCallback) comm
 					"nodePublishSecretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and  may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -21272,7 +21390,7 @@ func schema_k8sio_api_core_v1_CSIVolumeSource(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21380,7 +21498,7 @@ func schema_k8sio_api_core_v1_CephFSPersistentVolumeSource(ref common.ReferenceC
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -21395,7 +21513,7 @@ func schema_k8sio_api_core_v1_CephFSPersistentVolumeSource(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21450,7 +21568,7 @@ func schema_k8sio_api_core_v1_CephFSVolumeSource(ref common.ReferenceCallback) c
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -21465,7 +21583,7 @@ func schema_k8sio_api_core_v1_CephFSVolumeSource(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21501,7 +21619,7 @@ func schema_k8sio_api_core_v1_CinderPersistentVolumeSource(ref common.ReferenceC
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is Optional: points to a secret object containing parameters used to connect to OpenStack.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -21509,7 +21627,7 @@ func schema_k8sio_api_core_v1_CinderPersistentVolumeSource(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21545,7 +21663,7 @@ func schema_k8sio_api_core_v1_CinderVolumeSource(ref common.ReferenceCallback) c
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -21553,7 +21671,7 @@ func schema_k8sio_api_core_v1_CinderVolumeSource(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -21601,7 +21719,7 @@ func schema_k8sio_api_core_v1_ClusterTrustBundleProjection(ref common.ReferenceC
 					"labelSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Select all ClusterTrustBundles that match this label selector.  Only has effect if signerName is set.  Mutually-exclusive with name.  If unset, interpreted as \"match nothing\".  If set but empty, interpreted as \"match everything\".",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"optional": {
@@ -21624,7 +21742,7 @@ func schema_k8sio_api_core_v1_ClusterTrustBundleProjection(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -21697,7 +21815,7 @@ func schema_k8sio_api_core_v1_ComponentStatus(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"conditions": {
@@ -21718,7 +21836,7 @@ func schema_k8sio_api_core_v1_ComponentStatus(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ComponentCondition"),
+										Ref:     ref(corev1.ComponentCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -21728,7 +21846,7 @@ func schema_k8sio_api_core_v1_ComponentStatus(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ComponentCondition", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.ComponentCondition{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -21757,7 +21875,7 @@ func schema_k8sio_api_core_v1_ComponentStatusList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -21768,7 +21886,7 @@ func schema_k8sio_api_core_v1_ComponentStatusList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ComponentStatus"),
+										Ref:     ref(corev1.ComponentStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -21779,7 +21897,7 @@ func schema_k8sio_api_core_v1_ComponentStatusList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ComponentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.ComponentStatus{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -21808,7 +21926,7 @@ func schema_k8sio_api_core_v1_ConfigMap(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"immutable": {
@@ -21853,7 +21971,7 @@ func schema_k8sio_api_core_v1_ConfigMap(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -21952,7 +22070,7 @@ func schema_k8sio_api_core_v1_ConfigMapList(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -21963,7 +22081,7 @@ func schema_k8sio_api_core_v1_ConfigMapList(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ConfigMap"),
+										Ref:     ref(corev1.ConfigMap{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -21974,7 +22092,7 @@ func schema_k8sio_api_core_v1_ConfigMapList(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ConfigMap", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.ConfigMap{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -22058,7 +22176,7 @@ func schema_k8sio_api_core_v1_ConfigMapProjection(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.KeyToPath"),
+										Ref:     ref(corev1.KeyToPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22075,7 +22193,7 @@ func schema_k8sio_api_core_v1_ConfigMapProjection(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.KeyToPath"},
+			corev1.KeyToPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -22107,7 +22225,7 @@ func schema_k8sio_api_core_v1_ConfigMapVolumeSource(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.KeyToPath"),
+										Ref:     ref(corev1.KeyToPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22131,7 +22249,7 @@ func schema_k8sio_api_core_v1_ConfigMapVolumeSource(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.KeyToPath"},
+			corev1.KeyToPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -22223,7 +22341,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerPort"),
+										Ref:     ref(corev1.ContainerPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22242,7 +22360,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvFromSource"),
+										Ref:     ref(corev1.EnvFromSource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22266,7 +22384,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvVar"),
+										Ref:     ref(corev1.EnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22276,7 +22394,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ResourceRequirements"),
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"resizePolicy": {
@@ -22286,13 +22404,13 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Resources resize policy for the container.",
+							Description: "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerResizePolicy"),
+										Ref:     ref(corev1.ContainerResizePolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22318,7 +22436,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerRestartRule"),
+										Ref:     ref(corev1.ContainerRestartRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22342,7 +22460,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeMount"),
+										Ref:     ref(corev1.VolumeMount{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22366,7 +22484,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeDevice"),
+										Ref:     ref(corev1.VolumeDevice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22375,25 +22493,25 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 					"livenessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"readinessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"startupProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"lifecycle": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Actions that the management system should take in response to container lifecycle events. Cannot be updated.",
-							Ref:         ref("k8s.io/api/core/v1.Lifecycle"),
+							Ref:         ref(corev1.Lifecycle{}.OpenAPIModelName()),
 						},
 					},
 					"terminationMessagePath": {
@@ -22422,7 +22540,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 					"securityContext": {
 						SchemaProps: spec.SchemaProps{
 							Description: "SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
-							Ref:         ref("k8s.io/api/core/v1.SecurityContext"),
+							Ref:         ref(corev1.SecurityContext{}.OpenAPIModelName()),
 						},
 					},
 					"stdin": {
@@ -22451,7 +22569,7 @@ func schema_k8sio_api_core_v1_Container(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerPort", "k8s.io/api/core/v1.ContainerResizePolicy", "k8s.io/api/core/v1.ContainerRestartRule", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.Lifecycle", "k8s.io/api/core/v1.Probe", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount"},
+			corev1.ContainerPort{}.OpenAPIModelName(), corev1.ContainerResizePolicy{}.OpenAPIModelName(), corev1.ContainerRestartRule{}.OpenAPIModelName(), corev1.EnvFromSource{}.OpenAPIModelName(), corev1.EnvVar{}.OpenAPIModelName(), corev1.Lifecycle{}.OpenAPIModelName(), corev1.Probe{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), corev1.SecurityContext{}.OpenAPIModelName(), corev1.VolumeDevice{}.OpenAPIModelName(), corev1.VolumeMount{}.OpenAPIModelName()},
 	}
 }
 
@@ -22632,7 +22750,7 @@ func schema_k8sio_api_core_v1_ContainerRestartRule(ref common.ReferenceCallback)
 					"exitCodes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Represents the exit codes to check on container exits.",
-							Ref:         ref("k8s.io/api/core/v1.ContainerRestartRuleOnExitCodes"),
+							Ref:         ref(corev1.ContainerRestartRuleOnExitCodes{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -22640,7 +22758,7 @@ func schema_k8sio_api_core_v1_ContainerRestartRule(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerRestartRuleOnExitCodes"},
+			corev1.ContainerRestartRuleOnExitCodes{}.OpenAPIModelName()},
 	}
 }
 
@@ -22695,26 +22813,26 @@ func schema_k8sio_api_core_v1_ContainerState(ref common.ReferenceCallback) commo
 					"waiting": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Details about a waiting container",
-							Ref:         ref("k8s.io/api/core/v1.ContainerStateWaiting"),
+							Ref:         ref(corev1.ContainerStateWaiting{}.OpenAPIModelName()),
 						},
 					},
 					"running": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Details about a running container",
-							Ref:         ref("k8s.io/api/core/v1.ContainerStateRunning"),
+							Ref:         ref(corev1.ContainerStateRunning{}.OpenAPIModelName()),
 						},
 					},
 					"terminated": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Details about a terminated container",
-							Ref:         ref("k8s.io/api/core/v1.ContainerStateTerminated"),
+							Ref:         ref(corev1.ContainerStateTerminated{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerStateRunning", "k8s.io/api/core/v1.ContainerStateTerminated", "k8s.io/api/core/v1.ContainerStateWaiting"},
+			corev1.ContainerStateRunning{}.OpenAPIModelName(), corev1.ContainerStateTerminated{}.OpenAPIModelName(), corev1.ContainerStateWaiting{}.OpenAPIModelName()},
 	}
 }
 
@@ -22728,14 +22846,14 @@ func schema_k8sio_api_core_v1_ContainerStateRunning(ref common.ReferenceCallback
 					"startedAt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time at which the container was last (re-)started",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -22778,13 +22896,13 @@ func schema_k8sio_api_core_v1_ContainerStateTerminated(ref common.ReferenceCallb
 					"startedAt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time at which previous execution of the container started",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"finishedAt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time at which the container last terminated",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"containerID": {
@@ -22799,7 +22917,7 @@ func schema_k8sio_api_core_v1_ContainerStateTerminated(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -22849,14 +22967,14 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "State holds details about the container's current condition.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ContainerState"),
+							Ref:         ref(corev1.ContainerState{}.OpenAPIModelName()),
 						},
 					},
 					"lastState": {
 						SchemaProps: spec.SchemaProps{
 							Description: "LastTerminationState holds the last termination state of the container to help debug container crashes and restarts. This field is not populated if the container is still running and RestartCount is 0.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ContainerState"),
+							Ref:         ref(corev1.ContainerState{}.OpenAPIModelName()),
 						},
 					},
 					"ready": {
@@ -22913,7 +23031,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22922,7 +23040,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 					"resources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Resources represents the compute resource requests and limits that have been successfully enacted on the running container after it has been started or has been successfully resized.",
-							Ref:         ref("k8s.io/api/core/v1.ResourceRequirements"),
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"volumeMounts": {
@@ -22943,7 +23061,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeMountStatus"),
+										Ref:     ref(corev1.VolumeMountStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22952,7 +23070,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 					"user": {
 						SchemaProps: spec.SchemaProps{
 							Description: "User represents user identity information initially attached to the first process of the container",
-							Ref:         ref("k8s.io/api/core/v1.ContainerUser"),
+							Ref:         ref(corev1.ContainerUser{}.OpenAPIModelName()),
 						},
 					},
 					"allocatedResourcesStatus": {
@@ -22973,7 +23091,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ResourceStatus"),
+										Ref:     ref(corev1.ResourceStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -22992,7 +23110,7 @@ func schema_k8sio_api_core_v1_ContainerStatus(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerState", "k8s.io/api/core/v1.ContainerUser", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.ResourceStatus", "k8s.io/api/core/v1.VolumeMountStatus", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.ContainerState{}.OpenAPIModelName(), corev1.ContainerUser{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), corev1.ResourceStatus{}.OpenAPIModelName(), corev1.VolumeMountStatus{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -23006,14 +23124,14 @@ func schema_k8sio_api_core_v1_ContainerUser(ref common.ReferenceCallback) common
 					"linux": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Linux holds user identity information initially attached to the first process of the containers in Linux. Note that the actual running identity can be changed if the process has enough privilege to do so.",
-							Ref:         ref("k8s.io/api/core/v1.LinuxContainerUser"),
+							Ref:         ref(corev1.LinuxContainerUser{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LinuxContainerUser"},
+			corev1.LinuxContainerUser{}.OpenAPIModelName()},
 	}
 }
 
@@ -23059,7 +23177,7 @@ func schema_k8sio_api_core_v1_DownwardAPIProjection(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.DownwardAPIVolumeFile"),
+										Ref:     ref(corev1.DownwardAPIVolumeFile{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23069,7 +23187,7 @@ func schema_k8sio_api_core_v1_DownwardAPIProjection(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.DownwardAPIVolumeFile"},
+			corev1.DownwardAPIVolumeFile{}.OpenAPIModelName()},
 	}
 }
 
@@ -23091,13 +23209,13 @@ func schema_k8sio_api_core_v1_DownwardAPIVolumeFile(ref common.ReferenceCallback
 					"fieldRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectFieldSelector"),
+							Ref:         ref(corev1.ObjectFieldSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resourceFieldRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.",
-							Ref:         ref("k8s.io/api/core/v1.ResourceFieldSelector"),
+							Ref:         ref(corev1.ResourceFieldSelector{}.OpenAPIModelName()),
 						},
 					},
 					"mode": {
@@ -23112,7 +23230,7 @@ func schema_k8sio_api_core_v1_DownwardAPIVolumeFile(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectFieldSelector", "k8s.io/api/core/v1.ResourceFieldSelector"},
+			corev1.ObjectFieldSelector{}.OpenAPIModelName(), corev1.ResourceFieldSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -23136,7 +23254,7 @@ func schema_k8sio_api_core_v1_DownwardAPIVolumeSource(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.DownwardAPIVolumeFile"),
+										Ref:     ref(corev1.DownwardAPIVolumeFile{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23153,7 +23271,7 @@ func schema_k8sio_api_core_v1_DownwardAPIVolumeSource(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.DownwardAPIVolumeFile"},
+			corev1.DownwardAPIVolumeFile{}.OpenAPIModelName()},
 	}
 }
 
@@ -23174,14 +23292,14 @@ func schema_k8sio_api_core_v1_EmptyDirVolumeSource(ref common.ReferenceCallback)
 					"sizeLimit": {
 						SchemaProps: spec.SchemaProps{
 							Description: "sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -23217,7 +23335,7 @@ func schema_k8sio_api_core_v1_EndpointAddress(ref common.ReferenceCallback) comm
 					"targetRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Reference to object providing the endpoint.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -23230,7 +23348,7 @@ func schema_k8sio_api_core_v1_EndpointAddress(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference"},
+			corev1.ObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -23303,7 +23421,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EndpointAddress"),
+										Ref:     ref(corev1.EndpointAddress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23322,7 +23440,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EndpointAddress"),
+										Ref:     ref(corev1.EndpointAddress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23341,7 +23459,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EndpointPort"),
+										Ref:     ref(corev1.EndpointPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23351,7 +23469,7 @@ func schema_k8sio_api_core_v1_EndpointSubset(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EndpointAddress", "k8s.io/api/core/v1.EndpointPort"},
+			corev1.EndpointAddress{}.OpenAPIModelName(), corev1.EndpointPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -23380,7 +23498,7 @@ func schema_k8sio_api_core_v1_Endpoints(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subsets": {
@@ -23396,7 +23514,7 @@ func schema_k8sio_api_core_v1_Endpoints(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EndpointSubset"),
+										Ref:     ref(corev1.EndpointSubset{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23406,7 +23524,7 @@ func schema_k8sio_api_core_v1_Endpoints(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EndpointSubset", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.EndpointSubset{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -23435,7 +23553,7 @@ func schema_k8sio_api_core_v1_EndpointsList(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -23446,7 +23564,7 @@ func schema_k8sio_api_core_v1_EndpointsList(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Endpoints"),
+										Ref:     ref(corev1.Endpoints{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23457,7 +23575,7 @@ func schema_k8sio_api_core_v1_EndpointsList(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Endpoints", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Endpoints{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -23478,20 +23596,20 @@ func schema_k8sio_api_core_v1_EnvFromSource(ref common.ReferenceCallback) common
 					"configMapRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The ConfigMap to select from",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapEnvSource"),
+							Ref:         ref(corev1.ConfigMapEnvSource{}.OpenAPIModelName()),
 						},
 					},
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The Secret to select from",
-							Ref:         ref("k8s.io/api/core/v1.SecretEnvSource"),
+							Ref:         ref(corev1.SecretEnvSource{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ConfigMapEnvSource", "k8s.io/api/core/v1.SecretEnvSource"},
+			corev1.ConfigMapEnvSource{}.OpenAPIModelName(), corev1.SecretEnvSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -23520,7 +23638,7 @@ func schema_k8sio_api_core_v1_EnvVar(ref common.ReferenceCallback) common.OpenAP
 					"valueFrom": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Source for the environment variable's value. Cannot be used if value is not empty.",
-							Ref:         ref("k8s.io/api/core/v1.EnvVarSource"),
+							Ref:         ref(corev1.EnvVarSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -23528,7 +23646,7 @@ func schema_k8sio_api_core_v1_EnvVar(ref common.ReferenceCallback) common.OpenAP
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EnvVarSource"},
+			corev1.EnvVarSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -23542,38 +23660,38 @@ func schema_k8sio_api_core_v1_EnvVarSource(ref common.ReferenceCallback) common.
 					"fieldRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectFieldSelector"),
+							Ref:         ref(corev1.ObjectFieldSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resourceFieldRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
-							Ref:         ref("k8s.io/api/core/v1.ResourceFieldSelector"),
+							Ref:         ref(corev1.ResourceFieldSelector{}.OpenAPIModelName()),
 						},
 					},
 					"configMapKeyRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects a key of a ConfigMap.",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapKeySelector"),
+							Ref:         ref(corev1.ConfigMapKeySelector{}.OpenAPIModelName()),
 						},
 					},
 					"secretKeyRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects a key of a secret in the pod's namespace",
-							Ref:         ref("k8s.io/api/core/v1.SecretKeySelector"),
+							Ref:         ref(corev1.SecretKeySelector{}.OpenAPIModelName()),
 						},
 					},
 					"fileKeyRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FileKeyRef selects a key of the env file. Requires the EnvFiles feature gate to be enabled.",
-							Ref:         ref("k8s.io/api/core/v1.FileKeySelector"),
+							Ref:         ref(corev1.FileKeySelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ConfigMapKeySelector", "k8s.io/api/core/v1.FileKeySelector", "k8s.io/api/core/v1.ObjectFieldSelector", "k8s.io/api/core/v1.ResourceFieldSelector", "k8s.io/api/core/v1.SecretKeySelector"},
+			corev1.ConfigMapKeySelector{}.OpenAPIModelName(), corev1.FileKeySelector{}.OpenAPIModelName(), corev1.ObjectFieldSelector{}.OpenAPIModelName(), corev1.ResourceFieldSelector{}.OpenAPIModelName(), corev1.SecretKeySelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -23665,7 +23783,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerPort"),
+										Ref:     ref(corev1.ContainerPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23684,7 +23802,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvFromSource"),
+										Ref:     ref(corev1.EnvFromSource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23708,7 +23826,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvVar"),
+										Ref:     ref(corev1.EnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23718,7 +23836,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ResourceRequirements"),
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"resizePolicy": {
@@ -23734,7 +23852,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerResizePolicy"),
+										Ref:     ref(corev1.ContainerResizePolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23760,7 +23878,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerRestartRule"),
+										Ref:     ref(corev1.ContainerRestartRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23784,7 +23902,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeMount"),
+										Ref:     ref(corev1.VolumeMount{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23808,7 +23926,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeDevice"),
+										Ref:     ref(corev1.VolumeDevice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -23817,25 +23935,25 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 					"livenessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"readinessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"startupProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"lifecycle": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Lifecycle is not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Lifecycle"),
+							Ref:         ref(corev1.Lifecycle{}.OpenAPIModelName()),
 						},
 					},
 					"terminationMessagePath": {
@@ -23864,7 +23982,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 					"securityContext": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.",
-							Ref:         ref("k8s.io/api/core/v1.SecurityContext"),
+							Ref:         ref(corev1.SecurityContext{}.OpenAPIModelName()),
 						},
 					},
 					"stdin": {
@@ -23900,7 +24018,7 @@ func schema_k8sio_api_core_v1_EphemeralContainer(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerPort", "k8s.io/api/core/v1.ContainerResizePolicy", "k8s.io/api/core/v1.ContainerRestartRule", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.Lifecycle", "k8s.io/api/core/v1.Probe", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount"},
+			corev1.ContainerPort{}.OpenAPIModelName(), corev1.ContainerResizePolicy{}.OpenAPIModelName(), corev1.ContainerRestartRule{}.OpenAPIModelName(), corev1.EnvFromSource{}.OpenAPIModelName(), corev1.EnvVar{}.OpenAPIModelName(), corev1.Lifecycle{}.OpenAPIModelName(), corev1.Probe{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), corev1.SecurityContext{}.OpenAPIModelName(), corev1.VolumeDevice{}.OpenAPIModelName(), corev1.VolumeMount{}.OpenAPIModelName()},
 	}
 }
 
@@ -23992,7 +24110,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerPort"),
+										Ref:     ref(corev1.ContainerPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24011,7 +24129,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvFromSource"),
+										Ref:     ref(corev1.EnvFromSource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24035,7 +24153,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EnvVar"),
+										Ref:     ref(corev1.EnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24045,7 +24163,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ResourceRequirements"),
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"resizePolicy": {
@@ -24061,7 +24179,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerResizePolicy"),
+										Ref:     ref(corev1.ContainerResizePolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24087,7 +24205,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerRestartRule"),
+										Ref:     ref(corev1.ContainerRestartRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24111,7 +24229,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeMount"),
+										Ref:     ref(corev1.VolumeMount{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24135,7 +24253,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeDevice"),
+										Ref:     ref(corev1.VolumeDevice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24144,25 +24262,25 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 					"livenessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"readinessProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"startupProbe": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Probes are not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Probe"),
+							Ref:         ref(corev1.Probe{}.OpenAPIModelName()),
 						},
 					},
 					"lifecycle": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Lifecycle is not allowed for ephemeral containers.",
-							Ref:         ref("k8s.io/api/core/v1.Lifecycle"),
+							Ref:         ref(corev1.Lifecycle{}.OpenAPIModelName()),
 						},
 					},
 					"terminationMessagePath": {
@@ -24191,7 +24309,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 					"securityContext": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.",
-							Ref:         ref("k8s.io/api/core/v1.SecurityContext"),
+							Ref:         ref(corev1.SecurityContext{}.OpenAPIModelName()),
 						},
 					},
 					"stdin": {
@@ -24220,7 +24338,7 @@ func schema_k8sio_api_core_v1_EphemeralContainerCommon(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerPort", "k8s.io/api/core/v1.ContainerResizePolicy", "k8s.io/api/core/v1.ContainerRestartRule", "k8s.io/api/core/v1.EnvFromSource", "k8s.io/api/core/v1.EnvVar", "k8s.io/api/core/v1.Lifecycle", "k8s.io/api/core/v1.Probe", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.SecurityContext", "k8s.io/api/core/v1.VolumeDevice", "k8s.io/api/core/v1.VolumeMount"},
+			corev1.ContainerPort{}.OpenAPIModelName(), corev1.ContainerResizePolicy{}.OpenAPIModelName(), corev1.ContainerRestartRule{}.OpenAPIModelName(), corev1.EnvFromSource{}.OpenAPIModelName(), corev1.EnvVar{}.OpenAPIModelName(), corev1.Lifecycle{}.OpenAPIModelName(), corev1.Probe{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), corev1.SecurityContext{}.OpenAPIModelName(), corev1.VolumeDevice{}.OpenAPIModelName(), corev1.VolumeMount{}.OpenAPIModelName()},
 	}
 }
 
@@ -24234,14 +24352,14 @@ func schema_k8sio_api_core_v1_EphemeralVolumeSource(ref common.ReferenceCallback
 					"volumeClaimTemplate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod.  The name of the PVC will be `<pod name>-<volume name>` where `<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.\n\nRequired, must not be nil.",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimTemplate"),
+							Ref:         ref(corev1.PersistentVolumeClaimTemplate{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeClaimTemplate"},
+			corev1.PersistentVolumeClaimTemplate{}.OpenAPIModelName()},
 	}
 }
 
@@ -24270,14 +24388,14 @@ func schema_k8sio_api_core_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"involvedObject": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The object that this event is about.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -24298,19 +24416,19 @@ func schema_k8sio_api_core_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "The component reporting this event. Should be a short machine understandable string.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.EventSource"),
+							Ref:         ref(corev1.EventSource{}.OpenAPIModelName()),
 						},
 					},
 					"firstTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The time at which the most recent occurrence of this event was recorded.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"count": {
@@ -24330,13 +24448,13 @@ func schema_k8sio_api_core_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 					"eventTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time when this Event was first observed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"series": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data about the Event series this event represents or nil if it's a singleton Event.",
-							Ref:         ref("k8s.io/api/core/v1.EventSeries"),
+							Ref:         ref(corev1.EventSeries{}.OpenAPIModelName()),
 						},
 					},
 					"action": {
@@ -24349,7 +24467,7 @@ func schema_k8sio_api_core_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 					"related": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Optional secondary object for more complex actions.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"reportingComponent": {
@@ -24373,7 +24491,7 @@ func schema_k8sio_api_core_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EventSeries", "k8s.io/api/core/v1.EventSource", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.EventSeries{}.OpenAPIModelName(), corev1.EventSource{}.OpenAPIModelName(), corev1.ObjectReference{}.OpenAPIModelName(), metav1.MicroTime{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -24402,7 +24520,7 @@ func schema_k8sio_api_core_v1_EventList(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -24413,7 +24531,7 @@ func schema_k8sio_api_core_v1_EventList(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Event"),
+										Ref:     ref(corev1.Event{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -24424,7 +24542,7 @@ func schema_k8sio_api_core_v1_EventList(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Event", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Event{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -24445,14 +24563,14 @@ func schema_k8sio_api_core_v1_EventSeries(ref common.ReferenceCallback) common.O
 					"lastObservedTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time of the last occurrence observed",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
@@ -24666,7 +24784,7 @@ func schema_k8sio_api_core_v1_FlexPersistentVolumeSource(ref common.ReferenceCal
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -24697,7 +24815,7 @@ func schema_k8sio_api_core_v1_FlexPersistentVolumeSource(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -24726,7 +24844,7 @@ func schema_k8sio_api_core_v1_FlexVolumeSource(ref common.ReferenceCallback) com
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -24757,7 +24875,7 @@ func schema_k8sio_api_core_v1_FlexVolumeSource(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -24995,7 +25113,7 @@ func schema_k8sio_api_core_v1_HTTPGetAction(ref common.ReferenceCallback) common
 					"port": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"host": {
@@ -25026,7 +25144,7 @@ func schema_k8sio_api_core_v1_HTTPGetAction(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.HTTPHeader"),
+										Ref:     ref(corev1.HTTPHeader{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25037,7 +25155,7 @@ func schema_k8sio_api_core_v1_HTTPGetAction(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.HTTPHeader", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			corev1.HTTPHeader{}.OpenAPIModelName(), intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -25255,7 +25373,7 @@ func schema_k8sio_api_core_v1_ISCSIPersistentVolumeSource(ref common.ReferenceCa
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is the CHAP Secret for iSCSI target and initiator authentication",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"initiatorName": {
@@ -25270,7 +25388,7 @@ func schema_k8sio_api_core_v1_ISCSIPersistentVolumeSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -25364,7 +25482,7 @@ func schema_k8sio_api_core_v1_ISCSIVolumeSource(ref common.ReferenceCallback) co
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is the CHAP Secret for iSCSI target and initiator authentication",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"initiatorName": {
@@ -25379,7 +25497,7 @@ func schema_k8sio_api_core_v1_ISCSIVolumeSource(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -25458,13 +25576,13 @@ func schema_k8sio_api_core_v1_Lifecycle(ref common.ReferenceCallback) common.Ope
 					"postStart": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks",
-							Ref:         ref("k8s.io/api/core/v1.LifecycleHandler"),
+							Ref:         ref(corev1.LifecycleHandler{}.OpenAPIModelName()),
 						},
 					},
 					"preStop": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks",
-							Ref:         ref("k8s.io/api/core/v1.LifecycleHandler"),
+							Ref:         ref(corev1.LifecycleHandler{}.OpenAPIModelName()),
 						},
 					},
 					"stopSignal": {
@@ -25479,7 +25597,7 @@ func schema_k8sio_api_core_v1_Lifecycle(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LifecycleHandler"},
+			corev1.LifecycleHandler{}.OpenAPIModelName()},
 	}
 }
 
@@ -25493,32 +25611,32 @@ func schema_k8sio_api_core_v1_LifecycleHandler(ref common.ReferenceCallback) com
 					"exec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Exec specifies a command to execute in the container.",
-							Ref:         ref("k8s.io/api/core/v1.ExecAction"),
+							Ref:         ref(corev1.ExecAction{}.OpenAPIModelName()),
 						},
 					},
 					"httpGet": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HTTPGet specifies an HTTP GET request to perform.",
-							Ref:         ref("k8s.io/api/core/v1.HTTPGetAction"),
+							Ref:         ref(corev1.HTTPGetAction{}.OpenAPIModelName()),
 						},
 					},
 					"tcpSocket": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when it is specified.",
-							Ref:         ref("k8s.io/api/core/v1.TCPSocketAction"),
+							Ref:         ref(corev1.TCPSocketAction{}.OpenAPIModelName()),
 						},
 					},
 					"sleep": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Sleep represents a duration that the container should sleep.",
-							Ref:         ref("k8s.io/api/core/v1.SleepAction"),
+							Ref:         ref(corev1.SleepAction{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ExecAction", "k8s.io/api/core/v1.HTTPGetAction", "k8s.io/api/core/v1.SleepAction", "k8s.io/api/core/v1.TCPSocketAction"},
+			corev1.ExecAction{}.OpenAPIModelName(), corev1.HTTPGetAction{}.OpenAPIModelName(), corev1.SleepAction{}.OpenAPIModelName(), corev1.TCPSocketAction{}.OpenAPIModelName()},
 	}
 }
 
@@ -25547,21 +25665,21 @@ func schema_k8sio_api_core_v1_LimitRange(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.LimitRangeSpec"),
+							Ref:         ref(corev1.LimitRangeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LimitRangeSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.LimitRangeSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -25588,7 +25706,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25602,7 +25720,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25616,7 +25734,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25630,7 +25748,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25644,7 +25762,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25655,7 +25773,7 @@ func schema_k8sio_api_core_v1_LimitRangeItem(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -25684,7 +25802,7 @@ func schema_k8sio_api_core_v1_LimitRangeList(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -25695,7 +25813,7 @@ func schema_k8sio_api_core_v1_LimitRangeList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.LimitRange"),
+										Ref:     ref(corev1.LimitRange{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25706,7 +25824,7 @@ func schema_k8sio_api_core_v1_LimitRangeList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LimitRange", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.LimitRange{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -25730,7 +25848,7 @@ func schema_k8sio_api_core_v1_LimitRangeSpec(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.LimitRangeItem"),
+										Ref:     ref(corev1.LimitRangeItem{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25741,7 +25859,7 @@ func schema_k8sio_api_core_v1_LimitRangeSpec(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LimitRangeItem"},
+			corev1.LimitRangeItem{}.OpenAPIModelName()},
 	}
 }
 
@@ -25820,7 +25938,7 @@ func schema_k8sio_api_core_v1_List(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -25830,7 +25948,7 @@ func schema_k8sio_api_core_v1_List(ref common.ReferenceCallback) common.OpenAPID
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25841,7 +25959,7 @@ func schema_k8sio_api_core_v1_List(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -25886,7 +26004,7 @@ func schema_k8sio_api_core_v1_LoadBalancerIngress(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PortStatus"),
+										Ref:     ref(corev1.PortStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25896,7 +26014,7 @@ func schema_k8sio_api_core_v1_LoadBalancerIngress(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PortStatus"},
+			corev1.PortStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -25920,7 +26038,7 @@ func schema_k8sio_api_core_v1_LoadBalancerStatus(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.LoadBalancerIngress"),
+										Ref:     ref(corev1.LoadBalancerIngress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -25930,7 +26048,7 @@ func schema_k8sio_api_core_v1_LoadBalancerStatus(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LoadBalancerIngress"},
+			corev1.LoadBalancerIngress{}.OpenAPIModelName()},
 	}
 }
 
@@ -26081,28 +26199,28 @@ func schema_k8sio_api_core_v1_Namespace(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NamespaceSpec"),
+							Ref:         ref(corev1.NamespaceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NamespaceStatus"),
+							Ref:         ref(corev1.NamespaceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NamespaceSpec", "k8s.io/api/core/v1.NamespaceStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.NamespaceSpec{}.OpenAPIModelName(), corev1.NamespaceStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -26132,7 +26250,7 @@ func schema_k8sio_api_core_v1_NamespaceCondition(ref common.ReferenceCallback) c
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -26154,7 +26272,7 @@ func schema_k8sio_api_core_v1_NamespaceCondition(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -26183,7 +26301,7 @@ func schema_k8sio_api_core_v1_NamespaceList(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -26194,7 +26312,7 @@ func schema_k8sio_api_core_v1_NamespaceList(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Namespace"),
+										Ref:     ref(corev1.Namespace{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26205,7 +26323,7 @@ func schema_k8sio_api_core_v1_NamespaceList(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Namespace", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Namespace{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -26275,7 +26393,7 @@ func schema_k8sio_api_core_v1_NamespaceStatus(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NamespaceCondition"),
+										Ref:     ref(corev1.NamespaceCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26285,7 +26403,7 @@ func schema_k8sio_api_core_v1_NamespaceStatus(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NamespaceCondition"},
+			corev1.NamespaceCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -26314,28 +26432,28 @@ func schema_k8sio_api_core_v1_Node(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeSpec"),
+							Ref:         ref(corev1.NodeSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeStatus"),
+							Ref:         ref(corev1.NodeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSpec", "k8s.io/api/core/v1.NodeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.NodeSpec{}.OpenAPIModelName(), corev1.NodeStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -26379,7 +26497,7 @@ func schema_k8sio_api_core_v1_NodeAffinity(ref common.ReferenceCallback) common.
 					"requiredDuringSchedulingIgnoredDuringExecution": {
 						SchemaProps: spec.SchemaProps{
 							Description: "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"preferredDuringSchedulingIgnoredDuringExecution": {
@@ -26395,7 +26513,7 @@ func schema_k8sio_api_core_v1_NodeAffinity(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PreferredSchedulingTerm"),
+										Ref:     ref(corev1.PreferredSchedulingTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26405,7 +26523,7 @@ func schema_k8sio_api_core_v1_NodeAffinity(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/core/v1.PreferredSchedulingTerm"},
+			corev1.NodeSelector{}.OpenAPIModelName(), corev1.PreferredSchedulingTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -26435,13 +26553,13 @@ func schema_k8sio_api_core_v1_NodeCondition(ref common.ReferenceCallback) common
 					"lastHeartbeatTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time we got an update on a given condition.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transit from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -26463,7 +26581,7 @@ func schema_k8sio_api_core_v1_NodeCondition(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -26477,14 +26595,14 @@ func schema_k8sio_api_core_v1_NodeConfigSource(ref common.ReferenceCallback) com
 					"configMap": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ConfigMap is a reference to a Node's ConfigMap",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapNodeConfigSource"),
+							Ref:         ref(corev1.ConfigMapNodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ConfigMapNodeConfigSource"},
+			corev1.ConfigMapNodeConfigSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -26498,19 +26616,19 @@ func schema_k8sio_api_core_v1_NodeConfigStatus(ref common.ReferenceCallback) com
 					"assigned": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned.",
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigSource"),
+							Ref:         ref(corev1.NodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 					"active": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error.",
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigSource"),
+							Ref:         ref(corev1.NodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 					"lastKnownGood": {
 						SchemaProps: spec.SchemaProps{
 							Description: "LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future.",
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigSource"),
+							Ref:         ref(corev1.NodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 					"error": {
@@ -26524,7 +26642,7 @@ func schema_k8sio_api_core_v1_NodeConfigStatus(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeConfigSource"},
+			corev1.NodeConfigSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -26539,14 +26657,14 @@ func schema_k8sio_api_core_v1_NodeDaemonEndpoints(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Endpoint on which Kubelet is listening.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.DaemonEndpoint"),
+							Ref:         ref(corev1.DaemonEndpoint{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.DaemonEndpoint"},
+			corev1.DaemonEndpoint{}.OpenAPIModelName()},
 	}
 }
 
@@ -26595,7 +26713,7 @@ func schema_k8sio_api_core_v1_NodeList(ref common.ReferenceCallback) common.Open
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -26606,7 +26724,7 @@ func schema_k8sio_api_core_v1_NodeList(ref common.ReferenceCallback) common.Open
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Node"),
+										Ref:     ref(corev1.Node{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26617,7 +26735,7 @@ func schema_k8sio_api_core_v1_NodeList(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Node", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Node{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -26673,14 +26791,14 @@ func schema_k8sio_api_core_v1_NodeRuntimeHandler(ref common.ReferenceCallback) c
 					"features": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Supported features.",
-							Ref:         ref("k8s.io/api/core/v1.NodeRuntimeHandlerFeatures"),
+							Ref:         ref(corev1.NodeRuntimeHandlerFeatures{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeRuntimeHandlerFeatures"},
+			corev1.NodeRuntimeHandlerFeatures{}.OpenAPIModelName()},
 	}
 }
 
@@ -26731,7 +26849,7 @@ func schema_k8sio_api_core_v1_NodeSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeSelectorTerm"),
+										Ref:     ref(corev1.NodeSelectorTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26747,7 +26865,7 @@ func schema_k8sio_api_core_v1_NodeSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelectorTerm"},
+			corev1.NodeSelectorTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -26822,7 +26940,7 @@ func schema_k8sio_api_core_v1_NodeSelectorTerm(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeSelectorRequirement"),
+										Ref:     ref(corev1.NodeSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26841,7 +26959,7 @@ func schema_k8sio_api_core_v1_NodeSelectorTerm(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeSelectorRequirement"),
+										Ref:     ref(corev1.NodeSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26856,7 +26974,7 @@ func schema_k8sio_api_core_v1_NodeSelectorTerm(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelectorRequirement"},
+			corev1.NodeSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -26922,7 +27040,7 @@ func schema_k8sio_api_core_v1_NodeSpec(ref common.ReferenceCallback) common.Open
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Taint"),
+										Ref:     ref(corev1.Taint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26931,7 +27049,7 @@ func schema_k8sio_api_core_v1_NodeSpec(ref common.ReferenceCallback) common.Open
 					"configSource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.",
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigSource"),
+							Ref:         ref(corev1.NodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 					"externalID": {
@@ -26945,7 +27063,7 @@ func schema_k8sio_api_core_v1_NodeSpec(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeConfigSource", "k8s.io/api/core/v1.Taint"},
+			corev1.NodeConfigSource{}.OpenAPIModelName(), corev1.Taint{}.OpenAPIModelName()},
 	}
 }
 
@@ -26964,7 +27082,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -26978,7 +27096,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27010,7 +27128,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeCondition"),
+										Ref:     ref(corev1.NodeCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27034,7 +27152,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeAddress"),
+										Ref:     ref(corev1.NodeAddress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27044,14 +27162,14 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Endpoints of daemons running on the Node.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeDaemonEndpoints"),
+							Ref:         ref(corev1.NodeDaemonEndpoints{}.OpenAPIModelName()),
 						},
 					},
 					"nodeInfo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/reference/node/node-status/#info",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeSystemInfo"),
+							Ref:         ref(corev1.NodeSystemInfo{}.OpenAPIModelName()),
 						},
 					},
 					"images": {
@@ -27067,7 +27185,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerImage"),
+										Ref:     ref(corev1.ContainerImage{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27106,7 +27224,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.AttachedVolume"),
+										Ref:     ref(corev1.AttachedVolume{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27115,7 +27233,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 					"config": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the config assigned to the node via the dynamic Kubelet config feature.",
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigStatus"),
+							Ref:         ref(corev1.NodeConfigStatus{}.OpenAPIModelName()),
 						},
 					},
 					"runtimeHandlers": {
@@ -27131,7 +27249,7 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.NodeRuntimeHandler"),
+										Ref:     ref(corev1.NodeRuntimeHandler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27140,14 +27258,34 @@ func schema_k8sio_api_core_v1_NodeStatus(ref common.ReferenceCallback) common.Op
 					"features": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Features describes the set of features implemented by the CRI implementation.",
-							Ref:         ref("k8s.io/api/core/v1.NodeFeatures"),
+							Ref:         ref(corev1.NodeFeatures{}.OpenAPIModelName()),
+						},
+					},
+					"declaredFeatures": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "DeclaredFeatures represents the features related to feature gates that are declared by the node.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AttachedVolume", "k8s.io/api/core/v1.ContainerImage", "k8s.io/api/core/v1.NodeAddress", "k8s.io/api/core/v1.NodeCondition", "k8s.io/api/core/v1.NodeConfigStatus", "k8s.io/api/core/v1.NodeDaemonEndpoints", "k8s.io/api/core/v1.NodeFeatures", "k8s.io/api/core/v1.NodeRuntimeHandler", "k8s.io/api/core/v1.NodeSystemInfo", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.AttachedVolume{}.OpenAPIModelName(), corev1.ContainerImage{}.OpenAPIModelName(), corev1.NodeAddress{}.OpenAPIModelName(), corev1.NodeCondition{}.OpenAPIModelName(), corev1.NodeConfigStatus{}.OpenAPIModelName(), corev1.NodeDaemonEndpoints{}.OpenAPIModelName(), corev1.NodeFeatures{}.OpenAPIModelName(), corev1.NodeRuntimeHandler{}.OpenAPIModelName(), corev1.NodeSystemInfo{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -27261,7 +27399,7 @@ func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) commo
 					"swap": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Swap Info reported by the node.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSwapStatus"),
+							Ref:         ref(corev1.NodeSwapStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -27269,7 +27407,7 @@ func schema_k8sio_api_core_v1_NodeSystemInfo(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSwapStatus"},
+			corev1.NodeSwapStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -27399,28 +27537,28 @@ func schema_k8sio_api_core_v1_PersistentVolume(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeSpec"),
+							Ref:         ref(corev1.PersistentVolumeSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeStatus"),
+							Ref:         ref(corev1.PersistentVolumeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeSpec", "k8s.io/api/core/v1.PersistentVolumeStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PersistentVolumeSpec{}.OpenAPIModelName(), corev1.PersistentVolumeStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -27449,28 +27587,28 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaim(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimSpec"),
+							Ref:         ref(corev1.PersistentVolumeClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimStatus"),
+							Ref:         ref(corev1.PersistentVolumeClaimStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeClaimSpec", "k8s.io/api/core/v1.PersistentVolumeClaimStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PersistentVolumeClaimSpec{}.OpenAPIModelName(), corev1.PersistentVolumeClaimStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -27500,13 +27638,13 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimCondition(ref common.Referenc
 					"lastProbeTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastProbeTime is the time we probed the condition.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -27528,7 +27666,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimCondition(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -27557,7 +27695,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -27568,7 +27706,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolumeClaim"),
+										Ref:     ref(corev1.PersistentVolumeClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27579,7 +27717,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeClaim", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.PersistentVolumeClaim{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -27614,14 +27752,14 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimSpec(ref common.ReferenceCall
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is a label query over volumes to consider for binding.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"resources": {
 						SchemaProps: spec.SchemaProps{
-							Description: "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
+							Description: "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.VolumeResourceRequirements"),
+							Ref:         ref(corev1.VolumeResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"volumeName": {
@@ -27649,13 +27787,13 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimSpec(ref common.ReferenceCall
 					"dataSource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.",
-							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
+							Ref:         ref(corev1.TypedLocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"dataSourceRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn't specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn't set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef\n  allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n  preserves all values, and generates an error if a disallowed value is\n  specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n  in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.",
-							Ref:         ref("k8s.io/api/core/v1.TypedObjectReference"),
+							Ref:         ref(corev1.TypedObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"volumeAttributesClassName": {
@@ -27669,7 +27807,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimSpec(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TypedLocalObjectReference", "k8s.io/api/core/v1.TypedObjectReference", "k8s.io/api/core/v1.VolumeResourceRequirements", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.TypedLocalObjectReference{}.OpenAPIModelName(), corev1.TypedObjectReference{}.OpenAPIModelName(), corev1.VolumeResourceRequirements{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -27717,7 +27855,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref common.ReferenceCa
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27741,7 +27879,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolumeClaimCondition"),
+										Ref:     ref(corev1.PersistentVolumeClaimCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27749,13 +27887,13 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref common.ReferenceCa
 					},
 					"allocatedResources": {
 						SchemaProps: spec.SchemaProps{
-							Description: "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+							Description: "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27768,7 +27906,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref common.ReferenceCa
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+							Description: "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
@@ -27793,14 +27931,14 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimStatus(ref common.ReferenceCa
 					"modifyVolumeStatus": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. When this is unset, there is no ModifyVolume operation being attempted.",
-							Ref:         ref("k8s.io/api/core/v1.ModifyVolumeStatus"),
+							Ref:         ref(corev1.ModifyVolumeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ModifyVolumeStatus", "k8s.io/api/core/v1.PersistentVolumeClaimCondition", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.ModifyVolumeStatus{}.OpenAPIModelName(), corev1.PersistentVolumeClaimCondition{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -27815,14 +27953,14 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimTemplate(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimSpec"),
+							Ref:         ref(corev1.PersistentVolumeClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -27830,7 +27968,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeClaimTemplate(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeClaimSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PersistentVolumeClaimSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -27888,7 +28026,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -27899,7 +28037,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PersistentVolume"),
+										Ref:     ref(corev1.PersistentVolume{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -27910,7 +28048,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolume", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.PersistentVolume{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -27924,140 +28062,140 @@ func schema_k8sio_api_core_v1_PersistentVolumeSource(ref common.ReferenceCallbac
 					"gcePersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
-							Ref:         ref("k8s.io/api/core/v1.GCEPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"awsElasticBlockStore": {
 						SchemaProps: spec.SchemaProps{
 							Description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
-							Ref:         ref("k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource"),
+							Ref:         ref(corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"hostPath": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
-							Ref:         ref("k8s.io/api/core/v1.HostPathVolumeSource"),
+							Ref:         ref(corev1.HostPathVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"glusterfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md",
-							Ref:         ref("k8s.io/api/core/v1.GlusterfsPersistentVolumeSource"),
+							Ref:         ref(corev1.GlusterfsPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"nfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-							Ref:         ref("k8s.io/api/core/v1.NFSVolumeSource"),
+							Ref:         ref(corev1.NFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"rbd": {
 						SchemaProps: spec.SchemaProps{
 							Description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.RBDPersistentVolumeSource"),
+							Ref:         ref(corev1.RBDPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"iscsi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.",
-							Ref:         ref("k8s.io/api/core/v1.ISCSIPersistentVolumeSource"),
+							Ref:         ref(corev1.ISCSIPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cinder": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.CinderPersistentVolumeSource"),
+							Ref:         ref(corev1.CinderPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cephfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.CephFSPersistentVolumeSource"),
+							Ref:         ref(corev1.CephFSPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"fc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
-							Ref:         ref("k8s.io/api/core/v1.FCVolumeSource"),
+							Ref:         ref(corev1.FCVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flocker": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.FlockerVolumeSource"),
+							Ref:         ref(corev1.FlockerVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flexVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.",
-							Ref:         ref("k8s.io/api/core/v1.FlexPersistentVolumeSource"),
+							Ref:         ref(corev1.FlexPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureFile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureFilePersistentVolumeSource"),
+							Ref:         ref(corev1.AzureFilePersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"vsphereVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"),
+							Ref:         ref(corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"quobyte": {
 						SchemaProps: spec.SchemaProps{
 							Description: "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.QuobyteVolumeSource"),
+							Ref:         ref(corev1.QuobyteVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureDiskVolumeSource"),
+							Ref:         ref(corev1.AzureDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"photonPersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"portworxVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.",
-							Ref:         ref("k8s.io/api/core/v1.PortworxVolumeSource"),
+							Ref:         ref(corev1.PortworxVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"scaleIO": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.ScaleIOPersistentVolumeSource"),
+							Ref:         ref(corev1.ScaleIOPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"local": {
 						SchemaProps: spec.SchemaProps{
 							Description: "local represents directly-attached storage with node affinity",
-							Ref:         ref("k8s.io/api/core/v1.LocalVolumeSource"),
+							Ref:         ref(corev1.LocalVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"storageos": {
 						SchemaProps: spec.SchemaProps{
 							Description: "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md",
-							Ref:         ref("k8s.io/api/core/v1.StorageOSPersistentVolumeSource"),
+							Ref:         ref(corev1.StorageOSPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"csi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "csi represents storage that is handled by an external CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.CSIPersistentVolumeSource"),
+							Ref:         ref(corev1.CSIPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource", "k8s.io/api/core/v1.AzureDiskVolumeSource", "k8s.io/api/core/v1.AzureFilePersistentVolumeSource", "k8s.io/api/core/v1.CSIPersistentVolumeSource", "k8s.io/api/core/v1.CephFSPersistentVolumeSource", "k8s.io/api/core/v1.CinderPersistentVolumeSource", "k8s.io/api/core/v1.FCVolumeSource", "k8s.io/api/core/v1.FlexPersistentVolumeSource", "k8s.io/api/core/v1.FlockerVolumeSource", "k8s.io/api/core/v1.GCEPersistentDiskVolumeSource", "k8s.io/api/core/v1.GlusterfsPersistentVolumeSource", "k8s.io/api/core/v1.HostPathVolumeSource", "k8s.io/api/core/v1.ISCSIPersistentVolumeSource", "k8s.io/api/core/v1.LocalVolumeSource", "k8s.io/api/core/v1.NFSVolumeSource", "k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource", "k8s.io/api/core/v1.PortworxVolumeSource", "k8s.io/api/core/v1.QuobyteVolumeSource", "k8s.io/api/core/v1.RBDPersistentVolumeSource", "k8s.io/api/core/v1.ScaleIOPersistentVolumeSource", "k8s.io/api/core/v1.StorageOSPersistentVolumeSource", "k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"},
+			corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName(), corev1.AzureDiskVolumeSource{}.OpenAPIModelName(), corev1.AzureFilePersistentVolumeSource{}.OpenAPIModelName(), corev1.CSIPersistentVolumeSource{}.OpenAPIModelName(), corev1.CephFSPersistentVolumeSource{}.OpenAPIModelName(), corev1.CinderPersistentVolumeSource{}.OpenAPIModelName(), corev1.FCVolumeSource{}.OpenAPIModelName(), corev1.FlexPersistentVolumeSource{}.OpenAPIModelName(), corev1.FlockerVolumeSource{}.OpenAPIModelName(), corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.GlusterfsPersistentVolumeSource{}.OpenAPIModelName(), corev1.HostPathVolumeSource{}.OpenAPIModelName(), corev1.ISCSIPersistentVolumeSource{}.OpenAPIModelName(), corev1.LocalVolumeSource{}.OpenAPIModelName(), corev1.NFSVolumeSource{}.OpenAPIModelName(), corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.PortworxVolumeSource{}.OpenAPIModelName(), corev1.QuobyteVolumeSource{}.OpenAPIModelName(), corev1.RBDPersistentVolumeSource{}.OpenAPIModelName(), corev1.ScaleIOPersistentVolumeSource{}.OpenAPIModelName(), corev1.StorageOSPersistentVolumeSource{}.OpenAPIModelName(), corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -28076,7 +28214,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeSpec(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28085,133 +28223,133 @@ func schema_k8sio_api_core_v1_PersistentVolumeSpec(ref common.ReferenceCallback)
 					"gcePersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
-							Ref:         ref("k8s.io/api/core/v1.GCEPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"awsElasticBlockStore": {
 						SchemaProps: spec.SchemaProps{
 							Description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
-							Ref:         ref("k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource"),
+							Ref:         ref(corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"hostPath": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
-							Ref:         ref("k8s.io/api/core/v1.HostPathVolumeSource"),
+							Ref:         ref(corev1.HostPathVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"glusterfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md",
-							Ref:         ref("k8s.io/api/core/v1.GlusterfsPersistentVolumeSource"),
+							Ref:         ref(corev1.GlusterfsPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"nfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-							Ref:         ref("k8s.io/api/core/v1.NFSVolumeSource"),
+							Ref:         ref(corev1.NFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"rbd": {
 						SchemaProps: spec.SchemaProps{
 							Description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.RBDPersistentVolumeSource"),
+							Ref:         ref(corev1.RBDPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"iscsi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.",
-							Ref:         ref("k8s.io/api/core/v1.ISCSIPersistentVolumeSource"),
+							Ref:         ref(corev1.ISCSIPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cinder": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.CinderPersistentVolumeSource"),
+							Ref:         ref(corev1.CinderPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cephfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.CephFSPersistentVolumeSource"),
+							Ref:         ref(corev1.CephFSPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"fc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
-							Ref:         ref("k8s.io/api/core/v1.FCVolumeSource"),
+							Ref:         ref(corev1.FCVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flocker": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.FlockerVolumeSource"),
+							Ref:         ref(corev1.FlockerVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flexVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.",
-							Ref:         ref("k8s.io/api/core/v1.FlexPersistentVolumeSource"),
+							Ref:         ref(corev1.FlexPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureFile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureFilePersistentVolumeSource"),
+							Ref:         ref(corev1.AzureFilePersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"vsphereVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"),
+							Ref:         ref(corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"quobyte": {
 						SchemaProps: spec.SchemaProps{
 							Description: "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.QuobyteVolumeSource"),
+							Ref:         ref(corev1.QuobyteVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureDiskVolumeSource"),
+							Ref:         ref(corev1.AzureDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"photonPersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"portworxVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.",
-							Ref:         ref("k8s.io/api/core/v1.PortworxVolumeSource"),
+							Ref:         ref(corev1.PortworxVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"scaleIO": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.ScaleIOPersistentVolumeSource"),
+							Ref:         ref(corev1.ScaleIOPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"local": {
 						SchemaProps: spec.SchemaProps{
 							Description: "local represents directly-attached storage with node affinity",
-							Ref:         ref("k8s.io/api/core/v1.LocalVolumeSource"),
+							Ref:         ref(corev1.LocalVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"storageos": {
 						SchemaProps: spec.SchemaProps{
 							Description: "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md",
-							Ref:         ref("k8s.io/api/core/v1.StorageOSPersistentVolumeSource"),
+							Ref:         ref(corev1.StorageOSPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"csi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "csi represents storage that is handled by an external CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.CSIPersistentVolumeSource"),
+							Ref:         ref(corev1.CSIPersistentVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"accessModes": {
@@ -28243,7 +28381,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeSpec(ref common.ReferenceCallback)
 						},
 						SchemaProps: spec.SchemaProps{
 							Description: "claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"persistentVolumeReclaimPolicy": {
@@ -28291,8 +28429,8 @@ func schema_k8sio_api_core_v1_PersistentVolumeSpec(ref common.ReferenceCallback)
 					},
 					"nodeAffinity": {
 						SchemaProps: spec.SchemaProps{
-							Description: "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.",
-							Ref:         ref("k8s.io/api/core/v1.VolumeNodeAffinity"),
+							Description: "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled.",
+							Ref:         ref(corev1.VolumeNodeAffinity{}.OpenAPIModelName()),
 						},
 					},
 					"volumeAttributesClassName": {
@@ -28306,7 +28444,7 @@ func schema_k8sio_api_core_v1_PersistentVolumeSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource", "k8s.io/api/core/v1.AzureDiskVolumeSource", "k8s.io/api/core/v1.AzureFilePersistentVolumeSource", "k8s.io/api/core/v1.CSIPersistentVolumeSource", "k8s.io/api/core/v1.CephFSPersistentVolumeSource", "k8s.io/api/core/v1.CinderPersistentVolumeSource", "k8s.io/api/core/v1.FCVolumeSource", "k8s.io/api/core/v1.FlexPersistentVolumeSource", "k8s.io/api/core/v1.FlockerVolumeSource", "k8s.io/api/core/v1.GCEPersistentDiskVolumeSource", "k8s.io/api/core/v1.GlusterfsPersistentVolumeSource", "k8s.io/api/core/v1.HostPathVolumeSource", "k8s.io/api/core/v1.ISCSIPersistentVolumeSource", "k8s.io/api/core/v1.LocalVolumeSource", "k8s.io/api/core/v1.NFSVolumeSource", "k8s.io/api/core/v1.ObjectReference", "k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource", "k8s.io/api/core/v1.PortworxVolumeSource", "k8s.io/api/core/v1.QuobyteVolumeSource", "k8s.io/api/core/v1.RBDPersistentVolumeSource", "k8s.io/api/core/v1.ScaleIOPersistentVolumeSource", "k8s.io/api/core/v1.StorageOSPersistentVolumeSource", "k8s.io/api/core/v1.VolumeNodeAffinity", "k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName(), corev1.AzureDiskVolumeSource{}.OpenAPIModelName(), corev1.AzureFilePersistentVolumeSource{}.OpenAPIModelName(), corev1.CSIPersistentVolumeSource{}.OpenAPIModelName(), corev1.CephFSPersistentVolumeSource{}.OpenAPIModelName(), corev1.CinderPersistentVolumeSource{}.OpenAPIModelName(), corev1.FCVolumeSource{}.OpenAPIModelName(), corev1.FlexPersistentVolumeSource{}.OpenAPIModelName(), corev1.FlockerVolumeSource{}.OpenAPIModelName(), corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.GlusterfsPersistentVolumeSource{}.OpenAPIModelName(), corev1.HostPathVolumeSource{}.OpenAPIModelName(), corev1.ISCSIPersistentVolumeSource{}.OpenAPIModelName(), corev1.LocalVolumeSource{}.OpenAPIModelName(), corev1.NFSVolumeSource{}.OpenAPIModelName(), corev1.ObjectReference{}.OpenAPIModelName(), corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.PortworxVolumeSource{}.OpenAPIModelName(), corev1.QuobyteVolumeSource{}.OpenAPIModelName(), corev1.RBDPersistentVolumeSource{}.OpenAPIModelName(), corev1.ScaleIOPersistentVolumeSource{}.OpenAPIModelName(), corev1.StorageOSPersistentVolumeSource{}.OpenAPIModelName(), corev1.VolumeNodeAffinity{}.OpenAPIModelName(), corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -28342,14 +28480,14 @@ func schema_k8sio_api_core_v1_PersistentVolumeStatus(ref common.ReferenceCallbac
 					"lastPhaseTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastPhaseTransitionTime is the time the phase transitioned from one to another and automatically resets to current time everytime a volume phase transitions.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -28407,28 +28545,28 @@ func schema_k8sio_api_core_v1_Pod(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodSpec"),
+							Ref:         ref(corev1.PodSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodStatus"),
+							Ref:         ref(corev1.PodStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodSpec", "k8s.io/api/core/v1.PodStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PodSpec{}.OpenAPIModelName(), corev1.PodStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -28452,7 +28590,7 @@ func schema_k8sio_api_core_v1_PodAffinity(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodAffinityTerm"),
+										Ref:     ref(corev1.PodAffinityTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28471,7 +28609,7 @@ func schema_k8sio_api_core_v1_PodAffinity(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.WeightedPodAffinityTerm"),
+										Ref:     ref(corev1.WeightedPodAffinityTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28481,7 +28619,7 @@ func schema_k8sio_api_core_v1_PodAffinity(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodAffinityTerm", "k8s.io/api/core/v1.WeightedPodAffinityTerm"},
+			corev1.PodAffinityTerm{}.OpenAPIModelName(), corev1.WeightedPodAffinityTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -28495,7 +28633,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm
 					"labelSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"namespaces": {
@@ -28529,7 +28667,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means \"this pod's namespace\". An empty selector ({}) matches all namespaces.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"matchLabelKeys": {
@@ -28577,7 +28715,7 @@ func schema_k8sio_api_core_v1_PodAffinityTerm(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -28601,7 +28739,7 @@ func schema_k8sio_api_core_v1_PodAntiAffinity(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodAffinityTerm"),
+										Ref:     ref(corev1.PodAffinityTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28620,7 +28758,7 @@ func schema_k8sio_api_core_v1_PodAntiAffinity(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.WeightedPodAffinityTerm"),
+										Ref:     ref(corev1.WeightedPodAffinityTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28630,7 +28768,7 @@ func schema_k8sio_api_core_v1_PodAntiAffinity(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodAffinityTerm", "k8s.io/api/core/v1.WeightedPodAffinityTerm"},
+			corev1.PodAffinityTerm{}.OpenAPIModelName(), corev1.WeightedPodAffinityTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -28745,6 +28883,22 @@ func schema_k8sio_api_core_v1_PodCertificateProjection(ref common.ReferenceCallb
 							Format:      "",
 						},
 					},
+					"userAnnotations": {
+						SchemaProps: spec.SchemaProps{
+							Description: "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"signerName", "keyType"},
 			},
@@ -28769,7 +28923,7 @@ func schema_k8sio_api_core_v1_PodCondition(ref common.ReferenceCallback) common.
 					},
 					"observedGeneration": {
 						SchemaProps: spec.SchemaProps{
-							Description: "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+							Description: "If set, this represents the .metadata.generation that the pod condition was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
 							Type:        []string{"integer"},
 							Format:      "int64",
 						},
@@ -28785,13 +28939,13 @@ func schema_k8sio_api_core_v1_PodCondition(ref common.ReferenceCallback) common.
 					"lastProbeTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time we probed the condition.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -28813,7 +28967,7 @@ func schema_k8sio_api_core_v1_PodCondition(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -28877,7 +29031,7 @@ func schema_k8sio_api_core_v1_PodDNSConfig(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodDNSConfigOption"),
+										Ref:     ref(corev1.PodDNSConfigOption{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -28887,7 +29041,7 @@ func schema_k8sio_api_core_v1_PodDNSConfig(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodDNSConfigOption"},
+			corev1.PodDNSConfigOption{}.OpenAPIModelName()},
 	}
 }
 
@@ -29021,7 +29175,7 @@ func schema_k8sio_api_core_v1_PodExtendedResourceClaimStatus(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerExtendedResourceRequest"),
+										Ref:     ref(corev1.ContainerExtendedResourceRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29040,7 +29194,7 @@ func schema_k8sio_api_core_v1_PodExtendedResourceClaimStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerExtendedResourceRequest"},
+			corev1.ContainerExtendedResourceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -29091,7 +29245,7 @@ func schema_k8sio_api_core_v1_PodList(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -29102,7 +29256,7 @@ func schema_k8sio_api_core_v1_PodList(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Pod"),
+										Ref:     ref(corev1.Pod{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29113,7 +29267,7 @@ func schema_k8sio_api_core_v1_PodList(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Pod", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Pod{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -29169,7 +29323,7 @@ func schema_k8sio_api_core_v1_PodLogOptions(ref common.ReferenceCallback) common
 					"sinceTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An RFC3339 timestamp from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"timestamps": {
@@ -29211,7 +29365,7 @@ func schema_k8sio_api_core_v1_PodLogOptions(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -29437,13 +29591,13 @@ func schema_k8sio_api_core_v1_PodSecurityContext(ref common.ReferenceCallback) c
 					"seLinuxOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.SELinuxOptions"),
+							Ref:         ref(corev1.SELinuxOptions{}.OpenAPIModelName()),
 						},
 					},
 					"windowsOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.",
-							Ref:         ref("k8s.io/api/core/v1.WindowsSecurityContextOptions"),
+							Ref:         ref(corev1.WindowsSecurityContextOptions{}.OpenAPIModelName()),
 						},
 					},
 					"runAsUser": {
@@ -29515,7 +29669,7 @@ func schema_k8sio_api_core_v1_PodSecurityContext(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Sysctl"),
+										Ref:     ref(corev1.Sysctl{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29532,13 +29686,13 @@ func schema_k8sio_api_core_v1_PodSecurityContext(ref common.ReferenceCallback) c
 					"seccompProfile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.SeccompProfile"),
+							Ref:         ref(corev1.SeccompProfile{}.OpenAPIModelName()),
 						},
 					},
 					"appArmorProfile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.AppArmorProfile"),
+							Ref:         ref(corev1.AppArmorProfile{}.OpenAPIModelName()),
 						},
 					},
 					"seLinuxChangePolicy": {
@@ -29552,7 +29706,7 @@ func schema_k8sio_api_core_v1_PodSecurityContext(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AppArmorProfile", "k8s.io/api/core/v1.SELinuxOptions", "k8s.io/api/core/v1.SeccompProfile", "k8s.io/api/core/v1.Sysctl", "k8s.io/api/core/v1.WindowsSecurityContextOptions"},
+			corev1.AppArmorProfile{}.OpenAPIModelName(), corev1.SELinuxOptions{}.OpenAPIModelName(), corev1.SeccompProfile{}.OpenAPIModelName(), corev1.Sysctl{}.OpenAPIModelName(), corev1.WindowsSecurityContextOptions{}.OpenAPIModelName()},
 	}
 }
 
@@ -29566,14 +29720,14 @@ func schema_k8sio_api_core_v1_PodSignature(ref common.ReferenceCallback) common.
 					"podController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Reference to controller whose pods should avoid this node.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+							Ref:         ref(metav1.OwnerReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"},
+			metav1.OwnerReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -29602,7 +29756,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Volume"),
+										Ref:     ref(corev1.Volume{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29626,7 +29780,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Container"),
+										Ref:     ref(corev1.Container{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29650,7 +29804,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Container"),
+										Ref:     ref(corev1.Container{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29674,7 +29828,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.EphemeralContainer"),
+										Ref:     ref(corev1.EphemeralContainer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29790,7 +29944,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 					"securityContext": {
 						SchemaProps: spec.SchemaProps{
 							Description: "SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty.  See type description for default values of each field.",
-							Ref:         ref("k8s.io/api/core/v1.PodSecurityContext"),
+							Ref:         ref(corev1.PodSecurityContext{}.OpenAPIModelName()),
 						},
 					},
 					"imagePullSecrets": {
@@ -29811,7 +29965,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.LocalObjectReference"),
+										Ref:     ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29834,7 +29988,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 					"affinity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "If specified, the pod's scheduling constraints",
-							Ref:         ref("k8s.io/api/core/v1.Affinity"),
+							Ref:         ref(corev1.Affinity{}.OpenAPIModelName()),
 						},
 					},
 					"schedulerName": {
@@ -29857,7 +30011,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Toleration"),
+										Ref:     ref(corev1.Toleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29881,7 +30035,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.HostAlias"),
+										Ref:     ref(corev1.HostAlias{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29904,7 +30058,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 					"dnsConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.",
-							Ref:         ref("k8s.io/api/core/v1.PodDNSConfig"),
+							Ref:         ref(corev1.PodDNSConfig{}.OpenAPIModelName()),
 						},
 					},
 					"readinessGates": {
@@ -29920,7 +30074,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodReadinessGate"),
+										Ref:     ref(corev1.PodReadinessGate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29956,7 +30110,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29981,7 +30135,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.TopologySpreadConstraint"),
+										Ref:     ref(corev1.TopologySpreadConstraint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -29997,7 +30151,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 					"os": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.resources - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup",
-							Ref:         ref("k8s.io/api/core/v1.PodOS"),
+							Ref:         ref(corev1.PodOS{}.OpenAPIModelName()),
 						},
 					},
 					"hostUsers": {
@@ -30025,7 +30179,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodSchedulingGate"),
+										Ref:     ref(corev1.PodSchedulingGate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30043,13 +30197,13 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+							Description: "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodResourceClaim"),
+										Ref:     ref(corev1.PodResourceClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30058,7 +30212,7 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 					"resources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Resources is the total amount of CPU and Memory resources required by all containers in the pod. It supports specifying Requests and Limits for \"cpu\", \"memory\" and \"hugepages-\" resource names only. ResourceClaims are not supported.\n\nThis field enables fine-grained control over resource allocation for the entire pod, allowing resource sharing among containers in a pod.\n\nThis is an alpha field and requires enabling the PodLevelResources feature gate.",
-							Ref:         ref("k8s.io/api/core/v1.ResourceRequirements"),
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 					"hostnameOverride": {
@@ -30068,12 +30222,18 @@ func schema_k8sio_api_core_v1_PodSpec(ref common.ReferenceCallback) common.OpenA
 							Format:      "",
 						},
 					},
+					"workloadRef": {
+						SchemaProps: spec.SchemaProps{
+							Description: "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies.",
+							Ref:         ref(corev1.WorkloadReference{}.OpenAPIModelName()),
+						},
+					},
 				},
 				Required: []string{"containers"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.Container", "k8s.io/api/core/v1.EphemeralContainer", "k8s.io/api/core/v1.HostAlias", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodDNSConfig", "k8s.io/api/core/v1.PodOS", "k8s.io/api/core/v1.PodReadinessGate", "k8s.io/api/core/v1.PodResourceClaim", "k8s.io/api/core/v1.PodSchedulingGate", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/api/core/v1.TopologySpreadConstraint", "k8s.io/api/core/v1.Volume", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.Affinity{}.OpenAPIModelName(), corev1.Container{}.OpenAPIModelName(), corev1.EphemeralContainer{}.OpenAPIModelName(), corev1.HostAlias{}.OpenAPIModelName(), corev1.LocalObjectReference{}.OpenAPIModelName(), corev1.PodDNSConfig{}.OpenAPIModelName(), corev1.PodOS{}.OpenAPIModelName(), corev1.PodReadinessGate{}.OpenAPIModelName(), corev1.PodResourceClaim{}.OpenAPIModelName(), corev1.PodSchedulingGate{}.OpenAPIModelName(), corev1.PodSecurityContext{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), corev1.Toleration{}.OpenAPIModelName(), corev1.TopologySpreadConstraint{}.OpenAPIModelName(), corev1.Volume{}.OpenAPIModelName(), corev1.WorkloadReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -30086,7 +30246,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 				Properties: map[string]spec.Schema{
 					"observedGeneration": {
 						SchemaProps: spec.SchemaProps{
-							Description: "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+							Description: "If set, this represents the .metadata.generation that the pod status was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
 							Type:        []string{"integer"},
 							Format:      "int64",
 						},
@@ -30117,7 +30277,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodCondition"),
+										Ref:     ref(corev1.PodCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30166,7 +30326,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.HostIP"),
+										Ref:     ref(corev1.HostIP{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30197,7 +30357,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodIP"),
+										Ref:     ref(corev1.PodIP{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30206,7 +30366,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 					"startTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"initContainerStatuses": {
@@ -30222,7 +30382,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerStatus"),
+										Ref:     ref(corev1.ContainerStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30241,7 +30401,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerStatus"),
+										Ref:     ref(corev1.ContainerStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30268,7 +30428,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ContainerStatus"),
+										Ref:     ref(corev1.ContainerStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30299,7 +30459,7 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodResourceClaimStatus"),
+										Ref:     ref(corev1.PodResourceClaimStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30308,14 +30468,34 @@ func schema_k8sio_api_core_v1_PodStatus(ref common.ReferenceCallback) common.Ope
 					"extendedResourceClaimStatus": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of extended resource claim backed by DRA.",
-							Ref:         ref("k8s.io/api/core/v1.PodExtendedResourceClaimStatus"),
+							Ref:         ref(corev1.PodExtendedResourceClaimStatus{}.OpenAPIModelName()),
+						},
+					},
+					"allocatedResources": {
+						SchemaProps: spec.SchemaProps{
+							Description: "AllocatedResources is the total requests allocated for this pod by the node. If pod-level requests are not set, this will be the total requests aggregated across containers in the pod.",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"resources": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Resources represents the compute resource requests and limits that have been applied at the pod level if pod-level requests or limits are set in PodSpec.Resources",
+							Ref:         ref(corev1.ResourceRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ContainerStatus", "k8s.io/api/core/v1.HostIP", "k8s.io/api/core/v1.PodCondition", "k8s.io/api/core/v1.PodExtendedResourceClaimStatus", "k8s.io/api/core/v1.PodIP", "k8s.io/api/core/v1.PodResourceClaimStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.ContainerStatus{}.OpenAPIModelName(), corev1.HostIP{}.OpenAPIModelName(), corev1.PodCondition{}.OpenAPIModelName(), corev1.PodExtendedResourceClaimStatus{}.OpenAPIModelName(), corev1.PodIP{}.OpenAPIModelName(), corev1.PodResourceClaimStatus{}.OpenAPIModelName(), corev1.ResourceRequirements{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -30344,21 +30524,21 @@ func schema_k8sio_api_core_v1_PodStatusResult(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodStatus"),
+							Ref:         ref(corev1.PodStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PodStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -30387,21 +30567,21 @@ func schema_k8sio_api_core_v1_PodTemplate(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -30430,7 +30610,7 @@ func schema_k8sio_api_core_v1_PodTemplateList(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -30441,7 +30621,7 @@ func schema_k8sio_api_core_v1_PodTemplateList(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.PodTemplate"),
+										Ref:     ref(corev1.PodTemplate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30452,7 +30632,7 @@ func schema_k8sio_api_core_v1_PodTemplateList(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.PodTemplate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -30467,21 +30647,21 @@ func schema_k8sio_api_core_v1_PodTemplateSpec(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodSpec"),
+							Ref:         ref(corev1.PodSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.PodSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -30570,13 +30750,13 @@ func schema_k8sio_api_core_v1_PreferAvoidPodsEntry(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "The class of pods.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodSignature"),
+							Ref:         ref(corev1.PodSignature{}.OpenAPIModelName()),
 						},
 					},
 					"evictionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time at which this entry was added to the list.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -30598,7 +30778,7 @@ func schema_k8sio_api_core_v1_PreferAvoidPodsEntry(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodSignature", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.PodSignature{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -30621,7 +30801,7 @@ func schema_k8sio_api_core_v1_PreferredSchedulingTerm(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "A node selector term, associated with the corresponding weight.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeSelectorTerm"),
+							Ref:         ref(corev1.NodeSelectorTerm{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -30629,7 +30809,7 @@ func schema_k8sio_api_core_v1_PreferredSchedulingTerm(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelectorTerm"},
+			corev1.NodeSelectorTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -30643,25 +30823,25 @@ func schema_k8sio_api_core_v1_Probe(ref common.ReferenceCallback) common.OpenAPI
 					"exec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Exec specifies a command to execute in the container.",
-							Ref:         ref("k8s.io/api/core/v1.ExecAction"),
+							Ref:         ref(corev1.ExecAction{}.OpenAPIModelName()),
 						},
 					},
 					"httpGet": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HTTPGet specifies an HTTP GET request to perform.",
-							Ref:         ref("k8s.io/api/core/v1.HTTPGetAction"),
+							Ref:         ref(corev1.HTTPGetAction{}.OpenAPIModelName()),
 						},
 					},
 					"tcpSocket": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TCPSocket specifies a connection to a TCP port.",
-							Ref:         ref("k8s.io/api/core/v1.TCPSocketAction"),
+							Ref:         ref(corev1.TCPSocketAction{}.OpenAPIModelName()),
 						},
 					},
 					"grpc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "GRPC specifies a GRPC HealthCheckRequest.",
-							Ref:         ref("k8s.io/api/core/v1.GRPCAction"),
+							Ref:         ref(corev1.GRPCAction{}.OpenAPIModelName()),
 						},
 					},
 					"initialDelaySeconds": {
@@ -30710,7 +30890,7 @@ func schema_k8sio_api_core_v1_Probe(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ExecAction", "k8s.io/api/core/v1.GRPCAction", "k8s.io/api/core/v1.HTTPGetAction", "k8s.io/api/core/v1.TCPSocketAction"},
+			corev1.ExecAction{}.OpenAPIModelName(), corev1.GRPCAction{}.OpenAPIModelName(), corev1.HTTPGetAction{}.OpenAPIModelName(), corev1.TCPSocketAction{}.OpenAPIModelName()},
 	}
 }
 
@@ -30724,32 +30904,32 @@ func schema_k8sio_api_core_v1_ProbeHandler(ref common.ReferenceCallback) common.
 					"exec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Exec specifies a command to execute in the container.",
-							Ref:         ref("k8s.io/api/core/v1.ExecAction"),
+							Ref:         ref(corev1.ExecAction{}.OpenAPIModelName()),
 						},
 					},
 					"httpGet": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HTTPGet specifies an HTTP GET request to perform.",
-							Ref:         ref("k8s.io/api/core/v1.HTTPGetAction"),
+							Ref:         ref(corev1.HTTPGetAction{}.OpenAPIModelName()),
 						},
 					},
 					"tcpSocket": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TCPSocket specifies a connection to a TCP port.",
-							Ref:         ref("k8s.io/api/core/v1.TCPSocketAction"),
+							Ref:         ref(corev1.TCPSocketAction{}.OpenAPIModelName()),
 						},
 					},
 					"grpc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "GRPC specifies a GRPC HealthCheckRequest.",
-							Ref:         ref("k8s.io/api/core/v1.GRPCAction"),
+							Ref:         ref(corev1.GRPCAction{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ExecAction", "k8s.io/api/core/v1.GRPCAction", "k8s.io/api/core/v1.HTTPGetAction", "k8s.io/api/core/v1.TCPSocketAction"},
+			corev1.ExecAction{}.OpenAPIModelName(), corev1.GRPCAction{}.OpenAPIModelName(), corev1.HTTPGetAction{}.OpenAPIModelName(), corev1.TCPSocketAction{}.OpenAPIModelName()},
 	}
 }
 
@@ -30773,7 +30953,7 @@ func schema_k8sio_api_core_v1_ProjectedVolumeSource(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.VolumeProjection"),
+										Ref:     ref(corev1.VolumeProjection{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -30790,7 +30970,7 @@ func schema_k8sio_api_core_v1_ProjectedVolumeSource(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.VolumeProjection"},
+			corev1.VolumeProjection{}.OpenAPIModelName()},
 	}
 }
 
@@ -30921,7 +31101,7 @@ func schema_k8sio_api_core_v1_RBDPersistentVolumeSource(ref common.ReferenceCall
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -30936,7 +31116,7 @@ func schema_k8sio_api_core_v1_RBDPersistentVolumeSource(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -31009,7 +31189,7 @@ func schema_k8sio_api_core_v1_RBDVolumeSource(ref common.ReferenceCallback) comm
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"readOnly": {
@@ -31024,7 +31204,7 @@ func schema_k8sio_api_core_v1_RBDVolumeSource(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -31053,7 +31233,7 @@ func schema_k8sio_api_core_v1_RangeAllocation(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"range": {
@@ -31076,7 +31256,7 @@ func schema_k8sio_api_core_v1_RangeAllocation(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -31105,28 +31285,28 @@ func schema_k8sio_api_core_v1_ReplicationController(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ReplicationControllerSpec"),
+							Ref:         ref(corev1.ReplicationControllerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the most recently observed status of the replication controller. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ReplicationControllerStatus"),
+							Ref:         ref(corev1.ReplicationControllerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ReplicationControllerSpec", "k8s.io/api/core/v1.ReplicationControllerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.ReplicationControllerSpec{}.OpenAPIModelName(), corev1.ReplicationControllerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -31156,7 +31336,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerCondition(ref common.Referenc
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -31178,7 +31358,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerCondition(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -31207,7 +31387,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -31218,7 +31398,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ReplicationController"),
+										Ref:     ref(corev1.ReplicationController{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31229,7 +31409,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ReplicationController", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.ReplicationController{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -31280,14 +31460,14 @@ func schema_k8sio_api_core_v1_ReplicationControllerSpec(ref common.ReferenceCall
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -31352,7 +31532,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerStatus(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ReplicationControllerCondition"),
+										Ref:     ref(corev1.ReplicationControllerCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31363,7 +31543,7 @@ func schema_k8sio_api_core_v1_ReplicationControllerStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ReplicationControllerCondition"},
+			corev1.ReplicationControllerCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -31421,7 +31601,7 @@ func schema_k8sio_api_core_v1_ResourceFieldSelector(ref common.ReferenceCallback
 					"divisor": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the output format of the exposed resources, defaults to \"1\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -31434,7 +31614,7 @@ func schema_k8sio_api_core_v1_ResourceFieldSelector(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -31492,28 +31672,28 @@ func schema_k8sio_api_core_v1_ResourceQuota(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ResourceQuotaSpec"),
+							Ref:         ref(corev1.ResourceQuotaSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ResourceQuotaStatus"),
+							Ref:         ref(corev1.ResourceQuotaStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ResourceQuotaSpec", "k8s.io/api/core/v1.ResourceQuotaStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.ResourceQuotaSpec{}.OpenAPIModelName(), corev1.ResourceQuotaStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -31542,7 +31722,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaList(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -31553,7 +31733,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaList(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ResourceQuota"),
+										Ref:     ref(corev1.ResourceQuota{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31564,7 +31744,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ResourceQuota", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.ResourceQuota{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -31583,7 +31763,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaSpec(ref common.ReferenceCallback) co
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31613,14 +31793,14 @@ func schema_k8sio_api_core_v1_ResourceQuotaSpec(ref common.ReferenceCallback) co
 					"scopeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.",
-							Ref:         ref("k8s.io/api/core/v1.ScopeSelector"),
+							Ref:         ref(corev1.ScopeSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ScopeSelector", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.ScopeSelector{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -31639,7 +31819,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaStatus(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31653,7 +31833,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaStatus(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31663,7 +31843,7 @@ func schema_k8sio_api_core_v1_ResourceQuotaStatus(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -31682,7 +31862,7 @@ func schema_k8sio_api_core_v1_ResourceRequirements(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31696,7 +31876,7 @@ func schema_k8sio_api_core_v1_ResourceRequirements(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31718,7 +31898,7 @@ func schema_k8sio_api_core_v1_ResourceRequirements(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ResourceClaim"),
+										Ref:     ref(corev1.ResourceClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31728,7 +31908,7 @@ func schema_k8sio_api_core_v1_ResourceRequirements(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ResourceClaim", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			corev1.ResourceClaim{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -31763,7 +31943,7 @@ func schema_k8sio_api_core_v1_ResourceStatus(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ResourceHealth"),
+										Ref:     ref(corev1.ResourceHealth{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -31774,7 +31954,7 @@ func schema_k8sio_api_core_v1_ResourceStatus(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ResourceHealth"},
+			corev1.ResourceHealth{}.OpenAPIModelName()},
 	}
 }
 
@@ -31845,7 +32025,7 @@ func schema_k8sio_api_core_v1_ScaleIOPersistentVolumeSource(ref common.Reference
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.",
-							Ref:         ref("k8s.io/api/core/v1.SecretReference"),
+							Ref:         ref(corev1.SecretReference{}.OpenAPIModelName()),
 						},
 					},
 					"sslEnabled": {
@@ -31904,7 +32084,7 @@ func schema_k8sio_api_core_v1_ScaleIOPersistentVolumeSource(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.SecretReference"},
+			corev1.SecretReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -31934,7 +32114,7 @@ func schema_k8sio_api_core_v1_ScaleIOVolumeSource(ref common.ReferenceCallback)
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"sslEnabled": {
@@ -31993,7 +32173,7 @@ func schema_k8sio_api_core_v1_ScaleIOVolumeSource(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -32017,7 +32197,7 @@ func schema_k8sio_api_core_v1_ScopeSelector(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ScopedResourceSelectorRequirement"),
+										Ref:     ref(corev1.ScopedResourceSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32032,7 +32212,7 @@ func schema_k8sio_api_core_v1_ScopeSelector(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ScopedResourceSelectorRequirement"},
+			corev1.ScopedResourceSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -32155,7 +32335,7 @@ func schema_k8sio_api_core_v1_Secret(ref common.ReferenceCallback) common.OpenAP
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"immutable": {
@@ -32207,7 +32387,7 @@ func schema_k8sio_api_core_v1_Secret(ref common.ReferenceCallback) common.OpenAP
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32306,7 +32486,7 @@ func schema_k8sio_api_core_v1_SecretList(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -32317,7 +32497,7 @@ func schema_k8sio_api_core_v1_SecretList(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Secret"),
+										Ref:     ref(corev1.Secret{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32328,7 +32508,7 @@ func schema_k8sio_api_core_v1_SecretList(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Secret", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Secret{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32360,7 +32540,7 @@ func schema_k8sio_api_core_v1_SecretProjection(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.KeyToPath"),
+										Ref:     ref(corev1.KeyToPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32377,7 +32557,7 @@ func schema_k8sio_api_core_v1_SecretProjection(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.KeyToPath"},
+			corev1.KeyToPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -32440,7 +32620,7 @@ func schema_k8sio_api_core_v1_SecretVolumeSource(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.KeyToPath"),
+										Ref:     ref(corev1.KeyToPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32464,7 +32644,7 @@ func schema_k8sio_api_core_v1_SecretVolumeSource(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.KeyToPath"},
+			corev1.KeyToPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -32478,7 +32658,7 @@ func schema_k8sio_api_core_v1_SecurityContext(ref common.ReferenceCallback) comm
 					"capabilities": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.Capabilities"),
+							Ref:         ref(corev1.Capabilities{}.OpenAPIModelName()),
 						},
 					},
 					"privileged": {
@@ -32491,13 +32671,13 @@ func schema_k8sio_api_core_v1_SecurityContext(ref common.ReferenceCallback) comm
 					"seLinuxOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.SELinuxOptions"),
+							Ref:         ref(corev1.SELinuxOptions{}.OpenAPIModelName()),
 						},
 					},
 					"windowsOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.",
-							Ref:         ref("k8s.io/api/core/v1.WindowsSecurityContextOptions"),
+							Ref:         ref(corev1.WindowsSecurityContextOptions{}.OpenAPIModelName()),
 						},
 					},
 					"runAsUser": {
@@ -32546,20 +32726,20 @@ func schema_k8sio_api_core_v1_SecurityContext(ref common.ReferenceCallback) comm
 					"seccompProfile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.SeccompProfile"),
+							Ref:         ref(corev1.SeccompProfile{}.OpenAPIModelName()),
 						},
 					},
 					"appArmorProfile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "appArmorProfile is the AppArmor options to use by this container. If set, this profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name is windows.",
-							Ref:         ref("k8s.io/api/core/v1.AppArmorProfile"),
+							Ref:         ref(corev1.AppArmorProfile{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AppArmorProfile", "k8s.io/api/core/v1.Capabilities", "k8s.io/api/core/v1.SELinuxOptions", "k8s.io/api/core/v1.SeccompProfile", "k8s.io/api/core/v1.WindowsSecurityContextOptions"},
+			corev1.AppArmorProfile{}.OpenAPIModelName(), corev1.Capabilities{}.OpenAPIModelName(), corev1.SELinuxOptions{}.OpenAPIModelName(), corev1.SeccompProfile{}.OpenAPIModelName(), corev1.WindowsSecurityContextOptions{}.OpenAPIModelName()},
 	}
 }
 
@@ -32588,14 +32768,14 @@ func schema_k8sio_api_core_v1_SerializedReference(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "The reference to an object in the system.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference"},
+			corev1.ObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -32624,28 +32804,28 @@ func schema_k8sio_api_core_v1_Service(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ServiceSpec"),
+							Ref:         ref(corev1.ServiceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ServiceStatus"),
+							Ref:         ref(corev1.ServiceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ServiceSpec", "k8s.io/api/core/v1.ServiceStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.ServiceSpec{}.OpenAPIModelName(), corev1.ServiceStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32674,7 +32854,7 @@ func schema_k8sio_api_core_v1_ServiceAccount(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"secrets": {
@@ -32695,7 +32875,7 @@ func schema_k8sio_api_core_v1_ServiceAccount(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ObjectReference"),
+										Ref:     ref(corev1.ObjectReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32714,7 +32894,7 @@ func schema_k8sio_api_core_v1_ServiceAccount(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.LocalObjectReference"),
+										Ref:     ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32731,7 +32911,7 @@ func schema_k8sio_api_core_v1_ServiceAccount(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.LocalObjectReference{}.OpenAPIModelName(), corev1.ObjectReference{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32760,7 +32940,7 @@ func schema_k8sio_api_core_v1_ServiceAccountList(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -32771,7 +32951,7 @@ func schema_k8sio_api_core_v1_ServiceAccountList(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ServiceAccount"),
+										Ref:     ref(corev1.ServiceAccount{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32782,7 +32962,7 @@ func schema_k8sio_api_core_v1_ServiceAccountList(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ServiceAccount", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.ServiceAccount{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32847,7 +33027,7 @@ func schema_k8sio_api_core_v1_ServiceList(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -32858,7 +33038,7 @@ func schema_k8sio_api_core_v1_ServiceList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Service"),
+										Ref:     ref(corev1.Service{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -32869,7 +33049,7 @@ func schema_k8sio_api_core_v1_ServiceList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Service", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			corev1.Service{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -32914,7 +33094,7 @@ func schema_k8sio_api_core_v1_ServicePort(ref common.ReferenceCallback) common.O
 					"targetPort": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"nodePort": {
@@ -32929,7 +33109,7 @@ func schema_k8sio_api_core_v1_ServicePort(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -32993,7 +33173,7 @@ func schema_k8sio_api_core_v1_ServiceSpec(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.ServicePort"),
+										Ref:     ref(corev1.ServicePort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -33142,7 +33322,7 @@ func schema_k8sio_api_core_v1_ServiceSpec(ref common.ReferenceCallback) common.O
 					"sessionAffinityConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "sessionAffinityConfig contains the configurations of session affinity.",
-							Ref:         ref("k8s.io/api/core/v1.SessionAffinityConfig"),
+							Ref:         ref(corev1.SessionAffinityConfig{}.OpenAPIModelName()),
 						},
 					},
 					"ipFamilies": {
@@ -33207,7 +33387,7 @@ func schema_k8sio_api_core_v1_ServiceSpec(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ServicePort", "k8s.io/api/core/v1.SessionAffinityConfig"},
+			corev1.ServicePort{}.OpenAPIModelName(), corev1.SessionAffinityConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -33222,7 +33402,7 @@ func schema_k8sio_api_core_v1_ServiceStatus(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "LoadBalancer contains the current status of the load-balancer, if one is present.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.LoadBalancerStatus"),
+							Ref:         ref(corev1.LoadBalancerStatus{}.OpenAPIModelName()),
 						},
 					},
 					"conditions": {
@@ -33243,7 +33423,7 @@ func schema_k8sio_api_core_v1_ServiceStatus(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -33253,7 +33433,7 @@ func schema_k8sio_api_core_v1_ServiceStatus(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LoadBalancerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			corev1.LoadBalancerStatus{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -33267,14 +33447,14 @@ func schema_k8sio_api_core_v1_SessionAffinityConfig(ref common.ReferenceCallback
 					"clientIP": {
 						SchemaProps: spec.SchemaProps{
 							Description: "clientIP contains the configurations of Client IP based session affinity.",
-							Ref:         ref("k8s.io/api/core/v1.ClientIPConfig"),
+							Ref:         ref(corev1.ClientIPConfig{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ClientIPConfig"},
+			corev1.ClientIPConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -33338,14 +33518,14 @@ func schema_k8sio_api_core_v1_StorageOSPersistentVolumeSource(ref common.Referen
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference"},
+			corev1.ObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -33387,14 +33567,14 @@ func schema_k8sio_api_core_v1_StorageOSVolumeSource(ref common.ReferenceCallback
 					"secretRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.",
-							Ref:         ref("k8s.io/api/core/v1.LocalObjectReference"),
+							Ref:         ref(corev1.LocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.LocalObjectReference"},
+			corev1.LocalObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -33438,7 +33618,7 @@ func schema_k8sio_api_core_v1_TCPSocketAction(ref common.ReferenceCallback) comm
 					"port": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"host": {
@@ -33453,7 +33633,7 @@ func schema_k8sio_api_core_v1_TCPSocketAction(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -33491,7 +33671,7 @@ func schema_k8sio_api_core_v1_Taint(ref common.ReferenceCallback) common.OpenAPI
 					"timeAdded": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TimeAdded represents the time at which the taint was added.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -33499,7 +33679,7 @@ func schema_k8sio_api_core_v1_Taint(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -33519,10 +33699,10 @@ func schema_k8sio_api_core_v1_Toleration(ref common.ReferenceCallback) common.Op
 					},
 					"operator": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`",
+							Description: "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`\n - `\"Gt\"`\n - `\"Lt\"`",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"Equal", "Exists"},
+							Enum:        []interface{}{"Equal", "Exists", "Gt", "Lt"},
 						},
 					},
 					"value": {
@@ -33615,7 +33795,7 @@ func schema_k8sio_api_core_v1_TopologySelectorTerm(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.TopologySelectorLabelRequirement"),
+										Ref:     ref(corev1.TopologySelectorLabelRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -33630,7 +33810,7 @@ func schema_k8sio_api_core_v1_TopologySelectorTerm(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TopologySelectorLabelRequirement"},
+			corev1.TopologySelectorLabelRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -33669,7 +33849,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb
 					"labelSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"minDomains": {
@@ -33720,7 +33900,7 @@ func schema_k8sio_api_core_v1_TopologySpreadConstraint(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -33828,181 +34008,181 @@ func schema_k8sio_api_core_v1_Volume(ref common.ReferenceCallback) common.OpenAP
 					"hostPath": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
-							Ref:         ref("k8s.io/api/core/v1.HostPathVolumeSource"),
+							Ref:         ref(corev1.HostPathVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"emptyDir": {
 						SchemaProps: spec.SchemaProps{
 							Description: "emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir",
-							Ref:         ref("k8s.io/api/core/v1.EmptyDirVolumeSource"),
+							Ref:         ref(corev1.EmptyDirVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"gcePersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
-							Ref:         ref("k8s.io/api/core/v1.GCEPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"awsElasticBlockStore": {
 						SchemaProps: spec.SchemaProps{
 							Description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
-							Ref:         ref("k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource"),
+							Ref:         ref(corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"gitRepo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.",
-							Ref:         ref("k8s.io/api/core/v1.GitRepoVolumeSource"),
+							Ref:         ref(corev1.GitRepoVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"secret": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret",
-							Ref:         ref("k8s.io/api/core/v1.SecretVolumeSource"),
+							Ref:         ref(corev1.SecretVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"nfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-							Ref:         ref("k8s.io/api/core/v1.NFSVolumeSource"),
+							Ref:         ref(corev1.NFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"iscsi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi",
-							Ref:         ref("k8s.io/api/core/v1.ISCSIVolumeSource"),
+							Ref:         ref(corev1.ISCSIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"glusterfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.GlusterfsVolumeSource"),
+							Ref:         ref(corev1.GlusterfsVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"persistentVolumeClaim": {
 						SchemaProps: spec.SchemaProps{
 							Description: "persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource"),
+							Ref:         ref(corev1.PersistentVolumeClaimVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"rbd": {
 						SchemaProps: spec.SchemaProps{
 							Description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.RBDVolumeSource"),
+							Ref:         ref(corev1.RBDVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flexVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.",
-							Ref:         ref("k8s.io/api/core/v1.FlexVolumeSource"),
+							Ref:         ref(corev1.FlexVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cinder": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.CinderVolumeSource"),
+							Ref:         ref(corev1.CinderVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cephfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.CephFSVolumeSource"),
+							Ref:         ref(corev1.CephFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flocker": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.FlockerVolumeSource"),
+							Ref:         ref(corev1.FlockerVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"downwardAPI": {
 						SchemaProps: spec.SchemaProps{
 							Description: "downwardAPI represents downward API about the pod that should populate this volume",
-							Ref:         ref("k8s.io/api/core/v1.DownwardAPIVolumeSource"),
+							Ref:         ref(corev1.DownwardAPIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"fc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
-							Ref:         ref("k8s.io/api/core/v1.FCVolumeSource"),
+							Ref:         ref(corev1.FCVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureFile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureFileVolumeSource"),
+							Ref:         ref(corev1.AzureFileVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"configMap": {
 						SchemaProps: spec.SchemaProps{
 							Description: "configMap represents a configMap that should populate this volume",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapVolumeSource"),
+							Ref:         ref(corev1.ConfigMapVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"vsphereVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"),
+							Ref:         ref(corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"quobyte": {
 						SchemaProps: spec.SchemaProps{
 							Description: "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.QuobyteVolumeSource"),
+							Ref:         ref(corev1.QuobyteVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureDiskVolumeSource"),
+							Ref:         ref(corev1.AzureDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"photonPersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"projected": {
 						SchemaProps: spec.SchemaProps{
 							Description: "projected items for all in one resources secrets, configmaps, and downward API",
-							Ref:         ref("k8s.io/api/core/v1.ProjectedVolumeSource"),
+							Ref:         ref(corev1.ProjectedVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"portworxVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.",
-							Ref:         ref("k8s.io/api/core/v1.PortworxVolumeSource"),
+							Ref:         ref(corev1.PortworxVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"scaleIO": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.ScaleIOVolumeSource"),
+							Ref:         ref(corev1.ScaleIOVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"storageos": {
 						SchemaProps: spec.SchemaProps{
 							Description: "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.StorageOSVolumeSource"),
+							Ref:         ref(corev1.StorageOSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"csi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.",
-							Ref:         ref("k8s.io/api/core/v1.CSIVolumeSource"),
+							Ref:         ref(corev1.CSIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"ephemeral": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.\n\nUse this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.\n\nA pod can use both types of ephemeral volumes and persistent volumes at the same time.",
-							Ref:         ref("k8s.io/api/core/v1.EphemeralVolumeSource"),
+							Ref:         ref(corev1.EphemeralVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"image": {
 						SchemaProps: spec.SchemaProps{
 							Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.",
-							Ref:         ref("k8s.io/api/core/v1.ImageVolumeSource"),
+							Ref:         ref(corev1.ImageVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -34010,7 +34190,7 @@ func schema_k8sio_api_core_v1_Volume(ref common.ReferenceCallback) common.OpenAP
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource", "k8s.io/api/core/v1.AzureDiskVolumeSource", "k8s.io/api/core/v1.AzureFileVolumeSource", "k8s.io/api/core/v1.CSIVolumeSource", "k8s.io/api/core/v1.CephFSVolumeSource", "k8s.io/api/core/v1.CinderVolumeSource", "k8s.io/api/core/v1.ConfigMapVolumeSource", "k8s.io/api/core/v1.DownwardAPIVolumeSource", "k8s.io/api/core/v1.EmptyDirVolumeSource", "k8s.io/api/core/v1.EphemeralVolumeSource", "k8s.io/api/core/v1.FCVolumeSource", "k8s.io/api/core/v1.FlexVolumeSource", "k8s.io/api/core/v1.FlockerVolumeSource", "k8s.io/api/core/v1.GCEPersistentDiskVolumeSource", "k8s.io/api/core/v1.GitRepoVolumeSource", "k8s.io/api/core/v1.GlusterfsVolumeSource", "k8s.io/api/core/v1.HostPathVolumeSource", "k8s.io/api/core/v1.ISCSIVolumeSource", "k8s.io/api/core/v1.ImageVolumeSource", "k8s.io/api/core/v1.NFSVolumeSource", "k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource", "k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource", "k8s.io/api/core/v1.PortworxVolumeSource", "k8s.io/api/core/v1.ProjectedVolumeSource", "k8s.io/api/core/v1.QuobyteVolumeSource", "k8s.io/api/core/v1.RBDVolumeSource", "k8s.io/api/core/v1.ScaleIOVolumeSource", "k8s.io/api/core/v1.SecretVolumeSource", "k8s.io/api/core/v1.StorageOSVolumeSource", "k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"},
+			corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName(), corev1.AzureDiskVolumeSource{}.OpenAPIModelName(), corev1.AzureFileVolumeSource{}.OpenAPIModelName(), corev1.CSIVolumeSource{}.OpenAPIModelName(), corev1.CephFSVolumeSource{}.OpenAPIModelName(), corev1.CinderVolumeSource{}.OpenAPIModelName(), corev1.ConfigMapVolumeSource{}.OpenAPIModelName(), corev1.DownwardAPIVolumeSource{}.OpenAPIModelName(), corev1.EmptyDirVolumeSource{}.OpenAPIModelName(), corev1.EphemeralVolumeSource{}.OpenAPIModelName(), corev1.FCVolumeSource{}.OpenAPIModelName(), corev1.FlexVolumeSource{}.OpenAPIModelName(), corev1.FlockerVolumeSource{}.OpenAPIModelName(), corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.GitRepoVolumeSource{}.OpenAPIModelName(), corev1.GlusterfsVolumeSource{}.OpenAPIModelName(), corev1.HostPathVolumeSource{}.OpenAPIModelName(), corev1.ISCSIVolumeSource{}.OpenAPIModelName(), corev1.ImageVolumeSource{}.OpenAPIModelName(), corev1.NFSVolumeSource{}.OpenAPIModelName(), corev1.PersistentVolumeClaimVolumeSource{}.OpenAPIModelName(), corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.PortworxVolumeSource{}.OpenAPIModelName(), corev1.ProjectedVolumeSource{}.OpenAPIModelName(), corev1.QuobyteVolumeSource{}.OpenAPIModelName(), corev1.RBDVolumeSource{}.OpenAPIModelName(), corev1.ScaleIOVolumeSource{}.OpenAPIModelName(), corev1.SecretVolumeSource{}.OpenAPIModelName(), corev1.StorageOSVolumeSource{}.OpenAPIModelName(), corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -34164,14 +34344,14 @@ func schema_k8sio_api_core_v1_VolumeNodeAffinity(ref common.ReferenceCallback) c
 					"required": {
 						SchemaProps: spec.SchemaProps{
 							Description: "required specifies hard node constraints that must be met.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector"},
+			corev1.NodeSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -34185,44 +34365,44 @@ func schema_k8sio_api_core_v1_VolumeProjection(ref common.ReferenceCallback) com
 					"secret": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secret information about the secret data to project",
-							Ref:         ref("k8s.io/api/core/v1.SecretProjection"),
+							Ref:         ref(corev1.SecretProjection{}.OpenAPIModelName()),
 						},
 					},
 					"downwardAPI": {
 						SchemaProps: spec.SchemaProps{
 							Description: "downwardAPI information about the downwardAPI data to project",
-							Ref:         ref("k8s.io/api/core/v1.DownwardAPIProjection"),
+							Ref:         ref(corev1.DownwardAPIProjection{}.OpenAPIModelName()),
 						},
 					},
 					"configMap": {
 						SchemaProps: spec.SchemaProps{
 							Description: "configMap information about the configMap data to project",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapProjection"),
+							Ref:         ref(corev1.ConfigMapProjection{}.OpenAPIModelName()),
 						},
 					},
 					"serviceAccountToken": {
 						SchemaProps: spec.SchemaProps{
 							Description: "serviceAccountToken is information about the serviceAccountToken data to project",
-							Ref:         ref("k8s.io/api/core/v1.ServiceAccountTokenProjection"),
+							Ref:         ref(corev1.ServiceAccountTokenProjection{}.OpenAPIModelName()),
 						},
 					},
 					"clusterTrustBundle": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written into the pod filesystem.  Esoteric PEM features such as inter-block comments and block headers are stripped.  Certificates are deduplicated. The ordering of certificates within the file is arbitrary, and Kubelet may change the order over time.",
-							Ref:         ref("k8s.io/api/core/v1.ClusterTrustBundleProjection"),
+							Ref:         ref(corev1.ClusterTrustBundleProjection{}.OpenAPIModelName()),
 						},
 					},
 					"podCertificate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Projects an auto-rotating credential bundle (private key and certificate chain) that the pod can use either as a TLS client or server.\n\nKubelet generates a private key and uses it to send a PodCertificateRequest to the named signer.  Once the signer approves the request and issues a certificate chain, Kubelet writes the key and certificate chain to the pod filesystem.  The pod does not start until certificates have been issued for each podCertificate projected volume source in its spec.\n\nKubelet will begin trying to rotate the certificate at the time indicated by the signer using the PodCertificateRequest.Status.BeginRefreshAt timestamp.\n\nKubelet can write a single file, indicated by the credentialBundlePath field, or separate files, indicated by the keyPath and certificateChainPath fields.\n\nThe credential bundle is a single file in PEM format.  The first PEM entry is the private key (in PKCS#8 format), and the remaining PEM entries are the certificate chain issued by the signer (typically, signers will return their certificate chain in leaf-to-root order).\n\nPrefer using the credential bundle format, since your application code can read it atomically.  If you use keyPath and certificateChainPath, your application must make two separate file reads. If these coincide with a certificate rotation, it is possible that the private key and leaf certificate you read may not correspond to each other.  Your application will need to check for this condition, and re-read until they are consistent.\n\nThe named signer controls chooses the format of the certificate it issues; consult the signer implementation's documentation to learn how to use the certificates it issues.",
-							Ref:         ref("k8s.io/api/core/v1.PodCertificateProjection"),
+							Ref:         ref(corev1.PodCertificateProjection{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ClusterTrustBundleProjection", "k8s.io/api/core/v1.ConfigMapProjection", "k8s.io/api/core/v1.DownwardAPIProjection", "k8s.io/api/core/v1.PodCertificateProjection", "k8s.io/api/core/v1.SecretProjection", "k8s.io/api/core/v1.ServiceAccountTokenProjection"},
+			corev1.ClusterTrustBundleProjection{}.OpenAPIModelName(), corev1.ConfigMapProjection{}.OpenAPIModelName(), corev1.DownwardAPIProjection{}.OpenAPIModelName(), corev1.PodCertificateProjection{}.OpenAPIModelName(), corev1.SecretProjection{}.OpenAPIModelName(), corev1.ServiceAccountTokenProjection{}.OpenAPIModelName()},
 	}
 }
 
@@ -34241,7 +34421,7 @@ func schema_k8sio_api_core_v1_VolumeResourceRequirements(ref common.ReferenceCal
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34255,7 +34435,7 @@ func schema_k8sio_api_core_v1_VolumeResourceRequirements(ref common.ReferenceCal
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34265,7 +34445,7 @@ func schema_k8sio_api_core_v1_VolumeResourceRequirements(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -34279,188 +34459,188 @@ func schema_k8sio_api_core_v1_VolumeSource(ref common.ReferenceCallback) common.
 					"hostPath": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
-							Ref:         ref("k8s.io/api/core/v1.HostPathVolumeSource"),
+							Ref:         ref(corev1.HostPathVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"emptyDir": {
 						SchemaProps: spec.SchemaProps{
 							Description: "emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir",
-							Ref:         ref("k8s.io/api/core/v1.EmptyDirVolumeSource"),
+							Ref:         ref(corev1.EmptyDirVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"gcePersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
-							Ref:         ref("k8s.io/api/core/v1.GCEPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"awsElasticBlockStore": {
 						SchemaProps: spec.SchemaProps{
 							Description: "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
-							Ref:         ref("k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource"),
+							Ref:         ref(corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"gitRepo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.",
-							Ref:         ref("k8s.io/api/core/v1.GitRepoVolumeSource"),
+							Ref:         ref(corev1.GitRepoVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"secret": {
 						SchemaProps: spec.SchemaProps{
 							Description: "secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret",
-							Ref:         ref("k8s.io/api/core/v1.SecretVolumeSource"),
+							Ref:         ref(corev1.SecretVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"nfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
-							Ref:         ref("k8s.io/api/core/v1.NFSVolumeSource"),
+							Ref:         ref(corev1.NFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"iscsi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi",
-							Ref:         ref("k8s.io/api/core/v1.ISCSIVolumeSource"),
+							Ref:         ref(corev1.ISCSIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"glusterfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.GlusterfsVolumeSource"),
+							Ref:         ref(corev1.GlusterfsVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"persistentVolumeClaim": {
 						SchemaProps: spec.SchemaProps{
 							Description: "persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource"),
+							Ref:         ref(corev1.PersistentVolumeClaimVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"rbd": {
 						SchemaProps: spec.SchemaProps{
 							Description: "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.RBDVolumeSource"),
+							Ref:         ref(corev1.RBDVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flexVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.",
-							Ref:         ref("k8s.io/api/core/v1.FlexVolumeSource"),
+							Ref:         ref(corev1.FlexVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cinder": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md",
-							Ref:         ref("k8s.io/api/core/v1.CinderVolumeSource"),
+							Ref:         ref(corev1.CinderVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"cephfs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.CephFSVolumeSource"),
+							Ref:         ref(corev1.CephFSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"flocker": {
 						SchemaProps: spec.SchemaProps{
 							Description: "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.FlockerVolumeSource"),
+							Ref:         ref(corev1.FlockerVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"downwardAPI": {
 						SchemaProps: spec.SchemaProps{
 							Description: "downwardAPI represents downward API about the pod that should populate this volume",
-							Ref:         ref("k8s.io/api/core/v1.DownwardAPIVolumeSource"),
+							Ref:         ref(corev1.DownwardAPIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"fc": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
-							Ref:         ref("k8s.io/api/core/v1.FCVolumeSource"),
+							Ref:         ref(corev1.FCVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureFile": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureFileVolumeSource"),
+							Ref:         ref(corev1.AzureFileVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"configMap": {
 						SchemaProps: spec.SchemaProps{
 							Description: "configMap represents a configMap that should populate this volume",
-							Ref:         ref("k8s.io/api/core/v1.ConfigMapVolumeSource"),
+							Ref:         ref(corev1.ConfigMapVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"vsphereVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"),
+							Ref:         ref(corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"quobyte": {
 						SchemaProps: spec.SchemaProps{
 							Description: "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.QuobyteVolumeSource"),
+							Ref:         ref(corev1.QuobyteVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"azureDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver.",
-							Ref:         ref("k8s.io/api/core/v1.AzureDiskVolumeSource"),
+							Ref:         ref(corev1.AzureDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"photonPersistentDisk": {
 						SchemaProps: spec.SchemaProps{
 							Description: "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource"),
+							Ref:         ref(corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"projected": {
 						SchemaProps: spec.SchemaProps{
 							Description: "projected items for all in one resources secrets, configmaps, and downward API",
-							Ref:         ref("k8s.io/api/core/v1.ProjectedVolumeSource"),
+							Ref:         ref(corev1.ProjectedVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"portworxVolume": {
 						SchemaProps: spec.SchemaProps{
 							Description: "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on.",
-							Ref:         ref("k8s.io/api/core/v1.PortworxVolumeSource"),
+							Ref:         ref(corev1.PortworxVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"scaleIO": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.ScaleIOVolumeSource"),
+							Ref:         ref(corev1.ScaleIOVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"storageos": {
 						SchemaProps: spec.SchemaProps{
 							Description: "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.",
-							Ref:         ref("k8s.io/api/core/v1.StorageOSVolumeSource"),
+							Ref:         ref(corev1.StorageOSVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"csi": {
 						SchemaProps: spec.SchemaProps{
 							Description: "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.",
-							Ref:         ref("k8s.io/api/core/v1.CSIVolumeSource"),
+							Ref:         ref(corev1.CSIVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"ephemeral": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.\n\nUse this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity\n   tracking are needed,\nc) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through\n   a PersistentVolumeClaim (see EphemeralVolumeSource for more\n   information on the connection between this volume type\n   and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.\n\nA pod can use both types of ephemeral volumes and persistent volumes at the same time.",
-							Ref:         ref("k8s.io/api/core/v1.EphemeralVolumeSource"),
+							Ref:         ref(corev1.EphemeralVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 					"image": {
 						SchemaProps: spec.SchemaProps{
 							Description: "image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.",
-							Ref:         ref("k8s.io/api/core/v1.ImageVolumeSource"),
+							Ref:         ref(corev1.ImageVolumeSource{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource", "k8s.io/api/core/v1.AzureDiskVolumeSource", "k8s.io/api/core/v1.AzureFileVolumeSource", "k8s.io/api/core/v1.CSIVolumeSource", "k8s.io/api/core/v1.CephFSVolumeSource", "k8s.io/api/core/v1.CinderVolumeSource", "k8s.io/api/core/v1.ConfigMapVolumeSource", "k8s.io/api/core/v1.DownwardAPIVolumeSource", "k8s.io/api/core/v1.EmptyDirVolumeSource", "k8s.io/api/core/v1.EphemeralVolumeSource", "k8s.io/api/core/v1.FCVolumeSource", "k8s.io/api/core/v1.FlexVolumeSource", "k8s.io/api/core/v1.FlockerVolumeSource", "k8s.io/api/core/v1.GCEPersistentDiskVolumeSource", "k8s.io/api/core/v1.GitRepoVolumeSource", "k8s.io/api/core/v1.GlusterfsVolumeSource", "k8s.io/api/core/v1.HostPathVolumeSource", "k8s.io/api/core/v1.ISCSIVolumeSource", "k8s.io/api/core/v1.ImageVolumeSource", "k8s.io/api/core/v1.NFSVolumeSource", "k8s.io/api/core/v1.PersistentVolumeClaimVolumeSource", "k8s.io/api/core/v1.PhotonPersistentDiskVolumeSource", "k8s.io/api/core/v1.PortworxVolumeSource", "k8s.io/api/core/v1.ProjectedVolumeSource", "k8s.io/api/core/v1.QuobyteVolumeSource", "k8s.io/api/core/v1.RBDVolumeSource", "k8s.io/api/core/v1.ScaleIOVolumeSource", "k8s.io/api/core/v1.SecretVolumeSource", "k8s.io/api/core/v1.StorageOSVolumeSource", "k8s.io/api/core/v1.VsphereVirtualDiskVolumeSource"},
+			corev1.AWSElasticBlockStoreVolumeSource{}.OpenAPIModelName(), corev1.AzureDiskVolumeSource{}.OpenAPIModelName(), corev1.AzureFileVolumeSource{}.OpenAPIModelName(), corev1.CSIVolumeSource{}.OpenAPIModelName(), corev1.CephFSVolumeSource{}.OpenAPIModelName(), corev1.CinderVolumeSource{}.OpenAPIModelName(), corev1.ConfigMapVolumeSource{}.OpenAPIModelName(), corev1.DownwardAPIVolumeSource{}.OpenAPIModelName(), corev1.EmptyDirVolumeSource{}.OpenAPIModelName(), corev1.EphemeralVolumeSource{}.OpenAPIModelName(), corev1.FCVolumeSource{}.OpenAPIModelName(), corev1.FlexVolumeSource{}.OpenAPIModelName(), corev1.FlockerVolumeSource{}.OpenAPIModelName(), corev1.GCEPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.GitRepoVolumeSource{}.OpenAPIModelName(), corev1.GlusterfsVolumeSource{}.OpenAPIModelName(), corev1.HostPathVolumeSource{}.OpenAPIModelName(), corev1.ISCSIVolumeSource{}.OpenAPIModelName(), corev1.ImageVolumeSource{}.OpenAPIModelName(), corev1.NFSVolumeSource{}.OpenAPIModelName(), corev1.PersistentVolumeClaimVolumeSource{}.OpenAPIModelName(), corev1.PhotonPersistentDiskVolumeSource{}.OpenAPIModelName(), corev1.PortworxVolumeSource{}.OpenAPIModelName(), corev1.ProjectedVolumeSource{}.OpenAPIModelName(), corev1.QuobyteVolumeSource{}.OpenAPIModelName(), corev1.RBDVolumeSource{}.OpenAPIModelName(), corev1.ScaleIOVolumeSource{}.OpenAPIModelName(), corev1.SecretVolumeSource{}.OpenAPIModelName(), corev1.StorageOSVolumeSource{}.OpenAPIModelName(), corev1.VsphereVirtualDiskVolumeSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -34526,7 +34706,7 @@ func schema_k8sio_api_core_v1_WeightedPodAffinityTerm(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Required. A pod affinity term, associated with the corresponding weight.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodAffinityTerm"),
+							Ref:         ref(corev1.PodAffinityTerm{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -34534,7 +34714,7 @@ func schema_k8sio_api_core_v1_WeightedPodAffinityTerm(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodAffinityTerm"},
+			corev1.PodAffinityTerm{}.OpenAPIModelName()},
 	}
 }
 
@@ -34579,6 +34759,43 @@ func schema_k8sio_api_core_v1_WindowsSecurityContextOptions(ref common.Reference
 	}
 }
 
+func schema_k8sio_api_core_v1_WorkloadReference(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"podGroup": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"podGroupReplicaKey": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"name", "podGroup"},
+			},
+		},
+	}
+}
+
 func schema_k8sio_api_discovery_v1_Endpoint(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -34610,7 +34827,7 @@ func schema_k8sio_api_discovery_v1_Endpoint(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "conditions contains information about the current status of the endpoint.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/discovery/v1.EndpointConditions"),
+							Ref:         ref(discoveryv1.EndpointConditions{}.OpenAPIModelName()),
 						},
 					},
 					"hostname": {
@@ -34623,7 +34840,7 @@ func schema_k8sio_api_discovery_v1_Endpoint(ref common.ReferenceCallback) common
 					"targetRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetRef is a reference to a Kubernetes object that represents this endpoint.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedTopology": {
@@ -34659,7 +34876,7 @@ func schema_k8sio_api_discovery_v1_Endpoint(ref common.ReferenceCallback) common
 					"hints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hints contains information associated with how an endpoint should be consumed.",
-							Ref:         ref("k8s.io/api/discovery/v1.EndpointHints"),
+							Ref:         ref(discoveryv1.EndpointHints{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -34667,7 +34884,7 @@ func schema_k8sio_api_discovery_v1_Endpoint(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/api/discovery/v1.EndpointConditions", "k8s.io/api/discovery/v1.EndpointHints"},
+			corev1.ObjectReference{}.OpenAPIModelName(), discoveryv1.EndpointConditions{}.OpenAPIModelName(), discoveryv1.EndpointHints{}.OpenAPIModelName()},
 	}
 }
 
@@ -34725,7 +34942,7 @@ func schema_k8sio_api_discovery_v1_EndpointHints(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1.ForZone"),
+										Ref:     ref(discoveryv1.ForZone{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34738,13 +34955,13 @@ func schema_k8sio_api_discovery_v1_EndpointHints(ref common.ReferenceCallback) c
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+							Description: "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1.ForNode"),
+										Ref:     ref(discoveryv1.ForNode{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34754,7 +34971,7 @@ func schema_k8sio_api_discovery_v1_EndpointHints(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1.ForNode", "k8s.io/api/discovery/v1.ForZone"},
+			discoveryv1.ForNode{}.OpenAPIModelName(), discoveryv1.ForZone{}.OpenAPIModelName()},
 	}
 }
 
@@ -34830,7 +35047,7 @@ func schema_k8sio_api_discovery_v1_EndpointSlice(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"addressType": {
@@ -34855,7 +35072,7 @@ func schema_k8sio_api_discovery_v1_EndpointSlice(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1.Endpoint"),
+										Ref:     ref(discoveryv1.Endpoint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34874,7 +35091,7 @@ func schema_k8sio_api_discovery_v1_EndpointSlice(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1.EndpointPort"),
+										Ref:     ref(discoveryv1.EndpointPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34885,7 +35102,7 @@ func schema_k8sio_api_discovery_v1_EndpointSlice(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1.Endpoint", "k8s.io/api/discovery/v1.EndpointPort", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			discoveryv1.Endpoint{}.OpenAPIModelName(), discoveryv1.EndpointPort{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -34914,7 +35131,7 @@ func schema_k8sio_api_discovery_v1_EndpointSliceList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -34925,7 +35142,7 @@ func schema_k8sio_api_discovery_v1_EndpointSliceList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1.EndpointSlice"),
+										Ref:     ref(discoveryv1.EndpointSlice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -34936,7 +35153,7 @@ func schema_k8sio_api_discovery_v1_EndpointSliceList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1.EndpointSlice", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			discoveryv1.EndpointSlice{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35015,7 +35232,7 @@ func schema_k8sio_api_discovery_v1beta1_Endpoint(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "conditions contains information about the current status of the endpoint.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/discovery/v1beta1.EndpointConditions"),
+							Ref:         ref(discoveryv1beta1.EndpointConditions{}.OpenAPIModelName()),
 						},
 					},
 					"hostname": {
@@ -35028,7 +35245,7 @@ func schema_k8sio_api_discovery_v1beta1_Endpoint(ref common.ReferenceCallback) c
 					"targetRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetRef is a reference to a Kubernetes object that represents this endpoint.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"topology": {
@@ -35057,7 +35274,7 @@ func schema_k8sio_api_discovery_v1beta1_Endpoint(ref common.ReferenceCallback) c
 					"hints": {
 						SchemaProps: spec.SchemaProps{
 							Description: "hints contains information associated with how an endpoint should be consumed.",
-							Ref:         ref("k8s.io/api/discovery/v1beta1.EndpointHints"),
+							Ref:         ref(discoveryv1beta1.EndpointHints{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -35065,7 +35282,7 @@ func schema_k8sio_api_discovery_v1beta1_Endpoint(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/api/discovery/v1beta1.EndpointConditions", "k8s.io/api/discovery/v1beta1.EndpointHints"},
+			corev1.ObjectReference{}.OpenAPIModelName(), discoveryv1beta1.EndpointConditions{}.OpenAPIModelName(), discoveryv1beta1.EndpointHints{}.OpenAPIModelName()},
 	}
 }
 
@@ -35123,7 +35340,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointHints(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1beta1.ForZone"),
+										Ref:     ref(discoveryv1beta1.ForZone{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35136,13 +35353,13 @@ func schema_k8sio_api_discovery_v1beta1_EndpointHints(ref common.ReferenceCallba
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+							Description: "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1beta1.ForNode"),
+										Ref:     ref(discoveryv1beta1.ForNode{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35152,7 +35369,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointHints(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1beta1.ForNode", "k8s.io/api/discovery/v1beta1.ForZone"},
+			discoveryv1beta1.ForNode{}.OpenAPIModelName(), discoveryv1beta1.ForZone{}.OpenAPIModelName()},
 	}
 }
 
@@ -35223,7 +35440,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"addressType": {
@@ -35247,7 +35464,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1beta1.Endpoint"),
+										Ref:     ref(discoveryv1beta1.Endpoint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35266,7 +35483,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1beta1.EndpointPort"),
+										Ref:     ref(discoveryv1beta1.EndpointPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35277,7 +35494,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSlice(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1beta1.Endpoint", "k8s.io/api/discovery/v1beta1.EndpointPort", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			discoveryv1beta1.Endpoint{}.OpenAPIModelName(), discoveryv1beta1.EndpointPort{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35306,7 +35523,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSliceList(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -35317,7 +35534,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSliceList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/discovery/v1beta1.EndpointSlice"),
+										Ref:     ref(discoveryv1beta1.EndpointSlice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35328,7 +35545,7 @@ func schema_k8sio_api_discovery_v1beta1_EndpointSliceList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/discovery/v1beta1.EndpointSlice", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			discoveryv1beta1.EndpointSlice{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35401,19 +35618,19 @@ func schema_k8sio_api_events_v1_Event(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"eventTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "eventTime is the time when this Event was first observed. It is required.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"series": {
 						SchemaProps: spec.SchemaProps{
 							Description: "series is data about the Event series this event represents or nil if it's a singleton Event.",
-							Ref:         ref("k8s.io/api/events/v1.EventSeries"),
+							Ref:         ref(eventsv1.EventSeries{}.OpenAPIModelName()),
 						},
 					},
 					"reportingController": {
@@ -35448,13 +35665,13 @@ func schema_k8sio_api_events_v1_Event(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"related": {
 						SchemaProps: spec.SchemaProps{
 							Description: "related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"note": {
@@ -35475,19 +35692,19 @@ func schema_k8sio_api_events_v1_Event(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.EventSource"),
+							Ref:         ref(corev1.EventSource{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedFirstTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedLastTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedCount": {
@@ -35502,7 +35719,7 @@ func schema_k8sio_api_events_v1_Event(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EventSource", "k8s.io/api/core/v1.ObjectReference", "k8s.io/api/events/v1.EventSeries", "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.EventSource{}.OpenAPIModelName(), corev1.ObjectReference{}.OpenAPIModelName(), eventsv1.EventSeries{}.OpenAPIModelName(), metav1.MicroTime{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -35531,7 +35748,7 @@ func schema_k8sio_api_events_v1_EventList(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -35542,7 +35759,7 @@ func schema_k8sio_api_events_v1_EventList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/events/v1.Event"),
+										Ref:     ref(eventsv1.Event{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35553,7 +35770,7 @@ func schema_k8sio_api_events_v1_EventList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/events/v1.Event", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			eventsv1.Event{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35575,7 +35792,7 @@ func schema_k8sio_api_events_v1_EventSeries(ref common.ReferenceCallback) common
 					"lastObservedTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastObservedTime is the time when last Event from the series was seen before last heartbeat.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -35583,7 +35800,7 @@ func schema_k8sio_api_events_v1_EventSeries(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
@@ -35612,19 +35829,19 @@ func schema_k8sio_api_events_v1beta1_Event(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"eventTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "eventTime is the time when this Event was first observed. It is required.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"series": {
 						SchemaProps: spec.SchemaProps{
 							Description: "series is data about the Event series this event represents or nil if it's a singleton Event.",
-							Ref:         ref("k8s.io/api/events/v1beta1.EventSeries"),
+							Ref:         ref(eventsv1beta1.EventSeries{}.OpenAPIModelName()),
 						},
 					},
 					"reportingController": {
@@ -35659,13 +35876,13 @@ func schema_k8sio_api_events_v1beta1_Event(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"related": {
 						SchemaProps: spec.SchemaProps{
 							Description: "related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.",
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"note": {
@@ -35686,19 +35903,19 @@ func schema_k8sio_api_events_v1beta1_Event(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.EventSource"),
+							Ref:         ref(corev1.EventSource{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedFirstTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedLastTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deprecatedCount": {
@@ -35713,7 +35930,7 @@ func schema_k8sio_api_events_v1beta1_Event(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.EventSource", "k8s.io/api/core/v1.ObjectReference", "k8s.io/api/events/v1beta1.EventSeries", "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.EventSource{}.OpenAPIModelName(), corev1.ObjectReference{}.OpenAPIModelName(), eventsv1beta1.EventSeries{}.OpenAPIModelName(), metav1.MicroTime{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -35742,7 +35959,7 @@ func schema_k8sio_api_events_v1beta1_EventList(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -35753,7 +35970,7 @@ func schema_k8sio_api_events_v1beta1_EventList(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/events/v1beta1.Event"),
+										Ref:     ref(eventsv1beta1.Event{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35764,7 +35981,7 @@ func schema_k8sio_api_events_v1beta1_EventList(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/events/v1beta1.Event", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			eventsv1beta1.Event{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35786,7 +36003,7 @@ func schema_k8sio_api_events_v1beta1_EventSeries(ref common.ReferenceCallback) c
 					"lastObservedTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastObservedTime is the time when last Event from the series was seen before last heartbeat.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -35794,7 +36011,7 @@ func schema_k8sio_api_events_v1beta1_EventSeries(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"},
+			metav1.MicroTime{}.OpenAPIModelName()},
 	}
 }
 
@@ -35823,28 +36040,28 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSet(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DaemonSetSpec"),
+							Ref:         ref(extensionsv1beta1.DaemonSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DaemonSetStatus"),
+							Ref:         ref(extensionsv1beta1.DaemonSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.DaemonSetSpec", "k8s.io/api/extensions/v1beta1.DaemonSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.DaemonSetSpec{}.OpenAPIModelName(), extensionsv1beta1.DaemonSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35874,7 +36091,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetCondition(ref common.Reference
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -35896,7 +36113,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetCondition(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -35925,7 +36142,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -35936,7 +36153,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.DaemonSet"),
+										Ref:     ref(extensionsv1beta1.DaemonSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -35947,7 +36164,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.DaemonSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			extensionsv1beta1.DaemonSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -35961,21 +36178,21 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetSpec(ref common.ReferenceCallb
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"updateStrategy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An update strategy to replace existing DaemonSet pods with new pods.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DaemonSetUpdateStrategy"),
+							Ref:         ref(extensionsv1beta1.DaemonSetUpdateStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -36004,7 +36221,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/api/extensions/v1beta1.DaemonSetUpdateStrategy", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), extensionsv1beta1.DaemonSetUpdateStrategy{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -36100,7 +36317,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetStatus(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.DaemonSetCondition"),
+										Ref:     ref(extensionsv1beta1.DaemonSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36111,7 +36328,7 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetStatus(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.DaemonSetCondition"},
+			extensionsv1beta1.DaemonSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -36132,14 +36349,14 @@ func schema_k8sio_api_extensions_v1beta1_DaemonSetUpdateStrategy(ref common.Refe
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if type = \"RollingUpdate\".",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.RollingUpdateDaemonSet"),
+							Ref:         ref(extensionsv1beta1.RollingUpdateDaemonSet{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.RollingUpdateDaemonSet"},
+			extensionsv1beta1.RollingUpdateDaemonSet{}.OpenAPIModelName()},
 	}
 }
 
@@ -36168,28 +36385,28 @@ func schema_k8sio_api_extensions_v1beta1_Deployment(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DeploymentSpec"),
+							Ref:         ref(extensionsv1beta1.DeploymentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the Deployment.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DeploymentStatus"),
+							Ref:         ref(extensionsv1beta1.DeploymentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.DeploymentSpec", "k8s.io/api/extensions/v1beta1.DeploymentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.DeploymentSpec{}.OpenAPIModelName(), extensionsv1beta1.DeploymentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -36219,13 +36436,13 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentCondition(ref common.Referenc
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time this condition was updated.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -36247,7 +36464,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentCondition(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -36276,7 +36493,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -36287,7 +36504,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.Deployment"),
+										Ref:     ref(extensionsv1beta1.Deployment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36298,7 +36515,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.Deployment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			extensionsv1beta1.Deployment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -36351,7 +36568,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentRollback(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "The config of this deployment rollback.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.RollbackConfig"),
+							Ref:         ref(extensionsv1beta1.RollbackConfig{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -36359,7 +36576,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentRollback(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.RollbackConfig"},
+			extensionsv1beta1.RollbackConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -36380,14 +36597,14 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref common.ReferenceCall
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template describes the pods that will be created.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 					"strategy": {
@@ -36399,7 +36616,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "The deployment strategy to use to replace existing pods with new ones.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.DeploymentStrategy"),
+							Ref:         ref(extensionsv1beta1.DeploymentStrategy{}.OpenAPIModelName()),
 						},
 					},
 					"minReadySeconds": {
@@ -36426,7 +36643,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref common.ReferenceCall
 					"rollbackTo": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DEPRECATED. The config this deployment is rolling back to. Will be cleared after rollback is done.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.RollbackConfig"),
+							Ref:         ref(extensionsv1beta1.RollbackConfig{}.OpenAPIModelName()),
 						},
 					},
 					"progressDeadlineSeconds": {
@@ -36441,7 +36658,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentSpec(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/api/extensions/v1beta1.DeploymentStrategy", "k8s.io/api/extensions/v1beta1.RollbackConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), extensionsv1beta1.DeploymentStrategy{}.OpenAPIModelName(), extensionsv1beta1.RollbackConfig{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -36496,7 +36713,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentStatus(ref common.ReferenceCa
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -36519,7 +36736,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentStatus(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.DeploymentCondition"),
+										Ref:     ref(extensionsv1beta1.DeploymentCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36536,7 +36753,7 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.DeploymentCondition"},
+			extensionsv1beta1.DeploymentCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -36557,14 +36774,14 @@ func schema_k8sio_api_extensions_v1beta1_DeploymentStrategy(ref common.Reference
 					"rollingUpdate": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.RollingUpdateDeployment"),
+							Ref:         ref(extensionsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.RollingUpdateDeployment"},
+			extensionsv1beta1.RollingUpdateDeployment{}.OpenAPIModelName()},
 	}
 }
 
@@ -36593,7 +36810,7 @@ func schema_k8sio_api_extensions_v1beta1_HTTPIngressPath(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Backend defines the referenced service endpoint to which the traffic will be forwarded to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IngressBackend"),
+							Ref:         ref(extensionsv1beta1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -36601,7 +36818,7 @@ func schema_k8sio_api_extensions_v1beta1_HTTPIngressPath(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressBackend"},
+			extensionsv1beta1.IngressBackend{}.OpenAPIModelName()},
 	}
 }
 
@@ -36625,7 +36842,7 @@ func schema_k8sio_api_extensions_v1beta1_HTTPIngressRuleValue(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.HTTPIngressPath"),
+										Ref:     ref(extensionsv1beta1.HTTPIngressPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36636,7 +36853,7 @@ func schema_k8sio_api_extensions_v1beta1_HTTPIngressRuleValue(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.HTTPIngressPath"},
+			extensionsv1beta1.HTTPIngressPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -36707,28 +36924,28 @@ func schema_k8sio_api_extensions_v1beta1_Ingress(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IngressSpec"),
+							Ref:         ref(extensionsv1beta1.IngressSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IngressStatus"),
+							Ref:         ref(extensionsv1beta1.IngressStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressSpec", "k8s.io/api/extensions/v1beta1.IngressStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.IngressSpec{}.OpenAPIModelName(), extensionsv1beta1.IngressStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -36749,20 +36966,20 @@ func schema_k8sio_api_extensions_v1beta1_IngressBackend(ref common.ReferenceCall
 					"servicePort": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specifies the port of the referenced service.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, serviceName and servicePort must not be specified.",
-							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
+							Ref:         ref(corev1.TypedLocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TypedLocalObjectReference", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			corev1.TypedLocalObjectReference{}.OpenAPIModelName(), intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -36791,7 +37008,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -36802,7 +37019,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.Ingress"),
+										Ref:     ref(extensionsv1beta1.Ingress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36813,7 +37030,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.Ingress", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			extensionsv1beta1.Ingress{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -36851,7 +37068,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerIngress(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.IngressPortStatus"),
+										Ref:     ref(extensionsv1beta1.IngressPortStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36861,7 +37078,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerIngress(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressPortStatus"},
+			extensionsv1beta1.IngressPortStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -36885,7 +37102,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerStatus(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.IngressLoadBalancerIngress"),
+										Ref:     ref(extensionsv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -36895,7 +37112,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressLoadBalancerStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressLoadBalancerIngress"},
+			extensionsv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName()},
 	}
 }
 
@@ -36954,14 +37171,14 @@ func schema_k8sio_api_extensions_v1beta1_IngressRule(ref common.ReferenceCallbac
 					"http": {
 						SchemaProps: spec.SchemaProps{
 							Description: "http is a list of http selectors pointing to backends. A path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. A backend defines the referenced service endpoint to which the traffic will be forwarded to.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.HTTPIngressRuleValue"),
+							Ref:         ref(extensionsv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.HTTPIngressRuleValue"},
+			extensionsv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -36975,14 +37192,14 @@ func schema_k8sio_api_extensions_v1beta1_IngressRuleValue(ref common.ReferenceCa
 					"http": {
 						SchemaProps: spec.SchemaProps{
 							Description: "http is a list of http selectors pointing to backends. A path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. A backend defines the referenced service endpoint to which the traffic will be forwarded to.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.HTTPIngressRuleValue"),
+							Ref:         ref(extensionsv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.HTTPIngressRuleValue"},
+			extensionsv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -37003,7 +37220,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressSpec(ref common.ReferenceCallbac
 					"backend": {
 						SchemaProps: spec.SchemaProps{
 							Description: "A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IngressBackend"),
+							Ref:         ref(extensionsv1beta1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 					"tls": {
@@ -37019,7 +37236,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressSpec(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.IngressTLS"),
+										Ref:     ref(extensionsv1beta1.IngressTLS{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37038,7 +37255,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressSpec(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.IngressRule"),
+										Ref:     ref(extensionsv1beta1.IngressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37048,7 +37265,7 @@ func schema_k8sio_api_extensions_v1beta1_IngressSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressBackend", "k8s.io/api/extensions/v1beta1.IngressRule", "k8s.io/api/extensions/v1beta1.IngressTLS"},
+			extensionsv1beta1.IngressBackend{}.OpenAPIModelName(), extensionsv1beta1.IngressRule{}.OpenAPIModelName(), extensionsv1beta1.IngressTLS{}.OpenAPIModelName()},
 	}
 }
 
@@ -37063,14 +37280,14 @@ func schema_k8sio_api_extensions_v1beta1_IngressStatus(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "LoadBalancer contains the current status of the load-balancer.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IngressLoadBalancerStatus"),
+							Ref:         ref(extensionsv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IngressLoadBalancerStatus"},
+			extensionsv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -37139,21 +37356,21 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicy(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior for this NetworkPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.NetworkPolicySpec"),
+							Ref:         ref(extensionsv1beta1.NetworkPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.NetworkPolicySpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.NetworkPolicySpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -37177,7 +37394,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyEgressRule(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyPort"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37196,7 +37413,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyEgressRule(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyPeer"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyPeer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37206,7 +37423,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyEgressRule(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.NetworkPolicyPeer", "k8s.io/api/extensions/v1beta1.NetworkPolicyPort"},
+			extensionsv1beta1.NetworkPolicyPeer{}.OpenAPIModelName(), extensionsv1beta1.NetworkPolicyPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -37230,7 +37447,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyIngressRule(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyPort"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37249,7 +37466,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyIngressRule(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyPeer"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyPeer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37259,7 +37476,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyIngressRule(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.NetworkPolicyPeer", "k8s.io/api/extensions/v1beta1.NetworkPolicyPort"},
+			extensionsv1beta1.NetworkPolicyPeer{}.OpenAPIModelName(), extensionsv1beta1.NetworkPolicyPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -37288,7 +37505,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyList(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -37299,7 +37516,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyList(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicy"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37310,7 +37527,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyList(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.NetworkPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			extensionsv1beta1.NetworkPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -37324,26 +37541,26 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyPeer(ref common.ReferenceC
 					"podSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"ipBlock": {
 						SchemaProps: spec.SchemaProps{
 							Description: "IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.",
-							Ref:         ref("k8s.io/api/extensions/v1beta1.IPBlock"),
+							Ref:         ref(extensionsv1beta1.IPBlock{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.IPBlock", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			extensionsv1beta1.IPBlock{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -37365,7 +37582,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyPort(ref common.ReferenceC
 					"port": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"endPort": {
@@ -37379,7 +37596,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicyPort(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -37394,7 +37611,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods.  In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"ingress": {
@@ -37410,7 +37627,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyIngressRule"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyIngressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37429,7 +37646,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.NetworkPolicyEgressRule"),
+										Ref:     ref(extensionsv1beta1.NetworkPolicyEgressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37460,7 +37677,7 @@ func schema_k8sio_api_extensions_v1beta1_NetworkPolicySpec(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.NetworkPolicyEgressRule", "k8s.io/api/extensions/v1beta1.NetworkPolicyIngressRule", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			extensionsv1beta1.NetworkPolicyEgressRule{}.OpenAPIModelName(), extensionsv1beta1.NetworkPolicyIngressRule{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -37489,28 +37706,28 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSet(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.ReplicaSetSpec"),
+							Ref:         ref(extensionsv1beta1.ReplicaSetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.ReplicaSetStatus"),
+							Ref:         ref(extensionsv1beta1.ReplicaSetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.ReplicaSetSpec", "k8s.io/api/extensions/v1beta1.ReplicaSetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.ReplicaSetSpec{}.OpenAPIModelName(), extensionsv1beta1.ReplicaSetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -37540,7 +37757,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetCondition(ref common.Referenc
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -37562,7 +37779,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetCondition(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -37591,7 +37808,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -37602,7 +37819,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.ReplicaSet"),
+										Ref:     ref(extensionsv1beta1.ReplicaSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37613,7 +37830,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.ReplicaSet", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			extensionsv1beta1.ReplicaSet{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -37641,21 +37858,21 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetSpec(ref common.ReferenceCall
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Selector is a label query over pods that should match the replica count. If the selector is empty, it is defaulted to the labels present on the pod template. Label keys and values that must match in order to be controlled by this replica set. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"template": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.PodTemplateSpec"),
+							Ref:         ref(corev1.PodTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PodTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			corev1.PodTemplateSpec{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -37697,7 +37914,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetStatus(ref common.ReferenceCa
 					},
 					"terminatingReplicas": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+							Description: "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},
@@ -37727,7 +37944,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetStatus(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/extensions/v1beta1.ReplicaSetCondition"),
+										Ref:     ref(extensionsv1beta1.ReplicaSetCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -37738,7 +37955,7 @@ func schema_k8sio_api_extensions_v1beta1_ReplicaSetStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.ReplicaSetCondition"},
+			extensionsv1beta1.ReplicaSetCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -37772,20 +37989,20 @@ func schema_k8sio_api_extensions_v1beta1_RollingUpdateDaemonSet(ref common.Refer
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0 if MaxSurge is 0 Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediately created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption. This is an alpha field and requires enabling DaemonSetUpdateSurge feature gate.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -37799,20 +38016,20 @@ func schema_k8sio_api_extensions_v1beta1_RollingUpdateDeployment(ref common.Refe
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. By default, a fixed value of 1 is used. Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old RC can be scaled down further, followed by scaling up the new RC, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"maxSurge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. By default, a value of 1 is used. Example: when this is set to 30%, the new RC can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new RC can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -37841,28 +38058,28 @@ func schema_k8sio_api_extensions_v1beta1_Scale(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.ScaleSpec"),
+							Ref:         ref(extensionsv1beta1.ScaleSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/extensions/v1beta1.ScaleStatus"),
+							Ref:         ref(extensionsv1beta1.ScaleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/extensions/v1beta1.ScaleSpec", "k8s.io/api/extensions/v1beta1.ScaleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			extensionsv1beta1.ScaleSpec{}.OpenAPIModelName(), extensionsv1beta1.ScaleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -38011,28 +38228,28 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchema(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.FlowSchemaSpec"),
+							Ref:         ref(flowcontrolv1.FlowSchemaSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.FlowSchemaStatus"),
+							Ref:         ref(flowcontrolv1.FlowSchemaStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.FlowSchemaSpec", "k8s.io/api/flowcontrol/v1.FlowSchemaStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1.FlowSchemaSpec{}.OpenAPIModelName(), flowcontrolv1.FlowSchemaStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -38060,7 +38277,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaCondition(ref common.ReferenceCal
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -38081,7 +38298,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaCondition(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -38110,7 +38327,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -38121,7 +38338,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.FlowSchema"),
+										Ref:     ref(flowcontrolv1.FlowSchema{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38132,7 +38349,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.FlowSchema", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1.FlowSchema{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -38147,7 +38364,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationReference"),
+							Ref:         ref(flowcontrolv1.PriorityLevelConfigurationReference{}.OpenAPIModelName()),
 						},
 					},
 					"matchingPrecedence": {
@@ -38161,7 +38378,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref common.ReferenceCallback
 					"distinguisherMethod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.FlowDistinguisherMethod"),
+							Ref:         ref(flowcontrolv1.FlowDistinguisherMethod{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -38177,7 +38394,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.PolicyRulesWithSubjects"),
+										Ref:     ref(flowcontrolv1.PolicyRulesWithSubjects{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38188,7 +38405,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaSpec(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.FlowDistinguisherMethod", "k8s.io/api/flowcontrol/v1.PolicyRulesWithSubjects", "k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationReference"},
+			flowcontrolv1.FlowDistinguisherMethod{}.OpenAPIModelName(), flowcontrolv1.PolicyRulesWithSubjects{}.OpenAPIModelName(), flowcontrolv1.PriorityLevelConfigurationReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -38217,7 +38434,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaStatus(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.FlowSchemaCondition"),
+										Ref:     ref(flowcontrolv1.FlowSchemaCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38227,7 +38444,7 @@ func schema_k8sio_api_flowcontrol_v1_FlowSchemaStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.FlowSchemaCondition"},
+			flowcontrolv1.FlowSchemaCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -38271,7 +38488,7 @@ func schema_k8sio_api_flowcontrol_v1_LimitResponse(ref common.ReferenceCallback)
 					"queuing": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.QueuingConfiguration"),
+							Ref:         ref(flowcontrolv1.QueuingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -38291,7 +38508,7 @@ func schema_k8sio_api_flowcontrol_v1_LimitResponse(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.QueuingConfiguration"},
+			flowcontrolv1.QueuingConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -38313,7 +38530,7 @@ func schema_k8sio_api_flowcontrol_v1_LimitedPriorityLevelConfiguration(ref commo
 						SchemaProps: spec.SchemaProps{
 							Description: "`limitResponse` indicates what to do with requests that can not be executed right now",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.LimitResponse"),
+							Ref:         ref(flowcontrolv1.LimitResponse{}.OpenAPIModelName()),
 						},
 					},
 					"lendablePercent": {
@@ -38334,7 +38551,7 @@ func schema_k8sio_api_flowcontrol_v1_LimitedPriorityLevelConfiguration(ref commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.LimitResponse"},
+			flowcontrolv1.LimitResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -38412,7 +38629,7 @@ func schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.Subject"),
+										Ref:     ref(flowcontrolv1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38431,7 +38648,7 @@ func schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.ResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1.ResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38450,7 +38667,7 @@ func schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.NonResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1.NonResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38461,7 +38678,7 @@ func schema_k8sio_api_flowcontrol_v1_PolicyRulesWithSubjects(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.NonResourcePolicyRule", "k8s.io/api/flowcontrol/v1.ResourcePolicyRule", "k8s.io/api/flowcontrol/v1.Subject"},
+			flowcontrolv1.NonResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1.ResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1.Subject{}.OpenAPIModelName()},
 	}
 }
 
@@ -38490,28 +38707,28 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfiguration(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationSpec"),
+							Ref:         ref(flowcontrolv1.PriorityLevelConfigurationSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationStatus"),
+							Ref:         ref(flowcontrolv1.PriorityLevelConfigurationStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationSpec", "k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1.PriorityLevelConfigurationSpec{}.OpenAPIModelName(), flowcontrolv1.PriorityLevelConfigurationStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -38539,7 +38756,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationCondition(ref com
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -38560,7 +38777,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationCondition(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -38589,7 +38806,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationList(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -38600,7 +38817,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationList(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.PriorityLevelConfiguration"),
+										Ref:     ref(flowcontrolv1.PriorityLevelConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38611,7 +38828,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationList(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.PriorityLevelConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1.PriorityLevelConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -38655,13 +38872,13 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationSpec(ref common.R
 					"limited": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.LimitedPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"exempt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.ExemptPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -38682,7 +38899,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationSpec(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.ExemptPriorityLevelConfiguration", "k8s.io/api/flowcontrol/v1.LimitedPriorityLevelConfiguration"},
+			flowcontrolv1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName(), flowcontrolv1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -38711,7 +38928,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationStatus(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationCondition"),
+										Ref:     ref(flowcontrolv1.PriorityLevelConfigurationCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -38721,7 +38938,7 @@ func schema_k8sio_api_flowcontrol_v1_PriorityLevelConfigurationStatus(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.PriorityLevelConfigurationCondition"},
+			flowcontrolv1.PriorityLevelConfigurationCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -38911,19 +39128,19 @@ func schema_k8sio_api_flowcontrol_v1_Subject(ref common.ReferenceCallback) commo
 					"user": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`user` matches based on username.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.UserSubject"),
+							Ref:         ref(flowcontrolv1.UserSubject{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`group` matches based on user group name.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.GroupSubject"),
+							Ref:         ref(flowcontrolv1.GroupSubject{}.OpenAPIModelName()),
 						},
 					},
 					"serviceAccount": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`serviceAccount` matches ServiceAccounts.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1.ServiceAccountSubject"),
+							Ref:         ref(flowcontrolv1.ServiceAccountSubject{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -38945,7 +39162,7 @@ func schema_k8sio_api_flowcontrol_v1_Subject(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1.GroupSubject", "k8s.io/api/flowcontrol/v1.ServiceAccountSubject", "k8s.io/api/flowcontrol/v1.UserSubject"},
+			flowcontrolv1.GroupSubject{}.OpenAPIModelName(), flowcontrolv1.ServiceAccountSubject{}.OpenAPIModelName(), flowcontrolv1.UserSubject{}.OpenAPIModelName()},
 	}
 }
 
@@ -39045,28 +39262,28 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchema(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.FlowSchemaSpec"),
+							Ref:         ref(flowcontrolv1beta1.FlowSchemaSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.FlowSchemaStatus"),
+							Ref:         ref(flowcontrolv1beta1.FlowSchemaStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.FlowSchemaSpec", "k8s.io/api/flowcontrol/v1beta1.FlowSchemaStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1beta1.FlowSchemaSpec{}.OpenAPIModelName(), flowcontrolv1beta1.FlowSchemaStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -39094,7 +39311,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaCondition(ref common.Referen
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -39115,7 +39332,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaCondition(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -39144,7 +39361,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -39155,7 +39372,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.FlowSchema"),
+										Ref:     ref(flowcontrolv1beta1.FlowSchema{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39166,7 +39383,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.FlowSchema", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1beta1.FlowSchema{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -39181,7 +39398,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationReference"),
+							Ref:         ref(flowcontrolv1beta1.PriorityLevelConfigurationReference{}.OpenAPIModelName()),
 						},
 					},
 					"matchingPrecedence": {
@@ -39195,7 +39412,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref common.ReferenceCal
 					"distinguisherMethod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.FlowDistinguisherMethod"),
+							Ref:         ref(flowcontrolv1beta1.FlowDistinguisherMethod{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -39211,7 +39428,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.PolicyRulesWithSubjects"),
+										Ref:     ref(flowcontrolv1beta1.PolicyRulesWithSubjects{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39222,7 +39439,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.FlowDistinguisherMethod", "k8s.io/api/flowcontrol/v1beta1.PolicyRulesWithSubjects", "k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationReference"},
+			flowcontrolv1beta1.FlowDistinguisherMethod{}.OpenAPIModelName(), flowcontrolv1beta1.PolicyRulesWithSubjects{}.OpenAPIModelName(), flowcontrolv1beta1.PriorityLevelConfigurationReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -39249,7 +39466,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.FlowSchemaCondition"),
+										Ref:     ref(flowcontrolv1beta1.FlowSchemaCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39259,7 +39476,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_FlowSchemaStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.FlowSchemaCondition"},
+			flowcontrolv1beta1.FlowSchemaCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -39303,7 +39520,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_LimitResponse(ref common.ReferenceCall
 					"queuing": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.QueuingConfiguration"),
+							Ref:         ref(flowcontrolv1beta1.QueuingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -39323,7 +39540,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_LimitResponse(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.QueuingConfiguration"},
+			flowcontrolv1beta1.QueuingConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -39346,7 +39563,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_LimitedPriorityLevelConfiguration(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "`limitResponse` indicates what to do with requests that can not be executed right now",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.LimitResponse"),
+							Ref:         ref(flowcontrolv1beta1.LimitResponse{}.OpenAPIModelName()),
 						},
 					},
 					"lendablePercent": {
@@ -39367,7 +39584,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_LimitedPriorityLevelConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.LimitResponse"},
+			flowcontrolv1beta1.LimitResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -39445,7 +39662,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.Subject"),
+										Ref:     ref(flowcontrolv1beta1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39464,7 +39681,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.ResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1beta1.ResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39483,7 +39700,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.NonResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1beta1.NonResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39494,7 +39711,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PolicyRulesWithSubjects(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.NonResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta1.ResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta1.Subject"},
+			flowcontrolv1beta1.NonResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1beta1.ResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1beta1.Subject{}.OpenAPIModelName()},
 	}
 }
 
@@ -39523,28 +39740,28 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfiguration(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationSpec"),
+							Ref:         ref(flowcontrolv1beta1.PriorityLevelConfigurationSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationStatus"),
+							Ref:         ref(flowcontrolv1beta1.PriorityLevelConfigurationStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationSpec", "k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1beta1.PriorityLevelConfigurationSpec{}.OpenAPIModelName(), flowcontrolv1beta1.PriorityLevelConfigurationStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -39572,7 +39789,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationCondition(re
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -39593,7 +39810,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationCondition(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -39622,7 +39839,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationList(ref com
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -39633,7 +39850,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationList(ref com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfiguration"),
+										Ref:     ref(flowcontrolv1beta1.PriorityLevelConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39644,7 +39861,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationList(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1beta1.PriorityLevelConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -39688,13 +39905,13 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationSpec(ref com
 					"limited": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.LimitedPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1beta1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"exempt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.ExemptPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1beta1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -39715,7 +39932,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationSpec(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.ExemptPriorityLevelConfiguration", "k8s.io/api/flowcontrol/v1beta1.LimitedPriorityLevelConfiguration"},
+			flowcontrolv1beta1.ExemptPriorityLevelConfiguration{}.OpenAPIModelName(), flowcontrolv1beta1.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -39742,7 +39959,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationStatus(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationCondition"),
+										Ref:     ref(flowcontrolv1beta1.PriorityLevelConfigurationCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -39752,7 +39969,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_PriorityLevelConfigurationStatus(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.PriorityLevelConfigurationCondition"},
+			flowcontrolv1beta1.PriorityLevelConfigurationCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -39942,19 +40159,19 @@ func schema_k8sio_api_flowcontrol_v1beta1_Subject(ref common.ReferenceCallback)
 					"user": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`user` matches based on username.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.UserSubject"),
+							Ref:         ref(flowcontrolv1beta1.UserSubject{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`group` matches based on user group name.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.GroupSubject"),
+							Ref:         ref(flowcontrolv1beta1.GroupSubject{}.OpenAPIModelName()),
 						},
 					},
 					"serviceAccount": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`serviceAccount` matches ServiceAccounts.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta1.ServiceAccountSubject"),
+							Ref:         ref(flowcontrolv1beta1.ServiceAccountSubject{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -39976,7 +40193,7 @@ func schema_k8sio_api_flowcontrol_v1beta1_Subject(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta1.GroupSubject", "k8s.io/api/flowcontrol/v1beta1.ServiceAccountSubject", "k8s.io/api/flowcontrol/v1beta1.UserSubject"},
+			flowcontrolv1beta1.GroupSubject{}.OpenAPIModelName(), flowcontrolv1beta1.ServiceAccountSubject{}.OpenAPIModelName(), flowcontrolv1beta1.UserSubject{}.OpenAPIModelName()},
 	}
 }
 
@@ -40076,28 +40293,28 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchema(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.FlowSchemaSpec"),
+							Ref:         ref(flowcontrolv1beta2.FlowSchemaSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.FlowSchemaStatus"),
+							Ref:         ref(flowcontrolv1beta2.FlowSchemaStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.FlowSchemaSpec", "k8s.io/api/flowcontrol/v1beta2.FlowSchemaStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1beta2.FlowSchemaSpec{}.OpenAPIModelName(), flowcontrolv1beta2.FlowSchemaStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -40125,7 +40342,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaCondition(ref common.Referen
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -40146,7 +40363,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaCondition(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -40175,7 +40392,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -40186,7 +40403,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.FlowSchema"),
+										Ref:     ref(flowcontrolv1beta2.FlowSchema{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40197,7 +40414,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.FlowSchema", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1beta2.FlowSchema{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -40212,7 +40429,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationReference"),
+							Ref:         ref(flowcontrolv1beta2.PriorityLevelConfigurationReference{}.OpenAPIModelName()),
 						},
 					},
 					"matchingPrecedence": {
@@ -40226,7 +40443,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref common.ReferenceCal
 					"distinguisherMethod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.FlowDistinguisherMethod"),
+							Ref:         ref(flowcontrolv1beta2.FlowDistinguisherMethod{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -40242,7 +40459,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.PolicyRulesWithSubjects"),
+										Ref:     ref(flowcontrolv1beta2.PolicyRulesWithSubjects{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40253,7 +40470,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.FlowDistinguisherMethod", "k8s.io/api/flowcontrol/v1beta2.PolicyRulesWithSubjects", "k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationReference"},
+			flowcontrolv1beta2.FlowDistinguisherMethod{}.OpenAPIModelName(), flowcontrolv1beta2.PolicyRulesWithSubjects{}.OpenAPIModelName(), flowcontrolv1beta2.PriorityLevelConfigurationReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -40280,7 +40497,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.FlowSchemaCondition"),
+										Ref:     ref(flowcontrolv1beta2.FlowSchemaCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40290,7 +40507,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_FlowSchemaStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.FlowSchemaCondition"},
+			flowcontrolv1beta2.FlowSchemaCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -40334,7 +40551,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_LimitResponse(ref common.ReferenceCall
 					"queuing": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.QueuingConfiguration"),
+							Ref:         ref(flowcontrolv1beta2.QueuingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -40354,7 +40571,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_LimitResponse(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.QueuingConfiguration"},
+			flowcontrolv1beta2.QueuingConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -40377,7 +40594,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_LimitedPriorityLevelConfiguration(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "`limitResponse` indicates what to do with requests that can not be executed right now",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.LimitResponse"),
+							Ref:         ref(flowcontrolv1beta2.LimitResponse{}.OpenAPIModelName()),
 						},
 					},
 					"lendablePercent": {
@@ -40398,7 +40615,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_LimitedPriorityLevelConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.LimitResponse"},
+			flowcontrolv1beta2.LimitResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -40476,7 +40693,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.Subject"),
+										Ref:     ref(flowcontrolv1beta2.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40495,7 +40712,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.ResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1beta2.ResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40514,7 +40731,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.NonResourcePolicyRule"),
+										Ref:     ref(flowcontrolv1beta2.NonResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40525,7 +40742,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PolicyRulesWithSubjects(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.NonResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta2.ResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta2.Subject"},
+			flowcontrolv1beta2.NonResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1beta2.ResourcePolicyRule{}.OpenAPIModelName(), flowcontrolv1beta2.Subject{}.OpenAPIModelName()},
 	}
 }
 
@@ -40554,28 +40771,28 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfiguration(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationSpec"),
+							Ref:         ref(flowcontrolv1beta2.PriorityLevelConfigurationSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationStatus"),
+							Ref:         ref(flowcontrolv1beta2.PriorityLevelConfigurationStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationSpec", "k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			flowcontrolv1beta2.PriorityLevelConfigurationSpec{}.OpenAPIModelName(), flowcontrolv1beta2.PriorityLevelConfigurationStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -40603,7 +40820,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationCondition(re
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -40624,7 +40841,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationCondition(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -40653,7 +40870,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationList(ref com
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -40664,7 +40881,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationList(ref com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfiguration"),
+										Ref:     ref(flowcontrolv1beta2.PriorityLevelConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40675,7 +40892,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationList(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			flowcontrolv1beta2.PriorityLevelConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -40719,13 +40936,13 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationSpec(ref com
 					"limited": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.LimitedPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1beta2.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"exempt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.ExemptPriorityLevelConfiguration"),
+							Ref:         ref(flowcontrolv1beta2.ExemptPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -40746,7 +40963,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationSpec(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.ExemptPriorityLevelConfiguration", "k8s.io/api/flowcontrol/v1beta2.LimitedPriorityLevelConfiguration"},
+			flowcontrolv1beta2.ExemptPriorityLevelConfiguration{}.OpenAPIModelName(), flowcontrolv1beta2.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -40773,7 +40990,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationStatus(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationCondition"),
+										Ref:     ref(flowcontrolv1beta2.PriorityLevelConfigurationCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -40783,7 +41000,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_PriorityLevelConfigurationStatus(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.PriorityLevelConfigurationCondition"},
+			flowcontrolv1beta2.PriorityLevelConfigurationCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -40973,19 +41190,19 @@ func schema_k8sio_api_flowcontrol_v1beta2_Subject(ref common.ReferenceCallback)
 					"user": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`user` matches based on username.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.UserSubject"),
+							Ref:         ref(flowcontrolv1beta2.UserSubject{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`group` matches based on user group name.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.GroupSubject"),
+							Ref:         ref(flowcontrolv1beta2.GroupSubject{}.OpenAPIModelName()),
 						},
 					},
 					"serviceAccount": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`serviceAccount` matches ServiceAccounts.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta2.ServiceAccountSubject"),
+							Ref:         ref(flowcontrolv1beta2.ServiceAccountSubject{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -41007,7 +41224,7 @@ func schema_k8sio_api_flowcontrol_v1beta2_Subject(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta2.GroupSubject", "k8s.io/api/flowcontrol/v1beta2.ServiceAccountSubject", "k8s.io/api/flowcontrol/v1beta2.UserSubject"},
+			flowcontrolv1beta2.GroupSubject{}.OpenAPIModelName(), flowcontrolv1beta2.ServiceAccountSubject{}.OpenAPIModelName(), flowcontrolv1beta2.UserSubject{}.OpenAPIModelName()},
 	}
 }
 
@@ -41107,28 +41324,28 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchema(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.FlowSchemaSpec"),
+							Ref:         ref(v1beta3.FlowSchemaSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.FlowSchemaStatus"),
+							Ref:         ref(v1beta3.FlowSchemaStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.FlowSchemaSpec", "k8s.io/api/flowcontrol/v1beta3.FlowSchemaStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta3.FlowSchemaSpec{}.OpenAPIModelName(), v1beta3.FlowSchemaStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -41156,7 +41373,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaCondition(ref common.Referen
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -41177,7 +41394,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaCondition(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -41206,7 +41423,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -41217,7 +41434,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.FlowSchema"),
+										Ref:     ref(v1beta3.FlowSchema{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41228,7 +41445,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.FlowSchema", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta3.FlowSchema{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -41243,7 +41460,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationReference"),
+							Ref:         ref(v1beta3.PriorityLevelConfigurationReference{}.OpenAPIModelName()),
 						},
 					},
 					"matchingPrecedence": {
@@ -41257,7 +41474,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref common.ReferenceCal
 					"distinguisherMethod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.FlowDistinguisherMethod"),
+							Ref:         ref(v1beta3.FlowDistinguisherMethod{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -41273,7 +41490,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.PolicyRulesWithSubjects"),
+										Ref:     ref(v1beta3.PolicyRulesWithSubjects{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41284,7 +41501,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.FlowDistinguisherMethod", "k8s.io/api/flowcontrol/v1beta3.PolicyRulesWithSubjects", "k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationReference"},
+			v1beta3.FlowDistinguisherMethod{}.OpenAPIModelName(), v1beta3.PolicyRulesWithSubjects{}.OpenAPIModelName(), v1beta3.PriorityLevelConfigurationReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -41313,7 +41530,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.FlowSchemaCondition"),
+										Ref:     ref(v1beta3.FlowSchemaCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41323,7 +41540,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_FlowSchemaStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.FlowSchemaCondition"},
+			v1beta3.FlowSchemaCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -41367,7 +41584,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_LimitResponse(ref common.ReferenceCall
 					"queuing": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.QueuingConfiguration"),
+							Ref:         ref(v1beta3.QueuingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -41387,7 +41604,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_LimitResponse(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.QueuingConfiguration"},
+			v1beta3.QueuingConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -41410,7 +41627,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_LimitedPriorityLevelConfiguration(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "`limitResponse` indicates what to do with requests that can not be executed right now",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.LimitResponse"),
+							Ref:         ref(v1beta3.LimitResponse{}.OpenAPIModelName()),
 						},
 					},
 					"lendablePercent": {
@@ -41431,7 +41648,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_LimitedPriorityLevelConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.LimitResponse"},
+			v1beta3.LimitResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -41509,7 +41726,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.Subject"),
+										Ref:     ref(v1beta3.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41528,7 +41745,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.ResourcePolicyRule"),
+										Ref:     ref(v1beta3.ResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41547,7 +41764,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.NonResourcePolicyRule"),
+										Ref:     ref(v1beta3.NonResourcePolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41558,7 +41775,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PolicyRulesWithSubjects(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.NonResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta3.ResourcePolicyRule", "k8s.io/api/flowcontrol/v1beta3.Subject"},
+			v1beta3.NonResourcePolicyRule{}.OpenAPIModelName(), v1beta3.ResourcePolicyRule{}.OpenAPIModelName(), v1beta3.Subject{}.OpenAPIModelName()},
 	}
 }
 
@@ -41587,28 +41804,28 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfiguration(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationSpec"),
+							Ref:         ref(v1beta3.PriorityLevelConfigurationSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationStatus"),
+							Ref:         ref(v1beta3.PriorityLevelConfigurationStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationSpec", "k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta3.PriorityLevelConfigurationSpec{}.OpenAPIModelName(), v1beta3.PriorityLevelConfigurationStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -41636,7 +41853,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationCondition(re
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`lastTransitionTime` is the last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -41657,7 +41874,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationCondition(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -41686,7 +41903,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationList(ref com
 						SchemaProps: spec.SchemaProps{
 							Description: "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -41697,7 +41914,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationList(ref com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfiguration"),
+										Ref:     ref(v1beta3.PriorityLevelConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41708,7 +41925,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationList(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfiguration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta3.PriorityLevelConfiguration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -41752,13 +41969,13 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationSpec(ref com
 					"limited": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.LimitedPriorityLevelConfiguration"),
+							Ref:         ref(v1beta3.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"exempt": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.ExemptPriorityLevelConfiguration"),
+							Ref:         ref(v1beta3.ExemptPriorityLevelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -41779,7 +41996,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationSpec(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.ExemptPriorityLevelConfiguration", "k8s.io/api/flowcontrol/v1beta3.LimitedPriorityLevelConfiguration"},
+			v1beta3.ExemptPriorityLevelConfiguration{}.OpenAPIModelName(), v1beta3.LimitedPriorityLevelConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -41808,7 +42025,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationStatus(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationCondition"),
+										Ref:     ref(v1beta3.PriorityLevelConfigurationCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -41818,7 +42035,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_PriorityLevelConfigurationStatus(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.PriorityLevelConfigurationCondition"},
+			v1beta3.PriorityLevelConfigurationCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -42008,19 +42225,19 @@ func schema_k8sio_api_flowcontrol_v1beta3_Subject(ref common.ReferenceCallback)
 					"user": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`user` matches based on username.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.UserSubject"),
+							Ref:         ref(v1beta3.UserSubject{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`group` matches based on user group name.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.GroupSubject"),
+							Ref:         ref(v1beta3.GroupSubject{}.OpenAPIModelName()),
 						},
 					},
 					"serviceAccount": {
 						SchemaProps: spec.SchemaProps{
 							Description: "`serviceAccount` matches ServiceAccounts.",
-							Ref:         ref("k8s.io/api/flowcontrol/v1beta3.ServiceAccountSubject"),
+							Ref:         ref(v1beta3.ServiceAccountSubject{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -42042,7 +42259,7 @@ func schema_k8sio_api_flowcontrol_v1beta3_Subject(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/flowcontrol/v1beta3.GroupSubject", "k8s.io/api/flowcontrol/v1beta3.ServiceAccountSubject", "k8s.io/api/flowcontrol/v1beta3.UserSubject"},
+			v1beta3.GroupSubject{}.OpenAPIModelName(), v1beta3.ServiceAccountSubject{}.OpenAPIModelName(), v1beta3.UserSubject{}.OpenAPIModelName()},
 	}
 }
 
@@ -42093,21 +42310,21 @@ func schema_k8sio_api_imagepolicy_v1alpha1_ImageReview(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information about the pod being evaluated",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/imagepolicy/v1alpha1.ImageReviewSpec"),
+							Ref:         ref(imagepolicyv1alpha1.ImageReviewSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the backend and indicates whether the pod should be allowed.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/imagepolicy/v1alpha1.ImageReviewStatus"),
+							Ref:         ref(imagepolicyv1alpha1.ImageReviewStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -42115,7 +42332,7 @@ func schema_k8sio_api_imagepolicy_v1alpha1_ImageReview(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/imagepolicy/v1alpha1.ImageReviewSpec", "k8s.io/api/imagepolicy/v1alpha1.ImageReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			imagepolicyv1alpha1.ImageReviewSpec{}.OpenAPIModelName(), imagepolicyv1alpha1.ImageReviewStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42159,7 +42376,7 @@ func schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewSpec(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/imagepolicy/v1alpha1.ImageReviewContainerSpec"),
+										Ref:     ref(imagepolicyv1alpha1.ImageReviewContainerSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42192,7 +42409,7 @@ func schema_k8sio_api_imagepolicy_v1alpha1_ImageReviewSpec(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/imagepolicy/v1alpha1.ImageReviewContainerSpec"},
+			imagepolicyv1alpha1.ImageReviewContainerSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -42267,7 +42484,7 @@ func schema_k8sio_api_networking_v1_HTTPIngressPath(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "backend defines the referenced service endpoint to which the traffic will be forwarded to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IngressBackend"),
+							Ref:         ref(networkingv1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -42275,7 +42492,7 @@ func schema_k8sio_api_networking_v1_HTTPIngressPath(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressBackend"},
+			networkingv1.IngressBackend{}.OpenAPIModelName()},
 	}
 }
 
@@ -42299,7 +42516,7 @@ func schema_k8sio_api_networking_v1_HTTPIngressRuleValue(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.HTTPIngressPath"),
+										Ref:     ref(networkingv1.HTTPIngressPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42310,7 +42527,7 @@ func schema_k8sio_api_networking_v1_HTTPIngressRuleValue(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.HTTPIngressPath"},
+			networkingv1.HTTPIngressPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -42339,21 +42556,21 @@ func schema_k8sio_api_networking_v1_IPAddress(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IPAddressSpec"),
+							Ref:         ref(networkingv1.IPAddressSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IPAddressSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1.IPAddressSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42382,7 +42599,7 @@ func schema_k8sio_api_networking_v1_IPAddressList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -42393,7 +42610,7 @@ func schema_k8sio_api_networking_v1_IPAddressList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IPAddress"),
+										Ref:     ref(networkingv1.IPAddress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42404,7 +42621,7 @@ func schema_k8sio_api_networking_v1_IPAddressList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IPAddress", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1.IPAddress{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42418,7 +42635,7 @@ func schema_k8sio_api_networking_v1_IPAddressSpec(ref common.ReferenceCallback)
 					"parentRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object.",
-							Ref:         ref("k8s.io/api/networking/v1.ParentReference"),
+							Ref:         ref(networkingv1.ParentReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -42426,7 +42643,7 @@ func schema_k8sio_api_networking_v1_IPAddressSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.ParentReference"},
+			networkingv1.ParentReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -42497,28 +42714,28 @@ func schema_k8sio_api_networking_v1_Ingress(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IngressSpec"),
+							Ref:         ref(networkingv1.IngressSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IngressStatus"),
+							Ref:         ref(networkingv1.IngressStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressSpec", "k8s.io/api/networking/v1.IngressStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1.IngressSpec{}.OpenAPIModelName(), networkingv1.IngressStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42532,20 +42749,20 @@ func schema_k8sio_api_networking_v1_IngressBackend(ref common.ReferenceCallback)
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "service references a service as a backend. This is a mutually exclusive setting with \"Resource\".",
-							Ref:         ref("k8s.io/api/networking/v1.IngressServiceBackend"),
+							Ref:         ref(networkingv1.IngressServiceBackend{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\".",
-							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
+							Ref:         ref(corev1.TypedLocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TypedLocalObjectReference", "k8s.io/api/networking/v1.IngressServiceBackend"},
+			corev1.TypedLocalObjectReference{}.OpenAPIModelName(), networkingv1.IngressServiceBackend{}.OpenAPIModelName()},
 	}
 }
 
@@ -42574,21 +42791,21 @@ func schema_k8sio_api_networking_v1_IngressClass(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IngressClassSpec"),
+							Ref:         ref(networkingv1.IngressClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1.IngressClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42617,7 +42834,7 @@ func schema_k8sio_api_networking_v1_IngressClassList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -42628,7 +42845,7 @@ func schema_k8sio_api_networking_v1_IngressClassList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IngressClass"),
+										Ref:     ref(networkingv1.IngressClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42639,7 +42856,7 @@ func schema_k8sio_api_networking_v1_IngressClassList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1.IngressClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42711,14 +42928,14 @@ func schema_k8sio_api_networking_v1_IngressClassSpec(ref common.ReferenceCallbac
 					"parameters": {
 						SchemaProps: spec.SchemaProps{
 							Description: "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.",
-							Ref:         ref("k8s.io/api/networking/v1.IngressClassParametersReference"),
+							Ref:         ref(networkingv1.IngressClassParametersReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressClassParametersReference"},
+			networkingv1.IngressClassParametersReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -42747,7 +42964,7 @@ func schema_k8sio_api_networking_v1_IngressList(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -42758,7 +42975,7 @@ func schema_k8sio_api_networking_v1_IngressList(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.Ingress"),
+										Ref:     ref(networkingv1.Ingress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42769,7 +42986,7 @@ func schema_k8sio_api_networking_v1_IngressList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.Ingress", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1.Ingress{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -42807,7 +43024,7 @@ func schema_k8sio_api_networking_v1_IngressLoadBalancerIngress(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IngressPortStatus"),
+										Ref:     ref(networkingv1.IngressPortStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42817,7 +43034,7 @@ func schema_k8sio_api_networking_v1_IngressLoadBalancerIngress(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressPortStatus"},
+			networkingv1.IngressPortStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -42841,7 +43058,7 @@ func schema_k8sio_api_networking_v1_IngressLoadBalancerStatus(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IngressLoadBalancerIngress"),
+										Ref:     ref(networkingv1.IngressLoadBalancerIngress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -42851,7 +43068,7 @@ func schema_k8sio_api_networking_v1_IngressLoadBalancerStatus(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressLoadBalancerIngress"},
+			networkingv1.IngressLoadBalancerIngress{}.OpenAPIModelName()},
 	}
 }
 
@@ -42909,14 +43126,14 @@ func schema_k8sio_api_networking_v1_IngressRule(ref common.ReferenceCallback) co
 					},
 					"http": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/api/networking/v1.HTTPIngressRuleValue"),
+							Ref: ref(networkingv1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.HTTPIngressRuleValue"},
+			networkingv1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -42929,14 +43146,14 @@ func schema_k8sio_api_networking_v1_IngressRuleValue(ref common.ReferenceCallbac
 				Properties: map[string]spec.Schema{
 					"http": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/api/networking/v1.HTTPIngressRuleValue"),
+							Ref: ref(networkingv1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.HTTPIngressRuleValue"},
+			networkingv1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -42959,7 +43176,7 @@ func schema_k8sio_api_networking_v1_IngressServiceBackend(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "port of the referenced service. A port name or port number is required for a IngressServiceBackend.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.ServiceBackendPort"),
+							Ref:         ref(networkingv1.ServiceBackendPort{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -42967,7 +43184,7 @@ func schema_k8sio_api_networking_v1_IngressServiceBackend(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.ServiceBackendPort"},
+			networkingv1.ServiceBackendPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -42988,7 +43205,7 @@ func schema_k8sio_api_networking_v1_IngressSpec(ref common.ReferenceCallback) co
 					"defaultBackend": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.",
-							Ref:         ref("k8s.io/api/networking/v1.IngressBackend"),
+							Ref:         ref(networkingv1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 					"tls": {
@@ -43004,7 +43221,7 @@ func schema_k8sio_api_networking_v1_IngressSpec(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IngressTLS"),
+										Ref:     ref(networkingv1.IngressTLS{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43023,7 +43240,7 @@ func schema_k8sio_api_networking_v1_IngressSpec(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.IngressRule"),
+										Ref:     ref(networkingv1.IngressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43033,7 +43250,7 @@ func schema_k8sio_api_networking_v1_IngressSpec(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressBackend", "k8s.io/api/networking/v1.IngressRule", "k8s.io/api/networking/v1.IngressTLS"},
+			networkingv1.IngressBackend{}.OpenAPIModelName(), networkingv1.IngressRule{}.OpenAPIModelName(), networkingv1.IngressTLS{}.OpenAPIModelName()},
 	}
 }
 
@@ -43048,14 +43265,14 @@ func schema_k8sio_api_networking_v1_IngressStatus(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "loadBalancer contains the current status of the load-balancer.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.IngressLoadBalancerStatus"),
+							Ref:         ref(networkingv1.IngressLoadBalancerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IngressLoadBalancerStatus"},
+			networkingv1.IngressLoadBalancerStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -43124,21 +43341,21 @@ func schema_k8sio_api_networking_v1_NetworkPolicy(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents the specification of the desired behavior for this NetworkPolicy.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.NetworkPolicySpec"),
+							Ref:         ref(networkingv1.NetworkPolicySpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.NetworkPolicySpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1.NetworkPolicySpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43162,7 +43379,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyEgressRule(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyPort"),
+										Ref:     ref(networkingv1.NetworkPolicyPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43181,7 +43398,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyEgressRule(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyPeer"),
+										Ref:     ref(networkingv1.NetworkPolicyPeer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43191,7 +43408,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyEgressRule(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.NetworkPolicyPeer", "k8s.io/api/networking/v1.NetworkPolicyPort"},
+			networkingv1.NetworkPolicyPeer{}.OpenAPIModelName(), networkingv1.NetworkPolicyPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -43215,7 +43432,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyIngressRule(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyPort"),
+										Ref:     ref(networkingv1.NetworkPolicyPort{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43234,7 +43451,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyIngressRule(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyPeer"),
+										Ref:     ref(networkingv1.NetworkPolicyPeer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43244,7 +43461,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyIngressRule(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.NetworkPolicyPeer", "k8s.io/api/networking/v1.NetworkPolicyPort"},
+			networkingv1.NetworkPolicyPeer{}.OpenAPIModelName(), networkingv1.NetworkPolicyPort{}.OpenAPIModelName()},
 	}
 }
 
@@ -43273,7 +43490,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyList(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -43284,7 +43501,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyList(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicy"),
+										Ref:     ref(networkingv1.NetworkPolicy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43295,7 +43512,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyList(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.NetworkPolicy", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1.NetworkPolicy{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43309,26 +43526,26 @@ func schema_k8sio_api_networking_v1_NetworkPolicyPeer(ref common.ReferenceCallba
 					"podSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"namespaceSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"ipBlock": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.",
-							Ref:         ref("k8s.io/api/networking/v1.IPBlock"),
+							Ref:         ref(networkingv1.IPBlock{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.IPBlock", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			networkingv1.IPBlock{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -43350,7 +43567,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyPort(ref common.ReferenceCallba
 					"port": {
 						SchemaProps: spec.SchemaProps{
 							Description: "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"endPort": {
@@ -43364,7 +43581,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicyPort(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -43379,7 +43596,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicySpec(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "podSelector selects the pods to which this NetworkPolicy object applies. The array of rules is applied to any pods selected by this field. An empty selector matches all pods in the policy's namespace. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is optional. If it is not specified, it defaults to an empty selector.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"ingress": {
@@ -43395,7 +43612,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicySpec(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyIngressRule"),
+										Ref:     ref(networkingv1.NetworkPolicyIngressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43414,7 +43631,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicySpec(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.NetworkPolicyEgressRule"),
+										Ref:     ref(networkingv1.NetworkPolicyEgressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43445,7 +43662,7 @@ func schema_k8sio_api_networking_v1_NetworkPolicySpec(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.NetworkPolicyEgressRule", "k8s.io/api/networking/v1.NetworkPolicyIngressRule", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			networkingv1.NetworkPolicyEgressRule{}.OpenAPIModelName(), networkingv1.NetworkPolicyIngressRule{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -43548,28 +43765,28 @@ func schema_k8sio_api_networking_v1_ServiceCIDR(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.ServiceCIDRSpec"),
+							Ref:         ref(networkingv1.ServiceCIDRSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1.ServiceCIDRStatus"),
+							Ref:         ref(networkingv1.ServiceCIDRStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.ServiceCIDRSpec", "k8s.io/api/networking/v1.ServiceCIDRStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1.ServiceCIDRSpec{}.OpenAPIModelName(), networkingv1.ServiceCIDRStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43598,7 +43815,7 @@ func schema_k8sio_api_networking_v1_ServiceCIDRList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -43609,7 +43826,7 @@ func schema_k8sio_api_networking_v1_ServiceCIDRList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1.ServiceCIDR"),
+										Ref:     ref(networkingv1.ServiceCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43620,7 +43837,7 @@ func schema_k8sio_api_networking_v1_ServiceCIDRList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1.ServiceCIDR", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1.ServiceCIDR{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43682,7 +43899,7 @@ func schema_k8sio_api_networking_v1_ServiceCIDRStatus(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43692,7 +43909,7 @@ func schema_k8sio_api_networking_v1_ServiceCIDRStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -43721,7 +43938,7 @@ func schema_k8sio_api_networking_v1beta1_HTTPIngressPath(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "backend defines the referenced service endpoint to which the traffic will be forwarded to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressBackend"),
+							Ref:         ref(networkingv1beta1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -43729,7 +43946,7 @@ func schema_k8sio_api_networking_v1beta1_HTTPIngressPath(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressBackend"},
+			networkingv1beta1.IngressBackend{}.OpenAPIModelName()},
 	}
 }
 
@@ -43753,7 +43970,7 @@ func schema_k8sio_api_networking_v1beta1_HTTPIngressRuleValue(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.HTTPIngressPath"),
+										Ref:     ref(networkingv1beta1.HTTPIngressPath{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43764,7 +43981,7 @@ func schema_k8sio_api_networking_v1beta1_HTTPIngressRuleValue(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.HTTPIngressPath"},
+			networkingv1beta1.HTTPIngressPath{}.OpenAPIModelName()},
 	}
 }
 
@@ -43793,21 +44010,21 @@ func schema_k8sio_api_networking_v1beta1_IPAddress(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IPAddressSpec"),
+							Ref:         ref(networkingv1beta1.IPAddressSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IPAddressSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1beta1.IPAddressSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43836,7 +44053,7 @@ func schema_k8sio_api_networking_v1beta1_IPAddressList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -43847,7 +44064,7 @@ func schema_k8sio_api_networking_v1beta1_IPAddressList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IPAddress"),
+										Ref:     ref(networkingv1beta1.IPAddress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -43858,7 +44075,7 @@ func schema_k8sio_api_networking_v1beta1_IPAddressList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IPAddress", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1beta1.IPAddress{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43872,7 +44089,7 @@ func schema_k8sio_api_networking_v1beta1_IPAddressSpec(ref common.ReferenceCallb
 					"parentRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object.",
-							Ref:         ref("k8s.io/api/networking/v1beta1.ParentReference"),
+							Ref:         ref(networkingv1beta1.ParentReference{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -43880,7 +44097,7 @@ func schema_k8sio_api_networking_v1beta1_IPAddressSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.ParentReference"},
+			networkingv1beta1.ParentReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -43909,28 +44126,28 @@ func schema_k8sio_api_networking_v1beta1_Ingress(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressSpec"),
+							Ref:         ref(networkingv1beta1.IngressSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressStatus"),
+							Ref:         ref(networkingv1beta1.IngressStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressSpec", "k8s.io/api/networking/v1beta1.IngressStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1beta1.IngressSpec{}.OpenAPIModelName(), networkingv1beta1.IngressStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -43951,20 +44168,20 @@ func schema_k8sio_api_networking_v1beta1_IngressBackend(ref common.ReferenceCall
 					"servicePort": {
 						SchemaProps: spec.SchemaProps{
 							Description: "servicePort Specifies the port of the referenced service.",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, serviceName and servicePort must not be specified.",
-							Ref:         ref("k8s.io/api/core/v1.TypedLocalObjectReference"),
+							Ref:         ref(corev1.TypedLocalObjectReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TypedLocalObjectReference", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			corev1.TypedLocalObjectReference{}.OpenAPIModelName(), intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -43993,21 +44210,21 @@ func schema_k8sio_api_networking_v1beta1_IngressClass(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressClassSpec"),
+							Ref:         ref(networkingv1beta1.IngressClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1beta1.IngressClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44036,7 +44253,7 @@ func schema_k8sio_api_networking_v1beta1_IngressClassList(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -44047,7 +44264,7 @@ func schema_k8sio_api_networking_v1beta1_IngressClassList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IngressClass"),
+										Ref:     ref(networkingv1beta1.IngressClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44058,7 +44275,7 @@ func schema_k8sio_api_networking_v1beta1_IngressClassList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1beta1.IngressClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44130,14 +44347,14 @@ func schema_k8sio_api_networking_v1beta1_IngressClassSpec(ref common.ReferenceCa
 					"parameters": {
 						SchemaProps: spec.SchemaProps{
 							Description: "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.",
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressClassParametersReference"),
+							Ref:         ref(networkingv1beta1.IngressClassParametersReference{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressClassParametersReference"},
+			networkingv1beta1.IngressClassParametersReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -44166,7 +44383,7 @@ func schema_k8sio_api_networking_v1beta1_IngressList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -44177,7 +44394,7 @@ func schema_k8sio_api_networking_v1beta1_IngressList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.Ingress"),
+										Ref:     ref(networkingv1beta1.Ingress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44188,7 +44405,7 @@ func schema_k8sio_api_networking_v1beta1_IngressList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.Ingress", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1beta1.Ingress{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44226,7 +44443,7 @@ func schema_k8sio_api_networking_v1beta1_IngressLoadBalancerIngress(ref common.R
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IngressPortStatus"),
+										Ref:     ref(networkingv1beta1.IngressPortStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44236,7 +44453,7 @@ func schema_k8sio_api_networking_v1beta1_IngressLoadBalancerIngress(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressPortStatus"},
+			networkingv1beta1.IngressPortStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -44260,7 +44477,7 @@ func schema_k8sio_api_networking_v1beta1_IngressLoadBalancerStatus(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IngressLoadBalancerIngress"),
+										Ref:     ref(networkingv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44270,7 +44487,7 @@ func schema_k8sio_api_networking_v1beta1_IngressLoadBalancerStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressLoadBalancerIngress"},
+			networkingv1beta1.IngressLoadBalancerIngress{}.OpenAPIModelName()},
 	}
 }
 
@@ -44328,14 +44545,14 @@ func schema_k8sio_api_networking_v1beta1_IngressRule(ref common.ReferenceCallbac
 					},
 					"http": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/api/networking/v1beta1.HTTPIngressRuleValue"),
+							Ref: ref(networkingv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.HTTPIngressRuleValue"},
+			networkingv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -44348,14 +44565,14 @@ func schema_k8sio_api_networking_v1beta1_IngressRuleValue(ref common.ReferenceCa
 				Properties: map[string]spec.Schema{
 					"http": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/api/networking/v1beta1.HTTPIngressRuleValue"),
+							Ref: ref(networkingv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.HTTPIngressRuleValue"},
+			networkingv1beta1.HTTPIngressRuleValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -44376,7 +44593,7 @@ func schema_k8sio_api_networking_v1beta1_IngressSpec(ref common.ReferenceCallbac
 					"backend": {
 						SchemaProps: spec.SchemaProps{
 							Description: "backend is the default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.",
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressBackend"),
+							Ref:         ref(networkingv1beta1.IngressBackend{}.OpenAPIModelName()),
 						},
 					},
 					"tls": {
@@ -44392,7 +44609,7 @@ func schema_k8sio_api_networking_v1beta1_IngressSpec(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IngressTLS"),
+										Ref:     ref(networkingv1beta1.IngressTLS{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44411,7 +44628,7 @@ func schema_k8sio_api_networking_v1beta1_IngressSpec(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.IngressRule"),
+										Ref:     ref(networkingv1beta1.IngressRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44421,7 +44638,7 @@ func schema_k8sio_api_networking_v1beta1_IngressSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressBackend", "k8s.io/api/networking/v1beta1.IngressRule", "k8s.io/api/networking/v1beta1.IngressTLS"},
+			networkingv1beta1.IngressBackend{}.OpenAPIModelName(), networkingv1beta1.IngressRule{}.OpenAPIModelName(), networkingv1beta1.IngressTLS{}.OpenAPIModelName()},
 	}
 }
 
@@ -44436,14 +44653,14 @@ func schema_k8sio_api_networking_v1beta1_IngressStatus(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "loadBalancer contains the current status of the load-balancer.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.IngressLoadBalancerStatus"),
+							Ref:         ref(networkingv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.IngressLoadBalancerStatus"},
+			networkingv1beta1.IngressLoadBalancerStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -44554,28 +44771,28 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDR(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.ServiceCIDRSpec"),
+							Ref:         ref(networkingv1beta1.ServiceCIDRSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/networking/v1beta1.ServiceCIDRStatus"),
+							Ref:         ref(networkingv1beta1.ServiceCIDRStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.ServiceCIDRSpec", "k8s.io/api/networking/v1beta1.ServiceCIDRStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			networkingv1beta1.ServiceCIDRSpec{}.OpenAPIModelName(), networkingv1beta1.ServiceCIDRStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44604,7 +44821,7 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDRList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -44615,7 +44832,7 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDRList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/networking/v1beta1.ServiceCIDR"),
+										Ref:     ref(networkingv1beta1.ServiceCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44626,7 +44843,7 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDRList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/networking/v1beta1.ServiceCIDR", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			networkingv1beta1.ServiceCIDR{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44688,7 +44905,7 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDRStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44698,7 +44915,7 @@ func schema_k8sio_api_networking_v1beta1_ServiceCIDRStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+			metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -44717,7 +44934,7 @@ func schema_k8sio_api_node_v1_Overhead(ref common.ReferenceCallback) common.Open
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44727,7 +44944,7 @@ func schema_k8sio_api_node_v1_Overhead(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -44756,7 +44973,7 @@ func schema_k8sio_api_node_v1_RuntimeClass(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"handler": {
@@ -44770,13 +44987,13 @@ func schema_k8sio_api_node_v1_RuntimeClass(ref common.ReferenceCallback) common.
 					"overhead": {
 						SchemaProps: spec.SchemaProps{
 							Description: "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/",
-							Ref:         ref("k8s.io/api/node/v1.Overhead"),
+							Ref:         ref(nodev1.Overhead{}.OpenAPIModelName()),
 						},
 					},
 					"scheduling": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.",
-							Ref:         ref("k8s.io/api/node/v1.Scheduling"),
+							Ref:         ref(nodev1.Scheduling{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -44784,7 +45001,7 @@ func schema_k8sio_api_node_v1_RuntimeClass(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1.Overhead", "k8s.io/api/node/v1.Scheduling", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			nodev1.Overhead{}.OpenAPIModelName(), nodev1.Scheduling{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44813,7 +45030,7 @@ func schema_k8sio_api_node_v1_RuntimeClassList(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -44824,7 +45041,7 @@ func schema_k8sio_api_node_v1_RuntimeClassList(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/node/v1.RuntimeClass"),
+										Ref:     ref(nodev1.RuntimeClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44835,7 +45052,7 @@ func schema_k8sio_api_node_v1_RuntimeClassList(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1.RuntimeClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			nodev1.RuntimeClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44880,7 +45097,7 @@ func schema_k8sio_api_node_v1_Scheduling(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Toleration"),
+										Ref:     ref(corev1.Toleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44890,7 +45107,7 @@ func schema_k8sio_api_node_v1_Scheduling(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Toleration"},
+			corev1.Toleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -44909,7 +45126,7 @@ func schema_k8sio_api_node_v1alpha1_Overhead(ref common.ReferenceCallback) commo
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -44919,7 +45136,7 @@ func schema_k8sio_api_node_v1alpha1_Overhead(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -44948,14 +45165,14 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClass(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents specification of the RuntimeClass More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/node/v1alpha1.RuntimeClassSpec"),
+							Ref:         ref(nodev1alpha1.RuntimeClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -44963,7 +45180,7 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClass(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1alpha1.RuntimeClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			nodev1alpha1.RuntimeClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -44992,7 +45209,7 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClassList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -45003,7 +45220,7 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClassList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/node/v1alpha1.RuntimeClass"),
+										Ref:     ref(nodev1alpha1.RuntimeClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45014,7 +45231,7 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClassList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1alpha1.RuntimeClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			nodev1alpha1.RuntimeClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45036,13 +45253,13 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClassSpec(ref common.ReferenceCallbac
 					"overhead": {
 						SchemaProps: spec.SchemaProps{
 							Description: "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md",
-							Ref:         ref("k8s.io/api/node/v1alpha1.Overhead"),
+							Ref:         ref(nodev1alpha1.Overhead{}.OpenAPIModelName()),
 						},
 					},
 					"scheduling": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.",
-							Ref:         ref("k8s.io/api/node/v1alpha1.Scheduling"),
+							Ref:         ref(nodev1alpha1.Scheduling{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -45050,7 +45267,7 @@ func schema_k8sio_api_node_v1alpha1_RuntimeClassSpec(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1alpha1.Overhead", "k8s.io/api/node/v1alpha1.Scheduling"},
+			nodev1alpha1.Overhead{}.OpenAPIModelName(), nodev1alpha1.Scheduling{}.OpenAPIModelName()},
 	}
 }
 
@@ -45095,7 +45312,7 @@ func schema_k8sio_api_node_v1alpha1_Scheduling(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Toleration"),
+										Ref:     ref(corev1.Toleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45105,7 +45322,7 @@ func schema_k8sio_api_node_v1alpha1_Scheduling(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Toleration"},
+			corev1.Toleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -45124,7 +45341,7 @@ func schema_k8sio_api_node_v1beta1_Overhead(ref common.ReferenceCallback) common
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45134,7 +45351,7 @@ func schema_k8sio_api_node_v1beta1_Overhead(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -45163,7 +45380,7 @@ func schema_k8sio_api_node_v1beta1_RuntimeClass(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"handler": {
@@ -45177,13 +45394,13 @@ func schema_k8sio_api_node_v1beta1_RuntimeClass(ref common.ReferenceCallback) co
 					"overhead": {
 						SchemaProps: spec.SchemaProps{
 							Description: "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md",
-							Ref:         ref("k8s.io/api/node/v1beta1.Overhead"),
+							Ref:         ref(nodev1beta1.Overhead{}.OpenAPIModelName()),
 						},
 					},
 					"scheduling": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.",
-							Ref:         ref("k8s.io/api/node/v1beta1.Scheduling"),
+							Ref:         ref(nodev1beta1.Scheduling{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -45191,7 +45408,7 @@ func schema_k8sio_api_node_v1beta1_RuntimeClass(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1beta1.Overhead", "k8s.io/api/node/v1beta1.Scheduling", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			nodev1beta1.Overhead{}.OpenAPIModelName(), nodev1beta1.Scheduling{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45220,7 +45437,7 @@ func schema_k8sio_api_node_v1beta1_RuntimeClassList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -45231,7 +45448,7 @@ func schema_k8sio_api_node_v1beta1_RuntimeClassList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/node/v1beta1.RuntimeClass"),
+										Ref:     ref(nodev1beta1.RuntimeClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45242,7 +45459,7 @@ func schema_k8sio_api_node_v1beta1_RuntimeClassList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/node/v1beta1.RuntimeClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			nodev1beta1.RuntimeClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45287,7 +45504,7 @@ func schema_k8sio_api_node_v1beta1_Scheduling(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Toleration"),
+										Ref:     ref(corev1.Toleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45297,7 +45514,7 @@ func schema_k8sio_api_node_v1beta1_Scheduling(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Toleration"},
+			corev1.Toleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -45326,20 +45543,20 @@ func schema_k8sio_api_policy_v1_Eviction(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta describes the pod that is being evicted.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"deleteOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeleteOptions may be provided",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions"),
+							Ref:         ref(metav1.DeleteOptions{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.DeleteOptions{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45368,28 +45585,28 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudget(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the PodDisruptionBudget.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/policy/v1.PodDisruptionBudgetSpec"),
+							Ref:         ref(policyv1.PodDisruptionBudgetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the PodDisruptionBudget.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/policy/v1.PodDisruptionBudgetStatus"),
+							Ref:         ref(policyv1.PodDisruptionBudgetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/policy/v1.PodDisruptionBudgetSpec", "k8s.io/api/policy/v1.PodDisruptionBudgetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			policyv1.PodDisruptionBudgetSpec{}.OpenAPIModelName(), policyv1.PodDisruptionBudgetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45418,7 +45635,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -45429,7 +45646,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/policy/v1.PodDisruptionBudget"),
+										Ref:     ref(policyv1.PodDisruptionBudget{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45440,7 +45657,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/policy/v1.PodDisruptionBudget", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			policyv1.PodDisruptionBudget{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45454,7 +45671,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetSpec(ref common.ReferenceCall
 					"minAvailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying \"100%\".",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
@@ -45465,13 +45682,13 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetSpec(ref common.ReferenceCall
 						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\".",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"unhealthyPodEvictionPolicy": {
@@ -45486,7 +45703,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetSpec(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			metav1.LabelSelector{}.OpenAPIModelName(), intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -45512,7 +45729,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetStatus(ref common.ReferenceCa
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+										Ref: ref(metav1.Time{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45568,7 +45785,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetStatus(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45579,7 +45796,7 @@ func schema_k8sio_api_policy_v1_PodDisruptionBudgetStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Condition{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -45608,20 +45825,20 @@ func schema_k8sio_api_policy_v1beta1_Eviction(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta describes the pod that is being evicted.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"deleteOptions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeleteOptions may be provided",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions"),
+							Ref:         ref(metav1.DeleteOptions{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.DeleteOptions{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45650,28 +45867,28 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudget(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the PodDisruptionBudget.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/policy/v1beta1.PodDisruptionBudgetSpec"),
+							Ref:         ref(policyv1beta1.PodDisruptionBudgetSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the PodDisruptionBudget.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/policy/v1beta1.PodDisruptionBudgetStatus"),
+							Ref:         ref(policyv1beta1.PodDisruptionBudgetStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/policy/v1beta1.PodDisruptionBudgetSpec", "k8s.io/api/policy/v1beta1.PodDisruptionBudgetStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			policyv1beta1.PodDisruptionBudgetSpec{}.OpenAPIModelName(), policyv1beta1.PodDisruptionBudgetStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45700,7 +45917,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetList(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -45711,7 +45928,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetList(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/policy/v1beta1.PodDisruptionBudget"),
+										Ref:     ref(policyv1beta1.PodDisruptionBudget{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45722,7 +45939,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetList(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/policy/v1beta1.PodDisruptionBudget", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			policyv1beta1.PodDisruptionBudget{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45736,19 +45953,19 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetSpec(ref common.Referenc
 					"minAvailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying \"100%\".",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Label query over pods whose evictions are managed by the disruption budget. A null selector selects no pods. An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods. In policy/v1, an empty selector will select all pods in the namespace.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"maxUnavailable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\".",
-							Ref:         ref("k8s.io/apimachinery/pkg/util/intstr.IntOrString"),
+							Ref:         ref(intstr.IntOrString{}.OpenAPIModelName()),
 						},
 					},
 					"unhealthyPodEvictionPolicy": {
@@ -45763,7 +45980,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetSpec(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/util/intstr.IntOrString"},
+			metav1.LabelSelector{}.OpenAPIModelName(), intstr.IntOrString{}.OpenAPIModelName()},
 	}
 }
 
@@ -45789,7 +46006,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetStatus(ref common.Refere
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+										Ref: ref(metav1.Time{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45845,7 +46062,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetStatus(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45856,7 +46073,7 @@ func schema_k8sio_api_policy_v1beta1_PodDisruptionBudgetStatus(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Condition{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -45880,7 +46097,7 @@ func schema_k8sio_api_rbac_v1_AggregationRule(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+										Ref:     ref(metav1.LabelSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45890,7 +46107,7 @@ func schema_k8sio_api_rbac_v1_AggregationRule(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -45919,7 +46136,7 @@ func schema_k8sio_api_rbac_v1_ClusterRole(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -45935,7 +46152,7 @@ func schema_k8sio_api_rbac_v1_ClusterRole(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.PolicyRule"),
+										Ref:     ref(rbacv1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -45944,14 +46161,14 @@ func schema_k8sio_api_rbac_v1_ClusterRole(ref common.ReferenceCallback) common.O
 					"aggregationRule": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.",
-							Ref:         ref("k8s.io/api/rbac/v1.AggregationRule"),
+							Ref:         ref(rbacv1.AggregationRule{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.AggregationRule", "k8s.io/api/rbac/v1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1.AggregationRule{}.OpenAPIModelName(), rbacv1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -45980,7 +46197,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -45996,7 +46213,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.Subject"),
+										Ref:     ref(rbacv1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46006,7 +46223,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1.RoleRef"),
+							Ref:         ref(rbacv1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -46014,7 +46231,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBinding(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.RoleRef", "k8s.io/api/rbac/v1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1.RoleRef{}.OpenAPIModelName(), rbacv1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46043,7 +46260,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBindingList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46054,7 +46271,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBindingList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.ClusterRoleBinding"),
+										Ref:     ref(rbacv1.ClusterRoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46065,7 +46282,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleBindingList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.ClusterRoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1.ClusterRoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46094,7 +46311,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleList(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46105,7 +46322,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleList(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.ClusterRole"),
+										Ref:     ref(rbacv1.ClusterRole{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46116,7 +46333,7 @@ func schema_k8sio_api_rbac_v1_ClusterRoleList(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.ClusterRole", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1.ClusterRole{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46259,7 +46476,7 @@ func schema_k8sio_api_rbac_v1_Role(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -46275,7 +46492,7 @@ func schema_k8sio_api_rbac_v1_Role(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.PolicyRule"),
+										Ref:     ref(rbacv1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46285,7 +46502,7 @@ func schema_k8sio_api_rbac_v1_Role(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46314,7 +46531,7 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -46330,7 +46547,7 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.Subject"),
+										Ref:     ref(rbacv1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46340,7 +46557,7 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1.RoleRef"),
+							Ref:         ref(rbacv1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -46348,7 +46565,7 @@ func schema_k8sio_api_rbac_v1_RoleBinding(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.RoleRef", "k8s.io/api/rbac/v1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1.RoleRef{}.OpenAPIModelName(), rbacv1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46377,7 +46594,7 @@ func schema_k8sio_api_rbac_v1_RoleBindingList(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46388,7 +46605,7 @@ func schema_k8sio_api_rbac_v1_RoleBindingList(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.RoleBinding"),
+										Ref:     ref(rbacv1.RoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46399,7 +46616,7 @@ func schema_k8sio_api_rbac_v1_RoleBindingList(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.RoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1.RoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46428,7 +46645,7 @@ func schema_k8sio_api_rbac_v1_RoleList(ref common.ReferenceCallback) common.Open
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46439,7 +46656,7 @@ func schema_k8sio_api_rbac_v1_RoleList(ref common.ReferenceCallback) common.Open
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1.Role"),
+										Ref:     ref(rbacv1.Role{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46450,7 +46667,7 @@ func schema_k8sio_api_rbac_v1_RoleList(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1.Role", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1.Role{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46566,7 +46783,7 @@ func schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+										Ref:     ref(metav1.LabelSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46576,7 +46793,7 @@ func schema_k8sio_api_rbac_v1alpha1_AggregationRule(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -46605,7 +46822,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -46621,7 +46838,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.PolicyRule"),
+										Ref:     ref(rbacv1alpha1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46630,14 +46847,14 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRole(ref common.ReferenceCallback) co
 					"aggregationRule": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.",
-							Ref:         ref("k8s.io/api/rbac/v1alpha1.AggregationRule"),
+							Ref:         ref(rbacv1alpha1.AggregationRule{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.AggregationRule", "k8s.io/api/rbac/v1alpha1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1alpha1.AggregationRule{}.OpenAPIModelName(), rbacv1alpha1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46666,7 +46883,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -46682,7 +46899,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.Subject"),
+										Ref:     ref(rbacv1alpha1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46692,7 +46909,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1alpha1.RoleRef"),
+							Ref:         ref(rbacv1alpha1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -46700,7 +46917,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBinding(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.RoleRef", "k8s.io/api/rbac/v1alpha1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1alpha1.RoleRef{}.OpenAPIModelName(), rbacv1alpha1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46729,7 +46946,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBindingList(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46740,7 +46957,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBindingList(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.ClusterRoleBinding"),
+										Ref:     ref(rbacv1alpha1.ClusterRoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46751,7 +46968,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleBindingList(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.ClusterRoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1alpha1.ClusterRoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46780,7 +46997,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -46791,7 +47008,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.ClusterRole"),
+										Ref:     ref(rbacv1alpha1.ClusterRole{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46802,7 +47019,7 @@ func schema_k8sio_api_rbac_v1alpha1_ClusterRoleList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.ClusterRole", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1alpha1.ClusterRole{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -46945,7 +47162,7 @@ func schema_k8sio_api_rbac_v1alpha1_Role(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -46961,7 +47178,7 @@ func schema_k8sio_api_rbac_v1alpha1_Role(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.PolicyRule"),
+										Ref:     ref(rbacv1alpha1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -46971,7 +47188,7 @@ func schema_k8sio_api_rbac_v1alpha1_Role(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1alpha1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47000,7 +47217,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -47016,7 +47233,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.Subject"),
+										Ref:     ref(rbacv1alpha1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47026,7 +47243,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1alpha1.RoleRef"),
+							Ref:         ref(rbacv1alpha1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -47034,7 +47251,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBinding(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.RoleRef", "k8s.io/api/rbac/v1alpha1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1alpha1.RoleRef{}.OpenAPIModelName(), rbacv1alpha1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47063,7 +47280,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBindingList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47074,7 +47291,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBindingList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.RoleBinding"),
+										Ref:     ref(rbacv1alpha1.RoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47085,7 +47302,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleBindingList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.RoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1alpha1.RoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47114,7 +47331,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleList(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47125,7 +47342,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1alpha1.Role"),
+										Ref:     ref(rbacv1alpha1.Role{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47136,7 +47353,7 @@ func schema_k8sio_api_rbac_v1alpha1_RoleList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1alpha1.Role", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1alpha1.Role{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47242,7 +47459,7 @@ func schema_k8sio_api_rbac_v1beta1_AggregationRule(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+										Ref:     ref(metav1.LabelSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47252,7 +47469,7 @@ func schema_k8sio_api_rbac_v1beta1_AggregationRule(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -47281,7 +47498,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRole(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -47297,7 +47514,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRole(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.PolicyRule"),
+										Ref:     ref(rbacv1beta1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47306,14 +47523,14 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRole(ref common.ReferenceCallback) com
 					"aggregationRule": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.",
-							Ref:         ref("k8s.io/api/rbac/v1beta1.AggregationRule"),
+							Ref:         ref(rbacv1beta1.AggregationRule{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.AggregationRule", "k8s.io/api/rbac/v1beta1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1beta1.AggregationRule{}.OpenAPIModelName(), rbacv1beta1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47342,7 +47559,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -47358,7 +47575,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.Subject"),
+										Ref:     ref(rbacv1beta1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47368,7 +47585,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1beta1.RoleRef"),
+							Ref:         ref(rbacv1beta1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -47376,7 +47593,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBinding(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.RoleRef", "k8s.io/api/rbac/v1beta1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1beta1.RoleRef{}.OpenAPIModelName(), rbacv1beta1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47405,7 +47622,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBindingList(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47416,7 +47633,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBindingList(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.ClusterRoleBinding"),
+										Ref:     ref(rbacv1beta1.ClusterRoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47427,7 +47644,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleBindingList(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.ClusterRoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1beta1.ClusterRoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47456,7 +47673,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47467,7 +47684,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.ClusterRole"),
+										Ref:     ref(rbacv1beta1.ClusterRole{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47478,7 +47695,7 @@ func schema_k8sio_api_rbac_v1beta1_ClusterRoleList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.ClusterRole", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1beta1.ClusterRole{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47621,7 +47838,7 @@ func schema_k8sio_api_rbac_v1beta1_Role(ref common.ReferenceCallback) common.Ope
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -47637,7 +47854,7 @@ func schema_k8sio_api_rbac_v1beta1_Role(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.PolicyRule"),
+										Ref:     ref(rbacv1beta1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47647,7 +47864,7 @@ func schema_k8sio_api_rbac_v1beta1_Role(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.PolicyRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1beta1.PolicyRule{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47676,7 +47893,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"subjects": {
@@ -47692,7 +47909,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.Subject"),
+										Ref:     ref(rbacv1beta1.Subject{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47702,7 +47919,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/rbac/v1beta1.RoleRef"),
+							Ref:         ref(rbacv1beta1.RoleRef{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -47710,7 +47927,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBinding(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.RoleRef", "k8s.io/api/rbac/v1beta1.Subject", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			rbacv1beta1.RoleRef{}.OpenAPIModelName(), rbacv1beta1.Subject{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47739,7 +47956,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBindingList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47750,7 +47967,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBindingList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.RoleBinding"),
+										Ref:     ref(rbacv1beta1.RoleBinding{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47761,7 +47978,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleBindingList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.RoleBinding", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1beta1.RoleBinding{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47790,7 +48007,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleList(ref common.ReferenceCallback) common
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -47801,7 +48018,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleList(ref common.ReferenceCallback) common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/rbac/v1beta1.Role"),
+										Ref:     ref(rbacv1beta1.Role{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47812,7 +48029,7 @@ func schema_k8sio_api_rbac_v1beta1_RoleList(ref common.ReferenceCallback) common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/rbac/v1beta1.Role", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			rbacv1beta1.Role{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -47907,7 +48124,7 @@ func schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref common.ReferenceCall
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -47952,7 +48169,7 @@ func schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -47961,13 +48178,13 @@ func schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref common.ReferenceCall
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"networkData": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NetworkData contains network-related information specific to the device.",
-							Ref:         ref("k8s.io/api/resource/v1.NetworkDeviceData"),
+							Ref:         ref(resourcev1.NetworkDeviceData{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -47975,7 +48192,7 @@ func schema_k8sio_api_resource_v1_AllocatedDeviceStatus(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.NetworkDeviceData", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			resourcev1.NetworkDeviceData{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -47990,26 +48207,26 @@ func schema_k8sio_api_resource_v1_AllocationResult(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices is the result of allocating devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.DeviceAllocationResult"),
+							Ref:         ref(resourcev1.DeviceAllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allocationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AllocationTimestamp stores the time when the resources were allocated. This field is not guaranteed to be set, in which case that time is unknown.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gate.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1.DeviceAllocationResult", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1.DeviceAllocationResult{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -48045,7 +48262,7 @@ func schema_k8sio_api_resource_v1_CapacityRequestPolicy(ref common.ReferenceCall
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Default specifies how much of this capacity is consumed by a request that does not contain an entry for it in DeviceRequest's Capacity.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"validValues": {
@@ -48060,7 +48277,7 @@ func schema_k8sio_api_resource_v1_CapacityRequestPolicy(ref common.ReferenceCall
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48069,14 +48286,14 @@ func schema_k8sio_api_resource_v1_CapacityRequestPolicy(ref common.ReferenceCall
 					"validRange": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ValidRange defines an acceptable quantity value range in consuming requests.\n\nIf this field is set, Default must be defined and it must fall within the defined ValidRange.\n\nIf the requested amount does not fall within the defined range, the request violates the policy, and this device cannot be allocated.\n\nIf the request doesn't contain this capacity entry, Default value is used.",
-							Ref:         ref("k8s.io/api/resource/v1.CapacityRequestPolicyRange"),
+							Ref:         ref(resourcev1.CapacityRequestPolicyRange{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.CapacityRequestPolicyRange", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1.CapacityRequestPolicyRange{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -48090,19 +48307,19 @@ func schema_k8sio_api_resource_v1_CapacityRequestPolicyRange(ref common.Referenc
 					"min": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Min specifies the minimum capacity allowed for a consumption request.\n\nMin must be greater than or equal to zero, and less than or equal to the capacity value. requestPolicy.default must be more than or equal to the minimum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"max": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Max defines the upper limit for capacity that can be requested.\n\nMax must be less than or equal to the capacity value. Min and requestPolicy.default must be less than or equal to the maximum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"step": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Step defines the step size between valid capacity amounts within the range.\n\nMax (if set) and requestPolicy.default must be a multiple of Step. Min + Step must be less than or equal to the capacity value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -48110,7 +48327,7 @@ func schema_k8sio_api_resource_v1_CapacityRequestPolicyRange(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -48129,7 +48346,7 @@ func schema_k8sio_api_resource_v1_CapacityRequirements(ref common.ReferenceCallb
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48139,7 +48356,7 @@ func schema_k8sio_api_resource_v1_CapacityRequirements(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -48153,7 +48370,7 @@ func schema_k8sio_api_resource_v1_Counter(ref common.ReferenceCallback) common.O
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain device counter is available.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -48161,7 +48378,7 @@ func schema_k8sio_api_resource_v1_Counter(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -48169,7 +48386,7 @@ func schema_k8sio_api_resource_v1_CounterSet(ref common.ReferenceCallback) commo
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"name": {
@@ -48182,14 +48399,14 @@ func schema_k8sio_api_resource_v1_CounterSet(ref common.ReferenceCallback) commo
 					},
 					"counters": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+							Description: "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.Counter"),
+										Ref:     ref(resourcev1.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48200,7 +48417,7 @@ func schema_k8sio_api_resource_v1_CounterSet(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.Counter"},
+			resourcev1.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -48228,7 +48445,7 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceAttribute"),
+										Ref:     ref(resourcev1.DeviceAttribute{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48243,7 +48460,7 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceCapacity"),
+										Ref:     ref(resourcev1.DeviceCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48256,13 +48473,13 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceCounterConsumption"),
+										Ref:     ref(resourcev1.DeviceCounterConsumption{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48278,7 +48495,7 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -48295,13 +48512,13 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceTaint"),
+										Ref:     ref(resourcev1.DeviceTaint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48366,7 +48583,7 @@ func schema_k8sio_api_resource_v1_Device(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1.DeviceAttribute", "k8s.io/api/resource/v1.DeviceCapacity", "k8s.io/api/resource/v1.DeviceCounterConsumption", "k8s.io/api/resource/v1.DeviceTaint"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1.DeviceAttribute{}.OpenAPIModelName(), resourcev1.DeviceCapacity{}.OpenAPIModelName(), resourcev1.DeviceCounterConsumption{}.OpenAPIModelName(), resourcev1.DeviceTaint{}.OpenAPIModelName()},
 	}
 }
 
@@ -48379,10 +48596,11 @@ func schema_k8sio_api_resource_v1_DeviceAllocationConfiguration(ref common.Refer
 				Properties: map[string]spec.Schema{
 					"source": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.",
+							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.\n\n\nPossible enum values:\n - `\"FromClaim\"`\n - `\"FromClass\"`",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"FromClaim", "FromClass"},
 						},
 					},
 					"requests": {
@@ -48408,7 +48626,7 @@ func schema_k8sio_api_resource_v1_DeviceAllocationConfiguration(ref common.Refer
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -48416,7 +48634,7 @@ func schema_k8sio_api_resource_v1_DeviceAllocationConfiguration(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.OpaqueDeviceConfiguration"},
+			resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -48440,7 +48658,7 @@ func schema_k8sio_api_resource_v1_DeviceAllocationResult(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceRequestAllocationResult"),
+										Ref:     ref(resourcev1.DeviceRequestAllocationResult{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48459,7 +48677,7 @@ func schema_k8sio_api_resource_v1_DeviceAllocationResult(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceAllocationConfiguration"),
+										Ref:     ref(resourcev1.DeviceAllocationConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48469,7 +48687,7 @@ func schema_k8sio_api_resource_v1_DeviceAllocationResult(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceAllocationConfiguration", "k8s.io/api/resource/v1.DeviceRequestAllocationResult"},
+			resourcev1.DeviceAllocationConfiguration{}.OpenAPIModelName(), resourcev1.DeviceRequestAllocationResult{}.OpenAPIModelName()},
 	}
 }
 
@@ -48524,13 +48742,13 @@ func schema_k8sio_api_resource_v1_DeviceCapacity(ref common.ReferenceCallback) c
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain capacity that device has.\n\nThis field reflects the fixed total capacity and does not change. The consumed amount is tracked separately by scheduler and does not affect this value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"requestPolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RequestPolicy defines how this DeviceCapacity must be consumed when the device is allowed to be shared by multiple allocations.\n\nThe Device must have allowMultipleAllocations set to true in order to set a requestPolicy.\n\nIf unset, capacity requests are unconstrained: requests can consume any amount of capacity, as long as the total consumed across all allocations does not exceed the device's defined capacity. If request is also unset, default is the full capacity value.",
-							Ref:         ref("k8s.io/api/resource/v1.CapacityRequestPolicy"),
+							Ref:         ref(resourcev1.CapacityRequestPolicy{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -48538,7 +48756,7 @@ func schema_k8sio_api_resource_v1_DeviceCapacity(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.CapacityRequestPolicy", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1.CapacityRequestPolicy{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -48562,7 +48780,7 @@ func schema_k8sio_api_resource_v1_DeviceClaim(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceRequest"),
+										Ref:     ref(resourcev1.DeviceRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48581,7 +48799,7 @@ func schema_k8sio_api_resource_v1_DeviceClaim(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceConstraint"),
+										Ref:     ref(resourcev1.DeviceConstraint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48600,7 +48818,7 @@ func schema_k8sio_api_resource_v1_DeviceClaim(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceClaimConfiguration"),
+										Ref:     ref(resourcev1.DeviceClaimConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48610,7 +48828,7 @@ func schema_k8sio_api_resource_v1_DeviceClaim(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceClaimConfiguration", "k8s.io/api/resource/v1.DeviceConstraint", "k8s.io/api/resource/v1.DeviceRequest"},
+			resourcev1.DeviceClaimConfiguration{}.OpenAPIModelName(), resourcev1.DeviceConstraint{}.OpenAPIModelName(), resourcev1.DeviceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -48644,14 +48862,14 @@ func schema_k8sio_api_resource_v1_DeviceClaimConfiguration(ref common.ReferenceC
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.OpaqueDeviceConfiguration"},
+			resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -48680,14 +48898,14 @@ func schema_k8sio_api_resource_v1_DeviceClass(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.DeviceClassSpec"),
+							Ref:         ref(resourcev1.DeviceClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -48695,7 +48913,7 @@ func schema_k8sio_api_resource_v1_DeviceClass(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1.DeviceClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -48709,14 +48927,14 @@ func schema_k8sio_api_resource_v1_DeviceClassConfiguration(ref common.ReferenceC
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.OpaqueDeviceConfiguration"},
+			resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -48745,7 +48963,7 @@ func schema_k8sio_api_resource_v1_DeviceClassList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -48756,7 +48974,7 @@ func schema_k8sio_api_resource_v1_DeviceClassList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceClass"),
+										Ref:     ref(resourcev1.DeviceClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48767,7 +48985,7 @@ func schema_k8sio_api_resource_v1_DeviceClassList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1.DeviceClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -48791,7 +49009,7 @@ func schema_k8sio_api_resource_v1_DeviceClassSpec(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceSelector"),
+										Ref:     ref(resourcev1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48810,7 +49028,7 @@ func schema_k8sio_api_resource_v1_DeviceClassSpec(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceClassConfiguration"),
+										Ref:     ref(resourcev1.DeviceClassConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48827,7 +49045,7 @@ func schema_k8sio_api_resource_v1_DeviceClassSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceClassConfiguration", "k8s.io/api/resource/v1.DeviceSelector"},
+			resourcev1.DeviceClassConfiguration{}.OpenAPIModelName(), resourcev1.DeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -48841,14 +49059,14 @@ func schema_k8sio_api_resource_v1_DeviceConfiguration(ref common.ReferenceCallba
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.OpaqueDeviceConfiguration"},
+			resourcev1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -48916,14 +49134,14 @@ func schema_k8sio_api_resource_v1_DeviceCounterConsumption(ref common.ReferenceC
 					},
 					"counters": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.Counter"),
+										Ref:     ref(resourcev1.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48934,7 +49152,7 @@ func schema_k8sio_api_resource_v1_DeviceCounterConsumption(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.Counter"},
+			resourcev1.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -48956,7 +49174,7 @@ func schema_k8sio_api_resource_v1_DeviceRequest(ref common.ReferenceCallback) co
 					"exactly": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Exactly specifies the details for a single request that must be met exactly for the request to be satisfied.\n\nOne of Exactly or FirstAvailable must be set.",
-							Ref:         ref("k8s.io/api/resource/v1.ExactDeviceRequest"),
+							Ref:         ref(resourcev1.ExactDeviceRequest{}.OpenAPIModelName()),
 						},
 					},
 					"firstAvailable": {
@@ -48972,7 +49190,7 @@ func schema_k8sio_api_resource_v1_DeviceRequest(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceSubRequest"),
+										Ref:     ref(resourcev1.DeviceSubRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -48983,7 +49201,7 @@ func schema_k8sio_api_resource_v1_DeviceRequest(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceSubRequest", "k8s.io/api/resource/v1.ExactDeviceRequest"},
+			resourcev1.DeviceSubRequest{}.OpenAPIModelName(), resourcev1.ExactDeviceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -49004,7 +49222,7 @@ func schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref common.Refer
 					},
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -49046,7 +49264,7 @@ func schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceToleration"),
+										Ref:     ref(resourcev1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49107,7 +49325,7 @@ func schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref common.Refer
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49118,7 +49336,7 @@ func schema_k8sio_api_resource_v1_DeviceRequestAllocationResult(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceToleration", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1.DeviceToleration{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -49132,14 +49350,14 @@ func schema_k8sio_api_resource_v1_DeviceSelector(ref common.ReferenceCallback) c
 					"cel": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CEL contains a CEL expression for selecting a device.",
-							Ref:         ref("k8s.io/api/resource/v1.CELDeviceSelector"),
+							Ref:         ref(resourcev1.CELDeviceSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.CELDeviceSelector"},
+			resourcev1.CELDeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -49179,7 +49397,7 @@ func schema_k8sio_api_resource_v1_DeviceSubRequest(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceSelector"),
+										Ref:     ref(resourcev1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49187,9 +49405,10 @@ func schema_k8sio_api_resource_v1_DeviceSubRequest(ref common.ReferenceCallback)
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -49212,7 +49431,7 @@ func schema_k8sio_api_resource_v1_DeviceSubRequest(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceToleration"),
+										Ref:     ref(resourcev1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49221,7 +49440,7 @@ func schema_k8sio_api_resource_v1_DeviceSubRequest(ref common.ReferenceCallback)
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1.CapacityRequirements"),
+							Ref:         ref(resourcev1.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49229,7 +49448,7 @@ func schema_k8sio_api_resource_v1_DeviceSubRequest(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.CapacityRequirements", "k8s.io/api/resource/v1.DeviceSelector", "k8s.io/api/resource/v1.DeviceToleration"},
+			resourcev1.CapacityRequirements{}.OpenAPIModelName(), resourcev1.DeviceSelector{}.OpenAPIModelName(), resourcev1.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -49257,17 +49476,17 @@ func schema_k8sio_api_resource_v1_DeviceTaint(ref common.ReferenceCallback) comm
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"timeAdded": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49275,7 +49494,7 @@ func schema_k8sio_api_resource_v1_DeviceTaint(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -49311,10 +49530,10 @@ func schema_k8sio_api_resource_v1_DeviceToleration(ref common.ReferenceCallback)
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"tolerationSeconds": {
@@ -49358,7 +49577,7 @@ func schema_k8sio_api_resource_v1_ExactDeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceSelector"),
+										Ref:     ref(resourcev1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49366,9 +49585,10 @@ func schema_k8sio_api_resource_v1_ExactDeviceRequest(ref common.ReferenceCallbac
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -49398,7 +49618,7 @@ func schema_k8sio_api_resource_v1_ExactDeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.DeviceToleration"),
+										Ref:     ref(resourcev1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49407,7 +49627,7 @@ func schema_k8sio_api_resource_v1_ExactDeviceRequest(ref common.ReferenceCallbac
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1.CapacityRequirements"),
+							Ref:         ref(resourcev1.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49415,7 +49635,7 @@ func schema_k8sio_api_resource_v1_ExactDeviceRequest(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.CapacityRequirements", "k8s.io/api/resource/v1.DeviceSelector", "k8s.io/api/resource/v1.DeviceToleration"},
+			resourcev1.CapacityRequirements{}.OpenAPIModelName(), resourcev1.DeviceSelector{}.OpenAPIModelName(), resourcev1.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -49475,7 +49695,7 @@ func schema_k8sio_api_resource_v1_OpaqueDeviceConfiguration(ref common.Reference
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -49484,7 +49704,7 @@ func schema_k8sio_api_resource_v1_OpaqueDeviceConfiguration(ref common.Reference
 					"parameters": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49492,7 +49712,7 @@ func schema_k8sio_api_resource_v1_OpaqueDeviceConfiguration(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -49521,21 +49741,21 @@ func schema_k8sio_api_resource_v1_ResourceClaim(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec describes what is being requested and how to configure it. The spec is immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourceClaimSpec"),
+							Ref:         ref(resourcev1.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status describes whether the claim is ready to use and what has been allocated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourceClaimStatus"),
+							Ref:         ref(resourcev1.ResourceClaimStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49543,7 +49763,7 @@ func schema_k8sio_api_resource_v1_ResourceClaim(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceClaimSpec", "k8s.io/api/resource/v1.ResourceClaimStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1.ResourceClaimSpec{}.OpenAPIModelName(), resourcev1.ResourceClaimStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49617,7 +49837,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -49628,7 +49848,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.ResourceClaim"),
+										Ref:     ref(resourcev1.ResourceClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49639,7 +49859,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceClaim", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1.ResourceClaim{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49654,14 +49874,14 @@ func schema_k8sio_api_resource_v1_ResourceClaimSpec(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices defines how to request devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.DeviceClaim"),
+							Ref:         ref(resourcev1.DeviceClaim{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.DeviceClaim"},
+			resourcev1.DeviceClaim{}.OpenAPIModelName()},
 	}
 }
 
@@ -49675,7 +49895,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimStatus(ref common.ReferenceCallba
 					"allocation": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Allocation is set once the claim has been allocated successfully.",
-							Ref:         ref("k8s.io/api/resource/v1.AllocationResult"),
+							Ref:         ref(resourcev1.AllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"reservedFor": {
@@ -49696,7 +49916,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimStatus(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.ResourceClaimConsumerReference"),
+										Ref:     ref(resourcev1.ResourceClaimConsumerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49721,7 +49941,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimStatus(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.AllocatedDeviceStatus"),
+										Ref:     ref(resourcev1.AllocatedDeviceStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49731,7 +49951,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.AllocatedDeviceStatus", "k8s.io/api/resource/v1.AllocationResult", "k8s.io/api/resource/v1.ResourceClaimConsumerReference"},
+			resourcev1.AllocatedDeviceStatus{}.OpenAPIModelName(), resourcev1.AllocationResult{}.OpenAPIModelName(), resourcev1.ResourceClaimConsumerReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -49760,14 +49980,14 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplate(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourceClaimTemplateSpec"),
+							Ref:         ref(resourcev1.ResourceClaimTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49775,7 +49995,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplate(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceClaimTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1.ResourceClaimTemplateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49804,7 +50024,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplateList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -49815,7 +50035,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplateList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.ResourceClaimTemplate"),
+										Ref:     ref(resourcev1.ResourceClaimTemplate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49826,7 +50046,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplateList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceClaimTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1.ResourceClaimTemplate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49841,14 +50061,14 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplateSpec(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourceClaimSpec"),
+							Ref:         ref(resourcev1.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49856,7 +50076,7 @@ func schema_k8sio_api_resource_v1_ResourceClaimTemplateSpec(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceClaimSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1.ResourceClaimSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49923,14 +50143,14 @@ func schema_k8sio_api_resource_v1_ResourceSlice(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourceSliceSpec"),
+							Ref:         ref(resourcev1.ResourceSliceSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -49938,7 +50158,7 @@ func schema_k8sio_api_resource_v1_ResourceSlice(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceSliceSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1.ResourceSliceSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -49967,7 +50187,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -49978,7 +50198,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.ResourceSlice"),
+										Ref:     ref(resourcev1.ResourceSlice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -49989,7 +50209,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1.ResourceSlice", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1.ResourceSlice{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -50002,7 +50222,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -50012,7 +50232,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Pool describes the pool that this ResourceSlice belongs to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1.ResourcePool"),
+							Ref:         ref(resourcev1.ResourcePool{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -50025,7 +50245,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -50042,13 +50262,13 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.Device"),
+										Ref:     ref(resourcev1.Device{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50068,13 +50288,13 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1.CounterSet"),
+										Ref:     ref(resourcev1.CounterSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50085,7 +50305,7 @@ func schema_k8sio_api_resource_v1_ResourceSliceSpec(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1.CounterSet", "k8s.io/api/resource/v1.Device", "k8s.io/api/resource/v1.ResourcePool"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1.CounterSet{}.OpenAPIModelName(), resourcev1.Device{}.OpenAPIModelName(), resourcev1.ResourcePool{}.OpenAPIModelName()},
 	}
 }
 
@@ -50121,14 +50341,14 @@ func schema_k8sio_api_resource_v1alpha3_DeviceSelector(ref common.ReferenceCallb
 					"cel": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CEL contains a CEL expression for selecting a device.",
-							Ref:         ref("k8s.io/api/resource/v1alpha3.CELDeviceSelector"),
+							Ref:         ref(v1alpha3.CELDeviceSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.CELDeviceSelector"},
+			v1alpha3.CELDeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -50156,17 +50376,17 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref common.ReferenceCallback
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"timeAdded": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50174,7 +50394,7 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -50203,14 +50423,21 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec"),
+							Ref:         ref(v1alpha3.DeviceTaintRuleSpec{}.OpenAPIModelName()),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Status provides information about what was requested in the spec.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(v1alpha3.DeviceTaintRuleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50218,7 +50445,7 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1alpha3.DeviceTaintRuleSpec{}.OpenAPIModelName(), v1alpha3.DeviceTaintRuleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -50247,7 +50474,7 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -50258,7 +50485,7 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceTaintRule"),
+										Ref:     ref(v1alpha3.DeviceTaintRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50269,7 +50496,7 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceTaintRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1alpha3.DeviceTaintRule{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -50282,15 +50509,15 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref common.Reference
 				Properties: map[string]spec.Schema{
 					"deviceSelector": {
 						SchemaProps: spec.SchemaProps{
-							Description: "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
-							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaintSelector"),
+							Description: "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satisfied for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
+							Ref:         ref(v1alpha3.DeviceTaintSelector{}.OpenAPIModelName()),
 						},
 					},
 					"taint": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The taint that gets applied to matching devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaint"),
+							Ref:         ref(v1alpha3.DeviceTaint{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50298,24 +50525,56 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceTaint", "k8s.io/api/resource/v1alpha3.DeviceTaintSelector"},
+			v1alpha3.DeviceTaint{}.OpenAPIModelName(), v1alpha3.DeviceTaintSelector{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+				Description: "DeviceTaintRuleStatus provides information about an on-going pod eviction.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
-					"deviceClassName": {
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
 						SchemaProps: spec.SchemaProps{
-							Description: "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "Conditions provide information about the state of the DeviceTaintRule and the cluster at some point in time, in a machine-readable and human-readable format.\n\nThe following condition is currently defined as part of this API, more may get added: - Type: EvictionInProgress - Status: True if there are currently pods which need to be evicted, False otherwise\n  (includes the effects which don't cause eviction).\n- Reason: not specified, may change - Message: includes information about number of pending pods and already evicted pods\n  in a human-readable format, updated periodically, may change\n\nFor `effect: None`, the condition above gets set once for each change to the spec, with the message containing information about what would happen if the effect was `NoExecute`. This feedback can be used to decide whether changing the effect to `NoExecute` will work as intended. It only gets set once to avoid having to constantly update the status.\n\nMust have 8 or fewer entries.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
+									},
+								},
+							},
 						},
 					},
+				},
+			},
+		},
+		Dependencies: []string{
+			metav1.Condition{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
 							Description: "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
@@ -50337,30 +50596,9 @@ func schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref common.Reference
 							Format:      "",
 						},
 					},
-					"selectors": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
-						SchemaProps: spec.SchemaProps{
-							Description: "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
-							Type:        []string{"array"},
-							Items: &spec.SchemaOrArray{
-								Schema: &spec.Schema{
-									SchemaProps: spec.SchemaProps{
-										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceSelector"),
-									},
-								},
-							},
-						},
-					},
 				},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceSelector"},
 	}
 }
 
@@ -50373,7 +50611,7 @@ func schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref common.Referenc
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -50418,7 +50656,7 @@ func schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50427,13 +50665,13 @@ func schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref common.Referenc
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"networkData": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NetworkData contains network-related information specific to the device.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.NetworkDeviceData"),
+							Ref:         ref(resourcev1beta1.NetworkDeviceData{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50441,7 +50679,7 @@ func schema_k8sio_api_resource_v1beta1_AllocatedDeviceStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.NetworkDeviceData", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			resourcev1beta1.NetworkDeviceData{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -50456,26 +50694,26 @@ func schema_k8sio_api_resource_v1beta1_AllocationResult(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices is the result of allocating devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.DeviceAllocationResult"),
+							Ref:         ref(resourcev1beta1.DeviceAllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allocationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AllocationTimestamp stores the time when the resources were allocated. This field is not guaranteed to be set, in which case that time is unknown.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gate.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta1.DeviceAllocationResult", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta1.DeviceAllocationResult{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -50495,7 +50733,7 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceAttribute"),
+										Ref:     ref(resourcev1beta1.DeviceAttribute{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50510,7 +50748,7 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceCapacity"),
+										Ref:     ref(resourcev1beta1.DeviceCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50523,13 +50761,13 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceCounterConsumption"),
+										Ref:     ref(resourcev1beta1.DeviceCounterConsumption{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50545,7 +50783,7 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -50562,13 +50800,13 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceTaint"),
+										Ref:     ref(resourcev1beta1.DeviceTaint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50632,7 +50870,7 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta1.DeviceAttribute", "k8s.io/api/resource/v1beta1.DeviceCapacity", "k8s.io/api/resource/v1beta1.DeviceCounterConsumption", "k8s.io/api/resource/v1beta1.DeviceTaint"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta1.DeviceAttribute{}.OpenAPIModelName(), resourcev1beta1.DeviceCapacity{}.OpenAPIModelName(), resourcev1beta1.DeviceCounterConsumption{}.OpenAPIModelName(), resourcev1beta1.DeviceTaint{}.OpenAPIModelName()},
 	}
 }
 
@@ -50668,7 +50906,7 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequestPolicy(ref common.Referenc
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Default specifies how much of this capacity is consumed by a request that does not contain an entry for it in DeviceRequest's Capacity.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"validValues": {
@@ -50683,7 +50921,7 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequestPolicy(ref common.Referenc
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50692,14 +50930,14 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequestPolicy(ref common.Referenc
 					"validRange": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ValidRange defines an acceptable quantity value range in consuming requests.\n\nIf this field is set, Default must be defined and it must fall within the defined ValidRange.\n\nIf the requested amount does not fall within the defined range, the request violates the policy, and this device cannot be allocated.\n\nIf the request doesn't contain this capacity entry, Default value is used.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.CapacityRequestPolicyRange"),
+							Ref:         ref(resourcev1beta1.CapacityRequestPolicyRange{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.CapacityRequestPolicyRange", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta1.CapacityRequestPolicyRange{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -50713,19 +50951,19 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequestPolicyRange(ref common.Ref
 					"min": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Min specifies the minimum capacity allowed for a consumption request.\n\nMin must be greater than or equal to zero, and less than or equal to the capacity value. requestPolicy.default must be more than or equal to the minimum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"max": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Max defines the upper limit for capacity that can be requested.\n\nMax must be less than or equal to the capacity value. Min and requestPolicy.default must be less than or equal to the maximum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"step": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Step defines the step size between valid capacity amounts within the range.\n\nMax (if set) and requestPolicy.default must be a multiple of Step. Min + Step must be less than or equal to the capacity value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50733,7 +50971,7 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequestPolicyRange(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -50752,7 +50990,7 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequirements(ref common.Reference
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50762,7 +51000,7 @@ func schema_k8sio_api_resource_v1beta1_CapacityRequirements(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -50776,7 +51014,7 @@ func schema_k8sio_api_resource_v1beta1_Counter(ref common.ReferenceCallback) com
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain device counter is available.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50784,7 +51022,7 @@ func schema_k8sio_api_resource_v1beta1_Counter(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -50792,7 +51030,7 @@ func schema_k8sio_api_resource_v1beta1_CounterSet(ref common.ReferenceCallback)
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"name": {
@@ -50812,7 +51050,7 @@ func schema_k8sio_api_resource_v1beta1_CounterSet(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.Counter"),
+										Ref:     ref(resourcev1beta1.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50823,7 +51061,7 @@ func schema_k8sio_api_resource_v1beta1_CounterSet(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.Counter"},
+			resourcev1beta1.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -50845,7 +51083,7 @@ func schema_k8sio_api_resource_v1beta1_Device(ref common.ReferenceCallback) comm
 					"basic": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Basic defines one device instance.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.BasicDevice"),
+							Ref:         ref(resourcev1beta1.BasicDevice{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50853,7 +51091,7 @@ func schema_k8sio_api_resource_v1beta1_Device(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.BasicDevice"},
+			resourcev1beta1.BasicDevice{}.OpenAPIModelName()},
 	}
 }
 
@@ -50866,10 +51104,11 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationConfiguration(ref common.
 				Properties: map[string]spec.Schema{
 					"source": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.",
+							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.\n\n\nPossible enum values:\n - `\"FromClaim\"`\n - `\"FromClass\"`",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"FromClaim", "FromClass"},
 						},
 					},
 					"requests": {
@@ -50895,7 +51134,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationConfiguration(ref common.
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -50903,7 +51142,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationConfiguration(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"},
+			resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -50927,7 +51166,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationResult(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceRequestAllocationResult"),
+										Ref:     ref(resourcev1beta1.DeviceRequestAllocationResult{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50946,7 +51185,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationResult(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceAllocationConfiguration"),
+										Ref:     ref(resourcev1beta1.DeviceAllocationConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -50956,7 +51195,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceAllocationResult(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceAllocationConfiguration", "k8s.io/api/resource/v1beta1.DeviceRequestAllocationResult"},
+			resourcev1beta1.DeviceAllocationConfiguration{}.OpenAPIModelName(), resourcev1beta1.DeviceRequestAllocationResult{}.OpenAPIModelName()},
 	}
 }
 
@@ -51011,13 +51250,13 @@ func schema_k8sio_api_resource_v1beta1_DeviceCapacity(ref common.ReferenceCallba
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain capacity that device has.\n\nThis field reflects the fixed total capacity and does not change. The consumed amount is tracked separately by scheduler and does not affect this value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"requestPolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RequestPolicy defines how this DeviceCapacity must be consumed when the device is allowed to be shared by multiple allocations.\n\nThe Device must have allowMultipleAllocations set to true in order to set a requestPolicy.\n\nIf unset, capacity requests are unconstrained: requests can consume any amount of capacity, as long as the total consumed across all allocations does not exceed the device's defined capacity. If request is also unset, default is the full capacity value.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.CapacityRequestPolicy"),
+							Ref:         ref(resourcev1beta1.CapacityRequestPolicy{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51025,7 +51264,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceCapacity(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.CapacityRequestPolicy", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta1.CapacityRequestPolicy{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -51049,7 +51288,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceRequest"),
+										Ref:     ref(resourcev1beta1.DeviceRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51068,7 +51307,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceConstraint"),
+										Ref:     ref(resourcev1beta1.DeviceConstraint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51087,7 +51326,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceClaimConfiguration"),
+										Ref:     ref(resourcev1beta1.DeviceClaimConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51097,7 +51336,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClaim(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceClaimConfiguration", "k8s.io/api/resource/v1beta1.DeviceConstraint", "k8s.io/api/resource/v1beta1.DeviceRequest"},
+			resourcev1beta1.DeviceClaimConfiguration{}.OpenAPIModelName(), resourcev1beta1.DeviceConstraint{}.OpenAPIModelName(), resourcev1beta1.DeviceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -51131,14 +51370,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceClaimConfiguration(ref common.Refer
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"},
+			resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -51167,14 +51406,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceClass(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.DeviceClassSpec"),
+							Ref:         ref(resourcev1beta1.DeviceClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51182,7 +51421,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClass(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta1.DeviceClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -51196,14 +51435,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassConfiguration(ref common.Refer
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"},
+			resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -51232,7 +51471,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -51243,7 +51482,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceClass"),
+										Ref:     ref(resourcev1beta1.DeviceClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51254,7 +51493,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta1.DeviceClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -51278,7 +51517,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassSpec(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceSelector"),
+										Ref:     ref(resourcev1beta1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51297,7 +51536,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassSpec(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceClassConfiguration"),
+										Ref:     ref(resourcev1beta1.DeviceClassConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51314,7 +51553,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceClassSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceClassConfiguration", "k8s.io/api/resource/v1beta1.DeviceSelector"},
+			resourcev1beta1.DeviceClassConfiguration{}.OpenAPIModelName(), resourcev1beta1.DeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -51328,14 +51567,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceConfiguration(ref common.ReferenceC
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration"},
+			resourcev1beta1.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -51403,14 +51642,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceCounterConsumption(ref common.Refer
 					},
 					"counters": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.Counter"),
+										Ref:     ref(resourcev1beta1.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51421,7 +51660,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceCounterConsumption(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.Counter"},
+			resourcev1beta1.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -51461,7 +51700,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceSelector"),
+										Ref:     ref(resourcev1beta1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51469,9 +51708,10 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -51501,7 +51741,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceSubRequest"),
+										Ref:     ref(resourcev1beta1.DeviceSubRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51520,7 +51760,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+										Ref:     ref(resourcev1beta1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51529,7 +51769,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.CapacityRequirements"),
+							Ref:         ref(resourcev1beta1.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51537,7 +51777,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.CapacityRequirements", "k8s.io/api/resource/v1beta1.DeviceSelector", "k8s.io/api/resource/v1beta1.DeviceSubRequest", "k8s.io/api/resource/v1beta1.DeviceToleration"},
+			resourcev1beta1.CapacityRequirements{}.OpenAPIModelName(), resourcev1beta1.DeviceSelector{}.OpenAPIModelName(), resourcev1beta1.DeviceSubRequest{}.OpenAPIModelName(), resourcev1beta1.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -51558,7 +51798,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref common.
 					},
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -51600,7 +51840,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+										Ref:     ref(resourcev1beta1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51661,7 +51901,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref common.
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51672,7 +51912,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceToleration", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta1.DeviceToleration{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -51686,14 +51926,14 @@ func schema_k8sio_api_resource_v1beta1_DeviceSelector(ref common.ReferenceCallba
 					"cel": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CEL contains a CEL expression for selecting a device.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.CELDeviceSelector"),
+							Ref:         ref(resourcev1beta1.CELDeviceSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.CELDeviceSelector"},
+			resourcev1beta1.CELDeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -51733,7 +51973,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceSelector"),
+										Ref:     ref(resourcev1beta1.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51741,9 +51981,10 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -51766,7 +52007,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+										Ref:     ref(resourcev1beta1.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -51775,7 +52016,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.CapacityRequirements"),
+							Ref:         ref(resourcev1beta1.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51783,7 +52024,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.CapacityRequirements", "k8s.io/api/resource/v1beta1.DeviceSelector", "k8s.io/api/resource/v1beta1.DeviceToleration"},
+			resourcev1beta1.CapacityRequirements{}.OpenAPIModelName(), resourcev1beta1.DeviceSelector{}.OpenAPIModelName(), resourcev1beta1.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -51811,17 +52052,17 @@ func schema_k8sio_api_resource_v1beta1_DeviceTaint(ref common.ReferenceCallback)
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"timeAdded": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51829,7 +52070,7 @@ func schema_k8sio_api_resource_v1beta1_DeviceTaint(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -51865,10 +52106,10 @@ func schema_k8sio_api_resource_v1beta1_DeviceToleration(ref common.ReferenceCall
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"tolerationSeconds": {
@@ -51940,7 +52181,7 @@ func schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref common.Refe
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -51949,7 +52190,7 @@ func schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref common.Refe
 					"parameters": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -51957,7 +52198,7 @@ func schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -51986,21 +52227,21 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaim(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec describes what is being requested and how to configure it. The spec is immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourceClaimSpec"),
+							Ref:         ref(resourcev1beta1.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status describes whether the claim is ready to use and what has been allocated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourceClaimStatus"),
+							Ref:         ref(resourcev1beta1.ResourceClaimStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52008,7 +52249,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaim(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceClaimSpec", "k8s.io/api/resource/v1beta1.ResourceClaimStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta1.ResourceClaimSpec{}.OpenAPIModelName(), resourcev1beta1.ResourceClaimStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52082,7 +52323,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -52093,7 +52334,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.ResourceClaim"),
+										Ref:     ref(resourcev1beta1.ResourceClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52104,7 +52345,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceClaim", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta1.ResourceClaim{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52119,14 +52360,14 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices defines how to request devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.DeviceClaim"),
+							Ref:         ref(resourcev1beta1.DeviceClaim{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceClaim"},
+			resourcev1beta1.DeviceClaim{}.OpenAPIModelName()},
 	}
 }
 
@@ -52140,7 +52381,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref common.ReferenceC
 					"allocation": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Allocation is set once the claim has been allocated successfully.",
-							Ref:         ref("k8s.io/api/resource/v1beta1.AllocationResult"),
+							Ref:         ref(resourcev1beta1.AllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"reservedFor": {
@@ -52161,7 +52402,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.ResourceClaimConsumerReference"),
+										Ref:     ref(resourcev1beta1.ResourceClaimConsumerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52186,7 +52427,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.AllocatedDeviceStatus"),
+										Ref:     ref(resourcev1beta1.AllocatedDeviceStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52196,7 +52437,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.AllocatedDeviceStatus", "k8s.io/api/resource/v1beta1.AllocationResult", "k8s.io/api/resource/v1beta1.ResourceClaimConsumerReference"},
+			resourcev1beta1.AllocatedDeviceStatus{}.OpenAPIModelName(), resourcev1beta1.AllocationResult{}.OpenAPIModelName(), resourcev1beta1.ResourceClaimConsumerReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -52225,14 +52466,14 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplate(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourceClaimTemplateSpec"),
+							Ref:         ref(resourcev1beta1.ResourceClaimTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52240,7 +52481,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplate(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceClaimTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta1.ResourceClaimTemplateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52269,7 +52510,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -52280,7 +52521,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.ResourceClaimTemplate"),
+										Ref:     ref(resourcev1beta1.ResourceClaimTemplate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52291,7 +52532,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceClaimTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta1.ResourceClaimTemplate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52306,14 +52547,14 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateSpec(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourceClaimSpec"),
+							Ref:         ref(resourcev1beta1.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52321,7 +52562,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceClaimTemplateSpec(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceClaimSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta1.ResourceClaimSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52388,14 +52629,14 @@ func schema_k8sio_api_resource_v1beta1_ResourceSlice(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourceSliceSpec"),
+							Ref:         ref(resourcev1beta1.ResourceSliceSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52403,7 +52644,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSlice(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceSliceSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta1.ResourceSliceSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52432,7 +52673,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -52443,7 +52684,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.ResourceSlice"),
+										Ref:     ref(resourcev1beta1.ResourceSlice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52454,7 +52695,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.ResourceSlice", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta1.ResourceSlice{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -52467,7 +52708,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -52477,7 +52718,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Pool describes the pool that this ResourceSlice belongs to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta1.ResourcePool"),
+							Ref:         ref(resourcev1beta1.ResourcePool{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -52490,7 +52731,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -52507,13 +52748,13 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.Device"),
+										Ref:     ref(resourcev1beta1.Device{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52533,13 +52774,13 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of SharedCounters is 32.",
+							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta1.CounterSet"),
+										Ref:     ref(resourcev1beta1.CounterSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52550,7 +52791,7 @@ func schema_k8sio_api_resource_v1beta1_ResourceSliceSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta1.CounterSet", "k8s.io/api/resource/v1beta1.Device", "k8s.io/api/resource/v1beta1.ResourcePool"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta1.CounterSet{}.OpenAPIModelName(), resourcev1beta1.Device{}.OpenAPIModelName(), resourcev1beta1.ResourcePool{}.OpenAPIModelName()},
 	}
 }
 
@@ -52563,7 +52804,7 @@ func schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref common.Referenc
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -52608,7 +52849,7 @@ func schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52617,13 +52858,13 @@ func schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref common.Referenc
 					"data": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 					"networkData": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NetworkData contains network-related information specific to the device.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.NetworkDeviceData"),
+							Ref:         ref(resourcev1beta2.NetworkDeviceData{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52631,7 +52872,7 @@ func schema_k8sio_api_resource_v1beta2_AllocatedDeviceStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.NetworkDeviceData", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			resourcev1beta2.NetworkDeviceData{}.OpenAPIModelName(), metav1.Condition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -52646,26 +52887,26 @@ func schema_k8sio_api_resource_v1beta2_AllocationResult(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices is the result of allocating devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.DeviceAllocationResult"),
+							Ref:         ref(resourcev1beta2.DeviceAllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allocationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AllocationTimestamp stores the time when the resources were allocated. This field is not guaranteed to be set, in which case that time is unknown.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gate.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta2.DeviceAllocationResult", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta2.DeviceAllocationResult{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -52701,7 +52942,7 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequestPolicy(ref common.Referenc
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Default specifies how much of this capacity is consumed by a request that does not contain an entry for it in DeviceRequest's Capacity.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"validValues": {
@@ -52716,7 +52957,7 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequestPolicy(ref common.Referenc
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52725,14 +52966,14 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequestPolicy(ref common.Referenc
 					"validRange": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ValidRange defines an acceptable quantity value range in consuming requests.\n\nIf this field is set, Default must be defined and it must fall within the defined ValidRange.\n\nIf the requested amount does not fall within the defined range, the request violates the policy, and this device cannot be allocated.\n\nIf the request doesn't contain this capacity entry, Default value is used.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.CapacityRequestPolicyRange"),
+							Ref:         ref(resourcev1beta2.CapacityRequestPolicyRange{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.CapacityRequestPolicyRange", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta2.CapacityRequestPolicyRange{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -52746,19 +52987,19 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequestPolicyRange(ref common.Ref
 					"min": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Min specifies the minimum capacity allowed for a consumption request.\n\nMin must be greater than or equal to zero, and less than or equal to the capacity value. requestPolicy.default must be more than or equal to the minimum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"max": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Max defines the upper limit for capacity that can be requested.\n\nMax must be less than or equal to the capacity value. Min and requestPolicy.default must be less than or equal to the maximum.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"step": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Step defines the step size between valid capacity amounts within the range.\n\nMax (if set) and requestPolicy.default must be a multiple of Step. Min + Step must be less than or equal to the capacity value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52766,7 +53007,7 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequestPolicyRange(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -52785,7 +53026,7 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequirements(ref common.Reference
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52795,7 +53036,7 @@ func schema_k8sio_api_resource_v1beta2_CapacityRequirements(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -52809,7 +53050,7 @@ func schema_k8sio_api_resource_v1beta2_Counter(ref common.ReferenceCallback) com
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain device counter is available.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -52817,7 +53058,7 @@ func schema_k8sio_api_resource_v1beta2_Counter(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -52825,7 +53066,7 @@ func schema_k8sio_api_resource_v1beta2_CounterSet(ref common.ReferenceCallback)
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+				Description: "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"name": {
@@ -52838,14 +53079,14 @@ func schema_k8sio_api_resource_v1beta2_CounterSet(ref common.ReferenceCallback)
 					},
 					"counters": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+							Description: "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.Counter"),
+										Ref:     ref(resourcev1beta2.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52856,7 +53097,7 @@ func schema_k8sio_api_resource_v1beta2_CounterSet(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.Counter"},
+			resourcev1beta2.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -52884,7 +53125,7 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceAttribute"),
+										Ref:     ref(resourcev1beta2.DeviceAttribute{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52899,7 +53140,7 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceCapacity"),
+										Ref:     ref(resourcev1beta2.DeviceCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52912,13 +53153,13 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+							Description: "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceCounterConsumption"),
+										Ref:     ref(resourcev1beta2.DeviceCounterConsumption{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -52934,7 +53175,7 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -52951,13 +53192,13 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceTaint"),
+										Ref:     ref(resourcev1beta2.DeviceTaint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53022,7 +53263,7 @@ func schema_k8sio_api_resource_v1beta2_Device(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta2.DeviceAttribute", "k8s.io/api/resource/v1beta2.DeviceCapacity", "k8s.io/api/resource/v1beta2.DeviceCounterConsumption", "k8s.io/api/resource/v1beta2.DeviceTaint"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta2.DeviceAttribute{}.OpenAPIModelName(), resourcev1beta2.DeviceCapacity{}.OpenAPIModelName(), resourcev1beta2.DeviceCounterConsumption{}.OpenAPIModelName(), resourcev1beta2.DeviceTaint{}.OpenAPIModelName()},
 	}
 }
 
@@ -53035,10 +53276,11 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationConfiguration(ref common.
 				Properties: map[string]spec.Schema{
 					"source": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.",
+							Description: "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.\n\n\nPossible enum values:\n - `\"FromClaim\"`\n - `\"FromClass\"`",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"FromClaim", "FromClass"},
 						},
 					},
 					"requests": {
@@ -53064,7 +53306,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationConfiguration(ref common.
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -53072,7 +53314,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationConfiguration(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"},
+			resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -53096,7 +53338,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationResult(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceRequestAllocationResult"),
+										Ref:     ref(resourcev1beta2.DeviceRequestAllocationResult{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53115,7 +53357,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationResult(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceAllocationConfiguration"),
+										Ref:     ref(resourcev1beta2.DeviceAllocationConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53125,7 +53367,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceAllocationResult(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceAllocationConfiguration", "k8s.io/api/resource/v1beta2.DeviceRequestAllocationResult"},
+			resourcev1beta2.DeviceAllocationConfiguration{}.OpenAPIModelName(), resourcev1beta2.DeviceRequestAllocationResult{}.OpenAPIModelName()},
 	}
 }
 
@@ -53180,13 +53422,13 @@ func schema_k8sio_api_resource_v1beta2_DeviceCapacity(ref common.ReferenceCallba
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Value defines how much of a certain capacity that device has.\n\nThis field reflects the fixed total capacity and does not change. The consumed amount is tracked separately by scheduler and does not affect this value.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"requestPolicy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RequestPolicy defines how this DeviceCapacity must be consumed when the device is allowed to be shared by multiple allocations.\n\nThe Device must have allowMultipleAllocations set to true in order to set a requestPolicy.\n\nIf unset, capacity requests are unconstrained: requests can consume any amount of capacity, as long as the total consumed across all allocations does not exceed the device's defined capacity. If request is also unset, default is the full capacity value.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.CapacityRequestPolicy"),
+							Ref:         ref(resourcev1beta2.CapacityRequestPolicy{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -53194,7 +53436,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceCapacity(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.CapacityRequestPolicy", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta2.CapacityRequestPolicy{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -53218,7 +53460,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceRequest"),
+										Ref:     ref(resourcev1beta2.DeviceRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53237,7 +53479,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceConstraint"),
+										Ref:     ref(resourcev1beta2.DeviceConstraint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53256,7 +53498,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClaim(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceClaimConfiguration"),
+										Ref:     ref(resourcev1beta2.DeviceClaimConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53266,7 +53508,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClaim(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceClaimConfiguration", "k8s.io/api/resource/v1beta2.DeviceConstraint", "k8s.io/api/resource/v1beta2.DeviceRequest"},
+			resourcev1beta2.DeviceClaimConfiguration{}.OpenAPIModelName(), resourcev1beta2.DeviceConstraint{}.OpenAPIModelName(), resourcev1beta2.DeviceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -53300,14 +53542,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceClaimConfiguration(ref common.Refer
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"},
+			resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -53336,14 +53578,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceClass(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.DeviceClassSpec"),
+							Ref:         ref(resourcev1beta2.DeviceClassSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -53351,7 +53593,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClass(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceClassSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta2.DeviceClassSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -53365,14 +53607,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassConfiguration(ref common.Refer
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"},
+			resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -53401,7 +53643,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -53412,7 +53654,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceClass"),
+										Ref:     ref(resourcev1beta2.DeviceClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53423,7 +53665,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta2.DeviceClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -53447,7 +53689,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassSpec(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceSelector"),
+										Ref:     ref(resourcev1beta2.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53466,7 +53708,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassSpec(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceClassConfiguration"),
+										Ref:     ref(resourcev1beta2.DeviceClassConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53483,7 +53725,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceClassSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceClassConfiguration", "k8s.io/api/resource/v1beta2.DeviceSelector"},
+			resourcev1beta2.DeviceClassConfiguration{}.OpenAPIModelName(), resourcev1beta2.DeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -53497,14 +53739,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceConfiguration(ref common.ReferenceC
 					"opaque": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Opaque provides driver-specific configuration parameters.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"),
+							Ref:         ref(resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.OpaqueDeviceConfiguration"},
+			resourcev1beta2.OpaqueDeviceConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -53572,14 +53814,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceCounterConsumption(ref common.Refer
 					},
 					"counters": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+							Description: "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 							Type:        []string{"object"},
 							AdditionalProperties: &spec.SchemaOrBool{
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.Counter"),
+										Ref:     ref(resourcev1beta2.Counter{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53590,7 +53832,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceCounterConsumption(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.Counter"},
+			resourcev1beta2.Counter{}.OpenAPIModelName()},
 	}
 }
 
@@ -53612,7 +53854,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequest(ref common.ReferenceCallbac
 					"exactly": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Exactly specifies the details for a single request that must be met exactly for the request to be satisfied.\n\nOne of Exactly or FirstAvailable must be set.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.ExactDeviceRequest"),
+							Ref:         ref(resourcev1beta2.ExactDeviceRequest{}.OpenAPIModelName()),
 						},
 					},
 					"firstAvailable": {
@@ -53628,7 +53870,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequest(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceSubRequest"),
+										Ref:     ref(resourcev1beta2.DeviceSubRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53639,7 +53881,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequest(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceSubRequest", "k8s.io/api/resource/v1beta2.ExactDeviceRequest"},
+			resourcev1beta2.DeviceSubRequest{}.OpenAPIModelName(), resourcev1beta2.ExactDeviceRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -53660,7 +53902,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref common.
 					},
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -53702,7 +53944,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceToleration"),
+										Ref:     ref(resourcev1beta2.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53763,7 +54005,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref common.
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53774,7 +54016,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceRequestAllocationResult(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceToleration", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resourcev1beta2.DeviceToleration{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -53788,14 +54030,14 @@ func schema_k8sio_api_resource_v1beta2_DeviceSelector(ref common.ReferenceCallba
 					"cel": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CEL contains a CEL expression for selecting a device.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.CELDeviceSelector"),
+							Ref:         ref(resourcev1beta2.CELDeviceSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.CELDeviceSelector"},
+			resourcev1beta2.CELDeviceSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -53835,7 +54077,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceSelector"),
+										Ref:     ref(resourcev1beta2.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53843,9 +54085,10 @@ func schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref common.ReferenceCall
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -53868,7 +54111,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceToleration"),
+										Ref:     ref(resourcev1beta2.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -53877,7 +54120,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref common.ReferenceCall
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.CapacityRequirements"),
+							Ref:         ref(resourcev1beta2.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -53885,7 +54128,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceSubRequest(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.CapacityRequirements", "k8s.io/api/resource/v1beta2.DeviceSelector", "k8s.io/api/resource/v1beta2.DeviceToleration"},
+			resourcev1beta2.CapacityRequirements{}.OpenAPIModelName(), resourcev1beta2.DeviceSelector{}.OpenAPIModelName(), resourcev1beta2.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -53913,17 +54156,17 @@ func schema_k8sio_api_resource_v1beta2_DeviceTaint(ref common.ReferenceCallback)
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"timeAdded": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -53931,7 +54174,7 @@ func schema_k8sio_api_resource_v1beta2_DeviceTaint(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -53967,10 +54210,10 @@ func schema_k8sio_api_resource_v1beta2_DeviceToleration(ref common.ReferenceCall
 					},
 					"effect": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.\n - `\"None\"` No effect, the taint is purely informational.",
 							Type:        []string{"string"},
 							Format:      "",
-							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+							Enum:        []interface{}{"NoExecute", "NoSchedule", "None"},
 						},
 					},
 					"tolerationSeconds": {
@@ -54014,7 +54257,7 @@ func schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceSelector"),
+										Ref:     ref(resourcev1beta2.DeviceSelector{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54022,9 +54265,10 @@ func schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref common.ReferenceCa
 					},
 					"allocationMode": {
 						SchemaProps: spec.SchemaProps{
-							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
+							Description: "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  At least one device must exist on the node for the allocation to succeed.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.\n\n\nPossible enum values:\n - `\"All\"`\n - `\"ExactCount\"`",
 							Type:        []string{"string"},
 							Format:      "",
+							Enum:        []interface{}{"All", "ExactCount"},
 						},
 					},
 					"count": {
@@ -54054,7 +54298,7 @@ func schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref common.ReferenceCa
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.DeviceToleration"),
+										Ref:     ref(resourcev1beta2.DeviceToleration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54063,7 +54307,7 @@ func schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref common.ReferenceCa
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Capacity define resource requirements against each capacity.\n\nIf this field is unset and the device supports multiple allocations, the default value will be applied to each capacity according to requestPolicy. For the capacity that has no requestPolicy, default is the full capacity value.\n\nApplies to each device allocation. If Count > 1, the request fails if there aren't enough devices that meet the requirements. If AllocationMode is set to All, the request fails if there are devices that otherwise match the request, and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.CapacityRequirements"),
+							Ref:         ref(resourcev1beta2.CapacityRequirements{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54071,7 +54315,7 @@ func schema_k8sio_api_resource_v1beta2_ExactDeviceRequest(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.CapacityRequirements", "k8s.io/api/resource/v1beta2.DeviceSelector", "k8s.io/api/resource/v1beta2.DeviceToleration"},
+			resourcev1beta2.CapacityRequirements{}.OpenAPIModelName(), resourcev1beta2.DeviceSelector{}.OpenAPIModelName(), resourcev1beta2.DeviceToleration{}.OpenAPIModelName()},
 	}
 }
 
@@ -54131,7 +54375,7 @@ func schema_k8sio_api_resource_v1beta2_OpaqueDeviceConfiguration(ref common.Refe
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+							Description: "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -54140,7 +54384,7 @@ func schema_k8sio_api_resource_v1beta2_OpaqueDeviceConfiguration(ref common.Refe
 					"parameters": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54148,7 +54392,7 @@ func schema_k8sio_api_resource_v1beta2_OpaqueDeviceConfiguration(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -54177,21 +54421,21 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaim(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec describes what is being requested and how to configure it. The spec is immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourceClaimSpec"),
+							Ref:         ref(resourcev1beta2.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status describes whether the claim is ready to use and what has been allocated.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourceClaimStatus"),
+							Ref:         ref(resourcev1beta2.ResourceClaimStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54199,7 +54443,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaim(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceClaimSpec", "k8s.io/api/resource/v1beta2.ResourceClaimStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta2.ResourceClaimSpec{}.OpenAPIModelName(), resourcev1beta2.ResourceClaimStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54273,7 +54517,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -54284,7 +54528,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.ResourceClaim"),
+										Ref:     ref(resourcev1beta2.ResourceClaim{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54295,7 +54539,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceClaim", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta2.ResourceClaim{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54310,14 +54554,14 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Devices defines how to request devices.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.DeviceClaim"),
+							Ref:         ref(resourcev1beta2.DeviceClaim{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.DeviceClaim"},
+			resourcev1beta2.DeviceClaim{}.OpenAPIModelName()},
 	}
 }
 
@@ -54331,7 +54575,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref common.ReferenceC
 					"allocation": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Allocation is set once the claim has been allocated successfully.",
-							Ref:         ref("k8s.io/api/resource/v1beta2.AllocationResult"),
+							Ref:         ref(resourcev1beta2.AllocationResult{}.OpenAPIModelName()),
 						},
 					},
 					"reservedFor": {
@@ -54352,7 +54596,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.ResourceClaimConsumerReference"),
+										Ref:     ref(resourcev1beta2.ResourceClaimConsumerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54377,7 +54621,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.AllocatedDeviceStatus"),
+										Ref:     ref(resourcev1beta2.AllocatedDeviceStatus{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54387,7 +54631,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimStatus(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.AllocatedDeviceStatus", "k8s.io/api/resource/v1beta2.AllocationResult", "k8s.io/api/resource/v1beta2.ResourceClaimConsumerReference"},
+			resourcev1beta2.AllocatedDeviceStatus{}.OpenAPIModelName(), resourcev1beta2.AllocationResult{}.OpenAPIModelName(), resourcev1beta2.ResourceClaimConsumerReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -54416,14 +54660,14 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplate(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourceClaimTemplateSpec"),
+							Ref:         ref(resourcev1beta2.ResourceClaimTemplateSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54431,7 +54675,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplate(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceClaimTemplateSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta2.ResourceClaimTemplateSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54460,7 +54704,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -54471,7 +54715,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.ResourceClaimTemplate"),
+										Ref:     ref(resourcev1beta2.ResourceClaimTemplate{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54482,7 +54726,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceClaimTemplate", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta2.ResourceClaimTemplate{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54497,14 +54741,14 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateSpec(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourceClaimSpec"),
+							Ref:         ref(resourcev1beta2.ResourceClaimSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54512,7 +54756,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceClaimTemplateSpec(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceClaimSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta2.ResourceClaimSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54579,14 +54823,14 @@ func schema_k8sio_api_resource_v1beta2_ResourceSlice(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourceSliceSpec"),
+							Ref:         ref(resourcev1beta2.ResourceSliceSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -54594,7 +54838,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSlice(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceSliceSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resourcev1beta2.ResourceSliceSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54623,7 +54867,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceList(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -54634,7 +54878,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceList(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.ResourceSlice"),
+										Ref:     ref(resourcev1beta2.ResourceSlice{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54645,7 +54889,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceList(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta2.ResourceSlice", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			resourcev1beta2.ResourceSlice{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54658,7 +54902,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 				Properties: map[string]spec.Schema{
 					"driver": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+							Description: "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
@@ -54668,7 +54912,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Pool describes the pool that this ResourceSlice belongs to.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/resource/v1beta2.ResourcePool"),
+							Ref:         ref(resourcev1beta2.ResourcePool{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -54681,7 +54925,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 					"nodeSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-							Ref:         ref("k8s.io/api/core/v1.NodeSelector"),
+							Ref:         ref(corev1.NodeSelector{}.OpenAPIModelName()),
 						},
 					},
 					"allNodes": {
@@ -54698,13 +54942,13 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+							Description: "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.Device"),
+										Ref:     ref(resourcev1beta2.Device{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54724,13 +54968,13 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 							},
 						},
 						SchemaProps: spec.SchemaProps{
-							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+							Description: "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/resource/v1beta2.CounterSet"),
+										Ref:     ref(resourcev1beta2.CounterSet{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54741,7 +54985,7 @@ func schema_k8sio_api_resource_v1beta2_ResourceSliceSpec(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeSelector", "k8s.io/api/resource/v1beta2.CounterSet", "k8s.io/api/resource/v1beta2.Device", "k8s.io/api/resource/v1beta2.ResourcePool"},
+			corev1.NodeSelector{}.OpenAPIModelName(), resourcev1beta2.CounterSet{}.OpenAPIModelName(), resourcev1beta2.Device{}.OpenAPIModelName(), resourcev1beta2.ResourcePool{}.OpenAPIModelName()},
 	}
 }
 
@@ -54770,7 +55014,7 @@ func schema_k8sio_api_scheduling_v1_PriorityClass(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"value": {
@@ -54808,7 +55052,7 @@ func schema_k8sio_api_scheduling_v1_PriorityClass(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54837,7 +55081,7 @@ func schema_k8sio_api_scheduling_v1_PriorityClassList(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -54848,7 +55092,7 @@ func schema_k8sio_api_scheduling_v1_PriorityClassList(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/scheduling/v1.PriorityClass"),
+										Ref:     ref(schedulingv1.PriorityClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54859,7 +55103,98 @@ func schema_k8sio_api_scheduling_v1_PriorityClassList(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/scheduling/v1.PriorityClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			schedulingv1.PriorityClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1alpha1_BasicSchedulingPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "BasicSchedulingPolicy indicates that standard Kubernetes scheduling behavior should be used.",
+				Type:        []string{"object"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1alpha1_GangSchedulingPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "GangSchedulingPolicy defines the parameters for gang scheduling.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"minCount": {
+						SchemaProps: spec.SchemaProps{
+							Description: "MinCount is the minimum number of pods that must be schedulable or scheduled at the same time for the scheduler to admit the entire group. It must be a positive integer.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+				Required: []string{"minCount"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1alpha1_PodGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "PodGroup represents a set of pods with a common scheduling policy.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Name is a unique identifier for the PodGroup within the Workload. It must be a DNS label. This field is immutable.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"policy": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Policy defines the scheduling policy for this PodGroup.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(schedulingv1alpha1.PodGroupPolicy{}.OpenAPIModelName()),
+						},
+					},
+				},
+				Required: []string{"name", "policy"},
+			},
+		},
+		Dependencies: []string{
+			schedulingv1alpha1.PodGroupPolicy{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1alpha1_PodGroupPolicy(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "PodGroupPolicy defines the scheduling configuration for a PodGroup.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"basic": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Basic specifies that the pods in this group should be scheduled using standard Kubernetes scheduling behavior.",
+							Ref:         ref(schedulingv1alpha1.BasicSchedulingPolicy{}.OpenAPIModelName()),
+						},
+					},
+					"gang": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Gang specifies that the pods in this group should be scheduled using all-or-nothing semantics.",
+							Ref:         ref(schedulingv1alpha1.GangSchedulingPolicy{}.OpenAPIModelName()),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			schedulingv1alpha1.BasicSchedulingPolicy{}.OpenAPIModelName(), schedulingv1alpha1.GangSchedulingPolicy{}.OpenAPIModelName()},
 	}
 }
 
@@ -54888,7 +55223,7 @@ func schema_k8sio_api_scheduling_v1alpha1_PriorityClass(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"value": {
@@ -54926,7 +55261,7 @@ func schema_k8sio_api_scheduling_v1alpha1_PriorityClass(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -54955,7 +55290,7 @@ func schema_k8sio_api_scheduling_v1alpha1_PriorityClassList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -54966,7 +55301,7 @@ func schema_k8sio_api_scheduling_v1alpha1_PriorityClassList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/scheduling/v1alpha1.PriorityClass"),
+										Ref:     ref(schedulingv1alpha1.PriorityClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -54977,82 +55312,96 @@ func schema_k8sio_api_scheduling_v1alpha1_PriorityClassList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/scheduling/v1alpha1.PriorityClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			schedulingv1alpha1.PriorityClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_scheduling_v1beta1_PriorityClass(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_scheduling_v1alpha1_TypedLocalObjectReference(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass. PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.",
+				Description: "TypedLocalObjectReference allows to reference typed object inside the same namespace.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
-					"kind": {
+					"apiGroup": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Description: "APIGroup is the group for the resource being referenced. If APIGroup is empty, the specified Kind must be in the core API group. For any other third-party types, setting APIGroup is required. It must be a DNS subdomain.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"apiVersion": {
+					"kind": {
 						SchemaProps: spec.SchemaProps{
-							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Description: "Kind is the type of resource being referenced. It must be a path segment name.",
+							Default:     "",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"metadata": {
+					"name": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Description: "Name is the name of resource being referenced. It must be a path segment name.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
 						},
 					},
-					"value": {
+				},
+				Required: []string{"kind", "name"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1alpha1_Workload(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Workload allows for expressing scheduling constraints that should be used when managing lifecycle of workloads from scheduling perspective, including scheduling, preemption, eviction and other phases.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
 						SchemaProps: spec.SchemaProps{
-							Description: "value represents the integer value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.",
-							Default:     0,
-							Type:        []string{"integer"},
-							Format:      "int32",
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
 						},
 					},
-					"globalDefault": {
+					"apiVersion": {
 						SchemaProps: spec.SchemaProps{
-							Description: "globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.",
-							Type:        []string{"boolean"},
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
-					"description": {
+					"metadata": {
 						SchemaProps: spec.SchemaProps{
-							Description: "description is an arbitrary string that usually provides guidelines on when this priority class should be used.",
-							Type:        []string{"string"},
-							Format:      "",
+							Description: "Standard object's metadata. Name must be a DNS subdomain.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
-					"preemptionPolicy": {
+					"spec": {
 						SchemaProps: spec.SchemaProps{
-							Description: "preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.",
-							Type:        []string{"string"},
-							Format:      "",
-							Enum:        []interface{}{"Never", "PreemptLowerPriority"},
+							Description: "Spec defines the desired behavior of a Workload.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(schedulingv1alpha1.WorkloadSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
-				Required: []string{"value"},
+				Required: []string{"spec"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			schedulingv1alpha1.WorkloadSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_scheduling_v1alpha1_WorkloadList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "PriorityClassList is a collection of priority classes.",
+				Description: "WorkloadList contains a list of Workload resources.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -55071,20 +55420,20 @@ func schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref common.ReferenceC
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Description: "items is the list of PriorityClasses",
+							Description: "Items is the list of Workloads.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/scheduling/v1beta1.PriorityClass"),
+										Ref:     ref(schedulingv1alpha1.Workload{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55095,15 +55444,59 @@ func schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/scheduling/v1beta1.PriorityClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			schedulingv1alpha1.Workload{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_storage_v1_CSIDriver(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_scheduling_v1alpha1_WorkloadSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.",
+				Description: "WorkloadSpec defines the desired state of a Workload.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"controllerRef": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ControllerRef is an optional reference to the controlling object, such as a Deployment or Job. This field is intended for use by tools like CLIs to provide a link back to the original workload definition. When set, it cannot be changed.",
+							Ref:         ref(schedulingv1alpha1.TypedLocalObjectReference{}.OpenAPIModelName()),
+						},
+					},
+					"podGroups": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"name",
+								},
+								"x-kubernetes-list-type": "map",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "PodGroups is the list of pod groups that make up the Workload. The maximum number of pod groups is 8. This field is immutable.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(schedulingv1alpha1.PodGroup{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"podGroups"},
+			},
+		},
+		Dependencies: []string{
+			schedulingv1alpha1.PodGroup{}.OpenAPIModelName(), schedulingv1alpha1.TypedLocalObjectReference{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_scheduling_v1beta1_PriorityClass(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass. PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -55122,32 +55515,55 @@ func schema_k8sio_api_storage_v1_CSIDriver(ref common.ReferenceCallback) common.
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
-					"spec": {
+					"value": {
 						SchemaProps: spec.SchemaProps{
-							Description: "spec represents the specification of the CSI Driver.",
-							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1.CSIDriverSpec"),
+							Description: "value represents the integer value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+					"globalDefault": {
+						SchemaProps: spec.SchemaProps{
+							Description: "globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"description": {
+						SchemaProps: spec.SchemaProps{
+							Description: "description is an arbitrary string that usually provides guidelines on when this priority class should be used.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"preemptionPolicy": {
+						SchemaProps: spec.SchemaProps{
+							Description: "preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"Never", "PreemptLowerPriority"},
 						},
 					},
 				},
-				Required: []string{"spec"},
+				Required: []string{"value"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSIDriverSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_storage_v1_CSIDriverList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_scheduling_v1beta1_PriorityClassList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "CSIDriverList is a collection of CSIDriver objects.",
+				Description: "PriorityClassList is a collection of priority classes.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
@@ -55168,7 +55584,102 @@ func schema_k8sio_api_storage_v1_CSIDriverList(ref common.ReferenceCallback) com
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Description: "items is the list of PriorityClasses",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(schedulingv1beta1.PriorityClass{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			schedulingv1beta1.PriorityClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_storage_v1_CSIDriver(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "spec represents the specification of the CSI Driver.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(storagev1.CSIDriverSpec{}.OpenAPIModelName()),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			storagev1.CSIDriverSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_api_storage_v1_CSIDriverList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "CSIDriverList is a collection of CSIDriver objects.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -55179,7 +55690,7 @@ func schema_k8sio_api_storage_v1_CSIDriverList(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.CSIDriver"),
+										Ref:     ref(storagev1.CSIDriver{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55190,7 +55701,7 @@ func schema_k8sio_api_storage_v1_CSIDriverList(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSIDriver", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.CSIDriver{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55262,7 +55773,7 @@ func schema_k8sio_api_storage_v1_CSIDriverSpec(ref common.ReferenceCallback) com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.TokenRequest"),
+										Ref:     ref(storagev1.TokenRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55289,11 +55800,18 @@ func schema_k8sio_api_storage_v1_CSIDriverSpec(ref common.ReferenceCallback) com
 							Format:      "int64",
 						},
 					},
+					"serviceAccountTokenInSecrets": {
+						SchemaProps: spec.SchemaProps{
+							Description: "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.TokenRequest"},
+			storagev1.TokenRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -55322,14 +55840,14 @@ func schema_k8sio_api_storage_v1_CSINode(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. metadata.name must be the Kubernetes node name.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the specification of CSINode",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1.CSINodeSpec"),
+							Ref:         ref(storagev1.CSINodeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -55337,7 +55855,7 @@ func schema_k8sio_api_storage_v1_CSINode(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSINodeSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1.CSINodeSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55387,7 +55905,7 @@ func schema_k8sio_api_storage_v1_CSINodeDriver(ref common.ReferenceCallback) com
 					"allocatable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "allocatable represents the volume resources of a node that are available for scheduling. This field is beta.",
-							Ref:         ref("k8s.io/api/storage/v1.VolumeNodeResources"),
+							Ref:         ref(storagev1.VolumeNodeResources{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -55395,7 +55913,7 @@ func schema_k8sio_api_storage_v1_CSINodeDriver(ref common.ReferenceCallback) com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeNodeResources"},
+			storagev1.VolumeNodeResources{}.OpenAPIModelName()},
 	}
 }
 
@@ -55424,7 +55942,7 @@ func schema_k8sio_api_storage_v1_CSINodeList(ref common.ReferenceCallback) commo
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -55435,7 +55953,7 @@ func schema_k8sio_api_storage_v1_CSINodeList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.CSINode"),
+										Ref:     ref(storagev1.CSINode{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55446,7 +55964,7 @@ func schema_k8sio_api_storage_v1_CSINodeList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSINode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.CSINode{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55475,7 +55993,7 @@ func schema_k8sio_api_storage_v1_CSINodeSpec(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.CSINodeDriver"),
+										Ref:     ref(storagev1.CSINodeDriver{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55486,7 +56004,7 @@ func schema_k8sio_api_storage_v1_CSINodeSpec(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSINodeDriver"},
+			storagev1.CSINodeDriver{}.OpenAPIModelName()},
 	}
 }
 
@@ -55515,13 +56033,13 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacity(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"nodeTopology": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"storageClassName": {
@@ -55535,13 +56053,13 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacity(ref common.ReferenceCallback
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"maximumVolumeSize": {
 						SchemaProps: spec.SchemaProps{
 							Description: "maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -55549,7 +56067,7 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacity(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55578,7 +56096,7 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacityList(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -55589,7 +56107,7 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacityList(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.CSIStorageCapacity"),
+										Ref:     ref(storagev1.CSIStorageCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55600,7 +56118,7 @@ func schema_k8sio_api_storage_v1_CSIStorageCapacityList(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.CSIStorageCapacity", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.CSIStorageCapacity{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55629,7 +56147,7 @@ func schema_k8sio_api_storage_v1_StorageClass(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"provisioner": {
@@ -55712,7 +56230,7 @@ func schema_k8sio_api_storage_v1_StorageClass(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.TopologySelectorTerm"),
+										Ref:     ref(corev1.TopologySelectorTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55723,7 +56241,7 @@ func schema_k8sio_api_storage_v1_StorageClass(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TopologySelectorTerm", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.TopologySelectorTerm{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55752,7 +56270,7 @@ func schema_k8sio_api_storage_v1_StorageClassList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -55763,7 +56281,7 @@ func schema_k8sio_api_storage_v1_StorageClassList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.StorageClass"),
+										Ref:     ref(storagev1.StorageClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55774,7 +56292,7 @@ func schema_k8sio_api_storage_v1_StorageClassList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.StorageClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.StorageClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55832,21 +56350,21 @@ func schema_k8sio_api_storage_v1_VolumeAttachment(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1.VolumeAttachmentSpec"),
+							Ref:         ref(storagev1.VolumeAttachmentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1.VolumeAttachmentStatus"),
+							Ref:         ref(storagev1.VolumeAttachmentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -55854,7 +56372,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachment(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeAttachmentSpec", "k8s.io/api/storage/v1.VolumeAttachmentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1.VolumeAttachmentSpec{}.OpenAPIModelName(), storagev1.VolumeAttachmentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55883,7 +56401,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentList(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -55894,7 +56412,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentList(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.VolumeAttachment"),
+										Ref:     ref(storagev1.VolumeAttachment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -55905,7 +56423,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentList(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeAttachment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.VolumeAttachment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -55926,14 +56444,14 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentSource(ref common.ReferenceCall
 					"inlineVolumeSpec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeSpec"),
+							Ref:         ref(corev1.PersistentVolumeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeSpec"},
+			corev1.PersistentVolumeSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -55956,7 +56474,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentSpec(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "source represents the volume that should be attached.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1.VolumeAttachmentSource"),
+							Ref:         ref(storagev1.VolumeAttachmentSource{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -55972,7 +56490,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentSpec(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeAttachmentSource"},
+			storagev1.VolumeAttachmentSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -56010,13 +56528,13 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentStatus(ref common.ReferenceCall
 					"attachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1.VolumeError"),
+							Ref:         ref(storagev1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 					"detachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1.VolumeError"),
+							Ref:         ref(storagev1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56024,7 +56542,7 @@ func schema_k8sio_api_storage_v1_VolumeAttachmentStatus(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeError"},
+			storagev1.VolumeError{}.OpenAPIModelName()},
 	}
 }
 
@@ -56053,7 +56571,7 @@ func schema_k8sio_api_storage_v1_VolumeAttributesClass(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"driverName": {
@@ -56085,7 +56603,7 @@ func schema_k8sio_api_storage_v1_VolumeAttributesClass(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56114,7 +56632,7 @@ func schema_k8sio_api_storage_v1_VolumeAttributesClassList(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -56125,7 +56643,7 @@ func schema_k8sio_api_storage_v1_VolumeAttributesClassList(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1.VolumeAttributesClass"),
+										Ref:     ref(storagev1.VolumeAttributesClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56136,7 +56654,7 @@ func schema_k8sio_api_storage_v1_VolumeAttributesClassList(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1.VolumeAttributesClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1.VolumeAttributesClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56150,7 +56668,7 @@ func schema_k8sio_api_storage_v1_VolumeError(ref common.ReferenceCallback) commo
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "time represents the time the error was encountered.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"message": {
@@ -56171,7 +56689,7 @@ func schema_k8sio_api_storage_v1_VolumeError(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -56220,13 +56738,13 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacity(ref common.ReferenceCa
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"nodeTopology": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"storageClassName": {
@@ -56240,13 +56758,13 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacity(ref common.ReferenceCa
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"maximumVolumeSize": {
 						SchemaProps: spec.SchemaProps{
 							Description: "maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56254,7 +56772,7 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacity(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56283,7 +56801,7 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacityList(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -56294,7 +56812,7 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacityList(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1alpha1.CSIStorageCapacity"),
+										Ref:     ref(storagev1alpha1.CSIStorageCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56305,7 +56823,7 @@ func schema_k8sio_api_storage_v1alpha1_CSIStorageCapacityList(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.CSIStorageCapacity", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1alpha1.CSIStorageCapacity{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56334,21 +56852,21 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachment(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1alpha1.VolumeAttachmentSpec"),
+							Ref:         ref(storagev1alpha1.VolumeAttachmentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1alpha1.VolumeAttachmentStatus"),
+							Ref:         ref(storagev1alpha1.VolumeAttachmentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56356,7 +56874,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachment(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.VolumeAttachmentSpec", "k8s.io/api/storage/v1alpha1.VolumeAttachmentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1alpha1.VolumeAttachmentSpec{}.OpenAPIModelName(), storagev1alpha1.VolumeAttachmentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56385,7 +56903,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -56396,7 +56914,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1alpha1.VolumeAttachment"),
+										Ref:     ref(storagev1alpha1.VolumeAttachment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56407,7 +56925,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.VolumeAttachment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1alpha1.VolumeAttachment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56428,14 +56946,14 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSource(ref common.Referen
 					"inlineVolumeSpec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is alpha-level and is only honored by servers that enabled the CSIMigration feature.",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeSpec"),
+							Ref:         ref(corev1.PersistentVolumeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeSpec"},
+			corev1.PersistentVolumeSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -56458,7 +56976,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSpec(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "source represents the volume that should be attached.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1alpha1.VolumeAttachmentSource"),
+							Ref:         ref(storagev1alpha1.VolumeAttachmentSource{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -56474,7 +56992,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentSpec(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.VolumeAttachmentSource"},
+			storagev1alpha1.VolumeAttachmentSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -56512,13 +57030,13 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentStatus(ref common.Referen
 					"attachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1alpha1.VolumeError"),
+							Ref:         ref(storagev1alpha1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 					"detachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1alpha1.VolumeError"),
+							Ref:         ref(storagev1alpha1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56526,7 +57044,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttachmentStatus(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.VolumeError"},
+			storagev1alpha1.VolumeError{}.OpenAPIModelName()},
 	}
 }
 
@@ -56555,7 +57073,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttributesClass(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"driverName": {
@@ -56587,7 +57105,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttributesClass(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56616,7 +57134,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttributesClassList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -56627,7 +57145,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttributesClassList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1alpha1.VolumeAttributesClass"),
+										Ref:     ref(storagev1alpha1.VolumeAttributesClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56638,7 +57156,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeAttributesClassList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1alpha1.VolumeAttributesClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1alpha1.VolumeAttributesClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56652,7 +57170,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeError(ref common.ReferenceCallback)
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "time represents the time the error was encountered.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"message": {
@@ -56673,7 +57191,7 @@ func schema_k8sio_api_storage_v1alpha1_VolumeError(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -56702,14 +57220,14 @@ func schema_k8sio_api_storage_v1beta1_CSIDriver(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents the specification of the CSI Driver.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1beta1.CSIDriverSpec"),
+							Ref:         ref(storagev1beta1.CSIDriverSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56717,7 +57235,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriver(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSIDriverSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1beta1.CSIDriverSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56746,7 +57264,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -56757,7 +57275,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.CSIDriver"),
+										Ref:     ref(storagev1beta1.CSIDriver{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56768,7 +57286,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSIDriver", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.CSIDriver{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56840,7 +57358,7 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverSpec(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.TokenRequest"),
+										Ref:     ref(storagev1beta1.TokenRequest{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -56867,11 +57385,18 @@ func schema_k8sio_api_storage_v1beta1_CSIDriverSpec(ref common.ReferenceCallback
 							Format:      "int64",
 						},
 					},
+					"serviceAccountTokenInSecrets": {
+						SchemaProps: spec.SchemaProps{
+							Description: "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.TokenRequest"},
+			storagev1beta1.TokenRequest{}.OpenAPIModelName()},
 	}
 }
 
@@ -56900,14 +57425,14 @@ func schema_k8sio_api_storage_v1beta1_CSINode(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "metadata.name must be the Kubernetes node name.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec is the specification of CSINode",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1beta1.CSINodeSpec"),
+							Ref:         ref(storagev1beta1.CSINodeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56915,7 +57440,7 @@ func schema_k8sio_api_storage_v1beta1_CSINode(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSINodeSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1beta1.CSINodeSpec{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -56965,7 +57490,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeDriver(ref common.ReferenceCallback
 					"allocatable": {
 						SchemaProps: spec.SchemaProps{
 							Description: "allocatable represents the volume resources of a node that are available for scheduling.",
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeNodeResources"),
+							Ref:         ref(storagev1beta1.VolumeNodeResources{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -56973,7 +57498,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeDriver(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeNodeResources"},
+			storagev1beta1.VolumeNodeResources{}.OpenAPIModelName()},
 	}
 }
 
@@ -57002,7 +57527,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeList(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -57013,7 +57538,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.CSINode"),
+										Ref:     ref(storagev1beta1.CSINode{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57024,7 +57549,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSINode", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.CSINode{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57053,7 +57578,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeSpec(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.CSINodeDriver"),
+										Ref:     ref(storagev1beta1.CSINodeDriver{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57064,7 +57589,7 @@ func schema_k8sio_api_storage_v1beta1_CSINodeSpec(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSINodeDriver"},
+			storagev1beta1.CSINodeDriver{}.OpenAPIModelName()},
 	}
 }
 
@@ -57093,13 +57618,13 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacity(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"nodeTopology": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"storageClassName": {
@@ -57113,13 +57638,13 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacity(ref common.ReferenceCal
 					"capacity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"maximumVolumeSize": {
 						SchemaProps: spec.SchemaProps{
 							Description: "maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -57127,7 +57652,7 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacity(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57156,7 +57681,7 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacityList(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -57167,7 +57692,7 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacityList(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.CSIStorageCapacity"),
+										Ref:     ref(storagev1beta1.CSIStorageCapacity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57178,7 +57703,7 @@ func schema_k8sio_api_storage_v1beta1_CSIStorageCapacityList(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.CSIStorageCapacity", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.CSIStorageCapacity{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57207,7 +57732,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClass(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"provisioner": {
@@ -57289,7 +57814,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClass(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.TopologySelectorTerm"),
+										Ref:     ref(corev1.TopologySelectorTerm{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57300,7 +57825,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClass(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TopologySelectorTerm", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			corev1.TopologySelectorTerm{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57329,7 +57854,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClassList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -57340,7 +57865,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClassList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.StorageClass"),
+										Ref:     ref(storagev1beta1.StorageClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57351,7 +57876,7 @@ func schema_k8sio_api_storage_v1beta1_StorageClassList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.StorageClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.StorageClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57409,21 +57934,21 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachment(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeAttachmentSpec"),
+							Ref:         ref(storagev1beta1.VolumeAttachmentSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeAttachmentStatus"),
+							Ref:         ref(storagev1beta1.VolumeAttachmentStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -57431,7 +57956,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachment(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeAttachmentSpec", "k8s.io/api/storage/v1beta1.VolumeAttachmentStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagev1beta1.VolumeAttachmentSpec{}.OpenAPIModelName(), storagev1beta1.VolumeAttachmentStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57460,7 +57985,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentList(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -57471,7 +57996,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentList(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.VolumeAttachment"),
+										Ref:     ref(storagev1beta1.VolumeAttachment{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57482,7 +58007,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentList(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeAttachment", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.VolumeAttachment{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57503,14 +58028,14 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentSource(ref common.Referenc
 					"inlineVolumeSpec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.",
-							Ref:         ref("k8s.io/api/core/v1.PersistentVolumeSpec"),
+							Ref:         ref(corev1.PersistentVolumeSpec{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.PersistentVolumeSpec"},
+			corev1.PersistentVolumeSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -57533,7 +58058,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentSpec(ref common.ReferenceC
 						SchemaProps: spec.SchemaProps{
 							Description: "source represents the volume that should be attached.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeAttachmentSource"),
+							Ref:         ref(storagev1beta1.VolumeAttachmentSource{}.OpenAPIModelName()),
 						},
 					},
 					"nodeName": {
@@ -57549,7 +58074,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentSpec(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeAttachmentSource"},
+			storagev1beta1.VolumeAttachmentSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -57587,13 +58112,13 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentStatus(ref common.Referenc
 					"attachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeError"),
+							Ref:         ref(storagev1beta1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 					"detachError": {
 						SchemaProps: spec.SchemaProps{
 							Description: "detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.",
-							Ref:         ref("k8s.io/api/storage/v1beta1.VolumeError"),
+							Ref:         ref(storagev1beta1.VolumeError{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -57601,7 +58126,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttachmentStatus(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeError"},
+			storagev1beta1.VolumeError{}.OpenAPIModelName()},
 	}
 }
 
@@ -57630,7 +58155,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttributesClass(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"driverName": {
@@ -57662,7 +58187,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttributesClass(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57691,7 +58216,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttributesClassList(ref common.Refer
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -57702,7 +58227,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttributesClassList(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storage/v1beta1.VolumeAttributesClass"),
+										Ref:     ref(storagev1beta1.VolumeAttributesClass{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57713,7 +58238,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeAttributesClassList(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storage/v1beta1.VolumeAttributesClass", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagev1beta1.VolumeAttributesClass{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -57727,7 +58252,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeError(ref common.ReferenceCallback)
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "time represents the time the error was encountered.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"message": {
@@ -57748,7 +58273,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeError(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -57772,93 +58297,7 @@ func schema_k8sio_api_storage_v1beta1_VolumeNodeResources(ref common.ReferenceCa
 	}
 }
 
-func schema_k8sio_api_storagemigration_v1alpha1_GroupVersionResource(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "The names of the group, the version, and the resource.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"group": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The name of the group.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"version": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The name of the version.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"resource": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The name of the resource.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func schema_k8sio_api_storagemigration_v1alpha1_MigrationCondition(ref common.ReferenceCallback) common.OpenAPIDefinition {
-	return common.OpenAPIDefinition{
-		Schema: spec.Schema{
-			SchemaProps: spec.SchemaProps{
-				Description: "Describes the state of a migration at a certain point.",
-				Type:        []string{"object"},
-				Properties: map[string]spec.Schema{
-					"type": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Type of the condition.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"status": {
-						SchemaProps: spec.SchemaProps{
-							Description: "Status of the condition, one of True, False, Unknown.",
-							Default:     "",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"lastUpdateTime": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The last time this condition was updated.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
-						},
-					},
-					"reason": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The reason for the condition's last transition.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-					"message": {
-						SchemaProps: spec.SchemaProps{
-							Description: "A human readable message indicating details about the transition.",
-							Type:        []string{"string"},
-							Format:      "",
-						},
-					},
-				},
-				Required: []string{"type", "status"},
-			},
-		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
-	}
-}
-
-func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigration(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -57883,32 +58322,32 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigration(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the migration.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationSpec"),
+							Ref:         ref(storagemigrationv1beta1.StorageVersionMigrationSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status of the migration.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationStatus"),
+							Ref:         ref(storagemigrationv1beta1.StorageVersionMigrationStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationSpec", "k8s.io/api/storagemigration/v1alpha1.StorageVersionMigrationStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			storagemigrationv1beta1.StorageVersionMigrationSpec{}.OpenAPIModelName(), storagemigrationv1beta1.StorageVersionMigrationStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -57933,20 +58372,10 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationList(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-map-keys": []interface{}{
-									"type",
-								},
-								"x-kubernetes-list-type":       "map",
-								"x-kubernetes-patch-merge-key": "type",
-								"x-kubernetes-patch-strategy":  "merge",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Items is the list of StorageVersionMigration",
 							Type:        []string{"array"},
@@ -57954,7 +58383,7 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationList(ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storagemigration/v1alpha1.StorageVersionMigration"),
+										Ref:     ref(storagemigrationv1beta1.StorageVersionMigration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -57965,11 +58394,11 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationList(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storagemigration/v1alpha1.StorageVersionMigration", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			storagemigrationv1beta1.StorageVersionMigration{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -57980,14 +58409,7 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationSpec(ref
 						SchemaProps: spec.SchemaProps{
 							Description: "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/storagemigration/v1alpha1.GroupVersionResource"),
-						},
-					},
-					"continueToken": {
-						SchemaProps: spec.SchemaProps{
-							Description: "The token used in the list options to get the next chunk of objects to migrate. When the .status.conditions indicates the migration is \"Running\", users can use this token to check the progress of the migration.",
-							Type:        []string{"string"},
-							Format:      "",
+							Ref:         ref(metav1.GroupResource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -57995,11 +58417,11 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationSpec(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storagemigration/v1alpha1.GroupVersionResource"},
+			metav1.GroupResource{}.OpenAPIModelName()},
 	}
 }
 
-func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+func schema_k8sio_api_storagemigration_v1beta1_StorageVersionMigrationStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
@@ -58024,7 +58446,7 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationStatus(re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/storagemigration/v1alpha1.MigrationCondition"),
+										Ref:     ref(metav1.Condition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58041,7 +58463,7 @@ func schema_k8sio_api_storagemigration_v1alpha1_StorageVersionMigrationStatus(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/storagemigration/v1alpha1.MigrationCondition"},
+			metav1.Condition{}.OpenAPIModelName()},
 	}
 }
 
@@ -58080,7 +58502,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionRequest(ref common.ReferenceCall
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58091,7 +58513,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionRequest(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -58122,7 +58544,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58132,7 +58554,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "result contains the result of conversion with extra details if the conversion failed. `result.status` determines if the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` will be used to construct an error message for the end user.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Status"),
+							Ref:         ref(metav1.Status{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -58140,7 +58562,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Status", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.Status{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -58168,20 +58590,20 @@ func schema_pkg_apis_apiextensions_v1_ConversionReview(ref common.ReferenceCallb
 					"request": {
 						SchemaProps: spec.SchemaProps{
 							Description: "request describes the attributes for the conversion request.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest"),
+							Ref:         ref(apiextensionsv1.ConversionRequest{}.OpenAPIModelName()),
 						},
 					},
 					"response": {
 						SchemaProps: spec.SchemaProps{
 							Description: "response describes the attributes for the conversion response.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse"),
+							Ref:         ref(apiextensionsv1.ConversionResponse{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse"},
+			apiextensionsv1.ConversionRequest{}.OpenAPIModelName(), apiextensionsv1.ConversionResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -58262,7 +58684,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref common.Refere
 					"webhook": {
 						SchemaProps: spec.SchemaProps{
 							Description: "webhook describes how to call the conversion webhook. Required when `strategy` is set to `\"Webhook\"`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion"),
+							Ref:         ref(apiextensionsv1.WebhookConversion{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -58270,7 +58692,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion"},
+			apiextensionsv1.WebhookConversion{}.OpenAPIModelName()},
 	}
 }
 
@@ -58299,21 +58721,21 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec describes how the user wants the resources to appear",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the actual state of the CustomResourceDefinition",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -58321,7 +58743,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -58351,7 +58773,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref comm
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -58368,12 +58790,19 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref comm
 							Format:      "",
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 				Required: []string{"type", "status"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -58402,7 +58831,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -58413,7 +58842,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58424,7 +58853,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -58531,7 +58960,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "names specify the resource and kind names for the custom resource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -58555,7 +58984,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58564,7 +58993,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 					"conversion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "conversion defines conversion settings for the CRD.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion"),
+							Ref:         ref(apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName()),
 						},
 					},
 					"preserveUnknownFields": {
@@ -58579,7 +59008,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion"},
+			apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName()},
 	}
 }
 
@@ -58606,7 +59035,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58616,7 +59045,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"storedVersions": {
@@ -58639,11 +59068,18 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 							},
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The generation observed by the CRD controller.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"},
+			apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()},
 	}
 }
 
@@ -58695,13 +59131,13 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 					"schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation"),
+							Ref:         ref(apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources this version of the defined custom resource have.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"additionalPrinterColumns": {
@@ -58717,7 +59153,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition"),
+										Ref:     ref(apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58736,7 +59172,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField"),
+										Ref:     ref(apiextensionsv1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -58747,7 +59183,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField"},
+			apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName(), apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName(), apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName(), apiextensionsv1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -58809,20 +59245,20 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref common.Refe
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName()),
 						},
 					},
 					"scale": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus"},
+			apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName(), apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -58836,14 +59272,14 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref common.Refere
 					"openAPIV3Schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+							Ref:         ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"},
+			apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()},
 	}
 }
 
@@ -58937,7 +59373,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+							Ref:         ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"maximum": {
@@ -59017,7 +59453,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+										Ref: ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59056,7 +59492,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName()),
 						},
 					},
 					"allOf": {
@@ -59071,7 +59507,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59089,7 +59525,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59107,7 +59543,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59115,7 +59551,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"not": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+							Ref: ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -59126,7 +59562,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59134,7 +59570,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"additionalProperties": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"patternProperties": {
@@ -59145,7 +59581,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59158,7 +59594,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray"),
+										Ref: ref(apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59166,7 +59602,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"additionalItems": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"definitions": {
@@ -59177,7 +59613,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59185,12 +59621,12 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"externalDocs": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation"),
+							Ref: ref(apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName()),
 						},
 					},
 					"example": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+							Ref: ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"nullable": {
@@ -59272,7 +59708,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule"),
+										Ref:     ref(apiextensionsv1.ValidationRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59282,7 +59718,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule"},
+			apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName(), apiextensionsv1.JSON{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName(), apiextensionsv1.ValidationRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -59463,7 +59899,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref common.ReferenceCa
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference"),
+							Ref:         ref(apiextensionsv1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -59477,7 +59913,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference"},
+			apiextensionsv1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -59491,7 +59927,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookConversion(ref common.ReferenceCall
 					"clientConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig"),
+							Ref:         ref(apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"conversionReviewVersions": {
@@ -59519,7 +59955,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookConversion(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig"},
+			apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -59558,7 +59994,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref common.Referenc
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59569,7 +60005,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -59600,7 +60036,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59610,7 +60046,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "result contains the result of conversion with extra details if the conversion failed. `result.status` determines if the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` will be used to construct an error message for the end user.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Status"),
+							Ref:         ref(metav1.Status{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -59618,7 +60054,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Status", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.Status{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -59646,20 +60082,20 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref common.Reference
 					"request": {
 						SchemaProps: spec.SchemaProps{
 							Description: "request describes the attributes for the conversion request.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest"),
+							Ref:         ref(apiextensionsv1beta1.ConversionRequest{}.OpenAPIModelName()),
 						},
 					},
 					"response": {
 						SchemaProps: spec.SchemaProps{
 							Description: "response describes the attributes for the conversion response.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse"),
+							Ref:         ref(apiextensionsv1beta1.ConversionResponse{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse"},
+			apiextensionsv1beta1.ConversionRequest{}.OpenAPIModelName(), apiextensionsv1beta1.ConversionResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -59740,7 +60176,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref common.R
 					"webhookClientConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "webhookClientConfig is the instructions for how to call the webhook if strategy is `Webhook`. Required when `strategy` is set to `Webhook`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig"),
+							Ref:         ref(apiextensionsv1beta1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"conversionReviewVersions": {
@@ -59768,7 +60204,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig"},
+			apiextensionsv1beta1.WebhookClientConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -59797,21 +60233,21 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec describes how the user wants the resources to appear",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the actual state of the CustomResourceDefinition",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -59819,7 +60255,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			apiextensionsv1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -59849,7 +60285,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -59866,12 +60302,19 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref
 							Format:      "",
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 				Required: []string{"type", "status"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -59900,7 +60343,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -59911,7 +60354,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition"),
+										Ref:     ref(apiextensionsv1beta1.CustomResourceDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -59922,7 +60365,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			apiextensionsv1beta1.CustomResourceDefinition{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -60036,7 +60479,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "names specify the resource and kind names for the custom resource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -60050,13 +60493,13 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 					"validation": {
 						SchemaProps: spec.SchemaProps{
 							Description: "validation describes the schema used for validation and pruning of the custom resource. If present, this validation schema is used to validate all versions. Top-level and per-version schemas are mutually exclusive.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources the defined custom resource has. If present, this field configures subresources for all versions. Top-level and per-version subresources are mutually exclusive.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"versions": {
@@ -60072,7 +60515,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion"),
+										Ref:     ref(apiextensionsv1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60091,7 +60534,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition"),
+										Ref:     ref(apiextensionsv1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60110,7 +60553,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"),
+										Ref:     ref(apiextensionsv1beta1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60119,7 +60562,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 					"conversion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "conversion defines conversion settings for the CRD.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceConversion{}.OpenAPIModelName()),
 						},
 					},
 					"preserveUnknownFields": {
@@ -60134,7 +60577,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"},
+			apiextensionsv1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceConversion{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceSubresources{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceValidation{}.OpenAPIModelName(), apiextensionsv1beta1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -60161,7 +60604,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition"),
+										Ref:     ref(apiextensionsv1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60171,7 +60614,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 						SchemaProps: spec.SchemaProps{
 							Description: "acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"storedVersions": {
@@ -60194,11 +60637,18 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 							},
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The generation observed by the CRD controller.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"},
+			apiextensionsv1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()},
 	}
 }
 
@@ -60250,13 +60700,13 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 					"schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "schema describes the schema used for validation and pruning of this version of the custom resource. Top-level and per-version schemas are mutually exclusive. Per-version schemas must not all be set to identical values (top-level validation schema should be used instead).",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources this version of the defined custom resource have. Top-level and per-version subresources are mutually exclusive. Per-version subresources must not all be set to identical values (top-level subresources should be used instead).",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"additionalPrinterColumns": {
@@ -60272,7 +60722,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition"),
+										Ref:     ref(apiextensionsv1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60291,7 +60741,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"),
+										Ref:     ref(apiextensionsv1beta1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60302,7 +60752,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"},
+			apiextensionsv1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceSubresources{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceValidation{}.OpenAPIModelName(), apiextensionsv1beta1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -60364,20 +60814,20 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref common
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName()),
 						},
 					},
 					"scale": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale"),
+							Ref:         ref(apiextensionsv1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus"},
+			apiextensionsv1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName(), apiextensionsv1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -60391,14 +60841,14 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref common.R
 					"openAPIV3Schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+							Ref:         ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"},
+			apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()},
 	}
 }
 
@@ -60432,8 +60882,8 @@ func schema_pkg_apis_apiextensions_v1beta1_JSON(ref common.ReferenceCallback) co
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.",
-				Type:        v1beta1.JSON{}.OpenAPISchemaType(),
-				Format:      v1beta1.JSON{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1beta1.JSON{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1beta1.JSON{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -60492,7 +60942,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. CustomResourceDefinitions with defaults must be created using the v1 (or newer) CustomResourceDefinition API.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+							Ref:         ref(apiextensionsv1beta1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"maximum": {
@@ -60572,7 +61022,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+										Ref: ref(apiextensionsv1beta1.JSON{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60611,7 +61061,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray"),
+							Ref: ref(apiextensionsv1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName()),
 						},
 					},
 					"allOf": {
@@ -60626,7 +61076,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60644,7 +61094,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60662,7 +61112,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60670,7 +61120,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"not": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+							Ref: ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -60681,7 +61131,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60689,7 +61139,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"additionalProperties": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"patternProperties": {
@@ -60700,7 +61150,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60713,7 +61163,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray"),
+										Ref: ref(apiextensionsv1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60721,7 +61171,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"additionalItems": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"definitions": {
@@ -60732,7 +61182,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60740,12 +61190,12 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"externalDocs": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation"),
+							Ref: ref(apiextensionsv1beta1.ExternalDocumentation{}.OpenAPIModelName()),
 						},
 					},
 					"example": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+							Ref: ref(apiextensionsv1beta1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"nullable": {
@@ -60827,7 +61277,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule"),
+										Ref:     ref(apiextensionsv1beta1.ValidationRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -60837,7 +61287,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule"},
+			apiextensionsv1beta1.ExternalDocumentation{}.OpenAPIModelName(), apiextensionsv1beta1.JSON{}.OpenAPIModelName(), apiextensionsv1beta1.JSONSchemaProps{}.OpenAPIModelName(), apiextensionsv1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName(), apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName(), apiextensionsv1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName(), apiextensionsv1beta1.ValidationRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -60846,8 +61296,8 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrArray(ref common.Ref
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.",
-				Type:        v1beta1.JSONSchemaPropsOrArray{}.OpenAPISchemaType(),
-				Format:      v1beta1.JSONSchemaPropsOrArray{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1beta1.JSONSchemaPropsOrArray{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1beta1.JSONSchemaPropsOrArray{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -60858,8 +61308,8 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrBool(ref common.Refe
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.",
-				Type:        v1beta1.JSONSchemaPropsOrBool{}.OpenAPISchemaType(),
-				Format:      v1beta1.JSONSchemaPropsOrBool{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1beta1.JSONSchemaPropsOrBool{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -60870,8 +61320,8 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrStringArray(ref comm
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.",
-				Type:        v1beta1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaType(),
-				Format:      v1beta1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1beta1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1beta1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -61018,7 +61468,7 @@ func schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref common.Refere
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference"),
+							Ref:         ref(apiextensionsv1beta1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -61032,7 +61482,7 @@ func schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference"},
+			apiextensionsv1beta1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -61126,7 +61576,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+										Ref:     ref(metav1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -61136,7 +61586,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "preferredVersion is the version preferred by the API server, which probably is the storage version.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+							Ref:         ref(metav1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 						},
 					},
 					"serverAddressByClientCIDRs": {
@@ -61152,7 +61602,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -61163,7 +61613,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			metav1.GroupVersionForDiscovery{}.OpenAPIModelName(), metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -61201,7 +61651,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"),
+										Ref:     ref(metav1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -61212,7 +61662,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"},
+			metav1.APIGroup{}.OpenAPIModelName()},
 	}
 }
 
@@ -61380,7 +61830,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"),
+										Ref:     ref(metav1.APIResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -61391,7 +61841,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"},
+			metav1.APIResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -61449,7 +61899,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -61460,7 +61910,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -61561,7 +62011,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -61585,7 +62035,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -61681,7 +62131,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 					"preconditions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"),
+							Ref:         ref(metav1.Preconditions{}.OpenAPIModelName()),
 						},
 					},
 					"orphanDependents": {
@@ -61729,7 +62179,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"},
+			metav1.Preconditions{}.OpenAPIModelName()},
 	}
 }
 
@@ -62041,15 +62491,12 @@ func schema_pkg_apis_meta_v1_InternalEvent(ref common.ReferenceCallback) common.
 					"Object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Bookmark: the object (instance of a type being watched) where\n   only ResourceVersion field is set. On successful restart of watch from a\n   bookmark resourceVersion, client is guaranteed to not get repeat event\n   nor miss any events.\n * If Type is Error: *api.Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Object"),
 						},
 					},
 				},
 				Required: []string{"Type", "Object"},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.Object"},
 	}
 }
 
@@ -62089,7 +62536,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(metav1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -62104,7 +62551,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			metav1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -62183,7 +62630,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -62193,7 +62640,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -62204,7 +62651,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -62377,7 +62824,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"fieldsType": {
@@ -62390,7 +62837,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"fieldsV1": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1"),
+							Ref:         ref(metav1.FieldsV1{}.OpenAPIModelName()),
 						},
 					},
 					"subresource": {
@@ -62404,7 +62851,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.FieldsV1{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -62479,13 +62926,13 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 					"creationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionGracePeriodSeconds": {
@@ -62545,7 +62992,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+										Ref:     ref(metav1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -62585,7 +63032,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"),
+										Ref:     ref(metav1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -62595,7 +63042,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.ManagedFieldsEntry{}.OpenAPIModelName(), metav1.OwnerReference{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -62689,14 +63136,14 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadata(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -62725,7 +63172,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -62736,7 +63183,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(metav1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -62747,7 +63194,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -62946,7 +63393,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
@@ -62971,14 +63418,9 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						},
 					},
 					"details": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"),
+							Ref:         ref(metav1.StatusDetails{}.OpenAPIModelName()),
 						},
 					},
 					"code": {
@@ -62992,7 +63434,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.StatusDetails{}.OpenAPIModelName()},
 	}
 }
 
@@ -63078,7 +63520,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"),
+										Ref:     ref(metav1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63095,7 +63537,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"},
+			metav1.StatusCause{}.OpenAPIModelName()},
 	}
 }
 
@@ -63124,7 +63566,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"columnDefinitions": {
@@ -63140,7 +63582,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition"),
+										Ref:     ref(metav1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63159,7 +63601,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"),
+										Ref:     ref(metav1.TableRow{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63170,7 +63612,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.TableColumnDefinition{}.OpenAPIModelName(), metav1.TableRow{}.OpenAPIModelName()},
 	}
 }
 
@@ -63301,7 +63743,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition"),
+										Ref:     ref(metav1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63310,7 +63752,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing. The media type of the object will always match the enclosing list - if this as a JSON table, these will be JSON encoded objects.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -63318,7 +63760,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.TableRowCondition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -63513,7 +63955,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -63521,7 +63963,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -63550,7 +63992,7 @@ func schema_pkg_apis_meta_v1beta1_PartialObjectMetadataList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -63561,7 +64003,7 @@ func schema_pkg_apis_meta_v1beta1_PartialObjectMetadataList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(metav1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63572,7 +64014,7 @@ func schema_pkg_apis_meta_v1beta1_PartialObjectMetadataList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -63601,28 +64043,28 @@ func schema_pkg_apis_testapigroup_v1_Carp(ref common.ReferenceCallback) common.O
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Specification of the desired behavior of the carp. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpSpec"),
+							Ref:         ref(testapigroupv1.CarpSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Most recently observed status of the carp. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpStatus"),
+							Ref:         ref(testapigroupv1.CarpStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpSpec", "k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpStatus"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), testapigroupv1.CarpSpec{}.OpenAPIModelName(), testapigroupv1.CarpStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -63651,13 +64093,13 @@ func schema_pkg_apis_testapigroup_v1_CarpCondition(ref common.ReferenceCallback)
 					"lastProbeTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time we probed the condition.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -63679,7 +64121,7 @@ func schema_pkg_apis_testapigroup_v1_CarpCondition(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -63752,7 +64194,7 @@ func schema_pkg_apis_testapigroup_v1_CarpList(ref common.ReferenceCallback) comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -63763,7 +64205,7 @@ func schema_pkg_apis_testapigroup_v1_CarpList(ref common.ReferenceCallback) comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/testapigroup/v1.Carp"),
+										Ref:     ref(testapigroupv1.Carp{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63774,7 +64216,7 @@ func schema_pkg_apis_testapigroup_v1_CarpList(ref common.ReferenceCallback) comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/testapigroup/v1.Carp"},
+			metav1.ListMeta{}.OpenAPIModelName(), testapigroupv1.Carp{}.OpenAPIModelName()},
 	}
 }
 
@@ -63923,7 +64365,7 @@ func schema_pkg_apis_testapigroup_v1_CarpStatus(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpCondition"),
+										Ref:     ref(testapigroupv1.CarpCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63960,7 +64402,7 @@ func schema_pkg_apis_testapigroup_v1_CarpStatus(ref common.ReferenceCallback) co
 					"startTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the carp.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"infos": {
@@ -63981,7 +64423,7 @@ func schema_pkg_apis_testapigroup_v1_CarpStatus(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpInfo"),
+										Ref:     ref(testapigroupv1.CarpInfo{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -63991,7 +64433,7 @@ func schema_pkg_apis_testapigroup_v1_CarpStatus(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpCondition", "k8s.io/apimachinery/pkg/apis/testapigroup/v1.CarpInfo"},
+			metav1.Time{}.OpenAPIModelName(), testapigroupv1.CarpCondition{}.OpenAPIModelName(), testapigroupv1.CarpInfo{}.OpenAPIModelName()},
 	}
 }
 
@@ -64200,6 +64642,25 @@ func schema_k8sio_apimachinery_pkg_version_Info(ref common.ReferenceCallback) co
 	}
 }
 
+func schema_pkg_apis_audit_v1_AuthenticationMetadata(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"impersonationConstraint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ImpersonationConstraint is the verb associated with the constrained impersonation mode that was used to authorize the ImpersonatedUser associated with this audit event.  It is only set when constrained impersonation was used.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -64265,13 +64726,19 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Authenticated user information.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
 						},
 					},
 					"impersonatedUser": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Impersonated user information.",
-							Ref:         ref("k8s.io/api/authentication/v1.UserInfo"),
+							Ref:         ref(authenticationv1.UserInfo{}.OpenAPIModelName()),
+						},
+					},
+					"authenticationMetadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "AuthenticationMetadata contains details about how the request was authenticated.",
+							Ref:         ref(auditv1.AuthenticationMetadata{}.OpenAPIModelName()),
 						},
 					},
 					"sourceIPs": {
@@ -64304,37 +64771,37 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 					"objectRef": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object reference this request is targeted at. Does not apply for List-type requests, or non-resource requests.",
-							Ref:         ref("k8s.io/apiserver/pkg/apis/audit/v1.ObjectReference"),
+							Ref:         ref(auditv1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"responseStatus": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The response status, populated even when the ResponseObject is not a Status type. For successful responses, this will only include the Code and StatusSuccess. For non-status type error responses, this will be auto-populated with the error Message.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Status"),
+							Ref:         ref(metav1.Status{}.OpenAPIModelName()),
 						},
 					},
 					"requestObject": {
 						SchemaProps: spec.SchemaProps{
 							Description: "API object from the request, in JSON format. The RequestObject is recorded as-is in the request (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or merging. It is an external versioned object type, and may not be a valid object on its own. Omitted for non-resource requests.  Only logged at Request Level and higher.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Unknown"),
+							Ref:         ref(runtime.Unknown{}.OpenAPIModelName()),
 						},
 					},
 					"responseObject": {
 						SchemaProps: spec.SchemaProps{
 							Description: "API object returned in the response, in JSON. The ResponseObject is recorded after conversion to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged at Response Level.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Unknown"),
+							Ref:         ref(runtime.Unknown{}.OpenAPIModelName()),
 						},
 					},
 					"requestReceivedTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time the request reached the apiserver.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"stageTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time the request reached current audit stage.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime"),
+							Ref:         ref(metav1.MicroTime{}.OpenAPIModelName()),
 						},
 					},
 					"annotations": {
@@ -64358,7 +64825,7 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/authentication/v1.UserInfo", "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime", "k8s.io/apimachinery/pkg/apis/meta/v1.Status", "k8s.io/apimachinery/pkg/runtime.Unknown", "k8s.io/apiserver/pkg/apis/audit/v1.ObjectReference"},
+			authenticationv1.UserInfo{}.OpenAPIModelName(), metav1.MicroTime{}.OpenAPIModelName(), metav1.Status{}.OpenAPIModelName(), runtime.Unknown{}.OpenAPIModelName(), auditv1.AuthenticationMetadata{}.OpenAPIModelName(), auditv1.ObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -64386,7 +64853,7 @@ func schema_pkg_apis_audit_v1_EventList(ref common.ReferenceCallback) common.Ope
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -64396,7 +64863,7 @@ func schema_pkg_apis_audit_v1_EventList(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiserver/pkg/apis/audit/v1.Event"),
+										Ref:     ref(auditv1.Event{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -64407,7 +64874,7 @@ func schema_pkg_apis_audit_v1_EventList(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apiserver/pkg/apis/audit/v1.Event"},
+			metav1.ListMeta{}.OpenAPIModelName(), auditv1.Event{}.OpenAPIModelName()},
 	}
 }
 
@@ -64559,7 +65026,7 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP
 						SchemaProps: spec.SchemaProps{
 							Description: "ObjectMeta is included for interoperability with API infrastructure.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"rules": {
@@ -64575,7 +65042,7 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiserver/pkg/apis/audit/v1.PolicyRule"),
+										Ref:     ref(auditv1.PolicyRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -64613,7 +65080,7 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apiserver/pkg/apis/audit/v1.PolicyRule"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), auditv1.PolicyRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -64641,7 +65108,7 @@ func schema_pkg_apis_audit_v1_PolicyList(ref common.ReferenceCallback) common.Op
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -64651,7 +65118,7 @@ func schema_pkg_apis_audit_v1_PolicyList(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiserver/pkg/apis/audit/v1.Policy"),
+										Ref:     ref(auditv1.Policy{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -64662,7 +65129,7 @@ func schema_pkg_apis_audit_v1_PolicyList(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apiserver/pkg/apis/audit/v1.Policy"},
+			metav1.ListMeta{}.OpenAPIModelName(), auditv1.Policy{}.OpenAPIModelName()},
 	}
 }
 
@@ -64754,7 +65221,7 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiserver/pkg/apis/audit/v1.GroupResources"),
+										Ref:     ref(auditv1.GroupResources{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -64832,7 +65299,153 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiserver/pkg/apis/audit/v1.GroupResources"},
+			auditv1.GroupResources{}.OpenAPIModelName()},
+	}
+}
+
+func schema_server_flagz_api_v1alpha1_Flagz(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Flagz is the structured response for the /flagz endpoint.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard object's metadata.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
+						},
+					},
+					"flags": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Flags contains the command-line flags and their values. The keys are the flag names and the values are the flag values, possibly with confidential values redacted.",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			metav1.ObjectMeta{}.OpenAPIModelName()},
+	}
+}
+
+func schema_server_statusz_api_v1alpha1_Statusz(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Statusz is a struct used for versioned statusz endpoint.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard object's metadata.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
+						},
+					},
+					"startTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "StartTime is the time the component process was initiated.",
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
+						},
+					},
+					"uptimeSeconds": {
+						SchemaProps: spec.SchemaProps{
+							Description: "UptimeSeconds is the duration in seconds for which the component has been running continuously.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+					"goVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "GoVersion is the version of the Go programming language used to build the binary. The format is not guaranteed to be consistent across different Go builds.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"binaryVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "BinaryVersion is the version of the component's binary. The format is not guaranteed to be semantic versioning and may be an arbitrary string.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"emulationVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "EmulationVersion is the Kubernetes API version which this component is emulating. if present, formatted as \"<major>.<minor>\"",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"paths": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "set",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Paths contains relative URLs to other essential read-only endpoints for debugging and troubleshooting.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"startTime", "uptimeSeconds", "binaryVersion"},
+			},
+		},
+		Dependencies: []string{
+			metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -64894,7 +65507,7 @@ func schema_pkg_apis_clientauthentication_v1_Cluster(ref common.ReferenceCallbac
 					"config": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Config holds additional config data that is specific to the exec plugin with regards to the cluster being authenticated to.\n\nThis data is sourced from the clientcmd Cluster object's extensions[client.authentication.k8s.io/exec] field:\n\nclusters: - name: my-cluster\n  cluster:\n    ...\n    extensions:\n    - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config\n      extension:\n        audience: 06e3fbd18de8  # arbitrary config\n\nIn some environments, the user config may be exactly the same across many clusters (i.e. call this exec plugin) minus some details that are specific to each cluster such as the audience.  This field allows the per cluster config to be directly specified with the cluster info.  Using this field to store secret data is not recommended as one of the prime benefits of exec plugins is that no secrets need to be stored directly in the kubeconfig.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -64902,7 +65515,7 @@ func schema_pkg_apis_clientauthentication_v1_Cluster(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -64931,20 +65544,20 @@ func schema_pkg_apis_clientauthentication_v1_ExecCredential(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information passed to the plugin by the transport.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialSpec"),
+							Ref:         ref(clientauthenticationv1.ExecCredentialSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the plugin and holds the credentials that the transport should use to contact the API.",
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialStatus"),
+							Ref:         ref(clientauthenticationv1.ExecCredentialStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialSpec", "k8s.io/client-go/pkg/apis/clientauthentication/v1.ExecCredentialStatus"},
+			clientauthenticationv1.ExecCredentialSpec{}.OpenAPIModelName(), clientauthenticationv1.ExecCredentialStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -64958,7 +65571,7 @@ func schema_pkg_apis_clientauthentication_v1_ExecCredentialSpec(ref common.Refer
 					"cluster": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to. Note that Cluster is non-nil only when provideClusterInfo is set to true in the exec provider config (i.e., ExecConfig.ProvideClusterInfo).",
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1.Cluster"),
+							Ref:         ref(clientauthenticationv1.Cluster{}.OpenAPIModelName()),
 						},
 					},
 					"interactive": {
@@ -64974,7 +65587,7 @@ func schema_pkg_apis_clientauthentication_v1_ExecCredentialSpec(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/client-go/pkg/apis/clientauthentication/v1.Cluster"},
+			clientauthenticationv1.Cluster{}.OpenAPIModelName()},
 	}
 }
 
@@ -64988,7 +65601,7 @@ func schema_pkg_apis_clientauthentication_v1_ExecCredentialStatus(ref common.Ref
 					"expirationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ExpirationTimestamp indicates a time when the provided credentials expire.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"token": {
@@ -65016,7 +65629,7 @@ func schema_pkg_apis_clientauthentication_v1_ExecCredentialStatus(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -65078,7 +65691,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_Cluster(ref common.ReferenceCa
 					"config": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Config holds additional config data that is specific to the exec plugin with regards to the cluster being authenticated to.\n\nThis data is sourced from the clientcmd Cluster object's extensions[client.authentication.k8s.io/exec] field:\n\nclusters: - name: my-cluster\n  cluster:\n    ...\n    extensions:\n    - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config\n      extension:\n        audience: 06e3fbd18de8  # arbitrary config\n\nIn some environments, the user config may be exactly the same across many clusters (i.e. call this exec plugin) minus some details that are specific to each cluster such as the audience.  This field allows the per cluster config to be directly specified with the cluster info.  Using this field to store secret data is not recommended as one of the prime benefits of exec plugins is that no secrets need to be stored directly in the kubeconfig.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -65086,7 +65699,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_Cluster(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -65115,20 +65728,20 @@ func schema_pkg_apis_clientauthentication_v1beta1_ExecCredential(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec holds information passed to the plugin by the transport.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialSpec"),
+							Ref:         ref(clientauthenticationv1beta1.ExecCredentialSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status is filled in by the plugin and holds the credentials that the transport should use to contact the API.",
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialStatus"),
+							Ref:         ref(clientauthenticationv1beta1.ExecCredentialStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialSpec", "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.ExecCredentialStatus"},
+			clientauthenticationv1beta1.ExecCredentialSpec{}.OpenAPIModelName(), clientauthenticationv1beta1.ExecCredentialStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -65142,7 +65755,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialSpec(ref common.
 					"cluster": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to. Note that Cluster is non-nil only when provideClusterInfo is set to true in the exec provider config (i.e., ExecConfig.ProvideClusterInfo).",
-							Ref:         ref("k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.Cluster"),
+							Ref:         ref(clientauthenticationv1beta1.Cluster{}.OpenAPIModelName()),
 						},
 					},
 					"interactive": {
@@ -65158,7 +65771,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialSpec(ref common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1.Cluster"},
+			clientauthenticationv1beta1.Cluster{}.OpenAPIModelName()},
 	}
 }
 
@@ -65172,7 +65785,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialStatus(ref commo
 					"expirationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ExpirationTimestamp indicates a time when the provided credentials expire.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"token": {
@@ -65200,7 +65813,7 @@ func schema_pkg_apis_clientauthentication_v1beta1_ExecCredentialStatus(ref commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -65229,41 +65842,41 @@ func schema_k8sio_cloud_provider_config_v1alpha1_CloudControllerManagerConfigura
 						SchemaProps: spec.SchemaProps{
 							Description: "Generic holds configuration for a generic controller-manager",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/controller-manager/config/v1alpha1.GenericControllerManagerConfiguration"),
+							Ref:         ref(controllermanagerconfigv1alpha1.GenericControllerManagerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"KubeCloudShared": {
 						SchemaProps: spec.SchemaProps{
 							Description: "KubeCloudSharedConfiguration holds configuration for shared related features both in cloud controller manager and kube-controller manager.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/config/v1alpha1.KubeCloudSharedConfiguration"),
+							Ref:         ref(configv1alpha1.KubeCloudSharedConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeController holds configuration for node controller related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/controllers/node/config/v1alpha1.NodeControllerConfiguration"),
+							Ref:         ref(nodeconfigv1alpha1.NodeControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ServiceController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ServiceControllerConfiguration holds configuration for ServiceController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/controllers/service/config/v1alpha1.ServiceControllerConfiguration"),
+							Ref:         ref(serviceconfigv1alpha1.ServiceControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeStatusUpdateFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"Webhook": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Webhook is the configuration for cloud-controller-manager hosted webhooks",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/config/v1alpha1.WebhookConfiguration"),
+							Ref:         ref(configv1alpha1.WebhookConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -65271,7 +65884,7 @@ func schema_k8sio_cloud_provider_config_v1alpha1_CloudControllerManagerConfigura
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/cloud-provider/config/v1alpha1.KubeCloudSharedConfiguration", "k8s.io/cloud-provider/config/v1alpha1.WebhookConfiguration", "k8s.io/cloud-provider/controllers/node/config/v1alpha1.NodeControllerConfiguration", "k8s.io/cloud-provider/controllers/service/config/v1alpha1.ServiceControllerConfiguration", "k8s.io/controller-manager/config/v1alpha1.GenericControllerManagerConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), configv1alpha1.KubeCloudSharedConfiguration{}.OpenAPIModelName(), configv1alpha1.WebhookConfiguration{}.OpenAPIModelName(), nodeconfigv1alpha1.NodeControllerConfiguration{}.OpenAPIModelName(), serviceconfigv1alpha1.ServiceControllerConfiguration{}.OpenAPIModelName(), controllermanagerconfigv1alpha1.GenericControllerManagerConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -65316,7 +65929,7 @@ func schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(re
 						SchemaProps: spec.SchemaProps{
 							Description: "CloudProviderConfiguration holds configuration for CloudProvider related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/config/v1alpha1.CloudProviderConfiguration"),
+							Ref:         ref(configv1alpha1.CloudProviderConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ExternalCloudVolumePlugin": {
@@ -65346,13 +65959,13 @@ func schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(re
 					"RouteReconciliationPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "routeReconciliationPeriod is the period for reconciling routes created for Nodes by cloud provider..",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeMonitorPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeMonitorPeriod is the period for syncing NodeStatus in NodeController.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"ClusterName": {
@@ -65397,7 +66010,7 @@ func schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(re
 					"NodeSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeSyncPeriod is the period for syncing nodes from cloudprovider. Longer periods will result in fewer calls to cloud provider, but may delay addition of new nodes to cluster.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -65405,7 +66018,7 @@ func schema_k8sio_cloud_provider_config_v1alpha1_KubeCloudSharedConfiguration(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/cloud-provider/config/v1alpha1.CloudProviderConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), configv1alpha1.CloudProviderConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -65438,6 +66051,223 @@ func schema_k8sio_cloud_provider_config_v1alpha1_WebhookConfiguration(ref common
 	}
 }
 
+func schema_controllers_node_config_v1alpha1_NodeControllerConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "NodeControllerConfiguration contains elements describing NodeController.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"ConcurrentNodeSyncs": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ConcurrentNodeSyncs is the number of workers concurrently synchronizing nodes",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+				Required: []string{"ConcurrentNodeSyncs"},
+			},
+		},
+	}
+}
+
+func schema_controllers_service_config_v1alpha1_ServiceControllerConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ServiceControllerConfiguration contains elements describing ServiceController.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"ConcurrentServiceSyncs": {
+						SchemaProps: spec.SchemaProps{
+							Description: "concurrentServiceSyncs is the number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+				Required: []string{"ConcurrentServiceSyncs"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_component_base_config_v1alpha1_ClientConnectionConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ClientConnectionConfiguration contains details for constructing a client.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kubeconfig": {
+						SchemaProps: spec.SchemaProps{
+							Description: "kubeconfig is the path to a KubeConfig file.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"acceptContentTypes": {
+						SchemaProps: spec.SchemaProps{
+							Description: "acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"contentType": {
+						SchemaProps: spec.SchemaProps{
+							Description: "contentType is the content type used when sending data to the server from this client.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"qps": {
+						SchemaProps: spec.SchemaProps{
+							Description: "qps controls the number of queries per second allowed for this connection.",
+							Default:     0,
+							Type:        []string{"number"},
+							Format:      "float",
+						},
+					},
+					"burst": {
+						SchemaProps: spec.SchemaProps{
+							Description: "burst allows extra queries to accumulate when a client is exceeding its rate.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+				Required: []string{"kubeconfig", "acceptContentTypes", "contentType", "qps", "burst"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_component_base_config_v1alpha1_DebuggingConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DebuggingConfiguration holds configuration for Debugging related features.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"enableProfiling": {
+						SchemaProps: spec.SchemaProps{
+							Description: "enableProfiling enables profiling via web interface host:port/debug/pprof/",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"enableContentionProfiling": {
+						SchemaProps: spec.SchemaProps{
+							Description: "enableContentionProfiling enables block profiling, if enableProfiling is true.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_k8sio_component_base_config_v1alpha1_LeaderElectionConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "LeaderElectionConfiguration defines the configuration of leader election clients for components that can run with leader election enabled.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"leaderElect": {
+						SchemaProps: spec.SchemaProps{
+							Description: "leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"leaseDuration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "leaseDuration is the duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.",
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
+						},
+					},
+					"renewDeadline": {
+						SchemaProps: spec.SchemaProps{
+							Description: "renewDeadline is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.",
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
+						},
+					},
+					"retryPeriod": {
+						SchemaProps: spec.SchemaProps{
+							Description: "retryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.",
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
+						},
+					},
+					"resourceLock": {
+						SchemaProps: spec.SchemaProps{
+							Description: "resourceLock indicates the resource object type that will be used to lock during leader election cycles.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"resourceName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "resourceName indicates the name of resource object that will be used to lock during leader election cycles.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"resourceNamespace": {
+						SchemaProps: spec.SchemaProps{
+							Description: "resourceName indicates the namespace of resource object that will be used to lock during leader election cycles.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"leaderElect", "leaseDuration", "renewDeadline", "retryPeriod", "resourceLock", "resourceName", "resourceNamespace"},
+			},
+		},
+		Dependencies: []string{
+			metav1.Duration{}.OpenAPIModelName()},
+	}
+}
+
+func schema_component_base_tracing_api_v1_TracingConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"endpoint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Endpoint of the collector this component will report traces to. The connection is insecure, and does not currently support TLS. Recommended is unset, and endpoint is the otlp grpc default, localhost:4317.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"samplingRatePerMillion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "SamplingRatePerMillion is the number of samples to collect per million spans. Recommended is unset. If unset, sampler respects its parent span's sampling rate, but otherwise never samples.",
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_k8sio_controller_manager_config_v1alpha1_ControllerLeaderConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -65494,27 +66324,27 @@ func schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerCon
 					"MinResyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "minResyncPeriod is the resync period in reflectors; will be random between minResyncPeriod and 2*minResyncPeriod.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"ClientConnection": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ControllerStartInterval": {
 						SchemaProps: spec.SchemaProps{
 							Description: "How long to wait between starting controller managers",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"LeaderElection": {
 						SchemaProps: spec.SchemaProps{
 							Description: "leaderElection defines the configuration of leader election client.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.LeaderElectionConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.LeaderElectionConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"Controllers": {
@@ -65536,7 +66366,7 @@ func schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerCon
 						SchemaProps: spec.SchemaProps{
 							Description: "DebuggingConfiguration holds configuration for Debugging related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.DebuggingConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.DebuggingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"LeaderMigrationEnabled": {
@@ -65551,7 +66381,7 @@ func schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerCon
 						SchemaProps: spec.SchemaProps{
 							Description: "LeaderMigration holds the configuration for Leader Migration.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/controller-manager/config/v1alpha1.LeaderMigrationConfiguration"),
+							Ref:         ref(controllermanagerconfigv1alpha1.LeaderMigrationConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -65559,7 +66389,7 @@ func schema_k8sio_controller_manager_config_v1alpha1_GenericControllerManagerCon
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration", "k8s.io/component-base/config/v1alpha1.DebuggingConfiguration", "k8s.io/component-base/config/v1alpha1.LeaderElectionConfiguration", "k8s.io/controller-manager/config/v1alpha1.LeaderMigrationConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName(), componentbaseconfigv1alpha1.DebuggingConfiguration{}.OpenAPIModelName(), componentbaseconfigv1alpha1.LeaderElectionConfiguration{}.OpenAPIModelName(), controllermanagerconfigv1alpha1.LeaderMigrationConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -65608,7 +66438,7 @@ func schema_k8sio_controller_manager_config_v1alpha1_LeaderMigrationConfiguratio
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/controller-manager/config/v1alpha1.ControllerLeaderConfiguration"),
+										Ref:     ref(controllermanagerconfigv1alpha1.ControllerLeaderConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -65619,7 +66449,7 @@ func schema_k8sio_controller_manager_config_v1alpha1_LeaderMigrationConfiguratio
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/controller-manager/config/v1alpha1.ControllerLeaderConfiguration"},
+			controllermanagerconfigv1alpha1.ControllerLeaderConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -65703,7 +66533,7 @@ func schema_k8sio_controller_manager_config_v1beta1_LeaderMigrationConfiguration
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/controller-manager/config/v1beta1.ControllerLeaderConfiguration"),
+										Ref:     ref(configv1beta1.ControllerLeaderConfiguration{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -65714,7 +66544,7 @@ func schema_k8sio_controller_manager_config_v1beta1_LeaderMigrationConfiguration
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/controller-manager/config/v1beta1.ControllerLeaderConfiguration"},
+			configv1beta1.ControllerLeaderConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -65743,28 +66573,28 @@ func schema_pkg_apis_apiregistration_v1_APIService(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec contains information for locating and communicating with a server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec"),
+							Ref:         ref(apiregistrationv1.APIServiceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status contains derived information about an API server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus"),
+							Ref:         ref(apiregistrationv1.APIServiceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), apiregistrationv1.APIServiceSpec{}.OpenAPIModelName(), apiregistrationv1.APIServiceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -65794,7 +66624,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref common.Reference
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -65816,7 +66646,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -65845,7 +66675,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -65856,7 +66686,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService"),
+										Ref:     ref(apiregistrationv1.APIService{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -65867,7 +66697,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService"},
+			metav1.ListMeta{}.OpenAPIModelName(), apiregistrationv1.APIService{}.OpenAPIModelName()},
 	}
 }
 
@@ -65881,7 +66711,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref common.ReferenceCallb
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.",
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference"),
+							Ref:         ref(apiregistrationv1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
@@ -65938,7 +66768,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference"},
+			apiregistrationv1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -65967,7 +66797,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition"),
+										Ref:     ref(apiregistrationv1.APIServiceCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -65977,7 +66807,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition"},
+			apiregistrationv1.APIServiceCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -66040,28 +66870,28 @@ func schema_pkg_apis_apiregistration_v1beta1_APIService(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec contains information for locating and communicating with a server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec"),
+							Ref:         ref(apiregistrationv1beta1.APIServiceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status contains derived information about an API server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus"),
+							Ref:         ref(apiregistrationv1beta1.APIServiceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus"},
+			metav1.ObjectMeta{}.OpenAPIModelName(), apiregistrationv1beta1.APIServiceSpec{}.OpenAPIModelName(), apiregistrationv1beta1.APIServiceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -66091,7 +66921,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref common.Refe
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -66113,7 +66943,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -66142,7 +66972,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -66153,7 +66983,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService"),
+										Ref:     ref(apiregistrationv1beta1.APIService{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -66164,7 +66994,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService"},
+			metav1.ListMeta{}.OpenAPIModelName(), apiregistrationv1beta1.APIService{}.OpenAPIModelName()},
 	}
 }
 
@@ -66178,7 +67008,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref common.Reference
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.",
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference"),
+							Ref:         ref(apiregistrationv1beta1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
@@ -66235,7 +67065,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference"},
+			apiregistrationv1beta1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -66264,7 +67094,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition"),
+										Ref:     ref(apiregistrationv1beta1.APIServiceCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -66274,7 +67104,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition"},
+			apiregistrationv1beta1.APIServiceCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -66330,7 +67160,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_AttachDetachController
 					"ReconcilerSyncLoopPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ReconcilerSyncLoopPeriod is the amount of time the reconciler sync states loop wait between successive executions. Is set to 60 sec by default.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"disableForceDetachOnTimeout": {
@@ -66346,7 +67176,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_AttachDetachController
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66407,34 +67237,34 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningControllerCo
 						SchemaProps: spec.SchemaProps{
 							Description: "kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"KubeletClientSignerConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"KubeAPIServerClientSignerConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"LegacyUnknownSignerConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ClusterSigningDuration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "clusterSigningDuration is the max length of duration signed certificates will be given. Individual CSRs may request shorter certs by setting spec.expirationSeconds.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -66442,7 +67272,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_CSRSigningControllerCo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.CSRSigningConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66523,6 +67353,28 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_DeprecatedControllerCo
 	}
 }
 
+func schema_k8sio_kube_controller_manager_config_v1alpha1_DeviceTaintEvictionControllerConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"ConcurrentSyncs": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ConcurrentSyncs is the number of operations (deleting a pod, updating a ResourcClaim status, etc.) that will be done concurrently. Larger number = processing, but more CPU (and network) load.\n\nThe default is 10.",
+							Default:     0,
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+				},
+				Required: []string{"ConcurrentSyncs"},
+			},
+		},
+	}
+}
+
 func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointControllerConfiguration(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -66541,7 +67393,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointControllerConf
 					"EndpointUpdatesBatchPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EndpointUpdatesBatchPeriod describes the length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -66549,7 +67401,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointControllerConf
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66579,7 +67431,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceControlle
 					"EndpointUpdatesBatchPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EndpointUpdatesBatchPeriod describes the length of endpoint updates batching period. Processing of pod changes will be delayed by this duration to join them with potential upcoming updates and reduce the overall number of endpoints updates.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -66587,7 +67439,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceControlle
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66617,7 +67469,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceMirroring
 					"MirroringEndpointUpdatesBatchPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "mirroringEndpointUpdatesBatchPeriod can be used to batch EndpointSlice updates. All updates triggered by EndpointSlice changes will be delayed by up to 'mirroringEndpointUpdatesBatchPeriod'. If other addresses in the same Endpoints resource change in that period, they will be batched to a single EndpointSlice update. Default 0 value means that each Endpoints update triggers an EndpointSlice update.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -66625,7 +67477,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_EndpointSliceMirroring
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66681,7 +67533,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_GarbageCollectorContro
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-controller-manager/config/v1alpha1.GroupResource"),
+										Ref:     ref(kubecontrollermanagerconfigv1alpha1.GroupResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -66692,7 +67544,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_GarbageCollectorContro
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-controller-manager/config/v1alpha1.GroupResource"},
+			kubecontrollermanagerconfigv1alpha1.GroupResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -66744,13 +67596,13 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_HPAControllerConfigura
 					"HorizontalPodAutoscalerSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HorizontalPodAutoscalerSyncPeriod is the period for syncing the number of pods in horizontal pod autoscaler.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"HorizontalPodAutoscalerDownscaleStabilizationWindow": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HorizontalPodAutoscalerDowncaleStabilizationWindow is a period for which autoscaler will look backwards and not scale down below any recommendation it made during that period.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"HorizontalPodAutoscalerTolerance": {
@@ -66764,13 +67616,13 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_HPAControllerConfigura
 					"HorizontalPodAutoscalerCPUInitializationPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HorizontalPodAutoscalerCPUInitializationPeriod is the period after pod start when CPU samples might be skipped.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"HorizontalPodAutoscalerInitialReadinessDelay": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HorizontalPodAutoscalerInitialReadinessDelay is period after pod start during which readiness changes are treated as readiness being set for the first time. The only effect of this is that HPA will disregard CPU samples from unready pods that had last readiness change during that period.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -66778,7 +67630,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_HPAControllerConfigura
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -66829,211 +67681,218 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_KubeControllerManagerC
 						SchemaProps: spec.SchemaProps{
 							Description: "Generic holds configuration for a generic controller-manager",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/controller-manager/config/v1alpha1.GenericControllerManagerConfiguration"),
+							Ref:         ref(controllermanagerconfigv1alpha1.GenericControllerManagerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"KubeCloudShared": {
 						SchemaProps: spec.SchemaProps{
 							Description: "KubeCloudSharedConfiguration holds configuration for shared related features both in cloud controller manager and kube-controller manager.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/config/v1alpha1.KubeCloudSharedConfiguration"),
+							Ref:         ref(configv1alpha1.KubeCloudSharedConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"AttachDetachController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AttachDetachControllerConfiguration holds configuration for AttachDetachController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.AttachDetachControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.AttachDetachControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"CSRSigningController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CSRSigningControllerConfiguration holds configuration for CSRSigningController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CSRSigningControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"DaemonSetController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DaemonSetControllerConfiguration holds configuration for DaemonSetController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.DaemonSetControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.DaemonSetControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"DeploymentController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeploymentControllerConfiguration holds configuration for DeploymentController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.DeploymentControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.DeploymentControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"StatefulSetController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "StatefulSetControllerConfiguration holds configuration for StatefulSetController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.StatefulSetControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.StatefulSetControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"DeprecatedController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeprecatedControllerConfiguration holds configuration for some deprecated features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.DeprecatedControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.DeprecatedControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"EndpointController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EndpointControllerConfiguration holds configuration for EndpointController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.EndpointControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.EndpointControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"EndpointSliceController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EndpointSliceControllerConfiguration holds configuration for EndpointSliceController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.EndpointSliceControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"EndpointSliceMirroringController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EndpointSliceMirroringControllerConfiguration holds configuration for EndpointSliceMirroringController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceMirroringControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.EndpointSliceMirroringControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"EphemeralVolumeController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "EphemeralVolumeControllerConfiguration holds configuration for EphemeralVolumeController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.EphemeralVolumeControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.EphemeralVolumeControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"GarbageCollectorController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "GarbageCollectorControllerConfiguration holds configuration for GarbageCollectorController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.GarbageCollectorControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.GarbageCollectorControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"HPAController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HPAControllerConfiguration holds configuration for HPAController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.HPAControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.HPAControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"JobController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "JobControllerConfiguration holds configuration for JobController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.JobControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.JobControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"CronJobController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CronJobControllerConfiguration holds configuration for CronJobController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.CronJobControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.CronJobControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"LegacySATokenCleaner": {
 						SchemaProps: spec.SchemaProps{
 							Description: "LegacySATokenCleanerConfiguration holds configuration for LegacySATokenCleaner related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.LegacySATokenCleanerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.LegacySATokenCleanerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"NamespaceController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NamespaceControllerConfiguration holds configuration for NamespaceController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.NamespaceControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.NamespaceControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeIPAMController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeIPAMControllerConfiguration holds configuration for NodeIPAMController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.NodeIPAMControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.NodeIPAMControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeLifecycleController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "NodeLifecycleControllerConfiguration holds configuration for NodeLifecycleController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.NodeLifecycleControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.NodeLifecycleControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"PersistentVolumeBinderController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PersistentVolumeBinderControllerConfiguration holds configuration for PersistentVolumeBinderController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeBinderControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.PersistentVolumeBinderControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"PodGCController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PodGCControllerConfiguration holds configuration for PodGCController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.PodGCControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.PodGCControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ReplicaSetController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ReplicaSetControllerConfiguration holds configuration for ReplicaSet related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.ReplicaSetControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.ReplicaSetControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ReplicationController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ReplicationControllerConfiguration holds configuration for ReplicationController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.ReplicationControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.ReplicationControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ResourceQuotaController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ResourceQuotaControllerConfiguration holds configuration for ResourceQuotaController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.ResourceQuotaControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.ResourceQuotaControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"SAController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "SAControllerConfiguration holds configuration for ServiceAccountController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.SAControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.SAControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ServiceController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ServiceControllerConfiguration holds configuration for ServiceController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/cloud-provider/controllers/service/config/v1alpha1.ServiceControllerConfiguration"),
+							Ref:         ref(serviceconfigv1alpha1.ServiceControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"TTLAfterFinishedController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TTLAfterFinishedControllerConfiguration holds configuration for TTLAfterFinishedController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.TTLAfterFinishedControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.TTLAfterFinishedControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ValidatingAdmissionPolicyStatusController": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ValidatingAdmissionPolicyStatusControllerConfiguration holds configuration for ValidatingAdmissionPolicyStatusController related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration{}.OpenAPIModelName()),
+						},
+					},
+					"DeviceTaintEvictionController": {
+						SchemaProps: spec.SchemaProps{
+							Description: "DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.",
+							Default:     map[string]interface{}{},
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.DeviceTaintEvictionControllerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
-				Required: []string{"Generic", "KubeCloudShared", "AttachDetachController", "CSRSigningController", "DaemonSetController", "DeploymentController", "StatefulSetController", "DeprecatedController", "EndpointController", "EndpointSliceController", "EndpointSliceMirroringController", "EphemeralVolumeController", "GarbageCollectorController", "HPAController", "JobController", "CronJobController", "LegacySATokenCleaner", "NamespaceController", "NodeIPAMController", "NodeLifecycleController", "PersistentVolumeBinderController", "PodGCController", "ReplicaSetController", "ReplicationController", "ResourceQuotaController", "SAController", "ServiceController", "TTLAfterFinishedController", "ValidatingAdmissionPolicyStatusController"},
+				Required: []string{"Generic", "KubeCloudShared", "AttachDetachController", "CSRSigningController", "DaemonSetController", "DeploymentController", "StatefulSetController", "DeprecatedController", "EndpointController", "EndpointSliceController", "EndpointSliceMirroringController", "EphemeralVolumeController", "GarbageCollectorController", "HPAController", "JobController", "CronJobController", "LegacySATokenCleaner", "NamespaceController", "NodeIPAMController", "NodeLifecycleController", "PersistentVolumeBinderController", "PodGCController", "ReplicaSetController", "ReplicationController", "ResourceQuotaController", "SAController", "ServiceController", "TTLAfterFinishedController", "ValidatingAdmissionPolicyStatusController", "DeviceTaintEvictionController"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/cloud-provider/config/v1alpha1.KubeCloudSharedConfiguration", "k8s.io/cloud-provider/controllers/service/config/v1alpha1.ServiceControllerConfiguration", "k8s.io/controller-manager/config/v1alpha1.GenericControllerManagerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.AttachDetachControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.CSRSigningControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.CronJobControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.DaemonSetControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.DeploymentControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.DeprecatedControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.EndpointControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.EndpointSliceMirroringControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.EphemeralVolumeControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.GarbageCollectorControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.HPAControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.JobControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.LegacySATokenCleanerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.NamespaceControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.NodeIPAMControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.NodeLifecycleControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeBinderControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.PodGCControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.ReplicaSetControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.ReplicationControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.ResourceQuotaControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.SAControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.StatefulSetControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.TTLAfterFinishedControllerConfiguration", "k8s.io/kube-controller-manager/config/v1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration"},
+			configv1alpha1.KubeCloudSharedConfiguration{}.OpenAPIModelName(), serviceconfigv1alpha1.ServiceControllerConfiguration{}.OpenAPIModelName(), controllermanagerconfigv1alpha1.GenericControllerManagerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.AttachDetachControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.CSRSigningControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.CronJobControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.DaemonSetControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.DeploymentControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.DeprecatedControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.DeviceTaintEvictionControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.EndpointControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.EndpointSliceControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.EndpointSliceMirroringControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.EphemeralVolumeControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.GarbageCollectorControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.HPAControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.JobControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.LegacySATokenCleanerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.NamespaceControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.NodeIPAMControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.NodeLifecycleControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.PersistentVolumeBinderControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.PodGCControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.ReplicaSetControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.ReplicationControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.ResourceQuotaControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.SAControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.StatefulSetControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.TTLAfterFinishedControllerConfiguration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67047,7 +67906,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_LegacySATokenCleanerCo
 					"CleanUpPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CleanUpPeriod is the period of time since the last usage of an auto-generated service account token before it can be deleted.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -67055,7 +67914,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_LegacySATokenCleanerCo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67069,7 +67928,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_NamespaceControllerCon
 					"NamespaceSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "namespaceSyncPeriod is the period for syncing namespace life-cycle updates.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"ConcurrentNamespaceSyncs": {
@@ -67085,7 +67944,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_NamespaceControllerCon
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67169,19 +68028,19 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_NodeLifecycleControlle
 					"NodeStartupGracePeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeStartupGracePeriod is the amount of time which we allow starting a node to be unresponsive before marking it unhealthy.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"NodeMonitorGracePeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeMontiorGracePeriod is the amount of time which we allow a running node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. This value should also be greater than the sum of HTTP2_PING_TIMEOUT_SECONDS and HTTP2_READ_IDLE_TIMEOUT_SECONDS.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"PodEvictionTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "podEvictionTimeout is the grace period for deleting pods on failed nodes.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"LargeClusterSizeThreshold": {
@@ -67205,7 +68064,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_NodeLifecycleControlle
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67219,14 +68078,14 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
 					"PVClaimBinderSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pvClaimBinderSyncPeriod is the period for syncing persistent volumes and persistent volume claims.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"VolumeConfiguration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "volumeConfiguration holds configuration for volume related features.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.VolumeConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.VolumeConfiguration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -67234,7 +68093,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kube-controller-manager/config/v1alpha1.VolumeConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), kubecontrollermanagerconfigv1alpha1.VolumeConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67384,7 +68243,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_ResourceQuotaControlle
 					"ResourceQuotaSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resourceQuotaSyncPeriod is the period for syncing quota usage status in the system.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"ConcurrentResourceQuotaSyncs": {
@@ -67400,7 +68259,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_ResourceQuotaControlle
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67533,7 +68392,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_VolumeConfiguration(re
 						SchemaProps: spec.SchemaProps{
 							Description: "persistentVolumeRecyclerConfiguration holds configuration for persistent volume plugins.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeRecyclerConfiguration"),
+							Ref:         ref(kubecontrollermanagerconfigv1alpha1.PersistentVolumeRecyclerConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"FlexVolumePluginDir": {
@@ -67549,7 +68408,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_VolumeConfiguration(re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-controller-manager/config/v1alpha1.PersistentVolumeRecyclerConfiguration"},
+			kubecontrollermanagerconfigv1alpha1.PersistentVolumeRecyclerConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67624,14 +68483,14 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "clientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"logging": {
 						SchemaProps: spec.SchemaProps{
 							Description: "logging specifies the options of logging. Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/logs/api/v1.LoggingConfiguration"),
+							Ref:         ref(logsapiv1.LoggingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"hostnameOverride": {
@@ -67702,28 +68561,28 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "iptables contains iptables-related configuration options.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPTablesConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.KubeProxyIPTablesConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"ipvs": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ipvs contains ipvs-related configuration options.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPVSConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"nftables": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nftables contains nftables-related configuration options.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.KubeProxyNFTablesConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"winkernel": {
 						SchemaProps: spec.SchemaProps{
 							Description: "winkernel contains winkernel-related configuration options.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.KubeProxyWinkernelConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.KubeProxyWinkernelConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"detectLocalMode": {
@@ -67738,7 +68597,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "detectLocal contains optional configuration settings related to DetectLocalMode.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.DetectLocalConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.DetectLocalConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"clusterCIDR": {
@@ -67775,13 +68634,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "conntrack contains conntrack-related configuration options.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-proxy/config/v1alpha1.KubeProxyConntrackConfiguration"),
+							Ref:         ref(kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"configSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater than 0.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"portRange": {
@@ -67804,7 +68663,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration", "k8s.io/component-base/logs/api/v1.LoggingConfiguration", "k8s.io/kube-proxy/config/v1alpha1.DetectLocalConfiguration", "k8s.io/kube-proxy/config/v1alpha1.KubeProxyConntrackConfiguration", "k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPTablesConfiguration", "k8s.io/kube-proxy/config/v1alpha1.KubeProxyIPVSConfiguration", "k8s.io/kube-proxy/config/v1alpha1.KubeProxyNFTablesConfiguration", "k8s.io/kube-proxy/config/v1alpha1.KubeProxyWinkernelConfiguration"},
+			metav1.Duration{}.OpenAPIModelName(), componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName(), logsapiv1.LoggingConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.DetectLocalConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.KubeProxyIPTablesConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{}.OpenAPIModelName(), kubeproxyconfigv1alpha1.KubeProxyWinkernelConfiguration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67832,13 +68691,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 					"tcpEstablishedTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tcpEstablishedTimeout is how long an idle TCP connection will be kept open (e.g. '2s').  Must be greater than 0 to set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"tcpCloseWaitTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tcpCloseWaitTimeout is how long an idle conntrack entry in CLOSE_WAIT state will remain in the conntrack table. (e.g. '60s'). Must be greater than 0 to set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"tcpBeLiberal": {
@@ -67852,13 +68711,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 					"udpTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "udpTimeout is how long an idle UDP conntrack entry in UNREPLIED state will remain in the conntrack table (e.g. '30s'). Must be greater than 0 to set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"udpStreamTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "udpStreamTimeout is how long an idle UDP conntrack entry in ASSURED state will remain in the conntrack table (e.g. '300s'). Must be greater than 0 to set.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -67866,7 +68725,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67902,13 +68761,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPTablesConfiguration(ref
 					"syncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"minSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -67916,7 +68775,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPTablesConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -67930,13 +68789,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPVSConfiguration(ref comm
 					"syncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"minSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "minSyncPeriod is the minimum period between IPVS rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate IPVS resync.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"scheduler": {
@@ -67973,19 +68832,19 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPVSConfiguration(ref comm
 					"tcpTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tcpTimeout is the timeout value used for idle IPVS TCP sessions. The default value is 0, which preserves the current timeout value on the system.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"tcpFinTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. The default value is 0, which preserves the current timeout value on the system.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"udpTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "udpTimeout is the timeout value used for IPVS UDP packets. The default value is 0, which preserves the current timeout value on the system.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -67993,7 +68852,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyIPVSConfiguration(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -68022,13 +68881,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 					"syncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"minSyncPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -68036,7 +68895,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -68159,7 +69018,13 @@ func schema_k8sio_kube_scheduler_config_v1_DynamicResourcesArgs(ref common.Refer
 					"filterTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FilterTimeout limits the amount of time that the filter operation may take per node to search for devices that can be allocated to scheduler a pod to that node.\n\nIn typical scenarios, this operation should complete in 10 to 200 milliseconds, but could also be longer depending on the number of requests per ResourceClaim, number of ResourceClaims, number of published devices in ResourceSlices, and the complexity of the requests. Other checks besides CEL evaluation also take time (usage checks, match attributes, etc.).\n\nTherefore the scheduler plugin applies this timeout. If the timeout is reached, the Pod is considered unschedulable for the node. If filtering succeeds for some other node(s), those are picked instead. If filtering fails for all of them, the Pod is placed in the unschedulable queue. It will get checked again if changes in e.g. ResourceSlices or ResourceClaims indicate that another scheduling attempt might succeed. If this fails repeatedly, exponential backoff slows down future attempts.\n\nThe default is 10 seconds. This is sufficient to prevent worst-case scenarios while not impacting normal usage of DRA. However, slow filtering can slow down Pod scheduling also for Pods not using DRA. Administators can reduce the timeout after checking the `scheduler_framework_extension_point_duration_seconds` metrics.\n\nSetting it to zero completely disables the timeout.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
+						},
+					},
+					"bindingTimeout": {
+						SchemaProps: spec.SchemaProps{
+							Description: "BindingTimeout limits how long the PreBind extension point may wait for ResourceClaim device BindingConditions to become satisfied when such conditions are present. While waiting, the scheduler periodically checks device status. If the timeout elapses before all required conditions are true (or any bindingFailureConditions become true), the allocation is cleared and the Pod re-enters scheduling queue. Note that the same or other node may be chosen if feasible; otherwise the Pod is placed in the unschedulable queue and retried based on cluster changes and backoff.\n\nDefaults & feature gates:\n  - Defaults to 10 minutes when the DRADeviceBindingConditions feature gate is enabled.\n  - Has effect only when BOTH DRADeviceBindingConditions and\n    DRAResourceClaimDeviceStatus are enabled; otherwise omit this field.\n  - When DRADeviceBindingConditions is disabled, setting this field is considered an error.\n\nValid values:\n  - >=1s (non-zero). No upper bound is enforced.\n\nTuning guidance:\n  - Lower values reduce time-to-retry when devices aren’t ready but can\n    increase churn if drivers typically need longer to report readiness.\n  - Review scheduler latency metrics (e.g. PreBind duration in\n    `scheduler_framework_extension_point_duration_seconds`) and driver\n    readiness behavior before tightening this timeout.",
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -68167,7 +69032,7 @@ func schema_k8sio_kube_scheduler_config_v1_DynamicResourcesArgs(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -68231,13 +69096,13 @@ func schema_k8sio_kube_scheduler_config_v1_Extender(ref common.ReferenceCallback
 					"tlsConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "TLSConfig specifies the transport layer security config",
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.ExtenderTLSConfig"),
+							Ref:         ref(configv1.ExtenderTLSConfig{}.OpenAPIModelName()),
 						},
 					},
 					"httpTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"nodeCacheCapable": {
@@ -68260,7 +69125,7 @@ func schema_k8sio_kube_scheduler_config_v1_Extender(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.ExtenderManagedResource"),
+										Ref:     ref(configv1.ExtenderManagedResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68278,7 +69143,7 @@ func schema_k8sio_kube_scheduler_config_v1_Extender(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kube-scheduler/config/v1.ExtenderManagedResource", "k8s.io/kube-scheduler/config/v1.ExtenderTLSConfig"},
+			metav1.Duration{}.OpenAPIModelName(), configv1.ExtenderManagedResource{}.OpenAPIModelName(), configv1.ExtenderTLSConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -68470,14 +69335,14 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref common
 						SchemaProps: spec.SchemaProps{
 							Description: "LeaderElection defines the configuration of leader election client.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.LeaderElectionConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.LeaderElectionConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"clientConnection": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ClientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration"),
+							Ref:         ref(componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"enableProfiling": {
@@ -68531,7 +69396,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.KubeSchedulerProfile"),
+										Ref:     ref(configv1.KubeSchedulerProfile{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68550,7 +69415,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.Extender"),
+										Ref:     ref(configv1.Extender{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68568,7 +69433,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerConfiguration(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/component-base/config/v1alpha1.ClientConnectionConfiguration", "k8s.io/component-base/config/v1alpha1.LeaderElectionConfiguration", "k8s.io/kube-scheduler/config/v1.Extender", "k8s.io/kube-scheduler/config/v1.KubeSchedulerProfile"},
+			componentbaseconfigv1alpha1.ClientConnectionConfiguration{}.OpenAPIModelName(), componentbaseconfigv1alpha1.LeaderElectionConfiguration{}.OpenAPIModelName(), configv1.Extender{}.OpenAPIModelName(), configv1.KubeSchedulerProfile{}.OpenAPIModelName()},
 	}
 }
 
@@ -68596,7 +69461,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerProfile(ref common.Refer
 					"plugins": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Plugins specify the set of plugins that should be enabled or disabled. Enabled plugins are the ones that should be enabled in addition to the default plugins. Disabled plugins are any of the default plugins that should be disabled. When no enabled or disabled plugin is specified for an extension point, default plugins for that extension point will be used if there is any. If a QueueSort plugin is specified, the same QueueSort Plugin and PluginConfig must be specified for all profiles.",
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.Plugins"),
+							Ref:         ref(configv1.Plugins{}.OpenAPIModelName()),
 						},
 					},
 					"pluginConfig": {
@@ -68615,7 +69480,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerProfile(ref common.Refer
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.PluginConfig"),
+										Ref:     ref(configv1.PluginConfig{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68625,7 +69490,7 @@ func schema_k8sio_kube_scheduler_config_v1_KubeSchedulerProfile(ref common.Refer
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.PluginConfig", "k8s.io/kube-scheduler/config/v1.Plugins"},
+			configv1.PluginConfig{}.OpenAPIModelName(), configv1.Plugins{}.OpenAPIModelName()},
 	}
 }
 
@@ -68653,14 +69518,14 @@ func schema_k8sio_kube_scheduler_config_v1_NodeAffinityArgs(ref common.Reference
 					"addedAffinity": {
 						SchemaProps: spec.SchemaProps{
 							Description: "AddedAffinity is applied to all Pods additionally to the NodeAffinity specified in the PodSpec. That is, Nodes need to satisfy AddedAffinity AND .spec.NodeAffinity. AddedAffinity is empty by default (all Nodes match). When AddedAffinity is used, some Pods with affinity requirements that match a specific Node (such as Daemonset Pods) might remain unschedulable.",
-							Ref:         ref("k8s.io/api/core/v1.NodeAffinity"),
+							Ref:         ref(corev1.NodeAffinity{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeAffinity"},
+			corev1.NodeAffinity{}.OpenAPIModelName()},
 	}
 }
 
@@ -68701,7 +69566,7 @@ func schema_k8sio_kube_scheduler_config_v1_NodeResourcesBalancedAllocationArgs(r
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.ResourceSpec"),
+										Ref:     ref(configv1.ResourceSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68711,7 +69576,7 @@ func schema_k8sio_kube_scheduler_config_v1_NodeResourcesBalancedAllocationArgs(r
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.ResourceSpec"},
+			configv1.ResourceSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -68779,14 +69644,14 @@ func schema_k8sio_kube_scheduler_config_v1_NodeResourcesFitArgs(ref common.Refer
 					"scoringStrategy": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ScoringStrategy selects the node resource scoring strategy. The default strategy is LeastAllocated with an equal \"cpu\" and \"memory\" weight.",
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.ScoringStrategy"),
+							Ref:         ref(configv1.ScoringStrategy{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.ScoringStrategy"},
+			configv1.ScoringStrategy{}.OpenAPIModelName()},
 	}
 }
 
@@ -68837,7 +69702,7 @@ func schema_k8sio_kube_scheduler_config_v1_PluginConfig(ref common.ReferenceCall
 					"args": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -68845,7 +69710,7 @@ func schema_k8sio_kube_scheduler_config_v1_PluginConfig(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -68869,7 +69734,7 @@ func schema_k8sio_kube_scheduler_config_v1_PluginSet(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.Plugin"),
+										Ref:     ref(configv1.Plugin{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68891,7 +69756,7 @@ func schema_k8sio_kube_scheduler_config_v1_PluginSet(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.Plugin"),
+										Ref:     ref(configv1.Plugin{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -68901,7 +69766,7 @@ func schema_k8sio_kube_scheduler_config_v1_PluginSet(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.Plugin"},
+			configv1.Plugin{}.OpenAPIModelName()},
 	}
 }
 
@@ -68916,98 +69781,98 @@ func schema_k8sio_kube_scheduler_config_v1_Plugins(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "PreEnqueue is a list of plugins that should be invoked before adding pods to the scheduling queue.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"queueSort": {
 						SchemaProps: spec.SchemaProps{
 							Description: "QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"preFilter": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PreFilter is a list of plugins that should be invoked at \"PreFilter\" extension point of the scheduling framework.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"filter": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"postFilter": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PostFilter is a list of plugins that are invoked after filtering phase, but only when no feasible nodes were found for the pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"preScore": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PreScore is a list of plugins that are invoked before scoring.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"score": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"reserve": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Reserve is a list of plugins invoked when reserving/unreserving resources after a node is assigned to run the pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"permit": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"preBind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PreBind is a list of plugins that should be invoked before a pod is bound.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"bind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Bind is a list of plugins that should be invoked at \"Bind\" extension point of the scheduling framework. The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"postBind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "PostBind is a list of plugins that should be invoked after a pod is successfully bound.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 					"multiPoint": {
 						SchemaProps: spec.SchemaProps{
 							Description: "MultiPoint is a simplified config section to enable plugins for all valid extension points. Plugins enabled through MultiPoint will automatically register for every individual extension point the plugin has implemented. Disabling a plugin through MultiPoint disables that behavior. The same is true for disabling \"*\" through MultiPoint (no default plugins will be automatically registered). Plugins can still be disabled through their individual extension points.\n\nIn terms of precedence, plugin config follows this basic hierarchy\n  1. Specific extension points\n  2. Explicitly configured MultiPoint plugins\n  3. The set of default plugins, as MultiPoint plugins\nThis implies that a higher precedence plugin will run first and overwrite any settings within MultiPoint. Explicitly user-configured plugins also take a higher precedence over default plugins. Within this hierarchy, an Enabled setting takes precedence over Disabled. For example, if a plugin is set in both `multiPoint.Enabled` and `multiPoint.Disabled`, the plugin will be enabled. Similarly, including `multiPoint.Disabled = '*'` and `multiPoint.Enabled = pluginA` will still register that specific plugin through MultiPoint. This follows the same behavior as all other extension point configurations.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.PluginSet"),
+							Ref:         ref(configv1.PluginSet{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.PluginSet"},
+			configv1.PluginSet{}.OpenAPIModelName()},
 	}
 }
 
@@ -69045,7 +69910,7 @@ func schema_k8sio_kube_scheduler_config_v1_PodTopologySpreadArgs(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.TopologySpreadConstraint"),
+										Ref:     ref(corev1.TopologySpreadConstraint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69062,7 +69927,7 @@ func schema_k8sio_kube_scheduler_config_v1_PodTopologySpreadArgs(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.TopologySpreadConstraint"},
+			corev1.TopologySpreadConstraint{}.OpenAPIModelName()},
 	}
 }
 
@@ -69086,7 +69951,7 @@ func schema_k8sio_kube_scheduler_config_v1_RequestedToCapacityRatioParam(ref com
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.UtilizationShapePoint"),
+										Ref:     ref(configv1.UtilizationShapePoint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69096,7 +69961,7 @@ func schema_k8sio_kube_scheduler_config_v1_RequestedToCapacityRatioParam(ref com
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.UtilizationShapePoint"},
+			configv1.UtilizationShapePoint{}.OpenAPIModelName()},
 	}
 }
 
@@ -69159,7 +70024,7 @@ func schema_k8sio_kube_scheduler_config_v1_ScoringStrategy(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.ResourceSpec"),
+										Ref:     ref(configv1.ResourceSpec{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69168,14 +70033,14 @@ func schema_k8sio_kube_scheduler_config_v1_ScoringStrategy(ref common.ReferenceC
 					"requestedToCapacityRatio": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Arguments specific to RequestedToCapacityRatio strategy.",
-							Ref:         ref("k8s.io/kube-scheduler/config/v1.RequestedToCapacityRatioParam"),
+							Ref:         ref(configv1.RequestedToCapacityRatioParam{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.RequestedToCapacityRatioParam", "k8s.io/kube-scheduler/config/v1.ResourceSpec"},
+			configv1.RequestedToCapacityRatioParam{}.OpenAPIModelName(), configv1.ResourceSpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -69250,7 +70115,7 @@ func schema_k8sio_kube_scheduler_config_v1_VolumeBindingArgs(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-scheduler/config/v1.UtilizationShapePoint"),
+										Ref:     ref(configv1.UtilizationShapePoint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69260,7 +70125,7 @@ func schema_k8sio_kube_scheduler_config_v1_VolumeBindingArgs(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-scheduler/config/v1.UtilizationShapePoint"},
+			configv1.UtilizationShapePoint{}.OpenAPIModelName()},
 	}
 }
 
@@ -69340,7 +70205,7 @@ func schema_kubectl_pkg_config_v1alpha1_AliasOverride(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1alpha1.CommandOptionDefault"),
+										Ref:     ref(pkgconfigv1alpha1.CommandOptionDefault{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69351,7 +70216,7 @@ func schema_kubectl_pkg_config_v1alpha1_AliasOverride(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1alpha1.CommandOptionDefault"},
+			pkgconfigv1alpha1.CommandOptionDefault{}.OpenAPIModelName()},
 	}
 }
 
@@ -69383,7 +70248,7 @@ func schema_kubectl_pkg_config_v1alpha1_CommandDefaults(ref common.ReferenceCall
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1alpha1.CommandOptionDefault"),
+										Ref:     ref(pkgconfigv1alpha1.CommandOptionDefault{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69394,7 +70259,7 @@ func schema_kubectl_pkg_config_v1alpha1_CommandDefaults(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1alpha1.CommandOptionDefault"},
+			pkgconfigv1alpha1.CommandOptionDefault{}.OpenAPIModelName()},
 	}
 }
 
@@ -69462,7 +70327,7 @@ func schema_kubectl_pkg_config_v1alpha1_Preference(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1alpha1.CommandDefaults"),
+										Ref:     ref(pkgconfigv1alpha1.CommandDefaults{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69481,7 +70346,7 @@ func schema_kubectl_pkg_config_v1alpha1_Preference(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1alpha1.AliasOverride"),
+										Ref:     ref(pkgconfigv1alpha1.AliasOverride{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69492,7 +70357,7 @@ func schema_kubectl_pkg_config_v1alpha1_Preference(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1alpha1.AliasOverride", "k8s.io/kubectl/pkg/config/v1alpha1.CommandDefaults"},
+			pkgconfigv1alpha1.AliasOverride{}.OpenAPIModelName(), pkgconfigv1alpha1.CommandDefaults{}.OpenAPIModelName()},
 	}
 }
 
@@ -69572,7 +70437,7 @@ func schema_kubectl_pkg_config_v1beta1_AliasOverride(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1beta1.CommandOptionDefault"),
+										Ref:     ref(pkgconfigv1beta1.CommandOptionDefault{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69583,7 +70448,29 @@ func schema_kubectl_pkg_config_v1beta1_AliasOverride(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1beta1.CommandOptionDefault"},
+			pkgconfigv1beta1.CommandOptionDefault{}.OpenAPIModelName()},
+	}
+}
+
+func schema_kubectl_pkg_config_v1beta1_AllowlistEntry(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "AllowlistEntry is an entry in the allowlist. For each allowlist item, at least one field must be nonempty. A struct with all empty fields is considered a misconfiguration error. Each field is a criterion for execution. If multiple fields are specified, then the criteria of all specified fields must be met. That is, the result of an individual entry is the logical AND of all checks corresponding to the specified fields within the entry.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Name matching is performed by first resolving the absolute path of both the plugin and the name in the allowlist entry using `exec.LookPath`. It will be called on both, and the resulting strings must be equal. If either call to `exec.LookPath` results in an error, the `Name` check will be considered a failure.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"name"},
+			},
+		},
 	}
 }
 
@@ -69615,7 +70502,7 @@ func schema_kubectl_pkg_config_v1beta1_CommandDefaults(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1beta1.CommandOptionDefault"),
+										Ref:     ref(pkgconfigv1beta1.CommandOptionDefault{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69626,7 +70513,7 @@ func schema_kubectl_pkg_config_v1beta1_CommandDefaults(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1beta1.CommandOptionDefault"},
+			pkgconfigv1beta1.CommandOptionDefault{}.OpenAPIModelName()},
 	}
 }
 
@@ -69694,7 +70581,7 @@ func schema_kubectl_pkg_config_v1beta1_Preference(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1beta1.CommandDefaults"),
+										Ref:     ref(pkgconfigv1beta1.CommandDefaults{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69713,7 +70600,33 @@ func schema_kubectl_pkg_config_v1beta1_Preference(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubectl/pkg/config/v1beta1.AliasOverride"),
+										Ref:     ref(pkgconfigv1beta1.AliasOverride{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"credentialPluginPolicy": {
+						SchemaProps: spec.SchemaProps{
+							Description: "credentialPluginPolicy specifies the policy governing which, if any, client-go credential plugins may be executed. It MUST be one of { \"\", \"AllowAll\", \"DenyAll\", \"Allowlist\" }. If the policy is \"\", then it falls back to \"AllowAll\" (this is required to maintain backward compatibility). If the policy is DenyAll, no credential plugins may run. If the policy is Allowlist, only those plugins meeting the criteria specified in the `credentialPluginAllowlist` field may run.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"credentialPluginAllowlist": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Allowlist is a slice of allowlist entries. If any of them is a match, then the executable in question may execute. That is, the result is the logical OR of all entries in the allowlist. This list MUST NOT be supplied if the policy is not \"Allowlist\".\n\ne.g. credentialPluginAllowlist: - name: cloud-provider-plugin - name: /usr/local/bin/my-plugin In the above example, the user allows the credential plugins `cloud-provider-plugin` (found somewhere in PATH), and the plugin found at the explicit path `/usr/local/bin/my-plugin`.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(pkgconfigv1beta1.AllowlistEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69724,7 +70637,7 @@ func schema_kubectl_pkg_config_v1beta1_Preference(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubectl/pkg/config/v1beta1.AliasOverride", "k8s.io/kubectl/pkg/config/v1beta1.CommandDefaults"},
+			pkgconfigv1beta1.AliasOverride{}.OpenAPIModelName(), pkgconfigv1beta1.AllowlistEntry{}.OpenAPIModelName(), pkgconfigv1beta1.CommandDefaults{}.OpenAPIModelName()},
 	}
 }
 
@@ -69761,7 +70674,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProvider(ref common.ReferenceCallb
 					"defaultCacheDuration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defaultCacheDuration is the default duration the plugin will cache credentials in-memory if a cache duration is not provided in the plugin response. This field is required.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"apiVersion": {
@@ -69795,7 +70708,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProvider(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1.ExecEnvVar"),
+										Ref:     ref(kubeletconfigv1.ExecEnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69804,7 +70717,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProvider(ref common.ReferenceCallb
 					"tokenAttributes": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tokenAttributes is the configuration for the service account token that will be passed to the plugin. The credential provider opts in to using service account tokens for image pull by setting this field. When this field is set, kubelet will generate a service account token bound to the pod for which the image is being pulled and pass to the plugin as part of CredentialProviderRequest along with other attributes required by the plugin.\n\nThe service account metadata and token attributes will be used as a dimension to cache the credentials in kubelet. The cache key is generated by combining the service account metadata (namespace, name, UID, and annotations key+value for the keys defined in serviceAccountTokenAttribute.requiredServiceAccountAnnotationKeys and serviceAccountTokenAttribute.optionalServiceAccountAnnotationKeys). The pod metadata (namespace, name, UID) that are in the service account token are not used as a dimension to cache the credentials in kubelet. This means workloads that are using the same service account could end up using the same credentials for image pull. For plugins that don't want this behavior, or plugins that operate in pass-through mode; i.e., they return the service account token as-is, they can set the credentialProviderResponse.cacheDuration to 0. This will disable the caching of credentials in kubelet and the plugin will be invoked for every image pull. This does result in token generation overhead for every image pull, but it is the only way to ensure that the credentials are not shared across pods (even if they are using the same service account).",
-							Ref:         ref("k8s.io/kubelet/config/v1.ServiceAccountTokenAttributes"),
+							Ref:         ref(kubeletconfigv1.ServiceAccountTokenAttributes{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -69812,7 +70725,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProvider(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kubelet/config/v1.ExecEnvVar", "k8s.io/kubelet/config/v1.ServiceAccountTokenAttributes"},
+			metav1.Duration{}.OpenAPIModelName(), kubeletconfigv1.ExecEnvVar{}.OpenAPIModelName(), kubeletconfigv1.ServiceAccountTokenAttributes{}.OpenAPIModelName()},
 	}
 }
 
@@ -69845,7 +70758,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1.CredentialProvider"),
+										Ref:     ref(kubeletconfigv1.CredentialProvider{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -69856,7 +70769,7 @@ func schema_k8sio_kubelet_config_v1_CredentialProviderConfig(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1.CredentialProvider"},
+			kubeletconfigv1.CredentialProvider{}.OpenAPIModelName()},
 	}
 }
 
@@ -69998,7 +70911,7 @@ func schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref common.Referenc
 					"defaultCacheDuration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defaultCacheDuration is the default duration the plugin will cache credentials in-memory if a cache duration is not provided in the plugin response. This field is required.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"apiVersion": {
@@ -70032,7 +70945,7 @@ func schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref common.Referenc
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1alpha1.ExecEnvVar"),
+										Ref:     ref(kubeletconfigv1alpha1.ExecEnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70043,7 +70956,7 @@ func schema_k8sio_kubelet_config_v1alpha1_CredentialProvider(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kubelet/config/v1alpha1.ExecEnvVar"},
+			metav1.Duration{}.OpenAPIModelName(), kubeletconfigv1alpha1.ExecEnvVar{}.OpenAPIModelName()},
 	}
 }
 
@@ -70076,7 +70989,7 @@ func schema_k8sio_kubelet_config_v1alpha1_CredentialProviderConfig(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1alpha1.CredentialProvider"),
+										Ref:     ref(kubeletconfigv1alpha1.CredentialProvider{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70087,7 +71000,7 @@ func schema_k8sio_kubelet_config_v1alpha1_CredentialProviderConfig(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1alpha1.CredentialProvider"},
+			kubeletconfigv1alpha1.CredentialProvider{}.OpenAPIModelName()},
 	}
 }
 
@@ -70139,7 +71052,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePullCredentials(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1alpha1.ImagePullSecret"),
+										Ref:     ref(kubeletconfigv1alpha1.ImagePullSecret{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70158,7 +71071,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePullCredentials(ref common.Refere
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1alpha1.ImagePullServiceAccount"),
+										Ref:     ref(kubeletconfigv1alpha1.ImagePullServiceAccount{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70175,7 +71088,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePullCredentials(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1alpha1.ImagePullSecret", "k8s.io/kubelet/config/v1alpha1.ImagePullServiceAccount"},
+			kubeletconfigv1alpha1.ImagePullSecret{}.OpenAPIModelName(), kubeletconfigv1alpha1.ImagePullServiceAccount{}.OpenAPIModelName()},
 	}
 }
 
@@ -70317,7 +71230,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePulledRecord(ref common.Reference
 					"lastUpdatedTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "LastUpdatedTime is the time of the last update to this record",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"imageRef": {
@@ -70337,7 +71250,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePulledRecord(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1alpha1.ImagePullCredentials"),
+										Ref:     ref(kubeletconfigv1alpha1.ImagePullCredentials{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70348,7 +71261,7 @@ func schema_k8sio_kubelet_config_v1alpha1_ImagePulledRecord(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/kubelet/config/v1alpha1.ImagePullCredentials"},
+			metav1.Time{}.OpenAPIModelName(), kubeletconfigv1alpha1.ImagePullCredentials{}.OpenAPIModelName()},
 	}
 }
 
@@ -70361,14 +71274,14 @@ func schema_k8sio_kubelet_config_v1beta1_CrashLoopBackOffConfig(ref common.Refer
 					"maxContainerRestartPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "maxContainerRestartPeriod is the maximum duration the backoff delay can accrue to for container restarts, minimum 1 second, maximum 300 seconds. If not set, defaults to the internal crashloopbackoff maximum (300s).",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -70405,7 +71318,7 @@ func schema_k8sio_kubelet_config_v1beta1_CredentialProvider(ref common.Reference
 					"defaultCacheDuration": {
 						SchemaProps: spec.SchemaProps{
 							Description: "defaultCacheDuration is the default duration the plugin will cache credentials in-memory if a cache duration is not provided in the plugin response. This field is required.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"apiVersion": {
@@ -70439,7 +71352,7 @@ func schema_k8sio_kubelet_config_v1beta1_CredentialProvider(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1beta1.ExecEnvVar"),
+										Ref:     ref(kubeletconfigv1beta1.ExecEnvVar{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70450,7 +71363,7 @@ func schema_k8sio_kubelet_config_v1beta1_CredentialProvider(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/kubelet/config/v1beta1.ExecEnvVar"},
+			metav1.Duration{}.OpenAPIModelName(), kubeletconfigv1beta1.ExecEnvVar{}.OpenAPIModelName()},
 	}
 }
 
@@ -70483,7 +71396,7 @@ func schema_k8sio_kubelet_config_v1beta1_CredentialProviderConfig(ref common.Ref
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1beta1.CredentialProvider"),
+										Ref:     ref(kubeletconfigv1beta1.CredentialProvider{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -70494,7 +71407,7 @@ func schema_k8sio_kubelet_config_v1beta1_CredentialProviderConfig(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1beta1.CredentialProvider"},
+			kubeletconfigv1beta1.CredentialProvider{}.OpenAPIModelName()},
 	}
 }
 
@@ -70526,6 +71439,239 @@ func schema_k8sio_kubelet_config_v1beta1_ExecEnvVar(ref common.ReferenceCallback
 	}
 }
 
+func schema_k8sio_kubelet_config_v1beta1_ImagePullCredentials(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ImagePullCredentials describe credentials that can be used to pull an image.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kubernetesSecrets": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "set",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "KubernetesSecretCoordinates is an index of coordinates of all the kubernetes secrets that were used to pull the image.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(kubeletconfigv1beta1.ImagePullSecret{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"kubernetesServiceAccounts": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "set",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "KubernetesServiceAccounts is an index of coordinates of all the kubernetes service accounts that were used to pull the image.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(kubeletconfigv1beta1.ImagePullServiceAccount{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"nodePodsAccessible": {
+						SchemaProps: spec.SchemaProps{
+							Description: "NodePodsAccessible is a flag denoting the pull credentials are accessible by all the pods on the node, or that no credentials are needed for the pull.\n\nIf true, it is mutually exclusive with the `kubernetesSecrets` field.",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			kubeletconfigv1beta1.ImagePullSecret{}.OpenAPIModelName(), kubeletconfigv1beta1.ImagePullServiceAccount{}.OpenAPIModelName()},
+	}
+}
+
+func schema_k8sio_kubelet_config_v1beta1_ImagePullIntent(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ImagePullIntent is a record of the kubelet attempting to pull an image.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"image": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Image is the image spec from a Container's `image` field. The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe characters like ':' and '/'.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"image"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_kubelet_config_v1beta1_ImagePullSecret(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ImagePullSecret is a representation of a Kubernetes secret object coordinates along with a credential hash of the pull secret credentials this object contains.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"uid": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"namespace": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"credentialHash": {
+						SchemaProps: spec.SchemaProps{
+							Description: "CredentialHash is a SHA-256 retrieved by hashing the image pull credentials content of the secret specified by the UID/Namespace/Name coordinates.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"uid", "namespace", "name", "credentialHash"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_kubelet_config_v1beta1_ImagePullServiceAccount(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ImagePullServiceAccount is a representation of a Kubernetes service account object coordinates for which the kubelet sent service account token to the credential provider plugin for image pull credentials.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"uid": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"namespace": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+				},
+				Required: []string{"uid", "namespace", "name"},
+			},
+		},
+	}
+}
+
+func schema_k8sio_kubelet_config_v1beta1_ImagePulledRecord(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ImagePullRecord is a record of an image that was pulled by the kubelet.\n\nIf there are no records in the `kubernetesSecrets` field and both `nodeWideCredentials` and `anonymous` are `false`, credentials must be re-checked the next time an image represented by this record is being requested.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"lastUpdatedTime": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LastUpdatedTime is the time of the last update to this record",
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
+						},
+					},
+					"imageRef": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ImageRef is a reference to the image represented by this file as received from the CRI. The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe characters like ':' and '/'.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"credentialMapping": {
+						SchemaProps: spec.SchemaProps{
+							Description: "CredentialMapping maps `image` to the set of credentials that it was previously pulled with. `image` in this case is the content of a pod's container `image` field that's got its tag/digest removed.\n\nExample:\n  Container requests the `hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2` image:\n    \"credentialMapping\": {\n      \"hello-world\": { \"nodePodsAccessible\": true }\n    }",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(kubeletconfigv1beta1.ImagePullCredentials{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"lastUpdatedTime", "imageRef"},
+			},
+		},
+		Dependencies: []string{
+			metav1.Time{}.OpenAPIModelName(), kubeletconfigv1beta1.ImagePullCredentials{}.OpenAPIModelName()},
+	}
+}
+
 func schema_k8sio_kubelet_config_v1beta1_KubeletAnonymousAuthentication(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -70555,28 +71701,28 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletAuthentication(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "x509 contains settings related to x509 client certificate authentication.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletX509Authentication"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletX509Authentication{}.OpenAPIModelName()),
 						},
 					},
 					"webhook": {
 						SchemaProps: spec.SchemaProps{
 							Description: "webhook contains settings related to webhook bearer token authentication.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthentication"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletWebhookAuthentication{}.OpenAPIModelName()),
 						},
 					},
 					"anonymous": {
 						SchemaProps: spec.SchemaProps{
 							Description: "anonymous contains settings related to anonymous authentication.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletAnonymousAuthentication"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletAnonymousAuthentication{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1beta1.KubeletAnonymousAuthentication", "k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthentication", "k8s.io/kubelet/config/v1beta1.KubeletX509Authentication"},
+			kubeletconfigv1beta1.KubeletAnonymousAuthentication{}.OpenAPIModelName(), kubeletconfigv1beta1.KubeletWebhookAuthentication{}.OpenAPIModelName(), kubeletconfigv1beta1.KubeletX509Authentication{}.OpenAPIModelName()},
 	}
 }
 
@@ -70597,14 +71743,14 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletAuthorization(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "webhook contains settings related to Webhook authorization.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthorization"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletWebhookAuthorization{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubelet/config/v1beta1.KubeletWebhookAuthorization"},
+			kubeletconfigv1beta1.KubeletWebhookAuthorization{}.OpenAPIModelName()},
 	}
 }
 
@@ -70653,19 +71799,19 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"syncFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "syncFrequency is the max period between synchronizing running containers and config. Default: \"1m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"fileCheckFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "fileCheckFrequency is the duration between checking config files for new data. Default: \"20s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"httpCheckFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "httpCheckFrequency is the duration between checking http for new data. Default: \"20s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"staticPodURL": {
@@ -70773,14 +71919,14 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "authentication specifies how requests to the Kubelet's server are authenticated. Defaults:\n  anonymous:\n    enabled: false\n  webhook:\n    enabled: true\n    cacheTTL: \"2m\"",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletAuthentication"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletAuthentication{}.OpenAPIModelName()),
 						},
 					},
 					"authorization": {
 						SchemaProps: spec.SchemaProps{
 							Description: "authorization specifies how requests to the Kubelet's server are authorized. Defaults:\n  mode: Webhook\n  webhook:\n    cacheAuthorizedTTL: \"5m\"\n    cacheUnauthorizedTTL: \"30s\"",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.KubeletAuthorization"),
+							Ref:         ref(kubeletconfigv1beta1.KubeletAuthorization{}.OpenAPIModelName()),
 						},
 					},
 					"registryPullQPS": {
@@ -70898,19 +72044,19 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"streamingConnectionIdleTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "streamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. Deprecated: no longer has any effect. Default: \"4h\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"nodeStatusUpdateFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeStatusUpdateFrequency is the frequency that kubelet computes node status. If node lease feature is not enabled, it is also the frequency that kubelet posts node status to master. Note: When node lease feature is not enabled, be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: \"10s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"nodeStatusReportFrequency": {
 						SchemaProps: spec.SchemaProps{
 							Description: "nodeStatusReportFrequency is the frequency that kubelet posts node status to master if node status does not change. Kubelet will ignore this frequency and post node status immediately if any change is detected. It is only used when node lease feature is enabled. nodeStatusReportFrequency's default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, nodeStatusReportFrequency's default value will be set to nodeStatusUpdateFrequency for backward compatibility. Default: \"5m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"nodeLeaseDurationSeconds": {
@@ -70923,13 +72069,13 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"imageMinimumGCAge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "imageMinimumGCAge is the minimum age for an unused image before it is garbage collected. Default: \"2m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"imageMaximumGCAge": {
 						SchemaProps: spec.SchemaProps{
 							Description: "imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected. The default of this field is \"0s\", which disables this field--meaning images won't be garbage collected based on being unused for too long. Default: \"0s\" (disabled)",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"imageGCHighThresholdPercent": {
@@ -70949,7 +72095,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"volumeStatsAggPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "volumeStatsAggPeriod is the frequency for calculating and caching volume disk usage for all pods. Default: \"1m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"kubeletCgroups": {
@@ -71020,7 +72166,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"cpuManagerReconcilePeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. Default: \"10s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"memoryManagerPolicy": {
@@ -71079,7 +72225,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"runtimeRequestTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "runtimeRequestTimeout is the timeout for all runtime requests except long running requests - pull, logs, exec and attach. Default: \"2m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"hairpinMode": {
@@ -71134,7 +72280,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"cpuCFSQuotaPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`. The value must be between 1 ms and 1 second, inclusive. Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. Default: \"100ms\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"nodeStatusMaxImages": {
@@ -71237,7 +72383,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"evictionPressureTransitionPeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "evictionPressureTransitionPeriod is the duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. A duration of 0s will be converted to the default value of 5m Default: \"5m\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"evictionMaxPodGracePeriod": {
@@ -71339,7 +72485,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "memorySwap configures swap memory available to container workloads.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.MemorySwapConfiguration"),
+							Ref:         ref(kubeletconfigv1beta1.MemorySwapConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"containerLogMaxSize": {
@@ -71366,7 +72512,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"containerLogMonitorInterval": {
 						SchemaProps: spec.SchemaProps{
 							Description: "ContainerLogMonitorInterval specifies the duration at which the container logs are monitored for performing the log rotate operation. This defaults to 10 * time.Seconds. But can be customized to a smaller value based on the log generation rate and the size required to be rotated against Default: 10s",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"configMapAndSecretChangeDetectionStrategy": {
@@ -71491,7 +72637,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "logging specifies the options of logging. Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information. Default:\n  Format: text",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/component-base/logs/api/v1.LoggingConfiguration"),
+							Ref:         ref(logsapiv1.LoggingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"enableSystemLogHandler": {
@@ -71511,13 +72657,13 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"shutdownGracePeriod": {
 						SchemaProps: spec.SchemaProps{
 							Description: "shutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown. Default: \"0s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"shutdownGracePeriodCriticalPods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "shutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than shutdownGracePeriod. For example, if shutdownGracePeriod=30s, and shutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods. Default: \"0s\"",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"shutdownGracePeriodByPodPriority": {
@@ -71528,7 +72674,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1beta1.ShutdownGracePeriodByPodPriority"),
+										Ref:     ref(kubeletconfigv1beta1.ShutdownGracePeriodByPodPriority{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -71538,7 +72684,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "CrashLoopBackOff contains config to modify node-level parameters for container restart behavior",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.CrashLoopBackOffConfig"),
+							Ref:         ref(kubeletconfigv1beta1.CrashLoopBackOffConfig{}.OpenAPIModelName()),
 						},
 					},
 					"reservedMemory": {
@@ -71549,7 +72695,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kubelet/config/v1beta1.MemoryReservation"),
+										Ref:     ref(kubeletconfigv1beta1.MemoryReservation{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -71591,7 +72737,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/core/v1.Taint"),
+										Ref:     ref(corev1.Taint{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -71607,7 +72753,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"tracing": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Tracing specifies the versioned configuration for OpenTelemetry tracing clients. See https://kep.k8s.io/2832 for more details. Default: nil",
-							Ref:         ref("k8s.io/component-base/tracing/api/v1.TracingConfiguration"),
+							Ref:         ref(apiv1.TracingConfiguration{}.OpenAPIModelName()),
 						},
 					},
 					"localStorageCapacityIsolation": {
@@ -71634,7 +72780,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					},
 					"failCgroupV1": {
 						SchemaProps: spec.SchemaProps{
-							Description: "FailCgroupV1 prevents the kubelet from starting on hosts that use cgroup v1. By default, this is set to 'false', meaning the kubelet is allowed to start on cgroup v1 hosts unless this option is explicitly enabled. Default: false",
+							Description: "FailCgroupV1 prevents the kubelet from starting on hosts that use cgroup v1. By default, this is set to 'true', meaning the kubelet will not start on cgroup v1 hosts unless this option is explicitly disabled. Default: true",
 							Type:        []string{"boolean"},
 							Format:      "",
 						},
@@ -71642,7 +72788,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 					"userNamespaces": {
 						SchemaProps: spec.SchemaProps{
 							Description: "UserNamespaces contains User Namespace configurations.",
-							Ref:         ref("k8s.io/kubelet/config/v1beta1.UserNamespaces"),
+							Ref:         ref(kubeletconfigv1beta1.UserNamespaces{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -71650,7 +72796,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.Taint", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/component-base/logs/api/v1.LoggingConfiguration", "k8s.io/component-base/tracing/api/v1.TracingConfiguration", "k8s.io/kubelet/config/v1beta1.CrashLoopBackOffConfig", "k8s.io/kubelet/config/v1beta1.KubeletAuthentication", "k8s.io/kubelet/config/v1beta1.KubeletAuthorization", "k8s.io/kubelet/config/v1beta1.MemoryReservation", "k8s.io/kubelet/config/v1beta1.MemorySwapConfiguration", "k8s.io/kubelet/config/v1beta1.ShutdownGracePeriodByPodPriority", "k8s.io/kubelet/config/v1beta1.UserNamespaces"},
+			corev1.Taint{}.OpenAPIModelName(), metav1.Duration{}.OpenAPIModelName(), logsapiv1.LoggingConfiguration{}.OpenAPIModelName(), apiv1.TracingConfiguration{}.OpenAPIModelName(), kubeletconfigv1beta1.CrashLoopBackOffConfig{}.OpenAPIModelName(), kubeletconfigv1beta1.KubeletAuthentication{}.OpenAPIModelName(), kubeletconfigv1beta1.KubeletAuthorization{}.OpenAPIModelName(), kubeletconfigv1beta1.MemoryReservation{}.OpenAPIModelName(), kubeletconfigv1beta1.MemorySwapConfiguration{}.OpenAPIModelName(), kubeletconfigv1beta1.ShutdownGracePeriodByPodPriority{}.OpenAPIModelName(), kubeletconfigv1beta1.UserNamespaces{}.OpenAPIModelName()},
 	}
 }
 
@@ -71670,14 +72816,14 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthentication(ref common
 					"cacheTTL": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cacheTTL enables caching of authentication results",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -71690,20 +72836,20 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletWebhookAuthorization(ref common.
 					"cacheAuthorizedTTL": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"cacheUnauthorizedTTL": {
 						SchemaProps: spec.SchemaProps{
 							Description: "cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref:         ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration"},
+			metav1.Duration{}.OpenAPIModelName()},
 	}
 }
 
@@ -71747,7 +72893,7 @@ func schema_k8sio_kubelet_config_v1beta1_MemoryReservation(ref common.ReferenceC
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -71758,7 +72904,7 @@ func schema_k8sio_kubelet_config_v1beta1_MemoryReservation(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -71806,14 +72952,14 @@ func schema_k8sio_kubelet_config_v1beta1_SerializedNodeConfigSource(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "source is the source that we are serializing.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.NodeConfigSource"),
+							Ref:         ref(corev1.NodeConfigSource{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.NodeConfigSource"},
+			corev1.NodeConfigSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -71892,7 +73038,7 @@ func schema_pkg_apis_abac_v1beta1_Policy(ref common.ReferenceCallback) common.Op
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec describes the policy rule",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kubernetes/pkg/apis/abac/v1beta1.PolicySpec"),
+							Ref:         ref(abacv1beta1.PolicySpec{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -71900,7 +73046,7 @@ func schema_pkg_apis_abac_v1beta1_Policy(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kubernetes/pkg/apis/abac/v1beta1.PolicySpec"},
+			abacv1beta1.PolicySpec{}.OpenAPIModelName()},
 	}
 }
 
@@ -72032,7 +73178,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "a reference to the described object",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -72046,7 +73192,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref common.ReferenceCall
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "indicates the time at which the metrics were produced",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
@@ -72059,13 +73205,13 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref common.ReferenceCall
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "the value of the metric for this",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector represents the label selector that could be used to select this metric, and will generally just be the selector passed in to the query used to fetch this metric. When left blank, only the metric's Name will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -72073,7 +73219,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValue(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			corev1.ObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -72101,7 +73247,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValueList(ref common.Reference
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72112,7 +73258,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValueList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/custom_metrics/v1beta1.MetricValue"),
+										Ref:     ref(custommetricsv1beta1.MetricValue{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72123,7 +73269,7 @@ func schema_pkg_apis_custom_metrics_v1beta1_MetricValueList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/custom_metrics/v1beta1.MetricValue"},
+			metav1.ListMeta{}.OpenAPIModelName(), custommetricsv1beta1.MetricValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -72145,7 +73291,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricIdentifier(ref common.Referenc
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector represents the label selector that could be used to select this metric, and will generally just be the selector passed in to the query used to fetch this metric. When left blank, only the metric's Name will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -72153,7 +73299,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricIdentifier(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -72223,19 +73369,19 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValue(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "a reference to the described object",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/core/v1.ObjectReference"),
+							Ref:         ref(corev1.ObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metric": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricIdentifier"),
+							Ref:     ref(custommetricsv1beta2.MetricIdentifier{}.OpenAPIModelName()),
 						},
 					},
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "indicates the time at which the metrics were produced",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"windowSeconds": {
@@ -72248,7 +73394,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValue(ref common.ReferenceCall
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "the value of the metric for this",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -72256,7 +73402,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValue(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/core/v1.ObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricIdentifier"},
+			corev1.ObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName(), custommetricsv1beta2.MetricIdentifier{}.OpenAPIModelName()},
 	}
 }
 
@@ -72284,7 +73430,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValueList(ref common.Reference
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72295,7 +73441,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValueList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricValue"),
+										Ref:     ref(custommetricsv1beta2.MetricValue{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72306,7 +73452,7 @@ func schema_pkg_apis_custom_metrics_v1beta2_MetricValueList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/custom_metrics/v1beta2.MetricValue"},
+			metav1.ListMeta{}.OpenAPIModelName(), custommetricsv1beta2.MetricValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -72358,7 +73504,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValue(ref common.Ref
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "indicates the time at which the metrics were produced",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
@@ -72371,7 +73517,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValue(ref common.Ref
 					"value": {
 						SchemaProps: spec.SchemaProps{
 							Description: "the value of the metric",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -72379,7 +73525,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValue(ref common.Ref
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -72407,7 +73553,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValueList(ref common
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72418,7 +73564,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValueList(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/external_metrics/v1beta1.ExternalMetricValue"),
+										Ref:     ref(externalmetricsv1beta1.ExternalMetricValue{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72429,7 +73575,7 @@ func schema_pkg_apis_external_metrics_v1beta1_ExternalMetricValueList(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/external_metrics/v1beta1.ExternalMetricValue"},
+			metav1.ListMeta{}.OpenAPIModelName(), externalmetricsv1beta1.ExternalMetricValue{}.OpenAPIModelName()},
 	}
 }
 
@@ -72456,7 +73602,7 @@ func schema_pkg_apis_metrics_v1alpha1_ContainerMetrics(ref common.ReferenceCallb
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72467,7 +73613,7 @@ func schema_pkg_apis_metrics_v1alpha1_ContainerMetrics(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -72496,18 +73642,18 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetrics(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref: ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"usage": {
@@ -72518,7 +73664,7 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetrics(ref common.ReferenceCallback)
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72529,7 +73675,7 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetrics(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.Duration{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -72558,7 +73704,7 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetricsList(ref common.ReferenceCallba
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72569,7 +73715,7 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetricsList(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1alpha1.NodeMetrics"),
+										Ref:     ref(metricsv1alpha1.NodeMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72580,7 +73726,7 @@ func schema_pkg_apis_metrics_v1alpha1_NodeMetricsList(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/metrics/v1alpha1.NodeMetrics"},
+			metav1.ListMeta{}.OpenAPIModelName(), metricsv1alpha1.NodeMetrics{}.OpenAPIModelName()},
 	}
 }
 
@@ -72609,18 +73755,18 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetrics(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref: ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"containers": {
@@ -72636,7 +73782,7 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetrics(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1alpha1.ContainerMetrics"),
+										Ref:     ref(metricsv1alpha1.ContainerMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72647,7 +73793,7 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetrics(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/metrics/pkg/apis/metrics/v1alpha1.ContainerMetrics"},
+			metav1.Duration{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName(), metricsv1alpha1.ContainerMetrics{}.OpenAPIModelName()},
 	}
 }
 
@@ -72676,7 +73822,7 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetricsList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72687,7 +73833,7 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetricsList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1alpha1.PodMetrics"),
+										Ref:     ref(metricsv1alpha1.PodMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72698,7 +73844,7 @@ func schema_pkg_apis_metrics_v1alpha1_PodMetricsList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/metrics/v1alpha1.PodMetrics"},
+			metav1.ListMeta{}.OpenAPIModelName(), metricsv1alpha1.PodMetrics{}.OpenAPIModelName()},
 	}
 }
 
@@ -72725,7 +73871,7 @@ func schema_pkg_apis_metrics_v1beta1_ContainerMetrics(ref common.ReferenceCallba
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72736,7 +73882,7 @@ func schema_pkg_apis_metrics_v1beta1_ContainerMetrics(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -72765,18 +73911,18 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetrics(ref common.ReferenceCallback) c
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref: ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"usage": {
@@ -72787,7 +73933,7 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetrics(ref common.ReferenceCallback) c
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+										Ref: ref(resource.Quantity{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72798,7 +73944,7 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetrics(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.Duration{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -72827,7 +73973,7 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetricsList(ref common.ReferenceCallbac
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72838,7 +73984,7 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetricsList(ref common.ReferenceCallbac
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1beta1.NodeMetrics"),
+										Ref:     ref(metricsv1beta1.NodeMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72849,7 +73995,7 @@ func schema_pkg_apis_metrics_v1beta1_NodeMetricsList(ref common.ReferenceCallbac
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/metrics/v1beta1.NodeMetrics"},
+			metav1.ListMeta{}.OpenAPIModelName(), metricsv1beta1.NodeMetrics{}.OpenAPIModelName()},
 	}
 }
 
@@ -72878,18 +74024,18 @@ func schema_pkg_apis_metrics_v1beta1_PodMetrics(ref common.ReferenceCallback) co
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"timestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "The following fields define time interval from which metrics were collected from the interval [Timestamp-Window, Timestamp].",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"window": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
+							Ref: ref(metav1.Duration{}.OpenAPIModelName()),
 						},
 					},
 					"containers": {
@@ -72905,7 +74051,7 @@ func schema_pkg_apis_metrics_v1beta1_PodMetrics(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1beta1.ContainerMetrics"),
+										Ref:     ref(metricsv1beta1.ContainerMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72916,7 +74062,7 @@ func schema_pkg_apis_metrics_v1beta1_PodMetrics(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Duration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.Time", "k8s.io/metrics/pkg/apis/metrics/v1beta1.ContainerMetrics"},
+			metav1.Duration{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName(), metricsv1beta1.ContainerMetrics{}.OpenAPIModelName()},
 	}
 }
 
@@ -72945,7 +74091,7 @@ func schema_pkg_apis_metrics_v1beta1_PodMetricsList(ref common.ReferenceCallback
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -72956,7 +74102,7 @@ func schema_pkg_apis_metrics_v1beta1_PodMetricsList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/metrics/pkg/apis/metrics/v1beta1.PodMetrics"),
+										Ref:     ref(metricsv1beta1.PodMetrics{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -72967,6 +74113,6 @@ func schema_pkg_apis_metrics_v1beta1_PodMetricsList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/metrics/pkg/apis/metrics/v1beta1.PodMetrics"},
+			metav1.ListMeta{}.OpenAPIModelName(), metricsv1beta1.PodMetrics{}.OpenAPIModelName()},
 	}
 }
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index 609a9d135a7e5..0e73d9b97d109 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -25,6 +25,7 @@ import (
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
@@ -96,6 +97,9 @@ type Config struct {
 	CustomDial utilnet.DialFunc
 
 	EgressLookup egressselector.Lookup
+
+	// APIServerID is the ID of the API server
+	APIServerID string
 }
 
 // New returns an authenticator.Request or an error that supports the standard
@@ -161,7 +165,7 @@ func (config Config) New(serverLifecycle context.Context) (authenticator.Request
 	// update the keys, causing performance hits.
 	var updateAuthenticationConfig func(context.Context, *apiserver.AuthenticationConfiguration) error
 	if config.AuthenticationConfig != nil {
-		initialJWTAuthenticator, err := newJWTAuthenticator(serverLifecycle, config.AuthenticationConfig, config.OIDCSigningAlgs, config.APIAudiences, config.ServiceAccountIssuers, config.EgressLookup)
+		initialJWTAuthenticator, err := newJWTAuthenticator(serverLifecycle, config.AuthenticationConfig, config.OIDCSigningAlgs, config.APIAudiences, config.ServiceAccountIssuers, config.EgressLookup, config.APIServerID)
 		if err != nil {
 			return nil, nil, nil, nil, err
 		}
@@ -169,10 +173,16 @@ func (config Config) New(serverLifecycle context.Context) (authenticator.Request
 		jwtAuthenticatorPtr := &atomic.Pointer[jwtAuthenticatorWithCancel]{}
 		jwtAuthenticatorPtr.Store(initialJWTAuthenticator)
 
+		initialIssuers := sets.New[string]()
+		for _, jwt := range config.AuthenticationConfig.JWT {
+			initialIssuers.Insert(jwt.Issuer.URL)
+		}
+
 		updateAuthenticationConfig = (&authenticationConfigUpdater{
 			serverLifecycle:     serverLifecycle,
 			config:              config,
 			jwtAuthenticatorPtr: jwtAuthenticatorPtr,
+			issuers:             initialIssuers,
 		}).updateAuthenticationConfig
 
 		tokenAuthenticators = append(tokenAuthenticators,
@@ -244,7 +254,7 @@ type jwtAuthenticatorWithCancel struct {
 	cancel           func()
 }
 
-func newJWTAuthenticator(serverLifecycle context.Context, config *apiserver.AuthenticationConfiguration, oidcSigningAlgs []string, apiAudiences authenticator.Audiences, disallowedIssuers []string, egressLookup egressselector.Lookup) (_ *jwtAuthenticatorWithCancel, buildErr error) {
+func newJWTAuthenticator(serverLifecycle context.Context, config *apiserver.AuthenticationConfiguration, oidcSigningAlgs []string, apiAudiences authenticator.Audiences, disallowedIssuers []string, egressLookup egressselector.Lookup, apiServerID string) (_ *jwtAuthenticatorWithCancel, buildErr error) {
 	ctx, cancel := context.WithCancel(serverLifecycle)
 
 	defer func() {
@@ -270,6 +280,7 @@ func newJWTAuthenticator(serverLifecycle context.Context, config *apiserver.Auth
 			EgressLookup:         egressLookup,
 			SupportedSigningAlgs: oidcSigningAlgs,
 			DisallowedIssuers:    disallowedIssuers,
+			APIServerID:          apiServerID,
 		})
 		if err != nil {
 			return nil, err
@@ -296,11 +307,12 @@ type authenticationConfigUpdater struct {
 	serverLifecycle     context.Context
 	config              Config
 	jwtAuthenticatorPtr *atomic.Pointer[jwtAuthenticatorWithCancel]
+	issuers             sets.Set[string]
 }
 
 // the input ctx controls the timeout for updateAuthenticationConfig to return, not the lifetime of the constructed authenticators.
 func (c *authenticationConfigUpdater) updateAuthenticationConfig(ctx context.Context, authConfig *apiserver.AuthenticationConfiguration) error {
-	updatedJWTAuthenticator, err := newJWTAuthenticator(c.serverLifecycle, authConfig, c.config.OIDCSigningAlgs, c.config.APIAudiences, c.config.ServiceAccountIssuers, c.config.EgressLookup)
+	updatedJWTAuthenticator, err := newJWTAuthenticator(c.serverLifecycle, authConfig, c.config.OIDCSigningAlgs, c.config.APIAudiences, c.config.ServiceAccountIssuers, c.config.EgressLookup, c.config.APIServerID)
 	if err != nil {
 		return err
 	}
@@ -314,7 +326,17 @@ func (c *authenticationConfigUpdater) updateAuthenticationConfig(ctx context.Con
 		return utilerrors.NewAggregate([]error{lastErr, waitErr}) // filters out nil errors
 	}
 
+	newIssuers := sets.New[string]()
+	for _, jwt := range authConfig.JWT {
+		newIssuers.Insert(jwt.Issuer.URL)
+	}
+
+	// Determine which issuers were removed (in old but not in new)
+	removedIssuers := c.issuers.Difference(newIssuers)
+
 	oldJWTAuthenticator := c.jwtAuthenticatorPtr.Swap(updatedJWTAuthenticator)
+	c.issuers = newIssuers
+
 	go func() {
 		t := time.NewTimer(time.Minute)
 		defer t.Stop()
@@ -324,6 +346,21 @@ func (c *authenticationConfigUpdater) updateAuthenticationConfig(ctx context.Con
 		}
 		// TODO maybe track requests so we know when this is safe to do
 		oldJWTAuthenticator.cancel()
+
+		// Wait a bit to account for the lack of locks in shouldRecordFunc.
+		// This ensures any in-flight HTTP requests that checked shouldRecordFunc
+		// before the cancel() have time to complete their metric recording.
+		time.Sleep(30 * time.Second)
+
+		// Delete metrics for removed issuers.
+		// Note: If the configuration changes rapidly (e.g., an issuer is removed and then re-added
+		// within the grace period + sleep duration), we may delete metrics for an issuer that is
+		// now back in use. This is an unlikely edge case that would only occur during configuration
+		// churn, and the metrics would be re-established on the next JWKS fetch. The system will
+		// stabilize once configuration changes stop.
+		for _, issuer := range removedIssuers.UnsortedList() {
+			oidc.DeleteJWKSFetchMetrics(issuer, c.config.APIServerID)
+		}
 	}()
 
 	return nil
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index ca6c86b9cf9c1..149ff7d7527b7 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -34,7 +34,7 @@ import (
 	authorizationcel "k8s.io/apiserver/pkg/authorization/cel"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	versionedinformers "k8s.io/client-go/informers"
-	certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
 	resourceinformers "k8s.io/client-go/informers/resource/v1"
 	"k8s.io/kubernetes/openshift-kube-apiserver/authorization/scopeauthorizer"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
@@ -107,9 +107,9 @@ func (config Config) New(ctx context.Context, serverID string) (authorizer.Autho
 			if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 				slices = config.VersionedInformerFactory.Resource().V1().ResourceSlices()
 			}
-			var podCertificateRequestInformer certinformersv1alpha1.PodCertificateRequestInformer
+			var podCertificateRequestInformer certinformersv1beta1.PodCertificateRequestInformer
 			if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) {
-				podCertificateRequestInformer = config.VersionedInformerFactory.Certificates().V1alpha1().PodCertificateRequests()
+				podCertificateRequestInformer = config.VersionedInformerFactory.Certificates().V1beta1().PodCertificateRequests()
 			}
 			node.RegisterMetrics()
 			graph := node.NewGraph()
diff --git a/pkg/kubeapiserver/default_storage_factory_builder.go b/pkg/kubeapiserver/default_storage_factory_builder.go
index a3ba1c8cfaf57..6cf4688bfc8b9 100644
--- a/pkg/kubeapiserver/default_storage_factory_builder.go
+++ b/pkg/kubeapiserver/default_storage_factory_builder.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/networking"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/apis/scheduling"
 	"k8s.io/kubernetes/pkg/apis/storage"
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
 )
@@ -81,13 +82,14 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility.
 		// TODO (https://github.com/kubernetes/kubernetes/issues/108451): remove the override in 1.25.
 		// apisstorage.Resource("csistoragecapacities").WithVersion("v1beta1"),
 		coordination.Resource("leasecandidates").WithVersion("v1beta1"),
-		admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1alpha1"),
-		admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1alpha1"),
+		admissionregistration.Resource("mutatingadmissionpolicies").WithVersion("v1beta1"),
+		admissionregistration.Resource("mutatingadmissionpolicybindings").WithVersion("v1beta1"),
 		certificates.Resource("clustertrustbundles").WithVersion("v1beta1"),
-		certificates.Resource("podcertificaterequests").WithVersion("v1alpha1"),
+		certificates.Resource("podcertificaterequests").WithVersion("v1beta1"),
 		storage.Resource("volumeattributesclasses").WithVersion("v1beta1"),
-		storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"),
+		storagemigration.Resource("storagemigrations").WithVersion("v1beta1"),
 		resource.Resource("devicetaintrules").WithVersion("v1alpha3"),
+		scheduling.Resource("workloads").WithVersion("v1alpha1"),
 	}
 
 	return &StorageFactoryConfig{
diff --git a/pkg/kubeapiserver/options/OWNERS b/pkg/kubeapiserver/options/OWNERS
new file mode 100644
index 0000000000000..4035e2fc20ffc
--- /dev/null
+++ b/pkg/kubeapiserver/options/OWNERS
@@ -0,0 +1,17 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+filters:
+  ".*authentication.*":
+    approvers:
+      - sig-auth-authenticators-approvers
+    reviewers:
+      - sig-auth-authenticators-reviewers
+    labels:
+      - sig/auth
+  ".*authorization.*":
+    approvers:
+      - sig-auth-authorizers-approvers
+    reviewers:
+      - sig-auth-authorizers-reviewers
+    labels:
+      - sig/auth
diff --git a/pkg/kubeapiserver/options/admission.go b/pkg/kubeapiserver/options/admission.go
index d70df9742a6d0..de0c0b6d33ce7 100644
--- a/pkg/kubeapiserver/options/admission.go
+++ b/pkg/kubeapiserver/options/admission.go
@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	"github.com/spf13/pflag"
+
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 
@@ -29,6 +30,7 @@ import (
 	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/client-go/informers"
+	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/featuregate"
 )
 
@@ -116,6 +118,7 @@ func (a *AdmissionOptions) ApplyTo(
 	kubeClient kubernetes.Interface,
 	dynamicClient dynamic.Interface,
 	features featuregate.FeatureGate,
+	effectiveVersion compatibility.EffectiveVersion,
 	pluginInitializers ...admission.PluginInitializer,
 ) error {
 	if a == nil {
@@ -127,7 +130,7 @@ func (a *AdmissionOptions) ApplyTo(
 		a.GenericAdmission.EnablePlugins, a.GenericAdmission.DisablePlugins = computePluginNames(a.PluginNames, a.GenericAdmission.RecommendedPluginOrder)
 	}
 
-	return a.GenericAdmission.ApplyTo(c, informers, kubeClient, dynamicClient, features, pluginInitializers...)
+	return a.GenericAdmission.ApplyTo(c, informers, kubeClient, dynamicClient, features, effectiveVersion, pluginInitializers...)
 }
 
 // explicitly disable all plugins that are not in the enabled list
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 4f9ebeae0eb7c..9b202d9d728ff 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -18,6 +18,7 @@ package options
 
 import (
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"net/url"
@@ -50,6 +51,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	v1listers "k8s.io/client-go/listers/core/v1"
+	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog/v2"
@@ -293,11 +295,6 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
 		}
 	}
 
-	// verify that if ServiceAccountTokenNodeBinding is enabled, ServiceAccountTokenNodeBindingValidation is also enabled.
-	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountTokenNodeBinding) && !utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountTokenNodeBindingValidation) {
-		allErrors = append(allErrors, fmt.Errorf("the %q feature gate can only be enabled if the %q feature gate is also enabled", features.ServiceAccountTokenNodeBinding, features.ServiceAccountTokenNodeBindingValidation))
-	}
-
 	if o.WebHook != nil {
 		retryBackoff := o.WebHook.RetryBackoff
 		if retryBackoff != nil && retryBackoff.Steps <= 0 {
@@ -307,11 +304,39 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
 
 	if o.RequestHeader != nil {
 		allErrors = append(allErrors, o.RequestHeader.Validate()...)
+
+		if o.ClientCert != nil &&
+			len(o.ClientCert.ClientCA) > 0 &&
+			len(o.RequestHeader.ClientCAFile) > 0 &&
+			len(o.RequestHeader.AllowedNames) == 0 {
+			clientCACerts, err1 := certutil.CertsFromFile(o.ClientCert.ClientCA)
+			requestHeaderCACerts, err2 := certutil.CertsFromFile(o.RequestHeader.ClientCAFile)
+			if err1 == nil && err2 == nil {
+				if certificatesOverlap(clientCACerts, requestHeaderCACerts) {
+					allErrors = append(allErrors,
+						fmt.Errorf("--requestheader-client-ca-file and --client-ca-file contain overlapping certificates; --requestheader-allowed-names must be specified to ensure regular client certificates cannot set authenticating proxy headers for arbitrary users"))
+				}
+			}
+		}
+
 	}
 
 	return allErrors
 }
 
+// certificatesOverlap returns true when there's at least one identical
+// certificate in the two certificate bundles
+func certificatesOverlap(a, b []*x509.Certificate) bool {
+	for _, ca := range a {
+		for _, cb := range b {
+			if ca.Equal(cb) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // AddFlags returns flags of authentication for a API Server
 func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	if o == nil {
@@ -718,6 +743,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(
 		authenticatorConfig.EgressLookup = egressSelector.Lookup
 	}
 
+	authenticatorConfig.APIServerID = apiServerID
 	// var openAPIV3SecuritySchemes spec3.SecuritySchemes
 	authenticator, updateAuthenticationConfig, openAPIV2SecurityDefinitions, openAPIV3SecuritySchemes, err := authenticatorConfig.New(ctx)
 	if err != nil {
diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go
index 9e2cb74e8bdc9..5f346761f2516 100644
--- a/pkg/kubeapiserver/options/authentication_test.go
+++ b/pkg/kubeapiserver/options/authentication_test.go
@@ -24,6 +24,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"os"
+	"path/filepath"
 	"reflect"
 	goruntime "runtime"
 	"strings"
@@ -58,6 +59,8 @@ import (
 func TestAuthenticationValidate(t *testing.T) {
 	testCases := []struct {
 		name                              string
+		clientCert                        *apiserveroptions.ClientCertAuthenticationOptions
+		requestHeader                     *apiserveroptions.RequestHeaderAuthenticationOptions
 		testAnonymous                     *AnonymousAuthenticationOptions
 		testOIDC                          *OIDCAuthenticationOptions
 		testSA                            *ServiceAccountAuthenticationOptions
@@ -256,11 +259,43 @@ func TestAuthenticationValidate(t *testing.T) {
 			// feature-gate, otherwise this feature-gate cannot be disabled.
 			emulationVersion: version.MustParse("1.33"),
 		},
+		{
+			name:       "overlapping CA without allowed-names",
+			clientCert: &apiserveroptions.ClientCertAuthenticationOptions{ClientCA: filepath.Join("testdata", "client-ca.pem")},
+			requestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+				ClientCAFile:    filepath.Join("testdata", "client-ca.pem"),
+				AllowedNames:    []string{},
+				UsernameHeaders: []string{"X-Remote-User"},
+			},
+			expectErr: "--requestheader-client-ca-file and --client-ca-file contain overlapping certificates; --requestheader-allowed-names must be specified to ensure regular client certificates cannot set authenticating proxy headers for arbitrary users",
+		},
+		{
+			name:       "overlapping CA with allowed-names",
+			clientCert: &apiserveroptions.ClientCertAuthenticationOptions{ClientCA: filepath.Join("testdata", "client-ca.pem")},
+			requestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+				ClientCAFile:    filepath.Join("testdata", "client-ca.pem"),
+				AllowedNames:    []string{"Client-CA"},
+				UsernameHeaders: []string{"X-Remote-User"},
+			},
+			expectErr: "",
+		},
+		{
+			name:       "different CAs without allowed-names",
+			clientCert: &apiserveroptions.ClientCertAuthenticationOptions{ClientCA: filepath.Join("testdata", "client-ca.pem")},
+			requestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+				ClientCAFile:    filepath.Join("testdata", "server-ca.pem"),
+				AllowedNames:    []string{},
+				UsernameHeaders: []string{"X-Remote-User"},
+			},
+			expectErr: "",
+		},
 	}
 
 	for _, testcase := range testCases {
 		t.Run(testcase.name, func(t *testing.T) {
 			options := NewBuiltInAuthenticationOptions()
+			options.ClientCert = testcase.clientCert
+			options.RequestHeader = testcase.requestHeader
 			options.Anonymous = testcase.testAnonymous
 			options.OIDC = testcase.testOIDC
 			options.ServiceAccounts = testcase.testSA
@@ -562,7 +597,7 @@ anonymous:
   enabled: false
 `),
 			},
-			expectErr: "anonymous is not supported when AnonymousAuthConfigurableEnpoints feature gate is disabled",
+			expectErr: "anonymous is not supported when AnonymousAuthConfigurableEndpoints feature gate is disabled",
 		},
 		{
 			name:                     "file-anonymous-disabled-AnonymousAuthConfigurableEndpoints-enabled",
diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go
index d3bf0503c1e20..4fb7d0b5b8238 100644
--- a/pkg/kubeapiserver/options/plugins.go
+++ b/pkg/kubeapiserver/options/plugins.go
@@ -44,6 +44,7 @@ import (
 	"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
 	"k8s.io/kubernetes/plugin/pkg/admission/network/defaultingressclass"
 	"k8s.io/kubernetes/plugin/pkg/admission/network/denyserviceexternalips"
+	"k8s.io/kubernetes/plugin/pkg/admission/nodedeclaredfeatures"
 	"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	"k8s.io/kubernetes/plugin/pkg/admission/nodetaint"
 	"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
@@ -97,6 +98,7 @@ var AllOrderedPlugins = []string{
 	defaultingressclass.PluginName,          // DefaultIngressClass
 	denyserviceexternalips.PluginName,       // DenyServiceExternalIPs
 	podtopologylabels.PluginName,            // PodTopologyLabels
+	nodedeclaredfeatures.PluginName,         // NodeDeclaredFeatureValidator
 
 	// new admission plugins should generally be inserted above here
 	// webhook, resourcequota, and deny plugins must go at the end
@@ -149,6 +151,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
 	ctbattest.Register(plugins)
 	certsubjectrestriction.Register(plugins)
 	podtopologylabels.Register(plugins)
+	nodedeclaredfeatures.Register(plugins)
 }
 
 // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
@@ -176,6 +179,7 @@ func DefaultOffAdmissionPlugins() sets.Set[string] {
 		podtopologylabels.PluginName,            // PodTopologyLabels, only active when feature gate PodTopologyLabelsAdmission is enabled.
 		mutatingadmissionpolicy.PluginName,      // Mutatingadmissionpolicy, only active when feature gate MutatingAdmissionpolicy is enabled
 		validatingadmissionpolicy.PluginName,    // ValidatingAdmissionPolicy, only active when feature gate ValidatingAdmissionPolicy is enabled
+		nodedeclaredfeatures.PluginName,         // NodeDeclaredFeatureValidator, only active when feature gate NodeDeclaredFeatures is enabled
 	)
 
 	return sets.New(AllOrderedPlugins...).Difference(defaultOnPlugins)
diff --git a/pkg/kubeapiserver/options/testdata/OWNERS b/pkg/kubeapiserver/options/testdata/OWNERS
new file mode 100644
index 0000000000000..c4ea6463df4d0
--- /dev/null
+++ b/pkg/kubeapiserver/options/testdata/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - sig-auth-authenticators-approvers
+reviewers:
+  - sig-auth-authenticators-reviewers
+labels:
+  - sig/auth
diff --git a/pkg/kubeapiserver/options/testdata/client-ca.pem b/pkg/kubeapiserver/options/testdata/client-ca.pem
new file mode 100644
index 0000000000000..589af4bfdeaa8
--- /dev/null
+++ b/pkg/kubeapiserver/options/testdata/client-ca.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIUDMmq4/Gw2N1o5TWBLWsm65RiVkIwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJQ2xpZW50LUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlDbGllbnQtQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQDhCqK/KktlUtqgVgBLRRbJ/I1FJdG2AxYRpu+ygc7fUJFrZlLebyC
+U5DbVovKxV0Xq8A/fU71+rKy4YybRQjvo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUaDl2pG6N7NoORQjpHprKDSOL8+0wCgYI
+KoZIzj0EAwIDRwAwRAIgbS1tdj6El37kUwF9yZDXKfjLUlRBBLmIYhP0mdui6/AC
+IB4F/weuM/6IjCdcPJRxvdC7qjCdV0xnFqvQ+BhuUGSF
+-----END CERTIFICATE-----
diff --git a/pkg/kubeapiserver/options/testdata/server-ca.pem b/pkg/kubeapiserver/options/testdata/server-ca.pem
new file mode 100644
index 0000000000000..4b203f3e3b961
--- /dev/null
+++ b/pkg/kubeapiserver/options/testdata/server-ca.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARSgAwIBAgIUf0aG2C1P7KaDGobg9oeN3uhQlu4wCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJU2VydmVyLUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlTZXJ2ZXItQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQ/DG/wiOR9TkCK9wrQiK6scv0foSIaH7NnRLyv48FbQNcU9dwCNBy0
+TyBUe7d+n3TLUlVOuJrGuJT/Hwtuunxko0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjcdIlU1vGLSUWBcSqCEJTgqlSacwCgYI
+KoZIzj0EAwIDSQAwRgIhAIujFeJKprddp+9aCZZUv05jCS5JiopW2bn/FJJRQ6OK
+AiEA1NS6trAbfgk6vYS2D2vamuF4XC9LggyxbcoaMf+GAn4=
+-----END CERTIFICATE-----
diff --git a/pkg/kubelet/allocation/allocation_manager.go b/pkg/kubelet/allocation/allocation_manager.go
index c7eff6a01d094..a6167f269466e 100644
--- a/pkg/kubelet/allocation/allocation_manager.go
+++ b/pkg/kubelet/allocation/allocation_manager.go
@@ -24,8 +24,6 @@ import (
 	"sync"
 	"time"
 
-	"encoding/json"
-
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -56,7 +54,6 @@ import (
 // podStatusManagerStateFile is the file name where status manager stores its state
 const (
 	allocatedPodsStateFile = "allocated_pods_state"
-	actuatedPodsStateFile  = "actuated_pods_state"
 
 	initialRetryDelay = 30 * time.Second
 	retryDelay        = 3 * time.Minute
@@ -74,6 +71,9 @@ type Manager interface {
 	// GetContainerResourceAllocation returns the AllocatedResources value for the container
 	GetContainerResourceAllocation(podUID types.UID, containerName string) (v1.ResourceRequirements, bool)
 
+	// GetPodLevelResourceAllocation returns the AllocatedResources value for the container
+	GetPodLevelResourceAllocation(podUID types.UID) (*v1.ResourceRequirements, bool)
+
 	// UpdatePodFromAllocation overwrites the pod spec with the allocation.
 	// This function does a deep copy only if updates are needed.
 	// Returns the updated (or original) pod, and whether there was an allocation stored.
@@ -82,13 +82,6 @@ type Manager interface {
 	// SetAllocatedResources checkpoints the resources allocated to a pod's containers.
 	SetAllocatedResources(allocatedPod *v1.Pod) error
 
-	// SetActuatedResources records the actuated resources of the given container (or the entire
-	// pod, if actuatedContainer is nil).
-	SetActuatedResources(allocatedPod *v1.Pod, actuatedContainer *v1.Container) error
-
-	// GetActuatedResources returns the stored actuated resources for the container, and whether they exist.
-	GetActuatedResources(podUID types.UID, containerName string) (v1.ResourceRequirements, bool)
-
 	// AddPodAdmitHandlers adds the admit handlers to the allocation manager.
 	// TODO: See if we can remove this and just add them in the allocation manager constructor.
 	AddPodAdmitHandlers(handlers lifecycle.PodAdmitHandlers)
@@ -123,21 +116,17 @@ type Manager interface {
 
 	// RetryPendingResizes retries all pending resizes.
 	RetryPendingResizes(trigger string)
-
-	// CheckPodResizeInProgress checks whether the actuated resizable resources differ from the allocated resources
-	// for any running containers.
-	CheckPodResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus)
 }
 
 type manager struct {
 	allocated state.State
-	actuated  state.State
 
-	admitHandlers    lifecycle.PodAdmitHandlers
-	containerManager cm.ContainerManager
-	containerRuntime kubecontainer.Runtime
-	statusManager    status.Manager
-	sourcesReady     config.SourcesReady
+	admitHandlers           lifecycle.PodAdmitHandlers
+	containerRuntime        kubecontainer.Runtime
+	statusManager           status.Manager
+	sourcesReady            config.SourcesReady
+	nodeConfig              cm.NodeConfig
+	nodeAllocatableAbsolute v1.ResourceList
 
 	ticker         *time.Ticker
 	triggerPodSync func(pod *v1.Pod)
@@ -151,7 +140,8 @@ type manager struct {
 }
 
 func NewManager(checkpointDirectory string,
-	containerManager cm.ContainerManager,
+	nodeConfig cm.NodeConfig,
+	nodeAllocatableAbsolute v1.ResourceList,
 	statusManager status.Manager,
 	triggerPodSync func(pod *v1.Pod),
 	getActivePods func() []*v1.Pod,
@@ -161,12 +151,12 @@ func NewManager(checkpointDirectory string,
 ) Manager {
 	return &manager{
 		allocated: newStateImpl(checkpointDirectory, allocatedPodsStateFile),
-		actuated:  newStateImpl(checkpointDirectory, actuatedPodsStateFile),
 
-		containerManager: containerManager,
-		statusManager:    statusManager,
-		admitHandlers:    lifecycle.PodAdmitHandlers{},
-		sourcesReady:     sourcesReady,
+		statusManager:           statusManager,
+		admitHandlers:           lifecycle.PodAdmitHandlers{},
+		sourcesReady:            sourcesReady,
+		nodeConfig:              nodeConfig,
+		nodeAllocatableAbsolute: nodeAllocatableAbsolute,
 
 		ticker:         time.NewTicker(initialRetryDelay),
 		triggerPodSync: triggerPodSync,
@@ -176,17 +166,6 @@ func NewManager(checkpointDirectory string,
 	}
 }
 
-type containerAllocation struct {
-	Name      string                  `json:"name"`
-	Resources v1.ResourceRequirements `json:"resources,omitempty"`
-}
-
-type podResourceSummary struct {
-	//TODO: resources v1.ResourceRequirements, add pod-level resources here once resizing pod-level resources is supported
-	InitContainers []containerAllocation `json:"initContainers,omitempty"`
-	Containers     []containerAllocation `json:"containers,omitempty"`
-}
-
 func newStateImpl(checkpointDirectory, checkpointName string) state.State {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
 		return state.NewNoopStateCheckpoint()
@@ -205,26 +184,29 @@ func newStateImpl(checkpointDirectory, checkpointName string) state.State {
 
 // NewInMemoryManager returns an allocation manager that doesn't persist state.
 // For testing purposes only!
-func NewInMemoryManager(containerManager cm.ContainerManager,
+func NewInMemoryManager(nodeConfig cm.NodeConfig,
+	nodeAllocatableAbsolute v1.ResourceList,
 	statusManager status.Manager,
 	triggerPodSync func(pod *v1.Pod),
 	getActivePods func() []*v1.Pod,
 	getPodByUID func(types.UID) (*v1.Pod, bool),
 	sourcesReady config.SourcesReady,
+	recorder record.EventRecorder,
 ) Manager {
 	return &manager{
 		allocated: state.NewStateMemory(nil),
-		actuated:  state.NewStateMemory(nil),
 
-		containerManager: containerManager,
-		statusManager:    statusManager,
-		admitHandlers:    lifecycle.PodAdmitHandlers{},
-		sourcesReady:     sourcesReady,
+		statusManager:           statusManager,
+		admitHandlers:           lifecycle.PodAdmitHandlers{},
+		sourcesReady:            sourcesReady,
+		nodeConfig:              nodeConfig,
+		nodeAllocatableAbsolute: nodeAllocatableAbsolute,
 
 		ticker:         time.NewTicker(initialRetryDelay),
 		triggerPodSync: triggerPodSync,
 		getActivePods:  getActivePods,
 		getPodByUID:    getPodByUID,
+		recorder:       recorder,
 	}
 }
 
@@ -246,33 +228,6 @@ func (m *manager) Run(ctx context.Context) {
 	}()
 }
 
-// Gernerate pod resize completed event message
-func (m *manager) podResizeCompletionMsg(allocatedPod *v1.Pod) string {
-	podResizeSource := &podResourceSummary{}
-	podutil.VisitContainers(&allocatedPod.Spec, podutil.InitContainers|podutil.Containers,
-		func(allocatedContainer *v1.Container, containerType podutil.ContainerType) bool {
-			allocation := containerAllocation{
-				Name:      allocatedContainer.Name,
-				Resources: allocatedContainer.Resources,
-			}
-			switch containerType {
-			case podutil.InitContainers:
-				podResizeSource.InitContainers = append(podResizeSource.InitContainers, allocation)
-			case podutil.Containers:
-				podResizeSource.Containers = append(podResizeSource.Containers, allocation)
-			}
-			return true
-		})
-
-	podResizeMsgDetailsJSON, err := json.Marshal(podResizeSource)
-	if err != nil {
-		klog.ErrorS(err, "Failed to serialize resource summary", "pod", format.Pod(allocatedPod))
-		return "Pod resize completed"
-	}
-	podResizeCompletedMsg := fmt.Sprintf("Pod resize completed: %s", string(podResizeMsgDetailsJSON))
-	return podResizeCompletedMsg
-}
-
 func (m *manager) RetryPendingResizes(trigger string) {
 	m.retryPendingResizes(trigger)
 }
@@ -467,6 +422,12 @@ func (m *manager) GetContainerResourceAllocation(podUID types.UID, containerName
 	return m.allocated.GetContainerResources(podUID, containerName)
 }
 
+// GetPodLevelResourceAllocation returns the last checkpointed AllocatedResources values
+// If checkpoint manager has not been initialized, it returns nil, false
+func (m *manager) GetPodLevelResourceAllocation(podUID types.UID) (*v1.ResourceRequirements, bool) {
+	return m.allocated.GetPodLevelResources(podUID)
+}
+
 // UpdatePodFromAllocation overwrites the pod spec with the allocation.
 // This function does a deep copy only if updates are needed.
 func (m *manager) UpdatePodFromAllocation(pod *v1.Pod) (*v1.Pod, bool) {
@@ -488,6 +449,15 @@ func updatePodFromAllocation(pod *v1.Pod, allocated state.PodResourceInfo) (*v1.
 	}
 
 	updated := false
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		pAlloc := allocated.PodLevelResources
+		if !apiequality.Semantic.DeepEqual(pod.Spec.Resources, pAlloc) {
+			// Allocation differs from pod spec, retrieve the allocation
+			pod = pod.DeepCopy()
+			pod.Spec.Resources = pAlloc
+			updated = true
+		}
+	}
 	containerAlloc := func(c v1.Container) (v1.ResourceRequirements, bool) {
 		if cAlloc, ok := allocated.ContainerResources[c.Name]; ok {
 			if !apiequality.Semantic.DeepEqual(c.Resources, cAlloc) {
@@ -525,6 +495,9 @@ func (m *manager) SetAllocatedResources(pod *v1.Pod) error {
 
 func allocationFromPod(pod *v1.Pod) state.PodResourceInfo {
 	var podAlloc state.PodResourceInfo
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) && pod.Spec.Resources != nil {
+		podAlloc.PodLevelResources = pod.Spec.Resources.DeepCopy()
+	}
 	podAlloc.ContainerResources = make(map[string]v1.ResourceRequirements)
 	for _, container := range pod.Spec.Containers {
 		alloc := *container.Resources.DeepCopy()
@@ -581,29 +554,10 @@ func (m *manager) RemovePod(uid types.UID) {
 		// If the deletion fails, it will be retried by RemoveOrphanedPods, so we can safely ignore the error.
 		klog.V(3).ErrorS(err, "Failed to delete pod allocation", "podUID", uid)
 	}
-
-	if err := m.actuated.RemovePod(uid); err != nil {
-		// If the deletion fails, it will be retried by RemoveOrphanedPods, so we can safely ignore the error.
-		klog.V(3).ErrorS(err, "Failed to delete pod allocation", "podUID", uid)
-	}
 }
 
 func (m *manager) RemoveOrphanedPods(remainingPods sets.Set[types.UID]) {
 	m.allocated.RemoveOrphanedPods(remainingPods)
-	m.actuated.RemoveOrphanedPods(remainingPods)
-}
-
-func (m *manager) SetActuatedResources(allocatedPod *v1.Pod, actuatedContainer *v1.Container) error {
-	if actuatedContainer == nil {
-		alloc := allocationFromPod(allocatedPod)
-		return m.actuated.SetPodResourceInfo(allocatedPod.UID, alloc)
-	}
-
-	return m.actuated.SetContainerResources(allocatedPod.UID, actuatedContainer.Name, actuatedContainer.Resources)
-}
-
-func (m *manager) GetActuatedResources(podUID types.UID, containerName string) (v1.ResourceRequirements, bool) {
-	return m.actuated.GetContainerResources(podUID, containerName)
 }
 
 func (m *manager) handlePodResourcesResize(pod *v1.Pod) (bool, error) {
@@ -626,6 +580,15 @@ func (m *manager) handlePodResourcesResize(pod *v1.Pod) (bool, error) {
 		return false, nil
 	}
 
+	if !apiequality.Semantic.DeepEqual(pod.Spec.Resources, allocatedPod.Spec.Resources) {
+		if resizable, msg, reason := IsInPlacePodLevelResourcesVerticalScalingAllowed(pod); !resizable {
+			// If there is a pending pod-level resources resize but the resize is not allowed, always use the allocated resources.
+			metrics.PodInfeasibleResizes.WithLabelValues(reason).Inc()
+			m.statusManager.SetPodResizePendingCondition(pod.UID, v1.PodReasonInfeasible, msg, pod.Generation)
+			return false, nil
+		}
+	}
+
 	// Desired resources != allocated resources. Can we update the allocation to the desired resources?
 	fit, reason, message := m.canResizePod(m.getAllocatedPods(m.getActivePods()), pod)
 	if fit {
@@ -633,6 +596,7 @@ func (m *manager) handlePodResourcesResize(pod *v1.Pod) (bool, error) {
 		if err := m.SetAllocatedResources(pod); err != nil {
 			return false, err
 		}
+		allocatedPod = pod
 		m.statusManager.ClearPodResizePendingCondition(pod.UID)
 
 		// Clear any errors that may have been surfaced from a previous resize and update the
@@ -640,11 +604,21 @@ func (m *manager) handlePodResourcesResize(pod *v1.Pod) (bool, error) {
 		m.statusManager.ClearPodResizeInProgressCondition(pod.UID)
 		m.statusManager.SetPodResizeInProgressCondition(pod.UID, "", "", pod.Generation)
 
+		msg := events.PodResizeStartedMsg(allocatedPod, pod.Generation)
+		m.recorder.Eventf(pod, v1.EventTypeNormal, events.ResizeStarted, msg)
+
 		return true, nil
 	}
 
 	if reason != "" {
-		m.statusManager.SetPodResizePendingCondition(pod.UID, reason, message, pod.Generation)
+		if m.statusManager.SetPodResizePendingCondition(pod.UID, reason, message, pod.Generation) {
+			eventType := events.ResizeDeferred
+			if reason == v1.PodReasonInfeasible {
+				eventType = events.ResizeInfeasible
+			}
+			msg := events.PodResizePendingMsg(pod, reason, message, pod.Generation)
+			m.recorder.Eventf(pod, v1.EventTypeWarning, eventType, msg)
+		}
 	}
 
 	return false, nil
@@ -716,7 +690,7 @@ func (m *manager) canResizePod(allocatedPods []*v1.Pod, pod *v1.Pod) (bool, stri
 	// lifecycle.PodAdmitAttributes, and combine canResizePod with canAdmitPod.
 	if v1qos.GetPodQOS(pod) == v1.PodQOSGuaranteed {
 		if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScalingExclusiveCPUs) &&
-			m.containerManager.GetNodeConfig().CPUManagerPolicy == string(cpumanager.PolicyStatic) &&
+			m.nodeConfig.CPUManagerPolicy == string(cpumanager.PolicyStatic) &&
 			m.guaranteedPodResourceResizeRequired(pod, v1.ResourceCPU) {
 			msg := fmt.Sprintf("Resize is infeasible for Guaranteed Pods alongside CPU Manager policy \"%s\"", string(cpumanager.PolicyStatic))
 			klog.V(3).InfoS(msg, "pod", format.Pod(pod))
@@ -725,7 +699,7 @@ func (m *manager) canResizePod(allocatedPods []*v1.Pod, pod *v1.Pod) (bool, stri
 		}
 		if utilfeature.DefaultFeatureGate.Enabled(features.MemoryManager) &&
 			!utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScalingExclusiveMemory) &&
-			m.containerManager.GetNodeConfig().MemoryManagerPolicy == string(memorymanager.PolicyTypeStatic) &&
+			m.nodeConfig.MemoryManagerPolicy == string(memorymanager.PolicyTypeStatic) &&
 			m.guaranteedPodResourceResizeRequired(pod, v1.ResourceMemory) {
 			msg := fmt.Sprintf("Resize is infeasible for Guaranteed Pods alongside Memory Manager policy \"%s\"", string(memorymanager.PolicyTypeStatic))
 			klog.V(3).InfoS(msg, "pod", format.Pod(pod))
@@ -734,9 +708,8 @@ func (m *manager) canResizePod(allocatedPods []*v1.Pod, pod *v1.Pod) (bool, stri
 		}
 	}
 
-	allocatable := m.containerManager.GetNodeAllocatableAbsolute()
-	cpuAvailable := allocatable.Cpu().MilliValue()
-	memAvailable := allocatable.Memory().Value()
+	cpuAvailable := m.nodeAllocatableAbsolute.Cpu().MilliValue()
+	memAvailable := m.nodeAllocatableAbsolute.Memory().Value()
 	cpuRequests := resource.GetResourceRequest(pod, v1.ResourceCPU)
 	memRequests := resource.GetResourceRequest(pod, v1.ResourceMemory)
 	if cpuRequests > cpuAvailable || memRequests > memAvailable {
@@ -761,49 +734,6 @@ func (m *manager) canResizePod(allocatedPods []*v1.Pod, pod *v1.Pod) (bool, stri
 	return true, "", ""
 }
 
-func (m *manager) CheckPodResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) {
-	// If a resize is in progress, make sure the cache has the correct state in case the Kubelet restarted.
-	if m.isPodResizeInProgress(allocatedPod, podStatus) {
-		// This is a no-op if the resize in progress condition is already set.
-		m.statusManager.SetPodResizeInProgressCondition(allocatedPod.UID, "", "", allocatedPod.Generation)
-	} else if m.statusManager.ClearPodResizeInProgressCondition(allocatedPod.UID) {
-		// (Allocated == Actual) => clear the resize in-progress status.
-		// Generate Pod resize completed event
-		podResizeCompletedEventMsg := m.podResizeCompletionMsg(allocatedPod)
-		if m.recorder != nil {
-			m.recorder.Eventf(allocatedPod, v1.EventTypeNormal, events.ResizeCompleted, podResizeCompletedEventMsg)
-		}
-	}
-}
-
-// isPodResizeInProgress checks whether the actuated resizable resources differ from the allocated resources
-// for any running containers. Specifically, the following differences are ignored:
-// - Non-resizable containers: non-restartable init containers, ephemeral containers
-// - Non-resizable resources: only CPU & memory are resizable
-// - Non-running containers: they will be sized correctly when (re)started
-func (m *manager) isPodResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) bool {
-	return !podutil.VisitContainers(&allocatedPod.Spec, podutil.InitContainers|podutil.Containers,
-		func(allocatedContainer *v1.Container, containerType podutil.ContainerType) (shouldContinue bool) {
-			if !IsResizableContainer(allocatedContainer, containerType) {
-				return true
-			}
-
-			containerStatus := podStatus.FindContainerStatusByName(allocatedContainer.Name)
-			if containerStatus == nil || containerStatus.State != kubecontainer.ContainerStateRunning {
-				// If the container isn't running, it doesn't need to be resized.
-				return true
-			}
-
-			actuatedResources, _ := m.GetActuatedResources(allocatedPod.UID, allocatedContainer.Name)
-			allocatedResources := allocatedContainer.Resources
-
-			return allocatedResources.Requests[v1.ResourceCPU].Equal(actuatedResources.Requests[v1.ResourceCPU]) &&
-				allocatedResources.Limits[v1.ResourceCPU].Equal(actuatedResources.Limits[v1.ResourceCPU]) &&
-				allocatedResources.Requests[v1.ResourceMemory].Equal(actuatedResources.Requests[v1.ResourceMemory]) &&
-				allocatedResources.Limits[v1.ResourceMemory].Equal(actuatedResources.Limits[v1.ResourceMemory])
-		})
-}
-
 func (m *manager) guaranteedPodResourceResizeRequired(pod *v1.Pod, resourceName v1.ResourceName) bool {
 	for container, containerType := range podutil.ContainerIter(&pod.Spec, podutil.InitContainers|podutil.Containers) {
 		if !IsResizableContainer(container, containerType) {
diff --git a/pkg/kubelet/allocation/allocation_manager_test.go b/pkg/kubelet/allocation/allocation_manager_test.go
index 6b5fe55b221f9..2e33fb1f161f4 100644
--- a/pkg/kubelet/allocation/allocation_manager_test.go
+++ b/pkg/kubelet/allocation/allocation_manager_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package allocation
 
 import (
+	"context"
 	"fmt"
 	goruntime "runtime"
 	"strings"
@@ -30,6 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/record"
@@ -124,16 +126,45 @@ func TestUpdatePodFromAllocation(t *testing.T) {
 		},
 	}
 
+	podWithPodLevelResources := pod.DeepCopy()
+	podWithPodLevelResources.Spec.Resources = &v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceCPU:    *resource.NewMilliQuantity(1200, resource.DecimalSI),
+			v1.ResourceMemory: *resource.NewQuantity(1700, resource.DecimalSI),
+		},
+		Limits: v1.ResourceList{
+			v1.ResourceCPU:    *resource.NewMilliQuantity(2000, resource.DecimalSI),
+			v1.ResourceMemory: *resource.NewQuantity(2500, resource.DecimalSI),
+		},
+	}
+
+	podWithoutContainerResources := pod.DeepCopy()
+	podWithoutContainerResources.Spec.Containers[0].Resources = v1.ResourceRequirements{}
+	podWithoutContainerResources.Spec.InitContainers[0].Resources = v1.ResourceRequirements{}
+
 	resizedPod := pod.DeepCopy()
 	resizedPod.Spec.Containers[0].Resources.Requests[v1.ResourceCPU] = *resource.NewMilliQuantity(200, resource.DecimalSI)
 	resizedPod.Spec.InitContainers[0].Resources.Requests[v1.ResourceCPU] = *resource.NewMilliQuantity(300, resource.DecimalSI)
 
+	resizedPodWithPodLevelResources := resizedPod.DeepCopy()
+	resizedPodWithPodLevelResources.Spec.Resources = &v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceCPU:    *resource.NewMilliQuantity(1500, resource.DecimalSI),
+			v1.ResourceMemory: *resource.NewQuantity(1700, resource.DecimalSI),
+		},
+		Limits: v1.ResourceList{
+			v1.ResourceCPU:    *resource.NewMilliQuantity(2200, resource.DecimalSI),
+			v1.ResourceMemory: *resource.NewQuantity(2500, resource.DecimalSI),
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
 	tests := []struct {
-		name         string
-		pod          *v1.Pod
-		allocated    state.PodResourceInfo
-		expectPod    *v1.Pod
-		expectUpdate bool
+		name                         string
+		pod                          *v1.Pod
+		allocated                    state.PodResourceInfo
+		expectPod                    *v1.Pod
+		expectUpdate                 bool
+		inPlacePodLevelResizeEnabled bool
 	}{{
 		name: "steady state",
 		pod:  pod,
@@ -173,10 +204,73 @@ func TestUpdatePodFromAllocation(t *testing.T) {
 		},
 		expectUpdate: true,
 		expectPod:    resizedPod,
+	}, {
+		name: "resized pod-level allocation",
+		pod:  pod,
+		allocated: state.PodResourceInfo{
+			ContainerResources: map[string]v1.ResourceRequirements{
+				"c1":                  *resizedPod.Spec.Containers[0].Resources.DeepCopy(),
+				"c2":                  *resizedPod.Spec.Containers[1].Resources.DeepCopy(),
+				"c1-restartable-init": *resizedPod.Spec.InitContainers[0].Resources.DeepCopy(),
+				"c1-init":             *resizedPod.Spec.InitContainers[1].Resources.DeepCopy(),
+			},
+			PodLevelResources: resizedPodWithPodLevelResources.Spec.Resources.DeepCopy(),
+		},
+		expectUpdate:                 true,
+		expectPod:                    resizedPodWithPodLevelResources,
+		inPlacePodLevelResizeEnabled: true,
+	}, {
+		name: "resized pod-level resources and allocation",
+		pod:  podWithPodLevelResources,
+		allocated: state.PodResourceInfo{
+			ContainerResources: map[string]v1.ResourceRequirements{
+				"c1":                  *resizedPod.Spec.Containers[0].Resources.DeepCopy(),
+				"c2":                  *resizedPod.Spec.Containers[1].Resources.DeepCopy(),
+				"c1-restartable-init": *resizedPod.Spec.InitContainers[0].Resources.DeepCopy(),
+				"c1-init":             *resizedPod.Spec.InitContainers[1].Resources.DeepCopy(),
+			},
+			PodLevelResources: resizedPodWithPodLevelResources.Spec.Resources.DeepCopy(),
+		},
+		expectUpdate:                 true,
+		expectPod:                    resizedPodWithPodLevelResources,
+		inPlacePodLevelResizeEnabled: true,
+	}, {
+		name: "resized pod-level resources and no container resources",
+		pod:  podWithoutContainerResources,
+		allocated: state.PodResourceInfo{
+			ContainerResources: map[string]v1.ResourceRequirements{
+				"c1":                  *resizedPod.Spec.Containers[0].Resources.DeepCopy(),
+				"c2":                  *resizedPod.Spec.Containers[1].Resources.DeepCopy(),
+				"c1-restartable-init": *resizedPod.Spec.InitContainers[0].Resources.DeepCopy(),
+				"c1-init":             *resizedPod.Spec.InitContainers[1].Resources.DeepCopy(),
+			},
+			PodLevelResources: resizedPodWithPodLevelResources.Spec.Resources.DeepCopy(),
+		},
+		expectUpdate:                 true,
+		expectPod:                    resizedPodWithPodLevelResources,
+		inPlacePodLevelResizeEnabled: true,
+	}, {
+		name: "resized pod-level resources with feature gate disabled",
+		pod:  podWithPodLevelResources,
+		allocated: state.PodResourceInfo{
+			ContainerResources: map[string]v1.ResourceRequirements{
+				"c1":                  *pod.Spec.Containers[0].Resources.DeepCopy(),
+				"c2":                  *pod.Spec.Containers[1].Resources.DeepCopy(),
+				"c1-restartable-init": *pod.Spec.InitContainers[0].Resources.DeepCopy(),
+				"c1-init":             *pod.Spec.InitContainers[1].Resources.DeepCopy(),
+			},
+			PodLevelResources: resizedPod.Spec.Resources.DeepCopy(),
+		},
+		expectUpdate:                 false,
+		expectPod:                    podWithPodLevelResources,
+		inPlacePodLevelResizeEnabled: false,
 	}}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			if test.inPlacePodLevelResizeEnabled {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+			}
 			pod := test.pod.DeepCopy()
 			allocatedPod, updated := updatePodFromAllocation(pod, test.allocated)
 
@@ -192,330 +286,7 @@ func TestUpdatePodFromAllocation(t *testing.T) {
 	}
 }
 
-func getEventsFromFakeRecorder(t *testing.T, am Manager) string {
-	select {
-	case e := <-am.(*manager).recorder.(*record.FakeRecorder).Events:
-		return e
-	default:
-		return ""
-	}
-}
-
-func TestCheckPodResizeInProgress(t *testing.T) {
-	type testResources struct {
-		cpuReq, cpuLim, memReq, memLim int64
-	}
-	type testContainer struct {
-		allocated               testResources
-		actuated                *testResources
-		nonSidecarInit, sidecar bool
-		isRunning               bool
-		unstarted               bool // Whether the container is missing from the pod status
-	}
-
-	tests := []struct {
-		name                            string
-		containers                      []testContainer
-		oldPodResizeInProgressCondition bool
-		expectHasResize                 bool
-		expectPodResizeCompletedMsg     string
-	}{{
-		name: "simple running container",
-		containers: []testContainer{{
-			allocated: testResources{100, 100, 100, 100},
-			actuated:  &testResources{100, 100, 100, 100},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: true,
-		expectHasResize:                 false,
-		expectPodResizeCompletedMsg:     `Normal ResizeCompleted Pod resize completed: {"containers":[{"name":"c0","resources":{"limits":{"cpu":"100m","memory":"100"},"requests":{"cpu":"100m","memory":"100"}}}]}`,
-	}, {
-		name: "simple unstarted container",
-		containers: []testContainer{{
-			allocated: testResources{100, 100, 100, 100},
-			unstarted: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 false,
-	}, {
-		name: "simple resized container/cpu req",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{150, 200, 100, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "simple resized container/cpu limit",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 300, 100, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "simple resized container/mem req",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 150, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "simple resized container/cpu+mem req",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{150, 200, 150, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "simple resized container/mem limit",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 300},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "terminated resized container",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{200, 200, 100, 200},
-			isRunning: false,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 false,
-	}, {
-		name: "non-sidecar init container",
-		containers: []testContainer{{
-			allocated:      testResources{100, 200, 100, 200},
-			nonSidecarInit: true,
-			isRunning:      true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 false,
-	}, {
-		name: "non-resized sidecar",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 200},
-			sidecar:   true,
-			isRunning: true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 false,
-	}, {
-		name: "resized sidecar",
-		containers: []testContainer{{
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{200, 200, 100, 200},
-			sidecar:   true,
-			isRunning: true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 200},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "several containers and a resize",
-		containers: []testContainer{{
-			allocated:      testResources{100, 200, 100, 200},
-			nonSidecarInit: true,
-			isRunning:      true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{100, 200, 100, 200},
-			isRunning: true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			unstarted: true,
-		}, {
-			allocated: testResources{100, 200, 100, 200},
-			actuated:  &testResources{200, 200, 100, 200}, // Resized
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}, {
-		name: "several containers",
-		containers: []testContainer{{
-			allocated: testResources{cpuReq: 100, cpuLim: 200},
-			actuated:  &testResources{cpuReq: 100, cpuLim: 200},
-			sidecar:   true,
-			isRunning: true,
-		}, {
-			allocated: testResources{memReq: 100, memLim: 200},
-			actuated:  &testResources{memReq: 100, memLim: 200},
-			isRunning: true,
-		}, {
-			allocated: testResources{cpuReq: 200, memReq: 100},
-			actuated:  &testResources{cpuReq: 200, memReq: 100},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: true,
-		expectHasResize:                 false,
-		expectPodResizeCompletedMsg:     `Normal ResizeCompleted Pod resize completed: {"initContainers":[{"name":"c0","resources":{"limits":{"cpu":"200m"},"requests":{"cpu":"100m"}}}],"containers":[{"name":"c1","resources":{"limits":{"memory":"200"},"requests":{"memory":"100"}}},{"name":"c2","resources":{"requests":{"cpu":"200m","memory":"100"}}}]}`,
-	}, {
-		name: "best-effort pod",
-		containers: []testContainer{{
-			allocated: testResources{},
-			actuated:  &testResources{},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: true,
-		expectHasResize:                 false,
-		expectPodResizeCompletedMsg:     `Normal ResizeCompleted Pod resize completed: {"containers":[{"name":"c0","resources":{}}]}`,
-	}, {
-		name: "burstable pod/not resizing",
-		containers: []testContainer{{
-			allocated: testResources{cpuReq: 100},
-			actuated:  &testResources{cpuReq: 100},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 false,
-	}, {
-		name: "burstable pod/resized",
-		containers: []testContainer{{
-			allocated: testResources{cpuReq: 100},
-			actuated:  &testResources{cpuReq: 500},
-			isRunning: true,
-		}},
-		oldPodResizeInProgressCondition: false,
-		expectHasResize:                 true,
-	}}
-
-	mkRequirements := func(r testResources) v1.ResourceRequirements {
-		res := v1.ResourceRequirements{
-			Requests: v1.ResourceList{},
-			Limits:   v1.ResourceList{},
-		}
-		if r.cpuReq != 0 {
-			res.Requests[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuReq, resource.DecimalSI)
-		}
-		if r.cpuLim != 0 {
-			res.Limits[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuLim, resource.DecimalSI)
-		}
-		if r.memReq != 0 {
-			res.Requests[v1.ResourceMemory] = *resource.NewQuantity(r.memReq, resource.DecimalSI)
-		}
-		if r.memLim != 0 {
-			res.Limits[v1.ResourceMemory] = *resource.NewQuantity(r.memLim, resource.DecimalSI)
-		}
-		return res
-	}
-	mkContainer := func(index int, c testContainer) v1.Container {
-		container := v1.Container{
-			Name:      fmt.Sprintf("c%d", index),
-			Resources: mkRequirements(c.allocated),
-		}
-		if c.sidecar {
-			container.RestartPolicy = ptr.To(v1.ContainerRestartPolicyAlways)
-		}
-		return container
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			pod := &v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pod",
-					UID:  "12345",
-				},
-			}
-			podStatus := &kubecontainer.PodStatus{
-				ID:   pod.UID,
-				Name: pod.Name,
-			}
-
-			am := makeAllocationManager(t, &containertest.FakeRuntime{PodStatus: *podStatus}, []*v1.Pod{pod}, nil)
-			t.Cleanup(func() { am.RemovePod(pod.UID) })
-
-			for i, c := range test.containers {
-				// Add the container to the pod
-				container := mkContainer(i, c)
-				if c.nonSidecarInit || c.sidecar {
-					pod.Spec.InitContainers = append(pod.Spec.InitContainers, container)
-				} else {
-					pod.Spec.Containers = append(pod.Spec.Containers, container)
-				}
-
-				// Add the container to the pod status, if it's started.
-				if !test.containers[i].unstarted {
-					cs := kubecontainer.Status{
-						Name: container.Name,
-					}
-					if test.containers[i].isRunning {
-						cs.State = kubecontainer.ContainerStateRunning
-					} else {
-						cs.State = kubecontainer.ContainerStateExited
-					}
-					podStatus.ContainerStatuses = append(podStatus.ContainerStatuses, &cs)
-				}
-
-				// Register the actuated container (if needed)
-				if c.actuated != nil {
-					actuatedContainer := container.DeepCopy()
-					actuatedContainer.Resources = mkRequirements(*c.actuated)
-					require.NoError(t, am.SetActuatedResources(pod, actuatedContainer))
-
-					fetched, found := am.GetActuatedResources(pod.UID, container.Name)
-					require.True(t, found)
-					assert.Equal(t, actuatedContainer.Resources, fetched)
-				} else {
-					_, found := am.GetActuatedResources(pod.UID, container.Name)
-					require.False(t, found)
-				}
-			}
-			require.NoError(t, am.SetAllocatedResources(pod))
-
-			am.(*manager).recorder = record.NewFakeRecorder(200)
-
-			// Set old Pod condition as Inprogress, so that ClearPodResizeInProgressCondition is true and emit resize completed event
-			if test.oldPodResizeInProgressCondition {
-				am.(*manager).statusManager.SetPodResizeInProgressCondition(pod.UID, "", "", int64(1))
-			}
-
-			am.CheckPodResizeInProgress(pod, podStatus)
-
-			// Verify pod resize completed event is emitted
-			podResizeCompletionEvent := getEventsFromFakeRecorder(t, am)
-			assert.Equal(t, test.expectPodResizeCompletedMsg, podResizeCompletionEvent)
-
-			if test.expectHasResize {
-				// Verify the status manager has the InProgress condition set on it
-				gotResizeConditions := am.(*manager).statusManager.GetPodResizeConditions(pod.UID)
-				for _, c := range gotResizeConditions {
-					require.Equal(t, v1.PodResizeInProgress, c.Type, "ResizeConditions Type should be PodResizeInProgress")
-					require.Empty(t, c.Reason, "ResizeConditions Error")
-					require.Empty(t, c.Message, "ResizeConditions Message")
-				}
-			} else {
-				// Verify pod resize Inprogress condition is cleared
-				gotResizeConditions := am.(*manager).statusManager.GetPodResizeConditions(pod.UID)
-				require.Empty(t, gotResizeConditions, "ResizeConditions Error")
-			}
-		})
-	}
-}
-
-func TestHandlePodResourcesResize(t *testing.T) {
+func TestRetryPendingResizes(t *testing.T) {
 	if goruntime.GOOS == "windows" {
 		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
 	}
@@ -528,12 +299,16 @@ func TestHandlePodResourcesResize(t *testing.T) {
 	cpu2m := resource.MustParse("2m")
 	cpu500m := resource.MustParse("500m")
 	cpu1000m := resource.MustParse("1")
+	cpu1200m := resource.MustParse("1200m")
 	cpu1500m := resource.MustParse("1500m")
+	cpu2000m := resource.MustParse("2")
 	cpu2500m := resource.MustParse("2500m")
 	cpu5000m := resource.MustParse("5000m")
 	mem500M := resource.MustParse("500Mi")
 	mem1000M := resource.MustParse("1Gi")
+	mem1200M := resource.MustParse("1200Mi")
 	mem1500M := resource.MustParse("1500Mi")
+	mem2000M := resource.MustParse("2Gi")
 	mem2500M := resource.MustParse("2500Mi")
 	mem4500M := resource.MustParse("4500Mi")
 
@@ -596,18 +371,29 @@ func TestHandlePodResourcesResize(t *testing.T) {
 	testPod3.Name = "pod3"
 	testPod3.Namespace = "ns2"
 
+	const (
+		originalInProgressMsg = "original in-progress"
+		originalPendingMsg    = "original pending"
+	)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
 	tests := []struct {
-		name                   string
-		originalRequests       v1.ResourceList
-		newRequests            v1.ResourceList
-		originalLimits         v1.ResourceList
-		newLimits              v1.ResourceList
-		newResourcesAllocated  bool // Whether the new requests have already been allocated (but not actuated)
-		expectedAllocatedReqs  v1.ResourceList
-		expectedAllocatedLims  v1.ResourceList
-		expectedResize         []*v1.PodCondition
-		expectPodSyncTriggered string
-		annotations            map[string]string
+		name                         string
+		originalRequests             v1.ResourceList
+		newRequests                  v1.ResourceList
+		originalLimits               v1.ResourceList
+		newLimits                    v1.ResourceList
+		originalPodRequests          v1.ResourceList
+		newPodRequests               v1.ResourceList
+		originalInProgress           bool // Whether to prepopulate an in-progress condition.
+		originalPending              bool // Whether to prepopulate a pending condition.
+		newResourcesAllocated        bool // Whether the new requests have already been allocated (but not actuated)
+		expectedAllocatedReqs        v1.ResourceList
+		expectedAllocatedLims        v1.ResourceList
+		expectedAllocatedPodReqs     v1.ResourceList
+		expectedResize               []*v1.PodCondition
+		expectPodSyncTriggered       string
+		annotations                  map[string]string
+		inPlacePodLevelResizeEnabled bool
 	}{
 		{
 			name:                  "Request CPU and memory decrease - expect InProgress",
@@ -617,8 +403,9 @@ func TestHandlePodResourcesResize(t *testing.T) {
 
 			expectedResize: []*v1.PodCondition{
 				{
-					Type:   v1.PodResizeInProgress,
-					Status: "True",
+					Type:    v1.PodResizeInProgress,
+					Status:  "True",
+					Message: "", // Expect the original InProgress condition to be cleared.
 				},
 			},
 			expectPodSyncTriggered: "true",
@@ -662,7 +449,7 @@ func TestHandlePodResourcesResize(t *testing.T) {
 					Type:    v1.PodResizePending,
 					Status:  "True",
 					Reason:  "Deferred",
-					Message: "",
+					Message: "Node didn't have enough resource: cpu",
 				},
 			},
 			expectPodSyncTriggered: "true",
@@ -716,18 +503,64 @@ func TestHandlePodResourcesResize(t *testing.T) {
 			expectPodSyncTriggered: "true",
 		},
 		{
-			name:                  "CPU increase in progress - expect InProgress",
+			name:                  "CPU increase in progress, resources unchanged - expect InProgress",
 			originalRequests:      v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
 			newRequests:           v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M},
 			newResourcesAllocated: true,
 			expectedAllocatedReqs: v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M},
+			originalInProgress:    true,
+			originalPending:       true,
 
 			expectedResize: []*v1.PodCondition{
 				{
-					Type:   v1.PodResizeInProgress,
-					Status: "True",
+					Type:    v1.PodResizeInProgress,
+					Status:  "True",
+					Message: originalInProgressMsg, // Since the allocation didn't change, the condition isn't reset.
+				},
+			},
+			// Should trigger a sync since the conditions changed (to update status), even though
+			// the allocated resources are unchanged.
+			expectPodSyncTriggered: "true",
+		},
+		{
+			name:                  "CPU increase in progress, new allocation - expect InProgress reset",
+			originalRequests:      v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:           v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedReqs: v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M},
+			originalInProgress:    true,
+			originalPending:       true,
+
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:    v1.PodResizeInProgress,
+					Status:  "True",
+					Message: "",
 				},
 			},
+			expectPodSyncTriggered: "true",
+		},
+		{
+			name:                  "Deferred resize doesn't clear in-progress status",
+			originalRequests:      v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:           v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem2500M},
+			expectedAllocatedReqs: v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			originalInProgress:    true,
+			originalPending:       true,
+
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:    v1.PodResizePending,
+					Status:  "True",
+					Reason:  "Deferred",
+					Message: "Node didn't have enough resource: memory", // Deferred condition should be updated.
+				},
+				{
+					Type:    v1.PodResizeInProgress,
+					Status:  "True",
+					Message: originalInProgressMsg, // InProgress condition should be unchanged.
+				},
+			},
+			expectPodSyncTriggered: "true",
 		},
 		{
 			name:                  "No resize",
@@ -815,11 +648,90 @@ func TestHandlePodResourcesResize(t *testing.T) {
 			},
 			expectPodSyncTriggered: "true",
 		},
+		{
+			name:                         "pod-level: Request CPU and memory increase - expect InProgress",
+			inPlacePodLevelResizeEnabled: true,
+			originalPodRequests:          v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: cpu2000m, v1.ResourceMemory: mem2000M},
+			originalRequests:             v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:                  v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedReqs:        v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedPodReqs:     v1.ResourceList{v1.ResourceCPU: cpu2000m, v1.ResourceMemory: mem2000M},
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:   v1.PodResizeInProgress,
+					Status: "True",
+				},
+			},
+			expectPodSyncTriggered: "true",
+		},
+		{
+			name:                         "pod-level: Request CPU and memory decrease - expect InProgress",
+			inPlacePodLevelResizeEnabled: true,
+			originalPodRequests:          v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: cpu1200m, v1.ResourceMemory: mem1200M}, // still > container reqs
+			originalRequests:             v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:                  v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedReqs:        v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedPodReqs:     v1.ResourceList{v1.ResourceCPU: cpu1200m, v1.ResourceMemory: mem1200M},
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:    v1.PodResizeInProgress,
+					Status:  "True",
+					Message: "",
+				},
+			},
+			expectPodSyncTriggered: "true",
+		},
+		{
+			name:                         "pod-level: Request CPU increase beyond current capacity - expect Deferred",
+			inPlacePodLevelResizeEnabled: true,
+			originalPodRequests:          v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: cpu2500m, v1.ResourceMemory: mem1500M},
+			originalRequests:             v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:                  v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedReqs:        v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedPodReqs:     v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:    v1.PodResizePending,
+					Status:  "True",
+					Reason:  "Deferred",
+					Message: "Node didn't have enough resource: cpu",
+				},
+			},
+			expectPodSyncTriggered: "true",
+		},
+		{
+			name:                         "pod-level: Request memory increase beyond node capacity - expect Infeasible",
+			inPlacePodLevelResizeEnabled: true,
+			originalPodRequests:          v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem4500M},
+			originalRequests:             v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			newRequests:                  v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedReqs:        v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+			expectedAllocatedPodReqs:     v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
+			expectedResize: []*v1.PodCondition{
+				{
+					Type:    v1.PodResizePending,
+					Status:  "True",
+					Reason:  "Infeasible",
+					Message: "Node didn't have enough capacity: memory, requested: 4718592000, capacity: 4294967296",
+				},
+			},
+			expectPodSyncTriggered: "true",
+		},
 	}
 
 	for _, tt := range tests {
 		for _, isSidecarContainer := range []bool{false, true} {
+			if tt.inPlacePodLevelResizeEnabled && isSidecarContainer {
+				continue // pod level resources makes the distinction between container types irrelevant
+			}
 			t.Run(fmt.Sprintf("%s/sidecar=%t", tt.name, isSidecarContainer), func(t *testing.T) {
+				if tt.inPlacePodLevelResizeEnabled {
+					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+				}
 				var originalPod *v1.Pod
 				var originalCtr *v1.Container
 				if isSidecarContainer {
@@ -832,6 +744,9 @@ func TestHandlePodResourcesResize(t *testing.T) {
 				originalPod.Annotations = tt.annotations
 				originalCtr.Resources.Requests = tt.originalRequests
 				originalCtr.Resources.Limits = tt.originalLimits
+				if tt.originalPodRequests != nil {
+					originalPod.Spec.Resources = &v1.ResourceRequirements{Requests: tt.originalPodRequests.DeepCopy()}
+				}
 
 				newPod := originalPod.DeepCopy()
 				if isSidecarContainer {
@@ -841,6 +756,12 @@ func TestHandlePodResourcesResize(t *testing.T) {
 					newPod.Spec.Containers[0].Resources.Requests = tt.newRequests
 					newPod.Spec.Containers[0].Resources.Limits = tt.newLimits
 				}
+				if tt.newPodRequests != nil {
+					if newPod.Spec.Resources == nil {
+						newPod.Spec.Resources = &v1.ResourceRequirements{}
+					}
+					newPod.Spec.Resources.Requests = tt.newPodRequests.DeepCopy()
+				}
 
 				podStatus := &kubecontainer.PodStatus{
 					ID:        originalPod.UID,
@@ -862,16 +783,20 @@ func TestHandlePodResourcesResize(t *testing.T) {
 				} else {
 					require.NoError(t, allocationManager.SetAllocatedResources(newPod))
 				}
-				require.NoError(t, allocationManager.SetActuatedResources(originalPod, nil))
 				t.Cleanup(func() { allocationManager.RemovePod(originalPod.UID) })
 
+				if tt.originalInProgress {
+					allocationManager.(*manager).statusManager.SetPodResizeInProgressCondition(originalPod.UID, "", originalInProgressMsg, 0)
+				}
+				if tt.originalPending {
+					allocationManager.(*manager).statusManager.SetPodResizePendingCondition(originalPod.UID, v1.PodReasonDeferred, originalPendingMsg, 0)
+				}
+
 				allocationManager.(*manager).getPodByUID = func(uid types.UID) (*v1.Pod, bool) {
 					return newPod, true
 				}
 				allocationManager.PushPendingResize(originalPod.UID)
 				allocationManager.RetryPendingResizes(TriggerReasonPodUpdated)
-				allocatedPod, _ := allocationManager.UpdatePodFromAllocation(newPod)
-				allocationManager.CheckPodResizeInProgress(allocatedPod, podStatus)
 
 				var updatedPod *v1.Pod
 				if allocationManager.(*manager).statusManager.IsPodResizeInfeasible(newPod.UID) || allocationManager.(*manager).statusManager.IsPodResizeDeferred(newPod.UID) {
@@ -889,22 +814,47 @@ func TestHandlePodResourcesResize(t *testing.T) {
 				assert.Equal(t, tt.expectedAllocatedReqs, updatedPodCtr.Resources.Requests, "updated pod spec requests")
 				assert.Equal(t, tt.expectedAllocatedLims, updatedPodCtr.Resources.Limits, "updated pod spec limits")
 
+				if tt.inPlacePodLevelResizeEnabled {
+					if tt.expectedAllocatedPodReqs != nil {
+						require.NotNil(t, updatedPod.Spec.Resources)
+						assert.Equal(t, tt.expectedAllocatedPodReqs, updatedPod.Spec.Resources.Requests, "updated pod spec pod requests")
+					} else if updatedPod.Spec.Resources != nil {
+						assert.Empty(t, updatedPod.Spec.Resources.Requests, "updated pod spec pod requests should be empty")
+					}
+
+					alloc, found := allocationManager.(*manager).allocated.GetPodResourceInfo(newPod.UID)
+					if tt.expectedAllocatedPodReqs != nil {
+						require.True(t, found, "pod allocation")
+						if alloc.PodLevelResources == nil {
+							assert.Equal(t, tt.expectedAllocatedPodReqs, alloc.PodLevelResources.Requests, "stored pod request allocation")
+						}
+					} else {
+						require.False(t, found, "pod allocation should not be found")
+					}
+				}
+
 				alloc, found := allocationManager.GetContainerResourceAllocation(newPod.UID, updatedPodCtr.Name)
 				require.True(t, found, "container allocation")
 				assert.Equal(t, tt.expectedAllocatedReqs, alloc.Requests, "stored container request allocation")
 				assert.Equal(t, tt.expectedAllocatedLims, alloc.Limits, "stored container limit allocation")
 
 				resizeStatus := allocationManager.(*manager).statusManager.GetPodResizeConditions(newPod.UID)
-				for i := range resizeStatus {
-					// Ignore probe time and last transition time during comparison.
-					resizeStatus[i].LastProbeTime = metav1.Time{}
-					resizeStatus[i].LastTransitionTime = metav1.Time{}
-
-					// Message is a substring assertion, since it can change slightly.
-					assert.Contains(t, resizeStatus[i].Message, tt.expectedResize[i].Message)
-					resizeStatus[i].Message = tt.expectedResize[i].Message
+				if assert.Len(t, resizeStatus, len(tt.expectedResize), "different number of resize conditions") {
+					for i := range resizeStatus {
+						// Ignore probe time and last transition time during comparison.
+						resizeStatus[i].LastProbeTime = metav1.Time{}
+						resizeStatus[i].LastTransitionTime = metav1.Time{}
+
+						// Message is a substring assertion, since it can change slightly.
+						if tt.expectedResize[i].Message != "" {
+							assert.Contains(t, resizeStatus[i].Message, tt.expectedResize[i].Message)
+						} else {
+							assert.Empty(t, resizeStatus[i].Message)
+						}
+						resizeStatus[i].Message = tt.expectedResize[i].Message
+					}
+					assert.Equal(t, tt.expectedResize, resizeStatus)
 				}
-				assert.Equal(t, tt.expectedResize, resizeStatus)
 				assert.Equal(t, tt.expectPodSyncTriggered, newPod.Annotations["pod-sync-triggered"], "pod sync annotation should be set")
 			})
 		}
@@ -912,16 +862,16 @@ func TestHandlePodResourcesResize(t *testing.T) {
 
 	expectedMetrics := `
 		# HELP kubelet_pod_infeasible_resizes_total [ALPHA] Number of infeasible resizes for pods.
-        # TYPE kubelet_pod_infeasible_resizes_total counter
-        kubelet_pod_infeasible_resizes_total{reason_detail="insufficient_node_allocatable"} 4
-        kubelet_pod_infeasible_resizes_total{reason_detail="static_pod"} 2
+	    # TYPE kubelet_pod_infeasible_resizes_total counter
+	    kubelet_pod_infeasible_resizes_total{reason_detail="insufficient_node_allocatable"} 5
+	    kubelet_pod_infeasible_resizes_total{reason_detail="static_pod"} 2
 	`
 	assert.NoError(t, testutil.GatherAndCompare(
 		legacyregistry.DefaultGatherer, strings.NewReader(expectedMetrics), "kubelet_pod_infeasible_resizes_total",
 	))
 }
 
-func TestHandlePodResourcesResizeForGuanteedQOSPods(t *testing.T) {
+func TestRetryPendingResizesGuanteedQOSPods(t *testing.T) {
 	if goruntime.GOOS == "windows" {
 		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
 	}
@@ -1072,8 +1022,10 @@ func TestHandlePodResourcesResizeForGuanteedQOSPods(t *testing.T) {
 		for _, originalPod := range tt.podsToTest {
 			isSidecarContainer := len(originalPod.Spec.InitContainers) > 0
 			t.Run(fmt.Sprintf("%s/sidecar=%t", tt.name, isSidecarContainer), func(t *testing.T) {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScalingExclusiveCPUs, tt.ipprExclusiveCPUsFeatureGate)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScalingExclusiveMemory, tt.ipprExclusiveMemoryFeatureGate)
+				featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+					features.InPlacePodVerticalScalingExclusiveCPUs:   tt.ipprExclusiveCPUsFeatureGate,
+					features.InPlacePodVerticalScalingExclusiveMemory: tt.ipprExclusiveMemoryFeatureGate,
+				})
 				var originalCtr *v1.Container
 
 				if isSidecarContainer {
@@ -1122,8 +1074,6 @@ func TestHandlePodResourcesResizeForGuanteedQOSPods(t *testing.T) {
 				allocationManager := makeAllocationManager(t, &containertest.FakeRuntime{PodStatus: *podStatus}, []*v1.Pod{guaranteedQOSPod, guaranteedQOSPodWithSidecar, bestEffortPod}, &nodeConfig)
 
 				require.NoError(t, allocationManager.SetAllocatedResources(originalPod))
-
-				require.NoError(t, allocationManager.SetActuatedResources(originalPod, nil))
 				t.Cleanup(func() { allocationManager.RemovePod(originalPod.UID) })
 
 				allocationManager.(*manager).getPodByUID = func(uid types.UID) (*v1.Pod, bool) {
@@ -1131,8 +1081,6 @@ func TestHandlePodResourcesResizeForGuanteedQOSPods(t *testing.T) {
 				}
 				allocationManager.PushPendingResize(originalPod.UID)
 				allocationManager.RetryPendingResizes(TriggerReasonPodUpdated)
-				allocatedPod, _ := allocationManager.UpdatePodFromAllocation(newPod)
-				allocationManager.CheckPodResizeInProgress(allocatedPod, podStatus)
 
 				var updatedPod *v1.Pod
 				if allocationManager.(*manager).statusManager.IsPodResizeInfeasible(newPod.UID) || allocationManager.(*manager).statusManager.IsPodResizeDeferred(newPod.UID) {
@@ -1171,15 +1119,17 @@ func TestHandlePodResourcesResizeForGuanteedQOSPods(t *testing.T) {
 	}
 }
 
-func TestHandlePodResourcesResizeWithSwap(t *testing.T) {
+func TestRetryPendingResizesWithSwap(t *testing.T) {
 	if goruntime.GOOS == "windows" {
 		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
 	}
 	metrics.Register()
 	metrics.PodInfeasibleResizes.Reset()
 
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeSwap, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.InPlacePodVerticalScaling: true,
+		features.NodeSwap:                  true,
+	})
 	noSwapContainerName, swapContainerName := "test-container-noswap", "test-container-limitedswap"
 
 	cpu500m := resource.MustParse("500m")
@@ -1303,7 +1253,6 @@ func TestHandlePodResourcesResizeWithSwap(t *testing.T) {
 			allocationManager := makeAllocationManager(t, runtime, []*v1.Pod{testPod}, nil)
 
 			require.NoError(t, allocationManager.SetAllocatedResources(originalPod))
-			require.NoError(t, allocationManager.SetActuatedResources(originalPod, nil))
 			t.Cleanup(func() { allocationManager.RemovePod(originalPod.UID) })
 
 			allocationManager.(*manager).getPodByUID = func(uid types.UID) (*v1.Pod, bool) {
@@ -1311,8 +1260,6 @@ func TestHandlePodResourcesResizeWithSwap(t *testing.T) {
 			}
 			allocationManager.PushPendingResize(testPod.UID)
 			allocationManager.RetryPendingResizes(TriggerReasonPodUpdated)
-			allocatedPod, _ := allocationManager.UpdatePodFromAllocation(newPod)
-			allocationManager.CheckPodResizeInProgress(allocatedPod, podStatus)
 
 			var updatedPod *v1.Pod
 			if allocationManager.(*manager).statusManager.IsPodResizeInfeasible(newPod.UID) {
@@ -1346,7 +1293,7 @@ func TestHandlePodResourcesResizeWithSwap(t *testing.T) {
 	}
 }
 
-func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
+func TestRetryPendingResizesMultipleConditions(t *testing.T) {
 	if goruntime.GOOS == "windows" {
 		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
 	}
@@ -1415,6 +1362,7 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 		mem                resource.Quantity
 		generation         int64
 		expectedConditions []*v1.PodCondition
+		expectedEvent      string
 	}{
 		{
 			name:       "allocated != actuated, pod resize should be in progress",
@@ -1426,6 +1374,7 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 				Status:             "True",
 				ObservedGeneration: 1,
 			}},
+			expectedEvent: `Normal ResizeStarted Pod resize started: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"1","memory":"1Gi"}}}],"generation":1}`,
 		},
 		{
 			name:       "desired != allocated != actuated, both conditions should be present in the pod status",
@@ -1446,6 +1395,27 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 					ObservedGeneration: 1,
 				},
 			},
+			expectedEvent: `Warning ResizeInfeasible Pod resize Infeasible: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"5","memory":"4500Mi"}}}],"generation":2,"error":"Node didn't have enough capacity: memory, requested: 4718592000, capacity: 4294967296"}`,
+		},
+		{
+			name:       "same as previous case to ensure no new event is generated",
+			cpu:        cpu5000m,
+			mem:        mem4500M,
+			generation: 2,
+			expectedConditions: []*v1.PodCondition{
+				{
+					Type:               v1.PodResizePending,
+					Status:             "True",
+					Reason:             v1.PodReasonInfeasible,
+					Message:            "Node didn't have enough capacity: memory, requested: 4718592000, capacity: 4294967296",
+					ObservedGeneration: 2,
+				},
+				{
+					Type:               v1.PodResizeInProgress,
+					Status:             "True",
+					ObservedGeneration: 1,
+				},
+			},
 		},
 		{
 			name:       "revert back to the original resize request",
@@ -1480,6 +1450,7 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 				Status:             "True",
 				ObservedGeneration: 5,
 			}},
+			expectedEvent: `Normal ResizeStarted Pod resize started: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"500m","memory":"500Mi"}}}],"generation":5}`,
 		},
 	}
 
@@ -1498,8 +1469,6 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 
 			allocationManager.PushPendingResize(testPod.UID)
 			allocationManager.RetryPendingResizes(TriggerReasonPodUpdated)
-			allocatedPod, _ := allocationManager.UpdatePodFromAllocation(testPod)
-			allocationManager.CheckPodResizeInProgress(allocatedPod, podStatus)
 
 			conditions := allocationManager.(*manager).statusManager.GetPodResizeConditions(testPod.UID)
 			require.Len(t, conditions, len(tc.expectedConditions))
@@ -1508,6 +1477,15 @@ func TestHandlePodResourcesResizeMultipleConditions(t *testing.T) {
 				c.LastTransitionTime = metav1.Time{}
 			}
 			require.Equal(t, tc.expectedConditions, conditions)
+
+			fakeRecorder := allocationManager.(*manager).recorder.(*record.FakeRecorder)
+			if tc.expectedEvent != "" {
+				require.Len(t, fakeRecorder.Events, 1)
+				event := <-fakeRecorder.Events
+				require.Equal(t, tc.expectedEvent, event)
+			} else {
+				require.Empty(t, fakeRecorder.Events)
+			}
 		})
 	}
 }
@@ -1526,6 +1504,292 @@ func (a *testPodAdmitHandler) Admit(attrs *lifecycle.PodAdmitAttributes) lifecyc
 	return a.admitFunc(attrs)
 }
 
+func TestAllocationManagerAddPodWithPLR(t *testing.T) {
+	if goruntime.GOOS == "windows" {
+		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
+	}
+
+	const containerName = "c1"
+
+	cpu1Mem1G := v1.ResourceList{v1.ResourceCPU: resource.MustParse("1"), v1.ResourceMemory: resource.MustParse("1Gi")}
+	cpu2Mem2G := v1.ResourceList{v1.ResourceCPU: resource.MustParse("2"), v1.ResourceMemory: resource.MustParse("2Gi")}
+
+	createTestPod := func(uid types.UID, name, namespace string, resources v1.ResourceList) *v1.Pod {
+		pod := &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{UID: uid, Name: name, Namespace: namespace},
+		}
+		container := v1.Container{
+			Name:  containerName,
+			Image: "i1",
+			Resources: v1.ResourceRequirements{
+				Requests: resources,
+			},
+		}
+		pod.Spec.Containers = append(pod.Spec.Containers, container)
+		return pod
+	}
+
+	pod1UID := types.UID("1111")
+	pod2UID := types.UID("2222")
+	pod1Small := createTestPod(pod1UID, "pod1", "ns1", cpu1Mem1G)
+	pod1Large := createTestPod(pod1UID, "pod1", "ns1", cpu2Mem2G)
+	pod2Small := createTestPod(pod2UID, "pod2", "ns2", cpu1Mem1G)
+	pod2Large := createTestPod(pod2UID, "pod2", "ns2", cpu2Mem2G)
+
+	pod1SmallWithPLR := pod1Small.DeepCopy()
+	pod1SmallWithPLR.Spec.Resources = &v1.ResourceRequirements{Requests: cpu1Mem1G}
+	pod1LargeWithPLR := pod1Large.DeepCopy()
+	pod1LargeWithPLR.Spec.Resources = &v1.ResourceRequirements{Requests: cpu2Mem2G}
+	pod2SmallWithPLR := pod2Small.DeepCopy()
+	pod2SmallWithPLR.Spec.Resources = &v1.ResourceRequirements{Requests: cpu1Mem1G}
+	pod2LargeWithPLR := pod2Large.DeepCopy()
+	pod2LargeWithPLR.Spec.Resources = &v1.ResourceRequirements{Requests: cpu2Mem2G}
+
+	type resourceState struct {
+		podResources       v1.ResourceList
+		containerResources v1.ResourceList
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+	testCases := []struct {
+		name                            string
+		initialAllocatedResourcesState  map[types.UID]resourceState
+		currentActivePods               []*v1.Pod
+		podToAdd                        *v1.Pod
+		admitFunc                       func(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult
+		expectAdmit                     bool
+		admissionFailureReason          string
+		admissionFailureMessage         string
+		expectedAllocatedResourcesState map[types.UID]resourceState
+		ipprPLRFeatureGate              bool
+	}{
+		{
+			name:                           "PLR IPPR Enabled - New pod admitted and allocated resources updated",
+			initialAllocatedResourcesState: map[types.UID]resourceState{},
+			currentActivePods:              []*v1.Pod{},
+			podToAdd:                       pod1SmallWithPLR,
+			admitFunc:                      nil,
+			expectAdmit:                    true,
+			// allocated resources updated with pod1's resources
+			expectedAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {podResources: cpu1Mem1G, containerResources: cpu1Mem1G}},
+			ipprPLRFeatureGate:              true,
+		},
+		{
+			name:                            "PLR IPPR Disabled - New pod admitted with PLR but allocated pod-level resources not updated",
+			initialAllocatedResourcesState:  map[types.UID]resourceState{},
+			currentActivePods:               []*v1.Pod{},
+			podToAdd:                        pod1SmallWithPLR,
+			admitFunc:                       nil,
+			expectAdmit:                     true,
+			expectedAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+		},
+		{
+			name:                           "PLR IPPR Enabled - New pod not admitted due to insufficient resources",
+			initialAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+			currentActivePods:              []*v1.Pod{pod1Small},
+			podToAdd:                       pod2LargeWithPLR,
+			admitFunc: func(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+				cpuRequest := attrs.Pod.Spec.Resources.Requests.Cpu().Value()
+				if cpuRequest > 1 {
+					return lifecycle.PodAdmitResult{
+						Admit:   false,
+						Reason:  "OutOfcpu",
+						Message: fmt.Sprintf("not enough CPUs available for pod %s/%s, requested: %d, available:1", attrs.Pod.Namespace, attrs.Pod.Name, cpuRequest),
+					}
+				}
+				return lifecycle.PodAdmitResult{Admit: true}
+			},
+			expectAdmit:             false,
+			admissionFailureReason:  "OutOfcpu",
+			admissionFailureMessage: "not enough CPUs available for pod ns2/pod2, requested: 2, available:1",
+			// allocated resources not modified
+			expectedAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+			ipprPLRFeatureGate:              true,
+		},
+		{
+			name:                           "PLR IPPR Disabled - New pod not admitted due to insufficient resources",
+			initialAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+			currentActivePods:              []*v1.Pod{pod1Small},
+			podToAdd:                       pod2LargeWithPLR,
+			admitFunc: func(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+				cpuRequest := attrs.Pod.Spec.Resources.Requests.Cpu().Value()
+				if cpuRequest > 1 {
+					return lifecycle.PodAdmitResult{
+						Admit:   false,
+						Reason:  "OutOfcpu",
+						Message: fmt.Sprintf("not enough CPUs available for pod %s/%s, requested: %d, available:1", attrs.Pod.Namespace, attrs.Pod.Name, cpuRequest),
+					}
+				}
+				return lifecycle.PodAdmitResult{Admit: true}
+			},
+			expectAdmit:             false,
+			admissionFailureReason:  "OutOfcpu",
+			admissionFailureMessage: "not enough CPUs available for pod ns2/pod2, requested: 2, available:1",
+			// allocated resources not modified
+			expectedAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+		},
+		{
+			name: "PLR IPPR Enabled - no pod resize request. Resource request same as existing allocation",
+			initialAllocatedResourcesState: map[types.UID]resourceState{
+				pod1UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+				pod2UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+			},
+			currentActivePods: []*v1.Pod{pod1SmallWithPLR},
+			podToAdd:          pod1SmallWithPLR,
+			admitFunc:         nil,
+			expectAdmit:       true,
+			expectedAllocatedResourcesState: map[types.UID]resourceState{
+				pod1UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+				pod2UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+			},
+			ipprPLRFeatureGate: true,
+		},
+		{
+			name:                           "PLR IPPR Enabled - current allocation not found for added pod. Allocated resources updated.",
+			initialAllocatedResourcesState: map[types.UID]resourceState{},
+			currentActivePods:              []*v1.Pod{pod1Small},
+			podToAdd:                       pod1LargeWithPLR,
+			admitFunc:                      nil,
+			expectAdmit:                    true,
+			// pod2's resources added to allocated resources
+			expectedAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu2Mem2G, podResources: cpu2Mem2G}},
+			ipprPLRFeatureGate:              true,
+		},
+		{
+			name: "PLR IPPR Enabled - request different from current allocation. Pod still admitted based on existing allocation, but allocated resources remains unchanges.",
+			initialAllocatedResourcesState: map[types.UID]resourceState{
+				pod1UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+				pod2UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+			},
+			currentActivePods: []*v1.Pod{pod1SmallWithPLR, pod2SmallWithPLR},
+			podToAdd:          pod1LargeWithPLR,
+			admitFunc: func(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+				cpuRequest := attrs.Pod.Spec.Resources.Requests.Cpu().Value()
+				if cpuRequest > 1 {
+					return lifecycle.PodAdmitResult{
+						Admit:   false,
+						Reason:  "OutOfcpu",
+						Message: fmt.Sprintf("not enough CPUs available for pod %s/%s, requested: %d, available:1", attrs.Pod.Namespace, attrs.Pod.Name, cpuRequest),
+					}
+				}
+				return lifecycle.PodAdmitResult{Admit: true}
+			},
+			// pod is still admitted as allocated resources are considered during admission.
+			expectAdmit: true,
+			//  allocated Resources state must not be updated.
+			expectedAllocatedResourcesState: map[types.UID]resourceState{
+				pod1UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+				pod2UID: {containerResources: cpu1Mem1G, podResources: cpu1Mem1G},
+			},
+			ipprPLRFeatureGate: true,
+		},
+		{
+			name:                           "PLR IPPR Disabled - request different from current allocation. Admission fails. Allocated resources not updated.",
+			initialAllocatedResourcesState: map[types.UID]resourceState{pod1UID: {containerResources: cpu1Mem1G}},
+			currentActivePods:              []*v1.Pod{pod1SmallWithPLR},
+			podToAdd:                       pod1LargeWithPLR,
+			admitFunc: func(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
+				cpuRequest := attrs.Pod.Spec.Resources.Requests.Cpu().Value()
+				if cpuRequest > 1 {
+					return lifecycle.PodAdmitResult{
+						Admit:   false,
+						Reason:  "OutOfcpu",
+						Message: fmt.Sprintf("not enough CPUs available for pod %s/%s, requested: %d, available:1", attrs.Pod.Namespace, attrs.Pod.Name, cpuRequest),
+					}
+				}
+				return lifecycle.PodAdmitResult{Admit: true}
+			},
+			// pod is still admitted as allocated resources are considered during admission.
+			expectAdmit:             false,
+			admissionFailureReason:  "OutOfcpu",
+			admissionFailureMessage: "not enough CPUs available for pod ns1/pod1, requested: 2, available:1",
+			// allocated Resources state must not be updated.
+			expectedAllocatedResourcesState: map[types.UID]resourceState{
+				pod1UID: {containerResources: cpu1Mem1G},
+			},
+			ipprPLRFeatureGate: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, tc.ipprPLRFeatureGate)
+			allocationManager := makeAllocationManager(t, &containertest.FakeRuntime{}, []*v1.Pod{}, nil)
+
+			podForAllocation := func(uid types.UID, resources resourceState) *v1.Pod {
+				pod := &v1.Pod{
+					ObjectMeta: metav1.ObjectMeta{UID: uid},
+					Spec: v1.PodSpec{
+						Containers: []v1.Container{{
+							Name:      containerName,
+							Resources: v1.ResourceRequirements{Requests: resources.containerResources},
+						}},
+					},
+				}
+
+				if resources.podResources != nil {
+					pod.Spec.Resources = &v1.ResourceRequirements{Requests: resources.podResources}
+				}
+				return pod
+			}
+
+			for podUID, resources := range tc.initialAllocatedResourcesState {
+				err := allocationManager.SetAllocatedResources(podForAllocation(podUID, resources))
+				require.NoError(t, err)
+			}
+
+			if tc.admitFunc != nil {
+				handler := &testPodAdmitHandler{admitFunc: tc.admitFunc}
+				allocationManager.AddPodAdmitHandlers(lifecycle.PodAdmitHandlers{handler})
+			}
+
+			ok, reason, message := allocationManager.AddPod(tc.currentActivePods, tc.podToAdd)
+			require.Equal(t, tc.expectAdmit, ok)
+			require.Equal(t, tc.admissionFailureReason, reason)
+			require.Equal(t, tc.admissionFailureMessage, message)
+
+			for podUID, resources := range tc.expectedAllocatedResourcesState {
+				pod := podForAllocation(podUID, resources)
+				for _, container := range pod.Spec.Containers {
+					allocatedResources, found := allocationManager.GetContainerResourceAllocation(pod.UID, container.Name)
+					if pod.UID == tc.podToAdd.UID {
+						if tc.expectAdmit && !found {
+							t.Fatalf("resource allocation should exist for pod: %s", tc.podToAdd.Name)
+						}
+						if !tc.expectAdmit && found {
+							initialResources := tc.initialAllocatedResourcesState[pod.UID]
+							// allocated resources should not be modified when the pod is not admitted
+							assert.Equal(t, initialResources.containerResources, allocatedResources.Requests, tc.name)
+						}
+					}
+					assert.Equal(t, container.Resources, allocatedResources, tc.name)
+				}
+				if pod.Spec.Resources != nil {
+					allocatedPodResources, found := allocationManager.GetPodLevelResourceAllocation(pod.UID)
+					if tc.expectAdmit && !found {
+						t.Fatalf("resource allocation should exist for pod: %s", tc.podToAdd.Name)
+					}
+					if !tc.expectAdmit && found {
+						initialResources := tc.initialAllocatedResourcesState[pod.UID]
+						// allocated resources should not be modified when the pod
+						// is not admitted
+						if initialResources.podResources == nil {
+							if allocatedPodResources != nil {
+								t.Fatalf("resource allocation should nil for pod: %s", tc.podToAdd.Name)
+							}
+						}
+						if allocatedPodResources == nil {
+							t.Fatalf("resource allocation should exist for pod: %s", tc.podToAdd.Name)
+						}
+
+						assert.Equal(t, initialResources.podResources, allocatedPodResources.Requests, tc.name)
+					}
+					assert.Equal(t, pod.Spec.Resources, allocatedPodResources, tc.name)
+				}
+			}
+		})
+	}
+}
+
 func TestAllocationManagerAddPod(t *testing.T) {
 	if goruntime.GOOS == "windows" {
 		t.Skip("InPlacePodVerticalScaling is not currently supported for Windows")
@@ -1707,6 +1971,7 @@ func TestAllocationManagerAddPod(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
+		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 		t.Run(tc.name, func(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, tc.ipprFeatureGate)
 			allocationManager := makeAllocationManager(t, &containertest.FakeRuntime{}, []*v1.Pod{}, nil)
@@ -1763,38 +2028,42 @@ func TestIsResizeIncreasingRequests(t *testing.T) {
 	cpu500m := resource.MustParse("500m")
 	cpu1000m := resource.MustParse("1")
 	cpu1500m := resource.MustParse("1500m")
+	cpu2500m := resource.MustParse("2500m")
 	mem500M := resource.MustParse("500Mi")
 	mem1000M := resource.MustParse("1Gi")
 	mem1500M := resource.MustParse("1500Mi")
+	mem2500M := resource.MustParse("2500Mi")
 
 	tests := []struct {
-		name        string
-		newRequests map[int]v1.ResourceList
-		expected    bool
+		name                         string
+		newPodRequests               v1.ResourceList
+		newContRequests              map[int]v1.ResourceList
+		expected                     bool
+		inPlacePodLevelResizeEnabled bool
 	}{
 		{
-			name:        "increase requests, one container",
-			newRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M}},
-			expected:    true,
+			name:            "increase requests, one container",
+			newContRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M}},
+			expected:        true,
 		},
 		{
-			name:        "decrease requests, one container",
-			newRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M}},
-			expected:    false,
+			name:            "decrease requests, one container",
+			newContRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M}},
+			expected:        false,
 		},
 		{
-			name:        "increase cpu, decrease memory, one container",
-			newRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem500M}},
-			expected:    true,
+			name:            "increase cpu, decrease memory, one container",
+			newContRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem500M}},
+			expected:        true,
 		},
 		{
-			name:        "increase memory, decrease cpu, one container",
-			newRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem1500M}},
-			expected:    true,
+			name:            "increase memory, decrease cpu, one container",
+			newContRequests: map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem1500M}},
+			expected:        true,
 		},
 		{
 			name: "increase one container, decrease another container, net neutral",
-			newRequests: map[int]v1.ResourceList{
+			newContRequests: map[int]v1.ResourceList{
 				0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M},
 				1: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
 			},
@@ -1802,36 +2071,92 @@ func TestIsResizeIncreasingRequests(t *testing.T) {
 		},
 		{
 			name: "decrease requests, two containers",
-			newRequests: map[int]v1.ResourceList{
+			newContRequests: map[int]v1.ResourceList{
 				0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
 				1: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
 			},
 			expected: false,
 		},
 		{
-			name:        "remove requests, set as empty struct",
-			newRequests: map[int]v1.ResourceList{0: {}},
-			expected:    false,
+			name:            "remove requests, set as empty struct",
+			newContRequests: map[int]v1.ResourceList{0: {}},
+			expected:        false,
+		},
+		{
+			name:            "remove requests, set as nil",
+			newContRequests: map[int]v1.ResourceList{0: nil},
+			expected:        false,
+		},
+		{
+			name:            "add requests, set as empty struct",
+			newContRequests: map[int]v1.ResourceList{2: {v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M}},
+			expected:        true,
+		},
+		{
+			name:            "add requests, set as nil",
+			newContRequests: map[int]v1.ResourceList{3: {v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M}},
+			expected:        true,
+		},
+		{
+			name:                         "pod-level: increase cpu",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("3000m"), v1.ResourceMemory: resource.MustParse("2500Mi")},
+			expected:                     true,
+			inPlacePodLevelResizeEnabled: true,
+		},
+		{
+			name:                         "pod-level: decrease memory",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("2500m"), v1.ResourceMemory: resource.MustParse("2000Mi")},
+			expected:                     false,
+			inPlacePodLevelResizeEnabled: true,
+		},
+		{
+			name:                         "pod-level: increase cpu, decrease memory",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("3000m"), v1.ResourceMemory: resource.MustParse("2000Mi")},
+			expected:                     true,
+			inPlacePodLevelResizeEnabled: true,
+		},
+		{
+			name:                         "container-level: increase cpu",
+			newContRequests:              map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M}},
+			expected:                     false,
+			inPlacePodLevelResizeEnabled: true,
 		},
 		{
-			name:        "remove requests, set as nil",
-			newRequests: map[int]v1.ResourceList{0: nil},
-			expected:    false,
+			name:                         "container-level: decrease cpu",
+			newContRequests:              map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem1000M}},
+			expected:                     false,
+			inPlacePodLevelResizeEnabled: true,
 		},
 		{
-			name:        "add requests, set as empty struct",
-			newRequests: map[int]v1.ResourceList{2: {v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M}},
-			expected:    true,
+			name:                         "pod & container: increase container cpu, increase pod cpu, net increase",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("2600m"), v1.ResourceMemory: resource.MustParse("2500Mi")}, // +100m
+			newContRequests:              map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M}},                           // +500m
+			expected:                     true,
+			inPlacePodLevelResizeEnabled: true,
 		},
 		{
-			name:        "add requests, set as nil",
-			newRequests: map[int]v1.ResourceList{3: {v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M}},
-			expected:    true,
+			name:                         "pod & container: decrease container cpu, decrease pod cpu, net decrease",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("2000m"), v1.ResourceMemory: resource.MustParse("2500Mi")}, // -500m
+			newContRequests:              map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem1000M}},                            // -500m
+			expected:                     false,
+			inPlacePodLevelResizeEnabled: true,
+		},
+		{
+			name:                         "pod & container: increase container cpu, same pod cpu, net neutral",
+			newPodRequests:               v1.ResourceList{v1.ResourceCPU: resource.MustParse("2500m"), v1.ResourceMemory: resource.MustParse("2500Mi")}, // 0
+			newContRequests:              map[int]v1.ResourceList{0: {v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1000M}},                           // +500m
+			expected:                     false,
+			inPlacePodLevelResizeEnabled: true,
 		},
 	}
 
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
+			if tc.inPlacePodLevelResizeEnabled == true {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+			}
+
 			testPod := &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					UID:       "1111",
@@ -1871,10 +2196,19 @@ func TestIsResizeIncreasingRequests(t *testing.T) {
 					},
 				},
 			}
+			if tc.inPlacePodLevelResizeEnabled == true {
+				testPod.Spec.Resources = &v1.ResourceRequirements{
+					Requests: v1.ResourceList{v1.ResourceCPU: cpu2500m, v1.ResourceMemory: mem2500M},
+				}
+			}
+
 			allocationManager := makeAllocationManager(t, &containertest.FakeRuntime{}, []*v1.Pod{testPod}, nil)
 			require.NoError(t, allocationManager.SetAllocatedResources(testPod))
 
-			for k, v := range tc.newRequests {
+			if tc.newPodRequests != nil {
+				testPod.Spec.Resources.Requests = tc.newPodRequests
+			}
+			for k, v := range tc.newContRequests {
 				testPod.Spec.Containers[k].Resources.Requests = v
 			}
 			require.Equal(t, tc.expected, allocationManager.(*manager).isResizeIncreasingRequests(testPod))
@@ -1889,7 +2223,7 @@ func TestSortPendingResizes(t *testing.T) {
 	mem500M := resource.MustParse("500Mi")
 	mem1000M := resource.MustParse("1Gi")
 	mem1500M := resource.MustParse("1500Mi")
-
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
 	createTestPod := func(podNumber int) *v1.Pod {
 		return &v1.Pod{
 			ObjectMeta: metav1.ObjectMeta{
@@ -1909,43 +2243,43 @@ func TestSortPendingResizes(t *testing.T) {
 		}
 	}
 
-	testPods := []*v1.Pod{createTestPod(0), createTestPod(1), createTestPod(2), createTestPod(3), createTestPod(4), createTestPod(5)}
+	testPods := []*v1.Pod{createTestPod(0), createTestPod(1), createTestPod(2), createTestPod(3), createTestPod(4), createTestPod(5), createTestPod(6)}
 	allocationManager := makeAllocationManager(t, &containertest.FakeRuntime{}, testPods, nil)
 	for _, testPod := range testPods {
 		require.NoError(t, allocationManager.SetAllocatedResources(testPod))
 	}
 
-	// testPods[0] has the highest priority, as it doesn't increase resource requests.
-	// testPods[1] has the highest PriorityClass.
-	// testPods[2] is the only pod with QoS class "guaranteed" (all others are burstable).
-	// testPods[3] has been in a "deferred" state for longer than testPods[4].
-	// testPods[5] has no resize conditions yet, indicating it is a newer request than the other deferred resizes.
+	// testPods[0] has the highest priority, as it doesn't increase resource requests (pod-level).
+	// testPods[1] has the next highest priority, as it doesn't increase resource requests (container-level).
+	// testPods[2] has the highest PriorityClass.
+	// testPods[3] is the only pod with QoS class "guaranteed" (all others are burstable).
+	// testPods[4] has been in a "deferred" state for longer than testPods[5].
+	// testPods[6] has no resize conditions yet, indicating it is a newer request than the other deferred resizes.
 
-	testPods[0].Spec.Containers[0].Resources.Requests = v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M}
-	for i := 1; i < len(testPods); i++ {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+
+	testPods[0].Spec.Resources = &v1.ResourceRequirements{Requests: v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M}}
+	testPods[1].Spec.Containers[0].Resources.Requests = v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M}
+	for i := 2; i < len(testPods); i++ {
 		testPods[i].Spec.Containers[0].Resources.Requests = v1.ResourceList{v1.ResourceCPU: cpu1500m, v1.ResourceMemory: mem1500M}
 	}
 
-	testPods[1].Spec.Priority = ptr.To(int32(100))
-	testPods[2].Status.QOSClass = v1.PodQOSGuaranteed
-	allocationManager.(*manager).statusManager.SetPodResizePendingCondition(testPods[3].UID, v1.PodReasonDeferred, "some-message", 1)
-	time.Sleep(5 * time.Millisecond)
+	testPods[2].Spec.Priority = ptr.To(int32(100))
+	testPods[3].Status.QOSClass = v1.PodQOSGuaranteed
 	allocationManager.(*manager).statusManager.SetPodResizePendingCondition(testPods[4].UID, v1.PodReasonDeferred, "some-message", 1)
+	time.Sleep(5 * time.Millisecond)
+	allocationManager.(*manager).statusManager.SetPodResizePendingCondition(testPods[5].UID, v1.PodReasonDeferred, "some-message", 1)
 
 	allocationManager.(*manager).getPodByUID = func(uid types.UID) (*v1.Pod, bool) {
-		pods := map[types.UID]*v1.Pod{
-			testPods[0].UID: testPods[0],
-			testPods[1].UID: testPods[1],
-			testPods[2].UID: testPods[2],
-			testPods[3].UID: testPods[3],
-			testPods[4].UID: testPods[4],
-			testPods[5].UID: testPods[5],
+		pods := make(map[types.UID]*v1.Pod)
+		for _, pod := range testPods {
+			pods[pod.UID] = pod
 		}
 		pod, found := pods[uid]
 		return pod, found
 	}
 
-	expected := []types.UID{testPods[0].UID, testPods[1].UID, testPods[2].UID, testPods[3].UID, testPods[4].UID, testPods[5].UID}
+	expected := []types.UID{testPods[0].UID, testPods[1].UID, testPods[2].UID, testPods[3].UID, testPods[4].UID, testPods[5].UID, testPods[6].UID}
 
 	// Push all the pods to the queue.
 	for i := range testPods {
@@ -1955,7 +2289,7 @@ func TestSortPendingResizes(t *testing.T) {
 
 	// Clear the queue and push the pods in reverse order to spice things up.
 	allocationManager.(*manager).podsWithPendingResizes = nil
-	for i := 5; i >= 0; i-- {
+	for i := len(testPods) - 1; i >= 0; i-- {
 		allocationManager.PushPendingResize(testPods[i].UID)
 	}
 	require.Equal(t, expected, allocationManager.(*manager).podsWithPendingResizes)
@@ -1979,10 +2313,12 @@ func TestRecordPodDeferredAcceptedResizes(t *testing.T) {
 		trigger             string
 		hasPendingCondition bool
 		expectedMetrics     string
+		expectedEvent       string
 	}{
 		{
-			name:    "trigger reason: pod updated, no pending condition",
-			trigger: TriggerReasonPodUpdated,
+			name:          "trigger reason: pod updated, no pending condition",
+			trigger:       TriggerReasonPodUpdated,
+			expectedEvent: `Normal ResizeStarted Pod resize started: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"500m","memory":"500Mi"}}}],"generation":0}`,
 		},
 		{
 			name:                "trigger reason: pod resized, pending condition",
@@ -1993,6 +2329,7 @@ func TestRecordPodDeferredAcceptedResizes(t *testing.T) {
 					# TYPE kubelet_pod_deferred_accepted_resizes_total counter
 					kubelet_pod_deferred_accepted_resizes_total{retry_trigger="pod_resized"} 1
 			`,
+			expectedEvent: `Normal ResizeStarted Pod resize started: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"500m","memory":"500Mi"}}}],"generation":0}`,
 		},
 		{
 			name:                "trigger reason: periodic retry, pending condition",
@@ -2004,6 +2341,7 @@ func TestRecordPodDeferredAcceptedResizes(t *testing.T) {
 					kubelet_pod_deferred_accepted_resizes_total{retry_trigger="periodic_retry"} 1
 					kubelet_pod_deferred_accepted_resizes_total{retry_trigger="pod_resized"} 1
 			`,
+			expectedEvent: `Normal ResizeStarted Pod resize started: {"containers":[{"name":"c1","resources":{"requests":{"cpu":"500m","memory":"500Mi"}}}],"generation":0}`,
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
@@ -2041,7 +2379,6 @@ func TestRecordPodDeferredAcceptedResizes(t *testing.T) {
 
 			am := makeAllocationManager(t, &containertest.FakeRuntime{}, []*v1.Pod{original}, nil)
 			require.NoError(t, am.SetAllocatedResources(original))
-			require.NoError(t, am.SetActuatedResources(original, nil))
 			if tc.hasPendingCondition {
 				am.(*manager).statusManager.SetPodResizePendingCondition(original.UID, v1.PodReasonDeferred, "message", 1)
 			}
@@ -2058,9 +2395,13 @@ func TestRecordPodDeferredAcceptedResizes(t *testing.T) {
 			require.NoError(t, testutil.GatherAndCompare(
 				legacyregistry.DefaultGatherer, strings.NewReader(tc.expectedMetrics), "kubelet_pod_deferred_accepted_resizes_total",
 			))
+
+			fakeRecorder := am.(*manager).recorder.(*record.FakeRecorder)
+			require.Len(t, fakeRecorder.Events, 1)
+			event := <-fakeRecorder.Events
+			require.Equal(t, tc.expectedEvent, event)
 		})
 	}
-
 }
 
 func makeAllocationManager(t *testing.T, runtime *containertest.FakeRuntime, allocatedPods []*v1.Pod, nodeConfig *cm.NodeConfig) Manager {
@@ -2073,7 +2414,8 @@ func makeAllocationManager(t *testing.T, runtime *containertest.FakeRuntime, all
 		containerManager = cm.NewFakeContainerManagerWithNodeConfig(*nodeConfig)
 	}
 	allocationManager := NewInMemoryManager(
-		containerManager,
+		containerManager.GetNodeConfig(),
+		containerManager.GetNodeAllocatableAbsolute(),
 		statusManager,
 		func(pod *v1.Pod) {
 			/* For testing, just mark the pod as having a pod sync triggered in an annotation. */
@@ -2092,10 +2434,11 @@ func makeAllocationManager(t *testing.T, runtime *containertest.FakeRuntime, all
 			return nil, false
 		},
 		config.NewSourcesReady(func(_ sets.Set[string]) bool { return true }),
+		record.NewFakeRecorder(20),
 	)
 	allocationManager.SetContainerRuntime(runtime)
 
-	getNode := func() (*v1.Node, error) {
+	getNode := func(context.Context, bool) (*v1.Node, error) {
 		return &v1.Node{
 			Status: v1.NodeStatus{
 				Capacity: v1.ResourceList{
@@ -2110,7 +2453,7 @@ func makeAllocationManager(t *testing.T, runtime *containertest.FakeRuntime, all
 			},
 		}, nil
 	}
-	handler := lifecycle.NewPredicateAdmitHandler(getNode, lifecycle.NewAdmissionFailureHandlerStub(), allocationManager.(*manager).containerManager.UpdatePluginResources)
+	handler := lifecycle.NewPredicateAdmitHandler(getNode, lifecycle.NewAdmissionFailureHandlerStub(), containerManager.UpdatePluginResources)
 	allocationManager.AddPodAdmitHandlers(lifecycle.PodAdmitHandlers{handler})
 
 	return allocationManager
diff --git a/pkg/kubelet/allocation/features_linux.go b/pkg/kubelet/allocation/features_linux.go
index f0f462f8339c9..fad24ace7e3cc 100644
--- a/pkg/kubelet/allocation/features_linux.go
+++ b/pkg/kubelet/allocation/features_linux.go
@@ -35,3 +35,10 @@ func IsInPlacePodVerticalScalingAllowed(pod *v1.Pod) (allowed bool, msg, reason
 	}
 	return true, "", ""
 }
+
+func IsInPlacePodLevelResourcesVerticalScalingAllowed(pod *v1.Pod) (allowed bool, msg, reason string) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		return false, "InPlacePodLevelResourcesVerticalScaling is disabled", "plr_feature_gate_off"
+	}
+	return true, "", ""
+}
diff --git a/pkg/kubelet/allocation/features_unsupported.go b/pkg/kubelet/allocation/features_unsupported.go
index 869a9727c62f9..127b062326f72 100644
--- a/pkg/kubelet/allocation/features_unsupported.go
+++ b/pkg/kubelet/allocation/features_unsupported.go
@@ -24,3 +24,7 @@ import v1 "k8s.io/api/core/v1"
 func IsInPlacePodVerticalScalingAllowed(_ *v1.Pod) (allowed bool, msg, reason string) {
 	return false, "In-place pod resize is not supported on this node", "unsupported_platform"
 }
+
+func IsInPlacePodLevelResourcesVerticalScalingAllowed(pod *v1.Pod) (allowed bool, msg, reason string) {
+	return false, "In-place pod-level resources resize is not supported on this node", "unsupported_platform"
+}
diff --git a/pkg/kubelet/allocation/features_windows.go b/pkg/kubelet/allocation/features_windows.go
index 0818a825b643f..15b6855f39a9c 100644
--- a/pkg/kubelet/allocation/features_windows.go
+++ b/pkg/kubelet/allocation/features_windows.go
@@ -24,3 +24,7 @@ import v1 "k8s.io/api/core/v1"
 func IsInPlacePodVerticalScalingAllowed(_ *v1.Pod) (allowed bool, msg, reason string) {
 	return false, "In-place pod resize is not supported on Windows", "windows"
 }
+
+func IsInPlacePodLevelResourcesVerticalScalingAllowed(pod *v1.Pod) (allowed bool, msg, reason string) {
+	return false, "In-place pod-level resources resize is not supported on Windows", "windows"
+}
diff --git a/pkg/kubelet/allocation/state/state.go b/pkg/kubelet/allocation/state/state.go
index 8022e10413c3e..d21b476595030 100644
--- a/pkg/kubelet/allocation/state/state.go
+++ b/pkg/kubelet/allocation/state/state.go
@@ -26,6 +26,7 @@ import (
 type PodResourceInfo struct {
 	// ContainerResources maps container names to their respective ResourceRequirements.
 	ContainerResources map[string]v1.ResourceRequirements
+	PodLevelResources  *v1.ResourceRequirements
 }
 
 // PodResourceInfoMap maps pod UIDs to their corresponding PodResourceInfo,
@@ -38,6 +39,7 @@ func (pr PodResourceInfoMap) Clone() PodResourceInfoMap {
 	for podUID, podInfo := range pr {
 		prCopy[podUID] = PodResourceInfo{
 			ContainerResources: make(map[string]v1.ResourceRequirements),
+			PodLevelResources:  podInfo.PodLevelResources.DeepCopy(),
 		}
 		for containerName, containerInfo := range podInfo.ContainerResources {
 			prCopy[podUID].ContainerResources[containerName] = *containerInfo.DeepCopy()
@@ -51,11 +53,13 @@ type Reader interface {
 	GetContainerResources(podUID types.UID, containerName string) (v1.ResourceRequirements, bool)
 	GetPodResourceInfoMap() PodResourceInfoMap
 	GetPodResourceInfo(podUID types.UID) (PodResourceInfo, bool)
+	GetPodLevelResources(podUID types.UID) (*v1.ResourceRequirements, bool)
 }
 
 type writer interface {
 	SetContainerResources(podUID types.UID, containerName string, resources v1.ResourceRequirements) error
 	SetPodResourceInfo(podUID types.UID, resourceInfo PodResourceInfo) error
+	SetPodLevelResources(podUID types.UID, alloc *v1.ResourceRequirements) error
 	RemovePod(podUID types.UID) error
 	// RemoveOrphanedPods removes the stored state for any pods not included in the set of remaining pods.
 	RemoveOrphanedPods(remainingPods sets.Set[types.UID])
diff --git a/pkg/kubelet/allocation/state/state_checkpoint.go b/pkg/kubelet/allocation/state/state_checkpoint.go
index f41415c0152d7..cdfff8b164852 100644
--- a/pkg/kubelet/allocation/state/state_checkpoint.go
+++ b/pkg/kubelet/allocation/state/state_checkpoint.go
@@ -112,6 +112,13 @@ func (sc *stateCheckpoint) GetContainerResources(podUID types.UID, containerName
 	return sc.cache.GetContainerResources(podUID, containerName)
 }
 
+// GetPodLevelResources returns current resources information at pod-level
+func (sc *stateCheckpoint) GetPodLevelResources(podUID types.UID) (*v1.ResourceRequirements, bool) {
+	sc.mux.RLock()
+	defer sc.mux.RUnlock()
+	return sc.cache.GetPodLevelResources(podUID)
+}
+
 // GetPodResourceInfoMap returns current pod resource information map
 func (sc *stateCheckpoint) GetPodResourceInfoMap() PodResourceInfoMap {
 	sc.mux.RLock()
@@ -137,6 +144,17 @@ func (sc *stateCheckpoint) SetContainerResources(podUID types.UID, containerName
 	return sc.storeState()
 }
 
+// SetPodLevelResources sets resources information for a pod's resources at pod-level.
+func (sc *stateCheckpoint) SetPodLevelResources(podUID types.UID, resInfo *v1.ResourceRequirements) error {
+	sc.mux.Lock()
+	defer sc.mux.Unlock()
+	err := sc.cache.SetPodLevelResources(podUID, resInfo)
+	if err != nil {
+		return err
+	}
+	return sc.storeState()
+}
+
 // SetPodResourceInfo sets pod resource information
 func (sc *stateCheckpoint) SetPodResourceInfo(podUID types.UID, resourceInfo PodResourceInfo) error {
 	sc.mux.Lock()
@@ -175,6 +193,10 @@ func (sc *noopStateCheckpoint) GetContainerResources(_ types.UID, _ string) (v1.
 	return v1.ResourceRequirements{}, false
 }
 
+func (sc *noopStateCheckpoint) GetPodLevelResources(_ types.UID) (*v1.ResourceRequirements, bool) {
+	return nil, false
+}
+
 func (sc *noopStateCheckpoint) GetPodResourceInfoMap() PodResourceInfoMap {
 	return nil
 }
@@ -187,6 +209,10 @@ func (sc *noopStateCheckpoint) SetContainerResources(_ types.UID, _ string, _ v1
 	return nil
 }
 
+func (sc *noopStateCheckpoint) SetPodLevelResources(_ types.UID, _ *v1.ResourceRequirements) error {
+	return nil
+}
+
 func (sc *noopStateCheckpoint) SetPodResourceInfo(_ types.UID, _ PodResourceInfo) error {
 	return nil
 }
diff --git a/pkg/kubelet/allocation/state/state_checkpoint_test.go b/pkg/kubelet/allocation/state/state_checkpoint_test.go
index f409245fc40c1..e306d7e32d5cc 100644
--- a/pkg/kubelet/allocation/state/state_checkpoint_test.go
+++ b/pkg/kubelet/allocation/state/state_checkpoint_test.go
@@ -101,6 +101,12 @@ func Test_stateCheckpoint_storeState(t *testing.T) {
 									},
 								},
 							},
+							PodLevelResources: &v1.ResourceRequirements{
+								Requests: v1.ResourceList{
+									v1.ResourceCPU:    resource.MustParse(fmt.Sprintf("%s%s", fact, suf)),
+									v1.ResourceMemory: resource.MustParse(fmt.Sprintf("%s%s", fact, suf)),
+								},
+							},
 						},
 					},
 				},
@@ -142,6 +148,7 @@ func Test_stateCheckpoint_storeState(t *testing.T) {
 				ContainerResources: map[string]v1.ResourceRequirements{
 					"container1": {Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")}},
 				},
+				PodLevelResources: &v1.ResourceRequirements{Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")}},
 			}))
 			require.FileExists(t, checkpointPath, "checkpoint should be re-written")
 		})
diff --git a/pkg/kubelet/allocation/state/state_mem.go b/pkg/kubelet/allocation/state/state_mem.go
index e4b5210524bb8..3dfad44837ca1 100644
--- a/pkg/kubelet/allocation/state/state_mem.go
+++ b/pkg/kubelet/allocation/state/state_mem.go
@@ -59,6 +59,19 @@ func (s *stateMemory) GetContainerResources(podUID types.UID, containerName stri
 	return *resources.DeepCopy(), ok
 }
 
+// GetPodLevelResources returns current resources information at pod-level
+func (s *stateMemory) GetPodLevelResources(podUID types.UID) (*v1.ResourceRequirements, bool) {
+	s.RLock()
+	defer s.RUnlock()
+
+	pr, ok := s.podResources[podUID]
+	if !ok {
+		return nil, ok
+	}
+
+	return pr.PodLevelResources.DeepCopy(), ok
+}
+
 func (s *stateMemory) GetPodResourceInfoMap() PodResourceInfoMap {
 	s.RLock()
 	defer s.RUnlock()
@@ -77,17 +90,41 @@ func (s *stateMemory) SetContainerResources(podUID types.UID, containerName stri
 	s.Lock()
 	defer s.Unlock()
 
-	if _, ok := s.podResources[podUID]; !ok {
-		s.podResources[podUID] = PodResourceInfo{
+	podInfo, ok := s.podResources[podUID]
+	if !ok {
+		podInfo = PodResourceInfo{
 			ContainerResources: make(map[string]v1.ResourceRequirements),
 		}
 	}
 
-	s.podResources[podUID].ContainerResources[containerName] = resources
+	if podInfo.ContainerResources == nil {
+		podInfo.ContainerResources = make(map[string]v1.ResourceRequirements)
+	}
+
+	podInfo.ContainerResources[containerName] = resources
+	s.podResources[podUID] = podInfo
+
 	klog.V(3).InfoS("Updated container resource information", "podUID", podUID, "containerName", containerName, "resources", resources)
 	return nil
 }
 
+func (s *stateMemory) SetPodLevelResources(podUID types.UID, resources *v1.ResourceRequirements) error {
+	s.Lock()
+	defer s.Unlock()
+
+	podInfo, ok := s.podResources[podUID]
+	if !ok {
+		podInfo.PodLevelResources = &v1.ResourceRequirements{}
+	}
+
+	podInfo.PodLevelResources = resources
+
+	s.podResources[podUID] = podInfo
+
+	klog.V(3).InfoS("Updated pod-level resource info", "podUID", podUID, "resources", resources)
+	return nil
+}
+
 func (s *stateMemory) SetPodResourceInfo(podUID types.UID, resourceInfo PodResourceInfo) error {
 	s.Lock()
 	defer s.Unlock()
diff --git a/pkg/kubelet/apis/config/fuzzer/fuzzer.go b/pkg/kubelet/apis/config/fuzzer/fuzzer.go
index 16f7c2238604a..bc2f9b0700724 100644
--- a/pkg/kubelet/apis/config/fuzzer/fuzzer.go
+++ b/pkg/kubelet/apis/config/fuzzer/fuzzer.go
@@ -64,6 +64,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.ImageMaximumGCAge = metav1.Duration{}
 			obj.ImageGCHighThresholdPercent = 85
 			obj.ImageGCLowThresholdPercent = 80
+			obj.ImagePullCredentialsVerificationPolicy = string(kubeletconfig.NeverVerifyPreloadedImages)
 			obj.KernelMemcgNotification = false
 			obj.MaxOpenFiles = 1000000
 			obj.MaxPods = 110
@@ -126,6 +127,9 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 				"AllAlpha": false,
 				"AllBeta":  true,
 			}
+			obj.CrashLoopBackOff = kubeletconfig.CrashLoopBackOffConfig{
+				MaxContainerRestartPeriod: &metav1.Duration{Duration: 5 * time.Minute},
+			}
 		},
 
 		// tokenAttributes field is only supported in v1 CredentialProvider
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/after/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/after/v1beta1.yaml
new file mode 100644
index 0000000000000..5621227a099ca
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/after/v1beta1.yaml
@@ -0,0 +1,3 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+image: ""
+kind: ImagePullIntent
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/before/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/before/v1beta1.yaml
new file mode 100644
index 0000000000000..c2b5d8ce5553d
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/before/v1beta1.yaml
@@ -0,0 +1,2 @@
+kind: ImagePullIntent
+apiVersion: kubelet.config.k8s.io/v1beta1
\ No newline at end of file
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/roundtrip/default/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/roundtrip/default/v1beta1.yaml
new file mode 100644
index 0000000000000..5621227a099ca
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePullIntent/roundtrip/default/v1beta1.yaml
@@ -0,0 +1,3 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+image: ""
+kind: ImagePullIntent
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/after/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/after/v1beta1.yaml
new file mode 100644
index 0000000000000..6e13c182686bd
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/after/v1beta1.yaml
@@ -0,0 +1,4 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+imageRef: ""
+kind: ImagePulledRecord
+lastUpdatedTime: null
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/before/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/before/v1beta1.yaml
new file mode 100644
index 0000000000000..a51bb9f9b05e4
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/before/v1beta1.yaml
@@ -0,0 +1,2 @@
+kind: ImagePulledRecord
+apiVersion: kubelet.config.k8s.io/v1beta1
\ No newline at end of file
diff --git a/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/roundtrip/default/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/roundtrip/default/v1beta1.yaml
new file mode 100644
index 0000000000000..6e13c182686bd
--- /dev/null
+++ b/pkg/kubelet/apis/config/scheme/testdata/ImagePulledRecord/roundtrip/default/v1beta1.yaml
@@ -0,0 +1,4 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+imageRef: ""
+kind: ImagePulledRecord
+lastUpdatedTime: null
diff --git a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml
index 1acdd87f50f11..3b0ea0fc8d9f3 100644
--- a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml
+++ b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/after/v1beta1.yaml
@@ -25,7 +25,8 @@ cpuCFSQuota: true
 cpuCFSQuotaPeriod: 100ms
 cpuManagerPolicy: none
 cpuManagerReconcilePeriod: 10s
-crashLoopBackOff: {}
+crashLoopBackOff:
+  maxContainerRestartPeriod: 5m0s
 enableControllerAttachDetach: true
 enableDebugFlagsHandler: true
 enableDebuggingHandlers: true
@@ -38,7 +39,7 @@ enforceNodeAllocatable:
 eventBurst: 100
 eventRecordQPS: 50
 evictionPressureTransitionPeriod: 5m0s
-failCgroupV1: false
+failCgroupV1: true
 failSwapOn: true
 fileCheckFrequency: 20s
 hairpinMode: promiscuous-bridge
@@ -49,6 +50,7 @@ imageGCHighThresholdPercent: 85
 imageGCLowThresholdPercent: 80
 imageMaximumGCAge: 0s
 imageMinimumGCAge: 2m0s
+imagePullCredentialsVerificationPolicy: NeverVerifyPreloadedImages
 iptablesDropBit: 15
 iptablesMasqueradeBit: 14
 kind: KubeletConfiguration
diff --git a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml
index 33c9777a94aad..1ceb95dc24ec7 100644
--- a/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml
+++ b/pkg/kubelet/apis/config/scheme/testdata/KubeletConfiguration/roundtrip/default/v1beta1.yaml
@@ -25,7 +25,8 @@ cpuCFSQuota: true
 cpuCFSQuotaPeriod: 100ms
 cpuManagerPolicy: none
 cpuManagerReconcilePeriod: 10s
-crashLoopBackOff: {}
+crashLoopBackOff:
+  maxContainerRestartPeriod: 5m0s
 enableControllerAttachDetach: true
 enableDebugFlagsHandler: true
 enableDebuggingHandlers: true
@@ -38,7 +39,7 @@ enforceNodeAllocatable:
 eventBurst: 10
 eventRecordQPS: 5
 evictionPressureTransitionPeriod: 5m0s
-failCgroupV1: false
+failCgroupV1: true
 failSwapOn: true
 fileCheckFrequency: 20s
 hairpinMode: promiscuous-bridge
@@ -49,6 +50,7 @@ imageGCHighThresholdPercent: 85
 imageGCLowThresholdPercent: 80
 imageMaximumGCAge: 0s
 imageMinimumGCAge: 2m0s
+imagePullCredentialsVerificationPolicy: NeverVerifyPreloadedImages
 iptablesDropBit: 15
 iptablesMasqueradeBit: 14
 kind: KubeletConfiguration
diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go
index 1260dddc5b578..6ab19ac1c6614 100644
--- a/pkg/kubelet/apis/config/types.go
+++ b/pkg/kubelet/apis/config/types.go
@@ -887,7 +887,7 @@ type ImagePulledRecord struct {
 
 // ImagePullCredentials describe credentials that can be used to pull an image.
 type ImagePullCredentials struct {
-	// KuberneteSecretCoordinates is an index of coordinates of all the kubernetes
+	// KubernetesSecretCoordinates is an index of coordinates of all the kubernetes
 	// secrets that were used to pull the image.
 	// +optional
 	KubernetesSecrets []ImagePullSecret
diff --git a/pkg/kubelet/apis/config/v1beta1/defaults.go b/pkg/kubelet/apis/config/v1beta1/defaults.go
index 04d71d00bd778..ba5e7aeb6008e 100644
--- a/pkg/kubelet/apis/config/v1beta1/defaults.go
+++ b/pkg/kubelet/apis/config/v1beta1/defaults.go
@@ -290,7 +290,7 @@ func SetDefaults_KubeletConfiguration(obj *kubeletconfigv1beta1.KubeletConfigura
 		obj.SeccompDefault = ptr.To(false)
 	}
 	if obj.FailCgroupV1 == nil {
-		obj.FailCgroupV1 = ptr.To(false)
+		obj.FailCgroupV1 = ptr.To(true)
 	}
 	if obj.MemoryThrottlingFactor == nil {
 		obj.MemoryThrottlingFactor = ptr.To(DefaultMemoryThrottlingFactor)
diff --git a/pkg/kubelet/apis/config/v1beta1/defaults_test.go b/pkg/kubelet/apis/config/v1beta1/defaults_test.go
index 9c79a088cc0ff..471e74924db4a 100644
--- a/pkg/kubelet/apis/config/v1beta1/defaults_test.go
+++ b/pkg/kubelet/apis/config/v1beta1/defaults_test.go
@@ -77,7 +77,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				NodeLeaseDurationSeconds:                  40,
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageMaximumGCAge:                         metav1.Duration{},
-				ImagePullCredentialsVerificationPolicy:    "",
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				ImageGCHighThresholdPercent:               ptr.To[int32](85),
 				ImageGCLowThresholdPercent:                ptr.To[int32](80),
 				ContainerRuntimeEndpoint:                  "unix:///run/containerd/containerd.sock",
@@ -126,13 +126,15 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(true),
 				EnableDebugFlagsHandler:       ptr.To(true),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To(DefaultMemoryThrottlingFactor),
 				RegisterNode:                  ptr.To(true),
 				LocalStorageCapacityIsolation: ptr.To(true),
 				PodLogsDir:                    DefaultPodLogsDir,
 				SingleProcessOOMKill:          nil,
-				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
+				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
+					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
+				},
 			},
 		},
 		{
@@ -261,7 +263,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:          ptr.To(false),
 				EnableDebugFlagsHandler:         ptr.To(false),
 				SeccompDefault:                  ptr.To(false),
-				FailCgroupV1:                    ptr.To(false),
+				FailCgroupV1:                    ptr.To(true),
 				MemoryThrottlingFactor:          ptr.To[float64](0),
 				RegisterNode:                    ptr.To(false),
 				LocalStorageCapacityIsolation:   ptr.To(false),
@@ -309,7 +311,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageGCHighThresholdPercent:               ptr.To[int32](0),
 				ImageGCLowThresholdPercent:                ptr.To[int32](0),
-				ImagePullCredentialsVerificationPolicy:    "",
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				VolumeStatsAggPeriod:                      metav1.Duration{Duration: time.Minute},
 				CgroupsPerQOS:                             ptr.To(false),
 				CgroupDriver:                              "cgroupfs",
@@ -366,13 +368,15 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(false),
 				EnableDebugFlagsHandler:       ptr.To(false),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To[float64](0),
 				RegisterNode:                  ptr.To(false),
 				LocalStorageCapacityIsolation: ptr.To(false),
 				PodLogsDir:                    DefaultPodLogsDir,
 				SingleProcessOOMKill:          ptr.To(false),
-				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
+				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
+					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
+				},
 			},
 		},
 		{
@@ -410,55 +414,56 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 						CacheUnauthorizedTTL: metav1.Duration{Duration: 60 * time.Second},
 					},
 				},
-				RegistryPullQPS:                      ptr.To[int32](1),
-				RegistryBurst:                        1,
-				EventRecordQPS:                       ptr.To[int32](1),
-				EventBurst:                           1,
-				EnableDebuggingHandlers:              ptr.To(true),
-				EnableContentionProfiling:            true,
-				HealthzPort:                          ptr.To[int32](1),
-				HealthzBindAddress:                   "127.0.0.2",
-				OOMScoreAdj:                          ptr.To[int32](1),
-				ClusterDomain:                        "cluster-domain",
-				ClusterDNS:                           []string{"192.168.1.3"},
-				StreamingConnectionIdleTimeout:       metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusUpdateFrequency:            metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusReportFrequency:            metav1.Duration{Duration: 60 * time.Second},
-				NodeLeaseDurationSeconds:             1,
-				ContainerRuntimeEndpoint:             "unix:///run/containerd/containerd.sock",
-				ImageMinimumGCAge:                    metav1.Duration{Duration: 60 * time.Second},
-				ImageGCHighThresholdPercent:          ptr.To[int32](1),
-				ImageGCLowThresholdPercent:           ptr.To[int32](1),
-				PreloadedImagesVerificationAllowlist: []string{"test.test/repo/image"},
-				VolumeStatsAggPeriod:                 metav1.Duration{Duration: 60 * time.Second},
-				KubeletCgroups:                       "kubelet-cgroup",
-				SystemCgroups:                        "system-cgroup",
-				CgroupRoot:                           "root-cgroup",
-				CgroupsPerQOS:                        ptr.To(true),
-				CgroupDriver:                         "systemd",
-				CPUManagerPolicy:                     "cpu-manager-policy",
-				CPUManagerPolicyOptions:              map[string]string{"key": "value"},
-				CPUManagerReconcilePeriod:            metav1.Duration{Duration: 60 * time.Second},
-				MemoryManagerPolicy:                  v1beta1.StaticMemoryManagerPolicy,
-				TopologyManagerPolicy:                v1beta1.RestrictedTopologyManagerPolicy,
-				TopologyManagerScope:                 v1beta1.PodTopologyManagerScope,
-				QOSReserved:                          map[string]string{"memory": "10%"},
-				RuntimeRequestTimeout:                metav1.Duration{Duration: 60 * time.Second},
-				HairpinMode:                          v1beta1.HairpinVeth,
-				MaxPods:                              1,
-				PodCIDR:                              "192.168.1.0/24",
-				PodPidsLimit:                         ptr.To[int64](1),
-				ResolverConfig:                       ptr.To("resolver-config"),
-				RunOnce:                              true,
-				CPUCFSQuota:                          ptr.To(true),
-				CPUCFSQuotaPeriod:                    &metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusMaxImages:                  ptr.To[int32](1),
-				MaxOpenFiles:                         1,
-				ContentType:                          "application/protobuf",
-				KubeAPIQPS:                           ptr.To[int32](1),
-				KubeAPIBurst:                         1,
-				SerializeImagePulls:                  ptr.To(true),
-				MaxParallelImagePulls:                ptr.To[int32](5),
+				RegistryPullQPS:                        ptr.To[int32](1),
+				RegistryBurst:                          1,
+				EventRecordQPS:                         ptr.To[int32](1),
+				EventBurst:                             1,
+				EnableDebuggingHandlers:                ptr.To(true),
+				EnableContentionProfiling:              true,
+				HealthzPort:                            ptr.To[int32](1),
+				HealthzBindAddress:                     "127.0.0.2",
+				OOMScoreAdj:                            ptr.To[int32](1),
+				ClusterDomain:                          "cluster-domain",
+				ClusterDNS:                             []string{"192.168.1.3"},
+				StreamingConnectionIdleTimeout:         metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusUpdateFrequency:              metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusReportFrequency:              metav1.Duration{Duration: 60 * time.Second},
+				NodeLeaseDurationSeconds:               1,
+				ContainerRuntimeEndpoint:               "unix:///run/containerd/containerd.sock",
+				ImageMinimumGCAge:                      metav1.Duration{Duration: 60 * time.Second},
+				ImageGCHighThresholdPercent:            ptr.To[int32](1),
+				ImageGCLowThresholdPercent:             ptr.To[int32](1),
+				ImagePullCredentialsVerificationPolicy: "AlwaysVerify",
+				PreloadedImagesVerificationAllowlist:   []string{"test.test/repo/image"},
+				VolumeStatsAggPeriod:                   metav1.Duration{Duration: 60 * time.Second},
+				KubeletCgroups:                         "kubelet-cgroup",
+				SystemCgroups:                          "system-cgroup",
+				CgroupRoot:                             "root-cgroup",
+				CgroupsPerQOS:                          ptr.To(true),
+				CgroupDriver:                           "systemd",
+				CPUManagerPolicy:                       "cpu-manager-policy",
+				CPUManagerPolicyOptions:                map[string]string{"key": "value"},
+				CPUManagerReconcilePeriod:              metav1.Duration{Duration: 60 * time.Second},
+				MemoryManagerPolicy:                    v1beta1.StaticMemoryManagerPolicy,
+				TopologyManagerPolicy:                  v1beta1.RestrictedTopologyManagerPolicy,
+				TopologyManagerScope:                   v1beta1.PodTopologyManagerScope,
+				QOSReserved:                            map[string]string{"memory": "10%"},
+				RuntimeRequestTimeout:                  metav1.Duration{Duration: 60 * time.Second},
+				HairpinMode:                            v1beta1.HairpinVeth,
+				MaxPods:                                1,
+				PodCIDR:                                "192.168.1.0/24",
+				PodPidsLimit:                           ptr.To[int64](1),
+				ResolverConfig:                         ptr.To("resolver-config"),
+				RunOnce:                                true,
+				CPUCFSQuota:                            ptr.To(true),
+				CPUCFSQuotaPeriod:                      &metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusMaxImages:                    ptr.To[int32](1),
+				MaxOpenFiles:                           1,
+				ContentType:                            "application/protobuf",
+				KubeAPIQPS:                             ptr.To[int32](1),
+				KubeAPIBurst:                           1,
+				SerializeImagePulls:                    ptr.To(true),
+				MaxParallelImagePulls:                  ptr.To[int32](5),
 				EvictionHard: map[string]string{
 					"memory.available":  "1Mi",
 					"nodefs.available":  "1%",
@@ -567,55 +572,56 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 						CacheUnauthorizedTTL: metav1.Duration{Duration: 60 * time.Second},
 					},
 				},
-				RegistryPullQPS:                      ptr.To[int32](1),
-				RegistryBurst:                        1,
-				EventRecordQPS:                       ptr.To[int32](1),
-				EventBurst:                           1,
-				EnableDebuggingHandlers:              ptr.To(true),
-				EnableContentionProfiling:            true,
-				HealthzPort:                          ptr.To[int32](1),
-				HealthzBindAddress:                   "127.0.0.2",
-				OOMScoreAdj:                          ptr.To[int32](1),
-				ClusterDomain:                        "cluster-domain",
-				ClusterDNS:                           []string{"192.168.1.3"},
-				StreamingConnectionIdleTimeout:       metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusUpdateFrequency:            metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusReportFrequency:            metav1.Duration{Duration: 60 * time.Second},
-				NodeLeaseDurationSeconds:             1,
-				ContainerRuntimeEndpoint:             "unix:///run/containerd/containerd.sock",
-				ImageMinimumGCAge:                    metav1.Duration{Duration: 60 * time.Second},
-				ImageGCHighThresholdPercent:          ptr.To[int32](1),
-				ImageGCLowThresholdPercent:           ptr.To[int32](1),
-				PreloadedImagesVerificationAllowlist: []string{"test.test/repo/image"},
-				VolumeStatsAggPeriod:                 metav1.Duration{Duration: 60 * time.Second},
-				KubeletCgroups:                       "kubelet-cgroup",
-				SystemCgroups:                        "system-cgroup",
-				CgroupRoot:                           "root-cgroup",
-				CgroupsPerQOS:                        ptr.To(true),
-				CgroupDriver:                         "systemd",
-				CPUManagerPolicy:                     "cpu-manager-policy",
-				CPUManagerPolicyOptions:              map[string]string{"key": "value"},
-				CPUManagerReconcilePeriod:            metav1.Duration{Duration: 60 * time.Second},
-				MemoryManagerPolicy:                  v1beta1.StaticMemoryManagerPolicy,
-				TopologyManagerPolicy:                v1beta1.RestrictedTopologyManagerPolicy,
-				TopologyManagerScope:                 v1beta1.PodTopologyManagerScope,
-				QOSReserved:                          map[string]string{"memory": "10%"},
-				RuntimeRequestTimeout:                metav1.Duration{Duration: 60 * time.Second},
-				HairpinMode:                          v1beta1.HairpinVeth,
-				MaxPods:                              1,
-				PodCIDR:                              "192.168.1.0/24",
-				PodPidsLimit:                         ptr.To[int64](1),
-				ResolverConfig:                       ptr.To("resolver-config"),
-				RunOnce:                              true,
-				CPUCFSQuota:                          ptr.To(true),
-				CPUCFSQuotaPeriod:                    &metav1.Duration{Duration: 60 * time.Second},
-				NodeStatusMaxImages:                  ptr.To[int32](1),
-				MaxOpenFiles:                         1,
-				ContentType:                          "application/protobuf",
-				KubeAPIQPS:                           ptr.To[int32](1),
-				KubeAPIBurst:                         1,
-				SerializeImagePulls:                  ptr.To(true),
-				MaxParallelImagePulls:                ptr.To[int32](5),
+				RegistryPullQPS:                        ptr.To[int32](1),
+				RegistryBurst:                          1,
+				EventRecordQPS:                         ptr.To[int32](1),
+				EventBurst:                             1,
+				EnableDebuggingHandlers:                ptr.To(true),
+				EnableContentionProfiling:              true,
+				HealthzPort:                            ptr.To[int32](1),
+				HealthzBindAddress:                     "127.0.0.2",
+				OOMScoreAdj:                            ptr.To[int32](1),
+				ClusterDomain:                          "cluster-domain",
+				ClusterDNS:                             []string{"192.168.1.3"},
+				StreamingConnectionIdleTimeout:         metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusUpdateFrequency:              metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusReportFrequency:              metav1.Duration{Duration: 60 * time.Second},
+				NodeLeaseDurationSeconds:               1,
+				ContainerRuntimeEndpoint:               "unix:///run/containerd/containerd.sock",
+				ImageMinimumGCAge:                      metav1.Duration{Duration: 60 * time.Second},
+				ImageGCHighThresholdPercent:            ptr.To[int32](1),
+				ImageGCLowThresholdPercent:             ptr.To[int32](1),
+				ImagePullCredentialsVerificationPolicy: "AlwaysVerify",
+				PreloadedImagesVerificationAllowlist:   []string{"test.test/repo/image"},
+				VolumeStatsAggPeriod:                   metav1.Duration{Duration: 60 * time.Second},
+				KubeletCgroups:                         "kubelet-cgroup",
+				SystemCgroups:                          "system-cgroup",
+				CgroupRoot:                             "root-cgroup",
+				CgroupsPerQOS:                          ptr.To(true),
+				CgroupDriver:                           "systemd",
+				CPUManagerPolicy:                       "cpu-manager-policy",
+				CPUManagerPolicyOptions:                map[string]string{"key": "value"},
+				CPUManagerReconcilePeriod:              metav1.Duration{Duration: 60 * time.Second},
+				MemoryManagerPolicy:                    v1beta1.StaticMemoryManagerPolicy,
+				TopologyManagerPolicy:                  v1beta1.RestrictedTopologyManagerPolicy,
+				TopologyManagerScope:                   v1beta1.PodTopologyManagerScope,
+				QOSReserved:                            map[string]string{"memory": "10%"},
+				RuntimeRequestTimeout:                  metav1.Duration{Duration: 60 * time.Second},
+				HairpinMode:                            v1beta1.HairpinVeth,
+				MaxPods:                                1,
+				PodCIDR:                                "192.168.1.0/24",
+				PodPidsLimit:                           ptr.To[int64](1),
+				ResolverConfig:                         ptr.To("resolver-config"),
+				RunOnce:                                true,
+				CPUCFSQuota:                            ptr.To(true),
+				CPUCFSQuotaPeriod:                      &metav1.Duration{Duration: 60 * time.Second},
+				NodeStatusMaxImages:                    ptr.To[int32](1),
+				MaxOpenFiles:                           1,
+				ContentType:                            "application/protobuf",
+				KubeAPIQPS:                             ptr.To[int32](1),
+				KubeAPIBurst:                           1,
+				SerializeImagePulls:                    ptr.To(true),
+				MaxParallelImagePulls:                  ptr.To[int32](5),
 				EvictionHard: map[string]string{
 					"memory.available":  "1Mi",
 					"nodefs.available":  "1%",
@@ -734,6 +740,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageGCHighThresholdPercent:               ptr.To[int32](85),
 				ImageGCLowThresholdPercent:                ptr.To[int32](80),
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				VolumeStatsAggPeriod:                      metav1.Duration{Duration: time.Minute},
 				CgroupsPerQOS:                             ptr.To(true),
 				CgroupDriver:                              "cgroupfs",
@@ -779,13 +786,15 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(true),
 				EnableDebugFlagsHandler:       ptr.To(true),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To(DefaultMemoryThrottlingFactor),
 				RegisterNode:                  ptr.To(true),
 				LocalStorageCapacityIsolation: ptr.To(true),
 				PodLogsDir:                    DefaultPodLogsDir,
 				SingleProcessOOMKill:          nil,
-				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
+				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
+					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
+				},
 			},
 		},
 		{
@@ -830,6 +839,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageGCHighThresholdPercent:               ptr.To[int32](85),
 				ImageGCLowThresholdPercent:                ptr.To[int32](80),
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				VolumeStatsAggPeriod:                      metav1.Duration{Duration: time.Minute},
 				CgroupsPerQOS:                             ptr.To(true),
 				CgroupDriver:                              "cgroupfs",
@@ -875,13 +885,15 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(true),
 				EnableDebugFlagsHandler:       ptr.To(true),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To(DefaultMemoryThrottlingFactor),
 				RegisterNode:                  ptr.To(true),
 				LocalStorageCapacityIsolation: ptr.To(true),
 				PodLogsDir:                    DefaultPodLogsDir,
 				SingleProcessOOMKill:          nil,
-				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
+				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
+					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
+				},
 			},
 		},
 		{
@@ -926,6 +938,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageGCHighThresholdPercent:               ptr.To[int32](85),
 				ImageGCLowThresholdPercent:                ptr.To[int32](80),
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				VolumeStatsAggPeriod:                      metav1.Duration{Duration: time.Minute},
 				CgroupsPerQOS:                             ptr.To(true),
 				CgroupDriver:                              "cgroupfs",
@@ -971,21 +984,23 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(true),
 				EnableDebugFlagsHandler:       ptr.To(true),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To(DefaultMemoryThrottlingFactor),
 				RegisterNode:                  ptr.To(true),
 				LocalStorageCapacityIsolation: ptr.To(true),
 				PodLogsDir:                    DefaultPodLogsDir,
-				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
+				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
+					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
+				},
 			},
 		},
 		{
-			"CrashLoopBackOff.MaxContainerRestartPeriod defaults to internal default when feature gate enabled",
+			"CrashLoopBackOff defaults empty when feature gate disabled",
 			&v1beta1.KubeletConfiguration{
-				FeatureGates: map[string]bool{"KubeletCrashLoopBackOffMax": true},
+				FeatureGates: map[string]bool{"KubeletCrashLoopBackOffMax": false},
 			},
 			&v1beta1.KubeletConfiguration{
-				FeatureGates:       map[string]bool{"KubeletCrashLoopBackOffMax": true},
+				FeatureGates:       map[string]bool{"KubeletCrashLoopBackOffMax": false},
 				EnableServer:       ptr.To(true),
 				SyncFrequency:      metav1.Duration{Duration: 1 * time.Minute},
 				FileCheckFrequency: metav1.Duration{Duration: 20 * time.Second},
@@ -1022,6 +1037,7 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				ImageMinimumGCAge:                         metav1.Duration{Duration: 2 * time.Minute},
 				ImageGCHighThresholdPercent:               ptr.To[int32](85),
 				ImageGCLowThresholdPercent:                ptr.To[int32](80),
+				ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 				VolumeStatsAggPeriod:                      metav1.Duration{Duration: time.Minute},
 				CgroupsPerQOS:                             ptr.To(true),
 				CgroupDriver:                              "cgroupfs",
@@ -1067,15 +1083,13 @@ func TestSetDefaultsKubeletConfiguration(t *testing.T) {
 				EnableProfilingHandler:        ptr.To(true),
 				EnableDebugFlagsHandler:       ptr.To(true),
 				SeccompDefault:                ptr.To(false),
-				FailCgroupV1:                  ptr.To(false),
+				FailCgroupV1:                  ptr.To(true),
 				MemoryThrottlingFactor:        ptr.To(DefaultMemoryThrottlingFactor),
 				RegisterNode:                  ptr.To(true),
 				LocalStorageCapacityIsolation: ptr.To(true),
 				PodLogsDir:                    DefaultPodLogsDir,
 				SingleProcessOOMKill:          nil,
-				CrashLoopBackOff: v1beta1.CrashLoopBackOffConfig{
-					MaxContainerRestartPeriod: &metav1.Duration{Duration: MaxContainerBackOff},
-				},
+				CrashLoopBackOff:              v1beta1.CrashLoopBackOffConfig{},
 			},
 		},
 	}
diff --git a/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go b/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go
index 917d40a5e843d..96c6d7df9c89e 100644
--- a/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go
+++ b/pkg/kubelet/apis/config/v1beta1/zz_generated.conversion.go
@@ -75,6 +75,56 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*configv1beta1.ImagePullCredentials)(nil), (*config.ImagePullCredentials)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ImagePullCredentials_To_config_ImagePullCredentials(a.(*configv1beta1.ImagePullCredentials), b.(*config.ImagePullCredentials), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.ImagePullCredentials)(nil), (*configv1beta1.ImagePullCredentials)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_ImagePullCredentials_To_v1beta1_ImagePullCredentials(a.(*config.ImagePullCredentials), b.(*configv1beta1.ImagePullCredentials), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*configv1beta1.ImagePullIntent)(nil), (*config.ImagePullIntent)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ImagePullIntent_To_config_ImagePullIntent(a.(*configv1beta1.ImagePullIntent), b.(*config.ImagePullIntent), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.ImagePullIntent)(nil), (*configv1beta1.ImagePullIntent)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_ImagePullIntent_To_v1beta1_ImagePullIntent(a.(*config.ImagePullIntent), b.(*configv1beta1.ImagePullIntent), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*configv1beta1.ImagePullSecret)(nil), (*config.ImagePullSecret)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ImagePullSecret_To_config_ImagePullSecret(a.(*configv1beta1.ImagePullSecret), b.(*config.ImagePullSecret), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.ImagePullSecret)(nil), (*configv1beta1.ImagePullSecret)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_ImagePullSecret_To_v1beta1_ImagePullSecret(a.(*config.ImagePullSecret), b.(*configv1beta1.ImagePullSecret), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*configv1beta1.ImagePullServiceAccount)(nil), (*config.ImagePullServiceAccount)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ImagePullServiceAccount_To_config_ImagePullServiceAccount(a.(*configv1beta1.ImagePullServiceAccount), b.(*config.ImagePullServiceAccount), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.ImagePullServiceAccount)(nil), (*configv1beta1.ImagePullServiceAccount)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_ImagePullServiceAccount_To_v1beta1_ImagePullServiceAccount(a.(*config.ImagePullServiceAccount), b.(*configv1beta1.ImagePullServiceAccount), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*configv1beta1.ImagePulledRecord)(nil), (*config.ImagePulledRecord)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_ImagePulledRecord_To_config_ImagePulledRecord(a.(*configv1beta1.ImagePulledRecord), b.(*config.ImagePulledRecord), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.ImagePulledRecord)(nil), (*configv1beta1.ImagePulledRecord)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_ImagePulledRecord_To_v1beta1_ImagePulledRecord(a.(*config.ImagePulledRecord), b.(*configv1beta1.ImagePulledRecord), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*configv1beta1.KubeletAnonymousAuthentication)(nil), (*config.KubeletAnonymousAuthentication)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_KubeletAnonymousAuthentication_To_config_KubeletAnonymousAuthentication(a.(*configv1beta1.KubeletAnonymousAuthentication), b.(*config.KubeletAnonymousAuthentication), scope)
 	}); err != nil {
@@ -311,6 +361,124 @@ func Convert_config_ExecEnvVar_To_v1beta1_ExecEnvVar(in *config.ExecEnvVar, out
 	return autoConvert_config_ExecEnvVar_To_v1beta1_ExecEnvVar(in, out, s)
 }
 
+func autoConvert_v1beta1_ImagePullCredentials_To_config_ImagePullCredentials(in *configv1beta1.ImagePullCredentials, out *config.ImagePullCredentials, s conversion.Scope) error {
+	out.KubernetesSecrets = *(*[]config.ImagePullSecret)(unsafe.Pointer(&in.KubernetesSecrets))
+	out.KubernetesServiceAccounts = *(*[]config.ImagePullServiceAccount)(unsafe.Pointer(&in.KubernetesServiceAccounts))
+	out.NodePodsAccessible = in.NodePodsAccessible
+	return nil
+}
+
+// Convert_v1beta1_ImagePullCredentials_To_config_ImagePullCredentials is an autogenerated conversion function.
+func Convert_v1beta1_ImagePullCredentials_To_config_ImagePullCredentials(in *configv1beta1.ImagePullCredentials, out *config.ImagePullCredentials, s conversion.Scope) error {
+	return autoConvert_v1beta1_ImagePullCredentials_To_config_ImagePullCredentials(in, out, s)
+}
+
+func autoConvert_config_ImagePullCredentials_To_v1beta1_ImagePullCredentials(in *config.ImagePullCredentials, out *configv1beta1.ImagePullCredentials, s conversion.Scope) error {
+	out.KubernetesSecrets = *(*[]configv1beta1.ImagePullSecret)(unsafe.Pointer(&in.KubernetesSecrets))
+	out.KubernetesServiceAccounts = *(*[]configv1beta1.ImagePullServiceAccount)(unsafe.Pointer(&in.KubernetesServiceAccounts))
+	out.NodePodsAccessible = in.NodePodsAccessible
+	return nil
+}
+
+// Convert_config_ImagePullCredentials_To_v1beta1_ImagePullCredentials is an autogenerated conversion function.
+func Convert_config_ImagePullCredentials_To_v1beta1_ImagePullCredentials(in *config.ImagePullCredentials, out *configv1beta1.ImagePullCredentials, s conversion.Scope) error {
+	return autoConvert_config_ImagePullCredentials_To_v1beta1_ImagePullCredentials(in, out, s)
+}
+
+func autoConvert_v1beta1_ImagePullIntent_To_config_ImagePullIntent(in *configv1beta1.ImagePullIntent, out *config.ImagePullIntent, s conversion.Scope) error {
+	out.Image = in.Image
+	return nil
+}
+
+// Convert_v1beta1_ImagePullIntent_To_config_ImagePullIntent is an autogenerated conversion function.
+func Convert_v1beta1_ImagePullIntent_To_config_ImagePullIntent(in *configv1beta1.ImagePullIntent, out *config.ImagePullIntent, s conversion.Scope) error {
+	return autoConvert_v1beta1_ImagePullIntent_To_config_ImagePullIntent(in, out, s)
+}
+
+func autoConvert_config_ImagePullIntent_To_v1beta1_ImagePullIntent(in *config.ImagePullIntent, out *configv1beta1.ImagePullIntent, s conversion.Scope) error {
+	out.Image = in.Image
+	return nil
+}
+
+// Convert_config_ImagePullIntent_To_v1beta1_ImagePullIntent is an autogenerated conversion function.
+func Convert_config_ImagePullIntent_To_v1beta1_ImagePullIntent(in *config.ImagePullIntent, out *configv1beta1.ImagePullIntent, s conversion.Scope) error {
+	return autoConvert_config_ImagePullIntent_To_v1beta1_ImagePullIntent(in, out, s)
+}
+
+func autoConvert_v1beta1_ImagePullSecret_To_config_ImagePullSecret(in *configv1beta1.ImagePullSecret, out *config.ImagePullSecret, s conversion.Scope) error {
+	out.UID = in.UID
+	out.Namespace = in.Namespace
+	out.Name = in.Name
+	out.CredentialHash = in.CredentialHash
+	return nil
+}
+
+// Convert_v1beta1_ImagePullSecret_To_config_ImagePullSecret is an autogenerated conversion function.
+func Convert_v1beta1_ImagePullSecret_To_config_ImagePullSecret(in *configv1beta1.ImagePullSecret, out *config.ImagePullSecret, s conversion.Scope) error {
+	return autoConvert_v1beta1_ImagePullSecret_To_config_ImagePullSecret(in, out, s)
+}
+
+func autoConvert_config_ImagePullSecret_To_v1beta1_ImagePullSecret(in *config.ImagePullSecret, out *configv1beta1.ImagePullSecret, s conversion.Scope) error {
+	out.UID = in.UID
+	out.Namespace = in.Namespace
+	out.Name = in.Name
+	out.CredentialHash = in.CredentialHash
+	return nil
+}
+
+// Convert_config_ImagePullSecret_To_v1beta1_ImagePullSecret is an autogenerated conversion function.
+func Convert_config_ImagePullSecret_To_v1beta1_ImagePullSecret(in *config.ImagePullSecret, out *configv1beta1.ImagePullSecret, s conversion.Scope) error {
+	return autoConvert_config_ImagePullSecret_To_v1beta1_ImagePullSecret(in, out, s)
+}
+
+func autoConvert_v1beta1_ImagePullServiceAccount_To_config_ImagePullServiceAccount(in *configv1beta1.ImagePullServiceAccount, out *config.ImagePullServiceAccount, s conversion.Scope) error {
+	out.UID = in.UID
+	out.Namespace = in.Namespace
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1beta1_ImagePullServiceAccount_To_config_ImagePullServiceAccount is an autogenerated conversion function.
+func Convert_v1beta1_ImagePullServiceAccount_To_config_ImagePullServiceAccount(in *configv1beta1.ImagePullServiceAccount, out *config.ImagePullServiceAccount, s conversion.Scope) error {
+	return autoConvert_v1beta1_ImagePullServiceAccount_To_config_ImagePullServiceAccount(in, out, s)
+}
+
+func autoConvert_config_ImagePullServiceAccount_To_v1beta1_ImagePullServiceAccount(in *config.ImagePullServiceAccount, out *configv1beta1.ImagePullServiceAccount, s conversion.Scope) error {
+	out.UID = in.UID
+	out.Namespace = in.Namespace
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_config_ImagePullServiceAccount_To_v1beta1_ImagePullServiceAccount is an autogenerated conversion function.
+func Convert_config_ImagePullServiceAccount_To_v1beta1_ImagePullServiceAccount(in *config.ImagePullServiceAccount, out *configv1beta1.ImagePullServiceAccount, s conversion.Scope) error {
+	return autoConvert_config_ImagePullServiceAccount_To_v1beta1_ImagePullServiceAccount(in, out, s)
+}
+
+func autoConvert_v1beta1_ImagePulledRecord_To_config_ImagePulledRecord(in *configv1beta1.ImagePulledRecord, out *config.ImagePulledRecord, s conversion.Scope) error {
+	out.LastUpdatedTime = in.LastUpdatedTime
+	out.ImageRef = in.ImageRef
+	out.CredentialMapping = *(*map[string]config.ImagePullCredentials)(unsafe.Pointer(&in.CredentialMapping))
+	return nil
+}
+
+// Convert_v1beta1_ImagePulledRecord_To_config_ImagePulledRecord is an autogenerated conversion function.
+func Convert_v1beta1_ImagePulledRecord_To_config_ImagePulledRecord(in *configv1beta1.ImagePulledRecord, out *config.ImagePulledRecord, s conversion.Scope) error {
+	return autoConvert_v1beta1_ImagePulledRecord_To_config_ImagePulledRecord(in, out, s)
+}
+
+func autoConvert_config_ImagePulledRecord_To_v1beta1_ImagePulledRecord(in *config.ImagePulledRecord, out *configv1beta1.ImagePulledRecord, s conversion.Scope) error {
+	out.LastUpdatedTime = in.LastUpdatedTime
+	out.ImageRef = in.ImageRef
+	out.CredentialMapping = *(*map[string]configv1beta1.ImagePullCredentials)(unsafe.Pointer(&in.CredentialMapping))
+	return nil
+}
+
+// Convert_config_ImagePulledRecord_To_v1beta1_ImagePulledRecord is an autogenerated conversion function.
+func Convert_config_ImagePulledRecord_To_v1beta1_ImagePulledRecord(in *config.ImagePulledRecord, out *configv1beta1.ImagePulledRecord, s conversion.Scope) error {
+	return autoConvert_config_ImagePulledRecord_To_v1beta1_ImagePulledRecord(in, out, s)
+}
+
 func autoConvert_v1beta1_KubeletAnonymousAuthentication_To_config_KubeletAnonymousAuthentication(in *configv1beta1.KubeletAnonymousAuthentication, out *config.KubeletAnonymousAuthentication, s conversion.Scope) error {
 	if err := v1.Convert_Pointer_bool_To_bool(&in.Enabled, &out.Enabled, s); err != nil {
 		return err
diff --git a/pkg/kubelet/apis/config/validation/validation.go b/pkg/kubelet/apis/config/validation/validation.go
index 44763f1471487..5fc256fc79520 100644
--- a/pkg/kubelet/apis/config/validation/validation.go
+++ b/pkg/kubelet/apis/config/validation/validation.go
@@ -59,6 +59,9 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration, featur
 	if err := localFeatureGate.SetFromMap(kc.FeatureGates); err != nil {
 		return err
 	}
+	if errs := localFeatureGate.Validate(); len(errs) > 0 {
+		allErrors = append(allErrors, errs...)
+	}
 
 	if kc.NodeLeaseDurationSeconds <= 0 {
 		allErrors = append(allErrors, fmt.Errorf("invalid configuration: nodeLeaseDurationSeconds must be greater than 0"))
@@ -350,7 +353,7 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration, featur
 	}
 
 	if kc.EnableSystemLogQuery && !localFeatureGate.Enabled(features.NodeLogQuery) {
-		allErrors = append(allErrors, fmt.Errorf("invalid configuration: NodeLogQuery feature gate is required for enableSystemLogHandler"))
+		allErrors = append(allErrors, fmt.Errorf("invalid configuration: NodeLogQuery feature gate is required for enableSystemLogQuery"))
 	}
 	if kc.EnableSystemLogQuery && !kc.EnableSystemLogHandler {
 		allErrors = append(allErrors,
diff --git a/pkg/kubelet/apis/config/validation/validation_linux.go b/pkg/kubelet/apis/config/validation/validation_linux.go
index dca9c69b5a3e7..76c976f6c00c1 100644
--- a/pkg/kubelet/apis/config/validation/validation_linux.go
+++ b/pkg/kubelet/apis/config/validation/validation_linux.go
@@ -34,7 +34,7 @@ const userNsUnitLength = 65536
 func validateKubeletOSConfiguration(kc *kubeletconfig.KubeletConfiguration) error {
 	isCgroup1 := !libcontainercgroups.IsCgroup2UnifiedMode()
 	if kc.FailCgroupV1 && isCgroup1 {
-		return fmt.Errorf("kubelet is configured to not run on a host using cgroup v1. cgroup v1 support is in maintenance mode")
+		return fmt.Errorf("kubelet is configured to not run on a host using cgroup v1. cgroup v1 support is unsupported and will be removed in a future release")
 	}
 
 	if isCgroup1 && kc.SingleProcessOOMKill != nil && !ptr.Deref(kc.SingleProcessOOMKill, true) {
diff --git a/pkg/kubelet/apis/config/validation/validation_test.go b/pkg/kubelet/apis/config/validation/validation_test.go
index e66385312ff4a..01ec8e0412b51 100644
--- a/pkg/kubelet/apis/config/validation/validation_test.go
+++ b/pkg/kubelet/apis/config/validation/validation_test.go
@@ -36,39 +36,40 @@ import (
 
 var (
 	successConfig = kubeletconfig.KubeletConfiguration{
-		CgroupsPerQOS:                   cgroupsPerQOS,
-		EnforceNodeAllocatable:          enforceNodeAllocatable,
-		SystemReservedCgroup:            "/system.slice",
-		KubeReservedCgroup:              "/kubelet.service",
-		PodLogsDir:                      "/logs",
-		SystemCgroups:                   "",
-		CgroupRoot:                      "",
-		EventBurst:                      10,
-		EventRecordQPS:                  5,
-		HealthzPort:                     10248,
-		ImageGCHighThresholdPercent:     85,
-		ImageGCLowThresholdPercent:      80,
-		IPTablesDropBit:                 15,
-		IPTablesMasqueradeBit:           14,
-		KubeAPIBurst:                    10,
-		KubeAPIQPS:                      5,
-		MaxOpenFiles:                    1000000,
-		MaxPods:                         110,
-		OOMScoreAdj:                     -999,
-		PodsPerCore:                     100,
-		Port:                            65535,
-		ReadOnlyPort:                    0,
-		RegistryBurst:                   10,
-		RegistryPullQPS:                 5,
-		MaxParallelImagePulls:           nil,
-		HairpinMode:                     kubeletconfig.PromiscuousBridge,
-		NodeLeaseDurationSeconds:        1,
-		CPUCFSQuotaPeriod:               metav1.Duration{Duration: 25 * time.Millisecond},
-		TopologyManagerScope:            kubeletconfig.PodTopologyManagerScope,
-		TopologyManagerPolicy:           kubeletconfig.SingleNumaNodeTopologyManagerPolicy,
-		ShutdownGracePeriod:             metav1.Duration{Duration: 30 * time.Second},
-		ShutdownGracePeriodCriticalPods: metav1.Duration{Duration: 10 * time.Second},
-		MemoryThrottlingFactor:          ptr.To(0.9),
+		CgroupsPerQOS:                          cgroupsPerQOS,
+		EnforceNodeAllocatable:                 enforceNodeAllocatable,
+		SystemReservedCgroup:                   "/system.slice",
+		KubeReservedCgroup:                     "/kubelet.service",
+		PodLogsDir:                             "/logs",
+		SystemCgroups:                          "",
+		CgroupRoot:                             "",
+		EventBurst:                             10,
+		EventRecordQPS:                         5,
+		HealthzPort:                            10248,
+		ImageGCHighThresholdPercent:            85,
+		ImageGCLowThresholdPercent:             80,
+		ImagePullCredentialsVerificationPolicy: "NeverVerifyPreloadedImages",
+		IPTablesDropBit:                        15,
+		IPTablesMasqueradeBit:                  14,
+		KubeAPIBurst:                           10,
+		KubeAPIQPS:                             5,
+		MaxOpenFiles:                           1000000,
+		MaxPods:                                110,
+		OOMScoreAdj:                            -999,
+		PodsPerCore:                            100,
+		Port:                                   65535,
+		ReadOnlyPort:                           0,
+		RegistryBurst:                          10,
+		RegistryPullQPS:                        5,
+		MaxParallelImagePulls:                  nil,
+		HairpinMode:                            kubeletconfig.PromiscuousBridge,
+		NodeLeaseDurationSeconds:               1,
+		CPUCFSQuotaPeriod:                      metav1.Duration{Duration: 25 * time.Millisecond},
+		TopologyManagerScope:                   kubeletconfig.PodTopologyManagerScope,
+		TopologyManagerPolicy:                  kubeletconfig.SingleNumaNodeTopologyManagerPolicy,
+		ShutdownGracePeriod:                    metav1.Duration{Duration: 30 * time.Second},
+		ShutdownGracePeriodCriticalPods:        metav1.Duration{Duration: 10 * time.Second},
+		MemoryThrottlingFactor:                 ptr.To(0.9),
 		FeatureGates: map[string]bool{
 			"CustomCPUCFSQuotaPeriod":    true,
 			"GracefulNodeShutdown":       true,
@@ -76,7 +77,8 @@ var (
 			"KubeletCrashLoopBackOffMax": true,
 		},
 		Logging: logsapi.LoggingConfiguration{
-			Format: "text",
+			Format:         "text",
+			FlushFrequency: logsapi.TimeOrMetaDuration{Duration: metav1.Duration{Duration: logsapi.LogFlushFreqDefault}},
 		},
 		ContainerRuntimeEndpoint:    "unix:///run/containerd/containerd.sock",
 		ContainerLogMaxWorkers:      1,
@@ -360,7 +362,12 @@ func TestValidateKubeletConfiguration(t *testing.T) {
 	}, {
 		name: "specify ShutdownGracePeriod without enabling GracefulNodeShutdown",
 		configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
-			conf.FeatureGates = map[string]bool{"GracefulNodeShutdown": false}
+			conf.FeatureGates = map[string]bool{
+				"GracefulNodeShutdown": false,
+				// Disable dependents.
+				"GracefulNodeShutdownBasedOnPodPriority": false,
+				"WindowsGracefulNodeShutdown":            false,
+			}
 			conf.ShutdownGracePeriod = metav1.Duration{Duration: 1 * time.Second}
 			return conf
 		},
@@ -368,7 +375,12 @@ func TestValidateKubeletConfiguration(t *testing.T) {
 	}, {
 		name: "specify ShutdownGracePeriodCriticalPods without enabling GracefulNodeShutdown",
 		configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
-			conf.FeatureGates = map[string]bool{"GracefulNodeShutdown": false}
+			conf.FeatureGates = map[string]bool{
+				"GracefulNodeShutdown": false,
+				// Disable dependents.
+				"GracefulNodeShutdownBasedOnPodPriority": false,
+				"WindowsGracefulNodeShutdown":            false,
+			}
 			conf.ShutdownGracePeriodCriticalPods = metav1.Duration{Duration: 1 * time.Second}
 			return conf
 		},
@@ -606,7 +618,7 @@ func TestValidateKubeletConfiguration(t *testing.T) {
 				conf.EnableSystemLogQuery = true
 				return conf
 			},
-			errMsg: "invalid configuration: NodeLogQuery feature gate is required for enableSystemLogHandler",
+			errMsg: "invalid configuration: NodeLogQuery feature gate is required for enableSystemLogQuery",
 		}, {
 			name: "enableSystemLogQuery is enabled without enableSystemLogHandler",
 			configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
@@ -616,18 +628,9 @@ func TestValidateKubeletConfiguration(t *testing.T) {
 				return conf
 			},
 			errMsg: "invalid configuration: enableSystemLogHandler is required for enableSystemLogQuery",
-		}, {
-			name: "imageMaximumGCAge should not be specified without feature gate",
-			configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
-				conf.FeatureGates = map[string]bool{"ImageMaximumGCAge": false}
-				conf.ImageMaximumGCAge = metav1.Duration{Duration: 1}
-				return conf
-			},
-			errMsg: "invalid configuration: ImageMaximumGCAge feature gate is required for Kubelet configuration option imageMaximumGCAge",
 		}, {
 			name: "imageMaximumGCAge should not be negative",
 			configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
-				conf.FeatureGates = map[string]bool{"ImageMaximumGCAge": true}
 				conf.ImageMaximumGCAge = metav1.Duration{Duration: -1}
 				return conf
 			},
@@ -635,7 +638,6 @@ func TestValidateKubeletConfiguration(t *testing.T) {
 		}, {
 			name: "imageMaximumGCAge should not be less than imageMinimumGCAge",
 			configure: func(conf *kubeletconfig.KubeletConfiguration) *kubeletconfig.KubeletConfiguration {
-				conf.FeatureGates = map[string]bool{"ImageMaximumGCAge": true}
 				conf.ImageMaximumGCAge = metav1.Duration{Duration: 1}
 				conf.ImageMinimumGCAge = metav1.Duration{Duration: 2}
 				return conf
diff --git a/pkg/kubelet/apis/podresources/.mockery.yaml b/pkg/kubelet/apis/podresources/.mockery.yaml
index d25fc0979c7f8..bf7308edb78f1 100644
--- a/pkg/kubelet/apis/podresources/.mockery.yaml
+++ b/pkg/kubelet/apis/podresources/.mockery.yaml
@@ -1,16 +1,16 @@
 ---
 dir: testing
-filename: "{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/apis/podresources:
     interfaces:
-      CPUsProvider:
-        config:
-          filename: cpus_provider.go
-      DevicesProvider:
-      DynamicResourcesProvider:
-      MemoryProvider:
-      PodsProvider:
+      CPUsProvider: {}
+      DevicesProvider: {}
+      DynamicResourcesProvider: {}
+      MemoryProvider: {}
+      PodsProvider: {}
diff --git a/pkg/kubelet/apis/podresources/server_v1_test.go b/pkg/kubelet/apis/podresources/server_v1_test.go
index 36f631a595339..0875366206dca 100644
--- a/pkg/kubelet/apis/podresources/server_v1_test.go
+++ b/pkg/kubelet/apis/podresources/server_v1_test.go
@@ -899,8 +899,10 @@ func TestAllocatableResources(t *testing.T) {
 }
 
 func TestGetPodResourcesV1(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.KubeletPodResourcesGet, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.KubeletPodResourcesDynamicResources, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		pkgfeatures.KubeletPodResourcesGet:              true,
+		pkgfeatures.KubeletPodResourcesDynamicResources: true,
+	})
 
 	tCtx := ktesting.Init(t)
 	podName := "pod-name"
@@ -1077,8 +1079,10 @@ func TestGetPodResourcesV1(t *testing.T) {
 }
 
 func TestGetPodResourcesWithInitContainersV1(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.KubeletPodResourcesGet, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.KubeletPodResourcesDynamicResources, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		pkgfeatures.KubeletPodResourcesGet:              true,
+		pkgfeatures.KubeletPodResourcesDynamicResources: true,
+	})
 
 	tCtx := ktesting.Init(t)
 	podName := "pod-name"
diff --git a/pkg/kubelet/apis/podresources/testing/cpus_provider.go b/pkg/kubelet/apis/podresources/testing/cpus_provider.go
deleted file mode 100644
index ff193543d3e95..0000000000000
--- a/pkg/kubelet/apis/podresources/testing/cpus_provider.go
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import mock "github.com/stretchr/testify/mock"
-
-// MockCPUsProvider is an autogenerated mock type for the CPUsProvider type
-type MockCPUsProvider struct {
-	mock.Mock
-}
-
-type MockCPUsProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockCPUsProvider) EXPECT() *MockCPUsProvider_Expecter {
-	return &MockCPUsProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetAllocatableCPUs provides a mock function with no fields
-func (_m *MockCPUsProvider) GetAllocatableCPUs() []int64 {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableCPUs")
-	}
-
-	var r0 []int64
-	if rf, ok := ret.Get(0).(func() []int64); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]int64)
-		}
-	}
-
-	return r0
-}
-
-// MockCPUsProvider_GetAllocatableCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableCPUs'
-type MockCPUsProvider_GetAllocatableCPUs_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableCPUs is a helper method to define mock.On call
-func (_e *MockCPUsProvider_Expecter) GetAllocatableCPUs() *MockCPUsProvider_GetAllocatableCPUs_Call {
-	return &MockCPUsProvider_GetAllocatableCPUs_Call{Call: _e.mock.On("GetAllocatableCPUs")}
-}
-
-func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) Run(run func()) *MockCPUsProvider_GetAllocatableCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) Return(_a0 []int64) *MockCPUsProvider_GetAllocatableCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) RunAndReturn(run func() []int64) *MockCPUsProvider_GetAllocatableCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCPUs provides a mock function with given fields: podUID, containerName
-func (_m *MockCPUsProvider) GetCPUs(podUID string, containerName string) []int64 {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCPUs")
-	}
-
-	var r0 []int64
-	if rf, ok := ret.Get(0).(func(string, string) []int64); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]int64)
-		}
-	}
-
-	return r0
-}
-
-// MockCPUsProvider_GetCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUs'
-type MockCPUsProvider_GetCPUs_Call struct {
-	*mock.Call
-}
-
-// GetCPUs is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockCPUsProvider_Expecter) GetCPUs(podUID interface{}, containerName interface{}) *MockCPUsProvider_GetCPUs_Call {
-	return &MockCPUsProvider_GetCPUs_Call{Call: _e.mock.On("GetCPUs", podUID, containerName)}
-}
-
-func (_c *MockCPUsProvider_GetCPUs_Call) Run(run func(podUID string, containerName string)) *MockCPUsProvider_GetCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockCPUsProvider_GetCPUs_Call) Return(_a0 []int64) *MockCPUsProvider_GetCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockCPUsProvider_GetCPUs_Call) RunAndReturn(run func(string, string) []int64) *MockCPUsProvider_GetCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockCPUsProvider creates a new instance of MockCPUsProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockCPUsProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockCPUsProvider {
-	mock := &MockCPUsProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/apis/podresources/testing/devices_provider.go b/pkg/kubelet/apis/podresources/testing/devices_provider.go
deleted file mode 100644
index db086aa6b9c05..0000000000000
--- a/pkg/kubelet/apis/podresources/testing/devices_provider.go
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	v1 "k8s.io/kubelet/pkg/apis/podresources/v1"
-)
-
-// MockDevicesProvider is an autogenerated mock type for the DevicesProvider type
-type MockDevicesProvider struct {
-	mock.Mock
-}
-
-type MockDevicesProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockDevicesProvider) EXPECT() *MockDevicesProvider_Expecter {
-	return &MockDevicesProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetAllocatableDevices provides a mock function with no fields
-func (_m *MockDevicesProvider) GetAllocatableDevices() []*v1.ContainerDevices {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableDevices")
-	}
-
-	var r0 []*v1.ContainerDevices
-	if rf, ok := ret.Get(0).(func() []*v1.ContainerDevices); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.ContainerDevices)
-		}
-	}
-
-	return r0
-}
-
-// MockDevicesProvider_GetAllocatableDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableDevices'
-type MockDevicesProvider_GetAllocatableDevices_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableDevices is a helper method to define mock.On call
-func (_e *MockDevicesProvider_Expecter) GetAllocatableDevices() *MockDevicesProvider_GetAllocatableDevices_Call {
-	return &MockDevicesProvider_GetAllocatableDevices_Call{Call: _e.mock.On("GetAllocatableDevices")}
-}
-
-func (_c *MockDevicesProvider_GetAllocatableDevices_Call) Run(run func()) *MockDevicesProvider_GetAllocatableDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockDevicesProvider_GetAllocatableDevices_Call) Return(_a0 []*v1.ContainerDevices) *MockDevicesProvider_GetAllocatableDevices_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockDevicesProvider_GetAllocatableDevices_Call) RunAndReturn(run func() []*v1.ContainerDevices) *MockDevicesProvider_GetAllocatableDevices_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetDevices provides a mock function with given fields: podUID, containerName
-func (_m *MockDevicesProvider) GetDevices(podUID string, containerName string) []*v1.ContainerDevices {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDevices")
-	}
-
-	var r0 []*v1.ContainerDevices
-	if rf, ok := ret.Get(0).(func(string, string) []*v1.ContainerDevices); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.ContainerDevices)
-		}
-	}
-
-	return r0
-}
-
-// MockDevicesProvider_GetDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevices'
-type MockDevicesProvider_GetDevices_Call struct {
-	*mock.Call
-}
-
-// GetDevices is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockDevicesProvider_Expecter) GetDevices(podUID interface{}, containerName interface{}) *MockDevicesProvider_GetDevices_Call {
-	return &MockDevicesProvider_GetDevices_Call{Call: _e.mock.On("GetDevices", podUID, containerName)}
-}
-
-func (_c *MockDevicesProvider_GetDevices_Call) Run(run func(podUID string, containerName string)) *MockDevicesProvider_GetDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockDevicesProvider_GetDevices_Call) Return(_a0 []*v1.ContainerDevices) *MockDevicesProvider_GetDevices_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockDevicesProvider_GetDevices_Call) RunAndReturn(run func(string, string) []*v1.ContainerDevices) *MockDevicesProvider_GetDevices_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UpdateAllocatedDevices provides a mock function with no fields
-func (_m *MockDevicesProvider) UpdateAllocatedDevices() {
-	_m.Called()
-}
-
-// MockDevicesProvider_UpdateAllocatedDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedDevices'
-type MockDevicesProvider_UpdateAllocatedDevices_Call struct {
-	*mock.Call
-}
-
-// UpdateAllocatedDevices is a helper method to define mock.On call
-func (_e *MockDevicesProvider_Expecter) UpdateAllocatedDevices() *MockDevicesProvider_UpdateAllocatedDevices_Call {
-	return &MockDevicesProvider_UpdateAllocatedDevices_Call{Call: _e.mock.On("UpdateAllocatedDevices")}
-}
-
-func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) Run(run func()) *MockDevicesProvider_UpdateAllocatedDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) Return() *MockDevicesProvider_UpdateAllocatedDevices_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) RunAndReturn(run func()) *MockDevicesProvider_UpdateAllocatedDevices_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockDevicesProvider creates a new instance of MockDevicesProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockDevicesProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockDevicesProvider {
-	mock := &MockDevicesProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/apis/podresources/testing/dynamic_resources_provider.go b/pkg/kubelet/apis/podresources/testing/dynamic_resources_provider.go
deleted file mode 100644
index e68ba5f8fdaf9..0000000000000
--- a/pkg/kubelet/apis/podresources/testing/dynamic_resources_provider.go
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	podresourcesv1 "k8s.io/kubelet/pkg/apis/podresources/v1"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockDynamicResourcesProvider is an autogenerated mock type for the DynamicResourcesProvider type
-type MockDynamicResourcesProvider struct {
-	mock.Mock
-}
-
-type MockDynamicResourcesProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockDynamicResourcesProvider) EXPECT() *MockDynamicResourcesProvider_Expecter {
-	return &MockDynamicResourcesProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetDynamicResources provides a mock function with given fields: pod, container
-func (_m *MockDynamicResourcesProvider) GetDynamicResources(pod *v1.Pod, container *v1.Container) []*podresourcesv1.DynamicResource {
-	ret := _m.Called(pod, container)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDynamicResources")
-	}
-
-	var r0 []*podresourcesv1.DynamicResource
-	if rf, ok := ret.Get(0).(func(*v1.Pod, *v1.Container) []*podresourcesv1.DynamicResource); ok {
-		r0 = rf(pod, container)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.DynamicResource)
-		}
-	}
-
-	return r0
-}
-
-// MockDynamicResourcesProvider_GetDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDynamicResources'
-type MockDynamicResourcesProvider_GetDynamicResources_Call struct {
-	*mock.Call
-}
-
-// GetDynamicResources is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - container *v1.Container
-func (_e *MockDynamicResourcesProvider_Expecter) GetDynamicResources(pod interface{}, container interface{}) *MockDynamicResourcesProvider_GetDynamicResources_Call {
-	return &MockDynamicResourcesProvider_GetDynamicResources_Call{Call: _e.mock.On("GetDynamicResources", pod, container)}
-}
-
-func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) Run(run func(pod *v1.Pod, container *v1.Container)) *MockDynamicResourcesProvider_GetDynamicResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(*v1.Container))
-	})
-	return _c
-}
-
-func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) Return(_a0 []*podresourcesv1.DynamicResource) *MockDynamicResourcesProvider_GetDynamicResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) RunAndReturn(run func(*v1.Pod, *v1.Container) []*podresourcesv1.DynamicResource) *MockDynamicResourcesProvider_GetDynamicResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockDynamicResourcesProvider creates a new instance of MockDynamicResourcesProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockDynamicResourcesProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockDynamicResourcesProvider {
-	mock := &MockDynamicResourcesProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/apis/podresources/testing/memory_provider.go b/pkg/kubelet/apis/podresources/testing/memory_provider.go
deleted file mode 100644
index 506778e850831..0000000000000
--- a/pkg/kubelet/apis/podresources/testing/memory_provider.go
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	v1 "k8s.io/kubelet/pkg/apis/podresources/v1"
-)
-
-// MockMemoryProvider is an autogenerated mock type for the MemoryProvider type
-type MockMemoryProvider struct {
-	mock.Mock
-}
-
-type MockMemoryProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockMemoryProvider) EXPECT() *MockMemoryProvider_Expecter {
-	return &MockMemoryProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetAllocatableMemory provides a mock function with no fields
-func (_m *MockMemoryProvider) GetAllocatableMemory() []*v1.ContainerMemory {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableMemory")
-	}
-
-	var r0 []*v1.ContainerMemory
-	if rf, ok := ret.Get(0).(func() []*v1.ContainerMemory); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.ContainerMemory)
-		}
-	}
-
-	return r0
-}
-
-// MockMemoryProvider_GetAllocatableMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableMemory'
-type MockMemoryProvider_GetAllocatableMemory_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableMemory is a helper method to define mock.On call
-func (_e *MockMemoryProvider_Expecter) GetAllocatableMemory() *MockMemoryProvider_GetAllocatableMemory_Call {
-	return &MockMemoryProvider_GetAllocatableMemory_Call{Call: _e.mock.On("GetAllocatableMemory")}
-}
-
-func (_c *MockMemoryProvider_GetAllocatableMemory_Call) Run(run func()) *MockMemoryProvider_GetAllocatableMemory_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockMemoryProvider_GetAllocatableMemory_Call) Return(_a0 []*v1.ContainerMemory) *MockMemoryProvider_GetAllocatableMemory_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockMemoryProvider_GetAllocatableMemory_Call) RunAndReturn(run func() []*v1.ContainerMemory) *MockMemoryProvider_GetAllocatableMemory_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetMemory provides a mock function with given fields: podUID, containerName
-func (_m *MockMemoryProvider) GetMemory(podUID string, containerName string) []*v1.ContainerMemory {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetMemory")
-	}
-
-	var r0 []*v1.ContainerMemory
-	if rf, ok := ret.Get(0).(func(string, string) []*v1.ContainerMemory); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.ContainerMemory)
-		}
-	}
-
-	return r0
-}
-
-// MockMemoryProvider_GetMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMemory'
-type MockMemoryProvider_GetMemory_Call struct {
-	*mock.Call
-}
-
-// GetMemory is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockMemoryProvider_Expecter) GetMemory(podUID interface{}, containerName interface{}) *MockMemoryProvider_GetMemory_Call {
-	return &MockMemoryProvider_GetMemory_Call{Call: _e.mock.On("GetMemory", podUID, containerName)}
-}
-
-func (_c *MockMemoryProvider_GetMemory_Call) Run(run func(podUID string, containerName string)) *MockMemoryProvider_GetMemory_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockMemoryProvider_GetMemory_Call) Return(_a0 []*v1.ContainerMemory) *MockMemoryProvider_GetMemory_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockMemoryProvider_GetMemory_Call) RunAndReturn(run func(string, string) []*v1.ContainerMemory) *MockMemoryProvider_GetMemory_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockMemoryProvider creates a new instance of MockMemoryProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockMemoryProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockMemoryProvider {
-	mock := &MockMemoryProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/apis/podresources/testing/mocks.go b/pkg/kubelet/apis/podresources/testing/mocks.go
new file mode 100644
index 0000000000000..cbda9159c9bb6
--- /dev/null
+++ b/pkg/kubelet/apis/podresources/testing/mocks.go
@@ -0,0 +1,729 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	mock "github.com/stretchr/testify/mock"
+	v10 "k8s.io/api/core/v1"
+	"k8s.io/kubelet/pkg/apis/podresources/v1"
+)
+
+// NewMockDevicesProvider creates a new instance of MockDevicesProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockDevicesProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockDevicesProvider {
+	mock := &MockDevicesProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockDevicesProvider is an autogenerated mock type for the DevicesProvider type
+type MockDevicesProvider struct {
+	mock.Mock
+}
+
+type MockDevicesProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockDevicesProvider) EXPECT() *MockDevicesProvider_Expecter {
+	return &MockDevicesProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetAllocatableDevices provides a mock function for the type MockDevicesProvider
+func (_mock *MockDevicesProvider) GetAllocatableDevices() []*v1.ContainerDevices {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableDevices")
+	}
+
+	var r0 []*v1.ContainerDevices
+	if returnFunc, ok := ret.Get(0).(func() []*v1.ContainerDevices); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.ContainerDevices)
+		}
+	}
+	return r0
+}
+
+// MockDevicesProvider_GetAllocatableDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableDevices'
+type MockDevicesProvider_GetAllocatableDevices_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableDevices is a helper method to define mock.On call
+func (_e *MockDevicesProvider_Expecter) GetAllocatableDevices() *MockDevicesProvider_GetAllocatableDevices_Call {
+	return &MockDevicesProvider_GetAllocatableDevices_Call{Call: _e.mock.On("GetAllocatableDevices")}
+}
+
+func (_c *MockDevicesProvider_GetAllocatableDevices_Call) Run(run func()) *MockDevicesProvider_GetAllocatableDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockDevicesProvider_GetAllocatableDevices_Call) Return(containerDevicess []*v1.ContainerDevices) *MockDevicesProvider_GetAllocatableDevices_Call {
+	_c.Call.Return(containerDevicess)
+	return _c
+}
+
+func (_c *MockDevicesProvider_GetAllocatableDevices_Call) RunAndReturn(run func() []*v1.ContainerDevices) *MockDevicesProvider_GetAllocatableDevices_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDevices provides a mock function for the type MockDevicesProvider
+func (_mock *MockDevicesProvider) GetDevices(podUID string, containerName string) []*v1.ContainerDevices {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDevices")
+	}
+
+	var r0 []*v1.ContainerDevices
+	if returnFunc, ok := ret.Get(0).(func(string, string) []*v1.ContainerDevices); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.ContainerDevices)
+		}
+	}
+	return r0
+}
+
+// MockDevicesProvider_GetDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevices'
+type MockDevicesProvider_GetDevices_Call struct {
+	*mock.Call
+}
+
+// GetDevices is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockDevicesProvider_Expecter) GetDevices(podUID interface{}, containerName interface{}) *MockDevicesProvider_GetDevices_Call {
+	return &MockDevicesProvider_GetDevices_Call{Call: _e.mock.On("GetDevices", podUID, containerName)}
+}
+
+func (_c *MockDevicesProvider_GetDevices_Call) Run(run func(podUID string, containerName string)) *MockDevicesProvider_GetDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockDevicesProvider_GetDevices_Call) Return(containerDevicess []*v1.ContainerDevices) *MockDevicesProvider_GetDevices_Call {
+	_c.Call.Return(containerDevicess)
+	return _c
+}
+
+func (_c *MockDevicesProvider_GetDevices_Call) RunAndReturn(run func(podUID string, containerName string) []*v1.ContainerDevices) *MockDevicesProvider_GetDevices_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAllocatedDevices provides a mock function for the type MockDevicesProvider
+func (_mock *MockDevicesProvider) UpdateAllocatedDevices() {
+	_mock.Called()
+	return
+}
+
+// MockDevicesProvider_UpdateAllocatedDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedDevices'
+type MockDevicesProvider_UpdateAllocatedDevices_Call struct {
+	*mock.Call
+}
+
+// UpdateAllocatedDevices is a helper method to define mock.On call
+func (_e *MockDevicesProvider_Expecter) UpdateAllocatedDevices() *MockDevicesProvider_UpdateAllocatedDevices_Call {
+	return &MockDevicesProvider_UpdateAllocatedDevices_Call{Call: _e.mock.On("UpdateAllocatedDevices")}
+}
+
+func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) Run(run func()) *MockDevicesProvider_UpdateAllocatedDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) Return() *MockDevicesProvider_UpdateAllocatedDevices_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockDevicesProvider_UpdateAllocatedDevices_Call) RunAndReturn(run func()) *MockDevicesProvider_UpdateAllocatedDevices_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockPodsProvider creates a new instance of MockPodsProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockPodsProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockPodsProvider {
+	mock := &MockPodsProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockPodsProvider is an autogenerated mock type for the PodsProvider type
+type MockPodsProvider struct {
+	mock.Mock
+}
+
+type MockPodsProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockPodsProvider) EXPECT() *MockPodsProvider_Expecter {
+	return &MockPodsProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetActivePods provides a mock function for the type MockPodsProvider
+func (_mock *MockPodsProvider) GetActivePods() []*v10.Pod {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetActivePods")
+	}
+
+	var r0 []*v10.Pod
+	if returnFunc, ok := ret.Get(0).(func() []*v10.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.Pod)
+		}
+	}
+	return r0
+}
+
+// MockPodsProvider_GetActivePods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetActivePods'
+type MockPodsProvider_GetActivePods_Call struct {
+	*mock.Call
+}
+
+// GetActivePods is a helper method to define mock.On call
+func (_e *MockPodsProvider_Expecter) GetActivePods() *MockPodsProvider_GetActivePods_Call {
+	return &MockPodsProvider_GetActivePods_Call{Call: _e.mock.On("GetActivePods")}
+}
+
+func (_c *MockPodsProvider_GetActivePods_Call) Run(run func()) *MockPodsProvider_GetActivePods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockPodsProvider_GetActivePods_Call) Return(pods []*v10.Pod) *MockPodsProvider_GetActivePods_Call {
+	_c.Call.Return(pods)
+	return _c
+}
+
+func (_c *MockPodsProvider_GetActivePods_Call) RunAndReturn(run func() []*v10.Pod) *MockPodsProvider_GetActivePods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByName provides a mock function for the type MockPodsProvider
+func (_mock *MockPodsProvider) GetPodByName(namespace string, name string) (*v10.Pod, bool) {
+	ret := _mock.Called(namespace, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByName")
+	}
+
+	var r0 *v10.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(string, string) (*v10.Pod, bool)); ok {
+		return returnFunc(namespace, name)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string) *v10.Pod); ok {
+		r0 = returnFunc(namespace, name)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v10.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string) bool); ok {
+		r1 = returnFunc(namespace, name)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockPodsProvider_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
+type MockPodsProvider_GetPodByName_Call struct {
+	*mock.Call
+}
+
+// GetPodByName is a helper method to define mock.On call
+//   - namespace string
+//   - name string
+func (_e *MockPodsProvider_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockPodsProvider_GetPodByName_Call {
+	return &MockPodsProvider_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
+}
+
+func (_c *MockPodsProvider_GetPodByName_Call) Run(run func(namespace string, name string)) *MockPodsProvider_GetPodByName_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodsProvider_GetPodByName_Call) Return(pod *v10.Pod, b bool) *MockPodsProvider_GetPodByName_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockPodsProvider_GetPodByName_Call) RunAndReturn(run func(namespace string, name string) (*v10.Pod, bool)) *MockPodsProvider_GetPodByName_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPods provides a mock function for the type MockPodsProvider
+func (_mock *MockPodsProvider) GetPods() []*v10.Pod {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPods")
+	}
+
+	var r0 []*v10.Pod
+	if returnFunc, ok := ret.Get(0).(func() []*v10.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.Pod)
+		}
+	}
+	return r0
+}
+
+// MockPodsProvider_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
+type MockPodsProvider_GetPods_Call struct {
+	*mock.Call
+}
+
+// GetPods is a helper method to define mock.On call
+func (_e *MockPodsProvider_Expecter) GetPods() *MockPodsProvider_GetPods_Call {
+	return &MockPodsProvider_GetPods_Call{Call: _e.mock.On("GetPods")}
+}
+
+func (_c *MockPodsProvider_GetPods_Call) Run(run func()) *MockPodsProvider_GetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockPodsProvider_GetPods_Call) Return(pods []*v10.Pod) *MockPodsProvider_GetPods_Call {
+	_c.Call.Return(pods)
+	return _c
+}
+
+func (_c *MockPodsProvider_GetPods_Call) RunAndReturn(run func() []*v10.Pod) *MockPodsProvider_GetPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockCPUsProvider creates a new instance of MockCPUsProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCPUsProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCPUsProvider {
+	mock := &MockCPUsProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockCPUsProvider is an autogenerated mock type for the CPUsProvider type
+type MockCPUsProvider struct {
+	mock.Mock
+}
+
+type MockCPUsProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCPUsProvider) EXPECT() *MockCPUsProvider_Expecter {
+	return &MockCPUsProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetAllocatableCPUs provides a mock function for the type MockCPUsProvider
+func (_mock *MockCPUsProvider) GetAllocatableCPUs() []int64 {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableCPUs")
+	}
+
+	var r0 []int64
+	if returnFunc, ok := ret.Get(0).(func() []int64); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]int64)
+		}
+	}
+	return r0
+}
+
+// MockCPUsProvider_GetAllocatableCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableCPUs'
+type MockCPUsProvider_GetAllocatableCPUs_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableCPUs is a helper method to define mock.On call
+func (_e *MockCPUsProvider_Expecter) GetAllocatableCPUs() *MockCPUsProvider_GetAllocatableCPUs_Call {
+	return &MockCPUsProvider_GetAllocatableCPUs_Call{Call: _e.mock.On("GetAllocatableCPUs")}
+}
+
+func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) Run(run func()) *MockCPUsProvider_GetAllocatableCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) Return(int64s []int64) *MockCPUsProvider_GetAllocatableCPUs_Call {
+	_c.Call.Return(int64s)
+	return _c
+}
+
+func (_c *MockCPUsProvider_GetAllocatableCPUs_Call) RunAndReturn(run func() []int64) *MockCPUsProvider_GetAllocatableCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCPUs provides a mock function for the type MockCPUsProvider
+func (_mock *MockCPUsProvider) GetCPUs(podUID string, containerName string) []int64 {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCPUs")
+	}
+
+	var r0 []int64
+	if returnFunc, ok := ret.Get(0).(func(string, string) []int64); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]int64)
+		}
+	}
+	return r0
+}
+
+// MockCPUsProvider_GetCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUs'
+type MockCPUsProvider_GetCPUs_Call struct {
+	*mock.Call
+}
+
+// GetCPUs is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockCPUsProvider_Expecter) GetCPUs(podUID interface{}, containerName interface{}) *MockCPUsProvider_GetCPUs_Call {
+	return &MockCPUsProvider_GetCPUs_Call{Call: _e.mock.On("GetCPUs", podUID, containerName)}
+}
+
+func (_c *MockCPUsProvider_GetCPUs_Call) Run(run func(podUID string, containerName string)) *MockCPUsProvider_GetCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCPUsProvider_GetCPUs_Call) Return(int64s []int64) *MockCPUsProvider_GetCPUs_Call {
+	_c.Call.Return(int64s)
+	return _c
+}
+
+func (_c *MockCPUsProvider_GetCPUs_Call) RunAndReturn(run func(podUID string, containerName string) []int64) *MockCPUsProvider_GetCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockMemoryProvider creates a new instance of MockMemoryProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockMemoryProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockMemoryProvider {
+	mock := &MockMemoryProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockMemoryProvider is an autogenerated mock type for the MemoryProvider type
+type MockMemoryProvider struct {
+	mock.Mock
+}
+
+type MockMemoryProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockMemoryProvider) EXPECT() *MockMemoryProvider_Expecter {
+	return &MockMemoryProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetAllocatableMemory provides a mock function for the type MockMemoryProvider
+func (_mock *MockMemoryProvider) GetAllocatableMemory() []*v1.ContainerMemory {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableMemory")
+	}
+
+	var r0 []*v1.ContainerMemory
+	if returnFunc, ok := ret.Get(0).(func() []*v1.ContainerMemory); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.ContainerMemory)
+		}
+	}
+	return r0
+}
+
+// MockMemoryProvider_GetAllocatableMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableMemory'
+type MockMemoryProvider_GetAllocatableMemory_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableMemory is a helper method to define mock.On call
+func (_e *MockMemoryProvider_Expecter) GetAllocatableMemory() *MockMemoryProvider_GetAllocatableMemory_Call {
+	return &MockMemoryProvider_GetAllocatableMemory_Call{Call: _e.mock.On("GetAllocatableMemory")}
+}
+
+func (_c *MockMemoryProvider_GetAllocatableMemory_Call) Run(run func()) *MockMemoryProvider_GetAllocatableMemory_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockMemoryProvider_GetAllocatableMemory_Call) Return(containerMemorys []*v1.ContainerMemory) *MockMemoryProvider_GetAllocatableMemory_Call {
+	_c.Call.Return(containerMemorys)
+	return _c
+}
+
+func (_c *MockMemoryProvider_GetAllocatableMemory_Call) RunAndReturn(run func() []*v1.ContainerMemory) *MockMemoryProvider_GetAllocatableMemory_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetMemory provides a mock function for the type MockMemoryProvider
+func (_mock *MockMemoryProvider) GetMemory(podUID string, containerName string) []*v1.ContainerMemory {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetMemory")
+	}
+
+	var r0 []*v1.ContainerMemory
+	if returnFunc, ok := ret.Get(0).(func(string, string) []*v1.ContainerMemory); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.ContainerMemory)
+		}
+	}
+	return r0
+}
+
+// MockMemoryProvider_GetMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMemory'
+type MockMemoryProvider_GetMemory_Call struct {
+	*mock.Call
+}
+
+// GetMemory is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockMemoryProvider_Expecter) GetMemory(podUID interface{}, containerName interface{}) *MockMemoryProvider_GetMemory_Call {
+	return &MockMemoryProvider_GetMemory_Call{Call: _e.mock.On("GetMemory", podUID, containerName)}
+}
+
+func (_c *MockMemoryProvider_GetMemory_Call) Run(run func(podUID string, containerName string)) *MockMemoryProvider_GetMemory_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockMemoryProvider_GetMemory_Call) Return(containerMemorys []*v1.ContainerMemory) *MockMemoryProvider_GetMemory_Call {
+	_c.Call.Return(containerMemorys)
+	return _c
+}
+
+func (_c *MockMemoryProvider_GetMemory_Call) RunAndReturn(run func(podUID string, containerName string) []*v1.ContainerMemory) *MockMemoryProvider_GetMemory_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockDynamicResourcesProvider creates a new instance of MockDynamicResourcesProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockDynamicResourcesProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockDynamicResourcesProvider {
+	mock := &MockDynamicResourcesProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockDynamicResourcesProvider is an autogenerated mock type for the DynamicResourcesProvider type
+type MockDynamicResourcesProvider struct {
+	mock.Mock
+}
+
+type MockDynamicResourcesProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockDynamicResourcesProvider) EXPECT() *MockDynamicResourcesProvider_Expecter {
+	return &MockDynamicResourcesProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetDynamicResources provides a mock function for the type MockDynamicResourcesProvider
+func (_mock *MockDynamicResourcesProvider) GetDynamicResources(pod *v10.Pod, container *v10.Container) []*v1.DynamicResource {
+	ret := _mock.Called(pod, container)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDynamicResources")
+	}
+
+	var r0 []*v1.DynamicResource
+	if returnFunc, ok := ret.Get(0).(func(*v10.Pod, *v10.Container) []*v1.DynamicResource); ok {
+		r0 = returnFunc(pod, container)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.DynamicResource)
+		}
+	}
+	return r0
+}
+
+// MockDynamicResourcesProvider_GetDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDynamicResources'
+type MockDynamicResourcesProvider_GetDynamicResources_Call struct {
+	*mock.Call
+}
+
+// GetDynamicResources is a helper method to define mock.On call
+//   - pod *v10.Pod
+//   - container *v10.Container
+func (_e *MockDynamicResourcesProvider_Expecter) GetDynamicResources(pod interface{}, container interface{}) *MockDynamicResourcesProvider_GetDynamicResources_Call {
+	return &MockDynamicResourcesProvider_GetDynamicResources_Call{Call: _e.mock.On("GetDynamicResources", pod, container)}
+}
+
+func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) Run(run func(pod *v10.Pod, container *v10.Container)) *MockDynamicResourcesProvider_GetDynamicResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v10.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v10.Pod)
+		}
+		var arg1 *v10.Container
+		if args[1] != nil {
+			arg1 = args[1].(*v10.Container)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) Return(dynamicResources []*v1.DynamicResource) *MockDynamicResourcesProvider_GetDynamicResources_Call {
+	_c.Call.Return(dynamicResources)
+	return _c
+}
+
+func (_c *MockDynamicResourcesProvider_GetDynamicResources_Call) RunAndReturn(run func(pod *v10.Pod, container *v10.Container) []*v1.DynamicResource) *MockDynamicResourcesProvider_GetDynamicResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/apis/podresources/testing/pods_provider.go b/pkg/kubelet/apis/podresources/testing/pods_provider.go
deleted file mode 100644
index d917e0c7cad1a..0000000000000
--- a/pkg/kubelet/apis/podresources/testing/pods_provider.go
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockPodsProvider is an autogenerated mock type for the PodsProvider type
-type MockPodsProvider struct {
-	mock.Mock
-}
-
-type MockPodsProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockPodsProvider) EXPECT() *MockPodsProvider_Expecter {
-	return &MockPodsProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetActivePods provides a mock function with no fields
-func (_m *MockPodsProvider) GetActivePods() []*v1.Pod {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetActivePods")
-	}
-
-	var r0 []*v1.Pod
-	if rf, ok := ret.Get(0).(func() []*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.Pod)
-		}
-	}
-
-	return r0
-}
-
-// MockPodsProvider_GetActivePods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetActivePods'
-type MockPodsProvider_GetActivePods_Call struct {
-	*mock.Call
-}
-
-// GetActivePods is a helper method to define mock.On call
-func (_e *MockPodsProvider_Expecter) GetActivePods() *MockPodsProvider_GetActivePods_Call {
-	return &MockPodsProvider_GetActivePods_Call{Call: _e.mock.On("GetActivePods")}
-}
-
-func (_c *MockPodsProvider_GetActivePods_Call) Run(run func()) *MockPodsProvider_GetActivePods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockPodsProvider_GetActivePods_Call) Return(_a0 []*v1.Pod) *MockPodsProvider_GetActivePods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodsProvider_GetActivePods_Call) RunAndReturn(run func() []*v1.Pod) *MockPodsProvider_GetActivePods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByName provides a mock function with given fields: namespace, name
-func (_m *MockPodsProvider) GetPodByName(namespace string, name string) (*v1.Pod, bool) {
-	ret := _m.Called(namespace, name)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByName")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(string, string) (*v1.Pod, bool)); ok {
-		return rf(namespace, name)
-	}
-	if rf, ok := ret.Get(0).(func(string, string) *v1.Pod); ok {
-		r0 = rf(namespace, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, string) bool); ok {
-		r1 = rf(namespace, name)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockPodsProvider_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
-type MockPodsProvider_GetPodByName_Call struct {
-	*mock.Call
-}
-
-// GetPodByName is a helper method to define mock.On call
-//   - namespace string
-//   - name string
-func (_e *MockPodsProvider_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockPodsProvider_GetPodByName_Call {
-	return &MockPodsProvider_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
-}
-
-func (_c *MockPodsProvider_GetPodByName_Call) Run(run func(namespace string, name string)) *MockPodsProvider_GetPodByName_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockPodsProvider_GetPodByName_Call) Return(_a0 *v1.Pod, _a1 bool) *MockPodsProvider_GetPodByName_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodsProvider_GetPodByName_Call) RunAndReturn(run func(string, string) (*v1.Pod, bool)) *MockPodsProvider_GetPodByName_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPods provides a mock function with no fields
-func (_m *MockPodsProvider) GetPods() []*v1.Pod {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPods")
-	}
-
-	var r0 []*v1.Pod
-	if rf, ok := ret.Get(0).(func() []*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.Pod)
-		}
-	}
-
-	return r0
-}
-
-// MockPodsProvider_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
-type MockPodsProvider_GetPods_Call struct {
-	*mock.Call
-}
-
-// GetPods is a helper method to define mock.On call
-func (_e *MockPodsProvider_Expecter) GetPods() *MockPodsProvider_GetPods_Call {
-	return &MockPodsProvider_GetPods_Call{Call: _e.mock.On("GetPods")}
-}
-
-func (_c *MockPodsProvider_GetPods_Call) Run(run func()) *MockPodsProvider_GetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockPodsProvider_GetPods_Call) Return(_a0 []*v1.Pod) *MockPodsProvider_GetPods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodsProvider_GetPods_Call) RunAndReturn(run func() []*v1.Pod) *MockPodsProvider_GetPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockPodsProvider creates a new instance of MockPodsProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockPodsProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockPodsProvider {
-	mock := &MockPodsProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/cadvisor/.mockery.yaml b/pkg/kubelet/cadvisor/.mockery.yaml
index b8d6ef3efaa1a..586061a15d916 100644
--- a/pkg/kubelet/cadvisor/.mockery.yaml
+++ b/pkg/kubelet/cadvisor/.mockery.yaml
@@ -1,10 +1,12 @@
 ---
 dir: testing
-filename: cadvisor_mock.go
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/cadvisor:
     interfaces:
-      Interface:
+      Interface: {}
diff --git a/pkg/kubelet/cadvisor/testing/cadvisor_mock.go b/pkg/kubelet/cadvisor/testing/cadvisor_mock.go
deleted file mode 100644
index 3073773ba6819..0000000000000
--- a/pkg/kubelet/cadvisor/testing/cadvisor_mock.go
+++ /dev/null
@@ -1,555 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	context "context"
-
-	v1 "github.com/google/cadvisor/info/v1"
-	mock "github.com/stretchr/testify/mock"
-
-	v2 "github.com/google/cadvisor/info/v2"
-)
-
-// MockInterface is an autogenerated mock type for the Interface type
-type MockInterface struct {
-	mock.Mock
-}
-
-type MockInterface_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
-	return &MockInterface_Expecter{mock: &_m.Mock}
-}
-
-// ContainerFsInfo provides a mock function with given fields: _a0
-func (_m *MockInterface) ContainerFsInfo(_a0 context.Context) (v2.FsInfo, error) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ContainerFsInfo")
-	}
-
-	var r0 v2.FsInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (v2.FsInfo, error)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) v2.FsInfo); ok {
-		r0 = rf(_a0)
-	} else {
-		r0 = ret.Get(0).(v2.FsInfo)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ContainerFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerFsInfo'
-type MockInterface_ContainerFsInfo_Call struct {
-	*mock.Call
-}
-
-// ContainerFsInfo is a helper method to define mock.On call
-//   - _a0 context.Context
-func (_e *MockInterface_Expecter) ContainerFsInfo(_a0 interface{}) *MockInterface_ContainerFsInfo_Call {
-	return &MockInterface_ContainerFsInfo_Call{Call: _e.mock.On("ContainerFsInfo", _a0)}
-}
-
-func (_c *MockInterface_ContainerFsInfo_Call) Run(run func(_a0 context.Context)) *MockInterface_ContainerFsInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ContainerFsInfo_Call) Return(_a0 v2.FsInfo, _a1 error) *MockInterface_ContainerFsInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_ContainerFsInfo_Call) RunAndReturn(run func(context.Context) (v2.FsInfo, error)) *MockInterface_ContainerFsInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ContainerInfoV2 provides a mock function with given fields: name, options
-func (_m *MockInterface) ContainerInfoV2(name string, options v2.RequestOptions) (map[string]v2.ContainerInfo, error) {
-	ret := _m.Called(name, options)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ContainerInfoV2")
-	}
-
-	var r0 map[string]v2.ContainerInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]v2.ContainerInfo, error)); ok {
-		return rf(name, options)
-	}
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]v2.ContainerInfo); ok {
-		r0 = rf(name, options)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]v2.ContainerInfo)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
-		r1 = rf(name, options)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ContainerInfoV2_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerInfoV2'
-type MockInterface_ContainerInfoV2_Call struct {
-	*mock.Call
-}
-
-// ContainerInfoV2 is a helper method to define mock.On call
-//   - name string
-//   - options v2.RequestOptions
-func (_e *MockInterface_Expecter) ContainerInfoV2(name interface{}, options interface{}) *MockInterface_ContainerInfoV2_Call {
-	return &MockInterface_ContainerInfoV2_Call{Call: _e.mock.On("ContainerInfoV2", name, options)}
-}
-
-func (_c *MockInterface_ContainerInfoV2_Call) Run(run func(name string, options v2.RequestOptions)) *MockInterface_ContainerInfoV2_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(v2.RequestOptions))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ContainerInfoV2_Call) Return(_a0 map[string]v2.ContainerInfo, _a1 error) *MockInterface_ContainerInfoV2_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_ContainerInfoV2_Call) RunAndReturn(run func(string, v2.RequestOptions) (map[string]v2.ContainerInfo, error)) *MockInterface_ContainerInfoV2_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetDirFsInfo provides a mock function with given fields: path
-func (_m *MockInterface) GetDirFsInfo(path string) (v2.FsInfo, error) {
-	ret := _m.Called(path)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDirFsInfo")
-	}
-
-	var r0 v2.FsInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string) (v2.FsInfo, error)); ok {
-		return rf(path)
-	}
-	if rf, ok := ret.Get(0).(func(string) v2.FsInfo); ok {
-		r0 = rf(path)
-	} else {
-		r0 = ret.Get(0).(v2.FsInfo)
-	}
-
-	if rf, ok := ret.Get(1).(func(string) error); ok {
-		r1 = rf(path)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetDirFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDirFsInfo'
-type MockInterface_GetDirFsInfo_Call struct {
-	*mock.Call
-}
-
-// GetDirFsInfo is a helper method to define mock.On call
-//   - path string
-func (_e *MockInterface_Expecter) GetDirFsInfo(path interface{}) *MockInterface_GetDirFsInfo_Call {
-	return &MockInterface_GetDirFsInfo_Call{Call: _e.mock.On("GetDirFsInfo", path)}
-}
-
-func (_c *MockInterface_GetDirFsInfo_Call) Run(run func(path string)) *MockInterface_GetDirFsInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetDirFsInfo_Call) Return(_a0 v2.FsInfo, _a1 error) *MockInterface_GetDirFsInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_GetDirFsInfo_Call) RunAndReturn(run func(string) (v2.FsInfo, error)) *MockInterface_GetDirFsInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetRequestedContainersInfo provides a mock function with given fields: containerName, options
-func (_m *MockInterface) GetRequestedContainersInfo(containerName string, options v2.RequestOptions) (map[string]*v1.ContainerInfo, error) {
-	ret := _m.Called(containerName, options)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetRequestedContainersInfo")
-	}
-
-	var r0 map[string]*v1.ContainerInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]*v1.ContainerInfo, error)); ok {
-		return rf(containerName, options)
-	}
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]*v1.ContainerInfo); ok {
-		r0 = rf(containerName, options)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]*v1.ContainerInfo)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
-		r1 = rf(containerName, options)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_GetRequestedContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRequestedContainersInfo'
-type MockInterface_GetRequestedContainersInfo_Call struct {
-	*mock.Call
-}
-
-// GetRequestedContainersInfo is a helper method to define mock.On call
-//   - containerName string
-//   - options v2.RequestOptions
-func (_e *MockInterface_Expecter) GetRequestedContainersInfo(containerName interface{}, options interface{}) *MockInterface_GetRequestedContainersInfo_Call {
-	return &MockInterface_GetRequestedContainersInfo_Call{Call: _e.mock.On("GetRequestedContainersInfo", containerName, options)}
-}
-
-func (_c *MockInterface_GetRequestedContainersInfo_Call) Run(run func(containerName string, options v2.RequestOptions)) *MockInterface_GetRequestedContainersInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(v2.RequestOptions))
-	})
-	return _c
-}
-
-func (_c *MockInterface_GetRequestedContainersInfo_Call) Return(_a0 map[string]*v1.ContainerInfo, _a1 error) *MockInterface_GetRequestedContainersInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_GetRequestedContainersInfo_Call) RunAndReturn(run func(string, v2.RequestOptions) (map[string]*v1.ContainerInfo, error)) *MockInterface_GetRequestedContainersInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ImagesFsInfo provides a mock function with given fields: _a0
-func (_m *MockInterface) ImagesFsInfo(_a0 context.Context) (v2.FsInfo, error) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ImagesFsInfo")
-	}
-
-	var r0 v2.FsInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (v2.FsInfo, error)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) v2.FsInfo); ok {
-		r0 = rf(_a0)
-	} else {
-		r0 = ret.Get(0).(v2.FsInfo)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_ImagesFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImagesFsInfo'
-type MockInterface_ImagesFsInfo_Call struct {
-	*mock.Call
-}
-
-// ImagesFsInfo is a helper method to define mock.On call
-//   - _a0 context.Context
-func (_e *MockInterface_Expecter) ImagesFsInfo(_a0 interface{}) *MockInterface_ImagesFsInfo_Call {
-	return &MockInterface_ImagesFsInfo_Call{Call: _e.mock.On("ImagesFsInfo", _a0)}
-}
-
-func (_c *MockInterface_ImagesFsInfo_Call) Run(run func(_a0 context.Context)) *MockInterface_ImagesFsInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockInterface_ImagesFsInfo_Call) Return(_a0 v2.FsInfo, _a1 error) *MockInterface_ImagesFsInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_ImagesFsInfo_Call) RunAndReturn(run func(context.Context) (v2.FsInfo, error)) *MockInterface_ImagesFsInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// MachineInfo provides a mock function with no fields
-func (_m *MockInterface) MachineInfo() (*v1.MachineInfo, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for MachineInfo")
-	}
-
-	var r0 *v1.MachineInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (*v1.MachineInfo, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() *v1.MachineInfo); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.MachineInfo)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_MachineInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'MachineInfo'
-type MockInterface_MachineInfo_Call struct {
-	*mock.Call
-}
-
-// MachineInfo is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) MachineInfo() *MockInterface_MachineInfo_Call {
-	return &MockInterface_MachineInfo_Call{Call: _e.mock.On("MachineInfo")}
-}
-
-func (_c *MockInterface_MachineInfo_Call) Run(run func()) *MockInterface_MachineInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_MachineInfo_Call) Return(_a0 *v1.MachineInfo, _a1 error) *MockInterface_MachineInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_MachineInfo_Call) RunAndReturn(run func() (*v1.MachineInfo, error)) *MockInterface_MachineInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// RootFsInfo provides a mock function with no fields
-func (_m *MockInterface) RootFsInfo() (v2.FsInfo, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for RootFsInfo")
-	}
-
-	var r0 v2.FsInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (v2.FsInfo, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() v2.FsInfo); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(v2.FsInfo)
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_RootFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RootFsInfo'
-type MockInterface_RootFsInfo_Call struct {
-	*mock.Call
-}
-
-// RootFsInfo is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) RootFsInfo() *MockInterface_RootFsInfo_Call {
-	return &MockInterface_RootFsInfo_Call{Call: _e.mock.On("RootFsInfo")}
-}
-
-func (_c *MockInterface_RootFsInfo_Call) Run(run func()) *MockInterface_RootFsInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_RootFsInfo_Call) Return(_a0 v2.FsInfo, _a1 error) *MockInterface_RootFsInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_RootFsInfo_Call) RunAndReturn(run func() (v2.FsInfo, error)) *MockInterface_RootFsInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Start provides a mock function with no fields
-func (_m *MockInterface) Start() error {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Start")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func() error); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockInterface_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
-type MockInterface_Start_Call struct {
-	*mock.Call
-}
-
-// Start is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) Start() *MockInterface_Start_Call {
-	return &MockInterface_Start_Call{Call: _e.mock.On("Start")}
-}
-
-func (_c *MockInterface_Start_Call) Run(run func()) *MockInterface_Start_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_Start_Call) Return(_a0 error) *MockInterface_Start_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockInterface_Start_Call) RunAndReturn(run func() error) *MockInterface_Start_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// VersionInfo provides a mock function with no fields
-func (_m *MockInterface) VersionInfo() (*v1.VersionInfo, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for VersionInfo")
-	}
-
-	var r0 *v1.VersionInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (*v1.VersionInfo, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() *v1.VersionInfo); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.VersionInfo)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockInterface_VersionInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VersionInfo'
-type MockInterface_VersionInfo_Call struct {
-	*mock.Call
-}
-
-// VersionInfo is a helper method to define mock.On call
-func (_e *MockInterface_Expecter) VersionInfo() *MockInterface_VersionInfo_Call {
-	return &MockInterface_VersionInfo_Call{Call: _e.mock.On("VersionInfo")}
-}
-
-func (_c *MockInterface_VersionInfo_Call) Run(run func()) *MockInterface_VersionInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockInterface_VersionInfo_Call) Return(_a0 *v1.VersionInfo, _a1 error) *MockInterface_VersionInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockInterface_VersionInfo_Call) RunAndReturn(run func() (*v1.VersionInfo, error)) *MockInterface_VersionInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockInterface(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockInterface {
-	mock := &MockInterface{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/cadvisor/testing/mocks.go b/pkg/kubelet/cadvisor/testing/mocks.go
new file mode 100644
index 0000000000000..b781cad143a57
--- /dev/null
+++ b/pkg/kubelet/cadvisor/testing/mocks.go
@@ -0,0 +1,579 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	"context"
+
+	"github.com/google/cadvisor/info/v1"
+	"github.com/google/cadvisor/info/v2"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInterface(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockInterface {
+	mock := &MockInterface{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInterface is an autogenerated mock type for the Interface type
+type MockInterface struct {
+	mock.Mock
+}
+
+type MockInterface_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
+	return &MockInterface_Expecter{mock: &_m.Mock}
+}
+
+// ContainerFsInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) ContainerFsInfo(context1 context.Context) (v2.FsInfo, error) {
+	ret := _mock.Called(context1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ContainerFsInfo")
+	}
+
+	var r0 v2.FsInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (v2.FsInfo, error)); ok {
+		return returnFunc(context1)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) v2.FsInfo); ok {
+		r0 = returnFunc(context1)
+	} else {
+		r0 = ret.Get(0).(v2.FsInfo)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(context1)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ContainerFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerFsInfo'
+type MockInterface_ContainerFsInfo_Call struct {
+	*mock.Call
+}
+
+// ContainerFsInfo is a helper method to define mock.On call
+//   - context1 context.Context
+func (_e *MockInterface_Expecter) ContainerFsInfo(context1 interface{}) *MockInterface_ContainerFsInfo_Call {
+	return &MockInterface_ContainerFsInfo_Call{Call: _e.mock.On("ContainerFsInfo", context1)}
+}
+
+func (_c *MockInterface_ContainerFsInfo_Call) Run(run func(context1 context.Context)) *MockInterface_ContainerFsInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ContainerFsInfo_Call) Return(fsInfo v2.FsInfo, err error) *MockInterface_ContainerFsInfo_Call {
+	_c.Call.Return(fsInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_ContainerFsInfo_Call) RunAndReturn(run func(context1 context.Context) (v2.FsInfo, error)) *MockInterface_ContainerFsInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ContainerInfoV2 provides a mock function for the type MockInterface
+func (_mock *MockInterface) ContainerInfoV2(name string, options v2.RequestOptions) (map[string]v2.ContainerInfo, error) {
+	ret := _mock.Called(name, options)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ContainerInfoV2")
+	}
+
+	var r0 map[string]v2.ContainerInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]v2.ContainerInfo, error)); ok {
+		return returnFunc(name, options)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]v2.ContainerInfo); ok {
+		r0 = returnFunc(name, options)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]v2.ContainerInfo)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
+		r1 = returnFunc(name, options)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ContainerInfoV2_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerInfoV2'
+type MockInterface_ContainerInfoV2_Call struct {
+	*mock.Call
+}
+
+// ContainerInfoV2 is a helper method to define mock.On call
+//   - name string
+//   - options v2.RequestOptions
+func (_e *MockInterface_Expecter) ContainerInfoV2(name interface{}, options interface{}) *MockInterface_ContainerInfoV2_Call {
+	return &MockInterface_ContainerInfoV2_Call{Call: _e.mock.On("ContainerInfoV2", name, options)}
+}
+
+func (_c *MockInterface_ContainerInfoV2_Call) Run(run func(name string, options v2.RequestOptions)) *MockInterface_ContainerInfoV2_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 v2.RequestOptions
+		if args[1] != nil {
+			arg1 = args[1].(v2.RequestOptions)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ContainerInfoV2_Call) Return(stringToContainerInfo map[string]v2.ContainerInfo, err error) *MockInterface_ContainerInfoV2_Call {
+	_c.Call.Return(stringToContainerInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_ContainerInfoV2_Call) RunAndReturn(run func(name string, options v2.RequestOptions) (map[string]v2.ContainerInfo, error)) *MockInterface_ContainerInfoV2_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDirFsInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetDirFsInfo(path string) (v2.FsInfo, error) {
+	ret := _mock.Called(path)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDirFsInfo")
+	}
+
+	var r0 v2.FsInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string) (v2.FsInfo, error)); ok {
+		return returnFunc(path)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) v2.FsInfo); ok {
+		r0 = returnFunc(path)
+	} else {
+		r0 = ret.Get(0).(v2.FsInfo)
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) error); ok {
+		r1 = returnFunc(path)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetDirFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDirFsInfo'
+type MockInterface_GetDirFsInfo_Call struct {
+	*mock.Call
+}
+
+// GetDirFsInfo is a helper method to define mock.On call
+//   - path string
+func (_e *MockInterface_Expecter) GetDirFsInfo(path interface{}) *MockInterface_GetDirFsInfo_Call {
+	return &MockInterface_GetDirFsInfo_Call{Call: _e.mock.On("GetDirFsInfo", path)}
+}
+
+func (_c *MockInterface_GetDirFsInfo_Call) Run(run func(path string)) *MockInterface_GetDirFsInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetDirFsInfo_Call) Return(fsInfo v2.FsInfo, err error) *MockInterface_GetDirFsInfo_Call {
+	_c.Call.Return(fsInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_GetDirFsInfo_Call) RunAndReturn(run func(path string) (v2.FsInfo, error)) *MockInterface_GetDirFsInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetRequestedContainersInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) GetRequestedContainersInfo(containerName string, options v2.RequestOptions) (map[string]*v1.ContainerInfo, error) {
+	ret := _mock.Called(containerName, options)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequestedContainersInfo")
+	}
+
+	var r0 map[string]*v1.ContainerInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]*v1.ContainerInfo, error)); ok {
+		return returnFunc(containerName, options)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]*v1.ContainerInfo); ok {
+		r0 = returnFunc(containerName, options)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]*v1.ContainerInfo)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
+		r1 = returnFunc(containerName, options)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_GetRequestedContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRequestedContainersInfo'
+type MockInterface_GetRequestedContainersInfo_Call struct {
+	*mock.Call
+}
+
+// GetRequestedContainersInfo is a helper method to define mock.On call
+//   - containerName string
+//   - options v2.RequestOptions
+func (_e *MockInterface_Expecter) GetRequestedContainersInfo(containerName interface{}, options interface{}) *MockInterface_GetRequestedContainersInfo_Call {
+	return &MockInterface_GetRequestedContainersInfo_Call{Call: _e.mock.On("GetRequestedContainersInfo", containerName, options)}
+}
+
+func (_c *MockInterface_GetRequestedContainersInfo_Call) Run(run func(containerName string, options v2.RequestOptions)) *MockInterface_GetRequestedContainersInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 v2.RequestOptions
+		if args[1] != nil {
+			arg1 = args[1].(v2.RequestOptions)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_GetRequestedContainersInfo_Call) Return(stringToContainerInfo map[string]*v1.ContainerInfo, err error) *MockInterface_GetRequestedContainersInfo_Call {
+	_c.Call.Return(stringToContainerInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_GetRequestedContainersInfo_Call) RunAndReturn(run func(containerName string, options v2.RequestOptions) (map[string]*v1.ContainerInfo, error)) *MockInterface_GetRequestedContainersInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ImagesFsInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) ImagesFsInfo(context1 context.Context) (v2.FsInfo, error) {
+	ret := _mock.Called(context1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ImagesFsInfo")
+	}
+
+	var r0 v2.FsInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (v2.FsInfo, error)); ok {
+		return returnFunc(context1)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) v2.FsInfo); ok {
+		r0 = returnFunc(context1)
+	} else {
+		r0 = ret.Get(0).(v2.FsInfo)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(context1)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_ImagesFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImagesFsInfo'
+type MockInterface_ImagesFsInfo_Call struct {
+	*mock.Call
+}
+
+// ImagesFsInfo is a helper method to define mock.On call
+//   - context1 context.Context
+func (_e *MockInterface_Expecter) ImagesFsInfo(context1 interface{}) *MockInterface_ImagesFsInfo_Call {
+	return &MockInterface_ImagesFsInfo_Call{Call: _e.mock.On("ImagesFsInfo", context1)}
+}
+
+func (_c *MockInterface_ImagesFsInfo_Call) Run(run func(context1 context.Context)) *MockInterface_ImagesFsInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockInterface_ImagesFsInfo_Call) Return(fsInfo v2.FsInfo, err error) *MockInterface_ImagesFsInfo_Call {
+	_c.Call.Return(fsInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_ImagesFsInfo_Call) RunAndReturn(run func(context1 context.Context) (v2.FsInfo, error)) *MockInterface_ImagesFsInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// MachineInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) MachineInfo() (*v1.MachineInfo, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for MachineInfo")
+	}
+
+	var r0 *v1.MachineInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (*v1.MachineInfo, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() *v1.MachineInfo); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.MachineInfo)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_MachineInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'MachineInfo'
+type MockInterface_MachineInfo_Call struct {
+	*mock.Call
+}
+
+// MachineInfo is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) MachineInfo() *MockInterface_MachineInfo_Call {
+	return &MockInterface_MachineInfo_Call{Call: _e.mock.On("MachineInfo")}
+}
+
+func (_c *MockInterface_MachineInfo_Call) Run(run func()) *MockInterface_MachineInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_MachineInfo_Call) Return(machineInfo *v1.MachineInfo, err error) *MockInterface_MachineInfo_Call {
+	_c.Call.Return(machineInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_MachineInfo_Call) RunAndReturn(run func() (*v1.MachineInfo, error)) *MockInterface_MachineInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RootFsInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) RootFsInfo() (v2.FsInfo, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for RootFsInfo")
+	}
+
+	var r0 v2.FsInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (v2.FsInfo, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() v2.FsInfo); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(v2.FsInfo)
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_RootFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RootFsInfo'
+type MockInterface_RootFsInfo_Call struct {
+	*mock.Call
+}
+
+// RootFsInfo is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) RootFsInfo() *MockInterface_RootFsInfo_Call {
+	return &MockInterface_RootFsInfo_Call{Call: _e.mock.On("RootFsInfo")}
+}
+
+func (_c *MockInterface_RootFsInfo_Call) Run(run func()) *MockInterface_RootFsInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_RootFsInfo_Call) Return(fsInfo v2.FsInfo, err error) *MockInterface_RootFsInfo_Call {
+	_c.Call.Return(fsInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_RootFsInfo_Call) RunAndReturn(run func() (v2.FsInfo, error)) *MockInterface_RootFsInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Start provides a mock function for the type MockInterface
+func (_mock *MockInterface) Start() error {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Start")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func() error); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockInterface_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
+type MockInterface_Start_Call struct {
+	*mock.Call
+}
+
+// Start is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) Start() *MockInterface_Start_Call {
+	return &MockInterface_Start_Call{Call: _e.mock.On("Start")}
+}
+
+func (_c *MockInterface_Start_Call) Run(run func()) *MockInterface_Start_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_Start_Call) Return(err error) *MockInterface_Start_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockInterface_Start_Call) RunAndReturn(run func() error) *MockInterface_Start_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// VersionInfo provides a mock function for the type MockInterface
+func (_mock *MockInterface) VersionInfo() (*v1.VersionInfo, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for VersionInfo")
+	}
+
+	var r0 *v1.VersionInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (*v1.VersionInfo, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() *v1.VersionInfo); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.VersionInfo)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockInterface_VersionInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'VersionInfo'
+type MockInterface_VersionInfo_Call struct {
+	*mock.Call
+}
+
+// VersionInfo is a helper method to define mock.On call
+func (_e *MockInterface_Expecter) VersionInfo() *MockInterface_VersionInfo_Call {
+	return &MockInterface_VersionInfo_Call{Call: _e.mock.On("VersionInfo")}
+}
+
+func (_c *MockInterface_VersionInfo_Call) Run(run func()) *MockInterface_VersionInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInterface_VersionInfo_Call) Return(versionInfo *v1.VersionInfo, err error) *MockInterface_VersionInfo_Call {
+	_c.Call.Return(versionInfo, err)
+	return _c
+}
+
+func (_c *MockInterface_VersionInfo_Call) RunAndReturn(run func() (*v1.VersionInfo, error)) *MockInterface_VersionInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/certificate/bootstrap/bootstrap.go b/pkg/kubelet/certificate/bootstrap/bootstrap.go
index 2caea4c24f38b..4377ff32aa04d 100644
--- a/pkg/kubelet/certificate/bootstrap/bootstrap.go
+++ b/pkg/kubelet/certificate/bootstrap/bootstrap.go
@@ -56,13 +56,13 @@ const tmpPrivateKeyFile = "kubelet-client.key.tmp"
 // kubeconfigPath on disk is populated based on bootstrapPath but pointing to the location of the client cert
 // in certDir. This preserves the historical behavior of bootstrapping where on subsequent restarts the
 // most recent client cert is used to request new client certs instead of the initial token.
-func LoadClientConfig(kubeconfigPath, bootstrapPath, certDir string) (certConfig, userConfig *restclient.Config, err error) {
+func LoadClientConfig(logger klog.Logger, kubeconfigPath, bootstrapPath, certDir string) (certConfig, userConfig *restclient.Config, err error) {
 	if len(bootstrapPath) == 0 {
 		clientConfig, err := loadRESTClientConfig(kubeconfigPath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("unable to load kubeconfig: %v", err)
 		}
-		klog.V(2).InfoS("No bootstrapping requested, will use kubeconfig")
+		logger.V(2).Info("No bootstrapping requested, will use kubeconfig")
 		return clientConfig, restclient.CopyConfig(clientConfig), nil
 	}
 
@@ -82,7 +82,7 @@ func LoadClientConfig(kubeconfigPath, bootstrapPath, certDir string) (certConfig
 		if err != nil {
 			return nil, nil, fmt.Errorf("unable to load kubeconfig: %v", err)
 		}
-		klog.V(2).InfoS("Current kubeconfig file contents are still valid, no bootstrap necessary")
+		logger.V(2).Info("Current kubeconfig file contents are still valid, no bootstrap necessary")
 		return clientConfig, restclient.CopyConfig(clientConfig), nil
 	}
 
@@ -98,7 +98,7 @@ func LoadClientConfig(kubeconfigPath, bootstrapPath, certDir string) (certConfig
 	if err := writeKubeconfigFromBootstrapping(clientConfig, kubeconfigPath, pemPath); err != nil {
 		return nil, nil, err
 	}
-	klog.V(2).InfoS("Use the bootstrap credentials to request a cert, and set kubeconfig to point to the certificate dir")
+	logger.V(2).Info("Use the bootstrap credentials to request a cert, and set kubeconfig to point to the certificate dir")
 	return bootstrapClientConfig, clientConfig, nil
 }
 
@@ -107,17 +107,18 @@ func LoadClientConfig(kubeconfigPath, bootstrapPath, certDir string) (certConfig
 // On success, a kubeconfig file referencing the generated key and obtained certificate is written to kubeconfigPath.
 // The certificate and key file are stored in certDir.
 func LoadClientCert(ctx context.Context, kubeconfigPath, bootstrapPath, certDir string, nodeName types.NodeName) error {
+	logger := klog.FromContext(ctx)
 	// Short-circuit if the kubeconfig file exists and is valid.
 	ok, err := isClientConfigStillValid(kubeconfigPath)
 	if err != nil {
 		return err
 	}
 	if ok {
-		klog.V(2).InfoS("Kubeconfig exists and is valid, skipping bootstrap", "path", kubeconfigPath)
+		logger.V(2).Info("Kubeconfig exists and is valid, skipping bootstrap", "path", kubeconfigPath)
 		return nil
 	}
 
-	klog.V(2).InfoS("Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file")
+	logger.V(2).Info("Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file")
 
 	bootstrapClientConfig, err := loadRESTClientConfig(bootstrapPath)
 	if err != nil {
@@ -148,7 +149,7 @@ func LoadClientCert(ctx context.Context, kubeconfigPath, bootstrapPath, certDir
 	// managed by the store.
 	privKeyPath := filepath.Join(certDir, tmpPrivateKeyFile)
 	if !verifyKeyData(keyData) {
-		klog.V(2).InfoS("No valid private key and/or certificate found, reusing existing private key or creating a new one")
+		logger.V(2).Info("No valid private key and/or certificate found, reusing existing private key or creating a new one")
 		// Note: always call LoadOrGenerateKeyFile so that private key is
 		// reused on next startup if CSR request fails.
 		keyData, _, err = keyutil.LoadOrGenerateKeyFile(privKeyPath)
@@ -158,7 +159,7 @@ func LoadClientCert(ctx context.Context, kubeconfigPath, bootstrapPath, certDir
 	}
 
 	if err := waitForServer(ctx, *bootstrapClientConfig, 1*time.Minute); err != nil {
-		klog.InfoS("Error waiting for apiserver to come up", "err", err)
+		logger.Info("Error waiting for apiserver to come up", "err", err)
 	}
 
 	certData, err := requestNodeCertificate(ctx, bootstrapClient, keyData, nodeName)
@@ -169,7 +170,7 @@ func LoadClientCert(ctx context.Context, kubeconfigPath, bootstrapPath, certDir
 		return err
 	}
 	if err := os.Remove(privKeyPath); err != nil && !os.IsNotExist(err) {
-		klog.V(2).InfoS("Failed cleaning up private key file", "path", privKeyPath, "err", err)
+		logger.V(2).Info("Failed cleaning up private key file", "path", privKeyPath, "err", err)
 	}
 
 	return writeKubeconfigFromBootstrapping(bootstrapClientConfig, kubeconfigPath, store.CurrentPath())
@@ -293,7 +294,7 @@ func waitForServer(ctx context.Context, cfg restclient.Config, deadline time.Dur
 	var connected bool
 	wait.JitterUntil(func() {
 		if _, err := cli.Get().AbsPath("/healthz").Do(ctx).Raw(); err != nil {
-			klog.InfoS("Failed to connect to apiserver", "err", err)
+			klog.FromContext(ctx).Info("Failed to connect to apiserver", "err", err)
 			return
 		}
 		cancel()
@@ -355,7 +356,7 @@ func requestNodeCertificate(ctx context.Context, client clientset.Interface, pri
 	ctx, cancel := context.WithTimeout(ctx, 3600*time.Second)
 	defer cancel()
 
-	klog.V(2).InfoS("Waiting for client certificate to be issued")
+	klog.FromContext(ctx).V(2).Info("Waiting for client certificate to be issued")
 	return csr.WaitForCertificate(ctx, client, reqName, reqUID)
 }
 
diff --git a/pkg/kubelet/certificate/bootstrap/bootstrap_test.go b/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
index b393070dcfe0a..9c3ea4d06e9b6 100644
--- a/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
+++ b/pkg/kubelet/certificate/bootstrap/bootstrap_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package bootstrap
 
 import (
-	"context"
 	"fmt"
 	"io"
 	"os"
@@ -26,6 +25,7 @@ import (
 	"testing"
 
 	utiltesting "k8s.io/client-go/util/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
 
 	"github.com/google/go-cmp/cmp"
 	certificatesv1 "k8s.io/api/certificates/v1"
@@ -273,9 +273,10 @@ users:
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			certConfig, clientConfig, err := LoadClientConfig(test.kubeconfigPath, test.bootstrapPath, test.certDir)
+			certConfig, clientConfig, err := LoadClientConfig(logger, test.kubeconfigPath, test.bootstrapPath, test.certDir)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -348,7 +349,8 @@ users:
 }
 
 func TestRequestNodeCertificateNoKeyData(t *testing.T) {
-	certData, err := requestNodeCertificate(context.TODO(), newClientset(fakeClient{}), []byte{}, "fake-node-name")
+	tCtx := ktesting.Init(t)
+	certData, err := requestNodeCertificate(tCtx, newClientset(fakeClient{}), []byte{}, "fake-node-name")
 	if err == nil {
 		t.Errorf("Got no error, wanted error an error because there was an empty private key passed in.")
 	}
@@ -358,6 +360,7 @@ func TestRequestNodeCertificateNoKeyData(t *testing.T) {
 }
 
 func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	client := newClientset(fakeClient{
 		failureType: createError,
 	})
@@ -366,7 +369,7 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
 		t.Fatalf("Unable to generate a new private key: %v", err)
 	}
 
-	certData, err := requestNodeCertificate(context.TODO(), client, privateKeyData, "fake-node-name")
+	certData, err := requestNodeCertificate(tCtx, client, privateKeyData, "fake-node-name")
 	if err == nil {
 		t.Errorf("Got no error, wanted error an error because client.Create failed.")
 	}
@@ -376,12 +379,13 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
 }
 
 func TestRequestNodeCertificate(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	privateKeyData, err := keyutil.MakeEllipticPrivateKeyPEM()
 	if err != nil {
 		t.Fatalf("Unable to generate a new private key: %v", err)
 	}
 
-	certData, err := requestNodeCertificate(context.TODO(), newClientset(fakeClient{}), privateKeyData, "fake-node-name")
+	certData, err := requestNodeCertificate(tCtx, newClientset(fakeClient{}), privateKeyData, "fake-node-name")
 	if err != nil {
 		t.Errorf("Got %v, wanted no error.", err)
 	}
diff --git a/pkg/kubelet/certificate/kubelet.go b/pkg/kubelet/certificate/kubelet.go
index a2d7a03c83218..988de7cb64dd2 100644
--- a/pkg/kubelet/certificate/kubelet.go
+++ b/pkg/kubelet/certificate/kubelet.go
@@ -282,14 +282,17 @@ type kubeletServerCertificateDynamicFileManager struct {
 
 // Enqueue implements the functions to be notified when the serving cert content changes.
 func (m *kubeletServerCertificateDynamicFileManager) Enqueue() {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	certContent, keyContent := m.dynamicCertificateContent.CurrentCertKeyContent()
 	cert, err := tls.X509KeyPair(certContent, keyContent)
 	if err != nil {
-		klog.ErrorS(err, "invalid certificate and key pair from file", "certFile", m.certFile, "keyFile", m.keyFile)
+		logger.Error(err, "invalid certificate and key pair from file", "certFile", m.certFile, "keyFile", m.keyFile)
 		return
 	}
 	m.currentTLSCertificate.Store(&cert)
-	klog.V(4).InfoS("loaded certificate and key pair in kubelet server certificate manager", "certFile", m.certFile, "keyFile", m.keyFile)
+	logger.V(4).Info("loaded certificate and key pair in kubelet server certificate manager", "certFile", m.certFile, "keyFile", m.keyFile)
 }
 
 // Current returns the last valid certificate key pair loaded from files.
@@ -300,7 +303,9 @@ func (m *kubeletServerCertificateDynamicFileManager) Current() *tls.Certificate
 // Start starts watching the certificate and key files
 func (m *kubeletServerCertificateDynamicFileManager) Start() {
 	var ctx context.Context
-	ctx, m.cancelFn = context.WithCancel(context.Background())
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// This should be replaced with an appropriate context when refactoring this function to accept a context parameter.
+	ctx, m.cancelFn = context.WithCancel(context.TODO())
 	go m.dynamicCertificateContent.Run(ctx, 1)
 }
 
diff --git a/pkg/kubelet/certificate/transport.go b/pkg/kubelet/certificate/transport.go
index 7591a4884f0a6..31b19dcd38700 100644
--- a/pkg/kubelet/certificate/transport.go
+++ b/pkg/kubelet/certificate/transport.go
@@ -55,13 +55,13 @@ import (
 //
 // stopCh should be used to indicate when the transport is unused and doesn't need
 // to continue checking the manager.
-func UpdateTransport(stopCh <-chan struct{}, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration) (func(), error) {
-	return updateTransport(stopCh, 10*time.Second, clientConfig, clientCertificateManager, exitAfter)
+func UpdateTransport(logger klog.Logger, stopCh <-chan struct{}, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration) (func(), error) {
+	return updateTransport(logger, stopCh, 10*time.Second, clientConfig, clientCertificateManager, exitAfter)
 }
 
 // updateTransport is an internal method that exposes how often this method checks that the
 // client cert has changed.
-func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration) (func(), error) {
+func updateTransport(logger klog.Logger, stopCh <-chan struct{}, period time.Duration, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration) (func(), error) {
 	if clientConfig.Transport != nil || clientConfig.Dial != nil {
 		return nil, fmt.Errorf("there is already a transport or dialer configured")
 	}
@@ -69,7 +69,7 @@ func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig
 	d := connrotation.NewDialer((&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext)
 
 	if clientCertificateManager != nil {
-		if err := addCertRotation(stopCh, period, clientConfig, clientCertificateManager, exitAfter, d); err != nil {
+		if err := addCertRotation(logger, stopCh, period, clientConfig, clientCertificateManager, exitAfter, d); err != nil {
 			return nil, err
 		}
 	} else {
@@ -79,7 +79,7 @@ func updateTransport(stopCh <-chan struct{}, period time.Duration, clientConfig
 	return d.CloseAll, nil
 }
 
-func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration, d *connrotation.Dialer) error {
+func addCertRotation(logger klog.Logger, stopCh <-chan struct{}, period time.Duration, clientConfig *restclient.Config, clientCertificateManager certificate.Manager, exitAfter time.Duration, d *connrotation.Dialer) error {
 	tlsConfig, err := restclient.TLSConfigFor(clientConfig)
 	if err != nil {
 		return fmt.Errorf("unable to configure TLS for the rest client: %v", err)
@@ -117,20 +117,20 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 				// the certificate has been deleted from disk or is otherwise corrupt
 				if now.After(lastCertAvailable.Add(exitAfter)) {
 					if clientCertificateManager.ServerHealthy() {
-						klog.ErrorS(nil, "No valid client certificate is found and the server is responsive, exiting.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter)
+						logger.Error(nil, "No valid client certificate is found and the server is responsive, exiting.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter)
 						os.Exit(1)
 					} else {
-						klog.ErrorS(nil, "No valid client certificate is found but the server is not responsive. A restart may be necessary to retrieve new initial credentials.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter)
+						logger.Error(nil, "No valid client certificate is found but the server is not responsive. A restart may be necessary to retrieve new initial credentials.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter)
 					}
 				}
 			} else {
 				// the certificate is expired
 				if now.After(curr.Leaf.NotAfter) {
 					if clientCertificateManager.ServerHealthy() {
-						klog.ErrorS(nil, "The currently active client certificate has expired and the server is responsive, exiting.")
+						logger.Error(nil, "The currently active client certificate has expired and the server is responsive, exiting.")
 						os.Exit(1)
 					} else {
-						klog.ErrorS(nil, "The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.")
+						logger.Error(nil, "The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.")
 					}
 				}
 				lastCertAvailable = now
@@ -144,7 +144,7 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig
 		lastCert = curr
 		hasCert.Store(lastCert != nil)
 
-		klog.InfoS("Certificate rotation detected, shutting down client connections to start using new credentials")
+		logger.Info("Certificate rotation detected, shutting down client connections to start using new credentials")
 		// The cert has been rotated. Close all existing connections to force the client
 		// to reperform its TLS handshake with new cert.
 		//
diff --git a/pkg/kubelet/certificate/transport_test.go b/pkg/kubelet/certificate/transport_test.go
index 92381d47ed904..d5cebaf793f72 100644
--- a/pkg/kubelet/certificate/transport_test.go
+++ b/pkg/kubelet/certificate/transport_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package certificate
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -33,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 	"k8s.io/client-go/rest"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 var (
@@ -146,6 +146,8 @@ func TestRotateShutsDownConnections(t *testing.T) {
 	// This test fails if you comment out the t.closeAllConns() call in
 	// transport.go and don't close connections on a rotate.
 
+	logger, tCtx := ktesting.NewTestContext(t)
+
 	stop := make(chan struct{})
 	defer close(stop)
 
@@ -191,7 +193,7 @@ func TestRotateShutsDownConnections(t *testing.T) {
 	}
 
 	// Check for a new cert every 10 milliseconds
-	if _, err := updateTransport(stop, 10*time.Millisecond, c, m, 0); err != nil {
+	if _, err := updateTransport(logger, stop, 10*time.Millisecond, c, m, 0); err != nil {
 		t.Fatal(err)
 	}
 
@@ -200,7 +202,7 @@ func TestRotateShutsDownConnections(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if err := client.Get().Do(context.TODO()).Error(); err != nil {
+	if err := client.Get().Do(tCtx).Error(); err != nil {
 		t.Fatal(err)
 	}
 	firstCertSerial := lastSerialNumber()
@@ -210,7 +212,7 @@ func TestRotateShutsDownConnections(t *testing.T) {
 	m.setCurrent(client2CertData.certificate)
 
 	err = wait.PollImmediate(time.Millisecond*50, wait.ForeverTestTimeout, func() (done bool, err error) {
-		client.Get().Do(context.TODO())
+		client.Get().Do(tCtx)
 		if firstCertSerial.Cmp(lastSerialNumber()) != 0 {
 			// The certificate changed!
 			return true, nil
diff --git a/pkg/kubelet/cm/.mockery.yaml b/pkg/kubelet/cm/.mockery.yaml
index 3a8ae03084447..3236f7ce93548 100644
--- a/pkg/kubelet/cm/.mockery.yaml
+++ b/pkg/kubelet/cm/.mockery.yaml
@@ -1,11 +1,13 @@
 ---
 dir: testing
-filename: "mock_{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/cm:
     interfaces:
-      ContainerManager:
-      PodContainerManager:
+      ContainerManager: {}
+      PodContainerManager: {}
diff --git a/pkg/kubelet/cm/cgroup_manager_linux.go b/pkg/kubelet/cm/cgroup_manager_linux.go
index 8bec4833aa529..45b63a88d4224 100644
--- a/pkg/kubelet/cm/cgroup_manager_linux.go
+++ b/pkg/kubelet/cm/cgroup_manager_linux.go
@@ -29,7 +29,6 @@ import (
 	"github.com/opencontainers/cgroups/fscommon"
 	libcontainercgroupmanager "github.com/opencontainers/cgroups/manager"
 	cgroupsystemd "github.com/opencontainers/cgroups/systemd"
-	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"k8s.io/klog/v2"
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 
@@ -157,14 +156,14 @@ var _ CgroupManager = &cgroupV1impl{}
 var _ CgroupManager = &cgroupV2impl{}
 
 // NewCgroupManager is a factory method that returns a CgroupManager
-func NewCgroupManager(cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
+func NewCgroupManager(logger klog.Logger, cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
 	if libcontainercgroups.IsCgroup2UnifiedMode() {
-		return NewCgroupV2Manager(cs, cgroupDriver)
+		return NewCgroupV2Manager(logger, cs, cgroupDriver)
 	}
-	return NewCgroupV1Manager(cs, cgroupDriver)
+	return NewCgroupV1Manager(logger, cs, cgroupDriver)
 }
 
-func newCgroupCommon(cs *CgroupSubsystems, cgroupDriver string) cgroupCommon {
+func newCgroupCommon(logger klog.Logger, cs *CgroupSubsystems, cgroupDriver string) cgroupCommon {
 	return cgroupCommon{
 		subsystems: cs,
 		useSystemd: cgroupDriver == "systemd",
@@ -199,12 +198,12 @@ func (m *cgroupCommon) buildCgroupPaths(name CgroupName) map[string]string {
 }
 
 // libctCgroupConfig converts CgroupConfig to libcontainer's Cgroup config.
-func (m *cgroupCommon) libctCgroupConfig(in *CgroupConfig, needResources bool) *libcontainercgroups.Cgroup {
+func (m *cgroupCommon) libctCgroupConfig(logger klog.Logger, in *CgroupConfig, needResources bool) *libcontainercgroups.Cgroup {
 	config := &libcontainercgroups.Cgroup{
 		Systemd: m.useSystemd,
 	}
 	if needResources {
-		config.Resources = m.toResources(in.ResourceParameters)
+		config.Resources = m.toResources(logger, in.ResourceParameters)
 	} else {
 		config.Resources = &libcontainercgroups.Resources{}
 	}
@@ -238,13 +237,14 @@ func (m *cgroupCommon) libctCgroupConfig(in *CgroupConfig, needResources bool) *
 }
 
 // Destroy destroys the specified cgroup
-func (m *cgroupCommon) Destroy(cgroupConfig *CgroupConfig) error {
+func (m *cgroupCommon) Destroy(logger klog.Logger, cgroupConfig *CgroupConfig) error {
+
 	start := time.Now()
 	defer func() {
 		metrics.CgroupManagerDuration.WithLabelValues("destroy").Observe(metrics.SinceInSeconds(start))
 	}()
 
-	libcontainerCgroupConfig := m.libctCgroupConfig(cgroupConfig, false)
+	libcontainerCgroupConfig := m.libctCgroupConfig(logger, cgroupConfig, false)
 	manager, err := libcontainercgroupmanager.New(libcontainerCgroupConfig)
 	if err != nil {
 		return err
@@ -258,13 +258,13 @@ func (m *cgroupCommon) Destroy(cgroupConfig *CgroupConfig) error {
 	return nil
 }
 
-func (m *cgroupCommon) SetCgroupConfig(name CgroupName, resourceConfig *ResourceConfig) error {
+func (m *cgroupCommon) SetCgroupConfig(logger klog.Logger, name CgroupName, resourceConfig *ResourceConfig) error {
 	containerConfig := &CgroupConfig{
 		Name:               name,
 		ResourceParameters: resourceConfig,
 	}
 
-	return m.Update(containerConfig)
+	return m.Update(logger, containerConfig)
 }
 
 // getCPUWeight converts from the range [2, 262144] to [1, 10000]
@@ -283,7 +283,7 @@ var (
 	availableRootControllers     sets.Set[string]
 )
 
-func (m *cgroupCommon) toResources(resourceConfig *ResourceConfig) *libcontainercgroups.Resources {
+func (m *cgroupCommon) toResources(logger klog.Logger, resourceConfig *ResourceConfig) *libcontainercgroups.Resources {
 	resources := &libcontainercgroups.Resources{
 		SkipDevices:     true,
 		SkipFreezeOnSet: true,
@@ -314,7 +314,7 @@ func (m *cgroupCommon) toResources(resourceConfig *ResourceConfig) *libcontainer
 		resources.CpusetCpus = resourceConfig.CPUSet.String()
 	}
 
-	m.maybeSetHugetlb(resourceConfig, resources)
+	m.maybeSetHugetlb(logger, resourceConfig, resources)
 
 	// Ideally unified is used for all the resources when running on cgroup v2.
 	// It doesn't make difference for the memory.max limit, but for e.g. the cpu controller
@@ -328,15 +328,15 @@ func (m *cgroupCommon) toResources(resourceConfig *ResourceConfig) *libcontainer
 	return resources
 }
 
-func (m *cgroupCommon) maybeSetHugetlb(resourceConfig *ResourceConfig, resources *libcontainercgroups.Resources) {
+func (m *cgroupCommon) maybeSetHugetlb(logger klog.Logger, resourceConfig *ResourceConfig, resources *libcontainercgroups.Resources) {
 	// Check if hugetlb is supported.
 	if libcontainercgroups.IsCgroup2UnifiedMode() {
 		if !getSupportedUnifiedControllers().Has("hugetlb") {
-			klog.V(6).InfoS("Optional subsystem not supported: hugetlb")
+			logger.V(6).Info("Optional subsystem not supported: hugetlb")
 			return
 		}
 	} else if _, ok := m.subsystems.MountPoints["hugetlb"]; !ok {
-		klog.V(6).InfoS("Optional subsystem not supported: hugetlb")
+		logger.V(6).Info("Optional subsystem not supported: hugetlb")
 		return
 	}
 
@@ -345,7 +345,7 @@ func (m *cgroupCommon) maybeSetHugetlb(resourceConfig *ResourceConfig, resources
 	for pageSize, limit := range resourceConfig.HugePageLimit {
 		sizeString, err := v1helper.HugePageUnitSizeFromByteSize(pageSize)
 		if err != nil {
-			klog.InfoS("Invalid pageSize", "err", err)
+			logger.Info("Invalid pageSize", "err", err)
 			continue
 		}
 		resources.HugetlbLimit = append(resources.HugetlbLimit, &libcontainercgroups.HugepageLimit{
@@ -367,13 +367,13 @@ func (m *cgroupCommon) maybeSetHugetlb(resourceConfig *ResourceConfig, resources
 }
 
 // Update updates the cgroup with the specified Cgroup Configuration
-func (m *cgroupCommon) Update(cgroupConfig *CgroupConfig) error {
+func (m *cgroupCommon) Update(logger klog.Logger, cgroupConfig *CgroupConfig) error {
 	start := time.Now()
 	defer func() {
 		metrics.CgroupManagerDuration.WithLabelValues("update").Observe(metrics.SinceInSeconds(start))
 	}()
 
-	libcontainerCgroupConfig := m.libctCgroupConfig(cgroupConfig, true)
+	libcontainerCgroupConfig := m.libctCgroupConfig(logger, cgroupConfig, true)
 	manager, err := libcontainercgroupmanager.New(libcontainerCgroupConfig)
 	if err != nil {
 		return fmt.Errorf("failed to create cgroup manager: %v", err)
@@ -382,13 +382,13 @@ func (m *cgroupCommon) Update(cgroupConfig *CgroupConfig) error {
 }
 
 // Create creates the specified cgroup
-func (m *cgroupCommon) Create(cgroupConfig *CgroupConfig) error {
+func (m *cgroupCommon) Create(logger klog.Logger, cgroupConfig *CgroupConfig) error {
 	start := time.Now()
 	defer func() {
 		metrics.CgroupManagerDuration.WithLabelValues("create").Observe(metrics.SinceInSeconds(start))
 	}()
 
-	libcontainerCgroupConfig := m.libctCgroupConfig(cgroupConfig, true)
+	libcontainerCgroupConfig := m.libctCgroupConfig(logger, cgroupConfig, true)
 	manager, err := libcontainercgroupmanager.New(libcontainerCgroupConfig)
 	if err != nil {
 		return err
@@ -408,7 +408,7 @@ func (m *cgroupCommon) Create(cgroupConfig *CgroupConfig) error {
 		if err := os.MkdirAll(path, 0o755); err != nil {
 			return fmt.Errorf("failed to create cpuset for newly created cgroup: %w", err)
 		}
-		if err := cgroups.WriteFile(path, "cpuset.sched_load_balance", "0"); err != nil {
+		if err := libcontainercgroups.WriteFile(path, "cpuset.sched_load_balance", "0"); err != nil {
 			return err
 		}
 	}
@@ -432,7 +432,7 @@ func (m *cgroupCommon) Create(cgroupConfig *CgroupConfig) error {
 }
 
 // Scans through all subsystems to find pids associated with specified cgroup.
-func (m *cgroupCommon) Pids(name CgroupName) []int {
+func (m *cgroupCommon) Pids(logger klog.Logger, name CgroupName) []int {
 	// we need the driver specific name
 	cgroupFsName := m.Name(name)
 
@@ -457,7 +457,7 @@ func (m *cgroupCommon) Pids(name CgroupName) []int {
 		// WalkFunc which is called for each file and directory in the pod cgroup dir
 		visitor := func(path string, info os.FileInfo, err error) error {
 			if err != nil {
-				klog.V(4).InfoS("Cgroup manager encountered error scanning cgroup path", "path", path, "err", err)
+				logger.V(4).Info("Cgroup manager encountered error scanning cgroup path", "path", path, "err", err)
 				return filepath.SkipDir
 			}
 			if !info.IsDir() {
@@ -465,7 +465,7 @@ func (m *cgroupCommon) Pids(name CgroupName) []int {
 			}
 			pids, err = getCgroupProcs(path)
 			if err != nil {
-				klog.V(4).InfoS("Cgroup manager encountered error getting procs for cgroup path", "path", path, "err", err)
+				logger.V(4).Info("Cgroup manager encountered error getting procs for cgroup path", "path", path, "err", err)
 				return filepath.SkipDir
 			}
 			pidsToKill.Insert(pids...)
@@ -475,14 +475,14 @@ func (m *cgroupCommon) Pids(name CgroupName) []int {
 		// container cgroups haven't been GCed yet. Get attached processes to
 		// all such unwanted containers under the pod cgroup
 		if err = filepath.Walk(dir, visitor); err != nil {
-			klog.V(4).InfoS("Cgroup manager encountered error scanning pids for directory", "path", dir, "err", err)
+			logger.V(4).Info("Cgroup manager encountered error scanning pids for directory", "path", dir, "err", err)
 		}
 	}
 	return sets.List(pidsToKill)
 }
 
 // ReduceCPULimits reduces the cgroup's cpu shares to the lowest possible value
-func (m *cgroupCommon) ReduceCPULimits(cgroupName CgroupName) error {
+func (m *cgroupCommon) ReduceCPULimits(logger klog.Logger, cgroupName CgroupName) error {
 	// Set lowest possible CpuShares value for the cgroup
 	minimumCPUShares := uint64(MinShares)
 	resources := &ResourceConfig{
@@ -492,7 +492,7 @@ func (m *cgroupCommon) ReduceCPULimits(cgroupName CgroupName) error {
 		Name:               cgroupName,
 		ResourceParameters: resources,
 	}
-	return m.Update(containerConfig)
+	return m.Update(logger, containerConfig)
 }
 
 func readCgroupMemoryConfig(cgroupPath string, memLimitFile string) (*ResourceConfig, error) {
diff --git a/pkg/kubelet/cm/cgroup_manager_linux_test.go b/pkg/kubelet/cm/cgroup_manager_linux_test.go
index 2974b5bc51f58..2388d4da20c09 100644
--- a/pkg/kubelet/cm/cgroup_manager_linux_test.go
+++ b/pkg/kubelet/cm/cgroup_manager_linux_test.go
@@ -170,49 +170,6 @@ func TestParseSystemdToCgroupName(t *testing.T) {
 	}
 }
 
-func TestCpuSharesToCPUWeight(t *testing.T) {
-	testCases := []struct {
-		cpuShares         uint64
-		expectedCpuWeight uint64
-	}{
-		{
-			cpuShares:         2,
-			expectedCpuWeight: 1,
-		},
-		{
-			cpuShares:         3,
-			expectedCpuWeight: 1,
-		},
-		{
-			cpuShares:         4,
-			expectedCpuWeight: 1,
-		},
-		{
-			cpuShares:         28,
-			expectedCpuWeight: 1,
-		},
-		{
-			cpuShares:         29,
-			expectedCpuWeight: 2,
-		},
-		{
-			cpuShares:         245,
-			expectedCpuWeight: 10,
-		},
-		{
-			cpuShares:         262144,
-			expectedCpuWeight: 10000,
-		},
-	}
-
-	for _, testCase := range testCases {
-		if actual := cpuSharesToCPUWeight(testCase.cpuShares); actual != testCase.expectedCpuWeight {
-			t.Errorf("cpuShares: %v, expectedCpuWeight: %v, actualCpuWeight: %v",
-				testCase.cpuShares, testCase.expectedCpuWeight, actual)
-		}
-	}
-}
-
 func TestCpuWeightToCPUShares(t *testing.T) {
 	testCases := []struct {
 		cpuWeight         uint64
diff --git a/pkg/kubelet/cm/cgroup_manager_unsupported.go b/pkg/kubelet/cm/cgroup_manager_unsupported.go
index 986054121b450..5088e7b132e80 100644
--- a/pkg/kubelet/cm/cgroup_manager_unsupported.go
+++ b/pkg/kubelet/cm/cgroup_manager_unsupported.go
@@ -23,6 +23,7 @@ import (
 	"errors"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
 )
 
 type unsupportedCgroupManager struct{}
@@ -57,15 +58,15 @@ func (m *unsupportedCgroupManager) Exists(_ CgroupName) bool {
 	return false
 }
 
-func (m *unsupportedCgroupManager) Destroy(_ *CgroupConfig) error {
+func (m *unsupportedCgroupManager) Destroy(_ klog.Logger, _ *CgroupConfig) error {
 	return nil
 }
 
-func (m *unsupportedCgroupManager) Update(_ *CgroupConfig) error {
+func (m *unsupportedCgroupManager) Update(_ klog.Logger, _ *CgroupConfig) error {
 	return nil
 }
 
-func (m *unsupportedCgroupManager) Create(_ *CgroupConfig) error {
+func (m *unsupportedCgroupManager) Create(_ klog.Logger, _ *CgroupConfig) error {
 	return errNotSupported
 }
 
@@ -73,7 +74,7 @@ func (m *unsupportedCgroupManager) MemoryUsage(_ CgroupName) (int64, error) {
 	return -1, errNotSupported
 }
 
-func (m *unsupportedCgroupManager) Pids(_ CgroupName) []int {
+func (m *unsupportedCgroupManager) Pids(_ klog.Logger, _ CgroupName) []int {
 	return nil
 }
 
@@ -81,7 +82,7 @@ func (m *unsupportedCgroupManager) CgroupName(name string) CgroupName {
 	return CgroupName([]string{})
 }
 
-func (m *unsupportedCgroupManager) ReduceCPULimits(cgroupName CgroupName) error {
+func (m *unsupportedCgroupManager) ReduceCPULimits(_ klog.Logger, cgroupName CgroupName) error {
 	return nil
 }
 
@@ -89,7 +90,7 @@ func (m *unsupportedCgroupManager) GetCgroupConfig(name CgroupName, resource v1.
 	return nil, errNotSupported
 }
 
-func (m *unsupportedCgroupManager) SetCgroupConfig(name CgroupName, resourceConfig *ResourceConfig) error {
+func (m *unsupportedCgroupManager) SetCgroupConfig(logger klog.Logger, name CgroupName, resourceConfig *ResourceConfig) error {
 	return errNotSupported
 }
 
diff --git a/pkg/kubelet/cm/cgroup_v1_manager_linux.go b/pkg/kubelet/cm/cgroup_v1_manager_linux.go
index 837013fa2d5f5..65d757779052c 100644
--- a/pkg/kubelet/cm/cgroup_v1_manager_linux.go
+++ b/pkg/kubelet/cm/cgroup_v1_manager_linux.go
@@ -26,6 +26,7 @@ import (
 	"github.com/opencontainers/cgroups/fscommon"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
 )
 
 const cgroupv1MemLimitFile string = "memory.limit_in_bytes"
@@ -39,9 +40,9 @@ type cgroupV1impl struct {
 	cgroupCommon
 }
 
-func NewCgroupV1Manager(cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
+func NewCgroupV1Manager(logger klog.Logger, cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
 	return &cgroupV1impl{
-		cgroupCommon: newCgroupCommon(cs, cgroupDriver),
+		cgroupCommon: newCgroupCommon(logger, cs, cgroupDriver),
 	}
 }
 
diff --git a/pkg/kubelet/cm/cgroup_v2_manager_linux.go b/pkg/kubelet/cm/cgroup_v2_manager_linux.go
index 97ada0183358f..c8299ba26d8ae 100644
--- a/pkg/kubelet/cm/cgroup_v2_manager_linux.go
+++ b/pkg/kubelet/cm/cgroup_v2_manager_linux.go
@@ -27,6 +27,7 @@ import (
 	"github.com/opencontainers/cgroups/fscommon"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
 	cmutil "k8s.io/kubernetes/pkg/kubelet/cm/util"
 )
 
@@ -45,9 +46,9 @@ type cgroupV2impl struct {
 	cgroupCommon
 }
 
-func NewCgroupV2Manager(cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
+func NewCgroupV2Manager(logger klog.Logger, cs *CgroupSubsystems, cgroupDriver string) CgroupManager {
 	return &cgroupV2impl{
-		cgroupCommon: newCgroupCommon(cs, cgroupDriver),
+		cgroupCommon: newCgroupCommon(logger, cs, cgroupDriver),
 	}
 }
 
@@ -168,12 +169,6 @@ func (c *cgroupV2impl) buildCgroupUnifiedPath(name CgroupName) string {
 	return path.Join(cmutil.CgroupRoot, cgroupFsAdaptedName)
 }
 
-// Convert cgroup v1 cpu.shares value to cgroup v2 cpu.weight
-// https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2254-cgroup-v2#phase-1-convert-from-cgroups-v1-settings-to-v2
-func cpuSharesToCPUWeight(cpuShares uint64) uint64 {
-	return uint64((((cpuShares - 2) * 9999) / 262142) + 1)
-}
-
 // Convert cgroup v2 cpu.weight value to cgroup v1 cpu.shares
 // https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2254-cgroup-v2#phase-1-convert-from-cgroups-v1-settings-to-v2
 func cpuWeightToCPUShares(cpuWeight uint64) uint64 {
diff --git a/pkg/kubelet/cm/container_manager.go b/pkg/kubelet/cm/container_manager.go
index 0f4a20807531b..b1719fe85a608 100644
--- a/pkg/kubelet/cm/container_manager.go
+++ b/pkg/kubelet/cm/container_manager.go
@@ -49,7 +49,7 @@ import (
 
 const (
 	// Warning message for the users still using cgroup v1
-	CgroupV1MaintenanceModeWarning = "cgroup v1 support is in maintenance mode, please migrate to cgroup v2"
+	CgroupV1DeprecatedWarning = "cgroup v1 detected. cgroup v1 support is deprecated and will be removed in a future release. Please migrate to cgroup v2. More information at https://git.k8s.io/enhancements/keps/sig-node/5573-remove-cgroup-v1"
 
 	// Warning message for the users using cgroup v2 on kernel doesn't support root `cpu.stat`.
 	// `cpu.stat` was added to root cgroup in kernel 5.8.
@@ -102,7 +102,7 @@ type ContainerManager interface {
 
 	// UpdateQOSCgroups performs housekeeping updates to ensure that the top
 	// level QoS containers have their desired state in a thread-safe way
-	UpdateQOSCgroups() error
+	UpdateQOSCgroups(logger klog.Logger) error
 
 	// GetResources returns RunContainerOptions with devices, mounts, and env fields populated for
 	// extended resources required by container.
diff --git a/pkg/kubelet/cm/container_manager_linux.go b/pkg/kubelet/cm/container_manager_linux.go
index 502ac34aad164..0b19cd7a7df99 100644
--- a/pkg/kubelet/cm/container_manager_linux.go
+++ b/pkg/kubelet/cm/container_manager_linux.go
@@ -205,7 +205,9 @@ func validateSystemRequirements(mountUtil mount.Interface) (features, error) {
 // TODO(vmarmol): Add limits to the system containers.
 // Takes the absolute name of the specified containers.
 // Empty container name disables use of the specified container.
-func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.Interface, nodeConfig NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
+func NewContainerManager(ctx context.Context, mountUtil mount.Interface, cadvisorInterface cadvisor.Interface, nodeConfig NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
+	logger := klog.FromContext(ctx)
+
 	subsystems, err := GetCgroupSubsystems()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get mounted cgroup subsystems: %v", err)
@@ -251,7 +253,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 
 	// Turn CgroupRoot from a string (in cgroupfs path format) to internal CgroupName
 	cgroupRoot := ParseCgroupfsToCgroupName(nodeConfig.CgroupRoot)
-	cgroupManager := NewCgroupManager(subsystems, nodeConfig.CgroupDriver)
+	cgroupManager := NewCgroupManager(logger, subsystems, nodeConfig.CgroupDriver)
 	nodeConfig.CgroupVersion = cgroupManager.Version()
 	if nodeConfig.CPUManagerPolicy == string(cpumanager.PolicyStatic) {
 		cgroupManager.SetCPULoadBalanceDisable()
@@ -270,12 +272,12 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		if err := cgroupManager.Validate(cgroupRoot); err != nil {
 			return nil, fmt.Errorf("invalid configuration: %w", err)
 		}
-		klog.InfoS("Container manager verified user specified cgroup-root exists", "cgroupRoot", cgroupRoot)
+		logger.Info("Container manager verified user specified cgroup-root exists", "cgroupRoot", cgroupRoot)
 		// Include the top level cgroup for enforcing node allocatable into cgroup-root.
 		// This way, all sub modules can avoid having to understand the concept of node allocatable.
 		cgroupRoot = NewCgroupName(cgroupRoot, defaultNodeAllocatableCgroupName)
 	}
-	klog.InfoS("Creating Container Manager object based on Node Config", "nodeConfig", nodeConfig)
+	logger.Info("Creating Container Manager object based on Node Config", "nodeConfig", nodeConfig)
 
 	qosContainerManager, err := NewQOSContainerManager(subsystems, cgroupRoot, nodeConfig, cgroupManager)
 	if err != nil {
@@ -306,17 +308,17 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		return nil, err
 	}
 
-	klog.InfoS("Creating device plugin manager")
+	logger.Info("Creating device plugin manager")
 	cm.deviceManager, err = devicemanager.NewManagerImpl(machineInfo.Topology, cm.topologyManager)
 	if err != nil {
 		return nil, err
 	}
-	cm.topologyManager.AddHintProvider(cm.deviceManager)
+	cm.topologyManager.AddHintProvider(logger, cm.deviceManager)
 
 	// Initialize DRA manager
 	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.DynamicResourceAllocation) {
-		klog.InfoS("Creating Dynamic Resource Allocation (DRA) manager")
-		cm.draManager, err = dra.NewManager(klog.TODO(), kubeClient, nodeConfig.KubeletRootDir)
+		logger.Info("Creating Dynamic Resource Allocation (DRA) manager")
+		cm.draManager, err = dra.NewManager(logger, kubeClient, nodeConfig.KubeletRootDir)
 		if err != nil {
 			return nil, err
 		}
@@ -326,6 +328,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 
 	// Initialize CPU manager
 	cm.cpuManager, err = cpumanager.NewManager(
+		logger,
 		nodeConfig.CPUManagerPolicy,
 		nodeConfig.CPUManagerPolicyOptions,
 		nodeConfig.CPUManagerReconcilePeriod,
@@ -336,13 +339,13 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		cm.topologyManager,
 	)
 	if err != nil {
-		klog.ErrorS(err, "Failed to initialize cpu manager")
+		logger.Error(err, "Failed to initialize cpu manager")
 		return nil, err
 	}
-	cm.topologyManager.AddHintProvider(cm.cpuManager)
+	cm.topologyManager.AddHintProvider(logger, cm.cpuManager)
 
 	cm.memoryManager, err = memorymanager.NewManager(
-		context.TODO(),
+		logger,
 		nodeConfig.MemoryManagerPolicy,
 		machineInfo,
 		cm.GetNodeAllocatableReservation(),
@@ -351,10 +354,10 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		cm.topologyManager,
 	)
 	if err != nil {
-		klog.ErrorS(err, "Failed to initialize memory manager")
+		logger.Error(err, "Failed to initialize memory manager")
 		return nil, err
 	}
-	cm.topologyManager.AddHintProvider(cm.memoryManager)
+	cm.topologyManager.AddHintProvider(logger, cm.memoryManager)
 
 	// Create a single channel for all resource updates. This channel is consumed
 	// by the Kubelet's main sync loop.
@@ -378,7 +381,7 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		go func(name string, c <-chan resourceupdates.Update) {
 			defer wg.Done()
 			for v := range c {
-				klog.V(4).InfoS("Container Manager: forwarding resource update", "source", name, "pods", v.PodUIDs)
+				logger.V(4).Info("Container Manager: forwarding resource update", "source", name, "pods", v.PodUIDs)
 				cm.resourceUpdates <- v
 			}
 		}(name, ch)
@@ -496,7 +499,9 @@ func setupKernelTunables(option KernelTunableBehavior) error {
 	return utilerrors.NewAggregate(errList)
 }
 
-func (cm *containerManagerImpl) setupNode(activePods ActivePodsFunc) error {
+func (cm *containerManagerImpl) setupNode(ctx context.Context, activePods ActivePodsFunc) error {
+	logger := klog.FromContext(ctx)
+
 	f, err := validateSystemRequirements(cm.mountUtil)
 	if err != nil {
 		return err
@@ -514,17 +519,17 @@ func (cm *containerManagerImpl) setupNode(activePods ActivePodsFunc) error {
 
 	// Setup top level qos containers only if CgroupsPerQOS flag is specified as true
 	if cm.NodeConfig.CgroupsPerQOS {
-		if err := cm.createNodeAllocatableCgroups(); err != nil {
+		if err := cm.createNodeAllocatableCgroups(logger); err != nil {
 			return err
 		}
-		err = cm.qosContainerManager.Start(cm.GetNodeAllocatableAbsolute, activePods)
+		err = cm.qosContainerManager.Start(ctx, cm.GetNodeAllocatableAbsolute, activePods)
 		if err != nil {
 			return fmt.Errorf("failed to initialize top level QOS containers: %v", err)
 		}
 	}
 
 	// Enforce Node Allocatable (if required)
-	if err := cm.enforceNodeAllocatableCgroups(); err != nil {
+	if err := cm.enforceNodeAllocatableCgroups(logger); err != nil {
 		return err
 	}
 
@@ -551,18 +556,18 @@ func (cm *containerManagerImpl) setupNode(activePods ActivePodsFunc) error {
 		}
 
 		cont.ensureStateFunc = func(_ cgroups.Manager) error {
-			return ensureProcessInContainerWithOOMScore(os.Getpid(), int(cm.KubeletOOMScoreAdj), cont.manager)
+			return ensureProcessInContainerWithOOMScore(logger, os.Getpid(), int(cm.KubeletOOMScoreAdj), cont.manager)
 		}
 		systemContainers = append(systemContainers, cont)
 	} else {
 		cm.periodicTasks = append(cm.periodicTasks, func() {
-			if err := ensureProcessInContainerWithOOMScore(os.Getpid(), int(cm.KubeletOOMScoreAdj), nil); err != nil {
-				klog.ErrorS(err, "Failed to ensure process in container with oom score")
+			if err := ensureProcessInContainerWithOOMScore(logger, os.Getpid(), int(cm.KubeletOOMScoreAdj), nil); err != nil {
+				logger.Error(err, "Failed to ensure process in container with oom score")
 				return
 			}
-			cont, err := getContainer(os.Getpid())
+			cont, err := getContainer(logger, os.Getpid())
 			if err != nil {
-				klog.ErrorS(err, "Failed to find cgroups of kubelet")
+				logger.Error(err, "Failed to find cgroups of kubelet")
 				return
 			}
 			cm.Lock()
@@ -595,8 +600,8 @@ func (cm *containerManagerImpl) GetQOSContainersInfo() QOSContainersInfo {
 	return cm.qosContainerManager.GetQOSContainersInfo()
 }
 
-func (cm *containerManagerImpl) UpdateQOSCgroups() error {
-	return cm.qosContainerManager.UpdateCgroups()
+func (cm *containerManagerImpl) UpdateQOSCgroups(logger klog.Logger) error {
+	return cm.qosContainerManager.UpdateCgroups(logger)
 }
 
 func (cm *containerManagerImpl) Status() Status {
@@ -612,6 +617,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	podStatusProvider status.PodStatusProvider,
 	runtimeService internalapi.RuntimeService,
 	localStorageCapacityIsolation bool) error {
+	logger := klog.FromContext(ctx)
 
 	containerMap, containerRunningSet := buildContainerMapAndRunningSetFromRuntime(ctx, runtimeService)
 
@@ -624,7 +630,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	}
 
 	// Initialize CPU manager
-	err := cm.cpuManager.Start(cpumanager.ActivePodsFunc(activePods), sourcesReady, podStatusProvider, runtimeService, containerMap.Clone())
+	err := cm.cpuManager.Start(ctx, cpumanager.ActivePodsFunc(activePods), sourcesReady, podStatusProvider, runtimeService, containerMap.Clone())
 	if err != nil {
 		return fmt.Errorf("start cpu manager error: %w", err)
 	}
@@ -655,7 +661,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	}
 
 	// Setup the node
-	if err := cm.setupNode(activePods); err != nil {
+	if err := cm.setupNode(ctx, activePods); err != nil {
 		return err
 	}
 
@@ -673,7 +679,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 			for _, cont := range cm.systemContainers {
 				if cont.ensureStateFunc != nil {
 					if err := cont.ensureStateFunc(cont.manager); err != nil {
-						klog.InfoS("Failed to ensure state", "containerName", cont.name, "err", err)
+						logger.Info("Failed to ensure state", "containerName", cont.name, "err", err)
 					}
 				}
 			}
@@ -692,7 +698,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	}
 
 	// Starts device manager.
-	if err := cm.deviceManager.Start(devicemanager.ActivePodsFunc(activePods), sourcesReady, containerMap.Clone(), containerRunningSet); err != nil {
+	if err := cm.deviceManager.Start(klog.FromContext(ctx), devicemanager.ActivePodsFunc(activePods), sourcesReady, containerMap.Clone(), containerRunningSet); err != nil {
 		return err
 	}
 
@@ -729,7 +735,7 @@ func (cm *containerManagerImpl) GetResources(ctx context.Context, pod *v1.Pod, c
 	}
 	// Allocate should already be called during predicateAdmitHandler.Admit(),
 	// just try to fetch device runtime information from cached state here
-	devOpts, err := cm.deviceManager.GetDeviceRunContainerOptions(pod, container)
+	devOpts, err := cm.deviceManager.GetDeviceRunContainerOptions(ctx, pod, container)
 	if err != nil {
 		return nil, err
 	} else if devOpts == nil {
@@ -781,19 +787,19 @@ func isProcessRunningInHost(pid int) (bool, error) {
 	return initPidNs == processPidNs, nil
 }
 
-func ensureProcessInContainerWithOOMScore(pid int, oomScoreAdj int, manager cgroups.Manager) error {
+func ensureProcessInContainerWithOOMScore(logger klog.Logger, pid int, oomScoreAdj int, manager cgroups.Manager) error {
 	if runningInHost, err := isProcessRunningInHost(pid); err != nil {
 		// Err on the side of caution. Avoid moving the docker daemon unless we are able to identify its context.
 		return err
 	} else if !runningInHost {
 		// Process is running inside a container. Don't touch that.
-		klog.V(2).InfoS("PID is not running in the host namespace", "pid", pid)
+		logger.V(2).Info("PID is not running in the host namespace", "pid", pid)
 		return nil
 	}
 
 	var errs []error
 	if manager != nil {
-		cont, err := getContainer(pid)
+		cont, err := getContainer(logger, pid)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("failed to find container of PID %d: %v", pid, err))
 		}
@@ -816,9 +822,9 @@ func ensureProcessInContainerWithOOMScore(pid int, oomScoreAdj int, manager cgro
 
 	// Also apply oom-score-adj to processes
 	oomAdjuster := oom.NewOOMAdjuster()
-	klog.V(5).InfoS("Attempting to apply oom_score_adj to process", "oomScoreAdj", oomScoreAdj, "pid", pid)
+	logger.V(5).Info("Attempting to apply oom_score_adj to process", "oomScoreAdj", oomScoreAdj, "pid", pid)
 	if err := oomAdjuster.ApplyOOMScoreAdj(pid, oomScoreAdj); err != nil {
-		klog.V(3).InfoS("Failed to apply oom_score_adj to process", "oomScoreAdj", oomScoreAdj, "pid", pid, "err", err)
+		logger.V(3).Info("Failed to apply oom_score_adj to process", "oomScoreAdj", oomScoreAdj, "pid", pid, "err", err)
 		errs = append(errs, fmt.Errorf("failed to apply oom score %d to PID %d: %v", oomScoreAdj, pid, err))
 	}
 	return utilerrors.NewAggregate(errs)
@@ -827,7 +833,7 @@ func ensureProcessInContainerWithOOMScore(pid int, oomScoreAdj int, manager cgro
 // getContainer returns the cgroup associated with the specified pid.
 // It enforces a unified hierarchy for memory and cpu cgroups.
 // On systemd environments, it uses the name=systemd cgroup for the specified pid.
-func getContainer(pid int) (string, error) {
+func getContainer(logger klog.Logger, pid int) (string, error) {
 	cgs, err := cgroups.ParseCgroupFile(fmt.Sprintf("/proc/%d/cgroup", pid))
 	if err != nil {
 		return "", err
@@ -866,10 +872,10 @@ func getContainer(pid int) (string, error) {
 	// in addition, you would not get memory or cpu accounting for the runtime unless accounting was enabled on its unit (or globally).
 	if systemd, found := cgs["name=systemd"]; found {
 		if systemd != cpu {
-			klog.InfoS("CPUAccounting not enabled for process", "pid", pid)
+			logger.Info("CPUAccounting not enabled for process", "pid", pid)
 		}
 		if systemd != memory {
-			klog.InfoS("MemoryAccounting not enabled for process", "pid", pid)
+			logger.Info("MemoryAccounting not enabled for process", "pid", pid)
 		}
 		return systemd, nil
 	}
@@ -995,7 +1001,7 @@ func (cm *containerManagerImpl) GetMemory(podUID, containerName string) []*podre
 
 	// This is tempporary as part of migration of memory manager to Contextual logging.
 	// Direct context to be passed when container manager is migrated.
-	return containerMemoryFromBlock(cm.memoryManager.GetMemory(context.TODO(), podUID, containerName))
+	return containerMemoryFromBlock(cm.memoryManager.GetMemory(podUID, containerName))
 }
 
 func (cm *containerManagerImpl) GetAllocatableMemory() []*podresourcesapi.ContainerMemory {
@@ -1005,7 +1011,7 @@ func (cm *containerManagerImpl) GetAllocatableMemory() []*podresourcesapi.Contai
 
 	// This is tempporary as part of migration of memory manager to Contextual logging.
 	// Direct context to be passed when container manager is migrated.
-	return containerMemoryFromBlock(cm.memoryManager.GetAllocatableMemory(context.TODO()))
+	return containerMemoryFromBlock(cm.memoryManager.GetAllocatableMemory())
 }
 
 func (cm *containerManagerImpl) GetDynamicResources(pod *v1.Pod, container *v1.Container) []*podresourcesapi.DynamicResource {
@@ -1032,6 +1038,7 @@ func (cm *containerManagerImpl) GetDynamicResources(pod *v1.Pod, container *v1.C
 					DriverName: driverName,
 					PoolName:   device.PoolName,
 					DeviceName: device.DeviceName,
+					ShareId:    (*string)(device.ShareID),
 				}
 				claimResources = append(claimResources, resources)
 			}
diff --git a/pkg/kubelet/cm/container_manager_linux_test.go b/pkg/kubelet/cm/container_manager_linux_test.go
index ddc66d7fbb2cf..7e38e2e476ebe 100644
--- a/pkg/kubelet/cm/container_manager_linux_test.go
+++ b/pkg/kubelet/cm/container_manager_linux_test.go
@@ -33,6 +33,7 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/klog/v2/ktesting"
 	cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
 
 	"k8s.io/mount-utils"
@@ -257,7 +258,7 @@ func TestGetCapacity(t *testing.T) {
 }
 
 func TestNewPodContainerManager(t *testing.T) {
-
+	logger, _ := ktesting.NewTestContext(t)
 	info := QOSContainersInfo{
 		Guaranteed: CgroupName{"guaranteed"},
 		BestEffort: CgroupName{"besteffort"},
@@ -279,7 +280,7 @@ func TestNewPodContainerManager(t *testing.T) {
 			cm: &containerManagerImpl{
 				qosContainerManager: &qosContainerManagerImpl{
 					qosContainersInfo: info,
-					cgroupManager:     NewCgroupManager(&CgroupSubsystems{}, ""),
+					cgroupManager:     NewCgroupManager(logger, &CgroupSubsystems{}, ""),
 				},
 
 				NodeConfig: QosDisabled,
@@ -290,7 +291,7 @@ func TestNewPodContainerManager(t *testing.T) {
 			cm: &containerManagerImpl{
 				qosContainerManager: &qosContainerManagerImpl{
 					qosContainersInfo: info,
-					cgroupManager:     NewCgroupManager(&CgroupSubsystems{}, ""),
+					cgroupManager:     NewCgroupManager(logger, &CgroupSubsystems{}, ""),
 				},
 
 				NodeConfig: QosEnabled,
@@ -301,7 +302,7 @@ func TestNewPodContainerManager(t *testing.T) {
 			cm: &containerManagerImpl{
 				qosContainerManager: &qosContainerManagerImpl{
 					qosContainersInfo: info,
-					cgroupManager:     NewCgroupManager(&CgroupSubsystems{}, "systemd"),
+					cgroupManager:     NewCgroupManager(logger, &CgroupSubsystems{}, "systemd"),
 				},
 
 				NodeConfig: QosEnabled,
@@ -312,7 +313,7 @@ func TestNewPodContainerManager(t *testing.T) {
 			cm: &containerManagerImpl{
 				qosContainerManager: &qosContainerManagerImpl{
 					qosContainersInfo: info,
-					cgroupManager:     NewCgroupManager(&CgroupSubsystems{}, "systemd"),
+					cgroupManager:     NewCgroupManager(logger, &CgroupSubsystems{}, "systemd"),
 				},
 
 				NodeConfig: QosDisabled,
diff --git a/pkg/kubelet/cm/container_manager_stub.go b/pkg/kubelet/cm/container_manager_stub.go
index f17e7e77ff6fc..27252ba29ffbd 100644
--- a/pkg/kubelet/cm/container_manager_stub.go
+++ b/pkg/kubelet/cm/container_manager_stub.go
@@ -44,13 +44,16 @@ type containerManagerStub struct {
 	shouldResetExtendedResourceCapacity bool
 	extendedPluginResources             v1.ResourceList
 	memoryManager                       memorymanager.Manager
+	cpuManager                          cpumanager.Manager
 }
 
 var _ ContainerManager = &containerManagerStub{}
 
 func (cm *containerManagerStub) Start(ctx context.Context, _ *v1.Node, _ ActivePodsFunc, _ GetNodeFunc, _ config.SourcesReady, _ status.PodStatusProvider, _ internalapi.RuntimeService, _ bool) error {
-	klog.V(2).InfoS("Starting stub container manager")
-	cm.memoryManager = memorymanager.NewFakeManager(ctx)
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Starting stub container manager")
+	cm.memoryManager = memorymanager.NewFakeManager(logger)
+	cm.cpuManager = cpumanager.NewFakeManager(logger)
 	return nil
 }
 
@@ -70,7 +73,7 @@ func (cm *containerManagerStub) GetQOSContainersInfo() QOSContainersInfo {
 	return QOSContainersInfo{}
 }
 
-func (cm *containerManagerStub) UpdateQOSCgroups() error {
+func (cm *containerManagerStub) UpdateQOSCgroups(logger klog.Logger) error {
 	return nil
 }
 
@@ -110,7 +113,7 @@ func (m *podContainerManagerStub) GetPodCgroupConfig(_ *v1.Pod, _ v1.ResourceNam
 	return nil, fmt.Errorf("not implemented")
 }
 
-func (m *podContainerManagerStub) SetPodCgroupConfig(pod *v1.Pod, resourceConfig *ResourceConfig) error {
+func (m *podContainerManagerStub) SetPodCgroupConfig(logger klog.Logger, pod *v1.Pod, resourceConfig *ResourceConfig) error {
 	return fmt.Errorf("not implemented")
 }
 
@@ -127,7 +130,7 @@ func (cm *containerManagerStub) UpdatePluginResources(*schedulerframework.NodeIn
 }
 
 func (cm *containerManagerStub) InternalContainerLifecycle() InternalContainerLifecycle {
-	return &internalContainerLifecycleImpl{cpumanager.NewFakeManager(), cm.memoryManager, topologymanager.NewFakeManager()}
+	return &internalContainerLifecycleImpl{cm.cpuManager, cm.memoryManager, topologymanager.NewFakeManager()}
 }
 
 func (cm *containerManagerStub) GetPodCgroupRoot() string {
diff --git a/pkg/kubelet/cm/container_manager_unsupported.go b/pkg/kubelet/cm/container_manager_unsupported.go
index ea30b75d58698..a92f0ce89f0ac 100644
--- a/pkg/kubelet/cm/container_manager_unsupported.go
+++ b/pkg/kubelet/cm/container_manager_unsupported.go
@@ -44,6 +44,6 @@ func (unsupportedContainerManager) Start(_ context.Context, _ *v1.Node, _ Active
 	return fmt.Errorf("Container Manager is unsupported in this build")
 }
 
-func NewContainerManager(_ mount.Interface, _ cadvisor.Interface, _ NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
+func NewContainerManager(_ context.Context, _ mount.Interface, _ cadvisor.Interface, _ NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
 	return &unsupportedContainerManager{}, nil
 }
diff --git a/pkg/kubelet/cm/container_manager_windows.go b/pkg/kubelet/cm/container_manager_windows.go
index 41f977168da26..1f967620cdff8 100644
--- a/pkg/kubelet/cm/container_manager_windows.go
+++ b/pkg/kubelet/cm/container_manager_windows.go
@@ -80,7 +80,8 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	podStatusProvider status.PodStatusProvider,
 	runtimeService internalapi.RuntimeService,
 	localStorageCapacityIsolation bool) error {
-	klog.V(2).InfoS("Starting Windows container manager")
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Starting Windows container manager")
 
 	cm.nodeInfo = node
 
@@ -97,7 +98,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	containerMap, containerRunningSet := buildContainerMapAndRunningSetFromRuntime(ctx, runtimeService)
 
 	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.WindowsCPUAndMemoryAffinity) {
-		err := cm.cpuManager.Start(cpumanager.ActivePodsFunc(activePods), sourcesReady, podStatusProvider, runtimeService, containerMap.Clone())
+		err := cm.cpuManager.Start(ctx, cpumanager.ActivePodsFunc(activePods), sourcesReady, podStatusProvider, runtimeService, containerMap.Clone())
 		if err != nil {
 			return fmt.Errorf("start cpu manager error: %v", err)
 		}
@@ -110,7 +111,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 	}
 
 	// Starts device manager.
-	if err := cm.deviceManager.Start(devicemanager.ActivePodsFunc(activePods), sourcesReady, containerMap.Clone(), containerRunningSet); err != nil {
+	if err := cm.deviceManager.Start(logger, devicemanager.ActivePodsFunc(activePods), sourcesReady, containerMap.Clone(), containerRunningSet); err != nil {
 		return err
 	}
 
@@ -118,7 +119,7 @@ func (cm *containerManagerImpl) Start(ctx context.Context, node *v1.Node,
 }
 
 // NewContainerManager creates windows container manager.
-func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.Interface, nodeConfig NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
+func NewContainerManager(ctx context.Context, mountUtil mount.Interface, cadvisorInterface cadvisor.Interface, nodeConfig NodeConfig, failSwapOn bool, recorder record.EventRecorder, kubeClient clientset.Interface) (ContainerManager, error) {
 	// It is safe to invoke `MachineInfo` on cAdvisor before logically initializing cAdvisor here because
 	// machine info is computed and cached once as part of cAdvisor object creation.
 	// But `RootFsInfo` and `ImagesFsInfo` are not available at this moment so they will be called later during manager starts
@@ -134,23 +135,26 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 		cadvisorInterface: cadvisorInterface,
 	}
 
+	logger := klog.FromContext(ctx)
+
 	cm.topologyManager = topologymanager.NewFakeManager()
-	cm.cpuManager = cpumanager.NewFakeManager()
-	cm.memoryManager = memorymanager.NewFakeManager(context.TODO())
+	cm.cpuManager = cpumanager.NewFakeManager(logger)
+	cm.memoryManager = memorymanager.NewFakeManager(logger)
 
 	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.WindowsCPUAndMemoryAffinity) {
-		klog.InfoS("Creating topology manager")
+		logger.Info("Creating topology manager")
 		cm.topologyManager, err = topologymanager.NewManager(machineInfo.Topology,
 			nodeConfig.TopologyManagerPolicy,
 			nodeConfig.TopologyManagerScope,
 			nodeConfig.TopologyManagerPolicyOptions)
 		if err != nil {
-			klog.ErrorS(err, "Failed to initialize topology manager")
+			logger.Error(err, "Failed to initialize topology manager")
 			return nil, err
 		}
 
-		klog.InfoS("Creating cpu manager")
+		logger.Info("Creating cpu manager")
 		cm.cpuManager, err = cpumanager.NewManager(
+			logger,
 			nodeConfig.CPUManagerPolicy,
 			nodeConfig.CPUManagerPolicyOptions,
 			nodeConfig.CPUManagerReconcilePeriod,
@@ -161,14 +165,14 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 			cm.topologyManager,
 		)
 		if err != nil {
-			klog.ErrorS(err, "Failed to initialize cpu manager")
+			logger.Error(err, "Failed to initialize cpu manager")
 			return nil, err
 		}
-		cm.topologyManager.AddHintProvider(cm.cpuManager)
+		cm.topologyManager.AddHintProvider(logger, cm.cpuManager)
 
-		klog.InfoS("Creating memory manager")
+		logger.Info("Creating memory manager")
 		cm.memoryManager, err = memorymanager.NewManager(
-			context.TODO(),
+			logger,
 			nodeConfig.MemoryManagerPolicy,
 			machineInfo,
 			cm.GetNodeAllocatableReservation(),
@@ -177,18 +181,18 @@ func NewContainerManager(mountUtil mount.Interface, cadvisorInterface cadvisor.I
 			cm.topologyManager,
 		)
 		if err != nil {
-			klog.ErrorS(err, "Failed to initialize memory manager")
+			logger.Error(err, "Failed to initialize memory manager")
 			return nil, err
 		}
-		cm.topologyManager.AddHintProvider(cm.memoryManager)
+		cm.topologyManager.AddHintProvider(logger, cm.memoryManager)
 	}
 
-	klog.InfoS("Creating device plugin manager")
+	logger.Info("Creating device plugin manager")
 	cm.deviceManager, err = devicemanager.NewManagerImpl(nil, cm.topologyManager)
 	if err != nil {
 		return nil, err
 	}
-	cm.topologyManager.AddHintProvider(cm.deviceManager)
+	cm.topologyManager.AddHintProvider(logger, cm.deviceManager)
 
 	return cm, nil
 }
@@ -211,7 +215,7 @@ func (cm *containerManagerImpl) GetQOSContainersInfo() QOSContainersInfo {
 	return QOSContainersInfo{}
 }
 
-func (cm *containerManagerImpl) UpdateQOSCgroups() error {
+func (cm *containerManagerImpl) UpdateQOSCgroups(logger klog.Logger) error {
 	return nil
 }
 
@@ -265,7 +269,7 @@ func (cm *containerManagerImpl) GetResources(ctx context.Context, pod *v1.Pod, c
 	opts := &kubecontainer.RunContainerOptions{}
 	// Allocate should already be called during predicateAdmitHandler.Admit(),
 	// just try to fetch device runtime information from cached state here
-	devOpts, err := cm.deviceManager.GetDeviceRunContainerOptions(pod, container)
+	devOpts, err := cm.deviceManager.GetDeviceRunContainerOptions(ctx, pod, container)
 	if err != nil {
 		return nil, err
 	} else if devOpts == nil {
diff --git a/pkg/kubelet/cm/cpumanager/cpu_assignment.go b/pkg/kubelet/cm/cpumanager/cpu_assignment.go
index 4838056c0de17..bff55a600d7b4 100644
--- a/pkg/kubelet/cm/cpumanager/cpu_assignment.go
+++ b/pkg/kubelet/cm/cpumanager/cpu_assignment.go
@@ -22,7 +22,7 @@ import (
 	"math"
 	"sort"
 
-	"k8s.io/klog/v2"
+	"github.com/go-logr/logr"
 
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/topology"
 	"k8s.io/utils/cpuset"
@@ -257,6 +257,13 @@ const (
 )
 
 type cpuAccumulator struct {
+	// `logger` is the logger instance the cpuAccumulator is going to be use. We store internally
+	// because the expected lifetime of a cpuAccumulator object is fully contained in a
+	// `takeByTopology` call. Hence there's no functional difference between storing it or
+	// getting repeatedly from the calls. Furthermore, this way we can keep the API surface smaller
+	// (less parameters).
+	logger logr.Logger
+
 	// `topo` describes the layout of CPUs (i.e. hyper-threads if hyperthreading is on) between
 	// cores (i.e. physical CPUs if hyper-threading is on), NUMA nodes, and sockets on the K8s
 	// cluster node. `topo` is never mutated, meaning that as the cpuAccumulator claims CPUs topo is
@@ -291,8 +298,9 @@ type cpuAccumulator struct {
 	availableCPUSorter availableCPUSorter
 }
 
-func newCPUAccumulator(topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuSortingStrategy CPUSortingStrategy) *cpuAccumulator {
+func newCPUAccumulator(logger logr.Logger, topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuSortingStrategy CPUSortingStrategy) *cpuAccumulator {
 	acc := &cpuAccumulator{
+		logger:        logger,
 		topo:          topo,
 		details:       topo.CPUDetails.KeepOnly(availableCPUs),
 		numCPUsNeeded: numCPUs,
@@ -528,7 +536,7 @@ func (a *cpuAccumulator) takeFullNUMANodes() {
 		if !a.needsAtLeast(cpusInNUMANode.Size()) {
 			continue
 		}
-		klog.V(4).InfoS("takeFullNUMANodes: claiming NUMA node", "numa", numa)
+		a.logger.V(4).Info("takeFullNUMANodes: claiming NUMA node", "numa", numa)
 		a.take(cpusInNUMANode)
 	}
 }
@@ -539,7 +547,7 @@ func (a *cpuAccumulator) takeFullSockets() {
 		if !a.needsAtLeast(cpusInSocket.Size()) {
 			continue
 		}
-		klog.V(4).InfoS("takeFullSockets: claiming socket", "socket", socket)
+		a.logger.V(4).Info("takeFullSockets: claiming socket", "socket", socket)
 		a.take(cpusInSocket)
 	}
 }
@@ -550,7 +558,7 @@ func (a *cpuAccumulator) takeFullUncore() {
 		if !a.needsAtLeast(cpusInUncore.Size()) {
 			continue
 		}
-		klog.V(4).InfoS("takeFullUncore: claiming uncore", "uncore", uncore)
+		a.logger.V(4).Info("takeFullUncore: claiming uncore", "uncore", uncore)
 		a.take(cpusInUncore)
 	}
 }
@@ -583,7 +591,7 @@ func (a *cpuAccumulator) takePartialUncore(uncoreID int) {
 
 	// claim the cpus if the free cpus within the UncoreCache can satisfy the needed cpus
 	claimed := (a.numCPUsNeeded == freeCPUs.Size())
-	klog.V(4).InfoS("takePartialUncore: trying to claim partial uncore",
+	a.logger.V(4).Info("takePartialUncore: trying to claim partial uncore",
 		"uncore", uncoreID,
 		"claimed", claimed,
 		"needed", a.numCPUsNeeded,
@@ -624,14 +632,14 @@ func (a *cpuAccumulator) takeFullCores() {
 		if !a.needsAtLeast(cpusInCore.Size()) {
 			continue
 		}
-		klog.V(4).InfoS("takeFullCores: claiming core", "core", core)
+		a.logger.V(4).Info("takeFullCores: claiming core", "core", core)
 		a.take(cpusInCore)
 	}
 }
 
 func (a *cpuAccumulator) takeRemainingCPUs() {
 	for _, cpu := range a.availableCPUSorter.sort() {
-		klog.V(4).InfoS("takeRemainingCPUs: claiming CPU", "cpu", cpu)
+		a.logger.V(4).Info("takeRemainingCPUs: claiming CPU", "cpu", cpu)
 		a.take(cpuset.New(cpu))
 		if a.isSatisfied() {
 			return
@@ -765,8 +773,8 @@ func (a *cpuAccumulator) iterateCombinations(n []int, k int, f func([]int) LoopC
 // the least amount of free CPUs to the one with the highest amount of free CPUs (i.e. in ascending
 // order of free CPUs). For any NUMA node, the cores are selected from the ones in the socket with
 // the least amount of free CPUs to the one with the highest amount of free CPUs.
-func takeByTopologyNUMAPacked(topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuSortingStrategy CPUSortingStrategy, preferAlignByUncoreCache bool) (cpuset.CPUSet, error) {
-	acc := newCPUAccumulator(topo, availableCPUs, numCPUs, cpuSortingStrategy)
+func takeByTopologyNUMAPacked(logger logr.Logger, topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuSortingStrategy CPUSortingStrategy, preferAlignByUncoreCache bool) (cpuset.CPUSet, error) {
+	acc := newCPUAccumulator(logger, topo, availableCPUs, numCPUs, cpuSortingStrategy)
 	if acc.isSatisfied() {
 		return acc.result, nil
 	}
@@ -882,18 +890,18 @@ func takeByTopologyNUMAPacked(topo *topology.CPUTopology, availableCPUs cpuset.C
 // of size 'cpuGroupSize' according to the algorithm described above. This is
 // important, for example, to ensure that all CPUs (i.e. all hyperthreads) from
 // a single core are allocated together.
-func takeByTopologyNUMADistributed(topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuGroupSize int, cpuSortingStrategy CPUSortingStrategy) (cpuset.CPUSet, error) {
+func takeByTopologyNUMADistributed(logger logr.Logger, topo *topology.CPUTopology, availableCPUs cpuset.CPUSet, numCPUs int, cpuGroupSize int, cpuSortingStrategy CPUSortingStrategy) (cpuset.CPUSet, error) {
 	// If the number of CPUs requested cannot be handed out in chunks of
 	// 'cpuGroupSize', then we just call out the packing algorithm since we
 	// can't distribute CPUs in this chunk size.
 	// PreferAlignByUncoreCache feature not implemented here yet and set to false.
 	// Support for PreferAlignByUncoreCache to be done at beta release.
 	if (numCPUs % cpuGroupSize) != 0 {
-		return takeByTopologyNUMAPacked(topo, availableCPUs, numCPUs, cpuSortingStrategy, false)
+		return takeByTopologyNUMAPacked(logger, topo, availableCPUs, numCPUs, cpuSortingStrategy, false)
 	}
 
 	// Otherwise build an accumulator to start allocating CPUs from.
-	acc := newCPUAccumulator(topo, availableCPUs, numCPUs, cpuSortingStrategy)
+	acc := newCPUAccumulator(logger, topo, availableCPUs, numCPUs, cpuSortingStrategy)
 	if acc.isSatisfied() {
 		return acc.result, nil
 	}
@@ -1072,7 +1080,7 @@ func takeByTopologyNUMADistributed(topo *topology.CPUTopology, availableCPUs cpu
 		// size 'cpuGroupSize' from 'bestCombo'.
 		distribution := (numCPUs / len(bestCombo) / cpuGroupSize) * cpuGroupSize
 		for _, numa := range bestCombo {
-			cpus, _ := takeByTopologyNUMAPacked(acc.topo, acc.details.CPUsInNUMANodes(numa), distribution, cpuSortingStrategy, false)
+			cpus, _ := takeByTopologyNUMAPacked(logger, acc.topo, acc.details.CPUsInNUMANodes(numa), distribution, cpuSortingStrategy, false)
 			acc.take(cpus)
 		}
 
@@ -1087,7 +1095,7 @@ func takeByTopologyNUMADistributed(topo *topology.CPUTopology, availableCPUs cpu
 				if acc.details.CPUsInNUMANodes(numa).Size() < cpuGroupSize {
 					continue
 				}
-				cpus, _ := takeByTopologyNUMAPacked(acc.topo, acc.details.CPUsInNUMANodes(numa), cpuGroupSize, cpuSortingStrategy, false)
+				cpus, _ := takeByTopologyNUMAPacked(logger, acc.topo, acc.details.CPUsInNUMANodes(numa), cpuGroupSize, cpuSortingStrategy, false)
 				acc.take(cpus)
 				remainder -= cpuGroupSize
 			}
@@ -1111,5 +1119,5 @@ func takeByTopologyNUMADistributed(topo *topology.CPUTopology, availableCPUs cpu
 
 	// If we never found a combination of NUMA nodes that we could properly
 	// distribute CPUs across, fall back to the packing algorithm.
-	return takeByTopologyNUMAPacked(topo, availableCPUs, numCPUs, cpuSortingStrategy, false)
+	return takeByTopologyNUMAPacked(logger, topo, availableCPUs, numCPUs, cpuSortingStrategy, false)
 }
diff --git a/pkg/kubelet/cm/cpumanager/cpu_assignment_test.go b/pkg/kubelet/cm/cpumanager/cpu_assignment_test.go
index 8d5e05aa5d4ec..34933bc982a55 100644
--- a/pkg/kubelet/cm/cpumanager/cpu_assignment_test.go
+++ b/pkg/kubelet/cm/cpumanager/cpu_assignment_test.go
@@ -22,10 +22,12 @@ import (
 	"testing"
 
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/topology"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/cpuset"
 )
 
 func TestCPUAccumulatorFreeSockets(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description   string
 		topo          *topology.CPUTopology
@@ -114,7 +116,7 @@ func TestCPUAccumulatorFreeSockets(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
 			result := acc.freeSockets()
 			sort.Ints(result)
 			if !reflect.DeepEqual(result, tc.expect) {
@@ -126,6 +128,7 @@ func TestCPUAccumulatorFreeSockets(t *testing.T) {
 }
 
 func TestCPUAccumulatorFreeNUMANodes(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description   string
 		topo          *topology.CPUTopology
@@ -214,7 +217,7 @@ func TestCPUAccumulatorFreeNUMANodes(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
 			result := acc.freeNUMANodes()
 			if !reflect.DeepEqual(result, tc.expect) {
 				t.Errorf("expected %v to equal %v", result, tc.expect)
@@ -224,6 +227,7 @@ func TestCPUAccumulatorFreeNUMANodes(t *testing.T) {
 }
 
 func TestCPUAccumulatorFreeSocketsAndNUMANodes(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description     string
 		topo            *topology.CPUTopology
@@ -263,7 +267,7 @@ func TestCPUAccumulatorFreeSocketsAndNUMANodes(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
 			resultNUMANodes := acc.freeNUMANodes()
 			if !reflect.DeepEqual(resultNUMANodes, tc.expectNUMANodes) {
 				t.Errorf("expected NUMA Nodes %v to equal %v", resultNUMANodes, tc.expectNUMANodes)
@@ -277,6 +281,7 @@ func TestCPUAccumulatorFreeSocketsAndNUMANodes(t *testing.T) {
 }
 
 func TestCPUAccumulatorFreeCores(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description   string
 		topo          *topology.CPUTopology
@@ -335,7 +340,7 @@ func TestCPUAccumulatorFreeCores(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
 			result := acc.freeCores()
 			if !reflect.DeepEqual(result, tc.expect) {
 				t.Errorf("expected %v to equal %v", result, tc.expect)
@@ -345,6 +350,7 @@ func TestCPUAccumulatorFreeCores(t *testing.T) {
 }
 
 func TestCPUAccumulatorFreeCPUs(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description   string
 		topo          *topology.CPUTopology
@@ -391,7 +397,7 @@ func TestCPUAccumulatorFreeCPUs(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, 0, CPUSortingStrategyPacked)
 			result := acc.freeCPUs()
 			if !reflect.DeepEqual(result, tc.expect) {
 				t.Errorf("expected %v to equal %v", result, tc.expect)
@@ -401,6 +407,7 @@ func TestCPUAccumulatorFreeCPUs(t *testing.T) {
 }
 
 func TestCPUAccumulatorTake(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description     string
 		topo            *topology.CPUTopology
@@ -477,7 +484,7 @@ func TestCPUAccumulatorTake(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			acc := newCPUAccumulator(tc.topo, tc.availableCPUs, tc.numCPUs, CPUSortingStrategyPacked)
+			acc := newCPUAccumulator(logger, tc.topo, tc.availableCPUs, tc.numCPUs, CPUSortingStrategyPacked)
 			totalTaken := 0
 			for _, cpus := range tc.takeCPUs {
 				acc.take(cpus)
@@ -639,6 +646,7 @@ func commonTakeByTopologyTestCases(t *testing.T) []takeByTopologyTestCase {
 }
 
 func TestTakeByTopologyNUMAPacked(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := commonTakeByTopologyTestCases(t)
 	testCases = append(testCases, []takeByTopologyTestCase{
 		{
@@ -750,7 +758,7 @@ func TestTakeByTopologyNUMAPacked(t *testing.T) {
 				strategy = CPUSortingStrategySpread
 			}
 
-			result, err := takeByTopologyNUMAPacked(tc.topo, tc.availableCPUs, tc.numCPUs, strategy, tc.opts.PreferAlignByUncoreCacheOption)
+			result, err := takeByTopologyNUMAPacked(logger, tc.topo, tc.availableCPUs, tc.numCPUs, strategy, tc.opts.PreferAlignByUncoreCacheOption)
 			if tc.expErr != "" && err != nil && err.Error() != tc.expErr {
 				t.Errorf("expected error to be [%v] but it was [%v]", tc.expErr, err)
 			}
@@ -762,6 +770,7 @@ func TestTakeByTopologyNUMAPacked(t *testing.T) {
 }
 
 func TestTakeByTopologyWithSpreadPhysicalCPUsPreferredOption(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
 		description   string
 		topo          *topology.CPUTopology
@@ -851,7 +860,7 @@ func TestTakeByTopologyWithSpreadPhysicalCPUsPreferredOption(t *testing.T) {
 		if tc.opts.DistributeCPUsAcrossCores {
 			strategy = CPUSortingStrategySpread
 		}
-		result, err := takeByTopologyNUMAPacked(tc.topo, tc.availableCPUs, tc.numCPUs, strategy, tc.opts.PreferAlignByUncoreCacheOption)
+		result, err := takeByTopologyNUMAPacked(logger, tc.topo, tc.availableCPUs, tc.numCPUs, strategy, tc.opts.PreferAlignByUncoreCacheOption)
 		if tc.expErr != "" && err.Error() != tc.expErr {
 			t.Errorf("testCase %q failed, expected error to be [%v] but it was [%v]", tc.description, tc.expErr, err)
 		}
@@ -957,6 +966,7 @@ func commonTakeByTopologyExtendedTestCases(t *testing.T) []takeByTopologyExtende
 }
 
 func TestTakeByTopologyNUMADistributed(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := commonTakeByTopologyExtendedTestCases(t)
 	testCases = append(testCases, []takeByTopologyExtendedTestCase{
 		{
@@ -1053,7 +1063,7 @@ func TestTakeByTopologyNUMADistributed(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			result, err := takeByTopologyNUMADistributed(tc.topo, tc.availableCPUs, tc.numCPUs, tc.cpuGroupSize, CPUSortingStrategyPacked)
+			result, err := takeByTopologyNUMADistributed(logger, tc.topo, tc.availableCPUs, tc.numCPUs, tc.cpuGroupSize, CPUSortingStrategyPacked)
 			if err != nil {
 				if tc.expErr == "" {
 					t.Errorf("unexpected error [%v]", err)
diff --git a/pkg/kubelet/cm/cpumanager/cpu_manager.go b/pkg/kubelet/cm/cpumanager/cpu_manager.go
index d4a10145d5b96..f5a7e249dcfa8 100644
--- a/pkg/kubelet/cm/cpumanager/cpu_manager.go
+++ b/pkg/kubelet/cm/cpumanager/cpu_manager.go
@@ -23,6 +23,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/go-logr/logr"
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -55,7 +56,9 @@ const cpuManagerStateFileName = "cpu_manager_state"
 // Manager interface provides methods for Kubelet to manage pod cpus.
 type Manager interface {
 	// Start is called during Kubelet initialization.
-	Start(activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error
+	// Start takes a `Context` because it may possibly spin the reconcileState helper, which in turn
+	// needs to update container state, which takes a context.
+	Start(ctx context.Context, activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error
 
 	// Called to trigger the allocation of CPUs to a container. This must be
 	// called at some point prior to the AddContainer() call for a container,
@@ -64,12 +67,12 @@ type Manager interface {
 
 	// AddContainer adds the mapping between container ID to pod UID and the container name
 	// The mapping used to remove the CPU allocation during the container removal
-	AddContainer(p *v1.Pod, c *v1.Container, containerID string)
+	AddContainer(logger logr.Logger, p *v1.Pod, c *v1.Container, containerID string)
 
 	// RemoveContainer is called after Kubelet decides to kill or delete a
 	// container. After this call, the CPU manager stops trying to reconcile
 	// that container and any CPUs dedicated to the container are freed.
-	RemoveContainer(containerID string) error
+	RemoveContainer(logger logr.Logger, containerID string) error
 
 	// State returns a read-only interface to the internal CPU manager state.
 	State() state.Reader
@@ -77,7 +80,7 @@ type Manager interface {
 	// GetTopologyHints implements the topologymanager.HintProvider Interface
 	// and is consulted to achieve NUMA aware resource alignment among this
 	// and other resource controllers.
-	GetTopologyHints(*v1.Pod, *v1.Container) map[string][]topologymanager.TopologyHint
+	GetTopologyHints(pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint
 
 	// GetExclusiveCPUs implements the podresources.CPUsProvider interface to provide
 	// exclusively allocated cpus for the container
@@ -157,12 +160,12 @@ func (s *sourcesReadyStub) AddSource(source string) {}
 func (s *sourcesReadyStub) AllReady() bool          { return true }
 
 // NewManager creates new cpu manager based on provided policy
-func NewManager(cpuPolicyName string, cpuPolicyOptions map[string]string, reconcilePeriod time.Duration, machineInfo *cadvisorapi.MachineInfo, specificCPUs cpuset.CPUSet, nodeAllocatableReservation v1.ResourceList, stateFileDirectory string, affinity topologymanager.Store) (Manager, error) {
+func NewManager(logger logr.Logger, cpuPolicyName string, cpuPolicyOptions map[string]string, reconcilePeriod time.Duration, machineInfo *cadvisorapi.MachineInfo, specificCPUs cpuset.CPUSet, nodeAllocatableReservation v1.ResourceList, stateFileDirectory string, affinity topologymanager.Store) (Manager, error) {
 	var topo *topology.CPUTopology
 	var policy Policy
 	var err error
 
-	topo, err = topology.Discover(machineInfo)
+	topo, err = topology.Discover(logger, machineInfo)
 	if err != nil {
 		return nil, err
 	}
@@ -176,7 +179,7 @@ func NewManager(cpuPolicyName string, cpuPolicyOptions map[string]string, reconc
 		}
 
 	case PolicyStatic:
-		klog.InfoS("Detected CPU topology", "topology", topo)
+		logger.Info("Detected CPU topology", "topology", topo)
 
 		reservedCPUs, ok := nodeAllocatableReservation[v1.ResourceCPU]
 		if !ok {
@@ -196,7 +199,7 @@ func NewManager(cpuPolicyName string, cpuPolicyOptions map[string]string, reconc
 		// exclusively allocated.
 		reservedCPUsFloat := float64(reservedCPUs.MilliValue()) / 1000
 		numReservedCPUs := int(math.Ceil(reservedCPUsFloat))
-		policy, err = NewStaticPolicy(topo, numReservedCPUs, specificCPUs, affinity, cpuPolicyOptions)
+		policy, err = NewStaticPolicy(logger, topo, numReservedCPUs, specificCPUs, affinity, cpuPolicyOptions)
 		if err != nil {
 			return nil, fmt.Errorf("new static policy error: %w", err)
 		}
@@ -208,7 +211,7 @@ func NewManager(cpuPolicyName string, cpuPolicyOptions map[string]string, reconc
 	manager := &manager{
 		policy:                     policy,
 		reconcilePeriod:            reconcilePeriod,
-		lastUpdateState:            state.NewMemoryState(),
+		lastUpdateState:            state.NewMemoryState(logger),
 		topology:                   topo,
 		nodeAllocatableReservation: nodeAllocatableReservation,
 		stateFileDirectory:         stateFileDirectory,
@@ -218,29 +221,30 @@ func NewManager(cpuPolicyName string, cpuPolicyOptions map[string]string, reconc
 	return manager, nil
 }
 
-func (m *manager) Start(activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error {
-	klog.InfoS("Starting CPU manager", "policy", m.policy.Name())
-	klog.InfoS("Reconciling", "reconcilePeriod", m.reconcilePeriod)
+func (m *manager) Start(ctx context.Context, activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting", "policy", m.policy.Name())
+	logger.Info("Reconciling", "reconcilePeriod", m.reconcilePeriod)
 	m.sourcesReady = sourcesReady
 	m.activePods = activePods
 	m.podStatusProvider = podStatusProvider
 	m.containerRuntime = containerRuntime
 	m.containerMap = initialContainers
 
-	stateImpl, err := state.NewCheckpointState(m.stateFileDirectory, cpuManagerStateFileName, m.policy.Name(), m.containerMap)
+	stateImpl, err := state.NewCheckpointState(logger, m.stateFileDirectory, cpuManagerStateFileName, m.policy.Name(), m.containerMap)
 	if err != nil {
-		klog.ErrorS(err, "Could not initialize checkpoint manager, please drain node and remove policy state file")
+		logger.Error(err, "Could not initialize checkpoint manager, please drain node and remove policy state file")
 		return err
 	}
 	m.state = stateImpl
 
-	err = m.policy.Start(m.state)
+	err = m.policy.Start(logger, m.state)
 	if err != nil {
-		klog.ErrorS(err, "Policy start error")
+		logger.Error(err, "Policy start error")
 		return err
 	}
 
-	klog.V(4).InfoS("CPU manager started", "policy", m.policy.Name())
+	logger.V(4).Info("CPU manager started", "policy", m.policy.Name())
 
 	m.allocatableCPUs = m.policy.GetAllocatableCPUs(m.state)
 
@@ -249,56 +253,59 @@ func (m *manager) Start(activePods ActivePodsFunc, sourcesReady config.SourcesRe
 	}
 	// Periodically call m.reconcileState() to continue to keep the CPU sets of
 	// all pods in sync with and guaranteed CPUs handed out among them.
-	go wait.Until(func() { m.reconcileState() }, m.reconcilePeriod, wait.NeverStop)
+	go wait.Until(func() { m.reconcileState(ctx) }, m.reconcilePeriod, wait.NeverStop)
 	return nil
 }
 
 func (m *manager) Allocate(p *v1.Pod, c *v1.Container) error {
+	logger := klog.TODO() // until we move topology manager to contextual logging
+
 	// Garbage collect any stranded resources before allocating CPUs.
-	m.removeStaleState()
+	m.removeStaleState(logger)
 
 	m.Lock()
 	defer m.Unlock()
 
 	// Call down into the policy to assign this container CPUs if required.
-	err := m.policy.Allocate(m.state, p, c)
+	err := m.policy.Allocate(logger, m.state, p, c)
 	if err != nil {
-		klog.ErrorS(err, "Allocate error")
+		logger.Error(err, "policy error")
 		return err
 	}
 
 	return nil
 }
 
-func (m *manager) AddContainer(pod *v1.Pod, container *v1.Container, containerID string) {
+func (m *manager) AddContainer(logger logr.Logger, pod *v1.Pod, container *v1.Container, containerID string) {
 	m.Lock()
 	defer m.Unlock()
 	if cset, exists := m.state.GetCPUSet(string(pod.UID), container.Name); exists {
 		m.lastUpdateState.SetCPUSet(string(pod.UID), container.Name, cset)
 	}
 	m.containerMap.Add(string(pod.UID), container.Name, containerID)
+	logger.V(4).Info("Added Container", "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "containerID", containerID)
 }
 
-func (m *manager) RemoveContainer(containerID string) error {
+func (m *manager) RemoveContainer(logger logr.Logger, containerID string) error {
 	m.Lock()
 	defer m.Unlock()
 
-	err := m.policyRemoveContainerByID(containerID)
+	err := m.policyRemoveContainerByID(logger, containerID)
 	if err != nil {
-		klog.ErrorS(err, "RemoveContainer error")
+		logger.Error(err, "RemoveContainer error")
 		return err
 	}
 
 	return nil
 }
 
-func (m *manager) policyRemoveContainerByID(containerID string) error {
+func (m *manager) policyRemoveContainerByID(logger logr.Logger, containerID string) error {
 	podUID, containerName, err := m.containerMap.GetContainerRef(containerID)
 	if err != nil {
 		return nil
 	}
 
-	err = m.policy.RemoveContainer(m.state, podUID, containerName)
+	err = m.policy.RemoveContainer(logger, m.state, podUID, containerName)
 	if err == nil {
 		m.lastUpdateState.Delete(podUID, containerName)
 		m.containerMap.RemoveByContainerID(containerID)
@@ -307,8 +314,8 @@ func (m *manager) policyRemoveContainerByID(containerID string) error {
 	return err
 }
 
-func (m *manager) policyRemoveContainerByRef(podUID string, containerName string) error {
-	err := m.policy.RemoveContainer(m.state, podUID, containerName)
+func (m *manager) policyRemoveContainerByRef(logger logr.Logger, podUID string, containerName string) error {
+	err := m.policy.RemoveContainer(logger, m.state, podUID, containerName)
 	if err == nil {
 		m.lastUpdateState.Delete(podUID, containerName)
 		m.containerMap.RemoveByContainerRef(podUID, containerName)
@@ -322,17 +329,19 @@ func (m *manager) State() state.Reader {
 }
 
 func (m *manager) GetTopologyHints(pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+	logger := klog.TODO()
 	// Garbage collect any stranded resources before providing TopologyHints
-	m.removeStaleState()
+	m.removeStaleState(logger)
 	// Delegate to active policy
-	return m.policy.GetTopologyHints(m.state, pod, container)
+	return m.policy.GetTopologyHints(logger, m.state, pod, container)
 }
 
 func (m *manager) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+	logger := klog.TODO()
 	// Garbage collect any stranded resources before providing TopologyHints
-	m.removeStaleState()
+	m.removeStaleState(logger)
 	// Delegate to active policy
-	return m.policy.GetPodTopologyHints(m.state, pod)
+	return m.policy.GetPodTopologyHints(logger, m.state, pod)
 }
 
 func (m *manager) GetAllocatableCPUs() cpuset.CPUSet {
@@ -349,7 +358,7 @@ type reconciledContainer struct {
 	containerID   string
 }
 
-func (m *manager) removeStaleState() {
+func (m *manager) removeStaleState(rootLogger logr.Logger) {
 	// Only once all sources are ready do we attempt to remove any stale state.
 	// This ensures that the call to `m.activePods()` below will succeed with
 	// the actual active pods list.
@@ -381,42 +390,49 @@ func (m *manager) removeStaleState() {
 	assignments := m.state.GetCPUAssignments()
 	for podUID := range assignments {
 		for containerName := range assignments[podUID] {
+			logger := klog.LoggerWithValues(rootLogger, "podUID", podUID, "containerName", containerName)
+
 			if _, ok := activeContainers[podUID][containerName]; ok {
-				klog.V(5).InfoS("RemoveStaleState: container still active", "podUID", podUID, "containerName", containerName)
+				logger.V(5).Info("container still active")
 				continue
 			}
-			klog.V(2).InfoS("RemoveStaleState: removing container", "podUID", podUID, "containerName", containerName)
-			err := m.policyRemoveContainerByRef(podUID, containerName)
+
+			logger.V(2).Info("removing container")
+			err := m.policyRemoveContainerByRef(logger, podUID, containerName)
 			if err != nil {
-				klog.ErrorS(err, "RemoveStaleState: failed to remove container", "podUID", podUID, "containerName", containerName)
+				logger.Error(err, "failed to remove container")
 			}
 		}
 	}
 
 	m.containerMap.Visit(func(podUID, containerName, containerID string) {
+		logger := klog.LoggerWithValues(rootLogger, "podUID", podUID, "containerName", containerName)
 		if _, ok := activeContainers[podUID][containerName]; ok {
-			klog.V(5).InfoS("RemoveStaleState: containerMap: container still active", "podUID", podUID, "containerName", containerName)
+			logger.V(5).Info("containerMap: container still active")
 			return
 		}
-		klog.V(2).InfoS("RemoveStaleState: containerMap: removing container", "podUID", podUID, "containerName", containerName)
-		err := m.policyRemoveContainerByRef(podUID, containerName)
+		logger.V(2).Info("containerMap: removing container")
+		err := m.policyRemoveContainerByRef(logger, podUID, containerName)
 		if err != nil {
-			klog.ErrorS(err, "RemoveStaleState: containerMap: failed to remove container", "podUID", podUID, "containerName", containerName)
+			logger.Error(err, "containerMap: failed to remove container")
 		}
 	})
 }
 
-func (m *manager) reconcileState() (success []reconciledContainer, failure []reconciledContainer) {
-	ctx := context.Background()
+func (m *manager) reconcileState(ctx context.Context) (success []reconciledContainer, failure []reconciledContainer) {
 	success = []reconciledContainer{}
 	failure = []reconciledContainer{}
 
-	m.removeStaleState()
+	rootLogger := klog.FromContext(ctx)
+
+	m.removeStaleState(rootLogger)
 	workloadEnabled := managed.IsEnabled()
 	for _, pod := range m.activePods() {
+		podLogger := klog.LoggerWithValues(rootLogger, "pod", klog.KObj(pod))
+
 		pstatus, ok := m.podStatusProvider.GetPodStatus(pod.UID)
 		if !ok {
-			klog.V(5).InfoS("ReconcileState: skipping pod; status not found", "pod", klog.KObj(pod))
+			podLogger.V(5).Info("skipping pod; status not found")
 			failure = append(failure, reconciledContainer{pod.Name, "", ""})
 			continue
 		}
@@ -428,23 +444,25 @@ func (m *manager) reconcileState() (success []reconciledContainer, failure []rec
 		allContainers := pod.Spec.InitContainers
 		allContainers = append(allContainers, pod.Spec.Containers...)
 		for _, container := range allContainers {
+			logger := klog.LoggerWithValues(podLogger, "containerName", container.Name)
+
 			containerID, err := findContainerIDByName(&pstatus, container.Name)
 			if err != nil {
-				klog.V(5).InfoS("ReconcileState: skipping container; ID not found in pod status", "pod", klog.KObj(pod), "containerName", container.Name, "err", err)
+				logger.V(5).Info("skipping container; ID not found in pod status", "err", err)
 				failure = append(failure, reconciledContainer{pod.Name, container.Name, ""})
 				continue
 			}
 
 			cstatus, err := findContainerStatusByName(&pstatus, container.Name)
 			if err != nil {
-				klog.V(5).InfoS("ReconcileState: skipping container; container status not found in pod status", "pod", klog.KObj(pod), "containerName", container.Name, "err", err)
+				logger.V(5).Info("skipping container; container status not found in pod status", "err", err)
 				failure = append(failure, reconciledContainer{pod.Name, container.Name, ""})
 				continue
 			}
 
 			if cstatus.State.Waiting != nil ||
 				(cstatus.State.Waiting == nil && cstatus.State.Running == nil && cstatus.State.Terminated == nil) {
-				klog.V(4).InfoS("ReconcileState: skipping container; container still in the waiting state", "pod", klog.KObj(pod), "containerName", container.Name, "err", err)
+				logger.V(4).Info("skipping container; container still in the waiting state", "err", err)
 				failure = append(failure, reconciledContainer{pod.Name, container.Name, ""})
 				continue
 			}
@@ -458,7 +476,7 @@ func (m *manager) reconcileState() (success []reconciledContainer, failure []rec
 				// was allocated.
 				_, _, err := m.containerMap.GetContainerRef(containerID)
 				if err == nil {
-					klog.V(4).InfoS("ReconcileState: ignoring terminated container", "pod", klog.KObj(pod), "containerID", containerID)
+					logger.V(4).Info("ignoring terminated container", "containerID", containerID)
 				}
 				m.Unlock()
 				continue
@@ -473,17 +491,17 @@ func (m *manager) reconcileState() (success []reconciledContainer, failure []rec
 			cset := m.state.GetCPUSetOrDefault(string(pod.UID), container.Name)
 			if cset.IsEmpty() {
 				// NOTE: This should not happen outside of tests.
-				klog.V(2).InfoS("ReconcileState: skipping container; empty cpuset assigned", "pod", klog.KObj(pod), "containerName", container.Name)
+				logger.V(2).Info("ReconcileState: skipping container; empty cpuset assigned")
 				failure = append(failure, reconciledContainer{pod.Name, container.Name, containerID})
 				continue
 			}
 
 			lcset := m.lastUpdateState.GetCPUSetOrDefault(string(pod.UID), container.Name)
 			if !cset.Equals(lcset) {
-				klog.V(5).InfoS("ReconcileState: updating container", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID, "cpuSet", cset)
+				logger.V(5).Info("updating container", "containerID", containerID, "cpuSet", cset)
 				err = m.updateContainerCPUSet(ctx, containerID, cset)
 				if err != nil {
-					klog.ErrorS(err, "ReconcileState: failed to update container", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID, "cpuSet", cset)
+					logger.Error(err, "failed to update container", "containerID", containerID, "cpuSet", cset)
 					failure = append(failure, reconciledContainer{pod.Name, container.Name, containerID})
 					continue
 				}
diff --git a/pkg/kubelet/cm/cpumanager/cpu_manager_test.go b/pkg/kubelet/cm/cpumanager/cpu_manager_test.go
index 742dfc11ae902..2361595a4bf7e 100644
--- a/pkg/kubelet/cm/cpumanager/cpu_manager_test.go
+++ b/pkg/kubelet/cm/cpumanager/cpu_manager_test.go
@@ -31,12 +31,14 @@ import (
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/features"
 
+	"github.com/go-logr/logr"
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 
 	"k8s.io/kubernetes/pkg/kubelet/cm/containermap"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
@@ -105,23 +107,23 @@ func (p *mockPolicy) Name() string {
 	return "mock"
 }
 
-func (p *mockPolicy) Start(s state.State) error {
+func (p *mockPolicy) Start(_ logr.Logger, s state.State) error {
 	return p.err
 }
 
-func (p *mockPolicy) Allocate(s state.State, pod *v1.Pod, container *v1.Container) error {
+func (p *mockPolicy) Allocate(_ logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) error {
 	return p.err
 }
 
-func (p *mockPolicy) RemoveContainer(s state.State, podUID string, containerName string) error {
+func (p *mockPolicy) RemoveContainer(_ logr.Logger, s state.State, podUID string, containerName string) error {
 	return p.err
 }
 
-func (p *mockPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+func (p *mockPolicy) GetTopologyHints(_ logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
-func (p *mockPolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+func (p *mockPolicy) GetPodTopologyHints(_ logr.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
@@ -288,7 +290,10 @@ func TestCPUManagerAdd(t *testing.T) {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsCPUAndMemoryAffinity, true)
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	testPolicy, _ := NewStaticPolicy(
+		logger,
 		&topology.CPUTopology{
 			NumCPUs:    4,
 			NumSockets: 1,
@@ -339,7 +344,7 @@ func TestCPUManagerAdd(t *testing.T) {
 				assignments:   state.ContainerCPUAssignments{},
 				defaultCPUSet: cpuset.New(1, 2, 3, 4),
 			},
-			lastUpdateState: state.NewMemoryState(),
+			lastUpdateState: state.NewMemoryState(logger),
 			containerRuntime: mockRuntimeService{
 				err: testCase.updateErr,
 			},
@@ -358,7 +363,7 @@ func TestCPUManagerAdd(t *testing.T) {
 				testCase.description, testCase.expAllocateErr, err)
 		}
 
-		mgr.AddContainer(pod, container, "fakeID")
+		mgr.AddContainer(logger, pod, container, "fakeID")
 		_, _, err = mgr.containerMap.GetContainerRef("fakeID")
 		if !reflect.DeepEqual(err, testCase.expAddContainerErr) {
 			t.Errorf("CPU Manager AddContainer() error (%v). expected error: %v but got: %v",
@@ -557,7 +562,8 @@ func TestCPUManagerAddWithInitContainers(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		policy, _ := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		policy, _ := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
 
 		mockState := &mockState{
 			assignments:   testCase.stAssignments,
@@ -567,7 +573,7 @@ func TestCPUManagerAddWithInitContainers(t *testing.T) {
 		mgr := &manager{
 			policy:            policy,
 			state:             mockState,
-			lastUpdateState:   state.NewMemoryState(),
+			lastUpdateState:   state.NewMemoryState(logger),
 			containerRuntime:  mockRuntimeService{},
 			containerMap:      containermap.NewContainerMap(),
 			podStatusProvider: mockPodStatusProvider{},
@@ -598,7 +604,7 @@ func TestCPUManagerAddWithInitContainers(t *testing.T) {
 					testCase.description, containerIDs[i], err)
 			}
 
-			mgr.AddContainer(testCase.pod, &containers[i], containerIDs[i])
+			mgr.AddContainer(logger, testCase.pod, &containers[i], containerIDs[i])
 			_, _, err = mgr.containerMap.GetContainerRef(containerIDs[i])
 			if err != nil {
 				t.Errorf("StaticPolicy AddContainer() error (%v). unexpected error for container id: %v: %v",
@@ -720,7 +726,8 @@ func TestCPUManagerGenerate(t *testing.T) {
 			}
 			defer os.RemoveAll(sDir)
 
-			mgr, err := NewManager(testCase.cpuPolicyName, nil, 5*time.Second, machineInfo, cpuset.New(), testCase.nodeAllocatableReservation, sDir, topologymanager.NewFakeManager())
+			logger, _ := ktesting.NewTestContext(t)
+			mgr, err := NewManager(logger, testCase.cpuPolicyName, nil, 5*time.Second, machineInfo, cpuset.New(), testCase.nodeAllocatableReservation, sDir, topologymanager.NewFakeManager())
 			if testCase.expectedError != nil {
 				if !strings.Contains(err.Error(), testCase.expectedError.Error()) {
 					t.Errorf("Unexpected error message. Have: %s wants %s", err.Error(), testCase.expectedError.Error())
@@ -747,6 +754,7 @@ func TestCPUManagerRemove(t *testing.T) {
 	containerID := "fakeID"
 	containerMap := containermap.NewContainerMap()
 
+	logger, _ := ktesting.NewTestContext(t)
 	mgr := &manager{
 		policy: &mockPolicy{
 			err: nil,
@@ -755,7 +763,7 @@ func TestCPUManagerRemove(t *testing.T) {
 			assignments:   state.ContainerCPUAssignments{},
 			defaultCPUSet: cpuset.New(),
 		},
-		lastUpdateState:   state.NewMemoryState(),
+		lastUpdateState:   state.NewMemoryState(logger),
 		containerRuntime:  mockRuntimeService{},
 		containerMap:      containerMap,
 		activePods:        func() []*v1.Pod { return nil },
@@ -763,7 +771,7 @@ func TestCPUManagerRemove(t *testing.T) {
 	}
 
 	containerMap.Add("", "", containerID)
-	err := mgr.RemoveContainer(containerID)
+	err := mgr.RemoveContainer(logger, containerID)
 	if err != nil {
 		t.Errorf("CPU Manager RemoveContainer() error. expected error to be nil but got: %v", err)
 	}
@@ -772,7 +780,7 @@ func TestCPUManagerRemove(t *testing.T) {
 		policy: &mockPolicy{
 			err: fmt.Errorf("fake error"),
 		},
-		state:             state.NewMemoryState(),
+		state:             state.NewMemoryState(logger),
 		containerRuntime:  mockRuntimeService{},
 		containerMap:      containerMap,
 		activePods:        func() []*v1.Pod { return nil },
@@ -780,7 +788,7 @@ func TestCPUManagerRemove(t *testing.T) {
 	}
 
 	containerMap.Add("", "", containerID)
-	err = mgr.RemoveContainer(containerID)
+	err = mgr.RemoveContainer(logger, containerID)
 	if !reflect.DeepEqual(err, fmt.Errorf("fake error")) {
 		t.Errorf("CPU Manager RemoveContainer() error. expected error: fake error but got: %v", err)
 	}
@@ -791,7 +799,10 @@ func TestReconcileState(t *testing.T) {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsCPUAndMemoryAffinity, true)
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	testPolicy, _ := NewStaticPolicy(
+		logger,
 		&topology.CPUTopology{
 			NumCPUs:    8,
 			NumSockets: 2,
@@ -1245,13 +1256,14 @@ func TestReconcileState(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
+		logger, _ := ktesting.NewTestContext(t)
 		mgr := &manager{
 			policy: testCase.policy,
 			state: &mockState{
 				assignments:   testCase.stAssignments,
 				defaultCPUSet: testCase.stDefaultCPUSet,
 			},
-			lastUpdateState: state.NewMemoryState(),
+			lastUpdateState: state.NewMemoryState(logger),
 			containerRuntime: mockRuntimeService{
 				err: testCase.updateErr,
 			},
@@ -1265,7 +1277,7 @@ func TestReconcileState(t *testing.T) {
 			},
 		}
 		mgr.sourcesReady = &sourcesReadyStub{}
-		success, failure := mgr.reconcileState()
+		success, failure := mgr.reconcileState(context.Background())
 
 		if !reflect.DeepEqual(testCase.expectStAssignments, mgr.state.GetCPUAssignments()) {
 			t.Errorf("%v", testCase.description)
@@ -1318,7 +1330,9 @@ func TestCPUManagerAddWithResvList(t *testing.T) {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsCPUAndMemoryAffinity, true)
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
 	testPolicy, _ := NewStaticPolicy(
+		logger,
 		&topology.CPUTopology{
 			NumCPUs:    4,
 			NumSockets: 1,
@@ -1359,7 +1373,7 @@ func TestCPUManagerAddWithResvList(t *testing.T) {
 				assignments:   state.ContainerCPUAssignments{},
 				defaultCPUSet: cpuset.New(0, 1, 2, 3),
 			},
-			lastUpdateState: state.NewMemoryState(),
+			lastUpdateState: state.NewMemoryState(logger),
 			containerRuntime: mockRuntimeService{
 				err: testCase.updateErr,
 			},
@@ -1378,7 +1392,7 @@ func TestCPUManagerAddWithResvList(t *testing.T) {
 				testCase.description, testCase.expAllocateErr, err)
 		}
 
-		mgr.AddContainer(pod, container, "fakeID")
+		mgr.AddContainer(logger, pod, container, "fakeID")
 		_, _, err = mgr.containerMap.GetContainerRef("fakeID")
 		if !reflect.DeepEqual(err, testCase.expAddContainerErr) {
 			t.Errorf("CPU Manager AddContainer() error (%v). expected error: %v but got: %v",
@@ -1449,7 +1463,8 @@ func TestCPUManagerHandlePolicyOptions(t *testing.T) {
 			}
 			defer os.RemoveAll(sDir)
 
-			_, err = NewManager(testCase.cpuPolicyName, testCase.cpuPolicyOptions, 5*time.Second, machineInfo, cpuset.New(), nodeAllocatableReservation, sDir, topologymanager.NewFakeManager())
+			logger, _ := ktesting.NewTestContext(t)
+			_, err = NewManager(logger, testCase.cpuPolicyName, testCase.cpuPolicyOptions, 5*time.Second, machineInfo, cpuset.New(), nodeAllocatableReservation, sDir, topologymanager.NewFakeManager())
 			if err == nil {
 				t.Errorf("Expected error, but NewManager succeeded")
 			}
@@ -1462,12 +1477,14 @@ func TestCPUManagerHandlePolicyOptions(t *testing.T) {
 }
 
 func TestCPUManagerGetAllocatableCPUs(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	if runtime.GOOS == "windows" {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsCPUAndMemoryAffinity, true)
 	}
 
 	nonePolicy, _ := NewNonePolicy(nil)
 	staticPolicy, _ := NewStaticPolicy(
+		logger,
 		&topology.CPUTopology{
 			NumCPUs:    4,
 			NumSockets: 1,
@@ -1508,7 +1525,7 @@ func TestCPUManagerGetAllocatableCPUs(t *testing.T) {
 				assignments:   state.ContainerCPUAssignments{},
 				defaultCPUSet: cpuset.New(0, 1, 2, 3),
 			},
-			lastUpdateState:   state.NewMemoryState(),
+			lastUpdateState:   state.NewMemoryState(logger),
 			containerMap:      containermap.NewContainerMap(),
 			podStatusProvider: mockPodStatusProvider{},
 			sourcesReady:      &sourcesReadyStub{},
diff --git a/pkg/kubelet/cm/cpumanager/fake_cpu_manager.go b/pkg/kubelet/cm/cpumanager/fake_cpu_manager.go
index 8f00ec3784b03..38ce4e655e725 100644
--- a/pkg/kubelet/cm/cpumanager/fake_cpu_manager.go
+++ b/pkg/kubelet/cm/cpumanager/fake_cpu_manager.go
@@ -17,7 +17,10 @@ limitations under the License.
 package cpumanager
 
 import (
-	"k8s.io/api/core/v1"
+	"context"
+
+	"github.com/go-logr/logr"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/containermap"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
@@ -28,41 +31,46 @@ import (
 )
 
 type fakeManager struct {
-	state state.State
+	logger logr.Logger
+	state  state.State
 }
 
-func (m *fakeManager) Start(activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error {
-	klog.InfoS("Start()")
+func (m *fakeManager) Start(ctx context.Context, activePods ActivePodsFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, containerRuntime runtimeService, initialContainers containermap.ContainerMap) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Start()")
 	return nil
 }
 
 func (m *fakeManager) Policy() Policy {
-	klog.InfoS("Policy()")
+	m.logger.Info("Policy()")
 	pol, _ := NewNonePolicy(nil)
 	return pol
 }
 
 func (m *fakeManager) Allocate(pod *v1.Pod, container *v1.Container) error {
-	klog.InfoS("Allocate", "pod", klog.KObj(pod), "containerName", container.Name)
+	logger := klog.TODO()
+	logger.Info("Allocate", "pod", klog.KObj(pod), "containerName", container.Name)
 	return nil
 }
 
-func (m *fakeManager) AddContainer(pod *v1.Pod, container *v1.Container, containerID string) {
-	klog.InfoS("AddContainer", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID)
+func (m *fakeManager) AddContainer(logger logr.Logger, pod *v1.Pod, container *v1.Container, containerID string) {
+	logger.Info("AddContainer", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID)
 }
 
-func (m *fakeManager) RemoveContainer(containerID string) error {
-	klog.InfoS("RemoveContainer", "containerID", containerID)
+func (m *fakeManager) RemoveContainer(logger logr.Logger, containerID string) error {
+	logger.Info("RemoveContainer", "containerID", containerID)
 	return nil
 }
 
 func (m *fakeManager) GetTopologyHints(pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
-	klog.InfoS("Get container topology hints")
+	logger := klog.TODO()
+	logger.Info("Get container topology hints")
 	return map[string][]topologymanager.TopologyHint{}
 }
 
 func (m *fakeManager) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymanager.TopologyHint {
-	klog.InfoS("Get pod topology hints")
+	logger := klog.TODO()
+	logger.Info("Get pod topology hints")
 	return map[string][]topologymanager.TopologyHint{}
 }
 
@@ -71,28 +79,30 @@ func (m *fakeManager) State() state.Reader {
 }
 
 func (m *fakeManager) GetExclusiveCPUs(podUID, containerName string) cpuset.CPUSet {
-	klog.InfoS("GetExclusiveCPUs", "podUID", podUID, "containerName", containerName)
+	m.logger.Info("GetExclusiveCPUs", "podUID", podUID, "containerName", containerName)
 	return cpuset.CPUSet{}
 }
 
 func (m *fakeManager) GetAllocatableCPUs() cpuset.CPUSet {
-	klog.InfoS("Get Allocatable CPUs")
+	m.logger.Info("Get Allocatable CPUs")
 	return cpuset.CPUSet{}
 }
 
 func (m *fakeManager) GetCPUAffinity(podUID, containerName string) cpuset.CPUSet {
-	klog.InfoS("GetCPUAffinity", "podUID", podUID, "containerName", containerName)
+	m.logger.Info("GetCPUAffinity", "podUID", podUID, "containerName", containerName)
 	return cpuset.CPUSet{}
 }
 
 func (m *fakeManager) GetAllCPUs() cpuset.CPUSet {
-	klog.InfoS("GetAllCPUs")
+	m.logger.Info("GetAllCPUs")
 	return cpuset.CPUSet{}
 }
 
 // NewFakeManager creates empty/fake cpu manager
-func NewFakeManager() Manager {
+func NewFakeManager(logger logr.Logger) Manager {
+	logger = klog.LoggerWithName(logger, "cpu.fake")
 	return &fakeManager{
-		state: state.NewMemoryState(),
+		logger: logger,
+		state:  state.NewMemoryState(logger),
 	}
 }
diff --git a/pkg/kubelet/cm/cpumanager/policy.go b/pkg/kubelet/cm/cpumanager/policy.go
index a80da9427cefd..628b0254af16a 100644
--- a/pkg/kubelet/cm/cpumanager/policy.go
+++ b/pkg/kubelet/cm/cpumanager/policy.go
@@ -17,8 +17,9 @@ limitations under the License.
 package cpumanager
 
 import (
-	"k8s.io/api/core/v1"
+	"github.com/go-logr/logr"
 
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/utils/cpuset"
@@ -27,19 +28,19 @@ import (
 // Policy implements logic for pod container to CPU assignment.
 type Policy interface {
 	Name() string
-	Start(s state.State) error
+	Start(logger logr.Logger, s state.State) error
 	// Allocate call is idempotent
-	Allocate(s state.State, pod *v1.Pod, container *v1.Container) error
+	Allocate(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) error
 	// RemoveContainer call is idempotent
-	RemoveContainer(s state.State, podUID string, containerName string) error
+	RemoveContainer(logger logr.Logger, s state.State, podUID string, containerName string) error
 	// GetTopologyHints implements the topologymanager.HintProvider Interface
 	// and is consulted to achieve NUMA aware resource alignment among this
 	// and other resource controllers.
-	GetTopologyHints(s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint
+	GetTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint
 	// GetPodTopologyHints implements the topologymanager.HintProvider Interface
 	// and is consulted to achieve NUMA aware resource alignment per Pod
 	// among this and other resource controllers.
-	GetPodTopologyHints(s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint
+	GetPodTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint
 	// GetAllocatableCPUs returns the total set of CPUs available for allocation.
 	GetAllocatableCPUs(m state.State) cpuset.CPUSet
 }
diff --git a/pkg/kubelet/cm/cpumanager/policy_none.go b/pkg/kubelet/cm/cpumanager/policy_none.go
index ff86498fd926c..e29d0598a36f0 100644
--- a/pkg/kubelet/cm/cpumanager/policy_none.go
+++ b/pkg/kubelet/cm/cpumanager/policy_none.go
@@ -19,14 +19,15 @@ package cpumanager
 import (
 	"fmt"
 
-	"k8s.io/api/core/v1"
-	"k8s.io/klog/v2"
+	"github.com/go-logr/logr"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/utils/cpuset"
 )
 
-type nonePolicy struct{}
+type nonePolicy struct {
+}
 
 var _ Policy = &nonePolicy{}
 
@@ -45,24 +46,24 @@ func (p *nonePolicy) Name() string {
 	return string(PolicyNone)
 }
 
-func (p *nonePolicy) Start(s state.State) error {
-	klog.InfoS("None policy: Start")
+func (p *nonePolicy) Start(logger logr.Logger, s state.State) error {
+	logger.Info("Start")
 	return nil
 }
 
-func (p *nonePolicy) Allocate(s state.State, pod *v1.Pod, container *v1.Container) error {
+func (p *nonePolicy) Allocate(_ logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) error {
 	return nil
 }
 
-func (p *nonePolicy) RemoveContainer(s state.State, podUID string, containerName string) error {
+func (p *nonePolicy) RemoveContainer(_ logr.Logger, s state.State, podUID string, containerName string) error {
 	return nil
 }
 
-func (p *nonePolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+func (p *nonePolicy) GetTopologyHints(_ logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
-func (p *nonePolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+func (p *nonePolicy) GetPodTopologyHints(_ logr.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
diff --git a/pkg/kubelet/cm/cpumanager/policy_none_test.go b/pkg/kubelet/cm/cpumanager/policy_none_test.go
index 22a977eb94d71..bba7908fe5dce 100644
--- a/pkg/kubelet/cm/cpumanager/policy_none_test.go
+++ b/pkg/kubelet/cm/cpumanager/policy_none_test.go
@@ -19,6 +19,8 @@ package cpumanager
 import (
 	"testing"
 
+	"k8s.io/kubernetes/test/utils/ktesting"
+
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
 	"k8s.io/utils/cpuset"
 )
@@ -33,6 +35,7 @@ func TestNonePolicyName(t *testing.T) {
 }
 
 func TestNonePolicyAllocate(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	policy := &nonePolicy{}
 
 	st := &mockState{
@@ -43,13 +46,14 @@ func TestNonePolicyAllocate(t *testing.T) {
 	testPod := makePod("fakePod", "fakeContainer", "1000m", "1000m")
 
 	container := &testPod.Spec.Containers[0]
-	err := policy.Allocate(st, testPod, container)
+	err := policy.Allocate(logger, st, testPod, container)
 	if err != nil {
 		t.Errorf("NonePolicy Allocate() error. expected no error but got: %v", err)
 	}
 }
 
 func TestNonePolicyRemove(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	policy := &nonePolicy{}
 
 	st := &mockState{
@@ -60,7 +64,7 @@ func TestNonePolicyRemove(t *testing.T) {
 	testPod := makePod("fakePod", "fakeContainer", "1000m", "1000m")
 
 	container := &testPod.Spec.Containers[0]
-	err := policy.RemoveContainer(st, string(testPod.UID), container.Name)
+	err := policy.RemoveContainer(logger, st, string(testPod.UID), container.Name)
 	if err != nil {
 		t.Errorf("NonePolicy RemoveContainer() error. expected no error but got %v", err)
 	}
diff --git a/pkg/kubelet/cm/cpumanager/policy_options.go b/pkg/kubelet/cm/cpumanager/policy_options.go
index c9830650873ae..745c6bf7ca5e9 100644
--- a/pkg/kubelet/cm/cpumanager/policy_options.go
+++ b/pkg/kubelet/cm/cpumanager/policy_options.go
@@ -43,12 +43,12 @@ var (
 		DistributeCPUsAcrossCoresOption,
 	)
 	betaOptions = sets.New[string](
-		StrictCPUReservationOption,
 		DistributeCPUsAcrossNUMAOption,
 		PreferAlignByUnCoreCacheOption,
 	)
 	stableOptions = sets.New[string](
 		FullPCPUsOnlyOption,
+		StrictCPUReservationOption,
 	)
 )
 
diff --git a/pkg/kubelet/cm/cpumanager/policy_options_test.go b/pkg/kubelet/cm/cpumanager/policy_options_test.go
index ba9c1461115bd..5af8060cc23c5 100644
--- a/pkg/kubelet/cm/cpumanager/policy_options_test.go
+++ b/pkg/kubelet/cm/cpumanager/policy_options_test.go
@@ -106,18 +106,6 @@ func TestPolicyOptionsAvailable(t *testing.T) {
 			featureGateEnable: true,
 			expectedAvailable: false,
 		},
-		{
-			option:            StrictCPUReservationOption,
-			featureGate:       pkgfeatures.CPUManagerPolicyBetaOptions,
-			featureGateEnable: false,
-			expectedAvailable: false,
-		},
-		{
-			option:            StrictCPUReservationOption,
-			featureGate:       pkgfeatures.CPUManagerPolicyBetaOptions,
-			featureGateEnable: true,
-			expectedAvailable: true,
-		},
 		{
 			option:            PreferAlignByUnCoreCacheOption,
 			featureGate:       pkgfeatures.CPUManagerPolicyBetaOptions,
@@ -146,11 +134,14 @@ func TestPolicyOptionsAvailable(t *testing.T) {
 func TestPolicyOptionsAlwaysAvailableOnceGA(t *testing.T) {
 	options := []string{
 		FullPCPUsOnlyOption,
+		StrictCPUReservationOption,
 	}
 	for _, option := range options {
 		t.Run(option, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.CPUManagerPolicyAlphaOptions, false)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.CPUManagerPolicyBetaOptions, false)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				pkgfeatures.CPUManagerPolicyAlphaOptions: false,
+				pkgfeatures.CPUManagerPolicyBetaOptions:  false,
+			})
 			if err := CheckPolicyOptionAvailable(option); err != nil {
 				t.Errorf("option %q should be available even with all featuregate disabled", option)
 			}
diff --git a/pkg/kubelet/cm/cpumanager/policy_static.go b/pkg/kubelet/cm/cpumanager/policy_static.go
index 2120b5f789005..635570dbf492d 100644
--- a/pkg/kubelet/cm/cpumanager/policy_static.go
+++ b/pkg/kubelet/cm/cpumanager/policy_static.go
@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"strconv"
 
+	"github.com/go-logr/logr"
+
 	v1 "k8s.io/api/core/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	resourcehelper "k8s.io/component-helpers/resource"
@@ -132,7 +134,7 @@ var _ Policy = &staticPolicy{}
 // NewStaticPolicy returns a CPU manager policy that does not change CPU
 // assignments for exclusively pinned guaranteed containers after the main
 // container process starts.
-func NewStaticPolicy(topology *topology.CPUTopology, numReservedCPUs int, reservedCPUs cpuset.CPUSet, affinity topologymanager.Store, cpuPolicyOptions map[string]string) (Policy, error) {
+func NewStaticPolicy(logger logr.Logger, topology *topology.CPUTopology, numReservedCPUs int, reservedCPUs cpuset.CPUSet, affinity topologymanager.Store, cpuPolicyOptions map[string]string) (Policy, error) {
 	opts, err := NewStaticPolicyOptions(cpuPolicyOptions)
 	if err != nil {
 		return nil, err
@@ -143,7 +145,7 @@ func NewStaticPolicy(topology *topology.CPUTopology, numReservedCPUs int, reserv
 	}
 
 	cpuGroupSize := topology.CPUsPerCore()
-	klog.InfoS("Static policy created with configuration", "options", opts, "cpuGroupSize", cpuGroupSize)
+	logger.Info("created with configuration", "options", opts, "cpuGroupSize", cpuGroupSize)
 
 	policy := &staticPolicy{
 		topology:     topology,
@@ -163,7 +165,7 @@ func NewStaticPolicy(topology *topology.CPUTopology, numReservedCPUs int, reserv
 		//
 		// For example: Given a system with 8 CPUs available and HT enabled,
 		// if numReservedCPUs=2, then reserved={0,4}
-		reserved, _ = policy.takeByTopology(allCPUs, numReservedCPUs)
+		reserved, _ = policy.takeByTopology(logger, allCPUs, numReservedCPUs)
 	}
 
 	if reserved.Size() != numReservedCPUs {
@@ -180,7 +182,7 @@ func NewStaticPolicy(topology *topology.CPUTopology, numReservedCPUs int, reserv
 		reservedPhysicalCPUs = reservedPhysicalCPUs.Union(topology.CPUDetails.CPUsInCores(core))
 	}
 
-	klog.InfoS("Reserved CPUs not available for exclusive assignment", "reservedSize", reserved.Size(), "reserved", reserved, "reservedPhysicalCPUs", reservedPhysicalCPUs)
+	logger.Info("Reserved CPUs not available for exclusive assignment", "reservedSize", reserved.Size(), "reserved", reserved, "reservedPhysicalCPUs", reservedPhysicalCPUs)
 	policy.reservedCPUs = reserved
 	policy.reservedPhysicalCPUs = reservedPhysicalCPUs
 
@@ -191,16 +193,16 @@ func (p *staticPolicy) Name() string {
 	return string(PolicyStatic)
 }
 
-func (p *staticPolicy) Start(s state.State) error {
-	if err := p.validateState(s); err != nil {
-		klog.ErrorS(err, "Static policy invalid state, please drain node and remove policy state file")
+func (p *staticPolicy) Start(logger logr.Logger, s state.State) error {
+	if err := p.validateState(logger, s); err != nil {
+		logger.Error(err, "invalid state, please drain node and remove policy state file")
 		return err
 	}
-	p.initializeMetrics(s)
+	p.initializeMetrics(logger, s)
 	return nil
 }
 
-func (p *staticPolicy) validateState(s state.State) error {
+func (p *staticPolicy) validateState(logger logr.Logger, s state.State) error {
 	tmpAssignments := s.GetCPUAssignments()
 	tmpDefaultCPUset := s.GetDefaultCPUSet()
 
@@ -216,7 +218,7 @@ func (p *staticPolicy) validateState(s state.State) error {
 		}
 		// state is empty initialize
 		s.SetDefaultCPUSet(allCPUs)
-		klog.InfoS("Static policy initialized", "defaultCPUSet", allCPUs)
+		logger.Info("Static policy initialized", "defaultCPUSet", allCPUs)
 		if managed.IsEnabled() {
 			defaultCpus := s.GetDefaultCPUSet().Difference(p.reservedCPUs)
 			s.SetDefaultCPUSet(defaultCpus)
@@ -230,7 +232,7 @@ func (p *staticPolicy) validateState(s state.State) error {
 	// - user tampered with file
 	if p.options.StrictCPUReservation {
 		if !p.reservedCPUs.Intersection(tmpDefaultCPUset).IsEmpty() {
-			return fmt.Errorf("some of strictly reserved cpus: \"%s\" are present in defaultCpuSet: \"%s\"",
+			return fmt.Errorf("some of strictly reserved cpus: %q are present in defaultCpuSet: %q",
 				p.reservedCPUs.Intersection(tmpDefaultCPUset).String(), tmpDefaultCPUset.String())
 		}
 	} else {
@@ -247,7 +249,7 @@ func (p *staticPolicy) validateState(s state.State) error {
 		for container, cset := range tmpAssignments[pod] {
 			// None of the cpu in DEFAULT cset should be in s.assignments
 			if !tmpDefaultCPUset.Intersection(cset).IsEmpty() {
-				return fmt.Errorf("pod: %s, container: %s cpuset: \"%s\" overlaps with default cpuset \"%s\"",
+				return fmt.Errorf("pod: %s, container: %s cpuset: %q overlaps with default cpuset %q",
 					pod, container, cset.String(), tmpDefaultCPUset.String())
 			}
 		}
@@ -328,19 +330,24 @@ func (p *staticPolicy) updateCPUsToReuse(pod *v1.Pod, container *v1.Container, c
 	p.cpusToReuse[string(pod.UID)] = p.cpusToReuse[string(pod.UID)].Difference(cset)
 }
 
-func (p *staticPolicy) Allocate(s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
-	numCPUs := p.guaranteedCPUs(pod, container)
+func (p *staticPolicy) Allocate(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
+	logger.Info("Allocate start") // V=0 for backward compatibility
+	defer logger.V(2).Info("Allocate end")
+
+	numCPUs := p.guaranteedCPUs(logger, pod, container)
 	if numCPUs == 0 {
 		// container belongs in the shared pool (nothing to do; use default cpuset)
 		return nil
 	}
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources) && resourcehelper.IsPodLevelResourcesSet(pod) {
-		klog.V(2).InfoS("CPU Manager allocation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy", "pod", klog.KObj(pod), "podUID", pod.UID)
+		logger.Info("CPU Manager allocation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy")
 		return nil
 	}
 
-	klog.InfoS("Static policy: Allocate", "pod", klog.KObj(pod), "containerName", container.Name)
+	logger.Info("Static policy: Allocate")
+
 	// container belongs in an exclusively allocated pool
 	metrics.CPUManagerPinningRequestsTotal.Inc()
 	defer func() {
@@ -393,26 +400,26 @@ func (p *staticPolicy) Allocate(s state.State, pod *v1.Pod, container *v1.Contai
 	}
 	if cset, ok := s.GetCPUSet(string(pod.UID), container.Name); ok {
 		p.updateCPUsToReuse(pod, container, cset)
-		klog.InfoS("Static policy: container already present in state, skipping", "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Info("Static policy: container already present in state, skipping")
 		return nil
 	}
 
 	// Call Topology Manager to get the aligned socket affinity across all hint providers.
 	hint := p.affinity.GetAffinity(string(pod.UID), container.Name)
-	klog.InfoS("Topology Affinity", "pod", klog.KObj(pod), "containerName", container.Name, "affinity", hint)
+	logger.Info("Topology Affinity", "affinity", hint)
 
 	// Allocate CPUs according to the NUMA affinity contained in the hint.
-	cpuAllocation, err := p.allocateCPUs(s, numCPUs, hint.NUMANodeAffinity, p.cpusToReuse[string(pod.UID)])
+	cpuAllocation, err := p.allocateCPUs(logger, s, numCPUs, hint.NUMANodeAffinity, p.cpusToReuse[string(pod.UID)])
 	if err != nil {
-		klog.ErrorS(err, "Unable to allocate CPUs", "pod", klog.KObj(pod), "containerName", container.Name, "numCPUs", numCPUs)
+		logger.Error(err, "Unable to allocate CPUs", "numCPUs", numCPUs)
 		return err
 	}
 
 	s.SetCPUSet(string(pod.UID), container.Name, cpuAllocation.CPUs)
 	p.updateCPUsToReuse(pod, container, cpuAllocation.CPUs)
-	p.updateMetricsOnAllocate(s, cpuAllocation)
+	p.updateMetricsOnAllocate(logger, s, cpuAllocation)
 
-	klog.V(4).InfoS("Allocated exclusive CPUs", "pod", klog.KObj(pod), "containerName", container.Name, "cpuset", cpuAllocation.CPUs.String())
+	logger.V(4).Info("Allocated exclusive CPUs", "cpuset", cpuAllocation.CPUs.String())
 	return nil
 }
 
@@ -429,22 +436,27 @@ func getAssignedCPUsOfSiblings(s state.State, podUID string, containerName strin
 	return cset
 }
 
-func (p *staticPolicy) RemoveContainer(s state.State, podUID string, containerName string) error {
-	klog.InfoS("Static policy: RemoveContainer", "podUID", podUID, "containerName", containerName)
+func (p *staticPolicy) RemoveContainer(logger logr.Logger, s state.State, podUID string, containerName string) error {
+	logger = klog.LoggerWithValues(logger, "podUID", podUID, "containerName", containerName)
+	logger.Info("RemoveContainer start") // backward compatibility
+	defer logger.V(4).Info("RemoveContainer start")
 	cpusInUse := getAssignedCPUsOfSiblings(s, podUID, containerName)
-	if toRelease, ok := s.GetCPUSet(podUID, containerName); ok {
-		s.Delete(podUID, containerName)
-		// Mutate the shared pool, adding released cpus.
-		toRelease = toRelease.Difference(cpusInUse)
-		s.SetDefaultCPUSet(s.GetDefaultCPUSet().Union(toRelease))
-		p.updateMetricsOnRelease(s, toRelease)
-
+	toRelease, ok := s.GetCPUSet(podUID, containerName)
+	if !ok {
+		return nil
 	}
+	s.Delete(podUID, containerName)
+	// Mutate the shared pool, adding released cpus.
+	toRelease = toRelease.Difference(cpusInUse)
+	updatedCPUs := s.GetDefaultCPUSet().Union(toRelease)
+	s.SetDefaultCPUSet(updatedCPUs)
+	p.updateMetricsOnRelease(logger, s, toRelease)
+	logger.Info(" RemoveContainer end", "defaultCPUSet", updatedCPUs)
 	return nil
 }
 
-func (p *staticPolicy) allocateCPUs(s state.State, numCPUs int, numaAffinity bitmask.BitMask, reusableCPUs cpuset.CPUSet) (topology.Allocation, error) {
-	klog.InfoS("AllocateCPUs", "numCPUs", numCPUs, "socket", numaAffinity)
+func (p *staticPolicy) allocateCPUs(logger logr.Logger, s state.State, numCPUs int, numaAffinity bitmask.BitMask, reusableCPUs cpuset.CPUSet) (topology.Allocation, error) {
+	logger.Info("AllocateCPUs", "numCPUs", numCPUs, "socket", numaAffinity)
 
 	allocatableCPUs := p.GetAvailableCPUs(s).Union(reusableCPUs)
 
@@ -458,7 +470,7 @@ func (p *staticPolicy) allocateCPUs(s state.State, numCPUs int, numaAffinity bit
 			numAlignedToAlloc = numCPUs
 		}
 
-		allocatedCPUs, err := p.takeByTopology(alignedCPUs, numAlignedToAlloc)
+		allocatedCPUs, err := p.takeByTopology(logger, alignedCPUs, numAlignedToAlloc)
 		if err != nil {
 			return topology.EmptyAllocation(), err
 		}
@@ -467,7 +479,7 @@ func (p *staticPolicy) allocateCPUs(s state.State, numCPUs int, numaAffinity bit
 	}
 
 	// Get any remaining CPUs from what's leftover after attempting to grab aligned ones.
-	remainingCPUs, err := p.takeByTopology(allocatableCPUs.Difference(result.CPUs), numCPUs-result.CPUs.Size())
+	remainingCPUs, err := p.takeByTopology(logger, allocatableCPUs.Difference(result.CPUs), numCPUs-result.CPUs.Size())
 	if err != nil {
 		return topology.EmptyAllocation(), err
 	}
@@ -477,35 +489,20 @@ func (p *staticPolicy) allocateCPUs(s state.State, numCPUs int, numaAffinity bit
 	// Remove allocated CPUs from the shared CPUSet.
 	s.SetDefaultCPUSet(s.GetDefaultCPUSet().Difference(result.CPUs))
 
-	klog.InfoS("AllocateCPUs", "result", result.String())
+	logger.Info("AllocateCPUs", "result", result.String())
 	return result, nil
 }
 
-func (p *staticPolicy) guaranteedCPUs(pod *v1.Pod, container *v1.Container) int {
+func (p *staticPolicy) guaranteedCPUs(logger logr.Logger, pod *v1.Pod, container *v1.Container) int {
 	qos := v1qos.GetPodQOS(pod)
 	if qos != v1.PodQOSGuaranteed {
-		klog.V(5).InfoS("Exclusive CPU allocation skipped, pod QoS is not guaranteed", "pod", klog.KObj(pod), "containerName", container.Name, "qos", qos)
+		logger.V(5).Info("Exclusive CPU allocation skipped, pod QoS is not guaranteed", "qos", qos)
 		return 0
 	}
 	cpuQuantity := container.Resources.Requests[v1.ResourceCPU]
-	// In-place pod resize feature makes Container.Resources field mutable for CPU & memory.
-	// AllocatedResources holds the value of Container.Resources.Requests when the pod was admitted.
-	// We should return this value because this is what kubelet agreed to allocate for the container
-	// and the value configured with runtime.
-	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
-		containerStatuses := pod.Status.ContainerStatuses
-		if podutil.IsRestartableInitContainer(container) {
-			if len(pod.Status.InitContainerStatuses) != 0 {
-				containerStatuses = append(containerStatuses, pod.Status.InitContainerStatuses...)
-			}
-		}
-		if cs, ok := podutil.GetContainerStatus(containerStatuses, container.Name); ok {
-			cpuQuantity = cs.AllocatedResources[v1.ResourceCPU]
-		}
-	}
 	cpuValue := cpuQuantity.Value()
 	if cpuValue*1000 != cpuQuantity.MilliValue() {
-		klog.V(5).InfoS("Exclusive CPU allocation skipped, pod requested non-integral CPUs", "pod", klog.KObj(pod), "containerName", container.Name, "cpu", cpuValue)
+		logger.V(5).Info("Exclusive CPU allocation skipped, pod requested non-integral CPUs", "cpu", cpuValue)
 		return 0
 	}
 	// Safe downcast to do for all systems with < 2.1 billion CPUs.
@@ -514,7 +511,7 @@ func (p *staticPolicy) guaranteedCPUs(pod *v1.Pod, container *v1.Container) int
 	return int(cpuQuantity.Value())
 }
 
-func (p *staticPolicy) podGuaranteedCPUs(pod *v1.Pod) int {
+func (p *staticPolicy) podGuaranteedCPUs(logger logr.Logger, pod *v1.Pod) int {
 	// The maximum of requested CPUs by init containers.
 	requestedByInitContainers := 0
 	requestedByRestartableInitContainers := 0
@@ -522,7 +519,7 @@ func (p *staticPolicy) podGuaranteedCPUs(pod *v1.Pod) int {
 		if _, ok := container.Resources.Requests[v1.ResourceCPU]; !ok {
 			continue
 		}
-		requestedCPU := p.guaranteedCPUs(pod, &container)
+		requestedCPU := p.guaranteedCPUs(logger, pod, &container)
 		// See https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/753-sidecar-containers#resources-calculation-for-scheduling-and-pod-admission
 		// for the detail.
 		if podutil.IsRestartableInitContainer(&container) {
@@ -538,7 +535,7 @@ func (p *staticPolicy) podGuaranteedCPUs(pod *v1.Pod) int {
 		if _, ok := container.Resources.Requests[v1.ResourceCPU]; !ok {
 			continue
 		}
-		requestedByAppContainers += p.guaranteedCPUs(pod, &container)
+		requestedByAppContainers += p.guaranteedCPUs(logger, pod, &container)
 	}
 
 	requestedByLongRunningContainers := requestedByAppContainers + requestedByRestartableInitContainers
@@ -548,7 +545,7 @@ func (p *staticPolicy) podGuaranteedCPUs(pod *v1.Pod) int {
 	return requestedByLongRunningContainers
 }
 
-func (p *staticPolicy) takeByTopology(availableCPUs cpuset.CPUSet, numCPUs int) (cpuset.CPUSet, error) {
+func (p *staticPolicy) takeByTopology(logger logr.Logger, availableCPUs cpuset.CPUSet, numCPUs int) (cpuset.CPUSet, error) {
 	cpuSortingStrategy := CPUSortingStrategyPacked
 	if p.options.DistributeCPUsAcrossCores {
 		cpuSortingStrategy = CPUSortingStrategySpread
@@ -559,15 +556,17 @@ func (p *staticPolicy) takeByTopology(availableCPUs cpuset.CPUSet, numCPUs int)
 		if p.options.FullPhysicalCPUsOnly {
 			cpuGroupSize = p.cpuGroupSize
 		}
-		return takeByTopologyNUMADistributed(p.topology, availableCPUs, numCPUs, cpuGroupSize, cpuSortingStrategy)
+		return takeByTopologyNUMADistributed(logger, p.topology, availableCPUs, numCPUs, cpuGroupSize, cpuSortingStrategy)
 	}
 
-	return takeByTopologyNUMAPacked(p.topology, availableCPUs, numCPUs, cpuSortingStrategy, p.options.PreferAlignByUncoreCacheOption)
+	return takeByTopologyNUMAPacked(logger, p.topology, availableCPUs, numCPUs, cpuSortingStrategy, p.options.PreferAlignByUncoreCacheOption)
 }
 
-func (p *staticPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+func (p *staticPolicy) GetTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
+
 	// Get a count of how many guaranteed CPUs have been requested.
-	requested := p.guaranteedCPUs(pod, container)
+	requested := p.guaranteedCPUs(logger, pod, container)
 
 	// Number of required CPUs is not an integer or a container is not part of the Guaranteed QoS class.
 	// It will be treated by the TopologyManager as having no preference and cause it to ignore this
@@ -578,7 +577,7 @@ func (p *staticPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v
 	}
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources) && resourcehelper.IsPodLevelResourcesSet(pod) {
-		klog.V(3).InfoS("CPU Manager hint generation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy", "pod", klog.KObj(pod), "podUID", pod.UID)
+		logger.V(3).Info("CPU Manager hint generation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy", "pod", klog.KObj(pod), "podUID", pod.UID)
 		return nil
 	}
 
@@ -587,7 +586,7 @@ func (p *staticPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v
 	// kubelet restart, for example.
 	if allocated, exists := s.GetCPUSet(string(pod.UID), container.Name); exists {
 		if allocated.Size() != requested {
-			klog.InfoS("CPUs already allocated to container with different number than request", "pod", klog.KObj(pod), "containerName", container.Name, "requestedSize", requested, "allocatedSize", allocated.Size())
+			logger.Info("CPUs already allocated to container with different number than request", "requestedSize", requested, "allocatedSize", allocated.Size())
 			// An empty list of hints will be treated as a preference that cannot be satisfied.
 			// In definition of hints this is equal to: TopologyHint[NUMANodeAffinity: nil, Preferred: false].
 			// For all but the best-effort policy, the Topology Manager will throw a pod-admission error.
@@ -595,7 +594,7 @@ func (p *staticPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v
 				string(v1.ResourceCPU): {},
 			}
 		}
-		klog.InfoS("Regenerating TopologyHints for CPUs already allocated", "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Info("Regenerating TopologyHints for CPUs already allocated")
 		return map[string][]topologymanager.TopologyHint{
 			string(v1.ResourceCPU): p.generateCPUTopologyHints(allocated, cpuset.CPUSet{}, requested),
 		}
@@ -610,16 +609,18 @@ func (p *staticPolicy) GetTopologyHints(s state.State, pod *v1.Pod, container *v
 
 	// Generate hints.
 	cpuHints := p.generateCPUTopologyHints(available, reusable, requested)
-	klog.InfoS("TopologyHints generated", "pod", klog.KObj(pod), "containerName", container.Name, "cpuHints", cpuHints)
+	logger.Info("TopologyHints generated", "cpuHints", cpuHints)
 
 	return map[string][]topologymanager.TopologyHint{
 		string(v1.ResourceCPU): cpuHints,
 	}
 }
 
-func (p *staticPolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+func (p *staticPolicy) GetPodTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod), "podUID", pod.UID)
+
 	// Get a count of how many guaranteed CPUs have been requested by Pod.
-	requested := p.podGuaranteedCPUs(pod)
+	requested := p.podGuaranteedCPUs(logger, pod)
 
 	// Number of required CPUs is not an integer or a pod is not part of the Guaranteed QoS class.
 	// It will be treated by the TopologyManager as having no preference and cause it to ignore this
@@ -630,19 +631,21 @@ func (p *staticPolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[strin
 	}
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources) && resourcehelper.IsPodLevelResourcesSet(pod) {
-		klog.V(3).InfoS("CPU Manager pod hint generation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy", "pod", klog.KObj(pod), "podUID", pod.UID)
+		logger.V(3).Info("CPU Manager pod hint generation skipped, pod is using pod-level resources which are not supported by the static CPU manager policy")
 		return nil
 	}
 
 	assignedCPUs := cpuset.New()
 	for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
-		requestedByContainer := p.guaranteedCPUs(pod, &container)
+		logger_ := klog.LoggerWithValues(logger, "containerName", container.Name)
+
+		requestedByContainer := p.guaranteedCPUs(logger, pod, &container)
 		// Short circuit to regenerate the same hints if there are already
 		// guaranteed CPUs allocated to the Container. This might happen after a
 		// kubelet restart, for example.
 		if allocated, exists := s.GetCPUSet(string(pod.UID), container.Name); exists {
 			if allocated.Size() != requestedByContainer {
-				klog.InfoS("CPUs already allocated to container with different number than request", "pod", klog.KObj(pod), "containerName", container.Name, "allocatedSize", requested, "requestedByContainer", requestedByContainer, "allocatedSize", allocated.Size())
+				logger_.Info("CPUs already allocated to container with different number than request", "allocatedSize", requested, "requestedByContainer", requestedByContainer, "allocatedSize", allocated.Size())
 				// An empty list of hints will be treated as a preference that cannot be satisfied.
 				// In definition of hints this is equal to: TopologyHint[NUMANodeAffinity: nil, Preferred: false].
 				// For all but the best-effort policy, the Topology Manager will throw a pod-admission error.
@@ -655,7 +658,7 @@ func (p *staticPolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[strin
 		}
 	}
 	if assignedCPUs.Size() == requested {
-		klog.InfoS("Regenerating TopologyHints for CPUs already allocated", "pod", klog.KObj(pod))
+		logger.Info("Regenerating TopologyHints for CPUs already allocated")
 		return map[string][]topologymanager.TopologyHint{
 			string(v1.ResourceCPU): p.generateCPUTopologyHints(assignedCPUs, cpuset.CPUSet{}, requested),
 		}
@@ -673,7 +676,7 @@ func (p *staticPolicy) GetPodTopologyHints(s state.State, pod *v1.Pod) map[strin
 
 	// Generate hints.
 	cpuHints := p.generateCPUTopologyHints(available, reusable, requested)
-	klog.InfoS("TopologyHints generated", "pod", klog.KObj(pod), "cpuHints", cpuHints)
+	logger.Info("TopologyHints generated", "cpuHints", cpuHints)
 
 	return map[string][]topologymanager.TopologyHint{
 		string(v1.ResourceCPU): cpuHints,
@@ -785,17 +788,17 @@ func (p *staticPolicy) getAlignedCPUs(numaAffinity bitmask.BitMask, allocatableC
 	return alignedCPUs
 }
 
-func (p *staticPolicy) initializeMetrics(s state.State) {
+func (p *staticPolicy) initializeMetrics(logger logr.Logger, s state.State) {
 	metrics.CPUManagerSharedPoolSizeMilliCores.Set(float64(p.GetAvailableCPUs(s).Size() * 1000))
 	metrics.ContainerAlignedComputeResourcesFailure.WithLabelValues(metrics.AlignScopeContainer, metrics.AlignedPhysicalCPU).Add(0) // ensure the value exists
 	metrics.ContainerAlignedComputeResources.WithLabelValues(metrics.AlignScopeContainer, metrics.AlignedPhysicalCPU).Add(0)        // ensure the value exists
 	metrics.ContainerAlignedComputeResources.WithLabelValues(metrics.AlignScopeContainer, metrics.AlignedUncoreCache).Add(0)        // ensure the value exists
 	totalAssignedCPUs := getTotalAssignedExclusiveCPUs(s)
 	metrics.CPUManagerExclusiveCPUsAllocationCount.Set(float64(totalAssignedCPUs.Size()))
-	updateAllocationPerNUMAMetric(p.topology, totalAssignedCPUs)
+	updateAllocationPerNUMAMetric(logger, p.topology, totalAssignedCPUs)
 }
 
-func (p *staticPolicy) updateMetricsOnAllocate(s state.State, cpuAlloc topology.Allocation) {
+func (p *staticPolicy) updateMetricsOnAllocate(logger logr.Logger, s state.State, cpuAlloc topology.Allocation) {
 	ncpus := cpuAlloc.CPUs.Size()
 	metrics.CPUManagerExclusiveCPUsAllocationCount.Add(float64(ncpus))
 	metrics.CPUManagerSharedPoolSizeMilliCores.Add(float64(-ncpus * 1000))
@@ -803,15 +806,15 @@ func (p *staticPolicy) updateMetricsOnAllocate(s state.State, cpuAlloc topology.
 		metrics.ContainerAlignedComputeResources.WithLabelValues(metrics.AlignScopeContainer, metrics.AlignedUncoreCache).Inc()
 	}
 	totalAssignedCPUs := getTotalAssignedExclusiveCPUs(s)
-	updateAllocationPerNUMAMetric(p.topology, totalAssignedCPUs)
+	updateAllocationPerNUMAMetric(logger, p.topology, totalAssignedCPUs)
 }
 
-func (p *staticPolicy) updateMetricsOnRelease(s state.State, cset cpuset.CPUSet) {
+func (p *staticPolicy) updateMetricsOnRelease(logger logr.Logger, s state.State, cset cpuset.CPUSet) {
 	ncpus := cset.Size()
 	metrics.CPUManagerExclusiveCPUsAllocationCount.Add(float64(-ncpus))
 	metrics.CPUManagerSharedPoolSizeMilliCores.Add(float64(ncpus * 1000))
 	totalAssignedCPUs := getTotalAssignedExclusiveCPUs(s)
-	updateAllocationPerNUMAMetric(p.topology, totalAssignedCPUs.Difference(cset))
+	updateAllocationPerNUMAMetric(logger, p.topology, totalAssignedCPUs.Difference(cset))
 }
 
 func getTotalAssignedExclusiveCPUs(s state.State) cpuset.CPUSet {
@@ -820,12 +823,11 @@ func getTotalAssignedExclusiveCPUs(s state.State) cpuset.CPUSet {
 		for _, cset := range assignment {
 			totalAssignedCPUs = totalAssignedCPUs.Union(cset)
 		}
-
 	}
 	return totalAssignedCPUs
 }
 
-func updateAllocationPerNUMAMetric(topo *topology.CPUTopology, allocatedCPUs cpuset.CPUSet) {
+func updateAllocationPerNUMAMetric(logger logr.Logger, topo *topology.CPUTopology, allocatedCPUs cpuset.CPUSet) {
 	numaCount := make(map[int]int)
 
 	// Count CPUs allocated per NUMA node
@@ -834,7 +836,7 @@ func updateAllocationPerNUMAMetric(topo *topology.CPUTopology, allocatedCPUs cpu
 		if err != nil {
 			//NOTE: We are logging the error but it is highly unlikely to happen as the CPUset
 			//      is already computed, evaluated and there is no room for user tampering.
-			klog.ErrorS(err, "Unable to determine NUMA node", "cpuID", cpuID)
+			logger.Error(err, "Unable to determine NUMA node", "cpuID", cpuID)
 		}
 		numaCount[numaNode]++
 	}
diff --git a/pkg/kubelet/cm/cpumanager/policy_static_test.go b/pkg/kubelet/cm/cpumanager/policy_static_test.go
index e51f7336b57b6..234654dead8e2 100644
--- a/pkg/kubelet/cm/cpumanager/policy_static_test.go
+++ b/pkg/kubelet/cm/cpumanager/policy_static_test.go
@@ -27,11 +27,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/klog/v2"
 	pkgfeatures "k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/topology"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/bitmask"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/cpuset"
 )
 
@@ -72,7 +74,8 @@ func (spt staticPolicyTest) PseudoClone() staticPolicyTest {
 }
 
 func TestStaticPolicyName(t *testing.T) {
-	policy, err := NewStaticPolicy(topoSingleSocketHT, 1, cpuset.New(), topologymanager.NewFakeManager(), nil)
+	logger, _ := ktesting.NewTestContext(t)
+	policy, err := NewStaticPolicy(logger, topoSingleSocketHT, 1, cpuset.New(), topologymanager.NewFakeManager(), nil)
 	if err != nil {
 		t.Fatalf("NewStaticPolicy() failed: %v", err)
 	}
@@ -172,7 +175,9 @@ func TestStaticPolicyStart(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
-			p, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), testCase.options)
+			logger, _ := ktesting.NewTestContext(t)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.CPUManagerPolicyAlphaOptions, true)
+			p, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), testCase.options)
 			if err != nil {
 				t.Fatalf("NewStaticPolicy() failed: %v", err)
 			}
@@ -181,7 +186,7 @@ func TestStaticPolicyStart(t *testing.T) {
 				assignments:   testCase.stAssignments,
 				defaultCPUSet: testCase.stDefaultCPUSet,
 			}
-			err = policy.Start(st)
+			err = policy.Start(logger, st)
 			if !reflect.DeepEqual(err, testCase.expErr) {
 				t.Errorf("StaticPolicy Start() error (%v). expected error: %v but got: %v",
 					testCase.description, testCase.expErr, err)
@@ -644,7 +649,8 @@ func runStaticPolicyTestCase(t *testing.T, testCase staticPolicyTest) {
 	if testCase.reservedCPUs != nil {
 		cpus = testCase.reservedCPUs.Clone()
 	}
-	policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpus, tm, testCase.options)
+	logger, _ := ktesting.NewTestContext(t)
+	policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpus, tm, testCase.options)
 	if err != nil {
 		t.Fatalf("NewStaticPolicy() failed: %v", err)
 	}
@@ -655,7 +661,7 @@ func runStaticPolicyTestCase(t *testing.T, testCase staticPolicyTest) {
 	}
 
 	container := &testCase.pod.Spec.Containers[0]
-	err = policy.Allocate(st, testCase.pod, container)
+	err = policy.Allocate(logger, st, testCase.pod, container)
 	if !reflect.DeepEqual(err, testCase.expErr) {
 		t.Errorf("StaticPolicy Allocate() error (%v). expected add error: %q but got: %q",
 			testCase.description, testCase.expErr, err)
@@ -718,7 +724,8 @@ func TestStaticPolicyReuseCPUs(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
 		if err != nil {
 			t.Fatalf("NewStaticPolicy() failed: %v", err)
 		}
@@ -731,7 +738,7 @@ func TestStaticPolicyReuseCPUs(t *testing.T) {
 
 		// allocate
 		for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
-			policy.Allocate(st, pod, &container)
+			_ = policy.Allocate(logger, st, pod, &container)
 		}
 		if !st.defaultCPUSet.Equals(testCase.expCSetAfterAlloc) {
 			t.Errorf("StaticPolicy Allocate() error (%v). expected default cpuset %s but got %s",
@@ -739,7 +746,7 @@ func TestStaticPolicyReuseCPUs(t *testing.T) {
 		}
 
 		// remove
-		policy.RemoveContainer(st, string(pod.UID), testCase.containerName)
+		_ = policy.RemoveContainer(logger, st, string(pod.UID), testCase.containerName)
 
 		if !st.defaultCPUSet.Equals(testCase.expCSetAfterRemove) {
 			t.Errorf("StaticPolicy RemoveContainer() error (%v). expected default cpuset %sv but got %s",
@@ -774,7 +781,8 @@ func TestStaticPolicyDoNotReuseCPUs(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
 		if err != nil {
 			t.Fatalf("NewStaticPolicy() failed: %v", err)
 		}
@@ -787,7 +795,7 @@ func TestStaticPolicyDoNotReuseCPUs(t *testing.T) {
 
 		// allocate
 		for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
-			err := policy.Allocate(st, pod, &container)
+			err := policy.Allocate(logger, st, pod, &container)
 			if err != nil {
 				t.Errorf("StaticPolicy Allocate() error (%v). expected no error but got %v",
 					testCase.description, err)
@@ -859,7 +867,8 @@ func TestStaticPolicyRemove(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, cpuset.New(), topologymanager.NewFakeManager(), nil)
 		if err != nil {
 			t.Fatalf("NewStaticPolicy() failed: %v", err)
 		}
@@ -869,7 +878,7 @@ func TestStaticPolicyRemove(t *testing.T) {
 			defaultCPUSet: testCase.stDefaultCPUSet,
 		}
 
-		policy.RemoveContainer(st, testCase.podUID, testCase.containerName)
+		_ = policy.RemoveContainer(logger, st, testCase.podUID, testCase.containerName)
 
 		if !st.defaultCPUSet.Equals(testCase.expCSet) {
 			t.Errorf("StaticPolicy RemoveContainer() error (%v). expected default cpuset %s but got %s",
@@ -952,7 +961,8 @@ func TestTopologyAwareAllocateCPUs(t *testing.T) {
 		},
 	}
 	for _, tc := range testCases {
-		p, err := NewStaticPolicy(tc.topo, 0, cpuset.New(), topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		p, err := NewStaticPolicy(logger, tc.topo, 0, cpuset.New(), topologymanager.NewFakeManager(), nil)
 		if err != nil {
 			t.Fatalf("NewStaticPolicy() failed: %v", err)
 		}
@@ -961,13 +971,13 @@ func TestTopologyAwareAllocateCPUs(t *testing.T) {
 			assignments:   tc.stAssignments,
 			defaultCPUSet: tc.stDefaultCPUSet,
 		}
-		err = policy.Start(st)
+		err = policy.Start(logger, st)
 		if err != nil {
 			t.Errorf("StaticPolicy Start() error (%v)", err)
 			continue
 		}
 
-		cpuAlloc, err := policy.allocateCPUs(st, tc.numRequested, tc.socketMask, cpuset.New())
+		cpuAlloc, err := policy.allocateCPUs(klog.Background(), st, tc.numRequested, tc.socketMask, cpuset.New())
 		if err != nil {
 			t.Errorf("StaticPolicy allocateCPUs() error (%v). expected CPUSet %v not error %v",
 				tc.description, tc.expCSet, err)
@@ -1069,12 +1079,14 @@ func TestStaticPolicyStartWithResvList(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
+			logger, _ := ktesting.NewTestContext(t)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.CPUManagerPolicyAlphaOptions, true)
 			wasManaged := managed.IsEnabled()
 			managed.TestOnlySetEnabled(testCase.managementPartition)
 			defer func() {
 				managed.TestOnlySetEnabled(wasManaged)
 			}()
-			p, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), testCase.cpuPolicyOptions)
+			p, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), testCase.cpuPolicyOptions)
 			if !reflect.DeepEqual(err, testCase.expNewErr) {
 				t.Errorf("StaticPolicy Start() error (%v). expected error: %v but got: %v",
 					testCase.description, testCase.expNewErr, err)
@@ -1087,7 +1099,7 @@ func TestStaticPolicyStartWithResvList(t *testing.T) {
 				assignments:   testCase.stAssignments,
 				defaultCPUSet: testCase.stDefaultCPUSet,
 			}
-			err = policy.Start(st)
+			err = policy.Start(logger, st)
 			if !reflect.DeepEqual(err, testCase.expErr) {
 				t.Errorf("StaticPolicy Start() error (%v). expected error: %v but got: %v",
 					testCase.description, testCase.expErr, err)
@@ -1151,7 +1163,8 @@ func TestStaticPolicyAddWithResvList(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), nil)
+		logger, _ := ktesting.NewTestContext(t)
+		policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), nil)
 		if err != nil {
 			t.Fatalf("NewStaticPolicy() failed: %v", err)
 		}
@@ -1162,7 +1175,7 @@ func TestStaticPolicyAddWithResvList(t *testing.T) {
 		}
 
 		container := &testCase.pod.Spec.Containers[0]
-		err = policy.Allocate(st, testCase.pod, container)
+		err = policy.Allocate(logger, st, testCase.pod, container)
 		if !reflect.DeepEqual(err, testCase.expErr) {
 			t.Errorf("StaticPolicy Allocate() error (%v). expected add error: %v but got: %v",
 				testCase.description, testCase.expErr, err)
@@ -1919,7 +1932,8 @@ func TestStaticPolicyAddWithUncoreAlignment(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
-			policy, err := NewStaticPolicy(testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), testCase.cpuPolicyOptions)
+			logger, _ := ktesting.NewTestContext(t)
+			policy, err := NewStaticPolicy(logger, testCase.topo, testCase.numReservedCPUs, testCase.reserved, topologymanager.NewFakeManager(), testCase.cpuPolicyOptions)
 			if err != nil {
 				t.Fatalf("NewStaticPolicy() failed with %v", err)
 			}
@@ -1931,7 +1945,7 @@ func TestStaticPolicyAddWithUncoreAlignment(t *testing.T) {
 
 			for idx := range testCase.pod.Spec.Containers {
 				container := &testCase.pod.Spec.Containers[idx]
-				err := policy.Allocate(st, testCase.pod, container)
+				err := policy.Allocate(logger, st, testCase.pod, container)
 				if err != nil {
 					t.Fatalf("Allocate failed: pod=%q container=%q", testCase.pod.UID, container.Name)
 				}
diff --git a/pkg/kubelet/cm/cpumanager/state/state_checkpoint.go b/pkg/kubelet/cm/cpumanager/state/state_checkpoint.go
index bda90ba1f4ca6..9774bf3728717 100644
--- a/pkg/kubelet/cm/cpumanager/state/state_checkpoint.go
+++ b/pkg/kubelet/cm/cpumanager/state/state_checkpoint.go
@@ -21,6 +21,7 @@ import (
 	"path/filepath"
 	"sync"
 
+	"github.com/go-logr/logr"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/checkpointmanager"
 	"k8s.io/kubernetes/pkg/kubelet/checkpointmanager/errors"
@@ -32,6 +33,7 @@ var _ State = &stateCheckpoint{}
 
 type stateCheckpoint struct {
 	mux               sync.RWMutex
+	logger            logr.Logger
 	policyName        string
 	cache             State
 	checkpointManager checkpointmanager.CheckpointManager
@@ -40,13 +42,17 @@ type stateCheckpoint struct {
 }
 
 // NewCheckpointState creates new State for keeping track of cpu/pod assignment with checkpoint backend
-func NewCheckpointState(stateDir, checkpointName, policyName string, initialContainers containermap.ContainerMap) (State, error) {
+func NewCheckpointState(logger logr.Logger, stateDir, checkpointName, policyName string, initialContainers containermap.ContainerMap) (State, error) {
+	// we store a logger instance because the checkpointmanager code gets no context yet, so it's pointless to add on our outer layer
+	// since we store a checkpoint, we can use the relatively expensive "WithName".
+	logger = klog.LoggerWithName(logger, "CPUManager state checkpoint")
 	checkpointManager, err := checkpointmanager.NewCheckpointManager(stateDir)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize checkpoint manager: %v", err)
 	}
 	stateCheckpoint := &stateCheckpoint{
-		cache:             NewMemoryState(),
+		logger:            logger,
+		cache:             NewMemoryState(logger),
 		policyName:        policyName,
 		checkpointManager: checkpointManager,
 		checkpointName:    checkpointName,
@@ -133,8 +139,8 @@ func (sc *stateCheckpoint) restoreState() error {
 	sc.cache.SetDefaultCPUSet(tmpDefaultCPUSet)
 	sc.cache.SetCPUAssignments(tmpAssignments)
 
-	klog.V(2).InfoS("State checkpoint: restored state from checkpoint")
-	klog.V(2).InfoS("State checkpoint: defaultCPUSet", "defaultCpuSet", tmpDefaultCPUSet.String())
+	sc.logger.V(2).Info("restored state from checkpoint")
+	sc.logger.V(2).Info("defaultCPUSet", "defaultCpuSet", tmpDefaultCPUSet.String())
 
 	return nil
 }
@@ -155,7 +161,7 @@ func (sc *stateCheckpoint) storeState() error {
 
 	err := sc.checkpointManager.CreateCheckpoint(sc.checkpointName, checkpoint)
 	if err != nil {
-		klog.ErrorS(err, "Failed to save checkpoint")
+		sc.logger.Error(err, "Failed to save checkpoint")
 		return err
 	}
 	return nil
@@ -201,7 +207,7 @@ func (sc *stateCheckpoint) SetCPUSet(podUID string, containerName string, cset c
 	sc.cache.SetCPUSet(podUID, containerName, cset)
 	err := sc.storeState()
 	if err != nil {
-		klog.ErrorS(err, "Failed to store state to checkpoint", "podUID", podUID, "containerName", containerName)
+		sc.logger.Error(err, "Failed to store state to checkpoint", "podUID", podUID, "containerName", containerName)
 	}
 }
 
@@ -212,7 +218,7 @@ func (sc *stateCheckpoint) SetDefaultCPUSet(cset cpuset.CPUSet) {
 	sc.cache.SetDefaultCPUSet(cset)
 	err := sc.storeState()
 	if err != nil {
-		klog.ErrorS(err, "Failed to store state to checkpoint")
+		sc.logger.Error(err, "Failed to store state to checkpoint")
 	}
 }
 
@@ -223,7 +229,7 @@ func (sc *stateCheckpoint) SetCPUAssignments(a ContainerCPUAssignments) {
 	sc.cache.SetCPUAssignments(a)
 	err := sc.storeState()
 	if err != nil {
-		klog.ErrorS(err, "Failed to store state to checkpoint")
+		sc.logger.Error(err, "Failed to store state to checkpoint")
 	}
 }
 
@@ -234,7 +240,7 @@ func (sc *stateCheckpoint) Delete(podUID string, containerName string) {
 	sc.cache.Delete(podUID, containerName)
 	err := sc.storeState()
 	if err != nil {
-		klog.ErrorS(err, "Failed to store state to checkpoint", "podUID", podUID, "containerName", containerName)
+		sc.logger.Error(err, "Failed to store state to checkpoint", "podUID", podUID, "containerName", containerName)
 	}
 }
 
@@ -245,6 +251,6 @@ func (sc *stateCheckpoint) ClearState() {
 	sc.cache.ClearState()
 	err := sc.storeState()
 	if err != nil {
-		klog.ErrorS(err, "Failed to store state to checkpoint")
+		sc.logger.Error(err, "Failed to store state to checkpoint")
 	}
 }
diff --git a/pkg/kubelet/cm/cpumanager/state/state_checkpoint_test.go b/pkg/kubelet/cm/cpumanager/state/state_checkpoint_test.go
index 3cb0ab9eb0fb8..458419fe1e43f 100644
--- a/pkg/kubelet/cm/cpumanager/state/state_checkpoint_test.go
+++ b/pkg/kubelet/cm/cpumanager/state/state_checkpoint_test.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/checkpointmanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/containermap"
 	testutil "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/cpuset"
 )
 
@@ -219,7 +220,8 @@ func TestCheckpointStateRestore(t *testing.T) {
 				require.NoErrorf(t, err, "could not create testing checkpoint: %v", err)
 			}
 
-			restoredState, err := NewCheckpointState(testingDir, testingCheckpoint, tc.policyName, tc.initialContainers)
+			logger, _ := ktesting.NewTestContext(t)
+			restoredState, err := NewCheckpointState(logger, testingDir, testingCheckpoint, tc.policyName, tc.initialContainers)
 			if strings.TrimSpace(tc.expectedError) == "" {
 				require.NoError(t, err)
 			} else {
@@ -273,7 +275,8 @@ func TestCheckpointStateStore(t *testing.T) {
 			// ensure there is no previous checkpoint
 			cpm.RemoveCheckpoint(testingCheckpoint)
 
-			cs1, err := NewCheckpointState(testingDir, testingCheckpoint, "none", nil)
+			logger, _ := ktesting.NewTestContext(t)
+			cs1, err := NewCheckpointState(logger, testingDir, testingCheckpoint, "none", nil)
 			if err != nil {
 				t.Fatalf("could not create testing checkpointState instance: %v", err)
 			}
@@ -283,7 +286,7 @@ func TestCheckpointStateStore(t *testing.T) {
 			cs1.SetCPUAssignments(tc.expectedState.assignments)
 
 			// restore checkpoint with previously stored values
-			cs2, err := NewCheckpointState(testingDir, testingCheckpoint, "none", nil)
+			cs2, err := NewCheckpointState(logger, testingDir, testingCheckpoint, "none", nil)
 			if err != nil {
 				t.Fatalf("could not create testing checkpointState instance: %v", err)
 			}
@@ -346,7 +349,8 @@ func TestCheckpointStateHelpers(t *testing.T) {
 			// ensure there is no previous checkpoint
 			cpm.RemoveCheckpoint(testingCheckpoint)
 
-			state, err := NewCheckpointState(testingDir, testingCheckpoint, "none", nil)
+			logger, _ := ktesting.NewTestContext(t)
+			state, err := NewCheckpointState(logger, testingDir, testingCheckpoint, "none", nil)
 			if err != nil {
 				t.Fatalf("could not create testing checkpointState instance: %v", err)
 			}
@@ -395,7 +399,8 @@ func TestCheckpointStateClear(t *testing.T) {
 			}
 			defer os.RemoveAll(testingDir)
 
-			state, err := NewCheckpointState(testingDir, testingCheckpoint, "none", nil)
+			logger, _ := ktesting.NewTestContext(t)
+			state, err := NewCheckpointState(logger, testingDir, testingCheckpoint, "none", nil)
 			if err != nil {
 				t.Fatalf("could not create testing checkpointState instance: %v", err)
 			}
diff --git a/pkg/kubelet/cm/cpumanager/state/state_mem.go b/pkg/kubelet/cm/cpumanager/state/state_mem.go
index cb01ea92609b0..3da3c1a8d311b 100644
--- a/pkg/kubelet/cm/cpumanager/state/state_mem.go
+++ b/pkg/kubelet/cm/cpumanager/state/state_mem.go
@@ -19,12 +19,14 @@ package state
 import (
 	"sync"
 
+	"github.com/go-logr/logr"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/cpuset"
 )
 
 type stateMemory struct {
 	sync.RWMutex
+	logger        logr.Logger
 	assignments   ContainerCPUAssignments
 	defaultCPUSet cpuset.CPUSet
 }
@@ -32,9 +34,13 @@ type stateMemory struct {
 var _ State = &stateMemory{}
 
 // NewMemoryState creates new State for keeping track of cpu/pod assignment
-func NewMemoryState() State {
-	klog.InfoS("Initialized new in-memory state store")
+func NewMemoryState(logger logr.Logger) State {
+	// we store a logger instance to be consistent with the CheckpointState interface (see comments there)
+	// since we store a checkpoint, we can use the relatively expensive "WithName".
+	logger = klog.LoggerWithName(logger, "CPUManager state memory")
+	logger.Info("Initialized")
 	return &stateMemory{
+		logger:        logger,
 		assignments:   ContainerCPUAssignments{},
 		defaultCPUSet: cpuset.New(),
 	}
@@ -77,7 +83,7 @@ func (s *stateMemory) SetCPUSet(podUID string, containerName string, cset cpuset
 	}
 
 	s.assignments[podUID][containerName] = cset
-	klog.InfoS("Updated desired CPUSet", "podUID", podUID, "containerName", containerName, "cpuSet", cset)
+	s.logger.Info("Updated desired CPUSet", "podUID", podUID, "containerName", containerName, "cpuSet", cset)
 }
 
 func (s *stateMemory) SetDefaultCPUSet(cset cpuset.CPUSet) {
@@ -85,7 +91,7 @@ func (s *stateMemory) SetDefaultCPUSet(cset cpuset.CPUSet) {
 	defer s.Unlock()
 
 	s.defaultCPUSet = cset
-	klog.InfoS("Updated default CPUSet", "cpuSet", cset)
+	s.logger.Info("Updated default CPUSet", "cpuSet", cset)
 }
 
 func (s *stateMemory) SetCPUAssignments(a ContainerCPUAssignments) {
@@ -93,7 +99,7 @@ func (s *stateMemory) SetCPUAssignments(a ContainerCPUAssignments) {
 	defer s.Unlock()
 
 	s.assignments = a.Clone()
-	klog.InfoS("Updated CPUSet assignments", "assignments", a)
+	s.logger.Info("Updated CPUSet assignments", "assignments", a)
 }
 
 func (s *stateMemory) Delete(podUID string, containerName string) {
@@ -104,7 +110,7 @@ func (s *stateMemory) Delete(podUID string, containerName string) {
 	if len(s.assignments[podUID]) == 0 {
 		delete(s.assignments, podUID)
 	}
-	klog.V(2).InfoS("Deleted CPUSet assignment", "podUID", podUID, "containerName", containerName)
+	s.logger.V(2).Info("Deleted CPUSet assignment", "podUID", podUID, "containerName", containerName)
 }
 
 func (s *stateMemory) ClearState() {
@@ -113,5 +119,5 @@ func (s *stateMemory) ClearState() {
 
 	s.defaultCPUSet = cpuset.CPUSet{}
 	s.assignments = make(ContainerCPUAssignments)
-	klog.V(2).InfoS("Cleared state")
+	s.logger.V(2).Info("Cleared state")
 }
diff --git a/pkg/kubelet/cm/cpumanager/topology/topology.go b/pkg/kubelet/cm/cpumanager/topology/topology.go
index 36291e6f5af44..5ea67397aad20 100644
--- a/pkg/kubelet/cm/cpumanager/topology/topology.go
+++ b/pkg/kubelet/cm/cpumanager/topology/topology.go
@@ -19,8 +19,8 @@ package topology
 import (
 	"fmt"
 
+	"github.com/go-logr/logr"
 	cadvisorapi "github.com/google/cadvisor/info/v1"
-	"k8s.io/klog/v2"
 	"k8s.io/utils/cpuset"
 )
 
@@ -338,7 +338,7 @@ func getUncoreCacheID(core cadvisorapi.Core) int {
 }
 
 // Discover returns CPUTopology based on cadvisor node info
-func Discover(machineInfo *cadvisorapi.MachineInfo) (*CPUTopology, error) {
+func Discover(logger logr.Logger, machineInfo *cadvisorapi.MachineInfo) (*CPUTopology, error) {
 	if machineInfo.NumCores == 0 {
 		return nil, fmt.Errorf("could not detect number of cpus")
 	}
@@ -359,7 +359,7 @@ func Discover(machineInfo *cadvisorapi.MachineInfo) (*CPUTopology, error) {
 					}
 				}
 			} else {
-				klog.ErrorS(nil, "Could not get unique coreID for socket", "socket", core.SocketID, "core", core.Id, "threads", core.Threads)
+				logger.Info("Could not get unique coreID for socket", "socket", core.SocketID, "core", core.Id, "threads", core.Threads)
 				return nil, err
 			}
 		}
diff --git a/pkg/kubelet/cm/cpumanager/topology/topology_test.go b/pkg/kubelet/cm/cpumanager/topology/topology_test.go
index b4f14547e5aab..fb02a4702acb4 100644
--- a/pkg/kubelet/cm/cpumanager/topology/topology_test.go
+++ b/pkg/kubelet/cm/cpumanager/topology/topology_test.go
@@ -20,8 +20,10 @@ import (
 	"reflect"
 	"testing"
 
-	cadvisorapi "github.com/google/cadvisor/info/v1"
 	"github.com/google/go-cmp/cmp"
+
+	cadvisorapi "github.com/google/cadvisor/info/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/cpuset"
 )
 
@@ -818,9 +820,11 @@ func Test_Discover(t *testing.T) {
 			wantErr: false,
 		},
 	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Discover(&tt.machineInfo)
+			logger, _ := ktesting.NewTestContext(t)
+			got, err := Discover(logger, &tt.machineInfo)
 			if err != nil {
 				if tt.wantErr {
 					t.Logf("Discover() expected error = %v", err)
diff --git a/pkg/kubelet/cm/cpumanager/topology_hints_test.go b/pkg/kubelet/cm/cpumanager/topology_hints_test.go
index 4773c779a677a..166b86db0530d 100644
--- a/pkg/kubelet/cm/cpumanager/topology_hints_test.go
+++ b/pkg/kubelet/cm/cpumanager/topology_hints_test.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/topology"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/bitmask"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/cpuset"
 )
 
@@ -73,6 +74,7 @@ type containerOptions struct {
 }
 
 func TestPodGuaranteedCPUs(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	options := [][]*containerOptions{
 		{
 			{request: "0", limit: "0"},
@@ -200,7 +202,7 @@ func TestPodGuaranteedCPUs(t *testing.T) {
 	}
 	for _, tc := range tcases {
 		t.Run(tc.name, func(t *testing.T) {
-			requestedCPU := p.podGuaranteedCPUs(tc.pod)
+			requestedCPU := p.podGuaranteedCPUs(logger, tc.pod)
 
 			if requestedCPU != tc.expectedCPU {
 				t.Errorf("Expected in result to be %v , got %v", tc.expectedCPU, requestedCPU)
@@ -210,12 +212,13 @@ func TestPodGuaranteedCPUs(t *testing.T) {
 }
 
 func TestGetTopologyHints(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 
 	for _, tc := range returnTestCases() {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodLevelResources, tc.podLevelResourcesEnabled)
 
-		topology, _ := topology.Discover(&machineInfo)
+		topology, _ := topology.Discover(logger, &machineInfo)
 
 		var activePods []*v1.Pod
 		for p := range tc.assignments {
@@ -260,12 +263,13 @@ func TestGetTopologyHints(t *testing.T) {
 }
 
 func TestGetPodTopologyHints(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 
 	for _, tc := range returnTestCases() {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodLevelResources, tc.podLevelResourcesEnabled)
 
-		topology, _ := topology.Discover(&machineInfo)
+		topology, _ := topology.Discover(logger, &machineInfo)
 
 		var activePods []*v1.Pod
 		for p := range tc.assignments {
diff --git a/pkg/kubelet/cm/devicemanager/endpoint.go b/pkg/kubelet/cm/devicemanager/endpoint.go
index 3157581287959..f9f0f2845be85 100644
--- a/pkg/kubelet/cm/devicemanager/endpoint.go
+++ b/pkg/kubelet/cm/devicemanager/endpoint.go
@@ -30,9 +30,9 @@ import (
 // for managing gRPC communications with the device plugin and caching
 // device states reported by the device plugin.
 type endpoint interface {
-	getPreferredAllocation(available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error)
-	allocate(devs []string) (*pluginapi.AllocateResponse, error)
-	preStartContainer(devs []string) (*pluginapi.PreStartContainerResponse, error)
+	getPreferredAllocation(ctx context.Context, available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error)
+	allocate(ctx context.Context, devs []string) (*pluginapi.AllocateResponse, error)
+	preStartContainer(ctx context.Context, devs []string) (*pluginapi.PreStartContainerResponse, error)
 	setStopTime(t time.Time)
 	isStopped() bool
 	stopGracePeriodExpired() bool
@@ -83,11 +83,11 @@ func (e *endpointImpl) setStopTime(t time.Time) {
 }
 
 // getPreferredAllocation issues GetPreferredAllocation gRPC call to the device plugin.
-func (e *endpointImpl) getPreferredAllocation(available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error) {
+func (e *endpointImpl) getPreferredAllocation(ctx context.Context, available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error) {
 	if e.isStopped() {
 		return nil, fmt.Errorf(errEndpointStopped, e)
 	}
-	return e.api.GetPreferredAllocation(context.Background(), &pluginapi.PreferredAllocationRequest{
+	return e.api.GetPreferredAllocation(ctx, &pluginapi.PreferredAllocationRequest{
 		ContainerRequests: []*pluginapi.ContainerPreferredAllocationRequest{
 			{
 				AvailableDeviceIDs:   available,
@@ -99,11 +99,11 @@ func (e *endpointImpl) getPreferredAllocation(available, mustInclude []string, s
 }
 
 // allocate issues Allocate gRPC call to the device plugin.
-func (e *endpointImpl) allocate(devs []string) (*pluginapi.AllocateResponse, error) {
+func (e *endpointImpl) allocate(ctx context.Context, devs []string) (*pluginapi.AllocateResponse, error) {
 	if e.isStopped() {
 		return nil, fmt.Errorf(errEndpointStopped, e)
 	}
-	return e.api.Allocate(context.Background(), &pluginapi.AllocateRequest{
+	return e.api.Allocate(ctx, &pluginapi.AllocateRequest{
 		ContainerRequests: []*pluginapi.ContainerAllocateRequest{
 			{DevicesIds: devs},
 		},
@@ -111,11 +111,11 @@ func (e *endpointImpl) allocate(devs []string) (*pluginapi.AllocateResponse, err
 }
 
 // preStartContainer issues PreStartContainer gRPC call to the device plugin.
-func (e *endpointImpl) preStartContainer(devs []string) (*pluginapi.PreStartContainerResponse, error) {
+func (e *endpointImpl) preStartContainer(ctx context.Context, devs []string) (*pluginapi.PreStartContainerResponse, error) {
 	if e.isStopped() {
 		return nil, fmt.Errorf(errEndpointStopped, e)
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), pluginapi.KubeletPreStartContainerRPCTimeoutInSecs*time.Second)
+	ctx, cancel := context.WithTimeout(ctx, pluginapi.KubeletPreStartContainerRPCTimeoutInSecs*time.Second)
 	defer cancel()
 	return e.api.PreStartContainer(ctx, &pluginapi.PreStartContainerRequest{
 		DevicesIds: devs,
diff --git a/pkg/kubelet/cm/devicemanager/endpoint_test.go b/pkg/kubelet/cm/devicemanager/endpoint_test.go
index 530ccd3bd3a88..726dd7f43422a 100644
--- a/pkg/kubelet/cm/devicemanager/endpoint_test.go
+++ b/pkg/kubelet/cm/devicemanager/endpoint_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package devicemanager
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -27,20 +28,22 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/proto"
 
+	"k8s.io/klog/v2"
 	pluginapi "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	plugin "k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/plugin/v1beta1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 // monitorCallback is the function called when a device's health state changes,
 // or new devices are reported, or old devices are deleted.
 // Updated contains the most recent state of the Device.
-type monitorCallback func(resourceName string, devices []*pluginapi.Device)
+type monitorCallback func(logger klog.Logger, resourceName string, devices []*pluginapi.Device)
 
 func newMockPluginManager() *mockPluginManager {
 	return &mockPluginManager{
 		func(string) error { return nil },
 		func(string, plugin.DevicePlugin) error { return nil },
-		func(string) {},
+		func(klog.Logger, string) {},
 		func(string, *pluginapi.ListAndWatchResponse) {},
 	}
 }
@@ -48,7 +51,7 @@ func newMockPluginManager() *mockPluginManager {
 type mockPluginManager struct {
 	cleanupPluginDirectory     func(string) error
 	pluginConnected            func(string, plugin.DevicePlugin) error
-	pluginDisconnected         func(string)
+	pluginDisconnected         func(klog.Logger, string)
 	pluginListAndWatchReceiver func(string, *pluginapi.ListAndWatchResponse)
 }
 
@@ -56,15 +59,15 @@ func (m *mockPluginManager) CleanupPluginDirectory(r string) error {
 	return m.cleanupPluginDirectory(r)
 }
 
-func (m *mockPluginManager) PluginConnected(r string, p plugin.DevicePlugin) error {
+func (m *mockPluginManager) PluginConnected(_ context.Context, r string, p plugin.DevicePlugin) error {
 	return m.pluginConnected(r, p)
 }
 
-func (m *mockPluginManager) PluginDisconnected(r string) {
-	m.pluginDisconnected(r)
+func (m *mockPluginManager) PluginDisconnected(logger klog.Logger, r string) {
+	m.pluginDisconnected(logger, r)
 }
 
-func (m *mockPluginManager) PluginListAndWatchReceiver(r string, lr *pluginapi.ListAndWatchResponse) {
+func (m *mockPluginManager) PluginListAndWatchReceiver(_ klog.Logger, r string, lr *pluginapi.ListAndWatchResponse) {
 	m.pluginListAndWatchReceiver(r, lr)
 }
 
@@ -73,17 +76,22 @@ func esocketName() string {
 }
 
 func TestNewEndpoint(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socket := filepath.Join(os.TempDir(), esocketName())
 
 	devs := []*pluginapi.Device{
 		{ID: "ADeviceId", Health: pluginapi.Healthy},
 	}
 
-	p, e := esetup(t, devs, socket, "mock", func(n string, d []*pluginapi.Device) {})
-	defer ecleanup(t, p, e)
+	p, e := esetup(tCtx, t, devs, socket, "mock", func(logger klog.Logger, n string, d []*pluginapi.Device) {})
+	defer func() {
+		err := ecleanup(logger, p, e)
+		require.NoError(t, err)
+	}()
 }
 
 func TestRun(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socket := filepath.Join(os.TempDir(), esocketName())
 
 	devs := []*pluginapi.Device{
@@ -100,7 +108,7 @@ func TestRun(t *testing.T) {
 
 	callbackCount := 0
 	callbackChan := make(chan int)
-	callback := func(n string, devices []*pluginapi.Device) {
+	callback := func(_ klog.Logger, n string, devices []*pluginapi.Device) {
 		// Should be called twice:
 		// one for plugin registration, one for plugin update.
 		if callbackCount > 2 {
@@ -133,10 +141,13 @@ func TestRun(t *testing.T) {
 		callbackChan <- callbackCount
 	}
 
-	p, e := esetup(t, devs, socket, "mock", callback)
-	defer ecleanup(t, p, e)
+	p, e := esetup(tCtx, t, devs, socket, "mock", callback)
+	defer func() {
+		err := ecleanup(logger, p, e)
+		require.NoError(t, err)
+	}()
 
-	go e.client.Run()
+	go e.client.Run(tCtx)
 	// Wait for the first callback to be issued.
 	<-callbackChan
 
@@ -149,17 +160,21 @@ func TestRun(t *testing.T) {
 }
 
 func TestAllocate(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socket := filepath.Join(os.TempDir(), esocketName())
 	devs := []*pluginapi.Device{
 		{ID: "ADeviceId", Health: pluginapi.Healthy},
 	}
 	callbackCount := 0
 	callbackChan := make(chan int)
-	p, e := esetup(t, devs, socket, "mock", func(n string, d []*pluginapi.Device) {
+	p, e := esetup(tCtx, t, devs, socket, "mock", func(_ klog.Logger, n string, d []*pluginapi.Device) {
 		callbackCount++
 		callbackChan <- callbackCount
 	})
-	defer ecleanup(t, p, e)
+	defer func() {
+		err := ecleanup(logger, p, e)
+		require.NoError(t, err)
+	}()
 
 	resp := new(pluginapi.AllocateResponse)
 	contResp := new(pluginapi.ContainerAllocateResponse)
@@ -187,7 +202,7 @@ func TestAllocate(t *testing.T) {
 		return resp, nil
 	})
 
-	go e.client.Run()
+	go e.client.Run(tCtx)
 	// Wait for the callback to be issued.
 	select {
 	case <-callbackChan:
@@ -196,20 +211,24 @@ func TestAllocate(t *testing.T) {
 		t.FailNow()
 	}
 
-	respOut, err := e.allocate([]string{"ADeviceId"})
+	respOut, err := e.allocate(tCtx, []string{"ADeviceId"})
 	require.NoError(t, err)
 	require.True(t, proto.Equal(resp, respOut))
 }
 
 func TestGetPreferredAllocation(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socket := filepath.Join(os.TempDir(), esocketName())
 	callbackCount := 0
 	callbackChan := make(chan int)
-	p, e := esetup(t, []*pluginapi.Device{}, socket, "mock", func(n string, d []*pluginapi.Device) {
+	p, e := esetup(tCtx, t, []*pluginapi.Device{}, socket, "mock", func(_ klog.Logger, n string, d []*pluginapi.Device) {
 		callbackCount++
 		callbackChan <- callbackCount
 	})
-	defer ecleanup(t, p, e)
+	defer func() {
+		err := ecleanup(logger, p, e)
+		require.NoError(t, err)
+	}()
 
 	resp := &pluginapi.PreferredAllocationResponse{
 		ContainerResponses: []*pluginapi.ContainerPreferredAllocationResponse{
@@ -221,7 +240,7 @@ func TestGetPreferredAllocation(t *testing.T) {
 		return resp, nil
 	})
 
-	go e.client.Run()
+	go e.client.Run(tCtx)
 	// Wait for the callback to be issued.
 	select {
 	case <-callbackChan:
@@ -230,12 +249,13 @@ func TestGetPreferredAllocation(t *testing.T) {
 		t.FailNow()
 	}
 
-	respOut, err := e.getPreferredAllocation([]string{}, []string{}, -1)
+	respOut, err := e.getPreferredAllocation(tCtx, []string{}, []string{}, -1)
 	require.NoError(t, err)
 	require.True(t, proto.Equal(resp, respOut))
 }
 
-func esetup(t *testing.T, devs []*pluginapi.Device, socket, resourceName string, callback monitorCallback) (*plugin.Stub, *endpointImpl) {
+func esetup(ctx context.Context, t *testing.T, devs []*pluginapi.Device, socket, resourceName string, callback monitorCallback) (*plugin.Stub, *endpointImpl) {
+	logger := klog.FromContext(ctx)
 	m := newMockPluginManager()
 
 	m.pluginListAndWatchReceiver = func(r string, resp *pluginapi.ListAndWatchResponse) {
@@ -243,7 +263,7 @@ func esetup(t *testing.T, devs []*pluginapi.Device, socket, resourceName string,
 		for _, d := range resp.Devices {
 			newDevs = append(newDevs, d)
 		}
-		callback(resourceName, newDevs)
+		callback(klog.FromContext(ctx), resourceName, newDevs)
 	}
 
 	var dp plugin.DevicePlugin
@@ -255,12 +275,12 @@ func esetup(t *testing.T, devs []*pluginapi.Device, socket, resourceName string,
 		return nil
 	}
 
-	p := plugin.NewDevicePluginStub(devs, socket, resourceName, false, false)
-	err := p.Start()
+	p := plugin.NewDevicePluginStub(logger, devs, socket, resourceName, false, false)
+	err := p.Start(ctx)
 	require.NoError(t, err)
 
 	c := plugin.NewPluginClient(resourceName, socket, m)
-	err = c.Connect()
+	err = c.Connect(ctx)
 	require.NoError(t, err)
 
 	wg.Wait()
@@ -268,14 +288,16 @@ func esetup(t *testing.T, devs []*pluginapi.Device, socket, resourceName string,
 	e := newEndpointImpl(dp)
 	e.client = c
 
-	m.pluginDisconnected = func(r string) {
+	m.pluginDisconnected = func(logger klog.Logger, r string) {
 		e.setStopTime(time.Now())
 	}
 
 	return p, e
 }
 
-func ecleanup(t *testing.T, p *plugin.Stub, e *endpointImpl) {
-	p.Stop()
-	e.client.Disconnect()
+func ecleanup(logger klog.Logger, p *plugin.Stub, e *endpointImpl) error {
+	if err := p.Stop(logger); err != nil {
+		return err
+	}
+	return e.client.Disconnect(logger)
 }
diff --git a/pkg/kubelet/cm/devicemanager/manager.go b/pkg/kubelet/cm/devicemanager/manager.go
index 8074fa18e4116..166de0ccf7f84 100644
--- a/pkg/kubelet/cm/devicemanager/manager.go
+++ b/pkg/kubelet/cm/devicemanager/manager.go
@@ -130,15 +130,18 @@ func (s *sourcesReadyStub) AllReady() bool          { return true }
 
 // NewManagerImpl creates a new manager.
 func NewManagerImpl(topology []cadvisorapi.Node, topologyAffinityStore topologymanager.Store) (*ManagerImpl, error) {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	socketPath := pluginapi.KubeletSocket
 	if runtime.GOOS == "windows" {
 		socketPath = os.Getenv("SYSTEMDRIVE") + pluginapi.KubeletSocketWindows
 	}
-	return newManagerImpl(socketPath, topology, topologyAffinityStore)
+	return newManagerImpl(logger, socketPath, topology, topologyAffinityStore)
 }
 
-func newManagerImpl(socketPath string, topology []cadvisorapi.Node, topologyAffinityStore topologymanager.Store) (*ManagerImpl, error) {
-	klog.V(2).InfoS("Creating Device Plugin manager", "path", socketPath)
+func newManagerImpl(logger klog.Logger, socketPath string, topology []cadvisorapi.Node, topologyAffinityStore topologymanager.Store) (*ManagerImpl, error) {
+	logger.V(2).Info("Creating Device Plugin manager", "path", socketPath)
 
 	var numaNodes []int
 	for _, node := range topology {
@@ -159,7 +162,7 @@ func newManagerImpl(socketPath string, topology []cadvisorapi.Node, topologyAffi
 		update:                make(chan resourceupdates.Update, 100),
 	}
 
-	server, err := plugin.NewServer(socketPath, manager, manager)
+	server, err := plugin.NewServer(logger, socketPath, manager, manager)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create plugin server: %v", err)
 	}
@@ -186,7 +189,7 @@ func (m *ManagerImpl) Updates() <-chan resourceupdates.Update {
 
 // CleanupPluginDirectory is to remove all existing unix sockets
 // from /var/lib/kubelet/device-plugins on Device Plugin Manager start
-func (m *ManagerImpl) CleanupPluginDirectory(dir string) error {
+func (m *ManagerImpl) CleanupPluginDirectory(logger klog.Logger, dir string) error {
 	d, err := os.Open(dir)
 	if err != nil {
 		return err
@@ -204,7 +207,7 @@ func (m *ManagerImpl) CleanupPluginDirectory(dir string) error {
 		}
 		stat, err := os.Stat(filePath)
 		if err != nil {
-			klog.ErrorS(err, "Failed to stat file", "path", filePath)
+			logger.Error(err, "Failed to stat file", "path", filePath)
 			continue
 		}
 		if stat.IsDir() || stat.Mode()&os.ModeSocket == 0 {
@@ -213,7 +216,7 @@ func (m *ManagerImpl) CleanupPluginDirectory(dir string) error {
 		err = os.RemoveAll(filePath)
 		if err != nil {
 			errs = append(errs, err)
-			klog.ErrorS(err, "Failed to remove file", "path", filePath)
+			logger.Error(err, "Failed to remove file", "path", filePath)
 			continue
 		}
 	}
@@ -222,8 +225,9 @@ func (m *ManagerImpl) CleanupPluginDirectory(dir string) error {
 
 // PluginConnected is to connect a plugin to a new endpoint.
 // This is done as part of device plugin registration.
-func (m *ManagerImpl) PluginConnected(resourceName string, p plugin.DevicePlugin) error {
-	options, err := p.API().GetDevicePluginOptions(context.Background(), &pluginapi.Empty{})
+func (m *ManagerImpl) PluginConnected(ctx context.Context, resourceName string, p plugin.DevicePlugin) error {
+	logger := klog.FromContext(ctx)
+	options, err := p.API().GetDevicePluginOptions(ctx, &pluginapi.Empty{})
 	if err != nil {
 		return fmt.Errorf("failed to get device plugin options: %v", err)
 	}
@@ -234,19 +238,19 @@ func (m *ManagerImpl) PluginConnected(resourceName string, p plugin.DevicePlugin
 	defer m.mutex.Unlock()
 	m.endpoints[resourceName] = endpointInfo{e, options}
 
-	klog.V(2).InfoS("Device plugin connected", "resourceName", resourceName)
+	logger.V(2).Info("Device plugin connected", "resourceName", resourceName)
 	return nil
 }
 
 // PluginDisconnected is to disconnect a plugin from an endpoint.
 // This is done as part of device plugin deregistration.
-func (m *ManagerImpl) PluginDisconnected(resourceName string) {
+func (m *ManagerImpl) PluginDisconnected(logger klog.Logger, resourceName string) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
 	if ep, exists := m.endpoints[resourceName]; exists {
-		m.markResourceUnhealthy(resourceName)
-		klog.V(2).InfoS("Endpoint became unhealthy", "resourceName", resourceName, "endpoint", ep)
+		m.markResourceUnhealthy(logger, resourceName)
+		logger.V(2).Info("Endpoint became unhealthy", "resourceName", resourceName, "endpoint", ep)
 
 		ep.e.setStopTime(time.Now())
 	}
@@ -256,11 +260,11 @@ func (m *ManagerImpl) PluginDisconnected(resourceName string) {
 // and ensures that an upto date state (e.g. number of devices and device health)
 // is captured. Also, registered device and device to container allocation
 // information is checkpointed to the disk.
-func (m *ManagerImpl) PluginListAndWatchReceiver(resourceName string, resp *pluginapi.ListAndWatchResponse) {
-	m.genericDeviceUpdateCallback(resourceName, resp.Devices)
+func (m *ManagerImpl) PluginListAndWatchReceiver(logger klog.Logger, resourceName string, resp *pluginapi.ListAndWatchResponse) {
+	m.genericDeviceUpdateCallback(logger, resourceName, resp.Devices)
 }
 
-func (m *ManagerImpl) genericDeviceUpdateCallback(resourceName string, devices []*pluginapi.Device) {
+func (m *ManagerImpl) genericDeviceUpdateCallback(logger klog.Logger, resourceName string, devices []*pluginapi.Device) {
 	healthyCount := 0
 	m.mutex.Lock()
 	m.healthyDevices[resourceName] = sets.New[string]()
@@ -304,15 +308,15 @@ func (m *ManagerImpl) genericDeviceUpdateCallback(resourceName string, devices [
 			select {
 			case m.update <- resourceupdates.Update{PodUIDs: podsToUpdate.UnsortedList()}:
 			default:
-				klog.ErrorS(goerrors.New("device update channel is full"), "discard pods info", "podsToUpdate", podsToUpdate.UnsortedList())
+				logger.Error(goerrors.New("device update channel is full"), "discard pods info", "podsToUpdate", podsToUpdate.UnsortedList())
 			}
 		}
 	}
 
-	if err := m.writeCheckpoint(); err != nil {
-		klog.ErrorS(err, "Writing checkpoint encountered")
+	if err := m.writeCheckpoint(logger); err != nil {
+		logger.Error(err, "Writing checkpoint encountered")
 	}
-	klog.V(2).InfoS("Processed device updates for resource", "resourceName", resourceName, "totalCount", len(devices), "healthyCount", healthyCount)
+	logger.V(2).Info("Processed device updates for resource", "resourceName", resourceName, "totalCount", len(devices), "healthyCount", healthyCount)
 }
 
 // GetWatcherHandler returns the plugin handler
@@ -333,8 +337,8 @@ func (m *ManagerImpl) checkpointFile() string {
 // Start starts the Device Plugin Manager and start initialization of
 // podDevices and allocatedDevices information from checkpointed state and
 // starts device plugin registration service.
-func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.SourcesReady, initialContainers containermap.ContainerMap, initialContainerRunningSet sets.Set[string]) error {
-	klog.V(2).InfoS("Starting Device Plugin manager")
+func (m *ManagerImpl) Start(logger klog.Logger, activePods ActivePodsFunc, sourcesReady config.SourcesReady, initialContainers containermap.ContainerMap, initialContainerRunningSet sets.Set[string]) error {
+	logger.V(2).Info("Starting Device Plugin manager")
 
 	m.activePods = activePods
 	m.sourcesReady = sourcesReady
@@ -342,24 +346,27 @@ func (m *ManagerImpl) Start(activePods ActivePodsFunc, sourcesReady config.Sourc
 	m.containerRunningSet = initialContainerRunningSet
 
 	// Loads in allocatedDevices information from disk.
-	err := m.readCheckpoint()
+	err := m.readCheckpoint(logger)
 	if err != nil {
-		klog.ErrorS(err, "Continue after failing to read checkpoint file. Device allocation info may NOT be up-to-date")
+		logger.Error(err, "Continue after failing to read checkpoint file. Device allocation info may NOT be up-to-date")
 	}
 
-	return m.server.Start()
+	return m.server.Start(logger)
 }
 
 // Stop is the function that can stop the plugin server.
 // Can be called concurrently, more than once, and is safe to call
 // without a prior Start.
-func (m *ManagerImpl) Stop() error {
-	return m.server.Stop()
+func (m *ManagerImpl) Stop(logger klog.Logger) error {
+	return m.server.Stop(logger)
 }
 
 // Allocate is the call that you can use to allocate a set of devices
 // from the registered device plugins.
 func (m *ManagerImpl) Allocate(pod *v1.Pod, container *v1.Container) error {
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
 	if _, ok := m.devicesToReuse[string(pod.UID)]; !ok {
 		m.devicesToReuse[string(pod.UID)] = make(map[string]sets.Set[string])
 	}
@@ -374,7 +381,8 @@ func (m *ManagerImpl) Allocate(pod *v1.Pod, container *v1.Container) error {
 	// ever change those semantics, this logic will need to be amended.
 	for _, initContainer := range pod.Spec.InitContainers {
 		if container.Name == initContainer.Name {
-			if err := m.allocateContainerResources(pod, container, m.devicesToReuse[string(pod.UID)]); err != nil {
+
+			if err := m.allocateContainerResources(ctx, pod, container, m.devicesToReuse[string(pod.UID)]); err != nil {
 				return err
 			}
 			if !podutil.IsRestartableInitContainer(&initContainer) {
@@ -388,7 +396,7 @@ func (m *ManagerImpl) Allocate(pod *v1.Pod, container *v1.Container) error {
 			return nil
 		}
 	}
-	if err := m.allocateContainerResources(pod, container, m.devicesToReuse[string(pod.UID)]); err != nil {
+	if err := m.allocateContainerResources(ctx, pod, container, m.devicesToReuse[string(pod.UID)]); err != nil {
 		return err
 	}
 	m.podDevices.removeContainerAllocatedResources(string(pod.UID), container.Name, m.devicesToReuse[string(pod.UID)])
@@ -408,8 +416,8 @@ func (m *ManagerImpl) UpdatePluginResources(node *schedulerframework.NodeInfo, a
 	return nil
 }
 
-func (m *ManagerImpl) markResourceUnhealthy(resourceName string) {
-	klog.V(2).InfoS("Mark all resources Unhealthy for resource", "resourceName", resourceName)
+func (m *ManagerImpl) markResourceUnhealthy(logger klog.Logger, resourceName string) {
+	logger.V(2).Info("Mark all resources Unhealthy for resource", "resourceName", resourceName)
 	healthyDevices := sets.New[string]()
 	if _, ok := m.healthyDevices[resourceName]; ok {
 		healthyDevices = m.healthyDevices[resourceName]
@@ -434,7 +442,9 @@ func (m *ManagerImpl) markResourceUnhealthy(resourceName string) {
 // capacity for already allocated pods so that they can continue to run. However, new pods
 // requiring device plugin resources will not be scheduled till device plugin re-registers.
 func (m *ManagerImpl) GetCapacity() (v1.ResourceList, v1.ResourceList, []string) {
-	needsUpdateCheckpoint := false
+	// Use logger.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	var capacity = v1.ResourceList{}
 	var allocatable = v1.ResourceList{}
 	deletedResources := sets.New[string]()
@@ -446,12 +456,9 @@ func (m *ManagerImpl) GetCapacity() (v1.ResourceList, v1.ResourceList, []string)
 			// should always be consistent. Otherwise, we run with the risk
 			// of failing to garbage collect non-existing resources or devices.
 			if !ok {
-				klog.InfoS("Unexpected: healthyDevices and endpoints are out of sync")
+				logger.Info("Unexpected: healthyDevices and endpoints are out of sync")
 			}
-			delete(m.endpoints, resourceName)
-			delete(m.healthyDevices, resourceName)
 			deletedResources.Insert(resourceName)
-			needsUpdateCheckpoint = true
 		} else {
 			capacity[v1.ResourceName(resourceName)] = *resource.NewQuantity(int64(devices.Len()), resource.DecimalSI)
 			allocatable[v1.ResourceName(resourceName)] = *resource.NewQuantity(int64(devices.Len()), resource.DecimalSI)
@@ -461,12 +468,9 @@ func (m *ManagerImpl) GetCapacity() (v1.ResourceList, v1.ResourceList, []string)
 		eI, ok := m.endpoints[resourceName]
 		if (ok && eI.e.stopGracePeriodExpired()) || !ok {
 			if !ok {
-				klog.InfoS("Unexpected: unhealthyDevices and endpoints became out of sync")
+				logger.Info("Unexpected: unhealthyDevices and endpoints became out of sync")
 			}
-			delete(m.endpoints, resourceName)
-			delete(m.unhealthyDevices, resourceName)
 			deletedResources.Insert(resourceName)
-			needsUpdateCheckpoint = true
 		} else {
 			capacityCount := capacity[v1.ResourceName(resourceName)]
 			unhealthyCount := *resource.NewQuantity(int64(devices.Len()), resource.DecimalSI)
@@ -474,43 +478,51 @@ func (m *ManagerImpl) GetCapacity() (v1.ResourceList, v1.ResourceList, []string)
 			capacity[v1.ResourceName(resourceName)] = capacityCount
 		}
 	}
+
+	for resourceName := range deletedResources {
+		delete(m.endpoints, resourceName)
+		delete(m.healthyDevices, resourceName)
+		delete(m.unhealthyDevices, resourceName)
+	}
+
 	m.mutex.Unlock()
-	if needsUpdateCheckpoint {
-		if err := m.writeCheckpoint(); err != nil {
-			klog.ErrorS(err, "Failed to write checkpoint file")
+
+	if deletedResources.Len() > 0 {
+		if err := m.writeCheckpoint(logger); err != nil {
+			logger.Error(err, "Failed to write checkpoint file")
 		}
 	}
 	return capacity, allocatable, deletedResources.UnsortedList()
 }
 
 // Checkpoints device to container allocation information to disk.
-func (m *ManagerImpl) writeCheckpoint() error {
+func (m *ManagerImpl) writeCheckpoint(logger klog.Logger) error {
 	m.mutex.Lock()
 	registeredDevs := make(map[string][]string)
 	for resource, devices := range m.healthyDevices {
 		registeredDevs[resource] = devices.UnsortedList()
 	}
-	data := checkpoint.New(m.podDevices.toCheckpointData(),
+	data := checkpoint.New(m.podDevices.toCheckpointData(logger),
 		registeredDevs)
 	m.mutex.Unlock()
 	err := m.checkpointManager.CreateCheckpoint(kubeletDeviceManagerCheckpoint, data)
 	if err != nil {
 		err2 := fmt.Errorf("failed to write checkpoint file %q: %v", kubeletDeviceManagerCheckpoint, err)
-		klog.ErrorS(err, "Failed to write checkpoint file")
+		logger.Error(err, "Failed to write checkpoint file")
 		return err2
 	}
-	klog.V(4).InfoS("Checkpoint file written", "checkpoint", kubeletDeviceManagerCheckpoint)
+	logger.V(4).Info("Checkpoint file written", "checkpoint", kubeletDeviceManagerCheckpoint)
 	return nil
 }
 
 // Reads device to container allocation information from disk, and populates
 // m.allocatedDevices accordingly.
-func (m *ManagerImpl) readCheckpoint() error {
+func (m *ManagerImpl) readCheckpoint(logger klog.Logger) error {
 	cp, err := m.getCheckpoint()
 	if err != nil {
 		if err == errors.ErrCheckpointNotFound {
 			// no point in trying anything else
-			klog.ErrorS(err, "Failed to read data from checkpoint", "checkpoint", kubeletDeviceManagerCheckpoint)
+			logger.Error(err, "Failed to read data from checkpoint", "checkpoint", kubeletDeviceManagerCheckpoint)
 			return nil
 		}
 		return err
@@ -519,7 +531,7 @@ func (m *ManagerImpl) readCheckpoint() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	podDevices, registeredDevs := cp.GetData()
-	m.podDevices.fromCheckpointData(podDevices)
+	m.podDevices.fromCheckpointData(logger, podDevices)
 	m.allocatedDevices = m.podDevices.devices()
 	for resource := range registeredDevs {
 		// During start up, creates empty healthyDevices list so that the resource capacity
@@ -529,7 +541,7 @@ func (m *ManagerImpl) readCheckpoint() error {
 		m.endpoints[resource] = endpointInfo{e: newStoppedEndpointImpl(resource), opts: nil}
 	}
 
-	klog.V(4).InfoS("Read data from checkpoint file", "checkpoint", kubeletDeviceManagerCheckpoint)
+	logger.V(4).Info("Read data from checkpoint file", "checkpoint", kubeletDeviceManagerCheckpoint)
 	return nil
 }
 
@@ -543,6 +555,9 @@ func (m *ManagerImpl) getCheckpoint() (checkpoint.DeviceManagerCheckpoint, error
 
 // UpdateAllocatedDevices frees any Devices that are bound to terminated pods.
 func (m *ManagerImpl) UpdateAllocatedDevices() {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	activePods := m.activePods()
 	if !m.sourcesReady.AllReady() {
 		return
@@ -556,7 +571,7 @@ func (m *ManagerImpl) UpdateAllocatedDevices() {
 	if len(podsToBeRemoved) <= 0 {
 		return
 	}
-	klog.V(3).InfoS("Pods to be removed", "podUIDs", sets.List(podsToBeRemoved))
+	logger.V(3).Info("Pods to be removed", "podUIDs", sets.List(podsToBeRemoved))
 	m.podDevices.delete(sets.List(podsToBeRemoved))
 	// Regenerated allocatedDevices after we update pod allocation information.
 	m.allocatedDevices = m.podDevices.devices()
@@ -564,7 +579,8 @@ func (m *ManagerImpl) UpdateAllocatedDevices() {
 
 // Returns list of device Ids we need to allocate with Allocate rpc call.
 // Returns empty list in case we don't need to issue the Allocate rpc call.
-func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, required int, reusableDevices sets.Set[string]) (sets.Set[string], error) {
+func (m *ManagerImpl) devicesToAllocate(ctx context.Context, podUID, contName, resource string, required int, reusableDevices sets.Set[string]) (sets.Set[string], error) {
+	logger := klog.FromContext(ctx)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	needed := required
@@ -572,7 +588,7 @@ func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, requi
 	// This can happen if a container restarts for example.
 	devices := m.podDevices.containerDevices(podUID, contName, resource)
 	if devices != nil {
-		klog.V(3).InfoS("Found pre-allocated devices for resource on pod", "resourceName", resource, "containerName", contName, "podUID", podUID, "devices", sets.List(devices))
+		logger.V(3).Info("Found pre-allocated devices for resource on pod", "resourceName", resource, "containerName", contName, "podUID", podUID, "devices", sets.List(devices))
 		needed = needed - devices.Len()
 		// A pod's resource is not expected to change once admitted by the API server,
 		// so just fail loudly here. We can revisit this part if this no longer holds.
@@ -591,13 +607,13 @@ func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, requi
 	// Is this a simple kubelet restart (scenario 2)? To distinguish, we use the information we got for runtime. If we are asked to allocate devices for containers reported
 	// running, then it can only be a kubelet restart. On node reboot the runtime and the containers were also shut down. Then, if the container was running, it can only be
 	// because it already has access to all the required devices, so we got nothing to do and we can bail out.
-	if !m.sourcesReady.AllReady() && m.isContainerAlreadyRunning(podUID, contName) {
-		klog.V(3).InfoS("Container detected running, nothing to do", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
+	if !m.sourcesReady.AllReady() && m.isContainerAlreadyRunning(logger, podUID, contName) {
+		logger.V(3).Info("Container detected running, nothing to do", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
 		return nil, nil
 	}
 
 	// We dealt with scenario 2. If we got this far it's either scenario 3 (node reboot) or scenario 1 (steady state, normal flow).
-	klog.V(3).InfoS("Need devices to allocate for pod", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
+	logger.V(3).Info("Need devices to allocate for pod", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
 	healthyDevices, hasRegistered := m.healthyDevices[resource]
 
 	// The following checks are expected to fail only happen on scenario 3 (node reboot).
@@ -623,7 +639,7 @@ func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, requi
 	// We handled the known error paths in scenario 3 (node reboot), so from now on we can fall back in a common path.
 	// We cover container restart on kubelet steady state with the same flow.
 	if needed == 0 {
-		klog.V(3).InfoS("No devices needed, nothing to do", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
+		logger.V(3).Info("No devices needed, nothing to do", "deviceNumber", needed, "resourceName", resource, "podUID", podUID, "containerName", contName)
 		// No change, no work.
 		return nil, nil
 	}
@@ -673,7 +689,7 @@ func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, requi
 	// give the plugin the chance to influence which ones to allocate from that set.
 	if needed < aligned.Len() {
 		// First allocate from the preferred devices list (if available).
-		preferred, err := m.callGetPreferredAllocationIfAvailable(podUID, contName, resource, aligned.Union(allocated), allocated, required)
+		preferred, err := m.callGetPreferredAllocationIfAvailable(ctx, podUID, contName, resource, aligned.Union(allocated), allocated, required)
 		if err != nil {
 			return nil, err
 		}
@@ -698,7 +714,7 @@ func (m *ManagerImpl) devicesToAllocate(podUID, contName, resource string, requi
 
 	// Then give the plugin the chance to influence the decision on any
 	// remaining devices to allocate.
-	preferred, err := m.callGetPreferredAllocationIfAvailable(podUID, contName, resource, available.Union(allocated), allocated, required)
+	preferred, err := m.callGetPreferredAllocationIfAvailable(ctx, podUID, contName, resource, available.Union(allocated), allocated, required)
 	if err != nil {
 		return nil, err
 	}
@@ -820,7 +836,8 @@ func (m *ManagerImpl) filterByAffinity(podUID, contName, resource string, availa
 // plugin resources for the input container, issues an Allocate rpc request
 // for each new device resource requirement, processes their AllocateResponses,
 // and updates the cached containerDevices on success.
-func (m *ManagerImpl) allocateContainerResources(pod *v1.Pod, container *v1.Container, devicesToReuse map[string]sets.Set[string]) error {
+func (m *ManagerImpl) allocateContainerResources(ctx context.Context, pod *v1.Pod, container *v1.Container, devicesToReuse map[string]sets.Set[string]) error {
+	logger := klog.FromContext(ctx)
 	podUID := string(pod.UID)
 	contName := container.Name
 	allocatedDevicesUpdated := false
@@ -832,7 +849,12 @@ func (m *ManagerImpl) allocateContainerResources(pod *v1.Pod, container *v1.Cont
 	for k, v := range container.Resources.Limits {
 		resource := string(k)
 		needed := int(v.Value())
-		klog.V(3).InfoS("Looking for needed resources", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "needed", needed)
+		logger.V(3).Info("Looking for needed resources", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "needed", needed)
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) && isDRAExtendedResource(pod, container.Name, resource) {
+			// Skip extended resources managed by DRA
+			logger.V(3).Info("Skipping allocation for DRA-backed extended resource", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name)
+			continue
+		}
 		if !m.isDevicePluginResource(resource) {
 			continue
 		}
@@ -842,7 +864,7 @@ func (m *ManagerImpl) allocateContainerResources(pod *v1.Pod, container *v1.Cont
 			m.UpdateAllocatedDevices()
 			allocatedDevicesUpdated = true
 		}
-		allocDevices, err := m.devicesToAllocate(podUID, contName, resource, needed, devicesToReuse[resource])
+		allocDevices, err := m.devicesToAllocate(ctx, podUID, contName, resource, needed, devicesToReuse[resource])
 		if err != nil {
 			return err
 		}
@@ -878,8 +900,8 @@ func (m *ManagerImpl) allocateContainerResources(pod *v1.Pod, container *v1.Cont
 		devs := allocDevices.UnsortedList()
 		// TODO: refactor this part of code to just append a ContainerAllocationRequest
 		// in a passed in AllocateRequest pointer, and issues a single Allocate call per pod.
-		klog.V(4).InfoS("Making allocation request for device plugin", "devices", devs, "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name)
-		resp, err := eI.e.allocate(devs)
+		logger.V(4).Info("Making allocation request for device plugin", "devices", devs, "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name)
+		resp, err := eI.e.allocate(ctx, devs)
 		metrics.DevicePluginAllocationDuration.WithLabelValues(resource).Observe(metrics.SinceInSeconds(startRPCTime))
 		if err != nil {
 			// In case of allocation failure, we want to restore m.allocatedDevices
@@ -912,7 +934,7 @@ func (m *ManagerImpl) allocateContainerResources(pod *v1.Pod, container *v1.Cont
 	}
 
 	if needsUpdateCheckpoint {
-		return m.writeCheckpoint()
+		return m.writeCheckpoint(logger)
 	}
 
 	return nil
@@ -933,7 +955,8 @@ func (m *ManagerImpl) checkPodActive(pod *v1.Pod) bool {
 // GetDeviceRunContainerOptions checks whether we have cached containerDevices
 // for the passed-in <pod, container> and returns its DeviceRunContainerOptions
 // for the found one. An empty struct is returned in case no cached state is found.
-func (m *ManagerImpl) GetDeviceRunContainerOptions(pod *v1.Pod, container *v1.Container) (*DeviceRunContainerOptions, error) {
+func (m *ManagerImpl) GetDeviceRunContainerOptions(ctx context.Context, pod *v1.Pod, container *v1.Container) (*DeviceRunContainerOptions, error) {
+	logger := klog.FromContext(ctx)
 	podUID := string(pod.UID)
 	contName := container.Name
 	needsReAllocate := false
@@ -942,13 +965,13 @@ func (m *ManagerImpl) GetDeviceRunContainerOptions(pod *v1.Pod, container *v1.Co
 		if !m.isDevicePluginResource(resource) || v.Value() == 0 {
 			continue
 		}
-		err := m.callPreStartContainerIfNeeded(podUID, contName, resource)
+		err := m.callPreStartContainerIfNeeded(ctx, podUID, contName, resource)
 		if err != nil {
 			return nil, err
 		}
 
 		if !m.checkPodActive(pod) {
-			klog.V(5).InfoS("Pod deleted from activePods, skip to reAllocate", "pod", klog.KObj(pod), "podUID", podUID, "containerName", container.Name)
+			logger.V(5).Info("Pod deleted from activePods, skip to reAllocate", "pod", klog.KObj(pod), "podUID", podUID, "containerName", container.Name)
 			continue
 		}
 
@@ -960,17 +983,18 @@ func (m *ManagerImpl) GetDeviceRunContainerOptions(pod *v1.Pod, container *v1.Co
 		}
 	}
 	if needsReAllocate {
-		klog.V(2).InfoS("Needs to re-allocate device plugin resources for pod", "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.V(2).Info("Needs to re-allocate device plugin resources for pod", "pod", klog.KObj(pod), "containerName", container.Name)
 		if err := m.Allocate(pod, container); err != nil {
 			return nil, err
 		}
 	}
-	return m.podDevices.deviceRunContainerOptions(string(pod.UID), container.Name), nil
+	return m.podDevices.deviceRunContainerOptions(logger, string(pod.UID), container.Name), nil
 }
 
 // callPreStartContainerIfNeeded issues PreStartContainer grpc call for device plugin resource
 // with PreStartRequired option set.
-func (m *ManagerImpl) callPreStartContainerIfNeeded(podUID, contName, resource string) error {
+func (m *ManagerImpl) callPreStartContainerIfNeeded(ctx context.Context, podUID, contName, resource string) error {
+	logger := klog.FromContext(ctx)
 	m.mutex.Lock()
 	eI, ok := m.endpoints[resource]
 	if !ok {
@@ -980,7 +1004,7 @@ func (m *ManagerImpl) callPreStartContainerIfNeeded(podUID, contName, resource s
 
 	if eI.opts == nil || !eI.opts.PreStartRequired {
 		m.mutex.Unlock()
-		klog.V(5).InfoS("Plugin options indicate to skip PreStartContainer for resource", "podUID", podUID, "resourceName", resource, "containerName", contName)
+		logger.V(5).Info("Plugin options indicate to skip PreStartContainer for resource", "podUID", podUID, "resourceName", resource, "containerName", contName)
 		return nil
 	}
 
@@ -992,8 +1016,8 @@ func (m *ManagerImpl) callPreStartContainerIfNeeded(podUID, contName, resource s
 
 	m.mutex.Unlock()
 	devs := devices.UnsortedList()
-	klog.V(4).InfoS("Issuing a PreStartContainer call for container", "containerName", contName, "podUID", podUID)
-	_, err := eI.e.preStartContainer(devs)
+	logger.V(4).Info("Issuing a PreStartContainer call for container", "containerName", contName, "podUID", podUID)
+	_, err := eI.e.preStartContainer(ctx, devs)
 	if err != nil {
 		return fmt.Errorf("device plugin PreStartContainer rpc failed with err: %v", err)
 	}
@@ -1003,20 +1027,21 @@ func (m *ManagerImpl) callPreStartContainerIfNeeded(podUID, contName, resource s
 
 // callGetPreferredAllocationIfAvailable issues GetPreferredAllocation grpc
 // call for device plugin resource with GetPreferredAllocationAvailable option set.
-func (m *ManagerImpl) callGetPreferredAllocationIfAvailable(podUID, contName, resource string, available, mustInclude sets.Set[string], size int) (sets.Set[string], error) {
+func (m *ManagerImpl) callGetPreferredAllocationIfAvailable(ctx context.Context, podUID, contName, resource string, available, mustInclude sets.Set[string], size int) (sets.Set[string], error) {
+	logger := klog.FromContext(ctx)
 	eI, ok := m.endpoints[resource]
 	if !ok {
 		return nil, fmt.Errorf("endpoint not found in cache for a registered resource: %s", resource)
 	}
 
 	if eI.opts == nil || !eI.opts.GetPreferredAllocationAvailable {
-		klog.V(5).InfoS("Plugin options indicate to skip GetPreferredAllocation for resource", "resourceName", resource, "podUID", podUID, "containerName", contName)
+		logger.V(5).Info("Plugin options indicate to skip GetPreferredAllocation for resource", "resourceName", resource, "podUID", podUID, "containerName", contName)
 		return nil, nil
 	}
 
 	m.mutex.Unlock()
-	klog.V(4).InfoS("Issuing a GetPreferredAllocation call for container", "resourceName", resource, "containerName", contName, "podUID", podUID)
-	resp, err := eI.e.getPreferredAllocation(available.UnsortedList(), mustInclude.UnsortedList(), size)
+	logger.V(4).Info("Issuing a GetPreferredAllocation call for container", "resourceName", resource, "containerName", contName, "podUID", podUID)
+	resp, err := eI.e.getPreferredAllocation(ctx, available.UnsortedList(), mustInclude.UnsortedList(), size)
 	m.mutex.Lock()
 	if err != nil {
 		return nil, fmt.Errorf("device plugin GetPreferredAllocation rpc failed with err: %v", err)
@@ -1071,12 +1096,29 @@ func (m *ManagerImpl) isDevicePluginResource(resource string) bool {
 	return false
 }
 
+// isDRAExtendedResource checks if the specified resource for a given container
+// in the provided pod is an extended resource managed by DRA.
+func isDRAExtendedResource(pod *v1.Pod, containerName, resourceName string) bool {
+	claimStatus := pod.Status.ExtendedResourceClaimStatus
+	if claimStatus != nil {
+		for _, resMap := range claimStatus.RequestMappings {
+			if resMap.ContainerName == containerName && resMap.ResourceName == resourceName {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // GetAllocatableDevices returns information about all the healthy devices known to the manager
 func (m *ManagerImpl) GetAllocatableDevices() ResourceDeviceInstances {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	resp := m.allDevices.Filter(m.healthyDevices)
-	klog.V(4).InfoS("GetAllocatableDevices", "known", len(m.allDevices), "allocatable", len(resp))
+	logger.V(4).Info("GetAllocatableDevices", "known", len(m.allDevices), "allocatable", len(resp))
 	return resp
 }
 
@@ -1160,10 +1202,10 @@ func (m *ManagerImpl) ShouldResetExtendedResourceCapacity() bool {
 	return len(checkpoints) == 0
 }
 
-func (m *ManagerImpl) isContainerAlreadyRunning(podUID, cntName string) bool {
+func (m *ManagerImpl) isContainerAlreadyRunning(logger klog.Logger, podUID, cntName string) bool {
 	cntID, err := m.containerMap.GetContainerID(podUID, cntName)
 	if err != nil {
-		klog.ErrorS(err, "Container not found in the initial map, assumed NOT running", "podUID", podUID, "containerName", cntName)
+		logger.Error(err, "Container not found in the initial map, assumed NOT running", "podUID", podUID, "containerName", cntName)
 		return false
 	}
 
@@ -1171,11 +1213,11 @@ func (m *ManagerImpl) isContainerAlreadyRunning(podUID, cntName string) bool {
 	// so on kubelet restart containers will again fail admission, hitting https://github.com/kubernetes/kubernetes/issues/118559 again.
 	// This scenario should however be rare enough.
 	if !m.containerRunningSet.Has(cntID) {
-		klog.V(4).InfoS("Container not present in the initial running set", "podUID", podUID, "containerName", cntName, "containerID", cntID)
+		logger.V(4).Info("Container not present in the initial running set", "podUID", podUID, "containerName", cntName, "containerID", cntID)
 		return false
 	}
 
 	// Once we make it here we know we have a running container.
-	klog.V(4).InfoS("Container found in the initial set, assumed running", "podUID", podUID, "containerName", cntName, "containerID", cntID)
+	logger.V(4).Info("Container found in the initial set, assumed running", "podUID", podUID, "containerName", cntName, "containerID", cntID)
 	return true
 }
diff --git a/pkg/kubelet/cm/devicemanager/manager_test.go b/pkg/kubelet/cm/devicemanager/manager_test.go
index febb9c834d83f..5178cb4c08f65 100644
--- a/pkg/kubelet/cm/devicemanager/manager_test.go
+++ b/pkg/kubelet/cm/devicemanager/manager_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package devicemanager
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -41,6 +42,7 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/klog/v2"
 	pluginapi "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	watcherapi "k8s.io/kubelet/pkg/apis/pluginregistration/v1"
 	"k8s.io/kubernetes/pkg/features"
@@ -55,30 +57,31 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager"
 	schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
 	testResourceName = "fake-domain/resource"
 )
 
-func newWrappedManagerImpl(socketPath string, manager *ManagerImpl) *wrappedManagerImpl {
+func newWrappedManagerImpl(logger klog.Logger, socketPath string, manager *ManagerImpl) *wrappedManagerImpl {
 	w := &wrappedManagerImpl{
 		ManagerImpl: manager,
 		callback:    manager.genericDeviceUpdateCallback,
 	}
 	w.socketdir, _ = filepath.Split(socketPath)
-	w.server, _ = plugin.NewServer(socketPath, w, w)
+	w.server, _ = plugin.NewServer(logger, socketPath, w, w)
 	return w
 }
 
 type wrappedManagerImpl struct {
 	*ManagerImpl
 	socketdir string
-	callback  func(string, []*pluginapi.Device)
+	callback  func(klog.Logger, string, []*pluginapi.Device)
 }
 
-func (m *wrappedManagerImpl) PluginListAndWatchReceiver(r string, resp *pluginapi.ListAndWatchResponse) {
-	m.callback(r, resp.Devices)
+func (m *wrappedManagerImpl) PluginListAndWatchReceiver(logger klog.Logger, r string, resp *pluginapi.ListAndWatchResponse) {
+	m.callback(logger, r, resp.Devices)
 }
 
 func tmpSocketDir() (socketDir, socketName, pluginSocketName string, err error) {
@@ -93,37 +96,44 @@ func tmpSocketDir() (socketDir, socketName, pluginSocketName string, err error)
 }
 
 func TestNewManagerImpl(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	socketDir, socketName, _, err := tmpSocketDir()
 	topologyStore := topologymanager.NewFakeManager()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	_, err = newManagerImpl(socketName, nil, topologyStore)
+	_, err = newManagerImpl(logger, socketName, nil, topologyStore)
 	require.NoError(t, err)
 	os.RemoveAll(socketDir)
 }
 
 func TestNewManagerImplStart(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socketDir, socketName, pluginSocketName, err := tmpSocketDir()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	m, _, p := setup(t, []*pluginapi.Device{}, func(n string, d []*pluginapi.Device) {}, socketName, pluginSocketName)
-	cleanup(t, m, p)
+	m, _, p := setup(tCtx, t, []*pluginapi.Device{}, func(_ klog.Logger, n string, d []*pluginapi.Device) {}, socketName, pluginSocketName)
+	err = cleanup(logger, m, p)
+	require.NoError(t, err)
 	// Stop should tolerate being called more than once.
-	cleanup(t, m, p)
+	err = cleanup(logger, m, p)
+	require.NoError(t, err)
 }
 
 func TestNewManagerImplStartProbeMode(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socketDir, socketName, pluginSocketName, err := tmpSocketDir()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	m, _, p, _ := setupInProbeMode(t, []*pluginapi.Device{}, func(n string, d []*pluginapi.Device) {}, socketName, pluginSocketName)
-	cleanup(t, m, p)
+	m, _, p, _ := setupInProbeMode(tCtx, t, []*pluginapi.Device{}, func(_ klog.Logger, n string, d []*pluginapi.Device) {}, socketName, pluginSocketName)
+	err = cleanup(logger, m, p)
+	require.NoError(t, err)
 }
 
 // Tests that the device plugin manager correctly handles registration and re-registration by
 // making sure that after registration, devices are correctly updated and if a re-registration
 // happens, we will NOT delete devices; and no orphaned devices left.
 func TestDevicePluginReRegistration(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	// TODO: Remove skip once https://github.com/kubernetes/kubernetes/pull/115269 merges.
 	if goruntime.GOOS == "windows" {
 		t.Skip("Skipping test on Windows.")
@@ -140,8 +150,9 @@ func TestDevicePluginReRegistration(t *testing.T) {
 	}
 	for _, preStartContainerFlag := range []bool{false, true} {
 		for _, getPreferredAllocationFlag := range []bool{false, true} {
-			m, ch, p1 := setup(t, devs, nil, socketName, pluginSocketName)
-			p1.Register(socketName, testResourceName, "")
+			m, ch, p1 := setup(tCtx, t, devs, nil, socketName, pluginSocketName)
+			err = p1.Register(tCtx, socketName, testResourceName, "")
+			require.NoError(t, err)
 
 			select {
 			case <-ch:
@@ -154,10 +165,11 @@ func TestDevicePluginReRegistration(t *testing.T) {
 			require.Equal(t, resourceCapacity.Value(), resourceAllocatable.Value(), "capacity should equal to allocatable")
 			require.Equal(t, int64(2), resourceAllocatable.Value(), "Devices are not updated.")
 
-			p2 := plugin.NewDevicePluginStub(devs, pluginSocketName+".new", testResourceName, preStartContainerFlag, getPreferredAllocationFlag)
-			err = p2.Start()
+			p2 := plugin.NewDevicePluginStub(logger, devs, pluginSocketName+".new", testResourceName, preStartContainerFlag, getPreferredAllocationFlag)
+			err = p2.Start(tCtx)
+			require.NoError(t, err)
+			err = p2.Register(tCtx, socketName, testResourceName, "")
 			require.NoError(t, err)
-			p2.Register(socketName, testResourceName, "")
 
 			select {
 			case <-ch:
@@ -171,10 +183,11 @@ func TestDevicePluginReRegistration(t *testing.T) {
 			require.Equal(t, int64(2), resourceAllocatable.Value(), "Devices shouldn't change.")
 
 			// Test the scenario that a plugin re-registers with different devices.
-			p3 := plugin.NewDevicePluginStub(devsForRegistration, pluginSocketName+".third", testResourceName, preStartContainerFlag, getPreferredAllocationFlag)
-			err = p3.Start()
+			p3 := plugin.NewDevicePluginStub(logger, devsForRegistration, pluginSocketName+".third", testResourceName, preStartContainerFlag, getPreferredAllocationFlag)
+			err = p3.Start(tCtx)
+			require.NoError(t, err)
+			err = p3.Register(tCtx, socketName, testResourceName, "")
 			require.NoError(t, err)
-			p3.Register(socketName, testResourceName, "")
 
 			select {
 			case <-ch:
@@ -186,9 +199,12 @@ func TestDevicePluginReRegistration(t *testing.T) {
 			resourceAllocatable = allocatable[v1.ResourceName(testResourceName)]
 			require.Equal(t, resourceCapacity.Value(), resourceAllocatable.Value(), "capacity should equal to allocatable")
 			require.Equal(t, int64(1), resourceAllocatable.Value(), "Devices of plugin previously registered should be removed.")
-			p2.Stop()
-			p3.Stop()
-			cleanup(t, m, p1)
+			err = p2.Stop(logger)
+			require.NoError(t, err)
+			err = p3.Stop(logger)
+			require.NoError(t, err)
+			err = cleanup(logger, m, p1)
+			require.NoError(t, err)
 		}
 	}
 }
@@ -199,6 +215,7 @@ func TestDevicePluginReRegistration(t *testing.T) {
 // While testing above scenario, plugin discovery and registration will be done using
 // Kubelet probe based mechanism
 func TestDevicePluginReRegistrationProbeMode(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	// TODO: Remove skip once https://github.com/kubernetes/kubernetes/pull/115269 merges.
 	if goruntime.GOOS == "windows" {
 		t.Skip("Skipping test on Windows.")
@@ -214,7 +231,7 @@ func TestDevicePluginReRegistrationProbeMode(t *testing.T) {
 		{ID: "Dev3", Health: pluginapi.Healthy},
 	}
 
-	m, ch, p1, _ := setupInProbeMode(t, devs, nil, socketName, pluginSocketName)
+	m, ch, p1, _ := setupInProbeMode(tCtx, t, devs, nil, socketName, pluginSocketName)
 
 	// Wait for the first callback to be issued.
 	select {
@@ -228,8 +245,8 @@ func TestDevicePluginReRegistrationProbeMode(t *testing.T) {
 	require.Equal(t, resourceCapacity.Value(), resourceAllocatable.Value(), "capacity should equal to allocatable")
 	require.Equal(t, int64(2), resourceAllocatable.Value(), "Devices are not updated.")
 
-	p2 := plugin.NewDevicePluginStub(devs, pluginSocketName+".new", testResourceName, false, false)
-	err = p2.Start()
+	p2 := plugin.NewDevicePluginStub(logger, devs, pluginSocketName+".new", testResourceName, false, false)
+	err = p2.Start(tCtx)
 	require.NoError(t, err)
 	// Wait for the second callback to be issued.
 	select {
@@ -245,8 +262,8 @@ func TestDevicePluginReRegistrationProbeMode(t *testing.T) {
 	require.Equal(t, int64(2), resourceAllocatable.Value(), "Devices are not updated.")
 
 	// Test the scenario that a plugin re-registers with different devices.
-	p3 := plugin.NewDevicePluginStub(devsForRegistration, pluginSocketName+".third", testResourceName, false, false)
-	err = p3.Start()
+	p3 := plugin.NewDevicePluginStub(logger, devsForRegistration, pluginSocketName+".third", testResourceName, false, false)
+	err = p3.Start(tCtx)
 	require.NoError(t, err)
 	// Wait for the third callback to be issued.
 	select {
@@ -260,26 +277,29 @@ func TestDevicePluginReRegistrationProbeMode(t *testing.T) {
 	resourceAllocatable = allocatable[v1.ResourceName(testResourceName)]
 	require.Equal(t, resourceCapacity.Value(), resourceAllocatable.Value(), "capacity should equal to allocatable")
 	require.Equal(t, int64(1), resourceAllocatable.Value(), "Devices of previous registered should be removed")
-	p2.Stop()
-	p3.Stop()
-	cleanup(t, m, p1)
+	err = p2.Stop(logger)
+	require.NoError(t, err)
+	err = p3.Stop(logger)
+	require.NoError(t, err)
+	err = cleanup(logger, m, p1)
+	require.NoError(t, err)
 }
 
 func setupDeviceManager(t *testing.T, devs []*pluginapi.Device, callback monitorCallback, socketName string,
-	topology []cadvisorapi.Node) (Manager, <-chan interface{}) {
+	topology []cadvisorapi.Node, logger klog.Logger) (Manager, <-chan interface{}) {
 	topologyStore := topologymanager.NewFakeManager()
-	m, err := newManagerImpl(socketName, topology, topologyStore)
+	m, err := newManagerImpl(logger, socketName, topology, topologyStore)
 	require.NoError(t, err)
 	updateChan := make(chan interface{})
 
-	w := newWrappedManagerImpl(socketName, m)
+	w := newWrappedManagerImpl(logger, socketName, m)
 	if callback != nil {
 		w.callback = callback
 	}
 
 	originalCallback := w.callback
-	w.callback = func(resourceName string, devices []*pluginapi.Device) {
-		originalCallback(resourceName, devices)
+	w.callback = func(logger klog.Logger, resourceName string, devices []*pluginapi.Device) {
+		originalCallback(logger, resourceName, devices)
 		updateChan <- new(interface{})
 	}
 	activePods := func() []*v1.Pod {
@@ -288,15 +308,15 @@ func setupDeviceManager(t *testing.T, devs []*pluginapi.Device, callback monitor
 
 	// test steady state, initialization where sourcesReady, containerMap and containerRunningSet
 	// are relevant will be tested with a different flow
-	err = w.Start(activePods, &sourcesReadyStub{}, containermap.NewContainerMap(), sets.New[string]())
+	err = w.Start(logger, activePods, &sourcesReadyStub{}, containermap.NewContainerMap(), sets.New[string]())
 	require.NoError(t, err)
 
 	return w, updateChan
 }
 
-func setupDevicePlugin(t *testing.T, devs []*pluginapi.Device, pluginSocketName string) *plugin.Stub {
-	p := plugin.NewDevicePluginStub(devs, pluginSocketName, testResourceName, false, false)
-	err := p.Start()
+func setupDevicePlugin(ctx context.Context, t *testing.T, devs []*pluginapi.Device, pluginSocketName string) *plugin.Stub {
+	p := plugin.NewDevicePluginStub(klog.FromContext(ctx), devs, pluginSocketName, testResourceName, false, false)
+	err := p.Start(ctx)
 	require.NoError(t, err)
 	return p
 }
@@ -307,41 +327,47 @@ func setupPluginManager(t *testing.T, pluginSocketName string, m Manager) plugin
 		&record.FakeRecorder{},
 	)
 
-	runPluginManager(pluginManager)
+	tCtx := ktesting.Init(t)
+	runPluginManager(tCtx, pluginManager)
 	pluginManager.AddHandler(watcherapi.DevicePlugin, m.GetWatcherHandler())
 	return pluginManager
 }
 
-func runPluginManager(pluginManager pluginmanager.PluginManager) {
+func runPluginManager(ctx context.Context, pluginManager pluginmanager.PluginManager) {
 	// FIXME: Replace sets.Set[string] with sets.Set[string]
 	sourcesReady := config.NewSourcesReady(func(_ sets.Set[string]) bool { return true })
-	go pluginManager.Run(sourcesReady, wait.NeverStop)
+	go pluginManager.Run(ctx, sourcesReady, wait.NeverStop)
 }
 
-func setup(t *testing.T, devs []*pluginapi.Device, callback monitorCallback, socketName string, pluginSocketName string) (Manager, <-chan interface{}, *plugin.Stub) {
-	m, updateChan := setupDeviceManager(t, devs, callback, socketName, nil)
-	p := setupDevicePlugin(t, devs, pluginSocketName)
+func setup(ctx context.Context, t *testing.T, devs []*pluginapi.Device, callback monitorCallback, socketName string, pluginSocketName string) (Manager, <-chan interface{}, *plugin.Stub) {
+	logger := klog.FromContext(ctx)
+	m, updateChan := setupDeviceManager(t, devs, callback, socketName, nil, logger)
+	p := setupDevicePlugin(ctx, t, devs, pluginSocketName)
 	return m, updateChan, p
 }
 
-func setupInProbeMode(t *testing.T, devs []*pluginapi.Device, callback monitorCallback, socketName string, pluginSocketName string) (Manager, <-chan interface{}, *plugin.Stub, pluginmanager.PluginManager) {
-	m, updateChan := setupDeviceManager(t, devs, callback, socketName, nil)
-	p := setupDevicePlugin(t, devs, pluginSocketName)
+func setupInProbeMode(ctx context.Context, t *testing.T, devs []*pluginapi.Device, callback monitorCallback, socketName string, pluginSocketName string) (Manager, <-chan interface{}, *plugin.Stub, pluginmanager.PluginManager) {
+	logger := klog.FromContext(ctx)
+	m, updateChan := setupDeviceManager(t, devs, callback, socketName, nil, logger)
+	p := setupDevicePlugin(ctx, t, devs, pluginSocketName)
 	pm := setupPluginManager(t, pluginSocketName, m)
 	return m, updateChan, p, pm
 }
 
-func cleanup(t *testing.T, m Manager, p *plugin.Stub) {
-	p.Stop()
-	m.Stop()
+func cleanup(logger klog.Logger, m Manager, p *plugin.Stub) error {
+	if err := p.Stop(logger); err != nil {
+		return err
+	}
+	return m.Stop(logger)
 }
 
 func TestUpdateCapacityAllocatable(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	socketDir, socketName, _, err := tmpSocketDir()
 	topologyStore := topologymanager.NewFakeManager()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	testManager, err := newManagerImpl(socketName, nil, topologyStore)
+	testManager, err := newManagerImpl(logger, socketName, nil, topologyStore)
 	as := assert.New(t)
 	as.NotNil(testManager)
 	as.NoError(err)
@@ -358,7 +384,7 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 	resourceName1 := "domain1.com/resource1"
 	e1 := &endpointImpl{}
 	testManager.endpoints[resourceName1] = endpointInfo{e: e1, opts: nil}
-	callback(resourceName1, devs)
+	callback(logger, resourceName1, devs)
 	capacity, allocatable, removedResources := testManager.GetCapacity()
 	resource1Capacity, ok := capacity[v1.ResourceName(resourceName1)]
 	as.True(ok)
@@ -370,7 +396,7 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 
 	// Deletes an unhealthy device should NOT change allocatable but change capacity.
 	devs1 := devs[:len(devs)-1]
-	callback(resourceName1, devs1)
+	callback(logger, resourceName1, devs1)
 	capacity, allocatable, removedResources = testManager.GetCapacity()
 	resource1Capacity, ok = capacity[v1.ResourceName(resourceName1)]
 	as.True(ok)
@@ -382,7 +408,7 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 
 	// Updates a healthy device to unhealthy should reduce allocatable by 1.
 	devs[1].Health = pluginapi.Unhealthy
-	callback(resourceName1, devs)
+	callback(logger, resourceName1, devs)
 	capacity, allocatable, removedResources = testManager.GetCapacity()
 	resource1Capacity, ok = capacity[v1.ResourceName(resourceName1)]
 	as.True(ok)
@@ -394,7 +420,7 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 
 	// Deletes a healthy device should reduce capacity and allocatable by 1.
 	devs2 := devs[1:]
-	callback(resourceName1, devs2)
+	callback(logger, resourceName1, devs2)
 	capacity, allocatable, removedResources = testManager.GetCapacity()
 	resource1Capacity, ok = capacity[v1.ResourceName(resourceName1)]
 	as.True(ok)
@@ -409,7 +435,7 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 	e2 := &endpointImpl{}
 	e2.client = plugin.NewPluginClient(resourceName2, socketName, testManager)
 	testManager.endpoints[resourceName2] = endpointInfo{e: e2, opts: nil}
-	callback(resourceName2, devs)
+	callback(logger, resourceName2, devs)
 	capacity, allocatable, removedResources = testManager.GetCapacity()
 	as.Len(capacity, 2)
 	resource2Capacity, ok := capacity[v1.ResourceName(resourceName2)]
@@ -437,15 +463,16 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 
 	// Stops resourceName2 endpoint. Verifies its stopTime is set, allocate and
 	// preStartContainer calls return errors.
-	e2.client.Disconnect()
+	err = e2.client.Disconnect(logger)
+	require.NoError(t, err)
 	as.False(e2.stopTime.IsZero())
-	_, err = e2.allocate([]string{"Device1"})
+	_, err = e2.allocate(tCtx, []string{"Device1"})
 	reflect.DeepEqual(err, fmt.Errorf(errEndpointStopped, e2))
-	_, err = e2.preStartContainer([]string{"Device1"})
+	_, err = e2.preStartContainer(tCtx, []string{"Device1"})
 	reflect.DeepEqual(err, fmt.Errorf(errEndpointStopped, e2))
 	// Marks resourceName2 unhealthy and verifies its capacity/allocatable are
 	// correctly updated.
-	testManager.markResourceUnhealthy(resourceName2)
+	testManager.markResourceUnhealthy(logger, resourceName2)
 	capacity, allocatable, removed = testManager.GetCapacity()
 	val, ok = capacity[v1.ResourceName(resourceName2)]
 	as.True(ok)
@@ -459,11 +486,11 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 	// it as a DevicePlugin resource. This makes sure any pod that was scheduled
 	// during the time of propagating capacity change to the scheduler will be
 	// properly rejected instead of being incorrectly started.
-	err = testManager.writeCheckpoint()
+	err = testManager.writeCheckpoint(logger)
 	as.NoError(err)
 	testManager.healthyDevices = make(map[string]sets.Set[string])
 	testManager.unhealthyDevices = make(map[string]sets.Set[string])
-	err = testManager.readCheckpoint()
+	err = testManager.readCheckpoint(logger)
 	as.NoError(err)
 	as.Len(testManager.endpoints, 1)
 	as.Contains(testManager.endpoints, resourceName2)
@@ -479,11 +506,12 @@ func TestUpdateCapacityAllocatable(t *testing.T) {
 }
 
 func TestGetAllocatableDevicesMultipleResources(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	socketDir, socketName, _, err := tmpSocketDir()
 	topologyStore := topologymanager.NewFakeManager()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	testManager, err := newManagerImpl(socketName, nil, topologyStore)
+	testManager, err := newManagerImpl(logger, socketName, nil, topologyStore)
 	as := assert.New(t)
 	as.NotNil(testManager)
 	as.NoError(err)
@@ -496,7 +524,7 @@ func TestGetAllocatableDevicesMultipleResources(t *testing.T) {
 	resourceName1 := "domain1.com/resource1"
 	e1 := &endpointImpl{}
 	testManager.endpoints[resourceName1] = endpointInfo{e: e1, opts: nil}
-	testManager.genericDeviceUpdateCallback(resourceName1, resource1Devs)
+	testManager.genericDeviceUpdateCallback(logger, resourceName1, resource1Devs)
 
 	resource2Devs := []*pluginapi.Device{
 		{ID: "R2Device1", Health: pluginapi.Healthy},
@@ -504,7 +532,7 @@ func TestGetAllocatableDevicesMultipleResources(t *testing.T) {
 	resourceName2 := "other.domain2.org/resource2"
 	e2 := &endpointImpl{}
 	testManager.endpoints[resourceName2] = endpointInfo{e: e2, opts: nil}
-	testManager.genericDeviceUpdateCallback(resourceName2, resource2Devs)
+	testManager.genericDeviceUpdateCallback(logger, resourceName2, resource2Devs)
 
 	allocatableDevs := testManager.GetAllocatableDevices()
 	as.Len(allocatableDevs, 2)
@@ -520,11 +548,12 @@ func TestGetAllocatableDevicesMultipleResources(t *testing.T) {
 }
 
 func TestGetAllocatableDevicesHealthTransition(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	socketDir, socketName, _, err := tmpSocketDir()
 	topologyStore := topologymanager.NewFakeManager()
 	require.NoError(t, err)
 	defer os.RemoveAll(socketDir)
-	testManager, err := newManagerImpl(socketName, nil, topologyStore)
+	testManager, err := newManagerImpl(logger, socketName, nil, topologyStore)
 	as := assert.New(t)
 	as.NotNil(testManager)
 	as.NoError(err)
@@ -541,7 +570,7 @@ func TestGetAllocatableDevicesHealthTransition(t *testing.T) {
 	e1 := &endpointImpl{}
 	testManager.endpoints[resourceName1] = endpointInfo{e: e1, opts: nil}
 
-	testManager.genericDeviceUpdateCallback(resourceName1, resource1Devs)
+	testManager.genericDeviceUpdateCallback(logger, resourceName1, resource1Devs)
 
 	allocatableDevs := testManager.GetAllocatableDevices()
 	as.Len(allocatableDevs, 1)
@@ -555,7 +584,7 @@ func TestGetAllocatableDevicesHealthTransition(t *testing.T) {
 		{ID: "R1Device2", Health: pluginapi.Healthy},
 		{ID: "R1Device3", Health: pluginapi.Healthy},
 	}
-	testManager.genericDeviceUpdateCallback(resourceName1, resource1Devs)
+	testManager.genericDeviceUpdateCallback(logger, resourceName1, resource1Devs)
 
 	allocatableDevs = testManager.GetAllocatableDevices()
 	as.Len(allocatableDevs, 1)
@@ -664,6 +693,7 @@ func (b *containerAllocateResponseBuilder) Build() *pluginapi.ContainerAllocateR
 }
 
 func TestCheckpoint(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	resourceName1 := "domain1.com/resource1"
 	resourceName2 := "domain2.com/resource2"
 	resourceName3 := "domain2.com/resource3"
@@ -736,11 +766,11 @@ func TestCheckpoint(t *testing.T) {
 	expectedAllocatedDevices := testManager.podDevices.devices()
 	expectedAllDevices := testManager.healthyDevices
 
-	err = testManager.writeCheckpoint()
+	err = testManager.writeCheckpoint(logger)
 
 	as.NoError(err)
 	testManager.podDevices = newPodDevices()
-	err = testManager.readCheckpoint()
+	err = testManager.readCheckpoint(logger)
 	as.NoError(err)
 
 	as.Equal(expectedPodDevices.size(), testManager.podDevices.size())
@@ -750,8 +780,8 @@ func TestCheckpoint(t *testing.T) {
 				expDevices := expectedPodDevices.containerDevices(podUID, conName, resource)
 				testDevices := testManager.podDevices.containerDevices(podUID, conName, resource)
 				as.True(reflect.DeepEqual(expDevices, testDevices))
-				opts1 := expectedPodDevices.deviceRunContainerOptions(podUID, conName)
-				opts2 := testManager.podDevices.deviceRunContainerOptions(podUID, conName)
+				opts1 := expectedPodDevices.deviceRunContainerOptions(logger, podUID, conName)
+				opts2 := testManager.podDevices.deviceRunContainerOptions(logger, podUID, conName)
 				as.Equal(len(opts1.Envs), len(opts2.Envs))
 				as.Equal(len(opts1.Mounts), len(opts2.Mounts))
 				as.Equal(len(opts1.Devices), len(opts2.Devices))
@@ -780,19 +810,19 @@ type MockEndpoint struct {
 	initChan                   chan []string
 }
 
-func (m *MockEndpoint) preStartContainer(devs []string) (*pluginapi.PreStartContainerResponse, error) {
+func (m *MockEndpoint) preStartContainer(_ context.Context, devs []string) (*pluginapi.PreStartContainerResponse, error) {
 	m.initChan <- devs
 	return &pluginapi.PreStartContainerResponse{}, nil
 }
 
-func (m *MockEndpoint) getPreferredAllocation(available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error) {
+func (m *MockEndpoint) getPreferredAllocation(_ context.Context, available, mustInclude []string, size int) (*pluginapi.PreferredAllocationResponse, error) {
 	if m.getPreferredAllocationFunc != nil {
 		return m.getPreferredAllocationFunc(available, mustInclude, size)
 	}
 	return nil, nil
 }
 
-func (m *MockEndpoint) allocate(devs []string) (*pluginapi.AllocateResponse, error) {
+func (m *MockEndpoint) allocate(ctx context.Context, devs []string) (*pluginapi.AllocateResponse, error) {
 	if m.allocateFunc != nil {
 		return m.allocateFunc(devs)
 	}
@@ -823,7 +853,7 @@ func makePod(limits v1.ResourceList) *v1.Pod {
 }
 
 func getTestManager(tmpDir string, activePods ActivePodsFunc, testRes []TestResource) (*wrappedManagerImpl, error) {
-	monitorCallback := func(resourceName string, devices []*pluginapi.Device) {}
+	monitorCallback := func(logger klog.Logger, resourceName string, devices []*pluginapi.Device) {}
 	ckm, err := checkpointmanager.NewCheckpointManager(tmpDir)
 	if err != nil {
 		return nil, err
@@ -983,6 +1013,7 @@ func TestFilterByAffinity(t *testing.T) {
 }
 
 func TestPodContainerDeviceAllocation(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	res1 := TestResource{
 		resourceName:     "domain1.com/resource1",
 		resourceQuantity: *resource.NewQuantity(int64(2), resource.DecimalSI),
@@ -1061,7 +1092,7 @@ func TestPodContainerDeviceAllocation(t *testing.T) {
 			t.Errorf("DevicePluginManager error (%v). expected error: %v but got: %v",
 				testCase.description, testCase.expErr, err)
 		}
-		runContainerOpts, err := testManager.GetDeviceRunContainerOptions(pod, &pod.Spec.Containers[0])
+		runContainerOpts, err := testManager.GetDeviceRunContainerOptions(tCtx, pod, &pod.Spec.Containers[0])
 		if testCase.expErr == nil {
 			as.NoError(err)
 		}
@@ -1079,6 +1110,7 @@ func TestPodContainerDeviceAllocation(t *testing.T) {
 }
 
 func TestPodContainerDeviceToAllocate(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	resourceName1 := "domain1.com/resource1"
 	resourceName2 := "domain2.com/resource2"
 	resourceName3 := "domain2.com/resource3"
@@ -1172,7 +1204,7 @@ func TestPodContainerDeviceToAllocate(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		allocDevices, err := testManager.devicesToAllocate(testCase.podUID, testCase.contName, testCase.resource, testCase.required, testCase.reusableDevices)
+		allocDevices, err := testManager.devicesToAllocate(tCtx, testCase.podUID, testCase.contName, testCase.resource, testCase.required, testCase.reusableDevices)
 		if !reflect.DeepEqual(err, testCase.expErr) {
 			t.Errorf("devicePluginManager error (%v). expected error: %v but got: %v",
 				testCase.description, testCase.expErr, err)
@@ -1186,6 +1218,7 @@ func TestPodContainerDeviceToAllocate(t *testing.T) {
 }
 
 func TestDevicesToAllocateConflictWithUpdateAllocatedDevices(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podToAllocate := "podToAllocate"
 	containerToAllocate := "containerToAllocate"
 	podToRemove := "podToRemove"
@@ -1197,7 +1230,7 @@ func TestDevicesToAllocateConflictWithUpdateAllocatedDevices(t *testing.T) {
 	devs := []*pluginapi.Device{
 		{ID: deviceID, Health: pluginapi.Healthy},
 	}
-	p, e := esetup(t, devs, socket, resourceName, func(n string, d []*pluginapi.Device) {})
+	p, e := esetup(tCtx, t, devs, socket, resourceName, func(logger klog.Logger, n string, d []*pluginapi.Device) {})
 
 	waitUpdateAllocatedDevicesChan := make(chan struct{})
 	waitSetGetPreferredAllocChan := make(chan struct{})
@@ -1240,12 +1273,13 @@ func TestDevicesToAllocateConflictWithUpdateAllocatedDevices(t *testing.T) {
 		waitUpdateAllocatedDevicesChan <- struct{}{}
 	}()
 
-	set, err := testManager.devicesToAllocate(podToAllocate, containerToAllocate, resourceName, 1, sets.New[string]())
+	set, err := testManager.devicesToAllocate(tCtx, podToAllocate, containerToAllocate, resourceName, 1, sets.New[string]())
 	assert.NoError(t, err)
 	assert.Equal(t, set, sets.New[string](deviceID))
 }
 
 func TestGetDeviceRunContainerOptions(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	res1 := TestResource{
 		resourceName:     "domain1.com/resource1",
 		resourceQuantity: *resource.NewQuantity(int64(2), resource.DecimalSI),
@@ -1292,7 +1326,7 @@ func TestGetDeviceRunContainerOptions(t *testing.T) {
 	as.NoError(err)
 
 	// when pod is in activePods, GetDeviceRunContainerOptions should return
-	runContainerOpts, err := testManager.GetDeviceRunContainerOptions(pod1, &pod1.Spec.Containers[0])
+	runContainerOpts, err := testManager.GetDeviceRunContainerOptions(tCtx, pod1, &pod1.Spec.Containers[0])
 	as.NoError(err)
 	as.Len(runContainerOpts.Devices, 3)
 	as.Len(runContainerOpts.Mounts, 2)
@@ -1303,7 +1337,7 @@ func TestGetDeviceRunContainerOptions(t *testing.T) {
 	testManager.UpdateAllocatedDevices()
 
 	// when pod is removed from activePods,G etDeviceRunContainerOptions should return error
-	runContainerOpts, err = testManager.GetDeviceRunContainerOptions(pod1, &pod1.Spec.Containers[0])
+	runContainerOpts, err = testManager.GetDeviceRunContainerOptions(tCtx, pod1, &pod1.Spec.Containers[0])
 	as.NoError(err)
 	as.Nil(runContainerOpts)
 }
@@ -1547,7 +1581,7 @@ func TestUpdatePluginResources(t *testing.T) {
 	devID2 := "dev2"
 
 	as := assert.New(t)
-	monitorCallback := func(resourceName string, devices []*pluginapi.Device) {}
+	monitorCallback := func(logger klog.Logger, resourceName string, devices []*pluginapi.Device) {}
 	tmpDir, err := os.MkdirTemp("", "checkpoint")
 	as.NoError(err)
 	defer os.RemoveAll(tmpDir)
@@ -1593,6 +1627,7 @@ func TestUpdatePluginResources(t *testing.T) {
 }
 
 func TestDevicePreStartContainer(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// Ensures that if device manager is indicated to invoke `PreStartContainer` RPC
 	// by device plugin, then device manager invokes PreStartContainer at endpoint interface.
 	// Also verifies that final allocation of mounts, envs etc is same as expected.
@@ -1628,7 +1663,7 @@ func TestDevicePreStartContainer(t *testing.T) {
 	podsStub.updateActivePods(activePods)
 	err = testManager.Allocate(pod, &pod.Spec.Containers[0])
 	as.NoError(err)
-	runContainerOpts, err := testManager.GetDeviceRunContainerOptions(pod, &pod.Spec.Containers[0])
+	runContainerOpts, err := testManager.GetDeviceRunContainerOptions(tCtx, pod, &pod.Spec.Containers[0])
 	as.NoError(err)
 	var initializedDevs []string
 	select {
@@ -1656,7 +1691,7 @@ func TestDevicePreStartContainer(t *testing.T) {
 	podsStub.updateActivePods(activePods)
 	err = testManager.Allocate(pod2, &pod2.Spec.Containers[0])
 	as.NoError(err)
-	_, err = testManager.GetDeviceRunContainerOptions(pod2, &pod2.Spec.Containers[0])
+	_, err = testManager.GetDeviceRunContainerOptions(tCtx, pod2, &pod2.Spec.Containers[0])
 	as.NoError(err)
 	select {
 	case <-time.After(time.Millisecond):
@@ -1667,6 +1702,7 @@ func TestDevicePreStartContainer(t *testing.T) {
 }
 
 func TestResetExtendedResource(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	as := assert.New(t)
 	tmpDir, err := os.MkdirTemp("", "checkpoint")
 	as.NoError(err)
@@ -1694,7 +1730,7 @@ func TestResetExtendedResource(t *testing.T) {
 	testManager.healthyDevices[extendedResourceName] = sets.New[string]()
 	testManager.healthyDevices[extendedResourceName].Insert("dev1")
 	// checkpoint is present, indicating node hasn't been recreated
-	err = testManager.writeCheckpoint()
+	err = testManager.writeCheckpoint(logger)
 	require.NoError(t, err)
 
 	as.False(testManager.ShouldResetExtendedResourceCapacity())
@@ -1773,6 +1809,7 @@ func makeDevice(devOnNUMA checkpoint.DevicesPerNUMA, topology bool) map[string]*
 }
 
 func TestGetTopologyHintsWithUpdates(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	socketDir, socketName, _, err := tmpSocketDir()
 	defer os.RemoveAll(socketDir)
 	require.NoError(t, err)
@@ -1820,8 +1857,11 @@ func TestGetTopologyHintsWithUpdates(t *testing.T) {
 
 	for _, test := range testCases {
 		t.Run(test.description, func(t *testing.T) {
-			m, _ := setupDeviceManager(t, nil, nil, socketName, topology)
-			defer m.Stop()
+			m, _ := setupDeviceManager(t, nil, nil, socketName, topology, logger)
+			defer func() {
+				err := m.Stop(logger)
+				require.NoError(t, err)
+			}()
 			mimpl := m.(*wrappedManagerImpl)
 
 			wg := sync.WaitGroup{}
@@ -1833,7 +1873,7 @@ func TestGetTopologyHintsWithUpdates(t *testing.T) {
 				defer wg.Done()
 				for i := 0; i < test.count; i++ {
 					// simulate the device plugin to send device updates
-					mimpl.genericDeviceUpdateCallback(testResourceName, devs)
+					mimpl.genericDeviceUpdateCallback(logger, testResourceName, devs)
 				}
 				updated.Store(true)
 			}()
@@ -1852,6 +1892,7 @@ func TestGetTopologyHintsWithUpdates(t *testing.T) {
 	}
 }
 func TestUpdateAllocatedResourcesStatus(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	podUID := "test-pod-uid"
 	containerName := "test-container"
 	resourceName := "test-resource"
@@ -1890,7 +1931,7 @@ func TestUpdateAllocatedResourcesStatus(t *testing.T) {
 		),
 	)
 
-	testManager.genericDeviceUpdateCallback(resourceName, []*pluginapi.Device{
+	testManager.genericDeviceUpdateCallback(logger, resourceName, []*pluginapi.Device{
 		{ID: "dev1", Health: pluginapi.Healthy},
 		{ID: "dev2", Health: pluginapi.Unhealthy},
 	})
@@ -1955,6 +1996,7 @@ func sortContainerStatuses(statuses []v1.ContainerStatus) {
 }
 
 func TestFeatureGateResourceHealthStatus(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	tmpDir, err := os.MkdirTemp("", "checkpoint")
 	require.NoError(t, err, "err should be nil")
 	defer func() {
@@ -2004,7 +2046,7 @@ func TestFeatureGateResourceHealthStatus(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ResourceHealthStatus, true)
 
 	for i := 0; i < deviceUpdateNumber; i++ {
-		testManager.genericDeviceUpdateCallback(resourceName, []*pluginapi.Device{
+		testManager.genericDeviceUpdateCallback(logger, resourceName, []*pluginapi.Device{
 			{ID: "dev1", Health: pluginapi.Healthy},
 		})
 	}
@@ -2013,7 +2055,7 @@ func TestFeatureGateResourceHealthStatus(t *testing.T) {
 
 	// update device status, assume all device unhealthy.
 	for i := 0; i < deviceUpdateNumber; i++ {
-		testManager.genericDeviceUpdateCallback(resourceName, []*pluginapi.Device{
+		testManager.genericDeviceUpdateCallback(logger, resourceName, []*pluginapi.Device{
 			{ID: fmt.Sprintf("dev%d", i), Health: pluginapi.Unhealthy},
 		})
 	}
@@ -2024,3 +2066,128 @@ func TestFeatureGateResourceHealthStatus(t *testing.T) {
 		}, u)
 	}
 }
+
+// TestAdmitPodWithDRAResources verifies the behavior of admission
+// of the pods referring DRA extended resources depending on whether
+// the DRAExtendedResource feature gate is enabled or disabled.
+func TestAdmitPodWithDRAResources(t *testing.T) {
+	testCases := map[string]struct {
+		enableFeatureGate bool
+		checkError        func(t require.TestingT, err error, msgAndArgs ...interface{})
+	}{
+		"DRAExtendedResource enabled": {
+			enableFeatureGate: true,
+			checkError:        require.NoError,
+		},
+		"DRAExtendedResource disabled": {
+			enableFeatureGate: false,
+			checkError:        require.Error,
+		},
+	}
+
+	containerName := "container1"
+	resourceName := "domain1.com/resource1"
+
+	for description, test := range testCases {
+		t.Run(description, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, test.enableFeatureGate)
+
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					UID: uuid.NewUUID(),
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name: containerName,
+							Resources: v1.ResourceRequirements{
+								Limits: v1.ResourceList{
+									v1.ResourceName(resourceName): resource.MustParse("1"),
+								},
+							},
+						},
+					},
+				},
+				Status: v1.PodStatus{
+					ExtendedResourceClaimStatus: &v1.PodExtendedResourceClaimStatus{
+						RequestMappings: []v1.ContainerExtendedResourceRequest{
+							{
+								ContainerName: containerName,
+								ResourceName:  resourceName,
+							},
+						},
+					},
+				},
+			}
+
+			require.True(t, isDRAExtendedResource(pod, containerName, resourceName))
+
+			testManager := &ManagerImpl{
+				devicesToReuse: make(PodReusableDevices),
+				podDevices:     newPodDevices(),
+				allocatedDevices: map[string]sets.Set[string]{
+					resourceName: sets.New("Dev"),
+				},
+				activePods:   func() []*v1.Pod { return nil },
+				sourcesReady: &sourcesReadyStub{},
+			}
+
+			err := testManager.Allocate(pod, &pod.Spec.Containers[0])
+			test.checkError(t, err)
+		})
+	}
+}
+
+// TestEndpointSyncOnDisconnect verifies that when a device plugin disconnects,
+// the device manager correctly updates its internal state by marking all
+// devices from that endpoint as unhealthy. It ensures that the healthyDevices
+// and unhealthyDevices maps are in sync with the plugin endpoint info.
+func TestEndpointSyncOnDisconnect(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	socketDir, socketName, _, err := tmpSocketDir()
+	require.NoError(t, err)
+	defer func() {
+		if err := os.RemoveAll(socketDir); err != nil {
+			logger.Error(err, "unable to remove socket directory", "dir", socketDir)
+		}
+	}()
+
+	manager, err := newManagerImpl(logger, socketName, nil, nil)
+	require.NoError(t, err)
+
+	resourceName := "domain1.com/resource1"
+	ep := &endpointImpl{
+		resourceName: resourceName,
+		client:       plugin.NewPluginClient(resourceName, socketName, manager),
+		stopTime:     time.Now().Add(-endpointStopGracePeriod * 2), // make the grace period expired
+	}
+
+	manager.endpoints[resourceName] = endpointInfo{e: ep, opts: nil}
+	devs := []*pluginapi.Device{
+		{ID: "Device1", Health: pluginapi.Healthy},
+		{ID: "Device2", Health: pluginapi.Healthy},
+		{ID: "Device3", Health: pluginapi.Unhealthy},
+	}
+	manager.genericDeviceUpdateCallback(logger, resourceName, devs)
+
+	// Disconnect should result in all devices for this resource
+	// moved to the unhealthy set.
+	err = ep.client.Disconnect(logger)
+	require.NoError(t, err)
+
+	require.Contains(t, manager.endpoints, resourceName)
+	require.Contains(t, manager.healthyDevices, resourceName)
+	require.Contains(t, manager.unhealthyDevices, resourceName)
+	require.Len(t, manager.endpoints, 1)
+	require.Empty(t, manager.healthyDevices[resourceName])
+	require.Equal(t, len(devs), manager.unhealthyDevices[resourceName].Len())
+
+	// Expire endpoint to shorten the test
+	ep.stopTime = time.Now().Add(-endpointStopGracePeriod * 2)
+	// Call GetCapacity to trigger https://github.com/kubernetes/kubernetes/issues/133702
+	manager.GetCapacity()
+
+	require.Empty(t, manager.endpoints)
+	require.Empty(t, manager.healthyDevices)
+	require.Empty(t, manager.unhealthyDevices)
+}
diff --git a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/api.go b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/api.go
index f84cd551ffd9f..b400a2125646a 100644
--- a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/api.go
+++ b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/api.go
@@ -17,20 +17,23 @@ limitations under the License.
 package v1beta1
 
 import (
+	"context"
+
+	"k8s.io/klog/v2"
 	api "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 )
 
 // RegistrationHandler is an interface for handling device plugin registration
 // and plugin directory cleanup.
 type RegistrationHandler interface {
-	CleanupPluginDirectory(string) error
+	CleanupPluginDirectory(klog.Logger, string) error
 }
 
 // ClientHandler is an interface for handling device plugin connections.
 type ClientHandler interface {
-	PluginConnected(string, DevicePlugin) error
-	PluginDisconnected(string)
-	PluginListAndWatchReceiver(string, *api.ListAndWatchResponse)
+	PluginConnected(context.Context, string, DevicePlugin) error
+	PluginDisconnected(klog.Logger, string)
+	PluginListAndWatchReceiver(klog.Logger, string, *api.ListAndWatchResponse)
 }
 
 // TODO: evaluate whether we need these error definitions.
diff --git a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/client.go b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/client.go
index 98359ab32c08b..cdb6a50497101 100644
--- a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/client.go
+++ b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/client.go
@@ -39,9 +39,9 @@ type DevicePlugin interface {
 
 // Client interface provides methods for establishing/closing gRPC connection and running the device plugin gRPC client.
 type Client interface {
-	Connect() error
-	Run()
-	Disconnect() error
+	Connect(context.Context) error
+	Run(context.Context)
+	Disconnect(klog.Logger) error
 }
 
 type client struct {
@@ -63,51 +63,55 @@ func NewPluginClient(r string, socketPath string, h ClientHandler) Client {
 }
 
 // Connect is for establishing a gRPC connection between device manager and device plugin.
-func (c *client) Connect() error {
-	client, conn, err := dial(c.socket)
+func (c *client) Connect(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
+	client, conn, err := dial(ctx, c.socket)
 	if err != nil {
-		klog.ErrorS(err, "Unable to connect to device plugin client with socket path", "path", c.socket)
+		logger.Error(err, "Unable to connect to device plugin client with socket path", "path", c.socket)
 		return err
 	}
 	c.mutex.Lock()
 	c.grpc = conn
 	c.client = client
 	c.mutex.Unlock()
-	return c.handler.PluginConnected(c.resource, c)
+	return c.handler.PluginConnected(ctx, c.resource, c)
 }
 
 // Run is for running the device plugin gRPC client.
-func (c *client) Run() {
-	stream, err := c.client.ListAndWatch(context.Background(), &api.Empty{})
+func (c *client) Run(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	// FIXME: passing real context to ListAndWatch results in
+	// failing TestDevicePluginReRegistration with "context cancelled" error
+	stream, err := c.client.ListAndWatch(context.TODO(), &api.Empty{})
 	if err != nil {
-		klog.ErrorS(err, "ListAndWatch ended unexpectedly for device plugin", "resource", c.resource)
+		logger.Error(err, "ListAndWatch ended unexpectedly for device plugin", "resource", c.resource)
 		return
 	}
 
 	for {
 		response, err := stream.Recv()
 		if err != nil {
-			klog.ErrorS(err, "ListAndWatch ended unexpectedly for device plugin", "resource", c.resource)
+			logger.Error(err, "ListAndWatch ended unexpectedly for device plugin", "resource", c.resource)
 			return
 		}
-		klog.V(2).InfoS("State pushed for device plugin", "resource", c.resource, "resourceCapacity", len(response.Devices))
-		c.handler.PluginListAndWatchReceiver(c.resource, response)
+		logger.V(2).Info("State pushed for device plugin", "resource", c.resource, "resourceCapacity", len(response.Devices))
+		c.handler.PluginListAndWatchReceiver(logger, c.resource, response)
 	}
 }
 
 // Disconnect is for closing gRPC connection between device manager and device plugin.
-func (c *client) Disconnect() error {
+func (c *client) Disconnect(logger klog.Logger) error {
 	c.mutex.Lock()
 	if c.grpc != nil {
 		if err := c.grpc.Close(); err != nil {
-			klog.V(2).ErrorS(err, "Failed to close grcp connection", "resource", c.Resource())
+			logger.V(2).Info("Failed to close gRPC connection", "resource", c.Resource(), "err", err)
 		}
 		c.grpc = nil
 	}
 	c.mutex.Unlock()
-	c.handler.PluginDisconnected(c.resource)
+	c.handler.PluginDisconnected(logger, c.resource)
 
-	klog.V(2).InfoS("Device plugin disconnected", "resource", c.resource)
+	logger.V(2).Info("Device plugin disconnected", "resource", c.resource)
 	return nil
 }
 
@@ -124,8 +128,8 @@ func (c *client) SocketPath() string {
 }
 
 // dial establishes the gRPC communication with the registered device plugin. https://godoc.org/google.golang.org/grpc#Dial
-func dial(unixSocketPath string) (api.DevicePluginClient, *grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+func dial(ctx context.Context, unixSocketPath string) (api.DevicePluginClient, *grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	c, err := grpc.DialContext(ctx, unixSocketPath,
diff --git a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/handler.go b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/handler.go
index 204afd3d1b187..472399ffe6d16 100644
--- a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/handler.go
+++ b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/handler.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"time"
@@ -29,30 +30,43 @@ import (
 )
 
 func (s *server) GetPluginHandler() cache.PluginHandler {
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	logger := klog.FromContext(context.TODO())
 	if f, err := os.Create(s.socketDir + "DEPRECATION"); err != nil {
-		klog.ErrorS(err, "Failed to create deprecation file at socket dir", "path", s.socketDir)
+		logger.Error(err, "Failed to create deprecation file at socket dir", "path", s.socketDir)
 	} else {
 		f.Close()
-		klog.V(4).InfoS("Created deprecation file", "path", f.Name())
+		logger.V(4).Info("Created deprecation file", "path", f.Name())
 	}
 	return s
 }
 
 func (s *server) RegisterPlugin(pluginName string, endpoint string, versions []string, pluginClientTimeout *time.Duration) error {
-	klog.V(2).InfoS("Registering plugin at endpoint", "plugin", pluginName, "endpoint", endpoint)
-	return s.connectClient(pluginName, endpoint)
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Registering plugin at endpoint", "plugin", pluginName, "endpoint", endpoint)
+	return s.connectClient(ctx, pluginName, endpoint)
 }
 
 func (s *server) DeRegisterPlugin(pluginName, endpoint string) {
-	klog.V(2).InfoS("Deregistering plugin", "plugin", pluginName, "endpoint", endpoint)
+	logger := klog.FromContext(context.TODO())
+	logger.V(2).Info("Deregistering plugin", "plugin", pluginName, "endpoint", endpoint)
 	client := s.getClient(pluginName)
 	if client != nil {
-		s.disconnectClient(pluginName, client)
+		if err := s.disconnectClient(logger, pluginName, client); err != nil {
+			logger.Error(err, "disconnecting client", "plugin", pluginName, "endpoing", endpoint)
+		}
 	}
 }
 
 func (s *server) ValidatePlugin(pluginName string, endpoint string, versions []string) error {
-	klog.V(2).InfoS("Got plugin at endpoint with versions", "plugin", pluginName, "endpoint", endpoint, "versions", versions)
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	logger := klog.FromContext(context.TODO())
+	logger.V(2).Info("Got plugin at endpoint with versions", "plugin", pluginName, "endpoint", endpoint, "versions", versions)
 
 	if !s.isVersionCompatibleWithPlugin(versions...) {
 		return fmt.Errorf("manager version, %s, is not among plugin supported versions %v", api.Version, versions)
@@ -62,58 +76,60 @@ func (s *server) ValidatePlugin(pluginName string, endpoint string, versions []s
 		return fmt.Errorf("invalid name of device plugin socket: %s", fmt.Sprintf(errInvalidResourceName, pluginName))
 	}
 
-	klog.V(2).InfoS("Device plugin validated", "plugin", pluginName, "endpoint", endpoint, "versions", versions)
+	logger.V(2).Info("Device plugin validated", "plugin", pluginName, "endpoint", endpoint, "versions", versions)
 	return nil
 }
 
-func (s *server) connectClient(name string, socketPath string) error {
+func (s *server) connectClient(ctx context.Context, name string, socketPath string) error {
+	logger := klog.FromContext(ctx)
 	c := NewPluginClient(name, socketPath, s.chandler)
 
-	s.registerClient(name, c)
-	if err := c.Connect(); err != nil {
-		s.deregisterClient(name)
-		klog.ErrorS(err, "Failed to connect to new client", "resource", name)
+	s.registerClient(logger, name, c)
+	if err := c.Connect(ctx); err != nil {
+		s.deregisterClient(logger, name)
+		logger.Error(err, "Failed to connect to new client", "resource", name)
 		return err
 	}
 
-	klog.V(2).InfoS("Connected to new client", "resource", name)
+	logger.V(2).Info("Connected to new client", "resource", name)
 	go func() {
-		s.runClient(name, c)
+		s.runClient(ctx, name, c)
 	}()
 
 	return nil
 }
 
-func (s *server) disconnectClient(name string, c Client) error {
-	s.deregisterClient(name)
-	return c.Disconnect()
+func (s *server) disconnectClient(logger klog.Logger, name string, c Client) error {
+	s.deregisterClient(logger, name)
+	return c.Disconnect(logger)
 }
-func (s *server) registerClient(name string, c Client) {
+func (s *server) registerClient(logger klog.Logger, name string, c Client) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
 	s.clients[name] = c
-	klog.V(2).InfoS("Registered client", "name", name)
+	logger.V(2).Info("Registered client", "name", name)
 }
 
-func (s *server) deregisterClient(name string) {
+func (s *server) deregisterClient(logger klog.Logger, name string) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
 	delete(s.clients, name)
-	klog.V(2).InfoS("Deregistered client", "name", name)
+	logger.V(2).Info("Deregistered client", "name", name)
 }
 
-func (s *server) runClient(name string, c Client) {
-	c.Run()
+func (s *server) runClient(ctx context.Context, name string, c Client) {
+	logger := klog.FromContext(ctx)
+	c.Run(ctx)
 
 	c = s.getClient(name)
 	if c == nil {
 		return
 	}
 
-	if err := s.disconnectClient(name, c); err != nil {
-		klog.ErrorS(err, "Unable to disconnect client", "resource", name, "client", c)
+	if err := s.disconnectClient(logger, name, c); err != nil {
+		logger.Error(err, "Unable to disconnect client", "resource", name, "client", c)
 	}
 }
 
diff --git a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
index 56a379553e144..320ee4d80ea9d 100644
--- a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
+++ b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/server.go
@@ -33,7 +33,7 @@ import (
 	"k8s.io/klog/v2"
 	api "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
 )
@@ -42,8 +42,8 @@ import (
 type Server interface {
 	cache.PluginHandler
 	healthz.HealthChecker
-	Start() error
-	Stop() error
+	Start(klog.Logger) error
+	Stop(klog.Logger) error
 	SocketPath() string
 }
 
@@ -57,21 +57,21 @@ type server struct {
 	chandler   ClientHandler
 	clients    map[string]Client
 
-	// isStarted indicates whether the service has started successfully.
-	isStarted bool
+	// lastError records the last runtime error. A server is considered healthy till an actual error occurs.
+	lastError error
 
 	api.UnsafeRegistrationServer
 }
 
 // NewServer returns an initialized device plugin registration server.
-func NewServer(socketPath string, rh RegistrationHandler, ch ClientHandler) (Server, error) {
+func NewServer(logger klog.Logger, socketPath string, rh RegistrationHandler, ch ClientHandler) (Server, error) {
 	if socketPath == "" || !filepath.IsAbs(socketPath) {
 		return nil, fmt.Errorf(errBadSocket+" %s", socketPath)
 	}
 
 	dir, name := filepath.Split(socketPath)
 
-	klog.V(2).InfoS("Creating device plugin registration server", "version", api.Version, "socket", socketPath)
+	logger.V(2).Info("Creating device plugin registration server", "version", api.Version, "socket", socketPath)
 	s := &server{
 		socketName: name,
 		socketDir:  dir,
@@ -83,31 +83,31 @@ func NewServer(socketPath string, rh RegistrationHandler, ch ClientHandler) (Ser
 	return s, nil
 }
 
-func (s *server) Start() error {
-	klog.V(2).InfoS("Starting device plugin registration server")
+func (s *server) Start(logger klog.Logger) error {
+	logger.V(2).Info("Starting device plugin registration server")
 
 	if err := os.MkdirAll(s.socketDir, 0750); err != nil {
-		klog.ErrorS(err, "Failed to create the device plugin socket directory", "directory", s.socketDir)
+		logger.Error(err, "Failed to create the device plugin socket directory", "directory", s.socketDir)
 		return err
 	}
 
 	if selinux.GetEnabled() {
-		if err := selinux.SetFileLabel(s.socketDir, config.KubeletPluginsDirSELinuxLabel); err != nil {
-			klog.ErrorS(err, "Unprivileged containerized plugins might not work. Could not set selinux context on socket dir", "path", s.socketDir)
+		if err := selinux.SetFileLabel(s.socketDir, kubeletconfig.KubeletPluginsDirSELinuxLabel); err != nil {
+			logger.Error(err, "Unprivileged containerized plugins might not work. Could not set selinux context on socket dir", "path", s.socketDir)
 		}
 	}
 
 	// For now, we leave cleanup of the *entire* directory up to the Handler
 	// (even though we should in theory be able to just wipe the whole directory)
 	// because the Handler stores its checkpoint file (amongst others) in here.
-	if err := s.rhandler.CleanupPluginDirectory(s.socketDir); err != nil {
-		klog.ErrorS(err, "Failed to cleanup the device plugin directory", "directory", s.socketDir)
+	if err := s.rhandler.CleanupPluginDirectory(logger, s.socketDir); err != nil {
+		logger.Error(err, "Failed to cleanup the device plugin directory", "directory", s.socketDir)
 		return err
 	}
 
 	ln, err := net.Listen("unix", s.SocketPath())
 	if err != nil {
-		klog.ErrorS(err, "Failed to listen to socket while starting device plugin registry")
+		logger.Error(err, "Failed to listen to socket while starting device plugin registry")
 		return err
 	}
 
@@ -119,18 +119,18 @@ func (s *server) Start() error {
 		defer s.wg.Done()
 		s.setHealthy()
 		if err = s.grpc.Serve(ln); err != nil {
-			s.setUnhealthy()
-			klog.ErrorS(err, "Error while serving device plugin registration grpc server")
+			s.setUnhealthy(err)
+			logger.Error(err, "Error while serving device plugin registration grpc server")
 		}
 	}()
 
 	return nil
 }
 
-func (s *server) Stop() error {
+func (s *server) Stop(logger klog.Logger) error {
 	s.visitClients(func(r string, c Client) {
-		if err := s.disconnectClient(r, c); err != nil {
-			klog.ErrorS(err, "Failed to disconnect device plugin client", "resourceName", r)
+		if err := s.disconnectClient(logger, r, c); err != nil {
+			logger.Error(err, "Failed to disconnect device plugin client", "resourceName", r)
 		}
 	})
 
@@ -147,7 +147,7 @@ func (s *server) Stop() error {
 	// During kubelet termination, we do not need the registration server,
 	// and we consider the kubelet to be healthy even when it is down.
 	s.setHealthy()
-	klog.V(2).InfoS("Stopping device plugin registration server")
+	logger.V(2).Info("Stopping device plugin registration server")
 
 	return nil
 }
@@ -157,23 +157,24 @@ func (s *server) SocketPath() string {
 }
 
 func (s *server) Register(ctx context.Context, r *api.RegisterRequest) (*api.Empty, error) {
-	klog.InfoS("Got registration request from device plugin with resource", "resourceName", r.ResourceName)
+	logger := klog.FromContext(ctx)
+	logger.Info("Got registration request from device plugin with resource", "resourceName", r.ResourceName)
 	metrics.DevicePluginRegistrationCount.WithLabelValues(r.ResourceName).Inc()
 
 	if !s.isVersionCompatibleWithPlugin(r.Version) {
 		err := fmt.Errorf(errUnsupportedVersion, r.Version, api.SupportedVersions)
-		klog.ErrorS(err, "Bad registration request from device plugin with resource", "resourceName", r.ResourceName)
+		logger.Error(err, "Bad registration request from device plugin with resource", "resourceName", r.ResourceName)
 		return &api.Empty{}, err
 	}
 
 	if !v1helper.IsExtendedResourceName(core.ResourceName(r.ResourceName)) {
 		err := fmt.Errorf(errInvalidResourceName, r.ResourceName)
-		klog.ErrorS(err, "Bad registration request from device plugin")
+		logger.Error(err, "Bad registration request from device plugin")
 		return &api.Empty{}, err
 	}
 
-	if err := s.connectClient(r.ResourceName, filepath.Join(s.socketDir, r.Endpoint)); err != nil {
-		klog.ErrorS(err, "Error connecting to device plugin client")
+	if err := s.connectClient(ctx, r.ResourceName, filepath.Join(s.socketDir, r.Endpoint)); err != nil {
+		logger.Error(err, "Error connecting to device plugin client")
 		return &api.Empty{}, err
 	}
 
@@ -210,18 +211,19 @@ func (s *server) Name() string {
 }
 
 func (s *server) Check(_ *http.Request) error {
-	if s.isStarted {
-		return nil
-	}
-	return fmt.Errorf("device plugin registration gRPC server failed and no device plugins can register")
+	return s.lastError
 }
 
 // setHealthy sets the health status of the gRPC server.
 func (s *server) setHealthy() {
-	s.isStarted = true
+	s.lastError = nil
 }
 
 // setUnhealthy sets the health status of the gRPC server to unhealthy.
-func (s *server) setUnhealthy() {
-	s.isStarted = false
+func (s *server) setUnhealthy(err error) {
+	if err == nil {
+		s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register")
+		return
+	}
+	s.lastError = fmt.Errorf("device registration error: device plugin registration gRPC server failed and no device plugins can register: %w", err)
 }
diff --git a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/stub.go b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/stub.go
index 1d271540a1d3e..d754010c727dd 100644
--- a/pkg/kubelet/cm/devicemanager/plugin/v1beta1/stub.go
+++ b/pkg/kubelet/cm/devicemanager/plugin/v1beta1/stub.go
@@ -92,11 +92,11 @@ func defaultRegisterControlFunc() bool {
 }
 
 // NewDevicePluginStub returns an initialized DevicePlugin Stub.
-func NewDevicePluginStub(devs []*pluginapi.Device, socket string, name string, preStartContainerFlag bool, getPreferredAllocationFlag bool) *Stub {
+func NewDevicePluginStub(logger klog.Logger, devs []*pluginapi.Device, socket string, name string, preStartContainerFlag bool, getPreferredAllocationFlag bool) *Stub {
 
 	watcher, err := fsnotify.NewWatcher()
 	if err != nil {
-		klog.ErrorS(err, "Watcher creation failed")
+		logger.Error(err, "Watcher creation failed")
 		panic(err)
 	}
 
@@ -134,8 +134,9 @@ func (m *Stub) SetRegisterControlFunc(f stubRegisterControlFunc) {
 
 // Start starts the gRPC server of the device plugin. Can only
 // be called once.
-func (m *Stub) Start() error {
-	klog.InfoS("Starting device plugin server")
+func (m *Stub) Start(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting device plugin server")
 	err := m.cleanup()
 	if err != nil {
 		return err
@@ -153,21 +154,21 @@ func (m *Stub) Start() error {
 
 	err = m.kubeletRestartWatcher.Add(filepath.Dir(m.socket))
 	if err != nil {
-		klog.ErrorS(err, "Failed to add watch", "devicePluginPath", pluginapi.DevicePluginPath)
+		logger.Error(err, "Failed to add watch", "devicePluginPath", pluginapi.DevicePluginPath)
 		return err
 	}
 
 	go func() {
 		defer m.wg.Done()
 		if err = m.server.Serve(sock); err != nil {
-			klog.ErrorS(err, "Error while serving device plugin registration grpc server")
+			logger.Error(err, "Error while serving device plugin registration grpc server")
 		}
 	}()
 
 	var lastDialErr error
 	wait.PollImmediate(1*time.Second, 10*time.Second, func() (bool, error) {
 		var conn *grpc.ClientConn
-		_, conn, lastDialErr = dial(m.socket)
+		_, conn, lastDialErr = dial(ctx, m.socket)
 		if lastDialErr != nil {
 			return false, nil
 		}
@@ -178,12 +179,12 @@ func (m *Stub) Start() error {
 		return lastDialErr
 	}
 
-	klog.InfoS("Starting to serve on socket", "socket", m.socket)
+	logger.Info("Starting to serve on socket", "socket", m.socket)
 	return nil
 }
 
-func (m *Stub) Restart() error {
-	klog.InfoS("Restarting Device Plugin server")
+func (m *Stub) Restart(ctx context.Context) error {
+	klog.FromContext(ctx).Info("Restarting Device Plugin server")
 	if m.server == nil {
 		return nil
 	}
@@ -191,14 +192,14 @@ func (m *Stub) Restart() error {
 	m.server.Stop()
 	m.server = nil
 
-	return m.Start()
+	return m.Start(ctx)
 }
 
 // Stop stops the gRPC server. Can be called without a prior Start
 // and more than once. Not safe to be called concurrently by different
 // goroutines!
-func (m *Stub) Stop() error {
-	klog.InfoS("Stopping device plugin server")
+func (m *Stub) Stop(logger klog.Logger) error {
+	logger.Info("Stopping device plugin server")
 	if m.server == nil {
 		return nil
 	}
@@ -213,7 +214,8 @@ func (m *Stub) Stop() error {
 	return m.cleanup()
 }
 
-func (m *Stub) Watch(kubeletEndpoint, resourceName, pluginSockDir string) {
+func (m *Stub) Watch(ctx context.Context, kubeletEndpoint, resourceName, pluginSockDir string) {
+	logger := klog.FromContext(ctx)
 	for {
 		select {
 		// Detect a kubelet restart by watching for a newly created
@@ -221,26 +223,26 @@ func (m *Stub) Watch(kubeletEndpoint, resourceName, pluginSockDir string) {
 		// the device plugin server
 		case event := <-m.kubeletRestartWatcher.Events:
 			if event.Name == kubeletEndpoint && event.Op&fsnotify.Create == fsnotify.Create {
-				klog.InfoS("inotify: file created, restarting", "kubeletEndpoint", kubeletEndpoint)
+				logger.Info("inotify: file created, restarting", "kubeletEndpoint", kubeletEndpoint)
 				var lastErr error
 
-				err := wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 2*time.Minute, false, func(context.Context) (done bool, err error) {
-					restartErr := m.Restart()
+				err := wait.PollUntilContextTimeout(ctx, 10*time.Second, 2*time.Minute, false, func(context.Context) (done bool, err error) {
+					restartErr := m.Restart(ctx)
 					if restartErr == nil {
 						return true, nil
 					}
-					klog.ErrorS(restartErr, "Retrying after error")
+					logger.Error(restartErr, "Retrying after error")
 					lastErr = restartErr
 					return false, nil
 				})
 				if err != nil {
-					klog.ErrorS(err, "Unable to restart server: wait timed out", "lastErr", lastErr.Error())
+					logger.Error(err, "Unable to restart server: wait timed out", "lastErr", lastErr.Error())
 					panic(err)
 				}
 
 				if ok := m.registerControlFunc(); ok {
-					if err := m.Register(kubeletEndpoint, resourceName, pluginSockDir); err != nil {
-						klog.ErrorS(err, "Unable to register to kubelet")
+					if err := m.Register(ctx, kubeletEndpoint, resourceName, pluginSockDir); err != nil {
+						logger.Error(err, "Unable to register to kubelet")
 						panic(err)
 					}
 				}
@@ -248,14 +250,14 @@ func (m *Stub) Watch(kubeletEndpoint, resourceName, pluginSockDir string) {
 
 		// Watch for any other fs errors and log them.
 		case err := <-m.kubeletRestartWatcher.Errors:
-			klog.ErrorS(err, "inotify error")
+			logger.Error(err, "inotify error")
 		}
 	}
 }
 
 // GetInfo is the RPC which return pluginInfo
 func (m *Stub) GetInfo(ctx context.Context, req *watcherapi.InfoRequest) (*watcherapi.PluginInfo, error) {
-	klog.InfoS("GetInfo")
+	klog.FromContext(ctx).Info("GetInfo")
 	return &watcherapi.PluginInfo{
 		Type:              watcherapi.DevicePlugin,
 		Name:              m.resourceName,
@@ -265,30 +267,33 @@ func (m *Stub) GetInfo(ctx context.Context, req *watcherapi.InfoRequest) (*watch
 
 // NotifyRegistrationStatus receives the registration notification from watcher
 func (m *Stub) NotifyRegistrationStatus(ctx context.Context, status *watcherapi.RegistrationStatus) (*watcherapi.RegistrationStatusResponse, error) {
+	logger := klog.FromContext(ctx)
 	if m.registrationStatus != nil {
 		m.registrationStatus <- *status
 	}
 	if !status.PluginRegistered {
-		klog.InfoS("Registration failed", "err", status.Error)
+		logger.Info("Registration failed", "err", status.Error)
 	}
 	return &watcherapi.RegistrationStatusResponse{}, nil
 }
 
 // Register registers the device plugin for the given resourceName with Kubelet.
-func (m *Stub) Register(kubeletEndpoint, resourceName string, pluginSockDir string) error {
-	klog.InfoS("Register", "kubeletEndpoint", kubeletEndpoint, "resourceName", resourceName, "socket", pluginSockDir)
+func (m *Stub) Register(ctx context.Context, kubeletEndpoint, resourceName string, pluginSockDir string) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Register", "kubeletEndpoint", kubeletEndpoint, "resourceName", resourceName, "socket", pluginSockDir)
 
 	if pluginSockDir != "" {
 		if _, err := os.Stat(pluginSockDir + "DEPRECATION"); err == nil {
-			klog.InfoS("Deprecation file found. Skip registration")
+			logger.Info("Deprecation file found. Skip registration")
 			return nil
 		}
 	}
-	klog.InfoS("Deprecation file not found. Invoke registration")
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	logger.Info("Deprecation file not found. Invoke registration")
+	ctxDial, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
-	conn, err := grpc.DialContext(ctx, kubeletEndpoint,
+	//nolint:staticcheck // SA1019: grpc.DialContext is deprecated: use NewClient instead.
+	conn, err := grpc.DialContext(ctxDial, kubeletEndpoint,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithBlock(),
 		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
@@ -309,14 +314,14 @@ func (m *Stub) Register(kubeletEndpoint, resourceName string, pluginSockDir stri
 		},
 	}
 
-	_, err = client.Register(context.Background(), reqt)
+	_, err = client.Register(ctx, reqt)
 	if err != nil {
 		// Stop server
 		m.server.Stop()
-		klog.ErrorS(err, "Client unable to register to kubelet")
+		logger.Error(err, "Client unable to register to kubelet")
 		return err
 	}
-	klog.InfoS("Device Plugin registered with the Kubelet")
+	logger.Info("Device Plugin registered with the Kubelet")
 	return err
 }
 
@@ -331,13 +336,15 @@ func (m *Stub) GetDevicePluginOptions(ctx context.Context, e *pluginapi.Empty) (
 
 // PreStartContainer resets the devices received
 func (m *Stub) PreStartContainer(ctx context.Context, r *pluginapi.PreStartContainerRequest) (*pluginapi.PreStartContainerResponse, error) {
-	klog.InfoS("PreStartContainer", "request", r)
+	klog.FromContext(ctx).Info("PreStartContainer", "request", r)
 	return &pluginapi.PreStartContainerResponse{}, nil
 }
 
 // ListAndWatch lists devices and update that list according to the Update call
 func (m *Stub) ListAndWatch(e *pluginapi.Empty, s pluginapi.DevicePlugin_ListAndWatchServer) error {
-	klog.InfoS("ListAndWatch")
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a logger parameter.
+	klog.TODO().Info("ListAndWatch")
 
 	s.Send(&pluginapi.ListAndWatchResponse{Devices: m.devs})
 
@@ -358,7 +365,7 @@ func (m *Stub) Update(devs []*pluginapi.Device) {
 
 // GetPreferredAllocation gets the preferred allocation from a set of available devices
 func (m *Stub) GetPreferredAllocation(ctx context.Context, r *pluginapi.PreferredAllocationRequest) (*pluginapi.PreferredAllocationResponse, error) {
-	klog.InfoS("GetPreferredAllocation", "request", r)
+	klog.FromContext(ctx).Info("GetPreferredAllocation", "request", r)
 
 	devs := make(map[string]*pluginapi.Device)
 
@@ -371,7 +378,7 @@ func (m *Stub) GetPreferredAllocation(ctx context.Context, r *pluginapi.Preferre
 
 // Allocate does a mock allocation
 func (m *Stub) Allocate(ctx context.Context, r *pluginapi.AllocateRequest) (*pluginapi.AllocateResponse, error) {
-	klog.InfoS("Allocate", "request", r)
+	klog.FromContext(ctx).Info("Allocate", "request", r)
 
 	devs := make(map[string]*pluginapi.Device)
 
diff --git a/pkg/kubelet/cm/devicemanager/pod_devices.go b/pkg/kubelet/cm/devicemanager/pod_devices.go
index 2270a188a81c7..9ed59575bd377 100644
--- a/pkg/kubelet/cm/devicemanager/pod_devices.go
+++ b/pkg/kubelet/cm/devicemanager/pod_devices.go
@@ -198,7 +198,7 @@ func (pdev *podDevices) getPodAndContainerForDevice(deviceID string) (string, st
 }
 
 // Turns podDevices to checkpointData.
-func (pdev *podDevices) toCheckpointData() []checkpoint.PodDevicesEntry {
+func (pdev *podDevices) toCheckpointData(logger klog.Logger) []checkpoint.PodDevicesEntry {
 	var data []checkpoint.PodDevicesEntry
 	pdev.RLock()
 	defer pdev.RUnlock()
@@ -206,13 +206,13 @@ func (pdev *podDevices) toCheckpointData() []checkpoint.PodDevicesEntry {
 		for conName, resources := range containerDevices {
 			for resource, devices := range resources {
 				if devices.allocResp == nil {
-					klog.ErrorS(nil, "Can't marshal allocResp, allocation response is missing", "podUID", podUID, "containerName", conName, "resourceName", resource)
+					logger.Error(nil, "Can't marshal allocResp, allocation response is missing", "podUID", podUID, "containerName", conName, "resourceName", resource)
 					continue
 				}
 
 				allocResp, err := proto.Marshal(devices.allocResp)
 				if err != nil {
-					klog.ErrorS(err, "Can't marshal allocResp", "podUID", podUID, "containerName", conName, "resourceName", resource)
+					logger.Error(err, "Can't marshal allocResp", "podUID", podUID, "containerName", conName, "resourceName", resource)
 					continue
 				}
 				data = append(data, checkpoint.PodDevicesEntry{
@@ -228,15 +228,15 @@ func (pdev *podDevices) toCheckpointData() []checkpoint.PodDevicesEntry {
 }
 
 // Populates podDevices from the passed in checkpointData.
-func (pdev *podDevices) fromCheckpointData(data []checkpoint.PodDevicesEntry) {
+func (pdev *podDevices) fromCheckpointData(logger klog.Logger, data []checkpoint.PodDevicesEntry) {
 	for _, entry := range data {
-		klog.V(2).InfoS("Get checkpoint entry",
+		logger.V(2).Info("Get checkpoint entry",
 			"podUID", entry.PodUID, "containerName", entry.ContainerName,
 			"resourceName", entry.ResourceName, "deviceIDs", entry.DeviceIDs, "allocated", entry.AllocResp)
 		allocResp := &pluginapi.ContainerAllocateResponse{}
 		err := proto.Unmarshal(entry.AllocResp, allocResp)
 		if err != nil {
-			klog.ErrorS(err, "Can't unmarshal allocResp", "podUID", entry.PodUID, "containerName", entry.ContainerName, "resourceName", entry.ResourceName)
+			logger.Error(err, "Can't unmarshal allocResp", "podUID", entry.PodUID, "containerName", entry.ContainerName, "resourceName", entry.ResourceName)
 			continue
 		}
 		pdev.insert(entry.PodUID, entry.ContainerName, entry.ResourceName, entry.DeviceIDs, allocResp)
@@ -244,7 +244,7 @@ func (pdev *podDevices) fromCheckpointData(data []checkpoint.PodDevicesEntry) {
 }
 
 // Returns combined container runtime settings to consume the container's allocated devices.
-func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *DeviceRunContainerOptions {
+func (pdev *podDevices) deviceRunContainerOptions(logger klog.Logger, podUID, contName string) *DeviceRunContainerOptions {
 	pdev.RLock()
 	defer pdev.RUnlock()
 
@@ -277,13 +277,13 @@ func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *Devi
 		// Updates RunContainerOptions.Envs.
 		for k, v := range resp.Envs {
 			if e, ok := envsMap[k]; ok {
-				klog.V(4).InfoS("Skip existing env", "envKey", k, "envValue", v)
+				logger.V(4).Info("Skip existing env", "envKey", k, "envValue", v)
 				if e != v {
-					klog.ErrorS(nil, "Environment variable has conflicting setting", "envKey", k, "expected", v, "got", e)
+					logger.Error(nil, "Environment variable has conflicting setting", "envKey", k, "expected", v, "got", e)
 				}
 				continue
 			}
-			klog.V(4).InfoS("Add env", "envKey", k, "envValue", v)
+			logger.V(4).Info("Add env", "envKey", k, "envValue", v)
 			envsMap[k] = v
 			opts.Envs = append(opts.Envs, kubecontainer.EnvVar{Name: k, Value: v})
 		}
@@ -291,14 +291,14 @@ func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *Devi
 		// Updates RunContainerOptions.Devices.
 		for _, dev := range resp.Devices {
 			if d, ok := devsMap[dev.ContainerPath]; ok {
-				klog.V(4).InfoS("Skip existing device", "containerPath", dev.ContainerPath, "hostPath", dev.HostPath)
+				logger.V(4).Info("Skip existing device", "containerPath", dev.ContainerPath, "hostPath", dev.HostPath)
 				if d != dev.HostPath {
-					klog.ErrorS(nil, "Container device has conflicting mapping host devices",
+					logger.Error(nil, "Container device has conflicting mapping host devices",
 						"containerPath", dev.ContainerPath, "got", d, "expected", dev.HostPath)
 				}
 				continue
 			}
-			klog.V(4).InfoS("Add device", "containerPath", dev.ContainerPath, "hostPath", dev.HostPath)
+			logger.V(4).Info("Add device", "containerPath", dev.ContainerPath, "hostPath", dev.HostPath)
 			devsMap[dev.ContainerPath] = dev.HostPath
 			opts.Devices = append(opts.Devices, kubecontainer.DeviceInfo{
 				PathOnHost:      dev.HostPath,
@@ -310,14 +310,14 @@ func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *Devi
 		// Updates RunContainerOptions.Mounts.
 		for _, mount := range resp.Mounts {
 			if m, ok := mountsMap[mount.ContainerPath]; ok {
-				klog.V(4).InfoS("Skip existing mount", "containerPath", mount.ContainerPath, "hostPath", mount.HostPath)
+				logger.V(4).Info("Skip existing mount", "containerPath", mount.ContainerPath, "hostPath", mount.HostPath)
 				if m != mount.HostPath {
-					klog.ErrorS(nil, "Container mount has conflicting mapping host mounts",
+					logger.Error(nil, "Container mount has conflicting mapping host mounts",
 						"containerPath", mount.ContainerPath, "conflictingPath", m, "hostPath", mount.HostPath)
 				}
 				continue
 			}
-			klog.V(4).InfoS("Add mount", "containerPath", mount.ContainerPath, "hostPath", mount.HostPath)
+			logger.V(4).Info("Add mount", "containerPath", mount.ContainerPath, "hostPath", mount.HostPath)
 			mountsMap[mount.ContainerPath] = mount.HostPath
 			opts.Mounts = append(opts.Mounts, kubecontainer.Mount{
 				Name:          mount.ContainerPath,
@@ -332,19 +332,19 @@ func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *Devi
 		// Updates for Annotations
 		for k, v := range resp.Annotations {
 			if e, ok := annotationsMap[k]; ok {
-				klog.V(4).InfoS("Skip existing annotation", "annotationKey", k, "annotationValue", v)
+				logger.V(4).Info("Skip existing annotation", "annotationKey", k, "annotationValue", v)
 				if e != v {
-					klog.ErrorS(nil, "Annotation has conflicting setting", "annotationKey", k, "expected", e, "got", v)
+					logger.Error(nil, "Annotation has conflicting setting", "annotationKey", k, "expected", e, "got", v)
 				}
 				continue
 			}
-			klog.V(4).InfoS("Add annotation", "annotationKey", k, "annotationValue", v)
+			logger.V(4).Info("Add annotation", "annotationKey", k, "annotationValue", v)
 			annotationsMap[k] = v
 			opts.Annotations = append(opts.Annotations, kubecontainer.Annotation{Name: k, Value: v})
 		}
 
 		// Updates for CDI devices.
-		cdiDevices := getCDIDeviceInfo(resp, allCDIDevices)
+		cdiDevices := getCDIDeviceInfo(logger, resp, allCDIDevices)
 		opts.CDIDevices = append(opts.CDIDevices, cdiDevices...)
 	}
 
@@ -352,14 +352,14 @@ func (pdev *podDevices) deviceRunContainerOptions(podUID, contName string) *Devi
 }
 
 // getCDIDeviceInfo returns CDI devices from an allocate response
-func getCDIDeviceInfo(resp *pluginapi.ContainerAllocateResponse, knownCDIDevices sets.Set[string]) []kubecontainer.CDIDevice {
+func getCDIDeviceInfo(logger klog.Logger, resp *pluginapi.ContainerAllocateResponse, knownCDIDevices sets.Set[string]) []kubecontainer.CDIDevice {
 	var cdiDevices []kubecontainer.CDIDevice
 	for _, cdiDevice := range resp.CdiDevices {
 		if knownCDIDevices.Has(cdiDevice.Name) {
-			klog.V(4).InfoS("Skip existing CDI Device", "name", cdiDevice.Name)
+			logger.V(4).Info("Skip existing CDI Device", "name", cdiDevice.Name)
 			continue
 		}
-		klog.V(4).InfoS("Add CDI device", "name", cdiDevice.Name)
+		logger.V(4).Info("Add CDI device", "name", cdiDevice.Name)
 		knownCDIDevices.Insert(cdiDevice.Name)
 
 		device := kubecontainer.CDIDevice{
diff --git a/pkg/kubelet/cm/devicemanager/pod_devices_test.go b/pkg/kubelet/cm/devicemanager/pod_devices_test.go
index b0c71086975ae..0e4d9f982d0e7 100644
--- a/pkg/kubelet/cm/devicemanager/pod_devices_test.go
+++ b/pkg/kubelet/cm/devicemanager/pod_devices_test.go
@@ -27,6 +27,7 @@ import (
 	pluginapi "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/devicemanager/checkpoint"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestGetContainerDevices(t *testing.T) {
@@ -157,6 +158,7 @@ func expectResourceDeviceInstances(t *testing.T, resp ResourceDeviceInstances, e
 }
 
 func TestDeviceRunContainerOptions(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	const (
 		podUID        = "pod"
 		containerName = "container"
@@ -239,7 +241,7 @@ func TestDeviceRunContainerOptions(t *testing.T) {
 					response,
 				)
 			}
-			opts := podDevices.deviceRunContainerOptions(podUID, containerName)
+			opts := podDevices.deviceRunContainerOptions(logger, podUID, containerName)
 
 			// The exact ordering of the options depends on the order of the resources in the map.
 			// We therefore use `ElementsMatch` instead of `Equal` on the member slices.
diff --git a/pkg/kubelet/cm/devicemanager/topology_hints.go b/pkg/kubelet/cm/devicemanager/topology_hints.go
index f4d7fa73a8af2..8846122a3d769 100644
--- a/pkg/kubelet/cm/devicemanager/topology_hints.go
+++ b/pkg/kubelet/cm/devicemanager/topology_hints.go
@@ -31,6 +31,9 @@ import (
 // ensures the Device Manager is consulted when Topology Aware Hints for each
 // container are created.
 func (m *ManagerImpl) GetTopologyHints(pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	// Garbage collect any stranded device resources before providing TopologyHints
 	m.UpdateAllocatedDevices()
 
@@ -43,7 +46,7 @@ func (m *ManagerImpl) GetTopologyHints(pod *v1.Pod, container *v1.Container) map
 	for resource, requested := range accumulatedResourceRequests {
 		// Only consider devices that actually contain topology information.
 		if aligned := m.deviceHasTopologyAlignment(resource); !aligned {
-			klog.InfoS("Resource does not have a topology preference", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested)
+			logger.Info("Resource does not have a topology preference", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested)
 			deviceHints[resource] = nil
 			continue
 		}
@@ -54,11 +57,11 @@ func (m *ManagerImpl) GetTopologyHints(pod *v1.Pod, container *v1.Container) map
 		allocated := m.podDevices.containerDevices(string(pod.UID), container.Name, resource)
 		if allocated.Len() > 0 {
 			if allocated.Len() != requested {
-				klog.InfoS("Resource already allocated to pod with different number than request", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested, "allocated", allocated.Len())
+				logger.Info("Resource already allocated to pod with different number than request", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested, "allocated", allocated.Len())
 				deviceHints[resource] = []topologymanager.TopologyHint{}
 				continue
 			}
-			klog.InfoS("Regenerating TopologyHints for resource already allocated to pod", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name)
+			logger.Info("Regenerating TopologyHints for resource already allocated to pod", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name)
 			deviceHints[resource] = m.generateDeviceTopologyHints(resource, allocated, sets.Set[string]{}, requested)
 			continue
 		}
@@ -67,7 +70,7 @@ func (m *ManagerImpl) GetTopologyHints(pod *v1.Pod, container *v1.Container) map
 		available := m.getAvailableDevices(resource)
 		reusable := m.devicesToReuse[string(pod.UID)][resource]
 		if available.Union(reusable).Len() < requested {
-			klog.InfoS("Unable to generate topology hints: requested number of devices unavailable", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested, "available", available.Union(reusable).Len())
+			logger.Info("Unable to generate topology hints: requested number of devices unavailable", "resourceName", resource, "pod", klog.KObj(pod), "containerName", container.Name, "request", requested, "available", available.Union(reusable).Len())
 			deviceHints[resource] = []topologymanager.TopologyHint{}
 			continue
 		}
@@ -83,6 +86,9 @@ func (m *ManagerImpl) GetTopologyHints(pod *v1.Pod, container *v1.Container) map
 // GetPodTopologyHints implements the topologymanager.HintProvider Interface which
 // ensures the Device Manager is consulted when Topology Aware Hints for Pod are created.
 func (m *ManagerImpl) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	// Garbage collect any stranded device resources before providing TopologyHints
 	m.UpdateAllocatedDevices()
 
@@ -94,7 +100,7 @@ func (m *ManagerImpl) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymana
 	for resource, requested := range accumulatedResourceRequests {
 		// Only consider devices that actually contain topology information.
 		if aligned := m.deviceHasTopologyAlignment(resource); !aligned {
-			klog.InfoS("Resource does not have a topology preference", "resourceName", resource, "pod", klog.KObj(pod), "request", requested)
+			logger.Info("Resource does not have a topology preference", "resourceName", resource, "pod", klog.KObj(pod), "request", requested)
 			deviceHints[resource] = nil
 			continue
 		}
@@ -105,11 +111,11 @@ func (m *ManagerImpl) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymana
 		allocated := m.podDevices.podDevices(string(pod.UID), resource)
 		if allocated.Len() > 0 {
 			if allocated.Len() != requested {
-				klog.InfoS("Resource already allocated to pod with different number than request", "resourceName", resource, "pod", klog.KObj(pod), "request", requested, "allocated", allocated.Len())
+				logger.Info("Resource already allocated to pod with different number than request", "resourceName", resource, "pod", klog.KObj(pod), "request", requested, "allocated", allocated.Len())
 				deviceHints[resource] = []topologymanager.TopologyHint{}
 				continue
 			}
-			klog.InfoS("Regenerating TopologyHints for resource already allocated to pod", "resourceName", resource, "pod", klog.KObj(pod), "allocated", allocated.Len())
+			logger.Info("Regenerating TopologyHints for resource already allocated to pod", "resourceName", resource, "pod", klog.KObj(pod), "allocated", allocated.Len())
 			deviceHints[resource] = m.generateDeviceTopologyHints(resource, allocated, sets.Set[string]{}, requested)
 			continue
 		}
@@ -117,7 +123,7 @@ func (m *ManagerImpl) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymana
 		// Get the list of available devices, for which TopologyHints should be generated.
 		available := m.getAvailableDevices(resource)
 		if available.Len() < requested {
-			klog.InfoS("Unable to generate topology hints: requested number of devices unavailable", "resourceName", resource, "pod", klog.KObj(pod), "request", requested, "available", available.Len())
+			logger.Info("Unable to generate topology hints: requested number of devices unavailable", "resourceName", resource, "pod", klog.KObj(pod), "request", requested, "available", available.Len())
 			deviceHints[resource] = []topologymanager.TopologyHint{}
 			continue
 		}
diff --git a/pkg/kubelet/cm/devicemanager/topology_hints_test.go b/pkg/kubelet/cm/devicemanager/topology_hints_test.go
index 2ab1e957fcfb7..53ea645a3af68 100644
--- a/pkg/kubelet/cm/devicemanager/topology_hints_test.go
+++ b/pkg/kubelet/cm/devicemanager/topology_hints_test.go
@@ -29,6 +29,7 @@ import (
 	pluginapi "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/bitmask"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 type mockAffinityStore struct {
@@ -109,6 +110,7 @@ func TestGetTopologyHints(t *testing.T) {
 }
 
 func TestTopologyAlignedAllocation(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	tcases := []struct {
 		description                 string
 		resource                    string
@@ -441,7 +443,7 @@ func TestTopologyAlignedAllocation(t *testing.T) {
 			}
 		}
 
-		allocated, err := m.devicesToAllocate("podUID", "containerName", tc.resource, tc.request, sets.New[string]())
+		allocated, err := m.devicesToAllocate(tCtx, "podUID", "containerName", tc.resource, tc.request, sets.New[string]())
 		if err != nil {
 			t.Errorf("Unexpected error: %v", err)
 			continue
@@ -471,6 +473,7 @@ func TestTopologyAlignedAllocation(t *testing.T) {
 }
 
 func TestGetPreferredAllocationParameters(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	tcases := []struct {
 		description         string
 		resource            string
@@ -639,7 +642,7 @@ func TestGetPreferredAllocationParameters(t *testing.T) {
 			opts: &pluginapi.DevicePluginOptions{GetPreferredAllocationAvailable: true},
 		}
 
-		_, err := m.devicesToAllocate("podUID", "containerName", tc.resource, tc.request, sets.New[string](tc.reusableDevices...))
+		_, err := m.devicesToAllocate(tCtx, "podUID", "containerName", tc.resource, tc.request, sets.New[string](tc.reusableDevices...))
 		if err != nil {
 			t.Errorf("Unexpected error: %v", err)
 			continue
diff --git a/pkg/kubelet/cm/devicemanager/types.go b/pkg/kubelet/cm/devicemanager/types.go
index bdf0b27d67338..b377443c434c2 100644
--- a/pkg/kubelet/cm/devicemanager/types.go
+++ b/pkg/kubelet/cm/devicemanager/types.go
@@ -17,11 +17,13 @@ limitations under the License.
 package devicemanager
 
 import (
+	"context"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/server/healthz"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/containermap"
 	"k8s.io/kubernetes/pkg/kubelet/cm/resourceupdates"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
@@ -35,7 +37,7 @@ import (
 // Manager manages all the Device Plugins running on a node.
 type Manager interface {
 	// Start starts device plugin registration service.
-	Start(activePods ActivePodsFunc, sourcesReady config.SourcesReady, initialContainers containermap.ContainerMap, initialContainerRunningSet sets.Set[string]) error
+	Start(logger klog.Logger, activePods ActivePodsFunc, sourcesReady config.SourcesReady, initialContainers containermap.ContainerMap, initialContainerRunningSet sets.Set[string]) error
 
 	// Allocate configures and assigns devices to a container in a pod. From
 	// the requested device resources, Allocate will communicate with the
@@ -50,12 +52,12 @@ type Manager interface {
 	UpdatePluginResources(node *schedulerframework.NodeInfo, attrs *lifecycle.PodAdmitAttributes) error
 
 	// Stop stops the manager.
-	Stop() error
+	Stop(logger klog.Logger) error
 
 	// GetDeviceRunContainerOptions checks whether we have cached containerDevices
 	// for the passed-in <pod, container> and returns its DeviceRunContainerOptions
 	// for the found one. An empty struct is returned in case no cached state is found.
-	GetDeviceRunContainerOptions(pod *v1.Pod, container *v1.Container) (*DeviceRunContainerOptions, error)
+	GetDeviceRunContainerOptions(ctx context.Context, pod *v1.Pod, container *v1.Container) (*DeviceRunContainerOptions, error)
 
 	// GetCapacity returns the amount of available device plugin resource capacity, resource allocatable
 	// and inactive device plugin resources previously registered on the node.
diff --git a/pkg/kubelet/cm/dra/healthinfo.go b/pkg/kubelet/cm/dra/healthinfo.go
index b389192c3b046..47f7ef12c7b9a 100644
--- a/pkg/kubelet/cm/dra/healthinfo.go
+++ b/pkg/kubelet/cm/dra/healthinfo.go
@@ -28,9 +28,9 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/cm/dra/state"
 )
 
-// TODO(#133118): Make health timeout configurable.
 const (
-	healthTimeout = 30 * time.Second
+	// DefaultHealthTimeout is the default timeout for device health checks when not specified by the plugin
+	DefaultHealthTimeout = 30 * time.Second
 )
 
 // healthInfoCache is a cache of known device health.
@@ -129,7 +129,14 @@ func (cache *healthInfoCache) getHealthInfo(driverName, poolName, deviceName str
 		if driver, ok := (*cache.HealthInfo)[driverName]; ok {
 			key := poolName + "/" + deviceName
 			if device, ok := driver.Devices[key]; ok {
-				if now.Sub(device.LastUpdated) > healthTimeout {
+				// Use device-specific timeout if set, otherwise use default
+				timeout := device.HealthCheckTimeout
+				if timeout == 0 {
+					timeout = DefaultHealthTimeout
+				}
+
+				// Check if device health has timed out
+				if now.Sub(device.LastUpdated) > timeout {
 					res = state.DeviceHealthStatusUnknown
 				} else {
 					res = device.Health
@@ -166,7 +173,7 @@ func (cache *healthInfoCache) updateHealthInfo(driverName string, devices []stat
 
 			existingDevice, ok := currentDriver.Devices[key]
 
-			if !ok || existingDevice.Health != reportedDevice.Health {
+			if !ok || existingDevice.Health != reportedDevice.Health || existingDevice.HealthCheckTimeout != reportedDevice.HealthCheckTimeout {
 				changedDevices = append(changedDevices, reportedDevice)
 			}
 
@@ -178,7 +185,14 @@ func (cache *healthInfoCache) updateHealthInfo(driverName string, devices []stat
 		// them. Mark them as "Unknown" if their status has timed out.
 		for key, existingDevice := range currentDriver.Devices {
 			if _, wasReported := reportedKeys[key]; !wasReported {
-				if existingDevice.Health != state.DeviceHealthStatusUnknown && now.Sub(existingDevice.LastUpdated) > healthTimeout {
+				// Use device-specific timeout if set, otherwise use default
+				timeout := existingDevice.HealthCheckTimeout
+				if timeout == 0 {
+					timeout = DefaultHealthTimeout
+				}
+
+				// Mark as unknown if the device health has timed out
+				if existingDevice.Health != state.DeviceHealthStatusUnknown && now.Sub(existingDevice.LastUpdated) > timeout {
 					existingDevice.Health = state.DeviceHealthStatusUnknown
 					existingDevice.LastUpdated = now
 					currentDriver.Devices[key] = existingDevice
diff --git a/pkg/kubelet/cm/dra/healthinfo_test.go b/pkg/kubelet/cm/dra/healthinfo_test.go
index 3100b642d1b32..947ef515f686d 100644
--- a/pkg/kubelet/cm/dra/healthinfo_test.go
+++ b/pkg/kubelet/cm/dra/healthinfo_test.go
@@ -38,9 +38,10 @@ const (
 
 var (
 	testDeviceHealth = state.DeviceHealth{
-		PoolName:   testPool,
-		DeviceName: testDevice,
-		Health:     state.DeviceHealthStatusHealthy,
+		PoolName:           testPool,
+		DeviceName:         testDevice,
+		Health:             state.DeviceHealthStatusHealthy,
+		HealthCheckTimeout: DefaultHealthTimeout,
 	}
 )
 
@@ -206,7 +207,7 @@ func TestGetHealthInfo(t *testing.T) {
 		driverState := (*cache.HealthInfo)[testDriver]
 		deviceKey := testPool + "/" + testDevice
 		device := driverState.Devices[deviceKey]
-		device.LastUpdated = time.Now().Add((-healthTimeout) - time.Second)
+		device.LastUpdated = time.Now().Add((-DefaultHealthTimeout) - time.Second)
 		driverState.Devices[deviceKey] = device
 		(*cache.HealthInfo)[testDriver] = driverState
 		return nil
@@ -237,7 +238,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device exists and is healthy",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -249,7 +250,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device exists and is unhealthy",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusUnhealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusUnhealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -261,7 +262,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device exists but timed out",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * healthTimeout) - time.Second)},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * DefaultHealthTimeout) - time.Second), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -273,7 +274,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device exists, just within timeout",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * healthTimeout) + time.Second)},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * DefaultHealthTimeout) + time.Second), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -285,7 +286,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device does not exist, just outside of timeout",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * healthTimeout) - time.Second)},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now().Add((-1 * DefaultHealthTimeout) - time.Second), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -297,7 +298,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "device does not exist",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -309,7 +310,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "driver does not exist",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     "driver2",
@@ -321,7 +322,7 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "pool does not exist",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -333,8 +334,8 @@ func TestGetHealthInfoRobust(t *testing.T) {
 			name: "multiple devices",
 			initialState: &state.DevicesHealthMap{
 				testDriver: {Devices: map[string]state.DeviceHealth{
-					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now()},
-					testPool + "/device2":       {PoolName: testPool, DeviceName: "device2", Health: state.DeviceHealthStatusUnhealthy, LastUpdated: time.Now()},
+					testPool + "/" + testDevice: {PoolName: testPool, DeviceName: testDevice, Health: state.DeviceHealthStatusHealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
+					testPool + "/device2":       {PoolName: testPool, DeviceName: "device2", Health: state.DeviceHealthStatusUnhealthy, LastUpdated: time.Now(), HealthCheckTimeout: DefaultHealthTimeout},
 				}},
 			},
 			driverName:     testDriver,
@@ -382,7 +383,7 @@ func TestUpdateHealthInfo(t *testing.T) {
 	assert.Equal(t, state.DeviceHealthStatusUnhealthy, cache.getHealthInfo(testDriver, testPool, testDevice))
 
 	// 4 -- Add second device, omit first
-	secondDevice := state.DeviceHealth{PoolName: testPool, DeviceName: "device2", Health: state.DeviceHealthStatusHealthy}
+	secondDevice := state.DeviceHealth{PoolName: testPool, DeviceName: "device2", Health: state.DeviceHealthStatusHealthy, HealthCheckTimeout: DefaultHealthTimeout}
 	// When the first device is omitted, it should be marked as "Unknown" after a timeout.
 	// For this test, we simulate the timeout by not reporting it.
 	firstDeviceAsUnknown := newHealth
@@ -392,7 +393,7 @@ func TestUpdateHealthInfo(t *testing.T) {
 	err = cache.withLock(func() error {
 		deviceKey := testPool + "/" + testDevice
 		device := (*cache.HealthInfo)[testDriver].Devices[deviceKey]
-		device.LastUpdated = time.Now().Add(-healthTimeout * 2)
+		device.LastUpdated = time.Now().Add(-DefaultHealthTimeout * 2)
 		(*cache.HealthInfo)[testDriver].Devices[deviceKey] = device
 		return nil
 	})
@@ -411,7 +412,7 @@ func TestUpdateHealthInfo(t *testing.T) {
 	assert.Equal(t, state.DeviceHealthStatusUnknown, cache2.getHealthInfo(testDriver, testPool, testDevice))
 
 	// 6 -- Test how updateHealthInfo handles device timeouts
-	timeoutDevice := state.DeviceHealth{PoolName: testPool, DeviceName: "timeoutDevice", Health: "Unhealthy"}
+	timeoutDevice := state.DeviceHealth{PoolName: testPool, DeviceName: "timeoutDevice", Health: "Unhealthy", HealthCheckTimeout: DefaultHealthTimeout}
 	_, err = cache.updateHealthInfo(testDriver, []state.DeviceHealth{timeoutDevice})
 	require.NoError(t, err)
 
@@ -420,14 +421,14 @@ func TestUpdateHealthInfo(t *testing.T) {
 		driverState := (*cache.HealthInfo)[testDriver]
 		deviceKey := testPool + "/timeoutDevice"
 		device := driverState.Devices[deviceKey]
-		device.LastUpdated = time.Now().Add((-healthTimeout) - time.Second)
+		device.LastUpdated = time.Now().Add((-DefaultHealthTimeout) - time.Second)
 		driverState.Devices[deviceKey] = device
 		(*cache.HealthInfo)[testDriver] = driverState
 		return nil
 	})
 	require.NoError(t, err)
 
-	expectedTimeoutDeviceUnknown := state.DeviceHealth{PoolName: testPool, DeviceName: "timeoutDevice", Health: state.DeviceHealthStatusUnknown}
+	expectedTimeoutDeviceUnknown := state.DeviceHealth{PoolName: testPool, DeviceName: "timeoutDevice", Health: state.DeviceHealthStatusUnknown, HealthCheckTimeout: DefaultHealthTimeout}
 	expectedChanged6 := []state.DeviceHealth{expectedTimeoutDeviceUnknown}
 	changedDevices, err = cache.updateHealthInfo(testDriver, []state.DeviceHealth{})
 	require.NoError(t, err)
diff --git a/pkg/kubelet/cm/dra/manager.go b/pkg/kubelet/cm/dra/manager.go
index 9d034a091a566..d37747ec18ac4 100644
--- a/pkg/kubelet/cm/dra/manager.go
+++ b/pkg/kubelet/cm/dra/manager.go
@@ -39,7 +39,6 @@ import (
 
 	drahealthv1alpha1 "k8s.io/kubelet/pkg/apis/dra-health/v1alpha1"
 	drapb "k8s.io/kubelet/pkg/apis/dra/v1"
-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
 	draplugin "k8s.io/kubernetes/pkg/kubelet/cm/dra/plugin"
 	"k8s.io/kubernetes/pkg/kubelet/cm/dra/state"
@@ -48,6 +47,7 @@ import (
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	kubeletmetrics "k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
+	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
 )
 
 // draManagerStateFileName is the file name where dra manager stores its state
@@ -359,10 +359,10 @@ func (m *Manager) prepareResources(ctx context.Context, pod *v1.Pod) error {
 				return fmt.Errorf("checkpoint ResourceClaim cache: %w", err)
 			}
 
-			// If this claim is already prepared, there is no need to prepare it again.
+			// If this claim is already prepared, continue preparing for any remaining claims.
 			if claimInfo.isPrepared() {
 				logger.V(5).Info("Resources already prepared", "pod", klog.KObj(pod), "podClaim", podClaim.Name, "claim", klog.KObj(resourceClaim))
-				return nil
+				continue
 			}
 
 			// This saved claim will be used to update ClaimInfo cache
@@ -372,7 +372,7 @@ func (m *Manager) prepareResources(ctx context.Context, pod *v1.Pod) error {
 			// Loop through all drivers and prepare for calling NodePrepareResources.
 			claim := &drapb.Claim{
 				Namespace: claimInfo.Namespace,
-				UID:       string(claimInfo.ClaimUID),
+				Uid:       string(claimInfo.ClaimUID),
 				Name:      claimInfo.ClaimName,
 			}
 			for driverName := range claimInfo.DriverState {
@@ -417,7 +417,9 @@ func (m *Manager) prepareResources(ctx context.Context, pod *v1.Pod) error {
 					return fmt.Errorf("internal error: unable to get claim info for ResourceClaim %s", claim.Name)
 				}
 				for _, device := range result.GetDevices() {
-					info.addDevice(plugin.DriverName(), state.Device{PoolName: device.PoolName, DeviceName: device.DeviceName, RequestNames: device.RequestNames, CDIDeviceIDs: device.CDIDeviceIDs})
+					info.addDevice(plugin.DriverName(), state.Device{PoolName: device.PoolName,
+						DeviceName: device.DeviceName, ShareID: (*types.UID)(device.ShareId),
+						RequestNames: device.RequestNames, CDIDeviceIDs: device.CdiDeviceIds})
 				}
 				return nil
 			})
@@ -462,7 +464,7 @@ func (m *Manager) prepareResources(ctx context.Context, pod *v1.Pod) error {
 
 func lookupClaimRequest(claims []*drapb.Claim, claimUID string) *drapb.Claim {
 	for _, claim := range claims {
-		if claim.UID == claimUID {
+		if claim.Uid == claimUID {
 			return claim
 		}
 	}
@@ -526,18 +528,14 @@ func (m *Manager) GetResources(pod *v1.Pod, container *v1.Container) (*Container
 					// We only care about the resources requested by the pod
 					continue
 				}
-				if v1helper.IsExtendedResourceName(rName) {
-					requestName := ""
+				if schedutil.IsDRAExtendedResourceName(rName) {
 					for _, rm := range pod.Status.ExtendedResourceClaimStatus.RequestMappings {
+						// allow multiple device requests per container per resource.
 						if rm.ContainerName == container.Name && rm.ResourceName == rName.String() {
-							requestName = rm.RequestName
-							break
+							// As of Kubernetes 1.31, CDI device IDs are not passed via annotations anymore.
+							cdiDevices = append(cdiDevices, claimInfo.cdiDevicesAsList(rm.RequestName)...)
 						}
 					}
-					if requestName != "" {
-						// As of Kubernetes 1.31, CDI device IDs are not passed via annotations anymore.
-						cdiDevices = append(cdiDevices, claimInfo.cdiDevicesAsList(requestName)...)
-					}
 				}
 			}
 			return nil
@@ -622,7 +620,7 @@ func (m *Manager) unprepareResources(ctx context.Context, podUID types.UID, name
 			// Loop through all drivers and prepare for calling NodeUnprepareResources.
 			claim := &drapb.Claim{
 				Namespace: claimInfo.Namespace,
-				UID:       string(claimInfo.ClaimUID),
+				Uid:       string(claimInfo.ClaimUID),
 				Name:      claimInfo.ClaimName,
 			}
 			for driverName := range claimInfo.DriverState {
@@ -778,116 +776,116 @@ func (m *Manager) GetContainerClaimInfos(pod *v1.Pod, container *v1.Container) (
 // UpdateAllocatedResourcesStatus updates the health status of allocated DRA resources in the pod's container statuses.
 func (m *Manager) UpdateAllocatedResourcesStatus(pod *v1.Pod, status *v1.PodStatus) {
 	logger := klog.FromContext(context.Background())
-	for _, container := range pod.Spec.Containers {
-		// Get all the DRA claim details associated with this specific container.
-		claimInfos, err := m.GetContainerClaimInfos(pod, &container)
-		if err != nil {
-			logger.Error(err, "Failed to get claim infos for container", "pod", klog.KObj(pod), "container", container.Name)
+	for i := range status.ContainerStatuses {
+		containerStatus := &status.ContainerStatuses[i]
+
+		// Find the corresponding container spec in the pod spec.
+		var containerSpec *v1.Container
+		for j := range pod.Spec.Containers {
+			if pod.Spec.Containers[j].Name == containerStatus.Name {
+				containerSpec = &pod.Spec.Containers[j]
+				break
+			}
+		}
+
+		// Skip if there's no matching container spec or it has no resource claims.
+		if containerSpec == nil || len(containerSpec.Resources.Claims) == 0 {
 			continue
 		}
 
-		// Find the corresponding container status
-		for i, containerStatus := range status.ContainerStatuses {
-			if containerStatus.Name != container.Name {
-				continue
+		resourceStatusMap := make(map[v1.ResourceName]*v1.ResourceStatus)
+		if containerStatus.AllocatedResourcesStatus != nil {
+			for j := range containerStatus.AllocatedResourcesStatus {
+				resourceStatusMap[containerStatus.AllocatedResourcesStatus[j].Name] = &containerStatus.AllocatedResourcesStatus[j]
 			}
+		}
 
-			// Ensure the slice exists. Use a map for efficient updates by resource name.
-			resourceStatusMap := make(map[v1.ResourceName]*v1.ResourceStatus)
-			if status.ContainerStatuses[i].AllocatedResourcesStatus != nil {
-				for idx := range status.ContainerStatuses[i].AllocatedResourcesStatus {
-					// Store pointers to modify in place
-					resourceStatusMap[status.ContainerStatuses[i].AllocatedResourcesStatus[idx].Name] = &status.ContainerStatuses[i].AllocatedResourcesStatus[idx]
+		// Iterate through the claims requested by this specific container.
+		for _, claim := range containerSpec.Resources.Claims {
+			// Find the actual name of the ResourceClaim object.
+			var actualClaimName string
+			for _, podClaimStatus := range pod.Status.ResourceClaimStatuses {
+				if podClaimStatus.Name == claim.Name {
+					if podClaimStatus.ResourceClaimName != nil {
+						actualClaimName = *podClaimStatus.ResourceClaimName
+					}
+					break
 				}
-			} else {
-				status.ContainerStatuses[i].AllocatedResourcesStatus = []v1.ResourceStatus{}
 			}
 
-			// Loop through each claim associated with the container
-			for _, claimInfo := range claimInfos {
-				var resourceName v1.ResourceName
-				foundClaimInSpec := false
-				for _, cClaim := range container.Resources.Claims {
-					if cClaim.Name == claimInfo.ClaimName {
-						if cClaim.Request == "" {
-							resourceName = v1.ResourceName(fmt.Sprintf("claim:%s", cClaim.Name))
-						} else {
-							resourceName = v1.ResourceName(fmt.Sprintf("claim:%s/%s", cClaim.Name, cClaim.Request))
-						}
-						foundClaimInSpec = true
-						break
-					}
+			if actualClaimName == "" {
+				logger.V(4).Info("Could not find generated name for resource claim in pod status", "pod", klog.KObj(pod), "container", containerSpec.Name, "claimName", claim.Name)
+				continue
+			}
+
+			func() {
+				m.cache.RLock()
+				defer m.cache.RUnlock()
+
+				// Use the actual claim name to look up claim info.
+				claimInfo, exists := m.cache.get(actualClaimName, pod.Namespace)
+				if !exists {
+					logger.V(4).Info("Could not find claim info for resource claim", "pod", klog.KObj(pod), "container", containerSpec.Name, "claimName", actualClaimName)
+					return
 				}
-				if !foundClaimInSpec {
-					logger.V(4).Info("Could not find matching resource claim in container spec", "pod", klog.KObj(pod), "container", container.Name, "claimName", claimInfo.ClaimName)
-					continue
+
+				resourceName := v1.ResourceName(fmt.Sprintf("claim:%s", claim.Name))
+				if claim.Request != "" {
+					resourceName = v1.ResourceName(fmt.Sprintf("claim:%s/%s", claim.Name, claim.Request))
 				}
 
-				// Get or create the ResourceStatus entry for this claim
 				resStatus, ok := resourceStatusMap[resourceName]
-
 				if !ok {
-					// Create a new entry and add it to the map and the slice
 					newStatus := v1.ResourceStatus{
 						Name:      resourceName,
 						Resources: []v1.ResourceHealth{},
 					}
-					status.ContainerStatuses[i].AllocatedResourcesStatus = append(status.ContainerStatuses[i].AllocatedResourcesStatus, newStatus)
-					// Get pointer to the newly added element *after* appending
-					resStatus = &status.ContainerStatuses[i].AllocatedResourcesStatus[len(status.ContainerStatuses[i].AllocatedResourcesStatus)-1]
+					// Append and get a pointer to the new element.
+					if containerStatus.AllocatedResourcesStatus == nil {
+						containerStatus.AllocatedResourcesStatus = []v1.ResourceStatus{}
+					}
+					containerStatus.AllocatedResourcesStatus = append(containerStatus.AllocatedResourcesStatus, newStatus)
+					resStatus = &containerStatus.AllocatedResourcesStatus[len(containerStatus.AllocatedResourcesStatus)-1]
 					resourceStatusMap[resourceName] = resStatus
 				}
 
-				// Clear previous health entries for this resource before adding current ones
-				// Ensures we only report current health for allocated devices.
+				// Clear previous health entries before adding current ones.
 				resStatus.Resources = []v1.ResourceHealth{}
 
-				// Iterate through the map holding the state specific to each driver
 				for driverName, driverState := range claimInfo.DriverState {
-					// Iterate through each specific device allocated by this driver
 					for _, device := range driverState.Devices {
-
 						healthStr := m.healthInfoCache.getHealthInfo(driverName, device.PoolName, device.DeviceName)
 
-						// Convert internal health string to API type
 						var health v1.ResourceHealthStatus
 						switch healthStr {
 						case "Healthy":
 							health = v1.ResourceHealthStatusHealthy
 						case "Unhealthy":
 							health = v1.ResourceHealthStatusUnhealthy
-						default: // Catches "Unknown" or any other case
+						default:
 							health = v1.ResourceHealthStatusUnknown
 						}
 
-						// Create the ResourceHealth entry
-						resourceHealth := v1.ResourceHealth{
-							Health: health,
-						}
-
-						// Use first CDI device ID as ResourceID, with fallback
+						resourceHealth := v1.ResourceHealth{Health: health}
 						if len(device.CDIDeviceIDs) > 0 {
 							resourceHealth.ResourceID = v1.ResourceID(device.CDIDeviceIDs[0])
 						} else {
-							// Fallback ID if no CDI ID is present
 							resourceHealth.ResourceID = v1.ResourceID(fmt.Sprintf("%s/%s/%s", driverName, device.PoolName, device.DeviceName))
 						}
-
-						// Append the health status for this specific device/resource ID
 						resStatus.Resources = append(resStatus.Resources, resourceHealth)
 					}
 				}
+			}()
+		}
+
+		// Rebuild the slice from map to ensure correctness and remove empty entries.
+		finalStatuses := make([]v1.ResourceStatus, 0, len(resourceStatusMap))
+		for _, rs := range resourceStatusMap {
+			if len(rs.Resources) > 0 {
+				finalStatuses = append(finalStatuses, *rs)
 			}
-			// Rebuild the slice from the map values to ensure correctness
-			finalStatuses := make([]v1.ResourceStatus, 0, len(resourceStatusMap))
-			for _, rs := range resourceStatusMap {
-				// Only add if it actually has resource health entries populated
-				if len(rs.Resources) > 0 {
-					finalStatuses = append(finalStatuses, *rs)
-				}
-			}
-			status.ContainerStatuses[i].AllocatedResourcesStatus = finalStatuses
 		}
+		containerStatus.AllocatedResourcesStatus = finalStatuses
 	}
 }
 
@@ -933,11 +931,29 @@ func (m *Manager) HandleWatchResourcesStream(ctx context.Context, stream draheal
 			default:
 				health = state.DeviceHealthStatusUnknown
 			}
+
+			// Extract the health check timeout from the gRPC response
+			// If not specified, zero, or negative, use the default timeout
+			timeout := DefaultHealthTimeout
+			timeoutSeconds := d.GetHealthCheckTimeoutSeconds()
+			if timeoutSeconds > 0 {
+				timeout = time.Duration(timeoutSeconds) * time.Second
+			} else if timeoutSeconds < 0 {
+				// Log warning for negative timeout values and use default
+				logger.V(4).Info("Ignoring negative health check timeout, using default",
+					"pluginName", pluginName,
+					"poolName", d.GetDevice().GetPoolName(),
+					"deviceName", d.GetDevice().GetDeviceName(),
+					"providedTimeout", timeoutSeconds,
+					"defaultTimeout", DefaultHealthTimeout)
+			}
+
 			devices[i] = state.DeviceHealth{
-				PoolName:    d.GetDevice().GetPoolName(),
-				DeviceName:  d.GetDevice().GetDeviceName(),
-				Health:      health,
-				LastUpdated: time.Unix(d.GetLastUpdatedTime(), 0),
+				PoolName:           d.GetDevice().GetPoolName(),
+				DeviceName:         d.GetDevice().GetDeviceName(),
+				Health:             health,
+				LastUpdated:        time.Unix(d.GetLastUpdatedTime(), 0),
+				HealthCheckTimeout: timeout,
 			}
 		}
 
diff --git a/pkg/kubelet/cm/dra/manager_test.go b/pkg/kubelet/cm/dra/manager_test.go
index d9df565583909..209a30becf245 100644
--- a/pkg/kubelet/cm/dra/manager_test.go
+++ b/pkg/kubelet/cm/dra/manager_test.go
@@ -48,7 +48,7 @@ import (
 	"k8s.io/klog/v2"
 
 	drahealthv1alpha1 "k8s.io/kubelet/pkg/apis/dra-health/v1alpha1"
-	drapb "k8s.io/kubelet/pkg/apis/dra/v1beta1"
+	drapb "k8s.io/kubelet/pkg/apis/dra/v1"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/cm/dra/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm/resourceupdates"
@@ -61,6 +61,12 @@ const (
 	containerName   = "test-container"
 )
 
+var (
+	shareID        = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+	shareUID       = types.UID(shareID)
+	testPodCounter atomic.Uint32
+)
+
 type fakeDRADriverGRPCServer struct {
 	drapb.UnimplementedDRAPluginServer
 	drahealthv1alpha1.UnimplementedDRAResourceHealthServer
@@ -83,17 +89,17 @@ func (s *fakeDRADriverGRPCServer) NodePrepareResources(ctx context.Context, req
 	}
 
 	if s.prepareResourcesResponse == nil {
-		cdiDeviceName := "claim-" + req.Claims[0].UID
+		cdiDeviceName := "claim-" + req.Claims[0].Uid
 		cdiID := s.driverName + "/" + driverClassName + "=" + cdiDeviceName
 		return &drapb.NodePrepareResourcesResponse{
 			Claims: map[string]*drapb.NodePrepareResourceResponse{
-				req.Claims[0].UID: {
+				req.Claims[0].Uid: {
 					Devices: []*drapb.Device{
 						{
 							PoolName:     poolName,
 							DeviceName:   deviceName,
 							RequestNames: []string{req.Claims[0].Name},
-							CDIDeviceIDs: []string{cdiID},
+							CdiDeviceIds: []string{cdiID},
 						},
 					},
 				},
@@ -114,7 +120,7 @@ func (s *fakeDRADriverGRPCServer) NodeUnprepareResources(ctx context.Context, re
 	if s.unprepareResourcesResponse == nil {
 		return &drapb.NodeUnprepareResourcesResponse{
 			Claims: map[string]*drapb.NodeUnprepareResourceResponse{
-				req.Claims[0].UID: {},
+				req.Claims[0].Uid: {},
 			},
 		}, nil
 	}
@@ -276,6 +282,23 @@ func setupFakeDRADriverGRPCServer(ctx context.Context, shouldTimeout bool, plugi
 	}, nil
 }
 
+func genPrepareResourcesResponse(claimUID types.UID) *drapb.NodePrepareResourcesResponse {
+	return &drapb.NodePrepareResourcesResponse{
+		Claims: map[string]*drapb.NodePrepareResourceResponse{
+			string(claimUID): {
+				Devices: []*drapb.Device{
+					{
+						PoolName:     poolName,
+						DeviceName:   deviceName,
+						RequestNames: []string{requestName},
+						CdiDeviceIds: []string{cdiID},
+					},
+				},
+			},
+		},
+	}
+}
+
 func TestNewManagerImpl(t *testing.T) {
 	kubeClient := fake.NewSimpleClientset()
 	for _, test := range []struct {
@@ -339,6 +362,45 @@ func genTestPod() *v1.Pod {
 	}
 }
 
+func genTestPodWithClaims(claimNames ...string) *v1.Pod {
+	podCounter := testPodCounter.Add(1)
+
+	podName := fmt.Sprintf("test-pod-%d", podCounter)
+	podUID := types.UID(fmt.Sprintf("test-pod-uid-%d", podCounter))
+
+	resourceClaims := make([]v1.PodResourceClaim, 0, len(claimNames))
+	containerClaims := make([]v1.ResourceClaim, 0, len(claimNames))
+
+	for _, claimName := range claimNames {
+		cn := claimName
+		resourceClaims = append(resourceClaims, v1.PodResourceClaim{
+			Name:              cn,
+			ResourceClaimName: &cn,
+		})
+		containerClaims = append(containerClaims, v1.ResourceClaim{
+			Name: cn,
+		})
+	}
+
+	return &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      podName,
+			Namespace: namespace,
+			UID:       podUID,
+		},
+		Spec: v1.PodSpec{
+			ResourceClaims: resourceClaims,
+			Containers: []v1.Container{
+				{
+					Resources: v1.ResourceRequirements{
+						Claims: containerClaims,
+					},
+				},
+			},
+		},
+	}
+}
+
 // genTestPodWithExtendedResource generates pod object
 func genTestPodWithExtendedResource() *v1.Pod {
 	return &v1.Pod{
@@ -533,6 +595,24 @@ func genClaimInfoStateWithExtendedResource(cdiDeviceID string) state.ClaimInfoSt
 	return s
 }
 
+func genClaimInfoStateWithShareID(cdiDeviceID string) state.ClaimInfoState {
+	s := state.ClaimInfoState{
+		ClaimUID:  claimUID,
+		ClaimName: claimName,
+		Namespace: namespace,
+		PodUIDs:   sets.New[string](podUID),
+		DriverState: map[string]state.DriverState{
+			driverName: {},
+		},
+	}
+	if cdiDeviceID != "" {
+		s.DriverState[driverName] = state.DriverState{Devices: []state.Device{
+			{PoolName: poolName, DeviceName: deviceName, ShareID: &shareUID, RequestNames: []string{requestName}, CDIDeviceIDs: []string{cdiDeviceID}},
+		}}
+	}
+	return s
+}
+
 func TestGetResources(t *testing.T) {
 	kubeClient := fake.NewSimpleClientset()
 
@@ -616,6 +696,7 @@ func TestPrepareResources(t *testing.T) {
 	claimName := claimName
 	fakeKubeClient := fake.NewSimpleClientset()
 	anotherClaimUID := types.UID("another-claim-uid")
+	shareUID := types.UID(shareID)
 
 	for _, test := range []struct {
 		description         string
@@ -692,18 +773,7 @@ func TestPrepareResources(t *testing.T) {
 			claim:                  genTestClaim(claimName, driverName, deviceName, podUID),
 			expectedPrepareCalls:   1,
 			expectedClaimInfoState: genClaimInfoState(cdiID),
-			resp: &drapb.NodePrepareResourcesResponse{Claims: map[string]*drapb.NodePrepareResourceResponse{
-				string(claimUID): {
-					Devices: []*drapb.Device{
-						{
-							PoolName:     poolName,
-							DeviceName:   deviceName,
-							RequestNames: []string{requestName},
-							CDIDeviceIDs: []string{cdiID},
-						},
-					},
-				},
-			}},
+			resp:                   genPrepareResourcesResponse(claimUID),
 		},
 		{
 			description:            "resource already prepared",
@@ -712,18 +782,7 @@ func TestPrepareResources(t *testing.T) {
 			claim:                  genTestClaim(claimName, driverName, deviceName, podUID),
 			claimInfo:              genTestClaimInfo(claimUID, []string{podUID}, true),
 			expectedClaimInfoState: genClaimInfoState(cdiID),
-			resp: &drapb.NodePrepareResourcesResponse{Claims: map[string]*drapb.NodePrepareResourceResponse{
-				string(claimUID): {
-					Devices: []*drapb.Device{
-						{
-							PoolName:     poolName,
-							DeviceName:   deviceName,
-							RequestNames: []string{requestName},
-							CDIDeviceIDs: []string{cdiID},
-						},
-					},
-				},
-			}},
+			resp:                   genPrepareResourcesResponse(claimUID),
 		},
 		{
 			description:          "should timeout",
@@ -740,19 +799,8 @@ func TestPrepareResources(t *testing.T) {
 			pod:                    genTestPod(),
 			claim:                  genTestClaim(claimName, driverName, deviceName, podUID),
 			expectedClaimInfoState: genClaimInfoState(cdiID),
-			resp: &drapb.NodePrepareResourcesResponse{Claims: map[string]*drapb.NodePrepareResourceResponse{
-				string(claimUID): {
-					Devices: []*drapb.Device{
-						{
-							PoolName:     poolName,
-							DeviceName:   deviceName,
-							RequestNames: []string{requestName},
-							CDIDeviceIDs: []string{cdiID},
-						},
-					},
-				},
-			}},
-			expectedPrepareCalls: 1,
+			resp:                   genPrepareResourcesResponse(claimUID),
+			expectedPrepareCalls:   1,
 		},
 		{
 			description:            "should prepare extended resource claim backed by DRA",
@@ -767,7 +815,7 @@ func TestPrepareResources(t *testing.T) {
 							PoolName:     poolName,
 							DeviceName:   deviceName,
 							RequestNames: []string{"container-0-request-0"},
-							CDIDeviceIDs: []string{cdiID},
+							CdiDeviceIds: []string{cdiID},
 						},
 					},
 				},
@@ -782,6 +830,31 @@ func TestPrepareResources(t *testing.T) {
 			claimInfo:      genTestClaimInfo(anotherClaimUID, []string{podUID}, false),
 			expectedErrMsg: fmt.Sprintf("old ResourceClaim with same name %s and different UID %s still exists", claimName, anotherClaimUID),
 		},
+		{
+			description: "should prepare resources with share id",
+			driverName:  driverName,
+			pod:         genTestPod(),
+			claim: func() *resourceapi.ResourceClaim {
+				claim := genTestClaim(claimName, driverName, deviceName, podUID)
+				claim.Status.Allocation.Devices.Results[0].ShareID = &shareUID
+				return claim
+			}(),
+			expectedClaimInfoState: genClaimInfoStateWithShareID(cdiID),
+			resp: &drapb.NodePrepareResourcesResponse{Claims: map[string]*drapb.NodePrepareResourceResponse{
+				string(claimUID): {
+					Devices: []*drapb.Device{
+						{
+							PoolName:     poolName,
+							DeviceName:   deviceName,
+							RequestNames: []string{requestName},
+							ShareId:      &shareID,
+							CdiDeviceIds: []string{cdiID},
+						},
+					},
+				},
+			}},
+			expectedPrepareCalls: 1,
+		},
 	} {
 		t.Run(test.description, func(t *testing.T) {
 			backgroundCtx, cancel := context.WithCancel(context.Background())
@@ -824,6 +897,7 @@ func TestPrepareResources(t *testing.T) {
 			}
 
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, true)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, true)
 			err = manager.PrepareResources(backgroundCtx, test.pod)
 
 			assert.Equal(t, test.expectedPrepareCalls, draServerInfo.server.prepareResourceCalls.Load())
@@ -863,6 +937,74 @@ func TestPrepareResources(t *testing.T) {
 	}
 }
 
+// TestPrepareResourcesWithPreparedAndNewClaim verifies that PrepareResources
+// correctly handles a pod that references a mix of ResourceClaims:
+// - first claim already prepared by a previous pod
+// - second claim is new and needs to be prepared
+func TestPrepareResourcesWithPreparedAndNewClaim(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
+	fakeKubeClient := fake.NewClientset()
+
+	manager, err := NewManager(logger, fakeKubeClient, t.TempDir())
+	require.NoError(t, err)
+	manager.initDRAPluginManager(tCtx, getFakeNode, time.Second)
+
+	secondClaimName := fmt.Sprintf("%s-second", claimName)
+
+	// Generate two pods where the second pod reuses an existing claim and adds a new one
+	firstPod := genTestPodWithClaims(claimName)
+	secondPod := genTestPodWithClaims(claimName, secondClaimName)
+
+	firstClaim := genTestClaim(claimName, driverName, deviceName, string(firstPod.ObjectMeta.UID))
+	secondClaim := genTestClaim(secondClaimName, driverName, deviceName, string(secondPod.ObjectMeta.UID))
+
+	// Make firstClaim reserved for first and second pod
+	firstClaim.Status.ReservedFor = append(
+		firstClaim.Status.ReservedFor,
+		resourceapi.ResourceClaimConsumerReference{UID: secondPod.ObjectMeta.UID},
+	)
+
+	_, err = fakeKubeClient.ResourceV1().ResourceClaims(namespace).Create(tCtx, firstClaim, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	_, err = fakeKubeClient.ResourceV1().ResourceClaims(namespace).Create(tCtx, secondClaim, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	respFirst := genPrepareResourcesResponse(firstClaim.UID)
+	draServerInfo, err := setupFakeDRADriverGRPCServer(tCtx, false, nil, respFirst, nil, nil)
+	require.NoError(t, err)
+	defer draServerInfo.teardownFn()
+
+	plg := manager.GetWatcherHandler()
+	require.NoError(t, plg.RegisterPlugin(driverName, draServerInfo.socketName, []string{drapb.DRAPluginService}, nil))
+
+	err = manager.PrepareResources(tCtx, firstPod)
+	require.NoError(t, err)
+
+	assert.Equal(t, uint32(1),
+		draServerInfo.server.prepareResourceCalls.Load(),
+		"first pod should trigger one prepare call",
+	)
+
+	respSecond := genPrepareResourcesResponse(secondClaim.UID)
+	draServerInfo.server.prepareResourcesResponse = respSecond
+
+	err = manager.PrepareResources(tCtx, secondPod)
+	require.NoError(t, err)
+
+	// second pod triggered exactly one prepare call (new claim only) + previous one call
+	assert.Equal(t, uint32(2),
+		draServerInfo.server.prepareResourceCalls.Load(),
+		"second pod should trigger one prepare call for the new claim",
+	)
+
+	for _, claimName := range []string{firstClaim.Name, secondClaim.Name} {
+		claimInfo, exists := manager.cache.get(claimName, namespace)
+		require.True(t, exists, "claim %s should exist in cache", claimName)
+		assert.True(t, claimInfo.prepared, "claim %s should be marked as prepared", claimName)
+	}
+}
+
 func TestUnprepareResources(t *testing.T) {
 	fakeKubeClient := fake.NewSimpleClientset()
 	for _, test := range []struct {
@@ -1424,7 +1566,7 @@ func TestHandleWatchResourcesStream(t *testing.T) {
 		manager, runStreamTest := setupNewManagerAndRunStreamTest(t, stCtx, initialClaim)
 
 		// Pre-populate health cache
-		initialHealth := state.DeviceHealth{PoolName: poolName, DeviceName: deviceName, Health: "Unhealthy", LastUpdated: time.Now().Add(-5 * time.Millisecond)} // Ensure LastUpdated is slightly in past
+		initialHealth := state.DeviceHealth{PoolName: poolName, DeviceName: deviceName, Health: "Unhealthy", LastUpdated: time.Now().Add(-5 * time.Millisecond), HealthCheckTimeout: DefaultHealthTimeout} // Ensure LastUpdated is slightly in past
 		_, err := manager.healthInfoCache.updateHealthInfo(driverName, []state.DeviceHealth{initialHealth})
 		require.NoError(t, err, "Failed to pre-populate health cache")
 
@@ -1538,49 +1680,165 @@ func TestHandleWatchResourcesStream(t *testing.T) {
 	})
 }
 
-// TestUpdateAllocatedResourcesStatus checks if the manager correctly updates the
-// PodStatus with the health information of allocated DRA resources. It populates
-// the caches with known claim and health data, then calls the function and verifies the resulting PodStatus.
+// TestUpdateAllocatedResourcesStatus verifies that the manager can correctly
+// update the PodStatus with health information for different types of DRA claims.
+// It covers the main scenarios that were difficult to test reliably in an e2e
+// environment due to timing issues:
+//  1. Direct claims: Where the pod's resource claim name directly matches the ResourceClaim object name.
+//  2. Renamed claims: Where the pod uses a local name for a ResourceClaim that has a different object name.
+//  3. Templated claims: Where the claim is generated from a template, and the pod status contains the
+//     dynamically generated claim name.
 func TestUpdateAllocatedResourcesStatus(t *testing.T) {
-	tCtx := ktesting.Init(t)
+	directClaimName := "direct-claim-name"
+	renamedClaimObject := "renamed-claim-object"
+	templateName := "template-name"
+	templatedClaimName := "pod-templated-templated-claim"
+
+	testCases := []struct {
+		name                             string
+		pod                              *v1.Pod
+		claimInfos                       []*ClaimInfo
+		initialStatus                    *v1.PodStatus
+		expectedAllocatedResourcesStatus []v1.ResourceStatus
+	}{
+		{
+			name: "Direct claim",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "pod-direct", UID: "pod-direct-uid"},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Name: "container1", Resources: v1.ResourceRequirements{Claims: []v1.ResourceClaim{{Name: "claim1"}}}},
+					},
+					ResourceClaims: []v1.PodResourceClaim{
+						{Name: "claim1", ResourceClaimName: &directClaimName},
+					},
+				},
+				Status: v1.PodStatus{
+					ResourceClaimStatuses: []v1.PodResourceClaimStatus{
+						{Name: "claim1", ResourceClaimName: &directClaimName},
+					},
+				},
+			},
+			claimInfos: []*ClaimInfo{
+				{
+					ClaimInfoState: state.ClaimInfoState{
+						ClaimName: directClaimName,
+						PodUIDs:   sets.New("pod-direct-uid"),
+						DriverState: map[string]state.DriverState{
+							"test-driver": {Devices: []state.Device{{PoolName: "pool", DeviceName: "dev-a"}}},
+						},
+					},
+				},
+			},
+			initialStatus: &v1.PodStatus{ContainerStatuses: []v1.ContainerStatus{{Name: "container1"}}},
+			expectedAllocatedResourcesStatus: []v1.ResourceStatus{
+				{
+					Name: "claim:claim1",
+					Resources: []v1.ResourceHealth{
+						{ResourceID: "test-driver/pool/dev-a", Health: v1.ResourceHealthStatusHealthy},
+					},
+				},
+			},
+		},
+		{
+			name: "Renamed claim",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "pod-renamed", UID: "pod-renamed-uid"},
+				Spec: v1.PodSpec{
+					ResourceClaims: []v1.PodResourceClaim{{Name: "renamed-pod-claim", ResourceClaimName: &renamedClaimObject}},
+					Containers:     []v1.Container{{Name: "container1", Resources: v1.ResourceRequirements{Claims: []v1.ResourceClaim{{Name: "renamed-pod-claim"}}}}},
+				},
+				Status: v1.PodStatus{
+					ResourceClaimStatuses: []v1.PodResourceClaimStatus{
+						{Name: "renamed-pod-claim", ResourceClaimName: &renamedClaimObject},
+					},
+				},
+			},
+			claimInfos: []*ClaimInfo{
+				{
+					ClaimInfoState: state.ClaimInfoState{
+						ClaimName: renamedClaimObject,
+						PodUIDs:   sets.New("pod-renamed-uid"),
+						DriverState: map[string]state.DriverState{
+							"test-driver": {Devices: []state.Device{{PoolName: "pool", DeviceName: "dev-b"}}},
+						},
+					},
+				},
+			},
+			initialStatus: &v1.PodStatus{ContainerStatuses: []v1.ContainerStatus{{Name: "container1"}}},
+			expectedAllocatedResourcesStatus: []v1.ResourceStatus{
+				{
+					Name: "claim:renamed-pod-claim",
+					Resources: []v1.ResourceHealth{
+						{ResourceID: "test-driver/pool/dev-b", Health: v1.ResourceHealthStatusHealthy},
+					},
+				},
+			},
+		},
+		{
+			name: "Templated claim",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "pod-templated", UID: "pod-templated-uid"},
+				Spec: v1.PodSpec{
+					ResourceClaims: []v1.PodResourceClaim{{Name: "templated-claim", ResourceClaimTemplateName: &templateName}},
+					Containers:     []v1.Container{{Name: "container1", Resources: v1.ResourceRequirements{Claims: []v1.ResourceClaim{{Name: "templated-claim"}}}}},
+				},
+				Status: v1.PodStatus{
+					ResourceClaimStatuses: []v1.PodResourceClaimStatus{
+						{Name: "templated-claim", ResourceClaimName: &templatedClaimName},
+					},
+				},
+			},
+			claimInfos: []*ClaimInfo{
+				{
+					ClaimInfoState: state.ClaimInfoState{
+						ClaimName: templatedClaimName,
+						PodUIDs:   sets.New("pod-templated-uid"),
+						DriverState: map[string]state.DriverState{
+							"test-driver": {Devices: []state.Device{{PoolName: "pool", DeviceName: "dev-c"}}},
+						},
+					},
+				},
+			},
+			initialStatus: &v1.PodStatus{ContainerStatuses: []v1.ContainerStatus{{Name: "container1"}}},
+			expectedAllocatedResourcesStatus: []v1.ResourceStatus{
+				{
+					Name: "claim:templated-claim",
+					Resources: []v1.ResourceHealth{
+						{ResourceID: "test-driver/pool/dev-c", Health: v1.ResourceHealthStatusHealthy},
+					},
+				},
+			},
+		},
+	}
 
-	// Setup Manager with caches
-	manager, err := NewManager(tCtx.Logger(), nil, t.TempDir())
-	require.NoError(t, err)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
+			manager, err := NewManager(tCtx.Logger(), nil, t.TempDir())
+			require.NoError(t, err)
 
-	// Populate claimInfoCache
-	claimInfo := genTestClaimInfo(claimUID, []string{podUID}, true)
-	manager.cache.add(claimInfo)
+			for _, ci := range tc.claimInfos {
+				manager.cache.add(ci)
+			}
 
-	// Populate healthInfoCache
-	healthyDevice := state.DeviceHealth{PoolName: poolName, DeviceName: deviceName, Health: "Healthy", LastUpdated: time.Now()}
-	_, err = manager.healthInfoCache.updateHealthInfo(driverName, []state.DeviceHealth{healthyDevice})
-	require.NoError(t, err)
+			// Set all devices to be healthy for the test.
+			devices := []state.DeviceHealth{}
+			for _, ci := range tc.claimInfos {
+				for driverName, ds := range ci.DriverState {
+					for _, dev := range ds.Devices {
+						devices = append(devices, state.DeviceHealth{PoolName: dev.PoolName, DeviceName: dev.DeviceName, Health: state.DeviceHealthStatusHealthy})
+					}
+					_, err := manager.healthInfoCache.updateHealthInfo(driverName, devices)
+					require.NoError(t, err)
+				}
+			}
 
-	// Create Pod and Status objects
-	pod := genTestPod()
-	require.NotEmpty(t, pod.Spec.Containers, "genTestPod should create at least one container")
-	// Ensure the container has a name for matching
-	pod.Spec.Containers[0].Name = containerName
-	podStatus := &v1.PodStatus{
-		ContainerStatuses: []v1.ContainerStatus{
-			{Name: containerName},
-		},
-	}
+			status := tc.initialStatus.DeepCopy()
+			manager.UpdateAllocatedResourcesStatus(tc.pod, status)
 
-	// Call the function under test
-	manager.UpdateAllocatedResourcesStatus(pod, podStatus)
-
-	require.Len(t, podStatus.ContainerStatuses, 1)
-	contStatus := podStatus.ContainerStatuses[0]
-	require.NotNil(t, contStatus.AllocatedResourcesStatus)
-	require.Len(t, contStatus.AllocatedResourcesStatus, 1, "Should have status for one resource claim")
-
-	resourceStatus := contStatus.AllocatedResourcesStatus[0]
-	assert.Equal(t, v1.ResourceName("claim:"+claimName), resourceStatus.Name, "ResourceStatus Name mismatch")
-	// Check the Resources slice
-	require.Len(t, resourceStatus.Resources, 1, "Should have health info for one device")
-	resourceHealth := resourceStatus.Resources[0]
-	assert.Equal(t, v1.ResourceID(cdiID), resourceHealth.ResourceID, "ResourceHealth ResourceID mismatch")
-	assert.Equal(t, v1.ResourceHealthStatusHealthy, resourceHealth.Health, "ResourceHealth Health status mismatch")
+			require.Len(t, status.ContainerStatuses, 1)
+			assert.Equal(t, tc.expectedAllocatedResourcesStatus, status.ContainerStatuses[0].AllocatedResourcesStatus)
+		})
+	}
 }
diff --git a/pkg/kubelet/cm/dra/plugin/dra_plugin_manager.go b/pkg/kubelet/cm/dra/plugin/dra_plugin_manager.go
index 5305546ccf969..fd08372c93b5d 100644
--- a/pkg/kubelet/cm/dra/plugin/dra_plugin_manager.go
+++ b/pkg/kubelet/cm/dra/plugin/dra_plugin_manager.go
@@ -395,7 +395,7 @@ func (pm *DRAPluginManager) add(driverName string, endpoint string, chosenServic
 				logger.V(4).Info("Attempting to start WatchResources health stream")
 				stream, err := p.NodeWatchResources(ctx)
 				if err != nil {
-					logger.V(3).Error(err, "Failed to establish WatchResources stream, will retry")
+					logger.V(3).Info("Failed to establish WatchResources stream, will retry", "err", err)
 					return
 				}
 
diff --git a/pkg/kubelet/cm/dra/plugin/dra_plugin_test.go b/pkg/kubelet/cm/dra/plugin/dra_plugin_test.go
index c8eb975b9bbff..e443e981d6aaa 100644
--- a/pkg/kubelet/cm/dra/plugin/dra_plugin_test.go
+++ b/pkg/kubelet/cm/dra/plugin/dra_plugin_test.go
@@ -35,21 +35,33 @@ import (
 	drapbv1 "k8s.io/kubelet/pkg/apis/dra/v1"
 	drapbv1beta1 "k8s.io/kubelet/pkg/apis/dra/v1beta1"
 	"k8s.io/kubernetes/test/utils/ktesting"
+
+	grpccodes "google.golang.org/grpc/codes"
+	grpcstatus "google.golang.org/grpc/status"
 )
 
+// this interface satisfies what setupGRPCServerWithFake needs
+type fakeGRPCServerInterface interface {
+	drapbv1.DRAPluginServer
+	drahealthv1alpha1.DRAResourceHealthServer
+	drapbv1.UnsafeDRAPluginServer
+}
+
 type fakeGRPCServer struct {
 	drapbv1beta1.UnimplementedDRAPluginServer
 	drahealthv1alpha1.UnimplementedDRAResourceHealthServer
+	drapbv1.UnsafeDRAPluginServer
 }
 
 var _ drapbv1.DRAPluginServer = &fakeGRPCServer{}
+var _ fakeGRPCServerInterface = &fakeGRPCServer{}
 
 func (f *fakeGRPCServer) NodePrepareResources(ctx context.Context, in *drapbv1.NodePrepareResourcesRequest) (*drapbv1.NodePrepareResourcesResponse, error) {
 	return &drapbv1.NodePrepareResourcesResponse{Claims: map[string]*drapbv1.NodePrepareResourceResponse{"claim-uid": {
 		Devices: []*drapbv1.Device{
 			{
 				RequestNames: []string{"test-request"},
-				CDIDeviceIDs: []string{"test-cdi-id"},
+				CdiDeviceIds: []string{"test-cdi-id"},
 			},
 		},
 	}}}, nil
@@ -81,20 +93,16 @@ func (f *fakeGRPCServer) NodeWatchResources(in *drahealthv1alpha1.NodeWatchResou
 // tearDown is an idempotent cleanup function.
 type tearDown func()
 
-func setupFakeGRPCServer(service, addr string) (tearDown, error) {
+func setupGRPCServerWithFake(service, addr string, fakeGRPCServer fakeGRPCServerInterface) (tearDown, error) {
 	ctx, cancel := context.WithCancel(context.Background())
-	teardown := func() {
-		cancel()
-	}
 
 	listener, err := net.Listen("unix", addr)
 	if err != nil {
-		teardown()
+		cancel()
 		return nil, err
 	}
 
 	s := grpc.NewServer()
-	fakeGRPCServer := &fakeGRPCServer{}
 
 	switch service {
 	case drapbv1.DRAPluginService:
@@ -109,23 +117,38 @@ func setupFakeGRPCServer(service, addr string) (tearDown, error) {
 			drapbv1beta1.RegisterDRAPluginServer(s, drapbv1beta1.V1ServerWrapper{DRAPluginServer: fakeGRPCServer})
 			drahealthv1alpha1.RegisterDRAResourceHealthServer(s, fakeGRPCServer)
 		} else {
+			cancel()
 			return nil, err
 		}
 	}
 
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	go func() {
+		defer wg.Done()
+		if err := s.Serve(listener); err != nil && !errors.Is(err, grpc.ErrServerStopped) {
+			panic(err)
+		}
+	}()
+
 	go func() {
-		go func() {
-			if err := s.Serve(listener); err != nil && !errors.Is(err, grpc.ErrServerStopped) {
-				panic(err)
-			}
-		}()
 		<-ctx.Done()
 		s.GracefulStop()
 	}()
 
+	teardown := func() {
+		cancel()
+		wg.Wait() // wait for Serve() to finish
+	}
+
 	return teardown, nil
 }
 
+func setupFakeGRPCServer(service, addr string) (tearDown, error) {
+	return setupGRPCServerWithFake(service, addr, &fakeGRPCServer{})
+}
+
 func TestGRPCConnIsReused(t *testing.T) {
 	tCtx := ktesting.Init(t)
 	service := drapbv1.DRAPluginService
@@ -162,7 +185,7 @@ func TestGRPCConnIsReused(t *testing.T) {
 				Claims: []*drapbv1.Claim{
 					{
 						Namespace: "dummy-namespace",
-						UID:       "dummy-uid",
+						Uid:       "dummy-uid",
 						Name:      "dummy-claim",
 					},
 				},
@@ -212,7 +235,7 @@ func TestGRPCConnUsableAfterIdle(t *testing.T) {
 		Claims: []*drapbv1.Claim{
 			{
 				Namespace: "dummy-namespace",
-				UID:       "dummy-uid",
+				Uid:       "dummy-uid",
 				Name:      "dummy-claim",
 			},
 		},
@@ -324,6 +347,116 @@ func TestGRPCMethods(t *testing.T) {
 	}
 }
 
+func TestGRPCWithTimeoutEnforced(t *testing.T) {
+	tCtx := ktesting.Init(t)
+
+	service := drapbv1.DRAPluginService
+	addr := path.Join(t.TempDir(), "dra.sock")
+
+	// we force NodePrepareResources to block, this will cause the timeout
+	// to elapse, as a consequence the client should abort.
+	// once the client aborts, we unblock NodePrepareResources
+	blocked := make(chan struct{})
+	server := &timeoutFakeGRPCServer{
+		t:              t,
+		fakeGRPCServer: &fakeGRPCServer{},
+		blocked:        blocked,
+		done:           make(chan struct{}),
+	}
+	teardown, err := setupGRPCServerWithFake(service, addr, server)
+	require.NoError(t, err, "failed to setup grpc server")
+	defer teardown()
+
+	driverName := "dummy-driver"
+	timeout := time.Second
+	manager := NewDRAPluginManager(tCtx, nil, nil, nil, 0)
+	err = manager.add(driverName, addr, service, timeout)
+	require.NoError(t, err, "unexpected error while adding the plugin")
+
+	plugin, err := manager.GetPlugin(driverName)
+	require.NoError(t, err, "unexpected error while retrieving the plugin")
+
+	// we will invoke the method on a new gorouinte, in case there
+	// is no timeout enforced it might block forever
+	errCh := make(chan error, 1)
+	go func() {
+		defer close(errCh)
+		req := &drapbv1.NodePrepareResourcesRequest{
+			Claims: []*drapbv1.Claim{
+				{
+					Namespace: "dummy-namespace",
+					Uid:       "dummy-uid",
+					Name:      "dummy-claim",
+				},
+			},
+		}
+		_, err := plugin.NodePrepareResources(tCtx, req)
+		errCh <- err
+	}()
+
+	// wait for the grpc caller to timeout
+	select {
+	// not using wait.ForeverTestTimeout, we will wait at most
+	// 3*timeout to account for flakes in CI
+	case <-time.After(3 * timeout):
+		t.Errorf("expected the grpc caller to return after the timeout had elapsed")
+	case err = <-errCh:
+		// the grpc call returned
+	}
+
+	// unblock the request handler on the server, and wait for it to
+	// return, this ensures that the server method was invoked.
+	// if the timeout is not enforced, we don't leak any goroutine
+	close(blocked)
+	select {
+	case <-server.done:
+	// not using wait.ForeverTestTimeout, we will wait at most
+	// 3*timeout to account for flakes in CI
+	case <-time.After(3 * timeout):
+		t.Errorf("expected the grpc method to have been invoked")
+	}
+
+	require.Error(t, err, "expected the grpc method to return an error")
+	status, ok := grpcstatus.FromError(err)
+	// if it is not a gRPC error then the operation may have failed before
+	// the gRPC method was called, otherwise we would get gRPC error.
+	require.True(t, ok, "expected an error of type: %T, but got: %T", &grpcstatus.Status{}, err)
+
+	// DeadlineExceeded means operation expired before completion. The gRPC
+	// framework will generate this error code when the deadline is exceeded.
+	// More here: https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
+	assert.Equal(t, grpccodes.DeadlineExceeded, status.Code(), "expected status code to match")
+}
+
+// it embeds a fakeGRPCServer instance and overrides the NodePrepareResources
+// method to simulate a timeout scenario.
+// NodePrepareResources will block until the test explicitly closes the blocked
+// channel to unblock it, and it will close the done channel when it completes
+// so the test can wait for it to finish.
+type timeoutFakeGRPCServer struct {
+	*fakeGRPCServer
+
+	t       *testing.T
+	blocked <-chan struct{}
+	done    chan struct{}
+}
+
+func (f *timeoutFakeGRPCServer) NodePrepareResources(ctx context.Context, in *drapbv1.NodePrepareResourcesRequest) (*drapbv1.NodePrepareResourcesResponse, error) {
+	defer close(f.done)
+	now := time.Now()
+	deadline, ok := ctx.Deadline()
+	f.t.Logf("request context has deadline: %t, after: %s", ok, deadline.Sub(now))
+	if !ok {
+		f.t.Errorf("expected the request context to have a deadline")
+	}
+	f.t.Logf("NodePrepareResources: blocking so the client times out before the server sends a reply")
+
+	<-f.blocked
+
+	f.t.Logf("NodePrepareResources: blocked for: %s", time.Since(now))
+	return &drapbv1.NodePrepareResourcesResponse{}, nil
+}
+
 func assertError(t *testing.T, expectError string, err error) {
 	t.Helper()
 	switch {
diff --git a/pkg/kubelet/cm/dra/state/checkpointer_test.go b/pkg/kubelet/cm/dra/state/checkpointer_test.go
index f1387debfc805..7c880077fe99b 100644
--- a/pkg/kubelet/cm/dra/state/checkpointer_test.go
+++ b/pkg/kubelet/cm/dra/state/checkpointer_test.go
@@ -24,9 +24,11 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/kubelet/checkpointmanager"
 	testutil "k8s.io/kubernetes/pkg/kubelet/cm/cpumanager/state/testing"
+	"k8s.io/utils/ptr"
 )
 
 const testingCheckpoint = "dramanager_checkpoint_test"
@@ -46,7 +48,7 @@ func TestCheckpointGetOrCreate(t *testing.T) {
 		},
 		{
 			description:       "single-claim-info-state",
-			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":1656016162}`,
+			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":2570581864}`,
 			expectedClaimInfoStateList: ClaimInfoStateList{
 				{
 					DriverState: map[string]DriverState{
@@ -68,9 +70,34 @@ func TestCheckpointGetOrCreate(t *testing.T) {
 				},
 			},
 		},
+		{
+			description:       "single-claim-info-state-with-share-id",
+			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":736302156}`,
+			expectedClaimInfoStateList: ClaimInfoStateList{
+				{
+					DriverState: map[string]DriverState{
+						"test-driver.cdi.k8s.io": {
+							Devices: []Device{
+								{
+									PoolName:     "worker-1",
+									DeviceName:   "dev-1",
+									ShareID:      ptr.To(types.UID("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")),
+									RequestNames: []string{"test request"},
+									CDIDeviceIDs: []string{"example.com/example=cdi-example"},
+								},
+							},
+						},
+					},
+					ClaimUID:  "067798be-454e-4be4-9047-1aa06aea63f7",
+					ClaimName: "example",
+					Namespace: "default",
+					PodUIDs:   sets.New("139cdb46-f989-4f17-9561-ca10cfb509a6"),
+				},
+			},
+		},
 		{
 			description:       "claim-info-state-with-multiple-devices",
-			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]},{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":3369508096}`,
+			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]},{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":1223221469}`,
 			expectedClaimInfoStateList: ClaimInfoStateList{
 				{
 					DriverState: map[string]DriverState{
@@ -100,7 +127,7 @@ func TestCheckpointGetOrCreate(t *testing.T) {
 		},
 		{
 			description:       "two-claim-info-states",
-			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example-1\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}},{\"ClaimUID\":\"4cf8db2d-06c0-7d70-1a51-e59b25b2c16c\",\"ClaimName\":\"example-2\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"RequestNames\":null,\"CDIDeviceIDs\":null}]}}}]}","Checksum":1582256999}`,
+			checkpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example-1\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}},{\"ClaimUID\":\"4cf8db2d-06c0-7d70-1a51-e59b25b2c16c\",\"ClaimName\":\"example-2\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"ShareID\":null,\"RequestNames\":null,\"CDIDeviceIDs\":null}]}}}]}","Checksum":2820117767}`,
 			expectedClaimInfoStateList: ClaimInfoStateList{
 				{
 					DriverState: map[string]DriverState{
@@ -273,7 +300,32 @@ func TestCheckpointStateStore(t *testing.T) {
 					PodUIDs:   sets.New("139cdb46-f989-4f17-9561-ca10cfb509a6"),
 				},
 			},
-			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":1656016162}`,
+			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":2570581864}`,
+		},
+		{
+			description: "single-claim-info-state-with-share-id",
+			claimInfoStateList: ClaimInfoStateList{
+				{
+					DriverState: map[string]DriverState{
+						"test-driver.cdi.k8s.io": {
+							Devices: []Device{
+								{
+									PoolName:     "worker-1",
+									DeviceName:   "dev-1",
+									ShareID:      ptr.To(types.UID("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")),
+									RequestNames: []string{"test request"},
+									CDIDeviceIDs: []string{"example.com/example=cdi-example"},
+								},
+							},
+						},
+					},
+					ClaimUID:  "067798be-454e-4be4-9047-1aa06aea63f7",
+					ClaimName: "example",
+					Namespace: "default",
+					PodUIDs:   sets.New("139cdb46-f989-4f17-9561-ca10cfb509a6"),
+				},
+			},
+			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":736302156}`,
 		},
 		{
 			description: "claim-info-state-with-multiple-devices",
@@ -303,7 +355,7 @@ func TestCheckpointStateStore(t *testing.T) {
 					PodUIDs:   sets.New("139cdb46-f989-4f17-9561-ca10cfb509a6"),
 				},
 			},
-			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]},{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":3369508096}`,
+			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]},{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}}]}","Checksum":1223221469}`,
 		},
 		{
 			description: "two-claim-info-states",
@@ -343,7 +395,7 @@ func TestCheckpointStateStore(t *testing.T) {
 					PodUIDs:   sets.New("139cdb46-f989-4f17-9561-ca10cfb509a6"),
 				},
 			},
-			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example-1\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}},{\"ClaimUID\":\"4cf8db2d-06c0-7d70-1a51-e59b25b2c16c\",\"ClaimName\":\"example-2\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"RequestNames\":null,\"CDIDeviceIDs\":null}]}}}]}","Checksum":1582256999}`,
+			expectedCheckpointContent: `{"Data":"{\"kind\":\"DRACheckpoint\",\"apiVersion\":\"checkpoint.dra.kubelet.k8s.io/v1\",\"ClaimInfoStateList\":[{\"ClaimUID\":\"067798be-454e-4be4-9047-1aa06aea63f7\",\"ClaimName\":\"example-1\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-1\",\"ShareID\":null,\"RequestNames\":[\"test request\"],\"CDIDeviceIDs\":[\"example.com/example=cdi-example\"]}]}}},{\"ClaimUID\":\"4cf8db2d-06c0-7d70-1a51-e59b25b2c16c\",\"ClaimName\":\"example-2\",\"Namespace\":\"default\",\"PodUIDs\":{\"139cdb46-f989-4f17-9561-ca10cfb509a6\":{}},\"DriverState\":{\"test-driver.cdi.k8s.io\":{\"Devices\":[{\"PoolName\":\"worker-1\",\"DeviceName\":\"dev-2\",\"ShareID\":null,\"RequestNames\":null,\"CDIDeviceIDs\":null}]}}}]}","Checksum":2820117767}`,
 		},
 	}
 
diff --git a/pkg/kubelet/cm/dra/state/state.go b/pkg/kubelet/cm/dra/state/state.go
index 3f15d3c38e9a9..d61a5b65f615a 100644
--- a/pkg/kubelet/cm/dra/state/state.go
+++ b/pkg/kubelet/cm/dra/state/state.go
@@ -51,11 +51,12 @@ type DriverState struct {
 }
 
 // Device is how a DRA driver described an allocated device in a claim
-// to kubelet. RequestName and CDI device IDs are optional.
+// to kubelet. RequestName, ShareID, and CDI device IDs are optional.
 // +k8s:deepcopy-gen=true
 type Device struct {
 	PoolName     string
 	DeviceName   string
+	ShareID      *types.UID
 	RequestNames []string
 	CDIDeviceIDs []string
 }
@@ -95,4 +96,9 @@ type DeviceHealth struct {
 
 	// LastUpdated keeps track of the last health status update of this device.
 	LastUpdated time.Time
+
+	// HealthCheckTimeout is the timeout for the health check of the device.
+	// Zero value means use the default timeout (DefaultHealthTimeout).
+	// This ensures backward compatibility with existing data.
+	HealthCheckTimeout time.Duration
 }
diff --git a/pkg/kubelet/cm/dra/state/zz_generated.deepcopy.go b/pkg/kubelet/cm/dra/state/zz_generated.deepcopy.go
index 6489dab7a513f..77a54dca3cd4a 100644
--- a/pkg/kubelet/cm/dra/state/zz_generated.deepcopy.go
+++ b/pkg/kubelet/cm/dra/state/zz_generated.deepcopy.go
@@ -22,6 +22,7 @@ limitations under the License.
 package state
 
 import (
+	types "k8s.io/apimachinery/pkg/types"
 	sets "k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -58,6 +59,11 @@ func (in *ClaimInfoState) DeepCopy() *ClaimInfoState {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Device) DeepCopyInto(out *Device) {
 	*out = *in
+	if in.ShareID != nil {
+		in, out := &in.ShareID, &out.ShareID
+		*out = new(types.UID)
+		**out = **in
+	}
 	if in.RequestNames != nil {
 		in, out := &in.RequestNames, &out.RequestNames
 		*out = make([]string, len(*in))
diff --git a/pkg/kubelet/cm/fake_container_manager.go b/pkg/kubelet/cm/fake_container_manager.go
index 0c76401885b68..728cdf8d1c298 100644
--- a/pkg/kubelet/cm/fake_container_manager.go
+++ b/pkg/kubelet/cm/fake_container_manager.go
@@ -21,6 +21,7 @@ import (
 	"sync"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
@@ -45,6 +46,7 @@ type FakeContainerManager struct {
 	PodContainerManager                 *FakePodContainerManager
 	shouldResetExtendedResourceCapacity bool
 	nodeConfig                          NodeConfig
+	cpuManager                          cpumanager.Manager
 	memoryManager                       memorymanager.Manager
 }
 
@@ -53,7 +55,9 @@ var _ ContainerManager = &FakeContainerManager{}
 func NewFakeContainerManager() *FakeContainerManager {
 	return &FakeContainerManager{
 		PodContainerManager: NewFakePodContainerManager(),
-		memoryManager:       memorymanager.NewFakeManager(context.TODO()),
+		// Using klog.Background() for fake/test implementations where no real context is available
+		cpuManager:    cpumanager.NewFakeManager(klog.Background()),
+		memoryManager: memorymanager.NewFakeManager(klog.Background()),
 	}
 }
 
@@ -99,7 +103,7 @@ func (cm *FakeContainerManager) GetQOSContainersInfo() QOSContainersInfo {
 	return QOSContainersInfo{}
 }
 
-func (cm *FakeContainerManager) UpdateQOSCgroups() error {
+func (cm *FakeContainerManager) UpdateQOSCgroups(logger klog.Logger) error {
 	cm.Lock()
 	defer cm.Unlock()
 	cm.CalledFunctions = append(cm.CalledFunctions, "UpdateQOSCgroups")
@@ -181,7 +185,7 @@ func (cm *FakeContainerManager) InternalContainerLifecycle() InternalContainerLi
 	cm.Lock()
 	defer cm.Unlock()
 	cm.CalledFunctions = append(cm.CalledFunctions, "InternalContainerLifecycle")
-	return &internalContainerLifecycleImpl{cpumanager.NewFakeManager(), cm.memoryManager, topologymanager.NewFakeManager()}
+	return &internalContainerLifecycleImpl{cm.cpuManager, cm.memoryManager, topologymanager.NewFakeManager()}
 }
 
 func (cm *FakeContainerManager) GetPodCgroupRoot() string {
diff --git a/pkg/kubelet/cm/fake_internal_container_lifecycle.go b/pkg/kubelet/cm/fake_internal_container_lifecycle.go
index d133f28f17c29..ac4a79d2e340f 100644
--- a/pkg/kubelet/cm/fake_internal_container_lifecycle.go
+++ b/pkg/kubelet/cm/fake_internal_container_lifecycle.go
@@ -19,6 +19,7 @@ package cm
 import (
 	"k8s.io/api/core/v1"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 )
 
 func NewFakeInternalContainerLifecycle() *fakeInternalContainerLifecycle {
@@ -27,14 +28,14 @@ func NewFakeInternalContainerLifecycle() *fakeInternalContainerLifecycle {
 
 type fakeInternalContainerLifecycle struct{}
 
-func (f *fakeInternalContainerLifecycle) PreCreateContainer(pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
+func (f *fakeInternalContainerLifecycle) PreCreateContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
 	return nil
 }
 
-func (f *fakeInternalContainerLifecycle) PreStartContainer(pod *v1.Pod, container *v1.Container, containerID string) error {
+func (f *fakeInternalContainerLifecycle) PreStartContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerID string) error {
 	return nil
 }
 
-func (f *fakeInternalContainerLifecycle) PostStopContainer(containerID string) error {
+func (f *fakeInternalContainerLifecycle) PostStopContainer(logger klog.Logger, containerID string) error {
 	return nil
 }
diff --git a/pkg/kubelet/cm/fake_pod_container_manager.go b/pkg/kubelet/cm/fake_pod_container_manager.go
index c3ffae1507891..c38bf5ce8aae5 100644
--- a/pkg/kubelet/cm/fake_pod_container_manager.go
+++ b/pkg/kubelet/cm/fake_pod_container_manager.go
@@ -20,8 +20,9 @@ import (
 	"reflect"
 	"sync"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 )
 
@@ -52,7 +53,7 @@ func (m *FakePodContainerManager) Exists(_ *v1.Pod) bool {
 	return true
 }
 
-func (m *FakePodContainerManager) EnsureExists(_ *v1.Pod) error {
+func (m *FakePodContainerManager) EnsureExists(_ klog.Logger, _ *v1.Pod) error {
 	m.Lock()
 	defer m.Unlock()
 	m.CalledFunctions = append(m.CalledFunctions, "EnsureExists")
@@ -66,7 +67,7 @@ func (m *FakePodContainerManager) GetPodContainerName(_ *v1.Pod) (CgroupName, st
 	return nil, ""
 }
 
-func (m *FakePodContainerManager) Destroy(name CgroupName) error {
+func (m *FakePodContainerManager) Destroy(_ klog.Logger, name CgroupName) error {
 	m.Lock()
 	defer m.Unlock()
 	m.CalledFunctions = append(m.CalledFunctions, "Destroy")
@@ -79,7 +80,7 @@ func (m *FakePodContainerManager) Destroy(name CgroupName) error {
 	return nil
 }
 
-func (m *FakePodContainerManager) ReduceCPULimits(_ CgroupName) error {
+func (m *FakePodContainerManager) ReduceCPULimits(_ klog.Logger, _ CgroupName) error {
 	m.Lock()
 	defer m.Unlock()
 	m.CalledFunctions = append(m.CalledFunctions, "ReduceCPULimits")
@@ -119,7 +120,7 @@ func (cm *FakePodContainerManager) GetPodCgroupConfig(_ *v1.Pod, _ v1.ResourceNa
 	return nil, nil
 }
 
-func (cm *FakePodContainerManager) SetPodCgroupConfig(pod *v1.Pod, resourceConfig *ResourceConfig) error {
+func (cm *FakePodContainerManager) SetPodCgroupConfig(_ klog.Logger, pod *v1.Pod, resourceConfig *ResourceConfig) error {
 	cm.Lock()
 	defer cm.Unlock()
 	cm.CalledFunctions = append(cm.CalledFunctions, "SetPodCgroupConfig")
diff --git a/pkg/kubelet/cm/helpers.go b/pkg/kubelet/cm/helpers.go
index 1de4f7d528448..1e7a5ca0c6d29 100644
--- a/pkg/kubelet/cm/helpers.go
+++ b/pkg/kubelet/cm/helpers.go
@@ -19,7 +19,7 @@ package cm
 import (
 	"context"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
 	internalapi "k8s.io/cri-api/pkg/apis"
@@ -37,7 +37,7 @@ var _ func() (*CgroupSubsystems, error) = GetCgroupSubsystems
 var _ func(string) ([]int, error) = getCgroupProcs
 var _ func(types.UID) string = GetPodCgroupNameSuffix
 var _ func(string, bool, string) string = NodeAllocatableRoot
-var _ func(string) (string, error) = GetKubeletContainer
+var _ func(klog.Logger, string) (string, error) = GetKubeletContainer
 
 // hardEvictionReservation returns a resourcelist that includes reservation of resources based on hard eviction thresholds.
 func hardEvictionReservation(thresholds []evictionapi.Threshold, capacity v1.ResourceList) v1.ResourceList {
@@ -64,6 +64,7 @@ func hardEvictionReservation(thresholds []evictionapi.Threshold, capacity v1.Res
 }
 
 func buildContainerMapAndRunningSetFromRuntime(ctx context.Context, runtimeService internalapi.RuntimeService) (containermap.ContainerMap, sets.Set[string]) {
+	logger := klog.FromContext(ctx)
 	podSandboxMap := make(map[string]string)
 	podSandboxList, _ := runtimeService.ListPodSandbox(ctx, nil)
 	for _, p := range podSandboxList {
@@ -75,13 +76,13 @@ func buildContainerMapAndRunningSetFromRuntime(ctx context.Context, runtimeServi
 	containerList, _ := runtimeService.ListContainers(ctx, nil)
 	for _, c := range containerList {
 		if _, exists := podSandboxMap[c.PodSandboxId]; !exists {
-			klog.InfoS("No PodSandBox found for the container", "podSandboxId", c.PodSandboxId, "containerName", c.Metadata.Name, "containerId", c.Id)
+			logger.Info("No PodSandBox found for the container", "podSandboxId", c.PodSandboxId, "containerName", c.Metadata.Name, "containerId", c.Id)
 			continue
 		}
 		podUID := podSandboxMap[c.PodSandboxId]
 		containerMap.Add(podUID, c.Metadata.Name, c.Id)
 		if c.State == runtimeapi.ContainerState_CONTAINER_RUNNING {
-			klog.V(4).InfoS("Container reported running", "podSandboxId", c.PodSandboxId, "podUID", podUID, "containerName", c.Metadata.Name, "containerId", c.Id)
+			logger.V(4).Info("Container reported running", "podSandboxId", c.PodSandboxId, "podUID", podUID, "containerName", c.Metadata.Name, "containerId", c.Id)
 			runningSet.Insert(c.Id)
 		}
 	}
diff --git a/pkg/kubelet/cm/helpers_linux.go b/pkg/kubelet/cm/helpers_linux.go
index 8e2ffd7d2bb5f..b73ff774f8dc4 100644
--- a/pkg/kubelet/cm/helpers_linux.go
+++ b/pkg/kubelet/cm/helpers_linux.go
@@ -19,16 +19,18 @@ package cm
 import (
 	"bufio"
 	"fmt"
+	"math"
 	"os"
 	"path/filepath"
 	"strconv"
 
 	libcontainercgroups "github.com/opencontainers/cgroups"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-
-	"k8s.io/component-helpers/resource"
+	resourcehelper "k8s.io/component-helpers/resource"
+	"k8s.io/klog/v2"
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	v1qos "k8s.io/kubernetes/pkg/apis/core/v1/helper/qos"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
@@ -124,7 +126,7 @@ func HugePageLimits(resourceList v1.ResourceList) map[int64]int64 {
 func ResourceConfigForPod(allocatedPod *v1.Pod, enforceCPULimits bool, cpuPeriod uint64, enforceMemoryQoS bool) *ResourceConfig {
 	podLevelResourcesEnabled := utilfeature.DefaultFeatureGate.Enabled(kubefeatures.PodLevelResources)
 	// sum requests and limits.
-	reqs := resource.PodRequests(allocatedPod, resource.PodResourcesOptions{
+	reqs := resourcehelper.PodRequests(allocatedPod, resourcehelper.PodResourcesOptions{
 		// SkipPodLevelResources is set to false when PodLevelResources feature is enabled.
 		SkipPodLevelResources: !podLevelResourcesEnabled,
 		UseStatusResources:    false,
@@ -133,10 +135,10 @@ func ResourceConfigForPod(allocatedPod *v1.Pod, enforceCPULimits bool, cpuPeriod
 	memoryLimitsDeclared := true
 	cpuLimitsDeclared := true
 
-	limits := resource.PodLimits(allocatedPod, resource.PodResourcesOptions{
+	limits := resourcehelper.PodLimits(allocatedPod, resourcehelper.PodResourcesOptions{
 		// SkipPodLevelResources is set to false when PodLevelResources feature is enabled.
 		SkipPodLevelResources: !podLevelResourcesEnabled,
-		ContainerFn: func(res v1.ResourceList, containerType resource.ContainerType) {
+		ContainerFn: func(res v1.ResourceList, containerType resourcehelper.ContainerType) {
 			if res.Cpu().IsZero() {
 				cpuLimitsDeclared = false
 			}
@@ -146,7 +148,7 @@ func ResourceConfigForPod(allocatedPod *v1.Pod, enforceCPULimits bool, cpuPeriod
 		},
 	})
 
-	if podLevelResourcesEnabled && resource.IsPodLevelResourcesSet(allocatedPod) {
+	if podLevelResourcesEnabled && resourcehelper.IsPodLevelResourcesSet(allocatedPod) {
 		if !allocatedPod.Spec.Resources.Limits.Cpu().IsZero() {
 			cpuLimitsDeclared = true
 		}
@@ -331,9 +333,9 @@ func NodeAllocatableRoot(cgroupRoot string, cgroupsPerQOS bool, cgroupDriver str
 }
 
 // GetKubeletContainer returns the cgroup the kubelet will use
-func GetKubeletContainer(kubeletCgroups string) (string, error) {
+func GetKubeletContainer(logger klog.Logger, kubeletCgroups string) (string, error) {
 	if kubeletCgroups == "" {
-		cont, err := getContainer(os.Getpid())
+		cont, err := getContainer(logger, os.Getpid())
 		if err != nil {
 			return "", err
 		}
@@ -341,3 +343,57 @@ func GetKubeletContainer(kubeletCgroups string) (string, error) {
 	}
 	return kubeletCgroups, nil
 }
+
+func CPURequestsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	var cpuRequest *resource.Quantity
+	if podConfig != nil && *podConfig.CPUShares > 0 {
+		milliCPU := sharesToMilliCPU(int64(*podConfig.CPUShares))
+		if milliCPU > 0 {
+			cpuRequest = resource.NewMilliQuantity(milliCPU, resource.DecimalSI)
+		}
+	}
+
+	return cpuRequest
+}
+
+func CPULimitsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	var cpuLimit *resource.Quantity
+
+	if podConfig != nil && *podConfig.CPUPeriod > 0 {
+		milliCPU := quotaToMilliCPU(*podConfig.CPUQuota, int64(*podConfig.CPUPeriod))
+		if milliCPU > 0 {
+			cpuLimit = resource.NewMilliQuantity(milliCPU, resource.DecimalSI)
+		}
+	}
+
+	return cpuLimit
+}
+
+func MemoryLimitsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	var memLimit *resource.Quantity
+
+	if podConfig != nil && *podConfig.Memory > int64(0) {
+		memLimit = resource.NewQuantity(*podConfig.Memory, resource.BinarySI)
+	}
+	return memLimit
+}
+
+// sharesToMilliCPU converts CpuShares (cpu.shares) to milli-CPU value
+// TODO - dedup sharesToMilliCPU with sharesToMilliCPU in pkg/kubelet/kuberuntime/helpers_linux.go
+func sharesToMilliCPU(shares int64) int64 {
+	milliCPU := int64(0)
+	if shares >= int64(MinShares) {
+		milliCPU = int64(math.Ceil(float64(shares*MilliCPUToCPU) / float64(SharesPerCPU)))
+	}
+	return milliCPU
+}
+
+// quotaToMilliCPU converts cpu.cfs_quota_us and cpu.cfs_period_us to milli-CPU
+// value
+// TODO - dedup quotaToMilliCPU with sharesToMilliCPU in pkg/kubelet/kuberuntime/helpers_linux.go
+func quotaToMilliCPU(quota int64, period int64) int64 {
+	if quota == -1 {
+		return int64(0)
+	}
+	return (quota * MilliCPUToCPU) / period
+}
diff --git a/pkg/kubelet/cm/helpers_linux_test.go b/pkg/kubelet/cm/helpers_linux_test.go
index 92bab2549759a..6bc95ff6432a7 100644
--- a/pkg/kubelet/cm/helpers_linux_test.go
+++ b/pkg/kubelet/cm/helpers_linux_test.go
@@ -275,6 +275,25 @@ func TestResourceConfigForPod(t *testing.T) {
 			quotaPeriod:      tunedQuotaPeriod,
 			expected:         &ResourceConfig{CPUShares: &burstablePartialShares},
 		},
+		"besteffort-with-pod-level-resources-enabled": {
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: getResourceList("", ""),
+						Limits:   getResourceList("", ""),
+					},
+					Containers: []v1.Container{
+						{
+							Resources: getResourceRequirements(getResourceList("", ""), getResourceList("", "")),
+						},
+					},
+				},
+			},
+			podLevelResourcesEnabled: true,
+			enforceCPULimits:         true,
+			quotaPeriod:              defaultQuotaPeriod,
+			expected:                 &ResourceConfig{CPUShares: &minShares},
+		},
 		"burstable-with-pod-level-requests": {
 			pod: &v1.Pod{
 				Spec: v1.PodSpec{
@@ -351,6 +370,25 @@ func TestResourceConfigForPod(t *testing.T) {
 			quotaPeriod:              defaultQuotaPeriod,
 			expected:                 &ResourceConfig{CPUShares: &burstableShares, CPUQuota: &burstableQuota, CPUPeriod: &defaultQuotaPeriod, Memory: &burstableMemory},
 		},
+		"burstable-with-partial-pod-level-resources-limits": {
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: getResourceList("200m", "300Mi"),
+					},
+					Containers: []v1.Container{
+						{
+							Name:      "Container with guaranteed resources",
+							Resources: getResourceRequirements(getResourceList("200m", "200Mi"), getResourceList("200m", "200Mi")),
+						},
+					},
+				},
+			},
+			podLevelResourcesEnabled: true,
+			enforceCPULimits:         true,
+			quotaPeriod:              defaultQuotaPeriod,
+			expected:                 &ResourceConfig{CPUShares: &burstablePartialShares, CPUQuota: &burstableQuota, CPUPeriod: &defaultQuotaPeriod, Memory: &burstableMemory},
+		},
 		"guaranteed-with-pod-level-resources": {
 			pod: &v1.Pod{
 				Spec: v1.PodSpec{
@@ -390,6 +428,32 @@ func TestResourceConfigForPod(t *testing.T) {
 			quotaPeriod:              defaultQuotaPeriod,
 			expected:                 &ResourceConfig{CPUShares: &guaranteedShares, CPUQuota: &guaranteedQuota, CPUPeriod: &defaultQuotaPeriod, Memory: &guaranteedMemory},
 		},
+		"guaranteed-pod-level-resources-with-init-containers": {
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: getResourceList("100m", "100Mi"),
+						Limits:   getResourceList("100m", "100Mi"),
+					},
+					Containers: []v1.Container{
+						{
+							Name:      "Container with resources",
+							Resources: getResourceRequirements(getResourceList("10m", "50Mi"), getResourceList("50m", "50Mi")),
+						},
+					},
+					InitContainers: []v1.Container{
+						{
+							Name:      "Container with resources",
+							Resources: getResourceRequirements(getResourceList("10m", "50Mi"), getResourceList("50m", "50Mi")),
+						},
+					},
+				},
+			},
+			podLevelResourcesEnabled: true,
+			enforceCPULimits:         true,
+			quotaPeriod:              defaultQuotaPeriod,
+			expected:                 &ResourceConfig{CPUShares: &guaranteedShares, CPUQuota: &guaranteedQuota, CPUPeriod: &defaultQuotaPeriod, Memory: &guaranteedMemory},
+		},
 	}
 
 	for testName, testCase := range testCases {
diff --git a/pkg/kubelet/cm/helpers_unsupported.go b/pkg/kubelet/cm/helpers_unsupported.go
index 34d4ee59d12e1..33df93ff8c4e5 100644
--- a/pkg/kubelet/cm/helpers_unsupported.go
+++ b/pkg/kubelet/cm/helpers_unsupported.go
@@ -21,7 +21,9 @@ package cm
 
 import (
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -71,6 +73,18 @@ func NodeAllocatableRoot(cgroupRoot string, cgroupsPerQOS bool, cgroupDriver str
 }
 
 // GetKubeletContainer returns the cgroup the kubelet will use
-func GetKubeletContainer(kubeletCgroups string) (string, error) {
+func GetKubeletContainer(logger klog.Logger, kubeletCgroups string) (string, error) {
 	return "", nil
 }
+
+func CPURequestsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	return nil
+}
+
+func CPULimitsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	return nil
+}
+
+func MemoryLimitsFromConfig(podConfig *ResourceConfig) *resource.Quantity {
+	return nil
+}
diff --git a/pkg/kubelet/cm/internal_container_lifecycle.go b/pkg/kubelet/cm/internal_container_lifecycle.go
index 068022051ac4a..8fac97a4ec467 100644
--- a/pkg/kubelet/cm/internal_container_lifecycle.go
+++ b/pkg/kubelet/cm/internal_container_lifecycle.go
@@ -17,19 +17,18 @@ limitations under the License.
 package cm
 
 import (
-	"context"
-
 	v1 "k8s.io/api/core/v1"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/memorymanager"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 )
 
 type InternalContainerLifecycle interface {
-	PreCreateContainer(pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error
-	PreStartContainer(pod *v1.Pod, container *v1.Container, containerID string) error
-	PostStopContainer(containerID string) error
+	PreCreateContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error
+	PreStartContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerID string) error
+	PostStopContainer(logger klog.Logger, containerID string) error
 }
 
 // Implements InternalContainerLifecycle interface.
@@ -39,13 +38,13 @@ type internalContainerLifecycleImpl struct {
 	topologyManager topologymanager.Manager
 }
 
-func (i *internalContainerLifecycleImpl) PreStartContainer(pod *v1.Pod, container *v1.Container, containerID string) error {
+func (i *internalContainerLifecycleImpl) PreStartContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerID string) error {
 	if i.cpuManager != nil {
-		i.cpuManager.AddContainer(pod, container, containerID)
+		i.cpuManager.AddContainer(logger, pod, container, containerID)
 	}
 
 	if i.memoryManager != nil {
-		i.memoryManager.AddContainer(context.TODO(), pod, container, containerID)
+		i.memoryManager.AddContainer(logger, pod, container, containerID)
 	}
 
 	i.topologyManager.AddContainer(pod, container, containerID)
@@ -53,6 +52,6 @@ func (i *internalContainerLifecycleImpl) PreStartContainer(pod *v1.Pod, containe
 	return nil
 }
 
-func (i *internalContainerLifecycleImpl) PostStopContainer(containerID string) error {
+func (i *internalContainerLifecycleImpl) PostStopContainer(logger klog.Logger, containerID string) error {
 	return i.topologyManager.RemoveContainer(containerID)
 }
diff --git a/pkg/kubelet/cm/internal_container_lifecycle_linux.go b/pkg/kubelet/cm/internal_container_lifecycle_linux.go
index 43e2717ccdd21..91561cf7131a7 100644
--- a/pkg/kubelet/cm/internal_container_lifecycle_linux.go
+++ b/pkg/kubelet/cm/internal_container_lifecycle_linux.go
@@ -20,16 +20,16 @@ limitations under the License.
 package cm
 
 import (
-	"context"
 	"strconv"
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 )
 
-func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
+func (i *internalContainerLifecycleImpl) PreCreateContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
 	if i.cpuManager != nil {
 		allocatedCPUs := i.cpuManager.GetCPUAffinity(string(pod.UID), container.Name)
 		if !allocatedCPUs.IsEmpty() {
@@ -38,7 +38,7 @@ func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, contain
 	}
 
 	if i.memoryManager != nil {
-		numaNodes := i.memoryManager.GetMemoryNUMANodes(context.TODO(), pod, container)
+		numaNodes := i.memoryManager.GetMemoryNUMANodes(logger, pod, container)
 		if numaNodes.Len() > 0 {
 			var affinity []string
 			for _, numaNode := range sets.List(numaNodes) {
diff --git a/pkg/kubelet/cm/internal_container_lifecycle_test.go b/pkg/kubelet/cm/internal_container_lifecycle_test.go
new file mode 100644
index 0000000000000..3c5bcb2ce32dd
--- /dev/null
+++ b/pkg/kubelet/cm/internal_container_lifecycle_test.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cm
+
+import (
+	"testing"
+
+	"github.com/go-logr/logr"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
+	"k8s.io/kubernetes/pkg/kubelet/cm/memorymanager"
+	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
+)
+
+type mockCPUManager struct {
+	called bool
+	cpumanager.Manager
+}
+
+func (cpuManager *mockCPUManager) AddContainer(logr.Logger, *v1.Pod, *v1.Container, string) {
+	cpuManager.called = true
+}
+
+type mockMemoryManager struct {
+	called bool
+	memorymanager.Manager
+}
+
+func (memoryManager *mockMemoryManager) AddContainer(logr.Logger, *v1.Pod, *v1.Container, string) {
+	memoryManager.called = true
+}
+
+type mockTopologyManager struct {
+	called bool
+	topologymanager.Manager
+}
+
+func (topologyManager *mockTopologyManager) AddContainer(*v1.Pod, *v1.Container, string) {
+	topologyManager.called = true
+}
+
+func TestPreStartContainer(t *testing.T) {
+	pod := &v1.Pod{}
+	container := &v1.Container{}
+
+	tests := []struct {
+		name      string
+		lifecycle internalContainerLifecycleImpl
+	}{
+		{
+			name: "When a CPU manager is provided it has AddContainer called",
+			lifecycle: internalContainerLifecycleImpl{
+				cpuManager:      &mockCPUManager{},
+				memoryManager:   nil,
+				topologyManager: &mockTopologyManager{},
+			},
+		}, {
+			name: "When a Memory manager is provided it has AddContainer called",
+			lifecycle: internalContainerLifecycleImpl{
+				cpuManager:      nil,
+				memoryManager:   &mockMemoryManager{},
+				topologyManager: &mockTopologyManager{},
+			},
+		}, {
+			name: "When a CPU manager/Memory manager is not provided, it's ok",
+			lifecycle: internalContainerLifecycleImpl{
+				cpuManager:      nil,
+				memoryManager:   nil,
+				topologyManager: &mockTopologyManager{},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_ = test.lifecycle.PreStartContainer(klog.Background(), pod, container, "42")
+		})
+
+		cManager := test.lifecycle.cpuManager
+		mManager := test.lifecycle.memoryManager
+		tManager := test.lifecycle.topologyManager
+		if cManager != nil && !cManager.(*mockCPUManager).called {
+			t.Errorf("When a CPU manager is provided it must have AddContainer called")
+		}
+		if mManager != nil && !mManager.(*mockMemoryManager).called {
+			t.Errorf("When a Memory manager is provided it must have AddContainer called")
+		}
+		if !tManager.(*mockTopologyManager).called {
+			t.Errorf("TopologyManager's AddContainer method must be called during container startup")
+		}
+	}
+}
diff --git a/pkg/kubelet/cm/internal_container_lifecycle_unsupported.go b/pkg/kubelet/cm/internal_container_lifecycle_unsupported.go
index 5028c40bbbc1d..4f6aa89a8ecc4 100644
--- a/pkg/kubelet/cm/internal_container_lifecycle_unsupported.go
+++ b/pkg/kubelet/cm/internal_container_lifecycle_unsupported.go
@@ -22,8 +22,9 @@ package cm
 import (
 	"k8s.io/api/core/v1"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 )
 
-func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
+func (i *internalContainerLifecycleImpl) PreCreateContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
 	return nil
 }
diff --git a/pkg/kubelet/cm/internal_container_lifecycle_windows.go b/pkg/kubelet/cm/internal_container_lifecycle_windows.go
index 35c7f48f95dc4..ec960f8ead0c7 100644
--- a/pkg/kubelet/cm/internal_container_lifecycle_windows.go
+++ b/pkg/kubelet/cm/internal_container_lifecycle_windows.go
@@ -20,7 +20,6 @@ limitations under the License.
 package cm
 
 import (
-	"context"
 	"fmt"
 
 	v1 "k8s.io/api/core/v1"
@@ -33,12 +32,12 @@ import (
 	"k8s.io/utils/cpuset"
 )
 
-func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
+func (i *internalContainerLifecycleImpl) PreCreateContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerConfig *runtimeapi.ContainerConfig) error {
 	if !utilfeature.DefaultFeatureGate.Enabled(kubefeatures.WindowsCPUAndMemoryAffinity) {
 		return nil
 	}
 
-	klog.V(4).Info("PreCreateContainer for Windows")
+	logger.V(4).Info("PreCreateContainer for Windows")
 
 	// retrieve CPU and NUMA affinity from CPU Manager and Memory Manager (if enabled)
 	var allocatedCPUs cpuset.CPUSet
@@ -48,7 +47,7 @@ func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, contain
 
 	var numaNodes sets.Set[int]
 	if i.memoryManager != nil {
-		numaNodes = i.memoryManager.GetMemoryNUMANodes(context.TODO(), pod, container)
+		numaNodes = i.memoryManager.GetMemoryNUMANodes(logger, pod, container)
 	}
 
 	// Gather all CPUs associated with the selected NUMA nodes
@@ -63,7 +62,7 @@ func (i *internalContainerLifecycleImpl) PreCreateContainer(pod *v1.Pod, contain
 
 	var finalCPUSet = computeFinalCpuSet(allocatedCPUs, allNumaNodeCPUs)
 
-	klog.V(4).InfoS("Setting CPU affinity", "affinity", finalCPUSet, "container", container.Name, "pod", pod.UID)
+	logger.V(4).Info("Setting CPU affinity", "affinity", finalCPUSet, "container", container.Name, "pod", pod.UID)
 
 	// Set CPU group affinities in the container config
 	if finalCPUSet != nil {
diff --git a/pkg/kubelet/cm/memorymanager/fake_memory_manager.go b/pkg/kubelet/cm/memorymanager/fake_memory_manager.go
index 6664730abcc0e..e589c78f573d3 100644
--- a/pkg/kubelet/cm/memorymanager/fake_memory_manager.go
+++ b/pkg/kubelet/cm/memorymanager/fake_memory_manager.go
@@ -39,46 +39,39 @@ func (m *fakeManager) Start(ctx context.Context, activePods ActivePodsFunc, sour
 	return nil
 }
 
-func (m *fakeManager) Policy(ctx context.Context) Policy {
-	logger := klog.FromContext(ctx)
+func (m *fakeManager) Policy(logger klog.Logger) Policy {
 	logger.Info("Policy()")
-	return NewPolicyNone(ctx)
+	return NewPolicyNone(logger)
 }
 
 func (m *fakeManager) Allocate(pod *v1.Pod, container *v1.Container) error {
-	ctx := context.TODO()
-	logger := klog.FromContext(ctx)
+	logger := klog.TODO()
 	logger.Info("Allocate", "pod", klog.KObj(pod), "containerName", container.Name)
 	return nil
 }
 
-func (m *fakeManager) AddContainer(ctx context.Context, pod *v1.Pod, container *v1.Container, containerID string) {
-	logger := klog.FromContext(ctx)
+func (m *fakeManager) AddContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerID string) {
 	logger.Info("Add container", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID)
 }
 
-func (m *fakeManager) GetMemoryNUMANodes(ctx context.Context, pod *v1.Pod, container *v1.Container) sets.Set[int] {
-	logger := klog.FromContext(ctx)
+func (m *fakeManager) GetMemoryNUMANodes(logger klog.Logger, pod *v1.Pod, container *v1.Container) sets.Set[int] {
 	logger.Info("Get MemoryNUMANodes", "pod", klog.KObj(pod), "containerName", container.Name)
 	return nil
 }
 
-func (m *fakeManager) RemoveContainer(ctx context.Context, containerID string) error {
-	logger := klog.FromContext(ctx)
+func (m *fakeManager) RemoveContainer(logger klog.Logger, containerID string) error {
 	logger.Info("RemoveContainer", "containerID", containerID)
 	return nil
 }
 
 func (m *fakeManager) GetTopologyHints(pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
-	ctx := context.TODO()
-	logger := klog.FromContext(ctx)
+	logger := klog.TODO()
 	logger.Info("Get Topology Hints", "pod", klog.KObj(pod), "containerName", container.Name)
 	return map[string][]topologymanager.TopologyHint{}
 }
 
 func (m *fakeManager) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymanager.TopologyHint {
-	ctx := context.TODO()
-	logger := klog.FromContext(ctx)
+	logger := klog.TODO()
 	logger.Info("Get Pod Topology Hints", "pod", klog.KObj(pod))
 	return map[string][]topologymanager.TopologyHint{}
 }
@@ -88,24 +81,23 @@ func (m *fakeManager) State() state.Reader {
 }
 
 // GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-func (m *fakeManager) GetAllocatableMemory(ctx context.Context) []state.Block {
-	logger := klog.FromContext(ctx)
+func (m *fakeManager) GetAllocatableMemory() []state.Block {
+	logger := klog.TODO()
 	logger.Info("Get Allocatable Memory")
 	return []state.Block{}
 }
 
 // GetMemory returns the memory allocated by a container from NUMA nodes
-func (m *fakeManager) GetMemory(ctx context.Context, podUID, containerName string) []state.Block {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "podUID", podUID, "containerName", containerName)
+func (m *fakeManager) GetMemory(podUID, containerName string) []state.Block {
+	logger := klog.LoggerWithValues(klog.TODO(), "podUID", podUID, "containerName", containerName)
 	logger.Info("Get Memory")
 	return []state.Block{}
 }
 
 // NewFakeManager creates empty/fake memory manager
-func NewFakeManager(ctx context.Context) Manager {
-	logger := klog.LoggerWithName(klog.FromContext(ctx), "memory-mgr.fake")
+func NewFakeManager(logger klog.Logger) Manager {
+	logger = klog.LoggerWithName(logger, "memory-mgr.fake")
 	return &fakeManager{
-		// logger: logger,
 		state: state.NewMemoryState(logger),
 	}
 }
diff --git a/pkg/kubelet/cm/memorymanager/memory_manager.go b/pkg/kubelet/cm/memorymanager/memory_manager.go
index 572f58599a07b..585ebff101390 100644
--- a/pkg/kubelet/cm/memorymanager/memory_manager.go
+++ b/pkg/kubelet/cm/memorymanager/memory_manager.go
@@ -61,7 +61,7 @@ type Manager interface {
 
 	// AddContainer adds the mapping between container ID to pod UID and the container name
 	// The mapping used to remove the memory allocation during the container removal
-	AddContainer(ctx context.Context, p *v1.Pod, c *v1.Container, containerID string)
+	AddContainer(logger klog.Logger, p *v1.Pod, c *v1.Container, containerID string)
 
 	// Allocate is called to pre-allocate memory resources during Pod admission.
 	// This must be called at some point prior to the AddContainer() call for a container, e.g. at pod admission time.
@@ -69,7 +69,7 @@ type Manager interface {
 
 	// RemoveContainer is called after Kubelet decides to kill or delete a
 	// container. After this call, any memory allocated to the container is freed.
-	RemoveContainer(ctx context.Context, containerID string) error
+	RemoveContainer(logger klog.Logger, containerID string) error
 
 	// State returns a read-only interface to the internal memory manager state.
 	State() state.Reader
@@ -85,13 +85,13 @@ type Manager interface {
 	GetPodTopologyHints(*v1.Pod) map[string][]topologymanager.TopologyHint
 
 	// GetMemoryNUMANodes provides NUMA nodes that are used to allocate the container memory
-	GetMemoryNUMANodes(ctx context.Context, pod *v1.Pod, container *v1.Container) sets.Set[int]
+	GetMemoryNUMANodes(logger klog.Logger, pod *v1.Pod, container *v1.Container) sets.Set[int]
 
 	// GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-	GetAllocatableMemory(ctx context.Context) []state.Block
+	GetAllocatableMemory() []state.Block
 
 	// GetMemory returns the memory allocated by a container from NUMA nodes
-	GetMemory(ctx context.Context, podUID, containerName string) []state.Block
+	GetMemory(podUID, containerName string) []state.Block
 }
 
 type manager struct {
@@ -132,13 +132,13 @@ type manager struct {
 var _ Manager = &manager{}
 
 // NewManager returns new instance of the memory manager
-func NewManager(ctx context.Context, policyName string, machineInfo *cadvisorapi.MachineInfo, nodeAllocatableReservation v1.ResourceList, reservedMemory []kubeletconfig.MemoryReservation, stateFileDirectory string, affinity topologymanager.Store) (Manager, error) {
+func NewManager(logger klog.Logger, policyName string, machineInfo *cadvisorapi.MachineInfo, nodeAllocatableReservation v1.ResourceList, reservedMemory []kubeletconfig.MemoryReservation, stateFileDirectory string, affinity topologymanager.Store) (Manager, error) {
 	var policy Policy
 
 	switch policyType(policyName) {
 
 	case policyTypeNone:
-		policy = NewPolicyNone(ctx)
+		policy = NewPolicyNone(logger)
 
 	case PolicyTypeStatic:
 		if runtime.GOOS == "windows" {
@@ -150,7 +150,7 @@ func NewManager(ctx context.Context, policyName string, machineInfo *cadvisorapi
 			return nil, err
 		}
 
-		policy, err = NewPolicyStatic(ctx, machineInfo, systemReserved, affinity)
+		policy, err = NewPolicyStatic(logger, machineInfo, systemReserved, affinity)
 		if err != nil {
 			return nil, err
 		}
@@ -161,7 +161,7 @@ func NewManager(ctx context.Context, policyName string, machineInfo *cadvisorapi
 			if err != nil {
 				return nil, err
 			}
-			policy, err = NewPolicyBestEffort(ctx, machineInfo, systemReserved, affinity)
+			policy, err = NewPolicyBestEffort(logger, machineInfo, systemReserved, affinity)
 			if err != nil {
 				return nil, err
 			}
@@ -198,20 +198,20 @@ func (m *manager) Start(ctx context.Context, activePods ActivePodsFunc, sourcesR
 	}
 	m.state = stateImpl
 
-	err = m.policy.Start(ctx, m.state)
+	err = m.policy.Start(logger, m.state)
 	if err != nil {
 		logger.Error(err, "Policy start error")
 		return err
 	}
 
-	m.allocatableMemory = m.policy.GetAllocatableMemory(ctx, m.state)
+	m.allocatableMemory = m.policy.GetAllocatableMemory(m.state)
 
 	logger.V(4).Info("memorymanager started", "policy", m.policy.Name())
 	return nil
 }
 
 // AddContainer saves the value of requested memory for the guaranteed pod under the state and set memory affinity according to the topolgy manager
-func (m *manager) AddContainer(ctx context.Context, pod *v1.Pod, container *v1.Container, containerID string) {
+func (m *manager) AddContainer(logger klog.Logger, pod *v1.Pod, container *v1.Container, containerID string) {
 	m.Lock()
 	defer m.Unlock()
 
@@ -234,13 +234,13 @@ func (m *manager) AddContainer(ctx context.Context, pod *v1.Pod, container *v1.C
 			continue
 		}
 
-		m.policyRemoveContainerByRef(string(pod.UID), initContainer.Name)
+		m.policyRemoveContainerByRef(logger, string(pod.UID), initContainer.Name)
 	}
 }
 
 // GetMemoryNUMANodes provides NUMA nodes that used to allocate the container memory
-func (m *manager) GetMemoryNUMANodes(ctx context.Context, pod *v1.Pod, container *v1.Container) sets.Set[int] {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "pod", klog.KObj(pod), "containerName", container.Name)
+func (m *manager) GetMemoryNUMANodes(logger klog.Logger, pod *v1.Pod, container *v1.Container) sets.Set[int] {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod), "containerName", container.Name)
 
 	// Get NUMA node affinity of blocks assigned to the container during Allocate()
 	numaNodes := sets.New[int]()
@@ -262,17 +262,14 @@ func (m *manager) GetMemoryNUMANodes(ctx context.Context, pod *v1.Pod, container
 
 // Allocate is called to pre-allocate memory resources during Pod admission.
 func (m *manager) Allocate(pod *v1.Pod, container *v1.Container) error {
-	// Garbage collect any stranded resources before allocation
-	ctx := context.TODO()
-	logger := klog.FromContext(ctx)
-
+	logger := klog.TODO()
 	m.removeStaleState(logger)
 
 	m.Lock()
 	defer m.Unlock()
 
 	// Call down into the policy to assign this container memory if required.
-	if err := m.policy.Allocate(ctx, m.state, pod, container); err != nil {
+	if err := m.policy.Allocate(logger, m.state, pod, container); err != nil {
 		logger.Error(err, "Allocate error", "pod", klog.KObj(pod), "containerName", container.Name)
 		return err
 	}
@@ -280,8 +277,8 @@ func (m *manager) Allocate(pod *v1.Pod, container *v1.Container) error {
 }
 
 // RemoveContainer removes the container from the state
-func (m *manager) RemoveContainer(ctx context.Context, containerID string) error {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "containerID", containerID)
+func (m *manager) RemoveContainer(logger klog.Logger, containerID string) error {
+	logger = klog.LoggerWithValues(logger, "containerID", containerID)
 
 	m.Lock()
 	defer m.Unlock()
@@ -293,7 +290,7 @@ func (m *manager) RemoveContainer(ctx context.Context, containerID string) error
 		return nil
 	}
 
-	m.policyRemoveContainerByRef(podUID, containerName)
+	m.policyRemoveContainerByRef(logger, podUID, containerName)
 
 	return nil
 }
@@ -311,7 +308,7 @@ func (m *manager) GetPodTopologyHints(pod *v1.Pod) map[string][]topologymanager.
 	// Garbage collect any stranded resources before providing TopologyHints
 	m.removeStaleState(klog.FromContext(ctx))
 	// Delegate to active policy
-	return m.policy.GetPodTopologyHints(context.TODO(), m.state, pod)
+	return m.policy.GetPodTopologyHints(klog.TODO(), m.state, pod)
 }
 
 // GetTopologyHints returns the topology hints for the topology manager
@@ -319,7 +316,7 @@ func (m *manager) GetTopologyHints(pod *v1.Pod, container *v1.Container) map[str
 	// Garbage collect any stranded resources before providing TopologyHints
 	m.removeStaleState(klog.TODO())
 	// Delegate to active policy
-	return m.policy.GetTopologyHints(context.TODO(), m.state, pod, container)
+	return m.policy.GetTopologyHints(klog.TODO(), m.state, pod, container)
 }
 
 // TODO: move the method to the upper level, to re-use it under the CPU and memory managers
@@ -358,7 +355,7 @@ func (m *manager) removeStaleState(logger klog.Logger) {
 		for containerName := range assignments[podUID] {
 			if _, ok := activeContainers[podUID][containerName]; !ok {
 				logger.V(2).Info("RemoveStaleState removing state", "podUID", podUID, "containerName", containerName)
-				m.policyRemoveContainerByRef(podUID, containerName)
+				m.policyRemoveContainerByRef(logger, podUID, containerName)
 			}
 		}
 	}
@@ -366,13 +363,13 @@ func (m *manager) removeStaleState(logger klog.Logger) {
 	m.containerMap.Visit(func(podUID, containerName, containerID string) {
 		if _, ok := activeContainers[podUID][containerName]; !ok {
 			logger.V(2).Info("RemoveStaleState removing state", "podUID", podUID, "containerName", containerName)
-			m.policyRemoveContainerByRef(podUID, containerName)
+			m.policyRemoveContainerByRef(logger, podUID, containerName)
 		}
 	})
 }
 
-func (m *manager) policyRemoveContainerByRef(podUID string, containerName string) {
-	m.policy.RemoveContainer(context.TODO(), m.state, podUID, containerName)
+func (m *manager) policyRemoveContainerByRef(logger klog.Logger, podUID string, containerName string) {
+	m.policy.RemoveContainer(logger, m.state, podUID, containerName)
 	m.containerMap.RemoveByContainerRef(podUID, containerName)
 }
 
@@ -470,11 +467,11 @@ func getSystemReservedMemory(machineInfo *cadvisorapi.MachineInfo, nodeAllocatab
 }
 
 // GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-func (m *manager) GetAllocatableMemory(ctx context.Context) []state.Block {
+func (m *manager) GetAllocatableMemory() []state.Block {
 	return m.allocatableMemory
 }
 
 // GetMemory returns the memory allocated by a container from NUMA nodes
-func (m *manager) GetMemory(ctx context.Context, podUID, containerName string) []state.Block {
+func (m *manager) GetMemory(podUID, containerName string) []state.Block {
 	return m.state.GetMemoryBlocks(podUID, containerName)
 }
diff --git a/pkg/kubelet/cm/memorymanager/memory_manager_test.go b/pkg/kubelet/cm/memorymanager/memory_manager_test.go
index fa5a9aa44798d..6844710fecd98 100644
--- a/pkg/kubelet/cm/memorymanager/memory_manager_test.go
+++ b/pkg/kubelet/cm/memorymanager/memory_manager_test.go
@@ -27,6 +27,7 @@ import (
 
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 	"github.com/stretchr/testify/assert"
+	"k8s.io/klog/v2"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -71,17 +72,17 @@ type testMemoryManager struct {
 	activePods                 []*v1.Pod
 }
 
-func returnPolicyByName(ctx context.Context, testCase testMemoryManager) Policy {
+func returnPolicyByName(logger klog.Logger, testCase testMemoryManager) Policy {
 	switch testCase.policyName {
 	case policyTypeMock:
 		return &mockPolicy{
 			err: fmt.Errorf("fake reg error"),
 		}
 	case PolicyTypeStatic:
-		policy, _ := NewPolicyStatic(ctx, &testCase.machineInfo, testCase.reserved, topologymanager.NewFakeManager())
+		policy, _ := NewPolicyStatic(logger, &testCase.machineInfo, testCase.reserved, topologymanager.NewFakeManager())
 		return policy
 	case policyTypeNone:
-		return NewPolicyNone(ctx)
+		return NewPolicyNone(logger)
 	}
 	return nil
 }
@@ -94,27 +95,27 @@ func (p *mockPolicy) Name() string {
 	return string(policyTypeMock)
 }
 
-func (p *mockPolicy) Start(context.Context, state.State) error {
+func (p *mockPolicy) Start(klog.Logger, state.State) error {
 	return p.err
 }
 
-func (p *mockPolicy) Allocate(context.Context, state.State, *v1.Pod, *v1.Container) error {
+func (p *mockPolicy) Allocate(klog.Logger, state.State, *v1.Pod, *v1.Container) error {
 	return p.err
 }
 
-func (p *mockPolicy) RemoveContainer(context.Context, state.State, string, string) {
+func (p *mockPolicy) RemoveContainer(klog.Logger, state.State, string, string) {
 }
 
-func (p *mockPolicy) GetTopologyHints(context.Context, state.State, *v1.Pod, *v1.Container) map[string][]topologymanager.TopologyHint {
+func (p *mockPolicy) GetTopologyHints(klog.Logger, state.State, *v1.Pod, *v1.Container) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
-func (p *mockPolicy) GetPodTopologyHints(context.Context, state.State, *v1.Pod) map[string][]topologymanager.TopologyHint {
+func (p *mockPolicy) GetPodTopologyHints(klog.Logger, state.State, *v1.Pod) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
 // GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-func (p *mockPolicy) GetAllocatableMemory(context.Context, state.State) []state.Block {
+func (p *mockPolicy) GetAllocatableMemory(state.State) []state.Block {
 	return []state.Block{}
 }
 
@@ -491,7 +492,7 @@ func TestGetSystemReservedMemory(t *testing.T) {
 }
 
 func TestRemoveStaleState(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 	testCases := []testMemoryManager{
 		{
@@ -903,7 +904,7 @@ func TestRemoveStaleState(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
 			mgr := &manager{
-				policy:       returnPolicyByName(tCtx, testCase),
+				policy:       returnPolicyByName(logger, testCase),
 				state:        state.NewMemoryState(logger),
 				containerMap: containermap.NewContainerMap(),
 				containerRuntime: mockRuntimeService{
@@ -931,7 +932,7 @@ func TestRemoveStaleState(t *testing.T) {
 }
 
 func TestAddContainer(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 	reserved := systemReservedMemory{
 		0: map[v1.ResourceName]uint64{
@@ -1396,7 +1397,7 @@ func TestAddContainer(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
 			mgr := &manager{
-				policy:       returnPolicyByName(tCtx, testCase),
+				policy:       returnPolicyByName(logger, testCase),
 				state:        state.NewMemoryState(logger),
 				containerMap: containermap.NewContainerMap(),
 				containerRuntime: mockRuntimeService{
@@ -1418,7 +1419,7 @@ func TestAddContainer(t *testing.T) {
 				t.Errorf("Memory Manager Allocate() error (%v), expected error: %v, but got: %v",
 					testCase.description, testCase.expectedAllocateError, err)
 			}
-			mgr.AddContainer(tCtx, pod, container, "fakeID")
+			mgr.AddContainer(logger, pod, container, "fakeID")
 			_, _, err = mgr.containerMap.GetContainerRef("fakeID")
 			if !reflect.DeepEqual(err, testCase.expectedAddContainerError) {
 				t.Errorf("Memory Manager AddContainer() error (%v), expected error: %v, but got: %v",
@@ -1435,7 +1436,7 @@ func TestAddContainer(t *testing.T) {
 }
 
 func TestRemoveContainer(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 	reserved := systemReservedMemory{
 		0: map[v1.ResourceName]uint64{
@@ -1873,7 +1874,7 @@ func TestRemoveContainer(t *testing.T) {
 			iniContainerMap.Add("fakePod1", "fakeContainer1", "fakeID1")
 			iniContainerMap.Add("fakePod1", "fakeContainer2", "fakeID2")
 			mgr := &manager{
-				policy:       returnPolicyByName(tCtx, testCase),
+				policy:       returnPolicyByName(logger, testCase),
 				state:        state.NewMemoryState(logger),
 				containerMap: iniContainerMap,
 				containerRuntime: mockRuntimeService{
@@ -1886,7 +1887,7 @@ func TestRemoveContainer(t *testing.T) {
 			mgr.state.SetMemoryAssignments(testCase.assignments)
 			mgr.state.SetMachineState(testCase.machineState)
 
-			err := mgr.RemoveContainer(tCtx, testCase.removeContainerID)
+			err := mgr.RemoveContainer(logger, testCase.removeContainerID)
 			if !reflect.DeepEqual(err, testCase.expectedError) {
 				t.Errorf("Memory Manager RemoveContainer() error (%v), expected error: %v, but got: %v",
 					testCase.description, testCase.expectedError, err)
@@ -1914,7 +1915,7 @@ func getPolicyNameForOs() policyType {
 }
 
 func TestNewManager(t *testing.T) {
-	tCtx := ktesting.Init(t)
+	logger, _ := ktesting.NewTestContext(t)
 	machineInfo := returnMachineInfo()
 	expectedReserved := systemReservedMemory{
 		0: map[v1.ResourceName]uint64{
@@ -2006,7 +2007,7 @@ func TestNewManager(t *testing.T) {
 			}
 			defer os.RemoveAll(stateFileDirectory)
 
-			mgr, err := NewManager(tCtx, string(testCase.policyName), &testCase.machineInfo, testCase.nodeAllocatableReservation, testCase.systemReservedMemory, stateFileDirectory, testCase.affinity)
+			mgr, err := NewManager(logger, string(testCase.policyName), &testCase.machineInfo, testCase.nodeAllocatableReservation, testCase.systemReservedMemory, stateFileDirectory, testCase.affinity)
 
 			if !reflect.DeepEqual(err, testCase.expectedError) {
 				t.Errorf("Could not create the Memory Manager. Expected error: '%v', but got: '%v'",
@@ -2036,7 +2037,7 @@ func TestNewManager(t *testing.T) {
 }
 
 func TestGetTopologyHints(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testMemoryManager{
 		{
 			description: "Successful hint generation",
@@ -2157,7 +2158,7 @@ func TestGetTopologyHints(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
 			mgr := &manager{
-				policy:       returnPolicyByName(tCtx, testCase),
+				policy:       returnPolicyByName(logger, testCase),
 				state:        state.NewMemoryState(logger),
 				containerMap: containermap.NewContainerMap(),
 				containerRuntime: mockRuntimeService{
@@ -2182,7 +2183,7 @@ func TestGetTopologyHints(t *testing.T) {
 }
 
 func TestAllocateAndAddPodWithInitContainers(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testMemoryManager{
 		{
 			description: "should remove init containers from the state file, once app container started",
@@ -2335,7 +2336,7 @@ func TestAllocateAndAddPodWithInitContainers(t *testing.T) {
 		t.Run(testCase.description, func(t *testing.T) {
 			logger.Info("TestAllocateAndAddPodWithInitContainers", "name", testCase.description)
 			mgr := &manager{
-				policy:       returnPolicyByName(tCtx, testCase),
+				policy:       returnPolicyByName(logger, testCase),
 				state:        state.NewMemoryState(logger),
 				containerMap: containermap.NewContainerMap(),
 				containerRuntime: mockRuntimeService{
@@ -2366,12 +2367,12 @@ func TestAllocateAndAddPodWithInitContainers(t *testing.T) {
 
 			// Calls AddContainer for init containers
 			for i, initContainer := range testCase.podAllocate.Spec.InitContainers {
-				mgr.AddContainer(tCtx, testCase.podAllocate, &testCase.podAllocate.Spec.InitContainers[i], initContainer.Name)
+				mgr.AddContainer(logger, testCase.podAllocate, &testCase.podAllocate.Spec.InitContainers[i], initContainer.Name)
 			}
 
 			// Calls AddContainer for apps containers
 			for i, appContainer := range testCase.podAllocate.Spec.Containers {
-				mgr.AddContainer(tCtx, testCase.podAllocate, &testCase.podAllocate.Spec.Containers[i], appContainer.Name)
+				mgr.AddContainer(logger, testCase.podAllocate, &testCase.podAllocate.Spec.Containers[i], appContainer.Name)
 			}
 
 			assignments := mgr.state.GetMemoryAssignments()
diff --git a/pkg/kubelet/cm/memorymanager/policy.go b/pkg/kubelet/cm/memorymanager/policy.go
index 69e79cdb7f2e9..3c17ec93c21fa 100644
--- a/pkg/kubelet/cm/memorymanager/policy.go
+++ b/pkg/kubelet/cm/memorymanager/policy.go
@@ -17,9 +17,8 @@ limitations under the License.
 package memorymanager
 
 import (
-	"context"
-
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/memorymanager/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager"
 )
@@ -30,19 +29,19 @@ type policyType string
 // Policy implements logic for pod container to a memory assignment.
 type Policy interface {
 	Name() string
-	Start(ctx context.Context, s state.State) error
+	Start(logger klog.Logger, s state.State) error
 	// Allocate call is idempotent
-	Allocate(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) error
+	Allocate(logger klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) error
 	// RemoveContainer call is idempotent
-	RemoveContainer(ctx context.Context, s state.State, podUID string, containerName string)
+	RemoveContainer(logger klog.Logger, s state.State, podUID string, containerName string)
 	// GetTopologyHints implements the topologymanager.HintProvider Interface
 	// and is consulted to achieve NUMA aware resource alignment among this
 	// and other resource controllers.
-	GetTopologyHints(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint
+	GetTopologyHints(logger klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint
 	// GetPodTopologyHints implements the topologymanager.HintProvider Interface
 	// and is consulted to achieve NUMA aware resource alignment among this
 	// and other resource controllers.
-	GetPodTopologyHints(ctx context.Context, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint
+	GetPodTopologyHints(logger klog.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint
 	// GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-	GetAllocatableMemory(ctx context.Context, s state.State) []state.Block
+	GetAllocatableMemory(s state.State) []state.Block
 }
diff --git a/pkg/kubelet/cm/memorymanager/policy_best_effort.go b/pkg/kubelet/cm/memorymanager/policy_best_effort.go
index 76ca2c8260841..53f5746d48d87 100644
--- a/pkg/kubelet/cm/memorymanager/policy_best_effort.go
+++ b/pkg/kubelet/cm/memorymanager/policy_best_effort.go
@@ -17,8 +17,7 @@ limitations under the License.
 package memorymanager
 
 import (
-	"context"
-
+	"github.com/go-logr/logr"
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 
 	v1 "k8s.io/api/core/v1"
@@ -41,8 +40,8 @@ type bestEffortPolicy struct {
 
 var _ Policy = &bestEffortPolicy{}
 
-func NewPolicyBestEffort(ctx context.Context, machineInfo *cadvisorapi.MachineInfo, reserved systemReservedMemory, affinity topologymanager.Store) (Policy, error) {
-	p, err := NewPolicyStatic(ctx, machineInfo, reserved, affinity)
+func NewPolicyBestEffort(logger logr.Logger, machineInfo *cadvisorapi.MachineInfo, reserved systemReservedMemory, affinity topologymanager.Store) (Policy, error) {
+	p, err := NewPolicyStatic(logger, machineInfo, reserved, affinity)
 
 	if err != nil {
 		return nil, err
@@ -57,26 +56,26 @@ func (p *bestEffortPolicy) Name() string {
 	return string(policyTypeBestEffort)
 }
 
-func (p *bestEffortPolicy) Start(ctx context.Context, s state.State) error {
-	return p.static.Start(ctx, s)
+func (p *bestEffortPolicy) Start(logger logr.Logger, s state.State) error {
+	return p.static.Start(logger, s)
 }
 
-func (p *bestEffortPolicy) Allocate(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
-	return p.static.Allocate(ctx, s, pod, container)
+func (p *bestEffortPolicy) Allocate(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
+	return p.static.Allocate(logger, s, pod, container)
 }
 
-func (p *bestEffortPolicy) RemoveContainer(ctx context.Context, s state.State, podUID string, containerName string) {
-	p.static.RemoveContainer(ctx, s, podUID, containerName)
+func (p *bestEffortPolicy) RemoveContainer(logger logr.Logger, s state.State, podUID string, containerName string) {
+	p.static.RemoveContainer(logger, s, podUID, containerName)
 }
 
-func (p *bestEffortPolicy) GetPodTopologyHints(ctx context.Context, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
-	return p.static.GetPodTopologyHints(ctx, s, pod)
+func (p *bestEffortPolicy) GetPodTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+	return p.static.GetPodTopologyHints(logger, s, pod)
 }
 
-func (p *bestEffortPolicy) GetTopologyHints(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
-	return p.static.GetTopologyHints(ctx, s, pod, container)
+func (p *bestEffortPolicy) GetTopologyHints(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+	return p.static.GetTopologyHints(logger, s, pod, container)
 }
 
-func (p *bestEffortPolicy) GetAllocatableMemory(ctx context.Context, s state.State) []state.Block {
-	return p.static.GetAllocatableMemory(ctx, s)
+func (p *bestEffortPolicy) GetAllocatableMemory(s state.State) []state.Block {
+	return p.static.GetAllocatableMemory(s)
 }
diff --git a/pkg/kubelet/cm/memorymanager/policy_none.go b/pkg/kubelet/cm/memorymanager/policy_none.go
index 5b821f7d234e8..ceb2d236d1faf 100644
--- a/pkg/kubelet/cm/memorymanager/policy_none.go
+++ b/pkg/kubelet/cm/memorymanager/policy_none.go
@@ -17,8 +17,6 @@ limitations under the License.
 package memorymanager
 
 import (
-	"context"
-
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/memorymanager/state"
@@ -34,7 +32,7 @@ type none struct{}
 var _ Policy = &none{}
 
 // NewPolicyNone returns new none policy instance
-func NewPolicyNone(ctx context.Context) Policy {
+func NewPolicyNone(logger klog.Logger) Policy {
 	return &none{}
 }
 
@@ -42,36 +40,35 @@ func (p *none) Name() string {
 	return string(policyTypeNone)
 }
 
-func (p *none) Start(ctx context.Context, s state.State) error {
-	logger := klog.FromContext(ctx)
+func (p *none) Start(logger klog.Logger, s state.State) error {
 	logger.Info("Start")
 	return nil
 }
 
 // Allocate call is idempotent
-func (p *none) Allocate(_ context.Context, s state.State, pod *v1.Pod, container *v1.Container) error {
+func (p *none) Allocate(_ klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) error {
 	return nil
 }
 
 // RemoveContainer call is idempotent
-func (p *none) RemoveContainer(_ context.Context, s state.State, podUID string, containerName string) {
+func (p *none) RemoveContainer(_ klog.Logger, s state.State, podUID string, containerName string) {
 }
 
 // GetTopologyHints implements the topologymanager.HintProvider Interface
 // and is consulted to achieve NUMA aware resource alignment among this
 // and other resource controllers.
-func (p *none) GetTopologyHints(_ context.Context, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+func (p *none) GetTopologyHints(_ klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
 // GetPodTopologyHints implements the topologymanager.HintProvider Interface
 // and is consulted to achieve NUMA aware resource alignment among this
 // and other resource controllers.
-func (p *none) GetPodTopologyHints(_ context.Context, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+func (p *none) GetPodTopologyHints(_ klog.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
 	return nil
 }
 
 // GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-func (p *none) GetAllocatableMemory(_ context.Context, s state.State) []state.Block {
+func (p *none) GetAllocatableMemory(s state.State) []state.Block {
 	return []state.Block{}
 }
diff --git a/pkg/kubelet/cm/memorymanager/policy_static.go b/pkg/kubelet/cm/memorymanager/policy_static.go
index c744ebf3999e6..eb5c3b5f67c32 100644
--- a/pkg/kubelet/cm/memorymanager/policy_static.go
+++ b/pkg/kubelet/cm/memorymanager/policy_static.go
@@ -17,11 +17,9 @@ limitations under the License.
 package memorymanager
 
 import (
-	"context"
 	"fmt"
 	"sort"
 
-	"github.com/go-logr/logr"
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 
 	v1 "k8s.io/api/core/v1"
@@ -62,7 +60,7 @@ type staticPolicy struct {
 var _ Policy = &staticPolicy{}
 
 // NewPolicyStatic returns new static policy instance
-func NewPolicyStatic(ctx context.Context, machineInfo *cadvisorapi.MachineInfo, reserved systemReservedMemory, affinity topologymanager.Store) (Policy, error) {
+func NewPolicyStatic(logger klog.Logger, machineInfo *cadvisorapi.MachineInfo, reserved systemReservedMemory, affinity topologymanager.Store) (Policy, error) {
 	var totalSystemReserved uint64
 	for _, node := range reserved {
 		if _, ok := node[v1.ResourceMemory]; !ok {
@@ -88,8 +86,7 @@ func (p *staticPolicy) Name() string {
 	return string(PolicyTypeStatic)
 }
 
-func (p *staticPolicy) Start(ctx context.Context, s state.State) error {
-	logger := klog.FromContext(ctx)
+func (p *staticPolicy) Start(logger klog.Logger, s state.State) error {
 	if err := p.validateState(logger, s); err != nil {
 		logger.Error(err, "Invalid state, please drain node and remove policy state file")
 		return err
@@ -98,9 +95,8 @@ func (p *staticPolicy) Start(ctx context.Context, s state.State) error {
 }
 
 // Allocate call is idempotent
-func (p *staticPolicy) Allocate(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
+func (p *staticPolicy) Allocate(logger klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) (rerr error) {
 	// allocate the memory only for guaranteed pods
-	logger := klog.FromContext(ctx)
 	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod), "containerName", container.Name)
 	qos := v1qos.GetPodQOS(pod)
 	if qos != v1.PodQOSGuaranteed {
@@ -259,8 +255,8 @@ func (p *staticPolicy) getPodReusableMemory(pod *v1.Pod, numaAffinity bitmask.Bi
 }
 
 // RemoveContainer call is idempotent
-func (p *staticPolicy) RemoveContainer(ctx context.Context, s state.State, podUID string, containerName string) {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "podUID", podUID, "containerName", containerName)
+func (p *staticPolicy) RemoveContainer(logger klog.Logger, s state.State, podUID string, containerName string) {
+	logger = klog.LoggerWithValues(logger, "podUID", podUID, "containerName", containerName)
 
 	blocks := s.GetMemoryBlocks(podUID, containerName)
 	if blocks == nil {
@@ -313,7 +309,7 @@ func (p *staticPolicy) RemoveContainer(ctx context.Context, s state.State, podUI
 	s.SetMachineState(machineState)
 }
 
-func regenerateHints(logger logr.Logger, pod *v1.Pod, ctn *v1.Container, ctnBlocks []state.Block, reqRsrc map[v1.ResourceName]uint64) map[string][]topologymanager.TopologyHint {
+func regenerateHints(logger klog.Logger, pod *v1.Pod, ctn *v1.Container, ctnBlocks []state.Block, reqRsrc map[v1.ResourceName]uint64) map[string][]topologymanager.TopologyHint {
 	hints := map[string][]topologymanager.TopologyHint{}
 	for resourceName := range reqRsrc {
 		hints[string(resourceName)] = []topologymanager.TopologyHint{}
@@ -405,8 +401,8 @@ func getPodRequestedResources(pod *v1.Pod) (map[v1.ResourceName]uint64, error) {
 	return reqRsrcs, nil
 }
 
-func (p *staticPolicy) GetPodTopologyHints(ctx context.Context, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "pod", klog.KObj(pod))
+func (p *staticPolicy) GetPodTopologyHints(logger klog.Logger, s state.State, pod *v1.Pod) map[string][]topologymanager.TopologyHint {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod))
 
 	if v1qos.GetPodQOS(pod) != v1.PodQOSGuaranteed {
 		return nil
@@ -440,8 +436,8 @@ func (p *staticPolicy) GetPodTopologyHints(ctx context.Context, s state.State, p
 // GetTopologyHints implements the topologymanager.HintProvider Interface
 // and is consulted to achieve NUMA aware resource alignment among this
 // and other resource controllers.
-func (p *staticPolicy) GetTopologyHints(ctx context.Context, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
-	logger := klog.LoggerWithValues(klog.FromContext(ctx), "pod", klog.KObj(pod))
+func (p *staticPolicy) GetTopologyHints(logger klog.Logger, s state.State, pod *v1.Pod, container *v1.Container) map[string][]topologymanager.TopologyHint {
+	logger = klog.LoggerWithValues(logger, "pod", klog.KObj(pod))
 
 	if v1qos.GetPodQOS(pod) != v1.PodQOSGuaranteed {
 		return nil
@@ -471,23 +467,7 @@ func (p *staticPolicy) GetTopologyHints(ctx context.Context, s state.State, pod
 
 func getRequestedResources(pod *v1.Pod, container *v1.Container) (map[v1.ResourceName]uint64, error) {
 	requestedResources := map[v1.ResourceName]uint64{}
-	resources := container.Resources.Requests
-	// In-place pod resize feature makes Container.Resources field mutable for CPU & memory.
-	// AllocatedResources holds the value of Container.Resources.Requests when the pod was admitted.
-	// We should return this value because this is what kubelet agreed to allocate for the container
-	// and the value configured with runtime.
-	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
-		containerStatuses := pod.Status.ContainerStatuses
-		if podutil.IsRestartableInitContainer(container) {
-			if len(pod.Status.InitContainerStatuses) != 0 {
-				containerStatuses = append(containerStatuses, pod.Status.InitContainerStatuses...)
-			}
-		}
-		if cs, ok := podutil.GetContainerStatus(containerStatuses, container.Name); ok {
-			resources = cs.AllocatedResources
-		}
-	}
-	for resourceName, quantity := range resources {
+	for resourceName, quantity := range container.Resources.Requests {
 		if resourceName != v1.ResourceMemory && !corehelper.IsHugePageResourceName(resourceName) {
 			continue
 		}
@@ -615,7 +595,7 @@ func areGroupsEqual(group1, group2 []int) bool {
 	return true
 }
 
-func (p *staticPolicy) validateState(logger logr.Logger, s state.State) error {
+func (p *staticPolicy) validateState(logger klog.Logger, s state.State) error {
 	machineState := s.GetMachineState()
 	memoryAssignments := s.GetMemoryAssignments()
 
@@ -688,7 +668,7 @@ func (p *staticPolicy) validateState(logger logr.Logger, s state.State) error {
 	return nil
 }
 
-func areMachineStatesEqual(logger logr.Logger, ms1, ms2 state.NUMANodeMap) bool {
+func areMachineStatesEqual(logger klog.Logger, ms1, ms2 state.NUMANodeMap) bool {
 	if len(ms1) != len(ms2) {
 		logger.Info("Node states were different", "lengthNode1", len(ms1), "lengthNode2", len(ms2))
 		return false
@@ -749,7 +729,7 @@ func areMachineStatesEqual(logger logr.Logger, ms1, ms2 state.NUMANodeMap) bool
 	return true
 }
 
-func areMemoryStatesEqual(logger logr.Logger, memoryState1, memoryState2 *state.MemoryTable, nodeID int, resourceName v1.ResourceName) bool {
+func areMemoryStatesEqual(logger klog.Logger, memoryState1, memoryState2 *state.MemoryTable, nodeID int, resourceName v1.ResourceName) bool {
 	loggerWithValues := klog.LoggerWithValues(logger, "node", nodeID, "resource", resourceName, "memoryState1", *memoryState1, "memoryState2", *memoryState2)
 	if memoryState1.TotalMemSize != memoryState2.TotalMemSize {
 		logger.Info("Memory states for the NUMA node and resource are different", "field", "TotalMemSize", "TotalMemSize1", memoryState1.TotalMemSize, "TotalMemSize2", memoryState2.TotalMemSize)
@@ -926,7 +906,7 @@ func findBestHint(hints []topologymanager.TopologyHint) *topologymanager.Topolog
 }
 
 // GetAllocatableMemory returns the amount of allocatable memory for each NUMA node
-func (p *staticPolicy) GetAllocatableMemory(_ context.Context, s state.State) []state.Block {
+func (p *staticPolicy) GetAllocatableMemory(s state.State) []state.Block {
 	var allocatableMemory []state.Block
 	machineState := s.GetMachineState()
 	for numaNodeID, numaNodeState := range machineState {
@@ -990,7 +970,7 @@ func (p *staticPolicy) updatePodReusableMemory(pod *v1.Pod, container *v1.Contai
 	}
 }
 
-func (p *staticPolicy) updateInitContainersMemoryBlocks(logger logr.Logger, s state.State, pod *v1.Pod, container *v1.Container, containerMemoryBlocks []state.Block) {
+func (p *staticPolicy) updateInitContainersMemoryBlocks(logger klog.Logger, s state.State, pod *v1.Pod, container *v1.Container, containerMemoryBlocks []state.Block) {
 	podUID := string(pod.UID)
 
 	for _, containerBlock := range containerMemoryBlocks {
@@ -1054,7 +1034,7 @@ func isRegularInitContainer(pod *v1.Pod, container *v1.Container) bool {
 	return false
 }
 
-func isNUMAAffinitiesEqual(logger logr.Logger, numaAffinity1, numaAffinity2 []int) bool {
+func isNUMAAffinitiesEqual(logger klog.Logger, numaAffinity1, numaAffinity2 []int) bool {
 	bitMask1, err := bitmask.NewBitMask(numaAffinity1...)
 	if err != nil {
 		logger.Error(err, "failed to create bit mask", "numaAffinity1", numaAffinity1)
diff --git a/pkg/kubelet/cm/memorymanager/policy_static_test.go b/pkg/kubelet/cm/memorymanager/policy_static_test.go
index bb5ab463bbb6f..5f51082f87b3d 100644
--- a/pkg/kubelet/cm/memorymanager/policy_static_test.go
+++ b/pkg/kubelet/cm/memorymanager/policy_static_test.go
@@ -149,13 +149,13 @@ type testStaticPolicy struct {
 }
 
 func initTests(t *testing.T, testCase *testStaticPolicy, hint *topologymanager.TopologyHint, initContainersReusableMemory reusableMemory) (Policy, state.State, error) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	manager := topologymanager.NewFakeManager()
 	if hint != nil {
 		manager = topologymanager.NewFakeManagerWithHint(hint)
 	}
 
-	p, err := NewPolicyStatic(tCtx, testCase.machineInfo, testCase.systemReserved, manager)
+	p, err := NewPolicyStatic(logger, testCase.machineInfo, testCase.systemReserved, manager)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -228,7 +228,7 @@ func TestStaticPolicyName(t *testing.T) {
 }
 
 func TestStaticPolicyStart(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description: "should fail, if machine state is empty, but it has memory assignments",
@@ -1169,7 +1169,7 @@ func TestStaticPolicyStart(t *testing.T) {
 				t.Fatalf("Unexpected error: %v", err)
 			}
 
-			err = p.Start(tCtx, s)
+			err = p.Start(logger, s)
 			if !reflect.DeepEqual(err, testCase.expectedError) {
 				t.Fatalf("The actual error: %v is different from the expected one: %v", err, testCase.expectedError)
 			}
@@ -1192,7 +1192,7 @@ func TestStaticPolicyStart(t *testing.T) {
 }
 
 func TestStaticPolicyAllocate(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description:         "should do nothing for non-guaranteed pods",
@@ -2089,7 +2089,7 @@ func TestStaticPolicyAllocate(t *testing.T) {
 				t.Fatalf("Unexpected error: %v", err)
 			}
 
-			err = p.Allocate(tCtx, s, testCase.pod, &testCase.pod.Spec.Containers[0])
+			err = p.Allocate(logger, s, testCase.pod, &testCase.pod.Spec.Containers[0])
 			if (err == nil) != (testCase.expectedError == nil) || (err != nil && testCase.expectedError != nil && err.Error() != testCase.expectedError.Error()) {
 				t.Fatalf("The actual error %v is different from the expected one %v", err, testCase.expectedError)
 			}
@@ -2112,7 +2112,7 @@ func TestStaticPolicyAllocate(t *testing.T) {
 }
 
 func TestStaticPolicyAllocateWithInitContainers(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description: "should re-use init containers memory, init containers requests 1Gi and 2Gi, apps containers 3Gi and 4Gi",
@@ -2814,14 +2814,14 @@ func TestStaticPolicyAllocateWithInitContainers(t *testing.T) {
 			}
 
 			for i := range testCase.pod.Spec.InitContainers {
-				err = p.Allocate(tCtx, s, testCase.pod, &testCase.pod.Spec.InitContainers[i])
+				err = p.Allocate(logger, s, testCase.pod, &testCase.pod.Spec.InitContainers[i])
 				if !reflect.DeepEqual(err, testCase.expectedError) {
 					t.Fatalf("The actual error %v is different from the expected one %v", err, testCase.expectedError)
 				}
 			}
 
 			for i := range testCase.pod.Spec.Containers {
-				err = p.Allocate(tCtx, s, testCase.pod, &testCase.pod.Spec.Containers[i])
+				err = p.Allocate(logger, s, testCase.pod, &testCase.pod.Spec.Containers[i])
 				if !reflect.DeepEqual(err, testCase.expectedError) {
 					t.Fatalf("The actual error %v is different from the expected one %v", err, testCase.expectedError)
 				}
@@ -2841,7 +2841,7 @@ func TestStaticPolicyAllocateWithInitContainers(t *testing.T) {
 }
 
 func TestStaticPolicyAllocateWithRestartableInitContainers(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description: "should do nothing once containers already exist under the state file",
@@ -3148,7 +3148,7 @@ func TestStaticPolicyAllocateWithRestartableInitContainers(t *testing.T) {
 			}
 
 			for i := range testCase.pod.Spec.InitContainers {
-				err = p.Allocate(tCtx, s, testCase.pod, &testCase.pod.Spec.InitContainers[i])
+				err = p.Allocate(logger, s, testCase.pod, &testCase.pod.Spec.InitContainers[i])
 				if !reflect.DeepEqual(err, testCase.expectedError) {
 					t.Fatalf("The actual error %v is different from the expected one %v", err, testCase.expectedError)
 				}
@@ -3159,7 +3159,7 @@ func TestStaticPolicyAllocateWithRestartableInitContainers(t *testing.T) {
 			}
 
 			for i := range testCase.pod.Spec.Containers {
-				err = p.Allocate(tCtx, s, testCase.pod, &testCase.pod.Spec.Containers[i])
+				err = p.Allocate(logger, s, testCase.pod, &testCase.pod.Spec.Containers[i])
 				if err != nil {
 					t.Fatalf("Unexpected error: %v", err)
 				}
@@ -3179,7 +3179,7 @@ func TestStaticPolicyAllocateWithRestartableInitContainers(t *testing.T) {
 }
 
 func TestStaticPolicyRemoveContainer(t *testing.T) {
-	logger, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description:         "should do nothing when the container does not exist under the state",
@@ -3422,7 +3422,7 @@ func TestStaticPolicyRemoveContainer(t *testing.T) {
 				t.Fatalf("Unexpected error: %v", err)
 			}
 
-			p.RemoveContainer(tCtx, s, "pod1", "container1")
+			p.RemoveContainer(logger, s, "pod1", "container1")
 			assignments := s.GetMemoryAssignments()
 			if !areContainerMemoryAssignmentsEqual(t, assignments, testCase.expectedAssignments) {
 				t.Fatalf("Actual assignments %v are different from the expected %v", assignments, testCase.expectedAssignments)
@@ -3437,7 +3437,7 @@ func TestStaticPolicyRemoveContainer(t *testing.T) {
 }
 
 func TestStaticPolicyGetTopologyHints(t *testing.T) {
-	tCtx := ktesting.Init(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description: "should not provide topology hints for non-guaranteed pods",
@@ -3827,7 +3827,7 @@ func TestStaticPolicyGetTopologyHints(t *testing.T) {
 				t.Fatalf("Unexpected error: %v", err)
 			}
 
-			topologyHints := p.GetTopologyHints(tCtx, s, testCase.pod, &testCase.pod.Spec.Containers[0])
+			topologyHints := p.GetTopologyHints(logger, s, testCase.pod, &testCase.pod.Spec.Containers[0])
 			if !reflect.DeepEqual(topologyHints, testCase.expectedTopologyHints) {
 				t.Fatalf("The actual topology hints: '%+v' are different from the expected one: '%+v'", topologyHints, testCase.expectedTopologyHints)
 			}
@@ -3836,7 +3836,7 @@ func TestStaticPolicyGetTopologyHints(t *testing.T) {
 }
 
 func TestStaticPolicyGetPodTopologyHints(t *testing.T) {
-	_, tCtx := ktesting.NewTestContext(t)
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []testStaticPolicy{
 		{
 			description: "should not provide pod topology hints for guaranteed pod with pod level resources",
@@ -3860,7 +3860,7 @@ func TestStaticPolicyGetPodTopologyHints(t *testing.T) {
 				t.Fatalf("Unexpected error: %v", err)
 			}
 
-			topologyHints := p.GetPodTopologyHints(tCtx, s, testCase.pod)
+			topologyHints := p.GetPodTopologyHints(logger, s, testCase.pod)
 			if !reflect.DeepEqual(topologyHints, testCase.expectedTopologyHints) {
 				t.Fatalf("The actual topology hints: '%+v' are different from the expected one: '%+v'", topologyHints, testCase.expectedTopologyHints)
 			}
diff --git a/pkg/kubelet/cm/node_container_manager_linux.go b/pkg/kubelet/cm/node_container_manager_linux.go
index 7fa180cefdd72..2981c4ebd4ec0 100644
--- a/pkg/kubelet/cm/node_container_manager_linux.go
+++ b/pkg/kubelet/cm/node_container_manager_linux.go
@@ -28,7 +28,6 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
-	"k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
@@ -42,7 +41,7 @@ const (
 )
 
 // createNodeAllocatableCgroups creates Node Allocatable Cgroup when CgroupsPerQOS flag is specified as true
-func (cm *containerManagerImpl) createNodeAllocatableCgroups() error {
+func (cm *containerManagerImpl) createNodeAllocatableCgroups(logger klog.Logger) error {
 	nodeAllocatable := cm.internalCapacity
 	// Use Node Allocatable limits instead of capacity if the user requested enforcing node allocatable.
 	nc := cm.NodeConfig.NodeAllocatableConfig
@@ -58,15 +57,15 @@ func (cm *containerManagerImpl) createNodeAllocatableCgroups() error {
 	if cm.cgroupManager.Exists(cgroupConfig.Name) {
 		return nil
 	}
-	if err := cm.cgroupManager.Create(cgroupConfig); err != nil {
-		klog.ErrorS(err, "Failed to create cgroup", "cgroupName", cm.cgroupRoot)
+	if err := cm.cgroupManager.Create(logger, cgroupConfig); err != nil {
+		logger.Error(err, "Failed to create cgroup", "cgroupName", cm.cgroupRoot)
 		return err
 	}
 	return nil
 }
 
 // enforceNodeAllocatableCgroups enforce Node Allocatable Cgroup settings.
-func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
+func (cm *containerManagerImpl) enforceNodeAllocatableCgroups(logger klog.Logger) error {
 	nc := cm.NodeConfig.NodeAllocatableConfig
 
 	// We need to update limits on node allocatable cgroup no matter what because
@@ -77,7 +76,7 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 		nodeAllocatable = cm.getNodeAllocatableInternalAbsolute()
 	}
 
-	klog.V(4).InfoS("Attempting to enforce Node Allocatable", "config", nc)
+	logger.V(4).Info("Attempting to enforce Node Allocatable", "config", nc)
 
 	cgroupConfig := &CgroupConfig{
 		Name:               cm.cgroupRoot,
@@ -96,7 +95,7 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 	if len(cm.cgroupRoot) > 0 {
 		go func() {
 			for {
-				err := cm.cgroupManager.Update(cgroupConfig)
+				err := cm.cgroupManager.Update(logger, cgroupConfig)
 				if err == nil {
 					cm.recorder.Event(nodeRef, v1.EventTypeNormal, events.SuccessfulNodeAllocatableEnforcement, "Updated Node Allocatable limit across pods")
 					return
@@ -109,8 +108,8 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 	}
 	// Now apply kube reserved and system reserved limits if required.
 	if nc.EnforceNodeAllocatable.Has(kubetypes.SystemReservedEnforcementKey) {
-		klog.V(2).InfoS("Enforcing system reserved on cgroup", "cgroupName", nc.SystemReservedCgroupName, "limits", nc.SystemReserved)
-		if err := cm.enforceExistingCgroup(nc.SystemReservedCgroupName, nc.SystemReserved, false); err != nil {
+		logger.V(2).Info("Enforcing system reserved on cgroup", "cgroupName", nc.SystemReservedCgroupName, "limits", nc.SystemReserved)
+		if err := cm.enforceExistingCgroup(logger, nc.SystemReservedCgroupName, nc.SystemReserved, false); err != nil {
 			message := fmt.Sprintf("Failed to enforce System Reserved Cgroup Limits on %q: %v", nc.SystemReservedCgroupName, err)
 			cm.recorder.Event(nodeRef, v1.EventTypeWarning, events.FailedNodeAllocatableEnforcement, message)
 			return errors.New(message)
@@ -118,8 +117,8 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 		cm.recorder.Eventf(nodeRef, v1.EventTypeNormal, events.SuccessfulNodeAllocatableEnforcement, "Updated limits on system reserved cgroup %v", nc.SystemReservedCgroupName)
 	}
 	if nc.EnforceNodeAllocatable.Has(kubetypes.KubeReservedEnforcementKey) {
-		klog.V(2).InfoS("Enforcing kube reserved on cgroup", "cgroupName", nc.KubeReservedCgroupName, "limits", nc.KubeReserved)
-		if err := cm.enforceExistingCgroup(nc.KubeReservedCgroupName, nc.KubeReserved, false); err != nil {
+		logger.V(2).Info("Enforcing kube reserved on cgroup", "cgroupName", nc.KubeReservedCgroupName, "limits", nc.KubeReserved)
+		if err := cm.enforceExistingCgroup(logger, nc.KubeReservedCgroupName, nc.KubeReserved, false); err != nil {
 			message := fmt.Sprintf("Failed to enforce Kube Reserved Cgroup Limits on %q: %v", nc.KubeReservedCgroupName, err)
 			cm.recorder.Event(nodeRef, v1.EventTypeWarning, events.FailedNodeAllocatableEnforcement, message)
 			return errors.New(message)
@@ -128,8 +127,8 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 	}
 
 	if nc.EnforceNodeAllocatable.Has(kubetypes.SystemReservedCompressibleEnforcementKey) {
-		klog.V(2).InfoS("Enforcing system reserved compressible on cgroup", "cgroupName", nc.SystemReservedCgroupName, "limits", nc.SystemReserved)
-		if err := cm.enforceExistingCgroup(nc.SystemReservedCgroupName, nc.SystemReserved, true); err != nil {
+		logger.V(2).Info("Enforcing system reserved compressible on cgroup", "cgroupName", nc.SystemReservedCgroupName, "limits", nc.SystemReserved)
+		if err := cm.enforceExistingCgroup(logger, nc.SystemReservedCgroupName, nc.SystemReserved, true); err != nil {
 			message := fmt.Sprintf("Failed to enforce System Reserved Compressible Cgroup Limits on %q: %v", nc.SystemReservedCgroupName, err)
 			cm.recorder.Event(nodeRef, v1.EventTypeWarning, events.FailedNodeAllocatableEnforcement, message)
 			return errors.New(message)
@@ -138,8 +137,8 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 	}
 
 	if nc.EnforceNodeAllocatable.Has(kubetypes.KubeReservedCompressibleEnforcementKey) {
-		klog.V(2).InfoS("Enforcing kube reserved compressible on cgroup", "cgroupName", nc.KubeReservedCgroupName, "limits", nc.KubeReserved)
-		if err := cm.enforceExistingCgroup(nc.KubeReservedCgroupName, nc.KubeReserved, true); err != nil {
+		logger.V(2).Info("Enforcing kube reserved compressible on cgroup", "cgroupName", nc.KubeReservedCgroupName, "limits", nc.KubeReserved)
+		if err := cm.enforceExistingCgroup(logger, nc.KubeReservedCgroupName, nc.KubeReserved, true); err != nil {
 			message := fmt.Sprintf("Failed to enforce Kube Reserved Compressible Cgroup Limits on %q: %v", nc.KubeReservedCgroupName, err)
 			cm.recorder.Event(nodeRef, v1.EventTypeWarning, events.FailedNodeAllocatableEnforcement, message)
 			return errors.New(message)
@@ -150,7 +149,7 @@ func (cm *containerManagerImpl) enforceNodeAllocatableCgroups() error {
 }
 
 // enforceExistingCgroup updates the limits `rl` on existing cgroup `cName` using `cgroupManager` interface.
-func (cm *containerManagerImpl) enforceExistingCgroup(cNameStr string, rl v1.ResourceList, compressibleResources bool) error {
+func (cm *containerManagerImpl) enforceExistingCgroup(logger klog.Logger, cNameStr string, rl v1.ResourceList, compressibleResources bool) error {
 	cName := cm.cgroupManager.CgroupName(cNameStr)
 	rp := cm.getCgroupConfig(rl, compressibleResources)
 	if rp == nil {
@@ -172,11 +171,11 @@ func (cm *containerManagerImpl) enforceExistingCgroup(cNameStr string, rl v1.Res
 		Name:               cName,
 		ResourceParameters: rp,
 	}
-	klog.V(4).InfoS("Enforcing limits on cgroup", "cgroupName", cName, "cpuShares", cgroupConfig.ResourceParameters.CPUShares, "memory", cgroupConfig.ResourceParameters.Memory, "pidsLimit", cgroupConfig.ResourceParameters.PidsLimit)
+	logger.V(4).Info("Enforcing limits on cgroup", "cgroupName", cName, "cpuShares", cgroupConfig.ResourceParameters.CPUShares, "memory", cgroupConfig.ResourceParameters.Memory, "pidsLimit", cgroupConfig.ResourceParameters.PidsLimit)
 	if err := cm.cgroupManager.Validate(cgroupConfig.Name); err != nil {
 		return err
 	}
-	if err := cm.cgroupManager.Update(cgroupConfig); err != nil {
+	if err := cm.cgroupManager.Update(logger, cgroupConfig); err != nil {
 		return err
 	}
 	return nil
@@ -320,9 +319,9 @@ func (cm *containerManagerImpl) validateNodeAllocatable() error {
 // Using ObjectReference for events as the node maybe not cached; refer to #42701 for detail.
 func nodeRefFromNode(nodeName string) *v1.ObjectReference {
 	return &v1.ObjectReference{
-		Kind:      "Node",
-		Name:      nodeName,
-		UID:       types.UID(nodeName),
-		Namespace: "",
+		APIVersion: "v1",
+		Kind:       "Node",
+		Name:       nodeName,
+		Namespace:  "",
 	}
 }
diff --git a/pkg/kubelet/cm/node_container_manager_linux_test.go b/pkg/kubelet/cm/node_container_manager_linux_test.go
index a74e1c7cb231e..bd3b9d616a920 100644
--- a/pkg/kubelet/cm/node_container_manager_linux_test.go
+++ b/pkg/kubelet/cm/node_container_manager_linux_test.go
@@ -402,6 +402,54 @@ func getEphemeralStorageResourceList(storage string) v1.ResourceList {
 	return res
 }
 
+func TestNodeRefFromNode(t *testing.T) {
+	testCases := []struct {
+		name     string
+		nodeName string
+		expected *v1.ObjectReference
+	}{
+		{
+			name:     "normal node name",
+			nodeName: "test-node",
+			expected: &v1.ObjectReference{
+				APIVersion: "v1",
+				Kind:       "Node",
+				Name:       "test-node",
+				Namespace:  "",
+			},
+		},
+		{
+			name:     "empty node name",
+			nodeName: "",
+			expected: &v1.ObjectReference{
+				APIVersion: "v1",
+				Kind:       "Node",
+				Name:       "",
+				UID:        "",
+				Namespace:  "",
+			},
+		},
+		{
+			name:     "node name with special characters",
+			nodeName: "test-node-123.domain.local",
+			expected: &v1.ObjectReference{
+				APIVersion: "v1",
+				Kind:       "Node",
+				Name:       "test-node-123.domain.local",
+				Namespace:  "",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := nodeRefFromNode(tc.nodeName)
+
+			assert.Equal(t, tc.expected, result, "test case %q failed", tc.name)
+		})
+	}
+}
+
 func TestGetCgroupConfig(t *testing.T) {
 	cases := []struct {
 		name                  string
diff --git a/pkg/kubelet/cm/pod_container_manager_linux.go b/pkg/kubelet/cm/pod_container_manager_linux.go
index 3159e0ed7fa2d..14a77a741b29d 100644
--- a/pkg/kubelet/cm/pod_container_manager_linux.go
+++ b/pkg/kubelet/cm/pod_container_manager_linux.go
@@ -71,7 +71,7 @@ func (m *podContainerManagerImpl) Exists(pod *v1.Pod) bool {
 // EnsureExists takes a pod as argument and makes sure that
 // pod cgroup exists if qos cgroup hierarchy flag is enabled.
 // If the pod level container doesn't already exist it is created.
-func (m *podContainerManagerImpl) EnsureExists(pod *v1.Pod) error {
+func (m *podContainerManagerImpl) EnsureExists(logger klog.Logger, pod *v1.Pod) error {
 	// check if container already exist
 	alreadyExists := m.Exists(pod)
 	if !alreadyExists {
@@ -97,9 +97,10 @@ func (m *podContainerManagerImpl) EnsureExists(pod *v1.Pod) error {
 		if enforceMemoryQoS {
 			klog.V(4).InfoS("MemoryQoS config for pod", "pod", klog.KObj(pod), "unified", containerConfig.ResourceParameters.Unified)
 		}
-		if err := m.cgroupManager.Create(containerConfig); err != nil {
+		if err := m.cgroupManager.Create(logger, containerConfig); err != nil {
 			return fmt.Errorf("failed to create container for %v : %v", podContainerName, err)
 		}
+
 	}
 	return nil
 }
@@ -141,9 +142,9 @@ func (m *podContainerManagerImpl) GetPodCgroupConfig(pod *v1.Pod, resource v1.Re
 	return m.cgroupManager.GetCgroupConfig(podCgroupName, resource)
 }
 
-func (m *podContainerManagerImpl) SetPodCgroupConfig(pod *v1.Pod, resourceConfig *ResourceConfig) error {
+func (m *podContainerManagerImpl) SetPodCgroupConfig(logger klog.Logger, pod *v1.Pod, resourceConfig *ResourceConfig) error {
 	podCgroupName, _ := m.GetPodContainerName(pod)
-	return m.cgroupManager.SetCgroupConfig(podCgroupName, resourceConfig)
+	return m.cgroupManager.SetCgroupConfig(logger, podCgroupName, resourceConfig)
 }
 
 // Kill one process ID
@@ -164,8 +165,8 @@ func (m *podContainerManagerImpl) killOnePid(pid int) error {
 
 // Scan through the whole cgroup directory and kill all processes either
 // attached to the pod cgroup or to a container cgroup under the pod cgroup
-func (m *podContainerManagerImpl) tryKillingCgroupProcesses(podCgroup CgroupName) error {
-	pidsToKill := m.cgroupManager.Pids(podCgroup)
+func (m *podContainerManagerImpl) tryKillingCgroupProcesses(logger klog.Logger, podCgroup CgroupName) error {
+	pidsToKill := m.cgroupManager.Pids(logger, podCgroup)
 	// No pids charged to the terminated pod cgroup return
 	if len(pidsToKill) == 0 {
 		return nil
@@ -201,10 +202,10 @@ func (m *podContainerManagerImpl) tryKillingCgroupProcesses(podCgroup CgroupName
 }
 
 // Destroy destroys the pod container cgroup paths
-func (m *podContainerManagerImpl) Destroy(podCgroup CgroupName) error {
+func (m *podContainerManagerImpl) Destroy(logger klog.Logger, podCgroup CgroupName) error {
 	// Try killing all the processes attached to the pod cgroup
-	if err := m.tryKillingCgroupProcesses(podCgroup); err != nil {
-		klog.InfoS("Failed to kill all the processes attached to cgroup", "cgroupName", podCgroup, "err", err)
+	if err := m.tryKillingCgroupProcesses(logger, podCgroup); err != nil {
+		logger.Info("Failed to kill all the processes attached to cgroup", "cgroupName", podCgroup, "err", err)
 		return fmt.Errorf("failed to kill all the processes attached to the %v cgroups : %v", podCgroup, err)
 	}
 
@@ -213,16 +214,16 @@ func (m *podContainerManagerImpl) Destroy(podCgroup CgroupName) error {
 		Name:               podCgroup,
 		ResourceParameters: &ResourceConfig{},
 	}
-	if err := m.cgroupManager.Destroy(containerConfig); err != nil {
-		klog.InfoS("Failed to delete cgroup paths", "cgroupName", podCgroup, "err", err)
+	if err := m.cgroupManager.Destroy(logger, containerConfig); err != nil {
+		logger.Info("Failed to delete cgroup paths", "cgroupName", podCgroup, "err", err)
 		return fmt.Errorf("failed to delete cgroup paths for %v : %v", podCgroup, err)
 	}
 	return nil
 }
 
 // ReduceCPULimits reduces the CPU CFS values to the minimum amount of shares.
-func (m *podContainerManagerImpl) ReduceCPULimits(podCgroup CgroupName) error {
-	return m.cgroupManager.ReduceCPULimits(podCgroup)
+func (m *podContainerManagerImpl) ReduceCPULimits(logger klog.Logger, podCgroup CgroupName) error {
+	return m.cgroupManager.ReduceCPULimits(logger, podCgroup)
 }
 
 // IsPodCgroup returns true if the literal cgroupfs name corresponds to a pod
@@ -320,7 +321,7 @@ func (m *podContainerManagerNoop) Exists(_ *v1.Pod) bool {
 	return true
 }
 
-func (m *podContainerManagerNoop) EnsureExists(_ *v1.Pod) error {
+func (m *podContainerManagerNoop) EnsureExists(_ klog.Logger, _ *v1.Pod) error {
 	return nil
 }
 
@@ -333,11 +334,11 @@ func (m *podContainerManagerNoop) GetPodContainerNameForDriver(_ *v1.Pod) string
 }
 
 // Destroy destroys the pod container cgroup paths
-func (m *podContainerManagerNoop) Destroy(_ CgroupName) error {
+func (m *podContainerManagerNoop) Destroy(_ klog.Logger, _ CgroupName) error {
 	return nil
 }
 
-func (m *podContainerManagerNoop) ReduceCPULimits(_ CgroupName) error {
+func (m *podContainerManagerNoop) ReduceCPULimits(_ klog.Logger, _ CgroupName) error {
 	return nil
 }
 
@@ -357,6 +358,6 @@ func (m *podContainerManagerNoop) GetPodCgroupConfig(_ *v1.Pod, _ v1.ResourceNam
 	return nil, nil
 }
 
-func (m *podContainerManagerNoop) SetPodCgroupConfig(_ *v1.Pod, _ *ResourceConfig) error {
+func (m *podContainerManagerNoop) SetPodCgroupConfig(_ klog.Logger, _ *v1.Pod, _ *ResourceConfig) error {
 	return nil
 }
diff --git a/pkg/kubelet/cm/pod_container_manager_linux_test.go b/pkg/kubelet/cm/pod_container_manager_linux_test.go
index 6f59078d3db9b..971cecf19eb5b 100644
--- a/pkg/kubelet/cm/pod_container_manager_linux_test.go
+++ b/pkg/kubelet/cm/pod_container_manager_linux_test.go
@@ -26,12 +26,14 @@ import (
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2/ktesting"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
 func TestIsCgroupPod(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	qosContainersInfo := QOSContainersInfo{
 		Guaranteed: RootCgroupName,
 		Burstable:  NewCgroupName(RootCgroupName, strings.ToLower(string(v1.PodQOSBurstable))),
@@ -112,7 +114,7 @@ func TestIsCgroupPod(t *testing.T) {
 	}
 	for _, cgroupDriver := range []string{"cgroupfs", "systemd"} {
 		pcm := &podContainerManagerImpl{
-			cgroupManager:     NewCgroupManager(nil, cgroupDriver),
+			cgroupManager:     NewCgroupManager(logger, nil, cgroupDriver),
 			enforceCPULimits:  true,
 			qosContainersInfo: qosContainersInfo,
 		}
@@ -138,6 +140,7 @@ func TestIsCgroupPod(t *testing.T) {
 }
 
 func TestGetPodContainerName(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	newGuaranteedPodWithUID := func(uid types.UID) *v1.Pod {
 		return &v1.Pod{
 			ObjectMeta: metav1.ObjectMeta{
@@ -220,7 +223,7 @@ func TestGetPodContainerName(t *testing.T) {
 		{
 			name: "pod with qos guaranteed and cgroupfs",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "cgroupfs"),
+				cgroupManager: NewCgroupManager(logger, nil, "cgroupfs"),
 			},
 			args: args{
 				pod: newGuaranteedPodWithUID("fake-uid-1"),
@@ -230,7 +233,7 @@ func TestGetPodContainerName(t *testing.T) {
 		}, {
 			name: "pod with qos guaranteed and systemd",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "systemd"),
+				cgroupManager: NewCgroupManager(logger, nil, "systemd"),
 			},
 			args: args{
 				pod: newGuaranteedPodWithUID("fake-uid-2"),
@@ -240,7 +243,7 @@ func TestGetPodContainerName(t *testing.T) {
 		}, {
 			name: "pod with qos burstable and cgroupfs",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "cgroupfs"),
+				cgroupManager: NewCgroupManager(logger, nil, "cgroupfs"),
 			},
 			args: args{
 				pod: newBurstablePodWithUID("fake-uid-3"),
@@ -250,7 +253,7 @@ func TestGetPodContainerName(t *testing.T) {
 		}, {
 			name: "pod with qos burstable and systemd",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "systemd"),
+				cgroupManager: NewCgroupManager(logger, nil, "systemd"),
 			},
 			args: args{
 				pod: newBurstablePodWithUID("fake-uid-4"),
@@ -260,7 +263,7 @@ func TestGetPodContainerName(t *testing.T) {
 		}, {
 			name: "pod with qos best-effort and cgroupfs",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "cgroupfs"),
+				cgroupManager: NewCgroupManager(logger, nil, "cgroupfs"),
 			},
 			args: args{
 				pod: newBestEffortPodWithUID("fake-uid-5"),
@@ -270,7 +273,7 @@ func TestGetPodContainerName(t *testing.T) {
 		}, {
 			name: "pod with qos best-effort and systemd",
 			fields: fields{
-				cgroupManager: NewCgroupManager(nil, "systemd"),
+				cgroupManager: NewCgroupManager(logger, nil, "systemd"),
 			},
 			args: args{
 				pod: newBestEffortPodWithUID("fake-uid-6"),
diff --git a/pkg/kubelet/cm/pod_container_manager_stub.go b/pkg/kubelet/cm/pod_container_manager_stub.go
index 36a995c1895d8..a5c54b2b017f3 100644
--- a/pkg/kubelet/cm/pod_container_manager_stub.go
+++ b/pkg/kubelet/cm/pod_container_manager_stub.go
@@ -17,8 +17,9 @@ limitations under the License.
 package cm
 
 import (
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 )
 
 type podContainerManagerStub struct {
@@ -30,7 +31,7 @@ func (m *podContainerManagerStub) Exists(_ *v1.Pod) bool {
 	return true
 }
 
-func (m *podContainerManagerStub) EnsureExists(_ *v1.Pod) error {
+func (m *podContainerManagerStub) EnsureExists(_ klog.Logger, _ *v1.Pod) error {
 	return nil
 }
 
@@ -38,11 +39,11 @@ func (m *podContainerManagerStub) GetPodContainerName(_ *v1.Pod) (CgroupName, st
 	return nil, ""
 }
 
-func (m *podContainerManagerStub) Destroy(_ CgroupName) error {
+func (m *podContainerManagerStub) Destroy(_ klog.Logger, _ CgroupName) error {
 	return nil
 }
 
-func (m *podContainerManagerStub) ReduceCPULimits(_ CgroupName) error {
+func (m *podContainerManagerStub) ReduceCPULimits(_ klog.Logger, _ CgroupName) error {
 	return nil
 }
 
@@ -70,6 +71,6 @@ func (m *podContainerManagerStub) SetPodCgroupMemoryLimit(_ *v1.Pod, _ int64) er
 	return nil
 }
 
-func (m *podContainerManagerStub) SetPodCgroupCpuLimit(_ *v1.Pod, _ *int64, _, _ *uint64) error {
+func (m *podContainerManagerStub) SetPodCgroupCPULimit(_ klog.Logger, _ *v1.Pod, _ *int64, _, _ *uint64) error {
 	return nil
 }
diff --git a/pkg/kubelet/cm/qos_container_manager_linux.go b/pkg/kubelet/cm/qos_container_manager_linux.go
index 762ced265b2ad..d30283afbc3a9 100644
--- a/pkg/kubelet/cm/qos_container_manager_linux.go
+++ b/pkg/kubelet/cm/qos_container_manager_linux.go
@@ -17,6 +17,7 @@ limitations under the License.
 package cm
 
 import (
+	"context"
 	"fmt"
 	"strconv"
 	"strings"
@@ -29,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	units "github.com/docker/go-units"
+	"github.com/go-logr/logr"
 	libcontainercgroups "github.com/opencontainers/cgroups"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 
@@ -45,9 +47,9 @@ const (
 )
 
 type QOSContainerManager interface {
-	Start(func() v1.ResourceList, ActivePodsFunc) error
+	Start(context.Context, func() v1.ResourceList, ActivePodsFunc) error
 	GetQOSContainersInfo() QOSContainersInfo
-	UpdateCgroups() error
+	UpdateCgroups(logger klog.Logger) error
 }
 
 type qosContainerManagerImpl struct {
@@ -80,7 +82,8 @@ func (m *qosContainerManagerImpl) GetQOSContainersInfo() QOSContainersInfo {
 	return m.qosContainersInfo
 }
 
-func (m *qosContainerManagerImpl) Start(getNodeAllocatable func() v1.ResourceList, activePods ActivePodsFunc) error {
+func (m *qosContainerManagerImpl) Start(ctx context.Context, getNodeAllocatable func() v1.ResourceList, activePods ActivePodsFunc) error {
+	logger := klog.FromContext(ctx)
 	cm := m.cgroupManager
 	rootContainer := m.cgroupRoot
 
@@ -115,12 +118,12 @@ func (m *qosContainerManagerImpl) Start(getNodeAllocatable func() v1.ResourceLis
 
 		// check if it exists
 		if !cm.Exists(containerName) {
-			if err := cm.Create(containerConfig); err != nil {
+			if err := cm.Create(logger, containerConfig); err != nil {
 				return fmt.Errorf("failed to create top level %v QOS cgroup : %v", qosClass, err)
 			}
 		} else {
 			// to ensure we actually have the right state, we update the config on startup
-			if err := cm.Update(containerConfig); err != nil {
+			if err := cm.Update(logger, containerConfig); err != nil {
 				return fmt.Errorf("failed to update top level %v QOS cgroup : %v", qosClass, err)
 			}
 		}
@@ -137,7 +140,7 @@ func (m *qosContainerManagerImpl) Start(getNodeAllocatable func() v1.ResourceLis
 	// update qos cgroup tiers on startup and in periodic intervals
 	// to ensure desired state is in sync with actual state.
 	go wait.Until(func() {
-		err := m.UpdateCgroups()
+		err := m.UpdateCgroups(logger)
 		if err != nil {
 			klog.InfoS("Failed to reserve QoS requests", "err", err)
 		}
@@ -314,7 +317,7 @@ func (m *qosContainerManagerImpl) setMemoryQoS(configs map[v1.PodQOSClass]*Cgrou
 	}
 }
 
-func (m *qosContainerManagerImpl) UpdateCgroups() error {
+func (m *qosContainerManagerImpl) UpdateCgroups(logger logr.Logger) error {
 	m.Lock()
 	defer m.Unlock()
 
@@ -359,7 +362,7 @@ func (m *qosContainerManagerImpl) UpdateCgroups() error {
 
 		updateSuccess := true
 		for _, config := range qosConfigs {
-			err := m.cgroupManager.Update(config)
+			err := m.cgroupManager.Update(logger, config)
 			if err != nil {
 				updateSuccess = false
 			}
@@ -381,7 +384,7 @@ func (m *qosContainerManagerImpl) UpdateCgroups() error {
 	}
 
 	for _, config := range qosConfigs {
-		err := m.cgroupManager.Update(config)
+		err := m.cgroupManager.Update(logger, config)
 		if err != nil {
 			klog.ErrorS(err, "Failed to update QoS cgroup configuration")
 			return err
@@ -402,10 +405,10 @@ func (m *qosContainerManagerNoop) GetQOSContainersInfo() QOSContainersInfo {
 	return QOSContainersInfo{}
 }
 
-func (m *qosContainerManagerNoop) Start(_ func() v1.ResourceList, _ ActivePodsFunc) error {
+func (m *qosContainerManagerNoop) Start(_ context.Context, _ func() v1.ResourceList, _ ActivePodsFunc) error {
 	return nil
 }
 
-func (m *qosContainerManagerNoop) UpdateCgroups() error {
+func (m *qosContainerManagerNoop) UpdateCgroups(logger klog.Logger) error {
 	return nil
 }
diff --git a/pkg/kubelet/cm/qos_container_manager_linux_test.go b/pkg/kubelet/cm/qos_container_manager_linux_test.go
index c096779fccbf1..f06778a208ce8 100644
--- a/pkg/kubelet/cm/qos_container_manager_linux_test.go
+++ b/pkg/kubelet/cm/qos_container_manager_linux_test.go
@@ -28,6 +28,8 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
 )
 
 func activeTestPods() []*v1.Pod {
@@ -106,7 +108,7 @@ func activeTestPods() []*v1.Pod {
 	}
 }
 
-func createTestQOSContainerManager() (*qosContainerManagerImpl, error) {
+func createTestQOSContainerManager(logger klog.Logger) (*qosContainerManagerImpl, error) {
 	subsystems, err := GetCgroupSubsystems()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get mounted cgroup subsystems: %v", err)
@@ -117,7 +119,7 @@ func createTestQOSContainerManager() (*qosContainerManagerImpl, error) {
 
 	qosContainerManager := &qosContainerManagerImpl{
 		subsystems:    subsystems,
-		cgroupManager: NewCgroupManager(subsystems, "cgroupfs"),
+		cgroupManager: NewCgroupManager(logger, subsystems, "cgroupfs"),
 		cgroupRoot:    cgroupRoot,
 		qosReserved:   nil,
 	}
@@ -128,7 +130,8 @@ func createTestQOSContainerManager() (*qosContainerManagerImpl, error) {
 }
 
 func TestQoSContainerCgroup(t *testing.T) {
-	m, err := createTestQOSContainerManager()
+	logger, _ := ktesting.NewTestContext(t)
+	m, err := createTestQOSContainerManager(logger)
 	assert.NoError(t, err)
 
 	qosConfigs := map[v1.PodQOSClass]*CgroupConfig{
diff --git a/pkg/kubelet/cm/testing/mock_container_manager.go b/pkg/kubelet/cm/testing/mock_container_manager.go
deleted file mode 100644
index 0d56cec6ffd79..0000000000000
--- a/pkg/kubelet/cm/testing/mock_container_manager.go
+++ /dev/null
@@ -1,1729 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	cm "k8s.io/kubernetes/pkg/kubelet/cm"
-	cache "k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
-
-	config "k8s.io/kubernetes/pkg/kubelet/config"
-
-	container "k8s.io/kubernetes/pkg/kubelet/container"
-
-	context "context"
-
-	cri "k8s.io/cri-api/pkg/apis"
-
-	framework "k8s.io/kubernetes/pkg/scheduler/framework"
-
-	healthz "k8s.io/apiserver/pkg/server/healthz"
-
-	lifecycle "k8s.io/kubernetes/pkg/kubelet/lifecycle"
-
-	mock "github.com/stretchr/testify/mock"
-
-	podresourcesv1 "k8s.io/kubelet/pkg/apis/podresources/v1"
-
-	resourceupdates "k8s.io/kubernetes/pkg/kubelet/cm/resourceupdates"
-
-	status "k8s.io/kubernetes/pkg/kubelet/status"
-
-	types "k8s.io/apimachinery/pkg/types"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockContainerManager is an autogenerated mock type for the ContainerManager type
-type MockContainerManager struct {
-	mock.Mock
-}
-
-type MockContainerManager_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockContainerManager) EXPECT() *MockContainerManager_Expecter {
-	return &MockContainerManager_Expecter{mock: &_m.Mock}
-}
-
-// ContainerHasExclusiveCPUs provides a mock function with given fields: pod, _a1
-func (_m *MockContainerManager) ContainerHasExclusiveCPUs(pod *v1.Pod, _a1 *v1.Container) bool {
-	ret := _m.Called(pod, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ContainerHasExclusiveCPUs")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod, *v1.Container) bool); ok {
-		r0 = rf(pod, _a1)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockContainerManager_ContainerHasExclusiveCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerHasExclusiveCPUs'
-type MockContainerManager_ContainerHasExclusiveCPUs_Call struct {
-	*mock.Call
-}
-
-// ContainerHasExclusiveCPUs is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - _a1 *v1.Container
-func (_e *MockContainerManager_Expecter) ContainerHasExclusiveCPUs(pod interface{}, _a1 interface{}) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
-	return &MockContainerManager_ContainerHasExclusiveCPUs_Call{Call: _e.mock.On("ContainerHasExclusiveCPUs", pod, _a1)}
-}
-
-func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) Run(run func(pod *v1.Pod, _a1 *v1.Container)) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(*v1.Container))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) Return(_a0 bool) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) RunAndReturn(run func(*v1.Pod, *v1.Container) bool) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAllocatableCPUs provides a mock function with no fields
-func (_m *MockContainerManager) GetAllocatableCPUs() []int64 {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableCPUs")
-	}
-
-	var r0 []int64
-	if rf, ok := ret.Get(0).(func() []int64); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]int64)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetAllocatableCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableCPUs'
-type MockContainerManager_GetAllocatableCPUs_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableCPUs is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetAllocatableCPUs() *MockContainerManager_GetAllocatableCPUs_Call {
-	return &MockContainerManager_GetAllocatableCPUs_Call{Call: _e.mock.On("GetAllocatableCPUs")}
-}
-
-func (_c *MockContainerManager_GetAllocatableCPUs_Call) Run(run func()) *MockContainerManager_GetAllocatableCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableCPUs_Call) Return(_a0 []int64) *MockContainerManager_GetAllocatableCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableCPUs_Call) RunAndReturn(run func() []int64) *MockContainerManager_GetAllocatableCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAllocatableDevices provides a mock function with no fields
-func (_m *MockContainerManager) GetAllocatableDevices() []*podresourcesv1.ContainerDevices {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableDevices")
-	}
-
-	var r0 []*podresourcesv1.ContainerDevices
-	if rf, ok := ret.Get(0).(func() []*podresourcesv1.ContainerDevices); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.ContainerDevices)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetAllocatableDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableDevices'
-type MockContainerManager_GetAllocatableDevices_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableDevices is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetAllocatableDevices() *MockContainerManager_GetAllocatableDevices_Call {
-	return &MockContainerManager_GetAllocatableDevices_Call{Call: _e.mock.On("GetAllocatableDevices")}
-}
-
-func (_c *MockContainerManager_GetAllocatableDevices_Call) Run(run func()) *MockContainerManager_GetAllocatableDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableDevices_Call) Return(_a0 []*podresourcesv1.ContainerDevices) *MockContainerManager_GetAllocatableDevices_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableDevices_Call) RunAndReturn(run func() []*podresourcesv1.ContainerDevices) *MockContainerManager_GetAllocatableDevices_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAllocatableMemory provides a mock function with no fields
-func (_m *MockContainerManager) GetAllocatableMemory() []*podresourcesv1.ContainerMemory {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocatableMemory")
-	}
-
-	var r0 []*podresourcesv1.ContainerMemory
-	if rf, ok := ret.Get(0).(func() []*podresourcesv1.ContainerMemory); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.ContainerMemory)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetAllocatableMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableMemory'
-type MockContainerManager_GetAllocatableMemory_Call struct {
-	*mock.Call
-}
-
-// GetAllocatableMemory is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetAllocatableMemory() *MockContainerManager_GetAllocatableMemory_Call {
-	return &MockContainerManager_GetAllocatableMemory_Call{Call: _e.mock.On("GetAllocatableMemory")}
-}
-
-func (_c *MockContainerManager_GetAllocatableMemory_Call) Run(run func()) *MockContainerManager_GetAllocatableMemory_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableMemory_Call) Return(_a0 []*podresourcesv1.ContainerMemory) *MockContainerManager_GetAllocatableMemory_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocatableMemory_Call) RunAndReturn(run func() []*podresourcesv1.ContainerMemory) *MockContainerManager_GetAllocatableMemory_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAllocateResourcesPodAdmitHandler provides a mock function with no fields
-func (_m *MockContainerManager) GetAllocateResourcesPodAdmitHandler() lifecycle.PodAdmitHandler {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllocateResourcesPodAdmitHandler")
-	}
-
-	var r0 lifecycle.PodAdmitHandler
-	if rf, ok := ret.Get(0).(func() lifecycle.PodAdmitHandler); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(lifecycle.PodAdmitHandler)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocateResourcesPodAdmitHandler'
-type MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call struct {
-	*mock.Call
-}
-
-// GetAllocateResourcesPodAdmitHandler is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetAllocateResourcesPodAdmitHandler() *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
-	return &MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call{Call: _e.mock.On("GetAllocateResourcesPodAdmitHandler")}
-}
-
-func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) Run(run func()) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) Return(_a0 lifecycle.PodAdmitHandler) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) RunAndReturn(run func() lifecycle.PodAdmitHandler) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCPUs provides a mock function with given fields: podUID, containerName
-func (_m *MockContainerManager) GetCPUs(podUID string, containerName string) []int64 {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCPUs")
-	}
-
-	var r0 []int64
-	if rf, ok := ret.Get(0).(func(string, string) []int64); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]int64)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUs'
-type MockContainerManager_GetCPUs_Call struct {
-	*mock.Call
-}
-
-// GetCPUs is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockContainerManager_Expecter) GetCPUs(podUID interface{}, containerName interface{}) *MockContainerManager_GetCPUs_Call {
-	return &MockContainerManager_GetCPUs_Call{Call: _e.mock.On("GetCPUs", podUID, containerName)}
-}
-
-func (_c *MockContainerManager_GetCPUs_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetCPUs_Call) Return(_a0 []int64) *MockContainerManager_GetCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetCPUs_Call) RunAndReturn(run func(string, string) []int64) *MockContainerManager_GetCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCapacity provides a mock function with given fields: localStorageCapacityIsolation
-func (_m *MockContainerManager) GetCapacity(localStorageCapacityIsolation bool) v1.ResourceList {
-	ret := _m.Called(localStorageCapacityIsolation)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCapacity")
-	}
-
-	var r0 v1.ResourceList
-	if rf, ok := ret.Get(0).(func(bool) v1.ResourceList); ok {
-		r0 = rf(localStorageCapacityIsolation)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(v1.ResourceList)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCapacity'
-type MockContainerManager_GetCapacity_Call struct {
-	*mock.Call
-}
-
-// GetCapacity is a helper method to define mock.On call
-//   - localStorageCapacityIsolation bool
-func (_e *MockContainerManager_Expecter) GetCapacity(localStorageCapacityIsolation interface{}) *MockContainerManager_GetCapacity_Call {
-	return &MockContainerManager_GetCapacity_Call{Call: _e.mock.On("GetCapacity", localStorageCapacityIsolation)}
-}
-
-func (_c *MockContainerManager_GetCapacity_Call) Run(run func(localStorageCapacityIsolation bool)) *MockContainerManager_GetCapacity_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(bool))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetCapacity_Call) Return(_a0 v1.ResourceList) *MockContainerManager_GetCapacity_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetCapacity_Call) RunAndReturn(run func(bool) v1.ResourceList) *MockContainerManager_GetCapacity_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetDevicePluginResourceCapacity provides a mock function with no fields
-func (_m *MockContainerManager) GetDevicePluginResourceCapacity() (v1.ResourceList, v1.ResourceList, []string) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDevicePluginResourceCapacity")
-	}
-
-	var r0 v1.ResourceList
-	var r1 v1.ResourceList
-	var r2 []string
-	if rf, ok := ret.Get(0).(func() (v1.ResourceList, v1.ResourceList, []string)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() v1.ResourceList); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(v1.ResourceList)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() v1.ResourceList); ok {
-		r1 = rf()
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(v1.ResourceList)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func() []string); ok {
-		r2 = rf()
-	} else {
-		if ret.Get(2) != nil {
-			r2 = ret.Get(2).([]string)
-		}
-	}
-
-	return r0, r1, r2
-}
-
-// MockContainerManager_GetDevicePluginResourceCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevicePluginResourceCapacity'
-type MockContainerManager_GetDevicePluginResourceCapacity_Call struct {
-	*mock.Call
-}
-
-// GetDevicePluginResourceCapacity is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetDevicePluginResourceCapacity() *MockContainerManager_GetDevicePluginResourceCapacity_Call {
-	return &MockContainerManager_GetDevicePluginResourceCapacity_Call{Call: _e.mock.On("GetDevicePluginResourceCapacity")}
-}
-
-func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) Run(run func()) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) Return(_a0 v1.ResourceList, _a1 v1.ResourceList, _a2 []string) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
-	_c.Call.Return(_a0, _a1, _a2)
-	return _c
-}
-
-func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) RunAndReturn(run func() (v1.ResourceList, v1.ResourceList, []string)) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetDevices provides a mock function with given fields: podUID, containerName
-func (_m *MockContainerManager) GetDevices(podUID string, containerName string) []*podresourcesv1.ContainerDevices {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDevices")
-	}
-
-	var r0 []*podresourcesv1.ContainerDevices
-	if rf, ok := ret.Get(0).(func(string, string) []*podresourcesv1.ContainerDevices); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.ContainerDevices)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevices'
-type MockContainerManager_GetDevices_Call struct {
-	*mock.Call
-}
-
-// GetDevices is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockContainerManager_Expecter) GetDevices(podUID interface{}, containerName interface{}) *MockContainerManager_GetDevices_Call {
-	return &MockContainerManager_GetDevices_Call{Call: _e.mock.On("GetDevices", podUID, containerName)}
-}
-
-func (_c *MockContainerManager_GetDevices_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetDevices_Call) Return(_a0 []*podresourcesv1.ContainerDevices) *MockContainerManager_GetDevices_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetDevices_Call) RunAndReturn(run func(string, string) []*podresourcesv1.ContainerDevices) *MockContainerManager_GetDevices_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetDynamicResources provides a mock function with given fields: pod, _a1
-func (_m *MockContainerManager) GetDynamicResources(pod *v1.Pod, _a1 *v1.Container) []*podresourcesv1.DynamicResource {
-	ret := _m.Called(pod, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetDynamicResources")
-	}
-
-	var r0 []*podresourcesv1.DynamicResource
-	if rf, ok := ret.Get(0).(func(*v1.Pod, *v1.Container) []*podresourcesv1.DynamicResource); ok {
-		r0 = rf(pod, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.DynamicResource)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDynamicResources'
-type MockContainerManager_GetDynamicResources_Call struct {
-	*mock.Call
-}
-
-// GetDynamicResources is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - _a1 *v1.Container
-func (_e *MockContainerManager_Expecter) GetDynamicResources(pod interface{}, _a1 interface{}) *MockContainerManager_GetDynamicResources_Call {
-	return &MockContainerManager_GetDynamicResources_Call{Call: _e.mock.On("GetDynamicResources", pod, _a1)}
-}
-
-func (_c *MockContainerManager_GetDynamicResources_Call) Run(run func(pod *v1.Pod, _a1 *v1.Container)) *MockContainerManager_GetDynamicResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(*v1.Container))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetDynamicResources_Call) Return(_a0 []*podresourcesv1.DynamicResource) *MockContainerManager_GetDynamicResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetDynamicResources_Call) RunAndReturn(run func(*v1.Pod, *v1.Container) []*podresourcesv1.DynamicResource) *MockContainerManager_GetDynamicResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetHealthCheckers provides a mock function with no fields
-func (_m *MockContainerManager) GetHealthCheckers() []healthz.HealthChecker {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetHealthCheckers")
-	}
-
-	var r0 []healthz.HealthChecker
-	if rf, ok := ret.Get(0).(func() []healthz.HealthChecker); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]healthz.HealthChecker)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetHealthCheckers_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetHealthCheckers'
-type MockContainerManager_GetHealthCheckers_Call struct {
-	*mock.Call
-}
-
-// GetHealthCheckers is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetHealthCheckers() *MockContainerManager_GetHealthCheckers_Call {
-	return &MockContainerManager_GetHealthCheckers_Call{Call: _e.mock.On("GetHealthCheckers")}
-}
-
-func (_c *MockContainerManager_GetHealthCheckers_Call) Run(run func()) *MockContainerManager_GetHealthCheckers_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetHealthCheckers_Call) Return(_a0 []healthz.HealthChecker) *MockContainerManager_GetHealthCheckers_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetHealthCheckers_Call) RunAndReturn(run func() []healthz.HealthChecker) *MockContainerManager_GetHealthCheckers_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetMemory provides a mock function with given fields: podUID, containerName
-func (_m *MockContainerManager) GetMemory(podUID string, containerName string) []*podresourcesv1.ContainerMemory {
-	ret := _m.Called(podUID, containerName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetMemory")
-	}
-
-	var r0 []*podresourcesv1.ContainerMemory
-	if rf, ok := ret.Get(0).(func(string, string) []*podresourcesv1.ContainerMemory); ok {
-		r0 = rf(podUID, containerName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*podresourcesv1.ContainerMemory)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMemory'
-type MockContainerManager_GetMemory_Call struct {
-	*mock.Call
-}
-
-// GetMemory is a helper method to define mock.On call
-//   - podUID string
-//   - containerName string
-func (_e *MockContainerManager_Expecter) GetMemory(podUID interface{}, containerName interface{}) *MockContainerManager_GetMemory_Call {
-	return &MockContainerManager_GetMemory_Call{Call: _e.mock.On("GetMemory", podUID, containerName)}
-}
-
-func (_c *MockContainerManager_GetMemory_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetMemory_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetMemory_Call) Return(_a0 []*podresourcesv1.ContainerMemory) *MockContainerManager_GetMemory_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetMemory_Call) RunAndReturn(run func(string, string) []*podresourcesv1.ContainerMemory) *MockContainerManager_GetMemory_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetMountedSubsystems provides a mock function with no fields
-func (_m *MockContainerManager) GetMountedSubsystems() *cm.CgroupSubsystems {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetMountedSubsystems")
-	}
-
-	var r0 *cm.CgroupSubsystems
-	if rf, ok := ret.Get(0).(func() *cm.CgroupSubsystems); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*cm.CgroupSubsystems)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetMountedSubsystems_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMountedSubsystems'
-type MockContainerManager_GetMountedSubsystems_Call struct {
-	*mock.Call
-}
-
-// GetMountedSubsystems is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetMountedSubsystems() *MockContainerManager_GetMountedSubsystems_Call {
-	return &MockContainerManager_GetMountedSubsystems_Call{Call: _e.mock.On("GetMountedSubsystems")}
-}
-
-func (_c *MockContainerManager_GetMountedSubsystems_Call) Run(run func()) *MockContainerManager_GetMountedSubsystems_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetMountedSubsystems_Call) Return(_a0 *cm.CgroupSubsystems) *MockContainerManager_GetMountedSubsystems_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetMountedSubsystems_Call) RunAndReturn(run func() *cm.CgroupSubsystems) *MockContainerManager_GetMountedSubsystems_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetNodeAllocatableAbsolute provides a mock function with no fields
-func (_m *MockContainerManager) GetNodeAllocatableAbsolute() v1.ResourceList {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetNodeAllocatableAbsolute")
-	}
-
-	var r0 v1.ResourceList
-	if rf, ok := ret.Get(0).(func() v1.ResourceList); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(v1.ResourceList)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetNodeAllocatableAbsolute_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeAllocatableAbsolute'
-type MockContainerManager_GetNodeAllocatableAbsolute_Call struct {
-	*mock.Call
-}
-
-// GetNodeAllocatableAbsolute is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetNodeAllocatableAbsolute() *MockContainerManager_GetNodeAllocatableAbsolute_Call {
-	return &MockContainerManager_GetNodeAllocatableAbsolute_Call{Call: _e.mock.On("GetNodeAllocatableAbsolute")}
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) Run(run func()) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) Return(_a0 v1.ResourceList) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetNodeAllocatableReservation provides a mock function with no fields
-func (_m *MockContainerManager) GetNodeAllocatableReservation() v1.ResourceList {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetNodeAllocatableReservation")
-	}
-
-	var r0 v1.ResourceList
-	if rf, ok := ret.Get(0).(func() v1.ResourceList); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(v1.ResourceList)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetNodeAllocatableReservation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeAllocatableReservation'
-type MockContainerManager_GetNodeAllocatableReservation_Call struct {
-	*mock.Call
-}
-
-// GetNodeAllocatableReservation is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetNodeAllocatableReservation() *MockContainerManager_GetNodeAllocatableReservation_Call {
-	return &MockContainerManager_GetNodeAllocatableReservation_Call{Call: _e.mock.On("GetNodeAllocatableReservation")}
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) Run(run func()) *MockContainerManager_GetNodeAllocatableReservation_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) Return(_a0 v1.ResourceList) *MockContainerManager_GetNodeAllocatableReservation_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_GetNodeAllocatableReservation_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetNodeConfig provides a mock function with no fields
-func (_m *MockContainerManager) GetNodeConfig() cm.NodeConfig {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetNodeConfig")
-	}
-
-	var r0 cm.NodeConfig
-	if rf, ok := ret.Get(0).(func() cm.NodeConfig); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(cm.NodeConfig)
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetNodeConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeConfig'
-type MockContainerManager_GetNodeConfig_Call struct {
-	*mock.Call
-}
-
-// GetNodeConfig is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetNodeConfig() *MockContainerManager_GetNodeConfig_Call {
-	return &MockContainerManager_GetNodeConfig_Call{Call: _e.mock.On("GetNodeConfig")}
-}
-
-func (_c *MockContainerManager_GetNodeConfig_Call) Run(run func()) *MockContainerManager_GetNodeConfig_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeConfig_Call) Return(_a0 cm.NodeConfig) *MockContainerManager_GetNodeConfig_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetNodeConfig_Call) RunAndReturn(run func() cm.NodeConfig) *MockContainerManager_GetNodeConfig_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPluginRegistrationHandlers provides a mock function with no fields
-func (_m *MockContainerManager) GetPluginRegistrationHandlers() map[string]cache.PluginHandler {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPluginRegistrationHandlers")
-	}
-
-	var r0 map[string]cache.PluginHandler
-	if rf, ok := ret.Get(0).(func() map[string]cache.PluginHandler); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]cache.PluginHandler)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetPluginRegistrationHandlers_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginRegistrationHandlers'
-type MockContainerManager_GetPluginRegistrationHandlers_Call struct {
-	*mock.Call
-}
-
-// GetPluginRegistrationHandlers is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetPluginRegistrationHandlers() *MockContainerManager_GetPluginRegistrationHandlers_Call {
-	return &MockContainerManager_GetPluginRegistrationHandlers_Call{Call: _e.mock.On("GetPluginRegistrationHandlers")}
-}
-
-func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) Run(run func()) *MockContainerManager_GetPluginRegistrationHandlers_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) Return(_a0 map[string]cache.PluginHandler) *MockContainerManager_GetPluginRegistrationHandlers_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) RunAndReturn(run func() map[string]cache.PluginHandler) *MockContainerManager_GetPluginRegistrationHandlers_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodCgroupRoot provides a mock function with no fields
-func (_m *MockContainerManager) GetPodCgroupRoot() string {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodCgroupRoot")
-	}
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func() string); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetPodCgroupRoot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupRoot'
-type MockContainerManager_GetPodCgroupRoot_Call struct {
-	*mock.Call
-}
-
-// GetPodCgroupRoot is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetPodCgroupRoot() *MockContainerManager_GetPodCgroupRoot_Call {
-	return &MockContainerManager_GetPodCgroupRoot_Call{Call: _e.mock.On("GetPodCgroupRoot")}
-}
-
-func (_c *MockContainerManager_GetPodCgroupRoot_Call) Run(run func()) *MockContainerManager_GetPodCgroupRoot_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetPodCgroupRoot_Call) Return(_a0 string) *MockContainerManager_GetPodCgroupRoot_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetPodCgroupRoot_Call) RunAndReturn(run func() string) *MockContainerManager_GetPodCgroupRoot_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetQOSContainersInfo provides a mock function with no fields
-func (_m *MockContainerManager) GetQOSContainersInfo() cm.QOSContainersInfo {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetQOSContainersInfo")
-	}
-
-	var r0 cm.QOSContainersInfo
-	if rf, ok := ret.Get(0).(func() cm.QOSContainersInfo); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(cm.QOSContainersInfo)
-	}
-
-	return r0
-}
-
-// MockContainerManager_GetQOSContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetQOSContainersInfo'
-type MockContainerManager_GetQOSContainersInfo_Call struct {
-	*mock.Call
-}
-
-// GetQOSContainersInfo is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) GetQOSContainersInfo() *MockContainerManager_GetQOSContainersInfo_Call {
-	return &MockContainerManager_GetQOSContainersInfo_Call{Call: _e.mock.On("GetQOSContainersInfo")}
-}
-
-func (_c *MockContainerManager_GetQOSContainersInfo_Call) Run(run func()) *MockContainerManager_GetQOSContainersInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetQOSContainersInfo_Call) Return(_a0 cm.QOSContainersInfo) *MockContainerManager_GetQOSContainersInfo_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_GetQOSContainersInfo_Call) RunAndReturn(run func() cm.QOSContainersInfo) *MockContainerManager_GetQOSContainersInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetResources provides a mock function with given fields: ctx, pod, _a2
-func (_m *MockContainerManager) GetResources(ctx context.Context, pod *v1.Pod, _a2 *v1.Container) (*container.RunContainerOptions, error) {
-	ret := _m.Called(ctx, pod, _a2)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetResources")
-	}
-
-	var r0 *container.RunContainerOptions
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.Pod, *v1.Container) (*container.RunContainerOptions, error)); ok {
-		return rf(ctx, pod, _a2)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.Pod, *v1.Container) *container.RunContainerOptions); ok {
-		r0 = rf(ctx, pod, _a2)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.RunContainerOptions)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *v1.Pod, *v1.Container) error); ok {
-		r1 = rf(ctx, pod, _a2)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockContainerManager_GetResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResources'
-type MockContainerManager_GetResources_Call struct {
-	*mock.Call
-}
-
-// GetResources is a helper method to define mock.On call
-//   - ctx context.Context
-//   - pod *v1.Pod
-//   - _a2 *v1.Container
-func (_e *MockContainerManager_Expecter) GetResources(ctx interface{}, pod interface{}, _a2 interface{}) *MockContainerManager_GetResources_Call {
-	return &MockContainerManager_GetResources_Call{Call: _e.mock.On("GetResources", ctx, pod, _a2)}
-}
-
-func (_c *MockContainerManager_GetResources_Call) Run(run func(ctx context.Context, pod *v1.Pod, _a2 *v1.Container)) *MockContainerManager_GetResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v1.Pod), args[2].(*v1.Container))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_GetResources_Call) Return(_a0 *container.RunContainerOptions, _a1 error) *MockContainerManager_GetResources_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockContainerManager_GetResources_Call) RunAndReturn(run func(context.Context, *v1.Pod, *v1.Container) (*container.RunContainerOptions, error)) *MockContainerManager_GetResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// InternalContainerLifecycle provides a mock function with no fields
-func (_m *MockContainerManager) InternalContainerLifecycle() cm.InternalContainerLifecycle {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for InternalContainerLifecycle")
-	}
-
-	var r0 cm.InternalContainerLifecycle
-	if rf, ok := ret.Get(0).(func() cm.InternalContainerLifecycle); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(cm.InternalContainerLifecycle)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_InternalContainerLifecycle_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'InternalContainerLifecycle'
-type MockContainerManager_InternalContainerLifecycle_Call struct {
-	*mock.Call
-}
-
-// InternalContainerLifecycle is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) InternalContainerLifecycle() *MockContainerManager_InternalContainerLifecycle_Call {
-	return &MockContainerManager_InternalContainerLifecycle_Call{Call: _e.mock.On("InternalContainerLifecycle")}
-}
-
-func (_c *MockContainerManager_InternalContainerLifecycle_Call) Run(run func()) *MockContainerManager_InternalContainerLifecycle_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_InternalContainerLifecycle_Call) Return(_a0 cm.InternalContainerLifecycle) *MockContainerManager_InternalContainerLifecycle_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_InternalContainerLifecycle_Call) RunAndReturn(run func() cm.InternalContainerLifecycle) *MockContainerManager_InternalContainerLifecycle_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewPodContainerManager provides a mock function with no fields
-func (_m *MockContainerManager) NewPodContainerManager() cm.PodContainerManager {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for NewPodContainerManager")
-	}
-
-	var r0 cm.PodContainerManager
-	if rf, ok := ret.Get(0).(func() cm.PodContainerManager); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(cm.PodContainerManager)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_NewPodContainerManager_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NewPodContainerManager'
-type MockContainerManager_NewPodContainerManager_Call struct {
-	*mock.Call
-}
-
-// NewPodContainerManager is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) NewPodContainerManager() *MockContainerManager_NewPodContainerManager_Call {
-	return &MockContainerManager_NewPodContainerManager_Call{Call: _e.mock.On("NewPodContainerManager")}
-}
-
-func (_c *MockContainerManager_NewPodContainerManager_Call) Run(run func()) *MockContainerManager_NewPodContainerManager_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_NewPodContainerManager_Call) Return(_a0 cm.PodContainerManager) *MockContainerManager_NewPodContainerManager_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_NewPodContainerManager_Call) RunAndReturn(run func() cm.PodContainerManager) *MockContainerManager_NewPodContainerManager_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// PodHasExclusiveCPUs provides a mock function with given fields: pod
-func (_m *MockContainerManager) PodHasExclusiveCPUs(pod *v1.Pod) bool {
-	ret := _m.Called(pod)
-
-	if len(ret) == 0 {
-		panic("no return value specified for PodHasExclusiveCPUs")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod) bool); ok {
-		r0 = rf(pod)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockContainerManager_PodHasExclusiveCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PodHasExclusiveCPUs'
-type MockContainerManager_PodHasExclusiveCPUs_Call struct {
-	*mock.Call
-}
-
-// PodHasExclusiveCPUs is a helper method to define mock.On call
-//   - pod *v1.Pod
-func (_e *MockContainerManager_Expecter) PodHasExclusiveCPUs(pod interface{}) *MockContainerManager_PodHasExclusiveCPUs_Call {
-	return &MockContainerManager_PodHasExclusiveCPUs_Call{Call: _e.mock.On("PodHasExclusiveCPUs", pod)}
-}
-
-func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) Run(run func(pod *v1.Pod)) *MockContainerManager_PodHasExclusiveCPUs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) Return(_a0 bool) *MockContainerManager_PodHasExclusiveCPUs_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) RunAndReturn(run func(*v1.Pod) bool) *MockContainerManager_PodHasExclusiveCPUs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// PodMightNeedToUnprepareResources provides a mock function with given fields: UID
-func (_m *MockContainerManager) PodMightNeedToUnprepareResources(UID types.UID) bool {
-	ret := _m.Called(UID)
-
-	if len(ret) == 0 {
-		panic("no return value specified for PodMightNeedToUnprepareResources")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(types.UID) bool); ok {
-		r0 = rf(UID)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockContainerManager_PodMightNeedToUnprepareResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PodMightNeedToUnprepareResources'
-type MockContainerManager_PodMightNeedToUnprepareResources_Call struct {
-	*mock.Call
-}
-
-// PodMightNeedToUnprepareResources is a helper method to define mock.On call
-//   - UID types.UID
-func (_e *MockContainerManager_Expecter) PodMightNeedToUnprepareResources(UID interface{}) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
-	return &MockContainerManager_PodMightNeedToUnprepareResources_Call{Call: _e.mock.On("PodMightNeedToUnprepareResources", UID)}
-}
-
-func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) Run(run func(UID types.UID)) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) Return(_a0 bool) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) RunAndReturn(run func(types.UID) bool) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// PrepareDynamicResources provides a mock function with given fields: _a0, _a1
-func (_m *MockContainerManager) PrepareDynamicResources(_a0 context.Context, _a1 *v1.Pod) error {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for PrepareDynamicResources")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.Pod) error); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockContainerManager_PrepareDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PrepareDynamicResources'
-type MockContainerManager_PrepareDynamicResources_Call struct {
-	*mock.Call
-}
-
-// PrepareDynamicResources is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *v1.Pod
-func (_e *MockContainerManager_Expecter) PrepareDynamicResources(_a0 interface{}, _a1 interface{}) *MockContainerManager_PrepareDynamicResources_Call {
-	return &MockContainerManager_PrepareDynamicResources_Call{Call: _e.mock.On("PrepareDynamicResources", _a0, _a1)}
-}
-
-func (_c *MockContainerManager_PrepareDynamicResources_Call) Run(run func(_a0 context.Context, _a1 *v1.Pod)) *MockContainerManager_PrepareDynamicResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_PrepareDynamicResources_Call) Return(_a0 error) *MockContainerManager_PrepareDynamicResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_PrepareDynamicResources_Call) RunAndReturn(run func(context.Context, *v1.Pod) error) *MockContainerManager_PrepareDynamicResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ShouldResetExtendedResourceCapacity provides a mock function with no fields
-func (_m *MockContainerManager) ShouldResetExtendedResourceCapacity() bool {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for ShouldResetExtendedResourceCapacity")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func() bool); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockContainerManager_ShouldResetExtendedResourceCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ShouldResetExtendedResourceCapacity'
-type MockContainerManager_ShouldResetExtendedResourceCapacity_Call struct {
-	*mock.Call
-}
-
-// ShouldResetExtendedResourceCapacity is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) ShouldResetExtendedResourceCapacity() *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
-	return &MockContainerManager_ShouldResetExtendedResourceCapacity_Call{Call: _e.mock.On("ShouldResetExtendedResourceCapacity")}
-}
-
-func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) Run(run func()) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) Return(_a0 bool) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) RunAndReturn(run func() bool) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Start provides a mock function with given fields: _a0, _a1, _a2, _a3, _a4, _a5, _a6, _a7
-func (_m *MockContainerManager) Start(_a0 context.Context, _a1 *v1.Node, _a2 cm.ActivePodsFunc, _a3 cm.GetNodeFunc, _a4 config.SourcesReady, _a5 status.PodStatusProvider, _a6 cri.RuntimeService, _a7 bool) error {
-	ret := _m.Called(_a0, _a1, _a2, _a3, _a4, _a5, _a6, _a7)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Start")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.Node, cm.ActivePodsFunc, cm.GetNodeFunc, config.SourcesReady, status.PodStatusProvider, cri.RuntimeService, bool) error); ok {
-		r0 = rf(_a0, _a1, _a2, _a3, _a4, _a5, _a6, _a7)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockContainerManager_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
-type MockContainerManager_Start_Call struct {
-	*mock.Call
-}
-
-// Start is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *v1.Node
-//   - _a2 cm.ActivePodsFunc
-//   - _a3 cm.GetNodeFunc
-//   - _a4 config.SourcesReady
-//   - _a5 status.PodStatusProvider
-//   - _a6 cri.RuntimeService
-//   - _a7 bool
-func (_e *MockContainerManager_Expecter) Start(_a0 interface{}, _a1 interface{}, _a2 interface{}, _a3 interface{}, _a4 interface{}, _a5 interface{}, _a6 interface{}, _a7 interface{}) *MockContainerManager_Start_Call {
-	return &MockContainerManager_Start_Call{Call: _e.mock.On("Start", _a0, _a1, _a2, _a3, _a4, _a5, _a6, _a7)}
-}
-
-func (_c *MockContainerManager_Start_Call) Run(run func(_a0 context.Context, _a1 *v1.Node, _a2 cm.ActivePodsFunc, _a3 cm.GetNodeFunc, _a4 config.SourcesReady, _a5 status.PodStatusProvider, _a6 cri.RuntimeService, _a7 bool)) *MockContainerManager_Start_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v1.Node), args[2].(cm.ActivePodsFunc), args[3].(cm.GetNodeFunc), args[4].(config.SourcesReady), args[5].(status.PodStatusProvider), args[6].(cri.RuntimeService), args[7].(bool))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_Start_Call) Return(_a0 error) *MockContainerManager_Start_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_Start_Call) RunAndReturn(run func(context.Context, *v1.Node, cm.ActivePodsFunc, cm.GetNodeFunc, config.SourcesReady, status.PodStatusProvider, cri.RuntimeService, bool) error) *MockContainerManager_Start_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Status provides a mock function with no fields
-func (_m *MockContainerManager) Status() cm.Status {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Status")
-	}
-
-	var r0 cm.Status
-	if rf, ok := ret.Get(0).(func() cm.Status); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(cm.Status)
-	}
-
-	return r0
-}
-
-// MockContainerManager_Status_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Status'
-type MockContainerManager_Status_Call struct {
-	*mock.Call
-}
-
-// Status is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) Status() *MockContainerManager_Status_Call {
-	return &MockContainerManager_Status_Call{Call: _e.mock.On("Status")}
-}
-
-func (_c *MockContainerManager_Status_Call) Run(run func()) *MockContainerManager_Status_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_Status_Call) Return(_a0 cm.Status) *MockContainerManager_Status_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_Status_Call) RunAndReturn(run func() cm.Status) *MockContainerManager_Status_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// SystemCgroupsLimit provides a mock function with no fields
-func (_m *MockContainerManager) SystemCgroupsLimit() v1.ResourceList {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for SystemCgroupsLimit")
-	}
-
-	var r0 v1.ResourceList
-	if rf, ok := ret.Get(0).(func() v1.ResourceList); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(v1.ResourceList)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_SystemCgroupsLimit_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SystemCgroupsLimit'
-type MockContainerManager_SystemCgroupsLimit_Call struct {
-	*mock.Call
-}
-
-// SystemCgroupsLimit is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) SystemCgroupsLimit() *MockContainerManager_SystemCgroupsLimit_Call {
-	return &MockContainerManager_SystemCgroupsLimit_Call{Call: _e.mock.On("SystemCgroupsLimit")}
-}
-
-func (_c *MockContainerManager_SystemCgroupsLimit_Call) Run(run func()) *MockContainerManager_SystemCgroupsLimit_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_SystemCgroupsLimit_Call) Return(_a0 v1.ResourceList) *MockContainerManager_SystemCgroupsLimit_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_SystemCgroupsLimit_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_SystemCgroupsLimit_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UnprepareDynamicResources provides a mock function with given fields: _a0, _a1
-func (_m *MockContainerManager) UnprepareDynamicResources(_a0 context.Context, _a1 *v1.Pod) error {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for UnprepareDynamicResources")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.Pod) error); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockContainerManager_UnprepareDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UnprepareDynamicResources'
-type MockContainerManager_UnprepareDynamicResources_Call struct {
-	*mock.Call
-}
-
-// UnprepareDynamicResources is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *v1.Pod
-func (_e *MockContainerManager_Expecter) UnprepareDynamicResources(_a0 interface{}, _a1 interface{}) *MockContainerManager_UnprepareDynamicResources_Call {
-	return &MockContainerManager_UnprepareDynamicResources_Call{Call: _e.mock.On("UnprepareDynamicResources", _a0, _a1)}
-}
-
-func (_c *MockContainerManager_UnprepareDynamicResources_Call) Run(run func(_a0 context.Context, _a1 *v1.Pod)) *MockContainerManager_UnprepareDynamicResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_UnprepareDynamicResources_Call) Return(_a0 error) *MockContainerManager_UnprepareDynamicResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_UnprepareDynamicResources_Call) RunAndReturn(run func(context.Context, *v1.Pod) error) *MockContainerManager_UnprepareDynamicResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UpdateAllocatedDevices provides a mock function with no fields
-func (_m *MockContainerManager) UpdateAllocatedDevices() {
-	_m.Called()
-}
-
-// MockContainerManager_UpdateAllocatedDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedDevices'
-type MockContainerManager_UpdateAllocatedDevices_Call struct {
-	*mock.Call
-}
-
-// UpdateAllocatedDevices is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) UpdateAllocatedDevices() *MockContainerManager_UpdateAllocatedDevices_Call {
-	return &MockContainerManager_UpdateAllocatedDevices_Call{Call: _e.mock.On("UpdateAllocatedDevices")}
-}
-
-func (_c *MockContainerManager_UpdateAllocatedDevices_Call) Run(run func()) *MockContainerManager_UpdateAllocatedDevices_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateAllocatedDevices_Call) Return() *MockContainerManager_UpdateAllocatedDevices_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateAllocatedDevices_Call) RunAndReturn(run func()) *MockContainerManager_UpdateAllocatedDevices_Call {
-	_c.Run(run)
-	return _c
-}
-
-// UpdateAllocatedResourcesStatus provides a mock function with given fields: pod, _a1
-func (_m *MockContainerManager) UpdateAllocatedResourcesStatus(pod *v1.Pod, _a1 *v1.PodStatus) {
-	_m.Called(pod, _a1)
-}
-
-// MockContainerManager_UpdateAllocatedResourcesStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedResourcesStatus'
-type MockContainerManager_UpdateAllocatedResourcesStatus_Call struct {
-	*mock.Call
-}
-
-// UpdateAllocatedResourcesStatus is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - _a1 *v1.PodStatus
-func (_e *MockContainerManager_Expecter) UpdateAllocatedResourcesStatus(pod interface{}, _a1 interface{}) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
-	return &MockContainerManager_UpdateAllocatedResourcesStatus_Call{Call: _e.mock.On("UpdateAllocatedResourcesStatus", pod, _a1)}
-}
-
-func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) Run(run func(pod *v1.Pod, _a1 *v1.PodStatus)) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(*v1.PodStatus))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) Return() *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) RunAndReturn(run func(*v1.Pod, *v1.PodStatus)) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
-	_c.Run(run)
-	return _c
-}
-
-// UpdatePluginResources provides a mock function with given fields: _a0, _a1
-func (_m *MockContainerManager) UpdatePluginResources(_a0 *framework.NodeInfo, _a1 *lifecycle.PodAdmitAttributes) error {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for UpdatePluginResources")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*framework.NodeInfo, *lifecycle.PodAdmitAttributes) error); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockContainerManager_UpdatePluginResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePluginResources'
-type MockContainerManager_UpdatePluginResources_Call struct {
-	*mock.Call
-}
-
-// UpdatePluginResources is a helper method to define mock.On call
-//   - _a0 *framework.NodeInfo
-//   - _a1 *lifecycle.PodAdmitAttributes
-func (_e *MockContainerManager_Expecter) UpdatePluginResources(_a0 interface{}, _a1 interface{}) *MockContainerManager_UpdatePluginResources_Call {
-	return &MockContainerManager_UpdatePluginResources_Call{Call: _e.mock.On("UpdatePluginResources", _a0, _a1)}
-}
-
-func (_c *MockContainerManager_UpdatePluginResources_Call) Run(run func(_a0 *framework.NodeInfo, _a1 *lifecycle.PodAdmitAttributes)) *MockContainerManager_UpdatePluginResources_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*framework.NodeInfo), args[1].(*lifecycle.PodAdmitAttributes))
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_UpdatePluginResources_Call) Return(_a0 error) *MockContainerManager_UpdatePluginResources_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_UpdatePluginResources_Call) RunAndReturn(run func(*framework.NodeInfo, *lifecycle.PodAdmitAttributes) error) *MockContainerManager_UpdatePluginResources_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UpdateQOSCgroups provides a mock function with no fields
-func (_m *MockContainerManager) UpdateQOSCgroups() error {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for UpdateQOSCgroups")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func() error); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockContainerManager_UpdateQOSCgroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateQOSCgroups'
-type MockContainerManager_UpdateQOSCgroups_Call struct {
-	*mock.Call
-}
-
-// UpdateQOSCgroups is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) UpdateQOSCgroups() *MockContainerManager_UpdateQOSCgroups_Call {
-	return &MockContainerManager_UpdateQOSCgroups_Call{Call: _e.mock.On("UpdateQOSCgroups")}
-}
-
-func (_c *MockContainerManager_UpdateQOSCgroups_Call) Run(run func()) *MockContainerManager_UpdateQOSCgroups_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateQOSCgroups_Call) Return(_a0 error) *MockContainerManager_UpdateQOSCgroups_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_UpdateQOSCgroups_Call) RunAndReturn(run func() error) *MockContainerManager_UpdateQOSCgroups_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Updates provides a mock function with no fields
-func (_m *MockContainerManager) Updates() <-chan resourceupdates.Update {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Updates")
-	}
-
-	var r0 <-chan resourceupdates.Update
-	if rf, ok := ret.Get(0).(func() <-chan resourceupdates.Update); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(<-chan resourceupdates.Update)
-		}
-	}
-
-	return r0
-}
-
-// MockContainerManager_Updates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Updates'
-type MockContainerManager_Updates_Call struct {
-	*mock.Call
-}
-
-// Updates is a helper method to define mock.On call
-func (_e *MockContainerManager_Expecter) Updates() *MockContainerManager_Updates_Call {
-	return &MockContainerManager_Updates_Call{Call: _e.mock.On("Updates")}
-}
-
-func (_c *MockContainerManager_Updates_Call) Run(run func()) *MockContainerManager_Updates_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockContainerManager_Updates_Call) Return(_a0 <-chan resourceupdates.Update) *MockContainerManager_Updates_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockContainerManager_Updates_Call) RunAndReturn(run func() <-chan resourceupdates.Update) *MockContainerManager_Updates_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockContainerManager creates a new instance of MockContainerManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockContainerManager(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockContainerManager {
-	mock := &MockContainerManager{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/cm/testing/mock_pod_container_manager.go b/pkg/kubelet/cm/testing/mock_pod_container_manager.go
deleted file mode 100644
index 97467682b06dd..0000000000000
--- a/pkg/kubelet/cm/testing/mock_pod_container_manager.go
+++ /dev/null
@@ -1,572 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-	cm "k8s.io/kubernetes/pkg/kubelet/cm"
-
-	types "k8s.io/apimachinery/pkg/types"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockPodContainerManager is an autogenerated mock type for the PodContainerManager type
-type MockPodContainerManager struct {
-	mock.Mock
-}
-
-type MockPodContainerManager_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockPodContainerManager) EXPECT() *MockPodContainerManager_Expecter {
-	return &MockPodContainerManager_Expecter{mock: &_m.Mock}
-}
-
-// Destroy provides a mock function with given fields: name
-func (_m *MockPodContainerManager) Destroy(name cm.CgroupName) error {
-	ret := _m.Called(name)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Destroy")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(cm.CgroupName) error); ok {
-		r0 = rf(name)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockPodContainerManager_Destroy_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Destroy'
-type MockPodContainerManager_Destroy_Call struct {
-	*mock.Call
-}
-
-// Destroy is a helper method to define mock.On call
-//   - name cm.CgroupName
-func (_e *MockPodContainerManager_Expecter) Destroy(name interface{}) *MockPodContainerManager_Destroy_Call {
-	return &MockPodContainerManager_Destroy_Call{Call: _e.mock.On("Destroy", name)}
-}
-
-func (_c *MockPodContainerManager_Destroy_Call) Run(run func(name cm.CgroupName)) *MockPodContainerManager_Destroy_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(cm.CgroupName))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_Destroy_Call) Return(_a0 error) *MockPodContainerManager_Destroy_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodContainerManager_Destroy_Call) RunAndReturn(run func(cm.CgroupName) error) *MockPodContainerManager_Destroy_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// EnsureExists provides a mock function with given fields: _a0
-func (_m *MockPodContainerManager) EnsureExists(_a0 *v1.Pod) error {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for EnsureExists")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*v1.Pod) error); ok {
-		r0 = rf(_a0)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockPodContainerManager_EnsureExists_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'EnsureExists'
-type MockPodContainerManager_EnsureExists_Call struct {
-	*mock.Call
-}
-
-// EnsureExists is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockPodContainerManager_Expecter) EnsureExists(_a0 interface{}) *MockPodContainerManager_EnsureExists_Call {
-	return &MockPodContainerManager_EnsureExists_Call{Call: _e.mock.On("EnsureExists", _a0)}
-}
-
-func (_c *MockPodContainerManager_EnsureExists_Call) Run(run func(_a0 *v1.Pod)) *MockPodContainerManager_EnsureExists_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_EnsureExists_Call) Return(_a0 error) *MockPodContainerManager_EnsureExists_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodContainerManager_EnsureExists_Call) RunAndReturn(run func(*v1.Pod) error) *MockPodContainerManager_EnsureExists_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Exists provides a mock function with given fields: _a0
-func (_m *MockPodContainerManager) Exists(_a0 *v1.Pod) bool {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Exists")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod) bool); ok {
-		r0 = rf(_a0)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// MockPodContainerManager_Exists_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exists'
-type MockPodContainerManager_Exists_Call struct {
-	*mock.Call
-}
-
-// Exists is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockPodContainerManager_Expecter) Exists(_a0 interface{}) *MockPodContainerManager_Exists_Call {
-	return &MockPodContainerManager_Exists_Call{Call: _e.mock.On("Exists", _a0)}
-}
-
-func (_c *MockPodContainerManager_Exists_Call) Run(run func(_a0 *v1.Pod)) *MockPodContainerManager_Exists_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_Exists_Call) Return(_a0 bool) *MockPodContainerManager_Exists_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodContainerManager_Exists_Call) RunAndReturn(run func(*v1.Pod) bool) *MockPodContainerManager_Exists_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAllPodsFromCgroups provides a mock function with no fields
-func (_m *MockPodContainerManager) GetAllPodsFromCgroups() (map[types.UID]cm.CgroupName, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAllPodsFromCgroups")
-	}
-
-	var r0 map[types.UID]cm.CgroupName
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (map[types.UID]cm.CgroupName, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() map[types.UID]cm.CgroupName); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[types.UID]cm.CgroupName)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockPodContainerManager_GetAllPodsFromCgroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllPodsFromCgroups'
-type MockPodContainerManager_GetAllPodsFromCgroups_Call struct {
-	*mock.Call
-}
-
-// GetAllPodsFromCgroups is a helper method to define mock.On call
-func (_e *MockPodContainerManager_Expecter) GetAllPodsFromCgroups() *MockPodContainerManager_GetAllPodsFromCgroups_Call {
-	return &MockPodContainerManager_GetAllPodsFromCgroups_Call{Call: _e.mock.On("GetAllPodsFromCgroups")}
-}
-
-func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) Run(run func()) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) Return(_a0 map[types.UID]cm.CgroupName, _a1 error) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) RunAndReturn(run func() (map[types.UID]cm.CgroupName, error)) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodCgroupConfig provides a mock function with given fields: pod, resource
-func (_m *MockPodContainerManager) GetPodCgroupConfig(pod *v1.Pod, resource v1.ResourceName) (*cm.ResourceConfig, error) {
-	ret := _m.Called(pod, resource)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodCgroupConfig")
-	}
-
-	var r0 *cm.ResourceConfig
-	var r1 error
-	if rf, ok := ret.Get(0).(func(*v1.Pod, v1.ResourceName) (*cm.ResourceConfig, error)); ok {
-		return rf(pod, resource)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod, v1.ResourceName) *cm.ResourceConfig); ok {
-		r0 = rf(pod, resource)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*cm.ResourceConfig)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod, v1.ResourceName) error); ok {
-		r1 = rf(pod, resource)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockPodContainerManager_GetPodCgroupConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupConfig'
-type MockPodContainerManager_GetPodCgroupConfig_Call struct {
-	*mock.Call
-}
-
-// GetPodCgroupConfig is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - resource v1.ResourceName
-func (_e *MockPodContainerManager_Expecter) GetPodCgroupConfig(pod interface{}, resource interface{}) *MockPodContainerManager_GetPodCgroupConfig_Call {
-	return &MockPodContainerManager_GetPodCgroupConfig_Call{Call: _e.mock.On("GetPodCgroupConfig", pod, resource)}
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) Run(run func(pod *v1.Pod, resource v1.ResourceName)) *MockPodContainerManager_GetPodCgroupConfig_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(v1.ResourceName))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) Return(_a0 *cm.ResourceConfig, _a1 error) *MockPodContainerManager_GetPodCgroupConfig_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) RunAndReturn(run func(*v1.Pod, v1.ResourceName) (*cm.ResourceConfig, error)) *MockPodContainerManager_GetPodCgroupConfig_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodCgroupMemoryUsage provides a mock function with given fields: pod
-func (_m *MockPodContainerManager) GetPodCgroupMemoryUsage(pod *v1.Pod) (uint64, error) {
-	ret := _m.Called(pod)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodCgroupMemoryUsage")
-	}
-
-	var r0 uint64
-	var r1 error
-	if rf, ok := ret.Get(0).(func(*v1.Pod) (uint64, error)); ok {
-		return rf(pod)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod) uint64); ok {
-		r0 = rf(pod)
-	} else {
-		r0 = ret.Get(0).(uint64)
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod) error); ok {
-		r1 = rf(pod)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockPodContainerManager_GetPodCgroupMemoryUsage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupMemoryUsage'
-type MockPodContainerManager_GetPodCgroupMemoryUsage_Call struct {
-	*mock.Call
-}
-
-// GetPodCgroupMemoryUsage is a helper method to define mock.On call
-//   - pod *v1.Pod
-func (_e *MockPodContainerManager_Expecter) GetPodCgroupMemoryUsage(pod interface{}) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
-	return &MockPodContainerManager_GetPodCgroupMemoryUsage_Call{Call: _e.mock.On("GetPodCgroupMemoryUsage", pod)}
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) Run(run func(pod *v1.Pod)) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) Return(_a0 uint64, _a1 error) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) RunAndReturn(run func(*v1.Pod) (uint64, error)) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodContainerName provides a mock function with given fields: _a0
-func (_m *MockPodContainerManager) GetPodContainerName(_a0 *v1.Pod) (cm.CgroupName, string) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodContainerName")
-	}
-
-	var r0 cm.CgroupName
-	var r1 string
-	if rf, ok := ret.Get(0).(func(*v1.Pod) (cm.CgroupName, string)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod) cm.CgroupName); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(cm.CgroupName)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod) string); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Get(1).(string)
-	}
-
-	return r0, r1
-}
-
-// MockPodContainerManager_GetPodContainerName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodContainerName'
-type MockPodContainerManager_GetPodContainerName_Call struct {
-	*mock.Call
-}
-
-// GetPodContainerName is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockPodContainerManager_Expecter) GetPodContainerName(_a0 interface{}) *MockPodContainerManager_GetPodContainerName_Call {
-	return &MockPodContainerManager_GetPodContainerName_Call{Call: _e.mock.On("GetPodContainerName", _a0)}
-}
-
-func (_c *MockPodContainerManager_GetPodContainerName_Call) Run(run func(_a0 *v1.Pod)) *MockPodContainerManager_GetPodContainerName_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodContainerName_Call) Return(_a0 cm.CgroupName, _a1 string) *MockPodContainerManager_GetPodContainerName_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodContainerManager_GetPodContainerName_Call) RunAndReturn(run func(*v1.Pod) (cm.CgroupName, string)) *MockPodContainerManager_GetPodContainerName_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// IsPodCgroup provides a mock function with given fields: cgroupfs
-func (_m *MockPodContainerManager) IsPodCgroup(cgroupfs string) (bool, types.UID) {
-	ret := _m.Called(cgroupfs)
-
-	if len(ret) == 0 {
-		panic("no return value specified for IsPodCgroup")
-	}
-
-	var r0 bool
-	var r1 types.UID
-	if rf, ok := ret.Get(0).(func(string) (bool, types.UID)); ok {
-		return rf(cgroupfs)
-	}
-	if rf, ok := ret.Get(0).(func(string) bool); ok {
-		r0 = rf(cgroupfs)
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	if rf, ok := ret.Get(1).(func(string) types.UID); ok {
-		r1 = rf(cgroupfs)
-	} else {
-		r1 = ret.Get(1).(types.UID)
-	}
-
-	return r0, r1
-}
-
-// MockPodContainerManager_IsPodCgroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsPodCgroup'
-type MockPodContainerManager_IsPodCgroup_Call struct {
-	*mock.Call
-}
-
-// IsPodCgroup is a helper method to define mock.On call
-//   - cgroupfs string
-func (_e *MockPodContainerManager_Expecter) IsPodCgroup(cgroupfs interface{}) *MockPodContainerManager_IsPodCgroup_Call {
-	return &MockPodContainerManager_IsPodCgroup_Call{Call: _e.mock.On("IsPodCgroup", cgroupfs)}
-}
-
-func (_c *MockPodContainerManager_IsPodCgroup_Call) Run(run func(cgroupfs string)) *MockPodContainerManager_IsPodCgroup_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_IsPodCgroup_Call) Return(_a0 bool, _a1 types.UID) *MockPodContainerManager_IsPodCgroup_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodContainerManager_IsPodCgroup_Call) RunAndReturn(run func(string) (bool, types.UID)) *MockPodContainerManager_IsPodCgroup_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ReduceCPULimits provides a mock function with given fields: name
-func (_m *MockPodContainerManager) ReduceCPULimits(name cm.CgroupName) error {
-	ret := _m.Called(name)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ReduceCPULimits")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(cm.CgroupName) error); ok {
-		r0 = rf(name)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockPodContainerManager_ReduceCPULimits_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReduceCPULimits'
-type MockPodContainerManager_ReduceCPULimits_Call struct {
-	*mock.Call
-}
-
-// ReduceCPULimits is a helper method to define mock.On call
-//   - name cm.CgroupName
-func (_e *MockPodContainerManager_Expecter) ReduceCPULimits(name interface{}) *MockPodContainerManager_ReduceCPULimits_Call {
-	return &MockPodContainerManager_ReduceCPULimits_Call{Call: _e.mock.On("ReduceCPULimits", name)}
-}
-
-func (_c *MockPodContainerManager_ReduceCPULimits_Call) Run(run func(name cm.CgroupName)) *MockPodContainerManager_ReduceCPULimits_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(cm.CgroupName))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_ReduceCPULimits_Call) Return(_a0 error) *MockPodContainerManager_ReduceCPULimits_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodContainerManager_ReduceCPULimits_Call) RunAndReturn(run func(cm.CgroupName) error) *MockPodContainerManager_ReduceCPULimits_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// SetPodCgroupConfig provides a mock function with given fields: pod, resourceConfig
-func (_m *MockPodContainerManager) SetPodCgroupConfig(pod *v1.Pod, resourceConfig *cm.ResourceConfig) error {
-	ret := _m.Called(pod, resourceConfig)
-
-	if len(ret) == 0 {
-		panic("no return value specified for SetPodCgroupConfig")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*v1.Pod, *cm.ResourceConfig) error); ok {
-		r0 = rf(pod, resourceConfig)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockPodContainerManager_SetPodCgroupConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetPodCgroupConfig'
-type MockPodContainerManager_SetPodCgroupConfig_Call struct {
-	*mock.Call
-}
-
-// SetPodCgroupConfig is a helper method to define mock.On call
-//   - pod *v1.Pod
-//   - resourceConfig *cm.ResourceConfig
-func (_e *MockPodContainerManager_Expecter) SetPodCgroupConfig(pod interface{}, resourceConfig interface{}) *MockPodContainerManager_SetPodCgroupConfig_Call {
-	return &MockPodContainerManager_SetPodCgroupConfig_Call{Call: _e.mock.On("SetPodCgroupConfig", pod, resourceConfig)}
-}
-
-func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) Run(run func(pod *v1.Pod, resourceConfig *cm.ResourceConfig)) *MockPodContainerManager_SetPodCgroupConfig_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod), args[1].(*cm.ResourceConfig))
-	})
-	return _c
-}
-
-func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) Return(_a0 error) *MockPodContainerManager_SetPodCgroupConfig_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) RunAndReturn(run func(*v1.Pod, *cm.ResourceConfig) error) *MockPodContainerManager_SetPodCgroupConfig_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockPodContainerManager creates a new instance of MockPodContainerManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockPodContainerManager(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockPodContainerManager {
-	mock := &MockPodContainerManager{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/cm/testing/mocks.go b/pkg/kubelet/cm/testing/mocks.go
new file mode 100644
index 0000000000000..bd9767eac0d3e
--- /dev/null
+++ b/pkg/kubelet/cm/testing/mocks.go
@@ -0,0 +1,2484 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	"context"
+
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apiserver/pkg/server/healthz"
+	"k8s.io/cri-api/pkg/apis"
+	"k8s.io/klog/v2"
+	v10 "k8s.io/kubelet/pkg/apis/podresources/v1"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
+	"k8s.io/kubernetes/pkg/kubelet/cm/resourceupdates"
+	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
+	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
+	"k8s.io/kubernetes/pkg/kubelet/status"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+)
+
+// NewMockContainerManager creates a new instance of MockContainerManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockContainerManager(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockContainerManager {
+	mock := &MockContainerManager{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockContainerManager is an autogenerated mock type for the ContainerManager type
+type MockContainerManager struct {
+	mock.Mock
+}
+
+type MockContainerManager_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockContainerManager) EXPECT() *MockContainerManager_Expecter {
+	return &MockContainerManager_Expecter{mock: &_m.Mock}
+}
+
+// ContainerHasExclusiveCPUs provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) ContainerHasExclusiveCPUs(pod *v1.Pod, container *v1.Container) bool {
+	ret := _mock.Called(pod, container)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ContainerHasExclusiveCPUs")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod, *v1.Container) bool); ok {
+		r0 = returnFunc(pod, container)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockContainerManager_ContainerHasExclusiveCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ContainerHasExclusiveCPUs'
+type MockContainerManager_ContainerHasExclusiveCPUs_Call struct {
+	*mock.Call
+}
+
+// ContainerHasExclusiveCPUs is a helper method to define mock.On call
+//   - pod *v1.Pod
+//   - container *v1.Container
+func (_e *MockContainerManager_Expecter) ContainerHasExclusiveCPUs(pod interface{}, container interface{}) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
+	return &MockContainerManager_ContainerHasExclusiveCPUs_Call{Call: _e.mock.On("ContainerHasExclusiveCPUs", pod, container)}
+}
+
+func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) Run(run func(pod *v1.Pod, container *v1.Container)) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		var arg1 *v1.Container
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Container)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) Return(b bool) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockContainerManager_ContainerHasExclusiveCPUs_Call) RunAndReturn(run func(pod *v1.Pod, container *v1.Container) bool) *MockContainerManager_ContainerHasExclusiveCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAllocatableCPUs provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetAllocatableCPUs() []int64 {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableCPUs")
+	}
+
+	var r0 []int64
+	if returnFunc, ok := ret.Get(0).(func() []int64); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]int64)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetAllocatableCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableCPUs'
+type MockContainerManager_GetAllocatableCPUs_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableCPUs is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetAllocatableCPUs() *MockContainerManager_GetAllocatableCPUs_Call {
+	return &MockContainerManager_GetAllocatableCPUs_Call{Call: _e.mock.On("GetAllocatableCPUs")}
+}
+
+func (_c *MockContainerManager_GetAllocatableCPUs_Call) Run(run func()) *MockContainerManager_GetAllocatableCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableCPUs_Call) Return(int64s []int64) *MockContainerManager_GetAllocatableCPUs_Call {
+	_c.Call.Return(int64s)
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableCPUs_Call) RunAndReturn(run func() []int64) *MockContainerManager_GetAllocatableCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAllocatableDevices provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetAllocatableDevices() []*v10.ContainerDevices {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableDevices")
+	}
+
+	var r0 []*v10.ContainerDevices
+	if returnFunc, ok := ret.Get(0).(func() []*v10.ContainerDevices); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.ContainerDevices)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetAllocatableDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableDevices'
+type MockContainerManager_GetAllocatableDevices_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableDevices is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetAllocatableDevices() *MockContainerManager_GetAllocatableDevices_Call {
+	return &MockContainerManager_GetAllocatableDevices_Call{Call: _e.mock.On("GetAllocatableDevices")}
+}
+
+func (_c *MockContainerManager_GetAllocatableDevices_Call) Run(run func()) *MockContainerManager_GetAllocatableDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableDevices_Call) Return(containerDevicess []*v10.ContainerDevices) *MockContainerManager_GetAllocatableDevices_Call {
+	_c.Call.Return(containerDevicess)
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableDevices_Call) RunAndReturn(run func() []*v10.ContainerDevices) *MockContainerManager_GetAllocatableDevices_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAllocatableMemory provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetAllocatableMemory() []*v10.ContainerMemory {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocatableMemory")
+	}
+
+	var r0 []*v10.ContainerMemory
+	if returnFunc, ok := ret.Get(0).(func() []*v10.ContainerMemory); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.ContainerMemory)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetAllocatableMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocatableMemory'
+type MockContainerManager_GetAllocatableMemory_Call struct {
+	*mock.Call
+}
+
+// GetAllocatableMemory is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetAllocatableMemory() *MockContainerManager_GetAllocatableMemory_Call {
+	return &MockContainerManager_GetAllocatableMemory_Call{Call: _e.mock.On("GetAllocatableMemory")}
+}
+
+func (_c *MockContainerManager_GetAllocatableMemory_Call) Run(run func()) *MockContainerManager_GetAllocatableMemory_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableMemory_Call) Return(containerMemorys []*v10.ContainerMemory) *MockContainerManager_GetAllocatableMemory_Call {
+	_c.Call.Return(containerMemorys)
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocatableMemory_Call) RunAndReturn(run func() []*v10.ContainerMemory) *MockContainerManager_GetAllocatableMemory_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAllocateResourcesPodAdmitHandler provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetAllocateResourcesPodAdmitHandler() lifecycle.PodAdmitHandler {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllocateResourcesPodAdmitHandler")
+	}
+
+	var r0 lifecycle.PodAdmitHandler
+	if returnFunc, ok := ret.Get(0).(func() lifecycle.PodAdmitHandler); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(lifecycle.PodAdmitHandler)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllocateResourcesPodAdmitHandler'
+type MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call struct {
+	*mock.Call
+}
+
+// GetAllocateResourcesPodAdmitHandler is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetAllocateResourcesPodAdmitHandler() *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
+	return &MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call{Call: _e.mock.On("GetAllocateResourcesPodAdmitHandler")}
+}
+
+func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) Run(run func()) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) Return(podAdmitHandler lifecycle.PodAdmitHandler) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
+	_c.Call.Return(podAdmitHandler)
+	return _c
+}
+
+func (_c *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call) RunAndReturn(run func() lifecycle.PodAdmitHandler) *MockContainerManager_GetAllocateResourcesPodAdmitHandler_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCPUs provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetCPUs(podUID string, containerName string) []int64 {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCPUs")
+	}
+
+	var r0 []int64
+	if returnFunc, ok := ret.Get(0).(func(string, string) []int64); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]int64)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUs'
+type MockContainerManager_GetCPUs_Call struct {
+	*mock.Call
+}
+
+// GetCPUs is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockContainerManager_Expecter) GetCPUs(podUID interface{}, containerName interface{}) *MockContainerManager_GetCPUs_Call {
+	return &MockContainerManager_GetCPUs_Call{Call: _e.mock.On("GetCPUs", podUID, containerName)}
+}
+
+func (_c *MockContainerManager_GetCPUs_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetCPUs_Call) Return(int64s []int64) *MockContainerManager_GetCPUs_Call {
+	_c.Call.Return(int64s)
+	return _c
+}
+
+func (_c *MockContainerManager_GetCPUs_Call) RunAndReturn(run func(podUID string, containerName string) []int64) *MockContainerManager_GetCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCapacity provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetCapacity(localStorageCapacityIsolation bool) v1.ResourceList {
+	ret := _mock.Called(localStorageCapacityIsolation)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCapacity")
+	}
+
+	var r0 v1.ResourceList
+	if returnFunc, ok := ret.Get(0).(func(bool) v1.ResourceList); ok {
+		r0 = returnFunc(localStorageCapacityIsolation)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(v1.ResourceList)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCapacity'
+type MockContainerManager_GetCapacity_Call struct {
+	*mock.Call
+}
+
+// GetCapacity is a helper method to define mock.On call
+//   - localStorageCapacityIsolation bool
+func (_e *MockContainerManager_Expecter) GetCapacity(localStorageCapacityIsolation interface{}) *MockContainerManager_GetCapacity_Call {
+	return &MockContainerManager_GetCapacity_Call{Call: _e.mock.On("GetCapacity", localStorageCapacityIsolation)}
+}
+
+func (_c *MockContainerManager_GetCapacity_Call) Run(run func(localStorageCapacityIsolation bool)) *MockContainerManager_GetCapacity_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 bool
+		if args[0] != nil {
+			arg0 = args[0].(bool)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetCapacity_Call) Return(resourceList v1.ResourceList) *MockContainerManager_GetCapacity_Call {
+	_c.Call.Return(resourceList)
+	return _c
+}
+
+func (_c *MockContainerManager_GetCapacity_Call) RunAndReturn(run func(localStorageCapacityIsolation bool) v1.ResourceList) *MockContainerManager_GetCapacity_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDevicePluginResourceCapacity provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetDevicePluginResourceCapacity() (v1.ResourceList, v1.ResourceList, []string) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDevicePluginResourceCapacity")
+	}
+
+	var r0 v1.ResourceList
+	var r1 v1.ResourceList
+	var r2 []string
+	if returnFunc, ok := ret.Get(0).(func() (v1.ResourceList, v1.ResourceList, []string)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() v1.ResourceList); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(v1.ResourceList)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() v1.ResourceList); ok {
+		r1 = returnFunc()
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(v1.ResourceList)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func() []string); ok {
+		r2 = returnFunc()
+	} else {
+		if ret.Get(2) != nil {
+			r2 = ret.Get(2).([]string)
+		}
+	}
+	return r0, r1, r2
+}
+
+// MockContainerManager_GetDevicePluginResourceCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevicePluginResourceCapacity'
+type MockContainerManager_GetDevicePluginResourceCapacity_Call struct {
+	*mock.Call
+}
+
+// GetDevicePluginResourceCapacity is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetDevicePluginResourceCapacity() *MockContainerManager_GetDevicePluginResourceCapacity_Call {
+	return &MockContainerManager_GetDevicePluginResourceCapacity_Call{Call: _e.mock.On("GetDevicePluginResourceCapacity")}
+}
+
+func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) Run(run func()) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) Return(resourceList v1.ResourceList, resourceList1 v1.ResourceList, strings []string) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
+	_c.Call.Return(resourceList, resourceList1, strings)
+	return _c
+}
+
+func (_c *MockContainerManager_GetDevicePluginResourceCapacity_Call) RunAndReturn(run func() (v1.ResourceList, v1.ResourceList, []string)) *MockContainerManager_GetDevicePluginResourceCapacity_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDevices provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetDevices(podUID string, containerName string) []*v10.ContainerDevices {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDevices")
+	}
+
+	var r0 []*v10.ContainerDevices
+	if returnFunc, ok := ret.Get(0).(func(string, string) []*v10.ContainerDevices); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.ContainerDevices)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDevices'
+type MockContainerManager_GetDevices_Call struct {
+	*mock.Call
+}
+
+// GetDevices is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockContainerManager_Expecter) GetDevices(podUID interface{}, containerName interface{}) *MockContainerManager_GetDevices_Call {
+	return &MockContainerManager_GetDevices_Call{Call: _e.mock.On("GetDevices", podUID, containerName)}
+}
+
+func (_c *MockContainerManager_GetDevices_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetDevices_Call) Return(containerDevicess []*v10.ContainerDevices) *MockContainerManager_GetDevices_Call {
+	_c.Call.Return(containerDevicess)
+	return _c
+}
+
+func (_c *MockContainerManager_GetDevices_Call) RunAndReturn(run func(podUID string, containerName string) []*v10.ContainerDevices) *MockContainerManager_GetDevices_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetDynamicResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetDynamicResources(pod *v1.Pod, container *v1.Container) []*v10.DynamicResource {
+	ret := _mock.Called(pod, container)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetDynamicResources")
+	}
+
+	var r0 []*v10.DynamicResource
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod, *v1.Container) []*v10.DynamicResource); ok {
+		r0 = returnFunc(pod, container)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.DynamicResource)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDynamicResources'
+type MockContainerManager_GetDynamicResources_Call struct {
+	*mock.Call
+}
+
+// GetDynamicResources is a helper method to define mock.On call
+//   - pod *v1.Pod
+//   - container *v1.Container
+func (_e *MockContainerManager_Expecter) GetDynamicResources(pod interface{}, container interface{}) *MockContainerManager_GetDynamicResources_Call {
+	return &MockContainerManager_GetDynamicResources_Call{Call: _e.mock.On("GetDynamicResources", pod, container)}
+}
+
+func (_c *MockContainerManager_GetDynamicResources_Call) Run(run func(pod *v1.Pod, container *v1.Container)) *MockContainerManager_GetDynamicResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		var arg1 *v1.Container
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Container)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetDynamicResources_Call) Return(dynamicResources []*v10.DynamicResource) *MockContainerManager_GetDynamicResources_Call {
+	_c.Call.Return(dynamicResources)
+	return _c
+}
+
+func (_c *MockContainerManager_GetDynamicResources_Call) RunAndReturn(run func(pod *v1.Pod, container *v1.Container) []*v10.DynamicResource) *MockContainerManager_GetDynamicResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetHealthCheckers provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetHealthCheckers() []healthz.HealthChecker {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetHealthCheckers")
+	}
+
+	var r0 []healthz.HealthChecker
+	if returnFunc, ok := ret.Get(0).(func() []healthz.HealthChecker); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]healthz.HealthChecker)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetHealthCheckers_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetHealthCheckers'
+type MockContainerManager_GetHealthCheckers_Call struct {
+	*mock.Call
+}
+
+// GetHealthCheckers is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetHealthCheckers() *MockContainerManager_GetHealthCheckers_Call {
+	return &MockContainerManager_GetHealthCheckers_Call{Call: _e.mock.On("GetHealthCheckers")}
+}
+
+func (_c *MockContainerManager_GetHealthCheckers_Call) Run(run func()) *MockContainerManager_GetHealthCheckers_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetHealthCheckers_Call) Return(healthCheckers []healthz.HealthChecker) *MockContainerManager_GetHealthCheckers_Call {
+	_c.Call.Return(healthCheckers)
+	return _c
+}
+
+func (_c *MockContainerManager_GetHealthCheckers_Call) RunAndReturn(run func() []healthz.HealthChecker) *MockContainerManager_GetHealthCheckers_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetMemory provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetMemory(podUID string, containerName string) []*v10.ContainerMemory {
+	ret := _mock.Called(podUID, containerName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetMemory")
+	}
+
+	var r0 []*v10.ContainerMemory
+	if returnFunc, ok := ret.Get(0).(func(string, string) []*v10.ContainerMemory); ok {
+		r0 = returnFunc(podUID, containerName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v10.ContainerMemory)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetMemory_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMemory'
+type MockContainerManager_GetMemory_Call struct {
+	*mock.Call
+}
+
+// GetMemory is a helper method to define mock.On call
+//   - podUID string
+//   - containerName string
+func (_e *MockContainerManager_Expecter) GetMemory(podUID interface{}, containerName interface{}) *MockContainerManager_GetMemory_Call {
+	return &MockContainerManager_GetMemory_Call{Call: _e.mock.On("GetMemory", podUID, containerName)}
+}
+
+func (_c *MockContainerManager_GetMemory_Call) Run(run func(podUID string, containerName string)) *MockContainerManager_GetMemory_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetMemory_Call) Return(containerMemorys []*v10.ContainerMemory) *MockContainerManager_GetMemory_Call {
+	_c.Call.Return(containerMemorys)
+	return _c
+}
+
+func (_c *MockContainerManager_GetMemory_Call) RunAndReturn(run func(podUID string, containerName string) []*v10.ContainerMemory) *MockContainerManager_GetMemory_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetMountedSubsystems provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetMountedSubsystems() *cm.CgroupSubsystems {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetMountedSubsystems")
+	}
+
+	var r0 *cm.CgroupSubsystems
+	if returnFunc, ok := ret.Get(0).(func() *cm.CgroupSubsystems); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*cm.CgroupSubsystems)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetMountedSubsystems_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMountedSubsystems'
+type MockContainerManager_GetMountedSubsystems_Call struct {
+	*mock.Call
+}
+
+// GetMountedSubsystems is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetMountedSubsystems() *MockContainerManager_GetMountedSubsystems_Call {
+	return &MockContainerManager_GetMountedSubsystems_Call{Call: _e.mock.On("GetMountedSubsystems")}
+}
+
+func (_c *MockContainerManager_GetMountedSubsystems_Call) Run(run func()) *MockContainerManager_GetMountedSubsystems_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetMountedSubsystems_Call) Return(cgroupSubsystems *cm.CgroupSubsystems) *MockContainerManager_GetMountedSubsystems_Call {
+	_c.Call.Return(cgroupSubsystems)
+	return _c
+}
+
+func (_c *MockContainerManager_GetMountedSubsystems_Call) RunAndReturn(run func() *cm.CgroupSubsystems) *MockContainerManager_GetMountedSubsystems_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetNodeAllocatableAbsolute provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetNodeAllocatableAbsolute() v1.ResourceList {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetNodeAllocatableAbsolute")
+	}
+
+	var r0 v1.ResourceList
+	if returnFunc, ok := ret.Get(0).(func() v1.ResourceList); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(v1.ResourceList)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetNodeAllocatableAbsolute_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeAllocatableAbsolute'
+type MockContainerManager_GetNodeAllocatableAbsolute_Call struct {
+	*mock.Call
+}
+
+// GetNodeAllocatableAbsolute is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetNodeAllocatableAbsolute() *MockContainerManager_GetNodeAllocatableAbsolute_Call {
+	return &MockContainerManager_GetNodeAllocatableAbsolute_Call{Call: _e.mock.On("GetNodeAllocatableAbsolute")}
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) Run(run func()) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) Return(resourceList v1.ResourceList) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
+	_c.Call.Return(resourceList)
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableAbsolute_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_GetNodeAllocatableAbsolute_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetNodeAllocatableReservation provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetNodeAllocatableReservation() v1.ResourceList {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetNodeAllocatableReservation")
+	}
+
+	var r0 v1.ResourceList
+	if returnFunc, ok := ret.Get(0).(func() v1.ResourceList); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(v1.ResourceList)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetNodeAllocatableReservation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeAllocatableReservation'
+type MockContainerManager_GetNodeAllocatableReservation_Call struct {
+	*mock.Call
+}
+
+// GetNodeAllocatableReservation is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetNodeAllocatableReservation() *MockContainerManager_GetNodeAllocatableReservation_Call {
+	return &MockContainerManager_GetNodeAllocatableReservation_Call{Call: _e.mock.On("GetNodeAllocatableReservation")}
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) Run(run func()) *MockContainerManager_GetNodeAllocatableReservation_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) Return(resourceList v1.ResourceList) *MockContainerManager_GetNodeAllocatableReservation_Call {
+	_c.Call.Return(resourceList)
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeAllocatableReservation_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_GetNodeAllocatableReservation_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetNodeConfig provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetNodeConfig() cm.NodeConfig {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetNodeConfig")
+	}
+
+	var r0 cm.NodeConfig
+	if returnFunc, ok := ret.Get(0).(func() cm.NodeConfig); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(cm.NodeConfig)
+	}
+	return r0
+}
+
+// MockContainerManager_GetNodeConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeConfig'
+type MockContainerManager_GetNodeConfig_Call struct {
+	*mock.Call
+}
+
+// GetNodeConfig is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetNodeConfig() *MockContainerManager_GetNodeConfig_Call {
+	return &MockContainerManager_GetNodeConfig_Call{Call: _e.mock.On("GetNodeConfig")}
+}
+
+func (_c *MockContainerManager_GetNodeConfig_Call) Run(run func()) *MockContainerManager_GetNodeConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeConfig_Call) Return(nodeConfig cm.NodeConfig) *MockContainerManager_GetNodeConfig_Call {
+	_c.Call.Return(nodeConfig)
+	return _c
+}
+
+func (_c *MockContainerManager_GetNodeConfig_Call) RunAndReturn(run func() cm.NodeConfig) *MockContainerManager_GetNodeConfig_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPluginRegistrationHandlers provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetPluginRegistrationHandlers() map[string]cache.PluginHandler {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPluginRegistrationHandlers")
+	}
+
+	var r0 map[string]cache.PluginHandler
+	if returnFunc, ok := ret.Get(0).(func() map[string]cache.PluginHandler); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]cache.PluginHandler)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_GetPluginRegistrationHandlers_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginRegistrationHandlers'
+type MockContainerManager_GetPluginRegistrationHandlers_Call struct {
+	*mock.Call
+}
+
+// GetPluginRegistrationHandlers is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetPluginRegistrationHandlers() *MockContainerManager_GetPluginRegistrationHandlers_Call {
+	return &MockContainerManager_GetPluginRegistrationHandlers_Call{Call: _e.mock.On("GetPluginRegistrationHandlers")}
+}
+
+func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) Run(run func()) *MockContainerManager_GetPluginRegistrationHandlers_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) Return(stringToPluginHandler map[string]cache.PluginHandler) *MockContainerManager_GetPluginRegistrationHandlers_Call {
+	_c.Call.Return(stringToPluginHandler)
+	return _c
+}
+
+func (_c *MockContainerManager_GetPluginRegistrationHandlers_Call) RunAndReturn(run func() map[string]cache.PluginHandler) *MockContainerManager_GetPluginRegistrationHandlers_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodCgroupRoot provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetPodCgroupRoot() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodCgroupRoot")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockContainerManager_GetPodCgroupRoot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupRoot'
+type MockContainerManager_GetPodCgroupRoot_Call struct {
+	*mock.Call
+}
+
+// GetPodCgroupRoot is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetPodCgroupRoot() *MockContainerManager_GetPodCgroupRoot_Call {
+	return &MockContainerManager_GetPodCgroupRoot_Call{Call: _e.mock.On("GetPodCgroupRoot")}
+}
+
+func (_c *MockContainerManager_GetPodCgroupRoot_Call) Run(run func()) *MockContainerManager_GetPodCgroupRoot_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetPodCgroupRoot_Call) Return(s string) *MockContainerManager_GetPodCgroupRoot_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockContainerManager_GetPodCgroupRoot_Call) RunAndReturn(run func() string) *MockContainerManager_GetPodCgroupRoot_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetQOSContainersInfo provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetQOSContainersInfo() cm.QOSContainersInfo {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetQOSContainersInfo")
+	}
+
+	var r0 cm.QOSContainersInfo
+	if returnFunc, ok := ret.Get(0).(func() cm.QOSContainersInfo); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(cm.QOSContainersInfo)
+	}
+	return r0
+}
+
+// MockContainerManager_GetQOSContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetQOSContainersInfo'
+type MockContainerManager_GetQOSContainersInfo_Call struct {
+	*mock.Call
+}
+
+// GetQOSContainersInfo is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) GetQOSContainersInfo() *MockContainerManager_GetQOSContainersInfo_Call {
+	return &MockContainerManager_GetQOSContainersInfo_Call{Call: _e.mock.On("GetQOSContainersInfo")}
+}
+
+func (_c *MockContainerManager_GetQOSContainersInfo_Call) Run(run func()) *MockContainerManager_GetQOSContainersInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetQOSContainersInfo_Call) Return(qOSContainersInfo cm.QOSContainersInfo) *MockContainerManager_GetQOSContainersInfo_Call {
+	_c.Call.Return(qOSContainersInfo)
+	return _c
+}
+
+func (_c *MockContainerManager_GetQOSContainersInfo_Call) RunAndReturn(run func() cm.QOSContainersInfo) *MockContainerManager_GetQOSContainersInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) GetResources(ctx context.Context, pod *v1.Pod, container1 *v1.Container) (*container.RunContainerOptions, error) {
+	ret := _mock.Called(ctx, pod, container1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetResources")
+	}
+
+	var r0 *container.RunContainerOptions
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.Pod, *v1.Container) (*container.RunContainerOptions, error)); ok {
+		return returnFunc(ctx, pod, container1)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.Pod, *v1.Container) *container.RunContainerOptions); ok {
+		r0 = returnFunc(ctx, pod, container1)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.RunContainerOptions)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *v1.Pod, *v1.Container) error); ok {
+		r1 = returnFunc(ctx, pod, container1)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockContainerManager_GetResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetResources'
+type MockContainerManager_GetResources_Call struct {
+	*mock.Call
+}
+
+// GetResources is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pod *v1.Pod
+//   - container1 *v1.Container
+func (_e *MockContainerManager_Expecter) GetResources(ctx interface{}, pod interface{}, container1 interface{}) *MockContainerManager_GetResources_Call {
+	return &MockContainerManager_GetResources_Call{Call: _e.mock.On("GetResources", ctx, pod, container1)}
+}
+
+func (_c *MockContainerManager_GetResources_Call) Run(run func(ctx context.Context, pod *v1.Pod, container1 *v1.Container)) *MockContainerManager_GetResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Pod)
+		}
+		var arg2 *v1.Container
+		if args[2] != nil {
+			arg2 = args[2].(*v1.Container)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_GetResources_Call) Return(runContainerOptions *container.RunContainerOptions, err error) *MockContainerManager_GetResources_Call {
+	_c.Call.Return(runContainerOptions, err)
+	return _c
+}
+
+func (_c *MockContainerManager_GetResources_Call) RunAndReturn(run func(ctx context.Context, pod *v1.Pod, container1 *v1.Container) (*container.RunContainerOptions, error)) *MockContainerManager_GetResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// InternalContainerLifecycle provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) InternalContainerLifecycle() cm.InternalContainerLifecycle {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for InternalContainerLifecycle")
+	}
+
+	var r0 cm.InternalContainerLifecycle
+	if returnFunc, ok := ret.Get(0).(func() cm.InternalContainerLifecycle); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(cm.InternalContainerLifecycle)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_InternalContainerLifecycle_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'InternalContainerLifecycle'
+type MockContainerManager_InternalContainerLifecycle_Call struct {
+	*mock.Call
+}
+
+// InternalContainerLifecycle is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) InternalContainerLifecycle() *MockContainerManager_InternalContainerLifecycle_Call {
+	return &MockContainerManager_InternalContainerLifecycle_Call{Call: _e.mock.On("InternalContainerLifecycle")}
+}
+
+func (_c *MockContainerManager_InternalContainerLifecycle_Call) Run(run func()) *MockContainerManager_InternalContainerLifecycle_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_InternalContainerLifecycle_Call) Return(internalContainerLifecycle cm.InternalContainerLifecycle) *MockContainerManager_InternalContainerLifecycle_Call {
+	_c.Call.Return(internalContainerLifecycle)
+	return _c
+}
+
+func (_c *MockContainerManager_InternalContainerLifecycle_Call) RunAndReturn(run func() cm.InternalContainerLifecycle) *MockContainerManager_InternalContainerLifecycle_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewPodContainerManager provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) NewPodContainerManager() cm.PodContainerManager {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for NewPodContainerManager")
+	}
+
+	var r0 cm.PodContainerManager
+	if returnFunc, ok := ret.Get(0).(func() cm.PodContainerManager); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(cm.PodContainerManager)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_NewPodContainerManager_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NewPodContainerManager'
+type MockContainerManager_NewPodContainerManager_Call struct {
+	*mock.Call
+}
+
+// NewPodContainerManager is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) NewPodContainerManager() *MockContainerManager_NewPodContainerManager_Call {
+	return &MockContainerManager_NewPodContainerManager_Call{Call: _e.mock.On("NewPodContainerManager")}
+}
+
+func (_c *MockContainerManager_NewPodContainerManager_Call) Run(run func()) *MockContainerManager_NewPodContainerManager_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_NewPodContainerManager_Call) Return(podContainerManager cm.PodContainerManager) *MockContainerManager_NewPodContainerManager_Call {
+	_c.Call.Return(podContainerManager)
+	return _c
+}
+
+func (_c *MockContainerManager_NewPodContainerManager_Call) RunAndReturn(run func() cm.PodContainerManager) *MockContainerManager_NewPodContainerManager_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// PodHasExclusiveCPUs provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) PodHasExclusiveCPUs(pod *v1.Pod) bool {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for PodHasExclusiveCPUs")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) bool); ok {
+		r0 = returnFunc(pod)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockContainerManager_PodHasExclusiveCPUs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PodHasExclusiveCPUs'
+type MockContainerManager_PodHasExclusiveCPUs_Call struct {
+	*mock.Call
+}
+
+// PodHasExclusiveCPUs is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockContainerManager_Expecter) PodHasExclusiveCPUs(pod interface{}) *MockContainerManager_PodHasExclusiveCPUs_Call {
+	return &MockContainerManager_PodHasExclusiveCPUs_Call{Call: _e.mock.On("PodHasExclusiveCPUs", pod)}
+}
+
+func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) Run(run func(pod *v1.Pod)) *MockContainerManager_PodHasExclusiveCPUs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) Return(b bool) *MockContainerManager_PodHasExclusiveCPUs_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockContainerManager_PodHasExclusiveCPUs_Call) RunAndReturn(run func(pod *v1.Pod) bool) *MockContainerManager_PodHasExclusiveCPUs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// PodMightNeedToUnprepareResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) PodMightNeedToUnprepareResources(UID types.UID) bool {
+	ret := _mock.Called(UID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for PodMightNeedToUnprepareResources")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(types.UID) bool); ok {
+		r0 = returnFunc(UID)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockContainerManager_PodMightNeedToUnprepareResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PodMightNeedToUnprepareResources'
+type MockContainerManager_PodMightNeedToUnprepareResources_Call struct {
+	*mock.Call
+}
+
+// PodMightNeedToUnprepareResources is a helper method to define mock.On call
+//   - UID types.UID
+func (_e *MockContainerManager_Expecter) PodMightNeedToUnprepareResources(UID interface{}) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
+	return &MockContainerManager_PodMightNeedToUnprepareResources_Call{Call: _e.mock.On("PodMightNeedToUnprepareResources", UID)}
+}
+
+func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) Run(run func(UID types.UID)) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) Return(b bool) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockContainerManager_PodMightNeedToUnprepareResources_Call) RunAndReturn(run func(UID types.UID) bool) *MockContainerManager_PodMightNeedToUnprepareResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// PrepareDynamicResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) PrepareDynamicResources(context1 context.Context, pod *v1.Pod) error {
+	ret := _mock.Called(context1, pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for PrepareDynamicResources")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.Pod) error); ok {
+		r0 = returnFunc(context1, pod)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockContainerManager_PrepareDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PrepareDynamicResources'
+type MockContainerManager_PrepareDynamicResources_Call struct {
+	*mock.Call
+}
+
+// PrepareDynamicResources is a helper method to define mock.On call
+//   - context1 context.Context
+//   - pod *v1.Pod
+func (_e *MockContainerManager_Expecter) PrepareDynamicResources(context1 interface{}, pod interface{}) *MockContainerManager_PrepareDynamicResources_Call {
+	return &MockContainerManager_PrepareDynamicResources_Call{Call: _e.mock.On("PrepareDynamicResources", context1, pod)}
+}
+
+func (_c *MockContainerManager_PrepareDynamicResources_Call) Run(run func(context1 context.Context, pod *v1.Pod)) *MockContainerManager_PrepareDynamicResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Pod)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_PrepareDynamicResources_Call) Return(err error) *MockContainerManager_PrepareDynamicResources_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockContainerManager_PrepareDynamicResources_Call) RunAndReturn(run func(context1 context.Context, pod *v1.Pod) error) *MockContainerManager_PrepareDynamicResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ShouldResetExtendedResourceCapacity provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) ShouldResetExtendedResourceCapacity() bool {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for ShouldResetExtendedResourceCapacity")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func() bool); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockContainerManager_ShouldResetExtendedResourceCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ShouldResetExtendedResourceCapacity'
+type MockContainerManager_ShouldResetExtendedResourceCapacity_Call struct {
+	*mock.Call
+}
+
+// ShouldResetExtendedResourceCapacity is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) ShouldResetExtendedResourceCapacity() *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
+	return &MockContainerManager_ShouldResetExtendedResourceCapacity_Call{Call: _e.mock.On("ShouldResetExtendedResourceCapacity")}
+}
+
+func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) Run(run func()) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) Return(b bool) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockContainerManager_ShouldResetExtendedResourceCapacity_Call) RunAndReturn(run func() bool) *MockContainerManager_ShouldResetExtendedResourceCapacity_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Start provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) Start(context1 context.Context, node *v1.Node, activePodsFunc cm.ActivePodsFunc, getNodeFunc cm.GetNodeFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, runtimeService cri.RuntimeService, b bool) error {
+	ret := _mock.Called(context1, node, activePodsFunc, getNodeFunc, sourcesReady, podStatusProvider, runtimeService, b)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Start")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.Node, cm.ActivePodsFunc, cm.GetNodeFunc, config.SourcesReady, status.PodStatusProvider, cri.RuntimeService, bool) error); ok {
+		r0 = returnFunc(context1, node, activePodsFunc, getNodeFunc, sourcesReady, podStatusProvider, runtimeService, b)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockContainerManager_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
+type MockContainerManager_Start_Call struct {
+	*mock.Call
+}
+
+// Start is a helper method to define mock.On call
+//   - context1 context.Context
+//   - node *v1.Node
+//   - activePodsFunc cm.ActivePodsFunc
+//   - getNodeFunc cm.GetNodeFunc
+//   - sourcesReady config.SourcesReady
+//   - podStatusProvider status.PodStatusProvider
+//   - runtimeService cri.RuntimeService
+//   - b bool
+func (_e *MockContainerManager_Expecter) Start(context1 interface{}, node interface{}, activePodsFunc interface{}, getNodeFunc interface{}, sourcesReady interface{}, podStatusProvider interface{}, runtimeService interface{}, b interface{}) *MockContainerManager_Start_Call {
+	return &MockContainerManager_Start_Call{Call: _e.mock.On("Start", context1, node, activePodsFunc, getNodeFunc, sourcesReady, podStatusProvider, runtimeService, b)}
+}
+
+func (_c *MockContainerManager_Start_Call) Run(run func(context1 context.Context, node *v1.Node, activePodsFunc cm.ActivePodsFunc, getNodeFunc cm.GetNodeFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, runtimeService cri.RuntimeService, b bool)) *MockContainerManager_Start_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1.Node
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Node)
+		}
+		var arg2 cm.ActivePodsFunc
+		if args[2] != nil {
+			arg2 = args[2].(cm.ActivePodsFunc)
+		}
+		var arg3 cm.GetNodeFunc
+		if args[3] != nil {
+			arg3 = args[3].(cm.GetNodeFunc)
+		}
+		var arg4 config.SourcesReady
+		if args[4] != nil {
+			arg4 = args[4].(config.SourcesReady)
+		}
+		var arg5 status.PodStatusProvider
+		if args[5] != nil {
+			arg5 = args[5].(status.PodStatusProvider)
+		}
+		var arg6 cri.RuntimeService
+		if args[6] != nil {
+			arg6 = args[6].(cri.RuntimeService)
+		}
+		var arg7 bool
+		if args[7] != nil {
+			arg7 = args[7].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+			arg4,
+			arg5,
+			arg6,
+			arg7,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_Start_Call) Return(err error) *MockContainerManager_Start_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockContainerManager_Start_Call) RunAndReturn(run func(context1 context.Context, node *v1.Node, activePodsFunc cm.ActivePodsFunc, getNodeFunc cm.GetNodeFunc, sourcesReady config.SourcesReady, podStatusProvider status.PodStatusProvider, runtimeService cri.RuntimeService, b bool) error) *MockContainerManager_Start_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Status provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) Status() cm.Status {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Status")
+	}
+
+	var r0 cm.Status
+	if returnFunc, ok := ret.Get(0).(func() cm.Status); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(cm.Status)
+	}
+	return r0
+}
+
+// MockContainerManager_Status_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Status'
+type MockContainerManager_Status_Call struct {
+	*mock.Call
+}
+
+// Status is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) Status() *MockContainerManager_Status_Call {
+	return &MockContainerManager_Status_Call{Call: _e.mock.On("Status")}
+}
+
+func (_c *MockContainerManager_Status_Call) Run(run func()) *MockContainerManager_Status_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_Status_Call) Return(status1 cm.Status) *MockContainerManager_Status_Call {
+	_c.Call.Return(status1)
+	return _c
+}
+
+func (_c *MockContainerManager_Status_Call) RunAndReturn(run func() cm.Status) *MockContainerManager_Status_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SystemCgroupsLimit provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) SystemCgroupsLimit() v1.ResourceList {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for SystemCgroupsLimit")
+	}
+
+	var r0 v1.ResourceList
+	if returnFunc, ok := ret.Get(0).(func() v1.ResourceList); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(v1.ResourceList)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_SystemCgroupsLimit_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SystemCgroupsLimit'
+type MockContainerManager_SystemCgroupsLimit_Call struct {
+	*mock.Call
+}
+
+// SystemCgroupsLimit is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) SystemCgroupsLimit() *MockContainerManager_SystemCgroupsLimit_Call {
+	return &MockContainerManager_SystemCgroupsLimit_Call{Call: _e.mock.On("SystemCgroupsLimit")}
+}
+
+func (_c *MockContainerManager_SystemCgroupsLimit_Call) Run(run func()) *MockContainerManager_SystemCgroupsLimit_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_SystemCgroupsLimit_Call) Return(resourceList v1.ResourceList) *MockContainerManager_SystemCgroupsLimit_Call {
+	_c.Call.Return(resourceList)
+	return _c
+}
+
+func (_c *MockContainerManager_SystemCgroupsLimit_Call) RunAndReturn(run func() v1.ResourceList) *MockContainerManager_SystemCgroupsLimit_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UnprepareDynamicResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) UnprepareDynamicResources(context1 context.Context, pod *v1.Pod) error {
+	ret := _mock.Called(context1, pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UnprepareDynamicResources")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.Pod) error); ok {
+		r0 = returnFunc(context1, pod)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockContainerManager_UnprepareDynamicResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UnprepareDynamicResources'
+type MockContainerManager_UnprepareDynamicResources_Call struct {
+	*mock.Call
+}
+
+// UnprepareDynamicResources is a helper method to define mock.On call
+//   - context1 context.Context
+//   - pod *v1.Pod
+func (_e *MockContainerManager_Expecter) UnprepareDynamicResources(context1 interface{}, pod interface{}) *MockContainerManager_UnprepareDynamicResources_Call {
+	return &MockContainerManager_UnprepareDynamicResources_Call{Call: _e.mock.On("UnprepareDynamicResources", context1, pod)}
+}
+
+func (_c *MockContainerManager_UnprepareDynamicResources_Call) Run(run func(context1 context.Context, pod *v1.Pod)) *MockContainerManager_UnprepareDynamicResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Pod)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_UnprepareDynamicResources_Call) Return(err error) *MockContainerManager_UnprepareDynamicResources_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockContainerManager_UnprepareDynamicResources_Call) RunAndReturn(run func(context1 context.Context, pod *v1.Pod) error) *MockContainerManager_UnprepareDynamicResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateAllocatedDevices provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) UpdateAllocatedDevices() {
+	_mock.Called()
+	return
+}
+
+// MockContainerManager_UpdateAllocatedDevices_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedDevices'
+type MockContainerManager_UpdateAllocatedDevices_Call struct {
+	*mock.Call
+}
+
+// UpdateAllocatedDevices is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) UpdateAllocatedDevices() *MockContainerManager_UpdateAllocatedDevices_Call {
+	return &MockContainerManager_UpdateAllocatedDevices_Call{Call: _e.mock.On("UpdateAllocatedDevices")}
+}
+
+func (_c *MockContainerManager_UpdateAllocatedDevices_Call) Run(run func()) *MockContainerManager_UpdateAllocatedDevices_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateAllocatedDevices_Call) Return() *MockContainerManager_UpdateAllocatedDevices_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateAllocatedDevices_Call) RunAndReturn(run func()) *MockContainerManager_UpdateAllocatedDevices_Call {
+	_c.Run(run)
+	return _c
+}
+
+// UpdateAllocatedResourcesStatus provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) UpdateAllocatedResourcesStatus(pod *v1.Pod, status1 *v1.PodStatus) {
+	_mock.Called(pod, status1)
+	return
+}
+
+// MockContainerManager_UpdateAllocatedResourcesStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAllocatedResourcesStatus'
+type MockContainerManager_UpdateAllocatedResourcesStatus_Call struct {
+	*mock.Call
+}
+
+// UpdateAllocatedResourcesStatus is a helper method to define mock.On call
+//   - pod *v1.Pod
+//   - status1 *v1.PodStatus
+func (_e *MockContainerManager_Expecter) UpdateAllocatedResourcesStatus(pod interface{}, status1 interface{}) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
+	return &MockContainerManager_UpdateAllocatedResourcesStatus_Call{Call: _e.mock.On("UpdateAllocatedResourcesStatus", pod, status1)}
+}
+
+func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) Run(run func(pod *v1.Pod, status1 *v1.PodStatus)) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		var arg1 *v1.PodStatus
+		if args[1] != nil {
+			arg1 = args[1].(*v1.PodStatus)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) Return() *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateAllocatedResourcesStatus_Call) RunAndReturn(run func(pod *v1.Pod, status1 *v1.PodStatus)) *MockContainerManager_UpdateAllocatedResourcesStatus_Call {
+	_c.Run(run)
+	return _c
+}
+
+// UpdatePluginResources provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) UpdatePluginResources(nodeInfo *framework.NodeInfo, podAdmitAttributes *lifecycle.PodAdmitAttributes) error {
+	ret := _mock.Called(nodeInfo, podAdmitAttributes)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdatePluginResources")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(*framework.NodeInfo, *lifecycle.PodAdmitAttributes) error); ok {
+		r0 = returnFunc(nodeInfo, podAdmitAttributes)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockContainerManager_UpdatePluginResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePluginResources'
+type MockContainerManager_UpdatePluginResources_Call struct {
+	*mock.Call
+}
+
+// UpdatePluginResources is a helper method to define mock.On call
+//   - nodeInfo *framework.NodeInfo
+//   - podAdmitAttributes *lifecycle.PodAdmitAttributes
+func (_e *MockContainerManager_Expecter) UpdatePluginResources(nodeInfo interface{}, podAdmitAttributes interface{}) *MockContainerManager_UpdatePluginResources_Call {
+	return &MockContainerManager_UpdatePluginResources_Call{Call: _e.mock.On("UpdatePluginResources", nodeInfo, podAdmitAttributes)}
+}
+
+func (_c *MockContainerManager_UpdatePluginResources_Call) Run(run func(nodeInfo *framework.NodeInfo, podAdmitAttributes *lifecycle.PodAdmitAttributes)) *MockContainerManager_UpdatePluginResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *framework.NodeInfo
+		if args[0] != nil {
+			arg0 = args[0].(*framework.NodeInfo)
+		}
+		var arg1 *lifecycle.PodAdmitAttributes
+		if args[1] != nil {
+			arg1 = args[1].(*lifecycle.PodAdmitAttributes)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_UpdatePluginResources_Call) Return(err error) *MockContainerManager_UpdatePluginResources_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockContainerManager_UpdatePluginResources_Call) RunAndReturn(run func(nodeInfo *framework.NodeInfo, podAdmitAttributes *lifecycle.PodAdmitAttributes) error) *MockContainerManager_UpdatePluginResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateQOSCgroups provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) UpdateQOSCgroups(logger klog.Logger) error {
+	ret := _mock.Called(logger)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateQOSCgroups")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger) error); ok {
+		r0 = returnFunc(logger)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockContainerManager_UpdateQOSCgroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateQOSCgroups'
+type MockContainerManager_UpdateQOSCgroups_Call struct {
+	*mock.Call
+}
+
+// UpdateQOSCgroups is a helper method to define mock.On call
+//   - logger klog.Logger
+func (_e *MockContainerManager_Expecter) UpdateQOSCgroups(logger interface{}) *MockContainerManager_UpdateQOSCgroups_Call {
+	return &MockContainerManager_UpdateQOSCgroups_Call{Call: _e.mock.On("UpdateQOSCgroups", logger)}
+}
+
+func (_c *MockContainerManager_UpdateQOSCgroups_Call) Run(run func(logger klog.Logger)) *MockContainerManager_UpdateQOSCgroups_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateQOSCgroups_Call) Return(err error) *MockContainerManager_UpdateQOSCgroups_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockContainerManager_UpdateQOSCgroups_Call) RunAndReturn(run func(logger klog.Logger) error) *MockContainerManager_UpdateQOSCgroups_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Updates provides a mock function for the type MockContainerManager
+func (_mock *MockContainerManager) Updates() <-chan resourceupdates.Update {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Updates")
+	}
+
+	var r0 <-chan resourceupdates.Update
+	if returnFunc, ok := ret.Get(0).(func() <-chan resourceupdates.Update); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(<-chan resourceupdates.Update)
+		}
+	}
+	return r0
+}
+
+// MockContainerManager_Updates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Updates'
+type MockContainerManager_Updates_Call struct {
+	*mock.Call
+}
+
+// Updates is a helper method to define mock.On call
+func (_e *MockContainerManager_Expecter) Updates() *MockContainerManager_Updates_Call {
+	return &MockContainerManager_Updates_Call{Call: _e.mock.On("Updates")}
+}
+
+func (_c *MockContainerManager_Updates_Call) Run(run func()) *MockContainerManager_Updates_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockContainerManager_Updates_Call) Return(updateCh <-chan resourceupdates.Update) *MockContainerManager_Updates_Call {
+	_c.Call.Return(updateCh)
+	return _c
+}
+
+func (_c *MockContainerManager_Updates_Call) RunAndReturn(run func() <-chan resourceupdates.Update) *MockContainerManager_Updates_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockPodContainerManager creates a new instance of MockPodContainerManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockPodContainerManager(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockPodContainerManager {
+	mock := &MockPodContainerManager{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockPodContainerManager is an autogenerated mock type for the PodContainerManager type
+type MockPodContainerManager struct {
+	mock.Mock
+}
+
+type MockPodContainerManager_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockPodContainerManager) EXPECT() *MockPodContainerManager_Expecter {
+	return &MockPodContainerManager_Expecter{mock: &_m.Mock}
+}
+
+// Destroy provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) Destroy(logger klog.Logger, name cm.CgroupName) error {
+	ret := _mock.Called(logger, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Destroy")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, cm.CgroupName) error); ok {
+		r0 = returnFunc(logger, name)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockPodContainerManager_Destroy_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Destroy'
+type MockPodContainerManager_Destroy_Call struct {
+	*mock.Call
+}
+
+// Destroy is a helper method to define mock.On call
+//   - logger klog.Logger
+//   - name cm.CgroupName
+func (_e *MockPodContainerManager_Expecter) Destroy(logger interface{}, name interface{}) *MockPodContainerManager_Destroy_Call {
+	return &MockPodContainerManager_Destroy_Call{Call: _e.mock.On("Destroy", logger, name)}
+}
+
+func (_c *MockPodContainerManager_Destroy_Call) Run(run func(logger klog.Logger, name cm.CgroupName)) *MockPodContainerManager_Destroy_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		var arg1 cm.CgroupName
+		if args[1] != nil {
+			arg1 = args[1].(cm.CgroupName)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_Destroy_Call) Return(err error) *MockPodContainerManager_Destroy_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_Destroy_Call) RunAndReturn(run func(logger klog.Logger, name cm.CgroupName) error) *MockPodContainerManager_Destroy_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// EnsureExists provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) EnsureExists(logger klog.Logger, pod *v1.Pod) error {
+	ret := _mock.Called(logger, pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for EnsureExists")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, *v1.Pod) error); ok {
+		r0 = returnFunc(logger, pod)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockPodContainerManager_EnsureExists_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'EnsureExists'
+type MockPodContainerManager_EnsureExists_Call struct {
+	*mock.Call
+}
+
+// EnsureExists is a helper method to define mock.On call
+//   - logger klog.Logger
+//   - pod *v1.Pod
+func (_e *MockPodContainerManager_Expecter) EnsureExists(logger interface{}, pod interface{}) *MockPodContainerManager_EnsureExists_Call {
+	return &MockPodContainerManager_EnsureExists_Call{Call: _e.mock.On("EnsureExists", logger, pod)}
+}
+
+func (_c *MockPodContainerManager_EnsureExists_Call) Run(run func(logger klog.Logger, pod *v1.Pod)) *MockPodContainerManager_EnsureExists_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		var arg1 *v1.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Pod)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_EnsureExists_Call) Return(err error) *MockPodContainerManager_EnsureExists_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_EnsureExists_Call) RunAndReturn(run func(logger klog.Logger, pod *v1.Pod) error) *MockPodContainerManager_EnsureExists_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exists provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) Exists(pod *v1.Pod) bool {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exists")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) bool); ok {
+		r0 = returnFunc(pod)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockPodContainerManager_Exists_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exists'
+type MockPodContainerManager_Exists_Call struct {
+	*mock.Call
+}
+
+// Exists is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockPodContainerManager_Expecter) Exists(pod interface{}) *MockPodContainerManager_Exists_Call {
+	return &MockPodContainerManager_Exists_Call{Call: _e.mock.On("Exists", pod)}
+}
+
+func (_c *MockPodContainerManager_Exists_Call) Run(run func(pod *v1.Pod)) *MockPodContainerManager_Exists_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_Exists_Call) Return(b bool) *MockPodContainerManager_Exists_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockPodContainerManager_Exists_Call) RunAndReturn(run func(pod *v1.Pod) bool) *MockPodContainerManager_Exists_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAllPodsFromCgroups provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) GetAllPodsFromCgroups() (map[types.UID]cm.CgroupName, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAllPodsFromCgroups")
+	}
+
+	var r0 map[types.UID]cm.CgroupName
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (map[types.UID]cm.CgroupName, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() map[types.UID]cm.CgroupName); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[types.UID]cm.CgroupName)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockPodContainerManager_GetAllPodsFromCgroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAllPodsFromCgroups'
+type MockPodContainerManager_GetAllPodsFromCgroups_Call struct {
+	*mock.Call
+}
+
+// GetAllPodsFromCgroups is a helper method to define mock.On call
+func (_e *MockPodContainerManager_Expecter) GetAllPodsFromCgroups() *MockPodContainerManager_GetAllPodsFromCgroups_Call {
+	return &MockPodContainerManager_GetAllPodsFromCgroups_Call{Call: _e.mock.On("GetAllPodsFromCgroups")}
+}
+
+func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) Run(run func()) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) Return(uIDToCgroupName map[types.UID]cm.CgroupName, err error) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
+	_c.Call.Return(uIDToCgroupName, err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetAllPodsFromCgroups_Call) RunAndReturn(run func() (map[types.UID]cm.CgroupName, error)) *MockPodContainerManager_GetAllPodsFromCgroups_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodCgroupConfig provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) GetPodCgroupConfig(pod *v1.Pod, resource v1.ResourceName) (*cm.ResourceConfig, error) {
+	ret := _mock.Called(pod, resource)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodCgroupConfig")
+	}
+
+	var r0 *cm.ResourceConfig
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod, v1.ResourceName) (*cm.ResourceConfig, error)); ok {
+		return returnFunc(pod, resource)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod, v1.ResourceName) *cm.ResourceConfig); ok {
+		r0 = returnFunc(pod, resource)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*cm.ResourceConfig)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod, v1.ResourceName) error); ok {
+		r1 = returnFunc(pod, resource)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockPodContainerManager_GetPodCgroupConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupConfig'
+type MockPodContainerManager_GetPodCgroupConfig_Call struct {
+	*mock.Call
+}
+
+// GetPodCgroupConfig is a helper method to define mock.On call
+//   - pod *v1.Pod
+//   - resource v1.ResourceName
+func (_e *MockPodContainerManager_Expecter) GetPodCgroupConfig(pod interface{}, resource interface{}) *MockPodContainerManager_GetPodCgroupConfig_Call {
+	return &MockPodContainerManager_GetPodCgroupConfig_Call{Call: _e.mock.On("GetPodCgroupConfig", pod, resource)}
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) Run(run func(pod *v1.Pod, resource v1.ResourceName)) *MockPodContainerManager_GetPodCgroupConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		var arg1 v1.ResourceName
+		if args[1] != nil {
+			arg1 = args[1].(v1.ResourceName)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) Return(resourceConfig *cm.ResourceConfig, err error) *MockPodContainerManager_GetPodCgroupConfig_Call {
+	_c.Call.Return(resourceConfig, err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupConfig_Call) RunAndReturn(run func(pod *v1.Pod, resource v1.ResourceName) (*cm.ResourceConfig, error)) *MockPodContainerManager_GetPodCgroupConfig_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodCgroupMemoryUsage provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) GetPodCgroupMemoryUsage(pod *v1.Pod) (uint64, error) {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodCgroupMemoryUsage")
+	}
+
+	var r0 uint64
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) (uint64, error)); ok {
+		return returnFunc(pod)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) uint64); ok {
+		r0 = returnFunc(pod)
+	} else {
+		r0 = ret.Get(0).(uint64)
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod) error); ok {
+		r1 = returnFunc(pod)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockPodContainerManager_GetPodCgroupMemoryUsage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupMemoryUsage'
+type MockPodContainerManager_GetPodCgroupMemoryUsage_Call struct {
+	*mock.Call
+}
+
+// GetPodCgroupMemoryUsage is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockPodContainerManager_Expecter) GetPodCgroupMemoryUsage(pod interface{}) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
+	return &MockPodContainerManager_GetPodCgroupMemoryUsage_Call{Call: _e.mock.On("GetPodCgroupMemoryUsage", pod)}
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) Run(run func(pod *v1.Pod)) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) Return(v uint64, err error) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
+	_c.Call.Return(v, err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodCgroupMemoryUsage_Call) RunAndReturn(run func(pod *v1.Pod) (uint64, error)) *MockPodContainerManager_GetPodCgroupMemoryUsage_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodContainerName provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) GetPodContainerName(pod *v1.Pod) (cm.CgroupName, string) {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodContainerName")
+	}
+
+	var r0 cm.CgroupName
+	var r1 string
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) (cm.CgroupName, string)); ok {
+		return returnFunc(pod)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) cm.CgroupName); ok {
+		r0 = returnFunc(pod)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(cm.CgroupName)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod) string); ok {
+		r1 = returnFunc(pod)
+	} else {
+		r1 = ret.Get(1).(string)
+	}
+	return r0, r1
+}
+
+// MockPodContainerManager_GetPodContainerName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodContainerName'
+type MockPodContainerManager_GetPodContainerName_Call struct {
+	*mock.Call
+}
+
+// GetPodContainerName is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockPodContainerManager_Expecter) GetPodContainerName(pod interface{}) *MockPodContainerManager_GetPodContainerName_Call {
+	return &MockPodContainerManager_GetPodContainerName_Call{Call: _e.mock.On("GetPodContainerName", pod)}
+}
+
+func (_c *MockPodContainerManager_GetPodContainerName_Call) Run(run func(pod *v1.Pod)) *MockPodContainerManager_GetPodContainerName_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodContainerName_Call) Return(cgroupName cm.CgroupName, s string) *MockPodContainerManager_GetPodContainerName_Call {
+	_c.Call.Return(cgroupName, s)
+	return _c
+}
+
+func (_c *MockPodContainerManager_GetPodContainerName_Call) RunAndReturn(run func(pod *v1.Pod) (cm.CgroupName, string)) *MockPodContainerManager_GetPodContainerName_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IsPodCgroup provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) IsPodCgroup(cgroupfs string) (bool, types.UID) {
+	ret := _mock.Called(cgroupfs)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsPodCgroup")
+	}
+
+	var r0 bool
+	var r1 types.UID
+	if returnFunc, ok := ret.Get(0).(func(string) (bool, types.UID)); ok {
+		return returnFunc(cgroupfs)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) bool); ok {
+		r0 = returnFunc(cgroupfs)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) types.UID); ok {
+		r1 = returnFunc(cgroupfs)
+	} else {
+		r1 = ret.Get(1).(types.UID)
+	}
+	return r0, r1
+}
+
+// MockPodContainerManager_IsPodCgroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsPodCgroup'
+type MockPodContainerManager_IsPodCgroup_Call struct {
+	*mock.Call
+}
+
+// IsPodCgroup is a helper method to define mock.On call
+//   - cgroupfs string
+func (_e *MockPodContainerManager_Expecter) IsPodCgroup(cgroupfs interface{}) *MockPodContainerManager_IsPodCgroup_Call {
+	return &MockPodContainerManager_IsPodCgroup_Call{Call: _e.mock.On("IsPodCgroup", cgroupfs)}
+}
+
+func (_c *MockPodContainerManager_IsPodCgroup_Call) Run(run func(cgroupfs string)) *MockPodContainerManager_IsPodCgroup_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_IsPodCgroup_Call) Return(b bool, uID types.UID) *MockPodContainerManager_IsPodCgroup_Call {
+	_c.Call.Return(b, uID)
+	return _c
+}
+
+func (_c *MockPodContainerManager_IsPodCgroup_Call) RunAndReturn(run func(cgroupfs string) (bool, types.UID)) *MockPodContainerManager_IsPodCgroup_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ReduceCPULimits provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) ReduceCPULimits(logger klog.Logger, name cm.CgroupName) error {
+	ret := _mock.Called(logger, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReduceCPULimits")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, cm.CgroupName) error); ok {
+		r0 = returnFunc(logger, name)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockPodContainerManager_ReduceCPULimits_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReduceCPULimits'
+type MockPodContainerManager_ReduceCPULimits_Call struct {
+	*mock.Call
+}
+
+// ReduceCPULimits is a helper method to define mock.On call
+//   - logger klog.Logger
+//   - name cm.CgroupName
+func (_e *MockPodContainerManager_Expecter) ReduceCPULimits(logger interface{}, name interface{}) *MockPodContainerManager_ReduceCPULimits_Call {
+	return &MockPodContainerManager_ReduceCPULimits_Call{Call: _e.mock.On("ReduceCPULimits", logger, name)}
+}
+
+func (_c *MockPodContainerManager_ReduceCPULimits_Call) Run(run func(logger klog.Logger, name cm.CgroupName)) *MockPodContainerManager_ReduceCPULimits_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		var arg1 cm.CgroupName
+		if args[1] != nil {
+			arg1 = args[1].(cm.CgroupName)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_ReduceCPULimits_Call) Return(err error) *MockPodContainerManager_ReduceCPULimits_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_ReduceCPULimits_Call) RunAndReturn(run func(logger klog.Logger, name cm.CgroupName) error) *MockPodContainerManager_ReduceCPULimits_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SetPodCgroupConfig provides a mock function for the type MockPodContainerManager
+func (_mock *MockPodContainerManager) SetPodCgroupConfig(logger klog.Logger, pod *v1.Pod, resourceConfig *cm.ResourceConfig) error {
+	ret := _mock.Called(logger, pod, resourceConfig)
+
+	if len(ret) == 0 {
+		panic("no return value specified for SetPodCgroupConfig")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, *v1.Pod, *cm.ResourceConfig) error); ok {
+		r0 = returnFunc(logger, pod, resourceConfig)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockPodContainerManager_SetPodCgroupConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetPodCgroupConfig'
+type MockPodContainerManager_SetPodCgroupConfig_Call struct {
+	*mock.Call
+}
+
+// SetPodCgroupConfig is a helper method to define mock.On call
+//   - logger klog.Logger
+//   - pod *v1.Pod
+//   - resourceConfig *cm.ResourceConfig
+func (_e *MockPodContainerManager_Expecter) SetPodCgroupConfig(logger interface{}, pod interface{}, resourceConfig interface{}) *MockPodContainerManager_SetPodCgroupConfig_Call {
+	return &MockPodContainerManager_SetPodCgroupConfig_Call{Call: _e.mock.On("SetPodCgroupConfig", logger, pod, resourceConfig)}
+}
+
+func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) Run(run func(logger klog.Logger, pod *v1.Pod, resourceConfig *cm.ResourceConfig)) *MockPodContainerManager_SetPodCgroupConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		var arg1 *v1.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v1.Pod)
+		}
+		var arg2 *cm.ResourceConfig
+		if args[2] != nil {
+			arg2 = args[2].(*cm.ResourceConfig)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) Return(err error) *MockPodContainerManager_SetPodCgroupConfig_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockPodContainerManager_SetPodCgroupConfig_Call) RunAndReturn(run func(logger klog.Logger, pod *v1.Pod, resourceConfig *cm.ResourceConfig) error) *MockPodContainerManager_SetPodCgroupConfig_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/cm/topologymanager/fake_topology_manager.go b/pkg/kubelet/cm/topologymanager/fake_topology_manager.go
index 19b07a719caac..a79a0a388752e 100644
--- a/pkg/kubelet/cm/topologymanager/fake_topology_manager.go
+++ b/pkg/kubelet/cm/topologymanager/fake_topology_manager.go
@@ -17,6 +17,8 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
+
 	"k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/admission"
@@ -30,13 +32,17 @@ type fakeManager struct {
 
 // NewFakeManager returns an instance of FakeManager
 func NewFakeManager() Manager {
-	klog.InfoS("NewFakeManager")
+	// Use klog.TODO() because changing NewManager requires changes in too many other components
+	logger := klog.TODO()
+	logger.Info("NewFakeManager")
 	return &fakeManager{}
 }
 
 // NewFakeManagerWithHint returns an instance of fake topology manager with specified topology hints
 func NewFakeManagerWithHint(hint *TopologyHint) Manager {
-	klog.InfoS("NewFakeManagerWithHint")
+	// Use klog.TODO() because changing NewManager requires changes in too many other components
+	logger := klog.TODO()
+	logger.Info("NewFakeManagerWithHint")
 	return &fakeManager{
 		hint:   hint,
 		policy: NewNonePolicy(),
@@ -45,14 +51,20 @@ func NewFakeManagerWithHint(hint *TopologyHint) Manager {
 
 // NewFakeManagerWithPolicy returns an instance of fake topology manager with specified policy
 func NewFakeManagerWithPolicy(policy Policy) Manager {
-	klog.InfoS("NewFakeManagerWithPolicy", "policy", policy.Name())
+	// Use klog.TODO() because changing NewManager requires changes in too many other components
+	logger := klog.TODO()
+	logger.Info("NewFakeManagerWithPolicy", "policy", policy.Name())
 	return &fakeManager{
 		policy: policy,
 	}
 }
 
 func (m *fakeManager) GetAffinity(podUID string, containerName string) TopologyHint {
-	klog.InfoS("GetAffinity", "podUID", podUID, "containerName", containerName)
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.Info("GetAffinity", "podUID", podUID, "containerName", containerName)
 	if m.hint == nil {
 		return TopologyHint{}
 	}
@@ -64,20 +76,32 @@ func (m *fakeManager) GetPolicy() Policy {
 	return m.policy
 }
 
-func (m *fakeManager) AddHintProvider(h HintProvider) {
-	klog.InfoS("AddHintProvider", "hintProvider", h)
+func (m *fakeManager) AddHintProvider(logger klog.Logger, h HintProvider) {
+	logger.Info("AddHintProvider", "hintProvider", h)
 }
 
 func (m *fakeManager) AddContainer(pod *v1.Pod, container *v1.Container, containerID string) {
-	klog.InfoS("AddContainer", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID)
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.Info("AddContainer", "pod", klog.KObj(pod), "containerName", container.Name, "containerID", containerID)
 }
 
 func (m *fakeManager) RemoveContainer(containerID string) error {
-	klog.InfoS("RemoveContainer", "containerID", containerID)
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.Info("RemoveContainer", "containerID", containerID)
 	return nil
 }
 
 func (m *fakeManager) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
-	klog.InfoS("Topology Admit Handler")
+	// TODO: create context here as changing interface https://github.com/kubernetes/kubernetes/blob/09aaf7226056a7964adcb176d789de5507313d00/pkg/kubelet/lifecycle/interfaces.go#L43
+	// requires changes in too many other components
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.Info("Topology Admit Handler")
 	return admission.GetPodAdmitResult(nil)
 }
diff --git a/pkg/kubelet/cm/topologymanager/policy.go b/pkg/kubelet/cm/topologymanager/policy.go
index 80e9292ae411d..aa332216e336d 100644
--- a/pkg/kubelet/cm/topologymanager/policy.go
+++ b/pkg/kubelet/cm/topologymanager/policy.go
@@ -27,7 +27,7 @@ type Policy interface {
 	Name() string
 	// Returns a merged TopologyHint based on input from hint providers
 	// and a Pod Admit Handler Response based on hints and policy type
-	Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool)
+	Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool)
 }
 
 // IsAlignmentGuaranteed return true if the given policy guarantees that either
@@ -68,7 +68,7 @@ func mergePermutation(defaultAffinity bitmask.BitMask, permutation []TopologyHin
 	return TopologyHint{mergedAffinity, preferred}
 }
 
-func filterProvidersHints(providersHints []map[string][]TopologyHint) [][]TopologyHint {
+func filterProvidersHints(logger klog.Logger, providersHints []map[string][]TopologyHint) [][]TopologyHint {
 	// Loop through all hint providers and save an accumulated list of the
 	// hints returned by each hint provider. If no hints are provided, assume
 	// that provider has no preference for topology-aware allocation.
@@ -76,7 +76,7 @@ func filterProvidersHints(providersHints []map[string][]TopologyHint) [][]Topolo
 	for _, hints := range providersHints {
 		// If hints is nil, insert a single, preferred any-numa hint into allProviderHints.
 		if len(hints) == 0 {
-			klog.InfoS("Hint Provider has no preference for NUMA affinity with any resource")
+			logger.Info("Hint Provider has no preference for NUMA affinity with any resource")
 			allProviderHints = append(allProviderHints, []TopologyHint{{nil, true}})
 			continue
 		}
@@ -84,13 +84,13 @@ func filterProvidersHints(providersHints []map[string][]TopologyHint) [][]Topolo
 		// Otherwise, accumulate the hints for each resource type into allProviderHints.
 		for resource := range hints {
 			if hints[resource] == nil {
-				klog.InfoS("Hint Provider has no preference for NUMA affinity with resource", "resource", resource)
+				logger.Info("Hint Provider has no preference for NUMA affinity with resource", "resource", resource)
 				allProviderHints = append(allProviderHints, []TopologyHint{{nil, true}})
 				continue
 			}
 
 			if len(hints[resource]) == 0 {
-				klog.InfoS("Hint Provider has no possible NUMA affinities for resource", "resource", resource)
+				logger.Info("Hint Provider has no possible NUMA affinities for resource", "resource", resource)
 				allProviderHints = append(allProviderHints, []TopologyHint{{nil, false}})
 				continue
 			}
diff --git a/pkg/kubelet/cm/topologymanager/policy_best_effort.go b/pkg/kubelet/cm/topologymanager/policy_best_effort.go
index 5cedad3da705c..e6a92880fe410 100644
--- a/pkg/kubelet/cm/topologymanager/policy_best_effort.go
+++ b/pkg/kubelet/cm/topologymanager/policy_best_effort.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 package topologymanager
 
+import "k8s.io/klog/v2"
+
 type bestEffortPolicy struct {
 	// numaInfo represents list of NUMA Nodes available on the underlying machine and distances between them
 	numaInfo *NUMAInfo
@@ -40,8 +42,8 @@ func (p *bestEffortPolicy) canAdmitPodResult(hint *TopologyHint) bool {
 	return true
 }
 
-func (p *bestEffortPolicy) Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
-	filteredHints := filterProvidersHints(providersHints)
+func (p *bestEffortPolicy) Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
+	filteredHints := filterProvidersHints(logger, providersHints)
 	merger := NewHintMerger(p.numaInfo, filteredHints, p.Name(), p.opts)
 	bestHint := merger.Merge()
 	admit := p.canAdmitPodResult(&bestHint)
diff --git a/pkg/kubelet/cm/topologymanager/policy_none.go b/pkg/kubelet/cm/topologymanager/policy_none.go
index 271f9dde79bbd..256f527464bbd 100644
--- a/pkg/kubelet/cm/topologymanager/policy_none.go
+++ b/pkg/kubelet/cm/topologymanager/policy_none.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 package topologymanager
 
+import "k8s.io/klog/v2"
+
 type nonePolicy struct{}
 
 var _ Policy = &nonePolicy{}
@@ -36,6 +38,6 @@ func (p *nonePolicy) canAdmitPodResult(hint *TopologyHint) bool {
 	return true
 }
 
-func (p *nonePolicy) Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
+func (p *nonePolicy) Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
 	return TopologyHint{}, p.canAdmitPodResult(nil)
 }
diff --git a/pkg/kubelet/cm/topologymanager/policy_none_test.go b/pkg/kubelet/cm/topologymanager/policy_none_test.go
index 5ce33039bd2d8..8089d5fd90d6b 100644
--- a/pkg/kubelet/cm/topologymanager/policy_none_test.go
+++ b/pkg/kubelet/cm/topologymanager/policy_none_test.go
@@ -18,6 +18,8 @@ package topologymanager
 
 import (
 	"testing"
+
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestPolicyNoneName(t *testing.T) {
@@ -101,9 +103,11 @@ func TestPolicyNoneMerge(t *testing.T) {
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		policy := NewNonePolicy()
-		result, admit := policy.Merge(tc.providersHints)
+		result, admit := policy.Merge(logger, tc.providersHints)
 		if !result.IsEqual(tc.expectedHint) || admit != tc.expectedAdmit {
 			t.Errorf("Test Case: %s: Expected merge hint to be %v, got %v", tc.name, tc.expectedHint, result)
 		}
diff --git a/pkg/kubelet/cm/topologymanager/policy_options.go b/pkg/kubelet/cm/topologymanager/policy_options.go
index 5490aba112e3e..dd90824014b4b 100644
--- a/pkg/kubelet/cm/topologymanager/policy_options.go
+++ b/pkg/kubelet/cm/topologymanager/policy_options.go
@@ -32,12 +32,11 @@ const (
 )
 
 var (
-	alphaOptions = sets.New[string]()
-	betaOptions  = sets.New[string](
-		MaxAllowableNUMANodes,
-	)
+	alphaOptions  = sets.New[string]()
+	betaOptions   = sets.New[string]()
 	stableOptions = sets.New[string](
 		PreferClosestNUMANodes,
+		MaxAllowableNUMANodes,
 	)
 )
 
@@ -62,7 +61,7 @@ type PolicyOptions struct {
 	MaxAllowableNUMANodes int
 }
 
-func NewPolicyOptions(policyOptions map[string]string) (PolicyOptions, error) {
+func NewPolicyOptions(logger klog.Logger, policyOptions map[string]string) (PolicyOptions, error) {
 	opts := PolicyOptions{
 		// Set MaxAllowableNUMANodes to the default. This will be overwritten
 		// if the user has specified a policy option for MaxAllowableNUMANodes.
@@ -92,7 +91,7 @@ func NewPolicyOptions(policyOptions map[string]string) (PolicyOptions, error) {
 			}
 
 			if optValue > defaultMaxAllowableNUMANodes {
-				klog.InfoS("WARNING: the value of max-allowable-numa-nodes is more than the default recommended value", "max-allowable-numa-nodes", optValue, "defaultMaxAllowableNUMANodes", defaultMaxAllowableNUMANodes)
+				logger.Info("WARNING: the value of max-allowable-numa-nodes is more than the default recommended value", "max-allowable-numa-nodes", optValue, "defaultMaxAllowableNUMANodes", defaultMaxAllowableNUMANodes)
 			}
 			opts.MaxAllowableNUMANodes = optValue
 		default:
diff --git a/pkg/kubelet/cm/topologymanager/policy_options_test.go b/pkg/kubelet/cm/topologymanager/policy_options_test.go
index 833609db228c0..26c750fe4190a 100644
--- a/pkg/kubelet/cm/topologymanager/policy_options_test.go
+++ b/pkg/kubelet/cm/topologymanager/policy_options_test.go
@@ -21,10 +21,12 @@ import (
 	"strings"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	pkgfeatures "k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 var fancyBetaOption = "fancy-new-option"
@@ -58,9 +60,7 @@ func TestNewTopologyManagerOptions(t *testing.T) {
 			},
 		},
 		{
-			description:       "return TopologyManagerOptions with MaxAllowableNUMANodes set to 12",
-			featureGate:       pkgfeatures.TopologyManagerPolicyBetaOptions,
-			featureGateEnable: true,
+			description: "return TopologyManagerOptions with MaxAllowableNUMANodes set to 12",
 			expectedOptions: PolicyOptions{
 				MaxAllowableNUMANodes: 12,
 			},
@@ -68,14 +68,6 @@ func TestNewTopologyManagerOptions(t *testing.T) {
 				MaxAllowableNUMANodes: "12",
 			},
 		},
-		{
-			description: "fail to set option when TopologyManagerPolicyBetaOptions feature gate is not set",
-			featureGate: pkgfeatures.TopologyManagerPolicyBetaOptions,
-			policyOptions: map[string]string{
-				MaxAllowableNUMANodes: "8",
-			},
-			expectedErr: fmt.Errorf("topology manager policy beta-level options not enabled,"),
-		},
 		{
 			description: "return empty TopologyManagerOptions",
 			expectedOptions: PolicyOptions{
@@ -91,9 +83,7 @@ func TestNewTopologyManagerOptions(t *testing.T) {
 			expectedErr: fmt.Errorf("bad value for option"),
 		},
 		{
-			description:       "fail to parse options with error MaxAllowableNUMANodes",
-			featureGate:       pkgfeatures.TopologyManagerPolicyAlphaOptions,
-			featureGateEnable: true,
+			description: "fail to parse options with error MaxAllowableNUMANodes",
 			policyOptions: map[string]string{
 				MaxAllowableNUMANodes: "can't parse to int",
 			},
@@ -140,17 +130,21 @@ func TestNewTopologyManagerOptions(t *testing.T) {
 		},
 	}
 
-	betaOptions.Insert(fancyBetaOption)
-	alphaOptions.Insert(fancyAlphaOption)
+	setTopologyManagerOptionsDuringTest(t, betaOptions, fancyBetaOption)
+	setTopologyManagerOptionsDuringTest(t, alphaOptions, fancyAlphaOption)
+
+	logger, _ := ktesting.NewTestContext(t)
 
 	for _, tcase := range testCases {
 		t.Run(tcase.description, func(t *testing.T) {
 			if tcase.featureGate != "" {
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, tcase.featureGate, tcase.featureGateEnable)
 			}
-			opts, err := NewPolicyOptions(tcase.policyOptions)
+			opts, err := NewPolicyOptions(logger, tcase.policyOptions)
 			if tcase.expectedErr != nil {
-				if !strings.Contains(err.Error(), tcase.expectedErr.Error()) {
+				if err == nil {
+					t.Errorf("expected error %v, got no error", tcase.expectedErr)
+				} else if !strings.Contains(err.Error(), tcase.expectedErr.Error()) {
 					t.Errorf("Unexpected error message. Have: %s, wants %s", err.Error(), tcase.expectedErr.Error())
 				}
 				return
@@ -163,6 +157,14 @@ func TestNewTopologyManagerOptions(t *testing.T) {
 	}
 }
 
+func setTopologyManagerOptionsDuringTest(t *testing.T, optionGroup sets.Set[string], opts ...string) {
+	t.Helper()
+	t.Cleanup(func() {
+		optionGroup.Delete(opts...)
+	})
+	optionGroup.Insert(opts...)
+}
+
 func TestPolicyDefaultsAvailable(t *testing.T) {
 	testCases := []optionAvailTest{
 		{
@@ -215,6 +217,18 @@ func TestPolicyOptionsAvailable(t *testing.T) {
 			featureGateEnable: false,
 			expectedAvailable: true,
 		},
+		{
+			option:            MaxAllowableNUMANodes,
+			featureGate:       pkgfeatures.TopologyManagerPolicyBetaOptions,
+			featureGateEnable: false,
+			expectedAvailable: true,
+		},
+		{
+			option:            PreferClosestNUMANodes,
+			featureGate:       pkgfeatures.TopologyManagerPolicyAlphaOptions,
+			featureGateEnable: false,
+			expectedAvailable: true,
+		},
 		{
 			option:            fancyAlphaOption,
 			featureGate:       pkgfeatures.TopologyManagerPolicyAlphaOptions,
@@ -240,8 +254,8 @@ func TestPolicyOptionsAvailable(t *testing.T) {
 			expectedAvailable: false,
 		},
 	}
-	betaOptions.Insert(fancyBetaOption)
-	alphaOptions.Insert(fancyAlphaOption)
+	setTopologyManagerOptionsDuringTest(t, betaOptions, fancyBetaOption)
+	setTopologyManagerOptionsDuringTest(t, alphaOptions, fancyAlphaOption)
 	for _, testCase := range testCases {
 		t.Run(testCase.option, func(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, testCase.featureGate, testCase.featureGateEnable)
diff --git a/pkg/kubelet/cm/topologymanager/policy_restricted.go b/pkg/kubelet/cm/topologymanager/policy_restricted.go
index 88422b0087ee4..3fb198350d151 100644
--- a/pkg/kubelet/cm/topologymanager/policy_restricted.go
+++ b/pkg/kubelet/cm/topologymanager/policy_restricted.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 package topologymanager
 
+import "k8s.io/klog/v2"
+
 type restrictedPolicy struct {
 	bestEffortPolicy
 }
@@ -38,8 +40,8 @@ func (p *restrictedPolicy) canAdmitPodResult(hint *TopologyHint) bool {
 	return hint.Preferred
 }
 
-func (p *restrictedPolicy) Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
-	filteredHints := filterProvidersHints(providersHints)
+func (p *restrictedPolicy) Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
+	filteredHints := filterProvidersHints(logger, providersHints)
 	merger := NewHintMerger(p.numaInfo, filteredHints, p.Name(), p.opts)
 	bestHint := merger.Merge()
 	admit := p.canAdmitPodResult(&bestHint)
diff --git a/pkg/kubelet/cm/topologymanager/policy_single_numa_node.go b/pkg/kubelet/cm/topologymanager/policy_single_numa_node.go
index d865aa9f18f34..1ba0cf263540c 100644
--- a/pkg/kubelet/cm/topologymanager/policy_single_numa_node.go
+++ b/pkg/kubelet/cm/topologymanager/policy_single_numa_node.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 package topologymanager
 
+import "k8s.io/klog/v2"
+
 type singleNumaNodePolicy struct {
 	// numaInfo represents list of NUMA Nodes available on the underlying machine and distances between them
 	numaInfo *NUMAInfo
@@ -58,8 +60,8 @@ func filterSingleNumaHints(allResourcesHints [][]TopologyHint) [][]TopologyHint
 	return filteredResourcesHints
 }
 
-func (p *singleNumaNodePolicy) Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
-	filteredHints := filterProvidersHints(providersHints)
+func (p *singleNumaNodePolicy) Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
+	filteredHints := filterProvidersHints(logger, providersHints)
 	// Filter to only include don't cares and hints with a single NUMA node.
 	singleNumaHints := filterSingleNumaHints(filteredHints)
 
diff --git a/pkg/kubelet/cm/topologymanager/policy_test.go b/pkg/kubelet/cm/topologymanager/policy_test.go
index 56867c65aa271..fb94454b94703 100644
--- a/pkg/kubelet/cm/topologymanager/policy_test.go
+++ b/pkg/kubelet/cm/topologymanager/policy_test.go
@@ -22,6 +22,7 @@ import (
 
 	"k8s.io/api/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/bitmask"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 type policyMergeTestCase struct {
@@ -1273,6 +1274,8 @@ func (p *singleNumaNodePolicy) mergeTestCases(numaNodes []int) []policyMergeTest
 }
 
 func testPolicyMerge(policy Policy, tcases []policyMergeTestCase, t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		var providersHints []map[string][]TopologyHint
 		for _, provider := range tc.hp {
@@ -1280,7 +1283,7 @@ func testPolicyMerge(policy Policy, tcases []policyMergeTestCase, t *testing.T)
 			providersHints = append(providersHints, hints)
 		}
 
-		actual, _ := policy.Merge(providersHints)
+		actual, _ := policy.Merge(logger, providersHints)
 		if !reflect.DeepEqual(actual, tc.expected) {
 			t.Errorf("%v: Expected Topology Hint to be %v, got %v:", tc.name, tc.expected, actual)
 		}
diff --git a/pkg/kubelet/cm/topologymanager/scope.go b/pkg/kubelet/cm/topologymanager/scope.go
index db3edd63e6478..ff34253df953c 100644
--- a/pkg/kubelet/cm/topologymanager/scope.go
+++ b/pkg/kubelet/cm/topologymanager/scope.go
@@ -17,6 +17,7 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
 	"sync"
 
 	"k8s.io/api/core/v1"
@@ -41,7 +42,7 @@ type podTopologyHints map[string]map[string]TopologyHint
 type Scope interface {
 	Name() string
 	GetPolicy() Policy
-	Admit(pod *v1.Pod) lifecycle.PodAdmitResult
+	Admit(ctx context.Context, pod *v1.Pod) lifecycle.PodAdmitResult
 	// AddHintProvider adds a hint provider to manager to indicate the hint provider
 	// wants to be consoluted with when making topology hints
 	AddHintProvider(h HintProvider)
@@ -111,10 +112,14 @@ func (s *scope) AddContainer(pod *v1.Pod, container *v1.Container, containerID s
 // It would be better to implement this function in topologymanager instead of scope
 // but topologymanager do not track mapping anymore
 func (s *scope) RemoveContainer(containerID string) error {
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	klog.InfoS("RemoveContainer", "containerID", containerID)
+	logger.Info("RemoveContainer", "containerID", containerID)
 	// Get the podUID and containerName associated with the containerID to be removed and remove it
 	podUIDString, containerName, err := s.podMap.GetContainerRef(containerID)
 	if err != nil {
diff --git a/pkg/kubelet/cm/topologymanager/scope_container.go b/pkg/kubelet/cm/topologymanager/scope_container.go
index 7c06c090cc6d1..d8a68ec451558 100644
--- a/pkg/kubelet/cm/topologymanager/scope_container.go
+++ b/pkg/kubelet/cm/topologymanager/scope_container.go
@@ -17,6 +17,8 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
+
 	"k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/admission"
@@ -44,10 +46,12 @@ func NewContainerScope(policy Policy) Scope {
 	}
 }
 
-func (s *containerScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
+func (s *containerScope) Admit(ctx context.Context, pod *v1.Pod) lifecycle.PodAdmitResult {
+	logger := klog.FromContext(ctx)
+
 	for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
-		bestHint, admit := s.calculateAffinity(pod, &container)
-		klog.InfoS("Best TopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
+		bestHint, admit := s.calculateAffinity(logger, pod, &container)
+		logger.Info("Best TopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
 
 		if !admit {
 			if IsAlignmentGuaranteed(s.policy) {
@@ -56,7 +60,7 @@ func (s *containerScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
 			metrics.TopologyManagerAdmissionErrorsTotal.Inc()
 			return admission.GetPodAdmitResult(&TopologyAffinityError{})
 		}
-		klog.InfoS("Topology Affinity", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Info("Topology Affinity", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
 		s.setTopologyHints(string(pod.UID), container.Name, bestHint)
 
 		err := s.allocateAlignedResources(pod, &container)
@@ -66,28 +70,28 @@ func (s *containerScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
 		}
 
 		if IsAlignmentGuaranteed(s.policy) {
-			klog.V(4).InfoS("Resource alignment at container scope guaranteed", "pod", klog.KObj(pod))
+			logger.V(4).Info("Resource alignment at container scope guaranteed", "pod", klog.KObj(pod))
 			metrics.ContainerAlignedComputeResources.WithLabelValues(metrics.AlignScopeContainer, metrics.AlignedNUMANode).Inc()
 		}
 	}
 	return admission.GetPodAdmitResult(nil)
 }
 
-func (s *containerScope) accumulateProvidersHints(pod *v1.Pod, container *v1.Container) []map[string][]TopologyHint {
+func (s *containerScope) accumulateProvidersHints(logger klog.Logger, pod *v1.Pod, container *v1.Container) []map[string][]TopologyHint {
 	var providersHints []map[string][]TopologyHint
 
 	for _, provider := range s.hintProviders {
 		// Get the TopologyHints for a Container from a provider.
 		hints := provider.GetTopologyHints(pod, container)
 		providersHints = append(providersHints, hints)
-		klog.InfoS("TopologyHints", "hints", hints, "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Info("TopologyHints", "hints", hints, "pod", klog.KObj(pod), "containerName", container.Name)
 	}
 	return providersHints
 }
 
-func (s *containerScope) calculateAffinity(pod *v1.Pod, container *v1.Container) (TopologyHint, bool) {
-	providersHints := s.accumulateProvidersHints(pod, container)
-	bestHint, admit := s.policy.Merge(providersHints)
-	klog.InfoS("ContainerTopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
+func (s *containerScope) calculateAffinity(logger klog.Logger, pod *v1.Pod, container *v1.Container) (TopologyHint, bool) {
+	providersHints := s.accumulateProvidersHints(logger, pod, container)
+	bestHint, admit := s.policy.Merge(logger, providersHints)
+	logger.Info("ContainerTopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
 	return bestHint, admit
 }
diff --git a/pkg/kubelet/cm/topologymanager/scope_container_test.go b/pkg/kubelet/cm/topologymanager/scope_container_test.go
index 67eaf5c5803fd..bb597169ef619 100644
--- a/pkg/kubelet/cm/topologymanager/scope_container_test.go
+++ b/pkg/kubelet/cm/topologymanager/scope_container_test.go
@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestContainerCalculateAffinity(t *testing.T) {
@@ -121,6 +122,8 @@ func TestContainerCalculateAffinity(t *testing.T) {
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		ctnScope := &containerScope{
 			scope{
@@ -130,7 +133,7 @@ func TestContainerCalculateAffinity(t *testing.T) {
 			},
 		}
 
-		ctnScope.calculateAffinity(&v1.Pod{}, &v1.Container{})
+		ctnScope.calculateAffinity(logger, &v1.Pod{}, &v1.Container{})
 		actual := ctnScope.policy.(*mockPolicy).ph
 		if !reflect.DeepEqual(tc.expected, actual) {
 			t.Errorf("Test Case: %s", tc.name)
@@ -254,13 +257,15 @@ func TestContainerAccumulateProvidersHints(t *testing.T) {
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		ctnScope := containerScope{
 			scope{
 				hintProviders: tc.hp,
 			},
 		}
-		actual := ctnScope.accumulateProvidersHints(&v1.Pod{}, &v1.Container{})
+		actual := ctnScope.accumulateProvidersHints(logger, &v1.Pod{}, &v1.Container{})
 		if !reflect.DeepEqual(actual, tc.expected) {
 			t.Errorf("Test Case %s: Expected NUMANodeAffinity in result to be %v, got %v", tc.name, tc.expected, actual)
 		}
diff --git a/pkg/kubelet/cm/topologymanager/scope_none.go b/pkg/kubelet/cm/topologymanager/scope_none.go
index c82b19e1f9cbc..44f6c32158f1d 100644
--- a/pkg/kubelet/cm/topologymanager/scope_none.go
+++ b/pkg/kubelet/cm/topologymanager/scope_none.go
@@ -17,6 +17,8 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
+
 	"k8s.io/api/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/cm/containermap"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
@@ -41,6 +43,6 @@ func NewNoneScope() Scope {
 	}
 }
 
-func (s *noneScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
+func (s *noneScope) Admit(ctx context.Context, pod *v1.Pod) lifecycle.PodAdmitResult {
 	return s.admitPolicyNone(pod)
 }
diff --git a/pkg/kubelet/cm/topologymanager/scope_pod.go b/pkg/kubelet/cm/topologymanager/scope_pod.go
index bcb421d61e4ab..8498ccbd89a04 100644
--- a/pkg/kubelet/cm/topologymanager/scope_pod.go
+++ b/pkg/kubelet/cm/topologymanager/scope_pod.go
@@ -17,6 +17,8 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
+
 	"k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/kubelet/cm/admission"
@@ -44,9 +46,11 @@ func NewPodScope(policy Policy) Scope {
 	}
 }
 
-func (s *podScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
-	bestHint, admit := s.calculateAffinity(pod)
-	klog.InfoS("Best TopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod))
+func (s *podScope) Admit(ctx context.Context, pod *v1.Pod) lifecycle.PodAdmitResult {
+	logger := klog.FromContext(ctx)
+
+	bestHint, admit := s.calculateAffinity(logger, pod)
+	logger.Info("Best TopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod))
 	if !admit {
 		if IsAlignmentGuaranteed(s.policy) {
 			// increment only if we know we allocate aligned resources.
@@ -57,7 +61,7 @@ func (s *podScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
 	}
 
 	for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
-		klog.InfoS("Topology Affinity", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Info("Topology Affinity", "bestHint", bestHint, "pod", klog.KObj(pod), "containerName", container.Name)
 		s.setTopologyHints(string(pod.UID), container.Name, bestHint)
 
 		err := s.allocateAlignedResources(pod, &container)
@@ -68,27 +72,27 @@ func (s *podScope) Admit(pod *v1.Pod) lifecycle.PodAdmitResult {
 	}
 	if IsAlignmentGuaranteed(s.policy) {
 		// increment only if we know we allocate aligned resources.
-		klog.V(4).InfoS("Resource alignment at pod scope guaranteed", "pod", klog.KObj(pod))
+		logger.V(4).Info("Resource alignment at pod scope guaranteed", "pod", klog.KObj(pod))
 		metrics.ContainerAlignedComputeResources.WithLabelValues(metrics.AlignScopePod, metrics.AlignedNUMANode).Inc()
 	}
 	return admission.GetPodAdmitResult(nil)
 }
 
-func (s *podScope) accumulateProvidersHints(pod *v1.Pod) []map[string][]TopologyHint {
+func (s *podScope) accumulateProvidersHints(logger klog.Logger, pod *v1.Pod) []map[string][]TopologyHint {
 	var providersHints []map[string][]TopologyHint
 
 	for _, provider := range s.hintProviders {
 		// Get the TopologyHints for a Pod from a provider.
 		hints := provider.GetPodTopologyHints(pod)
 		providersHints = append(providersHints, hints)
-		klog.InfoS("TopologyHints", "hints", hints, "pod", klog.KObj(pod))
+		logger.Info("TopologyHints", "hints", hints, "pod", klog.KObj(pod))
 	}
 	return providersHints
 }
 
-func (s *podScope) calculateAffinity(pod *v1.Pod) (TopologyHint, bool) {
-	providersHints := s.accumulateProvidersHints(pod)
-	bestHint, admit := s.policy.Merge(providersHints)
-	klog.InfoS("PodTopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod))
+func (s *podScope) calculateAffinity(logger klog.Logger, pod *v1.Pod) (TopologyHint, bool) {
+	providersHints := s.accumulateProvidersHints(logger, pod)
+	bestHint, admit := s.policy.Merge(logger, providersHints)
+	logger.Info("PodTopologyHint", "bestHint", bestHint, "pod", klog.KObj(pod))
 	return bestHint, admit
 }
diff --git a/pkg/kubelet/cm/topologymanager/scope_pod_test.go b/pkg/kubelet/cm/topologymanager/scope_pod_test.go
index 3d3ec4eb5a582..c8d347f552f34 100644
--- a/pkg/kubelet/cm/topologymanager/scope_pod_test.go
+++ b/pkg/kubelet/cm/topologymanager/scope_pod_test.go
@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestPodCalculateAffinity(t *testing.T) {
@@ -121,6 +122,8 @@ func TestPodCalculateAffinity(t *testing.T) {
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		podScope := &podScope{
 			scope{
@@ -130,7 +133,7 @@ func TestPodCalculateAffinity(t *testing.T) {
 			},
 		}
 
-		podScope.calculateAffinity(&v1.Pod{})
+		podScope.calculateAffinity(logger, &v1.Pod{})
 		actual := podScope.policy.(*mockPolicy).ph
 		if !reflect.DeepEqual(tc.expected, actual) {
 			t.Errorf("Test Case: %s", tc.name)
@@ -254,13 +257,15 @@ func TestPodAccumulateProvidersHints(t *testing.T) {
 		},
 	}
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	for _, tc := range tcases {
 		pScope := podScope{
 			scope{
 				hintProviders: tc.hp,
 			},
 		}
-		actual := pScope.accumulateProvidersHints(&v1.Pod{})
+		actual := pScope.accumulateProvidersHints(logger, &v1.Pod{})
 		if !reflect.DeepEqual(actual, tc.expected) {
 			t.Errorf("Test Case %s: Expected NUMANodeAffinity in result to be %v, got %v", tc.name, tc.expected, actual)
 		}
diff --git a/pkg/kubelet/cm/topologymanager/topology_manager.go b/pkg/kubelet/cm/topologymanager/topology_manager.go
index ccaba099f80a7..458efe178d9ef 100644
--- a/pkg/kubelet/cm/topologymanager/topology_manager.go
+++ b/pkg/kubelet/cm/topologymanager/topology_manager.go
@@ -17,6 +17,7 @@ limitations under the License.
 package topologymanager
 
 import (
+	"context"
 	"fmt"
 	"time"
 
@@ -59,7 +60,7 @@ type Manager interface {
 	lifecycle.PodAdmitHandler
 	// AddHintProvider adds a hint provider to manager to indicate the hint provider
 	// wants to be consulted with when making topology hints
-	AddHintProvider(HintProvider)
+	AddHintProvider(logger klog.Logger, h HintProvider)
 	// AddContainer adds pod to Manager for tracking
 	AddContainer(pod *v1.Pod, container *v1.Container, containerID string)
 	// RemoveContainer removes pod from Manager tracking
@@ -133,18 +134,22 @@ var _ Manager = &manager{}
 
 // NewManager creates a new TopologyManager based on provided policy and scope
 func NewManager(topology []cadvisorapi.Node, topologyPolicyName string, topologyScopeName string, topologyPolicyOptions map[string]string) (Manager, error) {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
+
 	// When policy is none, the scope is not relevant, so we can short circuit here.
 	if topologyPolicyName == PolicyNone {
-		klog.InfoS("Creating topology manager with none policy")
+		logger.Info("Creating topology manager with none policy")
 		return &manager{scope: NewNoneScope()}, nil
 	}
 
-	opts, err := NewPolicyOptions(topologyPolicyOptions)
+	opts, err := NewPolicyOptions(logger, topologyPolicyOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	klog.InfoS("Creating topology manager with policy per scope", "topologyPolicyName", topologyPolicyName, "topologyScopeName", topologyScopeName, "topologyPolicyOptions", opts)
+	logger.Info("Creating topology manager with policy per scope", "topologyPolicyName", topologyPolicyName, "topologyScopeName", topologyScopeName, "topologyPolicyOptions", opts)
 
 	numaInfo, err := NewNUMAInfo(topology, opts)
 	if err != nil {
@@ -209,7 +214,7 @@ func (m *manager) GetPolicy() Policy {
 	return m.scope.GetPolicy()
 }
 
-func (m *manager) AddHintProvider(h HintProvider) {
+func (m *manager) AddHintProvider(_ klog.Logger, h HintProvider) {
 	m.scope.AddHintProvider(h)
 }
 
@@ -222,13 +227,17 @@ func (m *manager) RemoveContainer(containerID string) error {
 }
 
 func (m *manager) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
-	klog.V(4).InfoS("Topology manager admission check", "pod", klog.KObj(attrs.Pod))
+	// TODO: create context here as changing interface https://github.com/kubernetes/kubernetes/blob/09aaf7226056a7964adcb176d789de5507313d00/pkg/kubelet/lifecycle/interfaces.go#L43
+	// requires changes in too many other components
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	logger.V(4).Info("Topology manager admission check", "pod", klog.KObj(attrs.Pod))
 	metrics.TopologyManagerAdmissionRequestsTotal.Inc()
 
 	startTime := time.Now()
-	podAdmitResult := m.scope.Admit(attrs.Pod)
+	podAdmitResult := m.scope.Admit(ctx, attrs.Pod)
 	metrics.TopologyManagerAdmissionDuration.Observe(float64(time.Since(startTime).Milliseconds()))
 
-	klog.V(4).InfoS("Pod Admit Result", "Message", podAdmitResult.Message, "pod", klog.KObj(attrs.Pod))
+	logger.V(4).Info("Pod Admit Result", "Message", podAdmitResult.Message, "pod", klog.KObj(attrs.Pod))
 	return podAdmitResult
 }
diff --git a/pkg/kubelet/cm/topologymanager/topology_manager_test.go b/pkg/kubelet/cm/topologymanager/topology_manager_test.go
index 7f7c454f68384..64cea9f7d3fc7 100644
--- a/pkg/kubelet/cm/topologymanager/topology_manager_test.go
+++ b/pkg/kubelet/cm/topologymanager/topology_manager_test.go
@@ -22,11 +22,13 @@ import (
 	"testing"
 
 	"k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
 
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 
 	"k8s.io/kubernetes/pkg/kubelet/cm/topologymanager/bitmask"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func NewTestBitMask(sockets ...int) bitmask.BitMask {
@@ -226,7 +228,7 @@ type mockPolicy struct {
 	ph []map[string][]TopologyHint
 }
 
-func (p *mockPolicy) Merge(providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
+func (p *mockPolicy) Merge(logger klog.Logger, providersHints []map[string][]TopologyHint) (TopologyHint, bool) {
 	p.ph = providersHints
 	return TopologyHint{}, true
 }
@@ -247,9 +249,10 @@ func TestAddHintProvider(t *testing.T) {
 	}
 	mngr := manager{}
 	mngr.scope = NewContainerScope(NewNonePolicy())
+	logger, _ := ktesting.NewTestContext(t)
 	for _, tc := range tcases {
 		for _, hp := range tc.hp {
-			mngr.AddHintProvider(hp)
+			mngr.AddHintProvider(logger, hp)
 		}
 		if len(tc.hp) != len(mngr.scope.(*containerScope).hintProviders) {
 			t.Errorf("error")
diff --git a/pkg/kubelet/cm/types.go b/pkg/kubelet/cm/types.go
index 40195e9cd1d62..23426f81c81b0 100644
--- a/pkg/kubelet/cm/types.go
+++ b/pkg/kubelet/cm/types.go
@@ -19,6 +19,7 @@ package cm
 import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2"
 	"k8s.io/utils/cpuset"
 )
 
@@ -64,11 +65,11 @@ type CgroupManager interface {
 	// Create creates and applies the cgroup configurations on the cgroup.
 	// It just creates the leaf cgroups.
 	// It expects the parent cgroup to already exist.
-	Create(*CgroupConfig) error
+	Create(klog.Logger, *CgroupConfig) error
 	// Destroy the cgroup.
-	Destroy(*CgroupConfig) error
+	Destroy(klog.Logger, *CgroupConfig) error
 	// Update cgroup configuration.
-	Update(*CgroupConfig) error
+	Update(klog.Logger, *CgroupConfig) error
 	// Validate checks if the cgroup is valid
 	Validate(name CgroupName) error
 	// Exists checks if the cgroup already exists
@@ -82,15 +83,15 @@ type CgroupManager interface {
 	// CgroupName converts the literal cgroupfs name on the host to an internal identifier.
 	CgroupName(name string) CgroupName
 	// Pids scans through all subsystems to find pids associated with specified cgroup.
-	Pids(name CgroupName) []int
+	Pids(logger klog.Logger, name CgroupName) []int
 	// ReduceCPULimits reduces the CPU CFS values to the minimum amount of shares.
-	ReduceCPULimits(cgroupName CgroupName) error
+	ReduceCPULimits(logger klog.Logger, cgroupName CgroupName) error
 	// MemoryUsage returns current memory usage of the specified cgroup, as read from the cgroupfs.
 	MemoryUsage(name CgroupName) (int64, error)
 	// Get the resource config values applied to the cgroup for specified resource type
 	GetCgroupConfig(name CgroupName, resource v1.ResourceName) (*ResourceConfig, error)
 	// Set resource config for the specified resource type on the cgroup
-	SetCgroupConfig(name CgroupName, resourceConfig *ResourceConfig) error
+	SetCgroupConfig(logger klog.Logger, name CgroupName, resourceConfig *ResourceConfig) error
 	// Version of the cgroup implementation on the host
 	Version() int
 	// Toggle whether CPU load balancing should be disabled for new cgroups the kubelet creates
@@ -114,16 +115,16 @@ type PodContainerManager interface {
 	// EnsureExists takes a pod as argument and makes sure that
 	// pod cgroup exists if qos cgroup hierarchy flag is enabled.
 	// If the pod cgroup doesn't already exist this method creates it.
-	EnsureExists(*v1.Pod) error
+	EnsureExists(logger klog.Logger, pod *v1.Pod) error
 
 	// Exists returns true if the pod cgroup exists.
 	Exists(*v1.Pod) bool
 
 	// Destroy takes a pod Cgroup name as argument and destroys the pod's container.
-	Destroy(name CgroupName) error
+	Destroy(logger klog.Logger, name CgroupName) error
 
 	// ReduceCPULimits reduces the CPU CFS values to the minimum amount of shares.
-	ReduceCPULimits(name CgroupName) error
+	ReduceCPULimits(logger klog.Logger, name CgroupName) error
 
 	// GetAllPodsFromCgroups enumerates the set of pod uids to their associated cgroup based on state of cgroupfs system.
 	GetAllPodsFromCgroups() (map[types.UID]CgroupName, error)
@@ -138,5 +139,5 @@ type PodContainerManager interface {
 	GetPodCgroupConfig(pod *v1.Pod, resource v1.ResourceName) (*ResourceConfig, error)
 
 	// Set resource config values for the specified resource type on the pod cgroup
-	SetPodCgroupConfig(pod *v1.Pod, resourceConfig *ResourceConfig) error
+	SetPodCgroupConfig(logger klog.Logger, pod *v1.Pod, resourceConfig *ResourceConfig) error
 }
diff --git a/pkg/kubelet/config/apiserver.go b/pkg/kubelet/config/apiserver.go
index b67f6c34fec4b..60c040299c481 100644
--- a/pkg/kubelet/config/apiserver.go
+++ b/pkg/kubelet/config/apiserver.go
@@ -34,22 +34,22 @@ import (
 const WaitForAPIServerSyncPeriod = 1 * time.Second
 
 // NewSourceApiserver creates a config source that watches and pulls from the apiserver.
-func NewSourceApiserver(c clientset.Interface, nodeName types.NodeName, nodeHasSynced func() bool, updates chan<- interface{}) {
+func NewSourceApiserver(logger klog.Logger, c clientset.Interface, nodeName types.NodeName, nodeHasSynced func() bool, updates chan<- interface{}) {
 	lw := cache.NewListWatchFromClient(c.CoreV1().RESTClient(), "pods", metav1.NamespaceAll, fields.OneTermEqualSelector("spec.nodeName", string(nodeName)))
 
 	// The Reflector responsible for watching pods at the apiserver should be run only after
 	// the node sync with the apiserver has completed.
-	klog.InfoS("Waiting for node sync before watching apiserver pods")
+	logger.Info("Waiting for node sync before watching apiserver pods")
 	go func() {
 		for {
 			if nodeHasSynced() {
-				klog.V(4).InfoS("node sync completed")
+				logger.V(4).Info("node sync completed")
 				break
 			}
 			time.Sleep(WaitForAPIServerSyncPeriod)
-			klog.V(4).InfoS("node sync has not completed yet")
+			logger.V(4).Info("node sync has not completed yet")
 		}
-		klog.InfoS("Watching apiserver")
+		logger.Info("Watching apiserver")
 		newSourceApiserverFromLW(lw, updates)
 	}()
 }
diff --git a/pkg/kubelet/config/apiserver_test.go b/pkg/kubelet/config/apiserver_test.go
index 590d351296204..9bbafecc6eccb 100644
--- a/pkg/kubelet/config/apiserver_test.go
+++ b/pkg/kubelet/config/apiserver_test.go
@@ -41,6 +41,15 @@ func (lw fakePodLW) Watch(options metav1.ListOptions) (watch.Interface, error) {
 	return lw.watchResp, nil
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (lw fakePodLW) IsWatchListSemanticsUnSupported() bool { return true }
+
 var _ cache.ListerWatcher = fakePodLW{}
 
 func TestNewSourceApiserver_UpdatesAndMultiplePods(t *testing.T) {
diff --git a/pkg/kubelet/config/common.go b/pkg/kubelet/config/common.go
index 48f6ba77ada07..c2076776da8fa 100644
--- a/pkg/kubelet/config/common.go
+++ b/pkg/kubelet/config/common.go
@@ -17,10 +17,10 @@ limitations under the License.
 package config
 
 import (
-	"crypto/md5"
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"hash/fnv"
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
@@ -57,9 +57,9 @@ func generatePodName(name string, nodeName types.NodeName) string {
 	return fmt.Sprintf("%s-%s", name, strings.ToLower(string(nodeName)))
 }
 
-func applyDefaults(pod *api.Pod, source string, isFile bool, nodeName types.NodeName) error {
+func applyDefaults(logger klog.Logger, pod *api.Pod, source string, isFile bool, nodeName types.NodeName) error {
 	if len(pod.UID) == 0 {
-		hasher := md5.New()
+		hasher := fnv.New128a()
 		hash.DeepHashObject(hasher, pod)
 		// DeepHashObject resets the hash, so we should write the pod source
 		// information AFTER it.
@@ -70,16 +70,16 @@ func applyDefaults(pod *api.Pod, source string, isFile bool, nodeName types.Node
 			fmt.Fprintf(hasher, "url:%s", source)
 		}
 		pod.UID = types.UID(hex.EncodeToString(hasher.Sum(nil)[0:]))
-		klog.V(5).InfoS("Generated UID", "pod", klog.KObj(pod), "podUID", pod.UID, "source", source)
+		logger.V(5).Info("Generated UID", "pod", klog.KObj(pod), "podUID", pod.UID, "source", source)
 	}
 
 	pod.Name = generatePodName(pod.Name, nodeName)
-	klog.V(5).InfoS("Generated pod name", "pod", klog.KObj(pod), "podUID", pod.UID, "source", source)
+	logger.V(5).Info("Generated pod name", "pod", klog.KObj(pod), "podUID", pod.UID, "source", source)
 
 	if pod.Namespace == "" {
 		pod.Namespace = metav1.NamespaceDefault
 	}
-	klog.V(5).InfoS("Set namespace for pod", "pod", klog.KObj(pod), "source", source)
+	logger.V(5).Info("Set namespace for pod", "pod", klog.KObj(pod), "source", source)
 
 	// Set the Host field to indicate this pod is scheduled on the current node.
 	pod.Spec.NodeName = string(nodeName)
@@ -104,7 +104,7 @@ func applyDefaults(pod *api.Pod, source string, isFile bool, nodeName types.Node
 	return nil
 }
 
-type defaultFunc func(pod *api.Pod) error
+type defaultFunc func(logger klog.Logger, pod *api.Pod) error
 
 // A static pod tried to use a ClusterTrustBundle projected volume source.
 var ErrStaticPodTriedToUseClusterTrustBundle = errors.New("static pods may not use ClusterTrustBundle projected volume sources")
@@ -113,7 +113,7 @@ var ErrStaticPodTriedToUseClusterTrustBundle = errors.New("static pods may not u
 var ErrStaticPodTriedToUseResourceClaims = errors.New("static pods may not use ResourceClaims")
 
 // tryDecodeSinglePod takes data and tries to extract valid Pod config information from it.
-func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v1.Pod, err error) {
+func tryDecodeSinglePod(logger klog.Logger, data []byte, defaultFn defaultFunc) (parsed bool, pod *v1.Pod, err error) {
 	// JSON is valid YAML, so this should work for everything.
 	json, err := utilyaml.ToJSON(data)
 	if err != nil {
@@ -135,15 +135,16 @@ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v
 	}
 
 	// Apply default values and validate the pod.
-	if err = defaultFn(newPod); err != nil {
+	if err = defaultFn(logger, newPod); err != nil {
 		return true, pod, err
 	}
-	if errs := validation.ValidatePodCreate(newPod, validation.PodValidationOptions{}); len(errs) > 0 {
+	opts := podutil.GetValidationOptionsFromPodSpecAndMeta(&newPod.Spec, nil, &newPod.ObjectMeta, nil)
+	if errs := validation.ValidatePodCreate(newPod, opts); len(errs) > 0 {
 		return true, pod, fmt.Errorf("invalid pod: %v", errs)
 	}
 	v1Pod := &v1.Pod{}
 	if err := k8s_api_v1.Convert_core_Pod_To_v1_Pod(newPod, v1Pod, nil); err != nil {
-		klog.ErrorS(err, "Pod failed to convert to v1", "pod", klog.KObj(newPod))
+		logger.Error(err, "Pod failed to convert to v1", "pod", klog.KObj(newPod))
 		return true, nil, err
 	}
 
@@ -177,7 +178,7 @@ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v
 	return true, v1Pod, nil
 }
 
-func tryDecodePodList(data []byte, defaultFn defaultFunc) (parsed bool, pods v1.PodList, err error) {
+func tryDecodePodList(logger klog.Logger, data []byte, defaultFn defaultFunc) (parsed bool, pods v1.PodList, err error) {
 	obj, err := runtime.Decode(legacyscheme.Codecs.UniversalDecoder(), data)
 	if err != nil {
 		return false, pods, err
@@ -196,10 +197,11 @@ func tryDecodePodList(data []byte, defaultFn defaultFunc) (parsed bool, pods v1.
 		if newPod.Name == "" {
 			return true, pods, fmt.Errorf("invalid pod: name is needed for the pod")
 		}
-		if err = defaultFn(newPod); err != nil {
+		if err = defaultFn(logger, newPod); err != nil {
 			return true, pods, err
 		}
-		if errs := validation.ValidatePodCreate(newPod, validation.PodValidationOptions{}); len(errs) > 0 {
+		opts := podutil.GetValidationOptionsFromPodSpecAndMeta(&newPod.Spec, nil, &newPod.ObjectMeta, nil)
+		if errs := validation.ValidatePodCreate(newPod, opts); len(errs) > 0 {
 			err = fmt.Errorf("invalid pod: %v", errs)
 			return true, pods, err
 		}
diff --git a/pkg/kubelet/config/common_test.go b/pkg/kubelet/config/common_test.go
index 4a7c98250caec..8d60d269cad77 100644
--- a/pkg/kubelet/config/common_test.go
+++ b/pkg/kubelet/config/common_test.go
@@ -28,18 +28,24 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientscheme "k8s.io/client-go/kubernetes/scheme"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	podtest "k8s.io/kubernetes/pkg/api/pod/testing"
 	"k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/securitycontext"
 	"k8s.io/utils/ptr"
 )
 
-func noDefault(*core.Pod) error { return nil }
+func noDefault(klog.Logger, *core.Pod) error { return nil }
 
 func TestDecodeSinglePod(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	grace := int64(30)
 	enableServiceLinks := v1.DefaultEnableServiceLinks
 	pod := &v1.Pod{
@@ -80,7 +86,7 @@ func TestDecodeSinglePod(t *testing.T) {
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
-	parsed, podOut, err := tryDecodeSinglePod(json, noDefault)
+	parsed, podOut, err := tryDecodeSinglePod(logger, json, noDefault)
 	if !parsed {
 		t.Errorf("expected to have parsed file: (%s)", string(json))
 	}
@@ -98,7 +104,7 @@ func TestDecodeSinglePod(t *testing.T) {
 		if err != nil {
 			t.Errorf("unexpected error: %v", err)
 		}
-		parsed, podOut, err = tryDecodeSinglePod(yaml, noDefault)
+		parsed, podOut, err = tryDecodeSinglePod(logger, yaml, noDefault)
 		if !parsed {
 			t.Errorf("expected to have parsed file: (%s)", string(yaml))
 		}
@@ -112,6 +118,7 @@ func TestDecodeSinglePod(t *testing.T) {
 }
 
 func TestDecodeSinglePodRejectsClusterTrustBundleVolumes(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	grace := int64(30)
 	enableServiceLinks := v1.DefaultEnableServiceLinks
 	pod := &v1.Pod{
@@ -175,13 +182,14 @@ func TestDecodeSinglePodRejectsClusterTrustBundleVolumes(t *testing.T) {
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
-	_, _, err = tryDecodeSinglePod(json, noDefault)
+	_, _, err = tryDecodeSinglePod(logger, json, noDefault)
 	if !strings.Contains(err.Error(), "may not reference clustertrustbundles") {
 		t.Errorf("Got error %q, want %q", err, fmt.Errorf("static pods may not reference clustertrustbundles API objects"))
 	}
 }
 
 func TestDecodeSinglePodRejectsResourceClaims(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	grace := int64(30)
 	enableServiceLinks := v1.DefaultEnableServiceLinks
 	pod := &v1.Pod{
@@ -231,13 +239,53 @@ func TestDecodeSinglePodRejectsResourceClaims(t *testing.T) {
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
-	_, _, err = tryDecodeSinglePod(json, noDefault)
+	_, _, err = tryDecodeSinglePod(logger, json, noDefault)
 	if !strings.Contains(err.Error(), "may not reference resourceclaims") {
 		t.Errorf("Got error %q, want %q", err, fmt.Errorf("static pods may not reference resourceclaims API objects"))
 	}
 }
 
+func TestDecodeSinglePodWithOptions(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerRestartRules, true)
+	logger, _ := ktesting.NewTestContext(t)
+	restartPolicyAlways := v1.ContainerRestartPolicyAlways
+	pod := &v1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			UID:       "12345",
+			Namespace: "mynamespace",
+		},
+		Spec: v1.PodSpec{
+			RestartPolicy: v1.RestartPolicyNever,
+			Containers: []v1.Container{{
+				Name:                     "image",
+				Image:                    "test/image",
+				ImagePullPolicy:          "IfNotPresent",
+				TerminationMessagePath:   "/dev/termination-log",
+				TerminationMessagePolicy: v1.TerminationMessageReadFile,
+				SecurityContext:          securitycontext.ValidSecurityContextWithContainerDefaults(),
+				RestartPolicy:            &restartPolicyAlways,
+			}},
+		},
+	}
+	json, err := runtime.Encode(clientscheme.Codecs.LegacyCodec(v1.SchemeGroupVersion), pod)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	parsed, _, err := tryDecodeSinglePod(logger, json, noDefault)
+	if err != nil {
+		t.Errorf("unexpected error: %v (%s)", err, string(json))
+	}
+	if !parsed {
+		t.Errorf("expected to have parsed file: (%s)", string(json))
+	}
+}
+
 func TestDecodePodList(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	grace := int64(30)
 	enableServiceLinks := v1.DefaultEnableServiceLinks
 	pod := &v1.Pod{
@@ -282,7 +330,7 @@ func TestDecodePodList(t *testing.T) {
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
-	parsed, podListOut, err := tryDecodePodList(json, noDefault)
+	parsed, podListOut, err := tryDecodePodList(logger, json, noDefault)
 	if !parsed {
 		t.Errorf("expected to have parsed file: (%s)", string(json))
 	}
@@ -301,7 +349,7 @@ func TestDecodePodList(t *testing.T) {
 			t.Errorf("unexpected error: %v", err)
 		}
 
-		parsed, podListOut, err = tryDecodePodList(yaml, noDefault)
+		parsed, podListOut, err = tryDecodePodList(logger, yaml, noDefault)
 		if !parsed {
 			t.Errorf("expected to have parsed file: (%s): %v", string(yaml), err)
 			continue
diff --git a/pkg/kubelet/config/config.go b/pkg/kubelet/config/config.go
index 10a42c823221e..dc0728c8f3657 100644
--- a/pkg/kubelet/config/config.go
+++ b/pkg/kubelet/config/config.go
@@ -99,9 +99,12 @@ func (c *PodConfig) SeenAllSources(seenSources sets.Set[string]) bool {
 	if c.pods == nil {
 		return false
 	}
+	// Use klog.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	c.sourcesLock.Lock()
 	defer c.sourcesLock.Unlock()
-	klog.V(5).InfoS("Looking for sources, have seen", "sources", sets.List(c.sources), "seenSources", seenSources)
+	logger.V(5).Info("Looking for sources, have seen", "sources", sets.List(c.sources), "seenSources", seenSources)
 	return seenSources.HasAll(sets.List(c.sources)...) && c.pods.seenSources(sets.List(c.sources)...)
 }
 
@@ -157,12 +160,12 @@ func newPodStorage(updates chan<- kubetypes.PodUpdate, mode PodConfigNotificatio
 // Merge normalizes a set of incoming changes from different sources into a map of all Pods
 // and ensures that redundant changes are filtered out, and then pushes zero or more minimal
 // updates onto the update channel.  Ensures that updates are delivered in order.
-func (s *podStorage) Merge(source string, change interface{}) error {
+func (s *podStorage) Merge(ctx context.Context, source string, change interface{}) error {
 	s.updateLock.Lock()
 	defer s.updateLock.Unlock()
 
 	seenBefore := s.sourcesSeen.Has(source)
-	adds, updates, deletes, removes, reconciles := s.merge(source, change)
+	adds, updates, deletes, removes, reconciles := s.merge(ctx, source, change)
 	firstSet := !seenBefore && s.sourcesSeen.Has(source)
 
 	// deliver update notifications
@@ -216,9 +219,10 @@ func (s *podStorage) Merge(source string, change interface{}) error {
 	return nil
 }
 
-func (s *podStorage) merge(source string, change interface{}) (adds, updates, deletes, removes, reconciles *kubetypes.PodUpdate) {
+func (s *podStorage) merge(ctx context.Context, source string, change interface{}) (adds, updates, deletes, removes, reconciles *kubetypes.PodUpdate) {
 	s.podLock.Lock()
 	defer s.podLock.Unlock()
+	logger := klog.FromContext(ctx)
 
 	addPods := []*v1.Pod{}
 	updatePods := []*v1.Pod{}
@@ -235,7 +239,7 @@ func (s *podStorage) merge(source string, change interface{}) (adds, updates, de
 	// After updated, new pod will be stored in the pod cache *pods*.
 	// Notice that *pods* and *oldPods* could be the same cache.
 	updatePodsFunc := func(newPods []*v1.Pod, oldPods, pods map[types.UID]*v1.Pod) {
-		filtered := filterInvalidPods(newPods, source, s.recorder)
+		filtered := filterInvalidPods(logger, newPods, source, s.recorder)
 		for _, ref := range filtered {
 			// Annotate the pod with the source before any comparison.
 			if ref.Annotations == nil {
@@ -258,7 +262,7 @@ func (s *podStorage) merge(source string, change interface{}) (adds, updates, de
 				}
 				continue
 			}
-			recordFirstSeenTime(ref)
+			recordFirstSeenTime(logger, ref)
 			pods[ref.UID] = ref
 			addPods = append(addPods, ref)
 		}
@@ -268,16 +272,16 @@ func (s *podStorage) merge(source string, change interface{}) (adds, updates, de
 	switch update.Op {
 	case kubetypes.ADD, kubetypes.UPDATE, kubetypes.DELETE:
 		if update.Op == kubetypes.ADD {
-			klog.V(4).InfoS("Adding new pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
+			logger.V(4).Info("Adding new pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
 		} else if update.Op == kubetypes.DELETE {
-			klog.V(4).InfoS("Gracefully deleting pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
+			logger.V(4).Info("Gracefully deleting pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
 		} else {
-			klog.V(4).InfoS("Updating pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
+			logger.V(4).Info("Updating pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
 		}
 		updatePodsFunc(update.Pods, pods, pods)
 
 	case kubetypes.REMOVE:
-		klog.V(4).InfoS("Removing pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
+		logger.V(4).Info("Removing pods from source", "source", source, "pods", klog.KObjSlice(update.Pods))
 		for _, value := range update.Pods {
 			if existing, found := pods[value.UID]; found {
 				// this is a delete
@@ -289,7 +293,7 @@ func (s *podStorage) merge(source string, change interface{}) (adds, updates, de
 		}
 
 	case kubetypes.SET:
-		klog.V(4).InfoS("Setting pods for source", "source", source)
+		logger.V(4).Info("Setting pods for source", "source", source)
 		s.markSourceSet(source)
 		// Clear the old map entries by just creating a new map
 		oldPods := pods
@@ -303,7 +307,7 @@ func (s *podStorage) merge(source string, change interface{}) (adds, updates, de
 		}
 
 	default:
-		klog.InfoS("Received invalid update type", "type", update)
+		logger.Info("Received invalid update type", "type", update)
 
 	}
 
@@ -330,14 +334,14 @@ func (s *podStorage) seenSources(sources ...string) bool {
 	return s.sourcesSeen.HasAll(sources...)
 }
 
-func filterInvalidPods(pods []*v1.Pod, source string, recorder record.EventRecorder) (filtered []*v1.Pod) {
+func filterInvalidPods(logger klog.Logger, pods []*v1.Pod, source string, recorder record.EventRecorder) (filtered []*v1.Pod) {
 	names := sets.Set[string]{}
 	for i, pod := range pods {
 		// Pods from each source are assumed to have passed validation individually.
 		// This function only checks if there is any naming conflict.
 		name := kubecontainer.GetPodFullName(pod)
 		if names.Has(name) {
-			klog.InfoS("Pod failed validation due to duplicate pod name, ignoring", "index", i, "pod", klog.KObj(pod), "source", source)
+			logger.Info("Pod failed validation due to duplicate pod name, ignoring", "index", i, "pod", klog.KObj(pod), "source", source)
 			recorder.Eventf(pod, v1.EventTypeWarning, events.FailedValidation, "Error validating pod %s from %s due to duplicate pod name %q, ignoring", format.Pod(pod), source, pod.Name)
 			continue
 		} else {
@@ -393,8 +397,8 @@ func isAnnotationMapEqual(existingMap, candidateMap map[string]string) bool {
 }
 
 // recordFirstSeenTime records the first seen time of this pod.
-func recordFirstSeenTime(pod *v1.Pod) {
-	klog.V(4).InfoS("Receiving a new pod", "pod", klog.KObj(pod))
+func recordFirstSeenTime(logger klog.Logger, pod *v1.Pod) {
+	logger.V(4).Info("Receiving a new pod", "pod", klog.KObj(pod))
 	pod.Annotations[kubetypes.ConfigFirstSeenAnnotationKey] = kubetypes.NewTimestamp().GetString()
 }
 
diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go
deleted file mode 100644
index b8788f9e431a9..0000000000000
--- a/pkg/kubelet/config/defaults.go
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package config
-
-// Defines sane defaults for the kubelet config.
-const (
-	DefaultKubeletPodsDirName                = "pods"
-	DefaultKubeletVolumesDirName             = "volumes"
-	DefaultKubeletVolumeSubpathsDirName      = "volume-subpaths"
-	DefaultKubeletVolumeDevicesDirName       = "volumeDevices"
-	DefaultKubeletPluginsDirName             = "plugins"
-	DefaultKubeletPluginsRegistrationDirName = "plugins_registry"
-	DefaultKubeletContainersDirName          = "containers"
-	DefaultKubeletPluginContainersDirName    = "plugin-containers"
-	DefaultKubeletPodResourcesDirName        = "pod-resources"
-	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
-	KubeletContainersSharedSELinuxLabel      = "system_u:object_r:container_file_t:s0"
-	DefaultKubeletCheckpointsDirName         = "checkpoints"
-	DefaultKubeletUserNamespacesIDsPerPod    = 65536
-)
diff --git a/pkg/kubelet/config/file.go b/pkg/kubelet/config/file.go
index d2526ec989d97..541f41318b20f 100644
--- a/pkg/kubelet/config/file.go
+++ b/pkg/kubelet/config/file.go
@@ -61,13 +61,13 @@ type sourceFile struct {
 }
 
 // NewSourceFile watches a config file for changes.
-func NewSourceFile(path string, nodeName types.NodeName, period time.Duration, updates chan<- interface{}) {
+func NewSourceFile(logger klog.Logger, path string, nodeName types.NodeName, period time.Duration, updates chan<- interface{}) {
 	// "github.com/sigma/go-inotify" requires a path without trailing "/"
 	path = strings.TrimRight(path, string(os.PathSeparator))
 
 	config := newSourceFile(path, nodeName, period, updates)
-	klog.V(1).InfoS("Watching path", "path", path)
-	config.run()
+	logger.V(1).Info("Watching path", "path", path)
+	config.run(logger)
 }
 
 func newSourceFile(path string, nodeName types.NodeName, period time.Duration, updates chan<- interface{}) *sourceFile {
@@ -90,36 +90,36 @@ func newSourceFile(path string, nodeName types.NodeName, period time.Duration, u
 	}
 }
 
-func (s *sourceFile) run() {
+func (s *sourceFile) run(logger klog.Logger) {
 	listTicker := time.NewTicker(s.period)
 
 	go func() {
 		// Read path immediately to speed up startup.
-		if err := s.listConfig(); err != nil {
-			klog.ErrorS(err, "Unable to read config path", "path", s.path)
+		if err := s.listConfig(logger); err != nil {
+			logger.Error(err, "Unable to read config path", "path", s.path)
 		}
 		for {
 			select {
 			case <-listTicker.C:
-				if err := s.listConfig(); err != nil {
-					klog.ErrorS(err, "Unable to read config path", "path", s.path)
+				if err := s.listConfig(logger); err != nil {
+					logger.Error(err, "Unable to read config path", "path", s.path)
 				}
 			case e := <-s.watchEvents:
-				if err := s.consumeWatchEvent(e); err != nil {
-					klog.ErrorS(err, "Unable to process watch event")
+				if err := s.consumeWatchEvent(logger, e); err != nil {
+					logger.Error(err, "Unable to process watch event")
 				}
 			}
 		}
 	}()
 
-	s.startWatch()
+	s.startWatch(logger)
 }
 
-func (s *sourceFile) applyDefaults(pod *api.Pod, source string) error {
-	return applyDefaults(pod, source, true, s.nodeName)
+func (s *sourceFile) applyDefaults(logger klog.Logger, pod *api.Pod, source string) error {
+	return applyDefaults(logger, pod, source, true, s.nodeName)
 }
 
-func (s *sourceFile) listConfig() error {
+func (s *sourceFile) listConfig(logger klog.Logger) error {
 	path := s.path
 	statInfo, err := os.Stat(path)
 	if err != nil {
@@ -133,7 +133,7 @@ func (s *sourceFile) listConfig() error {
 
 	switch {
 	case statInfo.Mode().IsDir():
-		pods, err := s.extractFromDir(path)
+		pods, err := s.extractFromDir(logger, path)
 		if err != nil {
 			return err
 		}
@@ -145,7 +145,7 @@ func (s *sourceFile) listConfig() error {
 		return s.replaceStore(pods...)
 
 	case statInfo.Mode().IsRegular():
-		pod, err := s.extractFromFile(path)
+		pod, err := s.extractFromFile(logger, path)
 		if err != nil {
 			return err
 		}
@@ -159,7 +159,7 @@ func (s *sourceFile) listConfig() error {
 // Get as many pod manifests as we can from a directory. Return an error if and only if something
 // prevented us from reading anything at all. Do not return an error if only some files
 // were problematic.
-func (s *sourceFile) extractFromDir(name string) ([]*v1.Pod, error) {
+func (s *sourceFile) extractFromDir(logger klog.Logger, name string) ([]*v1.Pod, error) {
 	dirents, err := filepath.Glob(filepath.Join(name, "[^.]*"))
 	if err != nil {
 		return nil, fmt.Errorf("glob failed: %v", err)
@@ -174,32 +174,32 @@ func (s *sourceFile) extractFromDir(name string) ([]*v1.Pod, error) {
 	for _, path := range dirents {
 		statInfo, err := os.Stat(path)
 		if err != nil {
-			klog.ErrorS(err, "Could not get metadata", "path", path)
+			logger.Error(err, "Could not get metadata", "path", path)
 			continue
 		}
 
 		switch {
 		case statInfo.Mode().IsDir():
-			klog.ErrorS(nil, "Provided manifest path is a directory, not recursing into manifest path", "path", path)
+			logger.Error(nil, "Provided manifest path is a directory, not recursing into manifest path", "path", path)
 		case statInfo.Mode().IsRegular():
-			pod, err := s.extractFromFile(path)
+			pod, err := s.extractFromFile(logger, path)
 			if err != nil {
 				if !os.IsNotExist(err) {
-					klog.ErrorS(err, "Could not process manifest file", "path", path)
+					logger.Error(err, "Could not process manifest file", "path", path)
 				}
 			} else {
 				pods = append(pods, pod)
 			}
 		default:
-			klog.ErrorS(nil, "Manifest path is not a directory or file", "path", path, "mode", statInfo.Mode())
+			logger.Error(nil, "Manifest path is not a directory or file", "path", path, "mode", statInfo.Mode())
 		}
 	}
 	return pods, nil
 }
 
 // extractFromFile parses a file for Pod configuration information.
-func (s *sourceFile) extractFromFile(filename string) (pod *v1.Pod, err error) {
-	klog.V(3).InfoS("Reading config file", "path", filename)
+func (s *sourceFile) extractFromFile(logger klog.Logger, filename string) (pod *v1.Pod, err error) {
+	logger.V(3).Info("Reading config file", "path", filename)
 	defer func() {
 		if err == nil && pod != nil {
 			objKey, keyErr := cache.MetaNamespaceKeyFunc(pod)
@@ -222,11 +222,11 @@ func (s *sourceFile) extractFromFile(filename string) (pod *v1.Pod, err error) {
 		return pod, err
 	}
 
-	defaultFn := func(pod *api.Pod) error {
-		return s.applyDefaults(pod, filename)
+	defaultFn := func(logger klog.Logger, pod *api.Pod) error {
+		return s.applyDefaults(logger, pod, filename)
 	}
 
-	parsed, pod, podErr := tryDecodeSinglePod(data, defaultFn)
+	parsed, pod, podErr := tryDecodeSinglePod(logger, data, defaultFn)
 	if parsed {
 		if podErr != nil {
 			return pod, podErr
diff --git a/pkg/kubelet/config/file_linux.go b/pkg/kubelet/config/file_linux.go
index 42d86f868723b..f05010f8ec0aa 100644
--- a/pkg/kubelet/config/file_linux.go
+++ b/pkg/kubelet/config/file_linux.go
@@ -48,7 +48,7 @@ func (e *retryableError) Error() string {
 	return e.message
 }
 
-func (s *sourceFile) startWatch() {
+func (s *sourceFile) startWatch(logger klog.Logger) {
 	backOff := flowcontrol.NewBackOff(retryPeriod, maxRetryPeriod)
 	backOffID := "watch"
 
@@ -57,8 +57,8 @@ func (s *sourceFile) startWatch() {
 			return
 		}
 
-		if err := s.doWatch(); err != nil {
-			klog.ErrorS(err, "Unable to read config path", "path", s.path)
+		if err := s.doWatch(logger); err != nil {
+			logger.Error(err, "Unable to read config path", "path", s.path)
 			if _, retryable := err.(*retryableError); !retryable {
 				backOff.Next(backOffID, time.Now())
 			}
@@ -66,7 +66,7 @@ func (s *sourceFile) startWatch() {
 	}, retryPeriod)
 }
 
-func (s *sourceFile) doWatch() error {
+func (s *sourceFile) doWatch(logger klog.Logger) error {
 	_, err := os.Stat(s.path)
 	if err != nil {
 		if !os.IsNotExist(err) {
@@ -91,7 +91,7 @@ func (s *sourceFile) doWatch() error {
 	for {
 		select {
 		case event := <-w.Events:
-			if err = s.produceWatchEvent(&event); err != nil {
+			if err = s.produceWatchEvent(logger, &event); err != nil {
 				return fmt.Errorf("error while processing inotify event (%+v): %v", event, err)
 			}
 		case err = <-w.Errors:
@@ -100,10 +100,10 @@ func (s *sourceFile) doWatch() error {
 	}
 }
 
-func (s *sourceFile) produceWatchEvent(e *fsnotify.Event) error {
+func (s *sourceFile) produceWatchEvent(logger klog.Logger, e *fsnotify.Event) error {
 	// Ignore file start with dots
 	if strings.HasPrefix(filepath.Base(e.Name), ".") {
-		klog.V(4).InfoS("Ignored pod manifest, because it starts with dots", "eventName", e.Name)
+		logger.V(4).Info("Ignored pod manifest, because it starts with dots", "eventName", e.Name)
 		return nil
 	}
 	var eventType podEventType
@@ -127,10 +127,10 @@ func (s *sourceFile) produceWatchEvent(e *fsnotify.Event) error {
 	return nil
 }
 
-func (s *sourceFile) consumeWatchEvent(e *watchEvent) error {
+func (s *sourceFile) consumeWatchEvent(logger klog.Logger, e *watchEvent) error {
 	switch e.eventType {
 	case podAdd, podModify:
-		pod, err := s.extractFromFile(e.fileName)
+		pod, err := s.extractFromFile(logger, e.fileName)
 		if err != nil {
 			return fmt.Errorf("can't process config file %q: %v", e.fileName, err)
 		}
diff --git a/pkg/kubelet/config/file_linux_test.go b/pkg/kubelet/config/file_linux_test.go
index bcc97de1754de..b7e17eb655058 100644
--- a/pkg/kubelet/config/file_linux_test.go
+++ b/pkg/kubelet/config/file_linux_test.go
@@ -40,20 +40,23 @@ import (
 	"k8s.io/kubernetes/pkg/apis/core/validation"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/kubernetes/pkg/securitycontext"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestExtractFromNonExistentFile(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{}, 1)
 	lw := newSourceFile("/some/fake/file", "localhost", time.Millisecond, ch)
-	err := lw.doWatch()
+	err := lw.doWatch(logger)
 	if err == nil {
 		t.Errorf("Expected error")
 	}
 }
 
 func TestUpdateOnNonExistentFile(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{})
-	NewSourceFile("random_non_existent_path", "localhost", time.Millisecond, ch)
+	NewSourceFile(logger, "random_non_existent_path", "localhost", time.Millisecond, ch)
 	select {
 	case got := <-ch:
 		update := got.(kubetypes.PodUpdate)
@@ -68,6 +71,7 @@ func TestUpdateOnNonExistentFile(t *testing.T) {
 }
 
 func TestReadPodsFromFileExistAlready(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	hostname := types.NodeName("random-test-hostname")
 	var testCases = getTestCases(hostname)
 
@@ -81,7 +85,7 @@ func TestReadPodsFromFileExistAlready(t *testing.T) {
 			file := testCase.writeToFile(dirName, "test_pod_manifest", t)
 
 			ch := make(chan interface{})
-			NewSourceFile(file, hostname, time.Millisecond, ch)
+			NewSourceFile(logger, file, hostname, time.Millisecond, ch)
 			select {
 			case got := <-ch:
 				update := got.(kubetypes.PodUpdate)
@@ -228,6 +232,7 @@ func createSymbolicLink(link, target, name string, t *testing.T) string {
 }
 
 func watchFileAdded(watchDir bool, symlink bool, t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	hostname := types.NodeName("random-test-hostname")
 	var testCases = getTestCases(hostname)
 
@@ -253,9 +258,9 @@ func watchFileAdded(watchDir bool, symlink bool, t *testing.T) {
 
 			ch := make(chan interface{})
 			if watchDir {
-				NewSourceFile(dirName, hostname, 100*time.Millisecond, ch)
+				NewSourceFile(logger, dirName, hostname, 100*time.Millisecond, ch)
 			} else {
-				NewSourceFile(filepath.Join(dirName, fileName), hostname, 100*time.Millisecond, ch)
+				NewSourceFile(logger, filepath.Join(dirName, fileName), hostname, 100*time.Millisecond, ch)
 			}
 			expectEmptyUpdate(t, ch)
 
@@ -281,6 +286,7 @@ func watchFileAdded(watchDir bool, symlink bool, t *testing.T) {
 }
 
 func watchFileChanged(watchDir bool, symlink bool, period time.Duration, t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	hostname := types.NodeName("random-test-hostname")
 	var testCases = getTestCases(hostname)
 
@@ -319,9 +325,9 @@ func watchFileChanged(watchDir bool, symlink bool, period time.Duration, t *test
 			}()
 
 			if watchDir {
-				NewSourceFile(dirName, hostname, period, ch)
+				NewSourceFile(logger, dirName, hostname, period, ch)
 			} else {
-				NewSourceFile(file, hostname, period, ch)
+				NewSourceFile(logger, file, hostname, period, ch)
 			}
 
 			// await fsnotify to be ready
diff --git a/pkg/kubelet/config/file_test.go b/pkg/kubelet/config/file_test.go
index e0b7251788f5d..8aecb35af7849 100644
--- a/pkg/kubelet/config/file_test.go
+++ b/pkg/kubelet/config/file_test.go
@@ -24,6 +24,7 @@ import (
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestExtractFromBadDataFile(t *testing.T) {
@@ -33,6 +34,7 @@ func TestExtractFromBadDataFile(t *testing.T) {
 	}
 	defer removeAll(dirName, t)
 
+	logger, _ := ktesting.NewTestContext(t)
 	fileName := filepath.Join(dirName, "test_pod_config")
 	err = os.WriteFile(fileName, []byte{1, 2, 3}, 0555)
 	if err != nil {
@@ -41,7 +43,7 @@ func TestExtractFromBadDataFile(t *testing.T) {
 
 	ch := make(chan interface{}, 1)
 	lw := newSourceFile(fileName, "localhost", time.Millisecond, ch)
-	err = lw.listConfig()
+	err = lw.listConfig(logger)
 	if err == nil {
 		t.Fatalf("expected error, got nil")
 	}
@@ -55,9 +57,10 @@ func TestExtractFromEmptyDir(t *testing.T) {
 	}
 	defer removeAll(dirName, t)
 
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{}, 1)
 	lw := newSourceFile(dirName, "localhost", time.Millisecond, ch)
-	err = lw.listConfig()
+	err = lw.listConfig(logger)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
diff --git a/pkg/kubelet/config/file_unsupported.go b/pkg/kubelet/config/file_unsupported.go
index 7d5c77c28d796..1b2c56a6660a6 100644
--- a/pkg/kubelet/config/file_unsupported.go
+++ b/pkg/kubelet/config/file_unsupported.go
@@ -25,10 +25,10 @@ import (
 	"k8s.io/klog/v2"
 )
 
-func (s *sourceFile) startWatch() {
-	klog.ErrorS(nil, "Watching source file is unsupported in this build")
+func (s *sourceFile) startWatch(logger klog.Logger) {
+	logger.Error(nil, "Watching source file is unsupported in this build")
 }
 
-func (s *sourceFile) consumeWatchEvent(e *watchEvent) error {
+func (s *sourceFile) consumeWatchEvent(logger klog.Logger, e *watchEvent) error {
 	return fmt.Errorf("consuming watch event is unsupported in this build")
 }
diff --git a/pkg/kubelet/config/flags.go b/pkg/kubelet/config/flags.go
deleted file mode 100644
index 27473ba7862ac..0000000000000
--- a/pkg/kubelet/config/flags.go
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package config
-
-import (
-	"github.com/spf13/pflag"
-)
-
-// ContainerRuntimeOptions defines options for the container runtime.
-type ContainerRuntimeOptions struct {
-	// General Options.
-
-	// RuntimeCgroups that container runtime is expected to be isolated in.
-	RuntimeCgroups string
-	// Image credential provider plugin options
-
-	// ImageCredentialProviderConfigPath is the path to the credential provider plugin config file or directory.
-	// If a directory is specified, all .json, .yaml, or .yml files in the directory are loaded and merged
-	// in lexicographical order. This config file(s) specify what credential providers are enabled
-	// and invoked by the kubelet. The plugin config should contain information about what plugin binary
-	// to execute and what container images the plugin should be called for.
-	// +optional
-	ImageCredentialProviderConfigPath string
-	// ImageCredentialProviderBinDir is the path to the directory where credential provider plugin
-	// binaries exist. The name of each plugin binary is expected to match the name of the plugin
-	// specified in imageCredentialProviderConfigFile.
-	// +optional
-	ImageCredentialProviderBinDir string
-}
-
-// AddFlags adds flags to the container runtime, according to ContainerRuntimeOptions.
-func (s *ContainerRuntimeOptions) AddFlags(fs *pflag.FlagSet) {
-	var tmp string
-	// General settings.
-	fs.StringVar(&s.RuntimeCgroups, "runtime-cgroups", s.RuntimeCgroups, "Optional absolute name of cgroups to create and run the runtime in.")
-	fs.StringVar(&tmp, "pod-infra-container-image", "", "Specified image will not be pruned by the image garbage collector. CRI implementations have their own configuration to set this image.")
-	_ = fs.MarkDeprecated("pod-infra-container-image", "will be removed in 1.35. Image garbage collector will get sandbox image information from CRI.")
-
-	// Image credential provider settings.
-	fs.StringVar(&s.ImageCredentialProviderConfigPath, "image-credential-provider-config", s.ImageCredentialProviderConfigPath, "Path to a credential provider plugin config file (JSON/YAML/YML) or a directory of such files (merged in lexicographical order; non-recursive search).")
-	fs.StringVar(&s.ImageCredentialProviderBinDir, "image-credential-provider-bin-dir", s.ImageCredentialProviderBinDir, "The path to the directory where credential provider plugin binaries are located.")
-}
diff --git a/pkg/kubelet/config/http.go b/pkg/kubelet/config/http.go
index b376087814334..123f5edf01e07 100644
--- a/pkg/kubelet/config/http.go
+++ b/pkg/kubelet/config/http.go
@@ -43,7 +43,7 @@ type sourceURL struct {
 }
 
 // NewSourceURL specifies the URL where to read the Pod configuration from, then watches it for changes.
-func NewSourceURL(url string, header http.Header, nodeName types.NodeName, period time.Duration, updates chan<- interface{}) {
+func NewSourceURL(logger klog.Logger, url string, header http.Header, nodeName types.NodeName, period time.Duration, updates chan<- interface{}) {
 	config := &sourceURL{
 		url:      url,
 		header:   header,
@@ -54,35 +54,35 @@ func NewSourceURL(url string, header http.Header, nodeName types.NodeName, perio
 		// read the manifest URL passed to kubelet.
 		client: &http.Client{Timeout: 10 * time.Second},
 	}
-	klog.V(1).InfoS("Watching URL", "URL", url)
-	go wait.Until(config.run, period, wait.NeverStop)
+	logger.V(1).Info("Watching URL", "URL", url)
+	go wait.Until(func() { config.run(logger) }, period, wait.NeverStop)
 }
 
-func (s *sourceURL) run() {
-	if err := s.extractFromURL(); err != nil {
+func (s *sourceURL) run(logger klog.Logger) {
+	if err := s.extractFromURL(logger); err != nil {
 		// Don't log this multiple times per minute. The first few entries should be
 		// enough to get the point across.
 		if s.failureLogs < 3 {
-			klog.InfoS("Failed to read pods from URL", "err", err)
+			logger.Info("Failed to read pods from URL", "err", err)
 		} else if s.failureLogs == 3 {
-			klog.InfoS("Failed to read pods from URL. Dropping verbosity of this message to V(4)", "err", err)
+			logger.Info("Failed to read pods from URL. Dropping verbosity of this message to V(4)", "err", err)
 		} else {
-			klog.V(4).InfoS("Failed to read pods from URL", "err", err)
+			logger.V(4).Info("Failed to read pods from URL", "err", err)
 		}
 		s.failureLogs++
 	} else {
 		if s.failureLogs > 0 {
-			klog.InfoS("Successfully read pods from URL")
+			logger.Info("Successfully read pods from URL")
 			s.failureLogs = 0
 		}
 	}
 }
 
-func (s *sourceURL) applyDefaults(pod *api.Pod) error {
-	return applyDefaults(pod, s.url, false, s.nodeName)
+func (s *sourceURL) applyDefaults(logger klog.Logger, pod *api.Pod) error {
+	return applyDefaults(logger, pod, s.url, false, s.nodeName)
 }
 
-func (s *sourceURL) extractFromURL() error {
+func (s *sourceURL) extractFromURL(logger klog.Logger) error {
 	req, err := http.NewRequest("GET", s.url, nil)
 	if err != nil {
 		return err
@@ -112,7 +112,7 @@ func (s *sourceURL) extractFromURL() error {
 	s.data = data
 
 	// First try as it is a single pod.
-	parsed, pod, singlePodErr := tryDecodeSinglePod(data, s.applyDefaults)
+	parsed, pod, singlePodErr := tryDecodeSinglePod(logger, data, s.applyDefaults)
 	if parsed {
 		if singlePodErr != nil {
 			// It parsed but could not be used.
@@ -123,7 +123,7 @@ func (s *sourceURL) extractFromURL() error {
 	}
 
 	// That didn't work, so try a list of pods.
-	parsed, podList, multiPodErr := tryDecodePodList(data, s.applyDefaults)
+	parsed, podList, multiPodErr := tryDecodePodList(logger, data, s.applyDefaults)
 	if parsed {
 		if multiPodErr != nil {
 			// It parsed but could not be used.
diff --git a/pkg/kubelet/config/http_test.go b/pkg/kubelet/config/http_test.go
index 879accb770dc2..d637451e2f2e8 100644
--- a/pkg/kubelet/config/http_test.go
+++ b/pkg/kubelet/config/http_test.go
@@ -34,11 +34,13 @@ import (
 	k8s_api_v1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestURLErrorNotExistNoUpdate(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{})
-	NewSourceURL("http://localhost:49575/_not_found_", http.Header{}, "localhost", time.Millisecond, ch)
+	NewSourceURL(logger, "http://localhost:49575/_not_found_", http.Header{}, "localhost", time.Millisecond, ch)
 	select {
 	case got := <-ch:
 		t.Errorf("Expected no update, Got %#v", got)
@@ -47,15 +49,17 @@ func TestURLErrorNotExistNoUpdate(t *testing.T) {
 }
 
 func TestExtractFromHttpBadness(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{}, 1)
 	c := sourceURL{"http://localhost:49575/_not_found_", http.Header{}, "other", ch, nil, 0, http.DefaultClient}
-	if err := c.extractFromURL(); err == nil {
+	if err := c.extractFromURL(logger); err == nil {
 		t.Errorf("Expected error")
 	}
 	expectEmptyChannel(t, ch)
 }
 
 func TestExtractInvalidPods(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	var testCases = []struct {
 		desc string
 		pod  *v1.Pod
@@ -118,13 +122,14 @@ func TestExtractInvalidPods(t *testing.T) {
 		defer testServer.Close()
 		ch := make(chan interface{}, 1)
 		c := sourceURL{testServer.URL, http.Header{}, "localhost", ch, nil, 0, http.DefaultClient}
-		if err := c.extractFromURL(); err == nil {
+		if err := c.extractFromURL(logger); err == nil {
 			t.Errorf("%s: Expected error", testCase.desc)
 		}
 	}
 }
 
 func TestExtractPodsFromHTTP(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	nodeName := "different-value"
 
 	grace := int64(30)
@@ -301,7 +306,7 @@ func TestExtractPodsFromHTTP(t *testing.T) {
 		defer testServer.Close()
 		ch := make(chan interface{}, 1)
 		c := sourceURL{testServer.URL, http.Header{}, types.NodeName(nodeName), ch, nil, 0, http.DefaultClient}
-		if err := c.extractFromURL(); err != nil {
+		if err := c.extractFromURL(logger); err != nil {
 			t.Errorf("%s: Unexpected error: %v", testCase.desc, err)
 			continue
 		}
@@ -349,11 +354,13 @@ func TestURLWithHeader(t *testing.T) {
 	}
 	testServer := httptest.NewServer(&fakeHandler)
 	defer testServer.Close()
+
+	logger, _ := ktesting.NewTestContext(t)
 	ch := make(chan interface{}, 1)
 	header := make(http.Header)
 	header.Set("Metadata-Flavor", "Google")
 	c := sourceURL{testServer.URL, header, "localhost", ch, nil, 0, http.DefaultClient}
-	if err := c.extractFromURL(); err != nil {
+	if err := c.extractFromURL(logger); err != nil {
 		t.Fatalf("Unexpected error extracting from URL: %v", err)
 	}
 	update := (<-ch).(kubetypes.PodUpdate)
diff --git a/pkg/kubelet/config/mux.go b/pkg/kubelet/config/mux.go
index a2b3e1e0a5f68..091148f950fd2 100644
--- a/pkg/kubelet/config/mux.go
+++ b/pkg/kubelet/config/mux.go
@@ -28,7 +28,7 @@ type merger interface {
 	// Invoked when a change from a source is received.  May also function as an incremental
 	// merger if you wish to consume changes incrementally.  Must be reentrant when more than
 	// one source is defined.
-	Merge(source string, update interface{}) error
+	Merge(ctx context.Context, source string, update interface{}) error
 }
 
 // mux is a class for merging configuration from multiple sources.  Changes are
@@ -70,14 +70,15 @@ func (m *mux) ChannelWithContext(ctx context.Context, source string) chan interf
 	newChannel := make(chan interface{})
 	m.sources[source] = newChannel
 
-	go wait.Until(func() { m.listen(source, newChannel) }, 0, ctx.Done())
+	go wait.Until(func() { m.listen(ctx, source, newChannel) }, 0, ctx.Done())
 	return newChannel
 }
 
-func (m *mux) listen(source string, listenChannel <-chan interface{}) {
+func (m *mux) listen(ctx context.Context, source string, listenChannel <-chan interface{}) {
+	logger := klog.FromContext(ctx)
 	for update := range listenChannel {
-		if err := m.merger.Merge(source, update); err != nil {
-			klog.InfoS("failed merging update", "err", err)
+		if err := m.merger.Merge(ctx, source, update); err != nil {
+			logger.Info("failed merging update", "err", err)
 		}
 	}
 }
diff --git a/pkg/kubelet/config/mux_test.go b/pkg/kubelet/config/mux_test.go
index b24068505cf76..6033023c87143 100644
--- a/pkg/kubelet/config/mux_test.go
+++ b/pkg/kubelet/config/mux_test.go
@@ -20,11 +20,14 @@ import (
 	"context"
 	"reflect"
 	"testing"
+
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestConfigurationChannels(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx := ktesting.Init(t)
+	ctx = ktesting.WithCancel(ctx)
+	defer ctx.Cancel("TestConfigurationChannels completed")
 
 	mux := newMux(nil)
 	channelOne := mux.ChannelWithContext(ctx, "one")
@@ -43,7 +46,7 @@ type MergeMock struct {
 	t      *testing.T
 }
 
-func (m MergeMock) Merge(source string, update interface{}) error {
+func (m MergeMock) Merge(ctx context.Context, source string, update interface{}) error {
 	if m.source != source {
 		m.t.Errorf("Expected %s, Got %s", m.source, source)
 	}
@@ -54,8 +57,9 @@ func (m MergeMock) Merge(source string, update interface{}) error {
 }
 
 func TestMergeInvoked(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx := ktesting.Init(t)
+	ctx = ktesting.WithCancel(ctx)
+	defer ctx.Cancel("TestMergeInvoked completed")
 
 	merger := MergeMock{"one", "test", t}
 	mux := newMux(&merger)
@@ -63,18 +67,19 @@ func TestMergeInvoked(t *testing.T) {
 }
 
 // mergeFunc implements the Merger interface
-type mergeFunc func(source string, update interface{}) error
+type mergeFunc func(ctx context.Context, source string, update interface{}) error
 
-func (f mergeFunc) Merge(source string, update interface{}) error {
-	return f(source, update)
+func (f mergeFunc) Merge(ctx context.Context, source string, update interface{}) error {
+	return f(ctx, source, update)
 }
 
 func TestSimultaneousMerge(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	ctx := ktesting.Init(t)
+	ctx = ktesting.WithCancel(ctx)
+	defer ctx.Cancel("TestSimultaneousMerge completed")
 
 	ch := make(chan bool, 2)
-	mux := newMux(mergeFunc(func(source string, update interface{}) error {
+	mux := newMux(mergeFunc(func(ctx context.Context, source string, update interface{}) error {
 		switch source {
 		case "one":
 			if update.(string) != "test" {
diff --git a/pkg/kubelet/configmap/configmap_manager.go b/pkg/kubelet/configmap/configmap_manager.go
index 08bc9674668b1..822d08af685bf 100644
--- a/pkg/kubelet/configmap/configmap_manager.go
+++ b/pkg/kubelet/configmap/configmap_manager.go
@@ -23,6 +23,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	corev1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/util/manager"
@@ -151,8 +152,11 @@ func NewWatchingConfigMapManager(kubeClient clientset.Interface, resyncInterval
 		}
 		return false
 	}
+	listWatcherWithWatchListSemanticsWrapper := func(lw *cache.ListWatch) cache.ListerWatcher {
+		return cache.ToListWatcherWithWatchListSemantics(lw, kubeClient)
+	}
 	gr := corev1.Resource("configmap")
 	return &configMapManager{
-		manager: manager.NewWatchBasedManager(listConfigMap, watchConfigMap, newConfigMap, isImmutable, gr, resyncInterval, getConfigMapNames),
+		manager: manager.NewWatchBasedManager(listConfigMap, watchConfigMap, newConfigMap, isImmutable, listWatcherWithWatchListSemanticsWrapper, gr, resyncInterval, getConfigMapNames),
 	}
 }
diff --git a/pkg/kubelet/container/.mockery.yaml b/pkg/kubelet/container/.mockery.yaml
index 84489a0095f0e..b0209296dc4ac 100644
--- a/pkg/kubelet/container/.mockery.yaml
+++ b/pkg/kubelet/container/.mockery.yaml
@@ -1,18 +1,19 @@
 ---
 dir: testing
-filename: "mock_{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   io/fs:
+    config:
+      filename: mockdirentry.go
     interfaces:
-      DirEntry:
-        config:
-          filename: mockdirentry.go
+      DirEntry: {}
   k8s.io/kubernetes/pkg/kubelet/container:
+    config:
+      filename: mocks.go
     interfaces:
-      Runtime:
-        config:
-          filename: runtime_mock.go
-      RuntimeCache:
+      Runtime: {}
+      RuntimeCache: {}
diff --git a/pkg/kubelet/container/container_gc.go b/pkg/kubelet/container/container_gc.go
index b0a25d50058e8..92aad2cc6121f 100644
--- a/pkg/kubelet/container/container_gc.go
+++ b/pkg/kubelet/container/container_gc.go
@@ -83,6 +83,6 @@ func (cgc *realContainerGC) GarbageCollect(ctx context.Context) error {
 }
 
 func (cgc *realContainerGC) DeleteAllUnusedContainers(ctx context.Context) error {
-	klog.InfoS("Attempting to delete unused containers")
+	klog.FromContext(ctx).Info("Attempting to delete unused containers")
 	return cgc.runtime.GarbageCollect(ctx, cgc.policy, cgc.sourcesReadyProvider.AllReady(), true)
 }
diff --git a/pkg/kubelet/container/helpers.go b/pkg/kubelet/container/helpers.go
index 8e791d465a39d..ddafc82434c93 100644
--- a/pkg/kubelet/container/helpers.go
+++ b/pkg/kubelet/container/helpers.go
@@ -79,7 +79,7 @@ type RuntimeHelper interface {
 
 // ShouldContainerBeRestarted checks whether a container needs to be restarted.
 // TODO(yifan): Think about how to refactor this.
-func ShouldContainerBeRestarted(container *v1.Container, pod *v1.Pod, podStatus *PodStatus) bool {
+func ShouldContainerBeRestarted(logger klog.Logger, container *v1.Container, pod *v1.Pod, podStatus *PodStatus) bool {
 	// Once a pod has been marked deleted, it should not be restarted
 	if pod.DeletionTimestamp != nil {
 		return false
@@ -104,13 +104,78 @@ func ShouldContainerBeRestarted(container *v1.Container, pod *v1.Pod, podStatus
 		return podutil.ContainerShouldRestart(*container, pod.Spec, int32(status.ExitCode))
 	}
 	if pod.Spec.RestartPolicy == v1.RestartPolicyNever {
-		klog.V(4).InfoS("Already ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.V(4).Info("Already ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
 		return false
 	}
 	if pod.Spec.RestartPolicy == v1.RestartPolicyOnFailure {
 		// Check the exit code.
 		if status.ExitCode == 0 {
-			klog.V(4).InfoS("Already successfully ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
+			logger.V(4).Info("Already successfully ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
+			return false
+		}
+	}
+	return true
+}
+
+// ShouldAllContainersRestart checks if the pod should be restarted.
+// First checks whether the apiPodStatus has the AllContainersRestarting condition.
+// Then checks if any container from podStatus are exited with matching rules,
+// or any containers from apiPodStatus are exited with matching rules.
+func ShouldAllContainersRestart(pod *v1.Pod, podStatus *PodStatus, apiPodStatus *v1.PodStatus) bool {
+	if apiPodStatus != nil {
+		for _, cond := range apiPodStatus.Conditions {
+			if cond.Type == v1.AllContainersRestarting && cond.Status == v1.ConditionTrue {
+				return true
+			}
+		}
+	}
+
+	nameToAPIStatus := make(map[string]*v1.ContainerStatus)
+	if apiPodStatus != nil {
+		for i := range apiPodStatus.InitContainerStatuses {
+			nameToAPIStatus[apiPodStatus.InitContainerStatuses[i].Name] = &apiPodStatus.InitContainerStatuses[i]
+		}
+		for i := range apiPodStatus.ContainerStatuses {
+			nameToAPIStatus[apiPodStatus.ContainerStatuses[i].Name] = &apiPodStatus.ContainerStatuses[i]
+		}
+	}
+
+	for c := range podutil.ContainerIter(&pod.Spec, podutil.InitContainers|podutil.Containers) {
+		if c == nil {
+			continue
+		}
+		if podStatus != nil {
+			status := podStatus.FindContainerStatusByName(c.Name)
+			if status == nil || status.State != ContainerStateExited {
+				continue
+			}
+			exitCode := int32(status.ExitCode)
+			rule, ok := podutil.FindMatchingContainerRestartRule(*c, exitCode)
+			if ok && rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+		if apiPodStatus != nil {
+			apiStatus, ok := nameToAPIStatus[c.Name]
+			if !ok || apiStatus.State.Terminated == nil {
+				continue
+			}
+			exitCode := apiStatus.State.Terminated.ExitCode
+			rule, ok := podutil.FindMatchingContainerRestartRule(*c, exitCode)
+			if ok && rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// AllContainersRestartCleanedUp returns true if all containers are removed
+// from the runtime and podStatus.
+func AllContainersRestartCleanedUp(pod *v1.Pod, podStatus *PodStatus) bool {
+	for c := range podutil.ContainerIter(&pod.Spec, podutil.Containers|podutil.InitContainers) {
+		if podStatus.FindContainerStatusByName(c.Name) != nil {
 			return false
 		}
 	}
@@ -366,7 +431,7 @@ func AllContainersAreWindowsHostProcess(pod *v1.Pod) bool {
 }
 
 // MakePortMappings creates internal port mapping from api port mapping.
-func MakePortMappings(container *v1.Container) (ports []PortMapping) {
+func MakePortMappings(logger klog.Logger, container *v1.Container) (ports []PortMapping) {
 	names := make(map[string]struct{})
 	for _, p := range container.Ports {
 		pm := PortMapping{
@@ -395,7 +460,7 @@ func MakePortMappings(container *v1.Container) (ports []PortMapping) {
 
 		// Protect against a port name being used more than once in a container.
 		if _, ok := names[name]; ok {
-			klog.InfoS("Port name conflicted, it is defined more than once", "portName", name)
+			logger.Info("Port name conflicted, it is defined more than once", "portName", name)
 			continue
 		}
 		ports = append(ports, pm)
diff --git a/pkg/kubelet/container/helpers_test.go b/pkg/kubelet/container/helpers_test.go
index 80abe5b992006..1dc3064481442 100644
--- a/pkg/kubelet/container/helpers_test.go
+++ b/pkg/kubelet/container/helpers_test.go
@@ -29,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
@@ -394,6 +395,7 @@ func TestGetContainerSpec(t *testing.T) {
 }
 
 func TestShouldContainerBeRestarted(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			UID:       "12345678",
@@ -463,7 +465,7 @@ func TestShouldContainerBeRestarted(t *testing.T) {
 		for i, policy := range policies {
 			pod.Spec.RestartPolicy = policy
 			e := expected[c.Name][i]
-			r := ShouldContainerBeRestarted(&c, pod, podStatus)
+			r := ShouldContainerBeRestarted(logger, &c, pod, podStatus)
 			if r != e {
 				t.Errorf("Restart for container %q with restart policy %q expected %t, got %t",
 					c.Name, policy, e, r)
@@ -484,7 +486,7 @@ func TestShouldContainerBeRestarted(t *testing.T) {
 		for i, policy := range policies {
 			pod.Spec.RestartPolicy = policy
 			e := expected[c.Name][i]
-			r := ShouldContainerBeRestarted(&c, pod, podStatus)
+			r := ShouldContainerBeRestarted(logger, &c, pod, podStatus)
 			if r != e {
 				t.Errorf("Restart for container %q with restart policy %q expected %t, got %t",
 					c.Name, policy, e, r)
@@ -546,6 +548,7 @@ func TestHasPrivilegedContainer(t *testing.T) {
 }
 
 func TestMakePortMappings(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	port := func(name string, protocol v1.Protocol, containerPort, hostPort int32, ip string) v1.ContainerPort {
 		return v1.ContainerPort{
 			Name:          name,
@@ -635,7 +638,7 @@ func TestMakePortMappings(t *testing.T) {
 	}
 
 	for i, tt := range tests {
-		actual := MakePortMappings(tt.container)
+		actual := MakePortMappings(logger, tt.container)
 		assert.Equal(t, tt.expectedPortMappings, actual, "[%d]", i)
 	}
 }
@@ -1513,3 +1516,158 @@ func TestHasAnyRegularContainerStarted(t *testing.T) {
 		})
 	}
 }
+
+func TestShouldAllContainersRestart(t *testing.T) {
+	restartPolicyNever := v1.ContainerRestartPolicyNever
+	restartPolicyAlways := v1.ContainerRestartPolicyAlways
+	restartRuleRestartAllContainers := v1.ContainerRestartRule{
+		Action: v1.ContainerRestartRuleActionRestartAllContainers,
+		ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+			Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+			Values:   []int32{42},
+		},
+	}
+	RestartAllContainersCondition := v1.PodCondition{
+		Type:   v1.AllContainersRestarting,
+		Status: v1.ConditionTrue,
+	}
+
+	testcases := []struct {
+		name         string
+		pod          *v1.Pod
+		podStatus    *PodStatus
+		apiPodStatus *v1.PodStatus
+		expected     bool
+	}{
+		{
+			"pod marked with condition",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:          "regular",
+							RestartPolicy: &restartPolicyNever,
+						},
+					},
+				},
+			},
+			&PodStatus{
+				ContainerStatuses: []*Status{
+					{
+						Name:  "regular",
+						State: ContainerStateRunning,
+					},
+				},
+			},
+			&v1.PodStatus{
+				Conditions: []v1.PodCondition{RestartAllContainersCondition},
+			},
+			true,
+		},
+		{
+			"regular container exited with matching rules",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:               "regular",
+							RestartPolicy:      &restartPolicyNever,
+							RestartPolicyRules: []v1.ContainerRestartRule{restartRuleRestartAllContainers},
+						},
+					},
+				},
+			},
+			&PodStatus{
+				ContainerStatuses: []*Status{
+					{
+						Name:     "regular",
+						State:    ContainerStateExited,
+						ExitCode: 42,
+					},
+				},
+			},
+			nil,
+			true,
+		},
+		{
+			"init container exited with matching rules",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:               "init",
+							RestartPolicy:      &restartPolicyNever,
+							RestartPolicyRules: []v1.ContainerRestartRule{restartRuleRestartAllContainers},
+						},
+					},
+				},
+			},
+			&PodStatus{
+				ContainerStatuses: []*Status{
+					{
+						Name:     "init",
+						State:    ContainerStateExited,
+						ExitCode: 42,
+					},
+				},
+			},
+			nil,
+			true,
+		},
+		{
+			"sidecar container exited with matching rules",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:               "init",
+							RestartPolicy:      &restartPolicyAlways,
+							RestartPolicyRules: []v1.ContainerRestartRule{restartRuleRestartAllContainers},
+						},
+					},
+				},
+			},
+			&PodStatus{
+				ContainerStatuses: []*Status{
+					{
+						Name:     "init",
+						State:    ContainerStateExited,
+						ExitCode: 42,
+					},
+				},
+			},
+			nil,
+			true,
+		},
+		{
+			"container exited without rules",
+			&v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name: "regular",
+						},
+					},
+				},
+			},
+			&PodStatus{
+				ContainerStatuses: []*Status{
+					{
+						Name:     "regular",
+						State:    ContainerStateExited,
+						ExitCode: 1,
+					},
+				},
+			},
+			nil,
+			false,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			actual := ShouldAllContainersRestart(tc.pod, tc.podStatus, tc.apiPodStatus)
+			assert.Equal(t, tc.expected, actual, "ShouldAllContainersRestart(%v, %v)", tc.pod, tc.podStatus)
+		})
+	}
+}
diff --git a/pkg/kubelet/container/runtime.go b/pkg/kubelet/container/runtime.go
index a6e8fa9c880b8..46deb9da07b80 100644
--- a/pkg/kubelet/container/runtime.go
+++ b/pkg/kubelet/container/runtime.go
@@ -100,7 +100,7 @@ type Runtime interface {
 	// TODO: Revisit this method and make it cleaner.
 	GarbageCollect(ctx context.Context, gcPolicy GCPolicy, allSourcesReady bool, evictNonDeletedPods bool) error
 	// SyncPod syncs the running pod into the desired pod.
-	SyncPod(ctx context.Context, pod *v1.Pod, podStatus *PodStatus, pullSecrets []v1.Secret, backOff *flowcontrol.Backoff) PodSyncResult
+	SyncPod(ctx context.Context, pod *v1.Pod, podStatus *PodStatus, pullSecrets []v1.Secret, backOff *flowcontrol.Backoff, restartAllContainers bool) PodSyncResult
 	// KillPod kills all the containers of a pod. Pod may be nil, running pod must not be.
 	// TODO(random-liu): Return PodSyncResult in KillPod.
 	// gracePeriodOverride if specified allows the caller to override the pod default grace period.
@@ -138,10 +138,15 @@ type Runtime interface {
 	// ListPodSandboxMetrics retrieves the metrics for all pod sandboxes.
 	ListPodSandboxMetrics(ctx context.Context) ([]*runtimeapi.PodSandboxMetrics, error)
 	// GetContainerStatus returns the status for the container.
-	GetContainerStatus(ctx context.Context, id ContainerID) (*Status, error)
+	GetContainerStatus(ctx context.Context, podUID types.UID, id ContainerID) (*Status, error)
 	// GetContainerSwapBehavior reports whether a container could be swappable.
 	// This is used to decide whether to handle InPlacePodVerticalScaling for containers.
 	GetContainerSwapBehavior(pod *v1.Pod, container *v1.Container) kubelettypes.SwapBehavior
+	// IsPodResizeInProgress checks whether the given pod is in the process of resizing
+	// (allocated resources != actuated resources).
+	IsPodResizeInProgress(allocatedPod *v1.Pod, podStatus *PodStatus) bool
+	// UpdateActuatedPodLevelResources updates pod-level resources in actuatedState
+	UpdateActuatedPodLevelResources(actuatedPod *v1.Pod) error
 }
 
 // StreamingRuntime is the interface implemented by runtimes that handle the serving of the
@@ -235,7 +240,10 @@ func BuildContainerID(typ, ID string) ContainerID {
 func ParseContainerID(containerID string) ContainerID {
 	var id ContainerID
 	if err := id.ParseString(containerID); err != nil {
-		klog.ErrorS(err, "Parsing containerID failed")
+		// Use klog.TODO() because we currently do not have a proper logger to pass in.
+		// This should be replaced with an appropriate logger when refactoring this function to accept a logger parameter.
+		logger := klog.TODO()
+		logger.Error(err, "Parsing containerID failed")
 	}
 	return id
 }
diff --git a/pkg/kubelet/container/runtime_cache_fake.go b/pkg/kubelet/container/runtime_cache_fake.go
index 4a09b3be923d3..5a313478bfb8e 100644
--- a/pkg/kubelet/container/runtime_cache_fake.go
+++ b/pkg/kubelet/container/runtime_cache_fake.go
@@ -27,10 +27,10 @@ type TestRuntimeCache struct {
 }
 
 // UpdateCacheWithLock updates the cache with the lock.
-func (r *TestRuntimeCache) UpdateCacheWithLock() error {
+func (r *TestRuntimeCache) UpdateCacheWithLock(ctx context.Context) error {
 	r.Lock()
 	defer r.Unlock()
-	return r.updateCache(context.Background())
+	return r.updateCache(ctx)
 }
 
 // GetCachedPods returns the cached pods.
diff --git a/pkg/kubelet/container/runtime_cache_test.go b/pkg/kubelet/container/runtime_cache_test.go
index 84af1d561ef07..a7a0e3146f54b 100644
--- a/pkg/kubelet/container/runtime_cache_test.go
+++ b/pkg/kubelet/container/runtime_cache_test.go
@@ -17,13 +17,13 @@ limitations under the License.
 package container_test
 
 import (
-	"context"
 	"reflect"
 	"testing"
 	"time"
 
 	. "k8s.io/kubernetes/pkg/kubelet/container"
 	ctest "k8s.io/kubernetes/pkg/kubelet/container/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func comparePods(t *testing.T, expected []*ctest.FakePod, actual []*Pod) {
@@ -38,12 +38,12 @@ func comparePods(t *testing.T, expected []*ctest.FakePod, actual []*Pod) {
 }
 
 func TestGetPods(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	runtime := &ctest.FakeRuntime{}
 	expected := []*ctest.FakePod{{Pod: &Pod{ID: "1111"}}, {Pod: &Pod{ID: "2222"}}, {Pod: &Pod{ID: "3333"}}}
 	runtime.PodList = expected
 	cache := NewTestRuntimeCache(runtime)
-	actual, err := cache.GetPods(ctx)
+	actual, err := cache.GetPods(tCtx)
 	if err != nil {
 		t.Errorf("unexpected error %v", err)
 	}
@@ -52,26 +52,32 @@ func TestGetPods(t *testing.T) {
 }
 
 func TestForceUpdateIfOlder(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	runtime := &ctest.FakeRuntime{}
 	cache := NewTestRuntimeCache(runtime)
 
 	// Cache old pods.
 	oldpods := []*ctest.FakePod{{Pod: &Pod{ID: "1111"}}}
 	runtime.PodList = oldpods
-	cache.UpdateCacheWithLock()
+	if err := cache.UpdateCacheWithLock(tCtx); err != nil {
+		t.Errorf("unexpected error %v", err)
+	}
 
 	// Update the runtime to new pods.
 	newpods := []*ctest.FakePod{{Pod: &Pod{ID: "1111"}}, {Pod: &Pod{ID: "2222"}}, {Pod: &Pod{ID: "3333"}}}
 	runtime.PodList = newpods
 
 	// An older timestamp should not force an update.
-	cache.ForceUpdateIfOlder(ctx, time.Now().Add(-20*time.Minute))
+	if err := cache.ForceUpdateIfOlder(tCtx, time.Now().Add(-20*time.Minute)); err != nil {
+		t.Errorf("unexpected error %v", err)
+	}
 	actual := cache.GetCachedPods()
 	comparePods(t, oldpods, actual)
 
 	// A newer timestamp should force an update.
-	cache.ForceUpdateIfOlder(ctx, time.Now().Add(20*time.Second))
+	if err := cache.ForceUpdateIfOlder(tCtx, time.Now().Add(20*time.Second)); err != nil {
+		t.Errorf("unexpected error %v", err)
+	}
 	actual = cache.GetCachedPods()
 	comparePods(t, newpods, actual)
 }
diff --git a/pkg/kubelet/container/sync_result.go b/pkg/kubelet/container/sync_result.go
index b04456e531497..af5c67a42c0ae 100644
--- a/pkg/kubelet/container/sync_result.go
+++ b/pkg/kubelet/container/sync_result.go
@@ -19,10 +19,58 @@ package container
 import (
 	"errors"
 	"fmt"
+	"time"
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
+// BackoffError should be used whenever an error needs to specify a particular backoff duration
+// to the Kubelet.
+type BackoffError struct {
+	error
+	backoffTime time.Time
+}
+
+func NewBackoffError(err error, backoffTime time.Time) *BackoffError {
+	return &BackoffError{
+		error:       err,
+		backoffTime: backoffTime,
+	}
+}
+
+// BackoffTime returns the expected expiration time of the backoff.
+func (e *BackoffError) BackoffTime() time.Time {
+	return e.backoffTime
+}
+
+// MinBackoffExpiration recursively searches through err for BackoffErrors and returns
+// the minimum of all found backoff times.
+func MinBackoffExpiration(err error) (time.Time, bool) {
+	var ae utilerrors.Aggregate
+	var be *BackoffError
+	switch {
+	case errors.As(err, &be):
+		return be.BackoffTime(), true
+	case errors.As(err, &ae):
+		var min time.Time
+		found := false
+		for _, e := range ae.Errors() {
+			if backoff, ok := MinBackoffExpiration(e); ok {
+				if !found || backoff.Before(min) {
+					min = backoff
+					found = true
+				}
+			}
+		}
+		return min, found
+	default:
+		if e := errors.Unwrap(err); e != nil {
+			return MinBackoffExpiration(e)
+		}
+		return time.Time{}, false
+	}
+}
+
 // TODO(random-liu): We need to better organize runtime errors for introspection.
 
 // ErrCrashLoopBackOff returned when a container Terminated and Kubelet is backing off the restart.
@@ -47,6 +95,8 @@ var (
 	ErrKillPodSandbox = errors.New("KillPodSandboxError")
 	// ErrResizePodInPlace returned when runtime failed to resize a pod.
 	ErrResizePodInPlace = errors.New("ResizePodInPlaceError")
+	// ErrRemoveContainer returned when runtime failed to remove a container.
+	ErrRemoveContainer = errors.New("RemoveContainerError")
 )
 
 // SyncAction indicates different kind of actions in SyncPod() and KillPod(). Now there are only actions
@@ -72,6 +122,8 @@ const (
 	KillPodSandbox SyncAction = "KillPodSandbox"
 	// ResizePodInPlace action is included whenever any containers in the pod are resized without restart
 	ResizePodInPlace SyncAction = "ResizePodInPlace"
+	// RemoveContainer action
+	RemoveContainer SyncAction = "RemoveContainer"
 )
 
 // SyncResult is the result of sync action.
@@ -126,11 +178,11 @@ func (p *PodSyncResult) Fail(err error) {
 func (p *PodSyncResult) Error() error {
 	errlist := []error{}
 	if p.SyncError != nil {
-		errlist = append(errlist, fmt.Errorf("failed to SyncPod: %v", p.SyncError))
+		errlist = append(errlist, fmt.Errorf("failed to SyncPod: %w", p.SyncError))
 	}
 	for _, result := range p.SyncResults {
 		if result.Error != nil {
-			errlist = append(errlist, fmt.Errorf("failed to %q for %q with %v: %q", result.Action, result.Target,
+			errlist = append(errlist, fmt.Errorf("failed to %q for %q with %w: %q", result.Action, result.Target,
 				result.Error, result.Message))
 		}
 	}
diff --git a/pkg/kubelet/container/sync_result_test.go b/pkg/kubelet/container/sync_result_test.go
index d39283706e9ff..5ecc6d46eb0f3 100644
--- a/pkg/kubelet/container/sync_result_test.go
+++ b/pkg/kubelet/container/sync_result_test.go
@@ -18,7 +18,11 @@ package container
 
 import (
 	"errors"
+	"fmt"
 	"testing"
+	"time"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
 func TestPodSyncResult(t *testing.T) {
@@ -66,3 +70,165 @@ func TestPodSyncResult(t *testing.T) {
 		t.Errorf("PodSyncResult should be error: %v", result)
 	}
 }
+
+// myCustomError is a custom error type for testing.
+type myCustomError struct {
+	msg string
+}
+
+func (e *myCustomError) Error() string {
+	return e.msg
+}
+
+func TestPodSyncResultPreservesOriginalErrorType(t *testing.T) {
+	t.Run("with custom error in SyncResult", func(t *testing.T) {
+		customErr := &myCustomError{msg: "a special error"}
+		syncResult := NewSyncResult(KillContainer, "container_1")
+		syncResult.Fail(customErr, "a special message")
+		result := &PodSyncResult{
+			SyncResults: []*SyncResult{syncResult},
+		}
+
+		aggErr := result.Error()
+		if aggErr == nil {
+			t.Fatal("expected an aggregate error, but got nil")
+		}
+
+		var ae utilerrors.Aggregate
+		if !errors.As(aggErr, &ae) {
+			t.Fatalf("expected an aggregate error, but got %q", aggErr)
+		}
+		errs := ae.Errors()
+		foundCustomErr := false
+		for _, err := range errs {
+			var ce *myCustomError
+			if errors.As(err, &ce) && ce == customErr {
+				foundCustomErr = true
+			}
+		}
+		if !foundCustomErr {
+			t.Errorf("expected custom error not found in aggregate error. got %q, want %q", aggErr, customErr)
+		}
+	})
+
+	t.Run("with custom error in SyncError", func(t *testing.T) {
+		customErr := &myCustomError{msg: "a special sync error"}
+		result := &PodSyncResult{}
+		result.Fail(customErr)
+
+		aggErr := result.Error()
+		if aggErr == nil {
+			t.Fatal("expected an aggregate error for SyncError, but got nil")
+		}
+
+		var ae utilerrors.Aggregate
+		if !errors.As(aggErr, &ae) {
+			t.Fatalf("expected an aggregate error, but got %q", aggErr)
+		}
+		errs := ae.Errors()
+		foundCustomErr := false
+		for _, err := range errs {
+			var ce *myCustomError
+			if errors.As(err, &ce) && ce == customErr {
+				foundCustomErr = true
+			}
+		}
+		if !foundCustomErr {
+			t.Errorf("expected custom error not found in aggregate error. got %q, want %q", aggErr, customErr)
+		}
+	})
+}
+
+func TestMinBackoffExpiration(t *testing.T) {
+	now := time.Now()
+	testCases := []struct {
+		name            string
+		err             error
+		expectedBackoff time.Time
+		expectedFound   bool
+	}{
+		{
+			name:            "nil error",
+			err:             nil,
+			expectedBackoff: time.Time{},
+			expectedFound:   false,
+		},
+		{
+			name:            "simple error",
+			err:             errors.New("generic error"),
+			expectedBackoff: time.Time{},
+			expectedFound:   false,
+		},
+		{
+			name:            "BackoffError",
+			err:             NewBackoffError(errors.New("backoff"), now.Add(5*time.Second)),
+			expectedBackoff: now.Add(5 * time.Second),
+			expectedFound:   true,
+		},
+		{
+			name:            "wrapped BackoffError",
+			err:             fmt.Errorf("wrapped: %w", NewBackoffError(errors.New("backoff"), now.Add(3*time.Second))),
+			expectedBackoff: now.Add(3 * time.Second),
+			expectedFound:   true,
+		},
+		{
+			name:            "aggregate with no BackoffError",
+			err:             utilerrors.NewAggregate([]error{errors.New("err1"), errors.New("err2")}),
+			expectedBackoff: time.Time{},
+			expectedFound:   false,
+		},
+		{
+			name: "aggregate with one BackoffError",
+			err: utilerrors.NewAggregate([]error{
+				errors.New("err1"),
+				NewBackoffError(errors.New("backoff"), now.Add(7*time.Second)),
+			}),
+			expectedBackoff: now.Add(7 * time.Second),
+			expectedFound:   true,
+		},
+		{
+			name: "aggregate with multiple BackoffErrors, returns minimum",
+			err: utilerrors.NewAggregate([]error{
+				NewBackoffError(errors.New("backoff1"), now.Add(10*time.Second)),
+				NewBackoffError(errors.New("backoff2"), now.Add(3*time.Second)),
+				errors.New("err1"),
+				NewBackoffError(errors.New("backoff3"), now.Add(5*time.Second)),
+			}),
+			expectedBackoff: now.Add(3 * time.Second),
+			expectedFound:   true,
+		},
+		{
+			name: "wrapped aggregate with BackoffError",
+			err: fmt.Errorf("wrapped: %w", utilerrors.NewAggregate([]error{
+				NewBackoffError(errors.New("backoff1"), now.Add(10*time.Second)),
+				NewBackoffError(errors.New("backoff2"), now.Add(3*time.Second)),
+			})),
+			expectedBackoff: now.Add(3 * time.Second),
+			expectedFound:   true,
+		},
+		{
+			name: "nested aggregate with BackoffError",
+			err: utilerrors.NewAggregate([]error{
+				errors.New("err1"),
+				utilerrors.NewAggregate([]error{
+					NewBackoffError(errors.New("backoff nested"), now.Add(2*time.Second)),
+				}),
+				NewBackoffError(errors.New("backoff outer"), now.Add(4*time.Second)),
+			}),
+			expectedBackoff: now.Add(2 * time.Second),
+			expectedFound:   true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			backoff, found := MinBackoffExpiration(tc.err)
+			if found != tc.expectedFound {
+				t.Errorf("expected found=%t, got %t", tc.expectedFound, found)
+			}
+			if !backoff.Equal(tc.expectedBackoff) {
+				t.Errorf("expected backoff=%v, got %v", tc.expectedBackoff, backoff)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/container/testing/fake_cache.go b/pkg/kubelet/container/testing/fake_cache.go
index 457a941115359..ad20e7efca657 100644
--- a/pkg/kubelet/container/testing/fake_cache.go
+++ b/pkg/kubelet/container/testing/fake_cache.go
@@ -33,7 +33,7 @@ func NewFakeCache(runtime container.Runtime) container.Cache {
 }
 
 func (c *fakeCache) Get(id types.UID) (*container.PodStatus, error) {
-	return c.runtime.GetPodStatus(context.Background(), id, "", "")
+	return c.runtime.GetPodStatus(context.TODO(), id, "", "")
 }
 
 func (c *fakeCache) GetNewerThan(id types.UID, minTime time.Time) (*container.PodStatus, error) {
diff --git a/pkg/kubelet/container/testing/fake_runtime.go b/pkg/kubelet/container/testing/fake_runtime.go
index 9d7ef2191d70d..710c7f4d2bda7 100644
--- a/pkg/kubelet/container/testing/fake_runtime.go
+++ b/pkg/kubelet/container/testing/fake_runtime.go
@@ -46,33 +46,38 @@ type FakePod struct {
 // FakeRuntime is a fake container runtime for testing.
 type FakeRuntime struct {
 	sync.Mutex
-	CalledFunctions   []string
-	PodList           []*FakePod
-	AllPodList        []*FakePod
-	ImageList         []kubecontainer.Image
-	ImageFsStats      []*runtimeapi.FilesystemUsage
-	ContainerFsStats  []*runtimeapi.FilesystemUsage
-	APIPodStatus      v1.PodStatus
-	PodStatus         kubecontainer.PodStatus
-	StartedPods       []string
-	KilledPods        []string
-	StartedContainers []string
-	KilledContainers  []string
-	RuntimeStatus     *kubecontainer.RuntimeStatus
-	VersionInfo       string
-	APIVersionInfo    string
-	RuntimeType       string
-	SyncResults       *kubecontainer.PodSyncResult
-	Err               error
-	InspectErr        error
-	StatusErr         error
+	CalledFunctions     []string
+	PodList             []*FakePod
+	AllPodList          []*FakePod
+	ImageList           []kubecontainer.Image
+	ImageFsStats        []*runtimeapi.FilesystemUsage
+	ContainerFsStats    []*runtimeapi.FilesystemUsage
+	APIPodStatus        v1.PodStatus
+	PodStatus           kubecontainer.PodStatus
+	StartedPods         []string
+	KilledPods          []string
+	StartedContainers   []string
+	KilledContainers    []string
+	RuntimeStatus       *kubecontainer.RuntimeStatus
+	VersionInfo         string
+	APIVersionInfo      string
+	RuntimeType         string
+	PodResizeInProgress bool
+	SyncResults         *kubecontainer.PodSyncResult
+	Err                 error
+	InspectErr          error
+	StatusErr           error
 	// If BlockImagePulls is true, then all PullImage() calls will be blocked until
 	// UnblockImagePulls() is called. This is used to simulate image pull latency
 	// from container runtime.
 	BlockImagePulls      bool
 	imagePullTokenBucket chan bool
-	SwapBehavior         map[string]kubetypes.SwapBehavior
-	T                    TB
+	// imagePullErrBucket sends an error to a PullImage() call
+	// blocked by BlockImagePulls. This is used to simulate
+	// a failure in some of the parallel pull image calls.
+	imagePullErrBucket chan error
+	SwapBehavior       map[string]kubetypes.SwapBehavior
+	T                  TB
 }
 
 const FakeHost = "localhost:12345"
@@ -232,7 +237,7 @@ func (f *FakeRuntime) GetPods(_ context.Context, all bool) ([]*kubecontainer.Pod
 	return pods, f.Err
 }
 
-func (f *FakeRuntime) SyncPod(_ context.Context, pod *v1.Pod, _ *kubecontainer.PodStatus, _ []v1.Secret, backOff *flowcontrol.Backoff) (result kubecontainer.PodSyncResult) {
+func (f *FakeRuntime) SyncPod(_ context.Context, pod *v1.Pod, _ *kubecontainer.PodStatus, _ []v1.Secret, backOff *flowcontrol.Backoff, _ bool) (result kubecontainer.PodSyncResult) {
 	f.Lock()
 	defer f.Unlock()
 
@@ -318,6 +323,30 @@ func (f *FakeRuntime) GetContainerLogs(_ context.Context, pod *v1.Pod, container
 func (f *FakeRuntime) PullImage(ctx context.Context, image kubecontainer.ImageSpec, creds []credentialprovider.TrackedAuthConfig, podSandboxConfig *runtimeapi.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error) {
 	f.Lock()
 	f.CalledFunctions = append(f.CalledFunctions, "PullImage")
+
+	if f.imagePullTokenBucket == nil {
+		f.imagePullTokenBucket = make(chan bool, 1)
+	}
+	if f.imagePullErrBucket == nil {
+		f.imagePullErrBucket = make(chan error, 1)
+	}
+
+	blockImagePulls := f.BlockImagePulls
+	f.Unlock()
+
+	if blockImagePulls {
+		// Block the function before adding the image to f.ImageList
+		select {
+		case <-ctx.Done():
+		case <-f.imagePullTokenBucket:
+		case pullImageErr := <-f.imagePullErrBucket:
+			return "", nil, pullImageErr
+		}
+	}
+
+	f.Lock()
+	defer f.Unlock()
+
 	if f.Err == nil {
 		i := kubecontainer.Image{
 			ID:   image.Image,
@@ -332,23 +361,7 @@ func (f *FakeRuntime) PullImage(ctx context.Context, image kubecontainer.ImageSp
 		retCreds = &creds[0]
 	}
 
-	if !f.BlockImagePulls {
-		f.Unlock()
-		return image.Image, retCreds, f.Err
-	}
-
-	retErr := f.Err
-	if f.imagePullTokenBucket == nil {
-		f.imagePullTokenBucket = make(chan bool, 1)
-	}
-	// Unlock before waiting for UnblockImagePulls calls, to avoid deadlock.
-	f.Unlock()
-	select {
-	case <-ctx.Done():
-	case <-f.imagePullTokenBucket:
-	}
-
-	return image.Image, retCreds, retErr
+	return image.Image, retCreds, f.Err
 }
 
 // UnblockImagePulls unblocks a certain number of image pulls, if BlockImagePulls is true.
@@ -363,6 +376,17 @@ func (f *FakeRuntime) UnblockImagePulls(count int) {
 	}
 }
 
+// SendImagePullError sends an error to a PullImage() call blocked by BlockImagePulls.
+// PullImage() immediately returns after receiving the error.
+func (f *FakeRuntime) SendImagePullError(err error) {
+	if f.imagePullErrBucket != nil {
+		select {
+		case f.imagePullErrBucket <- err:
+		default:
+		}
+	}
+}
+
 func (f *FakeRuntime) GetImageRef(_ context.Context, image kubecontainer.ImageSpec) (string, error) {
 	f.Lock()
 	defer f.Unlock()
@@ -531,12 +555,12 @@ func (f *FakeContainerCommandRunner) RunInContainer(_ context.Context, container
 	return []byte(f.Stdout), f.Err
 }
 
-func (f *FakeRuntime) GetContainerStatus(_ context.Context, _ kubecontainer.ContainerID) (status *kubecontainer.Status, err error) {
+func (f *FakeRuntime) GetContainerStatus(_ context.Context, _ types.UID, _ kubecontainer.ContainerID) (status *kubecontainer.Status, err error) {
 	f.Lock()
 	defer f.Unlock()
 
 	f.CalledFunctions = append(f.CalledFunctions, "GetContainerStatus")
-	return nil, f.Err
+	return &kubecontainer.Status{}, f.Err
 }
 
 func (f *FakeRuntime) GetContainerSwapBehavior(pod *v1.Pod, container *v1.Container) kubetypes.SwapBehavior {
@@ -545,3 +569,11 @@ func (f *FakeRuntime) GetContainerSwapBehavior(pod *v1.Pod, container *v1.Contai
 	}
 	return kubetypes.NoSwap
 }
+
+func (f *FakeRuntime) IsPodResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) bool {
+	return f.PodResizeInProgress
+}
+
+func (f *FakeRuntime) UpdateActuatedPodLevelResources(allocatedPod *v1.Pod) error {
+	return nil
+}
diff --git a/pkg/kubelet/container/testing/mock_runtime_cache.go b/pkg/kubelet/container/testing/mock_runtime_cache.go
deleted file mode 100644
index fac6ffa311952..0000000000000
--- a/pkg/kubelet/container/testing/mock_runtime_cache.go
+++ /dev/null
@@ -1,161 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	context "context"
-
-	container "k8s.io/kubernetes/pkg/kubelet/container"
-
-	mock "github.com/stretchr/testify/mock"
-
-	time "time"
-)
-
-// MockRuntimeCache is an autogenerated mock type for the RuntimeCache type
-type MockRuntimeCache struct {
-	mock.Mock
-}
-
-type MockRuntimeCache_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockRuntimeCache) EXPECT() *MockRuntimeCache_Expecter {
-	return &MockRuntimeCache_Expecter{mock: &_m.Mock}
-}
-
-// ForceUpdateIfOlder provides a mock function with given fields: _a0, _a1
-func (_m *MockRuntimeCache) ForceUpdateIfOlder(_a0 context.Context, _a1 time.Time) error {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ForceUpdateIfOlder")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, time.Time) error); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntimeCache_ForceUpdateIfOlder_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ForceUpdateIfOlder'
-type MockRuntimeCache_ForceUpdateIfOlder_Call struct {
-	*mock.Call
-}
-
-// ForceUpdateIfOlder is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 time.Time
-func (_e *MockRuntimeCache_Expecter) ForceUpdateIfOlder(_a0 interface{}, _a1 interface{}) *MockRuntimeCache_ForceUpdateIfOlder_Call {
-	return &MockRuntimeCache_ForceUpdateIfOlder_Call{Call: _e.mock.On("ForceUpdateIfOlder", _a0, _a1)}
-}
-
-func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) Run(run func(_a0 context.Context, _a1 time.Time)) *MockRuntimeCache_ForceUpdateIfOlder_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(time.Time))
-	})
-	return _c
-}
-
-func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) Return(_a0 error) *MockRuntimeCache_ForceUpdateIfOlder_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) RunAndReturn(run func(context.Context, time.Time) error) *MockRuntimeCache_ForceUpdateIfOlder_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPods provides a mock function with given fields: _a0
-func (_m *MockRuntimeCache) GetPods(_a0 context.Context) ([]*container.Pod, error) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPods")
-	}
-
-	var r0 []*container.Pod
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]*container.Pod, error)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []*container.Pod); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*container.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntimeCache_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
-type MockRuntimeCache_GetPods_Call struct {
-	*mock.Call
-}
-
-// GetPods is a helper method to define mock.On call
-//   - _a0 context.Context
-func (_e *MockRuntimeCache_Expecter) GetPods(_a0 interface{}) *MockRuntimeCache_GetPods_Call {
-	return &MockRuntimeCache_GetPods_Call{Call: _e.mock.On("GetPods", _a0)}
-}
-
-func (_c *MockRuntimeCache_GetPods_Call) Run(run func(_a0 context.Context)) *MockRuntimeCache_GetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntimeCache_GetPods_Call) Return(_a0 []*container.Pod, _a1 error) *MockRuntimeCache_GetPods_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntimeCache_GetPods_Call) RunAndReturn(run func(context.Context) ([]*container.Pod, error)) *MockRuntimeCache_GetPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockRuntimeCache creates a new instance of MockRuntimeCache. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockRuntimeCache(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockRuntimeCache {
-	mock := &MockRuntimeCache{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/container/testing/mockdirentry.go b/pkg/kubelet/container/testing/mockdirentry.go
index 596f914614c26..a467ae7880ce8 100644
--- a/pkg/kubelet/container/testing/mockdirentry.go
+++ b/pkg/kubelet/container/testing/mockdirentry.go
@@ -14,16 +14,32 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by mockery v2.53.3. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
 
 package testing
 
 import (
-	fs "io/fs"
+	"io/fs"
 
 	mock "github.com/stretchr/testify/mock"
 )
 
+// NewMockDirEntry creates a new instance of MockDirEntry. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockDirEntry(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockDirEntry {
+	mock := &MockDirEntry{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
 // MockDirEntry is an autogenerated mock type for the DirEntry type
 type MockDirEntry struct {
 	mock.Mock
@@ -37,9 +53,9 @@ func (_m *MockDirEntry) EXPECT() *MockDirEntry_Expecter {
 	return &MockDirEntry_Expecter{mock: &_m.Mock}
 }
 
-// Info provides a mock function with no fields
-func (_m *MockDirEntry) Info() (fs.FileInfo, error) {
-	ret := _m.Called()
+// Info provides a mock function for the type MockDirEntry
+func (_mock *MockDirEntry) Info() (fs.FileInfo, error) {
+	ret := _mock.Called()
 
 	if len(ret) == 0 {
 		panic("no return value specified for Info")
@@ -47,23 +63,21 @@ func (_m *MockDirEntry) Info() (fs.FileInfo, error) {
 
 	var r0 fs.FileInfo
 	var r1 error
-	if rf, ok := ret.Get(0).(func() (fs.FileInfo, error)); ok {
-		return rf()
+	if returnFunc, ok := ret.Get(0).(func() (fs.FileInfo, error)); ok {
+		return returnFunc()
 	}
-	if rf, ok := ret.Get(0).(func() fs.FileInfo); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() fs.FileInfo); ok {
+		r0 = returnFunc()
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(fs.FileInfo)
 		}
 	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
 	} else {
 		r1 = ret.Error(1)
 	}
-
 	return r0, r1
 }
 
@@ -84,8 +98,8 @@ func (_c *MockDirEntry_Info_Call) Run(run func()) *MockDirEntry_Info_Call {
 	return _c
 }
 
-func (_c *MockDirEntry_Info_Call) Return(_a0 fs.FileInfo, _a1 error) *MockDirEntry_Info_Call {
-	_c.Call.Return(_a0, _a1)
+func (_c *MockDirEntry_Info_Call) Return(fileInfo fs.FileInfo, err error) *MockDirEntry_Info_Call {
+	_c.Call.Return(fileInfo, err)
 	return _c
 }
 
@@ -94,21 +108,20 @@ func (_c *MockDirEntry_Info_Call) RunAndReturn(run func() (fs.FileInfo, error))
 	return _c
 }
 
-// IsDir provides a mock function with no fields
-func (_m *MockDirEntry) IsDir() bool {
-	ret := _m.Called()
+// IsDir provides a mock function for the type MockDirEntry
+func (_mock *MockDirEntry) IsDir() bool {
+	ret := _mock.Called()
 
 	if len(ret) == 0 {
 		panic("no return value specified for IsDir")
 	}
 
 	var r0 bool
-	if rf, ok := ret.Get(0).(func() bool); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() bool); ok {
+		r0 = returnFunc()
 	} else {
 		r0 = ret.Get(0).(bool)
 	}
-
 	return r0
 }
 
@@ -129,8 +142,8 @@ func (_c *MockDirEntry_IsDir_Call) Run(run func()) *MockDirEntry_IsDir_Call {
 	return _c
 }
 
-func (_c *MockDirEntry_IsDir_Call) Return(_a0 bool) *MockDirEntry_IsDir_Call {
-	_c.Call.Return(_a0)
+func (_c *MockDirEntry_IsDir_Call) Return(b bool) *MockDirEntry_IsDir_Call {
+	_c.Call.Return(b)
 	return _c
 }
 
@@ -139,21 +152,20 @@ func (_c *MockDirEntry_IsDir_Call) RunAndReturn(run func() bool) *MockDirEntry_I
 	return _c
 }
 
-// Name provides a mock function with no fields
-func (_m *MockDirEntry) Name() string {
-	ret := _m.Called()
+// Name provides a mock function for the type MockDirEntry
+func (_mock *MockDirEntry) Name() string {
+	ret := _mock.Called()
 
 	if len(ret) == 0 {
 		panic("no return value specified for Name")
 	}
 
 	var r0 string
-	if rf, ok := ret.Get(0).(func() string); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
 	} else {
 		r0 = ret.Get(0).(string)
 	}
-
 	return r0
 }
 
@@ -174,8 +186,8 @@ func (_c *MockDirEntry_Name_Call) Run(run func()) *MockDirEntry_Name_Call {
 	return _c
 }
 
-func (_c *MockDirEntry_Name_Call) Return(_a0 string) *MockDirEntry_Name_Call {
-	_c.Call.Return(_a0)
+func (_c *MockDirEntry_Name_Call) Return(s string) *MockDirEntry_Name_Call {
+	_c.Call.Return(s)
 	return _c
 }
 
@@ -184,21 +196,20 @@ func (_c *MockDirEntry_Name_Call) RunAndReturn(run func() string) *MockDirEntry_
 	return _c
 }
 
-// Type provides a mock function with no fields
-func (_m *MockDirEntry) Type() fs.FileMode {
-	ret := _m.Called()
+// Type provides a mock function for the type MockDirEntry
+func (_mock *MockDirEntry) Type() fs.FileMode {
+	ret := _mock.Called()
 
 	if len(ret) == 0 {
 		panic("no return value specified for Type")
 	}
 
 	var r0 fs.FileMode
-	if rf, ok := ret.Get(0).(func() fs.FileMode); ok {
-		r0 = rf()
+	if returnFunc, ok := ret.Get(0).(func() fs.FileMode); ok {
+		r0 = returnFunc()
 	} else {
 		r0 = ret.Get(0).(fs.FileMode)
 	}
-
 	return r0
 }
 
@@ -219,8 +230,8 @@ func (_c *MockDirEntry_Type_Call) Run(run func()) *MockDirEntry_Type_Call {
 	return _c
 }
 
-func (_c *MockDirEntry_Type_Call) Return(_a0 fs.FileMode) *MockDirEntry_Type_Call {
-	_c.Call.Return(_a0)
+func (_c *MockDirEntry_Type_Call) Return(fileMode fs.FileMode) *MockDirEntry_Type_Call {
+	_c.Call.Return(fileMode)
 	return _c
 }
 
@@ -228,17 +239,3 @@ func (_c *MockDirEntry_Type_Call) RunAndReturn(run func() fs.FileMode) *MockDirE
 	_c.Call.Return(run)
 	return _c
 }
-
-// NewMockDirEntry creates a new instance of MockDirEntry. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockDirEntry(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockDirEntry {
-	mock := &MockDirEntry{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/container/testing/mocks.go b/pkg/kubelet/container/testing/mocks.go
new file mode 100644
index 0000000000000..0730274372f40
--- /dev/null
+++ b/pkg/kubelet/container/testing/mocks.go
@@ -0,0 +1,1928 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	"context"
+	"io"
+	"time"
+
+	mock "github.com/stretchr/testify/mock"
+	v10 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/flowcontrol"
+	"k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/credentialprovider"
+	"k8s.io/kubernetes/pkg/kubelet/container"
+	types0 "k8s.io/kubernetes/pkg/kubelet/types"
+)
+
+// NewMockRuntime creates a new instance of MockRuntime. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockRuntime(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockRuntime {
+	mock := &MockRuntime{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockRuntime is an autogenerated mock type for the Runtime type
+type MockRuntime struct {
+	mock.Mock
+}
+
+type MockRuntime_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockRuntime) EXPECT() *MockRuntime_Expecter {
+	return &MockRuntime_Expecter{mock: &_m.Mock}
+}
+
+// APIVersion provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) APIVersion() (container.Version, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for APIVersion")
+	}
+
+	var r0 container.Version
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (container.Version, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() container.Version); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(container.Version)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_APIVersion_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'APIVersion'
+type MockRuntime_APIVersion_Call struct {
+	*mock.Call
+}
+
+// APIVersion is a helper method to define mock.On call
+func (_e *MockRuntime_Expecter) APIVersion() *MockRuntime_APIVersion_Call {
+	return &MockRuntime_APIVersion_Call{Call: _e.mock.On("APIVersion")}
+}
+
+func (_c *MockRuntime_APIVersion_Call) Run(run func()) *MockRuntime_APIVersion_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockRuntime_APIVersion_Call) Return(version container.Version, err error) *MockRuntime_APIVersion_Call {
+	_c.Call.Return(version, err)
+	return _c
+}
+
+func (_c *MockRuntime_APIVersion_Call) RunAndReturn(run func() (container.Version, error)) *MockRuntime_APIVersion_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// CheckpointContainer provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) CheckpointContainer(ctx context.Context, options *v1.CheckpointContainerRequest) error {
+	ret := _mock.Called(ctx, options)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CheckpointContainer")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1.CheckpointContainerRequest) error); ok {
+		r0 = returnFunc(ctx, options)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_CheckpointContainer_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CheckpointContainer'
+type MockRuntime_CheckpointContainer_Call struct {
+	*mock.Call
+}
+
+// CheckpointContainer is a helper method to define mock.On call
+//   - ctx context.Context
+//   - options *v1.CheckpointContainerRequest
+func (_e *MockRuntime_Expecter) CheckpointContainer(ctx interface{}, options interface{}) *MockRuntime_CheckpointContainer_Call {
+	return &MockRuntime_CheckpointContainer_Call{Call: _e.mock.On("CheckpointContainer", ctx, options)}
+}
+
+func (_c *MockRuntime_CheckpointContainer_Call) Run(run func(ctx context.Context, options *v1.CheckpointContainerRequest)) *MockRuntime_CheckpointContainer_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1.CheckpointContainerRequest
+		if args[1] != nil {
+			arg1 = args[1].(*v1.CheckpointContainerRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_CheckpointContainer_Call) Return(err error) *MockRuntime_CheckpointContainer_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_CheckpointContainer_Call) RunAndReturn(run func(ctx context.Context, options *v1.CheckpointContainerRequest) error) *MockRuntime_CheckpointContainer_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteContainer provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) DeleteContainer(ctx context.Context, containerID container.ContainerID) error {
+	ret := _mock.Called(ctx, containerID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteContainer")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ContainerID) error); ok {
+		r0 = returnFunc(ctx, containerID)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_DeleteContainer_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteContainer'
+type MockRuntime_DeleteContainer_Call struct {
+	*mock.Call
+}
+
+// DeleteContainer is a helper method to define mock.On call
+//   - ctx context.Context
+//   - containerID container.ContainerID
+func (_e *MockRuntime_Expecter) DeleteContainer(ctx interface{}, containerID interface{}) *MockRuntime_DeleteContainer_Call {
+	return &MockRuntime_DeleteContainer_Call{Call: _e.mock.On("DeleteContainer", ctx, containerID)}
+}
+
+func (_c *MockRuntime_DeleteContainer_Call) Run(run func(ctx context.Context, containerID container.ContainerID)) *MockRuntime_DeleteContainer_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.ContainerID
+		if args[1] != nil {
+			arg1 = args[1].(container.ContainerID)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_DeleteContainer_Call) Return(err error) *MockRuntime_DeleteContainer_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_DeleteContainer_Call) RunAndReturn(run func(ctx context.Context, containerID container.ContainerID) error) *MockRuntime_DeleteContainer_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GarbageCollect provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GarbageCollect(ctx context.Context, gcPolicy container.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool) error {
+	ret := _mock.Called(ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GarbageCollect")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.GCPolicy, bool, bool) error); ok {
+		r0 = returnFunc(ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_GarbageCollect_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GarbageCollect'
+type MockRuntime_GarbageCollect_Call struct {
+	*mock.Call
+}
+
+// GarbageCollect is a helper method to define mock.On call
+//   - ctx context.Context
+//   - gcPolicy container.GCPolicy
+//   - allSourcesReady bool
+//   - evictNonDeletedPods bool
+func (_e *MockRuntime_Expecter) GarbageCollect(ctx interface{}, gcPolicy interface{}, allSourcesReady interface{}, evictNonDeletedPods interface{}) *MockRuntime_GarbageCollect_Call {
+	return &MockRuntime_GarbageCollect_Call{Call: _e.mock.On("GarbageCollect", ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)}
+}
+
+func (_c *MockRuntime_GarbageCollect_Call) Run(run func(ctx context.Context, gcPolicy container.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool)) *MockRuntime_GarbageCollect_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.GCPolicy
+		if args[1] != nil {
+			arg1 = args[1].(container.GCPolicy)
+		}
+		var arg2 bool
+		if args[2] != nil {
+			arg2 = args[2].(bool)
+		}
+		var arg3 bool
+		if args[3] != nil {
+			arg3 = args[3].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GarbageCollect_Call) Return(err error) *MockRuntime_GarbageCollect_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_GarbageCollect_Call) RunAndReturn(run func(ctx context.Context, gcPolicy container.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool) error) *MockRuntime_GarbageCollect_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GeneratePodStatus provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GeneratePodStatus(event *v1.ContainerEventResponse) *container.PodStatus {
+	ret := _mock.Called(event)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GeneratePodStatus")
+	}
+
+	var r0 *container.PodStatus
+	if returnFunc, ok := ret.Get(0).(func(*v1.ContainerEventResponse) *container.PodStatus); ok {
+		r0 = returnFunc(event)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.PodStatus)
+		}
+	}
+	return r0
+}
+
+// MockRuntime_GeneratePodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GeneratePodStatus'
+type MockRuntime_GeneratePodStatus_Call struct {
+	*mock.Call
+}
+
+// GeneratePodStatus is a helper method to define mock.On call
+//   - event *v1.ContainerEventResponse
+func (_e *MockRuntime_Expecter) GeneratePodStatus(event interface{}) *MockRuntime_GeneratePodStatus_Call {
+	return &MockRuntime_GeneratePodStatus_Call{Call: _e.mock.On("GeneratePodStatus", event)}
+}
+
+func (_c *MockRuntime_GeneratePodStatus_Call) Run(run func(event *v1.ContainerEventResponse)) *MockRuntime_GeneratePodStatus_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.ContainerEventResponse
+		if args[0] != nil {
+			arg0 = args[0].(*v1.ContainerEventResponse)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GeneratePodStatus_Call) Return(podStatus *container.PodStatus) *MockRuntime_GeneratePodStatus_Call {
+	_c.Call.Return(podStatus)
+	return _c
+}
+
+func (_c *MockRuntime_GeneratePodStatus_Call) RunAndReturn(run func(event *v1.ContainerEventResponse) *container.PodStatus) *MockRuntime_GeneratePodStatus_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetContainerLogs provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetContainerLogs(ctx context.Context, pod *v10.Pod, containerID container.ContainerID, logOptions *v10.PodLogOptions, stdout io.Writer, stderr io.Writer) error {
+	ret := _mock.Called(ctx, pod, containerID, logOptions, stdout, stderr)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetContainerLogs")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v10.Pod, container.ContainerID, *v10.PodLogOptions, io.Writer, io.Writer) error); ok {
+		r0 = returnFunc(ctx, pod, containerID, logOptions, stdout, stderr)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_GetContainerLogs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerLogs'
+type MockRuntime_GetContainerLogs_Call struct {
+	*mock.Call
+}
+
+// GetContainerLogs is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pod *v10.Pod
+//   - containerID container.ContainerID
+//   - logOptions *v10.PodLogOptions
+//   - stdout io.Writer
+//   - stderr io.Writer
+func (_e *MockRuntime_Expecter) GetContainerLogs(ctx interface{}, pod interface{}, containerID interface{}, logOptions interface{}, stdout interface{}, stderr interface{}) *MockRuntime_GetContainerLogs_Call {
+	return &MockRuntime_GetContainerLogs_Call{Call: _e.mock.On("GetContainerLogs", ctx, pod, containerID, logOptions, stdout, stderr)}
+}
+
+func (_c *MockRuntime_GetContainerLogs_Call) Run(run func(ctx context.Context, pod *v10.Pod, containerID container.ContainerID, logOptions *v10.PodLogOptions, stdout io.Writer, stderr io.Writer)) *MockRuntime_GetContainerLogs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v10.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v10.Pod)
+		}
+		var arg2 container.ContainerID
+		if args[2] != nil {
+			arg2 = args[2].(container.ContainerID)
+		}
+		var arg3 *v10.PodLogOptions
+		if args[3] != nil {
+			arg3 = args[3].(*v10.PodLogOptions)
+		}
+		var arg4 io.Writer
+		if args[4] != nil {
+			arg4 = args[4].(io.Writer)
+		}
+		var arg5 io.Writer
+		if args[5] != nil {
+			arg5 = args[5].(io.Writer)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+			arg4,
+			arg5,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerLogs_Call) Return(err error) *MockRuntime_GetContainerLogs_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerLogs_Call) RunAndReturn(run func(ctx context.Context, pod *v10.Pod, containerID container.ContainerID, logOptions *v10.PodLogOptions, stdout io.Writer, stderr io.Writer) error) *MockRuntime_GetContainerLogs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetContainerStatus provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetContainerStatus(ctx context.Context, podUID types.UID, id container.ContainerID) (*container.Status, error) {
+	ret := _mock.Called(ctx, podUID, id)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetContainerStatus")
+	}
+
+	var r0 *container.Status
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, types.UID, container.ContainerID) (*container.Status, error)); ok {
+		return returnFunc(ctx, podUID, id)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, types.UID, container.ContainerID) *container.Status); ok {
+		r0 = returnFunc(ctx, podUID, id)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.Status)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, types.UID, container.ContainerID) error); ok {
+		r1 = returnFunc(ctx, podUID, id)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_GetContainerStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerStatus'
+type MockRuntime_GetContainerStatus_Call struct {
+	*mock.Call
+}
+
+// GetContainerStatus is a helper method to define mock.On call
+//   - ctx context.Context
+//   - podUID types.UID
+//   - id container.ContainerID
+func (_e *MockRuntime_Expecter) GetContainerStatus(ctx interface{}, podUID interface{}, id interface{}) *MockRuntime_GetContainerStatus_Call {
+	return &MockRuntime_GetContainerStatus_Call{Call: _e.mock.On("GetContainerStatus", ctx, podUID, id)}
+}
+
+func (_c *MockRuntime_GetContainerStatus_Call) Run(run func(ctx context.Context, podUID types.UID, id container.ContainerID)) *MockRuntime_GetContainerStatus_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 types.UID
+		if args[1] != nil {
+			arg1 = args[1].(types.UID)
+		}
+		var arg2 container.ContainerID
+		if args[2] != nil {
+			arg2 = args[2].(container.ContainerID)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerStatus_Call) Return(status *container.Status, err error) *MockRuntime_GetContainerStatus_Call {
+	_c.Call.Return(status, err)
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerStatus_Call) RunAndReturn(run func(ctx context.Context, podUID types.UID, id container.ContainerID) (*container.Status, error)) *MockRuntime_GetContainerStatus_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetContainerSwapBehavior provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetContainerSwapBehavior(pod *v10.Pod, container1 *v10.Container) types0.SwapBehavior {
+	ret := _mock.Called(pod, container1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetContainerSwapBehavior")
+	}
+
+	var r0 types0.SwapBehavior
+	if returnFunc, ok := ret.Get(0).(func(*v10.Pod, *v10.Container) types0.SwapBehavior); ok {
+		r0 = returnFunc(pod, container1)
+	} else {
+		r0 = ret.Get(0).(types0.SwapBehavior)
+	}
+	return r0
+}
+
+// MockRuntime_GetContainerSwapBehavior_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerSwapBehavior'
+type MockRuntime_GetContainerSwapBehavior_Call struct {
+	*mock.Call
+}
+
+// GetContainerSwapBehavior is a helper method to define mock.On call
+//   - pod *v10.Pod
+//   - container1 *v10.Container
+func (_e *MockRuntime_Expecter) GetContainerSwapBehavior(pod interface{}, container1 interface{}) *MockRuntime_GetContainerSwapBehavior_Call {
+	return &MockRuntime_GetContainerSwapBehavior_Call{Call: _e.mock.On("GetContainerSwapBehavior", pod, container1)}
+}
+
+func (_c *MockRuntime_GetContainerSwapBehavior_Call) Run(run func(pod *v10.Pod, container1 *v10.Container)) *MockRuntime_GetContainerSwapBehavior_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v10.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v10.Pod)
+		}
+		var arg1 *v10.Container
+		if args[1] != nil {
+			arg1 = args[1].(*v10.Container)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerSwapBehavior_Call) Return(swapBehavior types0.SwapBehavior) *MockRuntime_GetContainerSwapBehavior_Call {
+	_c.Call.Return(swapBehavior)
+	return _c
+}
+
+func (_c *MockRuntime_GetContainerSwapBehavior_Call) RunAndReturn(run func(pod *v10.Pod, container1 *v10.Container) types0.SwapBehavior) *MockRuntime_GetContainerSwapBehavior_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetImageRef provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetImageRef(ctx context.Context, image container.ImageSpec) (string, error) {
+	ret := _mock.Called(ctx, image)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetImageRef")
+	}
+
+	var r0 string
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec) (string, error)); ok {
+		return returnFunc(ctx, image)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec) string); ok {
+		r0 = returnFunc(ctx, image)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, container.ImageSpec) error); ok {
+		r1 = returnFunc(ctx, image)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_GetImageRef_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetImageRef'
+type MockRuntime_GetImageRef_Call struct {
+	*mock.Call
+}
+
+// GetImageRef is a helper method to define mock.On call
+//   - ctx context.Context
+//   - image container.ImageSpec
+func (_e *MockRuntime_Expecter) GetImageRef(ctx interface{}, image interface{}) *MockRuntime_GetImageRef_Call {
+	return &MockRuntime_GetImageRef_Call{Call: _e.mock.On("GetImageRef", ctx, image)}
+}
+
+func (_c *MockRuntime_GetImageRef_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_GetImageRef_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.ImageSpec
+		if args[1] != nil {
+			arg1 = args[1].(container.ImageSpec)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetImageRef_Call) Return(s string, err error) *MockRuntime_GetImageRef_Call {
+	_c.Call.Return(s, err)
+	return _c
+}
+
+func (_c *MockRuntime_GetImageRef_Call) RunAndReturn(run func(ctx context.Context, image container.ImageSpec) (string, error)) *MockRuntime_GetImageRef_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetImageSize provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetImageSize(ctx context.Context, image container.ImageSpec) (uint64, error) {
+	ret := _mock.Called(ctx, image)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetImageSize")
+	}
+
+	var r0 uint64
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec) (uint64, error)); ok {
+		return returnFunc(ctx, image)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec) uint64); ok {
+		r0 = returnFunc(ctx, image)
+	} else {
+		r0 = ret.Get(0).(uint64)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, container.ImageSpec) error); ok {
+		r1 = returnFunc(ctx, image)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_GetImageSize_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetImageSize'
+type MockRuntime_GetImageSize_Call struct {
+	*mock.Call
+}
+
+// GetImageSize is a helper method to define mock.On call
+//   - ctx context.Context
+//   - image container.ImageSpec
+func (_e *MockRuntime_Expecter) GetImageSize(ctx interface{}, image interface{}) *MockRuntime_GetImageSize_Call {
+	return &MockRuntime_GetImageSize_Call{Call: _e.mock.On("GetImageSize", ctx, image)}
+}
+
+func (_c *MockRuntime_GetImageSize_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_GetImageSize_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.ImageSpec
+		if args[1] != nil {
+			arg1 = args[1].(container.ImageSpec)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetImageSize_Call) Return(v uint64, err error) *MockRuntime_GetImageSize_Call {
+	_c.Call.Return(v, err)
+	return _c
+}
+
+func (_c *MockRuntime_GetImageSize_Call) RunAndReturn(run func(ctx context.Context, image container.ImageSpec) (uint64, error)) *MockRuntime_GetImageSize_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodStatus provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetPodStatus(ctx context.Context, uid types.UID, name string, namespace string) (*container.PodStatus, error) {
+	ret := _mock.Called(ctx, uid, name, namespace)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodStatus")
+	}
+
+	var r0 *container.PodStatus
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, types.UID, string, string) (*container.PodStatus, error)); ok {
+		return returnFunc(ctx, uid, name, namespace)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, types.UID, string, string) *container.PodStatus); ok {
+		r0 = returnFunc(ctx, uid, name, namespace)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.PodStatus)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, types.UID, string, string) error); ok {
+		r1 = returnFunc(ctx, uid, name, namespace)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_GetPodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodStatus'
+type MockRuntime_GetPodStatus_Call struct {
+	*mock.Call
+}
+
+// GetPodStatus is a helper method to define mock.On call
+//   - ctx context.Context
+//   - uid types.UID
+//   - name string
+//   - namespace string
+func (_e *MockRuntime_Expecter) GetPodStatus(ctx interface{}, uid interface{}, name interface{}, namespace interface{}) *MockRuntime_GetPodStatus_Call {
+	return &MockRuntime_GetPodStatus_Call{Call: _e.mock.On("GetPodStatus", ctx, uid, name, namespace)}
+}
+
+func (_c *MockRuntime_GetPodStatus_Call) Run(run func(ctx context.Context, uid types.UID, name string, namespace string)) *MockRuntime_GetPodStatus_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 types.UID
+		if args[1] != nil {
+			arg1 = args[1].(types.UID)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		var arg3 string
+		if args[3] != nil {
+			arg3 = args[3].(string)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetPodStatus_Call) Return(podStatus *container.PodStatus, err error) *MockRuntime_GetPodStatus_Call {
+	_c.Call.Return(podStatus, err)
+	return _c
+}
+
+func (_c *MockRuntime_GetPodStatus_Call) RunAndReturn(run func(ctx context.Context, uid types.UID, name string, namespace string) (*container.PodStatus, error)) *MockRuntime_GetPodStatus_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPods provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) GetPods(ctx context.Context, all bool) ([]*container.Pod, error) {
+	ret := _mock.Called(ctx, all)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPods")
+	}
+
+	var r0 []*container.Pod
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, bool) ([]*container.Pod, error)); ok {
+		return returnFunc(ctx, all)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, bool) []*container.Pod); ok {
+		r0 = returnFunc(ctx, all)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*container.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, bool) error); ok {
+		r1 = returnFunc(ctx, all)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
+type MockRuntime_GetPods_Call struct {
+	*mock.Call
+}
+
+// GetPods is a helper method to define mock.On call
+//   - ctx context.Context
+//   - all bool
+func (_e *MockRuntime_Expecter) GetPods(ctx interface{}, all interface{}) *MockRuntime_GetPods_Call {
+	return &MockRuntime_GetPods_Call{Call: _e.mock.On("GetPods", ctx, all)}
+}
+
+func (_c *MockRuntime_GetPods_Call) Run(run func(ctx context.Context, all bool)) *MockRuntime_GetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 bool
+		if args[1] != nil {
+			arg1 = args[1].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_GetPods_Call) Return(pods []*container.Pod, err error) *MockRuntime_GetPods_Call {
+	_c.Call.Return(pods, err)
+	return _c
+}
+
+func (_c *MockRuntime_GetPods_Call) RunAndReturn(run func(ctx context.Context, all bool) ([]*container.Pod, error)) *MockRuntime_GetPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ImageFsInfo provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) ImageFsInfo(ctx context.Context) (*v1.ImageFsInfoResponse, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ImageFsInfo")
+	}
+
+	var r0 *v1.ImageFsInfoResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*v1.ImageFsInfoResponse, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *v1.ImageFsInfoResponse); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.ImageFsInfoResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_ImageFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageFsInfo'
+type MockRuntime_ImageFsInfo_Call struct {
+	*mock.Call
+}
+
+// ImageFsInfo is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) ImageFsInfo(ctx interface{}) *MockRuntime_ImageFsInfo_Call {
+	return &MockRuntime_ImageFsInfo_Call{Call: _e.mock.On("ImageFsInfo", ctx)}
+}
+
+func (_c *MockRuntime_ImageFsInfo_Call) Run(run func(ctx context.Context)) *MockRuntime_ImageFsInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_ImageFsInfo_Call) Return(imageFsInfoResponse *v1.ImageFsInfoResponse, err error) *MockRuntime_ImageFsInfo_Call {
+	_c.Call.Return(imageFsInfoResponse, err)
+	return _c
+}
+
+func (_c *MockRuntime_ImageFsInfo_Call) RunAndReturn(run func(ctx context.Context) (*v1.ImageFsInfoResponse, error)) *MockRuntime_ImageFsInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ImageStats provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) ImageStats(ctx context.Context) (*container.ImageStats, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ImageStats")
+	}
+
+	var r0 *container.ImageStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*container.ImageStats, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *container.ImageStats); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.ImageStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_ImageStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageStats'
+type MockRuntime_ImageStats_Call struct {
+	*mock.Call
+}
+
+// ImageStats is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) ImageStats(ctx interface{}) *MockRuntime_ImageStats_Call {
+	return &MockRuntime_ImageStats_Call{Call: _e.mock.On("ImageStats", ctx)}
+}
+
+func (_c *MockRuntime_ImageStats_Call) Run(run func(ctx context.Context)) *MockRuntime_ImageStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_ImageStats_Call) Return(imageStats *container.ImageStats, err error) *MockRuntime_ImageStats_Call {
+	_c.Call.Return(imageStats, err)
+	return _c
+}
+
+func (_c *MockRuntime_ImageStats_Call) RunAndReturn(run func(ctx context.Context) (*container.ImageStats, error)) *MockRuntime_ImageStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IsPodResizeInProgress provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) IsPodResizeInProgress(allocatedPod *v10.Pod, podStatus *container.PodStatus) bool {
+	ret := _mock.Called(allocatedPod, podStatus)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsPodResizeInProgress")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*v10.Pod, *container.PodStatus) bool); ok {
+		r0 = returnFunc(allocatedPod, podStatus)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockRuntime_IsPodResizeInProgress_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsPodResizeInProgress'
+type MockRuntime_IsPodResizeInProgress_Call struct {
+	*mock.Call
+}
+
+// IsPodResizeInProgress is a helper method to define mock.On call
+//   - allocatedPod *v10.Pod
+//   - podStatus *container.PodStatus
+func (_e *MockRuntime_Expecter) IsPodResizeInProgress(allocatedPod interface{}, podStatus interface{}) *MockRuntime_IsPodResizeInProgress_Call {
+	return &MockRuntime_IsPodResizeInProgress_Call{Call: _e.mock.On("IsPodResizeInProgress", allocatedPod, podStatus)}
+}
+
+func (_c *MockRuntime_IsPodResizeInProgress_Call) Run(run func(allocatedPod *v10.Pod, podStatus *container.PodStatus)) *MockRuntime_IsPodResizeInProgress_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v10.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v10.Pod)
+		}
+		var arg1 *container.PodStatus
+		if args[1] != nil {
+			arg1 = args[1].(*container.PodStatus)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_IsPodResizeInProgress_Call) Return(b bool) *MockRuntime_IsPodResizeInProgress_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockRuntime_IsPodResizeInProgress_Call) RunAndReturn(run func(allocatedPod *v10.Pod, podStatus *container.PodStatus) bool) *MockRuntime_IsPodResizeInProgress_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// KillPod provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) KillPod(ctx context.Context, pod *v10.Pod, runningPod container.Pod, gracePeriodOverride *int64) error {
+	ret := _mock.Called(ctx, pod, runningPod, gracePeriodOverride)
+
+	if len(ret) == 0 {
+		panic("no return value specified for KillPod")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v10.Pod, container.Pod, *int64) error); ok {
+		r0 = returnFunc(ctx, pod, runningPod, gracePeriodOverride)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_KillPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'KillPod'
+type MockRuntime_KillPod_Call struct {
+	*mock.Call
+}
+
+// KillPod is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pod *v10.Pod
+//   - runningPod container.Pod
+//   - gracePeriodOverride *int64
+func (_e *MockRuntime_Expecter) KillPod(ctx interface{}, pod interface{}, runningPod interface{}, gracePeriodOverride interface{}) *MockRuntime_KillPod_Call {
+	return &MockRuntime_KillPod_Call{Call: _e.mock.On("KillPod", ctx, pod, runningPod, gracePeriodOverride)}
+}
+
+func (_c *MockRuntime_KillPod_Call) Run(run func(ctx context.Context, pod *v10.Pod, runningPod container.Pod, gracePeriodOverride *int64)) *MockRuntime_KillPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v10.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v10.Pod)
+		}
+		var arg2 container.Pod
+		if args[2] != nil {
+			arg2 = args[2].(container.Pod)
+		}
+		var arg3 *int64
+		if args[3] != nil {
+			arg3 = args[3].(*int64)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_KillPod_Call) Return(err error) *MockRuntime_KillPod_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_KillPod_Call) RunAndReturn(run func(ctx context.Context, pod *v10.Pod, runningPod container.Pod, gracePeriodOverride *int64) error) *MockRuntime_KillPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListImages provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) ListImages(ctx context.Context) ([]container.Image, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListImages")
+	}
+
+	var r0 []container.Image
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]container.Image, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []container.Image); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]container.Image)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_ListImages_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListImages'
+type MockRuntime_ListImages_Call struct {
+	*mock.Call
+}
+
+// ListImages is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) ListImages(ctx interface{}) *MockRuntime_ListImages_Call {
+	return &MockRuntime_ListImages_Call{Call: _e.mock.On("ListImages", ctx)}
+}
+
+func (_c *MockRuntime_ListImages_Call) Run(run func(ctx context.Context)) *MockRuntime_ListImages_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_ListImages_Call) Return(images []container.Image, err error) *MockRuntime_ListImages_Call {
+	_c.Call.Return(images, err)
+	return _c
+}
+
+func (_c *MockRuntime_ListImages_Call) RunAndReturn(run func(ctx context.Context) ([]container.Image, error)) *MockRuntime_ListImages_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListMetricDescriptors provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) ListMetricDescriptors(ctx context.Context) ([]*v1.MetricDescriptor, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListMetricDescriptors")
+	}
+
+	var r0 []*v1.MetricDescriptor
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]*v1.MetricDescriptor, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []*v1.MetricDescriptor); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.MetricDescriptor)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_ListMetricDescriptors_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListMetricDescriptors'
+type MockRuntime_ListMetricDescriptors_Call struct {
+	*mock.Call
+}
+
+// ListMetricDescriptors is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) ListMetricDescriptors(ctx interface{}) *MockRuntime_ListMetricDescriptors_Call {
+	return &MockRuntime_ListMetricDescriptors_Call{Call: _e.mock.On("ListMetricDescriptors", ctx)}
+}
+
+func (_c *MockRuntime_ListMetricDescriptors_Call) Run(run func(ctx context.Context)) *MockRuntime_ListMetricDescriptors_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_ListMetricDescriptors_Call) Return(metricDescriptors []*v1.MetricDescriptor, err error) *MockRuntime_ListMetricDescriptors_Call {
+	_c.Call.Return(metricDescriptors, err)
+	return _c
+}
+
+func (_c *MockRuntime_ListMetricDescriptors_Call) RunAndReturn(run func(ctx context.Context) ([]*v1.MetricDescriptor, error)) *MockRuntime_ListMetricDescriptors_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListPodSandboxMetrics provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) ListPodSandboxMetrics(ctx context.Context) ([]*v1.PodSandboxMetrics, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListPodSandboxMetrics")
+	}
+
+	var r0 []*v1.PodSandboxMetrics
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]*v1.PodSandboxMetrics, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []*v1.PodSandboxMetrics); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.PodSandboxMetrics)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_ListPodSandboxMetrics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodSandboxMetrics'
+type MockRuntime_ListPodSandboxMetrics_Call struct {
+	*mock.Call
+}
+
+// ListPodSandboxMetrics is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) ListPodSandboxMetrics(ctx interface{}) *MockRuntime_ListPodSandboxMetrics_Call {
+	return &MockRuntime_ListPodSandboxMetrics_Call{Call: _e.mock.On("ListPodSandboxMetrics", ctx)}
+}
+
+func (_c *MockRuntime_ListPodSandboxMetrics_Call) Run(run func(ctx context.Context)) *MockRuntime_ListPodSandboxMetrics_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_ListPodSandboxMetrics_Call) Return(podSandboxMetricss []*v1.PodSandboxMetrics, err error) *MockRuntime_ListPodSandboxMetrics_Call {
+	_c.Call.Return(podSandboxMetricss, err)
+	return _c
+}
+
+func (_c *MockRuntime_ListPodSandboxMetrics_Call) RunAndReturn(run func(ctx context.Context) ([]*v1.PodSandboxMetrics, error)) *MockRuntime_ListPodSandboxMetrics_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// PullImage provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) PullImage(ctx context.Context, image container.ImageSpec, credentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error) {
+	ret := _mock.Called(ctx, image, credentials, podSandboxConfig)
+
+	if len(ret) == 0 {
+		panic("no return value specified for PullImage")
+	}
+
+	var r0 string
+	var r1 *credentialprovider.TrackedAuthConfig
+	var r2 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error)); ok {
+		return returnFunc(ctx, image, credentials, podSandboxConfig)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) string); ok {
+		r0 = returnFunc(ctx, image, credentials, podSandboxConfig)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) *credentialprovider.TrackedAuthConfig); ok {
+		r1 = returnFunc(ctx, image, credentials, podSandboxConfig)
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(*credentialprovider.TrackedAuthConfig)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) error); ok {
+		r2 = returnFunc(ctx, image, credentials, podSandboxConfig)
+	} else {
+		r2 = ret.Error(2)
+	}
+	return r0, r1, r2
+}
+
+// MockRuntime_PullImage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PullImage'
+type MockRuntime_PullImage_Call struct {
+	*mock.Call
+}
+
+// PullImage is a helper method to define mock.On call
+//   - ctx context.Context
+//   - image container.ImageSpec
+//   - credentials []credentialprovider.TrackedAuthConfig
+//   - podSandboxConfig *v1.PodSandboxConfig
+func (_e *MockRuntime_Expecter) PullImage(ctx interface{}, image interface{}, credentials interface{}, podSandboxConfig interface{}) *MockRuntime_PullImage_Call {
+	return &MockRuntime_PullImage_Call{Call: _e.mock.On("PullImage", ctx, image, credentials, podSandboxConfig)}
+}
+
+func (_c *MockRuntime_PullImage_Call) Run(run func(ctx context.Context, image container.ImageSpec, credentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *v1.PodSandboxConfig)) *MockRuntime_PullImage_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.ImageSpec
+		if args[1] != nil {
+			arg1 = args[1].(container.ImageSpec)
+		}
+		var arg2 []credentialprovider.TrackedAuthConfig
+		if args[2] != nil {
+			arg2 = args[2].([]credentialprovider.TrackedAuthConfig)
+		}
+		var arg3 *v1.PodSandboxConfig
+		if args[3] != nil {
+			arg3 = args[3].(*v1.PodSandboxConfig)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_PullImage_Call) Return(s string, trackedAuthConfig *credentialprovider.TrackedAuthConfig, err error) *MockRuntime_PullImage_Call {
+	_c.Call.Return(s, trackedAuthConfig, err)
+	return _c
+}
+
+func (_c *MockRuntime_PullImage_Call) RunAndReturn(run func(ctx context.Context, image container.ImageSpec, credentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error)) *MockRuntime_PullImage_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RemoveImage provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) RemoveImage(ctx context.Context, image container.ImageSpec) error {
+	ret := _mock.Called(ctx, image)
+
+	if len(ret) == 0 {
+		panic("no return value specified for RemoveImage")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, container.ImageSpec) error); ok {
+		r0 = returnFunc(ctx, image)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_RemoveImage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RemoveImage'
+type MockRuntime_RemoveImage_Call struct {
+	*mock.Call
+}
+
+// RemoveImage is a helper method to define mock.On call
+//   - ctx context.Context
+//   - image container.ImageSpec
+func (_e *MockRuntime_Expecter) RemoveImage(ctx interface{}, image interface{}) *MockRuntime_RemoveImage_Call {
+	return &MockRuntime_RemoveImage_Call{Call: _e.mock.On("RemoveImage", ctx, image)}
+}
+
+func (_c *MockRuntime_RemoveImage_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_RemoveImage_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 container.ImageSpec
+		if args[1] != nil {
+			arg1 = args[1].(container.ImageSpec)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_RemoveImage_Call) Return(err error) *MockRuntime_RemoveImage_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_RemoveImage_Call) RunAndReturn(run func(ctx context.Context, image container.ImageSpec) error) *MockRuntime_RemoveImage_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Status provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) Status(ctx context.Context) (*container.RuntimeStatus, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Status")
+	}
+
+	var r0 *container.RuntimeStatus
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*container.RuntimeStatus, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *container.RuntimeStatus); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*container.RuntimeStatus)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_Status_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Status'
+type MockRuntime_Status_Call struct {
+	*mock.Call
+}
+
+// Status is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) Status(ctx interface{}) *MockRuntime_Status_Call {
+	return &MockRuntime_Status_Call{Call: _e.mock.On("Status", ctx)}
+}
+
+func (_c *MockRuntime_Status_Call) Run(run func(ctx context.Context)) *MockRuntime_Status_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_Status_Call) Return(runtimeStatus *container.RuntimeStatus, err error) *MockRuntime_Status_Call {
+	_c.Call.Return(runtimeStatus, err)
+	return _c
+}
+
+func (_c *MockRuntime_Status_Call) RunAndReturn(run func(ctx context.Context) (*container.RuntimeStatus, error)) *MockRuntime_Status_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SyncPod provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) SyncPod(ctx context.Context, pod *v10.Pod, podStatus *container.PodStatus, pullSecrets []v10.Secret, backOff *flowcontrol.Backoff, restartAllContainers bool) container.PodSyncResult {
+	ret := _mock.Called(ctx, pod, podStatus, pullSecrets, backOff, restartAllContainers)
+
+	if len(ret) == 0 {
+		panic("no return value specified for SyncPod")
+	}
+
+	var r0 container.PodSyncResult
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v10.Pod, *container.PodStatus, []v10.Secret, *flowcontrol.Backoff, bool) container.PodSyncResult); ok {
+		r0 = returnFunc(ctx, pod, podStatus, pullSecrets, backOff, restartAllContainers)
+	} else {
+		r0 = ret.Get(0).(container.PodSyncResult)
+	}
+	return r0
+}
+
+// MockRuntime_SyncPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SyncPod'
+type MockRuntime_SyncPod_Call struct {
+	*mock.Call
+}
+
+// SyncPod is a helper method to define mock.On call
+//   - ctx context.Context
+//   - pod *v10.Pod
+//   - podStatus *container.PodStatus
+//   - pullSecrets []v10.Secret
+//   - backOff *flowcontrol.Backoff
+//   - restartAllContainers bool
+func (_e *MockRuntime_Expecter) SyncPod(ctx interface{}, pod interface{}, podStatus interface{}, pullSecrets interface{}, backOff interface{}, restartAllContainers interface{}) *MockRuntime_SyncPod_Call {
+	return &MockRuntime_SyncPod_Call{Call: _e.mock.On("SyncPod", ctx, pod, podStatus, pullSecrets, backOff, restartAllContainers)}
+}
+
+func (_c *MockRuntime_SyncPod_Call) Run(run func(ctx context.Context, pod *v10.Pod, podStatus *container.PodStatus, pullSecrets []v10.Secret, backOff *flowcontrol.Backoff, restartAllContainers bool)) *MockRuntime_SyncPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v10.Pod
+		if args[1] != nil {
+			arg1 = args[1].(*v10.Pod)
+		}
+		var arg2 *container.PodStatus
+		if args[2] != nil {
+			arg2 = args[2].(*container.PodStatus)
+		}
+		var arg3 []v10.Secret
+		if args[3] != nil {
+			arg3 = args[3].([]v10.Secret)
+		}
+		var arg4 *flowcontrol.Backoff
+		if args[4] != nil {
+			arg4 = args[4].(*flowcontrol.Backoff)
+		}
+		var arg5 bool
+		if args[5] != nil {
+			arg5 = args[5].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+			arg4,
+			arg5,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_SyncPod_Call) Return(podSyncResult container.PodSyncResult) *MockRuntime_SyncPod_Call {
+	_c.Call.Return(podSyncResult)
+	return _c
+}
+
+func (_c *MockRuntime_SyncPod_Call) RunAndReturn(run func(ctx context.Context, pod *v10.Pod, podStatus *container.PodStatus, pullSecrets []v10.Secret, backOff *flowcontrol.Backoff, restartAllContainers bool) container.PodSyncResult) *MockRuntime_SyncPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Type provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) Type() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Type")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockRuntime_Type_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Type'
+type MockRuntime_Type_Call struct {
+	*mock.Call
+}
+
+// Type is a helper method to define mock.On call
+func (_e *MockRuntime_Expecter) Type() *MockRuntime_Type_Call {
+	return &MockRuntime_Type_Call{Call: _e.mock.On("Type")}
+}
+
+func (_c *MockRuntime_Type_Call) Run(run func()) *MockRuntime_Type_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockRuntime_Type_Call) Return(s string) *MockRuntime_Type_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockRuntime_Type_Call) RunAndReturn(run func() string) *MockRuntime_Type_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdateActuatedPodLevelResources provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) UpdateActuatedPodLevelResources(actuatedPod *v10.Pod) error {
+	ret := _mock.Called(actuatedPod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateActuatedPodLevelResources")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(*v10.Pod) error); ok {
+		r0 = returnFunc(actuatedPod)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_UpdateActuatedPodLevelResources_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateActuatedPodLevelResources'
+type MockRuntime_UpdateActuatedPodLevelResources_Call struct {
+	*mock.Call
+}
+
+// UpdateActuatedPodLevelResources is a helper method to define mock.On call
+//   - actuatedPod *v10.Pod
+func (_e *MockRuntime_Expecter) UpdateActuatedPodLevelResources(actuatedPod interface{}) *MockRuntime_UpdateActuatedPodLevelResources_Call {
+	return &MockRuntime_UpdateActuatedPodLevelResources_Call{Call: _e.mock.On("UpdateActuatedPodLevelResources", actuatedPod)}
+}
+
+func (_c *MockRuntime_UpdateActuatedPodLevelResources_Call) Run(run func(actuatedPod *v10.Pod)) *MockRuntime_UpdateActuatedPodLevelResources_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v10.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v10.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_UpdateActuatedPodLevelResources_Call) Return(err error) *MockRuntime_UpdateActuatedPodLevelResources_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_UpdateActuatedPodLevelResources_Call) RunAndReturn(run func(actuatedPod *v10.Pod) error) *MockRuntime_UpdateActuatedPodLevelResources_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdatePodCIDR provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) UpdatePodCIDR(ctx context.Context, podCIDR string) error {
+	ret := _mock.Called(ctx, podCIDR)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdatePodCIDR")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) error); ok {
+		r0 = returnFunc(ctx, podCIDR)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntime_UpdatePodCIDR_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePodCIDR'
+type MockRuntime_UpdatePodCIDR_Call struct {
+	*mock.Call
+}
+
+// UpdatePodCIDR is a helper method to define mock.On call
+//   - ctx context.Context
+//   - podCIDR string
+func (_e *MockRuntime_Expecter) UpdatePodCIDR(ctx interface{}, podCIDR interface{}) *MockRuntime_UpdatePodCIDR_Call {
+	return &MockRuntime_UpdatePodCIDR_Call{Call: _e.mock.On("UpdatePodCIDR", ctx, podCIDR)}
+}
+
+func (_c *MockRuntime_UpdatePodCIDR_Call) Run(run func(ctx context.Context, podCIDR string)) *MockRuntime_UpdatePodCIDR_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_UpdatePodCIDR_Call) Return(err error) *MockRuntime_UpdatePodCIDR_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntime_UpdatePodCIDR_Call) RunAndReturn(run func(ctx context.Context, podCIDR string) error) *MockRuntime_UpdatePodCIDR_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Version provides a mock function for the type MockRuntime
+func (_mock *MockRuntime) Version(ctx context.Context) (container.Version, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Version")
+	}
+
+	var r0 container.Version
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (container.Version, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) container.Version); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(container.Version)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntime_Version_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Version'
+type MockRuntime_Version_Call struct {
+	*mock.Call
+}
+
+// Version is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRuntime_Expecter) Version(ctx interface{}) *MockRuntime_Version_Call {
+	return &MockRuntime_Version_Call{Call: _e.mock.On("Version", ctx)}
+}
+
+func (_c *MockRuntime_Version_Call) Run(run func(ctx context.Context)) *MockRuntime_Version_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntime_Version_Call) Return(version container.Version, err error) *MockRuntime_Version_Call {
+	_c.Call.Return(version, err)
+	return _c
+}
+
+func (_c *MockRuntime_Version_Call) RunAndReturn(run func(ctx context.Context) (container.Version, error)) *MockRuntime_Version_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockRuntimeCache creates a new instance of MockRuntimeCache. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockRuntimeCache(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockRuntimeCache {
+	mock := &MockRuntimeCache{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockRuntimeCache is an autogenerated mock type for the RuntimeCache type
+type MockRuntimeCache struct {
+	mock.Mock
+}
+
+type MockRuntimeCache_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockRuntimeCache) EXPECT() *MockRuntimeCache_Expecter {
+	return &MockRuntimeCache_Expecter{mock: &_m.Mock}
+}
+
+// ForceUpdateIfOlder provides a mock function for the type MockRuntimeCache
+func (_mock *MockRuntimeCache) ForceUpdateIfOlder(context1 context.Context, time1 time.Time) error {
+	ret := _mock.Called(context1, time1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ForceUpdateIfOlder")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, time.Time) error); ok {
+		r0 = returnFunc(context1, time1)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRuntimeCache_ForceUpdateIfOlder_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ForceUpdateIfOlder'
+type MockRuntimeCache_ForceUpdateIfOlder_Call struct {
+	*mock.Call
+}
+
+// ForceUpdateIfOlder is a helper method to define mock.On call
+//   - context1 context.Context
+//   - time1 time.Time
+func (_e *MockRuntimeCache_Expecter) ForceUpdateIfOlder(context1 interface{}, time1 interface{}) *MockRuntimeCache_ForceUpdateIfOlder_Call {
+	return &MockRuntimeCache_ForceUpdateIfOlder_Call{Call: _e.mock.On("ForceUpdateIfOlder", context1, time1)}
+}
+
+func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) Run(run func(context1 context.Context, time1 time.Time)) *MockRuntimeCache_ForceUpdateIfOlder_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 time.Time
+		if args[1] != nil {
+			arg1 = args[1].(time.Time)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) Return(err error) *MockRuntimeCache_ForceUpdateIfOlder_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRuntimeCache_ForceUpdateIfOlder_Call) RunAndReturn(run func(context1 context.Context, time1 time.Time) error) *MockRuntimeCache_ForceUpdateIfOlder_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPods provides a mock function for the type MockRuntimeCache
+func (_mock *MockRuntimeCache) GetPods(context1 context.Context) ([]*container.Pod, error) {
+	ret := _mock.Called(context1)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPods")
+	}
+
+	var r0 []*container.Pod
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]*container.Pod, error)); ok {
+		return returnFunc(context1)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []*container.Pod); ok {
+		r0 = returnFunc(context1)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*container.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(context1)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockRuntimeCache_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
+type MockRuntimeCache_GetPods_Call struct {
+	*mock.Call
+}
+
+// GetPods is a helper method to define mock.On call
+//   - context1 context.Context
+func (_e *MockRuntimeCache_Expecter) GetPods(context1 interface{}) *MockRuntimeCache_GetPods_Call {
+	return &MockRuntimeCache_GetPods_Call{Call: _e.mock.On("GetPods", context1)}
+}
+
+func (_c *MockRuntimeCache_GetPods_Call) Run(run func(context1 context.Context)) *MockRuntimeCache_GetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRuntimeCache_GetPods_Call) Return(pods []*container.Pod, err error) *MockRuntimeCache_GetPods_Call {
+	_c.Call.Return(pods, err)
+	return _c
+}
+
+func (_c *MockRuntimeCache_GetPods_Call) RunAndReturn(run func(context1 context.Context) ([]*container.Pod, error)) *MockRuntimeCache_GetPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/container/testing/runtime_mock.go b/pkg/kubelet/container/testing/runtime_mock.go
deleted file mode 100644
index dd5dceb6f4cdd..0000000000000
--- a/pkg/kubelet/container/testing/runtime_mock.go
+++ /dev/null
@@ -1,1419 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	context "context"
-
-	container "k8s.io/kubernetes/pkg/kubelet/container"
-
-	corev1 "k8s.io/api/core/v1"
-
-	credentialprovider "k8s.io/kubernetes/pkg/credentialprovider"
-
-	flowcontrol "k8s.io/client-go/util/flowcontrol"
-
-	io "io"
-
-	mock "github.com/stretchr/testify/mock"
-
-	pkgtypes "k8s.io/apimachinery/pkg/types"
-
-	types "k8s.io/kubernetes/pkg/kubelet/types"
-
-	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
-)
-
-// MockRuntime is an autogenerated mock type for the Runtime type
-type MockRuntime struct {
-	mock.Mock
-}
-
-type MockRuntime_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockRuntime) EXPECT() *MockRuntime_Expecter {
-	return &MockRuntime_Expecter{mock: &_m.Mock}
-}
-
-// APIVersion provides a mock function with no fields
-func (_m *MockRuntime) APIVersion() (container.Version, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for APIVersion")
-	}
-
-	var r0 container.Version
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (container.Version, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() container.Version); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(container.Version)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_APIVersion_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'APIVersion'
-type MockRuntime_APIVersion_Call struct {
-	*mock.Call
-}
-
-// APIVersion is a helper method to define mock.On call
-func (_e *MockRuntime_Expecter) APIVersion() *MockRuntime_APIVersion_Call {
-	return &MockRuntime_APIVersion_Call{Call: _e.mock.On("APIVersion")}
-}
-
-func (_c *MockRuntime_APIVersion_Call) Run(run func()) *MockRuntime_APIVersion_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockRuntime_APIVersion_Call) Return(_a0 container.Version, _a1 error) *MockRuntime_APIVersion_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_APIVersion_Call) RunAndReturn(run func() (container.Version, error)) *MockRuntime_APIVersion_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// CheckpointContainer provides a mock function with given fields: ctx, options
-func (_m *MockRuntime) CheckpointContainer(ctx context.Context, options *v1.CheckpointContainerRequest) error {
-	ret := _m.Called(ctx, options)
-
-	if len(ret) == 0 {
-		panic("no return value specified for CheckpointContainer")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v1.CheckpointContainerRequest) error); ok {
-		r0 = rf(ctx, options)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_CheckpointContainer_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CheckpointContainer'
-type MockRuntime_CheckpointContainer_Call struct {
-	*mock.Call
-}
-
-// CheckpointContainer is a helper method to define mock.On call
-//   - ctx context.Context
-//   - options *v1.CheckpointContainerRequest
-func (_e *MockRuntime_Expecter) CheckpointContainer(ctx interface{}, options interface{}) *MockRuntime_CheckpointContainer_Call {
-	return &MockRuntime_CheckpointContainer_Call{Call: _e.mock.On("CheckpointContainer", ctx, options)}
-}
-
-func (_c *MockRuntime_CheckpointContainer_Call) Run(run func(ctx context.Context, options *v1.CheckpointContainerRequest)) *MockRuntime_CheckpointContainer_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v1.CheckpointContainerRequest))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_CheckpointContainer_Call) Return(_a0 error) *MockRuntime_CheckpointContainer_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_CheckpointContainer_Call) RunAndReturn(run func(context.Context, *v1.CheckpointContainerRequest) error) *MockRuntime_CheckpointContainer_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// DeleteContainer provides a mock function with given fields: ctx, containerID
-func (_m *MockRuntime) DeleteContainer(ctx context.Context, containerID container.ContainerID) error {
-	ret := _m.Called(ctx, containerID)
-
-	if len(ret) == 0 {
-		panic("no return value specified for DeleteContainer")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ContainerID) error); ok {
-		r0 = rf(ctx, containerID)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_DeleteContainer_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteContainer'
-type MockRuntime_DeleteContainer_Call struct {
-	*mock.Call
-}
-
-// DeleteContainer is a helper method to define mock.On call
-//   - ctx context.Context
-//   - containerID container.ContainerID
-func (_e *MockRuntime_Expecter) DeleteContainer(ctx interface{}, containerID interface{}) *MockRuntime_DeleteContainer_Call {
-	return &MockRuntime_DeleteContainer_Call{Call: _e.mock.On("DeleteContainer", ctx, containerID)}
-}
-
-func (_c *MockRuntime_DeleteContainer_Call) Run(run func(ctx context.Context, containerID container.ContainerID)) *MockRuntime_DeleteContainer_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ContainerID))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_DeleteContainer_Call) Return(_a0 error) *MockRuntime_DeleteContainer_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_DeleteContainer_Call) RunAndReturn(run func(context.Context, container.ContainerID) error) *MockRuntime_DeleteContainer_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GarbageCollect provides a mock function with given fields: ctx, gcPolicy, allSourcesReady, evictNonDeletedPods
-func (_m *MockRuntime) GarbageCollect(ctx context.Context, gcPolicy container.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool) error {
-	ret := _m.Called(ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GarbageCollect")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.GCPolicy, bool, bool) error); ok {
-		r0 = rf(ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_GarbageCollect_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GarbageCollect'
-type MockRuntime_GarbageCollect_Call struct {
-	*mock.Call
-}
-
-// GarbageCollect is a helper method to define mock.On call
-//   - ctx context.Context
-//   - gcPolicy container.GCPolicy
-//   - allSourcesReady bool
-//   - evictNonDeletedPods bool
-func (_e *MockRuntime_Expecter) GarbageCollect(ctx interface{}, gcPolicy interface{}, allSourcesReady interface{}, evictNonDeletedPods interface{}) *MockRuntime_GarbageCollect_Call {
-	return &MockRuntime_GarbageCollect_Call{Call: _e.mock.On("GarbageCollect", ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)}
-}
-
-func (_c *MockRuntime_GarbageCollect_Call) Run(run func(ctx context.Context, gcPolicy container.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool)) *MockRuntime_GarbageCollect_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.GCPolicy), args[2].(bool), args[3].(bool))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GarbageCollect_Call) Return(_a0 error) *MockRuntime_GarbageCollect_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_GarbageCollect_Call) RunAndReturn(run func(context.Context, container.GCPolicy, bool, bool) error) *MockRuntime_GarbageCollect_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GeneratePodStatus provides a mock function with given fields: event
-func (_m *MockRuntime) GeneratePodStatus(event *v1.ContainerEventResponse) *container.PodStatus {
-	ret := _m.Called(event)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GeneratePodStatus")
-	}
-
-	var r0 *container.PodStatus
-	if rf, ok := ret.Get(0).(func(*v1.ContainerEventResponse) *container.PodStatus); ok {
-		r0 = rf(event)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.PodStatus)
-		}
-	}
-
-	return r0
-}
-
-// MockRuntime_GeneratePodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GeneratePodStatus'
-type MockRuntime_GeneratePodStatus_Call struct {
-	*mock.Call
-}
-
-// GeneratePodStatus is a helper method to define mock.On call
-//   - event *v1.ContainerEventResponse
-func (_e *MockRuntime_Expecter) GeneratePodStatus(event interface{}) *MockRuntime_GeneratePodStatus_Call {
-	return &MockRuntime_GeneratePodStatus_Call{Call: _e.mock.On("GeneratePodStatus", event)}
-}
-
-func (_c *MockRuntime_GeneratePodStatus_Call) Run(run func(event *v1.ContainerEventResponse)) *MockRuntime_GeneratePodStatus_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.ContainerEventResponse))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GeneratePodStatus_Call) Return(_a0 *container.PodStatus) *MockRuntime_GeneratePodStatus_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_GeneratePodStatus_Call) RunAndReturn(run func(*v1.ContainerEventResponse) *container.PodStatus) *MockRuntime_GeneratePodStatus_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetContainerLogs provides a mock function with given fields: ctx, pod, containerID, logOptions, stdout, stderr
-func (_m *MockRuntime) GetContainerLogs(ctx context.Context, pod *corev1.Pod, containerID container.ContainerID, logOptions *corev1.PodLogOptions, stdout io.Writer, stderr io.Writer) error {
-	ret := _m.Called(ctx, pod, containerID, logOptions, stdout, stderr)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetContainerLogs")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *corev1.Pod, container.ContainerID, *corev1.PodLogOptions, io.Writer, io.Writer) error); ok {
-		r0 = rf(ctx, pod, containerID, logOptions, stdout, stderr)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_GetContainerLogs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerLogs'
-type MockRuntime_GetContainerLogs_Call struct {
-	*mock.Call
-}
-
-// GetContainerLogs is a helper method to define mock.On call
-//   - ctx context.Context
-//   - pod *corev1.Pod
-//   - containerID container.ContainerID
-//   - logOptions *corev1.PodLogOptions
-//   - stdout io.Writer
-//   - stderr io.Writer
-func (_e *MockRuntime_Expecter) GetContainerLogs(ctx interface{}, pod interface{}, containerID interface{}, logOptions interface{}, stdout interface{}, stderr interface{}) *MockRuntime_GetContainerLogs_Call {
-	return &MockRuntime_GetContainerLogs_Call{Call: _e.mock.On("GetContainerLogs", ctx, pod, containerID, logOptions, stdout, stderr)}
-}
-
-func (_c *MockRuntime_GetContainerLogs_Call) Run(run func(ctx context.Context, pod *corev1.Pod, containerID container.ContainerID, logOptions *corev1.PodLogOptions, stdout io.Writer, stderr io.Writer)) *MockRuntime_GetContainerLogs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*corev1.Pod), args[2].(container.ContainerID), args[3].(*corev1.PodLogOptions), args[4].(io.Writer), args[5].(io.Writer))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerLogs_Call) Return(err error) *MockRuntime_GetContainerLogs_Call {
-	_c.Call.Return(err)
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerLogs_Call) RunAndReturn(run func(context.Context, *corev1.Pod, container.ContainerID, *corev1.PodLogOptions, io.Writer, io.Writer) error) *MockRuntime_GetContainerLogs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetContainerStatus provides a mock function with given fields: ctx, id
-func (_m *MockRuntime) GetContainerStatus(ctx context.Context, id container.ContainerID) (*container.Status, error) {
-	ret := _m.Called(ctx, id)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetContainerStatus")
-	}
-
-	var r0 *container.Status
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ContainerID) (*container.Status, error)); ok {
-		return rf(ctx, id)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, container.ContainerID) *container.Status); ok {
-		r0 = rf(ctx, id)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.Status)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, container.ContainerID) error); ok {
-		r1 = rf(ctx, id)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_GetContainerStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerStatus'
-type MockRuntime_GetContainerStatus_Call struct {
-	*mock.Call
-}
-
-// GetContainerStatus is a helper method to define mock.On call
-//   - ctx context.Context
-//   - id container.ContainerID
-func (_e *MockRuntime_Expecter) GetContainerStatus(ctx interface{}, id interface{}) *MockRuntime_GetContainerStatus_Call {
-	return &MockRuntime_GetContainerStatus_Call{Call: _e.mock.On("GetContainerStatus", ctx, id)}
-}
-
-func (_c *MockRuntime_GetContainerStatus_Call) Run(run func(ctx context.Context, id container.ContainerID)) *MockRuntime_GetContainerStatus_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ContainerID))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerStatus_Call) Return(_a0 *container.Status, _a1 error) *MockRuntime_GetContainerStatus_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerStatus_Call) RunAndReturn(run func(context.Context, container.ContainerID) (*container.Status, error)) *MockRuntime_GetContainerStatus_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetContainerSwapBehavior provides a mock function with given fields: pod, _a1
-func (_m *MockRuntime) GetContainerSwapBehavior(pod *corev1.Pod, _a1 *corev1.Container) types.SwapBehavior {
-	ret := _m.Called(pod, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetContainerSwapBehavior")
-	}
-
-	var r0 types.SwapBehavior
-	if rf, ok := ret.Get(0).(func(*corev1.Pod, *corev1.Container) types.SwapBehavior); ok {
-		r0 = rf(pod, _a1)
-	} else {
-		r0 = ret.Get(0).(types.SwapBehavior)
-	}
-
-	return r0
-}
-
-// MockRuntime_GetContainerSwapBehavior_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetContainerSwapBehavior'
-type MockRuntime_GetContainerSwapBehavior_Call struct {
-	*mock.Call
-}
-
-// GetContainerSwapBehavior is a helper method to define mock.On call
-//   - pod *corev1.Pod
-//   - _a1 *corev1.Container
-func (_e *MockRuntime_Expecter) GetContainerSwapBehavior(pod interface{}, _a1 interface{}) *MockRuntime_GetContainerSwapBehavior_Call {
-	return &MockRuntime_GetContainerSwapBehavior_Call{Call: _e.mock.On("GetContainerSwapBehavior", pod, _a1)}
-}
-
-func (_c *MockRuntime_GetContainerSwapBehavior_Call) Run(run func(pod *corev1.Pod, _a1 *corev1.Container)) *MockRuntime_GetContainerSwapBehavior_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*corev1.Pod), args[1].(*corev1.Container))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerSwapBehavior_Call) Return(_a0 types.SwapBehavior) *MockRuntime_GetContainerSwapBehavior_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_GetContainerSwapBehavior_Call) RunAndReturn(run func(*corev1.Pod, *corev1.Container) types.SwapBehavior) *MockRuntime_GetContainerSwapBehavior_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetImageRef provides a mock function with given fields: ctx, image
-func (_m *MockRuntime) GetImageRef(ctx context.Context, image container.ImageSpec) (string, error) {
-	ret := _m.Called(ctx, image)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetImageRef")
-	}
-
-	var r0 string
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec) (string, error)); ok {
-		return rf(ctx, image)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec) string); ok {
-		r0 = rf(ctx, image)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, container.ImageSpec) error); ok {
-		r1 = rf(ctx, image)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_GetImageRef_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetImageRef'
-type MockRuntime_GetImageRef_Call struct {
-	*mock.Call
-}
-
-// GetImageRef is a helper method to define mock.On call
-//   - ctx context.Context
-//   - image container.ImageSpec
-func (_e *MockRuntime_Expecter) GetImageRef(ctx interface{}, image interface{}) *MockRuntime_GetImageRef_Call {
-	return &MockRuntime_GetImageRef_Call{Call: _e.mock.On("GetImageRef", ctx, image)}
-}
-
-func (_c *MockRuntime_GetImageRef_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_GetImageRef_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ImageSpec))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetImageRef_Call) Return(_a0 string, _a1 error) *MockRuntime_GetImageRef_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_GetImageRef_Call) RunAndReturn(run func(context.Context, container.ImageSpec) (string, error)) *MockRuntime_GetImageRef_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetImageSize provides a mock function with given fields: ctx, image
-func (_m *MockRuntime) GetImageSize(ctx context.Context, image container.ImageSpec) (uint64, error) {
-	ret := _m.Called(ctx, image)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetImageSize")
-	}
-
-	var r0 uint64
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec) (uint64, error)); ok {
-		return rf(ctx, image)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec) uint64); ok {
-		r0 = rf(ctx, image)
-	} else {
-		r0 = ret.Get(0).(uint64)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, container.ImageSpec) error); ok {
-		r1 = rf(ctx, image)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_GetImageSize_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetImageSize'
-type MockRuntime_GetImageSize_Call struct {
-	*mock.Call
-}
-
-// GetImageSize is a helper method to define mock.On call
-//   - ctx context.Context
-//   - image container.ImageSpec
-func (_e *MockRuntime_Expecter) GetImageSize(ctx interface{}, image interface{}) *MockRuntime_GetImageSize_Call {
-	return &MockRuntime_GetImageSize_Call{Call: _e.mock.On("GetImageSize", ctx, image)}
-}
-
-func (_c *MockRuntime_GetImageSize_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_GetImageSize_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ImageSpec))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetImageSize_Call) Return(_a0 uint64, _a1 error) *MockRuntime_GetImageSize_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_GetImageSize_Call) RunAndReturn(run func(context.Context, container.ImageSpec) (uint64, error)) *MockRuntime_GetImageSize_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodStatus provides a mock function with given fields: ctx, uid, name, namespace
-func (_m *MockRuntime) GetPodStatus(ctx context.Context, uid pkgtypes.UID, name string, namespace string) (*container.PodStatus, error) {
-	ret := _m.Called(ctx, uid, name, namespace)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodStatus")
-	}
-
-	var r0 *container.PodStatus
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, pkgtypes.UID, string, string) (*container.PodStatus, error)); ok {
-		return rf(ctx, uid, name, namespace)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, pkgtypes.UID, string, string) *container.PodStatus); ok {
-		r0 = rf(ctx, uid, name, namespace)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.PodStatus)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, pkgtypes.UID, string, string) error); ok {
-		r1 = rf(ctx, uid, name, namespace)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_GetPodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodStatus'
-type MockRuntime_GetPodStatus_Call struct {
-	*mock.Call
-}
-
-// GetPodStatus is a helper method to define mock.On call
-//   - ctx context.Context
-//   - uid pkgtypes.UID
-//   - name string
-//   - namespace string
-func (_e *MockRuntime_Expecter) GetPodStatus(ctx interface{}, uid interface{}, name interface{}, namespace interface{}) *MockRuntime_GetPodStatus_Call {
-	return &MockRuntime_GetPodStatus_Call{Call: _e.mock.On("GetPodStatus", ctx, uid, name, namespace)}
-}
-
-func (_c *MockRuntime_GetPodStatus_Call) Run(run func(ctx context.Context, uid pkgtypes.UID, name string, namespace string)) *MockRuntime_GetPodStatus_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(pkgtypes.UID), args[2].(string), args[3].(string))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetPodStatus_Call) Return(_a0 *container.PodStatus, _a1 error) *MockRuntime_GetPodStatus_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_GetPodStatus_Call) RunAndReturn(run func(context.Context, pkgtypes.UID, string, string) (*container.PodStatus, error)) *MockRuntime_GetPodStatus_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPods provides a mock function with given fields: ctx, all
-func (_m *MockRuntime) GetPods(ctx context.Context, all bool) ([]*container.Pod, error) {
-	ret := _m.Called(ctx, all)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPods")
-	}
-
-	var r0 []*container.Pod
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, bool) ([]*container.Pod, error)); ok {
-		return rf(ctx, all)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, bool) []*container.Pod); ok {
-		r0 = rf(ctx, all)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*container.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, bool) error); ok {
-		r1 = rf(ctx, all)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
-type MockRuntime_GetPods_Call struct {
-	*mock.Call
-}
-
-// GetPods is a helper method to define mock.On call
-//   - ctx context.Context
-//   - all bool
-func (_e *MockRuntime_Expecter) GetPods(ctx interface{}, all interface{}) *MockRuntime_GetPods_Call {
-	return &MockRuntime_GetPods_Call{Call: _e.mock.On("GetPods", ctx, all)}
-}
-
-func (_c *MockRuntime_GetPods_Call) Run(run func(ctx context.Context, all bool)) *MockRuntime_GetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(bool))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_GetPods_Call) Return(_a0 []*container.Pod, _a1 error) *MockRuntime_GetPods_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_GetPods_Call) RunAndReturn(run func(context.Context, bool) ([]*container.Pod, error)) *MockRuntime_GetPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ImageFsInfo provides a mock function with given fields: ctx
-func (_m *MockRuntime) ImageFsInfo(ctx context.Context) (*v1.ImageFsInfoResponse, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ImageFsInfo")
-	}
-
-	var r0 *v1.ImageFsInfoResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (*v1.ImageFsInfoResponse, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) *v1.ImageFsInfoResponse); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.ImageFsInfoResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_ImageFsInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageFsInfo'
-type MockRuntime_ImageFsInfo_Call struct {
-	*mock.Call
-}
-
-// ImageFsInfo is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) ImageFsInfo(ctx interface{}) *MockRuntime_ImageFsInfo_Call {
-	return &MockRuntime_ImageFsInfo_Call{Call: _e.mock.On("ImageFsInfo", ctx)}
-}
-
-func (_c *MockRuntime_ImageFsInfo_Call) Run(run func(ctx context.Context)) *MockRuntime_ImageFsInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_ImageFsInfo_Call) Return(_a0 *v1.ImageFsInfoResponse, _a1 error) *MockRuntime_ImageFsInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_ImageFsInfo_Call) RunAndReturn(run func(context.Context) (*v1.ImageFsInfoResponse, error)) *MockRuntime_ImageFsInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ImageStats provides a mock function with given fields: ctx
-func (_m *MockRuntime) ImageStats(ctx context.Context) (*container.ImageStats, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ImageStats")
-	}
-
-	var r0 *container.ImageStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (*container.ImageStats, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) *container.ImageStats); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.ImageStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_ImageStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageStats'
-type MockRuntime_ImageStats_Call struct {
-	*mock.Call
-}
-
-// ImageStats is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) ImageStats(ctx interface{}) *MockRuntime_ImageStats_Call {
-	return &MockRuntime_ImageStats_Call{Call: _e.mock.On("ImageStats", ctx)}
-}
-
-func (_c *MockRuntime_ImageStats_Call) Run(run func(ctx context.Context)) *MockRuntime_ImageStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_ImageStats_Call) Return(_a0 *container.ImageStats, _a1 error) *MockRuntime_ImageStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_ImageStats_Call) RunAndReturn(run func(context.Context) (*container.ImageStats, error)) *MockRuntime_ImageStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// KillPod provides a mock function with given fields: ctx, pod, runningPod, gracePeriodOverride
-func (_m *MockRuntime) KillPod(ctx context.Context, pod *corev1.Pod, runningPod container.Pod, gracePeriodOverride *int64) error {
-	ret := _m.Called(ctx, pod, runningPod, gracePeriodOverride)
-
-	if len(ret) == 0 {
-		panic("no return value specified for KillPod")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, *corev1.Pod, container.Pod, *int64) error); ok {
-		r0 = rf(ctx, pod, runningPod, gracePeriodOverride)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_KillPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'KillPod'
-type MockRuntime_KillPod_Call struct {
-	*mock.Call
-}
-
-// KillPod is a helper method to define mock.On call
-//   - ctx context.Context
-//   - pod *corev1.Pod
-//   - runningPod container.Pod
-//   - gracePeriodOverride *int64
-func (_e *MockRuntime_Expecter) KillPod(ctx interface{}, pod interface{}, runningPod interface{}, gracePeriodOverride interface{}) *MockRuntime_KillPod_Call {
-	return &MockRuntime_KillPod_Call{Call: _e.mock.On("KillPod", ctx, pod, runningPod, gracePeriodOverride)}
-}
-
-func (_c *MockRuntime_KillPod_Call) Run(run func(ctx context.Context, pod *corev1.Pod, runningPod container.Pod, gracePeriodOverride *int64)) *MockRuntime_KillPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*corev1.Pod), args[2].(container.Pod), args[3].(*int64))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_KillPod_Call) Return(_a0 error) *MockRuntime_KillPod_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_KillPod_Call) RunAndReturn(run func(context.Context, *corev1.Pod, container.Pod, *int64) error) *MockRuntime_KillPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListImages provides a mock function with given fields: ctx
-func (_m *MockRuntime) ListImages(ctx context.Context) ([]container.Image, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListImages")
-	}
-
-	var r0 []container.Image
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]container.Image, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []container.Image); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]container.Image)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_ListImages_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListImages'
-type MockRuntime_ListImages_Call struct {
-	*mock.Call
-}
-
-// ListImages is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) ListImages(ctx interface{}) *MockRuntime_ListImages_Call {
-	return &MockRuntime_ListImages_Call{Call: _e.mock.On("ListImages", ctx)}
-}
-
-func (_c *MockRuntime_ListImages_Call) Run(run func(ctx context.Context)) *MockRuntime_ListImages_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_ListImages_Call) Return(_a0 []container.Image, _a1 error) *MockRuntime_ListImages_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_ListImages_Call) RunAndReturn(run func(context.Context) ([]container.Image, error)) *MockRuntime_ListImages_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListMetricDescriptors provides a mock function with given fields: ctx
-func (_m *MockRuntime) ListMetricDescriptors(ctx context.Context) ([]*v1.MetricDescriptor, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListMetricDescriptors")
-	}
-
-	var r0 []*v1.MetricDescriptor
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]*v1.MetricDescriptor, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []*v1.MetricDescriptor); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.MetricDescriptor)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_ListMetricDescriptors_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListMetricDescriptors'
-type MockRuntime_ListMetricDescriptors_Call struct {
-	*mock.Call
-}
-
-// ListMetricDescriptors is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) ListMetricDescriptors(ctx interface{}) *MockRuntime_ListMetricDescriptors_Call {
-	return &MockRuntime_ListMetricDescriptors_Call{Call: _e.mock.On("ListMetricDescriptors", ctx)}
-}
-
-func (_c *MockRuntime_ListMetricDescriptors_Call) Run(run func(ctx context.Context)) *MockRuntime_ListMetricDescriptors_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_ListMetricDescriptors_Call) Return(_a0 []*v1.MetricDescriptor, _a1 error) *MockRuntime_ListMetricDescriptors_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_ListMetricDescriptors_Call) RunAndReturn(run func(context.Context) ([]*v1.MetricDescriptor, error)) *MockRuntime_ListMetricDescriptors_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListPodSandboxMetrics provides a mock function with given fields: ctx
-func (_m *MockRuntime) ListPodSandboxMetrics(ctx context.Context) ([]*v1.PodSandboxMetrics, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListPodSandboxMetrics")
-	}
-
-	var r0 []*v1.PodSandboxMetrics
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]*v1.PodSandboxMetrics, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []*v1.PodSandboxMetrics); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.PodSandboxMetrics)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_ListPodSandboxMetrics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodSandboxMetrics'
-type MockRuntime_ListPodSandboxMetrics_Call struct {
-	*mock.Call
-}
-
-// ListPodSandboxMetrics is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) ListPodSandboxMetrics(ctx interface{}) *MockRuntime_ListPodSandboxMetrics_Call {
-	return &MockRuntime_ListPodSandboxMetrics_Call{Call: _e.mock.On("ListPodSandboxMetrics", ctx)}
-}
-
-func (_c *MockRuntime_ListPodSandboxMetrics_Call) Run(run func(ctx context.Context)) *MockRuntime_ListPodSandboxMetrics_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_ListPodSandboxMetrics_Call) Return(_a0 []*v1.PodSandboxMetrics, _a1 error) *MockRuntime_ListPodSandboxMetrics_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_ListPodSandboxMetrics_Call) RunAndReturn(run func(context.Context) ([]*v1.PodSandboxMetrics, error)) *MockRuntime_ListPodSandboxMetrics_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// PullImage provides a mock function with given fields: ctx, image, credentials, podSandboxConfig
-func (_m *MockRuntime) PullImage(ctx context.Context, image container.ImageSpec, credentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error) {
-	ret := _m.Called(ctx, image, credentials, podSandboxConfig)
-
-	if len(ret) == 0 {
-		panic("no return value specified for PullImage")
-	}
-
-	var r0 string
-	var r1 *credentialprovider.TrackedAuthConfig
-	var r2 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error)); ok {
-		return rf(ctx, image, credentials, podSandboxConfig)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) string); ok {
-		r0 = rf(ctx, image, credentials, podSandboxConfig)
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) *credentialprovider.TrackedAuthConfig); ok {
-		r1 = rf(ctx, image, credentials, podSandboxConfig)
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(*credentialprovider.TrackedAuthConfig)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) error); ok {
-		r2 = rf(ctx, image, credentials, podSandboxConfig)
-	} else {
-		r2 = ret.Error(2)
-	}
-
-	return r0, r1, r2
-}
-
-// MockRuntime_PullImage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'PullImage'
-type MockRuntime_PullImage_Call struct {
-	*mock.Call
-}
-
-// PullImage is a helper method to define mock.On call
-//   - ctx context.Context
-//   - image container.ImageSpec
-//   - credentials []credentialprovider.TrackedAuthConfig
-//   - podSandboxConfig *v1.PodSandboxConfig
-func (_e *MockRuntime_Expecter) PullImage(ctx interface{}, image interface{}, credentials interface{}, podSandboxConfig interface{}) *MockRuntime_PullImage_Call {
-	return &MockRuntime_PullImage_Call{Call: _e.mock.On("PullImage", ctx, image, credentials, podSandboxConfig)}
-}
-
-func (_c *MockRuntime_PullImage_Call) Run(run func(ctx context.Context, image container.ImageSpec, credentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *v1.PodSandboxConfig)) *MockRuntime_PullImage_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ImageSpec), args[2].([]credentialprovider.TrackedAuthConfig), args[3].(*v1.PodSandboxConfig))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_PullImage_Call) Return(_a0 string, _a1 *credentialprovider.TrackedAuthConfig, _a2 error) *MockRuntime_PullImage_Call {
-	_c.Call.Return(_a0, _a1, _a2)
-	return _c
-}
-
-func (_c *MockRuntime_PullImage_Call) RunAndReturn(run func(context.Context, container.ImageSpec, []credentialprovider.TrackedAuthConfig, *v1.PodSandboxConfig) (string, *credentialprovider.TrackedAuthConfig, error)) *MockRuntime_PullImage_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// RemoveImage provides a mock function with given fields: ctx, image
-func (_m *MockRuntime) RemoveImage(ctx context.Context, image container.ImageSpec) error {
-	ret := _m.Called(ctx, image)
-
-	if len(ret) == 0 {
-		panic("no return value specified for RemoveImage")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, container.ImageSpec) error); ok {
-		r0 = rf(ctx, image)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_RemoveImage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RemoveImage'
-type MockRuntime_RemoveImage_Call struct {
-	*mock.Call
-}
-
-// RemoveImage is a helper method to define mock.On call
-//   - ctx context.Context
-//   - image container.ImageSpec
-func (_e *MockRuntime_Expecter) RemoveImage(ctx interface{}, image interface{}) *MockRuntime_RemoveImage_Call {
-	return &MockRuntime_RemoveImage_Call{Call: _e.mock.On("RemoveImage", ctx, image)}
-}
-
-func (_c *MockRuntime_RemoveImage_Call) Run(run func(ctx context.Context, image container.ImageSpec)) *MockRuntime_RemoveImage_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(container.ImageSpec))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_RemoveImage_Call) Return(_a0 error) *MockRuntime_RemoveImage_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_RemoveImage_Call) RunAndReturn(run func(context.Context, container.ImageSpec) error) *MockRuntime_RemoveImage_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Status provides a mock function with given fields: ctx
-func (_m *MockRuntime) Status(ctx context.Context) (*container.RuntimeStatus, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Status")
-	}
-
-	var r0 *container.RuntimeStatus
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (*container.RuntimeStatus, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) *container.RuntimeStatus); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*container.RuntimeStatus)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_Status_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Status'
-type MockRuntime_Status_Call struct {
-	*mock.Call
-}
-
-// Status is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) Status(ctx interface{}) *MockRuntime_Status_Call {
-	return &MockRuntime_Status_Call{Call: _e.mock.On("Status", ctx)}
-}
-
-func (_c *MockRuntime_Status_Call) Run(run func(ctx context.Context)) *MockRuntime_Status_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_Status_Call) Return(_a0 *container.RuntimeStatus, _a1 error) *MockRuntime_Status_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_Status_Call) RunAndReturn(run func(context.Context) (*container.RuntimeStatus, error)) *MockRuntime_Status_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// SyncPod provides a mock function with given fields: ctx, pod, podStatus, pullSecrets, backOff
-func (_m *MockRuntime) SyncPod(ctx context.Context, pod *corev1.Pod, podStatus *container.PodStatus, pullSecrets []corev1.Secret, backOff *flowcontrol.Backoff) container.PodSyncResult {
-	ret := _m.Called(ctx, pod, podStatus, pullSecrets, backOff)
-
-	if len(ret) == 0 {
-		panic("no return value specified for SyncPod")
-	}
-
-	var r0 container.PodSyncResult
-	if rf, ok := ret.Get(0).(func(context.Context, *corev1.Pod, *container.PodStatus, []corev1.Secret, *flowcontrol.Backoff) container.PodSyncResult); ok {
-		r0 = rf(ctx, pod, podStatus, pullSecrets, backOff)
-	} else {
-		r0 = ret.Get(0).(container.PodSyncResult)
-	}
-
-	return r0
-}
-
-// MockRuntime_SyncPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SyncPod'
-type MockRuntime_SyncPod_Call struct {
-	*mock.Call
-}
-
-// SyncPod is a helper method to define mock.On call
-//   - ctx context.Context
-//   - pod *corev1.Pod
-//   - podStatus *container.PodStatus
-//   - pullSecrets []corev1.Secret
-//   - backOff *flowcontrol.Backoff
-func (_e *MockRuntime_Expecter) SyncPod(ctx interface{}, pod interface{}, podStatus interface{}, pullSecrets interface{}, backOff interface{}) *MockRuntime_SyncPod_Call {
-	return &MockRuntime_SyncPod_Call{Call: _e.mock.On("SyncPod", ctx, pod, podStatus, pullSecrets, backOff)}
-}
-
-func (_c *MockRuntime_SyncPod_Call) Run(run func(ctx context.Context, pod *corev1.Pod, podStatus *container.PodStatus, pullSecrets []corev1.Secret, backOff *flowcontrol.Backoff)) *MockRuntime_SyncPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*corev1.Pod), args[2].(*container.PodStatus), args[3].([]corev1.Secret), args[4].(*flowcontrol.Backoff))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_SyncPod_Call) Return(_a0 container.PodSyncResult) *MockRuntime_SyncPod_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_SyncPod_Call) RunAndReturn(run func(context.Context, *corev1.Pod, *container.PodStatus, []corev1.Secret, *flowcontrol.Backoff) container.PodSyncResult) *MockRuntime_SyncPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Type provides a mock function with no fields
-func (_m *MockRuntime) Type() string {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Type")
-	}
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func() string); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockRuntime_Type_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Type'
-type MockRuntime_Type_Call struct {
-	*mock.Call
-}
-
-// Type is a helper method to define mock.On call
-func (_e *MockRuntime_Expecter) Type() *MockRuntime_Type_Call {
-	return &MockRuntime_Type_Call{Call: _e.mock.On("Type")}
-}
-
-func (_c *MockRuntime_Type_Call) Run(run func()) *MockRuntime_Type_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockRuntime_Type_Call) Return(_a0 string) *MockRuntime_Type_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_Type_Call) RunAndReturn(run func() string) *MockRuntime_Type_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UpdatePodCIDR provides a mock function with given fields: ctx, podCIDR
-func (_m *MockRuntime) UpdatePodCIDR(ctx context.Context, podCIDR string) error {
-	ret := _m.Called(ctx, podCIDR)
-
-	if len(ret) == 0 {
-		panic("no return value specified for UpdatePodCIDR")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context, string) error); ok {
-		r0 = rf(ctx, podCIDR)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockRuntime_UpdatePodCIDR_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePodCIDR'
-type MockRuntime_UpdatePodCIDR_Call struct {
-	*mock.Call
-}
-
-// UpdatePodCIDR is a helper method to define mock.On call
-//   - ctx context.Context
-//   - podCIDR string
-func (_e *MockRuntime_Expecter) UpdatePodCIDR(ctx interface{}, podCIDR interface{}) *MockRuntime_UpdatePodCIDR_Call {
-	return &MockRuntime_UpdatePodCIDR_Call{Call: _e.mock.On("UpdatePodCIDR", ctx, podCIDR)}
-}
-
-func (_c *MockRuntime_UpdatePodCIDR_Call) Run(run func(ctx context.Context, podCIDR string)) *MockRuntime_UpdatePodCIDR_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_UpdatePodCIDR_Call) Return(_a0 error) *MockRuntime_UpdatePodCIDR_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockRuntime_UpdatePodCIDR_Call) RunAndReturn(run func(context.Context, string) error) *MockRuntime_UpdatePodCIDR_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Version provides a mock function with given fields: ctx
-func (_m *MockRuntime) Version(ctx context.Context) (container.Version, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Version")
-	}
-
-	var r0 container.Version
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (container.Version, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) container.Version); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(container.Version)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockRuntime_Version_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Version'
-type MockRuntime_Version_Call struct {
-	*mock.Call
-}
-
-// Version is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockRuntime_Expecter) Version(ctx interface{}) *MockRuntime_Version_Call {
-	return &MockRuntime_Version_Call{Call: _e.mock.On("Version", ctx)}
-}
-
-func (_c *MockRuntime_Version_Call) Run(run func(ctx context.Context)) *MockRuntime_Version_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockRuntime_Version_Call) Return(_a0 container.Version, _a1 error) *MockRuntime_Version_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockRuntime_Version_Call) RunAndReturn(run func(context.Context) (container.Version, error)) *MockRuntime_Version_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockRuntime creates a new instance of MockRuntime. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockRuntime(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockRuntime {
-	mock := &MockRuntime{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/events/event.go b/pkg/kubelet/events/event.go
index 3b3d13705ff5e..209cb07639760 100644
--- a/pkg/kubelet/events/event.go
+++ b/pkg/kubelet/events/event.go
@@ -30,13 +30,16 @@ const (
 
 // Pod event reason list
 const (
-	FailedToKillPod                = "FailedKillPod"
-	FailedToCreatePodContainer     = "FailedCreatePodContainer"
-	FailedToMakePodDataDirectories = "Failed"
-	NetworkNotReady                = "NetworkNotReady"
-	ResizeDeferred                 = "ResizeDeferred"
-	ResizeInfeasible               = "ResizeInfeasible"
-	ResizeCompleted                = "ResizeCompleted"
+	FailedToKillPod                 = "FailedKillPod"
+	FailedToCreatePodContainer      = "FailedCreatePodContainer"
+	FailedToMakePodDataDirectories  = "Failed"
+	NetworkNotReady                 = "NetworkNotReady"
+	ResizeDeferred                  = "ResizeDeferred"
+	ResizeInfeasible                = "ResizeInfeasible"
+	ResizeCompleted                 = "ResizeCompleted"
+	ResizeStarted                   = "ResizeStarted"
+	ResizeError                     = "ResizeError"
+	FailedNodeDeclaredFeaturesCheck = "FailedNodeDeclaredFeaturesCheck"
 )
 
 // Image event reason list
diff --git a/pkg/kubelet/events/resize.go b/pkg/kubelet/events/resize.go
new file mode 100644
index 0000000000000..1d3ea45cafd3d
--- /dev/null
+++ b/pkg/kubelet/events/resize.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package events
+
+import (
+	"encoding/json"
+	"fmt"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
+	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/kubelet/util/format"
+)
+
+type containerAllocation struct {
+	Name      string                  `json:"name"`
+	Resources v1.ResourceRequirements `json:"resources,omitempty"`
+}
+
+type podResourceSummary struct {
+	// TODO: resources v1.ResourceRequirements, add pod-level resources here once resizing pod-level resources is supported
+	InitContainers []containerAllocation `json:"initContainers,omitempty"`
+	Containers     []containerAllocation `json:"containers,omitempty"`
+	Generation     int64                 `json:"generation"`
+	Error          string                `json:"error,omitempty"`
+}
+
+// PodResizeCompletedMsg generates the pod resize completed event message.
+func PodResizeCompletedMsg(allocatedPod *v1.Pod, generation int64) string {
+	return podResizeMessage(allocatedPod, generation, "", "Pod resize completed")
+}
+
+// PodResizeStartedMsg generates the pod resize in progress event message.
+func PodResizeStartedMsg(allocatedPod *v1.Pod, generation int64) string {
+	return podResizeMessage(allocatedPod, generation, "", "Pod resize started")
+}
+
+// PodResizeErrorMsg generates the pod resize in progress error event message.
+func PodResizeErrorMsg(allocatedPod *v1.Pod, generation int64, errorMsg string) string {
+	return podResizeMessage(allocatedPod, generation, errorMsg, "Pod resize error")
+}
+
+// PodResizePendingMsg generates the pod resize pending event message.
+func PodResizePendingMsg(pod *v1.Pod, reason, message string, generation int64) string {
+	return podResizeMessage(pod, generation, message, fmt.Sprintf("Pod resize %s", reason))
+}
+
+func podResizeMessage(pod *v1.Pod, generation int64, errorMsg, messagePrefix string) string {
+	resources, err := makeResourceSummaryFromSpec(pod, generation, errorMsg)
+	if err != nil {
+		return messagePrefix
+	}
+	return fmt.Sprintf("%s: %s", messagePrefix, resources)
+
+}
+
+// Returns the desired resources from the podspec.
+func makeResourceSummaryFromSpec(pod *v1.Pod, generation int64, errorMessage string) (string, error) {
+	specResources := &podResourceSummary{Generation: generation, Error: errorMessage}
+	for container, containerType := range podutil.ContainerIter(&pod.Spec, podutil.InitContainers|podutil.Containers) {
+		allocation := containerAllocation{
+			Name:      container.Name,
+			Resources: container.Resources,
+		}
+		switch containerType {
+		case podutil.InitContainers:
+			specResources.InitContainers = append(specResources.InitContainers, allocation)
+		case podutil.Containers:
+			specResources.Containers = append(specResources.Containers, allocation)
+		}
+	}
+
+	message, err := json.Marshal(specResources)
+	if err != nil {
+		klog.ErrorS(err, "Failed to serialize resource summary", "pod", format.Pod(pod))
+		return "", err
+	}
+	return string(message), nil
+}
diff --git a/pkg/kubelet/events/resize_test.go b/pkg/kubelet/events/resize_test.go
new file mode 100644
index 0000000000000..1dc9c38fa36df
--- /dev/null
+++ b/pkg/kubelet/events/resize_test.go
@@ -0,0 +1,345 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package events
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
+)
+
+func TestPodResizeCompletedMsg(t *testing.T) {
+	tests := []struct {
+		name               string
+		containers         []testContainer
+		observedGeneration int64
+		expected           string
+	}{{
+		name: "simple running container",
+		containers: []testContainer{{
+			resources: testResources{100, 100, 100, 100},
+		}},
+		observedGeneration: 1,
+		expected:           `Pod resize completed: {"containers":[{"name":"c0","resources":{"limits":{"cpu":"100m","memory":"100"},"requests":{"cpu":"100m","memory":"100"}}}],"generation":1}`,
+	}, {
+		name: "several containers",
+		containers: []testContainer{{
+			resources: testResources{cpuReq: 100, cpuLim: 200},
+			sidecar:   true,
+		}, {
+			resources: testResources{memReq: 100, memLim: 200},
+		}, {
+			resources: testResources{cpuReq: 200, memReq: 100},
+		}},
+		observedGeneration: 2,
+		expected:           `Pod resize completed: {"initContainers":[{"name":"c0","resources":{"limits":{"cpu":"200m"},"requests":{"cpu":"100m"}}}],"containers":[{"name":"c1","resources":{"limits":{"memory":"200"},"requests":{"memory":"100"}}},{"name":"c2","resources":{"requests":{"cpu":"200m","memory":"100"}}}],"generation":2}`,
+	}, {
+		name: "best-effort pod",
+		containers: []testContainer{{
+			resources: testResources{},
+		}},
+		observedGeneration: 3,
+		expected:           `Pod resize completed: {"containers":[{"name":"c0","resources":{}}],"generation":3}`,
+	}}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+
+			for i, c := range test.containers {
+				// Add the container to the pod
+				container := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					pod.Spec.InitContainers = append(pod.Spec.InitContainers, container)
+				} else {
+					pod.Spec.Containers = append(pod.Spec.Containers, container)
+				}
+			}
+
+			msg := PodResizeCompletedMsg(pod, test.observedGeneration)
+			assert.Equal(t, test.expected, msg)
+		})
+	}
+}
+
+func TestPodResizeStartedMsg(t *testing.T) {
+	tests := []struct {
+		name               string
+		allocated          []testContainer
+		actual             []testContainer
+		observedGeneration int64
+		expected           string
+	}{
+		{
+			name:               "simple running container",
+			allocated:          []testContainer{{resources: testResources{100, 100, 100, 100}}},
+			actual:             []testContainer{{resources: testResources{50, 50, 50, 50}}},
+			observedGeneration: 1,
+			expected:           `Pod resize started: {"containers":[{"name":"c0","resources":{"limits":{"cpu":"100m","memory":"100"},"requests":{"cpu":"100m","memory":"100"}}}],"generation":1}`,
+		}, {
+			name: "several containers",
+			allocated: []testContainer{
+				{resources: testResources{cpuReq: 100, cpuLim: 200}, sidecar: true},
+				{resources: testResources{memReq: 100, memLim: 200}},
+				{resources: testResources{cpuReq: 200, memReq: 100}},
+			},
+			actual: []testContainer{
+				{resources: testResources{cpuReq: 50, cpuLim: 100}, sidecar: true},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+			},
+			observedGeneration: 2,
+			expected:           `Pod resize started: {"initContainers":[{"name":"c0","resources":{"limits":{"cpu":"200m"},"requests":{"cpu":"100m"}}}],"containers":[{"name":"c1","resources":{"limits":{"memory":"200"},"requests":{"memory":"100"}}},{"name":"c2","resources":{"requests":{"cpu":"200m","memory":"100"}}}],"generation":2}`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			allocatedPod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+
+			for i, c := range test.actual {
+				actual := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					allocatedPod.Status.InitContainerStatuses = append(allocatedPod.Status.InitContainerStatuses, v1.ContainerStatus{
+						Name:      actual.Name,
+						Resources: &actual.Resources,
+					})
+				} else {
+					allocatedPod.Status.ContainerStatuses = append(allocatedPod.Status.ContainerStatuses, v1.ContainerStatus{
+						Name:      actual.Name,
+						Resources: &actual.Resources,
+					})
+				}
+			}
+
+			for i, c := range test.allocated {
+				allocated := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					allocatedPod.Spec.InitContainers = append(allocatedPod.Spec.InitContainers, allocated)
+				} else {
+					allocatedPod.Spec.Containers = append(allocatedPod.Spec.Containers, allocated)
+				}
+			}
+
+			msg := PodResizeStartedMsg(allocatedPod, test.observedGeneration)
+			assert.Equal(t, test.expected, msg)
+		})
+	}
+}
+
+func TestPodResizeErrorMsg(t *testing.T) {
+	tests := []struct {
+		name               string
+		allocated          []testContainer
+		actual             []testContainer
+		observedGeneration int64
+		errMsg             string
+		expected           string
+	}{
+		{
+			name:               "simple running container",
+			allocated:          []testContainer{{resources: testResources{100, 100, 100, 100}}},
+			actual:             []testContainer{{resources: testResources{50, 50, 50, 50}}},
+			observedGeneration: 1,
+			errMsg:             "some error occurred",
+			expected:           `Pod resize error: {"containers":[{"name":"c0","resources":{"limits":{"cpu":"100m","memory":"100"},"requests":{"cpu":"100m","memory":"100"}}}],"generation":1,"error":"some error occurred"}`,
+		}, {
+			name: "several containers",
+			allocated: []testContainer{
+				{resources: testResources{cpuReq: 100, cpuLim: 200}, sidecar: true},
+				{resources: testResources{memReq: 100, memLim: 200}},
+				{resources: testResources{cpuReq: 200, memReq: 100}},
+			},
+			actual: []testContainer{
+				{resources: testResources{cpuReq: 50, cpuLim: 100}, sidecar: true},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+			},
+			observedGeneration: 2,
+			errMsg:             "some error occurred",
+			expected:           `Pod resize error: {"initContainers":[{"name":"c0","resources":{"limits":{"cpu":"200m"},"requests":{"cpu":"100m"}}}],"containers":[{"name":"c1","resources":{"limits":{"memory":"200"},"requests":{"memory":"100"}}},{"name":"c2","resources":{"requests":{"cpu":"200m","memory":"100"}}}],"generation":2,"error":"some error occurred"}`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			allocatedPod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+
+			for i, c := range test.actual {
+				actual := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					allocatedPod.Status.InitContainerStatuses = append(allocatedPod.Status.InitContainerStatuses, v1.ContainerStatus{
+						Name:      actual.Name,
+						Resources: &actual.Resources,
+					})
+				} else {
+					allocatedPod.Status.ContainerStatuses = append(allocatedPod.Status.ContainerStatuses, v1.ContainerStatus{
+						Name:      actual.Name,
+						Resources: &actual.Resources,
+					})
+				}
+			}
+
+			for i, c := range test.allocated {
+				allocated := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					allocatedPod.Spec.InitContainers = append(allocatedPod.Spec.InitContainers, allocated)
+				} else {
+					allocatedPod.Spec.Containers = append(allocatedPod.Spec.Containers, allocated)
+				}
+			}
+
+			msg := PodResizeErrorMsg(allocatedPod, test.observedGeneration, test.errMsg)
+			assert.Equal(t, test.expected, msg)
+		})
+	}
+}
+
+func TestPodResizePendingMsg(t *testing.T) {
+	tests := []struct {
+		name               string
+		desired            []testContainer
+		allocated          []testContainer
+		reason             string
+		message            string
+		observedGeneration int64
+		expected           string
+	}{
+		{
+			name:               "simple running container",
+			desired:            []testContainer{{resources: testResources{100, 100, 100, 100}}},
+			allocated:          []testContainer{{resources: testResources{50, 50, 50, 50}}},
+			observedGeneration: 1,
+			reason:             "Deferred",
+			message:            "Node didn't have enough resource: memory",
+			expected:           `Pod resize Deferred: {"containers":[{"name":"c0","resources":{"limits":{"cpu":"100m","memory":"100"},"requests":{"cpu":"100m","memory":"100"}}}],"generation":1,"error":"Node didn't have enough resource: memory"}`,
+		}, {
+			name: "several containers",
+			desired: []testContainer{
+				{resources: testResources{cpuReq: 100, cpuLim: 200}, sidecar: true},
+				{resources: testResources{memReq: 100, memLim: 200}},
+				{resources: testResources{cpuReq: 200, memReq: 100}},
+			},
+			allocated: []testContainer{
+				{resources: testResources{cpuReq: 50, cpuLim: 100}, sidecar: true},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+				{resources: testResources{cpuReq: 50, cpuLim: 100}},
+			},
+			observedGeneration: 2,
+			reason:             "Infeasible",
+			message:            "In-place resize of containers with swap is not supported",
+			expected:           `Pod resize Infeasible: {"initContainers":[{"name":"c0","resources":{"limits":{"cpu":"200m"},"requests":{"cpu":"100m"}}}],"containers":[{"name":"c1","resources":{"limits":{"memory":"200"},"requests":{"memory":"100"}}},{"name":"c2","resources":{"requests":{"cpu":"200m","memory":"100"}}}],"generation":2,"error":"In-place resize of containers with swap is not supported"}`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			allocatedPod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+
+			for i, c := range test.allocated {
+				allocated := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					allocatedPod.Spec.InitContainers = append(allocatedPod.Spec.InitContainers, allocated)
+				} else {
+					allocatedPod.Spec.Containers = append(allocatedPod.Spec.Containers, allocated)
+				}
+			}
+
+			for i, c := range test.desired {
+				desired := mkContainer(i, c.resources, c.sidecar)
+				if c.nonSidecarInit || c.sidecar {
+					pod.Spec.InitContainers = append(pod.Spec.InitContainers, desired)
+				} else {
+					pod.Spec.Containers = append(pod.Spec.Containers, desired)
+				}
+			}
+
+			msg := PodResizePendingMsg(pod, test.reason, test.message, test.observedGeneration)
+			assert.Equal(t, test.expected, msg)
+		})
+	}
+}
+
+type testResources struct {
+	cpuReq, cpuLim, memReq, memLim int64
+}
+type testContainer struct {
+	resources               testResources
+	nonSidecarInit, sidecar bool
+}
+
+func mkRequirements(r testResources) v1.ResourceRequirements {
+	res := v1.ResourceRequirements{
+		Requests: v1.ResourceList{},
+		Limits:   v1.ResourceList{},
+	}
+	if r.cpuReq != 0 {
+		res.Requests[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuReq, resource.DecimalSI)
+	}
+	if r.cpuLim != 0 {
+		res.Limits[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuLim, resource.DecimalSI)
+	}
+	if r.memReq != 0 {
+		res.Requests[v1.ResourceMemory] = *resource.NewQuantity(r.memReq, resource.DecimalSI)
+	}
+	if r.memLim != 0 {
+		res.Limits[v1.ResourceMemory] = *resource.NewQuantity(r.memLim, resource.DecimalSI)
+	}
+	return res
+}
+
+func mkContainer(index int, resources testResources, sidecar bool) v1.Container {
+	container := v1.Container{
+		Name:      fmt.Sprintf("c%d", index),
+		Resources: mkRequirements(resources),
+	}
+	if sidecar {
+		container.RestartPolicy = ptr.To(v1.ContainerRestartPolicyAlways)
+	}
+	return container
+}
diff --git a/pkg/kubelet/eviction/.mockery.yaml b/pkg/kubelet/eviction/.mockery.yaml
index e179b752c1d53..2e8830bc17d1d 100644
--- a/pkg/kubelet/eviction/.mockery.yaml
+++ b/pkg/kubelet/eviction/.mockery.yaml
@@ -1,12 +1,12 @@
 ---
 dir: .
-filename: "mock_{{.InterfaceName | snakecase}}_test.go"
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-inpackage: true
-with-expecter: true
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/eviction:
     interfaces:
-      CgroupNotifier:
-      NotifierFactory:
-      ThresholdNotifier:
+      CgroupNotifier: {}
+      NotifierFactory: {}
+      ThresholdNotifier: {}
diff --git a/pkg/kubelet/eviction/eviction_manager.go b/pkg/kubelet/eviction/eviction_manager.go
index cb981dbb7e8e3..556c0d2a7c4df 100644
--- a/pkg/kubelet/eviction/eviction_manager.go
+++ b/pkg/kubelet/eviction/eviction_manager.go
@@ -146,6 +146,10 @@ func NewManager(
 func (m *managerImpl) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult {
 	m.RLock()
 	defer m.RUnlock()
+
+	ctx := context.Background()
+	logger := klog.FromContext(ctx)
+
 	if len(m.nodeConditions) == 0 {
 		return lifecycle.PodAdmitResult{Admit: true}
 	}
@@ -165,10 +169,10 @@ func (m *managerImpl) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAd
 
 		// When node has memory pressure, check BestEffort Pod's toleration:
 		// admit it if tolerates memory pressure taint, fail for other tolerations, e.g. DiskPressure.
-		if corev1helpers.TolerationsTolerateTaint(attrs.Pod.Spec.Tolerations, &v1.Taint{
+		if corev1helpers.TolerationsTolerateTaint(logger, attrs.Pod.Spec.Tolerations, &v1.Taint{
 			Key:    v1.TaintNodeMemoryPressure,
 			Effect: v1.TaintEffectNoSchedule,
-		}) {
+		}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators)) {
 			return lifecycle.PodAdmitResult{Admit: true}
 		}
 	}
@@ -181,20 +185,21 @@ func (m *managerImpl) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAd
 }
 
 // Start starts the control loop to observe and response to low compute resources.
-func (m *managerImpl) Start(diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc, podCleanedUpFunc PodCleanedUpFunc, monitoringInterval time.Duration) {
+func (m *managerImpl) Start(ctx context.Context, diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc, podCleanedUpFunc PodCleanedUpFunc, monitoringInterval time.Duration) {
+	logger := klog.FromContext(ctx)
 	thresholdHandler := func(message string) {
-		klog.InfoS(message)
-		m.synchronize(diskInfoProvider, podFunc)
+		logger.Info(message)
+		_, _ = m.synchronize(ctx, diskInfoProvider, podFunc)
 	}
-	klog.InfoS("Eviction manager: starting control loop")
+	logger.Info("Eviction manager: starting control loop")
 	if m.config.KernelMemcgNotification || runtime.GOOS == "windows" {
 		for _, threshold := range m.config.Thresholds {
 			if threshold.Signal == evictionapi.SignalMemoryAvailable || threshold.Signal == evictionapi.SignalAllocatableMemoryAvailable {
-				notifier, err := NewMemoryThresholdNotifier(threshold, m.config.PodCgroupRoot, &CgroupNotifierFactory{}, thresholdHandler)
+				notifier, err := NewMemoryThresholdNotifier(logger, threshold, m.config.PodCgroupRoot, &CgroupNotifierFactory{}, thresholdHandler)
 				if err != nil {
-					klog.InfoS("Eviction manager: failed to create memory threshold notifier", "err", err)
+					logger.Info("Eviction manager: failed to create memory threshold notifier", "err", err)
 				} else {
-					go notifier.Start()
+					go notifier.Start(ctx)
 					m.thresholdNotifiers = append(m.thresholdNotifiers, notifier)
 				}
 			}
@@ -203,13 +208,13 @@ func (m *managerImpl) Start(diskInfoProvider DiskInfoProvider, podFunc ActivePod
 	// start the eviction manager monitoring
 	go func() {
 		for {
-			evictedPods, err := m.synchronize(diskInfoProvider, podFunc)
+			evictedPods, err := m.synchronize(ctx, diskInfoProvider, podFunc)
 			if evictedPods != nil && err == nil {
-				klog.InfoS("Eviction manager: pods evicted, waiting for pod to be cleaned up", "pods", klog.KObjSlice(evictedPods))
-				m.waitForPodsCleanup(podCleanedUpFunc, evictedPods)
+				logger.Info("Eviction manager: pods evicted, waiting for pod to be cleaned up", "pods", klog.KObjSlice(evictedPods))
+				m.waitForPodsCleanup(logger, podCleanedUpFunc, evictedPods)
 			} else {
 				if err != nil {
-					klog.ErrorS(err, "Eviction manager: failed to synchronize")
+					logger.Error(err, "Eviction manager: failed to synchronize")
 				}
 				time.Sleep(monitoringInterval)
 			}
@@ -240,15 +245,15 @@ func (m *managerImpl) IsUnderPIDPressure() bool {
 
 // synchronize is the main control loop that enforces eviction thresholds.
 // Returns the pod that was killed, or nil if no pod was killed.
-func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc) ([]*v1.Pod, error) {
-	ctx := context.Background()
+func (m *managerImpl) synchronize(ctx context.Context, diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc) ([]*v1.Pod, error) {
+	logger := klog.FromContext(ctx)
 	// if we have nothing to do, just return
 	thresholds := m.config.Thresholds
 	if len(thresholds) == 0 && !m.localStorageCapacityIsolation {
 		return nil, nil
 	}
 
-	klog.V(3).InfoS("Eviction manager: synchronize housekeeping")
+	logger.V(3).Info("Eviction manager: synchronize housekeeping")
 	// build the ranking functions (if not yet known)
 	// TODO: have a function in cadvisor that lets us know if global housekeeping has completed
 	if m.dedicatedImageFs == nil {
@@ -256,7 +261,7 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 		if imageFsErr != nil {
 			// TODO: This should be refactored to log an error and retry the HasDedicatedImageFs
 			// If we have a transient error this will never be retried and we will not set eviction signals
-			klog.ErrorS(imageFsErr, "Eviction manager: failed to get HasDedicatedImageFs")
+			logger.Error(imageFsErr, "Eviction manager: failed to get HasDedicatedImageFs")
 			return nil, fmt.Errorf("eviction manager: failed to get HasDedicatedImageFs: %w", imageFsErr)
 		}
 		m.dedicatedImageFs = &hasImageFs
@@ -264,7 +269,7 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 		if splitErr != nil {
 			// A common error case is when there is no split filesystem
 			// there is an error finding the split filesystem label and we want to ignore these errors
-			klog.ErrorS(splitErr, "eviction manager: failed to check if we have separate container filesystem. Ignoring.")
+			logger.Error(splitErr, "eviction manager: failed to check if we have separate container filesystem. Ignoring.")
 		}
 
 		// If we are a split filesystem but the feature is turned off
@@ -277,45 +282,45 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 		thresholds, err := UpdateContainerFsThresholds(m.config.Thresholds, hasImageFs, splitContainerImageFs)
 		m.config.Thresholds = thresholds
 		if err != nil {
-			klog.ErrorS(err, "eviction manager: found conflicting containerfs eviction. Ignoring.")
+			logger.Error(err, "eviction manager: found conflicting containerfs eviction. Ignoring.")
 		}
 		m.splitContainerImageFs = &splitContainerImageFs
 		m.signalToRankFunc = buildSignalToRankFunc(hasImageFs, splitContainerImageFs)
 		m.signalToNodeReclaimFuncs = buildSignalToNodeReclaimFuncs(m.imageGC, m.containerGC, hasImageFs, splitContainerImageFs)
 	}
 
-	klog.V(3).InfoS("FileSystem detection", "DedicatedImageFs", m.dedicatedImageFs, "SplitImageFs", m.splitContainerImageFs)
+	logger.V(3).Info("FileSystem detection", "DedicatedImageFs", m.dedicatedImageFs, "SplitImageFs", m.splitContainerImageFs)
 	activePods := podFunc()
 	updateStats := true
 	summary, err := m.summaryProvider.Get(ctx, updateStats)
 	if err != nil {
-		klog.ErrorS(err, "Eviction manager: failed to get summary stats")
+		logger.Error(err, "Eviction manager: failed to get summary stats")
 		return nil, nil
 	}
 
 	if m.clock.Since(m.thresholdsLastUpdated) > notifierRefreshInterval {
 		m.thresholdsLastUpdated = m.clock.Now()
 		for _, notifier := range m.thresholdNotifiers {
-			if err := notifier.UpdateThreshold(summary); err != nil {
-				klog.InfoS("Eviction manager: failed to update notifier", "notifier", notifier.Description(), "err", err)
+			if err := notifier.UpdateThreshold(ctx, summary); err != nil {
+				logger.Info("Eviction manager: failed to update notifier", "notifier", notifier.Description(), "err", err)
 			}
 		}
 	}
 
 	// make observations and get a function to derive pod usage stats relative to those observations.
-	observations, statsFunc := makeSignalObservations(summary)
-	debugLogObservations("observations", observations)
+	observations, statsFunc := makeSignalObservations(logger, summary)
+	debugLogObservations(logger, "observations", observations)
 
 	// determine the set of thresholds met independent of grace period
-	thresholds = thresholdsMet(thresholds, observations, false)
-	debugLogThresholdsWithObservation("thresholds - ignoring grace period", thresholds, observations)
+	thresholds = thresholdsMet(logger, thresholds, observations, false)
+	debugLogThresholdsWithObservation(logger, "thresholds - ignoring grace period", thresholds, observations)
 
 	// determine the set of thresholds previously met that have not yet satisfied the associated min-reclaim
 	if len(m.thresholdsMet) > 0 {
-		thresholdsNotYetResolved := thresholdsMet(m.thresholdsMet, observations, true)
+		thresholdsNotYetResolved := thresholdsMet(logger, m.thresholdsMet, observations, true)
 		thresholds = mergeThresholds(thresholds, thresholdsNotYetResolved)
 	}
-	debugLogThresholdsWithObservation("thresholds - reclaim not satisfied", thresholds, observations)
+	debugLogThresholdsWithObservation(logger, "thresholds - reclaim not satisfied", thresholds, observations)
 
 	// track when a threshold was first observed
 	now := m.clock.Now()
@@ -324,7 +329,7 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 	// the set of node conditions that are triggered by currently observed thresholds
 	nodeConditions := nodeConditions(thresholds)
 	if len(nodeConditions) > 0 {
-		klog.V(3).InfoS("Eviction manager: node conditions - observed", "nodeCondition", nodeConditions)
+		logger.V(3).Info("Eviction manager: node conditions - observed", "nodeCondition", nodeConditions)
 	}
 
 	// track when a node condition was last observed
@@ -333,12 +338,12 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 	// node conditions report true if it has been observed within the transition period window
 	nodeConditions = nodeConditionsObservedSince(nodeConditionsLastObservedAt, m.config.PressureTransitionPeriod, now)
 	if len(nodeConditions) > 0 {
-		klog.V(3).InfoS("Eviction manager: node conditions - transition period not met", "nodeCondition", nodeConditions)
+		logger.V(3).Info("Eviction manager: node conditions - transition period not met", "nodeCondition", nodeConditions)
 	}
 
 	// determine the set of thresholds we need to drive eviction behavior (i.e. all grace periods are met)
-	thresholds = thresholdsMetGracePeriod(thresholdsFirstObservedAt, now)
-	debugLogThresholdsWithObservation("thresholds - grace periods satisfied", thresholds, observations)
+	thresholds = thresholdsMetGracePeriod(logger, thresholdsFirstObservedAt, now)
+	debugLogThresholdsWithObservation(logger, "thresholds - grace periods satisfied", thresholds, observations)
 
 	// update internal state
 	m.Lock()
@@ -348,8 +353,8 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 	m.thresholdsMet = thresholds
 
 	// determine the set of thresholds whose stats have been updated since the last sync
-	thresholds = thresholdsUpdatedStats(thresholds, observations, m.lastObservations)
-	debugLogThresholdsWithObservation("thresholds - updated stats", thresholds, observations)
+	thresholds = thresholdsUpdatedStats(logger, thresholds, observations, m.lastObservations)
+	debugLogThresholdsWithObservation(logger, "thresholds - updated stats", thresholds, observations)
 
 	m.lastObservations = observations
 	m.Unlock()
@@ -357,52 +362,52 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 	// evict pods if there is a resource usage violation from local volume temporary storage
 	// If eviction happens in localStorageEviction function, skip the rest of eviction action
 	if m.localStorageCapacityIsolation {
-		if evictedPods := m.localStorageEviction(activePods, statsFunc); len(evictedPods) > 0 {
+		if evictedPods := m.localStorageEviction(logger, activePods, statsFunc); len(evictedPods) > 0 {
 			return evictedPods, nil
 		}
 	}
 
 	if len(thresholds) == 0 {
-		klog.V(3).InfoS("Eviction manager: no resources are starved")
+		logger.V(3).Info("Eviction manager: no resources are starved")
 		return nil, nil
 	}
 
 	// rank the thresholds by eviction priority
 	sort.Sort(byEvictionPriority(thresholds))
-	thresholdToReclaim, resourceToReclaim, foundAny := getReclaimableThreshold(thresholds)
+	thresholdToReclaim, resourceToReclaim, foundAny := getReclaimableThreshold(logger, thresholds)
 	if !foundAny {
 		return nil, nil
 	}
-	klog.InfoS("Eviction manager: attempting to reclaim", "resourceName", resourceToReclaim)
+	logger.Info("Eviction manager: attempting to reclaim", "resourceName", resourceToReclaim)
 
 	// record an event about the resources we are now attempting to reclaim via eviction
 	m.recorder.Eventf(m.nodeRef, v1.EventTypeWarning, "EvictionThresholdMet", "Attempting to reclaim %s", resourceToReclaim)
 
 	// check if there are node-level resources we can reclaim to reduce pressure before evicting end-user pods.
 	if m.reclaimNodeLevelResources(ctx, thresholdToReclaim.Signal, resourceToReclaim) {
-		klog.InfoS("Eviction manager: able to reduce resource pressure without evicting pods.", "resourceName", resourceToReclaim)
+		logger.Info("Eviction manager: able to reduce resource pressure without evicting pods.", "resourceName", resourceToReclaim)
 		return nil, nil
 	}
 
-	klog.InfoS("Eviction manager: must evict pod(s) to reclaim", "resourceName", resourceToReclaim)
+	logger.Info("Eviction manager: must evict pod(s) to reclaim", "resourceName", resourceToReclaim)
 
 	// rank the pods for eviction
 	rank, ok := m.signalToRankFunc[thresholdToReclaim.Signal]
 	if !ok {
-		klog.ErrorS(nil, "Eviction manager: no ranking function for signal", "threshold", thresholdToReclaim.Signal)
+		logger.Error(nil, "Eviction manager: no ranking function for signal", "threshold", thresholdToReclaim.Signal)
 		return nil, nil
 	}
 
 	// the only candidates viable for eviction are those pods that had anything running.
 	if len(activePods) == 0 {
-		klog.ErrorS(nil, "Eviction manager: eviction thresholds have been met, but no pods are active to evict")
+		logger.Error(nil, "Eviction manager: eviction thresholds have been met, but no pods are active to evict")
 		return nil, nil
 	}
 
 	// rank the running pods for eviction for the specified resource
 	rank(activePods, statsFunc)
 
-	klog.InfoS("Eviction manager: pods ranked for eviction", "pods", klog.KObjSlice(activePods))
+	logger.Info("Eviction manager: pods ranked for eviction", "pods", klog.KObjSlice(activePods))
 
 	//record age of metrics for met thresholds that we are using for evictions.
 	for _, t := range thresholds {
@@ -418,7 +423,7 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 		gracePeriodOverride := int64(immediateEvictionGracePeriodSeconds)
 		if !isHardEvictionThreshold(thresholdToReclaim) {
 			gracePeriodOverride = m.config.MaxPodGracePeriodSeconds
-			if pod.Spec.TerminationGracePeriodSeconds != nil && !utilfeature.DefaultFeatureGate.Enabled(features.AllowOverwriteTerminationGracePeriodSeconds) {
+			if pod.Spec.TerminationGracePeriodSeconds != nil {
 				gracePeriodOverride = min(m.config.MaxPodGracePeriodSeconds, *pod.Spec.TerminationGracePeriodSeconds)
 			}
 		}
@@ -431,16 +436,16 @@ func (m *managerImpl) synchronize(diskInfoProvider DiskInfoProvider, podFunc Act
 			Reason:             v1.PodReasonTerminationByKubelet,
 			Message:            message,
 		}
-		if m.evictPod(pod, gracePeriodOverride, message, annotations, condition) {
+		if m.evictPod(logger, pod, gracePeriodOverride, message, annotations, condition) {
 			metrics.Evictions.WithLabelValues(string(thresholdToReclaim.Signal)).Inc()
 			return []*v1.Pod{pod}, nil
 		}
 	}
-	klog.InfoS("Eviction manager: unable to evict any pods from the node")
+	logger.Info("Eviction manager: unable to evict any pods from the node")
 	return nil, nil
 }
 
-func (m *managerImpl) waitForPodsCleanup(podCleanedUpFunc PodCleanedUpFunc, pods []*v1.Pod) {
+func (m *managerImpl) waitForPodsCleanup(logger klog.Logger, podCleanedUpFunc PodCleanedUpFunc, pods []*v1.Pod) {
 	timeout := m.clock.NewTimer(podCleanupTimeout)
 	defer timeout.Stop()
 	ticker := m.clock.NewTicker(podCleanupPollFreq)
@@ -448,7 +453,7 @@ func (m *managerImpl) waitForPodsCleanup(podCleanedUpFunc PodCleanedUpFunc, pods
 	for {
 		select {
 		case <-timeout.C():
-			klog.InfoS("Eviction manager: timed out waiting for pods to be cleaned up", "pods", klog.KObjSlice(pods))
+			logger.Info("Eviction manager: timed out waiting for pods to be cleaned up", "pods", klog.KObjSlice(pods))
 			return
 		case <-ticker.C():
 			for i, pod := range pods {
@@ -456,7 +461,7 @@ func (m *managerImpl) waitForPodsCleanup(podCleanedUpFunc PodCleanedUpFunc, pods
 					break
 				}
 				if i == len(pods)-1 {
-					klog.InfoS("Eviction manager: pods successfully cleaned up", "pods", klog.KObjSlice(pods))
+					logger.Info("Eviction manager: pods successfully cleaned up", "pods", klog.KObjSlice(pods))
 					return
 				}
 			}
@@ -466,29 +471,30 @@ func (m *managerImpl) waitForPodsCleanup(podCleanedUpFunc PodCleanedUpFunc, pods
 
 // reclaimNodeLevelResources attempts to reclaim node level resources.  returns true if thresholds were satisfied and no pod eviction is required.
 func (m *managerImpl) reclaimNodeLevelResources(ctx context.Context, signalToReclaim evictionapi.Signal, resourceToReclaim v1.ResourceName) bool {
+	logger := klog.FromContext(ctx)
 	nodeReclaimFuncs := m.signalToNodeReclaimFuncs[signalToReclaim]
 	for _, nodeReclaimFunc := range nodeReclaimFuncs {
 		// attempt to reclaim the pressured resource.
 		if err := nodeReclaimFunc(ctx); err != nil {
-			klog.InfoS("Eviction manager: unexpected error when attempting to reduce resource pressure", "resourceName", resourceToReclaim, "err", err)
+			logger.Info("Eviction manager: unexpected error when attempting to reduce resource pressure", "resourceName", resourceToReclaim, "err", err)
 		}
 
 	}
 	if len(nodeReclaimFuncs) > 0 {
 		summary, err := m.summaryProvider.Get(ctx, true)
 		if err != nil {
-			klog.ErrorS(err, "Eviction manager: failed to get summary stats after resource reclaim")
+			logger.Error(err, "Eviction manager: failed to get summary stats after resource reclaim")
 			return false
 		}
 
 		// make observations and get a function to derive pod usage stats relative to those observations.
-		observations, _ := makeSignalObservations(summary)
-		debugLogObservations("observations after resource reclaim", observations)
+		observations, _ := makeSignalObservations(logger, summary)
+		debugLogObservations(logger, "observations after resource reclaim", observations)
 
 		// evaluate all thresholds independently of their grace period to see if with
 		// the new observations, we think we have met min reclaim goals
-		thresholds := thresholdsMet(m.config.Thresholds, observations, true)
-		debugLogThresholdsWithObservation("thresholds after resource reclaim - ignoring grace period", thresholds, observations)
+		thresholds := thresholdsMet(logger, m.config.Thresholds, observations, true)
+		debugLogThresholdsWithObservation(logger, "thresholds after resource reclaim - ignoring grace period", thresholds, observations)
 
 		if len(thresholds) == 0 {
 			return true
@@ -499,7 +505,7 @@ func (m *managerImpl) reclaimNodeLevelResources(ctx context.Context, signalToRec
 
 // localStorageEviction checks the EmptyDir volume usage for each pod and determine whether it exceeds the specified limit and needs
 // to be evicted. It also checks every container in the pod, if the container overlay usage exceeds the limit, the pod will be evicted too.
-func (m *managerImpl) localStorageEviction(pods []*v1.Pod, statsFunc statsFunc) []*v1.Pod {
+func (m *managerImpl) localStorageEviction(logger klog.Logger, pods []*v1.Pod, statsFunc statsFunc) []*v1.Pod {
 	evicted := []*v1.Pod{}
 	for _, pod := range pods {
 		podStats, ok := statsFunc(pod)
@@ -507,17 +513,17 @@ func (m *managerImpl) localStorageEviction(pods []*v1.Pod, statsFunc statsFunc)
 			continue
 		}
 
-		if m.emptyDirLimitEviction(podStats, pod) {
+		if m.emptyDirLimitEviction(logger, podStats, pod) {
 			evicted = append(evicted, pod)
 			continue
 		}
 
-		if m.podEphemeralStorageLimitEviction(podStats, pod) {
+		if m.podEphemeralStorageLimitEviction(logger, podStats, pod) {
 			evicted = append(evicted, pod)
 			continue
 		}
 
-		if m.containerEphemeralStorageLimitEviction(podStats, pod) {
+		if m.containerEphemeralStorageLimitEviction(logger, podStats, pod) {
 			evicted = append(evicted, pod)
 		}
 	}
@@ -525,7 +531,7 @@ func (m *managerImpl) localStorageEviction(pods []*v1.Pod, statsFunc statsFunc)
 	return evicted
 }
 
-func (m *managerImpl) emptyDirLimitEviction(podStats statsapi.PodStats, pod *v1.Pod) bool {
+func (m *managerImpl) emptyDirLimitEviction(logger klog.Logger, podStats statsapi.PodStats, pod *v1.Pod) bool {
 	podVolumeUsed := make(map[string]*resource.Quantity)
 	for _, volume := range podStats.VolumeStats {
 		podVolumeUsed[volume.Name] = resource.NewQuantity(int64(*volume.UsedBytes), resource.BinarySI)
@@ -537,7 +543,7 @@ func (m *managerImpl) emptyDirLimitEviction(podStats statsapi.PodStats, pod *v1.
 			used := podVolumeUsed[pod.Spec.Volumes[i].Name]
 			if used != nil && size != nil && size.Sign() == 1 && used.Cmp(*size) > 0 {
 				// the emptyDir usage exceeds the size limit, evict the pod
-				if m.evictPod(pod, immediateEvictionGracePeriodSeconds, fmt.Sprintf(emptyDirMessageFmt, pod.Spec.Volumes[i].Name, size.String()), nil, nil) {
+				if m.evictPod(logger, pod, immediateEvictionGracePeriodSeconds, fmt.Sprintf(emptyDirMessageFmt, pod.Spec.Volumes[i].Name, size.String()), nil, nil) {
 					metrics.Evictions.WithLabelValues(signalEmptyDirFsLimit).Inc()
 					return true
 				}
@@ -549,7 +555,7 @@ func (m *managerImpl) emptyDirLimitEviction(podStats statsapi.PodStats, pod *v1.
 	return false
 }
 
-func (m *managerImpl) podEphemeralStorageLimitEviction(podStats statsapi.PodStats, pod *v1.Pod) bool {
+func (m *managerImpl) podEphemeralStorageLimitEviction(logger klog.Logger, podStats statsapi.PodStats, pod *v1.Pod) bool {
 	podLimits := resourcehelper.PodLimits(pod, resourcehelper.PodResourcesOptions{})
 	_, found := podLimits[v1.ResourceEphemeralStorage]
 	if !found {
@@ -565,7 +571,7 @@ func (m *managerImpl) podEphemeralStorageLimitEviction(podStats statsapi.PodStat
 	if podEphemeralStorageTotalUsage.Cmp(podEphemeralStorageLimit) > 0 {
 		// the total usage of pod exceeds the total size limit of containers, evict the pod
 		message := fmt.Sprintf(podEphemeralStorageMessageFmt, podEphemeralStorageLimit.String())
-		if m.evictPod(pod, immediateEvictionGracePeriodSeconds, message, nil, nil) {
+		if m.evictPod(logger, pod, immediateEvictionGracePeriodSeconds, message, nil, nil) {
 			metrics.Evictions.WithLabelValues(signalEphemeralPodFsLimit).Inc()
 			return true
 		}
@@ -574,7 +580,7 @@ func (m *managerImpl) podEphemeralStorageLimitEviction(podStats statsapi.PodStat
 	return false
 }
 
-func (m *managerImpl) containerEphemeralStorageLimitEviction(podStats statsapi.PodStats, pod *v1.Pod) bool {
+func (m *managerImpl) containerEphemeralStorageLimitEviction(logger klog.Logger, podStats statsapi.PodStats, pod *v1.Pod) bool {
 	thresholdsMap := make(map[string]*resource.Quantity)
 	for _, container := range pod.Spec.Containers {
 		ephemeralLimit := container.Resources.Limits.StorageEphemeral()
@@ -591,7 +597,7 @@ func (m *managerImpl) containerEphemeralStorageLimitEviction(podStats statsapi.P
 
 		if ephemeralStorageThreshold, ok := thresholdsMap[containerStat.Name]; ok {
 			if ephemeralStorageThreshold.Cmp(*containerUsed) < 0 {
-				if m.evictPod(pod, immediateEvictionGracePeriodSeconds, fmt.Sprintf(containerEphemeralStorageMessageFmt, containerStat.Name, ephemeralStorageThreshold.String()), nil, nil) {
+				if m.evictPod(logger, pod, immediateEvictionGracePeriodSeconds, fmt.Sprintf(containerEphemeralStorageMessageFmt, containerStat.Name, ephemeralStorageThreshold.String()), nil, nil) {
 					metrics.Evictions.WithLabelValues(signalEphemeralContainerFsLimit).Inc()
 					return true
 				}
@@ -602,18 +608,18 @@ func (m *managerImpl) containerEphemeralStorageLimitEviction(podStats statsapi.P
 	return false
 }
 
-func (m *managerImpl) evictPod(pod *v1.Pod, gracePeriodOverride int64, evictMsg string, annotations map[string]string, condition *v1.PodCondition) bool {
+func (m *managerImpl) evictPod(logger klog.Logger, pod *v1.Pod, gracePeriodOverride int64, evictMsg string, annotations map[string]string, condition *v1.PodCondition) bool {
 	// If the pod is marked as critical and static, and support for critical pod annotations is enabled,
 	// do not evict such pods. Static pods are not re-admitted after evictions.
 	// https://github.com/kubernetes/kubernetes/issues/40573 has more details.
 	if kubelettypes.IsCriticalPod(pod) {
-		klog.ErrorS(nil, "Eviction manager: cannot evict a critical pod", "pod", klog.KObj(pod))
+		logger.Error(nil, "Eviction manager: cannot evict a critical pod", "pod", klog.KObj(pod))
 		return false
 	}
 	// record that we are evicting the pod
 	m.recorder.AnnotatedEventf(pod, annotations, v1.EventTypeWarning, Reason, evictMsg)
 	// this is a blocking call and should only return when the pod and its containers are killed.
-	klog.V(3).InfoS("Evicting pod", "pod", klog.KObj(pod), "podUID", pod.UID, "message", evictMsg)
+	logger.V(3).Info("Evicting pod", "pod", klog.KObj(pod), "podUID", pod.UID, "message", evictMsg)
 	err := m.killPodFunc(pod, true, &gracePeriodOverride, func(status *v1.PodStatus) {
 		status.Phase = v1.PodFailed
 		status.Reason = Reason
@@ -624,9 +630,9 @@ func (m *managerImpl) evictPod(pod *v1.Pod, gracePeriodOverride int64, evictMsg
 		}
 	})
 	if err != nil {
-		klog.ErrorS(err, "Eviction manager: pod failed to evict", "pod", klog.KObj(pod))
+		logger.Error(err, "Eviction manager: pod failed to evict", "pod", klog.KObj(pod))
 	} else {
-		klog.InfoS("Eviction manager: pod is evicted successfully", "pod", klog.KObj(pod))
+		logger.Info("Eviction manager: pod is evicted successfully", "pod", klog.KObj(pod))
 	}
 	return true
 }
diff --git a/pkg/kubelet/eviction/eviction_manager_test.go b/pkg/kubelet/eviction/eviction_manager_test.go
index a72c145409b2e..de8c6984665a0 100644
--- a/pkg/kubelet/eviction/eviction_manager_test.go
+++ b/pkg/kubelet/eviction/eviction_manager_test.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/stretchr/testify/mock"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
@@ -38,6 +39,7 @@ import (
 	evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	kubelettypes "k8s.io/kubernetes/pkg/kubelet/types"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	testingclock "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"
 )
@@ -279,6 +281,7 @@ type podToMake struct {
 }
 
 func TestMemoryPressure_VerifyPodStatus(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithMemoryStats
 	summaryStatsMaker := makeMemoryStats
 	podsToMake := []podToMake{
@@ -329,7 +332,7 @@ func TestMemoryPressure_VerifyPodStatus(t *testing.T) {
 	}
 
 	// synchronize to detect the memory pressure
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -364,6 +367,7 @@ func TestMemoryPressure_VerifyPodStatus(t *testing.T) {
 }
 
 func TestPIDPressure_VerifyPodStatus(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	if goruntime.GOOS == "windows" {
 		t.Skip("PID pressure is not supported on Windows")
 	}
@@ -429,7 +433,7 @@ func TestPIDPressure_VerifyPodStatus(t *testing.T) {
 		}
 
 		// synchronize to detect the PID pressure
-		_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+		_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 		if err != nil {
 			t.Fatalf("Manager expects no error but got %v", err)
@@ -462,6 +466,7 @@ func TestPIDPressure_VerifyPodStatus(t *testing.T) {
 }
 
 func TestDiskPressureNodeFs_VerifyPodStatus(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	testCases := map[string]struct {
 		nodeFsStats                   string
 		imageFsStats                  string
@@ -605,7 +610,7 @@ func TestDiskPressureNodeFs_VerifyPodStatus(t *testing.T) {
 		}
 
 		// synchronize
-		pods, synchErr := manager.synchronize(diskInfoProvider, activePodsFunc)
+		pods, synchErr := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 		if synchErr == nil && tc.expectErr != "" {
 			t.Fatalf("Manager should report error but did not")
@@ -642,6 +647,7 @@ func TestDiskPressureNodeFs_VerifyPodStatus(t *testing.T) {
 
 // TestMemoryPressure
 func TestMemoryPressure(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithMemoryStats
 	summaryStatsMaker := makeMemoryStats
 	podsToMake := []podToMake{
@@ -709,7 +715,7 @@ func TestMemoryPressure(t *testing.T) {
 	burstablePodToAdmit, _ := podMaker("burst-admit", defaultPriority, newResourceList("100m", "100Mi", ""), newResourceList("200m", "200Mi", ""), "0Gi")
 
 	// synchronize
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -731,7 +737,7 @@ func TestMemoryPressure(t *testing.T) {
 	// induce soft threshold
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("1500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -750,7 +756,7 @@ func TestMemoryPressure(t *testing.T) {
 	// step forward in time pass the grace period
 	fakeClock.Step(3 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("1500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -779,7 +785,7 @@ func TestMemoryPressure(t *testing.T) {
 	// remove memory pressure
 	fakeClock.Step(20 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("3Gi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -793,7 +799,7 @@ func TestMemoryPressure(t *testing.T) {
 	// induce memory pressure!
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -825,7 +831,7 @@ func TestMemoryPressure(t *testing.T) {
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -853,7 +859,7 @@ func TestMemoryPressure(t *testing.T) {
 	fakeClock.Step(5 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager expects no error but got %v", err)
@@ -921,6 +927,7 @@ func TestPIDPressure(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			podMaker := makePodWithPIDStats
 			summaryStatsMaker := makePIDStats
 			pods := []*v1.Pod{}
@@ -979,7 +986,7 @@ func TestPIDPressure(t *testing.T) {
 			podToAdmit, _ := podMaker("pod-to-admit", defaultPriority, 50)
 
 			// synchronize
-			_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -998,7 +1005,7 @@ func TestPIDPressure(t *testing.T) {
 			// induce soft threshold for PID pressure
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(tc.totalPID, tc.pressurePIDUsageWithGracePeriod, podStats)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1017,7 +1024,7 @@ func TestPIDPressure(t *testing.T) {
 			// step forward in time past the grace period
 			fakeClock.Step(3 * time.Minute)
 			// no change in PID stats to simulate continued pressure
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1047,7 +1054,7 @@ func TestPIDPressure(t *testing.T) {
 			// remove PID pressure by simulating increased PID availability
 			fakeClock.Step(20 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(tc.totalPID, tc.noPressurePIDUsage, podStats) // Simulate increased PID availability
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1061,7 +1068,7 @@ func TestPIDPressure(t *testing.T) {
 			// re-induce PID pressure
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(tc.totalPID, tc.pressurePIDUsageWithoutGracePeriod, podStats)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1093,7 +1100,7 @@ func TestPIDPressure(t *testing.T) {
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(tc.totalPID, tc.noPressurePIDUsage, podStats)
 			podKiller.pod = nil // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1117,7 +1124,7 @@ func TestPIDPressure(t *testing.T) {
 			// move the clock past the transition period
 			fakeClock.Step(5 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(tc.totalPID, tc.noPressurePIDUsage, podStats)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1302,6 +1309,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletSeparateDiskGC, tc.kubeletSeparateDiskFeature)
 
 			podMaker := makePodWithDiskStats
@@ -1356,7 +1364,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 			podToAdmit, _ := podMaker("pod-to-admit", defaultPriority, newResourceList("", "", ""), newResourceList("", "", ""), "0Gi", "0Gi", "0Gi", nil)
 
 			// synchronize
-			_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1383,7 +1391,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 				diskStatStart.containerFsAvailableBytes = tc.softDiskPressure
 			}
 			summaryProvider.result = summaryStatsMaker(diskStatStart)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1402,7 +1410,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 			// step forward in time pass the grace period
 			fakeClock.Step(3 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(diskStatStart)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1431,7 +1439,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 			// remove disk pressure
 			fakeClock.Step(20 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(diskStatConst)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1452,7 +1460,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 				diskStatStart.containerFsAvailableBytes = tc.hardDiskPressure
 			}
 			summaryProvider.result = summaryStatsMaker(diskStatStart)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
@@ -1482,7 +1490,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 
 			summaryProvider.result = summaryStatsMaker(diskStatConst)
 			podKiller.pod = nil // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1506,7 +1514,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 			fakeClock.Step(5 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(diskStatConst)
 			podKiller.pod = nil // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1532,6 +1540,7 @@ func TestDiskPressureNodeFs(t *testing.T) {
 
 // TestMinReclaim verifies that min-reclaim works as desired.
 func TestMinReclaim(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithMemoryStats
 	summaryStatsMaker := makeMemoryStats
 	podsToMake := []podToMake{
@@ -1590,7 +1599,7 @@ func TestMinReclaim(t *testing.T) {
 	}
 
 	// synchronize
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 	if err != nil {
 		t.Errorf("Manager should not report any errors")
 	}
@@ -1602,7 +1611,7 @@ func TestMinReclaim(t *testing.T) {
 	// induce memory pressure!
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -1626,7 +1635,7 @@ func TestMinReclaim(t *testing.T) {
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("1.2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -1650,7 +1659,7 @@ func TestMinReclaim(t *testing.T) {
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -1670,7 +1679,7 @@ func TestMinReclaim(t *testing.T) {
 	fakeClock.Step(5 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -1824,6 +1833,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletSeparateDiskGC, tc.kubeletSeparateDiskFeature)
 
 			podMaker := makePodWithDiskStats
@@ -1875,7 +1885,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			}
 
 			// synchronize
-			_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1903,7 +1913,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			summaryProvider.result = summaryStatsMaker(newDiskAfterHardEviction)
 			// make GC successfully return disk usage to previous levels
 			diskGC.summaryAfterGC = summaryStatsMaker(diskStatConst)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1933,7 +1943,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			// remove disk pressure
 			fakeClock.Step(20 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(diskStatConst)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1945,7 +1955,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			}
 
 			// synchronize
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1963,7 +1973,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			// make GC return disk usage bellow the threshold, but not satisfying minReclaim
 			gcBelowThreshold := setDiskStatsBasedOnFs(tc.inducePressureOnWhichFs, "1.1G", newDiskAfterHardEviction)
 			diskGC.summaryAfterGC = summaryStatsMaker(gcBelowThreshold)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -1994,7 +2004,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			// remove disk pressure
 			fakeClock.Step(20 * time.Minute)
 			summaryProvider.result = summaryStatsMaker(diskStatConst)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2011,7 +2021,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			summaryProvider.result = summaryStatsMaker(softDiskPressure)
 			// Don't reclaim any disk
 			diskGC.summaryAfterGC = summaryStatsMaker(softDiskPressure)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2044,7 +2054,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			diskGC.imageGCInvoked = false     // reset state
 			diskGC.containerGCInvoked = false // reset state
 			podKiller.pod = nil               // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2070,7 +2080,7 @@ func TestNodeReclaimFuncs(t *testing.T) {
 			diskGC.imageGCInvoked = false     // reset state
 			diskGC.containerGCInvoked = false // reset state
 			podKiller.pod = nil               // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2287,6 +2297,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletSeparateDiskGC, tc.kubeletSeparateDiskFeature)
 
 			podMaker := podMaker
@@ -2335,7 +2346,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			podToAdmit, _ := podMaker("pod-to-admit", defaultPriority, newResourceList("", "", ""), newResourceList("", "", ""), "0", "0", "0")
 
 			// synchronize
-			_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2354,7 +2365,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			// induce soft threshold
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = setINodesFreeBasedOnFs(tc.inducePressureOnWhichFs, tc.softINodePressure, startingStatsModified)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2373,7 +2384,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			// step forward in time pass the grace period
 			fakeClock.Step(3 * time.Minute)
 			summaryProvider.result = setINodesFreeBasedOnFs(tc.inducePressureOnWhichFs, tc.softINodePressure, startingStatsModified)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2402,7 +2413,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			// remove inode pressure
 			fakeClock.Step(20 * time.Minute)
 			summaryProvider.result = startingStatsConst
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2416,7 +2427,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			// induce inode pressure!
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = setINodesFreeBasedOnFs(tc.inducePressureOnWhichFs, tc.hardINodePressure, startingStatsModified)
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2445,7 +2456,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			fakeClock.Step(1 * time.Minute)
 			summaryProvider.result = startingStatsConst
 			podKiller.pod = nil // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2470,7 +2481,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 			fakeClock.Step(5 * time.Minute)
 			summaryProvider.result = startingStatsConst
 			podKiller.pod = nil // reset state
-			_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 			if err != nil {
 				t.Fatalf("Manager should not have an error %v", err)
@@ -2496,6 +2507,7 @@ func TestInodePressureFsInodes(t *testing.T) {
 
 // TestStaticCriticalPodsAreNotEvicted
 func TestStaticCriticalPodsAreNotEvicted(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithMemoryStats
 	summaryStatsMaker := makeMemoryStats
 	podsToMake := []podToMake{
@@ -2567,7 +2579,7 @@ func TestStaticCriticalPodsAreNotEvicted(t *testing.T) {
 
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("1500Mi", podStats)
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2586,7 +2598,7 @@ func TestStaticCriticalPodsAreNotEvicted(t *testing.T) {
 	// step forward in time pass the grace period
 	fakeClock.Step(3 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("1500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2608,7 +2620,7 @@ func TestStaticCriticalPodsAreNotEvicted(t *testing.T) {
 	// remove memory pressure
 	fakeClock.Step(20 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("3Gi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2628,7 +2640,7 @@ func TestStaticCriticalPodsAreNotEvicted(t *testing.T) {
 	// induce memory pressure!
 	fakeClock.Step(1 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2667,6 +2679,7 @@ func TestStorageLimitEvictions(t *testing.T) {
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			podMaker := makePodWithDiskStats
 			summaryStatsMaker := makeDiskStats
 			podsToMake := []podToMake{
@@ -2727,7 +2740,7 @@ func TestStorageLimitEvictions(t *testing.T) {
 				localStorageCapacityIsolation: true,
 			}
 
-			_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+			_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 			if err != nil {
 				t.Fatalf("Manager expects no error but got %v", err)
 			}
@@ -2747,6 +2760,7 @@ func TestStorageLimitEvictions(t *testing.T) {
 
 // TestAllocatableMemoryPressure
 func TestAllocatableMemoryPressure(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithMemoryStats
 	summaryStatsMaker := makeMemoryStats
 	podsToMake := []podToMake{
@@ -2806,7 +2820,7 @@ func TestAllocatableMemoryPressure(t *testing.T) {
 	burstablePodToAdmit, _ := podMaker("burst-admit", defaultPriority, newResourceList("100m", "100Mi", ""), newResourceList("200m", "200Mi", ""), "0Gi")
 
 	// synchronize
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2830,7 +2844,7 @@ func TestAllocatableMemoryPressure(t *testing.T) {
 	pod, podStat := podMaker("guaranteed-high-2", defaultPriority, newResourceList("100m", "1Gi", ""), newResourceList("100m", "1Gi", ""), "1Gi")
 	podStats[pod] = podStat
 	summaryProvider.result = summaryStatsMaker("500Mi", podStats)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2870,7 +2884,7 @@ func TestAllocatableMemoryPressure(t *testing.T) {
 	}
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2898,7 +2912,7 @@ func TestAllocatableMemoryPressure(t *testing.T) {
 	fakeClock.Step(5 * time.Minute)
 	summaryProvider.result = summaryStatsMaker("2Gi", podStats)
 	podKiller.pod = nil // reset state
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2924,6 +2938,7 @@ func TestAllocatableMemoryPressure(t *testing.T) {
 }
 
 func TestUpdateMemcgThreshold(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	activePodsFunc := func() []*v1.Pod {
 		return []*v1.Pod{}
 	}
@@ -2951,7 +2966,7 @@ func TestUpdateMemcgThreshold(t *testing.T) {
 	summaryProvider := &fakeSummaryProvider{result: makeMemoryStats("2Gi", map[*v1.Pod]statsapi.PodStats{})}
 
 	thresholdNotifier := NewMockThresholdNotifier(t)
-	thresholdNotifier.EXPECT().UpdateThreshold(summaryProvider.result).Return(nil).Times(2)
+	thresholdNotifier.EXPECT().UpdateThreshold(mock.Anything, summaryProvider.result).Return(nil).Times(2)
 
 	manager := &managerImpl{
 		clock:                        fakeClock,
@@ -2968,14 +2983,14 @@ func TestUpdateMemcgThreshold(t *testing.T) {
 	}
 
 	// The UpdateThreshold method should have been called once, since this is the first run.
-	_, err := manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err := manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
 	}
 
 	// The UpdateThreshold method should not have been called again, since not enough time has passed
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2983,7 +2998,7 @@ func TestUpdateMemcgThreshold(t *testing.T) {
 
 	// The UpdateThreshold method should be called again since enough time has passed
 	fakeClock.Step(2 * notifierRefreshInterval)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -2991,14 +3006,14 @@ func TestUpdateMemcgThreshold(t *testing.T) {
 
 	// new memory threshold notifier that returns an error
 	thresholdNotifier = NewMockThresholdNotifier(t)
-	thresholdNotifier.EXPECT().UpdateThreshold(summaryProvider.result).Return(fmt.Errorf("error updating threshold")).Times(1)
+	thresholdNotifier.EXPECT().UpdateThreshold(mock.Anything, summaryProvider.result).Return(fmt.Errorf("error updating threshold")).Times(1)
 	thresholdNotifier.EXPECT().Description().Return("mock thresholdNotifier").Times(1)
 	manager.thresholdNotifiers = []ThresholdNotifier{thresholdNotifier}
 
 	// The UpdateThreshold method should be called because at least notifierRefreshInterval time has passed.
 	// The Description method should be called because UpdateThreshold returned an error
 	fakeClock.Step(2 * notifierRefreshInterval)
-	_, err = manager.synchronize(diskInfoProvider, activePodsFunc)
+	_, err = manager.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have an error %v", err)
@@ -3006,6 +3021,7 @@ func TestUpdateMemcgThreshold(t *testing.T) {
 }
 
 func TestManagerWithLocalStorageCapacityIsolationOpen(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podMaker := makePodWithLocalStorageCapacityIsolationOpen
 	summaryStatsMaker := makeDiskStats
 	podsToMake := []podToMake{
@@ -3066,7 +3082,7 @@ func TestManagerWithLocalStorageCapacityIsolationOpen(t *testing.T) {
 		return pods
 	}
 
-	evictedPods, err := mgr.synchronize(diskInfoProvider, activePodsFunc)
+	evictedPods, err := mgr.synchronize(tCtx, diskInfoProvider, activePodsFunc)
 
 	if err != nil {
 		t.Fatalf("Manager should not have error but got %v", err)
diff --git a/pkg/kubelet/eviction/helpers.go b/pkg/kubelet/eviction/helpers.go
index a9e8d9ebbf6e0..6807dd977cebc 100644
--- a/pkg/kubelet/eviction/helpers.go
+++ b/pkg/kubelet/eviction/helpers.go
@@ -114,12 +114,12 @@ func validSignal(signal evictionapi.Signal) bool {
 }
 
 // getReclaimableThreshold finds the threshold and resource to reclaim
-func getReclaimableThreshold(thresholds []evictionapi.Threshold) (evictionapi.Threshold, v1.ResourceName, bool) {
+func getReclaimableThreshold(logger klog.Logger, thresholds []evictionapi.Threshold) (evictionapi.Threshold, v1.ResourceName, bool) {
 	for _, thresholdToReclaim := range thresholds {
 		if resourceToReclaim, ok := signalToResource[thresholdToReclaim.Signal]; ok {
 			return thresholdToReclaim, resourceToReclaim, true
 		}
-		klog.V(3).InfoS("Eviction manager: threshold was crossed, but reclaim is not implemented for this threshold.", "threshold", thresholdToReclaim.Signal)
+		logger.V(3).Info("Eviction manager: threshold was crossed, but reclaim is not implemented for this threshold.", "threshold", thresholdToReclaim.Signal)
 	}
 	return evictionapi.Threshold{}, "", false
 }
@@ -845,19 +845,19 @@ func (a byEvictionPriority) Less(i, j int) bool {
 }
 
 // makeSignalObservations derives observations using the specified summary provider.
-func makeSignalObservations(summary *statsapi.Summary) (signalObservations, statsFunc) {
+func makeSignalObservations(logger klog.Logger, summary *statsapi.Summary) (signalObservations, statsFunc) {
 	// build the function to work against for pod stats
 	statsFunc := cachedStatsFunc(summary.Pods)
 	// build an evaluation context for current eviction signals
 	result := signalObservations{}
 
-	memoryAvailableSignal := makeMemoryAvailableSignalObservation(summary)
+	memoryAvailableSignal := makeMemoryAvailableSignalObservation(logger, summary)
 	if memoryAvailableSignal != nil {
 		result[evictionapi.SignalMemoryAvailable] = *memoryAvailableSignal
 	}
 
 	if allocatableContainer, err := getSysContainer(summary.Node.SystemContainers, statsapi.SystemContainerPods); err != nil {
-		klog.ErrorS(err, "Eviction manager: failed to construct signal", "signal", evictionapi.SignalAllocatableMemoryAvailable)
+		logger.Error(err, "Eviction manager: failed to construct signal", "signal", evictionapi.SignalAllocatableMemoryAvailable)
 	} else {
 		if memory := allocatableContainer.Memory; memory != nil && memory.AvailableBytes != nil && memory.WorkingSetBytes != nil {
 			result[evictionapi.SignalAllocatableMemoryAvailable] = signalObservation{
@@ -940,13 +940,13 @@ func getSysContainer(sysContainers []statsapi.ContainerStats, name string) (*sta
 }
 
 // thresholdsMet returns the set of thresholds that were met independent of grace period
-func thresholdsMet(thresholds []evictionapi.Threshold, observations signalObservations, enforceMinReclaim bool) []evictionapi.Threshold {
+func thresholdsMet(logger klog.Logger, thresholds []evictionapi.Threshold, observations signalObservations, enforceMinReclaim bool) []evictionapi.Threshold {
 	results := []evictionapi.Threshold{}
 	for i := range thresholds {
 		threshold := thresholds[i]
 		observed, found := observations[threshold.Signal]
 		if !found {
-			klog.InfoS("Eviction manager: no observation found for eviction signal", "signal", threshold.Signal)
+			logger.Info("Eviction manager: no observation found for eviction signal", "signal", threshold.Signal)
 			continue
 		}
 		// determine if we have met the specified threshold
@@ -968,23 +968,21 @@ func thresholdsMet(thresholds []evictionapi.Threshold, observations signalObserv
 	return results
 }
 
-func debugLogObservations(logPrefix string, observations signalObservations) {
-	klogV := klog.V(3)
-	if !klogV.Enabled() {
+func debugLogObservations(logger klog.Logger, logPrefix string, observations signalObservations) {
+	if !logger.V(3).Enabled() {
 		return
 	}
 	for k, v := range observations {
 		if !v.time.IsZero() {
-			klogV.InfoS("Eviction manager:", "log", logPrefix, "signal", k, "resourceName", signalToResource[k], "available", v.available, "capacity", v.capacity, "time", v.time)
+			logger.V(3).Info("Eviction manager:", "log", logPrefix, "signal", k, "resourceName", signalToResource[k], "available", v.available, "capacity", v.capacity, "time", v.time)
 		} else {
-			klogV.InfoS("Eviction manager:", "log", logPrefix, "signal", k, "resourceName", signalToResource[k], "available", v.available, "capacity", v.capacity)
+			logger.V(3).Info("Eviction manager:", "log", logPrefix, "signal", k, "resourceName", signalToResource[k], "available", v.available, "capacity", v.capacity)
 		}
 	}
 }
 
-func debugLogThresholdsWithObservation(logPrefix string, thresholds []evictionapi.Threshold, observations signalObservations) {
-	klogV := klog.V(3)
-	if !klogV.Enabled() {
+func debugLogThresholdsWithObservation(logger klog.Logger, logPrefix string, thresholds []evictionapi.Threshold, observations signalObservations) {
+	if !logger.V(3).Enabled() {
 		return
 	}
 	for i := range thresholds {
@@ -992,20 +990,20 @@ func debugLogThresholdsWithObservation(logPrefix string, thresholds []evictionap
 		observed, found := observations[threshold.Signal]
 		if found {
 			quantity := evictionapi.GetThresholdQuantity(threshold.Value, observed.capacity)
-			klogV.InfoS("Eviction manager: threshold observed resource", "log", logPrefix, "signal", threshold.Signal, "resourceName", signalToResource[threshold.Signal], "quantity", quantity, "available", observed.available)
+			logger.V(3).Info("Eviction manager: threshold observed resource", "log", logPrefix, "signal", threshold.Signal, "resourceName", signalToResource[threshold.Signal], "quantity", quantity, "available", observed.available)
 		} else {
-			klogV.InfoS("Eviction manager: threshold had no observation", "log", logPrefix, "signal", threshold.Signal)
+			logger.V(3).Info("Eviction manager: threshold had no observation", "log", logPrefix, "signal", threshold.Signal)
 		}
 	}
 }
 
-func thresholdsUpdatedStats(thresholds []evictionapi.Threshold, observations, lastObservations signalObservations) []evictionapi.Threshold {
+func thresholdsUpdatedStats(logger klog.Logger, thresholds []evictionapi.Threshold, observations, lastObservations signalObservations) []evictionapi.Threshold {
 	results := []evictionapi.Threshold{}
 	for i := range thresholds {
 		threshold := thresholds[i]
 		observed, found := observations[threshold.Signal]
 		if !found {
-			klog.InfoS("Eviction manager: no observation found for eviction signal", "signal", threshold.Signal)
+			logger.Info("Eviction manager: no observation found for eviction signal", "signal", threshold.Signal)
 			continue
 		}
 		last, found := lastObservations[threshold.Signal]
@@ -1030,12 +1028,12 @@ func thresholdsFirstObservedAt(thresholds []evictionapi.Threshold, lastObservedA
 }
 
 // thresholdsMetGracePeriod returns the set of thresholds that have satisfied associated grace period
-func thresholdsMetGracePeriod(observedAt thresholdsObservedAt, now time.Time) []evictionapi.Threshold {
+func thresholdsMetGracePeriod(logger klog.Logger, observedAt thresholdsObservedAt, now time.Time) []evictionapi.Threshold {
 	results := []evictionapi.Threshold{}
 	for threshold, at := range observedAt {
 		duration := now.Sub(at)
 		if duration < threshold.GracePeriod {
-			klog.V(2).InfoS("Eviction manager: eviction criteria not yet met", "threshold", formatThreshold(threshold), "duration", duration)
+			logger.V(2).Info("Eviction manager: eviction criteria not yet met", "threshold", formatThreshold(threshold), "duration", duration)
 			continue
 		}
 		results = append(results, threshold)
diff --git a/pkg/kubelet/eviction/helpers_others.go b/pkg/kubelet/eviction/helpers_others.go
index 6b424bac47427..b3e9324b51820 100644
--- a/pkg/kubelet/eviction/helpers_others.go
+++ b/pkg/kubelet/eviction/helpers_others.go
@@ -21,10 +21,11 @@ package eviction
 
 import (
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 )
 
-func makeMemoryAvailableSignalObservation(summary *statsapi.Summary) *signalObservation {
+func makeMemoryAvailableSignalObservation(logger klog.Logger, summary *statsapi.Summary) *signalObservation {
 	if memory := summary.Node.Memory; memory != nil && memory.AvailableBytes != nil && memory.WorkingSetBytes != nil {
 		return &signalObservation{
 			available: resource.NewQuantity(int64(*memory.AvailableBytes), resource.BinarySI),
diff --git a/pkg/kubelet/eviction/helpers_test.go b/pkg/kubelet/eviction/helpers_test.go
index b073d94593608..6b7cd1e4f0b94 100644
--- a/pkg/kubelet/eviction/helpers_test.go
+++ b/pkg/kubelet/eviction/helpers_test.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/klog/v2/ktesting"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 
 	"k8s.io/kubernetes/pkg/features"
@@ -46,6 +47,7 @@ func quantityMustParse(value string) *resource.Quantity {
 }
 
 func TestGetReclaimableThreshold(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := map[string]struct {
 		thresholds                   []evictionapi.Threshold
 		expectedThreshold            evictionapi.Threshold
@@ -132,7 +134,7 @@ func TestGetReclaimableThreshold(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		sort.Sort(byEvictionPriority(testCase.thresholds))
-		threshold, ressourceName, found := getReclaimableThreshold(testCase.thresholds)
+		threshold, ressourceName, found := getReclaimableThreshold(logger, testCase.thresholds)
 		assert.Equal(t, testCase.expectedReclaimableToBeFound, found)
 		assert.Equal(t, testCase.expectedResourceName, ressourceName)
 		assert.Equal(t, testCase.expectedThreshold.Signal, threshold.Signal)
@@ -1361,6 +1363,7 @@ func newPodStats(pod *v1.Pod, podWorkingSetBytes uint64) statsapi.PodStats {
 }
 
 func TestMakeSignalObservations(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	podMaker := func(name, namespace, uid string, numContainers int) *v1.Pod {
 		pod := &v1.Pod{}
 		pod.Name = name
@@ -1456,7 +1459,7 @@ func TestMakeSignalObservations(t *testing.T) {
 	if res.CmpInt64(int64(allocatableMemoryCapacity)) != 0 {
 		t.Errorf("Expected Threshold %v to be equal to value %v", res.Value(), allocatableMemoryCapacity)
 	}
-	actualObservations, statsFunc := makeSignalObservations(fakeStats)
+	actualObservations, statsFunc := makeSignalObservations(logger, fakeStats)
 	allocatableMemQuantity, found := actualObservations[evictionapi.SignalAllocatableMemoryAvailable]
 	if !found {
 		t.Errorf("Expected allocatable memory observation, but didn't find one")
@@ -1560,6 +1563,7 @@ func TestMakeSignalObservations(t *testing.T) {
 }
 
 func TestThresholdsMet(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	hardThreshold := evictionapi.Threshold{
 		Signal:   evictionapi.SignalMemoryAvailable,
 		Operator: evictionapi.OpLessThan,
@@ -1624,7 +1628,7 @@ func TestThresholdsMet(t *testing.T) {
 		},
 	}
 	for testName, testCase := range testCases {
-		actual := thresholdsMet(testCase.thresholds, testCase.observations, testCase.enforceMinReclaim)
+		actual := thresholdsMet(logger, testCase.thresholds, testCase.observations, testCase.enforceMinReclaim)
 		if !thresholdList(actual).Equal(thresholdList(testCase.result)) {
 			t.Errorf("Test case: %s, expected: %v, actual: %v", testName, testCase.result, actual)
 		}
@@ -1632,6 +1636,7 @@ func TestThresholdsMet(t *testing.T) {
 }
 
 func TestThresholdsUpdatedStats(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	updatedThreshold := evictionapi.Threshold{
 		Signal: evictionapi.SignalMemoryAvailable,
 	}
@@ -1714,7 +1719,7 @@ func TestThresholdsUpdatedStats(t *testing.T) {
 		},
 	}
 	for testName, testCase := range testCases {
-		actual := thresholdsUpdatedStats(testCase.thresholds, testCase.observations, testCase.last)
+		actual := thresholdsUpdatedStats(logger, testCase.thresholds, testCase.observations, testCase.last)
 		if !thresholdList(actual).Equal(thresholdList(testCase.result)) {
 			t.Errorf("Test case: %s, expected: %v, actual: %v", testName, testCase.result, actual)
 		}
@@ -1722,6 +1727,7 @@ func TestThresholdsUpdatedStats(t *testing.T) {
 }
 
 func TestPercentageThresholdsMet(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	specificThresholds := []evictionapi.Threshold{
 		{
 			Signal:   evictionapi.SignalMemoryAvailable,
@@ -1832,7 +1838,7 @@ func TestPercentageThresholdsMet(t *testing.T) {
 		},
 	}
 	for testName, testCase := range testCases {
-		actual := thresholdsMet(testCase.thresholds, testCase.observations, testCase.enforceMinRelaim)
+		actual := thresholdsMet(logger, testCase.thresholds, testCase.observations, testCase.enforceMinRelaim)
 		if !thresholdList(actual).Equal(thresholdList(testCase.result)) {
 			t.Errorf("Test case: %s, expected: %v, actual: %v", testName, testCase.result, actual)
 		}
@@ -1889,6 +1895,7 @@ func TestThresholdsFirstObservedAt(t *testing.T) {
 }
 
 func TestThresholdsMetGracePeriod(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	now := metav1.Now()
 	hardThreshold := evictionapi.Threshold{
 		Signal:   evictionapi.SignalMemoryAvailable,
@@ -1939,7 +1946,7 @@ func TestThresholdsMetGracePeriod(t *testing.T) {
 		},
 	}
 	for testName, testCase := range testCases {
-		actual := thresholdsMetGracePeriod(testCase.observedAt, now.Time)
+		actual := thresholdsMetGracePeriod(logger, testCase.observedAt, now.Time)
 		if !thresholdList(actual).Equal(thresholdList(testCase.result)) {
 			t.Errorf("Test case: %s, expected: %v, actual: %v", testName, testCase.result, actual)
 		}
diff --git a/pkg/kubelet/eviction/helpers_windows.go b/pkg/kubelet/eviction/helpers_windows.go
index 85ab911c94f3d..f37d4f82b3327 100644
--- a/pkg/kubelet/eviction/helpers_windows.go
+++ b/pkg/kubelet/eviction/helpers_windows.go
@@ -26,15 +26,15 @@ import (
 	evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
 )
 
-func makeMemoryAvailableSignalObservation(summary *statsapi.Summary) *signalObservation {
-	klog.V(4).InfoS("Eviction manager: building memory signal observations for windows")
+func makeMemoryAvailableSignalObservation(logger klog.Logger, summary *statsapi.Summary) *signalObservation {
+	logger.V(4).Info("Eviction manager: building memory signal observations for windows")
 	sysContainer, err := getSysContainer(summary.Node.SystemContainers, statsapi.SystemContainerWindowsGlobalCommitMemory)
 	if err != nil {
-		klog.ErrorS(err, "Eviction manager: failed to construct signal", "signal", evictionapi.SignalMemoryAvailable)
+		logger.Error(err, "Eviction manager: failed to construct signal", "signal", evictionapi.SignalMemoryAvailable)
 		return nil
 	}
 	if memory := sysContainer.Memory; memory != nil && memory.AvailableBytes != nil && memory.UsageBytes != nil {
-		klog.V(4).InfoS(
+		logger.V(4).Info(
 			"Eviction manager: memory signal observations for windows",
 			"Available", *memory.AvailableBytes,
 			"Usage", *memory.UsageBytes)
diff --git a/pkg/kubelet/eviction/memory_threshold_notifier.go b/pkg/kubelet/eviction/memory_threshold_notifier.go
index 6bc1bc6ab1d9b..fa00a2933f72c 100644
--- a/pkg/kubelet/eviction/memory_threshold_notifier.go
+++ b/pkg/kubelet/eviction/memory_threshold_notifier.go
@@ -16,7 +16,10 @@ limitations under the License.
 
 package eviction
 
-import "time"
+import (
+	"k8s.io/klog/v2"
+	"time"
+)
 
 const (
 	// this prevents constantly updating the memcg notifier if synchronize
@@ -30,6 +33,6 @@ type CgroupNotifierFactory struct{}
 var _ NotifierFactory = &CgroupNotifierFactory{}
 
 // NewCgroupNotifier implements the NotifierFactory interface
-func (n *CgroupNotifierFactory) NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier, error) {
-	return NewCgroupNotifier(path, attribute, threshold)
+func (n *CgroupNotifierFactory) NewCgroupNotifier(logger klog.Logger, path, attribute string, threshold int64) (CgroupNotifier, error) {
+	return NewCgroupNotifier(logger, path, attribute, threshold)
 }
diff --git a/pkg/kubelet/eviction/memory_threshold_notifier_others.go b/pkg/kubelet/eviction/memory_threshold_notifier_others.go
index 1b7bc21e05d3a..140d6be17c716 100644
--- a/pkg/kubelet/eviction/memory_threshold_notifier_others.go
+++ b/pkg/kubelet/eviction/memory_threshold_notifier_others.go
@@ -20,6 +20,7 @@ limitations under the License.
 package eviction
 
 import (
+	"context"
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -46,7 +47,7 @@ var _ ThresholdNotifier = &linuxMemoryThresholdNotifier{}
 
 // NewMemoryThresholdNotifier creates a ThresholdNotifier which is designed to respond to the given threshold.
 // UpdateThreshold must be called once before the threshold will be active.
-func NewMemoryThresholdNotifier(threshold evictionapi.Threshold, cgroupRoot string, factory NotifierFactory, handler func(string)) (ThresholdNotifier, error) {
+func NewMemoryThresholdNotifier(logger klog.Logger, threshold evictionapi.Threshold, cgroupRoot string, factory NotifierFactory, handler func(string)) (ThresholdNotifier, error) {
 	cgroups, err := cm.GetCgroupSubsystems()
 	if err != nil {
 		return nil, err
@@ -68,7 +69,8 @@ func NewMemoryThresholdNotifier(threshold evictionapi.Threshold, cgroupRoot stri
 	}, nil
 }
 
-func (m *linuxMemoryThresholdNotifier) UpdateThreshold(summary *statsapi.Summary) error {
+func (m *linuxMemoryThresholdNotifier) UpdateThreshold(ctx context.Context, summary *statsapi.Summary) error {
+	logger := klog.FromContext(ctx)
 	memoryStats := summary.Node.Memory
 	if isAllocatableEvictionThreshold(m.threshold) {
 		allocatableContainer, err := getSysContainer(summary.Node.SystemContainers, statsapi.SystemContainerPods)
@@ -88,22 +90,22 @@ func (m *linuxMemoryThresholdNotifier) UpdateThreshold(summary *statsapi.Summary
 	memcgThreshold := capacity.DeepCopy()
 	memcgThreshold.Sub(*evictionThresholdQuantity)
 	memcgThreshold.Add(*inactiveFile)
-
-	klog.V(3).InfoS("Eviction manager: setting notifier to capacity", "notifier", m.Description(), "capacity", memcgThreshold.String())
+	logger.V(3).Info("Eviction manager: setting notifier to capacity", "notifier", m.Description(), "capacity", memcgThreshold.String())
 	if m.notifier != nil {
 		m.notifier.Stop()
 	}
-	newNotifier, err := m.factory.NewCgroupNotifier(m.cgroupPath, memoryUsageAttribute, memcgThreshold.Value())
+	newNotifier, err := m.factory.NewCgroupNotifier(logger, m.cgroupPath, memoryUsageAttribute, memcgThreshold.Value())
 	if err != nil {
 		return err
 	}
 	m.notifier = newNotifier
-	go m.notifier.Start(m.events)
+	go m.notifier.Start(ctx, m.events)
 	return nil
 }
 
-func (m *linuxMemoryThresholdNotifier) Start() {
-	klog.InfoS("Eviction manager: created memoryThresholdNotifier", "notifier", m.Description())
+func (m *linuxMemoryThresholdNotifier) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	logger.Info("Eviction manager: created memoryThresholdNotifier", "notifier", m.Description())
 	for range m.events {
 		m.handler(fmt.Sprintf("eviction manager: %s crossed", m.Description()))
 	}
diff --git a/pkg/kubelet/eviction/memory_threshold_notifier_test.go b/pkg/kubelet/eviction/memory_threshold_notifier_test.go
index f552f469af1ab..9b1577d7b4a1d 100644
--- a/pkg/kubelet/eviction/memory_threshold_notifier_test.go
+++ b/pkg/kubelet/eviction/memory_threshold_notifier_test.go
@@ -20,6 +20,7 @@ limitations under the License.
 package eviction
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"sync"
@@ -28,8 +29,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/api/resource"
+	klogtesting "k8s.io/klog/v2/ktesting"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const testCgroupPath = "/sys/fs/cgroups/memory"
@@ -135,14 +138,29 @@ func TestUpdateThreshold(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
+			logger, tCtx := klogtesting.NewTestContext(t)
 			notifierFactory := NewMockNotifierFactory(t)
 			notifier := NewMockCgroupNotifier(t)
 
 			m := newTestMemoryThresholdNotifier(tc.evictionThreshold, notifierFactory, nil)
-			notifierFactory.EXPECT().NewCgroupNotifier(testCgroupPath, memoryUsageAttribute, tc.expectedThreshold.Value()).Return(notifier, tc.updateThresholdErr).Times(1)
+			notifierFactory.EXPECT().NewCgroupNotifier(logger, testCgroupPath, memoryUsageAttribute, tc.expectedThreshold.Value()).Return(notifier, tc.updateThresholdErr).Times(1)
 			var events chan<- struct{} = m.events
-			notifier.EXPECT().Start(events).Return().Maybe()
-			err := m.UpdateThreshold(nodeSummary(tc.available, tc.workingSet, tc.usage, isAllocatableEvictionThreshold(tc.evictionThreshold)))
+
+			// Use a WaitGroup to ensure the goroutine completes before test ends
+			var wg sync.WaitGroup
+			wg.Add(1)
+			notifier.EXPECT().Start(tCtx, events).Run(func(ctx context.Context, eventCh chan<- struct{}) {
+				defer wg.Done()
+				// Mock implementation completes immediately
+			}).Maybe()
+
+			err := m.UpdateThreshold(tCtx, nodeSummary(tc.available, tc.workingSet, tc.usage, isAllocatableEvictionThreshold(tc.evictionThreshold)))
+
+			// Wait for the goroutine started by UpdateThreshold to complete
+			if err == nil {
+				wg.Wait()
+			}
+
 			if err != nil && !tc.expectErr {
 				t.Errorf("Unexpected error updating threshold: %v", err)
 			} else if err == nil && tc.expectErr {
@@ -183,16 +201,18 @@ func TestUpdateThresholdWithInvalidSummary(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			m := newTestMemoryThresholdNotifier(evictionapi.Threshold{}, nil, nil)
 			if tc.allocatableEvictionThreshold {
 				m.threshold.Signal = evictionapi.SignalAllocatableMemoryAvailable
 			}
-			assert.Error(t, m.UpdateThreshold(tc.summary))
+			assert.Error(t, m.UpdateThreshold(tCtx, tc.summary))
 		})
 	}
 }
 
 func TestStart(t *testing.T) {
+	logger, tCtx := klogtesting.NewTestContext(t)
 	noResources := resource.MustParse("0")
 	threshold := evictionapi.Threshold{
 		Signal:   evictionapi.SignalMemoryAvailable,
@@ -209,21 +229,21 @@ func TestStart(t *testing.T) {
 	m := newTestMemoryThresholdNotifier(threshold, notifierFactory, func(string) {
 		wg.Done()
 	})
-	notifierFactory.EXPECT().NewCgroupNotifier(testCgroupPath, memoryUsageAttribute, int64(0)).Return(notifier, nil).Times(1)
+	notifierFactory.EXPECT().NewCgroupNotifier(logger, testCgroupPath, memoryUsageAttribute, int64(0)).Return(notifier, nil).Times(1)
 
 	var events chan<- struct{} = m.events
-	notifier.EXPECT().Start(events).Run(func(events chan<- struct{}) {
+	notifier.EXPECT().Start(tCtx, events).Run(func(ctx context.Context, events chan<- struct{}) {
 		for i := 0; i < 4; i++ {
 			events <- struct{}{}
 		}
 	})
 
-	err := m.UpdateThreshold(nodeSummary(noResources, noResources, noResources, isAllocatableEvictionThreshold(threshold)))
+	err := m.UpdateThreshold(tCtx, nodeSummary(noResources, noResources, noResources, isAllocatableEvictionThreshold(threshold)))
 	if err != nil {
 		t.Errorf("Unexpected error updating threshold: %v", err)
 	}
 
-	go m.Start()
+	go m.Start(tCtx)
 
 	wg.Wait()
 }
diff --git a/pkg/kubelet/eviction/memory_threshold_notifier_windows.go b/pkg/kubelet/eviction/memory_threshold_notifier_windows.go
index 8c014fa972a31..96e9b4f0717d8 100644
--- a/pkg/kubelet/eviction/memory_threshold_notifier_windows.go
+++ b/pkg/kubelet/eviction/memory_threshold_notifier_windows.go
@@ -20,6 +20,7 @@ limitations under the License.
 package eviction
 
 import (
+	"context"
 	"fmt"
 	"time"
 
@@ -38,8 +39,8 @@ type windowsMemoryThresholdNotifier struct {
 
 var _ ThresholdNotifier = &windowsMemoryThresholdNotifier{}
 
-func NewMemoryThresholdNotifier(threshold evictionapi.Threshold, cgroupRoot string, factory NotifierFactory, handler func(string)) (ThresholdNotifier, error) {
-	klog.InfoS("Eviction manager: creating new WindowsMemoryThresholdNotifier")
+func NewMemoryThresholdNotifier(logger klog.Logger, threshold evictionapi.Threshold, cgroupRoot string, factory NotifierFactory, handler func(string)) (ThresholdNotifier, error) {
+	logger.Info("Eviction manager: creating new WindowsMemoryThresholdNotifier")
 	return &windowsMemoryThresholdNotifier{
 		threshold: threshold,
 		events:    make(chan struct{}),
@@ -47,12 +48,13 @@ func NewMemoryThresholdNotifier(threshold evictionapi.Threshold, cgroupRoot stri
 	}, nil
 }
 
-func (m *windowsMemoryThresholdNotifier) Start() {
-	klog.InfoS("Eviction manager: starting windowsMemoryThresholdNotifier", "notifier", m.Description())
+func (m *windowsMemoryThresholdNotifier) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	logger.Info("Eviction manager: starting windowsMemoryThresholdNotifier", "notifier", m.Description())
 	go func() {
 		for true {
 			time.Sleep(notifierRefreshInterval)
-			m.checkMemoryUsage()
+			m.checkMemoryUsage(logger)
 		}
 	}()
 
@@ -61,11 +63,11 @@ func (m *windowsMemoryThresholdNotifier) Start() {
 	}
 }
 
-func (m *windowsMemoryThresholdNotifier) checkMemoryUsage() {
+func (m *windowsMemoryThresholdNotifier) checkMemoryUsage(logger klog.Logger) {
 	// Get global commit limit
 	perfInfo, err := winstats.GetPerformanceInfo()
 	if err != nil {
-		klog.ErrorS(err, "Eviction manager: error getting global memory status for node")
+		logger.Error(err, "Eviction manager: error getting global memory status for node")
 	}
 
 	commmiLimitBytes := perfInfo.CommitLimitPages * perfInfo.PageSize
@@ -80,7 +82,7 @@ func (m *windowsMemoryThresholdNotifier) checkMemoryUsage() {
 	}
 }
 
-func (m *windowsMemoryThresholdNotifier) UpdateThreshold(summary *statsapi.Summary) error {
+func (m *windowsMemoryThresholdNotifier) UpdateThreshold(ctx context.Context, summary *statsapi.Summary) error {
 	// Windows doesn't use cgroup notifiers to trigger eviction, so this function is a no-op.
 	// Instead the go-routine set up in Start() will poll the system for memory usage and
 	// trigger eviction when the threshold is crossed.
diff --git a/pkg/kubelet/eviction/mock_cgroup_notifier_test.go b/pkg/kubelet/eviction/mock_cgroup_notifier_test.go
deleted file mode 100644
index 618fff9951c2d..0000000000000
--- a/pkg/kubelet/eviction/mock_cgroup_notifier_test.go
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package eviction
-
-import mock "github.com/stretchr/testify/mock"
-
-// MockCgroupNotifier is an autogenerated mock type for the CgroupNotifier type
-type MockCgroupNotifier struct {
-	mock.Mock
-}
-
-type MockCgroupNotifier_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockCgroupNotifier) EXPECT() *MockCgroupNotifier_Expecter {
-	return &MockCgroupNotifier_Expecter{mock: &_m.Mock}
-}
-
-// Start provides a mock function with given fields: eventCh
-func (_m *MockCgroupNotifier) Start(eventCh chan<- struct{}) {
-	_m.Called(eventCh)
-}
-
-// MockCgroupNotifier_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
-type MockCgroupNotifier_Start_Call struct {
-	*mock.Call
-}
-
-// Start is a helper method to define mock.On call
-//   - eventCh chan<- struct{}
-func (_e *MockCgroupNotifier_Expecter) Start(eventCh interface{}) *MockCgroupNotifier_Start_Call {
-	return &MockCgroupNotifier_Start_Call{Call: _e.mock.On("Start", eventCh)}
-}
-
-func (_c *MockCgroupNotifier_Start_Call) Run(run func(eventCh chan<- struct{})) *MockCgroupNotifier_Start_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(chan<- struct{}))
-	})
-	return _c
-}
-
-func (_c *MockCgroupNotifier_Start_Call) Return() *MockCgroupNotifier_Start_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockCgroupNotifier_Start_Call) RunAndReturn(run func(chan<- struct{})) *MockCgroupNotifier_Start_Call {
-	_c.Run(run)
-	return _c
-}
-
-// Stop provides a mock function with no fields
-func (_m *MockCgroupNotifier) Stop() {
-	_m.Called()
-}
-
-// MockCgroupNotifier_Stop_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Stop'
-type MockCgroupNotifier_Stop_Call struct {
-	*mock.Call
-}
-
-// Stop is a helper method to define mock.On call
-func (_e *MockCgroupNotifier_Expecter) Stop() *MockCgroupNotifier_Stop_Call {
-	return &MockCgroupNotifier_Stop_Call{Call: _e.mock.On("Stop")}
-}
-
-func (_c *MockCgroupNotifier_Stop_Call) Run(run func()) *MockCgroupNotifier_Stop_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockCgroupNotifier_Stop_Call) Return() *MockCgroupNotifier_Stop_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockCgroupNotifier_Stop_Call) RunAndReturn(run func()) *MockCgroupNotifier_Stop_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockCgroupNotifier creates a new instance of MockCgroupNotifier. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockCgroupNotifier(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockCgroupNotifier {
-	mock := &MockCgroupNotifier{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/eviction/mock_notifier_factory_test.go b/pkg/kubelet/eviction/mock_notifier_factory_test.go
deleted file mode 100644
index 4e27024ba2ac7..0000000000000
--- a/pkg/kubelet/eviction/mock_notifier_factory_test.go
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package eviction
-
-import mock "github.com/stretchr/testify/mock"
-
-// MockNotifierFactory is an autogenerated mock type for the NotifierFactory type
-type MockNotifierFactory struct {
-	mock.Mock
-}
-
-type MockNotifierFactory_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockNotifierFactory) EXPECT() *MockNotifierFactory_Expecter {
-	return &MockNotifierFactory_Expecter{mock: &_m.Mock}
-}
-
-// NewCgroupNotifier provides a mock function with given fields: path, attribute, threshold
-func (_m *MockNotifierFactory) NewCgroupNotifier(path string, attribute string, threshold int64) (CgroupNotifier, error) {
-	ret := _m.Called(path, attribute, threshold)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NewCgroupNotifier")
-	}
-
-	var r0 CgroupNotifier
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string, string, int64) (CgroupNotifier, error)); ok {
-		return rf(path, attribute, threshold)
-	}
-	if rf, ok := ret.Get(0).(func(string, string, int64) CgroupNotifier); ok {
-		r0 = rf(path, attribute, threshold)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(CgroupNotifier)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, string, int64) error); ok {
-		r1 = rf(path, attribute, threshold)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNotifierFactory_NewCgroupNotifier_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NewCgroupNotifier'
-type MockNotifierFactory_NewCgroupNotifier_Call struct {
-	*mock.Call
-}
-
-// NewCgroupNotifier is a helper method to define mock.On call
-//   - path string
-//   - attribute string
-//   - threshold int64
-func (_e *MockNotifierFactory_Expecter) NewCgroupNotifier(path interface{}, attribute interface{}, threshold interface{}) *MockNotifierFactory_NewCgroupNotifier_Call {
-	return &MockNotifierFactory_NewCgroupNotifier_Call{Call: _e.mock.On("NewCgroupNotifier", path, attribute, threshold)}
-}
-
-func (_c *MockNotifierFactory_NewCgroupNotifier_Call) Run(run func(path string, attribute string, threshold int64)) *MockNotifierFactory_NewCgroupNotifier_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string), args[2].(int64))
-	})
-	return _c
-}
-
-func (_c *MockNotifierFactory_NewCgroupNotifier_Call) Return(_a0 CgroupNotifier, _a1 error) *MockNotifierFactory_NewCgroupNotifier_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNotifierFactory_NewCgroupNotifier_Call) RunAndReturn(run func(string, string, int64) (CgroupNotifier, error)) *MockNotifierFactory_NewCgroupNotifier_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockNotifierFactory creates a new instance of MockNotifierFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockNotifierFactory(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockNotifierFactory {
-	mock := &MockNotifierFactory{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/eviction/mock_threshold_notifier_test.go b/pkg/kubelet/eviction/mock_threshold_notifier_test.go
deleted file mode 100644
index 0b2f13d5ed6e4..0000000000000
--- a/pkg/kubelet/eviction/mock_threshold_notifier_test.go
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package eviction
-
-import (
-	mock "github.com/stretchr/testify/mock"
-	v1alpha1 "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
-)
-
-// MockThresholdNotifier is an autogenerated mock type for the ThresholdNotifier type
-type MockThresholdNotifier struct {
-	mock.Mock
-}
-
-type MockThresholdNotifier_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockThresholdNotifier) EXPECT() *MockThresholdNotifier_Expecter {
-	return &MockThresholdNotifier_Expecter{mock: &_m.Mock}
-}
-
-// Description provides a mock function with no fields
-func (_m *MockThresholdNotifier) Description() string {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Description")
-	}
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func() string); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockThresholdNotifier_Description_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Description'
-type MockThresholdNotifier_Description_Call struct {
-	*mock.Call
-}
-
-// Description is a helper method to define mock.On call
-func (_e *MockThresholdNotifier_Expecter) Description() *MockThresholdNotifier_Description_Call {
-	return &MockThresholdNotifier_Description_Call{Call: _e.mock.On("Description")}
-}
-
-func (_c *MockThresholdNotifier_Description_Call) Run(run func()) *MockThresholdNotifier_Description_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockThresholdNotifier_Description_Call) Return(_a0 string) *MockThresholdNotifier_Description_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockThresholdNotifier_Description_Call) RunAndReturn(run func() string) *MockThresholdNotifier_Description_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Start provides a mock function with no fields
-func (_m *MockThresholdNotifier) Start() {
-	_m.Called()
-}
-
-// MockThresholdNotifier_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
-type MockThresholdNotifier_Start_Call struct {
-	*mock.Call
-}
-
-// Start is a helper method to define mock.On call
-func (_e *MockThresholdNotifier_Expecter) Start() *MockThresholdNotifier_Start_Call {
-	return &MockThresholdNotifier_Start_Call{Call: _e.mock.On("Start")}
-}
-
-func (_c *MockThresholdNotifier_Start_Call) Run(run func()) *MockThresholdNotifier_Start_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockThresholdNotifier_Start_Call) Return() *MockThresholdNotifier_Start_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockThresholdNotifier_Start_Call) RunAndReturn(run func()) *MockThresholdNotifier_Start_Call {
-	_c.Run(run)
-	return _c
-}
-
-// UpdateThreshold provides a mock function with given fields: summary
-func (_m *MockThresholdNotifier) UpdateThreshold(summary *v1alpha1.Summary) error {
-	ret := _m.Called(summary)
-
-	if len(ret) == 0 {
-		panic("no return value specified for UpdateThreshold")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(*v1alpha1.Summary) error); ok {
-		r0 = rf(summary)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockThresholdNotifier_UpdateThreshold_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateThreshold'
-type MockThresholdNotifier_UpdateThreshold_Call struct {
-	*mock.Call
-}
-
-// UpdateThreshold is a helper method to define mock.On call
-//   - summary *v1alpha1.Summary
-func (_e *MockThresholdNotifier_Expecter) UpdateThreshold(summary interface{}) *MockThresholdNotifier_UpdateThreshold_Call {
-	return &MockThresholdNotifier_UpdateThreshold_Call{Call: _e.mock.On("UpdateThreshold", summary)}
-}
-
-func (_c *MockThresholdNotifier_UpdateThreshold_Call) Run(run func(summary *v1alpha1.Summary)) *MockThresholdNotifier_UpdateThreshold_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1alpha1.Summary))
-	})
-	return _c
-}
-
-func (_c *MockThresholdNotifier_UpdateThreshold_Call) Return(_a0 error) *MockThresholdNotifier_UpdateThreshold_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockThresholdNotifier_UpdateThreshold_Call) RunAndReturn(run func(*v1alpha1.Summary) error) *MockThresholdNotifier_UpdateThreshold_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockThresholdNotifier creates a new instance of MockThresholdNotifier. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockThresholdNotifier(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockThresholdNotifier {
-	mock := &MockThresholdNotifier{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/eviction/mocks_test.go b/pkg/kubelet/eviction/mocks_test.go
new file mode 100644
index 0000000000000..94b197b503769
--- /dev/null
+++ b/pkg/kubelet/eviction/mocks_test.go
@@ -0,0 +1,410 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package eviction
+
+import (
+	"context"
+
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/klog/v2"
+	"k8s.io/kubelet/pkg/apis/stats/v1alpha1"
+)
+
+// NewMockCgroupNotifier creates a new instance of MockCgroupNotifier. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCgroupNotifier(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockCgroupNotifier {
+	mock := &MockCgroupNotifier{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockCgroupNotifier is an autogenerated mock type for the CgroupNotifier type
+type MockCgroupNotifier struct {
+	mock.Mock
+}
+
+type MockCgroupNotifier_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCgroupNotifier) EXPECT() *MockCgroupNotifier_Expecter {
+	return &MockCgroupNotifier_Expecter{mock: &_m.Mock}
+}
+
+// Start provides a mock function for the type MockCgroupNotifier
+func (_mock *MockCgroupNotifier) Start(ctx context.Context, eventCh chan<- struct{}) {
+	_mock.Called(ctx, eventCh)
+	return
+}
+
+// MockCgroupNotifier_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
+type MockCgroupNotifier_Start_Call struct {
+	*mock.Call
+}
+
+// Start is a helper method to define mock.On call
+//   - ctx context.Context
+//   - eventCh chan<- struct{}
+func (_e *MockCgroupNotifier_Expecter) Start(ctx interface{}, eventCh interface{}) *MockCgroupNotifier_Start_Call {
+	return &MockCgroupNotifier_Start_Call{Call: _e.mock.On("Start", ctx, eventCh)}
+}
+
+func (_c *MockCgroupNotifier_Start_Call) Run(run func(ctx context.Context, eventCh chan<- struct{})) *MockCgroupNotifier_Start_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 chan<- struct{}
+		if args[1] != nil {
+			arg1 = args[1].(chan<- struct{})
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCgroupNotifier_Start_Call) Return() *MockCgroupNotifier_Start_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockCgroupNotifier_Start_Call) RunAndReturn(run func(ctx context.Context, eventCh chan<- struct{})) *MockCgroupNotifier_Start_Call {
+	_c.Run(run)
+	return _c
+}
+
+// Stop provides a mock function for the type MockCgroupNotifier
+func (_mock *MockCgroupNotifier) Stop() {
+	_mock.Called()
+	return
+}
+
+// MockCgroupNotifier_Stop_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Stop'
+type MockCgroupNotifier_Stop_Call struct {
+	*mock.Call
+}
+
+// Stop is a helper method to define mock.On call
+func (_e *MockCgroupNotifier_Expecter) Stop() *MockCgroupNotifier_Stop_Call {
+	return &MockCgroupNotifier_Stop_Call{Call: _e.mock.On("Stop")}
+}
+
+func (_c *MockCgroupNotifier_Stop_Call) Run(run func()) *MockCgroupNotifier_Stop_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCgroupNotifier_Stop_Call) Return() *MockCgroupNotifier_Stop_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockCgroupNotifier_Stop_Call) RunAndReturn(run func()) *MockCgroupNotifier_Stop_Call {
+	_c.Run(run)
+	return _c
+}
+
+// NewMockNotifierFactory creates a new instance of MockNotifierFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockNotifierFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockNotifierFactory {
+	mock := &MockNotifierFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockNotifierFactory is an autogenerated mock type for the NotifierFactory type
+type MockNotifierFactory struct {
+	mock.Mock
+}
+
+type MockNotifierFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockNotifierFactory) EXPECT() *MockNotifierFactory_Expecter {
+	return &MockNotifierFactory_Expecter{mock: &_m.Mock}
+}
+
+// NewCgroupNotifier provides a mock function for the type MockNotifierFactory
+func (_mock *MockNotifierFactory) NewCgroupNotifier(logger klog.Logger, path string, attribute string, threshold int64) (CgroupNotifier, error) {
+	ret := _mock.Called(logger, path, attribute, threshold)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NewCgroupNotifier")
+	}
+
+	var r0 CgroupNotifier
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, string, string, int64) (CgroupNotifier, error)); ok {
+		return returnFunc(logger, path, attribute, threshold)
+	}
+	if returnFunc, ok := ret.Get(0).(func(klog.Logger, string, string, int64) CgroupNotifier); ok {
+		r0 = returnFunc(logger, path, attribute, threshold)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(CgroupNotifier)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(klog.Logger, string, string, int64) error); ok {
+		r1 = returnFunc(logger, path, attribute, threshold)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNotifierFactory_NewCgroupNotifier_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NewCgroupNotifier'
+type MockNotifierFactory_NewCgroupNotifier_Call struct {
+	*mock.Call
+}
+
+// NewCgroupNotifier is a helper method to define mock.On call
+//   - logger klog.Logger
+//   - path string
+//   - attribute string
+//   - threshold int64
+func (_e *MockNotifierFactory_Expecter) NewCgroupNotifier(logger interface{}, path interface{}, attribute interface{}, threshold interface{}) *MockNotifierFactory_NewCgroupNotifier_Call {
+	return &MockNotifierFactory_NewCgroupNotifier_Call{Call: _e.mock.On("NewCgroupNotifier", logger, path, attribute, threshold)}
+}
+
+func (_c *MockNotifierFactory_NewCgroupNotifier_Call) Run(run func(logger klog.Logger, path string, attribute string, threshold int64)) *MockNotifierFactory_NewCgroupNotifier_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 klog.Logger
+		if args[0] != nil {
+			arg0 = args[0].(klog.Logger)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 string
+		if args[2] != nil {
+			arg2 = args[2].(string)
+		}
+		var arg3 int64
+		if args[3] != nil {
+			arg3 = args[3].(int64)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNotifierFactory_NewCgroupNotifier_Call) Return(cgroupNotifier CgroupNotifier, err error) *MockNotifierFactory_NewCgroupNotifier_Call {
+	_c.Call.Return(cgroupNotifier, err)
+	return _c
+}
+
+func (_c *MockNotifierFactory_NewCgroupNotifier_Call) RunAndReturn(run func(logger klog.Logger, path string, attribute string, threshold int64) (CgroupNotifier, error)) *MockNotifierFactory_NewCgroupNotifier_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockThresholdNotifier creates a new instance of MockThresholdNotifier. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockThresholdNotifier(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockThresholdNotifier {
+	mock := &MockThresholdNotifier{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockThresholdNotifier is an autogenerated mock type for the ThresholdNotifier type
+type MockThresholdNotifier struct {
+	mock.Mock
+}
+
+type MockThresholdNotifier_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockThresholdNotifier) EXPECT() *MockThresholdNotifier_Expecter {
+	return &MockThresholdNotifier_Expecter{mock: &_m.Mock}
+}
+
+// Description provides a mock function for the type MockThresholdNotifier
+func (_mock *MockThresholdNotifier) Description() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Description")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockThresholdNotifier_Description_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Description'
+type MockThresholdNotifier_Description_Call struct {
+	*mock.Call
+}
+
+// Description is a helper method to define mock.On call
+func (_e *MockThresholdNotifier_Expecter) Description() *MockThresholdNotifier_Description_Call {
+	return &MockThresholdNotifier_Description_Call{Call: _e.mock.On("Description")}
+}
+
+func (_c *MockThresholdNotifier_Description_Call) Run(run func()) *MockThresholdNotifier_Description_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockThresholdNotifier_Description_Call) Return(s string) *MockThresholdNotifier_Description_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockThresholdNotifier_Description_Call) RunAndReturn(run func() string) *MockThresholdNotifier_Description_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Start provides a mock function for the type MockThresholdNotifier
+func (_mock *MockThresholdNotifier) Start(ctx context.Context) {
+	_mock.Called(ctx)
+	return
+}
+
+// MockThresholdNotifier_Start_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Start'
+type MockThresholdNotifier_Start_Call struct {
+	*mock.Call
+}
+
+// Start is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockThresholdNotifier_Expecter) Start(ctx interface{}) *MockThresholdNotifier_Start_Call {
+	return &MockThresholdNotifier_Start_Call{Call: _e.mock.On("Start", ctx)}
+}
+
+func (_c *MockThresholdNotifier_Start_Call) Run(run func(ctx context.Context)) *MockThresholdNotifier_Start_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockThresholdNotifier_Start_Call) Return() *MockThresholdNotifier_Start_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockThresholdNotifier_Start_Call) RunAndReturn(run func(ctx context.Context)) *MockThresholdNotifier_Start_Call {
+	_c.Run(run)
+	return _c
+}
+
+// UpdateThreshold provides a mock function for the type MockThresholdNotifier
+func (_mock *MockThresholdNotifier) UpdateThreshold(ctx context.Context, summary *v1alpha1.Summary) error {
+	ret := _mock.Called(ctx, summary)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateThreshold")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *v1alpha1.Summary) error); ok {
+		r0 = returnFunc(ctx, summary)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockThresholdNotifier_UpdateThreshold_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateThreshold'
+type MockThresholdNotifier_UpdateThreshold_Call struct {
+	*mock.Call
+}
+
+// UpdateThreshold is a helper method to define mock.On call
+//   - ctx context.Context
+//   - summary *v1alpha1.Summary
+func (_e *MockThresholdNotifier_Expecter) UpdateThreshold(ctx interface{}, summary interface{}) *MockThresholdNotifier_UpdateThreshold_Call {
+	return &MockThresholdNotifier_UpdateThreshold_Call{Call: _e.mock.On("UpdateThreshold", ctx, summary)}
+}
+
+func (_c *MockThresholdNotifier_UpdateThreshold_Call) Run(run func(ctx context.Context, summary *v1alpha1.Summary)) *MockThresholdNotifier_UpdateThreshold_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *v1alpha1.Summary
+		if args[1] != nil {
+			arg1 = args[1].(*v1alpha1.Summary)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockThresholdNotifier_UpdateThreshold_Call) Return(err error) *MockThresholdNotifier_UpdateThreshold_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockThresholdNotifier_UpdateThreshold_Call) RunAndReturn(run func(ctx context.Context, summary *v1alpha1.Summary) error) *MockThresholdNotifier_UpdateThreshold_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/eviction/threshold_notifier_linux.go b/pkg/kubelet/eviction/threshold_notifier_linux.go
index b43047dc7396f..8db6fb8e676d6 100644
--- a/pkg/kubelet/eviction/threshold_notifier_linux.go
+++ b/pkg/kubelet/eviction/threshold_notifier_linux.go
@@ -17,6 +17,7 @@ limitations under the License.
 package eviction
 
 import (
+	"context"
 	"fmt"
 	"sync"
 	"time"
@@ -46,7 +47,7 @@ var _ CgroupNotifier = &linuxCgroupNotifier{}
 
 // NewCgroupNotifier returns a linuxCgroupNotifier, which performs cgroup control operations required
 // to receive notifications from the cgroup when the threshold is crossed in either direction.
-func NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier, error) {
+func NewCgroupNotifier(logger klog.Logger, path, attribute string, threshold int64) (CgroupNotifier, error) {
 	// cgroupv2 does not support monitoring cgroup memory thresholds using cgroup.event_control.
 	// Instead long term, on cgroupv2 kubelet should rely on combining usage of memory.low on root pods cgroup with inotify notifications on memory.events and or PSI pressure.
 	// For now, let's return a fake "disabled" cgroup notifier on cgroupv2.
@@ -107,13 +108,14 @@ func NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier,
 	}, nil
 }
 
-func (n *linuxCgroupNotifier) Start(eventCh chan<- struct{}) {
+func (n *linuxCgroupNotifier) Start(ctx context.Context, eventCh chan<- struct{}) {
+	logger := klog.FromContext(ctx)
 	err := unix.EpollCtl(n.epfd, unix.EPOLL_CTL_ADD, n.eventfd, &unix.EpollEvent{
 		Fd:     int32(n.eventfd),
 		Events: unix.EPOLLIN,
 	})
 	if err != nil {
-		klog.InfoS("Eviction manager: error adding epoll eventfd", "err", err)
+		logger.Info("Eviction manager: error adding epoll eventfd", "err", err)
 		return
 	}
 	buf := make([]byte, eventSize)
@@ -125,7 +127,7 @@ func (n *linuxCgroupNotifier) Start(eventCh chan<- struct{}) {
 		}
 		event, err := wait(n.epfd, n.eventfd, notifierRefreshInterval)
 		if err != nil {
-			klog.InfoS("Eviction manager: error while waiting for memcg events", "err", err)
+			logger.Info("Eviction manager: error while waiting for memcg events", "err", err)
 			return
 		} else if !event {
 			// Timeout on wait.  This is expected if the threshold was not crossed
@@ -134,7 +136,7 @@ func (n *linuxCgroupNotifier) Start(eventCh chan<- struct{}) {
 		// Consume the event from the eventfd
 		_, err = unix.Read(n.eventfd, buf)
 		if err != nil {
-			klog.InfoS("Eviction manager: error reading memcg events", "err", err)
+			logger.Info("Eviction manager: error reading memcg events", "err", err)
 			return
 		}
 		eventCh <- struct{}{}
@@ -196,5 +198,5 @@ func (n *linuxCgroupNotifier) Stop() {
 // disabledThresholdNotifier is a fake diasbled threshold notifier that performs no-ops.
 type disabledThresholdNotifier struct{}
 
-func (*disabledThresholdNotifier) Start(_ chan<- struct{}) {}
-func (*disabledThresholdNotifier) Stop()                   {}
+func (*disabledThresholdNotifier) Start(context.Context, chan<- struct{}) {}
+func (*disabledThresholdNotifier) Stop()                                  {}
diff --git a/pkg/kubelet/eviction/threshold_notifier_unsupported.go b/pkg/kubelet/eviction/threshold_notifier_unsupported.go
index 073ca5dc16d20..b06a2839e698f 100644
--- a/pkg/kubelet/eviction/threshold_notifier_unsupported.go
+++ b/pkg/kubelet/eviction/threshold_notifier_unsupported.go
@@ -19,16 +19,20 @@ limitations under the License.
 
 package eviction
 
-import "k8s.io/klog/v2"
+import (
+	"context"
+
+	"k8s.io/klog/v2"
+)
 
 // NewCgroupNotifier creates a cgroup notifier that does nothing because cgroups do not exist on non-linux systems.
-func NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier, error) {
-	klog.V(5).InfoS("cgroup notifications not supported")
+func NewCgroupNotifier(logger klog.Logger, path, attribute string, threshold int64) (CgroupNotifier, error) {
+	logger.V(5).Info("cgroup notifications not supported")
 	return &unsupportedThresholdNotifier{}, nil
 }
 
 type unsupportedThresholdNotifier struct{}
 
-func (*unsupportedThresholdNotifier) Start(_ chan<- struct{}) {}
+func (*unsupportedThresholdNotifier) Start(context.Context, chan<- struct{}) {}
 
 func (*unsupportedThresholdNotifier) Stop() {}
diff --git a/pkg/kubelet/eviction/types.go b/pkg/kubelet/eviction/types.go
index 83cdfcdf8534e..7bb09eda79be6 100644
--- a/pkg/kubelet/eviction/types.go
+++ b/pkg/kubelet/eviction/types.go
@@ -24,6 +24,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
 )
@@ -59,7 +60,7 @@ type Config struct {
 // Manager evaluates when an eviction threshold for node stability has been met on the node.
 type Manager interface {
 	// Start starts the control loop to monitor eviction thresholds at specified interval.
-	Start(diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc, podCleanedUpFunc PodCleanedUpFunc, monitoringInterval time.Duration)
+	Start(ctx context.Context, diskInfoProvider DiskInfoProvider, podFunc ActivePodsFunc, podCleanedUpFunc PodCleanedUpFunc, monitoringInterval time.Duration)
 
 	// IsUnderMemoryPressure returns true if the node is under memory pressure.
 	IsUnderMemoryPressure() bool
@@ -144,7 +145,7 @@ type nodeReclaimFuncs []nodeReclaimFunc
 // CgroupNotifier generates events from cgroup events
 type CgroupNotifier interface {
 	// Start causes the CgroupNotifier to begin notifying on the eventCh
-	Start(eventCh chan<- struct{})
+	Start(ctx context.Context, eventCh chan<- struct{})
 	// Stop stops all processes and cleans up file descriptors associated with the CgroupNotifier
 	Stop()
 }
@@ -153,18 +154,18 @@ type CgroupNotifier interface {
 type NotifierFactory interface {
 	// NewCgroupNotifier creates a CgroupNotifier that creates events when the threshold
 	// on the attribute in the cgroup specified by the path is crossed.
-	NewCgroupNotifier(path, attribute string, threshold int64) (CgroupNotifier, error)
+	NewCgroupNotifier(logger klog.Logger, path, attribute string, threshold int64) (CgroupNotifier, error)
 }
 
 // ThresholdNotifier manages CgroupNotifiers based on memory eviction thresholds, and performs a function
 // when memory eviction thresholds are crossed
 type ThresholdNotifier interface {
 	// Start calls the notifier function when the CgroupNotifier notifies the ThresholdNotifier that an event occurred
-	Start()
+	Start(ctx context.Context)
 	// UpdateThreshold updates the memory cgroup threshold based on the metrics provided.
 	// Calling UpdateThreshold with recent metrics allows the ThresholdNotifier to trigger at the
 	// eviction threshold more accurately
-	UpdateThreshold(summary *statsapi.Summary) error
+	UpdateThreshold(ctx context.Context, summary *statsapi.Summary) error
 	// Description produces a relevant string describing the Memory Threshold Notifier
 	Description() string
 }
diff --git a/pkg/kubelet/images/image_gc_manager.go b/pkg/kubelet/images/image_gc_manager.go
index 03823deca290d..8075c1a4d06de 100644
--- a/pkg/kubelet/images/image_gc_manager.go
+++ b/pkg/kubelet/images/image_gc_manager.go
@@ -60,7 +60,7 @@ const (
 // PostImageGCHook allows external sources to react to GC collect events.
 // `remainingImages` is a list of images that were left on the system after garbage
 // collection finished.
-type PostImageGCHook func(remainingImages []string, gcStart time.Time)
+type PostImageGCHook func(ctx context.Context, remainingImages []string, gcStart time.Time)
 
 // StatsProvider is an interface for fetching stats used during image garbage
 // collection.
@@ -77,7 +77,7 @@ type ImageGCManager interface {
 	GarbageCollect(ctx context.Context, beganGC time.Time) error
 
 	// Start async garbage collection of images.
-	Start()
+	Start(ctx context.Context)
 
 	GetImageList() ([]container.Image, error)
 
@@ -214,12 +214,12 @@ func NewImageGCManager(runtime container.Runtime, statsProvider StatsProvider, p
 	return im, nil
 }
 
-func (im *realImageGCManager) Start() {
-	ctx := context.Background()
+func (im *realImageGCManager) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	go wait.Until(func() {
 		_, err := im.detectImages(ctx, time.Now())
 		if err != nil {
-			klog.InfoS("Failed to monitor images", "err", err)
+			logger.Info("Failed to monitor images", "err", err)
 		}
 	}, 5*time.Minute, wait.NeverStop)
 
@@ -227,7 +227,7 @@ func (im *realImageGCManager) Start() {
 	go wait.Until(func() {
 		images, err := im.runtime.ListImages(ctx)
 		if err != nil {
-			klog.InfoS("Failed to update image list", "err", err)
+			logger.Info("Failed to update image list", "err", err)
 		} else {
 			im.imageCache.set(images)
 		}
@@ -241,6 +241,7 @@ func (im *realImageGCManager) GetImageList() ([]container.Image, error) {
 }
 
 func (im *realImageGCManager) detectImages(ctx context.Context, detectTime time.Time) (sets.Set[string], error) {
+	logger := klog.FromContext(ctx)
 	isRuntimeClassInImageCriAPIEnabled := utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClassInImageCriAPI)
 	imagesInUse := sets.New[string]()
 
@@ -261,11 +262,11 @@ func (im *realImageGCManager) detectImages(ctx context.Context, detectTime time.
 			}
 
 			if !isRuntimeClassInImageCriAPIEnabled {
-				klog.V(5).InfoS("Container uses image", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "containerImage", container.Image, "imageID", container.ImageID, "imageRef", container.ImageRef)
+				logger.V(5).Info("Container uses image", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "containerImage", container.Image, "imageID", container.ImageID, "imageRef", container.ImageRef)
 				imagesInUse.Insert(container.ImageID)
 			} else {
 				imageKey := getImageTuple(container.ImageID, container.ImageRuntimeHandler)
-				klog.V(5).InfoS("Container uses image", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "containerImage", container.Image, "imageID", container.ImageID, "imageRef", container.ImageRef, "imageKey", imageKey)
+				logger.V(5).Info("Container uses image", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "containerImage", container.Image, "imageID", container.ImageID, "imageRef", container.ImageRef, "imageKey", imageKey)
 				imagesInUse.Insert(imageKey)
 			}
 		}
@@ -279,17 +280,17 @@ func (im *realImageGCManager) detectImages(ctx context.Context, detectTime time.
 	for _, image := range images {
 		imageKey := image.ID
 		if !isRuntimeClassInImageCriAPIEnabled {
-			klog.V(5).InfoS("Adding image ID to currentImages", "imageID", imageKey)
+			logger.V(5).Info("Adding image ID to currentImages", "imageID", imageKey)
 		} else {
 			imageKey = getImageTuple(image.ID, image.Spec.RuntimeHandler)
-			klog.V(5).InfoS("Adding image ID with runtime class to currentImages", "imageKey", imageKey, "runtimeHandler", image.Spec.RuntimeHandler)
+			logger.V(5).Info("Adding image ID with runtime class to currentImages", "imageKey", imageKey, "runtimeHandler", image.Spec.RuntimeHandler)
 		}
 
 		currentImages.Insert(imageKey)
 
 		// New image, set it as detected now.
 		if _, ok := im.imageRecords[imageKey]; !ok {
-			klog.V(5).InfoS("Image ID is new", "imageID", imageKey, "runtimeHandler", image.Spec.RuntimeHandler)
+			logger.V(5).Info("Image ID is new", "imageID", imageKey, "runtimeHandler", image.Spec.RuntimeHandler)
 			im.imageRecords[imageKey] = &imageRecord{
 				firstDetected:                 detectTime,
 				runtimeHandlerUsedToPullImage: image.Spec.RuntimeHandler,
@@ -298,21 +299,21 @@ func (im *realImageGCManager) detectImages(ctx context.Context, detectTime time.
 
 		// Set last used time to now if the image is being used.
 		if isImageUsed(imageKey, imagesInUse) {
-			klog.V(5).InfoS("Setting Image ID lastUsed", "imageID", imageKey, "lastUsed", now)
+			logger.V(5).Info("Setting Image ID lastUsed", "imageID", imageKey, "lastUsed", now)
 			im.imageRecords[imageKey].lastUsed = now
 		}
 
-		klog.V(5).InfoS("Image ID has size", "imageID", imageKey, "size", image.Size)
+		logger.V(5).Info("Image ID has size", "imageID", imageKey, "size", image.Size)
 		im.imageRecords[imageKey].size = image.Size
 
-		klog.V(5).InfoS("Image ID is pinned", "imageID", imageKey, "pinned", image.Pinned)
+		logger.V(5).Info("Image ID is pinned", "imageID", imageKey, "pinned", image.Pinned)
 		im.imageRecords[imageKey].pinned = image.Pinned
 	}
 
 	// Remove old images from our records.
 	for image := range im.imageRecords {
 		if !currentImages.Has(image) {
-			klog.V(5).InfoS("Image ID is no longer present; removing from imageRecords", "imageID", image)
+			logger.V(5).Info("Image ID is no longer present; removing from imageRecords", "imageID", image)
 			delete(im.imageRecords, image)
 		}
 	}
@@ -322,11 +323,12 @@ func (im *realImageGCManager) detectImages(ctx context.Context, detectTime time.
 
 // handleImageVolumes ensures that image volumes are considered as images in use.
 func (im *realImageGCManager) handleImageVolumes(ctx context.Context, imagesInUse sets.Set[string], container *container.Container, pod *container.Pod, images []container.Image) error {
+	logger := klog.FromContext(ctx)
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ImageVolume) {
 		return nil
 	}
 
-	status, err := im.runtime.GetContainerStatus(ctx, container.ID)
+	status, err := im.runtime.GetContainerStatus(ctx, pod.ID, container.ID)
 	if err != nil {
 		return fmt.Errorf("get container status: %w", err)
 	}
@@ -334,7 +336,7 @@ func (im *realImageGCManager) handleImageVolumes(ctx context.Context, imagesInUs
 	for _, mount := range status.Mounts {
 		for _, image := range images {
 			if mount.Image != nil && mount.Image.Image == image.ID {
-				klog.V(5).InfoS("Container uses image as mount", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "imageID", image.ID)
+				logger.V(5).Info("Container uses image as mount", "pod", klog.KRef(pod.Namespace, pod.Name), "containerName", container.Name, "imageID", image.ID)
 				imagesInUse.Insert(image.ID)
 			}
 		}
@@ -345,6 +347,7 @@ func (im *realImageGCManager) handleImageVolumes(ctx context.Context, imagesInUs
 
 func (im *realImageGCManager) GarbageCollect(ctx context.Context, beganGC time.Time) error {
 	ctx, otelSpan := im.tracer.Start(ctx, "Images/GarbageCollect")
+	logger := klog.FromContext(ctx)
 	defer otelSpan.End()
 
 	freeTime := time.Now()
@@ -373,7 +376,7 @@ func (im *realImageGCManager) GarbageCollect(ctx context.Context, beganGC time.T
 	}
 
 	if available > capacity {
-		klog.InfoS("Availability is larger than capacity", "available", available, "capacity", capacity)
+		logger.Info("Availability is larger than capacity", "available", available, "capacity", capacity)
 		available = capacity
 	}
 
@@ -388,27 +391,34 @@ func (im *realImageGCManager) GarbageCollect(ctx context.Context, beganGC time.T
 	usagePercent := 100 - int(available*100/capacity)
 	if usagePercent >= im.policy.HighThresholdPercent {
 		amountToFree := capacity*int64(100-im.policy.LowThresholdPercent)/100 - available
-		klog.InfoS("Disk usage on image filesystem is over the high threshold, trying to free bytes down to the low threshold", "usage", usagePercent, "highThreshold", im.policy.HighThresholdPercent, "amountToFree", amountToFree, "lowThreshold", im.policy.LowThresholdPercent)
+		logger.Info("Disk usage on image filesystem is over the high threshold, trying to free bytes down to the low threshold", "usage", usagePercent, "highThreshold", im.policy.HighThresholdPercent, "amountToFree", amountToFree, "lowThreshold", im.policy.LowThresholdPercent)
 		remainingImages, freed, err := im.freeSpace(ctx, amountToFree, freeTime, images)
 		if err != nil {
+			// Failed to delete images, eg due to a read-only filesystem.
 			return err
 		}
 
-		im.runPostGCHooks(remainingImages, freeTime)
+		im.runPostGCHooks(ctx, remainingImages, freeTime)
 
 		if freed < amountToFree {
-			err := fmt.Errorf("Failed to garbage collect required amount of images. Attempted to free %d bytes, but only found %d bytes eligible to free.", amountToFree, freed)
-			im.recorder.Eventf(im.nodeRef, v1.EventTypeWarning, events.FreeDiskSpaceFailed, err.Error())
-			return err
+			// This usually means the disk is full for reasons other than container
+			// images, such as logs, volumes, or other files. However, it could also
+			// be due to an unusually large number or size of in-use container images.
+			message := fmt.Sprintf("Insufficient free disk space on the node's image filesystem (%d%% of %s used). "+
+				"Failed to free sufficient space by deleting unused images (freed %d bytes). "+
+				"Investigate disk usage, as it could be used by active images, logs, volumes, or other data.",
+				usagePercent, formatSize(capacity), freed)
+			im.recorder.Eventf(im.nodeRef, v1.EventTypeWarning, events.FreeDiskSpaceFailed, "%s", message)
+			return fmt.Errorf("%s", message)
 		}
 	}
 
 	return nil
 }
 
-func (im *realImageGCManager) runPostGCHooks(remainingImages []string, gcStartTime time.Time) {
+func (im *realImageGCManager) runPostGCHooks(ctx context.Context, remainingImages []string, gcStartTime time.Time) {
 	for _, h := range im.postGCHooks {
-		h(remainingImages, gcStartTime)
+		h(ctx, remainingImages, gcStartTime)
 	}
 }
 
@@ -423,9 +433,10 @@ func (im *realImageGCManager) freeOldImages(ctx context.Context, images []evicti
 		return images, nil
 	}
 	var deletionErrors []error
+	logger := klog.FromContext(ctx)
 	remainingImages := make([]evictionInfo, 0)
 	for _, image := range images {
-		klog.V(5).InfoS("Evaluating image ID for possible garbage collection based on image age", "imageID", image.id)
+		logger.V(5).Info("Evaluating image ID for possible garbage collection based on image age", "imageID", image.id)
 		// Evaluate whether image is older than MaxAge.
 		if freeTime.Sub(image.lastUsed) > im.policy.MaxAge {
 			if err := im.freeImage(ctx, image, ImageGarbageCollectedTotalReasonAge); err != nil {
@@ -444,7 +455,8 @@ func (im *realImageGCManager) freeOldImages(ctx context.Context, images []evicti
 }
 
 func (im *realImageGCManager) DeleteUnusedImages(ctx context.Context) error {
-	klog.InfoS("Attempting to delete unused images")
+	logger := klog.FromContext(ctx)
+	logger.Info("Attempting to delete unused images")
 	freeTime := time.Now()
 
 	images, err := im.imagesInEvictionOrder(ctx, freeTime)
@@ -457,7 +469,7 @@ func (im *realImageGCManager) DeleteUnusedImages(ctx context.Context) error {
 		return err
 	}
 
-	im.runPostGCHooks(remainingImages, freeTime)
+	im.runPostGCHooks(ctx, remainingImages, freeTime)
 	return nil
 }
 
@@ -470,22 +482,23 @@ func (im *realImageGCManager) DeleteUnusedImages(ctx context.Context) error {
 func (im *realImageGCManager) freeSpace(ctx context.Context, bytesToFree int64, freeTime time.Time, images []evictionInfo) ([]string, int64, error) {
 	// Delete unused images until we've freed up enough space.
 	var deletionErrors []error
+	logger := klog.FromContext(ctx)
 	spaceFreed := int64(0)
 	var imagesLeft []string
 	for _, image := range images {
-		klog.V(5).InfoS("Evaluating image ID for possible garbage collection based on disk usage", "imageID", image.id, "runtimeHandler", image.imageRecord.runtimeHandlerUsedToPullImage)
+		logger.V(5).Info("Evaluating image ID for possible garbage collection based on disk usage", "imageID", image.id, "runtimeHandler", image.runtimeHandlerUsedToPullImage)
 		// Images that are currently in used were given a newer lastUsed.
 		if image.lastUsed.Equal(freeTime) || image.lastUsed.After(freeTime) {
-			klog.V(5).InfoS("Image ID was used too recently, not eligible for garbage collection", "imageID", image.id, "lastUsed", image.lastUsed, "freeTime", freeTime)
 			imagesLeft = append(imagesLeft, image.id)
+			logger.V(5).Info("Image ID was used too recently, not eligible for garbage collection", "imageID", image.id, "lastUsed", image.lastUsed, "freeTime", freeTime)
 			continue
 		}
 
 		// Avoid garbage collect the image if the image is not old enough.
 		// In such a case, the image may have just been pulled down, and will be used by a container right away.
 		if freeTime.Sub(image.firstDetected) < im.policy.MinAge {
-			klog.V(5).InfoS("Image ID's age is less than the policy's minAge, not eligible for garbage collection", "imageID", image.id, "age", freeTime.Sub(image.firstDetected), "minAge", im.policy.MinAge)
 			imagesLeft = append(imagesLeft, image.id)
+			logger.V(5).Info("Image ID's age is less than the policy's minAge, not eligible for garbage collection", "imageID", image.id, "age", freeTime.Sub(image.firstDetected), "minAge", im.policy.MinAge)
 			continue
 		}
 
@@ -511,7 +524,8 @@ func (im *realImageGCManager) freeImage(ctx context.Context, image evictionInfo,
 	isRuntimeClassInImageCriAPIEnabled := utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClassInImageCriAPI)
 	// Remove image. Continue despite errors.
 	var err error
-	klog.InfoS("Removing image to free bytes", "imageID", image.id, "size", image.size, "runtimeHandler", image.runtimeHandlerUsedToPullImage)
+	logger := klog.FromContext(ctx)
+	logger.Info("Removing image to free bytes", "imageID", image.id, "size", image.size, "runtimeHandler", image.runtimeHandlerUsedToPullImage)
 	err = im.runtime.RemoveImage(ctx, container.ImageSpec{Image: image.id, RuntimeHandler: image.runtimeHandlerUsedToPullImage})
 	if err != nil {
 		return err
@@ -540,17 +554,18 @@ func (im *realImageGCManager) imagesInEvictionOrder(ctx context.Context, freeTim
 
 	im.imageRecordsLock.Lock()
 	defer im.imageRecordsLock.Unlock()
+	logger := klog.FromContext(ctx)
 
 	// Get all images in eviction order.
 	images := make([]evictionInfo, 0, len(im.imageRecords))
 	for image, record := range im.imageRecords {
 		if isImageUsed(image, imagesInUse) {
-			klog.V(5).InfoS("Image ID is being used", "imageID", image)
+			logger.V(5).Info("Image ID is being used", "imageID", image)
 			continue
 		}
 		// Check if image is pinned, prevent garbage collection
 		if record.pinned {
-			klog.V(5).InfoS("Image is pinned, skipping garbage collection", "imageID", image)
+			logger.V(5).Info("Image is pinned, skipping garbage collection", "imageID", image)
 			continue
 
 		}
@@ -576,6 +591,31 @@ func (im *realImageGCManager) imagesInEvictionOrder(ctx context.Context, freeTim
 	return images, nil
 }
 
+// formatSize returns a human-readable string for a given size in bytes.
+func formatSize(sizeBytes int64) string {
+	const (
+		KiB = 1024
+		MiB = 1024 * KiB
+		GiB = 1024 * MiB
+		TiB = 1024 * GiB
+	)
+
+	size := float64(sizeBytes)
+
+	switch {
+	case size < KiB:
+		return fmt.Sprintf("%d B", int64(size))
+	case size < MiB:
+		return fmt.Sprintf("%.1f KiB", size/KiB)
+	case size < GiB:
+		return fmt.Sprintf("%.1f MiB", size/MiB)
+	case size < TiB:
+		return fmt.Sprintf("%.1f GiB", size/GiB)
+	default:
+		return fmt.Sprintf("%.1f TiB", size/TiB)
+	}
+}
+
 // If RuntimeClassInImageCriAPI feature gate is enabled, imageRecords
 // are identified by a tuple of (imageId,runtimeHandler) that is passed
 // from ListImages() call. If no runtimehandler is specified in response
diff --git a/pkg/kubelet/images/image_gc_manager_test.go b/pkg/kubelet/images/image_gc_manager_test.go
index 332c12cb02670..65095ccfa04d5 100644
--- a/pkg/kubelet/images/image_gc_manager_test.go
+++ b/pkg/kubelet/images/image_gc_manager_test.go
@@ -37,6 +37,7 @@ import (
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	stats "k8s.io/kubernetes/pkg/kubelet/server/stats"
 	statstest "k8s.io/kubernetes/pkg/kubelet/server/stats/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	testingclock "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"
 )
@@ -125,7 +126,7 @@ func makeContainer(id int) *container.Container {
 }
 
 func TestDetectImagesInitialDetect(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -173,7 +174,7 @@ func TestDetectImagesInitialDetect(t *testing.T) {
 func TestDetectImagesInitialDetectWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RuntimeClassInImageCriAPI, true)
 	testRuntimeHandler := "test-runtimeHandler"
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -227,7 +228,7 @@ func TestDetectImagesInitialDetectWithRuntimeHandlerInImageCriAPIFeatureGate(t *
 }
 
 func TestDetectImagesWithNewImage(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	// Just one image initially.
@@ -279,7 +280,7 @@ func TestDetectImagesWithNewImage(t *testing.T) {
 }
 
 func TestDeleteUnusedImagesExemptSandboxImage(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -298,7 +299,7 @@ func TestDeleteUnusedImagesExemptSandboxImage(t *testing.T) {
 }
 
 func TestDeletePinnedImage(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -321,7 +322,7 @@ func TestDeletePinnedImage(t *testing.T) {
 }
 
 func TestDoNotDeletePinnedImage(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -342,7 +343,7 @@ func TestDoNotDeletePinnedImage(t *testing.T) {
 }
 
 func TestDeleteUnPinnedImage(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -363,7 +364,7 @@ func TestDeleteUnPinnedImage(t *testing.T) {
 }
 
 func TestAllPinnedImages(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -385,7 +386,7 @@ func TestAllPinnedImages(t *testing.T) {
 }
 
 func TestDetectImagesContainerStopped(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -424,7 +425,7 @@ func TestDetectImagesContainerStopped(t *testing.T) {
 }
 
 func TestDetectImagesWithRemovedImages(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -453,7 +454,7 @@ func TestDetectImagesWithRemovedImages(t *testing.T) {
 }
 
 func TestFreeSpaceImagesInUseContainersAreIgnored(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -474,7 +475,7 @@ func TestFreeSpaceImagesInUseContainersAreIgnored(t *testing.T) {
 }
 
 func TestDeleteUnusedImagesRemoveAllUnusedImages(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -498,7 +499,7 @@ func TestDeleteUnusedImagesRemoveAllUnusedImages(t *testing.T) {
 }
 
 func TestDeleteUnusedImagesLimitByImageLiveTime(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{
@@ -517,7 +518,7 @@ func TestDeleteUnusedImagesLimitByImageLiveTime(t *testing.T) {
 		}},
 	}
 	// start to detect images
-	manager.Start()
+	manager.Start(ctx)
 	// try to delete images, but images are not old enough,so no image will be deleted
 	err := manager.DeleteUnusedImages(ctx)
 	assert := assert.New(t)
@@ -531,7 +532,7 @@ func TestDeleteUnusedImagesLimitByImageLiveTime(t *testing.T) {
 }
 
 func TestFreeSpaceRemoveByLeastRecentlyUsed(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -583,7 +584,7 @@ func TestFreeSpaceRemoveByLeastRecentlyUsed(t *testing.T) {
 }
 
 func TestFreeSpaceTiesBrokenByDetectedTime(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	mockStatsProvider := statstest.NewMockProvider(t)
 
 	manager, fakeRuntime := newRealImageGCManager(ImageGCPolicy{}, mockStatsProvider)
@@ -617,7 +618,7 @@ func TestFreeSpaceTiesBrokenByDetectedTime(t *testing.T) {
 }
 
 func TestGarbageCollectBelowLowThreshold(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
@@ -636,7 +637,7 @@ func TestGarbageCollectBelowLowThreshold(t *testing.T) {
 }
 
 func TestGarbageCollectCadvisorFailure(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
@@ -645,11 +646,11 @@ func TestGarbageCollectCadvisorFailure(t *testing.T) {
 	manager, _ := newRealImageGCManager(policy, mockStatsProvider)
 
 	mockStatsProvider.EXPECT().ImageFsStats(mock.Anything).Return(&statsapi.FsStats{}, &statsapi.FsStats{}, fmt.Errorf("error"))
-	assert.Error(t, manager.GarbageCollect(ctx, time.Now()))
+	require.Error(t, manager.GarbageCollect(ctx, time.Now()))
 }
 
 func TestGarbageCollectBelowSuccess(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
@@ -672,29 +673,55 @@ func TestGarbageCollectBelowSuccess(t *testing.T) {
 }
 
 func TestGarbageCollectNotEnoughFreed(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
 	}
 	mockStatsProvider := statstest.NewMockProvider(t)
-	manager, fakeRuntime := newRealImageGCManager(policy, mockStatsProvider)
+	fakeRuntime := &containertest.FakeRuntime{}
+	recorder := record.NewFakeRecorder(1)
+	manager := &realImageGCManager{
+		runtime:       fakeRuntime,
+		policy:        policy,
+		imageRecords:  make(map[string]*imageRecord),
+		statsProvider: mockStatsProvider,
+		recorder:      recorder,
+		tracer:        noopoteltrace.NewTracerProvider().Tracer(""),
+	}
 
-	// Expect 95% usage and little of it gets freed.
+	// Initial state: 95% usage, of which 5% is garbage images.
+	capacity := uint64(10 * 1024 * 1024 * 1024)
+	available := capacity / 20 // 5% available, 95% usage
 	imageFs := &statsapi.FsStats{
-		AvailableBytes: ptr.To(uint64(50)),
-		CapacityBytes:  ptr.To(uint64(1000)),
+		AvailableBytes: ptr.To(available),
+		CapacityBytes:  ptr.To(capacity),
 	}
 	mockStatsProvider.EXPECT().ImageFsStats(mock.Anything).Return(imageFs, imageFs, nil)
+	// This image is unused and eligible for deletion.
+	// Its size is less than the required amount to free.
+	imageSize := int64(500 * 1024 * 1024) // 500 MiB
 	fakeRuntime.ImageList = []container.Image{
-		makeImage(0, 50),
+		makeImage(0, imageSize),
 	}
 
-	assert.Error(t, manager.GarbageCollect(ctx, time.Now()))
+	err := manager.GarbageCollect(ctx, time.Now())
+	require.Error(t, err)
+
+	// Check that a warning event was sent
+	expectedEvent := "Warning FreeDiskSpaceFailed Insufficient free disk space on the node's image filesystem" +
+		" (95% of 10.0 GiB used). Failed to free sufficient space by deleting unused images (freed 524288000 bytes)." +
+		" Investigate disk usage, as it could be used by active images, logs, volumes, or other data."
+	select {
+	case event := <-recorder.Events:
+		assert.Equal(t, expectedEvent, event)
+	default:
+		t.Errorf("expected a 'FreeDiskSpaceFailed' event")
+	}
 }
 
 func TestGarbageCollectImageNotOldEnough(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
@@ -747,7 +774,7 @@ func getImagesAndFreeSpace(ctx context.Context, t *testing.T, assert *assert.Ass
 }
 
 func TestGarbageCollectImageTooOld(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
@@ -802,7 +829,7 @@ func TestGarbageCollectImageTooOld(t *testing.T) {
 }
 
 func TestGarbageCollectImageMaxAgeDisabled(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	policy := ImageGCPolicy{
 		HighThresholdPercent: 90,
 		LowThresholdPercent:  80,
diff --git a/pkg/kubelet/images/image_manager.go b/pkg/kubelet/images/image_manager.go
index f52297c3ec656..1093359ecc1b8 100644
--- a/pkg/kubelet/images/image_manager.go
+++ b/pkg/kubelet/images/image_manager.go
@@ -42,8 +42,13 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/images/pullmanager"
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/util/parsers"
+	"k8s.io/utils/ptr"
 )
 
+func init() {
+	registerMetrics()
+}
+
 type ImagePodPullingTimeRecorder interface {
 	RecordImageStartedPulling(podUID types.UID)
 	RecordImageFinishedPulling(podUID types.UID)
@@ -101,25 +106,33 @@ func NewImageManager(
 
 // imagePullPrecheck inspects the pull policy and checks for image presence accordingly,
 // returning (imageRef, error msg, err) and logging any errors.
-func (m *imageManager) imagePullPrecheck(ctx context.Context, objRef *v1.ObjectReference, logPrefix string, pullPolicy v1.PullPolicy, spec *kubecontainer.ImageSpec, requestedImage string) (imageRef string, msg string, err error) {
+func (m *imageManager) imagePullPrecheck(
+	ctx context.Context,
+	objRef *v1.ObjectReference,
+	logPrefix string,
+	pullPolicy v1.PullPolicy,
+	spec *kubecontainer.ImageSpec,
+	requestedImage string,
+) (imageRef string, imageFound *bool, msg string, err error) {
 	switch pullPolicy {
 	case v1.PullAlways:
-		return "", msg, nil
+		return "", nil, msg, nil
 	case v1.PullIfNotPresent, v1.PullNever:
 		imageRef, err = m.imageService.GetImageRef(ctx, *spec)
 		if err != nil {
 			msg = fmt.Sprintf("Failed to inspect image %q: %v", imageRef, err)
 			m.logIt(objRef, v1.EventTypeWarning, events.FailedToInspectImage, logPrefix, msg, klog.Warning)
-			return "", msg, ErrImageInspect
+			return "", nil, msg, ErrImageInspect
 		}
 	}
 
-	if len(imageRef) == 0 && pullPolicy == v1.PullNever {
+	imageFound = ptr.To(len(imageRef) > 0)
+	if !*imageFound && pullPolicy == v1.PullNever {
 		msg, err = m.imageNotPresentOnNeverPolicyError(logPrefix, objRef, requestedImage)
-		return "", msg, err
+		return "", ptr.To(false), msg, err
 	}
 
-	return imageRef, msg, nil
+	return imageRef, imageFound, msg, nil
 }
 
 // records an event using ref, event msg.  log to glog using prefix, msg, logFn
@@ -151,6 +164,14 @@ func (m *imageManager) imageNotPresentOnNeverPolicyError(logPrefix string, objRe
 func (m *imageManager) EnsureImageExists(ctx context.Context, objRef *v1.ObjectReference, pod *v1.Pod, requestedImage string, pullSecrets []v1.Secret, podSandboxConfig *runtimeapi.PodSandboxConfig, podRuntimeHandler string, pullPolicy v1.PullPolicy) (imageRef, message string, err error) {
 	logPrefix := fmt.Sprintf("%s/%s/%s", pod.Namespace, pod.Name, requestedImage)
 
+	var ( // variables used to record metrics
+		imagePresentLocally *bool
+		imagePullRequired   *bool
+	)
+	defer func() {
+		recordEnsureImageRequest(pullPolicy, imagePresentLocally, imagePullRequired)
+	}()
+
 	// If the image contains no tag or digest, a default tag should be applied.
 	image, err := applyDefaultImageTag(requestedImage)
 	if err != nil {
@@ -173,46 +194,20 @@ func (m *imageManager) EnsureImageExists(ctx context.Context, objRef *v1.ObjectR
 		RuntimeHandler: podRuntimeHandler,
 	}
 
-	imageRef, message, err = m.imagePullPrecheck(ctx, objRef, logPrefix, pullPolicy, &spec, requestedImage)
+	imageRef, imagePresentLocally, message, err = m.imagePullPrecheck(ctx, objRef, logPrefix, pullPolicy, &spec, requestedImage)
 	if err != nil {
 		return "", message, err
 	}
 
-	if imageRef != "" && !utilfeature.DefaultFeatureGate.Enabled(features.KubeletEnsureSecretPulledImages) {
-		msg := fmt.Sprintf("Container image %q already present on machine", requestedImage)
-		m.logIt(objRef, v1.EventTypeNormal, events.PulledImage, logPrefix, msg, klog.Info)
-		return imageRef, msg, nil
-	}
-
-	repoToPull, _, _, err := parsers.ParseImageName(spec.Image)
-	if err != nil {
-		return "", err.Error(), err
-	}
-
-	// construct the dynamic keyring using the providers we have in the kubelet
-	var podName, podNamespace, podUID string
-	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletServiceAccountTokenForCredentialProviders) {
-		sandboxMetadata := podSandboxConfig.GetMetadata()
-
-		podName = sandboxMetadata.Name
-		podNamespace = sandboxMetadata.Namespace
-		podUID = sandboxMetadata.Uid
-	}
-
-	externalCredentialProviderKeyring := credentialproviderplugin.NewExternalCredentialProviderDockerKeyring(
-		podNamespace,
-		podName,
-		podUID,
-		pod.Spec.ServiceAccountName)
-
-	keyring, err := credentialprovidersecrets.MakeDockerKeyring(pullSecrets, credentialprovider.UnionDockerKeyring{m.nodeKeyring, externalCredentialProviderKeyring})
-	if err != nil {
-		return "", err.Error(), err
-	}
+	// wrap the lookup in a function to ensure that we only look up credentials once and no earlier than needed
+	lookupPullCredentials := m.makeLookupPullCredentialsFunc(spec.Image, pod, pullSecrets, podSandboxConfig)
 
-	pullCredentials, _ := keyring.Lookup(repoToPull)
+	getPodCredentials := func() ([]kubeletconfiginternal.ImagePullSecret, *kubeletconfiginternal.ImagePullServiceAccount, error) {
+		pullCredentials, err := lookupPullCredentials()
+		if err != nil {
+			return nil, nil, err
+		}
 
-	if imageRef != "" {
 		var imagePullSecrets []kubeletconfiginternal.ImagePullSecret
 		// we don't take the audience of the service account into account, so there can only
 		// be one imagePullServiceAccount per pod when we try to make a decision.
@@ -239,13 +234,37 @@ func (m *imageManager) EnsureImageExists(ctx context.Context, objRef *v1.ObjectR
 			}
 		}
 
-		pullRequired := m.imagePullManager.MustAttemptImagePull(requestedImage, imageRef, imagePullSecrets, imagePullServiceAccount)
-		if !pullRequired {
+		return imagePullSecrets, imagePullServiceAccount, nil
+	}
+
+	if imageRef != "" {
+		imagePullRequired = ptr.To(false) // should be overridden right after this if-block in case pull was required
+
+		if !utilfeature.DefaultFeatureGate.Enabled(features.KubeletEnsureSecretPulledImages) {
+			msg := fmt.Sprintf("Container image %q already present on machine", requestedImage)
+			m.logIt(objRef, v1.EventTypeNormal, events.PulledImage, logPrefix, msg, klog.Info)
+
+			// we need to stop recording if it is still in progress, as the image
+			// has already been pulled by another pod.
+			m.podPullingTimeRecorder.RecordImageFinishedPulling(pod.UID)
+
+			return imageRef, msg, nil
+		}
+		if pullRequired, err := m.imagePullManager.MustAttemptImagePull(ctx, requestedImage, imageRef, getPodCredentials); err != nil {
+			imagePullRequired = nil
+			return "", err.Error(), err
+		} else if !pullRequired {
 			msg := fmt.Sprintf("Container image %q already present on machine and can be accessed by the pod", requestedImage)
 			m.logIt(objRef, v1.EventTypeNormal, events.PulledImage, logPrefix, msg, klog.Info)
+
+			// we need to stop recording if it is still in progress, as the image
+			// has already been pulled by another pod.
+			m.podPullingTimeRecorder.RecordImageFinishedPulling(pod.UID)
+
 			return imageRef, msg, nil
 		}
 	}
+	imagePullRequired = ptr.To(true)
 
 	if pullPolicy == v1.PullNever {
 		// The image is present as confirmed by imagePullPrecheck but it apparently
@@ -254,9 +273,47 @@ func (m *imageManager) EnsureImageExists(ctx context.Context, objRef *v1.ObjectR
 		return "", msg, err
 	}
 
+	pullCredentials, err := lookupPullCredentials()
+	if err != nil {
+		return "", err.Error(), err
+	}
+
 	return m.pullImage(ctx, logPrefix, objRef, pod.UID, requestedImage, spec, pullCredentials, podSandboxConfig)
 }
 
+func (m *imageManager) makeLookupPullCredentialsFunc(image string, pod *v1.Pod, pullSecrets []v1.Secret, podSandboxConfig *runtimeapi.PodSandboxConfig) func() ([]credentialprovider.TrackedAuthConfig, error) {
+	return sync.OnceValues(func() ([]credentialprovider.TrackedAuthConfig, error) {
+		repoToPull, _, _, err := parsers.ParseImageName(image)
+		if err != nil {
+			return nil, err
+		}
+
+		// construct the dynamic keyring using the providers we have in the kubelet
+		var podName, podNamespace, podUID string
+		if utilfeature.DefaultFeatureGate.Enabled(features.KubeletServiceAccountTokenForCredentialProviders) {
+			sandboxMetadata := podSandboxConfig.GetMetadata()
+
+			podName = sandboxMetadata.Name
+			podNamespace = sandboxMetadata.Namespace
+			podUID = sandboxMetadata.Uid
+		}
+
+		externalCredentialProviderKeyring := credentialproviderplugin.NewExternalCredentialProviderDockerKeyring(
+			podNamespace,
+			podName,
+			podUID,
+			pod.Spec.ServiceAccountName)
+
+		keyring, err := credentialprovidersecrets.MakeDockerKeyring(pullSecrets, credentialprovider.UnionDockerKeyring{m.nodeKeyring, externalCredentialProviderKeyring})
+		if err != nil {
+			return nil, err
+		}
+
+		pullCredentials, _ := keyring.Lookup(repoToPull)
+		return pullCredentials, nil
+	})
+}
+
 func (m *imageManager) pullImage(ctx context.Context, logPrefix string, objRef *v1.ObjectReference, podUID types.UID, image string, imgSpec kubecontainer.ImageSpec, pullCredentials []credentialprovider.TrackedAuthConfig, podSandboxConfig *runtimeapi.PodSandboxConfig) (imageRef, message string, err error) {
 	var pullSucceeded bool
 	var finalPullCredentials *credentialprovider.TrackedAuthConfig
@@ -268,9 +325,9 @@ func (m *imageManager) pullImage(ctx context.Context, logPrefix string, objRef *
 
 		defer func() {
 			if pullSucceeded {
-				m.imagePullManager.RecordImagePulled(image, imageRef, trackedToImagePullCreds(finalPullCredentials))
+				m.imagePullManager.RecordImagePulled(ctx, image, imageRef, trackedToImagePullCreds(finalPullCredentials))
 			} else {
-				m.imagePullManager.RecordImagePullFailed(image)
+				m.imagePullManager.RecordImagePullFailed(ctx, image)
 			}
 		}()
 	}
diff --git a/pkg/kubelet/images/image_manager_test.go b/pkg/kubelet/images/image_manager_test.go
index 1f98d734a72e9..555b58448d9d1 100644
--- a/pkg/kubelet/images/image_manager_test.go
+++ b/pkg/kubelet/images/image_manager_test.go
@@ -61,19 +61,20 @@ type pullerExpects struct {
 }
 
 type pullerTestCase struct {
-	testName            string
-	containerImage      string
-	policy              v1.PullPolicy
-	pullSecrets         []v1.Secret
-	allowedCredentials  *mockImagePullManagerConfig                       // controls what the image pull manager considers "allowed"
-	serviceAccountName  string                                            // for testing service account coordinates
-	registryCredentials map[string][]credentialprovider.TrackedAuthConfig // image -> registry credentials (obtained from credential providers using SA tokens)
-	inspectErr          error
-	pullerErr           error
-	qps                 float32
-	burst               int
-	expected            []pullerExpects
-	enableFeatures      []featuregate.Feature
+	testName                   string
+	containerImage             string
+	policy                     v1.PullPolicy
+	pullSecrets                []v1.Secret
+	allowedCredentials         *mockImagePullManagerConfig                       // controls what the image pull manager considers "allowed"
+	serviceAccountName         string                                            // for testing service account coordinates
+	registryCredentials        map[string][]credentialprovider.TrackedAuthConfig // image -> registry credentials (obtained from credential providers using SA tokens)
+	inspectErr                 error
+	pullerErr                  error
+	qps                        float32
+	burst                      int
+	expected                   []pullerExpects
+	expectedEnsureImageMetrics string
+	enableFeatures             []featuregate.Feature
 }
 
 // mockImagePullManagerConfig configures what credentials the mock pull manager considers "allowed"
@@ -108,7 +109,9 @@ func noFGPullerTestCases() []pullerTestCase {
 						{Reason: "Pulling"},
 						{Reason: "Pulled"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "false", "true"),
+		},
 
 		{ // image present, don't pull
 			testName:       "image present, allow all, don't pull ",
@@ -131,10 +134,12 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "Pulled"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "false"),
+		},
 		// image present, pull it
 		{containerImage: "present_image",
-			testName:   "image present, pull ",
+			testName:   "image present, pull",
 			policy:     v1.PullAlways,
 			inspectErr: nil,
 			pullerErr:  nil,
@@ -156,7 +161,9 @@ func noFGPullerTestCases() []pullerTestCase {
 						{Reason: "Pulling"},
 						{Reason: "Pulled"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "true"),
+		},
 		// missing image, error PullNever
 		{containerImage: "missing_image",
 			testName:   "image missing, never pull",
@@ -178,10 +185,12 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "ErrImageNeverPull"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("never", "false", "unknown"),
+		},
 		// missing image, unable to inspect
 		{containerImage: "missing_image",
-			testName:   "image missing, pull if not present",
+			testName:   "image missing, pull if not present, fail on image inspect",
 			policy:     v1.PullIfNotPresent,
 			inspectErr: errors.New("unknown inspectError"),
 			pullerErr:  nil,
@@ -200,7 +209,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "InspectFailed"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "unknown", "unknown"),
+		},
 		// missing image, unable to fetch
 		{containerImage: "typo_image",
 			testName:   "image missing, unable to fetch",
@@ -237,7 +248,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "BackOff"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "false", "true"),
+		},
 		// image present, non-zero qps, try to pull
 		{containerImage: "present_image",
 			testName:   "image present and qps>0, pull",
@@ -262,7 +275,9 @@ func noFGPullerTestCases() []pullerTestCase {
 						{Reason: "Pulling"},
 						{Reason: "Pulled"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "true"),
+		},
 		// image present, non-zero qps, try to pull when qps exceeded
 		{containerImage: "present_image",
 			testName:   "image present and excessive qps rate, pull",
@@ -286,7 +301,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "BackOff"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "true"),
+		},
 		// error case if image name fails validation due to invalid reference format
 		{containerImage: "FAILED_IMAGE",
 			testName:   "invalid image name, no pull",
@@ -300,7 +317,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "InspectFailed"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "unknown"),
+		},
 		// error case if image name contains http
 		{containerImage: "http://url",
 			testName:   "invalid image name with http, no pull",
@@ -314,7 +333,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "InspectFailed"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "unknown"),
+		},
 		// error case if image name contains sha256
 		{containerImage: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
 			testName:   "invalid image name with sha256, no pull",
@@ -328,7 +349,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "InspectFailed"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("always", "unknown", "unknown"),
+		},
 		{containerImage: "typo_image",
 			testName:   "image missing, SignatureValidationFailed",
 			policy:     v1.PullIfNotPresent,
@@ -360,7 +383,9 @@ func noFGPullerTestCases() []pullerTestCase {
 					[]v1.Event{
 						{Reason: "BackOff"},
 					}, "Back-off pulling image \"typo_image\": SignatureValidationFailed: image pull failed for typo_image because the signature validation failed"},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "false", "true"),
+		},
 	}
 }
 
@@ -401,7 +426,9 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulling"},
 						{Reason: "Pulled"},
 					}, ""},
-			}},
+			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "true"),
+		},
 		{
 			testName:       "[KubeletEnsureSecretPulledImages] image present, unknown secret to image pull manager, pull",
 			containerImage: "present_image",
@@ -435,6 +462,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "true"),
 		},
 		{
 			testName:       "[KubeletEnsureSecretPulledImages] image present, unknown secret to image pull manager, never pull policy -> fail",
@@ -466,6 +494,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "ErrImageNeverPull"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("never", "true", "true"),
 		},
 		{
 			testName:       "[KubeletEnsureSecretPulledImages] image present, a secret matches one of known to the image pull manager, don't pull",
@@ -500,6 +529,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "false"),
 		},
 		{
 			testName:           "[KubeletEnsureSecretPulledImages] image present, service account credentials available, don't pull",
@@ -535,6 +565,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "false"),
 		},
 		{
 			testName:           "[KubeletEnsureSecretPulledImages] image present, service account allowed by pull manager, don't pull",
@@ -580,6 +611,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "false"),
 		},
 		{
 			testName:           "[KubeletEnsureSecretPulledImages] image present, mixed credentials (secrets + service accounts), pull required",
@@ -623,6 +655,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "true"),
 		},
 		{
 			testName:       "[KubeletEnsureSecretPulledImages] image present, only node credentials (no source), proceed without tracking",
@@ -651,6 +684,7 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 						{Reason: "Pulled"},
 					}, ""},
 			},
+			expectedEnsureImageMetrics: ensureExistsMetricForLabels("ifnotpresent", "true", "false"),
 		},
 	}
 
@@ -665,27 +699,33 @@ func ensureSecretImagesTestCases() []pullerTestCase {
 
 type mockPodPullingTimeRecorder struct {
 	sync.Mutex
-	startedPullingRecorded  bool
-	finishedPullingRecorded bool
+	startedPullingRecorded  map[types.UID]bool
+	finishedPullingRecorded map[types.UID]bool
 }
 
 func (m *mockPodPullingTimeRecorder) RecordImageStartedPulling(podUID types.UID) {
 	m.Lock()
 	defer m.Unlock()
-	m.startedPullingRecorded = true
+
+	if !m.startedPullingRecorded[podUID] {
+		m.startedPullingRecorded[podUID] = true
+	}
 }
 
 func (m *mockPodPullingTimeRecorder) RecordImageFinishedPulling(podUID types.UID) {
 	m.Lock()
 	defer m.Unlock()
-	m.finishedPullingRecorded = true
+
+	if m.startedPullingRecorded[podUID] {
+		m.finishedPullingRecorded[podUID] = true
+	}
 }
 
 func (m *mockPodPullingTimeRecorder) reset() {
 	m.Lock()
 	defer m.Unlock()
-	m.startedPullingRecorded = false
-	m.finishedPullingRecorded = false
+	clear(m.startedPullingRecorded)
+	clear(m.finishedPullingRecorded)
 }
 
 type mockImagePullManager struct {
@@ -694,9 +734,14 @@ type mockImagePullManager struct {
 	config *mockImagePullManagerConfig
 }
 
-func (m *mockImagePullManager) MustAttemptImagePull(image, _ string, podSecrets []kubeletconfiginternal.ImagePullSecret, podServiceAccount *kubeletconfiginternal.ImagePullServiceAccount) bool {
+func (m *mockImagePullManager) MustAttemptImagePull(ctx context.Context, image, _ string, getPodCredentials pullmanager.GetPodCredentials) (bool, error) {
 	if m.config == nil || m.config.allowAll {
-		return false
+		return false, nil
+	}
+
+	podSecrets, podServiceAccount, err := getPodCredentials()
+	if err != nil {
+		return true, err
 	}
 
 	// Check secrets
@@ -704,7 +749,7 @@ func (m *mockImagePullManager) MustAttemptImagePull(image, _ string, podSecrets
 		for _, s := range podSecrets {
 			for _, allowed := range allowedSecrets {
 				if s.Namespace == allowed.Namespace && s.Name == allowed.Name && s.UID == allowed.UID {
-					return false
+					return false, nil
 				}
 			}
 		}
@@ -714,12 +759,12 @@ func (m *mockImagePullManager) MustAttemptImagePull(image, _ string, podSecrets
 	if podServiceAccount != nil {
 		if allowedServiceAccounts, ok := m.config.allowedServiceAccounts[image]; ok {
 			if slices.Contains(allowedServiceAccounts, *podServiceAccount) {
-				return false
+				return false, nil
 			}
 		}
 	}
 
-	return true
+	return true, nil
 }
 
 // mockImagePullManagerWithTracking tracks calls to MustAttemptImagePull for service account testing
@@ -736,22 +781,28 @@ type mockImagePullManagerWithTracking struct {
 	recordedCredentials *kubeletconfiginternal.ImagePullCredentials
 }
 
-func (m *mockImagePullManagerWithTracking) MustAttemptImagePull(image, imageRef string, podSecrets []kubeletconfiginternal.ImagePullSecret, podServiceAccount *kubeletconfiginternal.ImagePullServiceAccount) bool {
+func (m *mockImagePullManagerWithTracking) MustAttemptImagePull(ctx context.Context, image, imageRef string, getPodCredentials pullmanager.GetPodCredentials) (bool, error) {
 	m.mustAttemptCalled = true
 	m.lastImage = image
 	m.lastImageRef = imageRef
+
+	podSecrets, podServiceAccount, err := getPodCredentials()
+	if err != nil {
+		return true, err
+	}
+
 	m.lastSecrets = podSecrets
 	if podServiceAccount != nil {
 		m.lastServiceAccounts = []kubeletconfiginternal.ImagePullServiceAccount{*podServiceAccount}
 	}
 
 	if m.allowAll {
-		return false
+		return false, nil
 	}
-	return m.mustAttemptReturn
+	return m.mustAttemptReturn, nil
 }
 
-func (m *mockImagePullManagerWithTracking) RecordImagePulled(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) {
+func (m *mockImagePullManagerWithTracking) RecordImagePulled(ctx context.Context, image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) {
 	m.recordedCredentials = credentials
 }
 
@@ -799,7 +850,10 @@ func pullerTestEnv(
 	fakeRuntime.Err = c.pullerErr
 	fakeRuntime.InspectErr = c.inspectErr
 
-	fakePodPullingTimeRecorder = &mockPodPullingTimeRecorder{}
+	fakePodPullingTimeRecorder = &mockPodPullingTimeRecorder{
+		startedPullingRecorded:  make(map[types.UID]bool),
+		finishedPullingRecorded: make(map[types.UID]bool),
+	}
 
 	pullManager := &mockImagePullManager{
 		config: c.allowedCredentials,
@@ -834,7 +888,7 @@ func TestParallelPuller(t *testing.T) {
 	useSerializedEnv := false
 	for _, c := range cases {
 		t.Run(c.testName, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			puller, fakeClock, fakeRuntime, container, fakePodPullingTimeRecorder, _ := pullerTestEnv(t, c, useSerializedEnv, nil)
 
 			pod := &v1.Pod{
@@ -865,8 +919,8 @@ func TestParallelPuller(t *testing.T) {
 				_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
 				fakeRuntime.AssertCalls(expected.calls)
 				assert.Equal(t, expected.err, err)
-				assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
-				assert.Equal(t, expected.shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded)
+				assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded[pod.UID])
+				assert.Equal(t, expected.shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded[pod.UID])
 				assert.Contains(t, msg, expected.msg)
 				fakePodPullingTimeRecorder.reset()
 			}
@@ -880,7 +934,7 @@ func TestSerializedPuller(t *testing.T) {
 	useSerializedEnv := true
 	for _, c := range cases {
 		t.Run(c.testName, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			puller, fakeClock, fakeRuntime, container, fakePodPullingTimeRecorder, _ := pullerTestEnv(t, c, useSerializedEnv, nil)
 
 			pod := &v1.Pod{
@@ -911,8 +965,8 @@ func TestSerializedPuller(t *testing.T) {
 				_, msg, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
 				fakeRuntime.AssertCalls(expected.calls)
 				assert.Equal(t, expected.err, err)
-				assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
-				assert.Equal(t, expected.shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded)
+				assert.Equal(t, expected.shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded[pod.UID])
+				assert.Equal(t, expected.shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded[pod.UID])
 				assert.Contains(t, msg, expected.msg)
 				fakePodPullingTimeRecorder.reset()
 			}
@@ -975,7 +1029,7 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) {
 
 	useSerializedEnv := true
 	t.Run(c.testName, func(t *testing.T) {
-		ctx := context.Background()
+		ctx := ktesting.Init(t)
 		puller, fakeClock, fakeRuntime, container, fakePodPullingTimeRecorder, _ := pullerTestEnv(t, c, useSerializedEnv, nil)
 		fakeRuntime.CalledFunctions = nil
 		fakeRuntime.ImageList = []Image{}
@@ -984,8 +1038,8 @@ func TestPullAndListImageWithPodAnnotations(t *testing.T) {
 		_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
 		fakeRuntime.AssertCalls(c.expected[0].calls)
 		assert.Equal(t, c.expected[0].err, err, "tick=%d", 0)
-		assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
-		assert.Equal(t, c.expected[0].shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded)
+		assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded[pod.UID])
+		assert.Equal(t, c.expected[0].shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded[pod.UID])
 
 		images, _ := fakeRuntime.ListImages(ctx)
 		assert.Len(t, images, 1, "ListImages() count")
@@ -1039,7 +1093,7 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T
 	useSerializedEnv := true
 	t.Run(c.testName, func(t *testing.T) {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.RuntimeClassInImageCriAPI, true)
-		ctx := context.Background()
+		ctx := ktesting.Init(t)
 		puller, fakeClock, fakeRuntime, container, fakePodPullingTimeRecorder, _ := pullerTestEnv(t, c, useSerializedEnv, nil)
 		fakeRuntime.CalledFunctions = nil
 		fakeRuntime.ImageList = []Image{}
@@ -1048,8 +1102,8 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T
 		_, _, err := puller.EnsureImageExists(ctx, nil, pod, container.Image, c.pullSecrets, podSandboxConfig, runtimeHandler, container.ImagePullPolicy)
 		fakeRuntime.AssertCalls(c.expected[0].calls)
 		assert.Equal(t, c.expected[0].err, err, "tick=%d", 0)
-		assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded)
-		assert.Equal(t, c.expected[0].shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded)
+		assert.Equal(t, c.expected[0].shouldRecordStartedPullingTime, fakePodPullingTimeRecorder.startedPullingRecorded[pod.UID])
+		assert.Equal(t, c.expected[0].shouldRecordFinishedPullingTime, fakePodPullingTimeRecorder.finishedPullingRecorded[pod.UID])
 
 		images, _ := fakeRuntime.ListImages(ctx)
 		assert.Len(t, images, 1, "ListImages() count")
@@ -1071,7 +1125,7 @@ func TestPullAndListImageWithRuntimeHandlerInImageCriAPIFeatureGate(t *testing.T
 }
 
 func TestMaxParallelImagePullsLimit(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "test_pod",
@@ -1143,6 +1197,108 @@ func TestMaxParallelImagePullsLimit(t *testing.T) {
 	fakeRuntime.AssertCallCounts("PullImage", 7)
 }
 
+func TestParallelPodPullingTimeRecorderWithErr(t *testing.T) {
+	ctx := context.Background()
+	pod1 := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "test_pod1",
+			Namespace:       "test-ns",
+			UID:             "bar1",
+			ResourceVersion: "42",
+		}}
+	pod1SandboxConfig := &runtimeapi.PodSandboxConfig{
+		Metadata: &runtimeapi.PodSandboxMetadata{
+			Name:      pod1.Name,
+			Namespace: pod1.Namespace,
+			Uid:       string(pod1.UID),
+		},
+	}
+
+	pod2 := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "test_pod2",
+			Namespace:       "test-ns",
+			UID:             "bar2",
+			ResourceVersion: "42",
+		}}
+	pod2SandboxConfig := &runtimeapi.PodSandboxConfig{
+		Metadata: &runtimeapi.PodSandboxMetadata{
+			Name:      pod2.Name,
+			Namespace: pod2.Namespace,
+			Uid:       string(pod2.UID),
+		},
+	}
+
+	pods := [2]*v1.Pod{pod1, pod2}
+	podSandboxes := [2]*runtimeapi.PodSandboxConfig{pod1SandboxConfig, pod2SandboxConfig}
+
+	testCase := &pullerTestCase{
+		containerImage: "missing_image",
+		testName:       "missing image, pull if not present",
+		policy:         v1.PullIfNotPresent,
+		inspectErr:     nil,
+		pullerErr:      nil,
+		qps:            0.0,
+		burst:          0,
+	}
+
+	useSerializedEnv := false
+	maxParallelImagePulls := 2
+	var wg sync.WaitGroup
+
+	puller, fakeClock, fakeRuntime, container, fakePodPullingTimeRecorder, _ := pullerTestEnv(t, *testCase, useSerializedEnv, ptr.To(int32(maxParallelImagePulls)))
+	fakeRuntime.BlockImagePulls = true
+	fakeRuntime.CalledFunctions = nil
+	fakeRuntime.T = t
+	fakeClock.Step(time.Second)
+
+	// First, each pod's puller calls EnsureImageExists
+	for i := 0; i < 2; i++ {
+		wg.Add(1)
+		go func(i int) {
+			_, _, _ = puller.EnsureImageExists(ctx, nil, pods[i], container.Image, testCase.pullSecrets, podSandboxes[i], "", container.ImagePullPolicy)
+			wg.Done()
+		}(i)
+	}
+	time.Sleep(1 * time.Second)
+
+	// Assert the number of PullImage calls is 2
+	fakeRuntime.AssertCallCounts("PullImage", 2)
+
+	// Recording for both of the pods should be started but not finished
+	assert.True(t, fakePodPullingTimeRecorder.startedPullingRecorded[pods[0].UID])
+	assert.True(t, fakePodPullingTimeRecorder.startedPullingRecorded[pods[1].UID])
+	assert.False(t, fakePodPullingTimeRecorder.finishedPullingRecorded[pods[0].UID])
+	assert.False(t, fakePodPullingTimeRecorder.finishedPullingRecorded[pods[1].UID])
+
+	// Unblock one of the pods to pull the image
+	fakeRuntime.UnblockImagePulls(1)
+	time.Sleep(1 * time.Second)
+
+	// Introduce a pull error for the second pod and unblock it
+	fakeRuntime.SendImagePullError(errors.New("pull image error"))
+
+	wg.Wait()
+
+	// This time EnsureImageExists will return without pulling
+	for i := 0; i < 2; i++ {
+		wg.Add(1)
+		go func(i int) {
+			_, _, err := puller.EnsureImageExists(ctx, nil, pods[i], container.Image, testCase.pullSecrets, podSandboxes[i], "", container.ImagePullPolicy)
+			assert.NoError(t, err)
+			wg.Done()
+		}(i)
+	}
+	wg.Wait()
+
+	// Assert the number of PullImage calls is still 2
+	fakeRuntime.AssertCallCounts("PullImage", 2)
+
+	// Both recorders should be finished
+	assert.True(t, fakePodPullingTimeRecorder.finishedPullingRecorded[pods[0].UID])
+	assert.True(t, fakePodPullingTimeRecorder.finishedPullingRecorded[pods[1].UID])
+}
+
 func TestEvalCRIPullErr(t *testing.T) {
 	t.Parallel()
 	for _, tc := range []struct {
@@ -1333,15 +1489,16 @@ func TestEnsureImageExistsWithServiceAccountCoordinates(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.enableEnsureSecretImages {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletEnsureSecretPulledImages, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletEnsureSecretPulledImages, tc.enableEnsureSecretImages)
 
 			ctx := context.Background()
 			fakeClock := testingclock.NewFakeClock(time.Now())
 			fakeRuntime := &ctest.FakeRuntime{T: t}
 			fakeRecorder := testutil.NewFakeRecorder()
-			fakePodPullingTimeRecorder := &mockPodPullingTimeRecorder{}
+			fakePodPullingTimeRecorder := &mockPodPullingTimeRecorder{
+				startedPullingRecorded:  make(map[types.UID]bool),
+				finishedPullingRecorded: make(map[types.UID]bool),
+			}
 
 			fakeRuntime.ImageList = []Image{{ID: "present_image:latest"}}
 
@@ -1429,7 +1586,10 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) {
 	fakeClock := testingclock.NewFakeClock(time.Now())
 	fakeRuntime := &ctest.FakeRuntime{T: t}
 	fakeRecorder := testutil.NewFakeRecorder()
-	fakePodPullingTimeRecorder := &mockPodPullingTimeRecorder{}
+	fakePodPullingTimeRecorder := &mockPodPullingTimeRecorder{
+		startedPullingRecorded:  make(map[types.UID]bool),
+		finishedPullingRecorded: make(map[types.UID]bool),
+	}
 
 	fakeRuntime.ImageList = []Image{{ID: "present_image:latest"}}
 
@@ -1477,3 +1637,16 @@ func TestEnsureImageExistsWithNodeCredentialsOnly(t *testing.T) {
 	// Image should not be pulled since it's present and accessible
 	fakeRuntime.AssertCalls([]string{"GetImageRef"})
 }
+
+func ensureExistsMetricForLabels(pullPolicy, imagePresentLocally, pullRequired string) string {
+	const desc = `
+# HELP kubelet_image_manager_ensure_image_requests_total [ALPHA] Number of ensure-image requests processed by the kubelet.
+# TYPE kubelet_image_manager_ensure_image_requests_total counter
+`
+	return desc + fmt.Sprintf(
+		"kubelet_image_manager_ensure_image_requests_total{present_locally=\"%s\", pull_policy=\"%s\", pull_required=\"%s\"} 1\n",
+		imagePresentLocally,
+		pullPolicy,
+		pullRequired,
+	)
+}
diff --git a/pkg/kubelet/images/metrics.go b/pkg/kubelet/images/metrics.go
new file mode 100644
index 0000000000000..0a93f12bab1ef
--- /dev/null
+++ b/pkg/kubelet/images/metrics.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package images
+
+import (
+	"strconv"
+	"strings"
+	"sync"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+	kubeletmetrics "k8s.io/kubernetes/pkg/kubelet/metrics"
+)
+
+var (
+	ensureImageRequestsCounter = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      kubeletmetrics.KubeletSubsystem + "_" + "image_manager",
+			Name:           "ensure_image_requests_total",
+			Help:           "Number of ensure-image requests processed by the kubelet.",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"pull_policy", "present_locally", "pull_required"},
+	)
+)
+
+var once sync.Once
+
+func registerMetrics() {
+	once.Do(func() {
+		legacyregistry.MustRegister(ensureImageRequestsCounter)
+	})
+}
+
+func recordEnsureImageRequest(pullPolicy v1.PullPolicy, imagePresentLocally, imagePullRequired *bool) {
+	presentLocally := "unknown"
+	if imagePresentLocally != nil {
+		presentLocally = strconv.FormatBool(*imagePresentLocally)
+	}
+	pullRequired := "unknown"
+	if imagePullRequired != nil {
+		pullRequired = strconv.FormatBool(*imagePullRequired)
+	}
+
+	ensureImageRequestsCounter.WithLabelValues(
+		strings.ToLower(string(pullPolicy)),
+		presentLocally,
+		pullRequired,
+	).Inc()
+}
diff --git a/pkg/kubelet/images/metrics_test.go b/pkg/kubelet/images/metrics_test.go
new file mode 100644
index 0000000000000..8625dc0774c73
--- /dev/null
+++ b/pkg/kubelet/images/metrics_test.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package images
+
+import (
+	"strings"
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	legacyregistry "k8s.io/component-base/metrics/legacyregistry"
+	metricstestutil "k8s.io/component-base/metrics/testutil"
+	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+func TestEnsureImageRequestsMetrics(t *testing.T) {
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "test_pod",
+			Namespace:       "test-ns",
+			UID:             "bar",
+			ResourceVersion: "42",
+		}}
+
+	podSandboxConfig := &runtimeapi.PodSandboxConfig{
+		Metadata: &runtimeapi.PodSandboxMetadata{
+			Name:      pod.Name,
+			Namespace: pod.Namespace,
+			Uid:       string(pod.UID),
+		},
+	}
+
+	cases := pullerTestCases()
+
+	useSerializedEnv := true
+	for _, tt := range cases {
+		t.Run(tt.testName, func(t *testing.T) {
+			ctx := ktesting.Init(t)
+			puller, _, _, container, _, _ := pullerTestEnv(t, tt, useSerializedEnv, nil)
+
+			ensureImageRequestsCounter.Reset()
+			_, _, _ = puller.EnsureImageExists(ctx, &v1.ObjectReference{}, pod, container.Image, tt.pullSecrets, podSandboxConfig, "", container.ImagePullPolicy)
+			if err := metricstestutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(tt.expectedEnsureImageMetrics), "kubelet_image_manager_ensure_image_requests_total"); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/images/pullmanager/benchmarks_test.go b/pkg/kubelet/images/pullmanager/benchmarks_test.go
index 69c759b30a916..f9750779ba749 100644
--- a/pkg/kubelet/images/pullmanager/benchmarks_test.go
+++ b/pkg/kubelet/images/pullmanager/benchmarks_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/google/uuid"
 	"k8s.io/apimachinery/pkg/util/rand"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 type namedAccessor struct {
@@ -72,9 +73,12 @@ func directRecordReadFunc(expectHit bool) benchmarkedCheckFunc {
 
 func mustAttemptPullReadFunc(expectHit bool) benchmarkedCheckFunc {
 	return func(b *testing.B, pullManager PullManager, imgRef string) {
-		mustPull := pullManager.MustAttemptImagePull("test.repo/org/"+imgRef, imgRef, nil, nil)
-		if mustPull != !expectHit {
-			b.Fatalf("MustAttemptImagePull() expected %t, got %t", !expectHit, mustPull)
+		tCtx := ktesting.Init(b)
+		mustPull, err := pullManager.MustAttemptImagePull(tCtx, "test.repo/org/"+imgRef, imgRef, func() ([]kubeletconfig.ImagePullSecret, *kubeletconfig.ImagePullServiceAccount, error) {
+			return nil, nil, nil
+		})
+		if mustPull != !expectHit || err != nil {
+			b.Fatalf("no error expected (got %v); MustAttemptImagePull() expected %t, got %t", err, !expectHit, mustPull)
 		}
 	}
 }
@@ -93,7 +97,9 @@ func BenchmarkPullManagerWriteImagePullIntent(b *testing.B) {
 
 func BenchmarkPullManagerWriteIfNotChanged(b *testing.B) {
 	benchmarkAllPullAccessorsWrite(b, func(b *testing.B, pullManager PullManager, imgRef string) {
+		tCtx := ktesting.Init(b)
 		if err := pullManager.writePulledRecordIfChanged(
+			tCtx,
 			"test.repo/org/"+imgRef,
 			imgRef,
 			&kubeletconfig.ImagePullCredentials{NodePodsAccessible: true},
@@ -299,8 +305,16 @@ func setupInMemRecordsAccessor(t testing.TB, cacheSize int, authoritative bool)
 
 	fsAccessor := setupFSRecordsAccessor(t)
 	memcacheAccessor := NewCachedPullRecordsAccessor(fsAccessor, int32(cacheSize), int32(cacheSize), int32(runtime.NumCPU()))
-	memcacheAccessor.intents.authoritative.Store(authoritative)
-	memcacheAccessor.pulledRecords.authoritative.Store(authoritative)
+	gotMeteredAccessor, ok := memcacheAccessor.(*meteringRecordsAccessor)
+	if !ok {
+		t.Fatalf("the tested accessor must be a metered records accessor, got %T", memcacheAccessor)
+	}
+	inMemAccessor, ok := gotMeteredAccessor.sizeExposedPullRecordsAccessor.(*cachedPullRecordsAccessor)
+	if !ok {
+		t.Fatalf("the metered accessor's delegate is not an inMemAccesor: %T", gotMeteredAccessor.sizeExposedPullRecordsAccessor)
+	}
+	inMemAccessor.intents.authoritative.Store(authoritative)
+	inMemAccessor.pulledRecords.authoritative.Store(authoritative)
 
 	return memcacheAccessor
 }
diff --git a/pkg/kubelet/images/pullmanager/fs_pullrecords.go b/pkg/kubelet/images/pullmanager/fs_pullrecords.go
index 6dcee5f13c4e1..3e1a249430ca0 100644
--- a/pkg/kubelet/images/pullmanager/fs_pullrecords.go
+++ b/pkg/kubelet/images/pullmanager/fs_pullrecords.go
@@ -19,7 +19,9 @@ package pullmanager
 import (
 	"bytes"
 	"crypto/sha256"
+	"errors"
 	"fmt"
+	"io"
 	"io/fs"
 	"os"
 	"path/filepath"
@@ -27,10 +29,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/apimachinery/pkg/util/errors"
-	kubeletconfigv1alpha1 "k8s.io/kubelet/config/v1alpha1"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/klog/v2"
+	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
 	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
-	kubeletconfigvint1alpha1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1"
+	kubeletconfigint1alpha1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1alpha1"
+	kubeletconfigint1beta1 "k8s.io/kubernetes/pkg/kubelet/apis/config/v1beta1"
 )
 
 const (
@@ -38,6 +42,8 @@ const (
 	tmpFilesSuffix         = ".tmp"
 )
 
+var encodeVersion = kubeletconfigv1beta1.SchemeGroupVersion
+
 var _ PullRecordsAccessor = &fsPullRecordsAccessor{}
 
 // fsPullRecordsAccessor uses the filesystem to read/write ImagePullIntent/ImagePulledRecord
@@ -52,7 +58,7 @@ type fsPullRecordsAccessor struct {
 
 // NewFSPullRecordsAccessor returns an accessor for the ImagePullIntent/ImagePulledRecord
 // records with a filesystem as the backing database.
-func NewFSPullRecordsAccessor(kubeletDir string) (*fsPullRecordsAccessor, error) {
+func NewFSPullRecordsAccessor(kubeletDir string) (PullRecordsAccessor, error) {
 	kubeletConfigEncoder, kubeletConfigDecoder, err := createKubeletConfigSchemeEncoderDecoder()
 	if err != nil {
 		return nil, err
@@ -74,7 +80,44 @@ func NewFSPullRecordsAccessor(kubeletDir string) (*fsPullRecordsAccessor, error)
 		return nil, err
 	}
 
-	return accessor, nil
+	accessor.recordsVersionMigration()
+	return NewMeteringRecordsAccessor(accessor, fsPullIntentsSize, fsPulledRecordsSize), nil
+}
+
+func (f *fsPullRecordsAccessor) recordsVersionMigration() {
+	err := processDirFiles(f.pullingDir,
+		func(filePath string, fileContent []byte) error {
+			intent, isCurrentVersion, err := decodeIntent(f.decoder, fileContent)
+			if err != nil {
+				return fmt.Errorf("failed to decode ImagePullIntent from file %q: %w", filePath, err)
+			}
+			if !isCurrentVersion {
+				if err := f.WriteImagePullIntent(intent.Image); err != nil {
+					return fmt.Errorf("failed to migrate ImagePullIntent for image %q to the current version: %w", intent.Image, err)
+				}
+			}
+			return nil
+		})
+	if err != nil {
+		klog.ErrorS(err, "Error migrating image pull intents")
+	}
+	err = processDirFiles(f.pulledDir,
+		func(filePath string, fileContent []byte) error {
+			pullRecord, isCurrentVersion, err := decodePulledRecord(f.decoder, fileContent)
+			if err != nil {
+				return fmt.Errorf("failed to decode ImagePulledRecord from file %q: %w", filePath, err)
+			}
+			if !isCurrentVersion {
+				if err := f.WriteImagePulledRecord(pullRecord); err != nil {
+					return fmt.Errorf("failed to migrate ImagePulledRecord for image ref %q to the current version: %w", pullRecord.ImageRef, err)
+				}
+			}
+			return nil
+		})
+
+	if err != nil {
+		klog.ErrorS(err, "Error migrating image pulled records")
+	}
 }
 
 func (f *fsPullRecordsAccessor) WriteImagePullIntent(image string) error {
@@ -95,7 +138,7 @@ func (f *fsPullRecordsAccessor) ListImagePullIntents() ([]*kubeletconfiginternal
 	// walk the pulling directory for any pull intent records
 	err := processDirFiles(f.pullingDir,
 		func(filePath string, fileContent []byte) error {
-			intent, err := decodeIntent(f.decoder, fileContent)
+			intent, _, err := decodeIntent(f.decoder, fileContent)
 			if err != nil {
 				return fmt.Errorf("failed to deserialize content of file %q into ImagePullIntent: %w", filePath, err)
 			}
@@ -115,7 +158,7 @@ func (f *fsPullRecordsAccessor) ImagePullIntentExists(image string) (bool, error
 		return false, err
 	}
 
-	intent, err := decodeIntent(f.decoder, intentBytes)
+	intent, _, err := decodeIntent(f.decoder, intentBytes)
 	if err != nil {
 		return false, err
 	}
@@ -139,7 +182,7 @@ func (f *fsPullRecordsAccessor) GetImagePulledRecord(imageRef string) (*kubeletc
 		return nil, false, err
 	}
 
-	pulledRecord, err := decodePulledRecord(f.decoder, recordBytes)
+	pulledRecord, _, err := decodePulledRecord(f.decoder, recordBytes)
 	if err != nil {
 		return nil, true, err
 	}
@@ -153,7 +196,7 @@ func (f *fsPullRecordsAccessor) ListImagePulledRecords() ([]*kubeletconfigintern
 	var pullRecords []*kubeletconfiginternal.ImagePulledRecord
 	err := processDirFiles(f.pulledDir,
 		func(filePath string, fileContent []byte) error {
-			pullRecord, err := decodePulledRecord(f.decoder, fileContent)
+			pullRecord, _, err := decodePulledRecord(f.decoder, fileContent)
 			if err != nil {
 				return fmt.Errorf("failed to deserialize content of file %q into ImagePulledRecord: %w", filePath, err)
 			}
@@ -181,10 +224,66 @@ func (f *fsPullRecordsAccessor) DeleteImagePulledRecord(imageRef string) error {
 	return err
 }
 
+func (f *fsPullRecordsAccessor) intentsSize() (uint, error) {
+	intentsCount, err := countCacheFiles(f.pullingDir)
+	if err != nil {
+		return 0, err
+	}
+	return intentsCount, nil
+}
+
+func (f *fsPullRecordsAccessor) pulledRecordsSize() (uint, error) {
+	pulledRecordsCount, err := countCacheFiles(f.pulledDir)
+	if err != nil {
+		return 0, err
+	}
+	return pulledRecordsCount, nil
+}
+
+func countCacheFiles(dirName string) (uint, error) {
+	const readBatch = 20
+
+	var cacheFilesCount uint
+	dir, err := os.Open(dirName)
+	if err != nil {
+		return 0, fmt.Errorf("failed to open directory %q: %w", dirName, err)
+	}
+	// ignoring close error on a readonly open should be safe
+	defer func() { _ = dir.Close() }()
+
+	for {
+		entries, err := dir.ReadDir(readBatch)
+		for _, entry := range entries {
+			if !isValidCacheFile(entry) {
+				continue
+			}
+			cacheFilesCount++
+		}
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return 0, fmt.Errorf("failed to list all entries in directory %q: %w", dirName, err)
+		}
+	}
+	return cacheFilesCount, nil
+}
+
 func cacheFilename(image string) string {
 	return fmt.Sprintf("%s%x", cacheFilesSHA256Prefix, sha256.Sum256([]byte(image)))
 }
 
+// isValidCacheFile returns true if the info doesn't point to a directory and
+// the filename matches the expectation for a valid, non-temporary cache file.
+func isValidCacheFile(fileInfo os.DirEntry) bool {
+	if fileInfo.IsDir() {
+		return false
+	}
+
+	filename := fileInfo.Name()
+	return strings.HasPrefix(filename, cacheFilesSHA256Prefix) && !strings.HasSuffix(filename, tmpFilesSuffix)
+}
+
 // writeFile writes `content` to the file with name `filename` in directory `dir`.
 // It assures write atomicity by creating a temporary file first and only after
 // a successful write, it move the temp file in place of the target.
@@ -247,16 +346,27 @@ func processDirFiles(dirName string, fileAction func(filePath string, fileConten
 		walkErrors = append(walkErrors, err)
 	}
 
-	return errors.NewAggregate(walkErrors)
+	return utilerrors.NewAggregate(walkErrors)
 }
 
 // createKubeletCOnfigSchemeEncoderDecoder creates strict-encoding encoder and
 // decoder for the internal and alpha kubelet config APIs.
 func createKubeletConfigSchemeEncoderDecoder() (runtime.Encoder, runtime.Decoder, error) {
+	codecs, info, err := getKubeletConfigSerializerInfo()
+	if err != nil {
+		return nil, nil, err
+	}
+	return codecs.EncoderForVersion(info.Serializer, encodeVersion), codecs.UniversalDecoder(), nil
+}
+
+func getKubeletConfigSerializerInfo() (*serializer.CodecFactory, *runtime.SerializerInfo, error) {
 	const mediaType = runtime.ContentTypeJSON
 
 	scheme := runtime.NewScheme()
-	if err := kubeletconfigvint1alpha1.AddToScheme(scheme); err != nil {
+	if err := kubeletconfigint1beta1.AddToScheme(scheme); err != nil {
+		return nil, nil, err
+	}
+	if err := kubeletconfigint1alpha1.AddToScheme(scheme); err != nil {
 		return nil, nil, err
 	}
 	if err := kubeletconfiginternal.AddToScheme(scheme); err != nil {
@@ -270,33 +380,45 @@ func createKubeletConfigSchemeEncoderDecoder() (runtime.Encoder, runtime.Decoder
 	if !ok {
 		return nil, nil, fmt.Errorf("unable to locate encoder -- %q is not a supported media type", mediaType)
 	}
-	return codecs.EncoderForVersion(info.Serializer, kubeletconfigv1alpha1.SchemeGroupVersion), codecs.UniversalDecoder(), nil
+	return &codecs, &info, nil
 }
 
-func decodeIntent(d runtime.Decoder, objBytes []byte) (*kubeletconfiginternal.ImagePullIntent, error) {
-	obj, _, err := d.Decode(objBytes, nil, nil)
+// decodeIntent decodes the image pull intent and converts it to the internal API version.
+// The decoder must be aware of the schemas available for the kubelet config API.
+//
+// The returned object is an internal representation of the image pull intent and a bool
+// that indicates whether the image pull intent appears in the latest known version of the kubelet config API.
+func decodeIntent(d runtime.Decoder, objBytes []byte) (*kubeletconfiginternal.ImagePullIntent, bool, error) {
+	obj, gvk, err := d.Decode(objBytes, nil, nil)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 
 	intentObj, ok := obj.(*kubeletconfiginternal.ImagePullIntent)
 	if !ok {
-		return nil, fmt.Errorf("failed to convert object to *ImagePullIntent: %T", obj)
+		return nil, false, fmt.Errorf("failed to convert object to *ImagePullIntent: %T", obj)
 	}
 
-	return intentObj, nil
+	isLatestVersion := gvk.Version == encodeVersion.Version
+	return intentObj, isLatestVersion, nil
 }
 
-func decodePulledRecord(d runtime.Decoder, objBytes []byte) (*kubeletconfiginternal.ImagePulledRecord, error) {
-	obj, _, err := d.Decode(objBytes, nil, nil)
+// decodePulledRecord decodes the pulled record and converts it to the internal API version.
+// The decoder must be aware of the schemas available for the kubelet config API.
+//
+// The returned object is an internal representation of the pulled record and a bool
+// that indicates whether the record appears in the latest known version of the kubelet config API.
+func decodePulledRecord(d runtime.Decoder, objBytes []byte) (*kubeletconfiginternal.ImagePulledRecord, bool, error) {
+	obj, gvk, err := d.Decode(objBytes, nil, nil)
 	if err != nil {
-		return nil, err
+		return nil, false, err
 	}
 
 	pulledRecord, ok := obj.(*kubeletconfiginternal.ImagePulledRecord)
 	if !ok {
-		return nil, fmt.Errorf("failed to convert object to *ImagePulledRecord: %T", obj)
+		return nil, false, fmt.Errorf("failed to convert object to *ImagePulledRecord: %T", obj)
 	}
 
-	return pulledRecord, nil
+	isLatestVersion := gvk.Version == encodeVersion.Version
+	return pulledRecord, isLatestVersion, nil
 }
diff --git a/pkg/kubelet/images/pullmanager/fs_pullrecords_test.go b/pkg/kubelet/images/pullmanager/fs_pullrecords_test.go
new file mode 100644
index 0000000000000..ac7cb387d8ecb
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/fs_pullrecords_test.go
@@ -0,0 +1,201 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pullmanager
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestNewFSPullRecordsAccessor(t *testing.T) {
+	tests := []struct {
+		name            string
+		initRoot        bool
+		initIntents     []string
+		initPulled      []string
+		modIntent       func(string) string
+		modPulledRecord func(string) string
+		wantErr         bool // TODO: do I ever want an error?
+	}{
+		{
+			name:     "kubelet root dir does not exist",
+			initRoot: false,
+		},
+		{
+			name:     "kubelet root dir exists",
+			initRoot: true,
+		},
+		{
+			name:     "only alpha intents",
+			initRoot: true,
+			initIntents: []string{
+				"sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4",
+				"sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9",
+			},
+			modIntent: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+		},
+		{
+			name:     "alpha and beta intents mixed",
+			initRoot: true,
+			initIntents: []string{
+				"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56",
+				"sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4",
+				"sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11",
+				"sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9",
+			},
+			modIntent: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+		},
+		{
+			name:     "only beta intents",
+			initRoot: true,
+			initIntents: []string{
+				"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56",
+				"sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11",
+				"sha256-f24acc752be18b93b0504c86312bbaf482c9efb0c45e925bbccb0a591cebd7af",
+			},
+		},
+		{
+			name:     "only alpha pulled records",
+			initRoot: true,
+			initPulled: []string{
+				"sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2",
+				"sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405",
+			},
+			modPulledRecord: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+		},
+		{
+			name:     "alpha and beta pulled records mixed",
+			initRoot: true,
+			initPulled: []string{
+				"sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2",
+				"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd",
+				"sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405",
+				"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a",
+				"sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991",
+			},
+			modPulledRecord: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+		},
+		{
+			name:     "only beta pulled records",
+			initRoot: true,
+			initPulled: []string{
+				"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd",
+				"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a",
+				"sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991",
+			},
+		},
+		{
+			name:     "everything altogether",
+			initRoot: true,
+			initIntents: []string{
+				"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56",
+				"sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4",
+				"sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11",
+				"sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9",
+			},
+			modIntent: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+			initPulled: []string{
+				"sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2",
+				"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd",
+				"sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405",
+				"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a",
+				"sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991",
+			},
+			modPulledRecord: func(intent string) string {
+				return strings.Replace(intent, "kubelet.config.k8s.io/v1alpha1", "kubelet.config.k8s.io/v1beta1", 1)
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			kubeletDir := t.TempDir()
+			if !tt.initRoot {
+				kubeletDir = filepath.Join(kubeletDir, "does-not-exist", "level2dir")
+			}
+
+			intentsDir := filepath.Join(kubeletDir, "image_manager", "pulling")
+			pulledRecordsDir := filepath.Join(kubeletDir, "image_manager", "pulled")
+
+			expectedIntents := teeTestData(t, intentsDir, "pulling", tt.initIntents)
+			if tt.modIntent != nil {
+				for i := range expectedIntents {
+					expectedIntents[i] = tt.modIntent(expectedIntents[i])
+				}
+			}
+			pulledRecordBytes := teeTestData(t, pulledRecordsDir, "pulled", tt.initPulled)
+			if tt.modPulledRecord != nil {
+				for i := range pulledRecordBytes {
+					pulledRecordBytes[i] = tt.modPulledRecord(pulledRecordBytes[i])
+				}
+			}
+
+			_, err := NewFSPullRecordsAccessor(kubeletDir)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewFSPullRecordsAccessor() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			for _, dir := range []string{
+				"image_manager",
+				filepath.Join("image_manager", "pulling"),
+				filepath.Join("image_manager", "pulled"),
+			} {
+				if info, err := os.Stat(filepath.Join(kubeletDir, dir)); err != nil {
+					t.Errorf("error encountered accessing %q: %v", dir, err)
+				} else if !info.IsDir() {
+					t.Errorf("%q is not a directory", dir)
+				}
+			}
+
+			for intent, expectedContent := range expectedIntents {
+				filePath := filepath.Join(intentsDir, intent)
+				testFileContentMatch(t, filePath, expectedContent)
+			}
+
+			for pulled, expectedContent := range pulledRecordBytes {
+				filePath := filepath.Join(pulledRecordsDir, pulled)
+				testFileContentMatch(t, filePath, expectedContent)
+			}
+		})
+	}
+}
+
+func testFileContentMatch(t *testing.T, filePath string, expectedContent string) {
+	t.Helper()
+	fileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		t.Fatalf("failed to read file %q: %v", filePath, err)
+	}
+
+	if diff := cmp.Diff(expectedContent, string(fileContent)); diff != "" {
+		t.Errorf("file contents of %q do not match the expectation: %s", filePath, diff)
+	}
+}
diff --git a/pkg/kubelet/images/pullmanager/image_pull_manager.go b/pkg/kubelet/images/pullmanager/image_pull_manager.go
index 0cf489c39f0b2..98fe1b033870d 100644
--- a/pkg/kubelet/images/pullmanager/image_pull_manager.go
+++ b/pkg/kubelet/images/pullmanager/image_pull_manager.go
@@ -89,9 +89,10 @@ func (f *PullManager) RecordPullIntent(image string) error {
 	return nil
 }
 
-func (f *PullManager) RecordImagePulled(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) {
-	if err := f.writePulledRecordIfChanged(image, imageRef, credentials); err != nil {
-		klog.ErrorS(err, "failed to write image pulled record", "imageRef", imageRef)
+func (f *PullManager) RecordImagePulled(ctx context.Context, image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) {
+	logger := klog.FromContext(ctx)
+	if err := f.writePulledRecordIfChanged(ctx, image, imageRef, credentials); err != nil {
+		logger.Error(err, "failed to write image pulled record", "imageRef", imageRef)
 		return
 	}
 
@@ -100,7 +101,7 @@ func (f *PullManager) RecordImagePulled(image, imageRef string, credentials *kub
 	// This is done so that the successfully pulled image is still considered as pulled by the kubelet.
 	// The kubelet will attempt to turn the imagePullIntent into a pulled record again when
 	// it's restarted.
-	f.decrementImagePullIntent(image)
+	f.decrementImagePullIntent(ctx, image)
 }
 
 // writePulledRecordIfChanged writes an ImagePulledRecord into the f.pulledDir directory.
@@ -113,7 +114,8 @@ func (f *PullManager) RecordImagePulled(image, imageRef string, credentials *kub
 // unknown circumstances. We should record the image as tracked but no credentials
 // should be written in order to force credential verification when the image is
 // accessed the next time.
-func (f *PullManager) writePulledRecordIfChanged(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) error {
+func (f *PullManager) writePulledRecordIfChanged(ctx context.Context, image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials) error {
+	logger := klog.FromContext(ctx)
 	f.pulledAccessors.Lock(imageRef)
 	defer f.pulledAccessors.Unlock(imageRef)
 
@@ -124,7 +126,7 @@ func (f *PullManager) writePulledRecordIfChanged(image, imageRef string, credent
 
 	pulledRecord, _, err := f.recordsAccessor.GetImagePulledRecord(imageRef)
 	if err != nil {
-		klog.InfoS("failed to retrieve an ImagePulledRecord", "image", image, "err", err)
+		logger.Info("failed to retrieve an ImagePulledRecord", "image", image, "err", err)
 		pulledRecord = nil
 	}
 
@@ -154,20 +156,21 @@ func (f *PullManager) writePulledRecordIfChanged(image, imageRef string, credent
 	return f.recordsAccessor.WriteImagePulledRecord(pulledRecord)
 }
 
-func (f *PullManager) RecordImagePullFailed(image string) {
-	f.decrementImagePullIntent(image)
+func (f *PullManager) RecordImagePullFailed(ctx context.Context, image string) {
+	f.decrementImagePullIntent(ctx, image)
 }
 
 // decrementImagePullIntent decreses the number of how many times image pull
 // intent for a given `image` was requested, and removes the ImagePullIntent file
 // if the reference counter for the image reaches zero.
-func (f *PullManager) decrementImagePullIntent(image string) {
+func (f *PullManager) decrementImagePullIntent(ctx context.Context, image string) {
+	logger := klog.FromContext(ctx)
 	f.intentAccessors.Lock(image)
 	defer f.intentAccessors.Unlock(image)
 
 	if f.getIntentCounterForImage(image) <= 1 {
 		if err := f.recordsAccessor.DeleteImagePullIntent(image); err != nil {
-			klog.ErrorS(err, "failed to remove image pull intent", "image", image)
+			logger.Error(err, "failed to remove image pull intent", "image", image)
 			return
 		}
 		// only delete the intent counter once the file was deleted to be consistent
@@ -179,10 +182,19 @@ func (f *PullManager) decrementImagePullIntent(image string) {
 	f.decrementIntentCounterForImage(image)
 }
 
-func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []kubeletconfiginternal.ImagePullSecret, podServiceAccount *kubeletconfiginternal.ImagePullServiceAccount) bool {
+func (f *PullManager) MustAttemptImagePull(ctx context.Context, image, imageRef string, getPodCredentials GetPodCredentials) (bool, error) {
 	if len(imageRef) == 0 {
-		return true
+		return true, nil
 	}
+	logger := klog.FromContext(ctx)
+
+	var resultForMetrics mustAttemptImagePullResult
+	defer func() {
+		if len(resultForMetrics) == 0 {
+			resultForMetrics = checkResultError
+		}
+		recordMustAttemptImagePullResult(resultForMetrics)
+	}()
 
 	var imagePulledByKubelet bool
 	var pulledRecord *kubeletconfiginternal.ImagePulledRecord
@@ -224,37 +236,50 @@ func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []
 	}()
 
 	if err != nil {
-		klog.ErrorS(err, "Unable to access cache records about image pulls")
-		return true
+		resultForMetrics = checkResultError
+		logger.Error(err, "Unable to access cache records about image pulls")
+		return true, nil
 	}
 
 	if !f.imagePolicyEnforcer.RequireCredentialVerificationForImage(image, imagePulledByKubelet) {
-		return false
+		resultForMetrics = checkResultCredentialPolicyAllowed
+		return false, nil
 	}
 
 	if pulledRecord == nil {
 		// we have no proper records of the image being pulled in the past, we can short-circuit here
-		return true
+		resultForMetrics = checkResultMustAuthenticate
+		return true, nil
 	}
 
 	sanitizedImage, err := trimImageTagDigest(image)
 	if err != nil {
-		klog.ErrorS(err, "failed to parse image name, forcing image credentials reverification", "image", sanitizedImage)
-		return true
+		resultForMetrics = checkResultError
+		logger.Error(err, "failed to parse image name, forcing image credentials reverification", "image", sanitizedImage)
+		return true, nil
 	}
 
 	cachedCreds, ok := pulledRecord.CredentialMapping[sanitizedImage]
 	if !ok {
-		return true
+		resultForMetrics = checkResultMustAuthenticate
+		return true, nil
 	}
 
 	if cachedCreds.NodePodsAccessible {
 		// anyone on this node can access the image
-		return false
+		resultForMetrics = checkResultCredentialRecordFound
+		return false, nil
 	}
 
 	if len(cachedCreds.KubernetesSecrets) == 0 && len(cachedCreds.KubernetesServiceAccounts) == 0 {
-		return true
+		resultForMetrics = checkResultMustAuthenticate
+		return true, nil
+	}
+
+	podSecrets, podServiceAccount, err := getPodCredentials()
+	if err != nil {
+		resultForMetrics = checkResultError
+		return true, err
 	}
 
 	for _, podSecret := range podSecrets {
@@ -271,11 +296,12 @@ func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []
 					// While we're only matching at this point, we want to ensure this secret is considered valid in the future
 					// and so we make an additional write to the cache.
 					// writePulledRecord() is a noop in case the secret with the updated hash already appears in the cache.
-					if err := f.writePulledRecordIfChanged(image, imageRef, &kubeletconfiginternal.ImagePullCredentials{KubernetesSecrets: []kubeletconfiginternal.ImagePullSecret{podSecret}}); err != nil {
-						klog.ErrorS(err, "failed to write an image pulled record", "image", image, "imageRef", imageRef)
+					if err := f.writePulledRecordIfChanged(ctx, image, imageRef, &kubeletconfiginternal.ImagePullCredentials{KubernetesSecrets: []kubeletconfiginternal.ImagePullSecret{podSecret}}); err != nil {
+						logger.Error(err, "failed to write an image pulled record", "image", image, "imageRef", imageRef)
 					}
 				}
-				return false
+				resultForMetrics = checkResultCredentialRecordFound
+				return false, nil
 			}
 
 			if secretCoordinatesMatch {
@@ -283,10 +309,11 @@ func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []
 					// While we're only matching at this point, we want to ensure the updated credentials are considered valid in the future
 					// and so we make an additional write to the cache.
 					// writePulledRecord() is a noop in case the hash got updated in the meantime.
-					if err := f.writePulledRecordIfChanged(image, imageRef, &kubeletconfiginternal.ImagePullCredentials{KubernetesSecrets: []kubeletconfiginternal.ImagePullSecret{podSecret}}); err != nil {
-						klog.ErrorS(err, "failed to write an image pulled record", "image", image, "imageRef", imageRef)
+					if err := f.writePulledRecordIfChanged(ctx, image, imageRef, &kubeletconfiginternal.ImagePullCredentials{KubernetesSecrets: []kubeletconfiginternal.ImagePullSecret{podSecret}}); err != nil {
+						logger.Error(err, "failed to write an image pulled record", "image", image, "imageRef", imageRef)
 					}
-					return false
+					resultForMetrics = checkResultCredentialRecordFound
+					return false, nil
 				}
 			}
 		}
@@ -294,19 +321,22 @@ func (f *PullManager) MustAttemptImagePull(image, imageRef string, podSecrets []
 
 	if podServiceAccount != nil && slices.Contains(cachedCreds.KubernetesServiceAccounts, *podServiceAccount) {
 		// we found a matching service account, no need to pull the image
-		return false
+		resultForMetrics = checkResultCredentialRecordFound
+		return false, nil
 	}
 
-	return true
+	resultForMetrics = checkResultMustAuthenticate
+	return true, nil
 }
 
-func (f *PullManager) PruneUnknownRecords(imageList []string, until time.Time) {
+func (f *PullManager) PruneUnknownRecords(ctx context.Context, imageList []string, until time.Time) {
 	f.pulledAccessors.GlobalLock()
 	defer f.pulledAccessors.GlobalUnlock()
 
+	logger := klog.FromContext(ctx)
 	pulledRecords, err := f.recordsAccessor.ListImagePulledRecords()
 	if err != nil {
-		klog.ErrorS(err, "there were errors listing ImagePulledRecords, garbage collection will proceed with incomplete records list")
+		logger.Error(err, "there were errors listing ImagePulledRecords, garbage collection will proceed with incomplete records list")
 	}
 
 	imagesInUse := sets.New(imageList...)
@@ -321,7 +351,7 @@ func (f *PullManager) PruneUnknownRecords(imageList []string, until time.Time) {
 		}
 
 		if err := f.recordsAccessor.DeleteImagePulledRecord(imageRecord.ImageRef); err != nil {
-			klog.ErrorS(err, "failed to remove an ImagePulledRecord", "imageRef", imageRecord.ImageRef)
+			logger.Error(err, "failed to remove an ImagePulledRecord", "imageRef", imageRecord.ImageRef)
 		}
 	}
 
@@ -335,9 +365,10 @@ func (f *PullManager) PruneUnknownRecords(imageList []string, until time.Time) {
 // This method is not thread-safe and it should only be called upon the creation
 // of the PullManager.
 func (f *PullManager) initialize(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	pullIntents, err := f.recordsAccessor.ListImagePullIntents()
 	if err != nil {
-		klog.ErrorS(err, "there were errors listing ImagePullIntents, continuing with an incomplete records list")
+		logger.Error(err, "there were errors listing ImagePullIntents, continuing with an incomplete records list")
 	}
 
 	if len(pullIntents) == 0 {
@@ -346,7 +377,7 @@ func (f *PullManager) initialize(ctx context.Context) {
 
 	imageObjs, err := f.imageService.ListImages(ctx)
 	if err != nil {
-		klog.ErrorS(err, "failed to list images")
+		logger.Error(err, "failed to list images")
 	}
 
 	inFlightPulls := sets.New[string]()
@@ -362,13 +393,13 @@ func (f *PullManager) initialize(ctx context.Context) {
 
 		for _, image := range existingRecordedImages.UnsortedList() {
 
-			if err := f.writePulledRecordIfChanged(image, imageObj.ID, nil); err != nil {
-				klog.ErrorS(err, "failed to write an image pull record", "imageRef", imageObj.ID)
+			if err := f.writePulledRecordIfChanged(ctx, image, imageObj.ID, nil); err != nil {
+				logger.Error(err, "failed to write an image pull record", "imageRef", imageObj.ID)
 				continue
 			}
 
 			if err := f.recordsAccessor.DeleteImagePullIntent(image); err != nil {
-				klog.V(2).InfoS("failed to remove image pull intent file", "imageName", image, "error", err)
+				logger.V(2).Info("failed to remove image pull intent file", "imageName", image, "error", err)
 			}
 		}
 	}
diff --git a/pkg/kubelet/images/pullmanager/image_pull_manager_test.go b/pkg/kubelet/images/pullmanager/image_pull_manager_test.go
index 8e05041857d34..c61eb9f553004 100644
--- a/pkg/kubelet/images/pullmanager/image_pull_manager_test.go
+++ b/pkg/kubelet/images/pullmanager/image_pull_manager_test.go
@@ -425,17 +425,18 @@ func Test_pulledRecordMergeNewCreds(t *testing.T) {
 
 func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 	tests := []struct {
-		name               string
-		imagePullPolicy    ImagePullPolicyEnforcer
-		podSecrets         []kubeletconfiginternal.ImagePullSecret
-		podServiceAccount  *kubeletconfiginternal.ImagePullServiceAccount
-		image              string
-		imageRef           string
-		pulledFiles        []string
-		pullingFiles       []string
-		expectedPullRecord *kubeletconfiginternal.ImagePulledRecord
-		want               bool
-		expectedCacheWrite bool
+		name                  string
+		imagePullPolicy       ImagePullPolicyEnforcer
+		podSecrets            []kubeletconfiginternal.ImagePullSecret
+		podServiceAccount     *kubeletconfiginternal.ImagePullServiceAccount
+		image                 string
+		imageRef              string
+		pulledFiles           []string
+		pullingFiles          []string
+		expectedPullRecord    *kubeletconfiginternal.ImagePulledRecord
+		want                  bool
+		wantPodCredsRequested bool
+		expectedCacheWrite    bool
 	}{
 		{
 			name:            "image exists and is recorded with pod's exact secret",
@@ -445,18 +446,20 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "testimageref",
-			pulledFiles: []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:        false,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  false,
+			wantPodCredsRequested: true,
 		},
 		{
-			name:            "image exists and is recorded, no pod secrets",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testimageref",
-			pulledFiles:     []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:            true,
+			name:                  "image exists and is recorded, no pod secrets",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  true,
+			wantPodCredsRequested: true,
 		},
 		{
 			name:            "image exists and is recorded with the same secret but different credential hash",
@@ -479,8 +482,9 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					},
 				},
 			},
-			want:               false,
-			expectedCacheWrite: true,
+			want:                  false,
+			wantPodCredsRequested: true,
+			expectedCacheWrite:    true,
 		},
 		{
 			name:            "image exists and is recorded with a different secret with a different UID",
@@ -490,10 +494,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "different uid", Namespace: "default", Name: "pull-secret", CredentialHash: "differenthash",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "testimageref",
-			pulledFiles: []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:        true,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  true,
+			wantPodCredsRequested: true,
 		},
 		{
 			name:            "image exists and is recorded with a different secret",
@@ -503,10 +508,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "differentns", Name: "pull-secret", CredentialHash: "differenthash",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "testimageref",
-			pulledFiles: []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:        true,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  true,
+			wantPodCredsRequested: true,
 		},
 		{
 			name:            "image exists and is recorded with a different secret with the same credential hash",
@@ -530,8 +536,9 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					},
 				},
 			},
-			want:               false,
-			expectedCacheWrite: true,
+			want:                  false,
+			wantPodCredsRequested: true,
+			expectedCacheWrite:    true,
 		},
 		{
 			name:            "image exists but the pull is recorded with a different image name but with the exact same secret",
@@ -541,39 +548,44 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash",
 				},
 			},
-			image:       "docker.io/testing/different:latest",
-			imageRef:    "testimageref",
-			pulledFiles: []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:        true,
+			image:                 "docker.io/testing/different:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  true,
+			wantPodCredsRequested: false,
 		},
 		{
-			name:            "image exists and is recorded with empty credential mapping",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testemptycredmapping",
-			pulledFiles:     []string{"sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991"},
-			want:            true,
+			name:                  "image exists and is recorded with empty credential mapping",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testemptycredmapping",
+			pulledFiles:           []string{"sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991"},
+			want:                  true,
+			wantPodCredsRequested: false,
 		},
 		{
-			name:            "image does not exist and there are no records of it",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "",
-			want:            true,
+			name:                  "image does not exist and there are no records of it",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "",
+			want:                  true,
+			wantPodCredsRequested: false,
 		},
 		{
-			name:            "image exists and there are no records of it with NeverVerifyPreloadedImages pull policy",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testexistingref",
-			want:            false,
+			name:                  "image exists and there are no records of it with NeverVerifyPreloadedImages pull policy",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			want:                  false,
+			wantPodCredsRequested: false,
 		},
 		{
-			name:            "image exists and there are no records of it with AlwaysVerify pull policy",
-			imagePullPolicy: AlwaysVerifyImagePullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testexistingref",
-			want:            true,
+			name:                  "image exists and there are no records of it with AlwaysVerify pull policy",
+			imagePullPolicy:       AlwaysVerifyImagePullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			want:                  true,
+			wantPodCredsRequested: false,
 		},
 		{
 			name:            "image exists but is only recorded via pulling intent",
@@ -583,10 +595,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash",
 				},
 			},
-			image:        "docker.io/testing/test:latest",
-			imageRef:     "testexistingref",
-			pullingFiles: []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
-			want:         true,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			pullingFiles:          []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
+			want:                  true,
+			wantPodCredsRequested: false,
 		},
 		{
 			name:            "image exists but is only recorded via pulling intent - NeverVerify policy",
@@ -596,18 +609,20 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash",
 				},
 			},
-			image:        "docker.io/testing/test:latest",
-			imageRef:     "testexistingref",
-			pullingFiles: []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
-			want:         false,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			pullingFiles:          []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
+			want:                  false,
+			wantPodCredsRequested: false,
 		},
 		{
-			name:            "image exists and is recorded as node-accessible, no pod secrets",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testimage-anonpull",
-			pulledFiles:     []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
-			want:            false,
+			name:                  "image exists and is recorded as node-accessible, no pod secrets",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimage-anonpull",
+			pulledFiles:           []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
+			want:                  false,
+			wantPodCredsRequested: false,
 		},
 		{
 			name:            "image exists and is recorded as node-accessible, request with pod secrets",
@@ -617,10 +632,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "testimage-anonpull",
-			pulledFiles: []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
-			want:        false,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimage-anonpull",
+			pulledFiles:           []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
+			want:                  false,
+			wantPodCredsRequested: false,
 		},
 		{
 			name:            "image exists and is recorded with empty hash as its hashing originally failed, the same fail for a different pod secret",
@@ -630,10 +646,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "differentns", Name: "pull-secret", CredentialHash: "",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "test-brokenhash",
-			pulledFiles: []string{"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd"},
-			want:        true,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "test-brokenhash",
+			pulledFiles:           []string{"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd"},
+			want:                  true,
+			wantPodCredsRequested: true,
 		},
 		{
 			name:            "image exists and is recorded with empty hash as its hashing originally failed, the same fail for the same pod secret",
@@ -643,82 +660,91 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 					UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "",
 				},
 			},
-			image:       "docker.io/testing/test:latest",
-			imageRef:    "test-brokenhash",
-			pulledFiles: []string{"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd"},
-			want:        false,
-		},
-
-		{
-			name:              "image exists and is recorded with pod's exact service account",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testimageref-sa",
-			pulledFiles:       []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
-			want:              false,
-		},
-		{
-			name:            "image exists and is recorded, no pod service accounts",
-			imagePullPolicy: NeverVerifyPreloadedPullPolicy(),
-			image:           "docker.io/testing/test:latest",
-			imageRef:        "testimageref",
-			pulledFiles:     []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
-			want:            true,
-		},
-		{
-			name:              "image exists and is recorded with a different service account with different UID",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "different-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testimageref-sa",
-			pulledFiles:       []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
-			want:              true,
-		},
-		{
-			name:              "image exists and is recorded with a different service account with different namespace",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "different-ns", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testimageref-sa",
-			pulledFiles:       []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
-			want:              true,
-		},
-		{
-			name:              "image exists but the pull is recorded with a different image name but with the exact same service account",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/different:latest",
-			imageRef:          "testimageref-sa",
-			pulledFiles:       []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
-			want:              true,
-		},
-		{
-			name:              "image exists but is only recorded via pulling intent with service account",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testexistingref",
-			pullingFiles:      []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
-			want:              true,
-		},
-		{
-			name:              "image exists but is only recorded via pulling intent with service account - NeverVerify policy",
-			imagePullPolicy:   NeverVerifyImagePullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testexistingref",
-			pullingFiles:      []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
-			want:              false,
-		},
-		{
-			name:              "image exists and is recorded as node-accessible, request with pod service accounts",
-			imagePullPolicy:   NeverVerifyPreloadedPullPolicy(),
-			podServiceAccount: &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
-			image:             "docker.io/testing/test:latest",
-			imageRef:          "testimage-anonpull",
-			pulledFiles:       []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
-			want:              false,
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "test-brokenhash",
+			pulledFiles:           []string{"sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd"},
+			want:                  false,
+			wantPodCredsRequested: true,
+		},
+
+		{
+			name:                  "image exists and is recorded with pod's exact service account",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref-sa",
+			pulledFiles:           []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
+			want:                  false,
+			wantPodCredsRequested: true,
+		},
+		{
+			name:                  "image exists and is recorded, no pod service accounts",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref",
+			pulledFiles:           []string{"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064"},
+			want:                  true,
+			wantPodCredsRequested: true,
+		},
+		{
+			name:                  "image exists and is recorded with a different service account with different UID",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "different-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref-sa",
+			pulledFiles:           []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
+			want:                  true,
+			wantPodCredsRequested: true,
+		},
+		{
+			name:                  "image exists and is recorded with a different service account with different namespace",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "different-ns", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimageref-sa",
+			pulledFiles:           []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
+			want:                  true,
+			wantPodCredsRequested: true,
+		},
+		{
+			name:                  "image exists but the pull is recorded with a different image name but with the exact same service account",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/different:latest",
+			imageRef:              "testimageref-sa",
+			pulledFiles:           []string{"sha256-917e8b3439bf8a7a6f37ffd2d2ddfdfafac8a251bf214a0be39675742b420b1a"},
+			want:                  true,
+			wantPodCredsRequested: false,
+		},
+		{
+			name:                  "image exists but is only recorded via pulling intent with service account",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			pullingFiles:          []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
+			want:                  true,
+			wantPodCredsRequested: false,
+		},
+		{
+			name:                  "image exists but is only recorded via pulling intent with service account - NeverVerify policy",
+			imagePullPolicy:       NeverVerifyImagePullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testexistingref",
+			pullingFiles:          []string{"sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56"},
+			want:                  false,
+			wantPodCredsRequested: false,
+		},
+		{
+			name:                  "image exists and is recorded as node-accessible, request with pod service accounts",
+			imagePullPolicy:       NeverVerifyPreloadedPullPolicy(),
+			podServiceAccount:     &kubeletconfiginternal.ImagePullServiceAccount{UID: "test-sa-uid", Namespace: "default", Name: "test-sa"},
+			image:                 "docker.io/testing/test:latest",
+			imageRef:              "testimage-anonpull",
+			pulledFiles:           []string{"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a"},
+			want:                  false,
+			wantPodCredsRequested: false,
 		},
 	}
 
@@ -726,13 +752,14 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			encoder, decoder, err := createKubeletConfigSchemeEncoderDecoder()
 			require.NoError(t, err)
+			_, tCtx := ktesting.NewTestContext(t)
 
 			testDir := t.TempDir()
 			pullingDir := filepath.Join(testDir, "pulling")
 			pulledDir := filepath.Join(testDir, "pulled")
 
-			copyTestData(t, pullingDir, "pulling", tt.pullingFiles)
-			copyTestData(t, pulledDir, "pulled", tt.pulledFiles)
+			_ = teeTestData(t, pullingDir, "pulling", tt.pullingFiles)
+			_ = teeTestData(t, pulledDir, "pulled", tt.pulledFiles)
 
 			fsRecordAccessor := &testWriteCountingFSPullRecordsAccessor{
 				fsPullRecordsAccessor: fsPullRecordsAccessor{
@@ -743,6 +770,11 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 				},
 			}
 
+			var podCredsRequested bool
+			s := func() ([]kubeletconfiginternal.ImagePullSecret, *kubeletconfiginternal.ImagePullServiceAccount, error) {
+				podCredsRequested = true
+				return tt.podSecrets, tt.podServiceAccount, nil
+			}
 			f := &PullManager{
 				recordsAccessor:     fsRecordAccessor,
 				imagePolicyEnforcer: tt.imagePullPolicy,
@@ -750,8 +782,15 @@ func TestFileBasedImagePullManager_MustAttemptImagePull(t *testing.T) {
 				intentCounters:      &sync.Map{},
 				pulledAccessors:     NewStripedLockSet(10),
 			}
-			if got := f.MustAttemptImagePull(tt.image, tt.imageRef, tt.podSecrets, tt.podServiceAccount); got != tt.want {
+
+			if got, err := f.MustAttemptImagePull(tCtx, tt.image, tt.imageRef, s); err != nil {
+				t.Errorf("FileBasedImagePullManager.MustAttemptImagePull() unexpected error %v", err)
+			} else if got != tt.want {
 				t.Errorf("FileBasedImagePullManager.MustAttemptImagePull() = %v, want %v", got, tt.want)
+			} else if podCredsRequested && !tt.wantPodCredsRequested {
+				t.Error("expected FileBasedImagePullManager.MustAttemptImagePull() to not look up pod credentials, but it did")
+			} else if !podCredsRequested && tt.wantPodCredsRequested {
+				t.Error("expected FileBasedImagePullManager.MustAttemptImagePull() to look up pod credentials, but it did not")
 			}
 
 			if tt.expectedCacheWrite != (fsRecordAccessor.imagePulledRecordsWrites != 0) {
@@ -1110,6 +1149,7 @@ func TestFileBasedImagePullManager_RecordImagePulled(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			_, tCtx := ktesting.NewTestContext(t)
 			encoder, decoder, err := createKubeletConfigSchemeEncoderDecoder()
 			require.NoError(t, err)
 
@@ -1117,8 +1157,8 @@ func TestFileBasedImagePullManager_RecordImagePulled(t *testing.T) {
 			pullingDir := filepath.Join(testDir, "pulling")
 			pulledDir := filepath.Join(testDir, "pulled")
 
-			copyTestData(t, pullingDir, "pulling", tt.existingPulling)
-			copyTestData(t, pulledDir, "pulled", tt.existingPulled)
+			_ = teeTestData(t, pullingDir, "pulling", tt.existingPulling)
+			_ = teeTestData(t, pulledDir, "pulled", tt.existingPulled)
 
 			fsRecordAccessor := &fsPullRecordsAccessor{
 				pullingDir: pullingDir,
@@ -1135,7 +1175,7 @@ func TestFileBasedImagePullManager_RecordImagePulled(t *testing.T) {
 			}
 			f.intentCounters.Store(tt.image, tt.pullsInFlight)
 			origIntentCounter := f.getIntentCounterForImage(tt.image)
-			f.RecordImagePulled(tt.image, tt.imageRef, tt.creds)
+			f.RecordImagePulled(tCtx, tt.image, tt.imageRef, tt.creds)
 			require.Equal(t, f.getIntentCounterForImage(tt.image), origIntentCounter-1, "intent counter for %s was not decremented", tt.image)
 
 			for _, fname := range tt.expectPulled {
@@ -1153,7 +1193,7 @@ func TestFileBasedImagePullManager_RecordImagePulled(t *testing.T) {
 				t.Fatalf("failed to read the expected image pulled record: %v", err)
 			}
 
-			got, err := decodePulledRecord(decoder, pulledBytes)
+			got, _, err := decodePulledRecord(decoder, pulledBytes)
 			if err != nil {
 				t.Fatalf("failed to deserialize the image pulled record: %v", err)
 			}
@@ -1292,8 +1332,8 @@ func TestFileBasedImagePullManager_initialize(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			copyTestData(t, pullingDir, "pulling", tt.existingIntents)
-			copyTestData(t, pulledDir, "pulled", tt.existingPulledRecords)
+			_ = teeTestData(t, pullingDir, "pulling", tt.existingIntents)
+			_ = teeTestData(t, pulledDir, "pulled", tt.existingPulledRecords)
 
 			fsRecordAccessor := &fsPullRecordsAccessor{
 				pullingDir: pullingDir,
@@ -1399,6 +1439,7 @@ func TestFileBasedImagePullManager_PruneUnknownRecords(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			_, tCtx := ktesting.NewTestContext(t)
 			encoder, decoder, err := createKubeletConfigSchemeEncoderDecoder()
 			require.NoError(t, err)
 
@@ -1408,7 +1449,7 @@ func TestFileBasedImagePullManager_PruneUnknownRecords(t *testing.T) {
 				t.Fatalf("failed to create testing dir %q: %v", pulledDir, err)
 			}
 
-			copyTestData(t, pulledDir, "pulled", tt.pulledFiles)
+			_ = teeTestData(t, pulledDir, "pulled", tt.pulledFiles)
 
 			fsRecordAccessor := &fsPullRecordsAccessor{
 				pulledDir: pulledDir,
@@ -1420,7 +1461,7 @@ func TestFileBasedImagePullManager_PruneUnknownRecords(t *testing.T) {
 				recordsAccessor: fsRecordAccessor,
 				pulledAccessors: NewStripedLockSet(10),
 			}
-			f.PruneUnknownRecords(tt.imageList, tt.gcStartTime)
+			f.PruneUnknownRecords(tCtx, tt.imageList, tt.gcStartTime)
 
 			filesLeft := sets.New[string]()
 			err = filepath.Walk(pulledDir, func(path string, info fs.FileInfo, err error) error {
@@ -1446,7 +1487,9 @@ func TestFileBasedImagePullManager_PruneUnknownRecords(t *testing.T) {
 	}
 }
 
-func copyTestData(t *testing.T, dstDir string, testdataDir string, src []string) {
+func teeTestData(t *testing.T, dstDir string, testdataDir string, src []string) map[string]string {
+	t.Helper()
+	ret := make(map[string]string, len(src))
 	for _, f := range src {
 		testBytes, err := os.ReadFile(filepath.Join("testdata", testdataDir, f))
 		if err != nil {
@@ -1455,7 +1498,9 @@ func copyTestData(t *testing.T, dstDir string, testdataDir string, src []string)
 		if err := writeFile(dstDir, f, testBytes); err != nil {
 			t.Fatalf("failed to write test data: %v", err)
 		}
+		ret[f] = string(testBytes)
 	}
+	return ret
 }
 
 func withImageRecord(r *kubeletconfiginternal.ImagePulledRecord, image string, record kubeletconfiginternal.ImagePullCredentials) *kubeletconfiginternal.ImagePulledRecord {
diff --git a/pkg/kubelet/images/pullmanager/interfaces.go b/pkg/kubelet/images/pullmanager/interfaces.go
index db386ef99d49e..7d8812bc735ad 100644
--- a/pkg/kubelet/images/pullmanager/interfaces.go
+++ b/pkg/kubelet/images/pullmanager/interfaces.go
@@ -17,11 +17,15 @@ limitations under the License.
 package pullmanager
 
 import (
+	"context"
 	"time"
 
 	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 )
 
+// GetPodCredentials lazily looks up and returns a set of pull credentials.
+type GetPodCredentials func() ([]kubeletconfiginternal.ImagePullSecret, *kubeletconfiginternal.ImagePullServiceAccount, error)
+
 // ImagePullManager keeps the state of images that were pulled and which are
 // currently still being pulled.
 // It should keep an internal state of images currently being pulled by the kubelet
@@ -44,32 +48,37 @@ type ImagePullManager interface {
 	// to `true`.
 	//
 	// `image` is the content of the pod's container `image` field.
-	RecordImagePulled(image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials)
+	RecordImagePulled(ctx context.Context, image, imageRef string, credentials *kubeletconfiginternal.ImagePullCredentials)
 	// RecordImagePullFailed should be called if an image failed to pull.
 	//
 	// Internally, it lowers its reference counter for the given image. If the
 	// counter reaches zero, the pull intent record for the image is removed.
 	//
 	// `image` is the content of the pod's container `image` field.
-	RecordImagePullFailed(image string)
+	RecordImagePullFailed(ctx context.Context, image string)
 	// MustAttemptImagePull evaluates the policy for the image specified in
 	// `image` and if the policy demands verification, it checks the internal
 	// cache to see if there's a record of pulling the image with the presented
 	// set of credentials or if the image can be accessed by any of the node's pods
 	// or if the image can be accessed by the specified service account.
 	//
-	// Returns true if the policy demands verification and no record of the pull
+	// `getPodCredentials` is invoked to retrieve the set of credentials after
+	// MustAttemptImagePull evaluates the parts of the policy that do not depend on them.
+	//
+	// Returns true and an error if `getPodCredentials` returns an error.
+	//
+	// Returns true and nil if the policy demands verification and no record of the pull
 	// was found in the cache.
 	//
 	// `image` is the content of the pod's container `image` field.
-	MustAttemptImagePull(image, imageRef string, credentials []kubeletconfiginternal.ImagePullSecret, serviceAccount *kubeletconfiginternal.ImagePullServiceAccount) bool
+	MustAttemptImagePull(ctx context.Context, image, imageRef string, getPodCredentials GetPodCredentials) (bool, error)
 	// PruneUnknownRecords deletes all of the cache ImagePulledRecords for each of the images
 	// whose imageRef does not appear in the `imageList` iff such an record was last updated
 	// _before_ the `until` timestamp.
 	//
 	// This method is only expected to be called by the kubelet's image garbage collector.
 	// `until` is a timestamp created _before_ the `imageList` was requested from the CRI.
-	PruneUnknownRecords(imageList []string, until time.Time)
+	PruneUnknownRecords(ctx context.Context, imageList []string, until time.Time)
 }
 
 // PullRecordsAccessor allows unified access to ImagePullIntents/ImagePulledRecords
diff --git a/pkg/kubelet/images/pullmanager/mem_pullrecords.go b/pkg/kubelet/images/pullmanager/mem_pullrecords.go
index 796a367b856a7..3ed9f7fb12017 100644
--- a/pkg/kubelet/images/pullmanager/mem_pullrecords.go
+++ b/pkg/kubelet/images/pullmanager/mem_pullrecords.go
@@ -98,7 +98,7 @@ type cachedPullRecordsAccessor struct {
 	pulledRecords      *lruCache[string, kubeletconfiginternal.ImagePulledRecord]
 }
 
-func NewCachedPullRecordsAccessor(delegate PullRecordsAccessor, intentsCacheSize, pulledRecordsCacheSize, stripedLocksSize int32) *cachedPullRecordsAccessor {
+func NewCachedPullRecordsAccessor(delegate PullRecordsAccessor, intentsCacheSize, pulledRecordsCacheSize, stripedLocksSize int32) PullRecordsAccessor {
 	intentsCacheSize = min(intentsCacheSize, 1024)
 	pulledRecordsCacheSize = min(pulledRecordsCacheSize, 2000)
 
@@ -119,7 +119,7 @@ func NewCachedPullRecordsAccessor(delegate PullRecordsAccessor, intentsCacheSize
 	if err != nil {
 		klog.InfoS("there was an error initializing the image pulled records cache, the cache will work in a non-authoritative mode until the pulled records are listed successfully", "error", err)
 	}
-	return c
+	return NewMeteringRecordsAccessor(c, inMemIntentsPercent, inMemPulledRecordsPercent)
 }
 
 func (c *cachedPullRecordsAccessor) ListImagePullIntents() ([]*kubeletconfiginternal.ImagePullIntent, error) {
@@ -245,6 +245,16 @@ func (c *cachedPullRecordsAccessor) DeleteImagePulledRecord(imageRef string) err
 	return nil
 }
 
+func (f *cachedPullRecordsAccessor) intentsSize() (uint, error) {
+	intentsUsage := f.intents.Len() * 100 / f.intents.maxSize
+	return uint(intentsUsage), nil
+}
+
+func (f *cachedPullRecordsAccessor) pulledRecordsSize() (uint, error) {
+	pulledRecordsUsage := f.pulledRecords.Len() * 100 / f.pulledRecords.maxSize
+	return uint(pulledRecordsUsage), nil
+}
+
 func cacheRefreshingList[K comparable, V any](
 	cache *lruCache[K, V],
 	delegateLocks *StripedLockSet,
diff --git a/pkg/kubelet/images/pullmanager/mem_pullrecords_test.go b/pkg/kubelet/images/pullmanager/mem_pullrecords_test.go
index 4cee939a5157d..48fc411afbd20 100644
--- a/pkg/kubelet/images/pullmanager/mem_pullrecords_test.go
+++ b/pkg/kubelet/images/pullmanager/mem_pullrecords_test.go
@@ -297,9 +297,17 @@ func TestNewCachedPullRecordsAccessor(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			gotAccessor := NewCachedPullRecordsAccessor(tt.delegate, 50, 100, 10)
+			gotMeteredAccessor, ok := gotAccessor.(*meteringRecordsAccessor)
+			if !ok {
+				t.Fatalf("the tested accessor must be a metered records accessor, got %T", gotAccessor)
+			}
+			inMemAccessor, ok := gotMeteredAccessor.sizeExposedPullRecordsAccessor.(*cachedPullRecordsAccessor)
+			if !ok {
+				t.Fatalf("the metered accessor's delegate is not an inMemAccesor: %T", gotMeteredAccessor.sizeExposedPullRecordsAccessor)
+			}
 
 			expectedCachedIntents := tt.wantCacheIntents
-			if err := cmpRecordsMapAndCache(expectedCachedIntents, gotAccessor.intents); err != nil {
+			if err := cmpRecordsMapAndCache(expectedCachedIntents, inMemAccessor.intents); err != nil {
 				t.Errorf("NewCachedPullRecordsAccessor cache does not match: %v", err)
 			}
 
@@ -312,7 +320,7 @@ func TestNewCachedPullRecordsAccessor(t *testing.T) {
 				t.Errorf("NewCachedPullRecordsAccessor().ListImagePullIntents() errors don't match = %v, want %v", intentsErr, tt.wantIntentsError)
 			}
 			expectedPulledRecords := tt.wantCachePulledRecords
-			if err := cmpRecordsMapAndCache(expectedPulledRecords, gotAccessor.pulledRecords); err != nil {
+			if err := cmpRecordsMapAndCache(expectedPulledRecords, inMemAccessor.pulledRecords); err != nil {
 				t.Errorf("NewCachedPullRecordsAccessor cache does not match: %v", err)
 			}
 
@@ -325,11 +333,11 @@ func TestNewCachedPullRecordsAccessor(t *testing.T) {
 				t.Errorf("NewCachedPullRecordsAccessor().ListImagePullIntents() errors don't match = %v, want %v", pulledRecordsErr, tt.wantPulledRecordsError)
 			}
 
-			if gotIntentsAuthoritative := gotAccessor.intents.authoritative.Load(); gotIntentsAuthoritative != tt.wantIntentsAuthoritative {
+			if gotIntentsAuthoritative := inMemAccessor.intents.authoritative.Load(); gotIntentsAuthoritative != tt.wantIntentsAuthoritative {
 				t.Errorf("NewCachedPullRecordsAccessor().intents.authoritative = %v, want %v", gotIntentsAuthoritative, tt.wantIntentsAuthoritative)
 			}
 
-			if gotPulledRecordsAuthoritative := gotAccessor.pulledRecords.authoritative.Load(); gotPulledRecordsAuthoritative != tt.wantPulledRecordsAuthoritative {
+			if gotPulledRecordsAuthoritative := inMemAccessor.pulledRecords.authoritative.Load(); gotPulledRecordsAuthoritative != tt.wantPulledRecordsAuthoritative {
 				t.Errorf("NewCachedPullRecordsAccessor().pulledRecords.authoritative = %v, want %v", gotPulledRecordsAuthoritative, tt.wantPulledRecordsAuthoritative)
 			}
 		})
diff --git a/pkg/kubelet/images/pullmanager/metrics.go b/pkg/kubelet/images/pullmanager/metrics.go
new file mode 100644
index 0000000000000..7be9812210f0d
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/metrics.go
@@ -0,0 +1,164 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pullmanager
+
+import (
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+	"k8s.io/klog/v2"
+	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	kubeletmetrics "k8s.io/kubernetes/pkg/kubelet/metrics"
+)
+
+const imageManagerSubsystem = kubeletmetrics.KubeletSubsystem + "_imagemanager"
+
+type mustAttemptImagePullResult string
+
+const (
+	checkResultCredentialPolicyAllowed mustAttemptImagePullResult = "credentialPolicyAllowed"
+	checkResultCredentialRecordFound   mustAttemptImagePullResult = "credentialRecordFound"
+	checkResultMustAuthenticate        mustAttemptImagePullResult = "mustAuthenticate"
+	checkResultError                   mustAttemptImagePullResult = "error"
+)
+
+var (
+	fsPullIntentsSize = metrics.NewGauge(
+		&metrics.GaugeOpts{
+			Subsystem:      imageManagerSubsystem,
+			Name:           "ondisk_pullintents",
+			Help:           "Number of ImagePullIntents stored on disk.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+	fsPulledRecordsSize = metrics.NewGauge(
+		&metrics.GaugeOpts{
+			Subsystem:      imageManagerSubsystem,
+			Name:           "ondisk_pulledrecords",
+			Help:           "Number of ImagePulledRecords stored on disk.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+	inMemIntentsPercent = metrics.NewGauge(
+		&metrics.GaugeOpts{
+			Subsystem:      imageManagerSubsystem,
+			Name:           "inmemory_pullintents_usage_percent",
+			Help:           "The ImagePullIntents in-memory cache usage in percent.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+	inMemPulledRecordsPercent = metrics.NewGauge(
+		&metrics.GaugeOpts{
+			Subsystem:      imageManagerSubsystem,
+			Name:           "inmemory_pulledrecords_usage_percent",
+			Help:           "The ImagePulledRecords in-memory cache usage in percent.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+	mustPullChecksTotal = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      imageManagerSubsystem,
+			Name:           "image_mustpull_checks_total",
+			Help:           "Counter for how many times kubelet checked whether credentials need to be re-verified to access an image",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"result"},
+	)
+)
+
+func init() {
+	legacyregistry.MustRegister(fsPullIntentsSize)
+	legacyregistry.MustRegister(fsPulledRecordsSize)
+	legacyregistry.MustRegister(inMemIntentsPercent)
+	legacyregistry.MustRegister(inMemPulledRecordsPercent)
+	legacyregistry.MustRegister(mustPullChecksTotal)
+}
+
+// meteringRecordsAccessor wraps a PullRecordsAccessor that's capable of reporting its size
+// and updates its record metrics on write operations.
+type meteringRecordsAccessor struct {
+	sizeExposedPullRecordsAccessor
+	intentsSize       *metrics.Gauge
+	pulledRecordsSize *metrics.Gauge
+}
+
+type sizeExposedPullRecordsAccessor interface {
+	PullRecordsAccessor
+	intentsSize() (uint, error)
+	pulledRecordsSize() (uint, error)
+}
+
+func NewMeteringRecordsAccessor(pullRecordsAccessor sizeExposedPullRecordsAccessor, intentsSize, pulledRecordsSize *metrics.Gauge) *meteringRecordsAccessor {
+	return &meteringRecordsAccessor{
+		sizeExposedPullRecordsAccessor: pullRecordsAccessor,
+		intentsSize:                    intentsSize,
+		pulledRecordsSize:              pulledRecordsSize,
+	}
+}
+
+func (m *meteringRecordsAccessor) WriteImagePullIntent(image string) error {
+	if err := m.sizeExposedPullRecordsAccessor.WriteImagePullIntent(image); err != nil {
+		return err
+	}
+	m.recordIntentsSize()
+	return nil
+}
+
+func (m *meteringRecordsAccessor) DeleteImagePullIntent(image string) error {
+	if err := m.sizeExposedPullRecordsAccessor.DeleteImagePullIntent(image); err != nil {
+		return err
+	}
+	m.recordIntentsSize()
+	return nil
+}
+
+func (m *meteringRecordsAccessor) WriteImagePulledRecord(record *kubeletconfiginternal.ImagePulledRecord) error {
+	if err := m.sizeExposedPullRecordsAccessor.WriteImagePulledRecord(record); err != nil {
+		return err
+	}
+	m.recordPulledRecordsSize()
+	return nil
+}
+
+func (m *meteringRecordsAccessor) DeleteImagePulledRecord(imageRef string) error {
+	if err := m.sizeExposedPullRecordsAccessor.DeleteImagePulledRecord(imageRef); err != nil {
+		return err
+	}
+	m.recordPulledRecordsSize()
+	return nil
+}
+
+func (m *meteringRecordsAccessor) recordIntentsSize() {
+	intentsSize, err := m.sizeExposedPullRecordsAccessor.intentsSize()
+	if err != nil {
+		klog.V(4).ErrorS(err, "failed to read number of ImagePullIntents, can't update metric", "metricName", m.intentsSize.Name)
+		return
+	}
+	m.intentsSize.Set(float64(intentsSize))
+}
+
+func (m *meteringRecordsAccessor) recordPulledRecordsSize() {
+	pulledRecordsSize, err := m.sizeExposedPullRecordsAccessor.pulledRecordsSize()
+	if err != nil {
+		klog.V(4).ErrorS(err, "failed to read number of ImagePulledRecords, can't update metric", "metricName", m.pulledRecordsSize.Name)
+		return
+	}
+	m.pulledRecordsSize.Set(float64(pulledRecordsSize))
+}
+
+func recordMustAttemptImagePullResult(result mustAttemptImagePullResult) {
+	mustPullChecksTotal.WithLabelValues(string(result)).Inc()
+}
diff --git a/pkg/kubelet/images/pullmanager/metrics_test.go b/pkg/kubelet/images/pullmanager/metrics_test.go
new file mode 100644
index 0000000000000..51593292e8414
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/metrics_test.go
@@ -0,0 +1,329 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pullmanager
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/component-base/metrics/legacyregistry"
+	metricstestutil "k8s.io/component-base/metrics/testutil"
+	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+func TestFSPullRecordsMetrics(t *testing.T) {
+	tempDir := t.TempDir()
+	legacyregistry.Reset()
+	defer legacyregistry.Reset()
+
+	fsAccessor, err := NewFSPullRecordsAccessor(tempDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	const pullIntentsCacheSize, pulledRecordsCacheSize, stripedSetLocksSize int32 = 5, 10, 1
+	inMemoryAccessor := NewCachedPullRecordsAccessor(fsAccessor, pullIntentsCacheSize, pulledRecordsCacheSize, stripedSetLocksSize)
+
+	cmpFSIntents(t, 0)
+	cmpMemIntents(t, 0)
+	require.NoError(t, inMemoryAccessor.WriteImagePullIntent("test-image:latest"))
+	cmpFSIntents(t, 1)
+	cmpMemIntents(t, 20)
+
+	// Test that writing the same record does not increase the count
+	require.NoError(t, inMemoryAccessor.WriteImagePullIntent("test-image:latest"))
+	require.NoError(t, inMemoryAccessor.WriteImagePullIntent("test-image:latest"))
+	cmpFSIntents(t, 1)
+	cmpMemIntents(t, 20)
+
+	// Test adding more records
+	require.NoError(t, inMemoryAccessor.WriteImagePullIntent("test-image:v1"))
+	require.NoError(t, inMemoryAccessor.WriteImagePullIntent("test-image:v1.1"))
+	cmpFSIntents(t, 3)
+	cmpMemIntents(t, 60)
+
+	cmpFSPulledRecords(t, 0)
+	cmpMemPulledRecords(t, 0)
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-latest-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	cmpFSPulledRecords(t, 1)
+	cmpMemPulledRecords(t, 10)
+
+	// Test that writing the same record does not increase the count
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-latest-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-latest-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	cmpFSPulledRecords(t, 1)
+	cmpMemPulledRecords(t, 10)
+
+	// Test adding more records
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-v1-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-v1.1-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+		ImageRef:        "test-image-v1.2-ref",
+		LastUpdatedTime: metav1.NewTime(time.Now()),
+	}))
+	cmpFSPulledRecords(t, 4)
+	cmpMemPulledRecords(t, 40)
+
+	// double-check that intents count is not affected
+	cmpFSIntents(t, 3)
+	cmpMemIntents(t, 60)
+
+	// Test deletions
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image:latest"))
+	cmpFSIntents(t, 2)
+	cmpMemIntents(t, 40)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image:latest"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image:latest"))
+	cmpFSIntents(t, 2)
+	cmpMemIntents(t, 40)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image:v1"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image:v1.1"))
+	cmpFSIntents(t, 0)
+	cmpMemIntents(t, 0)
+
+	// double-check that pulled records count is not affected
+	cmpFSPulledRecords(t, 4)
+	cmpMemPulledRecords(t, 40)
+
+	// Test image pulled record deletions
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1.1-ref"))
+	cmpFSPulledRecords(t, 3)
+	cmpMemPulledRecords(t, 30)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1.1-ref"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1.1-ref"))
+	cmpFSPulledRecords(t, 3)
+	cmpMemPulledRecords(t, 30)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1.2-ref"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1-ref"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-latest-ref"))
+	cmpFSPulledRecords(t, 0)
+	cmpMemPulledRecords(t, 0)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v1-ref"))
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-latest-ref"))
+	cmpFSPulledRecords(t, 0)
+	cmpMemPulledRecords(t, 0)
+
+	// test exceeding memory cache sizes
+	for i := range 20 {
+		require.NoError(t, inMemoryAccessor.WriteImagePullIntent(fmt.Sprintf("test-image-%d:latest", i)))
+		require.NoError(t, inMemoryAccessor.WriteImagePulledRecord(&kubeletconfig.ImagePulledRecord{
+			ImageRef:        fmt.Sprintf("test-image-v%d-ref", i),
+			LastUpdatedTime: metav1.NewTime(time.Now()),
+		}))
+	}
+	cmpFSIntents(t, 20)
+	cmpFSPulledRecords(t, 20)
+	cmpMemIntents(t, 100)
+	cmpMemPulledRecords(t, 100)
+
+	// test removing some of the latest records from the cache
+	require.NoError(t, inMemoryAccessor.DeleteImagePullIntent("test-image-19:latest"))
+	cmpFSIntents(t, 19)
+	cmpMemIntents(t, 80)
+
+	require.NoError(t, inMemoryAccessor.DeleteImagePulledRecord("test-image-v19-ref"))
+	cmpFSPulledRecords(t, 19)
+	cmpMemPulledRecords(t, 90)
+
+}
+
+func TestMustAttemptPullMetrics(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
+
+	tempDir := t.TempDir()
+	pulledDir := filepath.Join(tempDir, "image_manager", "pulled")
+	legacyregistry.Reset()
+	defer legacyregistry.Reset()
+
+	fsAccessor, err := NewFSPullRecordsAccessor(tempDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fakeRuntime := &containertest.FakeRuntime{}
+	imageManager, err := NewImagePullManager(ctx,
+		fsAccessor,
+		&NeverVerifyAllowlistedImages{absoluteURLs: sets.New("docker.io/testing/policyexempt")},
+		fakeRuntime,
+		1,
+	)
+	require.NoError(t, err)
+
+	teeTestData(t, pulledDir, "pulled", []string{
+		"sha256-e766e4624f9bc4d3847d6c5b470d9d5362cc8d0c250bd9572daf95278e044263",
+		"sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a",
+		"sha256-f4058727984875eb66ddbf289f7013096d4cbaa167e591fbcb2e447e36391c1f",
+		"sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064",
+	})
+
+	expectedMetrics := make(map[string]int)
+	testMustAttemptImagePull(t, true, imageManager, ctx, "docker.io/testing/broken", "testbrokenrecord", nil)
+	expectedMetrics[string(checkResultError)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, true, imageManager, ctx, "docker.io/testing/broken", "testbrokenrecord", nil)
+	testMustAttemptImagePull(t, true, imageManager, ctx, "docker.io/testing/broken", "testbrokenrecord", nil)
+	expectedMetrics[string(checkResultError)] += 2
+
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/test", "testimage-anonpull", nil)
+	expectedMetrics[string(checkResultCredentialRecordFound)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/test", "testimage-anonpull", nil)
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/test", "testimage-anonpull", nil)
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/test", "testimage-anonpull", nil)
+	expectedMetrics[string(checkResultCredentialRecordFound)] += 3
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/policyexempt", "policyallowed", nil)
+	expectedMetrics[string(checkResultCredentialPolicyAllowed)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/policyexempt", "policyallowed", nil)
+	expectedMetrics[string(checkResultCredentialPolicyAllowed)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, true, imageManager, ctx, "docker.io/testing/norecords", "somewhatunknown", nil)
+	expectedMetrics[string(checkResultMustAuthenticate)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+
+	testMustAttemptImagePull(t, false, imageManager, ctx, "docker.io/testing/test", "testimageref",
+		func() ([]kubeletconfig.ImagePullSecret, *kubeletconfig.ImagePullServiceAccount, error) {
+			return []kubeletconfig.ImagePullSecret{
+				{UID: "testsecretuid", Namespace: "default", Name: "pull-secret", CredentialHash: "testsecrethash"},
+			}, nil, nil
+		})
+	expectedMetrics[string(checkResultCredentialRecordFound)]++
+	cmpMustAttemptPullMetrics(t, expectedMetrics)
+}
+
+func testMustAttemptImagePull(t *testing.T, expected bool, f *PullManager, ctx context.Context, image, imageRef string, getPodCredentials GetPodCredentials) {
+	mustPull, err := f.MustAttemptImagePull(ctx, image, imageRef, getPodCredentials)
+	require.NoError(t, err)
+	require.Equal(t, expected, mustPull)
+}
+
+func cmpFSIntents(t *testing.T, expected uint) {
+	t.Helper()
+	const metricFormat = `
+# HELP kubelet_imagemanager_ondisk_pullintents [ALPHA] Number of ImagePullIntents stored on disk.
+# TYPE kubelet_imagemanager_ondisk_pullintents gauge
+kubelet_imagemanager_ondisk_pullintents %d
+`
+
+	err := metricstestutil.GatherAndCompare(
+		legacyregistry.DefaultGatherer, strings.NewReader(fmt.Sprintf(metricFormat, expected)), "kubelet_imagemanager_ondisk_pullintents",
+	)
+	if err != nil {
+		t.Errorf("failed to gather metrics: %v", err)
+	}
+}
+func cmpFSPulledRecords(t *testing.T, expected uint) {
+	t.Helper()
+	const metricFormat = `
+# HELP kubelet_imagemanager_ondisk_pulledrecords [ALPHA] Number of ImagePulledRecords stored on disk.
+# TYPE kubelet_imagemanager_ondisk_pulledrecords gauge
+kubelet_imagemanager_ondisk_pulledrecords %d
+`
+
+	err := metricstestutil.GatherAndCompare(
+		legacyregistry.DefaultGatherer, strings.NewReader(fmt.Sprintf(metricFormat, expected)), "kubelet_imagemanager_ondisk_pulledrecords",
+	)
+	if err != nil {
+		t.Errorf("failed to gather metrics: %v", err)
+	}
+}
+
+func cmpMemIntents(t *testing.T, expected uint) {
+	t.Helper()
+	const metricFormat = `
+# HELP kubelet_imagemanager_inmemory_pullintents_usage_percent [ALPHA] The ImagePullIntents in-memory cache usage in percent.
+# TYPE kubelet_imagemanager_inmemory_pullintents_usage_percent gauge
+kubelet_imagemanager_inmemory_pullintents_usage_percent %d
+`
+
+	err := metricstestutil.GatherAndCompare(
+		legacyregistry.DefaultGatherer, strings.NewReader(fmt.Sprintf(metricFormat, expected)), "kubelet_imagemanager_inmemory_pullintents_usage_percent",
+	)
+	if err != nil {
+		t.Errorf("failed to gather metrics: %v", err)
+	}
+}
+func cmpMemPulledRecords(t *testing.T, expected uint) {
+	t.Helper()
+	const metricFormat = `
+# HELP kubelet_imagemanager_inmemory_pulledrecords_usage_percent [ALPHA] The ImagePulledRecords in-memory cache usage in percent.
+# TYPE kubelet_imagemanager_inmemory_pulledrecords_usage_percent gauge
+kubelet_imagemanager_inmemory_pulledrecords_usage_percent %d
+`
+
+	err := metricstestutil.GatherAndCompare(
+		legacyregistry.DefaultGatherer, strings.NewReader(fmt.Sprintf(metricFormat, expected)), "kubelet_imagemanager_inmemory_pulledrecords_usage_percent",
+	)
+	if err != nil {
+		t.Errorf("failed to gather metrics: %v", err)
+	}
+}
+
+func cmpMustAttemptPullMetrics(t *testing.T, labelMap map[string]int) {
+	t.Helper()
+	const metricFormat = `
+# HELP kubelet_imagemanager_image_mustpull_checks_total [ALPHA] Counter for how many times kubelet checked whether credentials need to be re-verified to access an image
+# TYPE kubelet_imagemanager_image_mustpull_checks_total counter
+`
+	expected := metricFormat
+	for label, val := range labelMap {
+		expected += fmt.Sprintf("kubelet_imagemanager_image_mustpull_checks_total{result=\"%s\"} %d\n", label, val)
+	}
+
+	err := metricstestutil.GatherAndCompare(
+		legacyregistry.DefaultGatherer, strings.NewReader(expected), "kubelet_imagemanager_image_mustpull_checks_total",
+	)
+	if err != nil {
+		t.Errorf("failed to gather metrics: %v", err)
+	}
+}
diff --git a/pkg/kubelet/images/pullmanager/noop_pull_manager.go b/pkg/kubelet/images/pullmanager/noop_pull_manager.go
index 9920383b69133..be9505824aa57 100644
--- a/pkg/kubelet/images/pullmanager/noop_pull_manager.go
+++ b/pkg/kubelet/images/pullmanager/noop_pull_manager.go
@@ -17,6 +17,7 @@ limitations under the License.
 package pullmanager
 
 import (
+	"context"
 	"time"
 
 	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
@@ -26,11 +27,11 @@ var _ ImagePullManager = &NoopImagePullManager{}
 
 type NoopImagePullManager struct{}
 
-func (m *NoopImagePullManager) RecordPullIntent(_ string) error { return nil }
-func (m *NoopImagePullManager) RecordImagePulled(_, _ string, _ *kubeletconfiginternal.ImagePullCredentials) {
+func (m *NoopImagePullManager) RecordPullIntent(string) error { return nil }
+func (m *NoopImagePullManager) RecordImagePulled(context.Context, string, string, *kubeletconfiginternal.ImagePullCredentials) {
 }
-func (m *NoopImagePullManager) RecordImagePullFailed(image string) {}
-func (m *NoopImagePullManager) MustAttemptImagePull(_, _ string, _ []kubeletconfiginternal.ImagePullSecret, _ *kubeletconfiginternal.ImagePullServiceAccount) bool {
-	return false
+func (m *NoopImagePullManager) RecordImagePullFailed(context.Context, string) {}
+func (m *NoopImagePullManager) MustAttemptImagePull(context.Context, string, string, GetPodCredentials) (bool, error) {
+	return false, nil
 }
-func (m *NoopImagePullManager) PruneUnknownRecords(_ []string, _ time.Time) {}
+func (m *NoopImagePullManager) PruneUnknownRecords(context.Context, []string, time.Time) {}
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd
index e4c408f6aea24..6d62dc3e91183 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-38a8906435c4dd5f4258899d46621bfd8eea3ad6ff494ee3c2f17ef0321625bd
@@ -1 +1 @@
-{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"test-brokenhash","credentialMapping":{"docker.io/testing/test":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"default","name":"pull-secret","credentialHash":""}]}}}
\ No newline at end of file
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1beta1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"test-brokenhash","credentialMapping":{"docker.io/testing/test":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"default","name":"pull-secret","credentialHash":""}]}}}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2 b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2
new file mode 100644
index 0000000000000..873c75ae4f855
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-7045bdd498b0e4b3963d50f906793ffbd68dc98686ec46c5b499a0a640a560b2
@@ -0,0 +1 @@
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testemptycredmapping-alpha"}
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a
index 658ad7f6d18a7..ae286ee45e114 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-a2eace2182b24cdbbb730798e47b10709b9ef5e0f0c1624a3bc06c8ca987727a
@@ -1 +1 @@
-{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testimage-anonpull","credentialMapping":{"docker.io/testing/test":{"nodePodsAccessible":true}}}
\ No newline at end of file
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1beta1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testimage-anonpull","credentialMapping":{"docker.io/testing/test":{"nodePodsAccessible":true}}}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064 b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064
index c80e23d50c5fc..58ca592e3bed1 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-b3c0cc4278800b03a308ceb2611161430df571ca733122f0a40ac8b9792a9064
@@ -1 +1 @@
-{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testimageref","credentialMapping":{"docker.io/testing/test":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"default","name":"pull-secret","credentialHash":"testsecrethash"}]}}}
\ No newline at end of file
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1beta1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testimageref","credentialMapping":{"docker.io/testing/test":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"default","name":"pull-secret","credentialHash":"testsecrethash"}]}}}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405 b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405
new file mode 100644
index 0000000000000..877e8679b9260
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-dd1dd8dc6a329b7e1c2e43951302b23a047cb20fd3e10090e4ce7e8396035405
@@ -0,0 +1 @@
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2025-06-21T12:26:40Z","imageRef":"testimage-anonpull-alpha","credentialMapping":{"docker.io/testing/test":{"nodePodsAccessible":true}}}
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-e766e4624f9bc4d3847d6c5b470d9d5362cc8d0c250bd9572daf95278e044263 b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-e766e4624f9bc4d3847d6c5b470d9d5362cc8d0c250bd9572daf95278e044263
new file mode 100644
index 0000000000000..6befff1d2396e
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-e766e4624f9bc4d3847d6c5b470d9d5362cc8d0c250bd9572daf95278e044263
@@ -0,0 +1 @@
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testbrokenrecord":"credentialMapping":{"docker.io/testing/broken":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"default","name":"pull-secret","credentialHash":"testsecrethash"}]}}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f4058727984875eb66ddbf289f7013096d4cbaa167e591fbcb2e447e36391c1f b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f4058727984875eb66ddbf289f7013096d4cbaa167e591fbcb2e447e36391c1f
new file mode 100644
index 0000000000000..d0c7ec3fd59da
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f4058727984875eb66ddbf289f7013096d4cbaa167e591fbcb2e447e36391c1f
@@ -0,0 +1 @@
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"policyallowed","credentialMapping":{"docker.io/testing/policyexempt":{"kubernetesSecrets":[{"uid":"testsecretuid","namespace":"secretns","name":"pull-secret","credentialHash":"testsecrethash"}]}}}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991 b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991
index b79d714f85123..e819735a4d06e 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991
+++ b/pkg/kubelet/images/pullmanager/testdata/pulled/sha256-f8778b6393eaf39315e767a58cbeacf2c4b270d94b4d6926ee993d9e49444991
@@ -1 +1 @@
-{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1alpha1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testemptycredmapping"}
\ No newline at end of file
+{"kind":"ImagePulledRecord","apiVersion":"kubelet.config.k8s.io/v1beta1","lastUpdatedTime":"2024-10-21T12:26:40Z","imageRef":"testemptycredmapping"}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4 b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4
new file mode 100644
index 0000000000000..ed9847818e09a
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-6da3dced7eccc7ad0189517c31ec2235b50f730449d738d91525721f7e027fd4
@@ -0,0 +1 @@
+{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1alpha1","image":"docker.io/testing/test-alpha:latest"}
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56 b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56
index 8096c438df0d1..5360a8f9ef516 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56
+++ b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-aef2af226629a35d5f3ef0fdbb29fdbebf038d0acd8850590e8c48e1e283aa56
@@ -1 +1 @@
-{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1alpha1","image":"docker.io/testing/test:latest"}
\ No newline at end of file
+{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1beta1","image":"docker.io/testing/test:latest"}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9 b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9
new file mode 100644
index 0000000000000..aad62c5955e07
--- /dev/null
+++ b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-b6e1482bb6cb030924530b918e609fff30bbb07ab6845451d89deb823c3f72a9
@@ -0,0 +1 @@
+{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1alpha1","image":"repo.repo/test/alphatest:v1"}
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11 b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11
index 5f5989df8221d..c4b4ce49ef40f 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11
+++ b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-ee81caca15454863449fb55a1d942904d56d5ed9f9b20a7cb3453944ea2c7e11
@@ -1 +1 @@
-{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1alpha1","image":"repo.repo/test/test:v1"}
\ No newline at end of file
+{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1beta1","image":"repo.repo/test/test:v1"}
\ No newline at end of file
diff --git a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-f24acc752be18b93b0504c86312bbaf482c9efb0c45e925bbccb0a591cebd7af b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-f24acc752be18b93b0504c86312bbaf482c9efb0c45e925bbccb0a591cebd7af
index 46a6ccde69025..5efd2abd0d86a 100644
--- a/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-f24acc752be18b93b0504c86312bbaf482c9efb0c45e925bbccb0a591cebd7af
+++ b/pkg/kubelet/images/pullmanager/testdata/pulling/sha256-f24acc752be18b93b0504c86312bbaf482c9efb0c45e925bbccb0a591cebd7af
@@ -1 +1 @@
-{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1alpha1","image":"docker.io/testing/test:something"}
\ No newline at end of file
+{"kind":"ImagePullIntent","apiVersion":"kubelet.config.k8s.io/v1beta1","image":"docker.io/testing/test:something"}
\ No newline at end of file
diff --git a/pkg/kubelet/images/types.go b/pkg/kubelet/images/types.go
index 244451cf5fcd7..c37d0a554bc78 100644
--- a/pkg/kubelet/images/types.go
+++ b/pkg/kubelet/images/types.go
@@ -47,8 +47,8 @@ var (
 // Implementations are expected to abstract the underlying runtimes.
 // Implementations are expected to be thread safe.
 type ImageManager interface {
-	// EnsureImageExists ensures that image specified by `imgRef` exists.
-	EnsureImageExists(ctx context.Context, objRef *v1.ObjectReference, pod *v1.Pod, imgRef string, pullSecrets []v1.Secret, podSandboxConfig *runtimeapi.PodSandboxConfig, podRuntimeHandler string, pullPolicy v1.PullPolicy) (string, string, error)
+	// EnsureImageExists ensures that image specified by `requestedImage` exists.
+	EnsureImageExists(ctx context.Context, objRef *v1.ObjectReference, pod *v1.Pod, requestedImage string, pullSecrets []v1.Secret, podSandboxConfig *runtimeapi.PodSandboxConfig, podRuntimeHandler string, pullPolicy v1.PullPolicy) (imageRef, message string, err error)
 
 	// TODO(ronl): consolidating image managing and deleting operation in this interface
 }
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index e72cf3d9b203b..42a399da40384 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -42,8 +42,11 @@ import (
 	"go.opentelemetry.io/otel/trace"
 
 	"k8s.io/client-go/informers"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndffeatures "k8s.io/component-helpers/nodedeclaredfeatures/features"
 	"k8s.io/mount-utils"
 
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	v1qos "k8s.io/kubernetes/pkg/apis/core/v1/helper/qos"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/tainttoleration"
 	utilfs "k8s.io/kubernetes/pkg/util/filesystem"
@@ -58,7 +61,9 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	versionutil "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/server/flagz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	coreinformersv1 "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
@@ -69,7 +74,7 @@ import (
 	"k8s.io/client-go/util/certificate"
 	"k8s.io/client-go/util/flowcontrol"
 	cloudprovider "k8s.io/cloud-provider"
-	"k8s.io/component-base/zpages/flagz"
+	"k8s.io/component-base/version"
 	"k8s.io/component-helpers/apimachinery/lease"
 	resourcehelper "k8s.io/component-helpers/resource"
 	internalapi "k8s.io/cri-api/pkg/apis"
@@ -95,6 +100,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	"k8s.io/kubernetes/pkg/kubelet/eviction"
 	"k8s.io/kubernetes/pkg/kubelet/images"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/kubelet/kuberuntime"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	"k8s.io/kubernetes/pkg/kubelet/logs"
@@ -251,6 +257,7 @@ var (
 		lifecycle.OutOfEphemeralStorage,
 		lifecycle.OutOfPods,
 		lifecycle.PodLevelResourcesNotAdmittedReason,
+		lifecycle.PodFeatureUnsupported,
 		tainttoleration.ErrReasonNotMatch,
 		eviction.Reason,
 		sysctl.ForbiddenReason,
@@ -301,8 +308,8 @@ type Bootstrap interface {
 	GetConfiguration() kubeletconfiginternal.KubeletConfiguration
 	BirthCry()
 	StartGarbageCollection()
-	ListenAndServe(kubeCfg *kubeletconfiginternal.KubeletConfiguration, tlsOptions *server.TLSOptions, auth server.AuthInterface, tp trace.TracerProvider)
-	ListenAndServeReadOnly(address net.IP, port uint, tp trace.TracerProvider)
+	ListenAndServe(ctx context.Context, kubeCfg *kubeletconfiginternal.KubeletConfiguration, tlsOptions *server.TLSOptions, auth server.AuthInterface, tp trace.TracerProvider)
+	ListenAndServeReadOnly(ctx context.Context, address net.IP, port uint, tp trace.TracerProvider)
 	ListenAndServePodResources(ctx context.Context)
 	Run(<-chan kubetypes.PodUpdate)
 }
@@ -381,22 +388,22 @@ func makePodSourceConfig(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ku
 
 	// TODO:  it needs to be replaced by a proper context in the future
 	ctx := context.TODO()
-
+	logger := klog.FromContext(ctx)
 	// define file config source
 	if kubeCfg.StaticPodPath != "" {
 		klog.InfoS("Adding static pod path", "path", kubeCfg.StaticPodPath)
-		config.NewSourceFile(kubeCfg.StaticPodPath, nodeName, kubeCfg.FileCheckFrequency.Duration, cfg.Channel(ctx, kubetypes.FileSource))
+		config.NewSourceFile(logger, kubeCfg.StaticPodPath, nodeName, kubeCfg.FileCheckFrequency.Duration, cfg.Channel(ctx, kubetypes.FileSource))
 	}
 
 	// define url config source
 	if kubeCfg.StaticPodURL != "" {
 		klog.InfoS("Adding pod URL with HTTP header", "URL", kubeCfg.StaticPodURL, "header", manifestURLHeader)
-		config.NewSourceURL(kubeCfg.StaticPodURL, manifestURLHeader, nodeName, kubeCfg.HTTPCheckFrequency.Duration, cfg.Channel(ctx, kubetypes.HTTPSource))
+		config.NewSourceURL(logger, kubeCfg.StaticPodURL, manifestURLHeader, nodeName, kubeCfg.HTTPCheckFrequency.Duration, cfg.Channel(ctx, kubetypes.HTTPSource))
 	}
 
 	if kubeDeps.KubeClient != nil {
 		klog.InfoS("Adding apiserver pod source")
-		config.NewSourceApiserver(kubeDeps.KubeClient, nodeName, nodeHasSynced, cfg.Channel(ctx, kubetypes.ApiserverSource))
+		config.NewSourceApiserver(logger, kubeDeps.KubeClient, nodeName, nodeHasSynced, cfg.Channel(ctx, kubetypes.ApiserverSource))
 	}
 	return cfg, nil
 }
@@ -426,7 +433,7 @@ func PreInitRuntimeService(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 func NewMainKubelet(ctx context.Context,
 	kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	kubeDeps *Dependencies,
-	crOptions *config.ContainerRuntimeOptions,
+	crOptions *kubeletconfig.ContainerRuntimeOptions,
 	hostname string,
 	nodeName types.NodeName,
 	nodeIPs []net.IP,
@@ -516,11 +523,7 @@ func NewMainKubelet(ctx context.Context,
 		LowThresholdPercent:  int(kubeCfg.ImageGCLowThresholdPercent),
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.ImageMaximumGCAge) {
-		imageGCPolicy.MaxAge = kubeCfg.ImageMaximumGCAge.Duration
-	} else if kubeCfg.ImageMaximumGCAge.Duration != 0 {
-		klog.InfoS("ImageMaximumGCAge flag enabled, but corresponding feature gate is not enabled. Ignoring flag.")
-	}
+	imageGCPolicy.MaxAge = kubeCfg.ImageMaximumGCAge.Duration
 
 	enforceNodeAllocatable := kubeCfg.EnforceNodeAllocatable
 	if experimentalNodeAllocatableIgnoreEvictionThreshold {
@@ -558,10 +561,10 @@ func NewMainKubelet(ctx context.Context,
 
 	// construct a node reference used for events
 	nodeRef := &v1.ObjectReference{
-		Kind:      "Node",
-		Name:      string(nodeName),
-		UID:       types.UID(nodeName),
-		Namespace: "",
+		APIVersion: "v1",
+		Kind:       "Node",
+		Name:       string(nodeName),
+		Namespace:  "",
 	}
 
 	oomWatcher, err := oomwatcher.NewWatcher(kubeDeps.Recorder)
@@ -699,7 +702,8 @@ func NewMainKubelet(ctx context.Context,
 	klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet, kubeDeps.PodStartupLatencyTracker)
 	klet.allocationManager = allocation.NewManager(
 		klet.getRootDir(),
-		klet.containerManager,
+		klet.containerManager.GetNodeConfig(),
+		klet.containerManager.GetNodeAllocatableAbsolute(),
 		klet.statusManager,
 		func(pod *v1.Pod) { klet.HandlePodSyncs([]*v1.Pod{pod}) },
 		klet.GetActivePods,
@@ -708,7 +712,7 @@ func NewMainKubelet(ctx context.Context,
 		kubeDeps.Recorder,
 	)
 
-	klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(klet, kubeCfg.VolumeStatsAggPeriod.Duration, kubeDeps.Recorder)
+	klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(ctx, klet, kubeCfg.VolumeStatsAggPeriod.Duration, kubeDeps.Recorder)
 
 	klet.runtimeService = kubeDeps.RemoteRuntimeService
 
@@ -807,7 +811,6 @@ func NewMainKubelet(ctx context.Context,
 		kubeDeps.ContainerManager,
 		klet.containerLogManager,
 		klet.runtimeClassManager,
-		klet.allocationManager,
 		seccompDefault,
 		kubeCfg.MemorySwap.SwapBehavior,
 		kubeDeps.ContainerManager.GetNodeAllocatableAbsolute,
@@ -969,7 +972,8 @@ func NewMainKubelet(ctx context.Context,
 		podCertificateManager := podcertificate.NewIssuingManager(
 			kubeDeps.KubeClient,
 			klet.podManager,
-			kubeInformers.Certificates().V1alpha1().PodCertificateRequests(),
+			kubeDeps.Recorder,
+			kubeInformers.Certificates().V1beta1().PodCertificateRequests(),
 			nodeInformer,
 			nodeName,
 			clock.RealClock{},
@@ -977,6 +981,8 @@ func NewMainKubelet(ctx context.Context,
 		klet.podCertificateManager = podCertificateManager
 		kubeInformers.Start(ctx.Done())
 		go podCertificateManager.Run(ctx)
+
+		metrics.RegisterCollectors(collectors.PodCertificateCollectorFor(podCertificateManager))
 	} else {
 		klet.podCertificateManager = &podcertificate.NoOpManager{}
 		klog.InfoS("Not starting PodCertificateRequest manager because we are in static kubelet mode or the PodCertificateProjection feature gate is disabled")
@@ -1028,6 +1034,22 @@ func NewMainKubelet(ctx context.Context,
 		killPodNow(klet.podWorkers, kubeDeps.Recorder), klet.imageManager, klet.containerGC, kubeDeps.Recorder, nodeRef, klet.clock, kubeCfg.LocalStorageCapacityIsolation)
 
 	klet.evictionManager = evictionManager
+
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+		v, err := versionutil.Parse(version.Get().String())
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse version: %w", err)
+		}
+		framework, err := ndf.New(ndffeatures.AllFeatures)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create node feature helper: %w", err)
+		}
+		klet.version = v
+		klet.nodeDeclaredFeaturesFramework = framework
+		klet.nodeDeclaredFeatures = klet.discoverNodeDeclaredFeatures()
+		klet.nodeDeclaredFeaturesSet = ndf.NewFeatureSet(klet.nodeDeclaredFeatures...)
+	}
+
 	handlers := []lifecycle.PodAdmitHandler{}
 	handlers = append(handlers, evictionAdmitHandler)
 
@@ -1051,7 +1073,7 @@ func NewMainKubelet(ctx context.Context,
 	handlers = append(handlers, klet.containerManager.GetAllocateResourcesPodAdmitHandler())
 
 	criticalPodAdmissionHandler := preemption.NewCriticalPodAdmissionHandler(klet.getAllocatedPods, killPodNow(klet.podWorkers, kubeDeps.Recorder), kubeDeps.Recorder)
-	handlers = append(handlers, lifecycle.NewPredicateAdmitHandler(klet.getNodeAnyWay, criticalPodAdmissionHandler, klet.containerManager.UpdatePluginResources))
+	handlers = append(handlers, lifecycle.NewPredicateAdmitHandler(klet.GetCachedNode, criticalPodAdmissionHandler, klet.containerManager.UpdatePluginResources))
 	// apply functional Option's
 	for _, opt := range kubeDeps.Options {
 		opt(klet)
@@ -1065,6 +1087,10 @@ func NewMainKubelet(ctx context.Context,
 
 	handlers = append(handlers, lifecycle.NewPodFeaturesAdmitHandler())
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+		handlers = append(handlers, lifecycle.NewDeclaredFeaturesAdmitHandler(klet.nodeDeclaredFeaturesFramework, klet.nodeDeclaredFeaturesSet, klet.version))
+	}
+
 	leaseDuration := time.Duration(kubeCfg.NodeLeaseDurationSeconds) * time.Second
 	renewInterval := time.Duration(float64(leaseDuration) * nodeLeaseRenewIntervalFraction)
 	klet.nodeLeaseController = lease.NewController(
@@ -1076,7 +1102,7 @@ func NewMainKubelet(ctx context.Context,
 		renewInterval,
 		string(klet.nodeName),
 		v1.NamespaceNodeLease,
-		util.SetNodeOwnerFunc(klet.heartbeatClient, string(klet.nodeName)))
+		util.SetNodeOwnerFunc(ctx, klet.heartbeatClient, string(klet.nodeName)))
 
 	// setup node shutdown manager
 	shutdownManager := nodeshutdown.NewManager(&nodeshutdown.Config{
@@ -1093,12 +1119,17 @@ func NewMainKubelet(ctx context.Context,
 		StateDirectory:                   rootDirectory,
 	})
 	klet.shutdownManager = shutdownManager
-	klet.usernsManager, err = userns.MakeUserNsManager(klet)
+	handlers = append(handlers, shutdownManager)
+	klet.allocationManager.AddPodAdmitHandlers(handlers)
+
+	var usernsIDsPerPod *int64
+	if kubeCfg.UserNamespaces != nil {
+		usernsIDsPerPod = kubeCfg.UserNamespaces.IDsPerPod
+	}
+	klet.usernsManager, err = userns.MakeUserNsManager(logger, klet, usernsIDsPerPod)
 	if err != nil {
 		return nil, fmt.Errorf("create user namespace manager: %w", err)
 	}
-	handlers = append(handlers, shutdownManager)
-	klet.allocationManager.AddPodAdmitHandlers(handlers)
 
 	// Finally, put the most recent version of the config on the Kubelet, so
 	// people can see how it was configured.
@@ -1123,6 +1154,7 @@ type Kubelet struct {
 	hostname string
 
 	nodeName        types.NodeName
+	cachedNode      *v1.Node
 	runtimeCache    kubecontainer.RuntimeCache
 	kubeClient      clientset.Interface
 	heartbeatClient clientset.Interface
@@ -1266,6 +1298,16 @@ type Kubelet struct {
 	// a list of node labels to register
 	nodeLabels map[string]string
 
+	// nodeDeclaredFeatures is the ordered static list of features that are determined at startup and declared in node status.
+	nodeDeclaredFeatures []string
+	// nodeDeclaredFeaturesSet provides the same features as nodeDeclaredFeatures, but as a set for faster inference.
+	nodeDeclaredFeaturesSet ndf.FeatureSet
+	// nodeDeclaredFeaturesFramework provides the shared logic for feature discovery and pod requirement inference.
+	nodeDeclaredFeaturesFramework *ndf.Framework
+
+	// kubelet version
+	version *versionutil.Version
+
 	// Last timestamp when runtime responded on ping.
 	// Mutex is used to protect this value.
 	runtimeState *runtimeState
@@ -1580,11 +1622,11 @@ func (kl *Kubelet) setupDataDirs() error {
 		}
 	}
 	if selinux.GetEnabled() {
-		err := selinux.SetFileLabel(pluginRegistrationDir, config.KubeletPluginsDirSELinuxLabel)
+		err := selinux.SetFileLabel(pluginRegistrationDir, kubeletconfig.KubeletPluginsDirSELinuxLabel)
 		if err != nil {
 			klog.InfoS("Unprivileged containerized plugins might not work, could not set selinux context on plugin registration dir", "path", pluginRegistrationDir, "err", err)
 		}
-		err = selinux.SetFileLabel(pluginsDir, config.KubeletPluginsDirSELinuxLabel)
+		err = selinux.SetFileLabel(pluginsDir, kubeletconfig.KubeletPluginsDirSELinuxLabel)
 		if err != nil {
 			klog.InfoS("Unprivileged containerized plugins might not work, could not set selinux context on plugins dir", "path", pluginsDir, "err", err)
 		}
@@ -1614,8 +1656,7 @@ func (kl *Kubelet) StartGarbageCollection() {
 
 	// when the high threshold is set to 100, and the max age is 0 (or the max age feature is disabled)
 	// stub the image GC manager
-	if kl.kubeletConfiguration.ImageGCHighThresholdPercent == 100 &&
-		(!utilfeature.DefaultFeatureGate.Enabled(features.ImageMaximumGCAge) || kl.kubeletConfiguration.ImageMaximumGCAge.Duration == 0) {
+	if kl.kubeletConfiguration.ImageGCHighThresholdPercent == 100 && kl.kubeletConfiguration.ImageMaximumGCAge.Duration == 0 {
 		klog.V(2).InfoS("ImageGCHighThresholdPercent is set 100 and ImageMaximumGCAge is 0, Disable image GC")
 		return
 	}
@@ -1628,7 +1669,7 @@ func (kl *Kubelet) StartGarbageCollection() {
 			if prevImageGCFailed {
 				klog.ErrorS(err, "Image garbage collection failed multiple times in a row")
 				// Only create an event for repeated failures
-				kl.recorder.Eventf(kl.nodeRef, v1.EventTypeWarning, events.ImageGCFailed, err.Error())
+				kl.recorder.Event(kl.nodeRef, v1.EventTypeWarning, events.ImageGCFailed, err.Error())
 			} else {
 				klog.ErrorS(err, "Image garbage collection failed once. Stats initialization may not have completed yet")
 			}
@@ -1678,7 +1719,7 @@ func (kl *Kubelet) initializeModules(ctx context.Context) error {
 	}
 
 	// Start the image manager.
-	kl.imageManager.Start()
+	kl.imageManager.Start(ctx)
 
 	// Start the certificate manager if it was enabled.
 	if kl.serverCertificateManager != nil {
@@ -1693,13 +1734,13 @@ func (kl *Kubelet) initializeModules(ctx context.Context) error {
 	}
 
 	// Start resource analyzer
-	kl.resourceAnalyzer.Start()
+	kl.resourceAnalyzer.Start(ctx)
 
 	return nil
 }
 
 // initializeRuntimeDependentModules will initialize internal modules that require the container runtime to be up.
-func (kl *Kubelet) initializeRuntimeDependentModules() {
+func (kl *Kubelet) initializeRuntimeDependentModules(ctx context.Context) {
 	if err := kl.cadvisor.Start(); err != nil {
 		// Fail kubelet and rely on the babysitter to retry starting kubelet.
 		klog.ErrorS(err, "Failed to start cAdvisor")
@@ -1717,18 +1758,18 @@ func (kl *Kubelet) initializeRuntimeDependentModules() {
 		os.Exit(1)
 	}
 	// containerManager must start after cAdvisor because it needs filesystem capacity information
-	if err := kl.containerManager.Start(context.TODO(), node, kl.GetActivePods, kl.getNodeAnyWay, kl.sourcesReady, kl.statusManager, kl.runtimeService, kl.supportLocalStorageCapacityIsolation()); err != nil {
+	if err := kl.containerManager.Start(ctx, node, kl.GetActivePods, kl.getNodeAnyWay, kl.sourcesReady, kl.statusManager, kl.runtimeService, kl.supportLocalStorageCapacityIsolation()); err != nil {
 		// Fail kubelet and rely on the babysitter to retry starting kubelet.
 		klog.ErrorS(err, "Failed to start ContainerManager")
 		os.Exit(1)
 	}
 	// eviction manager must start after cadvisor because it needs to know if the container runtime has a dedicated imagefs
 	// Eviction decisions are based on the allocated (rather than desired) pod resources.
-	kl.evictionManager.Start(kl.StatsProvider, kl.getAllocatedPods, kl.PodIsFinished, evictionMonitoringPeriod)
+	kl.evictionManager.Start(ctx, kl.StatsProvider, kl.getAllocatedPods, kl.PodIsFinished, evictionMonitoringPeriod)
 
 	// container log manager must start after container runtime is up to retrieve information from container runtime
 	// and inform container to reopen log file after log rotation.
-	kl.containerLogManager.Start()
+	kl.containerLogManager.Start(ctx)
 	// Adding Registration Callback function for CSI Driver
 	kl.pluginManager.AddHandler(pluginwatcherapi.CSIPlugin, plugincache.PluginHandler(csi.PluginHandler))
 	// Adding Registration Callback function for DRA Plugin and Device Plugin
@@ -1738,7 +1779,7 @@ func (kl *Kubelet) initializeRuntimeDependentModules() {
 
 	// Start the plugin manager
 	klog.V(4).InfoS("Starting plugin manager")
-	go kl.pluginManager.Run(kl.sourcesReady, wait.NeverStop)
+	go kl.pluginManager.Run(ctx, kl.sourcesReady, wait.NeverStop)
 
 	err = kl.shutdownManager.Start()
 	if err != nil {
@@ -1856,7 +1897,7 @@ func (kl *Kubelet) Run(updates <-chan kubetypes.PodUpdate) {
 		kl.eventedPleg.Start()
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.SystemdWatchdog) && kl.healthChecker != nil {
+	if kl.healthChecker != nil {
 		kl.healthChecker.SetHealthCheckers(kl, kl.containerManager.GetHealthCheckers())
 	}
 
@@ -1954,8 +1995,14 @@ func (kl *Kubelet) SyncPod(ctx context.Context, updateType kubetypes.SyncPodType
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
 		// Check whether a resize is in progress so we can set the PodResizeInProgressCondition accordingly.
-		kl.allocationManager.CheckPodResizeInProgress(pod, podStatus)
-		// TODO(#132851): There is a race condition here, where the goroutine in the
+		if kl.containerRuntime.IsPodResizeInProgress(pod, podStatus) {
+			kl.statusManager.SetPodResizeInProgressCondition(pod.UID, "", "", pod.Generation)
+		} else if generation, cleared := kl.statusManager.ClearPodResizeInProgressCondition(pod.UID); cleared {
+			// (Allocated == Actual) => clear the resize in-progress status.
+			msg := events.PodResizeCompletedMsg(pod, generation)
+			kl.recorder.Eventf(pod, v1.EventTypeNormal, events.ResizeCompleted, msg)
+		}
+		// TODO(natasha41575): There is a race condition here, where the goroutine in the
 		// allocation manager may allocate a new resize and unconditionally set the
 		// PodResizeInProgressCondition before we set the status below.
 	}
@@ -2057,13 +2104,19 @@ func (kl *Kubelet) SyncPod(ctx context.Context, updateType kubetypes.SyncPodType
 		}
 		if !podKilled || !runOnce {
 			if !pcm.Exists(pod) {
-				if err := kl.containerManager.UpdateQOSCgroups(); err != nil {
+				// TODO: Pass logger from context once contextual logging migration is complete
+				if err := kl.containerManager.UpdateQOSCgroups(klog.TODO()); err != nil {
 					klog.V(2).InfoS("Failed to update QoS cgroups while syncing pod", "pod", klog.KObj(pod), "err", err)
 				}
-				if err := pcm.EnsureExists(pod); err != nil {
+				// TODO: Pass logger from context once contextual logging migration is complete
+				if err := pcm.EnsureExists(klog.TODO(), pod); err != nil {
 					kl.recorder.Eventf(pod, v1.EventTypeWarning, events.FailedToCreatePodContainer, "unable to ensure pod container exists: %v", err)
 					return false, fmt.Errorf("failed to ensure that the pod: %v cgroups exist and are correctly applied: %v", pod.UID, err)
 				}
+
+				if err = kl.containerRuntime.UpdateActuatedPodLevelResources(pod); err != nil {
+					return false, fmt.Errorf("failed to update the state of pod-level resources for the pod %v : %w", pod.UID, err)
+				}
 			}
 		}
 	}
@@ -2097,7 +2150,7 @@ func (kl *Kubelet) SyncPod(ctx context.Context, updateType kubetypes.SyncPodType
 	pullSecrets := kl.getPullSecretsForPod(pod)
 
 	// Ensure the pod is being probed
-	kl.probeManager.AddPod(pod)
+	kl.probeManager.AddPod(ctx, pod)
 
 	// TODO(#113606): use cancellation from the incoming context parameter, which comes from the pod worker.
 	// Currently, using cancellation from that context causes test failures. To remove this WithoutCancel,
@@ -2106,14 +2159,25 @@ func (kl *Kubelet) SyncPod(ctx context.Context, updateType kubetypes.SyncPodType
 	// Use WithoutCancel instead of a new context.TODO() to propagate trace context
 	// Call the container runtime's SyncPod callback
 	sctx := context.WithoutCancel(ctx)
-	result := kl.containerRuntime.SyncPod(sctx, pod, podStatus, pullSecrets, kl.crashLoopBackOff)
+	restartingAllContainers := false
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+		for _, cond := range apiPodStatus.Conditions {
+			if cond.Type == v1.AllContainersRestarting && cond.Status == v1.ConditionTrue {
+				restartingAllContainers = true
+			}
+		}
+	}
+	result := kl.containerRuntime.SyncPod(sctx, pod, podStatus, pullSecrets, kl.crashLoopBackOff, restartingAllContainers)
 	kl.reasonCache.Update(pod.UID, result)
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
 		for _, r := range result.SyncResults {
 			if r.Action == kubecontainer.ResizePodInPlace && r.Error != nil {
 				// If the condition already exists, the observedGeneration does not get updated.
-				kl.statusManager.SetPodResizeInProgressCondition(pod.UID, v1.PodReasonError, r.Message, pod.Generation)
+				if generation, updated := kl.statusManager.SetPodResizeInProgressCondition(pod.UID, v1.PodReasonError, r.Message, pod.Generation); updated {
+					msg := events.PodResizeErrorMsg(pod, generation, r.Message)
+					kl.recorder.Eventf(pod, v1.EventTypeWarning, events.ResizeError, msg)
+				}
 			}
 		}
 	}
@@ -2130,19 +2194,28 @@ func (kl *Kubelet) SyncPod(ctx context.Context, updateType kubetypes.SyncPodType
 // during eviction). This method is not guaranteed to be called if a pod is force deleted from the
 // configuration and the kubelet is restarted - SyncTerminatingRuntimePod handles those orphaned
 // pods.
-func (kl *Kubelet) SyncTerminatingPod(_ context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus, gracePeriod *int64, podStatusFn func(*v1.PodStatus)) error {
+func (kl *Kubelet) SyncTerminatingPod(_ context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus, gracePeriod *int64, podStatusFn func(*v1.PodStatus)) (err error) {
 	// TODO(#113606): connect this with the incoming context parameter, which comes from the pod worker.
 	// Currently, using that context causes test failures.
-	ctx, otelSpan := kl.tracer.Start(context.Background(), "syncTerminatingPod", trace.WithAttributes(
+	ctx := context.Background()
+
+	logger := klog.FromContext(ctx)
+	klog.V(4).InfoS("SyncTerminatingPod enter", "pod", klog.KObj(pod), "podUID", pod.UID)
+
+	ctx, otelSpan := kl.tracer.Start(ctx, "syncTerminatingPod", trace.WithAttributes(
 		semconv.K8SPodUIDKey.String(string(pod.UID)),
 		attribute.String("k8s.pod", klog.KObj(pod).String()),
 		semconv.K8SPodNameKey.String(pod.Name),
 		semconv.K8SNamespaceNameKey.String(pod.Namespace),
 	))
-	logger := klog.FromContext(ctx)
-	defer otelSpan.End()
-	klog.V(4).InfoS("SyncTerminatingPod enter", "pod", klog.KObj(pod), "podUID", pod.UID)
-	defer klog.V(4).InfoS("SyncTerminatingPod exit", "pod", klog.KObj(pod), "podUID", pod.UID)
+	defer func() {
+		if err != nil {
+			otelSpan.RecordError(err)
+			otelSpan.SetStatus(codes.Error, err.Error())
+		}
+		otelSpan.End()
+		klog.V(4).InfoS("SyncTerminatingPod exit", "pod", klog.KObj(pod), "podUID", pod.UID)
+	}()
 
 	apiPodStatus := kl.generateAPIPodStatus(pod, podStatus, false)
 	if podStatusFn != nil {
@@ -2332,13 +2405,13 @@ func (kl *Kubelet) SyncTerminatedPod(ctx context.Context, pod *v1.Pod, podStatus
 	if kl.cgroupsPerQOS {
 		pcm := kl.containerManager.NewPodContainerManager()
 		name, _ := pcm.GetPodContainerName(pod)
-		if err := pcm.Destroy(name); err != nil {
+		if err := pcm.Destroy(logger, name); err != nil {
 			return err
 		}
 		klog.V(4).InfoS("Pod termination removed cgroups", "pod", klog.KObj(pod), "podUID", pod.UID)
 	}
 
-	kl.usernsManager.Release(pod.UID)
+	kl.usernsManager.Release(logger, pod.UID)
 
 	// mark the final pod status
 	kl.statusManager.TerminatePod(logger, pod)
@@ -2746,7 +2819,7 @@ func (kl *Kubelet) HandlePodUpdates(pods []*v1.Pod) {
 		}
 
 		if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
-			if recordContainerResizeOperations(oldPod, pod) {
+			if recordResizeOperations(oldPod, pod) {
 				_, updatedFromAllocation := kl.allocationManager.UpdatePodFromAllocation(pod)
 				if updatedFromAllocation {
 					kl.allocationManager.PushPendingResize(pod.UID)
@@ -2761,6 +2834,27 @@ func (kl *Kubelet) HandlePodUpdates(pods []*v1.Pod) {
 			}
 		}
 
+		if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+			oldPodInfo := &ndf.PodInfo{Spec: &oldPod.Spec, Status: &oldPod.Status}
+			newPodInfo := &ndf.PodInfo{Spec: &pod.Spec, Status: &pod.Status}
+			reqs, err := kl.nodeDeclaredFeaturesFramework.InferForPodUpdate(oldPodInfo, newPodInfo, kl.version)
+			if err != nil {
+				klog.ErrorS(err, "Failed to infer required features for pod update", "pod", klog.KObj(pod))
+			}
+			if reqs.Len() != 0 {
+				matchResult, err := ndf.MatchNodeFeatureSet(reqs, kl.nodeDeclaredFeaturesSet)
+				if err != nil {
+					klog.ErrorS(err, "Failed to match pod features with the node", "pod", klog.KObj(pod))
+
+				}
+				if !matchResult.IsMatch {
+					missingNodeDeclaredFeatures := strings.Join(matchResult.UnsatisfiedRequirements, ", ")
+					klog.ErrorS(nil, "Pod requires node features that are not available", "missingFeatures", missingNodeDeclaredFeatures)
+					kl.recorder.Eventf(pod, v1.EventTypeWarning, events.FailedNodeDeclaredFeaturesCheck, "Pod requires node features that are not available: %s", missingNodeDeclaredFeatures)
+				}
+			}
+		}
+
 		kl.podWorkers.UpdatePod(UpdatePodOptions{
 			Pod:        pod,
 			MirrorPod:  mirrorPod,
@@ -2770,14 +2864,37 @@ func (kl *Kubelet) HandlePodUpdates(pods []*v1.Pod) {
 	}
 }
 
-// recordContainerResizeOperations records if any of the pod's containers needs to be resized, and returns
+// recordResizeOperaations records if any of the pod level resources or
+// containers need to be resized, and returns
 // true if so
-func recordContainerResizeOperations(oldPod, newPod *v1.Pod) bool {
-	hasResize := false
+func recordResizeOperations(oldPod, newPod *v1.Pod) bool {
 	if oldPod == nil {
 		// This should never happen.
 		return true
 	}
+
+	hasResize := recordContainerResizeOperations(oldPod, newPod) || recordPodLevelResourceResizeOperations(oldPod, newPod)
+	return hasResize
+
+}
+
+// recordPodLevelResourceResizeOperations records if any of the pod level resources need to be resized, and returns
+// true if so
+func recordPodLevelResourceResizeOperations(oldPod, newPod *v1.Pod) bool {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
+		return false
+	}
+
+	// TODO(ndixita): add metrics for pod-level resources resize.
+
+	return !apiequality.Semantic.DeepEqual(oldPod.Spec.Resources, newPod.Spec.Resources)
+}
+
+// recordContainerResizeOperations records if any of the pod's containers needs to be resized, and returns
+// true if so
+func recordContainerResizeOperations(oldPod, newPod *v1.Pod) bool {
+	hasResize := false
+
 	for oldContainer, containerType := range podutil.ContainerIter(&oldPod.Spec, podutil.InitContainers|podutil.Containers) {
 		if !allocation.IsResizableContainer(oldContainer, containerType) {
 			continue
@@ -2896,8 +3013,9 @@ func (kl *Kubelet) HandlePodReconcile(pods []*v1.Pod) {
 			// resources changing.
 			if hasPendingResizes && !retryPendingResizes && oldPod != nil {
 				opts := resourcehelper.PodResourcesOptions{
-					UseStatusResources:    true,
-					SkipPodLevelResources: !utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
+					UseStatusResources:                             true,
+					SkipPodLevelResources:                          !utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
+					InPlacePodLevelResourcesVerticalScalingEnabled: utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling),
 				}
 
 				// Ignore desired resources when aggregating the resources.
@@ -3042,7 +3160,9 @@ func (kl *Kubelet) updateRuntimeUp() {
 	kl.runtimeState.setRuntimeState(nil)
 	kl.runtimeState.setRuntimeHandlers(s.Handlers)
 	kl.runtimeState.setRuntimeFeatures(s.Features)
-	kl.oneTimeInitializer.Do(kl.initializeRuntimeDependentModules)
+	kl.oneTimeInitializer.Do(func() {
+		kl.initializeRuntimeDependentModules(ctx)
+	})
 	kl.runtimeState.setRuntimeSync(kl.clock.Now())
 }
 
@@ -3058,14 +3178,14 @@ func (kl *Kubelet) BirthCry() {
 }
 
 // ListenAndServe runs the kubelet HTTP server.
-func (kl *Kubelet) ListenAndServe(kubeCfg *kubeletconfiginternal.KubeletConfiguration, tlsOptions *server.TLSOptions,
+func (kl *Kubelet) ListenAndServe(ctx context.Context, kubeCfg *kubeletconfiginternal.KubeletConfiguration, tlsOptions *server.TLSOptions,
 	auth server.AuthInterface, tp trace.TracerProvider) {
-	server.ListenAndServeKubeletServer(kl, kl.resourceAnalyzer, kl.containerManager.GetHealthCheckers(), kl.flagz, kubeCfg, tlsOptions, auth, tp)
+	server.ListenAndServeKubeletServer(ctx, kl, kl.resourceAnalyzer, kl.containerManager.GetHealthCheckers(), kl.flagz, kubeCfg, tlsOptions, auth, tp)
 }
 
 // ListenAndServeReadOnly runs the kubelet HTTP server in read-only mode.
-func (kl *Kubelet) ListenAndServeReadOnly(address net.IP, port uint, tp trace.TracerProvider) {
-	server.ListenAndServeKubeletReadOnlyServer(kl, kl.resourceAnalyzer, kl.containerManager.GetHealthCheckers(), kl.flagz, address, port, tp)
+func (kl *Kubelet) ListenAndServeReadOnly(ctx context.Context, address net.IP, port uint, tp trace.TracerProvider) {
+	server.ListenAndServeKubeletReadOnlyServer(ctx, kl, kl.resourceAnalyzer, kl.containerManager.GetHealthCheckers(), kl.flagz, address, port, tp)
 }
 
 type kubeletPodsProvider struct {
diff --git a/pkg/kubelet/kubelet_getters.go b/pkg/kubelet/kubelet_getters.go
index 87b7aac502966..b822d4e9d08df 100644
--- a/pkg/kubelet/kubelet_getters.go
+++ b/pkg/kubelet/kubelet_getters.go
@@ -33,8 +33,8 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/kubelet/cm"
-	"k8s.io/kubernetes/pkg/kubelet/config"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	kubelettypes "k8s.io/kubernetes/pkg/kubelet/types"
 	utilnode "k8s.io/kubernetes/pkg/util/node"
 	"k8s.io/kubernetes/pkg/volume/csi"
@@ -58,7 +58,7 @@ func (kl *Kubelet) getPodLogsDir() string {
 // getPodsDir returns the full path to the directory under which pod
 // directories are created.
 func (kl *Kubelet) getPodsDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPodsDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletPodsDirName)
 }
 
 // getPluginsDir returns the full path to the directory under which plugin
@@ -66,7 +66,7 @@ func (kl *Kubelet) getPodsDir() string {
 // they need to persist.  Plugins should create subdirectories under this named
 // after their own names.
 func (kl *Kubelet) getPluginsDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPluginsDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletPluginsDirName)
 }
 
 // getPluginsRegistrationDir returns the full path to the directory under which
@@ -74,7 +74,7 @@ func (kl *Kubelet) getPluginsDir() string {
 // More information is available about plugin registration in the pluginwatcher
 // module
 func (kl *Kubelet) getPluginsRegistrationDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPluginsRegistrationDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletPluginsRegistrationDirName)
 }
 
 // getPluginDir returns a data directory name for a given plugin name.
@@ -87,7 +87,7 @@ func (kl *Kubelet) getPluginDir(pluginName string) string {
 // getCheckpointsDir returns a data directory name for checkpoints.
 // Checkpoints can be stored in this directory for further use.
 func (kl *Kubelet) getCheckpointsDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletCheckpointsDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletCheckpointsDirName)
 }
 
 // getVolumeDevicePluginsDir returns the full path to the directory under which plugin
@@ -95,14 +95,14 @@ func (kl *Kubelet) getCheckpointsDir() string {
 // they need to persist.  Plugins should create subdirectories under this named
 // after their own names.
 func (kl *Kubelet) getVolumeDevicePluginsDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPluginsDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletPluginsDirName)
 }
 
 // getVolumeDevicePluginDir returns a data directory name for a given plugin name.
 // Plugins can use these directories to store data that they need to persist.
 // For per-pod plugin data, see getVolumeDevicePluginsDir.
 func (kl *Kubelet) getVolumeDevicePluginDir(pluginName string) string {
-	return filepath.Join(kl.getVolumeDevicePluginsDir(), pluginName, config.DefaultKubeletVolumeDevicesDirName)
+	return filepath.Join(kl.getVolumeDevicePluginsDir(), pluginName, kubeletconfig.DefaultKubeletVolumeDevicesDirName)
 }
 
 // GetPodDir returns the full path to the per-pod data directory for the
@@ -133,8 +133,8 @@ func (kl *Kubelet) HandlerSupportsUserNamespaces(rtHandler string) (bool, error)
 }
 
 // GetKubeletMappings gets the additional IDs allocated for the Kubelet.
-func (kl *Kubelet) GetKubeletMappings() (uint32, uint32, error) {
-	return kl.getKubeletMappings()
+func (kl *Kubelet) GetKubeletMappings(idsPerPod uint32) (uint32, uint32, error) {
+	return kl.getKubeletMappings(idsPerPod)
 }
 
 func (kl *Kubelet) GetMaxPods() int {
@@ -144,11 +144,11 @@ func (kl *Kubelet) GetMaxPods() int {
 func (kl *Kubelet) GetUserNamespacesIDsPerPod() uint32 {
 	userNs := kl.kubeletConfiguration.UserNamespaces
 	if userNs == nil {
-		return config.DefaultKubeletUserNamespacesIDsPerPod
+		return kubeletconfig.DefaultKubeletUserNamespacesIDsPerPod
 	}
 	idsPerPod := userNs.IDsPerPod
 	if idsPerPod == nil || *idsPerPod == 0 {
-		return config.DefaultKubeletUserNamespacesIDsPerPod
+		return kubeletconfig.DefaultKubeletUserNamespacesIDsPerPod
 	}
 	// The value is already validated to be <= MaxUint32,
 	// so we can safely drop the upper bits.
@@ -165,14 +165,14 @@ func (kl *Kubelet) getPodDir(podUID types.UID) string {
 // which subpath volumes are created for the specified pod.  This directory may not
 // exist if the pod does not exist or subpaths are not specified.
 func (kl *Kubelet) getPodVolumeSubpathsDir(podUID types.UID) string {
-	return filepath.Join(kl.getPodDir(podUID), config.DefaultKubeletVolumeSubpathsDirName)
+	return filepath.Join(kl.getPodDir(podUID), kubeletconfig.DefaultKubeletVolumeSubpathsDirName)
 }
 
 // getPodVolumesDir returns the full path to the per-pod data directory under
 // which volumes are created for the specified pod.  This directory may not
 // exist if the pod does not exist.
 func (kl *Kubelet) getPodVolumesDir(podUID types.UID) string {
-	return filepath.Join(kl.getPodDir(podUID), config.DefaultKubeletVolumesDirName)
+	return filepath.Join(kl.getPodDir(podUID), kubeletconfig.DefaultKubeletVolumesDirName)
 }
 
 // getPodVolumeDir returns the full path to the directory which represents the
@@ -186,7 +186,7 @@ func (kl *Kubelet) getPodVolumeDir(podUID types.UID, pluginName string, volumeNa
 // which volumes are created for the specified pod. This directory may not
 // exist if the pod does not exist.
 func (kl *Kubelet) getPodVolumeDevicesDir(podUID types.UID) string {
-	return filepath.Join(kl.getPodDir(podUID), config.DefaultKubeletVolumeDevicesDirName)
+	return filepath.Join(kl.getPodDir(podUID), kubeletconfig.DefaultKubeletVolumeDevicesDirName)
 }
 
 // getPodVolumeDeviceDir returns the full path to the directory which represents the
@@ -199,7 +199,7 @@ func (kl *Kubelet) getPodVolumeDeviceDir(podUID types.UID, pluginName string) st
 // which plugins may store data for the specified pod.  This directory may not
 // exist if the pod does not exist.
 func (kl *Kubelet) getPodPluginsDir(podUID types.UID) string {
-	return filepath.Join(kl.getPodDir(podUID), config.DefaultKubeletPluginsDirName)
+	return filepath.Join(kl.getPodDir(podUID), kubeletconfig.DefaultKubeletPluginsDirName)
 }
 
 // getPodPluginDir returns a data directory name for a given plugin name for a
@@ -213,12 +213,12 @@ func (kl *Kubelet) getPodPluginDir(podUID types.UID, pluginName string) string {
 // which container data is held for the specified pod.  This directory may not
 // exist if the pod or container does not exist.
 func (kl *Kubelet) getPodContainerDir(podUID types.UID, ctrName string) string {
-	return filepath.Join(kl.getPodDir(podUID), config.DefaultKubeletContainersDirName, ctrName)
+	return filepath.Join(kl.getPodDir(podUID), kubeletconfig.DefaultKubeletContainersDirName, ctrName)
 }
 
 // getPodResourcesSocket returns the full path to the directory containing the pod resources socket
 func (kl *Kubelet) getPodResourcesDir() string {
-	return filepath.Join(kl.getRootDir(), config.DefaultKubeletPodResourcesDirName)
+	return filepath.Join(kl.getRootDir(), kubeletconfig.DefaultKubeletPodResourcesDirName)
 }
 
 // GetPods returns all pods bound to the kubelet and their spec, and the mirror
@@ -299,10 +299,8 @@ func (kl *Kubelet) GetNode() (*v1.Node, error) {
 // in which case return a manufactured nodeInfo representing a node with no pods,
 // zero capacity, and the default labels.
 func (kl *Kubelet) getNodeAnyWay() (*v1.Node, error) {
-	if kl.kubeClient != nil {
-		if n, err := kl.nodeLister.Get(string(kl.nodeName)); err == nil {
-			return n, nil
-		}
+	if n, err := kl.GetNode(); err == nil {
+		return n, nil
 	}
 	return kl.initialNode(context.TODO())
 }
diff --git a/pkg/kubelet/kubelet_linux.go b/pkg/kubelet/kubelet_linux.go
index c1f82b1af69bb..6dd637a615285 100644
--- a/pkg/kubelet/kubelet_linux.go
+++ b/pkg/kubelet/kubelet_linux.go
@@ -36,8 +36,8 @@ func (kl *Kubelet) cgroupVersionCheck() error {
 	metrics.CgroupVersion.Set(float64(cgroupVersion))
 	switch cgroupVersion {
 	case 1:
-		kl.recorder.Eventf(kl.nodeRef, v1.EventTypeWarning, events.CgroupV1, cm.CgroupV1MaintenanceModeWarning)
-		return errors.New(cm.CgroupV1MaintenanceModeWarning)
+		kl.recorder.Eventf(kl.nodeRef, v1.EventTypeWarning, events.CgroupV1, cm.CgroupV1DeprecatedWarning)
+		return errors.New(cm.CgroupV1DeprecatedWarning)
 	case 2:
 		cpustat := filepath.Join(util.CgroupRoot, "cpu.stat")
 		if _, err := os.Stat(cpustat); os.IsNotExist(err) {
diff --git a/pkg/kubelet/kubelet_node_declared_features.go b/pkg/kubelet/kubelet_node_declared_features.go
new file mode 100644
index 0000000000000..9bbe246b8f76b
--- /dev/null
+++ b/pkg/kubelet/kubelet_node_declared_features.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/component-base/featuregate" // Import for the type conversion
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+)
+
+// FeatureGateAdapter adapts a component-base FeatureGate to the nodedeclaredfeatures FeatureGate interface.
+// This is needed because we cannot use featuregate.Feature in the library code (forbidden import).
+type FeatureGateAdapter struct {
+	featuregate.FeatureGate
+}
+
+// Enabled implements the nodedeclaredfeatures.FeatureGate interface
+func (a FeatureGateAdapter) Enabled(key string) bool {
+	// Convert the string key to featuregate.Feature
+	return a.FeatureGate.Enabled(featuregate.Feature(key))
+}
+
+// discoverNodeDeclaredFeatures determines the final set of node features to be declared by using the discovery library.
+func (kl *Kubelet) discoverNodeDeclaredFeatures() []string {
+	staticConfig := nodedeclaredfeatures.StaticConfiguration{
+		CPUManagerPolicy: kl.containerManager.GetNodeConfig().CPUManagerPolicy,
+	}
+
+	adaptedFG := FeatureGateAdapter{FeatureGate: utilfeature.DefaultFeatureGate}
+	cfg := &nodedeclaredfeatures.NodeConfiguration{
+		FeatureGates: adaptedFG,
+		StaticConfig: staticConfig,
+		Version:      kl.version,
+	}
+	return kl.nodeDeclaredFeaturesFramework.DiscoverNodeFeatures(cfg)
+}
diff --git a/pkg/kubelet/kubelet_node_declared_features_test.go b/pkg/kubelet/kubelet_node_declared_features_test.go
new file mode 100644
index 0000000000000..2228845b6a1be
--- /dev/null
+++ b/pkg/kubelet/kubelet_node_declared_features_test.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndflib "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndffeatures "k8s.io/component-helpers/nodedeclaredfeatures/features"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
+)
+
+func TestGuaranteedPodExclusiveCPUsFeatureDiscovery(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+
+	testcases := []struct {
+		name                                string
+		cpuManagerPolicy                    string
+		inplacePodResizeExclusiveCPUsEnable bool
+		expectedFeature                     string
+		expectFeature                       bool
+	}{
+		{
+			name:                                "feature enabled with static cpu manager policy",
+			cpuManagerPolicy:                    "static",
+			inplacePodResizeExclusiveCPUsEnable: true,
+			expectedFeature:                     "GuaranteedQoSPodCPUResize",
+			expectFeature:                       true,
+		},
+		{
+			name:                                "feature enabled with none cpu manager policy",
+			cpuManagerPolicy:                    "none",
+			inplacePodResizeExclusiveCPUsEnable: true,
+			expectedFeature:                     "GuaranteedQoSPodCPUResize",
+			expectFeature:                       true,
+		},
+		{
+			name:                                "feature disabled with static cpu manager policy",
+			cpuManagerPolicy:                    "static",
+			inplacePodResizeExclusiveCPUsEnable: false,
+			expectedFeature:                     "GuaranteedQoSPodCPUResize",
+			expectFeature:                       false,
+		},
+		{
+			name:                                "feature disabled with none cpu manager policy",
+			cpuManagerPolicy:                    "none",
+			inplacePodResizeExclusiveCPUsEnable: false,
+			expectedFeature:                     "GuaranteedQoSPodCPUResize",
+			expectFeature:                       true,
+		},
+	}
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScalingExclusiveCPUs, tc.inplacePodResizeExclusiveCPUsEnable)
+
+			testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
+			defer testKubelet.Cleanup()
+			kubelet := testKubelet.kubelet
+			fakeCM := cm.NewFakeContainerManagerWithNodeConfig(cm.NodeConfig{
+				CPUManagerPolicy: tc.cpuManagerPolicy,
+			})
+			kubelet.containerManager = fakeCM
+			framework, err := ndflib.New(ndffeatures.AllFeatures)
+			require.NoError(t, err)
+			kubelet.nodeDeclaredFeaturesFramework = framework
+
+			features := kubelet.discoverNodeDeclaredFeatures()
+			if tc.expectFeature {
+				assert.Contains(t, features, tc.expectedFeature)
+			} else {
+				assert.NotContains(t, features, tc.expectedFeature)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/kubelet_node_status.go b/pkg/kubelet/kubelet_node_status.go
index 246ea90301140..2f64369bc5f71 100644
--- a/pkg/kubelet/kubelet_node_status.go
+++ b/pkg/kubelet/kubelet_node_status.go
@@ -46,7 +46,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/managed"
 	"k8s.io/kubernetes/pkg/kubelet/nodestatus"
 	"k8s.io/kubernetes/pkg/kubelet/sharedcpus"
-	taintutil "k8s.io/kubernetes/pkg/util/taints"
 	volutil "k8s.io/kubernetes/pkg/volume/util"
 )
 
@@ -367,17 +366,6 @@ func (kl *Kubelet) initialNode(ctx context.Context) (*v1.Node, error) {
 
 	nodeTaints := make([]v1.Taint, len(kl.registerWithTaints))
 	copy(nodeTaints, kl.registerWithTaints)
-	unschedulableTaint := v1.Taint{
-		Key:    v1.TaintNodeUnschedulable,
-		Effect: v1.TaintEffectNoSchedule,
-	}
-
-	// Taint node with TaintNodeUnschedulable when initializing
-	// node to avoid race condition; refer to #63897 for more detail.
-	if node.Spec.Unschedulable &&
-		!taintutil.TaintExists(nodeTaints, &unschedulableTaint) {
-		nodeTaints = append(nodeTaints, unschedulableTaint)
-	}
 
 	if kl.externalCloudProvider {
 		taint := v1.Taint{
@@ -727,6 +715,9 @@ func (kl *Kubelet) setNodeStatus(ctx context.Context, node *v1.Node) {
 			klog.ErrorS(err, "Failed to set some node status fields", "node", klog.KObj(node))
 		}
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) && kl.nodeDeclaredFeatures != nil {
+		node.Status.DeclaredFeatures = kl.nodeDeclaredFeatures
+	}
 }
 
 // defaultNodeStatusFuncs is a factory that generates the default set of
diff --git a/pkg/kubelet/kubelet_node_status_test.go b/pkg/kubelet/kubelet_node_status_test.go
index 86f03304701cd..ec87ab284658d 100644
--- a/pkg/kubelet/kubelet_node_status_test.go
+++ b/pkg/kubelet/kubelet_node_status_test.go
@@ -1131,7 +1131,7 @@ func TestUpdateNodeStatusAndVolumesInUseWithNodeLease(t *testing.T) {
 			kubelet.setCachedMachineInfo(&cadvisorapi.MachineInfo{})
 
 			// override test volumeManager
-			fakeVolumeManager := kubeletvolume.NewFakeVolumeManager(tc.existingVolumes, 0, nil)
+			fakeVolumeManager := kubeletvolume.NewFakeVolumeManager(tc.existingVolumes, 0, nil, false)
 			kubelet.volumeManager = fakeVolumeManager
 
 			// Only test VolumesInUse setter
@@ -3161,3 +3161,65 @@ func TestCalculateDelay(t *testing.T) {
 		assert.LessOrEqual(t, randomDelay.Abs(), kubelet.nodeStatusReportFrequency/2)
 	}
 }
+
+func TestSetNodeStatusDeclaredFeatures(t *testing.T) {
+	testCases := []struct {
+		name               string
+		featureGateEnabled bool
+		discoveredFeatures []string
+		expectedFeatures   []string
+	}{
+		{
+			name:               "Feature gate enabled, features discovered",
+			featureGateEnabled: true,
+			discoveredFeatures: []string{"feature1", "feature2"},
+			expectedFeatures:   []string{"feature1", "feature2"},
+		},
+		{
+			name:               "Feature gate disabled",
+			featureGateEnabled: false,
+			discoveredFeatures: []string{"feature1", "feature2"},
+			expectedFeatures:   nil,
+		},
+		{
+			name:               "Feature gate enabled, no features discovered",
+			featureGateEnabled: true,
+			discoveredFeatures: nil,
+			expectedFeatures:   nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.featureGateEnabled)
+
+			testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
+			defer testKubelet.Cleanup()
+			kubelet := testKubelet.kubelet
+			kubelet.nodeDeclaredFeatures = tc.discoveredFeatures
+			kubelet.kubeClient = nil
+
+			kubeClient := testKubelet.fakeKubeClient
+			existingNode := v1.Node{ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname}}
+			kubeClient.ReactionChain = fake.NewClientset(&v1.NodeList{Items: []v1.Node{existingNode}}).ReactionChain
+			kubelet.nodeLister = delegatingNodeLister{client: kubeClient}
+			machineInfo := &cadvisorapi.MachineInfo{}
+			kubelet.setCachedMachineInfo(machineInfo)
+
+			// We need to force a status update, so we make the last status report time old.
+			kubelet.lastStatusReportTime = time.Now().Add(-time.Hour)
+			require.NoError(t, kubelet.updateNodeStatus(context.TODO()))
+
+			actions := kubeClient.Actions()
+			// We expect a get and a patch
+			require.Len(t, actions, 2)
+			require.True(t, actions[1].Matches("patch", "nodes"))
+			require.Equal(t, "status", actions[1].GetSubresource())
+
+			updatedNode, err := applyNodeStatusPatch(&existingNode, actions[1].(core.PatchActionImpl).GetPatch())
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.expectedFeatures, updatedNode.Status.DeclaredFeatures)
+		})
+	}
+}
diff --git a/pkg/kubelet/kubelet_nodecache.go b/pkg/kubelet/kubelet_nodecache.go
new file mode 100644
index 0000000000000..5491d944c8d9c
--- /dev/null
+++ b/pkg/kubelet/kubelet_nodecache.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+	"context"
+	"strconv"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+)
+
+// GetCachedNode returns the node object either from the cache or by making a synchronous
+// call to the API server based on the useCache parameter.
+func (kl *Kubelet) GetCachedNode(ctx context.Context, useCache bool) (*v1.Node, error) {
+	if useCache {
+		return kl.getCachedNode(ctx)
+	}
+	return kl.getNodeSync()
+}
+
+// getCachedNode compares the currently cached node to the node in the informer,
+// and returns the newer one.
+func (kl *Kubelet) getCachedNode(ctx context.Context) (*v1.Node, error) {
+	logger := klog.FromContext(ctx)
+	informerNode, err := kl.GetNode()
+	if err != nil {
+		if kl.cachedNode != nil {
+			logger.Error(err, "failed to list node; using cached node")
+			return kl.cachedNode, nil
+		}
+		return kl.initialNode(ctx)
+	}
+
+	if kl.cachedNode == nil {
+		kl.cachedNode = informerNode
+		return informerNode, nil
+	}
+
+	isNewer, err := isNewer(informerNode, kl.cachedNode)
+	if err != nil {
+		// In error cases, default to the informer node.
+		logger.Error(err, "failed to check if node is newer; using informer node")
+		kl.cachedNode = informerNode
+	}
+	if isNewer {
+		kl.cachedNode = informerNode
+	}
+	return kl.cachedNode, nil
+}
+
+// getNodeSync forces a refresh of the cache by making a synchronous call to the API server
+// for the most recent node info.
+func (kl *Kubelet) getNodeSync() (*v1.Node, error) {
+	if kl.kubeClient == nil {
+		return kl.initialNode(context.Background())
+	}
+	node, err := kl.kubeClient.CoreV1().Nodes().Get(context.Background(), string(kl.nodeName), metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	kl.cachedNode = node
+	return node, nil
+}
+
+// isNewer checks if the informer node is newer than the cached node based on the ResourceVersion.
+func isNewer(informerNode, cachedNode *v1.Node) (bool, error) {
+	if informerNode == cachedNode {
+		return true, nil
+	}
+	informerVersion, err := getObjVersion(informerNode)
+	if err != nil {
+		return false, err
+	}
+	cachedVersion, err := getObjVersion(cachedNode)
+	if err != nil {
+		return false, err
+	}
+	return informerVersion > cachedVersion, nil
+}
+
+func getObjVersion(n *v1.Node) (int64, error) {
+	objResourceVersion, err := strconv.ParseInt(n.ResourceVersion, 10, 64)
+	if err != nil {
+		return -1, err
+	}
+	return objResourceVersion, nil
+}
diff --git a/pkg/kubelet/kubelet_nodecache_test.go b/pkg/kubelet/kubelet_nodecache_test.go
new file mode 100644
index 0000000000000..b68ef1e9ccf43
--- /dev/null
+++ b/pkg/kubelet/kubelet_nodecache_test.go
@@ -0,0 +1,159 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func TestGetCachedNode(t *testing.T) {
+	tests := []struct {
+		name               string
+		informerNode       *v1.Node
+		cachedNode         *v1.Node
+		nodeListerErr      error
+		expectedNode       *v1.Node
+		expectedErr        bool
+		expectedCachedNode *v1.Node
+	}{
+		{
+			name:         "informer node is newer",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+			cachedNode:   &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+		},
+		{
+			name:         "cached node is newer",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			cachedNode:   &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "2"}},
+		},
+		{
+			name:         "resource versions are the same",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			cachedNode:   &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+		},
+		{
+			name:         "informer node cannot be parsed, default to informer node",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "abc"}},
+			cachedNode:   &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "abc"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "abc"}},
+		},
+		{
+			name:         "cached node cannot be parsed, default to informer node",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			cachedNode:   &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "abc"}},
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+		},
+		{
+			name:         "cached node is nil, use informer node",
+			informerNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			cachedNode:   nil,
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+		},
+		{
+			name:          "node lister returns error, use cached node",
+			informerNode:  nil,
+			cachedNode:    &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			nodeListerErr: fmt.Errorf("test error"),
+
+			expectedNode:       &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+			expectedErr:        false,
+			expectedCachedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{ResourceVersion: "1"}},
+		},
+		{
+			name:          "node lister returns error, cached node is nil, default to initialNode",
+			informerNode:  nil,
+			cachedNode:    nil,
+			nodeListerErr: fmt.Errorf("test error"),
+
+			expectedNode:       nil, // This will be filled in by the test logic below.
+			expectedErr:        false,
+			expectedCachedNode: nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			kl := Kubelet{
+				cachedNode: test.cachedNode,
+				nodeLister: newFakeNodeLister(test.nodeListerErr, test.informerNode),
+				kubeClient: &fake.Clientset{},
+			}
+			if test.expectedNode == nil {
+				var err error
+				test.expectedNode, err = kl.initialNode(context.TODO())
+				if err != nil {
+					test.expectedErr = true
+				}
+			}
+
+			actualNode, err := kl.GetCachedNode(context.Background(), true)
+
+			if (err != nil) != test.expectedErr {
+				t.Errorf("GetCachedNode() unexpected error status: %v, expected error: %v", err, test.expectedErr)
+			}
+			if !reflect.DeepEqual(actualNode, test.expectedNode) {
+				t.Errorf("GetCachedNode() = %v, expected %v", actualNode, test.expectedNode)
+			}
+			if !reflect.DeepEqual(kl.cachedNode, test.expectedCachedNode) {
+				t.Errorf("kl.cachedNode after GetCachedNode() = %v, expected %v", kl.cachedNode, test.expectedCachedNode)
+			}
+		})
+	}
+}
+
+type fakeNodeLister struct {
+	node *v1.Node
+	err  error
+}
+
+func newFakeNodeLister(err error, node *v1.Node) *fakeNodeLister {
+	ret := &fakeNodeLister{}
+	ret.node = node
+	ret.err = err
+	return ret
+}
+
+func (l *fakeNodeLister) List(selector labels.Selector) (ret []*v1.Node, err error) {
+	return []*v1.Node{l.node}, l.err
+}
+
+func (l *fakeNodeLister) Get(name string) (*v1.Node, error) {
+	return l.node, l.err
+}
diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 86eeb0bd26dc1..42a58b0dfdcd5 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -44,6 +44,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	resourcehelper "k8s.io/component-helpers/resource"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
 	"k8s.io/kubelet/pkg/cri/streaming/portforward"
@@ -81,8 +82,9 @@ const (
 
 // Container state reason list
 const (
-	PodInitializing   = "PodInitializing"
-	ContainerCreating = "ContainerCreating"
+	PodInitializing         = "PodInitializing"
+	ContainerCreating       = "ContainerCreating"
+	RestartingAllContainers = "RestartingAllContainers"
 
 	kubeletUser = "kubelet"
 )
@@ -124,11 +126,15 @@ func parseGetSubIdsOutput(input string) (uint32, uint32, error) {
 // If subordinate user or group ID ranges are specified for the kubelet user and the getsubids tool
 // is installed, then the single mapping specified both for user and group IDs will be used.
 // If the tool is not installed, or there are no IDs configured, the default mapping is returned.
-// The default mapping includes the entire IDs range except IDs below 65536.
-func (kl *Kubelet) getKubeletMappings() (uint32, uint32, error) {
+// The default mapping includes the entire IDs range except IDs below idsPerPod.
+func (kl *Kubelet) getKubeletMappings(idsPerPod uint32) (uint32, uint32, error) {
 	// default mappings to return if there is no specific configuration
-	const defaultFirstID = 1 << 16
-	const defaultLen = 1<<32 - defaultFirstID
+	defaultFirstID := idsPerPod
+	// We cast defaultFirstID to 64 bits, as otherwise any operation (including subtraction)
+	// fires the overflow detection (go is not smart enough to realize that if we subtract a
+	// non-negative number, it fits in 32 bits).
+	// Then we cast it back to 32 bits, as this what the function returns.
+	defaultLen := uint32((1 << 32) - uint64(defaultFirstID))
 
 	if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
 		return defaultFirstID, defaultLen, nil
@@ -565,7 +571,9 @@ func truncatePodHostnameIfNeeded(podName, hostname string) (string, error) {
 
 // GetOrCreateUserNamespaceMappings returns the configuration for the sandbox user namespace
 func (kl *Kubelet) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHandler string) (*runtimeapi.UserNamespace, error) {
-	return kl.usernsManager.GetOrCreateUserNamespaceMappings(pod, runtimeHandler)
+	// Use context.TODO() because we currently do not have a proper logger to pass in.
+	// This should be replaced with an appropriate context when refactoring this function to accept a context parameter.
+	return kl.usernsManager.GetOrCreateUserNamespaceMappings(context.TODO(), pod, runtimeHandler)
 }
 
 // GeneratePodHostNameAndDomain creates a hostname and domain name for a pod,
@@ -926,12 +934,6 @@ func (kl *Kubelet) makeEnvironmentVariables(pod *v1.Pod, container *v1.Container
 					return result, fmt.Errorf("failed to get host path for volume %q: %w", volume, err)
 				}
 
-				// Validate key length, must not exceed 128 characters.
-				// TODO: @HirazawaUi This limit will be relaxed after the EnvFiles feature gate beta stage.
-				if len(key) > 128 {
-					return result, fmt.Errorf("environment variable key %q exceeds maximum length of 128 characters", key)
-				}
-
 				// Construct the full path to the environment variable file
 				// by combining hostPath with the specified path in FileKeyRef
 				envFilePath, err := securejoin.SecureJoin(hostPath, f.Path)
@@ -945,12 +947,6 @@ func (kl *Kubelet) makeEnvironmentVariables(pod *v1.Pod, container *v1.Container
 					return result, fmt.Errorf("couldn't parse env file")
 				}
 
-				// Validate value size, must not exceed 32KB.
-				// TODO: @HirazawaUi This limit will be relaxed after the EnvFiles feature gate beta stage.
-				if len(runtimeVal) > 32*1024 {
-					return result, fmt.Errorf("environment variable value for key %q exceeds maximum size of 32KB", key)
-				}
-
 				// If the key was not found, and it's not optional, return an error
 				if runtimeVal == "" {
 					if optional {
@@ -1044,7 +1040,8 @@ func (kl *Kubelet) killPod(ctx context.Context, pod *v1.Pod, p kubecontainer.Pod
 	if err := kl.containerRuntime.KillPod(ctx, pod, p, gracePeriodOverride); err != nil {
 		return err
 	}
-	if err := kl.containerManager.UpdateQOSCgroups(); err != nil {
+	// TODO: Pass logger from context once contextual logging migration is complete
+	if err := kl.containerManager.UpdateQOSCgroups(klog.TODO()); err != nil {
 		klog.V(2).InfoS("Failed to update QoS cgroups while killing pod", "err", err)
 	}
 	return nil
@@ -1283,7 +1280,7 @@ func (kl *Kubelet) HandlePodCleanups(ctx context.Context) error {
 
 	// Remove orphaned pod user namespace allocations (if any).
 	klog.V(3).InfoS("Clean up orphaned pod user namespace allocations")
-	if err = kl.usernsManager.CleanupOrphanedPodUsernsAllocations(allPods, runningRuntimePods); err != nil {
+	if err = kl.usernsManager.CleanupOrphanedPodUsernsAllocations(ctx, allPods, runningRuntimePods); err != nil {
 		klog.ErrorS(err, "Failed cleaning up orphaned pod user namespaces allocations")
 	}
 
@@ -1669,7 +1666,11 @@ func getPhase(pod *v1.Pod, info []v1.ContainerStatus, podIsTerminal, podHasIniti
 			if exitCode != 0 {
 				failedInitialization++
 				if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
-					if !podutil.ContainerShouldRestart(container, pod.Spec, exitCode) {
+					restartable := podutil.ContainerShouldRestart(container, pod.Spec, exitCode)
+					if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+						restartable = restartable || containerStatus.State.Terminated.Reason == RestartingAllContainers
+					}
+					if !restartable {
 						failedInitializationNotRestartable++
 					}
 				}
@@ -1679,10 +1680,12 @@ func getPhase(pod *v1.Pod, info []v1.ContainerStatus, podIsTerminal, podHasIniti
 				exitCode := containerStatus.LastTerminationState.Terminated.ExitCode
 				if exitCode != 0 {
 					failedInitialization++
-					if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
-						if !podutil.ContainerShouldRestart(container, pod.Spec, exitCode) {
-							failedInitializationNotRestartable++
-						}
+					restartable := podutil.ContainerShouldRestart(container, pod.Spec, exitCode)
+					if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+						restartable = restartable || containerStatus.LastTerminationState.Terminated.Reason == RestartingAllContainers
+					}
+					if !restartable {
+						failedInitializationNotRestartable++
 					}
 				}
 			} else {
@@ -1750,7 +1753,11 @@ func getPhase(pod *v1.Pod, info []v1.ContainerStatus, podIsTerminal, podHasIniti
 			stopped++
 			exitCode := containerStatus.State.Terminated.ExitCode
 			if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
-				if !podutil.ContainerShouldRestart(container, pod.Spec, exitCode) {
+				restartable := podutil.ContainerShouldRestart(container, pod.Spec, exitCode)
+				if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+					restartable = restartable || containerStatus.State.Terminated.Reason == RestartingAllContainers
+				}
+				if !restartable {
 					stoppedNotRestartable++
 				}
 			}
@@ -1762,7 +1769,11 @@ func getPhase(pod *v1.Pod, info []v1.ContainerStatus, podIsTerminal, podHasIniti
 				stopped++
 				if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
 					exitCode := containerStatus.LastTerminationState.Terminated.ExitCode
-					if !podutil.ContainerShouldRestart(container, pod.Spec, exitCode) {
+					restartable := podutil.ContainerShouldRestart(container, pod.Spec, exitCode)
+					if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+						restartable = restartable || containerStatus.LastTerminationState.Terminated.Reason == RestartingAllContainers
+					}
+					if !restartable {
 						stoppedNotRestartable++
 					}
 				}
@@ -1921,8 +1932,10 @@ func (kl *Kubelet) generateAPIPodStatus(pod *v1.Pod, podStatus *kubecontainer.Po
 		}
 	}
 
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
 	// ensure the probe managers have up to date status for containers
-	kl.probeManager.UpdatePodStatus(pod, s)
+	kl.probeManager.UpdatePodStatus(context.TODO(), pod, s)
 
 	// update the allocated resources status
 	if utilfeature.DefaultFeatureGate.Enabled(features.ResourceHealthStatus) {
@@ -1972,6 +1985,11 @@ func (kl *Kubelet) generateAPIPodStatus(pod *v1.Pod, podStatus *kubecontainer.Po
 		ObservedGeneration: podutil.CalculatePodConditionObservedGeneration(&oldPodStatus, pod.Generation, v1.PodScheduled),
 		Status:             v1.ConditionTrue,
 	})
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+		if podutil.AllContainersCouldRestart(&pod.Spec) {
+			s.Conditions = append(s.Conditions, status.GenerateAllContainersRestartingCondition(pod, podStatus, &oldPodStatus, s.Phase))
+		}
+	}
 	// set HostIP/HostIPs and initialize PodIP/PodIPs for host network pods
 	if kl.kubeClient != nil {
 		hostIPs, err := kl.getHostIPsAnyWay()
@@ -2069,12 +2087,18 @@ func (kl *Kubelet) convertStatusToAPIStatus(pod *v1.Pod, podStatus *kubecontaine
 	// set status for Pods created on versions of kube older than 1.6
 	apiPodStatus.QOSClass = v1qos.GetPodQOS(pod)
 
+	podRestarting := false
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+		podRestarting = kubecontainer.ShouldAllContainersRestart(pod, podStatus, &oldPodStatus)
+	}
+
 	apiPodStatus.ContainerStatuses = kl.convertToAPIContainerStatuses(
 		pod, podStatus,
 		oldPodStatus.ContainerStatuses,
 		pod.Spec.Containers,
 		len(pod.Spec.InitContainers) > 0,
 		false,
+		podRestarting,
 	)
 	apiPodStatus.InitContainerStatuses = kl.convertToAPIContainerStatuses(
 		pod, podStatus,
@@ -2082,6 +2106,7 @@ func (kl *Kubelet) convertStatusToAPIStatus(pod *v1.Pod, podStatus *kubecontaine
 		pod.Spec.InitContainers,
 		len(pod.Spec.InitContainers) > 0,
 		true,
+		podRestarting,
 	)
 	var ecSpecs []v1.Container
 	for i := range pod.Spec.EphemeralContainers {
@@ -2096,14 +2121,133 @@ func (kl *Kubelet) convertStatusToAPIStatus(pod *v1.Pod, podStatus *kubecontaine
 		ecSpecs,
 		len(pod.Spec.InitContainers) > 0,
 		false,
+		podRestarting,
 	)
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		apiPodStatus.Resources = kl.convertToAPIPodLevelResourcesStatus(pod, oldPodStatus)
+		opts := resourcehelper.PodResourcesOptions{
+			SkipPodLevelResources: !utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
+		}
+		apiPodStatus.AllocatedResources = resourcehelper.PodRequests(pod, opts)
+	}
+
 	return &apiPodStatus
 }
 
+func getEffectiveAllocatedResources(allocatedPod *v1.Pod) *v1.ResourceRequirements {
+	allocatedResources := allocatedPod.Spec.Resources
+	if allocatedResources == nil {
+		allocatedResources = &v1.ResourceRequirements{}
+	}
+	opts := resourcehelper.PodResourcesOptions{
+		SkipPodLevelResources: !utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
+	}
+	allocatedResources.Requests = resourcehelper.PodRequests(allocatedPod, opts)
+	allocatedResources.Limits = resourcehelper.PodLimits(allocatedPod, opts)
+	return allocatedResources
+}
+
+func (kl *Kubelet) convertToAPIPodLevelResourcesStatus(allocatedPod *v1.Pod, oldPodStatus v1.PodStatus) *v1.ResourceRequirements {
+	if allocatedPod.Status.Phase != v1.PodRunning {
+		return getEffectiveAllocatedResources(allocatedPod)
+	}
+
+	// TODO(ndixita): Revisit the decision to output cgroup values in Pod Status.
+	// The internal rounding off logic can introduce minute variability, making the
+	// output inconsistent. We should decide if the information is useful enough to
+	//  outweigh the consistency issues,
+	pcm := kl.containerManager.NewPodContainerManager()
+	memoryConfig, err := pcm.GetPodCgroupConfig(allocatedPod, v1.ResourceMemory)
+	if err != nil {
+		klog.ErrorS(err, "failed to read memory cgroup config for the pod", "podName", allocatedPod.Name)
+	}
+	memoryLimit := cm.MemoryLimitsFromConfig(memoryConfig)
+	cpuConfig, err := pcm.GetPodCgroupConfig(allocatedPod, v1.ResourceCPU)
+	if err != nil {
+		klog.ErrorS(err, "failed to read memory cgroup limits for the pod", "podName", allocatedPod.Name)
+
+	}
+
+	cpuRequest := cm.CPURequestsFromConfig(cpuConfig)
+	cpuLimit := cm.CPULimitsFromConfig(cpuConfig)
+
+	preserveOldResourcesValue := func(rName v1.ResourceName, oldStatusResource, resource v1.ResourceList) {
+		if allocatedPod.Status.Phase == v1.PodRunning && oldPodStatus.Phase == v1.PodRunning && oldPodStatus.Resources != nil {
+			if r, exists := oldStatusResource[rName]; exists {
+				resource[rName] = r.DeepCopy()
+			}
+		}
+	}
+
+	resources := allocatedPod.Spec.Resources.DeepCopy()
+
+	if oldPodStatus.Resources == nil {
+		oldPodStatus.Resources = &v1.ResourceRequirements{}
+	}
+
+	if resources == nil {
+		resources = &v1.ResourceRequirements{}
+	}
+
+	if resources.Requests == nil {
+		resources.Requests = make(v1.ResourceList)
+	}
+
+	if resources.Limits == nil {
+		resources.Limits = make(v1.ResourceList)
+	}
+
+	if cpuRequest != nil {
+		// If both the allocated & actual resources are at
+		// or below MinShares, preserve the allocated value in the API to avoid
+		// confusion and simplify comparisons.
+		if cpuRequest.MilliValue() > cm.MinShares || resources.Requests.Cpu().MilliValue() > cm.MinShares {
+			resources.Requests[v1.ResourceCPU] = cpuRequest.DeepCopy()
+		}
+	} else {
+		preserveOldResourcesValue(v1.ResourceCPU, oldPodStatus.Resources.Requests, resources.Requests)
+	}
+
+	if _, found := resources.Requests[v1.ResourceMemory]; !found {
+		opts := resourcehelper.PodResourcesOptions{
+			SkipPodLevelResources: !utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
+		}
+		aggregatedResources := resourcehelper.PodRequests(allocatedPod, opts)
+		resources.Requests[v1.ResourceMemory] = aggregatedResources[v1.ResourceMemory]
+	}
+
+	// TODO: Once we begin persisting memory Request from the PodSpec to cgroups,
+	// the code needs to persist that value if it is non-nil.
+	preserveOldResourcesValue(v1.ResourceMemory, oldPodStatus.Resources.Requests, resources.Requests)
+
+	if cpuLimit != nil {
+		// If both the allocated & actual resources are at
+		// or below the minimum effective limit, preserve the
+		// allocated value in the API to avoid confusion and simplify comparisons.
+		if cpuLimit.MilliValue() > cm.MinMilliCPULimit || resources.Limits.Cpu().MilliValue() > cm.MinMilliCPULimit {
+			resources.Limits[v1.ResourceCPU] = cpuLimit.DeepCopy()
+		}
+	} else {
+		preserveOldResourcesValue(v1.ResourceCPU, oldPodStatus.Resources.Limits, resources.Limits)
+
+	}
+
+	if memoryLimit != nil {
+		resources.Limits[v1.ResourceMemory] = memoryLimit.DeepCopy()
+	} else {
+		preserveOldResourcesValue(v1.ResourceMemory, oldPodStatus.Resources.Limits, resources.Limits)
+	}
+
+	return resources
+}
+
 // convertToAPIContainerStatuses converts the given internal container
 // statuses into API container statuses.
-func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecontainer.PodStatus, previousStatus []v1.ContainerStatus, containers []v1.Container, hasInitContainers, isInitContainer bool) []v1.ContainerStatus {
+func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecontainer.PodStatus, previousStatus []v1.ContainerStatus, containers []v1.Container, hasInitContainers, isInitContainer, podRestarting bool) []v1.ContainerStatus {
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// This should be replaced with an appropriate logger when refactoring this function to accept a logger parameter.
+	logger := klog.TODO()
 	convertContainerStatus := func(cs *kubecontainer.Status, oldStatus *v1.ContainerStatus) *v1.ContainerStatus {
 		cid := cs.ID.String()
 		status := &v1.ContainerStatus{
@@ -2118,10 +2262,22 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 		}
 		if oldStatus != nil {
 			status.VolumeMounts = oldStatus.VolumeMounts // immutable
+			if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+				if oldStatus.RestartCount > status.RestartCount {
+					status.RestartCount = oldStatus.RestartCount
+				}
+			}
 		}
 		switch {
 		case cs.State == kubecontainer.ContainerStateRunning:
 			status.State.Running = &v1.ContainerStateRunning{StartedAt: metav1.NewTime(cs.StartedAt)}
+			if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+				if oldStatus != nil &&
+					oldStatus.State.Terminated != nil &&
+					oldStatus.RestartCount >= int32(cs.RestartCount) {
+					status.RestartCount = oldStatus.RestartCount + 1
+				}
+			}
 		case cs.State == kubecontainer.ContainerStateCreated:
 			// containers that are created but not running are "waiting to be running"
 			status.State.Waiting = &v1.ContainerStateWaiting{}
@@ -2138,13 +2294,19 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 		case cs.State == kubecontainer.ContainerStateUnknown &&
 			oldStatus != nil && // we have an old status
 			oldStatus.State.Running != nil: // our previous status was running
+
+			reason := kubecontainer.ContainerReasonStatusUnknown
+			// If the pod is restarting, the reason should be RestartingAllContainers
+			if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) && podRestarting {
+				reason = RestartingAllContainers
+			}
 			// if this happens, then we know that this container was previously running and isn't anymore (assuming the CRI isn't failing to return running containers).
 			// you can imagine this happening in cases where a container failed and the kubelet didn't ask about it in time to see the result.
 			// in this case, the container should not to into waiting state immediately because that can make cases like runonce pods actually run
 			// twice. "container never ran" is different than "container ran and failed".  This is handled differently in the kubelet
 			// and it is handled differently in higher order logic like crashloop detection and handling
 			status.State.Terminated = &v1.ContainerStateTerminated{
-				Reason:   kubecontainer.ContainerReasonStatusUnknown,
+				Reason:   reason,
 				Message:  "The container could not be located when the pod was terminated",
 				ExitCode: 137, // this code indicates an error
 			}
@@ -2222,12 +2384,10 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 			} else {
 				preserveOldResourcesValue(v1.ResourceCPU, oldStatus.Resources.Requests, resources.Requests)
 			}
-			// TODO(tallclair,vinaykul,InPlacePodVerticalScaling): Investigate defaulting to actuated resources instead of allocated resources above
-			if _, exists := resources.Requests[v1.ResourceMemory]; exists {
-				// Get memory requests from actuated resources
-				if actuatedResources, found := kl.allocationManager.GetActuatedResources(pod.UID, allocatedContainer.Name); found {
-					resources.Requests[v1.ResourceMemory] = *actuatedResources.Requests.Memory()
-				}
+			if cStatus.Resources != nil && cStatus.Resources.MemoryRequest != nil {
+				resources.Requests[v1.ResourceMemory] = cStatus.Resources.MemoryRequest.DeepCopy()
+			} else {
+				preserveOldResourcesValue(v1.ResourceMemory, oldStatus.Resources.Requests, resources.Requests)
 			}
 		}
 
@@ -2333,6 +2493,27 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 		if !ok {
 			continue
 		}
+
+		// If the container is missing, RestartAllContainers in place, and previous status is not waiting, then the container
+		// is removed from runtime. It should be considered Waiting. The LastTerminationState should have a "RestartingAllContainers"
+		// reason to avoid confusion when containers are restarted.
+		if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) && podRestarting && oldStatus.State.Waiting == nil {
+			status := statuses[container.Name]
+			status.State.Waiting = &v1.ContainerStateWaiting{
+				Reason:  RestartingAllContainers,
+				Message: "The container is removed because RestartAllContainers in place",
+			}
+			status.State.Terminated = nil
+			status.LastTerminationState.Terminated = &v1.ContainerStateTerminated{
+				Reason:   RestartingAllContainers,
+				Message:  "The container is removed because RestartAllContainers in place",
+				ExitCode: 137,
+			}
+			status.RestartCount = oldStatus.RestartCount + 1
+			statuses[container.Name] = status
+			continue
+		}
+
 		if oldStatus.State.Terminated != nil {
 			// if the old container status was terminated, the lasttermination status is correct
 			continue
@@ -2399,6 +2580,14 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 			oldStatusPtr = &oldStatus
 		}
 		status := convertContainerStatus(cStatus, oldStatusPtr)
+		if !utilfeature.DefaultFeatureGate.Enabled(features.ChangeContainerStatusOnKubeletRestart) {
+			if cStatus.State == kubecontainer.ContainerStateRunning {
+				if oldStatus, ok := oldStatuses[status.Name]; ok && oldStatus.Started != nil {
+					status.Started = oldStatus.Started
+				}
+			}
+		}
+
 		if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
 			allocatedContainer := kubecontainer.GetContainerSpec(pod, cName)
 			if allocatedContainer != nil {
@@ -2413,6 +2602,7 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 		if utilfeature.DefaultFeatureGate.Enabled(features.ContainerStopSignals) {
 			status.StopSignal = cStatus.StopSignal
 		}
+
 		if containerSeen[cName] == 0 {
 			statuses[cName] = status
 		} else {
@@ -2432,7 +2622,7 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 			}
 		}
 		// If a container should be restarted in next syncpod, it is *Waiting*.
-		if !kubecontainer.ShouldContainerBeRestarted(&container, pod, podStatus) {
+		if !kubecontainer.ShouldContainerBeRestarted(logger, &container, pod, podStatus) {
 			continue
 		}
 		status := statuses[container.Name]
@@ -2577,17 +2767,24 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(pcm cm.PodContainerManager, cgroupP
 		// process in the cgroup to the minimum value while we wait.
 		if podVolumesExist := kl.podVolumesExist(uid); podVolumesExist {
 			klog.V(3).InfoS("Orphaned pod found, but volumes not yet removed.  Reducing cpu to minimum", "podUID", uid)
-			if err := pcm.ReduceCPULimits(val); err != nil {
+			// TODO: Pass logger from context once contextual logging migration is complete
+			if err := pcm.ReduceCPULimits(klog.TODO(), val); err != nil {
 				klog.InfoS("Failed to reduce cpu time for pod pending volume cleanup", "podUID", uid, "err", err)
 			}
 			continue
 		}
 		klog.V(3).InfoS("Orphaned pod found, removing pod cgroups", "podUID", uid)
-		// Destroy all cgroups of pod that should not be running,
-		// by first killing all the attached processes to these cgroups.
-		// We ignore errors thrown by the method, as the housekeeping loop would
-		// again try to delete these unwanted pod cgroups
-		go pcm.Destroy(val)
+		// Destroy all cgroups of pods that should not be running,
+		// by first killing all the attached processes in these cgroups.
+		// The error return value of Destroy is explicitly checked and logged,
+		// but errors are tolerated since the housekeeping loop loop would
+		// again try to delete these unwanted pod cgroups.
+		// TODO: Pass logger from context once contextual logging migration is complete
+		go func() {
+			if err := pcm.Destroy(klog.TODO(), val); err != nil {
+				klog.InfoS("Failed to destroy orphaned pod cgroup", "podUID", uid, "err", err)
+			}
+		}()
 	}
 }
 
diff --git a/pkg/kubelet/kubelet_pods_test.go b/pkg/kubelet/kubelet_pods_test.go
index d5f71ca77c842..7678b70c71548 100644
--- a/pkg/kubelet/kubelet_pods_test.go
+++ b/pkg/kubelet/kubelet_pods_test.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	core "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/record"
@@ -2091,6 +2092,24 @@ func waitingStateWithNonZeroTermination(cName string) v1.ContainerStatus {
 		},
 	}
 }
+func waitingStateWithRestartingAllContainers(cName string) v1.ContainerStatus {
+	return v1.ContainerStatus{
+		Name: cName,
+		State: v1.ContainerState{
+			Waiting: &v1.ContainerStateWaiting{
+				Reason:  RestartingAllContainers,
+				Message: "The container is removed because RestartAllContainers in place",
+			},
+		},
+		LastTerminationState: v1.ContainerState{
+			Terminated: &v1.ContainerStateTerminated{
+				Reason:   RestartingAllContainers,
+				Message:  "The container is removed because RestartAllContainers in place",
+				ExitCode: 137,
+			},
+		},
+	}
+}
 func runningState(cName string) v1.ContainerStatus {
 	return v1.ContainerStatus{
 		Name: cName,
@@ -2145,6 +2164,16 @@ func failedState(cName string) v1.ContainerStatus {
 		},
 	}
 }
+func failedStateWithExitCode(cName string, exitCode int32) v1.ContainerStatus {
+	return v1.ContainerStatus{
+		Name: cName,
+		State: v1.ContainerState{
+			Terminated: &v1.ContainerStateTerminated{
+				ExitCode: exitCode,
+			},
+		},
+	}
+}
 func waitingWithLastTerminationUnknown(cName string, restartCount int32) v1.ContainerStatus {
 	return v1.ContainerStatus{
 		Name: cName,
@@ -2169,6 +2198,10 @@ func withID(status v1.ContainerStatus, id string) v1.ContainerStatus {
 	status.ContainerID = id
 	return status
 }
+func withRestartCount(status v1.ContainerStatus, restartCount int32) v1.ContainerStatus {
+	status.RestartCount = restartCount
+	return status
+}
 
 func TestPodPhaseWithRestartAlways(t *testing.T) {
 	desiredState := v1.PodSpec{
@@ -3503,9 +3536,256 @@ func TestPodPhaseWithContainerRestartPolicyInitContainers(t *testing.T) {
 	}
 }
 
-// No special init-specific logic for this, see RestartAlways case
-// func TestPodPhaseWithRestartOnFailureInitContainers(t *testing.T) {
-// }
+func TestPodPhaseWithRestartAllContainers(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+	var (
+		containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways
+		containerRestartPolicyNever  = v1.ContainerRestartPolicyNever
+	)
+
+	containerWithRule := v1.Container{
+		Name:          "container",
+		RestartPolicy: &containerRestartPolicyNever,
+		RestartPolicyRules: []v1.ContainerRestartRule{{
+			Action: v1.ContainerRestartRuleActionRestartAllContainers,
+			ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+				Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+				Values:   []int32{42},
+			},
+		}},
+	}
+	sidecarContainerWithRule := v1.Container{
+		Name:          "container",
+		RestartPolicy: &containerRestartPolicyAlways,
+		RestartPolicyRules: []v1.ContainerRestartRule{{
+			Action: v1.ContainerRestartRuleActionRestartAllContainers,
+			ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+				Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+				Values:   []int32{42},
+			},
+		}},
+	}
+
+	tests := []struct {
+		name          string
+		spec          *v1.PodSpec
+		statuses      []v1.ContainerStatus
+		expectedPhase v1.PodPhase
+	}{
+		// Trigger RestartAllContainers
+		{
+			name: "regular container triggers RestartAllContainers",
+			spec: &v1.PodSpec{
+				Containers:    []v1.Container{containerWithRule},
+				RestartPolicy: v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedStateWithExitCode("container", 42),
+			},
+			expectedPhase: v1.PodRunning,
+		},
+		{
+			name: "init container triggers RestartAllContainers",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{containerWithRule},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedStateWithExitCode("container", 42),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "sidecar container triggers RestartAllContainers",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedStateWithExitCode("container", 42),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "sidecar container triggers RestartAllContainers, kills another init container",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule, {Name: "init"}},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedStateWithExitCode("container", 42),
+				waitingState("init"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		// Cleanup phase
+		{
+			name: "regular container triggers RestartAllContainers, cleaned up",
+			spec: &v1.PodSpec{
+				Containers:    []v1.Container{containerWithRule},
+				RestartPolicy: v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				waitingStateWithRestartingAllContainers("container"),
+			},
+			expectedPhase: v1.PodRunning,
+		},
+		{
+			name: "init container triggers RestartAllContainers, cleaned up",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{containerWithRule},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				waitingStateWithRestartingAllContainers("container"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "sidecar container triggers RestartAllContainers, cleaned up",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				waitingStateWithRestartingAllContainers("container"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "sidecar container triggers RestartAllContainers, kills another init container, cleaned up",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule, {Name: "init"}},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				waitingStateWithRestartingAllContainers("container"),
+				waitingStateWithRestartingAllContainers("container"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		// Startup phase
+		{
+			name: "regular container triggered RestartAllContainers; init container succeeded",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{{Name: "init"}},
+				Containers:     []v1.Container{containerWithRule},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				succeededState("init"),
+				waitingStateWithRestartingAllContainers("container"),
+			},
+			expectedPhase: v1.PodRunning,
+		},
+		{
+			name: "regular container triggered RestartAllContainers; init container failed",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{{Name: "init"}},
+				Containers:     []v1.Container{containerWithRule},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedState("init"),
+				waitingStateWithRestartingAllContainers("container"),
+			},
+			expectedPhase: v1.PodFailed,
+		},
+		{
+			name: "init container triggered RestartAllContainers",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{containerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				failedStateWithExitCode("container", 42),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "init container triggered RestartAllContainers; init container succeeds",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{containerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				succeededState("container"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+		{
+			name: "sidecar container triggered RestartAllContainers kills regular container",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				waitingStateWithRestartingAllContainers("container"),
+				waitingStateWithRestartingAllContainers("regular"),
+			},
+			expectedPhase: v1.PodRunning,
+		},
+		{
+			name: "sidecar container triggered RestartAllContainers kills regular container; sidecar running",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				runningState("container"),
+				waitingStateWithRestartingAllContainers("regular"),
+			},
+			expectedPhase: v1.PodRunning,
+		},
+		{
+			name: "sidecar container triggered RestartAllContainers; kills init container; sidecar running",
+			spec: &v1.PodSpec{
+				InitContainers: []v1.Container{sidecarContainerWithRule, {Name: "init"}},
+				Containers:     []v1.Container{{Name: "regular"}},
+				RestartPolicy:  v1.RestartPolicyNever,
+			},
+			statuses: []v1.ContainerStatus{
+				runningState("container"),
+				waitingStateWithRestartingAllContainers("container"),
+				waitingState("regular"),
+			},
+			expectedPhase: v1.PodPending,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			pod := &v1.Pod{
+				Spec: *tc.spec,
+				Status: v1.PodStatus{
+					ContainerStatuses: tc.statuses,
+				},
+			}
+			phase := getPhase(pod, tc.statuses, false, true)
+			assert.Equal(t, tc.expectedPhase, phase)
+		})
+	}
+}
 
 func TestConvertToAPIContainerStatuses(t *testing.T) {
 	desiredState := v1.PodSpec{
@@ -3526,6 +3806,7 @@ func TestConvertToAPIContainerStatuses(t *testing.T) {
 		containers        []v1.Container
 		hasInitContainers bool
 		isInitContainer   bool
+		podRestarting     bool
 		expected          []v1.ContainerStatus
 	}{
 		{
@@ -3577,7 +3858,212 @@ func TestConvertToAPIContainerStatuses(t *testing.T) {
 				waitingWithLastTerminationUnknown("containerB", 1),
 			},
 		},
+		{
+			name: "no current status, keeping previous restartCount",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{},
+			previousStatus: []v1.ContainerStatus{
+				withRestartCount(failedState("containerA"), 5),
+				withRestartCount(failedState("containerB"), 5),
+			},
+			containers: desiredState.Containers,
+			// no init containers
+			// is not an init container
+			expected: []v1.ContainerStatus{
+				withRestartCount(failedState("containerA"), 5),
+				withRestartCount(failedState("containerB"), 5),
+			},
+		},
+		{
+			name: "currently running with lower reset restartCount; should keeping previous restartCount",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:         "containerA",
+					ID:           kubecontainer.ContainerID{ID: "containerA"},
+					State:        kubecontainer.ContainerStateRunning,
+					RestartCount: 0,
+				}, {
+					Name:         "containerB",
+					ID:           kubecontainer.ContainerID{ID: "containerB"},
+					State:        kubecontainer.ContainerStateRunning,
+					RestartCount: 0,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				withRestartCount(failedState("containerA"), 5),
+				withRestartCount(failedState("containerB"), 5),
+			},
+			containers: desiredState.Containers,
+			// no init containers
+			// is not an init container
+			expected: []v1.ContainerStatus{
+				withRestartCount(runningState("containerA"), 6),
+				withRestartCount(runningState("containerB"), 6),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:  "containerA",
+					State: kubecontainer.ContainerStateRunning,
+				}, {
+					Name:     "containerB",
+					State:    kubecontainer.ContainerStateExited,
+					ExitCode: 42,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				runningState("containerA"),
+				runningState("containerB"),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				runningState("containerA"),
+				failedStateWithExitCode("containerB", 42),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA killed",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:     "containerA",
+					State:    kubecontainer.ContainerStateExited,
+					ExitCode: 137,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				runningState("containerA"),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				failedStateWithExitCode("containerA", 137),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA killed then removed",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{},
+			previousStatus: []v1.ContainerStatus{
+				failedStateWithExitCode("containerA", 137),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				withRestartCount(waitingStateWithRestartingAllContainers("containerA"), 1),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA killed and removed together",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{},
+			previousStatus: []v1.ContainerStatus{
+				runningState("containerA"),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				withRestartCount(waitingStateWithRestartingAllContainers("containerA"), 1),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA rerun",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:  "containerA",
+					State: kubecontainer.ContainerStateRunning,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				withRestartCount(waitingState("containerA"), 1),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				withRestartCount(runningState("containerA"), 1),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA succeeded",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:     "containerA",
+					State:    kubecontainer.ContainerStateExited,
+					ExitCode: 0,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				withRestartCount(runningState("containerA"), 1),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				withRestartCount(succeededState("containerA"), 1),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
+		{
+			name: "containerB dies and triggers RestartAllContainers in place, containerA failed",
+			pod: &v1.Pod{
+				Spec: desiredState,
+			},
+			currentStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{{
+					Name:     "containerA",
+					State:    kubecontainer.ContainerStateExited,
+					ExitCode: 1,
+				}},
+			},
+			previousStatus: []v1.ContainerStatus{
+				withRestartCount(runningState("containerA"), 1),
+				failedStateWithExitCode("containerB", 42),
+			},
+			containers:    desiredState.Containers,
+			podRestarting: true,
+			expected: []v1.ContainerStatus{
+				withRestartCount(failedStateWithExitCode("containerA", 1), 1),
+				withRestartCount(waitingStateWithRestartingAllContainers("containerB"), 1),
+			},
+		},
 	}
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
@@ -3590,8 +4076,15 @@ func TestConvertToAPIContainerStatuses(t *testing.T) {
 				test.containers,
 				test.hasInitContainers,
 				test.isInitContainer,
+				test.podRestarting,
 			)
 			for i, status := range containerStatuses {
+				// cleanup irrelevant fields
+				status.ContainerID = ""
+				status.Resources = nil
+				if status.State.Terminated != nil {
+					status.State.Terminated.ContainerID = ""
+				}
 				assert.Equal(t, test.expected[i], status, "[test %s]", test.name)
 			}
 		})
@@ -4906,7 +5399,7 @@ func TestConvertToAPIContainerStatusesDataRace(t *testing.T) {
 	// detection, so would catch a race condition consistently, despite only spawning 2 goroutines
 	for i := 0; i < 2; i++ {
 		go func() {
-			kl.convertToAPIContainerStatuses(pod, criStatus, []v1.ContainerStatus{}, []v1.Container{}, false, false)
+			kl.convertToAPIContainerStatuses(pod, criStatus, []v1.ContainerStatus{}, []v1.Container{}, false, false, false)
 		}()
 	}
 }
@@ -5346,7 +5839,7 @@ func TestConvertToAPIContainerStatusesForResources(t *testing.T) {
 				ImageID:            "img1234",
 				State:              v1.ContainerState{Running: &v1.ContainerStateRunning{StartedAt: metav1.NewTime(nowTime)}},
 				AllocatedResources: CPU2AndMem2GAndStorage2G,
-				Resources:          &v1.ResourceRequirements{Limits: CPU1AndMem1GAndStorage2G, Requests: CPU1AndMem2GAndStorage2G},
+				Resources:          &v1.ResourceRequirements{Limits: CPU1AndMem1GAndStorage2G, Requests: CPU1AndMem1GAndStorage2G},
 			},
 		},
 	} {
@@ -5364,9 +5857,10 @@ func TestConvertToAPIContainerStatusesForResources(t *testing.T) {
 			resources := tc.ActualResources
 			if resources == nil {
 				resources = &kubecontainer.ContainerResources{
-					MemoryLimit: tc.Resources.Limits.Memory(),
-					CPULimit:    tc.Resources.Limits.Cpu(),
-					CPURequest:  tc.Resources.Requests.Cpu(),
+					MemoryLimit:   tc.Resources.Limits.Memory(),
+					CPULimit:      tc.Resources.Limits.Cpu(),
+					MemoryRequest: tc.Resources.Requests.Memory(),
+					CPURequest:    tc.Resources.Requests.Cpu(),
 				}
 			}
 			state := kubecontainer.ContainerStateRunning
@@ -5375,7 +5869,12 @@ func TestConvertToAPIContainerStatusesForResources(t *testing.T) {
 			}
 			podStatus := testPodStatus(state, resources)
 
-			cStatuses := kubelet.convertToAPIContainerStatuses(tPod, podStatus, []v1.ContainerStatus{tc.OldStatus}, tPod.Spec.Containers, false, false)
+			cStatuses := kubelet.convertToAPIContainerStatuses(tPod, podStatus, []v1.ContainerStatus{tc.OldStatus}, tPod.Spec.Containers, false, false, false)
+			actual := cStatuses[0]
+			// Explicitly test AllocatedResources and Resources separately for debuggability.
+			assert.Equal(t, tc.Expected.AllocatedResources, actual.AllocatedResources, "AllocatedResources")
+			assert.Equal(t, tc.Expected.Resources, actual.Resources, "Resources")
+			// Catch-all for any other status changes.
 			assert.Equal(t, tc.Expected, cStatuses[0])
 		})
 	}
@@ -5491,10 +5990,12 @@ func TestConvertToAPIContainerStatusesForUser(t *testing.T) {
 			}),
 		},
 	} {
+		// Set emulation version so that the feature gate can be disabled in the test
+		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SupplementalGroupsPolicy, tc.featureEnabled)
 		tPod := testPod.DeepCopy()
 		t.Logf("TestCase: %q", tdesc)
-		cStatuses := kubelet.convertToAPIContainerStatuses(tPod, tc.testPodStatus, tPod.Status.ContainerStatuses, tPod.Spec.Containers, false, false)
+		cStatuses := kubelet.convertToAPIContainerStatuses(tPod, tc.testPodStatus, tPod.Status.ContainerStatuses, tPod.Spec.Containers, false, false, false)
 		assert.Equal(t, tc.expectedContainerStatus, cStatuses)
 	}
 }
@@ -7014,7 +7515,7 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 				{Name: "DATABASE", Value: "mydb"},
 			},
 			setupFiles: func() []string {
-				content := "DATABASE=mydb\nAPI_KEY=secret123\n"
+				content := "DATABASE='mydb'\nAPI_KEY='secret123'\n"
 				return []string{createEnvFile("database.env", content)}
 			},
 		},
@@ -7043,7 +7544,7 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 				{Name: "API_KEY", Value: "secret123"},
 			},
 			setupFiles: func() []string {
-				content := "# This is a comment\n\nDATABASE=mydb\nAPI_KEY=secret123\n\n# Another comment\n"
+				content := "# This is a comment\n\nDATABASE='mydb'\nAPI_KEY='secret123'\n\n# Another comment\n"
 				return []string{createEnvFile("config.env", content)}
 			},
 		},
@@ -7071,8 +7572,10 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 			expectedEnvs: []kubecontainer.EnvVar{
 				{Name: "DEBUG_MODE", Value: "true"},
 			},
+			expectedError: true,
+			errorContains: "couldn't parse env file",
 			setupFiles: func() []string {
-				content := "DEBUG_MODE = true\nLOG_LEVEL = info\n"
+				content := "DEBUG_MODE = 'true'\nLOG_LEVEL = 'info'\n"
 				return []string{createEnvFile("debug.env", content)}
 			},
 		},
@@ -7100,7 +7603,7 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 			expectedError: true,
 			errorContains: "environment variable key \"MISSING_KEY\" not found in file",
 			setupFiles: func() []string {
-				content := "EXISTING_KEY=value\n"
+				content := "EXISTING_KEY='value'\n"
 				return []string{createEnvFile("config.env", content)}
 			},
 		},
@@ -7128,7 +7631,7 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 			},
 			expectedEnvs: nil,
 			setupFiles: func() []string {
-				content := "EXISTING_KEY=value\n"
+				content := "EXISTING_KEY='value'\n"
 				return []string{createEnvFile("config.env", content)}
 			},
 		},
@@ -7159,63 +7662,6 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 				return []string{} // No files created
 			},
 		},
-		{
-			name: "key length exceeds 128 characters",
-			container: &v1.Container{
-				Env: []v1.EnvVar{
-					{
-						Name: "LONG_KEY",
-						ValueFrom: &v1.EnvVarSource{
-							FileKeyRef: &v1.FileKeySelector{
-								VolumeName: "config-volume",
-								Path:       "config.env",
-								Key:        strings.Repeat("A", 129),
-							},
-						},
-					},
-				},
-			},
-			podVolumes: map[string]kubecontainer.VolumeInfo{
-				"config-volume": {
-					Mounter: &testVolumeMounter{path: tmpDir},
-				},
-			},
-			expectedError: true,
-			errorContains: "exceeds maximum length of 128 characters",
-			setupFiles: func() []string {
-				content := "EXISTING_KEY=value\n"
-				return []string{createEnvFile("config.env", content)}
-			},
-		},
-		{
-			name: "value size exceeds 32KB",
-			container: &v1.Container{
-				Env: []v1.EnvVar{
-					{
-						Name: "LARGE_VALUE",
-						ValueFrom: &v1.EnvVarSource{
-							FileKeyRef: &v1.FileKeySelector{
-								VolumeName: "config-volume",
-								Path:       "large.env",
-								Key:        "LARGE_VALUE",
-							},
-						},
-					},
-				},
-			},
-			podVolumes: map[string]kubecontainer.VolumeInfo{
-				"config-volume": {
-					Mounter: &testVolumeMounter{path: tmpDir},
-				},
-			},
-			expectedError: true,
-			errorContains: "environment variable value for key \"LARGE_VALUE\" exceeds maximum size of 32KB",
-			setupFiles: func() []string {
-				largeValue := strings.Repeat("A", 33*1024) // 33KB
-				content := fmt.Sprintf("LARGE_VALUE=%s\n", largeValue)
-				return []string{createEnvFile("large.env", content)}
-			},
-		},
 		{
 			name: "volume not found",
 			container: &v1.Container{
@@ -7306,8 +7752,8 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 				{Name: "API_KEY", Value: "secret123"},
 			},
 			setupFiles: func() []string {
-				dbContent := "DATABASE=mydb\n"
-				apiContent := "API_KEY=secret123\n"
+				dbContent := "DATABASE='mydb'\n"
+				apiContent := "API_KEY='secret123'\n"
 				return []string{
 					createEnvFile("database.env", dbContent),
 					createEnvFile("api.env", apiContent),
@@ -7344,7 +7790,7 @@ func TestMakeEnvironmentVariablesWithFileKeyRef(t *testing.T) {
 				{Name: "FILE_VAR", Value: "file_value"},
 			},
 			setupFiles: func() []string {
-				content := "FILE_VAR=file_value\n"
+				content := "FILE_VAR='file_value'\n"
 				return []string{createEnvFile("config.env", content)}
 			},
 		},
diff --git a/pkg/kubelet/kubelet_test.go b/pkg/kubelet/kubelet_test.go
index 7746458001108..3f69c2432f96a 100644
--- a/pkg/kubelet/kubelet_test.go
+++ b/pkg/kubelet/kubelet_test.go
@@ -32,6 +32,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/mock"
+
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	"go.opentelemetry.io/otel/sdk/trace/tracetest"
 	oteltrace "go.opentelemetry.io/otel/trace"
@@ -52,6 +54,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
@@ -60,6 +63,8 @@ import (
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics/testutil"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
 	internalapi "k8s.io/cri-api/pkg/apis"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	remote "k8s.io/cri-client/pkg"
@@ -79,6 +84,7 @@ import (
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/eviction"
 	"k8s.io/kubernetes/pkg/kubelet/images"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/kubelet/kuberuntime"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	"k8s.io/kubernetes/pkg/kubelet/logs"
@@ -206,7 +212,7 @@ func newTestKubeletWithImageList(
 	excludeAdmitHandlers bool,
 	enableResizing bool,
 ) *TestKubelet {
-	logger, _ := ktesting.NewTestContext(t)
+	logger, tCtx := ktesting.NewTestContext(t)
 
 	fakeRuntime := &containertest.FakeRuntime{
 		ImageList: imageList,
@@ -326,16 +332,18 @@ func newTestKubeletWithImageList(
 	}
 
 	kubelet.allocationManager = allocation.NewInMemoryManager(
-		kubelet.containerManager,
+		kubelet.containerManager.GetNodeConfig(),
+		kubelet.containerManager.GetNodeAllocatableAbsolute(),
 		kubelet.statusManager,
 		func(pod *v1.Pod) { kubelet.HandlePodSyncs([]*v1.Pod{pod}) },
 		kubelet.GetActivePods,
 		kubelet.podManager.GetPodByUID,
 		config.NewSourcesReady(func(_ sets.Set[string]) bool { return enableResizing }),
+		kubelet.recorder,
 	)
 	kubelet.allocationManager.SetContainerRuntime(fakeRuntime)
 	volumeStatsAggPeriod := time.Second * 10
-	kubelet.resourceAnalyzer = serverstats.NewResourceAnalyzer(kubelet, volumeStatsAggPeriod, kubelet.recorder)
+	kubelet.resourceAnalyzer = serverstats.NewResourceAnalyzer(tCtx, kubelet, volumeStatsAggPeriod, kubelet.recorder)
 
 	fakeHostStatsProvider := stats.NewFakeHostStatsProvider(&containertest.FakeOS{})
 
@@ -403,14 +411,14 @@ func newTestKubeletWithImageList(
 		ShutdownGracePeriodCriticalPods: 0,
 	})
 	kubelet.shutdownManager = shutdownManager
-	kubelet.usernsManager, err = userns.MakeUserNsManager(kubelet)
+	kubelet.usernsManager, err = userns.MakeUserNsManager(logger, kubelet, nil)
 	if err != nil {
 		t.Fatalf("Failed to create UserNsManager: %v", err)
 	}
 	handlers = append(handlers, shutdownManager)
 
 	// Add this as cleanup predicate pod admitter
-	handlers = append(handlers, lifecycle.NewPredicateAdmitHandler(kubelet.getNodeAnyWay, lifecycle.NewAdmissionFailureHandlerStub(), kubelet.containerManager.UpdatePluginResources))
+	handlers = append(handlers, lifecycle.NewPredicateAdmitHandler(kubelet.GetCachedNode, lifecycle.NewAdmissionFailureHandlerStub(), kubelet.containerManager.UpdatePluginResources))
 
 	if !excludeAdmitHandlers {
 		kubelet.allocationManager.AddPodAdmitHandlers(handlers)
@@ -747,6 +755,105 @@ func TestHandlePodCleanups(t *testing.T) {
 	fakeRuntime.AssertKilledPods([]string(nil))
 }
 
+func TestVolumeAttachLimitExceededCleanup(t *testing.T) {
+	const podCount = 500
+	tk := newTestKubelet(t, true /* controller-attach-detach enabled */)
+	defer tk.Cleanup()
+	kl := tk.kubelet
+
+	kl.nodeLister = testNodeLister{nodes: []*v1.Node{{
+		ObjectMeta: metav1.ObjectMeta{Name: string(kl.nodeName)},
+		Status: v1.NodeStatus{
+			Allocatable: v1.ResourceList{
+				v1.ResourcePods:   *resource.NewQuantity(1000, resource.DecimalSI),
+				v1.ResourceCPU:    resource.MustParse("10"),
+				v1.ResourceMemory: resource.MustParse("20Gi"),
+			},
+		},
+	}}}
+
+	kl.workQueue = queue.NewBasicWorkQueue(clock.RealClock{})
+	kl.podWorkers = newPodWorkers(
+		kl, kl.recorder, kl.workQueue,
+		kl.resyncInterval, backOffPeriod,
+		kl.podCache, kl.allocationManager,
+	)
+
+	kl.volumeManager = kubeletvolume.NewFakeVolumeManager(nil, 0, nil, true /* volumeAttachLimitExceededError  */)
+
+	pods, _ := newTestPodsWithResources(podCount)
+
+	kl.podManager.SetPods(pods)
+	kl.HandlePodSyncs(pods)
+
+	ctx := context.Background()
+
+	// all pods must reach a terminal, Failed state due to VolumeAttachmentLimitExceeded.
+	if err := wait.PollUntilContextTimeout(
+		ctx, 200*time.Millisecond, 30*time.Second, true,
+		func(ctx context.Context) (bool, error) {
+			for _, p := range pods {
+				st, ok := kl.statusManager.GetPodStatus(p.UID)
+				if !ok || st.Phase != v1.PodFailed && st.Reason != "VolumeAttachmentLimitExceeded" {
+					return false, nil
+				}
+			}
+			return true, nil
+		}); err != nil {
+		t.Fatalf("pods did not reach a terminal, Failed state: %v", err)
+	}
+
+	// validate that SyncTerminatedPod completed successfully for each pod.
+	if err := wait.PollUntilContextTimeout(
+		ctx, 200*time.Millisecond, 30*time.Second, true,
+		func(ctx context.Context) (bool, error) {
+			for _, p := range pods {
+				if !kl.podWorkers.ShouldPodBeFinished(p.UID) {
+					return false, nil
+				}
+			}
+			return true, nil
+		}); err != nil {
+		t.Fatalf("pod workers did not finish cleanup: %v", err)
+	}
+
+	// validate container-level resource allocations are released.
+	for _, p := range pods {
+		cn := p.Spec.Containers[0].Name
+		if _, still := kl.allocationManager.GetContainerResourceAllocation(p.UID, cn); still {
+			t.Fatalf("allocation for pod %q container %q not released", p.Name, cn)
+		}
+	}
+}
+
+func newTestPodsWithResources(count int) (pods []*v1.Pod, containerNames []string) {
+	pods = make([]*v1.Pod, count)
+	containerNames = make([]string, count)
+	for i := 0; i < count; i++ {
+		containerName := fmt.Sprintf("container%d", i)
+		containerNames[i] = containerName
+		pods[i] = &v1.Pod{
+			Spec: v1.PodSpec{
+				HostNetwork: true,
+				Containers: []v1.Container{{
+					Name: containerName,
+					Resources: v1.ResourceRequirements{
+						Requests: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("1m"),
+							v1.ResourceMemory: resource.MustParse("1Mi"),
+						},
+					},
+				}},
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				UID:  types.UID(strconv.Itoa(10000 + i)),
+				Name: fmt.Sprintf("pod%d", i),
+			},
+		}
+	}
+	return pods, containerNames
+}
+
 func TestHandlePodRemovesWhenSourcesAreReady(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping test in short mode.")
@@ -1129,7 +1236,7 @@ func TestHandlePluginResources(t *testing.T) {
 	}
 
 	// add updatePluginResourcesFunc to admission handler, to test it's behavior.
-	kl.allocationManager.AddPodAdmitHandlers(lifecycle.PodAdmitHandlers{lifecycle.NewPredicateAdmitHandler(kl.getNodeAnyWay, lifecycle.NewAdmissionFailureHandlerStub(), updatePluginResourcesFunc)})
+	kl.allocationManager.AddPodAdmitHandlers(lifecycle.PodAdmitHandlers{lifecycle.NewPredicateAdmitHandler(kl.GetCachedNode, lifecycle.NewAdmissionFailureHandlerStub(), updatePluginResourcesFunc)})
 
 	recorder := record.NewFakeRecorder(20)
 	nodeRef := &v1.ObjectReference{
@@ -3049,25 +3156,19 @@ func TestSyncLabels(t *testing.T) {
 func waitForVolumeUnmount(
 	volumeManager kubeletvolume.VolumeManager,
 	pod *v1.Pod) error {
-	var podVolumes kubecontainer.VolumeMap
 	err := retryWithExponentialBackOff(
 		time.Duration(50*time.Millisecond),
 		func() (bool, error) {
 			// Verify volumes detached
-			podVolumes = volumeManager.GetMountedVolumesForPod(
+			hasVolumes := volumeManager.HasPossiblyMountedVolumesForPod(
 				util.GetUniquePodName(pod))
-
-			if len(podVolumes) != 0 {
-				return false, nil
-			}
-
-			return true, nil
+			return !hasVolumes, nil
 		},
 	)
 
 	if err != nil {
 		return fmt.Errorf(
-			"Expected volumes to be unmounted. But some volumes are still mounted: %#v", podVolumes)
+			"Expected volumes to be unmounted. But some volumes are still mounted")
 	}
 
 	return nil
@@ -3168,7 +3269,11 @@ func TestNewMainKubeletStandAlone(t *testing.T) {
 		ConfigMapAndSecretChangeDetectionStrategy: kubeletconfiginternal.WatchChangeDetectionStrategy,
 		ContainerLogMaxSize:                       "10Mi",
 		ContainerLogMaxFiles:                      5,
+		ImagePullCredentialsVerificationPolicy:    "NeverVerifyPreloadedImages",
 		MemoryThrottlingFactor:                    ptr.To[float64](0),
+		CrashLoopBackOff: kubeletconfiginternal.CrashLoopBackOffConfig{
+			MaxContainerRestartPeriod: &metav1.Duration{Duration: 5 * time.Minute},
+		},
 	}
 	var prober volume.DynamicPluginProber
 	tp := noopoteltrace.NewTracerProvider()
@@ -3209,7 +3314,7 @@ func TestNewMainKubeletStandAlone(t *testing.T) {
 		DynamicPluginProber:  prober,
 		TLSOptions:           tlsOptions,
 	}
-	crOptions := &config.ContainerRuntimeOptions{}
+	crOptions := &kubeletconfig.ContainerRuntimeOptions{}
 
 	testMainKubelet, err := NewMainKubelet(
 		tCtx,
@@ -3291,6 +3396,8 @@ func TestSyncPodSpans(t *testing.T) {
 		ContainerLogMaxSize:                       "10Mi",
 		ContainerLogMaxFiles:                      5,
 		MemoryThrottlingFactor:                    ptr.To[float64](0),
+		MaxPods:                                   110,
+		MaxParallelImagePulls:                     ptr.To[int32](5),
 	}
 
 	exp := tracetest.NewInMemoryExporter()
@@ -3343,7 +3450,6 @@ func TestSyncPodSpans(t *testing.T) {
 		kubelet.containerManager,
 		kubelet.containerLogManager,
 		kubelet.runtimeClassManager,
-		kubelet.allocationManager,
 		false,
 		kubeCfg.MemorySwap.SwapBehavior,
 		kubelet.containerManager.GetNodeAllocatableAbsolute,
@@ -3635,60 +3741,46 @@ func TestCrashLoopBackOffConfiguration(t *testing.T) {
 	testCases := []struct {
 		name            string
 		featureGates    []featuregate.Feature
-		nodeDecay       metav1.Duration
+		configuredMax   metav1.Duration
 		expectedInitial time.Duration
 		expectedMax     time.Duration
 	}{
-		{
-			name:            "Prior behavior",
-			expectedMax:     time.Duration(300 * time.Second),
-			expectedInitial: time.Duration(10 * time.Second),
-		},
-		{
-			name:            "New default only",
-			featureGates:    []featuregate.Feature{features.ReduceDefaultCrashLoopBackOffDecay},
-			expectedMax:     time.Duration(60 * time.Second),
-			expectedInitial: time.Duration(1 * time.Second),
-		},
 		{
 			name:            "Faster per node config; only node config configured",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax},
-			nodeDecay:       metav1.Duration{Duration: 2 * time.Second},
+			configuredMax:   metav1.Duration{Duration: 2 * time.Second},
 			expectedMax:     time.Duration(2 * time.Second),
 			expectedInitial: time.Duration(2 * time.Second),
 		},
 		{
 			name:            "Faster per node config; new default and node config configured",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax, features.ReduceDefaultCrashLoopBackOffDecay},
-			nodeDecay:       metav1.Duration{Duration: 2 * time.Second},
+			featureGates:    []featuregate.Feature{features.ReduceDefaultCrashLoopBackOffDecay},
+			configuredMax:   metav1.Duration{Duration: 2 * time.Second},
 			expectedMax:     time.Duration(2 * time.Second),
 			expectedInitial: time.Duration(1 * time.Second),
 		},
 		{
 			name:            "Slower per node config; new default and node config configured, set A",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax, features.ReduceDefaultCrashLoopBackOffDecay},
-			nodeDecay:       metav1.Duration{Duration: 10 * time.Second},
+			featureGates:    []featuregate.Feature{features.ReduceDefaultCrashLoopBackOffDecay},
+			configuredMax:   metav1.Duration{Duration: 10 * time.Second},
 			expectedMax:     time.Duration(10 * time.Second),
 			expectedInitial: time.Duration(1 * time.Second),
 		},
 		{
 			name:            "Slower per node config; new default and node config configured, set B",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax, features.ReduceDefaultCrashLoopBackOffDecay},
-			nodeDecay:       metav1.Duration{Duration: 300 * time.Second},
+			featureGates:    []featuregate.Feature{features.ReduceDefaultCrashLoopBackOffDecay},
+			configuredMax:   metav1.Duration{Duration: 300 * time.Second},
 			expectedMax:     time.Duration(300 * time.Second),
 			expectedInitial: time.Duration(1 * time.Second),
 		},
 		{
 			name:            "Slower per node config; only node config configured, set A",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax},
-			nodeDecay:       metav1.Duration{Duration: 11 * time.Second},
+			configuredMax:   metav1.Duration{Duration: 11 * time.Second},
 			expectedMax:     time.Duration(11 * time.Second),
 			expectedInitial: time.Duration(10 * time.Second),
 		},
 		{
 			name:            "Slower per node config; only node config configured, set B",
-			featureGates:    []featuregate.Feature{features.KubeletCrashLoopBackOffMax},
-			nodeDecay:       metav1.Duration{Duration: 300 * time.Second},
+			configuredMax:   metav1.Duration{Duration: 300 * time.Second},
 			expectedMax:     time.Duration(300 * time.Second),
 			expectedInitial: time.Duration(10 * time.Second),
 		},
@@ -3701,8 +3793,8 @@ func TestCrashLoopBackOffConfiguration(t *testing.T) {
 			for _, f := range tc.featureGates {
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, true)
 			}
-			if tc.nodeDecay.Duration > 0 {
-				kubeCfg.CrashLoopBackOff.MaxContainerRestartPeriod = &tc.nodeDecay
+			if tc.configuredMax.Duration > 0 {
+				kubeCfg.CrashLoopBackOff.MaxContainerRestartPeriod = &tc.configuredMax
 			}
 
 			resultMax, resultInitial := newCrashLoopBackOff(kubeCfg)
@@ -3717,18 +3809,24 @@ func TestSyncPodWithErrorsDuringInPlacePodResize(t *testing.T) {
 	testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
 	defer testKubelet.Cleanup()
 	kubelet := testKubelet.kubelet
+	kubelet.recorder = record.NewFakeRecorder(20)
 
 	pod := podWithUIDNameNsSpec("12345678", "foo", "new", v1.PodSpec{
 		Containers: []v1.Container{
 			{Name: "bar"},
 		},
 	})
+	pod.Generation = 2
+	kubelet.podManager.SetPods([]*v1.Pod{pod})
+	kubelet.statusManager.SetPodResizeInProgressCondition(pod.UID, "", "", 1)
 
 	testCases := []struct {
 		name                     string
 		syncResults              *kubecontainer.PodSyncResult
+		podResizeInProgress      bool
 		expectedErr              string
 		expectedResizeConditions []*v1.PodCondition
+		expectedEvent            string
 	}{
 		{
 			name: "pod resize error returned from the runtime",
@@ -3740,13 +3838,16 @@ func TestSyncPodWithErrorsDuringInPlacePodResize(t *testing.T) {
 					Message: "could not resize pod",
 				}},
 			},
-			expectedErr: "failed to \"ResizePodInPlace\" for \"12345678\" with ResizePodInPlaceError: \"could not resize pod\"",
+			podResizeInProgress: true,
+			expectedErr:         "failed to \"ResizePodInPlace\" for \"12345678\" with ResizePodInPlaceError: \"could not resize pod\"",
 			expectedResizeConditions: []*v1.PodCondition{{
-				Type:    v1.PodResizeInProgress,
-				Status:  v1.ConditionTrue,
-				Reason:  v1.PodReasonError,
-				Message: "could not resize pod",
+				Type:               v1.PodResizeInProgress,
+				Status:             v1.ConditionTrue,
+				Reason:             v1.PodReasonError,
+				Message:            "could not resize pod",
+				ObservedGeneration: 1,
 			}},
+			expectedEvent: "Warning ResizeError Pod resize error: {\"containers\":[{\"name\":\"bar\",\"resources\":{}}],\"generation\":1,\"error\":\"could not resize pod\"}",
 		},
 		{
 			name: "pod resize error cleared upon successful run",
@@ -3757,6 +3858,7 @@ func TestSyncPodWithErrorsDuringInPlacePodResize(t *testing.T) {
 				}},
 			},
 			expectedResizeConditions: nil,
+			expectedEvent:            "Normal ResizeCompleted Pod resize completed: {\"containers\":[{\"name\":\"bar\",\"resources\":{}}],\"generation\":1}",
 		},
 		{
 			name: "sync results have a non-resize error",
@@ -3795,7 +3897,7 @@ func TestSyncPodWithErrorsDuringInPlacePodResize(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			testKubelet.fakeRuntime.SyncResults = tc.syncResults
-			kubelet.podManager.SetPods([]*v1.Pod{pod})
+			testKubelet.fakeRuntime.PodResizeInProgress = tc.podResizeInProgress
 			isTerminal, err := kubelet.SyncPod(context.Background(), kubetypes.SyncPodUpdate, pod, nil, &kubecontainer.PodStatus{})
 			require.False(t, isTerminal)
 			if tc.expectedErr == "" {
@@ -3811,6 +3913,20 @@ func TestSyncPodWithErrorsDuringInPlacePodResize(t *testing.T) {
 				c.LastTransitionTime = metav1.Time{}
 			}
 			require.Equal(t, tc.expectedResizeConditions, gotResizeConditions)
+
+			fakeRecorder := kubelet.recorder.(*record.FakeRecorder)
+			found := false
+			for len(fakeRecorder.Events) > 0 {
+				event := <-fakeRecorder.Events
+				if event == tc.expectedEvent {
+					found = true
+				} else if strings.Contains(event, "Resize") {
+					t.Errorf("Received unexpected resize event: %q", event)
+				}
+			}
+			if tc.expectedEvent != "" {
+				require.True(t, found, "Expected event %q not found", tc.expectedEvent)
+			}
 		})
 	}
 }
@@ -4592,3 +4708,143 @@ func TestHandlePodReconcile_RetryPendingResizes(t *testing.T) {
 		})
 	}
 }
+
+func TestSyncPodNodeDeclaredFeaturesUpdate(t *testing.T) {
+	cpu1000m := resource.MustParse("1")
+	mem1000M := resource.MustParse("1Gi")
+	cpu2000m := resource.MustParse("2")
+	oldPod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			UID:       "1111",
+			Name:      "pod1",
+			Namespace: "ns1",
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:  "c1",
+					Image: "i1",
+					Resources: v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+					},
+				},
+			},
+		},
+		Status: v1.PodStatus{
+			Phase: v1.PodRunning,
+			ContainerStatuses: []v1.ContainerStatus{
+				{
+					Name:               "c1",
+					AllocatedResources: v1.ResourceList{v1.ResourceCPU: cpu1000m, v1.ResourceMemory: mem1000M},
+					Resources:          &v1.ResourceRequirements{},
+				},
+			},
+		},
+	}
+	newPod := oldPod.DeepCopy()
+	newPod.Spec.Containers[0].Resources.Requests[v1.ResourceCPU] = cpu2000m
+	createMockFeature := func(t *testing.T, name string, inferForUpdate bool, maxVersionStr string) *ndftesting.MockFeature {
+		m := ndftesting.NewMockFeature(t)
+		m.EXPECT().Name().Return(name).Maybe()
+		m.EXPECT().InferForUpdate(mock.Anything, mock.Anything).Return(inferForUpdate).Maybe()
+		if maxVersionStr != "" {
+			maxVersionStr := utilversion.MustParseSemantic(maxVersionStr)
+			m.EXPECT().MaxVersion().Return(maxVersionStr).Maybe()
+		} else {
+			m.EXPECT().MaxVersion().Return(nil).Maybe()
+		}
+		return m
+	}
+
+	testCases := []struct {
+		name               string
+		featureGateEnabled bool
+		nodeFeatures       []string
+		registeredFeatures []ndf.Feature
+		expectEvent        bool
+		expectedEventMsg   string
+		componentVersion   string
+	}{
+		{
+			name:               "Feature gate disabled",
+			featureGateEnabled: false,
+			componentVersion:   "1.35.0",
+			registeredFeatures: []ndf.Feature{},
+			expectEvent:        false,
+		},
+		{
+			name:               "Feature gate enabled, no requirements from update",
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			nodeFeatures:       []string{"FeatureA"},
+			registeredFeatures: []ndf.Feature{createMockFeature(t, "FeatureA", false, "")},
+			expectEvent:        false,
+		},
+		{
+			name:               "Feature gate enabled, requirements met",
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			nodeFeatures:       []string{"FeatureA"},
+			registeredFeatures: []ndf.Feature{createMockFeature(t, "FeatureA", true, "")},
+			expectEvent:        false,
+		},
+		{
+			name:               "Feature gate enabled, requirements not met",
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			nodeFeatures:       []string{"FeatureB"},
+			registeredFeatures: []ndf.Feature{createMockFeature(t, "FeatureA", true, "")},
+			expectEvent:        true,
+			expectedEventMsg:   "Pod requires node features that are not available: FeatureA",
+		},
+		{
+			name:               "feature generally available - not declared",
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			nodeFeatures:       []string{""},
+			registeredFeatures: []ndf.Feature{createMockFeature(t, "FeatureA", true, "1.34.0")},
+			expectEvent:        false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.featureGateEnabled)
+
+			testKubelet := newTestKubelet(t, false)
+			defer testKubelet.Cleanup()
+			kubelet := testKubelet.kubelet
+
+			// Setup mocks
+			recorder := record.NewFakeRecorder(10)
+			kubelet.recorder = recorder
+
+			framework, err := ndf.New(tc.registeredFeatures)
+			require.NoError(t, err)
+			kubelet.nodeDeclaredFeaturesFramework = framework
+			kubelet.nodeDeclaredFeatures = tc.nodeFeatures
+			kubelet.nodeDeclaredFeaturesSet = ndf.NewFeatureSet(kubelet.nodeDeclaredFeatures...)
+			kubelet.version = utilversion.MustParse("1.35.0")
+
+			kubelet.podManager.SetPods([]*v1.Pod{oldPod})
+			kubelet.statusManager.SetPodStatus(klog.TODO(), newPod, v1.PodStatus{Phase: v1.PodRunning})
+			kubelet.HandlePodUpdates([]*v1.Pod{newPod})
+
+			if tc.expectEvent {
+				select {
+				case event := <-recorder.Events:
+					assert.Contains(t, event, tc.expectedEventMsg)
+				default:
+					t.Errorf("Expected an event but did not receive one.")
+				}
+			} else {
+				select {
+				case event := <-recorder.Events:
+					t.Errorf("Expected no event, but received: %s", event)
+				default:
+					// No event received, which is correct.
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/kubelet_volumes.go b/pkg/kubelet/kubelet_volumes.go
index 16a9daaddc719..40320dcdf55af 100644
--- a/pkg/kubelet/kubelet_volumes.go
+++ b/pkg/kubelet/kubelet_volumes.go
@@ -76,9 +76,7 @@ func (kl *Kubelet) ListBlockVolumesForPod(podUID types.UID) (map[string]volume.B
 // podVolumesExist checks with the volume manager and returns true any of the
 // pods for the specified volume are mounted or are uncertain.
 func (kl *Kubelet) podVolumesExist(podUID types.UID) bool {
-	if mountedVolumes :=
-		kl.volumeManager.GetPossiblyMountedVolumesForPod(
-			volumetypes.UniquePodName(podUID)); len(mountedVolumes) > 0 {
+	if kl.volumeManager.HasPossiblyMountedVolumesForPod(volumetypes.UniquePodName(podUID)) {
 		return true
 	}
 	// TODO: This checks pod volume paths and whether they are mounted. If checking returns error, podVolumesExist will return true
diff --git a/pkg/kubelet/kubelet_volumes_test.go b/pkg/kubelet/kubelet_volumes_test.go
index 9ba12c2f31a25..4f8bf7c45ef9e 100644
--- a/pkg/kubelet/kubelet_volumes_test.go
+++ b/pkg/kubelet/kubelet_volumes_test.go
@@ -470,16 +470,12 @@ func TestVolumeUnmountAndDetachControllerDisabled(t *testing.T) {
 	kubelet.podManager.SetPods([]*v1.Pod{})
 
 	assert.NoError(t, kubelet.volumeManager.WaitForUnmount(context.Background(), pod))
-	if actual := kubelet.volumeManager.GetMountedVolumesForPod(util.GetUniquePodName(pod)); len(actual) > 0 {
-		t.Fatalf("expected volume unmount to wait for no volumes: %v", actual)
-	}
 
 	// Verify volumes unmounted
-	podVolumes = kubelet.volumeManager.GetMountedVolumesForPod(
+	hasMountedVolumes := kubelet.volumeManager.HasPossiblyMountedVolumesForPod(
 		util.GetUniquePodName(pod))
 
-	assert.Empty(t, podVolumes,
-		"Expected volumes to be unmounted and detached. But some volumes are still mounted: %#v", podVolumes)
+	assert.False(t, hasMountedVolumes, "Expected volumes to be unmounted and detached. But some volumes are still mounted")
 
 	assert.NoError(t, volumetest.VerifyTearDownCallCount(
 		1 /* expectedTearDownCallCount */, testKubelet.volumePlugin))
@@ -557,9 +553,9 @@ func TestVolumeAttachAndMountControllerEnabled(t *testing.T) {
 
 	podVolumes := kubelet.volumeManager.GetMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	allPodVolumes := kubelet.volumeManager.GetPossiblyMountedVolumesForPod(
+	hasVolumes := kubelet.volumeManager.HasPossiblyMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	assert.Equal(t, podVolumes, allPodVolumes, "GetMountedVolumesForPod and GetPossiblyMountedVolumesForPod should return the same volumes")
+	assert.True(t, hasVolumes, "HasPossiblyMountedVolumesForPod should return true")
 
 	expectedPodVolumes := []string{"vol1"}
 	assert.Len(t, podVolumes, len(expectedPodVolumes), "Volumes for pod %+v", pod)
@@ -644,9 +640,9 @@ func TestVolumeUnmountAndDetachControllerEnabled(t *testing.T) {
 
 	podVolumes := kubelet.volumeManager.GetMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	allPodVolumes := kubelet.volumeManager.GetPossiblyMountedVolumesForPod(
+	hasVolumes := kubelet.volumeManager.HasPossiblyMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	assert.Equal(t, podVolumes, allPodVolumes, "GetMountedVolumesForPod and GetPossiblyMountedVolumesForPod should return the same volumes")
+	assert.True(t, hasVolumes, "HasPossiblyMountedVolumesForPod should return true")
 
 	expectedPodVolumes := []string{"vol1"}
 	assert.Len(t, podVolumes, len(expectedPodVolumes), "Volumes for pod %+v", pod)
@@ -672,9 +668,9 @@ func TestVolumeUnmountAndDetachControllerEnabled(t *testing.T) {
 	// Verify volumes unmounted
 	podVolumes = kubelet.volumeManager.GetMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	allPodVolumes = kubelet.volumeManager.GetPossiblyMountedVolumesForPod(
+	hasVolumes = kubelet.volumeManager.HasPossiblyMountedVolumesForPod(
 		util.GetUniquePodName(pod))
-	assert.Equal(t, podVolumes, allPodVolumes, "GetMountedVolumesForPod and GetPossiblyMountedVolumesForPod should return the same volumes")
+	assert.False(t, hasVolumes, "HasPossiblyMountedVolumesForPod should return false")
 
 	assert.Empty(t, podVolumes,
 		"Expected volumes to be unmounted and detached. But some volumes are still mounted")
diff --git a/pkg/kubelet/kubeletconfig/defaults.go b/pkg/kubelet/kubeletconfig/defaults.go
new file mode 100644
index 0000000000000..7f4577ab15dba
--- /dev/null
+++ b/pkg/kubelet/kubeletconfig/defaults.go
@@ -0,0 +1,34 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeletconfig
+
+// Defines sane defaults for the kubelet config.
+const (
+	DefaultKubeletPodsDirName                = "pods"
+	DefaultKubeletVolumesDirName             = "volumes"
+	DefaultKubeletVolumeSubpathsDirName      = "volume-subpaths"
+	DefaultKubeletVolumeDevicesDirName       = "volumeDevices"
+	DefaultKubeletPluginsDirName             = "plugins"
+	DefaultKubeletPluginsRegistrationDirName = "plugins_registry"
+	DefaultKubeletContainersDirName          = "containers"
+	DefaultKubeletPluginContainersDirName    = "plugin-containers"
+	DefaultKubeletPodResourcesDirName        = "pod-resources"
+	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
+	KubeletContainersSharedSELinuxLabel      = "system_u:object_r:container_file_t:s0"
+	DefaultKubeletCheckpointsDirName         = "checkpoints"
+	DefaultKubeletUserNamespacesIDsPerPod    = 65536
+)
diff --git a/pkg/kubelet/kubeletconfig/types.go b/pkg/kubelet/kubeletconfig/types.go
new file mode 100644
index 0000000000000..70b3e6054bc8f
--- /dev/null
+++ b/pkg/kubelet/kubeletconfig/types.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubeletconfig
+
+// ContainerRuntimeOptions defines options for the container runtime.
+type ContainerRuntimeOptions struct {
+	// General Options.
+
+	// RuntimeCgroups that container runtime is expected to be isolated in.
+	RuntimeCgroups string
+	// Image credential provider plugin options
+
+	// ImageCredentialProviderConfigPath is the path to the credential provider plugin config file or directory.
+	// If a directory is specified, all .json, .yaml, or .yml files in the directory are loaded and merged
+	// in lexicographical order. This config file(s) specify what credential providers are enabled
+	// and invoked by the kubelet. The plugin config should contain information about what plugin binary
+	// to execute and what container images the plugin should be called for.
+	// +optional
+	ImageCredentialProviderConfigPath string
+	// ImageCredentialProviderBinDir is the path to the directory where credential provider plugin
+	// binaries exist. The name of each plugin binary is expected to match the name of the plugin
+	// specified in imageCredentialProviderConfigFile.
+	// +optional
+	ImageCredentialProviderBinDir string
+}
diff --git a/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go b/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
index c0548de4b58ab..dad8c88c4de5c 100644
--- a/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/fake_kuberuntime_manager.go
@@ -32,7 +32,7 @@ import (
 	"k8s.io/component-base/logs/logreduction"
 	internalapi "k8s.io/cri-api/pkg/apis"
 	"k8s.io/kubernetes/pkg/credentialprovider"
-	"k8s.io/kubernetes/pkg/kubelet/allocation"
+	"k8s.io/kubernetes/pkg/kubelet/allocation/state"
 	"k8s.io/kubernetes/pkg/kubelet/cm"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/images"
@@ -119,7 +119,7 @@ func newFakeKubeRuntimeManager(ctx context.Context, runtimeService internalapi.R
 		logManager:             logManager,
 		memoryThrottlingFactor: 0.9,
 		podLogsDirectory:       fakePodLogsDirectory,
-		allocationManager:      allocation.NewInMemoryManager(nil, nil, nil, nil, nil, nil),
+		actuatedState:          state.NewStateMemory(nil),
 	}
 
 	// Initialize swap controller availability check (always false for tests)
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index df57bc31747f4..97eb7055953b2 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -51,9 +51,14 @@ func (b containersByID) Less(i, j int) bool { return b[i].ID.ID < b[j].ID.ID }
 // Newest first.
 type podSandboxByCreated []*runtimeapi.PodSandbox
 
-func (p podSandboxByCreated) Len() int           { return len(p) }
-func (p podSandboxByCreated) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }
-func (p podSandboxByCreated) Less(i, j int) bool { return p[i].CreatedAt > p[j].CreatedAt }
+func (p podSandboxByCreated) Len() int      { return len(p) }
+func (p podSandboxByCreated) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
+func (p podSandboxByCreated) Less(i, j int) bool {
+	if p[i].Metadata == nil || p[j].Metadata == nil {
+		return p[i].CreatedAt > p[j].CreatedAt
+	}
+	return p[i].Metadata.Attempt > p[j].Metadata.Attempt
+}
 
 type containerStatusByCreated []*kubecontainer.Status
 
diff --git a/pkg/kubelet/kuberuntime/helpers_linux.go b/pkg/kubelet/kuberuntime/helpers_linux.go
index 4f56d62b82ebb..a3b1ab2c30064 100644
--- a/pkg/kubelet/kuberuntime/helpers_linux.go
+++ b/pkg/kubelet/kuberuntime/helpers_linux.go
@@ -27,8 +27,6 @@ import (
 )
 
 // sharesToMilliCPU converts CpuShares (cpu.shares) to milli-CPU value
-// TODO(vinaykul,InPlacePodVerticalScaling): Address issue that sets min req/limit to 2m/10m before beta
-// See: https://github.com/kubernetes/kubernetes/pull/102884#discussion_r662552642
 func sharesToMilliCPU(shares int64) int64 {
 	milliCPU := int64(0)
 	if shares >= int64(cm.MinShares) {
diff --git a/pkg/kubelet/kuberuntime/instrumented_services.go b/pkg/kubelet/kuberuntime/instrumented_services.go
index 7d2d2ba4b72aa..52896d59b1fd6 100644
--- a/pkg/kubelet/kuberuntime/instrumented_services.go
+++ b/pkg/kubelet/kuberuntime/instrumented_services.go
@@ -335,6 +335,15 @@ func (in instrumentedImageManagerService) ImageFsInfo(ctx context.Context) (*run
 	return fsInfo, nil
 }
 
+func (in instrumentedImageManagerService) Close() error {
+	const operation = "close"
+	defer recordOperation(operation, time.Now())
+
+	err := in.service.Close()
+	recordError(operation, err)
+	return err
+}
+
 func (in instrumentedRuntimeService) CheckpointContainer(ctx context.Context, options *runtimeapi.CheckpointContainerRequest) error {
 	const operation = "checkpoint_container"
 	defer recordOperation(operation, time.Now())
@@ -379,3 +388,12 @@ func (in instrumentedRuntimeService) RuntimeConfig(ctx context.Context) (*runtim
 	recordError(operation, err)
 	return out, err
 }
+
+func (in instrumentedRuntimeService) Close() error {
+	const operation = "close"
+	defer recordOperation(operation, time.Now())
+
+	err := in.service.Close()
+	recordError(operation, err)
+	return err
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container.go b/pkg/kubelet/kuberuntime/kuberuntime_container.go
index c837212d98c36..88b34a14ea67a 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container.go
@@ -59,6 +59,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/managed"
 	proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results"
 	"k8s.io/kubernetes/pkg/kubelet/types"
+	kubeutil "k8s.io/kubernetes/pkg/kubelet/util"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	"k8s.io/kubernetes/pkg/util/tail"
 	volumeutil "k8s.io/kubernetes/pkg/volume/util"
@@ -262,12 +263,12 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
 	}
 
 	// When creating a container, mark the resources as actuated.
-	if err := m.allocationManager.SetActuatedResources(pod, container); err != nil {
+	if err := m.setActuatedContainerResources(pod, container); err != nil {
 		m.recordContainerEvent(ctx, pod, container, "", v1.EventTypeWarning, events.FailedToCreateContainer, "Error: %v", err)
 		return err.Error(), ErrCreateContainerConfig
 	}
 
-	err = m.internalLifecycle.PreCreateContainer(pod, container, containerConfig)
+	err = m.internalLifecycle.PreCreateContainer(logger, pod, container, containerConfig)
 	if err != nil {
 		s, _ := grpcstatus.FromError(err)
 		m.recordContainerEvent(ctx, pod, container, "", v1.EventTypeWarning, events.FailedToCreateContainer, "Internal PreCreateContainer hook failed: %v", s.Message())
@@ -280,13 +281,13 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
 		m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeWarning, events.FailedToCreateContainer, "Error: %v", s.Message())
 		return s.Message(), ErrCreateContainer
 	}
-	err = m.internalLifecycle.PreStartContainer(pod, container, containerID)
+	err = m.internalLifecycle.PreStartContainer(logger, pod, container, containerID)
 	if err != nil {
 		s, _ := grpcstatus.FromError(err)
 		m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeWarning, events.FailedToStartContainer, "Internal PreStartContainer hook failed: %v", s.Message())
 		return s.Message(), ErrPreStartHook
 	}
-	m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeNormal, events.CreatedContainer, "Created container: %v", container.Name)
+	m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeNormal, events.CreatedContainer, "Container created")
 
 	// Step 3: start the container.
 	err = m.runtimeService.StartContainer(ctx, containerID)
@@ -295,7 +296,7 @@ func (m *kubeGenericRuntimeManager) startContainer(ctx context.Context, podSandb
 		m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeWarning, events.FailedToStartContainer, "Error: %v", s.Message())
 		return s.Message(), kubecontainer.ErrRunContainer
 	}
-	m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeNormal, events.StartedContainer, "Started container %v", container.Name)
+	m.recordContainerEvent(ctx, pod, container, containerID, v1.EventTypeNormal, events.StartedContainer, "Container started")
 
 	// Symlink container logs to the legacy container log location for cluster logging
 	// support.
@@ -412,16 +413,21 @@ func (m *kubeGenericRuntimeManager) updateContainerResources(ctx context.Context
 	if containerResources == nil {
 		return fmt.Errorf("container %q updateContainerResources failed: cannot generate resources config", containerID.String())
 	}
-	logger := klog.FromContext(ctx)
 	err := m.runtimeService.UpdateContainerResources(ctx, containerID.ID, containerResources)
 	if err == nil {
-		err = m.allocationManager.SetActuatedResources(pod, container)
-	} else {
-		logger.Error(err, "UpdateContainerResources failed", "container", containerID.String())
+		err = m.setActuatedContainerResources(pod, container)
 	}
 	return err
 }
 
+func (m *kubeGenericRuntimeManager) setActuatedContainerResources(pod *v1.Pod, container *v1.Container) error {
+	containerResources := container.Resources
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		containerResources.Limits = kubeutil.GetLimits(&kubeutil.ResourceOpts{PodResources: pod.Spec.Resources, ContainerResources: &container.Resources})
+	}
+	return m.actuatedState.SetContainerResources(pod.UID, container.Name, containerResources)
+}
+
 func (m *kubeGenericRuntimeManager) updatePodSandboxResources(ctx context.Context, sandboxID string, pod *v1.Pod, podResources *cm.ResourceConfig) error {
 	logger := klog.FromContext(ctx)
 	podResourcesRequest := m.generateUpdatePodSandboxResourcesRequest(sandboxID, pod, podResources)
@@ -591,8 +597,8 @@ func (m *kubeGenericRuntimeManager) readLastStringFromContainerLogs(ctx context.
 	return buf.String()
 }
 
-func (m *kubeGenericRuntimeManager) convertToKubeContainerStatus(ctx context.Context, status *runtimeapi.ContainerStatus) (cStatus *kubecontainer.Status) {
-	cStatus = toKubeContainerStatus(ctx, status, m.runtimeName)
+func (m *kubeGenericRuntimeManager) convertToKubeContainerStatus(ctx context.Context, podUID kubetypes.UID, status *runtimeapi.ContainerStatus) (cStatus *kubecontainer.Status) {
+	cStatus = m.toKubeContainerStatus(ctx, podUID, status, m.runtimeName)
 	if status.State == runtimeapi.ContainerState_CONTAINER_EXITED {
 		// Populate the termination message if needed.
 		annotatedInfo := getContainerInfoFromAnnotations(ctx, status.Annotations)
@@ -649,7 +655,7 @@ func (m *kubeGenericRuntimeManager) getPodContainerStatuses(ctx context.Context,
 		if status == nil {
 			return nil, nil, remote.ErrContainerStatusNil
 		}
-		cStatus := m.convertToKubeContainerStatus(ctx, status)
+		cStatus := m.convertToKubeContainerStatus(ctx, uid, status)
 		if isManagedPod && cStatus.Resources != nil { // Clear CPU resources for managed pods (workload-pinned)
 			cStatus.Resources.CPURequest, cStatus.Resources.CPULimit = nil, nil
 		}
@@ -664,13 +670,31 @@ func (m *kubeGenericRuntimeManager) getPodContainerStatuses(ctx context.Context,
 	return statuses, activeContainerStatuses, nil
 }
 
-func toKubeContainerStatus(ctx context.Context, status *runtimeapi.ContainerStatus, runtimeName string) *kubecontainer.Status {
+func (m *kubeGenericRuntimeManager) toKubeContainerStatus(ctx context.Context, podUID kubetypes.UID, status *runtimeapi.ContainerStatus, runtimeName string) *kubecontainer.Status {
 	annotatedInfo := getContainerInfoFromAnnotations(ctx, status.Annotations)
 	labeledInfo := getContainerInfoFromLabels(ctx, status.Labels)
 	var cStatusResources *kubecontainer.ContainerResources
 	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
 		// If runtime reports cpu & memory resources info, add it to container status
 		cStatusResources = toKubeContainerResources(status.Resources)
+
+		// Fill missing resource values from the actuated resources.
+		if cStatusResources == nil || cStatusResources.MemoryRequest == nil {
+			if actuatedResources, ok := m.actuatedState.GetContainerResources(podUID, labeledInfo.ContainerName); ok {
+				if cStatusResources == nil {
+					cStatusResources = &kubecontainer.ContainerResources{
+						CPURequest:    actuatedResources.Requests.Cpu(),
+						CPULimit:      actuatedResources.Limits.Cpu(),
+						MemoryRequest: actuatedResources.Requests.Memory(),
+						MemoryLimit:   actuatedResources.Limits.Memory(),
+					}
+				} else if cStatusResources.MemoryRequest == nil {
+					if memReq := actuatedResources.Requests[v1.ResourceMemory]; !memReq.IsZero() {
+						cStatusResources.MemoryRequest = &memReq
+					}
+				}
+			}
+		}
 	}
 
 	// Keep backwards compatibility to older runtimes, status.ImageId has been added in v1.30
@@ -1104,9 +1128,7 @@ func (m *kubeGenericRuntimeManager) computeInitContainerActions(ctx context.Cont
 		case kubecontainer.ContainerStateRunning:
 			if !podutil.IsRestartableInitContainer(container) {
 				break
-			}
-
-			if podutil.IsRestartableInitContainer(container) {
+			} else { // If container is restartable
 				if container.StartupProbe != nil {
 					startup, found := m.startupManager.Get(status.ID)
 					if !found {
@@ -1176,9 +1198,6 @@ func (m *kubeGenericRuntimeManager) computeInitContainerActions(ctx context.Cont
 					// computePodResizeAction updates 'changes' if resize policy requires restarting this container
 					break
 				}
-			} else { // init container
-				// nothing do to but wait for it to finish
-				break
 			}
 
 		// If the init container failed and the restart policy is Never, the pod is terminal.
@@ -1190,7 +1209,7 @@ func (m *kubeGenericRuntimeManager) computeInitContainerActions(ctx context.Cont
 				if isInitContainerFailed(status) {
 					restartOnFailure := restartOnFailure
 					if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
-						restartOnFailure = kubecontainer.ShouldContainerBeRestarted(container, pod, podStatus)
+						restartOnFailure = kubecontainer.ShouldContainerBeRestarted(logger, container, pod, podStatus)
 					}
 					if !restartOnFailure {
 						changes.KillPod = true
@@ -1345,7 +1364,7 @@ func (m *kubeGenericRuntimeManager) removeContainer(ctx context.Context, contain
 	logger := klog.FromContext(ctx)
 	logger.V(4).Info("Removing container", "containerID", containerID)
 	// Call internal container post-stop lifecycle hook.
-	if err := m.internalLifecycle.PostStopContainer(containerID); err != nil {
+	if err := m.internalLifecycle.PostStopContainer(logger, containerID); err != nil {
 		return err
 	}
 
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
index c3cb5fcd23153..3a09289b4ca38 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
@@ -415,9 +415,7 @@ func toKubeContainerResources(statusResources *runtimeapi.ContainerResources) *k
 // Note: this function variable is being added here so it would be possible to mock
 // the cgroup version for unit tests by assigning a new mocked function into it. Without it,
 // the cgroup version would solely depend on the environment running the test.
-var isCgroup2UnifiedMode = func() bool {
-	return libcontainercgroups.IsCgroup2UnifiedMode()
-}
+var isCgroup2UnifiedMode = libcontainercgroups.IsCgroup2UnifiedMode
 
 // checkSwapControllerAvailability checks if swap controller is available.
 // It returns true if the swap controller is available, false otherwise.
@@ -430,7 +428,7 @@ func checkSwapControllerAvailability(ctx context.Context) bool {
 		// memory.swap.max does not exist in the cgroup root, so we check /sys/fs/cgroup/<SELF>/memory.swap.max
 		cm, err := libcontainercgroups.ParseCgroupFile("/proc/self/cgroup")
 		if err != nil {
-			logger.V(5).Error(fmt.Errorf("failed to parse /proc/self/cgroup: %w", err), warn)
+			logger.V(5).Info(warn, "err", fmt.Errorf("failed to parse /proc/self/cgroup: %w", err))
 			return false
 		}
 		// For cgroup v2 unified hierarchy, there are no per-controller
@@ -441,7 +439,7 @@ func checkSwapControllerAvailability(ctx context.Context) bool {
 	}
 	if _, err := os.Stat(p); err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
-			logger.V(5).Error(err, warn)
+			logger.V(5).Info(warn, "err", err)
 		}
 		return false
 	}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_test.go
index 9a7de58f2f272..ed0f5b534b1fc 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_container_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_test.go
@@ -32,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 
@@ -39,7 +40,9 @@ import (
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/kubernetes/test/utils/ktesting"
 
+	kubelettypes "k8s.io/kubelet/pkg/types"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
@@ -146,12 +149,15 @@ func TestToKubeContainerStatus(t *testing.T) {
 	cid := &kubecontainer.ContainerID{Type: "testRuntime", ID: "dummyid"}
 	meta := &runtimeapi.ContainerMetadata{Name: "cname", Attempt: 3}
 	imageSpec := &runtimeapi.ImageSpec{Image: "fimage"}
-	var (
-		createdAt  int64 = 327
-		startedAt  int64 = 999
-		finishedAt int64 = 1278
+	const (
+		podUID     types.UID = "12345-abcd"
+		createdAt  int64     = 327
+		startedAt  int64     = 999
+		finishedAt int64     = 1278
 	)
 
+	_, _, m, _ := createTestRuntimeManager(tCtx)
+
 	for desc, test := range map[string]struct {
 		input    *runtimeapi.ContainerStatus
 		expected *kubecontainer.Status
@@ -231,143 +237,200 @@ func TestToKubeContainerStatus(t *testing.T) {
 			},
 		},
 	} {
-		actual := toKubeContainerStatus(tCtx, test.input, cid.Type)
-		assert.Equal(t, test.expected, actual, desc)
+		t.Run(desc, func(t *testing.T) {
+			actual := m.toKubeContainerStatus(tCtx, podUID, test.input, cid.Type)
+			assert.Equal(t, test.expected, actual, desc)
+		})
 	}
 }
 
 // TestToKubeContainerStatusWithResources tests the converting the CRI container status to
 // the internal type (i.e., toKubeContainerStatus()) for containers that returns Resources.
 func TestToKubeContainerStatusWithResources(t *testing.T) {
+	if goruntime.GOOS == "windows" {
+		t.Skip("InPlacePodVerticalScaling is not currently supported on Windows.")
+	}
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, true)
 	tCtx := ktesting.Init(t)
+
+	const (
+		podUID    types.UID = "12345-abcd"
+		createdAt int64     = 327
+		startedAt int64     = 999
+		cName               = "cname-abcd"
+	)
 	cid := &kubecontainer.ContainerID{Type: "testRuntime", ID: "dummyid"}
-	meta := &runtimeapi.ContainerMetadata{Name: "cname", Attempt: 3}
+	meta := &runtimeapi.ContainerMetadata{Name: cName, Attempt: 3}
 	imageSpec := &runtimeapi.ImageSpec{Image: "fimage"}
-	var (
-		createdAt int64 = 327
-		startedAt int64 = 999
-	)
+	labels := map[string]string{
+		kubelettypes.KubernetesPodNameLabel:       "pod-12345",
+		kubelettypes.KubernetesPodNamespaceLabel:  "default",
+		kubelettypes.KubernetesPodUIDLabel:        string(podUID),
+		kubelettypes.KubernetesContainerNameLabel: cName,
+	}
+
+	_, _, m, _ := createTestRuntimeManager(tCtx)
 
 	for desc, test := range map[string]struct {
-		input         *runtimeapi.ContainerStatus
-		expected      *kubecontainer.Status
-		skipOnWindows bool
+		reportedResources *runtimeapi.ContainerResources
+		actuatedResources *v1.ResourceRequirements
+		Resources         *kubecontainer.ContainerResources
+		skipOnWindows     bool
 	}{
 		"container reporting cpu and memory": {
-			input: &runtimeapi.ContainerStatus{
-				Id:        cid.ID,
-				Metadata:  meta,
-				Image:     imageSpec,
-				State:     runtimeapi.ContainerState_CONTAINER_RUNNING,
-				CreatedAt: createdAt,
-				StartedAt: startedAt,
-				Resources: func() *runtimeapi.ContainerResources {
-					if goruntime.GOOS == "windows" {
-						return &runtimeapi.ContainerResources{
-							Windows: &runtimeapi.WindowsContainerResources{
-								CpuMaximum:         2500,
-								CpuCount:           1,
-								MemoryLimitInBytes: 524288000,
-							},
-						}
-					}
+			reportedResources: func() *runtimeapi.ContainerResources {
+				if goruntime.GOOS == "windows" {
 					return &runtimeapi.ContainerResources{
-						Linux: &runtimeapi.LinuxContainerResources{
-							CpuQuota:           25000,
-							CpuPeriod:          100000,
+						Windows: &runtimeapi.WindowsContainerResources{
+							CpuMaximum:         2500,
+							CpuCount:           1,
 							MemoryLimitInBytes: 524288000,
-							OomScoreAdj:        -998,
 						},
 					}
-				}(),
-			},
-			expected: &kubecontainer.Status{
-				ID:        *cid,
-				Image:     imageSpec.Image,
-				State:     kubecontainer.ContainerStateRunning,
-				CreatedAt: time.Unix(0, createdAt),
-				StartedAt: time.Unix(0, startedAt),
-				Resources: &kubecontainer.ContainerResources{
-					CPULimit:    resource.NewMilliQuantity(250, resource.DecimalSI),
-					MemoryLimit: resource.NewQuantity(524288000, resource.BinarySI),
-				},
+				}
+				return &runtimeapi.ContainerResources{
+					Linux: &runtimeapi.LinuxContainerResources{
+						CpuQuota:           25000,
+						CpuPeriod:          100000,
+						MemoryLimitInBytes: 524288000,
+						OomScoreAdj:        -998,
+					},
+				}
+			}(),
+			Resources: &kubecontainer.ContainerResources{
+				CPULimit:    resource.NewMilliQuantity(250, resource.DecimalSI),
+				MemoryLimit: resource.NewQuantity(524288000, resource.BinarySI),
 			},
 			skipOnWindows: true,
 		},
 		"container reporting cpu only": {
-			input: &runtimeapi.ContainerStatus{
-				Id:        cid.ID,
-				Metadata:  meta,
-				Image:     imageSpec,
-				State:     runtimeapi.ContainerState_CONTAINER_RUNNING,
-				CreatedAt: createdAt,
-				StartedAt: startedAt,
-				Resources: func() *runtimeapi.ContainerResources {
-					if goruntime.GOOS == "windows" {
-						return &runtimeapi.ContainerResources{
-							Windows: &runtimeapi.WindowsContainerResources{
-								CpuMaximum: 2500,
-								CpuCount:   2,
-							},
-						}
-					}
+			reportedResources: func() *runtimeapi.ContainerResources {
+				if goruntime.GOOS == "windows" {
 					return &runtimeapi.ContainerResources{
-						Linux: &runtimeapi.LinuxContainerResources{
-							CpuQuota:  50000,
-							CpuPeriod: 100000,
+						Windows: &runtimeapi.WindowsContainerResources{
+							CpuMaximum: 2500,
+							CpuCount:   2,
 						},
 					}
-				}(),
-			},
-			expected: &kubecontainer.Status{
-				ID:        *cid,
-				Image:     imageSpec.Image,
-				State:     kubecontainer.ContainerStateRunning,
-				CreatedAt: time.Unix(0, createdAt),
-				StartedAt: time.Unix(0, startedAt),
-				Resources: &kubecontainer.ContainerResources{
-					CPULimit: resource.NewMilliQuantity(500, resource.DecimalSI),
+				}
+				return &runtimeapi.ContainerResources{
+					Linux: &runtimeapi.LinuxContainerResources{
+						CpuShares: int64(cm.MilliCPUToShares(500)),
+						CpuQuota:  50000,
+						CpuPeriod: 100000,
+					},
+				}
+			}(),
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    *resource.NewMilliQuantity(500, resource.BinarySI),
+					v1.ResourceMemory: resource.Quantity{},
 				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: *resource.NewMilliQuantity(500, resource.BinarySI),
+				},
+			},
+			Resources: &kubecontainer.ContainerResources{
+				CPURequest: resource.NewMilliQuantity(500, resource.DecimalSI),
+				CPULimit:   resource.NewMilliQuantity(500, resource.DecimalSI),
 			},
 		},
 		"container reporting memory only": {
-			input: &runtimeapi.ContainerStatus{
+			reportedResources: &runtimeapi.ContainerResources{
+				Linux: &runtimeapi.LinuxContainerResources{
+					MemoryLimitInBytes: 524288000,
+					OomScoreAdj:        -998,
+				},
+				Windows: &runtimeapi.WindowsContainerResources{
+					MemoryLimitInBytes: 524288000,
+				},
+			},
+			Resources: &kubecontainer.ContainerResources{
+				MemoryLimit: resource.NewQuantity(524288000, resource.BinarySI),
+			},
+		},
+		"container reporting memory limits, reqs from actuated": {
+			reportedResources: &runtimeapi.ContainerResources{
+				Linux: &runtimeapi.LinuxContainerResources{
+					MemoryLimitInBytes: 524288000,
+					OomScoreAdj:        -998,
+				},
+				Windows: &runtimeapi.WindowsContainerResources{
+					MemoryLimitInBytes: 524288000,
+				},
+			},
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: *resource.NewQuantity(262144000, resource.BinarySI),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: *resource.NewQuantity(524288000, resource.BinarySI),
+				},
+			},
+			Resources: &kubecontainer.ContainerResources{
+				MemoryRequest: resource.NewQuantity(262144000, resource.BinarySI),
+				MemoryLimit:   resource.NewQuantity(524288000, resource.BinarySI),
+			},
+		},
+		"reported resources take precedence to actuated resources": {
+			reportedResources: &runtimeapi.ContainerResources{
+				Linux: &runtimeapi.LinuxContainerResources{
+					CpuShares: int64(cm.MilliCPUToShares(500)),
+					CpuQuota:  50000,
+					CpuPeriod: 100000,
+				},
+			},
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    *resource.NewMilliQuantity(400, resource.BinarySI),
+					v1.ResourceMemory: *resource.NewQuantity(262144000, resource.BinarySI),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: *resource.NewMilliQuantity(400, resource.BinarySI),
+				},
+			},
+			Resources: &kubecontainer.ContainerResources{
+				CPURequest:    resource.NewMilliQuantity(500, resource.DecimalSI),
+				CPULimit:      resource.NewMilliQuantity(500, resource.DecimalSI),
+				MemoryRequest: resource.NewQuantity(262144000, resource.BinarySI),
+			},
+			skipOnWindows: true,
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			if test.skipOnWindows && goruntime.GOOS == "windows" {
+				// TODO: remove skip once the failing test has been fixed.
+				t.Skip("Skip failing test on Windows.")
+			}
+
+			input := &runtimeapi.ContainerStatus{
 				Id:        cid.ID,
 				Metadata:  meta,
+				Labels:    labels,
 				Image:     imageSpec,
 				State:     runtimeapi.ContainerState_CONTAINER_RUNNING,
 				CreatedAt: createdAt,
 				StartedAt: startedAt,
-				Resources: &runtimeapi.ContainerResources{
-					Linux: &runtimeapi.LinuxContainerResources{
-						MemoryLimitInBytes: 524288000,
-						OomScoreAdj:        -998,
-					},
-					Windows: &runtimeapi.WindowsContainerResources{
-						MemoryLimitInBytes: 524288000,
-					},
-				},
-			},
-			expected: &kubecontainer.Status{
+				Resources: test.reportedResources,
+			}
+
+			expected := &kubecontainer.Status{
 				ID:        *cid,
+				Name:      cName,
 				Image:     imageSpec.Image,
 				State:     kubecontainer.ContainerStateRunning,
 				CreatedAt: time.Unix(0, createdAt),
 				StartedAt: time.Unix(0, startedAt),
-				Resources: &kubecontainer.ContainerResources{
-					MemoryLimit: resource.NewQuantity(524288000, resource.BinarySI),
-				},
-			},
-		},
-	} {
-		t.Run(desc, func(t *testing.T) {
-			if test.skipOnWindows && goruntime.GOOS == "windows" {
-				// TODO: remove skip once the failing test has been fixed.
-				t.Skip("Skip failing test on Windows.")
+				Resources: test.Resources,
 			}
-			actual := toKubeContainerStatus(tCtx, test.input, cid.Type)
-			assert.Equal(t, test.expected, actual, desc)
+
+			if test.actuatedResources != nil {
+				require.NoError(t, m.actuatedState.SetContainerResources(podUID, meta.Name, *test.actuatedResources))
+				t.Cleanup(func() { _ = m.actuatedState.RemovePod(podUID) })
+			}
+
+			actual := m.toKubeContainerStatus(tCtx, podUID, input, cid.Type)
+			assert.Equal(t, expected, actual, desc)
 		})
 	}
 }
@@ -381,11 +444,14 @@ func TestToKubeContainerStatusWithUser(t *testing.T) {
 	cid := &kubecontainer.ContainerID{Type: "testRuntime", ID: "dummyid"}
 	meta := &runtimeapi.ContainerMetadata{Name: "cname", Attempt: 3}
 	imageSpec := &runtimeapi.ImageSpec{Image: "fimage"}
-	var (
-		createdAt int64 = 327
-		startedAt int64 = 999
+	const (
+		podUID    types.UID = "12345-abcd"
+		createdAt int64     = 327
+		startedAt int64     = 999
 	)
 
+	_, _, m, _ := createTestRuntimeManager(tCtx)
+
 	for desc, test := range map[string]struct {
 		input          *runtimeapi.ContainerUser
 		expected       *kubecontainer.ContainerUser
@@ -441,6 +507,8 @@ func TestToKubeContainerStatusWithUser(t *testing.T) {
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
+			// Set emulation version so that the feature gate can be disabled in the test
+			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SupplementalGroupsPolicy, test.featureEnabled)
 			cStatus := &runtimeapi.ContainerStatus{
 				Id:        cid.ID,
@@ -451,7 +519,7 @@ func TestToKubeContainerStatusWithUser(t *testing.T) {
 				StartedAt: startedAt,
 				User:      test.input,
 			}
-			actual := toKubeContainerStatus(tCtx, cStatus, cid.Type)
+			actual := m.toKubeContainerStatus(tCtx, podUID, cStatus, cid.Type)
 			assert.EqualValues(t, test.expected, actual.User, desc)
 		})
 	}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
index a2a112c4bc3e8..818ca633a1a9c 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
@@ -46,6 +46,7 @@ import (
 	internalapi "k8s.io/cri-api/pkg/apis"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	crierror "k8s.io/cri-api/pkg/errors"
+	remote "k8s.io/cri-client/pkg"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
@@ -53,6 +54,7 @@ import (
 	"k8s.io/kubernetes/pkg/credentialprovider/plugin"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/allocation"
+	"k8s.io/kubernetes/pkg/kubelet/allocation/state"
 	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/kubernetes/pkg/kubelet/cm"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -68,6 +70,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/sysctl"
 	"k8s.io/kubernetes/pkg/kubelet/token"
 	"k8s.io/kubernetes/pkg/kubelet/types"
+	kubeutil "k8s.io/kubernetes/pkg/kubelet/util"
 	"k8s.io/kubernetes/pkg/kubelet/util/cache"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	sc "k8s.io/kubernetes/pkg/securitycontext"
@@ -86,6 +89,8 @@ const (
 	identicalErrorDelay = 1 * time.Minute
 	// OpenTelemetry instrumentation scope name
 	instrumentationScope = "k8s.io/kubernetes/pkg/kubelet/kuberuntime"
+
+	actuatedPodsStateFile = "actuated_pods_state"
 )
 
 var (
@@ -159,8 +164,8 @@ type kubeGenericRuntimeManager struct {
 	// Manage RuntimeClass resources.
 	runtimeClassManager *runtimeclass.Manager
 
-	// Manager allocated & actuated resources.
-	allocationManager allocation.Manager
+	// actuatedState tracks actuated resources.
+	actuatedState state.State
 
 	// Cache last per-container error message to reduce log spam
 	logReduction *logreduction.LogReduction
@@ -227,7 +232,6 @@ func NewKubeGenericRuntimeManager(
 	containerManager cm.ContainerManager,
 	logManager logs.ContainerLogManager,
 	runtimeClassManager *runtimeclass.Manager,
-	allocationManager allocation.Manager,
 	seccompDefault bool,
 	memorySwapBehavior string,
 	getNodeAllocatable func() v1.ResourceList,
@@ -260,7 +264,6 @@ func NewKubeGenericRuntimeManager(
 		internalLifecycle:      containerManager.InternalContainerLifecycle(),
 		logManager:             logManager,
 		runtimeClassManager:    runtimeClassManager,
-		allocationManager:      allocationManager,
 		logReduction:           logreduction.NewLogReduction(identicalErrorDelay),
 		seccompDefault:         seccompDefault,
 		memorySwapBehavior:     memorySwapBehavior,
@@ -355,6 +358,11 @@ func NewKubeGenericRuntimeManager(
 		versionCacheTTL,
 	)
 
+	kubeRuntimeManager.actuatedState, err = state.NewStateCheckpoint(rootDirectory, actuatedPodsStateFile)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to initialize actuated state checkpoint: %w", err)
+	}
+
 	return kubeRuntimeManager, imageGCHooks, nil
 }
 
@@ -501,10 +509,11 @@ func (m *kubeGenericRuntimeManager) GetPods(ctx context.Context, all bool) ([]*k
 type containerKillReason string
 
 const (
-	reasonStartupProbe        containerKillReason = "StartupProbe"
-	reasonLivenessProbe       containerKillReason = "LivenessProbe"
-	reasonFailedPostStartHook containerKillReason = "FailedPostStartHook"
-	reasonUnknown             containerKillReason = "Unknown"
+	reasonStartupProbe         containerKillReason = "StartupProbe"
+	reasonLivenessProbe        containerKillReason = "LivenessProbe"
+	reasonFailedPostStartHook  containerKillReason = "FailedPostStartHook"
+	reasonRestartAllContainers containerKillReason = "RestartAllContainers"
+	reasonUnknown              containerKillReason = "Unknown"
 )
 
 // containerToKillInfo contains necessary information to kill a container.
@@ -540,6 +549,16 @@ type containerToUpdateInfo struct {
 	currentContainerResources *containerResources
 }
 
+// containerToRemoveInfo contains necessary information to update a container's resources.
+type containerToRemoveInfo struct {
+	// The ID of the container.
+	containerID kubecontainer.ContainerID
+	// The spec of the container.
+	container *v1.Container
+	// Whether to kill the container before removal.
+	kill bool
+}
+
 // podActions keeps information what to do for a pod.
 type podActions struct {
 	// Stop all running (regular, init and ephemeral) containers and the sandbox for the pod.
@@ -572,11 +591,25 @@ type podActions struct {
 	ContainersToUpdate map[v1.ResourceName][]containerToUpdateInfo
 	// UpdatePodResources is true if container(s) need resource update with restart
 	UpdatePodResources bool
+	// ContainersToReset is a list of containers to be killed (if running) and removed from
+	// runtime for RestartAllContainers. The container that triggered RestartAllContainers
+	// will be reset the last.
+	ContainersToReset []containerToRemoveInfo
+	// UpdatePodLevelResources is true if pod-level resources need to be updated
+	UpdatePodLevelResources bool
+}
+
+// podLevelResources holds the set of resources applicable to the running pod
+type podLevelResources struct {
+	memoryLimit   int64
+	memoryRequest int64
+	cpuLimit      int64
+	cpuRequest    int64
 }
 
 func (p podActions) String() string {
-	return fmt.Sprintf("KillPod: %t, CreateSandbox: %t, UpdatePodResources: %t, Attempt: %d, InitContainersToStart: %v, ContainersToStart: %v, EphemeralContainersToStart: %v,ContainersToUpdate: %v, ContainersToKill: %v",
-		p.KillPod, p.CreateSandbox, p.UpdatePodResources, p.Attempt, p.InitContainersToStart, p.ContainersToStart, p.EphemeralContainersToStart, p.ContainersToUpdate, p.ContainersToKill)
+	return fmt.Sprintf("KillPod: %t, CreateSandbox: %t, UpdatePodResources: %t, UpdatePodLevelResources: %t, Attempt: %d, InitContainersToStart: %v, ContainersToStart: %v, EphemeralContainersToStart: %v,ContainersToUpdate: %v, ContainersToKill: %v, ContainersToRemove: %v",
+		p.KillPod, p.CreateSandbox, p.UpdatePodResources, p.UpdatePodLevelResources, p.Attempt, p.InitContainersToStart, p.ContainersToStart, p.EphemeralContainersToStart, p.ContainersToUpdate, p.ContainersToKill, p.ContainersToReset)
 }
 
 // containerChanged will determine whether the container has changed based on the fields that will affect the running of the container.
@@ -601,8 +634,30 @@ func containerSucceeded(c *v1.Container, podStatus *kubecontainer.PodStatus) boo
 	return cStatus.State == kubecontainer.ContainerStateExited && cStatus.ExitCode == 0
 }
 
-func containerResourcesFromRequirements(requirements *v1.ResourceRequirements) containerResources {
-	return containerResources{
+func containerResourcesFromRequirements(podRequirements, containerRequirements *v1.ResourceRequirements) containerResources {
+	resources := containerResources{
+		memoryLimit:   containerRequirements.Limits.Memory().Value(),
+		memoryRequest: containerRequirements.Requests.Memory().Value(),
+		cpuLimit:      containerRequirements.Limits.Cpu().MilliValue(),
+		cpuRequest:    containerRequirements.Requests.Cpu().MilliValue(),
+	}
+
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		return resources
+	}
+
+	containerLimits := kubeutil.GetLimits(&kubeutil.ResourceOpts{PodResources: podRequirements, ContainerResources: containerRequirements})
+	resources.memoryLimit = containerLimits.Memory().Value()
+	resources.cpuLimit = containerLimits.Cpu().MilliValue()
+	return resources
+}
+
+func podResourcesFromRequirements(requirements *v1.ResourceRequirements) podLevelResources {
+	if requirements == nil {
+		return podLevelResources{}
+	}
+
+	return podLevelResources{
 		memoryLimit:   requirements.Limits.Memory().Value(),
 		memoryRequest: requirements.Requests.Memory().Value(),
 		cpuLimit:      requirements.Limits.Cpu().MilliValue(),
@@ -634,7 +689,7 @@ func (m *kubeGenericRuntimeManager) computePodResizeAction(ctx context.Context,
 		return true
 	}
 
-	actuatedResources, found := m.allocationManager.GetActuatedResources(pod.UID, container.Name)
+	actuatedContainerResources, found := m.actuatedState.GetContainerResources(pod.UID, container.Name)
 	if !found {
 		logger.Error(nil, "Missing actuated resource record", "pod", klog.KObj(pod), "container", container.Name)
 		// Proceed with the zero-value actuated resources. For restart NotRequired, this may
@@ -642,8 +697,13 @@ func (m *kubeGenericRuntimeManager) computePodResizeAction(ctx context.Context,
 		// For RestartContainer, this may trigger a container restart.
 	}
 
-	desiredResources := containerResourcesFromRequirements(&container.Resources)
-	currentResources := containerResourcesFromRequirements(&actuatedResources)
+	var actuatedPodResources *v1.ResourceRequirements
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		actuatedPodResources, _ = m.actuatedState.GetPodLevelResources(pod.UID)
+	}
+
+	desiredResources := containerResourcesFromRequirements(pod.Spec.Resources, &container.Resources)
+	currentResources := containerResourcesFromRequirements(actuatedPodResources, &actuatedContainerResources)
 
 	if currentResources == desiredResources {
 		// No resize required.
@@ -759,7 +819,58 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 		return resizeResult
 	}
 
-	setPodCgroupConfig := func(rName v1.ResourceName, setLimitValue bool) error {
+	updateActuatedPodLevelResources := func(resourceName v1.ResourceName) error {
+		allocatedResources := pod.Spec.Resources
+		if allocatedResources == nil {
+			return nil
+		}
+
+		// allocated resources will never be nil
+		actuatedPodResources, found := m.actuatedState.GetPodLevelResources(pod.UID)
+		if !found || actuatedPodResources == nil {
+			logger.Error(nil, "Missing actuated resource record", "pod", klog.KObj(pod), "pod", pod.Name)
+			// Proceed with the zero-value actuated resources.
+			actuatedPodResources = &v1.ResourceRequirements{}
+		}
+
+		defaultResourceListIfNil := func(rl v1.ResourceList) v1.ResourceList {
+			if rl == nil {
+				return make(v1.ResourceList)
+			}
+
+			return rl
+		}
+
+		switch resourceName {
+		case v1.ResourceMemory:
+			if allocatedResources.Requests != nil {
+				actuatedPodResources.Requests = defaultResourceListIfNil(actuatedPodResources.Requests)
+				actuatedPodResources.Requests[v1.ResourceMemory] = allocatedResources.Requests[v1.ResourceMemory]
+			}
+			if allocatedResources.Limits != nil {
+				actuatedPodResources.Limits = defaultResourceListIfNil(actuatedPodResources.Limits)
+				actuatedPodResources.Limits[v1.ResourceMemory] = allocatedResources.Limits[v1.ResourceMemory]
+			}
+		case v1.ResourceCPU:
+			if allocatedResources.Requests != nil {
+				actuatedPodResources.Requests = defaultResourceListIfNil(actuatedPodResources.Requests)
+				actuatedPodResources.Requests[v1.ResourceCPU] = allocatedResources.Requests[v1.ResourceCPU]
+			}
+			if allocatedResources.Limits != nil {
+				actuatedPodResources.Limits = defaultResourceListIfNil(actuatedPodResources.Limits)
+				actuatedPodResources.Limits[v1.ResourceCPU] = allocatedResources.Limits[v1.ResourceCPU]
+			}
+
+		}
+		if err = m.actuatedState.SetPodLevelResources(pod.UID, actuatedPodResources); err != nil {
+			logger.Error(err, "SetPodLevelResources failed", "pod", pod.Name, "UID", pod.UID,
+				"pod", format.Pod(pod), "resourceName", resourceName)
+			return err
+		}
+		return nil
+	}
+
+	setPodCgroupConfig := func(logger klog.Logger, rName v1.ResourceName, setLimitValue bool) error {
 		var err error
 		resizedResources := &cm.ResourceConfig{}
 		switch rName {
@@ -777,7 +888,7 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 			}
 			resizedResources.Memory = podResources.Memory
 		}
-		err = pcm.SetPodCgroupConfig(pod, resizedResources)
+		err = pcm.SetPodCgroupConfig(logger, pod, resizedResources)
 		if err != nil {
 			logger.Error(err, "Failed to set cgroup config", "resource", rName, "pod", klog.KObj(pod))
 			return err
@@ -787,8 +898,16 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 			logger.Error(err, "Failed to notify runtime for UpdatePodSandboxResources", "resource", rName, "pod", klog.KObj(pod))
 			// Don't propagate the error since the updatePodSandboxResources call is best-effort.
 		}
+
+		if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+			if err = updateActuatedPodLevelResources(rName); err != nil {
+				logger.Error(err, "Failed to update pod-level actuated resources", "resource", rName, "pod", klog.KObj(pod))
+
+			}
+		}
 		return nil
 	}
+
 	// Memory and CPU are updated separately because memory resizes may be ordered differently than CPU resizes.
 	// If resize results in net pod resource increase, set pod cgroup config before resizing containers.
 	// If resize results in net pod resource decrease, set pod cgroup config after resizing containers.
@@ -797,12 +916,14 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 		var err error
 		// At upsizing, limits should expand prior to requests in order to keep "requests <= limits".
 		if newPodCgLimValue > currPodCgLimValue {
-			if err = setPodCgroupConfig(rName, true); err != nil {
+			// TODO: Pass logger from context once contextual logging migration is complete
+			if err = setPodCgroupConfig(klog.TODO(), rName, true); err != nil {
 				return err
 			}
 		}
 		if newPodCgReqValue > currPodCgReqValue {
-			if err = setPodCgroupConfig(rName, false); err != nil {
+			// TODO: Pass logger from context once contextual logging migration is complete
+			if err = setPodCgroupConfig(klog.TODO(), rName, false); err != nil {
 				return err
 			}
 		}
@@ -814,12 +935,14 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 		}
 		// At downsizing, requests should shrink prior to limits in order to keep "requests <= limits".
 		if newPodCgReqValue < currPodCgReqValue {
-			if err = setPodCgroupConfig(rName, false); err != nil {
+			// TODO: Pass logger from context once contextual logging migration is complete
+			if err = setPodCgroupConfig(klog.TODO(), rName, false); err != nil {
 				return err
 			}
 		}
 		if newPodCgLimValue < currPodCgLimValue {
-			if err = setPodCgroupConfig(rName, true); err != nil {
+			// TODO(#127825): Pass logger from context once contextual logging migration is complete
+			if err = setPodCgroupConfig(klog.TODO(), rName, true); err != nil {
 				return err
 			}
 		}
@@ -830,7 +953,7 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 	// partially actuated.
 	defer m.runtimeHelper.SetPodWatchCondition(pod.UID, "doPodResizeAction", func(*kubecontainer.PodStatus) bool { return true })
 
-	if len(podContainerChanges.ContainersToUpdate[v1.ResourceMemory]) > 0 || podContainerChanges.UpdatePodResources {
+	if len(podContainerChanges.ContainersToUpdate[v1.ResourceMemory]) > 0 || podContainerChanges.UpdatePodResources || podContainerChanges.UpdatePodLevelResources {
 		if podResources.Memory == nil {
 			// Default pod memory limit to the current memory limit if unset to prevent it from updating.
 			// TODO(#128675): This does not support removing limits.
@@ -841,7 +964,7 @@ func (m *kubeGenericRuntimeManager) doPodResizeAction(ctx context.Context, pod *
 			return resizeResult
 		}
 	}
-	if len(podContainerChanges.ContainersToUpdate[v1.ResourceCPU]) > 0 || podContainerChanges.UpdatePodResources {
+	if len(podContainerChanges.ContainersToUpdate[v1.ResourceCPU]) > 0 || podContainerChanges.UpdatePodResources || podContainerChanges.UpdatePodLevelResources {
 		if podResources.CPUShares == nil {
 			// This shouldn't happen: ResourceConfigForPod always returns a non-nil value for CPUShares.
 			logger.Error(nil, "podResources.CPUShares is nil", "pod", pod.Name)
@@ -994,7 +1117,7 @@ func (m *kubeGenericRuntimeManager) updatePodContainerResources(ctx context.Cont
 }
 
 // computePodActions checks whether the pod spec has changed and returns the changes if true.
-func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus) podActions {
+func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus, restartAllContainers bool) podActions {
 	logger := klog.FromContext(ctx)
 	logger.V(5).Info("Syncing Pod", "pod", klog.KObj(pod))
 
@@ -1008,6 +1131,20 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *
 		ContainersToKill:  make(map[kubecontainer.ContainerID]containerToKillInfo),
 	}
 
+	// Needs to kill and remove all containers in reverse order when the pod is marked for RestartAllContainers.
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) && restartAllContainers {
+		logger.V(3).Info("Pod marked for RestartAllContainers", "pod", klog.KObj(pod))
+		// Kill and remove containers in reverse order. Source containers (which exited and triggered
+		// RestartAllContainers) are removed last.
+		sourceInitContainers, targetInitContainers := m.getContainersToReset(pod.Spec.InitContainers, podStatus)
+		sourceContainers, targetContainers := m.getContainersToReset(pod.Spec.Containers, podStatus)
+		changes.ContainersToReset = append(changes.ContainersToReset, targetContainers...)
+		changes.ContainersToReset = append(changes.ContainersToReset, targetInitContainers...)
+		changes.ContainersToReset = append(changes.ContainersToReset, sourceContainers...)
+		changes.ContainersToReset = append(changes.ContainersToReset, sourceInitContainers...)
+		return changes
+	}
+
 	// If we need to (re-)create the pod sandbox, everything will need to be
 	// killed and recreated, and init containers should be purged.
 	if createPodSandbox {
@@ -1105,7 +1242,7 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *
 		// allocated cpus are released immediately. If the container is restarted, cpus will be re-allocated
 		// to it.
 		if containerStatus != nil && containerStatus.State != kubecontainer.ContainerStateRunning {
-			if err := m.internalLifecycle.PostStopContainer(containerStatus.ID.ID); err != nil {
+			if err := m.internalLifecycle.PostStopContainer(logger, containerStatus.ID.ID); err != nil {
 				logger.Error(err, "Internal container post-stop lifecycle hook failed for container in pod with error",
 					"containerName", container.Name, "pod", klog.KObj(pod))
 			}
@@ -1114,7 +1251,7 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *
 		// If container does not exist, or is not running, check whether we
 		// need to restart it.
 		if containerStatus == nil || containerStatus.State != kubecontainer.ContainerStateRunning {
-			if kubecontainer.ShouldContainerBeRestarted(&container, pod, podStatus) {
+			if kubecontainer.ShouldContainerBeRestarted(logger, &container, pod, podStatus) {
 				logger.V(3).Info("Container of pod is not in the desired state and shall be started", "containerName", container.Name, "pod", klog.KObj(pod))
 				changes.ContainersToStart = append(changes.ContainersToStart, idx)
 				if containerStatus != nil && containerStatus.State == kubecontainer.ContainerStateUnknown {
@@ -1189,9 +1326,61 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *
 		changes.InitContainersToStart = nil
 	}
 
+	changes.UpdatePodLevelResources = m.computePodLevelResourcesResizeAction(ctx, pod)
 	return changes
 }
 
+// getContainersToReset returns container info about the containers to remove from the runtime.
+// The first list are the containers that triggered the RestartAllContainers; the second list
+// are the containers that are victim of the RestartAllContainers.
+func (m *kubeGenericRuntimeManager) getContainersToReset(containers []v1.Container, podStatus *kubecontainer.PodStatus) (sources []containerToRemoveInfo, targets []containerToRemoveInfo) {
+	for idx, c := range containers {
+		// podStatus.FindContainerStatusByName cannot be used because there can be multiple container
+		// statuses per container, and RestartAllContainers require all container to be purged from runtime.
+		for _, containerStatus := range podStatus.ContainerStatuses {
+			if containerStatus.Name != c.Name {
+				continue
+			}
+			info := containerToRemoveInfo{
+				containerID: containerStatus.ID,
+				container:   &containers[idx],
+			}
+			if containerStatus.State == kubecontainer.ContainerStateExited {
+				exitCode := containerStatus.ExitCode
+				rule, ok := podutil.FindMatchingContainerRestartRule(c, int32(exitCode))
+				if ok && rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+					sources = append(sources, info)
+				} else {
+					targets = append(targets, info)
+				}
+			} else {
+				info.kill = true
+				targets = append(targets, info)
+			}
+		}
+	}
+	return
+}
+
+func (m *kubeGenericRuntimeManager) computePodLevelResourcesResizeAction(ctx context.Context, pod *v1.Pod) bool {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		return false
+	}
+	logger := klog.FromContext(ctx)
+
+	actuatedPodLevelResources, found := m.actuatedState.GetPodLevelResources(pod.UID)
+	if !found {
+		logger.Error(nil, "Missing actuated pod level resource record", "pod", klog.KObj(pod), "pod", pod.Name)
+		// Proceed with the zero-value actuated resources. For restart NotRequired, this may
+		// result in an extra call to UpdateContainerResources, but that call should be idempotent.
+		// For RestartContainer, this may trigger a container restart.
+	}
+
+	desiredPodLevelResources := podResourcesFromRequirements(pod.Spec.Resources)
+	currentPodLevelResources := podResourcesFromRequirements(actuatedPodLevelResources)
+	return currentPodLevelResources != desiredPodLevelResources
+}
+
 // SyncPod syncs the running pod into the desired pod by executing following steps:
 //
 //  1. Compute sandbox and container changes.
@@ -1202,10 +1391,10 @@ func (m *kubeGenericRuntimeManager) computePodActions(ctx context.Context, pod *
 //  6. Create init containers.
 //  7. Resize running containers (if InPlacePodVerticalScaling==true)
 //  8. Create normal containers.
-func (m *kubeGenericRuntimeManager) SyncPod(ctx context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus, pullSecrets []v1.Secret, backOff *flowcontrol.Backoff) (result kubecontainer.PodSyncResult) {
+func (m *kubeGenericRuntimeManager) SyncPod(ctx context.Context, pod *v1.Pod, podStatus *kubecontainer.PodStatus, pullSecrets []v1.Secret, backOff *flowcontrol.Backoff, restartAllContainers bool) (result kubecontainer.PodSyncResult) {
 	logger := klog.FromContext(ctx)
 	// Step 1: Compute sandbox and container changes.
-	podContainerChanges := m.computePodActions(ctx, pod, podStatus)
+	podContainerChanges := m.computePodActions(ctx, pod, podStatus, restartAllContainers)
 	logger.V(3).Info("computePodActions got for pod", "podActions", podContainerChanges, "pod", klog.KObj(pod))
 	if podContainerChanges.CreateSandbox {
 		ref, err := ref.GetReference(legacyscheme.Scheme, pod)
@@ -1249,6 +1438,32 @@ func (m *kubeGenericRuntimeManager) SyncPod(ctx context.Context, pod *v1.Pod, po
 				return
 			}
 		}
+
+		// Removes the containers if they are marked for removal (for in-place restart)
+		if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+			for _, containerInfo := range podContainerChanges.ContainersToReset {
+				cName := containerInfo.container.Name
+				logger.V(3).Info("Removing container before pod restarts", "containerName", cName, "containerID", containerInfo.containerID, "pod", klog.KObj(pod))
+				removeContainerResult := kubecontainer.NewSyncResult(kubecontainer.RemoveContainer, cName)
+				result.AddSyncResult(removeContainerResult)
+				if containerInfo.kill {
+					logger.V(3).Info("Killing container before removal", "containerName", cName, "containerID", containerInfo.containerID, "pod", klog.KObj(pod))
+					// Killing containers without grace period.
+					var gracePeriod int64 = 0
+					if err := m.killContainer(ctx, pod, containerInfo.containerID, cName, "killing", reasonRestartAllContainers, &gracePeriod, nil); err != nil {
+						removeContainerResult.Fail(kubecontainer.ErrKillContainer, err.Error())
+						logger.Error(err, "killContainer for pod failed", "containerName", cName, "containerID", containerInfo.containerID, "pod", klog.KObj(pod))
+						return
+					}
+				}
+				// TODO(yuanwang04): Revisit whether container logs should be persisted.
+				if err := m.removeContainer(ctx, containerInfo.containerID.ID); err != nil {
+					removeContainerResult.Fail(kubecontainer.ErrRemoveContainer, err.Error())
+					logger.Error(err, "removeContainer for pod failed", "containerName", cName, "containerID", containerInfo.containerID, "pod", klog.KObj(pod))
+					return
+				}
+			}
+		}
 	}
 
 	// Keep terminated init containers fairly aggressively controlled
@@ -1481,7 +1696,7 @@ func (m *kubeGenericRuntimeManager) SyncPod(ctx context.Context, pod *v1.Pod, po
 
 	// Step 7: For containers in podContainerChanges.ContainersToUpdate[CPU,Memory] list, invoke UpdateContainerResources
 	if resizable, _, _ := allocation.IsInPlacePodVerticalScalingAllowed(pod); resizable {
-		if len(podContainerChanges.ContainersToUpdate) > 0 || podContainerChanges.UpdatePodResources {
+		if len(podContainerChanges.ContainersToUpdate) > 0 || podContainerChanges.UpdatePodResources || podContainerChanges.UpdatePodLevelResources {
 			result.SyncResults = append(result.SyncResults, m.doPodResizeAction(ctx, pod, podStatus, podContainerChanges))
 		}
 	}
@@ -1628,9 +1843,10 @@ func (m *kubeGenericRuntimeManager) doBackOff(ctx context.Context, pod *v1.Pod,
 			m.recorder.Eventf(containerRef, v1.EventTypeWarning, events.BackOffStartContainer,
 				fmt.Sprintf("Back-off restarting failed container %s in pod %s", container.Name, format.Pod(pod)))
 		}
-		err := fmt.Errorf("back-off %s restarting failed container=%s pod=%s", backOff.Get(key), container.Name, format.Pod(pod))
+		backoff := backOff.Get(key)
+		err := fmt.Errorf("back-off %s restarting failed container=%s pod=%s", backoff, container.Name, format.Pod(pod))
 		logger.V(3).Info("Back-off restarting failed container", "err", err.Error())
-		return true, err.Error(), kubecontainer.ErrCrashLoopBackOff
+		return true, err.Error(), kubecontainer.NewBackoffError(kubecontainer.ErrCrashLoopBackOff, ts.Add(backoff))
 	}
 
 	backOff.Next(key, ts)
@@ -1671,11 +1887,12 @@ func (m *kubeGenericRuntimeManager) killPodWithSyncResult(ctx context.Context, p
 
 func (m *kubeGenericRuntimeManager) GeneratePodStatus(event *runtimeapi.ContainerEventResponse) *kubecontainer.PodStatus {
 	ctx := context.TODO() // This context will be passed as parameter in the future
+	podUID := kubetypes.UID(event.PodSandboxStatus.Metadata.Uid)
 	podIPs := m.determinePodSandboxIPs(ctx, event.PodSandboxStatus.Metadata.Namespace, event.PodSandboxStatus.Metadata.Name, event.PodSandboxStatus)
 
 	kubeContainerStatuses := []*kubecontainer.Status{}
 	for _, status := range event.ContainersStatuses {
-		kubeContainerStatuses = append(kubeContainerStatuses, m.convertToKubeContainerStatus(ctx, status))
+		kubeContainerStatuses = append(kubeContainerStatuses, m.convertToKubeContainerStatus(ctx, podUID, status))
 	}
 
 	sort.Sort(containerStatusByCreated(kubeContainerStatuses))
@@ -1775,7 +1992,7 @@ func (m *kubeGenericRuntimeManager) GetPodStatus(ctx context.Context, uid kubety
 				// timestamp from sandboxStatus.
 				timestamp = time.Unix(0, resp.Timestamp)
 				for _, cs := range resp.ContainersStatuses {
-					cStatus := m.convertToKubeContainerStatus(ctx, cs)
+					cStatus := m.convertToKubeContainerStatus(ctx, uid, cs)
 					containerStatuses = append(containerStatuses, cStatus)
 				}
 			}
@@ -1806,16 +2023,33 @@ func (m *kubeGenericRuntimeManager) GetPodStatus(ctx context.Context, uid kubety
 	}, nil
 }
 
-func (m *kubeGenericRuntimeManager) GetContainerStatus(ctx context.Context, id kubecontainer.ContainerID) (*kubecontainer.Status, error) {
+func (m *kubeGenericRuntimeManager) GetContainerStatus(ctx context.Context, podUID kubetypes.UID, id kubecontainer.ContainerID) (*kubecontainer.Status, error) {
 	resp, err := m.runtimeService.ContainerStatus(ctx, id.ID, false)
 	if err != nil {
 		return nil, fmt.Errorf("runtime container status: %w", err)
 	}
-	return m.convertToKubeContainerStatus(ctx, resp.GetStatus()), nil
+
+	status := resp.GetStatus()
+	if status == nil {
+		return nil, remote.ErrContainerStatusNil
+	}
+
+	return m.convertToKubeContainerStatus(ctx, podUID, status), nil
 }
 
 // GarbageCollect removes dead containers using the specified container gc policy.
 func (m *kubeGenericRuntimeManager) GarbageCollect(ctx context.Context, gcPolicy kubecontainer.GCPolicy, allSourcesReady bool, evictNonDeletedPods bool) error {
+	logger := klog.FromContext(ctx)
+	// Remove terminated pods from the actuated state.
+	for uid := range m.actuatedState.GetPodResourceInfoMap() {
+		if m.podStateProvider.ShouldPodContentBeRemoved(uid) {
+			if err := m.actuatedState.RemovePod(uid); err != nil {
+				// No need to act on the error beyond logging it here.
+				logger.Error(err, "Failed to remove pod from actuated state", "podUID", uid)
+			}
+		}
+	}
+
 	return m.containerGC.GarbageCollect(ctx, gcPolicy, allSourcesReady, evictNonDeletedPods)
 }
 
@@ -1845,3 +2079,106 @@ func (m *kubeGenericRuntimeManager) ListMetricDescriptors(ctx context.Context) (
 func (m *kubeGenericRuntimeManager) ListPodSandboxMetrics(ctx context.Context) ([]*runtimeapi.PodSandboxMetrics, error) {
 	return m.runtimeService.ListPodSandboxMetrics(ctx)
 }
+
+func (m *kubeGenericRuntimeManager) UpdateActuatedPodLevelResources(actuatedPod *v1.Pod) error {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling) {
+		return nil
+	}
+
+	if actuatedPod.Spec.Resources == nil {
+		return nil
+	}
+
+	if actuatedPod.Spec.Resources.Requests == nil && actuatedPod.Spec.Resources.Limits == nil {
+		return nil
+	}
+
+	return m.actuatedState.SetPodLevelResources(actuatedPod.UID, actuatedPod.Spec.Resources)
+}
+
+// isPodResizeInProgress checks whether the actuated resizable resources differ from
+// the resources allocated for:
+// * any running containers - Specifically, the following differences are ignored:
+// - Non-resizable containers: non-restartable init containers, ephemeral containers
+// - Non-resizable resources: only CPU & memory are resizable
+// - Non-running containers: they will be sized correctly when (re)started
+// * any running pod if InPlacePodLevelResourcesVerticalScaling is enabled.
+func (m *kubeGenericRuntimeManager) IsPodResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) bool {
+	if m.isContainerResourceResizeInProgress(allocatedPod, podStatus) {
+		return true
+	}
+
+	return m.isPodLevelResourcesResizeInProgress(allocatedPod, podStatus)
+}
+
+func (m *kubeGenericRuntimeManager) isContainerResourceResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) bool {
+	return !podutil.VisitContainers(&allocatedPod.Spec, podutil.InitContainers|podutil.Containers,
+		func(allocatedContainer *v1.Container, containerType podutil.ContainerType) (shouldContinue bool) {
+			if !isResizableContainer(allocatedContainer, containerType) {
+				return true
+			}
+
+			containerStatus := podStatus.FindContainerStatusByName(allocatedContainer.Name)
+			if containerStatus == nil || containerStatus.State != kubecontainer.ContainerStateRunning {
+				// If the container isn't running, it doesn't need to be resized.
+				return true
+			}
+
+			actuatedResources, _ := m.actuatedState.GetContainerResources(allocatedPod.UID, allocatedContainer.Name)
+			allocatedResources := allocatedContainer.Resources
+			if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+				allocatedResources.Limits = kubeutil.GetLimits(&kubeutil.ResourceOpts{PodResources: allocatedPod.Spec.Resources, ContainerResources: &allocatedContainer.Resources})
+			}
+
+			return allocatedResources.Requests[v1.ResourceCPU].Equal(actuatedResources.Requests[v1.ResourceCPU]) &&
+				allocatedResources.Limits[v1.ResourceCPU].Equal(actuatedResources.Limits[v1.ResourceCPU]) &&
+				allocatedResources.Requests[v1.ResourceMemory].Equal(actuatedResources.Requests[v1.ResourceMemory]) &&
+				allocatedResources.Limits[v1.ResourceMemory].Equal(actuatedResources.Limits[v1.ResourceMemory])
+		})
+}
+
+func (m *kubeGenericRuntimeManager) isPodLevelResourcesResizeInProgress(allocatedPod *v1.Pod, podStatus *kubecontainer.PodStatus) bool {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		return false
+	}
+
+	if allocatedPod.Spec.Resources == nil {
+		return false
+	}
+
+	actuatedPodResources, _ := m.actuatedState.GetPodLevelResources(allocatedPod.UID)
+	allocatedPodResources := allocatedPod.Spec.Resources
+
+	return !cpuMemoryResourcesEqual(actuatedPodResources, allocatedPodResources)
+}
+
+func cpuMemoryResourcesEqual(actuatedPodResources, allocatedPodResources *v1.ResourceRequirements) bool {
+	if actuatedPodResources == nil && allocatedPodResources == nil {
+		return true
+	}
+
+	cmpResources := func(actuated, allocated v1.ResourceList) bool {
+		return actuated[v1.ResourceCPU].Equal(allocated[v1.ResourceCPU]) && actuated[v1.ResourceMemory].Equal(allocated[v1.ResourceMemory])
+	}
+
+	if actuatedPodResources == nil {
+		return cmpResources(nil, allocatedPodResources.Requests) && cmpResources(nil, allocatedPodResources.Limits)
+	}
+
+	if allocatedPodResources == nil {
+		return cmpResources(actuatedPodResources.Requests, nil) && cmpResources(actuatedPodResources.Limits, nil)
+
+	}
+	return cmpResources(actuatedPodResources.Requests, allocatedPodResources.Requests) && cmpResources(actuatedPodResources.Limits, allocatedPodResources.Limits)
+}
+
+func isResizableContainer(container *v1.Container, containerType podutil.ContainerType) bool {
+	switch containerType {
+	case podutil.InitContainers:
+		return podutil.IsRestartableInitContainer(container)
+	case podutil.Containers:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go
index 4dc328bb4998b..b27dcdc128b55 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager_test.go
@@ -49,6 +49,7 @@ import (
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	apitest "k8s.io/cri-api/pkg/apis/testing"
 	crierror "k8s.io/cri-api/pkg/errors"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/features"
@@ -60,6 +61,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	proberesults "k8s.io/kubernetes/pkg/kubelet/prober/results"
 	"k8s.io/kubernetes/test/utils/ktesting"
+	testingclock "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"
 )
 
@@ -113,7 +115,8 @@ type containerTemplate struct {
 // makeAndSetFakePod is a helper function to create and set one fake sandbox for a pod and
 // one fake container for each of its container.
 func makeAndSetFakePod(t *testing.T, m *kubeGenericRuntimeManager, fakeRuntime *apitest.FakeRuntimeService,
-	pod *v1.Pod) (*apitest.FakePodSandbox, []*apitest.FakeContainer) {
+	pod *v1.Pod,
+) (*apitest.FakePodSandbox, []*apitest.FakeContainer) {
 	sandbox := makeFakePodSandbox(t, m, sandboxTemplate{
 		pod:       pod,
 		createdAt: fakeCreatedAt,
@@ -170,7 +173,6 @@ func makeFakePodSandbox(t *testing.T, m *kubeGenericRuntimeManager, template san
 		podSandBoxStatus.Network.AdditionalIps = additionalPodIPs
 	}
 	return podSandBoxStatus
-
 }
 
 // makeFakePodSandboxes creates a group of fake pod sandboxes based on the sandbox templates.
@@ -659,7 +661,7 @@ func TestSyncPod(t *testing.T) {
 	}
 
 	backOff := flowcontrol.NewBackOff(time.Second, time.Minute)
-	result := m.SyncPod(tCtx, pod, &kubecontainer.PodStatus{}, []v1.Secret{}, backOff)
+	result := m.SyncPod(tCtx, pod, &kubecontainer.PodStatus{}, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	assert.Len(t, fakeRuntime.Containers, 2)
 	assert.Len(t, fakeImage.Images, 2)
@@ -720,7 +722,7 @@ func TestSyncPodWithConvertedPodSysctls(t *testing.T) {
 	}
 
 	backOff := flowcontrol.NewBackOff(time.Second, time.Minute)
-	result := m.SyncPod(tCtx, pod, &kubecontainer.PodStatus{}, []v1.Secret{}, backOff)
+	result := m.SyncPod(tCtx, pod, &kubecontainer.PodStatus{}, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	assert.Equal(t, exceptSysctls, pod.Spec.SecurityContext.Sysctls)
 	for _, sandbox := range fakeRuntime.Sandboxes {
@@ -810,7 +812,7 @@ func TestSyncPodWithInitContainers(t *testing.T) {
 	// 1. should only create the init container.
 	podStatus, err := m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
 	assert.NoError(t, err)
-	result := m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff)
+	result := m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	expected := []*cRecord{
 		{name: initContainers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_RUNNING},
@@ -820,7 +822,7 @@ func TestSyncPodWithInitContainers(t *testing.T) {
 	// 2. should not create app container because init container is still running.
 	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
 	assert.NoError(t, err)
-	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	verifyContainerStatuses(t, fakeRuntime, expected, "init container still running; do nothing")
 
@@ -836,7 +838,7 @@ func TestSyncPodWithInitContainers(t *testing.T) {
 	// Sync again.
 	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
 	assert.NoError(t, err)
-	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	expected = []*cRecord{
 		{name: initContainers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_EXITED},
@@ -852,7 +854,7 @@ func TestSyncPodWithInitContainers(t *testing.T) {
 	// Sync again.
 	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
 	assert.NoError(t, err)
-	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
 	assert.NoError(t, result.Error())
 	expected = []*cRecord{
 		// The first init container instance is purged and no longer visible.
@@ -865,6 +867,121 @@ func TestSyncPodWithInitContainers(t *testing.T) {
 	verifyContainerStatuses(t, fakeRuntime, expected, "kill all app containers, purge the existing init container, and restart a new one")
 }
 
+func TestSyncPodWithRestartAllContainers(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+	fakeRuntime, _, m, err := createTestRuntimeManager(tCtx)
+	require.NoError(t, err)
+
+	restartPolicyAlways := v1.ContainerRestartPolicyAlways
+	initContainers := []v1.Container{
+		{
+			Name:            "init1",
+			Image:           "init",
+			ImagePullPolicy: v1.PullIfNotPresent,
+		},
+	}
+	containers := []v1.Container{
+		{
+			Name:            "foo1",
+			Image:           "busybox",
+			ImagePullPolicy: v1.PullIfNotPresent,
+		},
+		{
+			Name:            "foo2",
+			Image:           "alpine",
+			ImagePullPolicy: v1.PullIfNotPresent,
+			RestartPolicy:   &restartPolicyAlways,
+			RestartPolicyRules: []v1.ContainerRestartRule{
+				{
+					Action: v1.ContainerRestartRuleActionRestartAllContainers,
+					ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+						Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+						Values:   []int32{42},
+					},
+				},
+			},
+		},
+	}
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			UID:       "12345678",
+			Name:      "foo",
+			Namespace: "new",
+		},
+		Spec: v1.PodSpec{
+			Containers:     containers,
+			InitContainers: initContainers,
+		},
+	}
+
+	backOff := flowcontrol.NewBackOff(time.Second, time.Minute)
+
+	// 1. Run the pod first. First SyncPod should execute the init container.
+	podStatus, err := m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
+	require.NoError(t, err)
+	result := m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
+	require.NoError(t, result.Error())
+	expected := []*cRecord{
+		{name: initContainers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_RUNNING},
+	}
+	verifyContainerStatuses(t, fakeRuntime, expected, "start only the init container")
+
+	// 2. should run all app containers because init container finished.
+	// Stop init container instance 0.
+	sandboxIDs, err := m.getSandboxIDByPodUID(tCtx, pod.UID, nil)
+	require.NoError(t, err)
+	sandboxID := sandboxIDs[0]
+	initID0, err := fakeRuntime.GetContainerID(sandboxID, initContainers[0].Name, 0)
+	require.NoError(t, err)
+	err = fakeRuntime.StopContainer(tCtx, initID0, 0)
+	require.NoError(t, err)
+	// Sync again.
+	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
+	require.NoError(t, err)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
+	require.NoError(t, result.Error())
+	expected = []*cRecord{
+		{name: initContainers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_EXITED},
+		{name: containers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_RUNNING},
+		{name: containers[1].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_RUNNING},
+	}
+	verifyContainerStatuses(t, fakeRuntime, expected, "init container completed; all app containers should be running")
+
+	// 3. Exits the container foo2 with code 42, the pod should be marked for RestartAllContainers, and
+	// should remove all containers.
+	sandboxIDs, err = m.getSandboxIDByPodUID(tCtx, pod.UID, nil)
+	require.NoError(t, err)
+	sandboxID = sandboxIDs[0]
+	foo2ID, err := fakeRuntime.GetContainerID(sandboxID, containers[1].Name, 0)
+	require.NoError(t, err)
+	failedFoo2 := fakeRuntime.Containers[foo2ID]
+	failedFoo2.State = runtimeapi.ContainerState_CONTAINER_EXITED
+	failedFoo2.ExitCode = 42
+	fakeRuntime.Containers[foo2ID] = failedFoo2
+
+	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
+	require.NoError(t, err)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, true)
+	require.NoError(t, result.Error())
+	expected = []*cRecord{}
+	verifyContainerStatuses(t, fakeRuntime, expected, "kill all containers")
+
+	// 4. Unmark the pod. Now it should start the init container first.
+	podStatus, err = m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
+	require.NoError(t, err)
+	result = m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
+	require.NoError(t, result.Error())
+	expected = []*cRecord{
+		{name: initContainers[0].Name, attempt: 0, state: runtimeapi.ContainerState_CONTAINER_RUNNING},
+	}
+	verifyContainerStatuses(t, fakeRuntime, expected, "start only the init container")
+}
+
 // A helper function to get a basic pod and its status assuming all sandbox and
 // containers are running and ready.
 func makeBasePodAndStatus() (*v1.Pod, *kubecontainer.PodStatus) {
@@ -1229,7 +1346,7 @@ func TestComputePodActions(t *testing.T) {
 			test.mutateStatusFn(status)
 		}
 		tCtx := ktesting.Init(t)
-		actions := m.computePodActions(tCtx, pod, status)
+		actions := m.computePodActions(tCtx, pod, status, false)
 		verifyActions(t, &test.actions, &actions, desc)
 		if test.resetStatusFn != nil {
 			test.resetStatusFn(status)
@@ -1237,6 +1354,345 @@ func TestComputePodActions(t *testing.T) {
 	}
 }
 
+func TestComputePodActionsForRestartAllContainers(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+	TestComputePodActions(t)
+	TestComputePodActionsWithInitContainers(t)
+
+	tCtx := ktesting.Init(t)
+	_, _, m, err := createTestRuntimeManager(tCtx)
+	require.NoError(t, err)
+
+	allContainersRestartingTrue := []v1.PodCondition{
+		{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionTrue,
+		},
+	}
+	allContainersRestartingFalse := []v1.PodCondition{
+		{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionFalse,
+		},
+	}
+
+	restartPolicyAlways := v1.ContainerRestartPolicyAlways
+	restartPolicyNever := v1.ContainerRestartPolicyNever
+	restartAllContainersRules := []v1.ContainerRestartRule{{
+		Action: v1.ContainerRestartRuleActionRestartAllContainers,
+		ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+			Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+			Values:   []int32{1},
+		},
+	}}
+
+	for desc, test := range map[string]struct {
+		podFunc               func() *v1.Pod
+		podStatusFunc         func() *kubecontainer.PodStatus
+		restartAllContainers  bool
+		containersToRemove    []containerToRemoveInfo
+		containersToStart     []int
+		initContainersToStart []int
+	}{
+		"pod not marked for RestartAllContainers": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatus()
+				pod.Status.Conditions = allContainersRestartingFalse
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatus()
+				return status
+			},
+		},
+		"pod marked for RestartAllContainers": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatus()
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatus()
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "foo1"}, containerID: kubecontainer.ContainerID{ID: "id1"}, kill: true},
+				{container: &v1.Container{Name: "foo2"}, containerID: kubecontainer.ContainerID{ID: "id2"}, kill: true},
+				{container: &v1.Container{Name: "foo3"}, containerID: kubecontainer.ContainerID{ID: "id3"}, kill: true},
+			},
+		},
+		"pod marked for RestartAllContainers with init containers": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithInitContainers()
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatusWithInitContainers()
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "init1"}, containerID: kubecontainer.ContainerID{ID: "initid1"}},
+				{container: &v1.Container{Name: "init2"}, containerID: kubecontainer.ContainerID{ID: "initid2"}},
+				{container: &v1.Container{Name: "init3"}, containerID: kubecontainer.ContainerID{ID: "initid3"}},
+			},
+		},
+		"pod marked for RestartAllContainers with restartable init containers": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithRestartableInitContainers()
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatusWithRestartableInitContainers()
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "restartable-init-1"}, containerID: kubecontainer.ContainerID{ID: "initid1"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-2"}, containerID: kubecontainer.ContainerID{ID: "initid2"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-3"}, containerID: kubecontainer.ContainerID{ID: "initid3"}, kill: true},
+			},
+		},
+		"init container exit triggers RestartAllContainers": {
+			// The init3 container exited and triggers RestartAllContainers,
+			// the init2 container is a running sidecar. First, the init1
+			// should be removed; second, the init2 containers should killed and
+			// be removed; lastly, init3 container should be removed.
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithInitContainers()
+				sidecar := pod.Spec.InitContainers[1]
+				sidecar.RestartPolicy = &restartPolicyAlways
+				pod.Spec.InitContainers[1] = sidecar
+				source := pod.Spec.InitContainers[2]
+				source.RestartPolicy = &restartPolicyNever
+				source.RestartPolicyRules = restartAllContainersRules
+				pod.Spec.InitContainers[2] = source
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatusWithInitContainers()
+				sidecarStatus := status.ContainerStatuses[1]
+				sidecarStatus.State = kubecontainer.ContainerStateRunning
+				status.ContainerStatuses[1] = sidecarStatus
+				sourceStatus := status.ContainerStatuses[2]
+				sourceStatus.ExitCode = 1
+				status.ContainerStatuses[2] = sourceStatus
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "init1"}, containerID: kubecontainer.ContainerID{ID: "initid1"}},
+				{container: &v1.Container{Name: "init2"}, containerID: kubecontainer.ContainerID{ID: "initid2"}, kill: true},
+				{container: &v1.Container{Name: "init3"}, containerID: kubecontainer.ContainerID{ID: "initid3"}},
+			},
+		},
+		"sidecar container exit triggers RestartAllContainres": {
+			// Restartable-init-3 fails and triggers RestartAllContainers.
+			// The running foo1 should be killed and removed first; then init-1 and init-2
+			// should be killed and removed; lastly init-3 should be removed.
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithRestartableInitContainers()
+				source := pod.Spec.InitContainers[2]
+				source.RestartPolicy = &restartPolicyAlways
+				source.RestartPolicyRules = restartAllContainersRules
+				pod.Spec.InitContainers[2] = source
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				pod, status := makeBasePodAndStatusWithRestartableInitContainers()
+				sourceStatus := status.ContainerStatuses[2]
+				sourceStatus.ExitCode = 1
+				sourceStatus.State = kubecontainer.ContainerStateExited
+				status.ContainerStatuses[2] = sourceStatus
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:  "foo1",
+					State: kubecontainer.ContainerStateRunning,
+					ID:    kubecontainer.ContainerID{ID: "id1"},
+					Hash:  kubecontainer.HashContainer(&pod.Spec.Containers[0]),
+				})
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "foo1"}, containerID: kubecontainer.ContainerID{ID: "id1"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-1"}, containerID: kubecontainer.ContainerID{ID: "initid1"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-2"}, containerID: kubecontainer.ContainerID{ID: "initid2"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-3"}, containerID: kubecontainer.ContainerID{ID: "initid3"}},
+			},
+		},
+		"regular container exit triggers RestartAllContainers": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithRestartableInitContainers()
+				source := pod.Spec.Containers[2]
+				source.RestartPolicy = &restartPolicyNever
+				source.RestartPolicyRules = restartAllContainersRules
+				pod.Spec.Containers[2] = source
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatusWithRestartableInitContainers()
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:  "foo1",
+					State: kubecontainer.ContainerStateRunning,
+					ID:    kubecontainer.ContainerID{ID: "id1"},
+				})
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:  "foo2",
+					State: kubecontainer.ContainerStateRunning,
+					ID:    kubecontainer.ContainerID{ID: "id2"},
+				})
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:     "foo3",
+					State:    kubecontainer.ContainerStateExited,
+					ExitCode: 1,
+					ID:       kubecontainer.ContainerID{ID: "id3"},
+				})
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "foo1"}, containerID: kubecontainer.ContainerID{ID: "id1"}, kill: true},
+				{container: &v1.Container{Name: "foo2"}, containerID: kubecontainer.ContainerID{ID: "id2"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-1"}, containerID: kubecontainer.ContainerID{ID: "initid1"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-2"}, containerID: kubecontainer.ContainerID{ID: "initid2"}, kill: true},
+				{container: &v1.Container{Name: "restartable-init-3"}, containerID: kubecontainer.ContainerID{ID: "initid3"}, kill: true},
+				{container: &v1.Container{Name: "foo3"}, containerID: kubecontainer.ContainerID{ID: "id3"}},
+			},
+		},
+		"removes past terminated statuses": {
+			// foo3 terminated and triggers restart all containers. All containers have started once at t0, and
+			// restarted once at t1. All container statuses should be removed; foo3 should be removed last
+			// because it triggered restart all containers.
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatus()
+				pod.Spec.RestartPolicy = v1.RestartPolicyAlways
+				source := pod.Spec.Containers[2]
+				source.RestartPolicy = &restartPolicyAlways
+				source.RestartPolicyRules = restartAllContainersRules
+				pod.Spec.Containers[2] = source
+				pod.Status.Conditions = allContainersRestartingTrue
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatus()
+				t1 := time.Now()
+				t0 := t1.Add(-time.Minute)
+				status.ContainerStatuses[0].CreatedAt = t1
+				status.ContainerStatuses[1].CreatedAt = t1
+				status.ContainerStatuses[2] = &kubecontainer.Status{
+					Name:      "foo3",
+					State:     kubecontainer.ContainerStateExited,
+					ExitCode:  1,
+					ID:        kubecontainer.ContainerID{ID: "id3"},
+					CreatedAt: t1,
+				}
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:      "foo1",
+					State:     kubecontainer.ContainerStateExited,
+					ExitCode:  99,
+					ID:        kubecontainer.ContainerID{ID: "id1-past"},
+					CreatedAt: t0,
+				})
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:      "foo2",
+					State:     kubecontainer.ContainerStateExited,
+					ExitCode:  99,
+					ID:        kubecontainer.ContainerID{ID: "id2-past"},
+					CreatedAt: t0,
+				})
+				status.ContainerStatuses = append(status.ContainerStatuses, &kubecontainer.Status{
+					Name:      "foo3",
+					State:     kubecontainer.ContainerStateExited,
+					ExitCode:  99,
+					ID:        kubecontainer.ContainerID{ID: "id3-past"},
+					CreatedAt: t0,
+				})
+				return status
+			},
+			restartAllContainers: true,
+			containersToRemove: []containerToRemoveInfo{
+				{container: &v1.Container{Name: "foo1"}, containerID: kubecontainer.ContainerID{ID: "id1"}, kill: true},
+				{container: &v1.Container{Name: "foo1"}, containerID: kubecontainer.ContainerID{ID: "id1-past"}},
+				{container: &v1.Container{Name: "foo2"}, containerID: kubecontainer.ContainerID{ID: "id2"}, kill: true},
+				{container: &v1.Container{Name: "foo2"}, containerID: kubecontainer.ContainerID{ID: "id2-past"}},
+				{container: &v1.Container{Name: "foo3"}, containerID: kubecontainer.ContainerID{ID: "id3-past"}},
+				{container: &v1.Container{Name: "foo3"}, containerID: kubecontainer.ContainerID{ID: "id3"}},
+			},
+		},
+		"all containers removed, start init container": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatusWithInitContainers()
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatus()
+				// Remove all containers from PodStatus to simulate cleanup
+				status.ContainerStatuses = []*kubecontainer.Status{}
+				return status
+			},
+			initContainersToStart: []int{0},
+		},
+		"all containers removed, start regular container": {
+			podFunc: func() *v1.Pod {
+				pod, _ := makeBasePodAndStatus()
+				return pod
+			},
+			podStatusFunc: func() *kubecontainer.PodStatus {
+				_, status := makeBasePodAndStatus()
+				// Remove all containers from PodStatus to simulate cleanup
+				status.ContainerStatuses = []*kubecontainer.Status{}
+				return status
+			},
+			containersToStart: []int{0, 1, 2},
+		},
+	} {
+		pod := test.podFunc()
+		status := test.podStatusFunc()
+		tCtx := ktesting.Init(t)
+		actions := m.computePodActions(tCtx, pod, status, test.restartAllContainers)
+
+		expected := &podActions{
+			CreateSandbox:     false,
+			KillPod:           false,
+			SandboxID:         status.SandboxStatuses[0].Id,
+			ContainersToKill:  map[kubecontainer.ContainerID]containerToKillInfo{},
+			ContainersToStart: []int{},
+		}
+		if test.containersToStart != nil {
+			expected.ContainersToStart = test.containersToStart
+		}
+		if test.initContainersToStart != nil {
+			expected.InitContainersToStart = test.initContainersToStart
+		}
+
+		containerSpecByName := make(map[string]*v1.Container)
+		for idx, c := range pod.Spec.Containers {
+			containerSpecByName[c.Name] = &pod.Spec.Containers[idx]
+		}
+		for idx, c := range pod.Spec.InitContainers {
+			containerSpecByName[c.Name] = &pod.Spec.InitContainers[idx]
+		}
+		for _, info := range test.containersToRemove {
+			cName := info.container.Name
+			info.container = containerSpecByName[cName]
+			expected.ContainersToReset = append(expected.ContainersToReset, info)
+		}
+
+		verifyActions(t, expected, &actions, desc)
+	}
+
+}
+
 func getKillMap(pod *v1.Pod, status *kubecontainer.PodStatus, cIndexes []int) map[kubecontainer.ContainerID]containerToKillInfo {
 	m := map[kubecontainer.ContainerID]containerToKillInfo{}
 	for _, i := range cIndexes {
@@ -1501,7 +1957,7 @@ func TestComputePodActionsWithInitContainers(t *testing.T) {
 				test.mutateStatusFn(status)
 			}
 			tCtx := ktesting.Init(t)
-			actions := m.computePodActions(tCtx, pod, status)
+			actions := m.computePodActions(tCtx, pod, status, false)
 			verifyActions(t, &test.actions, &actions, desc)
 		})
 	}
@@ -1908,7 +2364,7 @@ func TestComputePodActionsWithRestartableInitContainers(t *testing.T) {
 			test.mutateStatusFn(pod, status)
 		}
 		tCtx := ktesting.Init(t)
-		actions := m.computePodActions(tCtx, pod, status)
+		actions := m.computePodActions(tCtx, pod, status, false)
 		verifyActions(t, &test.actions, &actions, desc)
 		if test.resetStatusFn != nil {
 			test.resetStatusFn(status)
@@ -2103,7 +2559,7 @@ func TestComputePodActionsWithInitAndEphemeralContainers(t *testing.T) {
 				test.mutateStatusFn(status)
 			}
 			tCtx := ktesting.Init(t)
-			actions := m.computePodActions(tCtx, pod, status)
+			actions := m.computePodActions(tCtx, pod, status, false)
 			verifyActions(t, &test.actions, &actions, desc)
 		})
 	}
@@ -2244,7 +2700,7 @@ func TestComputePodActionsWithContainerRestartRules(t *testing.T) {
 			test.mutateStatusFn(status)
 		}
 		ctx := context.Background()
-		actions := m.computePodActions(ctx, pod, status)
+		actions := m.computePodActions(ctx, pod, status, false)
 		verifyActions(t, &test.actions, &actions, desc)
 		if test.resetStatusFn != nil {
 			test.resetStatusFn(status)
@@ -2284,7 +2740,7 @@ func TestSyncPodWithSandboxAndDeletedPod(t *testing.T) {
 	// the fakePodProvider so they are 'deleted'.
 	podStatus, err := m.GetPodStatus(tCtx, pod.UID, pod.Name, pod.Namespace)
 	assert.NoError(t, err)
-	result := m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff)
+	result := m.SyncPod(tCtx, pod, podStatus, []v1.Secret{}, backOff, false)
 	// This will return an error if the pod has _not_ been deleted.
 	assert.NoError(t, result.Error())
 }
@@ -2318,7 +2774,11 @@ func makeBasePodAndStatusWithInitAndEphemeralContainers() (*v1.Pod, *kubecontain
 }
 
 func TestComputePodActionsForPodResize(t *testing.T) {
+	if goruntime.GOOS == "windows" {
+		t.Skip("InPlacePodVerticalScaling is currently not supported on Windows")
+	}
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, true)
+
 	tCtx := ktesting.Init(t)
 	_, _, m, err := createTestRuntimeManager(tCtx)
 	m.machineInfo.MemoryCapacity = 17179860387 // 16GB
@@ -2328,6 +2788,10 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 	cpu200m := resource.MustParse("200m")
 	mem100M := resource.MustParse("100Mi")
 	mem200M := resource.MustParse("200Mi")
+	cpu300m := resource.MustParse("300m")
+	cpu600m := resource.MustParse("600m")
+	mem300M := resource.MustParse("300Mi")
+	mem600M := resource.MustParse("600Mi")
 	cpuPolicyRestartNotRequired := v1.ContainerResizePolicy{ResourceName: v1.ResourceCPU, RestartPolicy: v1.NotRequired}
 	memPolicyRestartNotRequired := v1.ContainerResizePolicy{ResourceName: v1.ResourceMemory, RestartPolicy: v1.NotRequired}
 	cpuPolicyRestartRequired := v1.ContainerResizePolicy{ResourceName: v1.ResourceCPU, RestartPolicy: v1.RestartContainer}
@@ -2336,14 +2800,89 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 	setupActuatedResources := func(pod *v1.Pod, container *v1.Container, actuatedResources v1.ResourceRequirements) {
 		actuatedContainer := container.DeepCopy()
 		actuatedContainer.Resources = actuatedResources
-		require.NoError(t, m.allocationManager.SetActuatedResources(pod, actuatedContainer))
+		require.NoError(t, m.actuatedState.SetContainerResources(pod.UID, actuatedContainer.Name, actuatedContainer.Resources))
+	}
+
+	setupActuatedPodResources := func(pod *v1.Pod, actuatedPodResources *v1.ResourceRequirements) {
+		require.NoError(t, m.actuatedState.SetPodLevelResources(pod.UID, actuatedPodResources))
+
 	}
 
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
 	for desc, test := range map[string]struct {
 		setupFn                 func(*v1.Pod)
 		getExpectedPodActionsFn func(*v1.Pod, *kubecontainer.PodStatus) *podActions
+		podLevelResizeEnabled   bool
 	}{
-		"Update container CPU and memory resources": {
+		"Update pod-level CPU and memory resources pod resize disabled": {
+			setupFn: func(pod *v1.Pod) {
+				c := &pod.Spec.Containers[1]
+				c.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				setupActuatedResources(pod, c, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceMemory: mem200M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				pa := podActions{
+					SandboxID:          podStatus.SandboxStatuses[0].Id,
+					ContainersToStart:  []int{},
+					ContainersToKill:   getKillMap(pod, podStatus, []int{}),
+					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{},
+				}
+				return &pa
+			},
+		},
+		"Update pod-level CPU and memory resources": {
+			setupFn: func(pod *v1.Pod) {
+				for i, container := range pod.Spec.Containers {
+					container.Resources = v1.ResourceRequirements{
+						Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+					}
+					pod.Spec.Containers[i].Resources = container.Resources
+
+					setupActuatedResources(pod, &container, v1.ResourceRequirements{
+						Limits: v1.ResourceList{
+							v1.ResourceCPU:    cpu100m.DeepCopy(),
+							v1.ResourceMemory: mem100M.DeepCopy(),
+						},
+					})
+				}
+
+				pod.Spec.Resources = &v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu200m, v1.ResourceMemory: mem200M},
+				}
+
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				pa := podActions{
+					SandboxID:               podStatus.SandboxStatuses[0].Id,
+					ContainersToStart:       []int{},
+					ContainersToKill:        getKillMap(pod, podStatus, []int{}),
+					ContainersToUpdate:      map[v1.ResourceName][]containerToUpdateInfo{},
+					UpdatePodLevelResources: true,
+				}
+				return &pa
+			},
+			podLevelResizeEnabled: true,
+		},
+		"Update pod-level and container CPU and memory resources pod resize disabled": {
 			setupFn: func(pod *v1.Pod) {
 				c := &pod.Spec.Containers[1]
 				c.Resources = v1.ResourceRequirements{
@@ -2355,6 +2894,12 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 						v1.ResourceMemory: mem200M.DeepCopy(),
 					},
 				})
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceMemory: mem200M.DeepCopy(),
+					},
+				})
 			},
 			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
 				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[1].Name)
@@ -2396,16 +2941,35 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 				return &pa
 			},
 		},
-		"Update container CPU resources": {
+		"Update pod-level resources and container CPU and memory resources": {
 			setupFn: func(pod *v1.Pod) {
-				c := &pod.Spec.Containers[1]
-				c.Resources = v1.ResourceRequirements{
+				c0 := &pod.Spec.Containers[0]
+				c0.Resources = v1.ResourceRequirements{
 					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
 				}
-				setupActuatedResources(pod, c, v1.ResourceRequirements{
+				c1 := &pod.Spec.Containers[1]
+				c1.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu200m, v1.ResourceMemory: mem200M},
+				}
+				c2 := &pod.Spec.Containers[2]
+				c2.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				for _, container := range pod.Spec.Containers {
+					setupActuatedResources(pod, &container, v1.ResourceRequirements{
+						Limits: v1.ResourceList{
+							v1.ResourceCPU:    cpu100m.DeepCopy(),
+							v1.ResourceMemory: mem100M.DeepCopy(),
+						},
+					})
+				}
+				pod.Spec.Resources = &v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu600m, v1.ResourceMemory: mem600M},
+				}
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
 					Limits: v1.ResourceList{
-						v1.ResourceCPU:    cpu200m.DeepCopy(),
-						v1.ResourceMemory: mem100M.DeepCopy(),
+						v1.ResourceCPU:    cpu300m.DeepCopy(),
+						v1.ResourceMemory: mem300M.DeepCopy(),
 					},
 				})
 			},
@@ -2416,40 +2980,77 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 					ContainersToStart: []int{},
 					ContainersToKill:  getKillMap(pod, podStatus, []int{}),
 					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{
-						v1.ResourceCPU: {
+						v1.ResourceMemory: {
 							{
 								container:       &pod.Spec.Containers[1],
 								kubeContainerID: kcs.ID,
 								desiredContainerResources: containerResources{
+									memoryLimit: mem200M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
 									memoryLimit: mem100M.Value(),
 									cpuLimit:    cpu100m.MilliValue(),
 								},
+							},
+						},
+						v1.ResourceCPU: {
+							{
+								container:       &pod.Spec.Containers[1],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem200M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
 								currentContainerResources: &containerResources{
 									memoryLimit: mem100M.Value(),
-									cpuLimit:    cpu200m.MilliValue(),
+									cpuLimit:    cpu100m.MilliValue(),
 								},
 							},
 						},
 					},
+					UpdatePodLevelResources: true,
 				}
 				return &pa
 			},
+			podLevelResizeEnabled: true,
 		},
-		"Update container memory resources": {
+		"Update pod-level limits and container updated by default": {
 			setupFn: func(pod *v1.Pod) {
-				c := &pod.Spec.Containers[2]
-				c.Resources = v1.ResourceRequirements{
-					Limits: v1.ResourceList{v1.ResourceCPU: cpu200m, v1.ResourceMemory: mem200M},
+				c0 := &pod.Spec.Containers[0]
+				c0.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
 				}
-				setupActuatedResources(pod, c, v1.ResourceRequirements{
+				setupActuatedResources(pod, c0, v1.ResourceRequirements{
 					Limits: v1.ResourceList{
-						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+				// no resources set for c1 container
+				c2 := &pod.Spec.Containers[2]
+				c2.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				setupActuatedResources(pod, c2, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
 						v1.ResourceMemory: mem100M.DeepCopy(),
 					},
 				})
+
+				pod.Spec.Resources = &v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu600m, v1.ResourceMemory: mem600M},
+				}
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu300m.DeepCopy(),
+						v1.ResourceMemory: mem300M.DeepCopy(),
+					},
+				})
 			},
 			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
-				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[2].Name)
+				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[1].Name)
 				pa := podActions{
 					SandboxID:         podStatus.SandboxStatuses[0].Id,
 					ContainersToStart: []int{},
@@ -2457,20 +3058,224 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{
 						v1.ResourceMemory: {
 							{
-								container:       &pod.Spec.Containers[2],
+								container:       &pod.Spec.Containers[1],
 								kubeContainerID: kcs.ID,
 								desiredContainerResources: containerResources{
-									memoryLimit: mem200M.Value(),
-									cpuLimit:    cpu200m.MilliValue(),
+									memoryLimit: mem600M.Value(),
+									cpuLimit:    cpu600m.MilliValue(),
 								},
 								currentContainerResources: &containerResources{
-									memoryLimit: mem100M.Value(),
-									cpuLimit:    cpu200m.MilliValue(),
+									memoryLimit: mem300M.Value(),
+									cpuLimit:    cpu300m.MilliValue(),
 								},
 							},
 						},
-					},
-				}
+						v1.ResourceCPU: {
+							{
+								container:       &pod.Spec.Containers[1],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem600M.Value(),
+									cpuLimit:    cpu600m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
+									memoryLimit: mem300M.Value(),
+									cpuLimit:    cpu300m.MilliValue(),
+								},
+							},
+						},
+					},
+					UpdatePodLevelResources: true,
+				}
+				return &pa
+			},
+			podLevelResizeEnabled: true,
+		},
+		"Update pod-level limits and container to kill updated by default": {
+			setupFn: func(pod *v1.Pod) {
+				c0 := &pod.Spec.Containers[0]
+				c0.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+
+				setupActuatedResources(pod, c0, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+				// no resources set for c1 container
+				c1 := &pod.Spec.Containers[1]
+				setupActuatedResources(pod, c1, v1.ResourceRequirements{})
+				c1.ResizePolicy = []v1.ContainerResizePolicy{cpuPolicyRestartRequired, memPolicyRestartNotRequired}
+				c2 := &pod.Spec.Containers[2]
+				c2.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				setupActuatedResources(pod, c2, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu100m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+
+				pod.Spec.Resources = &v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu600m, v1.ResourceMemory: mem600M},
+				}
+				setupActuatedPodResources(pod, &v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu300m.DeepCopy(),
+						v1.ResourceMemory: mem300M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[1].Name)
+				killMap := make(map[kubecontainer.ContainerID]containerToKillInfo)
+				killMap[kcs.ID] = containerToKillInfo{
+					container: &pod.Spec.Containers[1],
+					name:      pod.Spec.Containers[1].Name,
+				}
+				pa := podActions{
+					SandboxID:               podStatus.SandboxStatuses[0].Id,
+					ContainersToStart:       []int{1},
+					ContainersToKill:        killMap,
+					ContainersToUpdate:      map[v1.ResourceName][]containerToUpdateInfo{},
+					UpdatePodLevelResources: true,
+					UpdatePodResources:      true,
+				}
+				return &pa
+			},
+			podLevelResizeEnabled: true,
+		},
+		"Update container CPU and memory resources": {
+			setupFn: func(pod *v1.Pod) {
+				c := &pod.Spec.Containers[1]
+				c.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				setupActuatedResources(pod, c, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceMemory: mem200M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[1].Name)
+				pa := podActions{
+					SandboxID:         podStatus.SandboxStatuses[0].Id,
+					ContainersToStart: []int{},
+					ContainersToKill:  getKillMap(pod, podStatus, []int{}),
+					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{
+						v1.ResourceMemory: {
+							{
+								container:       &pod.Spec.Containers[1],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem100M.Value(),
+									cpuLimit:    cpu100m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
+									memoryLimit: mem200M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+							},
+						},
+						v1.ResourceCPU: {
+							{
+								container:       &pod.Spec.Containers[1],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem100M.Value(),
+									cpuLimit:    cpu100m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
+									memoryLimit: mem200M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+							},
+						},
+					},
+				}
+				return &pa
+			},
+		},
+		"Update container CPU resources": {
+			setupFn: func(pod *v1.Pod) {
+				c := &pod.Spec.Containers[1]
+				c.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu100m, v1.ResourceMemory: mem100M},
+				}
+				setupActuatedResources(pod, c, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[1].Name)
+				pa := podActions{
+					SandboxID:         podStatus.SandboxStatuses[0].Id,
+					ContainersToStart: []int{},
+					ContainersToKill:  getKillMap(pod, podStatus, []int{}),
+					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{
+						v1.ResourceCPU: {
+							{
+								container:       &pod.Spec.Containers[1],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem100M.Value(),
+									cpuLimit:    cpu100m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
+									memoryLimit: mem100M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+							},
+						},
+					},
+				}
+				return &pa
+			},
+		},
+		"Update container memory resources": {
+			setupFn: func(pod *v1.Pod) {
+				c := &pod.Spec.Containers[2]
+				c.Resources = v1.ResourceRequirements{
+					Limits: v1.ResourceList{v1.ResourceCPU: cpu200m, v1.ResourceMemory: mem200M},
+				}
+				setupActuatedResources(pod, c, v1.ResourceRequirements{
+					Limits: v1.ResourceList{
+						v1.ResourceCPU:    cpu200m.DeepCopy(),
+						v1.ResourceMemory: mem100M.DeepCopy(),
+					},
+				})
+			},
+			getExpectedPodActionsFn: func(pod *v1.Pod, podStatus *kubecontainer.PodStatus) *podActions {
+				kcs := podStatus.FindContainerStatusByName(pod.Spec.Containers[2].Name)
+				pa := podActions{
+					SandboxID:         podStatus.SandboxStatuses[0].Id,
+					ContainersToStart: []int{},
+					ContainersToKill:  getKillMap(pod, podStatus, []int{}),
+					ContainersToUpdate: map[v1.ResourceName][]containerToUpdateInfo{
+						v1.ResourceMemory: {
+							{
+								container:       &pod.Spec.Containers[2],
+								kubeContainerID: kcs.ID,
+								desiredContainerResources: containerResources{
+									memoryLimit: mem200M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+								currentContainerResources: &containerResources{
+									memoryLimit: mem100M.Value(),
+									cpuLimit:    cpu200m.MilliValue(),
+								},
+							},
+						},
+					},
+				}
 				return &pa
 			},
 		},
@@ -2746,6 +3551,9 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 		},
 	} {
 		t.Run(desc, func(t *testing.T) {
+			if test.podLevelResizeEnabled {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+			}
 			pod, status := makeBasePodAndStatus()
 			for idx := range pod.Spec.Containers {
 				// default resize policy when pod resize feature is enabled
@@ -2754,7 +3562,7 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 			if test.setupFn != nil {
 				test.setupFn(pod)
 			}
-			t.Cleanup(func() { m.allocationManager.RemovePod(pod.UID) })
+			t.Cleanup(func() { _ = m.actuatedState.RemovePod(pod.UID) })
 
 			for idx := range pod.Spec.Containers {
 				// compute hash
@@ -2765,7 +3573,7 @@ func TestComputePodActionsForPodResize(t *testing.T) {
 
 			tCtx := ktesting.Init(t)
 			expectedActions := test.getExpectedPodActionsFn(pod, status)
-			actions := m.computePodActions(tCtx, pod, status)
+			actions := m.computePodActions(tCtx, pod, status, false)
 			verifyActions(t, expectedActions, &actions, desc)
 		})
 	}
@@ -2976,7 +3784,6 @@ func TestToKubeContainerImageVolumes(t *testing.T) {
 
 func TestGetImageVolumes(t *testing.T) {
 	tCtx := ktesting.Init(t)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ImageVolume, true)
 
 	_, _, manager, err := createTestRuntimeManager(tCtx)
 	require.NoError(t, err)
@@ -3207,7 +4014,8 @@ func TestDoPodResizeAction(t *testing.T) {
 				CPUQuota:  ptr.To(cm.MilliCPUToQuota(podCPULimit, cm.QuotaPeriod)),
 			}, nil).Maybe()
 			if tc.expectPodCgroupUpdates > 0 {
-				mockPCM.EXPECT().SetPodCgroupConfig(mock.Anything, mock.Anything).Return(nil).Times(tc.expectPodCgroupUpdates)
+				// TODO: Update to use proper logger once contextual logging migration is complete
+				mockPCM.EXPECT().SetPodCgroupConfig(klog.TODO(), mock.Anything, mock.Anything).Return(nil).Times(tc.expectPodCgroupUpdates)
 			}
 
 			pod, kps := makeBasePodAndStatus()
@@ -3252,7 +4060,8 @@ func TestDoPodResizeAction(t *testing.T) {
 								UsageBytes: ptr.To[uint64](10),
 							},
 						}},
-					}},
+					},
+				},
 			}
 
 			updateInfo := containerToUpdateInfo{
@@ -3287,7 +4096,7 @@ func TestDoPodResizeAction(t *testing.T) {
 	metrics.PodResizeDurationMilliseconds.Reset()
 }
 
-func TestCheckPodResize(t *testing.T) {
+func TestValidatePodResizeAction(t *testing.T) {
 	if goruntime.GOOS != "linux" {
 		t.Skip("unsupported OS")
 	}
@@ -3543,10 +4352,9 @@ func TestCheckPodResize(t *testing.T) {
 }
 
 func TestIncrementImageVolumeMetrics(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ImageVolume, true)
-	legacyregistry.MustRegister(metrics.ImageVolumeRequestedTotal)
-	legacyregistry.MustRegister(metrics.ImageVolumeMountedSucceedTotal)
-	legacyregistry.MustRegister(metrics.ImageVolumeMountedErrorsTotal)
+	legacyregistry.Register(metrics.ImageVolumeRequestedTotal)      //nolint:errcheck
+	legacyregistry.Register(metrics.ImageVolumeMountedSucceedTotal) //nolint:errcheck
+	legacyregistry.Register(metrics.ImageVolumeMountedErrorsTotal)  //nolint:errcheck
 
 	testCases := map[string]struct {
 		err          error
@@ -3566,13 +4374,13 @@ func TestIncrementImageVolumeMetrics(t *testing.T) {
 				"mount3": {Image: "image3"},
 			},
 			wants: `
-				# HELP kubelet_image_volume_mounted_errors_total [ALPHA] Number of failed image volume mounts.
+				# HELP kubelet_image_volume_mounted_errors_total [BETA] Number of failed image volume mounts.
 				# TYPE kubelet_image_volume_mounted_errors_total counter
         		kubelet_image_volume_mounted_errors_total 0
-        		# HELP kubelet_image_volume_mounted_succeed_total [ALPHA] Number of successful image volume mounts.
+        		# HELP kubelet_image_volume_mounted_succeed_total [BETA] Number of successful image volume mounts.
         		# TYPE kubelet_image_volume_mounted_succeed_total counter
         		kubelet_image_volume_mounted_succeed_total 2
-        		# HELP kubelet_image_volume_requested_total [ALPHA] Number of requested image volumes.
+        		# HELP kubelet_image_volume_requested_total [BETA] Number of requested image volumes.
         		# TYPE kubelet_image_volume_requested_total counter
         		kubelet_image_volume_requested_total 3
 			`,
@@ -3590,13 +4398,13 @@ func TestIncrementImageVolumeMetrics(t *testing.T) {
 				"mount3": {Image: "image3"},
 			},
 			wants: `
-				# HELP kubelet_image_volume_mounted_errors_total [ALPHA] Number of failed image volume mounts.
+				# HELP kubelet_image_volume_mounted_errors_total [BETA] Number of failed image volume mounts.
 				# TYPE kubelet_image_volume_mounted_errors_total counter
         		kubelet_image_volume_mounted_errors_total 2
-        		# HELP kubelet_image_volume_mounted_succeed_total [ALPHA] Number of successful image volume mounts.
+        		# HELP kubelet_image_volume_mounted_succeed_total [BETA] Number of successful image volume mounts.
         		# TYPE kubelet_image_volume_mounted_succeed_total counter
         		kubelet_image_volume_mounted_succeed_total 0
-        		# HELP kubelet_image_volume_requested_total [ALPHA] Number of requested image volumes.
+        		# HELP kubelet_image_volume_requested_total [BETA] Number of requested image volumes.
         		# TYPE kubelet_image_volume_requested_total counter
         		kubelet_image_volume_requested_total 3
 			`,
@@ -3614,13 +4422,13 @@ func TestIncrementImageVolumeMetrics(t *testing.T) {
 				"mount3": {Image: "image3"},
 			},
 			wants: `
-				# HELP kubelet_image_volume_mounted_errors_total [ALPHA] Number of failed image volume mounts.
+				# HELP kubelet_image_volume_mounted_errors_total [BETA] Number of failed image volume mounts.
 				# TYPE kubelet_image_volume_mounted_errors_total counter
         		kubelet_image_volume_mounted_errors_total 0
-        		# HELP kubelet_image_volume_mounted_succeed_total [ALPHA] Number of successful image volume mounts.
+        		# HELP kubelet_image_volume_mounted_succeed_total [BETA] Number of successful image volume mounts.
         		# TYPE kubelet_image_volume_mounted_succeed_total counter
         		kubelet_image_volume_mounted_succeed_total 2
-        		# HELP kubelet_image_volume_requested_total [ALPHA] Number of requested image volumes.
+        		# HELP kubelet_image_volume_requested_total [BETA] Number of requested image volumes.
         		# TYPE kubelet_image_volume_requested_total counter
         		kubelet_image_volume_requested_total 3
 			`,
@@ -3631,13 +4439,13 @@ func TestIncrementImageVolumeMetrics(t *testing.T) {
 			},
 			imageVolumes: kubecontainer.ImageVolumes{},
 			wants: `
-				# HELP kubelet_image_volume_mounted_errors_total [ALPHA] Number of failed image volume mounts.
+				# HELP kubelet_image_volume_mounted_errors_total [BETA] Number of failed image volume mounts.
 				# TYPE kubelet_image_volume_mounted_errors_total counter
         		kubelet_image_volume_mounted_errors_total 0
-        		# HELP kubelet_image_volume_mounted_succeed_total [ALPHA] Number of successful image volume mounts.
+        		# HELP kubelet_image_volume_mounted_succeed_total [BETA] Number of successful image volume mounts.
         		# TYPE kubelet_image_volume_mounted_succeed_total counter
         		kubelet_image_volume_mounted_succeed_total 0
-        		# HELP kubelet_image_volume_requested_total [ALPHA] Number of requested image volumes.
+        		# HELP kubelet_image_volume_requested_total [BETA] Number of requested image volumes.
         		# TYPE kubelet_image_volume_requested_total counter
         		kubelet_image_volume_requested_total 0
 			`,
@@ -3664,3 +4472,652 @@ func TestIncrementImageVolumeMetrics(t *testing.T) {
 		})
 	}
 }
+
+func TestIsPodResizeInProgress(t *testing.T) {
+	type testResources struct {
+		cpuReq, cpuLim, memReq, memLim int64
+	}
+	type testContainer struct {
+		allocated               testResources
+		actuated                *testResources
+		nonSidecarInit, sidecar bool
+		isRunning               bool
+		unstarted               bool // Whether the container is missing from the pod status
+	}
+
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+	type testPLR struct {
+		allocated testResources
+		actuated  *testResources
+	}
+
+	tests := []struct {
+		name                         string
+		podLevelResources            *testPLR
+		containers                   []testContainer
+		expectHasResize              bool
+		inplacePodLevelResizeEnabled bool
+	}{{
+		name: "simple running container",
+		containers: []testContainer{{
+			allocated: testResources{100, 100, 100, 100},
+			actuated:  &testResources{100, 100, 100, 100},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "simple unstarted container",
+		containers: []testContainer{{
+			allocated: testResources{100, 100, 100, 100},
+			unstarted: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "simple resized container/cpu req",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{150, 200, 100, 200},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "simple resized container/cpu limit",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 300, 100, 200},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "simple resized container/mem req",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 150, 200},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "simple resized container/cpu+mem req",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{150, 200, 150, 200},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "simple resized container/mem limit",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 300},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "terminated resized container",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{200, 200, 100, 200},
+			isRunning: false,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "non-sidecar init container",
+		containers: []testContainer{{
+			allocated:      testResources{100, 200, 100, 200},
+			nonSidecarInit: true,
+			isRunning:      true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 200},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "non-resized sidecar",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 200},
+			sidecar:   true,
+			isRunning: true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 200},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "resized sidecar",
+		containers: []testContainer{{
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{200, 200, 100, 200},
+			sidecar:   true,
+			isRunning: true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 200},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "several containers and a resize",
+		containers: []testContainer{{
+			allocated:      testResources{100, 200, 100, 200},
+			nonSidecarInit: true,
+			isRunning:      true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{100, 200, 100, 200},
+			isRunning: true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			unstarted: true,
+		}, {
+			allocated: testResources{100, 200, 100, 200},
+			actuated:  &testResources{200, 200, 100, 200}, // Resized
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "several containers",
+		containers: []testContainer{{
+			allocated: testResources{cpuReq: 100, cpuLim: 200},
+			actuated:  &testResources{cpuReq: 100, cpuLim: 200},
+			sidecar:   true,
+			isRunning: true,
+		}, {
+			allocated: testResources{memReq: 100, memLim: 200},
+			actuated:  &testResources{memReq: 100, memLim: 200},
+			isRunning: true,
+		}, {
+			allocated: testResources{cpuReq: 200, memReq: 100},
+			actuated:  &testResources{cpuReq: 200, memReq: 100},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "best-effort pod",
+		containers: []testContainer{{
+			allocated: testResources{},
+			actuated:  &testResources{},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "burstable pod/not resizing",
+		containers: []testContainer{{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 100},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "burstable pod/resized",
+		containers: []testContainer{{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 500},
+			isRunning: true,
+		}},
+		expectHasResize: true,
+	}, {
+		name: "only-plr/not resizing",
+		podLevelResources: &testPLR{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 100},
+		},
+		containers: []testContainer{{
+			allocated: testResources{},
+			actuated:  &testResources{},
+			isRunning: true,
+		}},
+		expectHasResize: false,
+	}, {
+		name: "only-plr/resizing",
+		podLevelResources: &testPLR{
+			allocated: testResources{cpuReq: 200},
+			actuated:  &testResources{cpuReq: 100},
+		},
+		containers: []testContainer{{
+			allocated: testResources{},
+			actuated:  &testResources{},
+			isRunning: true,
+		}},
+		expectHasResize:              true,
+		inplacePodLevelResizeEnabled: true,
+	}, {
+		name: "only-plr/resizing feature gate disabled",
+		podLevelResources: &testPLR{
+			allocated: testResources{cpuReq: 200},
+			actuated:  &testResources{cpuReq: 100},
+		},
+		containers: []testContainer{{
+			allocated: testResources{},
+			actuated:  &testResources{},
+			isRunning: true,
+		}},
+		expectHasResize:              false,
+		inplacePodLevelResizeEnabled: false,
+	}, {
+		name: "plr/container resizing featuregate disabled",
+		podLevelResources: &testPLR{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 100},
+		},
+		containers: []testContainer{{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 50},
+			isRunning: true,
+		}},
+		expectHasResize:              true,
+		inplacePodLevelResizeEnabled: false,
+	}, {
+		name: "plr/container resizing",
+		podLevelResources: &testPLR{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 100},
+		},
+		containers: []testContainer{{
+			allocated: testResources{cpuReq: 100},
+			actuated:  &testResources{cpuReq: 50},
+			isRunning: true,
+		}},
+		expectHasResize:              true,
+		inplacePodLevelResizeEnabled: true,
+	}, {
+		name: "plr/pod resizing",
+		podLevelResources: &testPLR{
+			allocated: testResources{memReq: 100},
+			actuated:  &testResources{memReq: 200},
+		},
+		containers: []testContainer{{
+			allocated: testResources{memReq: 100},
+			actuated:  &testResources{memReq: 100},
+			isRunning: true,
+		}},
+		expectHasResize:              true,
+		inplacePodLevelResizeEnabled: true,
+	}}
+
+	mkRequirements := func(r testResources) v1.ResourceRequirements {
+		res := v1.ResourceRequirements{
+			Requests: v1.ResourceList{},
+			Limits:   v1.ResourceList{},
+		}
+		if r.cpuReq != 0 {
+			res.Requests[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuReq, resource.DecimalSI)
+		}
+		if r.cpuLim != 0 {
+			res.Limits[v1.ResourceCPU] = *resource.NewMilliQuantity(r.cpuLim, resource.DecimalSI)
+		}
+		if r.memReq != 0 {
+			res.Requests[v1.ResourceMemory] = *resource.NewQuantity(r.memReq, resource.DecimalSI)
+		}
+		if r.memLim != 0 {
+			res.Limits[v1.ResourceMemory] = *resource.NewQuantity(r.memLim, resource.DecimalSI)
+		}
+		return res
+	}
+	mkContainer := func(index int, c testContainer) v1.Container {
+		container := v1.Container{
+			Name:      fmt.Sprintf("c%d", index),
+			Resources: mkRequirements(c.allocated),
+		}
+		if c.sidecar {
+			container.RestartPolicy = ptr.To(v1.ContainerRestartPolicyAlways)
+		}
+		return container
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.inplacePodLevelResizeEnabled {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+			}
+			tCtx := ktesting.Init(t)
+			_, _, m, err := createTestRuntimeManager(tCtx)
+			require.NoError(t, err)
+
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-pod",
+					UID:  "12345",
+				},
+			}
+			podStatus := &kubecontainer.PodStatus{
+				ID:   pod.UID,
+				Name: pod.Name,
+			}
+
+			for i, c := range test.containers {
+				// Add the container to the pod
+				container := mkContainer(i, c)
+				if c.nonSidecarInit || c.sidecar {
+					pod.Spec.InitContainers = append(pod.Spec.InitContainers, container)
+				} else {
+					pod.Spec.Containers = append(pod.Spec.Containers, container)
+				}
+
+				// Add the container to the pod status, if it's started.
+				if !test.containers[i].unstarted {
+					cs := kubecontainer.Status{
+						Name: container.Name,
+					}
+					if test.containers[i].isRunning {
+						cs.State = kubecontainer.ContainerStateRunning
+					} else {
+						cs.State = kubecontainer.ContainerStateExited
+					}
+					podStatus.ContainerStatuses = append(podStatus.ContainerStatuses, &cs)
+				}
+
+				// Register the actuated container (if needed)
+				if c.actuated != nil {
+					actuatedContainer := container.DeepCopy()
+					actuatedContainer.Resources = mkRequirements(*c.actuated)
+					require.NoError(t, m.actuatedState.SetContainerResources(pod.UID, actuatedContainer.Name, actuatedContainer.Resources))
+
+					fetched, found := m.actuatedState.GetContainerResources(pod.UID, container.Name)
+					require.True(t, found)
+					assert.Equal(t, actuatedContainer.Resources, fetched)
+				} else {
+					_, found := m.actuatedState.GetContainerResources(pod.UID, container.Name)
+					require.False(t, found)
+				}
+			}
+
+			if test.podLevelResources != nil {
+				reqs := mkRequirements(test.podLevelResources.allocated)
+				pod.Spec.Resources = &reqs
+
+				if test.podLevelResources.actuated != nil {
+					actuatedReqs := mkRequirements(*test.podLevelResources.actuated)
+					require.NoError(t, m.actuatedState.SetPodLevelResources(pod.UID, &actuatedReqs))
+
+					fetched, found := m.actuatedState.GetPodLevelResources(pod.UID)
+					require.True(t, found)
+					assert.Equal(t, &actuatedReqs, fetched)
+				}
+			}
+
+			resizeInProgress := m.IsPodResizeInProgress(pod, podStatus)
+			assert.Equal(t, test.expectHasResize, resizeInProgress)
+		})
+	}
+}
+
+func TestDoBackOff(t *testing.T) {
+	fakeClock := testingclock.NewFakeClock(time.Now())
+	tests := []struct {
+		name              string
+		podStatus         *kubecontainer.PodStatus
+		backoff           *flowcontrol.Backoff
+		backoffUpdateFn   func(*flowcontrol.Backoff, *v1.Pod, *kubecontainer.PodStatus)
+		expectedInBackOff bool
+		expectedError     error
+	}{
+		{
+			name: "container running",
+			podStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{
+					{
+						Name:  "foocontainer",
+						State: kubecontainer.ContainerStateRunning,
+					},
+				},
+			},
+			backoff:           flowcontrol.NewFakeBackOff(time.Second, time.Minute, fakeClock),
+			expectedInBackOff: false,
+		},
+		{
+			name: "not in backoff",
+			podStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{
+					{
+						Name:       "foocontainer",
+						State:      kubecontainer.ContainerStateExited,
+						FinishedAt: fakeClock.Now(),
+					},
+				},
+			},
+			backoff:           flowcontrol.NewFakeBackOff(time.Second, time.Minute, fakeClock),
+			expectedInBackOff: false,
+		},
+		{
+			name: "in backoff",
+			podStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{
+					{
+						Name:       "foocontainer",
+						State:      kubecontainer.ContainerStateExited,
+						FinishedAt: fakeClock.Now(),
+					},
+				},
+			},
+			backoff: flowcontrol.NewFakeBackOff(time.Second, time.Minute, fakeClock),
+			backoffUpdateFn: func(backoff *flowcontrol.Backoff, pod *v1.Pod, podStatus *kubecontainer.PodStatus) {
+				key := GetBackoffKey(pod, &pod.Spec.Containers[0])
+				backoff.Next(key, podStatus.ContainerStatuses[0].FinishedAt)
+			},
+			expectedInBackOff: true,
+			expectedError:     kubecontainer.NewBackoffError(kubecontainer.ErrCrashLoopBackOff, fakeClock.Now().Add(time.Second)),
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
+			_, _, m, err := createTestRuntimeManager(tCtx)
+			require.NoError(t, err)
+
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					UID:       "12345678",
+					Name:      "foo",
+					Namespace: "new",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:  "foocontainer",
+							Image: "busybox",
+						},
+					},
+				},
+			}
+			container := &pod.Spec.Containers[0]
+
+			if tc.backoffUpdateFn != nil {
+				tc.backoffUpdateFn(tc.backoff, pod, tc.podStatus)
+			}
+
+			inBackOff, msg, err := m.doBackOff(tCtx, pod, container, tc.podStatus, tc.backoff)
+			assert.Equal(t, tc.expectedInBackOff, inBackOff)
+			assert.Equal(t, tc.expectedError, err)
+			if tc.expectedInBackOff {
+				assert.NotEmpty(t, msg)
+			} else {
+				assert.Empty(t, msg)
+			}
+		})
+	}
+}
+
+func TestCmpActuatedAllocated(t *testing.T) {
+	tests := []struct {
+		name               string
+		actuatedResources  *v1.ResourceRequirements
+		allocatedResources *v1.ResourceRequirements
+		cpuMemoryequal     bool
+	}{
+		{
+			name:               "both nil",
+			actuatedResources:  nil,
+			allocatedResources: nil,
+			cpuMemoryequal:     true,
+		},
+		{
+			name:               "actuated nil and allocated empty",
+			actuatedResources:  nil,
+			allocatedResources: &v1.ResourceRequirements{},
+			cpuMemoryequal:     true,
+		},
+		{
+			name:               "actuated empty allocated nil",
+			actuatedResources:  &v1.ResourceRequirements{},
+			allocatedResources: nil,
+			cpuMemoryequal:     true,
+		},
+		{
+			name: "actuated empty and allocated empty",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{},
+				Limits:   v1.ResourceList{},
+			},
+			allocatedResources: &v1.ResourceRequirements{},
+			cpuMemoryequal:     true,
+		},
+		{
+			name:              "actuated empty and allocated requests limits empty",
+			actuatedResources: &v1.ResourceRequirements{},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{},
+				Limits:   v1.ResourceList{},
+			},
+			cpuMemoryequal: true,
+		},
+		{
+			name:              "actuated empty and allocated request limits nil",
+			actuatedResources: &v1.ResourceRequirements{},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: nil,
+				Limits:   nil,
+			},
+			cpuMemoryequal: true,
+		},
+		{
+			name: "actuated requests limits nil and allocated empty",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: nil,
+				Limits:   nil,
+			},
+			allocatedResources: &v1.ResourceRequirements{},
+			cpuMemoryequal:     true,
+		},
+		{
+			name: "actuated requests limits nil and allocated requests non-nil",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: nil,
+				Limits:   nil,
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("10m"),
+				},
+				Limits: nil,
+			},
+		},
+		{
+			name: "actuated requests limits nil and allocated requests non-nil limits nil",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: nil,
+				Limits:   nil,
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: nil,
+			},
+		},
+		{
+			name: "actuated requests non-nil limits nil and allocated requests non-nil limits nil",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: nil,
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: nil,
+			},
+			cpuMemoryequal: true,
+		},
+		{
+			name: "actuated requests non-nil limits nil and allocated requests nil limits non-nil",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: nil,
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: nil,
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+			},
+		},
+		{
+			name: "actuated equals allocated",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("20Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("20m"),
+				},
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("20Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("20m"),
+				},
+			},
+			cpuMemoryequal: true,
+		},
+		{
+			name: "actuated equals allocated for resizable resources",
+			actuatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("20Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("20m"),
+				},
+			},
+			allocatedResources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("20Mi"),
+					v1.ResourceCPU:    resource.MustParse("10m"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("20m"),
+				},
+			},
+			cpuMemoryequal: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			gotEqual := cpuMemoryResourcesEqual(test.actuatedResources, test.allocatedResources)
+			assert.Equal(t, test.cpuMemoryequal, gotEqual)
+		})
+	}
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index d4bd23398a41e..0b9293c780d88 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -116,7 +116,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(ctx context.Context
 
 	portMappings := []*runtimeapi.PortMapping{}
 	for _, c := range pod.Spec.Containers {
-		containerPortMappings := kubecontainer.MakePortMappings(&c)
+		containerPortMappings := kubecontainer.MakePortMappings(logger, &c)
 
 		for idx := range containerPortMappings {
 			port := containerPortMappings[idx]
diff --git a/pkg/kubelet/lifecycle/handlers.go b/pkg/kubelet/lifecycle/handlers.go
index da14ba3d1b41b..9ff769a648ea0 100644
--- a/pkg/kubelet/lifecycle/handlers.go
+++ b/pkg/kubelet/lifecycle/handlers.go
@@ -23,15 +23,15 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"strconv"
 	"strings"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/intstr"
+	versionutil "k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -47,6 +47,9 @@ const (
 
 	AppArmorNotAdmittedReason          = "AppArmor"
 	PodLevelResourcesNotAdmittedReason = "PodLevelResourcesNotSupported"
+
+	// Reasons for pod features admission failure
+	PodFeatureUnsupported = "PodFeatureUnsupported"
 )
 
 type handlerRunner struct {
@@ -79,7 +82,7 @@ func (hr *handlerRunner) Run(ctx context.Context, containerID kubecontainer.Cont
 		output, err := hr.commandRunner.RunInContainer(ctx, containerID, handler.Exec.Command, 0)
 		if err != nil {
 			msg = fmt.Sprintf("Exec lifecycle hook (%v) for Container %q in Pod %q failed - error: %v, message: %q", handler.Exec.Command, container.Name, format.Pod(pod), err, string(output))
-			logger.V(1).Error(err, "Exec lifecycle hook for Container in Pod failed", "execCommand", handler.Exec.Command, "containerName", container.Name, "pod", klog.KObj(pod), "message", string(output))
+			logger.V(1).Info("Exec lifecycle hook for Container in Pod failed", "execCommand", handler.Exec.Command, "containerName", container.Name, "pod", klog.KObj(pod), "message", string(output), "err", err)
 		}
 		return msg, err
 	case handler.HTTPGet != nil:
@@ -87,7 +90,7 @@ func (hr *handlerRunner) Run(ctx context.Context, containerID kubecontainer.Cont
 		var msg string
 		if err != nil {
 			msg = fmt.Sprintf("HTTP lifecycle hook (%s) for Container %q in Pod %q failed - error: %v", handler.HTTPGet.Path, container.Name, format.Pod(pod), err)
-			logger.V(1).Error(err, "HTTP lifecycle hook for Container in Pod failed", "path", handler.HTTPGet.Path, "containerName", container.Name, "pod", klog.KObj(pod))
+			logger.V(1).Info("HTTP lifecycle hook for Container in Pod failed", "path", handler.HTTPGet.Path, "containerName", container.Name, "pod", klog.KObj(pod), "err", err)
 		}
 		return msg, err
 	case handler.Sleep != nil:
@@ -95,7 +98,7 @@ func (hr *handlerRunner) Run(ctx context.Context, containerID kubecontainer.Cont
 		var msg string
 		if err != nil {
 			msg = fmt.Sprintf("Sleep lifecycle hook (%d) for Container %q in Pod %q failed - error: %v", handler.Sleep.Seconds, container.Name, format.Pod(pod), err)
-			logger.V(1).Error(err, "Sleep lifecycle hook for Container in Pod failed", "sleepSeconds", handler.Sleep.Seconds, "containerName", container.Name, "pod", klog.KObj(pod))
+			logger.V(1).Info("Sleep lifecycle hook for Container in Pod failed", "sleepSeconds", handler.Sleep.Seconds, "containerName", container.Name, "pod", klog.KObj(pod), "err", err)
 		}
 		return msg, err
 	default:
@@ -106,29 +109,6 @@ func (hr *handlerRunner) Run(ctx context.Context, containerID kubecontainer.Cont
 	}
 }
 
-// resolvePort attempts to turn an IntOrString port reference into a concrete port number.
-// If portReference has an int value, it is treated as a literal, and simply returns that value.
-// If portReference is a string, an attempt is first made to parse it as an integer.  If that fails,
-// an attempt is made to find a port with the same name in the container spec.
-// If a port with the same name is found, it's ContainerPort value is returned.  If no matching
-// port is found, an error is returned.
-func resolvePort(portReference intstr.IntOrString, container *v1.Container) (int, error) {
-	if portReference.Type == intstr.Int {
-		return portReference.IntValue(), nil
-	}
-	portName := portReference.StrVal
-	port, err := strconv.Atoi(portName)
-	if err == nil {
-		return port, nil
-	}
-	for _, portSpec := range container.Ports {
-		if portSpec.Name == portName {
-			return int(portSpec.ContainerPort), nil
-		}
-	}
-	return -1, fmt.Errorf("couldn't find port: %v in %v", portReference, container)
-}
-
 func (hr *handlerRunner) runSleepHandler(ctx context.Context, seconds int64) error {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.PodLifecycleSleepAction) {
 		return nil
@@ -169,7 +149,7 @@ func (hr *handlerRunner) runHTTPHandler(ctx context.Context, pod *v1.Pod, contai
 	discardHTTPRespBody(resp)
 
 	if isHTTPResponseError(err) {
-		logger.V(1).Error(err, "HTTPS request to lifecycle hook got HTTP response, retrying with HTTP.", "pod", klog.KObj(pod), "host", req.URL.Host)
+		logger.V(1).Info("HTTPS request to lifecycle hook got HTTP response, retrying with HTTP.", "pod", klog.KObj(pod), "host", req.URL.Host, "err", err)
 
 		req := req.Clone(ctx)
 		req.URL.Scheme = "http"
@@ -256,3 +236,57 @@ type podFeaturesAdmitHandler struct{}
 func (h *podFeaturesAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
 	return isPodLevelResourcesSupported(attrs.Pod)
 }
+
+// declaredFeaturesAdmitHandler is a PodAdmitHandler that checks a pod's feature requirements.
+type declaredFeaturesAdmitHandler struct {
+	ndfFramework *ndf.Framework
+	ndfSet       ndf.FeatureSet
+	version      *versionutil.Version
+}
+
+// NewDeclaredFeaturesAdmitHandler returns a new features admit handler.
+func NewDeclaredFeaturesAdmitHandler(nodeDeclaredFeaturesHelper *ndf.Framework, nodeDeclaredFeaturesSet ndf.FeatureSet, version *versionutil.Version) PodAdmitHandler {
+	return &declaredFeaturesAdmitHandler{
+		ndfFramework: nodeDeclaredFeaturesHelper,
+		ndfSet:       nodeDeclaredFeaturesSet,
+		version:      version,
+	}
+}
+
+// Admit checks if a pod's feature requirements are met by the node.
+func (c *declaredFeaturesAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
+	pod := attrs.Pod
+
+	podInfo := &ndf.PodInfo{Spec: &pod.Spec, Status: &pod.Status}
+	reqs, err := c.ndfFramework.InferForPodScheduling(podInfo, c.version)
+	if err != nil {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  PodFeatureUnsupported,
+			Message: fmt.Sprintf("Failed to infer pod's feature requirements: %v", err),
+		}
+	}
+
+	if reqs.Len() == 0 {
+		return PodAdmitResult{Admit: true}
+	}
+
+	matchResult, err := ndf.MatchNodeFeatureSet(reqs, c.ndfSet)
+	if err != nil {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  PodFeatureUnsupported,
+			Message: fmt.Sprintf("Failed to match pod's feature requirements against the node: %v", err),
+		}
+	}
+
+	if !matchResult.IsMatch {
+		return PodAdmitResult{
+			Admit:   false,
+			Reason:  PodFeatureUnsupported,
+			Message: fmt.Sprintf("Pod requires node features that are not available: %s", strings.Join(matchResult.UnsatisfiedRequirements, ", ")),
+		}
+	}
+
+	return PodAdmitResult{Admit: true}
+}
diff --git a/pkg/kubelet/lifecycle/handlers_test.go b/pkg/kubelet/lifecycle/handlers_test.go
index 3e48303889c98..d4441054f5f00 100644
--- a/pkg/kubelet/lifecycle/handlers_test.go
+++ b/pkg/kubelet/lifecycle/handlers_test.go
@@ -29,59 +29,24 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
-func TestResolvePort(t *testing.T) {
-	for _, testCase := range []struct {
-		container  *v1.Container
-		stringPort string
-		expected   int
-	}{
-		{
-			stringPort: "foo",
-			container: &v1.Container{
-				Ports: []v1.ContainerPort{{Name: "foo", ContainerPort: int32(80)}},
-			},
-			expected: 80,
-		},
-		{
-			container:  &v1.Container{},
-			stringPort: "80",
-			expected:   80,
-		},
-		{
-			container: &v1.Container{
-				Ports: []v1.ContainerPort{
-					{Name: "bar", ContainerPort: int32(80)},
-				},
-			},
-			stringPort: "foo",
-			expected:   -1,
-		},
-	} {
-		port, err := resolvePort(intstr.FromString(testCase.stringPort), testCase.container)
-		if testCase.expected != -1 && err != nil {
-			t.Fatalf("unexpected error while resolving port: %s", err)
-		}
-		if testCase.expected == -1 && err == nil {
-			t.Errorf("expected error when a port fails to resolve")
-		}
-		if testCase.expected != port {
-			t.Errorf("failed to resolve port, expected %d, got %d", testCase.expected, port)
-		}
-	}
-}
-
 type fakeContainerCommandRunner struct {
 	Cmd []string
 	ID  kubecontainer.ContainerID
@@ -873,3 +838,88 @@ func TestRunSleepHandler(t *testing.T) {
 		})
 	}
 }
+
+func TestDeclaredFeaturesAdmitHandler(t *testing.T) {
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-pod",
+		},
+	}
+	createMockFeature := func(t *testing.T, name string, inferForSched bool, maxVersionStr string) *ndftesting.MockFeature {
+		m := ndftesting.NewMockFeature(t)
+		m.EXPECT().Name().Return(name).Maybe()
+		m.EXPECT().InferForScheduling(mock.Anything).Return(inferForSched).Maybe()
+		if maxVersionStr != "" {
+			maxVersionStr := version.MustParseSemantic(maxVersionStr)
+			m.EXPECT().MaxVersion().Return(maxVersionStr).Maybe()
+		} else {
+			m.EXPECT().MaxVersion().Return(nil).Maybe()
+		}
+		return m
+	}
+	testCases := []struct {
+		name                 string
+		nodeDeclaredFeatures []string
+		version              *version.Version
+		registeredFeatures   []ndf.Feature
+		expectedAdmit        bool
+		expectedReason       string
+		expectedMessage      string
+	}{
+		{
+			name:                 "Admit: no requirements",
+			nodeDeclaredFeatures: []string{"FeatureA"},
+			version:              version.MustParseSemantic("1.30.0"),
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "FeatureA", true, ""),
+			},
+			expectedAdmit: true,
+		},
+		{
+			name:                 "Admit: requirements met",
+			nodeDeclaredFeatures: []string{"FeatureA"},
+			version:              version.MustParseSemantic("1.30.0"),
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "FeatureA", true, ""),
+			},
+			expectedAdmit: true,
+		},
+		{
+			name:                 "Reject: requirements not met",
+			nodeDeclaredFeatures: []string{},
+			version:              version.MustParseSemantic("1.30.0"),
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "FeatureA", true, ""),
+			},
+			expectedAdmit:   false,
+			expectedReason:  PodFeatureUnsupported,
+			expectedMessage: "Pod requires node features that are not available: FeatureA",
+		},
+		{
+			name:                 "Admit without feature declared - feature generally available",
+			nodeDeclaredFeatures: []string{},
+			version:              version.MustParseSemantic("1.35.0"),
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "FeatureA", true, "1.34.0"),
+			},
+			expectedAdmit: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			framework, err := ndf.New(tc.registeredFeatures)
+			require.NoError(t, err)
+			handler := NewDeclaredFeaturesAdmitHandler(framework, ndf.NewFeatureSet(tc.nodeDeclaredFeatures...), tc.version)
+			attrs := &PodAdmitAttributes{Pod: pod}
+
+			result := handler.Admit(attrs)
+
+			require.Equal(t, tc.expectedAdmit, result.Admit)
+			if !result.Admit {
+				require.Equal(t, tc.expectedReason, result.Reason)
+				require.Contains(t, result.Message, tc.expectedMessage, "Expected message '%s' to contain '%s'", result.Message, tc.expectedMessage)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/lifecycle/predicate.go b/pkg/kubelet/lifecycle/predicate.go
index 8ea89d6e928bb..62c9c30008067 100644
--- a/pkg/kubelet/lifecycle/predicate.go
+++ b/pkg/kubelet/lifecycle/predicate.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/kubernetes/pkg/scheduler"
 	schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeaffinity"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/tainttoleration"
 	"k8s.io/utils/ptr"
 )
@@ -86,7 +87,7 @@ const (
 	OutOfPods             = "OutOfpods"
 )
 
-type getNodeAnyWayFuncType func() (*v1.Node, error)
+type getNodeAnyWayFuncType func(ctx context.Context, useCache bool) (*v1.Node, error)
 
 type pluginResourceUpdateFuncType func(*schedulerframework.NodeInfo, *PodAdmitAttributes) error
 
@@ -119,7 +120,7 @@ func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
 	// contextual logging
 	ctx := context.TODO()
 	logger := klog.FromContext(ctx)
-	node, err := w.getNodeAnyWayFunc()
+	node, err := w.getNodeAnyWayFunc(ctx, true)
 	if err != nil {
 		logger.Error(err, "Cannot get Node info")
 		return PodAdmitResult{
@@ -182,7 +183,7 @@ func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
 	// the Resource Class API in the future.
 	podWithoutMissingExtendedResources := removeMissingExtendedResources(admitPod, nodeInfo)
 
-	reasons := generalFilter(podWithoutMissingExtendedResources, nodeInfo)
+	reasons := w.generalFilter(ctx, podWithoutMissingExtendedResources, nodeInfo)
 	fit := len(reasons) == 0
 	if !fit {
 		reasons, err = w.admissionFailureHandler.HandleAdmissionFailure(ctx, admitPod, reasons)
@@ -247,6 +248,32 @@ func (w *predicateAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
 	}
 }
 
+// generalFilter checks a group of filterings that the kubelet cares about.
+func (w *predicateAdmitHandler) generalFilter(ctx context.Context, pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) []PredicateFailureReason {
+	logger := klog.FromContext(ctx)
+
+	reasons := generalFilter(logger, pod, nodeInfo)
+	for _, r := range reasons {
+		if r.GetReason() != nodeaffinity.ErrReasonPod {
+			return reasons
+		}
+	}
+	if len(reasons) > 0 {
+		// If the only reason for failure is the node affinity labels, fetch the node synchronously
+		// and try again.
+
+		node, err := w.getNodeAnyWayFunc(ctx, false)
+		if err != nil {
+			logger.Error(err, "Failed to synchronously fetch node info")
+			return reasons
+		}
+		nodeInfo.SetNode(node)
+		reasons = generalFilter(logger, pod, nodeInfo)
+	}
+
+	return reasons
+}
+
 // rejectPodAdmissionBasedOnOSSelector rejects pod if it's nodeSelector doesn't match
 // We expect the kubelet status reconcile which happens every 10sec to update the node labels if there is a mismatch.
 func rejectPodAdmissionBasedOnOSSelector(pod *v1.Pod, node *v1.Node) bool {
@@ -387,7 +414,7 @@ func (e *PredicateFailureError) GetReason() string {
 }
 
 // generalFilter checks a group of filterings that the kubelet cares about.
-func generalFilter(pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) []PredicateFailureReason {
+func generalFilter(logger klog.Logger, pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) []PredicateFailureReason {
 	admissionResults := scheduler.AdmissionCheck(pod, nodeInfo, true)
 	var reasons []PredicateFailureReason
 	for _, r := range admissionResults {
@@ -405,10 +432,10 @@ func generalFilter(pod *v1.Pod, nodeInfo *schedulerframework.NodeInfo) []Predica
 
 	// Check taint/toleration except for static pods
 	if !types.IsStaticPod(pod) {
-		_, isUntolerated := corev1.FindMatchingUntoleratedTaint(nodeInfo.Node().Spec.Taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
+		_, isUntolerated := corev1.FindMatchingUntoleratedTaint(logger, nodeInfo.Node().Spec.Taints, pod.Spec.Tolerations, func(t *v1.Taint) bool {
 			// Kubelet is only interested in the NoExecute taint.
 			return t.Effect == v1.TaintEffectNoExecute
-		})
+		}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators))
 		if isUntolerated {
 			reasons = append(reasons, &PredicateFailureError{tainttoleration.Name, tainttoleration.ErrReasonNotMatch})
 		}
diff --git a/pkg/kubelet/lifecycle/predicate_test.go b/pkg/kubelet/lifecycle/predicate_test.go
index 80a85a0256842..477b1debb2f86 100644
--- a/pkg/kubelet/lifecycle/predicate_test.go
+++ b/pkg/kubelet/lifecycle/predicate_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package lifecycle
 
 import (
+	"context"
 	goruntime "runtime"
 	"testing"
 
@@ -30,6 +31,7 @@ import (
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/kubelet/types"
 	schedulerframework "k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeaffinity"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodename"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeports"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/tainttoleration"
@@ -189,11 +191,12 @@ func newPodWithPort(hostPorts ...int) *v1.Pod {
 
 func TestGeneralPredicates(t *testing.T) {
 	resourceTests := []struct {
-		pod      *v1.Pod
-		nodeInfo *schedulerframework.NodeInfo
-		node     *v1.Node
-		name     string
-		reasons  []PredicateFailureReason
+		pod        *v1.Pod
+		nodeInfo   *schedulerframework.NodeInfo
+		cachedNode *v1.Node
+		syncNode   *v1.Node
+		name       string
+		reasons    []PredicateFailureReason
 	}{
 		{
 			pod: &v1.Pod{},
@@ -202,7 +205,7 @@ func TestGeneralPredicates(t *testing.T) {
 					v1.ResourceCPU:    *resource.NewMilliQuantity(9, resource.DecimalSI),
 					v1.ResourceMemory: *resource.NewQuantity(19, resource.BinarySI),
 				})),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
 			},
@@ -218,7 +221,7 @@ func TestGeneralPredicates(t *testing.T) {
 					v1.ResourceCPU:    *resource.NewMilliQuantity(5, resource.DecimalSI),
 					v1.ResourceMemory: *resource.NewQuantity(19, resource.BinarySI),
 				})),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
 			},
@@ -235,7 +238,7 @@ func TestGeneralPredicates(t *testing.T) {
 				},
 			},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
 			},
@@ -245,7 +248,7 @@ func TestGeneralPredicates(t *testing.T) {
 		{
 			pod:      newPodWithPort(123),
 			nodeInfo: schedulerframework.NewNodeInfo(newPodWithPort(123)),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
 			},
@@ -262,7 +265,7 @@ func TestGeneralPredicates(t *testing.T) {
 				},
 			},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Spec: v1.NodeSpec{
 					Taints: []v1.Taint{
@@ -277,7 +280,7 @@ func TestGeneralPredicates(t *testing.T) {
 		{
 			pod:      &v1.Pod{},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Spec: v1.NodeSpec{
 					Taints: []v1.Taint{
@@ -291,7 +294,7 @@ func TestGeneralPredicates(t *testing.T) {
 		{
 			pod:      &v1.Pod{},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Spec: v1.NodeSpec{
 					Taints: []v1.Taint{
@@ -306,7 +309,7 @@ func TestGeneralPredicates(t *testing.T) {
 		{
 			pod:      &v1.Pod{},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Spec: v1.NodeSpec{
 					Taints: []v1.Taint{
@@ -326,7 +329,7 @@ func TestGeneralPredicates(t *testing.T) {
 				},
 			},
 			nodeInfo: schedulerframework.NewNodeInfo(),
-			node: &v1.Node{
+			cachedNode: &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
 				Spec: v1.NodeSpec{
 					Taints: []v1.Taint{
@@ -338,11 +341,197 @@ func TestGeneralPredicates(t *testing.T) {
 			},
 			name: "static pods ignore taints",
 		},
+		{
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						types.ConfigSourceAnnotationKey: types.FileSource,
+					},
+				},
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{
+								NodeSelectorTerms: []v1.NodeSelectorTerm{
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{
+												Key:      "foo",
+												Operator: v1.NodeSelectorOpExists,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			nodeInfo: schedulerframework.NewNodeInfo(),
+			cachedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
+				Spec:       v1.NodeSpec{},
+				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			syncNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
+				Spec:       v1.NodeSpec{},
+				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			name: "node affinity failure",
+			reasons: []PredicateFailureReason{
+				&PredicateFailureError{nodeaffinity.Name, nodeaffinity.ErrReasonPod},
+			},
+		},
+		{
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						types.ConfigSourceAnnotationKey: types.FileSource,
+					},
+				},
+				Spec: v1.PodSpec{
+					NodeName: "some-node-name",
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{
+								NodeSelectorTerms: []v1.NodeSelectorTerm{
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{
+												Key:      "foo",
+												Operator: v1.NodeSelectorOpExists,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			nodeInfo: schedulerframework.NewNodeInfo(),
+			cachedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
+				Spec:       v1.NodeSpec{},
+				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			syncNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "machine1",
+					Labels: map[string]string{
+						"foo": "bar",
+					},
+				},
+				Spec:   v1.NodeSpec{},
+				Status: v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			name: "node affinity failure on cached node and node name doesn't match",
+			// Ensure that both reasons are returned, because we do not fetch the node synchronously on multiple failures.
+			reasons: []PredicateFailureReason{
+				&PredicateFailureError{nodeaffinity.Name, nodeaffinity.ErrReasonPod},
+				&PredicateFailureError{nodename.Name, nodename.ErrReason},
+			},
+		},
+		{
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						types.ConfigSourceAnnotationKey: types.FileSource,
+					},
+				},
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{
+								NodeSelectorTerms: []v1.NodeSelectorTerm{
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{
+												Key:      "foo",
+												Operator: v1.NodeSelectorOpExists,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			nodeInfo: schedulerframework.NewNodeInfo(),
+			cachedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
+				Spec:       v1.NodeSpec{},
+				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			syncNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "machine1",
+					Labels: map[string]string{
+						"foo": "bar",
+					},
+				},
+				Spec:   v1.NodeSpec{},
+				Status: v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			name: "node affinity failure on cached node, but not the fresh one",
+		},
+		{
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						types.ConfigSourceAnnotationKey: types.FileSource,
+					},
+				},
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{
+								NodeSelectorTerms: []v1.NodeSelectorTerm{
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{
+												Key:      "foo",
+												Operator: v1.NodeSelectorOpExists,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			nodeInfo: schedulerframework.NewNodeInfo(),
+			cachedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "machine1",
+					Labels: map[string]string{
+						"foo": "bar",
+					},
+				},
+				Spec:   v1.NodeSpec{},
+				Status: v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			syncNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "machine1"},
+				Spec:       v1.NodeSpec{},
+				Status:     v1.NodeStatus{Capacity: makeResources(10, 20, 32, 0, 0, 0), Allocatable: makeAllocatableResources(10, 20, 32, 0, 0, 0)},
+			},
+			name: "node affinity failure on fresh node, but not the cached one",
+		},
 	}
 	for _, test := range resourceTests {
 		t.Run(test.name, func(t *testing.T) {
-			test.nodeInfo.SetNode(test.node)
-			reasons := generalFilter(test.pod, test.nodeInfo)
+			test.nodeInfo.SetNode(test.cachedNode)
+			w := &predicateAdmitHandler{getNodeAnyWayFunc: func(ctx context.Context, useCache bool) (*v1.Node, error) {
+				if useCache {
+					return test.cachedNode, nil
+				}
+				return test.syncNode, nil
+			}}
+			reasons := w.generalFilter(context.Background(), test.pod, test.nodeInfo)
 			if diff := cmp.Diff(test.reasons, reasons); diff != "" {
 				t.Errorf("unexpected failure reasons (-want, +got):\n%s", diff)
 			}
diff --git a/pkg/kubelet/logs/container_log_manager.go b/pkg/kubelet/logs/container_log_manager.go
index a3e5f46d9c6af..9e93fb195b72e 100644
--- a/pkg/kubelet/logs/container_log_manager.go
+++ b/pkg/kubelet/logs/container_log_manager.go
@@ -54,7 +54,7 @@ const (
 // Implementation is thread-safe.
 type ContainerLogManager interface {
 	// Start container log manager.
-	Start()
+	Start(ctx context.Context)
 	// Clean removes all logs of specified container.
 	Clean(ctx context.Context, containerID string) error
 }
@@ -141,9 +141,9 @@ func NewContainerLogManager(runtimeService internalapi.RuntimeService, osInterfa
 }
 
 // Start the container log manager.
-func (c *containerLogManager) Start() {
-	ctx := context.Background()
-	klog.InfoS("Initializing container log rotate workers", "workers", c.maxWorkers, "monitorPeriod", c.monitoringPeriod)
+func (c *containerLogManager) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
+	logger.Info("Initializing container log rotate workers", "workers", c.maxWorkers, "monitorPeriod", c.monitoringPeriod)
 	for i := 0; i < c.maxWorkers; i++ {
 		worker := i + 1
 		go c.processQueueItems(ctx, worker)
@@ -151,7 +151,7 @@ func (c *containerLogManager) Start() {
 	// Start a goroutine periodically does container log rotation.
 	go wait.Forever(func() {
 		if err := c.rotateLogs(ctx); err != nil {
-			klog.ErrorS(err, "Failed to rotate container logs")
+			logger.Error(err, "Failed to rotate container logs")
 		}
 	}, c.monitoringPeriod.Duration)
 }
@@ -183,16 +183,19 @@ func (c *containerLogManager) Clean(ctx context.Context, containerID string) err
 }
 
 func (c *containerLogManager) processQueueItems(ctx context.Context, worker int) {
-	klog.V(4).InfoS("Starting container log rotation worker", "workerID", worker)
+	logger := klog.FromContext(ctx)
+	logger.V(4).Info("Starting container log rotation worker", "workerID", worker)
 	for c.processContainer(ctx, worker) {
 	}
-	klog.V(4).InfoS("Terminating container log rotation worker", "workerID", worker)
+	logger.V(4).Info("Terminating container log rotation worker", "workerID", worker)
 }
 
 func (c *containerLogManager) rotateLogs(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
 	c.mutex.Lock()
 	defer c.mutex.Unlock()
-	klog.V(4).InfoS("Starting container log rotation sequence")
+	logger.V(4).Info("Starting container log rotation sequence")
+	// TODO(#59998): Use kubelet pod cache.
 	containers, err := c.runtimeService.ListContainers(ctx, &runtimeapi.ContainerFilter{})
 	if err != nil {
 		return fmt.Errorf("failed to list containers: %w", err)
@@ -204,8 +207,8 @@ func (c *containerLogManager) rotateLogs(ctx context.Context) error {
 			continue
 		}
 		// Doing this to avoid additional overhead with logging of label like arguments that can prove costly
-		if v := klog.V(4); v.Enabled() {
-			klog.V(4).InfoS("Adding new entry to the queue for processing", "id", container.GetId(), "name", container.Metadata.GetName(), "labels", container.GetLabels())
+		if v := logger.V(4); v.Enabled() {
+			logger.V(4).Info("Adding new entry to the queue for processing", "id", container.GetId(), "name", container.Metadata.GetName(), "labels", container.GetLabels())
 		}
 		c.queue.Add(container.GetId())
 	}
@@ -224,14 +227,14 @@ func (c *containerLogManager) processContainer(ctx context.Context, worker int)
 	// Always default the return to true to keep the processing of Queue ongoing
 	ok = true
 	id := key
-
+	logger := klog.FromContext(ctx)
 	resp, err := c.runtimeService.ContainerStatus(ctx, id, false)
 	if err != nil {
-		klog.ErrorS(err, "Failed to get container status", "worker", worker, "containerID", id)
+		logger.Error(err, "Failed to get container status", "worker", worker, "containerID", id)
 		return
 	}
 	if resp.GetStatus() == nil {
-		klog.ErrorS(err, "Container status is nil", "worker", worker, "containerID", id)
+		logger.Error(err, "Container status is nil", "worker", worker, "containerID", id)
 		return
 	}
 	path := resp.GetStatus().GetLogPath()
@@ -239,28 +242,28 @@ func (c *containerLogManager) processContainer(ctx context.Context, worker int)
 
 	if err != nil {
 		if !os.IsNotExist(err) {
-			klog.ErrorS(err, "Failed to stat container log", "worker", worker, "containerID", id, "path", path)
+			logger.Error(err, "Failed to stat container log", "worker", worker, "containerID", id, "path", path)
 			return
 		}
 
 		if err = c.runtimeService.ReopenContainerLog(ctx, id); err != nil {
-			klog.ErrorS(err, "Container log doesn't exist, reopen container log failed", "worker", worker, "containerID", id, "path", path)
+			logger.Error(err, "Container log doesn't exist, reopen container log failed", "worker", worker, "containerID", id, "path", path)
 			return
 		}
 
 		info, err = c.osInterface.Stat(path)
 		if err != nil {
-			klog.ErrorS(err, "Failed to stat container log after reopen", "worker", worker, "containerID", id, "path", path)
+			logger.Error(err, "Failed to stat container log after reopen", "worker", worker, "containerID", id, "path", path)
 			return
 		}
 	}
 	if info.Size() < c.policy.MaxSize {
-		klog.V(7).InfoS("log file doesn't need to be rotated", "worker", worker, "containerID", id, "path", path, "currentSize", info.Size(), "maxSize", c.policy.MaxSize)
+		logger.V(7).Info("log file doesn't need to be rotated", "worker", worker, "containerID", id, "path", path, "currentSize", info.Size(), "maxSize", c.policy.MaxSize)
 		return
 	}
 
 	if err := c.rotateLog(ctx, id, path); err != nil {
-		klog.ErrorS(err, "Failed to rotate log for container", "worker", worker, "containerID", id, "path", path, "currentSize", info.Size(), "maxSize", c.policy.MaxSize)
+		logger.Error(err, "Failed to rotate log for container", "worker", worker, "containerID", id, "path", path, "currentSize", info.Size(), "maxSize", c.policy.MaxSize)
 		return
 	}
 	return
@@ -411,6 +414,7 @@ func (c *containerLogManager) compressLog(log string) error {
 // rotateLatestLog rotates latest log without compression, so that container can still write
 // and fluentd can finish reading.
 func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log string) error {
+	logger := klog.FromContext(ctx)
 	timestamp := c.clock.Now().Format(timestampFormat)
 	rotated := fmt.Sprintf("%s.%s", log, timestamp)
 	if err := c.osInterface.Rename(log, rotated); err != nil {
@@ -424,7 +428,7 @@ func (c *containerLogManager) rotateLatestLog(ctx context.Context, id, log strin
 			// This shouldn't happen.
 			// Report an error if this happens, because we will lose original
 			// log.
-			klog.ErrorS(renameErr, "Failed to rename rotated log", "rotatedLog", rotated, "newLog", log, "containerID", id)
+			logger.Error(renameErr, "Failed to rename rotated log", "rotatedLog", rotated, "newLog", log, "containerID", id)
 		}
 		return fmt.Errorf("failed to reopen container log %q: %w", id, err)
 	}
diff --git a/pkg/kubelet/logs/container_log_manager_stub.go b/pkg/kubelet/logs/container_log_manager_stub.go
index f0a2ef9fdf26a..80d684224bc55 100644
--- a/pkg/kubelet/logs/container_log_manager_stub.go
+++ b/pkg/kubelet/logs/container_log_manager_stub.go
@@ -20,7 +20,7 @@ import "context"
 
 type containerLogManagerStub struct{}
 
-func (*containerLogManagerStub) Start() {}
+func (*containerLogManagerStub) Start(ctx context.Context) {}
 
 func (*containerLogManagerStub) Clean(ctx context.Context, containerID string) error {
 	return nil
diff --git a/pkg/kubelet/logs/container_log_manager_test.go b/pkg/kubelet/logs/container_log_manager_test.go
index 3760d1c727f56..dbb69b828b0dd 100644
--- a/pkg/kubelet/logs/container_log_manager_test.go
+++ b/pkg/kubelet/logs/container_log_manager_test.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/test/utils/ktesting"
 
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	critest "k8s.io/cri-api/pkg/apis/testing"
@@ -77,7 +78,7 @@ func TestGetAllLogs(t *testing.T) {
 }
 
 func TestRotateLogs(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	dir, err := os.MkdirTemp("", "test-rotate-logs")
 	require.NoError(t, err)
 	defer os.RemoveAll(dir)
@@ -160,12 +161,12 @@ func TestRotateLogs(t *testing.T) {
 	f.SetFakeContainers(testContainers)
 
 	// Push the items into the queue for before starting the worker to avoid issue with the queue being empty.
-	require.NoError(t, c.rotateLogs(ctx))
+	require.NoError(t, c.rotateLogs(tCtx))
 
 	// Start a routine that can monitor the queue and shutdown the queue to trigger the retrun from the processQueueItems
 	// Keeping the monitor duration smaller in order to keep the unwanted delay in the test to a minimal.
 	go func() {
-		pollTimeoutCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+		pollTimeoutCtx, cancel := context.WithTimeout(tCtx, 10*time.Second)
 		defer cancel()
 		err = wait.PollUntilContextCancel(pollTimeoutCtx, 5*time.Millisecond, false, func(ctx context.Context) (done bool, err error) {
 			return c.queue.Len() == 0, nil
@@ -176,7 +177,7 @@ func TestRotateLogs(t *testing.T) {
 		c.queue.ShutDown()
 	}()
 	// This is a blocking call. But the above routine takes care of ensuring that this is terminated once the queue is shutdown
-	c.processQueueItems(ctx, 1)
+	c.processQueueItems(tCtx, 1)
 
 	timestamp := now.Format(timestampFormat)
 	logs, err := os.ReadDir(dir)
@@ -190,7 +191,7 @@ func TestRotateLogs(t *testing.T) {
 }
 
 func TestClean(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	dir, err := os.MkdirTemp("", "test-clean")
 	require.NoError(t, err)
 	defer os.RemoveAll(dir)
@@ -256,7 +257,7 @@ func TestClean(t *testing.T) {
 	}
 	f.SetFakeContainers(testContainers)
 
-	err = c.Clean(ctx, "container-3")
+	err = c.Clean(tCtx, "container-3")
 	require.NoError(t, err)
 
 	logs, err := os.ReadDir(dir)
@@ -387,7 +388,7 @@ func TestCompressLog(t *testing.T) {
 }
 
 func TestRotateLatestLog(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	dir, err := os.MkdirTemp("", "test-rotate-latest-log")
 	require.NoError(t, err)
 	defer os.RemoveAll(dir)
@@ -438,7 +439,7 @@ func TestRotateLatestLog(t *testing.T) {
 		defer testFile.Close()
 		testLog := testFile.Name()
 		rotatedLog := fmt.Sprintf("%s.%s", testLog, now.Format(timestampFormat))
-		err = c.rotateLatestLog(ctx, "test-id", testLog)
+		err = c.rotateLatestLog(tCtx, "test-id", testLog)
 		assert.Equal(t, test.expectError, err != nil)
 		_, err = os.Stat(testLog)
 		assert.Equal(t, test.expectOriginal, err == nil)
diff --git a/pkg/kubelet/metrics/collectors/cri_metrics.go b/pkg/kubelet/metrics/collectors/cri_metrics.go
index 8736eb9e3197c..f8fd35e74d3f9 100644
--- a/pkg/kubelet/metrics/collectors/cri_metrics.go
+++ b/pkg/kubelet/metrics/collectors/cri_metrics.go
@@ -41,7 +41,8 @@ var _ metrics.StableCollector = &criMetricsCollector{}
 func NewCRIMetricsCollector(ctx context.Context, listPodSandboxMetricsFn func(context.Context) ([]*runtimeapi.PodSandboxMetrics, error), listMetricDescriptorsFn func(context.Context) ([]*runtimeapi.MetricDescriptor, error)) metrics.StableCollector {
 	descs, err := listMetricDescriptorsFn(ctx)
 	if err != nil {
-		klog.ErrorS(err, "Error reading MetricDescriptors")
+		logger := klog.FromContext(ctx)
+		logger.Error(err, "Error reading MetricDescriptors")
 		return &criMetricsCollector{
 			listPodSandboxMetricsFn: listPodSandboxMetricsFn,
 		}
@@ -68,22 +69,26 @@ func (c *criMetricsCollector) DescribeWithStability(ch chan<- *metrics.Desc) {
 // Collect implements the metrics.CollectWithStability interface.
 // TODO(haircommander): would it be better if these were processed async?
 func (c *criMetricsCollector) CollectWithStability(ch chan<- metrics.Metric) {
-	podMetrics, err := c.listPodSandboxMetricsFn(context.Background())
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	podMetrics, err := c.listPodSandboxMetricsFn(ctx)
 	if err != nil {
-		klog.ErrorS(err, "Failed to get pod metrics")
+		logger.Error(err, "Failed to get pod metrics")
 		return
 	}
 
 	for _, podMetric := range podMetrics {
 		for _, metric := range podMetric.GetMetrics() {
-			promMetric, err := c.criMetricToProm(metric)
+			promMetric, err := c.criMetricToProm(logger, metric)
 			if err == nil {
 				ch <- promMetric
 			}
 		}
 		for _, ctrMetric := range podMetric.GetContainerMetrics() {
 			for _, metric := range ctrMetric.GetMetrics() {
-				promMetric, err := c.criMetricToProm(metric)
+				promMetric, err := c.criMetricToProm(logger, metric)
 				if err == nil {
 					ch <- promMetric
 				}
@@ -98,11 +103,11 @@ func criDescToProm(m *runtimeapi.MetricDescriptor) *metrics.Desc {
 	return metrics.NewDesc(m.Name, m.Help, m.LabelKeys, nil, metrics.INTERNAL, "")
 }
 
-func (c *criMetricsCollector) criMetricToProm(m *runtimeapi.Metric) (metrics.Metric, error) {
+func (c *criMetricsCollector) criMetricToProm(logger klog.Logger, m *runtimeapi.Metric) (metrics.Metric, error) {
 	desc, ok := c.descriptors[m.Name]
 	if !ok {
 		err := fmt.Errorf("error converting CRI Metric to prometheus format")
-		klog.V(5).ErrorS(err, "Descriptor not present in pre-populated list of descriptors", "name", m.Name)
+		logger.V(5).Info("Descriptor not present in pre-populated list of descriptors", "name", m.Name, "err", err)
 		return nil, err
 	}
 
@@ -110,7 +115,7 @@ func (c *criMetricsCollector) criMetricToProm(m *runtimeapi.Metric) (metrics.Met
 
 	pm, err := metrics.NewConstMetric(desc, typ, float64(m.GetValue().Value), m.LabelValues...)
 	if err != nil {
-		klog.ErrorS(err, "Error getting CRI prometheus metric", "descriptor", desc.String())
+		logger.Error(err, "Error getting CRI prometheus metric", "descriptor", desc.String())
 		return nil, err
 	}
 	// If Timestamp is 0, then the runtime did not cache the result.
diff --git a/pkg/kubelet/metrics/collectors/log_metrics.go b/pkg/kubelet/metrics/collectors/log_metrics.go
index 4b2237fbbadd0..1443557a1f66f 100644
--- a/pkg/kubelet/metrics/collectors/log_metrics.go
+++ b/pkg/kubelet/metrics/collectors/log_metrics.go
@@ -63,9 +63,13 @@ func (c *logMetricsCollector) DescribeWithStability(ch chan<- *metrics.Desc) {
 
 // CollectWithStability implements the metrics.StableCollector interface.
 func (c *logMetricsCollector) CollectWithStability(ch chan<- metrics.Metric) {
-	podStats, err := c.podStats(context.Background())
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
+	podStats, err := c.podStats(ctx)
 	if err != nil {
-		klog.ErrorS(err, "Failed to get pod stats")
+		logger.Error(err, "Failed to get pod stats")
 		return
 	}
 
diff --git a/pkg/kubelet/metrics/collectors/podcertificate_metrics.go b/pkg/kubelet/metrics/collectors/podcertificate_metrics.go
new file mode 100644
index 0000000000000..ecebe43464920
--- /dev/null
+++ b/pkg/kubelet/metrics/collectors/podcertificate_metrics.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package collectors
+
+import (
+	"k8s.io/component-base/metrics"
+	kubeletmetrics "k8s.io/kubernetes/pkg/kubelet/metrics"
+	"k8s.io/kubernetes/pkg/kubelet/podcertificate"
+)
+
+var (
+	// A gauge vector (implemented by a custom collector) reporting the current
+	// number of pod certificate projected volume sources being maintained by
+	// this kubelet instance.
+	podCertificateStatesDesc = metrics.NewDesc(
+		metrics.BuildFQName("", kubeletmetrics.KubeletSubsystem, kubeletmetrics.PodCertificateStatesKey),
+		"Gauge vector reporting the number of pod certificate projected volume sources, faceted by signer_name and state.",
+		[]string{"signer_name", "state"},
+		nil,
+		metrics.ALPHA,
+		"",
+	)
+)
+
+type podCertificateCollector struct {
+	metrics.BaseStableCollector
+	manager podcertificate.Manager
+}
+
+func PodCertificateCollectorFor(m podcertificate.Manager) *podCertificateCollector {
+	return &podCertificateCollector{
+		manager: m,
+	}
+}
+
+func (c *podCertificateCollector) DescribeWithStability(ch chan<- *metrics.Desc) {
+	ch <- podCertificateStatesDesc
+}
+
+func (c *podCertificateCollector) CollectWithStability(ch chan<- metrics.Metric) {
+	report := c.manager.MetricReport()
+
+	for k, count := range report.PodCertificateStates {
+		ch <- metrics.NewLazyConstMetric(
+			podCertificateStatesDesc,
+			metrics.GaugeValue,
+			float64(count),
+			k.SignerName,
+			k.State,
+		)
+	}
+}
diff --git a/pkg/kubelet/metrics/collectors/podcertificate_metrics_test.go b/pkg/kubelet/metrics/collectors/podcertificate_metrics_test.go
new file mode 100644
index 0000000000000..364fbfca5a3d5
--- /dev/null
+++ b/pkg/kubelet/metrics/collectors/podcertificate_metrics_test.go
@@ -0,0 +1,82 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package collectors
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/component-base/metrics/testutil"
+	"k8s.io/kubernetes/pkg/kubelet/podcertificate"
+)
+
+type fakePodCertificateManager struct {
+	report *podcertificate.MetricReport
+}
+
+func (m *fakePodCertificateManager) TrackPod(ctx context.Context, pod *corev1.Pod)  {}
+func (m *fakePodCertificateManager) ForgetPod(ctx context.Context, pod *corev1.Pod) {}
+func (m *fakePodCertificateManager) GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) (privKey []byte, certChain []byte, err error) {
+	return nil, nil, fmt.Errorf("unimplemented")
+}
+func (m *fakePodCertificateManager) MetricReport() *podcertificate.MetricReport {
+	return m.report
+}
+
+func TestPodCertificateCollector(t *testing.T) {
+	collector := &podCertificateCollector{
+		manager: &fakePodCertificateManager{
+			report: &podcertificate.MetricReport{
+				PodCertificateStates: map[podcertificate.SignerAndState]int{
+					{SignerName: "example.com/foo", State: "fresh"}:               1,
+					{SignerName: "example.com/foo", State: "overdue_for_refresh"}: 1,
+					{SignerName: "example.com/foo", State: "expired"}:             0,
+					{SignerName: "example.com/bar", State: "fresh"}:               2,
+					{SignerName: "example.com/bar", State: "overdue_for_refresh"}: 0,
+					{SignerName: "example.com/bar", State: "expired"}:             1,
+				},
+			},
+		},
+	}
+
+	// Fixed metadata on type and help text. We prepend this to every expected
+	// output so we only have to modify a single place when doing adjustments.
+	const metadata = `
+		# HELP kubelet_podcertificate_states [ALPHA] Gauge vector reporting the number of pod certificate projected volume sources, faceted by signer_name and state.
+		# TYPE kubelet_podcertificate_states gauge
+		`
+
+	want := metadata + `
+			kubelet_podcertificate_states{signer_name="example.com/foo",state="fresh"} 1.0
+			kubelet_podcertificate_states{signer_name="example.com/foo",state="overdue_for_refresh"} 1.0
+			kubelet_podcertificate_states{signer_name="example.com/foo",state="expired"} 0.0
+			kubelet_podcertificate_states{signer_name="example.com/bar",state="fresh"} 2.0
+			kubelet_podcertificate_states{signer_name="example.com/bar",state="overdue_for_refresh"} 0.0
+			kubelet_podcertificate_states{signer_name="example.com/bar",state="expired"} 1.0
+			`
+
+	metrics := []string{
+		"kubelet_podcertificate_states",
+	}
+
+	if err := testutil.CustomCollectAndCompare(collector, strings.NewReader(want), metrics...); err != nil {
+		t.Errorf("unexpected collecting result:\n%s", err)
+	}
+}
diff --git a/pkg/kubelet/metrics/collectors/resource_metrics.go b/pkg/kubelet/metrics/collectors/resource_metrics.go
index dff6a812a04f6..39a8c940f5fe8 100644
--- a/pkg/kubelet/metrics/collectors/resource_metrics.go
+++ b/pkg/kubelet/metrics/collectors/resource_metrics.go
@@ -157,7 +157,9 @@ func (rc *resourceMetricsCollector) DescribeWithStability(ch chan<- *metrics.Des
 // leak metric collectors for containers or pods that no longer exist.  Instead, implement
 // custom collector in a way that only collects metrics for active containers.
 func (rc *resourceMetricsCollector) CollectWithStability(ch chan<- metrics.Metric) {
-	ctx := context.Background()
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
 	var errorCount float64
 	defer func() {
 		ch <- metrics.NewLazyConstMetric(resourceScrapeResultDesc, metrics.GaugeValue, errorCount)
@@ -165,8 +167,9 @@ func (rc *resourceMetricsCollector) CollectWithStability(ch chan<- metrics.Metri
 	}()
 	statsSummary, err := rc.provider.GetCPUAndMemoryStats(ctx)
 	if err != nil {
+		logger := klog.FromContext(ctx)
 		errorCount = 1
-		klog.ErrorS(err, "Error getting summary for resourceMetric prometheus endpoint")
+		logger.Error(err, "Error getting summary for resourceMetric prometheus endpoint")
 		return
 	}
 
@@ -210,7 +213,7 @@ func (rc *resourceMetricsCollector) collectNodeSwapMetrics(ch chan<- metrics.Met
 		return
 	}
 
-	ch <- metrics.NewLazyMetricWithTimestamp(s.Memory.Time.Time,
+	ch <- metrics.NewLazyMetricWithTimestamp(s.Swap.Time.Time,
 		metrics.NewLazyConstMetric(nodeSwapUsageDesc, metrics.GaugeValue, float64(*s.Swap.SwapUsageBytes)))
 }
 
diff --git a/pkg/kubelet/metrics/collectors/resource_metrics_test.go b/pkg/kubelet/metrics/collectors/resource_metrics_test.go
index 40953dd0abf1c..212b818b69a5f 100644
--- a/pkg/kubelet/metrics/collectors/resource_metrics_test.go
+++ b/pkg/kubelet/metrics/collectors/resource_metrics_test.go
@@ -33,7 +33,9 @@ import (
 func TestCollectResourceMetrics(t *testing.T) {
 	// a static timestamp: 2021-06-23 05:11:18.302091597 +0800
 	staticTimestamp := time.Unix(0, 1624396278302091597)
+	swapTimestamp := staticTimestamp.Add(10 * time.Second)
 	testTime := metav1.NewTime(staticTimestamp)
+	swapTestTime := metav1.NewTime(swapTimestamp)
 	interestedMetrics := []string{
 		"scrape_error",
 		"resource_scrape_error",
@@ -106,6 +108,43 @@ func TestCollectResourceMetrics(t *testing.T) {
 				resource_scrape_error 0
 			`,
 		},
+		{
+			name: "node metrics with different timestamps",
+			summary: &statsapi.Summary{
+				Node: statsapi.NodeStats{
+					CPU: &statsapi.CPUStats{
+						Time:                 testTime,
+						UsageCoreNanoSeconds: ptr.To[uint64](10000000000),
+					},
+					Memory: &statsapi.MemoryStats{
+						Time:            testTime,
+						WorkingSetBytes: ptr.To[uint64](1000),
+					},
+					Swap: &statsapi.SwapStats{
+						Time:           swapTestTime,
+						SwapUsageBytes: ptr.To[uint64](500),
+					},
+				},
+			},
+			summaryErr: nil,
+			expectedMetrics: `
+				# HELP node_cpu_usage_seconds_total [STABLE] Cumulative cpu time consumed by the node in core-seconds
+				# TYPE node_cpu_usage_seconds_total counter
+				node_cpu_usage_seconds_total 10 1624396278302
+				# HELP node_memory_working_set_bytes [STABLE] Current working set of the node in bytes
+				# TYPE node_memory_working_set_bytes gauge
+				node_memory_working_set_bytes 1000 1624396278302
+				# HELP node_swap_usage_bytes [ALPHA] Current swap usage of the node in bytes. Reported only on non-windows systems
+				# TYPE node_swap_usage_bytes gauge
+				node_swap_usage_bytes 500 1624396288302
+				# HELP scrape_error [ALPHA] 1 if there was an error while getting container metrics, 0 otherwise
+				# TYPE scrape_error gauge
+				scrape_error 0
+				# HELP resource_scrape_error [STABLE] 1 if there was an error while getting container metrics, 0 otherwise
+				# TYPE resource_scrape_error gauge
+				resource_scrape_error 0
+			`,
+		},
 		{
 			name: "nil node metrics",
 			summary: &statsapi.Summary{
@@ -410,7 +449,7 @@ func TestCollectResourceMetrics(t *testing.T) {
 	for _, test := range tests {
 		tc := test
 		t.Run(tc.name, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := context.TODO()
 			provider := summaryprovidertest.NewMockSummaryProvider(t)
 			provider.EXPECT().GetCPUAndMemoryStats(ctx).Return(tc.summary, tc.summaryErr).Maybe()
 			collector := NewResourceMetricsCollector(provider)
diff --git a/pkg/kubelet/metrics/collectors/volume_stats.go b/pkg/kubelet/metrics/collectors/volume_stats.go
index b139cf5eaecb1..6b8aaac51ec7f 100644
--- a/pkg/kubelet/metrics/collectors/volume_stats.go
+++ b/pkg/kubelet/metrics/collectors/volume_stats.go
@@ -98,7 +98,9 @@ func (collector *volumeStatsCollector) DescribeWithStability(ch chan<- *metrics.
 
 // CollectWithStability implements the metrics.StableCollector interface.
 func (collector *volumeStatsCollector) CollectWithStability(ch chan<- metrics.Metric) {
-	ctx := context.Background()
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
 	podStats, err := collector.statsProvider.ListPodStats(ctx)
 	if err != nil {
 		return
diff --git a/pkg/kubelet/metrics/collectors/volume_stats_test.go b/pkg/kubelet/metrics/collectors/volume_stats_test.go
index 73bc1541610e9..f0caf19672ada 100644
--- a/pkg/kubelet/metrics/collectors/volume_stats_test.go
+++ b/pkg/kubelet/metrics/collectors/volume_stats_test.go
@@ -29,7 +29,7 @@ import (
 )
 
 func TestVolumeStatsCollector(t *testing.T) {
-	ctx := context.Background()
+	ctx := context.TODO()
 	// Fixed metadata on type and help text. We prepend this to every expected
 	// output so we only have to modify a single place when doing adjustments.
 	const metadata = `
@@ -148,7 +148,7 @@ func TestVolumeStatsCollector(t *testing.T) {
 }
 
 func TestVolumeStatsCollectorWithNullVolumeStatus(t *testing.T) {
-	ctx := context.Background()
+	ctx := context.TODO()
 	// Fixed metadata on type and help text. We prepend this to every expected
 	// output so we only have to modify a single place when doing adjustments.
 	const metadata = `
diff --git a/pkg/kubelet/metrics/metrics.go b/pkg/kubelet/metrics/metrics.go
index d960989d2bd17..7ae4c1b669a2f 100644
--- a/pkg/kubelet/metrics/metrics.go
+++ b/pkg/kubelet/metrics/metrics.go
@@ -136,7 +136,7 @@ const (
 	// Metric for tracking garbage collected images
 	ImageGarbageCollectedTotalKey = "image_garbage_collected_total"
 
-	// Metric for tracking aligment of compute resources
+	// Metric for tracking alignment of compute resources
 	ContainerAlignedComputeResourcesNameKey          = "container_aligned_compute_resources_count"
 	ContainerAlignedComputeResourcesFailureNameKey   = "container_aligned_compute_resources_failure_count"
 	ContainerAlignedComputeResourcesScopeLabelKey    = "scope"
@@ -176,6 +176,9 @@ const (
 	PodInfeasibleResizesKey          = "pod_infeasible_resizes_total"
 	PodInProgressResizesKey          = "pod_in_progress_resizes"
 	PodDeferredAcceptedResizesKey    = "pod_deferred_accepted_resizes_total"
+
+	// Metric key for podcertificate states.
+	PodCertificateStatesKey = "podcertificate_states"
 )
 
 type imageSizeBucket struct {
@@ -924,7 +927,7 @@ var (
 		},
 	)
 
-	// TopologyManagerAdmissionDuration is a Histogram that tracks the duration (in seconds) to serve a pod admission request.
+	// TopologyManagerAdmissionDuration is a Histogram that tracks the duration (in milliseconds) to serve a pod admission request.
 	TopologyManagerAdmissionDuration = metrics.NewHistogram(
 		&metrics.HistogramOpts{
 			Subsystem:      KubeletSubsystem,
@@ -944,7 +947,7 @@ var (
 			StabilityLevel: metrics.ALPHA,
 		},
 	)
-	// OrphanPodCleanedVolumes is number of times that removeOrphanedPodVolumeDirs failed.
+	// OrphanPodCleanedVolumesErrors is the number of times that removeOrphanedPodVolumeDirs failed.
 	OrphanPodCleanedVolumesErrors = metrics.NewGauge(
 		&metrics.GaugeOpts{
 			Subsystem:      KubeletSubsystem,
@@ -1075,7 +1078,8 @@ var (
 		[]string{"driver_name", "method_name", "grpc_status_code"},
 	)
 
-	DRAResourceClaimsInUseDesc = metrics.NewDesc(DRASubsystem+"_resource_claims_in_use",
+	DRAResourceClaimsInUseDesc = metrics.NewDesc(
+		metrics.BuildFQName("", DRASubsystem, "resource_claims_in_use"),
 		"The number of ResourceClaims that are currently in use on the node, by driver name (driver_name label value) and across all drivers (special value <any> for driver_name). Note that the sum of all by-driver counts is not the total number of in-use ResourceClaims because the same ResourceClaim might use devices from different drivers. Instead, use the count for the <any> driver_name.",
 		[]string{"driver_name"},
 		nil,
@@ -1094,13 +1098,13 @@ var (
 		[]string{"reason"},
 	)
 
-	// ImageVolumeRequestedTotal trakcs the number of requested image volumes.
+	// ImageVolumeRequestedTotal tracks the number of requested image volumes.
 	ImageVolumeRequestedTotal = metrics.NewCounter(
 		&metrics.CounterOpts{
 			Subsystem:      KubeletSubsystem,
 			Name:           ImageVolumeRequestedTotalKey,
 			Help:           "Number of requested image volumes.",
-			StabilityLevel: metrics.ALPHA,
+			StabilityLevel: metrics.BETA,
 		},
 	)
 
@@ -1110,7 +1114,7 @@ var (
 			Subsystem:      KubeletSubsystem,
 			Name:           ImageVolumeMountedSucceedTotalKey,
 			Help:           "Number of successful image volume mounts.",
-			StabilityLevel: metrics.ALPHA,
+			StabilityLevel: metrics.BETA,
 		},
 	)
 
@@ -1120,7 +1124,7 @@ var (
 			Subsystem:      KubeletSubsystem,
 			Name:           ImageVolumeMountedErrorsTotalKey,
 			Help:           "Number of failed image volume mounts.",
-			StabilityLevel: metrics.ALPHA,
+			StabilityLevel: metrics.BETA,
 		},
 	)
 
diff --git a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux.go b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux.go
index 5b1f2f5aa0530..8a78f874cb94b 100644
--- a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux.go
+++ b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux.go
@@ -27,6 +27,7 @@ import (
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
@@ -191,15 +192,38 @@ func (m *managerImpl) start() (chan struct{}, error) {
 			return nil, err
 		}
 
-		// Read the current inhibitDelay again, if the override was successful, currentInhibitDelay will be equal to shutdownGracePeriodRequested.
-		updatedInhibitDelay, err := m.dbusCon.CurrentInhibitDelay()
+		// The ReloadLogindConf call is asynchronous. Poll with exponential backoff until the configuration is updated.
+		backoff := wait.Backoff{
+			Duration: 100 * time.Millisecond,
+			Factor:   2.0,
+			Steps:    5,
+		}
+		var updatedInhibitDelay time.Duration
+		attempt := 0
+		err = wait.ExponentialBackoff(backoff, func() (bool, error) {
+			attempt += 1
+			// Read the current inhibitDelay again, if the override was successful, currentInhibitDelay will be equal to shutdownGracePeriodRequested.
+			updatedInhibitDelay, err = m.dbusCon.CurrentInhibitDelay()
+			if err != nil {
+				return false, err
+			}
+			if periodRequested <= updatedInhibitDelay {
+				return true, nil
+			}
+			if attempt < backoff.Steps {
+				m.logger.V(3).Info("InhibitDelayMaxSec still less than requested, retrying", "attempt", attempt, "current", updatedInhibitDelay, "requested", periodRequested)
+			}
+			return false, nil
+		})
 		if err != nil {
-			return nil, err
+			if !wait.Interrupted(err) {
+				return nil, err
+			}
+			if periodRequested > updatedInhibitDelay {
+				return nil, fmt.Errorf("node shutdown manager was timed out after %d attempts waiting for logind InhibitDelayMaxSec to update to %v (ShutdownGracePeriod), current value is %v", attempt, periodRequested, updatedInhibitDelay)
+			}
 		}
 
-		if periodRequested > updatedInhibitDelay {
-			return nil, fmt.Errorf("node shutdown manager was unable to update logind InhibitDelayMaxSec to %v (ShutdownGracePeriod), current value of InhibitDelayMaxSec (%v) is less than requested ShutdownGracePeriod", periodRequested, updatedInhibitDelay)
-		}
 	}
 
 	err = m.acquireInhibitLock()
diff --git a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux_test.go b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux_test.go
index 85ef3aeb9f454..9662d7f4c27c8 100644
--- a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux_test.go
+++ b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux_test.go
@@ -278,7 +278,7 @@ func TestManager(t *testing.T) {
 			overrideSystemInhibitDelay:       time.Duration(5 * time.Second),
 			expectedDidOverrideInhibitDelay:  true,
 			expectedPodToGracePeriodOverride: map[string]int64{"normal-pod-nil-grace-period": 5, "critical-pod-nil-grace-period": 0},
-			expectedError:                    fmt.Errorf("unable to update logind InhibitDelayMaxSec to 30s (ShutdownGracePeriod), current value of InhibitDelayMaxSec (5s) is less than requested ShutdownGracePeriod"),
+			expectedError:                    fmt.Errorf("node shutdown manager was timed out after 5 attempts waiting for logind InhibitDelayMaxSec to update to 30s (ShutdownGracePeriod), current value is 5s"),
 		},
 		{
 			desc:                            "override unsuccessful, zero time",
@@ -287,7 +287,7 @@ func TestManager(t *testing.T) {
 			shutdownGracePeriodCriticalPods: time.Duration(5 * time.Second),
 			systemInhibitDelay:              time.Duration(0 * time.Second),
 			overrideSystemInhibitDelay:      time.Duration(0 * time.Second),
-			expectedError:                   fmt.Errorf("unable to update logind InhibitDelayMaxSec to 5s (ShutdownGracePeriod), current value of InhibitDelayMaxSec (0s) is less than requested ShutdownGracePeriod"),
+			expectedError:                   fmt.Errorf("node shutdown manager was timed out after 5 attempts waiting for logind InhibitDelayMaxSec to update to 5s (ShutdownGracePeriod), current value is 0s"),
 		},
 		{
 			desc:                             "no override, all time to critical pods",
@@ -335,7 +335,7 @@ func TestManager(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.GracefulNodeShutdown, true)
 
 			fakeRecorder := &record.FakeRecorder{}
-			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 			nodeRef := &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 			manager := NewManager(&Config{
 				Logger:                          logger,
@@ -439,7 +439,7 @@ func TestFeatureEnabled(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.GracefulNodeShutdown, tc.featureGateEnabled)
 
 			fakeRecorder := &record.FakeRecorder{}
-			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 			nodeRef := &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 
 			manager := NewManager(&Config{
@@ -496,7 +496,7 @@ func TestRestart(t *testing.T) {
 	}
 
 	fakeRecorder := &record.FakeRecorder{}
-	fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+	fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 	nodeRef := &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 	manager := NewManager(&Config{
 		Logger:                          logger,
@@ -534,7 +534,7 @@ func TestRestart(t *testing.T) {
 func Test_managerImpl_processShutdownEvent(t *testing.T) {
 	var (
 		fakeRecorder      = &record.FakeRecorder{}
-		fakeVolumeManager = volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+		fakeVolumeManager = volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 		syncNodeStatus    = func() {}
 		nodeRef           = &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 		fakeclock         = testingclock.NewFakeClock(time.Now())
@@ -651,7 +651,7 @@ func Test_processShutdownEvent_VolumeUnmountTimeout(t *testing.T) {
 		[]v1.UniqueVolumeName{},
 		3*time.Second, // This value is intentionally longer than the shutdownGracePeriodSeconds (2s) to test the behavior
 		// for volume unmount operations that take longer than the allowed grace period.
-		fmt.Errorf("unmount timeout"),
+		fmt.Errorf("unmount timeout"), false,
 	)
 	logger := ktesting.NewLogger(t, ktesting.NewConfig(ktesting.BufferLogs(true)))
 	m := &managerImpl{
diff --git a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_windows_test.go b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_windows_test.go
index 02946a04c70fc..f0598a7025e4e 100644
--- a/pkg/kubelet/nodeshutdown/nodeshutdown_manager_windows_test.go
+++ b/pkg/kubelet/nodeshutdown/nodeshutdown_manager_windows_test.go
@@ -81,7 +81,7 @@ func TestFeatureEnabled(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.WindowsGracefulNodeShutdown, tc.featureGateEnabled)
 
 			fakeRecorder := &record.FakeRecorder{}
-			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+			fakeVolumeManager := volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 			nodeRef := &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 
 			manager := NewManager(&Config{
@@ -104,7 +104,7 @@ func TestFeatureEnabled(t *testing.T) {
 func Test_managerImpl_ProcessShutdownEvent(t *testing.T) {
 	var (
 		fakeRecorder      = &record.FakeRecorder{}
-		fakeVolumeManager = volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil)
+		fakeVolumeManager = volumemanager.NewFakeVolumeManager([]v1.UniqueVolumeName{}, 0, nil, false)
 		syncNodeStatus    = func() {}
 		nodeRef           = &v1.ObjectReference{Kind: "Node", Name: "test", UID: types.UID("test"), Namespace: ""}
 		fakeclock         = testingclock.NewFakeClock(time.Now())
@@ -201,7 +201,7 @@ func Test_managerImpl_ProcessShutdownEvent(t *testing.T) {
 					[]v1.UniqueVolumeName{},
 					3*time.Second, // This value is intentionally longer than the shutdownGracePeriodSeconds (2s) to test the behavior
 					// for volume unmount operations that take longer than the allowed grace period.
-					fmt.Errorf("unmount timeout"),
+					fmt.Errorf("unmount timeout"), false,
 				),
 				shutdownGracePeriodByPodPriority: []kubeletconfig.ShutdownGracePeriodByPodPriority{
 					{
diff --git a/pkg/kubelet/nodestatus/setters.go b/pkg/kubelet/nodestatus/setters.go
index 24728267a302d..4a22a830febf7 100644
--- a/pkg/kubelet/nodestatus/setters.go
+++ b/pkg/kubelet/nodestatus/setters.go
@@ -81,17 +81,18 @@ func NodeAddress(nodeIPs []net.IP, // typically Kubelet.nodeIPs
 	secondaryNodeIPSpecified := secondaryNodeIP != nil && !secondaryNodeIP.IsUnspecified()
 
 	return func(ctx context.Context, node *v1.Node) error {
+		logger := klog.FromContext(ctx)
 		if nodeIPSpecified {
 			if err := validateNodeIPFunc(nodeIP); err != nil {
 				return fmt.Errorf("failed to validate nodeIP: %v", err)
 			}
-			klog.V(4).InfoS("Using node IP", "IP", nodeIP.String())
+			logger.V(4).Info("Using node IP", "IP", nodeIP.String())
 		}
 		if secondaryNodeIPSpecified {
 			if err := validateNodeIPFunc(secondaryNodeIP); err != nil {
 				return fmt.Errorf("failed to validate secondaryNodeIP: %v", err)
 			}
-			klog.V(4).InfoS("Using secondary node IP", "IP", secondaryNodeIP.String())
+			logger.V(4).Info("Using secondary node IP", "IP", secondaryNodeIP.String())
 		}
 
 		if externalCloudProvider && nodeIPSpecified {
@@ -202,6 +203,7 @@ func MachineInfo(nodeName string,
 	localStorageCapacityIsolation bool,
 ) Setter {
 	return func(ctx context.Context, node *v1.Node) error {
+		logger := klog.FromContext(ctx)
 		// Note: avoid blindly overwriting the capacity in case opaque
 		//       resources are being advertised.
 		if node.Status.Capacity == nil {
@@ -221,7 +223,7 @@ func MachineInfo(nodeName string,
 			node.Status.Capacity[v1.ResourceCPU] = *resource.NewMilliQuantity(0, resource.DecimalSI)
 			node.Status.Capacity[v1.ResourceMemory] = resource.MustParse("0Gi")
 			node.Status.Capacity[v1.ResourcePods] = *resource.NewQuantity(int64(maxPods), resource.DecimalSI)
-			klog.ErrorS(err, "Error getting machine info")
+			logger.Error(err, "Error getting machine info")
 		} else {
 			node.Status.NodeInfo.MachineID = info.MachineID
 			node.Status.NodeInfo.SystemUUID = info.SystemUUID
@@ -263,13 +265,13 @@ func MachineInfo(nodeName string,
 			devicePluginCapacity, devicePluginAllocatable, removedDevicePlugins = devicePluginResourceCapacityFunc()
 			for k, v := range devicePluginCapacity {
 				if old, ok := node.Status.Capacity[k]; !ok || old.Value() != v.Value() {
-					klog.V(2).InfoS("Updated capacity for device plugin", "plugin", k, "capacity", v.Value())
+					logger.V(2).Info("Updated capacity for device plugin", "plugin", k, "capacity", v.Value())
 				}
 				node.Status.Capacity[k] = v
 			}
 
 			for _, removedResource := range removedDevicePlugins {
-				klog.V(2).InfoS("Set capacity for removed resource to 0 on device removal", "device", removedResource)
+				logger.V(2).Info("Set capacity for removed resource to 0 on device removal", "device", removedResource)
 				// Set the capacity of the removed resource to 0 instead of
 				// removing the resource from the node status. This is to indicate
 				// that the resource is managed by device plugin and had been
@@ -315,7 +317,7 @@ func MachineInfo(nodeName string,
 
 		for k, v := range devicePluginAllocatable {
 			if old, ok := node.Status.Allocatable[k]; !ok || old.Value() != v.Value() {
-				klog.V(2).InfoS("Updated allocatable", "device", k, "allocatable", v.Value())
+				logger.V(2).Info("Updated allocatable", "device", k, "allocatable", v.Value())
 			}
 			node.Status.Allocatable[k] = v
 		}
@@ -540,7 +542,8 @@ func ReadyCondition(
 				recordEventFunc(v1.EventTypeNormal, events.NodeReady)
 			} else {
 				recordEventFunc(v1.EventTypeNormal, events.NodeNotReady)
-				klog.InfoS("Node became not ready", "node", klog.KObj(node), "condition", newNodeReadyCondition)
+				logger := klog.FromContext(ctx)
+				logger.Info("Node became not ready", "node", klog.KObj(node), "condition", newNodeReadyCondition)
 			}
 		}
 		return nil
diff --git a/pkg/kubelet/nodestatus/setters_test.go b/pkg/kubelet/nodestatus/setters_test.go
index 6e5971ed9afa6..c7f441a9dc3f5 100644
--- a/pkg/kubelet/nodestatus/setters_test.go
+++ b/pkg/kubelet/nodestatus/setters_test.go
@@ -47,6 +47,7 @@ import (
 	kubecontainertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	"k8s.io/kubernetes/pkg/kubelet/util/sliceutils"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	netutils "k8s.io/utils/net"
 	"k8s.io/utils/ptr"
 )
@@ -279,7 +280,7 @@ func TestNodeAddress(t *testing.T) {
 	}
 	for _, testCase := range cases {
 		t.Run(testCase.name, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			// testCase setup
 			existingNode := &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{
@@ -385,7 +386,7 @@ func TestNodeAddress_NoCloudProvider(t *testing.T) {
 	}
 	for _, testCase := range cases {
 		t.Run(testCase.name, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			// testCase setup
 			existingNode := &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname, Annotations: make(map[string]string)},
@@ -914,7 +915,7 @@ func TestMachineInfo(t *testing.T) {
 		}
 
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			machineInfoFunc := func() (*cadvisorapiv1.MachineInfo, error) {
 				return tc.machineInfo, tc.machineInfoError
 			}
@@ -1081,7 +1082,7 @@ func TestVersionInfo(t *testing.T) {
 		t.Run(tc.desc, func(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DisableNodeKubeProxyVersion, !tc.kubeProxyVersion)
 
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			versionInfoFunc := func() (*cadvisorapiv1.VersionInfo, error) {
 				return tc.versionInfo, tc.versionInfoError
 			}
@@ -1158,7 +1159,7 @@ func TestImages(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			imageListFunc := func() ([]kubecontainer.Image, error) {
 				// today, imageListFunc is expected to return a sorted list,
 				// but we may choose to sort in the setter at some future point
@@ -1324,7 +1325,7 @@ func TestReadyCondition(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			runtimeErrorsFunc := func() error {
 				return tc.runtimeErrors
 			}
@@ -1458,7 +1459,7 @@ func TestMemoryPressureCondition(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			events := []testEvent{}
 			recordEventFunc := func(eventType, event string) {
 				events = append(events, testEvent{
@@ -1580,7 +1581,7 @@ func TestPIDPressureCondition(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			events := []testEvent{}
 			recordEventFunc := func(eventType, event string) {
 				events = append(events, testEvent{
@@ -1702,7 +1703,7 @@ func TestDiskPressureCondition(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			events := []testEvent{}
 			recordEventFunc := func(eventType, event string) {
 				events = append(events, testEvent{
@@ -1763,7 +1764,7 @@ func TestVolumesInUse(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			syncedFunc := func() bool {
 				return tc.synced
 			}
@@ -1801,7 +1802,7 @@ func TestDaemonEndpoints(t *testing.T) {
 		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
-			ctx := context.Background()
+			ctx := ktesting.Init(t)
 			existingNode := &v1.Node{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: testKubeletHostname,
diff --git a/pkg/kubelet/pleg/generic.go b/pkg/kubelet/pleg/generic.go
index f89a6d02bd5e4..5db6ae40e4a5d 100644
--- a/pkg/kubelet/pleg/generic.go
+++ b/pkg/kubelet/pleg/generic.go
@@ -297,7 +297,7 @@ func (g *GenericPLEG) Relist() {
 		status, updated, err := g.updateCache(ctx, pod, pid)
 		if err != nil {
 			// Rely on updateCache calling GetPodStatus to log the actual error.
-			g.logger.V(4).Error(err, "PLEG: Ignoring events for pod", "pod", klog.KRef(pod.Namespace, pod.Name))
+			g.logger.V(4).Info("PLEG: Ignoring events for pod", "pod", klog.KRef(pod.Namespace, pod.Name), "err", err)
 
 			// make sure we try to reinspect the pod during the next relisting
 			needsReinspection[pid] = pod
diff --git a/pkg/kubelet/pluginmanager/cache/actual_state_of_world.go b/pkg/kubelet/pluginmanager/cache/actual_state_of_world.go
index cdaa42c0a3a73..c68c748bdc996 100644
--- a/pkg/kubelet/pluginmanager/cache/actual_state_of_world.go
+++ b/pkg/kubelet/pluginmanager/cache/actual_state_of_world.go
@@ -21,6 +21,7 @@ keep track of registered plugins.
 package cache
 
 import (
+	"context"
 	"fmt"
 	"sync"
 	"time"
@@ -47,7 +48,7 @@ type ActualStateOfWorld interface {
 	// because the plugin should have been unregistered in the reconciler and therefore
 	// removed from the actual state of world cache first before adding it back into
 	// the actual state of world cache again with the new timestamp
-	AddPlugin(pluginInfo PluginInfo) error
+	AddPlugin(ctx context.Context, pluginInfo PluginInfo) error
 
 	// RemovePlugin deletes the plugin with the given socket path from the actual
 	// state of world.
@@ -92,15 +93,17 @@ type PluginInfo struct {
 	Endpoint   string
 }
 
-func (asw *actualStateOfWorld) AddPlugin(pluginInfo PluginInfo) error {
+func (asw *actualStateOfWorld) AddPlugin(ctx context.Context, pluginInfo PluginInfo) error {
 	asw.Lock()
 	defer asw.Unlock()
 
+	logger := klog.FromContext(ctx)
+
 	if pluginInfo.SocketPath == "" {
 		return fmt.Errorf("socket path is empty")
 	}
 	if _, ok := asw.socketFileToInfo[pluginInfo.SocketPath]; ok {
-		klog.V(2).InfoS("Plugin exists in actual state cache", "path", pluginInfo.SocketPath)
+		logger.V(2).Info("Plugin exists in actual state cache", "path", pluginInfo.SocketPath)
 	}
 	asw.socketFileToInfo[pluginInfo.SocketPath] = pluginInfo
 	return nil
diff --git a/pkg/kubelet/pluginmanager/cache/actual_state_of_world_test.go b/pkg/kubelet/pluginmanager/cache/actual_state_of_world_test.go
index fcc463c4a74b8..b72e1041a3c64 100644
--- a/pkg/kubelet/pluginmanager/cache/actual_state_of_world_test.go
+++ b/pkg/kubelet/pluginmanager/cache/actual_state_of_world_test.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 // Calls AddPlugin() to add a plugin
@@ -30,6 +31,7 @@ import (
 // Verifies PluginExistsWithCorrectUUID returns true for the plugin
 // Verifies PluginExistsWithCorrectTimestamp returns true for the plugin (excluded on Windows)
 func Test_ASW_AddPlugin_Positive_NewPlugin(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	pluginInfo := PluginInfo{
 		SocketPath: "/var/lib/kubelet/device-plugins/test-plugin.sock",
 		Timestamp:  time.Now(),
@@ -38,7 +40,7 @@ func Test_ASW_AddPlugin_Positive_NewPlugin(t *testing.T) {
 		Name:       "test",
 	}
 	asw := NewActualStateOfWorld()
-	err := asw.AddPlugin(pluginInfo)
+	err := asw.AddPlugin(tCtx, pluginInfo)
 	// Assert
 	if err != nil {
 		t.Fatalf("AddPlugin failed. Expected: <no error> Actual: <%v>", err)
@@ -71,6 +73,7 @@ func Test_ASW_AddPlugin_Positive_NewPlugin(t *testing.T) {
 // Verifies PluginExistsWithCorrectUUID returns false
 // Verifies PluginExistsWithCorrectTimestamp returns false (excluded on Windows)
 func Test_ASW_AddPlugin_Negative_EmptySocketPath(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	asw := NewActualStateOfWorld()
 	pluginInfo := PluginInfo{
 		SocketPath: "",
@@ -79,7 +82,7 @@ func Test_ASW_AddPlugin_Negative_EmptySocketPath(t *testing.T) {
 		Handler:    nil,
 		Name:       "test",
 	}
-	err := asw.AddPlugin(pluginInfo)
+	err := asw.AddPlugin(tCtx, pluginInfo)
 	require.EqualError(t, err, "socket path is empty")
 
 	// Get registered plugins and check the newly added plugin is there
@@ -106,6 +109,7 @@ func Test_ASW_AddPlugin_Negative_EmptySocketPath(t *testing.T) {
 // Verifies PluginExistsWithCorrectUUID returns false
 // Verifies PluginExistsWithCorrectTimestamp returns false (excluded on Windows)
 func Test_ASW_RemovePlugin_Positive(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// First, add a plugin
 	asw := NewActualStateOfWorld()
 	pluginInfo := PluginInfo{
@@ -115,7 +119,7 @@ func Test_ASW_RemovePlugin_Positive(t *testing.T) {
 		Handler:    nil,
 		Name:       "test",
 	}
-	err := asw.AddPlugin(pluginInfo)
+	err := asw.AddPlugin(tCtx, pluginInfo)
 	// Assert
 	if err != nil {
 		t.Fatalf("AddPlugin failed. Expected: <no error> Actual: <%v>", err)
@@ -146,6 +150,7 @@ func Test_ASW_RemovePlugin_Positive(t *testing.T) {
 // Verifies PluginExistsWithCorrectUUID returns false for an existing
 // plugin with the wrong UUID
 func Test_ASW_PluginExistsWithCorrectUUID_Negative_WrongUUID(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// First, add a plugin
 	asw := NewActualStateOfWorld()
 	pluginInfo := PluginInfo{
@@ -155,7 +160,7 @@ func Test_ASW_PluginExistsWithCorrectUUID_Negative_WrongUUID(t *testing.T) {
 		Handler:    nil,
 		Name:       "test",
 	}
-	err := asw.AddPlugin(pluginInfo)
+	err := asw.AddPlugin(tCtx, pluginInfo)
 	// Assert
 	if err != nil {
 		t.Fatalf("AddPlugin failed. Expected: <no error> Actual: <%v>", err)
diff --git a/pkg/kubelet/pluginmanager/cache/desired_state_of_world.go b/pkg/kubelet/pluginmanager/cache/desired_state_of_world.go
index 90e38ddd736f9..6316724a55eb5 100644
--- a/pkg/kubelet/pluginmanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/pluginmanager/cache/desired_state_of_world.go
@@ -21,6 +21,7 @@ keep track of registered plugins.
 package cache
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"sync"
@@ -38,7 +39,7 @@ type DesiredStateOfWorld interface {
 	// AddOrUpdatePlugin add the given plugin in the cache if it doesn't already exist.
 	// If it does exist in the cache, then the timestamp of the PluginInfo object in the cache will be updated.
 	// An error will be returned if socketPath is empty.
-	AddOrUpdatePlugin(socketPath string) error
+	AddOrUpdatePlugin(ctx context.Context, socketPath string) error
 
 	// RemovePlugin deletes the plugin with the given socket path from the desired
 	// state of world.
@@ -122,15 +123,17 @@ func errSuffix(err error) string {
 	return errStr
 }
 
-func (dsw *desiredStateOfWorld) AddOrUpdatePlugin(socketPath string) error {
+func (dsw *desiredStateOfWorld) AddOrUpdatePlugin(ctx context.Context, socketPath string) error {
 	dsw.Lock()
 	defer dsw.Unlock()
 
+	logger := klog.FromContext(ctx)
+
 	if socketPath == "" {
 		return fmt.Errorf("socket path is empty")
 	}
 	if _, ok := dsw.socketFileToInfo[socketPath]; ok {
-		klog.V(2).InfoS("Plugin exists in desired state cache, timestamp will be updated", "path", socketPath)
+		logger.V(2).Info("Plugin exists in desired state cache, timestamp will be updated", "path", socketPath)
 	}
 
 	// Update the PluginInfo object.
diff --git a/pkg/kubelet/pluginmanager/cache/desired_state_of_world_test.go b/pkg/kubelet/pluginmanager/cache/desired_state_of_world_test.go
index 5b4f227c12e10..f6a302ae6dd2a 100644
--- a/pkg/kubelet/pluginmanager/cache/desired_state_of_world_test.go
+++ b/pkg/kubelet/pluginmanager/cache/desired_state_of_world_test.go
@@ -20,15 +20,17 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 // Calls AddOrUpdatePlugin() to add a plugin
 // Verifies newly added plugin exists in GetPluginsToRegister()
 // Verifies newly added plugin returns true for PluginExists()
 func Test_DSW_AddOrUpdatePlugin_Positive_NewPlugin(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	dsw := NewDesiredStateOfWorld()
 	socketPath := "/var/lib/kubelet/device-plugins/test-plugin.sock"
-	err := dsw.AddOrUpdatePlugin(socketPath)
+	err := dsw.AddOrUpdatePlugin(tCtx, socketPath)
 	// Assert
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
@@ -53,10 +55,11 @@ func Test_DSW_AddOrUpdatePlugin_Positive_NewPlugin(t *testing.T) {
 // Verifies the timestamp the existing plugin is updated
 // Verifies newly added plugin returns true for PluginExists()
 func Test_DSW_AddOrUpdatePlugin_Positive_ExistingPlugin(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	dsw := NewDesiredStateOfWorld()
 	socketPath := "/var/lib/kubelet/device-plugins/test-plugin.sock"
 	// Adding the plugin for the first time
-	err := dsw.AddOrUpdatePlugin(socketPath)
+	err := dsw.AddOrUpdatePlugin(tCtx, socketPath)
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
 	}
@@ -72,7 +75,7 @@ func Test_DSW_AddOrUpdatePlugin_Positive_ExistingPlugin(t *testing.T) {
 	oldUUID := dswPlugins[0].UUID
 
 	// Adding the plugin again so that the timestamp will be updated
-	err = dsw.AddOrUpdatePlugin(socketPath)
+	err = dsw.AddOrUpdatePlugin(tCtx, socketPath)
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
 	}
@@ -95,9 +98,10 @@ func Test_DSW_AddOrUpdatePlugin_Positive_ExistingPlugin(t *testing.T) {
 // Verifies the plugin does not exist in GetPluginsToRegister() after AddOrUpdatePlugin()
 // Verifies the plugin returns false for PluginExists()
 func Test_DSW_AddOrUpdatePlugin_Negative_PluginMissingInfo(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	dsw := NewDesiredStateOfWorld()
 	socketPath := ""
-	err := dsw.AddOrUpdatePlugin(socketPath)
+	err := dsw.AddOrUpdatePlugin(tCtx, socketPath)
 	require.EqualError(t, err, "socket path is empty")
 
 	// Get pluginsToRegister and check the newly added plugin is there
@@ -116,10 +120,11 @@ func Test_DSW_AddOrUpdatePlugin_Negative_PluginMissingInfo(t *testing.T) {
 // Verifies newly removed plugin no longer exists in GetPluginsToRegister()
 // Verifies newly removed plugin returns false for PluginExists()
 func Test_DSW_RemovePlugin_Positive(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// First, add a plugin
 	dsw := NewDesiredStateOfWorld()
 	socketPath := "/var/lib/kubelet/device-plugins/test-plugin.sock"
-	err := dsw.AddOrUpdatePlugin(socketPath)
+	err := dsw.AddOrUpdatePlugin(tCtx, socketPath)
 	// Assert
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
diff --git a/pkg/kubelet/pluginmanager/metrics/metrics_test.go b/pkg/kubelet/pluginmanager/metrics/metrics_test.go
index 700a6396636d3..751e9a81cd4cb 100644
--- a/pkg/kubelet/pluginmanager/metrics/metrics_test.go
+++ b/pkg/kubelet/pluginmanager/metrics/metrics_test.go
@@ -21,22 +21,24 @@ import (
 	"testing"
 
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestMetricCollection(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	asw := cache.NewActualStateOfWorld()
 	fakePlugin := cache.PluginInfo{
 		SocketPath: fmt.Sprintf("fake/path/plugin.sock"),
 	}
 	// Add one plugin to DesiredStateOfWorld
-	err := dsw.AddOrUpdatePlugin(fakePlugin.SocketPath)
+	err := dsw.AddOrUpdatePlugin(tCtx, fakePlugin.SocketPath)
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
 	}
 
 	// Add one plugin to ActualStateOfWorld
-	err = asw.AddPlugin(fakePlugin)
+	err = asw.AddPlugin(tCtx, fakePlugin)
 	if err != nil {
 		t.Fatalf("AddOrUpdatePlugin failed. Expected: <no error> Actual: <%v>", err)
 	}
diff --git a/pkg/kubelet/pluginmanager/operationexecutor/operation_executor.go b/pkg/kubelet/pluginmanager/operationexecutor/operation_executor.go
index a1bb6517e81d2..2330d85f4600f 100644
--- a/pkg/kubelet/pluginmanager/operationexecutor/operation_executor.go
+++ b/pkg/kubelet/pluginmanager/operationexecutor/operation_executor.go
@@ -21,6 +21,8 @@ limitations under the License.
 package operationexecutor
 
 import (
+	"context"
+
 	"k8s.io/apimachinery/pkg/types"
 
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
@@ -45,11 +47,11 @@ import (
 type OperationExecutor interface {
 	// RegisterPlugin registers the given plugin using a handler in the plugin handler map.
 	// It then updates the actual state of the world to reflect that.
-	RegisterPlugin(socketPath string, UUID types.UID, pluginHandlers map[string]cache.PluginHandler, actualStateOfWorld ActualStateOfWorldUpdater) error
+	RegisterPlugin(ctx context.Context, socketPath string, UUID types.UID, pluginHandlers map[string]cache.PluginHandler, actualStateOfWorld ActualStateOfWorldUpdater) error
 
 	// UnregisterPlugin deregisters the given plugin using a handler in the given plugin handler map.
 	// It then updates the actual state of the world to reflect that.
-	UnregisterPlugin(pluginInfo cache.PluginInfo, actualStateOfWorld ActualStateOfWorldUpdater) error
+	UnregisterPlugin(ctx context.Context, pluginInfo cache.PluginInfo, actualStateOfWorld ActualStateOfWorldUpdater) error
 }
 
 // NewOperationExecutor returns a new instance of OperationExecutor.
@@ -68,7 +70,7 @@ type ActualStateOfWorldUpdater interface {
 	// AddPlugin add the given plugin in the cache if no existing plugin
 	// in the cache has the same socket path.
 	// An error will be returned if socketPath is empty.
-	AddPlugin(pluginInfo cache.PluginInfo) error
+	AddPlugin(ctx context.Context, pluginInfo cache.PluginInfo) error
 
 	// RemovePlugin deletes the plugin with the given socket path from the actual
 	// state of world.
@@ -93,22 +95,24 @@ func (oe *operationExecutor) IsOperationPending(socketPath string) bool {
 }
 
 func (oe *operationExecutor) RegisterPlugin(
+	ctx context.Context,
 	socketPath string,
 	pluginUUID types.UID,
 	pluginHandlers map[string]cache.PluginHandler,
 	actualStateOfWorld ActualStateOfWorldUpdater) error {
 	generatedOperation :=
-		oe.operationGenerator.GenerateRegisterPluginFunc(socketPath, pluginUUID, pluginHandlers, actualStateOfWorld)
+		oe.operationGenerator.GenerateRegisterPluginFunc(ctx, socketPath, pluginUUID, pluginHandlers, actualStateOfWorld)
 
 	return oe.pendingOperations.Run(
 		socketPath, generatedOperation)
 }
 
 func (oe *operationExecutor) UnregisterPlugin(
+	ctx context.Context,
 	pluginInfo cache.PluginInfo,
 	actualStateOfWorld ActualStateOfWorldUpdater) error {
 	generatedOperation :=
-		oe.operationGenerator.GenerateUnregisterPluginFunc(pluginInfo, actualStateOfWorld)
+		oe.operationGenerator.GenerateUnregisterPluginFunc(ctx, pluginInfo, actualStateOfWorld)
 
 	return oe.pendingOperations.Run(
 		pluginInfo.SocketPath, generatedOperation)
diff --git a/pkg/kubelet/pluginmanager/operationexecutor/operation_executor_test.go b/pkg/kubelet/pluginmanager/operationexecutor/operation_executor_test.go
index 573146bc7d29c..f9e62c66ddc4c 100644
--- a/pkg/kubelet/pluginmanager/operationexecutor/operation_executor_test.go
+++ b/pkg/kubelet/pluginmanager/operationexecutor/operation_executor_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package operationexecutor
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strconv"
@@ -27,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
@@ -46,10 +48,10 @@ func init() {
 }
 
 func TestOperationExecutor_RegisterPlugin_ConcurrentRegisterPlugin(t *testing.T) {
-	ch, quit, oe := setup()
+	tCtx, ch, quit, oe := setup(t)
 	for i := 0; i < numPluginsToRegister; i++ {
 		socketPath := fmt.Sprintf("%s/plugin-%d.sock", socketDir, i)
-		err := oe.RegisterPlugin(socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
+		err := oe.RegisterPlugin(tCtx, socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
 		assert.NoError(t, err)
 	}
 	if !isOperationRunConcurrently(ch, quit, numPluginsToRegister) {
@@ -58,15 +60,15 @@ func TestOperationExecutor_RegisterPlugin_ConcurrentRegisterPlugin(t *testing.T)
 }
 
 func TestOperationExecutor_RegisterPlugin_SerialRegisterPlugin(t *testing.T) {
-	ch, quit, oe := setup()
+	tCtx, ch, quit, oe := setup(t)
 	socketPath := fmt.Sprintf("%s/plugin-serial.sock", socketDir)
 
 	// First registration should not fail.
-	err := oe.RegisterPlugin(socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
+	err := oe.RegisterPlugin(tCtx, socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
 	assert.NoError(t, err)
 
 	for i := 1; i < numPluginsToRegister; i++ {
-		err := oe.RegisterPlugin(socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
+		err := oe.RegisterPlugin(tCtx, socketPath, uuid.NewUUID(), nil /* plugin handlers */, nil /* actual state of the world updator */)
 		if err == nil {
 			t.Fatalf("RegisterPlugin did not fail. Expected: <Failed to create operation with name \"%s\". An operation with that name is already executing.> Actual: <no error>", socketPath)
 		}
@@ -78,12 +80,11 @@ func TestOperationExecutor_RegisterPlugin_SerialRegisterPlugin(t *testing.T) {
 }
 
 func TestOperationExecutor_UnregisterPlugin_ConcurrentUnregisterPlugin(t *testing.T) {
-	ch, quit, oe := setup()
+	tCtx, ch, quit, oe := setup(t)
 	for i := 0; i < numPluginsToUnregister; i++ {
 		socketPath := "socket-path" + strconv.Itoa(i)
 		pluginInfo := cache.PluginInfo{SocketPath: socketPath}
-		oe.UnregisterPlugin(pluginInfo, nil /* actual state of the world updator */)
-
+		_ = oe.UnregisterPlugin(tCtx, pluginInfo, nil /* actual state of the world updator */)
 	}
 	if !isOperationRunConcurrently(ch, quit, numPluginsToUnregister) {
 		t.Fatalf("Unable to start unregister operations in Concurrent for plugins")
@@ -91,12 +92,11 @@ func TestOperationExecutor_UnregisterPlugin_ConcurrentUnregisterPlugin(t *testin
 }
 
 func TestOperationExecutor_UnregisterPlugin_SerialUnregisterPlugin(t *testing.T) {
-	ch, quit, oe := setup()
+	tCtx, ch, quit, oe := setup(t)
 	socketPath := fmt.Sprintf("%s/plugin-serial.sock", socketDir)
 	for i := 0; i < numPluginsToUnregister; i++ {
 		pluginInfo := cache.PluginInfo{SocketPath: socketPath}
-		oe.UnregisterPlugin(pluginInfo, nil /* actual state of the world updator */)
-
+		_ = oe.UnregisterPlugin(tCtx, pluginInfo, nil /* actual state of the world updator */)
 	}
 	if !isOperationRunSerially(ch, quit) {
 		t.Fatalf("Unable to start unregister operations serially for plugins")
@@ -116,6 +116,7 @@ func newFakeOperationGenerator(ch chan interface{}, quit chan interface{}) Opera
 }
 
 func (fopg *fakeOperationGenerator) GenerateRegisterPluginFunc(
+	ctx context.Context,
 	socketPath string,
 	pluginUUID types.UID,
 	pluginHandlers map[string]cache.PluginHandler,
@@ -129,6 +130,7 @@ func (fopg *fakeOperationGenerator) GenerateRegisterPluginFunc(
 }
 
 func (fopg *fakeOperationGenerator) GenerateUnregisterPluginFunc(
+	ctx context.Context,
 	pluginInfo cache.PluginInfo,
 	actualStateOfWorldUpdater ActualStateOfWorldUpdater) func() error {
 	opFunc := func() error {
@@ -174,9 +176,10 @@ loop:
 	return false
 }
 
-func setup() (chan interface{}, chan interface{}, OperationExecutor) {
+func setup(t *testing.T) (context.Context, chan interface{}, chan interface{}, OperationExecutor) {
+	tCtx := ktesting.Init(t)
 	ch, quit := make(chan interface{}), make(chan interface{})
-	return ch, quit, NewOperationExecutor(newFakeOperationGenerator(ch, quit))
+	return tCtx, ch, quit, NewOperationExecutor(newFakeOperationGenerator(ch, quit))
 }
 
 // This function starts by writing to ch and blocks on the quit channel
diff --git a/pkg/kubelet/pluginmanager/operationexecutor/operation_generator.go b/pkg/kubelet/pluginmanager/operationexecutor/operation_generator.go
index 7b6fbba5b5031..745ca23154712 100644
--- a/pkg/kubelet/pluginmanager/operationexecutor/operation_generator.go
+++ b/pkg/kubelet/pluginmanager/operationexecutor/operation_generator.go
@@ -62,6 +62,7 @@ func NewOperationGenerator(recorder record.EventRecorder) OperationGenerator {
 type OperationGenerator interface {
 	// Generates the RegisterPlugin function needed to perform the registration of a plugin
 	GenerateRegisterPluginFunc(
+		ctx context.Context,
 		socketPath string,
 		UUID types.UID,
 		pluginHandlers map[string]cache.PluginHandler,
@@ -69,34 +70,39 @@ type OperationGenerator interface {
 
 	// Generates the UnregisterPlugin function needed to perform the unregistration of a plugin
 	GenerateUnregisterPluginFunc(
+		ctx context.Context,
 		pluginInfo cache.PluginInfo,
 		actualStateOfWorldUpdater ActualStateOfWorldUpdater) func() error
 }
 
 func (og *operationGenerator) GenerateRegisterPluginFunc(
+	ctx context.Context,
 	socketPath string,
 	pluginUUID types.UID,
 	pluginHandlers map[string]cache.PluginHandler,
 	actualStateOfWorldUpdater ActualStateOfWorldUpdater) func() error {
 
 	registerPluginFunc := func() error {
-		client, conn, err := dial(socketPath, dialTimeoutDuration)
+		logger := klog.FromContext(ctx)
+
+		client, conn, err := dial(ctx, socketPath, dialTimeoutDuration)
 		if err != nil {
 			return fmt.Errorf("RegisterPlugin error -- dial failed at socket %s, err: %v", socketPath, err)
 		}
 		defer conn.Close()
 
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+		// Create separate context from parent context
+		ctxWithTimeout, cancel := context.WithTimeout(ctx, time.Second)
 		defer cancel()
 
-		infoResp, err := client.GetInfo(ctx, &registerapi.InfoRequest{})
+		infoResp, err := client.GetInfo(ctxWithTimeout, &registerapi.InfoRequest{})
 		if err != nil {
 			return fmt.Errorf("RegisterPlugin error -- failed to get plugin info using RPC GetInfo at socket %s, err: %v", socketPath, err)
 		}
 
 		handler, ok := pluginHandlers[infoResp.Type]
 		if !ok {
-			if err := og.notifyPlugin(client, false, fmt.Sprintf("RegisterPlugin error -- no handler registered for plugin type: %s at socket %s", infoResp.Type, socketPath)); err != nil {
+			if err := og.notifyPlugin(ctx, client, false, fmt.Sprintf("RegisterPlugin error -- no handler registered for plugin type: %s at socket %s", infoResp.Type, socketPath)); err != nil {
 				return fmt.Errorf("RegisterPlugin error -- failed to send error at socket %s, err: %v", socketPath, err)
 			}
 			return fmt.Errorf("RegisterPlugin error -- no handler registered for plugin type: %s at socket %s", infoResp.Type, socketPath)
@@ -106,14 +112,14 @@ func (og *operationGenerator) GenerateRegisterPluginFunc(
 			infoResp.Endpoint = socketPath
 		}
 		if err := handler.ValidatePlugin(infoResp.Name, infoResp.Endpoint, infoResp.SupportedVersions); err != nil {
-			if err = og.notifyPlugin(client, false, fmt.Sprintf("RegisterPlugin error -- plugin validation failed with err: %v", err)); err != nil {
+			if err = og.notifyPlugin(ctx, client, false, fmt.Sprintf("RegisterPlugin error -- plugin validation failed with err: %v", err)); err != nil {
 				return fmt.Errorf("RegisterPlugin error -- failed to send error at socket %s, err: %v", socketPath, err)
 			}
 			return fmt.Errorf("RegisterPlugin error -- pluginHandler.ValidatePluginFunc failed")
 		}
 		// We add the plugin to the actual state of world cache before calling a plugin consumer's Register handle
 		// so that if we receive a delete event during Register Plugin, we can process it as a DeRegister call.
-		err = actualStateOfWorldUpdater.AddPlugin(cache.PluginInfo{
+		err = actualStateOfWorldUpdater.AddPlugin(ctx, cache.PluginInfo{
 			SocketPath: socketPath,
 			UUID:       pluginUUID,
 			Handler:    handler,
@@ -121,14 +127,14 @@ func (og *operationGenerator) GenerateRegisterPluginFunc(
 			Endpoint:   infoResp.Endpoint,
 		})
 		if err != nil {
-			klog.ErrorS(err, "RegisterPlugin error -- failed to add plugin", "path", socketPath)
+			logger.Error(err, "RegisterPlugin error -- failed to add plugin", "path", socketPath)
 		}
 		if err := handler.RegisterPlugin(infoResp.Name, infoResp.Endpoint, infoResp.SupportedVersions, nil); err != nil {
-			return og.notifyPlugin(client, false, fmt.Sprintf("RegisterPlugin error -- plugin registration failed with err: %v", err))
+			return og.notifyPlugin(ctx, client, false, fmt.Sprintf("RegisterPlugin error -- plugin registration failed with err: %v", err))
 		}
 
 		// Notify is called after register to guarantee that even if notify throws an error Register will always be called after validate
-		if err := og.notifyPlugin(client, true, ""); err != nil {
+		if err := og.notifyPlugin(ctx, client, true, ""); err != nil {
 			return fmt.Errorf("RegisterPlugin error -- failed to send registration status at socket %s, err: %v", socketPath, err)
 		}
 		return nil
@@ -137,10 +143,13 @@ func (og *operationGenerator) GenerateRegisterPluginFunc(
 }
 
 func (og *operationGenerator) GenerateUnregisterPluginFunc(
+	ctx context.Context,
 	pluginInfo cache.PluginInfo,
 	actualStateOfWorldUpdater ActualStateOfWorldUpdater) func() error {
 
 	unregisterPluginFunc := func() error {
+		logger := klog.FromContext(ctx)
+
 		if pluginInfo.Handler == nil {
 			return fmt.Errorf("UnregisterPlugin error -- failed to get plugin handler for %s", pluginInfo.SocketPath)
 		}
@@ -150,14 +159,14 @@ func (og *operationGenerator) GenerateUnregisterPluginFunc(
 
 		pluginInfo.Handler.DeRegisterPlugin(pluginInfo.Name, pluginInfo.Endpoint)
 
-		klog.V(4).InfoS("DeRegisterPlugin called", "pluginName", pluginInfo.Name, "pluginHandler", pluginInfo.Handler)
+		logger.V(4).Info("DeRegisterPlugin called", "pluginName", pluginInfo.Name, "pluginHandler", pluginInfo.Handler)
 		return nil
 	}
 	return unregisterPluginFunc
 }
 
-func (og *operationGenerator) notifyPlugin(client registerapi.RegistrationClient, registered bool, errStr string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), notifyTimeoutDuration)
+func (og *operationGenerator) notifyPlugin(ctx context.Context, client registerapi.RegistrationClient, registered bool, errStr string) error {
+	ctx, cancel := context.WithTimeout(ctx, notifyTimeoutDuration)
 	defer cancel()
 
 	status := &registerapi.RegistrationStatus{
@@ -177,8 +186,8 @@ func (og *operationGenerator) notifyPlugin(client registerapi.RegistrationClient
 }
 
 // Dial establishes the gRPC communication with the picked up plugin socket. https://godoc.org/google.golang.org/grpc#Dial
-func dial(unixSocketPath string, timeout time.Duration) (registerapi.RegistrationClient, *grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+func dial(ctx context.Context, unixSocketPath string, timeout time.Duration) (registerapi.RegistrationClient, *grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
 	c, err := grpc.DialContext(ctx, unixSocketPath,
diff --git a/pkg/kubelet/pluginmanager/plugin_manager.go b/pkg/kubelet/pluginmanager/plugin_manager.go
index e1491165febcf..754c30ba31599 100644
--- a/pkg/kubelet/pluginmanager/plugin_manager.go
+++ b/pkg/kubelet/pluginmanager/plugin_manager.go
@@ -17,6 +17,7 @@ limitations under the License.
 package pluginmanager
 
 import (
+	"context"
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/runtime"
@@ -34,7 +35,7 @@ import (
 // need to be registered/deregistered and makes it so.
 type PluginManager interface {
 	// Starts the plugin manager and all the asynchronous loops that it controls
-	Run(sourcesReady config.SourcesReady, stopCh <-chan struct{})
+	Run(ctx context.Context, sourcesReady config.SourcesReady, stopCh <-chan struct{})
 
 	// AddHandler adds the given plugin handler for a specific plugin type, which
 	// will be added to the actual state of world cache so that it can be passed to
@@ -105,22 +106,24 @@ type pluginManager struct {
 
 var _ PluginManager = &pluginManager{}
 
-func (pm *pluginManager) Run(sourcesReady config.SourcesReady, stopCh <-chan struct{}) {
+func (pm *pluginManager) Run(ctx context.Context, sourcesReady config.SourcesReady, stopCh <-chan struct{}) {
 	defer runtime.HandleCrash()
 
-	if err := pm.desiredStateOfWorldPopulator.Start(stopCh); err != nil {
-		klog.ErrorS(err, "The desired_state_of_world populator (plugin watcher) starts failed!")
+	logger := klog.FromContext(ctx)
+
+	if err := pm.desiredStateOfWorldPopulator.Start(ctx, stopCh); err != nil {
+		logger.Error(err, "The desired_state_of_world populator (plugin watcher) starts failed!")
 		return
 	}
 
-	klog.V(2).InfoS("The desired_state_of_world populator (plugin watcher) starts")
+	logger.V(2).Info("The desired_state_of_world populator (plugin watcher) starts")
 
-	klog.InfoS("Starting Kubelet Plugin Manager")
+	logger.Info("Starting Kubelet Plugin Manager")
 	go pm.reconciler.Run(stopCh)
 
 	metrics.Register(pm.actualStateOfWorld, pm.desiredStateOfWorld)
 	<-stopCh
-	klog.InfoS("Shutting down Kubelet Plugin Manager")
+	logger.Info("Shutting down Kubelet Plugin Manager")
 }
 
 func (pm *pluginManager) AddHandler(pluginType string, handler cache.PluginHandler) {
diff --git a/pkg/kubelet/pluginmanager/plugin_manager_test.go b/pkg/kubelet/pluginmanager/plugin_manager_test.go
index 99aa22ad7ae22..9f1c737d6047b 100644
--- a/pkg/kubelet/pluginmanager/plugin_manager_test.go
+++ b/pkg/kubelet/pluginmanager/plugin_manager_test.go
@@ -34,6 +34,7 @@ import (
 
 	"k8s.io/kubernetes/pkg/kubelet/config"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/pluginwatcher"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 var (
@@ -141,6 +142,7 @@ func retryWithExponentialBackOff(initialDuration time.Duration, fn wait.Conditio
 func TestPluginManager(t *testing.T) {
 	defer cleanup(t)
 
+	tCtx := ktesting.Init(t)
 	pluginManager := newTestPluginManager(socketDir)
 
 	// Start the plugin manager
@@ -148,7 +150,7 @@ func TestPluginManager(t *testing.T) {
 	defer close(stopChan)
 	go func() {
 		sourcesReady := config.NewSourcesReady(func(_ sets.Set[string]) bool { return true })
-		pluginManager.Run(sourcesReady, stopChan)
+		pluginManager.Run(tCtx, sourcesReady, stopChan)
 	}()
 
 	// Add handler for device plugin
@@ -170,14 +172,14 @@ func TestPluginManager(t *testing.T) {
 		// Add a new plugin
 		pluginName := fmt.Sprintf("example-plugin-%d", i)
 		p := pluginwatcher.NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-		require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+		require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 
 		// Verify that the plugin is registered
 		waitForRegistration(t, fakeHandler, pluginName, socketPath)
 
 		// And unregister.
 		fakeHandler.Reset()
-		require.NoError(t, p.Stop())
+		require.NoError(t, p.Stop(tCtx))
 		waitForDeRegistration(t, fakeHandler, pluginName, socketPath)
 	}
 }
diff --git a/pkg/kubelet/pluginmanager/pluginwatcher/example_handler.go b/pkg/kubelet/pluginmanager/pluginwatcher/example_handler.go
index 3c845a7bc24f6..3f94ad951363b 100644
--- a/pkg/kubelet/pluginmanager/pluginwatcher/example_handler.go
+++ b/pkg/kubelet/pluginmanager/pluginwatcher/example_handler.go
@@ -64,8 +64,8 @@ func NewExampleHandler(supportedVersions []string, permitDeprecatedDir bool) *ex
 	}
 }
 
-func (p *exampleHandler) ValidatePlugin(pluginName string, endpoint string, versions []string) error {
-	p.SendEvent(pluginName, exampleEventValidate)
+func (p *exampleHandler) ValidatePlugin(ctx context.Context, pluginName string, endpoint string, versions []string) error {
+	p.SendEvent(ctx, pluginName, exampleEventValidate)
 
 	n, ok := p.DecreasePluginCount(pluginName)
 	if !ok && n > 0 {
@@ -84,11 +84,11 @@ func (p *exampleHandler) ValidatePlugin(pluginName string, endpoint string, vers
 	return nil
 }
 
-func (p *exampleHandler) RegisterPlugin(pluginName, endpoint string, versions []string) error {
-	p.SendEvent(pluginName, exampleEventRegister)
+func (p *exampleHandler) RegisterPlugin(ctx context.Context, pluginName, endpoint string, versions []string) error {
+	p.SendEvent(ctx, pluginName, exampleEventRegister)
 
 	// Verifies the grpcServer is ready to serve services.
-	_, conn, err := dial(endpoint, time.Second)
+	_, conn, err := dial(ctx, endpoint, time.Second)
 	if err != nil {
 		return fmt.Errorf("failed dialing endpoint (%s): %v", endpoint, err)
 	}
@@ -99,13 +99,13 @@ func (p *exampleHandler) RegisterPlugin(pluginName, endpoint string, versions []
 	v1beta2Client := v1beta2.NewExampleClient(conn)
 
 	// Tests v1beta1 GetExampleInfo
-	_, err = v1beta1Client.GetExampleInfo(context.Background(), &v1beta1.ExampleRequest{})
+	_, err = v1beta1Client.GetExampleInfo(ctx, &v1beta1.ExampleRequest{})
 	if err != nil {
 		return fmt.Errorf("failed GetExampleInfo for v1beta2Client(%s): %v", endpoint, err)
 	}
 
 	// Tests v1beta1 GetExampleInfo
-	_, err = v1beta2Client.GetExampleInfo(context.Background(), &v1beta2.ExampleRequest{})
+	_, err = v1beta2Client.GetExampleInfo(ctx, &v1beta2.ExampleRequest{})
 	if err != nil {
 		return fmt.Errorf("failed GetExampleInfo for v1beta2Client(%s): %v", endpoint, err)
 	}
@@ -113,12 +113,13 @@ func (p *exampleHandler) RegisterPlugin(pluginName, endpoint string, versions []
 	return nil
 }
 
-func (p *exampleHandler) DeRegisterPlugin(pluginName string) {
-	p.SendEvent(pluginName, exampleEventDeRegister)
+func (p *exampleHandler) DeRegisterPlugin(ctx context.Context, pluginName string) {
+	p.SendEvent(ctx, pluginName, exampleEventDeRegister)
 }
 
-func (p *exampleHandler) SendEvent(pluginName string, event examplePluginEvent) {
-	klog.V(2).InfoS("Sending event for plugin", "pluginName", pluginName, "event", event, "channel", p.eventChans[pluginName])
+func (p *exampleHandler) SendEvent(ctx context.Context, pluginName string, event examplePluginEvent) {
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Sending event for plugin", "pluginName", pluginName, "event", event, "channel", p.eventChans[pluginName])
 	p.eventChans[pluginName] <- event
 }
 
@@ -135,8 +136,8 @@ func (p *exampleHandler) DecreasePluginCount(pluginName string) (old int, ok boo
 }
 
 // Dial establishes the gRPC communication with the picked up plugin socket. https://godoc.org/google.golang.org/grpc#Dial
-func dial(unixSocketPath string, timeout time.Duration) (registerapi.RegistrationClient, *grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+func dial(ctx context.Context, unixSocketPath string, timeout time.Duration) (registerapi.RegistrationClient, *grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
 	c, err := grpc.DialContext(ctx, unixSocketPath,
diff --git a/pkg/kubelet/pluginmanager/pluginwatcher/example_plugin.go b/pkg/kubelet/pluginmanager/pluginwatcher/example_plugin.go
index 85b9cc3b28952..0e43ceaf5e2ed 100644
--- a/pkg/kubelet/pluginmanager/pluginwatcher/example_plugin.go
+++ b/pkg/kubelet/pluginmanager/pluginwatcher/example_plugin.go
@@ -53,7 +53,8 @@ type pluginServiceV1Beta1 struct {
 }
 
 func (s *pluginServiceV1Beta1) GetExampleInfo(ctx context.Context, rqt *v1beta1.ExampleRequest) (*v1beta1.ExampleResponse, error) {
-	klog.InfoS("GetExampleInfo v1beta1field", "field", rqt.V1Beta1Field)
+	logger := klog.FromContext(ctx)
+	logger.Info("GetExampleInfo v1beta1field", "field", rqt.V1Beta1Field)
 	return &v1beta1.ExampleResponse{}, nil
 }
 
@@ -67,7 +68,8 @@ type pluginServiceV1Beta2 struct {
 }
 
 func (s *pluginServiceV1Beta2) GetExampleInfo(ctx context.Context, rqt *v1beta2.ExampleRequest) (*v1beta2.ExampleResponse, error) {
-	klog.InfoS("GetExampleInfo v1beta2_field", "field", rqt.V1Beta2Field)
+	logger := klog.FromContext(ctx)
+	logger.Info("GetExampleInfo v1beta2_field", "field", rqt.V1Beta2Field)
 	return &v1beta2.ExampleResponse{}, nil
 }
 
@@ -109,7 +111,8 @@ func (e *examplePlugin) GetInfo(ctx context.Context, req *registerapi.InfoReques
 }
 
 func (e *examplePlugin) NotifyRegistrationStatus(ctx context.Context, status *registerapi.RegistrationStatus) (*registerapi.RegistrationStatusResponse, error) {
-	klog.InfoS("Notify registration status", "status", status)
+	logger := klog.FromContext(ctx)
+	logger.Info("Notify registration status", "status", status)
 
 	if e.registrationStatus != nil {
 		e.registrationStatus <- *status
@@ -119,14 +122,15 @@ func (e *examplePlugin) NotifyRegistrationStatus(ctx context.Context, status *re
 }
 
 // Serve starts a pluginwatcher server and one or more of the plugin services
-func (e *examplePlugin) Serve(services ...string) error {
-	klog.InfoS("Starting example server", "endpoint", e.endpoint)
+func (e *examplePlugin) Serve(ctx context.Context, services ...string) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting example server", "endpoint", e.endpoint)
 	lis, err := net.Listen("unix", e.endpoint)
 	if err != nil {
 		return err
 	}
 
-	klog.InfoS("Example server started", "endpoint", e.endpoint)
+	logger.Info("Example server started", "endpoint", e.endpoint)
 	e.grpcServer = grpc.NewServer()
 
 	// Registers kubelet plugin watcher api.
@@ -151,15 +155,16 @@ func (e *examplePlugin) Serve(services ...string) error {
 		defer e.wg.Done()
 		// Blocking call to accept incoming connections.
 		if err := e.grpcServer.Serve(lis); err != nil {
-			klog.ErrorS(err, "Example server stopped serving")
+			logger.Error(err, "Example server stopped serving")
 		}
 	}()
 
 	return nil
 }
 
-func (e *examplePlugin) Stop() error {
-	klog.InfoS("Stopping example server", "endpoint", e.endpoint)
+func (e *examplePlugin) Stop(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
+	logger.Info("Stopping example server", "endpoint", e.endpoint)
 
 	e.grpcServer.Stop()
 	c := make(chan struct{})
diff --git a/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher.go b/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher.go
index 44a08012c0dc2..dc3e6a7d08732 100644
--- a/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher.go
+++ b/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher.go
@@ -17,6 +17,7 @@ limitations under the License.
 package pluginwatcher
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strings"
@@ -47,12 +48,13 @@ func NewWatcher(sockDir string, desiredStateOfWorld cache.DesiredStateOfWorld) *
 }
 
 // Start watches for the creation and deletion of plugin sockets at the path
-func (w *Watcher) Start(stopCh <-chan struct{}) error {
-	klog.V(2).InfoS("Plugin Watcher Start", "path", w.path)
+func (w *Watcher) Start(ctx context.Context, stopCh <-chan struct{}) error {
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Plugin Watcher Start", "path", w.path)
 
 	// Creating the directory to be watched if it doesn't exist yet,
 	// and walks through the directory to discover the existing plugins.
-	if err := w.init(); err != nil {
+	if err := w.init(ctx); err != nil {
 		return err
 	}
 
@@ -63,8 +65,8 @@ func (w *Watcher) Start(stopCh <-chan struct{}) error {
 	w.fsWatcher = fsWatcher
 
 	// Traverse plugin dir and add filesystem watchers before starting the plugin processing goroutine.
-	if err := w.traversePluginDir(w.path); err != nil {
-		klog.ErrorS(err, "Failed to traverse plugin socket path", "path", w.path)
+	if err := w.traversePluginDir(ctx, w.path); err != nil {
+		logger.Error(err, "Failed to traverse plugin socket path", "path", w.path)
 	}
 
 	go func(fsWatcher *fsnotify.Watcher) {
@@ -73,17 +75,17 @@ func (w *Watcher) Start(stopCh <-chan struct{}) error {
 			case event := <-fsWatcher.Events:
 				//TODO: Handle errors by taking corrective measures
 				if event.Has(fsnotify.Create) {
-					err := w.handleCreateEvent(event)
+					err := w.handleCreateEvent(ctx, event)
 					if err != nil {
-						klog.ErrorS(err, "Error when handling create event", "event", event)
+						logger.Error(err, "Error when handling create event", "event", event)
 					}
 				} else if event.Has(fsnotify.Remove) {
-					w.handleDeleteEvent(event)
+					w.handleDeleteEvent(ctx, event)
 				}
 				continue
 			case err := <-fsWatcher.Errors:
 				if err != nil {
-					klog.ErrorS(err, "FsWatcher received error")
+					logger.Error(err, "FsWatcher received error")
 				}
 				continue
 			case <-stopCh:
@@ -96,8 +98,9 @@ func (w *Watcher) Start(stopCh <-chan struct{}) error {
 	return nil
 }
 
-func (w *Watcher) init() error {
-	klog.V(4).InfoS("Ensuring Plugin directory", "path", w.path)
+func (w *Watcher) init(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
+	logger.V(4).Info("Ensuring Plugin directory", "path", w.path)
 
 	if err := w.fs.MkdirAll(w.path, 0755); err != nil {
 		return fmt.Errorf("error (re-)creating root %s: %v", w.path, err)
@@ -108,7 +111,9 @@ func (w *Watcher) init() error {
 
 // Walks through the plugin directory discover any existing plugin sockets.
 // Ignore all errors except root dir not being walkable
-func (w *Watcher) traversePluginDir(dir string) error {
+func (w *Watcher) traversePluginDir(ctx context.Context, dir string) error {
+	logger := klog.FromContext(ctx)
+
 	// watch the new dir
 	err := w.fsWatcher.Add(dir)
 	if err != nil {
@@ -121,7 +126,7 @@ func (w *Watcher) traversePluginDir(dir string) error {
 				return fmt.Errorf("error accessing path: %s error: %v", path, err)
 			}
 
-			klog.ErrorS(err, "Error accessing path", "path", path)
+			logger.Error(err, "Error accessing path", "path", path)
 			return nil
 		}
 
@@ -141,11 +146,11 @@ func (w *Watcher) traversePluginDir(dir string) error {
 				Op:   fsnotify.Create,
 			}
 			//TODO: Handle errors by taking corrective measures
-			if err := w.handleCreateEvent(event); err != nil {
-				klog.ErrorS(err, "Error when handling create", "event", event)
+			if err := w.handleCreateEvent(ctx, event); err != nil {
+				logger.Error(err, "Error when handling create", "event", event)
 			}
 		} else {
-			klog.V(5).InfoS("Ignoring file", "path", path, "mode", mode)
+			logger.V(5).Info("Ignoring file", "path", path, "mode", mode)
 		}
 
 		return nil
@@ -155,8 +160,9 @@ func (w *Watcher) traversePluginDir(dir string) error {
 // Handle filesystem notify event.
 // Files names:
 // - MUST NOT start with a '.'
-func (w *Watcher) handleCreateEvent(event fsnotify.Event) error {
-	klog.V(6).InfoS("Handling create event", "event", event)
+func (w *Watcher) handleCreateEvent(ctx context.Context, event fsnotify.Event) error {
+	logger := klog.FromContext(ctx)
+	logger.V(6).Info("Handling create event", "event", event)
 
 	fi, err := getStat(event)
 	if err != nil {
@@ -164,7 +170,7 @@ func (w *Watcher) handleCreateEvent(event fsnotify.Event) error {
 	}
 
 	if strings.HasPrefix(fi.Name(), ".") {
-		klog.V(5).InfoS("Ignoring file (starts with '.')", "path", fi.Name())
+		logger.V(5).Info("Ignoring file (starts with '.')", "path", fi.Name())
 		return nil
 	}
 
@@ -174,35 +180,37 @@ func (w *Watcher) handleCreateEvent(event fsnotify.Event) error {
 			return fmt.Errorf("failed to determine if file: %s is a unix domain socket: %v", event.Name, err)
 		}
 		if !isSocket {
-			klog.V(5).InfoS("Ignoring non socket file", "path", fi.Name())
+			logger.V(5).Info("Ignoring non socket file", "path", fi.Name())
 			return nil
 		}
 
-		return w.handlePluginRegistration(event.Name)
+		return w.handlePluginRegistration(ctx, event.Name)
 	}
 
-	return w.traversePluginDir(event.Name)
+	return w.traversePluginDir(ctx, event.Name)
 }
 
-func (w *Watcher) handlePluginRegistration(socketPath string) error {
+func (w *Watcher) handlePluginRegistration(ctx context.Context, socketPath string) error {
+	logger := klog.FromContext(ctx)
 	socketPath = getSocketPath(socketPath)
 	// Update desired state of world list of plugins
 	// If the socket path does exist in the desired world cache, there's still
 	// a possibility that it has been deleted and recreated again before it is
 	// removed from the desired world cache, so we still need to call AddOrUpdatePlugin
 	// in this case to update the timestamp
-	klog.V(2).InfoS("Adding socket path or updating timestamp to desired state cache", "path", socketPath)
-	err := w.desiredStateOfWorld.AddOrUpdatePlugin(socketPath)
+	logger.V(2).Info("Adding socket path or updating timestamp to desired state cache", "path", socketPath)
+	err := w.desiredStateOfWorld.AddOrUpdatePlugin(ctx, socketPath)
 	if err != nil {
 		return fmt.Errorf("error adding socket path %s or updating timestamp to desired state cache: %v", socketPath, err)
 	}
 	return nil
 }
 
-func (w *Watcher) handleDeleteEvent(event fsnotify.Event) {
-	klog.V(6).InfoS("Handling delete event", "event", event)
+func (w *Watcher) handleDeleteEvent(ctx context.Context, event fsnotify.Event) {
+	logger := klog.FromContext(ctx)
+	logger.V(6).Info("Handling delete event", "event", event)
 
 	socketPath := event.Name
-	klog.V(2).InfoS("Removing socket path from desired state cache", "path", socketPath)
+	logger.V(2).Info("Removing socket path from desired state cache", "path", socketPath)
 	w.desiredStateOfWorld.RemovePlugin(socketPath)
 }
diff --git a/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher_test.go b/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher_test.go
index d610d37a9cef5..072fdbfcfcaae 100644
--- a/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher_test.go
+++ b/pkg/kubelet/pluginmanager/pluginwatcher/plugin_watcher_test.go
@@ -30,6 +30,7 @@ import (
 	"k8s.io/klog/v2"
 	registerapi "k8s.io/kubelet/pkg/apis/pluginregistration/v1"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 var (
@@ -39,7 +40,8 @@ var (
 func init() {
 	var logLevel string
 
-	klog.InitFlags(flag.CommandLine)
+	flags := &flag.FlagSet{}
+	klog.InitFlags(flags)
 	flag.Set("alsologtostderr", fmt.Sprintf("%t", true))
 	flag.StringVar(&logLevel, "logLevel", "6", "test")
 	flag.Lookup("v").Value.Set(logLevel)
@@ -107,6 +109,7 @@ func TestPluginRegistration(t *testing.T) {
 	socketDir := initTempDir(t)
 	defer os.RemoveAll(socketDir)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	newWatcher(t, socketDir, dsw, wait.NeverStop)
 
@@ -115,7 +118,7 @@ func TestPluginRegistration(t *testing.T) {
 		pluginName := fmt.Sprintf("example-plugin-%d", i)
 
 		p := NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-		require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+		require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 
 		pluginInfo := GetPluginInfo(p)
 		waitForRegistration(t, pluginInfo.SocketPath, dsw)
@@ -127,7 +130,7 @@ func TestPluginRegistration(t *testing.T) {
 		}
 
 		// Stop the plugin; the plugin should be removed from the desired state of world cache
-		require.NoError(t, p.Stop())
+		require.NoError(t, p.Stop(tCtx))
 		// The following doesn't work when running the unit tests locally: event.Op of plugin watcher won't pick up the delete event
 		waitForUnregistration(t, pluginInfo.SocketPath, dsw)
 		dswPlugins = dsw.GetPluginsToRegister()
@@ -141,6 +144,7 @@ func TestPluginRegistrationSameName(t *testing.T) {
 	socketDir := initTempDir(t)
 	defer os.RemoveAll(socketDir)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	newWatcher(t, socketDir, dsw, wait.NeverStop)
 
@@ -150,7 +154,7 @@ func TestPluginRegistrationSameName(t *testing.T) {
 	for i := 0; i < 10; i++ {
 		socketPath := filepath.Join(socketDir, fmt.Sprintf("plugin-%d.sock", i))
 		p := NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-		require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+		require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 
 		pluginInfo := GetPluginInfo(p)
 		waitForRegistration(t, pluginInfo.SocketPath, dsw)
@@ -167,6 +171,7 @@ func TestPluginReRegistration(t *testing.T) {
 	socketDir := initTempDir(t)
 	defer os.RemoveAll(socketDir)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	newWatcher(t, socketDir, dsw, wait.NeverStop)
 
@@ -175,7 +180,7 @@ func TestPluginReRegistration(t *testing.T) {
 	socketPath := filepath.Join(socketDir, "plugin-reregistration.sock")
 	pluginName := "reregister-plugin"
 	p := NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-	require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+	require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 	pluginInfo := GetPluginInfo(p)
 	lastTimestamp := time.Now()
 	waitForRegistration(t, pluginInfo.SocketPath, dsw)
@@ -185,13 +190,13 @@ func TestPluginReRegistration(t *testing.T) {
 	for i := 0; i < 10; i++ {
 		// Stop the plugin; the plugin should be removed from the desired state of world cache
 		// The plugin removal doesn't work when running the unit tests locally: event.Op of plugin watcher won't pick up the delete event
-		require.NoError(t, p.Stop())
+		require.NoError(t, p.Stop(tCtx))
 		waitForUnregistration(t, pluginInfo.SocketPath, dsw)
 
 		// Add the plugin again
 		pluginName := fmt.Sprintf("dep-example-plugin-%d", i)
 		p := NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-		require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+		require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 		waitForRegistration(t, pluginInfo.SocketPath, dsw)
 
 		// Check the dsw cache. The updated plugin should be the only plugin in it
@@ -210,6 +215,7 @@ func TestPluginRegistrationAtKubeletStart(t *testing.T) {
 	socketDir := initTempDir(t)
 	defer os.RemoveAll(socketDir)
 
+	tCtx := ktesting.Init(t)
 	plugins := make([]*examplePlugin, 10)
 
 	for i := 0; i < len(plugins); i++ {
@@ -217,9 +223,9 @@ func TestPluginRegistrationAtKubeletStart(t *testing.T) {
 		pluginName := fmt.Sprintf("example-plugin-%d", i)
 
 		p := NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-		require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+		require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 		defer func(p *examplePlugin) {
-			require.NoError(t, p.Stop())
+			require.NoError(t, p.Stop(tCtx))
 		}(p)
 
 		plugins[i] = p
@@ -255,8 +261,9 @@ func TestPluginRegistrationAtKubeletStart(t *testing.T) {
 }
 
 func newWatcher(t *testing.T, socketDir string, desiredStateOfWorldCache cache.DesiredStateOfWorld, stopCh <-chan struct{}) *Watcher {
+	tCtx := ktesting.Init(t)
 	w := NewWatcher(socketDir, desiredStateOfWorldCache)
-	require.NoError(t, w.Start(stopCh))
+	require.NoError(t, w.Start(tCtx, stopCh))
 
 	return w
 }
diff --git a/pkg/kubelet/pluginmanager/reconciler/reconciler.go b/pkg/kubelet/pluginmanager/reconciler/reconciler.go
index 730f9823fd964..083a81ac69bf9 100644
--- a/pkg/kubelet/pluginmanager/reconciler/reconciler.go
+++ b/pkg/kubelet/pluginmanager/reconciler/reconciler.go
@@ -20,6 +20,7 @@ limitations under the License.
 package reconciler
 
 import (
+	"context"
 	"sync"
 	"time"
 
@@ -83,8 +84,12 @@ type reconciler struct {
 var _ Reconciler = &reconciler{}
 
 func (rc *reconciler) Run(stopCh <-chan struct{}) {
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	ctx := context.TODO()
+
 	wait.Until(func() {
-		rc.reconcile()
+		rc.reconcile(ctx)
 	},
 		rc.loopSleepDuration,
 		stopCh)
@@ -108,7 +113,8 @@ func (rc *reconciler) getHandlers() map[string]cache.PluginHandler {
 	return copyHandlers
 }
 
-func (rc *reconciler) reconcile() {
+func (rc *reconciler) reconcile(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	// Unregisterations are triggered before registrations
 
 	// Ensure plugins that should be unregistered are unregistered.
@@ -123,7 +129,7 @@ func (rc *reconciler) reconcile() {
 			// with the same socket path but different timestamp.
 			for _, dswPlugin := range rc.desiredStateOfWorld.GetPluginsToRegister() {
 				if dswPlugin.SocketPath == registeredPlugin.SocketPath && dswPlugin.UUID != registeredPlugin.UUID {
-					klog.V(5).InfoS("An updated version of plugin has been found, unregistering the plugin first before reregistering", "plugin", registeredPlugin)
+					logger.V(5).Info("An updated version of plugin has been found, unregistering the plugin first before reregistering", "plugin", registeredPlugin)
 					unregisterPlugin = true
 					break
 				}
@@ -131,17 +137,17 @@ func (rc *reconciler) reconcile() {
 		}
 
 		if unregisterPlugin {
-			klog.V(5).InfoS("Starting operationExecutor.UnregisterPlugin", "plugin", registeredPlugin)
-			err := rc.operationExecutor.UnregisterPlugin(registeredPlugin, rc.actualStateOfWorld)
+			logger.V(5).Info("Starting operationExecutor.UnregisterPlugin", "plugin", registeredPlugin)
+			err := rc.operationExecutor.UnregisterPlugin(ctx, registeredPlugin, rc.actualStateOfWorld)
 			if err != nil &&
 				!goroutinemap.IsAlreadyExists(err) &&
 				!exponentialbackoff.IsExponentialBackoff(err) {
 				// Ignore goroutinemap.IsAlreadyExists and exponentialbackoff.IsExponentialBackoff errors, they are expected.
 				// Log all other errors.
-				klog.ErrorS(err, "OperationExecutor.UnregisterPlugin failed", "plugin", registeredPlugin)
+				logger.Error(err, "OperationExecutor.UnregisterPlugin failed", "plugin", registeredPlugin)
 			}
 			if err == nil {
-				klog.V(1).InfoS("OperationExecutor.UnregisterPlugin started", "plugin", registeredPlugin)
+				logger.V(1).Info("OperationExecutor.UnregisterPlugin started", "plugin", registeredPlugin)
 			}
 		}
 	}
@@ -149,16 +155,16 @@ func (rc *reconciler) reconcile() {
 	// Ensure plugins that should be registered are registered
 	for _, pluginToRegister := range rc.desiredStateOfWorld.GetPluginsToRegister() {
 		if !rc.actualStateOfWorld.PluginExistsWithCorrectUUID(pluginToRegister) {
-			klog.V(5).InfoS("Starting operationExecutor.RegisterPlugin", "plugin", pluginToRegister)
-			err := rc.operationExecutor.RegisterPlugin(pluginToRegister.SocketPath, pluginToRegister.UUID, rc.getHandlers(), rc.actualStateOfWorld)
+			logger.V(5).Info("Starting operationExecutor.RegisterPlugin", "plugin", pluginToRegister)
+			err := rc.operationExecutor.RegisterPlugin(ctx, pluginToRegister.SocketPath, pluginToRegister.UUID, rc.getHandlers(), rc.actualStateOfWorld)
 			if err != nil &&
 				!goroutinemap.IsAlreadyExists(err) &&
 				!exponentialbackoff.IsExponentialBackoff(err) {
 				// Ignore goroutinemap.IsAlreadyExists and exponentialbackoff.IsExponentialBackoff errors, they are expected.
-				klog.ErrorS(err, "OperationExecutor.RegisterPlugin failed", "plugin", pluginToRegister)
+				logger.Error(err, "OperationExecutor.RegisterPlugin failed", "plugin", pluginToRegister)
 			}
 			if err == nil {
-				klog.V(1).InfoS("OperationExecutor.RegisterPlugin started", "plugin", pluginToRegister)
+				logger.V(1).Info("OperationExecutor.RegisterPlugin started", "plugin", pluginToRegister)
 			}
 		}
 	}
diff --git a/pkg/kubelet/pluginmanager/reconciler/reconciler_test.go b/pkg/kubelet/pluginmanager/reconciler/reconciler_test.go
index 68e72ddcaae08..f7b8822dccf6e 100644
--- a/pkg/kubelet/pluginmanager/reconciler/reconciler_test.go
+++ b/pkg/kubelet/pluginmanager/reconciler/reconciler_test.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/cache"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/operationexecutor"
 	"k8s.io/kubernetes/pkg/kubelet/pluginmanager/pluginwatcher"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
@@ -170,6 +171,7 @@ func Test_Run_Positive_DoNothing(t *testing.T) {
 func Test_Run_Positive_Register(t *testing.T) {
 	defer cleanup(t)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	asw := cache.NewActualStateOfWorld()
 	di := NewDummyImpl()
@@ -192,11 +194,12 @@ func Test_Run_Positive_Register(t *testing.T) {
 	socketPath := filepath.Join(socketDir, "plugin.sock")
 	pluginName := fmt.Sprintf("example-plugin")
 	p := pluginwatcher.NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-	require.NoError(t, p.Serve("v1beta1", "v1beta2"))
+	require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
 	defer func() {
-		require.NoError(t, p.Stop())
+		require.NoError(t, p.Stop(tCtx))
 	}()
-	dsw.AddOrUpdatePlugin(socketPath)
+	require.NoError(t, dsw.AddOrUpdatePlugin(tCtx, socketPath))
+
 	plugins := dsw.GetPluginsToRegister()
 	waitForRegistration(t, socketPath, plugins[0].UUID, asw)
 
@@ -218,6 +221,7 @@ func Test_Run_Positive_Register(t *testing.T) {
 func Test_Run_Positive_RegisterThenUnregister(t *testing.T) {
 	defer cleanup(t)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	asw := cache.NewActualStateOfWorld()
 	di := NewDummyImpl()
@@ -241,8 +245,8 @@ func Test_Run_Positive_RegisterThenUnregister(t *testing.T) {
 	socketPath := filepath.Join(socketDir, "plugin.sock")
 	pluginName := fmt.Sprintf("example-plugin")
 	p := pluginwatcher.NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-	require.NoError(t, p.Serve("v1beta1", "v1beta2"))
-	dsw.AddOrUpdatePlugin(socketPath)
+	require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
+	require.NoError(t, dsw.AddOrUpdatePlugin(tCtx, socketPath))
 	plugins := dsw.GetPluginsToRegister()
 	waitForRegistration(t, socketPath, plugins[0].UUID, asw)
 
@@ -274,6 +278,7 @@ func Test_Run_Positive_RegisterThenUnregister(t *testing.T) {
 func Test_Run_Positive_ReRegister(t *testing.T) {
 	defer cleanup(t)
 
+	tCtx := ktesting.Init(t)
 	dsw := cache.NewDesiredStateOfWorld()
 	asw := cache.NewActualStateOfWorld()
 	di := NewDummyImpl()
@@ -297,13 +302,13 @@ func Test_Run_Positive_ReRegister(t *testing.T) {
 	socketPath := filepath.Join(socketDir, "plugin2.sock")
 	pluginName := fmt.Sprintf("example-plugin2")
 	p := pluginwatcher.NewTestExamplePlugin(pluginName, registerapi.DevicePlugin, socketPath, supportedVersions...)
-	require.NoError(t, p.Serve("v1beta1", "v1beta2"))
-	dsw.AddOrUpdatePlugin(socketPath)
+	require.NoError(t, p.Serve(tCtx, "v1beta1", "v1beta2"))
+	require.NoError(t, dsw.AddOrUpdatePlugin(tCtx, socketPath))
 	plugins := dsw.GetPluginsToRegister()
 	waitForRegistration(t, socketPath, plugins[0].UUID, asw)
 
 	// Add the plugin again to update the timestamp
-	dsw.AddOrUpdatePlugin(socketPath)
+	require.NoError(t, dsw.AddOrUpdatePlugin(tCtx, socketPath))
 	// This should trigger a deregistration and a regitration
 	// The process of unregistration and reregistration can happen so fast that
 	// we are not able to catch it with waitForUnregistration, so here we are checking
diff --git a/pkg/kubelet/pod/.mockery.yaml b/pkg/kubelet/pod/.mockery.yaml
index 3a60e89a749cb..f450628a6c9c0 100644
--- a/pkg/kubelet/pod/.mockery.yaml
+++ b/pkg/kubelet/pod/.mockery.yaml
@@ -1,10 +1,12 @@
 ---
 dir: testing
-filename: "mock_{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/pod:
     interfaces:
-      Manager:
+      Manager: {}
diff --git a/pkg/kubelet/pod/testing/mock_manager.go b/pkg/kubelet/pod/testing/mock_manager.go
deleted file mode 100644
index a12a6eeff9ad9..0000000000000
--- a/pkg/kubelet/pod/testing/mock_manager.go
+++ /dev/null
@@ -1,812 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-	kubelettypes "k8s.io/kubernetes/pkg/kubelet/types"
-
-	types "k8s.io/apimachinery/pkg/types"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockManager is an autogenerated mock type for the Manager type
-type MockManager struct {
-	mock.Mock
-}
-
-type MockManager_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockManager) EXPECT() *MockManager_Expecter {
-	return &MockManager_Expecter{mock: &_m.Mock}
-}
-
-// AddPod provides a mock function with given fields: _a0
-func (_m *MockManager) AddPod(_a0 *v1.Pod) {
-	_m.Called(_a0)
-}
-
-// MockManager_AddPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddPod'
-type MockManager_AddPod_Call struct {
-	*mock.Call
-}
-
-// AddPod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) AddPod(_a0 interface{}) *MockManager_AddPod_Call {
-	return &MockManager_AddPod_Call{Call: _e.mock.On("AddPod", _a0)}
-}
-
-func (_c *MockManager_AddPod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_AddPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_AddPod_Call) Return() *MockManager_AddPod_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockManager_AddPod_Call) RunAndReturn(run func(*v1.Pod)) *MockManager_AddPod_Call {
-	_c.Run(run)
-	return _c
-}
-
-// GetMirrorPodByPod provides a mock function with given fields: _a0
-func (_m *MockManager) GetMirrorPodByPod(_a0 *v1.Pod) (*v1.Pod, bool) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetMirrorPodByPod")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, bool)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod) bool); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetMirrorPodByPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMirrorPodByPod'
-type MockManager_GetMirrorPodByPod_Call struct {
-	*mock.Call
-}
-
-// GetMirrorPodByPod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) GetMirrorPodByPod(_a0 interface{}) *MockManager_GetMirrorPodByPod_Call {
-	return &MockManager_GetMirrorPodByPod_Call{Call: _e.mock.On("GetMirrorPodByPod", _a0)}
-}
-
-func (_c *MockManager_GetMirrorPodByPod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_GetMirrorPodByPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetMirrorPodByPod_Call) Return(_a0 *v1.Pod, _a1 bool) *MockManager_GetMirrorPodByPod_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockManager_GetMirrorPodByPod_Call) RunAndReturn(run func(*v1.Pod) (*v1.Pod, bool)) *MockManager_GetMirrorPodByPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodAndMirrorPod provides a mock function with given fields: _a0
-func (_m *MockManager) GetPodAndMirrorPod(_a0 *v1.Pod) (*v1.Pod, *v1.Pod, bool) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodAndMirrorPod")
-	}
-
-	var r0 *v1.Pod
-	var r1 *v1.Pod
-	var r2 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, *v1.Pod, bool)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod) *v1.Pod); ok {
-		r1 = rf(_a0)
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func(*v1.Pod) bool); ok {
-		r2 = rf(_a0)
-	} else {
-		r2 = ret.Get(2).(bool)
-	}
-
-	return r0, r1, r2
-}
-
-// MockManager_GetPodAndMirrorPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodAndMirrorPod'
-type MockManager_GetPodAndMirrorPod_Call struct {
-	*mock.Call
-}
-
-// GetPodAndMirrorPod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) GetPodAndMirrorPod(_a0 interface{}) *MockManager_GetPodAndMirrorPod_Call {
-	return &MockManager_GetPodAndMirrorPod_Call{Call: _e.mock.On("GetPodAndMirrorPod", _a0)}
-}
-
-func (_c *MockManager_GetPodAndMirrorPod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_GetPodAndMirrorPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodAndMirrorPod_Call) Return(_a0 *v1.Pod, mirrorPod *v1.Pod, wasMirror bool) *MockManager_GetPodAndMirrorPod_Call {
-	_c.Call.Return(_a0, mirrorPod, wasMirror)
-	return _c
-}
-
-func (_c *MockManager_GetPodAndMirrorPod_Call) RunAndReturn(run func(*v1.Pod) (*v1.Pod, *v1.Pod, bool)) *MockManager_GetPodAndMirrorPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByFullName provides a mock function with given fields: podFullName
-func (_m *MockManager) GetPodByFullName(podFullName string) (*v1.Pod, bool) {
-	ret := _m.Called(podFullName)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByFullName")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(string) (*v1.Pod, bool)); ok {
-		return rf(podFullName)
-	}
-	if rf, ok := ret.Get(0).(func(string) *v1.Pod); ok {
-		r0 = rf(podFullName)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string) bool); ok {
-		r1 = rf(podFullName)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetPodByFullName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByFullName'
-type MockManager_GetPodByFullName_Call struct {
-	*mock.Call
-}
-
-// GetPodByFullName is a helper method to define mock.On call
-//   - podFullName string
-func (_e *MockManager_Expecter) GetPodByFullName(podFullName interface{}) *MockManager_GetPodByFullName_Call {
-	return &MockManager_GetPodByFullName_Call{Call: _e.mock.On("GetPodByFullName", podFullName)}
-}
-
-func (_c *MockManager_GetPodByFullName_Call) Run(run func(podFullName string)) *MockManager_GetPodByFullName_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodByFullName_Call) Return(_a0 *v1.Pod, _a1 bool) *MockManager_GetPodByFullName_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockManager_GetPodByFullName_Call) RunAndReturn(run func(string) (*v1.Pod, bool)) *MockManager_GetPodByFullName_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByMirrorPod provides a mock function with given fields: _a0
-func (_m *MockManager) GetPodByMirrorPod(_a0 *v1.Pod) (*v1.Pod, bool) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByMirrorPod")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, bool)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(*v1.Pod) bool); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetPodByMirrorPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByMirrorPod'
-type MockManager_GetPodByMirrorPod_Call struct {
-	*mock.Call
-}
-
-// GetPodByMirrorPod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) GetPodByMirrorPod(_a0 interface{}) *MockManager_GetPodByMirrorPod_Call {
-	return &MockManager_GetPodByMirrorPod_Call{Call: _e.mock.On("GetPodByMirrorPod", _a0)}
-}
-
-func (_c *MockManager_GetPodByMirrorPod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_GetPodByMirrorPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodByMirrorPod_Call) Return(_a0 *v1.Pod, _a1 bool) *MockManager_GetPodByMirrorPod_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockManager_GetPodByMirrorPod_Call) RunAndReturn(run func(*v1.Pod) (*v1.Pod, bool)) *MockManager_GetPodByMirrorPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByName provides a mock function with given fields: namespace, name
-func (_m *MockManager) GetPodByName(namespace string, name string) (*v1.Pod, bool) {
-	ret := _m.Called(namespace, name)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByName")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(string, string) (*v1.Pod, bool)); ok {
-		return rf(namespace, name)
-	}
-	if rf, ok := ret.Get(0).(func(string, string) *v1.Pod); ok {
-		r0 = rf(namespace, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, string) bool); ok {
-		r1 = rf(namespace, name)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
-type MockManager_GetPodByName_Call struct {
-	*mock.Call
-}
-
-// GetPodByName is a helper method to define mock.On call
-//   - namespace string
-//   - name string
-func (_e *MockManager_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockManager_GetPodByName_Call {
-	return &MockManager_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
-}
-
-func (_c *MockManager_GetPodByName_Call) Run(run func(namespace string, name string)) *MockManager_GetPodByName_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodByName_Call) Return(_a0 *v1.Pod, _a1 bool) *MockManager_GetPodByName_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockManager_GetPodByName_Call) RunAndReturn(run func(string, string) (*v1.Pod, bool)) *MockManager_GetPodByName_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByUID provides a mock function with given fields: _a0
-func (_m *MockManager) GetPodByUID(_a0 types.UID) (*v1.Pod, bool) {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByUID")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(types.UID) (*v1.Pod, bool)); ok {
-		return rf(_a0)
-	}
-	if rf, ok := ret.Get(0).(func(types.UID) *v1.Pod); ok {
-		r0 = rf(_a0)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(types.UID) bool); ok {
-		r1 = rf(_a0)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetPodByUID_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByUID'
-type MockManager_GetPodByUID_Call struct {
-	*mock.Call
-}
-
-// GetPodByUID is a helper method to define mock.On call
-//   - _a0 types.UID
-func (_e *MockManager_Expecter) GetPodByUID(_a0 interface{}) *MockManager_GetPodByUID_Call {
-	return &MockManager_GetPodByUID_Call{Call: _e.mock.On("GetPodByUID", _a0)}
-}
-
-func (_c *MockManager_GetPodByUID_Call) Run(run func(_a0 types.UID)) *MockManager_GetPodByUID_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodByUID_Call) Return(_a0 *v1.Pod, _a1 bool) *MockManager_GetPodByUID_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockManager_GetPodByUID_Call) RunAndReturn(run func(types.UID) (*v1.Pod, bool)) *MockManager_GetPodByUID_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPods provides a mock function with no fields
-func (_m *MockManager) GetPods() []*v1.Pod {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPods")
-	}
-
-	var r0 []*v1.Pod
-	if rf, ok := ret.Get(0).(func() []*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.Pod)
-		}
-	}
-
-	return r0
-}
-
-// MockManager_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
-type MockManager_GetPods_Call struct {
-	*mock.Call
-}
-
-// GetPods is a helper method to define mock.On call
-func (_e *MockManager_Expecter) GetPods() *MockManager_GetPods_Call {
-	return &MockManager_GetPods_Call{Call: _e.mock.On("GetPods")}
-}
-
-func (_c *MockManager_GetPods_Call) Run(run func()) *MockManager_GetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPods_Call) Return(_a0 []*v1.Pod) *MockManager_GetPods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockManager_GetPods_Call) RunAndReturn(run func() []*v1.Pod) *MockManager_GetPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodsAndMirrorPods provides a mock function with no fields
-func (_m *MockManager) GetPodsAndMirrorPods() ([]*v1.Pod, []*v1.Pod, []string) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodsAndMirrorPods")
-	}
-
-	var r0 []*v1.Pod
-	var r1 []*v1.Pod
-	var r2 []string
-	if rf, ok := ret.Get(0).(func() ([]*v1.Pod, []*v1.Pod, []string)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() []*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() []*v1.Pod); ok {
-		r1 = rf()
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).([]*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func() []string); ok {
-		r2 = rf()
-	} else {
-		if ret.Get(2) != nil {
-			r2 = ret.Get(2).([]string)
-		}
-	}
-
-	return r0, r1, r2
-}
-
-// MockManager_GetPodsAndMirrorPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodsAndMirrorPods'
-type MockManager_GetPodsAndMirrorPods_Call struct {
-	*mock.Call
-}
-
-// GetPodsAndMirrorPods is a helper method to define mock.On call
-func (_e *MockManager_Expecter) GetPodsAndMirrorPods() *MockManager_GetPodsAndMirrorPods_Call {
-	return &MockManager_GetPodsAndMirrorPods_Call{Call: _e.mock.On("GetPodsAndMirrorPods")}
-}
-
-func (_c *MockManager_GetPodsAndMirrorPods_Call) Run(run func()) *MockManager_GetPodsAndMirrorPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockManager_GetPodsAndMirrorPods_Call) Return(allPods []*v1.Pod, allMirrorPods []*v1.Pod, orphanedMirrorPodFullnames []string) *MockManager_GetPodsAndMirrorPods_Call {
-	_c.Call.Return(allPods, allMirrorPods, orphanedMirrorPodFullnames)
-	return _c
-}
-
-func (_c *MockManager_GetPodsAndMirrorPods_Call) RunAndReturn(run func() ([]*v1.Pod, []*v1.Pod, []string)) *MockManager_GetPodsAndMirrorPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetStaticPodToMirrorPodMap provides a mock function with no fields
-func (_m *MockManager) GetStaticPodToMirrorPodMap() map[*v1.Pod]*v1.Pod {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetStaticPodToMirrorPodMap")
-	}
-
-	var r0 map[*v1.Pod]*v1.Pod
-	if rf, ok := ret.Get(0).(func() map[*v1.Pod]*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[*v1.Pod]*v1.Pod)
-		}
-	}
-
-	return r0
-}
-
-// MockManager_GetStaticPodToMirrorPodMap_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetStaticPodToMirrorPodMap'
-type MockManager_GetStaticPodToMirrorPodMap_Call struct {
-	*mock.Call
-}
-
-// GetStaticPodToMirrorPodMap is a helper method to define mock.On call
-func (_e *MockManager_Expecter) GetStaticPodToMirrorPodMap() *MockManager_GetStaticPodToMirrorPodMap_Call {
-	return &MockManager_GetStaticPodToMirrorPodMap_Call{Call: _e.mock.On("GetStaticPodToMirrorPodMap")}
-}
-
-func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) Run(run func()) *MockManager_GetStaticPodToMirrorPodMap_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) Return(_a0 map[*v1.Pod]*v1.Pod) *MockManager_GetStaticPodToMirrorPodMap_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) RunAndReturn(run func() map[*v1.Pod]*v1.Pod) *MockManager_GetStaticPodToMirrorPodMap_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetUIDTranslations provides a mock function with no fields
-func (_m *MockManager) GetUIDTranslations() (map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID, map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetUIDTranslations")
-	}
-
-	var r0 map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID
-	var r1 map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID
-	if rf, ok := ret.Get(0).(func() (map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID, map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID); ok {
-		r1 = rf()
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID)
-		}
-	}
-
-	return r0, r1
-}
-
-// MockManager_GetUIDTranslations_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetUIDTranslations'
-type MockManager_GetUIDTranslations_Call struct {
-	*mock.Call
-}
-
-// GetUIDTranslations is a helper method to define mock.On call
-func (_e *MockManager_Expecter) GetUIDTranslations() *MockManager_GetUIDTranslations_Call {
-	return &MockManager_GetUIDTranslations_Call{Call: _e.mock.On("GetUIDTranslations")}
-}
-
-func (_c *MockManager_GetUIDTranslations_Call) Run(run func()) *MockManager_GetUIDTranslations_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockManager_GetUIDTranslations_Call) Return(podToMirror map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID, mirrorToPod map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID) *MockManager_GetUIDTranslations_Call {
-	_c.Call.Return(podToMirror, mirrorToPod)
-	return _c
-}
-
-func (_c *MockManager_GetUIDTranslations_Call) RunAndReturn(run func() (map[kubelettypes.ResolvedPodUID]kubelettypes.MirrorPodUID, map[kubelettypes.MirrorPodUID]kubelettypes.ResolvedPodUID)) *MockManager_GetUIDTranslations_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// RemovePod provides a mock function with given fields: _a0
-func (_m *MockManager) RemovePod(_a0 *v1.Pod) {
-	_m.Called(_a0)
-}
-
-// MockManager_RemovePod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RemovePod'
-type MockManager_RemovePod_Call struct {
-	*mock.Call
-}
-
-// RemovePod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) RemovePod(_a0 interface{}) *MockManager_RemovePod_Call {
-	return &MockManager_RemovePod_Call{Call: _e.mock.On("RemovePod", _a0)}
-}
-
-func (_c *MockManager_RemovePod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_RemovePod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_RemovePod_Call) Return() *MockManager_RemovePod_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockManager_RemovePod_Call) RunAndReturn(run func(*v1.Pod)) *MockManager_RemovePod_Call {
-	_c.Run(run)
-	return _c
-}
-
-// SetPods provides a mock function with given fields: pods
-func (_m *MockManager) SetPods(pods []*v1.Pod) {
-	_m.Called(pods)
-}
-
-// MockManager_SetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetPods'
-type MockManager_SetPods_Call struct {
-	*mock.Call
-}
-
-// SetPods is a helper method to define mock.On call
-//   - pods []*v1.Pod
-func (_e *MockManager_Expecter) SetPods(pods interface{}) *MockManager_SetPods_Call {
-	return &MockManager_SetPods_Call{Call: _e.mock.On("SetPods", pods)}
-}
-
-func (_c *MockManager_SetPods_Call) Run(run func(pods []*v1.Pod)) *MockManager_SetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].([]*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_SetPods_Call) Return() *MockManager_SetPods_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockManager_SetPods_Call) RunAndReturn(run func([]*v1.Pod)) *MockManager_SetPods_Call {
-	_c.Run(run)
-	return _c
-}
-
-// TranslatePodUID provides a mock function with given fields: uid
-func (_m *MockManager) TranslatePodUID(uid types.UID) kubelettypes.ResolvedPodUID {
-	ret := _m.Called(uid)
-
-	if len(ret) == 0 {
-		panic("no return value specified for TranslatePodUID")
-	}
-
-	var r0 kubelettypes.ResolvedPodUID
-	if rf, ok := ret.Get(0).(func(types.UID) kubelettypes.ResolvedPodUID); ok {
-		r0 = rf(uid)
-	} else {
-		r0 = ret.Get(0).(kubelettypes.ResolvedPodUID)
-	}
-
-	return r0
-}
-
-// MockManager_TranslatePodUID_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'TranslatePodUID'
-type MockManager_TranslatePodUID_Call struct {
-	*mock.Call
-}
-
-// TranslatePodUID is a helper method to define mock.On call
-//   - uid types.UID
-func (_e *MockManager_Expecter) TranslatePodUID(uid interface{}) *MockManager_TranslatePodUID_Call {
-	return &MockManager_TranslatePodUID_Call{Call: _e.mock.On("TranslatePodUID", uid)}
-}
-
-func (_c *MockManager_TranslatePodUID_Call) Run(run func(uid types.UID)) *MockManager_TranslatePodUID_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockManager_TranslatePodUID_Call) Return(_a0 kubelettypes.ResolvedPodUID) *MockManager_TranslatePodUID_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockManager_TranslatePodUID_Call) RunAndReturn(run func(types.UID) kubelettypes.ResolvedPodUID) *MockManager_TranslatePodUID_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// UpdatePod provides a mock function with given fields: _a0
-func (_m *MockManager) UpdatePod(_a0 *v1.Pod) {
-	_m.Called(_a0)
-}
-
-// MockManager_UpdatePod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePod'
-type MockManager_UpdatePod_Call struct {
-	*mock.Call
-}
-
-// UpdatePod is a helper method to define mock.On call
-//   - _a0 *v1.Pod
-func (_e *MockManager_Expecter) UpdatePod(_a0 interface{}) *MockManager_UpdatePod_Call {
-	return &MockManager_UpdatePod_Call{Call: _e.mock.On("UpdatePod", _a0)}
-}
-
-func (_c *MockManager_UpdatePod_Call) Run(run func(_a0 *v1.Pod)) *MockManager_UpdatePod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*v1.Pod))
-	})
-	return _c
-}
-
-func (_c *MockManager_UpdatePod_Call) Return() *MockManager_UpdatePod_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockManager_UpdatePod_Call) RunAndReturn(run func(*v1.Pod)) *MockManager_UpdatePod_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockManager creates a new instance of MockManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockManager(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockManager {
-	mock := &MockManager{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/pod/testing/mocks.go b/pkg/kubelet/pod/testing/mocks.go
new file mode 100644
index 0000000000000..b08370f5b9e5b
--- /dev/null
+++ b/pkg/kubelet/pod/testing/mocks.go
@@ -0,0 +1,866 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	types0 "k8s.io/kubernetes/pkg/kubelet/types"
+)
+
+// NewMockManager creates a new instance of MockManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockManager(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockManager {
+	mock := &MockManager{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockManager is an autogenerated mock type for the Manager type
+type MockManager struct {
+	mock.Mock
+}
+
+type MockManager_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockManager) EXPECT() *MockManager_Expecter {
+	return &MockManager_Expecter{mock: &_m.Mock}
+}
+
+// AddPod provides a mock function for the type MockManager
+func (_mock *MockManager) AddPod(pod *v1.Pod) {
+	_mock.Called(pod)
+	return
+}
+
+// MockManager_AddPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddPod'
+type MockManager_AddPod_Call struct {
+	*mock.Call
+}
+
+// AddPod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) AddPod(pod interface{}) *MockManager_AddPod_Call {
+	return &MockManager_AddPod_Call{Call: _e.mock.On("AddPod", pod)}
+}
+
+func (_c *MockManager_AddPod_Call) Run(run func(pod *v1.Pod)) *MockManager_AddPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_AddPod_Call) Return() *MockManager_AddPod_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockManager_AddPod_Call) RunAndReturn(run func(pod *v1.Pod)) *MockManager_AddPod_Call {
+	_c.Run(run)
+	return _c
+}
+
+// GetMirrorPodByPod provides a mock function for the type MockManager
+func (_mock *MockManager) GetMirrorPodByPod(pod *v1.Pod) (*v1.Pod, bool) {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetMirrorPodByPod")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, bool)); ok {
+		return returnFunc(pod)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
+		r0 = returnFunc(pod)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod) bool); ok {
+		r1 = returnFunc(pod)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockManager_GetMirrorPodByPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetMirrorPodByPod'
+type MockManager_GetMirrorPodByPod_Call struct {
+	*mock.Call
+}
+
+// GetMirrorPodByPod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) GetMirrorPodByPod(pod interface{}) *MockManager_GetMirrorPodByPod_Call {
+	return &MockManager_GetMirrorPodByPod_Call{Call: _e.mock.On("GetMirrorPodByPod", pod)}
+}
+
+func (_c *MockManager_GetMirrorPodByPod_Call) Run(run func(pod *v1.Pod)) *MockManager_GetMirrorPodByPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetMirrorPodByPod_Call) Return(pod1 *v1.Pod, b bool) *MockManager_GetMirrorPodByPod_Call {
+	_c.Call.Return(pod1, b)
+	return _c
+}
+
+func (_c *MockManager_GetMirrorPodByPod_Call) RunAndReturn(run func(pod *v1.Pod) (*v1.Pod, bool)) *MockManager_GetMirrorPodByPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodAndMirrorPod provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodAndMirrorPod(pod *v1.Pod) (*v1.Pod, *v1.Pod, bool) {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodAndMirrorPod")
+	}
+
+	var r0 *v1.Pod
+	var r1 *v1.Pod
+	var r2 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, *v1.Pod, bool)); ok {
+		return returnFunc(pod)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
+		r0 = returnFunc(pod)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod) *v1.Pod); ok {
+		r1 = returnFunc(pod)
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func(*v1.Pod) bool); ok {
+		r2 = returnFunc(pod)
+	} else {
+		r2 = ret.Get(2).(bool)
+	}
+	return r0, r1, r2
+}
+
+// MockManager_GetPodAndMirrorPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodAndMirrorPod'
+type MockManager_GetPodAndMirrorPod_Call struct {
+	*mock.Call
+}
+
+// GetPodAndMirrorPod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) GetPodAndMirrorPod(pod interface{}) *MockManager_GetPodAndMirrorPod_Call {
+	return &MockManager_GetPodAndMirrorPod_Call{Call: _e.mock.On("GetPodAndMirrorPod", pod)}
+}
+
+func (_c *MockManager_GetPodAndMirrorPod_Call) Run(run func(pod *v1.Pod)) *MockManager_GetPodAndMirrorPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodAndMirrorPod_Call) Return(pod1 *v1.Pod, mirrorPod *v1.Pod, wasMirror bool) *MockManager_GetPodAndMirrorPod_Call {
+	_c.Call.Return(pod1, mirrorPod, wasMirror)
+	return _c
+}
+
+func (_c *MockManager_GetPodAndMirrorPod_Call) RunAndReturn(run func(pod *v1.Pod) (*v1.Pod, *v1.Pod, bool)) *MockManager_GetPodAndMirrorPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByFullName provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodByFullName(podFullName string) (*v1.Pod, bool) {
+	ret := _mock.Called(podFullName)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByFullName")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(string) (*v1.Pod, bool)); ok {
+		return returnFunc(podFullName)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *v1.Pod); ok {
+		r0 = returnFunc(podFullName)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) bool); ok {
+		r1 = returnFunc(podFullName)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockManager_GetPodByFullName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByFullName'
+type MockManager_GetPodByFullName_Call struct {
+	*mock.Call
+}
+
+// GetPodByFullName is a helper method to define mock.On call
+//   - podFullName string
+func (_e *MockManager_Expecter) GetPodByFullName(podFullName interface{}) *MockManager_GetPodByFullName_Call {
+	return &MockManager_GetPodByFullName_Call{Call: _e.mock.On("GetPodByFullName", podFullName)}
+}
+
+func (_c *MockManager_GetPodByFullName_Call) Run(run func(podFullName string)) *MockManager_GetPodByFullName_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodByFullName_Call) Return(pod *v1.Pod, b bool) *MockManager_GetPodByFullName_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockManager_GetPodByFullName_Call) RunAndReturn(run func(podFullName string) (*v1.Pod, bool)) *MockManager_GetPodByFullName_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByMirrorPod provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodByMirrorPod(pod *v1.Pod) (*v1.Pod, bool) {
+	ret := _mock.Called(pod)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByMirrorPod")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) (*v1.Pod, bool)); ok {
+		return returnFunc(pod)
+	}
+	if returnFunc, ok := ret.Get(0).(func(*v1.Pod) *v1.Pod); ok {
+		r0 = returnFunc(pod)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(*v1.Pod) bool); ok {
+		r1 = returnFunc(pod)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockManager_GetPodByMirrorPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByMirrorPod'
+type MockManager_GetPodByMirrorPod_Call struct {
+	*mock.Call
+}
+
+// GetPodByMirrorPod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) GetPodByMirrorPod(pod interface{}) *MockManager_GetPodByMirrorPod_Call {
+	return &MockManager_GetPodByMirrorPod_Call{Call: _e.mock.On("GetPodByMirrorPod", pod)}
+}
+
+func (_c *MockManager_GetPodByMirrorPod_Call) Run(run func(pod *v1.Pod)) *MockManager_GetPodByMirrorPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodByMirrorPod_Call) Return(pod1 *v1.Pod, b bool) *MockManager_GetPodByMirrorPod_Call {
+	_c.Call.Return(pod1, b)
+	return _c
+}
+
+func (_c *MockManager_GetPodByMirrorPod_Call) RunAndReturn(run func(pod *v1.Pod) (*v1.Pod, bool)) *MockManager_GetPodByMirrorPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByName provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodByName(namespace string, name string) (*v1.Pod, bool) {
+	ret := _mock.Called(namespace, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByName")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(string, string) (*v1.Pod, bool)); ok {
+		return returnFunc(namespace, name)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string) *v1.Pod); ok {
+		r0 = returnFunc(namespace, name)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string) bool); ok {
+		r1 = returnFunc(namespace, name)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockManager_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
+type MockManager_GetPodByName_Call struct {
+	*mock.Call
+}
+
+// GetPodByName is a helper method to define mock.On call
+//   - namespace string
+//   - name string
+func (_e *MockManager_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockManager_GetPodByName_Call {
+	return &MockManager_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
+}
+
+func (_c *MockManager_GetPodByName_Call) Run(run func(namespace string, name string)) *MockManager_GetPodByName_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodByName_Call) Return(pod *v1.Pod, b bool) *MockManager_GetPodByName_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockManager_GetPodByName_Call) RunAndReturn(run func(namespace string, name string) (*v1.Pod, bool)) *MockManager_GetPodByName_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByUID provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodByUID(uID types.UID) (*v1.Pod, bool) {
+	ret := _mock.Called(uID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByUID")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(types.UID) (*v1.Pod, bool)); ok {
+		return returnFunc(uID)
+	}
+	if returnFunc, ok := ret.Get(0).(func(types.UID) *v1.Pod); ok {
+		r0 = returnFunc(uID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(types.UID) bool); ok {
+		r1 = returnFunc(uID)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockManager_GetPodByUID_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByUID'
+type MockManager_GetPodByUID_Call struct {
+	*mock.Call
+}
+
+// GetPodByUID is a helper method to define mock.On call
+//   - uID types.UID
+func (_e *MockManager_Expecter) GetPodByUID(uID interface{}) *MockManager_GetPodByUID_Call {
+	return &MockManager_GetPodByUID_Call{Call: _e.mock.On("GetPodByUID", uID)}
+}
+
+func (_c *MockManager_GetPodByUID_Call) Run(run func(uID types.UID)) *MockManager_GetPodByUID_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodByUID_Call) Return(pod *v1.Pod, b bool) *MockManager_GetPodByUID_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockManager_GetPodByUID_Call) RunAndReturn(run func(uID types.UID) (*v1.Pod, bool)) *MockManager_GetPodByUID_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPods provides a mock function for the type MockManager
+func (_mock *MockManager) GetPods() []*v1.Pod {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPods")
+	}
+
+	var r0 []*v1.Pod
+	if returnFunc, ok := ret.Get(0).(func() []*v1.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.Pod)
+		}
+	}
+	return r0
+}
+
+// MockManager_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
+type MockManager_GetPods_Call struct {
+	*mock.Call
+}
+
+// GetPods is a helper method to define mock.On call
+func (_e *MockManager_Expecter) GetPods() *MockManager_GetPods_Call {
+	return &MockManager_GetPods_Call{Call: _e.mock.On("GetPods")}
+}
+
+func (_c *MockManager_GetPods_Call) Run(run func()) *MockManager_GetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPods_Call) Return(pods []*v1.Pod) *MockManager_GetPods_Call {
+	_c.Call.Return(pods)
+	return _c
+}
+
+func (_c *MockManager_GetPods_Call) RunAndReturn(run func() []*v1.Pod) *MockManager_GetPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodsAndMirrorPods provides a mock function for the type MockManager
+func (_mock *MockManager) GetPodsAndMirrorPods() ([]*v1.Pod, []*v1.Pod, []string) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodsAndMirrorPods")
+	}
+
+	var r0 []*v1.Pod
+	var r1 []*v1.Pod
+	var r2 []string
+	if returnFunc, ok := ret.Get(0).(func() ([]*v1.Pod, []*v1.Pod, []string)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() []*v1.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() []*v1.Pod); ok {
+		r1 = returnFunc()
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).([]*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func() []string); ok {
+		r2 = returnFunc()
+	} else {
+		if ret.Get(2) != nil {
+			r2 = ret.Get(2).([]string)
+		}
+	}
+	return r0, r1, r2
+}
+
+// MockManager_GetPodsAndMirrorPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodsAndMirrorPods'
+type MockManager_GetPodsAndMirrorPods_Call struct {
+	*mock.Call
+}
+
+// GetPodsAndMirrorPods is a helper method to define mock.On call
+func (_e *MockManager_Expecter) GetPodsAndMirrorPods() *MockManager_GetPodsAndMirrorPods_Call {
+	return &MockManager_GetPodsAndMirrorPods_Call{Call: _e.mock.On("GetPodsAndMirrorPods")}
+}
+
+func (_c *MockManager_GetPodsAndMirrorPods_Call) Run(run func()) *MockManager_GetPodsAndMirrorPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockManager_GetPodsAndMirrorPods_Call) Return(allPods []*v1.Pod, allMirrorPods []*v1.Pod, orphanedMirrorPodFullnames []string) *MockManager_GetPodsAndMirrorPods_Call {
+	_c.Call.Return(allPods, allMirrorPods, orphanedMirrorPodFullnames)
+	return _c
+}
+
+func (_c *MockManager_GetPodsAndMirrorPods_Call) RunAndReturn(run func() ([]*v1.Pod, []*v1.Pod, []string)) *MockManager_GetPodsAndMirrorPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetStaticPodToMirrorPodMap provides a mock function for the type MockManager
+func (_mock *MockManager) GetStaticPodToMirrorPodMap() map[*v1.Pod]*v1.Pod {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetStaticPodToMirrorPodMap")
+	}
+
+	var r0 map[*v1.Pod]*v1.Pod
+	if returnFunc, ok := ret.Get(0).(func() map[*v1.Pod]*v1.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[*v1.Pod]*v1.Pod)
+		}
+	}
+	return r0
+}
+
+// MockManager_GetStaticPodToMirrorPodMap_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetStaticPodToMirrorPodMap'
+type MockManager_GetStaticPodToMirrorPodMap_Call struct {
+	*mock.Call
+}
+
+// GetStaticPodToMirrorPodMap is a helper method to define mock.On call
+func (_e *MockManager_Expecter) GetStaticPodToMirrorPodMap() *MockManager_GetStaticPodToMirrorPodMap_Call {
+	return &MockManager_GetStaticPodToMirrorPodMap_Call{Call: _e.mock.On("GetStaticPodToMirrorPodMap")}
+}
+
+func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) Run(run func()) *MockManager_GetStaticPodToMirrorPodMap_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) Return(podToPod map[*v1.Pod]*v1.Pod) *MockManager_GetStaticPodToMirrorPodMap_Call {
+	_c.Call.Return(podToPod)
+	return _c
+}
+
+func (_c *MockManager_GetStaticPodToMirrorPodMap_Call) RunAndReturn(run func() map[*v1.Pod]*v1.Pod) *MockManager_GetStaticPodToMirrorPodMap_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetUIDTranslations provides a mock function for the type MockManager
+func (_mock *MockManager) GetUIDTranslations() (map[types0.ResolvedPodUID]types0.MirrorPodUID, map[types0.MirrorPodUID]types0.ResolvedPodUID) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetUIDTranslations")
+	}
+
+	var r0 map[types0.ResolvedPodUID]types0.MirrorPodUID
+	var r1 map[types0.MirrorPodUID]types0.ResolvedPodUID
+	if returnFunc, ok := ret.Get(0).(func() (map[types0.ResolvedPodUID]types0.MirrorPodUID, map[types0.MirrorPodUID]types0.ResolvedPodUID)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() map[types0.ResolvedPodUID]types0.MirrorPodUID); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[types0.ResolvedPodUID]types0.MirrorPodUID)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() map[types0.MirrorPodUID]types0.ResolvedPodUID); ok {
+		r1 = returnFunc()
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(map[types0.MirrorPodUID]types0.ResolvedPodUID)
+		}
+	}
+	return r0, r1
+}
+
+// MockManager_GetUIDTranslations_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetUIDTranslations'
+type MockManager_GetUIDTranslations_Call struct {
+	*mock.Call
+}
+
+// GetUIDTranslations is a helper method to define mock.On call
+func (_e *MockManager_Expecter) GetUIDTranslations() *MockManager_GetUIDTranslations_Call {
+	return &MockManager_GetUIDTranslations_Call{Call: _e.mock.On("GetUIDTranslations")}
+}
+
+func (_c *MockManager_GetUIDTranslations_Call) Run(run func()) *MockManager_GetUIDTranslations_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockManager_GetUIDTranslations_Call) Return(podToMirror map[types0.ResolvedPodUID]types0.MirrorPodUID, mirrorToPod map[types0.MirrorPodUID]types0.ResolvedPodUID) *MockManager_GetUIDTranslations_Call {
+	_c.Call.Return(podToMirror, mirrorToPod)
+	return _c
+}
+
+func (_c *MockManager_GetUIDTranslations_Call) RunAndReturn(run func() (map[types0.ResolvedPodUID]types0.MirrorPodUID, map[types0.MirrorPodUID]types0.ResolvedPodUID)) *MockManager_GetUIDTranslations_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RemovePod provides a mock function for the type MockManager
+func (_mock *MockManager) RemovePod(pod *v1.Pod) {
+	_mock.Called(pod)
+	return
+}
+
+// MockManager_RemovePod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RemovePod'
+type MockManager_RemovePod_Call struct {
+	*mock.Call
+}
+
+// RemovePod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) RemovePod(pod interface{}) *MockManager_RemovePod_Call {
+	return &MockManager_RemovePod_Call{Call: _e.mock.On("RemovePod", pod)}
+}
+
+func (_c *MockManager_RemovePod_Call) Run(run func(pod *v1.Pod)) *MockManager_RemovePod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_RemovePod_Call) Return() *MockManager_RemovePod_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockManager_RemovePod_Call) RunAndReturn(run func(pod *v1.Pod)) *MockManager_RemovePod_Call {
+	_c.Run(run)
+	return _c
+}
+
+// SetPods provides a mock function for the type MockManager
+func (_mock *MockManager) SetPods(pods []*v1.Pod) {
+	_mock.Called(pods)
+	return
+}
+
+// MockManager_SetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetPods'
+type MockManager_SetPods_Call struct {
+	*mock.Call
+}
+
+// SetPods is a helper method to define mock.On call
+//   - pods []*v1.Pod
+func (_e *MockManager_Expecter) SetPods(pods interface{}) *MockManager_SetPods_Call {
+	return &MockManager_SetPods_Call{Call: _e.mock.On("SetPods", pods)}
+}
+
+func (_c *MockManager_SetPods_Call) Run(run func(pods []*v1.Pod)) *MockManager_SetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 []*v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].([]*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_SetPods_Call) Return() *MockManager_SetPods_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockManager_SetPods_Call) RunAndReturn(run func(pods []*v1.Pod)) *MockManager_SetPods_Call {
+	_c.Run(run)
+	return _c
+}
+
+// TranslatePodUID provides a mock function for the type MockManager
+func (_mock *MockManager) TranslatePodUID(uid types.UID) types0.ResolvedPodUID {
+	ret := _mock.Called(uid)
+
+	if len(ret) == 0 {
+		panic("no return value specified for TranslatePodUID")
+	}
+
+	var r0 types0.ResolvedPodUID
+	if returnFunc, ok := ret.Get(0).(func(types.UID) types0.ResolvedPodUID); ok {
+		r0 = returnFunc(uid)
+	} else {
+		r0 = ret.Get(0).(types0.ResolvedPodUID)
+	}
+	return r0
+}
+
+// MockManager_TranslatePodUID_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'TranslatePodUID'
+type MockManager_TranslatePodUID_Call struct {
+	*mock.Call
+}
+
+// TranslatePodUID is a helper method to define mock.On call
+//   - uid types.UID
+func (_e *MockManager_Expecter) TranslatePodUID(uid interface{}) *MockManager_TranslatePodUID_Call {
+	return &MockManager_TranslatePodUID_Call{Call: _e.mock.On("TranslatePodUID", uid)}
+}
+
+func (_c *MockManager_TranslatePodUID_Call) Run(run func(uid types.UID)) *MockManager_TranslatePodUID_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_TranslatePodUID_Call) Return(resolvedPodUID types0.ResolvedPodUID) *MockManager_TranslatePodUID_Call {
+	_c.Call.Return(resolvedPodUID)
+	return _c
+}
+
+func (_c *MockManager_TranslatePodUID_Call) RunAndReturn(run func(uid types.UID) types0.ResolvedPodUID) *MockManager_TranslatePodUID_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// UpdatePod provides a mock function for the type MockManager
+func (_mock *MockManager) UpdatePod(pod *v1.Pod) {
+	_mock.Called(pod)
+	return
+}
+
+// MockManager_UpdatePod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdatePod'
+type MockManager_UpdatePod_Call struct {
+	*mock.Call
+}
+
+// UpdatePod is a helper method to define mock.On call
+//   - pod *v1.Pod
+func (_e *MockManager_Expecter) UpdatePod(pod interface{}) *MockManager_UpdatePod_Call {
+	return &MockManager_UpdatePod_Call{Call: _e.mock.On("UpdatePod", pod)}
+}
+
+func (_c *MockManager_UpdatePod_Call) Run(run func(pod *v1.Pod)) *MockManager_UpdatePod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *v1.Pod
+		if args[0] != nil {
+			arg0 = args[0].(*v1.Pod)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockManager_UpdatePod_Call) Return() *MockManager_UpdatePod_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockManager_UpdatePod_Call) RunAndReturn(run func(pod *v1.Pod)) *MockManager_UpdatePod_Call {
+	_c.Run(run)
+	return _c
+}
diff --git a/pkg/kubelet/pod_workers.go b/pkg/kubelet/pod_workers.go
index 68d47ff5bfaa0..d2539a8bd70b4 100644
--- a/pkg/kubelet/pod_workers.go
+++ b/pkg/kubelet/pod_workers.go
@@ -1519,8 +1519,18 @@ func (p *podWorkers) completeWork(podUID types.UID, phaseTransition bool, syncEr
 		// Network is not ready; back off for short period of time and retry as network might be ready soon.
 		p.workQueue.Enqueue(podUID, wait.Jitter(backOffOnTransientErrorPeriod, workerBackOffPeriodJitterFactor))
 	default:
-		// Error occurred during the sync; back off and then retry.
-		p.workQueue.Enqueue(podUID, wait.Jitter(p.backOffPeriod, workerBackOffPeriodJitterFactor))
+		// Error occurred during the sync; back off and then retry. If the error includes a backoff expiration,
+		// wait until then instead of the default to avoid adding extra time to the backoff.
+		backoff := p.backOffPeriod
+		if backoffAt, isBackoffErr := kubecontainer.MinBackoffExpiration(syncErr); isBackoffErr {
+			backoff = backoffAt.Sub(p.clock.Now())
+		}
+		if backoff < 0 {
+			backoff = 0
+		} else if backoff > p.resyncInterval {
+			backoff = p.resyncInterval
+		}
+		p.workQueue.Enqueue(podUID, wait.Jitter(backoff, workerBackOffPeriodJitterFactor))
 	}
 
 	// if there is a pending update for this worker, requeue immediately, otherwise
diff --git a/pkg/kubelet/pod_workers_test.go b/pkg/kubelet/pod_workers_test.go
index b318ed630f032..4dc418744a000 100644
--- a/pkg/kubelet/pod_workers_test.go
+++ b/pkg/kubelet/pod_workers_test.go
@@ -18,6 +18,7 @@ package kubelet
 
 import (
 	"context"
+	"errors"
 	"reflect"
 	"strconv"
 	"sync"
@@ -30,9 +31,11 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/kubernetes/pkg/kubelet/allocation"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
@@ -452,7 +455,7 @@ func createPodWorkers() (*podWorkers, *containertest.FakeRuntime, map[types.UID]
 		time.Second,
 		time.Millisecond,
 		fakeCache,
-		allocation.NewInMemoryManager(nil, nil, nil, nil, nil, nil),
+		allocation.NewInMemoryManager(cm.NodeConfig{}, nil, nil, nil, nil, nil, nil, nil),
 	)
 	workers := w.(*podWorkers)
 	workers.clock = clock
@@ -882,6 +885,191 @@ func TestUpdatePod(t *testing.T) {
 	}
 }
 
+func TestCompleteWork_Enqueue(t *testing.T) {
+	const noJitter = 0.0
+
+	defaultBackoff := 10 * time.Second
+	resyncInterval := 20 * time.Second
+	clock := clocktesting.NewFakePassiveClock(time.Unix(1, 0))
+
+	testCases := []struct {
+		name            string
+		phaseTransition bool
+		syncErr         error
+		expectedMin     time.Duration
+		jitterFactor    float64
+	}{
+		{
+			name:            "phase transition requeues for immediate processing",
+			phaseTransition: true,
+			expectedMin:     0,
+			jitterFactor:    noJitter,
+		},
+		{
+			name:         "no error uses regular resync interval",
+			syncErr:      nil,
+			expectedMin:  resyncInterval,
+			jitterFactor: workerResyncIntervalJitterFactor,
+		},
+		{
+			name:         "generic error uses default backoff",
+			syncErr:      errors.New("generic error"),
+			expectedMin:  defaultBackoff,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name: "BackoffError uses error's backoff",
+			syncErr: kubecontainer.NewBackoffError(
+				errors.New("backoff error"),
+				clock.Now().Add(5*time.Second),
+			),
+			expectedMin:  5 * time.Second,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name: "Aggregate error with one BackoffError uses its backoff",
+			syncErr: utilerrors.NewAggregate([]error{
+				errors.New("some other error"),
+				kubecontainer.NewBackoffError(
+					errors.New("backoff error in aggregate"),
+					clock.Now().Add(7*time.Second),
+				),
+			}),
+			expectedMin:  7 * time.Second,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name: "Aggregate error with multiple BackoffErrors uses minimum backoff",
+			syncErr: utilerrors.NewAggregate([]error{
+				kubecontainer.NewBackoffError(
+					errors.New("backoff error 1"),
+					clock.Now().Add(10*time.Second),
+				),
+				kubecontainer.NewBackoffError(
+					errors.New("backoff error 2"),
+					clock.Now().Add(3*time.Second),
+				),
+			}),
+			expectedMin:  3 * time.Second,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name:         "BackoffError in the past enqueues for immediate processing with jitter",
+			syncErr:      kubecontainer.NewBackoffError(errors.New("backoff error"), clock.Now().Add(-5*time.Second)),
+			expectedMin:  0,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name:         "Excessively long backoff duration enqueues for the maximum allowed",
+			syncErr:      kubecontainer.NewBackoffError(errors.New("backoff error"), clock.Now().Add(resyncInterval*2)),
+			expectedMin:  resyncInterval,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name:         "NetworkNotReadyError uses backOffOnTransientErrorPeriod",
+			syncErr:      errors.New(NetworkNotReadyErrorMsg),
+			expectedMin:  backOffOnTransientErrorPeriod,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name: "Aggregate with NetworkNotReadyError",
+			syncErr: utilerrors.NewAggregate([]error{
+				errors.New("some other error"),
+				errors.New(NetworkNotReadyErrorMsg),
+			}),
+			expectedMin:  backOffOnTransientErrorPeriod,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+		{
+			name: "Aggregate with NetworkNotReadyError and BackoffError",
+			syncErr: utilerrors.NewAggregate([]error{
+				errors.New("some other error"),
+				errors.New(NetworkNotReadyErrorMsg),
+				kubecontainer.NewBackoffError(
+					errors.New("backoff error 2"),
+					clock.Now().Add(3*time.Second),
+				),
+			}),
+			expectedMin:  backOffOnTransientErrorPeriod,
+			jitterFactor: workerBackOffPeriodJitterFactor,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			podWorkers, _, _ := createPodWorkers()
+			podWorkers.clock = clock
+			fakeQueue := podWorkers.workQueue.(*fakeQueue)
+			podUID := types.UID("12345")
+
+			podWorkers.resyncInterval = resyncInterval
+			podWorkers.backOffPeriod = defaultBackoff
+			podWorkers.podSyncStatuses[podUID] = &podSyncStatus{}
+			podWorkers.completeWork(podUID, tc.phaseTransition, tc.syncErr)
+
+			if fakeQueue.Empty() {
+				t.Fatalf("work queue should not be empty")
+			}
+			items := fakeQueue.Items()
+			if len(items) != 1 {
+				t.Fatalf("expected 1 item in queue, got %d", len(items))
+			}
+			item := items[0]
+			if item.UID != podUID {
+				t.Errorf("expected pod UID %q, got %q", podUID, item.UID)
+			}
+
+			expectedMax := tc.expectedMin + time.Duration(float64(tc.expectedMin)*tc.jitterFactor)
+			if item.Delay < tc.expectedMin || item.Delay > expectedMax {
+				t.Errorf("expected delay in range [%v, %v], got %v", tc.expectedMin, expectedMax, item.Delay)
+			}
+		})
+	}
+}
+
+func TestCompleteWork_PendingUpdate(t *testing.T) {
+	podUID := types.UID("pod-with-pending-update-check")
+
+	t.Run("with nil pendingUpdate, clears working status", func(t *testing.T) {
+		p := &podWorkers{
+			podSyncStatuses: make(map[types.UID]*podSyncStatus),
+			workQueue:       &fakeQueue{},
+		}
+		p.podSyncStatuses[podUID] = &podSyncStatus{working: true, pendingUpdate: nil}
+
+		p.completeWork(podUID, false, nil)
+
+		p.podLock.Lock()
+		defer p.podLock.Unlock()
+		if p.podSyncStatuses[podUID].working {
+			t.Error("expected pod status 'working' to be false, but it was true")
+		}
+	})
+
+	t.Run("with non-nil pendingUpdate, queues an update signal", func(t *testing.T) {
+		p := &podWorkers{
+			podSyncStatuses: make(map[types.UID]*podSyncStatus),
+			podUpdates:      make(map[types.UID]chan struct{}),
+			workQueue:       &fakeQueue{},
+		}
+		p.podUpdates[podUID] = make(chan struct{}, 1)
+
+		dummyUpdate := &UpdatePodOptions{
+			Pod: newNamedPod("1", "ns", "running-pod", false),
+		}
+		p.podSyncStatuses[podUID] = &podSyncStatus{working: true, pendingUpdate: dummyUpdate}
+
+		p.completeWork(podUID, false, nil)
+
+		select {
+		case <-p.podUpdates[podUID]:
+			// Success! The channel received the signal as expected.
+		default:
+			t.Fatal("expected an update to be queued on the podUpdates channel, but none was received")
+		}
+	})
+}
+
 func TestUpdatePodForRuntimePod(t *testing.T) {
 	podWorkers, _, processed := createPodWorkers()
 
@@ -1947,7 +2135,7 @@ func TestFakePodWorkers(t *testing.T) {
 		time.Second,
 		time.Second,
 		fakeCache,
-		allocation.NewInMemoryManager(nil, nil, nil, nil, nil, nil),
+		allocation.NewInMemoryManager(cm.NodeConfig{}, nil, nil, nil, nil, nil, nil, nil),
 	)
 	fakePodWorkers := &fakePodWorkers{
 		syncPodFn: kubeletForFakeWorkers.SyncPod,
diff --git a/pkg/kubelet/podcertificate/podcertificatemanager.go b/pkg/kubelet/podcertificate/podcertificatemanager.go
index 77078c33fdf97..ec8c5127e85fa 100644
--- a/pkg/kubelet/podcertificate/podcertificatemanager.go
+++ b/pkg/kubelet/podcertificate/podcertificatemanager.go
@@ -33,19 +33,20 @@ import (
 	"sync"
 	"time"
 
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
-	certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
 	coreinformersv1 "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/kubernetes"
-	certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
 	corelistersv1 "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
@@ -68,12 +69,30 @@ type Manager interface {
 	// GetPodCertificateCredentialBundle is called by the volume host to
 	// retrieve the credential bundle for a given pod certificate volume.
 	GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) (privKey []byte, certChain []byte, err error)
+
+	// MetricReport returns a snapshot of current pod certificate states for this manager.
+	MetricReport() *MetricReport
+}
+
+// MetricReport contains metrics about the current state of pod certificate projected volume sources.
+type MetricReport struct {
+	PodCertificateStates map[SignerAndState]int
+}
+
+// SignerAndState represents a combination of a signer name and the state of a pod certificate.
+type SignerAndState struct {
+	SignerName string
+	State      string
 }
 
 // After this amount of time (plus jitter), we can assume that a PCR that we
 // created, but isn't showing up on our informer, must have been deleted.
 const assumeDeletedThreshold = 10 * time.Minute
 
+// After this amount of time since the BeginRefreshAt of the certificate, we
+// consider a certificate to be overdue for refresh.
+const refreshOverdueDuration = 10 * time.Minute
+
 // IssuingManager is the main implementation of Manager.
 //
 // The core construct is a workqueue that contains one entry for each
@@ -92,10 +111,12 @@ type IssuingManager struct {
 
 	podManager PodManager
 
+	recorder record.EventRecorder
+
 	projectionQueue workqueue.TypedRateLimitingInterface[projectionKey]
 
 	pcrInformer cache.SharedIndexInformer
-	pcrLister   certlistersv1alpha1.PodCertificateRequestLister
+	pcrLister   certlistersv1beta1.PodCertificateRequestLister
 
 	nodeInformer cache.SharedIndexInformer
 	nodeLister   corelistersv1.NodeLister
@@ -136,6 +157,7 @@ type projectionRecord struct {
 // Interface type for all projection record states.
 type credState interface {
 	getCredBundle() (privKey, certChain []byte, err error)
+	metricsState(now time.Time) string
 }
 
 type credStateInitial struct {
@@ -145,6 +167,10 @@ func (c *credStateInitial) getCredBundle() ([]byte, []byte, error) {
 	return nil, nil, fmt.Errorf("credential bundle is not issued yet")
 }
 
+func (c *credStateInitial) metricsState(_ time.Time) string {
+	return "not_yet_issued"
+}
+
 type credStateWait struct {
 	privateKey []byte
 	pcrName    string
@@ -157,6 +183,10 @@ func (c *credStateWait) getCredBundle() ([]byte, []byte, error) {
 	return nil, nil, fmt.Errorf("credential bundle is not issued yet")
 }
 
+func (c *credStateWait) metricsState(_ time.Time) string {
+	return "not_yet_issued"
+}
+
 type credStateDenied struct {
 	Reason  string
 	Message string
@@ -166,6 +196,10 @@ func (c *credStateDenied) getCredBundle() ([]byte, []byte, error) {
 	return nil, nil, fmt.Errorf("PodCertificateRequest was permanently denied: reason=%q message=%q", c.Reason, c.Message)
 }
 
+func (c *credStateDenied) metricsState(_ time.Time) string {
+	return "denied"
+}
+
 type credStateFailed struct {
 	Reason  string
 	Message string
@@ -175,20 +209,40 @@ func (c *credStateFailed) getCredBundle() ([]byte, []byte, error) {
 	return nil, nil, fmt.Errorf("PodCertificateRequest was permanently failed: reason=%q message=%q", c.Reason, c.Message)
 }
 
+func (c *credStateFailed) metricsState(_ time.Time) string {
+	return "failed"
+}
+
 type credStateFresh struct {
-	privateKey     []byte
-	certChain      []byte
-	beginRefreshAt time.Time
+	privateKey                       []byte
+	certChain                        []byte
+	beginRefreshAt                   time.Time
+	notAfter                         time.Time
+	eventEmittedForOverdueForRefresh bool
+	eventEmittedForExpiration        bool
 }
 
 func (c *credStateFresh) getCredBundle() ([]byte, []byte, error) {
 	return c.privateKey, c.certChain, nil
 }
 
+func (c *credStateFresh) metricsState(now time.Time) string {
+	if now.After(c.notAfter) {
+		return "expired"
+	}
+	if now.After(c.beginRefreshAt.Add(refreshOverdueDuration)) {
+		return "overdue_for_refresh"
+	}
+	return "fresh"
+}
+
 type credStateWaitRefresh struct {
-	privateKey     []byte
-	certChain      []byte
-	beginRefreshAt time.Time
+	privateKey                       []byte
+	certChain                        []byte
+	beginRefreshAt                   time.Time
+	notAfter                         time.Time
+	eventEmittedForOverdueForRefresh bool
+	eventEmittedForExpiration        bool
 
 	refreshPrivateKey []byte
 	refreshPCRName    string
@@ -201,13 +255,24 @@ func (c *credStateWaitRefresh) getCredBundle() ([]byte, []byte, error) {
 	return c.privateKey, c.certChain, nil
 }
 
+func (c *credStateWaitRefresh) metricsState(now time.Time) string {
+	if now.After(c.notAfter) {
+		return "expired"
+	}
+	if now.After(c.beginRefreshAt.Add(refreshOverdueDuration)) {
+		return "overdue_for_refresh"
+	}
+	return "fresh"
+}
+
 var _ Manager = (*IssuingManager)(nil)
 
-func NewIssuingManager(kc kubernetes.Interface, podManager PodManager, pcrInformer certinformersv1alpha1.PodCertificateRequestInformer, nodeInformer coreinformersv1.NodeInformer, nodeName types.NodeName, clock clock.WithTicker) *IssuingManager {
+func NewIssuingManager(kc kubernetes.Interface, podManager PodManager, recorder record.EventRecorder, pcrInformer certinformersv1beta1.PodCertificateRequestInformer, nodeInformer coreinformersv1.NodeInformer, nodeName types.NodeName, clock clock.WithTicker) *IssuingManager {
 	m := &IssuingManager{
 		kc: kc,
 
 		podManager:      podManager,
+		recorder:        recorder,
 		projectionQueue: workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[projectionKey]()),
 
 		pcrInformer:  pcrInformer.Informer(),
@@ -227,15 +292,15 @@ func NewIssuingManager(kc kubernetes.Interface, podManager PodManager, pcrInform
 	// for us to notice immediately once the certificate is issued.
 	m.pcrInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj any) {
-			pcr := obj.(*certificatesv1alpha1.PodCertificateRequest)
+			pcr := obj.(*certificatesv1beta1.PodCertificateRequest)
 			m.queueAllProjectionsForPod(pcr.Spec.PodUID)
 		},
 		UpdateFunc: func(old, new any) {
-			pcr := new.(*certificatesv1alpha1.PodCertificateRequest)
+			pcr := new.(*certificatesv1beta1.PodCertificateRequest)
 			m.queueAllProjectionsForPod(pcr.Spec.PodUID)
 		},
 		DeleteFunc: func(obj any) {
-			pcr := obj.(*certificatesv1alpha1.PodCertificateRequest)
+			pcr := obj.(*certificatesv1beta1.PodCertificateRequest)
 			m.queueAllProjectionsForPod(pcr.Spec.PodUID)
 		},
 	})
@@ -276,6 +341,7 @@ func (m *IssuingManager) Run(ctx context.Context) {
 	if !cache.WaitForCacheSync(ctx.Done(), m.pcrInformer.HasSynced, m.nodeInformer.HasSynced) {
 		return
 	}
+
 	go wait.JitterUntilWithContext(ctx, m.runRefreshPass, 1*time.Minute, 1.0, false)
 	go wait.UntilWithContext(ctx, m.runProjectionProcessor, time.Second)
 	<-ctx.Done()
@@ -317,14 +383,7 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 		// If we can't find the pod anymore, it's been deleted.  Clear all our
 		// internal state associated with the pod and return a nil error so it
 		// is forgotten from the queue.
-
-		m.lock.Lock()
-		defer m.lock.Unlock()
-		for k := range m.credStore {
-			if k.Namespace == key.Namespace && k.PodName == key.PodName && k.PodUID == key.PodUID {
-				delete(m.credStore, k)
-			}
-		}
+		m.cleanupCredStoreForPod(key.Namespace, key.PodName, key.PodUID)
 
 		return nil
 	}
@@ -388,7 +447,7 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 			pod.ObjectMeta.Name, pod.ObjectMeta.UID,
 			pod.Spec.ServiceAccountName, serviceAccount.ObjectMeta.UID,
 			m.nodeName, node.ObjectMeta.UID,
-			source.SignerName, source.KeyType, source.MaxExpirationSeconds,
+			source.SignerName, source.KeyType, source.MaxExpirationSeconds, source.UserAnnotations,
 		)
 		if err != nil {
 			return fmt.Errorf("while creating initial PodCertificateRequest: %w", err)
@@ -422,7 +481,7 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 			// remember creating the PCR, then we must be in case 2.  Return to
 			// credStateInitial so we create a new PCR.
 			rec.curState = &credStateInitial{}
-			return fmt.Errorf("PodCertificateRequest %q appears to have been deleted", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+			return fmt.Errorf("PodCertificateRequest %q appears to have been deleted", key.Namespace+"/"+state.pcrName)
 		} else if err != nil {
 			return fmt.Errorf("while getting PodCertificateRequest %q: %w", key.Namespace+"/"+state.pcrName, err)
 		}
@@ -431,25 +490,30 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 		// our state machine accordingly.
 		for _, cond := range pcr.Status.Conditions {
 			switch cond.Type {
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeDenied:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeDenied:
 				rec.curState = &credStateDenied{
 					Reason:  cond.Reason,
 					Message: cond.Message,
 				}
 				klog.V(4).InfoS("PodCertificateRequest denied, moving to credStateDenied", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				eventMessage := fmt.Sprintf("PodCertificateRequest %s was denied, reason=%q, message=%q", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name, cond.Reason, cond.Message)
+				m.recorder.Eventf(pod, corev1.EventTypeWarning, certificatesv1beta1.PodCertificateRequestConditionTypeDenied, cond.Reason, eventMessage)
 				return nil
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeFailed:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeFailed:
 				rec.curState = &credStateFailed{
 					Reason:  cond.Reason,
 					Message: cond.Message,
 				}
-				klog.V(4).InfoS("PodCertificateRequest denied, moving to credStateFailed", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				klog.V(4).InfoS("PodCertificateRequest failed, moving to credStateFailed", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				eventMessage := fmt.Sprintf("PodCertificateRequest %s failed, reason=%q, message=%q", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name, cond.Reason, cond.Message)
+				m.recorder.Eventf(pod, corev1.EventTypeWarning, certificatesv1beta1.PodCertificateRequestConditionTypeFailed, cond.Reason, eventMessage)
 				return nil
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeIssued:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeIssued:
 				rec.curState = &credStateFresh{
 					privateKey:     state.privateKey,
 					certChain:      cleanCertificateChain([]byte(pcr.Status.CertificateChain)),
 					beginRefreshAt: pcr.Status.BeginRefreshAt.Time.Add(jitterDuration()),
+					notAfter:       pcr.Status.NotAfter.Time,
 				}
 				klog.V(4).InfoS("PodCertificateRequest issued, moving to credStateFresh", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
 				return nil
@@ -483,6 +547,20 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 
 		klog.V(4).InfoS("Time to refresh", "key", key)
 
+		// The current time is more than 10 minutes past the most recently issued certificate's `beginRefreshAt` timestamp but the state has not been labeled with overdue for refresh.
+		if m.clock.Now().After(state.beginRefreshAt.Add(refreshOverdueDuration)) && !state.eventEmittedForOverdueForRefresh {
+			klog.V(4).InfoS("Refresh overdue", "key", key)
+			m.recorder.Eventf(pod, corev1.EventTypeWarning, "CertificateOverdueForRefresh", "PodCertificate refresh overdue")
+			state.eventEmittedForOverdueForRefresh = true
+		}
+
+		// The current time is past the most recently issued certificate's `notAfter` timestamp but the state has not been labelled with expired.
+		if m.clock.Now().After(state.notAfter) && !state.eventEmittedForExpiration {
+			klog.V(4).InfoS("Certificates expired", "key", key)
+			m.recorder.Eventf(pod, corev1.EventTypeWarning, "CertificateExpired", "PodCertificate expired")
+			state.eventEmittedForExpiration = true
+		}
+
 		// We fetch the service account so we can know its UID.  Ideally, Kubelet
 		// would have a central component that tracks all service accounts related
 		// to pods on the node using a single-item watch.
@@ -502,16 +580,19 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 			pod.ObjectMeta.Name, pod.ObjectMeta.UID,
 			pod.Spec.ServiceAccountName, serviceAccount.ObjectMeta.UID,
 			m.nodeName, node.ObjectMeta.UID,
-			source.SignerName, source.KeyType, source.MaxExpirationSeconds,
+			source.SignerName, source.KeyType, source.MaxExpirationSeconds, source.UserAnnotations,
 		)
 		if err != nil {
 			return fmt.Errorf("while creating refresh PodCertificateRequest: %w", err)
 		}
 
 		rec.curState = &credStateWaitRefresh{
-			privateKey:     state.privateKey,
-			certChain:      state.certChain,
-			beginRefreshAt: state.beginRefreshAt,
+			privateKey:                       state.privateKey,
+			certChain:                        state.certChain,
+			beginRefreshAt:                   state.beginRefreshAt,
+			notAfter:                         state.notAfter,
+			eventEmittedForOverdueForRefresh: state.eventEmittedForOverdueForRefresh,
+			eventEmittedForExpiration:        state.eventEmittedForExpiration,
 
 			refreshPrivateKey:   privKey,
 			refreshPCRName:      pcr.ObjectMeta.Name,
@@ -538,9 +619,12 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 			// remember creating the PCR, then we must be in case 2.  Return to
 			// credStateFresh so we create a new PCR.
 			rec.curState = &credStateFresh{
-				privateKey:     state.privateKey,
-				certChain:      state.certChain,
-				beginRefreshAt: state.beginRefreshAt,
+				privateKey:                       state.privateKey,
+				certChain:                        state.certChain,
+				beginRefreshAt:                   state.beginRefreshAt,
+				notAfter:                         state.notAfter,
+				eventEmittedForOverdueForRefresh: state.eventEmittedForOverdueForRefresh,
+				eventEmittedForExpiration:        state.eventEmittedForExpiration,
 			}
 			return fmt.Errorf("PodCertificateRequest appears to have been deleted")
 		} else if err != nil {
@@ -551,25 +635,30 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 		// our state machine accordingly.
 		for _, cond := range pcr.Status.Conditions {
 			switch cond.Type {
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeDenied:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeDenied:
 				rec.curState = &credStateDenied{
 					Reason:  cond.Reason,
 					Message: cond.Message,
 				}
 				klog.V(4).InfoS("PodCertificateRequest denied, moving to credStateDenied", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				eventMessage := fmt.Sprintf("PodCertificateRequest %s was denied, reason=%q, message=%q", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name, cond.Reason, cond.Message)
+				m.recorder.Eventf(pod, corev1.EventTypeWarning, certificatesv1beta1.PodCertificateRequestConditionTypeDenied, cond.Reason, eventMessage)
 				return nil
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeFailed:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeFailed:
 				rec.curState = &credStateFailed{
 					Reason:  cond.Reason,
 					Message: cond.Message,
 				}
-				klog.V(4).InfoS("PodCertificateRequest denied, moving to credStateFailed", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				klog.V(4).InfoS("PodCertificateRequest failed, moving to credStateFailed", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+				eventMessage := fmt.Sprintf("PodCertificateRequest %s failed, reason=%q, message=%q", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name, cond.Reason, cond.Message)
+				m.recorder.Eventf(pod, corev1.EventTypeWarning, certificatesv1beta1.PodCertificateRequestConditionTypeFailed, cond.Reason, eventMessage)
 				return nil
-			case certificatesv1alpha1.PodCertificateRequestConditionTypeIssued:
+			case certificatesv1beta1.PodCertificateRequestConditionTypeIssued:
 				rec.curState = &credStateFresh{
 					privateKey:     state.refreshPrivateKey,
 					certChain:      cleanCertificateChain([]byte(pcr.Status.CertificateChain)),
 					beginRefreshAt: pcr.Status.BeginRefreshAt.Time.Add(jitterDuration()),
+					notAfter:       pcr.Status.NotAfter.Time,
 				}
 				klog.V(4).InfoS("PodCertificateRequest issued, moving to credStateFresh", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
 				return nil
@@ -580,6 +669,20 @@ func (m *IssuingManager) handleProjection(ctx context.Context, key projectionKey
 		// projection from the workqueue.  It will be redriven when the
 		// PodCertificateRequest gets an update.
 		klog.V(4).InfoS("PodCertificateRequest not in terminal state, remaining in credStateWaitRefresh", "key", key, "pcr", pcr.ObjectMeta.Namespace+"/"+pcr.ObjectMeta.Name)
+
+		// The current time is more than 10 minutes past the most recently issued certificate's `beginRefreshAt` timestamp but the state has not been labeled with overdue for refresh.
+		if m.clock.Now().After(state.beginRefreshAt.Add(refreshOverdueDuration)) && !state.eventEmittedForOverdueForRefresh {
+			klog.V(4).InfoS("Refresh overdue", "key", key)
+			m.recorder.Eventf(pod, corev1.EventTypeWarning, "CertificateOverdueForRefresh", "PodCertificate refresh overdue")
+			state.eventEmittedForOverdueForRefresh = true
+		}
+
+		// The current time is past the most recently issued certificate's `notAfter` timestamp but the state has not been labeled with expired.
+		if m.clock.Now().After(state.notAfter) && !state.eventEmittedForExpiration {
+			klog.V(4).InfoS("Certificates expired", "key", key)
+			m.recorder.Eventf(pod, corev1.EventTypeWarning, "CertificateExpired", "PodCertificate expired")
+			state.eventEmittedForExpiration = true
+		}
 		return nil
 	}
 
@@ -608,12 +711,25 @@ func (m *IssuingManager) TrackPod(ctx context.Context, pod *corev1.Pod) {
 	m.queueAllProjectionsForPod(pod.ObjectMeta.UID)
 }
 
-// ForgetPod queues the pod's podCertificate projected volume sources for processing.
+// cleanupCredStoreForPod removes all credStore entries for the specified pod.
+func (m *IssuingManager) cleanupCredStoreForPod(namespace, podName, podUID string) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	for k := range m.credStore {
+		if k.Namespace == namespace && k.PodName == podName && k.PodUID == podUID {
+			delete(m.credStore, k)
+		}
+	}
+}
+
+// ForgetPod cleans up all pod certificate credentials for the specified pod.
 //
 // The pod worker will notice that the pod no longer exists and clear any
 // pending and live credentials associated with it.
 func (m *IssuingManager) ForgetPod(ctx context.Context, pod *corev1.Pod) {
-	m.queueAllProjectionsForPod(pod.ObjectMeta.UID)
+	// Immediately clean up credStore entries for this pod to prevent race conditions
+	m.cleanupCredStoreForPod(pod.Namespace, pod.Name, string(pod.UID))
 }
 
 // createPodCertificateRequest creates a PodCertificateRequest.
@@ -623,7 +739,7 @@ func (m *IssuingManager) createPodCertificateRequest(
 	podName string, podUID types.UID,
 	serviceAccountName string, serviceAccountUID types.UID,
 	nodeName types.NodeName, nodeUID types.UID,
-	signerName, keyType string, maxExpirationSeconds *int32) ([]byte, *certificatesv1alpha1.PodCertificateRequest, error) {
+	signerName, keyType string, maxExpirationSeconds *int32, userAnnotations map[string]string) ([]byte, *certificatesv1beta1.PodCertificateRequest, error) {
 
 	privateKey, publicKey, proof, err := generateKeyAndProof(keyType, []byte(podUID))
 	if err != nil {
@@ -640,7 +756,7 @@ func (m *IssuingManager) createPodCertificateRequest(
 		return nil, nil, fmt.Errorf("while PEM-encoding private key: %w", err)
 	}
 
-	req := &certificatesv1alpha1.PodCertificateRequest{
+	req := &certificatesv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:    namespace,
 			GenerateName: "req-",
@@ -653,21 +769,22 @@ func (m *IssuingManager) createPodCertificateRequest(
 				},
 			},
 		},
-		Spec: certificatesv1alpha1.PodCertificateRequestSpec{
-			SignerName:           signerName,
-			PodName:              podName,
-			PodUID:               podUID,
-			ServiceAccountName:   serviceAccountName,
-			ServiceAccountUID:    serviceAccountUID,
-			NodeName:             nodeName,
-			NodeUID:              nodeUID,
-			MaxExpirationSeconds: maxExpirationSeconds,
-			PKIXPublicKey:        pkixPublicKey,
-			ProofOfPossession:    proof,
+		Spec: certificatesv1beta1.PodCertificateRequestSpec{
+			SignerName:                signerName,
+			PodName:                   podName,
+			PodUID:                    podUID,
+			ServiceAccountName:        serviceAccountName,
+			ServiceAccountUID:         serviceAccountUID,
+			NodeName:                  nodeName,
+			NodeUID:                   nodeUID,
+			MaxExpirationSeconds:      maxExpirationSeconds,
+			PKIXPublicKey:             pkixPublicKey,
+			ProofOfPossession:         proof,
+			UnverifiedUserAnnotations: userAnnotations,
 		},
 	}
 
-	req, err = m.kc.CertificatesV1alpha1().PodCertificateRequests(namespace).Create(ctx, req, metav1.CreateOptions{})
+	req, err = m.kc.CertificatesV1beta1().PodCertificateRequests(namespace).Create(ctx, req, metav1.CreateOptions{})
 	if err != nil {
 		return nil, nil, fmt.Errorf("while creating on API: %w", err)
 	}
@@ -701,6 +818,62 @@ func (m *IssuingManager) GetPodCertificateCredentialBundle(ctx context.Context,
 	return rec.curState.getCredBundle()
 }
 
+func (m *IssuingManager) MetricReport() *MetricReport {
+	report := &MetricReport{
+		PodCertificateStates: map[SignerAndState]int{},
+	}
+
+	// Iterate through all pods and their podCertificate projected volume sources
+	// instead of iterating through credStore, so that we can use the SignerName
+	// of the podCertificate projection source.
+	allPods := m.podManager.GetPods()
+	for _, pod := range allPods {
+		for _, v := range pod.Spec.Volumes {
+			if v.Projected == nil {
+				continue
+			}
+
+			for sourceIndex, source := range v.Projected.Sources {
+				if source.PodCertificate == nil {
+					continue
+				}
+
+				key := projectionKey{
+					Namespace:   pod.ObjectMeta.Namespace,
+					PodName:     pod.ObjectMeta.Name,
+					PodUID:      string(pod.ObjectMeta.UID),
+					VolumeName:  v.Name,
+					SourceIndex: sourceIndex,
+				}
+
+				var rec *projectionRecord
+				func() {
+					m.lock.Lock()
+					defer m.lock.Unlock()
+					rec = m.credStore[key]
+				}()
+				if rec == nil {
+					continue
+				}
+
+				func() {
+					rec.lock.Lock()
+					defer rec.lock.Unlock()
+
+					metricsKey := SignerAndState{
+						SignerName: source.PodCertificate.SignerName,
+						State:      rec.curState.metricsState(m.clock.Now()),
+					}
+					report.PodCertificateStates[metricsKey]++
+				}()
+
+			}
+		}
+	}
+
+	return report
+}
+
 func hashBytes(in []byte) []byte {
 	out := sha256.Sum256(in)
 	return out[:]
@@ -820,3 +993,7 @@ func (m *NoOpManager) ForgetPod(ctx context.Context, pod *corev1.Pod) {
 func (m *NoOpManager) GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) ([]byte, []byte, error) {
 	return nil, nil, fmt.Errorf("unimplemented")
 }
+
+func (m *NoOpManager) MetricReport() *MetricReport {
+	return &MetricReport{}
+}
diff --git a/pkg/kubelet/podcertificate/podcertificatemanager_test.go b/pkg/kubelet/podcertificate/podcertificatemanager_test.go
index 76adf7c1959b5..331a2c4e8e700 100644
--- a/pkg/kubelet/podcertificate/podcertificatemanager_test.go
+++ b/pkg/kubelet/podcertificate/podcertificatemanager_test.go
@@ -18,13 +18,15 @@ package podcertificate
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"slices"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -32,7 +34,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
-	certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
 	corelistersv1 "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/kubernetes/test/utils/hermeticpodcertificatesigner"
@@ -51,7 +53,7 @@ func TestTransitionInitialToWait(t *testing.T) {
 	signerName := "foo.com/signer"
 
 	pcrStore := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{})
-	pcrLister := certlistersv1alpha1.NewPodCertificateRequestLister(pcrStore)
+	pcrLister := certlistersv1beta1.NewPodCertificateRequestLister(pcrStore)
 
 	nodeStore := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{})
 	nodeLister := corelistersv1.NewNodeLister(nodeStore)
@@ -109,6 +111,7 @@ func TestTransitionInitialToWait(t *testing.T) {
 										KeyType:              "ED25519",
 										CredentialBundlePath: "creds.pem",
 										MaxExpirationSeconds: ptr.To[int32](86400), // Defaulting doesn't work with a fake client.
+										UserAnnotations:      map[string]string{"test.domain/foo": "bar"},
 									},
 								},
 							},
@@ -135,7 +138,7 @@ func TestTransitionInitialToWait(t *testing.T) {
 		t.Fatalf("Unexpected error while running handleProjection: %v", err)
 	}
 
-	gotPCRs, err := kc.CertificatesV1alpha1().PodCertificateRequests("ns1").List(ctx, metav1.ListOptions{})
+	gotPCRs, err := kc.CertificatesV1beta1().PodCertificateRequests("ns1").List(ctx, metav1.ListOptions{})
 	if err != nil {
 		t.Fatalf("Unexpected error listing PodCertificateRequests in fake client: %v", err)
 	}
@@ -148,19 +151,20 @@ func TestTransitionInitialToWait(t *testing.T) {
 
 	// Check that the created PCR spec matches expectations.  Blank out fields on
 	// gotPCR that we don't care about.
-	wantPCR := &certsv1alpha1.PodCertificateRequest{
+	wantPCR := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "ns1",
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:           workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
-			PodName:              workloadPod.ObjectMeta.Name,
-			PodUID:               workloadPod.ObjectMeta.UID,
-			ServiceAccountName:   workloadSA.ObjectMeta.Name,
-			ServiceAccountUID:    workloadSA.ObjectMeta.UID,
-			NodeName:             types.NodeName("node1"),
-			NodeUID:              node1.ObjectMeta.UID,
-			MaxExpirationSeconds: ptr.To[int32](86400),
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
+			PodName:                   workloadPod.ObjectMeta.Name,
+			PodUID:                    workloadPod.ObjectMeta.UID,
+			ServiceAccountName:        workloadSA.ObjectMeta.Name,
+			ServiceAccountUID:         workloadSA.ObjectMeta.UID,
+			NodeName:                  types.NodeName("node1"),
+			NodeUID:                   node1.ObjectMeta.UID,
+			MaxExpirationSeconds:      ptr.To[int32](86400),
+			UnverifiedUserAnnotations: map[string]string{"test.domain/foo": "bar"},
 		},
 	}
 	gotPCRClone := gotPCR.DeepCopy()
@@ -168,12 +172,123 @@ func TestTransitionInitialToWait(t *testing.T) {
 	gotPCRClone.ObjectMeta.Namespace = gotPCR.ObjectMeta.Namespace
 	gotPCRClone.Spec.PKIXPublicKey = nil
 	gotPCRClone.Spec.ProofOfPossession = nil
-	gotPCRClone.Status = certsv1alpha1.PodCertificateRequestStatus{}
+	gotPCRClone.Status = certsv1beta1.PodCertificateRequestStatus{}
 	if diff := cmp.Diff(gotPCRClone, wantPCR); diff != "" {
 		t.Fatalf("PodCertificateManager created a bad PCR; diff (-got +want)\n%s", diff)
 	}
 }
 
+func TestPCRDeletedWhileWaiting(t *testing.T) {
+	ctx, cancel := context.WithCancel(ktesting.Init(t))
+	defer cancel()
+
+	kc := fake.NewClientset()
+	clock := testclock.NewFakeClock(mustRFC3339(t, "2010-01-01T00:00:00Z"))
+
+	signerName := "foo.com/signer"
+
+	pcrStore := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{})
+	pcrLister := certlistersv1beta1.NewPodCertificateRequestLister(pcrStore)
+
+	nodeStore := cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{})
+	nodeLister := corelistersv1.NewNodeLister(nodeStore)
+	node1 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "node1",
+			UID:  "node1-uid",
+		},
+	}
+	if err := nodeStore.Add(node1); err != nil {
+		t.Fatalf("Unexpected error adding node: %v", err)
+	}
+
+	workloadSA, err := kc.CoreV1().ServiceAccounts("ns1").Create(ctx, &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns1",
+			Name:      "workload",
+		},
+	}, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Unexpected error creating workload serviceaccount: %v", err)
+	}
+
+	node1PodManager := &FakeSynchronousPodManager{
+		pods: []*corev1.Pod{},
+	}
+
+	workloadPod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns1",
+			Name:      "workload",
+		},
+		Spec: corev1.PodSpec{
+			ServiceAccountName: workloadSA.ObjectMeta.Name,
+			NodeName:           "node1",
+			Containers: []corev1.Container{
+				{
+					Name:  "main",
+					Image: "notarealimage",
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "certificate",
+							MountPath: "/run/foo-cert",
+						},
+					},
+				},
+			},
+			Volumes: []corev1.Volume{
+				{
+					Name: "certificate",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{
+								{
+									PodCertificate: &corev1.PodCertificateProjection{
+										SignerName:           signerName,
+										KeyType:              "ED25519",
+										CredentialBundlePath: "creds.pem",
+										MaxExpirationSeconds: ptr.To[int32](86400), // Defaulting doesn't work with a fake client.
+										UserAnnotations:      map[string]string{"test.domain/foo": "bar"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	node1PodManager.pods = append(node1PodManager.pods, workloadPod)
+
+	node1PodCertificateManager := &IssuingManager{
+		kc:         kc,
+		podManager: node1PodManager,
+		pcrLister:  pcrLister,
+		nodeLister: nodeLister,
+		nodeName:   types.NodeName("node1"),
+		clock:      clock,
+		credStore:  map[projectionKey]*projectionRecord{},
+	}
+
+	// Step the handling state machine by one step.  We should now be in wait state.
+	if err := node1PodCertificateManager.handleProjection(ctx, projectionKey{workloadPod.ObjectMeta.Namespace, workloadPod.ObjectMeta.Name, string(workloadPod.ObjectMeta.UID), "certificate", 0}); err != nil {
+		t.Fatalf("Unexpected error while running handleProjection: %v", err)
+	}
+
+	// Clear all PCRs and advance time past assumeDeletedThreshold.
+	if err := kc.CertificatesV1beta1().PodCertificateRequests("ns1").DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{}); err != nil {
+		t.Fatalf("Unexpected error while deleting all PCRs in ns1: %v", err)
+	}
+	clock.Step(assumeDeletedThreshold + 1*time.Minute)
+
+	// Calling handleProjection again should return an error, *not* nil panic.
+	err = node1PodCertificateManager.handleProjection(ctx, projectionKey{workloadPod.ObjectMeta.Namespace, workloadPod.ObjectMeta.Name, string(workloadPod.ObjectMeta.UID), "certificate", 0})
+	if err == nil { // EQUALS nil
+		t.Fatalf("Got no error from handleProjection, but wanted an error")
+	}
+}
+
 func TestFullFlow(t *testing.T) {
 	ctx, cancel := context.WithCancel(ktesting.Init(t))
 	defer cancel()
@@ -215,7 +330,8 @@ func TestFullFlow(t *testing.T) {
 	node1PodCertificateManager := NewIssuingManager(
 		kc,
 		node1PodManager,
-		informerFactory.Certificates().V1alpha1().PodCertificateRequests(),
+		nil,
+		informerFactory.Certificates().V1beta1().PodCertificateRequests(),
 		informerFactory.Core().V1().Nodes(),
 		types.NodeName(node1.ObjectMeta.Name),
 		clock,
@@ -279,6 +395,7 @@ func TestFullFlow(t *testing.T) {
 										KeyType:              "ED25519",
 										CredentialBundlePath: "creds.pem",
 										MaxExpirationSeconds: ptr.To[int32](86400), // Defaulting doesn't work with a fake client.
+										UserAnnotations:      map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "workload"},
 									},
 								},
 							},
@@ -294,21 +411,21 @@ func TestFullFlow(t *testing.T) {
 
 	// Because our fake podManager is based on an informer, we need to poll
 	// until workloadPod is reflected in the informer.
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
 		_, ok := node1PodManager.GetPodByUID(workloadPod.ObjectMeta.UID)
 		return ok, nil
 	})
 	if err != nil {
-		t.Fatalf("Error while waiting node1 podManager to know about workloadPod: %v", err)
+		t.Fatalf("Error while waiting for node1 podManager to know about workloadPod: %v", err)
 	}
 
 	node1PodCertificateManager.TrackPod(ctx, workloadPod)
 
 	// Within a few seconds, we should see a PodCertificateRequest created for
 	// this pod.
-	var gotPCR *certsv1alpha1.PodCertificateRequest
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := kc.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+	var gotPCR *certsv1beta1.PodCertificateRequest
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+		pcrs, err := kc.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -327,19 +444,20 @@ func TestFullFlow(t *testing.T) {
 	// Check that the created PCR spec matches expectations.  Blank out fields on
 	// gotPCR that we don't care about.  Blank out status, because the
 	// controller might have already signed it.
-	wantPCR := &certsv1alpha1.PodCertificateRequest{
+	wantPCR := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: workloadNS.ObjectMeta.Name,
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:           workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
-			PodName:              workloadPod.ObjectMeta.Name,
-			PodUID:               workloadPod.ObjectMeta.UID,
-			ServiceAccountName:   workloadSA.ObjectMeta.Name,
-			ServiceAccountUID:    workloadSA.ObjectMeta.UID,
-			NodeName:             types.NodeName(node1.ObjectMeta.Name),
-			NodeUID:              node1.ObjectMeta.UID,
-			MaxExpirationSeconds: ptr.To[int32](86400),
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
+			PodName:                   workloadPod.ObjectMeta.Name,
+			PodUID:                    workloadPod.ObjectMeta.UID,
+			ServiceAccountName:        workloadSA.ObjectMeta.Name,
+			ServiceAccountUID:         workloadSA.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+			NodeUID:                   node1.ObjectMeta.UID,
+			MaxExpirationSeconds:      ptr.To[int32](86400),
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "workload"},
 		},
 	}
 	gotPCRClone := gotPCR.DeepCopy()
@@ -347,14 +465,14 @@ func TestFullFlow(t *testing.T) {
 	gotPCRClone.ObjectMeta.Namespace = gotPCR.ObjectMeta.Namespace
 	gotPCRClone.Spec.PKIXPublicKey = nil
 	gotPCRClone.Spec.ProofOfPossession = nil
-	gotPCRClone.Status = certsv1alpha1.PodCertificateRequestStatus{}
+	gotPCRClone.Status = certsv1beta1.PodCertificateRequestStatus{}
 	if diff := cmp.Diff(gotPCRClone, wantPCR); diff != "" {
 		t.Fatalf("PodCertificateManager created a bad PCR; diff (-got +want)\n%s", diff)
 	}
 
 	// Wait some more time for the PCR to be issued.
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := kc.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+		pcrs, err := kc.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -367,9 +485,9 @@ func TestFullFlow(t *testing.T) {
 
 		for _, cond := range gotPCR.Status.Conditions {
 			switch cond.Type {
-			case certsv1alpha1.PodCertificateRequestConditionTypeDenied,
-				certsv1alpha1.PodCertificateRequestConditionTypeFailed,
-				certsv1alpha1.PodCertificateRequestConditionTypeIssued:
+			case certsv1beta1.PodCertificateRequestConditionTypeDenied,
+				certsv1beta1.PodCertificateRequestConditionTypeFailed,
+				certsv1beta1.PodCertificateRequestConditionTypeIssued:
 				return true, nil
 			}
 		}
@@ -380,15 +498,28 @@ func TestFullFlow(t *testing.T) {
 	}
 
 	isIssued := slices.ContainsFunc(gotPCR.Status.Conditions, func(cond metav1.Condition) bool {
-		return cond.Type == certsv1alpha1.PodCertificateRequestConditionTypeIssued
+		return cond.Type == certsv1beta1.PodCertificateRequestConditionTypeIssued
 	})
 	if !isIssued {
 		t.Fatalf("The test signingController didn't issue the PCR:\n%+v", gotPCR)
 	}
 
+	// Check the spiffe path has been overridden with the UserAnnotations.
+	issuedCertPem := []byte(gotPCR.Status.CertificateChain)
+	block, _ := pem.Decode(issuedCertPem)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("Failed to parse the issued certificate: %v", err)
+	}
+
+	if cert.URIs[0].Path != "/workload" {
+		t.Logf("Certificate path is %s", cert.URIs[0].Path)
+		t.Fatalf("Failed to override the spiffe path with the user annotations")
+	}
+
 	// Now we know that the PCR was issued, so we can wait for the
 	// podcertificate manager to return some valid credentials.
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
 		_, _, err := node1PodCertificateManager.GetPodCertificateCredentialBundle(ctx, workloadPod.ObjectMeta.Namespace, workloadPod.ObjectMeta.Name, string(workloadPod.ObjectMeta.UID), "certificate", 0)
 		if err != nil {
 			return false, err
@@ -413,8 +544,8 @@ func TestFullFlow(t *testing.T) {
 
 	// Within a few seconds, we should see a new PodCertificateRequest created for
 	// this pod.
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := kc.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+		pcrs, err := kc.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -433,8 +564,8 @@ func TestFullFlow(t *testing.T) {
 	// We will assume that the created PCR matches our expectations.
 
 	// Wait some more time for the new PCR to be issued.
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := kc.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+		pcrs, err := kc.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -447,9 +578,9 @@ func TestFullFlow(t *testing.T) {
 
 		for _, cond := range gotPCR.Status.Conditions {
 			switch cond.Type {
-			case certsv1alpha1.PodCertificateRequestConditionTypeDenied,
-				certsv1alpha1.PodCertificateRequestConditionTypeFailed,
-				certsv1alpha1.PodCertificateRequestConditionTypeIssued:
+			case certsv1beta1.PodCertificateRequestConditionTypeDenied,
+				certsv1beta1.PodCertificateRequestConditionTypeFailed,
+				certsv1beta1.PodCertificateRequestConditionTypeIssued:
 				return true, nil
 			}
 		}
@@ -461,7 +592,7 @@ func TestFullFlow(t *testing.T) {
 
 	// Now we know that the PCR was issued, so we can wait for the
 	// podcertificate manager to start returning the new certificate
-	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
 		_, certChain, err := node1PodCertificateManager.GetPodCertificateCredentialBundle(ctx, workloadPod.ObjectMeta.Namespace, workloadPod.ObjectMeta.Name, string(workloadPod.ObjectMeta.UID), "certificate", 0)
 		if err != nil {
 			return false, err
diff --git a/pkg/kubelet/preemption/preemption_test.go b/pkg/kubelet/preemption/preemption_test.go
index 74591a59c63eb..886a8bc2d838a 100644
--- a/pkg/kubelet/preemption/preemption_test.go
+++ b/pkg/kubelet/preemption/preemption_test.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	kubeapi "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
+	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
@@ -91,71 +92,120 @@ func getTestCriticalPodAdmissionHandler(podProvider *fakePodProvider, podKiller
 	}
 }
 
-func TestEvictPodsToFreeRequests(t *testing.T) {
+func TestHandleAdmissionFailure(t *testing.T) {
 	tCtx := ktesting.Init(t)
 	type testRun struct {
-		testName              string
-		isPodKillerWithError  bool
-		inputPods             []*v1.Pod
-		insufficientResources admissionRequirementList
-		expectErr             bool
-		expectedOutput        []*v1.Pod
+		testName             string
+		isPodKillerWithError bool
+		inputPods            []*v1.Pod
+		admitPodType         string
+		failReasons          []lifecycle.PredicateFailureReason
+		expectErr            bool
+		expectedOutput       []*v1.Pod
+		expectReasons        []lifecycle.PredicateFailureReason
 	}
 	allPods := getTestPods()
 	runs := []testRun{
 		{
-			testName:              "critical pods cannot be preempted",
-			isPodKillerWithError:  false,
-			inputPods:             []*v1.Pod{allPods[clusterCritical]},
-			insufficientResources: getAdmissionRequirementList(0, 0, 1),
-			expectErr:             true,
-			expectedOutput:        nil,
+			testName:             "critical pods cannot be preempted - no other failure reason",
+			isPodKillerWithError: false,
+			inputPods:            []*v1.Pod{allPods[clusterCritical]},
+			admitPodType:         clusterCritical,
+			failReasons:          getPredicateFailureReasons(0, 0, 1, false),
+			expectErr:            true,
+			expectedOutput:       nil,
+			expectReasons:        getPredicateFailureReasons(0, 0, 0, false),
 		},
 		{
-			testName:              "best effort pods are not preempted when attempting to free resources",
-			isPodKillerWithError:  false,
-			inputPods:             []*v1.Pod{allPods[bestEffort]},
-			insufficientResources: getAdmissionRequirementList(0, 1, 0),
-			expectErr:             true,
-			expectedOutput:        nil,
+			testName:             "non-critical pod should not trigger eviction - no other failure reason",
+			isPodKillerWithError: false,
+			inputPods:            []*v1.Pod{allPods[burstable]},
+			admitPodType:         guaranteed,
+			failReasons:          getPredicateFailureReasons(0, 1, 0, false),
+			expectErr:            false,
+			expectedOutput:       nil,
+			expectReasons:        getPredicateFailureReasons(0, 1, 0, false),
 		},
 		{
-			testName:             "multiple pods evicted",
+			testName:             "best effort pods are not preempted when attempting to free resources - no other failure reason",
+			isPodKillerWithError: false,
+			inputPods:            []*v1.Pod{allPods[bestEffort]},
+			admitPodType:         clusterCritical,
+			failReasons:          getPredicateFailureReasons(0, 1, 0, false),
+			expectErr:            true,
+			expectedOutput:       nil,
+			expectReasons:        getPredicateFailureReasons(0, 0, 0, false),
+		},
+		{
+			testName:             "multiple pods evicted - no other failure reason",
 			isPodKillerWithError: false,
 			inputPods: []*v1.Pod{
 				allPods[clusterCritical], allPods[bestEffort], allPods[burstable], allPods[highRequestBurstable],
 				allPods[guaranteed], allPods[highRequestGuaranteed]},
-			insufficientResources: getAdmissionRequirementList(0, 550, 0),
-			expectErr:             false,
-			expectedOutput:        []*v1.Pod{allPods[highRequestBurstable], allPods[highRequestGuaranteed]},
+			admitPodType:   clusterCritical,
+			failReasons:    getPredicateFailureReasons(0, 550, 0, false),
+			expectErr:      false,
+			expectedOutput: []*v1.Pod{allPods[highRequestBurstable], allPods[highRequestGuaranteed]},
+			expectReasons:  getPredicateFailureReasons(0, 0, 0, false),
 		},
 		{
-			testName:             "multiple pods with eviction error",
+			testName:             "multiple pods with eviction error - no other failure reason",
 			isPodKillerWithError: true,
 			inputPods: []*v1.Pod{
 				allPods[clusterCritical], allPods[bestEffort], allPods[burstable], allPods[highRequestBurstable],
 				allPods[guaranteed], allPods[highRequestGuaranteed]},
-			insufficientResources: getAdmissionRequirementList(0, 550, 0),
-			expectErr:             false,
-			expectedOutput:        nil,
+			admitPodType:   clusterCritical,
+			failReasons:    getPredicateFailureReasons(0, 550, 0, false),
+			expectErr:      false,
+			expectedOutput: nil,
+			expectReasons:  getPredicateFailureReasons(0, 0, 0, false),
+		},
+		{
+			testName:             "non-critical pod should not trigger eviction - with other failure reason",
+			isPodKillerWithError: false,
+			inputPods:            []*v1.Pod{allPods[burstable]},
+			admitPodType:         guaranteed,
+			failReasons:          getPredicateFailureReasons(0, 1, 0, true),
+			expectErr:            false,
+			expectedOutput:       nil,
+			expectReasons:        getPredicateFailureReasons(0, 1, 0, true),
+		},
+		{
+			testName:             "critical pods cannot be preempted - with other failure reason",
+			isPodKillerWithError: false,
+			inputPods:            []*v1.Pod{allPods[clusterCritical]},
+			admitPodType:         clusterCritical,
+			failReasons:          getPredicateFailureReasons(0, 0, 1, true),
+			expectErr:            false,
+			expectedOutput:       nil,
+			expectReasons:        getPredicateFailureReasons(0, 0, 0, true),
 		},
 	}
 	for _, r := range runs {
 		t.Run(r.testName, func(t *testing.T) {
 			podProvider := newFakePodProvider()
 			podKiller := newFakePodKiller(r.isPodKillerWithError)
+			defer podKiller.clear()
 			criticalPodAdmissionHandler := getTestCriticalPodAdmissionHandler(podProvider, podKiller)
 			podProvider.setPods(r.inputPods)
-			outErr := criticalPodAdmissionHandler.evictPodsToFreeRequests(tCtx, allPods[clusterCritical], r.insufficientResources)
+			admitPodRef := allPods[r.admitPodType]
+			filteredReason, outErr := criticalPodAdmissionHandler.HandleAdmissionFailure(tCtx, admitPodRef, r.failReasons)
 			outputPods := podKiller.getKilledPods()
 			if !r.expectErr && outErr != nil {
-				t.Errorf("evictPodsToFreeRequests returned an unexpected error during the %s test.  Err: %v", r.testName, outErr)
+				t.Errorf("HandleAdmissionFailure returned an unexpected error during the %s test.  Err: %v", r.testName, outErr)
 			} else if r.expectErr && outErr == nil {
-				t.Errorf("evictPodsToFreeRequests expected an error but returned a successful output=%v during the %s test.", outputPods, r.testName)
+				t.Errorf("HandleAdmissionFailure expected an error but returned a successful output=%v during the %s test.", outputPods, r.testName)
 			} else if !podListEqual(r.expectedOutput, outputPods) {
-				t.Errorf("evictPodsToFreeRequests expected %v but got %v during the %s test.", r.expectedOutput, outputPods, r.testName)
+				t.Errorf("HandleAdmissionFailure expected %v but got %v during the %s test.", r.expectedOutput, outputPods, r.testName)
+			}
+			if len(filteredReason) != len(r.expectReasons) {
+				t.Fatalf("expect reasons %v, got reasons %v", r.expectReasons, filteredReason)
+			}
+			for i, reason := range filteredReason {
+				if reason.GetReason() != r.expectReasons[i].GetReason() {
+					t.Fatalf("expect reasons %v, got reasons %v", r.expectReasons, filteredReason)
+				}
 			}
-			podKiller.clear()
 		})
 	}
 }
@@ -392,6 +442,84 @@ func TestAdmissionRequirementsSubtract(t *testing.T) {
 	}
 }
 
+func TestSmallerResourceRequest(t *testing.T) {
+	type testRun struct {
+		testName       string
+		pod1           *v1.Pod
+		pod2           *v1.Pod
+		expectedResult bool
+	}
+
+	podWithNoRequests := getPodWithResources("no-requests", v1.ResourceRequirements{})
+	podWithLowMemory := getPodWithResources("low-memory", v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceMemory: resource.MustParse("50Mi"),
+			v1.ResourceCPU:    resource.MustParse("100m"),
+		},
+	})
+	podWithHighMemory := getPodWithResources("high-memory", v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceMemory: resource.MustParse("200Mi"),
+			v1.ResourceCPU:    resource.MustParse("100m"),
+		},
+	})
+	podWithHighCPU := getPodWithResources("high-cpu", v1.ResourceRequirements{
+		Requests: v1.ResourceList{
+			v1.ResourceMemory: resource.MustParse("50Mi"),
+			v1.ResourceCPU:    resource.MustParse("200m"),
+		},
+	})
+	runs := []testRun{
+		{
+			testName:       "some requests vs no requests should return false",
+			pod1:           podWithLowMemory,
+			pod2:           podWithNoRequests,
+			expectedResult: false,
+		},
+		{
+			testName:       "lower memory should return true",
+			pod1:           podWithLowMemory,
+			pod2:           podWithHighMemory,
+			expectedResult: true,
+		},
+		{
+			testName:       "memory priority over CPU",
+			pod1:           podWithHighMemory,
+			pod2:           podWithHighCPU,
+			expectedResult: false,
+		},
+		{
+			testName:       "equal resource request should return true",
+			pod1:           podWithLowMemory,
+			pod2:           podWithLowMemory,
+			expectedResult: true,
+		},
+		{
+			testName: "resource type other than CPU and memory are ignored",
+			pod1: getPodWithResources("high-storage", v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceStorage: resource.MustParse("300Mi"),
+				},
+			}),
+			pod2: getPodWithResources("low-storage", v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceStorage: resource.MustParse("200Mi"),
+				},
+			}),
+			expectedResult: true,
+		},
+	}
+	for _, run := range runs {
+		t.Run(run.testName, func(t *testing.T) {
+			result := smallerResourceRequest(run.pod1, run.pod2)
+			if result != run.expectedResult {
+				t.Fatalf("smallerResourceRequest(%s, %s) = %v, expected %v",
+					run.pod1.Name, run.pod2.Name, result, run.expectedResult)
+			}
+		})
+	}
+}
+
 func getTestPods() map[string]*v1.Pod {
 	allPods := map[string]*v1.Pod{
 		tinyBurstable: getPodWithResources(tinyBurstable, v1.ResourceRequirements{
@@ -509,6 +637,43 @@ func getAdmissionRequirementList(cpu, memory, pods int) admissionRequirementList
 	return admissionRequirementList(reqs)
 }
 
+func getPredicateFailureReasons(insufficientCPU, insufficientMemory, insufficientPods int, otherReasonExist bool) (reasonByPredicate []lifecycle.PredicateFailureReason) {
+	if insufficientCPU > 0 {
+		parsedN := parseCPUToInt64(fmt.Sprintf("%dm", insufficientCPU))
+		reasonByPredicate = append(reasonByPredicate, &lifecycle.InsufficientResourceError{
+			ResourceName: v1.ResourceCPU,
+			Requested:    parsedN,
+			Capacity:     parsedN * 5 / 4,
+			Used:         parsedN * 5 / 4,
+		})
+	}
+	if insufficientMemory > 0 {
+		parsedN := parseNonCPUResourceToInt64(fmt.Sprintf("%dMi", insufficientMemory))
+		reasonByPredicate = append(reasonByPredicate, &lifecycle.InsufficientResourceError{
+			ResourceName: v1.ResourceMemory,
+			Requested:    parsedN,
+			Capacity:     parsedN * 5 / 4,
+			Used:         parsedN * 5 / 4,
+		})
+	}
+	if insufficientPods > 0 {
+		parsedN := int64(insufficientPods)
+		reasonByPredicate = append(reasonByPredicate, &lifecycle.InsufficientResourceError{
+			ResourceName: v1.ResourcePods,
+			Requested:    parsedN,
+			Capacity:     parsedN + 1,
+			Used:         parsedN + 1,
+		})
+	}
+	if otherReasonExist {
+		reasonByPredicate = append(reasonByPredicate, &lifecycle.PredicateFailureError{
+			PredicateName: "mock predicate error name",
+			PredicateDesc: "mock predicate error reason",
+		})
+	}
+	return
+}
+
 // this checks if the lists contents contain all of the same elements.
 // this is not correct if there are duplicate pods in the list.
 // for example: podListEqual([a, a, b], [a, b, b]) will return true
diff --git a/pkg/kubelet/prober/common_test.go b/pkg/kubelet/prober/common_test.go
index 5c9f9e0112f53..abf98452911ef 100644
--- a/pkg/kubelet/prober/common_test.go
+++ b/pkg/kubelet/prober/common_test.go
@@ -63,6 +63,49 @@ func getTestRunningStatusWithStarted(started bool) v1.PodStatus {
 	return podStatus
 }
 
+func getTestRunningStatusWithFailedContainer() v1.PodStatus {
+	return v1.PodStatus{
+		Phase: v1.PodRunning,
+		ContainerStatuses: []v1.ContainerStatus{{
+			Name:        testContainerName,
+			ContainerID: testContainerID.String(),
+			State: v1.ContainerState{
+				Terminated: &v1.ContainerStateTerminated{
+					ExitCode: 1,
+				},
+			},
+		}},
+	}
+}
+
+func getTestRunningStatusWithSucceededContainer() v1.PodStatus {
+	return v1.PodStatus{
+		Phase: v1.PodRunning,
+		ContainerStatuses: []v1.ContainerStatus{{
+			Name:        testContainerName,
+			ContainerID: testContainerID.String(),
+			State: v1.ContainerState{
+				Terminated: &v1.ContainerStateTerminated{
+					ExitCode: 0,
+				},
+			},
+		}},
+	}
+}
+
+func getTestPendingStatus() v1.PodStatus {
+	return v1.PodStatus{
+		Phase: v1.PodPending,
+		ContainerStatuses: []v1.ContainerStatus{{
+			Name:        testContainerName,
+			ContainerID: testContainerID.String(),
+			State: v1.ContainerState{
+				Waiting: &v1.ContainerStateWaiting{},
+			},
+		}},
+	}
+}
+
 func getTestPod() *v1.Pod {
 	container := v1.Container{
 		Name: testContainerName,
diff --git a/pkg/kubelet/prober/patch_prober.go b/pkg/kubelet/prober/patch_prober.go
index 02add8ae82512..7d551510fcd6c 100644
--- a/pkg/kubelet/prober/patch_prober.go
+++ b/pkg/kubelet/prober/patch_prober.go
@@ -1,6 +1,7 @@
 package prober
 
 import (
+	"context"
 	"net/http"
 	"strings"
 	"time"
@@ -37,7 +38,7 @@ func (pb *prober) maybeProbeForBody(prober httpprobe.Prober, req *http.Request,
 		}
 
 		// in fact, they are so interesting we'll try to send events for them
-		pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, reason, "%s probe error: %s\nbody: %s\n", probeType, output, body)
+		pb.recordContainerEvent(context.TODO(), pod, &container, v1.EventTypeWarning, reason, "%s probe error: %s\nbody: %s\n", probeType, output, body)
 		return result, output, probeError
 	default:
 		return result, output, probeError
diff --git a/pkg/kubelet/prober/prober.go b/pkg/kubelet/prober/prober.go
index be2c9533463eb..554f607cbcec7 100644
--- a/pkg/kubelet/prober/prober.go
+++ b/pkg/kubelet/prober/prober.go
@@ -69,10 +69,11 @@ func newProber(
 }
 
 // recordContainerEvent should be used by the prober for all container related events.
-func (pb *prober) recordContainerEvent(pod *v1.Pod, container *v1.Container, eventType, reason, message string, args ...interface{}) {
+func (pb *prober) recordContainerEvent(ctx context.Context, pod *v1.Pod, container *v1.Container, eventType, reason, message string, args ...interface{}) {
+	logger := klog.FromContext(ctx)
 	ref, err := kubecontainer.GenerateContainerRef(pod, container)
 	if err != nil {
-		klog.ErrorS(err, "Can't make a ref to pod and container", "pod", klog.KObj(pod), "containerName", container.Name)
+		logger.Error(err, "Can't make a ref to pod and container", "pod", klog.KObj(pod), "containerName", container.Name)
 		return
 	}
 	pb.recorder.Eventf(ref, eventType, reason, message, args...)
@@ -92,8 +93,9 @@ func (pb *prober) probe(ctx context.Context, probeType probeType, pod *v1.Pod, s
 		return results.Failure, fmt.Errorf("unknown probe type: %q", probeType)
 	}
 
+	logger := klog.FromContext(ctx)
 	if probeSpec == nil {
-		klog.InfoS("Probe is nil", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
+		logger.Info("Probe is nil", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
 		return results.Success, nil
 	}
 
@@ -101,32 +103,32 @@ func (pb *prober) probe(ctx context.Context, probeType probeType, pod *v1.Pod, s
 
 	if err != nil {
 		// Handle probe error
-		klog.V(1).ErrorS(err, "Probe errored", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result)
-		pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, events.ContainerUnhealthy, "%s probe errored and resulted in %s state: %s", probeType, result, err)
+		logger.V(1).Info("Probe errored", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result, "err", err)
+		pb.recordContainerEvent(ctx, pod, &container, v1.EventTypeWarning, events.ContainerUnhealthy, "%s probe errored and resulted in %s state: %s", probeType, result, err)
 		return results.Failure, err
 	}
 
 	switch result {
 	case probe.Success:
-		klog.V(3).InfoS("Probe succeeded", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
+		logger.V(3).Info("Probe succeeded", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name)
 		return results.Success, nil
 
 	case probe.Warning:
-		pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, events.ContainerProbeWarning, "%s probe warning: %s", probeType, output)
-		klog.V(3).InfoS("Probe succeeded with a warning", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "output", output)
+		pb.recordContainerEvent(ctx, pod, &container, v1.EventTypeWarning, events.ContainerProbeWarning, "%s probe warning: %s", probeType, output)
+		logger.V(3).Info("Probe succeeded with a warning", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "output", output)
 		return results.Success, nil
 
 	case probe.Failure:
-		klog.V(1).InfoS("Probe failed", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result, "output", output)
-		pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, events.ContainerUnhealthy, "%s probe failed: %s", probeType, output)
+		logger.V(1).Info("Probe failed", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result, "output", output)
+		pb.recordContainerEvent(ctx, pod, &container, v1.EventTypeWarning, events.ContainerUnhealthy, "%s probe failed: %s", probeType, output)
 		return results.Failure, nil
 
 	case probe.Unknown:
-		klog.V(1).InfoS("Probe unknown without error", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result)
+		logger.V(1).Info("Probe unknown without error", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result)
 		return results.Failure, nil
 
 	default:
-		klog.V(1).InfoS("Unsupported probe result", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result)
+		logger.V(1).Info("Unsupported probe result", "probeType", probeType, "pod", klog.KObj(pod), "podUID", pod.UID, "containerName", container.Name, "probeResult", result)
 		return results.Failure, nil
 	}
 }
@@ -147,10 +149,11 @@ func (pb *prober) runProbeWithRetries(ctx context.Context, probeType probeType,
 }
 
 func (pb *prober) runProbe(ctx context.Context, probeType probeType, p *v1.Probe, pod *v1.Pod, status v1.PodStatus, container v1.Container, containerID kubecontainer.ContainerID) (probe.Result, string, error) {
+	logger := klog.FromContext(ctx)
 	timeout := time.Duration(p.TimeoutSeconds) * time.Second
 	switch {
 	case p.Exec != nil:
-		klog.V(4).InfoS("Exec-Probe runProbe", "pod", klog.KObj(pod), "containerName", container.Name, "execCommand", p.Exec.Command)
+		logger.V(4).Info("Exec-Probe runProbe", "pod", klog.KObj(pod), "containerName", container.Name, "execCommand", p.Exec.Command)
 		command := kubecontainer.ExpandContainerCommandOnlyStatic(p.Exec.Command, container.Env)
 		return pb.exec.Probe(pb.newExecInContainer(ctx, pod, container, containerID, command, timeout))
 
@@ -158,30 +161,30 @@ func (pb *prober) runProbe(ctx context.Context, probeType probeType, p *v1.Probe
 		req, err := httpprobe.NewRequestForHTTPGetAction(p.HTTPGet, &container, status.PodIP, "probe")
 		if err != nil {
 			// Log and record event for Unknown result
-			klog.V(4).InfoS("HTTP-Probe failed to create request", "error", err)
+			logger.V(4).Info("HTTP-Probe failed to create request", "error", err)
 			return probe.Unknown, "", err
 		}
-		if klogV4 := klog.V(4); klogV4.Enabled() {
+		if loggerV4 := logger.V(4); logger.Enabled() {
 			port := req.URL.Port()
 			host := req.URL.Hostname()
 			path := req.URL.Path
 			scheme := req.URL.Scheme
 			headers := p.HTTPGet.HTTPHeaders
-			klogV4.InfoS("HTTP-Probe", "scheme", scheme, "host", host, "port", port, "path", path, "timeout", timeout, "headers", headers, "probeType", probeType)
+			loggerV4.Info("HTTP-Probe", "scheme", scheme, "host", host, "port", port, "path", path, "timeout", timeout, "headers", headers, "probeType", probeType)
 		}
 		return pb.maybeProbeForBody(pb.http, req, timeout, pod, container, probeType)
 
 	case p.TCPSocket != nil:
 		port, err := probe.ResolveContainerPort(p.TCPSocket.Port, &container)
 		if err != nil {
-			klog.V(4).InfoS("TCP-Probe failed to resolve port", "error", err)
+			logger.V(4).Info("TCP-Probe failed to resolve port", "error", err)
 			return probe.Unknown, "", err
 		}
 		host := p.TCPSocket.Host
 		if host == "" {
 			host = status.PodIP
 		}
-		klog.V(4).InfoS("TCP-Probe", "host", host, "port", port, "timeout", timeout)
+		logger.V(4).Info("TCP-Probe", "host", host, "port", port, "timeout", timeout)
 		return pb.tcp.Probe(host, port, timeout)
 
 	case p.GRPC != nil:
@@ -190,11 +193,11 @@ func (pb *prober) runProbe(ctx context.Context, probeType probeType, p *v1.Probe
 		if p.GRPC.Service != nil {
 			service = *p.GRPC.Service
 		}
-		klog.V(4).InfoS("GRPC-Probe", "host", host, "service", service, "port", p.GRPC.Port, "timeout", timeout)
+		logger.V(4).Info("GRPC-Probe", "host", host, "service", service, "port", p.GRPC.Port, "timeout", timeout)
 		return pb.grpc.Probe(host, service, int(p.GRPC.Port), timeout)
 
 	default:
-		klog.V(4).InfoS("Failed to find probe builder for container", "containerName", container.Name)
+		logger.V(4).Info("Failed to find probe builder for container", "containerName", container.Name)
 		return probe.Unknown, "", fmt.Errorf("missing probe handler for %s:%s", format.Pod(pod), container.Name)
 	}
 }
@@ -257,7 +260,9 @@ func (eic *execInContainer) Start() error {
 	if eic.writer != nil {
 		// only record the write error, do not cover the command run error
 		if p, err := eic.writer.Write(data); err != nil {
-			klog.ErrorS(err, "Unable to write all bytes from execInContainer", "expectedBytes", len(data), "actualBytes", p, "pod", klog.KObj(eic.pod), "containerName", eic.container.Name)
+			// Use klog.TODO() because we currently do not have a proper context/logger to pass in.
+			// Replace this with an appropriate context/logger when refactoring this function to accept a context parameter.
+			klog.TODO().Error(err, "Unable to write all bytes from execInContainer", "expectedBytes", len(data), "actualBytes", p, "pod", klog.KObj(eic.pod), "containerName", eic.container.Name)
 		}
 	}
 	return err
diff --git a/pkg/kubelet/prober/prober_manager.go b/pkg/kubelet/prober/prober_manager.go
index 3d107d3050a72..7595c0f7c5763 100644
--- a/pkg/kubelet/prober/prober_manager.go
+++ b/pkg/kubelet/prober/prober_manager.go
@@ -17,16 +17,20 @@ limitations under the License.
 package prober
 
 import (
+	"context"
+
 	"sync"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/component-base/metrics"
 	"k8s.io/klog/v2"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/prober/results"
 	"k8s.io/kubernetes/pkg/kubelet/status"
@@ -71,7 +75,7 @@ var ProberDuration = metrics.NewHistogramVec(
 type Manager interface {
 	// AddPod creates new probe workers for every container probe. This should be called for every
 	// pod created.
-	AddPod(pod *v1.Pod)
+	AddPod(ctx context.Context, pod *v1.Pod)
 
 	// StopLivenessAndStartup handles stopping liveness and startup probes during termination.
 	StopLivenessAndStartup(pod *v1.Pod)
@@ -86,7 +90,7 @@ type Manager interface {
 
 	// UpdatePodStatus modifies the given PodStatus with the appropriate Ready state for each
 	// container based on container running status, cached probe results and worker states.
-	UpdatePodStatus(*v1.Pod, *v1.PodStatus)
+	UpdatePodStatus(context.Context, *v1.Pod, *v1.PodStatus)
 }
 
 type manager struct {
@@ -178,10 +182,11 @@ func getRestartableInitContainers(pod *v1.Pod) []v1.Container {
 	return restartableInitContainers
 }
 
-func (m *manager) AddPod(pod *v1.Pod) {
+func (m *manager) AddPod(ctx context.Context, pod *v1.Pod) {
 	m.workerLock.Lock()
 	defer m.workerLock.Unlock()
 
+	logger := klog.FromContext(ctx)
 	key := probeKey{podUID: pod.UID}
 	for _, c := range append(pod.Spec.Containers, getRestartableInitContainers(pod)...) {
 		key.containerName = c.Name
@@ -189,37 +194,37 @@ func (m *manager) AddPod(pod *v1.Pod) {
 		if c.StartupProbe != nil {
 			key.probeType = startup
 			if _, ok := m.workers[key]; ok {
-				klog.V(8).ErrorS(nil, "Startup probe already exists for container",
+				logger.V(8).Info("Startup probe already exists for container",
 					"pod", klog.KObj(pod), "containerName", c.Name)
 				return
 			}
 			w := newWorker(m, startup, pod, c)
 			m.workers[key] = w
-			go w.run()
+			go w.run(ctx)
 		}
 
 		if c.ReadinessProbe != nil {
 			key.probeType = readiness
 			if _, ok := m.workers[key]; ok {
-				klog.V(8).ErrorS(nil, "Readiness probe already exists for container",
+				logger.V(8).Info("Readiness probe already exists for container",
 					"pod", klog.KObj(pod), "containerName", c.Name)
 				return
 			}
 			w := newWorker(m, readiness, pod, c)
 			m.workers[key] = w
-			go w.run()
+			go w.run(ctx)
 		}
 
 		if c.LivenessProbe != nil {
 			key.probeType = liveness
 			if _, ok := m.workers[key]; ok {
-				klog.V(8).ErrorS(nil, "Liveness probe already exists for container",
+				logger.V(8).Info("Liveness probe already exists for container",
 					"pod", klog.KObj(pod), "containerName", c.Name)
 				return
 			}
 			w := newWorker(m, liveness, pod, c)
 			m.workers[key] = w
-			go w.run()
+			go w.run(ctx)
 		}
 	}
 }
@@ -276,6 +281,10 @@ func (m *manager) isContainerStarted(pod *v1.Pod, containerStatus *v1.ContainerS
 		return result == results.Success
 	}
 
+	if !utilfeature.DefaultFeatureGate.Enabled(features.ChangeContainerStatusOnKubeletRestart) && containerStatus.Started != nil && *containerStatus.Started {
+		return true
+	}
+
 	// if there is a startup probe which hasn't run yet, the container is not
 	// started.
 	if _, exists := m.getWorker(pod.UID, containerStatus.Name, startup); exists {
@@ -286,7 +295,42 @@ func (m *manager) isContainerStarted(pod *v1.Pod, containerStatus *v1.ContainerS
 	return true
 }
 
-func (m *manager) UpdatePodStatus(pod *v1.Pod, podStatus *v1.PodStatus) {
+// setReadyStateOnKubeletRestart sets the ready state of a container to false if it was started
+// before kubelet restarted and has a readiness probe, but the pod is not ready yet.
+// This is to avoid flapping ready status of containers that were ready before kubelet restarted.
+func (m *manager) setReadyStateOnKubeletRestart(ready *bool, pod *v1.Pod, containerStatus *v1.ContainerStatus, containerSpec *v1.Container) {
+	var containerStartTime time.Time
+	if containerStatus.State.Running != nil {
+		containerStartTime = containerStatus.State.Running.StartedAt.Time
+	}
+
+	if !containerStartTime.IsZero() && containerStartTime.Before(kubeletRestartGracePeriod(m.start)) {
+		// At this point, the Pod may be in one of the following two states:
+		// - It has not yet been added to the readinessManager. In this case, we directly set the container status to Ready.
+		// - It has been added to the readinessManager, but the probe has not yet started execution.
+		// Therefore, in this case, we also need to set the container status to Ready.
+		if !*ready {
+			if _, ok := m.readinessManager.Get(kubecontainer.ParseContainerID(containerStatus.ContainerID)); !ok {
+				*ready = true
+			}
+		}
+		if containerSpec.ReadinessProbe != nil {
+			podIsReady := false
+			for _, c := range pod.Status.Conditions {
+				if c.Type == v1.PodReady && c.Status == v1.ConditionTrue {
+					podIsReady = true
+					break
+				}
+			}
+			if !podIsReady {
+				*ready = false
+			}
+		}
+	}
+}
+
+func (m *manager) UpdatePodStatus(ctx context.Context, pod *v1.Pod, podStatus *v1.PodStatus) {
+	logger := klog.FromContext(ctx)
 	for i, c := range podStatus.ContainerStatuses {
 		started := m.isContainerStarted(pod, &podStatus.ContainerStatuses[i])
 		podStatus.ContainerStatuses[i].Started = &started
@@ -309,7 +353,21 @@ func (m *manager) UpdatePodStatus(pod *v1.Pod, podStatus *v1.PodStatus) {
 				select {
 				case w.manualTriggerCh <- struct{}{}:
 				default: // Non-blocking.
-					klog.InfoS("Failed to trigger a manual run", "probe", w.probeType.String())
+					logger.Info("Failed to trigger a manual run", "probe", w.probeType.String())
+				}
+			}
+
+			if !utilfeature.DefaultFeatureGate.Enabled(features.ChangeContainerStatusOnKubeletRestart) {
+				// Find the container spec for the container status.
+				var containerSpec *v1.Container
+				for j := range pod.Spec.Containers {
+					if pod.Spec.Containers[j].Name == c.Name {
+						containerSpec = &pod.Spec.Containers[j]
+						break
+					}
+				}
+				if containerSpec != nil {
+					m.setReadyStateOnKubeletRestart(&ready, pod, &podStatus.ContainerStatuses[i], containerSpec)
 				}
 			}
 		}
@@ -322,7 +380,7 @@ func (m *manager) UpdatePodStatus(pod *v1.Pod, podStatus *v1.PodStatus) {
 
 		initContainer, ok := kubeutil.GetContainerByIndex(pod.Spec.InitContainers, podStatus.InitContainerStatuses, i)
 		if !ok {
-			klog.V(4).InfoS("Mismatch between pod spec and status, likely programmer error", "pod", klog.KObj(pod), "containerName", c.Name)
+			logger.V(4).Info("Mismatch between pod spec and status, likely programmer error", "pod", klog.KObj(pod), "containerName", c.Name)
 			continue
 		}
 		if !podutil.IsRestartableInitContainer(&initContainer) {
@@ -350,9 +408,12 @@ func (m *manager) UpdatePodStatus(pod *v1.Pod, podStatus *v1.PodStatus) {
 				select {
 				case w.manualTriggerCh <- struct{}{}:
 				default: // Non-blocking.
-					klog.InfoS("Failed to trigger a manual run", "probe", w.probeType.String())
+					logger.Info("Failed to trigger a manual run", "probe", w.probeType.String())
 				}
 			}
+			if !utilfeature.DefaultFeatureGate.Enabled(features.ChangeContainerStatusOnKubeletRestart) {
+				m.setReadyStateOnKubeletRestart(&ready, pod, &podStatus.InitContainerStatuses[i], &initContainer)
+			}
 		}
 		podStatus.InitContainerStatuses[i].Ready = ready
 	}
@@ -378,3 +439,12 @@ func (m *manager) workerCount() int {
 	defer m.workerLock.RUnlock()
 	return len(m.workers)
 }
+
+// kubeletRestartGracePeriod returns a time point that is 10 seconds before the kubelet start time.
+// This grace period is used to determine if a container was already running before kubelet restarted.
+// If a container's start time is before this grace period, it indicates the container was running
+// prior to kubelet restart and should not be immediately marked as failed to avoid unnecessary
+// status changes for containers that were previously ready.
+func kubeletRestartGracePeriod(start time.Time) time.Time {
+	return start.Add(-time.Second * 10)
+}
diff --git a/pkg/kubelet/prober/prober_manager_test.go b/pkg/kubelet/prober/prober_manager_test.go
index b66d3460f457d..2bb0c7faf6f3d 100644
--- a/pkg/kubelet/prober/prober_manager_test.go
+++ b/pkg/kubelet/prober/prober_manager_test.go
@@ -48,6 +48,7 @@ var defaultProbe = &v1.Probe{
 }
 
 func TestAddRemovePods(t *testing.T) {
+	ctx := ktesting.Init(t)
 	noProbePod := v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			UID: "no_probe_pod",
@@ -94,13 +95,13 @@ func TestAddRemovePods(t *testing.T) {
 	}
 
 	// Adding a pod with no probes should be a no-op.
-	m.AddPod(&noProbePod)
+	m.AddPod(ctx, &noProbePod)
 	if err := expectProbes(m, nil); err != nil {
 		t.Error(err)
 	}
 
 	// Adding a pod with probes.
-	m.AddPod(&probePod)
+	m.AddPod(ctx, &probePod)
 	probePaths := []probeKey{
 		{"probe_pod", "readiness", readiness},
 		{"probe_pod", "liveness", liveness},
@@ -170,6 +171,7 @@ func TestAddRemovePodsWithRestartableInitContainer(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
+			ctx := ktesting.Init(t)
 			probePod := v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					UID: "restartable_init_container_pod",
@@ -191,7 +193,7 @@ func TestAddRemovePodsWithRestartableInitContainer(t *testing.T) {
 			}
 
 			// Adding a pod with probes.
-			m.AddPod(&probePod)
+			m.AddPod(ctx, &probePod)
 			if err := expectProbes(m, tc.probePaths); err != nil {
 				t.Error(err)
 			}
@@ -215,6 +217,7 @@ func TestAddRemovePodsWithRestartableInitContainer(t *testing.T) {
 }
 
 func TestCleanupPods(t *testing.T) {
+	ctx := ktesting.Init(t)
 	m := newTestManager()
 	defer cleanup(t, m)
 	podToCleanup := v1.Pod{
@@ -251,8 +254,8 @@ func TestCleanupPods(t *testing.T) {
 			}},
 		},
 	}
-	m.AddPod(&podToCleanup)
-	m.AddPod(&podToKeep)
+	m.AddPod(ctx, &podToCleanup)
+	m.AddPod(ctx, &podToKeep)
 
 	desiredPods := map[types.UID]sets.Empty{}
 	desiredPods[podToKeep.UID] = sets.Empty{}
@@ -277,6 +280,7 @@ func TestCleanupPods(t *testing.T) {
 }
 
 func TestCleanupRepeated(t *testing.T) {
+	ctx := ktesting.Init(t)
 	m := newTestManager()
 	defer cleanup(t, m)
 	podTemplate := v1.Pod{
@@ -294,7 +298,7 @@ func TestCleanupRepeated(t *testing.T) {
 	for i := 0; i < numTestPods; i++ {
 		pod := podTemplate
 		pod.UID = types.UID(strconv.Itoa(i))
-		m.AddPod(&pod)
+		m.AddPod(ctx, &pod)
 	}
 
 	for i := 0; i < 10; i++ {
@@ -303,6 +307,7 @@ func TestCleanupRepeated(t *testing.T) {
 }
 
 func TestUpdatePodStatus(t *testing.T) {
+	ctx := ktesting.Init(t)
 	unprobed := v1.ContainerStatus{
 		Name:        "unprobed_container",
 		ContainerID: "test://unprobed_container_id",
@@ -377,7 +382,7 @@ func TestUpdatePodStatus(t *testing.T) {
 	m.startupManager.Set(kubecontainer.ParseContainerID(startedNoReadiness.ContainerID), results.Success, &v1.Pod{})
 	m.readinessManager.Set(kubecontainer.ParseContainerID(terminated.ContainerID), results.Success, &v1.Pod{})
 
-	m.UpdatePodStatus(&v1.Pod{
+	m.UpdatePodStatus(ctx, &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			UID: testPodUID,
 		},
@@ -494,6 +499,7 @@ func TestUpdatePodStatusWithInitContainers(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
+			ctx := ktesting.Init(t)
 			podStatus := v1.PodStatus{
 				Phase: v1.PodRunning,
 				InitContainerStatuses: []v1.ContainerStatus{
@@ -501,7 +507,7 @@ func TestUpdatePodStatusWithInitContainers(t *testing.T) {
 				},
 			}
 
-			m.UpdatePodStatus(&v1.Pod{
+			m.UpdatePodStatus(ctx, &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					UID: testPodUID,
 				},
@@ -557,7 +563,7 @@ func (m *manager) extractedReadinessHandling(logger klog.Logger) {
 }
 
 func TestUpdateReadiness(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
+	logger, ctx := ktesting.NewTestContext(t)
 	testPod := getTestPod()
 	setTestProbe(testPod, readiness, v1.Probe{})
 	m := newTestManager()
@@ -578,7 +584,7 @@ func TestUpdateReadiness(t *testing.T) {
 
 	m.statusManager.SetPodStatus(logger, testPod, getTestRunningStatus())
 
-	m.AddPod(testPod)
+	m.AddPod(ctx, testPod)
 	probePaths := []probeKey{{testPodUID, testContainerName, readiness}}
 	if err := expectProbes(m, probePaths); err != nil {
 		t.Error(err)
diff --git a/pkg/kubelet/prober/prober_test.go b/pkg/kubelet/prober/prober_test.go
index d06091c5d8ab9..3f17e3bc3fd5b 100644
--- a/pkg/kubelet/prober/prober_test.go
+++ b/pkg/kubelet/prober/prober_test.go
@@ -18,7 +18,6 @@ package prober
 
 import (
 	"bytes"
-	"context"
 	"errors"
 	"fmt"
 	"reflect"
@@ -138,7 +137,7 @@ func TestGetTCPAddrParts(t *testing.T) {
 }
 
 func TestProbe(t *testing.T) {
-	ctx := context.Background()
+	ctx := ktesting.Init(t)
 	containerID := kubecontainer.ContainerID{Type: "test", ID: "foobar"}
 
 	execProbe := &v1.Probe{
@@ -423,6 +422,7 @@ func TestRecordContainerEventUnknownStatus(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			bufferSize := len(tc.expected) + 1
 			fakeRecorder := record.NewFakeRecorder(bufferSize)
 
@@ -430,8 +430,8 @@ func TestRecordContainerEventUnknownStatus(t *testing.T) {
 				recorder: fakeRecorder,
 			}
 
-			pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, "ContainerProbeWarning", "%s probe warning: %s", tc.probeType, output)
-			pb.recordContainerEvent(pod, &container, v1.EventTypeWarning, "ContainerProbeWarning", "Unknown %s probe status: %s", tc.probeType, tc.result)
+			pb.recordContainerEvent(tCtx, pod, &container, v1.EventTypeWarning, "ContainerProbeWarning", "%s probe warning: %s", tc.probeType, output)
+			pb.recordContainerEvent(tCtx, pod, &container, v1.EventTypeWarning, "ContainerProbeWarning", "Unknown %s probe status: %s", tc.probeType, tc.result)
 
 			assert.Equal(t, len(tc.expected), len(fakeRecorder.Events), "unexpected number of events")
 			for _, expected := range tc.expected {
diff --git a/pkg/kubelet/prober/scale_test.go b/pkg/kubelet/prober/scale_test.go
index 6cef4cc59585b..47997a201e731 100644
--- a/pkg/kubelet/prober/scale_test.go
+++ b/pkg/kubelet/prober/scale_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package prober
 
 import (
-	"context"
 	"fmt"
 	"net"
 	"net/http"
@@ -81,7 +80,7 @@ func TestTCPPortExhaustion(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			logger, _ := ktesting.NewTestContext(t)
+			logger, tCtx := ktesting.NewTestContext(t)
 			podManager := kubepod.NewBasicPodManager()
 			podStartupLatencyTracker := kubeletutil.NewPodStartupLatencyTracker()
 			m := NewManager(
@@ -136,12 +135,12 @@ func TestTCPPortExhaustion(t *testing.T) {
 				}
 				podManager.AddPod(&pod)
 				m.statusManager.SetPodStatus(logger, &pod, pod.Status)
-				m.AddPod(&pod)
+				m.AddPod(tCtx, &pod)
 			}
 			t.Logf("Adding %d pods with %d containers each in %v", numTestPods, numContainers, time.Since(now))
 
-			ctx, cancel := context.WithTimeout(context.Background(), 59*time.Second)
-			defer cancel()
+			ctx := ktesting.WithTimeout(tCtx, 59*time.Second, "timeout 59 Second")
+			defer ctx.Cancel("TestTCPPortExhaustion completed")
 			var wg sync.WaitGroup
 
 			wg.Add(1)
diff --git a/pkg/kubelet/prober/testing/fake_manager.go b/pkg/kubelet/prober/testing/fake_manager.go
index d3b31c9e79303..c8ff03b0a0a2f 100644
--- a/pkg/kubelet/prober/testing/fake_manager.go
+++ b/pkg/kubelet/prober/testing/fake_manager.go
@@ -17,6 +17,8 @@ limitations under the License.
 package testing
 
 import (
+	"context"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -28,7 +30,7 @@ type FakeManager struct{}
 // Unused methods below.
 
 // AddPod simulates adding a Pod.
-func (FakeManager) AddPod(_ *v1.Pod) {}
+func (FakeManager) AddPod(_ context.Context, _ *v1.Pod) {}
 
 // RemovePod simulates removing a Pod.
 func (FakeManager) RemovePod(_ *v1.Pod) {}
@@ -43,7 +45,7 @@ func (FakeManager) CleanupPods(_ map[types.UID]sets.Empty) {}
 func (FakeManager) Start() {}
 
 // UpdatePodStatus simulates updating the Pod Status.
-func (FakeManager) UpdatePodStatus(_ *v1.Pod, podStatus *v1.PodStatus) {
+func (FakeManager) UpdatePodStatus(_ context.Context, _ *v1.Pod, podStatus *v1.PodStatus) {
 	for i := range podStatus.ContainerStatuses {
 		podStatus.ContainerStatuses[i].Ready = true
 	}
diff --git a/pkg/kubelet/prober/worker.go b/pkg/kubelet/prober/worker.go
index 60461165bdafd..2cbda7f20d043 100644
--- a/pkg/kubelet/prober/worker.go
+++ b/pkg/kubelet/prober/worker.go
@@ -155,8 +155,8 @@ func newWorker(
 }
 
 // run periodically probes the container.
-func (w *worker) run() {
-	ctx := context.Background()
+func (w *worker) run(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	probeTickerPeriod := time.Duration(w.spec.PeriodSeconds) * time.Second
 
 	// If kubelet restarted the probes could be started in rapid succession.
@@ -195,7 +195,7 @@ probeLoop:
 			// Updating the periodic timer to run the probe again at intervals of probeTickerPeriod
 			// starting from the moment a manual run occurs.
 			probeTicker.Reset(probeTickerPeriod)
-			klog.V(4).InfoS("Triggered Probe by manual run", "probeType", w.probeType, "pod", klog.KObj(w.pod), "podUID", w.pod.UID, "containerName", w.container.Name)
+			logger.V(4).Info("Triggered Probe by manual run", "probeType", w.probeType, "pod", klog.KObj(w.pod), "podUID", w.pod.UID, "containerName", w.container.Name)
 			// continue
 		}
 	}
@@ -216,17 +216,18 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 	defer func() { recover() }() // Actually eat panics (HandleCrash takes care of logging)
 	defer runtime.HandleCrash(func(_ interface{}) { keepGoing = true })
 
+	logger := klog.FromContext(ctx)
 	startTime := time.Now()
 	status, ok := w.probeManager.statusManager.GetPodStatus(w.pod.UID)
 	if !ok {
 		// Either the pod has not been created yet, or it was already deleted.
-		klog.V(3).InfoS("No status for pod", "pod", klog.KObj(w.pod))
+		logger.V(3).Info("No status for pod", "pod", klog.KObj(w.pod))
 		return true
 	}
 
 	// Worker should terminate if pod is terminated.
 	if status.Phase == v1.PodFailed || status.Phase == v1.PodSucceeded {
-		klog.V(3).InfoS("Pod is terminated, exiting probe worker",
+		logger.V(3).Info("Pod is terminated, exiting probe worker",
 			"pod", klog.KObj(w.pod), "phase", status.Phase)
 		return false
 	}
@@ -236,7 +237,7 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 		c, ok = podutil.GetContainerStatus(status.InitContainerStatuses, w.container.Name)
 		if !ok || len(c.ContainerID) == 0 {
 			// Either the container has not been created yet, or it was deleted.
-			klog.V(3).InfoS("Probe target container not found",
+			logger.V(3).Info("Probe target container not found",
 				"pod", klog.KObj(w.pod), "containerName", w.container.Name)
 			return true // Wait for more information.
 		}
@@ -246,8 +247,25 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 		if !w.containerID.IsEmpty() {
 			w.resultsManager.Remove(w.containerID)
 		}
+
 		w.containerID = kubecontainer.ParseContainerID(c.ContainerID)
-		w.resultsManager.Set(w.containerID, w.initialValue, w.pod)
+		if !utilfeature.DefaultFeatureGate.Enabled(features.ChangeContainerStatusOnKubeletRestart) {
+			// On kubelet restart, we don't want to immediately set the probe result to Failure,
+			// as this could cause a container that was Ready to become NotReady.
+			isRestart := false
+			if c.State.Running != nil {
+				containerStartTime := c.State.Running.StartedAt.Time
+				if !containerStartTime.IsZero() && containerStartTime.Before(kubeletRestartGracePeriod(w.probeManager.start)) {
+					isRestart = true
+				}
+			}
+			if !isRestart {
+				w.resultsManager.Set(w.containerID, w.initialValue, w.pod)
+			}
+		} else {
+			w.resultsManager.Set(w.containerID, w.initialValue, w.pod)
+		}
+
 		// We've got a new container; resume probing.
 		w.onHold = false
 	}
@@ -258,7 +276,7 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 	}
 
 	if c.State.Running == nil {
-		klog.V(3).InfoS("Non-running container probed",
+		logger.V(3).Info("Non-running container probed",
 			"pod", klog.KObj(w.pod), "containerName", w.container.Name)
 		if !w.containerID.IsEmpty() {
 			w.resultsManager.Set(w.containerID, results.Failure, w.pod)
@@ -269,7 +287,12 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 
 		// Abort if the container will not be restarted.
 		if utilfeature.DefaultFeatureGate.Enabled(features.ContainerRestartRules) {
-			return c.State.Terminated != nil || podutil.IsContainerRestartable(w.pod.Spec, w.container)
+			if c.State.Terminated == nil {
+				return true
+			}
+			containerShouldRestart := podutil.ContainerShouldRestart(w.container, w.pod.Spec, c.State.Terminated.ExitCode)
+			allContainersRestarting := utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) && kubecontainer.ShouldAllContainersRestart(w.pod, nil, &status)
+			return containerShouldRestart || allContainersRestarting
 		}
 		return c.State.Terminated == nil ||
 			w.pod.Spec.RestartPolicy != v1.RestartPolicyNever ||
@@ -278,10 +301,10 @@ func (w *worker) doProbe(ctx context.Context) (keepGoing bool) {
 
 	// Graceful shutdown of the pod.
 	if w.pod.ObjectMeta.DeletionTimestamp != nil && (w.probeType == liveness || w.probeType == startup) {
-		klog.V(3).InfoS("Pod deletion requested, setting probe result to success",
+		logger.V(3).Info("Pod deletion requested, setting probe result to success",
 			"probeType", w.probeType, "pod", klog.KObj(w.pod), "containerName", w.container.Name)
 		if w.probeType == startup {
-			klog.InfoS("Pod deletion requested before container has fully started",
+			logger.Info("Pod deletion requested before container has fully started",
 				"pod", klog.KObj(w.pod), "containerName", w.container.Name)
 		}
 		// Set a last result to ensure quiet shutdown.
diff --git a/pkg/kubelet/prober/worker_test.go b/pkg/kubelet/prober/worker_test.go
index 946f183528642..243140b7a1082 100644
--- a/pkg/kubelet/prober/worker_test.go
+++ b/pkg/kubelet/prober/worker_test.go
@@ -24,7 +24,11 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/kubernetes/pkg/features"
+	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	kubepod "k8s.io/kubernetes/pkg/kubelet/pod"
 	"k8s.io/kubernetes/pkg/kubelet/prober/results"
 	"k8s.io/kubernetes/pkg/kubelet/status"
@@ -176,6 +180,240 @@ func TestDoProbe(t *testing.T) {
 	}
 }
 
+func TestDoProbeWithContainerRestartRules(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules: true,
+	})
+	TestDoProbe(t)
+
+	var (
+		restartPolicyAlways    = v1.ContainerRestartPolicyAlways
+		restartPolicyNever     = v1.ContainerRestartPolicyNever
+		restartPolicyOnFailure = v1.ContainerRestartPolicyOnFailure
+	)
+
+	logger, ctx := ktesting.NewTestContext(t)
+	m := newTestManager()
+	for _, probeType := range [...]probeType{liveness, readiness, startup} {
+		testcases := []struct {
+			name           string
+			container      v1.Container
+			podStatus      v1.PodStatus
+			expectContinue bool
+		}{
+			{
+				name: "container failed with container restartPolicy=OnFailure",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyOnFailure,
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer(),
+				expectContinue: true,
+			},
+			{
+				name: "container succeeded with containerRestartPolicy=OnFailure",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyOnFailure,
+				},
+				podStatus:      getTestRunningStatusWithSucceededContainer(),
+				expectContinue: false,
+			},
+			{
+				name: "container failed with containerRestartPolicy=Always",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyAlways,
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer(),
+				expectContinue: true,
+			},
+			{
+				name: "container succeeded with containerRestartPolicy=Always",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyAlways,
+				},
+				podStatus:      getTestRunningStatusWithSucceededContainer(),
+				expectContinue: true,
+			},
+			{
+				name: "container failed with containerRestartPolicy=Never",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyNever,
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer(),
+				expectContinue: false,
+			},
+			{
+				name: "container succeeded with containerRestartPolicy=Never",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyNever,
+				},
+				podStatus:      getTestRunningStatusWithSucceededContainer(),
+				expectContinue: false,
+			},
+			{
+				name: "container terminated with matching restartPolicyRules",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyNever,
+					RestartPolicyRules: []v1.ContainerRestartRule{{
+						Action: v1.ContainerRestartRuleActionRestart,
+						ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+							Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{1},
+						},
+					}},
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer(),
+				expectContinue: true,
+			},
+			{
+				name: "container terminated with non-matching restartPolicyRules",
+				container: v1.Container{
+					RestartPolicy: &restartPolicyNever,
+					RestartPolicyRules: []v1.ContainerRestartRule{{
+						Action: v1.ContainerRestartRuleActionRestart,
+						ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+							Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{99},
+						},
+					}},
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer(),
+				expectContinue: false,
+			},
+		}
+
+		for _, tc := range testcases {
+			pod := getTestPod()
+			setTestProbe(pod, probeType, v1.Probe{})
+			c := pod.Spec.Containers[0]
+			c.RestartPolicy = tc.container.RestartPolicy
+			c.RestartPolicyRules = tc.container.RestartPolicyRules
+			pod.Spec.Containers[0] = c
+			w := newWorker(m, probeType, pod, pod.Spec.Containers[0])
+
+			m.statusManager.SetPodStatus(logger, w.pod, tc.podStatus)
+
+			if c := w.doProbe(ctx); c != tc.expectContinue {
+				t.Errorf("[%s-%s] Expected continue to be %v but got %v", probeType, tc.name, tc.expectContinue, c)
+			}
+		}
+	}
+}
+
+func TestDoProbeWithContainerRestartAllContainers(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+	TestDoProbe(t)
+	TestDoProbeWithContainerRestartRules(t)
+
+	var (
+		restartPolicyNever = v1.ContainerRestartPolicyNever
+	)
+
+	logger, ctx := ktesting.NewTestContext(t)
+	m := newTestManager()
+	for _, probeType := range [...]probeType{liveness, readiness, startup} {
+		testcases := []struct {
+			name           string
+			pod            func() v1.Pod
+			podStatus      func() v1.PodStatus
+			expectContinue bool
+		}{
+			{
+				name: "container terminated with matching restartAllContainers",
+				pod: func() v1.Pod {
+					pod := getTestPod()
+					setTestProbe(pod, probeType, v1.Probe{})
+					c := pod.Spec.Containers[0]
+					c.RestartPolicy = &restartPolicyNever
+					c.RestartPolicyRules = []v1.ContainerRestartRule{{
+						Action: v1.ContainerRestartRuleActionRestartAllContainers,
+						ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+							Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+							Values:   []int32{1},
+						},
+					}}
+					pod.Spec.Containers[0] = c
+					return *pod
+				},
+				podStatus:      getTestRunningStatusWithFailedContainer,
+				expectContinue: true,
+			},
+			{
+				name: "container terminated by restartAllContainers",
+				pod: func() v1.Pod {
+					pod := getTestPod()
+					setTestProbe(pod, probeType, v1.Probe{})
+					triggerContainer := v1.Container{
+						Name:          "trigger",
+						RestartPolicy: &restartPolicyNever,
+						RestartPolicyRules: []v1.ContainerRestartRule{{
+							Action: v1.ContainerRestartRuleActionRestartAllContainers,
+							ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+								Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+								Values:   []int32{1},
+							},
+						}},
+					}
+					pod.Spec.Containers = append(pod.Spec.Containers, triggerContainer)
+					return *pod
+				},
+				podStatus: func() v1.PodStatus {
+					status := getTestRunningStatusWithFailedContainer()
+					// Mark the trigger container as terminated.
+					status.ContainerStatuses = append(status.ContainerStatuses, v1.ContainerStatus{
+						Name: "trigger",
+						State: v1.ContainerState{
+							Terminated: &v1.ContainerStateTerminated{
+								ExitCode: 1,
+							},
+						},
+					})
+					return status
+				},
+				expectContinue: true,
+			},
+			{
+				name: "container cleaned up by restartAllContainers",
+				pod: func() v1.Pod {
+					pod := getTestPod()
+					setTestProbe(pod, probeType, v1.Probe{})
+					triggerContainer := v1.Container{
+						Name:          "trigger",
+						RestartPolicy: &restartPolicyNever,
+						RestartPolicyRules: []v1.ContainerRestartRule{{
+							Action: v1.ContainerRestartRuleActionRestartAllContainers,
+							ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+								Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+								Values:   []int32{1},
+							},
+						}},
+					}
+					pod.Spec.Containers = append(pod.Spec.Containers, triggerContainer)
+					return *pod
+				},
+				// After cleanup, the container will be in Waiting state, and pod in Pending state
+				podStatus:      getTestPendingStatus,
+				expectContinue: true,
+			},
+		}
+
+		for _, tc := range testcases {
+			pod := tc.pod()
+			podStatus := tc.podStatus()
+			w := newWorker(m, probeType, &pod, pod.Spec.Containers[0])
+
+			m.statusManager.SetPodStatus(logger, w.pod, podStatus)
+
+			if c := w.doProbe(ctx); c != tc.expectContinue {
+				t.Errorf("[%s: %s] Expected continue to be %v but got %v", probeType, tc.name, tc.expectContinue, c)
+			}
+		}
+	}
+}
+
 func TestInitialDelay(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
 	m := newTestManager()
@@ -365,14 +603,14 @@ func TestStartupProbeFailureThreshold(t *testing.T) {
 }
 
 func TestCleanUp(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
+	logger, ctx := ktesting.NewTestContext(t)
 	m := newTestManager()
 
 	for _, probeType := range [...]probeType{liveness, readiness, startup} {
 		key := probeKey{testPodUID, testContainerName, probeType}
 		w := newTestWorker(m, probeType, v1.Probe{})
 		m.statusManager.SetPodStatus(logger, w.pod, getTestRunningStatusWithStarted(probeType != startup))
-		go w.run()
+		go w.run(ctx)
 		m.workers[key] = w
 
 		// Wait for worker to run.
@@ -515,6 +753,7 @@ func TestResultRunOnLivenessCheckFailure(t *testing.T) {
 
 func TestResultRunOnStartupCheckFailure(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
+
 	m := newTestManager()
 	w := newTestWorker(m, startup, v1.Probe{SuccessThreshold: 1, FailureThreshold: 3})
 	m.statusManager.SetPodStatus(logger, w.pod, getTestRunningStatusWithStarted(false))
@@ -636,6 +875,7 @@ func TestLivenessProbeDisabledByStarted(t *testing.T) {
 
 func TestStartupProbeDisabledByStarted(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
+
 	m := newTestManager()
 	w := newTestWorker(m, startup, v1.Probe{SuccessThreshold: 1, FailureThreshold: 2})
 	m.statusManager.SetPodStatus(logger, w.pod, getTestRunningStatusWithStarted(false))
@@ -657,3 +897,140 @@ func TestStartupProbeDisabledByStarted(t *testing.T) {
 	expectContinue(t, w, w.doProbe(ctx), msg)
 	expectResult(t, w, results.Success, msg)
 }
+
+func TestChangeContainerStatusOnKubeletRestart(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
+
+	tests := []struct {
+		name           string
+		featureEnabled bool
+		isRestart      bool
+		probeType      probeType
+		initialValue   results.Result
+		expectSet      bool
+	}{
+		{
+			name:           "feature enabled, is restart, readiness",
+			featureEnabled: true,
+			isRestart:      true,
+			probeType:      readiness,
+			initialValue:   results.Failure,
+			expectSet:      true,
+		},
+		{
+			name:           "feature enabled, is restart, liveness",
+			featureEnabled: true,
+			isRestart:      true,
+			probeType:      liveness,
+			initialValue:   results.Success,
+			expectSet:      true,
+		},
+		{
+			name:           "feature enabled, is restart, startup",
+			featureEnabled: true,
+			isRestart:      true,
+			probeType:      startup,
+			initialValue:   results.Unknown,
+			expectSet:      true,
+		},
+		{
+			name:           "feature enabled, not restart, readiness",
+			featureEnabled: true,
+			isRestart:      false,
+			probeType:      readiness,
+			initialValue:   results.Failure,
+			expectSet:      true,
+		},
+		{
+			name:           "feature enabled, not restart, liveness",
+			featureEnabled: true,
+			isRestart:      false,
+			probeType:      liveness,
+			initialValue:   results.Success,
+			expectSet:      true,
+		},
+		{
+			name:           "feature enabled, not restart, startup",
+			featureEnabled: true,
+			isRestart:      false,
+			probeType:      startup,
+			initialValue:   results.Unknown,
+			expectSet:      true,
+		},
+		{
+			name:           "feature disabled, is restart, readiness",
+			featureEnabled: false,
+			isRestart:      true,
+			probeType:      readiness,
+			expectSet:      false,
+		},
+		{
+			name:           "feature disabled, is restart, liveness",
+			featureEnabled: false,
+			isRestart:      true,
+			probeType:      liveness,
+			expectSet:      false,
+		},
+		{
+			name:           "feature disabled, is restart, startup",
+			featureEnabled: false,
+			isRestart:      true,
+			probeType:      startup,
+			expectSet:      false,
+		},
+		{
+			name:           "feature disabled, not restart, readiness",
+			featureEnabled: false,
+			isRestart:      false,
+			probeType:      readiness,
+			initialValue:   results.Failure,
+			expectSet:      true,
+		},
+		{
+			name:           "feature disabled, not restart, liveness",
+			featureEnabled: false,
+			isRestart:      false,
+			probeType:      liveness,
+			initialValue:   results.Success,
+			expectSet:      true,
+		},
+		{
+			name:           "feature disabled, not restart, startup",
+			featureEnabled: false,
+			isRestart:      false,
+			probeType:      startup,
+			initialValue:   results.Unknown,
+			expectSet:      true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ChangeContainerStatusOnKubeletRestart, tc.featureEnabled)
+
+			m := newTestManager()
+			podStatus := getTestRunningStatus()
+			podStatus.ContainerStatuses[0].ContainerID = "test://container-id"
+			if tc.isRestart {
+				podStatus.ContainerStatuses[0].State.Running.StartedAt = metav1.Time{Time: m.start.Add(-5 * time.Minute)}
+			} else {
+				podStatus.ContainerStatuses[0].State.Running.StartedAt = metav1.Time{Time: m.start.Add(5 * time.Minute)}
+			}
+
+			w := newTestWorker(m, tc.probeType, v1.Probe{InitialDelaySeconds: 1000})
+			m.statusManager.SetPodStatus(logger, w.pod, podStatus)
+
+			w.doProbe(ctx)
+
+			containerID := kubecontainer.ParseContainerID(podStatus.ContainerStatuses[0].ContainerID)
+			result, ok := resultsManager(m, tc.probeType).Get(containerID)
+
+			if ok != tc.expectSet {
+				t.Errorf("Expected result to be set: %v, but got: %v", tc.expectSet, ok)
+			}
+			if tc.expectSet && result != tc.initialValue {
+				t.Errorf("Expected result %v, but got: %v", tc.initialValue, result)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/secret/secret_manager.go b/pkg/kubelet/secret/secret_manager.go
index dd6ec256ad6eb..eace33c5a142d 100644
--- a/pkg/kubelet/secret/secret_manager.go
+++ b/pkg/kubelet/secret/secret_manager.go
@@ -23,6 +23,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	corev1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	"k8s.io/kubernetes/pkg/kubelet/util/manager"
@@ -152,8 +153,11 @@ func NewWatchingSecretManager(kubeClient clientset.Interface, resyncInterval tim
 		}
 		return false
 	}
+	listWatcherWithWatchListSemanticsWrapper := func(lw *cache.ListWatch) cache.ListerWatcher {
+		return cache.ToListWatcherWithWatchListSemantics(lw, kubeClient)
+	}
 	gr := corev1.Resource("secret")
 	return &secretManager{
-		manager: manager.NewWatchBasedManager(listSecret, watchSecret, newSecret, isImmutable, gr, resyncInterval, getSecretNames),
+		manager: manager.NewWatchBasedManager(listSecret, watchSecret, newSecret, isImmutable, listWatcherWithWatchListSemanticsWrapper, gr, resyncInterval, getSecretNames),
 	}
 }
diff --git a/pkg/kubelet/server/auth.go b/pkg/kubelet/server/auth.go
index 176f6a95379d4..b5d8255d4ca49 100644
--- a/pkg/kubelet/server/auth.go
+++ b/pkg/kubelet/server/auth.go
@@ -17,6 +17,7 @@ limitations under the License.
 package server
 
 import (
+	"context"
 	"net/http"
 	"strings"
 
@@ -24,11 +25,11 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
+	"k8s.io/apiserver/pkg/server/statusz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/configz"
-	"k8s.io/component-base/zpages/flagz"
-	"k8s.io/component-base/zpages/statusz"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 )
@@ -76,8 +77,8 @@ func isSubpath(subpath, path string) bool {
 //	/healthz/* 		=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=healthz,proxy
 //	/configz 		=> verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=configz,proxy
 //	/flagz 		    => verb=<api verb from request>, resource=nodes, name=<node name>, subresource(s)=configz,proxy
-func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *http.Request) []authorizer.Attributes {
-
+func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(ctx context.Context, u user.Info, r *http.Request) []authorizer.Attributes {
+	logger := klog.FromContext(ctx)
 	apiVerb := ""
 	switch r.Method {
 	case "POST":
@@ -145,7 +146,7 @@ func (n nodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt
 		attrs = append(attrs, attr)
 	}
 
-	klog.V(5).InfoS("Node request attributes", "user", attrs[0].GetUser().GetName(), "verb", attrs[0].GetVerb(), "resource", attrs[0].GetResource(), "subresource(s)", subresources)
+	logger.V(5).Info("Node request attributes", "user", attrs[0].GetUser().GetName(), "verb", attrs[0].GetVerb(), "resource", attrs[0].GetResource(), "subresource(s)", subresources)
 
 	return attrs
 }
diff --git a/pkg/kubelet/server/auth_test.go b/pkg/kubelet/server/auth_test.go
index 05874015bc978..27f001f99fa7f 100644
--- a/pkg/kubelet/server/auth_test.go
+++ b/pkg/kubelet/server/auth_test.go
@@ -27,6 +27,7 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestIsSubPath(t *testing.T) {
@@ -64,6 +65,7 @@ func TestIsSubPath(t *testing.T) {
 }
 
 func TestGetRequestAttributes(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	for _, fineGrained := range []bool{false, true} {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletFineGrainedAuthz, fineGrained)
 		for _, test := range AuthzTestCases(fineGrained) {
@@ -72,7 +74,7 @@ func TestGetRequestAttributes(t *testing.T) {
 
 				req, err := http.NewRequest(test.Method, "https://localhost:1234"+test.Path, nil)
 				require.NoError(t, err)
-				attrs := getter.GetRequestAttributes(AuthzTestUser(), req)
+				attrs := getter.GetRequestAttributes(tCtx, AuthzTestUser(), req)
 
 				test.AssertAttributes(t, attrs)
 			})
diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index 4496a5a937d8c..31ecfe6567270 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@@ -56,9 +56,11 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/httplog"
 	"k8s.io/apiserver/pkg/server/routes"
+	"k8s.io/apiserver/pkg/server/statusz"
 	"k8s.io/apiserver/pkg/util/compatibility"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/flushwriter"
@@ -69,8 +71,6 @@ import (
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/prometheus/slis"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
-	"k8s.io/component-base/zpages/statusz"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/cri-client/pkg/util"
 	podresourcesapi "k8s.io/kubelet/pkg/apis/podresources/v1"
@@ -166,6 +166,7 @@ func (a *filteringContainer) RegisteredHandlePaths() []string {
 
 // ListenAndServeKubeletServer initializes a server to respond to HTTP network requests on the Kubelet.
 func ListenAndServeKubeletServer(
+	ctx context.Context,
 	host HostInterface,
 	resourceAnalyzer stats.ResourceAnalyzer,
 	checkers []healthz.HealthChecker,
@@ -177,8 +178,9 @@ func ListenAndServeKubeletServer(
 
 	address := netutils.ParseIPSloppy(kubeCfg.Address)
 	port := uint(kubeCfg.Port)
-	klog.InfoS("Starting to listen", "address", address, "port", port)
-	handler := NewServer(host, resourceAnalyzer, checkers, flagz, auth, kubeCfg)
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting to listen", "address", address, "port", port)
+	handler := NewServer(ctx, host, resourceAnalyzer, checkers, flagz, auth, kubeCfg)
 	handler.InstallTracingFilter(tp)
 
 	s := &http.Server{
@@ -196,17 +198,18 @@ func ListenAndServeKubeletServer(
 		// cert/keys are specified and GetCertificate in the TLSConfig
 		// should be called instead.
 		if err := s.ListenAndServeTLS(tlsOptions.CertFile, tlsOptions.KeyFile); err != nil {
-			klog.ErrorS(err, "Failed to listen and serve")
+			logger.Error(err, "Failed to listen and serve")
 			os.Exit(1)
 		}
 	} else if err := s.ListenAndServe(); err != nil {
-		klog.ErrorS(err, "Failed to listen and serve")
+		logger.Error(err, "Failed to listen and serve")
 		os.Exit(1)
 	}
 }
 
 // ListenAndServeKubeletReadOnlyServer initializes a server to respond to HTTP network requests on the Kubelet.
 func ListenAndServeKubeletReadOnlyServer(
+	ctx context.Context,
 	host HostInterface,
 	resourceAnalyzer stats.ResourceAnalyzer,
 	checkers []healthz.HealthChecker,
@@ -214,8 +217,9 @@ func ListenAndServeKubeletReadOnlyServer(
 	address net.IP,
 	port uint,
 	tp oteltrace.TracerProvider) {
-	klog.InfoS("Starting to listen read-only", "address", address, "port", port)
-	s := NewServer(host, resourceAnalyzer, checkers, nil, nil, nil)
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting to listen read-only", "address", address, "port", port)
+	s := NewServer(ctx, host, resourceAnalyzer, checkers, nil, nil, nil)
 	s.InstallTracingFilter(tp, otelrestful.WithPublicEndpoint())
 
 	server := &http.Server{
@@ -228,13 +232,14 @@ func ListenAndServeKubeletReadOnlyServer(
 	}
 
 	if err := server.ListenAndServe(); err != nil {
-		klog.ErrorS(err, "Failed to listen and serve")
+		logger.Error(err, "Failed to listen and serve")
 		os.Exit(1)
 	}
 }
 
 // ListenAndServePodResources initializes a gRPC server to serve the PodResources service
 func ListenAndServePodResources(ctx context.Context, endpoint string, providers podresources.PodResourcesProviders) {
+	logger := klog.FromContext(ctx)
 	server := grpc.NewServer(apisgrpc.WithRateLimiter(ctx, "podresources", podresources.DefaultQPS, podresources.DefaultBurstTokens))
 
 	podresourcesapiv1alpha1.RegisterPodResourcesListerServer(server, podresources.NewV1alpha1PodResourcesServer(providers))
@@ -242,19 +247,19 @@ func ListenAndServePodResources(ctx context.Context, endpoint string, providers
 
 	l, err := util.CreateListener(endpoint)
 	if err != nil {
-		klog.ErrorS(err, "Failed to create listener for podResources endpoint")
+		logger.Error(err, "Failed to create listener for podResources endpoint")
 		os.Exit(1)
 	}
 
-	klog.InfoS("Starting to serve the podresources API", "endpoint", endpoint)
+	logger.Info("Starting to serve the podresources API", "endpoint", endpoint)
 	if err := server.Serve(l); err != nil {
-		klog.ErrorS(err, "Failed to serve")
+		logger.Error(err, "Failed to serve")
 		os.Exit(1)
 	}
 }
 
 type NodeRequestAttributesGetter interface {
-	GetRequestAttributes(u user.Info, r *http.Request) []authorizer.Attributes
+	GetRequestAttributes(ctx context.Context, u user.Info, r *http.Request) []authorizer.Attributes
 }
 
 // AuthInterface contains all methods required by the auth filters
@@ -285,6 +290,7 @@ type HostInterface interface {
 
 // NewServer initializes and configures a kubelet.Server object to handle HTTP requests.
 func NewServer(
+	ctx context.Context,
 	host HostInterface,
 	resourceAnalyzer stats.ResourceAnalyzer,
 	checkers []healthz.HealthChecker,
@@ -292,6 +298,7 @@ func NewServer(
 	auth AuthInterface,
 	kubeCfg *kubeletconfiginternal.KubeletConfiguration) Server {
 
+	logger := klog.FromContext(ctx)
 	server := Server{
 		flagz:                flagz,
 		host:                 host,
@@ -303,12 +310,12 @@ func NewServer(
 		extendedCheckers:     checkers,
 	}
 	if auth != nil {
-		server.InstallAuthFilter()
+		server.InstallAuthFilter(ctx)
 	}
-	server.InstallAuthNotRequiredHandlers()
+	server.InstallAuthNotRequiredHandlers(ctx)
 	if kubeCfg != nil && kubeCfg.EnableDebuggingHandlers {
-		klog.InfoS("Adding debug handlers to kubelet server")
-		server.InstallAuthRequiredHandlers()
+		logger.Info("Adding debug handlers to kubelet server")
+		server.InstallAuthRequiredHandlers(ctx)
 		// To maintain backward compatibility serve logs and pprof only when enableDebuggingHandlers is also enabled
 		// see https://github.com/kubernetes/kubernetes/pull/87273
 		server.InstallSystemLogHandler(kubeCfg.EnableSystemLogHandler, kubeCfg.EnableSystemLogQuery)
@@ -317,16 +324,20 @@ func NewServer(
 	} else {
 		server.InstallDebuggingDisabledHandlers()
 	}
+
+	server.installStatusZ()
+
 	return server
 }
 
 // InstallAuthFilter installs authentication filters with the restful Container.
-func (s *Server) InstallAuthFilter() {
+func (s *Server) InstallAuthFilter(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	s.restfulCont.Filter(func(req *restful.Request, resp *restful.Response, chain *restful.FilterChain) {
 		// Authenticate
 		info, ok, err := s.auth.AuthenticateRequest(req.Request)
 		if err != nil {
-			klog.ErrorS(err, "Unable to authenticate the request due to an error")
+			logger.Error(err, "Unable to authenticate the request due to an error")
 			resp.WriteErrorString(http.StatusUnauthorized, "Unauthorized")
 			return
 		}
@@ -336,7 +347,7 @@ func (s *Server) InstallAuthFilter() {
 		}
 
 		// Get authorization attributes
-		attrs := s.auth.GetRequestAttributes(info.User, req.Request)
+		attrs := s.auth.GetRequestAttributes(ctx, info.User, req.Request)
 		var allowed bool
 		var msg string
 		var subresources []string
@@ -344,7 +355,7 @@ func (s *Server) InstallAuthFilter() {
 			subresources = append(subresources, attr.GetSubresource())
 			decision, _, err := s.auth.Authorize(req.Request.Context(), attr)
 			if err != nil {
-				klog.ErrorS(err, "Authorization error", "user", attr.GetUser().GetName(), "verb", attr.GetVerb(), "resource", attr.GetResource(), "subresource", attr.GetSubresource())
+				logger.Error(err, "Authorization error", "user", attr.GetUser().GetName(), "verb", attr.GetVerb(), "resource", attr.GetResource(), "subresource", attr.GetSubresource())
 				msg = fmt.Sprintf("Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)", attr.GetUser().GetName(), attr.GetVerb(), attr.GetResource(), attr.GetSubresource())
 				resp.WriteErrorString(http.StatusInternalServerError, msg)
 				return
@@ -359,12 +370,12 @@ func (s *Server) InstallAuthFilter() {
 
 		if !allowed {
 			if len(attrs) == 0 {
-				klog.ErrorS(fmt.Errorf("could not determine attributes for request"), "Authorization error")
+				logger.Error(fmt.Errorf("could not determine attributes for request"), "Authorization error")
 				resp.WriteErrorString(http.StatusForbidden, "Authorization error: could not determine attributes for request")
 				return
 			}
 			// The attributes only differ by subresource so we just use the first one.
-			klog.V(2).InfoS("Forbidden", "user", attrs[0].GetUser().GetName(), "verb", attrs[0].GetVerb(), "resource", attrs[0].GetResource(), "subresource(s)", subresources)
+			logger.V(2).Info("Forbidden", "user", attrs[0].GetUser().GetName(), "verb", attrs[0].GetVerb(), "resource", attrs[0].GetResource(), "subresource(s)", subresources)
 			resp.WriteErrorString(http.StatusForbidden, fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource(s)=%v)\n", attrs[0].GetUser().GetName(), attrs[0].GetVerb(), attrs[0].GetResource(), subresources))
 			return
 		}
@@ -379,6 +390,13 @@ func (s *Server) InstallTracingFilter(tp oteltrace.TracerProvider, opts ...otelr
 	s.restfulCont.Filter(otelrestful.OTelFilter("kubelet", append(opts, otelrestful.WithTracerProvider(tp))...))
 }
 
+func (s *Server) installStatusZ() {
+	if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
+		s.addMetricsBucketMatcher("statusz")
+		statusz.Install(s.restfulCont, ComponentKubelet, statusz.NewRegistry(compatibility.DefaultBuildEffectiveVersion(), statusz.WithListedPaths(s.restfulCont.RegisteredHandlePaths())))
+	}
+}
+
 // addMetricsBucketMatcher adds a regexp matcher and the relevant bucket to use when
 // it matches. Please be aware this is not thread safe and should not be used dynamically
 func (s *Server) addMetricsBucketMatcher(bucket string) {
@@ -406,7 +424,8 @@ func (s *Server) getMetricMethodBucket(method string) string {
 // installed on both the unsecured and secured (TLS) servers.
 // NOTE: This method is maintained for backwards compatibility, but no new endpoints should be added
 // to this set. New handlers should be added under InstallAuthorizedHandlers.
-func (s *Server) InstallAuthNotRequiredHandlers() {
+func (s *Server) InstallAuthNotRequiredHandlers(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	s.addMetricsBucketMatcher("healthz")
 	checkers := []healthz.HealthChecker{
 		healthz.PingHealthz,
@@ -424,7 +443,9 @@ func (s *Server) InstallAuthNotRequiredHandlers() {
 		Path(podsPath).
 		Produces(restful.MIME_JSON)
 	ws.Route(ws.GET("").
-		To(s.getPods).
+		To(func(r1 *restful.Request, r2 *restful.Response) {
+			s.getPods(logger, r1, r2)
+		}).
 		Operation("getPods"))
 	s.restfulCont.Add(ws)
 
@@ -495,16 +516,20 @@ func (s *Server) InstallAuthNotRequiredHandlers() {
 // InstallAuthRequiredHandlers registers the HTTP handlers that should only be installed on servers
 // with authorization enabled.
 // NOTE: New endpoints must require authorization.
-func (s *Server) InstallAuthRequiredHandlers() {
+func (s *Server) InstallAuthRequiredHandlers(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	s.addMetricsBucketMatcher("run")
 	ws := new(restful.WebService)
+	getRun := func(request *restful.Request, response *restful.Response) {
+		s.getRun(logger, request, response)
+	}
 	ws.
 		Path("/run")
 	ws.Route(ws.POST("/{podNamespace}/{podID}/{containerName}").
-		To(s.getRun).
+		To(getRun).
 		Operation("getRun"))
 	ws.Route(ws.POST("/{podNamespace}/{podID}/{uid}/{containerName}").
-		To(s.getRun).
+		To(getRun).
 		Operation("getRun"))
 	s.restfulCont.Add(ws)
 
@@ -574,11 +599,6 @@ func (s *Server) InstallAuthRequiredHandlers() {
 	s.addMetricsBucketMatcher("configz")
 	configz.InstallHandler(s.restfulCont)
 
-	if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentStatusz) {
-		s.addMetricsBucketMatcher("statusz")
-		statusz.Install(s.restfulCont, ComponentKubelet, statusz.NewRegistry(compatibility.DefaultBuildEffectiveVersion()))
-	}
-
 	if utilfeature.DefaultFeatureGate.Enabled(zpagesfeatures.ComponentFlagz) {
 		if s.flagz != nil {
 			s.addMetricsBucketMatcher("flagz")
@@ -836,14 +856,14 @@ func encodePods(pods []*v1.Pod) (data []byte, err error) {
 }
 
 // getPods returns a list of pods bound to the Kubelet and their spec.
-func (s *Server) getPods(request *restful.Request, response *restful.Response) {
+func (s *Server) getPods(logger klog.Logger, request *restful.Request, response *restful.Response) {
 	pods := s.host.GetPods()
 	data, err := encodePods(pods)
 	if err != nil {
 		response.WriteError(http.StatusInternalServerError, err)
 		return
 	}
-	writeJSONResponse(response, data)
+	writeJSONResponse(logger, response, data)
 }
 
 // getRunningPods returns a list of pods running on Kubelet. The list is
@@ -851,6 +871,7 @@ func (s *Server) getPods(request *restful.Request, response *restful.Response) {
 // by getPods, which is a set of desired pods to run.
 func (s *Server) getRunningPods(request *restful.Request, response *restful.Response) {
 	ctx := request.Request.Context()
+	logger := klog.FromContext(ctx)
 	pods, err := s.host.GetRunningPods(ctx)
 	if err != nil {
 		response.WriteError(http.StatusInternalServerError, err)
@@ -861,7 +882,7 @@ func (s *Server) getRunningPods(request *restful.Request, response *restful.Resp
 		response.WriteError(http.StatusInternalServerError, err)
 		return
 	}
-	writeJSONResponse(response, data)
+	writeJSONResponse(logger, response, data)
 }
 
 // getLogs handles logs requests against the Kubelet.
@@ -904,7 +925,10 @@ func getPortForwardRequestParams(req *restful.Request) portForwardRequestParams
 type responder struct{}
 
 func (r *responder) Error(w http.ResponseWriter, req *http.Request, err error) {
-	klog.ErrorS(err, "Error while proxying request")
+	// Use context.TODO() because we currently do not have a proper context to pass in.
+	// Replace this with an appropriate context when refactoring this function to accept a context parameter.
+	logger := klog.FromContext(context.TODO())
+	logger.Error(err, "Error while proxying request")
 	http.Error(w, err.Error(), http.StatusInternalServerError)
 }
 
@@ -965,7 +989,7 @@ func (s *Server) getExec(request *restful.Request, response *restful.Response) {
 }
 
 // getRun handles requests to run a command inside a container.
-func (s *Server) getRun(request *restful.Request, response *restful.Response) {
+func (s *Server) getRun(logger klog.Logger, request *restful.Request, response *restful.Response) {
 	params := getExecRequestParams(request)
 	pod, ok := s.host.GetPodByName(params.podNamespace, params.podName)
 	if !ok {
@@ -980,11 +1004,11 @@ func (s *Server) getRun(request *restful.Request, response *restful.Response) {
 		response.WriteError(http.StatusInternalServerError, err)
 		return
 	}
-	writeJSONResponse(response, data)
+	writeJSONResponse(logger, response, data)
 }
 
 // Derived from go-restful writeJSON.
-func writeJSONResponse(response *restful.Response, data []byte) {
+func writeJSONResponse(logger klog.Logger, response *restful.Response, data []byte) {
 	if data == nil {
 		response.WriteHeader(http.StatusOK)
 		// do not write a nil representation
@@ -993,7 +1017,7 @@ func writeJSONResponse(response *restful.Response, data []byte) {
 	response.Header().Set(restful.HEADER_ContentType, restful.MIME_JSON)
 	response.WriteHeader(http.StatusOK)
 	if _, err := response.Write(data); err != nil {
-		klog.ErrorS(err, "Error writing response")
+		logger.Error(err, "Error writing response")
 	}
 }
 
@@ -1031,6 +1055,7 @@ func (s *Server) getPortForward(request *restful.Request, response *restful.Resp
 // to the runtime to actually checkpoint the container.
 func (s *Server) checkpoint(request *restful.Request, response *restful.Response) {
 	ctx := request.Request.Context()
+	logger := klog.FromContext(ctx)
 	pod, ok := s.host.GetPodByName(request.PathParameter("podNamespace"), request.PathParameter("podID"))
 	if !ok {
 		response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist"))
@@ -1102,6 +1127,7 @@ func (s *Server) checkpoint(request *restful.Request, response *restful.Response
 		return
 	}
 	writeJSONResponse(
+		logger,
 		response,
 		[]byte(fmt.Sprintf("{\"items\":[\"%s\"]}", options.Location)),
 	)
diff --git a/pkg/kubelet/server/server_test.go b/pkg/kubelet/server/server_test.go
index 89c55f0e97b83..97091722ef537 100644
--- a/pkg/kubelet/server/server_test.go
+++ b/pkg/kubelet/server/server_test.go
@@ -28,6 +28,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"reflect"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
@@ -53,13 +54,14 @@ import (
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/test/utils/ktesting"
 
 	// Do some initialization to decode the query parameters correctly.
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/kubelet/pkg/cri/streaming"
 	"k8s.io/kubelet/pkg/cri/streaming/portforward"
 	remotecommandserver "k8s.io/kubelet/pkg/cri/streaming/remotecommand"
@@ -279,15 +281,15 @@ func (fk *fakeKubelet) ListVolumesForPod(podUID types.UID) (map[string]volume.Vo
 func (*fakeKubelet) ListBlockVolumesForPod(podUID types.UID) (map[string]volume.BlockVolume, bool) {
 	return map[string]volume.BlockVolume{}, true
 }
-func (*fakeKubelet) RootFsStats() (*statsapi.FsStats, error)                     { return nil, nil }
-func (*fakeKubelet) ListPodStats(_ context.Context) ([]statsapi.PodStats, error) { return nil, nil }
-func (*fakeKubelet) ListPodStatsAndUpdateCPUNanoCoreUsage(_ context.Context) ([]statsapi.PodStats, error) {
+func (*fakeKubelet) RootFsStats() (*statsapi.FsStats, error)                   { return nil, nil }
+func (*fakeKubelet) ListPodStats(context.Context) ([]statsapi.PodStats, error) { return nil, nil }
+func (*fakeKubelet) ListPodStatsAndUpdateCPUNanoCoreUsage(context.Context) ([]statsapi.PodStats, error) {
 	return nil, nil
 }
-func (*fakeKubelet) ListPodCPUAndMemoryStats(_ context.Context) ([]statsapi.PodStats, error) {
+func (*fakeKubelet) ListPodCPUAndMemoryStats(context.Context) ([]statsapi.PodStats, error) {
 	return nil, nil
 }
-func (*fakeKubelet) ImageFsStats(_ context.Context) (*statsapi.FsStats, *statsapi.FsStats, error) {
+func (*fakeKubelet) ImageFsStats(context.Context) (*statsapi.FsStats, *statsapi.FsStats, error) {
 	return nil, nil, nil
 }
 func (*fakeKubelet) RlimitStats() (*statsapi.RlimitStats, error) { return nil, nil }
@@ -307,7 +309,7 @@ type fakeAuth struct {
 func (f *fakeAuth) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	return f.authenticateFunc(req)
 }
-func (f *fakeAuth) GetRequestAttributes(u user.Info, req *http.Request) []authorizer.Attributes {
+func (f *fakeAuth) GetRequestAttributes(ctx context.Context, u user.Info, req *http.Request) []authorizer.Attributes {
 	return f.attributesFunc(u, req)
 }
 func (f *fakeAuth) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
@@ -321,21 +323,21 @@ type serverTestFramework struct {
 	testHTTPServer  *httptest.Server
 }
 
-func newServerTest() *serverTestFramework {
-	return newServerTestWithDebug(true, nil)
+func newServerTest(ctx context.Context) *serverTestFramework {
+	return newServerTestWithDebug(ctx, true, nil)
 }
 
-func newServerTestWithDebug(enableDebugging bool, streamingServer streaming.Server) *serverTestFramework {
+func newServerTestWithDebug(ctx context.Context, enableDebugging bool, streamingServer streaming.Server) *serverTestFramework {
 	kubeCfg := &kubeletconfiginternal.KubeletConfiguration{
 		EnableDebuggingHandlers: enableDebugging,
 		EnableSystemLogHandler:  enableDebugging,
 		EnableProfilingHandler:  enableDebugging,
 		EnableDebugFlagsHandler: enableDebugging,
 	}
-	return newServerTestWithDebuggingHandlers(kubeCfg, streamingServer)
+	return newServerTestWithDebuggingHandlers(ctx, kubeCfg, streamingServer)
 }
 
-func newServerTestWithDebuggingHandlers(kubeCfg *kubeletconfiginternal.KubeletConfiguration, streamingServer streaming.Server) *serverTestFramework {
+func newServerTestWithDebuggingHandlers(ctx context.Context, kubeCfg *kubeletconfiginternal.KubeletConfiguration, streamingServer streaming.Server) *serverTestFramework {
 
 	fw := &serverTestFramework{}
 	fw.fakeKubelet = &fakeKubelet{
@@ -363,8 +365,9 @@ func newServerTestWithDebuggingHandlers(kubeCfg *kubeletconfiginternal.KubeletCo
 		},
 	}
 	server := NewServer(
+		ctx,
 		fw.fakeKubelet,
-		stats.NewResourceAnalyzer(fw.fakeKubelet, time.Minute, &record.FakeRecorder{}),
+		stats.NewResourceAnalyzer(ctx, fw.fakeKubelet, time.Minute, &record.FakeRecorder{}),
 		[]healthz.HealthChecker{},
 		flagz.NamedFlagSetsReader{},
 		fw.fakeAuth,
@@ -384,7 +387,8 @@ func getPodName(name, namespace string) string {
 }
 
 func TestServeLogs(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	content := string(`<pre><a href="kubelet.log">kubelet.log</a><a href="google.log">google.log</a></pre>`)
@@ -413,7 +417,8 @@ func TestServeLogs(t *testing.T) {
 }
 
 func TestServeRunInContainer(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	output := "foo bar"
 	podNamespace := "other"
@@ -454,7 +459,8 @@ func TestServeRunInContainer(t *testing.T) {
 }
 
 func TestServeRunInContainerWithUID(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	output := "foo bar"
 	podNamespace := "other"
@@ -497,7 +503,8 @@ func TestServeRunInContainerWithUID(t *testing.T) {
 }
 
 func TestHealthCheck(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	assertHealthIsOk(t, fw.testHTTPServer.URL+"/healthz")
@@ -514,9 +521,46 @@ func assertHealthFails(t *testing.T, httpURL string, expectedErrorCode int) {
 	}
 }
 
+func TestStatusz(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
+
+	fw := newServerTest(tCtx)
+	defer fw.testHTTPServer.Close()
+
+	req, err := http.NewRequest(http.MethodGet, fw.testHTTPServer.URL+"/statusz", nil)
+	if err != nil {
+		t.Fatalf("Got error creating request: %v", err)
+	}
+	req.Header.Set("Accept", "text/plain")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("Got error GETing: %v", err)
+	}
+	defer func(resp *http.Response) {
+		closeErr := resp.Body.Close()
+		if closeErr != nil {
+			t.Errorf("Got error closing response body: %v", err)
+		}
+	}(resp)
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	resBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("Got error reading response body: %v", err)
+	}
+
+	reg := regexp.MustCompile(`Paths([:=\s]+)/configz /debug /healthz /metrics\n$`)
+	if reg.FindStringSubmatch(string(resBody)) == nil {
+		t.Errorf("statusz paths missing: %s\n\nExpected: %q", string(resBody), "Paths<delimter> /configz /debug /healthz /metrics")
+	}
+}
+
 // Ensure all registered handlers & services have an associated testcase.
 func TestAuthzCoverage(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	for _, fineGrained := range []bool{false, true} {
@@ -561,7 +605,8 @@ func TestAuthzCoverage(t *testing.T) {
 }
 
 func TestInstallAuthNotRequiredHandlers(t *testing.T) {
-	fw := newServerTestWithDebug(false, nil)
+	tCtx := ktesting.Init(t)
+	fw := newServerTestWithDebug(tCtx, false, nil)
 	defer fw.testHTTPServer.Close()
 
 	// No new handlers should be added to this list.
@@ -627,12 +672,15 @@ func TestInstallAuthNotRequiredHandlers(t *testing.T) {
 }
 
 func TestAuthFilters(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// Enable features.ContainerCheckpoint during test
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerCheckpoint, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentFlagz, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerCheckpoint:    true,
+		zpagesfeatures.ComponentStatusz: true,
+		zpagesfeatures.ComponentFlagz:   true,
+	})
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	attributesGetter := NewNodeAuthorizerAttributesGetter(authzTestNodeName)
@@ -656,7 +704,7 @@ func TestAuthFilters(t *testing.T) {
 				fw.fakeAuth.attributesFunc = func(u user.Info, req *http.Request) []authorizer.Attributes {
 					calledAttributes = true
 					require.Equal(t, expectedUser, u)
-					attrs := attributesGetter.GetRequestAttributes(u, req)
+					attrs := attributesGetter.GetRequestAttributes(tCtx, u, req)
 					tc.AssertAttributes(t, attrs)
 					return attrs
 				}
@@ -682,6 +730,7 @@ func TestAuthFilters(t *testing.T) {
 }
 
 func TestAuthenticationError(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	var (
 		expectedUser       = &user.DefaultInfo{Name: "test"}
 		expectedAttributes = []authorizer.Attributes{&authorizer.AttributesRecord{User: expectedUser}}
@@ -691,7 +740,7 @@ func TestAuthenticationError(t *testing.T) {
 		calledAttributes   = false
 	)
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	fw.fakeAuth.authenticateFunc = func(req *http.Request) (*authenticator.Response, bool, error) {
 		calledAuthenticate = true
@@ -720,6 +769,7 @@ func TestAuthenticationError(t *testing.T) {
 }
 
 func TestAuthenticationFailure(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	var (
 		expectedUser       = &user.DefaultInfo{Name: "test"}
 		expectedAttributes = []authorizer.Attributes{&authorizer.AttributesRecord{User: expectedUser}}
@@ -729,7 +779,7 @@ func TestAuthenticationFailure(t *testing.T) {
 		calledAttributes   = false
 	)
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	fw.fakeAuth.authenticateFunc = func(req *http.Request) (*authenticator.Response, bool, error) {
 		calledAuthenticate = true
@@ -758,6 +808,7 @@ func TestAuthenticationFailure(t *testing.T) {
 }
 
 func TestAuthorizationSuccess(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	var (
 		expectedUser       = &user.DefaultInfo{Name: "test"}
 		expectedAttributes = []authorizer.Attributes{&authorizer.AttributesRecord{User: expectedUser}}
@@ -767,7 +818,7 @@ func TestAuthorizationSuccess(t *testing.T) {
 		calledAttributes   = false
 	)
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	fw.fakeAuth.authenticateFunc = func(req *http.Request) (*authenticator.Response, bool, error) {
 		calledAuthenticate = true
@@ -796,7 +847,8 @@ func TestAuthorizationSuccess(t *testing.T) {
 }
 
 func TestSyncLoopCheck(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	fw.fakeKubelet.resyncInterval = time.Minute
@@ -866,7 +918,8 @@ func setGetContainerLogsFunc(fw *serverTestFramework, t *testing.T, expectedPodN
 }
 
 func TestContainerLogs(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	tests := map[string]struct {
@@ -920,7 +973,8 @@ func TestContainerLogs(t *testing.T) {
 }
 
 func TestContainerLogsWithInvalidTail(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 	output := "foo bar"
 	podNamespace := "other"
@@ -940,6 +994,7 @@ func TestContainerLogsWithInvalidTail(t *testing.T) {
 }
 
 func TestContainerLogsWithSeparateStream(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PodLogsQuerySplitStreams, true)
 
 	type logEntry struct {
@@ -947,7 +1002,7 @@ func TestContainerLogsWithSeparateStream(t *testing.T) {
 		msg    string
 	}
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	var (
@@ -1154,6 +1209,7 @@ func TestContainerLogsWithSeparateStream(t *testing.T) {
 }
 
 func TestCheckpointContainer(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	podNamespace := "other"
 	podName := "foo"
 	expectedContainerName := "baz"
@@ -1162,7 +1218,7 @@ func TestCheckpointContainer(t *testing.T) {
 		// Enable features.ContainerCheckpoint during test
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ContainerCheckpoint, featureGate)
 
-		fw := newServerTest()
+		fw := newServerTest(tCtx)
 		// GetPodByName() should always fail
 		fw.fakeKubelet.podByNameFunc = func(namespace, name string) (*v1.Pod, bool) {
 			return nil, false
@@ -1255,10 +1311,11 @@ func makeReq(t *testing.T, method, url, clientProtocol string) *http.Request {
 }
 
 func TestServeExecInContainerIdleTimeout(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	ss, err := newTestStreamingServer(100 * time.Millisecond)
 	require.NoError(t, err)
 	defer ss.testHTTPServer.Close()
-	fw := newServerTestWithDebug(true, ss)
+	fw := newServerTestWithDebug(tCtx, true, ss)
 	defer fw.testHTTPServer.Close()
 
 	podNamespace := "other"
@@ -1295,6 +1352,7 @@ func TestServeExecInContainerIdleTimeout(t *testing.T) {
 }
 
 func testExecAttach(t *testing.T, verb string) {
+	tCtx := ktesting.Init(t)
 	tests := map[string]struct {
 		stdin              bool
 		stdout             bool
@@ -1318,7 +1376,7 @@ func testExecAttach(t *testing.T, verb string) {
 			ss, err := newTestStreamingServer(0)
 			require.NoError(t, err)
 			defer ss.testHTTPServer.Close()
-			fw := newServerTestWithDebug(true, ss)
+			fw := newServerTestWithDebug(tCtx, true, ss)
 			defer fw.testHTTPServer.Close()
 			fmt.Println(desc)
 
@@ -1514,10 +1572,11 @@ func TestServeAttachContainer(t *testing.T) {
 }
 
 func TestServePortForwardIdleTimeout(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	ss, err := newTestStreamingServer(100 * time.Millisecond)
 	require.NoError(t, err)
 	defer ss.testHTTPServer.Close()
-	fw := newServerTestWithDebug(true, ss)
+	fw := newServerTestWithDebug(tCtx, true, ss)
 	defer fw.testHTTPServer.Close()
 
 	podNamespace := "other"
@@ -1551,6 +1610,7 @@ func TestServePortForwardIdleTimeout(t *testing.T) {
 }
 
 func TestServePortForward(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	tests := map[string]struct {
 		port          string
 		uid           bool
@@ -1579,7 +1639,7 @@ func TestServePortForward(t *testing.T) {
 			ss, err := newTestStreamingServer(0)
 			require.NoError(t, err)
 			defer ss.testHTTPServer.Close()
-			fw := newServerTestWithDebug(true, ss)
+			fw := newServerTestWithDebug(tCtx, true, ss)
 			defer fw.testHTTPServer.Close()
 
 			portForwardFuncDone := make(chan struct{})
@@ -1677,6 +1737,7 @@ func TestServePortForward(t *testing.T) {
 }
 
 func TestMetricBuckets(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
 
 	tests := map[string]struct {
@@ -1716,7 +1777,7 @@ func TestMetricBuckets(t *testing.T) {
 		"invalid path starting with good": {url: "/healthzjunk", bucket: "other"},
 	}
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentFlagz, true)
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	for _, test := range tests {
@@ -1727,6 +1788,7 @@ func TestMetricBuckets(t *testing.T) {
 }
 
 func TestMetricMethodBuckets(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	tests := map[string]struct {
 		method string
 		bucket string
@@ -1736,7 +1798,7 @@ func TestMetricMethodBuckets(t *testing.T) {
 		"invalid method": {method: "WEIRD", bucket: "other"},
 	}
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	for _, test := range tests {
@@ -1747,6 +1809,7 @@ func TestMetricMethodBuckets(t *testing.T) {
 }
 
 func TestDebuggingDisabledHandlers(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// for backward compatibility even if enablesystemLogHandler or enableProfilingHandler is set but not
 	// enableDebuggingHandler then /logs, /pprof and /flags shouldn't be served.
 	kubeCfg := &kubeletconfiginternal.KubeletConfiguration{
@@ -1755,7 +1818,7 @@ func TestDebuggingDisabledHandlers(t *testing.T) {
 		EnableDebugFlagsHandler: true,
 		EnableProfilingHandler:  true,
 	}
-	fw := newServerTestWithDebuggingHandlers(kubeCfg, nil)
+	fw := newServerTestWithDebuggingHandlers(tCtx, kubeCfg, nil)
 	defer fw.testHTTPServer.Close()
 
 	paths := []string{
@@ -1770,10 +1833,11 @@ func TestDebuggingDisabledHandlers(t *testing.T) {
 }
 
 func TestDisablingLogAndProfilingHandler(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	kubeCfg := &kubeletconfiginternal.KubeletConfiguration{
 		EnableDebuggingHandlers: true,
 	}
-	fw := newServerTestWithDebuggingHandlers(kubeCfg, nil)
+	fw := newServerTestWithDebuggingHandlers(tCtx, kubeCfg, nil)
 	defer fw.testHTTPServer.Close()
 
 	// verify debug endpoints are disabled
@@ -1783,7 +1847,8 @@ func TestDisablingLogAndProfilingHandler(t *testing.T) {
 }
 
 func TestFailedParseParamsSummaryHandler(t *testing.T) {
-	fw := newServerTest()
+	tCtx := ktesting.Init(t)
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	resp, err := http.Post(fw.testHTTPServer.URL+"/stats/summary", "invalid/content/type", nil)
@@ -1833,10 +1898,11 @@ func TestTrimURLPath(t *testing.T) {
 }
 
 func TestFineGrainedAuthz(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	// Enable features.ContainerCheckpoint during test
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletFineGrainedAuthz, true)
 
-	fw := newServerTest()
+	fw := newServerTest(tCtx)
 	defer fw.testHTTPServer.Close()
 
 	attributesGetter := NewNodeAuthorizerAttributesGetter(authzTestNodeName)
@@ -1908,7 +1974,7 @@ func TestFineGrainedAuthz(t *testing.T) {
 			}
 			fw.fakeAuth.attributesFunc = func(u user.Info, req *http.Request) []authorizer.Attributes {
 				calledAttributes = true
-				attrs := attributesGetter.GetRequestAttributes(u, req)
+				attrs := attributesGetter.GetRequestAttributes(tCtx, u, req)
 				var gotSubresources []string
 				for _, attr := range attrs {
 					gotSubresources = append(gotSubresources, attr.GetSubresource())
@@ -1937,11 +2003,12 @@ func TestFineGrainedAuthz(t *testing.T) {
 }
 
 func TestNewServerRegistersMetricsSLIsEndpointTwice(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	host := &fakeKubelet{}
-	resourceAnalyzer := stats.NewResourceAnalyzer(nil, time.Minute, &record.FakeRecorder{})
+	resourceAnalyzer := stats.NewResourceAnalyzer(tCtx, nil, time.Minute, &record.FakeRecorder{})
 
-	server1 := NewServer(host, resourceAnalyzer, []healthz.HealthChecker{}, flagz.NamedFlagSetsReader{}, nil, nil)
-	server2 := NewServer(host, resourceAnalyzer, []healthz.HealthChecker{}, flagz.NamedFlagSetsReader{}, nil, nil)
+	server1 := NewServer(tCtx, host, resourceAnalyzer, []healthz.HealthChecker{}, flagz.NamedFlagSetsReader{}, nil, nil)
+	server2 := NewServer(tCtx, host, resourceAnalyzer, []healthz.HealthChecker{}, flagz.NamedFlagSetsReader{}, nil, nil)
 
 	// Check if both servers registered the /metrics/slis endpoint
 	assert.Contains(t, server1.restfulCont.RegisteredHandlePaths(), "/metrics/slis", "First server should register /metrics/slis")
diff --git a/pkg/kubelet/server/server_websocket_test.go b/pkg/kubelet/server/server_websocket_test.go
index 75b6712a5403f..3a32091299f0c 100644
--- a/pkg/kubelet/server/server_websocket_test.go
+++ b/pkg/kubelet/server/server_websocket_test.go
@@ -30,6 +30,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubelet/pkg/cri/streaming/portforward"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
@@ -38,6 +39,7 @@ const (
 )
 
 func TestServeWSPortForward(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	tests := map[string]struct {
 		port          string
 		uid           bool
@@ -66,7 +68,7 @@ func TestServeWSPortForward(t *testing.T) {
 			ss, err := newTestStreamingServer(0)
 			require.NoError(t, err)
 			defer ss.testHTTPServer.Close()
-			fw := newServerTestWithDebug(true, ss)
+			fw := newServerTestWithDebug(tCtx, true, ss)
 			defer fw.testHTTPServer.Close()
 
 			portForwardFuncDone := make(chan struct{})
@@ -150,6 +152,7 @@ func TestServeWSPortForward(t *testing.T) {
 }
 
 func TestServeWSMultiplePortForward(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	portsText := []string{"7000,8000", "9000"}
 	ports := []uint16{7000, 8000, 9000}
 	podNamespace := "other"
@@ -158,7 +161,7 @@ func TestServeWSMultiplePortForward(t *testing.T) {
 	ss, err := newTestStreamingServer(0)
 	require.NoError(t, err)
 	defer ss.testHTTPServer.Close()
-	fw := newServerTestWithDebug(true, ss)
+	fw := newServerTestWithDebug(tCtx, true, ss)
 	defer fw.testHTTPServer.Close()
 
 	portForwardWG := sync.WaitGroup{}
diff --git a/pkg/kubelet/server/stats/.mockery.yaml b/pkg/kubelet/server/stats/.mockery.yaml
index f419d6d8c5c75..48e361a7d4793 100644
--- a/pkg/kubelet/server/stats/.mockery.yaml
+++ b/pkg/kubelet/server/stats/.mockery.yaml
@@ -1,13 +1,13 @@
 ---
 dir: testing
-filename: "mock_{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/server/stats:
     interfaces:
-      Provider:
-        config:
-          filename: mock_stats_provider.go
-      SummaryProvider:
+      Provider: {}
+      SummaryProvider: {}
diff --git a/pkg/kubelet/server/stats/fs_resource_analyzer.go b/pkg/kubelet/server/stats/fs_resource_analyzer.go
index 01ad396422ac4..5c837635b5b56 100644
--- a/pkg/kubelet/server/stats/fs_resource_analyzer.go
+++ b/pkg/kubelet/server/stats/fs_resource_analyzer.go
@@ -17,6 +17,7 @@ limitations under the License.
 package stats
 
 import (
+	"context"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -58,26 +59,27 @@ func newFsResourceAnalyzer(statsProvider Provider, calcVolumePeriod time.Duratio
 }
 
 // Start eager background caching of volume stats.
-func (s *fsResourceAnalyzer) Start() {
+func (s *fsResourceAnalyzer) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	s.startOnce.Do(func() {
 		if s.calcPeriod <= 0 {
-			klog.InfoS("Volume stats collection disabled")
+			logger.Info("Volume stats collection disabled")
 			return
 		}
-		klog.InfoS("Starting FS ResourceAnalyzer")
-		go wait.Forever(func() { s.updateCachedPodVolumeStats() }, s.calcPeriod)
+		logger.Info("Starting FS ResourceAnalyzer")
+		go wait.Forever(func() { s.updateCachedPodVolumeStats(logger) }, s.calcPeriod)
 	})
 }
 
 // updateCachedPodVolumeStats calculates and caches the PodVolumeStats for every Pod known to the kubelet.
-func (s *fsResourceAnalyzer) updateCachedPodVolumeStats() {
+func (s *fsResourceAnalyzer) updateCachedPodVolumeStats(logger klog.Logger) {
 	oldCache := s.cachedVolumeStats.Load().(statCache)
 	newCache := make(statCache)
 
 	// Copy existing entries to new map, creating/starting new entries for pods missing from the cache
 	for _, pod := range s.statsProvider.GetPods() {
 		if value, found := oldCache[pod.GetUID()]; !found {
-			newCache[pod.GetUID()] = newVolumeStatCalculator(s.statsProvider, s.calcPeriod, pod, s.eventRecorder).StartOnce()
+			newCache[pod.GetUID()] = newVolumeStatCalculator(s.statsProvider, s.calcPeriod, pod, s.eventRecorder).StartOnce(logger)
 		} else {
 			newCache[pod.GetUID()] = value
 		}
diff --git a/pkg/kubelet/server/stats/handler.go b/pkg/kubelet/server/stats/handler.go
index 09c8cfbc21292..61b7576c9f828 100644
--- a/pkg/kubelet/server/stats/handler.go
+++ b/pkg/kubelet/server/stats/handler.go
@@ -138,10 +138,11 @@ func CreateHandlers(rootPath string, provider Provider, summaryProvider SummaryP
 // If "only_cpu_and_memory" GET param is true then only cpu and memory is returned in response.
 func (h *handler) handleSummary(request *restful.Request, response *restful.Response) {
 	ctx := request.Request.Context()
+	logger := klog.FromContext(ctx)
 	onlyCPUAndMemory := false
 	err := request.Request.ParseForm()
 	if err != nil {
-		handleError(response, "/stats/summary", fmt.Errorf("parse form failed: %w", err))
+		handleError(logger, response, "/stats/summary", fmt.Errorf("parse form failed: %w", err))
 		return
 	}
 	if onlyCluAndMemoryParam, found := request.Request.Form["only_cpu_and_memory"]; found &&
@@ -157,27 +158,27 @@ func (h *handler) handleSummary(request *restful.Request, response *restful.Resp
 		summary, err = h.summaryProvider.Get(ctx, forceStatsUpdate)
 	}
 	if err != nil {
-		handleError(response, "/stats/summary", err)
+		handleError(logger, response, "/stats/summary", err)
 	} else {
-		writeResponse(response, summary)
+		writeResponse(logger, response, summary)
 	}
 }
 
-func writeResponse(response *restful.Response, stats interface{}) {
+func writeResponse(logger klog.Logger, response *restful.Response, stats interface{}) {
 	if err := response.WriteAsJson(stats); err != nil {
-		klog.ErrorS(err, "Error writing response")
+		logger.Error(err, "Error writing response")
 	}
 }
 
 // handleError serializes an error object into an HTTP response.
 // request is provided for logging.
-func handleError(response *restful.Response, request string, err error) {
+func handleError(logger klog.Logger, response *restful.Response, request string, err error) {
 	switch err {
 	case kubecontainer.ErrContainerNotFound:
 		response.WriteError(http.StatusNotFound, err)
 	default:
 		msg := fmt.Sprintf("Internal Error: %v", err)
-		klog.ErrorS(err, "HTTP InternalServerError serving", "request", request)
+		logger.Error(err, "HTTP InternalServerError serving", "request", request)
 		response.WriteErrorString(http.StatusInternalServerError, msg)
 	}
 }
diff --git a/pkg/kubelet/server/stats/resource_analyzer.go b/pkg/kubelet/server/stats/resource_analyzer.go
index 853eeb67b0f47..0da817afb62c9 100644
--- a/pkg/kubelet/server/stats/resource_analyzer.go
+++ b/pkg/kubelet/server/stats/resource_analyzer.go
@@ -17,13 +17,15 @@ limitations under the License.
 package stats
 
 import (
-	"k8s.io/client-go/tools/record"
+	"context"
 	"time"
+
+	"k8s.io/client-go/tools/record"
 )
 
 // ResourceAnalyzer provides statistics on node resource consumption
 type ResourceAnalyzer interface {
-	Start()
+	Start(context.Context)
 
 	fsResourceAnalyzerInterface
 	SummaryProvider
@@ -38,13 +40,13 @@ type resourceAnalyzer struct {
 var _ ResourceAnalyzer = &resourceAnalyzer{}
 
 // NewResourceAnalyzer returns a new ResourceAnalyzer
-func NewResourceAnalyzer(statsProvider Provider, calVolumeFrequency time.Duration, eventRecorder record.EventRecorder) ResourceAnalyzer {
+func NewResourceAnalyzer(ctx context.Context, statsProvider Provider, calVolumeFrequency time.Duration, eventRecorder record.EventRecorder) ResourceAnalyzer {
 	fsAnalyzer := newFsResourceAnalyzer(statsProvider, calVolumeFrequency, eventRecorder)
-	summaryProvider := NewSummaryProvider(statsProvider)
+	summaryProvider := NewSummaryProvider(ctx, statsProvider)
 	return &resourceAnalyzer{fsAnalyzer, summaryProvider}
 }
 
 // Start starts background functions necessary for the ResourceAnalyzer to function
-func (ra *resourceAnalyzer) Start() {
-	ra.fsResourceAnalyzer.Start()
+func (ra *resourceAnalyzer) Start(ctx context.Context) {
+	ra.fsResourceAnalyzer.Start(ctx)
 }
diff --git a/pkg/kubelet/server/stats/summary.go b/pkg/kubelet/server/stats/summary.go
index 0e21717ddd0d2..d371b7042c314 100644
--- a/pkg/kubelet/server/stats/summary.go
+++ b/pkg/kubelet/server/stats/summary.go
@@ -53,12 +53,13 @@ var _ SummaryProvider = &summaryProviderImpl{}
 
 // NewSummaryProvider returns a SummaryProvider using the stats provided by the
 // specified statsProvider.
-func NewSummaryProvider(statsProvider Provider) SummaryProvider {
+func NewSummaryProvider(ctx context.Context, statsProvider Provider) SummaryProvider {
+	logger := klog.FromContext(ctx)
 	kubeletCreationTime := metav1.Now()
 	bootTime, err := util.GetBootTime()
 	if err != nil {
 		// bootTime will be zero if we encounter an error getting the boot time.
-		klog.InfoS("Error getting system boot time. Node metrics will have an incorrect start time", "err", err)
+		logger.Info("Error getting system boot time. Node metrics will have an incorrect start time", "err", err)
 	}
 
 	return &summaryProviderImpl{
@@ -113,7 +114,7 @@ func (sp *summaryProviderImpl) Get(ctx context.Context, updateStats bool) (*stat
 		Fs:               rootFsStats,
 		Runtime:          &statsapi.RuntimeStats{ContainerFs: containerFsStats, ImageFs: imageFsStats},
 		Rlimit:           rlimit,
-		SystemContainers: sp.GetSystemContainersStats(nodeConfig, podStats, updateStats),
+		SystemContainers: sp.GetSystemContainersStats(ctx, nodeConfig, podStats, updateStats),
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPSI) {
 		nodeStats.IO = rootStats.IO
@@ -149,7 +150,7 @@ func (sp *summaryProviderImpl) GetCPUAndMemoryStats(ctx context.Context) (*stats
 		Memory:           rootStats.Memory,
 		Swap:             rootStats.Swap,
 		StartTime:        rootStats.StartTime,
-		SystemContainers: sp.GetSystemContainersCPUAndMemoryStats(nodeConfig, podStats, false),
+		SystemContainers: sp.GetSystemContainersCPUAndMemoryStats(ctx, nodeConfig, podStats, false),
 	}
 	summary := statsapi.Summary{
 		Node: nodeStats,
diff --git a/pkg/kubelet/server/stats/summary_sys_containers.go b/pkg/kubelet/server/stats/summary_sys_containers.go
index 35d1135c630a0..8ec6ca1f30b2a 100644
--- a/pkg/kubelet/server/stats/summary_sys_containers.go
+++ b/pkg/kubelet/server/stats/summary_sys_containers.go
@@ -20,6 +20,7 @@ limitations under the License.
 package stats
 
 import (
+	"context"
 	"errors"
 
 	"k8s.io/klog/v2"
@@ -30,7 +31,8 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/cm"
 )
 
-func (sp *summaryProviderImpl) GetSystemContainersStats(nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+func (sp *summaryProviderImpl) GetSystemContainersStats(ctx context.Context, nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+	logger := klog.FromContext(ctx)
 	systemContainers := map[string]struct {
 		name             string
 		forceStatsUpdate bool
@@ -48,7 +50,7 @@ func (sp *summaryProviderImpl) GetSystemContainersStats(nodeConfig cm.NodeConfig
 		}
 		s, _, err := sp.provider.GetCgroupStats(cont.name, cont.forceStatsUpdate)
 		if err != nil {
-			klog.ErrorS(err, "Failed to get system container stats", "containerName", cont.name)
+			logger.Error(err, "Failed to get system container stats", "containerName", cont.name)
 			continue
 		}
 		// System containers don't have a filesystem associated with them.
@@ -65,7 +67,8 @@ func (sp *summaryProviderImpl) GetSystemContainersStats(nodeConfig cm.NodeConfig
 	return stats
 }
 
-func (sp *summaryProviderImpl) GetSystemContainersCPUAndMemoryStats(nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+func (sp *summaryProviderImpl) GetSystemContainersCPUAndMemoryStats(ctx context.Context, nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+	logger := klog.FromContext(ctx)
 	systemContainers := map[string]struct {
 		name             string
 		forceStatsUpdate bool
@@ -84,9 +87,9 @@ func (sp *summaryProviderImpl) GetSystemContainersCPUAndMemoryStats(nodeConfig c
 		s, err := sp.provider.GetCgroupCPUAndMemoryStats(cont.name, cont.forceStatsUpdate)
 		if err != nil {
 			if errors.Is(err, cadvisormemory.ErrDataNotFound) {
-				klog.V(4).InfoS("cgroup stats not found in memory cache", "containerName", cont.name)
+				logger.V(4).Info("cgroup stats not found in memory cache", "containerName", cont.name)
 			} else {
-				klog.ErrorS(err, "Failed to get system container stats", "containerName", cont.name)
+				logger.Error(err, "Failed to get system container stats", "containerName", cont.name)
 			}
 			continue
 		}
diff --git a/pkg/kubelet/server/stats/summary_sys_containers_windows.go b/pkg/kubelet/server/stats/summary_sys_containers_windows.go
index b651c943a1c1b..ac6fae1f42c89 100644
--- a/pkg/kubelet/server/stats/summary_sys_containers_windows.go
+++ b/pkg/kubelet/server/stats/summary_sys_containers_windows.go
@@ -20,6 +20,7 @@ limitations under the License.
 package stats
 
 import (
+	"context"
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -29,13 +30,13 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/winstats"
 )
 
-func (sp *summaryProviderImpl) GetSystemContainersStats(nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+func (sp *summaryProviderImpl) GetSystemContainersStats(_ context.Context, nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
 	stats = append(stats, sp.getSystemPodsCPUAndMemoryStats(nodeConfig, podStats, updateStats))
 	stats = append(stats, sp.getSystemWindowsGlobalmemoryStats())
 	return stats
 }
 
-func (sp *summaryProviderImpl) GetSystemContainersCPUAndMemoryStats(nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
+func (sp *summaryProviderImpl) GetSystemContainersCPUAndMemoryStats(_ context.Context, nodeConfig cm.NodeConfig, podStats []statsapi.PodStats, updateStats bool) (stats []statsapi.ContainerStats) {
 	stats = append(stats, sp.getSystemPodsCPUAndMemoryStats(nodeConfig, podStats, updateStats))
 	stats = append(stats, sp.getSystemWindowsGlobalmemoryStats())
 	return stats
diff --git a/pkg/kubelet/server/stats/summary_test.go b/pkg/kubelet/server/stats/summary_test.go
index 0fbdd30e888b7..bbca2fa501f08 100644
--- a/pkg/kubelet/server/stats/summary_test.go
+++ b/pkg/kubelet/server/stats/summary_test.go
@@ -288,7 +288,7 @@ func TestSummaryProviderGetCPUAndMemoryStats(t *testing.T) {
 	mockStatsProvider.EXPECT().GetCgroupCPUAndMemoryStats("/kubelet", false).Return(cgroupStatsMap["/kubelet"].cs, nil)
 	mockStatsProvider.EXPECT().GetCgroupCPUAndMemoryStats("/kubepods", false).Return(cgroupStatsMap["/pods"].cs, nil)
 
-	provider := NewSummaryProvider(mockStatsProvider)
+	provider := NewSummaryProvider(ctx, mockStatsProvider)
 	summary, err := provider.GetCPUAndMemoryStats(ctx)
 	assert.NoError(err)
 
diff --git a/pkg/kubelet/server/stats/testing/mock_stats_provider.go b/pkg/kubelet/server/stats/testing/mock_stats_provider.go
deleted file mode 100644
index b3c94442f6714..0000000000000
--- a/pkg/kubelet/server/stats/testing/mock_stats_provider.go
+++ /dev/null
@@ -1,1034 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	context "context"
-
-	cm "k8s.io/kubernetes/pkg/kubelet/cm"
-
-	infov1 "github.com/google/cadvisor/info/v1"
-
-	mock "github.com/stretchr/testify/mock"
-
-	types "k8s.io/apimachinery/pkg/types"
-
-	v1 "k8s.io/api/core/v1"
-
-	v1alpha1 "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
-
-	v2 "github.com/google/cadvisor/info/v2"
-
-	volume "k8s.io/kubernetes/pkg/volume"
-)
-
-// MockProvider is an autogenerated mock type for the Provider type
-type MockProvider struct {
-	mock.Mock
-}
-
-type MockProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
-	return &MockProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetCgroupCPUAndMemoryStats provides a mock function with given fields: cgroupName, updateStats
-func (_m *MockProvider) GetCgroupCPUAndMemoryStats(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, error) {
-	ret := _m.Called(cgroupName, updateStats)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCgroupCPUAndMemoryStats")
-	}
-
-	var r0 *v1alpha1.ContainerStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string, bool) (*v1alpha1.ContainerStats, error)); ok {
-		return rf(cgroupName, updateStats)
-	}
-	if rf, ok := ret.Get(0).(func(string, bool) *v1alpha1.ContainerStats); ok {
-		r0 = rf(cgroupName, updateStats)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.ContainerStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, bool) error); ok {
-		r1 = rf(cgroupName, updateStats)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_GetCgroupCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCgroupCPUAndMemoryStats'
-type MockProvider_GetCgroupCPUAndMemoryStats_Call struct {
-	*mock.Call
-}
-
-// GetCgroupCPUAndMemoryStats is a helper method to define mock.On call
-//   - cgroupName string
-//   - updateStats bool
-func (_e *MockProvider_Expecter) GetCgroupCPUAndMemoryStats(cgroupName interface{}, updateStats interface{}) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
-	return &MockProvider_GetCgroupCPUAndMemoryStats_Call{Call: _e.mock.On("GetCgroupCPUAndMemoryStats", cgroupName, updateStats)}
-}
-
-func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) Run(run func(cgroupName string, updateStats bool)) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(bool))
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) Return(_a0 *v1alpha1.ContainerStats, _a1 error) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) RunAndReturn(run func(string, bool) (*v1alpha1.ContainerStats, error)) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCgroupStats provides a mock function with given fields: cgroupName, updateStats
-func (_m *MockProvider) GetCgroupStats(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error) {
-	ret := _m.Called(cgroupName, updateStats)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCgroupStats")
-	}
-
-	var r0 *v1alpha1.ContainerStats
-	var r1 *v1alpha1.NetworkStats
-	var r2 error
-	if rf, ok := ret.Get(0).(func(string, bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error)); ok {
-		return rf(cgroupName, updateStats)
-	}
-	if rf, ok := ret.Get(0).(func(string, bool) *v1alpha1.ContainerStats); ok {
-		r0 = rf(cgroupName, updateStats)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.ContainerStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, bool) *v1alpha1.NetworkStats); ok {
-		r1 = rf(cgroupName, updateStats)
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(*v1alpha1.NetworkStats)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func(string, bool) error); ok {
-		r2 = rf(cgroupName, updateStats)
-	} else {
-		r2 = ret.Error(2)
-	}
-
-	return r0, r1, r2
-}
-
-// MockProvider_GetCgroupStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCgroupStats'
-type MockProvider_GetCgroupStats_Call struct {
-	*mock.Call
-}
-
-// GetCgroupStats is a helper method to define mock.On call
-//   - cgroupName string
-//   - updateStats bool
-func (_e *MockProvider_Expecter) GetCgroupStats(cgroupName interface{}, updateStats interface{}) *MockProvider_GetCgroupStats_Call {
-	return &MockProvider_GetCgroupStats_Call{Call: _e.mock.On("GetCgroupStats", cgroupName, updateStats)}
-}
-
-func (_c *MockProvider_GetCgroupStats_Call) Run(run func(cgroupName string, updateStats bool)) *MockProvider_GetCgroupStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(bool))
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetCgroupStats_Call) Return(_a0 *v1alpha1.ContainerStats, _a1 *v1alpha1.NetworkStats, _a2 error) *MockProvider_GetCgroupStats_Call {
-	_c.Call.Return(_a0, _a1, _a2)
-	return _c
-}
-
-func (_c *MockProvider_GetCgroupStats_Call) RunAndReturn(run func(string, bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error)) *MockProvider_GetCgroupStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetNode provides a mock function with no fields
-func (_m *MockProvider) GetNode() (*v1.Node, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetNode")
-	}
-
-	var r0 *v1.Node
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (*v1.Node, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() *v1.Node); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Node)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_GetNode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNode'
-type MockProvider_GetNode_Call struct {
-	*mock.Call
-}
-
-// GetNode is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) GetNode() *MockProvider_GetNode_Call {
-	return &MockProvider_GetNode_Call{Call: _e.mock.On("GetNode")}
-}
-
-func (_c *MockProvider_GetNode_Call) Run(run func()) *MockProvider_GetNode_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetNode_Call) Return(_a0 *v1.Node, _a1 error) *MockProvider_GetNode_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_GetNode_Call) RunAndReturn(run func() (*v1.Node, error)) *MockProvider_GetNode_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetNodeConfig provides a mock function with no fields
-func (_m *MockProvider) GetNodeConfig() cm.NodeConfig {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetNodeConfig")
-	}
-
-	var r0 cm.NodeConfig
-	if rf, ok := ret.Get(0).(func() cm.NodeConfig); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(cm.NodeConfig)
-	}
-
-	return r0
-}
-
-// MockProvider_GetNodeConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeConfig'
-type MockProvider_GetNodeConfig_Call struct {
-	*mock.Call
-}
-
-// GetNodeConfig is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) GetNodeConfig() *MockProvider_GetNodeConfig_Call {
-	return &MockProvider_GetNodeConfig_Call{Call: _e.mock.On("GetNodeConfig")}
-}
-
-func (_c *MockProvider_GetNodeConfig_Call) Run(run func()) *MockProvider_GetNodeConfig_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetNodeConfig_Call) Return(_a0 cm.NodeConfig) *MockProvider_GetNodeConfig_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockProvider_GetNodeConfig_Call) RunAndReturn(run func() cm.NodeConfig) *MockProvider_GetNodeConfig_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByCgroupfs provides a mock function with given fields: cgroupfs
-func (_m *MockProvider) GetPodByCgroupfs(cgroupfs string) (*v1.Pod, bool) {
-	ret := _m.Called(cgroupfs)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByCgroupfs")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(string) (*v1.Pod, bool)); ok {
-		return rf(cgroupfs)
-	}
-	if rf, ok := ret.Get(0).(func(string) *v1.Pod); ok {
-		r0 = rf(cgroupfs)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string) bool); ok {
-		r1 = rf(cgroupfs)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_GetPodByCgroupfs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByCgroupfs'
-type MockProvider_GetPodByCgroupfs_Call struct {
-	*mock.Call
-}
-
-// GetPodByCgroupfs is a helper method to define mock.On call
-//   - cgroupfs string
-func (_e *MockProvider_Expecter) GetPodByCgroupfs(cgroupfs interface{}) *MockProvider_GetPodByCgroupfs_Call {
-	return &MockProvider_GetPodByCgroupfs_Call{Call: _e.mock.On("GetPodByCgroupfs", cgroupfs)}
-}
-
-func (_c *MockProvider_GetPodByCgroupfs_Call) Run(run func(cgroupfs string)) *MockProvider_GetPodByCgroupfs_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string))
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetPodByCgroupfs_Call) Return(_a0 *v1.Pod, _a1 bool) *MockProvider_GetPodByCgroupfs_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_GetPodByCgroupfs_Call) RunAndReturn(run func(string) (*v1.Pod, bool)) *MockProvider_GetPodByCgroupfs_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodByName provides a mock function with given fields: namespace, name
-func (_m *MockProvider) GetPodByName(namespace string, name string) (*v1.Pod, bool) {
-	ret := _m.Called(namespace, name)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodByName")
-	}
-
-	var r0 *v1.Pod
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(string, string) (*v1.Pod, bool)); ok {
-		return rf(namespace, name)
-	}
-	if rf, ok := ret.Get(0).(func(string, string) *v1.Pod); ok {
-		r0 = rf(namespace, name)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1.Pod)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, string) bool); ok {
-		r1 = rf(namespace, name)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
-type MockProvider_GetPodByName_Call struct {
-	*mock.Call
-}
-
-// GetPodByName is a helper method to define mock.On call
-//   - namespace string
-//   - name string
-func (_e *MockProvider_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockProvider_GetPodByName_Call {
-	return &MockProvider_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
-}
-
-func (_c *MockProvider_GetPodByName_Call) Run(run func(namespace string, name string)) *MockProvider_GetPodByName_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetPodByName_Call) Return(_a0 *v1.Pod, _a1 bool) *MockProvider_GetPodByName_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_GetPodByName_Call) RunAndReturn(run func(string, string) (*v1.Pod, bool)) *MockProvider_GetPodByName_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPodCgroupRoot provides a mock function with no fields
-func (_m *MockProvider) GetPodCgroupRoot() string {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodCgroupRoot")
-	}
-
-	var r0 string
-	if rf, ok := ret.Get(0).(func() string); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(string)
-	}
-
-	return r0
-}
-
-// MockProvider_GetPodCgroupRoot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupRoot'
-type MockProvider_GetPodCgroupRoot_Call struct {
-	*mock.Call
-}
-
-// GetPodCgroupRoot is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) GetPodCgroupRoot() *MockProvider_GetPodCgroupRoot_Call {
-	return &MockProvider_GetPodCgroupRoot_Call{Call: _e.mock.On("GetPodCgroupRoot")}
-}
-
-func (_c *MockProvider_GetPodCgroupRoot_Call) Run(run func()) *MockProvider_GetPodCgroupRoot_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetPodCgroupRoot_Call) Return(_a0 string) *MockProvider_GetPodCgroupRoot_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockProvider_GetPodCgroupRoot_Call) RunAndReturn(run func() string) *MockProvider_GetPodCgroupRoot_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPods provides a mock function with no fields
-func (_m *MockProvider) GetPods() []*v1.Pod {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPods")
-	}
-
-	var r0 []*v1.Pod
-	if rf, ok := ret.Get(0).(func() []*v1.Pod); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*v1.Pod)
-		}
-	}
-
-	return r0
-}
-
-// MockProvider_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
-type MockProvider_GetPods_Call struct {
-	*mock.Call
-}
-
-// GetPods is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) GetPods() *MockProvider_GetPods_Call {
-	return &MockProvider_GetPods_Call{Call: _e.mock.On("GetPods")}
-}
-
-func (_c *MockProvider_GetPods_Call) Run(run func()) *MockProvider_GetPods_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetPods_Call) Return(_a0 []*v1.Pod) *MockProvider_GetPods_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockProvider_GetPods_Call) RunAndReturn(run func() []*v1.Pod) *MockProvider_GetPods_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetRequestedContainersInfo provides a mock function with given fields: containerName, options
-func (_m *MockProvider) GetRequestedContainersInfo(containerName string, options v2.RequestOptions) (map[string]*infov1.ContainerInfo, error) {
-	ret := _m.Called(containerName, options)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetRequestedContainersInfo")
-	}
-
-	var r0 map[string]*infov1.ContainerInfo
-	var r1 error
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]*infov1.ContainerInfo, error)); ok {
-		return rf(containerName, options)
-	}
-	if rf, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]*infov1.ContainerInfo); ok {
-		r0 = rf(containerName, options)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]*infov1.ContainerInfo)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
-		r1 = rf(containerName, options)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_GetRequestedContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRequestedContainersInfo'
-type MockProvider_GetRequestedContainersInfo_Call struct {
-	*mock.Call
-}
-
-// GetRequestedContainersInfo is a helper method to define mock.On call
-//   - containerName string
-//   - options v2.RequestOptions
-func (_e *MockProvider_Expecter) GetRequestedContainersInfo(containerName interface{}, options interface{}) *MockProvider_GetRequestedContainersInfo_Call {
-	return &MockProvider_GetRequestedContainersInfo_Call{Call: _e.mock.On("GetRequestedContainersInfo", containerName, options)}
-}
-
-func (_c *MockProvider_GetRequestedContainersInfo_Call) Run(run func(containerName string, options v2.RequestOptions)) *MockProvider_GetRequestedContainersInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(string), args[1].(v2.RequestOptions))
-	})
-	return _c
-}
-
-func (_c *MockProvider_GetRequestedContainersInfo_Call) Return(_a0 map[string]*infov1.ContainerInfo, _a1 error) *MockProvider_GetRequestedContainersInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_GetRequestedContainersInfo_Call) RunAndReturn(run func(string, v2.RequestOptions) (map[string]*infov1.ContainerInfo, error)) *MockProvider_GetRequestedContainersInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ImageFsStats provides a mock function with given fields: ctx
-func (_m *MockProvider) ImageFsStats(ctx context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ImageFsStats")
-	}
-
-	var r0 *v1alpha1.FsStats
-	var r1 *v1alpha1.FsStats
-	var r2 error
-	if rf, ok := ret.Get(0).(func(context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) *v1alpha1.FsStats); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.FsStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) *v1alpha1.FsStats); ok {
-		r1 = rf(ctx)
-	} else {
-		if ret.Get(1) != nil {
-			r1 = ret.Get(1).(*v1alpha1.FsStats)
-		}
-	}
-
-	if rf, ok := ret.Get(2).(func(context.Context) error); ok {
-		r2 = rf(ctx)
-	} else {
-		r2 = ret.Error(2)
-	}
-
-	return r0, r1, r2
-}
-
-// MockProvider_ImageFsStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageFsStats'
-type MockProvider_ImageFsStats_Call struct {
-	*mock.Call
-}
-
-// ImageFsStats is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockProvider_Expecter) ImageFsStats(ctx interface{}) *MockProvider_ImageFsStats_Call {
-	return &MockProvider_ImageFsStats_Call{Call: _e.mock.On("ImageFsStats", ctx)}
-}
-
-func (_c *MockProvider_ImageFsStats_Call) Run(run func(ctx context.Context)) *MockProvider_ImageFsStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ImageFsStats_Call) Return(imageFs *v1alpha1.FsStats, containerFs *v1alpha1.FsStats, callErr error) *MockProvider_ImageFsStats_Call {
-	_c.Call.Return(imageFs, containerFs, callErr)
-	return _c
-}
-
-func (_c *MockProvider_ImageFsStats_Call) RunAndReturn(run func(context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error)) *MockProvider_ImageFsStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListBlockVolumesForPod provides a mock function with given fields: podUID
-func (_m *MockProvider) ListBlockVolumesForPod(podUID types.UID) (map[string]volume.BlockVolume, bool) {
-	ret := _m.Called(podUID)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListBlockVolumesForPod")
-	}
-
-	var r0 map[string]volume.BlockVolume
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(types.UID) (map[string]volume.BlockVolume, bool)); ok {
-		return rf(podUID)
-	}
-	if rf, ok := ret.Get(0).(func(types.UID) map[string]volume.BlockVolume); ok {
-		r0 = rf(podUID)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]volume.BlockVolume)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(types.UID) bool); ok {
-		r1 = rf(podUID)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_ListBlockVolumesForPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBlockVolumesForPod'
-type MockProvider_ListBlockVolumesForPod_Call struct {
-	*mock.Call
-}
-
-// ListBlockVolumesForPod is a helper method to define mock.On call
-//   - podUID types.UID
-func (_e *MockProvider_Expecter) ListBlockVolumesForPod(podUID interface{}) *MockProvider_ListBlockVolumesForPod_Call {
-	return &MockProvider_ListBlockVolumesForPod_Call{Call: _e.mock.On("ListBlockVolumesForPod", podUID)}
-}
-
-func (_c *MockProvider_ListBlockVolumesForPod_Call) Run(run func(podUID types.UID)) *MockProvider_ListBlockVolumesForPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ListBlockVolumesForPod_Call) Return(_a0 map[string]volume.BlockVolume, _a1 bool) *MockProvider_ListBlockVolumesForPod_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_ListBlockVolumesForPod_Call) RunAndReturn(run func(types.UID) (map[string]volume.BlockVolume, bool)) *MockProvider_ListBlockVolumesForPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListPodCPUAndMemoryStats provides a mock function with given fields: ctx
-func (_m *MockProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]v1alpha1.PodStats, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListPodCPUAndMemoryStats")
-	}
-
-	var r0 []v1alpha1.PodStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]v1alpha1.PodStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_ListPodCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodCPUAndMemoryStats'
-type MockProvider_ListPodCPUAndMemoryStats_Call struct {
-	*mock.Call
-}
-
-// ListPodCPUAndMemoryStats is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockProvider_Expecter) ListPodCPUAndMemoryStats(ctx interface{}) *MockProvider_ListPodCPUAndMemoryStats_Call {
-	return &MockProvider_ListPodCPUAndMemoryStats_Call{Call: _e.mock.On("ListPodCPUAndMemoryStats", ctx)}
-}
-
-func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodCPUAndMemoryStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) Return(_a0 []v1alpha1.PodStats, _a1 error) *MockProvider_ListPodCPUAndMemoryStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) RunAndReturn(run func(context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodCPUAndMemoryStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListPodStats provides a mock function with given fields: ctx
-func (_m *MockProvider) ListPodStats(ctx context.Context) ([]v1alpha1.PodStats, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListPodStats")
-	}
-
-	var r0 []v1alpha1.PodStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]v1alpha1.PodStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_ListPodStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodStats'
-type MockProvider_ListPodStats_Call struct {
-	*mock.Call
-}
-
-// ListPodStats is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockProvider_Expecter) ListPodStats(ctx interface{}) *MockProvider_ListPodStats_Call {
-	return &MockProvider_ListPodStats_Call{Call: _e.mock.On("ListPodStats", ctx)}
-}
-
-func (_c *MockProvider_ListPodStats_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ListPodStats_Call) Return(_a0 []v1alpha1.PodStats, _a1 error) *MockProvider_ListPodStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_ListPodStats_Call) RunAndReturn(run func(context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListPodStatsAndUpdateCPUNanoCoreUsage provides a mock function with given fields: ctx
-func (_m *MockProvider) ListPodStatsAndUpdateCPUNanoCoreUsage(ctx context.Context) ([]v1alpha1.PodStats, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListPodStatsAndUpdateCPUNanoCoreUsage")
-	}
-
-	var r0 []v1alpha1.PodStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]v1alpha1.PodStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodStatsAndUpdateCPUNanoCoreUsage'
-type MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call struct {
-	*mock.Call
-}
-
-// ListPodStatsAndUpdateCPUNanoCoreUsage is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockProvider_Expecter) ListPodStatsAndUpdateCPUNanoCoreUsage(ctx interface{}) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
-	return &MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call{Call: _e.mock.On("ListPodStatsAndUpdateCPUNanoCoreUsage", ctx)}
-}
-
-func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) Return(_a0 []v1alpha1.PodStats, _a1 error) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) RunAndReturn(run func(context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListVolumesForPod provides a mock function with given fields: podUID
-func (_m *MockProvider) ListVolumesForPod(podUID types.UID) (map[string]volume.Volume, bool) {
-	ret := _m.Called(podUID)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListVolumesForPod")
-	}
-
-	var r0 map[string]volume.Volume
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(types.UID) (map[string]volume.Volume, bool)); ok {
-		return rf(podUID)
-	}
-	if rf, ok := ret.Get(0).(func(types.UID) map[string]volume.Volume); ok {
-		r0 = rf(podUID)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(map[string]volume.Volume)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(types.UID) bool); ok {
-		r1 = rf(podUID)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_ListVolumesForPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListVolumesForPod'
-type MockProvider_ListVolumesForPod_Call struct {
-	*mock.Call
-}
-
-// ListVolumesForPod is a helper method to define mock.On call
-//   - podUID types.UID
-func (_e *MockProvider_Expecter) ListVolumesForPod(podUID interface{}) *MockProvider_ListVolumesForPod_Call {
-	return &MockProvider_ListVolumesForPod_Call{Call: _e.mock.On("ListVolumesForPod", podUID)}
-}
-
-func (_c *MockProvider_ListVolumesForPod_Call) Run(run func(podUID types.UID)) *MockProvider_ListVolumesForPod_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockProvider_ListVolumesForPod_Call) Return(_a0 map[string]volume.Volume, _a1 bool) *MockProvider_ListVolumesForPod_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_ListVolumesForPod_Call) RunAndReturn(run func(types.UID) (map[string]volume.Volume, bool)) *MockProvider_ListVolumesForPod_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// RlimitStats provides a mock function with no fields
-func (_m *MockProvider) RlimitStats() (*v1alpha1.RlimitStats, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for RlimitStats")
-	}
-
-	var r0 *v1alpha1.RlimitStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (*v1alpha1.RlimitStats, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() *v1alpha1.RlimitStats); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.RlimitStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_RlimitStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RlimitStats'
-type MockProvider_RlimitStats_Call struct {
-	*mock.Call
-}
-
-// RlimitStats is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) RlimitStats() *MockProvider_RlimitStats_Call {
-	return &MockProvider_RlimitStats_Call{Call: _e.mock.On("RlimitStats")}
-}
-
-func (_c *MockProvider_RlimitStats_Call) Run(run func()) *MockProvider_RlimitStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_RlimitStats_Call) Return(_a0 *v1alpha1.RlimitStats, _a1 error) *MockProvider_RlimitStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_RlimitStats_Call) RunAndReturn(run func() (*v1alpha1.RlimitStats, error)) *MockProvider_RlimitStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// RootFsStats provides a mock function with no fields
-func (_m *MockProvider) RootFsStats() (*v1alpha1.FsStats, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for RootFsStats")
-	}
-
-	var r0 *v1alpha1.FsStats
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (*v1alpha1.FsStats, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() *v1alpha1.FsStats); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.FsStats)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockProvider_RootFsStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RootFsStats'
-type MockProvider_RootFsStats_Call struct {
-	*mock.Call
-}
-
-// RootFsStats is a helper method to define mock.On call
-func (_e *MockProvider_Expecter) RootFsStats() *MockProvider_RootFsStats_Call {
-	return &MockProvider_RootFsStats_Call{Call: _e.mock.On("RootFsStats")}
-}
-
-func (_c *MockProvider_RootFsStats_Call) Run(run func()) *MockProvider_RootFsStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockProvider_RootFsStats_Call) Return(_a0 *v1alpha1.FsStats, _a1 error) *MockProvider_RootFsStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockProvider_RootFsStats_Call) RunAndReturn(run func() (*v1alpha1.FsStats, error)) *MockProvider_RootFsStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockProvider {
-	mock := &MockProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/server/stats/testing/mock_summary_provider.go b/pkg/kubelet/server/stats/testing/mock_summary_provider.go
deleted file mode 100644
index 3a39a51e9eec9..0000000000000
--- a/pkg/kubelet/server/stats/testing/mock_summary_provider.go
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-
-	v1alpha1 "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
-)
-
-// MockSummaryProvider is an autogenerated mock type for the SummaryProvider type
-type MockSummaryProvider struct {
-	mock.Mock
-}
-
-type MockSummaryProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockSummaryProvider) EXPECT() *MockSummaryProvider_Expecter {
-	return &MockSummaryProvider_Expecter{mock: &_m.Mock}
-}
-
-// Get provides a mock function with given fields: ctx, updateStats
-func (_m *MockSummaryProvider) Get(ctx context.Context, updateStats bool) (*v1alpha1.Summary, error) {
-	ret := _m.Called(ctx, updateStats)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Get")
-	}
-
-	var r0 *v1alpha1.Summary
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, bool) (*v1alpha1.Summary, error)); ok {
-		return rf(ctx, updateStats)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, bool) *v1alpha1.Summary); ok {
-		r0 = rf(ctx, updateStats)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.Summary)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, bool) error); ok {
-		r1 = rf(ctx, updateStats)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockSummaryProvider_Get_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Get'
-type MockSummaryProvider_Get_Call struct {
-	*mock.Call
-}
-
-// Get is a helper method to define mock.On call
-//   - ctx context.Context
-//   - updateStats bool
-func (_e *MockSummaryProvider_Expecter) Get(ctx interface{}, updateStats interface{}) *MockSummaryProvider_Get_Call {
-	return &MockSummaryProvider_Get_Call{Call: _e.mock.On("Get", ctx, updateStats)}
-}
-
-func (_c *MockSummaryProvider_Get_Call) Run(run func(ctx context.Context, updateStats bool)) *MockSummaryProvider_Get_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(bool))
-	})
-	return _c
-}
-
-func (_c *MockSummaryProvider_Get_Call) Return(_a0 *v1alpha1.Summary, _a1 error) *MockSummaryProvider_Get_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockSummaryProvider_Get_Call) RunAndReturn(run func(context.Context, bool) (*v1alpha1.Summary, error)) *MockSummaryProvider_Get_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCPUAndMemoryStats provides a mock function with given fields: ctx
-func (_m *MockSummaryProvider) GetCPUAndMemoryStats(ctx context.Context) (*v1alpha1.Summary, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCPUAndMemoryStats")
-	}
-
-	var r0 *v1alpha1.Summary
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (*v1alpha1.Summary, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) *v1alpha1.Summary); ok {
-		r0 = rf(ctx)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*v1alpha1.Summary)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockSummaryProvider_GetCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUAndMemoryStats'
-type MockSummaryProvider_GetCPUAndMemoryStats_Call struct {
-	*mock.Call
-}
-
-// GetCPUAndMemoryStats is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockSummaryProvider_Expecter) GetCPUAndMemoryStats(ctx interface{}) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
-	return &MockSummaryProvider_GetCPUAndMemoryStats_Call{Call: _e.mock.On("GetCPUAndMemoryStats", ctx)}
-}
-
-func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) Run(run func(ctx context.Context)) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) Return(_a0 *v1alpha1.Summary, _a1 error) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) RunAndReturn(run func(context.Context) (*v1alpha1.Summary, error)) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockSummaryProvider creates a new instance of MockSummaryProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockSummaryProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockSummaryProvider {
-	mock := &MockSummaryProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/server/stats/testing/mocks.go b/pkg/kubelet/server/stats/testing/mocks.go
new file mode 100644
index 0000000000000..f1742d3ca6d9a
--- /dev/null
+++ b/pkg/kubelet/server/stats/testing/mocks.go
@@ -0,0 +1,1239 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	"context"
+
+	v10 "github.com/google/cadvisor/info/v1"
+	"github.com/google/cadvisor/info/v2"
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubelet/pkg/apis/stats/v1alpha1"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
+	"k8s.io/kubernetes/pkg/volume"
+)
+
+// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockProvider {
+	mock := &MockProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockProvider is an autogenerated mock type for the Provider type
+type MockProvider struct {
+	mock.Mock
+}
+
+type MockProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
+	return &MockProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetCgroupCPUAndMemoryStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetCgroupCPUAndMemoryStats(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, error) {
+	ret := _mock.Called(cgroupName, updateStats)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCgroupCPUAndMemoryStats")
+	}
+
+	var r0 *v1alpha1.ContainerStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, bool) (*v1alpha1.ContainerStats, error)); ok {
+		return returnFunc(cgroupName, updateStats)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, bool) *v1alpha1.ContainerStats); ok {
+		r0 = returnFunc(cgroupName, updateStats)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ContainerStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, bool) error); ok {
+		r1 = returnFunc(cgroupName, updateStats)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_GetCgroupCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCgroupCPUAndMemoryStats'
+type MockProvider_GetCgroupCPUAndMemoryStats_Call struct {
+	*mock.Call
+}
+
+// GetCgroupCPUAndMemoryStats is a helper method to define mock.On call
+//   - cgroupName string
+//   - updateStats bool
+func (_e *MockProvider_Expecter) GetCgroupCPUAndMemoryStats(cgroupName interface{}, updateStats interface{}) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
+	return &MockProvider_GetCgroupCPUAndMemoryStats_Call{Call: _e.mock.On("GetCgroupCPUAndMemoryStats", cgroupName, updateStats)}
+}
+
+func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) Run(run func(cgroupName string, updateStats bool)) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 bool
+		if args[1] != nil {
+			arg1 = args[1].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) Return(containerStats *v1alpha1.ContainerStats, err error) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
+	_c.Call.Return(containerStats, err)
+	return _c
+}
+
+func (_c *MockProvider_GetCgroupCPUAndMemoryStats_Call) RunAndReturn(run func(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, error)) *MockProvider_GetCgroupCPUAndMemoryStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCgroupStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetCgroupStats(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error) {
+	ret := _mock.Called(cgroupName, updateStats)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCgroupStats")
+	}
+
+	var r0 *v1alpha1.ContainerStats
+	var r1 *v1alpha1.NetworkStats
+	var r2 error
+	if returnFunc, ok := ret.Get(0).(func(string, bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error)); ok {
+		return returnFunc(cgroupName, updateStats)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, bool) *v1alpha1.ContainerStats); ok {
+		r0 = returnFunc(cgroupName, updateStats)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ContainerStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, bool) *v1alpha1.NetworkStats); ok {
+		r1 = returnFunc(cgroupName, updateStats)
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(*v1alpha1.NetworkStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func(string, bool) error); ok {
+		r2 = returnFunc(cgroupName, updateStats)
+	} else {
+		r2 = ret.Error(2)
+	}
+	return r0, r1, r2
+}
+
+// MockProvider_GetCgroupStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCgroupStats'
+type MockProvider_GetCgroupStats_Call struct {
+	*mock.Call
+}
+
+// GetCgroupStats is a helper method to define mock.On call
+//   - cgroupName string
+//   - updateStats bool
+func (_e *MockProvider_Expecter) GetCgroupStats(cgroupName interface{}, updateStats interface{}) *MockProvider_GetCgroupStats_Call {
+	return &MockProvider_GetCgroupStats_Call{Call: _e.mock.On("GetCgroupStats", cgroupName, updateStats)}
+}
+
+func (_c *MockProvider_GetCgroupStats_Call) Run(run func(cgroupName string, updateStats bool)) *MockProvider_GetCgroupStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 bool
+		if args[1] != nil {
+			arg1 = args[1].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetCgroupStats_Call) Return(containerStats *v1alpha1.ContainerStats, networkStats *v1alpha1.NetworkStats, err error) *MockProvider_GetCgroupStats_Call {
+	_c.Call.Return(containerStats, networkStats, err)
+	return _c
+}
+
+func (_c *MockProvider_GetCgroupStats_Call) RunAndReturn(run func(cgroupName string, updateStats bool) (*v1alpha1.ContainerStats, *v1alpha1.NetworkStats, error)) *MockProvider_GetCgroupStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetNode provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetNode() (*v1.Node, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetNode")
+	}
+
+	var r0 *v1.Node
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (*v1.Node, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() *v1.Node); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Node)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_GetNode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNode'
+type MockProvider_GetNode_Call struct {
+	*mock.Call
+}
+
+// GetNode is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetNode() *MockProvider_GetNode_Call {
+	return &MockProvider_GetNode_Call{Call: _e.mock.On("GetNode")}
+}
+
+func (_c *MockProvider_GetNode_Call) Run(run func()) *MockProvider_GetNode_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetNode_Call) Return(node *v1.Node, err error) *MockProvider_GetNode_Call {
+	_c.Call.Return(node, err)
+	return _c
+}
+
+func (_c *MockProvider_GetNode_Call) RunAndReturn(run func() (*v1.Node, error)) *MockProvider_GetNode_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetNodeConfig provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetNodeConfig() cm.NodeConfig {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetNodeConfig")
+	}
+
+	var r0 cm.NodeConfig
+	if returnFunc, ok := ret.Get(0).(func() cm.NodeConfig); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(cm.NodeConfig)
+	}
+	return r0
+}
+
+// MockProvider_GetNodeConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetNodeConfig'
+type MockProvider_GetNodeConfig_Call struct {
+	*mock.Call
+}
+
+// GetNodeConfig is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetNodeConfig() *MockProvider_GetNodeConfig_Call {
+	return &MockProvider_GetNodeConfig_Call{Call: _e.mock.On("GetNodeConfig")}
+}
+
+func (_c *MockProvider_GetNodeConfig_Call) Run(run func()) *MockProvider_GetNodeConfig_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetNodeConfig_Call) Return(nodeConfig cm.NodeConfig) *MockProvider_GetNodeConfig_Call {
+	_c.Call.Return(nodeConfig)
+	return _c
+}
+
+func (_c *MockProvider_GetNodeConfig_Call) RunAndReturn(run func() cm.NodeConfig) *MockProvider_GetNodeConfig_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByCgroupfs provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetPodByCgroupfs(cgroupfs string) (*v1.Pod, bool) {
+	ret := _mock.Called(cgroupfs)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByCgroupfs")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(string) (*v1.Pod, bool)); ok {
+		return returnFunc(cgroupfs)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string) *v1.Pod); ok {
+		r0 = returnFunc(cgroupfs)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string) bool); ok {
+		r1 = returnFunc(cgroupfs)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockProvider_GetPodByCgroupfs_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByCgroupfs'
+type MockProvider_GetPodByCgroupfs_Call struct {
+	*mock.Call
+}
+
+// GetPodByCgroupfs is a helper method to define mock.On call
+//   - cgroupfs string
+func (_e *MockProvider_Expecter) GetPodByCgroupfs(cgroupfs interface{}) *MockProvider_GetPodByCgroupfs_Call {
+	return &MockProvider_GetPodByCgroupfs_Call{Call: _e.mock.On("GetPodByCgroupfs", cgroupfs)}
+}
+
+func (_c *MockProvider_GetPodByCgroupfs_Call) Run(run func(cgroupfs string)) *MockProvider_GetPodByCgroupfs_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetPodByCgroupfs_Call) Return(pod *v1.Pod, b bool) *MockProvider_GetPodByCgroupfs_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockProvider_GetPodByCgroupfs_Call) RunAndReturn(run func(cgroupfs string) (*v1.Pod, bool)) *MockProvider_GetPodByCgroupfs_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodByName provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetPodByName(namespace string, name string) (*v1.Pod, bool) {
+	ret := _mock.Called(namespace, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodByName")
+	}
+
+	var r0 *v1.Pod
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(string, string) (*v1.Pod, bool)); ok {
+		return returnFunc(namespace, name)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, string) *v1.Pod); ok {
+		r0 = returnFunc(namespace, name)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1.Pod)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, string) bool); ok {
+		r1 = returnFunc(namespace, name)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockProvider_GetPodByName_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodByName'
+type MockProvider_GetPodByName_Call struct {
+	*mock.Call
+}
+
+// GetPodByName is a helper method to define mock.On call
+//   - namespace string
+//   - name string
+func (_e *MockProvider_Expecter) GetPodByName(namespace interface{}, name interface{}) *MockProvider_GetPodByName_Call {
+	return &MockProvider_GetPodByName_Call{Call: _e.mock.On("GetPodByName", namespace, name)}
+}
+
+func (_c *MockProvider_GetPodByName_Call) Run(run func(namespace string, name string)) *MockProvider_GetPodByName_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetPodByName_Call) Return(pod *v1.Pod, b bool) *MockProvider_GetPodByName_Call {
+	_c.Call.Return(pod, b)
+	return _c
+}
+
+func (_c *MockProvider_GetPodByName_Call) RunAndReturn(run func(namespace string, name string) (*v1.Pod, bool)) *MockProvider_GetPodByName_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPodCgroupRoot provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetPodCgroupRoot() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodCgroupRoot")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockProvider_GetPodCgroupRoot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodCgroupRoot'
+type MockProvider_GetPodCgroupRoot_Call struct {
+	*mock.Call
+}
+
+// GetPodCgroupRoot is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetPodCgroupRoot() *MockProvider_GetPodCgroupRoot_Call {
+	return &MockProvider_GetPodCgroupRoot_Call{Call: _e.mock.On("GetPodCgroupRoot")}
+}
+
+func (_c *MockProvider_GetPodCgroupRoot_Call) Run(run func()) *MockProvider_GetPodCgroupRoot_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetPodCgroupRoot_Call) Return(s string) *MockProvider_GetPodCgroupRoot_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockProvider_GetPodCgroupRoot_Call) RunAndReturn(run func() string) *MockProvider_GetPodCgroupRoot_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPods provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetPods() []*v1.Pod {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPods")
+	}
+
+	var r0 []*v1.Pod
+	if returnFunc, ok := ret.Get(0).(func() []*v1.Pod); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1.Pod)
+		}
+	}
+	return r0
+}
+
+// MockProvider_GetPods_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPods'
+type MockProvider_GetPods_Call struct {
+	*mock.Call
+}
+
+// GetPods is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) GetPods() *MockProvider_GetPods_Call {
+	return &MockProvider_GetPods_Call{Call: _e.mock.On("GetPods")}
+}
+
+func (_c *MockProvider_GetPods_Call) Run(run func()) *MockProvider_GetPods_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetPods_Call) Return(pods []*v1.Pod) *MockProvider_GetPods_Call {
+	_c.Call.Return(pods)
+	return _c
+}
+
+func (_c *MockProvider_GetPods_Call) RunAndReturn(run func() []*v1.Pod) *MockProvider_GetPods_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetRequestedContainersInfo provides a mock function for the type MockProvider
+func (_mock *MockProvider) GetRequestedContainersInfo(containerName string, options v2.RequestOptions) (map[string]*v10.ContainerInfo, error) {
+	ret := _mock.Called(containerName, options)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequestedContainersInfo")
+	}
+
+	var r0 map[string]*v10.ContainerInfo
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) (map[string]*v10.ContainerInfo, error)); ok {
+		return returnFunc(containerName, options)
+	}
+	if returnFunc, ok := ret.Get(0).(func(string, v2.RequestOptions) map[string]*v10.ContainerInfo); ok {
+		r0 = returnFunc(containerName, options)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]*v10.ContainerInfo)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(string, v2.RequestOptions) error); ok {
+		r1 = returnFunc(containerName, options)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_GetRequestedContainersInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetRequestedContainersInfo'
+type MockProvider_GetRequestedContainersInfo_Call struct {
+	*mock.Call
+}
+
+// GetRequestedContainersInfo is a helper method to define mock.On call
+//   - containerName string
+//   - options v2.RequestOptions
+func (_e *MockProvider_Expecter) GetRequestedContainersInfo(containerName interface{}, options interface{}) *MockProvider_GetRequestedContainersInfo_Call {
+	return &MockProvider_GetRequestedContainersInfo_Call{Call: _e.mock.On("GetRequestedContainersInfo", containerName, options)}
+}
+
+func (_c *MockProvider_GetRequestedContainersInfo_Call) Run(run func(containerName string, options v2.RequestOptions)) *MockProvider_GetRequestedContainersInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 v2.RequestOptions
+		if args[1] != nil {
+			arg1 = args[1].(v2.RequestOptions)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_GetRequestedContainersInfo_Call) Return(stringToContainerInfo map[string]*v10.ContainerInfo, err error) *MockProvider_GetRequestedContainersInfo_Call {
+	_c.Call.Return(stringToContainerInfo, err)
+	return _c
+}
+
+func (_c *MockProvider_GetRequestedContainersInfo_Call) RunAndReturn(run func(containerName string, options v2.RequestOptions) (map[string]*v10.ContainerInfo, error)) *MockProvider_GetRequestedContainersInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ImageFsStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) ImageFsStats(ctx context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ImageFsStats")
+	}
+
+	var r0 *v1alpha1.FsStats
+	var r1 *v1alpha1.FsStats
+	var r2 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *v1alpha1.FsStats); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.FsStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) *v1alpha1.FsStats); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(*v1alpha1.FsStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(2).(func(context.Context) error); ok {
+		r2 = returnFunc(ctx)
+	} else {
+		r2 = ret.Error(2)
+	}
+	return r0, r1, r2
+}
+
+// MockProvider_ImageFsStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ImageFsStats'
+type MockProvider_ImageFsStats_Call struct {
+	*mock.Call
+}
+
+// ImageFsStats is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockProvider_Expecter) ImageFsStats(ctx interface{}) *MockProvider_ImageFsStats_Call {
+	return &MockProvider_ImageFsStats_Call{Call: _e.mock.On("ImageFsStats", ctx)}
+}
+
+func (_c *MockProvider_ImageFsStats_Call) Run(run func(ctx context.Context)) *MockProvider_ImageFsStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ImageFsStats_Call) Return(imageFs *v1alpha1.FsStats, containerFs *v1alpha1.FsStats, callErr error) *MockProvider_ImageFsStats_Call {
+	_c.Call.Return(imageFs, containerFs, callErr)
+	return _c
+}
+
+func (_c *MockProvider_ImageFsStats_Call) RunAndReturn(run func(ctx context.Context) (*v1alpha1.FsStats, *v1alpha1.FsStats, error)) *MockProvider_ImageFsStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListBlockVolumesForPod provides a mock function for the type MockProvider
+func (_mock *MockProvider) ListBlockVolumesForPod(podUID types.UID) (map[string]volume.BlockVolume, bool) {
+	ret := _mock.Called(podUID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListBlockVolumesForPod")
+	}
+
+	var r0 map[string]volume.BlockVolume
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(types.UID) (map[string]volume.BlockVolume, bool)); ok {
+		return returnFunc(podUID)
+	}
+	if returnFunc, ok := ret.Get(0).(func(types.UID) map[string]volume.BlockVolume); ok {
+		r0 = returnFunc(podUID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]volume.BlockVolume)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(types.UID) bool); ok {
+		r1 = returnFunc(podUID)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockProvider_ListBlockVolumesForPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListBlockVolumesForPod'
+type MockProvider_ListBlockVolumesForPod_Call struct {
+	*mock.Call
+}
+
+// ListBlockVolumesForPod is a helper method to define mock.On call
+//   - podUID types.UID
+func (_e *MockProvider_Expecter) ListBlockVolumesForPod(podUID interface{}) *MockProvider_ListBlockVolumesForPod_Call {
+	return &MockProvider_ListBlockVolumesForPod_Call{Call: _e.mock.On("ListBlockVolumesForPod", podUID)}
+}
+
+func (_c *MockProvider_ListBlockVolumesForPod_Call) Run(run func(podUID types.UID)) *MockProvider_ListBlockVolumesForPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ListBlockVolumesForPod_Call) Return(stringToBlockVolume map[string]volume.BlockVolume, b bool) *MockProvider_ListBlockVolumesForPod_Call {
+	_c.Call.Return(stringToBlockVolume, b)
+	return _c
+}
+
+func (_c *MockProvider_ListBlockVolumesForPod_Call) RunAndReturn(run func(podUID types.UID) (map[string]volume.BlockVolume, bool)) *MockProvider_ListBlockVolumesForPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListPodCPUAndMemoryStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]v1alpha1.PodStats, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListPodCPUAndMemoryStats")
+	}
+
+	var r0 []v1alpha1.PodStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]v1alpha1.PodStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_ListPodCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodCPUAndMemoryStats'
+type MockProvider_ListPodCPUAndMemoryStats_Call struct {
+	*mock.Call
+}
+
+// ListPodCPUAndMemoryStats is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockProvider_Expecter) ListPodCPUAndMemoryStats(ctx interface{}) *MockProvider_ListPodCPUAndMemoryStats_Call {
+	return &MockProvider_ListPodCPUAndMemoryStats_Call{Call: _e.mock.On("ListPodCPUAndMemoryStats", ctx)}
+}
+
+func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodCPUAndMemoryStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) Return(podStatss []v1alpha1.PodStats, err error) *MockProvider_ListPodCPUAndMemoryStats_Call {
+	_c.Call.Return(podStatss, err)
+	return _c
+}
+
+func (_c *MockProvider_ListPodCPUAndMemoryStats_Call) RunAndReturn(run func(ctx context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodCPUAndMemoryStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListPodStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) ListPodStats(ctx context.Context) ([]v1alpha1.PodStats, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListPodStats")
+	}
+
+	var r0 []v1alpha1.PodStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]v1alpha1.PodStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_ListPodStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodStats'
+type MockProvider_ListPodStats_Call struct {
+	*mock.Call
+}
+
+// ListPodStats is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockProvider_Expecter) ListPodStats(ctx interface{}) *MockProvider_ListPodStats_Call {
+	return &MockProvider_ListPodStats_Call{Call: _e.mock.On("ListPodStats", ctx)}
+}
+
+func (_c *MockProvider_ListPodStats_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ListPodStats_Call) Return(podStatss []v1alpha1.PodStats, err error) *MockProvider_ListPodStats_Call {
+	_c.Call.Return(podStatss, err)
+	return _c
+}
+
+func (_c *MockProvider_ListPodStats_Call) RunAndReturn(run func(ctx context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListPodStatsAndUpdateCPUNanoCoreUsage provides a mock function for the type MockProvider
+func (_mock *MockProvider) ListPodStatsAndUpdateCPUNanoCoreUsage(ctx context.Context) ([]v1alpha1.PodStats, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListPodStatsAndUpdateCPUNanoCoreUsage")
+	}
+
+	var r0 []v1alpha1.PodStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) ([]v1alpha1.PodStats, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) []v1alpha1.PodStats); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]v1alpha1.PodStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPodStatsAndUpdateCPUNanoCoreUsage'
+type MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call struct {
+	*mock.Call
+}
+
+// ListPodStatsAndUpdateCPUNanoCoreUsage is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockProvider_Expecter) ListPodStatsAndUpdateCPUNanoCoreUsage(ctx interface{}) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
+	return &MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call{Call: _e.mock.On("ListPodStatsAndUpdateCPUNanoCoreUsage", ctx)}
+}
+
+func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) Run(run func(ctx context.Context)) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) Return(podStatss []v1alpha1.PodStats, err error) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
+	_c.Call.Return(podStatss, err)
+	return _c
+}
+
+func (_c *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call) RunAndReturn(run func(ctx context.Context) ([]v1alpha1.PodStats, error)) *MockProvider_ListPodStatsAndUpdateCPUNanoCoreUsage_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListVolumesForPod provides a mock function for the type MockProvider
+func (_mock *MockProvider) ListVolumesForPod(podUID types.UID) (map[string]volume.Volume, bool) {
+	ret := _mock.Called(podUID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListVolumesForPod")
+	}
+
+	var r0 map[string]volume.Volume
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(types.UID) (map[string]volume.Volume, bool)); ok {
+		return returnFunc(podUID)
+	}
+	if returnFunc, ok := ret.Get(0).(func(types.UID) map[string]volume.Volume); ok {
+		r0 = returnFunc(podUID)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[string]volume.Volume)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(types.UID) bool); ok {
+		r1 = returnFunc(podUID)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockProvider_ListVolumesForPod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListVolumesForPod'
+type MockProvider_ListVolumesForPod_Call struct {
+	*mock.Call
+}
+
+// ListVolumesForPod is a helper method to define mock.On call
+//   - podUID types.UID
+func (_e *MockProvider_Expecter) ListVolumesForPod(podUID interface{}) *MockProvider_ListVolumesForPod_Call {
+	return &MockProvider_ListVolumesForPod_Call{Call: _e.mock.On("ListVolumesForPod", podUID)}
+}
+
+func (_c *MockProvider_ListVolumesForPod_Call) Run(run func(podUID types.UID)) *MockProvider_ListVolumesForPod_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockProvider_ListVolumesForPod_Call) Return(stringToVolume map[string]volume.Volume, b bool) *MockProvider_ListVolumesForPod_Call {
+	_c.Call.Return(stringToVolume, b)
+	return _c
+}
+
+func (_c *MockProvider_ListVolumesForPod_Call) RunAndReturn(run func(podUID types.UID) (map[string]volume.Volume, bool)) *MockProvider_ListVolumesForPod_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RlimitStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) RlimitStats() (*v1alpha1.RlimitStats, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for RlimitStats")
+	}
+
+	var r0 *v1alpha1.RlimitStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (*v1alpha1.RlimitStats, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() *v1alpha1.RlimitStats); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.RlimitStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_RlimitStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RlimitStats'
+type MockProvider_RlimitStats_Call struct {
+	*mock.Call
+}
+
+// RlimitStats is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) RlimitStats() *MockProvider_RlimitStats_Call {
+	return &MockProvider_RlimitStats_Call{Call: _e.mock.On("RlimitStats")}
+}
+
+func (_c *MockProvider_RlimitStats_Call) Run(run func()) *MockProvider_RlimitStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_RlimitStats_Call) Return(rlimitStats *v1alpha1.RlimitStats, err error) *MockProvider_RlimitStats_Call {
+	_c.Call.Return(rlimitStats, err)
+	return _c
+}
+
+func (_c *MockProvider_RlimitStats_Call) RunAndReturn(run func() (*v1alpha1.RlimitStats, error)) *MockProvider_RlimitStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RootFsStats provides a mock function for the type MockProvider
+func (_mock *MockProvider) RootFsStats() (*v1alpha1.FsStats, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for RootFsStats")
+	}
+
+	var r0 *v1alpha1.FsStats
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (*v1alpha1.FsStats, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() *v1alpha1.FsStats); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.FsStats)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockProvider_RootFsStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RootFsStats'
+type MockProvider_RootFsStats_Call struct {
+	*mock.Call
+}
+
+// RootFsStats is a helper method to define mock.On call
+func (_e *MockProvider_Expecter) RootFsStats() *MockProvider_RootFsStats_Call {
+	return &MockProvider_RootFsStats_Call{Call: _e.mock.On("RootFsStats")}
+}
+
+func (_c *MockProvider_RootFsStats_Call) Run(run func()) *MockProvider_RootFsStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockProvider_RootFsStats_Call) Return(fsStats *v1alpha1.FsStats, err error) *MockProvider_RootFsStats_Call {
+	_c.Call.Return(fsStats, err)
+	return _c
+}
+
+func (_c *MockProvider_RootFsStats_Call) RunAndReturn(run func() (*v1alpha1.FsStats, error)) *MockProvider_RootFsStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockSummaryProvider creates a new instance of MockSummaryProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockSummaryProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockSummaryProvider {
+	mock := &MockSummaryProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockSummaryProvider is an autogenerated mock type for the SummaryProvider type
+type MockSummaryProvider struct {
+	mock.Mock
+}
+
+type MockSummaryProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockSummaryProvider) EXPECT() *MockSummaryProvider_Expecter {
+	return &MockSummaryProvider_Expecter{mock: &_m.Mock}
+}
+
+// Get provides a mock function for the type MockSummaryProvider
+func (_mock *MockSummaryProvider) Get(ctx context.Context, updateStats bool) (*v1alpha1.Summary, error) {
+	ret := _mock.Called(ctx, updateStats)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Get")
+	}
+
+	var r0 *v1alpha1.Summary
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, bool) (*v1alpha1.Summary, error)); ok {
+		return returnFunc(ctx, updateStats)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, bool) *v1alpha1.Summary); ok {
+		r0 = returnFunc(ctx, updateStats)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Summary)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, bool) error); ok {
+		r1 = returnFunc(ctx, updateStats)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockSummaryProvider_Get_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Get'
+type MockSummaryProvider_Get_Call struct {
+	*mock.Call
+}
+
+// Get is a helper method to define mock.On call
+//   - ctx context.Context
+//   - updateStats bool
+func (_e *MockSummaryProvider_Expecter) Get(ctx interface{}, updateStats interface{}) *MockSummaryProvider_Get_Call {
+	return &MockSummaryProvider_Get_Call{Call: _e.mock.On("Get", ctx, updateStats)}
+}
+
+func (_c *MockSummaryProvider_Get_Call) Run(run func(ctx context.Context, updateStats bool)) *MockSummaryProvider_Get_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 bool
+		if args[1] != nil {
+			arg1 = args[1].(bool)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockSummaryProvider_Get_Call) Return(summary *v1alpha1.Summary, err error) *MockSummaryProvider_Get_Call {
+	_c.Call.Return(summary, err)
+	return _c
+}
+
+func (_c *MockSummaryProvider_Get_Call) RunAndReturn(run func(ctx context.Context, updateStats bool) (*v1alpha1.Summary, error)) *MockSummaryProvider_Get_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCPUAndMemoryStats provides a mock function for the type MockSummaryProvider
+func (_mock *MockSummaryProvider) GetCPUAndMemoryStats(ctx context.Context) (*v1alpha1.Summary, error) {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCPUAndMemoryStats")
+	}
+
+	var r0 *v1alpha1.Summary
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context) (*v1alpha1.Summary, error)); ok {
+		return returnFunc(ctx)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *v1alpha1.Summary); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Summary)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = returnFunc(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockSummaryProvider_GetCPUAndMemoryStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCPUAndMemoryStats'
+type MockSummaryProvider_GetCPUAndMemoryStats_Call struct {
+	*mock.Call
+}
+
+// GetCPUAndMemoryStats is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockSummaryProvider_Expecter) GetCPUAndMemoryStats(ctx interface{}) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
+	return &MockSummaryProvider_GetCPUAndMemoryStats_Call{Call: _e.mock.On("GetCPUAndMemoryStats", ctx)}
+}
+
+func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) Run(run func(ctx context.Context)) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) Return(summary *v1alpha1.Summary, err error) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
+	_c.Call.Return(summary, err)
+	return _c
+}
+
+func (_c *MockSummaryProvider_GetCPUAndMemoryStats_Call) RunAndReturn(run func(ctx context.Context) (*v1alpha1.Summary, error)) *MockSummaryProvider_GetCPUAndMemoryStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/server/stats/volume_stat_calculator.go b/pkg/kubelet/server/stats/volume_stat_calculator.go
index fc6bea1adc7e3..5d7f15ccfadcf 100644
--- a/pkg/kubelet/server/stats/volume_stat_calculator.go
+++ b/pkg/kubelet/server/stats/volume_stat_calculator.go
@@ -66,10 +66,10 @@ func newVolumeStatCalculator(statsProvider Provider, jitterPeriod time.Duration,
 }
 
 // StartOnce starts pod volume calc that will occur periodically in the background until s.StopOnce is called
-func (s *volumeStatCalculator) StartOnce() *volumeStatCalculator {
+func (s *volumeStatCalculator) StartOnce(logger klog.Logger) *volumeStatCalculator {
 	s.startO.Do(func() {
 		go wait.JitterUntil(func() {
-			s.calcAndStoreStats()
+			s.calcAndStoreStats(logger)
 		}, s.jitterPeriod, 1.0, true, s.stopChannel)
 	})
 	return s
@@ -95,7 +95,7 @@ func (s *volumeStatCalculator) GetLatest() (PodVolumeStats, bool) {
 
 // calcAndStoreStats calculates PodVolumeStats for a given pod and writes the result to the s.latest cache.
 // If the pod references PVCs, the prometheus metrics for those are updated with the result.
-func (s *volumeStatCalculator) calcAndStoreStats() {
+func (s *volumeStatCalculator) calcAndStoreStats(logger klog.Logger) {
 	// Find all Volumes for the Pod
 	volumes, found := s.statsProvider.ListVolumesForPod(s.pod.UID)
 	blockVolumes, bvFound := s.statsProvider.ListBlockVolumesForPod(s.pod.UID)
@@ -142,7 +142,7 @@ func (s *volumeStatCalculator) calcAndStoreStats() {
 		if err != nil {
 			// Expected for Volumes that don't support Metrics
 			if !volume.IsNotSupported(err) {
-				klog.V(4).InfoS("Failed to calculate volume metrics", "pod", klog.KObj(s.pod), "podUID", s.pod.UID, "volumeName", name, "err", err)
+				logger.V(4).Info("Failed to calculate volume metrics", "pod", klog.KObj(s.pod), "podUID", s.pod.UID, "volumeName", name, "err", err)
 			}
 			continue
 		}
diff --git a/pkg/kubelet/server/stats/volume_stat_calculator_test.go b/pkg/kubelet/server/stats/volume_stat_calculator_test.go
index fe8cc68331f01..2c35bfdf5d152 100644
--- a/pkg/kubelet/server/stats/volume_stat_calculator_test.go
+++ b/pkg/kubelet/server/stats/volume_stat_calculator_test.go
@@ -35,6 +35,7 @@ import (
 	"k8s.io/kubernetes/pkg/features"
 	statstest "k8s.io/kubernetes/pkg/kubelet/server/stats/testing"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
@@ -104,6 +105,7 @@ var (
 )
 
 func TestPVCRef(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	// Setup mock stats provider
 	mockStats := statstest.NewMockProvider(t)
 	volumes := map[string]volume.Volume{vol0: &fakeVolume{}, vol1: &fakeVolume{}, vol3: &fakeVolume{}}
@@ -118,7 +120,7 @@ func TestPVCRef(t *testing.T) {
 
 	// Calculate stats for pod
 	statsCalculator := newVolumeStatCalculator(mockStats, time.Minute, fakePod, &fakeEventRecorder)
-	statsCalculator.calcAndStoreStats()
+	statsCalculator.calcAndStoreStats(logger)
 	vs, _ := statsCalculator.GetLatest()
 
 	assert.Len(t, append(vs.EphemeralVolumes, vs.PersistentVolumes...), 4)
@@ -161,6 +163,7 @@ func TestPVCRef(t *testing.T) {
 }
 
 func TestNormalVolumeEvent(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	mockStats := statstest.NewMockProvider(t)
 
 	volumes := map[string]volume.Volume{vol0: &fakeVolume{}, vol1: &fakeVolume{}}
@@ -175,7 +178,7 @@ func TestNormalVolumeEvent(t *testing.T) {
 
 	// Calculate stats for pod
 	statsCalculator := newVolumeStatCalculator(mockStats, time.Minute, fakePod, &fakeEventRecorder)
-	statsCalculator.calcAndStoreStats()
+	statsCalculator.calcAndStoreStats(logger)
 
 	event, err := WatchEvent(eventStore)
 	assert.Error(t, err)
@@ -183,6 +186,7 @@ func TestNormalVolumeEvent(t *testing.T) {
 }
 
 func TestAbnormalVolumeEvent(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIVolumeHealth, true)
 
 	// Setup mock stats provider
@@ -203,7 +207,7 @@ func TestAbnormalVolumeEvent(t *testing.T) {
 		volumeCondition.Abnormal = true
 	}
 	statsCalculator := newVolumeStatCalculator(mockStats, time.Minute, fakePod, &fakeEventRecorder)
-	statsCalculator.calcAndStoreStats()
+	statsCalculator.calcAndStoreStats(logger)
 
 	event, err := WatchEvent(eventStore)
 	assert.NoError(t, err)
diff --git a/pkg/kubelet/stats/cadvisor_stats_provider.go b/pkg/kubelet/stats/cadvisor_stats_provider.go
index d0a2a3228abb4..028230f4b388c 100644
--- a/pkg/kubelet/stats/cadvisor_stats_provider.go
+++ b/pkg/kubelet/stats/cadvisor_stats_provider.go
@@ -94,12 +94,12 @@ func (p *cadvisorStatsProvider) ListPodStats(ctx context.Context) ([]statsapi.Po
 	if err != nil {
 		return nil, fmt.Errorf("failed to get imageFs info: %v", err)
 	}
-	infos, err := getCadvisorContainerInfo(p.cadvisor)
+	logger := klog.FromContext(ctx)
+	infos, err := getCadvisorContainerInfo(logger, p.cadvisor)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get container info from cadvisor: %v", err)
 	}
-
-	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(infos)
+	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(logger, infos)
 	// Map each container to a pod and update the PodStats with container data.
 	podToStats := map[statsapi.PodReference]*statsapi.PodStats{}
 	for key, cinfo := range filteredInfos {
@@ -111,7 +111,7 @@ func (p *cadvisorStatsProvider) ListPodStats(ctx context.Context) ([]statsapi.Po
 			continue
 		}
 		// Build the Pod key if this container is managed by a Pod
-		if !isPodManagedContainer(&cinfo) {
+		if !isPodManagedContainer(logger, &cinfo) {
 			continue
 		}
 		ref := buildPodRef(cinfo.Spec.Labels)
@@ -132,13 +132,13 @@ func (p *cadvisorStatsProvider) ListPodStats(ctx context.Context) ([]statsapi.Po
 			// the user and has network stats.
 			podStats.Network = cadvisorInfoToNetworkStats(&cinfo)
 		} else {
-			containerStat := cadvisorInfoToContainerStats(containerName, &cinfo, &rootFsInfo, &imageFsInfo)
+			containerStat := cadvisorInfoToContainerStats(logger, containerName, &cinfo, &rootFsInfo, &imageFsInfo)
 			// NOTE: This doesn't support the old pod log path, `/var/log/pods/UID`. For containers
 			// using old log path, they will be populated by cadvisorInfoToContainerStats.
 			podUID := types.UID(podStats.PodRef.UID)
 			logs, err := p.hostStatsProvider.getPodContainerLogStats(podStats.PodRef.Namespace, podStats.PodRef.Name, podUID, containerName, &rootFsInfo)
 			if err != nil {
-				klog.ErrorS(err, "Unable to fetch container log stats", "containerName", containerName)
+				logger.Error(err, "Unable to fetch container log stats", "containerName", containerName)
 			} else {
 				containerStat.Logs = logs
 			}
@@ -151,7 +151,7 @@ func (p *cadvisorStatsProvider) ListPodStats(ctx context.Context) ([]statsapi.Po
 	// Add each PodStats to the result.
 	result := make([]statsapi.PodStats, 0, len(podToStats))
 	for _, podStats := range podToStats {
-		makePodStorageStats(podStats, &rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, false)
+		makePodStorageStats(logger, podStats, &rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, false)
 
 		podUID := types.UID(podStats.PodRef.UID)
 		// Lookup the pod-level cgroup's CPU and memory stats
@@ -224,12 +224,13 @@ func (p *cadvisorStatsProvider) PodCPUAndMemoryStats(ctx context.Context, pod *v
 }
 
 // ListPodCPUAndMemoryStats returns the cpu and memory stats of all the pod-managed containers.
-func (p *cadvisorStatsProvider) ListPodCPUAndMemoryStats(_ context.Context) ([]statsapi.PodStats, error) {
-	infos, err := getCadvisorContainerInfo(p.cadvisor)
+func (p *cadvisorStatsProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]statsapi.PodStats, error) {
+	logger := klog.FromContext(ctx)
+	infos, err := getCadvisorContainerInfo(logger, p.cadvisor)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get container info from cadvisor: %v", err)
 	}
-	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(infos)
+	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(logger, infos)
 	// Map each container to a pod and update the PodStats with container data.
 	podToStats := map[statsapi.PodReference]*statsapi.PodStats{}
 	for key, cinfo := range filteredInfos {
@@ -241,7 +242,7 @@ func (p *cadvisorStatsProvider) ListPodCPUAndMemoryStats(_ context.Context) ([]s
 			continue
 		}
 		// Build the Pod key if this container is managed by a Pod
-		if !isPodManagedContainer(&cinfo) {
+		if !isPodManagedContainer(logger, &cinfo) {
 			continue
 		}
 		ref := buildPodRef(cinfo.Spec.Labels)
@@ -362,7 +363,8 @@ func (p *cadvisorStatsProvider) ImageFsStats(ctx context.Context) (imageFsRet *s
 		return fsStats, fsStats, nil
 	}
 
-	klog.InfoS("Detect Split Filesystem", "ImageFilesystems", imageStats.ImageFilesystems[0], "ContainerFilesystems", imageStats.ContainerFilesystems[0])
+	logger := klog.FromContext(ctx)
+	logger.Info("Detect Split Filesystem", "ImageFilesystems", imageStats.ImageFilesystems[0], "ContainerFilesystems", imageStats.ContainerFilesystems[0])
 
 	var containerFsInodesUsed *uint64
 	if containerFsInfo.Inodes != nil && containerFsInfo.InodesFree != nil {
@@ -406,12 +408,12 @@ func buildPodRef(containerLabels map[string]string) statsapi.PodReference {
 }
 
 // isPodManagedContainer returns true if the cinfo container is managed by a Pod
-func isPodManagedContainer(cinfo *cadvisorapiv2.ContainerInfo) bool {
+func isPodManagedContainer(logger klog.Logger, cinfo *cadvisorapiv2.ContainerInfo) bool {
 	podName := kubetypes.GetPodName(cinfo.Spec.Labels)
 	podNamespace := kubetypes.GetPodNamespace(cinfo.Spec.Labels)
 	managed := podName != "" && podNamespace != ""
 	if !managed && podName != podNamespace {
-		klog.InfoS(
+		logger.Info(
 			"Expect container to have either both podName and podNamespace labels, or neither",
 			"podNameLabel", podName, "podNamespaceLabel", podNamespace)
 	}
@@ -432,7 +434,7 @@ func getCadvisorPodInfoFromPodUID(podUID types.UID, infos map[string]cadvisorapi
 // the second return map is pod cgroup key <-> ContainerInfo.
 // A ContainerInfo is considered to be of a terminated container if it has an
 // older CreationTime and zero CPU instantaneous and memory RSS usage.
-func filterTerminatedContainerInfoAndAssembleByPodCgroupKey(containerInfo map[string]cadvisorapiv2.ContainerInfo) (map[string]cadvisorapiv2.ContainerInfo, map[string]cadvisorapiv2.ContainerInfo) {
+func filterTerminatedContainerInfoAndAssembleByPodCgroupKey(logger klog.Logger, containerInfo map[string]cadvisorapiv2.ContainerInfo) (map[string]cadvisorapiv2.ContainerInfo, map[string]cadvisorapiv2.ContainerInfo) {
 	cinfoMap := make(map[containerID][]containerInfoWithCgroup)
 	cinfosByPodCgroupKey := make(map[string]cadvisorapiv2.ContainerInfo)
 	for key, cinfo := range containerInfo {
@@ -446,7 +448,7 @@ func filterTerminatedContainerInfoAndAssembleByPodCgroupKey(containerInfo map[st
 			podCgroupKey = filepath.Base(key)
 		}
 		cinfosByPodCgroupKey[podCgroupKey] = cinfo
-		if !isPodManagedContainer(&cinfo) {
+		if !isPodManagedContainer(logger, &cinfo) {
 			continue
 		}
 		cinfoID := containerID{
@@ -554,7 +556,7 @@ func isContainerTerminated(info *cadvisorapiv2.ContainerInfo) bool {
 	return cstat.CpuInst.Usage.Total == 0 && cstat.Memory.RSS == 0
 }
 
-func getCadvisorContainerInfo(ca cadvisor.Interface) (map[string]cadvisorapiv2.ContainerInfo, error) {
+func getCadvisorContainerInfo(logger klog.Logger, ca cadvisor.Interface) (map[string]cadvisorapiv2.ContainerInfo, error) {
 	infos, err := ca.ContainerInfoV2("/", cadvisorapiv2.RequestOptions{
 		IdType:    cadvisorapiv2.TypeName,
 		Count:     2, // 2 samples are needed to compute "instantaneous" CPU
@@ -564,7 +566,7 @@ func getCadvisorContainerInfo(ca cadvisor.Interface) (map[string]cadvisorapiv2.C
 		if _, ok := infos["/"]; ok {
 			// If the failure is partial, log it and return a best-effort
 			// response.
-			klog.ErrorS(err, "Partial failure issuing cadvisor.ContainerInfoV2")
+			logger.Error(err, "Partial failure issuing cadvisor.ContainerInfoV2")
 		} else {
 			return nil, fmt.Errorf("failed to get root cgroup stats: %w", err)
 		}
diff --git a/pkg/kubelet/stats/cadvisor_stats_provider_test.go b/pkg/kubelet/stats/cadvisor_stats_provider_test.go
index 2461e4815591a..a5b1498c1f95d 100644
--- a/pkg/kubelet/stats/cadvisor_stats_provider_test.go
+++ b/pkg/kubelet/stats/cadvisor_stats_provider_test.go
@@ -43,6 +43,7 @@ import (
 	serverstats "k8s.io/kubernetes/pkg/kubelet/server/stats"
 	statustest "k8s.io/kubernetes/pkg/kubelet/status/testing"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestFilterTerminatedContainerInfoAndAssembleByPodCgroupKey(t *testing.T) {
@@ -91,7 +92,8 @@ func TestFilterTerminatedContainerInfoAndAssembleByPodCgroupKey(t *testing.T) {
 		//ContainerInfo with no CPU/memory usage but has network usage for uncleaned cgroups, should not be filtered out
 		"/pod2-c222-zerocpumem-1": getContainerInfoWithZeroCpuMem(seedPastPod0Container0, pName2, namespace, cName222),
 	}
-	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(infos)
+	logger, _ := ktesting.NewTestContext(t)
+	filteredInfos, allInfos := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(logger, infos)
 	assert.Len(t, filteredInfos, 5)
 	assert.Len(t, allInfos, 11)
 	for _, c := range []string{"/pod0-i", "/pod0-c0"} {
@@ -370,7 +372,7 @@ func TestCadvisorListPodStats(t *testing.T) {
 }
 
 func TestCadvisorPodCPUAndMemoryStats(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	const (
 		namespace = "test0"
 		podName   = "pod0"
@@ -420,7 +422,7 @@ func TestCadvisorPodCPUAndMemoryStats(t *testing.T) {
 
 	p := NewCadvisorStatsProvider(mockCadvisor, &fakeResourceAnalyzer{}, nil, nil, nil, NewFakeHostStatsProvider(&containertest.FakeOS{}), mockCM)
 
-	ps, err := p.PodCPUAndMemoryStats(ctx, pod, nil)
+	ps, err := p.PodCPUAndMemoryStats(tCtx, pod, nil)
 	require.NoError(t, err)
 	assert.Equal(t, podName, ps.PodRef.Name)
 	assert.Equal(t, namespace, ps.PodRef.Namespace)
@@ -463,8 +465,8 @@ func TestCadvisorPodCPUAndMemoryStats(t *testing.T) {
 }
 
 func TestCadvisorListPodCPUAndMemoryStats(t *testing.T) {
+	ctx := ktesting.Init(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletPSI, true)
-	ctx := context.Background()
 	const (
 		namespace0 = "test0"
 		namespace2 = "test2"
diff --git a/pkg/kubelet/stats/cri_stats_provider.go b/pkg/kubelet/stats/cri_stats_provider.go
index edfe92d17be21..a2f2d2fd368eb 100644
--- a/pkg/kubelet/stats/cri_stats_provider.go
+++ b/pkg/kubelet/stats/cri_stats_provider.go
@@ -152,6 +152,7 @@ func (p *criStatsProvider) listPodStats(ctx context.Context, updateCPUNanoCoreUs
 		return nil, fmt.Errorf("failed to get pod or container map: %v", err)
 	}
 
+	logger := klog.FromContext(ctx)
 	if p.podAndContainerStatsFromCRI {
 		result, err := p.listPodStatsStrictlyFromCRI(ctx, updateCPUNanoCoreUsage, containerMap, podSandboxMap, &rootFsInfo)
 		if err == nil {
@@ -164,8 +165,9 @@ func (p *criStatsProvider) listPodStats(ctx context.Context, updateCPUNanoCoreUs
 			return nil, err
 		}
 		// CRI implementation doesn't support ListPodSandboxStats, warn and fallback.
-		klog.V(5).ErrorS(err,
+		logger.V(5).Info(
 			"CRI implementation must be updated to support ListPodSandboxStats if PodAndContainerStatsFromCRI feature gate is enabled. Falling back to populating with cAdvisor; this call will fail in the future.",
+			"err", err,
 		)
 	}
 	return p.listPodStatsPartiallyFromCRI(ctx, updateCPUNanoCoreUsage, containerMap, podSandboxMap, &rootFsInfo)
@@ -184,19 +186,20 @@ func (p *criStatsProvider) listPodStatsPartiallyFromCRI(ctx context.Context, upd
 	if err != nil {
 		return nil, fmt.Errorf("failed to list all container stats: %v", err)
 	}
-	allInfos, err := getCadvisorContainerInfo(p.cadvisor)
+
+	logger := klog.FromContext(ctx)
+	allInfos, err := getCadvisorContainerInfo(logger, p.cadvisor)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch cadvisor stats: %v", err)
 	}
-	caInfos, allInfos := getCRICadvisorStats(allInfos)
+	caInfos, allInfos := getCRICadvisorStats(logger, allInfos)
 
 	// get network stats for containers.
 	// This is only used on Windows. For other platforms, (nil, nil) should be returned.
-	containerNetworkStats, err := p.listContainerNetworkStats()
+	containerNetworkStats, err := p.listContainerNetworkStats(logger)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list container network stats: %v", err)
 	}
-
 	for _, stats := range resp {
 		containerID := stats.Attributes.Id
 		container, found := containerMap[containerID]
@@ -219,11 +222,11 @@ func (p *criStatsProvider) listPodStatsPartiallyFromCRI(ctx context.Context, upd
 		}
 
 		// Fill available stats for full set of required pod stats
-		cs, err := p.makeContainerStats(stats, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata(), updateCPUNanoCoreUsage)
+		cs, err := p.makeContainerStats(logger, stats, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata(), updateCPUNanoCoreUsage)
 		if err != nil {
 			return nil, fmt.Errorf("make container stats: %w", err)
 		}
-		p.addPodNetworkStats(ps, podSandboxID, caInfos, cs, containerNetworkStats[podSandboxID])
+		p.addPodNetworkStats(logger, ps, podSandboxID, caInfos, cs, containerNetworkStats[podSandboxID])
 		p.addPodCPUMemoryStats(ps, types.UID(podSandbox.Metadata.Uid), allInfos, cs)
 		p.addSwapStats(ps, types.UID(podSandbox.Metadata.Uid), allInfos, cs)
 		p.addIOStats(ps, types.UID(podSandbox.Metadata.Uid), allInfos, cs)
@@ -232,9 +235,9 @@ func (p *criStatsProvider) listPodStatsPartiallyFromCRI(ctx context.Context, upd
 		// container stats
 		caStats, caFound := caInfos[containerID]
 		if !caFound {
-			klog.V(5).InfoS("Unable to find cadvisor stats for container", "containerID", containerID)
+			logger.V(5).Info("Unable to find cadvisor stats for container", "containerID", containerID)
 		} else {
-			p.addCadvisorContainerStats(cs, &caStats)
+			p.addCadvisorContainerStats(logger, cs, &caStats)
 			p.addProcessStats(ps, &caStats)
 		}
 
@@ -245,7 +248,7 @@ func (p *criStatsProvider) listPodStatsPartiallyFromCRI(ctx context.Context, upd
 
 	result := make([]statsapi.PodStats, 0, len(sandboxIDToPodStats))
 	for _, s := range sandboxIDToPodStats {
-		makePodStorageStats(s, rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, true)
+		makePodStorageStats(logger, s, rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, true)
 		result = append(result, *s)
 	}
 	return result, nil
@@ -256,12 +259,13 @@ func (p *criStatsProvider) listPodStatsStrictlyFromCRI(ctx context.Context, upda
 	if err != nil {
 		return nil, err
 	}
+	logger := klog.FromContext(ctx)
 
 	fsIDtoInfo := make(map[string]*cadvisorapiv2.FsInfo)
 	summarySandboxStats := make([]statsapi.PodStats, 0, len(podSandboxMap))
 	for _, criSandboxStat := range criSandboxStats {
 		if criSandboxStat == nil || criSandboxStat.Attributes == nil {
-			klog.V(5).InfoS("Unable to find CRI stats for sandbox")
+			logger.V(5).Info("Unable to find CRI stats for sandbox")
 			continue
 		}
 		podSandbox, found := podSandboxMap[criSandboxStat.Attributes.Id]
@@ -269,7 +273,7 @@ func (p *criStatsProvider) listPodStatsStrictlyFromCRI(ctx context.Context, upda
 			continue
 		}
 		ps := buildPodStats(podSandbox)
-		if err := p.addCRIPodContainerStats(criSandboxStat, ps, fsIDtoInfo, containerMap, podSandbox, rootFsInfo, updateCPUNanoCoreUsage); err != nil {
+		if err := p.addCRIPodContainerStats(logger, criSandboxStat, ps, fsIDtoInfo, containerMap, podSandbox, rootFsInfo, updateCPUNanoCoreUsage); err != nil {
 			return nil, fmt.Errorf("add CRI pod container stats: %w", err)
 		}
 		addCRIPodNetworkStats(ps, criSandboxStat)
@@ -277,7 +281,7 @@ func (p *criStatsProvider) listPodStatsStrictlyFromCRI(ctx context.Context, upda
 		addCRIPodMemoryStats(ps, criSandboxStat)
 		addCRIPodProcessStats(ps, criSandboxStat)
 		addCRIPodIOStats(ps, criSandboxStat)
-		makePodStorageStats(ps, rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, true)
+		makePodStorageStats(logger, ps, rootFsInfo, p.resourceAnalyzer, p.hostStatsProvider, true)
 		summarySandboxStats = append(summarySandboxStats, *ps)
 	}
 	return summarySandboxStats, nil
@@ -382,6 +386,7 @@ func (p *criStatsProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]stat
 	if err != nil {
 		return nil, fmt.Errorf("failed to get pod or container map: %v", err)
 	}
+	logger := klog.FromContext(ctx)
 
 	result := make([]statsapi.PodStats, 0, len(podSandboxMap))
 	if p.podAndContainerStatsFromCRI {
@@ -407,7 +412,7 @@ func (p *criStatsProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]stat
 			return nil, err
 		}
 		// CRI implementation doesn't support ListPodSandboxStats, warn and fallback.
-		klog.ErrorS(err,
+		logger.Error(err,
 			"CRI implementation must be updated to support ListPodSandboxStats if PodAndContainerStatsFromCRI feature gate is enabled. Falling back to populating with cAdvisor; this call will fail in the future.",
 		)
 	}
@@ -417,11 +422,11 @@ func (p *criStatsProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]stat
 		return nil, fmt.Errorf("failed to list all container stats: %v", err)
 	}
 
-	allInfos, err := getCadvisorContainerInfo(p.cadvisor)
+	allInfos, err := getCadvisorContainerInfo(logger, p.cadvisor)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch cadvisor stats: %v", err)
 	}
-	caInfos, allInfos := getCRICadvisorStats(allInfos)
+	caInfos, allInfos := getCRICadvisorStats(logger, allInfos)
 
 	for _, stats := range resp {
 		containerID := stats.Attributes.Id
@@ -453,9 +458,9 @@ func (p *criStatsProvider) ListPodCPUAndMemoryStats(ctx context.Context) ([]stat
 		// container stats
 		caStats, caFound := caInfos[containerID]
 		if !caFound {
-			klog.V(4).InfoS("Unable to find cadvisor stats for container", "containerID", containerID)
+			logger.V(4).Info("Unable to find cadvisor stats for container", "containerID", containerID)
 		} else {
-			p.addCadvisorContainerCPUAndMemoryStats(cs, &caStats)
+			p.addCadvisorContainerCPUAndMemoryStats(logger, cs, &caStats)
 		}
 		ps.Containers = append(ps.Containers, *cs)
 	}
@@ -516,7 +521,7 @@ func (p *criStatsProvider) ImageFsStats(ctx context.Context) (imageFsRet *statsa
 	if fs.InodesUsed != nil {
 		imageFsRet.InodesUsed = &fs.InodesUsed.Value
 	}
-	imageFsInfo, err := p.getFsInfo(fs.GetFsId())
+	imageFsInfo, err := p.getFsInfo(klog.FromContext(ctx), fs.GetFsId())
 	if err != nil {
 		return nil, nil, fmt.Errorf("get filesystem info: %w", err)
 	}
@@ -542,7 +547,7 @@ func (p *criStatsProvider) ImageFsDevice(ctx context.Context) (string, error) {
 		return "", err
 	}
 	for _, fs := range resp.GetImageFilesystems() {
-		fsInfo, err := p.getFsInfo(fs.GetFsId())
+		fsInfo, err := p.getFsInfo(klog.FromContext(ctx), fs.GetFsId())
 		if err != nil {
 			return "", fmt.Errorf("get filesystem info: %w", err)
 		}
@@ -556,9 +561,9 @@ func (p *criStatsProvider) ImageFsDevice(ctx context.Context) (string, error) {
 // getFsInfo returns the information of the filesystem with the specified
 // fsID. If any error occurs, this function logs the error and returns
 // nil.
-func (p *criStatsProvider) getFsInfo(fsID *runtimeapi.FilesystemIdentifier) (*cadvisorapiv2.FsInfo, error) {
+func (p *criStatsProvider) getFsInfo(logger klog.Logger, fsID *runtimeapi.FilesystemIdentifier) (*cadvisorapiv2.FsInfo, error) {
 	if fsID == nil {
-		klog.V(2).InfoS("Failed to get filesystem info: fsID is nil")
+		logger.V(2).Info("Failed to get filesystem info: fsID is nil")
 		return nil, nil
 	}
 	mountpoint := fsID.GetMountpoint()
@@ -568,9 +573,9 @@ func (p *criStatsProvider) getFsInfo(fsID *runtimeapi.FilesystemIdentifier) (*ca
 		if errors.Is(err, cadvisorfs.ErrNoSuchDevice) ||
 			errors.Is(err, cadvisorfs.ErrDeviceNotInPartitionsMap) ||
 			errors.Is(err, cadvisormemory.ErrDataNotFound) {
-			klog.V(2).InfoS(msg, "mountpoint", mountpoint, "err", err)
+			logger.V(2).Info(msg, "mountpoint", mountpoint, "err", err)
 		} else {
-			klog.ErrorS(err, msg, "mountpoint", mountpoint)
+			logger.Error(err, msg, "mountpoint", mountpoint)
 			return nil, fmt.Errorf("%s: %w", msg, err)
 		}
 		return nil, nil
@@ -592,6 +597,7 @@ func buildPodStats(podSandbox *runtimeapi.PodSandbox) *statsapi.PodStats {
 }
 
 func (p *criStatsProvider) addPodNetworkStats(
+	logger klog.Logger,
 	ps *statsapi.PodStats,
 	podSandboxID string,
 	caInfos map[string]cadvisorapiv2.ContainerInfo,
@@ -615,7 +621,7 @@ func (p *criStatsProvider) addPodNetworkStats(
 	}
 
 	// TODO: sum Pod network stats from container stats.
-	klog.V(4).InfoS("Unable to find network stats for sandbox", "sandboxID", podSandboxID)
+	logger.V(4).Info("Unable to find network stats for sandbox", "sandboxID", podSandboxID)
 }
 
 func (p *criStatsProvider) addPodCPUMemoryStats(
@@ -640,8 +646,8 @@ func (p *criStatsProvider) addPodCPUMemoryStats(
 		}
 
 		ps.CPU.Time = cs.CPU.Time
-		usageCoreNanoSeconds := getUint64Value(cs.CPU.UsageCoreNanoSeconds) + getUint64Value(ps.CPU.UsageCoreNanoSeconds)
-		usageNanoCores := getUint64Value(cs.CPU.UsageNanoCores) + getUint64Value(ps.CPU.UsageNanoCores)
+		usageCoreNanoSeconds := ptr.Deref(cs.CPU.UsageCoreNanoSeconds, 0) + ptr.Deref(ps.CPU.UsageCoreNanoSeconds, 0)
+		usageNanoCores := ptr.Deref(cs.CPU.UsageNanoCores, 0) + ptr.Deref(ps.CPU.UsageNanoCores, 0)
 		ps.CPU.UsageCoreNanoSeconds = &usageCoreNanoSeconds
 		ps.CPU.UsageNanoCores = &usageNanoCores
 		// Pod level PSI stats cannot be calculated from container level
@@ -653,12 +659,12 @@ func (p *criStatsProvider) addPodCPUMemoryStats(
 		}
 
 		ps.Memory.Time = cs.Memory.Time
-		availableBytes := getUint64Value(cs.Memory.AvailableBytes) + getUint64Value(ps.Memory.AvailableBytes)
-		usageBytes := getUint64Value(cs.Memory.UsageBytes) + getUint64Value(ps.Memory.UsageBytes)
-		workingSetBytes := getUint64Value(cs.Memory.WorkingSetBytes) + getUint64Value(ps.Memory.WorkingSetBytes)
-		rSSBytes := getUint64Value(cs.Memory.RSSBytes) + getUint64Value(ps.Memory.RSSBytes)
-		pageFaults := getUint64Value(cs.Memory.PageFaults) + getUint64Value(ps.Memory.PageFaults)
-		majorPageFaults := getUint64Value(cs.Memory.MajorPageFaults) + getUint64Value(ps.Memory.MajorPageFaults)
+		availableBytes := ptr.Deref(cs.Memory.AvailableBytes, 0) + ptr.Deref(ps.Memory.AvailableBytes, 0)
+		usageBytes := ptr.Deref(cs.Memory.UsageBytes, 0) + ptr.Deref(ps.Memory.UsageBytes, 0)
+		workingSetBytes := ptr.Deref(cs.Memory.WorkingSetBytes, 0) + ptr.Deref(ps.Memory.WorkingSetBytes, 0)
+		rSSBytes := ptr.Deref(cs.Memory.RSSBytes, 0) + ptr.Deref(ps.Memory.RSSBytes, 0)
+		pageFaults := ptr.Deref(cs.Memory.PageFaults, 0) + ptr.Deref(ps.Memory.PageFaults, 0)
+		majorPageFaults := ptr.Deref(cs.Memory.MajorPageFaults, 0) + ptr.Deref(ps.Memory.MajorPageFaults, 0)
 		ps.Memory.AvailableBytes = &availableBytes
 		ps.Memory.UsageBytes = &usageBytes
 		ps.Memory.WorkingSetBytes = &workingSetBytes
@@ -687,8 +693,8 @@ func (p *criStatsProvider) addSwapStats(
 		if ps.Swap == nil {
 			ps.Swap = &statsapi.SwapStats{Time: cs.Swap.Time}
 		}
-		swapAvailableBytes := getUint64Value(cs.Swap.SwapAvailableBytes) + getUint64Value(ps.Swap.SwapAvailableBytes)
-		swapUsageBytes := getUint64Value(cs.Swap.SwapUsageBytes) + getUint64Value(ps.Swap.SwapUsageBytes)
+		swapAvailableBytes := ptr.Deref(cs.Swap.SwapAvailableBytes, 0) + ptr.Deref(ps.Swap.SwapAvailableBytes, 0)
+		swapUsageBytes := ptr.Deref(cs.Swap.SwapUsageBytes, 0) + ptr.Deref(ps.Swap.SwapUsageBytes, 0)
 		ps.Swap.SwapAvailableBytes = &swapAvailableBytes
 		ps.Swap.SwapUsageBytes = &swapUsageBytes
 	}
@@ -728,6 +734,7 @@ func (p *criStatsProvider) addProcessStats(
 }
 
 func (p *criStatsProvider) makeContainerStats(
+	logger klog.Logger,
 	stats *runtimeapi.ContainerStats,
 	container *runtimeapi.Container,
 	rootFsInfo *cadvisorapiv2.FsInfo,
@@ -752,7 +759,7 @@ func (p *criStatsProvider) makeContainerStats(
 		}
 		var usageNanoCores *uint64
 		if updateCPUNanoCoreUsage {
-			usageNanoCores = p.getAndUpdateContainerUsageNanoCores(stats)
+			usageNanoCores = p.getAndUpdateContainerUsageNanoCores(logger, stats)
 		} else {
 			usageNanoCores = p.getContainerUsageNanoCores(stats)
 		}
@@ -819,7 +826,7 @@ func (p *criStatsProvider) makeContainerStats(
 	if fsID != nil {
 		imageFsInfo, found := fsIDtoInfo[fsID.Mountpoint]
 		if !found {
-			imageFsInfo, err = p.getFsInfo(fsID)
+			imageFsInfo, err = p.getFsInfo(logger, fsID)
 			if err != nil {
 				return nil, fmt.Errorf("get filesystem info: %w", err)
 			}
@@ -841,7 +848,7 @@ func (p *criStatsProvider) makeContainerStats(
 	// officially support in-place upgrade anyway.
 	result.Logs, err = p.hostStatsProvider.getPodContainerLogStats(meta.GetNamespace(), meta.GetName(), types.UID(meta.GetUid()), container.GetMetadata().GetName(), rootFsInfo)
 	if err != nil {
-		klog.ErrorS(err, "Unable to fetch container log stats", "containerName", container.GetMetadata().GetName())
+		logger.Error(err, "Unable to fetch container log stats", "containerName", container.GetMetadata().GetName())
 	}
 	return result, nil
 }
@@ -973,7 +980,7 @@ func (p *criStatsProvider) getContainerUsageNanoCores(stats *runtimeapi.Containe
 // getAndUpdateContainerUsageNanoCores first attempts to get the usage nano cores from the stats reported
 // by the CRI. If it is unable to, it computes usageNanoCores based on the given and the cached usageCoreNanoSeconds,
 // updates the cache with the computed usageNanoCores, and returns the usageNanoCores.
-func (p *criStatsProvider) getAndUpdateContainerUsageNanoCores(stats *runtimeapi.ContainerStats) *uint64 {
+func (p *criStatsProvider) getAndUpdateContainerUsageNanoCores(logger klog.Logger, stats *runtimeapi.ContainerStats) *uint64 {
 	if stats == nil || stats.Attributes == nil || stats.Cpu == nil {
 		return nil
 	}
@@ -1015,7 +1022,7 @@ func (p *criStatsProvider) getAndUpdateContainerUsageNanoCores(stats *runtimeapi
 
 	if err != nil {
 		// This should not happen. Log now to raise visibility
-		klog.ErrorS(err, "Failed updating cpu usage nano core")
+		logger.Error(err, "Failed updating cpu usage nano core")
 	}
 	return usage
 }
@@ -1105,11 +1112,12 @@ func removeTerminatedContainers(containers []*runtimeapi.Container) []*runtimeap
 }
 
 func (p *criStatsProvider) addCadvisorContainerStats(
+	logger klog.Logger,
 	cs *statsapi.ContainerStats,
 	caPodStats *cadvisorapiv2.ContainerInfo,
 ) {
 	if caPodStats.Spec.HasCustomMetrics {
-		cs.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(caPodStats)
+		cs.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(logger, caPodStats)
 	}
 
 	cpu, memory := cadvisorInfoToCPUandMemoryStats(caPodStats)
@@ -1134,11 +1142,12 @@ func (p *criStatsProvider) addCadvisorContainerStats(
 }
 
 func (p *criStatsProvider) addCadvisorContainerCPUAndMemoryStats(
+	logger klog.Logger,
 	cs *statsapi.ContainerStats,
 	caPodStats *cadvisorapiv2.ContainerInfo,
 ) {
 	if caPodStats.Spec.HasCustomMetrics {
-		cs.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(caPodStats)
+		cs.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(logger, caPodStats)
 	}
 
 	cpu, memory := cadvisorInfoToCPUandMemoryStats(caPodStats)
@@ -1150,9 +1159,9 @@ func (p *criStatsProvider) addCadvisorContainerCPUAndMemoryStats(
 	}
 }
 
-func getCRICadvisorStats(infos map[string]cadvisorapiv2.ContainerInfo) (map[string]cadvisorapiv2.ContainerInfo, map[string]cadvisorapiv2.ContainerInfo) {
+func getCRICadvisorStats(logger klog.Logger, infos map[string]cadvisorapiv2.ContainerInfo) (map[string]cadvisorapiv2.ContainerInfo, map[string]cadvisorapiv2.ContainerInfo) {
 	stats := make(map[string]cadvisorapiv2.ContainerInfo)
-	filteredInfos, cinfosByPodCgroupKey := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(infos)
+	filteredInfos, cinfosByPodCgroupKey := filterTerminatedContainerInfoAndAssembleByPodCgroupKey(logger, infos)
 	for key, info := range filteredInfos {
 		// On systemd using devicemapper each mount into the container has an
 		// associated cgroup. We ignore them to ensure we do not get duplicate
@@ -1162,7 +1171,7 @@ func getCRICadvisorStats(infos map[string]cadvisorapiv2.ContainerInfo) (map[stri
 			continue
 		}
 		// Build the Pod key if this container is managed by a Pod
-		if !isPodManagedContainer(&info) {
+		if !isPodManagedContainer(logger, &info) {
 			continue
 		}
 		stats[extractIDFromCgroupPath(key)] = info
diff --git a/pkg/kubelet/stats/cri_stats_provider_linux.go b/pkg/kubelet/stats/cri_stats_provider_linux.go
index b3bb466288fbf..576df556de56e 100644
--- a/pkg/kubelet/stats/cri_stats_provider_linux.go
+++ b/pkg/kubelet/stats/cri_stats_provider_linux.go
@@ -28,12 +28,16 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	"k8s.io/kubernetes/pkg/features"
 )
 
-func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.PodSandboxStats,
-	ps *statsapi.PodStats, fsIDtoInfo map[string]*cadvisorapiv2.FsInfo,
+func (p *criStatsProvider) addCRIPodContainerStats(
+	logger klog.Logger,
+	criSandboxStat *runtimeapi.PodSandboxStats,
+	ps *statsapi.PodStats,
+	fsIDtoInfo map[string]*cadvisorapiv2.FsInfo,
 	containerMap map[string]*runtimeapi.Container,
 	podSandbox *runtimeapi.PodSandbox,
 	rootFsInfo *cadvisorapiv2.FsInfo, updateCPUNanoCoreUsage bool) error {
@@ -43,7 +47,7 @@ func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.Po
 			continue
 		}
 		// Fill available stats for full set of required pod stats
-		cs, err := p.makeContainerStats(criContainerStat, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata(),
+		cs, err := p.makeContainerStats(logger, criContainerStat, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata(),
 			updateCPUNanoCoreUsage)
 		if err != nil {
 			return fmt.Errorf("make container stats: %w", err)
@@ -124,6 +128,6 @@ func addCRIPodProcessStats(ps *statsapi.PodStats, criPodStat *runtimeapi.PodSand
 
 // listContainerNetworkStats returns the network stats of all the running containers.
 // It should return (nil, nil) for platforms other than Windows.
-func (p *criStatsProvider) listContainerNetworkStats() (map[string]*statsapi.NetworkStats, error) {
+func (p *criStatsProvider) listContainerNetworkStats(klog.Logger) (map[string]*statsapi.NetworkStats, error) {
 	return nil, nil
 }
diff --git a/pkg/kubelet/stats/cri_stats_provider_others.go b/pkg/kubelet/stats/cri_stats_provider_others.go
index 589419b16a2a9..f8188fb48329b 100644
--- a/pkg/kubelet/stats/cri_stats_provider_others.go
+++ b/pkg/kubelet/stats/cri_stats_provider_others.go
@@ -23,20 +23,25 @@ import (
 	cadvisorapiv2 "github.com/google/cadvisor/info/v2"
 
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 )
 
 // listContainerNetworkStats returns the network stats of all the running containers.
 // It should return (nil, nil) for platforms other than Windows.
-func (p *criStatsProvider) listContainerNetworkStats() (map[string]*statsapi.NetworkStats, error) {
+func (p *criStatsProvider) listContainerNetworkStats(klog.Logger) (map[string]*statsapi.NetworkStats, error) {
 	return nil, nil
 }
 
-func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.PodSandboxStats,
-	ps *statsapi.PodStats, fsIDtoInfo map[string]*cadvisorapiv2.FsInfo,
-	containerMap map[string]*runtimeapi.Container,
-	podSandbox *runtimeapi.PodSandbox,
-	rootFsInfo *cadvisorapiv2.FsInfo, updateCPUNanoCoreUsage bool) error {
+func (p *criStatsProvider) addCRIPodContainerStats(
+	klog.Logger,
+	*runtimeapi.PodSandboxStats,
+	*statsapi.PodStats,
+	map[string]*cadvisorapiv2.FsInfo,
+	map[string]*runtimeapi.Container,
+	*runtimeapi.PodSandbox,
+	*cadvisorapiv2.FsInfo,
+	bool) error {
 	return nil
 }
 
diff --git a/pkg/kubelet/stats/cri_stats_provider_test.go b/pkg/kubelet/stats/cri_stats_provider_test.go
index 8dce61a9631dd..b1deca169c154 100644
--- a/pkg/kubelet/stats/cri_stats_provider_test.go
+++ b/pkg/kubelet/stats/cri_stats_provider_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package stats
 
 import (
-	"context"
 	"math/rand"
 	"os"
 	"path/filepath"
@@ -51,6 +50,7 @@ import (
 	kubepodtest "k8s.io/kubernetes/pkg/kubelet/pod/testing"
 	serverstats "k8s.io/kubernetes/pkg/kubelet/server/stats"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
@@ -100,7 +100,7 @@ const testPodLogDirectory = "/var/log/kube/pods/" // Use non-default path to ens
 
 func TestCRIListPodStats(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletPSI, true)
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	var (
 		imageFsMountpoint = "/test/mount/point"
 		unknownMountpoint = "/unknown/mount/point"
@@ -248,7 +248,7 @@ func TestCRIListPodStats(t *testing.T) {
 		fakeContainerStatsProvider{},
 	)
 
-	stats, err := provider.ListPodStats(ctx)
+	stats, err := provider.ListPodStats(tCtx)
 	assert := assert.New(t)
 	assert.NoError(err)
 	assert.Len(stats, 4)
@@ -351,12 +351,12 @@ func TestCRIListPodStats(t *testing.T) {
 }
 
 func TestListPodStatsStrictlyFromCRI(t *testing.T) {
+	logger, tCtx := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletPSI, true)
 	if runtime.GOOS == "windows" {
 		// TODO: remove skip once the failing test has been fixed.
 		t.Skip("Skip failing test on Windows.")
 	}
-	ctx := context.Background()
 	var (
 		imageFsMountpoint = "/test/mount/point"
 		unknownMountpoint = "/unknown/mount/point"
@@ -483,11 +483,11 @@ func TestListPodStatsStrictlyFromCRI(t *testing.T) {
 		fakeContainerStatsProvider{},
 	)
 
-	cadvisorInfos, err := getCadvisorContainerInfo(mockCadvisor)
+	cadvisorInfos, err := getCadvisorContainerInfo(logger, mockCadvisor)
 	if err != nil {
 		t.Errorf("failed to get container info from cadvisor: %v", err)
 	}
-	stats, err := provider.ListPodStats(ctx)
+	stats, err := provider.ListPodStats(tCtx)
 	assert := assert.New(t)
 	assert.NoError(err)
 	assert.Len(stats, 2)
@@ -552,7 +552,7 @@ func TestListPodStatsStrictlyFromCRI(t *testing.T) {
 }
 func TestCRIListPodCPUAndMemoryStats(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KubeletPSI, true)
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 
 	var (
 		imageFsMountpoint = "/test/mount/point"
@@ -661,7 +661,7 @@ func TestCRIListPodCPUAndMemoryStats(t *testing.T) {
 		fakeContainerStatsProvider{},
 	)
 
-	stats, err := provider.ListPodCPUAndMemoryStats(ctx)
+	stats, err := provider.ListPodCPUAndMemoryStats(tCtx)
 	assert := assert.New(t)
 	assert.NoError(err)
 	assert.Len(stats, 5)
@@ -765,7 +765,7 @@ func TestCRIListPodCPUAndMemoryStats(t *testing.T) {
 }
 
 func TestCRIPodCPUAndMemoryStats(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 
 	const (
 		podName      = "test-pod"
@@ -830,7 +830,7 @@ func TestCRIPodCPUAndMemoryStats(t *testing.T) {
 		},
 	}
 
-	stats, err := provider.PodCPUAndMemoryStats(ctx, pod, podStatus)
+	stats, err := provider.PodCPUAndMemoryStats(tCtx, pod, podStatus)
 	assert := assert.New(t)
 	require.NoError(t, err)
 
@@ -866,7 +866,7 @@ func TestCRIPodCPUAndMemoryStats(t *testing.T) {
 }
 
 func TestCRIImagesFsStats(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	var (
 		imageFsMountpoint = "/test/mount/point"
 		imageFsInfo       = getTestFsInfo(2000)
@@ -896,7 +896,7 @@ func TestCRIImagesFsStats(t *testing.T) {
 		fakeContainerStatsProvider{},
 	)
 
-	stats, containerStats, err := provider.ImageFsStats(ctx)
+	stats, containerStats, err := provider.ImageFsStats(tCtx)
 	assert := assert.New(t)
 	assert.NoError(err)
 
@@ -1513,6 +1513,7 @@ func TestGetContainerUsageNanoCores(t *testing.T) {
 			expected: nil,
 		},
 	}
+	logger, _ := ktesting.NewTestContext(t)
 	for _, test := range tests {
 		provider := &criStatsProvider{cpuUsageCache: test.cpuUsageCache}
 		// Before the update, the cached value should be nil
@@ -1520,7 +1521,7 @@ func TestGetContainerUsageNanoCores(t *testing.T) {
 		assert.Nil(t, cached)
 
 		// Update the cache and get the latest value.
-		real := provider.getAndUpdateContainerUsageNanoCores(test.stats)
+		real := provider.getAndUpdateContainerUsageNanoCores(logger, test.stats)
 		assert.Equal(t, test.expected, real, test.desc)
 
 		// After the update, the cached value should be up-to-date
diff --git a/pkg/kubelet/stats/cri_stats_provider_windows.go b/pkg/kubelet/stats/cri_stats_provider_windows.go
index dc7ff2d7da168..367a46516b827 100644
--- a/pkg/kubelet/stats/cri_stats_provider_windows.go
+++ b/pkg/kubelet/stats/cri_stats_provider_windows.go
@@ -52,12 +52,11 @@ func (s networkStats) GetHNSEndpointStats(endpointName string) (*hnslib.HNSEndpo
 }
 
 // listContainerNetworkStats returns the network stats of all the running containers.
-func (p *criStatsProvider) listContainerNetworkStats() (map[string]*statsapi.NetworkStats, error) {
+func (p *criStatsProvider) listContainerNetworkStats(logger klog.Logger) (map[string]*statsapi.NetworkStats, error) {
 	networkStatsProvider := newNetworkStatsProvider(p)
-
 	endpoints, err := networkStatsProvider.HNSListEndpointRequest()
 	if err != nil {
-		klog.ErrorS(err, "Failed to fetch current HNS endpoints")
+		logger.Error(err, "Failed to fetch current HNS endpoints")
 		return nil, err
 	}
 
@@ -65,7 +64,7 @@ func (p *criStatsProvider) listContainerNetworkStats() (map[string]*statsapi.Net
 	for _, endpoint := range endpoints {
 		endpointStats, err := networkStatsProvider.GetHNSEndpointStats(endpoint.Id)
 		if err != nil {
-			klog.V(2).InfoS("Failed to fetch statistics for endpoint, continue to get stats for other endpoints", "endpointId", endpoint.Id, "containers", endpoint.SharedContainers)
+			logger.V(2).Info("Failed to fetch statistics for endpoint, continue to get stats for other endpoints", "endpointId", endpoint.Id, "containers", endpoint.SharedContainers)
 			continue
 		}
 
@@ -84,7 +83,7 @@ func (p *criStatsProvider) listContainerNetworkStats() (map[string]*statsapi.Net
 	return networkStats, nil
 }
 
-func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.PodSandboxStats,
+func (p *criStatsProvider) addCRIPodContainerStats(logger klog.Logger, criSandboxStat *runtimeapi.PodSandboxStats,
 	ps *statsapi.PodStats, fsIDtoInfo map[string]*cadvisorapiv2.FsInfo,
 	containerMap map[string]*runtimeapi.Container,
 	podSandbox *runtimeapi.PodSandbox,
@@ -96,7 +95,7 @@ func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.Po
 			continue
 		}
 		// Fill available stats for full set of required pod stats
-		cs, err := p.makeWinContainerStats(criContainerStat, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata())
+		cs, err := p.makeWinContainerStats(logger, criContainerStat, container, rootFsInfo, fsIDtoInfo, podSandbox.GetMetadata())
 		if err != nil {
 			return fmt.Errorf("make container stats: %w", err)
 
@@ -108,6 +107,7 @@ func (p *criStatsProvider) addCRIPodContainerStats(criSandboxStat *runtimeapi.Po
 }
 
 func (p *criStatsProvider) makeWinContainerStats(
+	logger klog.Logger,
 	stats *runtimeapi.WindowsContainerStats,
 	container *runtimeapi.Container,
 	rootFsInfo *cadvisorapiv2.FsInfo,
@@ -163,7 +163,7 @@ func (p *criStatsProvider) makeWinContainerStats(
 	if fsID != nil {
 		imageFsInfo, found := fsIDtoInfo[fsID.Mountpoint]
 		if !found {
-			imageFsInfo, err = p.getFsInfo(fsID)
+			imageFsInfo, err = p.getFsInfo(logger, fsID)
 			if err != nil {
 				return nil, fmt.Errorf("get filesystem info: %w", err)
 			}
@@ -183,7 +183,7 @@ func (p *criStatsProvider) makeWinContainerStats(
 	// officially support in-place upgrade anyway.
 	result.Logs, err = p.hostStatsProvider.getPodContainerLogStats(meta.GetNamespace(), meta.GetName(), types.UID(meta.GetUid()), container.GetMetadata().GetName(), rootFsInfo)
 	if err != nil {
-		klog.ErrorS(err, "Unable to fetch container log stats", "containerName", container.GetMetadata().GetName())
+		logger.Error(err, "Unable to fetch container log stats", "containerName", container.GetMetadata().GetName())
 	}
 	return result, nil
 }
diff --git a/pkg/kubelet/stats/cri_stats_provider_windows_test.go b/pkg/kubelet/stats/cri_stats_provider_windows_test.go
index b8a8fbb015d2b..d7c77522c669b 100644
--- a/pkg/kubelet/stats/cri_stats_provider_windows_test.go
+++ b/pkg/kubelet/stats/cri_stats_provider_windows_test.go
@@ -32,6 +32,7 @@ import (
 	kubecontainertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/kuberuntime"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	testingclock "k8s.io/utils/clock/testing"
 	"k8s.io/utils/ptr"
 )
@@ -423,6 +424,7 @@ func Test_criStatsProvider_listContainerNetworkStats(t *testing.T) {
 			skipped: true,
 		},
 	}
+	logger, _ := ktesting.NewTestContext(t)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// TODO: Remove skip once https://github.com/kubernetes/kubernetes/issues/116692 is fixed.
@@ -435,7 +437,7 @@ func Test_criStatsProvider_listContainerNetworkStats(t *testing.T) {
 				},
 				clock: fakeClock,
 			}
-			got, err := p.listContainerNetworkStats()
+			got, err := p.listContainerNetworkStats(logger)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("listContainerNetworkStats() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -522,7 +524,8 @@ func Test_criStatsProvider_makeWinContainerStats(t *testing.T) {
 		Uid:       "sb0-uid",
 	}
 
-	got, err := p.makeWinContainerStats(inputStats, inputContainer, inputRootFsInfo, make(map[string]*cadvisorapiv2.FsInfo), inputPodSandboxMetadata)
+	logger, _ := ktesting.NewTestContext(t)
+	got, err := p.makeWinContainerStats(logger, inputStats, inputContainer, inputRootFsInfo, make(map[string]*cadvisorapiv2.FsInfo), inputPodSandboxMetadata)
 
 	expected := &statsapi.ContainerStats{
 		Name:      "c0",
diff --git a/pkg/kubelet/stats/helper.go b/pkg/kubelet/stats/helper.go
index cb7460a41662c..9631a7d9d57bb 100644
--- a/pkg/kubelet/stats/helper.go
+++ b/pkg/kubelet/stats/helper.go
@@ -91,7 +91,7 @@ func cadvisorInfoToCPUandMemoryStats(info *cadvisorapiv2.ContainerInfo) (*statsa
 
 // cadvisorInfoToContainerStats returns the statsapi.ContainerStats converted
 // from the container and filesystem info.
-func cadvisorInfoToContainerStats(name string, info *cadvisorapiv2.ContainerInfo, rootFs, imageFs *cadvisorapiv2.FsInfo) *statsapi.ContainerStats {
+func cadvisorInfoToContainerStats(logger klog.Logger, name string, info *cadvisorapiv2.ContainerInfo, rootFs, imageFs *cadvisorapiv2.FsInfo) *statsapi.ContainerStats {
 	result := &statsapi.ContainerStats{
 		StartTime: metav1.NewTime(info.Spec.CreationTime),
 		Name:      name,
@@ -151,7 +151,7 @@ func cadvisorInfoToContainerStats(name string, info *cadvisorapiv2.ContainerInfo
 		})
 	}
 
-	result.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(info)
+	result.UserDefinedMetrics = cadvisorInfoToUserDefinedMetrics(logger, info)
 
 	return result
 }
@@ -247,7 +247,7 @@ func cadvisorInfoToNetworkStats(info *cadvisorapiv2.ContainerInfo) *statsapi.Net
 
 // cadvisorInfoToUserDefinedMetrics returns the statsapi.UserDefinedMetric
 // converted from the container info from cadvisor.
-func cadvisorInfoToUserDefinedMetrics(info *cadvisorapiv2.ContainerInfo) []statsapi.UserDefinedMetric {
+func cadvisorInfoToUserDefinedMetrics(logger klog.Logger, info *cadvisorapiv2.ContainerInfo) []statsapi.UserDefinedMetric {
 	type specVal struct {
 		ref     statsapi.UserDefinedMetricDescriptor
 		valType cadvisorapiv1.DataType
@@ -269,7 +269,7 @@ func cadvisorInfoToUserDefinedMetrics(info *cadvisorapiv2.ContainerInfo) []stats
 		for name, values := range stat.CustomMetrics {
 			specVal, ok := udmMap[name]
 			if !ok {
-				klog.InfoS("Spec for custom metric is missing from cAdvisor output", "metric", name, "spec", info.Spec, "metrics", stat.CustomMetrics)
+				logger.Info("Spec for custom metric is missing from cAdvisor output", "metric", name, "spec", info.Spec, "metrics", stat.CustomMetrics)
 				continue
 			}
 			for _, value := range values {
@@ -423,14 +423,6 @@ func buildRootfsStats(cstat *cadvisorapiv2.ContainerStats, imageFs *cadvisorapiv
 	}
 }
 
-func getUint64Value(value *uint64) uint64 {
-	if value == nil {
-		return 0
-	}
-
-	return *value
-}
-
 func calcEphemeralStorage(containers []statsapi.ContainerStats, volumes []statsapi.VolumeStats, rootFsInfo *cadvisorapiv2.FsInfo,
 	podLogStats *statsapi.FsStats, etcHostsStats *statsapi.FsStats, isCRIStatsProvider bool) *statsapi.FsStats {
 	result := &statsapi.FsStats{
@@ -494,7 +486,7 @@ func addUsage(first, second *uint64) *uint64 {
 	return &total
 }
 
-func makePodStorageStats(s *statsapi.PodStats, rootFsInfo *cadvisorapiv2.FsInfo, resourceAnalyzer stats.ResourceAnalyzer, hostStatsProvider HostStatsProvider, isCRIStatsProvider bool) {
+func makePodStorageStats(logger klog.Logger, s *statsapi.PodStats, rootFsInfo *cadvisorapiv2.FsInfo, resourceAnalyzer stats.ResourceAnalyzer, hostStatsProvider HostStatsProvider, isCRIStatsProvider bool) {
 	podNs := s.PodRef.Namespace
 	podName := s.PodRef.Name
 	podUID := types.UID(s.PodRef.UID)
@@ -503,11 +495,11 @@ func makePodStorageStats(s *statsapi.PodStats, rootFsInfo *cadvisorapiv2.FsInfo,
 		ephemeralStats = make([]statsapi.VolumeStats, len(vstats.EphemeralVolumes))
 		copy(ephemeralStats, vstats.EphemeralVolumes)
 		s.VolumeStats = append(append([]statsapi.VolumeStats{}, vstats.EphemeralVolumes...), vstats.PersistentVolumes...)
-
 	}
+
 	logStats, err := hostStatsProvider.getPodLogStats(podNs, podName, podUID, rootFsInfo)
 	if err != nil {
-		klog.V(6).ErrorS(err, "Unable to fetch pod log stats", "pod", klog.KRef(podNs, podName))
+		logger.V(6).Info("Unable to fetch pod log stats", "pod", klog.KRef(podNs, podName), "err", err)
 		// If people do in-place upgrade, there might be pods still using
 		// the old log path. For those pods, no pod log stats is returned.
 		// We should continue generating other stats in that case.
@@ -515,7 +507,7 @@ func makePodStorageStats(s *statsapi.PodStats, rootFsInfo *cadvisorapiv2.FsInfo,
 	}
 	etcHostsStats, err := hostStatsProvider.getPodEtcHostsStats(podUID, rootFsInfo)
 	if err != nil {
-		klog.V(6).ErrorS(err, "Unable to fetch pod etc hosts stats", "pod", klog.KRef(podNs, podName))
+		logger.V(6).Info("Unable to fetch pod etc hosts stats", "pod", klog.KRef(podNs, podName), "err", err)
 	}
 	s.EphemeralStorage = calcEphemeralStorage(s.Containers, ephemeralStats, rootFsInfo, logStats, etcHostsStats, isCRIStatsProvider)
 }
diff --git a/pkg/kubelet/stats/helper_test.go b/pkg/kubelet/stats/helper_test.go
index 3c111363bc1e3..4cf4d60bc1a4e 100644
--- a/pkg/kubelet/stats/helper_test.go
+++ b/pkg/kubelet/stats/helper_test.go
@@ -29,6 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
@@ -81,7 +82,8 @@ func TestCustomMetrics(t *testing.T) {
 			},
 		},
 	}
-	assert.Contains(t, cadvisorInfoToUserDefinedMetrics(&cInfo),
+	logger, _ := ktesting.NewTestContext(t)
+	assert.Contains(t, cadvisorInfoToUserDefinedMetrics(logger, &cInfo),
 		statsapi.UserDefinedMetric{
 			UserDefinedMetricDescriptor: statsapi.UserDefinedMetricDescriptor{
 				Name:  "qos",
diff --git a/pkg/kubelet/stats/provider.go b/pkg/kubelet/stats/provider.go
index 71fa3115f0b4e..924cc28eb67b6 100644
--- a/pkg/kubelet/stats/provider.go
+++ b/pkg/kubelet/stats/provider.go
@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	internalapi "k8s.io/cri-api/pkg/apis"
+	"k8s.io/klog/v2"
 	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	"k8s.io/kubernetes/pkg/kubelet/cadvisor"
 	"k8s.io/kubernetes/pkg/kubelet/cm"
@@ -121,8 +122,11 @@ func (p *Provider) GetCgroupStats(cgroupName string, updateStats bool) (*statsap
 		}
 		return nil, nil, fmt.Errorf("failed to get cgroup stats for %q: %v", cgroupName, err)
 	}
+	// Use klog.TODO() because we currently do not have a proper logger to pass in.
+	// Replace this with an appropriate logger when refactoring this function to accept a context parameter.
+	logger := klog.TODO()
 	// Rootfs and imagefs doesn't make sense for raw cgroup.
-	s := cadvisorInfoToContainerStats(cgroupName, info, nil, nil)
+	s := cadvisorInfoToContainerStats(logger, cgroupName, info, nil, nil)
 	n := cadvisorInfoToNetworkStats(info)
 	return s, n, nil
 }
diff --git a/pkg/kubelet/stats/provider_test.go b/pkg/kubelet/stats/provider_test.go
index b1372f32eaadf..c4bb2d79e9d58 100644
--- a/pkg/kubelet/stats/provider_test.go
+++ b/pkg/kubelet/stats/provider_test.go
@@ -41,6 +41,7 @@ import (
 	kubepodtest "k8s.io/kubernetes/pkg/kubelet/pod/testing"
 	serverstats "k8s.io/kubernetes/pkg/kubelet/server/stats"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
@@ -172,7 +173,7 @@ func TestRootFsStats(t *testing.T) {
 }
 
 func TestHasDedicatedImageFs(t *testing.T) {
-	ctx := context.Background()
+	tCtx := ktesting.Init(t)
 	imageStatsExpected := &statsapi.FsStats{AvailableBytes: ptr.To[uint64](1)}
 
 	for desc, test := range map[string]struct {
@@ -215,7 +216,7 @@ func TestHasDedicatedImageFs(t *testing.T) {
 			containerFs: test.containerFsStats,
 		})
 
-		dedicated, err := provider.HasDedicatedImageFs(ctx)
+		dedicated, err := provider.HasDedicatedImageFs(tCtx)
 		assert.NoError(t, err)
 		assert.Equal(t, test.dedicated, dedicated)
 	}
@@ -616,7 +617,7 @@ type fakeResourceAnalyzer struct {
 	podVolumeStats serverstats.PodVolumeStats
 }
 
-func (o *fakeResourceAnalyzer) Start()                                               {}
+func (o *fakeResourceAnalyzer) Start(context.Context)                                {}
 func (o *fakeResourceAnalyzer) Get(context.Context, bool) (*statsapi.Summary, error) { return nil, nil }
 func (o *fakeResourceAnalyzer) GetCPUAndMemoryStats(context.Context) (*statsapi.Summary, error) {
 	return nil, nil
diff --git a/pkg/kubelet/status/.mockery.yaml b/pkg/kubelet/status/.mockery.yaml
index e57d22e2ee21b..ead47cb8501c0 100644
--- a/pkg/kubelet/status/.mockery.yaml
+++ b/pkg/kubelet/status/.mockery.yaml
@@ -1,10 +1,12 @@
 ---
 dir: testing
-filename: "mock_{{.InterfaceName | snakecase}}.go"
-boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: testing
-with-expecter: true
+filename: mocks.go
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/pkg/kubelet/status:
     interfaces:
-      PodStatusProvider:
+      PodStatusProvider: {}
diff --git a/pkg/kubelet/status/generate.go b/pkg/kubelet/status/generate.go
index 21fa6aba02fe4..79783fba06b53 100644
--- a/pkg/kubelet/status/generate.go
+++ b/pkg/kubelet/status/generate.go
@@ -21,7 +21,9 @@ import (
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
 )
@@ -39,6 +41,8 @@ const (
 	ContainersNotInitialized = "ContainersNotInitialized"
 	// ReadinessGatesNotReady says that one or more pod readiness gates are not ready.
 	ReadinessGatesNotReady = "ReadinessGatesNotReady"
+	// RestartAllContainersStarted says that a container exited and triggered RestartAllContainer action.
+	RestartAllContainersStarted = "RestartAllContainersStarted"
 )
 
 // GenerateContainersReadyCondition returns the status of "ContainersReady" condition.
@@ -233,6 +237,20 @@ func GeneratePodInitializedCondition(pod *v1.Pod, oldPodStatus *v1.PodStatus, co
 	}
 	unreadyMessage := strings.Join(unreadyMessages, ", ")
 	if unreadyMessage != "" {
+		// During pod in-place restart, init container status can change from completed to waiting.
+		// However, it is assumed that once a pod is initialized, it cannot be uninitialized. If
+		// the pod is already initialized, the condition is kept.
+		if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+			for _, cond := range oldPodStatus.Conditions {
+				if cond.Type == v1.PodInitialized && cond.Status == v1.ConditionTrue {
+					return v1.PodCondition{
+						Type:               v1.PodInitialized,
+						ObservedGeneration: podutil.CalculatePodConditionObservedGeneration(oldPodStatus, pod.Generation, v1.PodInitialized),
+						Status:             v1.ConditionTrue,
+					}
+				}
+			}
+		}
 		return v1.PodCondition{
 			Type:               v1.PodInitialized,
 			ObservedGeneration: podutil.CalculatePodConditionObservedGeneration(oldPodStatus, pod.Generation, v1.PodInitialized),
@@ -300,3 +318,39 @@ func generatePodReadyConditionForTerminalPhase(pod *v1.Pod, oldPodStatus *v1.Pod
 
 	return condition
 }
+
+func GenerateAllContainersRestartingCondition(pod *v1.Pod, podStatus *kubecontainer.PodStatus, oldPodStatus *v1.PodStatus, podPhase v1.PodPhase) v1.PodCondition {
+	if podPhase == v1.PodSucceeded {
+		return v1.PodCondition{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionFalse,
+			Reason: PodCompleted,
+		}
+	}
+	if podPhase == v1.PodFailed {
+		return v1.PodCondition{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionFalse,
+			Reason: PodFailed,
+		}
+	}
+
+	if !kubecontainer.ShouldAllContainersRestart(pod, podStatus, oldPodStatus) {
+		return v1.PodCondition{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionFalse,
+		}
+	}
+	if kubecontainer.AllContainersRestartCleanedUp(pod, podStatus) {
+		return v1.PodCondition{
+			Type:   v1.AllContainersRestarting,
+			Status: v1.ConditionFalse,
+		}
+	}
+	return v1.PodCondition{
+		Type:    v1.AllContainersRestarting,
+		Status:  v1.ConditionTrue,
+		Reason:  RestartAllContainersStarted,
+		Message: "container exited with restart policy rule",
+	}
+}
diff --git a/pkg/kubelet/status/generate_test.go b/pkg/kubelet/status/generate_test.go
index 9de500f9a6692..76915a8150510 100644
--- a/pkg/kubelet/status/generate_test.go
+++ b/pkg/kubelet/status/generate_test.go
@@ -24,7 +24,10 @@ import (
 	"github.com/stretchr/testify/require"
 
 	v1 "k8s.io/api/core/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/utils/ptr"
 )
@@ -541,8 +544,30 @@ func TestGeneratePodInitializedCondition(t *testing.T) {
 				Status: v1.ConditionTrue,
 			},
 		},
+		{
+			spec: oneInitContainer,
+			containerStatuses: []v1.ContainerStatus{{
+				Name: "1234",
+				State: v1.ContainerState{
+					Waiting: &v1.ContainerStateWaiting{},
+				},
+			}, {
+				Name: "regular",
+				State: v1.ContainerState{
+					Terminated: &v1.ContainerStateTerminated{},
+				},
+			}},
+			podPhase: v1.PodRunning,
+			expected: v1.PodCondition{
+				Status: v1.ConditionTrue,
+			},
+		},
 	}
-
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
 	for _, test := range tests {
 		test.expected.Type = v1.PodInitialized
 		pod := &v1.Pod{Spec: *test.spec}
@@ -625,6 +650,131 @@ func TestGeneratePodReadyToStartContainersCondition(t *testing.T) {
 	}
 }
 
+func TestGenerateAllContainersRestartingCondition(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ContainerRestartRules:                true,
+		features.NodeDeclaredFeatures:                 true,
+		features.RestartAllContainersOnContainerExits: true,
+	})
+
+	restartPolicyNever := v1.ContainerRestartPolicyNever
+	defaultPod := &v1.Pod{
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{{
+				Name: "container1",
+			}, {
+				Name:          "trigger",
+				RestartPolicy: &restartPolicyNever,
+				RestartPolicyRules: []v1.ContainerRestartRule{{
+					Action: v1.ContainerRestartRuleActionRestartAllContainers,
+					ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+						Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+						Values:   []int32{42},
+					},
+				}},
+			}},
+		},
+	}
+
+	for desc, test := range map[string]struct {
+		podStatus    *kubecontainer.PodStatus
+		oldAPIStatus *v1.PodStatus
+		phase        v1.PodPhase
+		expected     v1.PodCondition
+	}{
+		"pod pending": {
+			phase: v1.PodPending,
+			expected: v1.PodCondition{
+				Status: v1.ConditionFalse,
+			},
+		},
+		"pod failed": {
+			phase: v1.PodFailed,
+			expected: v1.PodCondition{
+				Status: v1.ConditionFalse,
+				Reason: PodFailed,
+			},
+		},
+		"pod succeeded": {
+			phase: v1.PodSucceeded,
+			expected: v1.PodCondition{
+				Status: v1.ConditionFalse,
+				Reason: PodCompleted,
+			},
+		},
+		"container triggers RestartAllContainers rule": {
+			podStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{
+					{
+						Name:  "container",
+						State: kubecontainer.ContainerStateRunning,
+					},
+					{
+						Name:     "trigger",
+						State:    kubecontainer.ContainerStateExited,
+						ExitCode: 42,
+					},
+				},
+			},
+			phase: v1.PodRunning,
+			expected: v1.PodCondition{
+				Status:  v1.ConditionTrue,
+				Reason:  "RestartAllContainersStarted",
+				Message: "container exited with restart policy rule",
+			},
+		},
+		"container triggres RestartAllContainers rule, cleaning up": {
+			podStatus: &kubecontainer.PodStatus{
+				ContainerStatuses: []*kubecontainer.Status{
+					{
+						Name:  "container",
+						State: kubecontainer.ContainerStateExited,
+					},
+					{
+						Name:     "trigger",
+						State:    kubecontainer.ContainerStateExited,
+						ExitCode: 42,
+					},
+				},
+			},
+			oldAPIStatus: &v1.PodStatus{
+				Conditions: []v1.PodCondition{{
+					Type:   v1.AllContainersRestarting,
+					Status: v1.ConditionTrue,
+				}},
+			},
+			phase: v1.PodRunning,
+			expected: v1.PodCondition{
+				Status:  v1.ConditionTrue,
+				Reason:  "RestartAllContainersStarted",
+				Message: "container exited with restart policy rule",
+			},
+		},
+		"container triggres RestartAllContainers rule, cleaned up": {
+			oldAPIStatus: &v1.PodStatus{
+				Conditions: []v1.PodCondition{{
+					Type:   v1.AllContainersRestarting,
+					Status: v1.ConditionTrue,
+				}},
+			},
+			phase: v1.PodPending,
+			expected: v1.PodCondition{
+				Status: v1.ConditionFalse,
+			},
+		},
+	} {
+		t.Run(desc, func(t *testing.T) {
+			test.expected.Type = v1.AllContainersRestarting
+			podStatus := &kubecontainer.PodStatus{}
+			if test.podStatus != nil {
+				podStatus = test.podStatus
+			}
+			condition := GenerateAllContainersRestartingCondition(defaultPod, podStatus, test.oldAPIStatus, test.phase)
+			require.Equal(t, test.expected, condition)
+		})
+	}
+}
+
 func getPodCondition(conditionType v1.PodConditionType, status v1.ConditionStatus, reason, message string) v1.PodCondition {
 	return v1.PodCondition{
 		Type:    conditionType,
diff --git a/pkg/kubelet/status/status_manager.go b/pkg/kubelet/status/status_manager.go
index 236e06576e7e6..f4334b59ce9ca 100644
--- a/pkg/kubelet/status/status_manager.go
+++ b/pkg/kubelet/status/status_manager.go
@@ -20,6 +20,7 @@ package status
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"sort"
 	"strings"
 	"sync"
@@ -156,19 +157,23 @@ type Manager interface {
 	GetPodResizeConditions(podUID types.UID) []*v1.PodCondition
 
 	// SetPodResizePendingCondition caches the last PodResizePending condition for the pod.
-	SetPodResizePendingCondition(podUID types.UID, reason, message string, observedGeneration int64)
+	// It returns true if the condition reason or observedGeneration is modified as a result of this call.
+	SetPodResizePendingCondition(podUID types.UID, reason, message string, observedGeneration int64) bool
 
 	// SetPodResizeInProgressCondition caches the last PodResizeInProgress condition for the pod.
 	// This function does not update observedGeneration if the condition already exists, nor does
 	// it allow the reason or message to be cleared.
-	SetPodResizeInProgressCondition(podUID types.UID, reason, message string, observedGeneration int64)
+	// It returns true if the condition is modified as a result of this call, and it returns
+	// the observedGeneration of the condition.
+	SetPodResizeInProgressCondition(podUID types.UID, reason, message string, observedGeneration int64) (int64, bool)
 
 	// ClearPodResizePendingCondition clears the PodResizePending condition for the pod from the cache.
 	ClearPodResizePendingCondition(podUID types.UID)
 
 	// ClearPodResizeInProgressCondition clears the PodResizeInProgress condition for the pod from the cache.
-	// Returns true if the condition was cleared, false if it was not set.
-	ClearPodResizeInProgressCondition(podUID types.UID) bool
+	// If the condition was cleared, it returns the observedGeneration of the cleared condition and true.
+	// Otherwise it returns zero and false.
+	ClearPodResizeInProgressCondition(podUID types.UID) (int64, bool)
 
 	// IsPodResizeDeferred returns true if the pod resize is currently deferred.
 	IsPodResizeDeferred(podUID types.UID) bool
@@ -269,30 +274,35 @@ func (m *manager) GetPodResizeConditions(podUID types.UID) []*v1.PodCondition {
 }
 
 // SetPodResizePendingCondition caches the last PodResizePending condition for the pod.
-func (m *manager) SetPodResizePendingCondition(podUID types.UID, reason, message string, observedGeneration int64) {
+// It returns true if the condition reason or observedGeneration is modified as a result of this call.
+func (m *manager) SetPodResizePendingCondition(podUID types.UID, reason, message string, observedGeneration int64) bool {
 	m.podStatusesLock.Lock()
 	defer m.podStatusesLock.Unlock()
 
-	alreadyPending := m.podResizeConditions[podUID].PodResizePending != nil
+	previousCondition := m.podResizeConditions[podUID].PodResizePending
 
 	m.podResizeConditions[podUID] = podResizeConditions{
 		PodResizePending:    updatedPodResizeCondition(v1.PodResizePending, m.podResizeConditions[podUID].PodResizePending, reason, message, observedGeneration),
 		PodResizeInProgress: m.podResizeConditions[podUID].PodResizeInProgress,
 	}
 
-	if !alreadyPending {
+	if previousCondition == nil {
 		m.recordPendingResizeCount()
+		return true
+	} else {
+		return previousCondition.Reason != reason || previousCondition.ObservedGeneration != observedGeneration
 	}
 }
 
 // This function does not update observedGeneration if the condition already exists, nor does
 // it allow the reason or message to be cleared.
-func (m *manager) SetPodResizeInProgressCondition(podUID types.UID, reason, message string, observedGeneration int64) {
+// It returns true if the condition is modified as a result of this call, and it returns
+// the observedGeneration of the condition.
+func (m *manager) SetPodResizeInProgressCondition(podUID types.UID, reason, message string, observedGeneration int64) (int64, bool) {
 	m.podStatusesLock.Lock()
 	defer m.podStatusesLock.Unlock()
 
-	alreadyInProgress := m.podResizeConditions[podUID].PodResizeInProgress != nil
-
+	previousCondition := m.podResizeConditions[podUID].PodResizeInProgress
 	if c := m.podResizeConditions[podUID].PodResizeInProgress; c != nil {
 		// Preserve the old reason, message if they exist.
 		if reason == "" && message == "" {
@@ -309,9 +319,15 @@ func (m *manager) SetPodResizeInProgressCondition(podUID types.UID, reason, mess
 		PodResizePending:    m.podResizeConditions[podUID].PodResizePending,
 	}
 
-	if !alreadyInProgress {
+	if previousCondition == nil {
 		m.recordInProgressResizeCount()
+	} else {
+		// Ignore lastProbeTime when comparing conditions.
+		previousCondition.LastProbeTime = m.podResizeConditions[podUID].PodResizeInProgress.LastProbeTime
+		previousCondition.LastTransitionTime = m.podResizeConditions[podUID].PodResizeInProgress.LastTransitionTime
 	}
+
+	return observedGeneration, !reflect.DeepEqual(previousCondition, m.podResizeConditions[podUID].PodResizeInProgress)
 }
 
 // ClearPodResizePendingCondition clears the PodResizePending condition for the pod from the cache.
@@ -332,22 +348,24 @@ func (m *manager) ClearPodResizePendingCondition(podUID types.UID) {
 }
 
 // ClearPodResizeInProgressCondition clears the PodResizeInProgress condition for the pod from the cache.
-// Returns true if the condition was cleared, false if it was not set.
-func (m *manager) ClearPodResizeInProgressCondition(podUID types.UID) bool {
+// If the condition was cleared, it returns the observedGeneration of the cleared condition and true.
+// Otherwise it returns zero and false.
+func (m *manager) ClearPodResizeInProgressCondition(podUID types.UID) (int64, bool) {
 	m.podStatusesLock.Lock()
 	defer m.podStatusesLock.Unlock()
 
 	if m.podResizeConditions[podUID].PodResizeInProgress == nil {
-		return false
+		return 0, false
 	}
 
+	generation := m.podResizeConditions[podUID].PodResizeInProgress.ObservedGeneration
 	m.podResizeConditions[podUID] = podResizeConditions{
 		PodResizePending:    m.podResizeConditions[podUID].PodResizePending,
 		PodResizeInProgress: nil,
 	}
 
 	m.recordInProgressResizeCount()
-	return true
+	return generation, true
 }
 
 func (m *manager) BackfillPodResizeConditions(pods []*v1.Pod) {
@@ -683,6 +701,12 @@ func checkContainerStateTransition(oldStatuses, newStatuses *v1.PodStatus, podSp
 	if podSpec.RestartPolicy == v1.RestartPolicyAlways {
 		return nil
 	}
+	// If the pod can restart in-place, allow all containers to leave the terminated state.
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+		if podutil.AllContainersCouldRestart(podSpec) {
+			return nil
+		}
+	}
 	for _, oldStatus := range oldStatuses.ContainerStatuses {
 		// Skip any container that wasn't terminated
 		if oldStatus.State.Terminated == nil {
@@ -794,6 +818,9 @@ func (m *manager) updateStatusInternal(logger klog.Logger, pod *v1.Pod, status v
 	// Set DisruptionTarget.LastTransitionTime.
 	updateLastTransitionTime(&status, &oldStatus, v1.DisruptionTarget)
 
+	// Set AllContainersRestarting.LastTransitionTime
+	updateLastTransitionTime(&status, &oldStatus, v1.AllContainersRestarting)
+
 	// ensure that the start time does not change across updates.
 	if oldStatus.StartTime != nil && !oldStatus.StartTime.IsZero() {
 		status.StartTime = oldStatus.StartTime
diff --git a/pkg/kubelet/status/status_manager_test.go b/pkg/kubelet/status/status_manager_test.go
index 67ecb3a2b068a..0b3c7da275dc1 100644
--- a/pkg/kubelet/status/status_manager_test.go
+++ b/pkg/kubelet/status/status_manager_test.go
@@ -2079,8 +2079,9 @@ func TestPodResizeConditions(t *testing.T) {
 
 	testCases := []struct {
 		name                          string
-		updateFunc                    func(types.UID)
+		updateFunc                    func(types.UID) bool
 		expected                      []*v1.PodCondition
+		expectedUpdateFuncReturnVal   bool
 		expectedIsPodResizeDeferred   bool
 		expectedIsPodResizeInfeasible bool
 	}{
@@ -2091,9 +2092,11 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "set pod resize in progress condition with reason and message",
-			updateFunc: func(podUID types.UID) {
-				m.SetPodResizeInProgressCondition(podUID, "some-reason", "some-message", 1)
+			updateFunc: func(podUID types.UID) bool {
+				_, b := m.SetPodResizeInProgressCondition(podUID, "some-reason", "some-message", 1)
+				return b
 			},
+			expectedUpdateFuncReturnVal: true,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizeInProgress,
@@ -2106,9 +2109,11 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "set pod resize in progress condition without reason and message",
-			updateFunc: func(podUID types.UID) {
-				m.SetPodResizeInProgressCondition(podUID, "", "", 1)
+			updateFunc: func(podUID types.UID) bool {
+				_, b := m.SetPodResizeInProgressCondition(podUID, "", "", 1)
+				return b
 			},
+			expectedUpdateFuncReturnVal: false,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizeInProgress,
@@ -2121,9 +2126,11 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "attempt to overwrite pod resize in progress condition with a new observedGeneration",
-			updateFunc: func(podUID types.UID) {
-				m.SetPodResizeInProgressCondition(podUID, "", "", 2)
+			updateFunc: func(podUID types.UID) bool {
+				_, b := m.SetPodResizeInProgressCondition(podUID, "", "", 2)
+				return b
 			},
+			expectedUpdateFuncReturnVal: false,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizeInProgress,
@@ -2136,11 +2143,13 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "clear the pod resize in progress condition and set a new one",
-			updateFunc: func(podUID types.UID) {
+			updateFunc: func(podUID types.UID) bool {
 				m.ClearPodResizeInProgressCondition(podUID)
 				// Set a new condition with a different observedGeneration
-				m.SetPodResizeInProgressCondition(podUID, "", "", 2)
+				_, b := m.SetPodResizeInProgressCondition(podUID, "", "", 2)
+				return b
 			},
+			expectedUpdateFuncReturnVal: true,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizeInProgress,
@@ -2151,9 +2160,10 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "set pod resize pending condition to deferred with message",
-			updateFunc: func(podUID types.UID) {
-				m.SetPodResizePendingCondition(podUID, v1.PodReasonDeferred, "some-message", 1)
+			updateFunc: func(podUID types.UID) bool {
+				return m.SetPodResizePendingCondition(podUID, v1.PodReasonDeferred, "some-message", 1)
 			},
+			expectedUpdateFuncReturnVal: true,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizePending,
@@ -2170,11 +2180,34 @@ func TestPodResizeConditions(t *testing.T) {
 			},
 			expectedIsPodResizeDeferred: true,
 		},
+		{
+			name: "change the deferred message",
+			updateFunc: func(podUID types.UID) bool {
+				return m.SetPodResizePendingCondition(podUID, v1.PodReasonDeferred, "some-other-message", 1)
+			},
+			expectedUpdateFuncReturnVal: false,
+			expected: []*v1.PodCondition{
+				{
+					Type:               v1.PodResizePending,
+					Status:             v1.ConditionTrue,
+					Reason:             v1.PodReasonDeferred,
+					Message:            "some-other-message",
+					ObservedGeneration: 1,
+				},
+				{
+					Type:               v1.PodResizeInProgress,
+					Status:             v1.ConditionTrue,
+					ObservedGeneration: 2,
+				},
+			},
+			expectedIsPodResizeDeferred: true,
+		},
 		{
 			name: "set pod resize pending condition to infeasible with message",
-			updateFunc: func(podUID types.UID) {
-				m.SetPodResizePendingCondition(podUID, v1.PodReasonInfeasible, "some-message", 3)
+			updateFunc: func(podUID types.UID) bool {
+				return m.SetPodResizePendingCondition(podUID, v1.PodReasonInfeasible, "some-message", 3)
 			},
+			expectedUpdateFuncReturnVal: true,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizePending,
@@ -2193,9 +2226,11 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "clear pod resize in progress condition",
-			updateFunc: func(podUID types.UID) {
-				m.ClearPodResizeInProgressCondition(podUID)
+			updateFunc: func(podUID types.UID) bool {
+				_, b := m.ClearPodResizeInProgressCondition(podUID)
+				return b
 			},
+			expectedUpdateFuncReturnVal: true,
 			expected: []*v1.PodCondition{
 				{
 					Type:               v1.PodResizePending,
@@ -2209,8 +2244,9 @@ func TestPodResizeConditions(t *testing.T) {
 		},
 		{
 			name: "clear pod resize pending condition",
-			updateFunc: func(podUID types.UID) {
+			updateFunc: func(podUID types.UID) bool {
 				m.ClearPodResizePendingCondition(podUID)
+				return false
 			},
 			expected: nil,
 		},
@@ -2219,7 +2255,7 @@ func TestPodResizeConditions(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.updateFunc != nil {
-				tc.updateFunc(podUID)
+				require.Equal(t, tc.expectedUpdateFuncReturnVal, tc.updateFunc(podUID))
 			}
 			resizeConditions := m.GetPodResizeConditions(podUID)
 			if tc.expected == nil {
@@ -2246,28 +2282,34 @@ func TestClearPodResizeInProgressCondition(t *testing.T) {
 		name               string
 		existingConditions podResizeConditions
 		expectedConditions []*v1.PodCondition
-		expected           bool
+		expectedGeneration int64
+		expectedBool       bool
 	}{
 		{
-			name:     "no existing conditions",
-			expected: false,
+			name:               "no existing conditions",
+			expectedGeneration: 0,
+			expectedBool:       false,
 		},
 		{
 			name: "existing pod resize in progress condition",
 			existingConditions: podResizeConditions{
 				PodResizeInProgress: &v1.PodCondition{
-					Type:   v1.PodResizeInProgress,
-					Status: v1.ConditionTrue,
+					Type:               v1.PodResizeInProgress,
+					Status:             v1.ConditionTrue,
+					ObservedGeneration: 1,
 				},
 			},
-			expected: true,
+			expectedGeneration: 1,
+			expectedBool:       true,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			m.(*manager).podResizeConditions[podUID] = tc.existingConditions
-			assert.Equal(t, tc.expected, m.ClearPodResizeInProgressCondition(podUID))
+			gen, b := m.ClearPodResizeInProgressCondition(podUID)
+			assert.Equal(t, tc.expectedGeneration, gen)
+			assert.Equal(t, tc.expectedBool, b)
 			resizeConditions := m.GetPodResizeConditions(podUID)
 			if tc.expectedConditions == nil {
 				require.Nil(t, resizeConditions)
diff --git a/pkg/kubelet/status/testing/mock_pod_status_provider.go b/pkg/kubelet/status/testing/mock_pod_status_provider.go
deleted file mode 100644
index dcfe31b4dc1ca..0000000000000
--- a/pkg/kubelet/status/testing/mock_pod_status_provider.go
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package testing
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	types "k8s.io/apimachinery/pkg/types"
-
-	v1 "k8s.io/api/core/v1"
-)
-
-// MockPodStatusProvider is an autogenerated mock type for the PodStatusProvider type
-type MockPodStatusProvider struct {
-	mock.Mock
-}
-
-type MockPodStatusProvider_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockPodStatusProvider) EXPECT() *MockPodStatusProvider_Expecter {
-	return &MockPodStatusProvider_Expecter{mock: &_m.Mock}
-}
-
-// GetPodStatus provides a mock function with given fields: uid
-func (_m *MockPodStatusProvider) GetPodStatus(uid types.UID) (v1.PodStatus, bool) {
-	ret := _m.Called(uid)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPodStatus")
-	}
-
-	var r0 v1.PodStatus
-	var r1 bool
-	if rf, ok := ret.Get(0).(func(types.UID) (v1.PodStatus, bool)); ok {
-		return rf(uid)
-	}
-	if rf, ok := ret.Get(0).(func(types.UID) v1.PodStatus); ok {
-		r0 = rf(uid)
-	} else {
-		r0 = ret.Get(0).(v1.PodStatus)
-	}
-
-	if rf, ok := ret.Get(1).(func(types.UID) bool); ok {
-		r1 = rf(uid)
-	} else {
-		r1 = ret.Get(1).(bool)
-	}
-
-	return r0, r1
-}
-
-// MockPodStatusProvider_GetPodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodStatus'
-type MockPodStatusProvider_GetPodStatus_Call struct {
-	*mock.Call
-}
-
-// GetPodStatus is a helper method to define mock.On call
-//   - uid types.UID
-func (_e *MockPodStatusProvider_Expecter) GetPodStatus(uid interface{}) *MockPodStatusProvider_GetPodStatus_Call {
-	return &MockPodStatusProvider_GetPodStatus_Call{Call: _e.mock.On("GetPodStatus", uid)}
-}
-
-func (_c *MockPodStatusProvider_GetPodStatus_Call) Run(run func(uid types.UID)) *MockPodStatusProvider_GetPodStatus_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(types.UID))
-	})
-	return _c
-}
-
-func (_c *MockPodStatusProvider_GetPodStatus_Call) Return(_a0 v1.PodStatus, _a1 bool) *MockPodStatusProvider_GetPodStatus_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockPodStatusProvider_GetPodStatus_Call) RunAndReturn(run func(types.UID) (v1.PodStatus, bool)) *MockPodStatusProvider_GetPodStatus_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockPodStatusProvider creates a new instance of MockPodStatusProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockPodStatusProvider(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockPodStatusProvider {
-	mock := &MockPodStatusProvider{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/pkg/kubelet/status/testing/mocks.go b/pkg/kubelet/status/testing/mocks.go
new file mode 100644
index 0000000000000..f0415c9c788a1
--- /dev/null
+++ b/pkg/kubelet/status/testing/mocks.go
@@ -0,0 +1,114 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// NewMockPodStatusProvider creates a new instance of MockPodStatusProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockPodStatusProvider(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockPodStatusProvider {
+	mock := &MockPodStatusProvider{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockPodStatusProvider is an autogenerated mock type for the PodStatusProvider type
+type MockPodStatusProvider struct {
+	mock.Mock
+}
+
+type MockPodStatusProvider_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockPodStatusProvider) EXPECT() *MockPodStatusProvider_Expecter {
+	return &MockPodStatusProvider_Expecter{mock: &_m.Mock}
+}
+
+// GetPodStatus provides a mock function for the type MockPodStatusProvider
+func (_mock *MockPodStatusProvider) GetPodStatus(uid types.UID) (v1.PodStatus, bool) {
+	ret := _mock.Called(uid)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPodStatus")
+	}
+
+	var r0 v1.PodStatus
+	var r1 bool
+	if returnFunc, ok := ret.Get(0).(func(types.UID) (v1.PodStatus, bool)); ok {
+		return returnFunc(uid)
+	}
+	if returnFunc, ok := ret.Get(0).(func(types.UID) v1.PodStatus); ok {
+		r0 = returnFunc(uid)
+	} else {
+		r0 = ret.Get(0).(v1.PodStatus)
+	}
+	if returnFunc, ok := ret.Get(1).(func(types.UID) bool); ok {
+		r1 = returnFunc(uid)
+	} else {
+		r1 = ret.Get(1).(bool)
+	}
+	return r0, r1
+}
+
+// MockPodStatusProvider_GetPodStatus_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPodStatus'
+type MockPodStatusProvider_GetPodStatus_Call struct {
+	*mock.Call
+}
+
+// GetPodStatus is a helper method to define mock.On call
+//   - uid types.UID
+func (_e *MockPodStatusProvider_Expecter) GetPodStatus(uid interface{}) *MockPodStatusProvider_GetPodStatus_Call {
+	return &MockPodStatusProvider_GetPodStatus_Call{Call: _e.mock.On("GetPodStatus", uid)}
+}
+
+func (_c *MockPodStatusProvider_GetPodStatus_Call) Run(run func(uid types.UID)) *MockPodStatusProvider_GetPodStatus_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 types.UID
+		if args[0] != nil {
+			arg0 = args[0].(types.UID)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockPodStatusProvider_GetPodStatus_Call) Return(podStatus v1.PodStatus, b bool) *MockPodStatusProvider_GetPodStatus_Call {
+	_c.Call.Return(podStatus, b)
+	return _c
+}
+
+func (_c *MockPodStatusProvider_GetPodStatus_Call) RunAndReturn(run func(uid types.UID) (v1.PodStatus, bool)) *MockPodStatusProvider_GetPodStatus_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/pkg/kubelet/types/pod_status.go b/pkg/kubelet/types/pod_status.go
index 24612e40df53e..435f016f2261b 100644
--- a/pkg/kubelet/types/pod_status.go
+++ b/pkg/kubelet/types/pod_status.go
@@ -44,6 +44,11 @@ func PodConditionByKubelet(conditionType v1.PodConditionType) bool {
 			return true
 		}
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.RestartAllContainersOnContainerExits) {
+		if conditionType == v1.AllContainersRestarting {
+			return true
+		}
+	}
 	return false
 }
 
diff --git a/pkg/kubelet/userns/types.go b/pkg/kubelet/userns/types.go
index 820c2aaadcafd..e494ca212e6d1 100644
--- a/pkg/kubelet/userns/types.go
+++ b/pkg/kubelet/userns/types.go
@@ -24,7 +24,6 @@ type userNsPodsManager interface {
 	HandlerSupportsUserNamespaces(runtimeHandler string) (bool, error)
 	GetPodDir(podUID types.UID) string
 	ListPodsFromDisk() ([]types.UID, error)
-	GetKubeletMappings() (uint32, uint32, error)
+	GetKubeletMappings(idsPerPod uint32) (uint32, uint32, error)
 	GetMaxPods() int
-	GetUserNamespacesIDsPerPod() uint32
 }
diff --git a/pkg/kubelet/userns/userns_manager.go b/pkg/kubelet/userns/userns_manager.go
index 728757b4f1920..edd2e4e97d40b 100644
--- a/pkg/kubelet/userns/userns_manager.go
+++ b/pkg/kubelet/userns/userns_manager.go
@@ -20,6 +20,7 @@ limitations under the License.
 package userns
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -34,6 +35,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	utilstore "k8s.io/kubernetes/pkg/kubelet/util/store"
 	"k8s.io/kubernetes/pkg/registry/core/service/allocator"
 	utilfs "k8s.io/kubernetes/pkg/util/filesystem"
@@ -128,14 +130,22 @@ func (m *UsernsManager) readMappingsFromFile(pod types.UID) ([]byte, error) {
 	return fstore.Read(mappingsFile)
 }
 
-func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
-	kubeletMappingID, kubeletMappingLen, err := kl.GetKubeletMappings()
+func MakeUserNsManager(logger klog.Logger, kl userNsPodsManager, idsPerPod *int64) (*UsernsManager, error) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
+		return nil, nil
+	}
+
+	userNsLength := uint32(kubeletconfig.DefaultKubeletUserNamespacesIDsPerPod)
+	if idsPerPod != nil {
+		// The value is already validated as part of kubelet config validation, so we can safely
+		// cast it.
+		userNsLength = uint32(*idsPerPod)
+	}
+	kubeletMappingID, kubeletMappingLen, err := kl.GetKubeletMappings(userNsLength)
 	if err != nil {
 		return nil, fmt.Errorf("kubelet mappings: %w", err)
 	}
 
-	userNsLength := kl.GetUserNamespacesIDsPerPod()
-
 	if userNsLength%userNsUnitLength != 0 {
 		return nil, fmt.Errorf("kubelet user namespace length %v is not a multiple of %d", userNsLength, userNsUnitLength)
 	}
@@ -154,7 +164,7 @@ func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
 	}
 	off := int(kubeletMappingID / userNsLength)
 	len := int(kubeletMappingLen / userNsLength)
-	klog.V(5).InfoS("User namespace manager mapping", "offset", off, "length", len, "idsPerPod", userNsLength)
+	logger.V(5).Info("User namespace manager mapping", "offset", off, "length", len, "idsPerPod", userNsLength)
 
 	m := UsernsManager{
 		used:         allocator.NewAllocationMap(len, "user namespaces"),
@@ -165,11 +175,6 @@ func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
 		userNsLength: userNsLength,
 	}
 
-	// do not bother reading the list of pods if user namespaces are not enabled.
-	if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
-		return &m, nil
-	}
-
 	found, err := kl.ListPodsFromDisk()
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -179,9 +184,9 @@ func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
 
 	}
 	for _, podUID := range found {
-		klog.V(5).InfoS("reading pod from disk for user namespace", "podUID", podUID)
-		if err := m.recordPodMappings(podUID); err != nil {
-			return nil, fmt.Errorf("record pod mappings: %w", err)
+		logger.V(5).Info("reading pod from disk for user namespace", "podUID", podUID)
+		if err := m.recordPodMappings(logger, podUID); err != nil {
+			return nil, fmt.Errorf("record pod mappings for existing pod %q: %w", podUID, err)
 		}
 	}
 
@@ -190,7 +195,7 @@ func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
 
 // recordPodMappings registers the range used for the user namespace if the
 // usernsConfFile exists in the pod directory.
-func (m *UsernsManager) recordPodMappings(pod types.UID) error {
+func (m *UsernsManager) recordPodMappings(logger klog.Logger, pod types.UID) error {
 	content, err := m.readMappingsFromFile(pod)
 	if err != nil && err != utilstore.ErrKeyNotFound {
 		return err
@@ -201,7 +206,7 @@ func (m *UsernsManager) recordPodMappings(pod types.UID) error {
 		return nil
 	}
 
-	_, err = m.parseUserNsFileAndRecord(pod, content)
+	_, err = m.parseUserNsFileAndRecord(logger, pod, content)
 	return err
 }
 
@@ -217,7 +222,7 @@ func (m *UsernsManager) isSet(v uint32) bool {
 // allocateOne finds a free user namespace and allocate it to the specified pod.
 // The first return value is the first ID in the user namespace, the second returns
 // the length for the user namespace range.
-func (m *UsernsManager) allocateOne(pod types.UID) (firstID uint32, length uint32, err error) {
+func (m *UsernsManager) allocateOne(logger klog.Logger, pod types.UID) (firstID uint32, length uint32, err error) {
 	firstZero, found, err := m.used.AllocateNext()
 	if err != nil {
 		return 0, 0, err
@@ -226,7 +231,7 @@ func (m *UsernsManager) allocateOne(pod types.UID) (firstID uint32, length uint3
 		return 0, 0, fmt.Errorf("could not find an empty slot to allocate a user namespace")
 	}
 
-	klog.V(5).InfoS("new pod user namespace allocation", "podUID", pod)
+	logger.V(5).Info("new pod user namespace allocation", "podUID", pod)
 
 	firstID = uint32((firstZero + m.off)) * m.userNsLength
 	m.usedBy[pod] = firstID
@@ -234,7 +239,7 @@ func (m *UsernsManager) allocateOne(pod types.UID) (firstID uint32, length uint3
 }
 
 // record stores the user namespace [from; from+length] to the specified pod.
-func (m *UsernsManager) record(pod types.UID, from, length uint32) (err error) {
+func (m *UsernsManager) record(logger klog.Logger, pod types.UID, from, length uint32) (err error) {
 	if length != m.userNsLength {
 		return fmt.Errorf("wrong user namespace length %v", length)
 	}
@@ -258,7 +263,7 @@ func (m *UsernsManager) record(pod types.UID, from, length uint32) (err error) {
 		return nil
 	}
 
-	klog.V(5).InfoS("new pod user namespace allocation", "podUID", pod)
+	logger.V(5).Info("new pod user namespace allocation", "podUID", pod)
 
 	// "from" is a ID (UID/GID), set the corresponding userns of size
 	// userNsLength in the bit-array.
@@ -268,7 +273,7 @@ func (m *UsernsManager) record(pod types.UID, from, length uint32) (err error) {
 }
 
 // Release releases the user namespace allocated to the specified pod.
-func (m *UsernsManager) Release(podUID types.UID) {
+func (m *UsernsManager) Release(logger klog.Logger, podUID types.UID) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
 		return
 	}
@@ -276,7 +281,7 @@ func (m *UsernsManager) Release(podUID types.UID) {
 	m.lock.Lock()
 	defer m.lock.Unlock()
 
-	m.releaseWithLock(podUID)
+	m.releaseWithLock(logger, podUID)
 }
 
 // podAllocated returns true if the pod is allocated, false otherwise.
@@ -292,15 +297,15 @@ func (m *UsernsManager) podAllocated(podUID types.UID) bool {
 	return ok
 }
 
-func (m *UsernsManager) releaseWithLock(pod types.UID) {
+func (m *UsernsManager) releaseWithLock(logger klog.Logger, pod types.UID) {
 	v, ok := m.usedBy[pod]
 	if !ok {
-		klog.V(5).InfoS("pod user namespace allocation not present", "podUID", pod)
+		logger.V(5).Info("pod user namespace allocation not present", "podUID", pod)
 		return
 	}
 	delete(m.usedBy, pod)
 
-	klog.V(5).InfoS("releasing pod user namespace allocation", "podUID", pod)
+	logger.V(5).Info("releasing pod user namespace allocation", "podUID", pod)
 	m.removed++
 
 	_ = os.Remove(filepath.Join(m.kl.GetPodDir(pod), mappingsFile))
@@ -316,7 +321,7 @@ func (m *UsernsManager) releaseWithLock(pod types.UID) {
 	_ = m.used.Release(int(v/m.userNsLength) - m.off)
 }
 
-func (m *UsernsManager) parseUserNsFileAndRecord(pod types.UID, content []byte) (userNs userNamespace, err error) {
+func (m *UsernsManager) parseUserNsFileAndRecord(logger klog.Logger, pod types.UID, content []byte) (userNs userNamespace, err error) {
 	if err = json.Unmarshal([]byte(content), &userNs); err != nil {
 		err = fmt.Errorf("invalid user namespace mappings file: %w", err)
 		return
@@ -352,19 +357,19 @@ func (m *UsernsManager) parseUserNsFileAndRecord(pod types.UID, content []byte)
 	hostId := userNs.UIDMappings[0].HostId
 	length := userNs.UIDMappings[0].Length
 
-	err = m.record(pod, hostId, length)
+	err = m.record(logger, pod, hostId, length)
 	return
 }
 
-func (m *UsernsManager) createUserNs(pod *v1.Pod) (userNs userNamespace, err error) {
-	firstID, length, err := m.allocateOne(pod.UID)
+func (m *UsernsManager) createUserNs(logger klog.Logger, pod *v1.Pod) (userNs userNamespace, err error) {
+	firstID, length, err := m.allocateOne(logger, pod.UID)
 	if err != nil {
 		return
 	}
 
 	defer func() {
 		if err != nil {
-			m.releaseWithLock(pod.UID)
+			m.releaseWithLock(logger, pod.UID)
 		}
 	}()
 
@@ -389,7 +394,8 @@ func (m *UsernsManager) createUserNs(pod *v1.Pod) (userNs userNamespace, err err
 }
 
 // GetOrCreateUserNamespaceMappings returns the configuration for the sandbox user namespace
-func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHandler string) (*runtimeapi.UserNamespace, error) {
+func (m *UsernsManager) GetOrCreateUserNamespaceMappings(ctx context.Context, pod *v1.Pod, runtimeHandler string) (*runtimeapi.UserNamespace, error) {
+	logger := klog.FromContext(ctx)
 	featureEnabled := utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport)
 
 	// TODO: If the default value for hostUsers ever changes, change the default value of
@@ -438,12 +444,12 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
 
 	var userNs userNamespace
 	if string(content) != "" {
-		userNs, err = m.parseUserNsFileAndRecord(pod.UID, content)
+		userNs, err = m.parseUserNsFileAndRecord(logger, pod.UID, content)
 		if err != nil {
 			return nil, fmt.Errorf("user namespace: %w", err)
 		}
 	} else {
-		userNs, err = m.createUserNs(pod)
+		userNs, err = m.createUserNs(logger, pod)
 		if err != nil {
 			return nil, fmt.Errorf("create user namespace: %w", err)
 		}
@@ -477,10 +483,11 @@ func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHan
 // CleanupOrphanedPodUsernsAllocations reconciliates the state of user namespace
 // allocations with the pods actually running. It frees any user namespace
 // allocation for orphaned pods.
-func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runningPods []*kubecontainer.Pod) error {
+func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(ctx context.Context, pods []*v1.Pod, runningPods []*kubecontainer.Pod) error {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.UserNamespacesSupport) {
 		return nil
 	}
+	logger := klog.FromContext(ctx)
 
 	m.lock.Lock()
 	defer m.lock.Unlock()
@@ -509,8 +516,8 @@ func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runn
 			continue
 		}
 
-		klog.V(5).InfoS("Clean up orphaned pod user namespace possible allocation", "podUID", podUID)
-		m.releaseWithLock(podUID)
+		logger.V(5).Info("Clean up orphaned pod user namespace possible allocation", "podUID", podUID)
+		m.releaseWithLock(logger, podUID)
 	}
 
 	// Lets remove any existing allocation for a pod that is not "found".
@@ -519,8 +526,8 @@ func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runn
 			continue
 		}
 
-		klog.V(5).InfoS("Clean up orphaned pod user namespace possible allocation", "podUID", podUID)
-		m.releaseWithLock(podUID)
+		logger.V(5).Info("Clean up orphaned pod user namespace possible allocation", "podUID", podUID)
+		m.releaseWithLock(logger, podUID)
 	}
 
 	return nil
diff --git a/pkg/kubelet/userns/userns_manager_disabled_test.go b/pkg/kubelet/userns/userns_manager_disabled_test.go
index a4099d0a79dc4..67f633009efad 100644
--- a/pkg/kubelet/userns/userns_manager_disabled_test.go
+++ b/pkg/kubelet/userns/userns_manager_disabled_test.go
@@ -28,26 +28,29 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	pkgfeatures "k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 // Test all public methods behave ok when the feature gate is disabled.
 
 func TestMakeUserNsManagerDisabled(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
 
 	testUserNsPodsManager := &testUserNsPodsManager{}
-	_, err := MakeUserNsManager(testUserNsPodsManager)
+	_, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	assert.NoError(t, err)
 }
 
 func TestReleaseDisabled(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
 
 	testUserNsPodsManager := &testUserNsPodsManager{}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
-	m.Release("some-pod")
+	m.Release(logger, "some-pod")
 }
 
 func TestGetOrCreateUserNamespaceMappingsDisabled(t *testing.T) {
@@ -95,11 +98,12 @@ func TestGetOrCreateUserNamespaceMappingsDisabled(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
 			testUserNsPodsManager := &testUserNsPodsManager{}
-			m, err := MakeUserNsManager(testUserNsPodsManager)
+			m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 			require.NoError(t, err)
 
-			userns, err := m.GetOrCreateUserNamespaceMappings(test.pod, "")
+			userns, err := m.GetOrCreateUserNamespaceMappings(ctx, test.pod, "")
 			assert.Nil(t, userns)
 			if test.success {
 				assert.NoError(t, err)
@@ -111,12 +115,13 @@ func TestGetOrCreateUserNamespaceMappingsDisabled(t *testing.T) {
 }
 
 func TestCleanupOrphanedPodUsernsAllocationsDisabled(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
 
 	testUserNsPodsManager := &testUserNsPodsManager{}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
-	err = m.CleanupOrphanedPodUsernsAllocations(nil, nil)
+	err = m.CleanupOrphanedPodUsernsAllocations(ctx, nil, nil)
 	assert.NoError(t, err)
 }
diff --git a/pkg/kubelet/userns/userns_manager_switch_test.go b/pkg/kubelet/userns/userns_manager_switch_test.go
index 233b5c7fab32d..0177914023d2b 100644
--- a/pkg/kubelet/userns/userns_manager_switch_test.go
+++ b/pkg/kubelet/userns/userns_manager_switch_test.go
@@ -30,9 +30,11 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	pkgfeatures "k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func TestMakeUserNsManagerSwitch(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
 	// Create the manager with the feature gate enabled, to record some pods on disk.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
@@ -44,20 +46,20 @@ func TestMakeUserNsManagerSwitch(t *testing.T) {
 		// manager, it will find these pods on disk with userns data.
 		podList: pods,
 	}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	// Record the pods on disk.
 	for _, podUID := range pods {
 		pod := v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: podUID}}
-		_, err := m.GetOrCreateUserNamespaceMappings(&pod, "")
+		_, err := m.GetOrCreateUserNamespaceMappings(ctx, &pod, "")
 		require.NoError(t, err, "failed to record userns range for pod %v", podUID)
 	}
 
 	// Test re-init works when the feature gate is disabled and there were some
 	// pods written on disk.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
-	m2, err := MakeUserNsManager(testUserNsPodsManager)
+	m2, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	// The feature gate is off, no pods should be allocated.
@@ -68,6 +70,7 @@ func TestMakeUserNsManagerSwitch(t *testing.T) {
 }
 
 func TestGetOrCreateUserNamespaceMappingsSwitch(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
 	// Enable the feature gate to create some pods on disk.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
@@ -79,13 +82,13 @@ func TestGetOrCreateUserNamespaceMappingsSwitch(t *testing.T) {
 		// manager, it will find these pods on disk with userns data.
 		podList: pods,
 	}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	// Record the pods on disk.
 	for _, podUID := range pods {
 		pod := v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: podUID}}
-		_, err := m.GetOrCreateUserNamespaceMappings(&pod, "")
+		_, err := m.GetOrCreateUserNamespaceMappings(ctx, &pod, "")
 		require.NoError(t, err, "failed to record userns range for pod %v", podUID)
 	}
 
@@ -93,12 +96,12 @@ func TestGetOrCreateUserNamespaceMappingsSwitch(t *testing.T) {
 	// pods registered on disk.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
 	// Create a new manager with the feature gate off and verify the userns range is nil.
-	m2, err := MakeUserNsManager(testUserNsPodsManager)
+	m2, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	for _, podUID := range pods {
 		pod := v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: podUID}}
-		userns, err := m2.GetOrCreateUserNamespaceMappings(&pod, "")
+		userns, err := m2.GetOrCreateUserNamespaceMappings(ctx, &pod, "")
 
 		assert.NoError(t, err, "failed to record userns range for pod %v", podUID)
 		assert.Nil(t, userns, "userns range should be nil for pod %v", podUID)
@@ -106,6 +109,7 @@ func TestGetOrCreateUserNamespaceMappingsSwitch(t *testing.T) {
 }
 
 func TestCleanupOrphanedPodUsernsAllocationsSwitch(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
 	// Enable the feature gate to create some pods on disk.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
@@ -116,20 +120,20 @@ func TestCleanupOrphanedPodUsernsAllocationsSwitch(t *testing.T) {
 		podList: listPods,
 	}
 
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	// Record the pods on disk.
 	for _, podUID := range pods {
 		pod := v1.Pod{ObjectMeta: metav1.ObjectMeta{UID: podUID}}
-		_, err := m.GetOrCreateUserNamespaceMappings(&pod, "")
+		_, err := m.GetOrCreateUserNamespaceMappings(ctx, &pod, "")
 		require.NoError(t, err, "failed to record userns range for pod %v", podUID)
 	}
 
 	// Test cleanup works when the feature gate is disabled and there were some
 	// pods registered.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, false)
-	err = m.CleanupOrphanedPodUsernsAllocations(nil, nil)
+	err = m.CleanupOrphanedPodUsernsAllocations(ctx, nil, nil)
 	require.NoError(t, err)
 
 	// The feature gate is off, no pods should be allocated.
diff --git a/pkg/kubelet/userns/userns_manager_test.go b/pkg/kubelet/userns/userns_manager_test.go
index 206c8f4f1fec5..90e56418c8d5e 100644
--- a/pkg/kubelet/userns/userns_manager_test.go
+++ b/pkg/kubelet/userns/userns_manager_test.go
@@ -35,6 +35,7 @@ import (
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	pkgfeatures "k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 const (
@@ -77,7 +78,7 @@ func (m *testUserNsPodsManager) HandlerSupportsUserNamespaces(runtimeHandler str
 	return m.userns, nil
 }
 
-func (m *testUserNsPodsManager) GetKubeletMappings() (uint32, uint32, error) {
+func (m *testUserNsPodsManager) GetKubeletMappings(idsPerPod uint32) (uint32, uint32, error) {
 	if m.mappingFirstID != 0 {
 		return m.mappingFirstID, m.mappingLen, nil
 	}
@@ -92,14 +93,8 @@ func (m *testUserNsPodsManager) GetMaxPods() int {
 	return testMaxPods
 }
 
-func (m *testUserNsPodsManager) GetUserNamespacesIDsPerPod() uint32 {
-	if m.userNsLength != 0 {
-		return m.userNsLength
-	}
-	return testUserNsLength
-}
-
 func TestUserNsManagerAllocate(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	customUserNsLength := uint32(1048576)
@@ -131,34 +126,35 @@ func TestUserNsManagerAllocate(t *testing.T) {
 				mappingFirstID: tc.mappingFirstID,
 				mappingLen:     tc.mappingLen,
 			}
-			m, err := MakeUserNsManager(testUserNsPodsManager)
+			idsPerPod := int64(tc.userNsLength)
+			m, err := MakeUserNsManager(logger, testUserNsPodsManager, &idsPerPod)
 			require.NoError(t, err)
 
-			allocated, length, err := m.allocateOne("one")
+			allocated, length, err := m.allocateOne(logger, "one")
 			require.NoError(t, err)
 			assert.Equal(t, tc.userNsLength, length, "m.isSet(%d).length=%v", allocated, length)
 			assert.True(t, m.isSet(allocated), "m.isSet(%d)", allocated)
 
-			allocated2, length2, err := m.allocateOne("two")
+			allocated2, length2, err := m.allocateOne(logger, "two")
 			require.NoError(t, err)
 			assert.NotEqual(t, allocated, allocated2, "allocated != allocated2")
 			assert.Equal(t, length, length2, "length == length2")
 
 			// verify that re-adding the same pod with the same settings won't fail
-			err = m.record("two", allocated2, length2)
+			err = m.record(logger, "two", allocated2, length2)
 			require.NoError(t, err)
 			// but it fails if anyting is different
-			err = m.record("two", allocated2+1, length2)
+			err = m.record(logger, "two", allocated2+1, length2)
 			require.Error(t, err)
 
-			m.Release("one")
-			m.Release("two")
+			m.Release(logger, "one")
+			m.Release(logger, "two")
 			assert.False(t, m.isSet(allocated), "m.isSet(%d)", allocated)
 			assert.False(t, m.isSet(allocated2), "m.nsSet(%d)", allocated2)
 
 			var allocs []uint32
 			for i := 0; i < 1000; i++ {
-				allocated, length, err = m.allocateOne(types.UID(fmt.Sprintf("%d", i)))
+				allocated, length, err = m.allocateOne(logger, types.UID(fmt.Sprintf("%d", i)))
 				assert.Equal(t, tc.userNsLength, length, "length is not the expected. iter: %v", i)
 				require.NoError(t, err)
 				assert.GreaterOrEqual(t, allocated, tc.mappingFirstID)
@@ -168,12 +164,12 @@ func TestUserNsManagerAllocate(t *testing.T) {
 			}
 			for i, v := range allocs {
 				assert.True(t, m.isSet(v), "m.isSet(%d) should be true", v)
-				m.Release(types.UID(fmt.Sprintf("%d", i)))
+				m.Release(logger, types.UID(fmt.Sprintf("%d", i)))
 				assert.False(t, m.isSet(v), "m.isSet(%d) should be false", v)
 
-				err = m.record(types.UID(fmt.Sprintf("%d", i)), v, tc.userNsLength)
+				err = m.record(logger, types.UID(fmt.Sprintf("%d", i)), v, tc.userNsLength)
 				require.NoError(t, err)
-				m.Release(types.UID(fmt.Sprintf("%d", i)))
+				m.Release(logger, types.UID(fmt.Sprintf("%d", i)))
 				assert.False(t, m.isSet(v), "m.isSet(%d) should be false", v)
 			}
 		})
@@ -181,6 +177,7 @@ func TestUserNsManagerAllocate(t *testing.T) {
 }
 
 func TestMakeUserNsManager(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	cases := []struct {
@@ -223,7 +220,7 @@ func TestMakeUserNsManager(t *testing.T) {
 				mappingLen:     tc.mappingLen,
 				maxPods:        tc.maxPods,
 			}
-			_, err := MakeUserNsManager(testUserNsPodsManager)
+			_, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 
 			if tc.success {
 				assert.NoError(t, err)
@@ -235,6 +232,7 @@ func TestMakeUserNsManager(t *testing.T) {
 }
 
 func TestUserNsManagerParseUserNsFile(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	cases := []struct {
@@ -301,13 +299,13 @@ func TestUserNsManagerParseUserNsFile(t *testing.T) {
 	}
 
 	testUserNsPodsManager := &testUserNsPodsManager{}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	assert.NoError(t, err)
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			// We don't validate the result. It was parsed with the json parser, we trust that.
-			_, err = m.parseUserNsFileAndRecord(types.UID(tc.name), []byte(tc.file))
+			_, err = m.parseUserNsFileAndRecord(logger, types.UID(tc.name), []byte(tc.file))
 			if (tc.success && err == nil) || (!tc.success && err != nil) {
 				return
 			}
@@ -392,10 +390,11 @@ func TestGetOrCreateUserNamespaceMappings(t *testing.T) {
 				podDir: t.TempDir(),
 				userns: tc.runtimeUserns,
 			}
-			m, err := MakeUserNsManager(testUserNsPodsManager)
+			logger, ctx := ktesting.NewTestContext(t)
+			m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 			assert.NoError(t, err)
 
-			userns, err := m.GetOrCreateUserNamespaceMappings(tc.pod, tc.runtimeHandler)
+			userns, err := m.GetOrCreateUserNamespaceMappings(ctx, tc.pod, tc.runtimeHandler)
 			if (tc.success && err != nil) || (!tc.success && err == nil) {
 				t.Errorf("expected success: %v but got error: %v", tc.success, err)
 			}
@@ -408,6 +407,7 @@ func TestGetOrCreateUserNamespaceMappings(t *testing.T) {
 }
 
 func TestCleanupOrphanedPodUsernsAllocations(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	cases := []struct {
@@ -464,16 +464,16 @@ func TestCleanupOrphanedPodUsernsAllocations(t *testing.T) {
 				podDir:  t.TempDir(),
 				podList: tc.listPods,
 			}
-			m, err := MakeUserNsManager(testUserNsPodsManager)
+			m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 			require.NoError(t, err)
 
 			// Record the userns range as used
 			for i, pod := range tc.podSetBeforeCleanup {
-				err := m.record(pod, uint32((i+1)*65536), 65536)
+				err := m.record(logger, pod, uint32((i+1)*65536), 65536)
 				require.NoError(t, err)
 			}
 
-			err = m.CleanupOrphanedPodUsernsAllocations(tc.pods, tc.runningPods)
+			err = m.CleanupOrphanedPodUsernsAllocations(ctx, tc.pods, tc.runningPods)
 			require.NoError(t, err)
 
 			for _, pod := range tc.podSetAfterCleanup {
@@ -498,15 +498,17 @@ func (m *failingUserNsPodsManager) ListPodsFromDisk() ([]types.UID, error) {
 }
 
 func TestMakeUserNsManagerFailsListPod(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	testUserNsPodsManager := &failingUserNsPodsManager{}
-	_, err := MakeUserNsManager(testUserNsPodsManager)
+	_, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, "read pods from disk")
 }
 
 func TestRecordBounds(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, pkgfeatures.UserNamespacesSupport, true)
 
 	// Allow exactly for 1 pod
@@ -515,15 +517,15 @@ func TestRecordBounds(t *testing.T) {
 		mappingLen:     65536,
 		maxPods:        1,
 	}
-	m, err := MakeUserNsManager(testUserNsPodsManager)
+	m, err := MakeUserNsManager(logger, testUserNsPodsManager, nil)
 	require.NoError(t, err)
 
 	// The first pod allocation should succeed.
-	err = m.record(types.UID(fmt.Sprintf("%d", 0)), 65536, 65536)
+	err = m.record(logger, types.UID(fmt.Sprintf("%d", 0)), 65536, 65536)
 	require.NoError(t, err)
 
 	// The next allocation should fail, as there is no space left.
-	err = m.record(types.UID(fmt.Sprintf("%d", 2)), uint32(2*65536), 65536)
+	err = m.record(logger, types.UID(fmt.Sprintf("%d", 2)), uint32(2*65536), 65536)
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, "out of range")
 }
diff --git a/pkg/kubelet/userns/userns_manager_windows.go b/pkg/kubelet/userns/userns_manager_windows.go
index bc40b7187987f..2bd5c8390d45f 100644
--- a/pkg/kubelet/userns/userns_manager_windows.go
+++ b/pkg/kubelet/userns/userns_manager_windows.go
@@ -17,31 +17,34 @@ limitations under the License.
 package userns
 
 import (
+	"context"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/klog/v2"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 )
 
 type UsernsManager struct{}
 
-func MakeUserNsManager(kl userNsPodsManager) (*UsernsManager, error) {
+func MakeUserNsManager(klog.Logger, userNsPodsManager, *int64) (*UsernsManager, error) {
 	return nil, nil
 }
 
 // Release releases the user namespace allocated to the specified pod.
-func (m *UsernsManager) Release(podUID types.UID) {
+func (m *UsernsManager) Release(klog.Logger, types.UID) {
 	return
 }
 
-func (m *UsernsManager) GetOrCreateUserNamespaceMappings(pod *v1.Pod, runtimeHandler string) (*runtimeapi.UserNamespace, error) {
+func (m *UsernsManager) GetOrCreateUserNamespaceMappings(context.Context, *v1.Pod, string) (*runtimeapi.UserNamespace, error) {
 	return nil, nil
 }
 
 // CleanupOrphanedPodUsernsAllocations reconciliates the state of user namespace
 // allocations with the pods actually running. It frees any user namespace
 // allocation for orphaned pods.
-func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(pods []*v1.Pod, runningPods []*kubecontainer.Pod) error {
+func (m *UsernsManager) CleanupOrphanedPodUsernsAllocations(context.Context, []*v1.Pod, []*kubecontainer.Pod) error {
 	return nil
 }
 
diff --git a/pkg/kubelet/util/boottime_util_linux.go b/pkg/kubelet/util/boottime_util_linux.go
index 935b3d80341b6..67c9b191cfe7d 100644
--- a/pkg/kubelet/util/boottime_util_linux.go
+++ b/pkg/kubelet/util/boottime_util_linux.go
@@ -20,6 +20,7 @@ limitations under the License.
 package util
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"strconv"
@@ -36,7 +37,10 @@ import (
 func GetBootTime() (time.Time, error) {
 	bootTime, err := getBootTimeWithProcStat()
 	if err != nil {
-		klog.InfoS("Failed to get boot time from /proc/uptime. Will retry with unix.Sysinfo.", "error", err)
+		// TODO: it needs to be replaced by a proper context in the future
+		ctx := context.TODO()
+		logger := klog.FromContext(ctx)
+		logger.Info("Failed to get boot time from /proc/uptime. Will retry with unix.Sysinfo.", "error", err)
 		return getBootTimeWithSysinfo()
 	}
 	return bootTime, nil
diff --git a/pkg/kubelet/util/env/env_util.go b/pkg/kubelet/util/env/env_util.go
index c01d90687e338..1de9317377b55 100644
--- a/pkg/kubelet/util/env/env_util.go
+++ b/pkg/kubelet/util/env/env_util.go
@@ -23,16 +23,19 @@ import (
 	"strings"
 )
 
-// ParseEnv implements a strict parser for .env environment files,
-// adhering to the format defined in the RFC documentation at https://smartmob-rfc.readthedocs.io/en/latest/2-dotenv.html.
+// ParseEnv implements a strict parser for environment files using a subset of POSIX shell syntax.
+// The parser enforces that all variable values must be enclosed in single quotes.
 //
-// This function implements a strict parser for environment files similar to the requirements in the OCI and Docker env file RFCs:
-//   - Leading whitespace is ignored for all lines.
-//   - Blank lines (including those with only whitespace) are ignored.
-//   - Lines starting with '#' are treated as comments and ignored.
-//   - Each variable must be declared as VAR=VAL. Whitespace around '=' and at the end of the line is ignored.
-//   - A backslash ('\') at the end of a variable declaration line indicates the value continues on the next line. The lines are joined with a single space, and the backslash is not included.
-//   - If a continuation line is interrupted by a blank line or comment, it is considered invalid and an error is returned.
+// Supported format:
+//   - VAR='value' - Values must be enclosed in single quotes
+//   - Content within single quotes is preserved literally (no escape sequences or expansions)
+//   - Multi-line values are supported (newlines within single quotes are preserved)
+//   - Inline comments after the closing quote are supported (e.g., VAR='value' # comment)
+//   - Leading whitespace before the variable name is ignored
+//   - Blank lines (including those with only whitespace) are ignored when not within quotes
+//   - Lines starting with '#' are treated as comments and ignored
+//   - Whitespace before '=' is invalid (e.g., VAR = 'value' is rejected)
+//   - Whitespace after '=' but before the quote results in empty assignment (e.g., VAR= 'value' assigns empty string)
 func ParseEnv(envFilePath, key string) (string, error) {
 	file, err := os.Open(envFilePath)
 	if err != nil {
@@ -41,67 +44,85 @@ func ParseEnv(envFilePath, key string) (string, error) {
 	defer func() { _ = file.Close() }()
 
 	scanner := bufio.NewScanner(file)
-	var (
-		currentLine    string
-		inContinuation bool
-		lineNum        int
-	)
+	lineNum := 0
 
 	for scanner.Scan() {
 		lineNum++
 		line := scanner.Text()
 		line = strings.TrimLeft(line, " \t")
 
+		// Skip blank lines
 		if line == "" {
-			if inContinuation {
-				return "", fmt.Errorf("invalid environment variable format at line %d: blank line in continuation", lineNum)
-			}
 			continue
 		}
+
+		// Skip comments
 		if strings.HasPrefix(line, "#") {
-			if inContinuation {
-				return "", fmt.Errorf("invalid environment variable format at line %d: comment in continuation", lineNum)
-			}
 			continue
 		}
 
-		if inContinuation {
-			trimmed := strings.TrimRight(line, " \t")
-			if strings.HasSuffix(trimmed, "\\") {
-				currentLine += " " + strings.TrimRight(trimmed[:len(trimmed)-1], " \t")
-				continue
-			} else {
-				currentLine += " " + trimmed
-				line = currentLine
-				inContinuation = false
-				currentLine = ""
-			}
-		} else {
-			trimmed := strings.TrimRight(line, " \t")
-			if strings.HasSuffix(trimmed, "\\") {
-				currentLine = strings.TrimRight(trimmed[:len(trimmed)-1], " \t")
-				inContinuation = true
-				continue
-			}
-		}
-
 		eqIdx := strings.Index(line, "=")
 		if eqIdx == -1 {
-			return "", fmt.Errorf("invalid environment variable format at line %d", lineNum)
+			return "", fmt.Errorf("invalid environment variable format at line %d: missing '='", lineNum)
 		}
-		varName := strings.TrimSpace(line[:eqIdx])
-		varValue := strings.TrimRight(strings.TrimSpace(line[eqIdx+1:]), " \t")
 
+		// Variable name must not contain whitespace or trailing whitespace before '='
+		varNamePart := line[:eqIdx]
+		varName := strings.TrimRight(varNamePart, " \t")
 		if varName == "" {
-			return "", fmt.Errorf("invalid environment variable format at line %d", lineNum)
+			return "", fmt.Errorf("invalid environment variable format at line %d: empty variable name", lineNum)
 		}
-		if varName == key {
-			return varValue, nil
+
+		// If trimming removed whitespace, it means there was whitespace before '='
+		if varNamePart != varName {
+			return "", fmt.Errorf("invalid environment variable format at line %d: whitespace before '=' is not allowed", lineNum)
 		}
-	}
+		valuePart := line[eqIdx+1:]
 
-	if inContinuation {
-		return "", fmt.Errorf("unexpected end of file: unfinished line continuation")
+		// Check if there's whitespace before any non-whitespace character
+		trimmedValue := strings.TrimLeft(valuePart, " \t")
+		if valuePart != trimmedValue {
+			// There is whitespace between '=' and the value
+			// This matches bash behavior: KEY= 'val1' results in KEY being empty
+			if varName == key {
+				return "", nil
+			}
+			continue
+		}
+
+		// Value must start with single quote
+		if !strings.HasPrefix(trimmedValue, "'") {
+			return "", fmt.Errorf("invalid environment variable format at line %d: value must be enclosed in single quotes", lineNum)
+		}
+
+		// Find the closing single quote (may span multiple lines)
+		var valueBuilder strings.Builder
+		rest := trimmedValue[1:]
+		startLineNum := lineNum
+
+		for {
+			closingIdx := strings.Index(rest, "'")
+			if closingIdx != -1 {
+				valueBuilder.WriteString(rest[:closingIdx])
+				afterQuote := strings.TrimLeft(rest[closingIdx+1:], " \t")
+				if afterQuote != "" && !strings.HasPrefix(afterQuote, "#") {
+					return "", fmt.Errorf("invalid environment variable format at line %d: unexpected content after closing quote", lineNum)
+				}
+
+				if varName == key {
+					return valueBuilder.String(), nil
+				}
+				break
+			}
+
+			valueBuilder.WriteString(rest)
+			valueBuilder.WriteString("\n")
+			if !scanner.Scan() {
+				return "", fmt.Errorf("invalid environment variable format starting at line %d: unclosed single quote", startLineNum)
+			}
+			lineNum++
+			rest = scanner.Text()
+		}
 	}
 
 	if err := scanner.Err(); err != nil {
diff --git a/pkg/kubelet/util/env/env_util_test.go b/pkg/kubelet/util/env/env_util_test.go
index 0b570e5e9d421..5a542d5d32874 100644
--- a/pkg/kubelet/util/env/env_util_test.go
+++ b/pkg/kubelet/util/env/env_util_test.go
@@ -18,10 +18,42 @@ package env
 
 import (
 	"os"
+	"os/exec"
+	"runtime"
 	"strings"
 	"testing"
 )
 
+// testShellBehavior tests how a POSIX shell would interpret the given environment file content
+// and returns the value that would be assigned to the given key
+// This test will not run on Windows.
+func testShellBehavior(t *testing.T, envContent, key string) (string, error) {
+	tmpFile, err := os.CreateTemp("", "shell_test_*")
+	if err != nil {
+		t.Fatalf("failed to create temp file: %v", err)
+	}
+	defer func() { _ = os.Remove(tmpFile.Name()) }()
+
+	if _, err := tmpFile.Write([]byte(envContent)); err != nil {
+		t.Fatalf("failed to write to temp file: %v", err)
+	}
+	if err := tmpFile.Close(); err != nil {
+		t.Fatalf("failed to close temp file: %v", err)
+	}
+
+	// Use bash with POSIX mode to source the file and print the variable
+	// We use . instead of source for POSIX compliance
+	cmd := exec.Command("bash", "--posix", "-c",
+		"set -a && . \""+tmpFile.Name()+"\" && printf '%s' \"${"+key+"}\"")
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", err
+	}
+
+	return string(output), nil
+}
+
 func TestParseEnv(t *testing.T) {
 	tempDir := t.TempDir()
 
@@ -36,245 +68,498 @@ func TestParseEnv(t *testing.T) {
 	tests := []testCase{
 		{
 			name: "ignore leading whitespace",
-			envContent: `   KEY1=val1
-		KEY2=val2
-KEY3=val3
+			envContent: `   KEY1='val1'
+		KEY2='val2'
+KEY3='val3'
 `,
 			key:       "KEY2",
-			wantValue: "val2",
+			wantValue: `val2`,
 		},
 		{
 			name: "ignore blank and comment lines",
 			envContent: `# comment
 
-KEY1=foo
+KEY1='foo'
    # another comment
-	
-KEY2=bar
+
+KEY2='bar'
+`,
+			key:       "KEY2",
+			wantValue: `bar`,
+		},
+		{
+			name: "whitespace around = and not allowed",
+			envContent: `KEY1 = 'val1'
+KEY2=   'val2'
+KEY3='val3'
+`,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: `whitespace before '=' is not allowed`,
+		},
+		{
+			name: "key not found returns empty",
+			envContent: `KEY1='foo'
+KEY2='bar'
+`,
+			key:       "KEY3",
+			wantValue: ``,
+		},
+		{
+			name: "value with embedded #",
+			envContent: `KEY1='foo#notcomment'
+KEY2='bar'
+`,
+			key:       "KEY1",
+			wantValue: `foo#notcomment`,
+		},
+		{
+			name: "key with whitespace (should error)",
+			envContent: `KEY1 ='foo'
+KEY2='bar'
+`,
+			key:         "KEY1",
+			wantErr:     true,
+			errContains: "whitespace before '=' is not allowed",
+		},
+		{
+			name: "value with leading and trailing whitespace",
+			envContent: `KEY1='   foo bar   '
+KEY2='bar'
+`,
+			key:       "KEY1",
+			wantValue: `   foo bar   `,
+		},
+		{
+			name: "multiple comments and blank lines",
+			envContent: `# first comment
+
+# second comment
+KEY1='foo'
+
+# third comment
+KEY2='bar'
 `,
 			key:       "KEY2",
-			wantValue: "bar",
+			wantValue: `bar`,
 		},
 		{
-			name: "whitespace around = and trailing",
-			envContent: `KEY1 = val1   
-KEY2=   val2	
-KEY3=val3   	
+			name: "empty value",
+			envContent: `KEY1='foo'
+KEY2=''
+KEY3='bar'
 `,
 			key:       "KEY2",
-			wantValue: "val2",
+			wantValue: ``,
+		},
+		{
+			name: "key is empty (should error)",
+			envContent: `='foo'
+KEY2='bar'
+`,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "invalid environment variable format",
 		},
 		{
-			name: "continuation line with \\",
-			envContent: `KEY1=foo \
-bar \
-baz
-KEY2=val2
+			name: "multiple = in value",
+			envContent: `KEY1='foo=bar=baz'
+KEY2='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo bar baz",
+			wantValue: `foo=bar=baz`,
 		},
 		{
-			name: "continuation with whitespace and comment",
-			envContent: `KEY1=foo \
-  bar
-# comment
-KEY2=val2
+			name: "comment after key value pair",
+			envContent: `KEY1='foo'
+KEY2='bar' # comment
 `,
+			key:       "KEY2",
+			wantValue: `bar`,
+		},
+		{
+			name: "missing key triggers error with line number",
+			envContent: `='foo'
+KEY2='bar'`,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "at line 1",
+		},
+		{
+			name: "value contains $VAR, should not expand",
+			envContent: `KEY1='$VAR'
+KEY2='bar'`,
+			key:       "KEY1",
+			wantValue: `$VAR`,
+		},
+		{
+			name: "value contains ${VAR}, should not expand",
+			envContent: `KEY1='${VAR}'
+KEY2='bar'`,
 			key:       "KEY1",
-			wantValue: "foo bar",
+			wantValue: `${VAR}`,
+		},
+		{
+			name: "value contains $HOME, should not expand",
+			envContent: `KEY1='$HOME'
+KEY2='bar'`,
+			key:       "KEY1",
+			wantValue: `$HOME`,
+		},
+		{
+			name: "value contains mixed shell variable syntax, should not expand",
+			envContent: `KEY1='foo$BAR-${HOME}_$'
+KEY2='bar'`,
+			key:       "KEY1",
+			wantValue: `foo$BAR-${HOME}_$`,
 		},
 		{
 			name: "invalid line triggers error with line number",
-			envContent: `KEY1=foo
+			envContent: `KEY1='foo'
 INVALID_LINE
-KEY2=bar
+KEY2='bar'
 `,
 			key:         "KEY2",
 			wantErr:     true,
 			errContains: "at line 2",
 		},
 		{
-			name: "unfinished continuation triggers error",
-			envContent: `KEY1=foo \
-bar \
+			name: "unquoted value triggers error",
+			envContent: `KEY1='foo'
+KEY2=bar
+KEY3='baz'
 `,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "value must be enclosed in single quotes",
+		},
+		{
+			name: "double quoted value triggers error",
+			envContent: `KEY1='foo'
+KEY2="bar"
+KEY3='baz'
+`,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "value must be enclosed in single quotes",
+		},
+		{
+			name:        "value with multiple adjacent quoted strings",
+			envContent:  `KEY1='foo''bar'`,
 			key:         "KEY1",
 			wantErr:     true,
-			errContains: "unfinished line continuation",
+			errContains: `unexpected content after closing quote`,
 		},
 		{
-			name: "key not found returns empty",
-			envContent: `KEY1=foo
-KEY2=bar
+			name: "unclosed single quote triggers error",
+			envContent: `KEY1='foo'
+KEY2='bar
+KEY3='baz'
 `,
-			key:       "KEY3",
-			wantValue: "",
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "unexpected content after closing quote",
 		},
 		{
-			name: "value with embedded #",
-			envContent: `KEY1=foo#notcomment
-KEY2=bar
+			name: "content after closing quote triggers error",
+			envContent: `KEY1='foo'
+KEY2='bar'baz
+KEY3='baz'
+`,
+			key:         "KEY2",
+			wantErr:     true,
+			errContains: "unexpected content after closing quote",
+		},
+		{
+			name: "empty quotes preserve literal content",
+			envContent: `KEY1=''
+KEY2='   '
+KEY3='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo#notcomment",
+			wantValue: ``,
 		},
 		{
-			name: "key with trailing whitespace",
-			envContent: `KEY1 =foo
-KEY2=bar
+			name: "quotes preserve all literal content including spaces",
+			envContent: `KEY1='  foo  bar  '
+KEY2='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo",
+			wantValue: `  foo  bar  `,
 		},
 		{
-			name: "value with leading and trailing whitespace",
-			envContent: `KEY1=   foo bar   
-KEY2=bar
+			name: "special characters in value",
+			envContent: `KEY1='!@#$%^&*()_+-=[]{}|;:,.<>?/'
+KEY2='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo bar",
+			wantValue: `!@#$%^&*()_+-=[]{}|;:,.<>?/`,
 		},
 		{
-			name: "multiple comments and blank lines",
-			envContent: `# first comment
-
-# second comment
-KEY1=foo
-
-# third comment
-KEY2=bar
+			name: "newlines and tabs in value",
+			envContent: `KEY1='line1\nline2\tline3'
+KEY2='bar'
 `,
-			key:       "KEY2",
-			wantValue: "bar",
+			key:       "KEY1",
+			wantValue: `line1\nline2\tline3`,
 		},
 		{
-			name: "continuation with blank line in between (should error)",
-			envContent: `KEY1=foo \
-
-bar
+			name: "unicode characters in value",
+			envContent: `KEY1='中文 Español Français 🌍'
+KEY2='bar'
 `,
-			key:         "KEY1",
-			wantErr:     true,
-			errContains: "invalid environment variable format",
+			key:       "KEY1",
+			wantValue: `中文 Español Français 🌍`,
+		},
+		{
+			name: "backslashes in value",
+			envContent: `KEY1='path\\to\\file'
+KEY2='bar'
+`,
+			key:       "KEY1",
+			wantValue: `path\\to\\file`,
 		},
 		{
-			name: "continuation with comment in between (should error)",
-			envContent: `KEY1=foo \
-# comment
-bar
+			name: "single quotes within value quotes",
+			envContent: `KEY1='value with \'nested\' quotes'
+KEY2='bar'
 `,
 			key:         "KEY1",
 			wantErr:     true,
-			errContains: "invalid environment variable format",
+			errContains: "unexpected content after closing quote",
 		},
 		{
-			name: "empty value",
-			envContent: `KEY1=foo
-KEY2=
-KEY3=bar
+			name: "double quotes within value quotes",
+			envContent: `KEY1='value with "nested" quotes'
+KEY2='bar'
 `,
-			key:       "KEY2",
-			wantValue: "",
+			key:       "KEY1",
+			wantErr:   false,
+			wantValue: `value with "nested" quotes`,
 		},
 		{
-			name: "value with only spaces",
-			envContent: `KEY1=foo
-KEY2=   
-KEY3=bar
+			name: "empty single quotes",
+			envContent: `KEY1=''
+KEY2=''
+KEY3='bar'
 `,
 			key:       "KEY2",
-			wantValue: "",
+			wantValue: ``,
 		},
 		{
-			name: "key is empty (should error)",
-			envContent: `=foo
-KEY2=bar
+			name: "only whitespace in quotes",
+			envContent: `KEY1='   '
+KEY2='\t\n'
+KEY3='bar'
 `,
-			key:         "KEY2",
-			wantValue:   "bar",
-			wantErr:     true,
-			errContains: "invalid environment variable format",
+			key:       "KEY1",
+			wantValue: "   ",
 		},
 		{
-			name: "multiple = in value",
-			envContent: `KEY1=foo=bar=baz
-KEY2=bar
+			name: "complex JSON-like value",
+			envContent: `KEY1='{"name": "test", "value": 123, "nested": {"key": "val"}}'
+KEY2='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo=bar=baz",
+			wantValue: `{"name": "test", "value": 123, "nested": {"key": "val"}}`,
 		},
 		{
-			name: "continuation with trailing spaces",
-			envContent: `KEY1=foo   \
-  bar   \
-  baz   
-KEY2=bar
+			name: "URL with special characters",
+			envContent: `KEY1='https://example.com/path?query=value&another=param'
+KEY2='bar'
 `,
 			key:       "KEY1",
-			wantValue: "foo bar baz",
+			wantValue: `https://example.com/path?query=value&another=param`,
 		},
 		{
-			name: "comment after key value pair",
-			envContent: `KEY1=foo
-KEY2=bar # comment
+			name: "XML-like content",
+			envContent: `KEY1='<root><element attr="value">content</element></root>'
+KEY2='bar'
 `,
-			key:       "KEY2",
-			wantValue: "bar # comment",
+			key:       "KEY1",
+			wantValue: `<root><element attr="value">content</element></root>`,
 		},
 		{
-			name: "blank line in continuation triggers error with line number",
-			envContent: `KEY1=foo \
+			name: "base64 encoded data",
+			envContent: `KEY1='SGVsbG8gV29ybGQh'
+KEY2='bar'
+`,
+			key:       "KEY1",
+			wantValue: `SGVsbG8gV29ybGQh`,
+		},
+		{
+			name: "regex pattern",
+			envContent: `KEY1='^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$'
+KEY2='bar'
+`,
+			key:       "KEY1",
+			wantValue: `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$`,
+		},
+		{
+			name: "multi-line value with spaces",
+			envContent: `KEY1='line one
+  line two with spaces
+    line three with more spaces'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `line one
+  line two with spaces
+    line three with more spaces`,
+		},
+		{
+			name: "multi-line value with special characters",
+			envContent: `KEY1='line1: !@#$%^&*()
+line2: []{}|;:,.<>?/
+line3: \\\\tabs\\nnewlines'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `line1: !@#$%^&*()
+line2: []{}|;:,.<>?/
+line3: \\\\tabs\\nnewlines`,
+		},
+		{
+			name: "multi-line value with mixed content",
+			envContent: `KEY1='First line
+Second line with $VAR and ${HOME}
+Third line with spaces    and    tabs\\t
+Fourth line with special chars: !@#$%^&*()_+'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `First line
+Second line with $VAR and ${HOME}
+Third line with spaces    and    tabs\\t
+Fourth line with special chars: !@#$%^&*()_+`,
+		},
+		{
+			name: "multi-line value with empty lines",
+			envContent: `KEY1='line1
 
-bar=val`,
-			key:         "bar",
-			wantErr:     true,
-			errContains: "at line 2",
+line3 after empty line
+
+line5 after another empty'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `line1
+
+line3 after empty line
+
+line5 after another empty`,
 		},
 		{
-			name: "comment in continuation triggers error with line number",
-			envContent: `KEY1=foo \
-# comment
-bar=val`,
-			key:         "bar",
-			wantErr:     true,
-			errContains: "at line 2",
+			name: "multi-line value with trailing spaces",
+			envContent: `KEY1='line1
+line2 with trailing spaces
+line3   '
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `line1
+line2 with trailing spaces
+line3   `,
 		},
 		{
-			name: "missing key triggers error with line number",
-			envContent: `=foo
-KEY2=bar`,
-			key:         "KEY2",
-			wantErr:     true,
-			errContains: "at line 1",
+			name: "multi-line value with unicode characters",
+			envContent: `KEY1='中文 第一行
+English second line
+Français troisième ligne 🌍
+Русский четвертая строка'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `中文 第一行
+English second line
+Français troisième ligne 🌍
+Русский четвертая строка`,
 		},
 		{
-			name: "value contains $VAR, should not expand",
-			envContent: `KEY1=$VAR
-KEY2=bar`,
-			key:       "KEY1",
-			wantValue: "$VAR",
+			name: "multi-line value with code-like content",
+			envContent: `KEY1='func main() {
+    fmt.Println(\"Hello, World!\")
+    for i := 0; i < 10; i++ {
+        fmt.Printf(\"i=%d\\n\", i)
+    }
+}'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `func main() {
+    fmt.Println(\"Hello, World!\")
+    for i := 0; i < 10; i++ {
+        fmt.Printf(\"i=%d\\n\", i)
+    }
+}`,
 		},
 		{
-			name: "value contains ${VAR}, should not expand",
-			envContent: `KEY1=${VAR}
-KEY2=bar`,
-			key:       "KEY1",
-			wantValue: "${VAR}",
+			name: "multi-line value with JSON content",
+			envContent: `KEY1='{
+  "name": "test",
+  "value": 123,
+  "nested": {
+    "key": "val",
+    "array": [1, 2, 3]
+  }
+}'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `{
+  "name": "test",
+  "value": 123,
+  "nested": {
+    "key": "val",
+    "array": [1, 2, 3]
+  }
+}`,
 		},
 		{
-			name: "value contains $HOME, should not expand",
-			envContent: `KEY1=$HOME
-KEY2=bar`,
-			key:       "KEY1",
-			wantValue: "$HOME",
+			name: "multi-line value with YAML content",
+			envContent: `KEY1='name: test
+value: 123
+nested:
+  key: val
+  array:
+    - 1
+    - 2
+    - 3'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `name: test
+value: 123
+nested:
+  key: val
+  array:
+    - 1
+    - 2
+    - 3`,
 		},
 		{
-			name: "value contains mixed shell variable syntax, should not expand",
-			envContent: `KEY1=foo$BAR-${HOME}_$
-KEY2=bar`,
-			key:       "KEY1",
-			wantValue: "foo$BAR-${HOME}_$",
+			name: "multi-line value with Cert",
+			envContent: `KEY1='-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQSSSSSSSSSSSSSBlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAyUgx65kBQf/Nl+EcOFkP8q7n7FDetNrH7WYAnpYnaWG8w4rA9ht9
+upttTNyRbCVpb32f5m8DFvVug0vAa/ksX8iSKzD53bWTuTQiN/i9Q/iG0eCNPR0KoW/gLV
+SS9pIWWVYNav6dBjknR85202+YryJkn8THAf8Kg5Lwl0dom41dZvN1DirbcqWOU1BKG2sl
+pFIq8BdXedRjwoNYngMvLBOb4CAfvQyKr1+ARQecqzPn4pTovYtIZRasIgrBOpSpHGZa70
+pTAVP5+KGXN5DigjQUWaje1AiEx5zk8J3T5AA0abSaNn0uE53tjgalTzcY9kxHdo2rgHJC
+huHhWsWslkcntkKp0V1Jc8oGv86Dp5mPhpfpMOK+vCe2TrS/saes9fNVxjorSpLl4xTU/V
+-----END OPENSSH PRIVATE KEY-----'
+KEY2='bar'
+`,
+			key: "KEY1",
+			wantValue: `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQSSSSSSSSSSSSSBlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAyUgx65kBQf/Nl+EcOFkP8q7n7FDetNrH7WYAnpYnaWG8w4rA9ht9
+upttTNyRbCVpb32f5m8DFvVug0vAa/ksX8iSKzD53bWTuTQiN/i9Q/iG0eCNPR0KoW/gLV
+SS9pIWWVYNav6dBjknR85202+YryJkn8THAf8Kg5Lwl0dom41dZvN1DirbcqWOU1BKG2sl
+pFIq8BdXedRjwoNYngMvLBOb4CAfvQyKr1+ARQecqzPn4pTovYtIZRasIgrBOpSpHGZa70
+pTAVP5+KGXN5DigjQUWaje1AiEx5zk8J3T5AA0abSaNn0uE53tjgalTzcY9kxHdo2rgHJC
+huHhWsWslkcntkKp0V1Jc8oGv86Dp5mPhpfpMOK+vCe2TrS/saes9fNVxjorSpLl4xTU/V
+-----END OPENSSH PRIVATE KEY-----`,
 		},
 	}
 
@@ -310,6 +595,18 @@ KEY2=bar`,
 			if gotValue != tt.wantValue {
 				t.Errorf("got %q, want %q", gotValue, tt.wantValue)
 			}
+
+			// Verify shell behavior matches our parser
+			if runtime.GOOS != "windows" {
+				shellValue, shellErr := testShellBehavior(t, tt.envContent, tt.key)
+				if shellErr != nil {
+					t.Errorf("shell failed to parse valid syntax: %v", shellErr)
+					return
+				}
+				if gotValue != shellValue {
+					t.Errorf("shell behavior mismatch: ParseEnv=%q, shell=%q", gotValue, shellValue)
+				}
+			}
 		})
 	}
 }
diff --git a/pkg/kubelet/util/manager/cache_based_manager_test.go b/pkg/kubelet/util/manager/cache_based_manager_test.go
index 6f27712bc1dd7..38e174651a65d 100644
--- a/pkg/kubelet/util/manager/cache_based_manager_test.go
+++ b/pkg/kubelet/util/manager/cache_based_manager_test.go
@@ -37,6 +37,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	core "k8s.io/client-go/testing"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/clock"
 	testingclock "k8s.io/utils/clock/testing"
 
@@ -57,15 +58,15 @@ func noObjectTTL() (time.Duration, bool) {
 	return time.Duration(0), false
 }
 
-func getSecret(fakeClient clientset.Interface) GetObjectFunc {
+func getSecret(ctx context.Context, fakeClient clientset.Interface) GetObjectFunc {
 	return func(namespace, name string, opts metav1.GetOptions) (runtime.Object, error) {
-		return fakeClient.CoreV1().Secrets(namespace).Get(context.TODO(), name, opts)
+		return fakeClient.CoreV1().Secrets(namespace).Get(ctx, name, opts)
 	}
 }
 
-func newSecretStore(fakeClient clientset.Interface, clock clock.Clock, getTTL GetObjectTTLFunc, ttl time.Duration) *objectStore {
+func newSecretStore(ctx context.Context, fakeClient clientset.Interface, clock clock.Clock, getTTL GetObjectTTLFunc, ttl time.Duration) *objectStore {
 	return &objectStore{
-		getObject:  getSecret(fakeClient),
+		getObject:  getSecret(ctx, fakeClient),
 		clock:      clock,
 		items:      make(map[objectKey]*objectStoreItem),
 		defaultTTL: ttl,
@@ -87,8 +88,9 @@ func newCacheBasedSecretManager(store Store) Manager {
 }
 
 func TestSecretStore(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
-	store := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	store := newSecretStore(tCtx, fakeClient, clock.RealClock{}, noObjectTTL, 0)
 	store.AddReference("ns1", "name1", "pod1")
 	store.AddReference("ns2", "name2", "pod2")
 	store.AddReference("ns1", "name1", "pod3")
@@ -121,8 +123,9 @@ func TestSecretStore(t *testing.T) {
 }
 
 func TestSecretStoreDeletingSecret(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
-	store := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	store := newSecretStore(tCtx, fakeClient, clock.RealClock{}, noObjectTTL, 0)
 	store.AddReference("ns", "name", "pod")
 
 	result := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "name", ResourceVersion: "10"}}
@@ -150,9 +153,10 @@ func TestSecretStoreDeletingSecret(t *testing.T) {
 }
 
 func TestSecretStoreGetAlwaysRefresh(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, 0)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, 0)
 
 	for i := 0; i < 10; i++ {
 		store.AddReference(fmt.Sprintf("ns-%d", i), fmt.Sprintf("name-%d", i), types.UID(fmt.Sprintf("pod-%d", i)))
@@ -177,9 +181,10 @@ func TestSecretStoreGetAlwaysRefresh(t *testing.T) {
 }
 
 func TestSecretStoreGetNeverRefresh(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, time.Minute)
 
 	for i := 0; i < 10; i++ {
 		store.AddReference(fmt.Sprintf("ns-%d", i), fmt.Sprintf("name-%d", i), types.UID(fmt.Sprintf("pod-%d", i)))
@@ -207,9 +212,10 @@ func TestCustomTTL(t *testing.T) {
 		return ttl, ttlExists
 	}
 
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Time{})
-	store := newSecretStore(fakeClient, fakeClock, customTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, customTTL, time.Minute)
 
 	store.AddReference("ns", "name", "pod")
 	store.Get("ns", "name")
@@ -383,9 +389,10 @@ func podWithSecretsAndUID(ns, podName, podUID string, toAttach secretsToAttach)
 }
 
 func TestCacheInvalidation(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, time.Minute)
 	manager := newCacheBasedSecretManager(store)
 
 	// Create a pod with some secrets.
@@ -438,9 +445,10 @@ func TestCacheInvalidation(t *testing.T) {
 }
 
 func TestResourceContentExpired(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, time.Minute)
 	manager := newCacheBasedSecretManager(store)
 
 	// Create a pod with some secrets.
@@ -463,9 +471,10 @@ func TestResourceContentExpired(t *testing.T) {
 }
 
 func TestRegisterIdempotence(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, time.Minute)
 	manager := newCacheBasedSecretManager(store)
 
 	s1 := secretsToAttach{
@@ -498,9 +507,10 @@ func TestRegisterIdempotence(t *testing.T) {
 }
 
 func TestCacheRefcounts(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretStore(fakeClient, fakeClock, noObjectTTL, time.Minute)
+	store := newSecretStore(tCtx, fakeClient, fakeClock, noObjectTTL, time.Minute)
 	manager := newCacheBasedSecretManager(store)
 
 	s1 := secretsToAttach{
@@ -619,8 +629,9 @@ func TestCacheRefcounts(t *testing.T) {
 }
 
 func TestCacheBasedSecretManager(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
-	store := newSecretStore(fakeClient, clock.RealClock{}, noObjectTTL, 0)
+	store := newSecretStore(tCtx, fakeClient, clock.RealClock{}, noObjectTTL, 0)
 	manager := newCacheBasedSecretManager(store)
 
 	// Create a pod with some secrets.
diff --git a/pkg/kubelet/util/manager/watch_based_manager.go b/pkg/kubelet/util/manager/watch_based_manager.go
index cbc42fa6bf1dc..6abf0b31ddd9f 100644
--- a/pkg/kubelet/util/manager/watch_based_manager.go
+++ b/pkg/kubelet/util/manager/watch_based_manager.go
@@ -17,6 +17,7 @@ limitations under the License.
 package manager
 
 import (
+	"context"
 	"fmt"
 	"sync"
 	"time"
@@ -43,6 +44,8 @@ type watchObjectFunc func(string, metav1.ListOptions) (watch.Interface, error)
 type newObjectFunc func() runtime.Object
 type isImmutableFunc func(runtime.Object) bool
 
+type listWatcherWithWatchListSemanticsWrapperFunc func(lw *cache.ListWatch) cache.ListerWatcher
+
 // objectCacheItem is a single item stored in objectCache.
 type objectCacheItem struct {
 	refMap    map[types.UID]int
@@ -157,13 +160,14 @@ func (c *cacheStore) unsetInitialized() {
 // objectCache is a local cache of objects propagated via
 // individual watches.
 type objectCache struct {
-	listObject    listObjectFunc
-	watchObject   watchObjectFunc
-	newObject     newObjectFunc
-	isImmutable   isImmutableFunc
-	groupResource schema.GroupResource
-	clock         clock.Clock
-	maxIdleTime   time.Duration
+	listObject                               listObjectFunc
+	watchObject                              watchObjectFunc
+	newObject                                newObjectFunc
+	isImmutable                              isImmutableFunc
+	listWatcherWithWatchListSemanticsWrapper listWatcherWithWatchListSemanticsWrapperFunc
+	groupResource                            schema.GroupResource
+	clock                                    clock.Clock
+	maxIdleTime                              time.Duration
 
 	lock    sync.RWMutex
 	items   map[objectKey]*objectCacheItem
@@ -178,6 +182,7 @@ func NewObjectCache(
 	watchObject watchObjectFunc,
 	newObject newObjectFunc,
 	isImmutable isImmutableFunc,
+	listWatcherWithWatchListSemanticsWrapper listWatcherWithWatchListSemanticsWrapperFunc,
 	groupResource schema.GroupResource,
 	clock clock.Clock,
 	maxIdleTime time.Duration,
@@ -188,14 +193,15 @@ func NewObjectCache(
 	}
 
 	store := &objectCache{
-		listObject:    listObject,
-		watchObject:   watchObject,
-		newObject:     newObject,
-		isImmutable:   isImmutable,
-		groupResource: groupResource,
-		clock:         clock,
-		maxIdleTime:   maxIdleTime,
-		items:         make(map[objectKey]*objectCacheItem),
+		listObject:                               listObject,
+		watchObject:                              watchObject,
+		newObject:                                newObject,
+		isImmutable:                              isImmutable,
+		listWatcherWithWatchListSemanticsWrapper: listWatcherWithWatchListSemanticsWrapper,
+		groupResource:                            groupResource,
+		clock:                                    clock,
+		maxIdleTime:                              maxIdleTime,
+		items:                                    make(map[objectKey]*objectCacheItem),
 	}
 
 	go wait.Until(store.startRecycleIdleWatch, time.Minute, stopCh)
@@ -225,7 +231,7 @@ func (c *objectCache) newReflectorLocked(namespace, name string) *objectCacheIte
 	}
 	store := c.newStore()
 	reflector := cache.NewReflectorWithOptions(
-		&cache.ListWatch{ListFunc: listFunc, WatchFunc: watchFunc},
+		c.listWatcherWithWatchListSemanticsWrapper(&cache.ListWatch{ListFunc: listFunc, WatchFunc: watchFunc}),
 		c.newObject(),
 		store,
 		cache.ReflectorOptions{
@@ -343,7 +349,10 @@ func (c *objectCache) Get(namespace, name string) (runtime.Object, error) {
 		if c.isImmutable(object) {
 			item.setImmutable()
 			if item.stop() {
-				klog.V(4).InfoS("Stopped watching for changes - object is immutable", "obj", klog.KRef(namespace, name))
+				// TODO: it needs to be replaced by a proper context in the future
+				ctx := context.TODO()
+				logger := klog.FromContext(ctx)
+				logger.V(4).Info("Stopped watching for changes - object is immutable", "obj", klog.KRef(namespace, name))
 			}
 		}
 		return object, nil
@@ -352,12 +361,15 @@ func (c *objectCache) Get(namespace, name string) (runtime.Object, error) {
 }
 
 func (c *objectCache) startRecycleIdleWatch() {
+	// TODO: it needs to be replaced by a proper context in the future
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
 	c.lock.Lock()
 	defer c.lock.Unlock()
 
 	for key, item := range c.items {
 		if item.stopIfIdle(c.clock.Now(), c.maxIdleTime) {
-			klog.V(4).InfoS("Not acquired for long time, Stopped watching for changes", "objectKey", key, "maxIdleTime", c.maxIdleTime)
+			logger.V(4).Info("Not acquired for long time, Stopped watching for changes", "objectKey", key, "maxIdleTime", c.maxIdleTime)
 		}
 	}
 }
@@ -385,6 +397,7 @@ func NewWatchBasedManager(
 	watchObject watchObjectFunc,
 	newObject newObjectFunc,
 	isImmutable isImmutableFunc,
+	listWatcherWithWatchListSemanticsWrapper listWatcherWithWatchListSemanticsWrapperFunc,
 	groupResource schema.GroupResource,
 	resyncInterval time.Duration,
 	getReferencedObjects func(*v1.Pod) sets.Set[string]) Manager {
@@ -396,6 +409,6 @@ func NewWatchBasedManager(
 	maxIdleTime := resyncInterval * 5
 
 	// TODO propagate stopCh from the higher level.
-	objectStore := NewObjectCache(listObject, watchObject, newObject, isImmutable, groupResource, clock.RealClock{}, maxIdleTime, wait.NeverStop)
+	objectStore := NewObjectCache(listObject, watchObject, newObject, isImmutable, listWatcherWithWatchListSemanticsWrapper, groupResource, clock.RealClock{}, maxIdleTime, wait.NeverStop)
 	return NewCacheBasedManager(objectStore, getReferencedObjects)
 }
diff --git a/pkg/kubelet/util/manager/watch_based_manager_test.go b/pkg/kubelet/util/manager/watch_based_manager_test.go
index bebac3b04b22b..5e793b652e6ac 100644
--- a/pkg/kubelet/util/manager/watch_based_manager_test.go
+++ b/pkg/kubelet/util/manager/watch_based_manager_test.go
@@ -19,6 +19,8 @@ package manager
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
@@ -29,15 +31,17 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/json"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
-
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/rest"
 	core "k8s.io/client-go/testing"
-
+	"k8s.io/client-go/tools/cache"
 	corev1 "k8s.io/kubernetes/pkg/apis/core/v1"
-
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/clock"
 	testingclock "k8s.io/utils/clock/testing"
@@ -45,15 +49,15 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func listSecret(fakeClient clientset.Interface) listObjectFunc {
+func listSecret(ctx context.Context, fakeClient clientset.Interface) listObjectFunc {
 	return func(namespace string, opts metav1.ListOptions) (runtime.Object, error) {
-		return fakeClient.CoreV1().Secrets(namespace).List(context.TODO(), opts)
+		return fakeClient.CoreV1().Secrets(namespace).List(ctx, opts)
 	}
 }
 
-func watchSecret(fakeClient clientset.Interface) watchObjectFunc {
+func watchSecret(ctx context.Context, fakeClient clientset.Interface) watchObjectFunc {
 	return func(namespace string, opts metav1.ListOptions) (watch.Interface, error) {
-		return fakeClient.CoreV1().Secrets(namespace).Watch(context.TODO(), opts)
+		return fakeClient.CoreV1().Secrets(namespace).Watch(ctx, opts)
 	}
 }
 
@@ -64,12 +68,15 @@ func isSecretImmutable(object runtime.Object) bool {
 	return false
 }
 
-func newSecretCache(fakeClient clientset.Interface, fakeClock clock.Clock, maxIdleTime time.Duration) *objectCache {
+func newSecretCache(ctx context.Context, fakeClient clientset.Interface, fakeClock clock.Clock, maxIdleTime time.Duration) *objectCache {
 	return &objectCache{
-		listObject:    listSecret(fakeClient),
-		watchObject:   watchSecret(fakeClient),
-		newObject:     func() runtime.Object { return &v1.Secret{} },
-		isImmutable:   isSecretImmutable,
+		listObject:  listSecret(ctx, fakeClient),
+		watchObject: watchSecret(ctx, fakeClient),
+		newObject:   func() runtime.Object { return &v1.Secret{} },
+		isImmutable: isSecretImmutable,
+		listWatcherWithWatchListSemanticsWrapper: func(lw *cache.ListWatch) cache.ListerWatcher {
+			return cache.ToListWatcherWithWatchListSemantics(lw, fakeClient)
+		},
 		groupResource: corev1.Resource("secret"),
 		clock:         fakeClock,
 		maxIdleTime:   maxIdleTime,
@@ -78,6 +85,7 @@ func newSecretCache(fakeClient clientset.Interface, fakeClock clock.Clock, maxId
 }
 
 func TestSecretCache(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 
 	listReactor := func(a core.Action) (bool, runtime.Object, error) {
@@ -93,7 +101,7 @@ func TestSecretCache(t *testing.T) {
 	fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
 
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretCache(fakeClient, fakeClock, time.Minute)
+	store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 	store.AddReference("ns", "name", "pod")
 	_, err := store.Get("ns", "name")
@@ -121,7 +129,6 @@ func TestSecretCache(t *testing.T) {
 		return true, nil
 	}
 
-	tCtx := ktesting.Init(t)
 	if err := wait.PollUntilContextCancel(tCtx, 10*time.Millisecond, true, getFn); err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
@@ -152,6 +159,7 @@ func TestSecretCache(t *testing.T) {
 }
 
 func TestSecretCacheMultipleRegistrations(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	fakeClient := &fake.Clientset{}
 
 	listReactor := func(a core.Action) (bool, runtime.Object, error) {
@@ -167,7 +175,7 @@ func TestSecretCacheMultipleRegistrations(t *testing.T) {
 	fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
 
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretCache(fakeClient, fakeClock, time.Minute)
+	store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 	store.AddReference("ns", "name", "pod")
 	// This should trigger List and Watch actions eventually.
@@ -184,7 +192,6 @@ func TestSecretCacheMultipleRegistrations(t *testing.T) {
 		}
 		return true, nil
 	}
-	tCtx := ktesting.Init(t)
 	if err := wait.PollUntilContextCancel(tCtx, 10*time.Millisecond, true, actionsFn); err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
@@ -257,6 +264,7 @@ func TestImmutableSecretStopsTheReflector(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.desc, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			fakeClient := &fake.Clientset{}
 			listReactor := func(a core.Action) (bool, runtime.Object, error) {
 				result := &v1.SecretList{
@@ -274,7 +282,7 @@ func TestImmutableSecretStopsTheReflector(t *testing.T) {
 			fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
 
 			fakeClock := testingclock.NewFakeClock(time.Now())
-			store := newSecretCache(fakeClient, fakeClock, time.Minute)
+			store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 			key := objectKey{namespace: "ns", name: "name"}
 			itemExists := func(_ context.Context) (bool, error) {
@@ -295,7 +303,6 @@ func TestImmutableSecretStopsTheReflector(t *testing.T) {
 
 			// AddReference should start reflector.
 			store.AddReference("ns", "name", "pod")
-			tCtx := ktesting.Init(t)
 			if err := wait.PollUntilContextCancel(tCtx, 10*time.Millisecond, false, itemExists); err != nil {
 				t.Errorf("item wasn't added to cache")
 			}
@@ -340,6 +347,7 @@ func TestImmutableSecretStopsTheReflector(t *testing.T) {
 }
 
 func TestMaxIdleTimeStopsTheReflector(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "name",
@@ -364,7 +372,7 @@ func TestMaxIdleTimeStopsTheReflector(t *testing.T) {
 	fakeWatch := watch.NewFake()
 	fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
 	fakeClock := testingclock.NewFakeClock(time.Now())
-	store := newSecretCache(fakeClient, fakeClock, time.Minute)
+	store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 	key := objectKey{namespace: "ns", name: "name"}
 	itemExists := func(_ context.Context) (bool, error) {
@@ -386,7 +394,6 @@ func TestMaxIdleTimeStopsTheReflector(t *testing.T) {
 
 	// AddReference should start reflector.
 	store.AddReference("ns", "name", "pod")
-	tCtx := ktesting.Init(t)
 	if err := wait.PollUntilContextCancel(tCtx, 10*time.Millisecond, false, itemExists); err != nil {
 		t.Errorf("item wasn't added to cache")
 	}
@@ -420,6 +427,7 @@ func TestMaxIdleTimeStopsTheReflector(t *testing.T) {
 }
 
 func TestReflectorNotStoppedOnSlowInitialization(t *testing.T) {
+	tCtx := ktesting.Init(t)
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "name",
@@ -447,7 +455,7 @@ func TestReflectorNotStoppedOnSlowInitialization(t *testing.T) {
 	fakeClient.AddReactor("list", "secrets", listReactor)
 	fakeWatch := watch.NewFake()
 	fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
-	store := newSecretCache(fakeClient, fakeClock, time.Minute)
+	store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 	key := objectKey{namespace: "ns", name: "name"}
 	itemExists := func(_ context.Context) (bool, error) {
@@ -479,7 +487,6 @@ func TestReflectorNotStoppedOnSlowInitialization(t *testing.T) {
 
 	// AddReference should start reflector.
 	store.AddReference("ns", "name", "pod")
-	tCtx := ktesting.Init(t)
 	if err := wait.PollUntilContextCancel(tCtx, 10*time.Millisecond, false, itemExists); err != nil {
 		t.Errorf("item wasn't added to cache")
 	}
@@ -592,6 +599,7 @@ func TestRefMapHandlesReferencesCorrectly(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.desc, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
 			fakeClient := &fake.Clientset{}
 			listReactor := func(a core.Action) (bool, runtime.Object, error) {
 				result := &v1.SecretList{
@@ -606,7 +614,7 @@ func TestRefMapHandlesReferencesCorrectly(t *testing.T) {
 			fakeWatch := watch.NewFake()
 			fakeClient.AddWatchReactor("secrets", core.DefaultWatchReactor(fakeWatch, nil))
 			fakeClock := testingclock.NewFakeClock(time.Now())
-			store := newSecretCache(fakeClient, fakeClock, time.Minute)
+			store := newSecretCache(tCtx, fakeClient, fakeClock, time.Minute)
 
 			for i, step := range tc.steps {
 				expect := tc.expects[i]
@@ -632,3 +640,91 @@ func TestRefMapHandlesReferencesCorrectly(t *testing.T) {
 		})
 	}
 }
+
+func TestUnSupportWatchListSemantics(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	fakeClock := testingclock.NewFakeClock(time.Now())
+	// The fake client doesn’t support WatchList semantics,
+	// so we don’t need to prepare a response.
+	fakeClient := fake.NewClientset()
+	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
+	defer cancel()
+	target := newSecretCache(context.TODO(), fakeClient, fakeClock, time.Minute)
+
+	ret := target.newReflectorLocked("ns", "obj")
+	defer ret.stop()
+
+	if err := wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 3*time.Second, true, func(ctx context.Context) (bool, error) {
+		return ret.store.hasSynced(), nil
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestWatchListSemanticsSimple(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if _, ok := req.URL.Query()["watch"]; !ok {
+			t.Errorf("expected a watch request, params: %v", req.URL.Query())
+			http.Error(w, fmt.Errorf("unexpected request").Error(), http.StatusInternalServerError)
+			return
+		}
+
+		obj := &v1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "v1",
+				Kind:       "Secret",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					metav1.InitialEventsAnnotationKey: "true",
+				},
+			},
+		}
+		rawObj, err := json.Marshal(obj)
+		if err != nil {
+			t.Errorf("failed to marshal rawObj: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		watchEvent := &metav1.WatchEvent{
+			Type:   string(watch.Bookmark),
+			Object: runtime.RawExtension{Raw: rawObj},
+		}
+		rawRsp, err := json.Marshal(watchEvent)
+		if err != nil {
+			t.Errorf("failed to marshal watchEvent: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write(rawRsp)
+		if err != nil {
+			t.Fatalf("failed to write response: %v", err)
+		}
+	}))
+	defer server.Close()
+
+	cfg := &rest.Config{Host: server.URL}
+	client, err := clientset.NewForConfig(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fakeClock := testingclock.NewFakeClock(time.Now())
+	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
+	defer cancel()
+	target := newSecretCache(context.TODO(), client, fakeClock, time.Second)
+
+	ret := target.newReflectorLocked("ns", "obj")
+	defer ret.stop()
+
+	if err := wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 3*time.Second, true, func(ctx context.Context) (bool, error) {
+		return ret.store.hasSynced(), nil
+	}); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/pkg/kubelet/util/nodelease.go b/pkg/kubelet/util/nodelease.go
index 9e1b00b76242e..dc1fa6fc3e670 100644
--- a/pkg/kubelet/util/nodelease.go
+++ b/pkg/kubelet/util/nodelease.go
@@ -29,14 +29,14 @@ import (
 
 // SetNodeOwnerFunc helps construct a newLeasePostProcessFunc which sets
 // a node OwnerReference to the given lease object
-func SetNodeOwnerFunc(c clientset.Interface, nodeName string) func(lease *coordinationv1.Lease) error {
+func SetNodeOwnerFunc(ctx context.Context, c clientset.Interface, nodeName string) func(lease *coordinationv1.Lease) error {
 	return func(lease *coordinationv1.Lease) error {
 		// Setting owner reference needs node's UID. Note that it is different from
 		// kubelet.nodeRef.UID. When lease is initially created, it is possible that
 		// the connection between master and node is not ready yet. So try to set
 		// owner reference every time when renewing the lease, until successful.
 		if len(lease.OwnerReferences) == 0 {
-			if node, err := c.CoreV1().Nodes().Get(context.TODO(), nodeName, metav1.GetOptions{}); err == nil {
+			if node, err := c.CoreV1().Nodes().Get(ctx, nodeName, metav1.GetOptions{}); err == nil {
 				lease.OwnerReferences = []metav1.OwnerReference{
 					{
 						APIVersion: corev1.SchemeGroupVersion.WithKind("Node").Version,
@@ -46,7 +46,8 @@ func SetNodeOwnerFunc(c clientset.Interface, nodeName string) func(lease *coordi
 					},
 				}
 			} else {
-				klog.ErrorS(err, "Failed to get node when trying to set owner ref to the node lease", "node", klog.KRef("", nodeName))
+				logger := klog.FromContext(ctx)
+				logger.Error(err, "Failed to get node when trying to set owner ref to the node lease", "node", klog.KRef("", nodeName))
 				return err
 			}
 		}
diff --git a/pkg/kubelet/util/pod_startup_latency_tracker.go b/pkg/kubelet/util/pod_startup_latency_tracker.go
index 3ab3d2aaae537..d972815a7817d 100644
--- a/pkg/kubelet/util/pod_startup_latency_tracker.go
+++ b/pkg/kubelet/util/pod_startup_latency_tracker.go
@@ -17,6 +17,7 @@ limitations under the License.
 package util
 
 import (
+	"context"
 	"sync"
 	"time"
 
@@ -97,11 +98,14 @@ func (p *basicPodStartupLatencyTracker) ObservedPodOnWatch(pod *v1.Pod, when tim
 	}
 
 	if hasPodStartedSLO(pod) {
+		// TODO: it needs to be replaced by a proper context in the future
+		ctx := context.TODO()
+		logger := klog.FromContext(ctx)
 		podStartingDuration := when.Sub(pod.CreationTimestamp.Time)
 		imagePullingDuration := state.lastFinishedPulling.Sub(state.firstStartedPulling)
 		podStartSLOduration := (podStartingDuration - imagePullingDuration).Seconds()
 
-		klog.InfoS("Observed pod startup duration",
+		logger.Info("Observed pod startup duration",
 			"pod", klog.KObj(pod),
 			"podStartSLOduration", podStartSLOduration,
 			"podStartE2EDuration", podStartingDuration,
@@ -146,7 +150,9 @@ func (p *basicPodStartupLatencyTracker) RecordImageFinishedPulling(podUID types.
 		return
 	}
 
-	state.lastFinishedPulling = p.clock.Now() // Now is always grater than values from the past.
+	if !state.firstStartedPulling.IsZero() {
+		state.lastFinishedPulling = p.clock.Now() // Now is always grater than values from the past.
+	}
 }
 
 func (p *basicPodStartupLatencyTracker) RecordStatusUpdated(pod *v1.Pod) {
@@ -168,8 +174,11 @@ func (p *basicPodStartupLatencyTracker) RecordStatusUpdated(pod *v1.Pod) {
 		return
 	}
 
+	// TODO: it needs to be replaced by a proper context in the future
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
 	if hasPodStartedSLO(pod) {
-		klog.V(3).InfoS("Mark when the pod was running for the first time", "pod", klog.KObj(pod), "rv", pod.ResourceVersion)
+		logger.V(3).Info("Mark when the pod was running for the first time", "pod", klog.KObj(pod), "rv", pod.ResourceVersion)
 		state.observedRunningTime = p.clock.Now()
 	}
 }
diff --git a/pkg/kubelet/util/swap/swap_util.go b/pkg/kubelet/util/swap/swap_util.go
index 20f0e45ef5ff4..f64232ad26fbb 100644
--- a/pkg/kubelet/util/swap/swap_util.go
+++ b/pkg/kubelet/util/swap/swap_util.go
@@ -18,6 +18,7 @@ package swap
 
 import (
 	"bytes"
+	"context"
 	"errors"
 	"os"
 	sysruntime "runtime"
@@ -42,6 +43,9 @@ var (
 const TmpfsNoswapOption = "noswap"
 
 func IsTmpfsNoswapOptionSupported(mounter mount.Interface, mountPath string) bool {
+	// TODO: it needs to be replaced by a proper context in the future
+	ctx := context.TODO()
+	logger := klog.FromContext(ctx)
 	isTmpfsNoswapOptionSupportedHelper := func() bool {
 		if sysruntime.GOOS == "windows" {
 			return false
@@ -51,13 +55,13 @@ func IsTmpfsNoswapOptionSupported(mounter mount.Interface, mountPath string) boo
 			// Turning off swap in unprivileged tmpfs mounts unsupported
 			// https://github.com/torvalds/linux/blob/v6.8/mm/shmem.c#L4004-L4011
 			// https://github.com/kubernetes/kubernetes/issues/125137
-			klog.InfoS("Running under a user namespace - tmpfs noswap is not supported")
+			logger.Info("Running under a user namespace - tmpfs noswap is not supported")
 			return false
 		}
 
 		kernelVersion, err := utilkernel.GetVersion()
 		if err != nil {
-			klog.ErrorS(err, "cannot determine kernel version, unable to determine is tmpfs noswap is supported")
+			logger.Error(err, "cannot determine kernel version, unable to determine is tmpfs noswap is supported")
 			return false
 		}
 
@@ -66,31 +70,31 @@ func IsTmpfsNoswapOptionSupported(mounter mount.Interface, mountPath string) boo
 		}
 
 		if mountPath == "" {
-			klog.ErrorS(errors.New("mount path is empty, falling back to /tmp"), "")
+			logger.Error(errors.New("mount path is empty, falling back to /tmp"), "")
 		}
 
 		mountPath, err = os.MkdirTemp(mountPath, "tmpfs-noswap-test-")
 		if err != nil {
-			klog.InfoS("error creating dir to test if tmpfs noswap is enabled. Assuming not supported", "mount path", mountPath, "error", err)
+			logger.Info("error creating dir to test if tmpfs noswap is enabled. Assuming not supported", "mount path", mountPath, "error", err)
 			return false
 		}
 
 		defer func() {
 			err = os.RemoveAll(mountPath)
 			if err != nil {
-				klog.ErrorS(err, "error removing test tmpfs dir", "mount path", mountPath)
+				logger.Error(err, "error removing test tmpfs dir", "mount path", mountPath)
 			}
 		}()
 
 		err = mounter.MountSensitiveWithoutSystemd("tmpfs", mountPath, "tmpfs", []string{TmpfsNoswapOption}, nil)
 		if err != nil {
-			klog.InfoS("error mounting tmpfs with the noswap option. Assuming not supported", "error", err)
+			logger.Info("error mounting tmpfs with the noswap option. Assuming not supported", "error", err)
 			return false
 		}
 
 		err = mounter.Unmount(mountPath)
 		if err != nil {
-			klog.ErrorS(err, "error unmounting test tmpfs dir", "mount path", mountPath)
+			logger.Error(err, "error unmounting test tmpfs dir", "mount path", mountPath)
 		}
 
 		return true
@@ -104,7 +108,7 @@ func IsTmpfsNoswapOptionSupported(mounter mount.Interface, mountPath string) boo
 }
 
 // gets /proc/swaps's content as an input, returns true if swap is enabled.
-func isSwapOnAccordingToProcSwaps(procSwapsContent []byte) bool {
+func isSwapOnAccordingToProcSwaps(logger klog.Logger, procSwapsContent []byte) bool {
 	procSwapsContent = bytes.TrimSpace(procSwapsContent) // extra trailing \n
 	procSwapsStr := string(procSwapsContent)
 	procSwapsLines := strings.Split(procSwapsStr, "\n")
@@ -112,7 +116,7 @@ func isSwapOnAccordingToProcSwaps(procSwapsContent []byte) bool {
 	// If there is more than one line (table headers) in /proc/swaps then swap is enabled
 	isSwapOn := len(procSwapsLines) > 1
 	if isSwapOn {
-		klog.InfoS("Swap is on", "/proc/swaps contents", procSwapsStr)
+		logger.Info("Swap is on", "/proc/swaps contents", procSwapsStr)
 	}
 
 	return isSwapOn
@@ -127,18 +131,22 @@ func IsSwapOn() (bool, error) {
 			return false, nil
 		}
 
+		// TODO: it needs to be replaced by a proper context in the future
+		ctx := context.TODO()
+		logger := klog.FromContext(ctx)
+
 		const swapFilePath = "/proc/swaps"
 		procSwapsContent, err := os.ReadFile(swapFilePath)
 		if err != nil {
 			if os.IsNotExist(err) {
-				klog.InfoS("File does not exist, assuming that swap is disabled", "path", swapFilePath)
+				logger.Info("File does not exist, assuming that swap is disabled", "path", swapFilePath)
 				return false, nil
 			}
 
 			return false, err
 		}
 
-		return isSwapOnAccordingToProcSwaps(procSwapsContent), nil
+		return isSwapOnAccordingToProcSwaps(logger, procSwapsContent), nil
 	}
 
 	swapOnOnce.Do(func() {
diff --git a/pkg/kubelet/util/swap/swap_util_test.go b/pkg/kubelet/util/swap/swap_util_test.go
index 611c464b70fdd..1fe5cbb210e5a 100644
--- a/pkg/kubelet/util/swap/swap_util_test.go
+++ b/pkg/kubelet/util/swap/swap_util_test.go
@@ -16,7 +16,12 @@ limitations under the License.
 
 package swap
 
-import "testing"
+import (
+	"testing"
+
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
 
 func TestIsSwapEnabled(t *testing.T) {
 	testCases := []struct {
@@ -54,10 +59,12 @@ Filename				Type		Size		Used		Priority
 			expectedEnabled: false,
 		},
 	}
+	tCtx := ktesting.Init(t)
+	logger := klog.FromContext(tCtx)
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			isEnabled := isSwapOnAccordingToProcSwaps([]byte(tc.procSwapsContent))
+			isEnabled := isSwapOnAccordingToProcSwaps(logger, []byte(tc.procSwapsContent))
 			if isEnabled != tc.expectedEnabled {
 				t.Errorf("expected %v, got %v", tc.expectedEnabled, isEnabled)
 			}
diff --git a/pkg/kubelet/util/util.go b/pkg/kubelet/util/util.go
index 79473a1818436..8aa025abe3124 100644
--- a/pkg/kubelet/util/util.go
+++ b/pkg/kubelet/util/util.go
@@ -60,3 +60,52 @@ func GetContainerByIndex(containers []v1.Container, statuses []v1.ContainerStatu
 	}
 	return containers[idx], true
 }
+
+type ResourceOpts struct {
+	PodResources       *v1.ResourceRequirements
+	ContainerResources *v1.ResourceRequirements
+}
+
+// GetLimits calculates the resource limits for the container.
+// It uses the container's explicit limits first. If limits for CPU or Memory
+// are not explicitly set at the container level (i.e., they are zero),
+// the corresponding limits from the Pod's resource requirements are applied
+// as defaults to the returned map.
+// TODO(ndixita): Consolidate resource limit logic
+// The implementation of CPU/Memory limit calculation is duplicated here and in
+// pkg/kubelet/kuberuntime/kuberuntime_container_linux.go (getCPULimits/getMemoryLimits).
+// Refactor into a shared utility function.
+func GetLimits(res *ResourceOpts) v1.ResourceList {
+	if res == nil {
+		return v1.ResourceList{}
+	}
+
+	limitsOrEmpty := func(containerResources *v1.ResourceRequirements) v1.ResourceList {
+		if containerResources == nil || containerResources.Limits == nil {
+			return v1.ResourceList{}
+		}
+		return containerResources.Limits
+	}
+
+	containerLimits := limitsOrEmpty(res.ContainerResources)
+
+	if res.PodResources == nil || len(res.PodResources.Limits) == 0 {
+		// if pod-level limits are not set, return container-level limits
+		return containerLimits
+	}
+
+	podLevelLimits := res.PodResources.Limits
+
+	// When container-level CPU limit is not set, the pod-level
+	// limit CPU is applied at container-level
+	if containerLimits.Cpu().IsZero() && !podLevelLimits.Cpu().IsZero() {
+		containerLimits[v1.ResourceCPU] = podLevelLimits[v1.ResourceCPU]
+	}
+
+	// When container-level Memory limit is not set, the pod-level
+	// limit Memory is applied at container-level
+	if containerLimits.Memory().IsZero() && !podLevelLimits.Memory().IsZero() {
+		containerLimits[v1.ResourceMemory] = podLevelLimits[v1.ResourceMemory]
+	}
+	return containerLimits
+}
diff --git a/pkg/kubelet/util/util_test.go b/pkg/kubelet/util/util_test.go
index 8daeda9701b49..0a2cb990e5c7e 100644
--- a/pkg/kubelet/util/util_test.go
+++ b/pkg/kubelet/util/util_test.go
@@ -17,11 +17,13 @@ limitations under the License.
 package util
 
 import (
+	"reflect"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 )
 
 func TestGetNodenameForKernel(t *testing.T) {
@@ -143,3 +145,163 @@ func TestGetContainerByIndex(t *testing.T) {
 		}
 	}
 }
+
+func TestGetLimits(t *testing.T) {
+	testCases := []struct {
+		name               string
+		containerResources *v1.ResourceRequirements
+		podResources       *v1.ResourceRequirements
+		expectedLimits     v1.ResourceList
+	}{
+		{
+			name:               "empty resources",
+			containerResources: &v1.ResourceRequirements{},
+			podResources:       &v1.ResourceRequirements{},
+			expectedLimits:     v1.ResourceList{},
+		},
+		{
+			name:               "nil resources",
+			containerResources: nil,
+			podResources:       nil,
+			expectedLimits:     v1.ResourceList{},
+		},
+		{
+			name: "nil pod-resources",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				}},
+			podResources: nil,
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse("100m"),
+				v1.ResourceMemory: resource.MustParse("10Mi"),
+			},
+		},
+		{
+			name:               "nil container-resources",
+			containerResources: nil,
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				}},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse("100m"),
+				v1.ResourceMemory: resource.MustParse("10Mi"),
+			},
+		},
+		{
+			name: "container limits not set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse("100m"),
+				v1.ResourceMemory: resource.MustParse("10Mi"),
+			},
+		},
+		{
+			name: "container cpu limits not set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("5Mi"),
+				},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse("100m"),
+				v1.ResourceMemory: resource.MustParse("5Mi"),
+			},
+		},
+		{
+			name: "container memory limits not set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("50m"),
+				},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("100m"),
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse("50m"),
+				v1.ResourceMemory: resource.MustParse("10Mi"),
+			},
+		},
+		{
+			name: "container and pod memory limits not set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("50m"),
+				},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("100m"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceCPU: resource.MustParse("50m"),
+			},
+		},
+		{
+			name: "container and pod cpu limits not set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("5Mi"),
+				},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse("5Mi"),
+			},
+		},
+		{
+			name: "container and pod cpu memory limits set",
+			containerResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("5Mi"),
+					v1.ResourceCPU:    resource.MustParse("50m"),
+				},
+			},
+			podResources: &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceMemory: resource.MustParse("10Mi"),
+					v1.ResourceCPU:    resource.MustParse("60m"),
+				},
+			},
+			expectedLimits: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse("5Mi"),
+				v1.ResourceCPU:    resource.MustParse("50m"),
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			gotLimits := GetLimits(&ResourceOpts{PodResources: tc.podResources, ContainerResources: tc.containerResources})
+			if !reflect.DeepEqual(tc.expectedLimits, gotLimits) {
+				t.Errorf("got limits: %v, expected limits: %v", gotLimits, tc.expectedLimits)
+			}
+		})
+	}
+}
diff --git a/pkg/kubelet/volume_host_test.go b/pkg/kubelet/volume_host_test.go
index d7af0a2ab8f3e..a13656868618c 100644
--- a/pkg/kubelet/volume_host_test.go
+++ b/pkg/kubelet/volume_host_test.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/kubernetes/pkg/kubelet/podcertificate"
 )
 
 type recordingPodCertificateManager struct {
@@ -46,6 +47,10 @@ func (f *recordingPodCertificateManager) TrackPod(ctx context.Context, pod *core
 
 func (f *recordingPodCertificateManager) ForgetPod(ctx context.Context, pod *corev1.Pod) {}
 
+func (f *recordingPodCertificateManager) MetricReport() *podcertificate.MetricReport {
+	return &podcertificate.MetricReport{}
+}
+
 // Check that GetPodCertificateCredentialBundle forwards its arguments in the
 // correct order.  Seems excessive, but we got here because I put the arguments
 // in the wrong order...
diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
index ea5cf573da388..899d87da6ef1b 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world.go
@@ -149,9 +149,9 @@ type ActualStateOfWorld interface {
 	// current actual state of the world.
 	GetMountedVolumesForPod(podName volumetypes.UniquePodName) []MountedVolume
 
-	// GetMountedVolumeForPodByOuterVolumeSpecName returns the volume and true if
-	// the given outerVolumeSpecName is mounted on the given pod.
-	GetMountedVolumeForPodByOuterVolumeSpecName(podName volumetypes.UniquePodName, outerVolumeSpecName string) (MountedVolume, bool)
+	// GetMountedVolumeForPod returns the volume and true if
+	// the given name is mounted on the given pod.
+	GetMountedVolumeForPod(podName volumetypes.UniquePodName, volumeName v1.UniqueVolumeName) (MountedVolume, bool)
 
 	// GetPossiblyMountedVolumesForPod generates and returns a list of volumes for
 	// the specified pod that either are attached and mounted or are "uncertain",
@@ -356,12 +356,6 @@ type mountedPod struct {
 	// /var/lib/kubelet/pods/{podUID}/volumes/{escapeQualifiedPluginName}/{volumeSpecName}/
 	volumeSpec *volume.Spec
 
-	// outerVolumeSpecName is the volume.Spec.Name() of the volume as referenced
-	// directly in the pod. If the volume was referenced through a persistent
-	// volume claim, this contains the volume.Spec.Name() of the persistent
-	// volume claim
-	outerVolumeSpecName string
-
 	// remountRequired indicates the underlying volume has been successfully
 	// mounted to this pod but it should be remounted to reflect changes in the
 	// referencing pod.
@@ -484,7 +478,6 @@ func (asw *actualStateOfWorld) CheckAndMarkVolumeAsUncertainViaReconstruction(op
 	volumeName := opts.VolumeName
 	mounter := opts.Mounter
 	blockVolumeMapper := opts.BlockVolumeMapper
-	outerVolumeSpecName := opts.OuterVolumeSpecName
 	volumeGIDValue := opts.VolumeGIDVolume
 	volumeSpec := opts.VolumeSpec
 
@@ -493,7 +486,6 @@ func (asw *actualStateOfWorld) CheckAndMarkVolumeAsUncertainViaReconstruction(op
 		podUID:                 podUID,
 		mounter:                mounter,
 		blockVolumeMapper:      blockVolumeMapper,
-		outerVolumeSpecName:    outerVolumeSpecName,
 		volumeGIDValue:         volumeGIDValue,
 		volumeSpec:             volumeSpec,
 		remountRequired:        false,
@@ -731,7 +723,6 @@ func (asw *actualStateOfWorld) AddPodToVolume(markVolumeOpts operationexecutor.M
 	volumeName := markVolumeOpts.VolumeName
 	mounter := markVolumeOpts.Mounter
 	blockVolumeMapper := markVolumeOpts.BlockVolumeMapper
-	outerVolumeSpecName := markVolumeOpts.OuterVolumeSpecName
 	volumeGIDValue := markVolumeOpts.VolumeGIDVolume
 	volumeSpec := markVolumeOpts.VolumeSpec
 	asw.Lock()
@@ -760,7 +751,6 @@ func (asw *actualStateOfWorld) AddPodToVolume(markVolumeOpts operationexecutor.M
 			podUID:                 podUID,
 			mounter:                mounter,
 			blockVolumeMapper:      blockVolumeMapper,
-			outerVolumeSpecName:    outerVolumeSpecName,
 			volumeGIDValue:         volumeGIDValue,
 			volumeSpec:             volumeSpec,
 			volumeMountStateForPod: markVolumeOpts.VolumeMountState,
@@ -1102,15 +1092,14 @@ func (asw *actualStateOfWorld) GetMountedVolumesForPod(
 	return mountedVolume
 }
 
-func (asw *actualStateOfWorld) GetMountedVolumeForPodByOuterVolumeSpecName(
-	podName volumetypes.UniquePodName, outerVolumeSpecName string) (MountedVolume, bool) {
+func (asw *actualStateOfWorld) GetMountedVolumeForPod(
+	podName volumetypes.UniquePodName, volumeName v1.UniqueVolumeName) (MountedVolume, bool) {
 	asw.RLock()
 	defer asw.RUnlock()
-	for _, volumeObj := range asw.attachedVolumes {
-		if podObj, hasPod := volumeObj.mountedPods[podName]; hasPod {
-			if podObj.volumeMountStateForPod == operationexecutor.VolumeMounted && podObj.outerVolumeSpecName == outerVolumeSpecName {
-				return getMountedVolume(&podObj, &volumeObj), true
-			}
+	volumeObj := asw.attachedVolumes[volumeName]
+	if podObj, hasPod := volumeObj.mountedPods[podName]; hasPod {
+		if podObj.volumeMountStateForPod == operationexecutor.VolumeMounted {
+			return getMountedVolume(&podObj, &volumeObj), true
 		}
 	}
 
@@ -1308,7 +1297,6 @@ func getMountedVolume(
 			PodName:             mountedPod.podName,
 			VolumeName:          attachedVolume.volumeName,
 			InnerVolumeSpecName: mountedPod.volumeSpec.Name(),
-			OuterVolumeSpecName: mountedPod.outerVolumeSpecName,
 			PluginName:          attachedVolume.pluginName,
 			PodUID:              mountedPod.podUID,
 			Mounter:             mountedPod.mounter,
diff --git a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
index f7ccaded3ce8c..1b4f7fb7e0c8d 100644
--- a/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
+++ b/pkg/kubelet/volumemanager/cache/actual_state_of_world_test.go
@@ -232,13 +232,12 @@ func Test_AddPodToVolume_Positive_ExistingVolumeNewNode(t *testing.T) {
 
 	// Act
 	markVolumeOpts := operationexecutor.MarkVolumeOpts{
-		PodName:             podName,
-		PodUID:              pod.UID,
-		VolumeName:          generatedVolumeName,
-		Mounter:             mounter,
-		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
-		VolumeSpec:          volumeSpec,
+		PodName:           podName,
+		PodUID:            pod.UID,
+		VolumeName:        generatedVolumeName,
+		Mounter:           mounter,
+		BlockVolumeMapper: mapper,
+		VolumeSpec:        volumeSpec,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts)
 	// Assert
@@ -307,13 +306,12 @@ func Test_AddPodToVolume_Positive_ExistingVolumeExistingNode(t *testing.T) {
 	}
 
 	markVolumeOpts := operationexecutor.MarkVolumeOpts{
-		PodName:             podName,
-		PodUID:              pod.UID,
-		VolumeName:          generatedVolumeName,
-		Mounter:             mounter,
-		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
-		VolumeSpec:          volumeSpec,
+		PodName:           podName,
+		PodUID:            pod.UID,
+		VolumeName:        generatedVolumeName,
+		Mounter:           mounter,
+		BlockVolumeMapper: mapper,
+		VolumeSpec:        volumeSpec,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts)
 	if err != nil {
@@ -415,13 +413,12 @@ func Test_AddTwoPodsToVolume_Positive(t *testing.T) {
 	}
 
 	markVolumeOpts1 := operationexecutor.MarkVolumeOpts{
-		PodName:             podName1,
-		PodUID:              pod1.UID,
-		VolumeName:          generatedVolumeName1,
-		Mounter:             mounter1,
-		BlockVolumeMapper:   mapper1,
-		OuterVolumeSpecName: volumeSpec1.Name(),
-		VolumeSpec:          volumeSpec1,
+		PodName:           podName1,
+		PodUID:            pod1.UID,
+		VolumeName:        generatedVolumeName1,
+		Mounter:           mounter1,
+		BlockVolumeMapper: mapper1,
+		VolumeSpec:        volumeSpec1,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts1)
 	if err != nil {
@@ -441,13 +438,12 @@ func Test_AddTwoPodsToVolume_Positive(t *testing.T) {
 	}
 
 	markVolumeOpts2 := operationexecutor.MarkVolumeOpts{
-		PodName:             podName2,
-		PodUID:              pod2.UID,
-		VolumeName:          generatedVolumeName1,
-		Mounter:             mounter2,
-		BlockVolumeMapper:   mapper2,
-		OuterVolumeSpecName: volumeSpec2.Name(),
-		VolumeSpec:          volumeSpec2,
+		PodName:           podName2,
+		PodUID:            pod2.UID,
+		VolumeName:        generatedVolumeName1,
+		Mounter:           mounter2,
+		BlockVolumeMapper: mapper2,
+		VolumeSpec:        volumeSpec2,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts2)
 	if err != nil {
@@ -603,14 +599,13 @@ func TestActualStateOfWorld_FoundDuringReconstruction(t *testing.T) {
 			}
 
 			markVolumeOpts1 := operationexecutor.MarkVolumeOpts{
-				PodName:             podName1,
-				PodUID:              pod1.UID,
-				VolumeName:          generatedVolumeName1,
-				Mounter:             mounter1,
-				BlockVolumeMapper:   mapper1,
-				OuterVolumeSpecName: volumeSpec1.Name(),
-				VolumeSpec:          volumeSpec1,
-				VolumeMountState:    operationexecutor.VolumeMountUncertain,
+				PodName:           podName1,
+				PodUID:            pod1.UID,
+				VolumeName:        generatedVolumeName1,
+				Mounter:           mounter1,
+				BlockVolumeMapper: mapper1,
+				VolumeSpec:        volumeSpec1,
+				VolumeMountState:  operationexecutor.VolumeMountUncertain,
 			}
 			_, err = asw.CheckAndMarkVolumeAsUncertainViaReconstruction(markVolumeOpts1)
 			if err != nil {
@@ -687,13 +682,12 @@ func Test_MarkVolumeAsDetached_Negative_PodInVolume(t *testing.T) {
 	}
 
 	markVolumeOpts := operationexecutor.MarkVolumeOpts{
-		PodName:             podName,
-		PodUID:              pod.UID,
-		VolumeName:          generatedVolumeName,
-		Mounter:             mounter,
-		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
-		VolumeSpec:          volumeSpec,
+		PodName:           podName,
+		PodUID:            pod.UID,
+		VolumeName:        generatedVolumeName,
+		Mounter:           mounter,
+		BlockVolumeMapper: mapper,
+		VolumeSpec:        volumeSpec,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts)
 	if err != nil {
@@ -794,13 +788,12 @@ func Test_AddPodToVolume_Negative_VolumeDoesntExist(t *testing.T) {
 
 	// Act
 	markVolumeOpts := operationexecutor.MarkVolumeOpts{
-		PodName:             podName,
-		PodUID:              pod.UID,
-		VolumeName:          volumeName,
-		Mounter:             mounter,
-		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
-		VolumeSpec:          volumeSpec,
+		PodName:           podName,
+		PodUID:            pod.UID,
+		VolumeName:        volumeName,
+		Mounter:           mounter,
+		BlockVolumeMapper: mapper,
+		VolumeSpec:        volumeSpec,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts)
 	// Assert
@@ -930,7 +923,6 @@ func Test_AddPodToVolume_Positive_SELinux(t *testing.T) {
 		VolumeName:          generatedVolumeName,
 		Mounter:             mounter,
 		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
 		VolumeSpec:          volumeSpec,
 		SELinuxMountContext: "system_u:object_r:container_file_t:s0:c0,c1",
 		VolumeMountState:    operationexecutor.VolumeMounted,
@@ -1044,13 +1036,12 @@ func TestUncertainVolumeMounts(t *testing.T) {
 	}
 
 	markVolumeOpts1 := operationexecutor.MarkVolumeOpts{
-		PodName:             podName1,
-		PodUID:              pod1.UID,
-		VolumeName:          generatedVolumeName1,
-		Mounter:             mounter1,
-		OuterVolumeSpecName: volumeSpec1.Name(),
-		VolumeSpec:          volumeSpec1,
-		VolumeMountState:    operationexecutor.VolumeMountUncertain,
+		PodName:          podName1,
+		PodUID:           pod1.UID,
+		VolumeName:       generatedVolumeName1,
+		Mounter:          mounter1,
+		VolumeSpec:       volumeSpec1,
+		VolumeMountState: operationexecutor.VolumeMountUncertain,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts1)
 	if err != nil {
diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
index f09c4bec21b2e..e61e859fe85a2 100644
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@@ -22,6 +22,7 @@ package cache
 
 import (
 	"fmt"
+	"slices"
 	"sync"
 	"time"
 
@@ -99,6 +100,9 @@ type DesiredStateOfWorld interface {
 	// attached volumes, false is returned.
 	PodExistsInVolume(podName types.UniquePodName, volumeName v1.UniqueVolumeName, seLinuxMountContext string) bool
 
+	// GetVolumeName returns the UniqueVolumeName for the given pod, indexed by outerVolumeSpecName.
+	GetVolumeNamesForPod(podName types.UniquePodName) map[string]v1.UniqueVolumeName
+
 	// GetVolumesToMount generates and returns a list of volumes that should be
 	// attached to this node and the pods they should be mounted to based on the
 	// current desired state of the world.
@@ -242,11 +246,8 @@ type podToMount struct {
 	// PVC volumes it is from the dereferenced PV object.
 	volumeSpec *volume.Spec
 
-	// outerVolumeSpecName is the volume.Spec.Name() of the volume as referenced
-	// directly in the pod. If the volume was referenced through a persistent
-	// volume claim, this contains the volume.Spec.Name() of the persistent
-	// volume claim
-	outerVolumeSpecName string
+	// outerVolumeSpecNames are the podSpec.Volume[x].Name of the volume.
+	outerVolumeSpecNames []string
 	// mountRequestTime stores time at which mount was requested
 	mountRequestTime time.Time
 }
@@ -356,8 +357,15 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 
 	oldPodMount, ok := dsw.volumesToMount[volumeName].podsToMount[podName]
 	mountRequestTime := time.Now()
-	if ok && !volumePlugin.RequiresRemount(volumeSpec) {
-		mountRequestTime = oldPodMount.mountRequestTime
+	var outerVolumeSpecNames []string
+	if ok {
+		if !volumePlugin.RequiresRemount(volumeSpec) {
+			mountRequestTime = oldPodMount.mountRequestTime
+		}
+		outerVolumeSpecNames = oldPodMount.outerVolumeSpecNames
+	}
+	if !slices.Contains(outerVolumeSpecNames, outerVolumeSpecName) {
+		outerVolumeSpecNames = append(outerVolumeSpecNames, outerVolumeSpecName)
 	}
 
 	if !ok {
@@ -385,11 +393,11 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 	// updated values (this is required for volumes that require remounting on
 	// pod update, like Downward API volumes).
 	dsw.volumesToMount[volumeName].podsToMount[podName] = podToMount{
-		podName:             podName,
-		pod:                 pod,
-		volumeSpec:          volumeSpec,
-		outerVolumeSpecName: outerVolumeSpecName,
-		mountRequestTime:    mountRequestTime,
+		podName:              podName,
+		pod:                  pod,
+		volumeSpec:           volumeSpec,
+		outerVolumeSpecNames: outerVolumeSpecNames,
+		mountRequestTime:     mountRequestTime,
 	}
 	return volumeName, nil
 }
@@ -562,6 +570,19 @@ func (dsw *desiredStateOfWorld) GetPods() map[types.UniquePodName]bool {
 	return podList
 }
 
+func (dsw *desiredStateOfWorld) GetVolumeNamesForPod(podName types.UniquePodName) map[string]v1.UniqueVolumeName {
+	dsw.RLock()
+	defer dsw.RUnlock()
+
+	volumeNames := make(map[string]v1.UniqueVolumeName)
+	for volumeName, volumeObj := range dsw.volumesToMount {
+		for _, outerVolumeSpecName := range volumeObj.podsToMount[podName].outerVolumeSpecNames {
+			volumeNames[outerVolumeSpecName] = volumeName
+		}
+	}
+	return volumeNames
+}
+
 func (dsw *desiredStateOfWorld) GetVolumesToMount() []VolumeToMount {
 	dsw.RLock()
 	defer dsw.RUnlock()
@@ -577,7 +598,7 @@ func (dsw *desiredStateOfWorld) GetVolumesToMount() []VolumeToMount {
 					VolumeSpec:              podObj.volumeSpec,
 					PluginIsAttachable:      volumeObj.pluginIsAttachable,
 					PluginIsDeviceMountable: volumeObj.pluginIsDeviceMountable,
-					OuterVolumeSpecName:     podObj.outerVolumeSpecName,
+					OuterVolumeSpecNames:    podObj.outerVolumeSpecNames,
 					VolumeGIDValue:          volumeObj.volumeGIDValue,
 					ReportedInUse:           volumeObj.reportedInUse,
 					MountRequestTime:        podObj.mountRequestTime,
@@ -649,7 +670,7 @@ func handleSELinuxMetricError(logger klog.Logger, err error, seLinuxSupported bo
 
 	// This is not an error yet, but it will be when support for other access modes is added.
 	warningMetric.Add(1.0)
-	logger.V(4).Error(err, "Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file")
+	logger.V(4).Info("Please report this error in https://github.com/kubernetes/enhancements/issues/1710, together with full Pod yaml file", "err", err)
 	return nil
 }
 
@@ -664,7 +685,7 @@ func getVolumePluginNameWithDriver(logger klog.Logger, plugin volume.VolumePlugi
 	driverName, err := csi.GetCSIDriverName(spec)
 	if err != nil {
 		// In theory this is unreachable - such volume would not pass validation.
-		logger.V(4).Error(err, "failed to get CSI driver name from volume spec")
+		logger.V(4).Info("failed to get CSI driver name from volume spec", "err", err)
 		driverName = "unknown"
 	}
 	// `/` is used to separate plugin + CSI driver in util.GetUniqueVolumeName() too
diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go
index 33b21e7a50343..b8269c8b7e651 100644
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package cache
 
 import (
+	"maps"
+	"slices"
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
@@ -76,7 +78,7 @@ func Test_AddPodToVolume_Positive_NewPodNewVolume(t *testing.T) {
 
 	verifyVolumeExistsDsw(t, generatedVolumeName, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolumeName, false /* expectReportedInUse */, dsw)
+		t, generatedVolumeName, []string{"volume-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsWithSpecNameInVolumeDsw(t, podName, volumeSpec.Name(), dsw)
 }
@@ -130,14 +132,14 @@ func Test_AddPodToVolume_Positive_ExistingPodExistingVolume(t *testing.T) {
 	}
 	verifyVolumeExistsDsw(t, generatedVolumeName, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolumeName, false /* expectReportedInUse */, dsw)
+		t, generatedVolumeName, []string{"volume-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsWithSpecNameInVolumeDsw(t, podName, volumeSpec.Name(), dsw)
 }
 
 // Call AddPodToVolume() on different pods for different kinds of volumes
-// Verities generated names are same for different pods if volume is device mountable or attachable
-// Verities generated names are different for different pods if volume is not device mountble and attachable
+// Verifies generated names are same for different pods if volume is device mountable or attachable
+// Verifies generated names are different for different pods if volume is not device mountble and attachable
 func Test_AddPodToVolume_Positive_NamesForDifferentPodsAndDifferentVolumes(t *testing.T) {
 	logger, _ := ktesting.NewTestContext(t)
 	// Arrange
@@ -299,6 +301,59 @@ func Test_AddPodToVolume_Positive_NamesForDifferentPodsAndDifferentVolumes(t *te
 
 }
 
+func Test_AddPodToVolume_Positive_MultiOuterNames(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	// Arrange
+	volumePluginMgr, _ := volumetesting.GetTestKubeletVolumePluginMgr(t)
+	seLinuxTranslator := util.NewFakeSELinuxLabelTranslator()
+	dsw := NewDesiredStateOfWorld(volumePluginMgr, seLinuxTranslator)
+	pod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pod5",
+			UID:  "pod5uid",
+		},
+		Spec: v1.PodSpec{
+			Volumes: []v1.Volume{
+				{
+					Name: "volume-name-1",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device1",
+						},
+					},
+				}, {
+					Name: "volume-name-2",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device1",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	volumeSpec1 := &volume.Spec{Volume: &pod.Spec.Volumes[0]}
+	volumeSpec2 := &volume.Spec{Volume: &pod.Spec.Volumes[1]}
+	podName := util.GetUniquePodName(pod)
+
+	// Act
+	_, err := dsw.AddPodToVolume(
+		logger, podName, pod, volumeSpec1, volumeSpec1.Name(), "" /* volumeGIDValue */, nil /* seLinuxContainerContexts */)
+	if err != nil {
+		t.Fatalf("AddPodToVolume failed. Expected: <no error> Actual: <%v>", err)
+	}
+	generatedVolumeName, err := dsw.AddPodToVolume(
+		logger, podName, pod, volumeSpec2, volumeSpec2.Name(), "" /* volumeGIDValue */, nil /* seLinuxContainerContexts */)
+	if err != nil {
+		t.Fatalf("AddPodToVolume failed. Expected: <no error> Actual: <%v>", err)
+	}
+
+	// Assert
+	verifyVolumeExistsInVolumesToMount(
+		t, generatedVolumeName, []string{"volume-name-1", "volume-name-2"}, false /* expectReportedInUse */, dsw)
+}
+
 // Populates data struct with a new volume/pod
 // Calls DeletePodFromVolume() to removes the pod
 // Verifies newly added pod/volume are deleted
@@ -336,7 +391,7 @@ func Test_DeletePodFromVolume_Positive_PodExistsVolumeExists(t *testing.T) {
 	}
 	verifyVolumeExistsDsw(t, generatedVolumeName, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolumeName, false /* expectReportedInUse */, dsw)
+		t, generatedVolumeName, []string{"volume-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, "" /* SELinuxContext */, dsw)
 
 	// Act
@@ -454,15 +509,15 @@ func Test_MarkVolumesReportedInUse_Positive_NewPodNewVolume(t *testing.T) {
 	// Assert
 	verifyVolumeExistsDsw(t, generatedVolume1Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume1Name, false /* expectReportedInUse */, dsw)
+		t, generatedVolume1Name, []string{"volume1-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod1Name, generatedVolume1Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsDsw(t, generatedVolume2Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume2Name, true /* expectReportedInUse */, dsw)
+		t, generatedVolume2Name, []string{"volume2-name"}, true /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod2Name, generatedVolume2Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsDsw(t, generatedVolume3Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume3Name, false /* expectReportedInUse */, dsw)
+		t, generatedVolume3Name, []string{"volume3-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod3Name, generatedVolume3Name, "" /* SELinuxContext */, dsw)
 
 	// Act
@@ -472,15 +527,15 @@ func Test_MarkVolumesReportedInUse_Positive_NewPodNewVolume(t *testing.T) {
 	// Assert
 	verifyVolumeExistsDsw(t, generatedVolume1Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume1Name, false /* expectReportedInUse */, dsw)
+		t, generatedVolume1Name, []string{"volume1-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod1Name, generatedVolume1Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsDsw(t, generatedVolume2Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume2Name, false /* expectReportedInUse */, dsw)
+		t, generatedVolume2Name, []string{"volume2-name"}, false /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod2Name, generatedVolume2Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsDsw(t, generatedVolume3Name, "" /* SELinuxContext */, dsw)
 	verifyVolumeExistsInVolumesToMount(
-		t, generatedVolume3Name, true /* expectReportedInUse */, dsw)
+		t, generatedVolume3Name, []string{"volume3-name"}, true /* expectReportedInUse */, dsw)
 	verifyPodExistsInVolumeDsw(t, pod3Name, generatedVolume3Name, "" /* SELinuxContext */, dsw)
 }
 
@@ -880,7 +935,7 @@ func Test_AddPodToVolume_SELinuxSinglePod(t *testing.T) {
 
 			// Act
 			generatedVolumeName, err := dsw.AddPodToVolume(
-				logger, podName, pod, volumeSpec, volumeSpec.Name(), "" /* volumeGIDValue */, seLinuxContainerContexts)
+				logger, podName, pod, volumeSpec, pod.Spec.Volumes[0].Name, "" /* volumeGIDValue */, seLinuxContainerContexts)
 
 			// Assert
 			if tc.expectError {
@@ -895,7 +950,7 @@ func Test_AddPodToVolume_SELinuxSinglePod(t *testing.T) {
 
 			verifyVolumeExistsDsw(t, generatedVolumeName, tc.expectedSELinuxLabel, dsw)
 			verifyVolumeExistsInVolumesToMount(
-				t, generatedVolumeName, false /* expectReportedInUse */, dsw)
+				t, generatedVolumeName, []string{"volume-name"}, false /* expectReportedInUse */, dsw)
 			verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, tc.expectedSELinuxLabel, dsw)
 			verifyVolumeExistsWithSpecNameInVolumeDsw(t, podName, volumeSpec.Name(), dsw)
 		})
@@ -1230,7 +1285,7 @@ func Test_AddPodToVolume_SELinux_MultiplePods(t *testing.T) {
 
 			// Act
 			generatedVolumeName, err := dsw.AddPodToVolume(
-				logger, podName, pod, volumeSpec, volumeSpec.Name(), "" /* volumeGIDValue */, seLinuxContainerContexts)
+				logger, podName, pod, volumeSpec, pod.Spec.Volumes[0].Name, "" /* volumeGIDValue */, seLinuxContainerContexts)
 
 			// Assert
 			if err != nil {
@@ -1239,7 +1294,7 @@ func Test_AddPodToVolume_SELinux_MultiplePods(t *testing.T) {
 
 			verifyVolumeExistsDsw(t, generatedVolumeName, tc.expectedSELinuxLabel, dsw)
 			verifyVolumeExistsInVolumesToMount(
-				t, generatedVolumeName, false /* expectReportedInUse */, dsw)
+				t, generatedVolumeName, []string{"volume-name"}, false /* expectReportedInUse */, dsw)
 			verifyPodExistsInVolumeDsw(t, podName, generatedVolumeName, tc.expectedSELinuxLabel, dsw)
 			verifyVolumeExistsWithSpecNameInVolumeDsw(t, podName, volumeSpec.Name(), dsw)
 
@@ -1254,7 +1309,7 @@ func Test_AddPodToVolume_SELinux_MultiplePods(t *testing.T) {
 
 			// Act
 			generatedVolumeName2, err := dsw.AddPodToVolume(
-				logger, pod2Name, pod2, volumeSpec, volumeSpec.Name(), "" /* volumeGIDValue */, seLinuxContainerContexts)
+				logger, pod2Name, pod2, volumeSpec, pod2.Spec.Volumes[0].Name, "" /* volumeGIDValue */, seLinuxContainerContexts)
 			// Assert
 			if tc.expectError {
 				if err == nil {
@@ -1275,6 +1330,102 @@ func Test_AddPodToVolume_SELinux_MultiplePods(t *testing.T) {
 	}
 }
 
+func TestGetVolumeNamesForPod(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	volumePluginMgr, _ := volumetesting.GetTestKubeletVolumePluginMgr(t)
+	seLinuxTranslator := util.NewFakeSELinuxLabelTranslator()
+	dsw := NewDesiredStateOfWorld(volumePluginMgr, seLinuxTranslator)
+
+	pod1 := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pod1",
+			UID:  "pod1-uid",
+		},
+		Spec: v1.PodSpec{
+			Volumes: []v1.Volume{
+				{
+					Name: "volume1-name",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device1",
+						},
+					},
+				},
+				{
+					Name: "volume1-dup",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device1",
+						},
+					},
+				},
+				{
+					Name: "volume3-name",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device3",
+						},
+					},
+				},
+			},
+		},
+	}
+	pod2 := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pod2",
+			UID:  "pod2-uid",
+		},
+		Spec: v1.PodSpec{
+			Volumes: []v1.Volume{
+				{
+					Name: "volume2-name",
+					VolumeSource: v1.VolumeSource{
+						GCEPersistentDisk: &v1.GCEPersistentDiskVolumeSource{
+							PDName: "fake-device2",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	addVolume := func(pod *v1.Pod, index int) {
+		volumeSpec := &volume.Spec{
+			Volume: &pod.Spec.Volumes[index],
+		}
+		podName := util.GetUniquePodName(pod)
+		_, err := dsw.AddPodToVolume(
+			logger, podName, pod, volumeSpec, volumeSpec.Name(), "" /* volumeGIDValue */, nil /* seLinuxContainerContexts */)
+		if err != nil {
+			t.Fatalf("AddPodToVolume failed. Expected: <no error> Actual: <%v>", err)
+		}
+	}
+
+	addVolume(pod1, 0)
+	addVolume(pod1, 1)
+	addVolume(pod1, 2)
+	addVolume(pod2, 0)
+
+	verifyVolumeNames := func(pod *v1.Pod, expectedVolumeNames map[string]v1.UniqueVolumeName) {
+		t.Run(pod.Name, func(t *testing.T) {
+			podName := util.GetUniquePodName(pod)
+			actualVolumeNames := dsw.GetVolumeNamesForPod(podName)
+			if !maps.Equal(expectedVolumeNames, actualVolumeNames) {
+				t.Errorf("GetVolumeNamesForPod returned incorrect value. Expected: <%v> Actual: <%v>",
+					expectedVolumeNames, actualVolumeNames)
+			}
+		})
+	}
+	verifyVolumeNames(pod1, map[string]v1.UniqueVolumeName{
+		"volume1-name": "fake-plugin/fake-device1",
+		"volume1-dup":  "fake-plugin/fake-device1",
+		"volume3-name": "fake-plugin/fake-device3",
+	})
+	verifyVolumeNames(pod2, map[string]v1.UniqueVolumeName{
+		"volume2-name": "fake-plugin/fake-device2",
+	})
+}
+
 func verifyVolumeExistsDsw(
 	t *testing.T, expectedVolumeName v1.UniqueVolumeName, expectedSELinuxContext string, dsw DesiredStateOfWorld) {
 	volumeExists := dsw.VolumeExists(expectedVolumeName, expectedSELinuxContext)
@@ -1300,6 +1451,7 @@ func verifyVolumeDoesntExist(
 func verifyVolumeExistsInVolumesToMount(
 	t *testing.T,
 	expectedVolumeName v1.UniqueVolumeName,
+	expectedOuterNames []string,
 	expectReportedInUse bool,
 	dsw DesiredStateOfWorld) {
 	volumesToMount := dsw.GetVolumesToMount()
@@ -1313,6 +1465,12 @@ func verifyVolumeExistsInVolumesToMount(
 					volume.ReportedInUse)
 			}
 
+			names := volume.OuterVolumeSpecNames
+			slices.Sort(names)
+			if !slices.Equal(names, expectedOuterNames) {
+				t.Fatalf("Expected outer volume spec names to be %v, got %v", expectedOuterNames, names)
+			}
+
 			return
 		}
 	}
diff --git a/pkg/kubelet/volumemanager/metrics/metrics_test.go b/pkg/kubelet/volumemanager/metrics/metrics_test.go
index d2df2e3a66e63..d819b1ea8a2b6 100644
--- a/pkg/kubelet/volumemanager/metrics/metrics_test.go
+++ b/pkg/kubelet/volumemanager/metrics/metrics_test.go
@@ -83,14 +83,13 @@ func TestMetricCollection(t *testing.T) {
 	}
 
 	markVolumeOpts := operationexecutor.MarkVolumeOpts{
-		PodName:             podName,
-		PodUID:              pod.UID,
-		VolumeName:          generatedVolumeName,
-		Mounter:             mounter,
-		BlockVolumeMapper:   mapper,
-		OuterVolumeSpecName: volumeSpec.Name(),
-		VolumeSpec:          volumeSpec,
-		VolumeMountState:    operationexecutor.VolumeMounted,
+		PodName:           podName,
+		PodUID:            pod.UID,
+		VolumeName:        generatedVolumeName,
+		Mounter:           mounter,
+		BlockVolumeMapper: mapper,
+		VolumeSpec:        volumeSpec,
+		VolumeMountState:  operationexecutor.VolumeMounted,
 	}
 	err = asw.AddPodToVolume(markVolumeOpts)
 	if err != nil {
diff --git a/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go b/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go
index f3404b0c43fff..005c3bf71c1b9 100644
--- a/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go
+++ b/pkg/kubelet/volumemanager/populator/desired_state_of_world_populator_test.go
@@ -406,13 +406,12 @@ func TestFindAndRemoveDeletedPodsWithUncertain(t *testing.T) {
 
 	// Mark the volume as uncertain
 	opts := operationexecutor.MarkVolumeOpts{
-		PodName:             util.GetUniquePodName(pod),
-		PodUID:              pod.UID,
-		VolumeName:          expectedVolumeName,
-		OuterVolumeSpecName: "dswp-test-volume-name",
-		VolumeGIDVolume:     "",
-		VolumeSpec:          volume.NewSpecFromPersistentVolume(pv, false),
-		VolumeMountState:    operationexecutor.VolumeMountUncertain,
+		PodName:          util.GetUniquePodName(pod),
+		PodUID:           pod.UID,
+		VolumeName:       expectedVolumeName,
+		VolumeGIDVolume:  "",
+		VolumeSpec:       volume.NewSpecFromPersistentVolume(pv, false),
+		VolumeMountState: operationexecutor.VolumeMountUncertain,
 	}
 	err := dswp.actualStateOfWorld.MarkVolumeMountAsUncertain(opts)
 	if err != nil {
@@ -1394,13 +1393,12 @@ func reconcileASW(asw cache.ActualStateOfWorld, dsw cache.DesiredStateOfWorld, t
 			t.Fatalf("Unexpected error when MarkVolumeAsAttached: %v", err)
 		}
 		markVolumeOpts := operationexecutor.MarkVolumeOpts{
-			PodName:             volumeToMount.PodName,
-			PodUID:              volumeToMount.Pod.UID,
-			VolumeName:          volumeToMount.VolumeName,
-			OuterVolumeSpecName: volumeToMount.OuterVolumeSpecName,
-			VolumeGIDVolume:     volumeToMount.VolumeGIDValue,
-			VolumeSpec:          volumeToMount.VolumeSpec,
-			VolumeMountState:    operationexecutor.VolumeMounted,
+			PodName:          volumeToMount.PodName,
+			PodUID:           volumeToMount.Pod.UID,
+			VolumeName:       volumeToMount.VolumeName,
+			VolumeGIDVolume:  volumeToMount.VolumeGIDValue,
+			VolumeSpec:       volumeToMount.VolumeSpec,
+			VolumeMountState: operationexecutor.VolumeMounted,
 		}
 		err = asw.MarkVolumeAsMounted(markVolumeOpts)
 		if err != nil {
diff --git a/pkg/kubelet/volumemanager/reconciler/reconciler_test.go b/pkg/kubelet/volumemanager/reconciler/reconciler_test.go
index fc898038e4890..ec907e886bb60 100644
--- a/pkg/kubelet/volumemanager/reconciler/reconciler_test.go
+++ b/pkg/kubelet/volumemanager/reconciler/reconciler_test.go
@@ -18,8 +18,8 @@ package reconciler
 
 import (
 	"context"
-	"crypto/md5"
 	"fmt"
+	"hash/fnv"
 	"path/filepath"
 	"sync"
 	"testing"
@@ -1523,13 +1523,14 @@ func Test_UncertainDeviceGlobalMounts(t *testing.T) {
 
 	modes := []v1.PersistentVolumeMode{v1.PersistentVolumeBlock, v1.PersistentVolumeFilesystem}
 
+	hasher := fnv.New128a()
 	for modeIndex := range modes {
 		for tcIndex := range tests {
 			mode := modes[modeIndex]
 			tc := tests[tcIndex]
 			testName := fmt.Sprintf("%s [%s]", tc.name, mode)
 			uniqueTestString := fmt.Sprintf("global-mount-%s", testName)
-			uniquePodDir := fmt.Sprintf("%s-%x", kubeletPodsDir, md5.Sum([]byte(uniqueTestString)))
+			uniquePodDir := fmt.Sprintf("%s-%x", kubeletPodsDir, hasher.Sum([]byte(uniqueTestString)))
 			t.Run(testName+"[", func(t *testing.T) {
 				t.Parallel()
 				pv := &v1.PersistentVolume{
@@ -1736,13 +1737,14 @@ func Test_UncertainVolumeMountState(t *testing.T) {
 	}
 	modes := []v1.PersistentVolumeMode{v1.PersistentVolumeBlock, v1.PersistentVolumeFilesystem}
 
+	hasher := fnv.New128a()
 	for modeIndex := range modes {
 		for tcIndex := range tests {
 			mode := modes[modeIndex]
 			tc := tests[tcIndex]
 			testName := fmt.Sprintf("%s [%s]", tc.name, mode)
 			uniqueTestString := fmt.Sprintf("local-mount-%s", testName)
-			uniquePodDir := fmt.Sprintf("%s-%x", kubeletPodsDir, md5.Sum([]byte(uniqueTestString)))
+			uniquePodDir := fmt.Sprintf("%s-%x", kubeletPodsDir, hasher.Sum([]byte(uniqueTestString)))
 			t.Run(testName, func(t *testing.T) {
 				t.Parallel()
 				pv := &v1.PersistentVolume{
diff --git a/pkg/kubelet/volumemanager/reconciler/reconstruct.go b/pkg/kubelet/volumemanager/reconciler/reconstruct.go
index 44bbf6cd517e5..30edb1c9fc3f4 100644
--- a/pkg/kubelet/volumemanager/reconciler/reconstruct.go
+++ b/pkg/kubelet/volumemanager/reconciler/reconstruct.go
@@ -114,7 +114,6 @@ func (rc *reconciler) updateStates(logger klog.Logger, reconstructedVolumes map[
 				VolumeName:          volume.volumeName,
 				Mounter:             volume.mounter,
 				BlockVolumeMapper:   volume.blockVolumeMapper,
-				OuterVolumeSpecName: volume.outerVolumeSpecName,
 				VolumeGIDVolume:     volume.volumeGIDValue,
 				VolumeSpec:          volume.volumeSpec,
 				VolumeMountState:    operationexecutor.VolumeMountUncertain,
@@ -186,7 +185,7 @@ func (rc *reconciler) updateReconstructedFromNodeStatus(ctx context.Context) {
 	node, fetchErr := rc.kubeClient.CoreV1().Nodes().Get(ctx, string(rc.nodeName), metav1.GetOptions{})
 	if fetchErr != nil {
 		// This may repeat few times per second until kubelet is able to read its own status for the first time.
-		logger.V(4).Error(fetchErr, "Failed to get Node status to reconstruct device paths")
+		logger.V(4).Info("Failed to get Node status to reconstruct device paths", "err", fetchErr)
 		return
 	}
 
diff --git a/pkg/kubelet/volumemanager/reconciler/reconstruct_common.go b/pkg/kubelet/volumemanager/reconciler/reconstruct_common.go
index d685a3de00439..ef8716abcc9fa 100644
--- a/pkg/kubelet/volumemanager/reconciler/reconstruct_common.go
+++ b/pkg/kubelet/volumemanager/reconciler/reconstruct_common.go
@@ -28,7 +28,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/kubelet/volumemanager/metrics"
 	volumepkg "k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/util"
@@ -72,7 +72,6 @@ type reconstructedVolume struct {
 	volumeName          v1.UniqueVolumeName
 	podName             volumetypes.UniquePodName
 	volumeSpec          *volumepkg.Spec
-	outerVolumeSpecName string
 	pod                 *v1.Pod
 	volumeGIDValue      string
 	devicePath          string
@@ -87,7 +86,6 @@ func (rv reconstructedVolume) MarshalLog() interface{} {
 		VolumeName          string `json:"volumeName"`
 		PodName             string `json:"podName"`
 		VolumeSpecName      string `json:"volumeSpecName"`
-		OuterVolumeSpecName string `json:"outerVolumeSpecName"`
 		PodUID              string `json:"podUID"`
 		VolumeGIDValue      string `json:"volumeGIDValue"`
 		DevicePath          string `json:"devicePath"`
@@ -96,7 +94,6 @@ func (rv reconstructedVolume) MarshalLog() interface{} {
 		VolumeName:          string(rv.volumeName),
 		PodName:             string(rv.podName),
 		VolumeSpecName:      rv.volumeSpec.Name(),
-		OuterVolumeSpecName: rv.outerVolumeSpecName,
 		PodUID:              string(rv.pod.UID),
 		VolumeGIDValue:      rv.volumeGIDValue,
 		DevicePath:          rv.devicePath,
@@ -210,11 +207,11 @@ func getVolumesFromPodDir(logger klog.Logger, podDir string) ([]podVolume, error
 		// Find filesystem volume information
 		// ex. filesystem volume: /pods/{podUid}/volumes/{escapeQualifiedPluginName}/{volumeName}
 		volumesDirs := map[v1.PersistentVolumeMode]string{
-			v1.PersistentVolumeFilesystem: filepath.Join(podDir, config.DefaultKubeletVolumesDirName),
+			v1.PersistentVolumeFilesystem: filepath.Join(podDir, kubeletconfig.DefaultKubeletVolumesDirName),
 		}
 		// Find block volume information
 		// ex. block volume: /pods/{podUid}/volumeDevices/{escapeQualifiedPluginName}/{volumeName}
-		volumesDirs[v1.PersistentVolumeBlock] = filepath.Join(podDir, config.DefaultKubeletVolumeDevicesDirName)
+		volumesDirs[v1.PersistentVolumeBlock] = filepath.Join(podDir, kubeletconfig.DefaultKubeletVolumeDevicesDirName)
 
 		for volumeMode, volumesDir := range volumesDirs {
 			var volumesDirInfo []fs.DirEntry
@@ -376,17 +373,12 @@ func (rc *reconciler) reconstructVolume(volume podVolume) (rvolume *reconstructe
 	}
 
 	reconstructedVolume := &reconstructedVolume{
-		volumeName: uniqueVolumeName,
-		podName:    volume.podName,
-		volumeSpec: volumeSpec,
-		// volume.volumeSpecName is actually InnerVolumeSpecName. It will not be used
-		// for volume cleanup.
-		// in case reconciler calls mountOrAttachVolumes, outerVolumeSpecName will
-		// be updated from dsw information in ASW.MarkVolumeAsMounted().
-		outerVolumeSpecName: volume.volumeSpecName,
-		pod:                 pod,
-		deviceMounter:       deviceMounter,
-		volumeGIDValue:      "",
+		volumeName:     uniqueVolumeName,
+		podName:        volume.podName,
+		volumeSpec:     volumeSpec,
+		pod:            pod,
+		deviceMounter:  deviceMounter,
+		volumeGIDValue: "",
 		// devicePath is updated during updateStates() by checking node status's VolumesAttached data.
 		// TODO: get device path directly from the volume mount path.
 		devicePath:          "",
diff --git a/pkg/kubelet/volumemanager/volume_manager.go b/pkg/kubelet/volumemanager/volume_manager.go
index b23a840ae2d77..f0c58f3bad1d2 100644
--- a/pkg/kubelet/volumemanager/volume_manager.go
+++ b/pkg/kubelet/volumemanager/volume_manager.go
@@ -120,19 +120,17 @@ type VolumeManager interface {
 	WaitForAllPodsUnmount(ctx context.Context, pods []*v1.Pod) error
 
 	// GetMountedVolumesForPod returns a VolumeMap containing the volumes
-	// referenced by the specified pod that are successfully attached and
+	// referenced by the specified pod that are desired and actually attached and
 	// mounted. The key in the map is the OuterVolumeSpecName (i.e.
 	// pod.Spec.Volumes[x].Name). It returns an empty VolumeMap if pod has no
 	// volumes.
 	GetMountedVolumesForPod(podName types.UniquePodName) container.VolumeMap
 
-	// GetPossiblyMountedVolumesForPod returns a VolumeMap containing the volumes
-	// referenced by the specified pod that are either successfully attached
+	// HasPossiblyMountedVolumesForPod returns whether the pod has
+	// any volumes that are either successfully attached
 	// and mounted or are "uncertain", i.e. a volume plugin may be mounting
-	// them right now. The key in the map is the OuterVolumeSpecName (i.e.
-	// pod.Spec.Volumes[x].Name). It returns an empty VolumeMap if pod has no
-	// volumes.
-	GetPossiblyMountedVolumesForPod(podName types.UniquePodName) container.VolumeMap
+	// them right now.
+	HasPossiblyMountedVolumesForPod(podName types.UniquePodName) bool
 
 	// GetExtraSupplementalGroupsForPod returns a list of the extra
 	// supplemental groups for the Pod. These extra supplemental groups come
@@ -321,8 +319,8 @@ func (vm *volumeManager) Run(ctx context.Context, sourcesReady config.SourcesRea
 
 func (vm *volumeManager) GetMountedVolumesForPod(podName types.UniquePodName) container.VolumeMap {
 	podVolumes := make(container.VolumeMap)
-	for _, mountedVolume := range vm.actualStateOfWorld.GetMountedVolumesForPod(podName) {
-		podVolumes[mountedVolume.OuterVolumeSpecName] = container.VolumeInfo{
+	for name, mountedVolume := range vm.getMountedVolumes(podName) {
+		podVolumes[name] = container.VolumeInfo{
 			Mounter:             mountedVolume.Mounter,
 			BlockVolumeMapper:   mountedVolume.BlockVolumeMapper,
 			ReadOnly:            mountedVolume.VolumeSpec.ReadOnly,
@@ -332,17 +330,8 @@ func (vm *volumeManager) GetMountedVolumesForPod(podName types.UniquePodName) co
 	return podVolumes
 }
 
-func (vm *volumeManager) GetPossiblyMountedVolumesForPod(podName types.UniquePodName) container.VolumeMap {
-	podVolumes := make(container.VolumeMap)
-	for _, mountedVolume := range vm.actualStateOfWorld.GetPossiblyMountedVolumesForPod(podName) {
-		podVolumes[mountedVolume.OuterVolumeSpecName] = container.VolumeInfo{
-			Mounter:             mountedVolume.Mounter,
-			BlockVolumeMapper:   mountedVolume.BlockVolumeMapper,
-			ReadOnly:            mountedVolume.VolumeSpec.ReadOnly,
-			InnerVolumeSpecName: mountedVolume.InnerVolumeSpecName,
-		}
-	}
-	return podVolumes
+func (vm *volumeManager) HasPossiblyMountedVolumesForPod(podName types.UniquePodName) bool {
+	return len(vm.actualStateOfWorld.GetPossiblyMountedVolumesForPod(podName)) > 0
 }
 
 func (vm *volumeManager) GetExtraSupplementalGroupsForPod(pod *v1.Pod) []int64 {
@@ -448,7 +437,7 @@ func (vm *volumeManager) WaitForAttachAndMount(ctx context.Context, pod *v1.Pod)
 
 		unattachedVolumes := []string{}
 		for _, volumeToMount := range unattachedVolumeMounts {
-			unattachedVolumes = append(unattachedVolumes, volumeToMount.OuterVolumeSpecName)
+			unattachedVolumes = append(unattachedVolumes, volumeToMount.OuterVolumeSpecNames...)
 		}
 		slices.Sort(unattachedVolumes)
 
@@ -502,9 +491,9 @@ func (vm *volumeManager) WaitForUnmount(ctx context.Context, pod *v1.Pod) error
 		vm.verifyVolumesUnmountedFunc(uniquePodName))
 
 	if err != nil {
-		var mountedVolumes []string
+		var mountedVolumes []v1.UniqueVolumeName
 		for _, v := range vm.actualStateOfWorld.GetMountedVolumesForPod(uniquePodName) {
-			mountedVolumes = append(mountedVolumes, v.OuterVolumeSpecName)
+			mountedVolumes = append(mountedVolumes, v.VolumeName)
 		}
 		if len(mountedVolumes) == 0 {
 			return nil
@@ -544,7 +533,7 @@ func (vm *volumeManager) getVolumesNotInDSW(uniquePodName types.UniquePodName, e
 
 	for _, volumeToMount := range vm.desiredStateOfWorld.GetVolumesToMount() {
 		if volumeToMount.PodName == uniquePodName {
-			volumesNotInDSW.Delete(volumeToMount.OuterVolumeSpecName)
+			volumesNotInDSW.Delete(volumeToMount.OuterVolumeSpecNames...)
 		}
 	}
 
@@ -572,13 +561,7 @@ func (vm *volumeManager) verifyVolumesMountedFunc(podName types.UniquePodName, e
 		if errs := vm.desiredStateOfWorld.PopPodErrors(podName); len(errs) > 0 {
 			return true, errors.New(strings.Join(errs, "; "))
 		}
-		for _, expectedVolume := range expectedVolumes {
-			_, found := vm.actualStateOfWorld.GetMountedVolumeForPodByOuterVolumeSpecName(podName, expectedVolume)
-			if !found {
-				return false, nil
-			}
-		}
-		return true, nil
+		return len(vm.getUnmountedVolumes(podName, expectedVolumes)) == 0, nil
 	}
 }
 
@@ -593,25 +576,42 @@ func (vm *volumeManager) verifyVolumesUnmountedFunc(podName types.UniquePodName)
 	}
 }
 
-// getUnmountedVolumes fetches the current list of mounted volumes from
-// the actual state of the world, and uses it to process the list of
-// expectedVolumes. It returns a list of unmounted volumes.
-// The list also includes volume that may be mounted in uncertain state.
-func (vm *volumeManager) getUnmountedVolumes(podName types.UniquePodName, expectedVolumes []string) []string {
-	mountedVolumes := sets.New[string]()
-	for _, mountedVolume := range vm.actualStateOfWorld.GetMountedVolumesForPod(podName) {
-		mountedVolumes.Insert(mountedVolume.OuterVolumeSpecName)
+// getMountedVolumes returns volumes that are desired and actually mounted,
+// indexed by the outer volume spec name.
+func (vm *volumeManager) getMountedVolumes(podName types.UniquePodName) map[string]*cache.MountedVolume {
+	volumes := vm.actualStateOfWorld.GetMountedVolumesForPod(podName)
+	volumesByName := make(map[v1.UniqueVolumeName]*cache.MountedVolume, len(volumes))
+	for i, mountedVolume := range volumes {
+		volumesByName[mountedVolume.VolumeName] = &volumes[i]
+	}
+
+	volumeNames := vm.desiredStateOfWorld.GetVolumeNamesForPod(podName)
+	volumesByOuterName := make(map[string]*cache.MountedVolume, len(volumeNames))
+	for outerName, volumeName := range volumeNames {
+		mountedVolume, ok := volumesByName[volumeName]
+		if ok {
+			volumesByOuterName[outerName] = mountedVolume
+		}
 	}
-	return filterUnmountedVolumes(mountedVolumes, expectedVolumes)
+
+	return volumesByOuterName
 }
 
-// filterUnmountedVolumes adds each element of expectedVolumes that is not in
-// mountedVolumes to a list of unmountedVolumes and returns it.
-func filterUnmountedVolumes(mountedVolumes sets.Set[string], expectedVolumes []string) []string {
+// getUnmountedVolumes returns a list of unmounted volumes.
+// This includes the volumes in expectedVolumes, but not in one of DSW/ASW.
+// The list also includes volume that may be mounted in uncertain state.
+func (vm *volumeManager) getUnmountedVolumes(podName types.UniquePodName, expectedVolumes []string) []string {
 	unmountedVolumes := []string{}
-	for _, expectedVolume := range expectedVolumes {
-		if !mountedVolumes.Has(expectedVolume) {
-			unmountedVolumes = append(unmountedVolumes, expectedVolume)
+	volumeNames := vm.desiredStateOfWorld.GetVolumeNamesForPod(podName)
+	for _, outerName := range expectedVolumes {
+		volumeName, ok := volumeNames[outerName]
+		if !ok {
+			unmountedVolumes = append(unmountedVolumes, outerName)
+			continue
+		}
+		_, ok = vm.actualStateOfWorld.GetMountedVolumeForPod(podName, volumeName)
+		if !ok {
+			unmountedVolumes = append(unmountedVolumes, outerName)
 		}
 	}
 	slices.Sort(unmountedVolumes)
diff --git a/pkg/kubelet/volumemanager/volume_manager_fake.go b/pkg/kubelet/volumemanager/volume_manager_fake.go
index 02c424c380154..ebfdc2037d728 100644
--- a/pkg/kubelet/volumemanager/volume_manager_fake.go
+++ b/pkg/kubelet/volumemanager/volume_manager_fake.go
@@ -28,25 +28,27 @@ import (
 
 // FakeVolumeManager is a test implementation that just tracks calls
 type FakeVolumeManager struct {
-	volumes       map[v1.UniqueVolumeName]bool
-	reportedInUse map[v1.UniqueVolumeName]bool
-	unmountDelay  time.Duration
-	unmountError  error
+	volumes                   map[v1.UniqueVolumeName]bool
+	reportedInUse             map[v1.UniqueVolumeName]bool
+	unmountDelay              time.Duration
+	unmountError              error
+	volumeAttachLimitExceeded bool
 }
 
 var _ VolumeManager = &FakeVolumeManager{}
 
 // NewFakeVolumeManager creates a new VolumeManager test instance
-func NewFakeVolumeManager(initialVolumes []v1.UniqueVolumeName, unmountDelay time.Duration, unmountError error) *FakeVolumeManager {
+func NewFakeVolumeManager(initialVolumes []v1.UniqueVolumeName, unmountDelay time.Duration, unmountError error, volumeAttachLimitExceeded bool) *FakeVolumeManager {
 	volumes := map[v1.UniqueVolumeName]bool{}
 	for _, v := range initialVolumes {
 		volumes[v] = true
 	}
 	return &FakeVolumeManager{
-		volumes:       volumes,
-		reportedInUse: map[v1.UniqueVolumeName]bool{},
-		unmountDelay:  unmountDelay,
-		unmountError:  unmountError,
+		volumes:                   volumes,
+		reportedInUse:             map[v1.UniqueVolumeName]bool{},
+		unmountDelay:              unmountDelay,
+		unmountError:              unmountError,
+		volumeAttachLimitExceeded: volumeAttachLimitExceeded,
 	}
 }
 
@@ -56,6 +58,9 @@ func (f *FakeVolumeManager) Run(ctx context.Context, sourcesReady config.Sources
 
 // WaitForAttachAndMount is not implemented
 func (f *FakeVolumeManager) WaitForAttachAndMount(ctx context.Context, pod *v1.Pod) error {
+	if f.volumeAttachLimitExceeded {
+		return &VolumeAttachLimitExceededError{}
+	}
 	return nil
 }
 
@@ -78,9 +83,9 @@ func (f *FakeVolumeManager) GetMountedVolumesForPod(podName types.UniquePodName)
 	return nil
 }
 
-// GetPossiblyMountedVolumesForPod is not implemented
-func (f *FakeVolumeManager) GetPossiblyMountedVolumesForPod(podName types.UniquePodName) container.VolumeMap {
-	return nil
+// HasPossiblyMountedVolumesForPod is not implemented
+func (f *FakeVolumeManager) HasPossiblyMountedVolumesForPod(podName types.UniquePodName) bool {
+	return false
 }
 
 // GetExtraSupplementalGroupsForPod is not implemented
diff --git a/pkg/kubelet/volumemanager/volume_manager_test.go b/pkg/kubelet/volumemanager/volume_manager_test.go
index 08492d8891acd..c9946e7b95caf 100644
--- a/pkg/kubelet/volumemanager/volume_manager_test.go
+++ b/pkg/kubelet/volumemanager/volume_manager_test.go
@@ -656,7 +656,6 @@ func delayClaimBecomesBound(
 }
 
 func TestWaitForAllPodsUnmount(t *testing.T) {
-	tCtx := ktesting.Init(t)
 	tmpDir, err := utiltesting.MkTmpdir("volumeManagerTest")
 	require.NoError(t, err, "Failed to create temp directory")
 	defer func() {
@@ -684,6 +683,7 @@ func TestWaitForAllPodsUnmount(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
+			var ctx context.Context = ktesting.Init(t)
 			podManager := kubepod.NewBasicPodManager()
 
 			node, pod, pv, claim := createObjects(test.podMode, test.podMode)
@@ -691,8 +691,6 @@ func TestWaitForAllPodsUnmount(t *testing.T) {
 
 			manager := newTestVolumeManager(t, tmpDir, podManager, kubeClient, node)
 
-			ctx, cancel := context.WithTimeout(tCtx, 1*time.Second)
-			defer cancel()
 			sourcesReady := config.NewSourcesReady(func(_ sets.Set[string]) bool { return true })
 			go manager.Run(ctx, sourcesReady)
 
@@ -706,11 +704,12 @@ func TestWaitForAllPodsUnmount(t *testing.T) {
 			err := manager.WaitForAttachAndMount(ctx, pod)
 			require.NoError(t, err, "Failed to wait for attach and mount")
 
+			ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
+			defer cancel()
 			err = manager.WaitForAllPodsUnmount(ctx, []*v1.Pod{pod})
 
 			if test.expectedError {
-				require.Error(t, err, "Expected error due to timeout")
-				require.Contains(t, err.Error(), "context deadline exceeded", "Expected deadline exceeded error")
+				require.ErrorIs(t, err, context.DeadlineExceeded, "Expected error due to timeout")
 			} else {
 				require.NoError(t, err, "Expected no error")
 			}
diff --git a/pkg/kubelet/watchdog/watchdog_linux.go b/pkg/kubelet/watchdog/watchdog_linux.go
index 6a6d04a32615e..912e7e5ebcc01 100644
--- a/pkg/kubelet/watchdog/watchdog_linux.go
+++ b/pkg/kubelet/watchdog/watchdog_linux.go
@@ -75,7 +75,7 @@ const minimalNotifyInterval = time.Second
 // NewHealthChecker creates a new HealthChecker instance.
 // This function initializes the health checker and configures its behavior based on the status of the systemd watchdog.
 // If the watchdog is not enabled, the function returns an error.
-func NewHealthChecker(opts ...Option) (HealthChecker, error) {
+func NewHealthChecker(logger klog.Logger, opts ...Option) (HealthChecker, error) {
 	hc := &healthChecker{
 		watchdog: &DefaultWatchdogClient{},
 	}
@@ -92,7 +92,7 @@ func NewHealthChecker(opts ...Option) (HealthChecker, error) {
 		return nil, fmt.Errorf("configure watchdog: %w", err)
 	}
 	if watchdogVal == 0 {
-		klog.InfoS("Systemd watchdog is not enabled")
+		logger.Info("Systemd watchdog is not enabled")
 		return &healthChecker{}, nil
 	}
 	if watchdogVal <= minimalNotifyInterval {
@@ -133,33 +133,34 @@ func (hc *healthChecker) getHealthCheckers() []healthz.HealthChecker {
 }
 
 func (hc *healthChecker) Start(ctx context.Context) {
+	logger := klog.FromContext(ctx)
 	if hc.interval <= 0 {
-		klog.InfoS("Systemd watchdog is not enabled or the interval is invalid, so health checking will not be started.")
+		logger.Info("Systemd watchdog is not enabled or the interval is invalid, so health checking will not be started.")
 		return
 	}
-	klog.InfoS("Starting systemd watchdog with interval", "interval", hc.interval)
+	logger.Info("Starting systemd watchdog with interval", "interval", hc.interval)
 
 	go wait.UntilWithContext(ctx, func(ctx context.Context) {
 		if err := hc.doCheck(); err != nil {
-			klog.ErrorS(err, "Do not notify watchdog this iteration as the kubelet is reportedly not healthy")
+			logger.Error(err, "Do not notify watchdog this iteration as the kubelet is reportedly not healthy")
 			return
 		}
 
 		err := wait.ExponentialBackoffWithContext(ctx, hc.retryBackoff, func(_ context.Context) (bool, error) {
 			ack, err := hc.watchdog.SdNotify(false)
 			if err != nil {
-				klog.V(5).InfoS("Failed to notify systemd watchdog, retrying", "error", err)
+				logger.V(5).Info("Failed to notify systemd watchdog, retrying", "error", err)
 				return false, nil
 			}
 			if !ack {
 				return false, fmt.Errorf("failed to notify systemd watchdog, notification not supported - (i.e. NOTIFY_SOCKET is unset)")
 			}
 
-			klog.V(5).InfoS("Watchdog plugin notified", "acknowledgment", ack, "state", daemon.SdNotifyWatchdog)
+			logger.V(5).Info("Watchdog plugin notified", "acknowledgment", ack, "state", daemon.SdNotifyWatchdog)
 			return true, nil
 		})
 		if err != nil {
-			klog.ErrorS(err, "Failed to notify watchdog")
+			logger.Error(err, "Failed to notify watchdog")
 		}
 	}, hc.interval)
 }
diff --git a/pkg/kubelet/watchdog/watchdog_linux_test.go b/pkg/kubelet/watchdog/watchdog_linux_test.go
index 67cfda4520eb9..36f273a9d61f0 100644
--- a/pkg/kubelet/watchdog/watchdog_linux_test.go
+++ b/pkg/kubelet/watchdog/watchdog_linux_test.go
@@ -20,17 +20,14 @@ limitations under the License.
 package watchdog
 
 import (
-	"bytes"
 	"errors"
-	"flag"
-	"io"
 	"net/http"
 	"strings"
 	"testing"
 	"time"
 
-	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/kubernetes/test/utils/ktesting/initoption"
 )
 
 // Mock syncLoopHealthChecker
@@ -84,8 +81,8 @@ func TestNewHealthChecker(t *testing.T) {
 				enabledVal: tt.mockEnabled,
 				enabledErr: tt.mockErr,
 			}
-
-			_, err := NewHealthChecker(WithWatchdogClient(mockClient))
+			logger, _ := ktesting.NewTestContext(t)
+			_, err := NewHealthChecker(logger, WithWatchdogClient(mockClient))
 			if (err != nil) != tt.wantErr {
 				t.Errorf("NewHealthChecker() error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -150,19 +147,11 @@ func TestHealthCheckerStart(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tCtx := ktesting.Init(t)
+			tCtx := ktesting.Init(t, initoption.BufferLogs(true))
+			logger := tCtx.Logger()
 			defer func() {
 				tCtx.Cancel("test has completed")
 			}()
-			// Capture logs
-			var logBuffer bytes.Buffer
-			flags := &flag.FlagSet{}
-			klog.InitFlags(flags)
-			if err := flags.Set("v", "5"); err != nil {
-				t.Fatal(err)
-			}
-			klog.LogToStderr(false)
-			klog.SetOutput(&logBuffer)
 
 			// Mock SdWatchdogEnabled to return a valid value
 			mockClient := &mockWatchdogClient{
@@ -172,7 +161,7 @@ func TestHealthCheckerStart(t *testing.T) {
 			}
 
 			// Create a healthChecker
-			hc, err := NewHealthChecker(WithWatchdogClient(mockClient))
+			hc, err := NewHealthChecker(logger, WithWatchdogClient(mockClient))
 			if err != nil {
 				t.Fatalf("NewHealthChecker() failed: %v", err)
 			}
@@ -187,10 +176,11 @@ func TestHealthCheckerStart(t *testing.T) {
 			time.Sleep(2 * interval)
 
 			// Check logs to verify the health check ran
-			klog.Flush()
-			// prevent further writes into buf
-			klog.SetOutput(io.Discard)
-			logs := logBuffer.String()
+			underlier, ok := logger.GetSink().(ktesting.Underlier)
+			if !ok {
+				t.Fatalf("Should have had a ktesting LogSink, got %T", logger.GetSink())
+			}
+			logs := underlier.GetBuffer().String()
 			for _, expectedLog := range tt.expectedLogs {
 				if !strings.Contains(logs, expectedLog) {
 					t.Errorf("Expected log '%s' not found in logs: %s", expectedLog, logs)
diff --git a/pkg/kubelet/watchdog/watchdog_unsupported.go b/pkg/kubelet/watchdog/watchdog_unsupported.go
index 1030b20123b30..2595549e6ec77 100644
--- a/pkg/kubelet/watchdog/watchdog_unsupported.go
+++ b/pkg/kubelet/watchdog/watchdog_unsupported.go
@@ -23,6 +23,7 @@ import (
 	"context"
 
 	"k8s.io/apiserver/pkg/server/healthz"
+	"k8s.io/klog/v2"
 )
 
 type healthCheckerUnsupported struct{}
@@ -36,7 +37,7 @@ func WithExtendedCheckers([]healthz.HealthChecker) Option {
 }
 
 // NewHealthChecker creates a fake one here
-func NewHealthChecker(...Option) (HealthChecker, error) {
+func NewHealthChecker(klog.Logger, ...Option) (HealthChecker, error) {
 	return &healthCheckerUnsupported{}, nil
 }
 
diff --git a/pkg/kubelet/winstats/perfcounter_nodestats_test.go b/pkg/kubelet/winstats/perfcounter_nodestats_test.go
index 4ae39d55999aa..a16393b18f151 100644
--- a/pkg/kubelet/winstats/perfcounter_nodestats_test.go
+++ b/pkg/kubelet/winstats/perfcounter_nodestats_test.go
@@ -143,8 +143,9 @@ func TestCollectMetricsData(t *testing.T) {
 		memoryPrivWorkingSetBytes: 2,
 		memoryCommittedBytes:      3,
 		interfaceStats:            networkAdapterCounter.listInterfaceStats(),
-		timeStamp:                 time.Now(),
 	}
+	assert.WithinDuration(t, time.Now(), metrics.timeStamp, 20*time.Millisecond)
+	expectedMetrics.timeStamp = metrics.timeStamp
 	assert.Equal(t, expectedMetrics, metrics)
 }
 
diff --git a/pkg/printers/internalversion/printers.go b/pkg/printers/internalversion/printers.go
index d3e7e7cb55392..079786473fbff 100644
--- a/pkg/printers/internalversion/printers.go
+++ b/pkg/printers/internalversion/printers.go
@@ -31,7 +31,6 @@ import (
 	autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
 	batchv1 "k8s.io/api/batch/v1"
 	batchv1beta1 "k8s.io/api/batch/v1beta1" // should this change, too? there are still certv1beta1.CSR printers, but not their v1 versions
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
 	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	coordinationv1alpha2 "k8s.io/api/coordination/v1alpha2"
@@ -75,7 +74,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/scheduling"
 	"k8s.io/kubernetes/pkg/apis/storage"
 	storageutil "k8s.io/kubernetes/pkg/apis/storage/util"
-	svmv1alpha1 "k8s.io/kubernetes/pkg/apis/storagemigration"
+	"k8s.io/kubernetes/pkg/apis/storagemigration"
 	"k8s.io/kubernetes/pkg/printers"
 	"k8s.io/kubernetes/pkg/util/node"
 )
@@ -299,7 +298,6 @@ func AddHandlers(h printers.PrintHandler) {
 
 	serviceAccountColumnDefinitions := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
-		{Name: "Secrets", Type: "string", Description: apiv1.ServiceAccount{}.SwaggerDoc()["secrets"]},
 		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
 	}
 	_ = h.TableHandler(serviceAccountColumnDefinitions, printServiceAccount)
@@ -427,11 +425,12 @@ func AddHandlers(h printers.PrintHandler) {
 
 	podCertificateRequestColumnDefinitions := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
-		{Name: "PodName", Type: "string", Description: certificatesv1alpha1.PodCertificateRequestSpec{}.SwaggerDoc()["podName"]},
-		{Name: "ServiceAccountName", Type: "string", Description: certificatesv1alpha1.PodCertificateRequestSpec{}.SwaggerDoc()["serviceAccountName"]},
-		{Name: "NodeName", Type: "string", Description: certificatesv1alpha1.PodCertificateRequestSpec{}.SwaggerDoc()["nodeName"]},
-		{Name: "SignerName", Type: "string", Description: certificatesv1alpha1.PodCertificateRequestSpec{}.SwaggerDoc()["signerName"]},
+		{Name: "PodName", Type: "string", Description: certificatesv1beta1.PodCertificateRequestSpec{}.SwaggerDoc()["podName"]},
+		{Name: "ServiceAccountName", Type: "string", Description: certificatesv1beta1.PodCertificateRequestSpec{}.SwaggerDoc()["serviceAccountName"]},
+		{Name: "NodeName", Type: "string", Description: certificatesv1beta1.PodCertificateRequestSpec{}.SwaggerDoc()["nodeName"]},
+		{Name: "SignerName", Type: "string", Description: certificatesv1beta1.PodCertificateRequestSpec{}.SwaggerDoc()["signerName"]},
 		{Name: "State", Type: "string", Description: "Is the request Pending, Issued, Denied, or Failed?"},
+		{Name: "UnverifiedUserAnnotations", Type: "string", Description: certificatesv1beta1.PodCertificateRequestSpec{}.SwaggerDoc()["unverifiedUserAnnotations"]},
 	}
 	h.TableHandler(podCertificateRequestColumnDefinitions, printPodCertificateRequest)
 	h.TableHandler(podCertificateRequestColumnDefinitions, printPodCertificateRequestList)
@@ -602,7 +601,7 @@ func AddHandlers(h printers.PrintHandler) {
 	validatingAdmissionPolicyBinding := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
 		{Name: "PolicyName", Type: "string", Description: "PolicyName indicates the policy definition which the policy binding binded to"},
-		{Name: "ParamRef", Type: "string", Description: "ParamRef indicates the param resource which sets the configration param"},
+		{Name: "ParamRef", Type: "string", Description: "ParamRef indicates the param resource which sets the configuration param"},
 		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
 	}
 	_ = h.TableHandler(validatingAdmissionPolicyBinding, printValidatingAdmissionPolicyBinding)
@@ -620,7 +619,7 @@ func AddHandlers(h printers.PrintHandler) {
 	mutatingAdmissionPolicyBinding := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
 		{Name: "PolicyName", Type: "string", Description: "PolicyName indicates the policy definition which the policy binding binded to"},
-		{Name: "ParamRef", Type: "string", Description: "ParamRef indicates the param resource which sets the configration param"},
+		{Name: "ParamRef", Type: "string", Description: "ParamRef indicates the param resource which sets the configuration param"},
 		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
 	}
 	_ = h.TableHandler(mutatingAdmissionPolicyBinding, printMutatingAdmissionPolicyBinding)
@@ -733,10 +732,18 @@ func AddHandlers(h printers.PrintHandler) {
 
 	storageVersionMigrationColumnDefinitions := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
-		{Name: "Resource", Type: "string", Description: "Fully qualified resource to migrate"},
+		{Name: "Resource", Type: "string", Description: "GroupResource to migrate"},
+		{Name: "Status", Type: "string", Description: "Status of the migration"},
 	}
 	_ = h.TableHandler(storageVersionMigrationColumnDefinitions, printStorageVersionMigration)
 	_ = h.TableHandler(storageVersionMigrationColumnDefinitions, printStorageVersionMigrationList)
+
+	workloadColumnDefinitions := []metav1.TableColumnDefinition{
+		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
+		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
+	}
+	_ = h.TableHandler(workloadColumnDefinitions, printWorkload)
+	_ = h.TableHandler(workloadColumnDefinitions, printWorkloadList)
 }
 
 // Pass ports=nil for all ports.
@@ -983,6 +990,7 @@ func printPod(pod *api.Pod, options printers.GenerateOptions) ([]metav1.TableRow
 		restarts = restartableInitContainerRestarts
 		lastRestartDate = lastRestartableInitContainerRestartDate
 		hasRunning := false
+		errorReason := ""
 		for i := len(pod.Status.ContainerStatuses) - 1; i >= 0; i-- {
 			container := pod.Status.ContainerStatuses[i]
 
@@ -993,27 +1001,33 @@ func printPod(pod *api.Pod, options printers.GenerateOptions) ([]metav1.TableRow
 					lastRestartDate = terminatedDate
 				}
 			}
-			if container.State.Waiting != nil && container.State.Waiting.Reason != "" {
+			switch {
+			case container.State.Waiting != nil && container.State.Waiting.Reason != "":
 				reason = container.State.Waiting.Reason
-			} else if container.State.Terminated != nil && container.State.Terminated.Reason != "" {
-				reason = container.State.Terminated.Reason
-			} else if container.State.Terminated != nil && container.State.Terminated.Reason == "" {
-				if container.State.Terminated.Signal != 0 {
+			case container.State.Terminated != nil:
+				if len(container.State.Terminated.Reason) > 0 {
+					reason = container.State.Terminated.Reason
+				} else if container.State.Terminated.Signal != 0 {
 					reason = fmt.Sprintf("Signal:%d", container.State.Terminated.Signal)
 				} else {
 					reason = fmt.Sprintf("ExitCode:%d", container.State.Terminated.ExitCode)
 				}
-			} else if container.Ready && container.State.Running != nil {
+				if container.State.Terminated.ExitCode != 0 {
+					errorReason = reason
+				}
+			case container.Ready && container.State.Running != nil:
 				hasRunning = true
 				readyContainers++
 			}
 		}
 
 		// change pod status back to "Running" if there is at least one container still reporting as "Running" status
-		if reason == "Completed" && hasRunning {
-			if hasPodReadyCondition(pod.Status.Conditions) {
+		if reason == "Completed" {
+			if hasRunning && hasPodReadyCondition(pod.Status.Conditions) {
 				reason = "Running"
-			} else {
+			} else if errorReason != "" {
+				reason = errorReason
+			} else if hasRunning {
 				reason = "NotReady"
 			}
 		}
@@ -1915,7 +1929,7 @@ func printServiceAccount(obj *api.ServiceAccount, options printers.GenerateOptio
 	row := metav1.TableRow{
 		Object: runtime.RawExtension{Object: obj},
 	}
-	row.Cells = append(row.Cells, obj.Name, int64(len(obj.Secrets)), translateTimestampSince(obj.CreationTimestamp))
+	row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp))
 	return []metav1.TableRow{row}, nil
 }
 
@@ -2359,6 +2373,9 @@ func printPodCertificateRequest(obj *certificates.PodCertificateRequest, options
 	}
 
 	row.Cells = append(row.Cells, obj.Name, obj.Spec.PodName, obj.Spec.ServiceAccountName, string(obj.Spec.NodeName), obj.Spec.SignerName, state)
+	if options.Wide {
+		row.Cells = append(row.Cells, labels.FormatLabels(obj.Spec.UnverifiedUserAnnotations))
+	}
 	return []metav1.TableRow{row}, nil
 }
 
@@ -3261,19 +3278,29 @@ func printDeviceTaintRuleList(list *resource.DeviceTaintRuleList, options printe
 	return rows, nil
 }
 
-func printStorageVersionMigration(obj *svmv1alpha1.StorageVersionMigration, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+func printStorageVersionMigration(obj *storagemigration.StorageVersionMigration, options printers.GenerateOptions) ([]metav1.TableRow, error) {
 	row := metav1.TableRow{
 		Object: runtime.RawExtension{Object: obj},
 	}
+	migrationGR := obj.Spec.Resource.String()
+	row.Cells = append(row.Cells, obj.Name, migrationGR)
 
-	migrationGVR := obj.Spec.Resource.Resource + "." + obj.Spec.Resource.Version + "." + obj.Spec.Resource.Group
-	row.Cells = append(row.Cells, obj.Name, migrationGVR)
-	//ToDo: add migration condition 'status' and 'type' (migration successful | failed)
+	condStatus := "Unknown"
+	for _, cond := range obj.Status.Conditions {
+		if cond.Status != metav1.ConditionTrue {
+			continue
+		}
+		switch cond.Type {
+		case string(storagemigration.MigrationRunning), string(storagemigration.MigrationFailed), string(storagemigration.MigrationSucceeded):
+			condStatus = cond.Type
+		}
+	}
+	row.Cells = append(row.Cells, condStatus)
 
 	return []metav1.TableRow{row}, nil
 }
 
-func printStorageVersionMigrationList(list *svmv1alpha1.StorageVersionMigrationList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+func printStorageVersionMigrationList(list *storagemigration.StorageVersionMigrationList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
 	rows := make([]metav1.TableRow, 0, len(list.Items))
 
 	for i := range list.Items {
@@ -3286,6 +3313,27 @@ func printStorageVersionMigrationList(list *svmv1alpha1.StorageVersionMigrationL
 	return rows, nil
 }
 
+func printWorkload(obj *scheduling.Workload, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+	row := metav1.TableRow{
+		Object: runtime.RawExtension{Object: obj},
+	}
+
+	row.Cells = append(row.Cells, obj.Name, translateTimestampSince(obj.CreationTimestamp))
+
+	return []metav1.TableRow{row}, nil
+}
+
+func printWorkloadList(list *scheduling.WorkloadList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+	rows := make([]metav1.TableRow, 0, len(list.Items))
+	for i := range list.Items {
+		r, err := printWorkload(&list.Items[i], options)
+		if err != nil {
+			return nil, err
+		}
+		rows = append(rows, r...)
+	}
+	return rows, nil
+}
 func printBoolPtr(value *bool) string {
 	if value != nil {
 		return printBool(*value)
diff --git a/pkg/printers/internalversion/printers_test.go b/pkg/printers/internalversion/printers_test.go
index 7aec7b01ff1ce..bbf83082e3460 100644
--- a/pkg/printers/internalversion/printers_test.go
+++ b/pkg/printers/internalversion/printers_test.go
@@ -468,7 +468,7 @@ func TestPrintServiceAccount(t *testing.T) {
 				Secrets: []api.ObjectReference{},
 			},
 			// Columns: Name, (Num) Secrets, Age
-			expected: []metav1.TableRow{{Cells: []interface{}{"sa1", int64(0), "0s"}}},
+			expected: []metav1.TableRow{{Cells: []interface{}{"sa1", "0s"}}},
 		},
 		// Basic service account with two secrets.
 		{
@@ -483,7 +483,7 @@ func TestPrintServiceAccount(t *testing.T) {
 				},
 			},
 			// Columns: Name, (Num) Secrets, Age
-			expected: []metav1.TableRow{{Cells: []interface{}{"sa1", int64(2), "0s"}}},
+			expected: []metav1.TableRow{{Cells: []interface{}{"sa1", "0s"}}},
 		},
 	}
 
@@ -1536,9 +1536,8 @@ func TestPrintPod(t *testing.T) {
 					Phase: api.PodSucceeded,
 					ContainerStatuses: []api.ContainerStatus{
 						{
-							Ready:        false,
-							RestartCount: 0,
-							State:        api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Completed", ExitCode: 0}},
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Completed", ExitCode: 0}},
 						},
 					},
 				},
@@ -1554,9 +1553,8 @@ func TestPrintPod(t *testing.T) {
 					Phase: api.PodFailed,
 					ContainerStatuses: []api.ContainerStatus{
 						{
-							Ready:        false,
-							RestartCount: 0,
-							State:        api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Error", ExitCode: 1}},
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Error", ExitCode: 1}},
 						},
 					},
 				},
@@ -1572,9 +1570,8 @@ func TestPrintPod(t *testing.T) {
 					Phase: api.PodSucceeded,
 					ContainerStatuses: []api.ContainerStatus{
 						{
-							Ready:        false,
-							RestartCount: 0,
-							State:        api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Completed", ExitCode: 0}},
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{Reason: "Completed", ExitCode: 0}},
 						},
 					},
 				},
@@ -1587,12 +1584,11 @@ func TestPrintPod(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "test19", DeletionTimestamp: &deleteTime},
 				Spec:       api.PodSpec{Containers: make([]api.Container, 1)},
 				Status: api.PodStatus{
-					Phase: "Running",
+					Phase: api.PodRunning,
 					ContainerStatuses: []api.ContainerStatus{
 						{
-							Ready:        false,
-							RestartCount: 0,
-							State:        api.ContainerState{Running: &api.ContainerStateRunning{}},
+							Ready: false,
+							State: api.ContainerState{Running: &api.ContainerStateRunning{}},
 						},
 					},
 				},
@@ -1604,11 +1600,165 @@ func TestPrintPod(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "test20", DeletionTimestamp: &deleteTime},
 				Spec:       api.PodSpec{Containers: make([]api.Container, 1)},
 				Status: api.PodStatus{
-					Phase: "Pending",
+					Phase: api.PodPending,
 				},
 			},
 			[]metav1.TableRow{{Cells: []interface{}{"test20", "0/1", "Terminating", "0", "<unknown>"}}},
 		},
+		// Test the two containers. They are ready and State are Error/Running
+		// reference: https://github.com/kubernetes/kubernetes/issues/107713
+		{
+			api.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test21"},
+				Spec:       api.PodSpec{Containers: make([]api.Container, 2)},
+				Status: api.PodStatus{
+					Phase: api.PodFailed,
+					ContainerStatuses: []api.ContainerStatus{
+						{
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   1,
+								Reason:     "podCrash"},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: true,
+							State: api.ContainerState{Running: &api.ContainerStateRunning{
+								StartedAt: metav1.NewTime(time.Now())},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+					},
+				},
+			},
+			[]metav1.TableRow{
+				{
+					Cells:      []interface{}{"test21", "1/2", "podCrash", "0", "<unknown>"},
+					Conditions: podFailedConditions,
+				},
+			},
+		},
+		// Test the two containers. They are ready and State are Running/Error
+		// reference: https://github.com/kubernetes/kubernetes/issues/107713
+		{
+			api.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test22"},
+				Spec:       api.PodSpec{Containers: make([]api.Container, 2)},
+				Status: api.PodStatus{
+					Phase: api.PodFailed,
+					ContainerStatuses: []api.ContainerStatus{
+						{
+							Ready: true,
+							State: api.ContainerState{Running: &api.ContainerStateRunning{
+								StartedAt: metav1.NewTime(time.Now())},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   1,
+								Reason:     "podCrash"},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+					},
+				},
+			},
+			[]metav1.TableRow{
+				{
+					Cells:      []interface{}{"test22", "1/2", "podCrash", "0", "<unknown>"},
+					Conditions: podFailedConditions,
+				},
+			},
+		},
+		{
+			// Test the three containers. They are ready and State are Running/Error/Completed
+			api.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test23"},
+				Spec:       api.PodSpec{Containers: make([]api.Container, 3)},
+				Status: api.PodStatus{
+					Phase: "Failed",
+					ContainerStatuses: []api.ContainerStatus{
+						{
+							Ready: true,
+							State: api.ContainerState{Running: &api.ContainerStateRunning{
+								StartedAt: metav1.NewTime(time.Now())},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: true,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   1,
+								Reason:     "podCrash"},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: true,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   0},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+					},
+				},
+			},
+			[]metav1.TableRow{
+				{
+					Cells:      []interface{}{"test23", "1/3", "podCrash", "0", "<unknown>"},
+					Conditions: podFailedConditions,
+				},
+			},
+		},
+		{
+			// Test the three containers. They are notReady and State are Running/Error/Completed
+			api.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "test24"},
+				Spec:       api.PodSpec{Containers: make([]api.Container, 3)},
+				Status: api.PodStatus{
+					Phase: "Failed",
+					ContainerStatuses: []api.ContainerStatus{
+						{
+							Ready: false,
+							State: api.ContainerState{Running: &api.ContainerStateRunning{
+								StartedAt: metav1.NewTime(time.Now())},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   1,
+								Reason:     "podCrash"},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+						{
+							Ready: false,
+							State: api.ContainerState{Terminated: &api.ContainerStateTerminated{
+								FinishedAt: metav1.NewTime(time.Now()),
+								ExitCode:   0},
+							},
+							LastTerminationState: api.ContainerState{},
+						},
+					},
+				},
+			},
+			[]metav1.TableRow{
+				{
+					Cells:      []interface{}{"test24", "0/3", "podCrash", "0", "<unknown>"},
+					Conditions: podFailedConditions,
+				},
+			},
+		},
 	}
 
 	for i, test := range tests {
@@ -6851,6 +7001,81 @@ func TestPrintClusterTrustBundle(t *testing.T) {
 	}
 }
 
+func TestPrintPodCertificateRequest(t *testing.T) {
+	tests := []struct {
+		bundle   certificates.PodCertificateRequest
+		options  printers.GenerateOptions
+		expected []metav1.TableRow
+	}{
+		{
+			bundle: certificates.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: certificates.PodCertificateRequestSpec{
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					ServiceAccountName:        "sa-1",
+					NodeName:                  types.NodeName("node-1"),
+					UnverifiedUserAnnotations: map[string]string{"test/domain": "bar", "test/foo": "abc"},
+				},
+				Status: certificates.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type: certificates.PodCertificateRequestConditionTypeIssued,
+						},
+					}},
+			},
+			expected: []metav1.TableRow{
+				{
+					Cells: []interface{}{"bar", "pod-1", "sa-1", "node-1", "foo.com/abc", "Issued", "test/domain=bar,test/foo=abc"},
+				},
+			},
+			options: printers.GenerateOptions{Wide: true},
+		},
+		{
+			bundle: certificates.PodCertificateRequest{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "foo",
+					Name:      "bar",
+				},
+				Spec: certificates.PodCertificateRequestSpec{
+					SignerName:                "foo.com/abc",
+					PodName:                   "pod-1",
+					ServiceAccountName:        "sa-1",
+					NodeName:                  types.NodeName("node-1"),
+					UnverifiedUserAnnotations: map[string]string{"test/domain": "bar", "test/foo": "abc"},
+				},
+				Status: certificates.PodCertificateRequestStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type: certificates.PodCertificateRequestConditionTypeIssued,
+						},
+					}},
+			},
+			expected: []metav1.TableRow{
+				{
+					Cells: []interface{}{"bar", "pod-1", "sa-1", "node-1", "foo.com/abc", "Issued"},
+				},
+			},
+		},
+	}
+
+	for i, test := range tests {
+		rows, err := printPodCertificateRequest(&test.bundle, test.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		for i := range rows {
+			rows[i].Object.Object = nil
+		}
+		if !reflect.DeepEqual(test.expected, rows) {
+			t.Errorf("%d mismatch: %s", i, cmp.Diff(test.expected, rows))
+		}
+	}
+}
+
 func TestPrintValidatingAdmissionPolicyBinding(t *testing.T) {
 	tests := []struct {
 		validatingAdmissionPolicyBinding admissionregistration.ValidatingAdmissionPolicyBinding
@@ -7170,6 +7395,12 @@ func TestTableRowDeepCopyShouldNotPanic(t *testing.T) {
 				return printPersistentVolumeClaim(&api.PersistentVolumeClaim{}, printers.GenerateOptions{})
 			},
 		},
+		{
+			name: "PodCertificateRequest",
+			printer: func() ([]metav1.TableRow, error) {
+				return printPodCertificateRequest(&certificates.PodCertificateRequest{}, printers.GenerateOptions{})
+			},
+		},
 		{
 			name: "Event",
 			printer: func() ([]metav1.TableRow, error) {
@@ -7573,16 +7804,27 @@ func TestPrintStorageVersionMigration(t *testing.T) {
 			Name: "print-test",
 		},
 		Spec: storagemigration.StorageVersionMigrationSpec{
-			Resource: storagemigration.GroupVersionResource{
+			Resource: metav1.GroupResource{
 				Group:    "test-group",
-				Version:  "test-version",
 				Resource: "test-resource",
 			},
 		},
+		Status: storagemigration.StorageVersionMigrationStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:   string(storagemigration.MigrationRunning),
+					Status: metav1.ConditionFalse,
+				},
+				{
+					Type:   string(storagemigration.MigrationSucceeded),
+					Status: metav1.ConditionTrue,
+				},
+			},
+		},
 	}
 
-	// Columns: Name, GVRTOMIGRATE
-	expected := []metav1.TableRow{{Cells: []interface{}{"print-test", "test-resource.test-version.test-group"}}}
+	// Columns: Name, Resource, Status
+	expected := []metav1.TableRow{{Cells: []interface{}{"print-test", "test-resource.test-group", "Succeeded"}}}
 
 	rows, err := printStorageVersionMigration(&storageVersionMigration, printers.GenerateOptions{})
 	if err != nil {
@@ -7606,12 +7848,23 @@ func TestPrintStorageVersionMigrationList(t *testing.T) {
 					Name: "print-test",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
-						Group:    "test-group",
-						Version:  "test-version",
+					Resource: metav1.GroupResource{
+						Group:    "",
 						Resource: "test-resource",
 					},
 				},
+				Status: storagemigration.StorageVersionMigrationStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   string(storagemigration.MigrationRunning),
+							Status: metav1.ConditionFalse,
+						},
+						{
+							Type:   string(storagemigration.MigrationSucceeded),
+							Status: metav1.ConditionTrue,
+						},
+					},
+				},
 			},
 			{
 				TypeMeta: metav1.TypeMeta{
@@ -7622,20 +7875,27 @@ func TestPrintStorageVersionMigrationList(t *testing.T) {
 					Name: "print-test2",
 				},
 				Spec: storagemigration.StorageVersionMigrationSpec{
-					Resource: storagemigration.GroupVersionResource{
+					Resource: metav1.GroupResource{
 						Group:    "test-group2",
-						Version:  "test-version2",
 						Resource: "test-resource2",
 					},
 				},
+				Status: storagemigration.StorageVersionMigrationStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   string(storagemigration.MigrationRunning),
+							Status: metav1.ConditionTrue,
+						},
+					},
+				},
 			},
 		},
 	}
 
-	// Columns: Name, GVRTOMIGRATE
+	// Columns: Name, Resource, Status
 	expected := []metav1.TableRow{
-		{Cells: []interface{}{"print-test", "test-resource.test-version.test-group"}},
-		{Cells: []interface{}{"print-test2", "test-resource2.test-version2.test-group2"}},
+		{Cells: []interface{}{"print-test", "test-resource", "Succeeded"}},
+		{Cells: []interface{}{"print-test2", "test-resource2.test-group2", "Running"}},
 	}
 
 	rows, err := printStorageVersionMigrationList(&storageVersionMigrationList, printers.GenerateOptions{})
@@ -7651,3 +7911,99 @@ func TestPrintStorageVersionMigrationList(t *testing.T) {
 		t.Errorf("mismatch: %s", cmp.Diff(expected, rows))
 	}
 }
+
+func TestPrintWorkload(t *testing.T) {
+	workload := &scheduling.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "workload1",
+			Namespace: "ns1",
+		},
+		Spec: scheduling.WorkloadSpec{
+			PodGroups: []scheduling.PodGroup{
+				{
+					Name: "foo",
+					Policy: scheduling.PodGroupPolicy{
+						Gang: &scheduling.GangSchedulingPolicy{
+							MinCount: 5,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Columns: Name, Age
+	expected := []metav1.TableRow{{Cells: []interface{}{"workload1", "<unknown>"}}}
+
+	rows, err := printWorkload(workload, printers.GenerateOptions{})
+	if err != nil {
+		t.Fatalf("Error generating table rows for Workload: %#v", err)
+	}
+	rows[0].Object.Object = nil
+	if !reflect.DeepEqual(expected, rows) {
+		t.Errorf("mismatch: %s", cmp.Diff(expected, rows))
+	}
+}
+
+func TestPrintWorkloadList(t *testing.T) {
+	workloadList := &scheduling.WorkloadList{
+		Items: []scheduling.Workload{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "workload1",
+					Namespace: "ns1",
+				},
+				Spec: scheduling.WorkloadSpec{
+					PodGroups: []scheduling.PodGroup{
+						{
+							Name: "foo",
+							Policy: scheduling.PodGroupPolicy{
+								Gang: &scheduling.GangSchedulingPolicy{
+									MinCount: 5,
+								},
+							},
+						},
+					},
+				},
+			},
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:              "workload2",
+					Namespace:         "ns1",
+					CreationTimestamp: metav1.Time{Time: time.Now().Add(1.9e9)},
+				},
+				Spec: scheduling.WorkloadSpec{
+					PodGroups: []scheduling.PodGroup{
+						{
+							Name: "bar",
+							Policy: scheduling.PodGroupPolicy{
+								Gang: &scheduling.GangSchedulingPolicy{
+									MinCount: 5,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Columns: Name, Age
+	expected := []metav1.TableRow{
+		{Cells: []interface{}{"workload1", "<unknown>"}},
+		{Cells: []interface{}{"workload2", "0s"}},
+	}
+
+	rows, err := printWorkloadList(workloadList, printers.GenerateOptions{})
+	if err != nil {
+		t.Fatalf("Error generating table rows for WorkloadList: %#v", err)
+	}
+
+	for i := range rows {
+		rows[i].Object.Object = nil
+	}
+
+	if !reflect.DeepEqual(expected, rows) {
+		t.Errorf("mismatch: %s", cmp.Diff(expected, rows))
+	}
+}
diff --git a/pkg/probe/exec/exec.go b/pkg/probe/exec/exec.go
index 5b32f2494e5bd..251bf3dbdd089 100644
--- a/pkg/probe/exec/exec.go
+++ b/pkg/probe/exec/exec.go
@@ -20,9 +20,7 @@ import (
 	"bytes"
 	"errors"
 
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	remote "k8s.io/cri-client/pkg"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/util/ioutils"
 	"k8s.io/kubernetes/pkg/probe"
 
@@ -72,11 +70,7 @@ func (pr execProber) Probe(e exec.Cmd) (probe.Result, string, error) {
 		}
 
 		if errors.Is(err, remote.ErrCommandTimedOut) {
-			if utilfeature.DefaultFeatureGate.Enabled(features.ExecProbeTimeout) {
-				return probe.Failure, err.Error(), nil
-			}
-
-			klog.Warningf("Exec probe timed out but ExecProbeTimeout feature gate was disabled")
+			return probe.Failure, err.Error(), nil
 		}
 
 		return probe.Unknown, "", err
diff --git a/pkg/probe/exec/exec_test.go b/pkg/probe/exec/exec_test.go
index a4aef26e5d135..854ddd957ab7e 100644
--- a/pkg/probe/exec/exec_test.go
+++ b/pkg/probe/exec/exec_test.go
@@ -22,10 +22,7 @@ import (
 	"strings"
 	"testing"
 
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	remote "k8s.io/cri-client/pkg"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/probe"
 )
 
@@ -110,31 +107,27 @@ func TestExec(t *testing.T) {
 	elevenKilobyte := strings.Repeat("logs-123", 8*128*11) // 8*128*11=11264 = 11KB of text.
 
 	tests := []struct {
-		expectedStatus   probe.Result
-		expectError      bool
-		execProbeTimeout bool
-		input            string
-		output           string
-		err              error
+		expectedStatus probe.Result
+		expectError    bool
+		input          string
+		output         string
+		err            error
 	}{
 		// Ok
-		{probe.Success, false, true, "OK", "OK", nil},
+		{probe.Success, false, "OK", "OK", nil},
 		// Ok
-		{probe.Success, false, true, "OK", "OK", &fakeExitError{true, 0}},
+		{probe.Success, false, "OK", "OK", &fakeExitError{true, 0}},
 		// Ok - truncated output
-		{probe.Success, false, true, elevenKilobyte, tenKilobyte, nil},
+		{probe.Success, false, elevenKilobyte, tenKilobyte, nil},
 		// Run returns error
-		{probe.Unknown, true, true, "", "", fmt.Errorf("test error")},
+		{probe.Unknown, true, "", "", fmt.Errorf("test error")},
 		// Unhealthy
-		{probe.Failure, false, true, "Fail", "", &fakeExitError{true, 1}},
+		{probe.Failure, false, "Fail", "", &fakeExitError{true, 1}},
 		// Timeout
-		{probe.Failure, false, true, "", remote.ErrCommandTimedOut.Error() + ": command testcmd timed out", fmt.Errorf("%w: command testcmd timed out", remote.ErrCommandTimedOut)},
-		// ExecProbeTimeout
-		{probe.Unknown, true, false, "", "", fmt.Errorf("%w: command testcmd timed out", remote.ErrCommandTimedOut)},
+		{probe.Failure, false, "", remote.ErrCommandTimedOut.Error() + ": command testcmd timed out", fmt.Errorf("%w: command testcmd timed out", remote.ErrCommandTimedOut)},
 	}
 
 	for i, test := range tests {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ExecProbeTimeout, test.execProbeTimeout)
 		fake := FakeCmd{
 			out: []byte(test.output),
 			err: test.err,
diff --git a/pkg/proxy/apis/config/validation/validation_test.go b/pkg/proxy/apis/config/validation/validation_test.go
index b80ab4354e448..6275d4ee399ac 100644
--- a/pkg/proxy/apis/config/validation/validation_test.go
+++ b/pkg/proxy/apis/config/validation/validation_test.go
@@ -56,7 +56,8 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 			MasqueradeAll: true,
 		},
 		Logging: logsapi.LoggingConfiguration{
-			Format: "text",
+			Format:         "text",
+			FlushFrequency: logsapi.TimeOrMetaDuration{Duration: metav1.Duration{Duration: logsapi.LogFlushFreqDefault}},
 		},
 	}
 	newPath := field.NewPath("KubeProxyConfiguration")
@@ -174,7 +175,8 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
 		"invalid logging format": {
 			mutateConfigFunc: func(config *kubeproxyconfig.KubeProxyConfiguration) {
 				config.Logging = logsapi.LoggingConfiguration{
-					Format: "unsupported format",
+					Format:         "unsupported format",
+					FlushFrequency: logsapi.TimeOrMetaDuration{Duration: metav1.Duration{Duration: logsapi.LogFlushFreqDefault}},
 				}
 			},
 			expectedErrs: field.ErrorList{field.Invalid(newPath.Child("logging.format"), "unsupported format", "Unsupported log format")},
diff --git a/pkg/proxy/healthcheck/service_health.go b/pkg/proxy/healthcheck/service_health.go
index 0d4f066dd0b10..e470f94c36dcd 100644
--- a/pkg/proxy/healthcheck/service_health.go
+++ b/pkg/proxy/healthcheck/service_health.go
@@ -136,10 +136,10 @@ func (hcs *server) SyncServices(newServices map[types.NamespacedName]uint16) err
 			if hcs.recorder != nil {
 				hcs.recorder.Eventf(
 					&v1.ObjectReference{
-						Kind:      "Service",
-						Namespace: nsn.Namespace,
-						Name:      nsn.Name,
-						UID:       types.UID(nsn.String()),
+						APIVersion: "v1",
+						Kind:       "Service",
+						Namespace:  nsn.Namespace,
+						Name:       nsn.Name,
 					}, nil, api.EventTypeWarning, "FailedToStartServiceHealthcheck", "Listen", msg)
 			}
 			klog.ErrorS(err, "Failed to start healthcheck", "node", hcs.nodeName, "service", nsn, "port", port)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 8f204e6bfb760..d4f8cf13dba2a 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -404,7 +404,7 @@ var iptablesCleanupOnlyChains = []iptablesJumpChain{}
 // CleanupLeftovers removes all iptables rules and chains created by the Proxier
 // It returns true if an error was encountered. Errors are logged.
 func CleanupLeftovers(ctx context.Context) (encounteredError bool) {
-	ipts, _ := utiliptables.NewDualStack()
+	ipts := utiliptables.NewBestEffort()
 	for _, ipt := range ipts {
 		encounteredError = cleanupLeftoversForFamily(ctx, ipt) || encounteredError
 	}
@@ -937,21 +937,6 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 		allEndpoints := proxier.endpointsMap[svcName]
 		clusterEndpoints, localEndpoints, allLocallyReachableEndpoints, hasEndpoints := proxy.CategorizeEndpoints(allEndpoints, svcInfo, proxier.nodeName, proxier.topologyLabels)
 
-		// Prefer local endpoint for the DNS service.
-		// Fixes <https://bugzilla.redhat.com/show_bug.cgi?id=1919737>.
-		// TODO: Delete this once node-level topology is
-		// implemented and the DNS operator is updated to use it.
-		if svcPortNameString == "openshift-dns/dns-default:dns" || svcPortNameString == "openshift-dns/dns-default:dns-tcp" {
-			for _, ep := range clusterEndpoints {
-				if ep.IsLocal() {
-					klog.V(4).Infof("Found a local endpoint %q for service %q; preferring the local endpoint and ignoring %d other endpoints", ep.String(), svcPortNameString, len(clusterEndpoints)-1)
-					clusterEndpoints = []proxy.Endpoint{ep}
-					allLocallyReachableEndpoints = clusterEndpoints
-					break
-				}
-			}
-		}
-
 		// clusterPolicyChain contains the endpoints used with "Cluster" traffic policy
 		clusterPolicyChain := svcInfo.clusterPolicyChainName
 		usesClusterPolicyChain := len(clusterEndpoints) > 0 && svcInfo.UsesClusterEndpoints()
diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index 10da84efa867b..ca8d9a168cc80 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@@ -42,14 +42,10 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 	klogtesting "k8s.io/klog/v2/ktesting"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/proxy"
 	kubeproxyconfig "k8s.io/kubernetes/pkg/proxy/apis/config"
 	"k8s.io/kubernetes/pkg/proxy/conntrack"
@@ -2082,173 +2078,6 @@ func TestClusterIPGeneral(t *testing.T) {
 	})
 }
 
-func TestOpenShiftDNSHackTCP(t *testing.T) {
-	ipt := iptablestest.NewFake()
-	fp := NewFakeProxier(ipt)
-	svcIP := "172.30.0.10"
-	svcPort := 53
-	podPort := 5353
-	svcPortName := proxy.ServicePortName{
-		NamespacedName: makeNSN("openshift-dns", "dns-default"),
-		Port:           "dns-tcp",
-		Protocol:       v1.ProtocolTCP,
-	}
-
-	makeServiceMap(fp,
-		makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
-			svc.Spec.ClusterIP = svcIP
-			svc.Spec.Ports = []v1.ServicePort{{
-				Name:     svcPortName.Port,
-				Port:     int32(svcPort),
-				Protocol: svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	populateEndpointSlices(fp,
-		makeTestEndpointSlice(svcPortName.Namespace, svcPortName.Name, 1, func(eps *discovery.EndpointSlice) {
-			eps.AddressType = discovery.AddressTypeIPv4
-			eps.Endpoints = []discovery.Endpoint{{
-				// This endpoint is ignored because it's remote
-				Addresses: []string{"10.180.0.2"},
-				NodeName:  ptr.To("node2"),
-			}, {
-				Addresses: []string{"10.180.0.1"},
-				NodeName:  ptr.To(testNodeName),
-			}}
-			eps.Ports = []discovery.EndpointPort{{
-				Name:     ptr.To(svcPortName.Port),
-				Port:     ptr.To[int32](int32(podPort)),
-				Protocol: &svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	fp.syncProxyRules()
-
-	runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
-		{
-			name:     "TCP DNS only goes to local endpoint",
-			sourceIP: "10.0.0.2",
-			destIP:   "172.30.0.10",
-			destPort: 53,
-			output:   "10.180.0.1:5353",
-		},
-	})
-}
-
-func TestOpenShiftDNSHackUDP(t *testing.T) {
-	ipt := iptablestest.NewFake()
-	fp := NewFakeProxier(ipt)
-	svcIP := "172.30.0.10"
-	svcPort := 53
-	podPort := 5353
-	svcPortName := proxy.ServicePortName{
-		NamespacedName: makeNSN("openshift-dns", "dns-default"),
-		Port:           "dns",
-		Protocol:       v1.ProtocolUDP,
-	}
-
-	makeServiceMap(fp,
-		makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
-			svc.Spec.ClusterIP = svcIP
-			svc.Spec.Ports = []v1.ServicePort{{
-				Name:     svcPortName.Port,
-				Port:     int32(svcPort),
-				Protocol: svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	populateEndpointSlices(fp,
-		makeTestEndpointSlice(svcPortName.Namespace, svcPortName.Name, 1, func(eps *discovery.EndpointSlice) {
-			eps.AddressType = discovery.AddressTypeIPv4
-			eps.Endpoints = []discovery.Endpoint{{
-				// This endpoint is ignored because it's remote
-				Addresses: []string{"10.180.0.2"},
-				NodeName:  ptr.To("node2"),
-			}, {
-				Addresses: []string{"10.180.0.1"},
-				NodeName:  ptr.To(testNodeName),
-			}}
-			eps.Ports = []discovery.EndpointPort{{
-				Name:     ptr.To(svcPortName.Port),
-				Port:     ptr.To[int32](int32(podPort)),
-				Protocol: &svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	fp.syncProxyRules()
-
-	runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
-		{
-			name:     "UDP DNS only goes to local endpoint",
-			sourceIP: "10.0.0.2",
-			protocol: v1.ProtocolUDP,
-			destIP:   "172.30.0.10",
-			destPort: 53,
-			output:   "10.180.0.1:5353",
-		},
-	})
-}
-
-func TestOpenShiftDNSHackFallback(t *testing.T) {
-	ipt := iptablestest.NewFake()
-	fp := NewFakeProxier(ipt)
-	svcIP := "172.30.0.10"
-	svcPort := 53
-	podPort := 5353
-	svcPortName := proxy.ServicePortName{
-		NamespacedName: makeNSN("openshift-dns", "dns-default"),
-		Port:           "dns",
-		Protocol:       v1.ProtocolUDP,
-	}
-
-	makeServiceMap(fp,
-		makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
-			svc.Spec.ClusterIP = svcIP
-			svc.Spec.Ports = []v1.ServicePort{{
-				Name:     svcPortName.Port,
-				Port:     int32(svcPort),
-				Protocol: svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	populateEndpointSlices(fp,
-		makeTestEndpointSlice(svcPortName.Namespace, svcPortName.Name, 1, func(eps *discovery.EndpointSlice) {
-			eps.AddressType = discovery.AddressTypeIPv4
-			// Both endpoints are used because neither is local
-			eps.Endpoints = []discovery.Endpoint{{
-				Addresses: []string{"10.180.1.2"},
-				NodeName:  ptr.To("node2"),
-			}, {
-				Addresses: []string{"10.180.2.3"},
-				NodeName:  ptr.To("node3"),
-			}}
-			eps.Ports = []discovery.EndpointPort{{
-				Name:     ptr.To(svcPortName.Port),
-				Port:     ptr.To[int32](int32(podPort)),
-				Protocol: &svcPortName.Protocol,
-			}}
-		}),
-	)
-
-	fp.syncProxyRules()
-
-	runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
-		{
-			name:     "DNS goes to all endpoints when none are local",
-			sourceIP: "10.0.0.2",
-			protocol: v1.ProtocolUDP,
-			destIP:   "172.30.0.10",
-			destPort: 53,
-			output:   "10.180.1.2:5353, 10.180.2.3:5353",
-		},
-	})
-}
-
 func TestLoadBalancer(t *testing.T) {
 	ipt := iptablestest.NewFake()
 	fp := NewFakeProxier(ipt)
@@ -6694,62 +6523,32 @@ func TestNoEndpointsMetric(t *testing.T) {
 
 func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 	testCases := []struct {
-		name          string
-		ipModeEnabled bool
-		svcIP         string
-		svcLBIP       string
-		ipMode        *v1.LoadBalancerIPMode
-		expectedRule  bool
+		name         string
+		svcIP        string
+		svcLBIP      string
+		ipMode       *v1.LoadBalancerIPMode
+		expectedRule bool
 	}{
-		/* LoadBalancerIPMode disabled */
-		{
-			name:          "LoadBalancerIPMode disabled, ipMode Proxy",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.41",
-			svcLBIP:       "1.2.3.4",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeProxy),
-			expectedRule:  true,
-		},
-		{
-			name:          "LoadBalancerIPMode disabled, ipMode VIP",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.42",
-			svcLBIP:       "1.2.3.5",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeVIP),
-			expectedRule:  true,
-		},
-		{
-			name:          "LoadBalancerIPMode disabled, ipMode nil",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.43",
-			svcLBIP:       "1.2.3.6",
-			ipMode:        nil,
-			expectedRule:  true,
-		},
-		/* LoadBalancerIPMode enabled */
 		{
-			name:          "LoadBalancerIPMode enabled, ipMode Proxy",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.41",
-			svcLBIP:       "1.2.3.4",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeProxy),
-			expectedRule:  false,
+			name:         "ipMode Proxy",
+			svcIP:        "10.20.30.41",
+			svcLBIP:      "1.2.3.4",
+			ipMode:       ptr.To(v1.LoadBalancerIPModeProxy),
+			expectedRule: false,
 		},
 		{
-			name:          "LoadBalancerIPMode enabled, ipMode VIP",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.42",
-			svcLBIP:       "1.2.3.5",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeVIP),
-			expectedRule:  true,
+			name:         "ipMode VIP",
+			svcIP:        "10.20.30.42",
+			svcLBIP:      "1.2.3.5",
+			ipMode:       ptr.To(v1.LoadBalancerIPModeVIP),
+			expectedRule: true,
 		},
 		{
-			name:          "LoadBalancerIPMode enabled, ipMode nil",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.43",
-			svcLBIP:       "1.2.3.6",
-			ipMode:        nil,
-			expectedRule:  true,
+			name:         "ipMode nil",
+			svcIP:        "10.20.30.43",
+			svcLBIP:      "1.2.3.6",
+			ipMode:       nil,
+			expectedRule: true,
 		},
 	}
 
@@ -6763,10 +6562,6 @@ func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			if !testCase.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, testCase.ipModeEnabled)
 			ipt := iptablestest.NewFake()
 			fp := NewFakeProxier(ipt)
 			makeServiceMap(fp,
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index 8fc01b2979841..9e80d35a4f11f 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -401,8 +401,8 @@ func NewProxier(
 		proxier.ipsetList[is.name] = NewIPSet(ipset, is.name, is.setType, (ipFamily == v1.IPv6Protocol), is.comment)
 	}
 
-	logger.V(2).Info("ipvs sync params", "minSyncPeriod", minSyncPeriod, "syncPeriod", syncPeriod, "maxSyncPeriod", proxyutil.FullSyncPeriod)
-	proxier.syncRunner = runner.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, proxyutil.FullSyncPeriod)
+	logger.V(2).Info("ipvs sync params", "minSyncPeriod", minSyncPeriod, "syncPeriod", syncPeriod, "maxSyncPeriod", syncPeriod)
+	proxier.syncRunner = runner.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, syncPeriod)
 
 	proxier.gracefuldeleteManager.Run()
 	return proxier, nil
@@ -706,7 +706,7 @@ func CleanupLeftovers(ctx context.Context) (encounteredError bool) {
 		return false
 	}
 
-	ipts, _ := utiliptables.NewDualStack()
+	ipts := utiliptables.NewBestEffort()
 	ipsetInterface := utilipset.New()
 	ipvsInterface := utilipvs.New()
 
diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go
index 5400b49ac54d8..16187009c9e83 100644
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@@ -39,11 +39,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics/testutil"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/proxy"
 	kubeproxyconfig "k8s.io/kubernetes/pkg/proxy/apis/config"
 	"k8s.io/kubernetes/pkg/proxy/conntrack"
@@ -5762,57 +5758,27 @@ func TestDismissLocalhostRuleExist(t *testing.T) {
 func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 	testCases := []struct {
 		name             string
-		ipModeEnabled    bool
 		svcIP            string
 		svcLBIP          string
 		ipMode           *v1.LoadBalancerIPMode
 		expectedServices int
 	}{
-		/* LoadBalancerIPMode disabled */
 		{
-			name:             "LoadBalancerIPMode disabled, ipMode Proxy",
-			ipModeEnabled:    false,
-			svcIP:            "10.20.30.41",
-			svcLBIP:          "1.2.3.4",
-			ipMode:           ptr.To(v1.LoadBalancerIPModeProxy),
-			expectedServices: 2,
-		},
-		{
-			name:             "LoadBalancerIPMode disabled, ipMode VIP",
-			ipModeEnabled:    false,
-			svcIP:            "10.20.30.42",
-			svcLBIP:          "1.2.3.5",
-			ipMode:           ptr.To(v1.LoadBalancerIPModeVIP),
-			expectedServices: 2,
-		},
-		{
-			name:             "LoadBalancerIPMode disabled, ipMode nil",
-			ipModeEnabled:    false,
-			svcIP:            "10.20.30.43",
-			svcLBIP:          "1.2.3.6",
-			ipMode:           nil,
-			expectedServices: 2,
-		},
-		/* LoadBalancerIPMode enabled */
-		{
-			name:             "LoadBalancerIPMode enabled, ipMode Proxy",
-			ipModeEnabled:    true,
+			name:             "ipMode Proxy",
 			svcIP:            "10.20.30.41",
 			svcLBIP:          "1.2.3.4",
 			ipMode:           ptr.To(v1.LoadBalancerIPModeProxy),
 			expectedServices: 1,
 		},
 		{
-			name:             "LoadBalancerIPMode enabled, ipMode VIP",
-			ipModeEnabled:    true,
+			name:             "ipMode VIP",
 			svcIP:            "10.20.30.42",
 			svcLBIP:          "1.2.3.5",
 			ipMode:           ptr.To(v1.LoadBalancerIPModeVIP),
 			expectedServices: 2,
 		},
 		{
-			name:             "LoadBalancerIPMode enabled, ipMode nil",
-			ipModeEnabled:    true,
+			name:             "ipMode nil",
 			svcIP:            "10.20.30.43",
 			svcLBIP:          "1.2.3.6",
 			ipMode:           nil,
@@ -5829,10 +5795,6 @@ func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			if !testCase.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, testCase.ipModeEnabled)
 			_, fp := buildFakeProxier(t)
 			makeServiceMap(fp,
 				makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
diff --git a/pkg/proxy/kubemark/hollow_proxy.go b/pkg/proxy/kubemark/hollow_proxy.go
index 34fdc94896c32..9f7b821b60f3d 100644
--- a/pkg/proxy/kubemark/hollow_proxy.go
+++ b/pkg/proxy/kubemark/hollow_proxy.go
@@ -24,7 +24,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
 	clientset "k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/events"
@@ -76,10 +75,10 @@ func NewHollowProxy(
 			Broadcaster: broadcaster,
 			Recorder:    recorder,
 			NodeRef: &v1.ObjectReference{
-				Kind:      "Node",
-				Name:      nodeName,
-				UID:       types.UID(nodeName),
-				Namespace: "",
+				APIVersion: "v1",
+				Kind:       "Node",
+				Name:       nodeName,
+				Namespace:  "",
 			},
 		},
 	}
diff --git a/pkg/proxy/nftables/proxier_test.go b/pkg/proxy/nftables/proxier_test.go
index d9a141764540c..be9ca16a9c9ff 100644
--- a/pkg/proxy/nftables/proxier_test.go
+++ b/pkg/proxy/nftables/proxier_test.go
@@ -36,11 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics/testutil"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/proxy"
 	kubeproxyconfig "k8s.io/kubernetes/pkg/proxy/apis/config"
 	"k8s.io/kubernetes/pkg/proxy/conntrack"
@@ -4616,62 +4612,32 @@ func TestNoEndpointsMetric(t *testing.T) {
 
 func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 	testCases := []struct {
-		name          string
-		ipModeEnabled bool
-		svcIP         string
-		svcLBIP       string
-		ipMode        *v1.LoadBalancerIPMode
-		expectedRule  bool
+		name         string
+		svcIP        string
+		svcLBIP      string
+		ipMode       *v1.LoadBalancerIPMode
+		expectedRule bool
 	}{
-		/* LoadBalancerIPMode disabled */
-		{
-			name:          "LoadBalancerIPMode disabled, ipMode Proxy",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.41",
-			svcLBIP:       "1.2.3.4",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeProxy),
-			expectedRule:  true,
-		},
 		{
-			name:          "LoadBalancerIPMode disabled, ipMode VIP",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.42",
-			svcLBIP:       "1.2.3.5",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeVIP),
-			expectedRule:  true,
+			name:         "ipMode Proxy",
+			svcIP:        "10.20.30.41",
+			svcLBIP:      "1.2.3.4",
+			ipMode:       ptr.To(v1.LoadBalancerIPModeProxy),
+			expectedRule: false,
 		},
 		{
-			name:          "LoadBalancerIPMode disabled, ipMode nil",
-			ipModeEnabled: false,
-			svcIP:         "10.20.30.43",
-			svcLBIP:       "1.2.3.6",
-			ipMode:        nil,
-			expectedRule:  true,
-		},
-		/* LoadBalancerIPMode enabled */
-		{
-			name:          "LoadBalancerIPMode enabled, ipMode Proxy",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.41",
-			svcLBIP:       "1.2.3.4",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeProxy),
-			expectedRule:  false,
+			name:         "ipMode VIP",
+			svcIP:        "10.20.30.42",
+			svcLBIP:      "1.2.3.5",
+			ipMode:       ptr.To(v1.LoadBalancerIPModeVIP),
+			expectedRule: true,
 		},
 		{
-			name:          "LoadBalancerIPMode enabled, ipMode VIP",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.42",
-			svcLBIP:       "1.2.3.5",
-			ipMode:        ptr.To(v1.LoadBalancerIPModeVIP),
-			expectedRule:  true,
-		},
-		{
-			name:          "LoadBalancerIPMode enabled, ipMode nil",
-			ipModeEnabled: true,
-			svcIP:         "10.20.30.43",
-			svcLBIP:       "1.2.3.6",
-			ipMode:        nil,
-			expectedRule:  true,
+			name:         "ipMode nil",
+			svcIP:        "10.20.30.43",
+			svcLBIP:      "1.2.3.6",
+			ipMode:       nil,
+			expectedRule: true,
 		},
 	}
 
@@ -4685,10 +4651,6 @@ func TestLoadBalancerIngressRouteTypeProxy(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			if !testCase.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, testCase.ipModeEnabled)
 			nft, fp := NewFakeProxier(v1.IPv4Protocol)
 			makeServiceMap(fp,
 				makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
diff --git a/pkg/proxy/node.go b/pkg/proxy/node.go
index d8c3afd0e9a9e..556ca5905f0b4 100644
--- a/pkg/proxy/node.go
+++ b/pkg/proxy/node.go
@@ -81,7 +81,7 @@ func newNodeManager(ctx context.Context, client clientset.Interface, resyncInter
 
 	// initialize the informer and wait for cache sync
 	thisNodeInformerFactory.Start(wait.NeverStop)
-	if !cache.WaitForNamedCacheSync("node informer cache", ctx.Done(), nodeInformer.Informer().HasSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, nodeInformer.Informer().HasSynced) {
 		return nil, fmt.Errorf("can not sync node informer")
 	}
 
diff --git a/pkg/proxy/servicechangetracker_test.go b/pkg/proxy/servicechangetracker_test.go
index df52618c419b2..21e645db10dac 100644
--- a/pkg/proxy/servicechangetracker_test.go
+++ b/pkg/proxy/servicechangetracker_test.go
@@ -27,10 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/dump"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
-	"k8s.io/kubernetes/pkg/features"
 	netutils "k8s.io/utils/net"
 )
 
@@ -117,11 +113,10 @@ func TestServiceToServiceMap(t *testing.T) {
 	ipModeProxy := v1.LoadBalancerIPModeProxy
 
 	testCases := []struct {
-		desc          string
-		service       *v1.Service
-		expected      map[ServicePortName]*BaseServicePortInfo
-		ipFamily      v1.IPFamily
-		ipModeEnabled bool
+		desc     string
+		service  *v1.Service
+		expected map[ServicePortName]*BaseServicePortInfo
+		ipFamily v1.IPFamily
 	}{
 		{
 			desc:     "nothing",
@@ -214,7 +209,7 @@ func TestServiceToServiceMap(t *testing.T) {
 			},
 		},
 		{
-			desc:     "load balancer service ipMode VIP feature gate disable",
+			desc:     "load balancer service ipMode VIP",
 			ipFamily: v1.IPv4Protocol,
 
 			service: makeTestService("ns1", "load-balancer", func(svc *v1.Service) {
@@ -235,53 +230,9 @@ func TestServiceToServiceMap(t *testing.T) {
 			},
 		},
 		{
-			desc:     "load balancer service ipMode Proxy feature gate disable",
+			desc:     "load balancer service ipMode Proxy",
 			ipFamily: v1.IPv4Protocol,
 
-			service: makeTestService("ns1", "load-balancer", func(svc *v1.Service) {
-				svc.Spec.Type = v1.ServiceTypeLoadBalancer
-				svc.Spec.ClusterIP = "172.16.55.11"
-				svc.Spec.LoadBalancerIP = "5.6.7.8"
-				svc.Spec.Ports = addTestPort(svc.Spec.Ports, "port3", "UDP", 8675, 30061, 7000)
-				svc.Spec.Ports = addTestPort(svc.Spec.Ports, "port4", "UDP", 8676, 30062, 7001)
-				svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{{IP: "10.1.2.4", IPMode: &ipModeProxy}}
-			}),
-			expected: map[ServicePortName]*BaseServicePortInfo{
-				makeServicePortName("ns1", "load-balancer", "port3", v1.ProtocolUDP): makeTestServiceInfo("172.16.55.11", 8675, "UDP", 0, func(bsvcPortInfo *BaseServicePortInfo) {
-					bsvcPortInfo.loadBalancerVIPs = makeIPs("10.1.2.4")
-				}),
-				makeServicePortName("ns1", "load-balancer", "port4", v1.ProtocolUDP): makeTestServiceInfo("172.16.55.11", 8676, "UDP", 0, func(bsvcPortInfo *BaseServicePortInfo) {
-					bsvcPortInfo.loadBalancerVIPs = makeIPs("10.1.2.4")
-				}),
-			},
-		},
-		{
-			desc:          "load balancer service ipMode VIP feature gate enabled",
-			ipFamily:      v1.IPv4Protocol,
-			ipModeEnabled: true,
-
-			service: makeTestService("ns1", "load-balancer", func(svc *v1.Service) {
-				svc.Spec.Type = v1.ServiceTypeLoadBalancer
-				svc.Spec.ClusterIP = "172.16.55.11"
-				svc.Spec.LoadBalancerIP = "5.6.7.8"
-				svc.Spec.Ports = addTestPort(svc.Spec.Ports, "port3", "UDP", 8675, 30061, 7000)
-				svc.Spec.Ports = addTestPort(svc.Spec.Ports, "port4", "UDP", 8676, 30062, 7001)
-				svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{{IP: "10.1.2.4", IPMode: &ipModeVIP}}
-			}),
-			expected: map[ServicePortName]*BaseServicePortInfo{
-				makeServicePortName("ns1", "load-balancer", "port3", v1.ProtocolUDP): makeTestServiceInfo("172.16.55.11", 8675, "UDP", 0, func(bsvcPortInfo *BaseServicePortInfo) {
-					bsvcPortInfo.loadBalancerVIPs = makeIPs("10.1.2.4")
-				}),
-				makeServicePortName("ns1", "load-balancer", "port4", v1.ProtocolUDP): makeTestServiceInfo("172.16.55.11", 8676, "UDP", 0, func(bsvcPortInfo *BaseServicePortInfo) {
-					bsvcPortInfo.loadBalancerVIPs = makeIPs("10.1.2.4")
-				}),
-			},
-		},
-		{
-			desc:          "load balancer service ipMode Proxy feature gate enabled",
-			ipFamily:      v1.IPv4Protocol,
-			ipModeEnabled: true,
-
 			service: makeTestService("ns1", "load-balancer", func(svc *v1.Service) {
 				svc.Spec.Type = v1.ServiceTypeLoadBalancer
 				svc.Spec.ClusterIP = "172.16.55.11"
@@ -573,10 +524,6 @@ func TestServiceToServiceMap(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
-			if !tc.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, tc.ipModeEnabled)
 			svcTracker := NewServiceChangeTracker(tc.ipFamily, nil, nil)
 			// outputs
 			newServices := svcTracker.serviceToServiceMap(tc.service)
diff --git a/pkg/proxy/topology_test.go b/pkg/proxy/topology_test.go
index ad523c23306c6..8e9ed4333d2ae 100644
--- a/pkg/proxy/topology_test.go
+++ b/pkg/proxy/topology_test.go
@@ -23,6 +23,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/features"
@@ -401,6 +402,9 @@ func TestCategorizeEndpoints(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			if !tc.preferSameEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+			}
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, tc.preferSameEnabled)
 
 			clusterEndpoints, localEndpoints, allEndpoints, hasAnyEndpoints := CategorizeEndpoints(tc.endpoints, tc.serviceInfo, tc.nodeName, tc.nodeLabels)
diff --git a/pkg/proxy/util/nfacct/nfacct_linux_test.go b/pkg/proxy/util/nfacct/nfacct_linux_test.go
index 175aa180a1d9d..54185098dc500 100644
--- a/pkg/proxy/util/nfacct/nfacct_linux_test.go
+++ b/pkg/proxy/util/nfacct/nfacct_linux_test.go
@@ -1,5 +1,5 @@
-//go:build linux
-// +build linux
+//go:build linux && !s390x
+// +build linux,!s390x
 
 /*
 Copyright 2024 The Kubernetes Authors.
@@ -17,6 +17,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Skip s390x: This test is disabled on s390x due to failures caused by little-endian specific input data.
+// See issue: https://github.com/kubernetes/kubernetes/issues/130343
+
 package nfacct
 
 import (
diff --git a/pkg/proxy/util/utils.go b/pkg/proxy/util/utils.go
index cfcce4834ebd3..59d85a54d6205 100644
--- a/pkg/proxy/util/utils.go
+++ b/pkg/proxy/util/utils.go
@@ -24,11 +24,9 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	utilsysctl "k8s.io/component-helpers/node/util/sysctl"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/apis/core/v1/helper"
-	"k8s.io/kubernetes/pkg/features"
 	netutils "k8s.io/utils/net"
 )
 
@@ -216,9 +214,6 @@ func GetClusterIPByFamily(ipFamily v1.IPFamily, service *v1.Service) string {
 }
 
 func IsVIPMode(ing v1.LoadBalancerIngress) bool {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) {
-		return true // backwards compat
-	}
 	if ing.IPMode == nil {
 		return true
 	}
diff --git a/pkg/proxy/winkernel/hns.go b/pkg/proxy/winkernel/hns.go
index 80bb208adff10..6c9aaa857903a 100644
--- a/pkg/proxy/winkernel/hns.go
+++ b/pkg/proxy/winkernel/hns.go
@@ -202,7 +202,7 @@ func (hns hns) getEndpointByIpAddress(ip string, networkName string) (*endpointI
 	}
 	for _, endpoint := range endpoints {
 		equal := false
-		if endpoint.IpConfigurations != nil && len(endpoint.IpConfigurations) > 0 {
+		if len(endpoint.IpConfigurations) > 0 {
 			equal = endpoint.IpConfigurations[0].IpAddress == ip
 
 			if !equal && len(endpoint.IpConfigurations) > 1 {
@@ -276,11 +276,13 @@ func (hns hns) createEndpoint(ep *endpointInfo, networkName string) (*endpointIn
 		if err != nil {
 			return nil, err
 		}
+		klog.V(3).InfoS("Created remote endpoint resource", "hnsID", createdEndpoint.Id)
 	} else {
 		createdEndpoint, err = hns.hcn.CreateEndpoint(hnsNetwork, hnsEndpoint)
 		if err != nil {
 			return nil, err
 		}
+		klog.V(3).InfoS("Created local endpoint resource", "hnsID", createdEndpoint.Id)
 	}
 	return &endpointInfo{
 		ip:              createdEndpoint.IpConfigurations[0].IpAddress,
@@ -304,17 +306,14 @@ func (hns hns) deleteEndpoint(hnsID string) error {
 }
 
 // findLoadBalancerID will construct a id from the provided loadbalancer fields
-func findLoadBalancerID(endpoints []endpointInfo, vip string, protocol, internalPort, externalPort uint16) (loadBalancerIdentifier, error) {
+func findLoadBalancerID(endpoints []endpointInfo, vip string, protocol, internalPort, externalPort uint16, isIpv6 bool) (loadBalancerIdentifier, error) {
 	// Compute hash from backends (endpoint IDs)
 	hash, err := hashEndpoints(endpoints)
 	if err != nil {
 		klog.V(2).ErrorS(err, "Error hashing endpoints", "endpoints", endpoints)
 		return loadBalancerIdentifier{}, err
 	}
-	if len(vip) > 0 {
-		return loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, vip: vip, endpointsHash: hash}, nil
-	}
-	return loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, endpointsHash: hash}, nil
+	return loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, vip: vip, endpointsHash: hash, isIPv6: isIpv6}, nil
 }
 
 func (hns hns) getAllLoadBalancers() (map[loadBalancerIdentifier]*loadBalancerInfo, error) {
@@ -325,6 +324,7 @@ func (hns hns) getAllLoadBalancers() (map[loadBalancerIdentifier]*loadBalancerIn
 	}
 	loadBalancers := make(map[loadBalancerIdentifier]*(loadBalancerInfo))
 	for _, lb := range lbs {
+		isIPv6 := (lb.Flags & LoadBalancerFlagsIPv6) == LoadBalancerFlagsIPv6
 		portMap := lb.PortMappings[0]
 		// Compute hash from backends (endpoint IDs)
 		hash, err := hashEndpoints(lb.HostComputeEndpoints)
@@ -334,9 +334,9 @@ func (hns hns) getAllLoadBalancers() (map[loadBalancerIdentifier]*loadBalancerIn
 		}
 		if len(lb.FrontendVIPs) == 0 {
 			// Leave VIP uninitialized
-			id = loadBalancerIdentifier{protocol: uint16(portMap.Protocol), internalPort: portMap.InternalPort, externalPort: portMap.ExternalPort, endpointsHash: hash}
+			id = loadBalancerIdentifier{protocol: uint16(portMap.Protocol), internalPort: portMap.InternalPort, externalPort: portMap.ExternalPort, endpointsHash: hash, isIPv6: isIPv6}
 		} else {
-			id = loadBalancerIdentifier{protocol: uint16(portMap.Protocol), internalPort: portMap.InternalPort, externalPort: portMap.ExternalPort, vip: lb.FrontendVIPs[0], endpointsHash: hash}
+			id = loadBalancerIdentifier{protocol: uint16(portMap.Protocol), internalPort: portMap.InternalPort, externalPort: portMap.ExternalPort, vip: lb.FrontendVIPs[0], endpointsHash: hash, isIPv6: isIPv6}
 		}
 		loadBalancers[id] = &loadBalancerInfo{
 			hnsID: lb.Id,
@@ -355,6 +355,7 @@ func (hns hns) getLoadBalancer(endpoints []endpointInfo, flags loadBalancerFlags
 		protocol,
 		internalPort,
 		externalPort,
+		flags.isIPv6,
 	)
 
 	if lbIdErr != nil {
@@ -461,10 +462,10 @@ func (hns hns) updateLoadBalancer(hnsID string,
 		return nil, err
 	}
 	if len(vip) > 0 {
-		id = loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, vip: vip, endpointsHash: hash}
+		id = loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, vip: vip, endpointsHash: hash, isIPv6: flags.isIPv6}
 		vips = append(vips, vip)
 	} else {
-		id = loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, endpointsHash: hash}
+		id = loadBalancerIdentifier{protocol: protocol, internalPort: internalPort, externalPort: externalPort, endpointsHash: hash, isIPv6: flags.isIPv6}
 	}
 
 	if lb, found := previousLoadBalancers[id]; found {
@@ -531,8 +532,13 @@ func (hns hns) deleteLoadBalancer(hnsID string) error {
 		// There is a bug in Windows Server 2019, that can cause the delete call to fail sometimes. We retry one more time.
 		// TODO: The logic in syncProxyRules  should be rewritten in the future to better stage and handle a call like this failing using the policyApplied fields.
 		klog.V(1).ErrorS(err, "Error deleting Hns loadbalancer policy resource. Attempting one more time...", "loadBalancer", lb)
-		return hns.hcn.DeleteLoadBalancer(lb)
+		err = hns.hcn.DeleteLoadBalancer(lb)
+	}
+	if err != nil {
+		klog.V(2).ErrorS(err, "Error deleting Hns loadbalancer policy resource again.", "hnsID", hnsID)
+		return err
 	}
+	klog.V(3).InfoS("Deleted Hns loadbalancer policy resource", "hnsID", hnsID)
 	return err
 }
 
diff --git a/pkg/proxy/winkernel/hns_test.go b/pkg/proxy/winkernel/hns_test.go
index b859ad639efb6..604eec7444396 100644
--- a/pkg/proxy/winkernel/hns_test.go
+++ b/pkg/proxy/winkernel/hns_test.go
@@ -30,21 +30,24 @@ import (
 )
 
 const (
-	sourceVip         = "192.168.1.2"
-	serviceVip        = "11.0.0.1"
-	addressPrefix     = "192.168.1.0/24"
-	gatewayAddress    = "192.168.1.1"
-	epMacAddress      = "00-11-22-33-44-55"
-	epIpAddress       = "192.168.1.3"
-	epIpv6Address     = "192::3"
-	epIpAddressB      = "192.168.1.4"
-	epIpAddressRemote = "192.168.2.3"
-	epIpAddressLocal1 = "192.168.4.4"
-	epIpAddressLocal2 = "192.168.4.5"
-	epPaAddress       = "10.0.0.3"
-	protocol          = 6
-	internalPort      = 80
-	externalPort      = 32440
+	sourceVip           = "192.168.1.2"
+	serviceVip          = "11.0.0.1"
+	addressPrefix       = "192.168.1.0/24"
+	gatewayAddress      = "192.168.1.1"
+	epMacAddress        = "00-11-22-33-44-55"
+	epIpAddress         = "192.168.1.3"
+	epIpv6Address       = "192::3"
+	epIpAddressB        = "192.168.1.4"
+	epIpAddressLocal    = "192.168.5.3"
+	epIpAddressLocalv6  = "192::5:3"
+	epIpAddressRemote   = "192.168.2.3"
+	epIpAddressRemotev6 = "192::2:3"
+	epIpAddressLocal1   = "192.168.4.4"
+	epIpAddressLocal2   = "192.168.4.5"
+	epPaAddress         = "10.0.0.3"
+	protocol            = 6
+	internalPort        = 80
+	externalPort        = 32440
 )
 
 func TestGetNetworkByName(t *testing.T) {
diff --git a/pkg/proxy/winkernel/proxier.go b/pkg/proxy/winkernel/proxier.go
index ad3bd26fd61ec..46ed064b62fef 100644
--- a/pkg/proxy/winkernel/proxier.go
+++ b/pkg/proxy/winkernel/proxier.go
@@ -120,6 +120,7 @@ type loadBalancerIdentifier struct {
 	externalPort  uint16
 	vip           string
 	endpointsHash [20]byte
+	isIPv6        bool // isIPv6 flag makes the identifier unique per IP family. In a dualstack etp:local service, nodeport lb will be configured with empty vip, same port and protocol. Since ids of only localendpoints (both ipv4 and v6 ips present in same object) are considered for ep hash, endpointsHash will also be same.
 }
 
 func (info loadBalancerIdentifier) String() string {
@@ -604,15 +605,14 @@ func (proxier *Proxier) newServiceInfo(port *v1.ServicePort, service *v1.Service
 	info.winProxyOptimization = winProxyOptimization
 	klog.V(3).InfoS("Flags enabled for service", "service", service.Name, "localTrafficDSR", localTrafficDSR, "internalTrafficLocal", internalTrafficLocal, "preserveDIP", preserveDIP, "winProxyOptimization", winProxyOptimization)
 
-	for _, eip := range service.Spec.ExternalIPs {
-		info.externalIPs = append(info.externalIPs, &externalIPInfo{ip: eip})
+	for _, eip := range info.ExternalIPs() {
+		info.externalIPs = append(info.externalIPs, &externalIPInfo{ip: eip.String()})
 	}
 
-	for _, ingress := range service.Status.LoadBalancer.Ingress {
-		if netutils.ParseIPSloppy(ingress.IP) != nil {
-			info.loadBalancerIngressIPs = append(info.loadBalancerIngressIPs, &loadBalancerIngressInfo{ip: ingress.IP})
-		}
+	for _, ingress := range info.LoadBalancerVIPs() {
+		info.loadBalancerIngressIPs = append(info.loadBalancerIngressIPs, &loadBalancerIngressInfo{ip: ingress.String()})
 	}
+
 	return info
 }
 
@@ -750,8 +750,8 @@ func NewProxier(
 		return nil, err
 	}
 
-	klog.V(3).Info("Record sync params", "minSyncPeriod", minSyncPeriod, "syncPeriod", syncPeriod, "maxSyncPeriod", proxyutil.FullSyncPeriod)
-	proxier.syncRunner = runner.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, proxyutil.FullSyncPeriod)
+	klog.V(3).Info("Record sync params", "minSyncPeriod", minSyncPeriod, "syncPeriod", syncPeriod, "maxSyncPeriod", syncPeriod)
+	proxier.syncRunner = runner.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, syncPeriod)
 
 	return proxier, nil
 }
@@ -1271,7 +1271,9 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 		}
 	}
 
-	klog.V(3).InfoS("Syncing Policies")
+	klog.V(3).InfoS("Syncing Policies", "proxierFamily", proxier.ipFamily, "serviceCount", len(proxier.svcPortMap), "endpointCount", len(proxier.endpointsMap), "queriedEndpointsCount", len(queriedEndpoints), "queriedLoadBalancersCount", len(queriedLoadBalancers))
+
+	defer klog.V(3).InfoS("Syncing Policies complete", "proxierFamily", proxier.ipFamily)
 
 	// Program HNS by adding corresponding policies for each service.
 	for svcName, svc := range proxier.svcPortMap {
@@ -1545,12 +1547,12 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 					queriedLoadBalancers,
 				)
 				if err != nil {
-					klog.ErrorS(err, "ClusterIP policy creation failed")
+					klog.ErrorS(err, "ClusterIP policy creation failed", "clusterIP", svcInfo.ClusterIP(), "serviceName", svcName, "proxierIPFamily", proxier.ipFamily)
 					continue
 				}
 
 				svcInfo.hnsID = hnsLoadBalancer.hnsID
-				klog.V(3).InfoS("Hns LoadBalancer resource created for cluster ip resources", "clusterIP", svcInfo.ClusterIP(), "hnsID", hnsLoadBalancer.hnsID)
+				klog.V(3).InfoS("Hns LoadBalancer resource created for cluster ip resources", "clusterIP", svcInfo.ClusterIP(), "hnsID", hnsLoadBalancer.hnsID, "serviceName", svcName, "proxierIPFamily", proxier.ipFamily)
 
 			} else {
 				klog.V(3).InfoS("Skipped creating Hns LoadBalancer for cluster ip resources. Reason : all endpoints are terminating", "clusterIP", svcInfo.ClusterIP(), "nodeport", svcInfo.NodePort(), "allEndpointsTerminating", allEndpointsTerminating)
@@ -1599,16 +1601,18 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 						queriedLoadBalancers,
 					)
 					if err != nil {
-						klog.ErrorS(err, "Nodeport policy creation failed")
+						klog.ErrorS(err, "Nodeport policy creation failed", "nodeport", svcInfo.NodePort(), "sourceVip", sourceVip, "proxierIPFamily", proxier.ipFamily, "nodeIP", proxier.nodeIP.String())
 						continue
 					}
 
 					svcInfo.nodePorthnsID = hnsLoadBalancer.hnsID
-					klog.V(3).InfoS("Hns LoadBalancer resource created for nodePort resources", "clusterIP", svcInfo.ClusterIP(), "nodeport", svcInfo.NodePort(), "hnsID", hnsLoadBalancer.hnsID)
+					klog.V(3).InfoS("Hns LoadBalancer resource created for nodePort resources", "clusterIP", svcInfo.ClusterIP(), "nodeport", svcInfo.NodePort(), "hnsID", hnsLoadBalancer.hnsID, "sourceVip", sourceVip, "proxierIPFamily", proxier.ipFamily, "nodeIP", proxier.nodeIP.String())
 				} else {
 					klog.V(3).InfoS("Skipped creating Hns LoadBalancer for nodePort resources", "clusterIP", svcInfo.ClusterIP(), "nodeport", svcInfo.NodePort(), "allEndpointsTerminating", allEndpointsTerminating)
 				}
 			}
+		} else {
+			klog.V(3).InfoS("Skipped configuring NodePort for service", "serviceName", svcName, "nodePort", svcInfo.NodePort(), "proxierIPFamily", proxier.ipFamily)
 		}
 
 		// Create a Load Balancer Policy for each external IP
@@ -1653,7 +1657,7 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 						queriedLoadBalancers,
 					)
 					if err != nil {
-						klog.ErrorS(err, "ExternalIP policy creation failed")
+						klog.ErrorS(err, "ExternalIP policy creation failed", "externalIP", externalIP.ip)
 						continue
 					}
 					externalIP.hnsID = hnsLoadBalancer.hnsID
@@ -1663,6 +1667,7 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 				}
 			}
 		}
+
 		// Create a Load Balancer Policy for each loadbalancer ingress
 		for _, lbIngressIP := range svcInfo.loadBalancerIngressIPs {
 			// Try loading existing policies, if already available
@@ -1703,11 +1708,11 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 						queriedLoadBalancers,
 					)
 					if err != nil {
-						klog.ErrorS(err, "IngressIP policy creation failed")
+						klog.ErrorS(err, "IngressIP policy creation failed", "lbIngressIP", lbIngressIP.ip, "serviceName", svcName, "proxierIPFamily", proxier.ipFamily)
 						continue
 					}
 					lbIngressIP.hnsID = hnsLoadBalancer.hnsID
-					klog.V(3).InfoS("Hns LoadBalancer resource created for loadBalancer Ingress resources", "lbIngressIPInfo", lbIngressIP)
+					klog.V(3).InfoS("Hns LoadBalancer resource created for loadBalancer Ingress resources", "lbIngressIPInfo", lbIngressIP, "hnsID", hnsLoadBalancer.hnsID, "serviceName", svcName, "proxierIPFamily", proxier.ipFamily)
 				} else {
 					klog.V(3).InfoS("Skipped creating Hns LoadBalancer for loadBalancer Ingress resources", "lbIngressIPInfo", lbIngressIP)
 				}
@@ -1753,7 +1758,7 @@ func (proxier *Proxier) syncProxyRules() (retryError error) {
 						queriedLoadBalancers,
 					)
 					if err != nil {
-						klog.ErrorS(err, "Healthcheck loadbalancer policy creation failed")
+						klog.ErrorS(err, "Healthcheck loadbalancer policy creation failed", "lbIngressIP", lbIngressIP.ip, "serviceName", svcName, "proxierIPFamily", proxier.ipFamily)
 						continue
 					}
 					lbIngressIP.healthCheckHnsID = hnsHealthCheckLoadBalancer.hnsID
@@ -1817,6 +1822,7 @@ func (proxier *Proxier) deleteExistingLoadBalancer(hns HostNetworkService, winPr
 		protocol,
 		intPort,
 		extPort,
+		proxier.ipFamily == v1.IPv6Protocol,
 	)
 
 	if lbIdErr != nil {
@@ -1832,10 +1838,13 @@ func (proxier *Proxier) deleteExistingLoadBalancer(hns HostNetworkService, winPr
 }
 
 func (proxier *Proxier) deleteLoadBalancer(hns HostNetworkService, lbHnsID *string) bool {
-	klog.V(3).InfoS("Hns LoadBalancer delete triggered for loadBalancer resources", "lbHnsID", *lbHnsID)
+	klog.V(3).InfoS("Hns LoadBalancer delete triggered for loadBalancer resources", "lbHnsID", *lbHnsID, "proxierIPFamily", proxier.ipFamily)
 	if err := hns.deleteLoadBalancer(*lbHnsID); err != nil {
+		klog.ErrorS(err, "LoadBalancer deletion failed. Adding to stale loadbalancers.", "hnsID", *lbHnsID)
 		// This will be cleanup by cleanupStaleLoadbalancer fnction.
 		proxier.mapStaleLoadbalancers[*lbHnsID] = true
+	} else {
+		klog.V(3).InfoS("Hns LoadBalancer resource deleted for loadBalancer resources", "lbHnsID", *lbHnsID)
 	}
 	*lbHnsID = ""
 	return true
diff --git a/pkg/proxy/winkernel/proxier_test.go b/pkg/proxy/winkernel/proxier_test.go
index aaa39ded01caa..d6492a929704d 100644
--- a/pkg/proxy/winkernel/proxier_test.go
+++ b/pkg/proxy/winkernel/proxier_test.go
@@ -57,15 +57,21 @@ const (
 	guid              = "123ABC"
 	networkId         = "123ABC"
 	endpointGuid1     = "EPID-1"
+	emptyLbID         = ""
 	loadbalancerGuid1 = "LBID-1"
 	loadbalancerGuid2 = "LBID-2"
 	endpointLocal1    = "EP-LOCAL-1"
 	endpointLocal2    = "EP-LOCAL-2"
 	endpointGw        = "EP-GW"
 	epIpAddressGw     = "192.168.2.1"
+	epIpAddressGwv6   = "192::1"
 	epMacAddressGw    = "00-11-22-33-44-66"
 )
 
+var (
+	loadbalancerGuids = []string{emptyLbID, "LBID-1", "LBID-2", "LBID-3", "LBID-4", "LBID-5", "LBID-6", "LBID-7", "LBID-8"}
+)
+
 func newHnsNetwork(networkInfo *hnsNetworkInfo) *hcn.HostComputeNetwork {
 	var policies []hcn.NetworkPolicy
 	for _, remoteSubnet := range networkInfo.remoteSubnets {
@@ -92,9 +98,19 @@ func newHnsNetwork(networkInfo *hnsNetworkInfo) *hcn.HostComputeNetwork {
 	return network
 }
 
-func NewFakeProxier(t *testing.T, nodeName string, nodeIP net.IP, networkType string, enableDSR bool) *Proxier {
+func NewFakeProxier(t *testing.T, nodeName string, nodeIP net.IP, networkType string, enableDSR bool, ipFamily ...v1.IPFamily) *Proxier {
 	sourceVip := "192.168.1.2"
 
+	// Default to IPv4 if no ipFamily is provided
+	family := v1.IPv4Protocol
+	if len(ipFamily) > 0 {
+		family = ipFamily[0]
+	}
+
+	if family == v1.IPv6Protocol {
+		sourceVip = "192::1:2"
+	}
+
 	// enable `WinDSR` feature gate
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.WinDSR, true)
 
@@ -108,7 +124,7 @@ func NewFakeProxier(t *testing.T, nodeName string, nodeIP net.IP, networkType st
 	hcnMock := getHcnMock(networkType)
 
 	proxier, _ := newProxierInternal(
-		v1.IPv4Protocol,
+		family,
 		nodeName,
 		nodeIP,
 		healthcheck.NewFakeServiceHealthServer(),
@@ -1715,6 +1731,203 @@ func TestWinDSRWithOverlayEnabled(t *testing.T) {
 	}
 }
 
+func testDualStackService(t *testing.T, enableDsr bool, dualStackFamilyPolicy v1.IPFamilyPolicy, trafficPolicy v1.ServiceExternalTrafficPolicy) {
+	baseFlag := hcn.LoadBalancerFlagsNone
+	if trafficPolicy == v1.ServiceExternalTrafficPolicyLocal {
+		baseFlag = hcn.LoadBalancerFlagsDSR
+	}
+
+	v4Proxier := NewFakeProxier(t, testNodeName, netutils.ParseIPSloppy("10.0.0.1"), NETWORK_TYPE_OVERLAY, enableDsr)
+	if v4Proxier == nil {
+		t.Error()
+	}
+	v6Proxier := NewFakeProxier(t, testNodeName, netutils.ParseIPSloppy("10::1"), NETWORK_TYPE_OVERLAY, enableDsr, v1.IPv6Protocol)
+	if v6Proxier == nil {
+		t.Error()
+	}
+	v6Proxier.hcn = v4Proxier.hcn // Share the same HCN mock to simulate dual stack behavior
+
+	svcPort := 80
+	svcNodePort := 3001
+	svcPortName := proxy.ServicePortName{
+		NamespacedName: makeNSN("ns1", "svc1"),
+		Port:           "p80",
+		Protocol:       v1.ProtocolTCP,
+	}
+
+	v4ClusterIP, v6ClusterIP := "10.20.30.41", "fd00::21"
+	v4LbIP, v6LbIP := "11.21.31.41", "fd00::1"
+
+	testService := makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
+		svc.Spec.Type = v1.ServiceTypeLoadBalancer
+		svc.Spec.ClusterIP = v4ClusterIP
+		svc.Spec.ClusterIPs = []string{v4ClusterIP, v6ClusterIP}
+		svc.Spec.IPFamilyPolicy = &dualStackFamilyPolicy
+		svc.Spec.IPFamilies = []v1.IPFamily{v1.IPv4Protocol, v1.IPv6Protocol}
+		svc.Spec.ExternalTrafficPolicy = trafficPolicy
+		svc.Spec.Ports = []v1.ServicePort{{
+			Name:     svcPortName.Port,
+			Port:     int32(svcPort),
+			Protocol: v1.ProtocolTCP,
+			NodePort: int32(svcNodePort),
+		}}
+		svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{
+			{IP: v4LbIP},
+			{IP: v6LbIP},
+		}
+	})
+
+	v4Endpoints := []discovery.Endpoint{{
+		Addresses: []string{epIpAddressLocal},
+		NodeName:  ptr.To(testNodeName),
+	}}
+
+	v6Endpoints := []discovery.Endpoint{{
+		Addresses: []string{epIpAddressLocalv6},
+		NodeName:  ptr.To(testNodeName),
+	}}
+
+	if trafficPolicy == v1.ServiceExternalTrafficPolicyCluster {
+		v4Endpoints = append(v4Endpoints, discovery.Endpoint{
+			Addresses: []string{epIpAddressRemote},
+		})
+		v6Endpoints = append(v6Endpoints, discovery.Endpoint{
+			Addresses: []string{epIpAddressRemotev6},
+		})
+	}
+
+	testEpSliceV4 := makeTestEndpointSlice(svcPortName.Namespace, svcPortName.Name, 1, func(eps *discovery.EndpointSlice) {
+		eps.AddressType = discovery.AddressTypeIPv4
+		eps.Endpoints = v4Endpoints
+		eps.Ports = []discovery.EndpointPort{{
+			Name:     ptr.To(svcPortName.Port),
+			Port:     ptr.To(int32(svcPort)),
+			Protocol: ptr.To(v1.ProtocolTCP),
+		}}
+	})
+
+	testEpSliceV6 := makeTestEndpointSlice(svcPortName.Namespace, svcPortName.Name, 1, func(eps *discovery.EndpointSlice) {
+		eps.AddressType = discovery.AddressTypeIPv6
+		eps.Endpoints = v6Endpoints
+		eps.Ports = []discovery.EndpointPort{{
+			Name:     ptr.To(svcPortName.Port),
+			Port:     ptr.To(int32(svcPort)),
+			Protocol: ptr.To(v1.ProtocolTCP),
+		}}
+	})
+
+	makeServiceMap(v4Proxier, testService)
+	makeServiceMap(v6Proxier, testService)
+
+	populateEndpointSlices(v4Proxier, testEpSliceV4)
+	populateEndpointSlices(v6Proxier, testEpSliceV6)
+
+	hcnMock := (v4Proxier.hcn).(*fakehcn.HcnMock)
+	v4Proxier.rootHnsEndpointName = endpointGw
+	v6Proxier.rootHnsEndpointName = endpointGw
+	hcnMock.PopulateQueriedEndpoints(endpointLocal1, guid, epIpAddressLocal, macAddress, prefixLen)
+	hcnMock.PopulateQueriedEndpoints(endpointLocal1, guid, epIpAddressLocalv6, macAddress, prefixLen)
+	hcnMock.PopulateQueriedEndpoints(endpointGw, guid, epIpAddressGw, epMacAddressGw, prefixLen)
+	hcnMock.PopulateQueriedEndpoints(endpointGw, guid, epIpAddressGwv6, epMacAddressGw, prefixLen)
+	v4Proxier.setInitialized(true)
+	v4Proxier.syncProxyRules()
+
+	v4Svc := v4Proxier.svcPortMap[svcPortName]
+	v4SvcInfo, ok := v4Svc.(*serviceInfo)
+	assert.True(t, ok, "Failed to cast serviceInfo %q", svcPortName.String())
+	assert.Equal(t, loadbalancerGuids[1], v4SvcInfo.hnsID, "The Hns Loadbalancer Id %v does not match %v. ServicePortName %q", v4SvcInfo.hnsID, loadbalancerGuids[1], svcPortName.String())
+	assert.Equal(t, v4LbIP, v4SvcInfo.loadBalancerIngressIPs[0].ip, "LoadBalancer Ingress IP 0 should be %s", v4LbIP)
+	assert.Equal(t, loadbalancerGuids[2], v4SvcInfo.nodePorthnsID, "The Hns NodePort Loadbalancer Id %v does not match %v. ServicePortName %q", v4SvcInfo.nodePorthnsID, loadbalancerGuids[2], svcPortName.String())
+	assert.Equal(t, 1, len(v4SvcInfo.loadBalancerIngressIPs), "Expected 1 LoadBalancer Ingress IP, found %d", len(v4SvcInfo.loadBalancerIngressIPs))
+	assert.Equal(t, loadbalancerGuids[3], v4SvcInfo.loadBalancerIngressIPs[0].hnsID, "The Hns Loadbalancer Ingress Id %v does not match %v. ServicePortName %q", v4SvcInfo.loadBalancerIngressIPs[0].hnsID, loadbalancerGuids[3], svcPortName.String())
+	assert.Equal(t, loadbalancerGuids[4], v4SvcInfo.loadBalancerIngressIPs[0].healthCheckHnsID, "The Hns Loadbalancer HealthCheck Id %v does not match %v. ServicePortName %q", v4SvcInfo.loadBalancerIngressIPs[0].healthCheckHnsID, loadbalancerGuids[4], svcPortName.String())
+
+	// Validating ClusterIP Loadbalancer
+	clusterIPLb, err := v4Proxier.hcn.GetLoadBalancerByID(v4SvcInfo.hnsID)
+	assert.Equal(t, nil, err, "Failed to fetch loadbalancer: %v", err)
+	assert.NotEqual(t, nil, clusterIPLb, "Loadbalancer object should not be nil")
+	assert.Equal(t, baseFlag, clusterIPLb.Flags, "Loadbalancer Flags should be %v for IPv4 stack", baseFlag)
+
+	// Validating NodePort Loadbalancer
+	nodePortLb, err := v4Proxier.hcn.GetLoadBalancerByID(v4SvcInfo.nodePorthnsID)
+	assert.Equal(t, nil, err, "Failed to fetch NodePort loadbalancer: %v", err)
+	assert.NotEqual(t, nil, nodePortLb, "NodePort Loadbalancer object should not be nil")
+	assert.Equal(t, baseFlag, nodePortLb.Flags, "NodePort Loadbalancer Flags should be %v for IPv4 stack", baseFlag)
+
+	// Validating V4 IngressIP Loadbalancer
+	ingressLb, err := v4Proxier.hcn.GetLoadBalancerByID(v4SvcInfo.loadBalancerIngressIPs[0].hnsID)
+	assert.Equal(t, nil, err, "Failed to fetch IngressIP loadbalancer: %v", err)
+	assert.NotEqual(t, nil, ingressLb, "IngressIP Loadbalancer object should not be nil")
+	assert.Equal(t, baseFlag, ingressLb.Flags, "IngressIP Loadbalancer Flags should be %v for IPv4 stack", baseFlag)
+
+	if trafficPolicy == v1.ServiceExternalTrafficPolicyLocal {
+		assert.Equal(t, 1, len(clusterIPLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(clusterIPLb.HostComputeEndpoints))
+		assert.Equal(t, 1, len(nodePortLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(nodePortLb.HostComputeEndpoints))
+		assert.Equal(t, 1, len(ingressLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(ingressLb.HostComputeEndpoints))
+	} else {
+		assert.Equal(t, 2, len(clusterIPLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(clusterIPLb.HostComputeEndpoints))
+		assert.Equal(t, 2, len(nodePortLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(nodePortLb.HostComputeEndpoints))
+		assert.Equal(t, 2, len(ingressLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(ingressLb.HostComputeEndpoints))
+	}
+
+	// Initiating v6 tests.
+	v6Proxier.setInitialized(true)
+	v6Proxier.syncProxyRules()
+
+	v6Svc := v6Proxier.svcPortMap[svcPortName]
+	v6SvcInfo, ok := v6Svc.(*serviceInfo)
+	assert.True(t, ok, "Failed to cast serviceInfo %q", svcPortName.String())
+	assert.Equal(t, loadbalancerGuids[5], v6SvcInfo.hnsID, "The Hns Loadbalancer Id %v does not match %v. ServicePortName %q", v6SvcInfo.hnsID, loadbalancerGuids[5], svcPortName.String())
+	assert.Equal(t, loadbalancerGuids[6], v6SvcInfo.nodePorthnsID, "The Hns NodePort Loadbalancer Id %v does not match %v. ServicePortName %q", v6SvcInfo.nodePorthnsID, loadbalancerGuids[6], svcPortName.String())
+	assert.Equal(t, 1, len(v6SvcInfo.loadBalancerIngressIPs), "Expected 1 LoadBalancer Ingress IP, found %d", len(v6SvcInfo.loadBalancerIngressIPs))
+	assert.Equal(t, v6LbIP, v6SvcInfo.loadBalancerIngressIPs[0].ip, "LoadBalancer Ingress IP 0 should be %s", v6LbIP)
+	assert.Equal(t, loadbalancerGuids[7], v6SvcInfo.loadBalancerIngressIPs[0].hnsID, "The Hns Loadbalancer Ingress Id %v does not match %v for IPv6 LB. ServicePortName %q", v6SvcInfo.loadBalancerIngressIPs[0].hnsID, loadbalancerGuids[7], svcPortName.String())
+	assert.Equal(t, loadbalancerGuids[8], v6SvcInfo.loadBalancerIngressIPs[0].healthCheckHnsID, "The Hns Loadbalancer HealthCheck Id %v does not match %v. ServicePortName %q", v6SvcInfo.loadBalancerIngressIPs[0].healthCheckHnsID, loadbalancerGuids[8], svcPortName.String())
+
+	// Validating ClusterIP Loadbalancer
+	clusterIPLb, err = v6Proxier.hcn.GetLoadBalancerByID(v6SvcInfo.hnsID)
+	assert.Equal(t, nil, err, "Failed to fetch loadbalancer: %v", err)
+	assert.NotEqual(t, nil, clusterIPLb, "Loadbalancer object should not be nil")
+	assert.Equal(t, baseFlag|hcn.LoadBalancerFlagsIPv6, clusterIPLb.Flags, "Loadbalancer Flags should be %v for IPv6 stack", baseFlag|hcn.LoadBalancerFlagsIPv6)
+
+	// Validating V6 IngressIP Loadbalancer
+	ingressLb, err = v6Proxier.hcn.GetLoadBalancerByID(v6SvcInfo.loadBalancerIngressIPs[0].hnsID)
+	assert.Equal(t, nil, err, "Failed to fetch IngressIP loadbalancer: %v", err)
+	assert.NotEqual(t, nil, ingressLb, "IngressIP Loadbalancer object should not be nil")
+	assert.Equal(t, baseFlag|hcn.LoadBalancerFlagsIPv6, ingressLb.Flags, "IngressIP Loadbalancer Flags should be %v for IPv6 stack", baseFlag|hcn.LoadBalancerFlagsIPv6)
+
+	eps, _ := hcnMock.ListEndpoints()
+	if trafficPolicy == v1.ServiceExternalTrafficPolicyLocal {
+		assert.Equal(t, 10, len(eps), "Expected 10 endpoints for local traffic policy, found %d", len(eps))
+
+		assert.Equal(t, 1, len(clusterIPLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(clusterIPLb.HostComputeEndpoints))
+		assert.Equal(t, 1, len(nodePortLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(nodePortLb.HostComputeEndpoints))
+		assert.Equal(t, 1, len(ingressLb.HostComputeEndpoints), "Expected 1 endpoint for local traffic policy, found %d", len(ingressLb.HostComputeEndpoints))
+	} else {
+		assert.Equal(t, 14, len(eps), "Expected 14 endpoints for cluster traffic policy, found %d", len(eps))
+
+		assert.Equal(t, 2, len(clusterIPLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(clusterIPLb.HostComputeEndpoints))
+		assert.Equal(t, 2, len(nodePortLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(nodePortLb.HostComputeEndpoints))
+		assert.Equal(t, 2, len(ingressLb.HostComputeEndpoints), "Expected 2 endpoints for cluster traffic policy, found %d", len(ingressLb.HostComputeEndpoints))
+	}
+}
+
+func TestETPLocalIngressIPServiceWithPreferDualStack(t *testing.T) {
+	testDualStackService(t, true, v1.IPFamilyPolicyPreferDualStack, v1.ServiceExternalTrafficPolicyLocal)
+}
+
+func TestETPLocalIngressIPServiceWithRequireDualStack(t *testing.T) {
+	testDualStackService(t, true, v1.IPFamilyPolicyRequireDualStack, v1.ServiceExternalTrafficPolicyLocal)
+}
+
+func TestETPClusterIngressIPServiceWithPreferDualStack(t *testing.T) {
+	testDualStackService(t, false, v1.IPFamilyPolicyPreferDualStack, v1.ServiceExternalTrafficPolicyCluster)
+}
+
+func TestETPClusterIngressIPServiceWithRequireDualStack(t *testing.T) {
+	testDualStackService(t, false, v1.IPFamilyPolicyRequireDualStack, v1.ServiceExternalTrafficPolicyCluster)
+}
+
 func makeNSN(namespace, name string) types.NamespacedName {
 	return types.NamespacedName{Namespace: namespace, Name: name}
 }
@@ -1766,6 +1979,10 @@ func populateEndpointSlices(proxier *Proxier, allEndpointSlices ...*discovery.En
 	for i := range allEndpointSlices {
 		proxier.OnEndpointSliceAdd(allEndpointSlices[i])
 	}
+
+	proxier.mu.Lock()
+	defer proxier.mu.Unlock()
+	proxier.endpointSlicesSynced = true
 }
 
 func makeTestEndpointSlice(namespace, name string, sliceNum int, epsFunc func(*discovery.EndpointSlice)) *discovery.EndpointSlice {
diff --git a/pkg/proxy/winkernel/testing/hcnutils_mock.go b/pkg/proxy/winkernel/testing/hcnutils_mock.go
index 26843f2f0042a..bea3eb1753904 100644
--- a/pkg/proxy/winkernel/testing/hcnutils_mock.go
+++ b/pkg/proxy/winkernel/testing/hcnutils_mock.go
@@ -70,6 +70,15 @@ func NewHcnMock(hnsNetwork *hcn.HostComputeNetwork) *HcnMock {
 }
 
 func (hcnObj HcnMock) PopulateQueriedEndpoints(epId, hnsId, ipAddress, mac string, prefixLen uint8) {
+
+	if endpoint, ok := endpointMap[epId]; ok {
+		endpoint.IpConfigurations = append(endpoint.IpConfigurations, hcn.IpConfig{
+			IpAddress:    ipAddress,
+			PrefixLength: prefixLen,
+		})
+		return
+	}
+
 	endpoint := &hcn.HostComputeEndpoint{
 		Id:                 epId,
 		Name:               epId,
@@ -179,6 +188,17 @@ func (hcnObj HcnMock) CreateLoadBalancer(loadBalancer *hcn.HostComputeLoadBalanc
 	if _, ok := loadbalancerMap[loadBalancer.Id]; ok {
 		return nil, fmt.Errorf("LoadBalancer id %s Already Present", loadBalancer.Id)
 	}
+	for _, lb := range loadbalancerMap {
+		portMappingMatched := lb.PortMappings != nil && lb.PortMappings[0].ExternalPort == loadBalancer.PortMappings[0].ExternalPort && lb.PortMappings[0].Protocol == loadBalancer.PortMappings[0].Protocol
+		portMappingMatched = portMappingMatched && (lb.PortMappings[0].InternalPort == loadBalancer.PortMappings[0].InternalPort)
+		portMappingMatched = portMappingMatched && len(lb.FrontendVIPs) != 0 && len(loadBalancer.FrontendVIPs) != 0 && lb.FrontendVIPs[0] == loadBalancer.FrontendVIPs[0]
+		if portMappingMatched && ((lb.Flags & hcn.LoadBalancerFlagsIPv6) == (loadBalancer.Flags & hcn.LoadBalancerFlagsIPv6)) {
+			return nil, fmt.Errorf("The specified port already exists.")
+		}
+		if portMappingMatched && lb.PortMappings[0].Flags&hcn.LoadBalancerPortMappingFlagsLocalRoutedVIP == 0 && lb.FrontendVIPs[0] == loadBalancer.FrontendVIPs[0] {
+			return nil, fmt.Errorf("The specified port already exists.")
+		}
+	}
 	loadBalancer.Id = hcnObj.generateLoadbalancerGuid()
 	loadbalancerMap[loadBalancer.Id] = loadBalancer
 	return loadBalancer, nil
diff --git a/pkg/quota/v1/evaluator/core/pods.go b/pkg/quota/v1/evaluator/core/pods.go
index 8f91588db2e9f..00c364298bde9 100644
--- a/pkg/quota/v1/evaluator/core/pods.go
+++ b/pkg/quota/v1/evaluator/core/pods.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -39,10 +40,12 @@ import (
 	"k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/apis/core/v1/helper/qos"
 	"k8s.io/kubernetes/pkg/features"
+	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
 )
 
 // the name used for object count quota
 var podObjectCountName = generic.ObjectCountQuotaResourceNameFor(corev1.SchemeGroupVersion.WithResource("pods").GroupResource())
+var resourceRequestsDeviceClassPrefix = corev1.DefaultResourceRequestsPrefix + resourceapi.ResourceDeviceClassPrefix
 
 // podResources are the set of resources managed by quota associated with pods.
 var podResources = []corev1.ResourceName{
@@ -82,8 +85,15 @@ func maskResourceWithPrefix(resource corev1.ResourceName, prefix string) corev1.
 // has the quota related resource prefix.
 func isExtendedResourceNameForQuota(name corev1.ResourceName) bool {
 	// As overcommit is not supported by extended resources for now,
-	// only quota objects in format of "requests.resourceName" is allowed.
-	return !helper.IsNativeResource(name) && strings.HasPrefix(string(name), corev1.DefaultResourceRequestsPrefix)
+	// quota objects in format of "requests.resourceName" is allowed
+	nonNative := !helper.IsNativeResource(name)
+	// allow the implicit extended resource name in the format of
+	// requests.deviceclass.resource.kubernetes.io/device-class-name
+	implicitExtendedResource := strings.HasPrefix(string(name), resourceRequestsDeviceClassPrefix)
+	// name starts with 'requests.'
+	isQuotaRequest := strings.HasPrefix(string(name), corev1.DefaultResourceRequestsPrefix)
+
+	return (nonNative || implicitExtendedResource) && isQuotaRequest
 }
 
 // NOTE: it was a mistake, but if a quota tracks cpu or memory related resources,
@@ -312,7 +322,7 @@ func podComputeUsageHelper(requests corev1.ResourceList, limits corev1.ResourceL
 			result[maskResourceWithPrefix(resource, corev1.DefaultResourceRequestsPrefix)] = request
 		}
 		// for extended resources
-		if helper.IsExtendedResourceName(resource) {
+		if schedutil.IsDRAExtendedResourceName(resource) {
 			// only quota objects in format of "requests.resourceName" is allowed for extended resource.
 			result[maskResourceWithPrefix(resource, corev1.DefaultResourceRequestsPrefix)] = request
 		}
diff --git a/pkg/quota/v1/evaluator/core/pods_test.go b/pkg/quota/v1/evaluator/core/pods_test.go
index b7c99e416f21e..05984005c3219 100644
--- a/pkg/quota/v1/evaluator/core/pods_test.go
+++ b/pkg/quota/v1/evaluator/core/pods_test.go
@@ -276,6 +276,23 @@ func TestPodEvaluatorUsage(t *testing.T) {
 				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
 			},
 		},
+		"init container implicit extended resources": {
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					InitContainers: []api.Container{{
+						Resources: api.ResourceRequirements{
+							Requests: api.ResourceList{api.ResourceName("deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3")},
+							Limits:   api.ResourceList{api.ResourceName("deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3")},
+						},
+					}},
+				},
+			},
+			usage: corev1.ResourceList{
+				corev1.ResourceName("requests.deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3"),
+				corev1.ResourcePods: resource.MustParse("1"),
+				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
+			},
+		},
 		"container CPU": {
 			pod: &api.Pod{
 				Spec: api.PodSpec{
@@ -367,6 +384,23 @@ func TestPodEvaluatorUsage(t *testing.T) {
 				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
 			},
 		},
+		"container implicit extended resources": {
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					Containers: []api.Container{{
+						Resources: api.ResourceRequirements{
+							Requests: api.ResourceList{api.ResourceName("deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3")},
+							Limits:   api.ResourceList{api.ResourceName("deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3")},
+						},
+					}},
+				},
+			},
+			usage: corev1.ResourceList{
+				corev1.ResourceName("requests.deviceclass.resource.kubernetes.io/dongle"): resource.MustParse("3"),
+				corev1.ResourcePods: resource.MustParse("1"),
+				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
+			},
+		},
 		"terminated generic count still appears": {
 			pod: &api.Pod{
 				Spec: api.PodSpec{
@@ -991,9 +1025,8 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 	evaluator := NewPodEvaluator(nil, fakeClock)
 
 	testCases := map[string]struct {
-		pod             *api.Pod
-		usageFgEnabled  corev1.ResourceList
-		usageFgDisabled corev1.ResourceList
+		pod   *api.Pod
+		usage corev1.ResourceList
 	}{
 		"verify Max(Container.Spec.Requests, ContainerStatus.Resources) for memory resource": {
 			pod: &api.Pod{
@@ -1023,14 +1056,7 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 					},
 				},
 			},
-			usageFgEnabled: corev1.ResourceList{
-				corev1.ResourceRequestsMemory: resource.MustParse("200Mi"),
-				corev1.ResourceLimitsMemory:   resource.MustParse("400Mi"),
-				corev1.ResourcePods:           resource.MustParse("1"),
-				corev1.ResourceMemory:         resource.MustParse("200Mi"),
-				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
-			},
-			usageFgDisabled: corev1.ResourceList{
+			usage: corev1.ResourceList{
 				corev1.ResourceRequestsMemory: resource.MustParse("200Mi"),
 				corev1.ResourceLimitsMemory:   resource.MustParse("400Mi"),
 				corev1.ResourcePods:           resource.MustParse("1"),
@@ -1066,20 +1092,13 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 					},
 				},
 			},
-			usageFgEnabled: corev1.ResourceList{
+			usage: corev1.ResourceList{
 				corev1.ResourceRequestsCPU: resource.MustParse("150m"),
 				corev1.ResourceLimitsCPU:   resource.MustParse("200m"),
 				corev1.ResourcePods:        resource.MustParse("1"),
 				corev1.ResourceCPU:         resource.MustParse("150m"),
 				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
 			},
-			usageFgDisabled: corev1.ResourceList{
-				corev1.ResourceRequestsCPU: resource.MustParse("100m"),
-				corev1.ResourceLimitsCPU:   resource.MustParse("200m"),
-				corev1.ResourcePods:        resource.MustParse("1"),
-				corev1.ResourceCPU:         resource.MustParse("100m"),
-				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
-			},
 		},
 		"verify Max(Container.Spec.Requests, ContainerStatus.Resources) for CPU and memory resource": {
 			pod: &api.Pod{
@@ -1112,7 +1131,7 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 					},
 				},
 			},
-			usageFgEnabled: corev1.ResourceList{
+			usage: corev1.ResourceList{
 				corev1.ResourceRequestsCPU:    resource.MustParse("150m"),
 				corev1.ResourceLimitsCPU:      resource.MustParse("200m"),
 				corev1.ResourceRequestsMemory: resource.MustParse("250Mi"),
@@ -1122,16 +1141,6 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 				corev1.ResourceMemory:         resource.MustParse("250Mi"),
 				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
 			},
-			usageFgDisabled: corev1.ResourceList{
-				corev1.ResourceRequestsCPU:    resource.MustParse("100m"),
-				corev1.ResourceLimitsCPU:      resource.MustParse("200m"),
-				corev1.ResourceRequestsMemory: resource.MustParse("200Mi"),
-				corev1.ResourceLimitsMemory:   resource.MustParse("400Mi"),
-				corev1.ResourcePods:           resource.MustParse("1"),
-				corev1.ResourceCPU:            resource.MustParse("100m"),
-				corev1.ResourceMemory:         resource.MustParse("200Mi"),
-				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
-			},
 		},
 		"verify Max(Container.Spec.Requests, ContainerStatus.Resources==nil) for CPU and memory resource": {
 			pod: &api.Pod{
@@ -1157,17 +1166,7 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 					},
 				},
 			},
-			usageFgEnabled: corev1.ResourceList{
-				corev1.ResourceRequestsCPU:    resource.MustParse("100m"),
-				corev1.ResourceLimitsCPU:      resource.MustParse("200m"),
-				corev1.ResourceRequestsMemory: resource.MustParse("200Mi"),
-				corev1.ResourceLimitsMemory:   resource.MustParse("400Mi"),
-				corev1.ResourcePods:           resource.MustParse("1"),
-				corev1.ResourceCPU:            resource.MustParse("100m"),
-				corev1.ResourceMemory:         resource.MustParse("200Mi"),
-				generic.ObjectCountQuotaResourceNameFor(schema.GroupResource{Resource: "pods"}): resource.MustParse("1"),
-			},
-			usageFgDisabled: corev1.ResourceList{
+			usage: corev1.ResourceList{
 				corev1.ResourceRequestsCPU:    resource.MustParse("100m"),
 				corev1.ResourceLimitsCPU:      resource.MustParse("200m"),
 				corev1.ResourceRequestsMemory: resource.MustParse("200Mi"),
@@ -1180,23 +1179,18 @@ func TestPodEvaluatorUsageResourceResize(t *testing.T) {
 		},
 	}
 	t.Parallel()
-	for _, enabled := range []bool{true, false} {
-		for testName, testCase := range testCases {
-			t.Run(testName, func(t *testing.T) {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, enabled)
-				actual, err := evaluator.Usage(testCase.pod)
-				if err != nil {
-					t.Error(err)
-				}
-				usage := testCase.usageFgEnabled
-				if !enabled {
-					usage = testCase.usageFgDisabled
-				}
-				if !quota.Equals(usage, actual) {
-					t.Errorf("FG enabled: %v, expected: %v, actual: %v", enabled, usage, actual)
-				}
-			})
-		}
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			actual, err := evaluator.Usage(testCase.pod)
+			if err != nil {
+				t.Error(err)
+			}
+			usage := testCase.usage
+			if !quota.Equals(usage, actual) {
+				t.Errorf("expected: %v, actual: %v", usage, actual)
+			}
+		})
+
 	}
 }
 
diff --git a/pkg/quota/v1/evaluator/core/registry.go b/pkg/quota/v1/evaluator/core/registry.go
index 4958055cd20b5..c75f877421a0c 100644
--- a/pkg/quota/v1/evaluator/core/registry.go
+++ b/pkg/quota/v1/evaluator/core/registry.go
@@ -17,11 +17,17 @@ limitations under the License.
 package core
 
 import (
+	"context"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	quota "k8s.io/apiserver/pkg/quota/v1"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/clock"
 )
@@ -35,7 +41,7 @@ var legacyObjectCountAliases = map[schema.GroupVersionResource]corev1.ResourceNa
 }
 
 // NewEvaluators returns the list of static evaluators that manage more than counts
-func NewEvaluators(f quota.ListerForResourceFunc) []quota.Evaluator {
+func NewEvaluators(f quota.ListerForResourceFunc, i informers.SharedInformerFactory) []quota.Evaluator {
 	// these evaluators have special logic
 	result := []quota.Evaluator{
 		NewPodEvaluator(f, clock.RealClock{}),
@@ -43,7 +49,17 @@ func NewEvaluators(f quota.ListerForResourceFunc) []quota.Evaluator {
 		NewPersistentVolumeClaimEvaluator(f),
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
-		result = append(result, NewResourceClaimEvaluator(f))
+		var podLister corev1listers.PodLister
+		var deviceClassMapping *extendedresourcecache.ExtendedResourceCache
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+			podLister = i.Core().V1().Pods().Lister()
+			logger := klog.FromContext(context.Background())
+			deviceClassMapping = extendedresourcecache.NewExtendedResourceCache(logger)
+			if _, err := i.Resource().V1().DeviceClasses().Informer().AddEventHandler(deviceClassMapping); err != nil {
+				logger.Error(err, "failed to add device class informer event handler")
+			}
+		}
+		result = append(result, NewResourceClaimEvaluator(f, deviceClassMapping, podLister))
 	}
 
 	// these evaluators require an alias for backwards compatibility
diff --git a/pkg/quota/v1/evaluator/core/resource_claims.go b/pkg/quota/v1/evaluator/core/resource_claims.go
index f1d23be90be99..f9bf5c1498a6f 100644
--- a/pkg/quota/v1/evaluator/core/resource_claims.go
+++ b/pkg/quota/v1/evaluator/core/resource_claims.go
@@ -23,13 +23,19 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
 	quota "k8s.io/apiserver/pkg/quota/v1"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
 	resourceinternal "k8s.io/kubernetes/pkg/apis/resource"
 	resourceversioned "k8s.io/kubernetes/pkg/apis/resource/v1"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/utils/clock"
 )
 
 // The name used for object count quota. This evaluator takes over counting
@@ -38,14 +44,15 @@ import (
 var ClaimObjectCountName = generic.ObjectCountQuotaResourceNameFor(resourceapi.SchemeGroupVersion.WithResource("resourceclaims").GroupResource())
 
 // V1ResourceByDeviceClass returns a quota resource name by device class.
+// gpuclass -> gpuclass.deviceclass.resource.k8s.io/devices
 func V1ResourceByDeviceClass(className string) corev1.ResourceName {
 	return corev1.ResourceName(className + corev1.ResourceClaimsPerClass)
 }
 
 // NewResourceClaimEvaluator returns an evaluator that can evaluate resource claims
-func NewResourceClaimEvaluator(f quota.ListerForResourceFunc) quota.Evaluator {
+func NewResourceClaimEvaluator(f quota.ListerForResourceFunc, m *extendedresourcecache.ExtendedResourceCache, podsGetter corev1listers.PodLister) quota.Evaluator {
 	listFuncByNamespace := generic.ListResourceUsingListerFunc(f, resourceapi.SchemeGroupVersion.WithResource("resourceclaims"))
-	claimEvaluator := &claimEvaluator{listFuncByNamespace: listFuncByNamespace}
+	claimEvaluator := &claimEvaluator{listFuncByNamespace: listFuncByNamespace, deviceClassMapping: m, podsGetter: podsGetter}
 	return claimEvaluator
 }
 
@@ -53,6 +60,10 @@ func NewResourceClaimEvaluator(f quota.ListerForResourceFunc) quota.Evaluator {
 type claimEvaluator struct {
 	// listFuncByNamespace knows how to list resource claims
 	listFuncByNamespace generic.ListFuncByNamespace
+	// a global cache of device class and extended resource mapping
+	deviceClassMapping *extendedresourcecache.ExtendedResourceCache
+	// podsGetter is used to get pods
+	podsGetter corev1listers.PodLister
 }
 
 // Constraints verifies that all required resources are present on the item.
@@ -98,11 +109,91 @@ func (p *claimEvaluator) MatchingResources(items []corev1.ResourceName) []corev1
 		if item == ClaimObjectCountName /* object count quota fields */ ||
 			strings.HasSuffix(string(item), corev1.ResourceClaimsPerClass /* by device class */) {
 			result = append(result, item)
+			continue
+		}
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+			if strings.HasPrefix(string(item), corev1.ResourceImplicitExtendedClaimsPerClass /* by implicit extended resource name */) {
+				className := string(item[len(corev1.ResourceImplicitExtendedClaimsPerClass):])
+				if p.deviceClassMapping.GetExtendedResource(className) != "" {
+					result = append(result, item)
+					continue
+				}
+			}
+			if isExtendedResourceNameForQuota(item) /* by extended resource name */ {
+				resourceName := string(item[len(corev1.DefaultResourceRequestsPrefix):])
+				if p.deviceClassMapping.GetDeviceClass(corev1.ResourceName(resourceName)) != nil {
+					result = append(result, item)
+				}
+			}
 		}
 	}
 	return result
 }
 
+func (p *claimEvaluator) addExtendedResourceQuota(resourceClaimUsage map[corev1.ResourceName]resource.Quantity, podUsage corev1.ResourceList) {
+	extendedResourceUsage := make(map[corev1.ResourceName]resource.Quantity)
+	for name, quantity := range resourceClaimUsage {
+		// e.g. myclass
+		deviceClassName, isDeviceClassUsage := strings.CutSuffix(string(name), corev1.ResourceClaimsPerClass)
+		if !isDeviceClassUsage || len(deviceClassName) == 0 {
+			continue
+		}
+
+		// requests.deviceclass.resource.kubernetes.io/myclass
+		extendedResourceUsage[corev1.ResourceName(corev1.ResourceImplicitExtendedClaimsPerClass+deviceClassName)] = quantity
+
+		// e.g. example.com/mygpu
+		if extendedResourceName := p.deviceClassMapping.GetExtendedResource(deviceClassName); len(extendedResourceName) > 0 {
+			// requests.example.com/gpu
+			extendedResourceUsage[corev1.ResourceName(corev1.DefaultResourceRequestsPrefix+extendedResourceName)] = quantity
+		}
+	}
+
+	for name, quantity := range extendedResourceUsage {
+		// Subtract any amount already accounted for in the pod
+		if podQuantity, found := podUsage[name]; found {
+			quantity.Sub(podQuantity)
+		}
+		// Add any remaining amount to the resource claim resources
+		if quantity.CmpInt64(0) > 0 {
+			resourceClaimUsage[name] = quantity
+		}
+	}
+}
+
+// Verify extended resource claim owning pod exists, and the pod's ExtendedResourceClaimStatus points
+// back to the claim if it's not nil, and returns the pod's quota usage. If any error is encountered, nil is returned.
+func (p *claimEvaluator) getVerifiedPodUsage(claim *resourceapi.ResourceClaim) corev1.ResourceList {
+	if claim.Annotations[resourceapi.ExtendedResourceClaimAnnotation] != "true" {
+		return nil
+	}
+	controllerRef := metav1.GetControllerOf(claim)
+	if controllerRef == nil {
+		return nil
+	}
+	if controllerRef.Kind != "Pod" || controllerRef.APIVersion != "v1" {
+		return nil
+	}
+	if p.podsGetter == nil {
+		return nil
+	}
+	pod, err := p.podsGetter.Pods(claim.Namespace).Get(controllerRef.Name)
+	if err != nil {
+		return nil
+	}
+	if controllerRef.UID != pod.UID {
+		return nil
+	}
+	if pod.Status.ExtendedResourceClaimStatus != nil && pod.Status.ExtendedResourceClaimStatus.ResourceClaimName != claim.Name {
+		return nil
+	}
+	quotaReqs, err := PodUsageFunc(pod, clock.RealClock{})
+	if err != nil {
+		return nil
+	}
+	return quotaReqs
+}
+
 // Usage knows how to measure usage associated with item.
 func (p *claimEvaluator) Usage(item runtime.Object) (corev1.ResourceList, error) {
 	result := corev1.ResourceList{}
@@ -168,6 +259,10 @@ func (p *claimEvaluator) Usage(item runtime.Object) (corev1.ResourceList, error)
 		}
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+		p.addExtendedResourceQuota(result, p.getVerifiedPodUsage(claim))
+	}
+
 	return result, nil
 }
 
diff --git a/pkg/quota/v1/evaluator/core/resource_claims_test.go b/pkg/quota/v1/evaluator/core/resource_claims_test.go
index a1fc47eeaa7e1..eeefb16fe3247 100644
--- a/pkg/quota/v1/evaluator/core/resource_claims_test.go
+++ b/pkg/quota/v1/evaluator/core/resource_claims_test.go
@@ -17,30 +17,54 @@ limitations under the License.
 package core
 
 import (
+	"context"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	corev1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
+	quota "k8s.io/apiserver/pkg/quota/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
+	"k8s.io/klog/v2/ktesting"
 	api "k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
-func testResourceClaim(name string, namespace string, spec api.ResourceClaimSpec) *api.ResourceClaim {
-	return &api.ResourceClaim{
+func testResourceClaim(name string, namespace string, isExtended bool, podName string, spec api.ResourceClaimSpec) *api.ResourceClaim {
+	claim := &api.ResourceClaim{
 		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
 		Spec:       spec,
 	}
+	if isExtended {
+		claim.Annotations = map[string]string{resourceapi.ExtendedResourceClaimAnnotation: "true"}
+		claim.OwnerReferences = []metav1.OwnerReference{
+			{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        "uid",
+				Controller: ptr.To(true),
+			},
+		}
+	}
+	return claim
 }
 
 func TestResourceClaimEvaluatorUsage(t *testing.T) {
 	classGpu := "gpu"
 	classTpu := "tpu"
-	validClaim := testResourceClaim("foo", "ns", api.ResourceClaimSpec{
+	validClaim := testResourceClaim("foo", "ns", false, "", api.ResourceClaimSpec{
 		Devices: api.DeviceClaim{
 			Requests: []api.DeviceRequest{
 				{
@@ -54,7 +78,7 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 			},
 		},
 	})
-	validClaimWithPrioritizedList := testResourceClaim("foo", "ns", api.ResourceClaimSpec{
+	validClaimWithPrioritizedList := testResourceClaim("foo", "ns", false, "", api.ResourceClaimSpec{
 		Devices: api.DeviceClaim{
 			Requests: []api.DeviceRequest{
 				{
@@ -71,18 +95,362 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 			},
 		},
 	})
+	explicitExtendedResourceClaim := testResourceClaim("foo", "ns", true, "pod-explicit", api.ResourceClaimSpec{
+		Devices: api.DeviceClaim{
+			Requests: []api.DeviceRequest{
+				{
+					Name: "container-0-request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+			},
+		},
+	})
+	implicitExtendedResourceClaim := testResourceClaim("foo", "ns", true, "pod-implicit", api.ResourceClaimSpec{
+		Devices: api.DeviceClaim{
+			Requests: []api.DeviceRequest{
+				{
+					Name: "container-0-request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+			},
+		},
+	})
+	hybridExtendedResourceClaim := testResourceClaim("foo", "ns", true, "pod-hybrid", api.ResourceClaimSpec{
+		Devices: api.DeviceClaim{
+			Requests: []api.DeviceRequest{
+				{
+					Name: "container-1-request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+				{
+					Name: "container-1-request-1",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+			},
+		},
+	})
+	nilStatusExtendedResourceClaim := testResourceClaim("foo", "ns", true, "pod-nil-status", api.ResourceClaimSpec{
+		Devices: api.DeviceClaim{
+			Requests: []api.DeviceRequest{
+				{
+					Name: "request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+				{
+					Name: "container-1-request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+			},
+		},
+	})
+	initExtendedResourceClaim := testResourceClaim("foo", "ns", true, "pod-init", api.ResourceClaimSpec{
+		Devices: api.DeviceClaim{
+			Requests: []api.DeviceRequest{
+				{
+					Name: "container-2-request-0",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+				{
+					Name: "container-2-request-1",
+					Exactly: &api.ExactDeviceRequest{
+						DeviceClassName: classGpu,
+						AllocationMode:  api.DeviceAllocationModeExactCount,
+						Count:           1,
+					},
+				},
+			},
+		},
+	})
 
-	evaluator := NewResourceClaimEvaluator(nil)
+	podImplicit := &corev1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns",
+			Name:      "pod-implicit",
+			UID:       "uid",
+		},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			ExtendedResourceClaimStatus: &corev1.PodExtendedResourceClaimStatus{
+				ResourceClaimName: "foo",
+			},
+		},
+	}
+	podExplicit := &corev1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns",
+			Name:      "pod-explicit",
+			UID:       "uid",
+		},
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			ExtendedResourceClaimStatus: &corev1.PodExtendedResourceClaimStatus{
+				ResourceClaimName: "foo",
+			},
+		},
+	}
+	podHybrid := &corev1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns",
+			Name:      "pod-hybrid",
+			UID:       "uid",
+		},
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+			Containers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			ExtendedResourceClaimStatus: &corev1.PodExtendedResourceClaimStatus{
+				ResourceClaimName: "foo",
+			},
+		},
+	}
+	podNilStatus := &corev1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns",
+			Name:      "pod-nil-status",
+			UID:       "uid",
+		},
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+						},
+					},
+				},
+			},
+			Containers: []corev1.Container{
+				{
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{},
+	}
+	podInit := &corev1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "ns",
+			Name:      "pod-init",
+			UID:       "uid",
+		},
+		Spec: corev1.PodSpec{
+			InitContainers: []corev1.Container{
+				{
+					Name: "init-container-1",
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+				{
+					Name: "init-container-2",
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+			Containers: []corev1.Container{
+				{
+					Name: "container-1",
+					Resources: corev1.ResourceRequirements{
+						Requests: corev1.ResourceList{
+							"example.com/gpu": resource.MustParse("1"),
+							corev1.ResourceName("deviceclass.resource.kubernetes.io/" + classGpu): resource.MustParse("1"),
+						},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			ExtendedResourceClaimStatus: &corev1.PodExtendedResourceClaimStatus{
+				ResourceClaimName: "foo",
+			},
+		},
+	}
+
+	deviceClass1 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: classGpu,
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+
+	logger, ctx := ktesting.NewTestContext(t)
+	tCtx, tCancel := context.WithCancel(ctx)
+	client := fake.NewClientset(deviceClass1, podImplicit, podExplicit, podHybrid, podNilStatus, podInit)
+	informerFactory := informers.NewSharedInformerFactory(client, 0)
+	deviceclassmapping := extendedresourcecache.NewExtendedResourceCache(logger)
+	if _, err := informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(deviceclassmapping); err != nil {
+		logger.Error(err, "failed to add device class informer event handler")
+	}
+	evaluatorWithDeviceMapping := NewResourceClaimEvaluator(nil, deviceclassmapping, informerFactory.Core().V1().Pods().Lister())
+
+	informerFactory.Start(tCtx.Done())
+	t.Cleanup(func() {
+		// Need to cancel before waiting for the shutdown.
+		tCancel()
+		// Now we can wait for all goroutines to stop.
+		informerFactory.Shutdown()
+	})
+	informerFactory.WaitForCacheSync(tCtx.Done())
+
+	// wait for informer sync
+	time.Sleep(1 * time.Second)
+
+	evaluator := NewResourceClaimEvaluator(nil, nil, nil)
 	testCases := map[string]struct {
-		claim  *api.ResourceClaim
-		usage  corev1.ResourceList
-		errMsg string
+		evaluator quota.Evaluator
+		claim     *api.ResourceClaim
+		usage     corev1.ResourceList
+		errMsg    string
 	}{
-		"simple": {
-			claim: validClaim,
+		"implicit-extended-resource-claim": {
+			evaluator: evaluatorWithDeviceMapping,
+			claim:     implicitExtendedResourceClaim,
 			usage: corev1.ResourceList{
 				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
 				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("1"),
+				"requests.example.com/gpu":                resource.MustParse("1"),
+			},
+		},
+		"explicit-extended-resource-claim": {
+			evaluator: evaluatorWithDeviceMapping,
+			claim:     explicitExtendedResourceClaim,
+			usage: corev1.ResourceList{
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("1"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
+			},
+		},
+		"hybrid-extended-resource-claim": {
+			evaluator: evaluatorWithDeviceMapping,
+			claim:     hybridExtendedResourceClaim,
+			usage: corev1.ResourceList{
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("2"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
+				"requests.example.com/gpu":                        resource.MustParse("1"),
+			},
+		},
+		"ni-status-extended-resource-claim": {
+			evaluator: evaluatorWithDeviceMapping,
+			claim:     nilStatusExtendedResourceClaim,
+			usage: corev1.ResourceList{
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("2"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
+				"requests.example.com/gpu":                        resource.MustParse("1"),
+			},
+		},
+		"init-extended-resource-claim": {
+			evaluator: evaluatorWithDeviceMapping,
+			claim:     initExtendedResourceClaim,
+			usage: corev1.ResourceList{
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("2"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
+				"requests.example.com/gpu":                        resource.MustParse("1"),
+			},
+		},
+		"simple": {
+			claim: validClaim,
+			usage: corev1.ResourceList{
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("1"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
 			},
 		},
 		"many-requests": {
@@ -94,8 +462,9 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("5"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("5"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("5"),
 			},
 		},
 		"count": {
@@ -105,8 +474,9 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("5"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("5"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("5"),
 			},
 		},
 		"all": {
@@ -116,8 +486,9 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": *resource.NewQuantity(api.AllocationResultsMaxSize, resource.DecimalSI),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         *resource.NewQuantity(api.AllocationResultsMaxSize, resource.DecimalSI),
+				"requests.deviceclass.resource.kubernetes.io/gpu": *resource.NewQuantity(api.AllocationResultsMaxSize, resource.DecimalSI),
 			},
 		},
 		"unknown-count-mode": {
@@ -139,15 +510,17 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("1"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("1"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
 			},
 		},
 		"prioritized-list": {
 			claim: validClaimWithPrioritizedList,
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("1"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("1"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
 			},
 		},
 		"prioritized-list-multiple-subrequests": {
@@ -163,8 +536,9 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("2"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("2"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("2"),
 			},
 		},
 		"prioritized-list-multiple-subrequests-allocation-mode-all": {
@@ -178,8 +552,9 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("32"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("32"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("32"),
 			},
 		},
 		"prioritized-list-multiple-subrequests-different-device-classes": {
@@ -193,15 +568,21 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 				return claim
 			}(),
 			usage: corev1.ResourceList{
-				"count/resourceclaims.resource.k8s.io":    resource.MustParse("1"),
-				"gpu.deviceclass.resource.k8s.io/devices": resource.MustParse("1"),
-				"tpu.deviceclass.resource.k8s.io/devices": resource.MustParse("32"),
+				"count/resourceclaims.resource.k8s.io":            resource.MustParse("1"),
+				"gpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("1"),
+				"requests.deviceclass.resource.kubernetes.io/gpu": resource.MustParse("1"),
+				"tpu.deviceclass.resource.k8s.io/devices":         resource.MustParse("32"),
+				"requests.deviceclass.resource.kubernetes.io/tpu": resource.MustParse("32"),
 			},
 		},
 	}
 	for testName, testCase := range testCases {
 		t.Run(testName, func(t *testing.T) {
-			actual, err := evaluator.Usage(testCase.claim)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, true)
+			if testCase.evaluator == nil {
+				testCase.evaluator = evaluator
+			}
+			actual, err := testCase.evaluator.Usage(testCase.claim)
 			if err != nil {
 				if testCase.errMsg == "" {
 					t.Fatalf("Unexpected error: %v", err)
@@ -222,7 +603,37 @@ func TestResourceClaimEvaluatorUsage(t *testing.T) {
 }
 
 func TestResourceClaimEvaluatorMatchingResources(t *testing.T) {
-	evaluator := NewResourceClaimEvaluator(nil)
+	deviceClass1 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu",
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+
+	logger, ctx := ktesting.NewTestContext(t)
+	tCtx, tCancel := context.WithCancel(ctx)
+	client := fake.NewClientset(deviceClass1)
+	informerFactory := informers.NewSharedInformerFactory(client, 0)
+	deviceclassmapping := extendedresourcecache.NewExtendedResourceCache(logger)
+	if _, err := informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(deviceclassmapping); err != nil {
+		logger.Error(err, "failed to add device class informer event handler")
+	}
+	evaluator := NewResourceClaimEvaluator(nil, deviceclassmapping, informerFactory.Core().V1().Pods().Lister())
+
+	informerFactory.Start(tCtx.Done())
+	t.Cleanup(func() {
+		// Need to cancel before waiting for the shutdown.
+		tCancel()
+		// Now we can wait for all goroutines to stop.
+		informerFactory.Shutdown()
+	})
+	informerFactory.WaitForCacheSync(tCtx.Done())
+
+	// wait for informer sync
+	time.Sleep(1 * time.Second)
+
 	testCases := map[string]struct {
 		items []corev1.ResourceName
 		want  []corev1.ResourceName
@@ -231,11 +642,15 @@ func TestResourceClaimEvaluatorMatchingResources(t *testing.T) {
 			items: []corev1.ResourceName{
 				"count/resourceclaims.resource.k8s.io",
 				"gpu.deviceclass.resource.k8s.io/devices",
+				"requests.example.com/gpu",
+				"requests.deviceclass.resource.kubernetes.io/gpu",
 			},
 
 			want: []corev1.ResourceName{
 				"count/resourceclaims.resource.k8s.io",
 				"gpu.deviceclass.resource.k8s.io/devices",
+				"requests.example.com/gpu",
+				"requests.deviceclass.resource.kubernetes.io/gpu",
 			},
 		},
 		"unsupported-resources": {
@@ -251,6 +666,7 @@ func TestResourceClaimEvaluatorMatchingResources(t *testing.T) {
 	}
 	for testName, testCase := range testCases {
 		t.Run(testName, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, true)
 			actual := evaluator.MatchingResources(testCase.items)
 
 			if diff := cmp.Diff(testCase.want, actual); diff != "" {
@@ -261,7 +677,7 @@ func TestResourceClaimEvaluatorMatchingResources(t *testing.T) {
 }
 
 func TestResourceClaimEvaluatorHandles(t *testing.T) {
-	evaluator := NewResourceClaimEvaluator(nil)
+	evaluator := NewResourceClaimEvaluator(nil, nil, nil)
 	testCases := []struct {
 		name  string
 		attrs admission.Attributes
diff --git a/pkg/quota/v1/install/registry.go b/pkg/quota/v1/install/registry.go
index 15d41ffaae9aa..dae800f6e3393 100644
--- a/pkg/quota/v1/install/registry.go
+++ b/pkg/quota/v1/install/registry.go
@@ -21,20 +21,21 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	quota "k8s.io/apiserver/pkg/quota/v1"
 	"k8s.io/apiserver/pkg/quota/v1/generic"
+	"k8s.io/client-go/informers"
 	"k8s.io/kubernetes/pkg/apis/authentication"
 	"k8s.io/kubernetes/pkg/apis/authorization"
 	"k8s.io/kubernetes/pkg/quota/v1/evaluator/core"
 )
 
 // NewQuotaConfigurationForAdmission returns a quota configuration for admission control.
-func NewQuotaConfigurationForAdmission() quota.Configuration {
-	evaluators := core.NewEvaluators(nil)
+func NewQuotaConfigurationForAdmission(i informers.SharedInformerFactory) quota.Configuration {
+	evaluators := core.NewEvaluators(nil, i)
 	return generic.NewConfiguration(evaluators, DefaultIgnoredResources())
 }
 
 // NewQuotaConfigurationForControllers returns a quota configuration for controllers.
-func NewQuotaConfigurationForControllers(f quota.ListerForResourceFunc) quota.Configuration {
-	evaluators := core.NewEvaluators(f)
+func NewQuotaConfigurationForControllers(f quota.ListerForResourceFunc, i informers.SharedInformerFactory) quota.Configuration {
+	evaluators := core.NewEvaluators(f, i)
 	return generic.NewConfiguration(evaluators, DefaultIgnoredResources())
 }
 
diff --git a/pkg/registry/apps/statefulset/strategy.go b/pkg/registry/apps/statefulset/strategy.go
index bd81741e114cc..ed33e5eeadbc7 100644
--- a/pkg/registry/apps/statefulset/strategy.go
+++ b/pkg/registry/apps/statefulset/strategy.go
@@ -118,11 +118,6 @@ func (statefulSetStrategy) PrepareForUpdate(ctx context.Context, obj, old runtim
 //	    newSvc.Spec.MyFeature = nil
 //	}
 func dropStatefulSetDisabledFields(newSS *apps.StatefulSet, oldSS *apps.StatefulSet) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-		if oldSS == nil || oldSS.Spec.PersistentVolumeClaimRetentionPolicy == nil {
-			newSS.Spec.PersistentVolumeClaimRetentionPolicy = nil
-		}
-	}
 	if !utilfeature.DefaultFeatureGate.Enabled(features.MaxUnavailableStatefulSet) && !maxUnavailableInUse(oldSS) {
 		if newSS.Spec.UpdateStrategy.RollingUpdate != nil {
 			newSS.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable = nil
diff --git a/pkg/registry/apps/statefulset/strategy_test.go b/pkg/registry/apps/statefulset/strategy_test.go
index 672a25e34376a..25a49812dfea9 100644
--- a/pkg/registry/apps/statefulset/strategy_test.go
+++ b/pkg/registry/apps/statefulset/strategy_test.go
@@ -187,8 +187,7 @@ func TestStatefulSetStrategy(t *testing.T) {
 		Status: apps.StatefulSetStatus{Replicas: 4},
 	}
 
-	t.Run("when StatefulSetAutoDeletePVC feature gate is enabled, PersistentVolumeClaimRetentionPolicy should be updated", func(t *testing.T) {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, true)
+	t.Run("PersistentVolumeClaimRetentionPolicy should be updated", func(t *testing.T) {
 		// Test creation
 		ps := &apps.StatefulSet{
 			ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
@@ -227,8 +226,7 @@ func TestStatefulSetStrategy(t *testing.T) {
 			t.Errorf("expected PersistentVolumeClaimRetentionPolicy to be updated: %v", errs)
 		}
 	})
-	t.Run("when StatefulSetAutoDeletePVC feature gate is disabled, PersistentVolumeClaimRetentionPolicy should not be updated", func(t *testing.T) {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, true)
+	t.Run("PersistentVolumeClaimRetentionPolicy should not be updated", func(t *testing.T) {
 		// Test creation
 		ps := &apps.StatefulSet{
 			ObjectMeta: metav1.ObjectMeta{Name: "abc", Namespace: metav1.NamespaceDefault},
@@ -261,7 +259,7 @@ func TestStatefulSetStrategy(t *testing.T) {
 		Strategy.PrepareForUpdate(ctx, validPs, invalidPs)
 		errs = Strategy.ValidateUpdate(ctx, validPs, ps)
 		if len(errs) != 0 {
-			t.Errorf("should ignore updates to PersistentVolumeClaimRetentionPolicyType")
+			t.Errorf("unexpected failure with PersistentVolumeClaimRetentionPolicy: %v", errs)
 		}
 	})
 
@@ -331,15 +329,6 @@ func TestStatefulSetStatusStrategy(t *testing.T) {
 	}
 }
 
-// generateStatefulSetWithMinReadySeconds generates a StatefulSet with min values
-func generateStatefulSetWithMinReadySeconds(minReadySeconds int32) *apps.StatefulSet {
-	return &apps.StatefulSet{
-		Spec: apps.StatefulSetSpec{
-			MinReadySeconds: minReadySeconds,
-		},
-	}
-}
-
 func makeStatefulSetWithMaxUnavailable(maxUnavailable *int) *apps.StatefulSet {
 	rollingUpdate := apps.RollingUpdateStatefulSetStrategy{}
 	if maxUnavailable != nil {
@@ -359,38 +348,6 @@ func makeStatefulSetWithMaxUnavailable(maxUnavailable *int) *apps.StatefulSet {
 	}
 }
 
-func createOrdinalsWithStart(start int) *apps.StatefulSetOrdinals {
-	return &apps.StatefulSetOrdinals{
-		Start: int32(start),
-	}
-}
-
-func makeStatefulSetWithStatefulSetOrdinals(ordinals *apps.StatefulSetOrdinals) *apps.StatefulSet {
-	validSelector := map[string]string{"a": "b"}
-	validPodTemplate := api.PodTemplate{
-		Template: api.PodTemplateSpec{
-			ObjectMeta: metav1.ObjectMeta{
-				Labels: validSelector,
-			},
-			Spec: api.PodSpec{
-				RestartPolicy: api.RestartPolicyAlways,
-				DNSPolicy:     api.DNSClusterFirst,
-				Containers:    []api.Container{{Name: "abc", Image: "image", ImagePullPolicy: "IfNotPresent"}},
-			},
-		},
-	}
-	return &apps.StatefulSet{
-		ObjectMeta: metav1.ObjectMeta{Name: "ss", Namespace: metav1.NamespaceDefault},
-		Spec: apps.StatefulSetSpec{
-			Ordinals:            ordinals,
-			Selector:            &metav1.LabelSelector{MatchLabels: validSelector},
-			Template:            validPodTemplate.Template,
-			UpdateStrategy:      apps.StatefulSetUpdateStrategy{Type: apps.RollingUpdateStatefulSetStrategyType},
-			PodManagementPolicy: apps.OrderedReadyPodManagement,
-		},
-	}
-}
-
 // TestDropStatefulSetDisabledFields tests if the drop functionality is working fine or not
 func TestDropStatefulSetDisabledFields(t *testing.T) {
 	testCases := []struct {
@@ -400,24 +357,6 @@ func TestDropStatefulSetDisabledFields(t *testing.T) {
 		oldSS                *apps.StatefulSet
 		expectedSS           *apps.StatefulSet
 	}{
-		{
-			name:       "set minReadySeconds, no update",
-			ss:         generateStatefulSetWithMinReadySeconds(10),
-			oldSS:      generateStatefulSetWithMinReadySeconds(20),
-			expectedSS: generateStatefulSetWithMinReadySeconds(10),
-		},
-		{
-			name:       "set minReadySeconds, oldSS field set to nil",
-			ss:         generateStatefulSetWithMinReadySeconds(10),
-			oldSS:      nil,
-			expectedSS: generateStatefulSetWithMinReadySeconds(10),
-		},
-		{
-			name:       "set minReadySeconds, oldSS field is set to 0",
-			ss:         generateStatefulSetWithMinReadySeconds(10),
-			oldSS:      generateStatefulSetWithMinReadySeconds(0),
-			expectedSS: generateStatefulSetWithMinReadySeconds(10),
-		},
 		{
 			name:       "MaxUnavailable not enabled, field not used",
 			ss:         makeStatefulSetWithMaxUnavailable(nil),
@@ -452,18 +391,6 @@ func TestDropStatefulSetDisabledFields(t *testing.T) {
 			oldSS:                makeStatefulSetWithMaxUnavailable(ptr.To(3)),
 			expectedSS:           makeStatefulSetWithMaxUnavailable(ptr.To(1)),
 		},
-		{
-			name:       "set ordinals, ordinals in use in new only",
-			ss:         makeStatefulSetWithStatefulSetOrdinals(createOrdinalsWithStart(2)),
-			oldSS:      nil,
-			expectedSS: makeStatefulSetWithStatefulSetOrdinals(createOrdinalsWithStart(2)),
-		},
-		{
-			name:       "set ordinals, ordinals in use in both old and new",
-			ss:         makeStatefulSetWithStatefulSetOrdinals(createOrdinalsWithStart(2)),
-			oldSS:      makeStatefulSetWithStatefulSetOrdinals(createOrdinalsWithStart(1)),
-			expectedSS: makeStatefulSetWithStatefulSetOrdinals(createOrdinalsWithStart(2)),
-		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
diff --git a/pkg/registry/batch/OWNERS b/pkg/registry/batch/OWNERS
index a2e4043c870e2..c6d302e5ea268 100644
--- a/pkg/registry/batch/OWNERS
+++ b/pkg/registry/batch/OWNERS
@@ -1,4 +1,8 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
+approvers:
+  - sig-apps-approvers
 reviewers:
-  - deads2k
+  - sig-apps-reviewers
+labels:
+  - sig/apps
diff --git a/pkg/registry/batch/job/strategy.go b/pkg/registry/batch/job/strategy.go
index 23f343e754d02..d0b9f4f3d8a43 100644
--- a/pkg/registry/batch/job/strategy.go
+++ b/pkg/registry/batch/job/strategy.go
@@ -186,13 +186,17 @@ func validationOptionsForJob(newJob, oldJob *batch.Job) batchvalidation.JobValid
 	}
 	if oldJob != nil {
 		opts.AllowInvalidLabelValueInSelector = opts.AllowInvalidLabelValueInSelector || metav1validation.LabelSelectorHasInvalidLabelValue(oldJob.Spec.Selector)
-
 		// Updating node affinity, node selector and tolerations is allowed
 		// only for suspended jobs that never started before.
 		suspended := oldJob.Spec.Suspend != nil && *oldJob.Spec.Suspend
 		notStarted := oldJob.Status.StartTime == nil
 		opts.AllowMutableSchedulingDirectives = suspended && notStarted
-
+		if utilfeature.DefaultFeatureGate.Enabled(features.MutablePodResourcesForSuspendedJobs) {
+			opts.AllowMutablePodResources = batchvalidation.IsConditionTrue(oldJob.Status.Conditions, batch.JobSuspended) && oldJob.Status.Active == 0
+		}
+		if utilfeature.DefaultFeatureGate.Enabled(features.MutableSchedulingDirectivesForSuspendedJobs) {
+			opts.AllowMutableSchedulingDirectives = suspended && batchvalidation.IsConditionTrue(oldJob.Status.Conditions, batch.JobSuspended) && oldJob.Status.Active == 0
+		}
 		// Validation should not fail jobs if they don't have the new labels.
 		// This can be removed once we have high confidence that both labels exist (1.30 at least)
 		_, hadJobName := oldJob.Spec.Template.Labels[batch.JobNameLabel]
diff --git a/pkg/registry/batch/job/strategy_test.go b/pkg/registry/batch/job/strategy_test.go
index 58b4a540448c7..58da8cd5a5776 100644
--- a/pkg/registry/batch/job/strategy_test.go
+++ b/pkg/registry/batch/job/strategy_test.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
@@ -520,9 +521,11 @@ func TestJobStrategy_PrepareForUpdate(t *testing.T) {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.33"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableJobBackoffLimitPerIndex)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobBackoffLimitPerIndex: tc.enableJobBackoffLimitPerIndex,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+			})
 			ctx := genericapirequest.NewDefaultContext()
 
 			Strategy.PrepareForUpdate(ctx, &tc.updatedJob, &tc.job)
@@ -905,10 +908,12 @@ func TestJobStrategy_PrepareForCreate(t *testing.T) {
 				// TODO: this will be removed in 1.36
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.32"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableJobBackoffLimitPerIndex)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManageBy)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobBackoffLimitPerIndex: tc.enableJobBackoffLimitPerIndex,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            tc.enableJobManageBy,
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+			})
 			ctx := genericapirequest.NewDefaultContext()
 
 			Strategy.PrepareForCreate(ctx, &tc.job)
@@ -1000,7 +1005,7 @@ func TestJobStrategy_ValidateUpdate(t *testing.T) {
 				{Type: field.ErrorTypeInvalid, Field: "spec.completions"},
 			},
 		},
-		"updating node selector for unsuspended job disallowed": {
+		"updating node selector for unsuspended job disallowed with MutablePodResourcesForSuspendedJobs disabled": {
 			job: &batch.Job{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:            "myjob",
@@ -1022,7 +1027,7 @@ func TestJobStrategy_ValidateUpdate(t *testing.T) {
 				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
 			},
 		},
-		"updating node selector for suspended but previously started job disallowed": {
+		"updating node selector for suspended but previously started job disallowed with MutablePodResourcesForSuspendedJobs disabled": {
 			job: &batch.Job{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:            "myjob",
@@ -1048,7 +1053,7 @@ func TestJobStrategy_ValidateUpdate(t *testing.T) {
 				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
 			},
 		},
-		"updating node selector for suspended and not previously started job allowed": {
+		"updating node selector for suspended and not previously started job allowed with MutablePodResourcesForSuspendedJobs disabled": {
 			job: &batch.Job{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:            "myjob",
@@ -1192,6 +1197,273 @@ func TestJobStrategy_ValidateUpdate(t *testing.T) {
 	}
 }
 
+func TestJobStrategy_ValidateUpdate_MutablePodResources(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	now := metav1.Now()
+	validSelector := &metav1.LabelSelector{
+		MatchLabels: map[string]string{"a": "b"},
+	}
+	validPodTemplateSpec := api.PodTemplateSpec{
+		ObjectMeta: metav1.ObjectMeta{
+			Labels: validSelector.MatchLabels,
+		},
+		Spec: podtest.MakePodSpec(podtest.SetRestartPolicy(api.RestartPolicyOnFailure)),
+	}
+
+	cases := map[string]struct {
+		enableFeatureGate bool
+		job               *batch.Job
+		update            func(*batch.Job)
+		wantErrs          field.ErrorList
+	}{
+		"feature gate disabled - pod resource updates rejected": {
+			enableFeatureGate: false,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active: 0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - job suspended, but with remaining active Pods  resource updates rejected": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active: 1,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionFalse),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - job suspended, with the suspended condition, but pods remain active - reject": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active: 1,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - unsuspended job resource updates rejected": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(false),
+				},
+				Status: batch.JobStatus{
+					Active: 1,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionFalse),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - suspended but started job resource updates allowed": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					StartTime: &now,
+					Active:    0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+		},
+		"feature gate enabled - suspended and not started job resource updates allowed": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active: 0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Resources.Requests = api.ResourceList{
+					api.ResourceCPU: resource.MustParse("200m"),
+				}
+			},
+		},
+		"feature gate enabled - non-resource field updates still rejected": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active: 0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.Containers[0].Image = "different-image"
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template.spec"},
+			},
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.35"))
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutablePodResourcesForSuspendedJobs, tc.enableFeatureGate)
+
+			newJob := tc.job.DeepCopy()
+			tc.update(newJob)
+			errs := Strategy.ValidateUpdate(ctx, newJob, tc.job)
+			if diff := cmp.Diff(tc.wantErrs, errs, ignoreErrValueDetail); diff != "" {
+				t.Errorf("Unexpected errors (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestJobStrategy_WarningsOnUpdate(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
 	validSelector := &metav1.LabelSelector{
@@ -3605,9 +3877,11 @@ func TestStatusStrategy_ValidateUpdate(t *testing.T) {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.33"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobManagedBy, tc.enableJobManagedBy)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.JobPodReplacementPolicy, tc.enableJobPodReplacementPolicy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobManagedBy:            tc.enableJobManagedBy,
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+				features.JobPodReplacementPolicy: tc.enableJobPodReplacementPolicy,
+			})
 
 			errs := StatusStrategy.ValidateUpdate(ctx, tc.newJob, tc.job)
 			if diff := cmp.Diff(tc.wantErrs, errs, ignoreErrValueDetail); diff != "" {
@@ -3699,6 +3973,301 @@ func TestJobStrategy_GetAttrs(t *testing.T) {
 	}
 }
 
+func TestJobStrategy_ValidateUpdate_MutableSchedulingDirectives(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	now := metav1.Now()
+	validSelector := &metav1.LabelSelector{
+		MatchLabels: map[string]string{"a": "b"},
+	}
+	validPodTemplateSpec := api.PodTemplateSpec{
+		ObjectMeta: metav1.ObjectMeta{
+			Labels: validSelector.MatchLabels,
+		},
+		Spec: podtest.MakePodSpec(podtest.SetRestartPolicy(api.RestartPolicyOnFailure)),
+	}
+
+	cases := map[string]struct {
+		enableFeatureGate bool
+		job               *batch.Job
+		update            func(*batch.Job)
+		wantErrs          field.ErrorList
+	}{
+		"feature gate disabled - scheduling directives update allowed for suspended job never started": {
+			enableFeatureGate: false,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active:    0,
+					StartTime: nil,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+		},
+		"feature gate enabled - scheduling directives update allowed for suspended job never started": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active:    0,
+					StartTime: nil,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+		},
+		"feature gate disabled - scheduling directives update rejected for unsuspended Job": {
+			enableFeatureGate: false,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					Active:    1,
+					StartTime: &now,
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - scheduling directives update rejected for unsuspended Job": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(false),
+				},
+				Status: batch.JobStatus{
+					Active:    1,
+					StartTime: &now,
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate disabled - scheduling directives update rejected for suspended Job which was running in the past": {
+			enableFeatureGate: false,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					StartTime: &now,
+					Active:    0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - scheduling directives update allowed for suspended Job which was running in the past": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					StartTime: &now,
+					Active:    0,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+		},
+		"feature gate enabled - scheduling directives update rejected for suspended Job still have active pods": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					StartTime: &now,
+					Active:    1,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionTrue),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+		"feature gate enabled - scheduling directives update rejected for suspended Job without Suspended condition": {
+			enableFeatureGate: true,
+			job: &batch.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "myjob",
+					Namespace:       metav1.NamespaceDefault,
+					ResourceVersion: "0",
+				},
+				Spec: batch.JobSpec{
+					Selector:       validSelector,
+					Template:       validPodTemplateSpec,
+					ManualSelector: ptr.To(true),
+					Parallelism:    ptr.To[int32](1),
+					Suspend:        ptr.To(true),
+				},
+				Status: batch.JobStatus{
+					StartTime: &now,
+					Active:    1,
+					Conditions: []batch.JobCondition{
+						{
+							Type:   batch.JobSuspended,
+							Status: api.ConditionStatus(metav1.ConditionFalse),
+						},
+					},
+				},
+			},
+			update: func(job *batch.Job) {
+				job.Spec.Template.Spec.NodeSelector = map[string]string{
+					"key": "value",
+				}
+			},
+			wantErrs: field.ErrorList{
+				{Type: field.ErrorTypeInvalid, Field: "spec.template"},
+			},
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.35"))
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableSchedulingDirectivesForSuspendedJobs, tc.enableFeatureGate)
+
+			newJob := tc.job.DeepCopy()
+			tc.update(newJob)
+			errs := Strategy.ValidateUpdate(ctx, newJob, tc.job)
+			if diff := cmp.Diff(tc.wantErrs, errs, ignoreErrValueDetail); diff != "" {
+				t.Errorf("Unexpected errors (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
 func TestJobToSelectiableFields(t *testing.T) {
 	apitesting.TestSelectableFieldLabelConversionsOfKind(t,
 		"batch/v1",
diff --git a/pkg/registry/certificates/certificates/declarative_validation_test.go b/pkg/registry/certificates/certificates/declarative_validation_test.go
index 7e8fd4c59bc84..4039bc682c5ab 100644
--- a/pkg/registry/certificates/certificates/declarative_validation_test.go
+++ b/pkg/registry/certificates/certificates/declarative_validation_test.go
@@ -29,12 +29,9 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	api "k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -60,31 +57,31 @@ func testDeclarativeValidateForDeclarative(t *testing.T, apiVersion string) {
 		input        api.CertificateSigningRequest
 		expectedErrs field.ErrorList
 	}{
-		"no conditions - valid": {
+		"status.conditions: none = valid": {
 			input: makeValidCSR(),
 		},
-		"approved condition - valid": {
+		"status.conditions: Approved = valid": {
 			input: makeValidCSR(withApprovedCondition()),
 		},
-		"denied condition - valid": {
+		"status.conditions: Denied = valid": {
 			input: makeValidCSR(withDeniedCondition()),
 		},
-		"failed condition - valid": {
+		"status.conditions: Failed = valid": {
 			input: makeValidCSR(withFailedCondition()),
 		},
-		"approved+failed conditions - valid": {
+		"status.conditions: Approved+Failed = valid": {
 			input: makeValidCSR(withApprovedCondition(), withFailedCondition()),
 		},
-		"denied+failed conditions - valid": {
+		"status.conditions: Denied+Failed = valid": {
 			input: makeValidCSR(withDeniedCondition(), withFailedCondition()),
 		},
-		"approved+denied conditions - invalid": {
+		"status.conditions: Approved+Denied = invalid": {
 			input: makeValidCSR(withApprovedCondition(), withDeniedCondition()),
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("status", "conditions"), nil, "").WithOrigin("zeroOrOneOf"),
 			},
 		},
-		"denied+approved conditions - invalid": {
+		"status.conditions: Denied+Approved = invalid": {
 			input: makeValidCSR(withDeniedCondition(), withApprovedCondition()),
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("status", "conditions"), nil, "").WithOrigin("zeroOrOneOf"),
@@ -93,35 +90,7 @@ func testDeclarativeValidateForDeclarative(t *testing.T, apiVersion string) {
 	}
 	for k, tc := range testCases {
 		t.Run(k, func(t *testing.T) {
-			var declarativeTakeoverErrs field.ErrorList
-			var imperativeErrs field.ErrorList
-			for _, gateVal := range []bool{true, false} {
-				// We only need to test both gate enabled and disabled together, because
-				// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
-				// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
-
-				errs := Strategy.Validate(ctx, &tc.input)
-				if gateVal {
-					declarativeTakeoverErrs = errs
-				} else {
-					imperativeErrs = errs
-				}
-				// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
-				errOutputMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-				if len(tc.expectedErrs) > 0 {
-					errOutputMatcher.Test(t, tc.expectedErrs, errs)
-				} else if len(errs) != 0 {
-					t.Errorf("expected no errors, but got: %v", errs)
-				}
-			}
-			// The equivalenceMatcher is used to verify the output errors from hand-written imperative validation
-			// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
-			equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-			equivalenceMatcher.Test(t, imperativeErrs, declarativeTakeoverErrs)
-
-			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil)
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs)
 		})
 	}
 }
@@ -208,6 +177,11 @@ func testValidateUpdateForDeclarative(t *testing.T, apiVersion string) {
 			),
 			subresources: []string{"/approval"}, // Can only modify Approved and Denied conditions on /approval subresource
 		},
+		"ratcheting: allow existing duplicate types - valid": {
+			old:          makeValidCSR(withApprovedCondition(), withApprovedCondition(), withDeniedCondition(), withDeniedCondition()),
+			update:       makeValidCSR(withDeniedCondition(), withDeniedCondition(), withApprovedCondition(), withApprovedCondition()),
+			subresources: []string{"/status"},
+		},
 	}
 
 	for k, tc := range testCases {
@@ -226,49 +200,7 @@ func testValidateUpdateForDeclarative(t *testing.T, apiVersion string) {
 
 				tc.old.ResourceVersion = "1"
 				tc.update.ResourceVersion = "1"
-				var declarativeTakeoverErrs field.ErrorList
-				var imperativeErrs field.ErrorList
-				for _, gateVal := range []bool{true, false} {
-					// We only need to test both gate enabled and disabled together, because
-					// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
-					// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
-					errs := strategy.ValidateUpdate(ctx, &tc.update, &tc.old)
-					if gateVal {
-						declarativeTakeoverErrs = errs
-					} else {
-						imperativeErrs = errs
-					}
-					// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
-					errOutputMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-
-					if len(tc.expectedErrs) > 0 {
-						errOutputMatcher.Test(t, tc.expectedErrs, errs)
-					} else if len(errs) != 0 {
-						t.Errorf("expected no errors, but got: %v", errs)
-					}
-				}
-				// The equivalenceMatcher is used to verify the output errors from hand-written imperative validation
-				// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
-				equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-				// TODO: remove this once ErrorMatcher has been extended to handle this form of deduplication.
-				dedupedImperativeErrs := field.ErrorList{}
-				for _, err := range imperativeErrs {
-					found := false
-					for _, existingErr := range dedupedImperativeErrs {
-						if equivalenceMatcher.Matches(existingErr, err) {
-							found = true
-							break
-						}
-					}
-					if !found {
-						dedupedImperativeErrs = append(dedupedImperativeErrs, err)
-					}
-				}
-				equivalenceMatcher.Test(t, dedupedImperativeErrs, declarativeTakeoverErrs)
-
-				apitesting.VerifyVersionedValidationEquivalence(t, &tc.update, &tc.old)
+				apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, strategy.ValidateUpdate, tc.expectedErrs)
 			})
 		}
 	}
diff --git a/pkg/registry/certificates/certificates/strategy.go b/pkg/registry/certificates/certificates/strategy.go
index fde7fa70fe33e..6954100415bc9 100644
--- a/pkg/registry/certificates/certificates/strategy.go
+++ b/pkg/registry/certificates/certificates/strategy.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/api/operation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
@@ -29,11 +30,9 @@ import (
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/storage/names"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/apis/certificates/validation"
-	"k8s.io/kubernetes/pkg/features"
 	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 )
 
@@ -116,24 +115,7 @@ func (csrStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object
 func (csrStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	csr := obj.(*certificates.CertificateSigningRequest)
 	allErrs := validation.ValidateCertificateSigningRequestCreate(csr)
-
-	// If DeclarativeValidation feature gate is enabled, also run declarative validation
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative validation with panic recovery
-		declarativeErrs := rest.ValidateDeclaratively(ctx, legacyscheme.Scheme, csr, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and log + emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, allErrs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			allErrs = append(allErrs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-	return allErrs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, csr, nil, allErrs, operation.Create)
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
@@ -147,24 +129,7 @@ func (csrStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object)
 	oldCSR := old.(*certificates.CertificateSigningRequest)
 	newCSR := obj.(*certificates.CertificateSigningRequest)
 	errs := validation.ValidateCertificateSigningRequestUpdate(newCSR, oldCSR)
-	// If DeclarativeValidation feature gate is enabled, also run declarative validation
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative update validation with panic recovery
-		declarativeErrs := rest.ValidateUpdateDeclaratively(ctx, legacyscheme.Scheme, newCSR, oldCSR, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-
-	return errs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newCSR, oldCSR, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
@@ -280,22 +245,7 @@ func (csrStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Ob
 	newCSR := obj.(*certificates.CertificateSigningRequest)
 	oldCSR := old.(*certificates.CertificateSigningRequest)
 	errs := validation.ValidateCertificateSigningRequestStatusUpdate(newCSR, oldCSR)
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative update validation with panic recovery
-		declarativeErrs := rest.ValidateUpdateDeclaratively(ctx, legacyscheme.Scheme, newCSR, oldCSR, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-	return errs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newCSR, oldCSR, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
@@ -350,22 +300,7 @@ func (csrApprovalStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.
 	newCSR := obj.(*certificates.CertificateSigningRequest)
 	oldCSR := old.(*certificates.CertificateSigningRequest)
 	errs := validation.ValidateCertificateSigningRequestApprovalUpdate(newCSR, oldCSR)
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative update validation with panic recovery
-		declarativeErrs := rest.ValidateUpdateDeclaratively(ctx, legacyscheme.Scheme, newCSR, oldCSR, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-	return errs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newCSR, oldCSR, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/certificates/podcertificaterequest/storage/storage_test.go b/pkg/registry/certificates/podcertificaterequest/storage/storage_test.go
index 423cd41331a52..8300d04651e03 100644
--- a/pkg/registry/certificates/podcertificaterequest/storage/storage_test.go
+++ b/pkg/registry/certificates/podcertificaterequest/storage/storage_test.go
@@ -95,16 +95,17 @@ func TestCreate(t *testing.T) {
 				Name:      "foo",
 			},
 			Spec: certificates.PodCertificateRequestSpec{
-				SignerName:           "k8s.io/foo",
-				PodName:              "pod-1",
-				PodUID:               podUID1,
-				ServiceAccountName:   "sa-1",
-				ServiceAccountUID:    types.UID("sa-uid-1"),
-				NodeName:             "node-1",
-				NodeUID:              types.UID("node-uid-1"),
-				MaxExpirationSeconds: ptr.To[int32](86400),
-				PKIXPublicKey:        ed25519PubPKIX1,
-				ProofOfPossession:    ed25519Proof1,
+				SignerName:                "k8s.io/foo",
+				PodName:                   "pod-1",
+				PodUID:                    podUID1,
+				ServiceAccountName:        "sa-1",
+				ServiceAccountUID:         types.UID("sa-uid-1"),
+				NodeName:                  "node-1",
+				NodeUID:                   types.UID("node-uid-1"),
+				MaxExpirationSeconds:      ptr.To[int32](86400),
+				PKIXPublicKey:             ed25519PubPKIX1,
+				ProofOfPossession:         ed25519Proof1,
+				UnverifiedUserAnnotations: map[string]string{"test/foo": "bar"},
 			},
 		},
 		// Invalid PCR -- proof-of-possession signed wrong value
@@ -114,16 +115,17 @@ func TestCreate(t *testing.T) {
 				Name:      "foo",
 			},
 			Spec: certificates.PodCertificateRequestSpec{
-				SignerName:           "k8s.io/foo",
-				PodName:              "pod-1",
-				PodUID:               podUID1,
-				ServiceAccountName:   "sa-1",
-				ServiceAccountUID:    types.UID("sa-uid-1"),
-				NodeName:             "node-1",
-				NodeUID:              types.UID("node-uid-1"),
-				MaxExpirationSeconds: ptr.To[int32](86400),
-				PKIXPublicKey:        ed25519PubPKIX2,
-				ProofOfPossession:    ed25519Proof2,
+				SignerName:                "k8s.io/foo",
+				PodName:                   "pod-1",
+				PodUID:                    podUID1,
+				ServiceAccountName:        "sa-1",
+				ServiceAccountUID:         types.UID("sa-uid-1"),
+				NodeName:                  "node-1",
+				NodeUID:                   types.UID("node-uid-1"),
+				MaxExpirationSeconds:      ptr.To[int32](86400),
+				PKIXPublicKey:             ed25519PubPKIX2,
+				ProofOfPossession:         ed25519Proof2,
+				UnverifiedUserAnnotations: map[string]string{"test/foo": "bar"},
 			},
 		},
 	)
@@ -153,16 +155,17 @@ func TestUpdate(t *testing.T) {
 				Name:      "foo",
 			},
 			Spec: certificates.PodCertificateRequestSpec{
-				SignerName:           "k8s.io/foo",
-				PodName:              "pod-1",
-				PodUID:               podUID1,
-				ServiceAccountName:   "sa-1",
-				ServiceAccountUID:    types.UID("sa-uid-1"),
-				NodeName:             "node-1",
-				NodeUID:              types.UID("node-uid-1"),
-				MaxExpirationSeconds: ptr.To[int32](86400),
-				PKIXPublicKey:        ed25519PubPKIX1,
-				ProofOfPossession:    ed25519Proof1,
+				SignerName:                "k8s.io/foo",
+				PodName:                   "pod-1",
+				PodUID:                    podUID1,
+				ServiceAccountName:        "sa-1",
+				ServiceAccountUID:         types.UID("sa-uid-1"),
+				NodeName:                  "node-1",
+				NodeUID:                   types.UID("node-uid-1"),
+				MaxExpirationSeconds:      ptr.To[int32](86400),
+				PKIXPublicKey:             ed25519PubPKIX1,
+				ProofOfPossession:         ed25519Proof1,
+				UnverifiedUserAnnotations: map[string]string{"test/foo": "bar"},
 			},
 		},
 		// Valid update function
@@ -207,16 +210,17 @@ func TestUpdateStompsStatus(t *testing.T) {
 				Name:      "foo",
 			},
 			Spec: certificates.PodCertificateRequestSpec{
-				SignerName:           "k8s.io/foo",
-				PodName:              "pod-1",
-				PodUID:               podUID1,
-				ServiceAccountName:   "sa-1",
-				ServiceAccountUID:    types.UID("sa-uid-1"),
-				NodeName:             "node-1",
-				NodeUID:              types.UID("node-uid-1"),
-				MaxExpirationSeconds: ptr.To[int32](86400),
-				PKIXPublicKey:        ed25519PubPKIX1,
-				ProofOfPossession:    ed25519Proof1,
+				SignerName:                "k8s.io/foo",
+				PodName:                   "pod-1",
+				PodUID:                    podUID1,
+				ServiceAccountName:        "sa-1",
+				ServiceAccountUID:         types.UID("sa-uid-1"),
+				NodeName:                  "node-1",
+				NodeUID:                   types.UID("node-uid-1"),
+				MaxExpirationSeconds:      ptr.To[int32](86400),
+				PKIXPublicKey:             ed25519PubPKIX1,
+				ProofOfPossession:         ed25519Proof1,
+				UnverifiedUserAnnotations: map[string]string{"test/foo": "bar"},
 			},
 		},
 		// Valid update function
diff --git a/pkg/registry/certificates/rest/storage_certificates.go b/pkg/registry/certificates/rest/storage_certificates.go
index b55df4a9140a5..0f1f2efde855f 100644
--- a/pkg/registry/certificates/rest/storage_certificates.go
+++ b/pkg/registry/certificates/rest/storage_certificates.go
@@ -103,6 +103,19 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag
 		}
 	}
 
+	if resource := "podcertificaterequests"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1beta1.SchemeGroupVersion.WithResource(resource)) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) {
+			pcrStorage, pcrStatusStorage, err := podcertificaterequeststore.NewREST(restOptionsGetter, p.Authorizer, clock.RealClock{})
+			if err != nil {
+				return nil, err
+			}
+			storage[resource] = pcrStorage
+			storage[resource+"/status"] = pcrStatusStorage
+		} else {
+			klog.Warning("PodCertificateRequest storage is disabled because the PodCertificateRequest feature gate is disabled")
+		}
+	}
+
 	return storage, nil
 }
 
@@ -121,19 +134,6 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora
 		}
 	}
 
-	if resource := "podcertificaterequests"; apiResourceConfigSource.ResourceEnabled(certificatesapiv1alpha1.SchemeGroupVersion.WithResource(resource)) {
-		if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) {
-			pcrStorage, pcrStatusStorage, err := podcertificaterequeststore.NewREST(restOptionsGetter, p.Authorizer, clock.RealClock{})
-			if err != nil {
-				return nil, err
-			}
-			storage[resource] = pcrStorage
-			storage[resource+"/status"] = pcrStatusStorage
-		} else {
-			klog.Warning("PodCertificateRequest storage is disabled because the PodCertificateRequest feature gate is disabled")
-		}
-	}
-
 	return storage, nil
 }
 
diff --git a/pkg/registry/core/namespace/storage/storage_test.go b/pkg/registry/core/namespace/storage/storage_test.go
index a1bfd9e9af828..f9d3a5b34b946 100644
--- a/pkg/registry/core/namespace/storage/storage_test.go
+++ b/pkg/registry/core/namespace/storage/storage_test.go
@@ -151,7 +151,7 @@ func TestDeleteNamespaceWithIncompleteFinalizers(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -188,7 +188,7 @@ func TestUpdateDeletingNamespaceWithIncompleteMetadataFinalizers(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -224,7 +224,7 @@ func TestUpdateDeletingNamespaceWithIncompleteSpecFinalizers(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -259,7 +259,7 @@ func TestUpdateDeletingNamespaceWithCompleteFinalizers(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -301,7 +301,7 @@ func TestFinalizeDeletingNamespaceWithCompleteFinalizers(t *testing.T) {
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
 	defer finalizeStorage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -345,7 +345,7 @@ func TestFinalizeDeletingNamespaceWithIncompleteMetadataFinalizers(t *testing.T)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
 	defer finalizeStorage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -382,7 +382,7 @@ func TestDeleteNamespaceWithCompleteFinalizers(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.store.DestroyFunc()
-	key := "namespaces/foo"
+	key := "/namespaces/foo"
 	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 	now := metav1.Now()
 	namespace := &api.Namespace{
@@ -585,7 +585,7 @@ func TestDeleteWithGCFinalizers(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		key := "namespaces/" + test.name
+		key := "/namespaces/" + test.name
 		ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), metav1.NamespaceNone)
 		namespace := &api.Namespace{
 			ObjectMeta: metav1.ObjectMeta{
diff --git a/pkg/registry/core/node/strategy.go b/pkg/registry/core/node/strategy.go
index c7c4b4dca1311..7588971d4d269 100644
--- a/pkg/registry/core/node/strategy.go
+++ b/pkg/registry/core/node/strategy.go
@@ -111,6 +111,10 @@ func dropDisabledFields(node *api.Node, oldNode *api.Node) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.SupplementalGroupsPolicy) && !supplementalGroupsPolicyInUse(oldNode) {
 		node.Status.Features = nil
 	}
+
+	if !utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) && !nodeDeclaredFeaturesInUse(oldNode) {
+		node.Status.DeclaredFeatures = nil
+	}
 }
 
 // nodeConfigSourceInUse returns true if node's Spec ConfigSource is set(used)
@@ -316,3 +320,8 @@ func supplementalGroupsPolicyInUse(node *api.Node) bool {
 	}
 	return node.Status.Features != nil
 }
+
+// nodeDeclaredFeaturesInUse returns true if the node.status has DeclaredFeatures
+func nodeDeclaredFeaturesInUse(node *api.Node) bool {
+	return node != nil && node.Status.DeclaredFeatures != nil
+}
diff --git a/pkg/registry/core/node/strategy_test.go b/pkg/registry/core/node/strategy_test.go
index 5addfc9e7b01a..5e393a4ae6b51 100644
--- a/pkg/registry/core/node/strategy_test.go
+++ b/pkg/registry/core/node/strategy_test.go
@@ -19,6 +19,7 @@ package node
 import (
 	"context"
 	"reflect"
+	"slices"
 	"strings"
 	"testing"
 
@@ -27,8 +28,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/features"
 
 	// ensure types are installed
 	_ "k8s.io/kubernetes/pkg/apis/core/install"
@@ -365,3 +369,162 @@ func TestWarningOnUpdateAndCreate(t *testing.T) {
 		}
 	}
 }
+
+func TestDropNodeDeclaredFeaturesFieldDuringCreate(t *testing.T) {
+	testCases := []struct {
+		name               string
+		featureGateEnabled bool
+		initialNode        *api.Node
+		expectedNode       *api.Node
+	}{
+		{
+			name:               "feature gate disabled, field present",
+			featureGateEnabled: false,
+			initialNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: nil,
+				},
+			},
+		},
+		{
+			name:               "feature gate enabled, field present",
+			featureGateEnabled: true,
+			initialNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+		},
+		{
+			name:               "feature gate disabled, field absent",
+			featureGateEnabled: false,
+			initialNode: &api.Node{
+				Status: api.NodeStatus{},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.featureGateEnabled)
+
+			nodeCreate := tc.initialNode.DeepCopy()
+			Strategy.PrepareForCreate(context.TODO(), nodeCreate)
+			if !slices.Equal(tc.expectedNode.Status.DeclaredFeatures, nodeCreate.Status.DeclaredFeatures) {
+				t.Fatalf("PrepareForCreate: expected %v, got %v", tc.expectedNode.Status.DeclaredFeatures, nodeCreate.Status.DeclaredFeatures)
+			}
+		})
+	}
+}
+
+func TestDropNodeDeclaredFeaturesFieldDuringUpdate(t *testing.T) {
+	testCases := []struct {
+		name               string
+		featureGateEnabled bool
+		oldNode            *api.Node
+		newNode            *api.Node
+		expectedNode       *api.Node
+	}{
+		{
+			name:               "feature gate disabled, field not removed if in-use",
+			featureGateEnabled: false,
+			oldNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			newNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+		},
+		{
+			name:               "feature gate disabled, field reset if not in-use",
+			featureGateEnabled: false,
+			oldNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: nil,
+				},
+			},
+			newNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: nil,
+				},
+			},
+		},
+		{
+			name:               "feature gate enabled, field not removed",
+			featureGateEnabled: true,
+			oldNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			newNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+		},
+		{
+			name:               "feature gate enabled, status copied from old node",
+			featureGateEnabled: true,
+			oldNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+			newNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: nil,
+				},
+			},
+			expectedNode: &api.Node{
+				Status: api.NodeStatus{
+					DeclaredFeatures: []string{"TestFeature"},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.featureGateEnabled)
+
+			newNode := tc.newNode.DeepCopy()
+			Strategy.PrepareForUpdate(context.TODO(), newNode, tc.oldNode)
+			if !slices.Equal(tc.expectedNode.Status.DeclaredFeatures, newNode.Status.DeclaredFeatures) {
+				t.Fatalf("PrepareForUpdate: expected %v, got %v", tc.expectedNode.Status.DeclaredFeatures, newNode.Status.DeclaredFeatures)
+			}
+		})
+	}
+}
diff --git a/pkg/registry/core/persistentvolumeclaim/strategy.go b/pkg/registry/core/persistentvolumeclaim/strategy.go
index 2500ed1b52a03..a35cee7d9a8c8 100644
--- a/pkg/registry/core/persistentvolumeclaim/strategy.go
+++ b/pkg/registry/core/persistentvolumeclaim/strategy.go
@@ -122,8 +122,7 @@ func (persistentvolumeclaimStrategy) ValidateUpdate(ctx context.Context, obj, ol
 	newPvc := obj.(*api.PersistentVolumeClaim)
 	oldPvc := old.(*api.PersistentVolumeClaim)
 	opts := validation.ValidationOptionsForPersistentVolumeClaim(newPvc, oldPvc)
-	errorList := validation.ValidatePersistentVolumeClaim(newPvc, opts)
-	return append(errorList, validation.ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc, opts)...)
+	return validation.ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc, opts)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/core/persistentvolumeclaim/strategy_test.go b/pkg/registry/core/persistentvolumeclaim/strategy_test.go
index 5964f3c52606e..3704f07e37068 100644
--- a/pkg/registry/core/persistentvolumeclaim/strategy_test.go
+++ b/pkg/registry/core/persistentvolumeclaim/strategy_test.go
@@ -346,8 +346,10 @@ func TestPrepareForCreate(t *testing.T) {
 		t.Run(testName, func(t *testing.T) {
 			// TODO: this will be removed in 1.36
 			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AnyVolumeDataSource, test.anyEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CrossNamespaceVolumeDataSource, test.xnsEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.AnyVolumeDataSource:            test.anyEnabled,
+				features.CrossNamespaceVolumeDataSource: test.xnsEnabled,
+			})
 			pvc := api.PersistentVolumeClaim{
 				Spec: api.PersistentVolumeClaimSpec{
 					DataSource:    test.dataSource,
diff --git a/pkg/registry/core/pod/rest/authorize.go b/pkg/registry/core/pod/rest/authorize.go
new file mode 100644
index 0000000000000..d5b825b482a78
--- /dev/null
+++ b/pkg/registry/core/pod/rest/authorize.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/filters"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+)
+
+// Pod subresources differs on the REST verbs depending on the protocol used
+// SPDY uses POST that at the authz layer is translated to "create".
+// Websockets uses GET that is translated to "get".
+// Since the defaulting to websocket for kubectl in KEP-4006 this caused an
+// unexpected side effect and in order to keep existing policies backwards
+// compatible we always check that the "create" verb is allowed.
+// Ref: https://issues.k8s.io/133515
+func ensureAuthorizedForVerb(ctx context.Context, a authorizer.Authorizer, verb string) error {
+	requestInfo, ok := genericapirequest.RequestInfoFrom(ctx)
+	if !ok {
+		return apierrors.NewInternalError(errors.New("no request info in context"))
+	}
+	if requestInfo.Verb == verb {
+		// already authorized
+		return nil
+	}
+
+	if a == nil {
+		return apierrors.NewInternalError(errors.New("no authorizer available"))
+	}
+	originalAttrs, err := filters.GetAuthorizerAttributes(ctx)
+	if err != nil {
+		return apierrors.NewInternalError(fmt.Errorf("error building authorizer attributes: %w", err))
+	}
+	authorized, reason, err := a.Authorize(ctx, &overrideVerb{Attributes: originalAttrs, verb: verb})
+	if err != nil {
+		return err
+	}
+	if authorized != authorizer.DecisionAllow {
+		return apierrors.NewForbidden(schema.GroupResource{Group: requestInfo.APIGroup, Resource: requestInfo.Resource}, requestInfo.Name, errors.New(reason))
+	}
+	return nil
+}
+
+type overrideVerb struct {
+	authorizer.Attributes
+	verb string
+}
+
+func (o *overrideVerb) GetVerb() string {
+	return o.verb
+}
diff --git a/pkg/registry/core/pod/rest/authorize_test.go b/pkg/registry/core/pod/rest/authorize_test.go
new file mode 100644
index 0000000000000..4c5962bde8240
--- /dev/null
+++ b/pkg/registry/core/pod/rest/authorize_test.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"context"
+	"errors"
+	"reflect"
+	"testing"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+)
+
+// mockAuthorizer provides a mock implementation of the authorizer.Interface.
+type mockAuthorizer struct {
+	decision authorizer.Decision
+	reason   string
+	err      error
+}
+
+func (a *mockAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+	return a.decision, a.reason, a.err
+}
+
+func TestEnsureAuthorizedForVerb(t *testing.T) {
+	tests := []struct {
+		name          string
+		ctx           context.Context
+		authorizer    authorizer.Authorizer
+		verb          string
+		expectErr     string
+		expectErrType interface{}
+	}{
+		{
+			name:          "no request info in context",
+			ctx:           context.Background(),
+			verb:          "create",
+			expectErr:     `Internal error occurred: no request info in context`,
+			expectErrType: &apierrors.StatusError{},
+		},
+		{
+			name: "verb already matches",
+			ctx: genericapirequest.WithRequestInfo(context.Background(), &genericapirequest.RequestInfo{
+				Verb: "create",
+			}),
+			verb: "create",
+		},
+		{
+			name: "nil authorizer",
+			ctx: genericapirequest.WithRequestInfo(context.Background(), &genericapirequest.RequestInfo{
+				Verb: "get",
+			}),
+			authorizer:    nil,
+			verb:          "create",
+			expectErr:     `Internal error occurred: no authorizer available`,
+			expectErrType: &apierrors.StatusError{},
+		},
+		{
+			name:       "authorizer returns error",
+			ctx:        genericapirequest.WithRequestInfo(context.Background(), &genericapirequest.RequestInfo{Verb: "get"}),
+			authorizer: &mockAuthorizer{err: errors.New("auth error")},
+			verb:       "create",
+			expectErr:  "auth error",
+		},
+		{
+			name:          "authorizer denies",
+			ctx:           genericapirequest.WithRequestInfo(context.Background(), &genericapirequest.RequestInfo{Verb: "get", Resource: "pods", Name: "my-pod"}),
+			authorizer:    &mockAuthorizer{decision: authorizer.DecisionDeny, reason: "no reason"},
+			verb:          "create",
+			expectErr:     `pods "my-pod" is forbidden: no reason`,
+			expectErrType: &apierrors.StatusError{},
+		},
+		{
+			name:       "authorizer allows",
+			ctx:        genericapirequest.WithRequestInfo(context.Background(), &genericapirequest.RequestInfo{Verb: "get"}),
+			authorizer: &mockAuthorizer{decision: authorizer.DecisionAllow},
+			verb:       "create",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := ensureAuthorizedForVerb(tc.ctx, tc.authorizer, tc.verb)
+
+			if len(tc.expectErr) > 0 {
+				if err == nil {
+					t.Fatalf("expected error %q, got nil", tc.expectErr)
+				}
+				if err.Error() != tc.expectErr {
+					t.Errorf("expected error %q, got %q", tc.expectErr, err.Error())
+				}
+				if tc.expectErrType != nil {
+					if reflect.TypeOf(err) != reflect.TypeOf(tc.expectErrType) {
+						t.Errorf("expected error type %T, got %T", tc.expectErrType, err)
+					}
+				}
+			} else if err != nil {
+				t.Fatalf("expected no error, got %v", err)
+			}
+		})
+	}
+}
diff --git a/pkg/registry/core/pod/rest/log_test.go b/pkg/registry/core/pod/rest/log_test.go
index 77c0b66c137fc..159f952b19fef 100644
--- a/pkg/registry/core/pod/rest/log_test.go
+++ b/pkg/registry/core/pod/rest/log_test.go
@@ -36,7 +36,7 @@ import (
 func TestPodLogValidates(t *testing.T) {
 	config, server := registrytest.NewEtcdStorage(t, "")
 	defer server.Terminate(t)
-	s, destroyFunc, err := generic.NewRawStorage(config, nil, nil, "")
+	s, destroyFunc, err := generic.NewRawStorage(config, nil, nil, "/pods")
 	if err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
diff --git a/pkg/registry/core/pod/rest/subresources.go b/pkg/registry/core/pod/rest/subresources.go
index 87787678271ec..e6ffa3408ff39 100644
--- a/pkg/registry/core/pod/rest/subresources.go
+++ b/pkg/registry/core/pod/rest/subresources.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/httpstream/wsstream"
 	"k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/proxy"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
 	"k8s.io/apiserver/pkg/registry/rest"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -91,6 +92,7 @@ var upgradeableMethods = []string{"GET", "POST"}
 type AttachREST struct {
 	Store       *genericregistry.Store
 	KubeletConn client.ConnectionInfoGetter
+	Authorizer  authorizer.Authorizer
 }
 
 // Implement Connecter
@@ -109,6 +111,14 @@ func (r *AttachREST) Destroy() {
 
 // Connect returns a handler for the pod exec proxy
 func (r *AttachREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
+	// Forces a authz check for "create", if feature gate enabled.
+	// See: https://github.com/kubernetes/kubernetes/issues/133515
+	if utilfeature.DefaultFeatureGate.Enabled(features.AuthorizePodWebsocketUpgradeCreatePermission) {
+		if err := ensureAuthorizedForVerb(ctx, r.Authorizer, "create"); err != nil {
+			return nil, err
+		}
+	}
+
 	attachOpts, ok := opts.(*api.PodAttachOptions)
 	if !ok {
 		return nil, fmt.Errorf("Invalid options object: %#v", opts)
@@ -148,6 +158,7 @@ func (r *AttachREST) ConnectMethods() []string {
 type ExecREST struct {
 	Store       *genericregistry.Store
 	KubeletConn client.ConnectionInfoGetter
+	Authorizer  authorizer.Authorizer
 }
 
 // Implement Connecter
@@ -166,6 +177,14 @@ func (r *ExecREST) Destroy() {
 
 // Connect returns a handler for the pod exec proxy
 func (r *ExecREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
+	// Forces a authz check for "create", if feature gate enabled.
+	// See: https://github.com/kubernetes/kubernetes/issues/133515
+	if utilfeature.DefaultFeatureGate.Enabled(features.AuthorizePodWebsocketUpgradeCreatePermission) {
+		if err := ensureAuthorizedForVerb(ctx, r.Authorizer, "create"); err != nil {
+			return nil, err
+		}
+	}
+
 	execOpts, ok := opts.(*api.PodExecOptions)
 	if !ok {
 		return nil, fmt.Errorf("invalid options object: %#v", opts)
@@ -205,6 +224,7 @@ func (r *ExecREST) ConnectMethods() []string {
 type PortForwardREST struct {
 	Store       *genericregistry.Store
 	KubeletConn client.ConnectionInfoGetter
+	Authorizer  authorizer.Authorizer
 }
 
 // Implement Connecter
@@ -234,6 +254,14 @@ func (r *PortForwardREST) ConnectMethods() []string {
 
 // Connect returns a handler for the pod portforward proxy
 func (r *PortForwardREST) Connect(ctx context.Context, name string, opts runtime.Object, responder rest.Responder) (http.Handler, error) {
+	// Forces a authz check for "create", if feature gate enabled.
+	// See: https://github.com/kubernetes/kubernetes/issues/133515
+	if utilfeature.DefaultFeatureGate.Enabled(features.AuthorizePodWebsocketUpgradeCreatePermission) {
+		if err := ensureAuthorizedForVerb(ctx, r.Authorizer, "create"); err != nil {
+			return nil, err
+		}
+	}
+
 	portForwardOpts, ok := opts.(*api.PodPortForwardOptions)
 	if !ok {
 		return nil, fmt.Errorf("invalid options object: %#v", opts)
diff --git a/pkg/registry/core/pod/storage/eviction.go b/pkg/registry/core/pod/storage/eviction.go
index f088cf37de365..2a6561530a736 100644
--- a/pkg/registry/core/pod/storage/eviction.go
+++ b/pkg/registry/core/pod/storage/eviction.go
@@ -273,7 +273,7 @@ func (r *EvictionREST) Create(ctx context.Context, name string, obj runtime.Obje
 		})
 		return err
 	}()
-	if err == wait.ErrWaitTimeout {
+	if wait.Interrupted(err) {
 		err = errors.NewTimeoutError(fmt.Sprintf("couldn't update PodDisruptionBudget %q due to conflicts", pdbName), 10)
 	}
 	if err != nil {
@@ -434,7 +434,26 @@ func (r *EvictionREST) checkAndDecrement(namespace string, podName string, pdb p
 	}
 	if pdb.Status.DisruptionsAllowed == 0 {
 		err := errors.NewTooManyRequests("Cannot evict pod as it would violate the pod's disruption budget.", 0)
-		err.ErrStatus.Details.Causes = append(err.ErrStatus.Details.Causes, metav1.StatusCause{Type: policyv1.DisruptionBudgetCause, Message: fmt.Sprintf("The disruption budget %s needs %d healthy pods and has %d currently", pdb.Name, pdb.Status.DesiredHealthy, pdb.Status.CurrentHealthy)})
+		condition := meta.FindStatusCondition(pdb.Status.Conditions, policyv1.DisruptionAllowedCondition)
+		var msg string
+		switch {
+		// check whether sync is failed first because DesiredHealthy and CurrentHealthy are not trustworthy when the sync is failed
+		case condition != nil && condition.Status == metav1.ConditionFalse && len(condition.Message) > 0 && condition.Reason == policyv1.SyncFailedReason:
+			msg = fmt.Sprintf("The disruption budget %s does not allow evicting pods currently because it failed sync: %s", pdb.Name, condition.Message)
+		case pdb.Status.CurrentHealthy <= pdb.Status.DesiredHealthy:
+			msg = fmt.Sprintf("The disruption budget %s needs %d healthy pods and has %d currently", pdb.Name, pdb.Status.DesiredHealthy, pdb.Status.CurrentHealthy)
+		case condition != nil && condition.Status == metav1.ConditionFalse && len(condition.Message) > 0:
+			msg = fmt.Sprintf("The disruption budget %s does not allow evicting pods currently (%s): %s", pdb.Name, condition.Reason, condition.Message)
+		default:
+			msg = fmt.Sprintf("The disruption budget %s does not allow evicting pods currently", pdb.Name)
+		}
+		err.ErrStatus.Details.Causes = append(
+			err.ErrStatus.Details.Causes,
+			metav1.StatusCause{
+				Type:    policyv1.DisruptionBudgetCause,
+				Message: msg,
+			},
+		)
 		return err
 	}
 
diff --git a/pkg/registry/core/pod/storage/eviction_test.go b/pkg/registry/core/pod/storage/eviction_test.go
index a9d398ff7cd22..4cbdcfede7905 100644
--- a/pkg/registry/core/pod/storage/eviction_test.go
+++ b/pkg/registry/core/pod/storage/eviction_test.go
@@ -45,7 +45,7 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-func TestEviction(t *testing.T) {
+func TestEvictionWithETCD(t *testing.T) {
 	testcases := []struct {
 		name     string
 		pdbs     []runtime.Object
@@ -248,7 +248,7 @@ func TestEviction(t *testing.T) {
 	}
 }
 
-func TestEvictionIgnorePDB(t *testing.T) {
+func TestEviction(t *testing.T) {
 	testcases := []struct {
 		name     string
 		pdbs     []runtime.Object
@@ -521,6 +521,64 @@ func TestEvictionIgnorePDB(t *testing.T) {
 				Status: api.ConditionTrue,
 			},
 		},
+		{
+			name: "the error is about sync failure when the condition reason is SyncFailedReason",
+			pdbs: []runtime.Object{&policyv1.PodDisruptionBudget{
+				ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "default"},
+				Spec:       policyv1.PodDisruptionBudgetSpec{Selector: &metav1.LabelSelector{}},
+				Status: policyv1.PodDisruptionBudgetStatus{
+					DisruptionsAllowed: 0,
+					Conditions: []metav1.Condition{
+						{
+							Type:    policyv1.DisruptionAllowedCondition,
+							Status:  metav1.ConditionFalse,
+							Reason:  policyv1.SyncFailedReason,
+							Message: "hoge",
+						},
+					},
+				},
+			}},
+			eviction:            &policy.Eviction{ObjectMeta: metav1.ObjectMeta{Name: "t12", Namespace: "default"}, DeleteOptions: metav1.NewDeleteOptions(0)},
+			expectError:         "Cannot evict pod as it would violate the pod's disruption budget.: TooManyRequests: The disruption budget foo does not allow evicting pods currently because it failed sync: hoge",
+			podName:             "t12",
+			expectedDeleteCount: 0,
+			podTerminating:      false,
+			podPhase:            api.PodRunning,
+			prc: &api.PodCondition{
+				Type:   api.PodReady,
+				Status: api.ConditionTrue,
+			},
+		},
+		{
+			name: "the error includes the reason when the condition.Status is False",
+			pdbs: []runtime.Object{&policyv1.PodDisruptionBudget{
+				ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "default"},
+				Spec:       policyv1.PodDisruptionBudgetSpec{Selector: &metav1.LabelSelector{}},
+				Status: policyv1.PodDisruptionBudgetStatus{
+					DisruptionsAllowed: 0,
+					CurrentHealthy:     4,
+					DesiredHealthy:     3,
+					Conditions: []metav1.Condition{
+						{
+							Type:    policyv1.DisruptionAllowedCondition,
+							Status:  metav1.ConditionFalse,
+							Reason:  "bar-reason",
+							Message: "hoge",
+						},
+					},
+				},
+			}},
+			eviction:            &policy.Eviction{ObjectMeta: metav1.ObjectMeta{Name: "t12", Namespace: "default"}, DeleteOptions: metav1.NewDeleteOptions(0)},
+			expectError:         "Cannot evict pod as it would violate the pod's disruption budget.: TooManyRequests: The disruption budget foo does not allow evicting pods currently (bar-reason): hoge",
+			podName:             "t12",
+			expectedDeleteCount: 0,
+			podTerminating:      false,
+			podPhase:            api.PodRunning,
+			prc: &api.PodCondition{
+				Type:   api.PodReady,
+				Status: api.ConditionTrue,
+			},
+		},
 	}
 
 	for _, unhealthyPodEvictionPolicy := range []*policyv1.UnhealthyPodEvictionPolicyType{unhealthyPolicyPtr(policyv1.AlwaysAllow), nil, unhealthyPolicyPtr(policyv1.IfHealthyBudget)} {
diff --git a/pkg/registry/core/pod/storage/storage.go b/pkg/registry/core/pod/storage/storage.go
index 37334a9e5b511..45b98c9997f12 100644
--- a/pkg/registry/core/pod/storage/storage.go
+++ b/pkg/registry/core/pod/storage/storage.go
@@ -22,11 +22,14 @@ import (
 	"net/http"
 	"net/url"
 
+	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
+
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -45,7 +48,6 @@ import (
 	printerstorage "k8s.io/kubernetes/pkg/printers/storage"
 	registrypod "k8s.io/kubernetes/pkg/registry/core/pod"
 	podrest "k8s.io/kubernetes/pkg/registry/core/pod/rest"
-	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 )
 
 // PodStorage includes storage for pods and all sub resources
@@ -71,7 +73,7 @@ type REST struct {
 }
 
 // NewStorage returns a RESTStorage object that will work against pods.
-func NewStorage(optsGetter generic.RESTOptionsGetter, k client.ConnectionInfoGetter, proxyTransport http.RoundTripper, podDisruptionBudgetClient policyclient.PodDisruptionBudgetsGetter) (PodStorage, error) {
+func NewStorage(optsGetter generic.RESTOptionsGetter, k client.ConnectionInfoGetter, proxyTransport http.RoundTripper, podDisruptionBudgetClient policyclient.PodDisruptionBudgetsGetter, authorizer authorizer.Authorizer) (PodStorage, error) {
 
 	store := &genericregistry.Store{
 		NewFunc:                   func() runtime.Object { return &api.Pod{} },
@@ -117,9 +119,9 @@ func NewStorage(optsGetter generic.RESTOptionsGetter, k client.ConnectionInfoGet
 		Resize:              &ResizeREST{store: &resizeStore},
 		Log:                 &podrest.LogREST{Store: store, KubeletConn: k},
 		Proxy:               &podrest.ProxyREST{Store: store, ProxyTransport: proxyTransport},
-		Exec:                &podrest.ExecREST{Store: store, KubeletConn: k},
-		Attach:              &podrest.AttachREST{Store: store, KubeletConn: k},
-		PortForward:         &podrest.PortForwardREST{Store: store, KubeletConn: k},
+		Exec:                &podrest.ExecREST{Store: store, KubeletConn: k, Authorizer: authorizer},
+		Attach:              &podrest.AttachREST{Store: store, KubeletConn: k, Authorizer: authorizer},
+		PortForward:         &podrest.PortForwardREST{Store: store, KubeletConn: k, Authorizer: authorizer},
 	}, nil
 }
 
diff --git a/pkg/registry/core/pod/storage/storage_test.go b/pkg/registry/core/pod/storage/storage_test.go
index cff8ef035e83b..02b5638ef9787 100644
--- a/pkg/registry/core/pod/storage/storage_test.go
+++ b/pkg/registry/core/pod/storage/storage_test.go
@@ -59,7 +59,7 @@ func newStorage(t *testing.T) (*REST, *BindingREST, *StatusREST, *etcd3testing.E
 		DeleteCollectionWorkers: 3,
 		ResourcePrefix:          "pods",
 	}
-	storage, err := NewStorage(restOptions, nil, nil, nil)
+	storage, err := NewStorage(restOptions, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error from REST storage: %v", err)
 	}
@@ -163,7 +163,7 @@ func newFailDeleteStorage(t *testing.T, called *bool) (*REST, *etcd3testing.Etcd
 		DeleteCollectionWorkers: 3,
 		ResourcePrefix:          "pods",
 	}
-	storage, err := NewStorage(restOptions, nil, nil, nil)
+	storage, err := NewStorage(restOptions, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error from REST storage: %v", err)
 	}
diff --git a/pkg/registry/core/pod/strategy.go b/pkg/registry/core/pod/strategy.go
index ccdf35e76f47b..a77ad05142310 100644
--- a/pkg/registry/core/pod/strategy.go
+++ b/pkg/registry/core/pod/strategy.go
@@ -355,7 +355,10 @@ var ResizeStrategy = podResizeStrategy{
 	),
 }
 
-// dropNonResizeUpdates discards all changes except for pod.Spec.Containers[*].Resources, pod.Spec.InitContainers[*].Resources, ResizePolicy and certain metadata
+// dropNonResizeUpdates discards all changes except for
+// pod.Spec.Containers[*].Resources, pod.Spec.InitContainers[*].Resources,
+// ResizePolicy and certain metadata. If InPlacePodLevelResourcesVerticalScaling
+// feature is enabled, pod-level resources are also preserved.
 func dropNonResizeUpdates(newPod, oldPod *api.Pod) *api.Pod {
 	// Containers are not allowed to be added, removed, re-ordered, or renamed.
 	// If we detect any of these changes, we will return new podspec as-is and
@@ -364,10 +367,19 @@ func dropNonResizeUpdates(newPod, oldPod *api.Pod) *api.Pod {
 		return newPod
 	}
 
+	// Preserve the incoming pod-level resource from the new pod object.
+	newPodResources := newPod.Spec.Resources
+
 	containers := dropNonResizeUpdatesForContainers(newPod.Spec.Containers, oldPod.Spec.Containers)
 	initContainers := dropNonResizeUpdatesForContainers(newPod.Spec.InitContainers, oldPod.Spec.InitContainers)
 
 	newPod.Spec = oldPod.Spec
+	// If PodLevelResources and InPlacePodLevelResourcesVerticalScaling feature gates is enabled,
+	// restore the saved pod-level resource requests to the new pod's spec.
+	if utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling) {
+		newPod.Spec.Resources = newPodResources
+	}
+
 	newPod.Status = oldPod.Status
 	metav1.ResetObjectMetaForStatus(&newPod.ObjectMeta, &oldPod.ObjectMeta)
 
diff --git a/pkg/registry/core/pod/strategy_test.go b/pkg/registry/core/pod/strategy_test.go
index 65fe5dbbf11bc..6af91ed615b7c 100644
--- a/pkg/registry/core/pod/strategy_test.go
+++ b/pkg/registry/core/pod/strategy_test.go
@@ -2000,55 +2000,14 @@ func Test_mutateTopologySpreadConstraints(t *testing.T) {
 				},
 			},
 		},
-		{
-			name:                               "matchLabelKeys are not merged into labelSelector when MatchLabelKeysInPodTopologySpread is false and MatchLabelKeysInPodTopologySpreadSelectorMerge is true",
-			matchLabelKeysEnabled:              false,
-			matchLabelKeysSelectorMergeEnabled: true,
-			pod: &api.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: map[string]string{
-						"country": "Japan",
-						"city":    "Tokyo",
-					},
-				},
-				Spec: api.PodSpec{
-					TopologySpreadConstraints: []api.TopologySpreadConstraint{
-						{
-							MaxSkew:           1,
-							TopologyKey:       "kubernetes.io/hostname",
-							WhenUnsatisfiable: api.DoNotSchedule,
-							LabelSelector:     &metav1.LabelSelector{},
-							MatchLabelKeys:    []string{"country", "city"},
-						},
-					},
-				},
-			},
-			wantPod: &api.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: map[string]string{
-						"country": "Japan",
-						"city":    "Tokyo",
-					},
-				},
-				Spec: api.PodSpec{
-					TopologySpreadConstraints: []api.TopologySpreadConstraint{
-						{
-							MaxSkew:           1,
-							TopologyKey:       "kubernetes.io/hostname",
-							WhenUnsatisfiable: api.DoNotSchedule,
-							LabelSelector:     &metav1.LabelSelector{},
-							MatchLabelKeys:    []string{"country", "city"},
-						},
-					},
-				},
-			},
-		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpread, tc.matchLabelKeysEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpreadSelectorMerge, tc.matchLabelKeysSelectorMergeEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.MatchLabelKeysInPodTopologySpread:              tc.matchLabelKeysEnabled,
+				features.MatchLabelKeysInPodTopologySpreadSelectorMerge: tc.matchLabelKeysSelectorMergeEnabled,
+			})
 
 			pod := tc.pod
 			mutateTopologySpreadConstraints(pod)
@@ -2233,8 +2192,10 @@ func TestUpdateLabelOnPodWithTopologySpreadConstraintsEnabled(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpread, tc.matchLabelKeysEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodTopologySpreadSelectorMerge, tc.matchLabelKeysSelectorMergeEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.MatchLabelKeysInPodTopologySpread:              tc.matchLabelKeysEnabled,
+				features.MatchLabelKeysInPodTopologySpreadSelectorMerge: tc.matchLabelKeysSelectorMergeEnabled,
+			})
 
 			Strategy.PrepareForCreate(genericapirequest.NewContext(), tc.pod)
 			if errs := Strategy.Validate(genericapirequest.NewContext(), tc.pod); len(errs) != 0 {
@@ -3516,8 +3477,10 @@ func TestPodResizePrepareForUpdate(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, true)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SidecarContainers, true)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.InPlacePodVerticalScaling: true,
+				features.SidecarContainers:         true,
+			})
 			ctx := context.Background()
 			ResizeStrategy.PrepareForUpdate(ctx, tc.newPod, tc.oldPod)
 			if !cmp.Equal(tc.expected, tc.newPod) {
@@ -4178,9 +4141,10 @@ func TestStatusPrepareForUpdate(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.description, func(t *testing.T) {
-			for f, v := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, v)
+			if draEnabled, draExists := tc.features[features.DynamicResourceAllocation]; draExists && !draEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, tc.features)
 			StatusStrategy.PrepareForUpdate(genericapirequest.NewContext(), tc.newPod, tc.oldPod)
 			if !cmp.Equal(tc.expected, tc.newPod) {
 				t.Errorf("StatusStrategy.PrepareForUpdate() diff = %v", cmp.Diff(tc.expected, tc.newPod))
diff --git a/pkg/registry/core/replicationcontroller/declarative_validation_test.go b/pkg/registry/core/replicationcontroller/declarative_validation_test.go
index 099b0402f42cf..e3ad7f6efaff1 100644
--- a/pkg/registry/core/replicationcontroller/declarative_validation_test.go
+++ b/pkg/registry/core/replicationcontroller/declarative_validation_test.go
@@ -17,17 +17,16 @@ limitations under the License.
 package replicationcontroller
 
 import (
+	"fmt"
+	"strings"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	podtest "k8s.io/kubernetes/pkg/api/pod/testing"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -44,8 +43,117 @@ func TestDeclarativeValidateForDeclarative(t *testing.T) {
 		"empty resource": {
 			input: mkValidReplicationController(),
 		},
+		// metadata.name
+		"name: empty": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = ""
+			}),
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("metadata.name"), ""),
+			},
+		},
+		"name: label format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = "this-is-a-label"
+			}),
+		},
+		"name: subdomain format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = "this.is.a.subdomain"
+			}),
+		},
+		"name: invalid label format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = "-this-is-not-a-label"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"name: invalid subdomain format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = ".this.is.not.a.subdomain"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"name: label format with trailing dash": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = "this-is-a-label-"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"name: subdomain format with trailing dash": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = "this.is.a.subdomain-"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"name: long label format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = strings.Repeat("x", 253)
+			}),
+		},
+		"name: long subdomain format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = strings.Repeat("x.", 126) + "x"
+			}),
+		},
+		"name: too long label format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = strings.Repeat("x", 254)
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"name: too long subdomain format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = strings.Repeat("x.", 126) + "xx"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		// metadata.generateName (note: it's is not really validated)
+		"generateName: valid with empty name": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name = ""
+				rc.GenerateName = "name"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("metadata.name"), ""),
+				field.InternalError(field.NewPath("metadata.name"), fmt.Errorf("")),
+			},
+		},
+
+		"generateName: label format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.GenerateName = "this-is-a-label"
+			}),
+		},
+		"generateName: subdomain format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.GenerateName = "this.is.a.subdomain"
+			}),
+		},
+		"generateName: invalid format": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.GenerateName = "Obviously not a valid generateName!!"
+			}),
+		},
+		"generateName: too long": {
+			input: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.GenerateName = strings.Repeat("x", 4096)
+			}),
+		},
 		// spec.replicas
-		"nil replicas": {
+		"replicas: nil": {
 			input: mkValidReplicationController(func(rc *api.ReplicationController) {
 				rc.Spec.Replicas = nil
 			}),
@@ -53,32 +161,26 @@ func TestDeclarativeValidateForDeclarative(t *testing.T) {
 				field.Required(field.NewPath("spec.replicas"), ""),
 			},
 		},
-		"0 replicas": {
+		"replicas: 0": {
 			input: mkValidReplicationController(setSpecReplicas(0)),
 		},
-		"1 replicas": {
-			input: mkValidReplicationController(setSpecReplicas(1)),
-		},
-		"positive replicas": {
+		"replicas: positive": {
 			input: mkValidReplicationController(setSpecReplicas(100)),
 		},
-		"negative replicas": {
+		"replicas: negative": {
 			input: mkValidReplicationController(setSpecReplicas(-1)),
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("spec.replicas"), nil, "").WithOrigin("minimum"),
 			},
 		},
 		// spec.minReadySeconds
-		"0 minReadySeconds": {
+		"minReadySeconds: 0": {
 			input: mkValidReplicationController(setSpecMinReadySeconds(0)),
 		},
-		"1 minReadySeconds": {
-			input: mkValidReplicationController(setSpecMinReadySeconds(1)),
-		},
-		"positive minReadySeconds": {
+		"minReadySeconds: positive": {
 			input: mkValidReplicationController(setSpecMinReadySeconds(100)),
 		},
-		"negative minReadySeconds": {
+		"minReadySeconds: negative": {
 			input: mkValidReplicationController(setSpecMinReadySeconds(-1)),
 			expectedErrs: field.ErrorList{
 				field.Invalid(field.NewPath("spec.minReadySeconds"), nil, "").WithOrigin("minimum"),
@@ -87,35 +189,7 @@ func TestDeclarativeValidateForDeclarative(t *testing.T) {
 	}
 	for k, tc := range testCases {
 		t.Run(k, func(t *testing.T) {
-			var declarativeTakeoverErrs field.ErrorList
-			var imperativeErrs field.ErrorList
-			for _, gateVal := range []bool{true, false} {
-				// We only need to test both gate enabled and disabled together, because
-				// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
-				// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
-
-				errs := Strategy.Validate(ctx, &tc.input)
-				if gateVal {
-					declarativeTakeoverErrs = errs
-				} else {
-					imperativeErrs = errs
-				}
-				// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
-				errOutputMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-				if len(tc.expectedErrs) > 0 {
-					errOutputMatcher.Test(t, tc.expectedErrs, errs)
-				} else if len(errs) != 0 {
-					t.Errorf("expected no errors, but got: %v", errs)
-				}
-			}
-			// The equivalenceMatcher is used to verify the output errors from hand-written imperative validation
-			// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
-			equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-			equivalenceMatcher.Test(t, imperativeErrs, declarativeTakeoverErrs)
-
-			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil)
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs)
 		})
 	}
 }
@@ -131,12 +205,31 @@ func TestValidateUpdateForDeclarative(t *testing.T) {
 		expectedErrs field.ErrorList
 	}{
 		// baseline
-		"baseline": {
+		"no change": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(),
 		},
+		// metadata.name
+		"name: changed": {
+			old: mkValidReplicationController(),
+			update: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.Name += "x"
+			}),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("metadata.name"), nil, ""),
+			},
+		},
+		// metadata.generateName
+		"generateName: changed": {
+			old: mkValidReplicationController(),
+			update: mkValidReplicationController(func(rc *api.ReplicationController) {
+				rc.GenerateName += "x"
+			}),
+			// This is, oddly, mutable.  We should probably ratchet this off
+			// and make it immutable.
+		},
 		// spec.replicas
-		"nil replicas": {
+		"replicas: nil": {
 			old: mkValidReplicationController(),
 			update: mkValidReplicationController(func(rc *api.ReplicationController) {
 				rc.Spec.Replicas = nil
@@ -145,19 +238,15 @@ func TestValidateUpdateForDeclarative(t *testing.T) {
 				field.Required(field.NewPath("spec.replicas"), ""),
 			},
 		},
-		"0 replicas": {
+		"replicas: 0": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecReplicas(0)),
 		},
-		"1 replicas": {
-			old:    mkValidReplicationController(),
-			update: mkValidReplicationController(setSpecReplicas(1)),
-		},
-		"positive replicas": {
+		"replicas: positive": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecReplicas(100)),
 		},
-		"negative replicas": {
+		"replicas: negative": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecReplicas(-1)),
 			expectedErrs: field.ErrorList{
@@ -165,19 +254,15 @@ func TestValidateUpdateForDeclarative(t *testing.T) {
 			},
 		},
 		// spec.minReadySeconds
-		"0 minReadySeconds": {
+		"minReadySeconds: 0": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecMinReadySeconds(0)),
 		},
-		"1 minReadySeconds": {
-			old:    mkValidReplicationController(),
-			update: mkValidReplicationController(setSpecMinReadySeconds(1)),
-		},
-		"positive minReadySeconds": {
+		"minReadySeconds: positive": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecMinReadySeconds(3)),
 		},
-		"negative minReadySeconds": {
+		"minReadySeconds: negative": {
 			old:    mkValidReplicationController(),
 			update: mkValidReplicationController(setSpecMinReadySeconds(-1)),
 			expectedErrs: field.ErrorList{
@@ -189,49 +274,7 @@ func TestValidateUpdateForDeclarative(t *testing.T) {
 		t.Run(k, func(t *testing.T) {
 			tc.old.ObjectMeta.ResourceVersion = "1"
 			tc.update.ObjectMeta.ResourceVersion = "1"
-			var declarativeTakeoverErrs field.ErrorList
-			var imperativeErrs field.ErrorList
-			for _, gateVal := range []bool{true, false} {
-				// We only need to test both gate enabled and disabled together, because
-				// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
-				// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
-				errs := Strategy.ValidateUpdate(ctx, &tc.update, &tc.old)
-				if gateVal {
-					declarativeTakeoverErrs = errs
-				} else {
-					imperativeErrs = errs
-				}
-				// The errOutputMatcher is used to verify the output matches the expected errors in test cases.
-				errOutputMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-
-				if len(tc.expectedErrs) > 0 {
-					errOutputMatcher.Test(t, tc.expectedErrs, errs)
-				} else if len(errs) != 0 {
-					t.Errorf("expected no errors, but got: %v", errs)
-				}
-			}
-			// The equivalenceMatcher is used to verify the output errors from hand-written imperative validation
-			// are equivalent to the output errors when DeclarativeValidationTakeover is enabled.
-			equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
-			// TODO: remove this once RC's validation is fixed to not return duplicate errors.
-			dedupedImperativeErrs := field.ErrorList{}
-			for _, err := range imperativeErrs {
-				found := false
-				for _, existingErr := range dedupedImperativeErrs {
-					if equivalenceMatcher.Matches(existingErr, err) {
-						found = true
-						break
-					}
-				}
-				if !found {
-					dedupedImperativeErrs = append(dedupedImperativeErrs, err)
-				}
-			}
-			equivalenceMatcher.Test(t, dedupedImperativeErrs, declarativeTakeoverErrs)
-
-			apitesting.VerifyVersionedValidationEquivalence(t, &tc.update, &tc.old)
+			apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, Strategy.ValidateUpdate, tc.expectedErrs)
 		})
 	}
 }
diff --git a/pkg/registry/core/replicationcontroller/storage/scale_declarative_validation_test.go b/pkg/registry/core/replicationcontroller/storage/scale_declarative_validation_test.go
index 6c7eeacb77e3d..daae0911072e6 100644
--- a/pkg/registry/core/replicationcontroller/storage/scale_declarative_validation_test.go
+++ b/pkg/registry/core/replicationcontroller/storage/scale_declarative_validation_test.go
@@ -25,12 +25,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/registry/rest"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apitesting "k8s.io/kubernetes/pkg/api/testing"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 func TestValidateScaleForDeclarative(t *testing.T) {
@@ -77,8 +77,10 @@ func TestValidateScaleForDeclarative(t *testing.T) {
 					// We only need to test both gate enabled and disabled together, because
 					// 1) the DeclarativeValidationTakeover won't take effect if DeclarativeValidation is disabled.
 					// 2) the validation output, when only DeclarativeValidation is enabled, is the same as when both gates are disabled.
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidation, gateVal)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeclarativeValidationTakeover, gateVal)
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.DeclarativeValidation:         gateVal,
+						features.DeclarativeValidationTakeover: gateVal,
+					})
 
 					_, _, err := storage.Scale.Update(ctx, tc.input.Name, rest.DefaultUpdatedObjectInfo(&tc.input), rest.ValidateAllObjectFunc, rest.ValidateAllObjectUpdateFunc, false, &metav1.UpdateOptions{})
 					errs := errorListFromStatusError(t, err)
@@ -109,7 +111,7 @@ func TestValidateScaleForDeclarative(t *testing.T) {
 			equivalenceMatcher := field.ErrorMatcher{}.ByType().ByField()
 			equivalenceMatcher.Test(t, imperativeErrs, declarativeTakeoverErrs)
 
-			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil, "scale")
+			apitesting.VerifyVersionedValidationEquivalence(t, &tc.input, nil, apitesting.WithSubResources("scale"))
 		})
 	}
 }
diff --git a/pkg/registry/core/replicationcontroller/storage/storage.go b/pkg/registry/core/replicationcontroller/storage/storage.go
index a43c700c4c1a6..bee5ffb8c2890 100644
--- a/pkg/registry/core/replicationcontroller/storage/storage.go
+++ b/pkg/registry/core/replicationcontroller/storage/storage.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/operation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -32,7 +33,6 @@ import (
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
 	"k8s.io/apiserver/pkg/registry/rest"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
@@ -40,7 +40,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/autoscaling/validation"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	extensionsv1beta1 "k8s.io/kubernetes/pkg/apis/extensions/v1beta1"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/printers"
 	printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
 	printerstorage "k8s.io/kubernetes/pkg/printers/storage"
@@ -315,24 +314,7 @@ func (i *scaleUpdatedObjectInfo) UpdatedObject(ctx context.Context, oldObj runti
 	}
 
 	errs := validation.ValidateScale(scale)
-
-	// If DeclarativeValidation feature gate is enabled, also run declarative validation
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative validation with panic recovery
-		declarativeErrs := rest.ValidateUpdateDeclaratively(
-			ctx, legacyscheme.Scheme, scale, oldScale, rest.WithTakeover(takeover), rest.WithSubresourceMapper(i.scaleGVKMapper))
-
-		// Compare imperative and declarative errors and log + emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
+	errs = rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, scale, oldScale, errs, operation.Update, rest.WithSubresourceMapper(i.scaleGVKMapper))
 
 	if len(errs) > 0 {
 		return nil, errors.NewInvalid(autoscaling.Kind("Scale"), replicationcontroller.Name, errs)
diff --git a/pkg/registry/core/replicationcontroller/strategy.go b/pkg/registry/core/replicationcontroller/strategy.go
index b2a5c85f36edf..9fed503ca6309 100644
--- a/pkg/registry/core/replicationcontroller/strategy.go
+++ b/pkg/registry/core/replicationcontroller/strategy.go
@@ -28,6 +28,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -39,13 +40,11 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	apistorage "k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/storage/names"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/api/pod"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/helper"
 	corevalidation "k8s.io/kubernetes/pkg/apis/core/validation"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 // rcStrategy implements verification logic for Replication Controllers.
@@ -129,24 +128,7 @@ func (rcStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorL
 
 	// Run imperative validation
 	allErrs := corevalidation.ValidateReplicationController(controller, opts)
-
-	// If DeclarativeValidation feature gate is enabled, also run declarative validation
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative validation with panic recovery
-		declarativeErrs := rest.ValidateDeclaratively(ctx, legacyscheme.Scheme, controller, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and log + emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, allErrs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			allErrs = append(allErrs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-	return allErrs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, controller, nil, allErrs, operation.Create)
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
@@ -176,10 +158,7 @@ func (rcStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) f
 	newRc := obj.(*api.ReplicationController)
 
 	opts := pod.GetValidationOptionsFromPodTemplate(newRc.Spec.Template, oldRc.Spec.Template)
-	// This should be fixed to avoid the redundant calls, but carefully.
-	validationErrorList := corevalidation.ValidateReplicationController(newRc, opts)
-	updateErrorList := corevalidation.ValidateReplicationControllerUpdate(newRc, oldRc, opts)
-	errs := append(validationErrorList, updateErrorList...)
+	errs := corevalidation.ValidateReplicationControllerUpdate(newRc, oldRc, opts)
 
 	for key, value := range helper.NonConvertibleFields(oldRc.Annotations) {
 		parts := strings.Split(key, "/")
@@ -198,24 +177,7 @@ func (rcStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) f
 		}
 	}
 
-	// If DeclarativeValidation feature gate is enabled, also run declarative validation
-	if utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
-		// Determine if takeover is enabled
-		takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
-
-		// Run declarative update validation with panic recovery
-		declarativeErrs := rest.ValidateUpdateDeclaratively(ctx, legacyscheme.Scheme, newRc, oldRc, rest.WithTakeover(takeover))
-
-		// Compare imperative and declarative errors and emit metric if there's a mismatch
-		rest.CompareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover)
-
-		// Only apply declarative errors if takeover is enabled
-		if takeover {
-			errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
-		}
-	}
-
-	return errs
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newRc, oldRc, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/core/resourcequota/strategy.go b/pkg/registry/core/resourcequota/strategy.go
index a57416d3fd001..5a6dda4820fb8 100644
--- a/pkg/registry/core/resourcequota/strategy.go
+++ b/pkg/registry/core/resourcequota/strategy.go
@@ -18,6 +18,7 @@ package resourcequota
 
 import (
 	"context"
+	"fmt"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -74,9 +75,36 @@ func (resourcequotaStrategy) Validate(ctx context.Context, obj runtime.Object) f
 	return validation.ValidateResourceQuota(resourcequota)
 }
 
+// all known resource names that we want to check for request <= limit
+var knownResourceNames = []api.ResourceName{
+	api.ResourceCPU,
+	api.ResourceMemory,
+	api.ResourceStorage,
+	api.ResourceEphemeralStorage,
+}
+
 // WarningsOnCreate returns warnings for the creation of the given object.
 func (resourcequotaStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
-	return nil
+	resourcequota := obj.(*api.ResourceQuota)
+	var allWarnings []string
+	for _, resourceName := range knownResourceNames {
+		requestResourceName := api.ResourceName(fmt.Sprintf("requests.%s", resourceName))
+		request, requestOK := resourcequota.Spec.Hard[requestResourceName]
+		if !requestOK && (resourceName == api.ResourceCPU || resourceName == api.ResourceMemory) {
+			// try the bare name for cpu and memory
+			request, requestOK = resourcequota.Spec.Hard[resourceName]
+			if requestOK {
+				requestResourceName = resourceName
+			}
+		}
+		limitResourceName := api.ResourceName(fmt.Sprintf("limits.%s", resourceName))
+		limit, limitOK := resourcequota.Spec.Hard[limitResourceName]
+		if requestOK && limitOK && request.Cmp(limit) > 0 {
+			allWarnings = append(allWarnings, fmt.Sprintf("ResourceQuota %s (%s) should be less than %s (%s)",
+				requestResourceName, request.String(), limitResourceName, limit.String()))
+		}
+	}
+	return allWarnings
 }
 
 // Canonicalize normalizes the object after validation.
diff --git a/pkg/registry/core/resourcequota/strategy_test.go b/pkg/registry/core/resourcequota/strategy_test.go
index c571c2a336dc3..4066ec9407a48 100644
--- a/pkg/registry/core/resourcequota/strategy_test.go
+++ b/pkg/registry/core/resourcequota/strategy_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package resourcequota
 
 import (
+	"context"
+	"reflect"
 	"testing"
 
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -58,3 +60,84 @@ func TestResourceQuotaStrategy(t *testing.T) {
 		t.Errorf("ResourceQuota does not allow setting status on create")
 	}
 }
+
+func Test_WarningsOnCreate(t *testing.T) {
+	tests := []struct {
+		name         string
+		args         *api.ResourceQuota
+		wantWarnings []string
+	}{
+		{
+			name:         "Empty Hard Spec",
+			args:         &api.ResourceQuota{},
+			wantWarnings: []string{},
+		},
+		{
+			name: "Request less than limit",
+			args: &api.ResourceQuota{
+				Spec: api.ResourceQuotaSpec{
+					Hard: api.ResourceList{
+						api.ResourceName("requests.cpu"):               resource.MustParse("500m"),
+						api.ResourceName("limits.cpu"):                 resource.MustParse("1"),
+						api.ResourceName("requests.memory"):            resource.MustParse("1Gi"),
+						api.ResourceName("limits.memory"):              resource.MustParse("2Gi"),
+						api.ResourceName("requests.storage"):           resource.MustParse("1Gi"),
+						api.ResourceName("limits.storage"):             resource.MustParse("2Gi"),
+						api.ResourceName("requests.ephemeral-storage"): resource.MustParse("1Gi"),
+						api.ResourceName("limits.ephemeral-storage"):   resource.MustParse("2Gi"),
+					},
+				},
+			},
+			wantWarnings: []string{},
+		},
+		{
+			name: "Request greater than limit",
+			args: &api.ResourceQuota{
+				Spec: api.ResourceQuotaSpec{
+					Hard: api.ResourceList{
+						api.ResourceName("requests.cpu"):               resource.MustParse("2"),
+						api.ResourceName("limits.cpu"):                 resource.MustParse("1"),
+						api.ResourceName("requests.memory"):            resource.MustParse("3Gi"),
+						api.ResourceName("limits.memory"):              resource.MustParse("2Gi"),
+						api.ResourceName("requests.storage"):           resource.MustParse("3Gi"),
+						api.ResourceName("limits.storage"):             resource.MustParse("2Gi"),
+						api.ResourceName("requests.ephemeral-storage"): resource.MustParse("3Gi"),
+						api.ResourceName("limits.ephemeral-storage"):   resource.MustParse("2Gi"),
+					},
+				},
+			},
+			wantWarnings: []string{
+				"ResourceQuota requests.cpu (2) should be less than limits.cpu (1)",
+				"ResourceQuota requests.memory (3Gi) should be less than limits.memory (2Gi)",
+				"ResourceQuota requests.storage (3Gi) should be less than limits.storage (2Gi)",
+				"ResourceQuota requests.ephemeral-storage (3Gi) should be less than limits.ephemeral-storage (2Gi)",
+			},
+		},
+		{
+			name: "Request greater than limit, bare names",
+			args: &api.ResourceQuota{
+				Spec: api.ResourceQuotaSpec{
+					Hard: api.ResourceList{
+						api.ResourceName("cpu"):           resource.MustParse("2"),
+						api.ResourceName("limits.cpu"):    resource.MustParse("1"),
+						api.ResourceName("memory"):        resource.MustParse("3Gi"),
+						api.ResourceName("limits.memory"): resource.MustParse("2Gi"),
+					},
+				},
+			},
+			wantWarnings: []string{
+				"ResourceQuota cpu (2) should be less than limits.cpu (1)",
+				"ResourceQuota memory (3Gi) should be less than limits.memory (2Gi)",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			warnings := Strategy.WarningsOnCreate(context.Background(), tt.args)
+			if len(warnings)+len(tt.wantWarnings) > 0 && !reflect.DeepEqual(warnings, tt.wantWarnings) {
+				t.Errorf("WarningsOnCreate()\n   got: %q\n  want: %q", warnings, tt.wantWarnings)
+			}
+		})
+	}
+}
diff --git a/pkg/registry/core/rest/storage_core.go b/pkg/registry/core/rest/storage_core.go
index da2384aae056e..3ad71470cfb3d 100644
--- a/pkg/registry/core/rest/storage_core.go
+++ b/pkg/registry/core/rest/storage_core.go
@@ -28,6 +28,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
@@ -99,11 +100,12 @@ type legacyProvider struct {
 	primaryServiceClusterIPAllocator ipallocator.Interface
 	serviceClusterIPAllocators       map[api.IPFamily]ipallocator.Interface
 	serviceNodePortAllocator         *portallocator.PortAllocator
+	authorizer                       authorizer.Authorizer
 
 	startServiceNodePortsRepair, startServiceClusterIPRepair func(onFirstSuccess func(), stopCh chan struct{})
 }
 
-func New(c Config) (*legacyProvider, error) {
+func New(c Config, authorizer authorizer.Authorizer) (*legacyProvider, error) {
 	rangeRegistries, serviceClusterIPAllocator, serviceIPAllocators, serviceNodePortAllocator, err := c.newServiceIPAllocators()
 	if err != nil {
 		return nil, err
@@ -115,6 +117,7 @@ func New(c Config) (*legacyProvider, error) {
 		primaryServiceClusterIPAllocator: serviceClusterIPAllocator,
 		serviceClusterIPAllocators:       serviceIPAllocators,
 		serviceNodePortAllocator:         serviceNodePortAllocator,
+		authorizer:                       authorizer,
 	}
 
 	// create service node port repair controller
@@ -193,6 +196,7 @@ func (p *legacyProvider) NewRESTStorage(apiResourceConfigSource serverstorage.AP
 		nodeStorage.KubeletConnectionInfo,
 		p.Proxy.Transport,
 		podDisruptionClient,
+		p.authorizer,
 	)
 	if err != nil {
 		return genericapiserver.APIGroupInfo{}, err
diff --git a/pkg/registry/core/service/allocator/storage/storage.go b/pkg/registry/core/service/allocator/storage/storage.go
index 66599b2fa3e0f..11601537b33c5 100644
--- a/pkg/registry/core/service/allocator/storage/storage.go
+++ b/pkg/registry/core/service/allocator/storage/storage.go
@@ -63,9 +63,9 @@ var _ rangeallocation.RangeRegistry = &Etcd{}
 // NewEtcd returns an allocator that is backed by Etcd and can manage
 // persisting the snapshot state of allocation after each allocation is made.
 func NewEtcd(alloc allocator.Snapshottable, baseKey string, config *storagebackend.ConfigForResource) (*Etcd, error) {
-	// note that newFunc, newListFunc and resourcePrefix
+	// note that newFunc, newListFunc
 	// can be left blank unless the storage.Watch method is used
-	storage, d, err := generic.NewRawStorage(config, nil, nil, "")
+	storage, d, err := generic.NewRawStorage(config, nil, nil, baseKey)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/registry/core/service/ipallocator/cidrallocator.go b/pkg/registry/core/service/ipallocator/cidrallocator.go
index 7ec7e9cebd914..cbb3b1c03d3cc 100644
--- a/pkg/registry/core/service/ipallocator/cidrallocator.go
+++ b/pkg/registry/core/service/ipallocator/cidrallocator.go
@@ -17,6 +17,7 @@ limitations under the License.
 package ipallocator
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -392,6 +393,10 @@ func (c *MetaAllocator) AllocateNextService(service *api.Service) (net.IP, error
 		if err == nil {
 			return ip, nil
 		}
+		// only keep trying if the allocator is full or not ready
+		if !errors.Is(err, ErrFull) && !errors.Is(err, ErrNotReady) {
+			return nil, err
+		}
 	}
 	return nil, ErrFull
 }
diff --git a/pkg/registry/core/service/ipallocator/cidrallocator_test.go b/pkg/registry/core/service/ipallocator/cidrallocator_test.go
index 38aec78e256c8..e4bf3ccf75166 100644
--- a/pkg/registry/core/service/ipallocator/cidrallocator_test.go
+++ b/pkg/registry/core/service/ipallocator/cidrallocator_test.go
@@ -18,6 +18,7 @@ package ipallocator
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/netip"
 	"testing"
@@ -32,8 +33,10 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
+	networkingv1fake "k8s.io/client-go/kubernetes/typed/networking/v1/fake"
 	k8stesting "k8s.io/client-go/testing"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/kubernetes/pkg/features"
 	netutils "k8s.io/utils/net"
 )
@@ -658,3 +661,328 @@ func Test_isNotContained(t *testing.T) {
 		})
 	}
 }
+
+func TestCIDRAllocatorClusterIPAllocatedMetrics(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DisableAllocatorDualWrite, true)
+	clearMetrics()
+
+	r, err := newTestMetaAllocator()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer r.Destroy()
+
+	// Enable metrics for the meta allocator
+	r.EnableMetrics()
+
+	// Create first CIDR - small /30 network (only 2 usable IPs)
+	cidr1 := newServiceCIDR("test1", "192.168.1.0/30")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr1)
+
+	// Wait for the first CIDR to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("192.168.1.1"), true)
+		if err != nil {
+			t.Logf("unexpected error %v", err)
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return true }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check initial metrics for first CIDR
+	em1 := testMetrics{
+		free:      0,
+		used:      0,
+		allocated: 0,
+		errors:    0,
+	}
+	expectMetrics(t, "192.168.1.0/30", em1)
+
+	// Allocate all IPs from first CIDR (should be 2 usable IPs: .1 and .2)
+	found := sets.NewString()
+	allocatedFromCIDR1 := 0
+	for r.Free() > 0 && allocatedFromCIDR1 < 2 {
+		ip, err := r.AllocateNext()
+		if err != nil {
+			t.Fatalf("error allocating from first CIDR @ allocated: %d: %v", allocatedFromCIDR1, err)
+		}
+		allocatedFromCIDR1++
+		if found.Has(ip.String()) {
+			t.Fatalf("allocated %s twice", ip)
+		}
+		found.Insert(ip.String())
+	}
+
+	// Verify we allocated 2 IPs from first CIDR
+	if allocatedFromCIDR1 != 2 {
+		t.Fatalf("expected 2 IPs from first CIDR, got %d", allocatedFromCIDR1)
+	}
+
+	// Check metrics after filling first CIDR
+	dynamicAllocatedCidr1, err := testutil.GetCounterMetricValue(clusterIPAllocations.WithLabelValues("192.168.1.0/30", "dynamic"))
+	if err != nil {
+		t.Errorf("failed to get %s value, err: %v", clusterIPAllocations.Name, err)
+	}
+	if dynamicAllocatedCidr1 != 2 {
+		t.Fatalf("Expected 2 dynamic allocations from first CIDR, received %f", dynamicAllocatedCidr1)
+	}
+
+	// Create second CIDR - small /29 network (6 usable IPs)
+	cidr2 := newServiceCIDR("test2", "10.0.0.0/29")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr2)
+
+	// Wait for the second CIDR to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("10.0.0.1"), true)
+		if err != nil {
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return true }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Check initial metrics for second CIDR
+	em2 := testMetrics{
+		free:      0,
+		used:      0,
+		allocated: 0,
+		errors:    0,
+	}
+	expectMetrics(t, "10.0.0.0/29", em2)
+
+	// Allocate all remaining IPs from second CIDR (should be 6 usable IPs)
+	allocatedFromCIDR2 := 0
+	for r.Free() > 0 && allocatedFromCIDR2 < 6 {
+		ip, err := r.AllocateNext()
+		if err != nil {
+			t.Fatalf("error allocating from second CIDR @ allocated: %d: %v", allocatedFromCIDR2, err)
+		}
+		allocatedFromCIDR2++
+		if found.Has(ip.String()) {
+			t.Fatalf("allocated %s twice", ip)
+		}
+		found.Insert(ip.String())
+	}
+
+	// Verify we allocated 6 IPs from second CIDR
+	if allocatedFromCIDR2 != 6 {
+		t.Fatalf("expected 6 IPs from second CIDR, got %d", allocatedFromCIDR2)
+	}
+
+	// Check total allocated IPs
+	totalAllocated := allocatedFromCIDR1 + allocatedFromCIDR2
+	if totalAllocated != 8 {
+		t.Fatalf("expected 8 total IPs allocated, got %d", totalAllocated)
+	}
+
+	// Check metrics after filling second CIDR
+	dynamicAllocatedCidr2, err := testutil.GetCounterMetricValue(clusterIPAllocations.WithLabelValues("10.0.0.0/29", "dynamic"))
+	if err != nil {
+		t.Errorf("failed to get %s value, err: %v", clusterIPAllocations.Name, err)
+	}
+	if dynamicAllocatedCidr2 != 6 {
+		t.Fatalf("Expected 6 dynamic allocations from second CIDR, received %f", dynamicAllocatedCidr2)
+	}
+
+	// Try to allocate more IPs - should fail since both CIDRs are exhausted
+	if _, err := r.AllocateNext(); err == nil {
+		t.Fatal("expected error when trying to allocate from exhausted CIDRs")
+	}
+
+	// Parse the CIDRs for proper IP containment checking
+	_, cidr1Net, err := netutils.ParseCIDRSloppy("192.168.1.0/30")
+	if err != nil {
+		t.Fatalf("failed to parse CIDR1: %v", err)
+	}
+	_, cidr2Net, err := netutils.ParseCIDRSloppy("10.0.0.0/29")
+	if err != nil {
+		t.Fatalf("failed to parse CIDR2: %v", err)
+	}
+
+	// Try to allocate the same IP addresses to generate static allocation errors
+	errorCount1 := 0
+	errorCount2 := 0
+	for s := range found {
+		ip := netutils.ParseIPSloppy(s)
+		if err := r.Allocate(ip); !errors.Is(err, ErrAllocated) {
+			t.Fatalf("expected ErrAllocated when trying to allocate existing IP %s, got: %v", s, err)
+		}
+		// Count which CIDR the error belongs to using proper CIDR containment
+		if cidr1Net.Contains(ip) {
+			errorCount1++
+		} else if cidr2Net.Contains(ip) {
+			errorCount2++
+		} else {
+			t.Fatalf("IP %s does not belong to any expected CIDR", ip.String())
+		}
+	}
+
+	// Check static allocation errors for first CIDR
+	staticErrorsCidr1, err := testutil.GetCounterMetricValue(clusterIPAllocationErrors.WithLabelValues("192.168.1.0/30", "static"))
+	if err != nil {
+		t.Errorf("failed to get %s value, err: %v", clusterIPAllocationErrors.Name, err)
+	}
+	if staticErrorsCidr1 != float64(errorCount1) {
+		t.Fatalf("Expected %d static allocation errors from first CIDR, received %f", errorCount1, staticErrorsCidr1)
+	}
+
+	// Check static allocation errors for second CIDR
+	staticErrorsCidr2, err := testutil.GetCounterMetricValue(clusterIPAllocationErrors.WithLabelValues("10.0.0.0/29", "static"))
+	if err != nil {
+		t.Errorf("failed to get %s value, err: %v", clusterIPAllocationErrors.Name, err)
+	}
+	if staticErrorsCidr2 != float64(errorCount2) {
+		t.Fatalf("Expected %d static allocation errors from second CIDR, received %f", errorCount2, staticErrorsCidr2)
+	}
+}
+
+func TestCIDRAllocateNextStopOnError(t *testing.T) {
+	r, err := newTestMetaAllocator()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer r.Destroy()
+
+	// add a CIDR
+	cidr1 := newServiceCIDR("test1", "192.168.0.0/24")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr1)
+	// wait for the cidr to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("192.168.0.1"), true)
+		if err != nil {
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return true }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// add a second CIDR
+	cidr2 := newServiceCIDR("test2", "192.168.1.0/24")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr2)
+
+	// wait for the cidr to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("192.168.1.1"), true)
+		if err != nil {
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return true }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	calls := 0
+	// override the client to inject the reactor to fail the allocation
+	fakeclient, ok := r.client.(*networkingv1fake.FakeNetworkingV1)
+	if !ok {
+		t.Fatal("invalid client")
+	}
+	fakeclient.PrependReactor("create", "ipaddresses", k8stesting.ReactionFunc(func(action k8stesting.Action) (bool, runtime.Object, error) {
+		calls++
+		return true, nil, fmt.Errorf("server error")
+	}))
+
+	_, err = r.AllocateNext()
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if err.Error() != "server error" {
+		t.Fatalf("expected 'server error', got %v", err)
+	}
+	if calls != 1 {
+		t.Fatalf("expected 1 call, got %d", calls)
+	}
+}
+
+func TestCIDRAllocateNextDontStopOnNot(t *testing.T) {
+	r, err := newTestMetaAllocator()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer r.Destroy()
+
+	// add a CIDR
+	cidr1 := newServiceCIDR("test1", "192.168.0.0/24")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr1)
+	// wait for the cidr to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("192.168.0.1"), true)
+		if err != nil {
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return false }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// add a second CIDR
+	cidr2 := newServiceCIDR("test2", "192.168.1.0/24")
+	_, err = r.client.ServiceCIDRs().Create(context.Background(), cidr2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.enqueueServiceCIDR(cidr2)
+
+	// wait for the cidr to be processed
+	err = wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+		allocator, err := r.getAllocator(netutils.ParseIPSloppy("192.168.1.1"), true)
+		if err != nil {
+			return false, nil
+		}
+		allocator.ipAddressSynced = func() bool { return true }
+		return allocator.ready.Load(), nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// make the first allocator not ready
+	r.allocators["192.168.0.0/24"].allocator.ready.Store(false)
+	_, secondSubnet, err := netutils.ParseCIDRSloppy("192.168.1.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i := 0; i < 200; i++ {
+		ip, err := r.AllocateNext()
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !secondSubnet.Contains(ip) {
+			t.Fatalf("expected IP %s to be in %s", ip.String(), secondSubnet.String())
+		}
+	}
+}
diff --git a/pkg/registry/core/service/ipallocator/ipallocator.go b/pkg/registry/core/service/ipallocator/ipallocator.go
index 6613523f4df93..0c07f8e94bfe1 100644
--- a/pkg/registry/core/service/ipallocator/ipallocator.go
+++ b/pkg/registry/core/service/ipallocator/ipallocator.go
@@ -18,6 +18,7 @@ package ipallocator
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"math"
 	"math/big"
@@ -73,7 +74,7 @@ type Allocator struct {
 var _ Interface = &Allocator{}
 
 // NewIPAllocator returns an IP allocator associated to a network range
-// that use the IPAddress objectto track the assigned IP addresses,
+// that use the IPAddress object to track the assigned IP addresses,
 // using an informer cache as storage.
 func NewIPAllocator(
 	cidr *net.IPNet,
@@ -253,7 +254,11 @@ func (a *Allocator) allocateNextService(svc *api.Service, dryRun bool) (net.IP,
 	var offset uint64
 	switch {
 	case rangeSize >= math.MaxInt64:
-		offset = rand.Uint64()
+		offset = a.rand.Uint64()
+		// a.offsetAddress + offset should not overflow a 64 bit CIDR.
+		if math.MaxUint64-offset < uint64(a.rangeOffset) {
+			offset -= uint64(a.rangeOffset)
+		}
 	case rangeSize == 0:
 		return net.IP{}, ErrFull
 	default:
@@ -265,8 +270,8 @@ func (a *Allocator) allocateNextService(svc *api.Service, dryRun bool) (net.IP,
 		a.metrics.setLatency(a.metricLabel, time.Since(start))
 		return ip, nil
 	}
-	// check the lower range
-	if a.rangeOffset != 0 {
+	// if the upper range is full, try to allocate from the lower range
+	if errors.Is(err, ErrFull) && a.rangeOffset != 0 {
 		offset = uint64(a.rand.Intn(a.rangeOffset))
 		iterator = ipIterator(a.firstAddress, a.offsetAddress.Prev(), offset)
 		ip, err = a.allocateFromRange(iterator, svc)
@@ -275,9 +280,13 @@ func (a *Allocator) allocateNextService(svc *api.Service, dryRun bool) (net.IP,
 			return ip, nil
 		}
 	}
-	// update metrics
+	// no IP available
+	if err == nil {
+		klog.Info("[SHOULD NOT HAPPEN] - No IP Allocated and no error")
+		err = ErrFull
+	}
 	a.metrics.incrementAllocationErrors(a.metricLabel, "dynamic")
-	return net.IP{}, ErrFull
+	return net.IP{}, err
 }
 
 // IP iterator allows to iterate over all the IP addresses
@@ -339,11 +348,17 @@ func (a *Allocator) allocateFromRange(iterator func() netip.Addr, svc *api.Servi
 		}
 		// address is not present on the cache, try to allocate it
 		err = a.createIPAddress(name, svc, "dynamic")
-		// an error can happen if there is a race and our informer was not updated
-		// swallow the error and try with the next IP address
+		// an error can happen if there is a TOCTOU race and the IP address
+		// was allocated by another instance, in that case, swallow the error
+		// and try with the next IP address, but abort on other errors.
+		// Ref: https://issues.k8s.io/135333
 		if err != nil {
+			if errors.Is(err, ErrAllocated) {
+				klog.Infof("mid-air collision trying to allocate IP %s that already exists, retrying ...", name)
+				continue
+			}
 			klog.Infof("can not create IPAddress %s: %v", name, err)
-			continue
+			return nil, err
 		}
 		return ip.AsSlice(), nil
 	}
@@ -420,12 +435,44 @@ func (a *Allocator) Used() int {
 	if err != nil {
 		return 0
 	}
-	return len(ips)
+
+	// Count only IPs that belong to this allocator's CIDR
+	count := 0
+	for _, ipAddress := range ips {
+		// Parse the IP address string to netip.Addr type
+		ip, err := netip.ParseAddr(ipAddress.Name)
+		if err != nil {
+			continue
+		}
+		// Only count valid IPs that fall within this allocator's CIDR range
+		if a.prefix.Contains(ip) {
+			count++
+		}
+	}
+	return count
 }
 
 // for testing, it assumes this is the allocator is unique for the ipFamily
 func (a *Allocator) Free() int {
-	return int(a.size) - a.Used()
+	used := a.Used()
+
+	// Prevent integer overflow: if a.size exceeds int max value, use MaxInt
+	if a.size > math.MaxInt {
+		// In this case, used is definitely less than MaxInt, so no negative values
+		return math.MaxInt - used
+	}
+
+	size := int(a.size)
+
+	// Prevent negative return values due to data inconsistency
+	if used > size {
+		// This usually indicates data inconsistency, log a warning and return 0
+		klog.Warningf("IP allocator inconsistency detected: used (%d) > size (%d) for CIDR %s",
+			used, size, a.cidr.String())
+		return 0
+	}
+
+	return size - used
 }
 
 // Destroy
@@ -493,7 +540,7 @@ func (dry dryRunAllocator) EnableMetrics() {
 func addOffsetAddress(address netip.Addr, offset uint64) (netip.Addr, error) {
 	addressBytes := address.AsSlice()
 	addressBig := big.NewInt(0).SetBytes(addressBytes)
-	r := big.NewInt(0).Add(addressBig, big.NewInt(int64(offset))).Bytes()
+	r := big.NewInt(0).Add(addressBig, big.NewInt(0).SetUint64(offset)).Bytes()
 	// r must be 4 or 16 bytes depending of the ip family
 	// bigInt conversion to bytes will not take this into consideration
 	// and drop the leading zeros, so we have to take this into account.
diff --git a/pkg/registry/core/service/ipallocator/ipallocator_test.go b/pkg/registry/core/service/ipallocator/ipallocator_test.go
index 62e5409b54f18..1746113e33286 100644
--- a/pkg/registry/core/service/ipallocator/ipallocator_test.go
+++ b/pkg/registry/core/service/ipallocator/ipallocator_test.go
@@ -26,6 +26,8 @@ import (
 	"time"
 
 	networkingv1 "k8s.io/api/networking/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/informers"
@@ -198,6 +200,58 @@ func TestAllocateIPAllocator(t *testing.T) {
 	}
 }
 
+func TestAddOffsetAddress(t *testing.T) {
+	baseAddr := netip.MustParseAddr("fd54:ceea:51ad:2f00::0")
+	for _, tc := range []struct {
+		offset   uint64
+		wantAddr netip.Addr
+	}{
+		{
+			offset:   0,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00::0"),
+		},
+		{
+			offset:   1,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00::1"),
+		},
+		{
+			offset:   math.MaxInt64,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00:7fff:ffff:ffff:ffff"),
+		},
+		{
+			offset:   math.MaxInt64 + 1,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00:8000::"),
+		},
+		{
+			offset:   math.MaxUint64,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00:ffff:ffff:ffff:ffff"),
+		},
+		{
+			offset:   math.MaxUint64 - 1,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00:ffff:ffff:ffff:fffe"),
+		},
+		{
+			offset:   math.MaxUint64>>13 - 1,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00:7:ffff:ffff:fffe"),
+		},
+		{
+			offset:   math.MaxUint64 >> 59,
+			wantAddr: netip.MustParseAddr("fd54:ceea:51ad:2f00::1f"),
+		},
+	} {
+		t.Run(fmt.Sprintf("base:%s,offset:%x,want:%s", baseAddr, tc.offset, tc.wantAddr), func(t *testing.T) {
+			gotAddr, err := addOffsetAddress(baseAddr, tc.offset)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+
+			if gotAddr.Compare(tc.wantAddr) != 0 {
+				t.Fatalf("compareAddr: got %s, want %s", gotAddr, tc.wantAddr)
+			}
+		})
+	}
+}
+
 func TestAllocateTinyIPAllocator(t *testing.T) {
 	_, cidr, err := netutils.ParseCIDRSloppy("192.168.1.0/32")
 	if err != nil {
@@ -960,3 +1014,307 @@ func BenchmarkIPAllocatorAllocateNextIPv6Size65535(b *testing.B) {
 		r.AllocateNext()
 	}
 }
+
+// TestUsedWithCIDRFiltering tests that Used() method only counts IPs within the allocator's CIDR
+func TestUsedWithCIDRFiltering(t *testing.T) {
+	// Create an allocator for 192.168.1.0/24
+	_, cidr, err := netutils.ParseCIDRSloppy("192.168.1.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create test components
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0*time.Second)
+	ipInformer := informerFactory.Networking().V1().IPAddresses()
+	ipStore := ipInformer.Informer().GetIndexer()
+
+	r, err := NewIPAllocator(cidr, client.NetworkingV1(), ipInformer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.ipAddressSynced = func() bool { return true }
+	defer r.Destroy()
+
+	// Add valid IPs (within CIDR) with correct labels
+	validIPAddr1 := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "192.168.1.10",
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	validIPAddr2 := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "192.168.1.20",
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	if err := ipStore.Add(validIPAddr1); err != nil {
+		t.Fatal(err)
+	}
+	if err := ipStore.Add(validIPAddr2); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add invalid IPs (outside CIDR) with correct labels - these should not be counted
+	invalidIP1 := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "192.168.2.10", // different subnet
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	invalidIP2 := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "10.0.0.1", // completely different network
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	if err := ipStore.Add(invalidIP1); err != nil {
+		t.Fatal(err)
+	}
+	if err := ipStore.Add(invalidIP2); err != nil {
+		t.Fatal(err)
+	}
+
+	// Used() should only count valid IPs (2), not all IPs (4)
+	used := r.Used()
+	if used != 2 {
+		t.Errorf("Expected Used() to return 2 (only IPs in CIDR), got %d", used)
+	}
+}
+
+// TestFreeWithOverflowProtection tests the overflow protection in Free() method
+func TestFreeWithOverflowProtection(t *testing.T) {
+	testCases := []struct {
+		name         string
+		cidr         string
+		simulateSize uint64
+		simulateUsed int
+		expectedFree int
+	}{
+		{
+			name:         "normal case",
+			cidr:         "192.168.1.0/30", // size = 2 (4 total - 2 reserved)
+			simulateSize: 2,
+			simulateUsed: 1,
+			expectedFree: 1,
+		},
+		{
+			name:         "size exceeds MaxInt",
+			cidr:         "192.168.1.0/24",
+			simulateSize: uint64(math.MaxInt) + 1,
+			simulateUsed: 100,
+			expectedFree: math.MaxInt - 100,
+		},
+		{
+			name:         "used exceeds size (data inconsistency)",
+			cidr:         "192.168.1.0/30",
+			simulateSize: 2,
+			simulateUsed: 5, // More than size
+			expectedFree: 0,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, cidr, err := netutils.ParseCIDRSloppy(tc.cidr)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// Create test components
+			client := fake.NewClientset()
+			informerFactory := informers.NewSharedInformerFactory(client, 0*time.Second)
+			ipInformer := informerFactory.Networking().V1().IPAddresses()
+			ipStore := ipInformer.Informer().GetIndexer()
+
+			r, err := NewIPAllocator(cidr, client.NetworkingV1(), ipInformer)
+			if err != nil {
+				t.Fatal(err)
+			}
+			r.ipAddressSynced = func() bool { return true }
+			defer r.Destroy()
+
+			// Override the size for testing overflow scenarios
+			r.size = tc.simulateSize
+
+			// Mock the Used() method by adding IP addresses to simulate usage
+			for i := 0; i < tc.simulateUsed; i++ {
+				// Add valid IPs within the CIDR with correct labels
+				ip := &networkingv1.IPAddress{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: fmt.Sprintf("192.168.1.%d", i+1),
+						Labels: map[string]string{
+							networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+							networkingv1.LabelManagedBy:       ControllerName,
+						},
+					},
+				}
+				if err := ipStore.Add(ip); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			free := r.Free()
+			if free != tc.expectedFree {
+				t.Errorf("Expected Free() to return %d, got %d", tc.expectedFree, free)
+			}
+		})
+	}
+}
+
+// TestUsedWithInvalidIPs tests that Used() handles invalid IP addresses gracefully
+func TestUsedWithInvalidIPs(t *testing.T) {
+	_, cidr, err := netutils.ParseCIDRSloppy("192.168.1.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create test components
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0*time.Second)
+	ipInformer := informerFactory.Networking().V1().IPAddresses()
+	ipStore := ipInformer.Informer().GetIndexer()
+
+	r, err := NewIPAllocator(cidr, client.NetworkingV1(), ipInformer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	r.ipAddressSynced = func() bool { return true }
+	defer r.Destroy()
+
+	// Add valid IP with correct labels
+	validIP := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "192.168.1.10",
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	if err := ipStore.Add(validIP); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add invalid IP address (malformed) with correct labels
+	invalidIP := &networkingv1.IPAddress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "invalid-ip-address",
+			Labels: map[string]string{
+				networkingv1.LabelIPAddressFamily: string(r.IPFamily()),
+				networkingv1.LabelManagedBy:       ControllerName,
+			},
+		},
+	}
+	if err := ipStore.Add(invalidIP); err != nil {
+		t.Fatal(err)
+	}
+
+	// Used() should only count the valid IP
+	used := r.Used()
+	if used != 1 {
+		t.Errorf("Expected Used() to return 1 (only valid IPs), got %d", used)
+	}
+}
+
+func TestAllocateNextStopOnError(t *testing.T) {
+	_, cidr, err := netutils.ParseCIDRSloppy("192.168.1.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0*time.Second)
+	ipInformer := informerFactory.Networking().V1().IPAddresses()
+
+	calls := 0
+	client.PrependReactor("create", "ipaddresses", k8stesting.ReactionFunc(func(action k8stesting.Action) (bool, runtime.Object, error) {
+		calls++
+		return true, nil, fmt.Errorf("server error")
+	}))
+
+	c, err := NewIPAllocator(cidr, client.NetworkingV1(), ipInformer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	c.ipAddressSynced = func() bool { return true }
+	defer c.Destroy()
+
+	_, err = c.AllocateNext()
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if err.Error() != "server error" {
+		t.Fatalf("expected 'server error', got %v", err)
+	}
+	if calls != 1 {
+		t.Fatalf("expected 1 call, got %d", calls)
+	}
+}
+
+func TestAllocateNext_Collision(t *testing.T) {
+	_, cidr, err := netutils.ParseCIDRSloppy("192.168.1.0/24")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0*time.Second)
+	ipInformer := informerFactory.Networking().V1().IPAddresses()
+	ipStore := ipInformer.Informer().GetIndexer()
+
+	// Inject collision reactor FIRST
+	// We want to simulate that the first IP tried is already allocated in the underlying storage
+	// but NOT in the cache (so it passes the cache check in allocateFromRange).
+	// The allocator picks a random IP. To make it deterministic or easier to hit,
+	collisionCount := 0
+	client.PrependReactor("create", "ipaddresses", k8stesting.ReactionFunc(func(action k8stesting.Action) (bool, runtime.Object, error) {
+		if collisionCount == 0 {
+			collisionCount++
+			// Simulate ErrAllocated (AlreadyExists)
+			return true, nil, apierrors.NewAlreadyExists(networkingv1.Resource("ipaddresses"), action.(k8stesting.CreateAction).GetObject().(*networkingv1.IPAddress).Name)
+		}
+		ip := action.(k8stesting.CreateAction).GetObject().(*networkingv1.IPAddress)
+		_, exists, err := ipStore.GetByKey(ip.Name)
+		if err != nil {
+			return false, nil, fmt.Errorf("failed to get ip %s from cache: %w", ip.Name, err)
+		}
+		if exists {
+			return false, nil, fmt.Errorf("ip already exist")
+		}
+		ip.Generation = 1
+		err = ipStore.Add(ip)
+		return false, ip, err
+	}))
+
+	a, err := NewIPAllocator(cidr, client.NetworkingV1(), ipInformer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	a.ipAddressSynced = func() bool { return true }
+	defer a.Destroy()
+
+	// AllocateNext should succeed even if the first attempt hits a collision
+	ip, err := a.AllocateNext()
+	if err != nil {
+		t.Fatalf("AllocateNext failed: %v", err)
+	}
+	if collisionCount != 1 {
+		t.Errorf("Expected 1 collision, got %d", collisionCount)
+	}
+	if !cidr.Contains(ip) {
+		t.Errorf("Allocated IP %s not in CIDR %s", ip, cidr)
+	}
+}
diff --git a/pkg/registry/core/service/ipallocator/storage/storage_test.go b/pkg/registry/core/service/ipallocator/storage/storage_test.go
index 9d5b368288cdf..fb7aa138a4329 100644
--- a/pkg/registry/core/service/ipallocator/storage/storage_test.go
+++ b/pkg/registry/core/service/ipallocator/storage/storage_test.go
@@ -56,7 +56,7 @@ func newStorage(t *testing.T) (*etcd3testing.EtcdTestServer, ipallocator.Interfa
 	if err != nil {
 		t.Fatalf("unexpected error creating etcd: %v", err)
 	}
-	s, d, err := generic.NewRawStorage(configForAllocations, nil, nil, "")
+	s, d, err := generic.NewRawStorage(configForAllocations, nil, nil, "/ranges/serviceips")
 	if err != nil {
 		t.Fatalf("Couldn't create storage: %v", err)
 	}
diff --git a/pkg/registry/core/service/portallocator/storage/storage_test.go b/pkg/registry/core/service/portallocator/storage/storage_test.go
index d2925fc7bda5d..4629bed0002f8 100644
--- a/pkg/registry/core/service/portallocator/storage/storage_test.go
+++ b/pkg/registry/core/service/portallocator/storage/storage_test.go
@@ -58,7 +58,7 @@ func newStorage(t *testing.T) (*etcd3testing.EtcdTestServer, portallocator.Inter
 	if err != nil {
 		t.Fatalf("unexpected error creating etcd: %v", err)
 	}
-	s, d, err := generic.NewRawStorage(configForAllocations, nil, nil, "")
+	s, d, err := generic.NewRawStorage(configForAllocations, nil, nil, "/ranges/servicenodeports")
 	if err != nil {
 		t.Fatalf("Couldn't create storage: %v", err)
 	}
diff --git a/pkg/registry/core/service/storage/alloc.go b/pkg/registry/core/service/storage/alloc.go
index 8285f08804e25..2fc4873753895 100644
--- a/pkg/registry/core/service/storage/alloc.go
+++ b/pkg/registry/core/service/storage/alloc.go
@@ -17,10 +17,11 @@ limitations under the License.
 package storage
 
 import (
+	"errors"
 	"fmt"
 	"net"
 
-	"k8s.io/apimachinery/pkg/api/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -152,7 +153,7 @@ func (al *Allocators) initIPFamilyFields(after After, before Before) error {
 	// Do some loose pre-validation of the input.  This makes it easier in the
 	// rest of allocation code to not have to consider corner cases.
 	if el := validation.ValidateServiceClusterIPsRelatedFields(service, oldService); len(el) != 0 {
-		return errors.NewInvalid(api.Kind("Service"), service.Name, el)
+		return apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 	}
 
 	//TODO(thockin): Move this logic to validation?
@@ -225,7 +226,7 @@ func (al *Allocators) initIPFamilyFields(after After, before Before) error {
 
 	// If we have validation errors, bail out now so we don't make them worse.
 	if len(el) > 0 {
-		return errors.NewInvalid(api.Kind("Service"), service.Name, el)
+		return apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 	}
 
 	// Special-case: headless + selectorless.  This has to happen before other
@@ -277,7 +278,7 @@ func (al *Allocators) initIPFamilyFields(after After, before Before) error {
 
 	// If we have validation errors, don't bother with the rest.
 	if len(el) > 0 {
-		return errors.NewInvalid(api.Kind("Service"), service.Name, el)
+		return apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 	}
 
 	// nil families, gets cluster default
@@ -414,13 +415,17 @@ func (al *Allocators) allocIPs(service *api.Service, toAlloc map[api.IPFamily]st
 				allocatedIP, err = allocator.AllocateNext()
 			}
 			if err != nil {
-				return allocated, errors.NewInternalError(fmt.Errorf("failed to allocate a serviceIP: %v", err))
+				if !errors.Is(err, ipallocator.ErrFull) {
+					el := field.ErrorList{field.Invalid(field.NewPath("spec", "clusterIPs"), service.Spec.ClusterIPs, fmt.Sprintf("failed to allocate IP: %v", err))}
+					return allocated, apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
+				}
+				return allocated, apierrors.NewInternalError(fmt.Errorf("failed to allocate a serviceIP: %w", err))
 			}
 			allocated[family] = allocatedIP.String()
 		} else {
 			parsedIP := netutils.ParseIPSloppy(ip)
 			if parsedIP == nil {
-				return allocated, errors.NewInternalError(fmt.Errorf("failed to parse service IP %q", ip))
+				return allocated, apierrors.NewInternalError(fmt.Errorf("failed to parse service IP %q", ip))
 			}
 			var err error
 			if utilfeature.DefaultFeatureGate.Enabled(features.MultiCIDRServiceAllocator) {
@@ -436,7 +441,7 @@ func (al *Allocators) allocIPs(service *api.Service, toAlloc map[api.IPFamily]st
 			}
 			if err != nil {
 				el := field.ErrorList{field.Invalid(field.NewPath("spec", "clusterIPs"), service.Spec.ClusterIPs, fmt.Sprintf("failed to allocate IP %v: %v", ip, err))}
-				return allocated, errors.NewInvalid(api.Kind("Service"), service.Name, el)
+				return allocated, apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 			}
 			allocated[family] = ip
 		}
@@ -462,7 +467,7 @@ func (al *Allocators) releaseIPs(toRelease map[api.IPFamily]string) (map[api.IPF
 
 		parsedIP := netutils.ParseIPSloppy(ip)
 		if parsedIP == nil {
-			return released, errors.NewInternalError(fmt.Errorf("failed to parse service IP %q", ip))
+			return released, apierrors.NewInternalError(fmt.Errorf("failed to parse service IP %q", ip))
 		}
 		if err := allocator.Release(parsedIP); err != nil {
 			return released, err
@@ -502,7 +507,7 @@ func (al *Allocators) txnAllocNodePorts(service *api.Service, dryRun bool) (tran
 	if apiservice.NeedsHealthCheck(service) {
 		if err := al.allocHealthCheckNodePort(service, nodePortOp); err != nil {
 			txn.Revert()
-			return nil, errors.NewInternalError(err)
+			return nil, apierrors.NewInternalError(err)
 		}
 	}
 
@@ -528,7 +533,7 @@ func initNodePorts(service *api.Service, nodePortOp *portallocator.PortAllocatio
 				if err != nil {
 					// TODO: when validation becomes versioned, this gets more complicated.
 					el := field.ErrorList{field.Invalid(field.NewPath("spec", "ports").Index(i).Child("nodePort"), np, err.Error())}
-					return errors.NewInvalid(api.Kind("Service"), service.Name, el)
+					return apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 				}
 				servicePort.NodePort = int32(np)
 				svcPortToNodePort[int(servicePort.Port)] = np
@@ -538,7 +543,7 @@ func initNodePorts(service *api.Service, nodePortOp *portallocator.PortAllocatio
 					// TODO: what error should be returned here?  It's not a
 					// field-level validation failure (the field is valid), and it's
 					// not really an internal error.
-					return errors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %v", err))
+					return apierrors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %w", err))
 				}
 				servicePort.NodePort = int32(nodePort)
 				svcPortToNodePort[int(servicePort.Port)] = nodePort
@@ -553,7 +558,7 @@ func initNodePorts(service *api.Service, nodePortOp *portallocator.PortAllocatio
 				if err != nil {
 					// TODO: when validation becomes versioned, this gets more complicated.
 					el := field.ErrorList{field.Invalid(field.NewPath("spec", "ports").Index(i).Child("nodePort"), servicePort.NodePort, err.Error())}
-					return errors.NewInvalid(api.Kind("Service"), service.Name, el)
+					return apierrors.NewInvalid(api.Kind("Service"), service.Name, el)
 				}
 			}
 		}
@@ -816,7 +821,7 @@ func (al *Allocators) updateNodePorts(after After, before Before, nodePortOp *po
 				err := nodePortOp.Allocate(int(nodePort.NodePort))
 				if err != nil {
 					el := field.ErrorList{field.Invalid(field.NewPath("spec", "ports").Index(i).Child("nodePort"), nodePort.NodePort, err.Error())}
-					return errors.NewInvalid(api.Kind("Service"), newService.Name, el)
+					return apierrors.NewInvalid(api.Kind("Service"), newService.Name, el)
 				}
 				portAllocated[int(nodePort.NodePort)] = true
 			}
@@ -826,7 +831,7 @@ func (al *Allocators) updateNodePorts(after After, before Before, nodePortOp *po
 				// TODO: what error should be returned here?  It's not a
 				// field-level validation failure (the field is valid), and it's
 				// not really an internal error.
-				return errors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %v", err))
+				return apierrors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %w", err))
 			}
 			servicePort.NodePort = int32(nodePortNumber)
 			nodePort.NodePort = servicePort.NodePort
@@ -867,7 +872,7 @@ func (al *Allocators) updateHealthCheckNodePort(after After, before Before, node
 	// Insert health check node port into the service's HealthCheckNodePort field if needed.
 	case !neededHealthCheckNodePort && needsHealthCheckNodePort:
 		if err := al.allocHealthCheckNodePort(service, nodePortOp); err != nil {
-			return false, errors.NewInternalError(err)
+			return false, apierrors.NewInternalError(err)
 		}
 
 	// Case 2: Transition from needs HealthCheckNodePort to don't need HealthCheckNodePort.
diff --git a/pkg/registry/core/service/storage/storage_test.go b/pkg/registry/core/service/storage/storage_test.go
index c0b4ebc40a830..8ab63e9894e24 100644
--- a/pkg/registry/core/service/storage/storage_test.go
+++ b/pkg/registry/core/service/storage/storage_test.go
@@ -35,18 +35,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	machineryutilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apimachinery/pkg/util/version"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
 	"k8s.io/apiserver/pkg/registry/rest"
 	etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	epstest "k8s.io/kubernetes/pkg/api/endpoints/testing"
 	svctest "k8s.io/kubernetes/pkg/api/service/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/features"
 	endpointstore "k8s.io/kubernetes/pkg/registry/core/endpoint/storage"
 	podstore "k8s.io/kubernetes/pkg/registry/core/pod/storage"
 	"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
@@ -91,7 +87,7 @@ func newStorageWithPods(t *testing.T, ipFamilies []api.IPFamily, pods []api.Pod,
 		Decorator:               generic.UndecoratedStorage,
 		DeleteCollectionWorkers: 3,
 		ResourcePrefix:          "pods",
-	}, nil, nil, nil)
+	}, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("unexpected error from REST storage: %v", err)
 	}
@@ -11763,132 +11759,14 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 
 	testCases := []struct {
 		name                   string
-		ipModeEnabled          bool
 		statusBeforeUpdate     api.ServiceStatus
 		newStatus              api.ServiceStatus
 		expectedStatus         api.ServiceStatus
 		expectErr              bool
 		expectedReasonForError metav1.StatusReason
 	}{
-		/*LoadBalancerIPMode disabled*/
 		{
-			name:               "LoadBalancerIPMode disabled, ipMode not used in old, not used in new",
-			ipModeEnabled:      false,
-			statusBeforeUpdate: api.ServiceStatus{},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectedStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectErr: false,
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode used in old and in new",
-			ipModeEnabled: false,
-			statusBeforeUpdate: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				},
-			},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				},
-			},
-			expectedStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				},
-			},
-			expectErr: false,
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode not used in old, used in new",
-			ipModeEnabled: false,
-			statusBeforeUpdate: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				},
-			},
-			expectedStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectErr: false,
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode used in old, not used in new",
-			ipModeEnabled: false,
-			statusBeforeUpdate: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				},
-			},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectedStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectErr: false,
-		},
-		/*LoadBalancerIPMode enabled*/
-		{
-			name:               "LoadBalancerIPMode enabled, ipMode not used in old, not used in new",
-			ipModeEnabled:      true,
-			statusBeforeUpdate: api.ServiceStatus{},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			expectedStatus:         api.ServiceStatus{},
-			expectErr:              true,
-			expectedReasonForError: metav1.StatusReasonInvalid,
-		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode used in old and in new",
-			ipModeEnabled: true,
+			name: "ipMode used in old and in new",
 			statusBeforeUpdate: api.ServiceStatus{
 				LoadBalancer: api.LoadBalancerStatus{
 					Ingress: []api.LoadBalancerIngress{{
@@ -11915,35 +11793,7 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 			},
 			expectErr: false,
 		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode not used in old, used in new",
-			ipModeEnabled: true,
-			statusBeforeUpdate: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				},
-			},
-			newStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				},
-			},
-			expectedStatus: api.ServiceStatus{
-				LoadBalancer: api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				},
-			},
-			expectErr: false,
-		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode used in old, not used in new",
-			ipModeEnabled: true,
+			name: "ipMode used in old, not used in new",
 			statusBeforeUpdate: api.ServiceStatus{
 				LoadBalancer: api.LoadBalancerStatus{
 					Ingress: []api.LoadBalancerIngress{{
@@ -11963,12 +11813,12 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 			expectErr:              true,
 			expectedReasonForError: metav1.StatusReasonInvalid,
 		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode not used in old, invalid value used in new",
-			ipModeEnabled: true,
+			name: "ipMode used in old, invalid value used in new",
 			statusBeforeUpdate: api.ServiceStatus{
 				LoadBalancer: api.LoadBalancerStatus{
 					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
+						IP:     "1.2.3.4",
+						IPMode: &ipModeVIP,
 					}},
 				},
 			},
@@ -11993,28 +11843,18 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 			ctx := genericapirequest.NewDefaultContext()
 			obj, err := storage.Create(ctx, svc, rest.ValidateAllObjectFunc, &metav1.CreateOptions{})
 			if err != nil {
-				t.Errorf("created svc: %s", err)
+				t.Fatalf("created svc: %s", err)
 			}
 			defer storage.Delete(ctx, svc.Name, rest.ValidateAllObjectFunc, &metav1.DeleteOptions{})
 
 			// prepare status
-			// Test here is negative, because starting with v1.30 the feature gate is enabled by default, so we should
-			// now disable it to do the proper test
-			if !loadbalancerIPModeInUse(tc.statusBeforeUpdate) {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, false)
-			}
 			oldSvc := obj.(*api.Service).DeepCopy()
 			oldSvc.Status = tc.statusBeforeUpdate
 			obj, _, err = statusStorage.Update(ctx, oldSvc.Name, rest.DefaultUpdatedObjectInfo(oldSvc), rest.ValidateAllObjectFunc, rest.ValidateAllObjectUpdateFunc, false, &metav1.UpdateOptions{})
 			if err != nil {
-				t.Errorf("updated status: %s", err)
+				t.Fatalf("updated status: %s", err)
 			}
 
-			if !tc.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, tc.ipModeEnabled)
 			newSvc := obj.(*api.Service).DeepCopy()
 			newSvc.Status = tc.newStatus
 			obj, _, err = statusStorage.Update(ctx, newSvc.Name, rest.DefaultUpdatedObjectInfo(newSvc), rest.ValidateAllObjectFunc, rest.ValidateAllObjectUpdateFunc, false, &metav1.UpdateOptions{})
@@ -12022,7 +11862,7 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 				if tc.expectErr && tc.expectedReasonForError == errors.ReasonForError(err) {
 					return
 				}
-				t.Errorf("updated status: %s", err)
+				t.Fatalf("updated status: %s", err)
 			}
 
 			updated := obj.(*api.Service)
@@ -12032,12 +11872,3 @@ func TestUpdateServiceLoadBalancerStatus(t *testing.T) {
 		})
 	}
 }
-
-func loadbalancerIPModeInUse(status api.ServiceStatus) bool {
-	for _, ing := range status.LoadBalancer.Ingress {
-		if ing.IPMode != nil {
-			return true
-		}
-	}
-	return false
-}
diff --git a/pkg/registry/core/service/strategy.go b/pkg/registry/core/service/strategy.go
index 2c53bcbeda653..fec2ae4920be7 100644
--- a/pkg/registry/core/service/strategy.go
+++ b/pkg/registry/core/service/strategy.go
@@ -218,26 +218,7 @@ func SelectableFields(service *api.Service) fields.Set {
 //	if !utilfeature.DefaultFeatureGate.Enabled(features.MyFeature) && !myFeatureInUse(oldSvc) {
 //	    newSvc.Status.MyFeature = nil
 //	}
-func dropServiceStatusDisabledFields(newSvc *api.Service, oldSvc *api.Service) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.LoadBalancerIPMode) && !loadbalancerIPModeInUse(oldSvc) {
-		for i := range newSvc.Status.LoadBalancer.Ingress {
-			newSvc.Status.LoadBalancer.Ingress[i].IPMode = nil
-		}
-	}
-}
-
-// returns true when the LoadBalancer Ingress IPMode fields are in use.
-func loadbalancerIPModeInUse(svc *api.Service) bool {
-	if svc == nil {
-		return false
-	}
-	for _, ing := range svc.Status.LoadBalancer.Ingress {
-		if ing.IPMode != nil {
-			return true
-		}
-	}
-	return false
-}
+func dropServiceStatusDisabledFields(newSvc *api.Service, oldSvc *api.Service) {}
 
 func sameStringSlice(a []string, b []string) bool {
 	if len(a) != len(b) {
diff --git a/pkg/registry/core/service/strategy_test.go b/pkg/registry/core/service/strategy_test.go
index 5ee914ff054d6..121fa632a98ef 100644
--- a/pkg/registry/core/service/strategy_test.go
+++ b/pkg/registry/core/service/strategy_test.go
@@ -28,14 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/version"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	_ "k8s.io/kubernetes/pkg/apis/core/install"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/utils/ptr"
 )
 
@@ -253,254 +249,6 @@ func TestDropDisabledField(t *testing.T) {
 
 }
 
-func TestDropServiceStatusDisabledFields(t *testing.T) {
-	ipModeVIP := api.LoadBalancerIPModeVIP
-	ipModeProxy := api.LoadBalancerIPModeProxy
-
-	testCases := []struct {
-		name          string
-		ipModeEnabled bool
-		svc           *api.Service
-		oldSvc        *api.Service
-		compareSvc    *api.Service
-	}{
-		/*LoadBalancerIPMode disabled*/
-		{
-			name:          "LoadBalancerIPMode disabled, ipMode not used in old, not used in new",
-			ipModeEnabled: false,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode used in old and in new",
-			ipModeEnabled: false,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode not used in old, used in new",
-			ipModeEnabled: false,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode disabled, ipMode used in old, not used in new",
-			ipModeEnabled: false,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-		},
-		/*LoadBalancerIPMode enabled*/
-		{
-			name:          "LoadBalancerIPMode enabled, ipMode not used in old, not used in new",
-			ipModeEnabled: true,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			oldSvc: nil,
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode used in old and in new",
-			ipModeEnabled: true,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode not used in old, used in new",
-			ipModeEnabled: true,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeVIP,
-					}},
-				}
-			}),
-		}, {
-			name:          "LoadBalancerIPMode enabled, ipMode used in old, not used in new",
-			ipModeEnabled: true,
-			svc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-			oldSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP:     "1.2.3.4",
-						IPMode: &ipModeProxy,
-					}},
-				}
-			}),
-			compareSvc: makeValidServiceCustom(func(svc *api.Service) {
-				svc.Spec.Type = api.ServiceTypeLoadBalancer
-				svc.Status.LoadBalancer = api.LoadBalancerStatus{
-					Ingress: []api.LoadBalancerIngress{{
-						IP: "1.2.3.4",
-					}},
-				}
-			}),
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if !tc.ipModeEnabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.LoadBalancerIPMode, tc.ipModeEnabled)
-			dropServiceStatusDisabledFields(tc.svc, tc.oldSvc)
-
-			if !reflect.DeepEqual(tc.svc, tc.compareSvc) {
-				t.Errorf("%v: unexpected svc spec: %v", tc.name, cmp.Diff(tc.svc, tc.compareSvc))
-			}
-		})
-	}
-}
-
 func TestDropTypeDependentFields(t *testing.T) {
 	// Tweaks used below.
 	setTypeExternalName := func(svc *api.Service) {
diff --git a/pkg/registry/discovery/endpointslice/strategy_test.go b/pkg/registry/discovery/endpointslice/strategy_test.go
index 3113fc3242dc0..ad8e2bfcd8ad8 100644
--- a/pkg/registry/discovery/endpointslice/strategy_test.go
+++ b/pkg/registry/discovery/endpointslice/strategy_test.go
@@ -115,7 +115,10 @@ func Test_dropDisabledFieldsOnCreate(t *testing.T) {
 
 	for _, testcase := range testcases {
 		t.Run(testcase.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, testcase.preferSameEnabled)
+			if !testcase.preferSameEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, false)
+			}
 
 			dropDisabledFieldsOnCreate(testcase.eps)
 			if !apiequality.Semantic.DeepEqual(testcase.eps, testcase.expectedEPS) {
@@ -413,9 +416,9 @@ func Test_dropDisabledFieldsOnUpdate(t *testing.T) {
 		t.Run(testcase.name, func(t *testing.T) {
 			if !testcase.hintsGateEnabled {
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
-			}
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TopologyAwareHints, testcase.hintsGateEnabled)
-			if testcase.hintsGateEnabled {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TopologyAwareHints, testcase.hintsGateEnabled)
+			} else if !testcase.preferSameEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, testcase.preferSameEnabled)
 			}
 
diff --git a/pkg/registry/flowcontrol/rest/storage_flowcontrol.go b/pkg/registry/flowcontrol/rest/storage_flowcontrol.go
index ca00bb71fcebc..055f858e15d58 100644
--- a/pkg/registry/flowcontrol/rest/storage_flowcontrol.go
+++ b/pkg/registry/flowcontrol/rest/storage_flowcontrol.go
@@ -37,7 +37,6 @@ import (
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/flowcontrol"
 	flowcontrolapisv1 "k8s.io/kubernetes/pkg/apis/flowcontrol/v1"
-	flowcontrolapisv1beta3 "k8s.io/kubernetes/pkg/apis/flowcontrol/v1beta3"
 	"k8s.io/kubernetes/pkg/registry/flowcontrol/ensurer"
 	flowschemastore "k8s.io/kubernetes/pkg/registry/flowcontrol/flowschema/storage"
 	prioritylevelconfigurationstore "k8s.io/kubernetes/pkg/registry/flowcontrol/prioritylevelconfiguration/storage"
@@ -57,12 +56,6 @@ const PostStartHookName = "priority-and-fairness-config-producer"
 func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, error) {
 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(flowcontrol.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
 
-	if storageMap, err := p.storage(apiResourceConfigSource, restOptionsGetter, flowcontrolapisv1beta3.SchemeGroupVersion); err != nil {
-		return genericapiserver.APIGroupInfo{}, err
-	} else if len(storageMap) > 0 {
-		apiGroupInfo.VersionedResourcesStorageMap[flowcontrolapisv1beta3.SchemeGroupVersion.Version] = storageMap
-	}
-
 	if storageMap, err := p.storage(apiResourceConfigSource, restOptionsGetter, flowcontrolapisv1.SchemeGroupVersion); err != nil {
 		return genericapiserver.APIGroupInfo{}, err
 	} else if len(storageMap) > 0 {
diff --git a/pkg/registry/policy/OWNERS b/pkg/registry/policy/OWNERS
index 50dc329afb3f1..c6d302e5ea268 100644
--- a/pkg/registry/policy/OWNERS
+++ b/pkg/registry/policy/OWNERS
@@ -1,8 +1,8 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
 approvers:
-  - sig-auth-policy-approvers
+  - sig-apps-approvers
 reviewers:
-  - sig-auth-policy-reviewers
+  - sig-apps-reviewers
 labels:
-  - sig/auth
+  - sig/apps
diff --git a/pkg/registry/rbac/clusterrole/declarative_validation_test.go b/pkg/registry/rbac/clusterrole/declarative_validation_test.go
new file mode 100644
index 0000000000000..89689554eee50
--- /dev/null
+++ b/pkg/registry/rbac/clusterrole/declarative_validation_test.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clusterrole
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	rbac "k8s.io/kubernetes/pkg/apis/rbac"
+)
+
+var apiVersions = []string{"v1", "v1alpha1", "v1beta1"}
+
+func TestDeclarativeValidateForDeclarative(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		testDeclarativeValidateForDeclarative(t, apiVersion)
+	}
+}
+
+func testDeclarativeValidateForDeclarative(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "rbac.authorization.k8s.io",
+		APIVersion: apiVersion,
+	})
+	testCases := map[string]struct {
+		input        rbac.ClusterRole
+		expectedErrs field.ErrorList
+	}{
+		// TODO: Add more test cases
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs)
+		})
+	}
+}
+
+func TestValidateUpdateForDeclarative(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		testValidateUpdateForDeclarative(t, apiVersion)
+	}
+}
+
+func testValidateUpdateForDeclarative(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "rbac.authorization.k8s.io",
+		APIVersion: apiVersion,
+	})
+	testCases := map[string]struct {
+		old          rbac.ClusterRole
+		update       rbac.ClusterRole
+		expectedErrs field.ErrorList
+	}{
+		// TODO: Add more test cases
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, Strategy.ValidateUpdate, tc.expectedErrs)
+		})
+	}
+}
diff --git a/pkg/registry/rbac/clusterrole/strategy.go b/pkg/registry/rbac/clusterrole/strategy.go
index ab5d6fcda0618..13062cfdda459 100644
--- a/pkg/registry/rbac/clusterrole/strategy.go
+++ b/pkg/registry/rbac/clusterrole/strategy.go
@@ -19,6 +19,7 @@ package clusterrole
 import (
 	"context"
 
+	"k8s.io/apimachinery/pkg/api/operation"
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -75,7 +76,9 @@ func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorLis
 	opts := validation.ClusterRoleValidationOptions{
 		AllowInvalidLabelValueInSelector: false,
 	}
-	return validation.ValidateClusterRole(clusterRole, opts)
+	allErrs := validation.ValidateClusterRole(clusterRole, opts)
+
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, clusterRole, nil, allErrs, operation.Create)
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
@@ -93,8 +96,9 @@ func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) fie
 	opts := validation.ClusterRoleValidationOptions{
 		AllowInvalidLabelValueInSelector: hasInvalidLabelValueInLabelSelector(oldObj),
 	}
-	errorList := validation.ValidateClusterRole(newObj, opts)
-	return append(errorList, validation.ValidateClusterRoleUpdate(newObj, old.(*rbac.ClusterRole), opts)...)
+	errs := validation.ValidateClusterRoleUpdate(newObj, oldObj, opts)
+
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newObj, oldObj, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/rbac/clusterrolebinding/strategy.go b/pkg/registry/rbac/clusterrolebinding/strategy.go
index 83f0a54fadcef..7bfd68c17e1c3 100644
--- a/pkg/registry/rbac/clusterrolebinding/strategy.go
+++ b/pkg/registry/rbac/clusterrolebinding/strategy.go
@@ -84,9 +84,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
 
 // ValidateUpdate is the default update validation for an end user.
 func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	newObj := obj.(*rbac.ClusterRoleBinding)
-	errorList := validation.ValidateClusterRoleBinding(newObj)
-	return append(errorList, validation.ValidateClusterRoleBindingUpdate(newObj, old.(*rbac.ClusterRoleBinding))...)
+	return validation.ValidateClusterRoleBindingUpdate(obj.(*rbac.ClusterRoleBinding), old.(*rbac.ClusterRoleBinding))
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/rbac/role/strategy.go b/pkg/registry/rbac/role/strategy.go
index a7c0b04284bd6..d3688a73e4f77 100644
--- a/pkg/registry/rbac/role/strategy.go
+++ b/pkg/registry/rbac/role/strategy.go
@@ -84,9 +84,7 @@ func (strategy) Canonicalize(obj runtime.Object) {
 
 // ValidateUpdate is the default update validation for an end user.
 func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	newObj := obj.(*rbac.Role)
-	errorList := validation.ValidateRole(newObj)
-	return append(errorList, validation.ValidateRoleUpdate(newObj, old.(*rbac.Role))...)
+	return validation.ValidateRoleUpdate(obj.(*rbac.Role), old.(*rbac.Role))
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/rbac/rolebinding/declarative_validation_test.go b/pkg/registry/rbac/rolebinding/declarative_validation_test.go
new file mode 100644
index 0000000000000..e26671ee10f3e
--- /dev/null
+++ b/pkg/registry/rbac/rolebinding/declarative_validation_test.go
@@ -0,0 +1,105 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rolebinding
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	rbac "k8s.io/kubernetes/pkg/apis/rbac"
+)
+
+var apiVersions = []string{"v1", "v1alpha1", "v1beta1"}
+
+func TestDeclarativeValidateForDeclarative(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testDeclarativeValidateForDeclarative(t, apiVersion)
+		})
+	}
+}
+
+func testDeclarativeValidateForDeclarative(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "rbac.authorization.k8s.io",
+		APIVersion: apiVersion,
+	})
+
+	testCases := map[string]struct {
+		input        rbac.RoleBinding
+		expectedErrs field.ErrorList
+	}{
+		"missing roleRef.name": {
+			input: rbac.RoleBinding{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-binding", Namespace: "test-ns"},
+				RoleRef: rbac.RoleRef{
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "ClusterRole",
+					// Name is intentionally missing here
+				},
+				Subjects: []rbac.Subject{
+					{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "user1"},
+				},
+			},
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("roleRef", "name"), "name is required"),
+			},
+		},
+
+		"missing subject.name": {
+			input: rbac.RoleBinding{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-binding", Namespace: "test-ns"},
+				RoleRef: rbac.RoleRef{
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "Role",
+					Name:     "reader",
+				},
+				Subjects: []rbac.Subject{
+					{Kind: rbac.UserKind, APIGroup: rbac.GroupName},
+				},
+			},
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("subjects").Index(0).Child("name"), "name is required"),
+			},
+		},
+
+		"valid binding": {
+			input: rbac.RoleBinding{
+				ObjectMeta: metav1.ObjectMeta{Name: "valid-binding", Namespace: "test-ns"},
+				RoleRef: rbac.RoleRef{
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "Role",
+					Name:     "admin",
+				},
+				Subjects: []rbac.Subject{
+					{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "user1"},
+				},
+			},
+			expectedErrs: field.ErrorList{},
+		},
+		// TODO: Add more test cases
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs)
+		})
+	}
+}
diff --git a/pkg/registry/rbac/rolebinding/strategy.go b/pkg/registry/rbac/rolebinding/strategy.go
index aa003ae1ca83f..a2fba90516900 100644
--- a/pkg/registry/rbac/rolebinding/strategy.go
+++ b/pkg/registry/rbac/rolebinding/strategy.go
@@ -19,6 +19,7 @@ package rolebinding
 import (
 	"context"
 
+	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -71,7 +72,8 @@ func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
 // Validate validates a new RoleBinding. Validation must check for a correct signature.
 func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	roleBinding := obj.(*rbac.RoleBinding)
-	return validation.ValidateRoleBinding(roleBinding)
+	allErrs := validation.ValidateRoleBinding(roleBinding)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, roleBinding, nil, allErrs, operation.Create)
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
@@ -84,9 +86,13 @@ func (strategy) Canonicalize(obj runtime.Object) {
 
 // ValidateUpdate is the default update validation for an end user.
 func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	newObj := obj.(*rbac.RoleBinding)
-	errorList := validation.ValidateRoleBinding(newObj)
-	return append(errorList, validation.ValidateRoleBindingUpdate(newObj, old.(*rbac.RoleBinding))...)
+
+	newRoleBinding := obj.(*rbac.RoleBinding)
+	oldRoleBinding := old.(*rbac.RoleBinding)
+
+	allErrs := validation.ValidateRoleBindingUpdate(newRoleBinding, oldRoleBinding)
+
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newRoleBinding, oldRoleBinding, allErrs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/resource/deviceclass/declarative_validation_test.go b/pkg/registry/resource/deviceclass/declarative_validation_test.go
new file mode 100644
index 0000000000000..85fc6f175ce48
--- /dev/null
+++ b/pkg/registry/resource/deviceclass/declarative_validation_test.go
@@ -0,0 +1,335 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package deviceclass
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	_ "k8s.io/kubernetes/pkg/apis/resource/install"
+	"k8s.io/utils/ptr"
+)
+
+var apiVersions = []string{"v1", "v1beta1", "v1beta2"}
+
+func TestDeclarativeValidate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+				APIGroup:   "resource.k8s.io",
+				APIVersion: apiVersion,
+				Resource:   "deviceclasses",
+			})
+
+			strategy := Strategy
+
+			testCases := map[string]struct {
+				input        resource.DeviceClass
+				expectedErrs field.ErrorList
+			}{
+				"valid": {
+					input: mkDeviceClass(),
+				},
+				// metadata.name
+				"name: empty": {
+					input: mkDeviceClass(tweakName("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("metadata", "name"), ""),
+					},
+				},
+				"name: valid": {
+					input: mkDeviceClass(tweakName("example.com")),
+				},
+				"name: invalid (uppercase)": {
+					input: mkDeviceClass(tweakName("Invalid-Name")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("metadata", "name"), "Invalid-Name", "").WithOrigin("format=k8s-long-name"),
+					},
+				},
+				"name: invalid (start with dash)": {
+					input: mkDeviceClass(tweakName("-invalid")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("metadata", "name"), "-invalid", "").WithOrigin("format=k8s-long-name"),
+					},
+				},
+				"name: max length": {
+					input: mkDeviceClass(tweakName(strings.Repeat("a", 253))),
+				},
+				"name: too long": {
+					input: mkDeviceClass(tweakName(strings.Repeat("a", 254))),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("metadata", "name"), strings.Repeat("a", 254), "").WithOrigin("format=k8s-long-name"),
+					},
+				},
+				// spec.selectors.
+				"valid: at limit selectors": {
+					input: mkDeviceClass(tweakSelectors(32)),
+				},
+				"too many selectors": {
+					input: mkDeviceClass(tweakSelectors(33)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "selectors"), 33, 32).WithOrigin("maxItems"),
+					},
+				},
+				// spec.config
+				"too many configs": {
+					input: mkDeviceClass(tweakConfig(33)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "config"), 33, 32).WithOrigin("maxItems"),
+					},
+				},
+				"valid: at limit configs": {
+					input: mkDeviceClass(tweakConfig(32)),
+				},
+
+				// ExtendedResourceName
+				"valid extended resource name": {
+					input: mkDeviceClass(tweakExtendedResourceName("example.com/my-resource")),
+				},
+				"invalid extended resource name": {
+					input: mkDeviceClass(tweakExtendedResourceName("invalid_name")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "invalid_name", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name, no slash": {
+					input: mkDeviceClass(tweakExtendedResourceName("noslash")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "noslash", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name, kubernetes.io domain": {
+					input: mkDeviceClass(tweakExtendedResourceName("kubernetes.io/foo")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "kubernetes.io/foo", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name, requests. prefix": {
+					input: mkDeviceClass(tweakExtendedResourceName("requests.example.com/foo")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "requests.example.com/foo", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name, too long": {
+					input: mkDeviceClass(tweakExtendedResourceName("example.com/" + strings.Repeat("a", 64))),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "example.com/"+strings.Repeat("a", 64), "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				// TODO: Add more test cases
+			}
+
+			for k, tc := range testCases {
+				t.Run(k, func(t *testing.T) {
+					apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, strategy.Validate, tc.expectedErrs)
+				})
+			}
+		})
+	}
+}
+
+func TestDeclarativeValidateUpdate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+				APIGroup:   "resource.k8s.io",
+				APIVersion: apiVersion,
+				Resource:   "deviceclasses",
+			})
+
+			strategy := Strategy
+
+			testCases := map[string]struct {
+				old          resource.DeviceClass
+				update       resource.DeviceClass
+				expectedErrs field.ErrorList
+			}{
+				"valid no changes": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(),
+				},
+				// metadata.name
+				"name: changed": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakName("test-classx")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("metadata", "name"), "test-classx", "field is immutable"),
+					},
+				},
+				"valid update: at limit selectors": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakSelectors(32)),
+				},
+				"update with too many selectors": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakSelectors(33)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "selectors"), 33, 32).WithOrigin("maxItems"),
+					},
+				},
+				"valid update: at limit configs": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakConfig(32)),
+				},
+				"update with too many configs": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakConfig(33)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "config"), 33, 32).WithOrigin("maxItems"),
+					},
+				},
+
+				// spec.ExtendedResourceName
+				"valid extended resource name update": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("example.com/my-resource")),
+				},
+				"invalid extended resource name update": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("invalid_name")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "invalid_name", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name update, no slash": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("noslash")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "noslash", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name update, kubernetes.io domain": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("kubernetes.io/foo")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "kubernetes.io/foo", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name update, requests. prefix": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("requests.example.com/foo")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "requests.example.com/foo", "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				"invalid extended resource name update, too long": {
+					old:    mkDeviceClass(),
+					update: mkDeviceClass(tweakExtendedResourceName("example.com/" + strings.Repeat("a", 64))),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "extendedResourceName"), "example.com/"+strings.Repeat("a", 64), "").WithOrigin("format=k8s-extended-resource-name"),
+					},
+				},
+				// TODO: Add more test cases
+			}
+
+			for k, tc := range testCases {
+				t.Run(k, func(t *testing.T) {
+					tc.old.ResourceVersion = "1"
+					tc.update.ResourceVersion = "1"
+					apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, strategy.ValidateUpdate, tc.expectedErrs)
+				})
+			}
+		})
+	}
+}
+
+// Helper function to create a DeviceClass with default values and optional mutators
+func mkDeviceClass(mutators ...func(*resource.DeviceClass)) resource.DeviceClass {
+	dc := resource.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-class",
+		},
+		Spec: resource.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/my-resource"),
+			Selectors: []resource.DeviceSelector{
+				{
+					CEL: &resource.CELDeviceSelector{
+						Expression: "device.driver == \"test.driver.io\"",
+					},
+				},
+			},
+			Config: []resource.DeviceClassConfiguration{
+				{
+					DeviceConfiguration: resource.DeviceConfiguration{
+						Opaque: &resource.OpaqueDeviceConfiguration{
+							Driver: "test.driver.io",
+							Parameters: runtime.RawExtension{
+								Raw: []byte(`{"key":"value"}`),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, mutate := range mutators {
+		mutate(&dc)
+	}
+	return dc
+}
+
+func tweakName(name string) func(*resource.DeviceClass) {
+	return func(dc *resource.DeviceClass) {
+		dc.Name = name
+	}
+}
+
+func tweakSelectors(count int) func(*resource.DeviceClass) {
+	return func(dc *resource.DeviceClass) {
+		dc.Spec.Selectors = []resource.DeviceSelector{}
+
+		for i := 0; i < count; i++ {
+			dc.Spec.Selectors = append(dc.Spec.Selectors, resource.DeviceSelector{
+				CEL: &resource.CELDeviceSelector{
+					Expression: fmt.Sprintf("device.driver == \"test.driver.io%d\"", i),
+				},
+			})
+		}
+	}
+}
+
+func tweakConfig(count int) func(*resource.DeviceClass) {
+	return func(dc *resource.DeviceClass) {
+		dc.Spec.Config = []resource.DeviceClassConfiguration{}
+		for i := 0; i < count; i++ {
+			dc.Spec.Config = append(dc.Spec.Config, resource.DeviceClassConfiguration{
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver: "test.driver.io",
+						Parameters: runtime.RawExtension{
+							Raw: []byte(fmt.Sprintf(`{"key":"value%d"}`, i)),
+						},
+					},
+				},
+			})
+		}
+	}
+}
+
+func tweakExtendedResourceName(name string) func(*resource.DeviceClass) {
+	return func(dc *resource.DeviceClass) {
+		nameCopy := name
+		dc.Spec.ExtendedResourceName = &nameCopy
+	}
+}
diff --git a/pkg/registry/resource/deviceclass/strategy.go b/pkg/registry/resource/deviceclass/strategy.go
index d682ef28ebb13..5815dfae0c1bb 100644
--- a/pkg/registry/resource/deviceclass/strategy.go
+++ b/pkg/registry/resource/deviceclass/strategy.go
@@ -20,8 +20,10 @@ import (
 	"context"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/storage/names"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -50,7 +52,9 @@ func (deviceClassStrategy) PrepareForCreate(ctx context.Context, obj runtime.Obj
 
 func (deviceClassStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	deviceClass := obj.(*resource.DeviceClass)
-	return validation.ValidateDeviceClass(deviceClass)
+	errorList := validation.ValidateDeviceClass(deviceClass)
+
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, deviceClass, nil, errorList, operation.Create)
 }
 
 func (deviceClassStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
@@ -77,8 +81,10 @@ func (deviceClassStrategy) PrepareForUpdate(ctx context.Context, obj, old runtim
 }
 
 func (deviceClassStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	errorList := validation.ValidateDeviceClass(obj.(*resource.DeviceClass))
-	return append(errorList, validation.ValidateDeviceClassUpdate(obj.(*resource.DeviceClass), old.(*resource.DeviceClass))...)
+	newClass := obj.(*resource.DeviceClass)
+	oldClass := old.(*resource.DeviceClass)
+	errorList := validation.ValidateDeviceClassUpdate(newClass, oldClass)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newClass, oldClass, errorList, operation.Update)
 }
 
 func (deviceClassStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
diff --git a/pkg/registry/resource/devicetaintrule/storage/storage.go b/pkg/registry/resource/devicetaintrule/storage/storage.go
index 64ff2fb3972b1..9919426979e3c 100644
--- a/pkg/registry/resource/devicetaintrule/storage/storage.go
+++ b/pkg/registry/resource/devicetaintrule/storage/storage.go
@@ -17,14 +17,19 @@ limitations under the License.
 package storage
 
 import (
+	"context"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
+	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/printers"
 	printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
 	printerstorage "k8s.io/kubernetes/pkg/printers/storage"
 	"k8s.io/kubernetes/pkg/registry/resource/devicetaintrule"
+	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 )
 
 // REST implements a RESTStorage for DeviceTaintRule.
@@ -33,7 +38,7 @@ type REST struct {
 }
 
 // NewREST returns a RESTStorage object that will work against DeviceTaintRule.
-func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
+func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, *StatusREST, error) {
 	store := &genericregistry.Store{
 		NewFunc:                   func() runtime.Object { return &resource.DeviceTaintRule{} },
 		NewListFunc:               func() runtime.Object { return &resource.DeviceTaintRuleList{} },
@@ -44,13 +49,50 @@ func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
 		UpdateStrategy:      devicetaintrule.Strategy,
 		DeleteStrategy:      devicetaintrule.Strategy,
 		ReturnDeletedObject: true,
+		ResetFieldsStrategy: devicetaintrule.Strategy,
 
 		TableConvertor: printerstorage.TableConvertor{TableGenerator: printers.NewTableGenerator().With(printersinternal.AddHandlers)},
 	}
 	options := &generic.StoreOptions{RESTOptions: optsGetter}
 	if err := store.CompleteWithOptions(options); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	return &REST{store}, nil
+	statusStore := *store
+	statusStore.UpdateStrategy = devicetaintrule.StatusStrategy
+	statusStore.ResetFieldsStrategy = devicetaintrule.StatusStrategy
+
+	return &REST{store}, &StatusREST{store: &statusStore}, nil
+}
+
+// StatusREST implements the REST endpoint for changing the status of a DeviceTaintRule.
+type StatusREST struct {
+	store *genericregistry.Store
+}
+
+// New creates a new DeviceTaintRule object.
+func (r *StatusREST) New() runtime.Object {
+	return &resource.DeviceTaintRule{}
+}
+
+func (r *StatusREST) Destroy() {
+	// Given that underlying store is shared with REST,
+	// we don't destroy it here explicitly.
+}
+
+// Get retrieves the object from the storage. It is required to support Patch.
+func (r *StatusREST) Get(ctx context.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
+	return r.store.Get(ctx, name, options)
+}
+
+// Update alters the status subset of an object.
+func (r *StatusREST) Update(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) {
+	// We are explicitly setting forceAllowCreate to false in the call to the underlying storage because
+	// subresources should never allow create on update.
+	return r.store.Update(ctx, name, objInfo, createValidation, updateValidation, false, options)
+}
+
+// GetResetFields implements rest.ResetFieldsStrategy
+func (r *StatusREST) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
+	return r.store.GetResetFields()
 }
diff --git a/pkg/registry/resource/devicetaintrule/storage/storage_test.go b/pkg/registry/resource/devicetaintrule/storage/storage_test.go
index c45701a17ccd7..fa4a88d34341d 100644
--- a/pkg/registry/resource/devicetaintrule/storage/storage_test.go
+++ b/pkg/registry/resource/devicetaintrule/storage/storage_test.go
@@ -20,19 +20,24 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
+
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/generic"
 	genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
+	"k8s.io/apiserver/pkg/registry/rest"
 	etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	_ "k8s.io/kubernetes/pkg/apis/resource/install"
 	"k8s.io/kubernetes/pkg/registry/registrytest"
 )
 
-func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
+func newStorage(t *testing.T) (*REST, *StatusREST, *etcd3testing.EtcdTestServer) {
 	etcdStorage, server := registrytest.NewEtcdStorageForResource(t, resource.Resource("devicetaintrules"))
 	restOptions := generic.RESTOptions{
 		StorageConfig:           etcdStorage,
@@ -40,11 +45,11 @@ func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
 		DeleteCollectionWorkers: 1,
 		ResourcePrefix:          "devicetaintrules",
 	}
-	deviceTaintStorage, err := NewREST(restOptions)
+	deviceTaintStorage, statusStorage, err := NewREST(restOptions)
 	if err != nil {
 		t.Fatalf("unexpected error from REST storage: %v", err)
 	}
-	return deviceTaintStorage, server
+	return deviceTaintStorage, statusStorage, server
 }
 
 func validNewDeviceTaint(name string) *resource.DeviceTaintRule {
@@ -63,7 +68,7 @@ func validNewDeviceTaint(name string) *resource.DeviceTaintRule {
 }
 
 func TestCreate(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope()
@@ -80,7 +85,7 @@ func TestCreate(t *testing.T) {
 }
 
 func TestUpdate(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope()
@@ -98,7 +103,7 @@ func TestUpdate(t *testing.T) {
 }
 
 func TestDelete(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope().ReturnDeletedObject()
@@ -106,7 +111,7 @@ func TestDelete(t *testing.T) {
 }
 
 func TestGet(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope()
@@ -114,7 +119,7 @@ func TestGet(t *testing.T) {
 }
 
 func TestList(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope()
@@ -122,7 +127,7 @@ func TestList(t *testing.T) {
 }
 
 func TestWatch(t *testing.T) {
-	storage, server := newStorage(t)
+	storage, _, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
 	test := genericregistrytest.New(t, storage.Store).ClusterScope()
@@ -144,3 +149,39 @@ func TestWatch(t *testing.T) {
 		},
 	)
 }
+
+func TestUpdateStatus(t *testing.T) {
+	storage, statusStorage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	ctx := genericapirequest.NewDefaultContext()
+
+	key, _ := storage.KeyFunc(ctx, "foo")
+	deviceTaintStart := validNewDeviceTaint("foo")
+	err := storage.Storage.Create(ctx, key, deviceTaintStart, nil, 0, false)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	deviceTaint := deviceTaintStart.DeepCopy()
+	deviceTaint.Status.Conditions = []metav1.Condition{{
+		Type:               "EvicitionInProgress",
+		Status:             metav1.ConditionTrue,
+		Reason:             "PodsLeft",
+		Message:            "100 pods left",
+		LastTransitionTime: metav1.Time{Time: time.Now().Truncate(time.Second)},
+	}}
+	_, _, err = statusStorage.Update(ctx, deviceTaint.Name, rest.DefaultUpdatedObjectInfo(deviceTaint), rest.ValidateAllObjectFunc, rest.ValidateAllObjectUpdateFunc, false, &metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	obj, err := storage.Get(ctx, "foo", &metav1.GetOptions{})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	deviceTaintOut := obj.(*resource.DeviceTaintRule)
+	// only compare relevant changes b/c of difference in metadata
+	if !apiequality.Semantic.DeepEqual(deviceTaint.Status, deviceTaintOut.Status) {
+		t.Errorf("unexpected object: %s", cmp.Diff(deviceTaint.Status, deviceTaintOut.Status))
+	}
+}
diff --git a/pkg/registry/resource/devicetaintrule/strategy.go b/pkg/registry/resource/devicetaintrule/strategy.go
index d458fc7d53817..dc8325ea0518a 100644
--- a/pkg/registry/resource/devicetaintrule/strategy.go
+++ b/pkg/registry/resource/devicetaintrule/strategy.go
@@ -20,12 +20,14 @@ import (
 	"context"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/apis/resource/validation"
+	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 )
 
 // deviceTaintRuleStrategy implements behavior for DeviceTaintRule objects
@@ -34,51 +36,105 @@ type deviceTaintRuleStrategy struct {
 	names.NameGenerator
 }
 
-var Strategy = deviceTaintRuleStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}
+var (
+	Strategy       = &deviceTaintRuleStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}
+	StatusStrategy = &deviceTaintRuleStatusStrategy{deviceTaintRuleStrategy: Strategy}
+)
 
 func (deviceTaintRuleStrategy) NamespaceScoped() bool {
 	return false
 }
 
-func (deviceTaintRuleStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
-	patch := obj.(*resource.DeviceTaintRule)
-	patch.Generation = 1
+// GetResetFields returns the set of fields that get reset by the strategy and
+// should not be modified by the user. For a new DeviceTaintRule that is the
+// status.
+func (*deviceTaintRuleStrategy) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
+	fields := map[fieldpath.APIVersion]*fieldpath.Set{
+		"resource.k8s.io/v1alpha3": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("status"),
+		),
+	}
+
+	return fields
+}
+
+func (*deviceTaintRuleStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
+	rule := obj.(*resource.DeviceTaintRule)
+	// Status must not be set by user on create.
+	rule.Status = resource.DeviceTaintRuleStatus{}
+	rule.Generation = 1
 }
 
-func (deviceTaintRuleStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
-	patch := obj.(*resource.DeviceTaintRule)
-	return validation.ValidateDeviceTaintRule(patch)
+func (*deviceTaintRuleStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
+	rule := obj.(*resource.DeviceTaintRule)
+	return validation.ValidateDeviceTaintRule(rule)
 }
 
-func (deviceTaintRuleStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+func (*deviceTaintRuleStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
 	return nil
 }
 
-func (deviceTaintRuleStrategy) Canonicalize(obj runtime.Object) {
+func (*deviceTaintRuleStrategy) Canonicalize(obj runtime.Object) {
 }
 
-func (deviceTaintRuleStrategy) AllowCreateOnUpdate() bool {
+func (*deviceTaintRuleStrategy) AllowCreateOnUpdate() bool {
 	return false
 }
 
-func (deviceTaintRuleStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
-	patch := obj.(*resource.DeviceTaintRule)
-	oldPatch := old.(*resource.DeviceTaintRule)
+func (*deviceTaintRuleStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
+	rule := obj.(*resource.DeviceTaintRule)
+	oldRule := old.(*resource.DeviceTaintRule)
+	rule.Status = oldRule.Status
 
 	// Any changes to the spec increment the generation number.
-	if !apiequality.Semantic.DeepEqual(oldPatch.Spec, patch.Spec) {
-		patch.Generation = oldPatch.Generation + 1
+	if !apiequality.Semantic.DeepEqual(oldRule.Spec, rule.Spec) {
+		rule.Generation = oldRule.Generation + 1
 	}
 }
 
-func (deviceTaintRuleStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
+func (*deviceTaintRuleStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
 	return validation.ValidateDeviceTaintRuleUpdate(obj.(*resource.DeviceTaintRule), old.(*resource.DeviceTaintRule))
 }
 
-func (deviceTaintRuleStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
+func (*deviceTaintRuleStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
 	return nil
 }
 
-func (deviceTaintRuleStrategy) AllowUnconditionalUpdate() bool {
+func (*deviceTaintRuleStrategy) AllowUnconditionalUpdate() bool {
 	return true
 }
+
+type deviceTaintRuleStatusStrategy struct {
+	*deviceTaintRuleStrategy
+}
+
+// GetResetFields returns the set of fields that get reset by the strategy and
+// should not be modified by the user. For a status update that is the spec.
+func (*deviceTaintRuleStatusStrategy) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
+	fields := map[fieldpath.APIVersion]*fieldpath.Set{
+		"resource.k8s.io/v1alpha3": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("metadata"),
+			fieldpath.MakePathOrDie("spec"),
+		),
+	}
+
+	return fields
+}
+
+func (*deviceTaintRuleStatusStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
+	newRule := obj.(*resource.DeviceTaintRule)
+	oldRule := old.(*resource.DeviceTaintRule)
+	newRule.Spec = oldRule.Spec
+	metav1.ResetObjectMetaForStatus(&newRule.ObjectMeta, &oldRule.ObjectMeta)
+}
+
+func (r *deviceTaintRuleStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
+	newRule := obj.(*resource.DeviceTaintRule)
+	oldRule := old.(*resource.DeviceTaintRule)
+	return validation.ValidateDeviceTaintRuleStatusUpdate(newRule, oldRule)
+}
+
+// WarningsOnUpdate returns warnings for the given update.
+func (*deviceTaintRuleStatusStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
+	return nil
+}
diff --git a/pkg/registry/resource/devicetaintrule/strategy_test.go b/pkg/registry/resource/devicetaintrule/strategy_test.go
index 7923a8e981c7f..19993748c0983 100644
--- a/pkg/registry/resource/devicetaintrule/strategy_test.go
+++ b/pkg/registry/resource/devicetaintrule/strategy_test.go
@@ -19,14 +19,30 @@ package devicetaintrule
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/kubernetes/pkg/apis/resource"
 )
 
-var patch = &resource.DeviceTaintRule{
+var obj = &resource.DeviceTaintRule{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:       "valid-patch",
+		Generation: 1,
+	},
+	Spec: resource.DeviceTaintRuleSpec{
+		Taint: resource.DeviceTaint{
+			Key:    "example.com/tainted",
+			Effect: resource.DeviceTaintEffectNoExecute,
+		},
+	},
+}
+
+var objWithStatus = &resource.DeviceTaintRule{
 	ObjectMeta: metav1.ObjectMeta{
-		Name: "valid-patch",
+		Name:       "valid-patch",
+		Generation: 1,
 	},
 	Spec: resource.DeviceTaintRuleSpec{
 		Taint: resource.DeviceTaint{
@@ -34,8 +50,20 @@ var patch = &resource.DeviceTaintRule{
 			Effect: resource.DeviceTaintEffectNoExecute,
 		},
 	},
+	Status: resource.DeviceTaintRuleStatus{
+		Conditions: []metav1.Condition{{
+			Type:               "foo",
+			Status:             metav1.ConditionFalse,
+			LastTransitionTime: metav1.Now(),
+			Reason:             "something",
+			Message:            "else",
+		}},
+	},
 }
 
+var fieldImmutableError = "field is immutable"
+var metadataError = "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters"
+
 func TestDeviceTaintRuleStrategy(t *testing.T) {
 	if Strategy.NamespaceScoped() {
 		t.Errorf("DeviceTaintRule must not be namespace scoped")
@@ -47,40 +75,202 @@ func TestDeviceTaintRuleStrategy(t *testing.T) {
 
 func TestDeviceTaintRuleStrategyCreate(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
-	patch := patch.DeepCopy()
+	testcases := map[string]struct {
+		obj                   *resource.DeviceTaintRule
+		expectValidationError string
+		expectObj             *resource.DeviceTaintRule
+	}{
+		"simple": {
+			obj:       obj,
+			expectObj: obj,
+		},
+		"validation-error": {
+			obj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Name = "%#@$%$"
+				return obj
+			}(),
+			expectValidationError: metadataError,
+		},
+		"drop-status": {
+			obj:       objWithStatus,
+			expectObj: obj,
+		},
+		"set-generation": {
+			obj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Generation = 42 // Cannot be set by client on create, overwritten with 1.
+				return obj
+			}(),
+			expectObj: obj,
+		},
+	}
 
-	Strategy.PrepareForCreate(ctx, patch)
-	errs := Strategy.Validate(ctx, patch)
-	if len(errs) != 0 {
-		t.Errorf("unexpected error validating for create %v", errs)
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			obj := tc.obj.DeepCopy()
+			Strategy.PrepareForCreate(ctx, obj)
+			if errs := Strategy.Validate(ctx, obj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
+				return
+			}
+			if tc.expectValidationError != "" {
+				t.Fatal("expected validation error(s), got none")
+			}
+			if warnings := Strategy.WarningsOnCreate(ctx, obj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			Strategy.Canonicalize(obj)
+			assert.Equal(t, tc.expectObj, obj)
+		})
 	}
 }
 
 func TestDeviceTaintRuleStrategyUpdate(t *testing.T) {
-	t.Run("no-changes-okay", func(t *testing.T) {
-		ctx := genericapirequest.NewDefaultContext()
-		patch := patch.DeepCopy()
-		newPatch := patch.DeepCopy()
-		newPatch.ResourceVersion = "4"
-
-		Strategy.PrepareForUpdate(ctx, newPatch, patch)
-		errs := Strategy.ValidateUpdate(ctx, newPatch, patch)
-		if len(errs) != 0 {
-			t.Errorf("unexpected validation errors: %v", errs)
-		}
-	})
-
-	t.Run("name-change-not-allowed", func(t *testing.T) {
-		ctx := genericapirequest.NewDefaultContext()
-		patch := patch.DeepCopy()
-		newPatch := patch.DeepCopy()
-		newPatch.Name = "valid-patch-2"
-		newPatch.ResourceVersion = "4"
-
-		Strategy.PrepareForUpdate(ctx, newPatch, patch)
-		errs := Strategy.ValidateUpdate(ctx, newPatch, patch)
-		if len(errs) == 0 {
-			t.Errorf("expected a validation error")
-		}
-	})
+	ctx := genericapirequest.NewDefaultContext()
+
+	testcases := map[string]struct {
+		oldObj                *resource.DeviceTaintRule
+		newObj                *resource.DeviceTaintRule
+		expectValidationError string
+		expectObj             *resource.DeviceTaintRule
+	}{
+		"no-changes-okay": {
+			oldObj:    obj,
+			newObj:    obj,
+			expectObj: obj,
+		},
+		"name-change-not-allowed": {
+			oldObj: obj,
+			newObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Name += "-2"
+				return obj
+			}(),
+			expectValidationError: fieldImmutableError,
+		},
+		"drop-status": {
+			oldObj:    obj,
+			newObj:    objWithStatus,
+			expectObj: obj,
+		},
+		"bump-generation": {
+			oldObj: obj,
+			newObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Spec.Taint.Effect = resource.DeviceTaintEffectNone
+				return obj
+			}(),
+			expectObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Spec.Taint.Effect = resource.DeviceTaintEffectNone
+				obj.Generation++
+				return obj
+			}(),
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			oldObj := tc.oldObj.DeepCopy()
+			newObj := tc.newObj.DeepCopy()
+			newObj.ResourceVersion = "4"
+
+			Strategy.PrepareForUpdate(ctx, newObj, oldObj)
+			if errs := Strategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
+				return
+			}
+			if tc.expectValidationError != "" {
+				t.Fatal("expected validation error(s), got none")
+			}
+			if warnings := Strategy.WarningsOnUpdate(ctx, newObj, oldObj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			Strategy.Canonicalize(newObj)
+			expectObj := tc.expectObj.DeepCopy()
+			expectObj.ResourceVersion = "4"
+			assert.Equal(t, expectObj, newObj)
+		})
+	}
+}
+
+func TestStatusStrategyUpdate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	testcases := map[string]struct {
+		oldObj                *resource.DeviceTaintRule
+		newObj                *resource.DeviceTaintRule
+		expectValidationError string
+		expectObj             *resource.DeviceTaintRule
+	}{
+		"no-changes-okay": {
+			oldObj:    obj,
+			newObj:    obj,
+			expectObj: obj,
+		},
+		"name-change-not-allowed": {
+			oldObj: obj,
+			newObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Name += "-2"
+				return obj
+			}(),
+			expectValidationError: fieldImmutableError,
+		},
+		// Cannot add finalizers, annotations and labels during status update.
+		"drop-meta-changes": {
+			oldObj: obj,
+			newObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Finalizers = []string{"foo"}
+				obj.Annotations = map[string]string{"foo": "bar"}
+				obj.Labels = map[string]string{"foo": "bar"}
+				return obj
+			}(),
+			expectObj: obj,
+		},
+		"drop-spec": {
+			oldObj: obj,
+			newObj: func() *resource.DeviceTaintRule {
+				obj := obj.DeepCopy()
+				obj.Spec.Taint.Effect = resource.DeviceTaintEffectNone
+				return obj
+			}(),
+			expectObj: obj,
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			oldObj := tc.oldObj.DeepCopy()
+			newObj := tc.newObj.DeepCopy()
+			newObj.ResourceVersion = "4"
+
+			StatusStrategy.PrepareForUpdate(ctx, newObj, oldObj)
+			if errs := StatusStrategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
+				return
+			}
+			if tc.expectValidationError != "" {
+				t.Fatal("expected validation error(s), got none")
+			}
+			if warnings := StatusStrategy.WarningsOnUpdate(ctx, newObj, oldObj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			StatusStrategy.Canonicalize(newObj)
+
+			expectObj := tc.expectObj.DeepCopy()
+			expectObj.ResourceVersion = "4"
+			assert.Equal(t, expectObj, newObj)
+		})
+	}
 }
diff --git a/pkg/registry/resource/resourceclaim/declarative_validation_test.go b/pkg/registry/resource/resourceclaim/declarative_validation_test.go
new file mode 100644
index 0000000000000..6527fe379af3b
--- /dev/null
+++ b/pkg/registry/resource/resourceclaim/declarative_validation_test.go
@@ -0,0 +1,1740 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceclaim
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/kubernetes/fake"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/apis/resource/validation"
+	pointer "k8s.io/utils/ptr"
+)
+
+var apiVersions = []string{"v1beta1", "v1beta2", "v1"} // "v1alpha3" is excluded because it doesn't have ResourceClaim
+
+const (
+	validUUID  = "550e8400-e29b-41d4-a716-446655440000"
+	validUUID1 = "550e8400-e29b-41d4-a716-446655440001"
+)
+
+func TestDeclarativeValidate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testDeclarativeValidate(t, apiVersion)
+		})
+	}
+}
+
+func testDeclarativeValidate(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "resource.k8s.io",
+		APIVersion: apiVersion,
+		Resource:   "resourceclaims",
+	})
+	fakeClient := fake.NewClientset()
+	mockNSClient := fakeClient.CoreV1().Namespaces()
+	Strategy := NewStrategy(mockNSClient)
+
+	opaqueDriverPath := field.NewPath("spec", "devices", "config").Index(0).Child("opaque", "driver")
+
+	// TODO: As we accumulate more and more test cases, consider breaking this
+	// up into smaller tests for maintainability.
+	testCases := map[string]struct {
+		input        resource.ResourceClaim
+		expectedErrs field.ErrorList
+	}{
+		"valid": {
+			input: mkValidResourceClaim(),
+		},
+		"valid requests, max allowed": {
+			input: mkValidResourceClaim(tweakDevicesConfigs(32)),
+		},
+		"valid constraints, max allowed": {
+			input: mkValidResourceClaim(tweakDevicesConstraints(32)),
+		},
+		"valid config, max allowed": {
+			input: mkValidResourceClaim(tweakDevicesConfigs(32)),
+		},
+		"invalid requests, too many": {
+			input: mkValidResourceClaim(tweakDevicesRequests(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid requests, duplicate name": {
+			input: mkValidResourceClaim(tweakAddDeviceRequest(mkDeviceRequest("req-0"))),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(1), "req-0"),
+			},
+		},
+		"invalid requests, too many AND duplicate name (short-circuit check)": {
+			input: mkValidResourceClaim(tweakDevicesRequests(33), tweakAddDeviceRequest(mkDeviceRequest("req-0"))),
+			expectedErrs: field.ErrorList{
+				// We expect ONLY TooMany, suppressing the Duplicate error because of short-circuiting
+				field.TooMany(field.NewPath("spec", "devices", "requests"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid constraints, too many": {
+			input: mkValidResourceClaim(tweakDevicesConstraints(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "constraints"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid config, too many": {
+			input: mkValidResourceClaim(tweakDevicesConfigs(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "config"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid firstAvailable, too many": {
+			input: mkValidResourceClaim(tweakFirstAvailable(9)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable"), 9, 8).WithOrigin("maxItems"),
+			},
+		},
+		"invalid firstAvailable, duplicate name": {
+			input: mkValidResourceClaim(tweakDuplicateFirstAvailableName("sub-0")),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(1), "sub-0"),
+			},
+		},
+		"invalid selectors, too many": {
+			input: mkValidResourceClaim(tweakExactlySelectors(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "selectors"), 33, 32).WithOrigin("maxItems").MarkCoveredByDeclarative(),
+			},
+		},
+		"invalid subrequest selectors, too many": {
+			input: mkValidResourceClaim(tweakSubRequestSelectors(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("selectors"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid constraint requests, too many": {
+			input: mkValidResourceClaim(tweakConstraintRequests(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests"), 33, 32).WithOrigin("maxItems"),
+				field.TooMany(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid config requests, too many": {
+			input: mkValidResourceClaim(tweakConfigRequests(33)),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("spec", "devices", "requests"), 33, 32).WithOrigin("maxItems"),
+				field.TooMany(field.NewPath("spec", "devices", "config").Index(0).Child("requests"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid constraint requests, duplicate name": {
+			input: mkValidResourceClaim(tweakDuplicateConstraintRequest("req-0")),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("spec", "devices", "constraints").Index(0).Child("requests").Index(1), "req-0"),
+			},
+		},
+		"invalid config requests, duplicate name": {
+			input: mkValidResourceClaim(tweakDuplicateConfigRequest("req-0")),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("spec", "devices", "config").Index(0).Child("requests").Index(1), "req-0"),
+			},
+		},
+		"valid firstAvailable, max allowed": {
+			input: mkValidResourceClaim(tweakFirstAvailable(8)),
+		},
+		"valid selectors, max allowed": {
+			input: mkValidResourceClaim(tweakExactlySelectors(32)),
+		},
+		"valid subrequest selectors, max allowed": {
+			input: mkValidResourceClaim(tweakSubRequestSelectors(32)),
+		},
+		"valid constraint requests, max allowed": {
+			input: mkValidResourceClaim(tweakConstraintRequests(32)),
+		},
+		"valid config requests, max allowed": {
+			input: mkValidResourceClaim(tweakConfigRequests(32)),
+		},
+		"valid opaque driver, lowercase": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver("dra.example.com")),
+		},
+		"valid opaque driver, mixed case": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver("DRA.Example.COM")),
+		},
+		"valid opaque driver, max length": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver(strings.Repeat("a", 63))),
+		},
+		"invalid opaque driver, empty": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver("")),
+			expectedErrs: field.ErrorList{
+				field.Required(opaqueDriverPath, ""),
+			},
+		},
+		"invalid opaque driver, too long": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver(strings.Repeat("a", 64))),
+			expectedErrs: field.ErrorList{
+				field.TooLong(opaqueDriverPath, "", 63),
+			},
+		},
+		"invalid opaque driver, invalid character": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver("dra_example.com")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(opaqueDriverPath, "dra_example.com", "").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+		"invalid opaque driver, invalid DNS name (leading dot)": {
+			input: mkValidResourceClaim(tweakDeviceConfigWithDriver(".example.com")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(opaqueDriverPath, ".example.com", "").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+		// spec.Devices.Requests[%d].Exactly.Tolerations.Key
+		"valid Exactly.Tolerations.Key": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+		},
+		"valid Exactly.Tolerations.Key empty": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+		},
+		"invalid Exactly.Tolerations.Key": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "invalid_key!", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "tolerations").Index(0).Child("key"), "invalid_key!", "").WithOrigin("format=k8s-label-key"),
+			},
+		},
+		"invalid  Exactly.Tolerations.Key - multiple slashes": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "a/b/c", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "tolerations").Index(0).Child("key"), "a/b/c", "").WithOrigin("format=k8s-label-key"),
+			},
+		},
+		// spec.Devices.Requests[%d].FirsAvailable[%d].Tolerations.Key
+		"valid FirstAvailable.Tolerations.Key": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+		},
+		"valid FirstAvailable.Tolerations.Key empty": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+		},
+		"invalid FirstAvailable.Tolerations.Key": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "invalid_key!", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("tolerations").Index(0).Child("key"), "invalid_key!", "").WithOrigin("format=k8s-label-key"),
+			},
+		},
+		"invalid FirstAvailable.Tolerations.Key - multiple slashes": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "a/b/c", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("tolerations").Index(0).Child("key"), "a/b/c", "").WithOrigin("format=k8s-label-key"),
+			},
+		},
+		"valid DeviceAllocationMode - All": {
+			input: mkValidResourceClaim(tweakExactlyAllocationMode(resource.DeviceAllocationModeAll, 0)),
+		},
+		"invalid DeviceAllocationMode - Exactly": {
+			input: mkValidResourceClaim(tweakExactlyAllocationMode("InvalidMode", 1)),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "allocationMode"),
+					resource.DeviceAllocationMode("InvalidMode"),
+					[]string{"All", "ExactCount"},
+				),
+			},
+		},
+		"valid DeviceAllocationMode - FirstAvailable": {
+			input: mkValidResourceClaim(tweakFirstAvailableAllocationMode(resource.DeviceAllocationModeAll, 0)),
+		},
+		"invalid DeviceAllocationMode - FirstAvailable": {
+			input: mkValidResourceClaim(tweakFirstAvailableAllocationMode("InvalidMode", 1)),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("allocationMode"),
+					resource.DeviceAllocationMode("InvalidMode"),
+					[]string{"All", "ExactCount"},
+				),
+			},
+		},
+		// spec.devices.requests[%d].firstAvailable[%d].deviceClassName
+		"valid firstAvailable class name": {
+			input:        mkValidResourceClaim(tweakFirstAvailableDeviceClassName("class")),
+			expectedErrs: field.ErrorList{},
+		},
+		"invalid firstAvailable class name - invalid characters": {
+			input: mkValidResourceClaim(tweakFirstAvailableDeviceClassName("Class&")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), "Class&", "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"invalid firstAvailable class name - long name": {
+			input: mkValidResourceClaim(tweakFirstAvailableDeviceClassName(strings.Repeat("a", 254))),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), "Class&", "").WithOrigin("format=k8s-long-name"),
+			},
+		},
+		"invalid firstAvailable class name - empty": {
+			input: mkValidResourceClaim(tweakFirstAvailableDeviceClassName("")),
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("deviceClassName"), ""),
+			},
+		},
+		"valid DeviceTolerationOperator/Effect - Exactly": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: resource.DeviceTolerationOpEqual,
+					Value:    "value",
+					Effect:   resource.DeviceTaintEffectNoSchedule,
+				},
+			})),
+		},
+		"invalid DeviceTolerationOperator - Exactly": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: "InvalidOp",
+					Value:    "value",
+					Effect:   resource.DeviceTaintEffectNoSchedule,
+				},
+			})),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "tolerations").Index(0).Child("operator"),
+					resource.DeviceTolerationOperator("InvalidOp"),
+					[]string{"Equal", "Exists"},
+				),
+			},
+		},
+		"invalid DeviceTaintEffect - Exactly": {
+			input: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: resource.DeviceTolerationOpEqual,
+					Value:    "value",
+					Effect:   "InvalidEffect",
+				},
+			})),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("exactly", "tolerations").Index(0).Child("effect"),
+					resource.DeviceTaintEffect("InvalidEffect"),
+					[]string{"NoExecute", "NoSchedule"},
+				),
+			},
+		},
+		"valid DeviceTolerationOperator/Effect - FirstAvailable": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: resource.DeviceTolerationOpEqual,
+					Value:    "value",
+					Effect:   resource.DeviceTaintEffectNoSchedule,
+				},
+			})),
+		},
+		"invalid DeviceTolerationOperator - FirstAvailable": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: "InvalidOp",
+					Value:    "value",
+					Effect:   resource.DeviceTaintEffectNoSchedule,
+				},
+			})),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("tolerations").Index(0).Child("operator"),
+					resource.DeviceTolerationOperator("InvalidOp"),
+					[]string{"Equal", "Exists"},
+				),
+			},
+		},
+		"invalid DeviceTaintEffect - FirstAvailable": {
+			input: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{
+					Key:      "key",
+					Operator: resource.DeviceTolerationOpEqual,
+					Value:    "value",
+					Effect:   "InvalidEffect",
+				},
+			})),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(
+					field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("tolerations").Index(0).Child("effect"),
+					resource.DeviceTaintEffect("InvalidEffect"),
+					[]string{"NoExecute", "NoSchedule"},
+				),
+			},
+		},
+		// Spec.Devices.Constraints[%d].MatchAttribute
+		"invalid match attribute": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("invalid!"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "invalid!", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute without domain": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("nodomain"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "nodomain", "a fully qualified name must be a domain and a name separated by a slash").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute empty": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute(""),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with empty domain": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("/foo"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with empty name": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("foo/"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with invalid domain": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("invalid_domain/foo"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "invalid_domain", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with invalid name": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("domain/invalid-name"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "invalid-name", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with long name": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute("domain/" + strings.Repeat("a", 65)),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooLong(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", 64).WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		"match attribute with long domain": {
+			input: mkValidResourceClaim(
+				tweakMatchAttribute(strings.Repeat("a", 254) + "/name"),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooLong(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", 63).WithOrigin("format=k8s-resource-fully-qualified-name"),
+				field.Invalid(field.NewPath("spec", "devices", "constraints").Index(0).Child("matchAttribute"), "", "").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			},
+		},
+		// TODO: Add more test cases
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs, apitesting.WithNormalizationRules(validation.ResourceNormalizationRules...))
+		})
+	}
+}
+
+func tweakDevicesConfigs(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := 0; i < items; i++ {
+			rc.Spec.Devices.Config = append(rc.Spec.Devices.Config, mkDeviceClaimConfiguration())
+		}
+	}
+}
+
+func tweakDevicesConstraints(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := 0; i < items; i++ {
+			rc.Spec.Devices.Constraints = append(rc.Spec.Devices.Constraints, mkDeviceConstraint())
+		}
+	}
+}
+
+func tweakDevicesRequests(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		// The first request already exists in the valid template
+		for i := 1; i < items; i++ {
+			rc.Spec.Devices.Requests = append(rc.Spec.Devices.Requests, mkDeviceRequest(fmt.Sprintf("req-%d", i)))
+		}
+	}
+}
+
+func tweakDuplicateFirstAvailableName(name string) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Requests[0].Exactly = nil
+		rc.Spec.Devices.Requests[0].FirstAvailable = []resource.DeviceSubRequest{
+			{
+				Name:            name,
+				DeviceClassName: "class",
+				AllocationMode:  resource.DeviceAllocationModeAll,
+			},
+			{
+				Name:            name,
+				DeviceClassName: "class",
+				AllocationMode:  resource.DeviceAllocationModeAll,
+			},
+		}
+	}
+}
+
+func tweakExactlySelectors(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := 0; i < items; i++ {
+			rc.Spec.Devices.Requests[0].Exactly.Selectors = append(rc.Spec.Devices.Requests[0].Exactly.Selectors,
+				resource.DeviceSelector{
+					CEL: &resource.CELDeviceSelector{
+						Expression: fmt.Sprintf("device.driver == \"test.driver.io%d\"", i),
+					},
+				},
+			)
+		}
+	}
+}
+
+func tweakSubRequestSelectors(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Requests[0].Exactly = nil
+		rc.Spec.Devices.Requests[0].FirstAvailable = []resource.DeviceSubRequest{
+			{
+				Name:            "sub-0",
+				DeviceClassName: "class",
+				AllocationMode:  resource.DeviceAllocationModeAll,
+			},
+		}
+		for i := 0; i < items; i++ {
+			rc.Spec.Devices.Requests[0].FirstAvailable[0].Selectors = append(rc.Spec.Devices.Requests[0].FirstAvailable[0].Selectors,
+				resource.DeviceSelector{
+					CEL: &resource.CELDeviceSelector{
+						Expression: fmt.Sprintf("device.driver == \"test.driver.io%d\"", i),
+					},
+				},
+			)
+		}
+	}
+}
+
+func tweakConstraintRequests(count int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		tweakDevicesRequests(count)(rc)
+		if len(rc.Spec.Devices.Constraints) == 0 {
+			rc.Spec.Devices.Constraints = append(rc.Spec.Devices.Constraints, mkDeviceConstraint())
+		}
+		rc.Spec.Devices.Constraints[0].Requests = []string{}
+		for i := 0; i < count; i++ {
+			rc.Spec.Devices.Constraints[0].Requests = append(rc.Spec.Devices.Constraints[0].Requests, fmt.Sprintf("req-%d", i))
+		}
+	}
+}
+
+func tweakConfigRequests(count int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		tweakDevicesRequests(count)(rc)
+		if len(rc.Spec.Devices.Config) == 0 {
+			rc.Spec.Devices.Config = append(rc.Spec.Devices.Config, mkDeviceClaimConfiguration())
+		}
+		rc.Spec.Devices.Config[0].Requests = []string{}
+		for i := 0; i < count; i++ {
+			rc.Spec.Devices.Config[0].Requests = append(rc.Spec.Devices.Config[0].Requests, fmt.Sprintf("req-%d", i))
+		}
+	}
+}
+
+func tweakDuplicateConstraintRequest(name string) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Spec.Devices.Constraints) == 0 {
+			rc.Spec.Devices.Constraints = append(rc.Spec.Devices.Constraints, mkDeviceConstraint())
+		}
+		rc.Spec.Devices.Constraints[0].Requests = append(rc.Spec.Devices.Constraints[0].Requests, name)
+	}
+}
+
+func tweakDuplicateConfigRequest(name string) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Spec.Devices.Config) == 0 {
+			rc.Spec.Devices.Config = append(rc.Spec.Devices.Config, mkDeviceClaimConfiguration())
+		}
+		rc.Spec.Devices.Config[0].Requests = append(rc.Spec.Devices.Config[0].Requests, name)
+	}
+}
+
+func tweakFirstAvailable(items int) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Requests[0].Exactly = nil
+		for i := 0; i < items; i++ {
+			rc.Spec.Devices.Requests[0].FirstAvailable = append(rc.Spec.Devices.Requests[0].FirstAvailable,
+				resource.DeviceSubRequest{
+					Name:            fmt.Sprintf("sub-%d", i),
+					DeviceClassName: "class",
+					AllocationMode:  resource.DeviceAllocationModeAll,
+				},
+			)
+		}
+	}
+}
+
+func tweakExactlyAllocationMode(mode resource.DeviceAllocationMode, count int64) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Spec.Devices.Requests) > 0 && rc.Spec.Devices.Requests[0].Exactly != nil {
+			rc.Spec.Devices.Requests[0].Exactly.AllocationMode = mode
+			rc.Spec.Devices.Requests[0].Exactly.Count = count
+		}
+	}
+}
+
+func tweakFirstAvailableAllocationMode(mode resource.DeviceAllocationMode, count int64) func(*resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Spec.Devices.Requests) > 0 {
+			// Clear Exactly and set FirstAvailable
+			rc.Spec.Devices.Requests[0].Exactly = nil
+			rc.Spec.Devices.Requests[0].FirstAvailable = []resource.DeviceSubRequest{
+				{
+					Name:            "sub-0",
+					DeviceClassName: "class",
+					AllocationMode:  mode,
+					Count:           count,
+				},
+			}
+		}
+	}
+}
+
+func mkDeviceClaimConfiguration() resource.DeviceClaimConfiguration {
+	return resource.DeviceClaimConfiguration{
+		Requests: []string{"req-0"},
+		DeviceConfiguration: resource.DeviceConfiguration{
+			Opaque: &resource.OpaqueDeviceConfiguration{
+				Driver: "dra.example.com",
+				Parameters: runtime.RawExtension{
+					Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+				}},
+		},
+	}
+}
+
+func mkDeviceConstraint() resource.DeviceConstraint {
+	return resource.DeviceConstraint{
+		Requests:       []string{"req-0"},
+		MatchAttribute: pointer.To(resource.FullyQualifiedName("foo/bar")),
+	}
+}
+
+func mkDeviceRequest(name string) resource.DeviceRequest {
+	return resource.DeviceRequest{
+		Name: name,
+		Exactly: &resource.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resource.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+}
+
+func TestDeclarativeValidateUpdate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testDeclarativeValidateUpdate(t, apiVersion)
+		})
+	}
+}
+
+func testDeclarativeValidateUpdate(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "resource.k8s.io",
+		APIVersion: apiVersion,
+		Resource:   "resourceclaims",
+	})
+	fakeClient := fake.NewClientset()
+	mockNSClient := fakeClient.CoreV1().Namespaces()
+	Strategy := NewStrategy(mockNSClient)
+	validClaim := mkValidResourceClaim()
+	// TODO: As we accumulate more and more test cases, consider breaking this
+	// up into smaller tests for maintainability.
+	testCases := map[string]struct {
+		update       resource.ResourceClaim
+		old          resource.ResourceClaim
+		expectedErrs field.ErrorList
+	}{
+		"valid": {
+			update: validClaim,
+			old:    validClaim,
+		},
+		"spec immutable: modify request class name": {
+			update: mkValidResourceClaim(tweakSpecChangeClassName("another-class")),
+			old:    validClaim,
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: add request": {
+			update: mkValidResourceClaim(tweakAddDeviceRequest(mkDeviceRequest("req-1"))),
+			old:    validClaim,
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: remove request": {
+			update: mkValidResourceClaim(tweakSpecRemoveRequest(0)),
+			old:    validClaim,
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: add constraint": {
+			update: mkValidResourceClaim(tweakSpecAddConstraint(mkDeviceConstraint())),
+			old:    validClaim,
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: short-circuits other errors (e.g. TooMany)": {
+			update: mkValidResourceClaim(tweakDevicesRequests(33)),
+			old:    mkValidResourceClaim(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: add Exactly.Tolerations": {
+			update: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			old: validClaim,
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: change Exactly.Tolerations.Key": {
+			update: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "another-valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			old: mkValidResourceClaim(tweakExactlyTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		// spec.Devices.Requests[%d].FirsAvailable[%d].Tolerations.Key
+		"spec immutable: add FirstAvailable.Tolerations": {
+			update: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			old: mkValidResourceClaim(tweakFirstAvailable(1)),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: change FirstAvailable.Tolerations.Key": {
+			update: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "another-valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			old: mkValidResourceClaim(tweakFirstAvailable(1), tweakFirstAvailableTolerations([]resource.DeviceToleration{
+				{Key: "valid-key", Operator: resource.DeviceTolerationOpExists, Effect: resource.DeviceTaintEffectNoSchedule},
+			})),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		"spec immutable: short-circuits deviceClassName error": {
+			update: mkValidResourceClaim(tweakFirstAvailableDeviceClassName("Class")),
+			old:    mkValidResourceClaim(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("spec"), "field is immutable", "").WithOrigin("immutable"),
+			},
+		},
+		// TODO: Add more test cases
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			tc.old.ResourceVersion = "1"
+			tc.update.ResourceVersion = "2"
+			apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, Strategy.ValidateUpdate, tc.expectedErrs, apitesting.WithNormalizationRules(validation.ResourceNormalizationRules...))
+		})
+	}
+}
+
+func TestValidateStatusUpdateForDeclarative(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testValidateStatusUpdateForDeclarative(t, apiVersion)
+		})
+	}
+}
+
+func testValidateStatusUpdateForDeclarative(t *testing.T, apiVersion string) {
+	fakeClient := fake.NewClientset()
+	mockNSClient := fakeClient.CoreV1().Namespaces()
+	Strategy := NewStrategy(mockNSClient)
+	strategy := NewStatusStrategy(Strategy)
+
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:    "resource.k8s.io",
+		APIVersion:  apiVersion,
+		Resource:    "resourceclaims",
+		Subresource: "status",
+	})
+	poolPath := field.NewPath("status", "allocation", "devices", "results").Index(0).Child("pool")
+	configSourcePath := field.NewPath("status", "allocation", "devices", "config").Index(0).Child("source")
+	driverPath := field.NewPath("status", "allocation", "devices", "results").Index(0).Child("driver")
+
+	testCases := map[string]struct {
+		old          resource.ResourceClaim
+		update       resource.ResourceClaim
+		expectedErrs field.ErrorList
+	}{
+		// .Status.Allocation.Devices.Results[%d].Driver
+		"valid driver name, lowercase": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver("dra.example.com")),
+		},
+		"valid driver name, mixed case": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver("DRA.Example.COM")),
+		},
+		"valid driver name, max length": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver(strings.Repeat("a", 63))),
+		},
+		"invalid driver name, empty": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver("")),
+			expectedErrs: field.ErrorList{
+				field.Required(driverPath, ""),
+			},
+		},
+		"invalid driver name, too long": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver(strings.Repeat("a", 64))),
+			expectedErrs: field.ErrorList{
+				field.TooLong(driverPath, "", 63),
+			},
+		},
+		"invalid driver name, invalid character": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver("dra_example.com")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(driverPath, "dra_example.com", "").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+		"invalid driver name, invalid DNS name (leading dot)": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultDriver(".example.com")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(driverPath, ".example.com", "").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+		// .Status.Allocation.Devices.Results[%d].Pool
+		"valid pool name": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("dra.example.com/pool-a")),
+		},
+		"valid pool name, max length": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool(strings.Repeat("a", 63) + "." + strings.Repeat("b", 63) + "." + strings.Repeat("c", 63) + "." + strings.Repeat("d", 55))),
+		},
+		"invalid pool name, required": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("")),
+			expectedErrs: field.ErrorList{
+				field.Required(poolPath, ""),
+			},
+		},
+		"invalid pool name, too long": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool(strings.Repeat("a", 253) + "/" + strings.Repeat("a", 253))),
+			expectedErrs: field.ErrorList{
+				field.TooLong(poolPath, "", 253).WithOrigin("format=k8s-resource-pool-name"),
+			},
+		},
+		"invalid pool name, format": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("a/Not_Valid")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(poolPath, "Not_Valid", "").WithOrigin("format=k8s-resource-pool-name"),
+			},
+		},
+		"invalid pool name, leading slash": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("/a")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(poolPath, "", "").WithOrigin("format=k8s-resource-pool-name"),
+			},
+		},
+		"invalid pool name, trailing slash": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("a/")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(poolPath, "", "").WithOrigin("format=k8s-resource-pool-name"),
+			},
+		},
+		"invalid pool name, double slash": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultPool("a//b")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(poolPath, "", "").WithOrigin("format=k8s-resource-pool-name"),
+			},
+		},
+		// .Status.Allocation.Devices.Results[%d].ShareID
+		"valid status.Allocation.Devices.Results[].ShareID": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultShareID(validUUID)),
+		},
+		"invalid status.Allocation.Devices.Results[].ShareID": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultShareID("invalid-uid")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), "invalid-uid", "").WithOrigin("format=k8s-uuid"),
+			},
+		},
+		"invalid uppercase status.Allocation.Devices.Results[].ShareID ": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusDeviceRequestAllocationResultShareID("123e4567-E89b-12d3-A456-426614174000")),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), "invalid-uid", "").WithOrigin("format=k8s-uuid"),
+			},
+		},
+		// .Status.Devices[%d].ShareID
+		"valid status.Devices[].ShareID": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(standardAllocatedDeviceStatus()),
+				tweakStatusDeviceRequestAllocationResultShareID(validUUID),
+				tweakStatusAllocatedDeviceStatusShareID(validUUID),
+			),
+		},
+		"invalid status.Devices[].ShareID": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(standardAllocatedDeviceStatus()),
+				tweakStatusDeviceRequestAllocationResultShareID("invalid-uid"),
+				tweakStatusAllocatedDeviceStatusShareID("invalid-uid"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), "invalid-uid", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+				field.Invalid(field.NewPath("status", "devices").Index(0).Child("shareID"), "invalid-uid", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+			},
+		},
+		"invalid upper case status.Devices[].ShareID": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(standardAllocatedDeviceStatus()),
+				tweakStatusDeviceRequestAllocationResultShareID("123e4567-E89b-12d3-A456-426614174000"),
+				tweakStatusAllocatedDeviceStatusShareID("123e4567-E89b-12d3-A456-426614174000"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("shareID"), "invalid-uid", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+				field.Invalid(field.NewPath("status", "devices").Index(0).Child("shareID"), "invalid-uid", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+			},
+		},
+		// UID in status.ReservedFor
+		"duplicate uid in status.ReservedFor": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusReservedFor(
+					resourceClaimReference(validUUID),
+					resourceClaimReference(uuid.New().String()),
+					resourceClaimReference(validUUID),
+				)),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "reservedFor").Index(2), ""),
+			},
+		},
+		"multiple- duplicate uid in status.ReservedFor": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusReservedFor(
+				resourceClaimReference(validUUID),
+				resourceClaimReference(uuid.New().String()),
+				resourceClaimReference(validUUID),
+				resourceClaimReference(validUUID1),
+				resourceClaimReference(validUUID1),
+				resourceClaimReference(uuid.New().String()),
+			)),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "reservedFor").Index(2), ""),
+				field.Duplicate(field.NewPath("status", "reservedFor").Index(4), ""),
+			},
+		},
+		"invalid status.ReservedFor, too many": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusReservedFor(generateResourceClaimReferences(257)...),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "reservedFor"), 257, 256).WithOrigin("maxItems"),
+			},
+		},
+		"valid status.ReservedFor, max items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusReservedFor(generateResourceClaimReferences(256)...),
+			),
+		},
+		"valid status.allocation.devices.results, max items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationDevicesResults(32),
+			),
+		},
+		"valid status.allocation unchanged": {
+			old:    mkResourceClaimWithStatus(),
+			update: mkResourceClaimWithStatus(),
+		},
+		"valid status.allocation set from nil": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(),
+		},
+		"valid status.allocation cleared (Unset is allowed)": {
+			old:    mkResourceClaimWithStatus(),
+			update: mkValidResourceClaim(),
+		},
+		"invalid status.allocation changed device (NoModify)": {
+			old:    mkResourceClaimWithStatus(),
+			update: tweakStatusAllocationDevice(mkResourceClaimWithStatus(), "device-different"),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation"), nil, "field is immutable").WithOrigin("update"),
+			},
+		},
+		"invalid status.allocation changed driver (NoModify)": {
+			old:    mkResourceClaimWithStatus(),
+			update: tweakStatusAllocationDriver(mkResourceClaimWithStatus(), "different.example.com"),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation"), nil, "field is immutable").WithOrigin("update"),
+			},
+		},
+		"invalid status.allocation changed pool (NoModify)": {
+			old:    mkResourceClaimWithStatus(),
+			update: tweakStatusAllocationPool(mkResourceClaimWithStatus(), "different-pool"),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation"), nil, "field is immutable").WithOrigin("update"),
+			},
+		},
+		"invalid status.allocation added result (NoModify)": {
+			old:    mkResourceClaimWithStatus(),
+			update: addStatusAllocationResult(mkResourceClaimWithStatus()),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation"), nil, "field is immutable").WithOrigin("update"),
+			},
+		},
+		"invalid status.allocation removed result (NoModify)": {
+			old:    addStatusAllocationResult(mkResourceClaimWithStatus()),
+			update: mkResourceClaimWithStatus(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(field.NewPath("status", "allocation"), nil, "field is immutable").WithOrigin("update"),
+			},
+		},
+		"invalid status.allocation.devices.results, too many": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationDevicesResults(33),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "allocation", "devices", "results"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"valid status.allocation.devices.config, max items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationDevicesConfig(64),
+			),
+		},
+		"invalid status.allocation.devices.config, too many": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationDevicesConfig(65),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "allocation", "devices", "config"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"invalid status.allocation.devices.config requests, duplicate": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakAddStatusAllocationConfigRequest("req-0"),
+			),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "allocation", "devices", "config").Index(0).Child("requests").Index(1), "req-0"),
+			},
+		},
+		// .Status.Allocation.Devices.Config[%d].Source
+		"valid status.allocation.devices.config source FromClass": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusAllocationConfigSource(resource.AllocationConfigSourceClass)),
+		},
+		"valid status.allocation.devices.config source FromClaim": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusAllocationConfigSource(resource.AllocationConfigSourceClaim)),
+		},
+		"invalid status.allocation.devices.config source empty": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusAllocationConfigSource("")),
+			expectedErrs: field.ErrorList{
+				field.Required(configSourcePath, "").MarkCoveredByDeclarative(),
+			},
+		},
+		"invalid status.allocation.devices.config source invalid": {
+			old:    mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(tweakStatusAllocationConfigSource("invalid")),
+			expectedErrs: field.ErrorList{
+				field.NotSupported(configSourcePath, resource.AllocationConfigSource("invalid"), []string{string(resource.AllocationConfigSourceClaim), string(resource.AllocationConfigSourceClass)}).MarkCoveredByDeclarative(),
+			},
+		},
+		// .Status.Devices
+		"valid devices: without share Id": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocation(
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver1", Pool: "pool1", Device: "device1"},
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver2", Pool: "pool1", Device: "device1"},
+				),
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1"},
+					resource.AllocatedDeviceStatus{Driver: "driver2", Pool: "pool1", Device: "device1"},
+				),
+			),
+		},
+		"valid devices: with share Id": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocation(
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver1", Pool: "pool1", Device: "device1", ShareID: pointer.To(types.UID(validUUID))},
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver2", Pool: "pool1", Device: "device1", ShareID: pointer.To(types.UID(validUUID1))},
+				),
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1", ShareID: pointer.To(validUUID)},
+					resource.AllocatedDeviceStatus{Driver: "driver2", Pool: "pool1", Device: "device1", ShareID: pointer.To(validUUID1)},
+				),
+			),
+		},
+		"invalid devices, duplicate": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocation(
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver1", Pool: "pool1", Device: "device1"},
+				),
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1"},
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1"},
+				),
+			),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "devices").Index(1), "driver1/pool1/device1"),
+			},
+		},
+		"invalid devices, duplicate with share ID": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocation(
+					resource.DeviceRequestAllocationResult{Request: "req-0", Driver: "driver1", Pool: "pool1", Device: "device1", ShareID: pointer.To(types.UID(validUUID1))},
+				),
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1", ShareID: pointer.To(validUUID1)},
+					resource.AllocatedDeviceStatus{Driver: "driver1", Pool: "pool1", Device: "device1", ShareID: pointer.To(validUUID1)},
+				),
+			),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "devices").Index(1), "driver1/pool1/device1"),
+			},
+		},
+		// .Status.Allocation.Devices.Results[%d].BindingConditions
+		"valid binding conditions, max items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusBindingConditions(resource.BindingConditionsMaxSize),
+				tweakStatusBindingFailureConditions(1),
+			),
+		},
+		"invalid binding conditions, too many": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusBindingConditions(resource.BindingConditionsMaxSize+1),
+				tweakStatusBindingFailureConditions(1),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingConditions"), resource.BindingConditionsMaxSize+1, resource.BindingConditionsMaxSize).WithOrigin("maxItems"),
+			},
+		},
+		"valid binding failure conditions, max items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusBindingConditions(1),
+				tweakStatusBindingFailureConditions(resource.BindingFailureConditionsMaxSize),
+			),
+		},
+		"invalid binding failure conditions, too many": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusBindingConditions(1),
+				tweakStatusBindingFailureConditions(resource.BindingFailureConditionsMaxSize+1),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "allocation", "devices", "results").Index(0).Child("bindingFailureConditions"), resource.BindingFailureConditionsMaxSize+1, resource.BindingFailureConditionsMaxSize).WithOrigin("maxItems"),
+			},
+		},
+		// .Status.Devices[%d].NetworkData.InterfaceName
+		"valid networkdevicedata interfacename": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{
+						Driver: "dra.example.com",
+						Pool:   "pool-0",
+						Device: "device-0",
+						NetworkData: &resource.NetworkDeviceData{
+							InterfaceName: strings.Repeat("a", resource.NetworkDeviceDataInterfaceNameMaxLength),
+						},
+					},
+				),
+			),
+		},
+		"invalid networkdevicedata interfacename too long": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{
+						Driver: "dra.example.com",
+						Pool:   "pool-0",
+						Device: "device-0",
+						NetworkData: &resource.NetworkDeviceData{
+							InterfaceName: strings.Repeat("a", resource.NetworkDeviceDataInterfaceNameMaxLength+1),
+						},
+					},
+				),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "interfaceName"), "", resource.NetworkDeviceDataInterfaceNameMaxLength).MarkCoveredByDeclarative().WithOrigin("maxLength"),
+			},
+		},
+		"valid status.devices.networkData.hardwareAddress": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{
+						Driver: "dra.example.com",
+						Pool:   "pool-0",
+						Device: "device-0",
+						NetworkData: &resource.NetworkDeviceData{
+							HardwareAddress: strings.Repeat("a", resource.NetworkDeviceDataHardwareAddressMaxLength),
+						},
+					},
+				),
+			),
+		},
+		"invalid status.devices.networkData.hardwareAddress too long": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{
+						Driver: "dra.example.com",
+						Pool:   "pool-0",
+						Device: "device-0",
+						NetworkData: &resource.NetworkDeviceData{
+							HardwareAddress: strings.Repeat("a", resource.NetworkDeviceDataHardwareAddressMaxLength+1),
+						},
+					},
+				),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooLong(field.NewPath("status", "devices").Index(0).Child("networkData", "hardwareAddress"), "", resource.NetworkDeviceDataHardwareAddressMaxLength).MarkCoveredByDeclarative().WithOrigin("maxLength"),
+			},
+		},
+		"invalid status.devices.networkData.ips duplicate": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevices(
+					resource.AllocatedDeviceStatus{
+						Driver: "dra.example.com",
+						Pool:   "pool-0",
+						Device: "device-0",
+						NetworkData: &resource.NetworkDeviceData{
+							IPs: []string{"1.2.3.4/32", "1.2.3.4/32"},
+						},
+					},
+				),
+			),
+			expectedErrs: field.ErrorList{
+				field.Duplicate(field.NewPath("status", "devices").Index(0).Child("networkData", "ips").Index(1), "1.2.3.4/32"),
+			},
+		},
+		"invalid status.allocation.devices.config.requests too many": {
+			old: mkValidResourceClaim(tweakDevicesRequests(33)),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationConfigRequests(33),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "allocation", "devices", "config").Index(0).Child("requests"), 33, 32).WithOrigin("maxItems"),
+			},
+		},
+		"valid status.allocation.devices.config.requests, max allowed": {
+			old: mkValidResourceClaim(tweakDevicesRequests(32)),
+			update: mkResourceClaimWithStatus(
+				tweakStatusAllocationConfigRequests(32),
+			),
+		},
+		"invalid status.devices.networkData.ips, too many items": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevicesTooManyIPs(17),
+			),
+			expectedErrs: field.ErrorList{
+				field.TooMany(field.NewPath("status", "devices").Index(0).Child("networkData", "ips"), 17, 16).WithOrigin("maxItems"),
+			},
+		},
+		"invalid status.devices.networkData.ips, max allowed": {
+			old: mkValidResourceClaim(),
+			update: mkResourceClaimWithStatus(
+				tweakStatusDevicesTooManyIPs(16),
+			),
+		},
+	}
+
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			tc.old.ObjectMeta.ResourceVersion = "1"
+			tc.update.ObjectMeta.ResourceVersion = "1"
+			apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, strategy.ValidateUpdate, tc.expectedErrs, apitesting.WithSubResources("status"))
+		})
+	}
+}
+
+func tweakStatusAllocation(results ...resource.DeviceRequestAllocationResult) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			rc.Status.Allocation = &resource.AllocationResult{}
+		}
+		rc.Status.Allocation.Devices.Results = append(rc.Status.Allocation.Devices.Results, results...)
+	}
+}
+
+func mkValidResourceClaim(tweaks ...func(rc *resource.ResourceClaim)) resource.ResourceClaim {
+	rc := resource.ResourceClaim{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "valid-claim",
+			Namespace: "default",
+		},
+		Spec: resource.ResourceClaimSpec{
+			Devices: resource.DeviceClaim{
+				Requests: []resource.DeviceRequest{
+					mkDeviceRequest("req-0"),
+				},
+			},
+		},
+	}
+
+	for _, tweak := range tweaks {
+		tweak(&rc)
+	}
+	return rc
+}
+
+func mkResourceClaimWithStatus(tweaks ...func(rc *resource.ResourceClaim)) resource.ResourceClaim {
+	rc := mkValidResourceClaim()
+	rc.Status = resource.ResourceClaimStatus{
+		Allocation: &resource.AllocationResult{
+			Devices: resource.DeviceAllocationResult{
+				Results: []resource.DeviceRequestAllocationResult{
+					{
+						Request: "req-0",
+						Driver:  "dra.example.com",
+						Pool:    "pool-0",
+						Device:  "device-0",
+					},
+				},
+			},
+		},
+	}
+	for _, tweak := range tweaks {
+		tweak(&rc)
+	}
+	return rc
+}
+
+func tweakStatusDevices(devices ...resource.AllocatedDeviceStatus) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Status.Devices = devices
+	}
+}
+
+func tweakStatusDeviceRequestAllocationResultPool(pool string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Status.Allocation.Devices.Results {
+			rc.Status.Allocation.Devices.Results[i].Pool = pool
+		}
+	}
+}
+
+func tweakStatusDeviceRequestAllocationResultDriver(driver string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Status.Allocation.Devices.Results {
+			rc.Status.Allocation.Devices.Results[i].Driver = driver
+		}
+	}
+}
+
+func tweakStatusDeviceRequestAllocationResultShareID(shareID types.UID) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Status.Allocation.Devices.Results {
+			rc.Status.Allocation.Devices.Results[i].ShareID = &shareID
+		}
+	}
+}
+
+func tweakSpecChangeClassName(deviceClassName string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Spec.Devices.Requests) > 0 && rc.Spec.Devices.Requests[0].Exactly != nil {
+			rc.Spec.Devices.Requests[0].Exactly.DeviceClassName = deviceClassName
+		}
+	}
+}
+
+func tweakStatusAllocatedDeviceStatusShareID(shareID string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Status.Devices {
+			rc.Status.Devices[i].ShareID = &shareID
+		}
+	}
+}
+
+func tweakAddDeviceRequest(req resource.DeviceRequest) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Requests = append(rc.Spec.Devices.Requests, req)
+	}
+}
+
+func tweakSpecRemoveRequest(index int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if index >= 0 && index < len(rc.Spec.Devices.Requests) {
+			rc.Spec.Devices.Requests = append(rc.Spec.Devices.Requests[:index], rc.Spec.Devices.Requests[index+1:]...)
+		}
+	}
+}
+
+func tweakStatusBindingConditions(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			return
+		}
+		for i := range rc.Status.Allocation.Devices.Results {
+			rc.Status.Allocation.Devices.Results[i].BindingConditions = []string{}
+			for j := 0; j < count; j++ {
+				rc.Status.Allocation.Devices.Results[i].BindingConditions = append(rc.Status.Allocation.Devices.Results[i].BindingConditions, fmt.Sprintf("condition-%d", j))
+			}
+		}
+	}
+}
+
+func tweakStatusBindingFailureConditions(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			return
+		}
+		for i := range rc.Status.Allocation.Devices.Results {
+			rc.Status.Allocation.Devices.Results[i].BindingFailureConditions = []string{}
+			for j := 0; j < count; j++ {
+				rc.Status.Allocation.Devices.Results[i].BindingFailureConditions = append(rc.Status.Allocation.Devices.Results[i].BindingFailureConditions, fmt.Sprintf("failure-condition-%d", j))
+			}
+		}
+	}
+}
+
+func standardAllocatedDeviceStatus() resource.AllocatedDeviceStatus {
+	return resource.AllocatedDeviceStatus{
+		Driver: "dra.example.com",
+		Pool:   "pool-0",
+		Device: "device-0",
+	}
+}
+
+func resourceClaimReference(uid string) resource.ResourceClaimConsumerReference {
+	return resource.ResourceClaimConsumerReference{
+		UID:      types.UID(uid),
+		Resource: "Pod",
+		Name:     "pod-name",
+	}
+}
+
+func generateResourceClaimReferences(count int) []resource.ResourceClaimConsumerReference {
+	refs := make([]resource.ResourceClaimConsumerReference, count)
+	for i := 0; i < count; i++ {
+		refs[i] = resource.ResourceClaimConsumerReference{
+			Resource: "pods",
+			Name:     fmt.Sprintf("pod-%d", i),
+			UID:      types.UID(uuid.New().String()),
+		}
+	}
+	return refs
+}
+
+func tweakStatusReservedFor(refs ...resource.ResourceClaimConsumerReference) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Status.ReservedFor = refs
+	}
+}
+
+func tweakStatusAllocationDevicesResults(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Status.Allocation.Devices.Results = []resource.DeviceRequestAllocationResult{}
+		for i := 0; i < count; i++ {
+			rc.Status.Allocation.Devices.Results = append(rc.Status.Allocation.Devices.Results, resource.DeviceRequestAllocationResult{
+				Request: "req-0",
+				Driver:  "dra.example.com",
+				Pool:    fmt.Sprintf("pool-%d", i),
+				Device:  fmt.Sprintf("device-%d", i),
+			})
+		}
+	}
+}
+
+func tweakStatusAllocationDevicesConfig(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			return
+		}
+		rc.Status.Allocation.Devices.Config = []resource.DeviceAllocationConfiguration{}
+		for i := 0; i < count; i++ {
+			rc.Status.Allocation.Devices.Config = append(rc.Status.Allocation.Devices.Config, resource.DeviceAllocationConfiguration{
+				Source:   resource.AllocationConfigSourceClaim,
+				Requests: []string{"req-0"},
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver: "dra.example.com",
+						Parameters: runtime.RawExtension{
+							Raw: []byte(fmt.Sprintf(`{"item": %d}`, i)),
+						},
+					},
+				},
+			})
+		}
+	}
+}
+
+func tweakSpecAddConstraint(c resource.DeviceConstraint) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Constraints = append(rc.Spec.Devices.Constraints, c)
+	}
+}
+
+func tweakFirstAvailableDeviceClassName(name string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Requests[0].Exactly = nil
+		rc.Spec.Devices.Requests[0].FirstAvailable = []resource.DeviceSubRequest{
+			{
+				Name:            "sub-0",
+				DeviceClassName: name,
+				AllocationMode:  resource.DeviceAllocationModeAll,
+			},
+		}
+	}
+}
+
+func tweakDeviceConfigWithDriver(driverName string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		rc.Spec.Devices.Config = []resource.DeviceClaimConfiguration{
+			{
+				Requests: []string{"req-0"},
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver:     driverName,
+						Parameters: runtime.RawExtension{Raw: []byte(`{"key":"value"}`)},
+					},
+				},
+			},
+		}
+	}
+}
+
+func tweakExactlyTolerations(tolerations []resource.DeviceToleration) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Spec.Devices.Requests {
+			rc.Spec.Devices.Requests[i].Exactly.Tolerations = tolerations
+		}
+	}
+}
+
+func tweakFirstAvailableTolerations(tolerations []resource.DeviceToleration) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		for i := range rc.Spec.Devices.Requests {
+			for j := range rc.Spec.Devices.Requests[i].FirstAvailable {
+				rc.Spec.Devices.Requests[i].FirstAvailable[j].Tolerations = tolerations
+			}
+		}
+	}
+}
+
+func tweakStatusAllocationDevice(obj resource.ResourceClaim, device string) resource.ResourceClaim {
+	if obj.Status.Allocation != nil && len(obj.Status.Allocation.Devices.Results) > 0 {
+		obj.Status.Allocation.Devices.Results[0].Device = device
+	}
+	return obj
+}
+
+func tweakStatusAllocationDriver(obj resource.ResourceClaim, driver string) resource.ResourceClaim {
+	if obj.Status.Allocation != nil && len(obj.Status.Allocation.Devices.Results) > 0 {
+		obj.Status.Allocation.Devices.Results[0].Driver = driver
+	}
+	return obj
+}
+
+func tweakStatusAllocationPool(obj resource.ResourceClaim, pool string) resource.ResourceClaim {
+	if obj.Status.Allocation != nil && len(obj.Status.Allocation.Devices.Results) > 0 {
+		obj.Status.Allocation.Devices.Results[0].Pool = pool
+	}
+	return obj
+}
+
+func addStatusAllocationResult(obj resource.ResourceClaim) resource.ResourceClaim {
+	if obj.Status.Allocation != nil {
+		obj.Status.Allocation.Devices.Results = append(obj.Status.Allocation.Devices.Results,
+			resource.DeviceRequestAllocationResult{
+				Request: "req-0",
+				Driver:  "another.example.com",
+				Pool:    "pool-1",
+				Device:  "device-1",
+			})
+	}
+	return obj
+}
+
+func tweakStatusAllocationConfigSource(source resource.AllocationConfigSource) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			rc.Status.Allocation = &resource.AllocationResult{}
+		}
+		if len(rc.Status.Allocation.Devices.Config) == 0 {
+			rc.Status.Allocation.Devices.Config = append(rc.Status.Allocation.Devices.Config, resource.DeviceAllocationConfiguration{
+				Source:   resource.AllocationConfigSourceClaim,
+				Requests: []string{"req-0"},
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver: "dra.example.com",
+						Parameters: runtime.RawExtension{
+							Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+						},
+					},
+				},
+			})
+		}
+		rc.Status.Allocation.Devices.Config[0].Source = source
+	}
+}
+
+func tweakMatchAttribute(val string) func(*resource.ResourceClaim) {
+	return func(obj *resource.ResourceClaim) {
+		fullyQualifiedName := resource.FullyQualifiedName(val)
+		obj.Spec.Devices.Constraints = []resource.DeviceConstraint{
+			{
+				MatchAttribute: &fullyQualifiedName,
+			},
+		}
+	}
+}
+
+func tweakAddStatusAllocationConfigRequest(req string) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			rc.Status.Allocation = &resource.AllocationResult{}
+		}
+		if len(rc.Status.Allocation.Devices.Config) == 0 {
+			rc.Status.Allocation.Devices.Config = append(rc.Status.Allocation.Devices.Config, resource.DeviceAllocationConfiguration{
+				Source:   resource.AllocationConfigSourceClaim,
+				Requests: []string{"req-0"},
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver: "dra.example.com",
+						Parameters: runtime.RawExtension{
+							Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+						},
+					},
+				},
+			})
+		}
+		rc.Status.Allocation.Devices.Config[0].Requests = append(rc.Status.Allocation.Devices.Config[0].Requests, req)
+	}
+}
+
+func tweakStatusAllocationConfigRequests(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if rc.Status.Allocation == nil {
+			rc.Status.Allocation = &resource.AllocationResult{}
+		}
+		tweakDevicesRequests(count)(rc)
+		if len(rc.Status.Allocation.Devices.Config) == 0 {
+			rc.Status.Allocation.Devices.Config = append(rc.Status.Allocation.Devices.Config, resource.DeviceAllocationConfiguration{
+				Source:   resource.AllocationConfigSourceClaim,
+				Requests: []string{},
+				DeviceConfiguration: resource.DeviceConfiguration{
+					Opaque: &resource.OpaqueDeviceConfiguration{
+						Driver: "dra.example.com",
+						Parameters: runtime.RawExtension{
+							Raw: []byte(`{"kind": "foo", "apiVersion": "dra.example.com/v1"}`),
+						},
+					},
+				},
+			})
+		}
+		for i := 0; i < count; i++ {
+			rc.Status.Allocation.Devices.Config[0].Requests = append(rc.Status.Allocation.Devices.Config[0].Requests, fmt.Sprintf("req-%d", i))
+		}
+	}
+}
+
+func tweakStatusDevicesTooManyIPs(count int) func(rc *resource.ResourceClaim) {
+	return func(rc *resource.ResourceClaim) {
+		if len(rc.Status.Devices) == 0 {
+			rc.Status.Devices = append(rc.Status.Devices, standardAllocatedDeviceStatus())
+		}
+		if rc.Status.Devices[0].NetworkData == nil {
+			rc.Status.Devices[0].NetworkData = &resource.NetworkDeviceData{}
+		}
+		rc.Status.Devices[0].NetworkData.IPs = []string{}
+		for i := 0; i < count; i++ {
+			rc.Status.Devices[0].NetworkData.IPs = append(rc.Status.Devices[0].NetworkData.IPs, fmt.Sprintf("1.2.3.%d/32", i))
+		}
+	}
+}
diff --git a/pkg/registry/resource/resourceclaim/strategy.go b/pkg/registry/resource/resourceclaim/strategy.go
index 5b57d4c842a20..8ddb811be1e6e 100644
--- a/pkg/registry/resource/resourceclaim/strategy.go
+++ b/pkg/registry/resource/resourceclaim/strategy.go
@@ -20,6 +20,9 @@ import (
 	"context"
 	"errors"
 
+	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
+
+	"k8s.io/apimachinery/pkg/api/operation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
@@ -28,18 +31,19 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/registry/generic"
+	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/storage/names"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/dynamic-resource-allocation/structured"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/api/resourceclaimspec"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/apis/resource/validation"
 	"k8s.io/kubernetes/pkg/features"
 	resourceutils "k8s.io/kubernetes/pkg/registry/resource"
 	"k8s.io/utils/ptr"
-	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 )
 
 // resourceclaimStrategy implements behavior for ResourceClaim objects
@@ -89,14 +93,15 @@ func (*resourceclaimStrategy) PrepareForCreate(ctx context.Context, obj runtime.
 	// Status must not be set by user on create.
 	claim.Status = resource.ResourceClaimStatus{}
 
-	dropDisabledFields(claim, nil)
+	dropDisabledSpecFields(claim, nil)
 }
 
 func (s *resourceclaimStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	claim := obj.(*resource.ResourceClaim)
 
 	allErrs := resourceutils.AuthorizedForAdmin(ctx, claim.Spec.Devices.Requests, claim.Namespace, s.nsClient)
-	return append(allErrs, validation.ValidateResourceClaim(claim)...)
+	allErrs = append(allErrs, validation.ValidateResourceClaim(claim)...)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, claim, nil, allErrs, operation.Create, rest.WithNormalizationRules(validation.ResourceNormalizationRules))
 }
 
 func (*resourceclaimStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
@@ -115,15 +120,15 @@ func (*resourceclaimStrategy) PrepareForUpdate(ctx context.Context, obj, old run
 	oldClaim := old.(*resource.ResourceClaim)
 	newClaim.Status = oldClaim.Status
 
-	dropDisabledFields(newClaim, oldClaim)
+	dropDisabledSpecFields(newClaim, oldClaim)
 }
 
 func (s *resourceclaimStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
 	newClaim := obj.(*resource.ResourceClaim)
 	oldClaim := old.(*resource.ResourceClaim)
 	// AuthorizedForAdmin isn't needed here because the spec is immutable.
-	errorList := validation.ValidateResourceClaim(newClaim)
-	return append(errorList, validation.ValidateResourceClaimUpdate(newClaim, oldClaim)...)
+	errorList := validation.ValidateResourceClaimUpdate(newClaim, oldClaim)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newClaim, oldClaim, errorList, operation.Update, rest.WithNormalizationRules(validation.ResourceNormalizationRules))
 }
 
 func (*resourceclaimStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
@@ -148,15 +153,19 @@ func NewStatusStrategy(resourceclaimStrategy *resourceclaimStrategy) *resourcecl
 func (*resourceclaimStatusStrategy) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
 	fields := map[fieldpath.APIVersion]*fieldpath.Set{
 		"resource.k8s.io/v1alpha3": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("metadata"),
 			fieldpath.MakePathOrDie("spec"),
 		),
 		"resource.k8s.io/v1beta1": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("metadata"),
 			fieldpath.MakePathOrDie("spec"),
 		),
 		"resource.k8s.io/v1beta2": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("metadata"),
 			fieldpath.MakePathOrDie("spec"),
 		),
 		"resource.k8s.io/v1": fieldpath.NewSet(
+			fieldpath.MakePathOrDie("metadata"),
 			fieldpath.MakePathOrDie("spec"),
 		),
 	}
@@ -170,8 +179,8 @@ func (*resourceclaimStatusStrategy) PrepareForUpdate(ctx context.Context, obj, o
 	newClaim.Spec = oldClaim.Spec
 	metav1.ResetObjectMetaForStatus(&newClaim.ObjectMeta, &oldClaim.ObjectMeta)
 
-	dropDeallocatedStatusDevices(newClaim, oldClaim)
-	dropDisabledFields(newClaim, oldClaim)
+	dropDisabledStatusFields(newClaim, oldClaim)
+	dropDeallocatedStatusDevices(newClaim, oldClaim) // NOP if fields got dropped, so do this last.
 }
 
 func (r *resourceclaimStatusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
@@ -184,8 +193,9 @@ func (r *resourceclaimStatusStrategy) ValidateUpdate(ctx context.Context, obj, o
 	if oldClaim.Status.Allocation != nil {
 		oldAllocationResult = oldClaim.Status.Allocation.Devices.Results
 	}
-	allErrs := resourceutils.AuthorizedForAdminStatus(ctx, newAllocationResult, oldAllocationResult, newClaim.Namespace, r.nsClient)
-	return append(allErrs, validation.ValidateResourceClaimStatusUpdate(newClaim, oldClaim)...)
+	errs := resourceutils.AuthorizedForAdminStatus(ctx, newAllocationResult, oldAllocationResult, newClaim.Namespace, r.nsClient)
+	errs = append(errs, validation.ValidateResourceClaimStatusUpdate(newClaim, oldClaim)...)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, newClaim, oldClaim, errs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
@@ -217,43 +227,24 @@ func toSelectableFields(claim *resource.ResourceClaim) fields.Set {
 	return fields
 }
 
-// dropDisabledFields removes fields which are covered by a feature gate.
-func dropDisabledFields(newClaim, oldClaim *resource.ResourceClaim) {
-	dropDisabledDRAPrioritizedListFields(newClaim, oldClaim)
-	dropDisabledDRAAdminAccessFields(newClaim, oldClaim)
-	dropDisabledDRAResourceClaimDeviceStatusFields(newClaim, oldClaim)
-	dropDisabledDRADeviceBindingConditionsFields(newClaim, oldClaim)
-	dropDisabledDRAResourceClaimConsumableCapacityFields(newClaim, oldClaim)
-}
-
-func dropDisabledDRAPrioritizedListFields(newClaim, oldClaim *resource.ResourceClaim) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList) {
-		return
-	}
-	if draPrioritizedListFeatureInUse(oldClaim) {
-		return
-	}
-
-	for i := range newClaim.Spec.Devices.Requests {
-		newClaim.Spec.Devices.Requests[i].FirstAvailable = nil
+// dropDisabledSpecFields removes fields from the spec which are covered by a feature gate.
+func dropDisabledSpecFields(newClaim, oldClaim *resource.ResourceClaim) {
+	var oldClaimSpec *resource.ResourceClaimSpec
+	if oldClaim != nil {
+		oldClaimSpec = &oldClaim.Spec
 	}
+	resourceclaimspec.DropDisabledFields(&newClaim.Spec, oldClaimSpec)
 }
 
-func draPrioritizedListFeatureInUse(claim *resource.ResourceClaim) bool {
-	if claim == nil {
-		return false
-	}
-
-	for _, request := range claim.Spec.Devices.Requests {
-		if len(request.FirstAvailable) > 0 {
-			return true
-		}
-	}
-
-	return false
+// dropDisabledStatusFields removes fields from the status which are covered by a feature gate.
+func dropDisabledStatusFields(newClaim, oldClaim *resource.ResourceClaim) {
+	dropDisabledDRAResourceClaimDeviceStatusFields(newClaim, oldClaim)
+	dropDisabledDRAAdminAccessStatusFields(newClaim, oldClaim)
+	dropDisabledDRAResourceClaimConsumableCapacityStatusFields(newClaim, oldClaim)
+	dropDeviceBindingConditionsFields(newClaim, oldClaim)
 }
 
-func dropDisabledDRAAdminAccessFields(newClaim, oldClaim *resource.ResourceClaim) {
+func dropDisabledDRAAdminAccessStatusFields(newClaim, oldClaim *resource.ResourceClaim) {
 	if utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess) {
 		// No need to drop anything.
 		return
@@ -268,15 +259,10 @@ func dropDisabledDRAAdminAccessFields(newClaim, oldClaim *resource.ResourceClaim
 		return
 	}
 
-	for i := range newClaim.Spec.Devices.Requests {
-		if newClaim.Spec.Devices.Requests[i].Exactly != nil {
-			newClaim.Spec.Devices.Requests[i].Exactly.AdminAccess = nil
-		}
-	}
-
 	if newClaim.Status.Allocation == nil {
 		return
 	}
+
 	for i := range newClaim.Status.Allocation.Devices.Results {
 		newClaim.Status.Allocation.Devices.Results[i].AdminAccess = nil
 	}
@@ -287,10 +273,8 @@ func draAdminAccessFeatureInUse(claim *resource.ResourceClaim) bool {
 		return false
 	}
 
-	for _, request := range claim.Spec.Devices.Requests {
-		if request.Exactly != nil && request.Exactly.AdminAccess != nil {
-			return true
-		}
+	if resourceclaimspec.DRAAdminAccessFeatureInUse(&claim.Spec) {
+		return true
 	}
 
 	if allocation := claim.Status.Allocation; allocation != nil {
@@ -317,6 +301,10 @@ func dropDisabledDRAResourceClaimDeviceStatusFields(newClaim, oldClaim *resource
 
 // dropDeallocatedStatusDevices removes the status.devices that were allocated
 // in the oldClaim and that have been removed in the newClaim.
+//
+// In other words, it removes stale status entries after deallocation. Doing
+// this in the apiserver avoids having to update clients which might be unaware
+// of the status feature.
 func dropDeallocatedStatusDevices(newClaim, oldClaim *resource.ResourceClaim) {
 	if !utilfeature.DefaultFeatureGate.Enabled(features.DRAResourceClaimDeviceStatus) && !isDRAResourceClaimDeviceStatusInUse(oldClaim) {
 		return
@@ -363,64 +351,13 @@ func dropDeallocatedStatusDevices(newClaim, oldClaim *resource.ResourceClaim) {
 	}
 }
 
-// TODO: add tests after partitionable devices is merged (code conflict!)
-
-// dropDisabledDRADeviceBindingConditionsFields removes fields which are covered by a feature gate.
-func dropDisabledDRADeviceBindingConditionsFields(newClaim, oldClaim *resource.ResourceClaim) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceBindingConditions) && utilfeature.DefaultFeatureGate.Enabled(features.DRAResourceClaimDeviceStatus) ||
-		draBindingConditionsFeatureInUse(oldClaim) {
-		return
-	}
-
-	if newClaim.Status.Allocation == nil {
-		return
-	}
-	newClaim.Status.Allocation.AllocationTimestamp = nil
-
-	for i := range newClaim.Status.Allocation.Devices.Results {
-		newClaim.Status.Allocation.Devices.Results[i].BindingConditions = nil
-		newClaim.Status.Allocation.Devices.Results[i].BindingFailureConditions = nil
-	}
-}
-
-func draBindingConditionsFeatureInUse(claim *resource.ResourceClaim) bool {
-	if claim == nil || claim.Status.Allocation == nil {
-		return false
-	}
-
-	if claim.Status.Allocation.AllocationTimestamp != nil {
-		return true
-	}
-
-	for _, result := range claim.Status.Allocation.Devices.Results {
-		if len(result.BindingConditions) != 0 || len(result.BindingFailureConditions) != 0 {
-			return true
-		}
-	}
-
-	return false
-}
-
 func draConsumableCapacityFeatureInUse(claim *resource.ResourceClaim) bool {
 	if claim == nil {
 		return false
 	}
 
-	for _, constaint := range claim.Spec.Devices.Constraints {
-		if constaint.DistinctAttribute != nil {
-			return true
-		}
-	}
-
-	for _, request := range claim.Spec.Devices.Requests {
-		if request.Exactly != nil && request.Exactly.Capacity != nil {
-			return true
-		}
-		for _, subRequest := range request.FirstAvailable {
-			if subRequest.Capacity != nil {
-				return true
-			}
-		}
+	if resourceclaimspec.DRAConsumableCapacityFeatureInUse(&claim.Spec) {
+		return true
 	}
 
 	if allocation := claim.Status.Allocation; allocation != nil {
@@ -441,30 +378,29 @@ func draConsumableCapacityFeatureInUse(claim *resource.ResourceClaim) bool {
 	return false
 }
 
-// dropDisabledDRAResourceClaimConsumableCapacityFields drops any new feature fields
-// from the newClaim if they were not used in the oldClaim.
-func dropDisabledDRAResourceClaimConsumableCapacityFields(newClaim, oldClaim *resource.ResourceClaim) {
+func draDeviceBindingConditionsInUse(claim *resource.ResourceClaim) bool {
+	if claim == nil {
+		return false
+	}
+	if allocation := claim.Status.Allocation; allocation != nil {
+		for _, result := range allocation.Devices.Results {
+			if result.BindingConditions != nil || result.BindingFailureConditions != nil {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// dropDisabledDRAResourceClaimConsumableCapacityStatusFields drops any new feature fields
+// from the newClaim status if they were not used in the oldClaim.
+func dropDisabledDRAResourceClaimConsumableCapacityStatusFields(newClaim, oldClaim *resource.ResourceClaim) {
 	if utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity) ||
 		draConsumableCapacityFeatureInUse(oldClaim) {
 		// No need to drop anything.
 		return
 	}
 
-	for _, constaint := range newClaim.Spec.Devices.Constraints {
-		constaint.DistinctAttribute = nil
-	}
-
-	// Drop any CapacityRequests newly added.
-	for i := range newClaim.Spec.Devices.Requests {
-		if newClaim.Spec.Devices.Requests[i].Exactly != nil {
-			newClaim.Spec.Devices.Requests[i].Exactly.Capacity = nil
-		}
-		request := newClaim.Spec.Devices.Requests[i]
-		for j := range request.FirstAvailable {
-			newClaim.Spec.Devices.Requests[i].FirstAvailable[j].Capacity = nil
-		}
-	}
-
 	if allocation := newClaim.Status.Allocation; allocation != nil {
 		for i := range allocation.Devices.Results {
 			newClaim.Status.Allocation.Devices.Results[i].ShareID = nil
@@ -478,3 +414,20 @@ func dropDisabledDRAResourceClaimConsumableCapacityFields(newClaim, oldClaim *re
 		}
 	}
 }
+
+// dropDeviceBindingConditionsFields drops any new feature fields
+// from the newClaim status if they were not used in the oldClaim.
+func dropDeviceBindingConditionsFields(newClaim, oldClaim *resource.ResourceClaim) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceBindingConditions) ||
+		draDeviceBindingConditionsInUse(oldClaim) {
+		// No need to drop anything.
+		return
+	}
+
+	if allocation := newClaim.Status.Allocation; allocation != nil {
+		for i := range allocation.Devices.Results {
+			newClaim.Status.Allocation.Devices.Results[i].BindingConditions = nil
+			newClaim.Status.Allocation.Devices.Results[i].BindingFailureConditions = nil
+		}
+	}
+}
diff --git a/pkg/registry/resource/resourceclaim/strategy_test.go b/pkg/registry/resource/resourceclaim/strategy_test.go
index c4e77313b014a..4481b620f3fa1 100644
--- a/pkg/registry/resource/resourceclaim/strategy_test.go
+++ b/pkg/registry/resource/resourceclaim/strategy_test.go
@@ -152,7 +152,7 @@ var objWithAdminAccessInNonAdminNamespace = &resource.ResourceClaim{
 	},
 }
 
-var objStatusInNonAdminNamespace = &resource.ResourceClaim{
+var objWithAdminAccessStatusInNonAdminNamespace = &resource.ResourceClaim{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:      "valid-claim",
 		Namespace: "default",
@@ -165,6 +165,7 @@ var objStatusInNonAdminNamespace = &resource.ResourceClaim{
 					Exactly: &resource.ExactDeviceRequest{
 						DeviceClassName: "class",
 						AllocationMode:  resource.DeviceAllocationModeAll,
+						AdminAccess:     ptr.To(true),
 					},
 				},
 			},
@@ -175,20 +176,22 @@ var objStatusInNonAdminNamespace = &resource.ResourceClaim{
 			Devices: resource.DeviceAllocationResult{
 				Results: []resource.DeviceRequestAllocationResult{
 					{
-						Request: "req-0",
-						Driver:  "dra.example.com",
-						Pool:    "pool-0",
-						Device:  "device-0",
+						Request:     "req-0",
+						Driver:      "dra.example.com",
+						Pool:        "pool-0",
+						Device:      "device-0",
+						AdminAccess: ptr.To(true),
 					},
 				},
 			},
 		},
 	},
 }
-var objWithAdminAccessStatusInNonAdminNamespace = &resource.ResourceClaim{
+
+var objWithDeviceTaints = &resource.ResourceClaim{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:      "valid-claim",
-		Namespace: "default",
+		Namespace: "kube-system",
 	},
 	Spec: resource.ResourceClaimSpec{
 		Devices: resource.DeviceClaim{
@@ -198,22 +201,31 @@ var objWithAdminAccessStatusInNonAdminNamespace = &resource.ResourceClaim{
 					Exactly: &resource.ExactDeviceRequest{
 						DeviceClassName: "class",
 						AllocationMode:  resource.DeviceAllocationModeAll,
-						AdminAccess:     ptr.To(true),
+						Tolerations:     []resource.DeviceToleration{{Key: "some-key", Operator: resource.DeviceTolerationOpExists}},
 					},
 				},
 			},
 		},
 	},
-	Status: resource.ResourceClaimStatus{
-		Allocation: &resource.AllocationResult{
-			Devices: resource.DeviceAllocationResult{
-				Results: []resource.DeviceRequestAllocationResult{
-					{
-						Request:     "req-0",
-						Driver:      "dra.example.com",
-						Pool:        "pool-0",
-						Device:      "device-0",
-						AdminAccess: ptr.To(true),
+}
+
+var objWithPrioritizedList = &resource.ResourceClaim{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimSpec{
+		Devices: resource.DeviceClaim{
+			Requests: []resource.DeviceRequest{
+				{
+					Name: "req-0",
+					FirstAvailable: []resource.DeviceSubRequest{
+						{
+							Name:            "subreq-0",
+							DeviceClassName: "class",
+							AllocationMode:  resource.DeviceAllocationModeExactCount,
+							Count:           1,
+						},
 					},
 				},
 			},
@@ -221,10 +233,10 @@ var objWithAdminAccessStatusInNonAdminNamespace = &resource.ResourceClaim{
 	},
 }
 
-var objWithPrioritizedList = &resource.ResourceClaim{
+var objWithDeviceTaintsInPrioritizedList = &resource.ResourceClaim{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:      "valid-claim",
-		Namespace: "default",
+		Namespace: "kube-system",
 	},
 	Spec: resource.ResourceClaimSpec{
 		Devices: resource.DeviceClaim{
@@ -237,6 +249,7 @@ var objWithPrioritizedList = &resource.ResourceClaim{
 							DeviceClassName: "class",
 							AllocationMode:  resource.DeviceAllocationModeExactCount,
 							Count:           1,
+							Tolerations:     []resource.DeviceToleration{{Key: "some-key", Operator: resource.DeviceTolerationOpExists}},
 						},
 					},
 				},
@@ -294,7 +307,6 @@ var objWithDeviceBindingConditions = &resource.ResourceClaim{
 					Exactly: &resource.ExactDeviceRequest{
 						DeviceClassName: "class",
 						AllocationMode:  resource.DeviceAllocationModeAll,
-						AdminAccess:     ptr.To(true),
 					},
 				},
 			},
@@ -318,6 +330,31 @@ var objWithDeviceBindingConditions = &resource.ResourceClaim{
 	},
 }
 
+var objWithCapacityRequests = &resource.ResourceClaim{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimSpec{
+		Devices: resource.DeviceClaim{
+			Requests: []resource.DeviceRequest{
+				{
+					Name: "req-0",
+					Exactly: &resource.ExactDeviceRequest{
+						DeviceClassName: "class",
+						AllocationMode:  resource.DeviceAllocationModeAll,
+						Capacity: &resource.CapacityRequirements{
+							Requests: map[resource.QualifiedName]apiresource.Quantity{
+								resource.QualifiedName("test-capacity"): apiresource.MustParse("1"),
+							},
+						},
+					},
+				},
+			},
+		},
+	},
+}
+
 var ns1 = &corev1.Namespace{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:   "default",
@@ -335,13 +372,17 @@ var adminAccessError = "Forbidden: admin access to devices requires the `resourc
 var fieldImmutableError = "field is immutable"
 var metadataError = "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters"
 var deviceRequestError = "exactly one of `exactly` or `firstAvailable` is required"
+var constraintError = "matchAttribute: Required value"
 
 const (
+	req0        = "req-0"
+	subReq0     = "subreq-0"
+	req0SubReq0 = "req-0/subreq-0"
+
 	testRequest = "test-request"
 	testDriver  = "test-driver"
 	testPool    = "test-pool"
 	testDevice  = "test-device"
-	testClass   = "test-class"
 )
 
 var (
@@ -352,12 +393,6 @@ var testCapacity = map[resource.QualifiedName]apiresource.Quantity{
 	resource.QualifiedName("test-capacity"): apiresource.MustParse("1"),
 }
 
-var objWithCapacityRequests = func() *resource.ResourceClaim {
-	obj := obj.DeepCopy()
-	addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-	return obj
-}()
-
 func TestStrategy(t *testing.T) {
 	fakeClient := fake.NewSimpleClientset()
 	mockNSClient := fakeClient.CoreV1().Namespaces()
@@ -375,6 +410,7 @@ func TestStrategyCreate(t *testing.T) {
 	testcases := map[string]struct {
 		obj                   *resource.ResourceClaim
 		adminAccess           bool
+		deviceTaints          bool
 		prioritizedList       bool
 		bindingConditions     bool
 		deviceStatus          bool
@@ -430,6 +466,48 @@ func TestStrategyCreate(t *testing.T) {
 				}
 			},
 		},
+		"drop-fields-device-taints": {
+			obj:          objWithDeviceTaints,
+			deviceTaints: false,
+			expectObj:    obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints": {
+			obj:          objWithDeviceTaints,
+			deviceTaints: true,
+			expectObj:    objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-device-taints-in-prioritized-list": {
+			obj:             objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints-in-prioritized-list": {
+			obj:             objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
 		"drop-fields-prioritized-list": {
 			obj:                   objWithPrioritizedList,
 			prioritizedList:       false,
@@ -494,11 +572,22 @@ func TestStrategyCreate(t *testing.T) {
 		"drop-fields-consumable-capacity-disabled-feature": {
 			obj:                objWithCapacityRequests,
 			consumableCapacity: false,
-			expectObj: func() *resource.ResourceClaim {
+			expectObj:          obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-consumable-capacity-disabled-feature-with-distinct-attribute": {
+			obj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, nil, false)
+				modifySpecDeviceRequestWithCapacityRequests(obj, nil, false)
+				addDistinctAttribute(obj)
 				return obj
 			}(),
+			consumableCapacity:    false,
+			expectValidationError: constraintError,
 			verify: func(t *testing.T, as []testclient.Action) {
 				if len(as) != 0 {
 					t.Errorf("expected no action to be taken")
@@ -507,15 +596,15 @@ func TestStrategyCreate(t *testing.T) {
 		},
 		"drop-fields-consumable-capacity-disabled-feature-with-prioritized-list": {
 			obj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, true)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
 				return obj
 			}(),
 			consumableCapacity: false,
 			prioritizedList:    true,
 			expectObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, nil, true)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, nil, true)
 				return obj
 			}(),
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -530,14 +619,21 @@ func TestStrategyCreate(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			fakeClient := fake.NewSimpleClientset(ns1, ns2)
 			mockNSClient := fakeClient.CoreV1().Namespaces()
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, tc.adminAccess)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, tc.prioritizedList)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacity)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAAdminAccess:        tc.adminAccess,
+				features.DRADeviceTaints:       tc.deviceTaints,
+				features.DRAPrioritizedList:    tc.prioritizedList,
+				features.DRAConsumableCapacity: tc.consumableCapacity,
+			})
 			strategy := NewStrategy(mockNSClient)
 
 			obj := tc.obj.DeepCopy()
 			strategy.PrepareForCreate(ctx, obj)
 			if errs := strategy.Validate(ctx, obj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.Len(t, errs, 1, "exactly one error expected")
 				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
 				return
 			}
@@ -560,9 +656,10 @@ func TestStrategyUpdate(t *testing.T) {
 		oldObj                *resource.ResourceClaim
 		newObj                *resource.ResourceClaim
 		adminAccess           bool
-		expectValidationError string
+		deviceTaints          bool
 		prioritizedList       bool
 		consumableCapacity    bool
+		expectValidationError string
 		expectObj             *resource.ResourceClaim
 		verify                func(*testing.T, []testclient.Action)
 	}{
@@ -649,7 +746,7 @@ func TestStrategyUpdate(t *testing.T) {
 			oldObj:                obj,
 			newObj:                objWithPrioritizedList,
 			prioritizedList:       false,
-			expectValidationError: deviceRequestError,
+			expectValidationError: fieldImmutableError,
 			verify: func(t *testing.T, as []testclient.Action) {
 				if len(as) != 0 {
 					t.Errorf("expected no action to be taken")
@@ -690,7 +787,7 @@ func TestStrategyUpdate(t *testing.T) {
 			},
 		},
 		"keep-existing-fields-consumable-capacity": {
-			oldObj:             obj,
+			oldObj:             objWithCapacityRequests,
 			newObj:             objWithCapacityRequests,
 			consumableCapacity: true,
 			expectObj:          objWithCapacityRequests,
@@ -717,7 +814,7 @@ func TestStrategyUpdate(t *testing.T) {
 			consumableCapacity: false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, nil, false)
+				modifySpecDeviceRequestWithCapacityRequests(obj, nil, false)
 				return obj
 			}(),
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -728,16 +825,20 @@ func TestStrategyUpdate(t *testing.T) {
 		},
 		"drop-fields-consumable-capacity-disabled-feature-with-prioritized-list": {
 			oldObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, nil, true)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, nil, true)
+				return obj
+			}(),
+			newObj: func() *resource.ResourceClaim {
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
 				return obj
 			}(),
-			newObj:             objWithCapacityRequests,
 			consumableCapacity: false,
 			prioritizedList:    true,
 			expectObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, nil, true)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, nil, true)
 				return obj
 			}(),
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -746,6 +847,102 @@ func TestStrategyUpdate(t *testing.T) {
 				}
 			},
 		},
+		"drop-fields-device-taints": {
+			oldObj:          obj,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints": {
+			oldObj:                obj,
+			newObj:                objWithDeviceTaints,
+			deviceTaints:          true,
+			prioritizedList:       true,
+			expectValidationError: fieldImmutableError, // Spec is immutable, cannot add tolerations.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints": {
+			oldObj:          objWithDeviceTaints,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-disabled-feature": {
+			oldObj:          objWithDeviceTaints,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-device-taints-in-prioritized-list": {
+			oldObj:          objWithPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints-in-prioritized-list": {
+			oldObj:                objWithPrioritizedList,
+			newObj:                objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:          true,
+			prioritizedList:       true,
+			expectValidationError: fieldImmutableError, // Spec is immutable, cannot add tolerations.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-in-prioritized-list": {
+			oldObj:          objWithDeviceTaintsInPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-in-prioritized-list-disabled-feature": {
+			oldObj:          objWithDeviceTaintsInPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
 	}
 
 	for name, tc := range testcases {
@@ -753,9 +950,12 @@ func TestStrategyUpdate(t *testing.T) {
 			fakeClient := fake.NewSimpleClientset(ns1, ns2)
 			mockNSClient := fakeClient.CoreV1().Namespaces()
 
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, tc.adminAccess)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, tc.prioritizedList)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacity)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAAdminAccess:        tc.adminAccess,
+				features.DRADeviceTaints:       tc.deviceTaints,
+				features.DRAPrioritizedList:    tc.prioritizedList,
+				features.DRAConsumableCapacity: tc.consumableCapacity,
+			})
 
 			strategy := NewStrategy(mockNSClient)
 
@@ -765,6 +965,10 @@ func TestStrategyUpdate(t *testing.T) {
 
 			strategy.PrepareForUpdate(ctx, newObj, oldObj)
 			if errs := strategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.Len(t, errs, 1, "exactly one error expected")
 				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
 				return
 			}
@@ -871,7 +1075,7 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			},
 		},
 		"keep-fields-admin-access-NonAdminNamespace": {
-			oldObj:                objStatusInNonAdminNamespace,
+			oldObj:                objInNonAdminNamespace,
 			newObj:                objWithAdminAccessStatusInNonAdminNamespace,
 			adminAccess:           true,
 			expectValidationError: adminAccessError,
@@ -1061,7 +1265,7 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			},
 		},
 		"keep-fields-binding-conditions": {
-			oldObj:    objWithStatus,
+			oldObj:    obj,
 			newObj:    objWithDeviceBindingConditions,
 			expectObj: objWithDeviceBindingConditions,
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1073,13 +1277,8 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			deviceStatusFeatureGate: true,
 		},
 		"keep-exist-fields-disable-bindingconditions-feature-gate": {
-			oldObj: objWithDeviceBindingConditions,
-			newObj: func() *resource.ResourceClaim {
-				obj := objWithDeviceBindingConditions.DeepCopy()
-				obj.Status.Allocation.Devices.Results[0].BindingConditions = nil
-				obj.Status.Allocation.Devices.Results[0].BindingFailureConditions = nil
-				return obj
-			}(),
+			oldObj:    objWithDeviceBindingConditions,
+			newObj:    objWithDeviceBindingConditions,
 			expectObj: objWithDeviceBindingConditions,
 			verify: func(t *testing.T, as []testclient.Action) {
 				if len(as) != 0 {
@@ -1090,7 +1289,7 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			deviceStatusFeatureGate: true,
 		},
 		"drop-fields-binding-conditions": {
-			oldObj:    objWithStatus,
+			oldObj:    obj,
 			newObj:    objWithDeviceBindingConditions,
 			expectObj: objWithStatus,
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1102,7 +1301,7 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			deviceStatusFeatureGate: true,
 		},
 		"drop-fields-binding-conditions-disable-feature-gate": {
-			oldObj:    objWithStatus,
+			oldObj:    obj,
 			newObj:    objWithDeviceBindingConditions,
 			expectObj: objWithStatus,
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1114,7 +1313,7 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			deviceStatusFeatureGate: false,
 		},
 		"drop-fields-binding-conditions-disable-binding-conditions-feature-gate": {
-			oldObj:    objWithStatus,
+			oldObj:    obj,
 			newObj:    objWithDeviceBindingConditions,
 			expectObj: objWithStatus,
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1125,29 +1324,19 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			bindingConditions:       false,
 			deviceStatusFeatureGate: true,
 		},
-		"drop-fields-binding-conditions-disable-device-status-feature-gate": {
-			oldObj:    objWithStatus,
-			newObj:    objWithDeviceBindingConditions,
-			expectObj: objWithStatus,
-			verify: func(t *testing.T, as []testclient.Action) {
-				if len(as) != 0 {
-					t.Errorf("expected no action to be taken")
-				}
-			},
-			bindingConditions:       true,
-			deviceStatusFeatureGate: false,
-		},
 		"keep-fields-consumable-capacity-with-device-status": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim { // Status is added with share id and consumed capacities
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1156,8 +1345,9 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			prioritizedListFeatureGate:    false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1170,14 +1360,16 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		"keep-fields-consumable-capacity-disabled-feature-gate-with-device-status": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim { // Status is added with share id and consumed capacities
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1185,8 +1377,9 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			consumableCapacityFeatureGate: false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1199,14 +1392,16 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		"keep-fields-consumable-capacity-with-device-status-disabled-feature-gate": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim { // Status should not be added
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1214,8 +1409,9 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			consumableCapacityFeatureGate: true,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				return obj
 			}(),
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1226,14 +1422,16 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		},
 		"keep-fields-consumable-capacity-with-device-status-with-prioritized-list-disabled-feature-gate": {
 			oldObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
+				addDistinctAttribute(obj)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim { // Status is added with share id and consumed capacities but FirstAvailable should not be set
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, true)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0SubReq0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1241,9 +1439,10 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			consumableCapacityFeatureGate: true,
 			prioritizedListFeatureGate:    false,
 			expectObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0SubReq0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1256,18 +1455,18 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		"drop-fields-consumable-capacity-disabled-feature-gate": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
+				addSpecDevicesRequest(obj, req0)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
 				return obj
 			}(),
 			consumableCapacityFeatureGate: false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
+				addSpecDevicesRequest(obj, req0)
 				return obj
 			}(),
 			verify: func(t *testing.T, as []testclient.Action) {
@@ -1277,23 +1476,16 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			},
 		},
 		"drop-fields-consumable-capacity-disabled-feature-gate-with-prioritized-list": {
-			oldObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
-				return obj
-			}(),
+			oldObj: objWithPrioritizedList,
 			newObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, true)
+				obj := objWithPrioritizedList.DeepCopy()
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, true)
+				addDistinctAttribute(obj)
 				return obj
 			}(),
 			prioritizedListFeatureGate:    true,
 			consumableCapacityFeatureGate: false,
-			expectObj: func() *resource.ResourceClaim {
-				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
-				return obj
-			}(),
+			expectObj:                     objWithPrioritizedList,
 			verify: func(t *testing.T, as []testclient.Action) {
 				if len(as) != 0 {
 					t.Errorf("expected no action to be taken")
@@ -1303,13 +1495,14 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		"drop-fields-consumable-capacity-disabled-feature-gate-with-device-status": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
+				addSpecDevicesRequest(obj, req0)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDeviceRequestWithCapacityRequests(obj, testRequest, testClass, testCapacity, false)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, testShareID, testCapacity)
+				modifySpecDeviceRequestWithCapacityRequests(obj, testCapacity, false)
+				addDistinctAttribute(obj)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, testShareID, testCapacity)
 				addStatusDevices(obj, testDriver, testPool, testDevice, testShareID)
 				return obj
 			}(),
@@ -1317,8 +1510,8 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			consumableCapacityFeatureGate: false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, nil, nil)
+				addSpecDevicesRequest(obj, req0)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, nil, nil)
 				addStatusDevices(obj, testDriver, testPool, testDevice, nil)
 				return obj
 			}(),
@@ -1331,13 +1524,13 @@ func TestStatusStrategyUpdate(t *testing.T) {
 		"drop-fields-consumable-capacity-disabled-feature-gate-with-device-status-default-shareid": {
 			oldObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
+				addSpecDevicesRequest(obj, req0)
 				return obj
 			}(),
 			newObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, nil, nil)
+				addSpecDevicesRequest(obj, req0)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, nil, nil)
 				addStatusDevices(obj, testDriver, testPool, testDevice, nil)
 				return obj
 			}(),
@@ -1345,8 +1538,8 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			consumableCapacityFeatureGate: false,
 			expectObj: func() *resource.ResourceClaim {
 				obj := obj.DeepCopy()
-				addSpecDevicesRequest(obj, testRequest)
-				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, testRequest, nil, nil)
+				addSpecDevicesRequest(obj, req0)
+				addStatusAllocationDevicesResults(obj, testDriver, testPool, testDevice, req0, nil, nil)
 				addStatusDevices(obj, testDriver, testPool, testDevice, nil)
 				return obj
 			}(),
@@ -1364,13 +1557,17 @@ func TestStatusStrategyUpdate(t *testing.T) {
 			mockNSClient := fakeClient.CoreV1().Namespaces()
 			strategy := NewStrategy(mockNSClient)
 
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, tc.adminAccess)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAResourceClaimDeviceStatus, tc.deviceStatusFeatureGate)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceBindingConditions, tc.bindingConditions)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAAdminAccess:               tc.adminAccess,
+				features.DRAResourceClaimDeviceStatus: tc.deviceStatusFeatureGate,
+				features.DRADeviceBindingConditions:   tc.bindingConditions,
+			})
 			klog.InfoS("Testing strategy", "adminAccess", tc.adminAccess, "bindingConditions", tc.bindingConditions, "deviceStatus", tc.deviceStatusFeatureGate)
 
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacityFeatureGate)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, tc.prioritizedListFeatureGate)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAConsumableCapacity: tc.consumableCapacityFeatureGate,
+				features.DRAPrioritizedList:    tc.prioritizedListFeatureGate,
+			})
 			statusStrategy := NewStatusStrategy(strategy)
 
 			oldObj := tc.oldObj.DeepCopy()
@@ -1379,6 +1576,10 @@ func TestStatusStrategyUpdate(t *testing.T) {
 
 			statusStrategy.PrepareForUpdate(ctx, newObj, oldObj)
 			if errs := statusStrategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.Len(t, errs, 1, "exactly one error expected")
 				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
 				return
 			}
@@ -1404,40 +1605,26 @@ func addSpecDevicesRequest(resourceClaim *resource.ResourceClaim, request string
 	})
 }
 
-func addSpecDeviceRequestWithCapacityRequests(resourceClaim *resource.ResourceClaim,
-	request, class string, capacity map[resource.QualifiedName]apiresource.Quantity, prioritizedListFeature bool) {
-	r := resource.DeviceRequest{
-		Name: request,
-		Exactly: &resource.ExactDeviceRequest{
-			DeviceClassName: class,
-			AllocationMode:  resource.DeviceAllocationModeAll,
-		},
-	}
-	distinctConstraint := resource.DeviceConstraint{
-		Requests:          []string{request},
-		DistinctAttribute: ptr.To(resource.FullyQualifiedName("")),
-	}
-	if prioritizedListFeature {
-		r.FirstAvailable = []resource.DeviceSubRequest{
-			{
-				Name:            testRequest,
-				DeviceClassName: class,
-				AllocationMode:  resource.DeviceAllocationModeExactCount,
-				Count:           1,
-			},
-		}
-	}
+func modifySpecDeviceRequestWithCapacityRequests(resourceClaim *resource.ResourceClaim,
+	capacity map[resource.QualifiedName]apiresource.Quantity, prioritizedListFeature bool) {
 	if capacity != nil {
-		r.Exactly.Capacity = &resource.CapacityRequirements{
-			Requests: capacity,
-		}
 		if prioritizedListFeature {
-			r.FirstAvailable[0].Capacity = &resource.CapacityRequirements{
+			resourceClaim.Spec.Devices.Requests[0].FirstAvailable[0].Capacity = &resource.CapacityRequirements{
+				Requests: capacity,
+			}
+		} else {
+			resourceClaim.Spec.Devices.Requests[0].Exactly.Capacity = &resource.CapacityRequirements{
 				Requests: capacity,
 			}
 		}
 	}
-	resourceClaim.Spec.Devices.Requests = append(resourceClaim.Spec.Devices.Requests, r)
+}
+
+func addDistinctAttribute(resourceClaim *resource.ResourceClaim) {
+	distinctConstraint := resource.DeviceConstraint{
+		Requests:          []string{req0},
+		DistinctAttribute: ptr.To(resource.FullyQualifiedName("driver-a/attr")),
+	}
 	resourceClaim.Spec.Devices.Constraints = append(resourceClaim.Spec.Devices.Constraints, distinctConstraint)
 }
 
@@ -1457,14 +1644,10 @@ func addStatusAllocationDevicesResults(resourceClaim *resource.ResourceClaim, dr
 }
 
 func addStatusDevices(resourceClaim *resource.ResourceClaim, driver string, pool string, device string, shareID *types.UID) {
-	var shareIDStr *string
-	if shareID != nil {
-		shareIDStr = ptr.To(string(*shareID))
-	}
 	resourceClaim.Status.Devices = append(resourceClaim.Status.Devices, resource.AllocatedDeviceStatus{
 		Driver:  driver,
 		Pool:    pool,
 		Device:  device,
-		ShareID: shareIDStr,
+		ShareID: (*string)(shareID),
 	})
 }
diff --git a/pkg/registry/resource/resourceclaimtemplate/strategy.go b/pkg/registry/resource/resourceclaimtemplate/strategy.go
index 967bf85286ba2..f53e31ba753b5 100644
--- a/pkg/registry/resource/resourceclaimtemplate/strategy.go
+++ b/pkg/registry/resource/resourceclaimtemplate/strategy.go
@@ -26,12 +26,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/storage/names"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/api/resourceclaimspec"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/apis/resource/validation"
-	"k8s.io/kubernetes/pkg/features"
 	resourceutils "k8s.io/kubernetes/pkg/registry/resource"
 )
 
@@ -112,115 +111,9 @@ func toSelectableFields(template *resource.ResourceClaimTemplate) fields.Set {
 }
 
 func dropDisabledFields(newClaimTemplate, oldClaimTemplate *resource.ResourceClaimTemplate) {
-	dropDisabledDRAPrioritizedListFields(newClaimTemplate, oldClaimTemplate)
-	dropDisabledDRAAdminAccessFields(newClaimTemplate, oldClaimTemplate)
-	dropDisabledDRAResourceClaimConsumableCapacityFields(newClaimTemplate, oldClaimTemplate)
-}
-
-func dropDisabledDRAPrioritizedListFields(newClaimTemplate, oldClaimTemplate *resource.ResourceClaimTemplate) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList) {
-		return
-	}
-	if draPrioritizedListFeatureInUse(oldClaimTemplate) {
-		return
-	}
-
-	for i := range newClaimTemplate.Spec.Spec.Devices.Requests {
-		newClaimTemplate.Spec.Spec.Devices.Requests[i].FirstAvailable = nil
-	}
-}
-
-func draPrioritizedListFeatureInUse(claimTemplate *resource.ResourceClaimTemplate) bool {
-	if claimTemplate == nil {
-		return false
-	}
-
-	for _, request := range claimTemplate.Spec.Spec.Devices.Requests {
-		if len(request.FirstAvailable) > 0 {
-			return true
-		}
-	}
-
-	return false
-}
-
-func dropDisabledDRAAdminAccessFields(newClaimTemplate, oldClaimTemplate *resource.ResourceClaimTemplate) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess) {
-		// No need to drop anything.
-		return
-	}
-	if draAdminAccessFeatureInUse(oldClaimTemplate) {
-		// If anything was set in the past, then fields must not get
-		// dropped on potentially unrelated updates.
-		return
-	}
-
-	for i := range newClaimTemplate.Spec.Spec.Devices.Requests {
-		if newClaimTemplate.Spec.Spec.Devices.Requests[i].Exactly != nil {
-			newClaimTemplate.Spec.Spec.Devices.Requests[i].Exactly.AdminAccess = nil
-		}
-	}
-}
-
-func draAdminAccessFeatureInUse(claimTemplate *resource.ResourceClaimTemplate) bool {
-	if claimTemplate == nil {
-		return false
-	}
-
-	for _, request := range claimTemplate.Spec.Spec.Devices.Requests {
-		if request.Exactly != nil && request.Exactly.AdminAccess != nil {
-			return true
-		}
-	}
-
-	return false
-}
-
-func draConsumableCapacityFeatureInUse(claimTemplate *resource.ResourceClaimTemplate) bool {
-	if claimTemplate == nil {
-		return false
-	}
-
-	for _, constaint := range claimTemplate.Spec.Spec.Devices.Constraints {
-		if constaint.DistinctAttribute != nil {
-			return true
-		}
-	}
-
-	for _, request := range claimTemplate.Spec.Spec.Devices.Requests {
-		if request.Exactly != nil && request.Exactly.Capacity != nil {
-			return true
-		}
-		for _, subRequest := range request.FirstAvailable {
-			if subRequest.Capacity != nil {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
-// dropDisabledDRAResourceClaimConsumableCapacityFields drops any new feature field
-// from the newClaimTemplate if they were not used in the oldClaimTemplate.
-func dropDisabledDRAResourceClaimConsumableCapacityFields(newClaimTemplate, oldClaimTemplate *resource.ResourceClaimTemplate) {
-	if utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity) ||
-		draConsumableCapacityFeatureInUse(oldClaimTemplate) {
-		// No need to drop anything.
-		return
-	}
-
-	for _, constaint := range newClaimTemplate.Spec.Spec.Devices.Constraints {
-		constaint.DistinctAttribute = nil
-	}
-
-	for i := range newClaimTemplate.Spec.Spec.Devices.Requests {
-		if newClaimTemplate.Spec.Spec.Devices.Requests[i].Exactly != nil {
-			newClaimTemplate.Spec.Spec.Devices.Requests[i].Exactly.Capacity = nil
-		}
-		request := newClaimTemplate.Spec.Spec.Devices.Requests[i]
-		for j := range request.FirstAvailable {
-			newClaimTemplate.Spec.Spec.Devices.Requests[i].FirstAvailable[j].Capacity = nil
-		}
+	var oldClaimSpec *resource.ResourceClaimSpec
+	if oldClaimTemplate != nil {
+		oldClaimSpec = &oldClaimTemplate.Spec.Spec
 	}
+	resourceclaimspec.DropDisabledFields(&newClaimTemplate.Spec.Spec, oldClaimSpec)
 }
diff --git a/pkg/registry/resource/resourceclaimtemplate/strategy_test.go b/pkg/registry/resource/resourceclaimtemplate/strategy_test.go
index 201e6475312c9..73f2fae829685 100644
--- a/pkg/registry/resource/resourceclaimtemplate/strategy_test.go
+++ b/pkg/registry/resource/resourceclaimtemplate/strategy_test.go
@@ -79,6 +79,28 @@ var objWithAdminAccess = &resource.ResourceClaimTemplate{
 	},
 }
 
+var objInNonAdminNamespace = &resource.ResourceClaimTemplate{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim-template",
+		Namespace: "default",
+	},
+	Spec: resource.ResourceClaimTemplateSpec{
+		Spec: resource.ResourceClaimSpec{
+			Devices: resource.DeviceClaim{
+				Requests: []resource.DeviceRequest{
+					{
+						Name: "req-0",
+						Exactly: &resource.ExactDeviceRequest{
+							DeviceClassName: "class",
+							AllocationMode:  resource.DeviceAllocationModeAll,
+						},
+					},
+				},
+			},
+		},
+	},
+}
+
 var objWithAdminAccessInNonAdminNamespace = &resource.ResourceClaimTemplate{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:      "valid-claim-template",
@@ -102,10 +124,33 @@ var objWithAdminAccessInNonAdminNamespace = &resource.ResourceClaimTemplate{
 	},
 }
 
+var objWithDeviceTaints = &resource.ResourceClaimTemplate{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim-template",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimTemplateSpec{
+		Spec: resource.ResourceClaimSpec{
+			Devices: resource.DeviceClaim{
+				Requests: []resource.DeviceRequest{
+					{
+						Name: "req-0",
+						Exactly: &resource.ExactDeviceRequest{
+							DeviceClassName: "class",
+							AllocationMode:  resource.DeviceAllocationModeAll,
+							Tolerations:     []resource.DeviceToleration{{Key: "some-key", Operator: resource.DeviceTolerationOpExists}},
+						},
+					},
+				},
+			},
+		},
+	},
+}
+
 var objWithPrioritizedList = &resource.ResourceClaimTemplate{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:      "valid-claim-template",
-		Namespace: "default",
+		Namespace: "kube-system",
 	},
 	Spec: resource.ResourceClaimTemplateSpec{
 		Spec: resource.ResourceClaimSpec{
@@ -141,11 +186,7 @@ var objWithCapacityRequests = func() *resource.ResourceClaimTemplate {
 func addSpecDeviceRequestWithCapacityRequests(resourceClaimTemplate *resource.ResourceClaimTemplate,
 	capacity map[resource.QualifiedName]apiresource.Quantity, prioritizedListFeature bool) {
 	r := resource.DeviceRequest{
-		Name: "req-0",
-		Exactly: &resource.ExactDeviceRequest{
-			DeviceClassName: "class",
-			AllocationMode:  resource.DeviceAllocationModeAll,
-		},
+		Name: "cap-req-0",
 	}
 	if prioritizedListFeature {
 		r.FirstAvailable = []resource.DeviceSubRequest{
@@ -156,20 +197,53 @@ func addSpecDeviceRequestWithCapacityRequests(resourceClaimTemplate *resource.Re
 				Count:           1,
 			},
 		}
+	} else {
+		r.Exactly = &resource.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resource.DeviceAllocationModeAll,
+		}
 	}
 	if capacity != nil {
-		r.Exactly.Capacity = &resource.CapacityRequirements{
-			Requests: capacity,
-		}
 		if prioritizedListFeature {
 			r.FirstAvailable[0].Capacity = &resource.CapacityRequirements{
 				Requests: capacity,
 			}
+		} else {
+			r.Exactly.Capacity = &resource.CapacityRequirements{
+				Requests: capacity,
+			}
 		}
 	}
 	resourceClaimTemplate.Spec.Spec.Devices.Requests = append(resourceClaimTemplate.Spec.Spec.Devices.Requests, r)
 }
 
+var objWithDeviceTaintsInPrioritizedList = &resource.ResourceClaimTemplate{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "valid-claim-template",
+		Namespace: "kube-system",
+	},
+	Spec: resource.ResourceClaimTemplateSpec{
+		Spec: resource.ResourceClaimSpec{
+			Devices: resource.DeviceClaim{
+				Requests: []resource.DeviceRequest{
+					{
+						Name: "req-0",
+						FirstAvailable: []resource.DeviceSubRequest{
+							{
+								Name:            "subreq-0",
+								DeviceClassName: "class",
+								AllocationMode:  resource.DeviceAllocationModeExactCount,
+								Count:           1,
+								Tolerations:     []resource.DeviceToleration{{Key: "some-key", Operator: resource.DeviceTolerationOpExists}},
+							},
+						},
+					},
+				},
+			},
+		},
+	},
+}
+
 var ns1 = &corev1.Namespace{
 	ObjectMeta: metav1.ObjectMeta{
 		Name:   "default",
@@ -206,9 +280,10 @@ func TestClaimTemplateStrategyCreate(t *testing.T) {
 	testcases := map[string]struct {
 		obj                   *resource.ResourceClaimTemplate
 		adminAccess           bool
-		expectValidationError string
+		deviceTaints          bool
 		prioritizedList       bool
 		consumableCapacity    bool
+		expectValidationError string
 		expectObj             *resource.ResourceClaimTemplate
 		verify                func(*testing.T, []testclient.Action)
 	}{
@@ -259,6 +334,48 @@ func TestClaimTemplateStrategyCreate(t *testing.T) {
 				}
 			},
 		},
+		"drop-fields-device-taints": {
+			obj:          objWithDeviceTaints,
+			deviceTaints: false,
+			expectObj:    obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints": {
+			obj:          objWithDeviceTaints,
+			deviceTaints: true,
+			expectObj:    objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-device-taints-in-prioritized-list": {
+			obj:             objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints-in-prioritized-list": {
+			obj:             objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
 		"drop-fields-prioritized-list": {
 			obj:                   objWithPrioritizedList,
 			prioritizedList:       false,
@@ -359,13 +476,21 @@ func TestClaimTemplateStrategyCreate(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			fakeClient := fake.NewSimpleClientset(ns1, ns2)
 			mockNSClient := fakeClient.CoreV1().Namespaces()
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, tc.adminAccess)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, tc.prioritizedList)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRAAdminAccess:        tc.adminAccess,
+				features.DRADeviceTaints:       tc.deviceTaints,
+				features.DRAPrioritizedList:    tc.prioritizedList,
+				features.DRAConsumableCapacity: tc.consumableCapacity,
+			})
 			strategy := NewStrategy(mockNSClient)
 
 			obj := tc.obj.DeepCopy()
 			strategy.PrepareForCreate(ctx, obj)
 			if errs := strategy.Validate(ctx, obj); len(errs) != 0 {
+				if tc.expectValidationError == "" {
+					t.Fatalf("unexpected error(s): %v", errs)
+				}
+				assert.Len(t, errs, 1, "exactly one error expected")
 				assert.ErrorContains(t, errs[0], tc.expectValidationError, "the error message should have contained the expected error message")
 				return
 			}
@@ -437,6 +562,9 @@ func TestClaimTemplateStrategyUpdate(t *testing.T) {
 		strategy.PrepareForUpdate(ctx, newClaimTemplate, resourceClaimTemplate)
 		errs := strategy.ValidateUpdate(ctx, newClaimTemplate, resourceClaimTemplate)
 		if len(errs) != 0 {
+			if fieldImmutableError == "" {
+				t.Fatalf("unexpected error(s): %v", errs)
+			}
 			assert.ErrorContains(t, errs[0], fieldImmutableError, "the error message should have contained the expected error message")
 			return
 		}
@@ -448,3 +576,310 @@ func TestClaimTemplateStrategyUpdate(t *testing.T) {
 		}
 	})
 }
+
+func TestStrategyUpdate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	testcases := map[string]struct {
+		oldObj                 *resource.ResourceClaimTemplate
+		newObj                 *resource.ResourceClaimTemplate
+		adminAccess            bool
+		deviceTaints           bool
+		prioritizedList        bool
+		consumableCapacity     bool
+		expectValidationErrors []string
+		expectObj              *resource.ResourceClaimTemplate
+		verify                 func(*testing.T, []testclient.Action)
+	}{
+		"no-changes-okay": {
+			oldObj:    obj,
+			newObj:    obj,
+			expectObj: obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"name-change-not-allowed": {
+			oldObj: obj,
+			newObj: func() *resource.ResourceClaimTemplate {
+				obj := obj.DeepCopy()
+				obj.Name += "-2"
+				return obj
+			}(),
+			expectValidationErrors: []string{fieldImmutableError},
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-admin-access": {
+			oldObj:      obj,
+			newObj:      objWithAdminAccess,
+			adminAccess: false,
+			expectObj:   obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-admin-access": {
+			oldObj:                 obj,
+			newObj:                 objWithAdminAccess,
+			adminAccess:            true,
+			expectValidationErrors: []string{fieldImmutableError}, // Spec is immutable.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-admin-access": {
+			oldObj:      objWithAdminAccess,
+			newObj:      objWithAdminAccess,
+			adminAccess: true,
+			expectObj:   objWithAdminAccess,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"admin-access-admin-namespace": {
+			oldObj:      objWithAdminAccess,
+			newObj:      objWithAdminAccess,
+			adminAccess: true,
+			expectObj:   objWithAdminAccess,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"admin-access-non-admin-namespace": {
+			oldObj:                 objInNonAdminNamespace,
+			newObj:                 objWithAdminAccessInNonAdminNamespace,
+			adminAccess:            true,
+			expectValidationErrors: []string{fieldImmutableError},
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-prioritized-list": {
+			oldObj:                 obj,
+			newObj:                 objWithPrioritizedList,
+			prioritizedList:        false,
+			expectValidationErrors: []string{deviceRequestError, fieldImmutableError},
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-prioritized-list": {
+			oldObj:                 obj,
+			newObj:                 objWithPrioritizedList,
+			prioritizedList:        true,
+			expectValidationErrors: []string{fieldImmutableError}, // Spec is immutable.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-prioritized-list": {
+			oldObj:          objWithPrioritizedList,
+			newObj:          objWithPrioritizedList,
+			prioritizedList: true,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-prioritized-list-disabled-feature": {
+			oldObj:          objWithPrioritizedList,
+			newObj:          objWithPrioritizedList,
+			prioritizedList: false,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-device-taints": {
+			oldObj:          obj,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       obj,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints": {
+			oldObj:                 obj,
+			newObj:                 objWithDeviceTaints,
+			deviceTaints:           true,
+			prioritizedList:        true,
+			expectValidationErrors: []string{fieldImmutableError}, // Spec is immutable, cannot add tolerations.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints": {
+			oldObj:          objWithDeviceTaints,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-disabled-feature": {
+			oldObj:          objWithDeviceTaints,
+			newObj:          objWithDeviceTaints,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaints,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-device-taints-in-prioritized-list": {
+			oldObj:          objWithPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-fields-device-taints-in-prioritized-list": {
+			oldObj:                 objWithPrioritizedList,
+			newObj:                 objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:           true,
+			prioritizedList:        true,
+			expectValidationErrors: []string{fieldImmutableError}, // Spec is immutable, cannot add tolerations.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-in-prioritized-list": {
+			oldObj:          objWithDeviceTaintsInPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    true,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-device-taints-in-prioritized-list-disabled-feature": {
+			oldObj:          objWithDeviceTaintsInPrioritizedList,
+			newObj:          objWithDeviceTaintsInPrioritizedList,
+			deviceTaints:    false,
+			prioritizedList: true,
+			expectObj:       objWithDeviceTaintsInPrioritizedList,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-consumable-capacity": {
+			oldObj:             objWithCapacityRequests,
+			newObj:             objWithCapacityRequests,
+			consumableCapacity: true,
+			expectObj:          objWithCapacityRequests,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"keep-existing-fields-consumable-capacity-disabled-feature": {
+			oldObj:             objWithCapacityRequests,
+			newObj:             objWithCapacityRequests,
+			consumableCapacity: false,
+			expectObj:          objWithCapacityRequests,
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+		"drop-fields-consumable-capacity": {
+			oldObj:                 obj,
+			newObj:                 objWithCapacityRequests,
+			consumableCapacity:     false,
+			expectValidationErrors: []string{fieldImmutableError}, // Spec is immutable.
+			verify: func(t *testing.T, as []testclient.Action) {
+				if len(as) != 0 {
+					t.Errorf("expected no action to be taken")
+				}
+			},
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			fakeClient := fake.NewSimpleClientset(ns1, ns2)
+			mockNSClient := fakeClient.CoreV1().Namespaces()
+
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAAdminAccess, tc.adminAccess)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tc.deviceTaints)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPrioritizedList, tc.prioritizedList)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacity)
+			strategy := NewStrategy(mockNSClient)
+
+			oldObj := tc.oldObj.DeepCopy()
+			newObj := tc.newObj.DeepCopy()
+			newObj.ResourceVersion = "4"
+
+			strategy.PrepareForUpdate(ctx, newObj, oldObj)
+			expectedErrLen := len(tc.expectValidationErrors)
+			if errs := strategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if assert.Len(t, errs, expectedErrLen, "exact number of errors expected") {
+					for i, expectErr := range tc.expectValidationErrors {
+						assert.ErrorContains(t, errs[i], expectErr, "the error message should have contained the expected error message")
+					}
+					return
+				}
+			}
+			if expectedErrLen > 0 {
+				t.Fatal("expected validation error(s), got none")
+			}
+			if warnings := strategy.WarningsOnUpdate(ctx, newObj, oldObj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			strategy.Canonicalize(newObj)
+			expectObj := tc.expectObj.DeepCopy()
+			expectObj.ResourceVersion = "4"
+			assert.Equal(t, expectObj, newObj)
+			tc.verify(t, fakeClient.Actions())
+		})
+	}
+}
diff --git a/pkg/registry/resource/resourceslice/declarative_validation_test.go b/pkg/registry/resource/resourceslice/declarative_validation_test.go
new file mode 100644
index 0000000000000..307efe7f44889
--- /dev/null
+++ b/pkg/registry/resource/resourceslice/declarative_validation_test.go
@@ -0,0 +1,542 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceslice
+
+import (
+	"fmt"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	_ "k8s.io/kubernetes/pkg/apis/resource/install"
+	"k8s.io/kubernetes/pkg/apis/resource/validation"
+	"k8s.io/utils/ptr"
+)
+
+var apiVersions = []string{"v1", "v1beta1", "v1beta2"}
+
+func TestDeclarativeValidate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+				APIGroup:   "resource.k8s.io",
+				APIVersion: apiVersion,
+				Resource:   "ResourceSlice",
+			})
+
+			strategy := Strategy
+
+			testCases := map[string]struct {
+				input        resource.ResourceSlice
+				expectedErrs field.ErrorList
+			}{
+				"valid": {
+					input: mkResourceSliceWithDevices(),
+				},
+				// spec.devices[%d].bindingConditions
+				"valid: one binding condition": {
+					input: mkResourceSliceWithDevices(tweakBindingConditions(1)),
+				},
+				"valid: at limit binding conditions": {
+					input: mkResourceSliceWithDevices(tweakBindingConditions(resource.BindingConditionsMaxSize)),
+				},
+				"invalid: too many binding conditions": {
+					input: mkResourceSliceWithDevices(tweakBindingConditions(resource.BindingConditionsMaxSize + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingConditions"), resource.BindingConditionsMaxSize+1, resource.BindingConditionsMaxSize).WithOrigin("maxItems"),
+					},
+				},
+				// spec.devices[%d].bindingFailureConditions
+				"valid: one binding failure conditions": {
+					input: mkResourceSliceWithDevices(tweakBindingFailureConditions(1)),
+				},
+				"valid: at limit binding failure conditions": {
+					input: mkResourceSliceWithDevices(tweakBindingFailureConditions(resource.BindingFailureConditionsMaxSize)),
+				},
+				"invalid: too many binding failure conditions": {
+					input: mkResourceSliceWithDevices(tweakBindingFailureConditions(resource.BindingFailureConditionsMaxSize + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingFailureConditions"), resource.BindingFailureConditionsMaxSize+1, resource.BindingFailureConditionsMaxSize).WithOrigin("maxItems"),
+					},
+				},
+				// spec.Devices[%d].Taints[%d].Effect
+				"valid: taint NoSchedule": {
+					input: mkResourceSliceWithDevices(tweakDeviceTaintEffect(string(resource.DeviceTaintEffectNoSchedule))),
+				},
+				"valid: taint NoExecute": {
+					input: mkResourceSliceWithDevices(tweakDeviceTaintEffect(string(resource.DeviceTaintEffectNoExecute))),
+				},
+				"invalid: taint Invalid": {
+					input: mkResourceSliceWithDevices(tweakDeviceTaintEffect("Invalid")),
+					expectedErrs: field.ErrorList{
+						field.NotSupported(
+							field.NewPath("spec", "devices").Index(0).Child("taints").Index(0).Child("effect"),
+							resource.DeviceTaintEffect("Invalid"), []string{}),
+					},
+				},
+				"invalid: taint empty": {
+					input: mkResourceSliceWithDevices(tweakDeviceTaintEffect("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "devices").Index(0).Child("taints").Index(0).Child("effect"), ""),
+					},
+				},
+				// spec.Devices[%].attribute
+				"valid: device attribute int": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/int", resource.DeviceAttribute{IntValue: ptr.To[int64](123)})),
+				},
+				"valid: device attribute bool": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/bool", resource.DeviceAttribute{BoolValue: ptr.To(true)})),
+				},
+				"valid: device attribute string": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/string", resource.DeviceAttribute{StringValue: ptr.To("value")})),
+				},
+				"valid: device attribute version": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/version", resource.DeviceAttribute{VersionValue: ptr.To("1.2.3")})),
+				},
+				"invalid: device attribute with multiple values": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/multiple", resource.DeviceAttribute{IntValue: ptr.To[int64](123), BoolValue: ptr.To(true)})),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "devices").Index(0).Child("attributes").Key("test.io/multiple"), "", ""),
+					},
+				},
+				"invalid: device attribute no value": {
+					input: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/multiple", resource.DeviceAttribute{})),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "devices").Index(0).Child("attributes").Key("test.io/multiple"), "", ""),
+					},
+				},
+				// spec.sharedCounters
+				"valid: at limit shared counters": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCounters(resource.ResourceSliceMaxCounterSets)),
+				},
+				"invalid: too many shared counters": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCounters(resource.ResourceSliceMaxCounterSets + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec").Child("sharedCounters"), resource.ResourceSliceMaxCounterSets+1, resource.ResourceSliceMaxCounterSets).WithOrigin("maxItems"),
+					},
+				},
+				// spec.devices.consumesCounters
+				"valid: at limit device consumes counters": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCounters(resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice)),
+				},
+				"invalid: too many device consumes counters": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCounters(resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("consumesCounters"), resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice+1, resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice).WithOrigin("maxItems"),
+					},
+				},
+				// spec.sharedCounters.name
+				"valid: counter set name": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCountersName("valid-key")),
+				},
+				"invalid: counter set name": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCountersName("InvalidKey")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), "InvalidKey", "").WithOrigin("format=k8s-short-name"),
+					},
+				},
+				"invalid: counter set name not set": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCountersName("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), ""),
+					},
+				},
+				// spec.devices.consumesCounters.counterSet
+				"valid: device consumes counters counter set name": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("valid-key")),
+				},
+				"invalid: device consumes counters counter set name": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("InvalidKey")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), "InvalidKey", "").WithOrigin("format=k8s-short-name"),
+					},
+				},
+				"invalid: device consumes counters counter set name not set": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), ""),
+					},
+				},
+				// spec.sharedCounters
+				"valid: distinct names for shared counters": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCountersName("valid-key-1", "valid-key-2")),
+				},
+				"invalid: duplicate names for shared counters": {
+					input: mkResourceSliceWithSharedCounters(tweakSharedCountersName("duplicate-key", "duplicate-key")),
+					expectedErrs: field.ErrorList{
+						field.Duplicate(field.NewPath("spec").Child("sharedCounters").Index(1), "duplicate-key"),
+					},
+				},
+				// spec.devices.consumesCounters
+				"valid: distinct names for counter set in device counter consumption": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("valid-key-1", "valid-key-2")),
+				},
+				"invalid: duplicate names for counter set in device counter consumption": {
+					input: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("duplicate-key", "duplicate-key")),
+					expectedErrs: field.ErrorList{
+						field.Duplicate(field.NewPath("spec").Child("devices").Index(0).Child("consumesCounters").Index(1), "duplicate-key"),
+					},
+				},
+				// TODO: Add more test cases
+			}
+
+			for k, tc := range testCases {
+				t.Run(k, func(t *testing.T) {
+					apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, strategy.Validate, tc.expectedErrs, apitesting.WithNormalizationRules(validation.ResourceNormalizationRules...))
+				})
+			}
+		})
+	}
+}
+
+func TestDeclarativeValidateUpdate(t *testing.T) {
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+				APIGroup:   "resource.k8s.io",
+				APIVersion: apiVersion,
+				Resource:   "ResourceSlice",
+			})
+
+			strategy := Strategy
+
+			testCases := map[string]struct {
+				old          resource.ResourceSlice
+				update       resource.ResourceSlice
+				expectedErrs field.ErrorList
+			}{
+				"valid no changes": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(),
+				},
+				// spec.devices[%d].bindingConditions
+				"valid update: at limit binding conditions": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakBindingConditions(resource.BindingConditionsMaxSize)),
+				},
+				"invalid update:update with too many binding conditions": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakBindingConditions(resource.BindingConditionsMaxSize + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingConditions"), resource.BindingConditionsMaxSize+1, resource.BindingConditionsMaxSize).WithOrigin("maxItems"),
+					},
+				},
+				// spec.devices[%d].bindingFailureConditions
+				"valid update: at limit binding failure conditions": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakBindingFailureConditions(resource.BindingFailureConditionsMaxSize)),
+				},
+				"update with too many binding failure conditions": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakBindingFailureConditions(resource.BindingFailureConditionsMaxSize + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("bindingFailureConditions"), resource.BindingFailureConditionsMaxSize+1, resource.BindingFailureConditionsMaxSize).WithOrigin("maxItems"),
+					},
+				},
+				// spec.devices.taints.effect
+				"valid update: NoSchedule taint effect": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceTaintEffect(string(resource.DeviceTaintEffectNoSchedule))),
+				},
+				"valid update: NoExecute taint effect": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceTaintEffect(string(resource.DeviceTaintEffectNoExecute))),
+				},
+				"invalid update: unsupported taint effect": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceTaintEffect("InvalidEffect")),
+					expectedErrs: field.ErrorList{
+						field.NotSupported(field.NewPath("spec", "devices").Index(0).Child("taints").Index(0).Child("effect"), "InvalidEffect", []string{string(resource.DeviceTaintEffectNoSchedule), string(resource.DeviceTaintEffectNoExecute)}),
+					},
+				},
+				"invalid update: empty taint effect": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceTaintEffect("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "devices").Index(0).Child("taints").Index(0).Child("effect"), ""),
+					},
+				},
+				"valid update: device attribute": {
+					old:    mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/int", resource.DeviceAttribute{IntValue: ptr.To[int64](123)})),
+					update: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/int", resource.DeviceAttribute{BoolValue: ptr.To(true)})),
+				},
+				"invalid update: device attribute with multiple values": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceAttribute("test.io/multiple", resource.DeviceAttribute{IntValue: ptr.To[int64](123), BoolValue: ptr.To(true)})),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "devices").Index(0).Child("attributes").Key("test.io/multiple"), "", "may have only one of the following fields set: bool, int, string, version"),
+					},
+				},
+				// spec.sharedCounters
+				"valid update: at limit shared counters": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCounters(resource.ResourceSliceMaxCounterSets)),
+				},
+				"invalid update: too many shared counters": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCounters(resource.ResourceSliceMaxCounterSets + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec").Child("sharedCounters"), resource.ResourceSliceMaxCounterSets+1, resource.ResourceSliceMaxCounterSets).WithOrigin("maxItems"),
+					},
+				},
+				// spec.devices.consumesCounters
+				"valid update: at limit device consumes counters": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCounters(resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice)),
+				},
+				"invalid update: too many device consumes counters": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCounters(resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice + 1)),
+					expectedErrs: field.ErrorList{
+						field.TooMany(field.NewPath("spec", "devices").Index(0).Child("consumesCounters"), resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice+1, resource.ResourceSliceMaxDeviceCounterConsumptionsPerDevice).WithOrigin("maxItems"),
+					},
+				},
+				// spec.sharedCounters.name
+				"valid update: counter set name": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCountersName("valid-key")),
+				},
+				"invalid update: counter set name": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCountersName("InvalidKey")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), "InvalidKey", "").WithOrigin("format=k8s-short-name"),
+					},
+				},
+				"invalid update: counter set name not set": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCountersName("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "sharedCounters").Index(0).Child("name"), ""),
+					},
+				},
+				// spec.devices.consumesCounters.counterSet
+				"valid update: device consumes counters counter set name": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("valid-key")),
+				},
+				"invalid update: device consumes counters counter set name": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("InvalidKey")),
+					expectedErrs: field.ErrorList{
+						field.Invalid(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), "InvalidKey", "").WithOrigin("format=k8s-short-name"),
+					},
+				},
+				"invalidupdate: device consumes counters counter set name not set": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("")),
+					expectedErrs: field.ErrorList{
+						field.Required(field.NewPath("spec", "devices").Index(0).Child("consumesCounters").Index(0).Child("counterSet"), ""),
+					},
+				},
+				// spec.sharedCounters
+				"valid update: distinct names for shared counters": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCountersName("valid-key-1", "valid-key-2")),
+				},
+				"invalid update: duplicate names for shared counters": {
+					old:    mkResourceSliceWithSharedCounters(),
+					update: mkResourceSliceWithSharedCounters(tweakSharedCountersName("duplicate-key", "duplicate-key")),
+					expectedErrs: field.ErrorList{
+						field.Duplicate(field.NewPath("spec").Child("sharedCounters").Index(1), "duplicate-key"),
+					},
+				},
+				// spec.devices.consumesCounters
+				"valid update: distinct names for counter set in device counter consumption": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("valid-key-1", "valid-key-2")),
+				},
+				"invalid update: duplicate names for counter set in device counter consumption": {
+					old:    mkResourceSliceWithDevices(),
+					update: mkResourceSliceWithDevices(tweakDeviceConsumesCountersCounterSetName("duplicate-key", "duplicate-key")),
+					expectedErrs: field.ErrorList{
+						field.Duplicate(field.NewPath("spec").Child("devices").Index(0).Child("consumesCounters").Index(1), "duplicate-key"),
+					},
+				},
+			}
+			for k, tc := range testCases {
+				t.Run(k, func(t *testing.T) {
+					tc.old.ResourceVersion = "1"
+					tc.update.ResourceVersion = "1"
+					apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.update, &tc.old, strategy.ValidateUpdate, tc.expectedErrs, apitesting.WithNormalizationRules(validation.ResourceNormalizationRules...))
+				})
+			}
+		})
+	}
+}
+
+func mkResourceSliceWithDevices(mutators ...func(*resource.ResourceSlice)) resource.ResourceSlice {
+	rs := resource.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-slice",
+		},
+		Spec: resource.ResourceSliceSpec{
+			Driver:   "test.driver.io",
+			NodeName: ptr.To("test-node"),
+			Pool: resource.ResourcePool{
+				Name:               "test-pool",
+				ResourceSliceCount: 5,
+			},
+			Devices: []resource.Device{
+				{
+					Name: "device-1",
+					Taints: []resource.DeviceTaint{
+						{
+							Key:    "key1",
+							Value:  "value1",
+							Effect: resource.DeviceTaintEffectNoSchedule,
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, mutate := range mutators {
+		mutate(&rs)
+	}
+	return rs
+}
+
+func mkResourceSliceWithSharedCounters(mutators ...func(*resource.ResourceSlice)) resource.ResourceSlice {
+	rs := resource.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-slice",
+		},
+		Spec: resource.ResourceSliceSpec{
+			Driver:   "test.driver.io",
+			NodeName: ptr.To("test-node"),
+			Pool: resource.ResourcePool{
+				Name:               "test-pool",
+				ResourceSliceCount: 5,
+			},
+			SharedCounters: []resource.CounterSet{
+				{
+					Name: "shared-counter-set",
+					Counters: map[string]resource.Counter{
+						"valid-key": {},
+					},
+				},
+			},
+		},
+	}
+	for _, mutate := range mutators {
+		mutate(&rs)
+	}
+	return rs
+}
+
+func tweakBindingFailureConditions(count int) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		if rs.Spec.Devices[0].BindingConditions == nil {
+			rs.Spec.Devices[0].BindingConditions = []string{"conditions"}
+		}
+		rs.Spec.Devices[0].BindingFailureConditions = []string{}
+		for i := 0; i < count; i++ {
+			rs.Spec.Devices[0].BindingFailureConditions = append(rs.Spec.Devices[0].BindingFailureConditions, fmt.Sprintf("failure-condition-%d", i))
+		}
+	}
+}
+
+func tweakBindingConditions(count int) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		if rs.Spec.Devices[0].BindingFailureConditions == nil {
+			rs.Spec.Devices[0].BindingFailureConditions = []string{"failure-conditions"}
+		}
+		rs.Spec.Devices[0].BindingConditions = []string{}
+		for i := 0; i < count; i++ {
+			rs.Spec.Devices[0].BindingConditions = append(rs.Spec.Devices[0].BindingConditions, fmt.Sprintf("condition-%d", i))
+		}
+	}
+}
+
+func tweakDeviceTaintEffect(effect string) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		rs.Spec.Devices[0].Taints[0].Effect = resource.DeviceTaintEffect(effect)
+	}
+}
+
+func tweakDeviceAttribute(name resource.QualifiedName, value resource.DeviceAttribute) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		if rs.Spec.Devices[0].Attributes == nil {
+			rs.Spec.Devices[0].Attributes = make(map[resource.QualifiedName]resource.DeviceAttribute)
+		}
+		rs.Spec.Devices[0].Attributes[name] = value
+	}
+}
+
+func tweakSharedCountersName(names ...string) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		var sharedCounters []resource.CounterSet
+		for _, name := range names {
+			sharedCounters = append(sharedCounters, resource.CounterSet{
+				Name: name,
+				Counters: map[string]resource.Counter{
+					"valid-key": {},
+				},
+			})
+		}
+		rs.Spec.SharedCounters = sharedCounters
+	}
+}
+
+func tweakSharedCounters(count int) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		var counterSets []resource.CounterSet
+		for i := 0; i < count; i++ {
+			counterSets = append(counterSets, resource.CounterSet{
+				Name: fmt.Sprintf("shared-counter-set-%d", i),
+				Counters: map[string]resource.Counter{
+					"valid-key": {},
+				},
+			})
+		}
+		rs.Spec.SharedCounters = counterSets
+	}
+}
+
+func tweakDeviceConsumesCounters(count int) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		var consumesCounters []resource.DeviceCounterConsumption
+		for i := 0; i < count; i++ {
+			consumesCounters = append(consumesCounters, resource.DeviceCounterConsumption{
+				CounterSet: fmt.Sprintf("shared-counter-set-%d", i),
+				Counters: map[string]resource.Counter{
+					"valid-key": {},
+				},
+			})
+		}
+		rs.Spec.Devices[0].ConsumesCounters = consumesCounters
+	}
+}
+
+func tweakDeviceConsumesCountersCounterSetName(counterSets ...string) func(*resource.ResourceSlice) {
+	return func(rs *resource.ResourceSlice) {
+		var consumesCounters []resource.DeviceCounterConsumption
+		for _, counterSet := range counterSets {
+			consumesCounters = append(consumesCounters, resource.DeviceCounterConsumption{
+				CounterSet: counterSet,
+				Counters: map[string]resource.Counter{
+					"valid-key": {},
+				},
+			})
+		}
+		rs.Spec.Devices[0].ConsumesCounters = consumesCounters
+	}
+}
diff --git a/pkg/registry/resource/resourceslice/strategy.go b/pkg/registry/resource/resourceslice/strategy.go
index 5df06d3e08e35..54f054b4dd3da 100644
--- a/pkg/registry/resource/resourceslice/strategy.go
+++ b/pkg/registry/resource/resourceslice/strategy.go
@@ -19,13 +19,16 @@ package resourceslice
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/registry/generic"
+	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/storage/names"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -57,11 +60,22 @@ func (resourceSliceStrategy) PrepareForCreate(ctx context.Context, obj runtime.O
 
 func (resourceSliceStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	slice := obj.(*resource.ResourceSlice)
-	return validation.ValidateResourceSlice(slice)
+	errorList := validation.ValidateResourceSlice(slice)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, slice, nil, errorList, operation.Create, rest.WithNormalizationRules(validation.ResourceNormalizationRules))
+
 }
 
+// WarningsOnCreate returns warnings for the creation of the given object.
 func (resourceSliceStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
-	return nil
+	newResourceSlice := obj.(*resource.ResourceSlice)
+	var warnings []string
+
+	if newResourceSlice.Spec.Driver != strings.ToLower(newResourceSlice.Spec.Driver) {
+		warnings = append(warnings,
+			fmt.Sprintf("spec.driver: driver names should be lowercase; %q contains uppercase characters", newResourceSlice.Spec.Driver))
+	}
+
+	return warnings
 }
 
 func (resourceSliceStrategy) Canonicalize(obj runtime.Object) {
@@ -84,11 +98,21 @@ func (resourceSliceStrategy) PrepareForUpdate(ctx context.Context, obj, old runt
 }
 
 func (resourceSliceStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	return validation.ValidateResourceSliceUpdate(obj.(*resource.ResourceSlice), old.(*resource.ResourceSlice))
+	errorList := validation.ValidateResourceSliceUpdate(obj.(*resource.ResourceSlice), old.(*resource.ResourceSlice))
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, obj, old, errorList, operation.Update, rest.WithNormalizationRules(validation.ResourceNormalizationRules))
 }
 
+// WarningsOnUpdate returns warnings for the given update.
 func (resourceSliceStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
-	return nil
+	newResourceSlice := obj.(*resource.ResourceSlice)
+	var warnings []string
+
+	if newResourceSlice.Spec.Driver != strings.ToLower(newResourceSlice.Spec.Driver) {
+		warnings = append(warnings,
+			fmt.Sprintf("spec.driver: driver names should be lowercase; %q contains uppercase characters", newResourceSlice.Spec.Driver))
+	}
+
+	return warnings
 }
 
 func (resourceSliceStrategy) AllowUnconditionalUpdate() bool {
diff --git a/pkg/registry/resource/resourceslice/strategy_test.go b/pkg/registry/resource/resourceslice/strategy_test.go
index 9632624107ba4..9ae889d5f1a31 100644
--- a/pkg/registry/resource/resourceslice/strategy_test.go
+++ b/pkg/registry/resource/resourceslice/strategy_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	k8sresource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -65,7 +66,7 @@ var sliceWithBindingConditions = func() *resource.ResourceSlice {
 	return slice
 }()
 
-var sliceWithPartitionableDevices = &resource.ResourceSlice{
+var sliceWithPartitionableDevicesPerDeviceNodeSelection = &resource.ResourceSlice{
 	ObjectMeta: metav1.ObjectMeta{
 		Name: "valid-resource-slice",
 	},
@@ -80,16 +81,30 @@ var sliceWithPartitionableDevices = &resource.ResourceSlice{
 			ResourceSliceCount: 1,
 			Generation:         1,
 		},
-		SharedCounters: []resource.CounterSet{
+		Devices: []resource.Device{
 			{
-				Name: "pool-1",
-				Counters: map[string]resource.Counter{
-					"memory": {
-						Value: k8sresource.MustParse("40Gi"),
-					},
-				},
+				Name: "device",
+				NodeName: func() *string {
+					r := "valid-node-name"
+					return &r
+				}(),
 			},
 		},
+	},
+}
+
+var sliceWithPartitionableDevicesConsumesCounters = &resource.ResourceSlice{
+	ObjectMeta: metav1.ObjectMeta{
+		Name: "valid-resource-slice",
+	},
+	Spec: resource.ResourceSliceSpec{
+		NodeName: ptr.To("valid-node-name"),
+		Driver:   "testdriver.example.com",
+		Pool: resource.ResourcePool{
+			Name:               "valid-pool-name",
+			ResourceSliceCount: 1,
+			Generation:         1,
+		},
 		Devices: []resource.Device{
 			{
 				Name: "device",
@@ -103,10 +118,6 @@ var sliceWithPartitionableDevices = &resource.ResourceSlice{
 						},
 					},
 				},
-				NodeName: func() *string {
-					r := "valid-node-name"
-					return &r
-				}(),
 				Attributes: map[resource.QualifiedName]resource.DeviceAttribute{
 					resource.QualifiedName("version"): {
 						StringValue: func() *string {
@@ -125,6 +136,31 @@ var sliceWithPartitionableDevices = &resource.ResourceSlice{
 	},
 }
 
+var sliceWithPartitionableDevicesSharedCounters = &resource.ResourceSlice{
+	ObjectMeta: metav1.ObjectMeta{
+		Name: "valid-resource-slice",
+	},
+	Spec: resource.ResourceSliceSpec{
+		NodeName: ptr.To("valid-node-name"),
+		Driver:   "testdriver.example.com",
+		Pool: resource.ResourcePool{
+			Name:               "valid-pool-name",
+			ResourceSliceCount: 1,
+			Generation:         1,
+		},
+		SharedCounters: []resource.CounterSet{
+			{
+				Name: "pool-1",
+				Counters: map[string]resource.Counter{
+					"memory": {
+						Value: k8sresource.MustParse("40Gi"),
+					},
+				},
+			},
+		},
+	},
+}
+
 var sliceWithCapacity = func() *resource.ResourceSlice {
 	obj := slice.DeepCopy()
 	obj.Spec.Devices[0].Capacity = map[resource.QualifiedName]resource.DeviceCapacity{
@@ -206,26 +242,15 @@ func TestResourceSliceStrategyCreate(t *testing.T) {
 				return obj
 			}(),
 		},
-		"drop-fields-partitionable-devices": {
+		"drop-fields-partitionable-devices-with-consumes-counters": {
 			obj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
-				obj.Spec.PerDeviceNodeSelection = func() *bool {
-					r := false
-					return &r
-				}()
-				obj.Spec.NodeName = ptr.To("valid-node-name")
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				return obj
 			}(),
 			partitionableDevices: false,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ObjectMeta.Generation = 1
-				obj.Spec.SharedCounters = nil
-				obj.Spec.PerDeviceNodeSelection = nil
-				obj.Spec.NodeName = ptr.To("valid-node-name")
-				obj.Spec.Devices[0].NodeName = nil
-				obj.Spec.Devices[0].NodeSelector = nil
-				obj.Spec.Devices[0].AllNodes = nil
 				obj.Spec.Devices[0].ConsumesCounters = nil
 				return obj
 			}(),
@@ -234,32 +259,53 @@ func TestResourceSliceStrategyCreate(t *testing.T) {
 		// have a node selector after the perDeviceNodeSelection field got
 		// dropped.
 		"drop-fields-partitionable-devices-with-per-device-node-selection": {
-			obj:                     sliceWithPartitionableDevices,
+			obj:                     sliceWithPartitionableDevicesPerDeviceNodeSelection,
 			partitionableDevices:    false,
 			expectedValidationError: true,
 		},
-		"keep-fields-partitionable-devices": {
-			obj:                  sliceWithPartitionableDevices,
+		"drop-fields-partitionable-devices-with-shared-counters": {
+			obj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				return obj
+			}(),
+			partitionableDevices: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ObjectMeta.Generation = 1
+				obj.Spec.SharedCounters = nil
+				return obj
+			}(),
+		},
+		"keep-fields-partitionable-devices-with-consumes-counters": {
+			obj:                  sliceWithPartitionableDevicesConsumesCounters,
 			partitionableDevices: true,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.Generation = 1
 				return obj
 			}(),
 		},
-		"drop-fields-binding-conditions": {
-			obj:               sliceWithBindingConditions,
-			bindingConditions: false,
-			deviceStatus:      false,
+		"keep-fields-partitionable-devices-with-per-device-node-selection": {
+			obj:                  sliceWithPartitionableDevicesPerDeviceNodeSelection,
+			partitionableDevices: true,
 			expectObj: func() *resource.ResourceSlice {
-				obj := slice.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
 				obj.Generation = 1
 				return obj
 			}(),
 		},
-		"drop-fields-binding-conditions-with-device-status": {
+		"keep-fields-partitionable-devices-with-shared-counters": {
+			obj:                  sliceWithPartitionableDevicesSharedCounters,
+			partitionableDevices: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.Generation = 1
+				return obj
+			}(),
+		},
+		"drop-fields-binding-conditions": {
 			obj:               sliceWithBindingConditions,
-			bindingConditions: true,
+			bindingConditions: false,
 			deviceStatus:      false,
 			expectObj: func() *resource.ResourceSlice {
 				obj := slice.DeepCopy()
@@ -309,11 +355,13 @@ func TestResourceSliceStrategyCreate(t *testing.T) {
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tc.deviceTaints)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPartitionableDevices, tc.partitionableDevices)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceBindingConditions, tc.bindingConditions)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAResourceClaimDeviceStatus, tc.deviceStatus)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacity)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRADeviceTaints:              tc.deviceTaints,
+				features.DRAPartitionableDevices:      tc.partitionableDevices,
+				features.DRADeviceBindingConditions:   tc.bindingConditions,
+				features.DRAResourceClaimDeviceStatus: tc.deviceStatus,
+				features.DRAConsumableCapacity:        tc.consumableCapacity,
+			})
 
 			obj := tc.obj.DeepCopy()
 
@@ -427,107 +475,173 @@ func TestResourceSliceStrategyUpdate(t *testing.T) {
 				return obj
 			}(),
 		},
-		"drop-fields-partitionable-devices": {
+		"drop-fields-partitionable-devices-with-consumes-counters": {
 			oldObj: slice,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
-				obj.Spec.PerDeviceNodeSelection = func() *bool {
-					r := false
-					return &r
-				}()
-				obj.Spec.NodeName = ptr.To("valid-node-name")
 				return obj
 			}(),
 			partitionableDevices: false,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				obj.Generation = 1
-				obj.Spec.SharedCounters = nil
-				obj.Spec.PerDeviceNodeSelection = nil
-				obj.Spec.NodeName = ptr.To("valid-node-name")
 				obj.Spec.Devices[0].ConsumesCounters = nil
-				obj.Spec.Devices[0].NodeName = nil
 				return obj
 			}(),
 		},
 		"drop-fields-partitionable-devices-with-per-device-node-selection": {
 			oldObj: slice,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
 			partitionableDevices:  false,
 			expectValidationError: true,
 		},
-		"keep-fields-partitionable-devices": {
+		"drop-fields-partitionable-devices-with-shared-counters": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				obj.Generation = 1
+				obj.Spec.SharedCounters = nil
+				return obj
+			}(),
+		},
+		"keep-fields-partitionable-devices-with-consumes-counters": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				obj.Generation = 1
+				return obj
+			}(),
+		},
+		"keep-fields-partitionable-devices-with-per-device-node-selection": {
 			oldObj: slice,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices:  true,
+			expectValidationError: true, // Spec.NodeName is immutable.
+		},
+		"keep-fields-partitionable-devices-with-shared-counters": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
 				obj.ResourceVersion = "4"
-				obj.Spec.NodeName = ptr.To("valid-node-name")
-				obj.Spec.PerDeviceNodeSelection = nil
-				obj.Spec.Devices[0].NodeName = nil
 				return obj
 			}(),
 			partitionableDevices: true,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				obj.Generation = 1
-				obj.Spec.NodeName = ptr.To("valid-node-name")
-				obj.Spec.PerDeviceNodeSelection = nil
-				obj.Spec.Devices[0].NodeName = nil
 				return obj
 			}(),
 		},
-		"keep-existing-fields-partitionable-devices": {
-			oldObj: sliceWithPartitionableDevices,
+		"keep-existing-fields-partitionable-devices-with-consumes-counters": {
+			oldObj: sliceWithPartitionableDevicesConsumesCounters,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
 			partitionableDevices: true,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
 		},
-		"keep-existing-fields-partitionable-devices-disabled-feature": {
-			oldObj: sliceWithPartitionableDevices,
+		"keep-existing-fields-partitionable-devices-with-per-device-node-selection": {
+			oldObj: sliceWithPartitionableDevicesPerDeviceNodeSelection,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"keep-existing-fields-partitionable-devices-with-shared-counters": {
+			oldObj: sliceWithPartitionableDevicesSharedCounters,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"keep-existing-fields-partitionable-devices-consumes-counters-disabled-feature": {
+			oldObj: sliceWithPartitionableDevicesConsumesCounters,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
 			partitionableDevices: false,
 			expectObj: func() *resource.ResourceSlice {
-				obj := sliceWithPartitionableDevices.DeepCopy()
+				obj := sliceWithPartitionableDevicesConsumesCounters.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
 		},
-		"drop-fields-binding-conditions": {
-			oldObj: slice,
+		"keep-existing-fields-partitionable-devices-per-device-node-selection-disabled-feature": {
+			oldObj: sliceWithPartitionableDevicesPerDeviceNodeSelection,
 			newObj: func() *resource.ResourceSlice {
-				obj := sliceWithBindingConditions.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
 				obj.ResourceVersion = "4"
 				return obj
 			}(),
+			partitionableDevices: false,
 			expectObj: func() *resource.ResourceSlice {
-				obj := slice.DeepCopy()
+				obj := sliceWithPartitionableDevicesPerDeviceNodeSelection.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"keep-existing-fields-partitionable-devices-shared-counters-disabled-feature": {
+			oldObj: sliceWithPartitionableDevicesSharedCounters,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			partitionableDevices: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithPartitionableDevicesSharedCounters.DeepCopy()
 				obj.ResourceVersion = "4"
-				obj.Generation = 1
 				return obj
 			}(),
-			bindingConditions: false,
-			deviceStatus:      false,
 		},
-		"drop-fields-binding-conditions-with-device-status": {
+		"drop-fields-binding-conditions": {
 			oldObj: slice,
 			newObj: func() *resource.ResourceSlice {
 				obj := sliceWithBindingConditions.DeepCopy()
@@ -540,7 +654,7 @@ func TestResourceSliceStrategyUpdate(t *testing.T) {
 				obj.Generation = 1
 				return obj
 			}(),
-			bindingConditions: true,
+			bindingConditions: false,
 			deviceStatus:      false,
 		},
 		"drop-fields-binding-conditions-with-binding-conditions": {
@@ -640,11 +754,13 @@ func TestResourceSliceStrategyUpdate(t *testing.T) {
 
 	for name, tc := range testcases {
 		t.Run(name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tc.deviceTaints)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAPartitionableDevices, tc.partitionableDevices)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceBindingConditions, tc.bindingConditions)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAResourceClaimDeviceStatus, tc.deviceStatus)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAConsumableCapacity, tc.consumableCapacity)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.DRADeviceTaints:              tc.deviceTaints,
+				features.DRAPartitionableDevices:      tc.partitionableDevices,
+				features.DRADeviceBindingConditions:   tc.bindingConditions,
+				features.DRAResourceClaimDeviceStatus: tc.deviceStatus,
+				features.DRAConsumableCapacity:        tc.consumableCapacity,
+			})
 
 			oldObj := tc.oldObj.DeepCopy()
 			newObj := tc.newObj.DeepCopy()
@@ -669,3 +785,74 @@ func TestResourceSliceStrategyUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestWarningsOnCreate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+
+	testCases := map[string]struct {
+		obj                 *resource.ResourceSlice
+		wantWarningMessages []string
+	}{
+		"valid driver": {
+			obj:                 slice,
+			wantWarningMessages: []string{},
+		},
+		"uppercase driver warning": {
+			obj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.Spec.Driver = "Foo.COM"
+				return obj
+			}(),
+			wantWarningMessages: []string{
+				`spec.driver: driver names should be lowercase; "Foo.COM" contains uppercase characters`,
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			warnings := Strategy.WarningsOnCreate(ctx, tc.obj)
+			if warnings == nil {
+				warnings = []string{}
+			}
+			require.Equal(t, tc.wantWarningMessages, warnings)
+		})
+	}
+}
+
+func TestWarningsOnUpdate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+
+	testCases := map[string]struct {
+		newObj              *resource.ResourceSlice
+		oldObj              *resource.ResourceSlice
+		wantWarningMessages []string
+	}{
+		"valid driver update": {
+			newObj:              slice.DeepCopy(),
+			oldObj:              slice.DeepCopy(),
+			wantWarningMessages: []string{},
+		},
+		"uppercase driver warning on update": {
+			newObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.Spec.Driver = "Foo.COM"
+				return obj
+			}(),
+			oldObj: slice.DeepCopy(),
+			wantWarningMessages: []string{
+				`spec.driver: driver names should be lowercase; "Foo.COM" contains uppercase characters`,
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			warnings := Strategy.WarningsOnUpdate(ctx, tc.newObj, tc.oldObj)
+			if warnings == nil {
+				warnings = []string{}
+			}
+			require.Equal(t, tc.wantWarningMessages, warnings)
+		})
+	}
+}
diff --git a/pkg/registry/resource/rest/storage_resource.go b/pkg/registry/resource/rest/storage_resource.go
index 27660fea478ec..f960b6a6462bc 100644
--- a/pkg/registry/resource/rest/storage_resource.go
+++ b/pkg/registry/resource/rest/storage_resource.go
@@ -118,11 +118,12 @@ func (p RESTStorageProvider) v1alpha3Storage(apiResourceConfigSource serverstora
 	storage := map[string]rest.Storage{}
 
 	if resource := "devicetaintrules"; apiResourceConfigSource.ResourceEnabled(resourcev1alpha3.SchemeGroupVersion.WithResource(resource)) {
-		deviceTaintStorage, err := devicetaintrulestore.NewREST(restOptionsGetter)
+		deviceTaintStorage, deviceTaintStatusStorage, err := devicetaintrulestore.NewREST(restOptionsGetter)
 		if err != nil {
 			return nil, err
 		}
 		storage[resource] = deviceTaintStorage
+		storage[resource+"/status"] = deviceTaintStatusStorage
 	}
 
 	return storage, nil
diff --git a/pkg/registry/scheduling/priorityclass/storage/storage.go b/pkg/registry/scheduling/priorityclass/storage/storage.go
index 428ed730131c2..e1822af7b08ad 100644
--- a/pkg/registry/scheduling/priorityclass/storage/storage.go
+++ b/pkg/registry/scheduling/priorityclass/storage/storage.go
@@ -19,6 +19,7 @@ package storage
 import (
 	"context"
 	"errors"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -70,9 +71,9 @@ func (r *REST) ShortNames() []string {
 
 // Delete ensures that system priority classes are not deleted.
 func (r *REST) Delete(ctx context.Context, name string, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
-	for _, spc := range schedulingapiv1.SystemPriorityClasses() {
-		if name == spc.Name {
-			return nil, false, apierrors.NewForbidden(scheduling.Resource("priorityclasses"), spc.Name, errors.New("this is a system priority class and cannot be deleted"))
+	for _, spcName := range schedulingapiv1.SystemPriorityClassNames() {
+		if name == spcName {
+			return nil, false, apierrors.NewForbidden(scheduling.Resource("priorityclasses"), spcName, errors.New("this is a system priority class and cannot be deleted"))
 		}
 	}
 
diff --git a/pkg/registry/scheduling/priorityclass/storage/storage_test.go b/pkg/registry/scheduling/priorityclass/storage/storage_test.go
index de6eba809991a..a74f685baa8e5 100644
--- a/pkg/registry/scheduling/priorityclass/storage/storage_test.go
+++ b/pkg/registry/scheduling/priorityclass/storage/storage_test.go
@@ -117,7 +117,7 @@ func TestDeleteSystemPriorityClass(t *testing.T) {
 	storage, server := newStorage(t)
 	defer server.Terminate(t)
 	defer storage.Store.DestroyFunc()
-	key := "test/system-node-critical"
+	key := "/priorityclasses/test/system-node-critical"
 	ctx := genericapirequest.NewContext()
 	pc := schedulingapiv1.SystemPriorityClasses()[0]
 	internalPc := &scheduling.PriorityClass{}
diff --git a/pkg/registry/scheduling/rest/storage_scheduling.go b/pkg/registry/scheduling/rest/storage_scheduling.go
index 01bd84de35701..3fb62fbfddfa9 100644
--- a/pkg/registry/scheduling/rest/storage_scheduling.go
+++ b/pkg/registry/scheduling/rest/storage_scheduling.go
@@ -31,11 +31,15 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	schedulingclient "k8s.io/client-go/kubernetes/typed/scheduling/v1"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
 	schedulingapiv1 "k8s.io/kubernetes/pkg/apis/scheduling/v1"
+	schedulingapiv1alpha1 "k8s.io/kubernetes/pkg/apis/scheduling/v1alpha1"
+	"k8s.io/kubernetes/pkg/features"
 	priorityclassstore "k8s.io/kubernetes/pkg/registry/scheduling/priorityclass/storage"
+	workloadstore "k8s.io/kubernetes/pkg/registry/scheduling/workload/storage"
 )
 
 const PostStartHookName = "scheduling/bootstrap-system-priority-classes"
@@ -53,6 +57,12 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 		apiGroupInfo.VersionedResourcesStorageMap[schedulingapiv1.SchemeGroupVersion.Version] = storageMap
 	}
 
+	if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
+		return genericapiserver.APIGroupInfo{}, err
+	} else if len(storageMap) > 0 {
+		apiGroupInfo.VersionedResourcesStorageMap[schedulingapiv1alpha1.SchemeGroupVersion.Version] = storageMap
+	}
+
 	return apiGroupInfo, nil
 }
 
@@ -71,6 +81,24 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
 	return storage, nil
 }
 
+func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
+	storage := map[string]rest.Storage{}
+
+	if resource := "workloads"; apiResourceConfigSource.ResourceEnabled(schedulingapiv1alpha1.SchemeGroupVersion.WithResource(resource)) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+			workloadStorage, err := workloadstore.NewREST(restOptionsGetter)
+			if err != nil {
+				return nil, err
+			}
+			storage[resource] = workloadStorage
+		} else {
+			klog.Warning("Workload storage is disabled because the GenericWorkload feature gate is disabled")
+		}
+	}
+
+	return storage, nil
+}
+
 func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
 	return PostStartHookName, AddSystemPriorityClasses(), nil
 }
diff --git a/pkg/registry/scheduling/workload/doc.go b/pkg/registry/scheduling/workload/doc.go
new file mode 100644
index 0000000000000..0339b9bb33f5b
--- /dev/null
+++ b/pkg/registry/scheduling/workload/doc.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workload
diff --git a/pkg/registry/scheduling/workload/storage/storage.go b/pkg/registry/scheduling/workload/storage/storage.go
new file mode 100644
index 0000000000000..97e7c2b9e6864
--- /dev/null
+++ b/pkg/registry/scheduling/workload/storage/storage.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/registry/generic"
+	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/apis/scheduling"
+	"k8s.io/kubernetes/pkg/printers"
+	printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
+	printerstorage "k8s.io/kubernetes/pkg/printers/storage"
+	"k8s.io/kubernetes/pkg/registry/scheduling/workload"
+)
+
+// REST implements a RESTStorage for workloads against etcd
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against workloads.
+func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
+	store := &genericregistry.Store{
+		NewFunc:                   func() runtime.Object { return &scheduling.Workload{} },
+		NewListFunc:               func() runtime.Object { return &scheduling.WorkloadList{} },
+		DefaultQualifiedResource:  scheduling.Resource("workloads"),
+		SingularQualifiedResource: scheduling.Resource("workload"),
+
+		CreateStrategy: workload.Strategy,
+		UpdateStrategy: workload.Strategy,
+		DeleteStrategy: workload.Strategy,
+
+		TableConvertor: printerstorage.TableConvertor{TableGenerator: printers.NewTableGenerator().With(printersinternal.AddHandlers)},
+	}
+	options := &generic.StoreOptions{RESTOptions: optsGetter}
+	if err := store.CompleteWithOptions(options); err != nil {
+		return nil, err
+	}
+
+	return &REST{store}, nil
+}
diff --git a/pkg/registry/scheduling/workload/storage/storage_test.go b/pkg/registry/scheduling/workload/storage/storage_test.go
new file mode 100644
index 0000000000000..36c646a82eb21
--- /dev/null
+++ b/pkg/registry/scheduling/workload/storage/storage_test.go
@@ -0,0 +1,159 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/registry/generic"
+	genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
+	etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
+	"k8s.io/kubernetes/pkg/apis/scheduling"
+	_ "k8s.io/kubernetes/pkg/apis/scheduling/install"
+	"k8s.io/kubernetes/pkg/registry/registrytest"
+)
+
+func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
+	etcdStorage, server := registrytest.NewEtcdStorageForResource(t, scheduling.Resource("workloads"))
+	restOptions := generic.RESTOptions{
+		StorageConfig:           etcdStorage,
+		Decorator:               generic.UndecoratedStorage,
+		DeleteCollectionWorkers: 1,
+		ResourcePrefix:          "workloads",
+	}
+	rest, err := NewREST(restOptions)
+	if err != nil {
+		t.Fatalf("Unable to create REST %v", err)
+	}
+	return rest, server
+}
+
+func validNewWorkload() *scheduling.Workload {
+	return &scheduling.Workload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "foo",
+		},
+		Spec: scheduling.WorkloadSpec{
+			PodGroups: []scheduling.PodGroup{
+				{
+					Name: "bar",
+					Policy: scheduling.PodGroupPolicy{
+						Gang: &scheduling.GangSchedulingPolicy{
+							MinCount: 5,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestCreate(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestCreate(
+		validNewWorkload(),
+		// invalid cases
+		&scheduling.Workload{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "*badName",
+			},
+		},
+	)
+}
+
+func TestUpdate(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestUpdate(
+		// valid
+		validNewWorkload(),
+		// valid update
+		// Set ControllerRef
+		func(obj runtime.Object) runtime.Object {
+			w := obj.(*scheduling.Workload)
+			w.Spec.ControllerRef = &scheduling.TypedLocalObjectReference{
+				Kind: "foo",
+				Name: "baz",
+			}
+			return w
+		},
+		// invalid update
+		// Update MinCount
+		func(obj runtime.Object) runtime.Object {
+			w := obj.(*scheduling.Workload)
+			w.Spec.PodGroups[0].Policy.Gang.MinCount = 4
+			return w
+		},
+	)
+}
+
+func TestDelete(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestDelete(validNewWorkload())
+}
+
+func TestGet(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestGet(validNewWorkload())
+}
+
+func TestList(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestList(validNewWorkload())
+}
+
+func TestWatch(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store)
+	test.TestWatch(
+		validNewWorkload(),
+		// matching labels
+		[]labels.Set{},
+		// not matching labels
+		[]labels.Set{
+			{"foo": "bar"},
+		},
+		// matching fields
+		[]fields.Set{
+			{"metadata.name": "foo"},
+		},
+		// not matching fields
+		[]fields.Set{
+			{"metadata.name": "bar"},
+		},
+	)
+}
diff --git a/pkg/registry/scheduling/workload/strategy.go b/pkg/registry/scheduling/workload/strategy.go
new file mode 100644
index 0000000000000..4878cfeb44e20
--- /dev/null
+++ b/pkg/registry/scheduling/workload/strategy.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workload
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/storage/names"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/scheduling"
+	"k8s.io/kubernetes/pkg/apis/scheduling/validation"
+)
+
+// workloadStrategy implements behavior for Workload objects.
+type workloadStrategy struct {
+	runtime.ObjectTyper
+	names.NameGenerator
+}
+
+// Strategy is the default logic that applies when creating and updating Workload objects.
+var Strategy = workloadStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}
+
+func (workloadStrategy) NamespaceScoped() bool {
+	return true
+}
+
+func (workloadStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {}
+
+func (workloadStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
+	return validation.ValidateWorkload(obj.(*scheduling.Workload))
+}
+
+func (workloadStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+	return nil
+}
+
+func (workloadStrategy) Canonicalize(obj runtime.Object) {}
+
+func (workloadStrategy) AllowCreateOnUpdate() bool {
+	return false
+}
+
+func (workloadStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {}
+
+func (workloadStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
+	return validation.ValidateWorkloadUpdate(obj.(*scheduling.Workload), old.(*scheduling.Workload))
+}
+
+func (workloadStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
+	return nil
+}
+
+func (workloadStrategy) AllowUnconditionalUpdate() bool {
+	return true
+}
diff --git a/pkg/registry/scheduling/workload/strategy_test.go b/pkg/registry/scheduling/workload/strategy_test.go
new file mode 100644
index 0000000000000..3378b9b8a1a1b
--- /dev/null
+++ b/pkg/registry/scheduling/workload/strategy_test.go
@@ -0,0 +1,138 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workload
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/kubernetes/pkg/apis/scheduling"
+)
+
+var workload = &scheduling.Workload{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "foo",
+		Namespace: metav1.NamespaceDefault,
+	},
+	Spec: scheduling.WorkloadSpec{
+		PodGroups: []scheduling.PodGroup{
+			{
+				Name: "bar",
+				Policy: scheduling.PodGroupPolicy{
+					Gang: &scheduling.GangSchedulingPolicy{
+						MinCount: 5,
+					},
+				},
+			},
+		},
+	},
+}
+
+func TestWorkloadStrategy(t *testing.T) {
+	if !Strategy.NamespaceScoped() {
+		t.Errorf("Workload must be namespace scoped")
+	}
+	if Strategy.AllowCreateOnUpdate() {
+		t.Errorf("Workload should not allow create on update")
+	}
+}
+
+func TestPodSchedulingStrategyCreate(t *testing.T) {
+	t.Run("simple", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+
+		Strategy.PrepareForCreate(ctx, workload)
+		errs := Strategy.Validate(ctx, workload)
+		if len(errs) != 0 {
+			t.Errorf("Unexpected validation error: %v", errs)
+		}
+	})
+
+	t.Run("failed validation", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+		workload.Spec.PodGroups[0].Policy.Gang.MinCount = -1
+
+		Strategy.PrepareForCreate(ctx, workload)
+		errs := Strategy.Validate(ctx, workload)
+		if len(errs) == 0 {
+			t.Errorf("Expected validation error")
+		}
+	})
+}
+
+func TestPodSchedulingStrategyUpdate(t *testing.T) {
+	t.Run("no changes", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+		newWorkload := workload.DeepCopy()
+		newWorkload.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newWorkload, workload)
+		errs := Strategy.ValidateUpdate(ctx, newWorkload, workload)
+		if len(errs) != 0 {
+			t.Errorf("Unexpected validation error: %v", errs)
+		}
+	})
+
+	t.Run("name update", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+		newWorkload := workload.DeepCopy()
+		newWorkload.Name += "bar"
+		newWorkload.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newWorkload, workload)
+		errs := Strategy.ValidateUpdate(ctx, newWorkload, workload)
+		if len(errs) == 0 {
+			t.Errorf("Expected validation error")
+		}
+	})
+
+	t.Run("spec update", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+		newWorkload := workload.DeepCopy()
+		newWorkload.Spec.ControllerRef = &scheduling.TypedLocalObjectReference{
+			Kind: "foo",
+			Name: "baz",
+		}
+		newWorkload.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newWorkload, workload)
+		errs := Strategy.ValidateUpdate(ctx, newWorkload, workload)
+		if len(errs) != 0 {
+			t.Errorf("Unexpected validation error: %v", errs)
+		}
+	})
+
+	t.Run("invalid spec update", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		workload := workload.DeepCopy()
+		newWorkload := workload.DeepCopy()
+		newWorkload.Spec.PodGroups[0].Policy.Gang.MinCount = 4
+		newWorkload.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newWorkload, workload)
+		errs := Strategy.ValidateUpdate(ctx, newWorkload, workload)
+		if len(errs) == 0 {
+			t.Errorf("Expected validation error")
+		}
+	})
+}
diff --git a/pkg/registry/storage/csidriver/strategy.go b/pkg/registry/storage/csidriver/strategy.go
index bbc8332cfbddc..03cd1963c1c04 100644
--- a/pkg/registry/storage/csidriver/strategy.go
+++ b/pkg/registry/storage/csidriver/strategy.go
@@ -30,6 +30,10 @@ import (
 	"k8s.io/kubernetes/pkg/features"
 )
 
+const (
+	warningServiceAccountTokenInSecretsRecommended = "spec.serviceAccountTokenInSecrets is unset; if supported by this CSI driver, set to true to prevent possible logging of tokens in volume attributes"
+)
+
 // csiDriverStrategy implements behavior for CSIDriver objects
 type csiDriverStrategy struct {
 	runtime.ObjectTyper
@@ -53,6 +57,9 @@ func (csiDriverStrategy) PrepareForCreate(ctx context.Context, obj runtime.Objec
 	if !utilfeature.DefaultFeatureGate.Enabled(features.MutableCSINodeAllocatableCount) {
 		csiDriver.Spec.NodeAllocatableUpdatePeriodSeconds = nil
 	}
+	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountTokenSecrets) {
+		csiDriver.Spec.ServiceAccountTokenInSecrets = nil
+	}
 }
 
 func (csiDriverStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
@@ -63,7 +70,17 @@ func (csiDriverStrategy) Validate(ctx context.Context, obj runtime.Object) field
 
 // WarningsOnCreate returns warnings for the creation of the given object.
 func (csiDriverStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
-	return nil
+	csiDriver := obj.(*storage.CSIDriver)
+	var warnings []string
+
+	// Warn if tokenRequests is configured but serviceAccountTokenInSecrets is not enabled
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountTokenSecrets) &&
+		len(csiDriver.Spec.TokenRequests) > 0 &&
+		csiDriver.Spec.ServiceAccountTokenInSecrets == nil {
+		warnings = append(warnings, warningServiceAccountTokenInSecretsRecommended)
+	}
+
+	return warnings
 }
 
 // Canonicalize normalizes the object after validation.
@@ -86,6 +103,11 @@ func (csiDriverStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.
 		newCSIDriver.Spec.SELinuxMount = nil
 	}
 
+	if oldCSIDriver.Spec.ServiceAccountTokenInSecrets == nil &&
+		!utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountTokenSecrets) {
+		newCSIDriver.Spec.ServiceAccountTokenInSecrets = nil
+	}
+
 	if oldCSIDriver.Spec.NodeAllocatableUpdatePeriodSeconds == nil &&
 		!utilfeature.DefaultFeatureGate.Enabled(features.MutableCSINodeAllocatableCount) {
 		newCSIDriver.Spec.NodeAllocatableUpdatePeriodSeconds = nil
@@ -105,7 +127,20 @@ func (csiDriverStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Ob
 
 // WarningsOnUpdate returns warnings for the given update.
 func (csiDriverStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
-	return nil
+	newCSIDriver := obj.(*storage.CSIDriver)
+	oldCSIDriver := old.(*storage.CSIDriver)
+
+	var warnings []string
+
+	// Warn if tokenRequests is being changed and serviceAccountTokenInSecrets is not enabled
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountTokenSecrets) &&
+		!apiequality.Semantic.DeepEqual(oldCSIDriver.Spec.TokenRequests, newCSIDriver.Spec.TokenRequests) &&
+		len(newCSIDriver.Spec.TokenRequests) > 0 &&
+		newCSIDriver.Spec.ServiceAccountTokenInSecrets == nil {
+		warnings = append(warnings, warningServiceAccountTokenInSecretsRecommended)
+	}
+
+	return warnings
 }
 
 func (csiDriverStrategy) AllowUnconditionalUpdate() bool {
diff --git a/pkg/registry/storage/csidriver/strategy_test.go b/pkg/registry/storage/csidriver/strategy_test.go
index 39c48c3fd864e..ae69c69edf96e 100644
--- a/pkg/registry/storage/csidriver/strategy_test.go
+++ b/pkg/registry/storage/csidriver/strategy_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package csidriver
 
 import (
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -27,6 +28,7 @@ import (
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/storage"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/utils/ptr"
 )
 
 func getValidCSIDriver(name string) *storage.CSIDriver {
@@ -191,6 +193,24 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 			SELinuxMount: &disabled,
 		},
 	}
+	driverWithServiceAccountTokenInSecretsEnabled := &storage.CSIDriver{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "foo",
+		},
+		Spec: storage.CSIDriverSpec{
+			ServiceAccountTokenInSecrets: &enabled,
+			TokenRequests:                []storage.TokenRequest{{Audience: gcp}},
+		},
+	}
+	driverWithServiceAccountTokenInSecretsDisabled := &storage.CSIDriver{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "foo",
+		},
+		Spec: storage.CSIDriverSpec{
+			ServiceAccountTokenInSecrets: &disabled,
+			TokenRequests:                []storage.TokenRequest{{Audience: gcp}},
+		},
+	}
 
 	thirty := int64(30)
 	sixty := int64(60)
@@ -218,6 +238,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 		old, update                            *storage.CSIDriver
 		seLinuxMountReadWriteOncePodEnabled    bool
 		mutableCSINodeAllocatableCountEnabled  bool
+		csiServiceAccountTokenSecretsEnabled   bool
 		wantCapacity                           *bool
 		wantModes                              []storage.VolumeLifecycleMode
 		wantTokenRequests                      []storage.TokenRequest
@@ -225,6 +246,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 		wantGeneration                         int64
 		wantSELinuxMount                       *bool
 		wantNodeAllocatableUpdatePeriodSeconds *int64
+		wantServiceAccountTokenInSecrets       *bool
 	}{
 		{
 			name:           "podInfoOnMount feature enabled, before: none, update: enabled",
@@ -393,12 +415,51 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 			wantNodeAllocatableUpdatePeriodSeconds: nil,
 			wantGeneration:                         0,
 		},
+		{
+			name:                                 "ServiceAccountTokenInSecrets feature enabled, before: nil, update: enabled",
+			csiServiceAccountTokenSecretsEnabled: true,
+			old:                                  driverWithNothing,
+			update:                               driverWithServiceAccountTokenInSecretsEnabled,
+			wantServiceAccountTokenInSecrets:     &enabled,
+			wantTokenRequests:                    []storage.TokenRequest{{Audience: gcp}},
+			wantGeneration:                       1,
+		},
+		{
+			name:                                 "ServiceAccountTokenInSecrets feature enabled, before: enabled, update: disabled",
+			csiServiceAccountTokenSecretsEnabled: true,
+			old:                                  driverWithServiceAccountTokenInSecretsEnabled,
+			update:                               driverWithServiceAccountTokenInSecretsDisabled,
+			wantServiceAccountTokenInSecrets:     &disabled,
+			wantTokenRequests:                    []storage.TokenRequest{{Audience: gcp}},
+			wantGeneration:                       1,
+		},
+		{
+			name:                                 "ServiceAccountTokenInSecrets feature disabled, before: nil, update: enabled",
+			csiServiceAccountTokenSecretsEnabled: false,
+			old:                                  driverWithNothing,
+			update:                               driverWithServiceAccountTokenInSecretsEnabled,
+			wantServiceAccountTokenInSecrets:     nil,
+			wantTokenRequests:                    []storage.TokenRequest{{Audience: gcp}},
+			wantGeneration:                       1,
+		},
+		{
+			name:                                 "ServiceAccountTokenInSecrets feature disabled, before: enabled, update: enabled",
+			csiServiceAccountTokenSecretsEnabled: false,
+			old:                                  driverWithServiceAccountTokenInSecretsEnabled,
+			update:                               driverWithServiceAccountTokenInSecretsEnabled,
+			wantServiceAccountTokenInSecrets:     &enabled,
+			wantTokenRequests:                    []storage.TokenRequest{{Audience: gcp}},
+			wantGeneration:                       0,
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.seLinuxMountReadWriteOncePodEnabled)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, test.mutableCSINodeAllocatableCountEnabled)
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.SELinuxMountReadWriteOncePod:   test.seLinuxMountReadWriteOncePodEnabled,
+				features.MutableCSINodeAllocatableCount: test.mutableCSINodeAllocatableCountEnabled,
+				features.CSIServiceAccountTokenSecrets:  test.csiServiceAccountTokenSecretsEnabled,
+			})
 
 			csiDriver := test.update.DeepCopy()
 			Strategy.PrepareForUpdate(ctx, csiDriver, test.old)
@@ -409,6 +470,7 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 			require.Equal(t, test.wantRequiresRepublish, csiDriver.Spec.RequiresRepublish)
 			require.Equal(t, test.wantSELinuxMount, csiDriver.Spec.SELinuxMount)
 			require.Equal(t, test.wantNodeAllocatableUpdatePeriodSeconds, csiDriver.Spec.NodeAllocatableUpdatePeriodSeconds)
+			require.Equal(t, test.wantServiceAccountTokenInSecrets, csiDriver.Spec.ServiceAccountTokenInSecrets)
 		})
 	}
 }
@@ -419,6 +481,7 @@ func TestCSIDriverValidation(t *testing.T) {
 	gcp := "gcp"
 	validNodeAllocatableUpdatePeriodSeconds := int64(30)
 	invalidNodeAllocatableUpdatePeriodSeconds := int64(3)
+	tokenRequests := []storage.TokenRequest{{Audience: gcp}}
 
 	tests := []struct {
 		name        string
@@ -453,7 +516,8 @@ func TestCSIDriverValidation(t *testing.T) {
 					Name: "foo",
 				},
 				Spec: storage.CSIDriverSpec{
-					AttachRequired:    &disabled,
+					AttachRequired: &disabled,
+
 					PodInfoOnMount:    &disabled,
 					StorageCapacity:   &disabled,
 					RequiresRepublish: &disabled,
@@ -619,13 +683,50 @@ func TestCSIDriverValidation(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"valid ServiceAccountTokenInSecrets with TokenRequests",
+			&storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					AttachRequired:               &enabled,
+					PodInfoOnMount:               &enabled,
+					StorageCapacity:              &enabled,
+					SELinuxMount:                 &enabled,
+					ServiceAccountTokenInSecrets: &enabled,
+					TokenRequests:                tokenRequests,
+				},
+			},
+			false,
+		},
+		{
+			"invalid ServiceAccountTokenInSecrets without TokenRequests",
+			&storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					AttachRequired:               &enabled,
+					PodInfoOnMount:               &enabled,
+					StorageCapacity:              &enabled,
+					SELinuxMount:                 &enabled,
+					ServiceAccountTokenInSecrets: &enabled,
+				},
+			},
+			true,
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			// assume this feature is on for this test, detailed enabled/disabled tests in TestCSIDriverValidationSELinuxMountEnabledDisabled
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, true)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MutableCSINodeAllocatableCount, true)
+			// and TestCSIDriverValidationServiceAccountTokenInSecretsEnabledDisabled
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.SELinuxMountReadWriteOncePod:   true,
+				features.MutableCSINodeAllocatableCount: true,
+				features.CSIServiceAccountTokenSecrets:  true,
+			})
 
 			testValidation := func(csiDriver *storage.CSIDriver, apiVersion string) field.ErrorList {
 				ctx := genericapirequest.WithRequestInfo(genericapirequest.NewContext(), &genericapirequest.RequestInfo{
@@ -646,3 +747,330 @@ func TestCSIDriverValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestWarningsOnCreate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+
+	tests := []struct {
+		name                                 string
+		csiDriver                            *storage.CSIDriver
+		csiServiceAccountTokenSecretsEnabled bool
+		wantWarnings                         []string
+	}{
+		{
+			name: "no warnings, serviceAccountTokenInSecrets=true, feature enabled",
+			csiDriver: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(true),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warning for serviceAccountTokenInSecrets=false, feature enabled",
+			csiDriver: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(false),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "warning for missing serviceAccountTokenInSecrets, feature enabled",
+			csiDriver: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+			wantWarnings:                         []string{warningServiceAccountTokenInSecretsRecommended},
+		},
+		{
+			name: "no warning when no TokenRequests, feature enabled",
+			csiDriver: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warning when feature disabled, even with tokenRequests and no serviceAccountTokenInSecrets",
+			csiDriver: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.CSIServiceAccountTokenSecrets: test.csiServiceAccountTokenSecretsEnabled,
+			})
+
+			warnings := Strategy.WarningsOnCreate(ctx, test.csiDriver)
+			if len(warnings) != len(test.wantWarnings) {
+				t.Errorf("got %d warnings, want %d warnings: %v", len(warnings), len(test.wantWarnings), warnings)
+			}
+			if slices.Compare(warnings, test.wantWarnings) != 0 {
+				t.Errorf("got warnings %v, want %v", warnings, test.wantWarnings)
+			}
+		})
+	}
+}
+
+func TestWarningsOnUpdate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+
+	tests := []struct {
+		name                                 string
+		oldObj                               *storage.CSIDriver
+		newObj                               *storage.CSIDriver
+		csiServiceAccountTokenSecretsEnabled bool
+		wantWarnings                         []string
+	}{
+		{
+			name: "no warnings when tokenRequests unchanged and serviceAccountTokenInSecrets=true, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(true),
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(true),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warnings when tokenRequests unchanged even if serviceAccountTokenInSecrets=false, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(false),
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(false),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warnings when tokenRequests unchanged even if serviceAccountTokenInSecrets=nil, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "warning when adding tokenRequests with serviceAccountTokenInSecrets=nil, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+			wantWarnings:                         []string{warningServiceAccountTokenInSecretsRecommended},
+		},
+		{
+			name: "no warning when adding tokenRequests with serviceAccountTokenInSecrets=false, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(false),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warning when adding tokenRequests with serviceAccountTokenInSecrets=true, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+					ServiceAccountTokenInSecrets: ptr.To(true),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "warning when changing tokenRequests audience with serviceAccountTokenInSecrets=nil, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "old-aud"}},
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "new-aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+			wantWarnings:                         []string{warningServiceAccountTokenInSecretsRecommended},
+		},
+		{
+			name: "no warning when removing tokenRequests, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warning when updating unrelated field, feature enabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:  []storage.TokenRequest{{Audience: "aud"}},
+					PodInfoOnMount: ptr.To(false),
+				},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests:  []storage.TokenRequest{{Audience: "aud"}},
+					PodInfoOnMount: ptr.To(true),
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+		},
+		{
+			name: "no warning when adding tokenRequests with feature disabled",
+			oldObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{},
+			},
+			newObj: &storage.CSIDriver{
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.CSIServiceAccountTokenSecrets: test.csiServiceAccountTokenSecretsEnabled,
+			})
+
+			warnings := Strategy.WarningsOnUpdate(ctx, test.newObj, test.oldObj)
+			if len(warnings) != len(test.wantWarnings) {
+				t.Errorf("got %d warnings, want %d warnings: %v", len(warnings), len(test.wantWarnings), warnings)
+			}
+			if slices.Compare(warnings, test.wantWarnings) != 0 {
+				t.Errorf("got warnings %v, want %v", warnings, test.wantWarnings)
+			}
+		})
+	}
+}
+
+func TestCSIDriverPrepareForCreate(t *testing.T) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewContext(), &genericapirequest.RequestInfo{
+		APIGroup:   "storage.k8s.io",
+		APIVersion: "v1",
+		Resource:   "csidrivers",
+	})
+
+	enabled := true
+
+	tests := []struct {
+		name                                 string
+		csiDriver                            *storage.CSIDriver
+		csiServiceAccountTokenSecretsEnabled bool
+		wantServiceAccountTokenInSecrets     *bool
+	}{
+		{
+			name: "ServiceAccountTokenInSecrets feature enabled, field set to true",
+			csiDriver: &storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					ServiceAccountTokenInSecrets: &enabled,
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+			wantServiceAccountTokenInSecrets:     &enabled,
+		},
+		{
+			name: "ServiceAccountTokenInSecrets feature disabled, field set to true should be cleared",
+			csiDriver: &storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					ServiceAccountTokenInSecrets: &enabled,
+					TokenRequests:                []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: false,
+			wantServiceAccountTokenInSecrets:     nil,
+		},
+		{
+			name: "ServiceAccountTokenInSecrets feature enabled, field not set",
+			csiDriver: &storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: true,
+			wantServiceAccountTokenInSecrets:     nil,
+		},
+		{
+			name: "ServiceAccountTokenInSecrets feature disabled, field not set",
+			csiDriver: &storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					TokenRequests: []storage.TokenRequest{{Audience: "aud"}},
+				},
+			},
+			csiServiceAccountTokenSecretsEnabled: false,
+			wantServiceAccountTokenInSecrets:     nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.CSIServiceAccountTokenSecrets: test.csiServiceAccountTokenSecretsEnabled,
+			})
+
+			csiDriver := test.csiDriver.DeepCopy()
+			Strategy.PrepareForCreate(ctx, csiDriver)
+			require.Equal(t, test.wantServiceAccountTokenInSecrets, csiDriver.Spec.ServiceAccountTokenInSecrets)
+		})
+	}
+}
diff --git a/pkg/registry/storage/rest/storage_storage.go b/pkg/registry/storage/rest/storage_storage.go
index 2606e540d6719..8d5201d1a75e2 100644
--- a/pkg/registry/storage/rest/storage_storage.go
+++ b/pkg/registry/storage/rest/storage_storage.go
@@ -18,7 +18,6 @@ package rest
 
 import (
 	storageapiv1 "k8s.io/api/storage/v1"
-	storageapiv1alpha1 "k8s.io/api/storage/v1alpha1"
 	storageapiv1beta1 "k8s.io/api/storage/v1beta1"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -42,11 +41,6 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 	// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
 	// TODO refactor the plumbing to provide the information in the APIGroupInfo
 
-	if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
-		return genericapiserver.APIGroupInfo{}, err
-	} else if len(storageMap) > 0 {
-		apiGroupInfo.VersionedResourcesStorageMap[storageapiv1alpha1.SchemeGroupVersion.Version] = storageMap
-	}
 	if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
 		return genericapiserver.APIGroupInfo{}, err
 	} else if len(storageMap) > 0 {
@@ -61,21 +55,6 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 	return apiGroupInfo, nil
 }
 
-func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
-	storage := map[string]rest.Storage{}
-
-	// register volumeattributesclasses
-	if resource := "volumeattributesclasses"; apiResourceConfigSource.ResourceEnabled(storageapiv1alpha1.SchemeGroupVersion.WithResource(resource)) {
-		volumeAttributesClassStorage, err := volumeattributesclassstore.NewREST(restOptionsGetter)
-		if err != nil {
-			return storage, err
-		}
-		storage[resource] = volumeAttributesClassStorage
-	}
-
-	return storage, nil
-}
-
 func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
 	storage := map[string]rest.Storage{}
 
diff --git a/pkg/registry/storage/storageclass/declarative_validation_test.go b/pkg/registry/storage/storageclass/declarative_validation_test.go
new file mode 100644
index 0000000000000..47c598b259c2a
--- /dev/null
+++ b/pkg/registry/storage/storageclass/declarative_validation_test.go
@@ -0,0 +1,134 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storageclass
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	apitesting "k8s.io/kubernetes/pkg/api/testing"
+	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/storage"
+)
+
+func TestDeclarativeValidate(t *testing.T) {
+	apiVersions := []string{"v1beta1", "v1"} // StorageClass.Provisioner not in v1alpha1
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testDeclarativeValidate(t, apiVersion)
+		})
+	}
+}
+
+func testDeclarativeValidate(t *testing.T, apiVersion string) {
+	ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+		APIGroup:          "storage.k8s.io",
+		APIVersion:        apiVersion,
+		Resource:          "storageclasses",
+		IsResourceRequest: true,
+		Verb:              "create",
+	})
+
+	testCases := map[string]struct {
+		input        storage.StorageClass
+		expectedErrs field.ErrorList
+	}{
+		"valid": {
+			input: mkValidStorageClass(),
+		},
+		"invalid provisioner": {
+			input: mkValidStorageClass(func(obj *storage.StorageClass) {
+				obj.Provisioner = ""
+			}),
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("provisioner"), ""),
+			},
+		},
+		// TODO: Add more test cases
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			apitesting.VerifyValidationEquivalence(t, ctx, &tc.input, Strategy.Validate, tc.expectedErrs)
+		})
+	}
+}
+
+func TestDeclarativeValidateUpdate(t *testing.T) {
+	apiVersions := []string{"v1beta1", "v1"} // StorageClass.Provisioner not in v1alpha1
+	for _, apiVersion := range apiVersions {
+		t.Run(apiVersion, func(t *testing.T) {
+			testDeclarativeValidateUpdate(t, apiVersion)
+		})
+	}
+}
+
+func testDeclarativeValidateUpdate(t *testing.T, apiVersion string) {
+	testCases := map[string]struct {
+		oldObj       storage.StorageClass
+		updateObj    storage.StorageClass
+		expectedErrs field.ErrorList
+	}{
+		"valid update": {
+			oldObj:    mkValidStorageClass(func(obj *storage.StorageClass) { obj.ResourceVersion = "1" }),
+			updateObj: mkValidStorageClass(func(obj *storage.StorageClass) { obj.ResourceVersion = "1" }),
+		},
+		"invalid update provisioner": {
+			oldObj: mkValidStorageClass(func(obj *storage.StorageClass) { obj.ResourceVersion = "1" }),
+			updateObj: mkValidStorageClass(func(obj *storage.StorageClass) {
+				obj.ResourceVersion = "1"
+				obj.Provisioner = ""
+			}),
+			expectedErrs: field.ErrorList{
+				field.Required(field.NewPath("provisioner"), ""),
+				field.Forbidden(field.NewPath("provisioner"), "updates to provisioner are forbidden."),
+			},
+		},
+	}
+	for k, tc := range testCases {
+		t.Run(k, func(t *testing.T) {
+			ctx := genericapirequest.WithRequestInfo(genericapirequest.NewDefaultContext(), &genericapirequest.RequestInfo{
+				APIPrefix:         "apis",
+				APIGroup:          "storage.k8s.io",
+				APIVersion:        apiVersion,
+				Resource:          "storageclasses",
+				Name:              "valid-storage-class",
+				IsResourceRequest: true,
+				Verb:              "update",
+			})
+			apitesting.VerifyUpdateValidationEquivalence(t, ctx, &tc.updateObj, &tc.oldObj, Strategy.ValidateUpdate, tc.expectedErrs)
+		})
+	}
+}
+
+func mkValidStorageClass(tweaks ...func(obj *storage.StorageClass)) storage.StorageClass {
+	reclaimPolicy := api.PersistentVolumeReclaimDelete
+	volumeBindingMode := storage.VolumeBindingImmediate
+	obj := storage.StorageClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "valid-storage-class",
+		},
+		Provisioner:       "kubernetes.io/gce-pd",
+		ReclaimPolicy:     &reclaimPolicy,
+		VolumeBindingMode: &volumeBindingMode,
+	}
+	for _, tweak := range tweaks {
+		tweak(&obj)
+	}
+	return obj
+}
diff --git a/pkg/registry/storage/storageclass/strategy.go b/pkg/registry/storage/storageclass/strategy.go
index 7e833a06f4f78..8634170f2cec0 100644
--- a/pkg/registry/storage/storageclass/strategy.go
+++ b/pkg/registry/storage/storageclass/strategy.go
@@ -18,6 +18,8 @@ package storageclass
 
 import (
 	"context"
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apiserver/pkg/registry/rest"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -48,7 +50,8 @@ func (storageClassStrategy) PrepareForCreate(ctx context.Context, obj runtime.Ob
 
 func (storageClassStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
 	storageClass := obj.(*storage.StorageClass)
-	return validation.ValidateStorageClass(storageClass)
+	allErrs := validation.ValidateStorageClass(storageClass)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, obj, nil, allErrs, operation.Create)
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
@@ -69,8 +72,9 @@ func (storageClassStrategy) PrepareForUpdate(ctx context.Context, obj, old runti
 }
 
 func (storageClassStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	errorList := validation.ValidateStorageClass(obj.(*storage.StorageClass))
-	return append(errorList, validation.ValidateStorageClassUpdate(obj.(*storage.StorageClass), old.(*storage.StorageClass))...)
+	allErrs := validation.ValidateStorageClass(obj.(*storage.StorageClass))
+	allErrs = append(allErrs, validation.ValidateStorageClassUpdate(obj.(*storage.StorageClass), old.(*storage.StorageClass))...)
+	return rest.ValidateDeclarativelyWithMigrationChecks(ctx, legacyscheme.Scheme, obj, old, allErrs, operation.Update)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/storage/volumeattachment/strategy.go b/pkg/registry/storage/volumeattachment/strategy.go
index 51a064c9edccb..a79d7406e2e45 100644
--- a/pkg/registry/storage/volumeattachment/strategy.go
+++ b/pkg/registry/storage/volumeattachment/strategy.go
@@ -99,8 +99,7 @@ func (volumeAttachmentStrategy) PrepareForUpdate(ctx context.Context, obj, old r
 func (volumeAttachmentStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
 	newVolumeAttachmentObj := obj.(*storage.VolumeAttachment)
 	oldVolumeAttachmentObj := old.(*storage.VolumeAttachment)
-	errorList := validation.ValidateVolumeAttachment(newVolumeAttachmentObj)
-	return append(errorList, validation.ValidateVolumeAttachmentUpdate(newVolumeAttachmentObj, oldVolumeAttachmentObj)...)
+	return validation.ValidateVolumeAttachmentUpdate(newVolumeAttachmentObj, oldVolumeAttachmentObj)
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/storage/volumeattributesclass/strategy.go b/pkg/registry/storage/volumeattributesclass/strategy.go
index d816c2599e1e2..f7652bc46a455 100644
--- a/pkg/registry/storage/volumeattributesclass/strategy.go
+++ b/pkg/registry/storage/volumeattributesclass/strategy.go
@@ -68,8 +68,7 @@ func (volumeAttributesClassStrategy) PrepareForUpdate(ctx context.Context, obj,
 }
 
 func (volumeAttributesClassStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
-	errorList := validation.ValidateVolumeAttributesClass(obj.(*storage.VolumeAttributesClass))
-	return append(errorList, validation.ValidateVolumeAttributesClassUpdate(obj.(*storage.VolumeAttributesClass), old.(*storage.VolumeAttributesClass))...)
+	return validation.ValidateVolumeAttributesClassUpdate(obj.(*storage.VolumeAttributesClass), old.(*storage.VolumeAttributesClass))
 }
 
 // WarningsOnUpdate returns warnings for the given update.
diff --git a/pkg/registry/storagemigration/rest/storage_storagemigration.go b/pkg/registry/storagemigration/rest/storage_storagemigration.go
index 9efba52ac57da..f9548dba7aad8 100644
--- a/pkg/registry/storagemigration/rest/storage_storagemigration.go
+++ b/pkg/registry/storagemigration/rest/storage_storagemigration.go
@@ -24,7 +24,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
 	"k8s.io/kubernetes/pkg/features"
 
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -36,19 +36,19 @@ type RESTStorageProvider struct{}
 func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, error) {
 	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(storagemigration.GroupName, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
 
-	if storageMap, err := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
+	if storageMap, err := p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter); err != nil {
 		return genericapiserver.APIGroupInfo{}, err
 	} else if len(storageMap) > 0 {
-		apiGroupInfo.VersionedResourcesStorageMap[svmv1alpha1.SchemeGroupVersion.Version] = storageMap
+		apiGroupInfo.VersionedResourcesStorageMap[svmv1beta1.SchemeGroupVersion.Version] = storageMap
 	}
 
 	return apiGroupInfo, nil
 }
 
-func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
+func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (map[string]rest.Storage, error) {
 	storage := map[string]rest.Storage{}
 
-	if resource := "storageversionmigrations"; apiResourceConfigSource.ResourceEnabled(svmv1alpha1.SchemeGroupVersion.WithResource(resource)) {
+	if resource := "storageversionmigrations"; apiResourceConfigSource.ResourceEnabled(svmv1beta1.SchemeGroupVersion.WithResource(resource)) {
 		if utilfeature.DefaultFeatureGate.Enabled(features.StorageVersionMigrator) {
 			svm, svmStatus, err := storagemigrationstore.NewREST(restOptionsGetter)
 			if err != nil {
diff --git a/pkg/registry/storagemigration/storagemigration/strategy.go b/pkg/registry/storagemigration/storagemigration/strategy.go
index 6890c86bee22e..330a6d9224cea 100644
--- a/pkg/registry/storagemigration/storagemigration/strategy.go
+++ b/pkg/registry/storagemigration/storagemigration/strategy.go
@@ -54,7 +54,7 @@ func (strategy) NamespaceScoped() bool {
 // and should not be modified by the user.
 func (strategy) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
 	fields := map[fieldpath.APIVersion]*fieldpath.Set{
-		"storagemigration.k8s.io/v1alpha1": fieldpath.NewSet(
+		"storagemigration.k8s.io/v1beta1": fieldpath.NewSet(
 			fieldpath.MakePathOrDie("status"),
 		),
 	}
@@ -113,7 +113,7 @@ var StatusStrategy = statusStrategy{Strategy}
 // and should not be modified by the user.
 func (statusStrategy) GetResetFields() map[fieldpath.APIVersion]*fieldpath.Set {
 	fields := map[fieldpath.APIVersion]*fieldpath.Set{
-		"storagemigration.k8s.io/v1alpha1": fieldpath.NewSet(
+		"storagemigration.k8s.io/v1beta1": fieldpath.NewSet(
 			fieldpath.MakePathOrDie("metadata"),
 			fieldpath.MakePathOrDie("spec"),
 		),
diff --git a/pkg/scheduler/apis/config/scheme/scheme_test.go b/pkg/scheduler/apis/config/scheme/scheme_test.go
index 1c2e366f7c124..2096bcd8ba371 100644
--- a/pkg/scheduler/apis/config/scheme/scheme_test.go
+++ b/pkg/scheduler/apis/config/scheme/scheme_test.go
@@ -57,6 +57,7 @@ profiles:
   - name: DynamicResources
     args:
       filterTimeout: 10s
+      bindingTimeout: 30s
   - name: InterPodAffinity
     args:
       hardPodAffinityWeight: 5
@@ -107,7 +108,10 @@ profiles:
 						},
 						{
 							Name: "DynamicResources",
-							Args: &config.DynamicResourcesArgs{FilterTimeout: &metav1.Duration{Duration: 10 * time.Second}},
+							Args: &config.DynamicResourcesArgs{
+								FilterTimeout:  &metav1.Duration{Duration: 10 * time.Second},
+								BindingTimeout: &metav1.Duration{Duration: 30 * time.Second},
+							},
 						},
 						{
 							Name: "InterPodAffinity",
diff --git a/pkg/scheduler/apis/config/testing/defaults/defaults.go b/pkg/scheduler/apis/config/testing/defaults/defaults.go
index 3037d66435a37..237b7f2738b8f 100644
--- a/pkg/scheduler/apis/config/testing/defaults/defaults.go
+++ b/pkg/scheduler/apis/config/testing/defaults/defaults.go
@@ -42,7 +42,7 @@ var PluginsV1 = &config.Plugins{
 			{Name: names.VolumeZone},
 			{Name: names.PodTopologySpread, Weight: 2},
 			{Name: names.InterPodAffinity, Weight: 2},
-			{Name: names.DynamicResources},
+			{Name: names.DynamicResources, Weight: 2},
 			{Name: names.DefaultPreemption},
 			{Name: names.NodeResourcesBalancedAllocation, Weight: 1},
 			{Name: names.ImageLocality, Weight: 1},
@@ -124,10 +124,6 @@ var ExpandedPluginsV1 = &config.Plugins{
 			// - This is a score coming from user preference.
 			{Name: names.NodeAffinity, Weight: 2},
 			{Name: names.NodeResourcesFit, Weight: 1},
-			// Weight is tripled because:
-			// - This is a score coming from user preference.
-			// - Usage of node tainting to group nodes in the cluster is increasing becoming a use-case
-			//	 for many user workloads
 			{Name: names.VolumeBinding, Weight: 1},
 			// Weight is doubled because:
 			// - This is a score coming from user preference.
@@ -136,6 +132,9 @@ var ExpandedPluginsV1 = &config.Plugins{
 			// Weight is doubled because:
 			// - This is a score coming from user preference.
 			{Name: names.InterPodAffinity, Weight: 2},
+			// Weight is doubled because:
+			// - This is a score coming from user preference.
+			{Name: names.DynamicResources, Weight: 2},
 			{Name: names.NodeResourcesBalancedAllocation, Weight: 1},
 			{Name: names.ImageLocality, Weight: 1},
 		},
diff --git a/pkg/scheduler/apis/config/types_pluginargs.go b/pkg/scheduler/apis/config/types_pluginargs.go
index fdcfc1b27fb9e..4cccfa517bbd6 100644
--- a/pkg/scheduler/apis/config/types_pluginargs.go
+++ b/pkg/scheduler/apis/config/types_pluginargs.go
@@ -257,6 +257,33 @@ type DynamicResourcesArgs struct {
 	//
 	// Setting it to zero completely disables the timeout.
 	FilterTimeout *metav1.Duration
+
+	// BindingTimeout limits how long the PreBind extension point may wait for
+	// ResourceClaim device BindingConditions to become satisfied when such
+	// conditions are present. While waiting, the scheduler periodically checks
+	// device status. If the timeout elapses before all required conditions are
+	// true (or any bindingFailureConditions become true), the allocation is
+	// cleared and the Pod re-enters scheduling queue. Note that the same or other node may be
+	// chosen if feasible; otherwise the Pod is placed in the unschedulable queue and
+	// retried based on cluster changes and backoff.
+	//
+	// Defaults & feature gates:
+	//   - Defaults to 10 minutes when the DRADeviceBindingConditions feature gate is enabled.
+	//   - Has effect only when BOTH DRADeviceBindingConditions and
+	//     DRAResourceClaimDeviceStatus are enabled; otherwise omit this field.
+	//   - When DRADeviceBindingConditions is disabled, setting this field is considered an error.
+	//
+	// Valid values:
+	//   - >=1s (non-zero). No upper bound is enforced.
+	//
+	// Tuning guidance:
+	//   - Lower values reduce time-to-retry when devices aren’t ready but can
+	//     increase churn if drivers typically need longer to report readiness.
+	//   - Review scheduler latency metrics (e.g. PreBind duration in
+	//     `scheduler_framework_extension_point_duration_seconds`) and driver
+	//     readiness behavior before tightening this timeout.
+	BindingTimeout *metav1.Duration
 }
 
 const DynamicResourcesFilterTimeoutDefault = 10 * time.Second
+const DynamicResourcesBindingTimeoutDefault = 600 * time.Second
diff --git a/pkg/scheduler/apis/config/v1/default_plugins.go b/pkg/scheduler/apis/config/v1/default_plugins.go
index bc4440e68d902..7920ee6f1d395 100644
--- a/pkg/scheduler/apis/config/v1/default_plugins.go
+++ b/pkg/scheduler/apis/config/v1/default_plugins.go
@@ -58,9 +58,15 @@ func getDefaultPlugins() *v1.Plugins {
 }
 
 func applyFeatureGates(config *v1.Plugins) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+		config.MultiPoint.Enabled = append(config.MultiPoint.Enabled, v1.Plugin{Name: names.NodeDeclaredFeatures})
+	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 		applyDynamicResources(config)
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.GangScheduling) {
+		applyGangScheduling(config)
+	}
 }
 
 func applyDynamicResources(config *v1.Plugins) {
@@ -73,7 +79,7 @@ func applyDynamicResources(config *v1.Plugins) {
 		if config.MultiPoint.Enabled[i].Name == names.DefaultPreemption {
 			extended := make([]v1.Plugin, 0, len(config.MultiPoint.Enabled)+1)
 			extended = append(extended, config.MultiPoint.Enabled[:i]...)
-			extended = append(extended, v1.Plugin{Name: names.DynamicResources})
+			extended = append(extended, v1.Plugin{Name: names.DynamicResources, Weight: ptr.To[int32](2)})
 			extended = append(extended, config.MultiPoint.Enabled[i:]...)
 			config.MultiPoint.Enabled = extended
 			break
@@ -81,6 +87,10 @@ func applyDynamicResources(config *v1.Plugins) {
 	}
 }
 
+func applyGangScheduling(config *v1.Plugins) {
+	config.MultiPoint.Enabled = append(config.MultiPoint.Enabled, v1.Plugin{Name: names.GangScheduling})
+}
+
 // mergePlugins merges the custom set into the given default one, handling disabled sets.
 func mergePlugins(logger klog.Logger, defaultPlugins, customPlugins *v1.Plugins) *v1.Plugins {
 	if customPlugins == nil {
diff --git a/pkg/scheduler/apis/config/v1/default_plugins_test.go b/pkg/scheduler/apis/config/v1/default_plugins_test.go
index c170958eb373e..07deb47f71fe0 100644
--- a/pkg/scheduler/apis/config/v1/default_plugins_test.go
+++ b/pkg/scheduler/apis/config/v1/default_plugins_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
@@ -88,7 +89,7 @@ func TestApplyFeatureGates(t *testing.T) {
 						{Name: names.VolumeZone},
 						{Name: names.PodTopologySpread, Weight: ptr.To[int32](2)},
 						{Name: names.InterPodAffinity, Weight: ptr.To[int32](2)},
-						{Name: names.DynamicResources},
+						{Name: names.DynamicResources, Weight: ptr.To[int32](2)},
 						{Name: names.DefaultPreemption},
 						{Name: names.NodeResourcesBalancedAllocation, Weight: ptr.To[int32](1)},
 						{Name: names.ImageLocality, Weight: ptr.To[int32](1)},
@@ -97,13 +98,110 @@ func TestApplyFeatureGates(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Feature gate NodeDeclaredFeatures enabled",
+			features: map[featuregate.Feature]bool{
+				features.NodeDeclaredFeatures: true,
+			},
+			wantConfig: &v1.Plugins{
+				MultiPoint: v1.PluginSet{
+					Enabled: []v1.Plugin{
+						{Name: names.SchedulingGates},
+						{Name: names.PrioritySort},
+						{Name: names.NodeUnschedulable},
+						{Name: names.NodeName},
+						{Name: names.TaintToleration, Weight: ptr.To[int32](3)},
+						{Name: names.NodeAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.NodePorts},
+						{Name: names.NodeResourcesFit, Weight: ptr.To[int32](1)},
+						{Name: names.VolumeRestrictions},
+						{Name: names.NodeVolumeLimits},
+						{Name: names.VolumeBinding},
+						{Name: names.VolumeZone},
+						{Name: names.PodTopologySpread, Weight: ptr.To[int32](2)},
+						{Name: names.InterPodAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.DynamicResources, Weight: ptr.To[int32](2)},
+						{Name: names.DefaultPreemption},
+						{Name: names.NodeResourcesBalancedAllocation, Weight: ptr.To[int32](1)},
+						{Name: names.ImageLocality, Weight: ptr.To[int32](1)},
+						{Name: names.DefaultBinder},
+						{Name: names.NodeDeclaredFeatures},
+					},
+				},
+			},
+		},
+		{
+			name: "Feature gate NodeDeclaredFeatures disabled",
+			features: map[featuregate.Feature]bool{
+				features.NodeDeclaredFeatures: false,
+			},
+			wantConfig: &v1.Plugins{
+				MultiPoint: v1.PluginSet{
+					Enabled: []v1.Plugin{
+						{Name: names.SchedulingGates},
+						{Name: names.PrioritySort},
+						{Name: names.NodeUnschedulable},
+						{Name: names.NodeName},
+						{Name: names.TaintToleration, Weight: ptr.To[int32](3)},
+						{Name: names.NodeAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.NodePorts},
+						{Name: names.NodeResourcesFit, Weight: ptr.To[int32](1)},
+						{Name: names.VolumeRestrictions},
+						{Name: names.NodeVolumeLimits},
+						{Name: names.VolumeBinding},
+						{Name: names.VolumeZone},
+						{Name: names.PodTopologySpread, Weight: ptr.To[int32](2)},
+						{Name: names.InterPodAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.DynamicResources, Weight: ptr.To[int32](2)},
+						{Name: names.DefaultPreemption},
+						{Name: names.NodeResourcesBalancedAllocation, Weight: ptr.To[int32](1)},
+						{Name: names.ImageLocality, Weight: ptr.To[int32](1)},
+						{Name: names.DefaultBinder},
+					},
+				},
+			},
+		},
+		{
+			name: "Feature gate GangScheduling enabled",
+			features: map[featuregate.Feature]bool{
+				features.GangScheduling:  true,
+				features.GenericWorkload: true,
+			},
+			wantConfig: &v1.Plugins{
+				MultiPoint: v1.PluginSet{
+					Enabled: []v1.Plugin{
+						{Name: names.SchedulingGates},
+						{Name: names.PrioritySort},
+						{Name: names.NodeUnschedulable},
+						{Name: names.NodeName},
+						{Name: names.TaintToleration, Weight: ptr.To[int32](3)},
+						{Name: names.NodeAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.NodePorts},
+						{Name: names.NodeResourcesFit, Weight: ptr.To[int32](1)},
+						{Name: names.VolumeRestrictions},
+						{Name: names.NodeVolumeLimits},
+						{Name: names.VolumeBinding},
+						{Name: names.VolumeZone},
+						{Name: names.PodTopologySpread, Weight: ptr.To[int32](2)},
+						{Name: names.InterPodAffinity, Weight: ptr.To[int32](2)},
+						{Name: names.DynamicResources, Weight: ptr.To[int32](2)},
+						{Name: names.DefaultPreemption},
+						{Name: names.NodeResourcesBalancedAllocation, Weight: ptr.To[int32](1)},
+						{Name: names.ImageLocality, Weight: ptr.To[int32](1)},
+						{Name: names.DefaultBinder},
+						{Name: names.GangScheduling},
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			for k, v := range test.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, k, v)
+			if draEnabled, draExists := test.features[features.DynamicResourceAllocation]; draExists && !draEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse("1.34"))
 			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, test.features)
 
 			gotConfig := getDefaultPlugins()
 			if diff := cmp.Diff(test.wantConfig, gotConfig); diff != "" {
diff --git a/pkg/scheduler/apis/config/v1/defaults.go b/pkg/scheduler/apis/config/v1/defaults.go
index 9b8017cbf1088..225ce267d45f9 100644
--- a/pkg/scheduler/apis/config/v1/defaults.go
+++ b/pkg/scheduler/apis/config/v1/defaults.go
@@ -248,4 +248,10 @@ func SetDefaults_DynamicResourcesArgs(obj *configv1.DynamicResourcesArgs) {
 	if obj.FilterTimeout == nil && feature.DefaultFeatureGate.Enabled(features.DRASchedulerFilterTimeout) {
 		obj.FilterTimeout = &metav1.Duration{Duration: configv1.DynamicResourcesFilterTimeoutDefault}
 	}
+
+	if obj.BindingTimeout == nil &&
+		feature.DefaultFeatureGate.Enabled(features.DRADeviceBindingConditions) &&
+		feature.DefaultFeatureGate.Enabled(features.DRAResourceClaimDeviceStatus) {
+		obj.BindingTimeout = &metav1.Duration{Duration: configv1.DynamicResourcesBindingTimeoutDefault}
+	}
 }
diff --git a/pkg/scheduler/apis/config/v1/defaults_test.go b/pkg/scheduler/apis/config/v1/defaults_test.go
index 41380d4c09859..437467bfe0c19 100644
--- a/pkg/scheduler/apis/config/v1/defaults_test.go
+++ b/pkg/scheduler/apis/config/v1/defaults_test.go
@@ -366,7 +366,7 @@ func TestSchedulerDefaults(t *testing.T) {
 									{Name: names.VolumeZone},
 									{Name: names.PodTopologySpread, Weight: ptr.To[int32](2)},
 									{Name: names.InterPodAffinity, Weight: ptr.To[int32](2)},
-									{Name: names.DynamicResources},
+									{Name: names.DynamicResources, Weight: ptr.To[int32](2)},
 									{Name: names.DefaultPreemption},
 									{Name: names.NodeResourcesBalancedAllocation, Weight: ptr.To[int32](1)},
 									{Name: names.ImageLocality, Weight: ptr.To[int32](1)},
@@ -702,9 +702,7 @@ func TestSchedulerDefaults(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			for featureName, enabled := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, featureName, enabled)
-			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, tc.features)
 			SetDefaults_KubeSchedulerConfiguration(tc.config)
 			if diff := cmp.Diff(tc.expected, tc.config); diff != "" {
 				t.Errorf("Got unexpected defaults (-want, +got):\n%s", diff)
@@ -894,14 +892,24 @@ func TestPluginArgsDefaults(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "DynamicResourcesArgs defaults, DRADeviceBindingConditions enabled",
+			features: map[featuregate.Feature]bool{
+				features.DRADeviceBindingConditions:   true,
+				features.DRAResourceClaimDeviceStatus: true,
+			},
+			in: &configv1.DynamicResourcesArgs{},
+			want: &configv1.DynamicResourcesArgs{
+				FilterTimeout:  &metav1.Duration{Duration: 10 * time.Second},
+				BindingTimeout: &metav1.Duration{Duration: 600 * time.Second},
+			},
+		},
 	}
 	for _, tc := range tests {
 		scheme := runtime.NewScheme()
 		utilruntime.Must(AddToScheme(scheme))
 		t.Run(tc.name, func(t *testing.T) {
-			for k, v := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, k, v)
-			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, tc.features)
 			scheme.Default(tc.in)
 			if diff := cmp.Diff(tc.want, tc.in); diff != "" {
 				t.Errorf("Got unexpected defaults (-want, +got):\n%s", diff)
diff --git a/pkg/scheduler/apis/config/v1/zz_generated.conversion.go b/pkg/scheduler/apis/config/v1/zz_generated.conversion.go
index 5470b2455bf11..63240b7d1125d 100644
--- a/pkg/scheduler/apis/config/v1/zz_generated.conversion.go
+++ b/pkg/scheduler/apis/config/v1/zz_generated.conversion.go
@@ -285,6 +285,7 @@ func Convert_config_DefaultPreemptionArgs_To_v1_DefaultPreemptionArgs(in *config
 
 func autoConvert_v1_DynamicResourcesArgs_To_config_DynamicResourcesArgs(in *configv1.DynamicResourcesArgs, out *config.DynamicResourcesArgs, s conversion.Scope) error {
 	out.FilterTimeout = (*metav1.Duration)(unsafe.Pointer(in.FilterTimeout))
+	out.BindingTimeout = (*metav1.Duration)(unsafe.Pointer(in.BindingTimeout))
 	return nil
 }
 
@@ -295,6 +296,7 @@ func Convert_v1_DynamicResourcesArgs_To_config_DynamicResourcesArgs(in *configv1
 
 func autoConvert_config_DynamicResourcesArgs_To_v1_DynamicResourcesArgs(in *config.DynamicResourcesArgs, out *configv1.DynamicResourcesArgs, s conversion.Scope) error {
 	out.FilterTimeout = (*metav1.Duration)(unsafe.Pointer(in.FilterTimeout))
+	out.BindingTimeout = (*metav1.Duration)(unsafe.Pointer(in.BindingTimeout))
 	return nil
 }
 
diff --git a/pkg/scheduler/apis/config/validation/validation_pluginargs.go b/pkg/scheduler/apis/config/validation/validation_pluginargs.go
index 7900b2ea51ee2..d50881630d614 100644
--- a/pkg/scheduler/apis/config/validation/validation_pluginargs.go
+++ b/pkg/scheduler/apis/config/validation/validation_pluginargs.go
@@ -19,6 +19,7 @@ package validation
 import (
 	"fmt"
 	"strings"
+	"time"
 
 	v1 "k8s.io/api/core/v1"
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
@@ -343,5 +344,22 @@ func ValidateDynamicResourcesArgs(path *field.Path, args *config.DynamicResource
 			allErrs = append(allErrs, field.Forbidden(path.Child("filterTimeout"), "DRASchedulingFilterTimeout feature gate is disabled"))
 		}
 	}
+
+	if fts.EnableDRADeviceBindingConditions && fts.EnableDRAResourceClaimDeviceStatus {
+		if args.BindingTimeout != nil && args.BindingTimeout.Duration < 1*time.Second {
+			allErrs = append(allErrs, field.Invalid(
+				path.Child("bindingTimeout"),
+				args.BindingTimeout,
+				"must be at least 1 second",
+			))
+		}
+	} else {
+		if args.BindingTimeout != nil {
+			allErrs = append(allErrs, field.Forbidden(
+				path.Child("bindingTimeout"),
+				"DRADeviceBindingConditions or DRAResourceClaimDeviceStatus feature gate is disabled",
+			))
+		}
+	}
 	return allErrs.ToAggregate()
 }
diff --git a/pkg/scheduler/apis/config/validation/validation_pluginargs_test.go b/pkg/scheduler/apis/config/validation/validation_pluginargs_test.go
index 121e134a0b585..aec89d5a4a6fd 100644
--- a/pkg/scheduler/apis/config/validation/validation_pluginargs_test.go
+++ b/pkg/scheduler/apis/config/validation/validation_pluginargs_test.go
@@ -656,9 +656,7 @@ func TestValidateVolumeBindingArgs(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			for k, v := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, k, v)
-			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, tc.features)
 			err := ValidateVolumeBindingArgs(nil, &tc.args)
 			if diff := cmp.Diff(tc.wantErr, err, ignoreBadValueDetail); diff != "" {
 				t.Errorf("ValidateVolumeBindingArgs returned err (-want,+got):\n%s", diff)
@@ -686,7 +684,7 @@ func TestValidateFitArgs(t *testing.T) {
 				IgnoredResources: []string{fmt.Sprintf("longvalue%s", strings.Repeat("a", 64))},
 				ScoringStrategy:  defaultScoringStrategy,
 			},
-			expect: "name part must be no more than 63 characters",
+			expect: "name part must be no more than 63 bytes",
 		},
 		{
 			name: "IgnoredResources: name is empty",
@@ -702,7 +700,7 @@ func TestValidateFitArgs(t *testing.T) {
 				IgnoredResources: []string{"example.com/aaa/bbb"},
 				ScoringStrategy:  defaultScoringStrategy,
 			},
-			expect: "a qualified name must consist of alphanumeric characters",
+			expect: "a valid label key must consist of",
 		},
 		{
 			name: "IgnoredResources: valid args",
@@ -732,7 +730,7 @@ func TestValidateFitArgs(t *testing.T) {
 				IgnoredResourceGroups: []string{strings.Repeat("a", 64)},
 				ScoringStrategy:       defaultScoringStrategy,
 			},
-			expect: "name part must be no more than 63 characters",
+			expect: "name part must be no more than 63 bytes",
 		},
 		{
 			name: "IgnoredResourceGroups: name cannot be contain slash",
@@ -1160,13 +1158,16 @@ func TestValidateRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 
 func TestValidateDynamicResourcesArgs(t *testing.T) {
 	cases := map[string]struct {
-		args                  config.DynamicResourcesArgs
-		wantErrs              field.ErrorList
-		filterTimeoutDisabled bool
+		args                      config.DynamicResourcesArgs
+		wantErrs                  field.ErrorList
+		filterTimeoutDisabled     bool
+		bindingConditionsDisabled bool
+		deviceStatusDisabled      bool
 	}{
 		"valid args (default)": {
 			args: config.DynamicResourcesArgs{
-				FilterTimeout: &metav1.Duration{Duration: config.DynamicResourcesFilterTimeoutDefault},
+				FilterTimeout:  &metav1.Duration{Duration: config.DynamicResourcesFilterTimeoutDefault},
+				BindingTimeout: &metav1.Duration{Duration: config.DynamicResourcesBindingTimeoutDefault},
 			},
 		},
 		"valid args (disabled)": {
@@ -1197,11 +1198,76 @@ func TestValidateDynamicResourcesArgs(t *testing.T) {
 				},
 			},
 		},
+
+		// BindingTimeout tests
+		"valid BindingTimeout": {
+			args: config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: 30 * time.Second},
+			},
+		},
+		"BindingTimeout < 1s (0s)": {
+			args: config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: 0},
+			},
+			wantErrs: field.ErrorList{
+				&field.Error{
+					Type:   field.ErrorTypeInvalid,
+					Field:  "bindingTimeout",
+					Detail: "must be at least 1 second",
+				},
+			},
+		},
+		"BindingTimeout < 1s (negative)": {
+			args: config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: -time.Second},
+			},
+			wantErrs: field.ErrorList{
+				&field.Error{
+					Type:   field.ErrorTypeInvalid,
+					Field:  "bindingTimeout",
+					Detail: "must be at least 1 second",
+				},
+			},
+		},
+		"BindingTimeout set but DRADeviceBindingConditions disabled": {
+			args: config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: time.Second},
+			},
+			bindingConditionsDisabled: true,
+			wantErrs: field.ErrorList{
+				&field.Error{
+					Type:   field.ErrorTypeForbidden,
+					Field:  "bindingTimeout",
+					Detail: "requires DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates to be enabled",
+				},
+			},
+		},
+		"BindingTimeout set but DRAResourceClaimDeviceStatus disabled": {
+			args: config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: time.Second},
+			},
+			deviceStatusDisabled: true,
+			wantErrs: field.ErrorList{
+				&field.Error{
+					Type:   field.ErrorTypeForbidden,
+					Field:  "bindingTimeout",
+					Detail: "requires DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates to be enabled",
+				},
+			},
+		},
 	}
 
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
-			err := ValidateDynamicResourcesArgs(nil, &tc.args, schedfeature.Features{EnableDRASchedulerFilterTimeout: !tc.filterTimeoutDisabled})
+			err := ValidateDynamicResourcesArgs(
+				nil,
+				&tc.args,
+				schedfeature.Features{
+					EnableDRASchedulerFilterTimeout:    !tc.filterTimeoutDisabled,
+					EnableDRADeviceBindingConditions:   !tc.bindingConditionsDisabled,
+					EnableDRAResourceClaimDeviceStatus: !tc.deviceStatusDisabled,
+				},
+			)
 			if diff := cmp.Diff(tc.wantErrs.ToAggregate(), err, ignoreBadValueDetail); diff != "" {
 				t.Errorf("ValidateDynamicResourcesArgs returned err (-want,+got):\n%s", diff)
 			}
diff --git a/pkg/scheduler/apis/config/zz_generated.deepcopy.go b/pkg/scheduler/apis/config/zz_generated.deepcopy.go
index d8e9a5db9973d..2d78d58e58749 100644
--- a/pkg/scheduler/apis/config/zz_generated.deepcopy.go
+++ b/pkg/scheduler/apis/config/zz_generated.deepcopy.go
@@ -61,6 +61,11 @@ func (in *DynamicResourcesArgs) DeepCopyInto(out *DynamicResourcesArgs) {
 		*out = new(v1.Duration)
 		**out = **in
 	}
+	if in.BindingTimeout != nil {
+		in, out := &in.BindingTimeout, &out.BindingTimeout
+		*out = new(v1.Duration)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/scheduler/backend/api_cache/api_cache.go b/pkg/scheduler/backend/api_cache/api_cache.go
index 7a021042da0b3..872c8fe8dda15 100644
--- a/pkg/scheduler/backend/api_cache/api_cache.go
+++ b/pkg/scheduler/backend/api_cache/api_cache.go
@@ -23,7 +23,6 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	internalcache "k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	internalqueue "k8s.io/kubernetes/pkg/scheduler/backend/queue"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // APICache is responsible for sending API calls' requests through scheduling queue or cache.
@@ -42,7 +41,7 @@ func New(schedulingQueue internalqueue.SchedulingQueue, cache internalcache.Cach
 // PatchPodStatus sends a patch request for a Pod's status through a scheduling queue.
 // The patch could be first applied to the cached Pod object and then the API call is executed asynchronously.
 // It returns a channel that can be used to wait for the call's completion.
-func (c *APICache) PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) (<-chan error, error) {
+func (c *APICache) PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) (<-chan error, error) {
 	return c.schedulingQueue.PatchPodStatus(pod, condition, nominatingInfo)
 }
 
diff --git a/pkg/scheduler/backend/api_dispatcher/api_dispatcher.go b/pkg/scheduler/backend/api_dispatcher/api_dispatcher.go
index 4f003b174268c..f0451ec9f4bcd 100644
--- a/pkg/scheduler/backend/api_dispatcher/api_dispatcher.go
+++ b/pkg/scheduler/backend/api_dispatcher/api_dispatcher.go
@@ -32,17 +32,15 @@ import (
 type APIDispatcher struct {
 	cancel func()
 
-	client            clientset.Interface
-	callQueue         *callQueue
-	goroutinesLimiter *goroutinesLimiter
+	client    clientset.Interface
+	callQueue *callQueue
 }
 
 // New returns a new APIDispatcher object.
 func New(client clientset.Interface, parallelization int, apiCallRelevances fwk.APICallRelevances) *APIDispatcher {
 	d := APIDispatcher{
-		client:            client,
-		callQueue:         newCallQueue(apiCallRelevances),
-		goroutinesLimiter: newGoroutinesLimiter(parallelization),
+		client:    client,
+		callQueue: newCallQueue(apiCallRelevances),
 	}
 
 	return &d
@@ -80,28 +78,17 @@ func (ad *APIDispatcher) Run(logger klog.Logger) {
 			default:
 			}
 
-			// Acquire a goroutine before popping a call. This ordering prevents a popped
-			// call from waiting (being in in-flight) for a long time.
-			acquired := ad.goroutinesLimiter.acquire()
-			if !acquired {
-				// goroutinesLimiter is closed.
-				return
-			}
 			apiCall, err := ad.callQueue.pop()
 			if err != nil {
 				utilruntime.HandleErrorWithLogger(logger, err, "popping API call from call controller failed")
-				ad.goroutinesLimiter.release()
 				continue
 			}
 			if apiCall == nil {
 				// callController is closed.
-				ad.goroutinesLimiter.release()
 				return
 			}
 
 			go func() {
-				defer ad.goroutinesLimiter.release()
-
 				startTime := time.Now()
 
 				err := apiCall.Execute(ctx, ad.client)
@@ -124,7 +111,6 @@ func (ad *APIDispatcher) Run(logger klog.Logger) {
 // Close shuts down the APIDispatcher.
 func (ad *APIDispatcher) Close() {
 	ad.callQueue.close()
-	ad.goroutinesLimiter.close()
 	if ad.cancel != nil {
 		ad.cancel()
 	}
diff --git a/pkg/scheduler/backend/api_dispatcher/call_queue.go b/pkg/scheduler/backend/api_dispatcher/call_queue.go
index 14c1719234cb3..6b4fb96e0bf00 100644
--- a/pkg/scheduler/backend/api_dispatcher/call_queue.go
+++ b/pkg/scheduler/backend/api_dispatcher/call_queue.go
@@ -122,12 +122,14 @@ func (cq *callQueue) merge(oldAPICall, apiCall *queuedAPICall) error {
 		return err
 	}
 	if oldAPICall.CallType() != apiCall.CallType() {
+		if cq.inFlightEntities.Has(oldAPICall.UID()) {
+			// Old API call is in-flight. The new call needs to wait for the old one to finish.
+			return nil
+		}
 		// API call types don't match, so we overwrite the old one.
 		// Update the pending calls metric if the old call is not in-flight.
-		if !cq.inFlightEntities.Has(oldAPICall.UID()) {
-			metrics.AsyncAPIPendingCalls.WithLabelValues(string(oldAPICall.CallType())).Dec()
-			metrics.AsyncAPIPendingCalls.WithLabelValues(string(apiCall.CallType())).Inc()
-		}
+		metrics.AsyncAPIPendingCalls.WithLabelValues(string(oldAPICall.CallType())).Dec()
+		metrics.AsyncAPIPendingCalls.WithLabelValues(string(apiCall.CallType())).Inc()
 		oldAPICall.sendOnFinish(fmt.Errorf("a more relevant call was enqueued for this object: %w", fwk.ErrCallOverwritten))
 		return nil
 	}
diff --git a/pkg/scheduler/backend/cache/cache.go b/pkg/scheduler/backend/cache/cache.go
index 4908be60df7bc..a55f8440d67f7 100644
--- a/pkg/scheduler/backend/cache/cache.go
+++ b/pkg/scheduler/backend/cache/cache.go
@@ -419,12 +419,15 @@ func (cache *cacheImpl) ForgetPod(logger klog.Logger, pod *v1.Pod) error {
 	defer cache.mu.Unlock()
 
 	currState, ok := cache.podStates[key]
-	if ok && currState.pod.Spec.NodeName != pod.Spec.NodeName {
+	if !ok {
+		// Pod does not exist in the cache anymore.
+		return nil
+	}
+	if currState.pod.Spec.NodeName != pod.Spec.NodeName {
 		return fmt.Errorf("pod %v(%v) was assumed on %v but assigned to %v", key, klog.KObj(pod), pod.Spec.NodeName, currState.pod.Spec.NodeName)
 	}
-
 	// Only assumed pod can be forgotten.
-	if ok && cache.assumedPods.Has(key) {
+	if cache.assumedPods.Has(key) {
 		return cache.removePod(logger, pod)
 	}
 	return fmt.Errorf("pod %v(%v) wasn't assumed so cannot be forgotten", key, klog.KObj(pod))
diff --git a/pkg/scheduler/backend/cache/cache_test.go b/pkg/scheduler/backend/cache/cache_test.go
index c86df82864ca1..925ee9c759439 100644
--- a/pkg/scheduler/backend/cache/cache_test.go
+++ b/pkg/scheduler/backend/cache/cache_test.go
@@ -1043,9 +1043,9 @@ func TestForgetPod(t *testing.T) {
 		if err := isForgottenFromCache(pod, cache); err != nil {
 			t.Errorf("pod %q: %v", pod.Name, err)
 		}
-		// trying to forget a pod already forgotten should return an error
-		if err := cache.ForgetPod(logger, pod); err == nil {
-			t.Error("expected error, no error found")
+		// trying to forget a pod already forgotten should return nil
+		if err := cache.ForgetPod(logger, pod); err != nil {
+			t.Error("expected no error, error found")
 		}
 	}
 }
diff --git a/pkg/scheduler/backend/cache/snapshot.go b/pkg/scheduler/backend/cache/snapshot.go
index 06aca1a0bafb1..b8d34da321f12 100644
--- a/pkg/scheduler/backend/cache/snapshot.go
+++ b/pkg/scheduler/backend/cache/snapshot.go
@@ -43,7 +43,7 @@ type Snapshot struct {
 	generation int64
 }
 
-var _ framework.SharedLister = &Snapshot{}
+var _ fwk.SharedLister = &Snapshot{}
 
 // NewEmptySnapshot initializes a Snapshot struct and returns it.
 func NewEmptySnapshot() *Snapshot {
@@ -156,12 +156,12 @@ func createImageExistenceMap(nodes []*v1.Node) map[string]sets.Set[string] {
 }
 
 // NodeInfos returns a NodeInfoLister.
-func (s *Snapshot) NodeInfos() framework.NodeInfoLister {
+func (s *Snapshot) NodeInfos() fwk.NodeInfoLister {
 	return s
 }
 
 // StorageInfos returns a StorageInfoLister.
-func (s *Snapshot) StorageInfos() framework.StorageInfoLister {
+func (s *Snapshot) StorageInfos() fwk.StorageInfoLister {
 	return s
 }
 
diff --git a/pkg/scheduler/backend/queue/active_queue.go b/pkg/scheduler/backend/queue/active_queue.go
index 620579d7adcaa..de722833d4446 100644
--- a/pkg/scheduler/backend/queue/active_queue.go
+++ b/pkg/scheduler/backend/queue/active_queue.go
@@ -32,15 +32,11 @@ import (
 )
 
 // activeQueuer is a wrapper for activeQ related operations.
-// Its methods, except "unlocked" ones, take the lock inside.
-// Note: be careful when using unlocked() methods.
-// getLock() methods should be used only for unlocked() methods
-// and it is forbidden to call any other activeQueuer's method under this lock.
+// Its methods take the lock inside.
 type activeQueuer interface {
 	underLock(func(unlockedActiveQ unlockedActiveQueuer))
 	underRLock(func(unlockedActiveQ unlockedActiveQueueReader))
 
-	update(newPod *v1.Pod, oldPodInfo *framework.QueuedPodInfo) *framework.QueuedPodInfo
 	delete(pInfo *framework.QueuedPodInfo) error
 	pop(logger klog.Logger) (*framework.QueuedPodInfo, error)
 	list() []*v1.Pod
@@ -66,7 +62,13 @@ type unlockedActiveQueuer interface {
 	// add adds a new pod to the activeQ.
 	// The event should show which event triggered this addition and is used for the metric recording.
 	// This method should be called in activeQueue.underLock().
-	add(pInfo *framework.QueuedPodInfo, event string)
+	add(logger klog.Logger, pInfo *framework.QueuedPodInfo, event string)
+	// update updates the pod in activeQ if oldPodInfo is already in the queue.
+	// It returns new pod info if updated, nil otherwise.
+	update(newPod *v1.Pod, oldPodInfo *framework.QueuedPodInfo) *framework.QueuedPodInfo
+	// addEventsIfPodInFlight adds events to inFlightEvents if the newPod is in inFlightPods.
+	// It returns true if pushed the event to the inFlightEvents.
+	addEventsIfPodInFlight(oldPod, newPod *v1.Pod, events []fwk.ClusterEvent) bool
 }
 
 // unlockedActiveQueueReader defines activeQ read-only methods that are not protected by the lock itself.
@@ -84,21 +86,56 @@ type unlockedActiveQueueReader interface {
 // unlockedActiveQueue defines activeQ methods that are not protected by the lock itself.
 // activeQueue.underLock() or activeQueue.underRLock() method should be used to protect these methods.
 type unlockedActiveQueue struct {
-	queue *heap.Heap[*framework.QueuedPodInfo]
+	queue           *heap.Heap[*framework.QueuedPodInfo]
+	inFlightPods    map[types.UID]*list.Element
+	inFlightEvents  *list.List
+	metricsRecorder *metrics.MetricAsyncRecorder
 }
 
-func newUnlockedActiveQueue(queue *heap.Heap[*framework.QueuedPodInfo]) *unlockedActiveQueue {
+func newUnlockedActiveQueue(queue *heap.Heap[*framework.QueuedPodInfo], inFlightPods map[types.UID]*list.Element, inFlightEvents *list.List, metricsRecorder *metrics.MetricAsyncRecorder) *unlockedActiveQueue {
 	return &unlockedActiveQueue{
-		queue: queue,
+		queue:           queue,
+		inFlightPods:    inFlightPods,
+		inFlightEvents:  inFlightEvents,
+		metricsRecorder: metricsRecorder,
 	}
 }
 
 // add adds a new pod to the activeQ.
 // The event should show which event triggered this addition and is used for the metric recording.
 // This method should be called in activeQueue.underLock().
-func (uaq *unlockedActiveQueue) add(pInfo *framework.QueuedPodInfo, event string) {
+func (uaq *unlockedActiveQueue) add(logger klog.Logger, pInfo *framework.QueuedPodInfo, event string) {
 	uaq.queue.AddOrUpdate(pInfo)
 	metrics.SchedulerQueueIncomingPods.WithLabelValues("active", event).Inc()
+	logger.V(5).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event, "queue", activeQ)
+}
+
+// update updates the pod in activeQ if oldPodInfo is already in the queue.
+// It returns new pod info if updated, nil otherwise.
+func (uaq *unlockedActiveQueue) update(newPod *v1.Pod, oldPodInfo *framework.QueuedPodInfo) *framework.QueuedPodInfo {
+	if pInfo, exists := uaq.queue.Get(oldPodInfo); exists {
+		_ = pInfo.Update(newPod)
+		uaq.queue.AddOrUpdate(pInfo)
+		return pInfo
+	}
+	return nil
+}
+
+// addEventsIfPodInFlight adds events to inFlightEvents if the newPod is in inFlightPods.
+// It returns true if pushed the event to the inFlightEvents.
+func (uaq *unlockedActiveQueue) addEventsIfPodInFlight(oldPod, newPod *v1.Pod, events []fwk.ClusterEvent) bool {
+	_, ok := uaq.inFlightPods[newPod.UID]
+	if ok {
+		for _, event := range events {
+			uaq.metricsRecorder.ObserveInFlightEventsAsync(event.Label(), 1, false)
+			uaq.inFlightEvents.PushBack(&clusterEvent{
+				event:  event,
+				oldObj: oldPod,
+				newObj: newPod,
+			})
+		}
+	}
+	return ok
 }
 
 // get returns the pod matching pInfo inside the activeQ.
@@ -181,24 +218,24 @@ type activeQueue struct {
 	// isSchedulingQueueHintEnabled indicates whether the feature gate for the scheduling queue is enabled.
 	isSchedulingQueueHintEnabled bool
 
-	metricsRecorder metrics.MetricAsyncRecorder
+	metricsRecorder *metrics.MetricAsyncRecorder
 
 	// backoffQPopper is used to pop from backoffQ when activeQ is empty.
 	// It is non-nil only when SchedulerPopFromBackoffQ feature is enabled.
 	backoffQPopper backoffQPopper
 }
 
-func newActiveQueue(queue *heap.Heap[*framework.QueuedPodInfo], isSchedulingQueueHintEnabled bool, metricRecorder metrics.MetricAsyncRecorder, backoffQPopper backoffQPopper) *activeQueue {
+func newActiveQueue(queue *heap.Heap[*framework.QueuedPodInfo], isSchedulingQueueHintEnabled bool, metricRecorder *metrics.MetricAsyncRecorder, backoffQPopper backoffQPopper) *activeQueue {
 	aq := &activeQueue{
 		queue:                        queue,
 		inFlightPods:                 make(map[types.UID]*list.Element),
 		inFlightEvents:               list.New(),
 		isSchedulingQueueHintEnabled: isSchedulingQueueHintEnabled,
 		metricsRecorder:              metricRecorder,
-		unlockedQueue:                newUnlockedActiveQueue(queue),
 		backoffQPopper:               backoffQPopper,
 	}
 	aq.cond.L = &aq.lock
+	aq.unlockedQueue = newUnlockedActiveQueue(queue, aq.inFlightPods, aq.inFlightEvents, metricRecorder)
 
 	return aq
 }
@@ -221,20 +258,6 @@ func (aq *activeQueue) underRLock(fn func(unlockedActiveQ unlockedActiveQueueRea
 	fn(aq.unlockedQueue)
 }
 
-// update updates the pod in activeQ if oldPodInfo is already in the queue.
-// It returns new pod info if updated, nil otherwise.
-func (aq *activeQueue) update(newPod *v1.Pod, oldPodInfo *framework.QueuedPodInfo) *framework.QueuedPodInfo {
-	aq.lock.Lock()
-	defer aq.lock.Unlock()
-
-	if pInfo, exists := aq.queue.Get(oldPodInfo); exists {
-		_ = pInfo.Update(newPod)
-		aq.queue.AddOrUpdate(pInfo)
-		return pInfo
-	}
-	return nil
-}
-
 // delete deletes the pod info from activeQ.
 func (aq *activeQueue) delete(pInfo *framework.QueuedPodInfo) error {
 	aq.lock.Lock()
@@ -383,24 +406,13 @@ func (aq *activeQueue) clusterEventsForPod(logger klog.Logger, pInfo *framework.
 	return events, nil
 }
 
-// addEventsIfPodInFlight adds clusterEvent to inFlightEvents if the newPod is in inFlightPods.
+// addEventsIfPodInFlight adds events to inFlightEvents if the newPod is in inFlightPods.
 // It returns true if pushed the event to the inFlightEvents.
 func (aq *activeQueue) addEventsIfPodInFlight(oldPod, newPod *v1.Pod, events []fwk.ClusterEvent) bool {
 	aq.lock.Lock()
 	defer aq.lock.Unlock()
 
-	_, ok := aq.inFlightPods[newPod.UID]
-	if ok {
-		for _, event := range events {
-			aq.metricsRecorder.ObserveInFlightEventsAsync(event.Label(), 1, false)
-			aq.inFlightEvents.PushBack(&clusterEvent{
-				event:  event,
-				oldObj: oldPod,
-				newObj: newPod,
-			})
-		}
-	}
-	return ok
+	return aq.unlockedQueue.addEventsIfPodInFlight(oldPod, newPod, events)
 }
 
 // addEventIfAnyInFlight adds clusterEvent to inFlightEvents if any pod is in inFlightPods.
diff --git a/pkg/scheduler/backend/queue/active_queue_test.go b/pkg/scheduler/backend/queue/active_queue_test.go
index fe242defde6ca..a17642ea2f88a 100644
--- a/pkg/scheduler/backend/queue/active_queue_test.go
+++ b/pkg/scheduler/backend/queue/active_queue_test.go
@@ -30,11 +30,11 @@ import (
 func TestClose(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
 	rr := metrics.NewMetricsAsyncRecorder(10, time.Second, ctx.Done())
-	aq := newActiveQueue(heap.NewWithRecorder(podInfoKeyFunc, heap.LessFunc[*framework.QueuedPodInfo](convertLessFn(newDefaultQueueSort())), metrics.NewActivePodsRecorder()), true, *rr, nil)
+	aq := newActiveQueue(heap.NewWithRecorder(podInfoKeyFunc, heap.LessFunc[*framework.QueuedPodInfo](convertLessFn(newDefaultQueueSort())), metrics.NewActivePodsRecorder()), true, rr, nil)
 
 	aq.underLock(func(unlockedActiveQ unlockedActiveQueuer) {
-		unlockedActiveQ.add(&framework.QueuedPodInfo{PodInfo: &framework.PodInfo{Pod: st.MakePod().Namespace("foo").Name("p1").UID("p1").Obj()}}, framework.EventUnscheduledPodAdd.Label())
-		unlockedActiveQ.add(&framework.QueuedPodInfo{PodInfo: &framework.PodInfo{Pod: st.MakePod().Namespace("bar").Name("p2").UID("p2").Obj()}}, framework.EventUnscheduledPodAdd.Label())
+		unlockedActiveQ.add(logger, &framework.QueuedPodInfo{PodInfo: &framework.PodInfo{Pod: st.MakePod().Namespace("foo").Name("p1").UID("p1").Obj()}}, framework.EventUnscheduledPodAdd.Label())
+		unlockedActiveQ.add(logger, &framework.QueuedPodInfo{PodInfo: &framework.PodInfo{Pod: st.MakePod().Namespace("bar").Name("p2").UID("p2").Obj()}}, framework.EventUnscheduledPodAdd.Label())
 	})
 
 	_, err := aq.pop(logger)
diff --git a/pkg/scheduler/backend/queue/backoff_queue.go b/pkg/scheduler/backend/queue/backoff_queue.go
index 5d20f2593ce9f..925e8b34dec2a 100644
--- a/pkg/scheduler/backend/queue/backoff_queue.go
+++ b/pkg/scheduler/backend/queue/backoff_queue.go
@@ -23,6 +23,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/backend/heap"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
@@ -100,13 +101,13 @@ type backoffQueue struct {
 	podMaxBackoff     time.Duration
 	// activeQLessFn is used as an eventual less function if two backoff times are equal,
 	// when the SchedulerPopFromBackoffQ feature is enabled.
-	activeQLessFn framework.LessFunc
+	activeQLessFn fwk.LessFunc
 
 	// isPopFromBackoffQEnabled indicates whether the feature gate SchedulerPopFromBackoffQ is enabled.
 	isPopFromBackoffQEnabled bool
 }
 
-func newBackoffQueue(clock clock.WithTicker, podInitialBackoffDuration time.Duration, podMaxBackoffDuration time.Duration, activeQLessFn framework.LessFunc, popFromBackoffQEnabled bool) *backoffQueue {
+func newBackoffQueue(clock clock.WithTicker, podInitialBackoffDuration time.Duration, podMaxBackoffDuration time.Duration, activeQLessFn fwk.LessFunc, popFromBackoffQEnabled bool) *backoffQueue {
 	bq := &backoffQueue{
 		clock:                    clock,
 		podInitialBackoff:        podInitialBackoffDuration,
@@ -306,6 +307,7 @@ func (bq *backoffQueue) add(logger klog.Logger, pInfo *framework.QueuedPodInfo,
 			return
 		}
 		metrics.SchedulerQueueIncomingPods.WithLabelValues("backoff", event).Inc()
+		logger.V(5).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event, "queue", backoffQ)
 		return
 	}
 	bq.podBackoffQ.AddOrUpdate(pInfo)
@@ -316,6 +318,7 @@ func (bq *backoffQueue) add(logger klog.Logger, pInfo *framework.QueuedPodInfo,
 		return
 	}
 	metrics.SchedulerQueueIncomingPods.WithLabelValues("backoff", event).Inc()
+	logger.V(5).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event, "queue", backoffQ)
 }
 
 // update updates the pod in backoffQueue if oldPodInfo is already in the queue.
diff --git a/pkg/scheduler/backend/queue/nominator.go b/pkg/scheduler/backend/queue/nominator.go
index c11e7c97373ab..e871b940dfd2b 100644
--- a/pkg/scheduler/backend/queue/nominator.go
+++ b/pkg/scheduler/backend/queue/nominator.go
@@ -26,7 +26,6 @@ import (
 	listersv1 "k8s.io/client-go/listers/core/v1"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // nominator is a structure that stores pods nominated to run on nodes.
@@ -61,25 +60,25 @@ func newPodNominator(podLister listersv1.PodLister) *nominator {
 	}
 }
 
-// AddNominatedPod adds a pod to the nominated pods of the given node.
-// This is called during the preemption process after a node is nominated to run
-// the pod. We update the structure before sending a request to update the pod
-// object to avoid races with the following scheduling cycles.
-func (npm *nominator) AddNominatedPod(logger klog.Logger, pi fwk.PodInfo, nominatingInfo *framework.NominatingInfo) {
+// addNominatedPod adds a pod to the nominated pods of the given node.
+// This is called during the preemption process when a node is nominated to run
+// the pod. We update the nominator's structure before sending an API request to update the pod
+// object, to avoid races with the following scheduling cycles.
+func (npm *nominator) addNominatedPod(logger klog.Logger, pi fwk.PodInfo, nominatingInfo *fwk.NominatingInfo) {
 	npm.nLock.Lock()
 	npm.addNominatedPodUnlocked(logger, pi, nominatingInfo)
 	npm.nLock.Unlock()
 }
 
-func (npm *nominator) addNominatedPodUnlocked(logger klog.Logger, pi fwk.PodInfo, nominatingInfo *framework.NominatingInfo) {
+func (npm *nominator) addNominatedPodUnlocked(logger klog.Logger, pi fwk.PodInfo, nominatingInfo *fwk.NominatingInfo) {
 	// Always delete the pod if it already exists, to ensure we never store more than
 	// one instance of the pod.
 	npm.deleteUnlocked(pi.GetPod())
 
 	var nodeName string
-	if nominatingInfo.Mode() == framework.ModeOverride {
+	if nominatingInfo.Mode() == fwk.ModeOverride {
 		nodeName = nominatingInfo.NominatedNodeName
-	} else if nominatingInfo.Mode() == framework.ModeNoop {
+	} else if nominatingInfo.Mode() == fwk.ModeNoop {
 		if pi.GetPod().Status.NominatedNodeName == "" {
 			return
 		}
@@ -116,7 +115,7 @@ func (npm *nominator) UpdateNominatedPod(logger klog.Logger, oldPod *v1.Pod, new
 	// In some cases, an Update event with no "NominatedNode" present is received right
 	// after a node("NominatedNode") is reserved for this pod in memory.
 	// In this case, we need to keep reserving the NominatedNode when updating the pod pointer.
-	var nominatingInfo *framework.NominatingInfo
+	var nominatingInfo *fwk.NominatingInfo
 	// We won't fall into below `if` block if the Update event represents:
 	// (1) NominatedNode info is added
 	// (2) NominatedNode info is updated
@@ -124,8 +123,8 @@ func (npm *nominator) UpdateNominatedPod(logger klog.Logger, oldPod *v1.Pod, new
 	if nominatedNodeName(oldPod) == "" && nominatedNodeName(newPodInfo.GetPod()) == "" {
 		if nnn, ok := npm.nominatedPodToNode[oldPod.UID]; ok {
 			// This is the only case we should continue reserving the NominatedNode
-			nominatingInfo = &framework.NominatingInfo{
-				NominatingMode:    framework.ModeOverride,
+			nominatingInfo = &fwk.NominatingInfo{
+				NominatingMode:    fwk.ModeOverride,
 				NominatedNodeName: nnn,
 			}
 		}
diff --git a/pkg/scheduler/backend/queue/scheduling_queue.go b/pkg/scheduler/backend/queue/scheduling_queue.go
index 798794c371835..717b55656f142 100644
--- a/pkg/scheduler/backend/queue/scheduling_queue.go
+++ b/pkg/scheduler/backend/queue/scheduling_queue.go
@@ -49,7 +49,7 @@ import (
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/backend/heap"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
+	apicalls "k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/interpodaffinity"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/podtopologyspread"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
@@ -92,7 +92,7 @@ type PreEnqueueCheck func(pod *v1.Pod) bool
 // The interface follows a pattern similar to cache.FIFO and cache.Heap and
 // makes it easy to use those data structures as a SchedulingQueue.
 type SchedulingQueue interface {
-	framework.PodNominator
+	fwk.PodNominator
 	Add(logger klog.Logger, pod *v1.Pod)
 	// Activate moves the given pods to activeQ.
 	// If a pod isn't found in unschedulablePods or backoffQ and it's in-flight,
@@ -131,7 +131,7 @@ type SchedulingQueue interface {
 
 	// PatchPodStatus handles the pod status update by sending an update API call through API dispatcher.
 	// This method should be used only if the SchedulerAsyncAPICalls feature gate is enabled.
-	PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) (<-chan error, error)
+	PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) (<-chan error, error)
 
 	// The following functions are supposed to be used only for testing or debugging.
 	GetPod(name, namespace string) (*framework.QueuedPodInfo, bool)
@@ -145,7 +145,7 @@ type SchedulingQueue interface {
 
 // NewSchedulingQueue initializes a priority queue as a new scheduling queue.
 func NewSchedulingQueue(
-	lessFn framework.LessFunc,
+	lessFn fwk.LessFunc,
 	informerFactory informers.SharedInformerFactory,
 	opts ...Option) SchedulingQueue {
 	return NewPriorityQueue(lessFn, informerFactory, opts...)
@@ -186,7 +186,7 @@ type PriorityQueue struct {
 	moveRequestCycle int64
 
 	// preEnqueuePluginMap is keyed with profile and plugin name, valued with registered preEnqueue plugins.
-	preEnqueuePluginMap map[string]map[string]framework.PreEnqueuePlugin
+	preEnqueuePluginMap map[string]map[string]fwk.PreEnqueuePlugin
 	// queueingHintMap is keyed with profile name, valued with registered queueing hint functions.
 	queueingHintMap QueueingHintMapPerProfile
 	// pluginToEventsMap shows which plugin is interested in which events.
@@ -194,7 +194,7 @@ type PriorityQueue struct {
 
 	nsLister listersv1.NamespaceLister
 
-	metricsRecorder metrics.MetricAsyncRecorder
+	metricsRecorder *metrics.MetricAsyncRecorder
 	// pluginMetricsSamplePercent is the percentage of plugin metrics to be sampled.
 	pluginMetricsSamplePercent int
 
@@ -229,9 +229,9 @@ type priorityQueueOptions struct {
 	podMaxBackoffDuration             time.Duration
 	podMaxInUnschedulablePodsDuration time.Duration
 	podLister                         listersv1.PodLister
-	metricsRecorder                   metrics.MetricAsyncRecorder
+	metricsRecorder                   *metrics.MetricAsyncRecorder
 	pluginMetricsSamplePercent        int
-	preEnqueuePluginMap               map[string]map[string]framework.PreEnqueuePlugin
+	preEnqueuePluginMap               map[string]map[string]fwk.PreEnqueuePlugin
 	queueingHintMap                   QueueingHintMapPerProfile
 	apiDispatcher                     fwk.APIDispatcher
 }
@@ -288,14 +288,14 @@ func WithQueueingHintMapPerProfile(m QueueingHintMapPerProfile) Option {
 }
 
 // WithPreEnqueuePluginMap sets preEnqueuePluginMap for PriorityQueue.
-func WithPreEnqueuePluginMap(m map[string]map[string]framework.PreEnqueuePlugin) Option {
+func WithPreEnqueuePluginMap(m map[string]map[string]fwk.PreEnqueuePlugin) Option {
 	return func(o *priorityQueueOptions) {
 		o.preEnqueuePluginMap = m
 	}
 }
 
 // WithMetricsRecorder sets metrics recorder.
-func WithMetricsRecorder(recorder metrics.MetricAsyncRecorder) Option {
+func WithMetricsRecorder(recorder *metrics.MetricAsyncRecorder) Option {
 	return func(o *priorityQueueOptions) {
 		o.metricsRecorder = recorder
 	}
@@ -337,7 +337,7 @@ func newQueuedPodInfoForLookup(pod *v1.Pod, plugins ...string) *framework.Queued
 
 // NewPriorityQueue creates a PriorityQueue object.
 func NewPriorityQueue(
-	lessFn framework.LessFunc,
+	lessFn fwk.LessFunc,
 	informerFactory informers.SharedInformerFactory,
 	opts ...Option,
 ) *PriorityQueue {
@@ -381,8 +381,8 @@ func NewPriorityQueue(
 	return pq
 }
 
-// Helper function that wraps framework.LessFunc and converts it to take *framework.QueuedPodInfo as arguments.
-func convertLessFn(lessFn framework.LessFunc) func(podInfo1, podInfo2 *framework.QueuedPodInfo) bool {
+// Helper function that wraps fwk.LessFunc and converts it to take *framework.QueuedPodInfo as arguments.
+func convertLessFn(lessFn fwk.LessFunc) func(podInfo1, podInfo2 *framework.QueuedPodInfo) bool {
 	return func(podInfo1, podInfo2 *framework.QueuedPodInfo) bool {
 		return lessFn(podInfo1, podInfo2)
 	}
@@ -599,7 +599,7 @@ func (p *PriorityQueue) runPreEnqueuePlugins(ctx context.Context, pInfo *framewo
 }
 
 // runPreEnqueuePlugin runs the PreEnqueue plugin and update pInfo's fields accordingly if needed.
-func (p *PriorityQueue) runPreEnqueuePlugin(ctx context.Context, logger klog.Logger, pl framework.PreEnqueuePlugin, pInfo *framework.QueuedPodInfo, shouldRecordMetric bool) *fwk.Status {
+func (p *PriorityQueue) runPreEnqueuePlugin(ctx context.Context, logger klog.Logger, pl fwk.PreEnqueuePlugin, pInfo *framework.QueuedPodInfo, shouldRecordMetric bool) *fwk.Status {
 	pod := pInfo.Pod
 	startTime := p.clock.Now()
 	s := pl.PreEnqueue(ctx, pod)
@@ -623,15 +623,25 @@ func (p *PriorityQueue) runPreEnqueuePlugin(ctx context.Context, logger klog.Log
 	return s
 }
 
+// AddNominatedPod adds the given pod to the nominator.
+// It locks the PriorityQueue to make sure it won't race with any other method.
+func (p *PriorityQueue) AddNominatedPod(logger klog.Logger, pi fwk.PodInfo, nominatingInfo *fwk.NominatingInfo) {
+	p.lock.Lock()
+	p.nominator.addNominatedPod(logger, pi, nominatingInfo)
+	p.lock.Unlock()
+}
+
 // moveToActiveQ tries to add the pod to the active queue.
 // If the pod doesn't pass PreEnqueue plugins, it gets added to unschedulablePods instead.
+// movesFromBackoffQ should be set to true, if the pod directly moves from the backoffQ, so the PreEnqueue call can be skipped.
 // It returns a boolean flag to indicate whether the pod is added successfully.
-func (p *PriorityQueue) moveToActiveQ(logger klog.Logger, pInfo *framework.QueuedPodInfo, event string) bool {
+func (p *PriorityQueue) moveToActiveQ(logger klog.Logger, pInfo *framework.QueuedPodInfo, event string, movesFromBackoffQ bool) bool {
 	gatedBefore := pInfo.Gated()
 	// If SchedulerPopFromBackoffQ feature gate is enabled,
 	// PreEnqueue plugins were called when the pod was added to the backoffQ.
 	// Don't need to repeat it here when the pod is directly moved from the backoffQ.
-	if !p.isPopFromBackoffQEnabled || event != framework.BackoffComplete {
+	skipPreEnqueue := p.isPopFromBackoffQEnabled && movesFromBackoffQ
+	if !skipPreEnqueue {
 		p.runPreEnqueuePlugins(context.Background(), pInfo)
 	}
 
@@ -656,15 +666,13 @@ func (p *PriorityQueue) moveToActiveQ(logger klog.Logger, pInfo *framework.Queue
 			now := p.clock.Now()
 			pInfo.InitialAttemptTimestamp = &now
 		}
-
-		unlockedActiveQ.add(pInfo, event)
-		added = true
-
 		p.unschedulablePods.delete(pInfo.Pod, gatedBefore)
 		p.backoffQ.delete(pInfo)
-		logger.V(5).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event, "queue", activeQ)
+
+		unlockedActiveQ.add(logger, pInfo, event)
+		added = true
 		if event == framework.EventUnscheduledPodAdd.Label() || event == framework.EventUnscheduledPodUpdate.Label() {
-			p.AddNominatedPod(logger, pInfo.PodInfo, nil)
+			p.nominator.addNominatedPod(logger, pInfo.PodInfo, nil)
 		}
 	})
 	return added
@@ -674,6 +682,7 @@ func (p *PriorityQueue) moveToActiveQ(logger klog.Logger, pInfo *framework.Queue
 // If SchedulerPopFromBackoffQ feature gate is enabled and the pod doesn't pass PreEnqueue plugins, it gets added to unschedulablePods instead.
 // It returns a boolean flag to indicate whether the pod is added successfully.
 func (p *PriorityQueue) moveToBackoffQ(logger klog.Logger, pInfo *framework.QueuedPodInfo, event string) bool {
+	gatedBefore := pInfo.Gated()
 	// If SchedulerPopFromBackoffQ feature gate is enabled,
 	// PreEnqueue plugins are called on inserting pods to the backoffQ,
 	// not to call them again on popping out.
@@ -687,8 +696,9 @@ func (p *PriorityQueue) moveToBackoffQ(logger klog.Logger, pInfo *framework.Queu
 			return false
 		}
 	}
+	p.unschedulablePods.delete(pInfo.Pod, gatedBefore)
+
 	p.backoffQ.add(logger, pInfo, event)
-	logger.V(5).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event, "queue", backoffQ)
 	return true
 }
 
@@ -699,7 +709,7 @@ func (p *PriorityQueue) Add(logger klog.Logger, pod *v1.Pod) {
 	defer p.lock.Unlock()
 
 	pInfo := p.newQueuedPodInfo(pod)
-	if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodAdd.Label()); added {
+	if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodAdd.Label(), false); added {
 		p.activeQ.broadcast()
 	}
 }
@@ -735,6 +745,7 @@ func (p *PriorityQueue) Activate(logger klog.Logger, pods map[string]*v1.Pod) {
 
 func (p *PriorityQueue) activate(logger klog.Logger, pod *v1.Pod) bool {
 	var pInfo *framework.QueuedPodInfo
+	var movesFromBackoffQ bool
 	// Verify if the pod is present in unschedulablePods or backoffQ.
 	if pInfo = p.unschedulablePods.get(pod); pInfo == nil {
 		// If the pod doesn't belong to unschedulablePods or backoffQ, don't activate it.
@@ -750,6 +761,7 @@ func (p *PriorityQueue) activate(logger klog.Logger, pod *v1.Pod) bool {
 			// Pod was popped from the backoffQ in the meantime. Don't activate it.
 			return false
 		}
+		movesFromBackoffQ = true
 	}
 
 	if pInfo == nil {
@@ -758,7 +770,7 @@ func (p *PriorityQueue) activate(logger klog.Logger, pod *v1.Pod) bool {
 		return false
 	}
 
-	return p.moveToActiveQ(logger, pInfo, framework.ForceActivate)
+	return p.moveToActiveQ(logger, pInfo, framework.ForceActivate, movesFromBackoffQ)
 }
 
 // SchedulingCycle returns current scheduling cycle.
@@ -916,7 +928,7 @@ func (p *PriorityQueue) flushBackoffQCompleted(logger klog.Logger) {
 	activated := false
 	podsCompletedBackoff := p.backoffQ.popAllBackoffCompleted(logger)
 	for _, pInfo := range podsCompletedBackoff {
-		if added := p.moveToActiveQ(logger, pInfo, framework.BackoffComplete); added {
+		if added := p.moveToActiveQ(logger, pInfo, framework.BackoffComplete, true); added {
 			activated = true
 		}
 	}
@@ -1006,37 +1018,51 @@ func (p *PriorityQueue) Update(logger klog.Logger, oldPod, newPod *v1.Pod) {
 	var events []fwk.ClusterEvent
 	if p.isSchedulingQueueHintEnabled {
 		events = framework.PodSchedulingPropertiesChange(newPod, oldPod)
-		// The inflight pod will be requeued using the latest version from the informer cache, which matches what the event delivers.
-		// Record this Pod update because
-		// this update may make the Pod schedulable in case it gets rejected and comes back to the queue.
-		// We can clean it up once we change updatePodInSchedulingQueue to call MoveAllToActiveOrBackoffQueue.
-		// See https://github.com/kubernetes/kubernetes/pull/125578#discussion_r1648338033 for more context.
-		if exists := p.activeQ.addEventsIfPodInFlight(oldPod, newPod, events); exists {
-			logger.V(6).Info("The pod doesn't be queued for now because it's being scheduled and will be queued back if necessary", "pod", klog.KObj(newPod))
-			return
-		}
 	}
 
-	if oldPod != nil {
-		oldPodInfo := newQueuedPodInfoForLookup(oldPod)
-		// If the pod is already in the active queue, just update it there.
-		if pInfo := p.activeQ.update(newPod, oldPodInfo); pInfo != nil {
-			p.UpdateNominatedPod(logger, oldPod, pInfo.PodInfo)
-			return
+	updated := false
+	// Run the following code under the activeQ lock to make sure that in the meantime pod is not popped from either activeQ or backoffQ.
+	// This way, the event will be registered or the pod will be updated consistently.
+	// Locking only the part of Update method is sufficient, because in the other part the pod is in the unscheduledPods
+	// which is protected by p.lock anyway.
+	p.activeQ.underLock(func(unlockedActiveQ unlockedActiveQueuer) {
+		if p.isSchedulingQueueHintEnabled {
+			// The inflight pod will be requeued using the latest version from the informer cache, which matches what the event delivers.
+			// Record this Pod update because
+			// this update may make the Pod schedulable in case it gets rejected and comes back to the queue.
+			// We can clean it up once we change updatePodInSchedulingQueue to call MoveAllToActiveOrBackoffQueue.
+			// See https://github.com/kubernetes/kubernetes/pull/125578#discussion_r1648338033 for more context.
+			if exists := unlockedActiveQ.addEventsIfPodInFlight(oldPod, newPod, events); exists {
+				logger.V(6).Info("The pod doesn't need to be queued for now because it's being scheduled and will be queued back if necessary", "pod", klog.KObj(newPod))
+				updated = true
+				return
+			}
 		}
+		if oldPod != nil {
+			oldPodInfo := newQueuedPodInfoForLookup(oldPod)
+			// If the pod is already in the active queue, just update it there.
+			if pInfo := unlockedActiveQ.update(newPod, oldPodInfo); pInfo != nil {
+				p.UpdateNominatedPod(logger, oldPod, pInfo.PodInfo)
+				updated = true
+				return
+			}
 
-		// If the pod is in the backoff queue, update it there.
-		if pInfo := p.backoffQ.update(newPod, oldPodInfo); pInfo != nil {
-			p.UpdateNominatedPod(logger, oldPod, pInfo.PodInfo)
-			return
+			// If the pod is in the backoff queue, update it there.
+			if pInfo := p.backoffQ.update(newPod, oldPodInfo); pInfo != nil {
+				p.UpdateNominatedPod(logger, oldPod, pInfo.PodInfo)
+				updated = true
+				return
+			}
 		}
+	})
+	if updated {
+		return
 	}
 
 	// If the pod is in the unschedulable queue, updating it may make it schedulable.
 	if pInfo := p.unschedulablePods.get(newPod); pInfo != nil {
 		_ = pInfo.Update(newPod)
 		p.UpdateNominatedPod(logger, oldPod, pInfo.PodInfo)
-		gated := pInfo.Gated()
 		if p.isSchedulingQueueHintEnabled {
 			// When unscheduled Pods are updated, we check with QueueingHint
 			// whether the update may make the pods schedulable.
@@ -1047,7 +1073,6 @@ func (p *PriorityQueue) Update(logger klog.Logger, oldPod, newPod *v1.Pod) {
 				queue := p.requeuePodWithQueueingStrategy(logger, pInfo, hint, evt.Label())
 				if queue != unschedulableQ {
 					logger.V(5).Info("Pod moved to an internal scheduling queue because the Pod is updated", "pod", klog.KObj(newPod), "event", evt.Label(), "queue", queue)
-					p.unschedulablePods.delete(pInfo.Pod, gated)
 				}
 				if queue == activeQ || (p.isPopFromBackoffQEnabled && queue == backoffQ) {
 					p.activeQ.broadcast()
@@ -1061,7 +1086,6 @@ func (p *PriorityQueue) Update(logger klog.Logger, oldPod, newPod *v1.Pod) {
 			// so we should check isPodBackingoff before moving the pod to backoffQ.
 			if p.backoffQ.isPodBackingoff(pInfo) {
 				if added := p.moveToBackoffQ(logger, pInfo, framework.EventUnscheduledPodUpdate.Label()); added {
-					p.unschedulablePods.delete(pInfo.Pod, gated)
 					if p.isPopFromBackoffQEnabled {
 						p.activeQ.broadcast()
 					}
@@ -1069,7 +1093,7 @@ func (p *PriorityQueue) Update(logger klog.Logger, oldPod, newPod *v1.Pod) {
 				return
 			}
 
-			if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodUpdate.Label()); added {
+			if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodUpdate.Label(), false); added {
 				p.activeQ.broadcast()
 			}
 			return
@@ -1081,7 +1105,7 @@ func (p *PriorityQueue) Update(logger klog.Logger, oldPod, newPod *v1.Pod) {
 	}
 	// If pod is not in any of the queues, we put it in the active queue.
 	pInfo := p.newQueuedPodInfo(newPod)
-	if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodUpdate.Label()); added {
+	if added := p.moveToActiveQ(logger, pInfo, framework.EventUnscheduledPodUpdate.Label(), false); added {
 		p.activeQ.broadcast()
 	}
 }
@@ -1182,7 +1206,7 @@ func (p *PriorityQueue) requeuePodWithQueueingStrategy(logger klog.Logger, pInfo
 	}
 
 	// Reach here if schedulingHint is QueueImmediately, or schedulingHint is Queue but the pod is not backing off.
-	if added := p.moveToActiveQ(logger, pInfo, event); added {
+	if added := p.moveToActiveQ(logger, pInfo, event, false); added {
 		return activeQ
 	}
 	// Pod is gated. We don't have to push it back to unschedulable queue, because moveToActiveQ should already have done that.
@@ -1213,7 +1237,6 @@ func (p *PriorityQueue) movePodsToActiveOrBackoffQueue(logger klog.Logger, podIn
 
 		p.unschedulablePods.delete(pInfo.Pod, pInfo.Gated())
 		queue := p.requeuePodWithQueueingStrategy(logger, pInfo, schedulingHint, event.Label())
-		logger.V(4).Info("Pod moved to an internal scheduling queue", "pod", klog.KObj(pInfo.Pod), "event", event.Label(), "queue", queue, "hint", schedulingHint)
 		if queue == activeQ || (p.isPopFromBackoffQEnabled && queue == backoffQ) {
 			activated = true
 		}
@@ -1329,7 +1352,7 @@ func (p *PriorityQueue) PendingPods() ([]*v1.Pod, string) {
 
 // PatchPodStatus handles the pod status update by sending an update API call through API dispatcher.
 // This method should be used only if the SchedulerAsyncAPICalls feature gate is enabled.
-func (p *PriorityQueue) PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) (<-chan error, error) {
+func (p *PriorityQueue) PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) (<-chan error, error) {
 	// Don't store anything in the cache. This might be extended in the next releases.
 	onFinish := make(chan error, 1)
 	err := p.apiDispatcher.Add(apicalls.Implementations.PodStatusPatch(pod, condition, nominatingInfo), fwk.APICallOptions{
diff --git a/pkg/scheduler/backend/queue/scheduling_queue_test.go b/pkg/scheduler/backend/queue/scheduling_queue_test.go
index 905d6bd25c2cb..505d2bbe8b99a 100644
--- a/pkg/scheduler/backend/queue/scheduling_queue_test.go
+++ b/pkg/scheduler/backend/queue/scheduling_queue_test.go
@@ -166,7 +166,7 @@ func TestPriorityQueue_Add(t *testing.T) {
 	}
 }
 
-func newDefaultQueueSort() framework.LessFunc {
+func newDefaultQueueSort() fwk.LessFunc {
 	sort := &queuesort.PrioritySort{}
 	return sort.Less
 }
@@ -706,7 +706,7 @@ func Test_InFlightPods(t *testing.T) {
 				// Simulate a bug, putting pod into activeQ, while pod is being scheduled.
 				{callback: func(t *testing.T, q *PriorityQueue) {
 					q.activeQ.underLock(func(unlocked unlockedActiveQueuer) {
-						unlocked.add(newQueuedPodInfoForLookup(pod1), framework.EventUnscheduledPodAdd.Label())
+						unlocked.add(logger, newQueuedPodInfoForLookup(pod1), framework.EventUnscheduledPodAdd.Label())
 					})
 				}},
 				// At this point, in the activeQ, we have pod1 and pod3 in this order.
@@ -1458,7 +1458,7 @@ func TestPriorityQueue_Activate(t *testing.T) {
 			if tt.qPodInInFlightPod != nil {
 				// Put -> Pop the Pod to make it registered in inFlightPods.
 				q.activeQ.underLock(func(unlockedActiveQ unlockedActiveQueuer) {
-					unlockedActiveQ.add(newQueuedPodInfoForLookup(tt.qPodInInFlightPod), framework.EventUnscheduledPodAdd.Label())
+					unlockedActiveQ.add(logger, newQueuedPodInfoForLookup(tt.qPodInInFlightPod), framework.EventUnscheduledPodAdd.Label())
 				})
 				p, err := q.activeQ.pop(logger)
 				if err != nil {
@@ -1547,9 +1547,10 @@ func (pl *preEnqueuePlugin) PreEnqueue(ctx context.Context, p *v1.Pod) *fwk.Stat
 func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 	tests := []struct {
 		name                   string
-		plugins                []framework.PreEnqueuePlugin
+		plugins                []fwk.PreEnqueuePlugin
 		pod                    *v1.Pod
 		event                  string
+		movesFromBackoffQ      bool
 		popFromBackoffQEnabled []bool
 		wantUnschedulablePods  int
 		wantSuccess            bool
@@ -1563,7 +1564,7 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 		},
 		{
 			name:                  "preEnqueue plugin registered, pod name not in allowlists",
-			plugins:               []framework.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
+			plugins:               []fwk.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
 			pod:                   st.MakePod().Name("p").Label("p", "").Obj(),
 			event:                 framework.EventUnscheduledPodAdd.Label(),
 			wantUnschedulablePods: 1,
@@ -1571,7 +1572,7 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 		},
 		{
 			name: "preEnqueue plugin registered, pod failed one preEnqueue plugin",
-			plugins: []framework.PreEnqueuePlugin{
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"foo"}},
 			},
@@ -1581,10 +1582,8 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 			wantSuccess:           false,
 		},
 		{
-			// With SchedulerPopFromBackoffQ enabled, the queue assumes the pod has already passed PreEnqueue,
-			// and it doesn't run PreEnqueue again, always puts the pod to activeQ.
-			name: "preEnqueue plugin registered, preEnqueue plugin would reject the pod, but isn't run",
-			plugins: []framework.PreEnqueuePlugin{
+			name: "preEnqueue plugin registered, preEnqueue rejects the pod, even if it is after backoff",
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"foo"}},
 			},
@@ -1595,20 +1594,49 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 			wantSuccess:            false,
 		},
 		{
-			name: "preEnqueue plugin registered, pod would fail one preEnqueue plugin, but is after backoff",
-			plugins: []framework.PreEnqueuePlugin{
+			// With SchedulerPopFromBackoffQ enabled, the queue assumes the pod has already passed PreEnqueue,
+			// and it doesn't run PreEnqueue again, always puts the pod to activeQ.
+			name: "preEnqueue plugin registered, pod would fail one preEnqueue plugin, but it is moved from backoffQ after completing backoff, so preEnqueue is not executed",
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"foo"}},
 			},
 			pod:                    st.MakePod().Name("bar").Label("bar", "").Obj(),
 			event:                  framework.BackoffComplete,
+			movesFromBackoffQ:      true,
+			popFromBackoffQEnabled: []bool{true},
+			wantUnschedulablePods:  0,
+			wantSuccess:            true,
+		},
+		{
+			name: "preEnqueue plugin registered, pod failed one preEnqueue plugin when activated from unschedulablePods",
+			plugins: []fwk.PreEnqueuePlugin{
+				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
+				&preEnqueuePlugin{allowlists: []string{"foo"}},
+			},
+			pod:                    st.MakePod().Name("bar").Label("bar", "").Obj(),
+			event:                  framework.ForceActivate,
+			movesFromBackoffQ:      false,
+			popFromBackoffQEnabled: []bool{true},
+			wantUnschedulablePods:  1,
+			wantSuccess:            false,
+		},
+		{
+			name: "preEnqueue plugin registered, pod would fail one preEnqueue plugin, but was activated from backoffQ, so preEnqueue is not executed",
+			plugins: []fwk.PreEnqueuePlugin{
+				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
+				&preEnqueuePlugin{allowlists: []string{"foo"}},
+			},
+			pod:                    st.MakePod().Name("bar").Label("bar", "").Obj(),
+			event:                  framework.ForceActivate,
+			movesFromBackoffQ:      true,
 			popFromBackoffQEnabled: []bool{true},
 			wantUnschedulablePods:  0,
 			wantSuccess:            true,
 		},
 		{
 			name: "preEnqueue plugin registered, pod passed all preEnqueue plugins",
-			plugins: []framework.PreEnqueuePlugin{
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"bar"}},
 			},
@@ -1630,13 +1658,13 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 				ctx, cancel := context.WithCancel(ctx)
 				defer cancel()
 
-				m := map[string]map[string]framework.PreEnqueuePlugin{"": make(map[string]framework.PreEnqueuePlugin, len(tt.plugins))}
+				m := map[string]map[string]fwk.PreEnqueuePlugin{"": make(map[string]fwk.PreEnqueuePlugin, len(tt.plugins))}
 				for _, plugin := range tt.plugins {
 					m[""][plugin.Name()] = plugin
 				}
 				q := NewTestQueueWithObjects(ctx, newDefaultQueueSort(), []runtime.Object{tt.pod}, WithPreEnqueuePluginMap(m),
 					WithPodInitialBackoffDuration(time.Second*30), WithPodMaxBackoffDuration(time.Second*60))
-				got := q.moveToActiveQ(logger, q.newQueuedPodInfo(tt.pod), tt.event)
+				got := q.moveToActiveQ(logger, q.newQueuedPodInfo(tt.pod), tt.event, tt.movesFromBackoffQ)
 				if got != tt.wantSuccess {
 					t.Errorf("Unexpected result: want %v, but got %v", tt.wantSuccess, got)
 				}
@@ -1660,7 +1688,7 @@ func TestPriorityQueue_moveToActiveQ(t *testing.T) {
 func TestPriorityQueue_moveToBackoffQ(t *testing.T) {
 	tests := []struct {
 		name                   string
-		plugins                []framework.PreEnqueuePlugin
+		plugins                []fwk.PreEnqueuePlugin
 		pod                    *v1.Pod
 		popFromBackoffQEnabled []bool
 		wantSuccess            bool
@@ -1672,21 +1700,21 @@ func TestPriorityQueue_moveToBackoffQ(t *testing.T) {
 		},
 		{
 			name:                   "preEnqueue plugin registered, pod name would not be in allowlists",
-			plugins:                []framework.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
+			plugins:                []fwk.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
 			pod:                    st.MakePod().Name("p").Label("p", "").Obj(),
 			popFromBackoffQEnabled: []bool{false},
 			wantSuccess:            true,
 		},
 		{
 			name:                   "preEnqueue plugin registered, pod name not in allowlists",
-			plugins:                []framework.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
+			plugins:                []fwk.PreEnqueuePlugin{&preEnqueuePlugin{}, &preEnqueuePlugin{}},
 			pod:                    st.MakePod().Name("p").Label("p", "").Obj(),
 			popFromBackoffQEnabled: []bool{true},
 			wantSuccess:            false,
 		},
 		{
 			name: "preEnqueue plugin registered, preEnqueue plugin would reject the pod, but isn't run",
-			plugins: []framework.PreEnqueuePlugin{
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"foo"}},
 			},
@@ -1696,7 +1724,7 @@ func TestPriorityQueue_moveToBackoffQ(t *testing.T) {
 		},
 		{
 			name: "preEnqueue plugin registered, pod failed one preEnqueue plugin",
-			plugins: []framework.PreEnqueuePlugin{
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"foo"}},
 			},
@@ -1706,7 +1734,7 @@ func TestPriorityQueue_moveToBackoffQ(t *testing.T) {
 		},
 		{
 			name: "preEnqueue plugin registered, pod passed all preEnqueue plugins",
-			plugins: []framework.PreEnqueuePlugin{
+			plugins: []fwk.PreEnqueuePlugin{
 				&preEnqueuePlugin{allowlists: []string{"foo", "bar"}},
 				&preEnqueuePlugin{allowlists: []string{"bar"}},
 			},
@@ -1726,7 +1754,7 @@ func TestPriorityQueue_moveToBackoffQ(t *testing.T) {
 				ctx, cancel := context.WithCancel(ctx)
 				defer cancel()
 
-				m := map[string]map[string]framework.PreEnqueuePlugin{"": make(map[string]framework.PreEnqueuePlugin, len(tt.plugins))}
+				m := map[string]map[string]fwk.PreEnqueuePlugin{"": make(map[string]fwk.PreEnqueuePlugin, len(tt.plugins))}
 				for _, plugin := range tt.plugins {
 					m[""][plugin.Name()] = plugin
 				}
@@ -1960,8 +1988,8 @@ func TestPriorityQueue_MoveAllToActiveOrBackoffQueueWithQueueingHint(t *testing.
 			}
 			cl := testingclock.NewFakeClock(now)
 			plugin, _ := schedulinggates.New(ctx, nil, nil, plfeature.Features{})
-			preEnqM := map[string]map[string]framework.PreEnqueuePlugin{"": {
-				names.SchedulingGates: plugin.(framework.PreEnqueuePlugin),
+			preEnqM := map[string]map[string]fwk.PreEnqueuePlugin{"": {
+				names.SchedulingGates: plugin.(fwk.PreEnqueuePlugin),
 				"foo":                 &preEnqueuePlugin{allowlists: []string{"foo"}},
 			}}
 			q := NewTestQueue(ctx, newDefaultQueueSort(), WithQueueingHintMapPerProfile(m), WithClock(cl), WithPreEnqueuePluginMap(preEnqM))
@@ -2633,11 +2661,11 @@ func TestPriorityQueue_UpdateNominatedPodForNode(t *testing.T) {
 	q.Add(logger, medPriorityPodInfo.Pod)
 	// Update unschedulablePodInfo on a different node than specified in the pod.
 	q.AddNominatedPod(logger, mustNewTestPodInfo(t, unschedulablePodInfo.Pod),
-		&framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node5"})
+		&fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node5"})
 
 	// Update nominated node name of a pod on a node that is not specified in the pod object.
 	q.AddNominatedPod(logger, mustNewTestPodInfo(t, highPriorityPodInfo.Pod),
-		&framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node2"})
+		&fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node2"})
 	expectedNominatedPods := &nominator{
 		nominatedPodToNode: map[types.UID]string{
 			medPriorityPodInfo.Pod.UID:   "node1",
@@ -2662,7 +2690,7 @@ func TestPriorityQueue_UpdateNominatedPodForNode(t *testing.T) {
 	}
 	// Update one of the nominated pods that doesn't have nominatedNodeName in the
 	// pod object. It should be updated correctly.
-	q.AddNominatedPod(logger, highPriorityPodInfo, &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node4"})
+	q.AddNominatedPod(logger, highPriorityPodInfo, &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node4"})
 	expectedNominatedPods = &nominator{
 		nominatedPodToNode: map[types.UID]string{
 			medPriorityPodInfo.Pod.UID:   "node1",
@@ -2681,7 +2709,7 @@ func TestPriorityQueue_UpdateNominatedPodForNode(t *testing.T) {
 
 	// Attempt to nominate a pod that was deleted from the informer cache.
 	// Nothing should change.
-	q.AddNominatedPod(logger, nonExistentPodInfo, &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node1"})
+	q.AddNominatedPod(logger, nonExistentPodInfo, &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node1"})
 	if diff := cmp.Diff(q.nominator, expectedNominatedPods, nominatorCmpOpts...); diff != "" {
 		t.Errorf("Unexpected diff after nominating a deleted pod (-want, +got):\n%s", diff)
 	}
@@ -2689,7 +2717,7 @@ func TestPriorityQueue_UpdateNominatedPodForNode(t *testing.T) {
 	// Nothing should change.
 	scheduledPodCopy := scheduledPodInfo.Pod.DeepCopy()
 	scheduledPodInfo.Pod.Spec.NodeName = ""
-	q.AddNominatedPod(logger, mustNewTestPodInfo(t, scheduledPodCopy), &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node1"})
+	q.AddNominatedPod(logger, mustNewTestPodInfo(t, scheduledPodCopy), &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node1"})
 	if diff := cmp.Diff(q.nominator, expectedNominatedPods, nominatorCmpOpts...); diff != "" {
 		t.Errorf("Unexpected diff after nominating a scheduled pod (-want, +got):\n%s", diff)
 	}
@@ -3128,7 +3156,7 @@ var (
 	}
 	addPodActiveQDirectly = func(t *testing.T, logger klog.Logger, queue *PriorityQueue, pInfo *framework.QueuedPodInfo) {
 		queue.activeQ.underLock(func(unlockedActiveQ unlockedActiveQueuer) {
-			unlockedActiveQ.add(pInfo, framework.EventUnscheduledPodAdd.Label())
+			unlockedActiveQ.add(logger, pInfo, framework.EventUnscheduledPodAdd.Label())
 		})
 	}
 	addPodUnschedulablePods = func(t *testing.T, logger klog.Logger, queue *PriorityQueue, pInfo *framework.QueuedPodInfo) {
@@ -3540,9 +3568,9 @@ scheduler_plugin_execution_duration_seconds_count{extension_point="PreEnqueue",p
 					QueueingHintFn: queueHintReturnQueue,
 				},
 			}
-			preenq := map[string]map[string]framework.PreEnqueuePlugin{"": {(&preEnqueuePlugin{}).Name(): &preEnqueuePlugin{allowlists: []string{queueable}}}}
+			preenq := map[string]map[string]fwk.PreEnqueuePlugin{"": {(&preEnqueuePlugin{}).Name(): &preEnqueuePlugin{allowlists: []string{queueable}}}}
 			recorder := metrics.NewMetricsAsyncRecorder(3, 20*time.Microsecond, ctx.Done())
-			queue := NewTestQueue(ctx, newDefaultQueueSort(), WithClock(testingclock.NewFakeClock(timestamp)), WithPreEnqueuePluginMap(preenq), WithPluginMetricsSamplePercent(test.pluginMetricsSamplePercent), WithMetricsRecorder(*recorder), WithQueueingHintMapPerProfile(m))
+			queue := NewTestQueue(ctx, newDefaultQueueSort(), WithClock(testingclock.NewFakeClock(timestamp)), WithPreEnqueuePluginMap(preenq), WithPluginMetricsSamplePercent(test.pluginMetricsSamplePercent), WithMetricsRecorder(recorder), WithQueueingHintMapPerProfile(m))
 			for i, op := range test.operations {
 				for _, pInfo := range test.operands[i] {
 					op(t, logger, queue, pInfo)
@@ -3631,7 +3659,7 @@ func TestPerPodSchedulingMetrics(t *testing.T) {
 			name: "A gated pod is created and scheduled after lifting gate",
 			perPodSchedulingMetricsScenario: func(c *testingclock.FakeClock, queue *PriorityQueue, pod *v1.Pod) {
 				// Create a queue with PreEnqueuePlugin
-				queue.preEnqueuePluginMap = map[string]map[string]framework.PreEnqueuePlugin{"": {(&preEnqueuePlugin{}).Name(): &preEnqueuePlugin{allowlists: []string{"foo"}}}}
+				queue.preEnqueuePluginMap = map[string]map[string]fwk.PreEnqueuePlugin{"": {(&preEnqueuePlugin{}).Name(): &preEnqueuePlugin{allowlists: []string{"foo"}}}}
 				queue.pluginMetricsSamplePercent = 0
 				queue.Add(logger, pod)
 				// Check pod is added to the unschedulablePods queue.
@@ -4281,7 +4309,7 @@ func Test_isPodWorthRequeuing(t *testing.T) {
 func Test_queuedPodInfo_gatedSetUponCreationAndUnsetUponUpdate(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
 	plugin, _ := schedulinggates.New(ctx, nil, nil, plfeature.Features{})
-	m := map[string]map[string]framework.PreEnqueuePlugin{"": {names.SchedulingGates: plugin.(framework.PreEnqueuePlugin)}}
+	m := map[string]map[string]fwk.PreEnqueuePlugin{"": {names.SchedulingGates: plugin.(fwk.PreEnqueuePlugin)}}
 	q := NewTestQueue(ctx, newDefaultQueueSort(), WithPreEnqueuePluginMap(m))
 
 	gatedPod := st.MakePod().SchedulingGates([]string{"hello world"}).Obj()
@@ -4324,7 +4352,7 @@ func TestPriorityQueue_GetPod(t *testing.T) {
 	logger, ctx := ktesting.NewTestContext(t)
 	q := NewTestQueue(ctx, newDefaultQueueSort())
 	q.activeQ.underLock(func(unlockedActiveQ unlockedActiveQueuer) {
-		unlockedActiveQ.add(newQueuedPodInfoForLookup(activeQPod), framework.EventUnscheduledPodAdd.Label())
+		unlockedActiveQ.add(logger, newQueuedPodInfoForLookup(activeQPod), framework.EventUnscheduledPodAdd.Label())
 	})
 	q.backoffQ.add(logger, newQueuedPodInfoForLookup(backoffQPod), framework.EventUnscheduledPodAdd.Label())
 	q.unschedulablePods.addOrUpdate(newQueuedPodInfoForLookup(unschedPod), framework.EventUnscheduledPodAdd.Label())
diff --git a/pkg/scheduler/backend/queue/testing.go b/pkg/scheduler/backend/queue/testing.go
index f619bac849595..40b59832be638 100644
--- a/pkg/scheduler/backend/queue/testing.go
+++ b/pkg/scheduler/backend/queue/testing.go
@@ -23,12 +23,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
 )
 
 // NewTestQueue creates a priority queue with an empty informer factory.
-func NewTestQueue(ctx context.Context, lessFn framework.LessFunc, opts ...Option) *PriorityQueue {
+func NewTestQueue(ctx context.Context, lessFn fwk.LessFunc, opts ...Option) *PriorityQueue {
 	return NewTestQueueWithObjects(ctx, lessFn, nil, opts...)
 }
 
@@ -36,7 +36,7 @@ func NewTestQueue(ctx context.Context, lessFn framework.LessFunc, opts ...Option
 // populated with the provided objects.
 func NewTestQueueWithObjects(
 	ctx context.Context,
-	lessFn framework.LessFunc,
+	lessFn fwk.LessFunc,
 	objs []runtime.Object,
 	opts ...Option,
 ) *PriorityQueue {
@@ -46,13 +46,13 @@ func NewTestQueueWithObjects(
 	// we always set a metric recorder here.
 	recorder := metrics.NewMetricsAsyncRecorder(10, 20*time.Microsecond, ctx.Done())
 	// We set it before the options that users provide, so that users can override it.
-	opts = append([]Option{WithMetricsRecorder(*recorder)}, opts...)
+	opts = append([]Option{WithMetricsRecorder(recorder)}, opts...)
 	return NewTestQueueWithInformerFactory(ctx, lessFn, informerFactory, opts...)
 }
 
 func NewTestQueueWithInformerFactory(
 	ctx context.Context,
-	lessFn framework.LessFunc,
+	lessFn fwk.LessFunc,
 	informerFactory informers.SharedInformerFactory,
 	opts ...Option,
 ) *PriorityQueue {
diff --git a/pkg/scheduler/backend/workloadmanager/podgroupinfo.go b/pkg/scheduler/backend/workloadmanager/podgroupinfo.go
new file mode 100644
index 0000000000000..5d60db349eb05
--- /dev/null
+++ b/pkg/scheduler/backend/workloadmanager/podgroupinfo.go
@@ -0,0 +1,197 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workloadmanager
+
+import (
+	"sync"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/utils/ptr"
+)
+
+// DefaultSchedulingTimeoutDuration defines how long the gang pods should wait at the
+// Permit stage for a quorum before being rejected.
+// Variable is exported only for testing purposes.
+var DefaultSchedulingTimeoutDuration = 5 * time.Minute
+
+// podGroupKey uniquely identifies a specific instance of a PodGroup.
+type podGroupKey struct {
+	namespace    string
+	workloadName string
+	podGroupName string
+	replicaKey   string
+}
+
+func newPodGroupKey(namespace string, workloadRef *v1.WorkloadReference) podGroupKey {
+	return podGroupKey{
+		namespace:    namespace,
+		workloadName: workloadRef.Name,
+		podGroupName: workloadRef.PodGroup,
+		replicaKey:   workloadRef.PodGroupReplicaKey,
+	}
+}
+
+// podGroupInfo holds the runtime state of a pod group.
+type podGroupInfo struct {
+	lock sync.RWMutex
+	// allPods tracks all pods belonging to the group that are known to the scheduler.
+	allPods map[types.UID]*v1.Pod
+	// unscheduledPods tracks all pods that are unscheduled for this group,
+	// i.e., are neither assumed nor scheduled.
+	unscheduledPods sets.Set[types.UID]
+	// assumedPods tracks pods that have reached the Reserve stage and are waiting
+	// for the rest of the gang to arrive before being allowed to bind.
+	assumedPods sets.Set[types.UID]
+	// assignedPods tracks all pods belonging to the group that are assigned (bound).
+	assignedPods sets.Set[types.UID]
+	// schedulingDeadline stores the time at which the gang will time out.
+	// It is initialized when the first pod from the group enters the Permit stage.
+	schedulingDeadline *time.Time
+}
+
+func newPodGroupInfo() *podGroupInfo {
+	return &podGroupInfo{
+		allPods:         make(map[types.UID]*v1.Pod),
+		unscheduledPods: sets.New[types.UID](),
+		assumedPods:     sets.New[types.UID](),
+		assignedPods:    sets.New[types.UID](),
+	}
+}
+
+// addPod adds the pod to this group.
+// Depending on the NodeName, it can insert the pod to assignedPods set.
+func (pgs *podGroupInfo) addPod(pod *v1.Pod) {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	pgs.allPods[pod.UID] = pod
+	if pod.Spec.NodeName != "" {
+		pgs.assignedPods.Insert(pod.UID)
+	} else {
+		pgs.unscheduledPods.Insert(pod.UID)
+	}
+}
+
+// updatePod updates the pod in this group.
+// In case of binding, it moves the pod to assignedPods.
+func (pgs *podGroupInfo) updatePod(oldPod, newPod *v1.Pod) {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	pgs.allPods[newPod.UID] = newPod
+	if oldPod.Spec.NodeName == "" && newPod.Spec.NodeName != "" {
+		pgs.assignedPods.Insert(newPod.UID)
+		// Clear pod from unscheduled and assumed when it is assigned.
+		pgs.unscheduledPods.Delete(newPod.UID)
+		pgs.assumedPods.Delete(newPod.UID)
+	}
+}
+
+// deletePod completely deletes the pod from this group.
+func (pgs *podGroupInfo) deletePod(podUID types.UID) {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	delete(pgs.allPods, podUID)
+	pgs.unscheduledPods.Delete(podUID)
+	pgs.assumedPods.Delete(podUID)
+	pgs.assignedPods.Delete(podUID)
+}
+
+// empty returns true when the group is empty.
+func (pgs *podGroupInfo) empty() bool {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	return len(pgs.allPods) == 0
+}
+
+// AllPods returns the UIDs of all pods known to the scheduler for this group.
+func (pgs *podGroupInfo) AllPods() sets.Set[types.UID] {
+	pgs.lock.RLock()
+	defer pgs.lock.RUnlock()
+
+	return sets.KeySet(pgs.allPods)
+}
+
+// UnscheduledPods returns all pods that are unscheduled for this group,
+// i.e., are neither assumed nor assigned.
+// The returned map type corresponds to the argument of the PodActivator.Activate method.
+func (pgs *podGroupInfo) UnscheduledPods() map[string]*v1.Pod {
+	pgs.lock.RLock()
+	defer pgs.lock.RUnlock()
+
+	unscheduledPods := make(map[string]*v1.Pod, len(pgs.unscheduledPods))
+	for podUID := range pgs.unscheduledPods {
+		pod := pgs.allPods[podUID]
+		unscheduledPods[pod.Name] = pod
+	}
+	return unscheduledPods
+}
+
+// AssumedPods returns the UIDs of all pods for this group in the assumed state,
+// i.e., passed the Reserve gate.
+func (pgs *podGroupInfo) AssumedPods() sets.Set[types.UID] {
+	pgs.lock.RLock()
+	defer pgs.lock.RUnlock()
+
+	return pgs.assumedPods.Clone()
+}
+
+// AssignedPods returns the UIDs of all pods already assigned (bound) for this group.
+func (pgs *podGroupInfo) AssignedPods() sets.Set[types.UID] {
+	pgs.lock.RLock()
+	defer pgs.lock.RUnlock()
+
+	return pgs.assignedPods.Clone()
+}
+
+// SchedulingTimeout returns the remaining time until the pod group scheduling times out.
+// A new deadline is created if one doesn't exist, or if the previous one has expired.
+func (pgs *podGroupInfo) SchedulingTimeout() time.Duration {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	now := time.Now()
+	// A new deadline is set if one doesn't exist, or if the old one has passed.
+	// This allows a new attempt to form a gang after a previous attempt timed out.
+	if pgs.schedulingDeadline == nil || pgs.schedulingDeadline.Before(now) {
+		pgs.schedulingDeadline = ptr.To(now.Add(DefaultSchedulingTimeoutDuration))
+	}
+	return pgs.schedulingDeadline.Sub(now)
+}
+
+// AssumePod marks a pod as having reached the Reserve stage.
+func (pgs *podGroupInfo) AssumePod(podUID types.UID) {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	pgs.assumedPods.Insert(podUID)
+	pgs.unscheduledPods.Delete(podUID)
+}
+
+// ForgetPod removes a pod from the assumed state.
+func (pgs *podGroupInfo) ForgetPod(podUID types.UID) {
+	pgs.lock.Lock()
+	defer pgs.lock.Unlock()
+
+	pgs.unscheduledPods.Insert(podUID)
+	pgs.assumedPods.Delete(podUID)
+}
diff --git a/pkg/scheduler/backend/workloadmanager/podgroupinfo_test.go b/pkg/scheduler/backend/workloadmanager/podgroupinfo_test.go
new file mode 100644
index 0000000000000..ce47acb2eb8aa
--- /dev/null
+++ b/pkg/scheduler/backend/workloadmanager/podgroupinfo_test.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workloadmanager
+
+import (
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	"k8s.io/utils/ptr"
+)
+
+func TestPodGroupInfo_AssumeForget(t *testing.T) {
+	pgi := newPodGroupInfo()
+	pod := st.MakePod().Namespace("ns1").Name("p1").UID("p1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+
+	pgi.addPod(pod)
+	if pgi.AssumedPods().Has(pod.UID) {
+		t.Fatal("AssumedPods should be initially empty")
+	}
+	if !pgi.unscheduledPods.Has(pod.UID) {
+		t.Fatal("Pod should be initially in UnscheduledPods")
+	}
+
+	pgi.AssumePod(pod.UID)
+	if !pgi.AssumedPods().Has(pod.UID) {
+		t.Fatal("Pod should be in AssumedPods after AssumePod")
+	}
+	if pgi.unscheduledPods.Has(pod.UID) {
+		t.Fatal("UnscheduledPods should be empty after AssumePod")
+	}
+
+	pgi.ForgetPod(pod.UID)
+	if pgi.AssumedPods().Has(pod.UID) {
+		t.Fatal("Pod should not be in AssumedPods after ForgetPod")
+	}
+	if !pgi.unscheduledPods.Has(pod.UID) {
+		t.Fatal("Pod should be in UnscheduledPods after ForgetPod")
+	}
+}
+
+func TestPodGroupInfo_SchedulingTimeout(t *testing.T) {
+	pgi := newPodGroupInfo()
+
+	timeout := pgi.SchedulingTimeout()
+	if pgi.schedulingDeadline == nil {
+		t.Fatal("Scheduling deadline should be set after SchedulingTimeout call, but is nil")
+	}
+	if timeout <= 0 {
+		t.Errorf("Expected positive timeout duration, got %v", timeout)
+	}
+
+	// Sleep for a while to ensure that the time has increased,
+	// especially when testing on Windows machines with lower resolution.
+	time.Sleep(10 * time.Millisecond)
+
+	deadline := *pgi.schedulingDeadline
+	newTimeout := pgi.SchedulingTimeout()
+	if !deadline.Equal(*pgi.schedulingDeadline) {
+		t.Errorf("Previous deadline should not be changed: previous: %v, current: %v", deadline, *pgi.schedulingDeadline)
+	}
+	if newTimeout >= timeout {
+		t.Errorf("Expected lower timeout duration: previous: %v, current: %v", timeout, newTimeout)
+	}
+
+	// Sleep for a while to ensure that the time has increased,
+	// especially when testing on Windows machines with lower resolution.
+	time.Sleep(10 * time.Millisecond)
+
+	pgi.schedulingDeadline = ptr.To(time.Now().Add(-1 * time.Second))
+	newTimeout = pgi.SchedulingTimeout()
+	if deadline.Equal(*pgi.schedulingDeadline) {
+		t.Error("Deadline should be reset after it has expired, but it wasn't")
+	}
+	if newTimeout <= 0 {
+		t.Errorf("Expected positive timeout duration after reset, got %v", timeout)
+	}
+}
diff --git a/pkg/scheduler/backend/workloadmanager/workloadmanager.go b/pkg/scheduler/backend/workloadmanager/workloadmanager.go
new file mode 100644
index 0000000000000..088d852cb2154
--- /dev/null
+++ b/pkg/scheduler/backend/workloadmanager/workloadmanager.go
@@ -0,0 +1,129 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workloadmanager
+
+import (
+	"fmt"
+	"sync"
+
+	v1 "k8s.io/api/core/v1"
+	fwk "k8s.io/kube-scheduler/framework"
+)
+
+// WorkloadManager is the central source of truth for the state of pods belonging to Workload objects.
+// It is designed to be driven explicitly by the scheduler's event handlers to ensure thread safety
+// and avoid race conditions with the main scheduling queue.
+// Note: The current implementation assumes that pod.Spec.Workload is immutable.
+// Allowing mutability would require changes to the manager, e.g., by properly handling pod updates.
+type WorkloadManager interface {
+	fwk.WorkloadManager
+
+	// AddPod is called by the scheduler when a Pod/Add event is observed.
+	AddPod(pod *v1.Pod)
+	// UpdatePod is called by the scheduler when a Pod/Update event is observed.
+	UpdatePod(oldPod, newPod *v1.Pod)
+	// DeletePod is called by the scheduler when a Pod/Delete event is observed.
+	DeletePod(pod *v1.Pod)
+}
+
+// workloadManager is the concrete implementation of the WorkloadManager.
+type workloadManager struct {
+	lock sync.RWMutex
+
+	// podGroupInfos stores the runtime state for each known pod group.
+	podGroupInfos map[podGroupKey]*podGroupInfo
+}
+
+// New initializes a new workload manager and returns it.
+func New() *workloadManager {
+	return &workloadManager{
+		podGroupInfos: make(map[podGroupKey]*podGroupInfo),
+	}
+}
+
+// AddPod adds a pod to the workload manager if it has a workload reference.
+// Pod is added to the available pods set for its corresponding pod group.
+func (wm *workloadManager) AddPod(pod *v1.Pod) {
+	if pod.Spec.WorkloadRef == nil {
+		return
+	}
+	wm.lock.Lock()
+	defer wm.lock.Unlock()
+
+	key := newPodGroupKey(pod.Namespace, pod.Spec.WorkloadRef)
+	info, ok := wm.podGroupInfos[key]
+	if !ok {
+		info = newPodGroupInfo()
+		wm.podGroupInfos[key] = info
+	}
+	info.addPod(pod)
+}
+
+// UpdatePod updates a pod in the workload manager if it has a workload reference.
+// Note: The current implementation assumes that newPod.Spec.Workload is immutable.
+func (wm *workloadManager) UpdatePod(oldPod, newPod *v1.Pod) {
+	if newPod.Spec.WorkloadRef == nil {
+		return
+	}
+	wm.lock.Lock()
+	defer wm.lock.Unlock()
+
+	key := newPodGroupKey(newPod.Namespace, newPod.Spec.WorkloadRef)
+	info, ok := wm.podGroupInfos[key]
+	if !ok {
+		// Shouldn't happen, but handling this case gracefully.
+		info = newPodGroupInfo()
+		wm.podGroupInfos[key] = info
+		info.addPod(newPod)
+		return
+	}
+	info.updatePod(oldPod, newPod)
+}
+
+// DeletePod removes a pod from the workload manager if it has a workload reference.
+// Pod is removed from the pods sets for its corresponding pod group.
+func (wm *workloadManager) DeletePod(pod *v1.Pod) {
+	if pod.Spec.WorkloadRef == nil {
+		return
+	}
+	wm.lock.Lock()
+	defer wm.lock.Unlock()
+
+	key := newPodGroupKey(pod.Namespace, pod.Spec.WorkloadRef)
+	info, ok := wm.podGroupInfos[key]
+	if !ok {
+		// The pod group may have already been cleaned up, or the pod was never added.
+		return
+	}
+	info.deletePod(pod.UID)
+	// Clean up the map entry if no pods are left in the group.
+	if info.empty() {
+		delete(wm.podGroupInfos, key)
+	}
+}
+
+// PodGroupInfo returns the state of a pod group.
+func (wm *workloadManager) PodGroupInfo(namespace string, workloadRef *v1.WorkloadReference) (fwk.PodGroupInfo, error) {
+	wm.lock.RLock()
+	defer wm.lock.RUnlock()
+
+	state, ok := wm.podGroupInfos[newPodGroupKey(namespace, workloadRef)]
+	if !ok {
+		return nil, fmt.Errorf("internal pod group state doesn't exist for a pod's workload")
+	}
+	return state, nil
+}
diff --git a/pkg/scheduler/backend/workloadmanager/workloadmanager_test.go b/pkg/scheduler/backend/workloadmanager/workloadmanager_test.go
new file mode 100644
index 0000000000000..00af92c2d38b0
--- /dev/null
+++ b/pkg/scheduler/backend/workloadmanager/workloadmanager_test.go
@@ -0,0 +1,278 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package workloadmanager
+
+import (
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+)
+
+func TestWorkloadManager_AddPod(t *testing.T) {
+	p1 := st.MakePod().Namespace("ns1").Name("p1").UID("p1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	// Assigned
+	p2 := st.MakePod().Namespace("ns1").Name("p2").UID("p2").Node("node1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	// Different ns
+	p3 := st.MakePod().Namespace("ns2").Name("p3").UID("p3").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	nonWorkloadPod := st.MakePod().Namespace("ns1").Name("non-workload").Obj()
+
+	tests := []struct {
+		name     string
+		initPods []*v1.Pod
+		podToAdd *v1.Pod
+
+		expectedPodGroups       int
+		expectInAllPods         bool
+		expectInUnscheduledPods bool
+		expectInAssumedPods     bool
+		expectInAssignedPods    bool
+	}{
+		{
+			name:                    "adding an unscheduled pod",
+			podToAdd:                p1,
+			expectedPodGroups:       1,
+			expectInAllPods:         true,
+			expectInUnscheduledPods: true,
+		},
+		{
+			name:                 "adding an assigned pod",
+			podToAdd:             p2,
+			expectedPodGroups:    1,
+			expectInAllPods:      true,
+			expectInAssignedPods: true,
+		},
+		{
+			name:                    "adding pod with different namespace",
+			initPods:                []*v1.Pod{p1},
+			podToAdd:                p3,
+			expectedPodGroups:       2,
+			expectInAllPods:         true,
+			expectInUnscheduledPods: true,
+		},
+		{
+			name:              "adding a non-workload pod is a no-op",
+			podToAdd:          nonWorkloadPod,
+			expectedPodGroups: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager := New()
+			for _, p := range tt.initPods {
+				manager.AddPod(p)
+			}
+
+			manager.AddPod(tt.podToAdd)
+
+			gotPodGroups := len(manager.podGroupInfos)
+			if gotPodGroups != tt.expectedPodGroups {
+				t.Fatalf("Expected %v pod group(s), got %v", tt.expectedPodGroups, gotPodGroups)
+			}
+			if gotPodGroups == 0 {
+				return
+			}
+			info, err := manager.PodGroupInfo(tt.podToAdd.Namespace, tt.podToAdd.Spec.WorkloadRef)
+			if err != nil {
+				t.Fatalf("Unexpected error getting pod group info: %v", err)
+			}
+			if inAll := info.AllPods().Has(tt.podToAdd.UID); inAll != tt.expectInAllPods {
+				t.Errorf("Unexpected AllPods state, want: %v, got: %v", tt.expectInAllPods, inAll)
+			}
+			if inAssumed := info.AssumedPods().Has(tt.podToAdd.UID); inAssumed != tt.expectInAssumedPods {
+				t.Errorf("Unexpected AssumedPods state, want: %v, got: %v", tt.expectInAssumedPods, inAssumed)
+			}
+			if inAssigned := info.AssignedPods().Has(tt.podToAdd.UID); inAssigned != tt.expectInAssignedPods {
+				t.Errorf("Unexpected AssignedPods state, want: %v, got: %v", tt.expectInAssignedPods, inAssigned)
+			}
+		})
+	}
+}
+
+func TestWorkloadManager_UpdatePod(t *testing.T) {
+	pod := st.MakePod().Namespace("ns1").Name("p1").UID("p1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	updatedPod := st.MakePod().Namespace("ns1").Name("p1").UID("p1").Labels(map[string]string{"foo": "bar"}).
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+
+	assignedPod := st.MakePod().Namespace("ns1").Name("p2").UID("p2").Node("node1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	updatedAssignedPod := st.MakePod().Namespace("ns1").Name("p2").UID("p2").Node("node1").Labels(map[string]string{"foo": "bar"}).
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+
+	nonWorkloadPod := st.MakePod().Namespace("ns1").Name("non-workload").Obj()
+	updatedNonWorkloadPod := st.MakePod().Namespace("ns1").Name("non-workload").Labels(map[string]string{"foo": "bar"}).Obj()
+
+	tests := []struct {
+		name      string
+		assumePod bool
+		oldPod    *v1.Pod
+		newPod    *v1.Pod
+
+		expectInAllPods         bool
+		expectInUnscheduledPods bool
+		expectInAssumedPods     bool
+		expectInAssignedPods    bool
+	}{
+		{
+			name:                    "updating an unscheduled pod",
+			oldPod:                  pod,
+			newPod:                  updatedPod,
+			expectInAllPods:         true,
+			expectInUnscheduledPods: true,
+		},
+		{
+			name:                "updating an assumed pod",
+			assumePod:           true,
+			oldPod:              pod,
+			newPod:              updatedPod,
+			expectInAllPods:     true,
+			expectInAssumedPods: true,
+		},
+		{
+			name:                 "updating an assigned pod",
+			oldPod:               assignedPod,
+			newPod:               updatedAssignedPod,
+			expectInAllPods:      true,
+			expectInAssignedPods: true,
+		},
+		{
+			name:                 "binding an unscheduled pod",
+			oldPod:               pod,
+			newPod:               assignedPod,
+			expectInAllPods:      true,
+			expectInAssignedPods: true,
+		},
+		{
+			name:                 "binding an assumed pod",
+			assumePod:            true,
+			oldPod:               pod,
+			newPod:               assignedPod,
+			expectInAllPods:      true,
+			expectInAssignedPods: true,
+		},
+		{
+			name:   "updating a non-workload pod is a no-op",
+			oldPod: nonWorkloadPod,
+			newPod: updatedNonWorkloadPod,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager := New()
+
+			manager.AddPod(tt.oldPod)
+			if tt.assumePod {
+				info, err := manager.PodGroupInfo(tt.oldPod.Namespace, tt.oldPod.Spec.WorkloadRef)
+				if err != nil {
+					t.Fatalf("Unexpected error getting pod group info: %v", err)
+				}
+				info.AssumePod(tt.oldPod.UID)
+			}
+
+			manager.UpdatePod(tt.oldPod, tt.newPod)
+
+			gotPodGroups := len(manager.podGroupInfos)
+			if gotPodGroups == 0 {
+				if tt.expectInAllPods {
+					t.Fatalf("Expected pod group, but got none")
+				}
+				return
+			}
+			if !tt.expectInAllPods {
+				t.Fatalf("Expected no pod groups, but got %v", gotPodGroups)
+			}
+			info, err := manager.PodGroupInfo(tt.newPod.Namespace, tt.newPod.Spec.WorkloadRef)
+			if err != nil {
+				t.Fatalf("Unexpected error getting pod group info: %v", err)
+			}
+			if inAll := info.AllPods().Has(tt.newPod.UID); inAll != tt.expectInAllPods {
+				t.Errorf("Unexpected AllPods state, want: %v, got: %v", tt.expectInAllPods, inAll)
+			}
+			if inAssumed := info.AssumedPods().Has(tt.newPod.UID); inAssumed != tt.expectInAssumedPods {
+				t.Errorf("Unexpected AssumedPods state, want: %v, got: %v", tt.expectInAssumedPods, inAssumed)
+			}
+			if inAssigned := info.AssignedPods().Has(tt.newPod.UID); inAssigned != tt.expectInAssignedPods {
+				t.Errorf("Unexpected AssignedPods state, want: %v, got: %v", tt.expectInAssignedPods, inAssigned)
+			}
+		})
+	}
+}
+
+func TestWorkloadManager_DeletePod(t *testing.T) {
+	p1 := st.MakePod().Namespace("ns1").Name("p1").UID("p1").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+	p2 := st.MakePod().Namespace("ns1").Name("p2").UID("p2").
+		WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+
+	tests := []struct {
+		name        string
+		initPods    []*v1.Pod
+		podToDelete *v1.Pod
+
+		expectedPodGroups int
+	}{
+		{
+			name:              "deleting a pod from a group with multiple pods",
+			initPods:          []*v1.Pod{p1, p2},
+			podToDelete:       p1,
+			expectedPodGroups: 1,
+		},
+		{
+			name:        "deleting the last pod cleans up the info",
+			initPods:    []*v1.Pod{p1},
+			podToDelete: p1,
+		},
+		{
+			name:        "deleting a non-existent pod is a no-op",
+			podToDelete: p1,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager := New()
+			for _, p := range tt.initPods {
+				manager.AddPod(p)
+			}
+			manager.DeletePod(tt.podToDelete)
+
+			gotPodGroups := len(manager.podGroupInfos)
+			if gotPodGroups != tt.expectedPodGroups {
+				t.Fatalf("Expected %v pod group(s), got %v", tt.expectedPodGroups, gotPodGroups)
+			}
+			if gotPodGroups == 0 {
+				return
+			}
+			info, err := manager.PodGroupInfo(tt.podToDelete.Namespace, tt.podToDelete.Spec.WorkloadRef)
+			if err != nil {
+				t.Fatalf("Unexpected error getting pod group info: %v", err)
+			}
+			if len(info.AllPods()) == 0 {
+				t.Errorf("Expected AllPods to be non-empty")
+			}
+			if info.AllPods().Has(p1.UID) {
+				t.Errorf("Expected pod to be deleted")
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/eventhandlers.go b/pkg/scheduler/eventhandlers.go
index 3b1688de1c5b6..2febf790f5370 100644
--- a/pkg/scheduler/eventhandlers.go
+++ b/pkg/scheduler/eventhandlers.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	corev1helpers "k8s.io/component-helpers/scheduling/corev1"
 	corev1nodeaffinity "k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
 	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
@@ -62,7 +63,7 @@ func (sched *Scheduler) addNodeToCache(obj interface{}) {
 
 	logger.V(3).Info("Add event for node", "node", klog.KObj(node))
 	nodeInfo := sched.Cache.AddNode(logger, node)
-	sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, evt, nil, node, preCheckForNode(nodeInfo))
+	sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, evt, nil, node, preCheckForNode(logger, nodeInfo))
 }
 
 func (sched *Scheduler) updateNodeInCache(oldObj, newObj interface{}) {
@@ -89,7 +90,7 @@ func (sched *Scheduler) updateNodeInCache(oldObj, newObj interface{}) {
 	// Only requeue unschedulable pods if the node became more schedulable.
 	for _, evt := range events {
 		startMoving := time.Now()
-		sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, evt, oldNode, newNode, preCheckForNode(nodeInfo))
+		sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, evt, oldNode, newNode, preCheckForNode(logger, nodeInfo))
 		movingDuration := metrics.SinceInSeconds(startMoving)
 
 		metrics.EventHandlingLatency.WithLabelValues(evt.Label()).Observe(updatingDuration + movingDuration)
@@ -126,14 +127,114 @@ func (sched *Scheduler) deleteNodeFromCache(obj interface{}) {
 	}
 }
 
-func (sched *Scheduler) addPodToSchedulingQueue(obj interface{}) {
+func (sched *Scheduler) addPod(obj interface{}) {
+	logger := sched.logger
+	pod, ok := obj.(*v1.Pod)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", obj)
+		return
+	}
+
+	if sched.WorkloadManager != nil {
+		// Register pod into workload manager before adding to the cache or scheduling queue.
+		sched.WorkloadManager.AddPod(pod)
+	}
+	if assignedPod(pod) {
+		sched.addAssignedPodToCache(pod)
+	} else if responsibleForPod(pod, sched.Profiles) {
+		sched.addPodToSchedulingQueue(pod)
+	}
+}
+
+func (sched *Scheduler) updatePod(oldObj, newObj interface{}) {
+	logger := sched.logger
+	oldPod, ok := oldObj.(*v1.Pod)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert oldObj to *v1.Pod", "oldObj", oldObj)
+		return
+	}
+	newPod, ok := newObj.(*v1.Pod)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert newObj to *v1.Pod", "newObj", newObj)
+		return
+	}
+
+	if sched.WorkloadManager != nil {
+		// Update pod in workload manager before updating it in the cache or scheduling queue.
+		sched.WorkloadManager.UpdatePod(oldPod, newPod)
+	}
+	if assignedPod(oldPod) {
+		sched.updateAssignedPodInCache(oldPod, newPod)
+	} else if assignedPod(newPod) {
+		// This update means binding operation. We can treat it as adding the pod to a cache
+		// (addition to the cache will handle this binding appropriately).
+		sched.addAssignedPodToCache(newPod)
+		if responsibleForPod(oldPod, sched.Profiles) {
+			// Pod shouldn't be in the scheduling queue, but in unlikely event that the pod has been bound
+			// by another component, it should be removed from scheduling queue for correctness.
+			// Passing "true" means that removal from the scheduling queue is caused by a binding event,
+			// not by removal of the pod from the cluster.
+			sched.deletePodFromSchedulingQueue(oldPod, true)
+		}
+	} else if responsibleForPod(oldPod, sched.Profiles) {
+		sched.updatePodInSchedulingQueue(oldPod, newPod)
+	}
+}
+
+func (sched *Scheduler) deletePod(obj interface{}) {
+	logger := sched.logger
+	var pod *v1.Pod
+	switch t := obj.(type) {
+	case *v1.Pod:
+		pod = t
+		if sched.WorkloadManager != nil {
+			// Delete pod from workload manager before deleting the pod from cache or scheduling queue.
+			sched.WorkloadManager.DeletePod(pod)
+		}
+		if assignedPod(pod) {
+			sched.deleteAssignedPodFromCache(pod)
+		} else if responsibleForPod(pod, sched.Profiles) {
+			// Passing "false" means that removal from the scheduling queue is caused by
+			// removal of the pod from the cluster, not by a binding event.
+			sched.deletePodFromSchedulingQueue(pod, false)
+		}
+		return
+	case cache.DeletedFinalStateUnknown:
+		var ok bool
+		pod, ok = t.Obj.(*v1.Pod)
+		if !ok {
+			utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", t.Obj)
+			return
+		}
+		if sched.WorkloadManager != nil {
+			// Delete pod from workload manager before deleting the pod from cache or scheduling queue.
+			sched.WorkloadManager.DeletePod(pod)
+		}
+		// The carried object may be stale, so we don't use it to check if
+		// it's assigned or not. Attempting to cleanup anyways.
+		sched.deleteAssignedPodFromCache(pod)
+		if responsibleForPod(pod, sched.Profiles) {
+			// Passing "false" means that removal from the scheduling queue is caused by
+			// removal of the pod from the cluster, not by a binding event.
+			sched.deletePodFromSchedulingQueue(pod, false)
+		}
+		return
+	default:
+		utilruntime.HandleErrorWithLogger(logger, nil, "Unable to handle object", "objType", fmt.Sprintf("%T", obj), "obj", obj)
+		return
+	}
+}
+
+func (sched *Scheduler) addPodToSchedulingQueue(pod *v1.Pod) {
 	start := time.Now()
 	defer metrics.EventHandlingLatency.WithLabelValues(framework.EventUnscheduledPodAdd.Label()).Observe(metrics.SinceInSeconds(start))
 
 	logger := sched.logger
-	pod := obj.(*v1.Pod)
 	logger.V(3).Info("Add event for unscheduled pod", "pod", klog.KObj(pod))
 	sched.SchedulingQueue.Add(logger, pod)
+	if utilfeature.DefaultFeatureGate.Enabled(features.GangScheduling) {
+		sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, framework.EventUnscheduledPodAdd, nil, pod, nil)
+	}
 }
 
 func (sched *Scheduler) syncPodWithDispatcher(pod *v1.Pod) *v1.Pod {
@@ -150,10 +251,52 @@ func (sched *Scheduler) syncPodWithDispatcher(pod *v1.Pod) *v1.Pod {
 	return enrichedPod
 }
 
-func (sched *Scheduler) updatePodInSchedulingQueue(oldObj, newObj interface{}) {
+// handleAssumedPodDeletion is an event handler that deals with the deletion of an assumed pod.
+// We must remove it from the scheduler's cache immediately to prevent it from blocking resources for other pending pods,
+// causing unnecessary preemption attempts. Note that PreBinding/Binding will continue, but is eventually expected to fail
+// as the pod does not exist in the kube-apiserver anymore and so in the scheduler cache.
+func (sched *Scheduler) handleAssumedPodDeletion(pod *v1.Pod) {
+	logger := sched.logger
+	// We must operate on the pod from the scheduler's cache, not the one from the event.
+	// The cached version has the assigned NodeName and represents the resources being consumed.
+	assumedPod, err := sched.Cache.GetPod(pod)
+	if err != nil {
+		// This is not an error. The pod may have already completed its binding cycle and been
+		// removed from the cache. Nothing more to do.
+		logger.V(5).Info("Assumed pod was already forgotten", "pod", klog.KObj(pod))
+		return
+	}
+	pod = assumedPod
+
+	fwk, err := sched.frameworkForPod(pod)
+	if err != nil {
+		// This shouldn't happen, because we only accept for scheduling the pods
+		// which specify a scheduler name that matches one of the profiles.
+		utilruntime.HandleErrorWithLogger(logger, err, "Unable to get profile for pod", "pod", klog.KObj(pod))
+		return
+	}
+
+	// The pod might be in one of two states:
+	// 1. If the pod is waiting on WaitOnPermit, we reject it. This causes the pod's scheduling
+	//    cycle to quickly fail gracefully, and it will clean itself up via `handleBindingCycleError`.
+	if !fwk.RejectWaitingPod(pod.UID) {
+		// 2. If the pod is no longer waiting (e.g., it's in PreBind or Bind), we can't quickly reject it.
+		//    We must explicitly remove it from the cache here to free up its assumed resources.
+		if err := sched.Cache.ForgetPod(logger, pod); err != nil {
+			utilruntime.HandleErrorWithLogger(logger, err, "Scheduler cache ForgetPod failed", "pod", klog.KObj(pod))
+		}
+	}
+
+	// The removal of this assumed pod may have freed up resources. We trigger the AssignedPodDelete event
+	// to move other unscheduled pods, giving them a chance to be scheduled.
+	// If the forgotten pod reserved some resources in memory,
+	// it will wake up the pods again after freeing up the resources in `handleBindingCycleError`.
+	sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, framework.EventAssignedPodDelete, pod, nil, nil)
+}
+
+func (sched *Scheduler) updatePodInSchedulingQueue(oldPod, newPod *v1.Pod) {
 	start := time.Now()
 	logger := sched.logger
-	oldPod, newPod := oldObj.(*v1.Pod), newObj.(*v1.Pod)
 	// Bypass update event that carries identical objects; otherwise, a duplicated
 	// Pod may go through scheduling and cause unexpected behavior (see #96071).
 	if oldPod.ResourceVersion == newPod.ResourceVersion {
@@ -178,6 +321,11 @@ func (sched *Scheduler) updatePodInSchedulingQueue(oldObj, newObj interface{}) {
 		utilruntime.HandleErrorWithLogger(logger, err, "Failed to check whether pod is assumed", "pod", klog.KObj(newPod))
 	}
 	if isAssumed {
+		if newPod.DeletionTimestamp != nil && oldPod.DeletionTimestamp == nil {
+			// Assumed pod deletion has started. We should handle that differently,
+			// because we can't update such pod in any structure directly.
+			sched.handleAssumedPodDeletion(newPod)
+		}
 		return
 	}
 
@@ -195,45 +343,33 @@ func hasNominatedNodeNameChanged(oldPod, newPod *v1.Pod) bool {
 	return len(oldPod.Status.NominatedNodeName) > 0 && oldPod.Status.NominatedNodeName != newPod.Status.NominatedNodeName
 }
 
-func (sched *Scheduler) deletePodFromSchedulingQueue(obj interface{}) {
+func (sched *Scheduler) deletePodFromSchedulingQueue(pod *v1.Pod, inBinding bool) {
 	start := time.Now()
 	defer metrics.EventHandlingLatency.WithLabelValues(framework.EventUnscheduledPodDelete.Label()).Observe(metrics.SinceInSeconds(start))
 
 	logger := sched.logger
-	var pod *v1.Pod
-	switch t := obj.(type) {
-	case *v1.Pod:
-		pod = obj.(*v1.Pod)
-	case cache.DeletedFinalStateUnknown:
-		var ok bool
-		pod, ok = t.Obj.(*v1.Pod)
-		if !ok {
-			utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", t.Obj)
-			return
-		}
-	default:
-		utilruntime.HandleErrorWithLogger(logger, nil, "Unable to handle object", "objType", fmt.Sprintf("%T", obj), "obj", obj)
-		return
-	}
 
 	logger.V(3).Info("Delete event for unscheduled pod", "pod", klog.KObj(pod))
 	sched.SchedulingQueue.Delete(pod)
-	fwk, err := sched.frameworkForPod(pod)
-	if err != nil {
-		// This shouldn't happen, because we only accept for scheduling the pods
-		// which specify a scheduler name that matches one of the profiles.
-		utilruntime.HandleErrorWithLogger(logger, err, "Unable to get profile", "pod", klog.KObj(pod))
+	if inBinding {
+		// In the case of a binding, the rest can be skipped because it is not really a pod removal operation, but a binding.
+		// Any necessary notifications will be sent by the binding process, unless it was an unlikely external binding.
+		// In that case, we need to notify about the release of resources that were held by different assume/nomination
+		// once the https://github.com/kubernetes/kubernetes/issues/134859 is fixed.
 		return
 	}
-	// If a waiting pod is rejected, it indicates it's previously assumed and we're
-	// removing it from the scheduler cache. In this case, signal a AssignedPodDelete
-	// event to immediately retry some unscheduled Pods.
-	// Similarly when a pod that had nominated node is deleted, it can unblock scheduling of other pods,
-	// because the lower or equal priority pods treat such a pod as if it was assigned.
-	if fwk.RejectWaitingPod(pod.UID) {
-		sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, framework.EventAssignedPodDelete, pod, nil, nil)
+	isAssumed, err := sched.Cache.IsAssumedPod(pod)
+	if err != nil {
+		utilruntime.HandleErrorWithLogger(logger, err, "Failed to check whether pod is assumed", "pod", klog.KObj(pod))
+	}
+	if isAssumed {
+		// Assumed pod is deleted. We should handle that differently,
+		// because we can't delete such pod from any structure directly.
+		sched.handleAssumedPodDeletion(pod)
 	} else if pod.Status.NominatedNodeName != "" {
-		// Note that a nominated pod can fall into `RejectWaitingPod` case as well,
+		// When a pod that had nominated node is deleted, it can unblock scheduling of other pods,
+		// because the lower or equal priority pods treat such a pod as if it was assigned.
+		// Note that a nominated pod can fall into `handleAssumedPodDeletion` case as well,
 		// but in that case the `MoveAllToActiveOrBackoffQueue` already covered lower priority pods.
 		sched.SchedulingQueue.MoveAllToActiveOrBackoffQueue(logger, framework.EventAssignedPodDelete, pod, nil, getLEPriorityPreCheck(corev1helpers.PodPriority(pod)))
 	}
@@ -246,16 +382,11 @@ func getLEPriorityPreCheck(priority int32) queue.PreEnqueueCheck {
 	}
 }
 
-func (sched *Scheduler) addPodToCache(obj interface{}) {
+func (sched *Scheduler) addAssignedPodToCache(pod *v1.Pod) {
 	start := time.Now()
 	defer metrics.EventHandlingLatency.WithLabelValues(framework.EventAssignedPodAdd.Label()).Observe(metrics.SinceInSeconds(start))
 
 	logger := sched.logger
-	pod, ok := obj.(*v1.Pod)
-	if !ok {
-		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", obj)
-		return
-	}
 
 	logger.V(3).Info("Add event for scheduled pod", "pod", klog.KObj(pod))
 	if err := sched.Cache.AddPod(logger, pod); err != nil {
@@ -278,21 +409,11 @@ func (sched *Scheduler) addPodToCache(obj interface{}) {
 	}
 }
 
-func (sched *Scheduler) updatePodInCache(oldObj, newObj interface{}) {
+func (sched *Scheduler) updateAssignedPodInCache(oldPod, newPod *v1.Pod) {
 	start := time.Now()
 	defer metrics.EventHandlingLatency.WithLabelValues(framework.EventAssignedPodUpdate.Label()).Observe(metrics.SinceInSeconds(start))
 
 	logger := sched.logger
-	oldPod, ok := oldObj.(*v1.Pod)
-	if !ok {
-		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert oldObj to *v1.Pod", "oldObj", oldObj)
-		return
-	}
-	newPod, ok := newObj.(*v1.Pod)
-	if !ok {
-		utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert newObj to *v1.Pod", "newObj", newObj)
-		return
-	}
 
 	if sched.APIDispatcher != nil {
 		// If the API dispatcher is available, sync the new pod with the details.
@@ -331,26 +452,11 @@ func (sched *Scheduler) updatePodInCache(oldObj, newObj interface{}) {
 	}
 }
 
-func (sched *Scheduler) deletePodFromCache(obj interface{}) {
+func (sched *Scheduler) deleteAssignedPodFromCache(pod *v1.Pod) {
 	start := time.Now()
 	defer metrics.EventHandlingLatency.WithLabelValues(framework.EventAssignedPodDelete.Label()).Observe(metrics.SinceInSeconds(start))
 
 	logger := sched.logger
-	var pod *v1.Pod
-	switch t := obj.(type) {
-	case *v1.Pod:
-		pod = t
-	case cache.DeletedFinalStateUnknown:
-		var ok bool
-		pod, ok = t.Obj.(*v1.Pod)
-		if !ok {
-			utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", t.Obj)
-			return
-		}
-	default:
-		utilruntime.HandleErrorWithLogger(logger, nil, "Unable to handle object", "objType", fmt.Sprintf("%T", obj), "obj", obj)
-		return
-	}
 
 	logger.V(3).Info("Delete event for scheduled pod", "pod", klog.KObj(pod))
 	if err := sched.Cache.RemovePod(logger, pod); err != nil {
@@ -396,6 +502,7 @@ func addAllEventHandlers(
 	dynInformerFactory dynamicinformer.DynamicSharedInformerFactory,
 	resourceClaimCache *assumecache.AssumeCache,
 	resourceSliceTracker *resourceslicetracker.Tracker,
+	draManager fwk.SharedDRAManager,
 	gvkMap map[fwk.EventResource]fwk.ActionType,
 ) error {
 	var (
@@ -405,64 +512,12 @@ func addAllEventHandlers(
 	)
 
 	logger := sched.logger
-	// scheduled pod cache
-	if handlerRegistration, err = informerFactory.Core().V1().Pods().Informer().AddEventHandler(
-		cache.FilteringResourceEventHandler{
-			FilterFunc: func(obj interface{}) bool {
-				switch t := obj.(type) {
-				case *v1.Pod:
-					return assignedPod(t)
-				case cache.DeletedFinalStateUnknown:
-					if _, ok := t.Obj.(*v1.Pod); ok {
-						// The carried object may be stale, so we don't use it to check if
-						// it's assigned or not. Attempting to cleanup anyways.
-						return true
-					}
-					utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", t.Obj)
-					return false
-				default:
-					utilruntime.HandleErrorWithLogger(logger, nil, "Unable to handle object", "objType", fmt.Sprintf("%T", obj), "obj", obj)
-					return false
-				}
-			},
-			Handler: cache.ResourceEventHandlerFuncs{
-				AddFunc:    sched.addPodToCache,
-				UpdateFunc: sched.updatePodInCache,
-				DeleteFunc: sched.deletePodFromCache,
-			},
-		},
-	); err != nil {
-		return err
-	}
-	handlers = append(handlers, handlerRegistration)
 
-	// unscheduled pod queue
-	if handlerRegistration, err = informerFactory.Core().V1().Pods().Informer().AddEventHandler(
-		cache.FilteringResourceEventHandler{
-			FilterFunc: func(obj interface{}) bool {
-				switch t := obj.(type) {
-				case *v1.Pod:
-					return !assignedPod(t) && responsibleForPod(t, sched.Profiles)
-				case cache.DeletedFinalStateUnknown:
-					if pod, ok := t.Obj.(*v1.Pod); ok {
-						// The carried object may be stale, so we don't use it to check if
-						// it's assigned or not.
-						return responsibleForPod(pod, sched.Profiles)
-					}
-					utilruntime.HandleErrorWithLogger(logger, nil, "Cannot convert to *v1.Pod", "obj", t.Obj)
-					return false
-				default:
-					utilruntime.HandleErrorWithLogger(logger, nil, "Unable to handle object", "objType", fmt.Sprintf("%T", obj), "obj", obj)
-					return false
-				}
-			},
-			Handler: cache.ResourceEventHandlerFuncs{
-				AddFunc:    sched.addPodToSchedulingQueue,
-				UpdateFunc: sched.updatePodInSchedulingQueue,
-				DeleteFunc: sched.deletePodFromSchedulingQueue,
-			},
-		},
-	); err != nil {
+	if handlerRegistration, err = informerFactory.Core().V1().Pods().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    sched.addPod,
+		UpdateFunc: sched.updatePod,
+		DeleteFunc: sched.deletePod,
+	}); err != nil {
 		return err
 	}
 	handlers = append(handlers, handlerRegistration)
@@ -595,8 +650,20 @@ func addAllEventHandlers(
 			}
 		case fwk.DeviceClass:
 			if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
+				handler := cache.ResourceEventHandler(buildEvtResHandler(at, fwk.DeviceClass))
+				if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+					// Inject updating of the cache before the scheduler event handlers ("chaining")
+					// to ensure that the cache gets updated before the scheduler kicks off
+					// pod scheduling based on a DeviceClass event.
+					//
+					// We know that this is a DefaultDRAManager and we know that it
+					// uses an ExtendedResourceCache, so no need for type checks.
+					erCache := draManager.DeviceClassResolver().(*extendedresourcecache.ExtendedResourceCache)
+					erCache.AddEventHandler(handler)
+					handler = erCache
+				}
 				if handlerRegistration, err = informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(
-					buildEvtResHandler(at, fwk.DeviceClass),
+					handler,
 				); err != nil {
 					return err
 				}
@@ -616,6 +683,15 @@ func addAllEventHandlers(
 				return err
 			}
 			handlers = append(handlers, handlerRegistration)
+		case fwk.Workload:
+			if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+				if handlerRegistration, err = informerFactory.Scheduling().V1alpha1().Workloads().Informer().AddEventHandler(
+					buildEvtResHandler(at, fwk.Workload),
+				); err != nil {
+					return err
+				}
+				handlers = append(handlers, handlerRegistration)
+			}
 		default:
 			// Tests may not instantiate dynInformerFactory.
 			if dynInformerFactory == nil {
@@ -648,7 +724,7 @@ func addAllEventHandlers(
 	return nil
 }
 
-func preCheckForNode(nodeInfo *framework.NodeInfo) queue.PreEnqueueCheck {
+func preCheckForNode(logger klog.Logger, nodeInfo *framework.NodeInfo) queue.PreEnqueueCheck {
 	if utilfeature.DefaultFeatureGate.Enabled(features.SchedulerQueueingHints) {
 		// QHint is initially created from the motivation of replacing this preCheck.
 		// It assumes that the scheduler only has in-tree plugins, which is problematic for our extensibility.
@@ -664,7 +740,9 @@ func preCheckForNode(nodeInfo *framework.NodeInfo) queue.PreEnqueueCheck {
 		if len(admissionResults) != 0 {
 			return false
 		}
-		_, isUntolerated := corev1helpers.FindMatchingUntoleratedTaint(nodeInfo.Node().Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc())
+		_, isUntolerated := corev1helpers.FindMatchingUntoleratedTaint(logger, nodeInfo.Node().Spec.Taints, pod.Spec.Tolerations,
+			helper.DoNotScheduleTaintsFilterFunc(),
+			utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators))
 		return !isUntolerated
 	}
 }
@@ -675,7 +753,7 @@ func preCheckForNode(nodeInfo *framework.NodeInfo) queue.PreEnqueueCheck {
 // returns all failures.
 func AdmissionCheck(pod *v1.Pod, nodeInfo *framework.NodeInfo, includeAllFailures bool) []AdmissionResult {
 	var admissionResults []AdmissionResult
-	insufficientResources := noderesources.Fits(pod, nodeInfo, noderesources.ResourceRequestsOptions{
+	insufficientResources := noderesources.Fits(pod, nodeInfo, nil, noderesources.ResourceRequestsOptions{
 		EnablePodLevelResources:   utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources),
 		EnableDRAExtendedResource: utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource),
 	})
diff --git a/pkg/scheduler/eventhandlers_test.go b/pkg/scheduler/eventhandlers_test.go
index d8f6a6707a88d..2684074b6ec3b 100644
--- a/pkg/scheduler/eventhandlers_test.go
+++ b/pkg/scheduler/eventhandlers_test.go
@@ -30,6 +30,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	resourcealphaapi "k8s.io/api/resource/v1alpha3"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -41,24 +42,30 @@ import (
 	dyfake "k8s.io/client-go/dynamic/fake"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
+	apidispatcher "k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
 	internalcache "k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	internalqueue "k8s.io/kubernetes/pkg/scheduler/backend/queue"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
+	apicalls "k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultbinder"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeaffinity"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodename"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeports"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/noderesources"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/queuesort"
+	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
+	"k8s.io/kubernetes/pkg/scheduler/profile"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	tf "k8s.io/kubernetes/pkg/scheduler/testing/framework"
 	"k8s.io/kubernetes/pkg/scheduler/util"
 	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 )
@@ -127,7 +134,7 @@ func TestEventHandlers_MoveToActiveOnNominatedNodeUpdate(t *testing.T) {
 		{
 			name: "Removal of a pod that had nominated node name should trigger rescheduling of lower priority pods",
 			updateFunc: func(s *Scheduler) {
-				s.deletePodFromSchedulingQueue(medNominatedPriorityPod)
+				s.deletePodFromSchedulingQueue(medNominatedPriorityPod, false)
 			},
 			wantInActiveOrBackoff: sets.New(lowPriorityPod.Name, medPriorityPod.Name),
 		},
@@ -171,7 +178,7 @@ func TestEventHandlers_MoveToActiveOnNominatedNodeUpdate(t *testing.T) {
 				queue := internalqueue.NewPriorityQueue(
 					newDefaultQueueSort(),
 					informerFactory,
-					internalqueue.WithMetricsRecorder(*recorder),
+					internalqueue.WithMetricsRecorder(recorder),
 					internalqueue.WithQueueingHintMapPerProfile(queueingHintMap),
 					internalqueue.WithAPIDispatcher(apiDispatcher),
 					// disable backoff queue
@@ -217,29 +224,29 @@ func TestEventHandlers_MoveToActiveOnNominatedNodeUpdate(t *testing.T) {
 	}
 }
 
-func newDefaultQueueSort() framework.LessFunc {
+func newDefaultQueueSort() fwk.LessFunc {
 	sort := &queuesort.PrioritySort{}
 	return sort.Less
 }
 
-func TestUpdatePodInCache(t *testing.T) {
+func TestUpdateAssignedPodInCache(t *testing.T) {
 	ttl := 10 * time.Second
 	nodeName := "node"
 
 	tests := []struct {
 		name   string
-		oldObj interface{}
-		newObj interface{}
+		oldPod *v1.Pod
+		newPod *v1.Pod
 	}{
 		{
 			name:   "pod updated with the same UID",
-			oldObj: withPodName(podWithPort("oldUID", nodeName, 80), "pod"),
-			newObj: withPodName(podWithPort("oldUID", nodeName, 8080), "pod"),
+			oldPod: withPodName(podWithPort("oldUID", nodeName, 80), "pod"),
+			newPod: withPodName(podWithPort("oldUID", nodeName, 8080), "pod"),
 		},
 		{
 			name:   "pod updated with different UIDs",
-			oldObj: withPodName(podWithPort("oldUID", nodeName, 80), "pod"),
-			newObj: withPodName(podWithPort("newUID", nodeName, 8080), "pod"),
+			oldPod: withPodName(podWithPort("oldUID", nodeName, 80), "pod"),
+			newPod: withPodName(podWithPort("newUID", nodeName, 8080), "pod"),
 		},
 	}
 	for _, tt := range tests {
@@ -252,20 +259,20 @@ func TestUpdatePodInCache(t *testing.T) {
 				SchedulingQueue: internalqueue.NewTestQueue(ctx, nil),
 				logger:          logger,
 			}
-			sched.addPodToCache(tt.oldObj)
-			sched.updatePodInCache(tt.oldObj, tt.newObj)
+			sched.addAssignedPodToCache(tt.oldPod)
+			sched.updateAssignedPodInCache(tt.oldPod, tt.newPod)
 
-			if tt.oldObj.(*v1.Pod).UID != tt.newObj.(*v1.Pod).UID {
-				if pod, err := sched.Cache.GetPod(tt.oldObj.(*v1.Pod)); err == nil {
+			if tt.oldPod.UID != tt.newPod.UID {
+				if pod, err := sched.Cache.GetPod(tt.oldPod); err == nil {
 					t.Errorf("Get pod UID %v from cache but it should not happen", pod.UID)
 				}
 			}
-			pod, err := sched.Cache.GetPod(tt.newObj.(*v1.Pod))
+			pod, err := sched.Cache.GetPod(tt.newPod)
 			if err != nil {
 				t.Errorf("Failed to get pod from scheduler: %v", err)
 			}
-			if pod.UID != tt.newObj.(*v1.Pod).UID {
-				t.Errorf("Want pod UID %v, got %v", tt.newObj.(*v1.Pod).UID, pod.UID)
+			if pod.UID != tt.newPod.UID {
+				t.Errorf("Want pod UID %v, got %v", tt.newPod.UID, pod.UID)
 			}
 		})
 	}
@@ -277,6 +284,8 @@ func withPodName(pod *v1.Pod, name string) *v1.Pod {
 }
 
 func TestPreCheckForNode(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+
 	cpu4 := map[v1.ResourceName]string{v1.ResourceCPU: "4"}
 	cpu8 := map[v1.ResourceName]string{v1.ResourceCPU: "8"}
 	cpu16 := map[v1.ResourceName]string{v1.ResourceCPU: "16"}
@@ -414,7 +423,7 @@ func TestPreCheckForNode(t *testing.T) {
 
 			nodeInfo := framework.NewNodeInfo(tt.existingPods...)
 			nodeInfo.SetNode(tt.nodeFn())
-			preCheckFn := preCheckForNode(nodeInfo)
+			preCheckFn := preCheckForNode(logger, nodeInfo)
 
 			got := make([]bool, 0, len(tt.pods))
 			for _, pod := range tt.pods {
@@ -431,12 +440,15 @@ func TestPreCheckForNode(t *testing.T) {
 // test for informers of resources we care about is registered
 func TestAddAllEventHandlers(t *testing.T) {
 	tests := []struct {
-		name                   string
-		gvkMap                 map[fwk.EventResource]fwk.ActionType
-		enableDRA              bool
-		enableDRADeviceTaints  bool
-		expectStaticInformers  map[reflect.Type]bool
-		expectDynamicInformers map[schema.GroupVersionResource]bool
+		name                      string
+		gvkMap                    map[fwk.EventResource]fwk.ActionType
+		enableDRA                 bool
+		enableDRADeviceTaints     bool
+		enableDRADeviceTaintRules bool
+		enableDRAExtendedResource bool
+		enableGenericWorkload     bool
+		expectStaticInformers     map[reflect.Type]bool
+		expectDynamicInformers    map[schema.GroupVersionResource]bool
 	}{
 		{
 			name:   "default handlers in framework",
@@ -481,7 +493,7 @@ func TestAddAllEventHandlers(t *testing.T) {
 			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
 		},
 		{
-			name: "all DRA events enabled",
+			name: "device taints partially enabled",
 			gvkMap: map[fwk.EventResource]fwk.ActionType{
 				fwk.ResourceClaim: fwk.Add,
 				fwk.ResourceSlice: fwk.Add,
@@ -489,6 +501,26 @@ func TestAddAllEventHandlers(t *testing.T) {
 			},
 			enableDRA:             true,
 			enableDRADeviceTaints: true,
+			expectStaticInformers: map[reflect.Type]bool{
+				reflect.TypeOf(&v1.Pod{}):                    true,
+				reflect.TypeOf(&v1.Node{}):                   true,
+				reflect.TypeOf(&v1.Namespace{}):              true,
+				reflect.TypeOf(&resourceapi.ResourceClaim{}): true,
+				reflect.TypeOf(&resourceapi.ResourceSlice{}): true,
+				reflect.TypeOf(&resourceapi.DeviceClass{}):   true,
+			},
+			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
+		},
+		{
+			name: "all DRA events enabled",
+			gvkMap: map[fwk.EventResource]fwk.ActionType{
+				fwk.ResourceClaim: fwk.Add,
+				fwk.ResourceSlice: fwk.Add,
+				fwk.DeviceClass:   fwk.Add,
+			},
+			enableDRA:                 true,
+			enableDRADeviceTaints:     true,
+			enableDRADeviceTaintRules: true,
 			expectStaticInformers: map[reflect.Type]bool{
 				reflect.TypeOf(&v1.Pod{}):                           true,
 				reflect.TypeOf(&v1.Node{}):                          true,
@@ -500,6 +532,35 @@ func TestAddAllEventHandlers(t *testing.T) {
 			},
 			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
 		},
+		{
+			name: "Workload events disabled",
+			gvkMap: map[fwk.EventResource]fwk.ActionType{
+				fwk.Workload: fwk.Add,
+			},
+			expectStaticInformers: map[reflect.Type]bool{
+				reflect.TypeOf(&v1.Pod{}):       true,
+				reflect.TypeOf(&v1.Node{}):      true,
+				reflect.TypeOf(&v1.Namespace{}): true,
+			},
+			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
+		},
+		{
+			name: "Workload events enabled",
+			gvkMap: map[fwk.EventResource]fwk.ActionType{
+				fwk.Workload: fwk.Add,
+			},
+			enableDRA:             true,
+			enableGenericWorkload: true,
+			expectStaticInformers: map[reflect.Type]bool{
+				reflect.TypeOf(&v1.Pod{}):                    true,
+				reflect.TypeOf(&v1.Node{}):                   true,
+				reflect.TypeOf(&v1.Namespace{}):              true,
+				reflect.TypeOf(&resourceapi.ResourceClaim{}): true,
+				reflect.TypeOf(&resourceapi.ResourceSlice{}): true,
+				reflect.TypeOf(&schedulingapi.Workload{}):    true,
+			},
+			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
+		},
 		{
 			name: "add GVKs handlers defined in framework dynamically",
 			gvkMap: map[fwk.EventResource]fwk.ActionType{
@@ -558,8 +619,19 @@ func TestAddAllEventHandlers(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicResourceAllocation, tt.enableDRA)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tt.enableDRADeviceTaints)
+			overrides := featuregatetesting.FeatureOverrides{
+				features.DynamicResourceAllocation: tt.enableDRA,
+				features.DRADeviceTaints:           tt.enableDRADeviceTaints,
+				features.DRAExtendedResource:       tt.enableDRAExtendedResource,
+			}
+			if !tt.enableDRA {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+			} else {
+				// Making this depend on the emulated version avoids "cannot set feature gate DRADeviceTaintRules to false, feature is PreAlpha at emulated version 1.34".
+				overrides[features.DRADeviceTaintRules] = tt.enableDRADeviceTaintRules
+				overrides[features.GenericWorkload] = tt.enableGenericWorkload
+			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, overrides)
 
 			logger, ctx := ktesting.NewTestContext(t)
 			ctx, cancel := context.WithCancel(ctx)
@@ -577,15 +649,16 @@ func TestAddAllEventHandlers(t *testing.T) {
 			dynInformerFactory := dynamicinformer.NewDynamicSharedInformerFactory(dynclient, 0)
 			var resourceClaimCache *assumecache.AssumeCache
 			var resourceSliceTracker *resourceslicetracker.Tracker
+			var draManager fwk.SharedDRAManager
 			if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 				resourceClaimInformer := informerFactory.Resource().V1().ResourceClaims().Informer()
 				resourceClaimCache = assumecache.NewAssumeCache(logger, resourceClaimInformer, "ResourceClaim", "", nil)
 				var err error
 				opts := resourceslicetracker.Options{
-					EnableDeviceTaints: utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
-					SliceInformer:      informerFactory.Resource().V1().ResourceSlices(),
+					EnableDeviceTaintRules: utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules),
+					SliceInformer:          informerFactory.Resource().V1().ResourceSlices(),
 				}
-				if opts.EnableDeviceTaints {
+				if opts.EnableDeviceTaintRules {
 					opts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
 					opts.ClassInformer = informerFactory.Resource().V1().DeviceClasses()
 
@@ -594,9 +667,13 @@ func TestAddAllEventHandlers(t *testing.T) {
 				if err != nil {
 					t.Fatalf("couldn't start resource slice tracker: %v", err)
 				}
+
+				if tt.enableDRAExtendedResource {
+					draManager = dynamicresources.NewDRAManager(ctx, resourceClaimCache, resourceSliceTracker, informerFactory)
+				}
 			}
 
-			if err := addAllEventHandlers(&testSched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, tt.gvkMap); err != nil {
+			if err := addAllEventHandlers(&testSched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, draManager, tt.gvkMap); err != nil {
 				t.Fatalf("Add event handlers failed, error = %v", err)
 			}
 
@@ -672,3 +749,317 @@ func TestAdmissionCheck(t *testing.T) {
 		})
 	}
 }
+
+func TestAddPod(t *testing.T) {
+	tests := []struct {
+		name          string
+		pod           *v1.Pod
+		expectInQueue bool
+		expectInCache bool
+	}{
+		{
+			name:          "add unscheduled pod",
+			pod:           st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("supported-scheduler").Obj(),
+			expectInQueue: true,
+		},
+		{
+			name: "add unscheduled pod with other scheduler name",
+			pod:  st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("other-scheduler").Obj(),
+		},
+		{
+			name:          "add scheduled pod",
+			pod:           st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node1").Obj(),
+			expectInCache: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			sched := &Scheduler{
+				Cache:           internalcache.New(ctx, 0, nil),
+				SchedulingQueue: internalqueue.NewTestQueue(ctx, nil),
+				logger:          logger,
+				Profiles: profile.Map{
+					"supported-scheduler": nil,
+				},
+			}
+
+			sched.addPod(tt.pod)
+
+			_, ok := sched.SchedulingQueue.GetPod(tt.pod.Name, tt.pod.Namespace)
+			if tt.expectInQueue && !ok {
+				t.Errorf("Expected pod to be in scheduling queue")
+			} else if !tt.expectInQueue && ok {
+				t.Errorf("Expected pod not to be in scheduling queue")
+			}
+			_, err := sched.Cache.GetPod(tt.pod)
+			if tt.expectInCache && err != nil {
+				t.Errorf("Expected pod to be in cache: %v", err)
+			} else if !tt.expectInCache && err == nil {
+				t.Errorf("Expected pod not to be in cache")
+			}
+		})
+	}
+}
+
+func TestUpdatePod(t *testing.T) {
+	pod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("supported-scheduler").Obj()
+	updatedPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Labels(map[string]string{"foo": "bar"}).ResourceVersion("2").SchedulerName("supported-scheduler").Obj()
+
+	podWithDeletionTimestamp := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Terminating().ResourceVersion("2").SchedulerName("supported-scheduler").Obj()
+
+	otherPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("other-scheduler").Obj()
+	updatedOtherPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Labels(map[string]string{"foo": "bar"}).ResourceVersion("2").SchedulerName("other-scheduler").Obj()
+
+	scheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node1").SchedulerName("supported-scheduler").Obj()
+	updatedScheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Labels(map[string]string{"foo": "bar"}).ResourceVersion("2").Node("node1").SchedulerName("supported-scheduler").Obj()
+
+	otherScheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node1").SchedulerName("other-scheduler").Obj()
+	updatedOtherScheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Labels(map[string]string{"foo": "bar"}).ResourceVersion("2").Node("node1").SchedulerName("other-scheduler").Obj()
+
+	scheduledPodOtherNode := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node2").SchedulerName("supported-scheduler").Obj()
+
+	tests := []struct {
+		name          string
+		oldPod        *v1.Pod
+		assumedPod    *v1.Pod
+		newPod        *v1.Pod
+		expectInQueue *v1.Pod
+		expectInCache *v1.Pod
+	}{
+		{
+			name:          "update unscheduled pod",
+			oldPod:        pod,
+			newPod:        updatedPod,
+			expectInQueue: updatedPod,
+		},
+		{
+			name:   "update unscheduled pod with other scheduler name",
+			oldPod: otherPod,
+			newPod: updatedOtherPod,
+		},
+		{
+			name:          "update assumed pod",
+			oldPod:        pod,
+			assumedPod:    scheduledPod,
+			newPod:        updatedPod,
+			expectInCache: scheduledPod,
+		},
+		{
+			name:          "update scheduled pod",
+			oldPod:        scheduledPod,
+			newPod:        updatedScheduledPod,
+			expectInCache: updatedScheduledPod,
+		},
+		{
+			name:          "update scheduled pod with other scheduler name",
+			oldPod:        otherScheduledPod,
+			newPod:        updatedOtherScheduledPod,
+			expectInCache: updatedOtherScheduledPod,
+		},
+		{
+			name:          "bind unscheduled pod",
+			oldPod:        pod,
+			newPod:        scheduledPod,
+			expectInCache: scheduledPod,
+		},
+		{
+			name:          "bind unscheduled pod with other scheduler name",
+			oldPod:        pod,
+			newPod:        scheduledPod,
+			expectInCache: scheduledPod,
+		},
+		{
+			name:          "bind assumed pod",
+			oldPod:        pod,
+			assumedPod:    scheduledPod,
+			newPod:        scheduledPod,
+			expectInCache: scheduledPod,
+		},
+		{
+			name:          "bind assumed pod to a different node",
+			oldPod:        pod,
+			assumedPod:    scheduledPod,
+			newPod:        scheduledPodOtherNode,
+			expectInCache: scheduledPodOtherNode,
+		},
+		{
+			name:       "delete assumed pod with deletion timestamp",
+			oldPod:     pod,
+			assumedPod: scheduledPod,
+			newPod:     podWithDeletionTimestamp,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			registerPluginFuncs := []tf.RegisterPluginFunc{
+				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
+				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
+			}
+			waitingPods := frameworkruntime.NewWaitingPodsMap()
+			schedFramework, err := tf.NewFramework(
+				ctx,
+				registerPluginFuncs,
+				"supported-scheduler",
+				frameworkruntime.WithWaitingPods(waitingPods),
+			)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+			sched := &Scheduler{
+				Cache:           internalcache.New(ctx, 0, nil),
+				SchedulingQueue: internalqueue.NewTestQueue(ctx, nil),
+				logger:          logger,
+				Profiles: profile.Map{
+					"supported-scheduler": schedFramework,
+				},
+			}
+
+			if tt.assumedPod != nil {
+				err := sched.Cache.AssumePod(logger, tt.assumedPod)
+				if err != nil {
+					t.Fatalf("Failed to assume pod: %v", err)
+				}
+			} else {
+				sched.addPod(tt.oldPod)
+			}
+
+			sched.updatePod(tt.oldPod, tt.newPod)
+
+			qPod, ok := sched.SchedulingQueue.GetPod(tt.newPod.Name, tt.newPod.Namespace)
+			if tt.expectInQueue != nil {
+				if !ok {
+					t.Errorf("Expected pod to be in scheduling queue")
+				} else if diff := cmp.Diff(tt.expectInQueue, qPod.Pod); diff != "" {
+					t.Errorf("Unexpected pod after update (-want,+got):\n%s", diff)
+				}
+			} else if ok {
+				t.Errorf("Expected pod not to be in scheduling queue")
+			}
+			pod, err := sched.Cache.GetPod(tt.newPod)
+			if tt.expectInCache != nil {
+				if err != nil {
+					t.Errorf("Expected pod to be in cache: %v", err)
+				} else if diff := cmp.Diff(tt.expectInCache, pod); diff != "" {
+					t.Errorf("Unexpected pod after update (-want,+got):\n%s", diff)
+				}
+			} else if err == nil {
+				t.Errorf("Expected pod not to be in cache")
+			}
+		})
+	}
+}
+
+func TestDeletePod(t *testing.T) {
+	pod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("supported-scheduler").Obj()
+	otherPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").SchedulerName("other-scheduler").Obj()
+	scheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node1").SchedulerName("supported-scheduler").Obj()
+	otherScheduledPod := st.MakePod().Name("pod1").Namespace("ns1").UID("pod1").Node("node1").SchedulerName("other-scheduler").Obj()
+
+	tests := []struct {
+		name            string
+		initialPod      *v1.Pod
+		assumed         bool
+		waitingOnPermit bool
+		podToDelete     any
+	}{
+		{
+			name:        "delete unscheduled pod",
+			initialPod:  pod,
+			podToDelete: pod,
+		},
+		{
+			name:        "delete unscheduled pod with other scheduler name",
+			initialPod:  otherPod,
+			podToDelete: otherPod,
+		},
+		{
+			name:        "delete unscheduled pod with unknown state",
+			initialPod:  pod,
+			podToDelete: cache.DeletedFinalStateUnknown{Obj: pod},
+		},
+		{
+			name:        "delete assumed pod",
+			initialPod:  scheduledPod,
+			assumed:     true,
+			podToDelete: pod,
+		},
+		{
+			name:        "delete scheduled pod",
+			initialPod:  scheduledPod,
+			podToDelete: scheduledPod,
+		},
+		{
+			name:        "delete scheduled pod with other scheduler name",
+			initialPod:  otherScheduledPod,
+			podToDelete: otherScheduledPod,
+		},
+		{
+			name:        "delete scheduled pod with unknown state",
+			initialPod:  scheduledPod,
+			podToDelete: cache.DeletedFinalStateUnknown{Obj: scheduledPod},
+		},
+		{
+			name:        "delete scheduled pod with unknown older state",
+			initialPod:  scheduledPod,
+			podToDelete: cache.DeletedFinalStateUnknown{Obj: pod},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			registerPluginFuncs := []tf.RegisterPluginFunc{
+				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
+				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
+			}
+			waitingPods := frameworkruntime.NewWaitingPodsMap()
+			schedFramework, err := tf.NewFramework(
+				ctx,
+				registerPluginFuncs,
+				"supported-scheduler",
+				frameworkruntime.WithWaitingPods(waitingPods),
+			)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+			sched := &Scheduler{
+				Cache:           internalcache.New(ctx, 0, nil),
+				SchedulingQueue: internalqueue.NewTestQueue(ctx, nil),
+				logger:          logger,
+				Profiles: profile.Map{
+					"supported-scheduler": schedFramework,
+				},
+			}
+
+			if tt.assumed {
+				err := sched.Cache.AssumePod(logger, tt.initialPod)
+				if err != nil {
+					t.Fatalf("Failed to assume pod: %v", err)
+				}
+			} else {
+				sched.addPod(tt.initialPod)
+			}
+
+			sched.deletePod(tt.podToDelete)
+
+			_, err = sched.Cache.GetPod(tt.initialPod)
+			if err == nil {
+				t.Errorf("Unexpected pod in cache after removal")
+			}
+			_, ok := sched.SchedulingQueue.GetPod(tt.initialPod.Name, tt.initialPod.Namespace)
+			if ok {
+				t.Errorf("Unexpected pod in scheduling queue after removal")
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/extender.go b/pkg/scheduler/extender.go
index 518574b7e6692..5c8be28da45f5 100644
--- a/pkg/scheduler/extender.go
+++ b/pkg/scheduler/extender.go
@@ -85,7 +85,7 @@ func makeTransport(config *schedulerapi.Extender) (http.RoundTripper, error) {
 }
 
 // NewHTTPExtender creates an HTTPExtender object.
-func NewHTTPExtender(config *schedulerapi.Extender) (framework.Extender, error) {
+func NewHTTPExtender(config *schedulerapi.Extender) (fwk.Extender, error) {
 	if config.HTTPTimeout.Duration.Nanoseconds() == 0 {
 		config.HTTPTimeout.Duration = time.Duration(DefaultExtenderTimeout)
 	}
@@ -137,7 +137,7 @@ func (h *HTTPExtender) SupportsPreemption() bool {
 func (h *HTTPExtender) ProcessPreemption(
 	pod *v1.Pod,
 	nodeNameToVictims map[string]*extenderv1.Victims,
-	nodeInfos framework.NodeInfoLister,
+	nodeInfos fwk.NodeInfoLister,
 ) (map[string]*extenderv1.Victims, error) {
 	var (
 		result extenderv1.ExtenderPreemptionResult
@@ -180,7 +180,7 @@ func (h *HTTPExtender) ProcessPreemption(
 // such as UIDs and names, to object pointers.
 func (h *HTTPExtender) convertToVictims(
 	nodeNameToMetaVictims map[string]*extenderv1.MetaVictims,
-	nodeInfos framework.NodeInfoLister,
+	nodeInfos fwk.NodeInfoLister,
 ) (map[string]*extenderv1.Victims, error) {
 	nodeNameToVictims := map[string]*extenderv1.Victims{}
 	for nodeName, metaVictims := range nodeNameToMetaVictims {
diff --git a/pkg/scheduler/extender_test.go b/pkg/scheduler/extender_test.go
index 78412ed8eff76..c701ba84a511c 100644
--- a/pkg/scheduler/extender_test.go
+++ b/pkg/scheduler/extender_test.go
@@ -325,7 +325,7 @@ func TestSchedulerWithExtenders(t *testing.T) {
 			client := clientsetfake.NewClientset()
 			informerFactory := informers.NewSharedInformerFactory(client, 0)
 
-			var extenders []framework.Extender
+			var extenders []fwk.Extender
 			for ii := range test.extenders {
 				extenders = append(extenders, &test.extenders[ii])
 			}
@@ -501,7 +501,7 @@ func TestConvertToVictims(t *testing.T) {
 		nodeNameToMetaVictims map[string]*extenderv1.MetaVictims
 		nodeNames             []string
 		podsInNodeList        []*v1.Pod
-		nodeInfos             framework.NodeInfoLister
+		nodeInfos             fwk.NodeInfoLister
 		want                  map[string]*extenderv1.Victims
 		wantErr               bool
 	}{
diff --git a/pkg/scheduler/framework/api_calls/api_calls.go b/pkg/scheduler/framework/api_calls/api_calls.go
index 6a37e4ac73b43..352ad1e709aeb 100644
--- a/pkg/scheduler/framework/api_calls/api_calls.go
+++ b/pkg/scheduler/framework/api_calls/api_calls.go
@@ -18,7 +18,6 @@ package apicalls
 
 import (
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 const (
@@ -39,7 +38,7 @@ var Relevances = fwk.APICallRelevances{
 // Implementation is a built-in mapping types to calls' constructors.
 // It's used to construct calls' objects in the scheduler framework and for easier replacement of those.
 // This mapping can be replaced by the out-of-tree plugin in its init() function, if needed.
-var Implementations = framework.APICallImplementations[*PodStatusPatchCall, *PodBindingCall]{
+var Implementations = fwk.APICallImplementations[*PodStatusPatchCall, *PodBindingCall]{
 	PodStatusPatch: NewPodStatusPatchCall,
 	PodBinding:     NewPodBindingCall,
 }
diff --git a/pkg/scheduler/framework/api_calls/pod_status_patch.go b/pkg/scheduler/framework/api_calls/pod_status_patch.go
index e0619a617530d..8229745cbdb2f 100644
--- a/pkg/scheduler/framework/api_calls/pod_status_patch.go
+++ b/pkg/scheduler/framework/api_calls/pod_status_patch.go
@@ -28,7 +28,6 @@ import (
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/util"
 )
 
@@ -48,10 +47,10 @@ type PodStatusPatchCall struct {
 	// newCondition is a condition to update.
 	newCondition *v1.PodCondition
 	// nominatingInfo is a nominating info to update.
-	nominatingInfo *framework.NominatingInfo
+	nominatingInfo *fwk.NominatingInfo
 }
 
-func NewPodStatusPatchCall(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) *PodStatusPatchCall {
+func NewPodStatusPatchCall(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) *PodStatusPatchCall {
 	return &PodStatusPatchCall{
 		podUID:         pod.UID,
 		podRef:         klog.KObj(pod),
@@ -70,8 +69,8 @@ func (psuc *PodStatusPatchCall) UID() types.UID {
 }
 
 // syncStatus syncs the given status with condition and nominatingInfo. It returns true if anything was actually updated.
-func syncStatus(status *v1.PodStatus, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) bool {
-	nnnNeedsUpdate := nominatingInfo.Mode() == framework.ModeOverride && status.NominatedNodeName != nominatingInfo.NominatedNodeName
+func syncStatus(status *v1.PodStatus, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) bool {
+	nnnNeedsUpdate := nominatingInfo.Mode() == fwk.ModeOverride && status.NominatedNodeName != nominatingInfo.NominatedNodeName
 	if condition != nil {
 		if !podutil.UpdatePodCondition(status, condition) && !nnnNeedsUpdate {
 			return false
@@ -144,7 +143,7 @@ func (psuc *PodStatusPatchCall) Merge(oldCall fwk.APICall) error {
 	if !ok {
 		return fmt.Errorf("unexpected error: call of type %T is not of type *PodStatusPatchCall", oldCall)
 	}
-	if psuc.nominatingInfo.Mode() == framework.ModeNoop && oldPsuc.nominatingInfo.Mode() == framework.ModeOverride {
+	if psuc.nominatingInfo.Mode() == fwk.ModeNoop && oldPsuc.nominatingInfo.Mode() == fwk.ModeOverride {
 		// Set a nominatingInfo from an old call if the new one is no-op.
 		psuc.nominatingInfo = oldPsuc.nominatingInfo
 	}
@@ -173,7 +172,7 @@ func conditionNeedsUpdate(status *v1.PodStatus, condition *v1.PodCondition) bool
 }
 
 func (psuc *PodStatusPatchCall) IsNoOp() bool {
-	nnnNeedsUpdate := psuc.nominatingInfo.Mode() == framework.ModeOverride && psuc.podStatus.NominatedNodeName != psuc.nominatingInfo.NominatedNodeName
+	nnnNeedsUpdate := psuc.nominatingInfo.Mode() == fwk.ModeOverride && psuc.podStatus.NominatedNodeName != psuc.nominatingInfo.NominatedNodeName
 	if nnnNeedsUpdate {
 		return false
 	}
diff --git a/pkg/scheduler/framework/api_calls/pod_status_patch_test.go b/pkg/scheduler/framework/api_calls/pod_status_patch_test.go
index 4b38c334bcf59..29318fc31261d 100644
--- a/pkg/scheduler/framework/api_calls/pod_status_patch_test.go
+++ b/pkg/scheduler/framework/api_calls/pod_status_patch_test.go
@@ -25,7 +25,7 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	clienttesting "k8s.io/client-go/testing"
 	"k8s.io/klog/v2/ktesting"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 )
 
 func TestPodStatusPatchCall_IsNoOp(t *testing.T) {
@@ -48,42 +48,42 @@ func TestPodStatusPatchCall_IsNoOp(t *testing.T) {
 		name           string
 		pod            *v1.Pod
 		condition      *v1.PodCondition
-		nominatingInfo *framework.NominatingInfo
+		nominatingInfo *fwk.NominatingInfo
 		want           bool
 	}{
 		{
 			name:           "No-op when condition and node name match",
 			pod:            podWithNode,
 			condition:      &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionFalse},
-			nominatingInfo: &framework.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: framework.ModeOverride},
+			nominatingInfo: &fwk.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: fwk.ModeOverride},
 			want:           true,
 		},
 		{
 			name:           "Not no-op when condition is different",
 			pod:            podWithNode,
 			condition:      &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionTrue},
-			nominatingInfo: &framework.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: framework.ModeOverride},
+			nominatingInfo: &fwk.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: fwk.ModeOverride},
 			want:           false,
 		},
 		{
 			name:           "Not no-op when nominated node name is different",
 			pod:            podWithNode,
 			condition:      &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionFalse},
-			nominatingInfo: &framework.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: framework.ModeOverride},
+			nominatingInfo: &fwk.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: fwk.ModeOverride},
 			want:           false,
 		},
 		{
 			name:           "No-op when condition is nil and node name matches",
 			pod:            podWithNode,
 			condition:      nil,
-			nominatingInfo: &framework.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: framework.ModeOverride},
+			nominatingInfo: &fwk.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: fwk.ModeOverride},
 			want:           true,
 		},
 		{
 			name:           "Not no-op when condition is nil but node name differs",
 			pod:            podWithNode,
 			condition:      nil,
-			nominatingInfo: &framework.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: framework.ModeOverride},
+			nominatingInfo: &fwk.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: fwk.ModeOverride},
 			want:           false,
 		},
 	}
@@ -106,9 +106,9 @@ func TestPodStatusPatchCall_Merge(t *testing.T) {
 
 	t.Run("Merges nominating info and condition from the old call", func(t *testing.T) {
 		oldCall := NewPodStatusPatchCall(pod, &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionFalse},
-			&framework.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: framework.ModeOverride},
+			&fwk.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: fwk.ModeOverride},
 		)
-		newCall := NewPodStatusPatchCall(pod, nil, &framework.NominatingInfo{NominatingMode: framework.ModeNoop})
+		newCall := NewPodStatusPatchCall(pod, nil, &fwk.NominatingInfo{NominatingMode: fwk.ModeNoop})
 
 		if err := newCall.Merge(oldCall); err != nil {
 			t.Fatalf("Unexpected error returned by Merge(): %v", err)
@@ -122,9 +122,9 @@ func TestPodStatusPatchCall_Merge(t *testing.T) {
 	})
 
 	t.Run("Doesn't overwrite nominating info and condition of a new call", func(t *testing.T) {
-		oldCall := NewPodStatusPatchCall(pod, nil, &framework.NominatingInfo{NominatingMode: framework.ModeNoop})
+		oldCall := NewPodStatusPatchCall(pod, nil, &fwk.NominatingInfo{NominatingMode: fwk.ModeNoop})
 		newCall := NewPodStatusPatchCall(pod, &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionFalse},
-			&framework.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: framework.ModeOverride})
+			&fwk.NominatingInfo{NominatedNodeName: "node-b", NominatingMode: fwk.ModeOverride})
 
 		if err := newCall.Merge(oldCall); err != nil {
 			t.Fatalf("Unexpected error returned by Merge(): %v", err)
@@ -156,7 +156,7 @@ func TestPodStatusPatchCall_Sync(t *testing.T) {
 
 	t.Run("Syncs the status before execution and updates the pod", func(t *testing.T) {
 		call := NewPodStatusPatchCall(pod, nil,
-			&framework.NominatingInfo{NominatedNodeName: "node-c", NominatingMode: framework.ModeOverride})
+			&fwk.NominatingInfo{NominatedNodeName: "node-c", NominatingMode: fwk.ModeOverride})
 
 		updatedPod := pod.DeepCopy()
 		updatedPod.Status.NominatedNodeName = "node-b"
@@ -176,7 +176,7 @@ func TestPodStatusPatchCall_Sync(t *testing.T) {
 
 	t.Run("Doesn't sync internal status during or after execution, but updates the pod", func(t *testing.T) {
 		call := NewPodStatusPatchCall(pod, nil,
-			&framework.NominatingInfo{NominatedNodeName: "node-c", NominatingMode: framework.ModeOverride})
+			&fwk.NominatingInfo{NominatedNodeName: "node-c", NominatingMode: fwk.ModeOverride})
 		call.executed = true
 
 		updatedPod := pod.DeepCopy()
@@ -218,7 +218,7 @@ func TestPodStatusPatchCall_Execute(t *testing.T) {
 		})
 
 		call := NewPodStatusPatchCall(pod, &v1.PodCondition{Type: v1.PodScheduled, Status: v1.ConditionFalse},
-			&framework.NominatingInfo{NominatingMode: framework.ModeNoop})
+			&fwk.NominatingInfo{NominatingMode: fwk.ModeNoop})
 		if err := call.Execute(ctx, client); err != nil {
 			t.Fatalf("Unexpected error returned by Execute(): %v", err)
 		}
@@ -239,7 +239,7 @@ func TestPodStatusPatchCall_Execute(t *testing.T) {
 		})
 
 		noOpCall := NewPodStatusPatchCall(pod, nil,
-			&framework.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: framework.ModeOverride})
+			&fwk.NominatingInfo{NominatedNodeName: "node-a", NominatingMode: fwk.ModeOverride})
 		if err := noOpCall.Execute(ctx, client); err != nil {
 			t.Fatalf("Unexpected error returned by Execute(): %v", err)
 		}
diff --git a/pkg/scheduler/framework/autoscaler_contract/framework_contract_test.go b/pkg/scheduler/framework/autoscaler_contract/framework_contract_test.go
index d210a2cac3b4b..17ba61b0fc0e5 100644
--- a/pkg/scheduler/framework/autoscaler_contract/framework_contract_test.go
+++ b/pkg/scheduler/framework/autoscaler_contract/framework_contract_test.go
@@ -35,7 +35,7 @@ import (
 )
 
 type frameworkContract interface {
-	RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (*framework.PreFilterResult, *fwk.Status, sets.Set[string])
+	RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (*fwk.PreFilterResult, *fwk.Status, sets.Set[string])
 	RunFilterPlugins(context.Context, fwk.CycleState, *v1.Pod, fwk.NodeInfo) *fwk.Status
 	RunReservePluginsReserve(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status
 }
diff --git a/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go b/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
index 02f38f00bcd78..ad1b79e2e3715 100644
--- a/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
+++ b/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
@@ -21,21 +21,22 @@ limitations under the License.
 package contract
 
 import (
+	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/dynamic-resource-allocation/structured"
+	"k8s.io/dynamic-resource-allocation/structured/schedulerapi"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
-var _ framework.NodeInfoLister = &nodeInfoListerContract{}
-var _ framework.StorageInfoLister = &storageInfoListerContract{}
-var _ framework.SharedLister = &shareListerContract{}
-var _ framework.ResourceSliceLister = &resourceSliceListerContract{}
-var _ framework.DeviceClassLister = &deviceClassListerContract{}
-var _ framework.ResourceClaimTracker = &resourceClaimTrackerContract{}
-var _ framework.SharedDRAManager = &sharedDRAManagerContract{}
+var _ fwk.NodeInfoLister = &nodeInfoListerContract{}
+var _ fwk.StorageInfoLister = &storageInfoListerContract{}
+var _ fwk.SharedLister = &shareListerContract{}
+var _ fwk.ResourceSliceLister = &resourceSliceListerContract{}
+var _ fwk.DeviceClassLister = &deviceClassListerContract{}
+var _ fwk.ResourceClaimTracker = &resourceClaimTrackerContract{}
+var _ fwk.DeviceClassResolver = &deviceClassResolverContract{}
+var _ fwk.SharedDRAManager = &sharedDRAManagerContract{}
 
 type nodeInfoListerContract struct{}
 
@@ -63,11 +64,11 @@ func (c *storageInfoListerContract) IsPVCUsedByPods(_ string) bool {
 
 type shareListerContract struct{}
 
-func (c *shareListerContract) NodeInfos() framework.NodeInfoLister {
+func (c *shareListerContract) NodeInfos() fwk.NodeInfoLister {
 	return nil
 }
 
-func (c *shareListerContract) StorageInfos() framework.StorageInfoLister {
+func (c *shareListerContract) StorageInfos() fwk.StorageInfoLister {
 	return nil
 }
 
@@ -97,11 +98,11 @@ func (r *resourceClaimTrackerContract) Get(_, _ string) (*resourceapi.ResourceCl
 	return nil, nil
 }
 
-func (r *resourceClaimTrackerContract) ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error) {
+func (r *resourceClaimTrackerContract) ListAllAllocatedDevices() (sets.Set[schedulerapi.DeviceID], error) {
 	return nil, nil
 }
 
-func (r *resourceClaimTrackerContract) GatherAllocatedState() (*structured.AllocatedState, error) {
+func (r *resourceClaimTrackerContract) GatherAllocatedState() (*schedulerapi.AllocatedState, error) {
 	return nil, nil
 }
 
@@ -126,14 +127,24 @@ func (r *resourceClaimTrackerContract) AssumedClaimRestore(_, _ string) {
 
 type sharedDRAManagerContract struct{}
 
-func (s *sharedDRAManagerContract) ResourceClaims() framework.ResourceClaimTracker {
+func (s *sharedDRAManagerContract) ResourceClaims() fwk.ResourceClaimTracker {
 	return nil
 }
 
-func (s *sharedDRAManagerContract) ResourceSlices() framework.ResourceSliceLister {
+func (s *sharedDRAManagerContract) ResourceSlices() fwk.ResourceSliceLister {
 	return nil
 }
 
-func (s *sharedDRAManagerContract) DeviceClasses() framework.DeviceClassLister {
+func (s *sharedDRAManagerContract) DeviceClasses() fwk.DeviceClassLister {
+	return nil
+}
+
+func (s *sharedDRAManagerContract) DeviceClassResolver() fwk.DeviceClassResolver {
+	return nil
+}
+
+type deviceClassResolverContract struct{}
+
+func (d *deviceClassResolverContract) GetDeviceClass(_ v1.ResourceName) *resourceapi.DeviceClass {
 	return nil
 }
diff --git a/pkg/scheduler/framework/events.go b/pkg/scheduler/framework/events.go
index 24cdd103a910c..52264c61cb44d 100644
--- a/pkg/scheduler/framework/events.go
+++ b/pkg/scheduler/framework/events.go
@@ -17,6 +17,8 @@ limitations under the License.
 package framework
 
 import (
+	"slices"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -100,6 +102,7 @@ type podChangeExtractor func(newPod *v1.Pod, oldPod *v1.Pod) fwk.ActionType
 func extractPodScaleDown(newPod, oldPod *v1.Pod) fwk.ActionType {
 	opt := resource.PodResourcesOptions{
 		UseStatusResources: utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling),
+		InPlacePodLevelResourcesVerticalScalingEnabled: utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling),
 	}
 	newPodRequests := resource.PodRequests(newPod, opt)
 	oldPodRequests := resource.PodRequests(oldPod, opt)
@@ -168,6 +171,10 @@ func NodeSchedulingPropertiesChange(newNode *v1.Node, oldNode *v1.Node) (events
 		extractNodeAnnotationsChange,
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+		nodeChangeExtracters = append(nodeChangeExtracters, extractNodeFeaturesChange)
+	}
+
 	for _, fn := range nodeChangeExtracters {
 		if event := fn(newNode, oldNode); event != fwk.None {
 			events = append(events, fwk.ClusterEvent{Resource: fwk.Node, ActionType: event})
@@ -231,3 +238,11 @@ func extractNodeAnnotationsChange(newNode *v1.Node, oldNode *v1.Node) fwk.Action
 	}
 	return fwk.None
 }
+
+func extractNodeFeaturesChange(newNode *v1.Node, oldNode *v1.Node) fwk.ActionType {
+	// DeclaredFeatures is maintained in a sorted order, so slice comparison is safe.
+	if !slices.Equal(oldNode.Status.DeclaredFeatures, newNode.Status.DeclaredFeatures) {
+		return fwk.UpdateNodeDeclaredFeature
+	}
+	return fwk.None
+}
diff --git a/pkg/scheduler/framework/events_test.go b/pkg/scheduler/framework/events_test.go
index 603a9bd748cbc..4021a821d7920 100644
--- a/pkg/scheduler/framework/events_test.go
+++ b/pkg/scheduler/framework/events_test.go
@@ -26,6 +26,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	fwk "k8s.io/kube-scheduler/framework"
@@ -277,6 +278,73 @@ func TestNodeSchedulingPropertiesChange(t *testing.T) {
 	}
 }
 
+func TestExtractNodeFeaturesChange(t *testing.T) {
+	testCases := []struct {
+		name    string
+		oldNode *v1.Node
+		newNode *v1.Node
+		want    fwk.ActionType
+	}{
+		{
+			name:    "no features changed",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA", "featB"}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA", "featB"}}},
+			want:    fwk.None,
+		},
+		{
+			name:    "features added",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA", "featB"}}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "features removed",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA", "featB"}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "features different",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featC"}}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "old features nil, new has features",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: nil}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "old features empty, new has features",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "old has features, new is nil",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: []string{"featA"}}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: nil}},
+			want:    fwk.UpdateNodeDeclaredFeature,
+		},
+		{
+			name:    "both nil",
+			oldNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: nil}},
+			newNode: &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: nil}},
+			want:    fwk.None,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := extractNodeFeaturesChange(tc.newNode, tc.oldNode)
+			if got != tc.want {
+				t.Errorf("extractNodeFeaturesChange() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
 func Test_podSchedulingPropertiesChange(t *testing.T) {
 	podWithBigRequest := &v1.Pod{
 		Spec: v1.PodSpec{
@@ -466,6 +534,9 @@ func Test_podSchedulingPropertiesChange(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.draDisabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
+			}
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicResourceAllocation, !tt.draDisabled)
 			got := PodSchedulingPropertiesChange(tt.newPod, tt.oldPod)
 			if diff := cmp.Diff(tt.want, got, cmpopts.EquateComparable(fwk.ClusterEvent{})); diff != "" {
diff --git a/pkg/scheduler/framework/interface.go b/pkg/scheduler/framework/interface.go
index e167789d7e355..bca3dfab900ef 100644
--- a/pkg/scheduler/framework/interface.go
+++ b/pkg/scheduler/framework/interface.go
@@ -20,46 +20,14 @@ package framework
 
 import (
 	"context"
-	"math"
 	"sync"
-	"time"
 
 	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/client-go/informers"
-	clientset "k8s.io/client-go/kubernetes"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/events"
-	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 )
 
-// NodeScoreList declares a list of nodes and their scores.
-type NodeScoreList []NodeScore
-
-// NodeScore is a struct with node name and score.
-type NodeScore struct {
-	Name  string
-	Score int64
-}
-
-// NodeToStatusReader is a read-only interface of NodeToStatus passed to each PostFilter plugin.
-type NodeToStatusReader interface {
-	// Get returns the status for given nodeName.
-	// If the node is not in the map, the AbsentNodesStatus is returned.
-	Get(nodeName string) *fwk.Status
-	// NodesForStatusCode returns a list of NodeInfos for the nodes that have a given status code.
-	// It returns the NodeInfos for all matching nodes denoted by AbsentNodesStatus as well.
-	NodesForStatusCode(nodeLister NodeInfoLister, code fwk.Code) ([]fwk.NodeInfo, error)
-}
-
-// NodeToStatusMap is an alias for NodeToStatusReader to keep partial backwards compatibility.
-// NodeToStatusReader should be used if possible.
-type NodeToStatusMap = NodeToStatusReader
-
 // NodeToStatus contains the statuses of the Nodes where the incoming Pod was not schedulable.
 type NodeToStatus struct {
 	// nodeToStatus contains specific statuses of the nodes.
@@ -128,7 +96,7 @@ func (m *NodeToStatus) ForEachExplicitNode(fn func(nodeName string, status *fwk.
 // and filtered using NodeToStatus.Get.
 // If the absentNodesStatus doesn't match the code, nodeToStatus map is used to create a list of nodes
 // and nodeLister.Get is used to obtain NodeInfo for each.
-func (m *NodeToStatus) NodesForStatusCode(nodeLister NodeInfoLister, code fwk.Code) ([]fwk.NodeInfo, error) {
+func (m *NodeToStatus) NodesForStatusCode(nodeLister fwk.NodeInfoLister, code fwk.Code) ([]fwk.NodeInfo, error) {
 	var resultNodes []fwk.NodeInfo
 
 	if m.AbsentNodesStatus().Code() == code {
@@ -161,34 +129,6 @@ func (m *NodeToStatus) NodesForStatusCode(nodeLister NodeInfoLister, code fwk.Co
 	return resultNodes, nil
 }
 
-// NodePluginScores is a struct with node name and scores for that node.
-type NodePluginScores struct {
-	// Name is node name.
-	Name string
-	// Scores is scores from plugins and extenders.
-	Scores []PluginScore
-	// TotalScore is the total score in Scores.
-	TotalScore int64
-}
-
-// PluginScore is a struct with plugin/extender name and score.
-type PluginScore struct {
-	// Name is the name of plugin or extender.
-	Name  string
-	Score int64
-}
-
-const (
-	// MaxNodeScore is the maximum score a Score plugin is expected to return.
-	MaxNodeScore int64 = 100
-
-	// MinNodeScore is the minimum score a Score plugin is expected to return.
-	MinNodeScore int64 = 0
-
-	// MaxTotalScore is the maximum total score.
-	MaxTotalScore int64 = math.MaxInt64
-)
-
 // PodsToActivateKey is a reserved state key for stashing pods.
 // If the stashed pods are present in unschedulablePods or backoffQ，they will be
 // activated (i.e., moved to activeQ) in two phases:
@@ -213,294 +153,32 @@ func NewPodsToActivate() *PodsToActivate {
 	return &PodsToActivate{Map: make(map[string]*v1.Pod)}
 }
 
-// WaitingPod represents a pod currently waiting in the permit phase.
-type WaitingPod interface {
-	// GetPod returns a reference to the waiting pod.
-	GetPod() *v1.Pod
-	// GetPendingPlugins returns a list of pending Permit plugin's name.
-	GetPendingPlugins() []string
-	// Allow declares the waiting pod is allowed to be scheduled by the plugin named as "pluginName".
-	// If this is the last remaining plugin to allow, then a success signal is delivered
-	// to unblock the pod.
-	Allow(pluginName string)
-	// Reject declares the waiting pod unschedulable.
-	Reject(pluginName, msg string)
-}
-
-// Plugin is the parent type for all the scheduling framework plugins.
-type Plugin interface {
-	Name() string
-}
-
-// PreEnqueuePlugin is an interface that must be implemented by "PreEnqueue" plugins.
-// These plugins are called prior to adding Pods to activeQ.
-// Note: an preEnqueue plugin is expected to be lightweight and efficient, so it's not expected to
-// involve expensive calls like accessing external endpoints; otherwise it'd block other
-// Pods' enqueuing in event handlers.
-type PreEnqueuePlugin interface {
-	Plugin
-	// PreEnqueue is called prior to adding Pods to activeQ.
-	PreEnqueue(ctx context.Context, p *v1.Pod) *fwk.Status
-}
-
-// LessFunc is the function to sort pod info
-type LessFunc func(podInfo1, podInfo2 fwk.QueuedPodInfo) bool
-
-// QueueSortPlugin is an interface that must be implemented by "QueueSort" plugins.
-// These plugins are used to sort pods in the scheduling queue. Only one queue sort
-// plugin may be enabled at a time.
-type QueueSortPlugin interface {
-	Plugin
-	// Less are used to sort pods in the scheduling queue.
-	Less(fwk.QueuedPodInfo, fwk.QueuedPodInfo) bool
-}
-
-// EnqueueExtensions is an optional interface that plugins can implement to efficiently
-// move unschedulable Pods in internal scheduling queues.
-// In the scheduler, Pods can be unschedulable by PreEnqueue, PreFilter, Filter, Reserve, and Permit plugins,
-// and Pods rejected by these plugins are requeued based on this extension point.
-// Failures from other extension points are regarded as temporal errors (e.g., network failure),
-// and the scheduler requeue Pods without this extension point - always requeue Pods to activeQ after backoff.
-// This is because such temporal errors cannot be resolved by specific cluster events,
-// and we have no choose but keep retrying scheduling until the failure is resolved.
-//
-// Plugins that make pod unschedulable (PreEnqueue, PreFilter, Filter, Reserve, and Permit plugins) must implement this interface,
-// otherwise the default implementation will be used, which is less efficient in requeueing Pods rejected by the plugin.
-//
-// Also, if EventsToRegister returns an empty list, that means the Pods failed by the plugin are not requeued by any events,
-// which doesn't make sense in most cases (very likely misuse)
-// since the pods rejected by the plugin could be stuck in the unschedulable pod pool forever.
-//
-// If plugins other than above extension points support this interface, they are just ignored.
-type EnqueueExtensions interface {
-	Plugin
-	// EventsToRegister returns a series of possible events that may cause a Pod
-	// failed by this plugin schedulable. Each event has a callback function that
-	// filters out events to reduce useless retry of Pod's scheduling.
-	// The events will be registered when instantiating the internal scheduling queue,
-	// and leveraged to build event handlers dynamically.
-	// When it returns an error, the scheduler fails to start.
-	// Note: the returned list needs to be determined at a startup,
-	// and the scheduler only evaluates it once during start up.
-	// Do not change the result during runtime, for example, based on the cluster's state etc.
-	//
-	// Appropriate implementation of this function will make Pod's re-scheduling accurate and performant.
-	EventsToRegister(context.Context) ([]fwk.ClusterEventWithHint, error)
-}
-
-// PreFilterExtensions is an interface that is included in plugins that allow specifying
-// callbacks to make incremental updates to its supposedly pre-calculated
-// state.
-type PreFilterExtensions interface {
-	// AddPod is called by the framework while trying to evaluate the impact
-	// of adding podToAdd to the node while scheduling podToSchedule.
-	AddPod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status
-	// RemovePod is called by the framework while trying to evaluate the impact
-	// of removing podToRemove from the node while scheduling podToSchedule.
-	RemovePod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status
-}
-
-// PreFilterPlugin is an interface that must be implemented by "PreFilter" plugins.
-// These plugins are called at the beginning of the scheduling cycle.
-type PreFilterPlugin interface {
-	Plugin
-	// PreFilter is called at the beginning of the scheduling cycle. All PreFilter
-	// plugins must return success or the pod will be rejected. PreFilter could optionally
-	// return a PreFilterResult to influence which nodes to evaluate downstream. This is useful
-	// for cases where it is possible to determine the subset of nodes to process in O(1) time.
-	// When PreFilterResult filters out some Nodes, the framework considers Nodes that are filtered out as getting "UnschedulableAndUnresolvable".
-	// i.e., those Nodes will be out of the candidates of the preemption.
-	//
-	// When it returns Skip status, returned PreFilterResult and other fields in status are just ignored,
-	// and coupled Filter plugin/PreFilterExtensions() will be skipped in this scheduling cycle.
-	PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*PreFilterResult, *fwk.Status)
-	// PreFilterExtensions returns a PreFilterExtensions interface if the plugin implements one,
-	// or nil if it does not. A Pre-filter plugin can provide extensions to incrementally
-	// modify its pre-processed info. The framework guarantees that the extensions
-	// AddPod/RemovePod will only be called after PreFilter, possibly on a cloned
-	// CycleState, and may call those functions more than once before calling
-	// Filter again on a specific node.
-	PreFilterExtensions() PreFilterExtensions
-}
-
-// FilterPlugin is an interface for Filter plugins. These plugins are called at the
-// filter extension point for filtering out hosts that cannot run a pod.
-// This concept used to be called 'predicate' in the original scheduler.
-// These plugins should return "Success", "Unschedulable" or "Error" in Status.code.
-// However, the scheduler accepts other valid codes as well.
-// Anything other than "Success" will lead to exclusion of the given host from
-// running the pod.
-type FilterPlugin interface {
-	Plugin
-	// Filter is called by the scheduling framework.
-	// All FilterPlugins should return "Success" to declare that
-	// the given node fits the pod. If Filter doesn't return "Success",
-	// it will return "Unschedulable", "UnschedulableAndUnresolvable" or "Error".
-	//
-	// "Error" aborts pod scheduling and puts the pod into the backoff queue.
-	//
-	// For the node being evaluated, Filter plugins should look at the passed
-	// nodeInfo reference for this particular node's information (e.g., pods
-	// considered to be running on the node) instead of looking it up in the
-	// NodeInfoSnapshot because we don't guarantee that they will be the same.
-	// For example, during preemption, we may pass a copy of the original
-	// nodeInfo object that has some pods removed from it to evaluate the
-	// possibility of preempting them to schedule the target pod.
-	//
-	// Plugins are encouraged to check the context for cancellation.
-	// Once canceled, they should return as soon as possible with
-	// an UnschedulableAndUnresolvable status that includes the
-	// `context.Cause(ctx)` error explanation. For example, the
-	// context gets canceled when a sufficient number of suitable
-	// nodes have been found and searching for more isn't necessary
-	// anymore.
-	Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status
-}
-
-// PostFilterPlugin is an interface for "PostFilter" plugins. These plugins are called
-// after a pod cannot be scheduled.
-type PostFilterPlugin interface {
-	Plugin
-	// PostFilter is called by the scheduling framework
-	// when the scheduling cycle failed at PreFilter or Filter by Unschedulable or UnschedulableAndUnresolvable.
-	// NodeToStatusReader has statuses that each Node got in PreFilter or Filter phase.
-	//
-	// If you're implementing a custom preemption with PostFilter, ignoring Nodes with UnschedulableAndUnresolvable is the responsibility of your plugin,
-	// meaning NodeToStatusReader could have Nodes with UnschedulableAndUnresolvable
-	// and the scheduling framework does call PostFilter plugins even when all Nodes in NodeToStatusReader are UnschedulableAndUnresolvable.
-	//
-	// A PostFilter plugin should return one of the following statuses:
-	// - Unschedulable: the plugin gets executed successfully but the pod cannot be made schedulable.
-	// - Success: the plugin gets executed successfully and the pod can be made schedulable.
-	// - Error: the plugin aborts due to some internal error.
-	//
-	// Informational plugins should be configured ahead of other ones, and always return Unschedulable status.
-	// Optionally, a non-nil PostFilterResult may be returned along with a Success status. For example,
-	// a preemption plugin may choose to return nominatedNodeName, so that framework can reuse that to update the
-	// preemptor pod's .spec.status.nominatedNodeName field.
-	PostFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap NodeToStatusReader) (*PostFilterResult, *fwk.Status)
-}
-
-// PreScorePlugin is an interface for "PreScore" plugin. PreScore is an
-// informational extension point. Plugins will be called with a list of nodes
-// that passed the filtering phase. A plugin may use this data to update internal
-// state or to generate logs/metrics.
-type PreScorePlugin interface {
-	Plugin
-	// PreScore is called by the scheduling framework after a list of nodes
-	// passed the filtering phase. All prescore plugins must return success or
-	// the pod will be rejected
-	// When it returns Skip status, other fields in status are just ignored,
-	// and coupled Score plugin will be skipped in this scheduling cycle.
-	PreScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status
-}
-
-// ScoreExtensions is an interface for Score extended functionality.
-type ScoreExtensions interface {
-	// NormalizeScore is called for all node scores produced by the same plugin's "Score"
-	// method. A successful run of NormalizeScore will update the scores list and return
-	// a success status.
-	NormalizeScore(ctx context.Context, state fwk.CycleState, p *v1.Pod, scores NodeScoreList) *fwk.Status
-}
-
-// ScorePlugin is an interface that must be implemented by "Score" plugins to rank
-// nodes that passed the filtering phase.
-type ScorePlugin interface {
-	Plugin
-	// Score is called on each filtered node. It must return success and an integer
-	// indicating the rank of the node. All scoring plugins must return success or
-	// the pod will be rejected.
-	Score(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status)
-
-	// ScoreExtensions returns a ScoreExtensions interface if it implements one, or nil if does not.
-	ScoreExtensions() ScoreExtensions
-}
-
-// ReservePlugin is an interface for plugins with Reserve and Unreserve
-// methods. These are meant to update the state of the plugin. This concept
-// used to be called 'assume' in the original scheduler. These plugins should
-// return only Success or Error in Status.code. However, the scheduler accepts
-// other valid codes as well. Anything other than Success will lead to
-// rejection of the pod.
-type ReservePlugin interface {
-	Plugin
-	// Reserve is called by the scheduling framework when the scheduler cache is
-	// updated. If this method returns a failed Status, the scheduler will call
-	// the Unreserve method for all enabled ReservePlugins.
-	Reserve(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status
-	// Unreserve is called by the scheduling framework when a reserved pod was
-	// rejected, an error occurred during reservation of subsequent plugins, or
-	// in a later phase. The Unreserve method implementation must be idempotent
-	// and may be called by the scheduler even if the corresponding Reserve
-	// method for the same plugin was not called.
-	Unreserve(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string)
-}
-
-// PreBindPlugin is an interface that must be implemented by "PreBind" plugins.
-// These plugins are called before a pod being scheduled.
-type PreBindPlugin interface {
-	Plugin
-	// PreBindPreFlight is called before PreBind, and the plugin is supposed to return Success, Skip, or Error status
-	// to tell the scheduler whether the plugin will do something in PreBind or not.
-	// If it returns Success, it means this PreBind plugin will handle this pod.
-	// If it returns Skip, it means this PreBind plugin has nothing to do with the pod, and PreBind will be skipped.
-	// This function should be lightweight, and shouldn't do any actual operation, e.g., creating a volume etc.
-	PreBindPreFlight(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status
-	// PreBind is called before binding a pod. All prebind plugins must return
-	// success or the pod will be rejected and won't be sent for binding.
-	PreBind(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status
-}
-
-// PostBindPlugin is an interface that must be implemented by "PostBind" plugins.
-// These plugins are called after a pod is successfully bound to a node.
-type PostBindPlugin interface {
-	Plugin
-	// PostBind is called after a pod is successfully bound. These plugins are
-	// informational. A common application of this extension point is for cleaning
-	// up. If a plugin needs to clean-up its state after a pod is scheduled and
-	// bound, PostBind is the extension point that it should register.
-	PostBind(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string)
-}
-
-// PermitPlugin is an interface that must be implemented by "Permit" plugins.
-// These plugins are called before a pod is bound to a node.
-type PermitPlugin interface {
-	Plugin
-	// Permit is called before binding a pod (and before prebind plugins). Permit
-	// plugins are used to prevent or delay the binding of a Pod. A permit plugin
-	// must return success or wait with timeout duration, or the pod will be rejected.
-	// The pod will also be rejected if the wait timeout or the pod is rejected while
-	// waiting. Note that if the plugin returns "wait", the framework will wait only
-	// after running the remaining plugins given that no other plugin rejects the pod.
-	Permit(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) (*fwk.Status, time.Duration)
-}
-
-// BindPlugin is an interface that must be implemented by "Bind" plugins. Bind
-// plugins are used to bind a pod to a Node.
-type BindPlugin interface {
-	Plugin
-	// Bind plugins will not be called until all pre-bind plugins have completed. Each
-	// bind plugin is called in the configured order. A bind plugin may choose whether
-	// or not to handle the given Pod. If a bind plugin chooses to handle a Pod, the
-	// remaining bind plugins are skipped. When a bind plugin does not handle a pod,
-	// it must return Skip in its Status code. If a bind plugin returns an Error, the
-	// pod is rejected and will not be bound.
-	Bind(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status
+// SortedScoredNodes is a list of scored nodes, returned from scheduling.
+type SortedScoredNodes interface {
+	Pop() string
+	Len() int
 }
 
 // Framework manages the set of plugins in use by the scheduling framework.
 // Configured plugins are called at specified points in a scheduling context.
 type Framework interface {
-	Handle
+	fwk.Handle
 
 	// PreEnqueuePlugins returns the registered preEnqueue plugins.
-	PreEnqueuePlugins() []PreEnqueuePlugin
+	PreEnqueuePlugins() []fwk.PreEnqueuePlugin
 
 	// EnqueueExtensions returns the registered Enqueue extensions.
-	EnqueueExtensions() []EnqueueExtensions
+	EnqueueExtensions() []fwk.EnqueueExtensions
 
 	// QueueSortFunc returns the function to sort pods in scheduling queue
-	QueueSortFunc() LessFunc
+	QueueSortFunc() fwk.LessFunc
+
+	// Create a scheduling signature for a given pod, if possible. Two pods with the same signature
+	// should get the same feasibility and scores for any given set of nodes even after one of them gets assigned. If some plugins
+	// are unable to create a signature, the pod may be "unsignable" which disables results caching
+	// and gang scheduling optimizations.
+	// See https://github.com/kubernetes/enhancements/tree/master/keps/sig-scheduling/5598-opportunistic-batching
+	SignPod(ctx context.Context, pod *v1.Pod, recordPluginStats bool) fwk.PodSignature
 
 	// RunPreFilterPlugins runs the set of configured PreFilter plugins. It returns
 	// *fwk.Status and its code is set to non-success if any of the plugins returns
@@ -511,13 +189,22 @@ type Framework interface {
 	// The third returns value contains PreFilter plugin that rejected some or all Nodes with PreFilterResult.
 	// But, note that it doesn't contain any plugin when a plugin rejects this Pod with non-success status,
 	// not with PreFilterResult.
-	RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (*PreFilterResult, *fwk.Status, sets.Set[string])
+	RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (*fwk.PreFilterResult, *fwk.Status, sets.Set[string])
 
 	// RunPostFilterPlugins runs the set of configured PostFilter plugins.
 	// PostFilter plugins can either be informational, in which case should be configured
 	// to execute first and return Unschedulable status, or ones that try to change the
 	// cluster state to make the pod potentially schedulable in a future scheduling cycle.
-	RunPostFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap NodeToStatusReader) (*PostFilterResult, *fwk.Status)
+	RunPostFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status)
+
+	// Get a "node hint" for a given pod. A node hint is the name of a node provided by the batching code when information
+	// from the previous scheduling cycle can be reused for this cycle.
+	// If the batching code cannot provide a hint, the function returns "".
+	// See git.k8s.io/enhancements/keps/sig-scheduling/5598-opportunistic-batching
+	GetNodeHint(ctx context.Context, pod *v1.Pod, state fwk.CycleState, cycleCount int64) (hint string, signature fwk.PodSignature)
+
+	// StoreScheduleResults stores the results after we have sorted and filtered nodes.
+	StoreScheduleResults(ctx context.Context, signature fwk.PodSignature, hintedNode, chosenNode string, otherNodes SortedScoredNodes, cycleCount int64)
 
 	// RunPreBindPlugins runs the set of configured PreBind plugins. It returns
 	// *fwk.Status and its code is set to non-success if any of the plugins returns
@@ -576,238 +263,25 @@ type Framework interface {
 	// ListPlugins returns a map of extension point name to list of configured Plugins.
 	ListPlugins() *config.Plugins
 
-	// ProfileName returns the profile name associated to a profile.
-	ProfileName() string
-
 	// PercentageOfNodesToScore returns percentageOfNodesToScore associated to a profile.
 	PercentageOfNodesToScore() *int32
 
 	// SetPodNominator sets the PodNominator
-	SetPodNominator(nominator PodNominator)
+	SetPodNominator(nominator fwk.PodNominator)
 	// SetPodActivator sets the PodActivator
-	SetPodActivator(activator PodActivator)
+	SetPodActivator(activator fwk.PodActivator)
 	// SetAPICacher sets the APICacher
-	SetAPICacher(apiCacher APICacher)
+	SetAPICacher(apiCacher fwk.APICacher)
 
 	// Close calls Close method of each plugin.
 	Close() error
 }
 
-// Handle provides data and some tools that plugins can use. It is
-// passed to the plugin factories at the time of plugin initialization. Plugins
-// must store and use this handle to call framework functions.
-type Handle interface {
-	// PodNominator abstracts operations to maintain nominated Pods.
-	PodNominator
-	// PluginsRunner abstracts operations to run some plugins.
-	PluginsRunner
-	// PodActivator abstracts operations in the scheduling queue.
-	PodActivator
-	// SnapshotSharedLister returns listers from the latest NodeInfo Snapshot. The snapshot
-	// is taken at the beginning of a scheduling cycle and remains unchanged until
-	// a pod finishes "Permit" point.
-	//
-	// It should be used only during scheduling cycle:
-	// - There is no guarantee that the information remains unchanged in the binding phase of scheduling.
-	//   So, plugins shouldn't use it in the binding cycle (pre-bind/bind/post-bind/un-reserve plugin)
-	//   otherwise, a concurrent read/write error might occur.
-	// - There is no guarantee that the information is always up-to-date.
-	//   So, plugins shouldn't use it in QueueingHint and PreEnqueue
-	//   otherwise, they might make a decision based on stale information.
-	//
-	// Instead, they should use the resources getting from Informer created from SharedInformerFactory().
-	SnapshotSharedLister() SharedLister
-
-	// IterateOverWaitingPods acquires a read lock and iterates over the WaitingPods map.
-	IterateOverWaitingPods(callback func(WaitingPod))
-
-	// GetWaitingPod returns a waiting pod given its UID.
-	GetWaitingPod(uid types.UID) WaitingPod
-
-	// RejectWaitingPod rejects a waiting pod given its UID.
-	// The return value indicates if the pod is waiting or not.
-	RejectWaitingPod(uid types.UID) bool
-
-	// ClientSet returns a kubernetes clientSet.
-	ClientSet() clientset.Interface
-
-	// KubeConfig returns the raw kube config.
-	KubeConfig() *restclient.Config
-
-	// EventRecorder returns an event recorder.
-	EventRecorder() events.EventRecorder
-
-	SharedInformerFactory() informers.SharedInformerFactory
-
-	// SharedDRAManager can be used to obtain DRA objects, and track modifications to them in-memory - mainly by the DRA plugin.
-	// A non-default implementation can be plugged into the framework to simulate the state of DRA objects.
-	SharedDRAManager() SharedDRAManager
-
-	// RunFilterPluginsWithNominatedPods runs the set of configured filter plugins for nominated pod on the given node.
-	RunFilterPluginsWithNominatedPods(ctx context.Context, state fwk.CycleState, pod *v1.Pod, info fwk.NodeInfo) *fwk.Status
-
-	// Extenders returns registered scheduler extenders.
-	Extenders() []Extender
-
-	// Parallelizer returns a parallelizer holding parallelism for scheduler.
-	Parallelizer() parallelize.Parallelizer
-
-	// APIDispatcher returns a fwk.APIDispatcher that can be used to dispatch API calls directly.
-	// This is non-nil if the SchedulerAsyncAPICalls feature gate is enabled.
-	APIDispatcher() fwk.APIDispatcher
-
-	// APICacher returns an APICacher that coordinates API calls with the scheduler's internal cache.
-	// Use this to ensure the scheduler's view of the cluster remains consistent.
-	// This is non-nil if the SchedulerAsyncAPICalls feature gate is enabled.
-	APICacher() APICacher
-}
-
-// APICacher defines methods that send API calls through the scheduler's cache
-// before they are executed asynchronously by the APIDispatcher.
-// This ensures the scheduler's internal state is updated optimistically,
-// reflecting the intended outcome of the call.
-// This methods should be used only if the SchedulerAsyncAPICalls feature gate is enabled.
-type APICacher interface {
-	// PatchPodStatus sends a patch request for a Pod's status.
-	// The patch could be first applied to the cached Pod object and then the API call is executed asynchronously.
-	// It returns a channel that can be used to wait for the call's completion.
-	PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *NominatingInfo) (<-chan error, error)
-
-	// BindPod sends a binding request. The binding could be first applied to the cached Pod object
-	// and then the API call is executed asynchronously.
-	// It returns a channel that can be used to wait for the call's completion.
-	BindPod(binding *v1.Binding) (<-chan error, error)
-
-	// WaitOnFinish blocks until the result of an API call is sent to the given onFinish channel
-	// (returned by methods BindPod or PreemptPod).
-	//
-	// It returns the error received from the channel.
-	// It also returns nil if the call was skipped or overwritten,
-	// as these are considered successful lifecycle outcomes.
-	// Direct onFinish channel read can be used to access these results.
-	WaitOnFinish(ctx context.Context, onFinish <-chan error) error
-}
-
-// APICallImplementations define constructors for each fwk.APICall that is used by the scheduler internally.
-type APICallImplementations[T, K fwk.APICall] struct {
-	// PodStatusPatch is a constructor used to create fwk.APICall object for pod status patch.
-	PodStatusPatch func(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *NominatingInfo) T
-	// PodBinding is a constructor used to create fwk.APICall object for pod binding.
-	PodBinding func(binding *v1.Binding) K
-}
-
-// PreFilterResult wraps needed info for scheduler framework to act upon PreFilter phase.
-type PreFilterResult struct {
-	// The set of nodes that should be considered downstream; if nil then
-	// all nodes are eligible.
-	NodeNames sets.Set[string]
-}
-
-func (p *PreFilterResult) AllNodes() bool {
-	return p == nil || p.NodeNames == nil
-}
-
-func (p *PreFilterResult) Merge(in *PreFilterResult) *PreFilterResult {
-	if p.AllNodes() && in.AllNodes() {
-		return nil
-	}
-
-	r := PreFilterResult{}
-	if p.AllNodes() {
-		r.NodeNames = in.NodeNames.Clone()
-		return &r
-	}
-	if in.AllNodes() {
-		r.NodeNames = p.NodeNames.Clone()
-		return &r
-	}
-
-	r.NodeNames = p.NodeNames.Intersection(in.NodeNames)
-	return &r
-}
-
-type NominatingMode int
-
-const (
-	ModeNoop NominatingMode = iota
-	ModeOverride
-)
-
-type NominatingInfo struct {
-	NominatedNodeName string
-	NominatingMode    NominatingMode
-}
-
-// PostFilterResult wraps needed info for scheduler framework to act upon PostFilter phase.
-type PostFilterResult struct {
-	*NominatingInfo
-}
-
-func NewPostFilterResultWithNominatedNode(name string) *PostFilterResult {
-	return &PostFilterResult{
-		NominatingInfo: &NominatingInfo{
+func NewPostFilterResultWithNominatedNode(name string) *fwk.PostFilterResult {
+	return &fwk.PostFilterResult{
+		NominatingInfo: &fwk.NominatingInfo{
 			NominatedNodeName: name,
-			NominatingMode:    ModeOverride,
+			NominatingMode:    fwk.ModeOverride,
 		},
 	}
 }
-
-func (ni *NominatingInfo) Mode() NominatingMode {
-	if ni == nil {
-		return ModeNoop
-	}
-	return ni.NominatingMode
-}
-
-// PodActivator abstracts operations in the scheduling queue.
-type PodActivator interface {
-	// Activate moves the given pods to activeQ.
-	// If a pod isn't found in unschedulablePods or backoffQ and it's in-flight,
-	// the wildcard event is registered so that the pod will be requeued when it comes back.
-	// But, if a pod isn't found in unschedulablePods or backoffQ and it's not in-flight (i.e., completely unknown pod),
-	// Activate would ignore the pod.
-	Activate(logger klog.Logger, pods map[string]*v1.Pod)
-}
-
-// PodNominator abstracts operations to maintain nominated Pods.
-type PodNominator interface {
-	// AddNominatedPod adds the given pod to the nominator or
-	// updates it if it already exists.
-	AddNominatedPod(logger klog.Logger, pod fwk.PodInfo, nominatingInfo *NominatingInfo)
-	// DeleteNominatedPodIfExists deletes nominatedPod from internal cache. It's a no-op if it doesn't exist.
-	DeleteNominatedPodIfExists(pod *v1.Pod)
-	// UpdateNominatedPod updates the <oldPod> with <newPod>.
-	UpdateNominatedPod(logger klog.Logger, oldPod *v1.Pod, newPodInfo fwk.PodInfo)
-	// NominatedPodsForNode returns nominatedPods on the given node.
-	NominatedPodsForNode(nodeName string) []fwk.PodInfo
-}
-
-// PluginsRunner abstracts operations to run some plugins.
-// This is used by preemption PostFilter plugins when evaluating the feasibility of
-// scheduling the pod on nodes when certain running pods get evicted.
-type PluginsRunner interface {
-	// RunPreScorePlugins runs the set of configured PreScore plugins. If any
-	// of these plugins returns any status other than "Success", the given pod is rejected.
-	RunPreScorePlugins(context.Context, fwk.CycleState, *v1.Pod, []fwk.NodeInfo) *fwk.Status
-	// RunScorePlugins runs the set of configured scoring plugins.
-	// It returns a list that stores scores from each plugin and total score for each Node.
-	// It also returns *fwk.Status, which is set to non-success if any of the plugins returns
-	// a non-success status.
-	RunScorePlugins(context.Context, fwk.CycleState, *v1.Pod, []fwk.NodeInfo) ([]NodePluginScores, *fwk.Status)
-	// RunFilterPlugins runs the set of configured Filter plugins for pod on
-	// the given node. Note that for the node being evaluated, the passed nodeInfo
-	// reference could be different from the one in NodeInfoSnapshot map (e.g., pods
-	// considered to be running on the node could be different). For example, during
-	// preemption, we may pass a copy of the original nodeInfo object that has some pods
-	// removed from it to evaluate the possibility of preempting them to
-	// schedule the target pod.
-	RunFilterPlugins(context.Context, fwk.CycleState, *v1.Pod, fwk.NodeInfo) *fwk.Status
-	// RunPreFilterExtensionAddPod calls the AddPod interface for the set of configured
-	// PreFilter plugins. It returns directly if any of the plugins return any
-	// status other than Success.
-	RunPreFilterExtensionAddPod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status
-	// RunPreFilterExtensionRemovePod calls the RemovePod interface for the set of configured
-	// PreFilter plugins. It returns directly if any of the plugins return any
-	// status other than Success.
-	RunPreFilterExtensionRemovePod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status
-}
diff --git a/pkg/scheduler/framework/interface_test.go b/pkg/scheduler/framework/interface_test.go
index 7777a89e5b4aa..46a8e2279bb49 100644
--- a/pkg/scheduler/framework/interface_test.go
+++ b/pkg/scheduler/framework/interface_test.go
@@ -17,252 +17,14 @@ limitations under the License.
 package framework
 
 import (
-	"errors"
 	"fmt"
 	"testing"
 
-	"github.com/google/go-cmp/cmp"
-
 	"k8s.io/apimachinery/pkg/util/sets"
 	fwk "k8s.io/kube-scheduler/framework"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 )
 
-var errorStatus = fwk.NewStatus(fwk.Error, "internal error")
-var statusWithErr = fwk.AsStatus(errors.New("internal error"))
-
-func TestStatus(t *testing.T) {
-	tests := []struct {
-		name              string
-		status            *fwk.Status
-		expectedCode      fwk.Code
-		expectedMessage   string
-		expectedIsSuccess bool
-		expectedIsWait    bool
-		expectedIsSkip    bool
-		expectedAsError   error
-	}{
-		{
-			name:              "success status",
-			status:            fwk.NewStatus(fwk.Success, ""),
-			expectedCode:      fwk.Success,
-			expectedMessage:   "",
-			expectedIsSuccess: true,
-			expectedIsWait:    false,
-			expectedIsSkip:    false,
-			expectedAsError:   nil,
-		},
-		{
-			name:              "wait status",
-			status:            fwk.NewStatus(fwk.Wait, ""),
-			expectedCode:      fwk.Wait,
-			expectedMessage:   "",
-			expectedIsSuccess: false,
-			expectedIsWait:    true,
-			expectedIsSkip:    false,
-			expectedAsError:   nil,
-		},
-		{
-			name:              "error status",
-			status:            fwk.NewStatus(fwk.Error, "unknown error"),
-			expectedCode:      fwk.Error,
-			expectedMessage:   "unknown error",
-			expectedIsSuccess: false,
-			expectedIsWait:    false,
-			expectedIsSkip:    false,
-			expectedAsError:   errors.New("unknown error"),
-		},
-		{
-			name:              "skip status",
-			status:            fwk.NewStatus(fwk.Skip, ""),
-			expectedCode:      fwk.Skip,
-			expectedMessage:   "",
-			expectedIsSuccess: false,
-			expectedIsWait:    false,
-			expectedIsSkip:    true,
-			expectedAsError:   nil,
-		},
-		{
-			name:              "nil status",
-			status:            nil,
-			expectedCode:      fwk.Success,
-			expectedMessage:   "",
-			expectedIsSuccess: true,
-			expectedIsSkip:    false,
-			expectedAsError:   nil,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			if test.status.Code() != test.expectedCode {
-				t.Errorf("expect status.Code() returns %v, but %v", test.expectedCode, test.status.Code())
-			}
-
-			if test.status.Message() != test.expectedMessage {
-				t.Errorf("expect status.Message() returns %v, but %v", test.expectedMessage, test.status.Message())
-			}
-
-			if test.status.IsSuccess() != test.expectedIsSuccess {
-				t.Errorf("expect status.IsSuccess() returns %v, but %v", test.expectedIsSuccess, test.status.IsSuccess())
-			}
-
-			if test.status.IsWait() != test.expectedIsWait {
-				t.Errorf("status.IsWait() returns %v, but want %v", test.status.IsWait(), test.expectedIsWait)
-			}
-
-			if test.status.IsSkip() != test.expectedIsSkip {
-				t.Errorf("status.IsSkip() returns %v, but want %v", test.status.IsSkip(), test.expectedIsSkip)
-			}
-
-			if test.status.AsError() == test.expectedAsError {
-				return
-			}
-
-			if test.status.AsError().Error() != test.expectedAsError.Error() {
-				t.Errorf("expect status.AsError() returns %v, but %v", test.expectedAsError, test.status.AsError())
-			}
-		})
-	}
-}
-
-func TestPreFilterResultMerge(t *testing.T) {
-	tests := map[string]struct {
-		receiver *PreFilterResult
-		in       *PreFilterResult
-		want     *PreFilterResult
-	}{
-		"all nil": {},
-		"nil receiver empty input": {
-			in:   &PreFilterResult{NodeNames: sets.New[string]()},
-			want: &PreFilterResult{NodeNames: sets.New[string]()},
-		},
-		"empty receiver nil input": {
-			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
-			want:     &PreFilterResult{NodeNames: sets.New[string]()},
-		},
-		"empty receiver empty input": {
-			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
-			in:       &PreFilterResult{NodeNames: sets.New[string]()},
-			want:     &PreFilterResult{NodeNames: sets.New[string]()},
-		},
-		"nil receiver populated input": {
-			in:   &PreFilterResult{NodeNames: sets.New("node1")},
-			want: &PreFilterResult{NodeNames: sets.New("node1")},
-		},
-		"empty receiver populated input": {
-			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
-			in:       &PreFilterResult{NodeNames: sets.New("node1")},
-			want:     &PreFilterResult{NodeNames: sets.New[string]()},
-		},
-
-		"populated receiver nil input": {
-			receiver: &PreFilterResult{NodeNames: sets.New("node1")},
-			want:     &PreFilterResult{NodeNames: sets.New("node1")},
-		},
-		"populated receiver empty input": {
-			receiver: &PreFilterResult{NodeNames: sets.New("node1")},
-			in:       &PreFilterResult{NodeNames: sets.New[string]()},
-			want:     &PreFilterResult{NodeNames: sets.New[string]()},
-		},
-		"populated receiver and input": {
-			receiver: &PreFilterResult{NodeNames: sets.New("node1", "node2")},
-			in:       &PreFilterResult{NodeNames: sets.New("node2", "node3")},
-			want:     &PreFilterResult{NodeNames: sets.New("node2")},
-		},
-	}
-	for name, test := range tests {
-		t.Run(name, func(t *testing.T) {
-			got := test.receiver.Merge(test.in)
-			if diff := cmp.Diff(test.want, got); diff != "" {
-				t.Errorf("unexpected diff (-want, +got):\n%s", diff)
-			}
-		})
-	}
-}
-
-func TestIsStatusEqual(t *testing.T) {
-	tests := []struct {
-		name string
-		x, y *fwk.Status
-		want bool
-	}{
-		{
-			name: "two nil should be equal",
-			x:    nil,
-			y:    nil,
-			want: true,
-		},
-		{
-			name: "nil should be equal to success status",
-			x:    nil,
-			y:    fwk.NewStatus(fwk.Success),
-			want: true,
-		},
-		{
-			name: "nil should not be equal with status except success",
-			x:    nil,
-			y:    fwk.NewStatus(fwk.Error, "internal error"),
-			want: false,
-		},
-		{
-			name: "one status should be equal to itself",
-			x:    errorStatus,
-			y:    errorStatus,
-			want: true,
-		},
-		{
-			name: "same type statuses without reasons should be equal",
-			x:    fwk.NewStatus(fwk.Success),
-			y:    fwk.NewStatus(fwk.Success),
-			want: true,
-		},
-		{
-			name: "statuses with same message should be equal",
-			x:    fwk.NewStatus(fwk.Unschedulable, "unschedulable"),
-			y:    fwk.NewStatus(fwk.Unschedulable, "unschedulable"),
-			want: true,
-		},
-		{
-			name: "error statuses with same message should be equal",
-			x:    fwk.NewStatus(fwk.Error, "error"),
-			y:    fwk.NewStatus(fwk.Error, "error"),
-			want: true,
-		},
-		{
-			name: "statuses with different reasons should not be equal",
-			x:    fwk.NewStatus(fwk.Unschedulable, "unschedulable"),
-			y:    fwk.NewStatus(fwk.Unschedulable, "unschedulable", "injected filter status"),
-			want: false,
-		},
-		{
-			name: "statuses with different codes should not be equal",
-			x:    fwk.NewStatus(fwk.Error, "internal error"),
-			y:    fwk.NewStatus(fwk.Unschedulable, "internal error"),
-			want: false,
-		},
-		{
-			name: "wrap error status should be equal with original one",
-			x:    statusWithErr,
-			y:    fwk.AsStatus(fmt.Errorf("error: %w", statusWithErr.AsError())),
-			want: true,
-		},
-		{
-			name: "statues with different errors that have the same message shouldn't be equal",
-			x:    fwk.AsStatus(errors.New("error")),
-			y:    fwk.AsStatus(errors.New("error")),
-			want: false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := tt.x.Equal(tt.y); got != tt.want {
-				t.Errorf("cmp.Equal() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 type nodeInfoLister []fwk.NodeInfo
 
 func (nodes nodeInfoLister) Get(nodeName string) (fwk.NodeInfo, error) {
diff --git a/pkg/scheduler/framework/listers.go b/pkg/scheduler/framework/listers.go
deleted file mode 100644
index 54f4c8eb966a5..0000000000000
--- a/pkg/scheduler/framework/listers.go
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
-Copyright 2019 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package framework
-
-import (
-	resourceapi "k8s.io/api/resource/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/dynamic-resource-allocation/structured"
-	fwk "k8s.io/kube-scheduler/framework"
-)
-
-// NodeInfoLister interface represents anything that can list/get NodeInfo objects from node name.
-type NodeInfoLister interface {
-	// List returns the list of NodeInfos.
-	List() ([]fwk.NodeInfo, error)
-	// HavePodsWithAffinityList returns the list of NodeInfos of nodes with pods with affinity terms.
-	HavePodsWithAffinityList() ([]fwk.NodeInfo, error)
-	// HavePodsWithRequiredAntiAffinityList returns the list of NodeInfos of nodes with pods with required anti-affinity terms.
-	HavePodsWithRequiredAntiAffinityList() ([]fwk.NodeInfo, error)
-	// Get returns the NodeInfo of the given node name.
-	Get(nodeName string) (fwk.NodeInfo, error)
-}
-
-// StorageInfoLister interface represents anything that handles storage-related operations and resources.
-type StorageInfoLister interface {
-	// IsPVCUsedByPods returns true/false on whether the PVC is used by one or more scheduled pods,
-	// keyed in the format "namespace/name".
-	IsPVCUsedByPods(key string) bool
-}
-
-// SharedLister groups scheduler-specific listers.
-type SharedLister interface {
-	NodeInfos() NodeInfoLister
-	StorageInfos() StorageInfoLister
-}
-
-// ResourceSliceLister can be used to obtain ResourceSlices.
-type ResourceSliceLister interface {
-	// ListWithDeviceTaintRules returns a list of all ResourceSlices with DeviceTaintRules applied
-	// if the DRADeviceTaints feature is enabled, otherwise without them.
-	//
-	// k8s.io/dynamic-resource-allocation/resourceslice/tracker provides an implementation
-	// of the necessary logic. That tracker can be instantiated as a replacement for
-	// a normal ResourceSlice informer and provides a ListPatchedResourceSlices method.
-	ListWithDeviceTaintRules() ([]*resourceapi.ResourceSlice, error)
-}
-
-// DeviceClassLister can be used to obtain DeviceClasses.
-type DeviceClassLister interface {
-	// List returns a list of all DeviceClasses.
-	List() ([]*resourceapi.DeviceClass, error)
-	// Get returns the DeviceClass with the given className.
-	Get(className string) (*resourceapi.DeviceClass, error)
-}
-
-// ResourceClaimTracker can be used to obtain ResourceClaims, and track changes to ResourceClaims in-memory.
-//
-// If the claims are meant to be allocated in the API during the binding phase (when used by scheduler), the tracker helps avoid
-// race conditions between scheduling and binding phases (as well as between the binding phase and the informer cache update).
-//
-// If the binding phase is not run (e.g. when used by Cluster Autoscaler which only runs the scheduling phase, and simulates binding in-memory),
-// the tracker allows the framework user to obtain the claim allocations produced by the DRA plugin, and persist them outside of the API (e.g. in-memory).
-type ResourceClaimTracker interface {
-	// List lists ResourceClaims. The result is guaranteed to immediately include any changes made via AssumeClaimAfterAPICall(),
-	// and SignalClaimPendingAllocation().
-	List() ([]*resourceapi.ResourceClaim, error)
-	// Get works like List(), but for a single claim.
-	Get(namespace, claimName string) (*resourceapi.ResourceClaim, error)
-	// ListAllAllocatedDevices lists all allocated Devices from allocated ResourceClaims. The result is guaranteed to immediately include
-	// any changes made via AssumeClaimAfterAPICall(), and SignalClaimPendingAllocation().
-	ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error)
-	// GatherAllocatedState gathers information about allocated devices from allocated ResourceClaims. The result is guaranteed to immediately include
-	// any changes made via AssumeClaimAfterAPICall(), and SignalClaimPendingAllocation().
-	GatherAllocatedState() (*structured.AllocatedState, error)
-
-	// SignalClaimPendingAllocation signals to the tracker that the given ResourceClaim will be allocated via an API call in the
-	// binding phase. This change is immediately reflected in the result of List() and the other accessors.
-	SignalClaimPendingAllocation(claimUID types.UID, allocatedClaim *resourceapi.ResourceClaim) error
-	// ClaimHasPendingAllocation answers whether a given claim has a pending allocation during the binding phase. It can be used to avoid
-	// race conditions in subsequent scheduling phases.
-	ClaimHasPendingAllocation(claimUID types.UID) bool
-	// RemoveClaimPendingAllocation removes the pending allocation for the given ResourceClaim from the tracker if any was signaled via
-	// SignalClaimPendingAllocation(). Returns whether there was a pending allocation to remove. List() and the other accessors immediately
-	// stop reflecting the pending allocation in the results.
-	RemoveClaimPendingAllocation(claimUID types.UID) (deleted bool)
-
-	// AssumeClaimAfterAPICall signals to the tracker that an API call modifying the given ResourceClaim was made in the binding phase, and the
-	// changes should be reflected in informers very soon. This change is immediately reflected in the result of List() and the other accessors.
-	// This mechanism can be used to avoid race conditions between the informer update and subsequent scheduling phases.
-	AssumeClaimAfterAPICall(claim *resourceapi.ResourceClaim) error
-	// AssumedClaimRestore signals to the tracker that something went wrong with the API call modifying the given ResourceClaim, and
-	// the changes won't be reflected in informers after all. List() and the other accessors immediately stop reflecting the assumed change,
-	// and go back to the informer version.
-	AssumedClaimRestore(namespace, claimName string)
-}
-
-// SharedDRAManager can be used to obtain DRA objects, and track modifications to them in-memory - mainly by the DRA plugin.
-// The plugin's default implementation obtains the objects from the API. A different implementation can be
-// plugged into the framework in order to simulate the state of DRA objects. For example, Cluster Autoscaler
-// can use this to provide the correct DRA object state to the DRA plugin when simulating scheduling changes in-memory.
-type SharedDRAManager interface {
-	ResourceClaims() ResourceClaimTracker
-	ResourceSlices() ResourceSliceLister
-	DeviceClasses() DeviceClassLister
-}
diff --git a/pkg/scheduler/framework/parallelize/parallelism.go b/pkg/scheduler/framework/parallelize/parallelism.go
index 2ac14289a0c9d..8cd801ff3433a 100644
--- a/pkg/scheduler/framework/parallelize/parallelism.go
+++ b/pkg/scheduler/framework/parallelize/parallelism.go
@@ -27,12 +27,13 @@ import (
 // DefaultParallelism is the default parallelism used in scheduler.
 const DefaultParallelism int = 16
 
-// Parallelizer holds the parallelism for scheduler.
+// Parallelizer implements k8s.io/kube-scheduler/framework.Parallelizer helps run scheduling operations in parallel chunks where possible, to improve performance and CPU utilization.
+// It wraps logic of k8s.io/client-go/util/workqueue to run operations on multiple workers.
 type Parallelizer struct {
 	parallelism int
 }
 
-// NewParallelizer returns an object holding the parallelism.
+// NewParallelizer returns an object holding the parallelism (number of workers).
 func NewParallelizer(p int) Parallelizer {
 	return Parallelizer{parallelism: p}
 }
diff --git a/pkg/scheduler/framework/plugins/defaultbinder/default_binder.go b/pkg/scheduler/framework/plugins/defaultbinder/default_binder.go
index eb9207fa4b3d4..5e11c5d8755e3 100644
--- a/pkg/scheduler/framework/plugins/defaultbinder/default_binder.go
+++ b/pkg/scheduler/framework/plugins/defaultbinder/default_binder.go
@@ -24,7 +24,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 )
 
@@ -33,13 +32,13 @@ const Name = names.DefaultBinder
 
 // DefaultBinder binds pods to nodes using a k8s client.
 type DefaultBinder struct {
-	handle framework.Handle
+	handle fwk.Handle
 }
 
-var _ framework.BindPlugin = &DefaultBinder{}
+var _ fwk.BindPlugin = &DefaultBinder{}
 
 // New creates a DefaultBinder.
-func New(_ context.Context, _ runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 	return &DefaultBinder{handle: handle}, nil
 }
 
diff --git a/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption.go b/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption.go
index 9858b950eba31..bc3d55b49e6e2 100644
--- a/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption.go
+++ b/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption.go
@@ -27,16 +27,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/informers"
-	corelisters "k8s.io/client-go/listers/core/v1"
-	policylisters "k8s.io/client-go/listers/policy/v1"
 	corev1helpers "k8s.io/component-helpers/scheduling/corev1"
 	"k8s.io/klog/v2"
 	extenderv1 "k8s.io/kube-scheduler/extender/v1"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/framework/preemption"
@@ -66,11 +62,9 @@ type MoreImportantPodFunc func(pod1, pod2 *v1.Pod) bool
 
 // DefaultPreemption is a PostFilter plugin implements the preemption logic.
 type DefaultPreemption struct {
-	fh        framework.Handle
+	fh        fwk.Handle
 	fts       feature.Features
 	args      config.DefaultPreemptionArgs
-	podLister corelisters.PodLister
-	pdbLister policylisters.PodDisruptionBudgetLister
 	Evaluator *preemption.Evaluator
 
 	// IsEligiblePod returns whether a victim pod is allowed to be preempted by a preemptor pod.
@@ -86,8 +80,8 @@ type DefaultPreemption struct {
 	MoreImportantPod MoreImportantPodFunc
 }
 
-var _ framework.PostFilterPlugin = &DefaultPreemption{}
-var _ framework.PreEnqueuePlugin = &DefaultPreemption{}
+var _ fwk.PostFilterPlugin = &DefaultPreemption{}
+var _ fwk.PreEnqueuePlugin = &DefaultPreemption{}
 
 // Name returns name of the plugin. It is used in logs, etc.
 func (pl *DefaultPreemption) Name() string {
@@ -95,7 +89,7 @@ func (pl *DefaultPreemption) Name() string {
 }
 
 // New initializes a new plugin and returns it. The plugin type is retained to allow modification.
-func New(_ context.Context, dpArgs runtime.Object, fh framework.Handle, fts feature.Features) (*DefaultPreemption, error) {
+func New(_ context.Context, dpArgs runtime.Object, fh fwk.Handle, fts feature.Features) (*DefaultPreemption, error) {
 	args, ok := dpArgs.(*config.DefaultPreemptionArgs)
 	if !ok {
 		return nil, fmt.Errorf("got args of type %T, want *DefaultPreemptionArgs", dpArgs)
@@ -104,15 +98,10 @@ func New(_ context.Context, dpArgs runtime.Object, fh framework.Handle, fts feat
 		return nil, err
 	}
 
-	podLister := fh.SharedInformerFactory().Core().V1().Pods().Lister()
-	pdbLister := getPDBLister(fh.SharedInformerFactory())
-
 	pl := DefaultPreemption{
-		fh:        fh,
-		fts:       fts,
-		args:      *args,
-		podLister: podLister,
-		pdbLister: pdbLister,
+		fh:   fh,
+		fts:  fts,
+		args: *args,
 	}
 	pl.Evaluator = preemption.NewEvaluator(Name, fh, &pl, fts.EnableAsyncPreemption)
 
@@ -129,7 +118,7 @@ func New(_ context.Context, dpArgs runtime.Object, fh framework.Handle, fts feat
 }
 
 // PostFilter invoked at the postFilter extension point.
-func (pl *DefaultPreemption) PostFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, m framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (pl *DefaultPreemption) PostFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, m fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	defer func() {
 		metrics.PreemptionAttempts.Inc()
 	}()
@@ -428,7 +417,3 @@ func filterPodsWithPDBViolation(podInfos []fwk.PodInfo, pdbs []*policy.PodDisrup
 	}
 	return violatingPodInfos, nonViolatingPodInfos
 }
-
-func getPDBLister(informerFactory informers.SharedInformerFactory) policylisters.PodDisruptionBudgetLister {
-	return informerFactory.Policy().V1().PodDisruptionBudgets().Lister()
-}
diff --git a/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption_test.go b/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption_test.go
index ae7cdc40c3326..83204427db492 100644
--- a/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption_test.go
+++ b/pkg/scheduler/framework/plugins/defaultpreemption/default_preemption_test.go
@@ -123,7 +123,7 @@ type TestPlugin struct {
 	name string
 }
 
-func newTestPlugin(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newTestPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	return &TestPlugin{name: "test-plugin"}, nil
 }
 
@@ -145,11 +145,11 @@ func (pl *TestPlugin) Name() string {
 	return pl.name
 }
 
-func (pl *TestPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *TestPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
-func (pl *TestPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *TestPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	return nil, nil
 }
 
@@ -173,8 +173,8 @@ func TestPostFilter(t *testing.T) {
 		pdbs                  []*policy.PodDisruptionBudget
 		nodes                 []*v1.Node
 		filteredNodesStatuses *framework.NodeToStatus
-		extender              framework.Extender
-		wantResult            *framework.PostFilterResult
+		extender              fwk.Extender
+		wantResult            *fwk.PostFilterResult
 		wantStatus            *fwk.Status
 	}{
 		{
@@ -223,7 +223,7 @@ func TestPostFilter(t *testing.T) {
 			wantStatus: fwk.NewStatus(fwk.Unschedulable, "preemption: 0/1 nodes are available: 1 Preemption is not helpful for scheduling."),
 		},
 		{
-			name: "preemption should respect absent NodeToStatusMap entry meaning UnschedulableAndUnresolvable",
+			name: "preemption should respect absent NodeToStatusReader entry meaning UnschedulableAndUnresolvable",
 			pod:  st.MakePod().Name("p").UID("p").Namespace(v1.NamespaceDefault).Priority(highPriority).Obj(),
 			pods: []*v1.Pod{
 				st.MakePod().Name("p1").UID("p1").Namespace(v1.NamespaceDefault).Node("node1").Obj(),
@@ -426,7 +426,7 @@ func TestPostFilter(t *testing.T) {
 					tf.RegisterPluginAsExtensions("test-plugin", newTestPlugin, "PreFilter"),
 					tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 				}
-				var extenders []framework.Extender
+				var extenders []fwk.Extender
 				if tt.extender != nil {
 					extenders = append(extenders, tt.extender)
 				}
@@ -1156,7 +1156,7 @@ func TestDryRunPreemption(t *testing.T) {
 			registeredPlugins := append([]tf.RegisterPluginFunc{
 				tf.RegisterFilterPlugin(
 					"FakeFilter",
-					func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 						return &fakePlugin, nil
 					},
 				)},
@@ -1843,7 +1843,6 @@ func TestCustomOrdering(t *testing.T) {
 func TestPodEligibleToPreemptOthers(t *testing.T) {
 	tests := []struct {
 		name                string
-		fts                 feature.Features
 		pod                 *v1.Pod
 		pods                []*v1.Pod
 		nodes               []string
@@ -1939,7 +1938,7 @@ func TestPreempt(t *testing.T) {
 		extenders      []*tf.FakeExtender
 		nodeNames      []string
 		registerPlugin tf.RegisterPluginFunc
-		want           *framework.PostFilterResult
+		want           *fwk.PostFilterResult
 		expectedPods   []string // list of preempted pods
 	}{
 		{
@@ -2196,7 +2195,7 @@ func TestPreempt(t *testing.T) {
 						cachedNodeInfo.SetNode(node)
 						cachedNodeInfoMap[node.Name] = cachedNodeInfo
 					}
-					var extenders []framework.Extender
+					var extenders []fwk.Extender
 					for _, extender := range test.extenders {
 						// Set nodeInfoMap as extenders cached node information.
 						extender.CachedNodeNameToInfo = cachedNodeInfoMap
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go b/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
index 24d6f8c97c352..21d192ffc8930 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/allocateddevices.go
@@ -85,11 +85,18 @@ func foreachAllocatedDevice(claim *resourceapi.ResourceClaim,
 // This is cheaper than repeatedly calling List, making strings unique, and building the set
 // each time PreFilter is called.
 //
+// To simplify detecting concurrent changes, each modification bumps a revision counter,
+// similar to ResourceVersion in the apiserver. Get and Capacities include the
+// current value in their result. A caller than can compare againt the current value
+// to determine whether some prior results are still up-to-date, without having to get
+// and compare them.
+//
 // All methods are thread-safe. Get returns a cloned set.
 type allocatedDevices struct {
 	logger klog.Logger
 
 	mutex                     sync.RWMutex
+	revision                  int64
 	ids                       sets.Set[structured.DeviceID]
 	shareIDs                  sets.Set[structured.SharedDeviceID]
 	capacities                structured.ConsumedCapacityCollection
@@ -106,18 +113,25 @@ func newAllocatedDevices(logger klog.Logger) *allocatedDevices {
 	}
 }
 
-func (a *allocatedDevices) Get() sets.Set[structured.DeviceID] {
+func (a *allocatedDevices) Get() (sets.Set[structured.DeviceID], int64) {
 	a.mutex.RLock()
 	defer a.mutex.RUnlock()
 
-	return a.ids.Clone()
+	return a.ids.Clone(), a.revision
 }
 
-func (a *allocatedDevices) Capacities() structured.ConsumedCapacityCollection {
+func (a *allocatedDevices) Capacities() (structured.ConsumedCapacityCollection, int64) {
 	a.mutex.RLock()
 	defer a.mutex.RUnlock()
 
-	return a.capacities.Clone()
+	return a.capacities.Clone(), a.revision
+}
+
+func (a *allocatedDevices) Revision() int64 {
+	a.mutex.RLock()
+	defer a.mutex.RUnlock()
+
+	return a.revision
 }
 
 func (a *allocatedDevices) handlers() cache.ResourceEventHandler {
@@ -200,8 +214,13 @@ func (a *allocatedDevices) addDevices(claim *resourceapi.ResourceClaim) {
 		},
 	)
 
+	if len(deviceIDs) == 0 && len(shareIDs) == 0 && len(deviceCapacities) == 0 {
+		return
+	}
+
 	a.mutex.Lock()
 	defer a.mutex.Unlock()
+	a.revision++
 	for _, deviceID := range deviceIDs {
 		a.ids.Insert(deviceID)
 	}
@@ -241,8 +260,14 @@ func (a *allocatedDevices) removeDevices(claim *resourceapi.ResourceClaim) {
 			a.logger.V(6).Info("Observed consumed capacity release", "device id", capacity.DeviceID, "consumed capacity", capacity.ConsumedCapacity, "claim", klog.KObj(claim))
 			deviceCapacities = append(deviceCapacities, capacity)
 		})
+
+	if len(deviceIDs) == 0 && len(shareIDs) == 0 && len(deviceCapacities) == 0 {
+		return
+	}
+
 	a.mutex.Lock()
 	defer a.mutex.Unlock()
+	a.revision++
 	for _, deviceID := range deviceIDs {
 		a.ids.Delete(deviceID)
 	}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go b/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
index eadada3520e57..2be14d10ec691 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
@@ -18,6 +18,7 @@ package dynamicresources
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"sync"
 
@@ -28,28 +29,29 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	resourcelisters "k8s.io/client-go/listers/resource/v1"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
 	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/dynamic-resource-allocation/structured"
 	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 )
 
-var _ framework.SharedDRAManager = &DefaultDRAManager{}
+var _ fwk.SharedDRAManager = &DefaultDRAManager{}
 
 // DefaultDRAManager is the default implementation of SharedDRAManager. It obtains the DRA objects
 // from API informers, and uses an AssumeCache and a map of in-flight allocations in order
 // to avoid race conditions when modifying ResourceClaims.
 type DefaultDRAManager struct {
-	resourceClaimTracker *claimTracker
-	resourceSliceLister  *resourceSliceLister
-	deviceClassLister    *deviceClassLister
+	resourceClaimTracker  *claimTracker
+	resourceSliceLister   *resourceSliceLister
+	deviceClassLister     *deviceClassLister
+	extendedResourceCache *extendedresourcecache.ExtendedResourceCache
 }
 
 func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, resourceSliceTracker *resourceslicetracker.Tracker, informerFactory informers.SharedInformerFactory) *DefaultDRAManager {
 	logger := klog.FromContext(ctx)
-
 	manager := &DefaultDRAManager{
 		resourceClaimTracker: &claimTracker{
 			cache:               claimsCache,
@@ -61,6 +63,10 @@ func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, re
 		deviceClassLister:   &deviceClassLister{classLister: informerFactory.Resource().V1().DeviceClasses().Lister()},
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+		manager.extendedResourceCache = extendedresourcecache.NewExtendedResourceCache(logger)
+	}
+
 	// Reacting to events is more efficient than iterating over the list
 	// repeatedly in PreFilter.
 	manager.resourceClaimTracker.cache.AddEventHandler(manager.resourceClaimTracker.allocatedDevices.handlers())
@@ -68,19 +74,29 @@ func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, re
 	return manager
 }
 
-func (s *DefaultDRAManager) ResourceClaims() framework.ResourceClaimTracker {
+func (s *DefaultDRAManager) ResourceClaims() fwk.ResourceClaimTracker {
 	return s.resourceClaimTracker
 }
 
-func (s *DefaultDRAManager) ResourceSlices() framework.ResourceSliceLister {
+func (s *DefaultDRAManager) ResourceSlices() fwk.ResourceSliceLister {
 	return s.resourceSliceLister
 }
 
-func (s *DefaultDRAManager) DeviceClasses() framework.DeviceClassLister {
+func (s *DefaultDRAManager) DeviceClasses() fwk.DeviceClassLister {
 	return s.deviceClassLister
 }
 
-var _ framework.ResourceSliceLister = &resourceSliceLister{}
+// DeviceClassResolver will always return a valid interface implementation. It
+// wraps a nil extendedresourcecache.ExtendedResourceCache if the feature is
+// disabled.
+//
+// That's okay, extendedresourcecache.ExtendedResourceCache.GetDeviceClass
+// returns nil if called for nil.
+func (s *DefaultDRAManager) DeviceClassResolver() fwk.DeviceClassResolver {
+	return s.extendedResourceCache
+}
+
+var _ fwk.ResourceSliceLister = &resourceSliceLister{}
 
 type resourceSliceLister struct {
 	tracker *resourceslicetracker.Tracker
@@ -90,7 +106,7 @@ func (l *resourceSliceLister) ListWithDeviceTaintRules() ([]*resourceapi.Resourc
 	return l.tracker.ListPatchedResourceSlices()
 }
 
-var _ framework.DeviceClassLister = &deviceClassLister{}
+var _ fwk.DeviceClassLister = &deviceClassLister{}
 
 type deviceClassLister struct {
 	classLister resourcelisters.DeviceClassLister
@@ -104,7 +120,7 @@ func (l *deviceClassLister) List() ([]*resourceapi.DeviceClass, error) {
 	return l.classLister.List(labels.Everything())
 }
 
-var _ framework.ResourceClaimTracker = &claimTracker{}
+var _ fwk.ResourceClaimTracker = &claimTracker{}
 
 type claimTracker struct {
 	// cache enables temporarily storing a newer claim object
@@ -203,10 +219,29 @@ func (c *claimTracker) List() ([]*resourceapi.ResourceClaim, error) {
 	return result, nil
 }
 
+// errClaimTrackerConcurrentModification gets returned if ListAllAllocatedDevices
+// or GatherAllocatedState need to be retried.
+//
+// There is a rare race when a claim is initially in-flight:
+// - allocated is created from cache (claim not there)
+// - someone removes from the in-flight claims and adds to the cache
+// - we start checking in-flight claims (claim not there anymore)
+// => claim ignored
+//
+// A proper fix would be to rewrite the assume cache, allocatedDevices,
+// and the in-flight map so that they are under a single lock. But that's
+// a pretty big change and prevents reusing the assume cache. So instead
+// we check for changes in the set of allocated devices and keep trying
+// until we get an attempt with no concurrent changes.
+//
+// A claim being first in the cache, then only in-flight cannot happen,
+// so we don't need to re-check the in-flight claims.
+var errClaimTrackerConcurrentModification = errors.New("conflicting concurrent modification")
+
 func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error) {
 	// Start with a fresh set that matches the current known state of the
 	// world according to the informers.
-	allocated := c.allocatedDevices.Get()
+	allocated, revision := c.allocatedDevices.Get()
 
 	// Whatever is in flight also has to be checked.
 	c.inFlightAllocations.Range(func(key, value any) bool {
@@ -217,16 +252,26 @@ func (c *claimTracker) ListAllAllocatedDevices() (sets.Set[structured.DeviceID],
 		}, false, func(structured.SharedDeviceID) {}, func(structured.DeviceConsumedCapacity) {})
 		return true
 	})
-	// There's no reason to return an error in this implementation, but the error might be helpful for other implementations.
-	return allocated, nil
+
+	if revision == c.allocatedDevices.Revision() {
+		// Our current result is valid, nothing changed in the meantime.
+		return allocated, nil
+	}
+
+	return nil, errClaimTrackerConcurrentModification
 }
 
 func (c *claimTracker) GatherAllocatedState() (*structured.AllocatedState, error) {
 	// Start with a fresh set that matches the current known state of the
 	// world according to the informers.
-	allocated := c.allocatedDevices.Get()
+	allocated, revision1 := c.allocatedDevices.Get()
 	allocatedSharedDeviceIDs := sets.New[structured.SharedDeviceID]()
-	aggregatedCapacity := c.allocatedDevices.Capacities()
+	aggregatedCapacity, revision2 := c.allocatedDevices.Capacities()
+
+	if revision1 != revision2 {
+		// Already not consistent. Try again.
+		return nil, errClaimTrackerConcurrentModification
+	}
 
 	enabledConsumableCapacity := utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity)
 
@@ -248,12 +293,16 @@ func (c *claimTracker) GatherAllocatedState() (*structured.AllocatedState, error
 		return true
 	})
 
-	// There's no reason to return an error in this implementation, but the error might be helpful for other implementations.
-	return &structured.AllocatedState{
-		AllocatedDevices:         allocated,
-		AllocatedSharedDeviceIDs: allocatedSharedDeviceIDs,
-		AggregatedCapacity:       aggregatedCapacity,
-	}, nil
+	if revision1 == c.allocatedDevices.Revision() {
+		// Our current result is valid, nothing changed in the meantime.
+		return &structured.AllocatedState{
+			AllocatedDevices:         allocated,
+			AllocatedSharedDeviceIDs: allocatedSharedDeviceIDs,
+			AggregatedCapacity:       aggregatedCapacity,
+		}, nil
+	}
+
+	return nil, errClaimTrackerConcurrentModification
 }
 
 func (c *claimTracker) AssumeClaimAfterAPICall(claim *resourceapi.ResourceClaim) error {
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
index 7f6c4ddca9f1f..75551dc98055d 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"iter"
 	"slices"
 	"strings"
 	"sync"
@@ -30,33 +31,26 @@ import (
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
-	resourcehelper "k8s.io/component-helpers/resource"
 	"k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
 	"k8s.io/dynamic-resource-allocation/cel"
 	"k8s.io/dynamic-resource-allocation/resourceclaim"
 	"k8s.io/dynamic-resource-allocation/structured"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/extended"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
-	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
-	"k8s.io/kubernetes/pkg/util/slice"
 	"k8s.io/utils/ptr"
 )
 
@@ -65,22 +59,6 @@ const (
 	Name = names.DynamicResources
 
 	stateKey fwk.StateKey = Name
-
-	// specialClaimInMemName is the name of the special resource claim that
-	// exists only in memory. The claim will get a generated name when it is
-	// written to API server.
-	//
-	// It's intentionally not a valid ResourceClaim name to avoid conflicts with
-	// some actual ResourceClaim in the apiserver.
-	specialClaimInMemName = "<extended-resources>"
-
-	// BindingTimeoutDefaultSeconds is the default timeout for waiting for
-	// BindingConditions to be ready.
-	BindingTimeoutDefaultSeconds = 600
-
-	// AssumeExtendedResourceTimeoutDefaultSeconds is the default timeout for waiting
-	// for the extended resource claim to be updated in assumed cache.
-	AssumeExtendedResourceTimeoutDefaultSeconds = 120
 )
 
 // The state is initialized in PreFilter phase. Because we save the pointer in
@@ -135,15 +113,6 @@ func (d *stateData) Clone() fwk.StateData {
 	return d
 }
 
-// draExtendedResource stores data for extended resources backed by DRA.
-// It will remain empty when the DRAExtendedResource feature is disabled.
-type draExtendedResource struct {
-	// May have extended resource backed by DRA.
-	podScalarResources map[v1.ResourceName]int64
-	// The mapping of extended resource to device class name
-	resourceToDeviceClass map[v1.ResourceName]string
-}
-
 type informationForClaim struct {
 	// Node selector based on the claim status if allocated.
 	availableOnNodes *nodeaffinity.NodeSelector
@@ -152,7 +121,7 @@ type informationForClaim struct {
 	allocation *resourceapi.AllocationResult
 }
 
-// nodeAllocation holds the the allocation results and extended resource claim per node.
+// nodeAllocation holds the allocation results and extended resource claim per node.
 type nodeAllocation struct {
 	// allocationResults has the allocation results, matching the order of
 	// claims which had to be allocated.
@@ -160,31 +129,25 @@ type nodeAllocation struct {
 	// extendedResourceClaim has the special claim for extended resource backed by DRA
 	// created during Filter for the nodes.
 	extendedResourceClaim *resourceapi.ResourceClaim
+	// containerResourceRequestMappings has the container, extended resource, and device request mappings
+	// calculated at the Filter phase, and used at the PreBind phase.
+	containerResourceRequestMappings []v1.ContainerExtendedResourceRequest
 }
 
 // DynamicResources is a plugin that ensures that ResourceClaims are allocated.
 type DynamicResources struct {
-	enabled                       bool
-	enableAdminAccess             bool
-	enablePrioritizedList         bool
-	enableSchedulingQueueHint     bool
-	enablePartitionableDevices    bool
-	enableDeviceTaints            bool
-	enableDeviceBindingConditions bool
-	enableDeviceStatus            bool
-	enableExtendedResource        bool
-	enableFilterTimeout           bool
-	filterTimeout                 time.Duration
-	enableConsumableCapacity      bool
-
-	fh         framework.Handle
-	clientset  kubernetes.Interface
-	celCache   *cel.Cache
-	draManager framework.SharedDRAManager
+	enabled        bool
+	fts            feature.Features
+	filterTimeout  time.Duration
+	bindingTimeout time.Duration
+	fh             fwk.Handle
+	clientset      kubernetes.Interface
+	celCache       *cel.Cache
+	draManager     fwk.SharedDRAManager
 }
 
 // New initializes a new plugin and returns it.
-func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(ctx context.Context, plArgs runtime.Object, fh fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	if !fts.EnableDynamicResourceAllocation {
 		// Disabled, won't do anything.
 		return &DynamicResources{}, nil
@@ -199,44 +162,50 @@ func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts fe
 	}
 
 	pl := &DynamicResources{
-		enabled:                       true,
-		enableAdminAccess:             fts.EnableDRAAdminAccess,
-		enableDeviceTaints:            fts.EnableDRADeviceTaints,
-		enablePrioritizedList:         fts.EnableDRAPrioritizedList,
-		enableFilterTimeout:           fts.EnableDRASchedulerFilterTimeout,
-		enableSchedulingQueueHint:     fts.EnableSchedulingQueueHint,
-		enablePartitionableDevices:    fts.EnablePartitionableDevices,
-		enableExtendedResource:        fts.EnableDRAExtendedResource,
-		enableConsumableCapacity:      fts.EnableConsumableCapacity,
-		filterTimeout:                 ptr.Deref(args.FilterTimeout, metav1.Duration{}).Duration,
-		enableDeviceBindingConditions: fts.EnableDRADeviceBindingConditions,
-		enableDeviceStatus:            fts.EnableDRAResourceClaimDeviceStatus,
-
+		enabled:       true,
+		fts:           fts,
+		filterTimeout: ptr.Deref(args.FilterTimeout, metav1.Duration{}).Duration,
+		bindingTimeout: ptr.Deref(
+			args.BindingTimeout,
+			metav1.Duration{Duration: config.DynamicResourcesBindingTimeoutDefault},
+		).Duration,
 		fh:        fh,
 		clientset: fh.ClientSet(),
 		// This is a LRU cache for compiled CEL expressions. The most
 		// recent 10 of them get reused across different scheduling
 		// cycles.
-		celCache:   cel.NewCache(10, cel.Features{EnableConsumableCapacity: fts.EnableConsumableCapacity}),
+		celCache:   cel.NewCache(10, cel.Features{EnableConsumableCapacity: fts.EnableDRAConsumableCapacity}),
 		draManager: fh.SharedDRAManager(),
 	}
 
 	return pl, nil
 }
 
-var _ framework.PreEnqueuePlugin = &DynamicResources{}
-var _ framework.PreFilterPlugin = &DynamicResources{}
-var _ framework.FilterPlugin = &DynamicResources{}
-var _ framework.PostFilterPlugin = &DynamicResources{}
-var _ framework.ReservePlugin = &DynamicResources{}
-var _ framework.EnqueueExtensions = &DynamicResources{}
-var _ framework.PreBindPlugin = &DynamicResources{}
+var _ fwk.PreEnqueuePlugin = &DynamicResources{}
+var _ fwk.PreFilterPlugin = &DynamicResources{}
+var _ fwk.FilterPlugin = &DynamicResources{}
+var _ fwk.PostFilterPlugin = &DynamicResources{}
+var _ fwk.ScorePlugin = &DynamicResources{}
+var _ fwk.ReservePlugin = &DynamicResources{}
+var _ fwk.EnqueueExtensions = &DynamicResources{}
+var _ fwk.PreBindPlugin = &DynamicResources{}
+var _ fwk.SignPlugin = &DynamicResources{}
 
 // Name returns name of the plugin. It is used in logs, etc.
 func (pl *DynamicResources) Name() string {
 	return Name
 }
 
+// Because it isn't simple to determine if DRA claims are single host or more complex,
+// we exclude any pod with a DRA claim from signatures. We should improve this.
+// See https://github.com/kubernetes/kubernetes/issues/134986
+func (pl *DynamicResources) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	if len(pod.Spec.ResourceClaims) > 0 {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "pods with dra resource claims are not signable")
+	}
+	return nil, nil
+}
+
 // EventsToRegister returns the possible events that may make a Pod
 // failed by this plugin schedulable.
 func (pl *DynamicResources) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
@@ -251,7 +220,7 @@ func (pl *DynamicResources) EventsToRegister(_ context.Context) ([]fwk.ClusterEv
 	// But, we may miss Node/Add event due to preCheck, and we decided to register UpdateNodeTaint | UpdateNodeLabel for all plugins registering Node/Add.
 	// See: https://github.com/kubernetes/kubernetes/issues/109437
 	nodeActionType := fwk.Add | fwk.UpdateNodeLabel | fwk.UpdateNodeTaint | fwk.UpdateNodeAllocatable
-	if pl.enableSchedulingQueueHint {
+	if pl.fts.EnableSchedulingQueueHint {
 		// When QHint is enabled, the problematic preCheck is already removed, and we can remove UpdateNodeTaint.
 		nodeActionType = fwk.Add | fwk.UpdateNodeLabel | fwk.UpdateNodeAllocatable
 	}
@@ -427,126 +396,10 @@ func (pl *DynamicResources) foreachPodResourceClaim(pod *v1.Pod, cb func(podReso
 	return nil
 }
 
-// hasDeviceClassMappedExtendedResource returns true when the given resource list has an extended resource, that has
-// a mapping to a device class.
-func hasDeviceClassMappedExtendedResource(reqs v1.ResourceList, deviceClassMapping map[v1.ResourceName]string) bool {
-	for rName, rValue := range reqs {
-		if rValue.IsZero() {
-			// We only care about the resources requested by the pod we are trying to schedule.
-			continue
-		}
-		if v1helper.IsExtendedResourceName(rName) {
-			_, ok := deviceClassMapping[rName]
-			if ok {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// findExtendedResourceClaim looks for the extended resource claim, i.e., the claim with special annotation
-// set to "true", and with the pod as owner. It must be called with all ResourceClaims in the cluster.
-// The returned ResourceClaim is read-only.
-func findExtendedResourceClaim(pod *v1.Pod, resourceClaims []*resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
-	for _, c := range resourceClaims {
-		if c.Annotations[resourceapi.ExtendedResourceClaimAnnotation] == "true" {
-			for _, or := range c.OwnerReferences {
-				if or.Name == pod.Name && *or.Controller && or.UID == pod.UID {
-					return c
-				}
-			}
-		}
-	}
-	return nil
-}
-
-// preFilterExtendedResources checks if there is any extended resource in the
-// pod requests that has a device class mapping, i.e., there is a device class
-// that has spec.ExtendedResourceName or its implicit extended resource name
-// matching the given extended resource in that pod requests.
-//
-// It looks for the special resource claim for the pod created from prior scheduling
-// cycle. If not found, it creates the special claim with no Requests in the Spec,
-// with a temporary UID, and the specialClaimInMemName name.
-// Either way, the special claim is stored in state.claims.
-//
-// In addition, draExtendedResource is also stored in the cycle state.
-//
-// It returns the special ResourceClaim and an error status. It returns nil for both
-// if the feature is disabled or not required for the Pod.
-func (pl *DynamicResources) preFilterExtendedResources(pod *v1.Pod, logger klog.Logger, s *stateData) (*resourceapi.ResourceClaim, *fwk.Status) {
-	if !pl.enableExtendedResource {
-		return nil, nil
-	}
-
-	deviceClassMapping, err := extended.DeviceClassMapping(pl.draManager)
-	if err != nil {
-		return nil, statusError(logger, err, "retrieving extended resource to DeviceClass mapping")
-	}
-
-	reqs := resourcehelper.PodRequests(pod, resourcehelper.PodResourcesOptions{})
-	hasExtendedResource := hasDeviceClassMappedExtendedResource(reqs, deviceClassMapping)
-	if !hasExtendedResource {
-		return nil, nil
-	}
-
-	s.draExtendedResource.resourceToDeviceClass = deviceClassMapping
-	r := framework.NewResource(reqs)
-	s.draExtendedResource.podScalarResources = r.ScalarResources
-
-	resourceClaims, err := pl.draManager.ResourceClaims().List()
-	if err != nil {
-		return nil, statusError(logger, err, "listing ResourceClaims")
-	}
-
-	// Check if the special resource claim has been created from prior scheduling cycle.
-	//
-	// If it was already allocated earlier, that allocation might not be valid anymore.
-	// We could try to check that, but it depends on various factors that are difficult to
-	// cover (basically needs to replicate allocator logic) and if it turns out that the
-	// allocation is stale, we would have to schedule with those allocated devices not
-	// available for a new allocation. This situation should be rare (= binding failure),
-	// so we solve it via brute-force
-	// - Kick off deallocation in the background.
-	// - Mark the pod as unschedulable. Successful deallocation will make it schedulable again.
-	extendedResourceClaim := findExtendedResourceClaim(pod, resourceClaims)
-	if extendedResourceClaim == nil {
-		// Create one special claim for all extended resources backed by DRA in the Pod.
-		// Create the ResourceClaim with pod as owner, with a generated name that uses
-		// <pod name>-extended-resources- as base. The final name will get truncated if it
-		// would be too long.
-		extendedResourceClaim = &resourceapi.ResourceClaim{
-			ObjectMeta: metav1.ObjectMeta{
-				Namespace: pod.Namespace,
-				Name:      specialClaimInMemName,
-				// fake temporary UID for use in SignalClaimPendingAllocation
-				UID:          types.UID(uuid.NewUUID()),
-				GenerateName: pod.Name + "-extended-resources-",
-				OwnerReferences: []metav1.OwnerReference{
-					{
-						APIVersion:         "v1",
-						Kind:               "Pod",
-						Name:               pod.Name,
-						UID:                pod.UID,
-						Controller:         ptr.To(true),
-						BlockOwnerDeletion: ptr.To(true),
-					},
-				},
-				Annotations: map[string]string{
-					resourceapi.ExtendedResourceClaimAnnotation: "true",
-				},
-			},
-			Spec: resourceapi.ResourceClaimSpec{},
-		}
-	}
-	return extendedResourceClaim, nil
-}
-
 // PreFilter invoked at the prefilter extension point to check if pod has all
 // immediate claims bound. UnschedulableAndUnresolvable is returned if
 // the pod cannot be scheduled at the moment on any node.
-func (pl *DynamicResources) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *DynamicResources) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	if !pl.enabled {
 		return nil, fwk.NewStatus(fwk.Skip)
 	}
@@ -628,7 +481,7 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state fwk.CycleState,
 						return nil, status
 					}
 				case len(request.FirstAvailable) > 0:
-					if !pl.enablePrioritizedList {
+					if !pl.fts.EnableDRAPrioritizedList {
 						return nil, statusUnschedulable(logger, fmt.Sprintf("resource claim %s, request %s: has subrequests, but the DRAPrioritizedList feature is disabled", klog.KObj(claim), request.Name))
 					}
 					for _, subRequest := range request.FirstAvailable {
@@ -665,39 +518,51 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state fwk.CycleState,
 		// Claims (and thus their devices) are treated as "allocated" if they are in the assume cache
 		// or currently their allocation is in-flight. This does not change
 		// during filtering, so we can determine that once.
+		//
+		// This might have to be retried in the unlikely case that some concurrent modification made
+		// the result invalid.
 		var allocatedState *structured.AllocatedState
-		if pl.enableConsumableCapacity {
-			allocatedState, err = pl.draManager.ResourceClaims().GatherAllocatedState()
-			if err != nil {
-				return nil, statusError(logger, err)
-			}
-			if allocatedState == nil {
-				return nil, statusError(logger, errors.New("nil allocated state"))
-			}
-		} else {
-			allocatedDevices, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices()
-			if err != nil {
-				return nil, statusError(logger, err)
-			}
-			allocatedState = &structured.AllocatedState{
-				AllocatedDevices:         allocatedDevices,
-				AllocatedSharedDeviceIDs: sets.New[structured.SharedDeviceID](),
-				AggregatedCapacity:       structured.NewConsumedCapacityCollection(),
+		err = wait.PollUntilContextTimeout(ctx, time.Microsecond, 5*time.Second, true /* immediate */, func(context.Context) (bool, error) {
+			if pl.fts.EnableDRAConsumableCapacity {
+				allocatedState, err = pl.draManager.ResourceClaims().GatherAllocatedState()
+				if err != nil {
+					if errors.Is(err, errClaimTrackerConcurrentModification) {
+						logger.V(6).Info("Conflicting modification during GatherAllocatedState, trying again")
+						return false, nil
+					}
+					return false, err
+				}
+				if allocatedState == nil {
+					return false, errors.New("nil allocated state")
+				}
+				// Done.
+				return true, nil
+			} else {
+				allocatedDevices, err := pl.draManager.ResourceClaims().ListAllAllocatedDevices()
+				if err != nil {
+					if errors.Is(err, errClaimTrackerConcurrentModification) {
+						logger.V(6).Info("Conflicting modification during ListAllAllocatedDevices, trying again")
+						return false, nil
+					}
+					return false, err
+				}
+				allocatedState = &structured.AllocatedState{
+					AllocatedDevices:         allocatedDevices,
+					AllocatedSharedDeviceIDs: sets.New[structured.SharedDeviceID](),
+					AggregatedCapacity:       structured.NewConsumedCapacityCollection(),
+				}
+				// Done.
+				return true, nil
 			}
+		})
+		if err != nil {
+			return nil, statusError(logger, fmt.Errorf("gather allocation state: %w", err))
 		}
 		slices, err := pl.draManager.ResourceSlices().ListWithDeviceTaintRules()
 		if err != nil {
 			return nil, statusError(logger, err)
 		}
-		features := structured.Features{
-			AdminAccess:          pl.enableAdminAccess,
-			PrioritizedList:      pl.enablePrioritizedList,
-			PartitionableDevices: pl.enablePartitionableDevices,
-			DeviceTaints:         pl.enableDeviceTaints,
-			DeviceBinding:        pl.enableDeviceBindingConditions,
-			DeviceStatus:         pl.enableDeviceStatus,
-			ConsumableCapacity:   pl.enableConsumableCapacity,
-		}
+		features := AllocatorFeatures(pl.fts)
 		allocator, err := structured.NewAllocator(ctx, features, *allocatedState, pl.draManager.DeviceClasses(), slices, pl.celCache)
 		if err != nil {
 			return nil, statusError(logger, err)
@@ -709,6 +574,17 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state fwk.CycleState,
 	return nil, nil
 }
 
+func AllocatorFeatures(fts feature.Features) structured.Features {
+	return structured.Features{
+		AdminAccess:            fts.EnableDRAAdminAccess,
+		PrioritizedList:        fts.EnableDRAPrioritizedList,
+		PartitionableDevices:   fts.EnableDRAPartitionableDevices,
+		DeviceTaints:           fts.EnableDRADeviceTaints,
+		DeviceBindingAndStatus: fts.EnableDRADeviceBindingConditions && fts.EnableDRAResourceClaimDeviceStatus,
+		ConsumableCapacity:     fts.EnableDRAConsumableCapacity,
+	}
+}
+
 func (pl *DynamicResources) validateDeviceClass(logger klog.Logger, deviceClassName, requestName string) *fwk.Status {
 	if deviceClassName == "" {
 		return statusError(logger, fmt.Errorf("request %s: unsupported request type", requestName))
@@ -727,7 +603,7 @@ func (pl *DynamicResources) validateDeviceClass(logger klog.Logger, deviceClassN
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *DynamicResources) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *DynamicResources) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -743,149 +619,6 @@ func getStateData(cs fwk.CycleState) (*stateData, error) {
 	return s, nil
 }
 
-// filterExtendedResources computes the special claim's Requests based on the
-// node's Allocatable. It returns the special claim updated to match what needs
-// to be allocated through DRA for the node or nil if nothing needs to be allocated.
-//
-// It returns an error when the pod's extended resource requests cannot be allocated
-// from node's Allocatable, nor matching any device class's explicit or implicit
-// ExtendedResourceName.
-func (pl *DynamicResources) filterExtendedResources(state *stateData, pod *v1.Pod, nodeInfo fwk.NodeInfo, logger klog.Logger) (*resourceapi.ResourceClaim, *fwk.Status) {
-	extendedResourceClaim := state.claims.extendedResourceClaim()
-	if extendedResourceClaim == nil {
-		// Nothing to do.
-		return nil, nil
-	}
-
-	// The claim is from the prior scheduling cycle, return unschedulable such that it can be
-	// deleted at the PostFilter phase, and retry anew.
-	if extendedResourceClaim.Spec.Devices.Requests != nil {
-		return nil, statusUnschedulable(logger, "cannot schedule extended resource claim", "pod", klog.KObj(pod), "node", klog.KObj(nodeInfo.Node()), "claim", klog.KObj(extendedResourceClaim))
-	}
-
-	extendedResources := make(map[v1.ResourceName]int64)
-	hasExtendedResource := false
-	for rName, rQuant := range state.draExtendedResource.podScalarResources {
-		if !v1helper.IsExtendedResourceName(rName) {
-			continue
-		}
-		// Skip in case request quantity is zero
-		if rQuant == 0 {
-			continue
-		}
-
-		_, okScalar := nodeInfo.GetAllocatable().GetScalarResources()[rName]
-		_, okDynamic := state.draExtendedResource.resourceToDeviceClass[rName]
-		if okDynamic {
-			if okScalar {
-				// node provides the resource via device plugin
-				extendedResources[rName] = 0
-			} else {
-				// node needs to provide the resource via DRA
-				extendedResources[rName] = rQuant
-				hasExtendedResource = true
-			}
-		} else if !okScalar {
-			// has request neither provided by device plugin, nor backed by DRA,
-			// hence the pod does not fit the node.
-			return nil, statusUnschedulable(logger, "cannot fit resource", "pod", klog.KObj(pod), "node", klog.KObj(nodeInfo.Node()), "resource", rName)
-		}
-	}
-
-	// No extended resources backed by DRA on this node.
-	// The pod may have extended resources, but they are all backed by device
-	// plugin, hence the noderesources plugin should have checked if the node
-	// can fit the pod.
-	// This dynamic resources plugin Filter phase has nothing left to do.
-	if state.claims.noUserClaim() && !hasExtendedResource {
-		// It cannot be allocated when reaching here, as the claim from prior scheduling cycle
-		// would return unschedulable earlier in this function.
-		return nil, nil
-	}
-
-	// Each node needs its own, potentially different variant of the claim.
-	nodeExtendedResourceClaim := extendedResourceClaim.DeepCopy()
-	nodeExtendedResourceClaim.Spec.Devices.Requests = createDeviceRequests(pod, extendedResources, state.draExtendedResource.resourceToDeviceClass)
-
-	if extendedResourceClaim.Status.Allocation != nil {
-		// If it is already allocated, then we cannot simply allocate it again.
-		//
-		// It cannot be allocated when reaching here, as the claim found from prior scheduling cycle
-		// would return unschedulable earlier in this function.
-		return nil, nil
-	}
-
-	return nodeExtendedResourceClaim, nil
-}
-
-// createDeviceRequests computes the special claim's Requests based on the pod's extended resources
-// that are not satisfied by the node's Allocatable.
-//
-// the device request name has the format: container-%d-request-%d,
-// the first %d is the container's index in the pod's initContainer and containers
-// the second %d is the extended resource's index in that container's sorted resource requests.
-func createDeviceRequests(pod *v1.Pod, extendedResources map[v1.ResourceName]int64, deviceClassMapping map[v1.ResourceName]string) []resourceapi.DeviceRequest {
-	var deviceRequests []resourceapi.DeviceRequest
-	// Creating the extended resource claim's Requests by
-	// iterating over the containers, and the resources in the containers,
-	// and create one request per <container, extended resource>.
-
-	// pod level resources currently have only cpu and memory, they are not considered here for now.
-	// if extended resources are added to pod level resources in the future, they need to be
-	// supported separately.
-	containers := slices.Clone(pod.Spec.InitContainers)
-	containers = append(containers, pod.Spec.Containers...)
-	for r := range extendedResources {
-		for i, c := range containers {
-			creqs := c.Resources.Requests
-			if creqs == nil {
-				continue
-			}
-			var rQuant resource.Quantity
-			var ok bool
-			if rQuant, ok = creqs[r]; !ok {
-				continue
-			}
-			crq, ok := (&rQuant).AsInt64()
-			if !ok || crq == 0 {
-				continue
-			}
-			className, ok := deviceClassMapping[r]
-			// skip if the request does not map to a device class
-			if !ok || className == "" {
-				continue
-			}
-			keys := make([]string, 0, len(creqs))
-			for k := range creqs {
-				keys = append(keys, k.String())
-			}
-			// resource requests in a container is a map, their names must
-			// be sorted to determine the resource's index order.
-			slice.SortStrings(keys)
-			ridx := 0
-			for j := range keys {
-				if keys[j] == r.String() {
-					ridx = j
-					break
-				}
-			}
-			// i is the index of the container if the list of initContainers + containers.
-			// ridx is the index of the extended resource request in the sorted all requests in the container.
-			// crq is the quantity of the extended resource request.
-			deviceRequests = append(deviceRequests,
-				resourceapi.DeviceRequest{
-					Name: fmt.Sprintf("container-%d-request-%d", i, ridx), // need to be container name index - extended resource name index
-					Exactly: &resourceapi.ExactDeviceRequest{
-						DeviceClassName: className, // map external resource name -> device class name
-						AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-						Count:           crq,
-					},
-				})
-		}
-	}
-	return deviceRequests
-}
-
 // Filter invoked at the filter extension point.
 // It evaluates if a pod can fit due to the resources it requests,
 // for both allocated and unallocated claims.
@@ -909,7 +642,7 @@ func (pl *DynamicResources) Filter(ctx context.Context, cs fwk.CycleState, pod *
 
 	logger := klog.FromContext(ctx)
 	node := nodeInfo.Node()
-	nodeExtendedResourceClaim, status := pl.filterExtendedResources(state, pod, nodeInfo, logger)
+	nodeExtendedResourceClaim, containerResourceRequestMappings, status := pl.filterExtendedResources(state, pod, nodeInfo, logger)
 	if status != nil {
 		return status
 	}
@@ -937,7 +670,7 @@ func (pl *DynamicResources) Filter(ctx context.Context, cs fwk.CycleState, pod *
 		}
 
 		// The claim is allocated, check whether it is ready for binding.
-		if pl.enableDeviceBindingConditions && pl.enableDeviceStatus {
+		if pl.fts.EnableDRADeviceBindingConditions && pl.fts.EnableDRAResourceClaimDeviceStatus {
 			ready, err := pl.isClaimReadyForBinding(claim)
 			// If the claim is not ready yet (ready false, no error) and binding has timed out
 			// or binding has failed (err non-nil), then the scheduler should consider deallocating this
@@ -957,7 +690,7 @@ func (pl *DynamicResources) Filter(ctx context.Context, cs fwk.CycleState, pod *
 		}
 
 		// Apply timeout to the operation?
-		if pl.enableFilterTimeout && pl.filterTimeout > 0 {
+		if pl.fts.EnableDRASchedulerFilterTimeout && pl.filterTimeout > 0 {
 			c, cancel := context.WithTimeout(allocCtx, pl.filterTimeout)
 			defer cancel()
 			allocCtx = c
@@ -979,6 +712,10 @@ func (pl *DynamicResources) Filter(ctx context.Context, cs fwk.CycleState, pod *
 		switch {
 		case errors.Is(err, context.DeadlineExceeded):
 			return statusUnschedulable(logger, "timed out trying to allocate devices", "pod", klog.KObj(pod), "node", klog.KObj(node), "resourceclaims", klog.KObjSlice(claimsToAllocate))
+		case errors.Is(err, structured.ErrFailedAllocationOnNode):
+			// Not a fatal error, allocation on other nodes may proceed.
+			// The error is only surfaced if allocation fails on all nodes.
+			return statusUnschedulable(logger, err.Error(), "pod", klog.KObj(pod), "node", klog.KObj(node))
 		case ctx.Err() != nil:
 			return statusUnschedulable(logger, fmt.Sprintf("asked by caller to stop allocating devices: %v", context.Cause(ctx)), "pod", klog.KObj(pod), "node", klog.KObj(node), "resourceclaims", klog.KObjSlice(claimsToAllocate))
 		case err != nil:
@@ -1024,24 +761,20 @@ func (pl *DynamicResources) Filter(ctx context.Context, cs fwk.CycleState, pod *
 
 	if state.allocator != nil {
 		state.nodeAllocations[node.Name] = nodeAllocation{
-			allocationResults:     allocations,
-			extendedResourceClaim: nodeExtendedResourceClaim,
+			allocationResults:                allocations,
+			extendedResourceClaim:            nodeExtendedResourceClaim,
+			containerResourceRequestMappings: containerResourceRequestMappings,
 		}
 	}
 
 	return nil
 }
 
-// isSpecialClaimName return true when the name is the specialClaimInMemName.
-func isSpecialClaimName(name string) bool {
-	return name == specialClaimInMemName
-}
-
 // PostFilter checks whether there are allocated claims that could get
 // deallocated to help get the Pod schedulable. If yes, it picks one and
 // requests its deallocation.  This only gets called when filtering found no
 // suitable node.
-func (pl *DynamicResources) PostFilter(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (pl *DynamicResources) PostFilter(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	if !pl.enabled {
 		return nil, fwk.NewStatus(fwk.Unschedulable, "plugin disabled")
 	}
@@ -1096,6 +829,76 @@ func (pl *DynamicResources) PostFilter(ctx context.Context, cs fwk.CycleState, p
 	return nil, fwk.NewStatus(fwk.Unschedulable, "still not schedulable")
 }
 
+func (pl *DynamicResources) Score(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
+	if !pl.enabled {
+		return 0, nil
+	}
+	logger := klog.FromContext(ctx)
+
+	state, err := getStateData(cs)
+	if err != nil {
+		return 0, statusError(logger, err)
+	}
+
+	// If there are no claims, no need to do anything.
+	if state.claims.empty() {
+		return 0, nil
+	}
+
+	allocations, found := state.nodeAllocations[nodeInfo.Node().Name]
+	if !found {
+		return 0, nil
+	}
+
+	score, err := computeScore(state.claims.all(), allocations)
+	if err != nil {
+		return 0, statusError(logger, err)
+	}
+	return score, nil
+}
+
+func computeScore(iterator iter.Seq2[int, *resourceapi.ResourceClaim], allocations nodeAllocation) (int64, error) {
+	var score int64
+	for i, claim := range iterator {
+		// Collect the names for all allocated subrequests.
+		allocatedSubRequests := sets.New[string]()
+		if i >= len(allocations.allocationResults) {
+			return 0, fmt.Errorf("number of allocations %d is smaller than number of claims", len(allocations.allocationResults))
+		}
+		allocation := allocations.allocationResults[i]
+		for _, res := range allocation.Devices.Results {
+			request := res.Request
+			if resourceclaim.IsSubRequestRef(request) {
+				allocatedSubRequests.Insert(request)
+			}
+		}
+
+		for _, req := range claim.Spec.Devices.Requests {
+			if req.Exactly != nil {
+				continue
+			}
+			for i, subReq := range req.FirstAvailable {
+				subRequestRef := resourceclaim.CreateSubRequestRef(req.Name, subReq.Name)
+				if allocatedSubRequests.Has(subRequestRef) {
+					score += int64(resourceapi.FirstAvailableDeviceRequestMaxSize - i)
+				}
+			}
+		}
+	}
+	return score, nil
+}
+
+func (pl *DynamicResources) ScoreExtensions() fwk.ScoreExtensions {
+	return pl
+}
+
+func (pl *DynamicResources) NormalizeScore(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
+	if !pl.enabled {
+		return nil
+	}
+	return helper.DefaultNormalizeScore(fwk.MaxNodeScore, false, scores)
+}
+
 // Reserve reserves claims for the pod.
 func (pl *DynamicResources) Reserve(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodeName string) (status *fwk.Status) {
 	if !pl.enabled {
@@ -1235,62 +1038,7 @@ func (pl *DynamicResources) Unreserve(ctx context.Context, cs fwk.CycleState, po
 			}
 		}
 	}
-
-	extendedResourceClaim := state.claims.extendedResourceClaim()
-	if extendedResourceClaim == nil {
-		// there is no extended resource claim
-		return
-	}
-
-	if deleted := pl.draManager.ResourceClaims().RemoveClaimPendingAllocation(state.claims.getInitialExtendedResourceClaimUID()); deleted {
-		pl.draManager.ResourceClaims().AssumedClaimRestore(extendedResourceClaim.Namespace, extendedResourceClaim.Name)
-	}
-	if isSpecialClaimName(extendedResourceClaim.Name) {
-		// In memory temporary extended resource claim does not need to be deleted
-		return
-	}
-	logger.V(5).Info("delete extended resource backed by DRA", "resourceclaim", klog.KObj(extendedResourceClaim), "pod", klog.KObj(pod), "claim.UID", extendedResourceClaim.UID)
-	extendedResourceClaim = extendedResourceClaim.DeepCopy()
-	if err := pl.deleteClaim(ctx, extendedResourceClaim, logger); err != nil {
-		logger.Error(err, "delete", "resourceclaim", klog.KObj(extendedResourceClaim))
-	}
-}
-
-// deleteClaim deletes the claim after removing the finalizer from the claim, if there is any.
-func (pl *DynamicResources) deleteClaim(ctx context.Context, claim *resourceapi.ResourceClaim, logger klog.Logger) error {
-	refreshClaim := false
-	retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
-		if refreshClaim {
-			updatedClaim, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Get(ctx, claim.Name, metav1.GetOptions{})
-			if err != nil {
-				return fmt.Errorf("get resourceclaim %s/%s: %w", claim.Namespace, claim.Name, err)
-			}
-			claim = updatedClaim
-		} else {
-			refreshClaim = true
-		}
-		// Remove the finalizer to unblock removal first.
-		builtinControllerFinalizer := slices.Index(claim.Finalizers, resourceapi.Finalizer)
-		if builtinControllerFinalizer >= 0 {
-			claim.Finalizers = slices.Delete(claim.Finalizers, builtinControllerFinalizer, builtinControllerFinalizer+1)
-		}
-
-		_, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Update(ctx, claim, metav1.UpdateOptions{})
-		if err != nil {
-			return fmt.Errorf("update resourceclaim %s/%s: %w", claim.Namespace, claim.Name, err)
-		}
-		return nil
-	})
-	if retryErr != nil {
-		return retryErr
-	}
-
-	logger.V(5).Info("Delete", "resourceclaim", klog.KObj(claim))
-	err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Delete(ctx, claim.Name, metav1.DeleteOptions{})
-	if err != nil {
-		return err
-	}
-	return nil
+	pl.unreserveExtendedResourceClaim(ctx, logger, pod, state)
 }
 
 // PreBind gets called in a separate goroutine after it has been determined
@@ -1326,7 +1074,7 @@ func (pl *DynamicResources) PreBind(ctx context.Context, cs fwk.CycleState, pod
 		}
 	}
 
-	if !pl.enableDeviceBindingConditions || !pl.enableDeviceStatus {
+	if !pl.fts.EnableDRADeviceBindingConditions || !pl.fts.EnableDRAResourceClaimDeviceStatus {
 		// If we don't have binding conditions, we can return early.
 		// The claim is now reserved for the pod and the scheduler can proceed with binding.
 		return nil
@@ -1342,7 +1090,7 @@ func (pl *DynamicResources) PreBind(ctx context.Context, cs fwk.CycleState, pod
 
 	// We need to wait for the device to be attached to the node.
 	pl.fh.EventRecorder().Eventf(pod, nil, v1.EventTypeNormal, "BindingConditionsPending", "Scheduling", "waiting for binding conditions for device on node %s", nodeName)
-	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, time.Duration(BindingTimeoutDefaultSeconds)*time.Second, true,
+	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, pl.bindingTimeout, true,
 		func(ctx context.Context) (bool, error) {
 			return pl.isPodReadyForBinding(state)
 		})
@@ -1377,61 +1125,10 @@ func (pl *DynamicResources) PreBindPreFlight(ctx context.Context, cs fwk.CycleSt
 	return nil
 }
 
-// createRequestMappings creates the requestMappings for the special extended resource claim.
-// For each device request in the claim, it finds the container name, and
-// the extended resource name in that container matching the device request.
-// the device request name has the format: container-%d-request-%d,
-// the first %d is the container's index in the pod's initContainer and containers
-// the second %d is the extended resource's index in that container's sorted resource requests.
-func createRequestMappings(claim *resourceapi.ResourceClaim, pod *v1.Pod) []v1.ContainerExtendedResourceRequest {
-	var cer []v1.ContainerExtendedResourceRequest
-	deviceReqNames := make([]string, 0, len(claim.Spec.Devices.Requests))
-	for _, r := range claim.Spec.Devices.Requests {
-		deviceReqNames = append(deviceReqNames, r.Name)
-	}
-	// pod level resources currently have only cpu and memory, they are not considered here for now.
-	// if extended resources are added to pod level resources in the future, they need to be
-	// supported separately.
-	containers := slices.Clone(pod.Spec.InitContainers)
-	containers = append(containers, pod.Spec.Containers...)
-	for i, c := range containers {
-		creqs := c.Resources.Requests
-		keys := make([]string, 0, len(creqs))
-		for k := range creqs {
-			keys = append(keys, k.String())
-		}
-		// resource requests in a container is a map, their names must
-		// be sorted to determine the resource's index order.
-		slice.SortStrings(keys)
-		for rName := range creqs {
-			ridx := 0
-			for j := range keys {
-				if keys[j] == rName.String() {
-					ridx = j
-					break
-				}
-			}
-			for _, devReqName := range deviceReqNames {
-				// During filter phase, device request name is set to be
-				// container name index "-" extended resource name index
-				if fmt.Sprintf("container-%d-request-%d", i, ridx) == devReqName {
-					cer = append(cer,
-						v1.ContainerExtendedResourceRequest{
-							ContainerName: c.Name,
-							ResourceName:  rName.String(),
-							RequestName:   devReqName,
-						})
-				}
-			}
-		}
-	}
-	return cer
-}
-
 // bindClaim gets called by PreBind for claim which is not reserved for the pod yet.
 // It might not even be allocated. bindClaim then ensures that the allocation
 // and reservation are recorded. This finishes the work started in Reserve.
-func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, index int, pod *v1.Pod, nodeName string) (patchedClaim *resourceapi.ResourceClaim, finalErr error) {
+func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, index int, pod *v1.Pod, nodeName string) (*resourceapi.ResourceClaim, error) {
 	logger := klog.FromContext(ctx)
 	claim := state.claims.get(index)
 	allocation := state.informationsForClaim[index].allocation
@@ -1444,38 +1141,22 @@ func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, ind
 		isExtendedResourceClaim = true
 	}
 	claimUIDs := []types.UID{claim.UID}
+	resourceClaimModified := false
 	defer func() {
-		if allocation != nil {
-			// The scheduler was handling allocation. Now that has
-			// completed, either successfully or with a failure.
-			if finalErr == nil {
+		// The scheduler was handling allocation. Now that has
+		// completed, either successfully or with a failure.
+		if resourceClaimModified {
+			if isExtendedResourceClaim {
+				pl.waitForExtendedClaimInAssumeCache(ctx, logger, claim)
+			} else {
 				// This can fail, but only for reasons that are okay (concurrent delete or update).
 				// Shouldn't happen in this case.
-				if isExtendedResourceClaim {
-					// Unlike other claims, extended resource claim is created in API server below.
-					// AssumeClaimAfterAPICall returns ErrNotFound when the informer update has not reached assumed cache yet.
-					// Hence we must poll and wait for it.
-					pollErr := wait.PollUntilContextTimeout(ctx, 1*time.Second, time.Duration(AssumeExtendedResourceTimeoutDefaultSeconds)*time.Second, true,
-						func(ctx context.Context) (bool, error) {
-							if err := pl.draManager.ResourceClaims().AssumeClaimAfterAPICall(claim); err != nil {
-								if errors.Is(err, assumecache.ErrNotFound) {
-									return false, nil
-								}
-								logger.V(5).Info("Claim not stored in assume cache", "claim", klog.KObj(claim), "err", err)
-								return false, err
-							}
-							return true, nil
-						})
-					if pollErr != nil {
-						logger.V(5).Info("Claim not stored in assume cache after retries", "claim", klog.KObj(claim), "err", pollErr)
-					}
-				} else {
-					if err := pl.draManager.ResourceClaims().AssumeClaimAfterAPICall(claim); err != nil {
-						logger.V(5).Info("Claim not stored in assume cache", "err", err)
-					}
+				if err := pl.draManager.ResourceClaims().AssumeClaimAfterAPICall(claim); err != nil {
+					logger.V(5).Info("Claim not stored in assume cache", "err", err)
 				}
 			}
-
+		}
+		if allocation != nil {
 			for _, claimUID := range claimUIDs {
 				pl.draManager.ResourceClaims().RemoveClaimPendingAllocation(claimUID)
 			}
@@ -1484,25 +1165,13 @@ func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, ind
 
 	// Create the special claim for extended resource backed by DRA
 	if isExtendedResourceClaim && isSpecialClaimName(claim.Name) {
-		logger.V(5).Info("preparing to create claim for extended resources", "pod", klog.KObj(pod), "node", nodeName, "resourceclaim", klog.Format(claim))
-		// Replace claim template with instantiated claim for the node.
-		if nodeAllocation, ok := state.nodeAllocations[nodeName]; ok && nodeAllocation.extendedResourceClaim != nil {
-			claim = nodeAllocation.extendedResourceClaim.DeepCopy()
-		} else {
-			return nil, fmt.Errorf("extended resource claim not found for node %s", nodeName)
-		}
-		logger.V(5).Info("create claim for extended resources", "pod", klog.KObj(pod), "node", nodeName, "resourceclaim", klog.Format(claim))
-		// Clear fields which must or can not be set during creation.
-		claim.Status.Allocation = nil
-		claim.Name = ""
-		claim.UID = ""
 		var err error
-		claim, err = pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Create(ctx, claim, metav1.CreateOptions{})
+		claim, err = pl.createExtendedResourceClaimInAPI(ctx, logger, pod, nodeName, state)
 		if err != nil {
-			return nil, fmt.Errorf("create claim for extended resources %v: %w", klog.KObj(claim), err)
+			return nil, err
 		}
-		logger.V(5).Info("created claim for extended resources", "pod", klog.KObj(pod), "node", nodeName, "resourceclaim", klog.Format(claim))
 
+		resourceClaimModified = true
 		// Track the actual extended ResourceClaim from now.
 		// Relevant if we need to delete again in Unreserve.
 		if err := state.claims.updateExtendedResourceClaim(claim); err != nil {
@@ -1557,7 +1226,7 @@ func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, ind
 		// preconditions. The apiserver will tell us with a
 		// non-conflict error if this isn't possible.
 		claim.Status.ReservedFor = append(claim.Status.ReservedFor, resourceapi.ResourceClaimConsumerReference{Resource: "pods", Name: pod.Name, UID: pod.UID})
-		if pl.enableDeviceBindingConditions && pl.enableDeviceStatus && claim.Status.Allocation.AllocationTimestamp == nil {
+		if pl.fts.EnableDRADeviceBindingConditions && pl.fts.EnableDRAResourceClaimDeviceStatus && claim.Status.Allocation.AllocationTimestamp == nil {
 			claim.Status.Allocation.AllocationTimestamp = &metav1.Time{Time: time.Now()}
 		}
 		updatedClaim, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).UpdateStatus(ctx, claim, metav1.UpdateOptions{})
@@ -1568,6 +1237,7 @@ func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, ind
 			return fmt.Errorf("add reservation to claim %s: %w", klog.KObj(claim), err)
 		}
 		claim = updatedClaim
+		resourceClaimModified = true
 		return nil
 	})
 
@@ -1580,15 +1250,9 @@ func (pl *DynamicResources) bindClaim(ctx context.Context, state *stateData, ind
 	// Patch the pod status with the new information about the generated
 	// special resource claim.
 	if isExtendedResourceClaim {
-		cer := createRequestMappings(claim, pod)
-		podStatusCopy := pod.Status.DeepCopy()
-		podStatusCopy.ExtendedResourceClaimStatus = &v1.PodExtendedResourceClaimStatus{
-			RequestMappings:   cer,
-			ResourceClaimName: claim.Name,
-		}
-		err := schedutil.PatchPodStatus(ctx, pl.clientset, pod.Name, pod.Namespace, &pod.Status, podStatusCopy)
+		err := pl.patchPodExtendedResourceClaimStatus(ctx, pod, claim, nodeName, state)
 		if err != nil {
-			return nil, fmt.Errorf("update pod %s/%s ExtendedResourceClaimStatus: %w", pod.Namespace, pod.Name, err)
+			return nil, err
 		}
 	}
 
@@ -1636,7 +1300,7 @@ func (pl *DynamicResources) isClaimReadyForBinding(claim *resourceapi.ResourceCl
 // It returns true if the binding timeout is reached.
 // It returns false if the binding timeout is not reached.
 func (pl *DynamicResources) isClaimTimeout(claim *resourceapi.ResourceClaim) bool {
-	if !pl.enableDeviceBindingConditions || !pl.enableDeviceStatus {
+	if !pl.fts.EnableDRADeviceBindingConditions || !pl.fts.EnableDRAResourceClaimDeviceStatus {
 		return false
 	}
 	if claim.Status.Allocation == nil || claim.Status.Allocation.AllocationTimestamp == nil {
@@ -1647,7 +1311,7 @@ func (pl *DynamicResources) isClaimTimeout(claim *resourceapi.ResourceClaim) boo
 		if deviceRequest.BindingConditions == nil {
 			continue
 		}
-		if claim.Status.Allocation.AllocationTimestamp.Add(time.Duration(BindingTimeoutDefaultSeconds) * time.Second).Before(time.Now()) {
+		if claim.Status.Allocation.AllocationTimestamp.Add(pl.bindingTimeout).Before(time.Now()) {
 			return true
 		}
 	}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
index 16016b1b0a8c7..fc089251eab1c 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
@@ -20,7 +20,10 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
+	"slices"
 	"sort"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -31,50 +34,64 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apiruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	cgotesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/events"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	compbasemetrics "k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/testutil"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
 	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
+	"k8s.io/dynamic-resource-allocation/structured"
 	kubeschedulerconfigv1 "k8s.io/kube-scheduler/config/v1"
 	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	configv1 "k8s.io/kubernetes/pkg/scheduler/apis/config/v1"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/runtime"
+	"k8s.io/kubernetes/pkg/scheduler/metrics"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
+func init() {
+	metrics.InitMetrics()
+}
+
 var (
 	podKind = v1.SchemeGroupVersion.WithKind("Pod")
 
-	nodeName             = "worker"
-	node2Name            = "worker-2"
-	node3Name            = "worker-3"
-	driver               = "some-driver"
-	driver2              = "some-driver-2"
-	podName              = "my-pod"
-	podUID               = "1234"
-	resourceName         = "my-resource"
-	resourceName2        = resourceName + "-2"
-	claimName            = podName + "-" + resourceName
-	claimName2           = podName + "-" + resourceName2
-	className            = "my-resource-class"
-	namespace            = "default"
-	attrName             = resourceapi.QualifiedName("healthy") // device attribute only available on non-default node
-	extendedResourceName = "example.com/gpu"
+	nodeName                     = "worker"
+	node2Name                    = "worker-2"
+	node3Name                    = "worker-3"
+	driver                       = "some-driver"
+	driver2                      = "some-driver-2"
+	podName                      = "my-pod"
+	podUID                       = "1234"
+	resourceName                 = "my-resource"
+	resourceName2                = resourceName + "-2"
+	claimName                    = podName + "-" + resourceName
+	claimName2                   = podName + "-" + resourceName2
+	className                    = "my-resource-class"
+	namespace                    = "default"
+	attrName                     = resourceapi.QualifiedName("healthy") // device attribute only available on non-default node
+	extendedResourceName         = "example.com/gpu"
+	extendedResourceName2        = "example.com/gpu2"
+	implicitExtendedResourceName = "deviceclass.resource.kubernetes.io/my-resource-class"
 
 	deviceClass = &resourceapi.DeviceClass{
 		ObjectMeta: metav1.ObjectMeta{
@@ -89,7 +106,14 @@ var (
 			ExtendedResourceName: &extendedResourceName,
 		},
 	}
-
+	deviceClassWithExtendResourceName2 = &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: className + "2",
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: &extendedResourceName2,
+		},
+	}
 	podWithClaimName = st.MakePod().Name(podName).Namespace(namespace).
 				UID(podUID).
 				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
@@ -124,6 +148,29 @@ var (
 			v1.ResourceName(extendedResourceName): "1",
 		}).
 		Obj()
+	podWithExtendedResourceName2 = st.MakePod().Name(podName).Namespace(namespace).
+					UID(podUID).
+					Req(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName):  "1",
+			v1.ResourceName(extendedResourceName2): "1",
+		}).
+		Obj()
+	podWithImplicitExtendedResourceName = st.MakePod().Name(podName).Namespace(namespace).
+						UID(podUID).
+						Req(map[v1.ResourceName]string{
+			v1.ResourceName(implicitExtendedResourceName): "1",
+			v1.ResourceName(extendedResourceName):         "2",
+		}).
+		Obj()
+	podWithImplicitExtendedResourceNameTwoContainers = st.MakePod().Name(podName).Namespace(namespace).
+								UID(podUID).
+								Req(map[v1.ResourceName]string{
+			v1.ResourceName(implicitExtendedResourceName): "1",
+		}).
+		Req(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "2",
+		}).
+		Obj()
 
 	// Node with "instance-1" device and no device attributes.
 	workerNode           = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Node
@@ -138,8 +185,9 @@ var (
 	workerNode3      = &st.MakeNode().Name(node3Name).Label("kubernetes.io/hostname", node3Name).Node
 	workerNode3Slice = st.MakeResourceSlice(node3Name, driver).Device("instance-1", map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{attrName: {BoolValue: ptr.To(true)}}).Obj()
 
-	workerNodeWithExtendedResource = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Capacity(map[v1.ResourceName]string{v1.ResourceName(extendedResourceName): "1"}).Node
-	brokenSelector                 = resourceapi.DeviceSelector{
+	workerNodeWithExtendedResource                = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Capacity(map[v1.ResourceName]string{v1.ResourceName(extendedResourceName): "1"}).Node
+	workerNodeWithExtendedResourceZeroAllocatable = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Capacity(map[v1.ResourceName]string{v1.ResourceName(extendedResourceName): "0"}).Node
+	brokenSelector                                = resourceapi.DeviceSelector{
 		CEL: &resourceapi.CELDeviceSelector{
 			// Not set for workerNode.
 			Expression: fmt.Sprintf(`device.attributes["%s"].%s`, driver, attrName),
@@ -168,8 +216,39 @@ var (
 	claimWithPrioritzedList = st.MakeResourceClaim().
 				Name(claimName).
 				Namespace(namespace).
-				RequestWithPrioritizedList(className).
-				Obj()
+				RequestWithPrioritizedList(
+			st.SubRequest("subreq-1", className, 1),
+		).
+		Obj()
+	claimWithPrioritizedListAndSelector = st.MakeResourceClaim().
+						Name(claimName).
+						Namespace(namespace).
+						RequestWithPrioritizedList(
+			st.SubRequestWithSelector("subreq-1", className, fmt.Sprintf(`device.attributes["%s"].%s`, driver, attrName)),
+			st.SubRequest("subreq-2", className, 1),
+		).
+		Obj()
+	claimWithMultiplePrioritizedListRequests = st.MakeResourceClaim().
+							Name(claimName).
+							Namespace(namespace).
+							RequestWithPrioritizedList(
+			st.SubRequest("subreq-1", className, 2),
+			st.SubRequest("subreq-2", className, 1),
+		).
+		RequestWithPrioritizedList(
+			st.SubRequest("subreq-1", className, 2),
+			st.SubRequest("subreq-2", className, 1),
+		).Obj()
+	claim2WithPrioritizedListAndMultipleSubrequests = st.MakeResourceClaim().
+							Name(claimName2).
+							Namespace(namespace).
+							RequestWithPrioritizedList(
+			st.SubRequest("subreq-1", className, 4),
+			st.SubRequest("subreq-2", className, 3),
+			st.SubRequest("subreq-3", className, 2),
+			st.SubRequest("subreq-4", className, 1),
+		).Obj()
+
 	pendingClaim = st.FromResourceClaim(claim).
 			OwnerReference(podName, podUID, podKind).
 			Obj()
@@ -179,6 +258,15 @@ var (
 	pendingClaimWithPrioritizedList = st.FromResourceClaim(claimWithPrioritzedList).
 					OwnerReference(podName, podUID, podKind).
 					Obj()
+	pendingClaimWithPrioritizedListAndSelector = st.FromResourceClaim(claimWithPrioritizedListAndSelector).
+							OwnerReference(podName, podUID, podKind).
+							Obj()
+	pendingClaim2WithPrioritizedListAndMultipleSubrequests = st.FromResourceClaim(claim2WithPrioritizedListAndMultipleSubrequests).
+								OwnerReference(podName, podUID, podKind).
+								Obj()
+	pendingClaimWithMultiplePrioritizedListRequests = st.FromResourceClaim(claimWithMultiplePrioritizedListRequests).
+							OwnerReference(podName, podUID, podKind).
+							Obj()
 	allocationResult = &resourceapi.AllocationResult{
 		Devices: resourceapi.DeviceAllocationResult{
 			Results: []resourceapi.DeviceRequestAllocationResult{{
@@ -218,6 +306,73 @@ var (
 			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
 		}(),
 	}
+	extendedResourceAllocationResult2 = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Driver:  driver,
+				Pool:    nodeName,
+				Device:  "instance-1",
+				Request: "container-0-request-1",
+			}},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
+	implicitExtendedResourceAllocationResult = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-1",
+					Request: "container-0-request-0",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-2",
+					Request: "container-0-request-1",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-3",
+					Request: "container-0-request-1",
+				},
+			},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
+	implicitExtendedResourceAllocationResultTwoContainers = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-1",
+					Request: "container-0-request-0",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-2",
+					Request: "container-1-request-0",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-3",
+					Request: "container-1-request-0",
+				},
+			},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
 	extendedResourceAllocationResultNode2 = &resourceapi.AllocationResult{
 		Devices: resourceapi.DeviceAllocationResult{
 			Results: []resourceapi.DeviceRequestAllocationResult{{
@@ -245,6 +400,79 @@ var (
 			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
 		}(),
 	}
+	allocationResultWithPrioritizedListAndSelector = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Driver:  driver,
+				Pool:    nodeName,
+				Device:  "instance-1",
+				Request: "req-1/subreq-1",
+			}},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
+	allocationResultWithPrioritizedListAndMultipleSubrequests = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-1",
+					Request: "req-1/subreq-2",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-2",
+					Request: "req-1/subreq-2",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-3",
+					Request: "req-1/subreq-2",
+				},
+			},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
+	allocationResultWithMultiplePrioritizedListRequests = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-1",
+					Request: "req-1/subreq-1",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-2",
+					Request: "req-1/subreq-1",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-1",
+					Request: "req-2/subreq-1",
+				},
+				{
+					Driver:  driver,
+					Pool:    nodeName,
+					Device:  "instance-2",
+					Request: "req-2/subreq-1",
+				},
+			},
+		},
+		NodeSelector: func() *v1.NodeSelector {
+			return st.MakeNodeSelector().In("metadata.name", []string{nodeName}, st.NodeSelectorTypeMatchFields).Obj()
+		}(),
+	}
 	inUseClaim = st.FromResourceClaim(pendingClaim).
 			Allocation(allocationResult).
 			ReservedForPod(podName, types.UID(podUID)).
@@ -253,6 +481,18 @@ var (
 					Allocation(allocationResultWithPrioritizedList).
 					ReservedForPod(podName, types.UID(podUID)).
 					Obj()
+	inUseClaimWithPrioritizedListAndSelector = st.FromResourceClaim(pendingClaimWithPrioritizedListAndSelector).
+							Allocation(allocationResultWithPrioritizedListAndSelector).
+							ReservedForPod(podName, types.UID(podUID)).
+							Obj()
+	inUseClaim2WithPrioritizedListAndMultipleSubrequests = st.FromResourceClaim(pendingClaim2WithPrioritizedListAndMultipleSubrequests).
+								Allocation(allocationResultWithPrioritizedListAndMultipleSubrequests).
+								ReservedForPod(podName, types.UID(podUID)).
+								Obj()
+	inUseClaimWithMultiplePrioritizedListRequests = st.FromResourceClaim(pendingClaimWithMultiplePrioritizedListRequests).
+							Allocation(allocationResultWithMultiplePrioritizedListRequests).
+							ReservedForPod(podName, types.UID(podUID)).
+							Obj()
 	allocatedClaim = st.FromResourceClaim(pendingClaim).
 			Allocation(allocationResult).
 			Obj()
@@ -262,7 +502,15 @@ var (
 	allocatedClaimWithPrioritizedList = st.FromResourceClaim(pendingClaimWithPrioritizedList).
 						Allocation(allocationResultWithPrioritizedList).
 						Obj()
-
+	allocatedClaimWithPrioritizedListAndSelector = st.FromResourceClaim(pendingClaimWithPrioritizedListAndSelector).
+							Allocation(allocationResultWithPrioritizedListAndSelector).
+							Obj()
+	allocatedClaim2WithPrioritizedListAndMultipleSubrequests = st.FromResourceClaim(pendingClaim2WithPrioritizedListAndMultipleSubrequests).
+									Allocation(allocationResultWithPrioritizedListAndMultipleSubrequests).
+									Obj()
+	allocatedClaimWithMultiplePrioritizedListRequests = st.FromResourceClaim(pendingClaimWithMultiplePrioritizedListRequests).
+								Allocation(allocationResultWithMultiplePrioritizedListRequests).
+								Obj()
 	allocatedClaimWithWrongTopology = st.FromResourceClaim(allocatedClaim).
 					Allocation(&resourceapi.AllocationResult{NodeSelector: st.MakeNodeSelector().In("no-such-label", []string{"no-such-value"}, st.NodeSelectorTypeMatchExpressions).Obj()}).
 					Obj()
@@ -284,16 +532,31 @@ var (
 				Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
 				OwnerRef(
 			metav1.OwnerReference{
-				APIVersion:         "v1",
-				Kind:               "Pod",
-				Name:               podName,
-				UID:                types.UID(podUID),
-				Controller:         ptr.To(true),
-				BlockOwnerDeletion: ptr.To(true),
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
 			}).
 		RequestWithName("container-0-request-0", className).
 		Allocation(extendedResourceAllocationResult).
 		Obj()
+	extendedResourceClaim2 = st.MakeResourceClaim().
+				Name("my-pod-extended-resources-0").
+				GenerateName("my-pod-extended-resources-").
+				Namespace(namespace).
+				Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+				OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-1", className+"2").
+		Allocation(extendedResourceAllocationResult2).
+		Obj()
 	extendedResourceClaimNoName = st.MakeResourceClaim().
 					Name(specialClaimInMemName).
 					GenerateName("my-pod-extended-resources-").
@@ -301,17 +564,99 @@ var (
 					Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
 					OwnerRef(
 			metav1.OwnerReference{
-				APIVersion:         "v1",
-				Kind:               "Pod",
-				Name:               podName,
-				UID:                types.UID(podUID),
-				Controller:         ptr.To(true),
-				BlockOwnerDeletion: ptr.To(true),
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
 			}).
 		RequestWithName("container-0-request-0", className).
 		Allocation(extendedResourceAllocationResult).
 		Obj()
-
+	extendedResourceClaimNoName2 = st.MakeResourceClaim().
+					Name(specialClaimInMemName).
+					GenerateName("my-pod-extended-resources-").
+					Namespace(namespace).
+					Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+					OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-1", className+"2").
+		Allocation(extendedResourceAllocationResult2).
+		Obj()
+	implicitExtendedResourceClaim = st.MakeResourceClaim().
+					Name("my-pod-extended-resources-0").
+					GenerateName("my-pod-extended-resources-").
+					Namespace(namespace).
+					Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+					OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-0", className).
+		RequestWithNameCount("container-0-request-1", className, 2).
+		Allocation(implicitExtendedResourceAllocationResult).
+		Obj()
+	implicitExtendedResourceClaimNoName = st.MakeResourceClaim().
+						Name(specialClaimInMemName).
+						GenerateName("my-pod-extended-resources-").
+						Namespace(namespace).
+						Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+						OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-0", className).
+		RequestWithNameCount("container-0-request-1", className, 2).
+		Allocation(implicitExtendedResourceAllocationResult).
+		Obj()
+	implicitExtendedResourceClaimTwoContainers = st.MakeResourceClaim().
+							Name("my-pod-extended-resources-0").
+							GenerateName("my-pod-extended-resources-").
+							Namespace(namespace).
+							Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+							OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-0", className).
+		RequestWithNameCount("container-1-request-0", className, 2).
+		Allocation(implicitExtendedResourceAllocationResultTwoContainers).
+		Obj()
+	implicitExtendedResourceClaimNoNameTwoContainers = st.MakeResourceClaim().
+								Name(specialClaimInMemName).
+								GenerateName("my-pod-extended-resources-").
+								Namespace(namespace).
+								Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
+								OwnerRef(
+			metav1.OwnerReference{
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
+			}).
+		RequestWithName("container-0-request-0", className).
+		RequestWithNameCount("container-1-request-0", className, 2).
+		Allocation(implicitExtendedResourceAllocationResultTwoContainers).
+		Obj()
 	extendedResourceClaimNode2 = st.MakeResourceClaim().
 					Name("my-pod-extended-resources-0").
 					GenerateName("my-pod-extended-resources-").
@@ -319,12 +664,11 @@ var (
 					Annotations(map[string]string{"resource.kubernetes.io/extended-resource-claim": "true"}).
 					OwnerRef(
 			metav1.OwnerReference{
-				APIVersion:         "v1",
-				Kind:               "Pod",
-				Name:               podName,
-				UID:                types.UID(podUID),
-				Controller:         ptr.To(true),
-				BlockOwnerDeletion: ptr.To(true),
+				APIVersion: "v1",
+				Kind:       "Pod",
+				Name:       podName,
+				UID:        types.UID(podUID),
+				Controller: ptr.To(true),
 			}).
 		RequestWithName("container-0-request-0", className).
 		Allocation(extendedResourceAllocationResultNode2).
@@ -544,9 +888,9 @@ type result struct {
 	// nil if none.
 	assumedClaim *resourceapi.ResourceClaim
 
-	// inFlightClaim is the one claim which is expected to be tracked as
+	// inFlightClaims is a list of claims which are expected to be tracked as
 	// in flight, nil if none.
-	inFlightClaim *resourceapi.ResourceClaim
+	inFlightClaims []metav1.Object
 }
 
 // change contains functions for modifying objects of a certain type. These
@@ -564,19 +908,32 @@ func (p perNodeResult) forNode(nodeName string) result {
 	return p[nodeName]
 }
 
+type perNodeScoreResult map[string]int64
+
+func (p perNodeScoreResult) forNode(nodeName string) int64 {
+	if p == nil {
+		return 0
+	}
+	return p[nodeName]
+}
+
 type want struct {
-	preenqueue       result
-	preFilterResult  *framework.PreFilterResult
-	prefilter        result
-	filter           perNodeResult
-	prescore         result
-	reserve          result
-	unreserve        result
-	prebindPreFlight *fwk.Status
-	prebind          result
-	postbind         result
-	postFilterResult *framework.PostFilterResult
-	postfilter       result
+	preenqueue           result
+	preFilterResult      *fwk.PreFilterResult
+	prefilter            result
+	filter               perNodeResult
+	prescore             result
+	scoreResult          perNodeScoreResult
+	score                perNodeResult
+	normalizeScoreResult fwk.NodeScoreList
+	normalizeScore       result
+	reserve              result
+	unreserve            result
+	prebindPreFlight     *fwk.Status
+	prebind              result
+	postbind             result
+	postFilterResult     *fwk.PostFilterResult
+	postfilter           result
 
 	// unreserveAfterBindFailure, if set, triggers a call to Unreserve
 	// after PreBind, as if the actual Bind had failed.
@@ -634,6 +991,9 @@ func TestPlugin(t *testing.T) {
 		enableDRADeviceTaints            bool
 		disableDRASchedulerFilterTimeout bool
 		skipOnWindows                    string
+		failPatch                        bool
+		reactors                         []cgotesting.Reactor
+		metrics                          func(*testing.T, compbasemetrics.Gatherer)
 	}{
 		"empty": {
 			pod: st.MakePod().Name("foo").Namespace("default").Obj(),
@@ -665,6 +1025,7 @@ func TestPlugin(t *testing.T) {
 			claims: []*resourceapi.ResourceClaim{allocatedClaim, otherClaim},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(allocatedClaim, podWithClaimName),
 					changes: change{
 						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							if claim.Name == claimName {
@@ -682,6 +1043,7 @@ func TestPlugin(t *testing.T) {
 			claims: []*resourceapi.ResourceClaim{allocatedClaim, otherClaim},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(allocatedClaim, podWithClaimTemplateInStatus),
 					changes: change{
 						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							if claim.Name == claimName {
@@ -751,7 +1113,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -784,7 +1146,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -824,7 +1186,7 @@ func TestPlugin(t *testing.T) {
 			},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -861,7 +1223,7 @@ func TestPlugin(t *testing.T) {
 			},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -887,7 +1249,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				unreserveBeforePreBind: &result{},
 			},
@@ -921,7 +1283,7 @@ func TestPlugin(t *testing.T) {
 			objs:                  []apiruntime.Object{taintDevices(workerNodeSlice)},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -969,7 +1331,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: adminAccess(allocatedClaim),
+					inFlightClaims: []metav1.Object{adminAccess(allocatedClaim)},
 				},
 				prebind: result{
 					assumedClaim: reserve(adminAccess(allocatedClaim), podWithClaimName),
@@ -1017,7 +1379,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -1147,6 +1509,7 @@ func TestPlugin(t *testing.T) {
 			claims: []*resourceapi.ResourceClaim{allocatedClaimWithGoodTopology},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(allocatedClaimWithGoodTopology, podWithClaimName),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							return st.FromResourceClaim(in).
@@ -1162,6 +1525,7 @@ func TestPlugin(t *testing.T) {
 			claims: []*resourceapi.ResourceClaim{allocatedClaimWithGoodTopology},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(allocatedClaimWithGoodTopology, podWithClaimName),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							return st.FromResourceClaim(in).
@@ -1171,6 +1535,7 @@ func TestPlugin(t *testing.T) {
 					},
 				},
 				unreserveAfterBindFailure: &result{
+					assumedClaim: reserve(allocatedClaimWithGoodTopology, podWithClaimName),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							out := in.DeepCopy()
@@ -1246,7 +1611,7 @@ func TestPlugin(t *testing.T) {
 			objs:                     []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaimWithPrioritizedList,
+					inFlightClaims: []metav1.Object{allocatedClaimWithPrioritizedList},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaimWithPrioritizedList, podWithClaimName),
@@ -1263,7 +1628,7 @@ func TestPlugin(t *testing.T) {
 				},
 			},
 		},
-		"extended-resource-name-wth-node-resource": {
+		"extended-resource-name-with-node-resource": {
 			enableDRAExtendedResource:          true,
 			enableDRADeviceBindingConditions:   true,
 			enableDRAResourceClaimDeviceStatus: true,
@@ -1271,6 +1636,63 @@ func TestPlugin(t *testing.T) {
 			pod:                                podWithExtendedResourceName,
 			classes:                            []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
 			want:                               want{},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				_, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.ErrorContains(t, err, "not found")
+			},
+		},
+		"extended-resource-one-device-plugin-one-dra": {
+			enableDRAExtendedResource:          true,
+			enableDRADeviceBindingConditions:   true,
+			enableDRAResourceClaimDeviceStatus: true,
+			nodes:                              []*v1.Node{workerNodeWithExtendedResource},
+			pod:                                podWithExtendedResourceName2,
+			classes:                            []*resourceapi.DeviceClass{deviceClassWithExtendResourceName, deviceClassWithExtendResourceName2},
+			objs:                               []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName2},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName2},
+				},
+				prebind: result{
+					assumedClaim: reserve(extendedResourceClaim2, podWithExtendedResourceName2),
+					added:        []metav1.Object{reserve(extendedResourceClaim2, podWithExtendedResourceName2)},
+				},
+				postbind: result{
+					assumedClaim: reserve(extendedResourceClaim2, podWithExtendedResourceName2),
+				},
+			},
+		},
+		"extended-resource-name-with-zero-allocatable": {
+			enableDRAExtendedResource: true,
+			nodes:                     []*v1.Node{workerNodeWithExtendedResourceZeroAllocatable},
+			pod:                       podWithExtendedResourceName,
+			classes:                   []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
+			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
+				},
+				prebind: result{
+					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
+					added:        []metav1.Object{reserve(extendedResourceClaim, podWithExtendedResourceName)},
+				},
+				postbind: result{
+					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
+				},
+			},
+		},
+		"non-DRA-extended-resource-name-with-zero-allocatable": {
+			enableDRAExtendedResource: true,
+			nodes:                     []*v1.Node{workerNodeWithExtendedResourceZeroAllocatable},
+			pod:                       podWithExtendedResourceName,
+			classes:                   []*resourceapi.DeviceClass{deviceClass},
+			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
+			want: want{
+				prefilter: result{
+					status: fwk.NewStatus(fwk.Skip),
+				},
+				prebindPreFlight: fwk.NewStatus(fwk.Skip),
+			},
 		},
 		"extended-resource-name-no-resource": {
 			enableDRAExtendedResource: true,
@@ -1286,6 +1708,10 @@ func TestPlugin(t *testing.T) {
 					status: fwk.NewStatus(fwk.Unschedulable, `still not schedulable`),
 				},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				_, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.ErrorContains(t, err, "not found")
+			},
 		},
 		"extended-resource-name-with-resources": {
 			enableDRAExtendedResource: true,
@@ -1294,7 +1720,7 @@ func TestPlugin(t *testing.T) {
 			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
 			want: want{
 				reserve: result{
-					inFlightClaim: extendedResourceClaimNoName,
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
 				},
 				prebind: result{
 					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
@@ -1304,6 +1730,82 @@ func TestPlugin(t *testing.T) {
 					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
 				},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
+		},
+		"implicit-extended-resource-name-with-resources": {
+			enableDRAExtendedResource: true,
+			pod:                       podWithImplicitExtendedResourceName,
+			classes:                   []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
+			objs:                      []apiruntime.Object{largeWorkerNodeSlice, podWithImplicitExtendedResourceName},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{implicitExtendedResourceClaimNoName},
+				},
+				prebind: result{
+					assumedClaim: reserve(implicitExtendedResourceClaim, podWithImplicitExtendedResourceName),
+					added:        []metav1.Object{reserve(implicitExtendedResourceClaim, podWithImplicitExtendedResourceName)},
+				},
+				postbind: result{
+					assumedClaim: reserve(implicitExtendedResourceClaim, podWithImplicitExtendedResourceName),
+				},
+			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
+		},
+		"implicit-extended-resource-name-two-containers-with-resources": {
+			enableDRAExtendedResource: true,
+			pod:                       podWithImplicitExtendedResourceNameTwoContainers,
+			classes:                   []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
+			objs:                      []apiruntime.Object{largeWorkerNodeSlice, podWithImplicitExtendedResourceNameTwoContainers},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{implicitExtendedResourceClaimNoNameTwoContainers},
+				},
+				prebind: result{
+					assumedClaim: reserve(implicitExtendedResourceClaimTwoContainers, podWithImplicitExtendedResourceNameTwoContainers),
+					added:        []metav1.Object{reserve(implicitExtendedResourceClaimTwoContainers, podWithImplicitExtendedResourceNameTwoContainers)},
+				},
+				postbind: result{
+					assumedClaim: reserve(implicitExtendedResourceClaimTwoContainers, podWithImplicitExtendedResourceNameTwoContainers),
+				},
+			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
+		},
+		"extended-resource-name-with-resources-fail-patch": {
+			enableDRAExtendedResource: true,
+			failPatch:                 true,
+			pod:                       podWithExtendedResourceName,
+			classes:                   []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
+			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
+				},
+				prebind: result{
+					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
+					added:        []metav1.Object{reserve(extendedResourceClaim, podWithExtendedResourceName)},
+					status:       fwk.NewStatus(fwk.Unschedulable, `patch error`),
+				},
+				postbind: result{
+					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
+				},
+			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
 		},
 		"extended-resource-name-with-resources-has-claim": {
 			enableDRAExtendedResource: true,
@@ -1322,6 +1824,10 @@ func TestPlugin(t *testing.T) {
 					removed: []metav1.Object{extendedResourceClaim},
 				},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				_, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.ErrorContains(t, err, "not found")
+			},
 		},
 		"extended-resource-name-with-resources-delete-claim": {
 			enableDRAExtendedResource: true,
@@ -1340,6 +1846,10 @@ func TestPlugin(t *testing.T) {
 					removed: []metav1.Object{extendedResourceClaimNode2},
 				},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				_, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.ErrorContains(t, err, "not found")
+			},
 		},
 		"extended-resource-name-bind-failure": {
 			enableDRAExtendedResource: true,
@@ -1348,7 +1858,7 @@ func TestPlugin(t *testing.T) {
 			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
 			want: want{
 				reserve: result{
-					inFlightClaim: extendedResourceClaimNoName,
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
 				},
 				prebind: result{
 					assumedClaim: reserve(extendedResourceClaim, podWithExtendedResourceName),
@@ -1358,6 +1868,11 @@ func TestPlugin(t *testing.T) {
 					removed: []metav1.Object{reserve(extendedResourceClaim, podWithExtendedResourceName)},
 				},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
 		},
 		"extended-resource-name-skip-bind": {
 			enableDRAExtendedResource: true,
@@ -1366,10 +1881,46 @@ func TestPlugin(t *testing.T) {
 			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
 			want: want{
 				reserve: result{
-					inFlightClaim: extendedResourceClaimNoName,
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
 				},
 				unreserveBeforePreBind: &result{},
 			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["success"]))
+			},
+		},
+		"extended-resource-name-claim-creation-failure": {
+			enableDRAExtendedResource: true,
+			pod:                       podWithExtendedResourceName,
+			classes:                   []*resourceapi.DeviceClass{deviceClassWithExtendResourceName},
+			objs:                      []apiruntime.Object{workerNodeSlice, podWithExtendedResourceName},
+			want: want{
+				reserve: result{
+					inFlightClaims: []metav1.Object{extendedResourceClaimNoName},
+				},
+				prebind: result{
+					status: fwk.NewStatus(fwk.Unschedulable, `claim creation errors`),
+				},
+				unreserveAfterBindFailure: &result{
+					removed: []metav1.Object{reserve(extendedResourceClaim, podWithExtendedResourceName)},
+				},
+			},
+			reactors: []cgotesting.Reactor{
+				&cgotesting.SimpleReactor{
+					Verb:     "create",
+					Resource: "resourceclaims",
+					Reaction: func(action cgotesting.Action) (handled bool, ret apiruntime.Object, err error) {
+						return true, nil, apierrors.NewBadRequest("claim creation errors")
+					},
+				},
+			},
+			metrics: func(t *testing.T, g compbasemetrics.Gatherer) {
+				metric, err := testutil.GetCounterValuesFromGatherer(g, "scheduler_resourceclaim_creates_total", map[string]string{}, "status")
+				require.NoError(t, err)
+				require.Equal(t, 1, int(metric["failure"]))
+			},
 		},
 		"canceled": {
 			cancelFilter: true,
@@ -1427,7 +1978,7 @@ func TestPlugin(t *testing.T) {
 			objs:                             []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -1457,7 +2008,7 @@ func TestPlugin(t *testing.T) {
 			objs:    []apiruntime.Object{workerNodeSlice},
 			want: want{
 				reserve: result{
-					inFlightClaim: allocatedClaim,
+					inFlightClaims: []metav1.Object{allocatedClaim},
 				},
 				prebind: result{
 					assumedClaim: reserve(allocatedClaim, podWithClaimName),
@@ -1484,6 +2035,7 @@ func TestPlugin(t *testing.T) {
 			claims:                             []*resourceapi.ResourceClaim{boundClaim},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(boundClaim, podWithClaimName),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							return st.FromResourceClaim(in).
@@ -1560,7 +2112,10 @@ func TestPlugin(t *testing.T) {
 		"prebind-fail-with-binding-timeout": {
 			enableDRADeviceBindingConditions:   true,
 			enableDRAResourceClaimDeviceStatus: true,
-			pod:                                podWithClaimName,
+			args: &config.DynamicResourcesArgs{
+				BindingTimeout: &metav1.Duration{Duration: 600 * time.Second},
+			},
+			pod: podWithClaimName,
 			claims: func() []*resourceapi.ResourceClaim {
 				claim := allocatedClaim.DeepCopy()
 				claim.Status.Allocation = allocationResultWithBindingConditions.DeepCopy()
@@ -1577,6 +2132,20 @@ func TestPlugin(t *testing.T) {
 			}(),
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(func() *resourceapi.ResourceClaim {
+						claim := allocatedClaim.DeepCopy()
+						claim.Status.Allocation = allocationResultWithBindingConditions.DeepCopy()
+						// This claim has binding conditions but is not timed out.
+						claim.Status.Allocation.AllocationTimestamp = ptr.To(metav1.NewTime(time.Now().Add(-9*time.Minute - 50*time.Second)))
+						claim.Status.Devices = []resourceapi.AllocatedDeviceStatus{
+							{
+								Driver: driver,
+								Pool:   nodeName,
+								Device: "instance-1",
+							},
+						}
+						return claim
+					}(), podWithClaimName),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							return st.FromResourceClaim(in).
@@ -1639,6 +2208,7 @@ func TestPlugin(t *testing.T) {
 			claims: []*resourceapi.ResourceClaim{allocatedClaim, otherClaim},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(allocatedClaim, podWithClaimTemplateInStatus),
 					changes: change{
 						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							if claim.Name == claimName {
@@ -1662,6 +2232,7 @@ func TestPlugin(t *testing.T) {
 			objs:                               []apiruntime.Object{fabricSlice, fabricSlice2},
 			want: want{
 				prebind: result{
+					assumedClaim: reserve(boundClaim, podWithTwoClaimNames),
 					changes: change{
 						claim: func(in *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
 							return st.FromResourceClaim(in).
@@ -1704,21 +2275,181 @@ func TestPlugin(t *testing.T) {
 				},
 			},
 		},
+		"single-claim-prioritized-list-scoring": {
+			enableDRAPrioritizedList: true,
+			pod:                      podWithClaimName,
+			claims:                   []*resourceapi.ResourceClaim{pendingClaimWithPrioritizedListAndSelector},
+			classes:                  []*resourceapi.DeviceClass{deviceClass},
+			nodes:                    []*v1.Node{workerNode, workerNode2},
+			objs: []apiruntime.Object{
+				st.MakeResourceSlice(nodeName, driver).Device("instance-1", map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{attrName: {BoolValue: ptr.To(true)}}).Obj(),
+				st.MakeResourceSlice(node2Name, driver).Device("instance-1", map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{attrName: {BoolValue: ptr.To(false)}}).Obj(),
+			},
+			want: want{
+				scoreResult: perNodeScoreResult{
+					nodeName:  8,
+					node2Name: 7,
+				},
+				normalizeScoreResult: fwk.NodeScoreList{
+					{
+						Name:  nodeName,
+						Score: 100,
+					},
+					{
+						Name:  node2Name,
+						Score: 87,
+					},
+				},
+				reserve: result{
+					inFlightClaims: []metav1.Object{allocatedClaimWithPrioritizedListAndSelector},
+				},
+				prebind: result{
+					assumedClaim: reserve(allocatedClaimWithPrioritizedListAndSelector, podWithClaimName),
+					changes: change{
+						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+							if claim.Name == claimName {
+								claim = claim.DeepCopy()
+								claim.Finalizers = allocatedClaimWithPrioritizedListAndSelector.Finalizers
+								claim.Status = inUseClaimWithPrioritizedListAndSelector.Status
+							}
+							return claim
+						},
+					},
+				},
+			},
+		},
+		"multiple-claims-prioritized-list-scoring": {
+			enableDRAPrioritizedList: true,
+			pod:                      podWithTwoClaimNames,
+			claims:                   []*resourceapi.ResourceClaim{pendingClaimWithPrioritizedList, pendingClaim2WithPrioritizedListAndMultipleSubrequests},
+			classes:                  []*resourceapi.DeviceClass{deviceClass},
+			nodes:                    []*v1.Node{workerNode, workerNode2, workerNode3},
+			objs: []apiruntime.Object{
+				st.MakeResourceSlice(nodeName, driver).
+					Device("instance-1").
+					Device("instance-2").
+					Device("instance-3").
+					Device("instance-4").Obj(),
+				st.MakeResourceSlice(node2Name, driver).
+					Device("instance-1").
+					Device("instance-2").Obj(),
+				st.MakeResourceSlice(node3Name, driver).
+					Device("instance-1").Obj(),
+			},
+			want: want{
+				filter: perNodeResult{
+					workerNode3.Name: {
+						status: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, `cannot allocate all claims`),
+					},
+				},
+				scoreResult: perNodeScoreResult{
+					workerNode.Name:  15,
+					workerNode2.Name: 13,
+				},
+				normalizeScoreResult: fwk.NodeScoreList{
+					{
+						Name:  workerNode.Name,
+						Score: 100,
+					},
+					{
+						Name:  workerNode2.Name,
+						Score: 86,
+					},
+				},
+				reserve: result{
+					inFlightClaims: []metav1.Object{allocatedClaimWithPrioritizedList, allocatedClaim2WithPrioritizedListAndMultipleSubrequests},
+				},
+				prebind: result{
+					assumedClaim: reserve(allocatedClaimWithPrioritizedList, podWithTwoClaimNames),
+					changes: change{
+						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+							if claim.Name == claimName {
+								claim = claim.DeepCopy()
+								claim.Finalizers = inUseClaimWithPrioritizedList.Finalizers
+								claim.Status = inUseClaimWithPrioritizedList.Status
+							}
+							if claim.Name == claimName2 {
+								claim = claim.DeepCopy()
+								claim.Finalizers = inUseClaim2WithPrioritizedListAndMultipleSubrequests.Finalizers
+								claim.Status = inUseClaim2WithPrioritizedListAndMultipleSubrequests.Status
+							}
+							return claim
+						},
+					},
+				},
+			},
+		},
+		"multiple-requests-prioritized-list-scoring": {
+			enableDRAPrioritizedList: true,
+			pod:                      podWithClaimName,
+			claims:                   []*resourceapi.ResourceClaim{pendingClaimWithMultiplePrioritizedListRequests},
+			classes:                  []*resourceapi.DeviceClass{deviceClass},
+			nodes:                    []*v1.Node{workerNode, workerNode2, workerNode3},
+			objs: []apiruntime.Object{
+				st.MakeResourceSlice(nodeName, driver).
+					Device("instance-1").
+					Device("instance-2").
+					Device("instance-3").
+					Device("instance-4").Obj(),
+				st.MakeResourceSlice(node2Name, driver).
+					Device("instance-1").
+					Device("instance-2").
+					Device("instance-3").Obj(),
+				st.MakeResourceSlice(node3Name, driver).
+					Device("instance-1").
+					Device("instance-2").Obj(),
+			},
+			want: want{
+				scoreResult: perNodeScoreResult{
+					workerNode.Name:  16,
+					workerNode2.Name: 15,
+					workerNode3.Name: 14,
+				},
+				normalizeScoreResult: fwk.NodeScoreList{
+					{
+						Name:  workerNode.Name,
+						Score: 100,
+					},
+					{
+						Name:  workerNode2.Name,
+						Score: 93,
+					},
+					{
+						Name:  workerNode3.Name,
+						Score: 87,
+					},
+				},
+				reserve: result{
+					inFlightClaims: []metav1.Object{allocatedClaimWithMultiplePrioritizedListRequests},
+				},
+				prebind: result{
+					assumedClaim: reserve(allocatedClaimWithMultiplePrioritizedListRequests, podWithClaimName),
+					changes: change{
+						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+							if claim.Name == claimName {
+								claim = claim.DeepCopy()
+								claim.Finalizers = inUseClaimWithMultiplePrioritizedListRequests.Finalizers
+								claim.Status = inUseClaimWithMultiplePrioritizedListRequests.Status
+							}
+							return claim
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for name, tc := range testcases {
 		if len(tc.skipOnWindows) > 0 && goruntime.GOOS == "windows" {
 			t.Skipf("Skipping '%s' test case on Windows, reason: %s", name, tc.skipOnWindows)
 		}
-		// We can run in parallel because logging is per-test.
 		tc := tc
 		t.Run(name, func(t *testing.T) {
-			t.Parallel()
 			nodes := tc.nodes
 			if nodes == nil {
 				nodes = []*v1.Node{workerNode}
 			}
-			features := feature.Features{
+			feats := feature.Features{
 				EnableDRAAdminAccess:               tc.enableDRAAdminAccess,
 				EnableDRADeviceBindingConditions:   tc.enableDRADeviceBindingConditions,
 				EnableDRAResourceClaimDeviceStatus: tc.enableDRAResourceClaimDeviceStatus,
@@ -1728,8 +2459,14 @@ func TestPlugin(t *testing.T) {
 				EnableDRAPrioritizedList:           tc.enableDRAPrioritizedList,
 				EnableDRAExtendedResource:          tc.enableDRAExtendedResource,
 			}
-			testCtx := setup(t, tc.args, nodes, tc.claims, tc.classes, tc.objs, features)
+
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, tc.enableDRAExtendedResource)
+			testCtx := setup(t, tc.args, nodes, tc.claims, tc.classes, tc.objs, feats, tc.failPatch, tc.reactors)
 			initialObjects := testCtx.listAll(t)
+			var registry compbasemetrics.KubeRegistry
+			if tc.metrics != nil {
+				registry = setupMetrics(feats)
+			}
 
 			status := testCtx.p.PreEnqueue(testCtx.ctx, tc.pod)
 			t.Run("PreEnqueue", func(t *testing.T) {
@@ -1778,18 +2515,47 @@ func TestPlugin(t *testing.T) {
 				}
 			}
 
+			var scores fwk.NodeScoreList
 			if !unschedulable && len(potentialNodes) > 1 {
 				initialObjects = testCtx.listAll(t)
 				initialObjects = testCtx.updateAPIServer(t, initialObjects, tc.prepare.prescore)
+
+				for _, potentialNode := range potentialNodes {
+					initialObjects = testCtx.listAll(t)
+					score, status := testCtx.p.Score(testCtx.ctx, testCtx.state, tc.pod, potentialNode)
+					nodeName := potentialNode.Node().Name
+					t.Run(fmt.Sprintf("score/%s", nodeName), func(t *testing.T) {
+						assert.Equal(t, tc.want.scoreResult.forNode(nodeName), score)
+						testCtx.verify(t, tc.want.score.forNode(nodeName), initialObjects, nil, status)
+					})
+					scores = append(scores, fwk.NodeScore{Name: nodeName, Score: score})
+				}
+
+				initialObjects = testCtx.listAll(t)
+				status := testCtx.p.NormalizeScore(testCtx.ctx, testCtx.state, tc.pod, scores)
+				t.Run("normalizeScore", func(t *testing.T) {
+					assert.Equal(t, tc.want.normalizeScoreResult, scores)
+					testCtx.verify(t, tc.want.normalizeScore, initialObjects, nil, status)
+				})
 			}
 
-			var selectedNode fwk.NodeInfo
+			var selectedNodeName string
 			if !unschedulable && len(potentialNodes) > 0 {
-				selectedNode = potentialNodes[0]
+				if len(scores) > 0 {
+					nodeScore := scores[0]
+					for _, score := range scores {
+						if score.Score > nodeScore.Score {
+							nodeScore = score
+						}
+					}
+					selectedNodeName = nodeScore.Name
+				} else {
+					selectedNodeName = potentialNodes[0].Node().Name
+				}
 
 				initialObjects = testCtx.listAll(t)
 				initialObjects = testCtx.updateAPIServer(t, initialObjects, tc.prepare.reserve)
-				status := testCtx.p.Reserve(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+				status := testCtx.p.Reserve(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 				t.Run("reserve", func(t *testing.T) {
 					testCtx.verify(t, tc.want.reserve, initialObjects, nil, status)
 				})
@@ -1798,18 +2564,18 @@ func TestPlugin(t *testing.T) {
 				}
 			}
 
-			if selectedNode != nil {
+			if selectedNodeName != "" {
 				if unschedulable {
 					initialObjects = testCtx.listAll(t)
 					initialObjects = testCtx.updateAPIServer(t, initialObjects, tc.prepare.unreserve)
-					testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+					testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 					t.Run("unreserve", func(t *testing.T) {
 						testCtx.verify(t, tc.want.unreserve, initialObjects, nil, status)
 					})
 				} else {
 					if tc.want.unreserveBeforePreBind != nil {
 						initialObjects = testCtx.listAll(t)
-						testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+						testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 						t.Run("unreserveBeforePreBind", func(t *testing.T) {
 							testCtx.verify(t, *tc.want.unreserveBeforePreBind, initialObjects, nil, status)
 						})
@@ -1818,17 +2584,17 @@ func TestPlugin(t *testing.T) {
 
 					initialObjects = testCtx.listAll(t)
 					initialObjects = testCtx.updateAPIServer(t, initialObjects, tc.prepare.prebind)
-					preBindPreFlightStatus := testCtx.p.PreBindPreFlight(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+					preBindPreFlightStatus := testCtx.p.PreBindPreFlight(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 					t.Run("prebindPreFlight", func(t *testing.T) {
 						assert.Equal(t, tc.want.prebindPreFlight, preBindPreFlightStatus)
 					})
-					preBindStatus := testCtx.p.PreBind(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+					preBindStatus := testCtx.p.PreBind(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 					t.Run("prebind", func(t *testing.T) {
 						testCtx.verify(t, tc.want.prebind, initialObjects, nil, preBindStatus)
 					})
 					if tc.want.unreserveAfterBindFailure != nil {
 						initialObjects = testCtx.listAll(t)
-						testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNode.Node().Name)
+						testCtx.p.Unreserve(testCtx.ctx, testCtx.state, tc.pod, selectedNodeName)
 						t.Run("unreserverAfterBindFailure", func(t *testing.T) {
 							testCtx.verify(t, *tc.want.unreserveAfterBindFailure, initialObjects, nil, status)
 						})
@@ -1846,10 +2612,24 @@ func TestPlugin(t *testing.T) {
 					testCtx.verify(t, tc.want.postfilter, initialObjects, nil, status)
 				})
 			}
+			if tc.metrics != nil {
+				tc.metrics(t, registry)
+			}
 		})
 	}
 }
 
+func setupMetrics(features feature.Features) compbasemetrics.KubeRegistry {
+	// Since feature gate is not set globally, we can't use metrics.Register().
+	// We use a new registry instead of using global registry.
+	testRegistry := compbasemetrics.NewKubeRegistry()
+	if features.EnableDRAExtendedResource {
+		testRegistry.MustRegister(metrics.ResourceClaimCreatesTotal)
+		metrics.ResourceClaimCreatesTotal.Reset()
+	}
+	return testRegistry
+}
+
 type testContext struct {
 	ctx             context.Context
 	client          *fake.Clientset
@@ -1895,6 +2675,8 @@ func (tc *testContext) verify(t *testing.T, expected result, initialObjects []me
 	ignoreFieldsInResourceClaims := []cmp.Option{
 		cmpopts.IgnoreFields(metav1.ObjectMeta{}, "UID", "ResourceVersion"),
 		cmpopts.IgnoreFields(resourceapi.AllocationResult{}, "AllocationTimestamp"),
+		// It does not matter which specific device is allocated for the testing purpose.
+		cmpopts.IgnoreFields(resourceapi.DeviceRequestAllocationResult{}, "Device"),
 	}
 	if diff := cmp.Diff(wantObjects, objects, ignoreFieldsInResourceClaims...); diff != "" {
 		t.Errorf("Stored objects are different (- expected, + actual):\n%s", diff)
@@ -1942,12 +2724,8 @@ func (tc *testContext) verify(t *testing.T, expected result, initialObjects []me
 		}
 	}
 
-	var expectInFlightClaims []metav1.Object
-	if expected.inFlightClaim != nil {
-		expectInFlightClaims = append(expectInFlightClaims, expected.inFlightClaim)
-	}
 	actualInFlightClaims := tc.listInFlightClaims()
-	if diff := cmp.Diff(expectInFlightClaims, actualInFlightClaims, ignoreFieldsInResourceClaims...); diff != "" {
+	if diff := cmp.Diff(expected.inFlightClaims, actualInFlightClaims, ignoreFieldsInResourceClaims...); diff != "" {
 		t.Errorf("In-flight claims are different (- expected, + actual):\n%s", diff)
 	}
 }
@@ -2042,7 +2820,7 @@ func update(t *testing.T, objects []metav1.Object, updates change) []metav1.Obje
 	return updated
 }
 
-func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, claims []*resourceapi.ResourceClaim, classes []*resourceapi.DeviceClass, objs []apiruntime.Object, features feature.Features) (result *testContext) {
+func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, claims []*resourceapi.ResourceClaim, classes []*resourceapi.DeviceClass, objs []apiruntime.Object, features feature.Features, failPatch bool, apiReactors []cgotesting.Reactor) (result *testContext) {
 	t.Helper()
 
 	tc := &testContext{}
@@ -2050,16 +2828,18 @@ func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, cl
 	tc.ctx = tCtx
 
 	tc.client = fake.NewSimpleClientset(objs...)
-	reactor := createReactor(tc.client.Tracker())
+	reactor := createReactor(tc.client.Tracker(), failPatch)
 	tc.client.PrependReactor("*", "*", reactor)
+	// Prepends reactors to the client.
+	tc.client.ReactionChain = append(apiReactors, tc.client.ReactionChain...)
 
 	tc.informerFactory = informers.NewSharedInformerFactory(tc.client, 0)
 	resourceSliceTrackerOpts := resourceslicetracker.Options{
-		EnableDeviceTaints: true,
-		SliceInformer:      tc.informerFactory.Resource().V1().ResourceSlices(),
-		TaintInformer:      tc.informerFactory.Resource().V1alpha3().DeviceTaintRules(),
-		ClassInformer:      tc.informerFactory.Resource().V1().DeviceClasses(),
-		KubeClient:         tc.client,
+		EnableDeviceTaintRules: true,
+		SliceInformer:          tc.informerFactory.Resource().V1().ResourceSlices(),
+		TaintInformer:          tc.informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		ClassInformer:          tc.informerFactory.Resource().V1().DeviceClasses(),
+		KubeClient:             tc.client,
 	}
 	resourceSliceTracker, err := resourceslicetracker.StartTracker(tCtx, resourceSliceTrackerOpts)
 	require.NoError(t, err, "couldn't start resource slice tracker")
@@ -2078,6 +2858,13 @@ func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, cl
 	registeredHandler := claimsCache.AddEventHandler(cache.ResourceEventHandlerFuncs{})
 
 	tc.draManager = NewDRAManager(tCtx, claimsCache, resourceSliceTracker, tc.informerFactory)
+	if features.EnableDRAExtendedResource {
+		cache := tc.draManager.DeviceClassResolver().(*extendedresourcecache.ExtendedResourceCache)
+		if _, err := tc.informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(cache); err != nil {
+			tCtx.Logger().Error(err, "failed to add device class informer event handler")
+		}
+	}
+
 	opts := []runtime.Option{
 		runtime.WithClientSet(tc.client),
 		runtime.WithInformerFactory(tc.informerFactory),
@@ -2122,7 +2909,7 @@ func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, cl
 	// is synced, we need to wait until HasSynced of the handler returns
 	// true, this ensures that the assume cache is in sync with the informer's
 	// store which has been informed by at least one full LIST of the underlying storage.
-	cache.WaitForCacheSync(tc.ctx.Done(), registeredHandler.HasSynced)
+	cache.WaitForCacheSync(tc.ctx.Done(), registeredHandler.HasSynced, resourceSliceTracker.HasSynced)
 
 	for _, node := range nodes {
 		nodeInfo := framework.NewNodeInfo()
@@ -2138,13 +2925,19 @@ func setup(t *testing.T, args *config.DynamicResourcesArgs, nodes []*v1.Node, cl
 // fields to work when using the fake client. Add it with client.PrependReactor
 // to your fake client. ResourceVersion handling is required for conflict
 // detection during updates, which is covered by some scenarios.
-func createReactor(tracker cgotesting.ObjectTracker) func(action cgotesting.Action) (handled bool, ret apiruntime.Object, err error) {
+func createReactor(tracker cgotesting.ObjectTracker, failPatch bool) func(action cgotesting.Action) (handled bool, ret apiruntime.Object, err error) {
 	var nameCounter int
 	var uidCounter int
 	var resourceVersionCounter int
 	var mutex sync.Mutex
 
 	return func(action cgotesting.Action) (handled bool, ret apiruntime.Object, err error) {
+		if failPatch {
+			if _, ok := action.(cgotesting.PatchAction); ok {
+				return true, nil, errors.New("patch error")
+			}
+		}
+
 		createAction, ok := action.(cgotesting.CreateAction)
 		if !ok {
 			return false, nil, nil
@@ -2294,7 +3087,7 @@ func Test_isSchedulableAfterClaimChange(t *testing.T) {
 				EnableDRASchedulerFilterTimeout: true,
 				EnableDynamicResourceAllocation: true,
 			}
-			testCtx := setup(t, nil, nil, tc.claims, nil, nil, features)
+			testCtx := setup(t, nil, nil, tc.claims, nil, nil, features, false, nil)
 			oldObj := tc.oldObj
 			newObj := tc.newObj
 			if claim, ok := tc.newObj.(*resourceapi.ResourceClaim); ok {
@@ -2418,7 +3211,7 @@ func Test_isSchedulableAfterPodChange(t *testing.T) {
 				EnableDRASchedulerFilterTimeout: true,
 				EnableDynamicResourceAllocation: true,
 			}
-			testCtx := setup(t, nil, nil, tc.claims, nil, tc.objs, features)
+			testCtx := setup(t, nil, nil, tc.claims, nil, tc.objs, features, false, nil)
 			gotHint, err := testCtx.p.isSchedulableAfterPodChange(logger, tc.pod, nil, tc.obj)
 			if tc.wantErr {
 				if err == nil {
@@ -2437,275 +3230,486 @@ func Test_isSchedulableAfterPodChange(t *testing.T) {
 	}
 }
 
-func Test_createDeviceRequests(t *testing.T) {
-	pod1 := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName):       "1",
-			v1.ResourceName(extendedResourceName + "1"): "2",
-		}).
-		Obj()
-	pod2 := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName): "1",
-		}).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName + "1"): "2",
-		}).
-		Obj()
+// mockDeviceClassResolver is a simple mock implementation of fwk.DeviceClassResolver for testing
+type mockDeviceClassResolver struct {
+	mapping map[v1.ResourceName]*resourceapi.DeviceClass
+}
 
-	podInit := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName): "1",
-		}).
-		InitReq(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName + "init"): "2",
-		}).
-		Obj()
+func (m *mockDeviceClassResolver) GetDeviceClass(resourceName v1.ResourceName) *resourceapi.DeviceClass {
+	return m.mapping[resourceName]
+}
 
-	res := map[v1.ResourceName]int64{
-		v1.ResourceName(extendedResourceName): 1,
-	}
-	res2 := map[v1.ResourceName]int64{
-		v1.ResourceName(extendedResourceName):       1,
-		v1.ResourceName(extendedResourceName + "1"): 2,
-	}
-	resInit := map[v1.ResourceName]int64{
-		v1.ResourceName(extendedResourceName):          1,
-		v1.ResourceName(extendedResourceName + "init"): 2,
-	}
-	devMap := map[v1.ResourceName]string{
-		v1.ResourceName(extendedResourceName): "class",
-	}
-	devMap2 := map[v1.ResourceName]string{
-		v1.ResourceName(extendedResourceName):       "class",
-		v1.ResourceName(extendedResourceName + "1"): "class1",
-	}
-	devMapInit := map[v1.ResourceName]string{
-		v1.ResourceName(extendedResourceName):          "class",
-		v1.ResourceName(extendedResourceName + "init"): "classInit",
-	}
-	devReq := resourceapi.DeviceRequest{
-		Name: "container-0-request-0",
-		Exactly: &resourceapi.ExactDeviceRequest{
-			DeviceClassName: "class",
-			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-			Count:           1,
-		},
-	}
-	devReq2 := resourceapi.DeviceRequest{
-		Name: "container-0-request-1",
-		Exactly: &resourceapi.ExactDeviceRequest{
-			DeviceClassName: "class1",
-			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-			Count:           2,
-		},
-	}
-	devReq3 := resourceapi.DeviceRequest{
-		Name: "container-1-request-0",
-		Exactly: &resourceapi.ExactDeviceRequest{
-			DeviceClassName: "class1",
-			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-			Count:           2,
+// TestAllocatorSelection covers the selection of a structured allocation implementation
+// based on actual Kubernetes feature gates. This test lives here instead of
+// k8s.io/dynamic-resource-allocation/structured because that code has no access
+// to feature gate definitions.
+func TestAllocatorSelection(t *testing.T) {
+	for name, tc := range map[string]struct {
+		features             string
+		expectImplementation string
+	}{
+		// The most conservative implementation: only used when explicitly asking
+		// for the most stable Kubernetes (no alpha or beta features).
+		"only-GA": {
+			features:             "AllAlpha=false,AllBeta=false",
+			expectImplementation: "stable",
 		},
-	}
-	devReqInit := resourceapi.DeviceRequest{
-		Name: "container-1-request-0",
-		Exactly: &resourceapi.ExactDeviceRequest{
-			DeviceClassName: "class",
-			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-			Count:           1,
+
+		// By default, some beta features are on and the incubating implementation
+		// is used.
+		"default": {
+			features:             "",
+			expectImplementation: "incubating",
 		},
-	}
-	devReq2Init := resourceapi.DeviceRequest{
-		Name: "container-0-request-0",
-		Exactly: &resourceapi.ExactDeviceRequest{
-			DeviceClassName: "classInit",
-			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
-			Count:           2,
+
+		// Alpha features need the experimental implementation.
+		"alpha": {
+			features:             "AllAlpha=true,AllBeta=true",
+			expectImplementation: "experimental",
 		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			tCtx := ktesting.Init(t)
+			featureGate := utilfeature.DefaultFeatureGate.DeepCopy()
+			tCtx.ExpectNoError(featureGate.Set(tc.features), "set features")
+			fts := feature.NewSchedulerFeaturesFromGates(featureGate)
+			features := AllocatorFeatures(fts)
+
+			// Slightly hacky: most arguments are not valid and the constructor
+			// is expected to not use them yet.
+			allocator, err := structured.NewAllocator(tCtx, features, structured.AllocatedState{}, nil, nil, nil)
+			tCtx.ExpectNoError(err, "create allocator")
+			allocatorType := fmt.Sprintf("%T", allocator)
+			if !strings.Contains(allocatorType, tc.expectImplementation) {
+				tCtx.Fatalf("Expected allocator implementation %q, got %s", tc.expectImplementation, allocatorType)
+			}
+		})
 	}
+}
 
+func Test_computesScore(t *testing.T) {
 	testcases := map[string]struct {
-		pod                *v1.Pod
-		extendedResources  map[v1.ResourceName]int64
-		deviceClassMapping map[v1.ResourceName]string
-		wantDeviceRequests []resourceapi.DeviceRequest
+		claims        []*resourceapi.ResourceClaim
+		allocations   nodeAllocation
+		expectedScore int64
+		expectErr     bool
 	}{
-		"nil": {
-			pod:                pod1,
-			wantDeviceRequests: nil,
-		},
-		"one resource match": {
-			pod:                pod1,
-			extendedResources:  res,
-			deviceClassMapping: devMap,
-			wantDeviceRequests: []resourceapi.DeviceRequest{devReq},
-		},
-		"one resource match, one resource not match": {
-			pod:                pod1,
-			extendedResources:  res2,
-			deviceClassMapping: devMap,
-			wantDeviceRequests: []resourceapi.DeviceRequest{devReq},
-		},
-		"two resources match": {
-			pod:                pod1,
-			extendedResources:  res2,
-			deviceClassMapping: devMap2,
-			wantDeviceRequests: []resourceapi.DeviceRequest{devReq, devReq2},
-		},
-		"two containers match": {
-			pod:                pod2,
-			extendedResources:  res2,
-			deviceClassMapping: devMap2,
-			wantDeviceRequests: []resourceapi.DeviceRequest{devReq, devReq3},
-		},
-		"one init container, one regular container": {
-			pod:                podInit,
-			extendedResources:  resInit,
-			deviceClassMapping: devMapInit,
-			wantDeviceRequests: []resourceapi.DeviceRequest{devReq2Init, devReqInit},
+		"more-claims-than-allocations": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-2",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{},
+			expectErr:   true,
+		},
+		"single-request-only-subrequest-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-1",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 8,
+		},
+		"single-request-last-subrequest-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+						st.SubRequest("subreq-5", className, 1),
+						st.SubRequest("subreq-6", className, 1),
+						st.SubRequest("subreq-7", className, 1),
+						st.SubRequest("subreq-8", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-8",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 1,
+		},
+		"multiple-requests-with-middle-subrequests-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+					).
+					NamedRequestWithPrioritizedList("req-2",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+						st.SubRequest("subreq-5", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-4",
+								},
+								{
+									Request: "req-2/subreq-5",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 9,
+		},
+		"multiple-requests-with-top-subrequests-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+						st.SubRequest("subreq-5", className, 1),
+						st.SubRequest("subreq-6", className, 1),
+						st.SubRequest("subreq-7", className, 1),
+						st.SubRequest("subreq-8", className, 1),
+					).
+					NamedRequestWithPrioritizedList("req-2",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-8",
+								},
+								{
+									Request: "req-2/subreq-1",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 9,
+		},
+		"multiple-claims-with-last-subrequests-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+						st.SubRequest("subreq-5", className, 1),
+						st.SubRequest("subreq-6", className, 1),
+						st.SubRequest("subreq-7", className, 1),
+						st.SubRequest("subreq-8", className, 1),
+					).
+					Obj(),
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-2",
+						st.SubRequest("subreq-1", className, 1),
+						st.SubRequest("subreq-2", className, 1),
+						st.SubRequest("subreq-3", className, 1),
+						st.SubRequest("subreq-4", className, 1),
+						st.SubRequest("subreq-5", className, 1),
+						st.SubRequest("subreq-6", className, 1),
+						st.SubRequest("subreq-7", className, 1),
+						st.SubRequest("subreq-8", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-8",
+								},
+							},
+						},
+					},
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-2/subreq-8",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 2,
+		},
+		"multiple-claims-with-top-subrequests-allocated": {
+			claims: []*resourceapi.ResourceClaim{
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-1",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+				st.MakeResourceClaim().
+					NamedRequestWithPrioritizedList("req-2",
+						st.SubRequest("subreq-1", className, 1),
+					).
+					Obj(),
+			},
+			allocations: nodeAllocation{
+				allocationResults: []resourceapi.AllocationResult{
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1/subreq-1",
+								},
+							},
+						},
+					},
+					{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-2/subreq-1",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedScore: 16,
 		},
 	}
 
 	for name, tc := range testcases {
 		t.Run(name, func(t *testing.T) {
-			gotDeviceRequests := createDeviceRequests(tc.pod, tc.extendedResources, tc.deviceClassMapping)
-			if len(tc.wantDeviceRequests) != len(gotDeviceRequests) {
-				t.Fatalf("different length, want %#v, got %#v", tc.wantDeviceRequests, gotDeviceRequests)
-			}
-			sort.Slice(gotDeviceRequests, func(i, j int) bool { return gotDeviceRequests[i].Name < gotDeviceRequests[j].Name })
-			for i, r := range tc.wantDeviceRequests {
-				if r.Name != gotDeviceRequests[i].Name {
-					t.Fatalf("different name, want %#v, got %#v", r, gotDeviceRequests[i])
-				}
-				if r.Exactly.DeviceClassName != gotDeviceRequests[i].Exactly.DeviceClassName {
-					t.Fatalf("different deviceClassName, want %#v, got %#v", r, gotDeviceRequests[i])
-				}
-				if r.Exactly.AllocationMode != gotDeviceRequests[i].Exactly.AllocationMode {
-					t.Fatalf("different allocationMode, want %#v, got %#v", r, gotDeviceRequests[i])
-				}
-				if r.Exactly.Count != gotDeviceRequests[i].Exactly.Count {
-					t.Fatalf("different count, want %#v, got %#v", r, gotDeviceRequests[i])
+			iterator := slices.All(tc.claims)
+			score, err := computeScore(iterator, tc.allocations)
+			if err != nil {
+				if !tc.expectErr {
+					t.Fatalf("unexpected error: %v", err)
 				}
+				return
+			}
+			if tc.expectErr {
+				t.Fatal("expected error, got none")
 			}
+			assert.Equal(t, tc.expectedScore, score)
 		})
 	}
 }
 
-func Test_createRequestMappings(t *testing.T) {
-	pod1 := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName):       "1",
-			v1.ResourceName(extendedResourceName + "1"): "2",
-		}).
-		Obj()
-	pod2 := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName): "1",
-		}).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName + "1"): "2",
-		}).
-		Obj()
-
-	podInit := st.MakePod().Name(podName).Namespace(namespace).
-		UID(podUID).
-		Res(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName): "1",
-		}).
-		InitReq(map[v1.ResourceName]string{
-			v1.ResourceName(extendedResourceName + "init"): "2",
-		}).
-		Obj()
-
-	claim := st.MakeResourceClaim().
-		Name(claimName).
-		Namespace(namespace).
-		RequestWithName("container-0-request-0", className).
-		Obj()
-	claim2 := st.MakeResourceClaim().
-		Name(claimName).
-		Namespace(namespace).
-		RequestWithName("container-0-request-0", className).
-		RequestWithName("container-1-request-0", className).
-		Obj()
-
-	cer := v1.ContainerExtendedResourceRequest{
-		ContainerName: "con0",
-		ResourceName:  extendedResourceName,
-		RequestName:   "container-0-request-0",
-	}
-	cer2 := v1.ContainerExtendedResourceRequest{
-		ContainerName: "con1",
-		ResourceName:  extendedResourceName + "1",
-		RequestName:   "container-1-request-0",
-	}
-	cer3 := v1.ContainerExtendedResourceRequest{
-		ContainerName: "con0",
-		ResourceName:  extendedResourceName,
-		RequestName:   "container-1-request-0",
-	}
-	cerInit := v1.ContainerExtendedResourceRequest{
-		ContainerName: "init-con0",
-		ResourceName:  extendedResourceName + "init",
-		RequestName:   "container-0-request-0",
-	}
-
+func TestNormalizeScore(t *testing.T) {
 	testcases := map[string]struct {
-		claim           *resourceapi.ResourceClaim
-		pod             *v1.Pod
-		wantReqMappings []v1.ContainerExtendedResourceRequest
+		scores         fwk.NodeScoreList
+		expectedScores fwk.NodeScoreList
 	}{
-		"one container, one request": {
-			claim:           claim,
-			pod:             pod1,
-			wantReqMappings: []v1.ContainerExtendedResourceRequest{cer},
-		},
-		"two containers, one request": {
-			claim:           claim,
-			pod:             pod2,
-			wantReqMappings: []v1.ContainerExtendedResourceRequest{cer},
-		},
-		"one init container, one regular container, one request": {
-			claim:           claim,
-			pod:             podInit,
-			wantReqMappings: []v1.ContainerExtendedResourceRequest{cerInit},
-		},
-		"two containers, two requests": {
-			claim:           claim2,
-			pod:             pod2,
-			wantReqMappings: []v1.ContainerExtendedResourceRequest{cer, cer2},
-		},
-		"two containers (one is init container), two requests": {
-			claim:           claim2,
-			pod:             podInit,
-			wantReqMappings: []v1.ContainerExtendedResourceRequest{cerInit, cer3},
+		"empty": {
+			scores:         fwk.NodeScoreList{},
+			expectedScores: fwk.NodeScoreList{},
+		},
+		"single-score": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 42,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+			},
+		},
+		"all-same": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 8,
+				},
+				{
+					Name:  "node-2",
+					Score: 8,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+				{
+					Name:  "node-2",
+					Score: 100,
+				},
+			},
+		},
+		"all-same-very-large": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: math.MaxInt32,
+				},
+				{
+					Name:  "node-2",
+					Score: math.MaxInt32,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+				{
+					Name:  "node-2",
+					Score: 100,
+				},
+			},
+		},
+		"max-and-min-values": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: math.MaxInt32,
+				},
+				{
+					Name:  "node-2",
+					Score: 0,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+				{
+					Name:  "node-2",
+					Score: 0,
+				},
+			},
+		},
+		"mid-value": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 99,
+				},
+				{
+					Name:  "node-2",
+					Score: 98,
+				},
+				{
+					Name:  "node-3",
+					Score: 97,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+				{
+					Name:  "node-2",
+					Score: 98,
+				},
+				{
+					Name:  "node-3",
+					Score: 97,
+				},
+			},
+		},
+		"large-spread-lost-precision": {
+			scores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: math.MaxInt32,
+				},
+				{
+					Name:  "node-2",
+					Score: math.MaxInt32 - 1,
+				},
+				{
+					Name:  "node-3",
+					Score: 1,
+				},
+				{
+					Name:  "node-4",
+					Score: 0,
+				},
+			},
+			expectedScores: fwk.NodeScoreList{
+				{
+					Name:  "node-1",
+					Score: 100,
+				},
+				{
+					Name:  "node-2",
+					Score: 99,
+				},
+				{
+					Name:  "node-3",
+					Score: 0,
+				},
+				{
+					Name:  "node-4",
+					Score: 0,
+				},
+			},
 		},
 	}
 
 	for name, tc := range testcases {
 		t.Run(name, func(t *testing.T) {
-			gotReqMappings := createRequestMappings(tc.claim, tc.pod)
-			if len(tc.wantReqMappings) != len(gotReqMappings) {
-				t.Fatalf("different length, want %#v, got %#v", tc.wantReqMappings, gotReqMappings)
-			}
-			sort.Slice(gotReqMappings, func(i, j int) bool { return gotReqMappings[i].RequestName < gotReqMappings[j].RequestName })
-			for i, r := range tc.wantReqMappings {
-				if r.RequestName != gotReqMappings[i].RequestName {
-					t.Fatalf("different request name, want %#v, got %#v", r, gotReqMappings[i])
-				}
-				if r.ContainerName != gotReqMappings[i].ContainerName {
-					t.Fatalf("different container name, want %#v, got %#v", r, gotReqMappings[i])
-				}
-				if r.ResourceName != gotReqMappings[i].ResourceName {
-					t.Fatalf("different resource name, want %#v, got %#v", r, gotReqMappings[i])
-				}
+			pl := &DynamicResources{
+				enabled: true,
 			}
+			scores := tc.scores
+			_ = pl.NormalizeScore(context.Background(), nil, nil, scores)
+			assert.Equal(t, tc.expectedScores, scores)
 		})
 	}
 }
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/extended/util.go b/pkg/scheduler/framework/plugins/dynamicresources/extended/util.go
deleted file mode 100644
index 7c3acf137a4b3..0000000000000
--- a/pkg/scheduler/framework/plugins/dynamicresources/extended/util.go
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-Copyright 2025 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package extended
-
-import (
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/api/resource/v1beta1"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-)
-
-func DeviceClassMapping(draManager framework.SharedDRAManager) (map[v1.ResourceName]string, error) {
-	classes, err := draManager.DeviceClasses().List()
-	extendedResources := make(map[v1.ResourceName]string, len(classes))
-	if err != nil {
-		return nil, err
-	}
-	for _, c := range classes {
-		if c.Spec.ExtendedResourceName == nil {
-			extendedResources[v1.ResourceName(v1beta1.ResourceDeviceClassPrefix+c.Name)] = c.Name
-		} else {
-			extendedResources[v1.ResourceName(*c.Spec.ExtendedResourceName)] = c.Name
-		}
-	}
-	return extendedResources, nil
-}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/extended/util_test.go b/pkg/scheduler/framework/plugins/dynamicresources/extended/util_test.go
deleted file mode 100644
index 2968f551acebf..0000000000000
--- a/pkg/scheduler/framework/plugins/dynamicresources/extended/util_test.go
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
-Copyright 2025 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package extended
-
-import (
-	"testing"
-
-	v1 "k8s.io/api/core/v1"
-	resourceapi "k8s.io/api/resource/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes/fake"
-	resourcelisters "k8s.io/client-go/listers/resource/v1"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/test/utils/ktesting"
-)
-
-type fakeDRAManager struct {
-	deviceClassLister *deviceClassLister
-}
-
-var _ framework.DeviceClassLister = &deviceClassLister{}
-
-func (f *fakeDRAManager) ResourceClaims() framework.ResourceClaimTracker {
-	return nil
-}
-
-func (f *fakeDRAManager) ResourceSlices() framework.ResourceSliceLister {
-	return nil
-}
-
-func (f *fakeDRAManager) DeviceClasses() framework.DeviceClassLister {
-	return f.deviceClassLister
-}
-
-type deviceClassLister struct {
-	classLister resourcelisters.DeviceClassLister
-}
-
-func (l *deviceClassLister) Get(className string) (*resourceapi.DeviceClass, error) {
-	return l.classLister.Get(className)
-}
-
-func (l *deviceClassLister) List() ([]*resourceapi.DeviceClass, error) {
-	return l.classLister.List(labels.Everything())
-}
-
-func TestDeviceClassMapping(t *testing.T) {
-	tCtx := ktesting.Init(t)
-
-	ern1 := "example.com/gpu1"
-	class1 := &resourceapi.DeviceClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "class1",
-		},
-		Spec: resourceapi.DeviceClassSpec{
-			ExtendedResourceName: &ern1,
-		},
-	}
-	ern2 := "example.com/gpu2"
-	class2 := &resourceapi.DeviceClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "class2",
-		},
-		Spec: resourceapi.DeviceClassSpec{
-			ExtendedResourceName: &ern2,
-		},
-	}
-	class3 := &resourceapi.DeviceClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "class3",
-		},
-	}
-
-	client := fake.NewSimpleClientset(class1, class2, class3)
-
-	informerFactory := informers.NewSharedInformerFactory(client, 0)
-	draManager := &fakeDRAManager{
-		deviceClassLister: &deviceClassLister{classLister: informerFactory.Resource().V1().DeviceClasses().Lister()},
-	}
-
-	informerFactory.Start(tCtx.Done())
-	t.Cleanup(func() {
-		// Need to cancel before waiting for the shutdown.
-		tCtx.Cancel("test is done")
-		// Now we can wait for all goroutines to stop.
-		informerFactory.Shutdown()
-	})
-
-	informerFactory.WaitForCacheSync(tCtx.Done())
-
-	rm, err := DeviceClassMapping(draManager)
-	if err != nil {
-		t.Fatalf("calling DeviceClassMapping: %v", err)
-	}
-	c, ok := rm[v1.ResourceName(ern1)]
-	if !ok {
-		t.Errorf("result does not contain extended resource %s", ern1)
-	}
-	if c != "class1" {
-		t.Errorf("result does not match device class name %s", "class1")
-	}
-	c, ok = rm[v1.ResourceName(ern2)]
-	if !ok {
-		t.Errorf("result does not contain extended resource %s", ern2)
-	}
-	if c != "class2" {
-		t.Errorf("result does not match device class name %s", "class2")
-	}
-}
-
-func TestNoDeviceClassMapping(t *testing.T) {
-	tCtx := ktesting.Init(t)
-
-	client := fake.NewSimpleClientset()
-
-	informerFactory := informers.NewSharedInformerFactory(client, 0)
-	draManager := &fakeDRAManager{
-		deviceClassLister: &deviceClassLister{classLister: informerFactory.Resource().V1().DeviceClasses().Lister()},
-	}
-
-	informerFactory.Start(tCtx.Done())
-	t.Cleanup(func() {
-		// Need to cancel before waiting for the shutdown.
-		tCtx.Cancel("test is done")
-		// Now we can wait for all goroutines to stop.
-		informerFactory.Shutdown()
-	})
-
-	informerFactory.WaitForCacheSync(tCtx.Done())
-
-	rm, err := DeviceClassMapping(draManager)
-	if err != nil {
-		t.Fatalf("calling DeviceClassMapping: %v", err)
-	}
-	if len(rm) != 0 {
-		t.Errorf("result should not contain extended resource")
-	}
-}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources.go b/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources.go
new file mode 100644
index 0000000000000..1c677e728cd9a
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources.go
@@ -0,0 +1,616 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamicresources
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"slices"
+	"sort"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/kubernetes/pkg/scheduler/metrics"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/client-go/util/retry"
+	resourcehelper "k8s.io/component-helpers/resource"
+	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
+	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
+	"k8s.io/kubernetes/pkg/util/slice"
+	"k8s.io/utils/ptr"
+)
+
+// Extended Resources Backed by DRA - Scheduler Plugin Workflow by each extension points
+//
+// PreFilter - preFilterExtendedResources()
+// - for pods using extended resources, find existing claim or create in-memory claim with temporary name "<extended-resources>"
+// - the in-memory claim is used to track and allocate resources, claim object is created in PreBind extension point.
+// - store the claim in stateData for Filter extension point
+//
+// Filter - filterExtendedResources()
+// - if stale claim with Spec is identified, return Unschedulable for PostFilter extension point to cleanup
+// - check which resources satisfied by device plugin vs need DRA
+// - if extended resources need to be allocated through DRA, create node-specific claim
+//
+// PostFilter
+// - if extended resource claim has real name (not "<extended-resources>"):
+//   - it's stale from prior cycle -> delete it -> trigger retry
+//
+// Reserve
+// - Store allocation results from Filter in stateData
+// - Mark the claim as "allocation in-flight" via SignalClaimPendingAllocation()
+//
+// Unreserve
+// - Remove claim from in-flight allocations and restore assume cache
+// - Delete claim from API server if it has real name
+//
+// PreBind - bindClaim()
+// - For "<extended-resources>" claims: create in API server and update stateData
+// - Update claim status: add finalizer, allocation, and pod reservation
+// - Store in assume cache (poll for extended resource claims)
+// - Update pod.Status.ExtendedResourceClaimStatus with request mappings
+
+const (
+	// specialClaimInMemName is the name of the special resource claim that
+	// exists only in memory. The claim will get a generated name when it is
+	// written to API server.
+	//
+	// It's intentionally not a valid ResourceClaim name to avoid conflicts with
+	// some actual ResourceClaim in the apiserver.
+	specialClaimInMemName = "<extended-resources>"
+
+	// AssumeExtendedResourceTimeoutDefaultSeconds is the default timeout for waiting
+	// for the extended resource claim to be updated in assumed cache.
+	AssumeExtendedResourceTimeoutDefaultSeconds = 120
+)
+
+// draExtendedResource stores data for extended resources backed by DRA.
+// It will remain empty when the DRAExtendedResource feature is disabled.
+type draExtendedResource struct {
+	// May have extended resource backed by DRA.
+	podScalarResources map[v1.ResourceName]int64
+}
+
+// hasDeviceClassMappedExtendedResource returns true when the given resource list has an extended resource, that has
+// a mapping to a device class.
+func hasDeviceClassMappedExtendedResource(reqs v1.ResourceList, cache fwk.DeviceClassResolver) bool {
+	for rName, rValue := range reqs {
+		if rValue.IsZero() {
+			// We only care about the resources requested by the pod we are trying to schedule.
+			continue
+		}
+		if schedutil.IsDRAExtendedResourceName(rName) {
+			if cache.GetDeviceClass(rName) != nil {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// findExtendedResourceClaim looks for the extended resource claim, i.e., the claim with special annotation
+// set to "true", and with the pod as owner. It must be called with all ResourceClaims in the cluster.
+// The returned ResourceClaim is read-only.
+func findExtendedResourceClaim(pod *v1.Pod, resourceClaims []*resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+	for _, c := range resourceClaims {
+		if c.Annotations[resourceapi.ExtendedResourceClaimAnnotation] == "true" {
+			for _, or := range c.OwnerReferences {
+				if or.Name == pod.Name && *or.Controller && or.UID == pod.UID {
+					return c
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// preFilterExtendedResources checks if there is any extended resource in the
+// pod requests that has a device class mapping, i.e., there is a device class
+// that has spec.ExtendedResourceName or its implicit extended resource name
+// matching the given extended resource in that pod requests.
+//
+// It looks for the special resource claim for the pod created from prior scheduling
+// cycle. If not found, it creates the special claim with no Requests in the Spec,
+// with a temporary UID, and the specialClaimInMemName name.
+// Either way, the special claim is stored in state.claims.
+//
+// In addition, draExtendedResource is also stored in the cycle state.
+//
+// It returns the special ResourceClaim and an error status. It returns nil for both
+// if the feature is disabled or not required for the Pod.
+func (pl *DynamicResources) preFilterExtendedResources(pod *v1.Pod, logger klog.Logger, s *stateData) (*resourceapi.ResourceClaim, *fwk.Status) {
+	if !pl.fts.EnableDRAExtendedResource {
+		return nil, nil
+	}
+
+	// Try to build device class mapping from cache
+	cache := pl.draManager.DeviceClassResolver()
+	reqs := resourcehelper.PodRequests(pod, resourcehelper.PodResourcesOptions{})
+
+	hasExtendedResource := hasDeviceClassMappedExtendedResource(reqs, cache)
+	if !hasExtendedResource {
+		return nil, nil
+	}
+	r := framework.NewResource(reqs)
+	s.draExtendedResource.podScalarResources = r.ScalarResources
+
+	resourceClaims, err := pl.draManager.ResourceClaims().List()
+	if err != nil {
+		return nil, statusError(logger, err, "listing ResourceClaims")
+	}
+
+	// Check if the special resource claim has been created from prior scheduling cycle.
+	//
+	// If it was already allocated earlier, that allocation might not be valid anymore.
+	// We could try to check that, but it depends on various factors that are difficult to
+	// cover (basically needs to replicate allocator logic) and if it turns out that the
+	// allocation is stale, we would have to schedule with those allocated devices not
+	// available for a new allocation. This situation should be rare (= binding failure),
+	// so we solve it via brute-force
+	// - Kick off deallocation in the background.
+	// - Mark the pod as unschedulable. Successful deallocation will make it schedulable again.
+	extendedResourceClaim := findExtendedResourceClaim(pod, resourceClaims)
+	if extendedResourceClaim != nil {
+		return extendedResourceClaim, nil
+	}
+	// Create one special claim for all extended resources backed by DRA in the Pod.
+	// Create the ResourceClaim with pod as owner, with a generated name that uses
+	// <pod name>-extended-resources- as base. The final name will get truncated if it
+	// would be too long.
+	return &resourceapi.ResourceClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: pod.Namespace,
+			Name:      specialClaimInMemName,
+			// fake temporary UID for use in SignalClaimPendingAllocation
+			UID:          types.UID(uuid.NewUUID()),
+			GenerateName: pod.Name + "-extended-resources-",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "v1",
+					Kind:       "Pod",
+					Name:       pod.Name,
+					UID:        pod.UID,
+					Controller: ptr.To(true),
+				},
+			},
+			Annotations: map[string]string{
+				resourceapi.ExtendedResourceClaimAnnotation: "true",
+			},
+		},
+		Spec: resourceapi.ResourceClaimSpec{},
+	}, nil
+}
+
+// filterExtendedResources computes the special claim's Requests based on the
+// node's Allocatable. It returns:
+// - nil if nothing needs to be allocated, all the extended resources are satisfied by device plugin, or
+// - the special claim updated to match what needs to be allocated through DRA for the node
+//
+// It returns an error when the pod's extended resource requests cannot be allocated
+// from node's Allocatable, nor matching any device class's explicit or implicit
+// ExtendedResourceName.
+func (pl *DynamicResources) filterExtendedResources(state *stateData, pod *v1.Pod, nodeInfo fwk.NodeInfo, logger klog.Logger) (*resourceapi.ResourceClaim, []v1.ContainerExtendedResourceRequest, *fwk.Status) {
+	extendedResourceClaim := state.claims.extendedResourceClaim()
+	if extendedResourceClaim == nil {
+		// Nothing to do.
+		return nil, nil, nil
+	}
+
+	// The claim is from the prior scheduling cycle, return unschedulable such that it can be
+	// deleted at the PostFilter phase, and retry anew.
+	if extendedResourceClaim.Spec.Devices.Requests != nil {
+		return nil, nil, statusUnschedulable(logger, "cannot schedule extended resource claim", "pod", klog.KObj(pod), "node", klog.KObj(nodeInfo.Node()), "claim", klog.KObj(extendedResourceClaim))
+	}
+
+	extendedResources := make(map[v1.ResourceName]int64)
+	hasExtendedResource := false
+	cache := pl.draManager.DeviceClassResolver()
+	for rName, rQuant := range state.draExtendedResource.podScalarResources {
+		if !schedutil.IsDRAExtendedResourceName(rName) {
+			continue
+		}
+		// Skip in case request quantity is zero
+		if rQuant == 0 {
+			continue
+		}
+		allocatable, okScalar := nodeInfo.GetAllocatable().GetScalarResources()[rName]
+		isBackedByDRA := cache.GetDeviceClass(rName) != nil
+		if isBackedByDRA && allocatable == 0 {
+			// node needs to provide the resource via DRA
+			extendedResources[rName] = rQuant
+			hasExtendedResource = true
+		} else if !okScalar {
+			// has request neither provided by device plugin, nor backed by DRA,
+			// hence the pod does not fit the node.
+			return nil, nil, statusUnschedulable(logger, "cannot fit resource", "pod", klog.KObj(pod), "node", klog.KObj(nodeInfo.Node()), "resource", rName)
+		}
+	}
+	// No extended resources backed by DRA on this node.
+	// The pod may have extended resources, but they are all backed by device
+	// plugin, hence the noderesources plugin should have checked if the node
+	// can fit the pod.
+	// This dynamic resources plugin Filter phase has nothing left to do.
+	if state.claims.noUserClaim() && !hasExtendedResource {
+		// It cannot be allocated when reaching here, as the claim from prior scheduling cycle
+		// would return unschedulable earlier in this function.
+		return nil, nil, nil
+	}
+
+	if extendedResourceClaim.Status.Allocation != nil {
+		// If it is already allocated, then we cannot simply allocate it again.
+		//
+		// It cannot be allocated when reaching here, as the claim found from prior scheduling cycle
+		// would return unschedulable earlier in this function.
+		return nil, nil, nil
+	}
+
+	// Each node needs its own, potentially different variant of the claim.
+	nodeExtendedResourceClaim := extendedResourceClaim.DeepCopy()
+	reqs, mappings := createRequestsAndMappings(pod, extendedResources, logger, cache)
+	nodeExtendedResourceClaim.Spec.Devices.Requests = reqs
+
+	return nodeExtendedResourceClaim, mappings, nil
+}
+
+// isSpecialClaimName return true when the name is the specialClaimInMemName.
+func isSpecialClaimName(name string) bool {
+	return name == specialClaimInMemName
+}
+
+// deleteClaim deletes the claim after removing the finalizer from the claim, if there is any.
+func (pl *DynamicResources) deleteClaim(ctx context.Context, claim *resourceapi.ResourceClaim, logger klog.Logger) error {
+	refreshClaim := false
+	retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		if refreshClaim {
+			updatedClaim, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Get(ctx, claim.Name, metav1.GetOptions{})
+			if err != nil {
+				return fmt.Errorf("get resourceclaim %s/%s: %w", claim.Namespace, claim.Name, err)
+			}
+			claim = updatedClaim
+		} else {
+			refreshClaim = true
+		}
+		// Remove the finalizer to unblock removal first.
+		builtinControllerFinalizer := slices.Index(claim.Finalizers, resourceapi.Finalizer)
+		if builtinControllerFinalizer >= 0 {
+			claim.Finalizers = slices.Delete(claim.Finalizers, builtinControllerFinalizer, builtinControllerFinalizer+1)
+		}
+
+		_, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Update(ctx, claim, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("update resourceclaim %s/%s: %w", claim.Namespace, claim.Name, err)
+		}
+		return nil
+	})
+	if retryErr != nil {
+		return retryErr
+	}
+
+	logger.V(5).Info("Delete", "resourceclaim", klog.KObj(claim))
+	err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Delete(ctx, claim.Name, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func partitionContainerIndices(containers []v1.Container, numInitContainers int) ([]int, []int) {
+	longLivedContainerIndices := make([]int, 0, len(containers))
+	shortLivedInitContainerIndices := make([]int, 0, numInitContainers)
+	for i, c := range containers {
+		isInit := i < numInitContainers
+		isSidecar := c.RestartPolicy != nil && *c.RestartPolicy == v1.ContainerRestartPolicyAlways
+		if isInit && !isSidecar {
+			shortLivedInitContainerIndices = append(shortLivedInitContainerIndices, i)
+			continue
+		}
+		longLivedContainerIndices = append(longLivedContainerIndices, i)
+	}
+	return longLivedContainerIndices, shortLivedInitContainerIndices
+}
+
+// createResourceRequestAndMappings returns the request and mappings for the given container and resource.
+// reusableRequests is a list of other DeviceRequests this container can use before requesting its own.
+// items in reusableRequests may be nil.
+// The returned request may be nil if no additional request was required.
+// The returned mappings may be empty if this container does not use this resource.
+func createResourceRequestAndMappings(containerIndex int, container *v1.Container, rName v1.ResourceName, className string, reusableRequests []*resourceapi.DeviceRequest) (*resourceapi.DeviceRequest, []v1.ContainerExtendedResourceRequest) {
+	var mappings []v1.ContainerExtendedResourceRequest
+	creqs := container.Resources.Requests
+	if creqs == nil {
+		return nil, nil
+	}
+	var rQuant resource.Quantity
+	var ok bool
+	if rQuant, ok = creqs[rName]; !ok {
+		return nil, nil
+	}
+	crq, ok := (&rQuant).AsInt64()
+	if !ok || crq == 0 {
+		return nil, nil
+	}
+	sum := int64(0)
+	for _, r := range reusableRequests {
+		if r != nil {
+			sum += r.Exactly.Count
+			mappings = append(mappings, v1.ContainerExtendedResourceRequest{
+				ContainerName: container.Name,
+				ResourceName:  rName.String(),
+				RequestName:   r.Name,
+			})
+			if sum >= crq {
+				return nil, mappings
+			}
+		}
+	}
+	keys := make([]string, 0, len(creqs))
+	for k := range creqs {
+		keys = append(keys, k.String())
+	}
+	// resource requests in a container is a map, their names must
+	// be sorted to determine the resource's index order.
+	slice.SortStrings(keys)
+	ridx := 0
+	for j := range keys {
+		if keys[j] == rName.String() {
+			ridx = j
+			break
+		}
+	}
+	// containerIndex is the index of the container in the list of initContainers + containers.
+	// ridx is the index of the extended resource request in the sorted all requests in the container.
+	// crq is the quantity of the extended resource request.
+	reqName := fmt.Sprintf("container-%d-request-%d", containerIndex, ridx)
+	deviceReq := resourceapi.DeviceRequest{
+		Name: reqName, // need to be container name index - extended resource name index
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: className,
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           crq - sum, // the extra devices to request
+		},
+	}
+	mappings = append(mappings, v1.ContainerExtendedResourceRequest{
+		ContainerName: container.Name,
+		ResourceName:  rName.String(),
+		RequestName:   reqName,
+	})
+
+	return &deviceReq, mappings
+}
+
+func createRequestsAndMappings(pod *v1.Pod, extendedResources map[v1.ResourceName]int64, logger klog.Logger, deviceClassMapping fwk.DeviceClassResolver) ([]resourceapi.DeviceRequest, []v1.ContainerExtendedResourceRequest) {
+	containers := slices.Clone(pod.Spec.InitContainers)
+	containers = append(containers, pod.Spec.Containers...)
+	longLivedContainerIndices, shortLivedInitContainerIndices := partitionContainerIndices(containers, len(pod.Spec.InitContainers))
+
+	// all requests across all containers and resource types
+	var deviceRequests []resourceapi.DeviceRequest
+	// all mappings across all containers and resource types
+	var mappings []v1.ContainerExtendedResourceRequest
+
+	// Sort resource names to ensure deterministic ordering of device requests and mappings.
+	// Maps have non-deterministic iteration order in Go, so we extract and sort the keys.
+	resourceNames := make([]v1.ResourceName, 0, len(extendedResources))
+	for resource := range extendedResources {
+		resourceNames = append(resourceNames, resource)
+	}
+	sort.Slice(resourceNames, func(i, j int) bool {
+		return resourceNames[i] < resourceNames[j]
+	})
+
+	for _, resource := range resourceNames {
+		class := deviceClassMapping.GetDeviceClass(resource)
+		// skip if the resource does not map to a device class
+		if class == nil {
+			continue
+		}
+
+		// shortLivedResourceMappings is the mapping of container+resource→request for short lived containers (init non-sidecar container)
+		var shortLivedResourceMappings []v1.ContainerExtendedResourceRequest
+		// longLivedResourceMappings is the mapping of container+resource→request for long lived containers (init sidecar or regular container)
+		var longLivedResourceMappings []v1.ContainerExtendedResourceRequest
+
+		// longLivedResourceRequests is the list of requests for a given resource by long-lived containers.
+		// The length of this list is the same as the length of containers.
+		// Entries may be nil if the container at that index did not produce a request for that resource.
+		// Requests at later indices are reusable by non-sidecar initContainers at earlier indices.
+		longLivedResourceRequests := make([]*resourceapi.DeviceRequest, len(containers))
+		for _, i := range longLivedContainerIndices {
+			containerRequest, containerMappings := createResourceRequestAndMappings(i, &containers[i], resource, class.Name, nil)
+			longLivedResourceRequests[i] = containerRequest                                     // might be nil
+			longLivedResourceMappings = append(longLivedResourceMappings, containerMappings...) // might be zero-length
+		}
+
+		// maxShortLivedResourceRequest is the maximum request for a given resource by short-lived containers
+		var maxShortLivedResourceRequest *resourceapi.DeviceRequest
+		// shortLivedRequestNames is all request names for a given resource by short-lived containers. All mappings to any name in
+		// this set will be replaced by maxShortLivedResourceRequest.Name.
+		shortLivedRequestNames := sets.New[string]()
+		for _, i := range shortLivedInitContainerIndices {
+			containerRequest, containerMappings := createResourceRequestAndMappings(i, &containers[i], resource, class.Name, longLivedResourceRequests[i:])
+			if containerRequest != nil {
+				shortLivedRequestNames.Insert(containerRequest.Name)
+				if maxShortLivedResourceRequest == nil || maxShortLivedResourceRequest.Exactly.Count < containerRequest.Exactly.Count {
+					maxShortLivedResourceRequest = containerRequest
+				}
+			}
+			shortLivedResourceMappings = append(shortLivedResourceMappings, containerMappings...) // might be zero-length
+		}
+
+		// rewrite mappings to short-lived requests to use the maximum short-lived request name
+		if maxShortLivedResourceRequest != nil && len(shortLivedRequestNames) > 1 {
+			shortLivedRequestNames.Delete(maxShortLivedResourceRequest.Name)
+			for i := range shortLivedResourceMappings {
+				if shortLivedRequestNames.Has(shortLivedResourceMappings[i].RequestName) {
+					shortLivedResourceMappings[i].RequestName = maxShortLivedResourceRequest.Name
+				}
+			}
+		}
+
+		// append non-nil requests
+		if maxShortLivedResourceRequest != nil {
+			deviceRequests = append(deviceRequests, *maxShortLivedResourceRequest)
+		}
+		for _, request := range longLivedResourceRequests {
+			if request != nil {
+				deviceRequests = append(deviceRequests, *request)
+			}
+		}
+		// append mappings
+		mappings = append(mappings, longLivedResourceMappings...)
+		mappings = append(mappings, shortLivedResourceMappings...)
+	}
+
+	sort.Slice(deviceRequests, func(i, j int) bool {
+		return deviceRequests[i].Name < deviceRequests[j].Name
+	})
+	return deviceRequests, mappings
+}
+
+// waitForExtendedClaimInAssumeCache polls the assume cache until the extended resource claim
+// becomes visible. This is necessary because extended resource claims are created in the API
+// server, and the informer update may not have reached the assume cache yet.
+//
+// AssumeClaimAfterAPICall returns ErrNotFound when the informer update hasn't arrived,
+// so we poll with a timeout.
+func (pl *DynamicResources) waitForExtendedClaimInAssumeCache(
+	ctx context.Context,
+	logger klog.Logger,
+	claim *resourceapi.ResourceClaim,
+) {
+	pollErr := wait.PollUntilContextTimeout(
+		ctx,
+		1*time.Second,
+		time.Duration(AssumeExtendedResourceTimeoutDefaultSeconds)*time.Second,
+		true,
+		func(ctx context.Context) (bool, error) {
+			if err := pl.draManager.ResourceClaims().AssumeClaimAfterAPICall(claim); err != nil {
+				if errors.Is(err, assumecache.ErrNotFound) {
+					return false, nil
+				}
+				logger.V(5).Info("Claim not stored in assume cache", "claim", klog.KObj(claim), "err", err)
+				return false, err
+			}
+			return true, nil
+		},
+	)
+
+	if pollErr != nil {
+		logger.V(5).Info("Claim not stored in assume cache after retries", "claim", klog.KObj(claim), "err", pollErr)
+		// Note: We log but don't fail - the claim was created successfully
+	}
+}
+
+// createExtendedResourceClaimInAPI creates an extended resource claim in the API server.
+func (pl *DynamicResources) createExtendedResourceClaimInAPI(
+	ctx context.Context,
+	logger klog.Logger,
+	pod *v1.Pod,
+	nodeName string,
+	state *stateData,
+) (*resourceapi.ResourceClaim, error) {
+	logger.V(5).Info("preparing to create claim for extended resources", "pod", klog.KObj(pod), "node", nodeName)
+	// Get the node-specific claim that was prepared during Filter phase
+	nodeAllocation, ok := state.nodeAllocations[nodeName]
+	if !ok || nodeAllocation.extendedResourceClaim == nil {
+		return nil, fmt.Errorf("extended resource claim not found for node %s", nodeName)
+	}
+	claim := nodeAllocation.extendedResourceClaim.DeepCopy()
+
+	logger.V(5).Info("create claim for extended resources", "pod", klog.KObj(pod), "node", nodeName, "resourceclaim", klog.Format(claim))
+	// Clear fields which must or can not be set during creation.
+	claim.Status.Allocation = nil
+	claim.Name = ""
+	claim.UID = ""
+
+	createdClaim, err := pl.clientset.ResourceV1().ResourceClaims(claim.Namespace).Create(ctx, claim, metav1.CreateOptions{})
+	if err != nil {
+		metrics.ResourceClaimCreatesTotal.WithLabelValues("failure").Inc()
+		return nil, fmt.Errorf("create claim for extended resources %v: %w", klog.KObj(claim), err)
+	}
+	metrics.ResourceClaimCreatesTotal.WithLabelValues("success").Inc()
+	logger.V(5).Info("created claim for extended resources", "pod", klog.KObj(pod), "node", nodeName, "resourceclaim", klog.Format(createdClaim))
+
+	return createdClaim, nil
+}
+
+// patchPodExtendedResourceClaimStatus updates the pod's status with information about
+// the extended resource claim.
+func (pl *DynamicResources) patchPodExtendedResourceClaimStatus(
+	ctx context.Context,
+	pod *v1.Pod,
+	claim *resourceapi.ResourceClaim,
+	nodeName string,
+	state *stateData,
+) error {
+	var cer []v1.ContainerExtendedResourceRequest
+	if nodeAllocation, ok := state.nodeAllocations[nodeName]; ok {
+		cer = nodeAllocation.containerResourceRequestMappings
+	}
+	if len(cer) == 0 {
+		return fmt.Errorf("nil or empty request mappings, no update of pod %s/%s ExtendedResourceClaimStatus", pod.Namespace, pod.Name)
+	}
+
+	podStatusCopy := pod.Status.DeepCopy()
+	podStatusCopy.ExtendedResourceClaimStatus = &v1.PodExtendedResourceClaimStatus{
+		RequestMappings:   cer,
+		ResourceClaimName: claim.Name,
+	}
+	err := schedutil.PatchPodStatus(ctx, pl.clientset, pod.Name, pod.Namespace, &pod.Status, podStatusCopy)
+	if err != nil {
+		return fmt.Errorf("update pod %s/%s ExtendedResourceClaimStatus: %w", pod.Namespace, pod.Name, err)
+	}
+	return nil
+}
+
+// unreserveExtendedResourceClaim cleans up the scheduler-owned extended resource claim
+// when scheduling fails. It reverts the assume cache, and deletes the claim from the API
+// server if it was already created.
+func (pl *DynamicResources) unreserveExtendedResourceClaim(ctx context.Context, logger klog.Logger, pod *v1.Pod, state *stateData) {
+	extendedResourceClaim := state.claims.extendedResourceClaim()
+	if extendedResourceClaim == nil {
+		// there is no extended resource claim
+		return
+	}
+
+	// If the claim was marked as pending allocation (in-flight), remove that marker and restore
+	// the assumed claim state to what it was before this scheduling attempt.
+	if deleted := pl.draManager.ResourceClaims().RemoveClaimPendingAllocation(state.claims.getInitialExtendedResourceClaimUID()); deleted {
+		pl.draManager.ResourceClaims().AssumedClaimRestore(extendedResourceClaim.Namespace, extendedResourceClaim.Name)
+	}
+	if isSpecialClaimName(extendedResourceClaim.Name) {
+		// In memory temporary extended resource claim does not need to be deleted
+		return
+	}
+	// Claim was written to API server, need to delete it to prevent orphaned resources.
+	logger.V(5).Info("delete extended resource backed by DRA", "resourceclaim", klog.KObj(extendedResourceClaim), "pod", klog.KObj(pod), "claim.UID", extendedResourceClaim.UID)
+	extendedResourceClaim = extendedResourceClaim.DeepCopy()
+	if err := pl.deleteClaim(ctx, extendedResourceClaim, logger); err != nil {
+		logger.Error(err, "delete", "resourceclaim", klog.KObj(extendedResourceClaim))
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources_test.go b/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources_test.go
new file mode 100644
index 0000000000000..d3c39c6172ec5
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/dynamicresources/extendeddynamicresources_test.go
@@ -0,0 +1,565 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dynamicresources
+
+import (
+	"sort"
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fwk "k8s.io/kube-scheduler/framework"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+func Test_createRequestsAndMappings_requests(t *testing.T) {
+	pod1 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName):       "1",
+			v1.ResourceName(extendedResourceName + "1"): "2",
+		}).
+		Obj()
+	pod2 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "1"): "2",
+		}).
+		Obj()
+
+	podInit := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+	podInit2 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+	podInit3 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		SidecarReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+
+	res := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName): 1,
+	}
+	res2 := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName):       1,
+		v1.ResourceName(extendedResourceName + "1"): 2,
+	}
+	resInit := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName):          1,
+		v1.ResourceName(extendedResourceName + "init"): 2,
+	}
+	devMap := map[v1.ResourceName]*resourceapi.DeviceClass{
+		v1.ResourceName(extendedResourceName): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class",
+			},
+		},
+	}
+	devMap2 := map[v1.ResourceName]*resourceapi.DeviceClass{
+		v1.ResourceName(extendedResourceName): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class",
+			},
+		},
+		v1.ResourceName(extendedResourceName + "1"): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class1",
+			},
+		},
+	}
+	devMapInit := map[v1.ResourceName]*resourceapi.DeviceClass{
+		v1.ResourceName(extendedResourceName): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class",
+			},
+		},
+		v1.ResourceName(extendedResourceName + "init"): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "classInit",
+			},
+		},
+	}
+	devReq := resourceapi.DeviceRequest{
+		Name: "container-0-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+	devReq2 := resourceapi.DeviceRequest{
+		Name: "container-0-request-1",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class1",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           2,
+		},
+	}
+	devReq3 := resourceapi.DeviceRequest{
+		Name: "container-1-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class1",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           2,
+		},
+	}
+	devReqInit := resourceapi.DeviceRequest{
+		Name: "container-1-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+	devReqSidecar := resourceapi.DeviceRequest{
+		Name: "container-1-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "classInit",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+	devReq2Init := resourceapi.DeviceRequest{
+		Name: "container-1-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "classInit",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           2,
+		},
+	}
+	devReq6Init := resourceapi.DeviceRequest{
+		Name: "container-0-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "classInit",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           2,
+		},
+	}
+	devReq3Init := resourceapi.DeviceRequest{
+		Name: "container-2-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+	devReq4Init := resourceapi.DeviceRequest{
+		Name: "container-3-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "class",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           1,
+		},
+	}
+	devReq5Init := resourceapi.DeviceRequest{
+		Name: "container-2-request-0",
+		Exactly: &resourceapi.ExactDeviceRequest{
+			DeviceClassName: "classInit",
+			AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+			Count:           2,
+		},
+	}
+
+	testcases := map[string]struct {
+		pod                *v1.Pod
+		extendedResources  map[v1.ResourceName]int64
+		cache              fwk.DeviceClassResolver
+		wantDeviceRequests []resourceapi.DeviceRequest
+	}{
+		"nil": {
+			pod:                pod1,
+			wantDeviceRequests: nil,
+		},
+		"one resource match": {
+			pod:                pod1,
+			extendedResources:  res,
+			cache:              &mockDeviceClassResolver{mapping: devMap},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq},
+		},
+		"one resource match, one resource not match": {
+			pod:                pod1,
+			extendedResources:  res2,
+			cache:              &mockDeviceClassResolver{mapping: devMap},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq},
+		},
+		"two resources match": {
+			pod:                pod1,
+			extendedResources:  res2,
+			cache:              &mockDeviceClassResolver{mapping: devMap2},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq, devReq2},
+		},
+		"two containers match": {
+			pod:                pod2,
+			extendedResources:  res2,
+			cache:              &mockDeviceClassResolver{mapping: devMap2},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq, devReq3},
+		},
+		"one init container, one regular container": {
+			pod:                podInit,
+			extendedResources:  resInit,
+			cache:              &mockDeviceClassResolver{mapping: devMapInit},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq6Init, devReqInit},
+		},
+		"two init containers, one regular container": {
+			pod:                podInit2,
+			extendedResources:  resInit,
+			cache:              &mockDeviceClassResolver{mapping: devMapInit},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReq2Init, devReq3Init},
+		},
+		"three init containers, one sidecar, one regular container": {
+			pod:                podInit3,
+			extendedResources:  resInit,
+			cache:              &mockDeviceClassResolver{mapping: devMapInit},
+			wantDeviceRequests: []resourceapi.DeviceRequest{devReqSidecar, devReq5Init, devReq4Init},
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			logger, _ := ktesting.NewTestContext(t)
+			gotDeviceRequests, _ := createRequestsAndMappings(tc.pod, tc.extendedResources, logger, tc.cache)
+			if len(tc.wantDeviceRequests) != len(gotDeviceRequests) {
+				t.Fatalf("different length, want %#v, len=%v, got %#v, len=%v", tc.wantDeviceRequests, len(tc.wantDeviceRequests), gotDeviceRequests, len(gotDeviceRequests))
+			}
+			// gotDeviceRequests should already be sorted by createRequestsAndMappings
+			for i, r := range tc.wantDeviceRequests {
+				if r.Name != gotDeviceRequests[i].Name {
+					t.Errorf("different name, want %#v, got %#v", r, gotDeviceRequests[i])
+				}
+				if r.Exactly.DeviceClassName != gotDeviceRequests[i].Exactly.DeviceClassName {
+					t.Errorf("different deviceClassName, want %#v, got %#v", r, gotDeviceRequests[i])
+				}
+				if r.Exactly.AllocationMode != gotDeviceRequests[i].Exactly.AllocationMode {
+					t.Errorf("different allocationMode, want %#v, got %#v", r, gotDeviceRequests[i])
+				}
+				if r.Exactly.Count != gotDeviceRequests[i].Exactly.Count {
+					t.Errorf("different count, want %#v, got %#v", r.Exactly.Count, gotDeviceRequests[i].Exactly.Count)
+				}
+			}
+		})
+	}
+}
+
+func Test_createRequestsAndMappings_mappings(t *testing.T) {
+	pod1 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName):       "1",
+			v1.ResourceName(extendedResourceName + "1"): "2",
+		}).
+		Obj()
+	pod1InitImplicit := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"):                       "1",
+			v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + "classInit"): "2",
+		}).
+		Obj()
+	pod2 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "1"): "2",
+		}).
+		Obj()
+
+	podInit := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+	podInit2 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+	podInitImplicit := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + "classInit"): "2",
+		}).
+		Obj()
+	podInit3 := st.MakePod().Name(podName).Namespace(namespace).
+		UID(podUID).
+		Res(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		SidecarReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "1",
+		}).
+		InitReq(map[v1.ResourceName]string{
+			v1.ResourceName(extendedResourceName + "init"): "2",
+		}).
+		Obj()
+	res := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName):       1,
+		v1.ResourceName(extendedResourceName + "1"): 2,
+	}
+	resInit := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName):          1,
+		v1.ResourceName(extendedResourceName + "init"): 2,
+	}
+	resInitImplicit := map[v1.ResourceName]int64{
+		v1.ResourceName(extendedResourceName):                                1,
+		v1.ResourceName(extendedResourceName + "init"):                       2,
+		v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + "classInit"): 2,
+	}
+	devMap := map[v1.ResourceName]*resourceapi.DeviceClass{
+		v1.ResourceName(extendedResourceName): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class",
+			},
+		},
+		v1.ResourceName(extendedResourceName + "1"): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class1",
+			},
+		},
+	}
+	devMapInit := map[v1.ResourceName]*resourceapi.DeviceClass{
+		v1.ResourceName(extendedResourceName): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "class",
+			},
+		},
+		v1.ResourceName(extendedResourceName + "init"): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "classInit",
+			},
+		},
+		v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + "classInit"): {
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "classInit",
+			},
+		},
+	}
+	cer := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con0",
+		ResourceName:  extendedResourceName,
+		RequestName:   "container-0-request-0",
+	}
+	cer1 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con0",
+		ResourceName:  extendedResourceName + "1",
+		RequestName:   "container-0-request-1",
+	}
+	cer2 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con1",
+		ResourceName:  extendedResourceName + "1",
+		RequestName:   "container-1-request-0",
+	}
+	cer3 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con0",
+		ResourceName:  extendedResourceName,
+		RequestName:   "container-1-request-0",
+	}
+	cer4 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con0",
+		ResourceName:  extendedResourceName,
+		RequestName:   "container-2-request-0",
+	}
+	cer5 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "con0",
+		ResourceName:  extendedResourceName,
+		RequestName:   "container-3-request-0",
+	}
+	cerInit := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-1-request-0",
+	}
+	cerInit0 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-0-request-0",
+	}
+	cerInit1 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-1-request-0",
+	}
+	cerInit2 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con1",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-1-request-0",
+	}
+	cerInit3 := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con2",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-2-request-0",
+	}
+	cerSidecar := v1.ContainerExtendedResourceRequest{
+		ContainerName: "sidecar-con1",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-1-request-0",
+	}
+
+	cerInitImplicit := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-0-request-0",
+	}
+	cerInit4Implicit := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  extendedResourceName + "init",
+		RequestName:   "container-0-request-1",
+	}
+	cerInit2Implicit := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con1",
+		ResourceName:  resourceapi.ResourceDeviceClassPrefix + "classInit",
+		RequestName:   "container-1-request-0",
+	}
+	cerInit3Implicit := v1.ContainerExtendedResourceRequest{
+		ContainerName: "init-con0",
+		ResourceName:  resourceapi.ResourceDeviceClassPrefix + "classInit",
+		RequestName:   "container-0-request-0",
+	}
+
+	testcases := map[string]struct {
+		pod                *v1.Pod
+		extnededResources  map[v1.ResourceName]int64
+		deviceClassMapping fwk.DeviceClassResolver
+		wantReqMappings    []v1.ContainerExtendedResourceRequest
+	}{
+		"one container, two requests": {
+			pod:                pod1,
+			extnededResources:  res,
+			deviceClassMapping: &mockDeviceClassResolver{devMap},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cer, cer1},
+		},
+		"one container, one explicit and one implicit request": {
+			pod:                pod1InitImplicit,
+			extnededResources:  resInitImplicit,
+			deviceClassMapping: &mockDeviceClassResolver{devMapInit},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cerInit3Implicit, cerInit4Implicit},
+		},
+		"two containers, two requests": {
+			pod:                pod2,
+			extnededResources:  res,
+			deviceClassMapping: &mockDeviceClassResolver{devMap},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cer, cer2},
+		},
+		"one init container, one regular container, one request": {
+			pod:                podInit,
+			extnededResources:  resInit,
+			deviceClassMapping: &mockDeviceClassResolver{devMapInit},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cerInit0, cer3},
+		},
+		"three containers (two are init container), two requests": {
+			pod:                podInit2,
+			extnededResources:  resInit,
+			deviceClassMapping: &mockDeviceClassResolver{devMapInit},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cerInit, cerInit2, cer4},
+		},
+		"three containers (two are init container), both explicit and implicit resources": {
+			pod:                podInitImplicit,
+			extnededResources:  resInitImplicit,
+			deviceClassMapping: &mockDeviceClassResolver{devMapInit},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cerInitImplicit, cerInit2Implicit, cer4},
+		},
+		"four containers (two are init container, one sidecar), three requests": {
+			pod:                podInit3,
+			extnededResources:  resInit,
+			deviceClassMapping: &mockDeviceClassResolver{devMapInit},
+			wantReqMappings:    []v1.ContainerExtendedResourceRequest{cerInit1, cerSidecar, cerInit3, cer5},
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			logger, _ := ktesting.NewTestContext(t)
+			_, gotReqMappings := createRequestsAndMappings(tc.pod, tc.extnededResources, logger, tc.deviceClassMapping)
+			if len(tc.wantReqMappings) != len(gotReqMappings) {
+				t.Fatalf("different length, want %#v, got %#v", tc.wantReqMappings, gotReqMappings)
+			}
+			sort.Slice(gotReqMappings, func(i, j int) bool {
+				if gotReqMappings[i].RequestName < gotReqMappings[j].RequestName {
+					return true
+				}
+				if gotReqMappings[i].RequestName > gotReqMappings[j].RequestName {
+					return false
+				}
+				return gotReqMappings[i].ContainerName < gotReqMappings[j].ContainerName
+			})
+			for i, r := range tc.wantReqMappings {
+				if r.RequestName != gotReqMappings[i].RequestName {
+					t.Errorf("different request name, want %#v, got %#v", r, gotReqMappings[i])
+				}
+				if r.ContainerName != gotReqMappings[i].ContainerName {
+					t.Errorf("different container name, want %#v, got %#v", r, gotReqMappings[i])
+				}
+				if r.ResourceName != gotReqMappings[i].ResourceName {
+					t.Errorf("different resource name, want %#v, got %#v", r, gotReqMappings[i])
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/feature/feature.go b/pkg/scheduler/framework/plugins/feature/feature.go
index 41b29c0f859d6..f15c64edbd6f1 100644
--- a/pkg/scheduler/framework/plugins/feature/feature.go
+++ b/pkg/scheduler/framework/plugins/feature/feature.go
@@ -25,50 +25,60 @@ import (
 // This struct allows us to break the dependency of the plugins on
 // the internal k8s features pkg.
 type Features struct {
-	EnableDRAExtendedResource                    bool
-	EnableDRAPrioritizedList                     bool
-	EnableDRAAdminAccess                         bool
-	EnableDRADeviceTaints                        bool
-	EnableDRADeviceBindingConditions             bool
-	EnableDRAResourceClaimDeviceStatus           bool
-	EnableDRASchedulerFilterTimeout              bool
-	EnableDynamicResourceAllocation              bool
-	EnableVolumeAttributesClass                  bool
-	EnableCSIMigrationPortworx                   bool
-	EnableNodeInclusionPolicyInPodTopologySpread bool
-	EnableMatchLabelKeysInPodTopologySpread      bool
-	EnableInPlacePodVerticalScaling              bool
-	EnableSidecarContainers                      bool
-	EnableSchedulingQueueHint                    bool
-	EnableAsyncPreemption                        bool
-	EnablePodLevelResources                      bool
-	EnablePartitionableDevices                   bool
-	EnableStorageCapacityScoring                 bool
-	EnableConsumableCapacity                     bool
+	EnableDRAExtendedResource                     bool
+	EnableDRAPrioritizedList                      bool
+	EnableDRAAdminAccess                          bool
+	EnableDRAConsumableCapacity                   bool
+	EnableDRADeviceTaints                         bool
+	EnableDRADeviceBindingConditions              bool
+	EnableDRAPartitionableDevices                 bool
+	EnableDRAResourceClaimDeviceStatus            bool
+	EnableDRASchedulerFilterTimeout               bool
+	EnableDynamicResourceAllocation               bool
+	EnableVolumeAttributesClass                   bool
+	EnableCSIMigrationPortworx                    bool
+	EnableVolumeLimitScaling                      bool
+	EnableNodeInclusionPolicyInPodTopologySpread  bool
+	EnableMatchLabelKeysInPodTopologySpread       bool
+	EnableInPlacePodVerticalScaling               bool
+	EnableSidecarContainers                       bool
+	EnableSchedulingQueueHint                     bool
+	EnableAsyncPreemption                         bool
+	EnablePodLevelResources                       bool
+	EnableStorageCapacityScoring                  bool
+	EnableNodeDeclaredFeatures                    bool
+	EnableGangScheduling                          bool
+	EnableTaintTolerationComparisonOperators      bool
+	EnableInPlacePodLevelResourcesVerticalScaling bool
 }
 
 // NewSchedulerFeaturesFromGates copies the current state of the feature gates into the struct.
 func NewSchedulerFeaturesFromGates(featureGate featuregate.FeatureGate) Features {
 	return Features{
-		EnableDRAExtendedResource:                    featureGate.Enabled(features.DRAExtendedResource),
-		EnableDRAPrioritizedList:                     featureGate.Enabled(features.DRAPrioritizedList),
-		EnableDRAAdminAccess:                         featureGate.Enabled(features.DRAAdminAccess),
-		EnableConsumableCapacity:                     featureGate.Enabled(features.DRAConsumableCapacity),
-		EnableDRADeviceTaints:                        featureGate.Enabled(features.DRADeviceTaints),
-		EnableDRASchedulerFilterTimeout:              featureGate.Enabled(features.DRASchedulerFilterTimeout),
-		EnableDRAResourceClaimDeviceStatus:           featureGate.Enabled(features.DRAResourceClaimDeviceStatus),
-		EnableDRADeviceBindingConditions:             featureGate.Enabled(features.DRADeviceBindingConditions),
-		EnableDynamicResourceAllocation:              featureGate.Enabled(features.DynamicResourceAllocation),
-		EnableVolumeAttributesClass:                  featureGate.Enabled(features.VolumeAttributesClass),
-		EnableCSIMigrationPortworx:                   featureGate.Enabled(features.CSIMigrationPortworx),
-		EnableNodeInclusionPolicyInPodTopologySpread: featureGate.Enabled(features.NodeInclusionPolicyInPodTopologySpread),
-		EnableMatchLabelKeysInPodTopologySpread:      featureGate.Enabled(features.MatchLabelKeysInPodTopologySpread),
-		EnableInPlacePodVerticalScaling:              featureGate.Enabled(features.InPlacePodVerticalScaling),
-		EnableSidecarContainers:                      featureGate.Enabled(features.SidecarContainers),
-		EnableSchedulingQueueHint:                    featureGate.Enabled(features.SchedulerQueueingHints),
-		EnableAsyncPreemption:                        featureGate.Enabled(features.SchedulerAsyncPreemption),
-		EnablePodLevelResources:                      featureGate.Enabled(features.PodLevelResources),
-		EnablePartitionableDevices:                   featureGate.Enabled(features.DRAPartitionableDevices),
-		EnableStorageCapacityScoring:                 featureGate.Enabled(features.StorageCapacityScoring),
+		EnableDRAExtendedResource:                     featureGate.Enabled(features.DRAExtendedResource),
+		EnableDRAPrioritizedList:                      featureGate.Enabled(features.DRAPrioritizedList),
+		EnableDRAAdminAccess:                          featureGate.Enabled(features.DRAAdminAccess),
+		EnableDRAConsumableCapacity:                   featureGate.Enabled(features.DRAConsumableCapacity),
+		EnableDRADeviceTaints:                         featureGate.Enabled(features.DRADeviceTaints),
+		EnableDRASchedulerFilterTimeout:               featureGate.Enabled(features.DRASchedulerFilterTimeout),
+		EnableDRAResourceClaimDeviceStatus:            featureGate.Enabled(features.DRAResourceClaimDeviceStatus),
+		EnableDRADeviceBindingConditions:              featureGate.Enabled(features.DRADeviceBindingConditions),
+		EnableDynamicResourceAllocation:               featureGate.Enabled(features.DynamicResourceAllocation),
+		EnableVolumeAttributesClass:                   featureGate.Enabled(features.VolumeAttributesClass),
+		EnableCSIMigrationPortworx:                    featureGate.Enabled(features.CSIMigrationPortworx),
+		EnableVolumeLimitScaling:                      featureGate.Enabled(features.VolumeLimitScaling),
+		EnableNodeInclusionPolicyInPodTopologySpread:  featureGate.Enabled(features.NodeInclusionPolicyInPodTopologySpread),
+		EnableMatchLabelKeysInPodTopologySpread:       featureGate.Enabled(features.MatchLabelKeysInPodTopologySpread),
+		EnableInPlacePodVerticalScaling:               featureGate.Enabled(features.InPlacePodVerticalScaling),
+		EnableSidecarContainers:                       featureGate.Enabled(features.SidecarContainers),
+		EnableSchedulingQueueHint:                     featureGate.Enabled(features.SchedulerQueueingHints),
+		EnableAsyncPreemption:                         featureGate.Enabled(features.SchedulerAsyncPreemption),
+		EnablePodLevelResources:                       featureGate.Enabled(features.PodLevelResources),
+		EnableDRAPartitionableDevices:                 featureGate.Enabled(features.DRAPartitionableDevices),
+		EnableStorageCapacityScoring:                  featureGate.Enabled(features.StorageCapacityScoring),
+		EnableNodeDeclaredFeatures:                    featureGate.Enabled(features.NodeDeclaredFeatures),
+		EnableGangScheduling:                          featureGate.Enabled(features.GangScheduling),
+		EnableTaintTolerationComparisonOperators:      featureGate.Enabled(features.TaintTolerationComparisonOperators),
+		EnableInPlacePodLevelResourcesVerticalScaling: featureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling),
 	}
 }
diff --git a/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling.go b/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling.go
new file mode 100644
index 0000000000000..df9f0dd32dcea
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling.go
@@ -0,0 +1,251 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gangscheduling
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	schedulinglisters "k8s.io/client-go/listers/scheduling/v1alpha1"
+	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
+	"k8s.io/kubernetes/pkg/scheduler/util"
+)
+
+const (
+	// Name is the name of the plugin used in the plugin registry and configurations.
+	Name = names.GangScheduling
+)
+
+// GangScheduling is a plugin that enforces "all-or-nothing" scheduling for pods
+// belonging to a Workload with a Gang scheduling policy.
+type GangScheduling struct {
+	handle         fwk.Handle
+	workloadLister schedulinglisters.WorkloadLister
+}
+
+var _ fwk.EnqueueExtensions = &GangScheduling{}
+var _ fwk.PreEnqueuePlugin = &GangScheduling{}
+var _ fwk.ReservePlugin = &GangScheduling{}
+var _ fwk.PermitPlugin = &GangScheduling{}
+
+// New initializes a new plugin and returns it.
+func New(_ context.Context, _ runtime.Object, fh fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
+	return &GangScheduling{
+		handle:         fh,
+		workloadLister: fh.SharedInformerFactory().Scheduling().V1alpha1().Workloads().Lister(),
+	}, nil
+}
+
+// Name returns name of the plugin.
+func (pl *GangScheduling) Name() string {
+	return Name
+}
+
+// EventsToRegister returns the possible events that may make a Pod failed by this plugin schedulable.
+func (pl *GangScheduling) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
+	return []fwk.ClusterEventWithHint{
+		// A new pod being added might be the one that completes a gang, meeting its MinCount requirement.
+		// Workload reference is immutable, so there is no need to subscribe on Pod/Update event.
+		{Event: fwk.ClusterEvent{Resource: fwk.Pod, ActionType: fwk.Add}, QueueingHintFn: pl.isSchedulableAfterPodAdded},
+		// A Workload being added can be making a waiting gang schedulable.
+		// Workload's PodGroups are immutable, so there's no need to handle Workload/Update event.
+		{Event: fwk.ClusterEvent{Resource: fwk.Workload, ActionType: fwk.Add}, QueueingHintFn: pl.isSchedulableAfterWorkloadAdded},
+	}, nil
+}
+
+// matchingWorkloadReference returns true if two pods belong to the same workload, including their pod group and replica key.
+func matchingWorkloadReference(pod1, pod2 *v1.Pod) bool {
+	return pod1.Spec.WorkloadRef != nil && pod2.Spec.WorkloadRef != nil && pod1.Namespace == pod2.Namespace && *pod1.Spec.WorkloadRef == *pod2.Spec.WorkloadRef
+}
+
+func (pl *GangScheduling) isSchedulableAfterPodAdded(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
+	_, addedPod, err := util.As[*v1.Pod](oldObj, newObj)
+	if err != nil {
+		return fwk.Queue, err
+	}
+
+	if !matchingWorkloadReference(pod, addedPod) {
+		logger.V(5).Info("another pod was added but it doesn't match the target pod's workload",
+			"pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "addedPod", klog.KObj(addedPod), "addedWorkloadRef", pod.Spec.WorkloadRef)
+		return fwk.QueueSkip, nil
+	}
+
+	logger.V(5).Info("another pod was added and it matches the target pod's workload, which may make the pod schedulable",
+		"pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "addedPod", klog.KObj(addedPod), "addedWorkloadRef", pod.Spec.WorkloadRef)
+	return fwk.Queue, nil
+}
+
+func (pl *GangScheduling) isSchedulableAfterWorkloadAdded(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
+	_, addedWorkload, err := util.As[*schedulingapi.Workload](oldObj, newObj)
+	if err != nil {
+		return fwk.Queue, err
+	}
+
+	if pod.Spec.WorkloadRef == nil || pod.Namespace != addedWorkload.Namespace || pod.Spec.WorkloadRef.Name != addedWorkload.Name {
+		logger.V(5).Info("workload was added but it doesn't match the target pod's workloadRef",
+			"pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "addedWorkload", klog.KObj(addedWorkload))
+		return fwk.QueueSkip, nil
+	}
+
+	logger.V(5).Info("workload was added and it matches the target pod's workload, which may make the pod schedulable",
+		"pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "addedWorkload", klog.KObj(addedWorkload))
+	return fwk.Queue, nil
+}
+
+// PreEnqueue checks if the pod belongs to a gang and, if so, whether the gang has met its MinCount of available pods.
+// If not, the pod is rejected until more pods arrive.
+func (pl *GangScheduling) PreEnqueue(ctx context.Context, pod *v1.Pod) *fwk.Status {
+	if pod.Spec.WorkloadRef == nil {
+		return nil
+	}
+
+	namespace := pod.Namespace
+	workloadRef := pod.Spec.WorkloadRef
+
+	workload, err := pl.workloadLister.Workloads(namespace).Get(workloadRef.Name)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// The pod is unschedulable until its Workload object is created.
+			return fwk.NewStatus(fwk.UnschedulableAndUnresolvable, fmt.Sprintf("waiting for pods's workload %q to appear in scheduling queue", workloadRef.Name))
+		}
+		klog.FromContext(ctx).Error(err, "Failed to get workload", "pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef)
+		return fwk.AsStatus(fmt.Errorf("failed to get workload %s/%s", namespace, workloadRef.Name))
+	}
+
+	policy, ok := podGroupPolicy(workload, workloadRef.PodGroup)
+	if !ok {
+		return fwk.NewStatus(fwk.UnschedulableAndUnresolvable, fmt.Sprintf("pod group %q doesn't exist for a workload %q", workloadRef.PodGroup, workload.Name))
+	}
+	// This plugin only cares about pods with a Gang scheduling policy.
+	if policy.Gang == nil {
+		return nil
+	}
+
+	podGroupInfo, err := pl.handle.WorkloadManager().PodGroupInfo(namespace, workloadRef)
+	if err != nil {
+		return fwk.AsStatus(err)
+	}
+	allPods := podGroupInfo.AllPods()
+	if len(allPods) < int(policy.Gang.MinCount) {
+		return fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "waiting for minCount pods from a gang to appear in scheduling queue")
+	}
+
+	// The quorum is met, allow the pod to enter the scheduling queue.
+	return nil
+}
+
+// Reserve is called after a node has been selected for the pod. For gang pods,
+// this stage marks the pod as "assumed" in the WorkloadManager,
+// contributing to the count of pods ready to be co-scheduled at the Permit stage.
+func (pl *GangScheduling) Reserve(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
+	if pod.Spec.WorkloadRef == nil {
+		return nil
+	}
+	podGroupInfo, err := pl.handle.WorkloadManager().PodGroupInfo(pod.Namespace, pod.Spec.WorkloadRef)
+	if err != nil {
+		return fwk.AsStatus(err)
+	}
+	podGroupInfo.AssumePod(pod.UID)
+	return nil
+}
+
+// Unreserve removes the gang pod from the "assumed" state in the WorkloadManager,
+// ensuring it doesn't count towards the Permit quorum.
+func (pl *GangScheduling) Unreserve(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodeName string) {
+	if pod.Spec.WorkloadRef == nil {
+		return
+	}
+	podGroupInfo, err := pl.handle.WorkloadManager().PodGroupInfo(pod.Namespace, pod.Spec.WorkloadRef)
+	if err != nil {
+		utilruntime.HandleErrorWithContext(ctx, err, "Failed to get pod group info", "pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef)
+		return
+	}
+	podGroupInfo.ForgetPod(pod.UID)
+}
+
+// podGroupPolicy is a helper to find the policy for a specific pod group name in a workload.
+func podGroupPolicy(workload *schedulingapi.Workload, podGroupName string) (schedulingapi.PodGroupPolicy, bool) {
+	for _, podGroup := range workload.Spec.PodGroups {
+		if podGroup.Name == podGroupName {
+			return podGroup.Policy, true
+		}
+	}
+	return schedulingapi.PodGroupPolicy{}, false
+}
+
+// Permit forces all pods in a gang to wait at this stage. Once the number of waiting (assumed) pods
+// reaches the gang's MinCount, all pods in the gang are permitted to proceed to binding simultaneously.
+func (pl *GangScheduling) Permit(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeName string) (*fwk.Status, time.Duration) {
+	if pod.Spec.WorkloadRef == nil {
+		return nil, 0
+	}
+
+	logger := klog.FromContext(ctx)
+	namespace := pod.Namespace
+	workloadRef := pod.Spec.WorkloadRef
+
+	workload, err := pl.workloadLister.Workloads(namespace).Get(workloadRef.Name)
+	if err != nil {
+		// It's likely that the workload was removed or another error happened.
+		// Returning error to retry the Pod when the Workload is added again.
+		return fwk.AsStatus(fmt.Errorf("failed to get workload %s/%s: %w", namespace, workloadRef.Name, err)), 0
+	}
+
+	policy, ok := podGroupPolicy(workload, workloadRef.PodGroup)
+	if !ok {
+		return fwk.AsStatus(fmt.Errorf("pod group %q doesn't exist for a workload %q", workloadRef.PodGroup, workload.Name)), 0
+	}
+	// This plugin only cares about pods with a Gang scheduling policy.
+	if policy.Gang == nil {
+		return nil, 0
+	}
+
+	podGroupInfo, err := pl.handle.WorkloadManager().PodGroupInfo(namespace, workloadRef)
+	if err != nil {
+		return fwk.AsStatus(err), 0
+	}
+	assumedPods := podGroupInfo.AssumedPods()
+	assumedOrAssignedPods := assumedPods.Union(podGroupInfo.AssignedPods())
+	if len(assumedOrAssignedPods) < int(policy.Gang.MinCount) {
+		// Activate unscheduled pods from this pod group in case they were waiting for this pod to be scheduled.
+		unscheduledPods := podGroupInfo.UnscheduledPods()
+		pl.handle.Activate(klog.FromContext(ctx), unscheduledPods)
+		logger.V(4).Info("Quorum is not met for a gang. Waiting for another pod to allow", "pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "activatedPods", len(unscheduledPods))
+		return fwk.NewStatus(fwk.Wait, "waiting for minCount pods from a gang to be waiting on permit"), podGroupInfo.SchedulingTimeout()
+	}
+
+	logger.V(4).Info("Quorum is met for a gang. Allowing other pods from a gang waiting on permit", "pod", klog.KObj(pod), "workloadRef", pod.Spec.WorkloadRef, "allowedPods", len(assumedPods))
+
+	// The quorum is met. Allow this pod and signal all other waiting pods from the same gang to proceed.
+	for podUID := range assumedPods {
+		waitingPod := pl.handle.GetWaitingPod(podUID)
+		if waitingPod != nil {
+			waitingPod.Allow(Name)
+		}
+	}
+
+	return nil, 0
+}
diff --git a/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling_test.go b/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling_test.go
new file mode 100644
index 0000000000000..39db244116ead
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/gangscheduling/gangscheduling_test.go
@@ -0,0 +1,352 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gangscheduling
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	v1 "k8s.io/api/core/v1"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/backend/workloadmanager"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+)
+
+func Test_isSchedulableAfterPodAdded(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *v1.Pod
+		newPod       *v1.Pod
+		expectedHint fwk.QueueingHint
+	}{
+		{
+			name:         "add a newPod which matches the pod's workload and pod group",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newPod:       st.MakePod().WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:         "add a newPod which matches the pod's workload, pod group and replica key",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg", PodGroupReplicaKey: "3"}).Obj(),
+			newPod:       st.MakePod().WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg", PodGroupReplicaKey: "3"}).Obj(),
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:         "add a newPod which doesn't match the pod's namespace",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newPod:       st.MakePod().Namespace("foo").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:         "add a newPod which doesn't match the pod's workload name",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newPod:       st.MakePod().WorkloadRef(&v1.WorkloadReference{Name: "w2", PodGroup: "pg"}).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:         "add a newPod which doesn't match the pod's pod group name",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newPod:       st.MakePod().WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg2"}).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:         "add a newPod which doesn't match the pod's replica key",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg", PodGroupReplicaKey: "3"}).Obj(),
+			newPod:       st.MakePod().WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg", PodGroupReplicaKey: "4"}).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+
+			informerFactory := informers.NewSharedInformerFactory(fake.NewClientset(), 0)
+			fh, err := frameworkruntime.NewFramework(ctx, nil, nil,
+				frameworkruntime.WithInformerFactory(informerFactory),
+			)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+
+			p, err := New(ctx, nil, fh, feature.Features{})
+			if err != nil {
+				t.Fatal(err)
+			}
+			actualHint, err := p.(*GangScheduling).isSchedulableAfterPodAdded(logger, tc.pod, nil, tc.newPod)
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+			if diff := cmp.Diff(tc.expectedHint, actualHint); diff != "" {
+				t.Errorf("Expected QueuingHint doesn't match (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func Test_isSchedulableAfterWorkloadAdded(t *testing.T) {
+	tests := []struct {
+		name         string
+		pod          *v1.Pod
+		newWorkload  *schedulingapi.Workload
+		expectedHint fwk.QueueingHint
+	}{
+		{
+			name:         "add a workload which matches the pod's workload name",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newWorkload:  st.MakeWorkload().Name("w1").PodGroup(st.MakePodGroup().Name("pg").MinCount(1).Obj()).Obj(),
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:         "add a workload which doesn't match the pod's workload name",
+			pod:          st.MakePod().Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w2", PodGroup: "pg"}).Obj(),
+			newWorkload:  st.MakeWorkload().Name("w1").PodGroup(st.MakePodGroup().Name("pg").MinCount(1).Obj()).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:         "add a workload which doesn't match the pod's workload namespace",
+			pod:          st.MakePod().Namespace("ns1").Name("p").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg"}).Obj(),
+			newWorkload:  st.MakeWorkload().Namespace("ns2").Name("w1").PodGroup(st.MakePodGroup().Name("pg").MinCount(1).Obj()).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+
+			informerFactory := informers.NewSharedInformerFactory(fake.NewClientset(), 0)
+			fh, err := frameworkruntime.NewFramework(ctx, nil, nil,
+				frameworkruntime.WithInformerFactory(informerFactory),
+			)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+
+			p, err := New(ctx, nil, fh, feature.Features{})
+			if err != nil {
+				t.Fatal(err)
+			}
+			actualHint, err := p.(*GangScheduling).isSchedulableAfterWorkloadAdded(logger, tc.pod, nil, tc.newWorkload)
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+			if diff := cmp.Diff(tc.expectedHint, actualHint); diff != "" {
+				t.Errorf("Expected QueuingHint doesn't match (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
+type podActivatorMock struct {
+	activatedPods []*v1.Pod
+}
+
+func (pam *podActivatorMock) Activate(_ klog.Logger, pods map[string]*v1.Pod) {
+	for _, pod := range pods {
+		pam.activatedPods = append(pam.activatedPods, pod)
+	}
+}
+
+func TestGangSchedulingFlow(t *testing.T) {
+	workload := st.MakeWorkload().Namespace("ns1").Name("gang-wl").
+		PodGroup(st.MakePodGroup().Name("pg1").MinCount(3).Obj()).
+		PodGroup(st.MakePodGroup().Name("pg2").MinCount(4).Obj()).Obj()
+
+	basicPolicyWorkload := st.MakeWorkload().Namespace("ns1").Name("basic-wl").
+		PodGroup(st.MakePodGroup().Name("pg1").BasicPolicy().Obj()).Obj()
+
+	p1 := st.MakePod().Namespace("ns1").Name("p1").UID("p1").
+		WorkloadRef(&v1.WorkloadReference{Name: "gang-wl", PodGroup: "pg1"}).Obj()
+	p2 := st.MakePod().Namespace("ns1").Name("p2").UID("p2").
+		WorkloadRef(&v1.WorkloadReference{Name: "gang-wl", PodGroup: "pg1"}).Obj()
+	p3 := st.MakePod().Namespace("ns1").Name("p3").UID("p3").
+		WorkloadRef(&v1.WorkloadReference{Name: "gang-wl", PodGroup: "pg1"}).Obj()
+
+	p4 := st.MakePod().Namespace("ns1").Name("p4").UID("p4").
+		WorkloadRef(&v1.WorkloadReference{Name: "gang-wl", PodGroup: "pg2"}).Obj()
+
+	p5 := st.MakePod().Namespace("ns1").Name("p5").UID("p5").
+		WorkloadRef(&v1.WorkloadReference{Name: "gang-wl", PodGroup: "pg1", PodGroupReplicaKey: "2"}).Obj()
+
+	basicPolicyPod := st.MakePod().Namespace("ns1").Name("basic-pod").UID("basic-pod").
+		WorkloadRef(&v1.WorkloadReference{Name: "basic-wl", PodGroup: "pg1"}).Obj()
+
+	nonGangPod := st.MakePod().Namespace("ns1").Name("non-gang").UID("non-gang").Obj()
+
+	tests := []struct {
+		name                 string
+		pod                  *v1.Pod
+		initialPods          []*v1.Pod
+		initialWorkloads     []*schedulingapi.Workload
+		podsWaitingOnPermit  []*v1.Pod
+		wantPreEnqueueStatus *fwk.Status
+		wantPermitStatus     *fwk.Status
+		wantActivatedPods    []*v1.Pod
+		wantAllowedPods      []types.UID
+	}{
+		{
+			name:                 "non-gang pod succeeds immediately",
+			pod:                  nonGangPod,
+			initialWorkloads:     []*schedulingapi.Workload{workload, basicPolicyWorkload},
+			wantPreEnqueueStatus: nil,
+			wantPermitStatus:     nil,
+		},
+		{
+			name:                 "basic policy pod succeeds immediately",
+			pod:                  basicPolicyPod,
+			initialWorkloads:     []*schedulingapi.Workload{workload, basicPolicyWorkload},
+			wantPreEnqueueStatus: nil,
+			wantPermitStatus:     nil,
+		},
+		{
+			name:                 "gang pod fails PreEnqueue when workload is not yet created",
+			pod:                  p1,
+			initialPods:          []*v1.Pod{p2, p3, p4, p5},
+			initialWorkloads:     []*schedulingapi.Workload{},
+			wantPreEnqueueStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "waiting for pods's workload \"gang-wl\" to appear in scheduling queue"),
+		},
+		{
+			name:                 "gang pod fails PreEnqueue when quorum is not met",
+			pod:                  p1,
+			initialPods:          []*v1.Pod{p2, p4, p5}, // Only p1 and p2 exist from their gang, minCount is 3.
+			initialWorkloads:     []*schedulingapi.Workload{workload},
+			wantPreEnqueueStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "waiting for minCount pods from a gang to appear in scheduling queue"),
+		},
+		{
+			name:                 "gang pod passes PreEnqueue, but waits at Permit",
+			pod:                  p1,
+			initialPods:          []*v1.Pod{p2, p3, p4, p5}, // All pods are available.
+			initialWorkloads:     []*schedulingapi.Workload{workload},
+			podsWaitingOnPermit:  []*v1.Pod{p2, p4, p5},
+			wantPreEnqueueStatus: nil,
+			wantActivatedPods:    []*v1.Pod{p3},
+			// At Permit, p1 will be assumed, but the count (2) is less than the quorum (3), so it must wait.
+			wantPermitStatus: fwk.NewStatus(fwk.Wait, "waiting for minCount pods from a gang to be waiting on permit"),
+		},
+		{
+			name:                 "final gang pod arrives at Permit and allows all waiting pods from a gang",
+			pod:                  p1, // p3 is the pod being scheduled in this cycle.
+			initialPods:          []*v1.Pod{p2, p3, p4, p5},
+			initialWorkloads:     []*schedulingapi.Workload{workload},
+			podsWaitingOnPermit:  []*v1.Pod{p2, p3, p4, p5},
+			wantPreEnqueueStatus: nil,
+			wantPermitStatus:     nil,
+			wantAllowedPods:      []types.UID{"p1", "p2", "p3"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			manager := workloadmanager.New()
+
+			informerFactory := informers.NewSharedInformerFactory(fake.NewClientset(), 0)
+			workloadInformer := informerFactory.Scheduling().V1alpha1().Workloads()
+
+			fakeActivator := &podActivatorMock{}
+
+			fh, err := frameworkruntime.NewFramework(ctx, nil, nil,
+				frameworkruntime.WithInformerFactory(informerFactory),
+				frameworkruntime.WithWorkloadManager(manager),
+				frameworkruntime.WithWaitingPods(frameworkruntime.NewWaitingPodsMap()),
+				frameworkruntime.WithPodActivator(fakeActivator),
+			)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+
+			// Populate informers and manager state for the test case.
+			for _, wl := range tt.initialWorkloads {
+				err := workloadInformer.Informer().GetStore().Add(wl)
+				if err != nil {
+					t.Fatalf("Failed to add workload %s to store: %v", wl.Name, err)
+				}
+			}
+			for _, p := range tt.initialPods {
+				manager.AddPod(p)
+			}
+			manager.AddPod(tt.pod)
+
+			p, err := New(ctx, nil, fh, feature.Features{EnableGangScheduling: true})
+			if err != nil {
+				t.Fatalf("Failed to create plugin: %v", err)
+			}
+			pl := p.(*GangScheduling)
+
+			gotPreEnqueueStatus := pl.PreEnqueue(ctx, tt.pod)
+			if diff := cmp.Diff(tt.wantPreEnqueueStatus, gotPreEnqueueStatus); diff != "" {
+				t.Fatalf("Unexpected PreEnqueue status (-want,+got):\n%s", diff)
+			}
+			if !gotPreEnqueueStatus.IsSuccess() {
+				// Pod is rejected.
+				return
+			}
+
+			// Simulate that other pods have already hit Permit and are now waiting.
+			for _, p := range tt.podsWaitingOnPermit {
+				// Run Reserve and Permit for these pods to get them into the "assumed" state inside the manager.
+				status := pl.Reserve(ctx, nil, p, "some-node")
+				if !status.IsSuccess() {
+					t.Fatalf("Unexpected Reserve status for pod %q: %v", p.Name, status)
+				}
+				status, _ = pl.Permit(ctx, nil, p, "some-node")
+				if status.Code() != fwk.Wait {
+					t.Fatalf("Expected Wait status while permitting a pod %q: %v", p.Name, status)
+				}
+			}
+
+			status := pl.Reserve(ctx, nil, tt.pod, "some-node")
+			if !status.IsSuccess() {
+				t.Fatalf("Unexpected Reserve status: %v", status)
+			}
+
+			// Clear activated pods to assert those activated in tt.pod Permit.
+			fakeActivator.activatedPods = nil
+
+			gotPermitStatus, _ := pl.Permit(ctx, nil, tt.pod, "some-node")
+			if diff := cmp.Diff(tt.wantPermitStatus, gotPermitStatus); diff != "" {
+				t.Fatalf("Unexpected Permit status (-want, +got):\n%s", diff)
+			}
+			if gotPermitStatus.Code() == fwk.Wait {
+				// Pod waits for others from a gang. Simulate its eventual Unreserve.
+				pl.Unreserve(ctx, nil, tt.pod, "some-node")
+				return
+			}
+
+			if diff := cmp.Diff(tt.wantActivatedPods, fakeActivator.activatedPods); diff != "" {
+				t.Errorf("Unexpected activated pods (-want, +got):\n%s", diff)
+			}
+			for _, p := range tt.wantAllowedPods {
+				if wp := fh.GetWaitingPod(p); wp != nil {
+					t.Errorf("Expected pod %q to be allowed", p)
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/helper/normalize_score.go b/pkg/scheduler/framework/plugins/helper/normalize_score.go
index c6d9e3ce4eb65..29a44c4688563 100644
--- a/pkg/scheduler/framework/plugins/helper/normalize_score.go
+++ b/pkg/scheduler/framework/plugins/helper/normalize_score.go
@@ -18,14 +18,13 @@ package helper
 
 import (
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // DefaultNormalizeScore generates a Normalize Score function that can normalize the
 // scores from [0, max(scores)] to [0, maxPriority]. If reverse is set to true, it
 // reverses the scores by subtracting it from maxPriority.
 // Note: The input scores are always assumed to be non-negative integers.
-func DefaultNormalizeScore(maxPriority int64, reverse bool, scores framework.NodeScoreList) *fwk.Status {
+func DefaultNormalizeScore(maxPriority int64, reverse bool, scores fwk.NodeScoreList) *fwk.Status {
 	var maxCount int64
 	for i := range scores {
 		if scores[i].Score > maxCount {
diff --git a/pkg/scheduler/framework/plugins/helper/normalize_score_test.go b/pkg/scheduler/framework/plugins/helper/normalize_score_test.go
index a72cbf9950b14..b51246d5e8a97 100644
--- a/pkg/scheduler/framework/plugins/helper/normalize_score_test.go
+++ b/pkg/scheduler/framework/plugins/helper/normalize_score_test.go
@@ -21,8 +21,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 )
 
 func TestDefaultNormalizeScore(t *testing.T) {
@@ -75,17 +74,17 @@ func TestDefaultNormalizeScore(t *testing.T) {
 
 	for i, test := range tests {
 		t.Run(fmt.Sprintf("case_%d", i), func(t *testing.T) {
-			scores := framework.NodeScoreList{}
+			scores := fwk.NodeScoreList{}
 			for _, score := range test.scores {
-				scores = append(scores, framework.NodeScore{Score: score})
+				scores = append(scores, fwk.NodeScore{Score: score})
 			}
 
-			expectedScores := framework.NodeScoreList{}
+			expectedScores := fwk.NodeScoreList{}
 			for _, score := range test.expectedScores {
-				expectedScores = append(expectedScores, framework.NodeScore{Score: score})
+				expectedScores = append(expectedScores, fwk.NodeScore{Score: score})
 			}
 
-			DefaultNormalizeScore(framework.MaxNodeScore, test.reverse, scores)
+			DefaultNormalizeScore(fwk.MaxNodeScore, test.reverse, scores)
 			if diff := cmp.Diff(expectedScores, scores); diff != "" {
 				t.Errorf("Unexpected scores (-want, +got):\n%s", diff)
 			}
diff --git a/pkg/scheduler/framework/plugins/imagelocality/image_locality.go b/pkg/scheduler/framework/plugins/imagelocality/image_locality.go
index 3aa678856d925..f23d9d9e7e0ce 100644
--- a/pkg/scheduler/framework/plugins/imagelocality/image_locality.go
+++ b/pkg/scheduler/framework/plugins/imagelocality/image_locality.go
@@ -22,8 +22,8 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 )
 
@@ -37,10 +37,11 @@ const (
 
 // ImageLocality is a score plugin that favors nodes that already have requested pod container's images.
 type ImageLocality struct {
-	handle framework.Handle
+	handle fwk.Handle
 }
 
-var _ framework.ScorePlugin = &ImageLocality{}
+var _ fwk.ScorePlugin = &ImageLocality{}
+var _ fwk.SignPlugin = &ImageLocality{}
 
 // Name is the name of the plugin used in the plugin registry and configurations.
 const Name = names.ImageLocality
@@ -50,6 +51,21 @@ func (pl *ImageLocality) Name() string {
 	return Name
 }
 
+// Filtering and scoring based on container image names.
+func (pl *ImageLocality) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	nameSet := sets.New[string]()
+
+	containers := []v1.Container{}
+	containers = append(containers, pod.Spec.Containers...)
+	containers = append(containers, pod.Spec.InitContainers...)
+
+	for _, container := range containers {
+		nameSet.Insert(normalizedImageName(container.Image))
+	}
+	names := sets.List(nameSet)
+	return []fwk.SignFragment{{Key: fwk.ImageNamesSignerName, Value: names}}, nil
+}
+
 // Score invoked at the score extension point.
 func (pl *ImageLocality) Score(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
 	nodeInfos, err := pl.handle.SnapshotSharedLister().NodeInfos().List()
@@ -65,12 +81,12 @@ func (pl *ImageLocality) Score(ctx context.Context, state fwk.CycleState, pod *v
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *ImageLocality) ScoreExtensions() framework.ScoreExtensions {
+func (pl *ImageLocality) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, h framework.Handle) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, h fwk.Handle) (fwk.Plugin, error) {
 	return &ImageLocality{handle: h}, nil
 }
 
@@ -84,7 +100,7 @@ func calculatePriority(sumScores int64, numContainers int) int64 {
 		sumScores = maxThreshold
 	}
 
-	return framework.MaxNodeScore * (sumScores - minThreshold) / (maxThreshold - minThreshold)
+	return fwk.MaxNodeScore * (sumScores - minThreshold) / (maxThreshold - minThreshold)
 }
 
 // sumImageScores returns the sum of image scores of all the containers that are already on the node.
diff --git a/pkg/scheduler/framework/plugins/imagelocality/image_locality_test.go b/pkg/scheduler/framework/plugins/imagelocality/image_locality_test.go
index 8813c20c8feaf..27c37be8b3a39 100644
--- a/pkg/scheduler/framework/plugins/imagelocality/image_locality_test.go
+++ b/pkg/scheduler/framework/plugins/imagelocality/image_locality_test.go
@@ -27,6 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/runtime"
@@ -239,7 +240,7 @@ func TestImageLocalityPriority(t *testing.T) {
 		pod          *v1.Pod
 		pods         []*v1.Pod
 		nodes        []*v1.Node
-		expectedList framework.NodeScoreList
+		expectedList fwk.NodeScoreList
 		name         string
 	}{
 		{
@@ -254,7 +255,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 100 * (250M/2 - 23M)/(1000M * 2 - 23M) = 5
 			pod:          &v1.Pod{Spec: test40250},
 			nodes:        []*v1.Node{makeImageNode("node1", node403002000), makeImageNode("node2", node25010)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 5}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 5}},
 			name:         "two images spread on two nodes, prefer the larger image one",
 		},
 		{
@@ -269,7 +270,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 0
 			pod:          &v1.Pod{Spec: test40300},
 			nodes:        []*v1.Node{makeImageNode("node1", node403002000), makeImageNode("node2", node25010)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 7}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 7}, {Name: "node2", Score: 0}},
 			name:         "two images on one node, prefer this node",
 		},
 		{
@@ -284,7 +285,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 0 (10M/2 < 23M, min-threshold)
 			pod:          &v1.Pod{Spec: testMinMax},
 			nodes:        []*v1.Node{makeImageNode("node1", node400030), makeImageNode("node2", node25010)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}},
 			name:         "if exceed limit, use limit",
 		},
 		{
@@ -303,7 +304,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 0
 			pod:          &v1.Pod{Spec: testMinMax},
 			nodes:        []*v1.Node{makeImageNode("node1", node400030), makeImageNode("node2", node25010), makeImageNode("node3", nodeWithNoImages)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 66}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 66}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 			name:         "if exceed limit, use limit (with node which has no images present)",
 		},
 		{
@@ -322,7 +323,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 0
 			pod:          &v1.Pod{Spec: test300600900},
 			nodes:        []*v1.Node{makeImageNode("node1", node60040900), makeImageNode("node2", node300600900), makeImageNode("node3", nodeWithNoImages)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 36}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 36}, {Name: "node3", Score: 0}},
 			name:         "pod with multiple large images, node2 is preferred",
 		},
 		{
@@ -337,7 +338,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 0
 			pod:          &v1.Pod{Spec: test3040},
 			nodes:        []*v1.Node{makeImageNode("node1", node203040), makeImageNode("node2", node400030)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 1}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 1}, {Name: "node2", Score: 0}},
 			name:         "pod with multiple small images",
 		},
 		{
@@ -352,7 +353,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			// Score: 100 * (30M * 1/2  - 23M) / (1000M * 2 - 23M) = 0
 			pod:          &v1.Pod{Spec: test30Init300},
 			nodes:        []*v1.Node{makeImageNode("node1", node403002000), makeImageNode("node2", node203040)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 6}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 6}, {Name: "node2", Score: 0}},
 			name:         "include InitContainers: two images spread on two nodes, prefer the larger image one",
 		},
 	}
@@ -371,7 +372,7 @@ func TestImageLocalityPriority(t *testing.T) {
 			if err != nil {
 				t.Fatalf("creating plugin: %v", err)
 			}
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, n := range test.nodes {
 				nodeName := n.ObjectMeta.Name
 				// Currently, we use the snapshot instead of the tf.BuildNodeInfos to build the nodeInfo since some
@@ -381,11 +382,11 @@ func TestImageLocalityPriority(t *testing.T) {
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", nodeName, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedList, gotList); diff != "" {
@@ -395,6 +396,82 @@ func TestImageLocalityPriority(t *testing.T) {
 	}
 }
 
+func TestImageSignature(t *testing.T) {
+	tests := []struct {
+		name              string
+		pod               *v1.Pod
+		expectedSignature []fwk.SignFragment
+	}{
+		{
+			name: "no images",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{},
+				},
+			},
+			expectedSignature: []fwk.SignFragment{
+				{
+					Key:   fwk.ImageNamesSignerName,
+					Value: []string{},
+				},
+			},
+		},
+		{
+			name: "one image",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{{Name: "c", Image: "myimage"}},
+				},
+			},
+			expectedSignature: []fwk.SignFragment{
+				{
+					Key:   fwk.ImageNamesSignerName,
+					Value: []string{"myimage:latest"},
+				},
+			},
+		},
+		{
+			name: "two images unsorted",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Name: "c", Image: "zmyimage"},
+						{Name: "c2", Image: "myimage"},
+					},
+				},
+			},
+			expectedSignature: []fwk.SignFragment{
+				{
+					Key:   fwk.ImageNamesSignerName,
+					Value: []string{"myimage:latest", "zmyimage:latest"},
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			snapshot := cache.NewSnapshot(nil, nil)
+			fh, _ := runtime.NewFramework(ctx, nil, nil, runtime.WithSnapshotSharedLister(snapshot))
+
+			p, err := New(ctx, nil, fh)
+			if err != nil {
+				t.Fatalf("creating plugin: %v", err)
+			}
+			signature, _ := p.(*ImageLocality).SignPod(ctx, test.pod)
+
+			if diff := cmp.Diff(test.expectedSignature, signature); diff != "" {
+				t.Fatalf("Diff %s", diff)
+			}
+		})
+	}
+
+}
+
 func TestNormalizedImageName(t *testing.T) {
 	for _, testCase := range []struct {
 		Name   string
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/filtering.go b/pkg/scheduler/framework/plugins/interpodaffinity/filtering.go
index 375f7954709f5..2b07766b38005 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/filtering.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/filtering.go
@@ -271,7 +271,7 @@ func (pl *InterPodAffinity) getIncomingAffinityAntiAffinityCounts(ctx context.Co
 }
 
 // PreFilter invoked at the prefilter extension point.
-func (pl *InterPodAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, allNodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *InterPodAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, allNodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	var nodesWithRequiredAntiAffinityPods []fwk.NodeInfo
 	var err error
 	if nodesWithRequiredAntiAffinityPods, err = pl.sharedLister.NodeInfos().HavePodsWithRequiredAntiAffinityList(); err != nil {
@@ -309,7 +309,7 @@ func (pl *InterPodAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleS
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *InterPodAffinity) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *InterPodAffinity) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/filtering_test.go b/pkg/scheduler/framework/plugins/interpodaffinity/filtering_test.go
index 83f557d0c632f..5a68a447f75d6 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/filtering_test.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/filtering_test.go
@@ -558,7 +558,7 @@ func TestRequiredAffinitySingleNode(t *testing.T) {
 			}
 			p := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &config.InterPodAffinityArgs{}, snapshot, namespaces)
 			state := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, state, test.pod, nodeInfos)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, state, test.pod, nodeInfos)
 			if diff := cmp.Diff(test.wantPreFilterStatus, preFilterStatus); diff != "" {
 				t.Errorf("PreFilter: status does not match (-want,+got):\n%s", diff)
 			}
@@ -567,7 +567,7 @@ func TestRequiredAffinitySingleNode(t *testing.T) {
 			}
 
 			nodeInfo := mustGetNodeInfo(t, snapshot, test.node.Name)
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
 			if diff := cmp.Diff(test.wantFilterStatus, gotStatus); diff != "" {
 				t.Errorf("Filter: status does not match (-want,+got):\n%s", diff)
 			}
@@ -977,7 +977,7 @@ func TestRequiredAffinityMultipleNodes(t *testing.T) {
 					&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "NS1"}},
 				})
 			state := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, state, test.pod, nodeInfos)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, state, test.pod, nodeInfos)
 			if diff := cmp.Diff(test.wantPreFilterStatus, preFilterStatus); diff != "" {
 				t.Errorf("PreFilter: status does not match (-want,+got):\n%s", diff)
 			}
@@ -986,7 +986,7 @@ func TestRequiredAffinityMultipleNodes(t *testing.T) {
 			}
 			for indexNode, node := range test.nodes {
 				nodeInfo := mustGetNodeInfo(t, snapshot, node.Name)
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
 				if diff := cmp.Diff(test.wantFilterStatuses[indexNode], gotStatus); diff != "" {
 					t.Errorf("index: %d: Filter: status does not match (-want,+got):\n%s", indexTest, diff)
 				}
@@ -1005,7 +1005,7 @@ func TestPreFilterDisabled(t *testing.T) {
 	defer cancel()
 	p := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &config.InterPodAffinityArgs{}, cache.NewEmptySnapshot(), nil)
 	cycleState := framework.NewCycleState()
-	gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
+	gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
 	wantStatus := fwk.AsStatus(fwk.ErrNotFound)
 	if diff := cmp.Diff(gotStatus, wantStatus); diff != "" {
 		t.Errorf("Status does not match (-want,+got):\n%s", diff)
@@ -1254,7 +1254,7 @@ func TestPreFilterStateAddRemovePod(t *testing.T) {
 				}
 				p := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &config.InterPodAffinityArgs{}, snapshot, nil)
 				cycleState := framework.NewCycleState()
-				_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pendingPod, nodeInfos)
+				_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pendingPod, nodeInfos)
 				if !preFilterStatus.IsSuccess() {
 					t.Errorf("prefilter failed with status: %v", preFilterStatus)
 				}
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/plugin.go b/pkg/scheduler/framework/plugins/interpodaffinity/plugin.go
index f3f6c89e3d5b6..e5d8463c7241b 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/plugin.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/plugin.go
@@ -28,8 +28,6 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -38,17 +36,18 @@ import (
 // Name is the name of the plugin used in the plugin registry and configurations.
 const Name = names.InterPodAffinity
 
-var _ framework.PreFilterPlugin = &InterPodAffinity{}
-var _ framework.FilterPlugin = &InterPodAffinity{}
-var _ framework.PreScorePlugin = &InterPodAffinity{}
-var _ framework.ScorePlugin = &InterPodAffinity{}
-var _ framework.EnqueueExtensions = &InterPodAffinity{}
+var _ fwk.PreFilterPlugin = &InterPodAffinity{}
+var _ fwk.FilterPlugin = &InterPodAffinity{}
+var _ fwk.PreScorePlugin = &InterPodAffinity{}
+var _ fwk.ScorePlugin = &InterPodAffinity{}
+var _ fwk.EnqueueExtensions = &InterPodAffinity{}
+var _ fwk.SignPlugin = &InterPodAffinity{}
 
 // InterPodAffinity is a plugin that checks inter pod affinity
 type InterPodAffinity struct {
-	parallelizer              parallelize.Parallelizer
+	parallelizer              fwk.Parallelizer
 	args                      config.InterPodAffinityArgs
-	sharedLister              framework.SharedLister
+	sharedLister              fwk.SharedLister
 	nsLister                  listersv1.NamespaceLister
 	enableSchedulingQueueHint bool
 }
@@ -58,6 +57,27 @@ func (pl *InterPodAffinity) Name() string {
 	return Name
 }
 
+// Inter pod affinity make feasibility and scoring dependent on the placement of other
+// pods in addition the current pod and node, so we cannot sign pods with these
+// constraints.
+func (pl *InterPodAffinity) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	if pod.Spec.Affinity != nil && (pod.Spec.Affinity.PodAffinity != nil || pod.Spec.Affinity.PodAntiAffinity != nil) {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "pods with InterPodAffinity are not signable")
+	}
+
+	// If this option is set then we only consider affinity between pods that have affinity configured,
+	// so we can ignore the pods labels if it doesn't have rules set.
+	// Otherwise we need to include the pod's labels to ensure we catch affinity between the pod
+	// and other pods which may have affinity rules set.
+	if pl.args.IgnorePreferredTermsOfExistingPods {
+		return nil, nil
+	}
+
+	return []fwk.SignFragment{
+		{Key: fwk.LabelsSignerName, Value: pod.Labels},
+	}, nil
+}
+
 // EventsToRegister returns the possible events that may make a failed Pod
 // schedulable
 func (pl *InterPodAffinity) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
@@ -84,7 +104,7 @@ func (pl *InterPodAffinity) EventsToRegister(_ context.Context) ([]fwk.ClusterEv
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, plArgs runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, plArgs runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	if h.SnapshotSharedLister() == nil {
 		return nil, fmt.Errorf("SnapshotSharedlister is nil")
 	}
@@ -159,12 +179,12 @@ func (pl *InterPodAffinity) isSchedulableAfterPodChange(logger klog.Logger, pod
 		return fwk.QueueSkip, nil
 	}
 
-	terms, err := framework.GetAffinityTerms(pod, framework.GetPodAffinityTerms(pod.Spec.Affinity))
+	terms, err := fwk.GetAffinityTerms(pod, fwk.GetPodAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		return fwk.Queue, err
 	}
 
-	antiTerms, err := framework.GetAffinityTerms(pod, framework.GetPodAntiAffinityTerms(pod.Spec.Affinity))
+	antiTerms, err := fwk.GetAffinityTerms(pod, fwk.GetPodAntiAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		return fwk.Queue, err
 	}
@@ -217,7 +237,7 @@ func (pl *InterPodAffinity) isSchedulableAfterNodeChange(logger klog.Logger, pod
 		return fwk.Queue, err
 	}
 
-	terms, err := framework.GetAffinityTerms(pod, framework.GetPodAffinityTerms(pod.Spec.Affinity))
+	terms, err := fwk.GetAffinityTerms(pod, fwk.GetPodAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		return fwk.Queue, err
 	}
@@ -254,7 +274,7 @@ func (pl *InterPodAffinity) isSchedulableAfterNodeChange(logger klog.Logger, pod
 		}
 	}
 
-	antiTerms, err := framework.GetAffinityTerms(pod, framework.GetPodAntiAffinityTerms(pod.Spec.Affinity))
+	antiTerms, err := fwk.GetAffinityTerms(pod, fwk.GetPodAntiAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		return fwk.Queue, err
 	}
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/plugin_test.go b/pkg/scheduler/framework/plugins/interpodaffinity/plugin_test.go
index 9c6fbc8455e9f..7e7753a4b9222 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/plugin_test.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/plugin_test.go
@@ -259,3 +259,82 @@ func Test_isSchedulableAfterNodeChange(t *testing.T) {
 		})
 	}
 }
+
+func TestPodAffinitySignature(t *testing.T) {
+	tests := []struct {
+		name              string
+		pod               *v1.Pod
+		expectedSignature []fwk.SignFragment
+		schedulable       bool
+		config            config.InterPodAffinityArgs
+	}{
+		{
+			name: "no affinity, default settings",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"foo": "bar"},
+				},
+				Spec: v1.PodSpec{},
+			},
+			expectedSignature: []fwk.SignFragment{
+				{
+					Key:   fwk.LabelsSignerName,
+					Value: map[string]string{"foo": "bar"},
+				},
+			},
+			schedulable: true,
+		},
+		{
+			name: "no affinity, ignore setting set",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"foo": "bar"},
+				},
+				Spec: v1.PodSpec{},
+			},
+			schedulable: true,
+			config: config.InterPodAffinityArgs{
+				IgnorePreferredTermsOfExistingPods: true,
+			},
+		},
+		{
+			name: "affinity set",
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{"foo": "bar"},
+				},
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						PodAffinity: &v1.PodAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{
+								{},
+							},
+						},
+					},
+				},
+			},
+			schedulable: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			snapshot := cache.NewSnapshot(nil, nil)
+			pl := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &test.config, snapshot, namespaces)
+			p := pl.(*InterPodAffinity)
+			signature, status := p.SignPod(ctx, test.pod)
+
+			if !status.IsSuccess() && test.schedulable {
+				t.Fatalf("Expected success, got %v", status)
+			}
+
+			if diff := cmp.Diff(test.expectedSignature, signature); diff != "" {
+				t.Fatalf("Diff %s", diff)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/scoring.go b/pkg/scheduler/framework/plugins/interpodaffinity/scoring.go
index 3cfc118d84f82..642089e581ad5 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/scoring.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/scoring.go
@@ -255,7 +255,7 @@ func (pl *InterPodAffinity) Score(ctx context.Context, cycleState fwk.CycleState
 }
 
 // NormalizeScore normalizes the score for each filteredNode.
-func (pl *InterPodAffinity) NormalizeScore(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
+func (pl *InterPodAffinity) NormalizeScore(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
 	s, err := getPreScoreState(cycleState)
 	if err != nil {
 		return fwk.AsStatus(err)
@@ -280,7 +280,7 @@ func (pl *InterPodAffinity) NormalizeScore(ctx context.Context, cycleState fwk.C
 	for i := range scores {
 		fScore := float64(0)
 		if maxMinDiff > 0 {
-			fScore = float64(framework.MaxNodeScore) * (float64(scores[i].Score-minCount) / float64(maxMinDiff))
+			fScore = float64(fwk.MaxNodeScore) * (float64(scores[i].Score-minCount) / float64(maxMinDiff))
 		}
 
 		scores[i].Score = int64(fScore)
@@ -290,6 +290,6 @@ func (pl *InterPodAffinity) NormalizeScore(ctx context.Context, cycleState fwk.C
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *InterPodAffinity) ScoreExtensions() framework.ScoreExtensions {
+func (pl *InterPodAffinity) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
diff --git a/pkg/scheduler/framework/plugins/interpodaffinity/scoring_test.go b/pkg/scheduler/framework/plugins/interpodaffinity/scoring_test.go
index 39cfdb1dadd7a..9135077730dc1 100644
--- a/pkg/scheduler/framework/plugins/interpodaffinity/scoring_test.go
+++ b/pkg/scheduler/framework/plugins/interpodaffinity/scoring_test.go
@@ -378,7 +378,7 @@ func TestPreferredAffinity(t *testing.T) {
 		pod                                *v1.Pod
 		pods                               []*v1.Pod
 		nodes                              []*v1.Node
-		expectedList                       framework.NodeScoreList
+		expectedList                       fwk.NodeScoreList
 		name                               string
 		ignorePreferredTermsOfExistingPods bool
 		wantStatus                         *fwk.Status
@@ -410,7 +410,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 		},
 		// the node1(node1) that have the label {"region": "China"} (match the topology key) and that have existing pods that match the labelSelector get high score
 		// the node2(node2) that have the label {"region": "China"}, match the topology key and have the same label value with node1, get the same high score with node1
@@ -427,7 +427,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgChinaAzAz1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 		// there are 2 regions, say regionChina(node1,node3,node4) and regionIndia(node2,node5), both regions have nodes that match the preference.
 		// But there are more nodes(actually more existing pods) in regionChina that match the preference than regionIndia.
@@ -451,7 +451,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node4", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node5", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: framework.MaxNodeScore}, {Name: "node4", Score: framework.MaxNodeScore}, {Name: "node5", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: fwk.MaxNodeScore}, {Name: "node4", Score: fwk.MaxNodeScore}, {Name: "node5", Score: 0}},
 		},
 		// Test with the different operators and values for pod affinity scheduling preference, including some match failures.
 		{
@@ -467,7 +467,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 20}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 20}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 		// Test the symmetry cases for affinity, the difference between affinity and symmetry is not the pod wants to run together with some existing pods,
 		// but the existing pods have the inter pod affinity preference while the pod to schedule satisfy the preference.
@@ -483,7 +483,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 		{
 			name: "Affinity symmetry with namespace selector",
@@ -497,7 +497,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 		},
 		{
 			name: "AntiAffinity symmetry with namespace selector",
@@ -511,7 +511,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: fwk.MaxNodeScore}},
 		},
 		{
 			name: "Affinity symmetry: considered RequiredDuringSchedulingIgnoredDuringExecution in pod affinity symmetry",
@@ -525,7 +525,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 
 		// The pod to schedule prefer to stay away from some existing pods at node level using the pod anti affinity.
@@ -545,7 +545,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelAzAz1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgChina}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		{
 			name: "Anti Affinity: pod that does not match topology key & match the pods in nodes will get higher score comparing to others ",
@@ -558,7 +558,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelAzAz1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgChina}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		{
 			name: "Anti Affinity: one node has more matching pods comparing to other node, so the node which has more unmatches will get high score",
@@ -572,7 +572,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelAzAz1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		// Test the symmetry cases for anti affinity
 		{
@@ -586,7 +586,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelAzAz1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelAzAz2}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		// Test both  affinity and anti-affinity
 		{
@@ -600,7 +600,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelAzAz1}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}},
 		},
 		// Combined cases considering both affinity and anti-affinity, the pod to schedule and existing pods have the same labels (they are in the same RC/service),
 		// the pod prefer to run together with its brother pods in the same region, but wants to stay away from them at node level,
@@ -625,7 +625,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node4", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node5", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: framework.MaxNodeScore}, {Name: "node4", Score: framework.MaxNodeScore}, {Name: "node5", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: fwk.MaxNodeScore}, {Name: "node4", Score: fwk.MaxNodeScore}, {Name: "node5", Score: 0}},
 		},
 		// Consider Affinity, Anti Affinity and symmetry together.
 		// for Affinity, the weights are:                8,  0,  0,  0
@@ -647,7 +647,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelRgIndia}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node4", Labels: labelAzAz2}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: framework.MaxNodeScore}, {Name: "node4", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: fwk.MaxNodeScore}, {Name: "node4", Score: 0}},
 		},
 		// Cover https://github.com/kubernetes/kubernetes/issues/82796 which panics upon:
 		// 1. Some nodes in a topology don't have pods with affinity, but other nodes in the same topology have.
@@ -663,7 +663,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgChina}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
 		},
 		{
 			name:       "invalid Affinity fails PreScore",
@@ -696,7 +696,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}},
 		},
 		{
 			name: "Affinity with pods matching both NamespaceSelector and Namespaces fields",
@@ -711,7 +711,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}},
 		},
 		{
 			name: "Affinity with pods matching NamespaceSelector",
@@ -726,7 +726,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		{
 			name: "Affinity with pods matching both NamespaceSelector and Namespaces fields",
@@ -741,7 +741,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 		},
 		{
 			name: "Ignore preferred terms of existing pods",
@@ -754,7 +754,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList:                       []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
+			expectedList:                       []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
 			wantStatus:                         fwk.NewStatus(fwk.Skip),
 			ignorePreferredTermsOfExistingPods: true,
 		},
@@ -769,7 +769,7 @@ func TestPreferredAffinity(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: labelRgChina}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: labelRgIndia}},
 			},
-			expectedList:                       []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList:                       []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: fwk.MaxNodeScore}},
 			ignorePreferredTermsOfExistingPods: false,
 		},
 		{
@@ -788,7 +788,7 @@ func TestPreferredAffinity(t *testing.T) {
 			state := framework.NewCycleState()
 			p := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &config.InterPodAffinityArgs{HardPodAffinityWeight: 1, IgnorePreferredTermsOfExistingPods: test.ignorePreferredTermsOfExistingPods}, cache.NewSnapshot(test.pods, test.nodes), namespaces)
 			nodeInfos := tf.BuildNodeInfos(test.nodes)
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
 
 			if !status.IsSuccess() {
 				if status.Code() != test.wantStatus.Code() {
@@ -801,17 +801,17 @@ func TestPreferredAffinity(t *testing.T) {
 				return
 			}
 
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, nodeInfo := range nodeInfos {
 				nodeName := nodeInfo.Node().Name
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error from Score: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
-			status = p.(framework.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
+			status = p.(fwk.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
 			if !status.IsSuccess() {
 				t.Errorf("unexpected error from NormalizeScore: %v", status)
 			}
@@ -869,7 +869,7 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 		pods                  []*v1.Pod
 		nodes                 []*v1.Node
 		hardPodAffinityWeight int32
-		expectedList          framework.NodeScoreList
+		expectedList          fwk.NodeScoreList
 		name                  string
 		wantStatus            *fwk.Status
 	}{
@@ -886,7 +886,7 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
 			hardPodAffinityWeight: v1.DefaultHardPodAffinitySymmetricWeight,
-			expectedList:          []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList:          []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 		{
 			name: "with zero weight",
@@ -931,7 +931,7 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
 			hardPodAffinityWeight: v1.DefaultHardPodAffinitySymmetricWeight,
-			expectedList:          []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList:          []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 		{
 			name: "with matching Namespaces",
@@ -946,7 +946,7 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: labelAzAz1}},
 			},
 			hardPodAffinityWeight: v1.DefaultHardPodAffinitySymmetricWeight,
-			expectedList:          []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}, {Name: "node3", Score: 0}},
+			expectedList:          []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}, {Name: "node3", Score: 0}},
 		},
 	}
 	for _, test := range tests {
@@ -957,7 +957,7 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 			state := framework.NewCycleState()
 			p := plugintesting.SetupPluginWithInformers(ctx, t, schedruntime.FactoryAdapter(feature.Features{}, New), &config.InterPodAffinityArgs{HardPodAffinityWeight: test.hardPodAffinityWeight}, cache.NewSnapshot(test.pods, test.nodes), namespaces)
 			nodeInfos := tf.BuildNodeInfos(test.nodes)
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
 			if !test.wantStatus.Equal(status) {
 				t.Errorf("InterPodAffinity#PreScore() returned unexpected status.Code got: %v, want: %v", status.Code(), test.wantStatus.Code())
 			}
@@ -965,21 +965,21 @@ func TestPreferredAffinityWithHardPodAffinitySymmetricWeight(t *testing.T) {
 				return
 			}
 
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, nodeInfo := range nodeInfos {
 				nodeName := nodeInfo.Node().Name
 				nodeInfo, err := p.(*InterPodAffinity).sharedLister.NodeInfos().Get(nodeName)
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", nodeName, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
-			status = p.(framework.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
+			status = p.(fwk.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
 			if !status.IsSuccess() {
 				t.Errorf("unexpected error: %v", status)
 			}
diff --git a/pkg/scheduler/framework/plugins/names/names.go b/pkg/scheduler/framework/plugins/names/names.go
index a3cf13423389a..60915c352ad1b 100644
--- a/pkg/scheduler/framework/plugins/names/names.go
+++ b/pkg/scheduler/framework/plugins/names/names.go
@@ -21,9 +21,11 @@ const (
 	DefaultBinder                   = "DefaultBinder"
 	DefaultPreemption               = "DefaultPreemption"
 	DynamicResources                = "DynamicResources"
+	GangScheduling                  = "GangScheduling"
 	ImageLocality                   = "ImageLocality"
 	InterPodAffinity                = "InterPodAffinity"
 	NodeAffinity                    = "NodeAffinity"
+	NodeDeclaredFeatures            = "NodeDeclaredFeatures"
 	NodeName                        = "NodeName"
 	NodePorts                       = "NodePorts"
 	NodeResourcesBalancedAllocation = "NodeResourcesBalancedAllocation"
diff --git a/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity.go b/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity.go
index 8b1f7afb00522..83cbff01793b5 100644
--- a/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity.go
+++ b/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity.go
@@ -29,7 +29,6 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
@@ -38,17 +37,18 @@ import (
 
 // NodeAffinity is a plugin that checks if a pod node selector matches the node label.
 type NodeAffinity struct {
-	handle                    framework.Handle
+	handle                    fwk.Handle
 	addedNodeSelector         *nodeaffinity.NodeSelector
 	addedPrefSchedTerms       *nodeaffinity.PreferredSchedulingTerms
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.PreFilterPlugin = &NodeAffinity{}
-var _ framework.FilterPlugin = &NodeAffinity{}
-var _ framework.PreScorePlugin = &NodeAffinity{}
-var _ framework.ScorePlugin = &NodeAffinity{}
-var _ framework.EnqueueExtensions = &NodeAffinity{}
+var _ fwk.PreFilterPlugin = &NodeAffinity{}
+var _ fwk.FilterPlugin = &NodeAffinity{}
+var _ fwk.PreScorePlugin = &NodeAffinity{}
+var _ fwk.ScorePlugin = &NodeAffinity{}
+var _ fwk.EnqueueExtensions = &NodeAffinity{}
+var _ fwk.SignPlugin = &NodeAffinity{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -75,6 +75,18 @@ func (pl *NodeAffinity) Name() string {
 	return Name
 }
 
+// Node affinity filtering and scoring depend on NodeAffinity and NodeSelectors.
+func (pl *NodeAffinity) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	aff, err := fwk.NodeAffinitySigner(pod)
+	if err != nil {
+		return nil, fwk.AsStatus(err)
+	}
+	return []fwk.SignFragment{
+		{Key: fwk.NodeAffinitySignerName, Value: aff},
+		{Key: fwk.NodeSelectorSignerName, Value: pod.Spec.NodeSelector},
+	}, nil
+}
+
 type preFilterState struct {
 	requiredNodeSelectorAndAffinity nodeaffinity.RequiredNodeAffinity
 }
@@ -144,7 +156,7 @@ func (pl *NodeAffinity) isSchedulableAfterNodeChange(logger klog.Logger, pod *v1
 }
 
 // PreFilter builds and writes cycle state used by Filter.
-func (pl *NodeAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *NodeAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	affinity := pod.Spec.Affinity
 	noNodeAffinity := (affinity == nil ||
 		affinity.NodeAffinity == nil ||
@@ -190,14 +202,14 @@ func (pl *NodeAffinity) PreFilter(ctx context.Context, cycleState fwk.CycleState
 	if nodeNames != nil && len(nodeNames) == 0 {
 		return nil, fwk.NewStatus(fwk.UnschedulableAndUnresolvable, errReasonConflict)
 	} else if len(nodeNames) > 0 {
-		return &framework.PreFilterResult{NodeNames: nodeNames}, nil
+		return &fwk.PreFilterResult{NodeNames: nodeNames}, nil
 	}
 	return nil, nil
 
 }
 
 // PreFilterExtensions not necessary for this plugin as state doesn't depend on pod additions or deletions.
-func (pl *NodeAffinity) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *NodeAffinity) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -285,17 +297,17 @@ func (pl *NodeAffinity) Score(ctx context.Context, state fwk.CycleState, pod *v1
 }
 
 // NormalizeScore invoked after scoring all nodes.
-func (pl *NodeAffinity) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
-	return helper.DefaultNormalizeScore(framework.MaxNodeScore, false, scores)
+func (pl *NodeAffinity) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
+	return helper.DefaultNormalizeScore(fwk.MaxNodeScore, false, scores)
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *NodeAffinity) ScoreExtensions() framework.ScoreExtensions {
+func (pl *NodeAffinity) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, plArgs runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, plArgs runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	args, err := getArgs(plArgs)
 	if err != nil {
 		return nil, err
diff --git a/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity_test.go b/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity_test.go
index 7802614561e79..d1314e35791a2 100644
--- a/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity_test.go
+++ b/pkg/scheduler/framework/plugins/nodeaffinity/node_affinity_test.go
@@ -46,7 +46,7 @@ func TestNodeAffinity(t *testing.T) {
 		nodeName            string
 		wantStatus          *fwk.Status
 		wantPreFilterStatus *fwk.Status
-		wantPreFilterResult *framework.PreFilterResult
+		wantPreFilterResult *fwk.PreFilterResult
 		args                config.NodeAffinityArgs
 		runPreFilter        bool
 	}{
@@ -497,7 +497,7 @@ func TestNodeAffinity(t *testing.T) {
 				},
 			},
 			nodeName:            "node1",
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New("node1")},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New("node1")},
 			runPreFilter:        true,
 		},
 		{
@@ -525,7 +525,7 @@ func TestNodeAffinity(t *testing.T) {
 			},
 			nodeName:            "node2",
 			wantStatus:          fwk.NewStatus(fwk.UnschedulableAndUnresolvable, ErrReasonPod),
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New("node1")},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New("node1")},
 			runPreFilter:        true,
 		},
 		{
@@ -601,7 +601,7 @@ func TestNodeAffinity(t *testing.T) {
 			},
 			nodeName:            "node2",
 			labels:              map[string]string{"foo": "bar"},
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New("node1")},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New("node1")},
 			wantStatus:          fwk.NewStatus(fwk.UnschedulableAndUnresolvable, ErrReasonPod),
 			runPreFilter:        true,
 		},
@@ -637,7 +637,7 @@ func TestNodeAffinity(t *testing.T) {
 			},
 			nodeName:            "node1",
 			labels:              map[string]string{"foo": "bar"},
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New("node1")},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New("node1")},
 			runPreFilter:        true,
 		},
 		{
@@ -710,7 +710,7 @@ func TestNodeAffinity(t *testing.T) {
 				},
 			},
 			nodeName:            "node2",
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New("node1", "node2")},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New("node1", "node2")},
 			runPreFilter:        true,
 		},
 		{
@@ -917,7 +917,7 @@ func TestNodeAffinity(t *testing.T) {
 			state := framework.NewCycleState()
 			var gotStatus *fwk.Status
 			if test.runPreFilter {
-				gotPreFilterResult, gotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, state, test.pod, nil)
+				gotPreFilterResult, gotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, state, test.pod, nil)
 				if diff := cmp.Diff(test.wantPreFilterStatus, gotStatus); diff != "" {
 					t.Errorf("unexpected PreFilter Status (-want,+got):\n%s", diff)
 				}
@@ -925,7 +925,7 @@ func TestNodeAffinity(t *testing.T) {
 					t.Errorf("unexpected PreFilterResult (-want,+got):\n%s", diff)
 				}
 			}
-			gotStatus = p.(framework.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
+			gotStatus = p.(fwk.FilterPlugin).Filter(ctx, state, test.pod, nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("unexpected Filter Status (-want,+got):\n%s", diff)
 			}
@@ -1012,7 +1012,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 		name               string
 		pod                *v1.Pod
 		nodes              []*v1.Node
-		expectedList       framework.NodeScoreList
+		expectedList       fwk.NodeScoreList
 		args               config.NodeAffinityArgs
 		runPreScore        bool
 		wantPreScoreStatus *fwk.Status
@@ -1029,7 +1029,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: label3}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 		},
 		{
 			// PreScore returns Skip.
@@ -1090,7 +1090,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: label3}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 			runPreScore:  true,
 		},
 		{
@@ -1105,7 +1105,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: label3}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}, {Name: "node3", Score: 0}},
 			runPreScore:  true,
 		},
 		{
@@ -1120,7 +1120,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node5", Labels: label5}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 18}, {Name: "node5", Score: framework.MaxNodeScore}, {Name: "node2", Score: 36}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 18}, {Name: "node5", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 36}},
 			runPreScore:  true,
 		},
 		{
@@ -1130,7 +1130,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node1", Labels: label1}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: 0}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 0}},
 			args: config.NodeAffinityArgs{
 				AddedAffinity: affinity1.NodeAffinity,
 			},
@@ -1148,7 +1148,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node3", Labels: label5}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 40}, {Name: "node2", Score: 60}, {Name: "node3", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 40}, {Name: "node2", Score: 60}, {Name: "node3", Score: fwk.MaxNodeScore}},
 			args: config.NodeAffinityArgs{
 				AddedAffinity: &v1.NodeAffinity{
 					PreferredDuringSchedulingIgnoredDuringExecution: []v1.PreferredSchedulingTerm{
@@ -1181,7 +1181,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 				{ObjectMeta: metav1.ObjectMeta{Name: "node5", Labels: label5}},
 				{ObjectMeta: metav1.ObjectMeta{Name: "node2", Labels: label2}},
 			},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 18}, {Name: "node5", Score: framework.MaxNodeScore}, {Name: "node2", Score: 36}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 18}, {Name: "node5", Score: fwk.MaxNodeScore}, {Name: "node2", Score: 36}},
 		},
 	}
 
@@ -1199,7 +1199,7 @@ func TestNodeAffinityPriority(t *testing.T) {
 			}
 			var status *fwk.Status
 			if test.runPreScore {
-				status = p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
+				status = p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
 				if status.Code() != test.wantPreScoreStatus.Code() {
 					t.Errorf("unexpected status code from PreScore: want: %v got: %v", test.wantPreScoreStatus.Code().String(), status.Code().String())
 				}
@@ -1211,18 +1211,18 @@ func TestNodeAffinityPriority(t *testing.T) {
 					return
 				}
 			}
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			nodeInfos := tf.BuildNodeInfos(test.nodes)
 			for _, nodeInfo := range nodeInfos {
 				nodeName := nodeInfo.Node().Name
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
-			status = p.(framework.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
+			status = p.(fwk.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
 			if !status.IsSuccess() {
 				t.Errorf("unexpected error: %v", status)
 			}
diff --git a/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures.go b/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures.go
new file mode 100644
index 0000000000000..330f8ed7a35db
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures.go
@@ -0,0 +1,214 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	versionutil "k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-base/version"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	"k8s.io/component-helpers/nodedeclaredfeatures/features"
+	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
+	"k8s.io/kubernetes/pkg/scheduler/util"
+)
+
+const (
+	// Name is the name of the plugin used in the plugin registry and configurations.
+	Name = names.NodeDeclaredFeatures
+	// preFilterStateKey is the key in CycleState used to store the pod's feature requirements.
+	preFilterStateKey fwk.StateKey = "PreFilter" + Name
+)
+
+// preFilterState computed at PreFilter and used at Filter.
+type preFilterState struct {
+	reqs ndf.FeatureSet
+}
+
+// Clone implements StateData.
+func (s *preFilterState) Clone() fwk.StateData {
+	return s
+}
+
+// NodeDeclaredFeatures is a plugin that checks if a node has all the features required by a pod.
+type NodeDeclaredFeatures struct {
+	ndfFramework *ndf.Framework
+	version      *versionutil.Version
+	enabled      bool
+}
+
+var _ fwk.PreFilterPlugin = &NodeDeclaredFeatures{}
+var _ fwk.FilterPlugin = &NodeDeclaredFeatures{}
+var _ fwk.EnqueueExtensions = &NodeDeclaredFeatures{}
+var _ fwk.SignPlugin = &NodeDeclaredFeatures{}
+
+// Name returns name of the plugin. It is used in logs, etc.
+func (pl *NodeDeclaredFeatures) Name() string {
+	return Name
+}
+
+// New initializes a new plugin and returns it.
+func New(ctx context.Context, plArgs runtime.Object, fh fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
+	if !fts.EnableNodeDeclaredFeatures {
+		// Disabled, won't do anything.
+		return &NodeDeclaredFeatures{}, nil
+	}
+	ndfFramework, err := ndf.New(features.AllFeatures)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create node feature framework: %w", err)
+	}
+	ver, err := versionutil.Parse(version.Get().String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse version: %w", err)
+	}
+	return &NodeDeclaredFeatures{ndfFramework: ndfFramework, version: ver, enabled: true}, nil
+}
+
+// PreFilter checks if the pod has any feature requirements.
+func (pl *NodeDeclaredFeatures) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
+	if !pl.enabled {
+		return nil, fwk.NewStatus(fwk.Skip)
+	}
+	// Pod status is not updated yet, we just pass the spec to node declared features library
+	podInfo := &ndf.PodInfo{Spec: &pod.Spec}
+	reqs, err := pl.ndfFramework.InferForPodScheduling(podInfo, pl.version)
+	if err != nil {
+		return nil, fwk.AsStatus(err)
+	}
+	if reqs.Len() == 0 {
+		return nil, fwk.NewStatus(fwk.Skip)
+	}
+	cycleState.Write(preFilterStateKey, &preFilterState{reqs: reqs})
+	return nil, nil
+}
+
+// PreFilterExtensions returns pre-filter extensions, pod add and remove.
+func (pl *NodeDeclaredFeatures) PreFilterExtensions() fwk.PreFilterExtensions {
+	return nil
+}
+
+// Filter checks if the node has the required features.
+func (pl *NodeDeclaredFeatures) Filter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	if !pl.enabled {
+		return nil
+	}
+	s, err := getPreFilterState(cycleState)
+	if err != nil {
+		return fwk.AsStatus(err)
+	}
+	result, err := ndf.MatchNodeFeatureSet(s.reqs, nodeInfo.GetNodeDeclaredFeatures())
+	if err != nil {
+		return fwk.AsStatus(err)
+	}
+	if !result.IsMatch {
+		return fwk.NewStatus(fwk.UnschedulableAndUnresolvable, fmt.Sprintf("node declared features check failed - unsatisfied requirements: %s", strings.Join(result.UnsatisfiedRequirements, ", ")))
+	}
+	return nil
+}
+
+func (pl *NodeDeclaredFeatures) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	podInfo := &ndf.PodInfo{Spec: &pod.Spec}
+	fs, err := pl.ndfFramework.InferForPodScheduling(podInfo, pl.version)
+	if err != nil {
+		return nil, fwk.AsStatus(err)
+	}
+	featuresList := sets.List(fs.Set)
+	return []fwk.SignFragment{
+		{Key: fwk.FeaturesSignerName, Value: featuresList},
+	}, nil
+}
+
+// EventsToRegister returns events that may make a pod schedulable. It is required for the EnqueueExtensions interface.
+func (pl *NodeDeclaredFeatures) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
+	if !pl.enabled {
+		return nil, nil
+	}
+	return []fwk.ClusterEventWithHint{
+		{
+			Event:          fwk.ClusterEvent{Resource: fwk.Node, ActionType: fwk.Add | fwk.UpdateNodeDeclaredFeature},
+			QueueingHintFn: pl.isSchedulableAfterNodeChange,
+		},
+		{
+			Event:          fwk.ClusterEvent{Resource: fwk.Pod, ActionType: fwk.Update},
+			QueueingHintFn: pl.isSchedulableAfterPodUpdate,
+		},
+	}, nil
+}
+
+func getPreFilterState(cycleState fwk.CycleState) (*preFilterState, error) {
+	c, err := cycleState.Read(preFilterStateKey)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %q from cycle-state: %w", preFilterStateKey, err)
+	}
+	s, ok := c.(*preFilterState)
+	if !ok {
+		return nil, fmt.Errorf("invalid PreFilter state, got type %T, expected %T", c, &preFilterState{})
+	}
+	return s, nil
+}
+
+func (pl *NodeDeclaredFeatures) isSchedulableAfterPodUpdate(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
+	oldPod, newPod, err := util.As[*v1.Pod](oldObj, newObj)
+	if err != nil {
+		return fwk.Queue, err
+	}
+	// If the pod that was updated is not the target pod, then we don't need to re-evaluate it.
+	if pod.UID != newPod.UID {
+		logger.V(5).Info("the update event is not for targetPod, skipping queueing", "pod", klog.KObj(newPod))
+		return fwk.QueueSkip, nil
+	}
+	oldPodInfo := &ndf.PodInfo{Spec: &oldPod.Spec}
+	newPodInfo := &ndf.PodInfo{Spec: &newPod.Spec}
+	oldReqs, err := pl.ndfFramework.InferForPodScheduling(oldPodInfo, pl.version)
+	if err != nil {
+		logger.Error(err, "failed to infer old pod feature requirements", "pod", klog.KObj(pod))
+		return fwk.Queue, err
+	}
+	newReqs, err := pl.ndfFramework.InferForPodScheduling(newPodInfo, pl.version)
+	if err != nil {
+		logger.Error(err, "failed to infer new pod feature requirements", "pod", klog.KObj(pod))
+		return fwk.Queue, err
+	}
+	if newReqs.Equal(oldReqs) {
+		logger.V(5).Info("pod feature requirements didn't change, skipping queueing", "pod", klog.KObj(newPod))
+		return fwk.QueueSkip, nil
+	}
+	logger.V(4).Info("pod feature requirements changed, queueing", "pod", klog.KObj(pod))
+	return fwk.Queue, nil
+}
+
+func (pl *NodeDeclaredFeatures) isSchedulableAfterNodeChange(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
+	oldNode, newNode, err := util.As[*v1.Node](oldObj, newObj)
+	if err != nil {
+		return fwk.Queue, err
+	}
+	if oldNode != nil && slices.Equal(oldNode.Status.DeclaredFeatures, newNode.Status.DeclaredFeatures) {
+		logger.V(5).Info("node's declared features didn't change, skipping queueing", "pod", klog.KObj(pod), "node", klog.KObj(newNode))
+		return fwk.QueueSkip, nil
+	}
+	logger.V(4).Info("Node declared features updated, queueing", "pod", klog.KObj(pod), "node", klog.KObj(newNode))
+	return fwk.Queue, nil
+}
diff --git a/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures_test.go b/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures_test.go
new file mode 100644
index 0000000000000..5bdf3f8344ee4
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/nodedeclaredfeatures/nodedeclaredfeatures_test.go
@@ -0,0 +1,434 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/mock"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
+)
+
+// createMockFeature is a helper function to create and configure a MockFeature.
+func createMockFeature(t *testing.T, name string, infer bool, maxVersionStr string) *ndftesting.MockFeature {
+	m := ndftesting.NewMockFeature(t)
+	m.EXPECT().Name().Return(name).Maybe()
+	m.EXPECT().InferForScheduling(mock.Anything).Return(infer).Maybe()
+	if maxVersionStr != "" {
+		minVersion := version.MustParseSemantic(maxVersionStr)
+		m.EXPECT().MaxVersion().Return(minVersion).Maybe()
+	} else {
+		m.EXPECT().MaxVersion().Return(nil).Maybe()
+	}
+	return m
+}
+
+func TestPreFilter(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
+	testCases := []struct {
+		name              string
+		pluginEnabled     bool
+		pod               *v1.Pod
+		nodeFeatures      []ndf.Feature
+		expectedStatus    *fwk.Status
+		expectedState     *preFilterState
+		componenetVersion string
+	}{
+		{
+			name:              "plugin disabled",
+			pluginEnabled:     false,
+			pod:               st.MakePod().Name("test-pod").Obj(),
+			componenetVersion: "1.35.0",
+			nodeFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, ""),
+			},
+			expectedStatus: fwk.NewStatus(fwk.Skip),
+			expectedState:  nil,
+		},
+		{
+			name:              "Pod with feature requirements",
+			pluginEnabled:     true,
+			pod:               st.MakePod().Name("test-pod").Obj(),
+			componenetVersion: "1.35.0",
+			nodeFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, ""),
+			},
+			expectedStatus: fwk.NewStatus(fwk.Success),
+			expectedState:  &preFilterState{reqs: ndf.NewFeatureSet("TestFeature")},
+		},
+		{
+			name:              "Pod with multiple feature requirements",
+			pluginEnabled:     true,
+			pod:               st.MakePod().Name("test-pod").Obj(),
+			componenetVersion: "1.35.0",
+			nodeFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature1", true, "1.38.0"),
+				createMockFeature(t, "TestFeature2", true, "1.38.0"),
+			},
+			expectedStatus: fwk.NewStatus(fwk.Success),
+			expectedState:  &preFilterState{reqs: ndf.NewFeatureSet("TestFeature1", "TestFeature2")},
+		},
+		{
+			name:              "Pod with no requirements",
+			pluginEnabled:     true,
+			pod:               st.MakePod().Name("test-pod").Obj(),
+			componenetVersion: "1.35.0",
+			nodeFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", false, ""),
+			},
+			expectedStatus: fwk.NewStatus(fwk.Skip),
+			expectedState:  nil,
+		},
+		{
+			name:              "Feature not required, version > MaxVersion",
+			pluginEnabled:     true,
+			pod:               st.MakePod().Name("test-pod").Obj(),
+			componenetVersion: "1.34.0",
+			nodeFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.33.0"),
+			},
+			expectedStatus: fwk.NewStatus(fwk.Skip),
+			expectedState:  nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ndfFramework, err := ndf.New(tc.nodeFeatures)
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+
+			plugin := &NodeDeclaredFeatures{
+				ndfFramework: ndfFramework,
+				version:      version.MustParseSemantic(tc.componenetVersion),
+				enabled:      tc.pluginEnabled,
+			}
+			cycleState := framework.NewCycleState()
+			result, status := plugin.PreFilter(ctx, cycleState, tc.pod, nil)
+
+			if result != nil {
+				t.Errorf("PreFilter should always return a nil for result")
+			}
+
+			if diff := cmp.Diff(tc.expectedStatus, status); diff != "" {
+				t.Errorf("unexpected status (-want,+got):\n%s", diff)
+			}
+
+			if tc.expectedState != nil {
+				state, err := getPreFilterState(cycleState)
+				if err != nil {
+					t.Fatalf("getPreFilterState returned unexpected error: %v", err)
+				}
+				if !tc.expectedState.reqs.Equal(state.reqs) {
+					t.Errorf("unexpected preFilterState reqs: want %v, got %v", tc.expectedState.reqs, state.reqs)
+				}
+			} else {
+				_, err := getPreFilterState(cycleState)
+				if err == nil {
+					t.Fatalf("get prefilter state: %v", err)
+				}
+			}
+		})
+	}
+}
+
+func TestFilter(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
+
+	testCases := []struct {
+		name           string
+		pluginEnabled  bool
+		pod            *v1.Pod
+		node           *v1.Node
+		preFilterReqs  []string
+		expectedStatus *fwk.Status
+	}{
+		{
+			name:           "plugin disabled",
+			pluginEnabled:  false,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA", "FeatureB"}).Obj(),
+			preFilterReqs:  nil,
+			expectedStatus: nil,
+		},
+		{
+			name:           "Node matches requirements",
+			pluginEnabled:  true,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA", "FeatureB"}).Obj(),
+			preFilterReqs:  []string{"FeatureA"},
+			expectedStatus: fwk.NewStatus(fwk.Success),
+		},
+		{
+			name:           "Node does not match requirements",
+			pluginEnabled:  true,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureB"}).Obj(),
+			preFilterReqs:  []string{"FeatureA"},
+			expectedStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node declared features check failed - unsatisfied requirements: FeatureA"),
+		},
+		{
+			name:           "Node with multiple features, pod requires subset",
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-multi").DeclaredFeatures([]string{"FeatureA", "FeatureB", "FeatureC"}).Obj(),
+			preFilterReqs:  []string{"FeatureA", "FeatureC"},
+			expectedStatus: fwk.NewStatus(fwk.Success),
+		},
+		{
+			name:           "Node has no declared features",
+			pluginEnabled:  true,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").Obj(),
+			preFilterReqs:  []string{"FeatureA"},
+			expectedStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node declared features check failed - unsatisfied requirements: FeatureA"),
+		},
+		{
+			name:           "Node with some but not all required features",
+			pluginEnabled:  true,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA"}).Obj(),
+			preFilterReqs:  []string{"FeatureA", "FeatureB"},
+			expectedStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node declared features check failed - unsatisfied requirements: FeatureB"),
+		},
+		{
+			name:           "Error getting pre-filter state",
+			pluginEnabled:  true,
+			pod:            st.MakePod().Name("test-pod").Obj(),
+			node:           st.MakeNode().Name("node-1").Obj(),
+			preFilterReqs:  nil, // This will cause getPreFilterState to fail
+			expectedStatus: fwk.AsStatus(fmt.Errorf("error reading %q from cycle-state: %w", preFilterStateKey, fwk.ErrNotFound)),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Setting feature gate is still needed as we check for it in SetNode()
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.pluginEnabled)
+			nodeInfo := framework.NewNodeInfo()
+			nodeInfo.SetNode(tc.node)
+
+			ndfFramework, err := ndf.New([]ndf.Feature{})
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+			plugin := &NodeDeclaredFeatures{
+				ndfFramework: ndfFramework,
+				version:      version.MustParseSemantic("1.35.0"),
+				enabled:      tc.pluginEnabled,
+			}
+			cycleState := framework.NewCycleState()
+			if tc.preFilterReqs != nil {
+				cycleState.Write(preFilterStateKey, &preFilterState{reqs: ndf.NewFeatureSet(tc.preFilterReqs...)})
+			}
+
+			status := plugin.Filter(ctx, cycleState, tc.pod, nodeInfo)
+			if !status.IsSuccess() {
+				if tc.expectedStatus.Code() != status.Code() {
+					t.Errorf("unexpected status code: want %d, got %d", tc.expectedStatus.Code(), status.Code())
+				}
+				if tc.expectedStatus.Message() != status.Message() {
+					t.Errorf("unexpected status message: want %q, got %q", tc.expectedStatus.Message(), status.Message())
+				}
+			} else if diff := cmp.Diff(tc.expectedStatus, status); diff != "" {
+				t.Errorf("unexpected status (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestEnqueueExtensionsNodeUpdate(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	targetPodName := "test-pod"
+
+	testCases := []struct {
+		name          string
+		pluginEnabled bool
+		oldNode       *v1.Node
+		newNode       *v1.Node
+		expectedHint  fwk.QueueingHint
+	}{
+		{
+			name:         "Node Add with feature",
+			oldNode:      nil,
+			newNode:      st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA"}).Obj(),
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:         "Node Update (Features Added)",
+			oldNode:      st.MakeNode().Name("node-1").Obj(),
+			newNode:      st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA"}).Obj(),
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:         "Node Update (Features Unchanged)",
+			oldNode:      st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA"}).Obj(),
+			newNode:      st.MakeNode().Name("node-1").DeclaredFeatures([]string{"FeatureA"}).Obj(),
+			expectedHint: fwk.QueueSkip,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ndfFramework, err := ndf.New([]ndf.Feature{})
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+			plugin := &NodeDeclaredFeatures{
+				ndfFramework: ndfFramework,
+				version:      version.MustParseSemantic("1.35.0"),
+				enabled:      true,
+			}
+
+			hint, err := plugin.isSchedulableAfterNodeChange(logger, st.MakePod().Name(targetPodName).Obj(), tc.oldNode, tc.newNode)
+			if err != nil {
+				t.Fatalf("isSchedulableAfterNodeChange returned unexpected error: %v", err)
+			}
+			if tc.expectedHint != hint {
+				t.Errorf("unexpected hint: want %v, got %v", tc.expectedHint, hint)
+			}
+		})
+	}
+}
+
+func TestEnqueueExtensionsPodUpdate(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+
+	targetPodName := "test-pod"
+	targetPodUID := "123"
+
+	// Test isSchedulableAfterPodUpdate
+	testCases := []struct {
+		name              string
+		oldPod            *v1.Pod
+		newPod            *v1.Pod
+		setupMock         func(m *ndftesting.MockFeature)
+		nodeFeatures      []ndf.Feature
+		expectedHint      fwk.QueueingHint
+		componenetVersion *version.Version
+		expectedErr       string
+	}{
+		{
+			name:              "Pod Update adds requirement",
+			oldPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(),
+			newPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Label("foo", "bar").Obj(),
+			componenetVersion: version.MustParseSemantic("1.35.0"),
+			setupMock: func(m *ndftesting.MockFeature) {
+				m.EXPECT().InferForScheduling(mock.Anything).Return(false).Once()
+				m.EXPECT().InferForScheduling(mock.Anything).Return(true).Once()
+				m.EXPECT().Name().Return("TestFeature").Maybe()
+				m.EXPECT().MaxVersion().Return(nil).Maybe()
+			},
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:              "Pod Update removes requirement",
+			oldPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Label("foo", "bar").Obj(),
+			newPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(),
+			componenetVersion: version.MustParseSemantic("1.35.0"),
+			setupMock: func(m *ndftesting.MockFeature) {
+				m.EXPECT().InferForScheduling(mock.Anything).Return(true).Once()
+				m.EXPECT().InferForScheduling(mock.Anything).Return(false).Once()
+				m.EXPECT().Name().Return("TestFeature").Maybe()
+				m.EXPECT().MaxVersion().Return(nil).Maybe()
+			},
+			expectedHint: fwk.Queue,
+		},
+		{
+			name:              "Pod Update with no change in requirements",
+			oldPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(),
+			newPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(),
+			componenetVersion: version.MustParseSemantic("1.35.0"),
+			setupMock: func(m *ndftesting.MockFeature) {
+				m.EXPECT().InferForScheduling(mock.Anything).Return(false)
+				m.EXPECT().Name().Return("TestFeature").Maybe()
+				m.EXPECT().MaxVersion().Return(nil).Maybe()
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:              "Updated pod not the same as target pod",
+			oldPod:            st.MakePod().Name("another-test-pod").UID("456").Label("foo", "bar").Obj(),
+			newPod:            st.MakePod().Name("another-test-pod").UID("456").Obj(),
+			componenetVersion: version.MustParseSemantic("1.35.0"),
+			setupMock: func(m *ndftesting.MockFeature) {
+				m.EXPECT().InferForScheduling(mock.Anything).Return(false).Maybe()
+				m.EXPECT().Name().Return("TestFeature").Maybe()
+				m.EXPECT().MaxVersion().Return(nil).Maybe()
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		{
+			name:              "Infer returns error",
+			oldPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(),
+			newPod:            st.MakePod().Name(targetPodName).UID(targetPodUID).Label("foo", "bar").Obj(),
+			componenetVersion: nil,
+			setupMock: func(m *ndftesting.MockFeature) {
+				m.EXPECT().InferForScheduling(mock.Anything).Return(true).Maybe()
+				m.EXPECT().Name().Return("TestFeature").Maybe()
+				m.EXPECT().MaxVersion().Return(nil).Maybe()
+			},
+			expectedHint: fwk.Queue, // Queued again in case of error
+			expectedErr:  "target version cannot be nil",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockF := ndftesting.NewMockFeature(t)
+			tc.setupMock(mockF)
+
+			ndfFramework, err := ndf.New([]ndf.Feature{mockF})
+			if err != nil {
+				t.Fatalf("Failed to create framework: %v", err)
+			}
+			plugin := &NodeDeclaredFeatures{
+				ndfFramework: ndfFramework,
+				version:      tc.componenetVersion,
+				enabled:      true,
+			}
+			hint, err := plugin.isSchedulableAfterPodUpdate(logger, st.MakePod().Name(targetPodName).UID(targetPodUID).Obj(), tc.oldPod, tc.newPod)
+			if tc.expectedErr != "" {
+				if err == nil {
+					t.Fatalf("expected error containing %q, got nil", tc.expectedErr)
+				} else if !strings.Contains(err.Error(), tc.expectedErr) {
+					t.Fatalf("expected error containing %q, got %v", tc.expectedErr, err)
+				}
+			} else if err != nil {
+				t.Fatalf("expected no error, got %v", err)
+			}
+
+			if tc.expectedHint != hint {
+				t.Errorf("unexpected hint: want %v, got %v", tc.expectedHint, hint)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/nodename/node_name.go b/pkg/scheduler/framework/plugins/nodename/node_name.go
index 4ae46e36bb94a..84d73a0598e1a 100644
--- a/pkg/scheduler/framework/plugins/nodename/node_name.go
+++ b/pkg/scheduler/framework/plugins/nodename/node_name.go
@@ -22,7 +22,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 )
@@ -32,8 +31,9 @@ type NodeName struct {
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.FilterPlugin = &NodeName{}
-var _ framework.EnqueueExtensions = &NodeName{}
+var _ fwk.FilterPlugin = &NodeName{}
+var _ fwk.EnqueueExtensions = &NodeName{}
+var _ fwk.SignPlugin = &NodeName{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -68,6 +68,13 @@ func (pl *NodeName) Name() string {
 	return Name
 }
 
+// NodeName scoring and feasibility are dependent on the NodeName field.
+func (pl *NodeName) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.NodeNameSignerName, Value: pod.Spec.NodeName},
+	}, nil
+}
+
 // Filter invoked at the filter extension point.
 func (pl *NodeName) Filter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
 
@@ -83,7 +90,7 @@ func Fits(pod *v1.Pod, nodeInfo fwk.NodeInfo) bool {
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, _ framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, _ fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	return &NodeName{
 		enableSchedulingQueueHint: fts.EnableSchedulingQueueHint,
 	}, nil
diff --git a/pkg/scheduler/framework/plugins/nodename/node_name_test.go b/pkg/scheduler/framework/plugins/nodename/node_name_test.go
index c3dafd7ac7981..989a19171c175 100644
--- a/pkg/scheduler/framework/plugins/nodename/node_name_test.go
+++ b/pkg/scheduler/framework/plugins/nodename/node_name_test.go
@@ -63,7 +63,7 @@ func TestNodeName(t *testing.T) {
 			if err != nil {
 				t.Fatalf("creating plugin: %v", err)
 			}
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("status does not match (-want,+got):\n%s", diff)
 			}
diff --git a/pkg/scheduler/framework/plugins/nodeports/node_ports.go b/pkg/scheduler/framework/plugins/nodeports/node_ports.go
index 3566bfab0c9c7..6e3793fdcc96b 100644
--- a/pkg/scheduler/framework/plugins/nodeports/node_ports.go
+++ b/pkg/scheduler/framework/plugins/nodeports/node_ports.go
@@ -24,7 +24,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -35,9 +34,10 @@ type NodePorts struct {
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.PreFilterPlugin = &NodePorts{}
-var _ framework.FilterPlugin = &NodePorts{}
-var _ framework.EnqueueExtensions = &NodePorts{}
+var _ fwk.PreFilterPlugin = &NodePorts{}
+var _ fwk.FilterPlugin = &NodePorts{}
+var _ fwk.EnqueueExtensions = &NodePorts{}
+var _ fwk.SignPlugin = &NodePorts{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -64,8 +64,15 @@ func (pl *NodePorts) Name() string {
 	return Name
 }
 
+// NodePort feasibility and scheduling is based on the host ports for the containers.
+func (pl *NodePorts) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.HostPortsSignerName, Value: fwk.HostPortsSigner(pod)},
+	}, nil
+}
+
 // PreFilter invoked at the prefilter extension point.
-func (pl *NodePorts) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *NodePorts) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	s := util.GetHostPorts(pod)
 	// Skip if a pod has no ports.
 	if len(s) == 0 {
@@ -76,7 +83,7 @@ func (pl *NodePorts) PreFilter(ctx context.Context, cycleState fwk.CycleState, p
 }
 
 // PreFilterExtensions do not exist for this plugin.
-func (pl *NodePorts) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *NodePorts) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -136,15 +143,13 @@ func (pl *NodePorts) isSchedulableAfterPodDeleted(logger klog.Logger, pod *v1.Po
 		return fwk.QueueSkip, nil
 	}
 
-	// Construct a fake NodeInfo that only has the deleted Pod.
-	// If we can schedule `pod` to this fake node, it means that `pod` and the deleted pod don't have any common port(s).
+	// Verify that `pod` and the deleted pod don't have any common port(s).
 	// So, deleting that pod couldn't make `pod` schedulable.
-	usedPorts := make(fwk.HostPortInfo, len(ports))
+	portsInUse := make(fwk.HostPortInfo, len(ports))
 	for _, p := range ports {
-		usedPorts.Add(p.HostIP, string(p.Protocol), p.HostPort)
+		portsInUse.Add(p.HostIP, string(p.Protocol), p.HostPort)
 	}
-	nodeInfo := framework.NodeInfo{UsedPorts: usedPorts}
-	if Fits(pod, &nodeInfo) {
+	if fitsPorts(util.GetHostPorts(pod), portsInUse) {
 		logger.V(4).Info("the deleted pod and the target pod don't have any common port(s), returning QueueSkip as deleting this Pod won't make the Pod schedulable", "pod", klog.KObj(pod), "deletedPod", klog.KObj(deletedPod))
 		return fwk.QueueSkip, nil
 	}
@@ -160,7 +165,7 @@ func (pl *NodePorts) Filter(ctx context.Context, cycleState fwk.CycleState, pod
 		return fwk.AsStatus(err)
 	}
 
-	fits := fitsPorts(wantPorts, nodeInfo)
+	fits := fitsPorts(wantPorts, nodeInfo.GetUsedPorts())
 	if !fits {
 		return fwk.NewStatus(fwk.Unschedulable, ErrReason)
 	}
@@ -168,16 +173,16 @@ func (pl *NodePorts) Filter(ctx context.Context, cycleState fwk.CycleState, pod
 	return nil
 }
 
-// Fits checks if the pod fits the node.
+// Fits checks if the pod has any ports conflicting with nodeInfo's ports.
+// It returns true if there are no conflicts (which means that pod fits the node), otherwise false.
 func Fits(pod *v1.Pod, nodeInfo fwk.NodeInfo) bool {
-	return fitsPorts(util.GetHostPorts(pod), nodeInfo)
+	return fitsPorts(util.GetHostPorts(pod), nodeInfo.GetUsedPorts())
 }
 
-func fitsPorts(wantPorts []v1.ContainerPort, nodeInfo fwk.NodeInfo) bool {
-	// try to see whether existingPorts and wantPorts will conflict or not
-	existingPorts := nodeInfo.GetUsedPorts()
+func fitsPorts(wantPorts []v1.ContainerPort, portsInUse fwk.HostPortInfo) bool {
+	// try to see whether portsInUse and wantPorts will conflict or not
 	for _, cp := range wantPorts {
-		if existingPorts.CheckConflict(cp.HostIP, string(cp.Protocol), cp.HostPort) {
+		if portsInUse.CheckConflict(cp.HostIP, string(cp.Protocol), cp.HostPort) {
 			return false
 		}
 	}
@@ -185,7 +190,7 @@ func fitsPorts(wantPorts []v1.ContainerPort, nodeInfo fwk.NodeInfo) bool {
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, _ framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, _ fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	return &NodePorts{
 		enableSchedulingQueueHint: fts.EnableSchedulingQueueHint,
 	}, nil
diff --git a/pkg/scheduler/framework/plugins/nodeports/node_ports_test.go b/pkg/scheduler/framework/plugins/nodeports/node_ports_test.go
index e31a365eb0122..639647b4adeee 100644
--- a/pkg/scheduler/framework/plugins/nodeports/node_ports_test.go
+++ b/pkg/scheduler/framework/plugins/nodeports/node_ports_test.go
@@ -48,6 +48,10 @@ func newPod(host string, hostPortInfos ...string) *v1.Pod {
 	return st.MakePod().Node(host).ContainerPort(networkPorts).Obj()
 }
 
+func newNodeInfo(hostPortInfos ...string) fwk.NodeInfo {
+	return framework.NewNodeInfo(newPod("p1", hostPortInfos...))
+}
+
 func TestNodePorts(t *testing.T) {
 	tests := []struct {
 		pod                 *v1.Pod
@@ -180,7 +184,7 @@ func TestNodePorts(t *testing.T) {
 				t.Fatalf("creating plugin: %v", err)
 			}
 			cycleState := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.wantPreFilterStatus, preFilterStatus); diff != "" {
 				t.Errorf("preFilter status does not match (-want,+got): %s", diff)
 			}
@@ -190,7 +194,7 @@ func TestNodePorts(t *testing.T) {
 			if !preFilterStatus.IsSuccess() {
 				t.Errorf("prefilter failed with status: %v", preFilterStatus)
 			}
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 			if diff := cmp.Diff(test.wantFilterStatus, gotStatus); diff != "" {
 				t.Errorf("filter status does not match (-want, +got): %s", diff)
 			}
@@ -209,7 +213,7 @@ func TestPreFilterDisabled(t *testing.T) {
 		t.Fatalf("creating plugin: %v", err)
 	}
 	cycleState := framework.NewCycleState()
-	gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
+	gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
 	wantStatus := fwk.AsStatus(fwk.ErrNotFound)
 	if diff := cmp.Diff(wantStatus, gotStatus); diff != "" {
 		t.Errorf("status does not match (-want,+got):\n%s", diff)
@@ -270,3 +274,67 @@ func Test_isSchedulableAfterPodDeleted(t *testing.T) {
 		})
 	}
 }
+
+// This test is similar to TestHostPortInfo_Check in k8s.io/kube-scheduler/framework/types_test.go,
+// but it tests a smaller set of cases. We could consider using a fake HostPortInfo to verify the logic
+// of Fits, instead of the logic of CheckConflict.
+func TestFits(t *testing.T) {
+	tests := []struct {
+		desc     string
+		pod      *v1.Pod
+		existing fwk.NodeInfo
+		expect   bool
+	}{
+		{
+			desc:     "non-conflicting ports",
+			pod:      newPod("p", "TCP/127.0.0.1/80"),
+			existing: newNodeInfo("TCP/127.0.0.1/9090"),
+			expect:   true,
+		},
+		{
+			desc: "multiple non-conflicting ports",
+			pod: newPod("p",
+				"TCP/127.0.0.1/80",
+				"TCP/127.0.1.1/80",
+				"TCP/127.0.1.1/90",
+				"TCP/127.0.1.1/100"),
+			existing: newNodeInfo(
+				"TCP/127.0.0.1/9090",
+				"TCP/127.0.0.1/9191",
+				"TCP/127.0.1.1/8080"),
+			expect: true,
+		},
+		{
+			desc:     "same ports on different protocols",
+			pod:      newPod("m1", "TCP/127.0.0.1/80"),
+			existing: newNodeInfo("UDP/127.0.0.1/80"),
+			expect:   true,
+		},
+		{
+			desc:     "conflicting ports",
+			pod:      newPod("m1", "TCP/127.0.0.1/80"),
+			existing: newNodeInfo("TCP/127.0.0.1/80"),
+			expect:   false,
+		},
+		{
+			desc: "multiple ports, some conflicting",
+			pod: newPod("p",
+				"TCP/127.0.0.1/80",
+				"TCP/127.0.1.1/80",
+				"TCP/127.0.1.1/90",
+				"TCP/127.0.1.1/100"),
+			existing: newNodeInfo(
+				"TCP/127.0.0.1/9090",
+				"TCP/127.0.1.1/90",
+				"TCP/127.0.1.1/8080"),
+			expect: false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.desc, func(t *testing.T) {
+			if Fits(test.pod, test.existing) != test.expect {
+				t.Errorf("expected %t; got %t", test.expect, !test.expect)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/noderesources/balanced_allocation.go b/pkg/scheduler/framework/plugins/noderesources/balanced_allocation.go
index bcde0f655f9de..035c77b334889 100644
--- a/pkg/scheduler/framework/plugins/noderesources/balanced_allocation.go
+++ b/pkg/scheduler/framework/plugins/noderesources/balanced_allocation.go
@@ -22,11 +22,12 @@ import (
 	"math"
 
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/dynamic-resource-allocation/structured"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 )
@@ -34,12 +35,13 @@ import (
 // BalancedAllocation is a score plugin that calculates the difference between the cpu and memory fraction
 // of capacity, and prioritizes the host based on how close the two metrics are to each other.
 type BalancedAllocation struct {
-	handle framework.Handle
+	handle fwk.Handle
 	resourceAllocationScorer
 }
 
-var _ framework.PreScorePlugin = &BalancedAllocation{}
-var _ framework.ScorePlugin = &BalancedAllocation{}
+var _ fwk.PreScorePlugin = &BalancedAllocation{}
+var _ fwk.ScorePlugin = &BalancedAllocation{}
+var _ fwk.SignPlugin = &BalancedAllocation{}
 
 // BalancedAllocationName is the name of the plugin used in the plugin registry and configurations.
 const (
@@ -49,11 +51,21 @@ const (
 	balancedAllocationPreScoreStateKey = "PreScore" + BalancedAllocationName
 )
 
+// draPreScoreState holds the pre-computed data for DRA extended resources scoring.
+type draPreScoreState struct {
+	// allocatedState holds the DRA allocated state for DRA extended resources scoring.
+	allocatedState *structured.AllocatedState
+	// resourceSlices holds the list of resource slices for DRA extended resource scoring.
+	resourceSlices []*resourceapi.ResourceSlice
+}
+
 // balancedAllocationPreScoreState computed at PreScore and used at Score.
 type balancedAllocationPreScoreState struct {
 	// podRequests have the same order of the resources defined in NodeResourcesFitArgs.Resources,
 	// same for other place we store a list like that.
 	podRequests []int64
+	// DRA extended resource scoring state.
+	*draPreScoreState
 }
 
 // Clone implements the mandatory Clone interface. We don't really copy the data since
@@ -74,6 +86,15 @@ func (ba *BalancedAllocation) PreScore(ctx context.Context, cycleState fwk.Cycle
 	state := &balancedAllocationPreScoreState{
 		podRequests: podRequests,
 	}
+	if ba.enableDRAExtendedResource {
+		draPreScoreState, status := getDRAPreScoredParams(ba.draManager, ba.resources)
+		if status != nil {
+			return status
+		}
+		if draPreScoreState != nil {
+			state.draPreScoreState = draPreScoreState
+		}
+	}
 	cycleState.Write(balancedAllocationPreScoreStateKey, state)
 	return nil
 }
@@ -96,6 +117,22 @@ func (ba *BalancedAllocation) Name() string {
 	return BalancedAllocationName
 }
 
+// Filtering and scoring based on the container resources and overheads.
+func (pl *BalancedAllocation) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	opts := ResourceRequestsOptions{
+		EnablePodLevelResources:   pl.enablePodLevelResources,
+		EnableDRAExtendedResource: pl.enableDRAExtendedResource,
+	}
+
+	if pl.enableDRAExtendedResource {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "signature disabled when dra extended resources enabled")
+	}
+
+	return []fwk.SignFragment{
+		{Key: fwk.ResourcesSignerName, Value: computePodResourceRequest(pod, opts)},
+	}, nil
+}
+
 // Score invoked at the score extension point.
 func (ba *BalancedAllocation) Score(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
 	s, err := getBalancedAllocationPreScoreState(state)
@@ -104,6 +141,15 @@ func (ba *BalancedAllocation) Score(ctx context.Context, state fwk.CycleState, p
 		if ba.isBestEffortPod(s.podRequests) {
 			return 0, nil
 		}
+		if ba.enableDRAExtendedResource {
+			draPreScoreState, status := getDRAPreScoredParams(ba.draManager, ba.resources)
+			if status != nil {
+				return 0, status
+			}
+			if draPreScoreState != nil {
+				s.draPreScoreState = draPreScoreState
+			}
+		}
 	}
 
 	// ba.score favors nodes with balanced resource usage rate.
@@ -111,16 +157,16 @@ func (ba *BalancedAllocation) Score(ctx context.Context, state fwk.CycleState, p
 	// Detail: score = (1 - std) * MaxNodeScore, where std is calculated by the root square of Σ((fraction(i)-mean)^2)/len(resources)
 	// The algorithm is partly inspired by:
 	// "Wei Huang et al. An Energy Efficient Virtual Machine Placement Algorithm with Balanced Resource Utilization"
-	return ba.score(ctx, pod, nodeInfo, s.podRequests)
+	return ba.score(ctx, pod, nodeInfo, s.podRequests, s.draPreScoreState)
 }
 
 // ScoreExtensions of the Score plugin.
-func (ba *BalancedAllocation) ScoreExtensions() framework.ScoreExtensions {
+func (ba *BalancedAllocation) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
 // NewBalancedAllocation initializes a new plugin and returns it.
-func NewBalancedAllocation(_ context.Context, baArgs runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func NewBalancedAllocation(_ context.Context, baArgs runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	args, ok := baArgs.(*config.NodeResourcesBalancedAllocationArgs)
 	if !ok {
 		return nil, fmt.Errorf("want args to be of type NodeResourcesBalancedAllocationArgs, got %T", baArgs)
@@ -136,9 +182,11 @@ func NewBalancedAllocation(_ context.Context, baArgs runtime.Object, h framework
 			Name:                            BalancedAllocationName,
 			enableInPlacePodVerticalScaling: fts.EnableInPlacePodVerticalScaling,
 			enablePodLevelResources:         fts.EnablePodLevelResources,
+			enableDRAExtendedResource:       fts.EnableDRAExtendedResource,
 			scorer:                          balancedResourceScorer,
 			useRequested:                    true,
 			resources:                       args.Resources,
+			enableInPlacePodLevelResourcesVerticalScaling: fts.EnableInPlacePodLevelResourcesVerticalScaling,
 		},
 	}, nil
 }
@@ -176,5 +224,5 @@ func balancedResourceScorer(requested, allocable []int64) int64 {
 
 	// STD (standard deviation) is always a positive value. 1-deviation lets the score to be higher for node which has least deviation and
 	// multiplying it with `MaxNodeScore` provides the scaling factor needed.
-	return int64((1 - std) * float64(framework.MaxNodeScore))
+	return int64((1 - std) * float64(fwk.MaxNodeScore))
 }
diff --git a/pkg/scheduler/framework/plugins/noderesources/balanced_allocation_test.go b/pkg/scheduler/framework/plugins/noderesources/balanced_allocation_test.go
index 2155685cb3dc7..998c68f711765 100644
--- a/pkg/scheduler/framework/plugins/noderesources/balanced_allocation_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/balanced_allocation_test.go
@@ -114,7 +114,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 		pod                    *v1.Pod
 		pods                   []*v1.Pod
 		nodes                  []*v1.Node
-		expectedList           framework.NodeScoreList
+		expectedList           fwk.NodeScoreList
 		name                   string
 		args                   config.NodeResourcesBalancedAllocationArgs
 		runPreScore            bool
@@ -142,7 +142,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			// Node2 Score: (1-0) * MaxNodeScore = MaxNodeScore
 			pod:          &v1.Pod{Spec: cpuAndMemory},
 			nodes:        []*v1.Node{makeNode("node1", 4000, 10000, nil), makeNode("node2", 6000, 10000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 87}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 87}, {Name: "node2", Score: fwk.MaxNodeScore}},
 			name:         "nothing scheduled, resources requested, differently sized nodes",
 			args:         config.NodeResourcesBalancedAllocationArgs{Resources: defaultResourceBalancedAllocationSet},
 			runPreScore:  true,
@@ -160,7 +160,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			// Node2 Score: (1 - 0.05)*MaxNodeScore = 95
 			pod:          &v1.Pod{Spec: cpuAndMemory},
 			nodes:        []*v1.Node{makeNode("node1", 10000, 20000, nil), makeNode("node2", 10000, 20000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 95}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 95}},
 			name:         "resources requested, pods scheduled with resources",
 			pods: []*v1.Pod{
 				{Spec: cpuOnly},
@@ -182,7 +182,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			// Node2 Score: (1 - 0.2)*MaxNodeScore = 80
 			pod:          &v1.Pod{Spec: cpuAndMemory},
 			nodes:        []*v1.Node{makeNode("node1", 10000, 20000, nil), makeNode("node2", 10000, 50000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 80}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 80}},
 			name:         "resources requested, pods scheduled with resources, differently sized nodes",
 			pods: []*v1.Pod{
 				{Spec: cpuOnly},
@@ -205,7 +205,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			// Node2 Score: (1 - 0.25)*MaxNodeScore = 75
 			pod:          &v1.Pod{Spec: cpuOnly},
 			nodes:        []*v1.Node{makeNode("node1", 6000, 10000, nil), makeNode("node2", 6000, 10000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 75}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 75}},
 			name:         "requested resources at node capacity",
 			pods: []*v1.Pod{
 				{Spec: cpuOnly},
@@ -232,7 +232,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 				"nvidia.com/gpu":  "1",
 			}).Obj(),
 			nodes:        []*v1.Node{makeNode("node1", 3500, 40000, scalarResource), makeNode("node2", 3500, 40000, scalarResource)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 70}, {Name: "node2", Score: 65}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 70}, {Name: "node2", Score: 65}},
 			name:         "include scalar resource on a node for balanced resource allocation",
 			pods: []*v1.Pod{
 				{Spec: cpuAndMemory},
@@ -259,7 +259,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 		{
 			pod:          &v1.Pod{Spec: cpuAndMemory},
 			nodes:        []*v1.Node{makeNode("node1", 3500, 40000, scalarResource), makeNode("node2", 3500, 40000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 63}, {Name: "node2", Score: 63}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 63}, {Name: "node2", Score: 63}},
 			name:         "node without the scalar resource should skip the scalar resource",
 			pods:         []*v1.Pod{},
 			args: config.NodeResourcesBalancedAllocationArgs{Resources: []config.ResourceSpec{
@@ -282,7 +282,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			// Node2 Score: (1 - 0.05)*MaxNodeScore = 95
 			pod:          &v1.Pod{Spec: cpuAndMemory},
 			nodes:        []*v1.Node{makeNode("node1", 10000, 20000, nil), makeNode("node2", 10000, 20000, nil)},
-			expectedList: []framework.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 95}},
+			expectedList: []fwk.NodeScore{{Name: "node1", Score: 82}, {Name: "node2", Score: 95}},
 			name:         "resources requested, pods scheduled with resources if PreScore not called",
 			pods: []*v1.Pod{
 				{Spec: cpuOnly},
@@ -303,7 +303,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 			p, _ := NewBalancedAllocation(ctx, &test.args, fh, feature.Features{})
 			state := framework.NewCycleState()
 			if test.runPreScore {
-				status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
+				status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
 				if status.Code() != test.wantPreScoreStatusCode {
 					t.Errorf("unexpected status code, want: %v, got: %v", test.wantPreScoreStatusCode, status.Code())
 				}
@@ -317,7 +317,7 @@ func TestNodeResourcesBalancedAllocation(t *testing.T) {
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", test.nodes[i].Name, err)
 				}
-				hostResult, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				hostResult, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("Score is expected to return success, but didn't. Got status: %v", status)
 				}
diff --git a/pkg/scheduler/framework/plugins/noderesources/fit.go b/pkg/scheduler/framework/plugins/noderesources/fit.go
index 1159a8d8b2ccc..a423986d5c460 100644
--- a/pkg/scheduler/framework/plugins/noderesources/fit.go
+++ b/pkg/scheduler/framework/plugins/noderesources/fit.go
@@ -22,27 +22,31 @@ import (
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/diff"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/component-helpers/resource"
+	"k8s.io/dynamic-resource-allocation/cel"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources/extended"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
+	"k8s.io/utils/ptr"
 )
 
-var _ framework.PreFilterPlugin = &Fit{}
-var _ framework.FilterPlugin = &Fit{}
-var _ framework.EnqueueExtensions = &Fit{}
-var _ framework.PreScorePlugin = &Fit{}
-var _ framework.ScorePlugin = &Fit{}
+var _ fwk.PreFilterPlugin = &Fit{}
+var _ fwk.FilterPlugin = &Fit{}
+var _ fwk.EnqueueExtensions = &Fit{}
+var _ fwk.PreScorePlugin = &Fit{}
+var _ fwk.ScorePlugin = &Fit{}
+var _ fwk.SignPlugin = &Fit{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -86,27 +90,26 @@ var nodeResourceStrategyTypeMap = map[config.ScoringStrategyType]scorer{
 
 // Fit is a plugin that checks if a node has sufficient resources.
 type Fit struct {
-	ignoredResources                sets.Set[string]
-	ignoredResourceGroups           sets.Set[string]
-	enableInPlacePodVerticalScaling bool
-	enableSidecarContainers         bool
-	enableSchedulingQueueHint       bool
-	enablePodLevelResources         bool
-	enableDRAExtendedResource       bool
-	handle                          framework.Handle
-	resourceAllocationScorer
+	ignoredResources                              sets.Set[string]
+	ignoredResourceGroups                         sets.Set[string]
+	enableInPlacePodVerticalScaling               bool
+	enableSidecarContainers                       bool
+	enableSchedulingQueueHint                     bool
+	enablePodLevelResources                       bool
+	enableDRAExtendedResource                     bool
+	enableInPlacePodLevelResourcesVerticalScaling bool
+	handle                                        fwk.Handle
+	*resourceAllocationScorer
 }
 
 // ScoreExtensions of the Score plugin.
-func (f *Fit) ScoreExtensions() framework.ScoreExtensions {
+func (f *Fit) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
 // preFilterState computed at PreFilter and used at Filter.
 type preFilterState struct {
 	framework.Resource
-	// resourceToDeviceClass holds the mapping of extended resource to device class name.
-	resourceToDeviceClass map[v1.ResourceName]string
 }
 
 // Clone the prefilter state.
@@ -119,6 +122,8 @@ type preScoreState struct {
 	// podRequests have the same order as the resources defined in NodeResourcesBalancedAllocationArgs.Resources,
 	// same for other place we store a list like that.
 	podRequests []int64
+	// DRA extended resource scoring related info.
+	*draPreScoreState
 }
 
 // Clone implements the mandatory Clone interface. We don't really copy the data since
@@ -129,9 +134,20 @@ func (s *preScoreState) Clone() fwk.StateData {
 
 // PreScore calculates incoming pod's resource requests and writes them to the cycle state used.
 func (f *Fit) PreScore(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status {
+	podRequests := f.calculatePodResourceRequestList(pod, f.resources)
 	state := &preScoreState{
-		podRequests: f.calculatePodResourceRequestList(pod, f.resources),
+		podRequests: podRequests,
 	}
+	if f.enableDRAExtendedResource {
+		draPreScoreState, status := getDRAPreScoredParams(f.draManager, f.resources)
+		if status != nil {
+			return status
+		}
+		if draPreScoreState != nil {
+			state.draPreScoreState = draPreScoreState
+		}
+	}
+
 	cycleState.Write(preScoreStateKey, state)
 	return nil
 }
@@ -154,8 +170,22 @@ func (f *Fit) Name() string {
 	return Name
 }
 
+// Filtering and scoring based on the container resources and overheads.
+func (pl *Fit) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	opts := ResourceRequestsOptions{
+		EnablePodLevelResources:   pl.enablePodLevelResources,
+		EnableDRAExtendedResource: pl.enableDRAExtendedResource,
+	}
+	if pl.enableDRAExtendedResource {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "signature disabled when dra extended resources enabled")
+	}
+	return []fwk.SignFragment{
+		{Key: fwk.ResourcesSignerName, Value: computePodResourceRequest(pod, opts)},
+	}, nil
+}
+
 // NewFit initializes a new plugin and returns it.
-func NewFit(_ context.Context, plArgs runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func NewFit(_ context.Context, plArgs runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	args, ok := plArgs.(*config.NodeResourcesFitArgs)
 	if !ok {
 		return nil, fmt.Errorf("want args to be of type NodeResourcesFitArgs, got %T", plArgs)
@@ -174,24 +204,65 @@ func NewFit(_ context.Context, plArgs runtime.Object, h framework.Handle, fts fe
 		return nil, fmt.Errorf("scoring strategy %s is not supported", strategy)
 	}
 
+	scorer := scorePlugin(args)
+	if fts.EnableDRAExtendedResource {
+		scorer.enableDRAExtendedResource = true
+		scorer.draManager = h.SharedDRAManager()
+		scorer.draFeatures = dynamicresources.AllocatorFeatures(fts)
+		// Create a CEL cache for device class selector compilation
+		// This cache improves performance by avoiding recompilation of the same CEL expressions
+		scorer.DRACaches.celCache = cel.NewCache(10, cel.Features{EnableConsumableCapacity: fts.EnableDRAConsumableCapacity})
+	}
+
 	return &Fit{
-		ignoredResources:                sets.New(args.IgnoredResources...),
-		ignoredResourceGroups:           sets.New(args.IgnoredResourceGroups...),
-		enableInPlacePodVerticalScaling: fts.EnableInPlacePodVerticalScaling,
-		enableSidecarContainers:         fts.EnableSidecarContainers,
-		enableSchedulingQueueHint:       fts.EnableSchedulingQueueHint,
-		handle:                          h,
-		enablePodLevelResources:         fts.EnablePodLevelResources,
-		enableDRAExtendedResource:       fts.EnableDRAExtendedResource,
-		resourceAllocationScorer:        *scorePlugin(args),
+		ignoredResources:                              sets.New(args.IgnoredResources...),
+		ignoredResourceGroups:                         sets.New(args.IgnoredResourceGroups...),
+		enableInPlacePodVerticalScaling:               fts.EnableInPlacePodVerticalScaling,
+		enableSidecarContainers:                       fts.EnableSidecarContainers,
+		enableSchedulingQueueHint:                     fts.EnableSchedulingQueueHint,
+		handle:                                        h,
+		enablePodLevelResources:                       fts.EnablePodLevelResources,
+		enableDRAExtendedResource:                     fts.EnableDRAExtendedResource,
+		enableInPlacePodLevelResourcesVerticalScaling: fts.EnableInPlacePodLevelResourcesVerticalScaling,
+		resourceAllocationScorer:                      scorer,
 	}, nil
 }
 
+// ResourceRequestsOptions contains feature gate flags for resource request computation.
 type ResourceRequestsOptions struct {
 	EnablePodLevelResources   bool
 	EnableDRAExtendedResource bool
 }
 
+// shouldDelegateResourceToDRA checks if the given resource should be delegated to the DRA plugin.
+// It returns true if:
+//  1. The resource is not a scalar resource in the node's allocatable (not provided by device plugin)
+//  2. Either:
+//     a. A device class mapping exists for the resource in the cache (when draManager is available), OR
+//     b. draManager is nil (e.g., kubelet admission check) and the resource name suggests it's a DRA resource
+func shouldDelegateResourceToDRA(rName v1.ResourceName, nodeInfo fwk.NodeInfo, draManager fwk.SharedDRAManager, opts ResourceRequestsOptions) bool {
+	if !opts.EnableDRAExtendedResource {
+		return false
+	}
+
+	if allocatable := nodeInfo.GetAllocatable().GetScalarResources()[rName]; allocatable > 0 {
+		return false
+	}
+
+	// If draManager is available, check the cache for a mapping
+	if draManager != nil {
+		cache := draManager.DeviceClassResolver()
+		return cache.GetDeviceClass(rName) != nil
+	}
+
+	// If draManager is nil (e.g., kubelet admission check), delegate resources that are not in
+	// the node's allocatable. This allows pod to be admitted even when the kubelet
+	// doesn't have access to the device class cache.
+	// This can be removed once we have the fix for kubelet to admit pods with
+	// implicit extended resources or node's allocatable for the extended resource is zero.
+	return true
+}
+
 // computePodResourceRequest returns a framework.Resource that covers the largest
 // width in each resource dimension. Because init-containers run sequentially, we collect
 // the max in each dimension iteratively. In contrast, we sum the resource vectors for
@@ -219,8 +290,6 @@ type ResourceRequestsOptions struct {
 //	    Memory: 1G
 //
 // Result: CPU: 3, Memory: 3G
-// TODO(ndixita): modify computePodResourceRequest to accept opts of type
-// ResourceRequestOptions as the second parameter.
 func computePodResourceRequest(pod *v1.Pod, opts ResourceRequestsOptions) *preFilterState {
 	// pod hasn't scheduled yet so we don't need to worry about InPlacePodVerticalScalingEnabled
 	reqs := resource.PodRequests(pod, resource.PodResourcesOptions{
@@ -232,36 +301,8 @@ func computePodResourceRequest(pod *v1.Pod, opts ResourceRequestsOptions) *preFi
 	return result
 }
 
-// withDeviceClass adds resource to device class mapping to preFilterState.
-func withDeviceClass(result *preFilterState, draManager framework.SharedDRAManager) *fwk.Status {
-	hasExtendedResource := false
-	for rName, rQuant := range result.ScalarResources {
-		// Skip in case request quantity is zero
-		if rQuant == 0 {
-			continue
-		}
-
-		if v1helper.IsExtendedResourceName(rName) {
-			hasExtendedResource = true
-			break
-		}
-	}
-	if hasExtendedResource {
-		resourceToDeviceClass, err := extended.DeviceClassMapping(draManager)
-		if err != nil {
-			return fwk.AsStatus(err)
-		}
-		result.resourceToDeviceClass = resourceToDeviceClass
-		if len(resourceToDeviceClass) == 0 {
-			// ensure it is empty map, not nil.
-			result.resourceToDeviceClass = make(map[v1.ResourceName]string, 0)
-		}
-	}
-	return nil
-}
-
 // PreFilter invoked at the prefilter extension point.
-func (f *Fit) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (f *Fit) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	if !f.enableSidecarContainers && hasRestartableInitContainer(pod) {
 		// Scheduler will calculate resources usage for a Pod containing
 		// restartable init containers that will be equal or more than kubelet will
@@ -271,18 +312,13 @@ func (f *Fit) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.
 		return nil, fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "Pod has a restartable init container and the SidecarContainers feature is disabled")
 	}
 	result := computePodResourceRequest(pod, ResourceRequestsOptions{EnablePodLevelResources: f.enablePodLevelResources})
-	if f.enableDRAExtendedResource {
-		if err := withDeviceClass(result, f.handle.SharedDRAManager()); err != nil {
-			return nil, err
-		}
-	}
 
 	cycleState.Write(preFilterStateKey, result)
 	return nil, nil
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (f *Fit) PreFilterExtensions() framework.PreFilterExtensions {
+func (f *Fit) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -320,10 +356,16 @@ func (f *Fit) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, e
 		nodeActionType = fwk.Add | fwk.UpdateNodeAllocatable
 	}
 
-	return []fwk.ClusterEventWithHint{
+	events := []fwk.ClusterEventWithHint{
 		{Event: fwk.ClusterEvent{Resource: fwk.Pod, ActionType: podActionType}, QueueingHintFn: f.isSchedulableAfterPodEvent},
 		{Event: fwk.ClusterEvent{Resource: fwk.Node, ActionType: nodeActionType}, QueueingHintFn: f.isSchedulableAfterNodeChange},
-	}, nil
+	}
+	if f.enableDRAExtendedResource {
+		events = append(events,
+			// A pod might be waiting for an exteneded resurce from a class to get created or modified.
+			fwk.ClusterEventWithHint{Event: fwk.ClusterEvent{Resource: fwk.DeviceClass, ActionType: fwk.Add | fwk.Update}, QueueingHintFn: f.isSchedulableAfterDeviceClassEvent})
+	}
+	return events, nil
 }
 
 // isSchedulableAfterPodEvent is invoked whenever a pod deleted or scaled down. It checks whether
@@ -382,11 +424,12 @@ func (f *Fit) isSchedulableAfterPodScaleDown(targetPod, originalPod, modifiedPod
 
 	// the other pod was scheduled, so modification or deletion may free up some resources.
 	originalMaxResourceReq, modifiedMaxResourceReq := &framework.Resource{}, &framework.Resource{}
-	originalMaxResourceReq.SetMaxResource(resource.PodRequests(originalPod, resource.PodResourcesOptions{UseStatusResources: f.enableInPlacePodVerticalScaling}))
-	modifiedMaxResourceReq.SetMaxResource(resource.PodRequests(modifiedPod, resource.PodResourcesOptions{UseStatusResources: f.enableInPlacePodVerticalScaling}))
+	opts := resource.PodResourcesOptions{UseStatusResources: f.enableInPlacePodVerticalScaling, InPlacePodLevelResourcesVerticalScalingEnabled: f.enableInPlacePodLevelResourcesVerticalScaling}
+	originalMaxResourceReq.SetMaxResource(resource.PodRequests(originalPod, opts))
+	modifiedMaxResourceReq.SetMaxResource(resource.PodRequests(modifiedPod, opts))
 
 	// check whether the resource request of the modified pod is less than the original pod.
-	podRequests := resource.PodRequests(targetPod, resource.PodResourcesOptions{UseStatusResources: f.enableInPlacePodVerticalScaling})
+	podRequests := resource.PodRequests(targetPod, opts)
 	for rName, rValue := range podRequests {
 		if rValue.IsZero() {
 			// We only care about the resources requested by the pod we are trying to schedule.
@@ -421,8 +464,19 @@ func (f *Fit) isSchedulableAfterNodeChange(logger klog.Logger, pod *v1.Pod, oldO
 	if err != nil {
 		return fwk.Queue, err
 	}
+	// Use the DRA manager's extended resource cache for event handlers
+	var draManager fwk.SharedDRAManager
+	if f.enableDRAExtendedResource {
+		draManager = f.handle.SharedDRAManager()
+	}
+
+	opts := ResourceRequestsOptions{
+		EnablePodLevelResources:   f.enablePodLevelResources,
+		EnableDRAExtendedResource: f.enableDRAExtendedResource,
+	}
+
 	// Leaving in the queue, since the pod won't fit into the modified node anyway.
-	if !isFit(pod, modifiedNode, ResourceRequestsOptions{EnablePodLevelResources: f.enablePodLevelResources, EnableDRAExtendedResource: f.enableDRAExtendedResource}) {
+	if !isFit(pod, modifiedNode, draManager, opts) {
 		logger.V(5).Info("node was created or updated, but it doesn't have enough resource(s) to accommodate this pod", "pod", klog.KObj(pod), "node", klog.KObj(modifiedNode))
 		return fwk.QueueSkip, nil
 	}
@@ -432,7 +486,7 @@ func (f *Fit) isSchedulableAfterNodeChange(logger klog.Logger, pod *v1.Pod, oldO
 		return fwk.Queue, nil
 	}
 	// The pod will fit, but since there was no increase in available resources, the change won't make the pod schedulable.
-	if !haveAnyRequestedResourcesIncreased(pod, originalNode, modifiedNode, ResourceRequestsOptions{EnablePodLevelResources: f.enablePodLevelResources, EnableDRAExtendedResource: f.enableDRAExtendedResource}) {
+	if !haveAnyRequestedResourcesIncreased(pod, originalNode, modifiedNode, draManager, opts) {
 		logger.V(5).Info("node was updated, but haven't changed the pod's resource requestments fit assessment", "pod", klog.KObj(pod), "node", klog.KObj(modifiedNode))
 		return fwk.QueueSkip, nil
 	}
@@ -441,8 +495,39 @@ func (f *Fit) isSchedulableAfterNodeChange(logger klog.Logger, pod *v1.Pod, oldO
 	return fwk.Queue, nil
 }
 
+// isSchedulableAfterDeviceClassChange is invoked whenever a device class added or changed. It checks whether
+// that change could make a previously unschedulable pod schedulable.
+func (f *Fit) isSchedulableAfterDeviceClassEvent(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
+	originalClass, modifiedClass, err := schedutil.As[*resourceapi.DeviceClass](oldObj, newObj)
+	if err != nil {
+		return fwk.Queue, err
+	}
+	if originalClass != nil {
+		if ptr.Deref(originalClass.Spec.ExtendedResourceName, "") == ptr.Deref(modifiedClass.Spec.ExtendedResourceName, "") {
+			logger.V(5).Info("device class has identical extended resource name", "pod", klog.KObj(pod), "deviceclass", klog.KObj(modifiedClass))
+			return fwk.QueueSkip, nil
+		}
+	} else {
+		// only check implicit extended resource name for Add, as device class name does not change during Update.
+		reqs := resource.PodRequests(pod, resource.PodResourcesOptions{})
+		if _, ok := reqs[v1.ResourceName(resourceapi.ResourceDeviceClassPrefix+modifiedClass.Name)]; ok {
+			logger.V(5).Info("device class was added, and may now fit the pod's resource requests", "pod", klog.KObj(pod), "deviceclass", klog.KObj(modifiedClass))
+			return fwk.Queue, nil
+		}
+	}
+	if modifiedClass.Spec.ExtendedResourceName != nil {
+		reqs := resource.PodRequests(pod, resource.PodResourcesOptions{})
+		if _, ok := reqs[v1.ResourceName(*modifiedClass.Spec.ExtendedResourceName)]; ok {
+			logger.V(5).Info("device class was created or updated, and may fit the pod's resoruce requests", "pod", klog.KObj(pod), "deviceclass", klog.KObj(modifiedClass))
+			return fwk.Queue, nil
+		}
+	}
+	logger.V(5).Info("created or updated deivce class extended resource name is either nil, or does not match pod's resource request", "pod", klog.KObj(pod), "deviceclass", klog.KObj(modifiedClass))
+	return fwk.QueueSkip, nil
+}
+
 // haveAnyRequestedResourcesIncreased returns true if any of the resources requested by the pod have increased or if allowed pod number increased.
-func haveAnyRequestedResourcesIncreased(pod *v1.Pod, originalNode, modifiedNode *v1.Node, opts ResourceRequestsOptions) bool {
+func haveAnyRequestedResourcesIncreased(pod *v1.Pod, originalNode, modifiedNode *v1.Node, draManager fwk.SharedDRAManager, opts ResourceRequestsOptions) bool {
 	podRequest := computePodResourceRequest(pod, opts)
 	originalNodeInfo := framework.NewNodeInfo()
 	originalNodeInfo.SetNode(originalNode)
@@ -476,17 +561,8 @@ func haveAnyRequestedResourcesIncreased(pod *v1.Pod, originalNode, modifiedNode
 			return true
 		}
 
-		if opts.EnableDRAExtendedResource {
-			_, okScalar := modifiedNodeInfo.GetAllocatable().GetScalarResources()[rName]
-			_, okDynamic := podRequest.resourceToDeviceClass[rName]
-
-			if (okDynamic || podRequest.resourceToDeviceClass == nil) && !okScalar {
-				// The extended resource request matches a device class or no device class mapping
-				// provided and it is not in the node's Allocatable (i.e. it is not provided
-				// by the node's device plugin), then leave it to the dynamicresources
-				// plugin to evaluate whether it can be satisfy by DRA resources.
-				return true
-			}
+		if shouldDelegateResourceToDRA(rName, modifiedNodeInfo, draManager, opts) {
+			return true
 		}
 	}
 	return false
@@ -494,13 +570,14 @@ func haveAnyRequestedResourcesIncreased(pod *v1.Pod, originalNode, modifiedNode
 
 // isFit checks if the pod fits the node. If the node is nil, it returns false.
 // It constructs a fake NodeInfo object for the node and checks if the pod fits the node.
-func isFit(pod *v1.Pod, node *v1.Node, opts ResourceRequestsOptions) bool {
+func isFit(pod *v1.Pod, node *v1.Node, draManager fwk.SharedDRAManager, opts ResourceRequestsOptions) bool {
 	if node == nil {
 		return false
 	}
 	nodeInfo := framework.NewNodeInfo()
 	nodeInfo.SetNode(node)
-	return len(Fits(pod, nodeInfo, opts)) == 0
+
+	return len(Fits(pod, nodeInfo, draManager, opts)) == 0
 }
 
 // Filter invoked at the filter extension point.
@@ -512,9 +589,17 @@ func (f *Fit) Filter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod
 		return fwk.AsStatus(err)
 	}
 
-	insufficientResources := fitsRequest(s, nodeInfo, f.ignoredResources, f.ignoredResourceGroups, ResourceRequestsOptions{
+	var draManager fwk.SharedDRAManager
+	if f.enableDRAExtendedResource {
+		draManager = f.handle.SharedDRAManager()
+	}
+
+	opts := ResourceRequestsOptions{
 		EnablePodLevelResources:   f.enablePodLevelResources,
-		EnableDRAExtendedResource: f.enableDRAExtendedResource})
+		EnableDRAExtendedResource: f.enableDRAExtendedResource,
+	}
+
+	insufficientResources := fitsRequest(s, nodeInfo, f.ignoredResources, f.ignoredResourceGroups, draManager, opts)
 
 	if len(insufficientResources) != 0 {
 		// We will keep all failure reasons.
@@ -557,11 +642,11 @@ type InsufficientResource struct {
 }
 
 // Fits checks if node have enough resources to host the pod.
-func Fits(pod *v1.Pod, nodeInfo fwk.NodeInfo, opts ResourceRequestsOptions) []InsufficientResource {
-	return fitsRequest(computePodResourceRequest(pod, opts), nodeInfo, nil, nil, opts)
+func Fits(pod *v1.Pod, nodeInfo fwk.NodeInfo, draManager fwk.SharedDRAManager, opts ResourceRequestsOptions) []InsufficientResource {
+	return fitsRequest(computePodResourceRequest(pod, opts), nodeInfo, nil, nil, draManager, opts)
 }
 
-func fitsRequest(podRequest *preFilterState, nodeInfo fwk.NodeInfo, ignoredExtendedResources, ignoredResourceGroups sets.Set[string], opts ResourceRequestsOptions) []InsufficientResource {
+func fitsRequest(podRequest *preFilterState, nodeInfo fwk.NodeInfo, ignoredExtendedResources, ignoredResourceGroups sets.Set[string], draManager fwk.SharedDRAManager, opts ResourceRequestsOptions) []InsufficientResource {
 	insufficientResources := make([]InsufficientResource, 0, 4)
 
 	allowedPodNumber := nodeInfo.GetAllocatable().GetAllowedPodNumber()
@@ -632,17 +717,8 @@ func fitsRequest(podRequest *preFilterState, nodeInfo fwk.NodeInfo, ignoredExten
 			}
 		}
 
-		if opts.EnableDRAExtendedResource {
-			_, okScalar := nodeInfo.GetAllocatable().GetScalarResources()[rName]
-			_, okDynamic := podRequest.resourceToDeviceClass[rName]
-
-			if (okDynamic || podRequest.resourceToDeviceClass == nil) && !okScalar {
-				// The extended resource request matches a device class or no device class mapping
-				// provided and it is not in the node's Allocatable (i.e. it is not provided
-				// by the node's device plugin), then leave it to the dynamicresources
-				// plugin to evaluate whether it can be satisfy by DRA resources.
-				continue
-			}
+		if shouldDelegateResourceToDRA(rName, nodeInfo, draManager, opts) {
+			continue
 		}
 		if rQuant > (nodeInfo.GetAllocatable().GetScalarResources()[rName] - nodeInfo.GetRequested().GetScalarResources()[rName]) {
 			insufficientResources = append(insufficientResources, InsufficientResource{
@@ -666,7 +742,16 @@ func (f *Fit) Score(ctx context.Context, state fwk.CycleState, pod *v1.Pod, node
 		s = &preScoreState{
 			podRequests: f.calculatePodResourceRequestList(pod, f.resources),
 		}
+		if f.enableDRAExtendedResource {
+			draPreScoreState, status := getDRAPreScoredParams(f.draManager, f.resources)
+			if status != nil {
+				return 0, status
+			}
+			if draPreScoreState != nil {
+				s.draPreScoreState = draPreScoreState
+			}
+		}
 	}
 
-	return f.score(ctx, pod, nodeInfo, s.podRequests)
+	return f.score(ctx, pod, nodeInfo, s.podRequests, s.draPreScoreState)
 }
diff --git a/pkg/scheduler/framework/plugins/noderesources/fit_test.go b/pkg/scheduler/framework/plugins/noderesources/fit_test.go
index cc5583d0e72a0..2953b71876a6e 100644
--- a/pkg/scheduler/framework/plugins/noderesources/fit_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/fit_test.go
@@ -29,11 +29,15 @@ import (
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
 	"k8s.io/klog/v2/ktesting"
 	_ "k8s.io/klog/v2/ktesting/init"
 	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
@@ -44,6 +48,7 @@ import (
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	tf "k8s.io/kubernetes/pkg/scheduler/testing/framework"
 	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
+	"k8s.io/utils/ptr"
 )
 
 var (
@@ -153,7 +158,7 @@ func TestEnoughRequests(t *testing.T) {
 		args                       config.NodeResourcesFitArgs
 		podLevelResourcesEnabled   bool
 		draExtendedResourceEnabled bool
-		nilResourceToDeviceClass   bool
+		nilDRAManager              bool
 		wantInsufficientResources  []InsufficientResource
 		wantStatus                 *fwk.Status
 	}{
@@ -632,17 +637,21 @@ func TestEnoughRequests(t *testing.T) {
 			draExtendedResourceEnabled: true,
 			pod: newResourcePod(
 				framework.Resource{MilliCPU: 1, Memory: 1, ScalarResources: map[v1.ResourceName]int64{extendedResourceDRA: 1}}),
-			nodeInfo:                  framework.NewNodeInfo(newResourcePod(framework.Resource{MilliCPU: 0, Memory: 0})),
-			name:                      "extended resource backed by DRA",
+			nodeInfo: framework.NewNodeInfo(newResourcePod(framework.Resource{MilliCPU: 0, Memory: 0})),
+			name:     "extended resource backed by DRA",
+			// When DRAExtendedResource is enabled and there's a matching DeviceClass,
+			// the noderesources plugin delegates to DRA instead of reporting insufficient resources.
 			wantInsufficientResources: []InsufficientResource{},
 		},
 		{
 			draExtendedResourceEnabled: true,
+			nilDRAManager:              true,
 			pod: newResourcePod(
-				framework.Resource{MilliCPU: 1, Memory: 1, ScalarResources: map[v1.ResourceName]int64{extendedResourceDRA: 1}}),
-			nodeInfo:                  framework.NewNodeInfo(newResourcePod(framework.Resource{MilliCPU: 0, Memory: 0})),
-			name:                      "extended resource backed by DRA, nil resourceToDeviceClass",
-			nilResourceToDeviceClass:  true,
+				framework.Resource{MilliCPU: 1, Memory: 1, ScalarResources: map[v1.ResourceName]int64{extendedResourceA: 1}}),
+			nodeInfo: framework.NewNodeInfo(newResourcePod(framework.Resource{MilliCPU: 0, Memory: 0})),
+			name:     "extended resource backed by DRA, nil draManager",
+			// When DRAExtendedResource is enabled but draManager is nil (e.g., kubelet path),
+			// the noderesources plugin delegates to DRA instead of reporting insufficient resources.
 			wantInsufficientResources: []InsufficientResource{},
 		},
 		{
@@ -677,11 +686,28 @@ func TestEnoughRequests(t *testing.T) {
 				},
 			},
 		},
+		{
+			draExtendedResourceEnabled: true,
+			pod: newResourcePod(
+				framework.Resource{ScalarResources: map[v1.ResourceName]int64{extendedResourceDRA: 1}}),
+			nodeInfo:                  framework.NewNodeInfo(newResourcePod(framework.Resource{ScalarResources: map[v1.ResourceName]int64{extendedResourceDRA: 0}})),
+			name:                      "extended resource was backed by Device Plugin (Allocatable: 0)",
+			wantInsufficientResources: []InsufficientResource{},
+		},
+		{
+			draExtendedResourceEnabled: true,
+			pod: newResourcePod(
+				framework.Resource{ScalarResources: map[v1.ResourceName]int64{extendedResourceA: 1}}),
+			nodeInfo:                  framework.NewNodeInfo(newResourcePod(framework.Resource{ScalarResources: map[v1.ResourceName]int64{extendedResourceA: 0}})),
+			name:                      "extended resource was backed by Device Plugin (Allocatable: 0), global cache",
+			wantInsufficientResources: []InsufficientResource{},
+		},
 	}
 
 	for _, test := range enoughPodsTests {
 		t.Run(test.name, func(t *testing.T) {
 
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, test.draExtendedResourceEnabled)
 			node := v1.Node{Status: v1.NodeStatus{Capacity: makeResources(10, 20, 32, 5, 20, 5), Allocatable: makeAllocatableResources(10, 20, 32, 5, 20, 5)}}
 			test.nodeInfo.SetNode(&node)
 
@@ -695,7 +721,14 @@ func TestEnoughRequests(t *testing.T) {
 
 			client := fake.NewSimpleClientset(deviceClassWithExtendResourceName)
 			informerFactory := informers.NewSharedInformerFactory(client, 0)
-			draManager := dynamicresources.NewDRAManager(ctx, assumecache.NewAssumeCache(logger, informerFactory.Resource().V1().ResourceClaims().Informer(), "resource claim", "", nil), nil, informerFactory)
+			claimsCache := assumecache.NewAssumeCache(logger, informerFactory.Resource().V1().ResourceClaims().Informer(), "resource claim", "", nil)
+			draManager := dynamicresources.NewDRAManager(ctx, claimsCache, nil, informerFactory)
+			if test.draExtendedResourceEnabled {
+				cache := draManager.DeviceClassResolver().(*extendedresourcecache.ExtendedResourceCache)
+				if _, err := informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(cache); err != nil {
+					logger.Error(err, "failed to add device class informer event handler")
+				}
+			}
 			informerFactory.Start(ctx.Done())
 			t.Cleanup(func() {
 				// Now we can wait for all goroutines to stop.
@@ -711,22 +744,23 @@ func TestEnoughRequests(t *testing.T) {
 				t.Fatal(err)
 			}
 			cycleState := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if !preFilterStatus.IsSuccess() {
 				t.Errorf("prefilter failed with status: %v", preFilterStatus)
 			}
 
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("status does not match (-want,+got):\n%s", diff)
 			}
 
 			opts := ResourceRequestsOptions{EnablePodLevelResources: test.podLevelResourcesEnabled, EnableDRAExtendedResource: test.draExtendedResourceEnabled}
 			state := computePodResourceRequest(test.pod, opts)
-			if test.draExtendedResourceEnabled && !test.nilResourceToDeviceClass {
-				state.resourceToDeviceClass = map[v1.ResourceName]string{extendedResourceDRA: deviceClassName}
+			var testDRAManager fwk.SharedDRAManager
+			if !test.nilDRAManager {
+				testDRAManager = draManager
 			}
-			gotInsufficientResources := fitsRequest(state, test.nodeInfo, p.(*Fit).ignoredResources, p.(*Fit).ignoredResourceGroups, opts)
+			gotInsufficientResources := fitsRequest(state, test.nodeInfo, p.(*Fit).ignoredResources, p.(*Fit).ignoredResourceGroups, testDRAManager, opts)
 			if diff := cmp.Diff(test.wantInsufficientResources, gotInsufficientResources); diff != "" {
 				t.Errorf("insufficient resources do not match (-want,+got):\n%s", diff)
 			}
@@ -747,7 +781,7 @@ func TestPreFilterDisabled(t *testing.T) {
 		t.Fatal(err)
 	}
 	cycleState := framework.NewCycleState()
-	gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
+	gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, pod, nodeInfo)
 	wantStatus := fwk.AsStatus(fwk.ErrNotFound)
 	if diff := cmp.Diff(wantStatus, gotStatus); diff != "" {
 		t.Errorf("status does not match (-want,+got):\n%s", diff)
@@ -800,12 +834,12 @@ func TestNotEnoughRequests(t *testing.T) {
 				t.Fatal(err)
 			}
 			cycleState := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if !preFilterStatus.IsSuccess() {
 				t.Errorf("prefilter failed with status: %v", preFilterStatus)
 			}
 
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("status does not match (-want,+got):\n%s", diff)
 			}
@@ -861,12 +895,12 @@ func TestStorageRequests(t *testing.T) {
 				t.Fatal(err)
 			}
 			cycleState := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if !preFilterStatus.IsSuccess() {
 				t.Errorf("prefilter failed with status: %v", preFilterStatus)
 			}
 
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("status does not match (-want,+got):\n%s", diff)
 			}
@@ -971,7 +1005,7 @@ func TestRestartableInitContainers(t *testing.T) {
 				t.Fatal(err)
 			}
 			cycleState := framework.NewCycleState()
-			_, preFilterStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.wantPreFilterStatus, preFilterStatus); diff != "" {
 				t.Error("prefilter status does not match (-expected +actual):\n", diff)
 			}
@@ -979,7 +1013,7 @@ func TestRestartableInitContainers(t *testing.T) {
 				return
 			}
 
-			filterStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, nodeInfo)
+			filterStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, nodeInfo)
 			if diff := cmp.Diff(test.wantFilterStatus, filterStatus); diff != "" {
 				t.Error("filter status does not match (-expected +actual):\n", diff)
 			}
@@ -994,7 +1028,7 @@ func TestFitScore(t *testing.T) {
 		requestedPod         *v1.Pod
 		nodes                []*v1.Node
 		existingPods         []*v1.Pod
-		expectedPriorities   framework.NodeScoreList
+		expectedPriorities   fwk.NodeScoreList
 		nodeResourcesFitArgs config.NodeResourcesFitArgs
 		runPreScore          bool
 	}{
@@ -1011,7 +1045,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 10}, {Name: "node2", Score: 32}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 10}, {Name: "node2", Score: 32}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.RequestedToCapacityRatio,
@@ -1039,7 +1073,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 95}, {Name: "node2", Score: 68}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 95}, {Name: "node2", Score: 68}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.RequestedToCapacityRatio,
@@ -1067,7 +1101,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 36}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 36}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.MostAllocated,
@@ -1089,7 +1123,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 63}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 63}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.LeastAllocated,
@@ -1111,7 +1145,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 10}, {Name: "node2", Score: 32}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 10}, {Name: "node2", Score: 32}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.RequestedToCapacityRatio,
@@ -1139,7 +1173,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 36}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 36}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.MostAllocated,
@@ -1161,7 +1195,7 @@ func TestFitScore(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "2000", "memory": "4000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 63}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 63}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.LeastAllocated,
@@ -1184,7 +1218,7 @@ func TestFitScore(t *testing.T) {
 					SidecarReq(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 45}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 67}, {Name: "node2", Score: 45}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.MostAllocated,
@@ -1207,7 +1241,7 @@ func TestFitScore(t *testing.T) {
 					SidecarReq(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "1000", "memory": "2000"}).Obj(),
 			},
-			expectedPriorities: []framework.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 55}},
+			expectedPriorities: []fwk.NodeScore{{Name: "node1", Score: 32}, {Name: "node2", Score: 55}},
 			nodeResourcesFitArgs: config.NodeResourcesFitArgs{
 				ScoringStrategy: &config.ScoringStrategy{
 					Type:      config.LeastAllocated,
@@ -1233,10 +1267,10 @@ func TestFitScore(t *testing.T) {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
-			var gotPriorities framework.NodeScoreList
+			var gotPriorities fwk.NodeScoreList
 			for _, n := range test.nodes {
 				if test.runPreScore {
-					status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
+					status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
 					if !status.IsSuccess() {
 						t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 					}
@@ -1245,11 +1279,11 @@ func TestFitScore(t *testing.T) {
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("Score is expected to return success, but didn't. Got status: %v", status)
 				}
-				gotPriorities = append(gotPriorities, framework.NodeScore{Name: n.Name, Score: score})
+				gotPriorities = append(gotPriorities, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedPriorities, gotPriorities); diff != "" {
@@ -1383,6 +1417,7 @@ func TestEventsToRegister(t *testing.T) {
 		name                            string
 		enableInPlacePodVerticalScaling bool
 		enableSchedulingQueueHint       bool
+		enableDRAExtendedResource       bool
 		expectedClusterEvents           []fwk.ClusterEventWithHint
 	}{
 		{
@@ -1409,11 +1444,28 @@ func TestEventsToRegister(t *testing.T) {
 				{Event: fwk.ClusterEvent{Resource: "Node", ActionType: fwk.Add | fwk.UpdateNodeAllocatable | fwk.UpdateNodeTaint | fwk.UpdateNodeLabel}},
 			},
 		},
+		{
+			name:                      "Register events with DRAExtendedResource feature enabled",
+			enableDRAExtendedResource: true,
+			expectedClusterEvents: []fwk.ClusterEventWithHint{
+				{Event: fwk.ClusterEvent{Resource: "Pod", ActionType: fwk.Delete}},
+				{Event: fwk.ClusterEvent{Resource: "Node", ActionType: fwk.Add | fwk.UpdateNodeAllocatable | fwk.UpdateNodeTaint | fwk.UpdateNodeLabel}},
+				{Event: fwk.ClusterEvent{Resource: fwk.DeviceClass, ActionType: fwk.Add | fwk.Update}},
+			},
+		},
+		{
+			name:                      "Register events with DRAExtendedResource feature disabled",
+			enableDRAExtendedResource: false,
+			expectedClusterEvents: []fwk.ClusterEventWithHint{
+				{Event: fwk.ClusterEvent{Resource: "Pod", ActionType: fwk.Delete}},
+				{Event: fwk.ClusterEvent{Resource: "Node", ActionType: fwk.Add | fwk.UpdateNodeAllocatable | fwk.UpdateNodeTaint | fwk.UpdateNodeLabel}},
+			},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			fp := &Fit{enableInPlacePodVerticalScaling: test.enableInPlacePodVerticalScaling, enableSchedulingQueueHint: test.enableSchedulingQueueHint}
+			fp := &Fit{enableInPlacePodVerticalScaling: test.enableInPlacePodVerticalScaling, enableSchedulingQueueHint: test.enableSchedulingQueueHint, enableDRAExtendedResource: test.enableDRAExtendedResource}
 			_, ctx := ktesting.NewTestContext(t)
 			actualClusterEvents, err := fp.EventsToRegister(ctx)
 			if err != nil {
@@ -1485,6 +1537,13 @@ func Test_isSchedulableAfterPodChange(t *testing.T) {
 			enableInPlacePodVerticalScaling: true,
 			expectedHint:                    fwk.QueueSkip,
 		},
+		"skip-queue-on-other-pod-unrelated-pod-level-resource-scaled-down": {
+			pod:                             st.MakePod().Name("pod1").UID("pod1").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
+			oldObj:                          st.MakePod().Name("pod2").UID("pod2").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceMemory: "2"}).Node("fake").Obj(),
+			newObj:                          st.MakePod().Name("pod2").UID("pod2").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceMemory: "1"}).Node("fake").Obj(),
+			enableInPlacePodVerticalScaling: true,
+			expectedHint:                    fwk.QueueSkip,
+		},
 		"queue-on-other-pod-some-resource-scale-down": {
 			pod:                             st.MakePod().Name("pod1").UID("pod1").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
 			oldObj:                          st.MakePod().Name("pod2").UID("pod2").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Node("fake").Obj(),
@@ -1492,6 +1551,13 @@ func Test_isSchedulableAfterPodChange(t *testing.T) {
 			enableInPlacePodVerticalScaling: true,
 			expectedHint:                    fwk.Queue,
 		},
+		"queue-on-other-pod-some-pod-level-resource-scale-down": {
+			pod:                             st.MakePod().Name("pod1").UID("pod1").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
+			oldObj:                          st.MakePod().Name("pod2").UID("pod2").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Node("fake").Obj(),
+			newObj:                          st.MakePod().Name("pod2").UID("pod2").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Node("fake").Obj(),
+			enableInPlacePodVerticalScaling: true,
+			expectedHint:                    fwk.Queue,
+		},
 		"queue-on-target-pod-some-resource-scale-down": {
 			pod:                             st.MakePod().Name("pod1").UID("pod1").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
 			oldObj:                          st.MakePod().Name("pod1").UID("pod1").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Obj(),
@@ -1499,6 +1565,13 @@ func Test_isSchedulableAfterPodChange(t *testing.T) {
 			enableInPlacePodVerticalScaling: true,
 			expectedHint:                    fwk.Queue,
 		},
+		"queue-on-target-pod-some-pod-level-resource-scale-down": {
+			pod:                             st.MakePod().Name("pod1").UID("pod1").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
+			oldObj:                          st.MakePod().Name("pod1").UID("pod1").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Obj(),
+			newObj:                          st.MakePod().Name("pod1").UID("pod1").PodLevelResourceRequests(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
+			enableInPlacePodVerticalScaling: true,
+			expectedHint:                    fwk.Queue,
+		},
 	}
 
 	for name, tc := range testcases {
@@ -1649,6 +1722,155 @@ func Test_isSchedulableAfterNodeChange(t *testing.T) {
 	}
 }
 
+func Test_isSchedulableAfterDeviceClassChange(t *testing.T) {
+	ern := "example.com/gpu"
+	testcases := map[string]struct {
+		pod            *v1.Pod
+		oldObj, newObj any
+		expectedHint   fwk.QueueingHint
+		expectedErr    bool
+	}{
+		"backoff-wrong-new-object": {
+			pod:          &v1.Pod{},
+			newObj:       "not-a-class",
+			expectedHint: fwk.Queue,
+			expectedErr:  true,
+		},
+		"backoff-wrong-old-object": {
+			pod:          &v1.Pod{},
+			oldObj:       "not-a-class",
+			newObj:       &resourceapi.DeviceClass{},
+			expectedHint: fwk.Queue,
+			expectedErr:  true,
+		},
+		"skip-queue-on-class-nil-extended-resource-name-pointer": {
+			pod: newResourcePod(framework.Resource{Memory: 2}),
+			newObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{},
+			},
+			oldObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"skip-queue-on-class-same-extended-resource-name-pointer": {
+			pod: newResourcePod(framework.Resource{Memory: 2}),
+			newObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{
+					ExtendedResourceName: &ern,
+				},
+			},
+			oldObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{
+					ExtendedResourceName: &ern,
+				},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"skip-queue-on-class-same-extended-resource-name": {
+			pod: newResourcePod(framework.Resource{Memory: 2}),
+			newObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			oldObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"queue-on-class-add-with-implicit-extended-resource-name": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"deviceclass.resource.kubernetes.io/gpuclass": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "gpuclass",
+				},
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			expectedHint: fwk.Queue,
+		},
+		"skip-on-class-add-with-implicit-extended-resource-name-not-matching": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"deviceclass.resource.kubernetes.io/gpuclass": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "myclass",
+				},
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"skip-on-class-add-with-explicit-extended-resource-name-not-matching": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"example.com/othergpu": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "myclass",
+				},
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"skip-on-class-update-with-implicit-extended-resource-name": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"deviceclass.resource.kubernetes.io/gpuclass": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "gpuclass",
+				},
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			oldObj: &resourceapi.DeviceClass{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "gpuclass",
+				},
+			},
+			expectedHint: fwk.QueueSkip,
+		},
+		"queue-on-class-add-with-extended-resource-name": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"example.com/gpu": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			expectedHint: fwk.Queue,
+		},
+		"queue-on-class-update-with-extended-resource-name": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{"example.com/gpu": 1},
+			}),
+			newObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")},
+			},
+			oldObj: &resourceapi.DeviceClass{
+				Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu1")},
+			},
+			expectedHint: fwk.Queue,
+		},
+	}
+
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+			p, err := NewFit(ctx, &config.NodeResourcesFitArgs{ScoringStrategy: defaultScoringStrategy}, nil, plfeature.Features{})
+			if err != nil {
+				t.Fatal(err)
+			}
+			actualHint, err := p.(*Fit).isSchedulableAfterDeviceClassEvent(logger, tc.pod, tc.oldObj, tc.newObj)
+			if tc.expectedErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tc.expectedHint, actualHint)
+		})
+	}
+}
+
 func TestIsFit(t *testing.T) {
 	testCases := map[string]struct {
 		pod                      *v1.Pod
@@ -1706,7 +1928,7 @@ func TestIsFit(t *testing.T) {
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
-			if got := isFit(tc.pod, tc.node, ResourceRequestsOptions{EnablePodLevelResources: tc.podLevelResourcesEnabled}); got != tc.expected {
+			if got := isFit(tc.pod, tc.node, nil, ResourceRequestsOptions{EnablePodLevelResources: tc.podLevelResourcesEnabled}); got != tc.expected {
 				t.Errorf("expected: %v, got: %v", tc.expected, got)
 			}
 		})
@@ -1799,6 +2021,19 @@ func TestHaveAnyRequestedResourcesIncreased(t *testing.T) {
 			draExtendedResourceEnabled: true,
 			expected:                   true,
 		},
+		"requested-resources-dra-zero-capacity": {
+			pod: newResourcePod(framework.Resource{
+				ScalarResources: map[v1.ResourceName]int64{extendedResourceA: 1},
+			}),
+			originalNode: st.MakeNode().Capacity(map[v1.ResourceName]string{
+				extendedResourceA: "0",
+			}).Obj(),
+			modifiedNode: st.MakeNode().Capacity(map[v1.ResourceName]string{
+				extendedResourceA: "0",
+			}).Obj(),
+			draExtendedResourceEnabled: true,
+			expected:                   true,
+		},
 		"scalar-resources-not-in-node": {
 			pod: newResourcePod(framework.Resource{
 				MilliCPU:         2,
@@ -1902,7 +2137,7 @@ func TestHaveAnyRequestedResourcesIncreased(t *testing.T) {
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
-			if got := haveAnyRequestedResourcesIncreased(tc.pod, tc.originalNode, tc.modifiedNode, ResourceRequestsOptions{EnableDRAExtendedResource: tc.draExtendedResourceEnabled}); got != tc.expected {
+			if got := haveAnyRequestedResourcesIncreased(tc.pod, tc.originalNode, tc.modifiedNode, nil, ResourceRequestsOptions{EnableDRAExtendedResource: tc.draExtendedResourceEnabled}); got != tc.expected {
 				t.Errorf("expected: %v, got: %v", tc.expected, got)
 			}
 		})
diff --git a/pkg/scheduler/framework/plugins/noderesources/least_allocated.go b/pkg/scheduler/framework/plugins/noderesources/least_allocated.go
index a19969e90de0e..20a456d9636d5 100644
--- a/pkg/scheduler/framework/plugins/noderesources/least_allocated.go
+++ b/pkg/scheduler/framework/plugins/noderesources/least_allocated.go
@@ -17,8 +17,8 @@ limitations under the License.
 package noderesources
 
 import (
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // leastResourceScorer favors nodes with fewer requested resources.
@@ -57,5 +57,5 @@ func leastRequestedScore(requested, capacity int64) int64 {
 		return 0
 	}
 
-	return ((capacity - requested) * framework.MaxNodeScore) / capacity
+	return ((capacity - requested) * fwk.MaxNodeScore) / capacity
 }
diff --git a/pkg/scheduler/framework/plugins/noderesources/least_allocated_test.go b/pkg/scheduler/framework/plugins/noderesources/least_allocated_test.go
index feced9a002fab..aa04ac4b7fa8e 100644
--- a/pkg/scheduler/framework/plugins/noderesources/least_allocated_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/least_allocated_test.go
@@ -41,7 +41,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 		requestedPod   *v1.Pod
 		nodes          []*v1.Node
 		existingPods   []*v1.Pod
-		expectedScores framework.NodeScoreList
+		expectedScores fwk.NodeScoreList
 		resources      []config.ResourceSpec
 		wantErrs       field.ErrorList
 		wantStatusCode fwk.Code
@@ -62,7 +62,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "4000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}},
 			resources:      defaultResources,
 		},
 		{
@@ -84,7 +84,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 37}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 37}, {Name: "node2", Score: 50}},
 			resources:      defaultResources,
 		},
 		{
@@ -98,7 +98,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MinNodeScore}, {Name: "node2", Score: framework.MinNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MinNodeScore}, {Name: "node2", Score: fwk.MinNodeScore}},
 			resources:      nil,
 			wantStatusCode: fwk.Error,
 		},
@@ -123,7 +123,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node2").Obj(),
 				st.MakePod().Node("node2").Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}},
 			resources:      defaultResources,
 		},
 		{
@@ -147,7 +147,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 70}, {Name: "node2", Score: 57}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 70}, {Name: "node2", Score: 57}},
 			resources:      defaultResources,
 		},
 		{
@@ -172,7 +172,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 57}, {Name: "node2", Score: 45}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 57}, {Name: "node2", Score: 45}},
 			resources:      defaultResources,
 		},
 		{
@@ -197,7 +197,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 57}, {Name: "node2", Score: 60}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 57}, {Name: "node2", Score: 60}},
 			resources:      defaultResources,
 		},
 		{
@@ -219,7 +219,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 25}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 25}},
 			resources:      defaultResources,
 		},
 		{
@@ -233,7 +233,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MinNodeScore}, {Name: "node2", Score: framework.MinNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MinNodeScore}, {Name: "node2", Score: fwk.MinNodeScore}},
 			resources:      defaultResources,
 		},
 		{
@@ -253,7 +253,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 41}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 41}, {Name: "node2", Score: 50}},
 			resources: []config.ResourceSpec{
 				{Name: "memory", Weight: 2},
 				{Name: "cpu", Weight: 1},
@@ -291,7 +291,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node1").Capacity(map[v1.ResourceName]string{"cpu": "4000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 41}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 41}, {Name: "node2", Score: 50}},
 			resources: []config.ResourceSpec{
 				{Name: "memory", Weight: 1},
 				{Name: "cpu", Weight: 0},
@@ -340,7 +340,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node1").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000", v1.ResourceName(extendedRes): "4"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 50}},
 			resources:      extendedResourceSet,
 		},
 		{
@@ -361,7 +361,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000", v1.ResourceName(extendedRes): "10"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 60}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 60}},
 			resources:      extendedResourceSet,
 		},
 		{
@@ -378,7 +378,7 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node1").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000", v1.ResourceName(extendedRes): "4"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 55}, {Name: "node2", Score: 55}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 55}, {Name: "node2", Score: 55}},
 			resources: []config.ResourceSpec{
 				{Name: extendedRes, Weight: 2},
 				{Name: string(v1.ResourceCPU), Weight: 1},
@@ -413,22 +413,22 @@ func TestLeastAllocatedScoringStrategy(t *testing.T) {
 				return
 			}
 
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
 			if !status.IsSuccess() {
 				t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 			}
 
-			var gotScores framework.NodeScoreList
+			var gotScores fwk.NodeScoreList
 			for _, n := range test.nodes {
 				nodeInfo, err := snapshot.Get(n.Name)
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
 				if status.Code() != test.wantStatusCode {
 					t.Errorf("unexpected status code, want: %v, got: %v", test.wantStatusCode, status.Code())
 				}
-				gotScores = append(gotScores, framework.NodeScore{Name: n.Name, Score: score})
+				gotScores = append(gotScores, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedScores, gotScores); diff != "" {
diff --git a/pkg/scheduler/framework/plugins/noderesources/most_allocated.go b/pkg/scheduler/framework/plugins/noderesources/most_allocated.go
index 41425698835f2..3e694d1b22f2c 100644
--- a/pkg/scheduler/framework/plugins/noderesources/most_allocated.go
+++ b/pkg/scheduler/framework/plugins/noderesources/most_allocated.go
@@ -17,8 +17,8 @@ limitations under the License.
 package noderesources
 
 import (
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // mostResourceScorer favors nodes with most requested resources.
@@ -61,5 +61,5 @@ func mostRequestedScore(requested, capacity int64) int64 {
 		requested = capacity
 	}
 
-	return (requested * framework.MaxNodeScore) / capacity
+	return (requested * fwk.MaxNodeScore) / capacity
 }
diff --git a/pkg/scheduler/framework/plugins/noderesources/most_allocated_test.go b/pkg/scheduler/framework/plugins/noderesources/most_allocated_test.go
index c5cb89918ec65..6e3e0a0c9e636 100644
--- a/pkg/scheduler/framework/plugins/noderesources/most_allocated_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/most_allocated_test.go
@@ -41,7 +41,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 		requestedPod   *v1.Pod
 		nodes          []*v1.Node
 		existingPods   []*v1.Pod
-		expectedScores framework.NodeScoreList
+		expectedScores fwk.NodeScoreList
 		resources      []config.ResourceSpec
 		wantErrs       field.ErrorList
 		wantStatusCode fwk.Code
@@ -62,7 +62,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "4000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MinNodeScore}, {Name: "node2", Score: framework.MinNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MinNodeScore}, {Name: "node2", Score: fwk.MinNodeScore}},
 			resources:      defaultResources,
 		},
 		{
@@ -84,7 +84,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 62}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 62}, {Name: "node2", Score: 50}},
 			resources:      defaultResources,
 		},
 		{
@@ -98,7 +98,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MinNodeScore}, {Name: "node2", Score: framework.MinNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MinNodeScore}, {Name: "node2", Score: fwk.MinNodeScore}},
 			resources:      nil,
 			wantStatusCode: fwk.Error,
 		},
@@ -123,7 +123,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 30}, {Name: "node2", Score: 42}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 30}, {Name: "node2", Score: 42}},
 			resources:      defaultResources,
 		},
 		{
@@ -148,7 +148,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "0"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 42}, {Name: "node2", Score: 55}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 42}, {Name: "node2", Score: 55}},
 			resources:      defaultResources,
 		},
 		{
@@ -170,7 +170,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "10000", "memory": "9000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 95}, {Name: "node2", Score: 75}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 95}, {Name: "node2", Score: 75}},
 			resources:      defaultResources,
 		},
 		{
@@ -190,7 +190,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 			},
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 58}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 58}, {Name: "node2", Score: 50}},
 			resources: []config.ResourceSpec{
 				{Name: "memory", Weight: 2},
 				{Name: "cpu", Weight: 1},
@@ -215,7 +215,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Container("container").Obj(),
 				st.MakePod().Node("node1").Container("container").Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 80}, {Name: "node2", Score: 30}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 80}, {Name: "node2", Score: 30}},
 			resources:      defaultResources,
 		},
 		{
@@ -298,7 +298,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 			},
 			resources:      extendedResourceSet,
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 50}},
 		},
 		{
 			// Honor extended resource if the pod requests.
@@ -319,7 +319,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 			},
 			resources:      extendedResourceSet,
 			existingPods:   nil,
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 40}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 50}, {Name: "node2", Score: 40}},
 		},
 		{
 			// If the node doesn't have a resource
@@ -335,7 +335,7 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				st.MakeNode().Name("node1").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000"}).Obj(),
 				st.MakeNode().Name("node2").Capacity(map[v1.ResourceName]string{"cpu": "6000", "memory": "10000", v1.ResourceName(extendedRes): "4"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 45}, {Name: "node2", Score: 45}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 45}, {Name: "node2", Score: 45}},
 			resources: []config.ResourceSpec{
 				{Name: extendedRes, Weight: 2},
 				{Name: string(v1.ResourceCPU), Weight: 1},
@@ -369,22 +369,22 @@ func TestMostAllocatedScoringStrategy(t *testing.T) {
 				return
 			}
 
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
 			if !status.IsSuccess() {
 				t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 			}
 
-			var gotScores framework.NodeScoreList
+			var gotScores fwk.NodeScoreList
 			for _, n := range test.nodes {
 				nodeInfo, err := snapshot.Get(n.Name)
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
 				if status.Code() != test.wantStatusCode {
 					t.Errorf("unexpected status code, want: %v, got: %v", test.wantStatusCode, status.Code())
 				}
-				gotScores = append(gotScores, framework.NodeScore{Name: n.Name, Score: score})
+				gotScores = append(gotScores, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedScores, gotScores); diff != "" {
diff --git a/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio.go b/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio.go
index df5e2ff4733e9..f6c7838be3e66 100644
--- a/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio.go
+++ b/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio.go
@@ -19,8 +19,8 @@ package noderesources
 import (
 	"math"
 
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 )
 
@@ -65,7 +65,7 @@ func requestedToCapacityRatioScorer(resources []config.ResourceSpec, shape []con
 			// MaxCustomPriorityScore may diverge from the max score used in the scheduler and defined by MaxNodeScore,
 			// therefore we need to scale the score returned by requested to capacity ratio to the score range
 			// used by the scheduler.
-			Score: int64(point.Score) * (framework.MaxNodeScore / config.MaxCustomPriorityScore),
+			Score: int64(point.Score) * (fwk.MaxNodeScore / config.MaxCustomPriorityScore),
 		})
 	}
 
diff --git a/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio_test.go b/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio_test.go
index b168811db1fce..20f3821e617c7 100644
--- a/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/requested_to_capacity_ratio_test.go
@@ -27,6 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
@@ -48,7 +49,7 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 		requestedPod   *v1.Pod
 		nodes          []*v1.Node
 		existingPods   []*v1.Pod
-		expectedScores framework.NodeScoreList
+		expectedScores fwk.NodeScoreList
 		resources      []config.ResourceSpec
 		shape          []config.UtilizationShapePoint
 		wantErrs       field.ErrorList
@@ -64,7 +65,7 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Obj(),
 				st.MakePod().Node("node1").Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: framework.MaxNodeScore}, {Name: "node2", Score: framework.MaxNodeScore}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: fwk.MaxNodeScore}, {Name: "node2", Score: fwk.MaxNodeScore}},
 			resources:      defaultResources,
 			shape:          shape,
 		},
@@ -82,7 +83,7 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Obj(),
 				st.MakePod().Node("node1").Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 38}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 38}, {Name: "node2", Score: 50}},
 			resources:      defaultResources,
 			shape:          shape,
 		},
@@ -97,7 +98,7 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 				st.MakePod().Node("node1").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 				st.MakePod().Node("node2").Req(map[v1.ResourceName]string{"cpu": "3000", "memory": "5000"}).Obj(),
 			},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 38}, {Name: "node2", Score: 50}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 38}, {Name: "node2", Score: 50}},
 			resources:      defaultResources,
 			shape:          shape,
 		},
@@ -130,9 +131,9 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 				return
 			}
 
-			var gotScores framework.NodeScoreList
+			var gotScores fwk.NodeScoreList
 			for _, n := range test.nodes {
-				status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
+				status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.requestedPod, tf.BuildNodeInfos(test.nodes))
 				if !status.IsSuccess() {
 					t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 				}
@@ -140,11 +141,11 @@ func TestRequestedToCapacityRatioScoringStrategy(t *testing.T) {
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.requestedPod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("Score is expected to return success, but didn't. Got status: %v", status)
 				}
-				gotScores = append(gotScores, framework.NodeScore{Name: n.Name, Score: score})
+				gotScores = append(gotScores, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedScores, gotScores); diff != "" {
@@ -238,14 +239,14 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 		pod            *v1.Pod
 		pods           []*v1.Pod
 		nodes          []*v1.Node
-		expectedScores framework.NodeScoreList
+		expectedScores fwk.NodeScoreList
 		name           string
 	}{
 		{
 			//  Node1 Score = Node2 Score = 0 as the incoming Pod doesn't request extended resource.
 			pod:            st.MakePod().Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResource2), makeNode("node2", 4000, 10000*1024*1024, extendedResource1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
 			name:           "nothing scheduled, nothing requested",
 		},
 		{
@@ -262,7 +263,7 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 			// Node2 Score: 5
 			pod:            st.MakePod().Req(extendedResource3).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResource2), makeNode("node2", 4000, 10000*1024*1024, extendedResource1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 2}, {Name: "node2", Score: 5}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 2}, {Name: "node2", Score: 5}},
 			name:           "resources requested, pods scheduled with less resources",
 			pods:           []*v1.Pod{st.MakePod().Obj()},
 		},
@@ -280,7 +281,7 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 			// Node2 Score: 10
 			pod:            st.MakePod().Req(extendedResource3).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResource2), makeNode("node2", 4000, 10000*1024*1024, extendedResource1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 2}, {Name: "node2", Score: 10}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 2}, {Name: "node2", Score: 10}},
 			name:           "resources requested, pods scheduled with resources, on node with existing pod running ",
 			pods:           []*v1.Pod{st.MakePod().Req(extendedResource3).Node("node2").Obj()},
 		},
@@ -298,7 +299,7 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 			// Node2 Score: 10
 			pod:            st.MakePod().Req(extendedResource4).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResource2), makeNode("node2", 4000, 10000*1024*1024, extendedResource1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 5}, {Name: "node2", Score: 10}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 5}, {Name: "node2", Score: 10}},
 			name:           "resources requested, pods scheduled with more resources",
 			pods: []*v1.Pod{
 				st.MakePod().Obj(),
@@ -331,9 +332,9 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, n := range test.nodes {
-				status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
+				status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
 				if !status.IsSuccess() {
 					t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 				}
@@ -341,11 +342,11 @@ func TestResourceBinPackingSingleExtended(t *testing.T) {
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("Score is expected to return success, but didn't. Got status: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: n.Name, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedScores, gotList); diff != "" {
@@ -378,7 +379,7 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 		pod            *v1.Pod
 		pods           []*v1.Pod
 		nodes          []*v1.Node
-		expectedScores framework.NodeScoreList
+		expectedScores fwk.NodeScoreList
 		name           string
 	}{
 		{
@@ -411,7 +412,7 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 
 			pod:            st.MakePod().Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResources2), makeNode("node2", 4000, 10000*1024*1024, extendedResources1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 0}, {Name: "node2", Score: 0}},
 			name:           "nothing scheduled, nothing requested",
 		},
 		{
@@ -444,7 +445,7 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 
 			pod:            st.MakePod().Req(extendedResourcePod1).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResources2), makeNode("node2", 4000, 10000*1024*1024, extendedResources1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 4}, {Name: "node2", Score: 3}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 4}, {Name: "node2", Score: 3}},
 			name:           "resources requested, pods scheduled with less resources",
 			pods: []*v1.Pod{
 				st.MakePod().Obj(),
@@ -479,7 +480,7 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 
 			pod:            st.MakePod().Req(extendedResourcePod1).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResources2), makeNode("node2", 4000, 10000*1024*1024, extendedResources1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 4}, {Name: "node2", Score: 7}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 4}, {Name: "node2", Score: 7}},
 			name:           "resources requested, pods scheduled with resources, on node with existing pod running ",
 			pods:           []*v1.Pod{st.MakePod().Req(extendedResourcePod2).Node("node2").Obj()},
 		},
@@ -527,7 +528,7 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 
 			pod:            st.MakePod().Req(extendedResourcePod2).Obj(),
 			nodes:          []*v1.Node{makeNode("node1", 4000, 10000*1024*1024, extendedResources2), makeNode("node2", 4000, 10000*1024*1024, extendedResources1)},
-			expectedScores: []framework.NodeScore{{Name: "node1", Score: 5}, {Name: "node2", Score: 5}},
+			expectedScores: []fwk.NodeScore{{Name: "node1", Score: 5}, {Name: "node2", Score: 5}},
 			name:           "resources requested, pods scheduled with more resources",
 			pods: []*v1.Pod{
 				st.MakePod().Obj(),
@@ -563,22 +564,22 @@ func TestResourceBinPackingMultipleExtended(t *testing.T) {
 				t.Fatalf("unexpected error: %v", err)
 			}
 
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, tf.BuildNodeInfos(test.nodes))
 			if !status.IsSuccess() {
 				t.Errorf("PreScore is expected to return success, but didn't. Got status: %v", status)
 			}
 
-			var gotScores framework.NodeScoreList
+			var gotScores fwk.NodeScoreList
 			for _, n := range test.nodes {
 				nodeInfo, err := snapshot.Get(n.Name)
 				if err != nil {
 					t.Errorf("failed to get node %q from snapshot: %v", n.Name, err)
 				}
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("Score is expected to return success, but didn't. Got status: %v", status)
 				}
-				gotScores = append(gotScores, framework.NodeScore{Name: n.Name, Score: score})
+				gotScores = append(gotScores, fwk.NodeScore{Name: n.Name, Score: score})
 			}
 
 			if diff := cmp.Diff(test.expectedScores, gotScores); diff != "" {
diff --git a/pkg/scheduler/framework/plugins/noderesources/resource_allocation.go b/pkg/scheduler/framework/plugins/noderesources/resource_allocation.go
index 33a46e5a871a3..b4f6f16b4bf9b 100644
--- a/pkg/scheduler/framework/plugins/noderesources/resource_allocation.go
+++ b/pkg/scheduler/framework/plugins/noderesources/resource_allocation.go
@@ -18,12 +18,18 @@ package noderesources
 
 import (
 	"context"
+	"strings"
+	"sync"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/dynamic-resource-allocation/cel"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
 
+	resourceapi "k8s.io/api/resource/v1"
 	resourcehelper "k8s.io/component-helpers/resource"
+	"k8s.io/dynamic-resource-allocation/structured"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	schedutil "k8s.io/kubernetes/pkg/scheduler/util"
@@ -32,16 +38,100 @@ import (
 // scorer is decorator for resourceAllocationScorer
 type scorer func(args *config.NodeResourcesFitArgs) *resourceAllocationScorer
 
+// DRACaches holds various caches used for DRA-related computations
+type DRACaches struct {
+	// celCache is a cache for compiled CEL expressions used in device class selectors.
+	celCache *cel.Cache
+	// Cache for DeviceMatches results to avoid expensive repeated evaluations
+	deviceMatchCache sync.Map // map[deviceMatchCacheKey]bool
+	// Cache for NodeMatches results to avoid expensive repeated node selector evaluations
+	nodeMatchCache sync.Map // map[nodeMatchCacheKey]bool
+}
+
 // resourceAllocationScorer contains information to calculate resource allocation score.
 type resourceAllocationScorer struct {
-	Name                            string
-	enableInPlacePodVerticalScaling bool
-	enablePodLevelResources         bool
+	Name                                          string
+	enableInPlacePodVerticalScaling               bool
+	enablePodLevelResources                       bool
+	enableDRAExtendedResource                     bool
+	enableInPlacePodLevelResourcesVerticalScaling bool
 	// used to decide whether to use Requested or NonZeroRequested for
 	// cpu and memory.
 	useRequested bool
 	scorer       func(requested, allocable []int64) int64
 	resources    []config.ResourceSpec
+	draFeatures  structured.Features
+	draManager   fwk.SharedDRAManager
+	// Caches for DRA-related computations
+	DRACaches
+}
+
+// buildNodeMatchCacheKey creates a string cache key for node matching results
+// Using a string key is significantly faster than struct keys with sync.Map
+func buildNodeMatchCacheKey(nodeName string, nodeNameToMatch string, allNodesMatch bool, nodeSelectorHash string) string {
+	// Pre-allocate sufficient capacity to avoid reallocation
+	var b strings.Builder
+	b.Grow(len(nodeName) + len(nodeNameToMatch) + len(nodeSelectorHash) + 4)
+
+	b.WriteString(nodeName)
+	b.WriteByte('|')
+	b.WriteString(nodeNameToMatch)
+	b.WriteByte('|')
+	if allNodesMatch {
+		b.WriteByte('1')
+	} else {
+		b.WriteByte('0')
+	}
+	b.WriteByte('|')
+	b.WriteString(nodeSelectorHash)
+
+	return b.String()
+}
+
+// buildDeviceMatchCacheKey creates a string cache key for device matching results
+// Using a string key is significantly faster than struct keys with sync.Map
+// This concatenates expression|driver|poolName|deviceName with pipe separators
+func buildDeviceMatchCacheKey(expression string, driver string, poolName string, deviceName string) string {
+	// Pre-allocate sufficient capacity to avoid reallocation
+	var b strings.Builder
+	b.Grow(len(expression) + len(driver) + len(poolName) + len(deviceName) + 3)
+
+	b.WriteString(expression)
+	b.WriteByte('|')
+	b.WriteString(driver)
+	b.WriteByte('|')
+	b.WriteString(poolName)
+	b.WriteByte('|')
+	b.WriteString(deviceName)
+
+	return b.String()
+}
+
+// nodeMatches is a cached wrapper around structured.NodeMatches
+func (r *resourceAllocationScorer) nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
+
+	var nodeName string
+	if node != nil {
+		nodeName = node.Name
+	}
+
+	nodeSelectorStr := nodeSelector.String()
+	key := buildNodeMatchCacheKey(nodeName, nodeNameToMatch, allNodesMatch, nodeSelectorStr)
+
+	// Check cache first
+	if matches, ok := r.nodeMatchCache.Load(key); ok {
+		return matches.(bool), nil
+	}
+
+	// Call the original function
+	matches, err := structured.NodeMatches(r.draFeatures, node, nodeNameToMatch, allNodesMatch, nodeSelector)
+
+	// Cache the result (even if there was an error, to avoid repeated failures)
+	if err == nil {
+		r.nodeMatchCache.Store(key, matches)
+	}
+
+	return matches, err
 }
 
 // score will use `scorer` function to calculate the score.
@@ -49,7 +139,9 @@ func (r *resourceAllocationScorer) score(
 	ctx context.Context,
 	pod *v1.Pod,
 	nodeInfo fwk.NodeInfo,
-	podRequests []int64) (int64, *fwk.Status) {
+	podRequests []int64,
+	draPreScoreState *draPreScoreState,
+) (int64, *fwk.Status) {
 	logger := klog.FromContext(ctx)
 	node := nodeInfo.Node()
 
@@ -61,7 +153,7 @@ func (r *resourceAllocationScorer) score(
 	requested := make([]int64, len(r.resources))
 	allocatable := make([]int64, len(r.resources))
 	for i := range r.resources {
-		alloc, req := r.calculateResourceAllocatableRequest(logger, nodeInfo, v1.ResourceName(r.resources[i].Name), podRequests[i])
+		alloc, req := r.calculateResourceAllocatableRequest(ctx, nodeInfo, v1.ResourceName(r.resources[i].Name), podRequests[i], draPreScoreState)
 		// Only fill the extended resource entry when it's non-zero.
 		if alloc == 0 {
 			continue
@@ -86,7 +178,13 @@ func (r *resourceAllocationScorer) score(
 // - 1st param: quantity of allocatable resource on the node.
 // - 2nd param: aggregated quantity of requested resource on the node.
 // Note: if it's an extended resource, and the pod doesn't request it, (0, 0) is returned.
-func (r *resourceAllocationScorer) calculateResourceAllocatableRequest(logger klog.Logger, nodeInfo fwk.NodeInfo, resource v1.ResourceName, podRequest int64) (int64, int64) {
+func (r *resourceAllocationScorer) calculateResourceAllocatableRequest(
+	ctx context.Context,
+	nodeInfo fwk.NodeInfo,
+	resource v1.ResourceName,
+	podRequest int64,
+	draPreScoreState *draPreScoreState,
+) (int64, int64) {
 	requested := nodeInfo.GetNonZeroRequested()
 	if r.useRequested {
 		requested = nodeInfo.GetRequested()
@@ -105,11 +203,20 @@ func (r *resourceAllocationScorer) calculateResourceAllocatableRequest(logger kl
 	case v1.ResourceEphemeralStorage:
 		return nodeInfo.GetAllocatable().GetEphemeralStorage(), (nodeInfo.GetRequested().GetEphemeralStorage() + podRequest)
 	default:
-		if _, exists := nodeInfo.GetAllocatable().GetScalarResources()[resource]; exists {
-			return nodeInfo.GetAllocatable().GetScalarResources()[resource], (nodeInfo.GetRequested().GetScalarResources()[resource] + podRequest)
+		allocatable, exists := nodeInfo.GetAllocatable().GetScalarResources()[resource]
+		if allocatable == 0 && r.enableDRAExtendedResource && draPreScoreState != nil {
+			// Allocatable 0 means that this resource is not handled by device plugin.
+			// Calculate allocatable and requested for resources backed by DRA.
+			allocatable, allocated := r.calculateDRAExtendedResourceAllocatableRequest(ctx, nodeInfo.Node(), resource, draPreScoreState)
+			if allocatable > 0 {
+				return allocatable, allocated + podRequest
+			}
+		}
+		if exists {
+			return allocatable, (nodeInfo.GetRequested().GetScalarResources()[resource] + podRequest)
 		}
 	}
-	logger.V(10).Info("Requested resource is omitted for node score calculation", "resourceName", resource)
+	klog.FromContext(ctx).V(10).Info("Requested resource is omitted for node score calculation", "resourceName", resource)
 	return 0, 0
 }
 
@@ -119,6 +226,7 @@ func (r *resourceAllocationScorer) calculatePodResourceRequest(pod *v1.Pod, reso
 
 	opts := resourcehelper.PodResourcesOptions{
 		UseStatusResources: r.enableInPlacePodVerticalScaling,
+		InPlacePodLevelResourcesVerticalScalingEnabled: r.enableInPlacePodLevelResourcesVerticalScaling,
 		// SkipPodLevelResources is set to false when PodLevelResources feature is enabled.
 		SkipPodLevelResources: !r.enablePodLevelResources,
 	}
@@ -155,3 +263,230 @@ func (r *resourceAllocationScorer) isBestEffortPod(podRequests []int64) bool {
 	}
 	return true
 }
+
+// getDRAPreScoredParams returns the DRA allocated state and resource slices for DRA extended resource scoring.
+func getDRAPreScoredParams(draManager fwk.SharedDRAManager, resources []config.ResourceSpec) (*draPreScoreState, *fwk.Status) {
+	anyBackedByDRA := false
+	for _, resource := range resources {
+		resourceName := v1.ResourceName(resource.Name)
+		if !schedutil.IsDRAExtendedResourceName(resourceName) {
+			continue
+		}
+		deviceClass := draManager.DeviceClassResolver().GetDeviceClass(resourceName)
+		if deviceClass != nil {
+			anyBackedByDRA = true
+			break
+		}
+	}
+	// There's no point in returning DRA data as there are no resources backed by DRA.
+	if !anyBackedByDRA {
+		return nil, nil
+	}
+
+	allocatedState, err := draManager.ResourceClaims().GatherAllocatedState()
+	if err != nil {
+		return nil, fwk.AsStatus(err)
+	}
+	resourceSlices, err := draManager.ResourceSlices().ListWithDeviceTaintRules()
+	if err != nil {
+		return nil, fwk.AsStatus(err)
+	}
+
+	return &draPreScoreState{
+		allocatedState: allocatedState,
+		resourceSlices: resourceSlices,
+	}, nil
+}
+
+// calculateDRAExtendedResourceAllocatableRequest calculates allocatable and allocated
+// quantities for extended resources backed by DRA.
+func (r *resourceAllocationScorer) calculateDRAExtendedResourceAllocatableRequest(
+	ctx context.Context,
+	node *v1.Node,
+	resource v1.ResourceName,
+	draPreScoreState *draPreScoreState,
+) (int64, int64) {
+	logger := klog.FromContext(ctx)
+	deviceClass := r.draManager.DeviceClassResolver().GetDeviceClass(resource)
+	if deviceClass == nil {
+		// This resource is not backed by DRA.
+		logger.V(7).Info("Extended resource not found in device class mapping", "resource", resource)
+		return 0, 0
+	}
+
+	capacity, allocated, err := r.calculateDRAResourceTotals(ctx, node, deviceClass, draPreScoreState.allocatedState, draPreScoreState.resourceSlices)
+	if err != nil {
+		logger.Error(err, "Failed to calculate DRA resource capacity and allocated", "node", node.Name, "resource", resource, "deviceClass", deviceClass.Name)
+		return 0, 0
+	}
+
+	logger.V(7).Info("DRA extended resource calculation", "node", node.Name, "resource", resource, "deviceClass", deviceClass.Name, "capacity", capacity, "allocated", allocated)
+	return capacity, allocated
+}
+
+// calculateDRAResourceTotals computes the total capacity and total allocated count of devices
+// matching the specified Device Class on the given node. It queries the DRA manager for resource
+// slices and allocated devices, filters devices by class and driver, and returns the counts.
+// Returns an error if resource information cannot be retrieved or if node matching fails.
+//
+// Parameters:
+//
+//	ctx         - context for cancellation and deadlines
+//	node        - the node to evaluate device resources on
+//	deviceClass - the device class to filter devices by
+//
+// Returns:
+//
+//	totalCapacity  - total number of devices matching the device class on the node
+//	totalAllocated - number of devices currently allocated from the matching set
+//	error          - any error encountered during processing
+func (r *resourceAllocationScorer) calculateDRAResourceTotals(ctx context.Context, node *v1.Node, deviceClass *resourceapi.DeviceClass, allocatedState *structured.AllocatedState, resourceSlices []*resourceapi.ResourceSlice,
+) (int64, int64, error) {
+	var totalCapacity, totalAllocated int64
+	nodeName := node.Name
+
+	for _, slice := range resourceSlices {
+		// Early filtering: check if slice applies to this node
+		perDeviceNodeSelection := ptr.Deref(slice.Spec.PerDeviceNodeSelection, false)
+
+		var devices []resourceapi.Device
+
+		if perDeviceNodeSelection {
+			// Per-device node selection: filter devices individually
+			devices = make([]resourceapi.Device, 0, len(slice.Spec.Devices))
+			for _, device := range slice.Spec.Devices {
+				deviceNodeName := ptr.Deref(device.NodeName, "")
+				deviceAllNodes := ptr.Deref(device.AllNodes, false)
+
+				// Fast path: check AllNodes or exact name match first
+				if deviceAllNodes || (deviceNodeName != "" && deviceNodeName == nodeName) {
+					devices = append(devices, device)
+					continue
+				}
+
+				// Slow path: only if we have a node selector
+				if device.NodeSelector != nil {
+					deviceMatches, err := r.nodeMatches(node, deviceNodeName, deviceAllNodes, device.NodeSelector)
+					if err != nil {
+						return 0, 0, err
+					}
+					if deviceMatches {
+						devices = append(devices, device)
+					}
+				}
+			}
+		} else {
+			// Slice-level node selection
+			sliceNodeName := ptr.Deref(slice.Spec.NodeName, "")
+			sliceAllNodes := ptr.Deref(slice.Spec.AllNodes, false)
+
+			// Fast path: check AllNodes or exact name match first
+			if !sliceAllNodes && sliceNodeName != nodeName && slice.Spec.NodeSelector != nil {
+				// Need to check node selector
+				matches, err := r.nodeMatches(node, sliceNodeName, sliceAllNodes, slice.Spec.NodeSelector)
+				if err != nil {
+					return 0, 0, err
+				}
+				if !matches {
+					continue // Skip this slice
+				}
+			} else if !sliceAllNodes && sliceNodeName != "" && sliceNodeName != nodeName {
+				// Node name specified but doesn't match
+				continue
+			}
+
+			devices = slice.Spec.Devices
+		}
+
+		// Fast path for device class with no selectors
+		if len(deviceClass.Spec.Selectors) == 0 {
+			driver := slice.Spec.Driver
+			pool := slice.Spec.Pool.Name
+			for _, device := range devices {
+				totalCapacity++
+				deviceID := structured.MakeDeviceID(driver, pool, device.Name)
+				if structured.IsDeviceAllocated(deviceID, allocatedState) {
+					totalAllocated++
+				}
+			}
+		} else {
+			// Slow path: check device class selectors
+			driver := slice.Spec.Driver
+			pool := slice.Spec.Pool.Name
+			for _, device := range devices {
+				matches, err := r.deviceMatchesClass(ctx, device, deviceClass, driver, pool)
+				if err != nil {
+					return 0, 0, err
+				}
+				if matches {
+					totalCapacity++
+					deviceID := structured.MakeDeviceID(driver, pool, device.Name)
+					if structured.IsDeviceAllocated(deviceID, allocatedState) {
+						totalAllocated++
+					}
+				}
+			}
+		}
+	}
+
+	return totalCapacity, totalAllocated, nil
+}
+
+// deviceMatchesClass checks if a device matches the selectors of a device class.
+// Note: This method assumes the device class has ExtendedResourceName set, as filtering
+// should be done by the caller to ensure we only process DRA resources meant for extended
+// resource scoring.
+func (r *resourceAllocationScorer) deviceMatchesClass(ctx context.Context, device resourceapi.Device, deviceClass *resourceapi.DeviceClass, driver string, poolName string) (bool, error) {
+	// If no selectors are defined, all devices match
+	if len(deviceClass.Spec.Selectors) == 0 {
+		return true, nil
+	}
+
+	// Lazily create the CEL device only when needed (first CEL selector that's not cached)
+	var celDevice cel.Device
+	celDeviceCreated := false
+
+	// All selectors must match for the device to be considered a match
+	for _, selector := range deviceClass.Spec.Selectors {
+		if selector.CEL == nil {
+			continue
+		}
+
+		key := buildDeviceMatchCacheKey(selector.CEL.Expression, driver, poolName, device.Name)
+
+		// Check if result is already cached
+		if matches, ok := r.deviceMatchCache.Load(key); ok {
+			if !matches.(bool) {
+				return false, nil
+			}
+			continue // This selector matches, check the next one
+		}
+
+		// Cache miss - need to evaluate CEL expression
+		// Create CEL device if we haven't already
+		if !celDeviceCreated {
+			celDevice = cel.Device{
+				Driver:     driver,
+				Attributes: device.Attributes,
+				Capacity:   device.Capacity,
+			}
+			celDeviceCreated = true
+		}
+
+		// Use cached CEL compilation for performance
+		result := r.celCache.GetOrCompile(selector.CEL.Expression)
+		if result.Error != nil {
+			return false, result.Error
+		}
+
+		matches, _, err := result.DeviceMatches(ctx, celDevice)
+		if err != nil || !matches {
+			return false, err
+		}
+
+		// Cache the result for future use
+		r.deviceMatchCache.Store(key, matches)
+	}
+
+	return true, nil
+}
diff --git a/pkg/scheduler/framework/plugins/noderesources/resource_allocation_test.go b/pkg/scheduler/framework/plugins/noderesources/resource_allocation_test.go
index f13efe21d355f..f6b6c2aa3ae27 100644
--- a/pkg/scheduler/framework/plugins/noderesources/resource_allocation_test.go
+++ b/pkg/scheduler/framework/plugins/noderesources/resource_allocation_test.go
@@ -17,12 +17,35 @@ limitations under the License.
 package noderesources
 
 import (
+	"context"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
-
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/dynamic-resource-allocation/cel"
+	"k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache"
+	"k8s.io/dynamic-resource-allocation/resourceslice/tracker"
+	"k8s.io/dynamic-resource-allocation/structured"
+	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/scheduler/apis/config"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	"k8s.io/kubernetes/pkg/scheduler/util"
+	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
+	"k8s.io/utils/ptr"
 )
 
 func TestResourceAllocationScorerCalculateRequests(t *testing.T) {
@@ -238,3 +261,651 @@ func TestResourceAllocationScorerCalculateRequests(t *testing.T) {
 		})
 	}
 }
+
+func TestCalculateResourceAllocatableRequest(t *testing.T) {
+	// Initialize test variables
+	nodeName := "resource-node"
+	driverName := "test-driver"
+	testClaim := "test-claim"
+	explicitExtendedResource := v1.ResourceName(extendedResourceName)
+	implicitExtendedResource := v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + deviceClassName)
+	celCache := cel.NewCache(10, cel.Features{EnableConsumableCapacity: true})
+	draFeatures := structured.Features{
+		AdminAccess:            true,
+		PrioritizedList:        true,
+		PartitionableDevices:   true,
+		DeviceTaints:           true,
+		DeviceBindingAndStatus: true,
+		ConsumableCapacity:     true,
+	}
+
+	// Define test cases
+	tests := map[string]struct {
+		enableDRAExtendedResource bool
+		node                      *v1.Node
+		extendedResource          v1.ResourceName
+		objects                   []apiruntime.Object
+		podRequest                int64
+		expectedAllocatable       int64
+		expectedRequested         int64
+	}{
+		"device-plugin-resource-feature-disabled": {
+			enableDRAExtendedResource: false,
+			node:                      st.MakeNode().Name(nodeName).Capacity(map[v1.ResourceName]string{explicitExtendedResource: "4"}).Obj(),
+			extendedResource:          explicitExtendedResource,
+			podRequest:                1,
+			expectedAllocatable:       4,
+			expectedRequested:         1,
+		},
+		"device-plugin-resource-feature-enabled": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Capacity(map[v1.ResourceName]string{explicitExtendedResource: "4"}).Obj(),
+			extendedResource:          explicitExtendedResource,
+			podRequest:                1,
+			expectedAllocatable:       4,
+			expectedRequested:         1,
+		},
+		"DRA-backed-resource-explicit": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects: []apiruntime.Object{
+				deviceClassWithExtendResourceName,
+				st.MakeResourceSlice(nodeName, driverName).Device("device-1").Obj(),
+			},
+			podRequest:          1,
+			expectedAllocatable: 1,
+			expectedRequested:   1,
+		},
+		"DRA-backed-resource-implicit": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          implicitExtendedResource,
+			objects: []apiruntime.Object{
+				&resourceapi.DeviceClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: deviceClassName,
+					},
+				},
+				st.MakeResourceSlice(nodeName, driverName).Device("device-1").Obj(),
+			},
+			podRequest:          1,
+			expectedAllocatable: 1,
+			expectedRequested:   1,
+		},
+		"DRA-backed-resource-no-slices": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects:                   []apiruntime.Object{deviceClassWithExtendResourceName},
+			podRequest:                1,
+			expectedAllocatable:       0,
+			expectedRequested:         0,
+		},
+		"DRA-backed-resource-with-allocated-device": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects: []apiruntime.Object{
+				deviceClassWithExtendResourceName,
+				st.MakeResourceSlice(nodeName, driverName).Devices("device-1", "device-2").Obj(),
+				// Create a resource claim that fully allocates device-1
+				st.MakeResourceClaim().
+					Name(testClaim).
+					Request(deviceClassName).
+					Allocation(&resourceapi.AllocationResult{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1",
+									Driver:  driverName,
+									Pool:    nodeName,
+									Device:  "device-1",
+								},
+							},
+						},
+					}).
+					Obj(),
+			},
+			podRequest:          1,
+			expectedAllocatable: 2,
+			expectedRequested:   2, // 1 allocated + 1 requested
+		},
+		"DRA-backed-resource-with-shared-device-allocation": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects: []apiruntime.Object{
+				deviceClassWithExtendResourceName,
+				st.MakeResourceSlice(nodeName, driverName).Devices("device-1", "device-2").Obj(),
+				// Create a resource claim with shared device allocation (consumable capacity)
+				st.MakeResourceClaim().
+					Name(testClaim).
+					Request(deviceClassName).
+					Allocation(&resourceapi.AllocationResult{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1",
+									Driver:  driverName,
+									Pool:    nodeName,
+									Device:  "device-1",
+									ShareID: ptr.To(types.UID("share-123")), // Shared device allocation
+								},
+							},
+						},
+					}).
+					Obj(),
+			},
+			podRequest:          1,
+			expectedAllocatable: 2,
+			expectedRequested:   2, // 1 allocated (shared) + 1 requested
+		},
+		"DRA-backed-resource-multiple-devices-mixed-allocation": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects: []apiruntime.Object{
+				deviceClassWithExtendResourceName,
+				st.MakeResourceSlice(nodeName, driverName).Devices("device-1", "device-2", "device-3").Obj(),
+				// Mix of fully allocated and shared device allocations
+				st.MakeResourceClaim().
+					Name("test-claim-1").
+					Request(deviceClassName).
+					Allocation(&resourceapi.AllocationResult{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1",
+									Driver:  driverName,
+									Pool:    nodeName,
+									Device:  "device-1",
+									// No ShareID = fully allocated device
+								},
+							},
+						},
+					}).
+					Obj(),
+				st.MakeResourceClaim().
+					Name("test-claim-2").
+					Request(deviceClassName).
+					Allocation(&resourceapi.AllocationResult{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1",
+									Driver:  driverName,
+									Pool:    nodeName,
+									Device:  "device-2",
+									ShareID: ptr.To(types.UID("share-456")), // Shared device allocation
+								},
+							},
+						},
+					}).
+					Obj(),
+				// device-3 remains unallocated
+			},
+			podRequest:          1,
+			expectedAllocatable: 3,
+			expectedRequested:   3, // 2 allocated (1 full + 1 shared) + 1 requested
+		},
+		"DRA-backed-resource-with-per-device-node-selection": {
+			enableDRAExtendedResource: true,
+			node:                      st.MakeNode().Name(nodeName).Obj(),
+			extendedResource:          explicitExtendedResource,
+			objects: []apiruntime.Object{
+				&resourceapi.DeviceClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: deviceClassName,
+					},
+					Spec: resourceapi.DeviceClassSpec{
+						ExtendedResourceName: &extendedResourceName,
+						Selectors: []resourceapi.DeviceSelector{
+							{
+								CEL: &resourceapi.CELDeviceSelector{
+									// Realistic GPU selection: match test driver with at least 8GB memory and SOME- model
+									Expression: `device.driver == "test-driver" && device.capacity["test-driver"].memory.compareTo(quantity("8Gi")) >= 0 && device.attributes["test-driver"].model.startsWith("SOME-")`,
+								},
+							},
+						},
+					},
+				},
+				// Create a custom resource slice with per-device node selection
+				&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{Name: "per-device-slice"},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver:                 driverName, // Match the CEL expression driver
+						Pool:                   resourceapi.ResourcePool{Name: "per-device-pool", ResourceSliceCount: 1},
+						PerDeviceNodeSelection: ptr.To(true), // Enable per-device node selection
+						// Note: No NodeName, AllNodes, or NodeSelector at slice level when PerDeviceNodeSelection is true
+						Devices: []resourceapi.Device{
+							{
+								Name:     "device-1",
+								NodeName: ptr.To(nodeName), // This device matches the test node
+								Attributes: map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+									"model": {StringValue: ptr.To("SOME-XYZ")},
+								},
+								Capacity: map[resourceapi.QualifiedName]resourceapi.DeviceCapacity{
+									"memory": {Value: resource.MustParse("16Gi")}, // 16GB GPU - matches CEL (>= 8GB)
+								},
+							},
+							{
+								Name:     "device-2",
+								NodeName: ptr.To("other-node"), // This device matches a different node
+								Attributes: map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+									"model": {StringValue: ptr.To("SOME-ZYX")},
+								},
+								Capacity: map[resourceapi.QualifiedName]resourceapi.DeviceCapacity{
+									"memory": {Value: resource.MustParse("12Gi")}, // 12GB GPU - matches CEL (>= 8GB)
+								},
+							},
+							{
+								Name:     "device-3",
+								AllNodes: ptr.To(true), // This device matches all nodes
+								Attributes: map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+									"model": {StringValue: ptr.To("SOME-XZY")},
+								},
+								Capacity: map[resourceapi.QualifiedName]resourceapi.DeviceCapacity{
+									"memory": {Value: resource.MustParse("24Gi")}, // 24GB GPU - matches CEL (>= 8GB)
+								},
+							},
+						},
+					},
+				},
+				// Create a resource claim that allocates gpu-1
+				st.MakeResourceClaim().
+					Name("test-claim").
+					Request(deviceClassName).
+					Allocation(&resourceapi.AllocationResult{
+						Devices: resourceapi.DeviceAllocationResult{
+							Results: []resourceapi.DeviceRequestAllocationResult{
+								{
+									Request: "req-1",
+									Driver:  driverName,
+									Pool:    "per-device-pool",
+									Device:  "device-1",
+								},
+							},
+						},
+					}).
+					Obj(),
+			},
+			podRequest:          1,
+			expectedAllocatable: 2, // Only device-1 (matches test-node) and device-3 (matches all nodes)
+			expectedRequested:   2, // 1 allocated (device-1) + 1 requested
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			// Setup environment, create required objects
+			logger, tCtx := ktesting.NewTestContext(t)
+			tCtx, cancel := context.WithCancel(tCtx)
+			defer cancel()
+
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, tc.enableDRAExtendedResource)
+
+			client := fake.NewClientset(tc.objects...)
+			informerFactory := informers.NewSharedInformerFactory(client, 0)
+			resourceSliceTrackerOpts := tracker.Options{
+				SliceInformer: informerFactory.Resource().V1().ResourceSlices(),
+				TaintInformer: informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+				ClassInformer: informerFactory.Resource().V1().DeviceClasses(),
+				KubeClient:    client,
+			}
+			resourceSliceTracker, err := tracker.StartTracker(tCtx, resourceSliceTrackerOpts)
+			if err != nil {
+				t.Fatalf("couldn't start resource slice tracker: %v", err)
+			}
+			draManager := dynamicresources.NewDRAManager(
+				tCtx,
+				assumecache.NewAssumeCache(
+					logger,
+					informerFactory.Resource().V1().ResourceClaims().Informer(),
+					"resource claim",
+					"",
+					nil),
+				resourceSliceTracker,
+				informerFactory)
+
+			if tc.enableDRAExtendedResource {
+				cache := draManager.DeviceClassResolver().(*extendedresourcecache.ExtendedResourceCache)
+				if _, err := informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(cache); err != nil {
+					logger.Error(err, "failed to add device class informer event handler")
+				}
+			}
+
+			informerFactory.Start(tCtx.Done())
+			t.Cleanup(func() {
+				// Now we can wait for all goroutines to stop.
+				informerFactory.Shutdown()
+			})
+			informerFactory.WaitForCacheSync(tCtx.Done())
+
+			nodeInfo := framework.NewNodeInfo()
+			nodeInfo.SetNode(tc.node)
+
+			scorer := &resourceAllocationScorer{
+				enableDRAExtendedResource: tc.enableDRAExtendedResource,
+				draManager:                draManager,
+				draFeatures:               draFeatures,
+				DRACaches: DRACaches{
+					celCache: celCache,
+				},
+			}
+
+			var draPreScoreState *draPreScoreState
+			if tc.enableDRAExtendedResource {
+				var status *fwk.Status
+				draPreScoreState, status = getDRAPreScoredParams(draManager, []config.ResourceSpec{{Name: string(tc.extendedResource)}})
+				if status != nil {
+					t.Fatalf("getting DRA pre-scored params failed: %v", status)
+				}
+			}
+
+			// Test calculateResourceAllocatableRequest API
+			allocatable, requested := scorer.calculateResourceAllocatableRequest(tCtx, nodeInfo, tc.extendedResource, tc.podRequest, draPreScoreState)
+			if !cmp.Equal(allocatable, tc.expectedAllocatable) {
+				t.Errorf("Expected allocatable=%v, but got allocatable=%v", tc.expectedAllocatable, allocatable)
+			}
+			if !cmp.Equal(requested, tc.expectedRequested) {
+				t.Errorf("Expected requested=%v, but got requested=%v", tc.expectedRequested, requested)
+			}
+		})
+	}
+}
+
+// getCachedDeviceMatch checks the cache for a DeviceMatches result
+// returns (matches, found)
+func (r *resourceAllocationScorer) getCachedDeviceMatch(expression string, driver string, poolName string, deviceName string) (bool, bool) {
+	key := buildDeviceMatchCacheKey(expression, driver, poolName, deviceName)
+
+	if value, ok := r.deviceMatchCache.Load(key); ok {
+		return value.(bool), true
+	}
+
+	return false, false
+}
+
+// setCachedDeviceMatch stores a DeviceMatches result in the cache
+func (r *resourceAllocationScorer) setCachedDeviceMatch(expression string, driver string, poolName string, deviceName string, matches bool) {
+	key := buildDeviceMatchCacheKey(expression, driver, poolName, deviceName)
+	r.deviceMatchCache.Store(key, matches)
+}
+
+func TestDeviceMatchCaching(t *testing.T) {
+	// Create a scorer with caching enabled
+	scorer := &resourceAllocationScorer{
+		DRACaches: DRACaches{
+			celCache: cel.NewCache(10, cel.Features{}),
+		},
+	}
+
+	expression := `device.attributes["example.com"].test_attr == "test-value"`
+	driverName := "example.com/test-driver"
+	poolName := "example-pool"
+	deviceName := "device-1"
+
+	// Test cache operations
+	// Initially, cache should be empty
+	matches, found := scorer.getCachedDeviceMatch(expression, driverName, poolName, deviceName)
+	if found {
+		t.Errorf("Cache should be empty initially, but found an entry")
+	}
+	if matches {
+		t.Errorf("Matches should be false initially, but got true")
+	}
+
+	// Store a result in cache
+	scorer.setCachedDeviceMatch(expression, driverName, poolName, deviceName, true)
+
+	// Retrieve from cache
+	matches, found = scorer.getCachedDeviceMatch(expression, driverName, poolName, deviceName)
+	if !found {
+		t.Errorf("Result should be found in cache, but was not")
+	}
+	if !matches {
+		t.Errorf("Cached result should match what we stored, expected true but got false")
+	}
+
+	// Test caching with error
+	scorer.setCachedDeviceMatch(expression, driverName, poolName, deviceName, false)
+
+	matches, found = scorer.getCachedDeviceMatch(expression, driverName, poolName, deviceName)
+	if !found {
+		t.Errorf("Result should be found in cache")
+	}
+	if matches {
+		t.Errorf("Cached result should match what we stored, expected false but got true")
+	}
+
+	// Test that different devices have different cache keys
+	matches, found = scorer.getCachedDeviceMatch(expression, driverName, poolName, "device-2")
+	if found {
+		t.Errorf("Different device should not hit cache")
+	}
+	if matches {
+		t.Errorf("Matches should be false for uncached entry")
+	}
+
+	// Test that different pools have different cache keys
+	matches, found = scorer.getCachedDeviceMatch(expression, driverName, "other-pool", deviceName)
+	if found {
+		t.Errorf("Different pool should not hit cache")
+	}
+	if matches {
+		t.Errorf("Matches should be false for uncached entry")
+	}
+}
+
+func BenchmarkDeviceMatchCaching(b *testing.B) {
+	expression := `device.attributes["example.com"].test_attr == "test-value"`
+	driverName := "example.com/test-driver"
+	poolName := "example-pool"
+	deviceName := "device-1"
+
+	// Create a scorer with caching enabled
+	scorer := &resourceAllocationScorer{
+		DRACaches: DRACaches{
+			celCache: cel.NewCache(10, cel.Features{}),
+		},
+	}
+
+	b.Run("WithoutCache", func(b *testing.B) {
+		// Disable caching by creating a new scorer each time
+		for i := 0; i < b.N; i++ {
+			freshScorer := &resourceAllocationScorer{
+				DRACaches: DRACaches{
+					celCache: cel.NewCache(10, cel.Features{}),
+				},
+			}
+
+			// This will always be a cache miss
+			_, _ = freshScorer.getCachedDeviceMatch(expression, driverName, poolName, deviceName)
+		}
+	})
+
+	b.Run("WithCache", func(b *testing.B) {
+		// Pre-warm the cache
+		scorer.setCachedDeviceMatch(expression, driverName, poolName, deviceName, true)
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			// This should always be a cache hit
+			_, _ = scorer.getCachedDeviceMatch(expression, driverName, poolName, deviceName)
+		}
+	})
+}
+
+// getCachedNodeMatch checks the cache for a NodeMatches result
+func (r *resourceAllocationScorer) getCachedNodeMatch(nodeName string, nodeNameToMatch string, allNodesMatch bool, nodeSelectorHash string) (bool, bool) {
+	key := buildNodeMatchCacheKey(nodeName, nodeNameToMatch, allNodesMatch, nodeSelectorHash)
+
+	if value, ok := r.nodeMatchCache.Load(key); ok {
+		return value.(bool), true
+	}
+
+	return false, false
+}
+
+// setCachedNodeMatch stores a NodeMatches result in the cache
+func (r *resourceAllocationScorer) setCachedNodeMatch(nodeName string, nodeNameToMatch string, allNodesMatch bool, nodeSelectorHash string, matches bool) {
+	key := buildNodeMatchCacheKey(nodeName, nodeNameToMatch, allNodesMatch, nodeSelectorHash)
+	r.nodeMatchCache.Store(key, matches)
+}
+
+func TestNodeMatchCaching(t *testing.T) {
+	// Create a scorer with caching enabled
+	scorer := &resourceAllocationScorer{
+		DRACaches: DRACaches{
+			celCache: cel.NewCache(10, cel.Features{}),
+		},
+	}
+
+	// Create test node
+	testNode := &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node-1",
+			Labels: map[string]string{
+				"zone":          "us-east-1a",
+				"instance.type": "gpu-xlarge",
+			},
+		},
+	}
+
+	// Test cases for different NodeMatches scenarios
+	testCases := []struct {
+		name            string
+		nodeNameToMatch string
+		allNodesMatch   bool
+		nodeSelector    *v1.NodeSelector
+		expectedMatch   bool
+	}{
+		{
+			name:            "exact node name match",
+			nodeNameToMatch: "test-node-1",
+			allNodesMatch:   false,
+			nodeSelector:    nil,
+			expectedMatch:   true,
+		},
+		{
+			name:            "node name mismatch",
+			nodeNameToMatch: "different-node",
+			allNodesMatch:   false,
+			nodeSelector:    nil,
+			expectedMatch:   false,
+		},
+		{
+			name:            "all nodes match",
+			nodeNameToMatch: "",
+			allNodesMatch:   true,
+			nodeSelector:    nil,
+			expectedMatch:   true,
+		},
+		{
+			name:            "node selector match",
+			nodeNameToMatch: "",
+			allNodesMatch:   false,
+			nodeSelector: &v1.NodeSelector{
+				NodeSelectorTerms: []v1.NodeSelectorTerm{
+					{
+						MatchExpressions: []v1.NodeSelectorRequirement{
+							{
+								Key:      "zone",
+								Operator: v1.NodeSelectorOpIn,
+								Values:   []string{"us-east-1a", "us-east-1b"},
+							},
+						},
+					},
+				},
+			},
+			expectedMatch: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			nodeSelectorStr := tc.nodeSelector.String()
+
+			// First call should be a cache miss
+			_, found1 := scorer.getCachedNodeMatch(testNode.Name, tc.nodeNameToMatch, tc.allNodesMatch, nodeSelectorStr)
+			assert.False(t, found1, "Cache should be empty initially")
+
+			// Simulate setting a cached result
+			scorer.setCachedNodeMatch(testNode.Name, tc.nodeNameToMatch, tc.allNodesMatch, nodeSelectorStr, tc.expectedMatch)
+
+			// Second call should be a cache hit
+			matches2, found2 := scorer.getCachedNodeMatch(testNode.Name, tc.nodeNameToMatch, tc.allNodesMatch, nodeSelectorStr)
+			assert.True(t, found2, "Result should be found in cache")
+			assert.Equal(t, tc.expectedMatch, matches2, "Cached result should match expected value")
+		})
+	}
+}
+
+func BenchmarkNodeMatchCaching(b *testing.B) {
+	// Create test node
+	testNode := &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node-1",
+			Labels: map[string]string{
+				"zone":          "us-east-1a",
+				"instance.type": "gpu-xlarge",
+			},
+		},
+	}
+
+	// Create a complex NodeSelector to make the test meaningful
+	nodeSelector := &v1.NodeSelector{
+		NodeSelectorTerms: []v1.NodeSelectorTerm{
+			{
+				MatchExpressions: []v1.NodeSelectorRequirement{
+					{
+						Key:      "zone",
+						Operator: v1.NodeSelectorOpIn,
+						Values:   []string{"us-east-1a", "us-east-1b", "us-west-2a"},
+					},
+					{
+						Key:      "instance.type",
+						Operator: v1.NodeSelectorOpExists,
+					},
+				},
+			},
+		},
+	}
+
+	b.Run("WithoutCache", func(b *testing.B) {
+		nodeSelectorStr := nodeSelector.String()
+
+		// Create a new scorer for each iteration to avoid caching
+		for i := 0; i < b.N; i++ {
+			freshScorer := &resourceAllocationScorer{
+				DRACaches: DRACaches{
+					celCache: cel.NewCache(10, cel.Features{}),
+				},
+			}
+
+			// This will always be a cache miss
+			_, _ = freshScorer.getCachedNodeMatch(testNode.Name, "", false, nodeSelectorStr)
+		}
+	})
+
+	b.Run("WithCache", func(b *testing.B) {
+		nodeSelectorStr := nodeSelector.String()
+
+		// Create a scorer and pre-warm the cache
+		scorer := &resourceAllocationScorer{
+			DRACaches: DRACaches{
+				celCache: cel.NewCache(10, cel.Features{}),
+			},
+		}
+
+		// Pre-warm the cache
+		scorer.setCachedNodeMatch(testNode.Name, "", false, nodeSelectorStr, true)
+
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			// This should always be a cache hit
+			_, _ = scorer.getCachedNodeMatch(testNode.Name, "", false, nodeSelectorStr)
+		}
+	})
+}
diff --git a/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable.go b/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable.go
index f5f328cfe4648..345cc73aff18e 100644
--- a/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable.go
+++ b/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable.go
@@ -21,10 +21,11 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	v1helper "k8s.io/component-helpers/scheduling/corev1"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -36,8 +37,9 @@ type NodeUnschedulable struct {
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.FilterPlugin = &NodeUnschedulable{}
-var _ framework.EnqueueExtensions = &NodeUnschedulable{}
+var _ fwk.FilterPlugin = &NodeUnschedulable{}
+var _ fwk.EnqueueExtensions = &NodeUnschedulable{}
+var _ fwk.SignPlugin = &NodeUnschedulable{}
 
 // Name is the name of the plugin used in the plugin registry and configurations.
 const Name = names.NodeUnschedulable
@@ -85,10 +87,10 @@ func (pl *NodeUnschedulable) isSchedulableAfterPodTolerationChange(logger klog.L
 		// - Taint can be added, but can't be modified nor removed.
 		// - If the Pod already has the toleration, it shouldn't have rejected by this plugin in the first place.
 		//   Meaning, here this Pod has been rejected by this plugin, and hence it shouldn't have the toleration yet.
-		if v1helper.TolerationsTolerateTaint(modifiedPod.Spec.Tolerations, &v1.Taint{
+		if v1helper.TolerationsTolerateTaint(logger, modifiedPod.Spec.Tolerations, &v1.Taint{
 			Key:    v1.TaintNodeUnschedulable,
 			Effect: v1.TaintEffectNoSchedule,
-		}) {
+		}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators)) {
 			// This update makes the pod tolerate the unschedulable taint.
 			logger.V(5).Info("a new toleration is added for the unschedulable Pod, and it may make it schedulable", "pod", klog.KObj(modifiedPod))
 			return fwk.Queue, nil
@@ -129,6 +131,13 @@ func (pl *NodeUnschedulable) Name() string {
 	return Name
 }
 
+// Feasibility and scoring based on the pod's tolerations.
+func (pl *NodeUnschedulable) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.TolerationsSignerName, Value: fwk.TolerationsSigner(pod)},
+	}, nil
+}
+
 // Filter invoked at the filter extension point.
 func (pl *NodeUnschedulable) Filter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
 	node := nodeInfo.Node()
@@ -137,11 +146,12 @@ func (pl *NodeUnschedulable) Filter(ctx context.Context, _ fwk.CycleState, pod *
 		return nil
 	}
 
+	logger := klog.FromContext(ctx)
 	// If pod tolerate unschedulable taint, it's also tolerate `node.Spec.Unschedulable`.
-	podToleratesUnschedulable := v1helper.TolerationsTolerateTaint(pod.Spec.Tolerations, &v1.Taint{
+	podToleratesUnschedulable := v1helper.TolerationsTolerateTaint(logger, pod.Spec.Tolerations, &v1.Taint{
 		Key:    v1.TaintNodeUnschedulable,
 		Effect: v1.TaintEffectNoSchedule,
-	})
+	}, utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators))
 	if !podToleratesUnschedulable {
 		return fwk.NewStatus(fwk.UnschedulableAndUnresolvable, ErrReasonUnschedulable)
 	}
@@ -150,6 +160,6 @@ func (pl *NodeUnschedulable) Filter(ctx context.Context, _ fwk.CycleState, pod *
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, _ framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, _ fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	return &NodeUnschedulable{enableSchedulingQueueHint: fts.EnableSchedulingQueueHint}, nil
 }
diff --git a/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable_test.go b/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable_test.go
index 03b9222b3e1ed..4b39623fe9d20 100644
--- a/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable_test.go
+++ b/pkg/scheduler/framework/plugins/nodeunschedulable/node_unschedulable_test.go
@@ -83,7 +83,7 @@ func TestNodeUnschedulable(t *testing.T) {
 		if err != nil {
 			t.Fatalf("creating plugin: %v", err)
 		}
-		gotStatus := p.(framework.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
+		gotStatus := p.(fwk.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
 		if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 			t.Errorf("status does not match (-want,+got):\n%s", diff)
 		}
diff --git a/pkg/scheduler/framework/plugins/nodevolumelimits/csi.go b/pkg/scheduler/framework/plugins/nodevolumelimits/csi.go
index 6874b2c522450..07be0e040b792 100644
--- a/pkg/scheduler/framework/plugins/nodevolumelimits/csi.go
+++ b/pkg/scheduler/framework/plugins/nodevolumelimits/csi.go
@@ -33,7 +33,6 @@ import (
 	csitrans "k8s.io/csi-translation-lib"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -58,21 +57,23 @@ type InTreeToCSITranslator interface {
 
 // CSILimits is a plugin that checks node volume limits.
 type CSILimits struct {
-	csiNodeLister storagelisters.CSINodeLister
-	pvLister      corelisters.PersistentVolumeLister
-	pvcLister     corelisters.PersistentVolumeClaimLister
-	scLister      storagelisters.StorageClassLister
-	vaLister      storagelisters.VolumeAttachmentLister
+	csiManager      fwk.CSIManager
+	pvLister        corelisters.PersistentVolumeLister
+	pvcLister       corelisters.PersistentVolumeClaimLister
+	scLister        storagelisters.StorageClassLister
+	vaLister        storagelisters.VolumeAttachmentLister
+	csiDriverLister storagelisters.CSIDriverLister
 
 	enableCSIMigrationPortworx bool
 	randomVolumeIDPrefix       string
-
-	translator InTreeToCSITranslator
+	enableVolumeLimitScaling   bool
+	translator                 InTreeToCSITranslator
 }
 
-var _ framework.PreFilterPlugin = &CSILimits{}
-var _ framework.FilterPlugin = &CSILimits{}
-var _ framework.EnqueueExtensions = &CSILimits{}
+var _ fwk.PreFilterPlugin = &CSILimits{}
+var _ fwk.FilterPlugin = &CSILimits{}
+var _ fwk.EnqueueExtensions = &CSILimits{}
+var _ fwk.SignPlugin = &CSILimits{}
 
 // CSIName is the name of the plugin used in the plugin registry and configurations.
 const CSIName = names.NodeVolumeLimits
@@ -116,7 +117,7 @@ func (pl *CSILimits) isSchedulableAfterPodDeleted(logger klog.Logger, pod *v1.Po
 		}
 	}
 
-	logger.V(5).Info("The deleted pod does not impact the scheduling of the unscheduled pod", "deletedPod", klog.KObj(pod), "pod", klog.KObj(deletedPod))
+	logger.V(5).Info("The deleted pod does not impact the scheduling of the unscheduled pod", "pod", klog.KObj(pod), "deletedPod", klog.KObj(deletedPod))
 	return fwk.QueueSkip, nil
 }
 
@@ -234,7 +235,7 @@ func (pl *CSILimits) isSchedulableAfterCSINodeUpdated(logger klog.Logger, pod *v
 // PreFilter invoked at the prefilter extension point
 //
 // If the pod haven't those types of volumes, we'll skip the Filter phase
-func (pl *CSILimits) PreFilter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, _ []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *CSILimits) PreFilter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, _ []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	volumes := pod.Spec.Volumes
 	for i := range volumes {
 		vol := &volumes[i]
@@ -247,7 +248,7 @@ func (pl *CSILimits) PreFilter(ctx context.Context, _ fwk.CycleState, pod *v1.Po
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *CSILimits) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *CSILimits) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -262,7 +263,7 @@ func (pl *CSILimits) Filter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod,
 
 	logger := klog.FromContext(ctx)
 
-	csiNode, err := pl.csiNodeLister.Get(node.Name)
+	csiNode, err := pl.csiManager.CSINodes().Get(node.Name)
 	if err != nil {
 		// TODO: return the error once CSINode is created by default (2 releases)
 		logger.V(5).Info("Could not get a CSINode object for the node", "node", klog.KObj(node), "err", err)
@@ -283,6 +284,19 @@ func (pl *CSILimits) Filter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod,
 		return nil
 	}
 
+	if pl.enableVolumeLimitScaling {
+		for _, driverName := range newVolumes {
+			driverInstalled, err := pl.checkCSIDriverOnNode(driverName, csiNode)
+			if err != nil {
+				return fwk.AsStatus(err)
+			}
+			if !driverInstalled {
+				driverNotInstalledMsg := fmt.Sprintf("%s CSI driver is not installed on the node", driverName)
+				return fwk.NewStatus(fwk.Unschedulable, driverNotInstalledMsg)
+			}
+		}
+	}
+
 	// If the node doesn't have volume limits, the predicate will always be true
 	nodeVolumeLimits := getVolumeLimits(csiNode)
 	if len(nodeVolumeLimits) == 0 {
@@ -339,6 +353,29 @@ func (pl *CSILimits) Filter(ctx context.Context, _ fwk.CycleState, pod *v1.Pod,
 	return nil
 }
 
+func (pl *CSILimits) checkCSIDriverOnNode(pluginName string, csiNode *storagev1.CSINode) (bool, error) {
+	// the registered driver must be a CSI driver to enforce this limit, if we can't find the driver,
+	// we assume the driver may not be a CSI driver and allow the pod to be scheduled.
+	_, err := pl.csiDriverLister.Get(pluginName)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
+		return false, fmt.Errorf("error getting CSIDriver for provider %s: %w", pluginName, err)
+	}
+
+	if csiNode == nil {
+		return false, nil
+	}
+
+	for _, driver := range csiNode.Spec.Drivers {
+		if driver.Name == pluginName {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // filterAttachableVolumes filters the attachable volumes from the pod and adds them to the result map.
 // The result map is a map of volumeUniqueName to driver name. The volumeUniqueName is a unique name for
 // the volume in the format of "driverName/volumeHandle". And driver name is the CSI driver name.
@@ -547,22 +584,24 @@ func (pl *CSILimits) getCSIDriverInfoFromSC(logger klog.Logger, csiNode *storage
 }
 
 // NewCSI initializes a new plugin and returns it.
-func NewCSI(_ context.Context, _ runtime.Object, handle framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func NewCSI(_ context.Context, _ runtime.Object, handle fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	informerFactory := handle.SharedInformerFactory()
 	pvLister := informerFactory.Core().V1().PersistentVolumes().Lister()
 	pvcLister := informerFactory.Core().V1().PersistentVolumeClaims().Lister()
-	csiNodesLister := informerFactory.Storage().V1().CSINodes().Lister()
 	scLister := informerFactory.Storage().V1().StorageClasses().Lister()
 	vaLister := informerFactory.Storage().V1().VolumeAttachments().Lister()
+	csiDriverLister := informerFactory.Storage().V1().CSIDrivers().Lister()
 	csiTranslator := csitrans.New()
 
 	return &CSILimits{
-		csiNodeLister:              csiNodesLister,
+		csiManager:                 handle.SharedCSIManager(),
 		pvLister:                   pvLister,
 		pvcLister:                  pvcLister,
 		scLister:                   scLister,
 		vaLister:                   vaLister,
+		csiDriverLister:            csiDriverLister,
 		enableCSIMigrationPortworx: fts.EnableCSIMigrationPortworx,
+		enableVolumeLimitScaling:   fts.EnableVolumeLimitScaling,
 		randomVolumeIDPrefix:       rand.String(32),
 		translator:                 csiTranslator,
 	}, nil
@@ -620,3 +659,10 @@ func (pl *CSILimits) getNodeVolumeAttachmentInfo(logger klog.Logger, nodeName st
 func getVolumeUniqueName(driverName, volumeHandle string) string {
 	return fmt.Sprintf("%s/%s", driverName, volumeHandle)
 }
+
+// Feasibility and scoring based on the non-synthetic volume sources.
+func (pl *CSILimits) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.VolumesSignerName, Value: fwk.VolumesSigner(pod)},
+	}, nil
+}
diff --git a/pkg/scheduler/framework/plugins/nodevolumelimits/csi_manager.go b/pkg/scheduler/framework/plugins/nodevolumelimits/csi_manager.go
new file mode 100644
index 0000000000000..03650742056ab
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/nodevolumelimits/csi_manager.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodevolumelimits
+
+import (
+	storagev1 "k8s.io/api/storage/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	storagelisters "k8s.io/client-go/listers/storage/v1"
+	fwk "k8s.io/kube-scheduler/framework"
+)
+
+// DefaultCSIManager is an implementation of the CSIManager interface.
+type DefaultCSIManager struct {
+	csiNodeLister *csiNodeListerWrapper
+}
+
+var _ fwk.CSIManager = &DefaultCSIManager{}
+
+func NewCSIManager(csiNodeLister storagelisters.CSINodeLister) *DefaultCSIManager {
+	return &DefaultCSIManager{csiNodeLister: NewCSINodeLister(csiNodeLister)}
+}
+
+func (m *DefaultCSIManager) CSINodes() fwk.CSINodeLister {
+	return m.csiNodeLister
+}
+
+type csiNodeListerWrapper struct {
+	csiNodeLister storagelisters.CSINodeLister
+}
+
+var _ fwk.CSINodeLister = &csiNodeListerWrapper{}
+
+func NewCSINodeLister(csiNodeLister storagelisters.CSINodeLister) *csiNodeListerWrapper {
+	return &csiNodeListerWrapper{csiNodeLister: csiNodeLister}
+}
+
+func (l *csiNodeListerWrapper) List() ([]*storagev1.CSINode, error) {
+	return l.csiNodeLister.List(labels.Everything())
+}
+
+func (l *csiNodeListerWrapper) Get(name string) (*storagev1.CSINode, error) {
+	return l.csiNodeLister.Get(name)
+}
diff --git a/pkg/scheduler/framework/plugins/nodevolumelimits/csi_test.go b/pkg/scheduler/framework/plugins/nodevolumelimits/csi_test.go
index b6e34cc16f2d8..dd0a9eb6c2116 100644
--- a/pkg/scheduler/framework/plugins/nodevolumelimits/csi_test.go
+++ b/pkg/scheduler/framework/plugins/nodevolumelimits/csi_test.go
@@ -26,7 +26,10 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/sets"
 	csitrans "k8s.io/csi-translation-lib"
@@ -639,7 +642,7 @@ func TestCSILimits(t *testing.T) {
 			}
 			csiTranslator := csitrans.New()
 			p := &CSILimits{
-				csiNodeLister:        getFakeCSINodeLister(csiNode),
+				csiManager:           NewCSIManager(getFakeCSINodeLister(csiNode)),
 				pvLister:             getFakeCSIPVLister(test.filterName, test.driverNames...),
 				pvcLister:            append(getFakeCSIPVCLister(test.filterName, scName, test.driverNames...), test.extraClaims...),
 				scLister:             getFakeCSIStorageClassLister(scName, test.driverNames[0]),
@@ -1247,3 +1250,110 @@ func getNodeWithPodAndVolumeLimits(limitSource string, pods []*v1.Pod, limit int
 	nodeInfo.SetNode(node)
 	return nodeInfo, csiNode
 }
+
+// fakeCSIDriverLister is a minimal lister for CSIDriver used in tests.
+type fakeCSIDriverLister []storagev1.CSIDriver
+
+func (l fakeCSIDriverLister) Get(name string) (*storagev1.CSIDriver, error) {
+	for i := range l {
+		if l[i].Name == name {
+			return &l[i], nil
+		}
+	}
+	return nil, apierrors.NewNotFound(schema.GroupResource{Group: "storage.k8s.io", Resource: "csidrivers"}, name)
+}
+
+func (l fakeCSIDriverLister) List(selector labels.Selector) ([]*storagev1.CSIDriver, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func getFakeCSIDriverLister(driverNames ...string) fakeCSIDriverLister {
+	var list fakeCSIDriverLister
+	for _, name := range driverNames {
+		list = append(list, storagev1.CSIDriver{ObjectMeta: metav1.ObjectMeta{Name: name}})
+	}
+	return list
+}
+
+func TestVolumeLimitScalingGate(t *testing.T) {
+	// Pod uses a PVC that resolves to the EBS CSI driver via PV
+	newPod := st.MakePod().PVC("csi-ebs.csi.aws.com-0").Obj()
+
+	cases := []struct {
+		name                     string
+		enableVolumeLimitScaling bool
+		limitSource              string
+		limit                    int32
+		csiDriverPresent         bool
+		wantStatus               *fwk.Status
+	}{
+		{
+			name:                     "gate enabled - fail when driver not installed and CSIDriver exists",
+			enableVolumeLimitScaling: true,
+			limitSource:              "no-csi-driver",
+			limit:                    0,
+			csiDriverPresent:         true,
+			wantStatus:               fwk.NewStatus(fwk.Unschedulable, fmt.Sprintf("%s CSI driver is not installed on the node", ebsCSIDriverName)),
+		},
+		{
+			name:                     "gate disabled - skip driver presence check (regardless of CSIDriver presence)",
+			enableVolumeLimitScaling: false,
+			limitSource:              "no-csi-driver",
+			limit:                    0,
+			csiDriverPresent:         true,
+			wantStatus:               nil,
+		},
+		{
+			name:                     "gate enabled - driver installed within limit",
+			enableVolumeLimitScaling: true,
+			limitSource:              "csinode",
+			limit:                    2,
+			csiDriverPresent:         true,
+			wantStatus:               nil,
+		},
+		{
+			name:                     "gate enabled - allow scheduling when CSIDriver object missing",
+			enableVolumeLimitScaling: true,
+			limitSource:              "no-csi-driver",
+			limit:                    0,
+			csiDriverPresent:         false,
+			wantStatus:               nil,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			node, csiNode := getNodeWithPodAndVolumeLimits(tt.limitSource, []*v1.Pod{}, tt.limit, ebsCSIDriverName)
+
+			csiTranslator := csitrans.New()
+			p := &CSILimits{
+				csiManager: NewCSIManager(getFakeCSINodeLister(csiNode)),
+				pvLister:   getFakeCSIPVLister("csi", ebsCSIDriverName),
+				pvcLister:  getFakeCSIPVCLister("csi", scName, ebsCSIDriverName),
+				scLister:   getFakeCSIStorageClassLister(scName, ebsCSIDriverName),
+				vaLister:   getFakeVolumeAttachmentLister(0, ebsCSIDriverName),
+				csiDriverLister: func() fakeCSIDriverLister {
+					if tt.csiDriverPresent {
+						return getFakeCSIDriverLister(ebsCSIDriverName)
+					}
+					return getFakeCSIDriverLister()
+				}(),
+				enableVolumeLimitScaling: tt.enableVolumeLimitScaling,
+				randomVolumeIDPrefix:     rand.String(32),
+				translator:               csiTranslator,
+			}
+
+			_, ctx := ktesting.NewTestContext(t)
+			// Ensure PreFilter doesn't skip
+			_, preStatus := p.PreFilter(ctx, nil, newPod, nil)
+			if preStatus.Code() == fwk.Skip {
+				t.Fatalf("unexpected PreFilter Skip")
+			}
+			gotStatus := p.Filter(ctx, nil, newPod, node)
+
+			if diff := cmp.Diff(tt.wantStatus, gotStatus, statusCmpOpts...); diff != "" {
+				t.Errorf("Filter status does not match (-want, +got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/common.go b/pkg/scheduler/framework/plugins/podtopologyspread/common.go
index 1a302dd3ab18d..94e0f4d0f9ba7 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/common.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/common.go
@@ -22,6 +22,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	v1helper "k8s.io/component-helpers/scheduling/corev1"
 	"k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
+	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 	"k8s.io/utils/ptr"
@@ -39,7 +40,7 @@ type topologySpreadConstraint struct {
 	NodeTaintsPolicy   v1.NodeInclusionPolicy
 }
 
-func (tsc *topologySpreadConstraint) matchNodeInclusionPolicies(pod *v1.Pod, node *v1.Node, require nodeaffinity.RequiredNodeAffinity) bool {
+func (tsc *topologySpreadConstraint) matchNodeInclusionPolicies(logger klog.Logger, pod *v1.Pod, node *v1.Node, require nodeaffinity.RequiredNodeAffinity, enableComparisonOperators bool) bool {
 	if tsc.NodeAffinityPolicy == v1.NodeInclusionPolicyHonor {
 		// We ignore parsing errors here for backwards compatibility.
 		if match, _ := require.Match(node); !match {
@@ -48,7 +49,7 @@ func (tsc *topologySpreadConstraint) matchNodeInclusionPolicies(pod *v1.Pod, nod
 	}
 
 	if tsc.NodeTaintsPolicy == v1.NodeInclusionPolicyHonor {
-		if _, untolerated := v1helper.FindMatchingUntoleratedTaint(node.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc()); untolerated {
+		if _, untolerated := v1helper.FindMatchingUntoleratedTaint(logger, node.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc(), enableComparisonOperators); untolerated {
 			return false
 		}
 	}
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/filtering.go b/pkg/scheduler/framework/plugins/podtopologyspread/filtering.go
index 060617df16465..cbc1baf397c96 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/filtering.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/filtering.go
@@ -27,7 +27,6 @@ import (
 	"k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 const preFilterStateKey = "PreFilter" + Name
@@ -137,7 +136,7 @@ func (p *criticalPaths) update(tpVal string, num int) {
 }
 
 // PreFilter invoked at the prefilter extension point.
-func (pl *PodTopologySpread) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *PodTopologySpread) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	s, err := pl.calPreFilterState(ctx, pod, nodes)
 	if err != nil {
 		return nil, fwk.AsStatus(err)
@@ -150,33 +149,36 @@ func (pl *PodTopologySpread) PreFilter(ctx context.Context, cycleState fwk.Cycle
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *PodTopologySpread) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *PodTopologySpread) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
 // AddPod from pre-computed data in cycleState.
 func (pl *PodTopologySpread) AddPod(ctx context.Context, cycleState fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+	logger := klog.FromContext(ctx)
+
 	s, err := getPreFilterState(cycleState)
 	if err != nil {
 		return fwk.AsStatus(err)
 	}
 
-	pl.updateWithPod(s, podInfoToAdd.GetPod(), podToSchedule, nodeInfo.Node(), 1)
+	pl.updateWithPod(logger, s, podInfoToAdd.GetPod(), podToSchedule, nodeInfo.Node(), 1)
 	return nil
 }
 
 // RemovePod from pre-computed data in cycleState.
 func (pl *PodTopologySpread) RemovePod(ctx context.Context, cycleState fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+	logger := klog.FromContext(ctx)
 	s, err := getPreFilterState(cycleState)
 	if err != nil {
 		return fwk.AsStatus(err)
 	}
 
-	pl.updateWithPod(s, podInfoToRemove.GetPod(), podToSchedule, nodeInfo.Node(), -1)
+	pl.updateWithPod(logger, s, podInfoToRemove.GetPod(), podToSchedule, nodeInfo.Node(), -1)
 	return nil
 }
 
-func (pl *PodTopologySpread) updateWithPod(s *preFilterState, updatedPod, preemptorPod *v1.Pod, node *v1.Node, delta int) {
+func (pl *PodTopologySpread) updateWithPod(logger klog.Logger, s *preFilterState, updatedPod, preemptorPod *v1.Pod, node *v1.Node, delta int) {
 	if s == nil || updatedPod.Namespace != preemptorPod.Namespace || node == nil {
 		return
 	}
@@ -200,7 +202,7 @@ func (pl *PodTopologySpread) updateWithPod(s *preFilterState, updatedPod, preemp
 		}
 
 		if pl.enableNodeInclusionPolicyInPodTopologySpread &&
-			!constraint.matchNodeInclusionPolicies(preemptorPod, node, requiredSchedulingTerm) {
+			!constraint.matchNodeInclusionPolicies(logger, preemptorPod, node, requiredSchedulingTerm, pl.enableTaintTolerationComparisonOperators) {
 			continue
 		}
 
@@ -241,6 +243,7 @@ func (pl *PodTopologySpread) calPreFilterState(ctx context.Context, pod *v1.Pod,
 		return &preFilterState{}, nil
 	}
 
+	logger := klog.FromContext(ctx)
 	s := preFilterState{
 		Constraints:       constraints,
 		CriticalPaths:     make([]*criticalPaths, len(constraints)),
@@ -272,7 +275,7 @@ func (pl *PodTopologySpread) calPreFilterState(ctx context.Context, pod *v1.Pod,
 		tpCounts := make([]topologyCount, 0, len(constraints))
 		for i, c := range constraints {
 			if pl.enableNodeInclusionPolicyInPodTopologySpread &&
-				!c.matchNodeInclusionPolicies(pod, node, requiredNodeAffinity) {
+				!c.matchNodeInclusionPolicies(logger, pod, node, requiredNodeAffinity, pl.enableTaintTolerationComparisonOperators) {
 				continue
 			}
 
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/filtering_test.go b/pkg/scheduler/framework/plugins/podtopologyspread/filtering_test.go
index 25586b20fc7a4..03fe66078f322 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/filtering_test.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/filtering_test.go
@@ -3457,3 +3457,78 @@ func mustNewPodInfo(t *testing.T, pod *v1.Pod) *framework.PodInfo {
 	}
 	return podInfo
 }
+
+func TestPodTopoSignatures(t *testing.T) {
+	tests := []struct {
+		name              string
+		pod               *v1.Pod
+		expectedSignature []fwk.SignFragment
+		scheduleable      bool
+		config            config.PodTopologySpreadArgs
+	}{
+		{
+			name: "pod w constraints",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					TopologySpreadConstraints: []v1.TopologySpreadConstraint{
+						{
+							TopologyKey: "test",
+						},
+					},
+				},
+			},
+			config: config.PodTopologySpreadArgs{
+				DefaultingType: "System",
+			},
+			scheduleable: false,
+		},
+		{
+			name: "pod no constraints but default",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{},
+			},
+			config: config.PodTopologySpreadArgs{
+				DefaultingType: "System",
+			},
+			scheduleable: false,
+		},
+		{
+			name: "pod no constraints no default",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{},
+			},
+			config: config.PodTopologySpreadArgs{
+				DefaultingType:     "List",
+				DefaultConstraints: []v1.TopologySpreadConstraint{},
+			},
+			scheduleable: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			snapshot := cache.NewSnapshot(nil, nil)
+			state := framework.NewCycleState()
+			pl := plugintesting.SetupPluginWithInformers(ctx, t, frameworkruntime.FactoryAdapter(feature.Features{}, New), &test.config, snapshot, nil)
+			p := pl.(*PodTopologySpread)
+			_, status := p.PreFilter(ctx, state, test.pod, []fwk.NodeInfo{})
+			if status.Code() == fwk.Error {
+				t.Fatalf("Expected success, got error")
+			}
+
+			signature, status := p.SignPod(ctx, test.pod)
+
+			if !status.IsSuccess() && test.scheduleable {
+				t.Fatalf("Expected success, got %v", status)
+			}
+
+			if diff := cmp.Diff(test.expectedSignature, signature); diff != "" {
+				t.Fatalf("Diff %s", diff)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/plugin.go b/pkg/scheduler/framework/plugins/podtopologyspread/plugin.go
index 583a46da147f3..18e7be733d5d7 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/plugin.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/plugin.go
@@ -31,8 +31,6 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -61,9 +59,9 @@ var systemDefaultConstraints = []v1.TopologySpreadConstraint{
 // PodTopologySpread is a plugin that ensures pod's topologySpreadConstraints is satisfied.
 type PodTopologySpread struct {
 	systemDefaulted                              bool
-	parallelizer                                 parallelize.Parallelizer
+	parallelizer                                 fwk.Parallelizer
 	defaultConstraints                           []v1.TopologySpreadConstraint
-	sharedLister                                 framework.SharedLister
+	sharedLister                                 fwk.SharedLister
 	services                                     corelisters.ServiceLister
 	replicationCtrls                             corelisters.ReplicationControllerLister
 	replicaSets                                  appslisters.ReplicaSetLister
@@ -71,13 +69,15 @@ type PodTopologySpread struct {
 	enableNodeInclusionPolicyInPodTopologySpread bool
 	enableMatchLabelKeysInPodTopologySpread      bool
 	enableSchedulingQueueHint                    bool
+	enableTaintTolerationComparisonOperators     bool
 }
 
-var _ framework.PreFilterPlugin = &PodTopologySpread{}
-var _ framework.FilterPlugin = &PodTopologySpread{}
-var _ framework.PreScorePlugin = &PodTopologySpread{}
-var _ framework.ScorePlugin = &PodTopologySpread{}
-var _ framework.EnqueueExtensions = &PodTopologySpread{}
+var _ fwk.PreFilterPlugin = &PodTopologySpread{}
+var _ fwk.FilterPlugin = &PodTopologySpread{}
+var _ fwk.PreScorePlugin = &PodTopologySpread{}
+var _ fwk.ScorePlugin = &PodTopologySpread{}
+var _ fwk.EnqueueExtensions = &PodTopologySpread{}
+var _ fwk.SignPlugin = &PodTopologySpread{}
 
 // Name is the name of the plugin used in the plugin registry and configurations.
 const Name = names.PodTopologySpread
@@ -87,8 +87,23 @@ func (pl *PodTopologySpread) Name() string {
 	return Name
 }
 
+// Pod topology spread is not localized to a pod and node, so we cannot
+// sign pods that have topology spread constraints, either explicit or
+// defaulted.
+func (pl *PodTopologySpread) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	if len(pod.Spec.TopologySpreadConstraints) > 0 {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "pods with topology constraints are not signable")
+	}
+
+	if len(pl.defaultConstraints) > 0 {
+		return nil, fwk.NewStatus(fwk.Unschedulable, "pods with default topology constraints are not signable")
+	}
+
+	return nil, nil
+}
+
 // New initializes a new plugin and returns it.
-func New(_ context.Context, plArgs runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, plArgs runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	if h.SnapshotSharedLister() == nil {
 		return nil, fmt.Errorf("SnapshotSharedlister is nil")
 	}
@@ -106,6 +121,7 @@ func New(_ context.Context, plArgs runtime.Object, h framework.Handle, fts featu
 		enableNodeInclusionPolicyInPodTopologySpread: fts.EnableNodeInclusionPolicyInPodTopologySpread,
 		enableMatchLabelKeysInPodTopologySpread:      fts.EnableMatchLabelKeysInPodTopologySpread,
 		enableSchedulingQueueHint:                    fts.EnableSchedulingQueueHint,
+		enableTaintTolerationComparisonOperators:     fts.EnableTaintTolerationComparisonOperators,
 	}
 	if args.DefaultingType == config.SystemDefaulting {
 		pl.defaultConstraints = systemDefaultConstraints
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/scoring.go b/pkg/scheduler/framework/plugins/podtopologyspread/scoring.go
index 3fa357d11adff..5f2631ace866d 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/scoring.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/scoring.go
@@ -19,6 +19,7 @@ package podtopologyspread
 import (
 	"context"
 	"fmt"
+	"k8s.io/klog/v2"
 	"math"
 	"sync/atomic"
 
@@ -26,7 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 const preScoreStateKey = "PreScore" + Name
@@ -121,6 +121,7 @@ func (pl *PodTopologySpread) PreScore(
 	pod *v1.Pod,
 	filteredNodes []fwk.NodeInfo,
 ) *fwk.Status {
+
 	allNodes, err := pl.sharedLister.NodeInfos().List()
 	if err != nil {
 		return fwk.AsStatus(fmt.Errorf("getting all nodes: %w", err))
@@ -131,6 +132,7 @@ func (pl *PodTopologySpread) PreScore(
 		return fwk.NewStatus(fwk.Skip)
 	}
 
+	logger := klog.FromContext(ctx)
 	state := &preScoreState{
 		IgnoredNodes: sets.New[string](),
 	}
@@ -168,7 +170,8 @@ func (pl *PodTopologySpread) PreScore(
 
 		for i, c := range state.Constraints {
 			if pl.enableNodeInclusionPolicyInPodTopologySpread &&
-				!c.matchNodeInclusionPolicies(pod, node, requiredNodeAffinity) {
+				!c.matchNodeInclusionPolicies(logger, pod, node, requiredNodeAffinity,
+					pl.enableTaintTolerationComparisonOperators) {
 				continue
 			}
 
@@ -223,7 +226,7 @@ func (pl *PodTopologySpread) Score(ctx context.Context, cycleState fwk.CycleStat
 }
 
 // NormalizeScore invoked after scoring all nodes.
-func (pl *PodTopologySpread) NormalizeScore(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
+func (pl *PodTopologySpread) NormalizeScore(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
 	s, err := getPreScoreState(cycleState)
 	if err != nil {
 		return fwk.AsStatus(err)
@@ -255,17 +258,17 @@ func (pl *PodTopologySpread) NormalizeScore(ctx context.Context, cycleState fwk.
 			continue
 		}
 		if maxScore == 0 {
-			scores[i].Score = framework.MaxNodeScore
+			scores[i].Score = fwk.MaxNodeScore
 			continue
 		}
 		s := scores[i].Score
-		scores[i].Score = framework.MaxNodeScore * (maxScore + minScore - s) / maxScore
+		scores[i].Score = fwk.MaxNodeScore * (maxScore + minScore - s) / maxScore
 	}
 	return nil
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *PodTopologySpread) ScoreExtensions() framework.ScoreExtensions {
+func (pl *PodTopologySpread) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
diff --git a/pkg/scheduler/framework/plugins/podtopologyspread/scoring_test.go b/pkg/scheduler/framework/plugins/podtopologyspread/scoring_test.go
index 8c1193bad4e3c..9e74f96def37f 100644
--- a/pkg/scheduler/framework/plugins/podtopologyspread/scoring_test.go
+++ b/pkg/scheduler/framework/plugins/podtopologyspread/scoring_test.go
@@ -628,7 +628,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 		nodes                     []*v1.Node
 		failedNodes               []*v1.Node // nodes + failedNodes = all nodes
 		objs                      []runtime.Object
-		want                      framework.NodeScoreList
+		want                      fwk.NodeScoreList
 		enableNodeInclusionPolicy bool
 		enableMatchLabelKeys      bool
 	}{
@@ -647,7 +647,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-a").Label(v1.LabelHostname, "node-a").Obj(),
 				st.MakeNode().Name("node-b").Label(v1.LabelHostname, "node-b").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 100},
 			},
@@ -669,7 +669,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			failedNodes: []*v1.Node{
 				st.MakeNode().Name("node-b").Label(v1.LabelHostname, "node-b").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 			},
 		},
@@ -686,7 +686,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-a").Label(v1.LabelHostname, "node-a").Obj(),
 				st.MakeNode().Name("node-b").Label(v1.LabelHostname, "node-b").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 100},
 			},
@@ -712,7 +712,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-d").Label(v1.LabelHostname, "node-d").Obj(),
 			},
 			failedNodes: []*v1.Node{},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 20},
 				{Name: "node-b", Score: 60},
 				{Name: "node-c", Score: 100},
@@ -738,7 +738,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-c").Label(v1.LabelHostname, "node-c").Obj(),
 				st.MakeNode().Name("node-d").Label(v1.LabelHostname, "node-d").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 100},
 				{Name: "node-c", Score: 100},
@@ -766,7 +766,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-d").Label(v1.LabelHostname, "node-d").Obj(),
 			},
 			failedNodes: []*v1.Node{},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 33}, // +13, compared to maxSkew=1
 				{Name: "node-b", Score: 66}, // +6, compared to maxSkew=1
 				{Name: "node-c", Score: 100},
@@ -798,7 +798,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-d").Label(v1.LabelHostname, "node-d").Obj(),
 			},
 			failedNodes: []*v1.Node{},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 44}, // +16 compared to maxSkew=1
 				{Name: "node-b", Score: 66}, // +9 compared to maxSkew=1
 				{Name: "node-c", Score: 77}, // +6 compared to maxSkew=1
@@ -831,7 +831,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			objs: []runtime.Object{
 				&v1.Service{Spec: v1.ServiceSpec{Selector: map[string]string{"foo": ""}}},
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				// Same scores as if we were using one spreading constraint.
 				{Name: "node-a", Score: 44},
 				{Name: "node-b", Score: 66},
@@ -865,7 +865,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			failedNodes: []*v1.Node{
 				st.MakeNode().Name("node-y").Label(v1.LabelHostname, "node-y").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 33},
 				{Name: "node-b", Score: 83},
 				{Name: "node-x", Score: 100},
@@ -897,7 +897,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			failedNodes: []*v1.Node{
 				st.MakeNode().Name("node-y").Label(v1.LabelHostname, "node-y").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 16},
 				{Name: "node-b", Score: 0},
 				{Name: "node-x", Score: 100},
@@ -929,7 +929,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			failedNodes: []*v1.Node{
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Label(v1.LabelHostname, "node-y").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 75},
 				{Name: "node-b", Score: 75},
 				{Name: "node-x", Score: 100},
@@ -961,7 +961,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-b").Label("zone", "zone1").Label(v1.LabelHostname, "node-b").Obj(),
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Label(v1.LabelHostname, "node-y").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-x", Score: 63},
 			},
@@ -988,7 +988,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-b").Label("zone", "zone1").Obj(),
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 85},
 				{Name: "node-x", Score: 100},
 			},
@@ -1022,7 +1022,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Label(v1.LabelHostname, "node-y").Obj(),
 			},
 			failedNodes: []*v1.Node{},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 60},
 				{Name: "node-b", Score: 20},
 				{Name: "node-x", Score: 100},
@@ -1049,7 +1049,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Label(v1.LabelHostname, "node-y").Obj(),
 			},
 			failedNodes: []*v1.Node{},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 60},
 				{Name: "node-x", Score: 40},
@@ -1078,7 +1078,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 			failedNodes: []*v1.Node{
 				st.MakeNode().Name("node-y").Label("zone", "zone2").Label(v1.LabelHostname, "node-y").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 50},
 				{Name: "node-b", Score: 25},
 				{Name: "node-x", Score: 100},
@@ -1099,7 +1099,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-a").Label(v1.LabelHostname, "node-a").Obj(),
 				st.MakeNode().Name("node-b").Label(v1.LabelHostname, "node-b").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 33},
 			},
@@ -1117,7 +1117,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-a").Node("node-a").Label("foo", "").Terminating().Obj(),
 				st.MakePod().Name("p-b").Node("node-b").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 100},
 				{Name: "node-b", Score: 0},
 			},
@@ -1148,7 +1148,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b2").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 75},
 				{Name: "node-b", Score: 75},
 				{Name: "node-c", Score: 100},
@@ -1171,7 +1171,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 0},
 				{Name: "node-b", Score: 33},
 				{Name: "node-c", Score: 100},
@@ -1195,7 +1195,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 66},
 				{Name: "node-b", Score: 100},
 				{Name: "node-c", Score: 100},
@@ -1219,7 +1219,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 0},
 				{Name: "node-b", Score: 33},
 				{Name: "node-c", Score: 100},
@@ -1243,7 +1243,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 66},
 				{Name: "node-b", Score: 100},
 				{Name: "node-c", Score: 100},
@@ -1266,7 +1266,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 0},
 				{Name: "node-b", Score: 33},
 				{Name: "node-c", Score: 100},
@@ -1289,7 +1289,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakePod().Name("p-b1").Node("node-b").Label("foo", "").Obj(),
 				st.MakePod().Name("p-c1").Node("node-c").Label("foo", "").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 66},
 				{Name: "node-b", Score: 100},
 				{Name: "node-c", Score: 100},
@@ -1314,7 +1314,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-c").Label("zone", "zone2").Label(v1.LabelHostname, "node-c").Obj(),
 				st.MakeNode().Name("node-d").Label("zone", "zone2").Label(v1.LabelHostname, "node-d").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 60},
 				{Name: "node-b", Score: 20},
 				{Name: "node-c", Score: 60},
@@ -1340,7 +1340,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-c").Label("zone", "zone2").Label(v1.LabelHostname, "node-c").Obj(),
 				st.MakeNode().Name("node-d").Label("zone", "zone2").Label(v1.LabelHostname, "node-d").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 60},
 				{Name: "node-b", Score: 20},
 				{Name: "node-c", Score: 60},
@@ -1367,7 +1367,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				st.MakeNode().Name("node-c").Label("zone", "zone2").Label(v1.LabelHostname, "node-c").Obj(),
 				st.MakeNode().Name("node-d").Label("zone", "zone2").Label(v1.LabelHostname, "node-d").Obj(),
 			},
-			want: []framework.NodeScore{
+			want: []fwk.NodeScore{
 				{Name: "node-a", Score: 60},
 				{Name: "node-b", Score: 20},
 				{Name: "node-c", Score: 60},
@@ -1394,7 +1394,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				t.Errorf("unexpected error: %v", status)
 			}
 
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, n := range tt.nodes {
 				nodeName := n.Name
 				nodeInfo, err := p.sharedLister.NodeInfos().Get(n.Name)
@@ -1405,7 +1405,7 @@ func TestPodTopologySpreadScore(t *testing.T) {
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
 			status = p.NormalizeScore(ctx, state, tt.pod, gotList)
@@ -1479,14 +1479,14 @@ func BenchmarkTestPodTopologySpreadScore(b *testing.B) {
 			b.ResetTimer()
 
 			for i := 0; i < b.N; i++ {
-				var gotList framework.NodeScoreList
+				var gotList fwk.NodeScoreList
 				for _, nodeInfo := range nodeInfos {
 					nodeName := nodeInfo.Node().Name
 					score, status := p.Score(ctx, state, tt.pod, nodeInfo)
 					if !status.IsSuccess() {
 						b.Fatalf("unexpected error: %v", status)
 					}
-					gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+					gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 				}
 
 				status = p.NormalizeScore(ctx, state, tt.pod, gotList)
diff --git a/pkg/scheduler/framework/plugins/queuesort/priority_sort.go b/pkg/scheduler/framework/plugins/queuesort/priority_sort.go
index eeffc45ca1bbd..d1a1179243b9d 100644
--- a/pkg/scheduler/framework/plugins/queuesort/priority_sort.go
+++ b/pkg/scheduler/framework/plugins/queuesort/priority_sort.go
@@ -22,7 +22,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	corev1helpers "k8s.io/component-helpers/scheduling/corev1"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 )
 
@@ -32,7 +31,7 @@ const Name = names.PrioritySort
 // PrioritySort is a plugin that implements Priority based sorting.
 type PrioritySort struct{}
 
-var _ framework.QueueSortPlugin = &PrioritySort{}
+var _ fwk.QueueSortPlugin = &PrioritySort{}
 
 // Name returns name of the plugin.
 func (pl *PrioritySort) Name() string {
@@ -49,6 +48,6 @@ func (pl *PrioritySort) Less(pInfo1, pInfo2 fwk.QueuedPodInfo) bool {
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 	return &PrioritySort{}, nil
 }
diff --git a/pkg/scheduler/framework/plugins/registry.go b/pkg/scheduler/framework/plugins/registry.go
index 76ffb70af8dae..8d945f6319f1f 100644
--- a/pkg/scheduler/framework/plugins/registry.go
+++ b/pkg/scheduler/framework/plugins/registry.go
@@ -22,9 +22,11 @@ import (
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultpreemption"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
 	plfeature "k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/gangscheduling"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/imagelocality"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/interpodaffinity"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeaffinity"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodedeclaredfeatures"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodename"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodeports"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/noderesources"
@@ -52,6 +54,7 @@ func NewInTreeRegistry() runtime.Registry {
 		nodename.Name:                        runtime.FactoryAdapter(fts, nodename.New),
 		nodeports.Name:                       runtime.FactoryAdapter(fts, nodeports.New),
 		nodeaffinity.Name:                    runtime.FactoryAdapter(fts, nodeaffinity.New),
+		nodedeclaredfeatures.Name:            runtime.FactoryAdapter(fts, nodedeclaredfeatures.New),
 		podtopologyspread.Name:               runtime.FactoryAdapter(fts, podtopologyspread.New),
 		nodeunschedulable.Name:               runtime.FactoryAdapter(fts, nodeunschedulable.New),
 		noderesources.Name:                   runtime.FactoryAdapter(fts, noderesources.NewFit),
@@ -65,6 +68,7 @@ func NewInTreeRegistry() runtime.Registry {
 		defaultbinder.Name:                   defaultbinder.New,
 		defaultpreemption.Name:               runtime.FactoryAdapter(fts, defaultpreemption.New),
 		schedulinggates.Name:                 runtime.FactoryAdapter(fts, schedulinggates.New),
+		gangscheduling.Name:                  runtime.FactoryAdapter(fts, gangscheduling.New),
 	}
 
 	return registry
diff --git a/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates.go b/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates.go
index 5e228e3d41d02..b8d4ed8303b27 100644
--- a/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates.go
+++ b/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates.go
@@ -25,7 +25,6 @@ import (
 	"k8s.io/klog/v2"
 
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -39,8 +38,8 @@ type SchedulingGates struct {
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.PreEnqueuePlugin = &SchedulingGates{}
-var _ framework.EnqueueExtensions = &SchedulingGates{}
+var _ fwk.PreEnqueuePlugin = &SchedulingGates{}
+var _ fwk.EnqueueExtensions = &SchedulingGates{}
 
 func (pl *SchedulingGates) Name() string {
 	return Name
@@ -74,7 +73,7 @@ func (pl *SchedulingGates) EventsToRegister(_ context.Context) ([]fwk.ClusterEve
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, _ framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, _ fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	return &SchedulingGates{
 		enableSchedulingQueueHint: fts.EnableSchedulingQueueHint,
 	}, nil
diff --git a/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates_test.go b/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates_test.go
index d5caa50016697..d2818cbdc8ba9 100644
--- a/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates_test.go
+++ b/pkg/scheduler/framework/plugins/schedulinggates/scheduling_gates_test.go
@@ -24,7 +24,6 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	"k8s.io/kubernetes/test/utils/ktesting"
@@ -56,7 +55,7 @@ func TestPreEnqueue(t *testing.T) {
 				t.Fatalf("Creating plugin: %v", err)
 			}
 
-			got := p.(framework.PreEnqueuePlugin).PreEnqueue(ctx, tt.pod)
+			got := p.(fwk.PreEnqueuePlugin).PreEnqueue(ctx, tt.pod)
 			if diff := cmp.Diff(tt.want, got); diff != "" {
 				t.Errorf("unexpected status (-want, +got):\n%s", diff)
 			}
diff --git a/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration.go b/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration.go
index 48b9f2fc86c2d..8dfe2b172f3aa 100644
--- a/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration.go
+++ b/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration.go
@@ -25,7 +25,6 @@ import (
 	v1helper "k8s.io/component-helpers/scheduling/corev1"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
@@ -34,14 +33,16 @@ import (
 
 // TaintToleration is a plugin that checks if a pod tolerates a node's taints.
 type TaintToleration struct {
-	handle                    framework.Handle
-	enableSchedulingQueueHint bool
+	handle                                   fwk.Handle
+	enableSchedulingQueueHint                bool
+	enableTaintTolerationComparisonOperators bool
 }
 
-var _ framework.FilterPlugin = &TaintToleration{}
-var _ framework.PreScorePlugin = &TaintToleration{}
-var _ framework.ScorePlugin = &TaintToleration{}
-var _ framework.EnqueueExtensions = &TaintToleration{}
+var _ fwk.FilterPlugin = &TaintToleration{}
+var _ fwk.PreScorePlugin = &TaintToleration{}
+var _ fwk.ScorePlugin = &TaintToleration{}
+var _ fwk.EnqueueExtensions = &TaintToleration{}
+var _ fwk.SignPlugin = &TaintToleration{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -57,6 +58,13 @@ func (pl *TaintToleration) Name() string {
 	return Name
 }
 
+// Feasibility and scoring based on the pod's tolerations.
+func (pl *TaintToleration) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.TolerationsSignerName, Value: fwk.TolerationsSigner(pod)},
+	}, nil
+}
+
 // EventsToRegister returns the possible events that may make a Pod
 // failed by this plugin schedulable.
 func (pl *TaintToleration) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
@@ -93,10 +101,10 @@ func (pl *TaintToleration) isSchedulableAfterNodeChange(logger klog.Logger, pod
 
 	wasUntolerated := true
 	if originalNode != nil {
-		_, wasUntolerated = v1helper.FindMatchingUntoleratedTaint(originalNode.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc())
+		_, wasUntolerated = v1helper.FindMatchingUntoleratedTaint(logger, originalNode.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc(), pl.enableTaintTolerationComparisonOperators)
 	}
 
-	_, isUntolerated := v1helper.FindMatchingUntoleratedTaint(modifiedNode.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc())
+	_, isUntolerated := v1helper.FindMatchingUntoleratedTaint(logger, modifiedNode.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc(), pl.enableTaintTolerationComparisonOperators)
 
 	if wasUntolerated && !isUntolerated {
 		logger.V(5).Info("node was created or updated, and this may make the Pod rejected by TaintToleration plugin in the previous scheduling cycle schedulable", "pod", klog.KObj(pod), "node", klog.KObj(modifiedNode))
@@ -109,9 +117,12 @@ func (pl *TaintToleration) isSchedulableAfterNodeChange(logger klog.Logger, pod
 
 // Filter invoked at the filter extension point.
 func (pl *TaintToleration) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	logger := klog.FromContext(ctx)
 	node := nodeInfo.Node()
 
-	taint, isUntolerated := v1helper.FindMatchingUntoleratedTaint(node.Spec.Taints, pod.Spec.Tolerations, helper.DoNotScheduleTaintsFilterFunc())
+	taint, isUntolerated := v1helper.FindMatchingUntoleratedTaint(logger, node.Spec.Taints, pod.Spec.Tolerations,
+		helper.DoNotScheduleTaintsFilterFunc(),
+		pl.enableTaintTolerationComparisonOperators)
 	if !isUntolerated {
 		return nil
 	}
@@ -166,14 +177,14 @@ func getPreScoreState(cycleState fwk.CycleState) (*preScoreState, error) {
 }
 
 // CountIntolerableTaintsPreferNoSchedule gives the count of intolerable taints of a pod with effect PreferNoSchedule
-func countIntolerableTaintsPreferNoSchedule(taints []v1.Taint, tolerations []v1.Toleration) (intolerableTaints int) {
+func (pl *TaintToleration) countIntolerableTaintsPreferNoSchedule(logger klog.Logger, taints []v1.Taint, tolerations []v1.Toleration) (intolerableTaints int) {
 	for _, taint := range taints {
 		// check only on taints that have effect PreferNoSchedule
 		if taint.Effect != v1.TaintEffectPreferNoSchedule {
 			continue
 		}
 
-		if !v1helper.TolerationsTolerateTaint(tolerations, &taint) {
+		if !v1helper.TolerationsTolerateTaint(logger, tolerations, &taint, pl.enableTaintTolerationComparisonOperators) {
 			intolerableTaints++
 		}
 	}
@@ -182,6 +193,8 @@ func countIntolerableTaintsPreferNoSchedule(taints []v1.Taint, tolerations []v1.
 
 // Score invoked at the Score extension point.
 func (pl *TaintToleration) Score(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
+	logger := klog.FromContext(ctx)
+
 	node := nodeInfo.Node()
 
 	s, err := getPreScoreState(state)
@@ -189,25 +202,26 @@ func (pl *TaintToleration) Score(ctx context.Context, state fwk.CycleState, pod
 		return 0, fwk.AsStatus(err)
 	}
 
-	score := int64(countIntolerableTaintsPreferNoSchedule(node.Spec.Taints, s.tolerationsPreferNoSchedule))
+	score := int64(pl.countIntolerableTaintsPreferNoSchedule(logger, node.Spec.Taints, s.tolerationsPreferNoSchedule))
 	return score, nil
 }
 
 // NormalizeScore invoked after scoring all nodes.
-func (pl *TaintToleration) NormalizeScore(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
-	return helper.DefaultNormalizeScore(framework.MaxNodeScore, true, scores)
+func (pl *TaintToleration) NormalizeScore(ctx context.Context, _ fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
+	return helper.DefaultNormalizeScore(fwk.MaxNodeScore, true, scores)
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *TaintToleration) ScoreExtensions() framework.ScoreExtensions {
+func (pl *TaintToleration) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, h framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, h fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	return &TaintToleration{
-		handle:                    h,
-		enableSchedulingQueueHint: fts.EnableSchedulingQueueHint,
+		handle:                                   h,
+		enableSchedulingQueueHint:                fts.EnableSchedulingQueueHint,
+		enableTaintTolerationComparisonOperators: fts.EnableTaintTolerationComparisonOperators,
 	}, nil
 }
 
diff --git a/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration_test.go b/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration_test.go
index 3af361cc7b1c5..5c44e3dbe0a49 100644
--- a/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration_test.go
+++ b/pkg/scheduler/framework/plugins/tainttoleration/taint_toleration_test.go
@@ -56,10 +56,11 @@ func podWithTolerations(podName string, tolerations []v1.Toleration) *v1.Pod {
 
 func TestTaintTolerationScore(t *testing.T) {
 	tests := []struct {
-		name         string
-		pod          *v1.Pod
-		nodes        []*v1.Node
-		expectedList framework.NodeScoreList
+		name                               string
+		pod                                *v1.Pod
+		nodes                              []*v1.Node
+		expectedList                       fwk.NodeScoreList
+		enableTaintTolerationComparisonOps bool
 	}{
 		// basic test case
 		{
@@ -82,8 +83,8 @@ func TestTaintTolerationScore(t *testing.T) {
 					Effect: v1.TaintEffectPreferNoSchedule,
 				}}),
 			},
-			expectedList: []framework.NodeScore{
-				{Name: "nodeA", Score: framework.MaxNodeScore},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: fwk.MaxNodeScore},
 				{Name: "nodeB", Score: 0},
 			},
 		},
@@ -124,10 +125,10 @@ func TestTaintTolerationScore(t *testing.T) {
 					},
 				}),
 			},
-			expectedList: []framework.NodeScore{
-				{Name: "nodeA", Score: framework.MaxNodeScore},
-				{Name: "nodeB", Score: framework.MaxNodeScore},
-				{Name: "nodeC", Score: framework.MaxNodeScore},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: fwk.MaxNodeScore},
+				{Name: "nodeB", Score: fwk.MaxNodeScore},
+				{Name: "nodeC", Score: fwk.MaxNodeScore},
 			},
 		},
 		// the count of taints on a node that are not tolerated by pod, matters.
@@ -160,8 +161,8 @@ func TestTaintTolerationScore(t *testing.T) {
 					},
 				}),
 			},
-			expectedList: []framework.NodeScore{
-				{Name: "nodeA", Score: framework.MaxNodeScore},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: fwk.MaxNodeScore},
 				{Name: "nodeB", Score: 50},
 				{Name: "nodeC", Score: 0},
 			},
@@ -203,9 +204,9 @@ func TestTaintTolerationScore(t *testing.T) {
 					},
 				}),
 			},
-			expectedList: []framework.NodeScore{
-				{Name: "nodeA", Score: framework.MaxNodeScore},
-				{Name: "nodeB", Score: framework.MaxNodeScore},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: fwk.MaxNodeScore},
+				{Name: "nodeB", Score: fwk.MaxNodeScore},
 				{Name: "nodeC", Score: 0},
 			},
 		},
@@ -224,11 +225,63 @@ func TestTaintTolerationScore(t *testing.T) {
 					},
 				}),
 			},
-			expectedList: []framework.NodeScore{
-				{Name: "nodeA", Score: framework.MaxNodeScore},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: fwk.MaxNodeScore},
 				{Name: "nodeB", Score: 0},
 			},
 		},
+		{
+			name: "Numeric Gt operator: pod with Gt toleration prefers nodes with matching SLA taint",
+			pod: podWithTolerations("pod1", []v1.Toleration{{
+				Key:      "node.kubernetes.io/sla",
+				Operator: "Gt",
+				Value:    "950",
+				Effect:   v1.TaintEffectPreferNoSchedule,
+			}}),
+			nodes: []*v1.Node{
+				nodeWithTaints("nodeA", []v1.Taint{{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "800",
+					Effect: v1.TaintEffectPreferNoSchedule,
+				}}),
+				nodeWithTaints("nodeB", []v1.Taint{{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "999",
+					Effect: v1.TaintEffectPreferNoSchedule,
+				}}),
+			},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: 0},
+				{Name: "nodeB", Score: fwk.MaxNodeScore},
+			},
+			enableTaintTolerationComparisonOps: true,
+		},
+		{
+			name: "Numeric Lt operator: pod with Lt toleration prefers nodes with matching SLA taint",
+			pod: podWithTolerations("pod1", []v1.Toleration{{
+				Key:      "node.kubernetes.io/sla",
+				Operator: "Lt",
+				Value:    "800",
+				Effect:   v1.TaintEffectPreferNoSchedule,
+			}}),
+			nodes: []*v1.Node{
+				nodeWithTaints("nodeA", []v1.Taint{{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "950",
+					Effect: v1.TaintEffectPreferNoSchedule,
+				}}),
+				nodeWithTaints("nodeB", []v1.Taint{{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "700",
+					Effect: v1.TaintEffectPreferNoSchedule,
+				}}),
+			},
+			expectedList: []fwk.NodeScore{
+				{Name: "nodeA", Score: 0},
+				{Name: "nodeB", Score: fwk.MaxNodeScore},
+			},
+			enableTaintTolerationComparisonOps: true,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
@@ -239,27 +292,29 @@ func TestTaintTolerationScore(t *testing.T) {
 			state := framework.NewCycleState()
 			snapshot := cache.NewSnapshot(nil, test.nodes)
 			fh, _ := runtime.NewFramework(ctx, nil, nil, runtime.WithSnapshotSharedLister(snapshot))
+			p, err := New(ctx, nil, fh, feature.Features{
+				EnableTaintTolerationComparisonOperators: test.enableTaintTolerationComparisonOps,
+			})
 
-			p, err := New(ctx, nil, fh, feature.Features{})
 			if err != nil {
 				t.Fatalf("creating plugin: %v", err)
 			}
 			nodeInfos := tf.BuildNodeInfos(test.nodes)
-			status := p.(framework.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
+			status := p.(fwk.PreScorePlugin).PreScore(ctx, state, test.pod, nodeInfos)
 			if !status.IsSuccess() {
 				t.Errorf("unexpected error: %v", status)
 			}
-			var gotList framework.NodeScoreList
+			var gotList fwk.NodeScoreList
 			for _, nodeInfo := range nodeInfos {
 				nodeName := nodeInfo.Node().Name
-				score, status := p.(framework.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
+				score, status := p.(fwk.ScorePlugin).Score(ctx, state, test.pod, nodeInfo)
 				if !status.IsSuccess() {
 					t.Errorf("unexpected error: %v", status)
 				}
-				gotList = append(gotList, framework.NodeScore{Name: nodeName, Score: score})
+				gotList = append(gotList, fwk.NodeScore{Name: nodeName, Score: score})
 			}
 
-			status = p.(framework.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
+			status = p.(fwk.ScorePlugin).ScoreExtensions().NormalizeScore(ctx, state, test.pod, gotList)
 			if !status.IsSuccess() {
 				t.Errorf("unexpected error: %v", status)
 			}
@@ -273,17 +328,17 @@ func TestTaintTolerationScore(t *testing.T) {
 
 func TestTaintTolerationFilter(t *testing.T) {
 	tests := []struct {
-		name       string
-		pod        *v1.Pod
-		node       *v1.Node
-		wantStatus *fwk.Status
+		name                               string
+		pod                                *v1.Pod
+		node                               *v1.Node
+		wantStatus                         *fwk.Status
+		enableTaintTolerationComparisonOps bool
 	}{
 		{
-			name: "A pod having no tolerations can't be scheduled onto a node with nonempty taints",
-			pod:  podWithTolerations("pod1", []v1.Toleration{}),
-			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "NoSchedule"}}),
-			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable,
-				"node(s) had untolerated taint(s)"),
+			name:       "A pod having no tolerations can't be scheduled onto a node with nonempty taints",
+			pod:        podWithTolerations("pod1", []v1.Toleration{}),
+			node:       nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "NoSchedule"}}),
+			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
 		},
 		{
 			name: "A pod which can be scheduled on a dedicated node assigned to user1 with effect NoSchedule",
@@ -291,11 +346,10 @@ func TestTaintTolerationFilter(t *testing.T) {
 			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "NoSchedule"}}),
 		},
 		{
-			name: "A pod which can't be scheduled on a dedicated node assigned to user2 with effect NoSchedule",
-			pod:  podWithTolerations("pod1", []v1.Toleration{{Key: "dedicated", Operator: "Equal", Value: "user2", Effect: "NoSchedule"}}),
-			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "NoSchedule"}}),
-			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable,
-				"node(s) had untolerated taint(s)"),
+			name:       "A pod which can't be scheduled on a dedicated node assigned to user2 with effect NoSchedule",
+			pod:        podWithTolerations("pod1", []v1.Toleration{{Key: "dedicated", Operator: "Equal", Value: "user2", Effect: "NoSchedule"}}),
+			node:       nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "NoSchedule"}}),
+			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
 		},
 		{
 			name: "A pod can be scheduled onto the node, with a toleration uses operator Exists that tolerates the taints on the node",
@@ -316,10 +370,9 @@ func TestTaintTolerationFilter(t *testing.T) {
 		{
 			name: "A pod has a toleration that keys and values match the taint on the node, but (non-empty) effect doesn't match, " +
 				"can't be scheduled onto the node",
-			pod:  podWithTolerations("pod1", []v1.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "PreferNoSchedule"}}),
-			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "foo", Value: "bar", Effect: "NoSchedule"}}),
-			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable,
-				"node(s) had untolerated taint(s)"),
+			pod:        podWithTolerations("pod1", []v1.Toleration{{Key: "foo", Operator: "Equal", Value: "bar", Effect: "PreferNoSchedule"}}),
+			node:       nodeWithTaints("nodeA", []v1.Taint{{Key: "foo", Value: "bar", Effect: "NoSchedule"}}),
+			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
 		},
 		{
 			name: "The pod has a toleration that keys and values match the taint on the node, the effect of toleration is empty, " +
@@ -339,17 +392,139 @@ func TestTaintTolerationFilter(t *testing.T) {
 			pod:  podWithTolerations("pod1", []v1.Toleration{}),
 			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "dedicated", Value: "user1", Effect: "PreferNoSchedule"}}),
 		},
+		{
+			name:                               "Pod with Gt toleration cannot be scheduled on node when taint value is lower than threshold",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.example.com/priority-level", Operator: "Gt", Value: "950", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.example.com/priority-level", Value: "800", Effect: "NoSchedule"}}),
+			wantStatus:                         fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
+			enableTaintTolerationComparisonOps: true,
+		},
+		{
+			name:                               "Pod with Gt toleration can be scheduled on node when taint value is higher than threshold",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "750", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "950", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: true,
+		},
+		{
+			name:                               "Pod with Lt toleration cannot be scheduled on node when taint value is higher than threshold",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.example.com/priority-level", Operator: "Lt", Value: "800", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.example.com/priority-level", Value: "950", Effect: "NoSchedule"}}),
+			wantStatus:                         fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
+			enableTaintTolerationComparisonOps: true,
+		},
+		{
+			name:                               "Pod with Lt toleration can be scheduled on node when taint value is lower than threshold",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.kubernetes.io/sla", Operator: "Lt", Value: "950", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "800", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: true,
+		},
+		{
+			name: "Pod with Gt toleration cannot be scheduled on node with non-numeric taint value",
+			pod:  podWithTolerations("pod1", []v1.Toleration{{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "950", Effect: "NoSchedule"}}),
+			node: nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "high", Effect: "NoSchedule"}}),
+			wantStatus: fwk.NewStatus(fwk.UnschedulableAndUnresolvable,
+				"node(s) had untolerated taint(s)"),
+			enableTaintTolerationComparisonOps: true,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			_, ctx := ktesting.NewTestContext(t)
 			nodeInfo := framework.NewNodeInfo()
 			nodeInfo.SetNode(test.node)
-			p, err := New(ctx, nil, nil, feature.Features{})
+			p, err := New(ctx, nil, nil, feature.Features{
+				EnableTaintTolerationComparisonOperators: test.enableTaintTolerationComparisonOps,
+			})
+			if err != nil {
+				t.Fatalf("creating plugin: %v", err)
+			}
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
+			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
+				t.Errorf("Unexpected status (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestTaintTolerationFilterWithFeatureGate(t *testing.T) {
+	tests := []struct {
+		name                               string
+		pod                                *v1.Pod
+		node                               *v1.Node
+		enableTaintTolerationComparisonOps bool
+		wantStatus                         *fwk.Status
+	}{
+		{
+			name:                               "Pod with Gt toleration can be scheduled when feature gate is enabled and taint value is higher",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "750", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "950", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: true,
+			wantStatus:                         nil,
+		},
+		{
+			name: "Pod with Gt toleration cannot be scheduled when feature gate is disabled",
+			pod: podWithTolerations("pod1", []v1.Toleration{
+				{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "750", Effect: "NoSchedule"},
+			}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "950", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: false,
+			wantStatus:                         fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
+		},
+		{
+			name:                               "Pod with Lt toleration can be scheduled when feature gate is enabled and taint value is lower",
+			pod:                                podWithTolerations("pod1", []v1.Toleration{{Key: "node.kubernetes.io/sla", Operator: "Lt", Value: "950", Effect: "NoSchedule"}}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "800", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: true,
+			wantStatus:                         nil,
+		},
+		{
+			name: "Pod with Lt toleration cannot be scheduled when feature gate is disabled",
+			pod: podWithTolerations("pod1", []v1.Toleration{
+				{Key: "node.kubernetes.io/sla", Operator: "Lt", Value: "950", Effect: "NoSchedule"},
+			}),
+			node:                               nodeWithTaints("nodeA", []v1.Taint{{Key: "node.kubernetes.io/sla", Value: "800", Effect: "NoSchedule"}}),
+			enableTaintTolerationComparisonOps: false,
+			wantStatus:                         fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
+		},
+		{
+			name: "Pod with mixed tolerations (Equal and Gt) when feature gate is disabled - only Equal is honored",
+			pod: podWithTolerations("pod1", []v1.Toleration{
+				{Key: "dedicated", Operator: "Equal", Value: "user1", Effect: "NoSchedule"},
+				{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "750", Effect: "NoSchedule"},
+			}),
+			node: nodeWithTaints("nodeA", []v1.Taint{
+				{Key: "dedicated", Value: "user1", Effect: "NoSchedule"},
+			}),
+			enableTaintTolerationComparisonOps: false,
+			wantStatus:                         nil,
+		},
+		{
+			name: "Pod with mixed tolerations, Gt toleration needed but filtered out when feature gate is disabled",
+			pod: podWithTolerations("pod1", []v1.Toleration{
+				{Key: "dedicated", Operator: "Equal", Value: "user1", Effect: "NoSchedule"},
+				{Key: "node.kubernetes.io/sla", Operator: "Gt", Value: "750", Effect: "NoSchedule"},
+			}),
+			node: nodeWithTaints("nodeA", []v1.Taint{
+				{Key: "dedicated", Value: "user1", Effect: "NoSchedule"},
+				{Key: "node.kubernetes.io/sla", Value: "950", Effect: "NoSchedule"},
+			}),
+			enableTaintTolerationComparisonOps: false,
+			wantStatus:                         fwk.NewStatus(fwk.UnschedulableAndUnresolvable, "node(s) had untolerated taint(s)"),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			nodeInfo := framework.NewNodeInfo()
+			nodeInfo.SetNode(test.node)
+			p, err := New(ctx, nil, nil, feature.Features{
+				EnableTaintTolerationComparisonOperators: test.enableTaintTolerationComparisonOps,
+			})
 			if err != nil {
 				t.Fatalf("creating plugin: %v", err)
 			}
-			gotStatus := p.(framework.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
+			gotStatus := p.(fwk.FilterPlugin).Filter(ctx, nil, test.pod, nodeInfo)
 			if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 				t.Errorf("Unexpected status (-want,+got):\n%s", diff)
 			}
diff --git a/pkg/scheduler/framework/plugins/testing/testing.go b/pkg/scheduler/framework/plugins/testing/testing.go
index 772da99547c6f..7ea9744265a35 100644
--- a/pkg/scheduler/framework/plugins/testing/testing.go
+++ b/pkg/scheduler/framework/plugins/testing/testing.go
@@ -20,12 +20,12 @@ import (
 	"context"
 	"testing"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 )
 
@@ -38,9 +38,9 @@ func SetupPluginWithInformers(
 	tb testing.TB,
 	pf frameworkruntime.PluginFactory,
 	config runtime.Object,
-	sharedLister framework.SharedLister,
+	sharedLister fwk.SharedLister,
 	objs []runtime.Object,
-) framework.Plugin {
+) fwk.Plugin {
 	objs = append([]runtime.Object{&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: ""}}}, objs...)
 	informerFactory := informers.NewSharedInformerFactory(fake.NewClientset(objs...), 0)
 	fh, err := frameworkruntime.NewFramework(ctx, nil, nil,
@@ -65,8 +65,8 @@ func SetupPlugin(
 	tb testing.TB,
 	pf frameworkruntime.PluginFactory,
 	config runtime.Object,
-	sharedLister framework.SharedLister,
-) framework.Plugin {
+	sharedLister fwk.SharedLister,
+) fwk.Plugin {
 	fh, err := frameworkruntime.NewFramework(ctx, nil, nil,
 		frameworkruntime.WithSnapshotSharedLister(sharedLister))
 	if err != nil {
diff --git a/pkg/scheduler/framework/plugins/volumebinding/assume_cache.go b/pkg/scheduler/framework/plugins/volumebinding/assume_cache.go
index e12fb08a0d488..d62ca6e5543c3 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/assume_cache.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/assume_cache.go
@@ -20,112 +20,57 @@ import (
 	"fmt"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
 	storagehelpers "k8s.io/component-helpers/storage/volume"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 )
 
 // PVAssumeCache is a AssumeCache for PersistentVolume objects
 type PVAssumeCache struct {
-	*assumecache.AssumeCache
-	logger klog.Logger
+	*passiveAssumeCache[*v1.PersistentVolume]
 }
 
 func pvStorageClassIndexFunc(obj interface{}) ([]string, error) {
 	if pv, ok := obj.(*v1.PersistentVolume); ok {
 		return []string{storagehelpers.GetPersistentVolumeClass(pv)}, nil
 	}
-	return []string{""}, fmt.Errorf("object is not a v1.PersistentVolume: %v", obj)
+	return nil, fmt.Errorf("object is not a v1.PersistentVolume: %v", obj)
 }
 
-// NewPVAssumeCache creates a PV assume cache.
-func NewPVAssumeCache(logger klog.Logger, informer assumecache.Informer) *PVAssumeCache {
-	logger = klog.LoggerWithName(logger, "PV Cache")
-	return &PVAssumeCache{
-		AssumeCache: assumecache.NewAssumeCache(logger, informer, "v1.PersistentVolume", "storageclass", pvStorageClassIndexFunc),
-		logger:      logger,
-	}
-}
-
-func (c *PVAssumeCache) GetPV(pvName string) (*v1.PersistentVolume, error) {
-	obj, err := c.Get(pvName)
-	if err != nil {
-		return nil, err
-	}
-
-	pv, ok := obj.(*v1.PersistentVolume)
-	if !ok {
-		return nil, &assumecache.WrongTypeError{TypeName: "v1.PersistentVolume", Object: obj}
-	}
-	return pv, nil
-}
+const storageClassIndex = "storageclass"
 
-func (c *PVAssumeCache) GetAPIPV(pvName string) (*v1.PersistentVolume, error) {
-	obj, err := c.GetAPIObj(pvName)
+// NewPVAssumeCache creates a PV assume cache.
+func NewPVAssumeCache(logger klog.Logger, informer informer) (PVAssumeCache, error) {
+	logger = klog.LoggerWithName(logger, "pv-cache")
+	err := informer.GetIndexer().AddIndexers(map[string]cache.IndexFunc{
+		storageClassIndex: pvStorageClassIndexFunc,
+	})
 	if err != nil {
-		return nil, err
-	}
-	pv, ok := obj.(*v1.PersistentVolume)
-	if !ok {
-		return nil, &assumecache.WrongTypeError{TypeName: "v1.PersistentVolume", Object: obj}
+		// Ignore the error if the index already exists. This can happen if
+		// the same informer is shared among multiple PVAssumeCache, maybe created from multiple profiles.
+		if informer.GetIndexer().GetIndexers()[storageClassIndex] == nil {
+			return PVAssumeCache{}, err
+		}
 	}
-	return pv, nil
+	cache, err := newAssumeCache[*v1.PersistentVolume](logger, informer, schema.GroupResource{Resource: "persistentvolumes"})
+	return PVAssumeCache{cache}, err
 }
 
-func (c *PVAssumeCache) ListPVs(storageClassName string) []*v1.PersistentVolume {
-	objs := c.List(&v1.PersistentVolume{
-		Spec: v1.PersistentVolumeSpec{
-			StorageClassName: storageClassName,
-		},
-	})
-	pvs := []*v1.PersistentVolume{}
-	for _, obj := range objs {
-		pv, ok := obj.(*v1.PersistentVolume)
-		if !ok {
-			c.logger.Error(&assumecache.WrongTypeError{TypeName: "v1.PersistentVolume", Object: obj}, "ListPVs")
-			continue
-		}
-		pvs = append(pvs, pv)
-	}
-	return pvs
+func (c PVAssumeCache) ListPVs(storageClassName string) ([]*v1.PersistentVolume, error) {
+	// This works because we will never change the storage class in scheduler
+	// Assumed PVs needs to be included here to ensure the same PVC will not be bound to another PV in the next scheduling cycle.
+	return c.ByIndex(storageClassIndex, storageClassName)
 }
 
 // PVCAssumeCache is a AssumeCache for PersistentVolumeClaim objects
 type PVCAssumeCache struct {
-	*assumecache.AssumeCache
-	logger klog.Logger
+	*passiveAssumeCache[*v1.PersistentVolumeClaim]
 }
 
 // NewPVCAssumeCache creates a PVC assume cache.
-func NewPVCAssumeCache(logger klog.Logger, informer assumecache.Informer) *PVCAssumeCache {
-	logger = klog.LoggerWithName(logger, "PVC Cache")
-	return &PVCAssumeCache{
-		AssumeCache: assumecache.NewAssumeCache(logger, informer, "v1.PersistentVolumeClaim", "", nil),
-		logger:      logger,
-	}
-}
-
-func (c *PVCAssumeCache) GetPVC(pvcKey string) (*v1.PersistentVolumeClaim, error) {
-	obj, err := c.Get(pvcKey)
-	if err != nil {
-		return nil, err
-	}
-
-	pvc, ok := obj.(*v1.PersistentVolumeClaim)
-	if !ok {
-		return nil, &assumecache.WrongTypeError{TypeName: "v1.PersistentVolumeClaim", Object: obj}
-	}
-	return pvc, nil
-}
-
-func (c *PVCAssumeCache) GetAPIPVC(pvcKey string) (*v1.PersistentVolumeClaim, error) {
-	obj, err := c.GetAPIObj(pvcKey)
-	if err != nil {
-		return nil, err
-	}
-	pvc, ok := obj.(*v1.PersistentVolumeClaim)
-	if !ok {
-		return nil, &assumecache.WrongTypeError{TypeName: "v1.PersistentVolumeClaim", Object: obj}
-	}
-	return pvc, nil
+func NewPVCAssumeCache(logger klog.Logger, informer informer) (PVCAssumeCache, error) {
+	logger = klog.LoggerWithName(logger, "pvc-cache")
+	cache, err := newAssumeCache[*v1.PersistentVolumeClaim](logger, informer, schema.GroupResource{Resource: "persistentvolumeclaims"})
+	return PVCAssumeCache{cache}, err
 }
diff --git a/pkg/scheduler/framework/plugins/volumebinding/assume_cache_test.go b/pkg/scheduler/framework/plugins/volumebinding/assume_cache_test.go
index 4256789a2f047..d5801f0eb20ef 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/assume_cache_test.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/assume_cache_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2017 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,423 +17,39 @@ limitations under the License.
 package volumebinding
 
 import (
-	"fmt"
 	"testing"
 
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/component-helpers/storage/volume"
-	"k8s.io/klog/v2/ktesting"
-	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
-func verifyListPVs(t *testing.T, cache *PVAssumeCache, expectedPVs map[string]*v1.PersistentVolume, storageClassName string) {
-	pvList := cache.ListPVs(storageClassName)
-	if len(pvList) != len(expectedPVs) {
-		t.Errorf("ListPVs() returned %v PVs, expected %v", len(pvList), len(expectedPVs))
-	}
-	for _, pv := range pvList {
-		expectedPV, ok := expectedPVs[pv.Name]
-		if !ok {
-			t.Errorf("ListPVs() returned unexpected PV %q", pv.Name)
-		}
-		if expectedPV != pv {
-			t.Errorf("ListPVs() returned PV %p, expected %p", pv, expectedPV)
-		}
-	}
-}
-
-func verifyPV(cache *PVAssumeCache, name string, expectedPV *v1.PersistentVolume) error {
-	pv, err := cache.GetPV(name)
-	if err != nil {
-		return err
-	}
-	if pv != expectedPV {
-		return fmt.Errorf("GetPV() returned %p, expected %p", pv, expectedPV)
-	}
-	return nil
-}
-
-func TestAssumePV(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	scenarios := map[string]struct {
-		oldPV         *v1.PersistentVolume
-		newPV         *v1.PersistentVolume
-		shouldSucceed bool
-	}{
-		"success-same-version": {
-			oldPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			shouldSucceed: true,
-		},
-		"success-storageclass-same-version": {
-			oldPV:         makePV("pv1", "class1").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "class1").withVersion("5").PersistentVolume,
-			shouldSucceed: true,
-		},
-		"success-new-higher-version": {
-			oldPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("6").PersistentVolume,
-			shouldSucceed: true,
-		},
-		"fail-old-not-found": {
-			oldPV:         makePV("pv2", "").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			shouldSucceed: false,
-		},
-		"fail-new-lower-version": {
-			oldPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("4").PersistentVolume,
-			shouldSucceed: false,
-		},
-		"fail-new-bad-version": {
-			oldPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("a").PersistentVolume,
-			shouldSucceed: false,
-		},
-		"fail-old-bad-version": {
-			oldPV:         makePV("pv1", "").withVersion("a").PersistentVolume,
-			newPV:         makePV("pv1", "").withVersion("5").PersistentVolume,
-			shouldSucceed: false,
-		},
-	}
-
-	for name, scenario := range scenarios {
-		cache := NewPVAssumeCache(logger, nil)
-
-		// Add oldPV to cache
-		assumecache.AddTestObject(cache.AssumeCache, scenario.oldPV)
-		if err := verifyPV(cache, scenario.oldPV.Name, scenario.oldPV); err != nil {
-			t.Errorf("Failed to GetPV() after initial update: %v", err)
-			continue
-		}
-
-		// Assume newPV
-		err := cache.Assume(scenario.newPV)
-		if scenario.shouldSucceed && err != nil {
-			t.Errorf("Test %q failed: Assume() returned error %v", name, err)
-		}
-		if !scenario.shouldSucceed && err == nil {
-			t.Errorf("Test %q failed: Assume() returned success but expected error", name)
-		}
-
-		// Check that GetPV returns correct PV
-		expectedPV := scenario.newPV
-		if !scenario.shouldSucceed {
-			expectedPV = scenario.oldPV
-		}
-		if err := verifyPV(cache, scenario.oldPV.Name, expectedPV); err != nil {
-			t.Errorf("Failed to GetPV() after initial update: %v", err)
-		}
-	}
-}
-
-func TestRestorePV(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVAssumeCache(logger, nil)
-
-	oldPV := makePV("pv1", "").withVersion("5").PersistentVolume
-	newPV := makePV("pv1", "").withVersion("5").PersistentVolume
-
-	// Restore PV that doesn't exist
-	cache.Restore("nothing")
-
-	// Add oldPV to cache
-	assumecache.AddTestObject(cache.AssumeCache, oldPV)
-	if err := verifyPV(cache, oldPV.Name, oldPV); err != nil {
-		t.Fatalf("Failed to GetPV() after initial update: %v", err)
-	}
-
-	// Restore PV
-	cache.Restore(oldPV.Name)
-	if err := verifyPV(cache, oldPV.Name, oldPV); err != nil {
-		t.Fatalf("Failed to GetPV() after initial restore: %v", err)
-	}
-
-	// Assume newPV
-	if err := cache.Assume(newPV); err != nil {
-		t.Fatalf("Assume() returned error %v", err)
-	}
-	if err := verifyPV(cache, oldPV.Name, newPV); err != nil {
-		t.Fatalf("Failed to GetPV() after Assume: %v", err)
-	}
-
-	// Restore PV
-	cache.Restore(oldPV.Name)
-	if err := verifyPV(cache, oldPV.Name, oldPV); err != nil {
-		t.Fatalf("Failed to GetPV() after restore: %v", err)
-	}
-}
-
-func TestBasicPVCache(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVAssumeCache(logger, nil)
-
-	// Get object that doesn't exist
-	pv, err := cache.GetPV("nothere")
-	if err == nil {
-		t.Errorf("GetPV() returned unexpected success")
-	}
-	if pv != nil {
-		t.Errorf("GetPV() returned unexpected PV %q", pv.Name)
-	}
-
-	// Add a bunch of PVs
-	pvs := map[string]*v1.PersistentVolume{}
-	for i := 0; i < 10; i++ {
-		pv := makePV(fmt.Sprintf("test-pv%v", i), "").withVersion("1").PersistentVolume
-		pvs[pv.Name] = pv
-		assumecache.AddTestObject(cache.AssumeCache, pv)
-	}
-
-	// List them
-	verifyListPVs(t, cache, pvs, "")
-
-	// Update a PV
-	updatedPV := makePV("test-pv3", "").withVersion("2").PersistentVolume
-	pvs[updatedPV.Name] = updatedPV
-	assumecache.UpdateTestObject(cache.AssumeCache, updatedPV)
-
-	// List them
-	verifyListPVs(t, cache, pvs, "")
-
-	// Delete a PV
-	deletedPV := pvs["test-pv7"]
-	delete(pvs, deletedPV.Name)
-	assumecache.DeleteTestObject(cache.AssumeCache, deletedPV)
-
-	// List them
-	verifyListPVs(t, cache, pvs, "")
-}
-
-func TestPVCacheWithStorageClasses(t *testing.T) {
+func TestPVAssumeCache(t *testing.T) {
 	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVAssumeCache(logger, nil)
-
-	// Add a bunch of PVs
-	pvs1 := map[string]*v1.PersistentVolume{}
-	for i := 0; i < 10; i++ {
-		pv := makePV(fmt.Sprintf("test-pv%v", i), "class1").withVersion("1").PersistentVolume
-		pvs1[pv.Name] = pv
-		assumecache.AddTestObject(cache.AssumeCache, pv)
+	informer := &testInformer{
+		indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{}),
+		t:       t,
 	}
-
-	// Add a bunch of PVs
-	pvs2 := map[string]*v1.PersistentVolume{}
-	for i := 0; i < 10; i++ {
-		pv := makePV(fmt.Sprintf("test2-pv%v", i), "class2").withVersion("1").PersistentVolume
-		pvs2[pv.Name] = pv
-		assumecache.AddTestObject(cache.AssumeCache, pv)
-	}
-
-	// List them
-	verifyListPVs(t, cache, pvs1, "class1")
-	verifyListPVs(t, cache, pvs2, "class2")
-
-	// Update a PV
-	updatedPV := makePV("test-pv3", "class1").withVersion("2").PersistentVolume
-	pvs1[updatedPV.Name] = updatedPV
-	assumecache.UpdateTestObject(cache.AssumeCache, updatedPV)
-
-	// List them
-	verifyListPVs(t, cache, pvs1, "class1")
-	verifyListPVs(t, cache, pvs2, "class2")
-
-	// Delete a PV
-	deletedPV := pvs1["test-pv7"]
-	delete(pvs1, deletedPV.Name)
-	assumecache.DeleteTestObject(cache.AssumeCache, deletedPV)
-
-	// List them
-	verifyListPVs(t, cache, pvs1, "class1")
-	verifyListPVs(t, cache, pvs2, "class2")
-}
-
-func TestAssumeUpdatePVCache(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVAssumeCache(logger, nil)
-
-	pvName := "test-pv0"
-
-	// Add a PV
-	pv := makePV(pvName, "").withVersion("1").PersistentVolume
-	assumecache.AddTestObject(cache.AssumeCache, pv)
-	if err := verifyPV(cache, pvName, pv); err != nil {
-		t.Fatalf("failed to get PV: %v", err)
-	}
-
-	// Assume PV
-	newPV := pv.DeepCopy()
-	newPV.Spec.ClaimRef = &v1.ObjectReference{Name: "test-claim"}
-	if err := cache.Assume(newPV); err != nil {
-		t.Fatalf("failed to assume PV: %v", err)
-	}
-	if err := verifyPV(cache, pvName, newPV); err != nil {
-		t.Fatalf("failed to get PV after assume: %v", err)
-	}
-
-	// Add old PV
-	assumecache.AddTestObject(cache.AssumeCache, pv)
-	if err := verifyPV(cache, pvName, newPV); err != nil {
-		t.Fatalf("failed to get PV after old PV added: %v", err)
-	}
-}
-
-func makeClaim(name, version, namespace string) *v1.PersistentVolumeClaim {
-	return &v1.PersistentVolumeClaim{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:            name,
-			Namespace:       namespace,
-			ResourceVersion: version,
-			Annotations:     map[string]string{},
-		},
-	}
-}
-
-func verifyPVC(cache *PVCAssumeCache, pvcKey string, expectedPVC *v1.PersistentVolumeClaim) error {
-	pvc, err := cache.GetPVC(pvcKey)
+	cache, err := NewPVAssumeCache(logger, informer)
 	if err != nil {
-		return err
-	}
-	if pvc != expectedPVC {
-		return fmt.Errorf("GetPVC() returned %p, expected %p", pvc, expectedPVC)
+		t.Fatalf("Failed to create PV cache: %v", err)
 	}
-	return nil
-}
-
-func TestAssumePVC(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	scenarios := map[string]struct {
-		oldPVC        *v1.PersistentVolumeClaim
-		newPVC        *v1.PersistentVolumeClaim
-		shouldSucceed bool
-	}{
-		"success-same-version": {
-			oldPVC:        makeClaim("pvc1", "5", "ns1"),
-			newPVC:        makeClaim("pvc1", "5", "ns1"),
-			shouldSucceed: true,
-		},
-		"success-new-higher-version": {
-			oldPVC:        makeClaim("pvc1", "5", "ns1"),
-			newPVC:        makeClaim("pvc1", "6", "ns1"),
-			shouldSucceed: true,
-		},
-		"fail-old-not-found": {
-			oldPVC:        makeClaim("pvc2", "5", "ns1"),
-			newPVC:        makeClaim("pvc1", "5", "ns1"),
-			shouldSucceed: false,
-		},
-		"fail-new-lower-version": {
-			oldPVC:        makeClaim("pvc1", "5", "ns1"),
-			newPVC:        makeClaim("pvc1", "4", "ns1"),
-			shouldSucceed: false,
-		},
-		"fail-new-bad-version": {
-			oldPVC:        makeClaim("pvc1", "5", "ns1"),
-			newPVC:        makeClaim("pvc1", "a", "ns1"),
-			shouldSucceed: false,
-		},
-		"fail-old-bad-version": {
-			oldPVC:        makeClaim("pvc1", "a", "ns1"),
-			newPVC:        makeClaim("pvc1", "5", "ns1"),
-			shouldSucceed: false,
-		},
-	}
-
-	for name, scenario := range scenarios {
-		cache := NewPVCAssumeCache(logger, nil)
-
-		// Add oldPVC to cache
-		assumecache.AddTestObject(cache.AssumeCache, scenario.oldPVC)
-		if err := verifyPVC(cache, getPVCName(scenario.oldPVC), scenario.oldPVC); err != nil {
-			t.Errorf("Failed to GetPVC() after initial update: %v", err)
-			continue
-		}
+	informer.add(makePV("pv1", "sc1").withVersion("1").PersistentVolume)
 
-		// Assume newPVC
-		err := cache.Assume(scenario.newPVC)
-		if scenario.shouldSucceed && err != nil {
-			t.Errorf("Test %q failed: Assume() returned error %v", name, err)
+	verifyPVs := func(cache PVAssumeCache) {
+		pvs, err := cache.ListPVs("sc1")
+		if err != nil {
+			t.Fatalf("Failed to list PVs: %v", err)
 		}
-		if !scenario.shouldSucceed && err == nil {
-			t.Errorf("Test %q failed: Assume() returned success but expected error", name)
+		if len(pvs) != 1 || pvs[0].Name != "pv1" {
+			t.Errorf("Unexpected PVs: %v", pvs)
 		}
-
-		// Check that GetPVC returns correct PVC
-		expectedPV := scenario.newPVC
-		if !scenario.shouldSucceed {
-			expectedPV = scenario.oldPVC
-		}
-		if err := verifyPVC(cache, getPVCName(scenario.oldPVC), expectedPV); err != nil {
-			t.Errorf("Failed to GetPVC() after initial update: %v", err)
-		}
-	}
-}
-
-func TestRestorePVC(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVCAssumeCache(logger, nil)
-
-	oldPVC := makeClaim("pvc1", "5", "ns1")
-	newPVC := makeClaim("pvc1", "5", "ns1")
-
-	// Restore PVC that doesn't exist
-	cache.Restore("nothing")
-
-	// Add oldPVC to cache
-	assumecache.AddTestObject(cache.AssumeCache, oldPVC)
-	if err := verifyPVC(cache, getPVCName(oldPVC), oldPVC); err != nil {
-		t.Fatalf("Failed to GetPVC() after initial update: %v", err)
 	}
+	verifyPVs(cache)
 
-	// Restore PVC
-	cache.Restore(getPVCName(oldPVC))
-	if err := verifyPVC(cache, getPVCName(oldPVC), oldPVC); err != nil {
-		t.Fatalf("Failed to GetPVC() after initial restore: %v", err)
-	}
-
-	// Assume newPVC
-	if err := cache.Assume(newPVC); err != nil {
-		t.Fatalf("Assume() returned error %v", err)
-	}
-	if err := verifyPVC(cache, getPVCName(oldPVC), newPVC); err != nil {
-		t.Fatalf("Failed to GetPVC() after Assume: %v", err)
-	}
-
-	// Restore PVC
-	cache.Restore(getPVCName(oldPVC))
-	if err := verifyPVC(cache, getPVCName(oldPVC), oldPVC); err != nil {
-		t.Fatalf("Failed to GetPVC() after restore: %v", err)
-	}
-}
-
-func TestAssumeUpdatePVCCache(t *testing.T) {
-	logger, _ := ktesting.NewTestContext(t)
-	cache := NewPVCAssumeCache(logger, nil)
-
-	pvcName := "test-pvc0"
-	pvcNamespace := "test-ns"
-
-	// Add a PVC
-	pvc := makeClaim(pvcName, "1", pvcNamespace)
-	assumecache.AddTestObject(cache.AssumeCache, pvc)
-	if err := verifyPVC(cache, getPVCName(pvc), pvc); err != nil {
-		t.Fatalf("failed to get PVC: %v", err)
-	}
-
-	// Assume PVC
-	newPVC := pvc.DeepCopy()
-	newPVC.Annotations[volume.AnnSelectedNode] = "test-node"
-	if err := cache.Assume(newPVC); err != nil {
-		t.Fatalf("failed to assume PVC: %v", err)
-	}
-	if err := verifyPVC(cache, getPVCName(pvc), newPVC); err != nil {
-		t.Fatalf("failed to get PVC after assume: %v", err)
-	}
-
-	// Add old PVC
-	assumecache.AddTestObject(cache.AssumeCache, pvc)
-	if err := verifyPVC(cache, getPVCName(pvc), newPVC); err != nil {
-		t.Fatalf("failed to get PVC after old PVC added: %v", err)
+	// Shared informer
+	cache2, err := NewPVAssumeCache(logger, informer)
+	if err != nil {
+		t.Fatalf("Failed to create PV cache2: %v", err)
 	}
+	verifyPVs(cache2)
 }
diff --git a/pkg/scheduler/framework/plugins/volumebinding/binder.go b/pkg/scheduler/framework/plugins/volumebinding/binder.go
index 9d376b644e024..f4c9a22fc1f0d 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/binder.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/binder.go
@@ -46,7 +46,6 @@ import (
 	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/volumebinding/metrics"
-	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 )
 
 // ConflictReason is used for the special strings which explain why
@@ -217,8 +216,8 @@ type volumeBinder struct {
 	nodeLister    corelisters.NodeLister
 	csiNodeLister storagelisters.CSINodeLister
 
-	pvcCache *PVCAssumeCache
-	pvCache  *PVAssumeCache
+	pvcCache PVCAssumeCache
+	pvCache  PVAssumeCache
 
 	// Amount of time to wait for the bind operation to succeed
 	bindTimeout time.Duration
@@ -253,7 +252,13 @@ func NewVolumeBinder(
 	pvInformer coreinformers.PersistentVolumeInformer,
 	storageClassInformer storageinformers.StorageClassInformer,
 	capacityCheck CapacityCheck,
-	bindTimeout time.Duration) SchedulerVolumeBinder {
+	bindTimeout time.Duration) (SchedulerVolumeBinder, error) {
+
+	pvcCache, err1 := NewPVCAssumeCache(logger, pvcInformer.Informer())
+	pvCache, err2 := NewPVAssumeCache(logger, pvInformer.Informer())
+	if err := errors.Join(err1, err2); err != nil {
+		return nil, err
+	}
 	b := &volumeBinder{
 		kubeClient:                  kubeClient,
 		enableVolumeAttributesClass: fts.EnableVolumeAttributesClass,
@@ -262,8 +267,8 @@ func NewVolumeBinder(
 		classLister:                 storageClassInformer.Lister(),
 		nodeLister:                  nodeInformer.Lister(),
 		csiNodeLister:               csiNodeInformer.Lister(),
-		pvcCache:                    NewPVCAssumeCache(logger, pvcInformer.Informer()),
-		pvCache:                     NewPVAssumeCache(logger, pvInformer.Informer()),
+		pvcCache:                    pvcCache,
+		pvCache:                     pvCache,
 		bindTimeout:                 bindTimeout,
 		translator:                  csitrans.New(),
 	}
@@ -271,7 +276,7 @@ func NewVolumeBinder(
 	b.csiDriverLister = capacityCheck.CSIDriverInformer.Lister()
 	b.csiStorageCapacityLister = capacityCheck.CSIStorageCapacityInformer.Lister()
 
-	return b
+	return b, nil
 }
 
 // FindPodVolumes finds the matching PVs for PVCs and nodes to provision PVs
@@ -620,12 +625,12 @@ func (b *volumeBinder) checkBindings(logger klog.Logger, pod *v1.Pod, bindings [
 	}
 
 	for _, binding := range bindings {
-		pv, err := b.pvCache.GetAPIPV(binding.pv.Name)
+		pv, err := b.pvCache.GetAPIObj(binding.pv.Name)
 		if err != nil {
 			return false, fmt.Errorf("failed to check binding: %w", err)
 		}
 
-		pvc, err := b.pvcCache.GetAPIPVC(getPVCName(binding.pvc))
+		pvc, err := b.pvcCache.GetAPIObj(getPVCName(binding.pvc))
 		if err != nil {
 			return false, fmt.Errorf("failed to check binding: %w", err)
 		}
@@ -658,7 +663,7 @@ func (b *volumeBinder) checkBindings(logger klog.Logger, pod *v1.Pod, bindings [
 	}
 
 	for _, claim := range claimsToProvision {
-		pvc, err := b.pvcCache.GetAPIPVC(getPVCName(claim))
+		pvc, err := b.pvcCache.GetAPIObj(getPVCName(claim))
 		if err != nil {
 			return false, fmt.Errorf("failed to check provisioning pvc: %w", err)
 		}
@@ -683,9 +688,9 @@ func (b *volumeBinder) checkBindings(logger klog.Logger, pod *v1.Pod, bindings [
 
 		// If the PVC is bound to a PV, check its node affinity
 		if pvc.Spec.VolumeName != "" {
-			pv, err := b.pvCache.GetAPIPV(pvc.Spec.VolumeName)
+			pv, err := b.pvCache.GetAPIObj(pvc.Spec.VolumeName)
 			if err != nil {
-				if errors.Is(err, assumecache.ErrNotFound) {
+				if apierrors.IsNotFound(err) {
 					// We tolerate NotFound error here, because PV is possibly
 					// not found because of API delay, we can check next time.
 					// And if PV does not exist because it's deleted, PVC will
@@ -749,7 +754,7 @@ func (b *volumeBinder) isPVCBound(logger klog.Logger, namespace, pvcName string)
 		},
 	}
 	pvcKey := getPVCName(claim)
-	pvc, err := b.pvcCache.GetPVC(pvcKey)
+	pvc, err := b.pvcCache.Get(pvcKey)
 	if err != nil || pvc == nil {
 		return false, nil, fmt.Errorf("error getting PVC %q: %v", pvcKey, err)
 	}
@@ -822,7 +827,11 @@ func (b *volumeBinder) GetPodVolumeClaims(logger klog.Logger, pod *v1.Pod) (podV
 	for _, pvc := range podVolumeClaims.unboundClaimsDelayBinding {
 		// Get storage class name from each PVC
 		storageClassName := volume.GetPersistentVolumeClaimClass(pvc)
-		podVolumeClaims.unboundVolumesDelayBinding[storageClassName] = b.pvCache.ListPVs(storageClassName)
+		pvs, err := b.pvCache.ListPVs(storageClassName)
+		if err != nil {
+			return nil, err
+		}
+		podVolumeClaims.unboundVolumesDelayBinding[storageClassName] = pvs
 	}
 	return podVolumeClaims, nil
 }
@@ -836,9 +845,9 @@ func (b *volumeBinder) checkBoundClaims(logger klog.Logger, claims []*v1.Persist
 
 	for _, pvc := range claims {
 		pvName := pvc.Spec.VolumeName
-		pv, err := b.pvCache.GetPV(pvName)
+		pv, err := b.pvCache.Get(pvName)
 		if err != nil {
-			if errors.Is(err, assumecache.ErrNotFound) {
+			if apierrors.IsNotFound(err) {
 				err = nil
 			}
 			return true, false, err
@@ -954,13 +963,13 @@ func (b *volumeBinder) checkVolumeProvisions(logger klog.Logger, pod *v1.Pod, cl
 
 func (b *volumeBinder) revertAssumedPVs(bindings []*BindingInfo) {
 	for _, BindingInfo := range bindings {
-		b.pvCache.Restore(BindingInfo.pv.Name)
+		b.pvCache.Restore(BindingInfo.pv)
 	}
 }
 
 func (b *volumeBinder) revertAssumedPVCs(claims []*v1.PersistentVolumeClaim) {
 	for _, claim := range claims {
-		b.pvcCache.Restore(getPVCName(claim))
+		b.pvcCache.Restore(claim)
 	}
 }
 
diff --git a/pkg/scheduler/framework/plugins/volumebinding/binder_test.go b/pkg/scheduler/framework/plugins/volumebinding/binder_test.go
index 638e820c7d052..1273c10a6f7e4 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/binder_test.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/binder_test.go
@@ -46,7 +46,6 @@ import (
 	"k8s.io/kubernetes/pkg/controller"
 	pvtesting "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/testing"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
-	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
 )
 
 var (
@@ -170,7 +169,7 @@ func newTestBinder(t *testing.T, ctx context.Context) *testEnv {
 		CSIDriverInformer:          csiDriverInformer,
 		CSIStorageCapacityInformer: csiStorageCapacityInformer,
 	}
-	binder := NewVolumeBinder(
+	binder, err := NewVolumeBinder(
 		logger,
 		client,
 		feature.Features{},
@@ -182,6 +181,9 @@ func newTestBinder(t *testing.T, ctx context.Context) *testEnv {
 		classInformer,
 		capacityCheck,
 		10*time.Second)
+	if err != nil {
+		t.Fatalf("Failed to create VolumeBinder: %v", err)
+	}
 
 	// Wait for informers cache sync
 	informerFactory.Start(ctx.Done())
@@ -296,9 +298,11 @@ func (env *testEnv) addCSIStorageCapacities(capacities []*storagev1.CSIStorageCa
 	}
 }
 
-func (env *testEnv) initClaims(cachedPVCs []*v1.PersistentVolumeClaim, apiPVCs []*v1.PersistentVolumeClaim) {
+func (env *testEnv) initClaims(t *testing.T, cachedPVCs []*v1.PersistentVolumeClaim, apiPVCs []*v1.PersistentVolumeClaim) {
 	for _, pvc := range cachedPVCs {
-		assumecache.AddTestObject(env.internalBinder.pvcCache.AssumeCache, pvc)
+		if err := env.internalBinder.pvcCache.store.Add(pvc); err != nil {
+			t.Fatalf("error adding PVC %s/%s to cache: %v", pvc.Namespace, pvc.Name, err)
+		}
 		if apiPVCs == nil {
 			env.reactor.AddClaim(pvc)
 		}
@@ -308,9 +312,11 @@ func (env *testEnv) initClaims(cachedPVCs []*v1.PersistentVolumeClaim, apiPVCs [
 	}
 }
 
-func (env *testEnv) initVolumes(cachedPVs []*v1.PersistentVolume, apiPVs []*v1.PersistentVolume) {
+func (env *testEnv) initVolumes(t *testing.T, cachedPVs []*v1.PersistentVolume, apiPVs []*v1.PersistentVolume) {
 	for _, pv := range cachedPVs {
-		assumecache.AddTestObject(env.internalBinder.pvCache.AssumeCache, pv)
+		if err := env.internalBinder.pvCache.store.Add(pv); err != nil {
+			t.Fatalf("error adding PV %s to cache: %v", pv.Name, err)
+		}
 		if apiPVs == nil {
 			env.reactor.AddVolume(pv)
 		}
@@ -318,7 +324,6 @@ func (env *testEnv) initVolumes(cachedPVs []*v1.PersistentVolume, apiPVs []*v1.P
 	for _, pv := range apiPVs {
 		env.reactor.AddVolume(pv)
 	}
-
 }
 
 func (env *testEnv) updateVolumes(ctx context.Context, pvs []*v1.PersistentVolume) error {
@@ -331,14 +336,10 @@ func (env *testEnv) updateVolumes(ctx context.Context, pvs []*v1.PersistentVolum
 	}
 	return wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 3*time.Second, false, func(ctx context.Context) (bool, error) {
 		for _, pv := range pvs {
-			obj, err := env.internalBinder.pvCache.GetAPIObj(pv.Name)
-			if obj == nil || err != nil {
+			pvInCache, err := env.internalBinder.pvCache.GetAPIObj(pv.Name)
+			if pvInCache == nil || err != nil {
 				return false, nil
 			}
-			pvInCache, ok := obj.(*v1.PersistentVolume)
-			if !ok {
-				return false, fmt.Errorf("PV %s invalid object", pvInCache.Name)
-			}
 			if versioner.CompareResourceVersion(pvInCache, pv) != 0 {
 				return false, nil
 			}
@@ -357,14 +358,10 @@ func (env *testEnv) updateClaims(ctx context.Context, pvcs []*v1.PersistentVolum
 	}
 	return wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 3*time.Second, false, func(ctx context.Context) (bool, error) {
 		for _, pvc := range pvcs {
-			obj, err := env.internalBinder.pvcCache.GetAPIObj(getPVCName(pvc))
-			if obj == nil || err != nil {
+			pvcInCache, err := env.internalBinder.pvcCache.GetAPIObj(getPVCName(pvc))
+			if pvcInCache == nil || err != nil {
 				return false, nil
 			}
-			pvcInCache, ok := obj.(*v1.PersistentVolumeClaim)
-			if !ok {
-				return false, fmt.Errorf("PVC %s invalid object", pvcInCache.Name)
-			}
 			if versioner.CompareResourceVersion(pvcInCache, pvc) != 0 {
 				return false, nil
 			}
@@ -373,15 +370,19 @@ func (env *testEnv) updateClaims(ctx context.Context, pvcs []*v1.PersistentVolum
 	})
 }
 
-func (env *testEnv) deleteVolumes(pvs []*v1.PersistentVolume) {
+func (env *testEnv) deleteVolumes(t *testing.T, pvs []*v1.PersistentVolume) {
 	for _, pv := range pvs {
-		assumecache.DeleteTestObject(env.internalBinder.pvCache.AssumeCache, pv)
+		if err := env.internalBinder.pvCache.store.Delete(pv); err != nil {
+			t.Fatalf("Error deleting PV %s: %v", pv.Name, err)
+		}
 	}
 }
 
-func (env *testEnv) deleteClaims(pvcs []*v1.PersistentVolumeClaim) {
+func (env *testEnv) deleteClaims(t *testing.T, pvcs []*v1.PersistentVolumeClaim) {
 	for _, pvc := range pvcs {
-		assumecache.DeleteTestObject(env.internalBinder.pvcCache.AssumeCache, pvc)
+		if err := env.internalBinder.pvcCache.store.Delete(pvc); err != nil {
+			t.Fatalf("Error deleting PVC %s/%s: %v", pvc.Namespace, pvc.Name, err)
+		}
 	}
 }
 
@@ -453,9 +454,9 @@ func (env *testEnv) validateAssume(t *testing.T, pod *v1.Pod, bindings []*Bindin
 	// Check pv cache
 	pvCache := env.internalBinder.pvCache
 	for _, b := range bindings {
-		pv, err := pvCache.GetPV(b.pv.Name)
+		pv, err := pvCache.Get(b.pv.Name)
 		if err != nil {
-			t.Errorf("GetPV %q returned error: %v", b.pv.Name, err)
+			t.Errorf("Get PV %q returned error: %v", b.pv.Name, err)
 			continue
 		}
 		if pv.Spec.ClaimRef == nil {
@@ -474,9 +475,9 @@ func (env *testEnv) validateAssume(t *testing.T, pod *v1.Pod, bindings []*Bindin
 	pvcCache := env.internalBinder.pvcCache
 	for _, p := range provisionings {
 		pvcKey := getPVCName(p)
-		pvc, err := pvcCache.GetPVC(pvcKey)
+		pvc, err := pvcCache.Get(pvcKey)
 		if err != nil {
-			t.Errorf("GetPVC %q returned error: %v", pvcKey, err)
+			t.Errorf("Get PVC %q returned error: %v", pvcKey, err)
 			continue
 		}
 		if pvc.Annotations[volume.AnnSelectedNode] != nodeLabelValue {
@@ -489,8 +490,8 @@ func (env *testEnv) validateCacheRestored(t *testing.T, pod *v1.Pod, bindings []
 	// All PVs have been unmodified in cache
 	pvCache := env.internalBinder.pvCache
 	for _, b := range bindings {
-		pv, _ := pvCache.GetPV(b.pv.Name)
-		apiPV, _ := pvCache.GetAPIPV(b.pv.Name)
+		pv, _ := pvCache.Get(b.pv.Name)
+		apiPV, _ := pvCache.GetAPIObj(b.pv.Name)
 		// PV could be nil if it's missing from cache
 		if pv != nil && pv != apiPV {
 			t.Errorf("PV %q was modified in cache", b.pv.Name)
@@ -501,9 +502,9 @@ func (env *testEnv) validateCacheRestored(t *testing.T, pod *v1.Pod, bindings []
 	pvcCache := env.internalBinder.pvcCache
 	for _, p := range provisionings {
 		pvcKey := getPVCName(p)
-		pvc, err := pvcCache.GetPVC(pvcKey)
+		pvc, err := pvcCache.Get(pvcKey)
 		if err != nil {
-			t.Errorf("GetPVC %q returned error: %v", pvcKey, err)
+			t.Errorf("Get PVC %q returned error: %v", pvcKey, err)
 			continue
 		}
 		if pvc.Annotations[volume.AnnSelectedNode] != "" {
@@ -521,9 +522,9 @@ func (env *testEnv) validateBind(
 	// Check pv cache
 	pvCache := env.internalBinder.pvCache
 	for _, pv := range expectedPVs {
-		cachedPV, err := pvCache.GetPV(pv.Name)
+		cachedPV, err := pvCache.Get(pv.Name)
 		if err != nil {
-			t.Errorf("GetPV %q returned error: %v", pv.Name, err)
+			t.Errorf("Get PV %q returned error: %v", pv.Name, err)
 		}
 		// Cache may be overridden by API object with higher version, compare but ignore resource version.
 		newCachedPV := cachedPV.DeepCopy()
@@ -548,9 +549,9 @@ func (env *testEnv) validateProvision(
 	// Check pvc cache
 	pvcCache := env.internalBinder.pvcCache
 	for _, pvc := range expectedPVCs {
-		cachedPVC, err := pvcCache.GetPVC(getPVCName(pvc))
+		cachedPVC, err := pvcCache.Get(getPVCName(pvc))
 		if err != nil {
-			t.Errorf("GetPVC %q returned error: %v", getPVCName(pvc), err)
+			t.Errorf("Get PVC %q returned error: %v", getPVCName(pvc), err)
 		}
 		// Cache may be overridden by API object with higher version, compare but ignore resource version.
 		newCachedPVC := cachedPVC.DeepCopy()
@@ -986,7 +987,7 @@ func TestFindPodVolumesWithoutProvisioning(t *testing.T) {
 
 		// Setup
 		testEnv := newTestBinder(t, ctx)
-		testEnv.initVolumes(scenario.pvs, scenario.pvs)
+		testEnv.initVolumes(t, scenario.pvs, scenario.pvs)
 		if csiDriver != nil {
 			testEnv.addCSIDriver(csiDriver)
 		}
@@ -995,7 +996,7 @@ func TestFindPodVolumesWithoutProvisioning(t *testing.T) {
 		if scenario.cachePVCs == nil {
 			scenario.cachePVCs = scenario.podPVCs
 		}
-		testEnv.initClaims(scenario.cachePVCs, scenario.cachePVCs)
+		testEnv.initClaims(t, scenario.cachePVCs, scenario.cachePVCs)
 
 		// b. Generate pod with given claims
 		if scenario.pod == nil {
@@ -1114,7 +1115,7 @@ func TestFindPodVolumesWithProvisioning(t *testing.T) {
 
 		// Setup
 		testEnv := newTestBinder(t, ctx)
-		testEnv.initVolumes(scenario.pvs, scenario.pvs)
+		testEnv.initVolumes(t, scenario.pvs, scenario.pvs)
 		if csiDriver != nil {
 			testEnv.addCSIDriver(csiDriver)
 		}
@@ -1123,7 +1124,7 @@ func TestFindPodVolumesWithProvisioning(t *testing.T) {
 		if scenario.cachePVCs == nil {
 			scenario.cachePVCs = scenario.podPVCs
 		}
-		testEnv.initClaims(scenario.cachePVCs, scenario.cachePVCs)
+		testEnv.initClaims(t, scenario.cachePVCs, scenario.cachePVCs)
 
 		// b. Generate pod with given claims
 		if scenario.pod == nil {
@@ -1222,7 +1223,7 @@ func TestFindPodVolumesWithCSIMigration(t *testing.T) {
 
 		// Setup
 		testEnv := newTestBinder(t, ctx)
-		testEnv.initVolumes(scenario.pvs, scenario.pvs)
+		testEnv.initVolumes(t, scenario.pvs, scenario.pvs)
 
 		var node *v1.Node
 		if len(scenario.initNodes) > 0 {
@@ -1240,7 +1241,7 @@ func TestFindPodVolumesWithCSIMigration(t *testing.T) {
 		if scenario.cachePVCs == nil {
 			scenario.cachePVCs = scenario.podPVCs
 		}
-		testEnv.initClaims(scenario.cachePVCs, scenario.cachePVCs)
+		testEnv.initClaims(t, scenario.cachePVCs, scenario.cachePVCs)
 
 		// b. Generate pod with given claims
 		if scenario.pod == nil {
@@ -1340,7 +1341,7 @@ func TestAssumePodVolumes(t *testing.T) {
 
 		// Setup
 		testEnv := newTestBinder(t, ctx)
-		testEnv.initClaims(scenario.podPVCs, scenario.podPVCs)
+		testEnv.initClaims(t, scenario.podPVCs, scenario.podPVCs)
 		pod := makePod("test-pod").
 			withNamespace("testns").
 			withNodeName("node1").
@@ -1349,7 +1350,7 @@ func TestAssumePodVolumes(t *testing.T) {
 			StaticBindings:    scenario.bindings,
 			DynamicProvisions: scenario.dynamicProvisions,
 		}
-		testEnv.initVolumes(scenario.pvs, scenario.pvs)
+		testEnv.initVolumes(t, scenario.pvs, scenario.pvs)
 
 		// Execute
 		allBound, err := testEnv.binder.AssumePodVolumes(logger, pod, "node1", podVolumes)
@@ -1399,7 +1400,7 @@ func TestRevertAssumedPodVolumes(t *testing.T) {
 
 	// Setup
 	testEnv := newTestBinder(t, ctx)
-	testEnv.initClaims(podPVCs, podPVCs)
+	testEnv.initClaims(t, podPVCs, podPVCs)
 	pod := makePod("test-pod").
 		withNamespace("testns").
 		withNodeName("node1").
@@ -1408,7 +1409,7 @@ func TestRevertAssumedPodVolumes(t *testing.T) {
 		StaticBindings:    bindings,
 		DynamicProvisions: dynamicProvisions,
 	}
-	testEnv.initVolumes(pvs, pvs)
+	testEnv.initVolumes(t, pvs, pvs)
 
 	allbound, err := testEnv.binder.AssumePodVolumes(logger, pod, "node1", podVolumes)
 	if allbound || err != nil {
@@ -1531,8 +1532,8 @@ func TestBindAPIUpdate(t *testing.T) {
 		if scenario.apiPVCs == nil {
 			scenario.apiPVCs = scenario.cachedPVCs
 		}
-		testEnv.initVolumes(scenario.cachedPVs, scenario.apiPVs)
-		testEnv.initClaims(scenario.cachedPVCs, scenario.apiPVCs)
+		testEnv.initVolumes(t, scenario.cachedPVs, scenario.apiPVs)
+		testEnv.initClaims(t, scenario.cachedPVCs, scenario.apiPVCs)
 		testEnv.assumeVolumes(t, "node1", pod, scenario.bindings, scenario.provisionedPVCs)
 
 		// Execute
@@ -1725,20 +1726,20 @@ func TestCheckBindings(t *testing.T) {
 		testEnv := newTestBinder(t, ctx)
 		testEnv.internalPodInformer.Informer().GetIndexer().Add(pod)
 		testEnv.initNodes([]*v1.Node{node1})
-		testEnv.initVolumes(scenario.initPVs, nil)
-		testEnv.initClaims(scenario.initPVCs, nil)
+		testEnv.initVolumes(t, scenario.initPVs, nil)
+		testEnv.initClaims(t, scenario.initPVCs, nil)
 		testEnv.assumeVolumes(t, "node1", pod, scenario.bindings, scenario.provisionedPVCs)
 
 		// Before execute
 		if scenario.deletePVs {
-			testEnv.deleteVolumes(scenario.initPVs)
+			testEnv.deleteVolumes(t, scenario.initPVs)
 		} else {
 			if err := testEnv.updateVolumes(ctx, scenario.apiPVs); err != nil {
 				t.Errorf("Failed to update PVs: %v", err)
 			}
 		}
 		if scenario.deletePVCs {
-			testEnv.deleteClaims(scenario.initPVCs)
+			testEnv.deleteClaims(t, scenario.initPVCs)
 		} else {
 			if err := testEnv.updateClaims(ctx, scenario.apiPVCs); err != nil {
 				t.Errorf("Failed to update PVCs: %v", err)
@@ -1853,8 +1854,8 @@ func TestCheckBindingsWithCSIMigration(t *testing.T) {
 		testEnv.internalPodInformer.Informer().GetIndexer().Add(pod)
 		testEnv.initNodes(scenario.initNodes)
 		testEnv.initCSINodes(scenario.initCSINodes)
-		testEnv.initVolumes(scenario.initPVs, nil)
-		testEnv.initClaims(scenario.initPVCs, nil)
+		testEnv.initVolumes(t, scenario.initPVs, nil)
+		testEnv.initClaims(t, scenario.initPVCs, nil)
 		testEnv.assumeVolumes(t, "node1", pod, scenario.bindings, scenario.provisionedPVCs)
 
 		// Before execute
@@ -2054,8 +2055,8 @@ func TestBindPodVolumes(t *testing.T) {
 				claimsToProvision = []*v1.PersistentVolumeClaim{scenario.claimToProvision}
 			}
 			testEnv.initNodes(scenario.nodes)
-			testEnv.initVolumes(scenario.initPVs, scenario.initPVs)
-			testEnv.initClaims(scenario.initPVCs, scenario.initPVCs)
+			testEnv.initVolumes(t, scenario.initPVs, scenario.initPVs)
+			testEnv.initClaims(t, scenario.initPVCs, scenario.initPVCs)
 			testEnv.assumeVolumes(t, "node1", pod, bindings, claimsToProvision)
 		}
 
@@ -2121,8 +2122,8 @@ func TestFindAssumeVolumes(t *testing.T) {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	testEnv := newTestBinder(t, ctx)
-	testEnv.initVolumes(pvs, pvs)
-	testEnv.initClaims(podPVCs, podPVCs)
+	testEnv.initVolumes(t, pvs, pvs)
+	testEnv.initClaims(t, podPVCs, podPVCs)
 	pod := makePod("test-pod").
 		withNamespace("testns").
 		withNodeName("node1").
@@ -2141,20 +2142,20 @@ func TestFindAssumeVolumes(t *testing.T) {
 	// 1. Find matching PVs
 	podVolumes, reasons, err := findPodVolumes(logger, testEnv.binder, pod, testNode)
 	if err != nil {
-		t.Errorf("Test failed: FindPodVolumes returned error: %v", err)
+		t.Fatalf("Test failed: FindPodVolumes returned error: %v", err)
 	}
 	if len(reasons) > 0 {
-		t.Errorf("Test failed: couldn't find PVs for all PVCs: %v", reasons)
+		t.Fatalf("Test failed: couldn't find PVs for all PVCs: %v", reasons)
 	}
 	expectedBindings := podVolumes.StaticBindings
 
 	// 2. Assume matches
 	allBound, err := testEnv.binder.AssumePodVolumes(logger, pod, testNode.Name, podVolumes)
 	if err != nil {
-		t.Errorf("Test failed: AssumePodVolumes returned error: %v", err)
+		t.Fatalf("Test failed: AssumePodVolumes returned error: %v", err)
 	}
 	if allBound {
-		t.Errorf("Test failed: detected unbound volumes as bound")
+		t.Fatalf("Test failed: detected unbound volumes as bound")
 	}
 	testEnv.validateAssume(t, pod, expectedBindings, nil)
 
@@ -2167,10 +2168,10 @@ func TestFindAssumeVolumes(t *testing.T) {
 	for i := 0; i < 50; i++ {
 		podVolumes, reasons, err := findPodVolumes(logger, testEnv.binder, pod, testNode)
 		if err != nil {
-			t.Errorf("Test failed: FindPodVolumes returned error: %v", err)
+			t.Fatalf("Test failed: FindPodVolumes returned error: %v", err)
 		}
 		if len(reasons) > 0 {
-			t.Errorf("Test failed: couldn't find PVs for all PVCs: %v", reasons)
+			t.Fatalf("Test failed: couldn't find PVs for all PVCs: %v", reasons)
 		}
 		testEnv.validatePodCache(t, testNode.Name, pod, podVolumes, expectedBindings, nil)
 	}
@@ -2297,7 +2298,7 @@ func TestCapacity(t *testing.T) {
 		testEnv.addCSIStorageCapacities(scenario.capacities)
 
 		// a. Init pvc cache
-		testEnv.initClaims(scenario.pvcs, scenario.pvcs)
+		testEnv.initClaims(t, scenario.pvcs, scenario.pvcs)
 
 		// b. Generate pod with given claims
 		pod := makePod("test-pod").
diff --git a/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache.go b/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache.go
new file mode 100644
index 0000000000000..e27d74b40c881
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache.go
@@ -0,0 +1,256 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package volumebinding
+
+import (
+	"fmt"
+	"sync"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+// informer is the subset of [cache.SharedInformer] that newAssumeCache depends upon.
+type informer interface {
+	AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error)
+	GetIndexer() cache.Indexer
+}
+
+// passiveAssumeCache is a cache on top of the informer that allows for updating
+// objects outside of informer events and also restoring the informer
+// cache's version of the object.
+//
+// An informer update always overrides the assumed object.
+//
+// This is different from pkg/scheduler/util/assumecache in:
+//   - this does not dispatch events
+//   - this is always up-to-date with the informer
+//   - this only allow assuming objects yet to be sent to the apiserver,
+//     not the ones returned from the apiserver
+type passiveAssumeCache[T v1.Object] struct {
+	// The logger that was chosen when setting up the cache.
+	// Will be used for all operations.
+	logger klog.Logger
+	gr     schema.GroupResource
+
+	// Synchronizes updates to all fields below.
+	// Although [store] have its own lock, we still need to hold our lock
+	// before reading from either [store] or [assumed] if we compare
+	// ResourceVersion between them.
+	rwMutex sync.RWMutex
+
+	// Objects from informer
+	store   cache.Indexer
+	assumed map[string]T
+}
+
+// newAssumeCache creates an assume cache for objects of type T.
+func newAssumeCache[T v1.Object](logger klog.Logger, informer informer, gr schema.GroupResource) (*passiveAssumeCache[T], error) {
+	c := &passiveAssumeCache[T]{
+		logger:  logger,
+		gr:      gr,
+		store:   informer.GetIndexer(),
+		assumed: make(map[string]T),
+	}
+
+	_, err := informer.AddEventHandler(
+		cache.ResourceEventHandlerFuncs{
+			AddFunc:    c.add,
+			UpdateFunc: c.update,
+			DeleteFunc: c.delete,
+		},
+	)
+	return c, err
+}
+
+// Receives events from informer. May expire the assumed object if it is older.
+func (c *passiveAssumeCache[T]) mayExpire(key string) {
+	c.rwMutex.Lock()
+	defer c.rwMutex.Unlock()
+
+	assumed, ok := c.assumed[key]
+	if !ok {
+		return
+	}
+
+	// Get the latest version to avoid overwriting newer object from [Assume]
+	obj, exists, err := c.store.GetByKey(key)
+	if err != nil {
+		utilruntime.HandleErrorWithLogger(c.logger, err, "mayExpire get", "key", key)
+		return
+	}
+
+	expire := true
+	if exists {
+		newMeta, err := meta.Accessor(obj)
+		if err != nil {
+			utilruntime.HandleErrorWithLogger(c.logger, err, "mayExpire meta", "key", key)
+			return
+		}
+
+		// Only overwrite assumed object if version is newer (not resync).
+		if assumed.GetResourceVersion() == newMeta.GetResourceVersion() {
+			c.logger.V(10).Info("ignoring resync of assumed object", "key", key, "version", assumed.GetResourceVersion())
+			expire = false
+		} else {
+			c.logger.V(4).Info("assumed object expired", "newVersion", newMeta.GetResourceVersion(),
+				"key", key, "version", assumed.GetResourceVersion())
+		}
+	} else {
+		c.logger.V(4).Info("assumed object expired", "key", key, "version", assumed.GetResourceVersion())
+	}
+	if expire {
+		delete(c.assumed, key)
+	}
+}
+
+func (c *passiveAssumeCache[T]) add(obj any) {
+	key, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		utilruntime.HandleErrorWithLogger(c.logger, err, "Add object get key")
+		return
+	}
+	c.mayExpire(key)
+}
+
+func (c *passiveAssumeCache[T]) update(_, obj any) {
+	c.add(obj)
+}
+
+func (c *passiveAssumeCache[T]) delete(obj any) {
+	key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(obj)
+	if err != nil {
+		utilruntime.HandleErrorWithLogger(c.logger, err, "Delete object get key")
+		return
+	}
+	c.mayExpire(key)
+}
+
+// ByIndex returns the stored objects whose set of indexed values for the named index includes the given indexed value
+//
+// The index is evaluated on the object from store. Objects from [Assume] will present in the result but will not affect the index.
+func (c *passiveAssumeCache[T]) ByIndex(indexName, indexedValue string) ([]T, error) {
+	c.rwMutex.RLock()
+	defer c.rwMutex.RUnlock()
+
+	objs, err := c.store.ByIndex(indexName, indexedValue)
+	if err != nil {
+		return nil, err
+	}
+	return c.replaceAssumed(objs), nil
+}
+
+// Get the object by its key.
+func (c *passiveAssumeCache[T]) Get(key string) (T, error) {
+	c.rwMutex.RLock()
+	defer c.rwMutex.RUnlock()
+
+	obj, err := c.GetAPIObj(key)
+	if err != nil {
+		return obj, err
+	}
+
+	assumed, ok := c.assumed[key]
+	if !ok || assumed.GetResourceVersion() != obj.GetResourceVersion() { // not assumed or Informer object is newer
+		return obj, nil
+	}
+	return assumed, nil
+}
+
+// GetAPIObj gets the informer cache's version by its key.
+func (c *passiveAssumeCache[T]) GetAPIObj(key string) (T, error) {
+	obj, ok, err := c.store.GetByKey(key)
+	var zero T
+	if err != nil {
+		return zero, err
+	}
+	if !ok {
+		return zero, apierrors.NewNotFound(c.gr, key)
+	}
+	v, ok := obj.(T)
+	if !ok {
+		return zero, fmt.Errorf("object is not of type %T", zero)
+	}
+	return v, nil
+}
+
+func keyOf[T v1.Object](obj T) string {
+	return cache.MetaObjectToName(obj).String()
+}
+
+func (c *passiveAssumeCache[T]) replaceAssumed(objs []any) []T {
+	allObjs := make([]T, 0, len(objs))
+	for _, obj := range objs {
+		v, ok := obj.(T)
+		if !ok {
+			utilruntime.HandleErrorWithLogger(c.logger, nil, "listed object has wrong type", "type", fmt.Sprintf("%T", obj))
+			continue
+		}
+		assumed, ok := c.assumed[keyOf(v)]
+		if ok && assumed.GetResourceVersion() == v.GetResourceVersion() {
+			// assumed object is not in informer yet
+			v = assumed
+		}
+		allObjs = append(allObjs, v)
+	}
+	return allObjs
+}
+
+// Assume updates the object in-memory only.
+//
+// The version of the object must be equal to
+// the current object, otherwise an error is returned.
+// If an update is received via the informer while such an
+// object is assumed, it gets dropped in favor of the
+// newer object from the apiserver.
+func (c *passiveAssumeCache[T]) Assume(obj T) error {
+	key := keyOf(obj)
+
+	c.rwMutex.Lock()
+	defer c.rwMutex.Unlock()
+
+	stored, err := c.GetAPIObj(key)
+	if err != nil {
+		return err
+	}
+
+	if stored.GetResourceVersion() != obj.GetResourceVersion() {
+		return fmt.Errorf("%q is out of sync (stored: %s, assume: %s)", key, stored.GetResourceVersion(), obj.GetResourceVersion())
+	}
+	c.assumed[key] = obj
+	c.logger.V(4).Info("Assumed object", "key", key, "version", obj.GetResourceVersion())
+	return nil
+}
+
+// Restore the informer cache's version of the object.
+func (c *passiveAssumeCache[T]) Restore(obj T) {
+	key := keyOf(obj)
+
+	c.rwMutex.Lock()
+	defer c.rwMutex.Unlock()
+
+	assumed, ok := c.assumed[key]
+	if ok && assumed.GetResourceVersion() == obj.GetResourceVersion() {
+		delete(c.assumed, key)
+		c.logger.V(4).Info("Restored object", "key", key, "version", obj.GetResourceVersion())
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache_test.go b/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache_test.go
new file mode 100644
index 0000000000000..ab6e2608e79a5
--- /dev/null
+++ b/pkg/scheduler/framework/plugins/volumebinding/passive_assume_cache_test.go
@@ -0,0 +1,404 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package volumebinding
+
+import (
+	"fmt"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/component-helpers/storage/volume"
+	"k8s.io/klog/v2/ktesting"
+)
+
+// sufficient for one assume cache.
+type testInformer struct {
+	handler cache.ResourceEventHandler
+	indexer cache.Indexer
+	t       *testing.T
+}
+
+func (i *testInformer) AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error) {
+	i.handler = handler
+	return nil, nil
+}
+
+func (i *testInformer) GetIndexer() cache.Indexer {
+	return i.indexer
+}
+
+func (i *testInformer) add(obj interface{}) {
+	if err := i.indexer.Add(obj); err != nil {
+		i.t.Fatalf("failed to add object into indexer: %v", err)
+	}
+	i.handler.OnAdd(obj, false)
+}
+
+func (i *testInformer) update(oldObj, obj interface{}) {
+	if err := i.indexer.Update(obj); err != nil {
+		i.t.Fatalf("failed to update object to indexer: %v", err)
+	}
+	i.handler.OnUpdate(oldObj, obj)
+}
+
+func (i *testInformer) delete(obj interface{}) {
+	if err := i.indexer.Delete(obj); err != nil {
+		i.t.Fatalf("failed to delete object from indexer: %v", err)
+	}
+	i.handler.OnDelete(obj)
+}
+
+func verifyList(t *testing.T, cache testCache, expected map[string]*testObj, indexedValue string) {
+	t.Helper()
+	got, err := cache.ByIndex(testIndex, indexedValue)
+	if err != nil {
+		t.Fatalf("failed to get indexed objects: %v", err)
+	}
+	if len(got) != len(expected) {
+		t.Errorf("ByIndex() returned %v objects, expected %v", len(got), len(expected))
+	}
+	for _, obj := range got {
+		expected, ok := expected[obj.Name]
+		if !ok {
+			t.Errorf("ByIndex() returned unexpected object %q", obj.Name)
+		}
+		if expected != obj {
+			t.Errorf("ByIndex() returned object %p, expected %p", obj, expected)
+		}
+	}
+}
+
+func TestBasicCache(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	// Get object that doesn't exist
+	obj, err := cache.Get("nothere")
+	if err == nil {
+		t.Errorf("Get() returned unexpected success")
+	}
+	if obj != nil {
+		t.Errorf("Get() returned unexpected PV %q", obj.Name)
+	}
+
+	// Add a bunch of objects
+	objects := map[string]*testObj{}
+	for i := range 10 {
+		obj := makeObj(fmt.Sprintf("test-%v", i), "1", "")
+		objects[obj.Name] = obj
+		informer.add(obj)
+	}
+
+	// List them
+	verifyList(t, cache, objects, "")
+
+	// Update an object
+	updated := makeObj("test-3", "1", "")
+	informer.update(objects["test-3"], updated)
+	objects[updated.Name] = updated
+
+	// List them
+	verifyList(t, cache, objects, "")
+
+	// Delete an object
+	deleted := objects["test-7"]
+	delete(objects, deleted.Name)
+	informer.delete(deleted)
+
+	// List them
+	verifyList(t, cache, objects, "")
+}
+
+func TestPVCacheWithIndex(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	// Add a bunch of objects
+	objects1 := map[string]*testObj{}
+	for i := range 10 {
+		obj := makeObj(fmt.Sprintf("test-%v", i), "1", "")
+		obj.Annotations["test"] = "test1"
+		objects1[obj.Name] = obj
+		informer.add(obj)
+	}
+
+	// Add a bunch of objects
+	objects2 := map[string]*testObj{}
+	for i := range 10 {
+		obj := makeObj(fmt.Sprintf("test2-%v", i), "1", "")
+		obj.Annotations["test"] = "test2"
+		objects2[obj.Name] = obj
+		informer.add(obj)
+	}
+
+	// List them
+	verifyList(t, cache, objects1, "test1")
+	verifyList(t, cache, objects2, "test2")
+
+	// Update an object
+	updated := makeObj("test-3", "2", "")
+	updated.Annotations["test"] = "test1"
+	informer.update(objects1[updated.Name], updated)
+	objects1[updated.Name] = updated
+
+	// List them
+	verifyList(t, cache, objects1, "test1")
+	verifyList(t, cache, objects2, "test2")
+
+	// Delete an object
+	deletedPV := objects1["test-7"]
+	delete(objects1, deletedPV.Name)
+	informer.delete(deletedPV)
+
+	// List them
+	verifyList(t, cache, objects1, "test1")
+	verifyList(t, cache, objects2, "test2")
+}
+
+type testObj = metav1.ObjectMeta
+
+func makeObj(name, version, namespace string) *testObj {
+	return &testObj{
+		Name:            name,
+		Namespace:       namespace,
+		ResourceVersion: version,
+		Annotations:     map[string]string{},
+	}
+}
+
+type testCache = *passiveAssumeCache[*testObj]
+
+func verifyObj(cache testCache, key string, expected *testObj) error {
+	obj, err := cache.Get(key)
+	if err != nil {
+		return err
+	}
+	if obj != expected {
+		return fmt.Errorf("Get() returned %p, expected %p", obj, expected)
+	}
+	return nil
+}
+
+const testIndex = "testIndex"
+
+func newTestCache(t *testing.T) (*testInformer, testCache) {
+	logger, _ := ktesting.NewTestContext(t)
+	informer := &testInformer{
+		indexer: cache.NewIndexer(cache.MetaNamespaceKeyFunc, cache.Indexers{
+			testIndex: func(obj interface{}) ([]string, error) {
+				return []string{obj.(*testObj).Annotations["test"]}, nil
+			},
+		}),
+		t: t,
+	}
+	cache, err := newAssumeCache[*testObj](logger, informer, schema.GroupResource{Resource: "tests"})
+	if err != nil {
+		t.Fatalf("newAssumeCache() failed: %v", err)
+	}
+	return informer, cache
+}
+
+func TestAssume(t *testing.T) {
+	scenarios := map[string]struct {
+		old           *testObj
+		new           *testObj
+		shouldSucceed bool
+	}{
+		"success-same-version": {
+			old:           makeObj("pvc1", "5", "ns1"),
+			new:           makeObj("pvc1", "5", "ns1"),
+			shouldSucceed: true,
+		},
+		"fail-new-higher-version": {
+			old:           makeObj("pvc1", "5", "ns1"),
+			new:           makeObj("pvc1", "6", "ns1"),
+			shouldSucceed: false,
+		},
+		"fail-old-not-found": {
+			old:           makeObj("pvc2", "5", "ns1"),
+			new:           makeObj("pvc1", "5", "ns1"),
+			shouldSucceed: false,
+		},
+		"fail-new-lower-version": {
+			old:           makeObj("pvc1", "5", "ns1"),
+			new:           makeObj("pvc1", "4", "ns1"),
+			shouldSucceed: false,
+		},
+		"fail-new-bad-version": {
+			old:           makeObj("pvc1", "5", "ns1"),
+			new:           makeObj("pvc1", "a", "ns1"),
+			shouldSucceed: false,
+		},
+		"fail-old-bad-version": {
+			old:           makeObj("pvc1", "a", "ns1"),
+			new:           makeObj("pvc1", "5", "ns1"),
+			shouldSucceed: false,
+		},
+	}
+
+	for name, scenario := range scenarios {
+		t.Run(name, func(t *testing.T) {
+			informer, cache := newTestCache(t)
+
+			// Add old to cache
+			informer.add(scenario.old)
+			if err := verifyObj(cache, keyOf(scenario.old), scenario.old); err != nil {
+				t.Fatalf("Failed to Get() after initial update: %v", err)
+			}
+
+			// Assume new
+			err := cache.Assume(scenario.new)
+			if scenario.shouldSucceed && err != nil {
+				t.Errorf("Test %q failed: Assume() returned error %v", name, err)
+			}
+			if !scenario.shouldSucceed && err == nil {
+				t.Errorf("Test %q failed: Assume() returned success but expected error", name)
+			}
+
+			// Check that Get returns correct version
+			expectedPV := scenario.new
+			if !scenario.shouldSucceed {
+				expectedPV = scenario.old
+			}
+			if err := verifyObj(cache, keyOf(scenario.old), expectedPV); err != nil {
+				t.Errorf("Failed to Get() after initial update: %v", err)
+			}
+		})
+	}
+}
+
+func TestRestore(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	old := makeObj("pvc1", "5", "ns1")
+	new := makeObj("pvc1", "5", "ns1")
+
+	// Restore object that doesn't exist
+	cache.Restore(&testObj{})
+
+	// Add old to cache
+	informer.add(old)
+	if err := verifyObj(cache, keyOf(old), old); err != nil {
+		t.Fatalf("Failed to Get() after initial update: %v", err)
+	}
+
+	// Restore
+	cache.Restore(old)
+	if err := verifyObj(cache, keyOf(old), old); err != nil {
+		t.Fatalf("Failed to Get() after initial restore: %v", err)
+	}
+
+	// Assume new
+	if err := cache.Assume(new); err != nil {
+		t.Fatalf("Assume() returned error %v", err)
+	}
+	if err := verifyObj(cache, keyOf(old), new); err != nil {
+		t.Fatalf("Failed to Get() after Assume: %v", err)
+	}
+
+	// Restore
+	cache.Restore(new)
+	if err := verifyObj(cache, keyOf(old), old); err != nil {
+		t.Fatalf("Failed to Get() after restore: %v", err)
+	}
+}
+
+func TestConcurrentAssume(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	obj1 := makeObj("pvc1", "5", "ns1")
+	obj1Update := makeObj("pvc1", "5", "ns1")
+	// Add object to cache
+	informer.add(obj1)
+
+	// Update obj 1
+	if err := cache.Assume(obj1Update); err != nil {
+		t.Fatalf("Assume() returned error %v", err)
+	}
+	if err := verifyObj(cache, keyOf(obj1Update), obj1Update); err != nil {
+		t.Fatalf("Failed to Get() after Assume: %v", err)
+	}
+
+	obj2 := makeObj("pvc1", "7", "ns1")
+	obj2Update := makeObj("pvc1", "7", "ns1")
+	// obj updated externally
+	informer.add(obj2)
+
+	// Update obj 2
+	if err := cache.Assume(obj2Update); err != nil {
+		t.Fatalf("Assume() returned error %v", err)
+	}
+	// obj 1 failed with conflict
+	cache.Restore(obj1Update)
+	// Should still have obj 2 in cache
+	if err := verifyObj(cache, keyOf(obj2Update), obj2Update); err != nil {
+		t.Fatalf("Failed to Get() after restore: %v", err)
+	}
+}
+
+func TestAssumeUpdateCache(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	// Add a object
+	obj := makeObj("test-pvc0", "1", "test-ns")
+	informer.add(obj)
+	if err := verifyObj(cache, keyOf(obj), obj); err != nil {
+		t.Fatalf("failed to get: %v", err)
+	}
+
+	// Assume
+	newObj := obj.DeepCopy()
+	newObj.Annotations[volume.AnnSelectedNode] = "test-node"
+	if err := cache.Assume(newObj); err != nil {
+		t.Fatalf("failed to assume: %v", err)
+	}
+	if err := verifyObj(cache, keyOf(obj), newObj); err != nil {
+		t.Fatalf("failed to get after assume: %v", err)
+	}
+
+	// Add old
+	informer.add(obj)
+	if err := verifyObj(cache, keyOf(obj), newObj); err != nil {
+		t.Fatalf("failed to get after old added: %v", err)
+	}
+}
+
+func TestDelayedInformerEvent(t *testing.T) {
+	informer, cache := newTestCache(t)
+
+	obj1 := makeObj("test-pvc0", "1", "test-ns")
+	obj2 := makeObj("test-pvc0", "2", "test-ns")
+	// Only add indexer, simulating delayed informer event
+	if err := informer.indexer.Add(obj2); err != nil {
+		t.Fatalf("failed to add: %v", err)
+	}
+
+	newObj := obj2.DeepCopy()
+	newObj.Annotations[volume.AnnSelectedNode] = "test-node"
+	if err := cache.Assume(newObj); err != nil {
+		t.Fatalf("failed to assume: %v", err)
+	}
+
+	// Send the delayed event
+	informer.handler.OnAdd(obj1, false)
+	informer.handler.OnDelete(obj1)
+	informer.handler.OnAdd(obj2, false)
+	// Expect assumed version not overwritten
+	if err := verifyObj(cache, keyOf(newObj), newObj); err != nil {
+		t.Fatalf("failed to get after assume: %v", err)
+	}
+}
diff --git a/pkg/scheduler/framework/plugins/volumebinding/scorer_test.go b/pkg/scheduler/framework/plugins/volumebinding/scorer_test.go
index e54b948966fb9..c1e5bcf14d69d 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/scorer_test.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/scorer_test.go
@@ -19,8 +19,8 @@ package volumebinding
 import (
 	"testing"
 
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 )
 
@@ -34,7 +34,7 @@ func TestScore(t *testing.T) {
 	for _, point := range defaultShapePoint {
 		defaultShape = append(defaultShape, helper.FunctionShapePoint{
 			Utilization: int64(point.Utilization),
-			Score:       int64(point.Score) * (framework.MaxNodeScore / config.MaxCustomPriorityScore),
+			Score:       int64(point.Score) * (fwk.MaxNodeScore / config.MaxCustomPriorityScore),
 		})
 	}
 	type scoreCase struct {
diff --git a/pkg/scheduler/framework/plugins/volumebinding/volume_binding.go b/pkg/scheduler/framework/plugins/volumebinding/volume_binding.go
index a3cb861ed2487..0774ea781087d 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/volume_binding.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/volume_binding.go
@@ -35,7 +35,6 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/helper"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
@@ -79,13 +78,14 @@ type VolumeBinding struct {
 	fts         feature.Features
 }
 
-var _ framework.PreFilterPlugin = &VolumeBinding{}
-var _ framework.FilterPlugin = &VolumeBinding{}
-var _ framework.ReservePlugin = &VolumeBinding{}
-var _ framework.PreBindPlugin = &VolumeBinding{}
-var _ framework.PreScorePlugin = &VolumeBinding{}
-var _ framework.ScorePlugin = &VolumeBinding{}
-var _ framework.EnqueueExtensions = &VolumeBinding{}
+var _ fwk.PreFilterPlugin = &VolumeBinding{}
+var _ fwk.FilterPlugin = &VolumeBinding{}
+var _ fwk.ReservePlugin = &VolumeBinding{}
+var _ fwk.PreBindPlugin = &VolumeBinding{}
+var _ fwk.PreScorePlugin = &VolumeBinding{}
+var _ fwk.ScorePlugin = &VolumeBinding{}
+var _ fwk.EnqueueExtensions = &VolumeBinding{}
+var _ fwk.SignPlugin = &VolumeBinding{}
 
 // Name is the name of the plugin used in Registry and configurations.
 const Name = names.VolumeBinding
@@ -95,6 +95,13 @@ func (pl *VolumeBinding) Name() string {
 	return Name
 }
 
+// Feasibility and scoring based on the non-synthetic volume sources.
+func (pl *VolumeBinding) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.VolumesSignerName, Value: fwk.VolumesSigner(pod)},
+	}, nil
+}
+
 // EventsToRegister returns the possible events that may make a Pod
 // failed by this plugin schedulable.
 func (pl *VolumeBinding) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
@@ -350,7 +357,7 @@ func (pl *VolumeBinding) podHasPVCs(pod *v1.Pod) (bool, error) {
 // PreFilter invoked at the prefilter extension point to check if pod has all
 // immediate PVCs bound. If not all immediate PVCs are bound, an
 // UnschedulableAndUnresolvable is returned.
-func (pl *VolumeBinding) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *VolumeBinding) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	logger := klog.FromContext(ctx)
 	// If pod does not reference any PVC, we don't need to do anything.
 	if hasPVC, err := pl.podHasPVCs(pod); err != nil {
@@ -383,7 +390,7 @@ func (pl *VolumeBinding) PreFilter(ctx context.Context, state fwk.CycleState, po
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *VolumeBinding) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *VolumeBinding) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -516,7 +523,7 @@ func (pl *VolumeBinding) Score(ctx context.Context, cs fwk.CycleState, pod *v1.P
 }
 
 // ScoreExtensions of the Score plugin.
-func (pl *VolumeBinding) ScoreExtensions() framework.ScoreExtensions {
+func (pl *VolumeBinding) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -607,7 +614,7 @@ func (pl *VolumeBinding) Unreserve(ctx context.Context, cs fwk.CycleState, pod *
 }
 
 // New initializes a new plugin and returns it.
-func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(ctx context.Context, plArgs runtime.Object, fh fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	args, ok := plArgs.(*config.VolumeBindingArgs)
 	if !ok {
 		return nil, fmt.Errorf("want args to be of type VolumeBindingArgs, got %T", plArgs)
@@ -627,7 +634,10 @@ func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts fe
 		CSIDriverInformer:          fh.SharedInformerFactory().Storage().V1().CSIDrivers(),
 		CSIStorageCapacityInformer: fh.SharedInformerFactory().Storage().V1().CSIStorageCapacities(),
 	}
-	binder := NewVolumeBinder(klog.FromContext(ctx), fh.ClientSet(), fts, podInformer, nodeInformer, csiNodeInformer, pvcInformer, pvInformer, storageClassInformer, capacityCheck, time.Duration(args.BindTimeoutSeconds)*time.Second)
+	binder, err := NewVolumeBinder(klog.FromContext(ctx), fh.ClientSet(), fts, podInformer, nodeInformer, csiNodeInformer, pvcInformer, pvInformer, storageClassInformer, capacityCheck, time.Duration(args.BindTimeoutSeconds)*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build volume binder: %w", err)
+	}
 
 	// build score function
 	var scorer volumeCapacityScorer
@@ -636,7 +646,7 @@ func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts fe
 		for _, point := range args.Shape {
 			shape = append(shape, helper.FunctionShapePoint{
 				Utilization: int64(point.Utilization),
-				Score:       int64(point.Score) * (framework.MaxNodeScore / config.MaxCustomPriorityScore),
+				Score:       int64(point.Score) * (fwk.MaxNodeScore / config.MaxCustomPriorityScore),
 			})
 		}
 		scorer = buildScorerFunction(shape)
diff --git a/pkg/scheduler/framework/plugins/volumebinding/volume_binding_test.go b/pkg/scheduler/framework/plugins/volumebinding/volume_binding_test.go
index 454bdb3fbbead..13f2923919018 100644
--- a/pkg/scheduler/framework/plugins/volumebinding/volume_binding_test.go
+++ b/pkg/scheduler/framework/plugins/volumebinding/volume_binding_test.go
@@ -99,7 +99,7 @@ func TestVolumeBinding(t *testing.T) {
 		capacities              []*storagev1.CSIStorageCapacity
 		fts                     feature.Features
 		args                    *config.VolumeBindingArgs
-		wantPreFilterResult     *framework.PreFilterResult
+		wantPreFilterResult     *fwk.PreFilterResult
 		wantPreFilterStatus     *fwk.Status
 		wantStateAfterPreFilter *stateData
 		wantFilterStatus        []*fwk.Status
@@ -1154,7 +1154,7 @@ func Test_PreBindPreFlight(t *testing.T) {
 					"node-a": {},
 				},
 			},
-			want: fwk.NewStatus(fwk.Success),
+			want: nil,
 		},
 		{
 			name:     "error: state is nil",
diff --git a/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions.go b/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions.go
index 8257a35808f27..ec4c25565708d 100644
--- a/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions.go
+++ b/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions.go
@@ -37,14 +37,15 @@ import (
 // VolumeRestrictions is a plugin that checks volume restrictions.
 type VolumeRestrictions struct {
 	pvcLister                 corelisters.PersistentVolumeClaimLister
-	sharedLister              framework.SharedLister
+	sharedLister              fwk.SharedLister
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.PreFilterPlugin = &VolumeRestrictions{}
-var _ framework.FilterPlugin = &VolumeRestrictions{}
-var _ framework.EnqueueExtensions = &VolumeRestrictions{}
+var _ fwk.PreFilterPlugin = &VolumeRestrictions{}
+var _ fwk.FilterPlugin = &VolumeRestrictions{}
+var _ fwk.EnqueueExtensions = &VolumeRestrictions{}
 var _ fwk.StateData = &preFilterState{}
+var _ fwk.SignPlugin = &VolumeRestrictions{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -100,6 +101,13 @@ func (pl *VolumeRestrictions) Name() string {
 	return Name
 }
 
+// Feasibility and scoring based on the non-synthetic volume sources.
+func (pl *VolumeRestrictions) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.VolumesSignerName, Value: fwk.VolumesSigner(pod)},
+	}, nil
+}
+
 func isVolumeConflict(volume *v1.Volume, pod *v1.Pod) bool {
 	for _, existingVolume := range pod.Spec.Volumes {
 		// Same GCE disk mounted by multiple pods conflicts unless all pods mount it read-only.
@@ -163,7 +171,7 @@ func needsRestrictionsCheck(v v1.Volume) bool {
 }
 
 // PreFilter computes and stores cycleState containing details for enforcing ReadWriteOncePod.
-func (pl *VolumeRestrictions) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *VolumeRestrictions) PreFilter(ctx context.Context, cycleState fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	needsCheck := false
 	for i := range pod.Spec.Volumes {
 		if needsRestrictionsCheck(pod.Spec.Volumes[i]) {
@@ -292,7 +300,7 @@ func satisfyReadWriteOncePod(ctx context.Context, state *preFilterState) *fwk.St
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *VolumeRestrictions) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *VolumeRestrictions) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
@@ -414,7 +422,7 @@ func (pl *VolumeRestrictions) isSchedulableAfterPodDeleted(logger klog.Logger, p
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, handle framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, handle fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	informerFactory := handle.SharedInformerFactory()
 	pvcLister := informerFactory.Core().V1().PersistentVolumeClaims().Lister()
 	sharedLister := handle.SnapshotSharedLister()
diff --git a/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions_test.go b/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions_test.go
index 4ced831261065..c8e8010b62ba6 100644
--- a/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions_test.go
+++ b/pkg/scheduler/framework/plugins/volumerestrictions/volume_restrictions_test.go
@@ -106,13 +106,13 @@ func TestGCEDiskConflicts(t *testing.T) {
 			defer cancel()
 			p := newPlugin(ctx, t)
 			cycleState := framework.NewCycleState()
-			_, preFilterGotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterGotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.preFilterWantStatus, preFilterGotStatus); diff != "" {
 				t.Errorf("Unexpected PreFilter status (-want, +got): %s", diff)
 			}
 			// If PreFilter fails, then Filter will not run.
 			if test.preFilterWantStatus.IsSuccess() {
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 				if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 					t.Errorf("Unexpected Filter status (-want, +got): %s", diff)
 				}
@@ -181,13 +181,13 @@ func TestAWSDiskConflicts(t *testing.T) {
 			defer cancel()
 			p := newPlugin(ctx, t)
 			cycleState := framework.NewCycleState()
-			_, preFilterGotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterGotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.preFilterWantStatus, preFilterGotStatus); diff != "" {
 				t.Errorf("Unexpected PreFilter status (-want, +got): %s", diff)
 			}
 			// If PreFilter fails, then Filter will not run.
 			if test.preFilterWantStatus.IsSuccess() {
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 				if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 					t.Errorf("Unexpected Filter status (-want, +got): %s", diff)
 				}
@@ -262,13 +262,13 @@ func TestRBDDiskConflicts(t *testing.T) {
 			defer cancel()
 			p := newPlugin(ctx, t)
 			cycleState := framework.NewCycleState()
-			_, preFilterGotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterGotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.preFilterWantStatus, preFilterGotStatus); diff != "" {
 				t.Errorf("Unexpected PreFilter status (-want, +got): %s", diff)
 			}
 			// If PreFilter fails, then Filter will not run.
 			if test.preFilterWantStatus.IsSuccess() {
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 				if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 					t.Errorf("Unexpected Filter status (-want, +got): %s", diff)
 				}
@@ -343,13 +343,13 @@ func TestISCSIDiskConflicts(t *testing.T) {
 			defer cancel()
 			p := newPlugin(ctx, t)
 			cycleState := framework.NewCycleState()
-			_, preFilterGotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterGotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.preFilterWantStatus, preFilterGotStatus); diff != "" {
 				t.Errorf("Unexpected PreFilter status (-want, +got): %s", diff)
 			}
 			// If PreFilter fails, then Filter will not run.
 			if test.preFilterWantStatus.IsSuccess() {
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 				if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 					t.Errorf("Unexpected Filter status (-want, +got): %s", diff)
 				}
@@ -471,13 +471,13 @@ func TestAccessModeConflicts(t *testing.T) {
 			defer cancel()
 			p := newPluginWithListers(ctx, t, test.existingPods, test.existingNodes, test.existingPVCs)
 			cycleState := framework.NewCycleState()
-			_, preFilterGotStatus := p.(framework.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
+			_, preFilterGotStatus := p.(fwk.PreFilterPlugin).PreFilter(ctx, cycleState, test.pod, nil)
 			if diff := cmp.Diff(test.preFilterWantStatus, preFilterGotStatus); diff != "" {
 				t.Errorf("Unexpected PreFilter status (-want, +got): %s", diff)
 			}
 			// If PreFilter fails, then Filter will not run.
 			if test.preFilterWantStatus.IsSuccess() {
-				gotStatus := p.(framework.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
+				gotStatus := p.(fwk.FilterPlugin).Filter(ctx, cycleState, test.pod, test.nodeInfo)
 				if diff := cmp.Diff(test.wantStatus, gotStatus); diff != "" {
 					t.Errorf("Unexpected Filter status (-want, +got): %s", diff)
 				}
@@ -784,12 +784,12 @@ func Test_isSchedulableAfterPersistentVolumeClaimChange(t *testing.T) {
 	}
 }
 
-func newPlugin(ctx context.Context, t *testing.T) framework.Plugin {
+func newPlugin(ctx context.Context, t *testing.T) fwk.Plugin {
 	return newPluginWithListers(ctx, t, nil, nil, nil)
 }
 
-func newPluginWithListers(ctx context.Context, t *testing.T, pods []*v1.Pod, nodes []*v1.Node, pvcs []*v1.PersistentVolumeClaim) framework.Plugin {
-	pluginFactory := func(ctx context.Context, plArgs runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+func newPluginWithListers(ctx context.Context, t *testing.T, pods []*v1.Pod, nodes []*v1.Node, pvcs []*v1.PersistentVolumeClaim) fwk.Plugin {
+	pluginFactory := func(ctx context.Context, plArgs runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		return New(ctx, plArgs, fh, feature.Features{})
 	}
 	snapshot := cache.NewSnapshot(pods, nodes)
diff --git a/pkg/scheduler/framework/plugins/volumezone/volume_zone.go b/pkg/scheduler/framework/plugins/volumezone/volume_zone.go
index 4fc9d9aaa90a0..d9968aed72785 100644
--- a/pkg/scheduler/framework/plugins/volumezone/volume_zone.go
+++ b/pkg/scheduler/framework/plugins/volumezone/volume_zone.go
@@ -33,7 +33,6 @@ import (
 	storagehelpers "k8s.io/component-helpers/storage/volume"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/util"
@@ -47,9 +46,10 @@ type VolumeZone struct {
 	enableSchedulingQueueHint bool
 }
 
-var _ framework.FilterPlugin = &VolumeZone{}
-var _ framework.PreFilterPlugin = &VolumeZone{}
-var _ framework.EnqueueExtensions = &VolumeZone{}
+var _ fwk.FilterPlugin = &VolumeZone{}
+var _ fwk.PreFilterPlugin = &VolumeZone{}
+var _ fwk.EnqueueExtensions = &VolumeZone{}
+var _ fwk.SignPlugin = &VolumeZone{}
 
 const (
 	// Name is the name of the plugin used in the plugin registry and configurations.
@@ -103,13 +103,20 @@ func (pl *VolumeZone) Name() string {
 	return Name
 }
 
+// Feasibility and scoring based on the non-synthetic volume sources.
+func (pl *VolumeZone) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return []fwk.SignFragment{
+		{Key: fwk.VolumesSignerName, Value: fwk.VolumesSigner(pod)},
+	}, nil
+}
+
 // PreFilter invoked at the prefilter extension point
 //
 // # It finds the topology of the PersistentVolumes corresponding to the volumes a pod requests
 //
 // Currently, this is only supported with PersistentVolumeClaims,
 // and only looks for the bound PersistentVolume.
-func (pl *VolumeZone) PreFilter(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *VolumeZone) PreFilter(ctx context.Context, cs fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	logger := klog.FromContext(ctx)
 	podPVTopologies, status := pl.getPVbyPod(logger, pod)
 	if !status.IsSuccess() {
@@ -168,7 +175,7 @@ func (pl *VolumeZone) getPVbyPod(logger klog.Logger, pod *v1.Pod) ([]pvTopology,
 }
 
 // PreFilterExtensions returns prefilter extensions, pod add and remove.
-func (pl *VolumeZone) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *VolumeZone) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -397,7 +404,7 @@ func (pl *VolumeZone) getPVTopologies(logger klog.Logger, pv *v1.PersistentVolum
 }
 
 // New initializes a new plugin and returns it.
-func New(_ context.Context, _ runtime.Object, handle framework.Handle, fts feature.Features) (framework.Plugin, error) {
+func New(_ context.Context, _ runtime.Object, handle fwk.Handle, fts feature.Features) (fwk.Plugin, error) {
 	informerFactory := handle.SharedInformerFactory()
 	pvLister := informerFactory.Core().V1().PersistentVolumes().Lister()
 	pvcLister := informerFactory.Core().V1().PersistentVolumeClaims().Lister()
diff --git a/pkg/scheduler/framework/plugins/volumezone/volume_zone_test.go b/pkg/scheduler/framework/plugins/volumezone/volume_zone_test.go
index 1e393924e8fbe..595f0705f7f91 100644
--- a/pkg/scheduler/framework/plugins/volumezone/volume_zone_test.go
+++ b/pkg/scheduler/framework/plugins/volumezone/volume_zone_test.go
@@ -837,7 +837,7 @@ func BenchmarkVolumeZone(b *testing.B) {
 	}
 }
 
-func newPluginWithListers(ctx context.Context, tb testing.TB, pods []*v1.Pod, nodes []*v1.Node, pvcs []*v1.PersistentVolumeClaim, pvs []*v1.PersistentVolume) framework.Plugin {
+func newPluginWithListers(ctx context.Context, tb testing.TB, pods []*v1.Pod, nodes []*v1.Node, pvcs []*v1.PersistentVolumeClaim, pvs []*v1.PersistentVolume) fwk.Plugin {
 	snapshot := cache.NewSnapshot(pods, nodes)
 
 	objects := make([]runtime.Object, 0, len(pvcs))
diff --git a/pkg/scheduler/framework/preemption/preemption.go b/pkg/scheduler/framework/preemption/preemption.go
index ee98910ef993a..05918dd778ad1 100644
--- a/pkg/scheduler/framework/preemption/preemption.go
+++ b/pkg/scheduler/framework/preemption/preemption.go
@@ -129,7 +129,7 @@ type Interface interface {
 
 type Evaluator struct {
 	PluginName string
-	Handler    framework.Handle
+	Handler    fwk.Handle
 	PodLister  corelisters.PodLister
 	PdbLister  policylisters.PodDisruptionBudgetLister
 
@@ -138,6 +138,10 @@ type Evaluator struct {
 	// preempting is a set that records the pods that are currently triggering preemption asynchronously,
 	// which is used to prevent the pods from entering the scheduling cycle meanwhile.
 	preempting sets.Set[types.UID]
+	// lastVictimsPendingPreemption is a map that records the victim pods that are currently being preempted for a given preemptor pod,
+	// with a condition that the preemptor is waiting for one last victim to be preempted. This is used together with `preempting`
+	// to prevent the pods from entering the scheduling cycle while waiting for preemption to complete.
+	lastVictimsPendingPreemption map[types.UID]pendingVictim
 
 	// PreemptPod is a function that actually makes API calls to preempt a specific Pod.
 	// This is exposed to be replaced during tests.
@@ -146,18 +150,24 @@ type Evaluator struct {
 	Interface
 }
 
-func NewEvaluator(pluginName string, fh framework.Handle, i Interface, enableAsyncPreemption bool) *Evaluator {
+type pendingVictim struct {
+	namespace string
+	name      string
+}
+
+func NewEvaluator(pluginName string, fh fwk.Handle, i Interface, enableAsyncPreemption bool) *Evaluator {
 	podLister := fh.SharedInformerFactory().Core().V1().Pods().Lister()
 	pdbLister := fh.SharedInformerFactory().Policy().V1().PodDisruptionBudgets().Lister()
 
 	ev := &Evaluator{
-		PluginName:            pluginName,
-		Handler:               fh,
-		PodLister:             podLister,
-		PdbLister:             pdbLister,
-		Interface:             i,
-		enableAsyncPreemption: enableAsyncPreemption,
-		preempting:            sets.New[types.UID](),
+		PluginName:                   pluginName,
+		Handler:                      fh,
+		PodLister:                    podLister,
+		PdbLister:                    pdbLister,
+		Interface:                    i,
+		enableAsyncPreemption:        enableAsyncPreemption,
+		preempting:                   sets.New[types.UID](),
+		lastVictimsPendingPreemption: make(map[types.UID]pendingVictim),
 	}
 
 	// PreemptPod actually makes API calls to preempt a specific Pod.
@@ -184,8 +194,12 @@ func NewEvaluator(pluginName string, fh framework.Handle, i Interface, enableAsy
 			updated := apipod.UpdatePodCondition(newStatus, condition)
 			if updated {
 				if err := util.PatchPodStatus(ctx, ev.Handler.ClientSet(), victim.Name, victim.Namespace, &victim.Status, newStatus); err != nil {
-					logger.Error(err, "Could not add DisruptionTarget condition due to preemption", "pod", klog.KObj(victim), "preemptor", klog.KObj(preemptor))
-					return err
+					if !apierrors.IsNotFound(err) {
+						logger.Error(err, "Could not add DisruptionTarget condition due to preemption", "preemptor", klog.KObj(preemptor), "victim", klog.KObj(victim))
+						return err
+					}
+					logger.V(2).Info("Victim Pod is already deleted", "preemptor", klog.KObj(preemptor), "victim", klog.KObj(victim), "node", c.Name())
+					return nil
 				}
 			}
 			if err := util.DeletePod(ctx, ev.Handler.ClientSet(), victim); err != nil {
@@ -212,7 +226,27 @@ func (ev *Evaluator) IsPodRunningPreemption(podUID types.UID) bool {
 	ev.mu.RLock()
 	defer ev.mu.RUnlock()
 
-	return ev.preempting.Has(podUID)
+	if !ev.preempting.Has(podUID) {
+		return false
+	}
+
+	victim, ok := ev.lastVictimsPendingPreemption[podUID]
+	if !ok {
+		// Since pod is in `preempting` but last victim is not registered yet, the async preemption is pending.
+		return true
+	}
+	// Pod is waiting for preemption of one last victim. We can check if the victim has already been deleted.
+	victimPod, err := ev.PodLister.Pods(victim.namespace).Get(victim.name)
+	if err != nil {
+		// Victim already deleted, preemption is done.
+		return false
+	}
+	if victimPod.DeletionTimestamp != nil {
+		// Victim deletion has started, preemption is done.
+		return false
+	}
+	// Preemption of the last pod is still ongoing.
+	return true
 }
 
 // Preempt returns a PostFilterResult carrying suggested nominatedNodeName, along with a Status.
@@ -231,7 +265,7 @@ func (ev *Evaluator) IsPodRunningPreemption(podUID types.UID) bool {
 //
 //   - <non-nil PostFilterResult, Success>. It's the regular happy path
 //     and the non-empty nominatedNodeName will be applied to the preemptor pod.
-func (ev *Evaluator) Preempt(ctx context.Context, state fwk.CycleState, pod *v1.Pod, m framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (ev *Evaluator) Preempt(ctx context.Context, state fwk.CycleState, pod *v1.Pod, m fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	logger := klog.FromContext(ctx)
 
 	// 0) Fetch the latest version of <pod>.
@@ -306,7 +340,7 @@ func (ev *Evaluator) Preempt(ctx context.Context, state fwk.CycleState, pod *v1.
 
 // FindCandidates calculates a slice of preemption candidates.
 // Each candidate is executable to make the given <pod> schedulable.
-func (ev *Evaluator) findCandidates(ctx context.Context, state fwk.CycleState, allNodes []fwk.NodeInfo, pod *v1.Pod, m framework.NodeToStatusReader) ([]Candidate, *framework.NodeToStatus, error) {
+func (ev *Evaluator) findCandidates(ctx context.Context, state fwk.CycleState, allNodes []fwk.NodeInfo, pod *v1.Pod, m fwk.NodeToStatusReader) ([]Candidate, *framework.NodeToStatus, error) {
 	if len(allNodes) == 0 {
 		return nil, nil, errors.New("no nodes available")
 	}
@@ -436,7 +470,13 @@ func (ev *Evaluator) prepareCandidate(ctx context.Context, c Candidate, pod *v1.
 	logger := klog.FromContext(ctx)
 	errCh := parallelize.NewErrorChannel()
 	fh.Parallelizer().Until(ctx, len(c.Victims().Pods), func(index int) {
-		if err := ev.PreemptPod(ctx, c, pod, c.Victims().Pods[index], pluginName); err != nil {
+		victim := c.Victims().Pods[index]
+		if victim.DeletionTimestamp != nil {
+			// Graceful pod deletion has already started. Sending another API call is unnecessary.
+			logger.V(2).Info("Victim Pod is already being deleted, skipping the API call for it", "preemptor", klog.KObj(pod), "node", c.Name(), "victim", klog.KObj(victim))
+			return
+		}
+		if err := ev.PreemptPod(ctx, c, pod, victim, pluginName); err != nil {
 			errCh.SendErrorWithCancel(err, cancel)
 		}
 	}, ev.PluginName)
@@ -449,7 +489,7 @@ func (ev *Evaluator) prepareCandidate(ctx context.Context, c Candidate, pod *v1.
 	// Lower priority pods nominated to run on this node, may no longer fit on
 	// this node. So, we should remove their nomination. Removing their
 	// nomination updates these pods and moves them to the active queue. It
-	// lets scheduler find another place for them.
+	// lets scheduler find another place for them sooner than after waiting for preemption completion.
 	nominatedPods := getLowerPriorityNominatedPods(logger, fh, pod, c.Name())
 	if err := clearNominatedNodeName(ctx, cs, ev.Handler.APICacher(), nominatedPods...); err != nil {
 		utilruntime.HandleErrorWithContext(ctx, err, "Cannot clear 'NominatedNodeName' field")
@@ -461,12 +501,12 @@ func (ev *Evaluator) prepareCandidate(ctx context.Context, c Candidate, pod *v1.
 
 // clearNominatedNodeName internally submit a patch request to API server
 // to set each pods[*].Status.NominatedNodeName> to "".
-func clearNominatedNodeName(ctx context.Context, cs clientset.Interface, apiCacher framework.APICacher, pods ...*v1.Pod) utilerrors.Aggregate {
+func clearNominatedNodeName(ctx context.Context, cs clientset.Interface, apiCacher fwk.APICacher, pods ...*v1.Pod) utilerrors.Aggregate {
 	var errs []error
 	for _, p := range pods {
 		if apiCacher != nil {
 			// When API cacher is available, use it to clear the NominatedNodeName.
-			_, err := apiCacher.PatchPodStatus(p, nil, &framework.NominatingInfo{NominatedNodeName: "", NominatingMode: framework.ModeOverride})
+			_, err := apiCacher.PatchPodStatus(p, nil, &fwk.NominatingInfo{NominatedNodeName: "", NominatingMode: fwk.ModeOverride})
 			if err != nil {
 				errs = append(errs, err)
 			}
@@ -497,9 +537,25 @@ func (ev *Evaluator) prepareCandidateAsync(c Candidate, pod *v1.Pod, pluginName
 	// Intentionally create a new context, not using a ctx from the scheduling cycle, to create ctx,
 	// because this process could continue even after this scheduling cycle finishes.
 	ctx, cancel := context.WithCancel(context.Background())
+	logger := klog.FromContext(ctx)
+
+	victimPods := make([]*v1.Pod, 0, len(c.Victims().Pods))
+	for _, victim := range c.Victims().Pods {
+		if victim.DeletionTimestamp != nil {
+			// Graceful pod deletion has already started. Sending another API call is unnecessary.
+			logger.V(2).Info("Victim Pod is already being deleted, skipping the API call for it", "preemptor", klog.KObj(pod), "node", c.Name(), "victim", klog.KObj(victim))
+			continue
+		}
+		victimPods = append(victimPods, victim)
+	}
+	if len(victimPods) == 0 {
+		cancel()
+		return
+	}
+
 	errCh := parallelize.NewErrorChannel()
 	preemptPod := func(index int) {
-		victim := c.Victims().Pods[index]
+		victim := victimPods[index]
 		if err := ev.PreemptPod(ctx, c, pod, victim, pluginName); err != nil {
 			errCh.SendErrorWithCancel(err, cancel)
 		}
@@ -509,8 +565,8 @@ func (ev *Evaluator) prepareCandidateAsync(c Candidate, pod *v1.Pod, pluginName
 	ev.preempting.Insert(pod.UID)
 	ev.mu.Unlock()
 
-	logger := klog.FromContext(ctx)
 	go func() {
+		logger := klog.FromContext(ctx)
 		startTime := time.Now()
 		result := metrics.GoroutineResultSuccess
 		defer metrics.PreemptionGoroutinesDuration.WithLabelValues(result).Observe(metrics.SinceInSeconds(startTime))
@@ -523,12 +579,12 @@ func (ev *Evaluator) prepareCandidateAsync(c Candidate, pod *v1.Pod, pluginName
 			}
 		}()
 		defer cancel()
-		logger.V(2).Info("Start the preemption asynchronously", "preemptor", klog.KObj(pod), "node", c.Name(), "numVictims", len(c.Victims().Pods))
+		logger.V(2).Info("Start the preemption asynchronously", "preemptor", klog.KObj(pod), "node", c.Name(), "numVictims", len(c.Victims().Pods), "numVictimsToDelete", len(victimPods))
 
 		// Lower priority pods nominated to run on this node, may no longer fit on
 		// this node. So, we should remove their nomination. Removing their
 		// nomination updates these pods and moves them to the active queue. It
-		// lets scheduler find another place for them.
+		// lets scheduler find another place for them sooner than after waiting for preemption completion.
 		nominatedPods := getLowerPriorityNominatedPods(logger, ev.Handler, pod, c.Name())
 		if err := clearNominatedNodeName(ctx, ev.Handler.ClientSet(), ev.Handler.APICacher(), nominatedPods...); err != nil {
 			utilruntime.HandleErrorWithContext(ctx, err, "Cannot clear 'NominatedNodeName' field from lower priority pods on the same target node", "node", c.Name())
@@ -536,35 +592,38 @@ func (ev *Evaluator) prepareCandidateAsync(c Candidate, pod *v1.Pod, pluginName
 			// We do not return as this error is not critical.
 		}
 
-		if len(c.Victims().Pods) == 0 {
-			ev.mu.Lock()
-			delete(ev.preempting, pod.UID)
-			ev.mu.Unlock()
-
-			return
-		}
-
-		// We can evict all victims in parallel, but the last one.
-		// We have to remove the pod from the preempting map before the last one is evicted
-		// because, otherwise, the pod removal might be notified to the scheduling queue before
-		// we remove this pod from the preempting map,
-		// and the pod could end up stucking at the unschedulable pod pool
-		// by all the pod removal events being ignored.
-		ev.Handler.Parallelizer().Until(ctx, len(c.Victims().Pods)-1, preemptPod, ev.PluginName)
-		if err := errCh.ReceiveError(); err != nil {
-			utilruntime.HandleErrorWithContext(ctx, err, "Error occurred during async preemption")
-			result = metrics.GoroutineResultError
+		if len(victimPods) > 1 {
+			// We can evict all victims in parallel, but the last one.
+			// We have to remove the pod from the preempting map before the last one is evicted
+			// because, otherwise, the pod removal might be notified to the scheduling queue before
+			// we remove this pod from the preempting map,
+			// and the pod could end up stucking at the unschedulable pod pool
+			// by all the pod removal events being ignored.
+			// In order to prevent requesting preemption of the same pod multiple times for the same preemptor,
+			// preemptor is marked as "waiting for preemption of a victim" (by adding it to preempting map).
+			// For optimization purposes the last victim is recorded in lastVictimsPendingPreemption.
+			ev.Handler.Parallelizer().Until(ctx, len(victimPods)-1, preemptPod, ev.PluginName)
+			if err := errCh.ReceiveError(); err != nil {
+				utilruntime.HandleErrorWithContext(ctx, err, "Error occurred during async preemption")
+				result = metrics.GoroutineResultError
+			}
 		}
 
+		lastVictim := victimPods[len(victimPods)-1]
 		ev.mu.Lock()
-		delete(ev.preempting, pod.UID)
+		ev.lastVictimsPendingPreemption[pod.UID] = pendingVictim{namespace: lastVictim.Namespace, name: lastVictim.Name}
 		ev.mu.Unlock()
 
-		if err := ev.PreemptPod(ctx, c, pod, c.Victims().Pods[len(c.Victims().Pods)-1], pluginName); err != nil {
+		if err := ev.PreemptPod(ctx, c, pod, lastVictim, pluginName); err != nil {
 			utilruntime.HandleErrorWithContext(ctx, err, "Error occurred during async preemption")
 			result = metrics.GoroutineResultError
 		}
 
+		ev.mu.Lock()
+		ev.preempting.Delete(pod.UID)
+		delete(ev.lastVictimsPendingPreemption, pod.UID)
+		ev.mu.Unlock()
+
 		logger.V(2).Info("Async Preemption finished completely", "preemptor", klog.KObj(pod), "node", c.Name(), "result", result)
 	}()
 }
@@ -684,7 +743,7 @@ func pickOneNodeForPreemption(logger klog.Logger, nodesToVictims map[string]*ext
 // manipulation of NodeInfo and PreFilter state per nominated pod. It may not be
 // worth the complexity, especially because we generally expect to have a very
 // small number of nominated pods per node.
-func getLowerPriorityNominatedPods(logger klog.Logger, pn framework.PodNominator, pod *v1.Pod, nodeName string) []*v1.Pod {
+func getLowerPriorityNominatedPods(logger klog.Logger, pn fwk.PodNominator, pod *v1.Pod, nodeName string) []*v1.Pod {
 	podInfos := pn.NominatedPodsForNode(nodeName)
 
 	if len(podInfos) == 0 {
diff --git a/pkg/scheduler/framework/preemption/preemption_test.go b/pkg/scheduler/framework/preemption/preemption_test.go
index e8b0a80ecad20..11c6ae73ab82c 100644
--- a/pkg/scheduler/framework/preemption/preemption_test.go
+++ b/pkg/scheduler/framework/preemption/preemption_test.go
@@ -30,6 +30,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -38,18 +39,19 @@ import (
 	"k8s.io/client-go/informers"
 	clientsetfake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/kubernetes/scheme"
+	corelisters "k8s.io/client-go/listers/core/v1"
 	clienttesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/events"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
 	extenderv1 "k8s.io/kube-scheduler/extender/v1"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_cache"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
+	apicache "k8s.io/kubernetes/pkg/scheduler/backend/api_cache"
+	apidispatcher "k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
 	internalcache "k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	internalqueue "k8s.io/kubernetes/pkg/scheduler/backend/queue"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
+	apicalls "k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
 	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultbinder"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/queuesort"
@@ -420,6 +422,11 @@ func TestPrepareCandidate(t *testing.T) {
 			Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
 			Obj()
 
+		notFoundVictim1 = st.MakePod().Name("not-found-victim").UID("victim1").
+				Node(node1Name).SchedulerName(defaultSchedulerName).Priority(midPriority).
+				Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+				Obj()
+
 		failVictim = st.MakePod().Name("fail-victim").UID("victim1").
 				Node(node1Name).SchedulerName(defaultSchedulerName).Priority(midPriority).
 				Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
@@ -451,6 +458,12 @@ func TestPrepareCandidate(t *testing.T) {
 		errPatchStatusFailed = errors.New("patch pod status failed")
 	)
 
+	victimWithDeletionTimestamp := victim1.DeepCopy()
+	victimWithDeletionTimestamp.Name = "victim1-with-deletion-timestamp"
+	victimWithDeletionTimestamp.UID = "victim1-with-deletion-timestamp"
+	victimWithDeletionTimestamp.DeletionTimestamp = &metav1.Time{Time: time.Now().Add(-100 * time.Second)}
+	victimWithDeletionTimestamp.Finalizers = []string{"test"}
+
 	tests := []struct {
 		name      string
 		nodeNames []string
@@ -479,9 +492,8 @@ func TestPrepareCandidate(t *testing.T) {
 			testPods: []*v1.Pod{
 				victim1,
 			},
-			nodeNames:             []string{node1Name},
-			expectedStatus:        nil,
-			expectedPreemptingMap: sets.New(types.UID("preemptor")),
+			nodeNames:      []string{node1Name},
+			expectedStatus: nil,
 		},
 		{
 			name: "one victim without condition",
@@ -503,6 +515,41 @@ func TestPrepareCandidate(t *testing.T) {
 			expectedStatus:        nil,
 			expectedPreemptingMap: sets.New(types.UID("preemptor")),
 		},
+		{
+			name: "one victim, but victim is already being deleted",
+
+			candidate: &fakeCandidate{
+				name: node1Name,
+				victims: &extenderv1.Victims{
+					Pods: []*v1.Pod{
+						victimWithDeletionTimestamp,
+					},
+				},
+			},
+			preemptor: preemptor,
+			testPods: []*v1.Pod{
+				victimWithDeletionTimestamp,
+			},
+			nodeNames:      []string{node1Name},
+			expectedStatus: nil,
+		},
+		{
+			name: "one victim, but victim is already deleted",
+
+			candidate: &fakeCandidate{
+				name: node1Name,
+				victims: &extenderv1.Victims{
+					Pods: []*v1.Pod{
+						notFoundVictim1,
+					},
+				},
+			},
+			preemptor:             preemptor,
+			testPods:              []*v1.Pod{},
+			nodeNames:             []string{node1Name},
+			expectedStatus:        nil,
+			expectedPreemptingMap: sets.New(types.UID("preemptor")),
+		},
 		{
 			name: "one victim with same condition",
 
@@ -663,6 +710,11 @@ func TestPrepareCandidate(t *testing.T) {
 							deletionFailure = true
 							return true, nil, errDeletePodFailed
 						}
+						// fake clientset does not return an error for not-found pods, so we simulate it here.
+						if name == "not-found-victim" {
+							// Simulate a not-found error.
+							return true, nil, apierrors.NewNotFound(v1.Resource("pods"), name)
+						}
 
 						deletedPods.Insert(name)
 						return true, nil, nil
@@ -675,6 +727,10 @@ func TestPrepareCandidate(t *testing.T) {
 							patchFailure = true
 							return true, nil, errPatchStatusFailed
 						}
+						// fake clientset does not return an error for not-found pods, so we simulate it here.
+						if action.(clienttesting.PatchAction).GetName() == "not-found-victim" {
+							return true, nil, apierrors.NewNotFound(v1.Resource("pods"), "not-found-victim")
+						}
 						return true, nil, nil
 					})
 
@@ -877,7 +933,7 @@ func (f *fakeExtender) IsIgnorable() bool {
 func (f *fakeExtender) ProcessPreemption(
 	_ *v1.Pod,
 	victims map[string]*extenderv1.Victims,
-	_ framework.NodeInfoLister,
+	_ fwk.NodeInfoLister,
 ) (map[string]*extenderv1.Victims, error) {
 	if f.supportsPreemption {
 		if f.errProcessPreemption {
@@ -951,21 +1007,21 @@ func TestCallExtenders(t *testing.T) {
 	)
 	tests := []struct {
 		name           string
-		extenders      []framework.Extender
+		extenders      []fwk.Extender
 		candidates     []Candidate
 		wantStatus     *fwk.Status
 		wantCandidates []Candidate
 	}{
 		{
 			name:           "no extenders",
-			extenders:      []framework.Extender{},
+			extenders:      []fwk.Extender{},
 			candidates:     makeCandidates(node1Name, victim),
 			wantStatus:     nil,
 			wantCandidates: makeCandidates(node1Name, victim),
 		},
 		{
 			name: "one extender supports preemption",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithSupportsPreemption(true),
 			},
 			candidates:     makeCandidates(node1Name, victim),
@@ -974,7 +1030,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender with return no victims",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithSupportsPreemption(true).WithReturnNoVictims(true),
 			},
 			candidates:     makeCandidates(node1Name, victim),
@@ -983,7 +1039,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender does not support preemption",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithSupportsPreemption(false),
 			},
 			candidates:     makeCandidates(node1Name, victim),
@@ -992,7 +1048,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender with no return victims and is ignorable",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithSupportsPreemption(true).
 					WithReturnNoVictims(true).WithIgnorable(true),
 			},
@@ -1002,7 +1058,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender returns error and is ignorable",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithIgnorable(true).
 					WithSupportsPreemption(true).WithErrProcessPreemption(true),
 			},
@@ -1012,7 +1068,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender returns error and is not ignorable",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithErrProcessPreemption(true).
 					WithSupportsPreemption(true),
 			},
@@ -1022,7 +1078,7 @@ func TestCallExtenders(t *testing.T) {
 		},
 		{
 			name: "one extender with empty victims input",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				newFakeExtender().WithSupportsPreemption(true),
 			},
 			candidates:     []Candidate{},
@@ -1147,7 +1203,7 @@ func TestRemoveNominatedNodeName(t *testing.T) {
 				ctx, cancel := context.WithCancel(ctx)
 				defer cancel()
 
-				var apiCacher framework.APICacher
+				var apiCacher fwk.APICacher
 				if asyncAPICallsEnabled {
 					apiDispatcher := apidispatcher.New(cs, 16, apicalls.Relevances)
 					apiDispatcher.Run(logger)
@@ -1182,3 +1238,352 @@ func TestRemoveNominatedNodeName(t *testing.T) {
 		}
 	}
 }
+
+func TestPrepareCandidateAsyncSetsPreemptingSets(t *testing.T) {
+	var (
+		node1Name            = "node1"
+		defaultSchedulerName = "default-scheduler"
+	)
+
+	var (
+		victim1 = st.MakePod().Name("victim1").UID("victim1").
+			Node(node1Name).SchedulerName(defaultSchedulerName).Priority(midPriority).
+			Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+			Obj()
+
+		victim2 = st.MakePod().Name("victim2").UID("victim2").
+			Node(node1Name).SchedulerName(defaultSchedulerName).Priority(midPriority).
+			Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+			Obj()
+
+		preemptor = st.MakePod().Name("preemptor").UID("preemptor").
+				SchedulerName(defaultSchedulerName).Priority(highPriority).
+				Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+				Obj()
+		testPods = []*v1.Pod{
+			victim1,
+			victim2,
+		}
+		nodeNames = []string{node1Name}
+	)
+
+	tests := []struct {
+		name       string
+		candidate  *fakeCandidate
+		lastVictim *v1.Pod
+		preemptor  *v1.Pod
+	}{
+		{
+			name: "no victims",
+			candidate: &fakeCandidate{
+				victims: &extenderv1.Victims{},
+			},
+			lastVictim: nil,
+			preemptor:  preemptor,
+		},
+		{
+			name: "one victim",
+			candidate: &fakeCandidate{
+				name: node1Name,
+				victims: &extenderv1.Victims{
+					Pods: []*v1.Pod{
+						victim1,
+					},
+				},
+			},
+			lastVictim: victim1,
+			preemptor:  preemptor,
+		},
+		{
+			name: "two victims",
+			candidate: &fakeCandidate{
+				name: node1Name,
+				victims: &extenderv1.Victims{
+					Pods: []*v1.Pod{
+						victim1,
+						victim2,
+					},
+				},
+			},
+			lastVictim: victim2,
+			preemptor:  preemptor,
+		},
+	}
+
+	for _, asyncAPICallsEnabled := range []bool{true, false} {
+		for _, tt := range tests {
+			t.Run(fmt.Sprintf("%v (Async API calls enabled: %v)", tt.name, asyncAPICallsEnabled), func(t *testing.T) {
+				metrics.Register()
+				logger, ctx := ktesting.NewTestContext(t)
+				ctx, cancel := context.WithCancel(ctx)
+				defer cancel()
+
+				nodes := make([]*v1.Node, len(nodeNames))
+				for i, nodeName := range nodeNames {
+					nodes[i] = st.MakeNode().Name(nodeName).Capacity(veryLargeRes).Obj()
+				}
+				registeredPlugins := append([]tf.RegisterPluginFunc{
+					tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New)},
+					tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
+				)
+				var objs []runtime.Object
+				for _, pod := range testPods {
+					objs = append(objs, pod)
+				}
+
+				cs := clientsetfake.NewClientset(objs...)
+
+				informerFactory := informers.NewSharedInformerFactory(cs, 0)
+				eventBroadcaster := events.NewBroadcaster(&events.EventSinkImpl{Interface: cs.EventsV1()})
+
+				var apiDispatcher *apidispatcher.APIDispatcher
+				if asyncAPICallsEnabled {
+					apiDispatcher = apidispatcher.New(cs, 16, apicalls.Relevances)
+					apiDispatcher.Run(logger)
+					defer apiDispatcher.Close()
+				}
+
+				fwk, err := tf.NewFramework(
+					ctx,
+					registeredPlugins, "",
+					frameworkruntime.WithClientSet(cs),
+					frameworkruntime.WithAPIDispatcher(apiDispatcher),
+					frameworkruntime.WithLogger(logger),
+					frameworkruntime.WithInformerFactory(informerFactory),
+					frameworkruntime.WithWaitingPods(frameworkruntime.NewWaitingPodsMap()),
+					frameworkruntime.WithSnapshotSharedLister(internalcache.NewSnapshot(testPods, nodes)),
+					frameworkruntime.WithEventRecorder(eventBroadcaster.NewRecorder(scheme.Scheme, "test-scheduler")),
+					frameworkruntime.WithPodNominator(internalqueue.NewSchedulingQueue(nil, informerFactory)),
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+				informerFactory.Start(ctx.Done())
+				fakePreemptionScorePostFilterPlugin := &FakePreemptionScorePostFilterPlugin{}
+				if asyncAPICallsEnabled {
+					cache := internalcache.New(ctx, 100*time.Millisecond, apiDispatcher)
+					fwk.SetAPICacher(apicache.New(nil, cache))
+				}
+
+				pe := NewEvaluator("FakePreemptionScorePostFilter", fwk, fakePreemptionScorePostFilterPlugin, true /* asyncPreemptionEnabled */)
+				// preemptPodCallsCounter helps verify if the last victim pod gets preempted after other victims.
+				preemptPodCallsCounter := 0
+				preemptFunc := pe.PreemptPod
+				pe.PreemptPod = func(ctx context.Context, c Candidate, preemptor, victim *v1.Pod, pluginName string) error {
+					// Verify contents of the sets: preempting and lastVictimsPendingPreemption before preemption of subsequent pods.
+					pe.mu.RLock()
+					preemptPodCallsCounter++
+
+					if !pe.preempting.Has(tt.preemptor.UID) {
+						t.Errorf("Expected preempting set to be contain %v before preempting victim %v but got set: %v", tt.preemptor.UID, victim.Name, pe.preempting)
+					}
+
+					victimCount := len(tt.candidate.Victims().Pods)
+					if victim.Name == tt.lastVictim.Name {
+						if victimCount != preemptPodCallsCounter {
+							t.Errorf("Expected PreemptPod for last victim %v to be called last (call no. %v), but it was called as no. %v", victim.Name, victimCount, preemptPodCallsCounter)
+						}
+						if v, ok := pe.lastVictimsPendingPreemption[tt.preemptor.UID]; !ok || tt.lastVictim.Name != v.name {
+							t.Errorf("Expected lastVictimsPendingPreemption map to contain victim %v for preemptor UID %v when preempting the last victim, but got map: %v",
+								tt.lastVictim.Name, tt.preemptor.UID, pe.lastVictimsPendingPreemption)
+						}
+					} else {
+						if preemptPodCallsCounter >= victimCount {
+							t.Errorf("Expected PreemptPod for victim %v to be called earlier, but it was called as last - no. %v", victim.Name, preemptPodCallsCounter)
+						}
+						if _, ok := pe.lastVictimsPendingPreemption[tt.preemptor.UID]; ok {
+							t.Errorf("Expected lastVictimsPendingPreemption map to not contain values for preemptor UID %v when not preempting the last victim, but got map: %v",
+								tt.preemptor.UID, pe.lastVictimsPendingPreemption)
+						}
+					}
+					pe.mu.RUnlock()
+
+					return preemptFunc(ctx, c, preemptor, victim, pluginName)
+				}
+
+				pe.mu.RLock()
+				if len(pe.preempting) > 0 {
+					t.Errorf("Expected preempting set to be empty before prepareCandidateAsync but got %v", pe.preempting)
+				}
+				if len(pe.lastVictimsPendingPreemption) > 0 {
+					t.Errorf("Expected lastVictimsPendingPreemption map to be empty before prepareCandidateAsync but got %v", pe.lastVictimsPendingPreemption)
+				}
+				pe.mu.RUnlock()
+
+				pe.prepareCandidateAsync(tt.candidate, tt.preemptor, "test-plugin")
+
+				// Perform the checks when there are no victims left to preempt.
+				t.Log("Waiting for async preemption goroutine to finish cleanup...")
+				err = wait.PollUntilContextTimeout(ctx, 10*time.Millisecond, 2*time.Second, false, func(ctx context.Context) (bool, error) {
+					// Check if the preemptor is removed from the ev.preempting set.
+					pe.mu.RLock()
+					defer pe.mu.RUnlock()
+					return !pe.preempting.Has(tt.preemptor.UID), nil
+				})
+				if err != nil {
+					t.Errorf("Timed out waiting for preemptingSet to become empty. %v", err)
+				}
+
+				pe.mu.RLock()
+				if _, ok := pe.lastVictimsPendingPreemption[tt.preemptor.UID]; ok {
+					t.Errorf("Expected lastVictimsPendingPreemption map to not contain values for %v after completing preemption, but got map: %v",
+						tt.preemptor.UID, pe.lastVictimsPendingPreemption)
+				}
+				if victimCount := len(tt.candidate.Victims().Pods); victimCount != preemptPodCallsCounter {
+					t.Errorf("Expected PreemptPod to be called %v times during prepareCandidateAsync but got %v", victimCount, preemptPodCallsCounter)
+				}
+				pe.mu.RUnlock()
+			})
+		}
+	}
+}
+
+// fakePodLister helps test IsPodRunningPreemption logic without worrying about cache synchronization issues.
+// Current list of pods is set using field pods.
+type fakePodLister struct {
+	corelisters.PodLister
+	pods map[string]*v1.Pod
+}
+
+func (m *fakePodLister) Pods(namespace string) corelisters.PodNamespaceLister {
+	return &fakePodNamespaceLister{pods: m.pods}
+}
+
+// fakePodNamespaceLister helps test IsPodRunningPreemption logic without worrying about cache synchronization issues.
+// Current list of pods is set using field pods.
+type fakePodNamespaceLister struct {
+	corelisters.PodNamespaceLister
+	pods map[string]*v1.Pod
+}
+
+func (m *fakePodNamespaceLister) Get(name string) (*v1.Pod, error) {
+	if pod, ok := m.pods[name]; ok {
+		return pod, nil
+	}
+	// Important: Return the standard IsNotFound error for a fake cache miss.
+	return nil, apierrors.NewNotFound(v1.Resource("pods"), name)
+}
+
+func TestIsPodRunningPreemption(t *testing.T) {
+	var (
+		victim1 = st.MakePod().Name("victim1").UID("victim1").
+			Node("node").SchedulerName("sch").Priority(midPriority).
+			Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+			Obj()
+
+		victim2 = st.MakePod().Name("victim2").UID("victim2").
+			Node("node").SchedulerName("sch").Priority(midPriority).
+			Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+			Obj()
+
+		victimWithDeletionTimestamp = st.MakePod().Name("victim-deleted").UID("victim-deleted").
+						Node("node").SchedulerName("sch").Priority(midPriority).
+						Terminating().
+						Containers([]v1.Container{st.MakeContainer().Name("container1").Obj()}).
+						Obj()
+	)
+
+	tests := []struct {
+		name            string
+		preemptorUID    types.UID
+		preemptingSet   sets.Set[types.UID]
+		lastVictimSet   map[types.UID]pendingVictim
+		podsInPodLister map[string]*v1.Pod
+		expectedResult  bool
+	}{
+		{
+			name:           "preemptor not in preemptingSet",
+			preemptorUID:   "preemptor",
+			preemptingSet:  sets.New[types.UID](),
+			lastVictimSet:  map[types.UID]pendingVictim{},
+			expectedResult: false,
+		},
+		{
+			name:          "preemptor not in preemptingSet, lastVictimSet not empty",
+			preemptorUID:  "preemptor",
+			preemptingSet: sets.New[types.UID](),
+			lastVictimSet: map[types.UID]pendingVictim{
+				"preemptor": {
+					namespace: "ns",
+					name:      "victim1",
+				},
+			},
+			expectedResult: false,
+		},
+		{
+			name:          "preemptor in preemptingSet, no lastVictim for preemptor",
+			preemptorUID:  "preemptor",
+			preemptingSet: sets.New[types.UID]("preemptor"),
+			lastVictimSet: map[types.UID]pendingVictim{
+				"otherPod": {
+					namespace: "ns",
+					name:      "victim1",
+				},
+			},
+			expectedResult: true,
+		},
+		{
+			name:          "preemptor in preemptingSet, victim in lastVictimSet, not in PodLister",
+			preemptorUID:  "preemptor",
+			preemptingSet: sets.New[types.UID]("preemptor"),
+			lastVictimSet: map[types.UID]pendingVictim{
+				"preemptor": {
+					namespace: "ns",
+					name:      "victim1",
+				},
+			},
+			podsInPodLister: map[string]*v1.Pod{},
+			expectedResult:  false,
+		},
+		{
+			name:          "preemptor in preemptingSet, victim in lastVictimSet and in PodLister",
+			preemptorUID:  "preemptor",
+			preemptingSet: sets.New[types.UID]("preemptor"),
+			lastVictimSet: map[types.UID]pendingVictim{
+				"preemptor": {
+					namespace: "ns",
+					name:      "victim1",
+				},
+			},
+			podsInPodLister: map[string]*v1.Pod{
+				"victim1": victim1,
+				"victim2": victim2,
+			},
+			expectedResult: true,
+		},
+		{
+			name:          "preemptor in preemptingSet, victim in lastVictimSet and in PodLister with deletion timestamp",
+			preemptorUID:  "preemptor",
+			preemptingSet: sets.New[types.UID]("preemptor"),
+			lastVictimSet: map[types.UID]pendingVictim{
+				"preemptor": {
+					namespace: "ns",
+					name:      "victim-deleted",
+				},
+			},
+			podsInPodLister: map[string]*v1.Pod{
+				"victim1":        victim1,
+				"victim-deleted": victimWithDeletionTimestamp,
+			},
+			expectedResult: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%v", tt.name), func(t *testing.T) {
+
+			fakeLister := &fakePodLister{
+				pods: tt.podsInPodLister,
+			}
+			pe := Evaluator{
+				PodLister:                    fakeLister,
+				preempting:                   tt.preemptingSet,
+				lastVictimsPendingPreemption: tt.lastVictimSet,
+			}
+
+			if result := pe.IsPodRunningPreemption(tt.preemptorUID); tt.expectedResult != result {
+				t.Errorf("Expected IsPodRunningPreemption to return %v but got %v", tt.expectedResult, result)
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/runtime/batch.go b/pkg/scheduler/framework/runtime/batch.go
new file mode 100644
index 0000000000000..ad296f8a0103d
--- /dev/null
+++ b/pkg/scheduler/framework/runtime/batch.go
@@ -0,0 +1,240 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"bytes"
+	"context"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/metrics"
+)
+
+// OpportunisticBatching caches results from filtering and scoring when possible to optimize
+// scheduling of common pods.
+type OpportunisticBatch struct {
+	state         *batchState
+	lastCycle     schedulingCycle
+	signatureFunc SignatureFunc
+	handle        fwk.Handle
+
+	// Used primarily for tests, count the total pods we
+	// have successfully batched.
+	batchedPods int64
+}
+
+type batchState struct {
+	signature    fwk.PodSignature
+	sortedNodes  framework.SortedScoredNodes
+	creationTime time.Time
+}
+
+type schedulingCycle struct {
+	cycleCount int64
+	chosenNode string
+	succeeded  bool
+}
+
+const (
+	maxBatchAge = 500 * time.Millisecond
+)
+
+type SignatureFunc func(h fwk.Handle, ctx context.Context, p *v1.Pod, recordPluginStats bool) fwk.PodSignature
+
+func signUsingFramework(h fwk.Handle, ctx context.Context, p *v1.Pod, recordPluginStats bool) fwk.PodSignature {
+	return h.SignPod(ctx, p, recordPluginStats)
+}
+
+// Provide a hint for the pod based on filtering an scoring results of previous cycles. Caching works only for consecutive pods
+// with the same signature that are scheduled in 1-pod-per-node manner (otherwise previous scores could not be reused).
+// It's assured by checking the top rated node is no longer feasible (meaning the previous pod was successfully scheduled and the
+// current one does not fit).
+func (b *OpportunisticBatch) GetNodeHint(ctx context.Context, pod *v1.Pod, state fwk.CycleState, cycleCount int64) (string, fwk.PodSignature) {
+	logger := klog.FromContext(ctx)
+	var hint string
+
+	startTime := time.Now()
+	defer func() {
+		hinted := "hint"
+		if hint == "" {
+			hinted = "no_hint"
+		}
+		metrics.GetNodeHintDuration.WithLabelValues(hinted, b.handle.ProfileName()).Observe(metrics.SinceInSeconds(startTime))
+	}()
+
+	signature := b.signatureFunc(b.handle, ctx, pod, state.ShouldRecordPluginMetrics())
+
+	nodeInfos := b.handle.SnapshotSharedLister().NodeInfos()
+
+	// If we don't have state that we can use, then return an empty hint.
+	if !b.batchStateCompatible(ctx, logger, pod, signature, cycleCount, state, nodeInfos) {
+		metrics.BatchAttemptStats.WithLabelValues(b.handle.ProfileName(), metrics.BatchAttemptNoHint).Inc()
+		logger.V(4).Info("OpportunisticBatch no node hint available for pod",
+			"profile", b.handle.ProfileName(), "pod", klog.KObj(pod), "cycleCount", cycleCount)
+		return "", signature
+	}
+
+	// Otherwise, pop the head of the list in our state and return it as
+	// a hint. Also record it in our data to compare on storage.
+	hint = b.state.sortedNodes.Pop()
+	logger.V(3).Info("OpportunisticBatch provided node hint",
+		"profile", b.handle.ProfileName(), "pod", klog.KObj(pod), "cycleCount", cycleCount, "hint", hint,
+		"remainingNodes", b.state.sortedNodes.Len())
+
+	return hint, signature
+}
+
+// Store results from scheduling for use as a batch later.
+func (b *OpportunisticBatch) StoreScheduleResults(ctx context.Context, signature fwk.PodSignature, hintedNode, chosenNode string, otherNodes framework.SortedScoredNodes, cycleCount int64) {
+	logger := klog.FromContext(ctx)
+
+	startTime := time.Now()
+	defer metrics.StoreScheduleResultsDuration.WithLabelValues(b.handle.ProfileName()).Observe(metrics.SinceInSeconds(startTime))
+
+	// Set our cycle information for next time.
+	b.lastCycle = schedulingCycle{
+		cycleCount: cycleCount,
+		chosenNode: chosenNode,
+		succeeded:  true,
+	}
+	logger.V(4).Info("OpportunisticBatch set cycle state",
+		"profile", b.handle.ProfileName(), "cycleCount", cycleCount, "hintedNode", hintedNode, "chosenNode", chosenNode)
+
+	if hintedNode == chosenNode {
+		logger.V(4).Info("OpportunisticBatch skipping set state because hint was provided",
+			"profile", b.handle.ProfileName(), "cycleCount", cycleCount, "chosenNode", chosenNode)
+		metrics.BatchAttemptStats.WithLabelValues(b.handle.ProfileName(), metrics.BatchAttemptHintUsed).Inc()
+		b.batchedPods++
+		return
+	}
+
+	// Only store new results if we didn't give a hint or it wasn't used.
+	// Track the somewhat unusual case where we gave a hint and it wasn't used.
+	if hintedNode != "" {
+		metrics.BatchAttemptStats.WithLabelValues(b.handle.ProfileName(), metrics.BatchAttemptHintNotUsed).Inc()
+		logger.V(4).Info("OpportunisticBatch hint not used",
+			"profile", b.handle.ProfileName(), "cycleCount", b.lastCycle.cycleCount, "hint", hintedNode, "chosen", chosenNode)
+	}
+
+	// If this pod is batchable, set our results as state.
+	// We will check this against the next pod when we give the
+	// next hint.
+	if signature != nil && otherNodes != nil && otherNodes.Len() > 0 {
+		b.state = &batchState{
+			signature:    signature,
+			sortedNodes:  otherNodes,
+			creationTime: time.Now(),
+		}
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			loggerV.Info("OpportunisticBatch set batch information",
+				"profile", b.handle.ProfileName(), "signature", b.state.signature, "nodes", otherNodes.Len(), "cycleCount", cycleCount)
+		} else {
+			logger.V(4).Info("OpportunisticBatch set batch information",
+				"profile", b.handle.ProfileName(), "nodes", otherNodes.Len(), "cycleCount", cycleCount)
+		}
+	} else {
+		reason := metrics.BatchFlushPodNotBatchable
+		if otherNodes == nil || otherNodes.Len() == 0 {
+			reason = metrics.BatchFlushEmptyList
+		}
+
+		b.logUnusableState(logger, cycleCount, reason)
+		b.state = nil
+	}
+}
+
+// logUnusableState our batch state because we can't keep it up to date.
+// Record the reason for our invalidation in the stats.
+func (b *OpportunisticBatch) logUnusableState(logger klog.Logger, cycleCount int64, reason string) {
+	metrics.BatchCacheFlushed.WithLabelValues(b.handle.ProfileName(), reason).Inc()
+	logger.V(4).Info("OpportunisticBatch found unusable state",
+		"profile", b.handle.ProfileName(), "cycleCount", cycleCount, "reason", reason)
+}
+
+// Update the batch state based on a the arrival of a new pod and the chosen node from the last pod.
+func (b *OpportunisticBatch) batchStateCompatible(ctx context.Context, logger klog.Logger, pod *v1.Pod, signature fwk.PodSignature, cycleCount int64, state fwk.CycleState, nodeInfos fwk.NodeInfoLister) bool {
+	// Just return if we don't have any state to use.
+	if b.stateEmpty() {
+		return false
+	}
+
+	// In this case, a previous pod was scheduled by another profile, meaning we can't use the state anymore.
+	if cycleCount != b.lastCycle.cycleCount+1 {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushPodSkipped)
+		return false
+	}
+
+	// If our last pod failed we can't use the state.
+	if !b.lastCycle.succeeded {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushPodFailed)
+		return false
+	}
+
+	// If the new pod is incompatible with the current state, throw the state away.
+	if signature == nil || !bytes.Equal(signature, b.state.signature) {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushPodIncompatible)
+		return false
+	}
+
+	// If the state is too old, throw the state away. This is to avoid
+	// cases where we either have huge numbers of compatible pods in a
+	// row or we have a long wait between pods.
+	if time.Now().After((b.state.creationTime.Add(maxBatchAge))) {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushExpired)
+		return false
+	}
+
+	// We can only reuse the previous state if the new pod will not
+	// fit on the node we used for the last pod. If the node we
+	// chose last time can't host this pod, then we know
+	// that the next best should be the next node in the list.
+	// If we *could* put this pod on the node we just used, then we can't
+	// use our cache because we don't know how to rescore the used node; it
+	// could be the best, or it could be somewhere else.
+	// See git.k8s.io/enhancements/keps/sig-scheduling/5598-opportunistic-batching
+	lastChosenNode, err := nodeInfos.Get(b.lastCycle.chosenNode)
+	if lastChosenNode == nil || err != nil {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushNodeMissing)
+		return false
+	}
+
+	status := b.handle.RunFilterPlugins(ctx, state, pod, lastChosenNode)
+	if !status.IsRejected() {
+		b.logUnusableState(logger, cycleCount, metrics.BatchFlushNodeNotFull)
+		return false
+	}
+
+	// Our state matches with our new pod and is useable
+	return true
+}
+
+// Irritatingly we can end up with a variety of different configurations that are all "empty".
+// Rather than trying to normalize all cases when they happen, we just check them all.
+func (b *OpportunisticBatch) stateEmpty() bool {
+	return b.state == nil || b.state.sortedNodes == nil || b.state.sortedNodes.Len() == 0
+}
+
+func newOpportunisticBatch(h fwk.Handle, signatureFunc SignatureFunc) *OpportunisticBatch {
+	return &OpportunisticBatch{
+		signatureFunc: signatureFunc,
+		handle:        h,
+	}
+}
diff --git a/pkg/scheduler/framework/runtime/batch_test.go b/pkg/scheduler/framework/runtime/batch_test.go
new file mode 100644
index 0000000000000..b053fb6bebdfd
--- /dev/null
+++ b/pkg/scheduler/framework/runtime/batch_test.go
@@ -0,0 +1,388 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"log"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/klog/v2/ktesting"
+	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/apis/config"
+	"k8s.io/kubernetes/pkg/scheduler/framework"
+)
+
+// nodeInfoLister declares a fwk.NodeInfo type for testing.
+type nodeInfoLister []fwk.NodeInfo
+
+// Get returns a fake node object in the fake nodes.
+func (nodes nodeInfoLister) Get(nodeName string) (fwk.NodeInfo, error) {
+	for _, node := range nodes {
+		if node != nil && node.Node().Name == nodeName {
+			return node, nil
+		}
+	}
+	return nil, fmt.Errorf("unable to find node: %s", nodeName)
+}
+
+// List lists all nodes.
+func (nodes nodeInfoLister) List() ([]fwk.NodeInfo, error) {
+	return nodes, nil
+}
+
+// HavePodsWithAffinityList is supposed to list nodes with at least one pod with affinity. For the fake lister
+// we just return everything.
+func (nodes nodeInfoLister) HavePodsWithAffinityList() ([]fwk.NodeInfo, error) {
+	return nodes, nil
+}
+
+// HavePodsWithRequiredAntiAffinityList is supposed to list nodes with at least one pod with
+// required anti-affinity. For the fake lister we just return everything.
+func (nodes nodeInfoLister) HavePodsWithRequiredAntiAffinityList() ([]fwk.NodeInfo, error) {
+	return nodes, nil
+}
+
+type sharedLister struct {
+	nodes nodeInfoLister
+}
+
+func (s sharedLister) NodeInfos() fwk.NodeInfoLister {
+	return s.nodes
+}
+
+type storageInfoListerContract struct{}
+
+func (c *storageInfoListerContract) IsPVCUsedByPods(_ string) bool {
+	return false
+}
+
+func (s sharedLister) StorageInfos() fwk.StorageInfoLister {
+	return &storageInfoListerContract{}
+}
+
+var batchRegistry = func() Registry {
+	r := make(Registry)
+	err := r.Register("batchTest", newBatchTestPlugin)
+	if err != nil {
+		log.Fatal("Couldn't register test.")
+	}
+	err = r.Register(queueSortPlugin, newQueueSortPlugin)
+	if err != nil {
+		log.Fatal("Couldn't register test.")
+	}
+	err = r.Register(bindPlugin, newBindPlugin)
+	if err != nil {
+		log.Fatal("Couldn't register test.")
+	}
+	return r
+}()
+
+type BatchTestPlugin struct{}
+
+func (pl *BatchTestPlugin) Name() string {
+	return "batchTest"
+}
+
+const blockingPodPrefix = 'b'
+
+func blockingPodID(suffix string) string {
+	return fmt.Sprintf("%c-%s", blockingPodPrefix, suffix)
+}
+
+const nonBlockingPodPrefix = 'a'
+
+func nonBlockingPodID(suffix string) string {
+	return fmt.Sprintf("%c-%s", nonBlockingPodPrefix, suffix)
+}
+
+// Test plugin assumes that each node can hold only one pod whose id begins with blockingPrefix. This allows
+// us to construct pods that block future selves or not.
+func (pl *BatchTestPlugin) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	podID := pod.GetUID()
+	for _, nodePod := range nodeInfo.GetPods() {
+		npid := nodePod.GetPod().GetUID()
+		if podID[0] == blockingPodPrefix && npid[0] == blockingPodPrefix {
+			return fwk.NewStatus(fwk.Unschedulable, "unsched")
+		}
+	}
+	return nil
+}
+
+func newBatchTestPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
+	return &BatchTestPlugin{}, nil
+}
+
+func newBatchTestFramework(ctx context.Context, r Registry) (framework.Framework, *sharedLister, error) {
+	plugins := &config.Plugins{}
+	profile := config.KubeSchedulerProfile{Plugins: plugins}
+
+	if _, ok := r[queueSortPlugin]; !ok {
+		r[queueSortPlugin] = newQueueSortPlugin
+	}
+	if _, ok := r[bindPlugin]; !ok {
+		r[bindPlugin] = newBindPlugin
+	}
+
+	if len(profile.Plugins.QueueSort.Enabled) == 0 {
+		profile.Plugins.QueueSort.Enabled = append(profile.Plugins.QueueSort.Enabled, config.Plugin{Name: queueSortPlugin})
+	}
+	if len(profile.Plugins.Bind.Enabled) == 0 {
+		profile.Plugins.Bind.Enabled = append(profile.Plugins.Bind.Enabled, config.Plugin{Name: bindPlugin})
+	}
+	profile.Plugins.Filter.Enabled = []config.Plugin{{Name: "batchTest"}}
+
+	lister := &sharedLister{nodes: nodeInfoLister{}}
+
+	ret, err := NewFramework(ctx, r, &profile, WithSnapshotSharedLister(lister))
+
+	return ret, lister, err
+}
+
+type testSortedScoredNodes struct {
+	Nodes []string
+}
+
+var _ framework.SortedScoredNodes = &testSortedScoredNodes{}
+
+func (t *testSortedScoredNodes) Pop() string {
+	ret := t.Nodes[0]
+	t.Nodes = t.Nodes[1:]
+	return ret
+}
+
+func (t *testSortedScoredNodes) Len() int {
+	return len(t.Nodes)
+}
+
+func newTestNodes(n []string) *testSortedScoredNodes {
+	return &testSortedScoredNodes{Nodes: n}
+}
+
+func newTestSigFunc(sig *fwk.PodSignature) SignatureFunc {
+	return func(h fwk.Handle, ctx context.Context, p *v1.Pod, shouldRecordStats bool) fwk.PodSignature {
+		return *sig
+	}
+}
+
+func TestBatchBasic(t *testing.T) {
+	// This test first let OpportunisticBatch handle the first pod, and then see how it behaves with the second pod.
+	tests := []struct {
+		name                          string
+		firstPodID                    string
+		firstSig                      string
+		firstPodScheduledSuccessfully bool
+		// firstChosenNode is supposed to set only if firstPodScheduledSuccessfully is true.
+		firstChosenNode string
+		// firstOtherNodes is supposed to set only if firstPodScheduledSuccessfully is true.
+		firstOtherNodes framework.SortedScoredNodes
+		// if it's true, the test case behaves as if there is another pod handled by another profile between the first and second pod.
+		skipPod          bool
+		secondPodID      string
+		secondSig        string
+		secondChosenNode string
+		secondOtherNodes framework.SortedScoredNodes
+		expectedHint     string
+		expectedState    *batchState
+	}{
+		{
+			name:                          "a second pod with the same signature gets a hint",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1"}),
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n1",
+			expectedHint:                  "n1",
+		},
+		{
+			name:                          "a second pod with a different signature doesn't get a hint",
+			firstPodID:                    nonBlockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1"}),
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   nonBlockingPodID("2"),
+			secondSig:                     "sig2",
+			secondChosenNode:              "n1",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "a second pod doesn't get a hint if it's not 1-pod-per-node",
+			firstPodID:                    nonBlockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1"}),
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   nonBlockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n1",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "pod doesn't get hint if previous pod didn't scheduled",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1"}),
+			firstPodScheduledSuccessfully: false,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n1",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "empty list",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{}),
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n4",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "nil list",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               nil,
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n4",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "pod doesn't get hint because the previous pod is to a different profile",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1"}),
+			firstPodScheduledSuccessfully: true,
+			skipPod:                       true,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n1",
+			expectedHint:                  "",
+		},
+		{
+			name:                          "pod uses batch from preceding pod and leaves remaining batch to next pod",
+			firstPodID:                    blockingPodID("1"),
+			firstSig:                      "sig",
+			firstChosenNode:               "n3",
+			firstOtherNodes:               newTestNodes([]string{"n1", "n2"}),
+			firstPodScheduledSuccessfully: true,
+			secondPodID:                   blockingPodID("2"),
+			secondSig:                     "sig",
+			secondChosenNode:              "n1",
+			expectedHint:                  "n1",
+			expectedState: &batchState{
+				signature:   []byte("sig"),
+				sortedNodes: newTestNodes([]string{"n2"}),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+			testFwk, lister, err := newBatchTestFramework(ctx, batchRegistry)
+			if err != nil {
+				t.Fatalf("Failed to create framework for testing: %v", err)
+			}
+
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod",
+					UID:  types.UID(tt.firstPodID),
+				},
+			}
+
+			signature := fwk.PodSignature(tt.firstSig)
+			batch := newOpportunisticBatch(testFwk, newTestSigFunc(&signature))
+			state := framework.NewCycleState()
+
+			// Run the first "pod" through
+			hint, _ := batch.GetNodeHint(ctx, pod, state, 1)
+			if hint != "" {
+				t.Fatalf("Got unexpected hint %s", hint)
+			}
+			if tt.firstPodScheduledSuccessfully {
+				batch.StoreScheduleResults(ctx, []byte(tt.firstSig), hint, tt.firstChosenNode, tt.firstOtherNodes, 1)
+			}
+
+			var cycleCount int64 = 2
+			if tt.skipPod {
+				cycleCount = 3
+			}
+
+			// Run the second pod
+			pod2 := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod2",
+					UID:  types.UID(tt.secondPodID),
+				},
+			}
+
+			lastChosenNode := framework.NewNodeInfo(pod)
+			lastChosenNode.SetNode(&v1.Node{ObjectMeta: metav1.ObjectMeta{
+				Name: tt.firstChosenNode,
+				UID:  types.UID(tt.firstChosenNode),
+			}})
+			lister.nodes = nodeInfoLister{lastChosenNode}
+
+			signature = fwk.PodSignature(tt.secondSig)
+			hint, _ = batch.GetNodeHint(ctx, pod2, state, cycleCount)
+
+			if hint != tt.expectedHint {
+				t.Fatalf("Got hint '%s' expected '%s' for test '%s'", hint, tt.expectedHint, tt.name)
+			}
+
+			batch.StoreScheduleResults(ctx, []byte(tt.secondSig), hint, tt.secondChosenNode, tt.secondOtherNodes, cycleCount)
+
+			batchEmpty := batch.state == nil || batch.state.sortedNodes == nil || batch.state.sortedNodes.Len() == 0
+			expectedEmpty := tt.expectedState == nil
+
+			if batchEmpty != expectedEmpty {
+				t.Fatalf("Expected empty %t, got empty %t for %s", expectedEmpty, batchEmpty, tt.name)
+			}
+			if !expectedEmpty {
+				if !bytes.Equal(batch.state.signature, []byte(tt.expectedState.signature)) {
+					t.Fatalf("Got state signature '%s' expected '%s' for test '%s'", batch.state.signature, tt.expectedState.signature, tt.name)
+				}
+				nodesDiff := cmp.Diff(tt.expectedState.sortedNodes, batch.state.sortedNodes)
+				if nodesDiff != "" {
+					t.Fatalf("Diff between sortedNodes (-want,+got):\n%s", nodesDiff)
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/scheduler/framework/runtime/framework.go b/pkg/scheduler/framework/runtime/framework.go
index dad07a12abe3b..350c8e0c7fe19 100644
--- a/pkg/scheduler/framework/runtime/framework.go
+++ b/pkg/scheduler/framework/runtime/framework.go
@@ -18,6 +18,7 @@ package runtime
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -29,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
@@ -36,8 +38,9 @@ import (
 	"k8s.io/component-helpers/scheduling/corev1"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
+	apidispatcher "k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
@@ -53,44 +56,52 @@ const (
 // plugins.
 type frameworkImpl struct {
 	registry             Registry
-	snapshotSharedLister framework.SharedLister
+	snapshotSharedLister fwk.SharedLister
 	waitingPods          *waitingPodsMap
 	scorePluginWeight    map[string]int
-	preEnqueuePlugins    []framework.PreEnqueuePlugin
-	enqueueExtensions    []framework.EnqueueExtensions
-	queueSortPlugins     []framework.QueueSortPlugin
-	preFilterPlugins     []framework.PreFilterPlugin
-	filterPlugins        []framework.FilterPlugin
-	postFilterPlugins    []framework.PostFilterPlugin
-	preScorePlugins      []framework.PreScorePlugin
-	scorePlugins         []framework.ScorePlugin
-	reservePlugins       []framework.ReservePlugin
-	preBindPlugins       []framework.PreBindPlugin
-	bindPlugins          []framework.BindPlugin
-	postBindPlugins      []framework.PostBindPlugin
-	permitPlugins        []framework.PermitPlugin
+	preEnqueuePlugins    []fwk.PreEnqueuePlugin
+	enqueueExtensions    []fwk.EnqueueExtensions
+	queueSortPlugins     []fwk.QueueSortPlugin
+	preFilterPlugins     []fwk.PreFilterPlugin
+	filterPlugins        []fwk.FilterPlugin
+	postFilterPlugins    []fwk.PostFilterPlugin
+	preScorePlugins      []fwk.PreScorePlugin
+	scorePlugins         []fwk.ScorePlugin
+	reservePlugins       []fwk.ReservePlugin
+	preBindPlugins       []fwk.PreBindPlugin
+	bindPlugins          []fwk.BindPlugin
+	postBindPlugins      []fwk.PostBindPlugin
+	permitPlugins        []fwk.PermitPlugin
+	batchablePlugins     []fwk.SignPlugin
 
 	// pluginsMap contains all plugins, by name.
-	pluginsMap map[string]framework.Plugin
+	pluginsMap map[string]fwk.Plugin
 
 	clientSet        clientset.Interface
 	kubeConfig       *restclient.Config
 	eventRecorder    events.EventRecorder
 	informerFactory  informers.SharedInformerFactory
-	sharedDRAManager framework.SharedDRAManager
+	sharedDRAManager fwk.SharedDRAManager
+	workloadManager  fwk.WorkloadManager
 	logger           klog.Logger
 
+	sharedCSIManager fwk.CSIManager
+
 	metricsRecorder          *metrics.MetricAsyncRecorder
 	profileName              string
 	percentageOfNodesToScore *int32
 
-	extenders []framework.Extender
-	framework.PodNominator
-	framework.PodActivator
+	extenders []fwk.Extender
+	fwk.PodNominator
+	fwk.PodActivator
 	apiDispatcher *apidispatcher.APIDispatcher
-	apiCacher     framework.APICacher
+	apiCacher     fwk.APICacher
+
+	parallelizer fwk.Parallelizer
+
+	batch *OpportunisticBatch
 
-	parallelizer parallelize.Parallelizer
+	enableSignatures bool
 }
 
 // extensionPoint encapsulates desired and applied set of plugins at a specific extension
@@ -122,7 +133,7 @@ func (f *frameworkImpl) getExtensionPoints(plugins *config.Plugins) []extensionP
 }
 
 // Extenders returns the registered extenders.
-func (f *frameworkImpl) Extenders() []framework.Extender {
+func (f *frameworkImpl) Extenders() []fwk.Extender {
 	return f.extenders
 }
 
@@ -132,16 +143,18 @@ type frameworkOptions struct {
 	kubeConfig             *restclient.Config
 	eventRecorder          events.EventRecorder
 	informerFactory        informers.SharedInformerFactory
-	sharedDRAManager       framework.SharedDRAManager
-	snapshotSharedLister   framework.SharedLister
+	sharedDRAManager       fwk.SharedDRAManager
+	sharedCSIManager       fwk.CSIManager
+	snapshotSharedLister   fwk.SharedLister
 	metricsRecorder        *metrics.MetricAsyncRecorder
-	podNominator           framework.PodNominator
-	podActivator           framework.PodActivator
-	extenders              []framework.Extender
+	podNominator           fwk.PodNominator
+	podActivator           fwk.PodActivator
+	extenders              []fwk.Extender
 	captureProfile         CaptureProfile
 	parallelizer           parallelize.Parallelizer
 	waitingPods            *waitingPodsMap
 	apiDispatcher          *apidispatcher.APIDispatcher
+	workloadManager        fwk.WorkloadManager
 	logger                 *klog.Logger
 }
 
@@ -187,34 +200,41 @@ func WithInformerFactory(informerFactory informers.SharedInformerFactory) Option
 }
 
 // WithSharedDRAManager sets SharedDRAManager for the framework.
-func WithSharedDRAManager(sharedDRAManager framework.SharedDRAManager) Option {
+func WithSharedDRAManager(sharedDRAManager fwk.SharedDRAManager) Option {
 	return func(o *frameworkOptions) {
 		o.sharedDRAManager = sharedDRAManager
 	}
 }
 
+// WithSharedCSIManager sets SharedCSIManager for the framework.
+func WithSharedCSIManager(sharedCSIManager fwk.CSIManager) Option {
+	return func(o *frameworkOptions) {
+		o.sharedCSIManager = sharedCSIManager
+	}
+}
+
 // WithSnapshotSharedLister sets the SharedLister of the snapshot.
-func WithSnapshotSharedLister(snapshotSharedLister framework.SharedLister) Option {
+func WithSnapshotSharedLister(snapshotSharedLister fwk.SharedLister) Option {
 	return func(o *frameworkOptions) {
 		o.snapshotSharedLister = snapshotSharedLister
 	}
 }
 
 // WithPodNominator sets podNominator for the scheduling frameworkImpl.
-func WithPodNominator(nominator framework.PodNominator) Option {
+func WithPodNominator(nominator fwk.PodNominator) Option {
 	return func(o *frameworkOptions) {
 		o.podNominator = nominator
 	}
 }
 
-func WithPodActivator(activator framework.PodActivator) Option {
+func WithPodActivator(activator fwk.PodActivator) Option {
 	return func(o *frameworkOptions) {
 		o.podActivator = activator
 	}
 }
 
 // WithExtenders sets extenders for the scheduling frameworkImpl.
-func WithExtenders(extenders []framework.Extender) Option {
+func WithExtenders(extenders []fwk.Extender) Option {
 	return func(o *frameworkOptions) {
 		o.extenders = extenders
 	}
@@ -234,6 +254,13 @@ func WithAPIDispatcher(apiDispatcher *apidispatcher.APIDispatcher) Option {
 	}
 }
 
+// WithWorkloadManager sets Workload manager for the scheduling frameworkImpl.
+func WithWorkloadManager(workloadManager fwk.WorkloadManager) Option {
+	return func(o *frameworkOptions) {
+		o.workloadManager = workloadManager
+	}
+}
+
 // CaptureProfile is a callback to capture a finalized profile.
 type CaptureProfile func(config.KubeSchedulerProfile)
 
@@ -289,6 +316,7 @@ func NewFramework(ctx context.Context, r Registry, profile *config.KubeScheduler
 	f := &frameworkImpl{
 		registry:             r,
 		snapshotSharedLister: options.snapshotSharedLister,
+		sharedCSIManager:     options.sharedCSIManager,
 		scorePluginWeight:    make(map[string]int),
 		waitingPods:          options.waitingPods,
 		clientSet:            options.clientSet,
@@ -301,16 +329,21 @@ func NewFramework(ctx context.Context, r Registry, profile *config.KubeScheduler
 		PodNominator:         options.podNominator,
 		PodActivator:         options.podActivator,
 		apiDispatcher:        options.apiDispatcher,
+		workloadManager:      options.workloadManager,
 		parallelizer:         options.parallelizer,
 		logger:               logger,
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.OpportunisticBatching) {
+		f.batch = newOpportunisticBatch(f, signUsingFramework)
+	}
+
 	if len(f.extenders) > 0 {
 		// Extender doesn't support any kind of requeueing feature like EnqueueExtensions in the scheduling framework.
-		// We register a defaultEnqueueExtension to framework.ExtenderName here.
+		// We register a defaultEnqueueExtension to fwk.ExtenderName here.
 		// And, in the scheduling cycle, when Extenders reject some Nodes and the pod ends up being unschedulable,
-		// we put framework.ExtenderName to pInfo.UnschedulablePlugins.
-		f.enqueueExtensions = []framework.EnqueueExtensions{&defaultEnqueueExtension{pluginName: framework.ExtenderName}}
+		// we put fwk.ExtenderName to pInfo.UnschedulablePlugins.
+		f.enqueueExtensions = []fwk.EnqueueExtensions{&defaultEnqueueExtension{pluginName: framework.ExtenderName}}
 	}
 
 	if profile == nil {
@@ -341,7 +374,7 @@ func NewFramework(ctx context.Context, r Registry, profile *config.KubeScheduler
 		PluginConfig:             make([]config.PluginConfig, 0, len(pg)),
 	}
 
-	f.pluginsMap = make(map[string]framework.Plugin)
+	f.pluginsMap = make(map[string]fwk.Plugin)
 	for name, factory := range r {
 		// initialize only needed plugins.
 		if !pg.Has(name) {
@@ -397,6 +430,10 @@ func NewFramework(ctx context.Context, r Registry, profile *config.KubeScheduler
 		}
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.OpportunisticBatching) {
+		f.computeBatchablePlugins()
+	}
+
 	if options.captureProfile != nil {
 		if len(outputProfile.PluginConfig) != 0 {
 			sort.Slice(outputProfile.PluginConfig, func(i, j int) bool {
@@ -445,15 +482,15 @@ func (f *frameworkImpl) setInstrumentedPlugins() {
 	}
 }
 
-func (f *frameworkImpl) SetPodNominator(n framework.PodNominator) {
+func (f *frameworkImpl) SetPodNominator(n fwk.PodNominator) {
 	f.PodNominator = n
 }
 
-func (f *frameworkImpl) SetPodActivator(a framework.PodActivator) {
+func (f *frameworkImpl) SetPodActivator(a fwk.PodActivator) {
 	f.PodActivator = a
 }
 
-func (f *frameworkImpl) SetAPICacher(c framework.APICacher) {
+func (f *frameworkImpl) SetAPICacher(c fwk.APICacher) {
 	f.apiCacher = c
 }
 
@@ -497,10 +534,10 @@ func getScoreWeights(f *frameworkImpl, plugins []config.Plugin) error {
 		}
 
 		// Checks totalPriority against MaxTotalScore to avoid overflow
-		if int64(f.scorePluginWeight[e.Name])*framework.MaxNodeScore > framework.MaxTotalScore-totalPriority {
+		if int64(f.scorePluginWeight[e.Name])*fwk.MaxNodeScore > fwk.MaxTotalScore-totalPriority {
 			return fmt.Errorf("total score of Score plugins could overflow")
 		}
-		totalPriority += int64(f.scorePluginWeight[e.Name]) * framework.MaxNodeScore
+		totalPriority += int64(f.scorePluginWeight[e.Name]) * fwk.MaxNodeScore
 	}
 	return nil
 }
@@ -623,23 +660,23 @@ func (f *frameworkImpl) expandMultiPointPlugins(logger klog.Logger, profile *con
 	return nil
 }
 
-func shouldHaveEnqueueExtensions(p framework.Plugin) bool {
+func shouldHaveEnqueueExtensions(p fwk.Plugin) bool {
 	switch p.(type) {
 	// Only PreEnqueue, PreFilter, Filter, Reserve, and Permit plugins can (should) have EnqueueExtensions.
 	// See the comment of EnqueueExtensions for more detailed reason here.
-	case framework.PreEnqueuePlugin, framework.PreFilterPlugin, framework.FilterPlugin, framework.ReservePlugin, framework.PermitPlugin:
+	case fwk.PreEnqueuePlugin, fwk.PreFilterPlugin, fwk.FilterPlugin, fwk.ReservePlugin, fwk.PermitPlugin:
 		return true
 	}
 	return false
 }
 
-func (f *frameworkImpl) fillEnqueueExtensions(p framework.Plugin) {
+func (f *frameworkImpl) fillEnqueueExtensions(p fwk.Plugin) {
 	if !shouldHaveEnqueueExtensions(p) {
 		// Ignore EnqueueExtensions from plugin which isn't PreEnqueue, PreFilter, Filter, Reserve, and Permit.
 		return
 	}
 
-	ext, ok := p.(framework.EnqueueExtensions)
+	ext, ok := p.(fwk.EnqueueExtensions)
 	if !ok {
 		// If interface EnqueueExtensions is not implemented, register the default enqueue extensions
 		// to the plugin because we don't know which events the plugin is interested in.
@@ -665,7 +702,7 @@ func (p *defaultEnqueueExtension) EventsToRegister(_ context.Context) ([]fwk.Clu
 	return framework.UnrollWildCardResource(), nil
 }
 
-func updatePluginList(pluginList interface{}, pluginSet config.PluginSet, pluginsMap map[string]framework.Plugin) error {
+func updatePluginList(pluginList interface{}, pluginSet config.PluginSet, pluginsMap map[string]fwk.Plugin) error {
 	plugins := reflect.ValueOf(pluginList).Elem()
 	pluginType := plugins.Type().Elem()
 	set := sets.New[string]()
@@ -692,17 +729,17 @@ func updatePluginList(pluginList interface{}, pluginSet config.PluginSet, plugin
 }
 
 // PreEnqueuePlugins returns the registered preEnqueue plugins.
-func (f *frameworkImpl) PreEnqueuePlugins() []framework.PreEnqueuePlugin {
+func (f *frameworkImpl) PreEnqueuePlugins() []fwk.PreEnqueuePlugin {
 	return f.preEnqueuePlugins
 }
 
 // EnqueueExtensions returns the registered reenqueue plugins.
-func (f *frameworkImpl) EnqueueExtensions() []framework.EnqueueExtensions {
+func (f *frameworkImpl) EnqueueExtensions() []fwk.EnqueueExtensions {
 	return f.enqueueExtensions
 }
 
 // QueueSortFunc returns the function to sort pods in scheduling queue
-func (f *frameworkImpl) QueueSortFunc() framework.LessFunc {
+func (f *frameworkImpl) QueueSortFunc() fwk.LessFunc {
 	if f == nil {
 		// If frameworkImpl is nil, simply keep their order unchanged.
 		// NOTE: this is primarily for tests.
@@ -717,13 +754,112 @@ func (f *frameworkImpl) QueueSortFunc() framework.LessFunc {
 	return f.queueSortPlugins[0].Less
 }
 
+// If any of our preFilter, filter, preScore or score plugins haven't
+// implemented a signature, then disable the cache.
+func (f *frameworkImpl) computeBatchablePlugins() {
+	f.enableSignatures = true
+
+	if len(f.extenders) > 0 {
+		f.logger.Info("Disabling signatures for profile because it has extenders configured.",
+			"profile", f.profileName)
+
+		f.enableSignatures = false
+	}
+
+	// Get all plugins of compatible types.
+	candidatePlugins := []fwk.Plugin{}
+	for _, pl := range f.preFilterPlugins {
+		candidatePlugins = append(candidatePlugins, pl)
+	}
+	for _, pl := range f.filterPlugins {
+		candidatePlugins = append(candidatePlugins, pl)
+	}
+	for _, pl := range f.preScorePlugins {
+		candidatePlugins = append(candidatePlugins, pl)
+	}
+	for _, pl := range f.scorePlugins {
+		candidatePlugins = append(candidatePlugins, pl)
+	}
+
+	// Get signature elements from plugins.
+	plugins := map[string]fwk.SignPlugin{}
+	unsupportedPlugins := sets.New[string]()
+	for _, pl := range candidatePlugins {
+		if _, found := plugins[pl.Name()]; !found {
+			if _, implements := pl.(fwk.SignPlugin); implements {
+				f.batchablePlugins = append(f.batchablePlugins, pl.(fwk.SignPlugin))
+				plugins[pl.Name()] = pl.(fwk.SignPlugin)
+			} else {
+				unsupportedPlugins.Insert(pl.Name())
+				f.enableSignatures = false
+			}
+		}
+	}
+
+	if !f.enableSignatures {
+		f.logger.Info("Disabling signatures for profile because plugins do not support it.",
+			"profile", f.profileName, "plugins", unsupportedPlugins.UnsortedList())
+	}
+}
+
+// SignPod returns a signature for a given pod. Any two pods with the same signature should get
+// the same feasibility and scoring for the same set of nodes in the same state. If one or more plugins
+// is unable to construct a signature for the pod, the result will be nil, which means
+// there is no way to compare this pod against others, and will turn off a number of optimizations
+// for this pod.
+func (f *frameworkImpl) SignPod(ctx context.Context, pod *v1.Pod, recordPluginStats bool) fwk.PodSignature {
+	logger := klog.FromContext(ctx)
+	var status *fwk.Status
+
+	if recordPluginStats {
+		startTime := time.Now()
+		defer func() {
+			metrics.FrameworkExtensionPointDuration.WithLabelValues(metrics.Sign, status.Code().String(), f.profileName).Observe(metrics.SinceInSeconds(startTime))
+		}()
+	}
+
+	if !f.enableSignatures {
+		return nil
+	}
+
+	sig := map[string]any{
+		fwk.SchedulerNameSignerName: pod.Spec.SchedulerName,
+	}
+
+	for _, plugin := range f.batchablePlugins {
+		startTime := time.Now()
+		fragments, status := plugin.SignPod(ctx, pod)
+		f.metricsRecorder.ObservePluginDurationAsync(metrics.Sign, plugin.Name(), status.Code().String(), metrics.SinceInSeconds(startTime))
+
+		if !status.IsSuccess() {
+			if status.Code() == fwk.Error {
+				logger.Error(status.AsError(), "SignPod failed for plugin", "plugin", plugin.Name())
+			}
+			logger.V(5).Info("SignPod can't sign pod due to plugin", "plugin", plugin.Name(), "status", status)
+			return nil
+		}
+
+		for _, elem := range fragments {
+			sig[elem.Key] = elem.Value
+		}
+	}
+
+	sigBytes, err := json.Marshal(sig)
+	if err != nil {
+		logger.Error(err, "SignPod failed to marshal signature object")
+		return nil
+	}
+
+	return sigBytes
+}
+
 // RunPreFilterPlugins runs the set of configured PreFilter plugins. It returns
 // *Status and its code is set to non-success if any of the plugins returns
 // anything but Success/Skip.
 // When it returns Skip status, returned PreFilterResult and other fields in status are just ignored,
 // and coupled Filter plugin/PreFilterExtensions() will be skipped in this scheduling cycle.
 // If a non-success status is returned, then the scheduling cycle is aborted.
-func (f *frameworkImpl) RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (_ *framework.PreFilterResult, status *fwk.Status, _ sets.Set[string]) {
+func (f *frameworkImpl) RunPreFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod) (_ *fwk.PreFilterResult, status *fwk.Status, _ sets.Set[string]) {
 	startTime := time.Now()
 	skipPlugins := sets.New[string]()
 	defer func() {
@@ -734,7 +870,7 @@ func (f *frameworkImpl) RunPreFilterPlugins(ctx context.Context, state fwk.Cycle
 	if err != nil {
 		return nil, fwk.AsStatus(fmt.Errorf("getting all nodes: %w", err)), nil
 	}
-	var result *framework.PreFilterResult
+	var result *fwk.PreFilterResult
 	pluginsWithNodes := sets.New[string]()
 	logger := klog.FromContext(ctx)
 	verboseLogs := logger.V(4).Enabled()
@@ -786,7 +922,7 @@ func (f *frameworkImpl) RunPreFilterPlugins(ctx context.Context, state fwk.Cycle
 	return result, returnStatus, pluginsWithNodes
 }
 
-func (f *frameworkImpl) runPreFilterPlugin(ctx context.Context, pl framework.PreFilterPlugin, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (f *frameworkImpl) runPreFilterPlugin(ctx context.Context, pl fwk.PreFilterPlugin, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreFilter(ctx, state, pod, nodes)
 	}
@@ -831,7 +967,7 @@ func (f *frameworkImpl) RunPreFilterExtensionAddPod(
 	return nil
 }
 
-func (f *frameworkImpl) runPreFilterExtensionAddPod(ctx context.Context, pl framework.PreFilterPlugin, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+func (f *frameworkImpl) runPreFilterExtensionAddPod(ctx context.Context, pl fwk.PreFilterPlugin, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreFilterExtensions().AddPod(ctx, state, podToSchedule, podInfoToAdd, nodeInfo)
 	}
@@ -880,7 +1016,7 @@ func (f *frameworkImpl) RunPreFilterExtensionRemovePod(
 	return nil
 }
 
-func (f *frameworkImpl) runPreFilterExtensionRemovePod(ctx context.Context, pl framework.PreFilterPlugin, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+func (f *frameworkImpl) runPreFilterExtensionRemovePod(ctx context.Context, pl fwk.PreFilterPlugin, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreFilterExtensions().RemovePod(ctx, state, podToSchedule, podInfoToRemove, nodeInfo)
 	}
@@ -929,7 +1065,7 @@ func (f *frameworkImpl) RunFilterPlugins(
 	return nil
 }
 
-func (f *frameworkImpl) runFilterPlugin(ctx context.Context, pl framework.FilterPlugin, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+func (f *frameworkImpl) runFilterPlugin(ctx context.Context, pl fwk.FilterPlugin, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.Filter(ctx, state, pod, nodeInfo)
 	}
@@ -941,7 +1077,7 @@ func (f *frameworkImpl) runFilterPlugin(ctx context.Context, pl framework.Filter
 
 // RunPostFilterPlugins runs the set of configured PostFilter plugins until the first
 // Success, Error or UnschedulableAndUnresolvable is met; otherwise continues to execute all plugins.
-func (f *frameworkImpl) RunPostFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap framework.NodeToStatusReader) (_ *framework.PostFilterResult, status *fwk.Status) {
+func (f *frameworkImpl) RunPostFilterPlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap fwk.NodeToStatusReader) (_ *fwk.PostFilterResult, status *fwk.Status) {
 	startTime := time.Now()
 	defer func() {
 		metrics.FrameworkExtensionPointDuration.WithLabelValues(metrics.PostFilter, status.Code().String(), f.profileName).Observe(metrics.SinceInSeconds(startTime))
@@ -954,7 +1090,7 @@ func (f *frameworkImpl) RunPostFilterPlugins(ctx context.Context, state fwk.Cycl
 	}
 
 	// `result` records the last meaningful(non-noop) PostFilterResult.
-	var result *framework.PostFilterResult
+	var result *fwk.PostFilterResult
 	var reasons []string
 	var rejectorPlugin string
 	for _, pl := range f.postFilterPlugins {
@@ -971,7 +1107,7 @@ func (f *frameworkImpl) RunPostFilterPlugins(ctx context.Context, state fwk.Cycl
 		} else if !s.IsRejected() {
 			// Any status other than Success, Unschedulable or UnschedulableAndUnresolvable is Error.
 			return nil, fwk.AsStatus(s.AsError()).WithPlugin(pl.Name())
-		} else if r != nil && r.Mode() != framework.ModeNoop {
+		} else if r != nil && r.Mode() != fwk.ModeNoop {
 			result = r
 		}
 
@@ -986,7 +1122,7 @@ func (f *frameworkImpl) RunPostFilterPlugins(ctx context.Context, state fwk.Cycl
 	return result, fwk.NewStatus(fwk.Unschedulable, reasons...).WithPlugin(rejectorPlugin)
 }
 
-func (f *frameworkImpl) runPostFilterPlugin(ctx context.Context, pl framework.PostFilterPlugin, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (f *frameworkImpl) runPostFilterPlugin(ctx context.Context, pl fwk.PostFilterPlugin, state fwk.CycleState, pod *v1.Pod, filteredNodeStatusMap fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PostFilter(ctx, state, pod, filteredNodeStatusMap)
 	}
@@ -1056,7 +1192,7 @@ func (f *frameworkImpl) RunFilterPluginsWithNominatedPods(ctx context.Context, s
 // addGENominatedPods adds pods with equal or greater priority which are nominated
 // to run on the node. It returns 1) whether any pod was added, 2) augmented cycleState,
 // 3) augmented nodeInfo.
-func addGENominatedPods(ctx context.Context, fh framework.Handle, pod *v1.Pod, state fwk.CycleState, nodeInfo fwk.NodeInfo) (bool, fwk.CycleState, fwk.NodeInfo, error) {
+func addGENominatedPods(ctx context.Context, fh fwk.Handle, pod *v1.Pod, state fwk.CycleState, nodeInfo fwk.NodeInfo) (bool, fwk.CycleState, fwk.NodeInfo, error) {
 	if fh == nil {
 		// This may happen only in tests.
 		return false, state, nodeInfo, nil
@@ -1120,7 +1256,7 @@ func (f *frameworkImpl) RunPreScorePlugins(
 	return nil
 }
 
-func (f *frameworkImpl) runPreScorePlugin(ctx context.Context, pl framework.PreScorePlugin, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status {
+func (f *frameworkImpl) runPreScorePlugin(ctx context.Context, pl fwk.PreScorePlugin, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreScore(ctx, state, pod, nodes)
 	}
@@ -1134,21 +1270,21 @@ func (f *frameworkImpl) runPreScorePlugin(ctx context.Context, pl framework.PreS
 // It returns a list that stores scores from each plugin and total score for each Node.
 // It also returns *Status, which is set to non-success if any of the plugins returns
 // a non-success status.
-func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (ns []framework.NodePluginScores, status *fwk.Status) {
+func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (ns []fwk.NodePluginScores, status *fwk.Status) {
 	startTime := time.Now()
 	defer func() {
 		metrics.FrameworkExtensionPointDuration.WithLabelValues(metrics.Score, status.Code().String(), f.profileName).Observe(metrics.SinceInSeconds(startTime))
 	}()
-	allNodePluginScores := make([]framework.NodePluginScores, len(nodes))
+	allNodePluginScores := make([]fwk.NodePluginScores, len(nodes))
 	numPlugins := len(f.scorePlugins)
-	plugins := make([]framework.ScorePlugin, 0, numPlugins)
-	pluginToNodeScores := make(map[string]framework.NodeScoreList, numPlugins)
+	plugins := make([]fwk.ScorePlugin, 0, numPlugins)
+	pluginToNodeScores := make(map[string]fwk.NodeScoreList, numPlugins)
 	for _, pl := range f.scorePlugins {
 		if state.GetSkipScorePlugins().Has(pl.Name()) {
 			continue
 		}
 		plugins = append(plugins, pl)
-		pluginToNodeScores[pl.Name()] = make(framework.NodeScoreList, len(nodes))
+		pluginToNodeScores[pl.Name()] = make(fwk.NodeScoreList, len(nodes))
 	}
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -1180,7 +1316,7 @@ func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleStat
 					errCh.SendErrorWithCancel(err, cancel)
 					return
 				}
-				pluginToNodeScores[pl.Name()][index] = framework.NodeScore{
+				pluginToNodeScores[pl.Name()][index] = fwk.NodeScore{
 					Name:  nodeName,
 					Score: s,
 				}
@@ -1212,9 +1348,9 @@ func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleStat
 	// Apply score weight for each ScorePlugin in parallel,
 	// and then, build allNodePluginScores.
 	f.Parallelizer().Until(ctx, len(nodes), func(index int) {
-		nodePluginScores := framework.NodePluginScores{
+		nodePluginScores := fwk.NodePluginScores{
 			Name:   nodes[index].Node().Name,
-			Scores: make([]framework.PluginScore, len(plugins)),
+			Scores: make([]fwk.PluginScore, len(plugins)),
 		}
 
 		for i, pl := range plugins {
@@ -1222,13 +1358,13 @@ func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleStat
 			nodeScoreList := pluginToNodeScores[pl.Name()]
 			score := nodeScoreList[index].Score
 
-			if score > framework.MaxNodeScore || score < framework.MinNodeScore {
-				err := fmt.Errorf("plugin %q returns an invalid score %v, it should in the range of [%v, %v] after normalizing", pl.Name(), score, framework.MinNodeScore, framework.MaxNodeScore)
+			if score > fwk.MaxNodeScore || score < fwk.MinNodeScore {
+				err := fmt.Errorf("plugin %q returns an invalid score %v, it should in the range of [%v, %v] after normalizing", pl.Name(), score, fwk.MinNodeScore, fwk.MaxNodeScore)
 				errCh.SendErrorWithCancel(err, cancel)
 				return
 			}
 			weightedScore := score * int64(weight)
-			nodePluginScores.Scores[i] = framework.PluginScore{
+			nodePluginScores.Scores[i] = fwk.PluginScore{
 				Name:  pl.Name(),
 				Score: weightedScore,
 			}
@@ -1243,7 +1379,7 @@ func (f *frameworkImpl) RunScorePlugins(ctx context.Context, state fwk.CycleStat
 	return allNodePluginScores, nil
 }
 
-func (f *frameworkImpl) runScorePlugin(ctx context.Context, pl framework.ScorePlugin, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
+func (f *frameworkImpl) runScorePlugin(ctx context.Context, pl fwk.ScorePlugin, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.Score(ctx, state, pod, nodeInfo)
 	}
@@ -1253,7 +1389,7 @@ func (f *frameworkImpl) runScorePlugin(ctx context.Context, pl framework.ScorePl
 	return s, status
 }
 
-func (f *frameworkImpl) runScoreExtension(ctx context.Context, pl framework.ScorePlugin, state fwk.CycleState, pod *v1.Pod, nodeScoreList framework.NodeScoreList) *fwk.Status {
+func (f *frameworkImpl) runScoreExtension(ctx context.Context, pl fwk.ScorePlugin, state fwk.CycleState, pod *v1.Pod, nodeScoreList fwk.NodeScoreList) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.ScoreExtensions().NormalizeScore(ctx, state, pod, nodeScoreList)
 	}
@@ -1263,6 +1399,14 @@ func (f *frameworkImpl) runScoreExtension(ctx context.Context, pl framework.Scor
 	return status
 }
 
+func (f *frameworkImpl) GetNodeHint(ctx context.Context, pod *v1.Pod, state fwk.CycleState, cycleCount int64) (hint string, signature fwk.PodSignature) {
+	return f.batch.GetNodeHint(ctx, pod, state, cycleCount)
+}
+
+func (f *frameworkImpl) StoreScheduleResults(ctx context.Context, signature fwk.PodSignature, hintedNode, chosenNode string, otherNodes framework.SortedScoredNodes, cycleCount int64) {
+	f.batch.StoreScheduleResults(ctx, signature, hintedNode, chosenNode, otherNodes, cycleCount)
+}
+
 // RunPreBindPlugins runs the set of configured prebind plugins. It returns a
 // failure (bool) if any of the plugins returns an error. It also returns an
 // error containing the rejection message or the error occurred in the plugin.
@@ -1302,7 +1446,7 @@ func (f *frameworkImpl) RunPreBindPlugins(ctx context.Context, state fwk.CycleSt
 	return nil
 }
 
-func (f *frameworkImpl) runPreBindPlugin(ctx context.Context, pl framework.PreBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
+func (f *frameworkImpl) runPreBindPlugin(ctx context.Context, pl fwk.PreBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreBind(ctx, state, pod, nodeName)
 	}
@@ -1356,7 +1500,7 @@ func (f *frameworkImpl) RunPreBindPreFlights(ctx context.Context, state fwk.Cycl
 	return returningStatus
 }
 
-func (f *frameworkImpl) runPreBindPreFlight(ctx context.Context, pl framework.PreBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
+func (f *frameworkImpl) runPreBindPreFlight(ctx context.Context, pl fwk.PreBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.PreBindPreFlight(ctx, state, pod, nodeName)
 	}
@@ -1405,7 +1549,7 @@ func (f *frameworkImpl) RunBindPlugins(ctx context.Context, state fwk.CycleState
 	return status
 }
 
-func (f *frameworkImpl) runBindPlugin(ctx context.Context, bp framework.BindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
+func (f *frameworkImpl) runBindPlugin(ctx context.Context, bp fwk.BindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return bp.Bind(ctx, state, pod, nodeName)
 	}
@@ -1436,7 +1580,7 @@ func (f *frameworkImpl) RunPostBindPlugins(ctx context.Context, state fwk.CycleS
 	}
 }
 
-func (f *frameworkImpl) runPostBindPlugin(ctx context.Context, pl framework.PostBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) {
+func (f *frameworkImpl) runPostBindPlugin(ctx context.Context, pl fwk.PostBindPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) {
 	if !state.ShouldRecordPluginMetrics() {
 		pl.PostBind(ctx, state, pod, nodeName)
 		return
@@ -1483,7 +1627,7 @@ func (f *frameworkImpl) RunReservePluginsReserve(ctx context.Context, state fwk.
 	return nil
 }
 
-func (f *frameworkImpl) runReservePluginReserve(ctx context.Context, pl framework.ReservePlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
+func (f *frameworkImpl) runReservePluginReserve(ctx context.Context, pl fwk.ReservePlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) *fwk.Status {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.Reserve(ctx, state, pod, nodeName)
 	}
@@ -1519,7 +1663,7 @@ func (f *frameworkImpl) RunReservePluginsUnreserve(ctx context.Context, state fw
 	}
 }
 
-func (f *frameworkImpl) runReservePluginUnreserve(ctx context.Context, pl framework.ReservePlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) {
+func (f *frameworkImpl) runReservePluginUnreserve(ctx context.Context, pl fwk.ReservePlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) {
 	if !state.ShouldRecordPluginMetrics() {
 		pl.Unreserve(ctx, state, pod, nodeName)
 		return
@@ -1584,7 +1728,7 @@ func (f *frameworkImpl) RunPermitPlugins(ctx context.Context, state fwk.CycleSta
 	return nil
 }
 
-func (f *frameworkImpl) runPermitPlugin(ctx context.Context, pl framework.PermitPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) (*fwk.Status, time.Duration) {
+func (f *frameworkImpl) runPermitPlugin(ctx context.Context, pl fwk.PermitPlugin, state fwk.CycleState, pod *v1.Pod, nodeName string) (*fwk.Status, time.Duration) {
 	if !state.ShouldRecordPluginMetrics() {
 		return pl.Permit(ctx, state, pod, nodeName)
 	}
@@ -1629,17 +1773,17 @@ func (f *frameworkImpl) WaitOnPermit(ctx context.Context, pod *v1.Pod) *fwk.Stat
 // snapshot. The snapshot is taken at the beginning of a scheduling cycle and remains
 // unchanged until a pod finishes "Reserve". There is no guarantee that the information
 // remains unchanged after "Reserve".
-func (f *frameworkImpl) SnapshotSharedLister() framework.SharedLister {
+func (f *frameworkImpl) SnapshotSharedLister() fwk.SharedLister {
 	return f.snapshotSharedLister
 }
 
 // IterateOverWaitingPods acquires a read lock and iterates over the WaitingPods map.
-func (f *frameworkImpl) IterateOverWaitingPods(callback func(framework.WaitingPod)) {
+func (f *frameworkImpl) IterateOverWaitingPods(callback func(fwk.WaitingPod)) {
 	f.waitingPods.iterate(callback)
 }
 
 // GetWaitingPod returns a reference to a WaitingPod given its UID.
-func (f *frameworkImpl) GetWaitingPod(uid types.UID) framework.WaitingPod {
+func (f *frameworkImpl) GetWaitingPod(uid types.UID) fwk.WaitingPod {
 	if wp := f.waitingPods.get(uid); wp != nil {
 		return wp
 	}
@@ -1681,7 +1825,7 @@ func (f *frameworkImpl) ListPlugins() *config.Plugins {
 		extName := plugins.Type().Elem().Name()
 		var cfgs []config.Plugin
 		for i := 0; i < plugins.Len(); i++ {
-			name := plugins.Index(i).Interface().(framework.Plugin).Name()
+			name := plugins.Index(i).Interface().(fwk.Plugin).Name()
 			p := config.Plugin{Name: name}
 			if extName == "ScorePlugin" {
 				// Weights apply only to score plugins.
@@ -1717,10 +1861,20 @@ func (f *frameworkImpl) SharedInformerFactory() informers.SharedInformerFactory
 }
 
 // SharedDRAManager returns the SharedDRAManager of the framework.
-func (f *frameworkImpl) SharedDRAManager() framework.SharedDRAManager {
+func (f *frameworkImpl) SharedDRAManager() fwk.SharedDRAManager {
 	return f.sharedDRAManager
 }
 
+// SharedCSIManager returns the SharedCSIManager of the framework.
+func (f *frameworkImpl) SharedCSIManager() fwk.CSIManager {
+	return f.sharedCSIManager
+}
+
+// WorkloadManager returns the WorkloadManager of the framework.
+func (f *frameworkImpl) WorkloadManager() fwk.WorkloadManager {
+	return f.workloadManager
+}
+
 func (f *frameworkImpl) pluginsNeeded(plugins *config.Plugins) sets.Set[string] {
 	pgSet := sets.Set[string]{}
 
@@ -1754,7 +1908,7 @@ func (f *frameworkImpl) PercentageOfNodesToScore() *int32 {
 }
 
 // Parallelizer returns a parallelizer holding parallelism for scheduler.
-func (f *frameworkImpl) Parallelizer() parallelize.Parallelizer {
+func (f *frameworkImpl) Parallelizer() fwk.Parallelizer {
 	return f.parallelizer
 }
 
@@ -1770,9 +1924,14 @@ func (f *frameworkImpl) APIDispatcher() fwk.APIDispatcher {
 // APICacher returns an apiCacher that can be used to dispatch API calls through scheduler's cache
 // instead of directly using APIDispatcher().
 // This requires SchedulerAsyncAPICalls feature gate to be enabled.
-func (f *frameworkImpl) APICacher() framework.APICacher {
+func (f *frameworkImpl) APICacher() fwk.APICacher {
 	if f.apiCacher == nil {
 		return nil
 	}
 	return f.apiCacher
 }
+
+// Used only for tests
+func (f *frameworkImpl) TotalBatchedPods() int64 {
+	return f.batch.batchedPods
+}
diff --git a/pkg/scheduler/framework/runtime/framework_test.go b/pkg/scheduler/framework/runtime/framework_test.go
index ecef4453bc29b..5bdf95e52f66f 100644
--- a/pkg/scheduler/framework/runtime/framework_test.go
+++ b/pkg/scheduler/framework/runtime/framework_test.go
@@ -74,8 +74,8 @@ func init() {
 
 // TestScoreWithNormalizePlugin implements ScoreWithNormalizePlugin interface.
 // TestScorePlugin only implements ScorePlugin interface.
-var _ framework.ScorePlugin = &TestScoreWithNormalizePlugin{}
-var _ framework.ScorePlugin = &TestScorePlugin{}
+var _ fwk.ScorePlugin = &TestScoreWithNormalizePlugin{}
+var _ fwk.ScorePlugin = &TestScorePlugin{}
 
 var statusCmpOpts = []cmp.Option{
 	cmp.Comparer(func(s1 *fwk.Status, s2 *fwk.Status) bool {
@@ -89,7 +89,7 @@ var statusCmpOpts = []cmp.Option{
 	}),
 }
 
-func newScoreWithNormalizePlugin1(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newScoreWithNormalizePlugin1(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	var inj injectedResult
 	if err := DecodeInto(injArgs, &inj); err != nil {
 		return nil, err
@@ -97,7 +97,7 @@ func newScoreWithNormalizePlugin1(_ context.Context, injArgs runtime.Object, f f
 	return &TestScoreWithNormalizePlugin{scoreWithNormalizePlugin1, inj}, nil
 }
 
-func newScoreWithNormalizePlugin2(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newScoreWithNormalizePlugin2(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	var inj injectedResult
 	if err := DecodeInto(injArgs, &inj); err != nil {
 		return nil, err
@@ -105,7 +105,7 @@ func newScoreWithNormalizePlugin2(_ context.Context, injArgs runtime.Object, f f
 	return &TestScoreWithNormalizePlugin{scoreWithNormalizePlugin2, inj}, nil
 }
 
-func newScorePlugin1(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newScorePlugin1(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	var inj injectedResult
 	if err := DecodeInto(injArgs, &inj); err != nil {
 		return nil, err
@@ -113,7 +113,7 @@ func newScorePlugin1(_ context.Context, injArgs runtime.Object, f framework.Hand
 	return &TestScorePlugin{scorePlugin1, inj}, nil
 }
 
-func newScorePlugin2(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newScorePlugin2(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	var inj injectedResult
 	if err := DecodeInto(injArgs, &inj); err != nil {
 		return nil, err
@@ -121,7 +121,7 @@ func newScorePlugin2(_ context.Context, injArgs runtime.Object, f framework.Hand
 	return &TestScorePlugin{scorePlugin2, inj}, nil
 }
 
-func newPluginNotImplementingScore(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newPluginNotImplementingScore(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &PluginNotImplementingScore{}, nil
 }
 
@@ -134,7 +134,7 @@ func (pl *TestScoreWithNormalizePlugin) Name() string {
 	return pl.name
 }
 
-func (pl *TestScoreWithNormalizePlugin) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
+func (pl *TestScoreWithNormalizePlugin) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
 	return injectNormalizeRes(pl.inj, scores)
 }
 
@@ -142,7 +142,7 @@ func (pl *TestScoreWithNormalizePlugin) Score(ctx context.Context, state fwk.Cyc
 	return setScoreRes(pl.inj)
 }
 
-func (pl *TestScoreWithNormalizePlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *TestScoreWithNormalizePlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
@@ -164,7 +164,7 @@ func (pl *TestScorePlugin) Score(ctx context.Context, state fwk.CycleState, p *v
 	return setScoreRes(pl.inj)
 }
 
-func (pl *TestScorePlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *TestScorePlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -175,7 +175,7 @@ func (pl *PluginNotImplementingScore) Name() string {
 	return pluginNotImplementingScore
 }
 
-func newTestPlugin(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newTestPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	return &TestPlugin{name: testPlugin}, nil
 }
 
@@ -204,15 +204,15 @@ func (pl *TestPlugin) Score(ctx context.Context, state fwk.CycleState, p *v1.Pod
 	return 0, fwk.NewStatus(fwk.Code(pl.inj.ScoreStatus), injectReason)
 }
 
-func (pl *TestPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *TestPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
-func (pl *TestPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *TestPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	return pl.inj.PreFilterResult, fwk.NewStatus(fwk.Code(pl.inj.PreFilterStatus), injectReason)
 }
 
-func (pl *TestPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *TestPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
@@ -220,7 +220,7 @@ func (pl *TestPlugin) Filter(ctx context.Context, state fwk.CycleState, pod *v1.
 	return fwk.NewStatus(fwk.Code(pl.inj.FilterStatus), injectFilterReason)
 }
 
-func (pl *TestPlugin) PostFilter(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _ framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (pl *TestPlugin) PostFilter(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _ fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	return nil, fwk.NewStatus(fwk.Code(pl.inj.PostFilterStatus), injectReason)
 }
 
@@ -254,7 +254,7 @@ func (pl *TestPlugin) Bind(ctx context.Context, state fwk.CycleState, p *v1.Pod,
 	return fwk.NewStatus(fwk.Code(pl.inj.BindStatus), injectReason)
 }
 
-func newTestCloseErrorPlugin(_ context.Context, injArgs runtime.Object, f framework.Handle) (framework.Plugin, error) {
+func newTestCloseErrorPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 	return &TestCloseErrorPlugin{name: testCloseErrorPlugin}, nil
 }
 
@@ -282,12 +282,12 @@ func (pl *TestPreFilterPlugin) Name() string {
 	return preFilterPluginName
 }
 
-func (pl *TestPreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *TestPreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	pl.PreFilterCalled++
 	return nil, nil
 }
 
-func (pl *TestPreFilterPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *TestPreFilterPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -302,7 +302,7 @@ func (pl *TestPreFilterWithExtensionsPlugin) Name() string {
 	return preFilterWithExtensionsPluginName
 }
 
-func (pl *TestPreFilterWithExtensionsPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *TestPreFilterWithExtensionsPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	pl.PreFilterCalled++
 	return nil, nil
 }
@@ -319,7 +319,7 @@ func (pl *TestPreFilterWithExtensionsPlugin) RemovePod(ctx context.Context, stat
 	return nil
 }
 
-func (pl *TestPreFilterWithExtensionsPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *TestPreFilterWithExtensionsPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return pl
 }
 
@@ -330,17 +330,17 @@ func (dp *TestDuplicatePlugin) Name() string {
 	return duplicatePluginName
 }
 
-func (dp *TestDuplicatePlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (dp *TestDuplicatePlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	return nil, nil
 }
 
-func (dp *TestDuplicatePlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (dp *TestDuplicatePlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
-var _ framework.PreFilterPlugin = &TestDuplicatePlugin{}
+var _ fwk.PreFilterPlugin = &TestDuplicatePlugin{}
 
-func newDuplicatePlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newDuplicatePlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &TestDuplicatePlugin{}, nil
 }
 
@@ -356,7 +356,7 @@ func (pp *TestPermitPlugin) Permit(ctx context.Context, state fwk.CycleState, p
 	return fwk.NewStatus(fwk.Wait), 10 * time.Second
 }
 
-var _ framework.PreEnqueuePlugin = &TestPreEnqueuePlugin{}
+var _ fwk.PreEnqueuePlugin = &TestPreEnqueuePlugin{}
 
 type TestPreEnqueuePlugin struct{}
 
@@ -368,9 +368,9 @@ func (pl *TestPreEnqueuePlugin) PreEnqueue(ctx context.Context, p *v1.Pod) *fwk.
 	return nil
 }
 
-var _ framework.QueueSortPlugin = &TestQueueSortPlugin{}
+var _ fwk.QueueSortPlugin = &TestQueueSortPlugin{}
 
-func newQueueSortPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newQueueSortPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &TestQueueSortPlugin{}, nil
 }
 
@@ -385,9 +385,9 @@ func (pl *TestQueueSortPlugin) Less(_, _ fwk.QueuedPodInfo) bool {
 	return false
 }
 
-var _ framework.BindPlugin = &TestBindPlugin{}
+var _ fwk.BindPlugin = &TestBindPlugin{}
 
-func newBindPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newBindPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &TestBindPlugin{}, nil
 }
 
@@ -945,18 +945,18 @@ func TestNewFrameworkMultiPointExpansion(t *testing.T) {
 func TestPreEnqueuePlugins(t *testing.T) {
 	tests := []struct {
 		name    string
-		plugins []framework.Plugin
-		want    []framework.PreEnqueuePlugin
+		plugins []fwk.Plugin
+		want    []fwk.PreEnqueuePlugin
 	}{
 		{
 			name: "no PreEnqueuePlugin registered",
 		},
 		{
 			name: "one PreEnqueuePlugin registered",
-			plugins: []framework.Plugin{
+			plugins: []fwk.Plugin{
 				&TestPreEnqueuePlugin{},
 			},
-			want: []framework.PreEnqueuePlugin{
+			want: []fwk.PreEnqueuePlugin{
 				&TestPreEnqueuePlugin{},
 			},
 		},
@@ -971,7 +971,7 @@ func TestPreEnqueuePlugins(t *testing.T) {
 				// register all plugins
 				tmpPl := pl
 				if err := registry.Register(pl.Name(),
-					func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 						return tmpPl, nil
 					}); err != nil {
 					t.Fatalf("fail to register preEnqueue plugin (%s)", pl.Name())
@@ -1096,7 +1096,7 @@ func TestRunPreScorePlugins(t *testing.T) {
 			for i, p := range tt.plugins {
 				p := p
 				enabled[i].Name = p.name
-				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return p, nil
 				}); err != nil {
 					t.Fatalf("fail to register PreScorePlugins plugin (%s)", p.Name())
@@ -1137,7 +1137,7 @@ func TestRunScorePlugins(t *testing.T) {
 		registry       Registry
 		plugins        *config.Plugins
 		pluginConfigs  []config.PluginConfig
-		want           []framework.NodePluginScores
+		want           []fwk.NodePluginScores
 		skippedPlugins sets.Set[string]
 		// If err is true, we expect RunScorePlugin to fail.
 		err bool
@@ -1145,14 +1145,14 @@ func TestRunScorePlugins(t *testing.T) {
 		{
 			name:    "no Score plugins",
 			plugins: buildScoreConfigDefaultWeights(),
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name:   "node1",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 				{
 					Name:   "node2",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 			},
 		},
@@ -1168,10 +1168,10 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 			},
 			// scorePlugin1 Score returns 1, weight=1, so want=1.
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1181,7 +1181,7 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1204,10 +1204,10 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 			},
 			// scoreWithNormalizePlugin1 Score returns 10, but NormalizeScore overrides to 5, weight=1, so want=5
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scoreWithNormalizePlugin1,
 							Score: 5,
@@ -1217,7 +1217,7 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scoreWithNormalizePlugin1,
 							Score: 5,
@@ -1253,10 +1253,10 @@ func TestRunScorePlugins(t *testing.T) {
 			// scorePlugin1 Score returns 1, weight =1, so want=1.
 			// scoreWithNormalizePlugin1 Score returns 3, but NormalizeScore overrides to 4, weight=1, so want=4.
 			// scoreWithNormalizePlugin2 Score returns 4, but NormalizeScore overrides to 5, weight=2, so want=10.
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1274,7 +1274,7 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1325,7 +1325,7 @@ func TestRunScorePlugins(t *testing.T) {
 				{
 					Name: scorePlugin1,
 					Args: &runtime.Unknown{
-						Raw: []byte(fmt.Sprintf(`{ "scoreRes": %d }`, framework.MaxNodeScore+1)),
+						Raw: []byte(fmt.Sprintf(`{ "scoreRes": %d }`, fwk.MaxNodeScore+1)),
 					},
 				},
 			},
@@ -1338,7 +1338,7 @@ func TestRunScorePlugins(t *testing.T) {
 				{
 					Name: scorePlugin1,
 					Args: &runtime.Unknown{
-						Raw: []byte(fmt.Sprintf(`{ "scoreRes": %d }`, framework.MinNodeScore-1)),
+						Raw: []byte(fmt.Sprintf(`{ "scoreRes": %d }`, fwk.MinNodeScore-1)),
 					},
 				},
 			},
@@ -1351,7 +1351,7 @@ func TestRunScorePlugins(t *testing.T) {
 				{
 					Name: scoreWithNormalizePlugin1,
 					Args: &runtime.Unknown{
-						Raw: []byte(fmt.Sprintf(`{ "normalizeRes": %d }`, framework.MaxNodeScore+1)),
+						Raw: []byte(fmt.Sprintf(`{ "normalizeRes": %d }`, fwk.MaxNodeScore+1)),
 					},
 				},
 			},
@@ -1364,7 +1364,7 @@ func TestRunScorePlugins(t *testing.T) {
 				{
 					Name: scoreWithNormalizePlugin1,
 					Args: &runtime.Unknown{
-						Raw: []byte(fmt.Sprintf(`{ "normalizeRes": %d }`, framework.MinNodeScore-1)),
+						Raw: []byte(fmt.Sprintf(`{ "normalizeRes": %d }`, fwk.MinNodeScore-1)),
 					},
 				},
 			},
@@ -1393,10 +1393,10 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 			},
 			// scorePlugin1 Score returns 1, weight=3, so want=3.
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 3,
@@ -1406,7 +1406,7 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 3,
@@ -1434,10 +1434,10 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 			},
 			skippedPlugins: sets.New(scoreWithNormalizePlugin1),
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1447,7 +1447,7 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  scorePlugin1,
 							Score: 1,
@@ -1469,14 +1469,14 @@ func TestRunScorePlugins(t *testing.T) {
 				},
 			},
 			skippedPlugins: sets.New(scorePlugin1),
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name:   "node1",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 				{
 					Name:   "node2",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 			},
 		},
@@ -1485,14 +1485,14 @@ func TestRunScorePlugins(t *testing.T) {
 			plugins:        buildScoreConfigDefaultWeights(scorePlugin1),
 			pluginConfigs:  nil,
 			skippedPlugins: sets.New(scorePlugin1, "score-plugin-unknown"),
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name:   "node1",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 				{
 					Name:   "node2",
-					Scores: []framework.PluginScore{},
+					Scores: []fwk.PluginScore{},
 				},
 			},
 		},
@@ -1542,11 +1542,11 @@ func TestPreFilterPlugins(t *testing.T) {
 	preFilter2 := &TestPreFilterWithExtensionsPlugin{}
 	r := make(Registry)
 	r.Register(preFilterPluginName,
-		func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+		func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 			return preFilter1, nil
 		})
 	r.Register(preFilterWithExtensionsPluginName,
-		func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+		func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 			return preFilter2, nil
 		})
 	plugins := &config.Plugins{PreFilter: config.PluginSet{Enabled: []config.Plugin{{Name: preFilterWithExtensionsPluginName}, {Name: preFilterPluginName}}}}
@@ -1587,7 +1587,7 @@ func TestRunPreFilterPlugins(t *testing.T) {
 	tests := []struct {
 		name                string
 		plugins             []*TestPlugin
-		wantPreFilterResult *framework.PreFilterResult
+		wantPreFilterResult *fwk.PreFilterResult
 		wantSkippedPlugins  sets.Set[string]
 		wantStatusCode      fwk.Code
 	}{
@@ -1713,7 +1713,7 @@ func TestRunPreFilterPlugins(t *testing.T) {
 			plugins: []*TestPlugin{
 				{
 					name: "reject-all-nodes",
-					inj:  injectedResult{PreFilterResult: &framework.PreFilterResult{NodeNames: sets.New[string]()}},
+					inj:  injectedResult{PreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New[string]()}},
 				},
 				{
 					// to make sure this plugin is not executed, this plugin return Skip and we confirm it via wantSkippedPlugins.
@@ -1721,7 +1721,7 @@ func TestRunPreFilterPlugins(t *testing.T) {
 					inj:  injectedResult{PreFilterStatus: int(fwk.Skip)},
 				},
 			},
-			wantPreFilterResult: &framework.PreFilterResult{NodeNames: sets.New[string]()},
+			wantPreFilterResult: &fwk.PreFilterResult{NodeNames: sets.New[string]()},
 			wantSkippedPlugins:  sets.New[string](), // "skip" plugin isn't executed.
 			wantStatusCode:      fwk.UnschedulableAndUnresolvable,
 		},
@@ -1733,7 +1733,7 @@ func TestRunPreFilterPlugins(t *testing.T) {
 			for i, p := range tt.plugins {
 				p := p
 				enabled[i].Name = p.name
-				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return p, nil
 				}); err != nil {
 					t.Fatalf("fail to register PreFilter plugin (%s)", p.Name())
@@ -1828,7 +1828,7 @@ func TestRunPreFilterExtensionRemovePod(t *testing.T) {
 			for i, p := range tt.plugins {
 				p := p
 				enabled[i].Name = p.name
-				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return p, nil
 				}); err != nil {
 					t.Fatalf("fail to register PreFilterExtension plugin (%s)", p.Name())
@@ -1916,7 +1916,7 @@ func TestRunPreFilterExtensionAddPod(t *testing.T) {
 			for i, p := range tt.plugins {
 				p := p
 				enabled[i].Name = p.name
-				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				if err := r.Register(p.name, func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return p, nil
 				}); err != nil {
 					t.Fatalf("fail to register PreFilterExtension plugin (%s)", p.Name())
@@ -2125,7 +2125,7 @@ func TestFilterPlugins(t *testing.T) {
 				// register all plugins
 				tmpPl := pl
 				if err := registry.Register(pl.name,
-					func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 						return tmpPl, nil
 					}); err != nil {
 					t.Fatalf("fail to register filter plugin (%s)", pl.name)
@@ -2253,7 +2253,7 @@ func TestPostFilterPlugins(t *testing.T) {
 				// register all plugins
 				tmpPl := pl
 				if err := registry.Register(pl.name,
-					func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 						return tmpPl, nil
 					}); err != nil {
 					t.Fatalf("fail to register postFilter plugin (%s)", pl.name)
@@ -2389,7 +2389,7 @@ func TestFilterPluginsWithNominatedPods(t *testing.T) {
 
 			if tt.preFilterPlugin != nil {
 				if err := registry.Register(tt.preFilterPlugin.name,
-					func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 						return tt.preFilterPlugin, nil
 					}); err != nil {
 					t.Fatalf("fail to register preFilter plugin (%s)", tt.preFilterPlugin.name)
@@ -2401,7 +2401,7 @@ func TestFilterPluginsWithNominatedPods(t *testing.T) {
 			}
 			if tt.filterPlugin != nil {
 				if err := registry.Register(tt.filterPlugin.name,
-					func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 						return tt.filterPlugin, nil
 					}); err != nil {
 					t.Fatalf("fail to register filter plugin (%s)", tt.filterPlugin.name)
@@ -2430,7 +2430,7 @@ func TestFilterPluginsWithNominatedPods(t *testing.T) {
 				podNominator.AddNominatedPod(
 					logger,
 					mustNewPodInfo(t, tt.nominatedPod),
-					&framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: nodeName})
+					&fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: nodeName})
 			}
 			profile := config.KubeSchedulerProfile{Plugins: cfgPls}
 			ctx, cancel := context.WithCancel(ctx)
@@ -2582,7 +2582,7 @@ func TestPreBindPlugins(t *testing.T) {
 
 			for _, pl := range tt.plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("Unable to register pre bind plugins: %s", pl.name)
@@ -2686,7 +2686,7 @@ func TestPreBindPreFlightPlugins(t *testing.T) {
 
 			for _, pl := range tt.plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("Unable to register pre bind plugins: %s", pl.name)
@@ -2848,7 +2848,7 @@ func TestReservePlugins(t *testing.T) {
 
 			for _, pl := range tt.plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("Unable to register pre bind plugins: %s", pl.name)
@@ -2978,7 +2978,7 @@ func TestPermitPlugins(t *testing.T) {
 
 			for _, pl := range tt.plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.name, func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("Unable to register Permit plugin: %s", pl.name)
@@ -3153,7 +3153,7 @@ func TestRecordingMetrics(t *testing.T) {
 			plugin := &TestPlugin{name: testPlugin, inj: tt.inject}
 			r := make(Registry)
 			r.Register(testPlugin,
-				func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return plugin, nil
 				})
 			pluginSet := config.PluginSet{Enabled: []config.Plugin{{Name: testPlugin, Weight: 1}}}
@@ -3280,7 +3280,7 @@ func TestRunBindPlugins(t *testing.T) {
 				name := fmt.Sprintf("bind-%d", i)
 				plugin := &TestPlugin{name: name, inj: injectedResult{BindStatus: int(inj)}}
 				r.Register(name,
-					func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+					func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 						return plugin, nil
 					})
 				pluginSet.Enabled = append(pluginSet.Enabled, config.Plugin{Name: name})
@@ -3342,7 +3342,7 @@ func TestPermitWaitDurationMetric(t *testing.T) {
 			plugin := &TestPlugin{name: testPlugin, inj: tt.inject}
 			r := make(Registry)
 			err := r.Register(testPlugin,
-				func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return plugin, nil
 				})
 			if err != nil {
@@ -3407,7 +3407,7 @@ func TestWaitOnPermit(t *testing.T) {
 			testPermitPlugin := &TestPermitPlugin{}
 			r := make(Registry)
 			r.Register(permitPlugin,
-				func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return testPermitPlugin, nil
 				})
 			plugins := &config.Plugins{
@@ -3550,22 +3550,22 @@ func buildScoreConfigWithWeights(weights map[string]int32, ps ...string) *config
 }
 
 type injectedResult struct {
-	ScoreRes                 int64                      `json:"scoreRes,omitempty"`
-	NormalizeRes             int64                      `json:"normalizeRes,omitempty"`
-	ScoreStatus              int                        `json:"scoreStatus,omitempty"`
-	NormalizeStatus          int                        `json:"normalizeStatus,omitempty"`
-	PreFilterResult          *framework.PreFilterResult `json:"preFilterResult,omitempty"`
-	PreFilterStatus          int                        `json:"preFilterStatus,omitempty"`
-	PreFilterAddPodStatus    int                        `json:"preFilterAddPodStatus,omitempty"`
-	PreFilterRemovePodStatus int                        `json:"preFilterRemovePodStatus,omitempty"`
-	FilterStatus             int                        `json:"filterStatus,omitempty"`
-	PostFilterStatus         int                        `json:"postFilterStatus,omitempty"`
-	PreScoreStatus           int                        `json:"preScoreStatus,omitempty"`
-	ReserveStatus            int                        `json:"reserveStatus,omitempty"`
-	PreBindPreFlightStatus   int                        `json:"preBindPreFlightStatus,omitempty"`
-	PreBindStatus            int                        `json:"preBindStatus,omitempty"`
-	BindStatus               int                        `json:"bindStatus,omitempty"`
-	PermitStatus             int                        `json:"permitStatus,omitempty"`
+	ScoreRes                 int64                `json:"scoreRes,omitempty"`
+	NormalizeRes             int64                `json:"normalizeRes,omitempty"`
+	ScoreStatus              int                  `json:"scoreStatus,omitempty"`
+	NormalizeStatus          int                  `json:"normalizeStatus,omitempty"`
+	PreFilterResult          *fwk.PreFilterResult `json:"preFilterResult,omitempty"`
+	PreFilterStatus          int                  `json:"preFilterStatus,omitempty"`
+	PreFilterAddPodStatus    int                  `json:"preFilterAddPodStatus,omitempty"`
+	PreFilterRemovePodStatus int                  `json:"preFilterRemovePodStatus,omitempty"`
+	FilterStatus             int                  `json:"filterStatus,omitempty"`
+	PostFilterStatus         int                  `json:"postFilterStatus,omitempty"`
+	PreScoreStatus           int                  `json:"preScoreStatus,omitempty"`
+	ReserveStatus            int                  `json:"reserveStatus,omitempty"`
+	PreBindPreFlightStatus   int                  `json:"preBindPreFlightStatus,omitempty"`
+	PreBindStatus            int                  `json:"preBindStatus,omitempty"`
+	BindStatus               int                  `json:"bindStatus,omitempty"`
+	PermitStatus             int                  `json:"permitStatus,omitempty"`
 }
 
 func setScoreRes(inj injectedResult) (int64, *fwk.Status) {
@@ -3575,7 +3575,7 @@ func setScoreRes(inj injectedResult) (int64, *fwk.Status) {
 	return inj.ScoreRes, nil
 }
 
-func injectNormalizeRes(inj injectedResult, scores framework.NodeScoreList) *fwk.Status {
+func injectNormalizeRes(inj injectedResult, scores fwk.NodeScoreList) *fwk.Status {
 	if fwk.Code(inj.NormalizeStatus) != fwk.Success {
 		return fwk.NewStatus(fwk.Code(inj.NormalizeStatus), "injecting failure.")
 	}
diff --git a/pkg/scheduler/framework/runtime/instrumented_plugins.go b/pkg/scheduler/framework/runtime/instrumented_plugins.go
index 02d4dc04a2d8d..6e9e86650e778 100644
--- a/pkg/scheduler/framework/runtime/instrumented_plugins.go
+++ b/pkg/scheduler/framework/runtime/instrumented_plugins.go
@@ -22,16 +22,15 @@ import (
 	v1 "k8s.io/api/core/v1"
 	compbasemetrics "k8s.io/component-base/metrics"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 type instrumentedFilterPlugin struct {
-	framework.FilterPlugin
+	fwk.FilterPlugin
 
 	metric compbasemetrics.CounterMetric
 }
 
-var _ framework.FilterPlugin = &instrumentedFilterPlugin{}
+var _ fwk.FilterPlugin = &instrumentedFilterPlugin{}
 
 func (p *instrumentedFilterPlugin) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
 	p.metric.Inc()
@@ -39,14 +38,14 @@ func (p *instrumentedFilterPlugin) Filter(ctx context.Context, state fwk.CycleSt
 }
 
 type instrumentedPreFilterPlugin struct {
-	framework.PreFilterPlugin
+	fwk.PreFilterPlugin
 
 	metric compbasemetrics.CounterMetric
 }
 
-var _ framework.PreFilterPlugin = &instrumentedPreFilterPlugin{}
+var _ fwk.PreFilterPlugin = &instrumentedPreFilterPlugin{}
 
-func (p *instrumentedPreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (p *instrumentedPreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	result, status := p.PreFilterPlugin.PreFilter(ctx, state, pod, nodes)
 	if !status.IsSkip() {
 		p.metric.Inc()
@@ -55,12 +54,12 @@ func (p *instrumentedPreFilterPlugin) PreFilter(ctx context.Context, state fwk.C
 }
 
 type instrumentedPreScorePlugin struct {
-	framework.PreScorePlugin
+	fwk.PreScorePlugin
 
 	metric compbasemetrics.CounterMetric
 }
 
-var _ framework.PreScorePlugin = &instrumentedPreScorePlugin{}
+var _ fwk.PreScorePlugin = &instrumentedPreScorePlugin{}
 
 func (p *instrumentedPreScorePlugin) PreScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status {
 	status := p.PreScorePlugin.PreScore(ctx, state, pod, nodes)
@@ -71,12 +70,12 @@ func (p *instrumentedPreScorePlugin) PreScore(ctx context.Context, state fwk.Cyc
 }
 
 type instrumentedScorePlugin struct {
-	framework.ScorePlugin
+	fwk.ScorePlugin
 
 	metric compbasemetrics.CounterMetric
 }
 
-var _ framework.ScorePlugin = &instrumentedScorePlugin{}
+var _ fwk.ScorePlugin = &instrumentedScorePlugin{}
 
 func (p *instrumentedScorePlugin) Score(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
 	p.metric.Inc()
diff --git a/pkg/scheduler/framework/runtime/registry.go b/pkg/scheduler/framework/runtime/registry.go
index 8c5901ae52a75..dfff0bdc46b18 100644
--- a/pkg/scheduler/framework/runtime/registry.go
+++ b/pkg/scheduler/framework/runtime/registry.go
@@ -22,21 +22,21 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/json"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 	plfeature "k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"sigs.k8s.io/yaml"
 )
 
 // PluginFactory is a function that builds a plugin.
-type PluginFactory = func(ctx context.Context, configuration runtime.Object, f framework.Handle) (framework.Plugin, error)
+type PluginFactory = func(ctx context.Context, configuration runtime.Object, f fwk.Handle) (fwk.Plugin, error)
 
 // PluginFactoryWithFts is a function that builds a plugin with certain feature gates.
-type PluginFactoryWithFts[T framework.Plugin] func(context.Context, runtime.Object, framework.Handle, plfeature.Features) (T, error)
+type PluginFactoryWithFts[T fwk.Plugin] func(context.Context, runtime.Object, fwk.Handle, plfeature.Features) (T, error)
 
 // FactoryAdapter can be used to inject feature gates for a plugin that needs
 // them when the caller expects the older PluginFactory method.
-func FactoryAdapter[T framework.Plugin](fts plfeature.Features, withFts PluginFactoryWithFts[T]) PluginFactory {
-	return func(ctx context.Context, plArgs runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+func FactoryAdapter[T fwk.Plugin](fts plfeature.Features, withFts PluginFactoryWithFts[T]) PluginFactory {
+	return func(ctx context.Context, plArgs runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		return withFts(ctx, plArgs, fh, fts)
 	}
 }
diff --git a/pkg/scheduler/framework/runtime/registry_test.go b/pkg/scheduler/framework/runtime/registry_test.go
index 7f0d85c623158..5beb0de1f8e5e 100644
--- a/pkg/scheduler/framework/runtime/registry_test.go
+++ b/pkg/scheduler/framework/runtime/registry_test.go
@@ -24,7 +24,7 @@ import (
 	"github.com/google/uuid"
 
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	fwk "k8s.io/kube-scheduler/framework"
 )
 
 func TestDecodeInto(t *testing.T) {
@@ -110,7 +110,7 @@ func (p *mockNoopPlugin) Name() string {
 
 func NewMockNoopPluginFactory() PluginFactory {
 	uuid := uuid.New().String()
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &mockNoopPlugin{uuid}, nil
 	}
 }
diff --git a/pkg/scheduler/framework/runtime/waiting_pods_map.go b/pkg/scheduler/framework/runtime/waiting_pods_map.go
index 9616ed20afed4..dc054ee7f5ded 100644
--- a/pkg/scheduler/framework/runtime/waiting_pods_map.go
+++ b/pkg/scheduler/framework/runtime/waiting_pods_map.go
@@ -24,7 +24,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 )
 
 // waitingPodsMap a thread-safe map used to maintain pods waiting in the permit phase.
@@ -62,7 +61,7 @@ func (m *waitingPodsMap) get(uid types.UID) *waitingPod {
 }
 
 // iterate acquires a read lock and iterates over the WaitingPods map.
-func (m *waitingPodsMap) iterate(callback func(framework.WaitingPod)) {
+func (m *waitingPodsMap) iterate(callback func(fwk.WaitingPod)) {
 	m.mu.RLock()
 	defer m.mu.RUnlock()
 	for _, v := range m.pods {
@@ -78,7 +77,7 @@ type waitingPod struct {
 	mu             sync.RWMutex
 }
 
-var _ framework.WaitingPod = &waitingPod{}
+var _ fwk.WaitingPod = &waitingPod{}
 
 // newWaitingPod returns a new waitingPod instance.
 func newWaitingPod(pod *v1.Pod, pluginsMaxWaitTime map[string]time.Duration) *waitingPod {
diff --git a/pkg/scheduler/framework/types.go b/pkg/scheduler/framework/types.go
index 969b3898f836f..9e92527be172b 100644
--- a/pkg/scheduler/framework/types.go
+++ b/pkg/scheduler/framework/types.go
@@ -26,7 +26,6 @@ import (
 	"time"
 
 	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -34,6 +33,7 @@ import (
 	"k8s.io/klog/v2"
 
 	"k8s.io/apimachinery/pkg/api/resource"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
 	resourcehelper "k8s.io/component-helpers/resource"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
@@ -76,6 +76,7 @@ var (
 		fwk.ResourceClaim,
 		fwk.ResourceSlice,
 		fwk.DeviceClass,
+		fwk.Workload,
 	}
 )
 
@@ -142,7 +143,7 @@ func MatchAnyClusterEvent(ce fwk.ClusterEvent, incomingEvents []fwk.ClusterEvent
 }
 
 func UnrollWildCardResource() []fwk.ClusterEventWithHint {
-	return []fwk.ClusterEventWithHint{
+	events := []fwk.ClusterEventWithHint{
 		{Event: fwk.ClusterEvent{Resource: fwk.Pod, ActionType: fwk.All}},
 		{Event: fwk.ClusterEvent{Resource: fwk.Node, ActionType: fwk.All}},
 		{Event: fwk.ClusterEvent{Resource: fwk.PersistentVolume, ActionType: fwk.All}},
@@ -154,6 +155,10 @@ func UnrollWildCardResource() []fwk.ClusterEventWithHint {
 		{Event: fwk.ClusterEvent{Resource: fwk.ResourceClaim, ActionType: fwk.All}},
 		{Event: fwk.ClusterEvent{Resource: fwk.DeviceClass, ActionType: fwk.All}},
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+		events = append(events, fwk.ClusterEventWithHint{Event: fwk.ClusterEvent{Resource: fwk.Workload, ActionType: fwk.All}})
+	}
+	return events
 }
 
 // NodeInfo is node level aggregated information.
@@ -197,6 +202,9 @@ type NodeInfo struct {
 	// Whenever NodeInfo changes, generation is bumped.
 	// This is used to avoid cloning it if the object didn't change.
 	Generation int64
+
+	// DeclaredFeatures is a set of features published by the node
+	DeclaredFeatures ndf.FeatureSet
 }
 
 func (n *NodeInfo) GetPods() []fwk.PodInfo {
@@ -239,6 +247,11 @@ func (n *NodeInfo) GetGeneration() int64 {
 	return n.Generation
 }
 
+// GetNodeDeclaredFeatures returns the declared feature set of the node
+func (n *NodeInfo) GetNodeDeclaredFeatures() ndf.FeatureSet {
+	return n.DeclaredFeatures
+}
+
 // NodeInfo implements KMetadata, so for example klog.KObjSlice(nodes) works
 // when nodes is a []*NodeInfo.
 var _ klog.KMetadata = &NodeInfo{}
@@ -285,6 +298,7 @@ func (n *NodeInfo) SnapshotConcrete() *NodeInfo {
 		ImageStates:      make(map[string]*fwk.ImageStateSummary),
 		PVCRefCounts:     make(map[string]int),
 		Generation:       n.Generation,
+		DeclaredFeatures: n.DeclaredFeatures.Clone(),
 	}
 	if len(n.Pods) > 0 {
 		clone.Pods = append([]fwk.PodInfo(nil), n.Pods...)
@@ -461,6 +475,9 @@ func (n *NodeInfo) updatePVCRefCounts(pod *v1.Pod, add bool) {
 func (n *NodeInfo) SetNode(node *v1.Node) {
 	n.node = node
 	n.Allocatable = NewResource(node.Status.Allocatable)
+	if utilfeature.DefaultFeatureGate.Enabled(features.NodeDeclaredFeatures) {
+		n.DeclaredFeatures = ndf.NewFeatureSet(node.Status.DeclaredFeatures...)
+	}
 	n.Generation = nextGeneration()
 }
 
@@ -670,20 +687,20 @@ func (pi *PodInfo) Update(pod *v1.Pod) error {
 
 	// Attempt to parse the affinity terms
 	var parseErrs []error
-	requiredAffinityTerms, err := GetAffinityTerms(pod, GetPodAffinityTerms(pod.Spec.Affinity))
+	requiredAffinityTerms, err := fwk.GetAffinityTerms(pod, fwk.GetPodAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		parseErrs = append(parseErrs, fmt.Errorf("requiredAffinityTerms: %w", err))
 	}
-	requiredAntiAffinityTerms, err := GetAffinityTerms(pod,
-		GetPodAntiAffinityTerms(pod.Spec.Affinity))
+	requiredAntiAffinityTerms, err := fwk.GetAffinityTerms(pod,
+		fwk.GetPodAntiAffinityTerms(pod.Spec.Affinity))
 	if err != nil {
 		parseErrs = append(parseErrs, fmt.Errorf("requiredAntiAffinityTerms: %w", err))
 	}
-	weightedAffinityTerms, err := getWeightedAffinityTerms(pod, preferredAffinityTerms)
+	weightedAffinityTerms, err := fwk.GetWeightedAffinityTerms(pod, preferredAffinityTerms)
 	if err != nil {
 		parseErrs = append(parseErrs, fmt.Errorf("preferredAffinityTerms: %w", err))
 	}
-	weightedAntiAffinityTerms, err := getWeightedAffinityTerms(pod, preferredAntiAffinityTerms)
+	weightedAntiAffinityTerms, err := fwk.GetWeightedAffinityTerms(pod, preferredAntiAffinityTerms)
 	if err != nil {
 		parseErrs = append(parseErrs, fmt.Errorf("preferredAntiAffinityTerms: %w", err))
 	}
@@ -703,8 +720,10 @@ func (pi *PodInfo) CalculateResource() fwk.PodResource {
 	}
 	inPlacePodVerticalScalingEnabled := utilfeature.DefaultFeatureGate.Enabled(features.InPlacePodVerticalScaling)
 	podLevelResourcesEnabled := utilfeature.DefaultFeatureGate.Enabled(features.PodLevelResources)
+	inPlacePodLevelResourcesVerticalScalingEnabled := utilfeature.DefaultMutableFeatureGate.Enabled(features.InPlacePodLevelResourcesVerticalScaling)
 	requests := resourcehelper.PodRequests(pi.Pod, resourcehelper.PodResourcesOptions{
 		UseStatusResources: inPlacePodVerticalScalingEnabled,
+		InPlacePodLevelResourcesVerticalScalingEnabled: inPlacePodLevelResourcesVerticalScalingEnabled,
 		// SkipPodLevelResources is set to false when PodLevelResources feature is enabled.
 		SkipPodLevelResources: !podLevelResourcesEnabled,
 	})
@@ -714,6 +733,7 @@ func (pi *PodInfo) CalculateResource() fwk.PodResource {
 	if len(nonMissingContainerRequests) > 0 {
 		non0Requests = resourcehelper.PodRequests(pi.Pod, resourcehelper.PodResourcesOptions{
 			UseStatusResources: inPlacePodVerticalScalingEnabled,
+			InPlacePodLevelResourcesVerticalScalingEnabled: inPlacePodLevelResourcesVerticalScalingEnabled,
 			// SkipPodLevelResources is set to false when PodLevelResources feature is enabled.
 			SkipPodLevelResources:       !podLevelResourcesEnabled,
 			NonMissingContainerRequests: nonMissingContainerRequests,
@@ -797,8 +817,8 @@ func (f *FitError) Error() string {
 		// the scheduling cycle went through PreFilter extension point successfully.
 		//
 		// When the prefilter plugin returns unschedulable,
-		// the scheduling framework inserts the same unschedulable status to all nodes in NodeToStatusMap.
-		// So, we shouldn't add the message from NodeToStatusMap when the PreFilter failed.
+		// the scheduling framework inserts the same unschedulable status to all nodes in NodeToStatusReader.
+		// So, we shouldn't add the message from NodeToStatusReader when the PreFilter failed.
 		// Otherwise, we will have duplicated reasons in the error message.
 		reasons := make(map[string]int)
 		f.Diagnosis.NodeToStatus.ForEachExplicitNode(func(_ string, status *fwk.Status) {
@@ -807,7 +827,7 @@ func (f *FitError) Error() string {
 			}
 		})
 		if f.Diagnosis.NodeToStatus.Len() < f.NumAllNodes {
-			// Adding predefined reasons for nodes that are absent in NodeToStatusMap
+			// Adding predefined reasons for nodes that are absent in NodeToStatusReader
 			for _, reason := range f.Diagnosis.NodeToStatus.AbsentNodesStatus().Reasons() {
 				reasons[reason] += f.NumAllNodes - f.Diagnosis.NodeToStatus.Len()
 			}
@@ -837,58 +857,6 @@ func (f *FitError) Error() string {
 	return reasonMsg
 }
 
-func newAffinityTerm(pod *v1.Pod, term *v1.PodAffinityTerm) (*fwk.AffinityTerm, error) {
-	selector, err := metav1.LabelSelectorAsSelector(term.LabelSelector)
-	if err != nil {
-		return nil, err
-	}
-
-	namespaces := getNamespacesFromPodAffinityTerm(pod, term)
-	nsSelector, err := metav1.LabelSelectorAsSelector(term.NamespaceSelector)
-	if err != nil {
-		return nil, err
-	}
-
-	return &fwk.AffinityTerm{Namespaces: namespaces, Selector: selector, TopologyKey: term.TopologyKey, NamespaceSelector: nsSelector}, nil
-}
-
-// GetAffinityTerms receives a Pod and affinity terms and returns the namespaces and
-// selectors of the terms.
-func GetAffinityTerms(pod *v1.Pod, v1Terms []v1.PodAffinityTerm) ([]fwk.AffinityTerm, error) {
-	if v1Terms == nil {
-		return nil, nil
-	}
-
-	var terms []fwk.AffinityTerm
-	for i := range v1Terms {
-		t, err := newAffinityTerm(pod, &v1Terms[i])
-		if err != nil {
-			// We get here if the label selector failed to process
-			return nil, err
-		}
-		terms = append(terms, *t)
-	}
-	return terms, nil
-}
-
-// getWeightedAffinityTerms returns the list of processed affinity terms.
-func getWeightedAffinityTerms(pod *v1.Pod, v1Terms []v1.WeightedPodAffinityTerm) ([]fwk.WeightedAffinityTerm, error) {
-	if v1Terms == nil {
-		return nil, nil
-	}
-
-	var terms []fwk.WeightedAffinityTerm
-	for i := range v1Terms {
-		t, err := newAffinityTerm(pod, &v1Terms[i].PodAffinityTerm)
-		if err != nil {
-			// We get here if the label selector failed to process
-			return nil, err
-		}
-		terms = append(terms, fwk.WeightedAffinityTerm{AffinityTerm: *t, Weight: v1Terms[i].Weight})
-	}
-	return terms, nil
-}
-
 // NewPodInfo returns a new PodInfo.
 func NewPodInfo(pod *v1.Pod) (*PodInfo, error) {
 	pInfo := &PodInfo{}
@@ -896,44 +864,6 @@ func NewPodInfo(pod *v1.Pod) (*PodInfo, error) {
 	return pInfo, err
 }
 
-func GetPodAffinityTerms(affinity *v1.Affinity) (terms []v1.PodAffinityTerm) {
-	if affinity != nil && affinity.PodAffinity != nil {
-		if len(affinity.PodAffinity.RequiredDuringSchedulingIgnoredDuringExecution) != 0 {
-			terms = affinity.PodAffinity.RequiredDuringSchedulingIgnoredDuringExecution
-		}
-		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
-		// if len(affinity.PodAffinity.RequiredDuringSchedulingRequiredDuringExecution) != 0 {
-		//	terms = append(terms, affinity.PodAffinity.RequiredDuringSchedulingRequiredDuringExecution...)
-		// }
-	}
-	return terms
-}
-
-func GetPodAntiAffinityTerms(affinity *v1.Affinity) (terms []v1.PodAffinityTerm) {
-	if affinity != nil && affinity.PodAntiAffinity != nil {
-		if len(affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution) != 0 {
-			terms = affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution
-		}
-		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
-		// if len(affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution) != 0 {
-		//	terms = append(terms, affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution...)
-		// }
-	}
-	return terms
-}
-
-// returns a set of names according to the namespaces indicated in podAffinityTerm.
-// If namespaces is empty it considers the given pod's namespace.
-func getNamespacesFromPodAffinityTerm(pod *v1.Pod, podAffinityTerm *v1.PodAffinityTerm) sets.Set[string] {
-	names := sets.Set[string]{}
-	if len(podAffinityTerm.Namespaces) == 0 && podAffinityTerm.NamespaceSelector == nil {
-		names.Insert(pod.Namespace)
-	} else {
-		names.Insert(podAffinityTerm.Namespaces...)
-	}
-	return names
-}
-
 // Resource is a collection of compute resource.
 // Implementation is separate from interface fwk.Resource, because implementation of functions Add and SetMaxResource
 // depends on internal scheduler util functions.
diff --git a/pkg/scheduler/framework/types_test.go b/pkg/scheduler/framework/types_test.go
index 5b6bc19ecb99e..fe910a19341e0 100644
--- a/pkg/scheduler/framework/types_test.go
+++ b/pkg/scheduler/framework/types_test.go
@@ -27,9 +27,9 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/sets"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
 	"k8s.io/klog/v2"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
@@ -548,6 +548,28 @@ func TestNodeInfoClone(t *testing.T) {
 				},
 			},
 		},
+		{
+			nodeInfo: &NodeInfo{
+				Requested:        &Resource{},
+				NonZeroRequested: &Resource{},
+				Allocatable:      &Resource{},
+				Generation:       3,
+				UsedPorts:        fwk.HostPortInfo{},
+				ImageStates:      map[string]*fwk.ImageStateSummary{},
+				PVCRefCounts:     map[string]int{},
+				DeclaredFeatures: ndf.NewFeatureSet("FeatureA", "FeatureB"),
+			},
+			expected: &NodeInfo{
+				Requested:        &Resource{},
+				NonZeroRequested: &Resource{},
+				Allocatable:      &Resource{},
+				Generation:       3,
+				UsedPorts:        fwk.HostPortInfo{},
+				ImageStates:      map[string]*fwk.ImageStateSummary{},
+				PVCRefCounts:     map[string]int{},
+				DeclaredFeatures: ndf.NewFeatureSet("FeatureA", "FeatureB"),
+			},
+		},
 	}
 
 	for i, test := range tests {
@@ -1217,58 +1239,74 @@ func TestNodeInfoRemovePod(t *testing.T) {
 	}
 }
 
-func fakeNodeInfo(pods ...*v1.Pod) *NodeInfo {
-	ni := NewNodeInfo(pods...)
-	ni.SetNode(&v1.Node{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "test-node",
-		},
-	})
-	return ni
-}
-
-func TestGetNamespacesFromPodAffinityTerm(t *testing.T) {
+func TestSetNodeDeclaredFeatures(t *testing.T) {
 	tests := []struct {
-		name string
-		term *v1.PodAffinityTerm
-		want sets.Set[string]
+		name               string
+		featureGateEnabled bool
+		nodeStatus         v1.NodeStatus
+		expectedFeatures   ndf.FeatureSet
 	}{
 		{
-			name: "podAffinityTerm_namespace_empty",
-			term: &v1.PodAffinityTerm{},
-			want: sets.Set[string]{metav1.NamespaceDefault: sets.Empty{}},
+			name:               "Feature gate disabled",
+			featureGateEnabled: false,
+			nodeStatus: v1.NodeStatus{
+				DeclaredFeatures: []string{"FeatureA", "FeatureB"},
+			},
+			expectedFeatures: ndf.NewFeatureSet(),
 		},
 		{
-			name: "podAffinityTerm_namespace_not_empty",
-			term: &v1.PodAffinityTerm{
-				Namespaces: []string{metav1.NamespacePublic, metav1.NamespaceSystem},
+			name:               "Feature gate enabled, node has features",
+			featureGateEnabled: true,
+			nodeStatus: v1.NodeStatus{
+				DeclaredFeatures: []string{"FeatureA", "FeatureB"},
 			},
-			want: sets.New(metav1.NamespacePublic, metav1.NamespaceSystem),
+			expectedFeatures: ndf.NewFeatureSet("FeatureA", "FeatureB"),
 		},
 		{
-			name: "podAffinityTerm_namespace_selector_not_nil",
-			term: &v1.PodAffinityTerm{
-				NamespaceSelector: &metav1.LabelSelector{},
+			name:               "Feature gate enabled, node has no features",
+			featureGateEnabled: true,
+			nodeStatus: v1.NodeStatus{
+				DeclaredFeatures: []string{},
 			},
-			want: sets.Set[string]{},
+			expectedFeatures: ndf.NewFeatureSet(),
+		},
+		{
+			name:               "Feature gate enabled, node status has nil features",
+			featureGateEnabled: true,
+			nodeStatus: v1.NodeStatus{
+				DeclaredFeatures: nil,
+			},
+			expectedFeatures: ndf.NewFeatureSet(),
 		},
 	}
 
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			got := getNamespacesFromPodAffinityTerm(&v1.Pod{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "topologies_pod",
-					Namespace: metav1.NamespaceDefault,
-				},
-			}, test.term)
-			if diff := cmp.Diff(test.want, got); diff != "" {
-				t.Errorf("Unexpected namespaces (-want, +got):\n%s", diff)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tt.featureGateEnabled)
+			ni := NewNodeInfo()
+			node := &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-node"},
+				Status:     tt.nodeStatus,
+			}
+			ni.SetNode(node)
+			gotFeatures := ni.GetNodeDeclaredFeatures()
+			if !gotFeatures.Equal(tt.expectedFeatures) {
+				t.Errorf("SetNode() or GetNodeDeclaredFeatures() unexpected result, got: %v, want: %v", gotFeatures, tt.expectedFeatures)
 			}
 		})
 	}
 }
 
+func fakeNodeInfo(pods ...*v1.Pod) *NodeInfo {
+	ni := NewNodeInfo(pods...)
+	ni.SetNode(&v1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node",
+		},
+	})
+	return ni
+}
+
 func TestFitError_Error(t *testing.T) {
 	tests := []struct {
 		name          string
@@ -1666,6 +1704,9 @@ func TestPodInfoCalculateResources(t *testing.T) {
 
 func TestCalculatePodResourcesWithResize(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodLevelResourcesVerticalScaling, true)
+
 	testpod := v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "pod_resize_test",
@@ -1680,11 +1721,24 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 	restartAlways := v1.ContainerRestartPolicyAlways
 
 	preparePodInfo := func(pod v1.Pod,
+		podRequests, podStatusResources,
 		requests, statusResources,
 		initRequests, initStatusResources,
 		sidecarRequests, sidecarStatusResources *v1.ResourceList,
 		resizeStatus []*v1.PodCondition) PodInfo {
 
+		if podRequests != nil {
+			pod.Spec.Resources = &v1.ResourceRequirements{
+				Requests: *podRequests,
+			}
+		}
+
+		if podStatusResources != nil {
+			pod.Status.Resources = &v1.ResourceRequirements{
+				Requests: *podStatusResources,
+			}
+		}
+
 		if requests != nil {
 			pod.Spec.Containers = append(pod.Spec.Containers,
 				v1.Container{
@@ -1747,15 +1801,17 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 	}
 
 	tests := []struct {
-		name                   string
-		requests               v1.ResourceList
-		statusResources        v1.ResourceList
-		initRequests           *v1.ResourceList
-		initStatusResources    *v1.ResourceList
-		resizeStatus           []*v1.PodCondition
-		sidecarRequests        *v1.ResourceList
-		sidecarStatusResources *v1.ResourceList
-		expectedResource       fwk.PodResource
+		name                    string
+		podLevelRequests        *v1.ResourceList
+		requests                v1.ResourceList
+		statusResources         v1.ResourceList
+		podLevelStatusResources *v1.ResourceList
+		initRequests            *v1.ResourceList
+		initStatusResources     *v1.ResourceList
+		resizeStatus            []*v1.PodCondition
+		sidecarRequests         *v1.ResourceList
+		sidecarStatusResources  *v1.ResourceList
+		expectedResource        fwk.PodResource
 	}{
 		{
 			name:            "Pod with no pending resize",
@@ -1770,6 +1826,21 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 				Non0Mem: mem500M.Value(),
 			},
 		},
+		{
+			name:                    "Pod with pod-level resources no pending resize",
+			podLevelRequests:        &v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem500M},
+			requests:                v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			podLevelStatusResources: &v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			statusResources:         v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem500M},
+			expectedResource: fwk.PodResource{
+				Resource: &Resource{
+					MilliCPU: cpu700m.MilliValue(),
+					Memory:   mem500M.Value(),
+				},
+				Non0CPU: cpu700m.MilliValue(),
+				Non0Mem: mem500M.Value(),
+			},
+		},
 		{
 			name:            "Pod with resize in progress",
 			requests:        v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
@@ -1789,6 +1860,27 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 				Non0Mem: mem500M.Value(),
 			},
 		},
+		{
+			name:                    "Pod with pod-level resources and resize in progress",
+			podLevelRequests:        &v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem500M},
+			requests:                v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			podLevelStatusResources: &v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			statusResources:         v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem500M},
+			resizeStatus: []*v1.PodCondition{
+				{
+					Type:   v1.PodResizeInProgress,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedResource: fwk.PodResource{
+				Resource: &Resource{
+					MilliCPU: cpu700m.MilliValue(),
+					Memory:   mem500M.Value(),
+				},
+				Non0CPU: cpu700m.MilliValue(),
+				Non0Mem: mem500M.Value(),
+			},
+		},
 		{
 			name:            "Pod with deferred resize",
 			requests:        v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem800M},
@@ -1809,6 +1901,28 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 				Non0Mem: mem800M.Value(),
 			},
 		},
+		{
+			name:                    "Pod with pod-level resources and with deferred resize",
+			podLevelRequests:        &v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem800M},
+			requests:                v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			podLevelStatusResources: &v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			statusResources:         v1.ResourceList{v1.ResourceCPU: cpu500m, v1.ResourceMemory: mem500M},
+			resizeStatus: []*v1.PodCondition{
+				{
+					Type:   v1.PodResizePending,
+					Status: v1.ConditionTrue,
+					Reason: v1.PodReasonDeferred,
+				},
+			},
+			expectedResource: fwk.PodResource{
+				Resource: &Resource{
+					MilliCPU: cpu700m.MilliValue(),
+					Memory:   mem800M.Value(),
+				},
+				Non0CPU: cpu700m.MilliValue(),
+				Non0Mem: mem800M.Value(),
+			},
+		},
 		{
 			name:            "Pod with infeasible resize",
 			requests:        v1.ResourceList{v1.ResourceCPU: cpu700m, v1.ResourceMemory: mem800M},
@@ -1866,6 +1980,7 @@ func TestCalculatePodResourcesWithResize(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			podInfo := preparePodInfo(*testpod.DeepCopy(),
+				tt.podLevelRequests, tt.podLevelStatusResources,
 				&tt.requests, &tt.statusResources,
 				tt.initRequests, tt.initStatusResources,
 				tt.sidecarRequests, tt.sidecarStatusResources,
diff --git a/pkg/scheduler/metrics/metrics.go b/pkg/scheduler/metrics/metrics.go
index 9ff706cfc6d4e..8fbdc0d98ab64 100644
--- a/pkg/scheduler/metrics/metrics.go
+++ b/pkg/scheduler/metrics/metrics.go
@@ -45,8 +45,8 @@ const (
 	GoroutineResultError   = "error"
 )
 
-// ExtentionPoints is a list of possible values for the extension_point label.
-var ExtentionPoints = []string{
+// ExtensionPoints is a list of possible values for the extension_point label.
+var ExtensionPoints = []string{
 	PreFilter,
 	Filter,
 	PreFilterExtensionAddPod,
@@ -56,11 +56,13 @@ var ExtentionPoints = []string{
 	Score,
 	ScoreExtensionNormalize,
 	PreBind,
+	PreBindPreFlight,
 	Bind,
 	PostBind,
 	Reserve,
 	Unreserve,
 	Permit,
+	Sign,
 }
 
 const (
@@ -79,6 +81,7 @@ const (
 	Reserve                     = "Reserve"
 	Unreserve                   = "Unreserve"
 	Permit                      = "Permit"
+	Sign                        = "Sign"
 )
 
 const (
@@ -91,17 +94,40 @@ const (
 	PodPoppedInFlightEvent = "PodPopped"
 )
 
+// Possible batch attempt results
+const (
+	BatchAttemptNoHint      = "no_hint"
+	BatchAttemptHintUsed    = "hint_used"
+	BatchAttemptHintNotUsed = "hint_not_used"
+)
+
+// Possible batch cache flush reasons
+const (
+	BatchFlushPodFailed       = "pod_failed"
+	BatchFlushPodSkipped      = "pod_skipped"
+	BatchFlushNodeMissing     = "node_missing"
+	BatchFlushNodeNotFull     = "node_not_full"
+	BatchFlushEmptyList       = "empty_list"
+	BatchFlushExpired         = "expired"
+	BatchFlushPodIncompatible = "pod_incompatible"
+	BatchFlushPodNotBatchable = "pod_not_batchable"
+)
+
 // All the histogram based metrics have 1ms as size for the smallest bucket.
 var (
-	scheduleAttempts           *metrics.CounterVec
-	EventHandlingLatency       *metrics.HistogramVec
-	schedulingLatency          *metrics.HistogramVec
-	SchedulingAlgorithmLatency *metrics.Histogram
-	PreemptionVictims          *metrics.Histogram
-	PreemptionAttempts         *metrics.Counter
-	pendingPods                *metrics.GaugeVec
-	InFlightEvents             *metrics.GaugeVec
-	Goroutines                 *metrics.GaugeVec
+	scheduleAttempts             *metrics.CounterVec
+	EventHandlingLatency         *metrics.HistogramVec
+	schedulingLatency            *metrics.HistogramVec
+	SchedulingAlgorithmLatency   *metrics.Histogram
+	PreemptionVictims            *metrics.Histogram
+	PreemptionAttempts           *metrics.Counter
+	pendingPods                  *metrics.GaugeVec
+	InFlightEvents               *metrics.GaugeVec
+	Goroutines                   *metrics.GaugeVec
+	BatchAttemptStats            *metrics.CounterVec
+	BatchCacheFlushed            *metrics.CounterVec
+	GetNodeHintDuration          *metrics.HistogramVec
+	StoreScheduleResultsDuration *metrics.HistogramVec
 
 	PodSchedulingSLIDuration        *metrics.HistogramVec
 	PodSchedulingAttempts           *metrics.Histogram
@@ -126,6 +152,9 @@ var (
 	AsyncAPICallDuration *metrics.HistogramVec
 	AsyncAPIPendingCalls *metrics.GaugeVec
 
+	// The below is only available when the DRAExtendedResource feature gate is enabled.
+	ResourceClaimCreatesTotal *metrics.CounterVec
+
 	// metricsList is a list of all metrics that should be registered always, regardless of any feature gate's value.
 	metricsList []metrics.Registerable
 )
@@ -153,6 +182,9 @@ func Register() {
 				AsyncAPIPendingCalls,
 			)
 		}
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRAExtendedResource) {
+			RegisterMetrics(ResourceClaimCreatesTotal)
+		}
 	})
 }
 
@@ -229,6 +261,20 @@ func InitMetrics() {
 			Help:           "Number of running goroutines split by the work they do such as binding.",
 			StabilityLevel: metrics.ALPHA,
 		}, []string{"operation"})
+	BatchAttemptStats = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      SchedulerSubsystem,
+			Name:           "batch_attempts_total",
+			Help:           "Counts of results when we attempt to use batching.",
+			StabilityLevel: metrics.ALPHA,
+		}, []string{"profile", "result"})
+	BatchCacheFlushed = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      SchedulerSubsystem,
+			Name:           "batch_cache_flushed_total",
+			Help:           "Counts of cache flushes by reason.",
+			StabilityLevel: metrics.ALPHA,
+		}, []string{"profile", "reason"})
 
 	PodSchedulingSLIDuration = metrics.NewHistogramVec(
 		&metrics.HistogramOpts{
@@ -376,6 +422,37 @@ func InitMetrics() {
 		},
 		[]string{"call_type"})
 
+	ResourceClaimCreatesTotal = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Subsystem:      SchedulerSubsystem,
+			Name:           "resourceclaim_creates_total",
+			Help:           "Number of ResourceClaims creation requests within scheduler",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"status"})
+
+	GetNodeHintDuration = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Subsystem: SchedulerSubsystem,
+			Name:      "get_node_hint_duration_seconds",
+			Help:      "Latency for getting a node hint.",
+			// Start with 0.01ms with the last bucket being [~200ms, Inf)
+			Buckets:        metrics.ExponentialBuckets(0.00001, 2, 12),
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"hinted", "profile"})
+
+	StoreScheduleResultsDuration = metrics.NewHistogramVec(
+		&metrics.HistogramOpts{
+			Subsystem: SchedulerSubsystem,
+			Name:      "store_schedule_results_duration_seconds",
+			Help:      "Latency for getting a no.",
+			// Start with 0.01ms with the last bucket being [~200ms, Inf)
+			Buckets:        metrics.ExponentialBuckets(0.00001, 2, 12),
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"profile"})
+
 	metricsList = []metrics.Registerable{
 		scheduleAttempts,
 		schedulingLatency,
@@ -394,6 +471,10 @@ func InitMetrics() {
 		CacheSize,
 		unschedulableReasons,
 		PluginEvaluationTotal,
+		BatchAttemptStats,
+		BatchCacheFlushed,
+		GetNodeHintDuration,
+		StoreScheduleResultsDuration,
 	}
 }
 
diff --git a/pkg/scheduler/profile/profile_test.go b/pkg/scheduler/profile/profile_test.go
index f535a1e25c473..32dd6117205d6 100644
--- a/pkg/scheduler/profile/profile_test.go
+++ b/pkg/scheduler/profile/profile_test.go
@@ -28,7 +28,6 @@ import (
 	"k8s.io/klog/v2/ktesting"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 )
 
@@ -291,8 +290,8 @@ func (p *fakePlugin) Bind(context.Context, fwk.CycleState, *v1.Pod, string) *fwk
 	return nil
 }
 
-func newFakePlugin(name string) func(ctx context.Context, object runtime.Object, handle framework.Handle) (framework.Plugin, error) {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newFakePlugin(name string) func(ctx context.Context, object runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &fakePlugin{name: name}, nil
 	}
 }
diff --git a/pkg/scheduler/schedule_one.go b/pkg/scheduler/schedule_one.go
index fc12fcd1fe125..683bfaed690e0 100644
--- a/pkg/scheduler/schedule_one.go
+++ b/pkg/scheduler/schedule_one.go
@@ -31,12 +31,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
 	extenderv1 "k8s.io/kube-scheduler/extender/v1"
 	fwk "k8s.io/kube-scheduler/framework"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
@@ -57,9 +59,6 @@ const (
 	// to ensure that a certain minimum of nodes are checked for feasibility.
 	// This in turn helps ensure a minimum level of spreading.
 	minFeasibleNodesPercentageToFind = 5
-	// numberOfHighestScoredNodesToReport is the number of node scores
-	// to be included in ScheduleResult.
-	numberOfHighestScoredNodesToReport = 3
 )
 
 // ScheduleOne does the entire scheduling workflow for a single pod. It is serialized on the scheduling algorithm's host fitting.
@@ -136,15 +135,7 @@ func (sched *Scheduler) ScheduleOne(ctx context.Context) {
 	}()
 }
 
-// newFailureNominatingInfo returns the appropriate NominatingInfo for scheduling failures.
-// When NominatedNodeNameForExpectation feature is enabled, it returns nil (no clearing).
-// Otherwise, it returns NominatingInfo to clear the pod's nominated node.
-func (sched *Scheduler) newFailureNominatingInfo() *framework.NominatingInfo {
-	if sched.nominatedNodeNameForExpectationEnabled {
-		return nil
-	}
-	return &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: ""}
-}
+var clearNominatedNode = &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: ""}
 
 // schedulingCycle tries to schedule a single Pod.
 func (sched *Scheduler) schedulingCycle(
@@ -164,13 +155,13 @@ func (sched *Scheduler) schedulingCycle(
 		}()
 		if err == ErrNoNodesAvailable {
 			status := fwk.NewStatus(fwk.UnschedulableAndUnresolvable).WithError(err)
-			return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, podInfo, status
+			return ScheduleResult{nominatingInfo: clearNominatedNode}, podInfo, status
 		}
 
 		fitError, ok := err.(*framework.FitError)
 		if !ok {
 			logger.Error(err, "Error selecting node for pod", "pod", klog.KObj(pod))
-			return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, podInfo, fwk.AsStatus(err)
+			return ScheduleResult{nominatingInfo: clearNominatedNode}, podInfo, fwk.AsStatus(err)
 		}
 
 		// SchedulePod() may have failed because the pod would not fit on any host, so we try to
@@ -180,7 +171,7 @@ func (sched *Scheduler) schedulingCycle(
 
 		if !schedFramework.HasPostFilterPlugins() {
 			logger.V(3).Info("No PostFilter plugins are registered, so no preemption will be performed")
-			return ScheduleResult{}, podInfo, fwk.NewStatus(fwk.Unschedulable).WithError(err)
+			return ScheduleResult{nominatingInfo: clearNominatedNode}, podInfo, fwk.NewStatus(fwk.Unschedulable).WithError(err)
 		}
 
 		// Run PostFilter plugins to attempt to make the pod schedulable in a future scheduling cycle.
@@ -193,7 +184,7 @@ func (sched *Scheduler) schedulingCycle(
 			logger.V(5).Info("Status after running PostFilter plugins for pod", "pod", klog.KObj(pod), "status", msg)
 		}
 
-		var nominatingInfo *framework.NominatingInfo
+		var nominatingInfo *fwk.NominatingInfo
 		if result != nil {
 			nominatingInfo = result.NominatingInfo
 		}
@@ -213,7 +204,7 @@ func (sched *Scheduler) schedulingCycle(
 		// This relies on the fact that Error will check if the pod has been bound
 		// to a node and if so will not add it back to the unscheduled pods queue
 		// (otherwise this would cause an infinite loop).
-		return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, assumedPodInfo, fwk.AsStatus(err)
+		return ScheduleResult{nominatingInfo: clearNominatedNode}, assumedPodInfo, fwk.AsStatus(err)
 	}
 
 	// Run the Reserve method of reserve plugins.
@@ -234,9 +225,9 @@ func (sched *Scheduler) schedulingCycle(
 			}
 			fitErr.Diagnosis.NodeToStatus.Set(scheduleResult.SuggestedHost, sts)
 			fitErr.Diagnosis.AddPluginStatus(sts)
-			return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, assumedPodInfo, fwk.NewStatus(sts.Code()).WithError(fitErr)
+			return ScheduleResult{nominatingInfo: clearNominatedNode}, assumedPodInfo, fwk.NewStatus(sts.Code()).WithError(fitErr)
 		}
-		return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, assumedPodInfo, sts
+		return ScheduleResult{nominatingInfo: clearNominatedNode}, assumedPodInfo, sts
 	}
 
 	// Run "permit" plugins.
@@ -258,10 +249,10 @@ func (sched *Scheduler) schedulingCycle(
 			}
 			fitErr.Diagnosis.NodeToStatus.Set(scheduleResult.SuggestedHost, runPermitStatus)
 			fitErr.Diagnosis.AddPluginStatus(runPermitStatus)
-			return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, assumedPodInfo, fwk.NewStatus(runPermitStatus.Code()).WithError(fitErr)
+			return ScheduleResult{nominatingInfo: clearNominatedNode}, assumedPodInfo, fwk.NewStatus(runPermitStatus.Code()).WithError(fitErr)
 		}
 
-		return ScheduleResult{nominatingInfo: sched.newFailureNominatingInfo()}, assumedPodInfo, runPermitStatus
+		return ScheduleResult{nominatingInfo: clearNominatedNode}, assumedPodInfo, runPermitStatus
 	}
 
 	// At the end of a successful scheduling cycle, pop and move up Pods if needed.
@@ -297,9 +288,9 @@ func (sched *Scheduler) bindingCycle(
 		if preFlightStatus.IsSuccess() || schedFramework.WillWaitOnPermit(ctx, assumedPod) {
 			// Add NominatedNodeName to tell the external components (e.g., the cluster autoscaler) that the pod is about to be bound to the node.
 			// We only do this when any of WaitOnPermit or PreBind will work because otherwise the pod will be soon bound anyway.
-			if err := updatePod(ctx, sched.client, schedFramework.APICacher(), assumedPod, nil, &framework.NominatingInfo{
+			if err := updatePod(ctx, sched.client, schedFramework.APICacher(), assumedPod, nil, &fwk.NominatingInfo{
 				NominatedNodeName: scheduleResult.SuggestedHost,
-				NominatingMode:    framework.ModeOverride,
+				NominatingMode:    fwk.ModeOverride,
 			}); err != nil {
 				logger.Error(err, "Failed to update the nominated node name in the binding cycle", "pod", klog.KObj(assumedPod), "nominatedNodeName", scheduleResult.SuggestedHost)
 				// We continue the processing because it's not critical enough to stop binding cycles here.
@@ -393,7 +384,7 @@ func (sched *Scheduler) handleBindingCycleError(
 		}
 	}
 
-	sched.FailureHandler(ctx, fwk, podInfo, status, sched.newFailureNominatingInfo(), start)
+	sched.FailureHandler(ctx, fwk, podInfo, status, clearNominatedNode, start)
 }
 
 func (sched *Scheduler) frameworkForPod(pod *v1.Pod) (framework.Framework, error) {
@@ -439,7 +430,7 @@ func (sched *Scheduler) schedulePod(ctx context.Context, fwk framework.Framework
 		return result, ErrNoNodesAvailable
 	}
 
-	feasibleNodes, diagnosis, err := sched.findNodesThatFitPod(ctx, fwk, state, pod)
+	feasibleNodes, diagnosis, nodeHint, signature, err := sched.findNodesThatFitPod(ctx, fwk, state, pod)
 	if err != nil {
 		return result, err
 	}
@@ -455,8 +446,12 @@ func (sched *Scheduler) schedulePod(ctx context.Context, fwk framework.Framework
 
 	// When only one node after predicate, just use it.
 	if len(feasibleNodes) == 1 {
+		node := feasibleNodes[0].Node().Name
+		if utilfeature.DefaultFeatureGate.Enabled(features.OpportunisticBatching) {
+			fwk.StoreScheduleResults(ctx, signature, nodeHint, node, nil, sched.CurrentCycle())
+		}
 		return ScheduleResult{
-			SuggestedHost:  feasibleNodes[0].Node().Name,
+			SuggestedHost:  node,
 			EvaluatedNodes: 1 + diagnosis.NodeToStatus.Len(),
 			FeasibleNodes:  1,
 		}, nil
@@ -467,11 +462,16 @@ func (sched *Scheduler) schedulePod(ctx context.Context, fwk framework.Framework
 		return result, err
 	}
 
-	host, _, err := selectHost(priorityList, numberOfHighestScoredNodesToReport)
+	sortedPrioritizedNodes := newSortedNodeScores(priorityList)
+	node := sortedPrioritizedNodes.Pop()
 	trace.Step("Prioritizing done")
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.OpportunisticBatching) {
+		fwk.StoreScheduleResults(ctx, signature, nodeHint, node, sortedPrioritizedNodes, sched.CurrentCycle())
+	}
+
 	return ScheduleResult{
-		SuggestedHost:  host,
+		SuggestedHost:  node,
 		EvaluatedNodes: len(feasibleNodes) + diagnosis.NodeToStatus.Len(),
 		FeasibleNodes:  len(feasibleNodes),
 	}, err
@@ -479,7 +479,7 @@ func (sched *Scheduler) schedulePod(ctx context.Context, fwk framework.Framework
 
 // Filters the nodes to find the ones that fit the pod based on the framework
 // filter plugins and filter extenders.
-func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework framework.Framework, state fwk.CycleState, pod *v1.Pod) ([]fwk.NodeInfo, framework.Diagnosis, error) {
+func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework framework.Framework, state fwk.CycleState, pod *v1.Pod) ([]fwk.NodeInfo, framework.Diagnosis, string, fwk.PodSignature, error) {
 	logger := klog.FromContext(ctx)
 	diagnosis := framework.Diagnosis{
 		NodeToStatus: framework.NewDefaultNodeToStatus(),
@@ -487,14 +487,14 @@ func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework
 
 	allNodes, err := sched.nodeInfoSnapshot.NodeInfos().List()
 	if err != nil {
-		return nil, diagnosis, err
+		return nil, diagnosis, "", nil, err
 	}
 	// Run "prefilter" plugins.
 	preRes, s, unscheduledPlugins := schedFramework.RunPreFilterPlugins(ctx, state, pod)
 	diagnosis.UnschedulablePlugins = unscheduledPlugins
 	if !s.IsSuccess() {
 		if !s.IsRejected() {
-			return nil, diagnosis, s.AsError()
+			return nil, diagnosis, "", nil, s.AsError()
 		}
 		// All nodes in NodeToStatus will have the same status so that they can be handled in the preemption.
 		diagnosis.NodeToStatus.SetAbsentNodesStatus(s)
@@ -504,19 +504,28 @@ func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework
 		diagnosis.PreFilterMsg = msg
 		logger.V(5).Info("Status after running PreFilter plugins for pod", "pod", klog.KObj(pod), "status", msg)
 		diagnosis.AddPluginStatus(s)
-		return nil, diagnosis, nil
+		return nil, diagnosis, "", nil, nil
+	}
+
+	var nodeHint string
+	var signature fwk.PodSignature
+	if utilfeature.DefaultFeatureGate.Enabled(features.OpportunisticBatching) {
+		// We get the node hint even if we have a nominated name for simplicity, but we could potentially avoid it
+		// in this scenario in the future.
+		nodeHint, signature = schedFramework.GetNodeHint(ctx, pod, state, sched.CurrentCycle())
 	}
 
 	// "NominatedNodeName" can potentially be set in a previous scheduling cycle as a result of preemption.
 	// This node is likely the only candidate that will fit the pod, and hence we try it first before iterating over all nodes.
-	if len(pod.Status.NominatedNodeName) > 0 {
-		feasibleNodes, err := sched.evaluateNominatedNode(ctx, pod, schedFramework, state, diagnosis)
+	// We take the same tack for hinted nodes from the batch module.
+	if len(pod.Status.NominatedNodeName) > 0 || len(nodeHint) > 0 {
+		feasibleNodes, err := sched.evaluateNominatedNode(ctx, pod, schedFramework, state, nodeHint, diagnosis)
 		if err != nil {
 			utilruntime.HandleErrorWithContext(ctx, err, "Evaluation failed on nominated node", "pod", klog.KObj(pod), "node", pod.Status.NominatedNodeName)
 		}
 		// Nominated node passes all the filters, scheduler is good to assign this node to the pod.
 		if len(feasibleNodes) != 0 {
-			return feasibleNodes, diagnosis, nil
+			return feasibleNodes, diagnosis, nodeHint, signature, nil
 		}
 	}
 
@@ -538,19 +547,19 @@ func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework
 	processedNodes := len(feasibleNodes) + diagnosis.NodeToStatus.Len()
 	sched.nextStartNodeIndex = (sched.nextStartNodeIndex + processedNodes) % len(allNodes)
 	if err != nil {
-		return nil, diagnosis, err
+		return nil, diagnosis, nodeHint, signature, err
 	}
 
 	feasibleNodesAfterExtender, err := findNodesThatPassExtenders(ctx, sched.Extenders, pod, feasibleNodes, diagnosis.NodeToStatus)
 	if err != nil {
-		return nil, diagnosis, err
+		return nil, diagnosis, nodeHint, signature, err
 	}
 	if len(feasibleNodesAfterExtender) != len(feasibleNodes) {
 		// Extenders filtered out some nodes.
 		//
 		// Extender doesn't support any kind of requeueing feature like EnqueueExtensions in the scheduling framework.
 		// When Extenders reject some Nodes and the pod ends up being unschedulable,
-		// we put framework.ExtenderName to pInfo.UnschedulablePlugins.
+		// we put fwk.ExtenderName to pInfo.UnschedulablePlugins.
 		// This Pod will be requeued from unschedulable pod pool to activeQ/backoffQ
 		// by any kind of cluster events.
 		// https://github.com/kubernetes/kubernetes/issues/122019
@@ -560,11 +569,17 @@ func (sched *Scheduler) findNodesThatFitPod(ctx context.Context, schedFramework
 		diagnosis.UnschedulablePlugins.Insert(framework.ExtenderName)
 	}
 
-	return feasibleNodesAfterExtender, diagnosis, nil
+	return feasibleNodesAfterExtender, diagnosis, nodeHint, signature, nil
 }
 
-func (sched *Scheduler) evaluateNominatedNode(ctx context.Context, pod *v1.Pod, schedFramework framework.Framework, state fwk.CycleState, diagnosis framework.Diagnosis) ([]fwk.NodeInfo, error) {
+func (sched *Scheduler) evaluateNominatedNode(ctx context.Context, pod *v1.Pod, schedFramework framework.Framework, state fwk.CycleState, nodeHint string, diagnosis framework.Diagnosis) ([]fwk.NodeInfo, error) {
+	// In the future we could potentially use the hint if the nominated node failed.
+	// https://github.com/kubernetes/kubernetes/issues/135163
 	nnn := pod.Status.NominatedNodeName
+	if len(nnn) == 0 {
+		nnn = nodeHint
+	}
+
 	nodeInfo, err := sched.nodeInfoSnapshot.Get(nnn)
 	if err != nil {
 		return nil, err
@@ -722,7 +737,7 @@ func (sched *Scheduler) numFeasibleNodesToFind(percentageOfNodesToScore *int32,
 	return numNodes
 }
 
-func findNodesThatPassExtenders(ctx context.Context, extenders []framework.Extender, pod *v1.Pod, feasibleNodes []fwk.NodeInfo, statuses *framework.NodeToStatus) ([]fwk.NodeInfo, error) {
+func findNodesThatPassExtenders(ctx context.Context, extenders []fwk.Extender, pod *v1.Pod, feasibleNodes []fwk.NodeInfo, statuses *framework.NodeToStatus) ([]fwk.NodeInfo, error) {
 	logger := klog.FromContext(ctx)
 
 	// Extenders are called sequentially.
@@ -775,19 +790,19 @@ func findNodesThatPassExtenders(ctx context.Context, extenders []framework.Exten
 // All scores are finally combined (added) to get the total weighted scores of all nodes
 func prioritizeNodes(
 	ctx context.Context,
-	extenders []framework.Extender,
+	extenders []fwk.Extender,
 	schedFramework framework.Framework,
 	state fwk.CycleState,
 	pod *v1.Pod,
 	nodes []fwk.NodeInfo,
-) ([]framework.NodePluginScores, error) {
+) ([]fwk.NodePluginScores, error) {
 	logger := klog.FromContext(ctx)
 	// If no priority configs are provided, then all nodes will have a score of one.
 	// This is required to generate the priority list in the required format
 	if len(extenders) == 0 && !schedFramework.HasScorePlugins() {
-		result := make([]framework.NodePluginScores, 0, len(nodes))
+		result := make([]fwk.NodePluginScores, 0, len(nodes))
 		for i := range nodes {
-			result = append(result, framework.NodePluginScores{
+			result = append(result, fwk.NodePluginScores{
 				Name:       nodes[i].Node().Name,
 				TotalScore: 1,
 			})
@@ -820,7 +835,7 @@ func prioritizeNodes(
 	if len(extenders) != 0 && nodes != nil {
 		// allNodeExtendersScores has all extenders scores for all nodes.
 		// It is keyed with node name.
-		allNodeExtendersScores := make(map[string]*framework.NodePluginScores, len(nodes))
+		allNodeExtendersScores := make(map[string]*fwk.NodePluginScores, len(nodes))
 		var mu sync.Mutex
 		var wg sync.WaitGroup
 		for i := range extenders {
@@ -851,15 +866,15 @@ func prioritizeNodes(
 
 					// MaxExtenderPriority may diverge from the max priority used in the scheduler and defined by MaxNodeScore,
 					// therefore we need to scale the score returned by extenders to the score range used by the scheduler.
-					finalscore := score * weight * (framework.MaxNodeScore / extenderv1.MaxExtenderPriority)
+					finalscore := score * weight * (fwk.MaxNodeScore / extenderv1.MaxExtenderPriority)
 
 					if allNodeExtendersScores[nodename] == nil {
-						allNodeExtendersScores[nodename] = &framework.NodePluginScores{
+						allNodeExtendersScores[nodename] = &fwk.NodePluginScores{
 							Name:   nodename,
-							Scores: make([]framework.PluginScore, 0, len(extenders)),
+							Scores: make([]fwk.PluginScore, 0, len(extenders)),
 						}
 					}
-					allNodeExtendersScores[nodename].Scores = append(allNodeExtendersScores[nodename].Scores, framework.PluginScore{
+					allNodeExtendersScores[nodename].Scores = append(allNodeExtendersScores[nodename].Scores, fwk.PluginScore{
 						Name:  extenders[extIndex].Name(),
 						Score: finalscore,
 					})
@@ -873,6 +888,7 @@ func prioritizeNodes(
 			if score, ok := allNodeExtendersScores[nodes[i].Node().Name]; ok {
 				nodesScores[i].Scores = append(nodesScores[i].Scores, score.Scores...)
 				nodesScores[i].TotalScore += score.TotalScore
+				nodesScores[i].Randomizer = rand.Int()
 			}
 		}
 	}
@@ -885,73 +901,46 @@ func prioritizeNodes(
 	return nodesScores, nil
 }
 
-var errEmptyPriorityList = errors.New("empty priorityList")
-
-// selectHost takes a prioritized list of nodes and then picks one
-// in a reservoir sampling manner from the nodes that had the highest score.
-// It also returns the top {count} Nodes,
-// and the top of the list will be always the selected host.
-func selectHost(nodeScoreList []framework.NodePluginScores, count int) (string, []framework.NodePluginScores, error) {
-	if len(nodeScoreList) == 0 {
-		return "", nil, errEmptyPriorityList
-	}
+type sortedNodeScores struct {
+	nodes nodeScoreHeap
+}
 
+func newSortedNodeScores(nodeScoreList []fwk.NodePluginScores) *sortedNodeScores {
 	var h nodeScoreHeap = nodeScoreList
 	heap.Init(&h)
-	cntOfMaxScore := 1
-	selectedIndex := 0
-	// The top of the heap is the NodeScoreResult with the highest score.
-	sortedNodeScoreList := make([]framework.NodePluginScores, 0, count)
-	sortedNodeScoreList = append(sortedNodeScoreList, heap.Pop(&h).(framework.NodePluginScores))
-
-	// This for-loop will continue until all Nodes with the highest scores get checked for a reservoir sampling,
-	// and sortedNodeScoreList gets (count - 1) elements.
-	for ns := heap.Pop(&h).(framework.NodePluginScores); ; ns = heap.Pop(&h).(framework.NodePluginScores) {
-		if ns.TotalScore != sortedNodeScoreList[0].TotalScore && len(sortedNodeScoreList) == count {
-			break
-		}
-
-		if ns.TotalScore == sortedNodeScoreList[0].TotalScore {
-			cntOfMaxScore++
-			if rand.Intn(cntOfMaxScore) == 0 {
-				// Replace the candidate with probability of 1/cntOfMaxScore
-				selectedIndex = cntOfMaxScore - 1
-			}
-		}
-
-		sortedNodeScoreList = append(sortedNodeScoreList, ns)
-
-		if h.Len() == 0 {
-			break
-		}
-	}
+	return &sortedNodeScores{nodes: h}
+}
 
-	if selectedIndex != 0 {
-		// replace the first one with selected one
-		previous := sortedNodeScoreList[0]
-		sortedNodeScoreList[0] = sortedNodeScoreList[selectedIndex]
-		sortedNodeScoreList[selectedIndex] = previous
-	}
+func (s *sortedNodeScores) Pop() string {
+	ent := heap.Pop(&s.nodes).(fwk.NodePluginScores)
+	return ent.Name
+}
 
-	if len(sortedNodeScoreList) > count {
-		sortedNodeScoreList = sortedNodeScoreList[:count]
-	}
+// Used only for unit tests.
+func (s *sortedNodeScores) PopScore() fwk.NodePluginScores {
+	ent := heap.Pop(&s.nodes).(fwk.NodePluginScores)
+	return ent
+}
 
-	return sortedNodeScoreList[0].Name, sortedNodeScoreList, nil
+func (s *sortedNodeScores) Len() int {
+	return s.nodes.Len()
 }
 
-// nodeScoreHeap is a heap of framework.NodePluginScores.
-type nodeScoreHeap []framework.NodePluginScores
+// nodeScoreHeap is a heap of fwk.NodePluginScores.
+type nodeScoreHeap []fwk.NodePluginScores
 
 // nodeScoreHeap implements heap.Interface.
 var _ heap.Interface = &nodeScoreHeap{}
 
-func (h nodeScoreHeap) Len() int           { return len(h) }
-func (h nodeScoreHeap) Less(i, j int) bool { return h[i].TotalScore > h[j].TotalScore }
-func (h nodeScoreHeap) Swap(i, j int)      { h[i], h[j] = h[j], h[i] }
+func (h nodeScoreHeap) Len() int { return len(h) }
+func (h nodeScoreHeap) Less(i, j int) bool {
+	return (h[i].TotalScore > h[j].TotalScore ||
+		(h[i].TotalScore == h[j].TotalScore && h[i].Randomizer > h[j].Randomizer))
+}
+func (h nodeScoreHeap) Swap(i, j int) { h[i], h[j] = h[j], h[i] }
 
 func (h *nodeScoreHeap) Push(x interface{}) {
-	*h = append(*h, x.(framework.NodePluginScores))
+	*h = append(*h, x.(fwk.NodePluginScores))
 }
 
 func (h *nodeScoreHeap) Pop() interface{} {
@@ -1041,7 +1030,7 @@ func getAttemptsLabel(p *framework.QueuedPodInfo) string {
 
 // handleSchedulingFailure records an event for the pod that indicates the
 // pod has failed to schedule. Also, update the pod condition and nominated node name if set.
-func (sched *Scheduler) handleSchedulingFailure(ctx context.Context, fwk framework.Framework, podInfo *framework.QueuedPodInfo, status *fwk.Status, nominatingInfo *framework.NominatingInfo, start time.Time) {
+func (sched *Scheduler) handleSchedulingFailure(ctx context.Context, fwk framework.Framework, podInfo *framework.QueuedPodInfo, status *fwk.Status, nominatingInfo *fwk.NominatingInfo, start time.Time) {
 	calledDone := false
 	defer func() {
 		if !calledDone {
@@ -1139,7 +1128,7 @@ func truncateMessage(message string) string {
 	return message[:max-len(suffix)] + suffix
 }
 
-func updatePod(ctx context.Context, client clientset.Interface, apiCacher framework.APICacher, pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *framework.NominatingInfo) error {
+func updatePod(ctx context.Context, client clientset.Interface, apiCacher fwk.APICacher, pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *fwk.NominatingInfo) error {
 	if apiCacher != nil {
 		// When API cacher is available, use it to patch the status.
 		_, err := apiCacher.PatchPodStatus(pod, condition, nominatingInfo)
@@ -1158,7 +1147,7 @@ func updatePod(ctx context.Context, client clientset.Interface, apiCacher framew
 	podStatusCopy := pod.Status.DeepCopy()
 	// NominatedNodeName is updated only if we are trying to set it, and the value is
 	// different from the existing one.
-	nnnNeedsUpdate := nominatingInfo.Mode() == framework.ModeOverride && pod.Status.NominatedNodeName != nominatingInfo.NominatedNodeName
+	nnnNeedsUpdate := nominatingInfo.Mode() == fwk.ModeOverride && pod.Status.NominatedNodeName != nominatingInfo.NominatedNodeName
 	podConditionNeedsUpdate := condition != nil && podutil.UpdatePodCondition(podStatusCopy, condition)
 	if !podConditionNeedsUpdate && !nnnNeedsUpdate {
 		return nil
diff --git a/pkg/scheduler/schedule_one_test.go b/pkg/scheduler/schedule_one_test.go
index 887e6d2abcd22..592ff01a84e99 100644
--- a/pkg/scheduler/schedule_one_test.go
+++ b/pkg/scheduler/schedule_one_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package scheduler
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -27,6 +28,7 @@ import (
 	goruntime "runtime"
 	"sort"
 	"strconv"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -40,7 +42,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -118,7 +119,7 @@ func (f *fakeExtender) IsIgnorable() bool {
 func (f *fakeExtender) ProcessPreemption(
 	_ *v1.Pod,
 	_ map[string]*extenderv1.Victims,
-	_ framework.NodeInfoLister,
+	_ fwk.NodeInfoLister,
 ) (map[string]*extenderv1.Victims, error) {
 	return nil, nil
 }
@@ -168,7 +169,7 @@ func (f *fakeExtender) IsFilter() bool {
 type falseMapPlugin struct{}
 
 func newFalseMapPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &falseMapPlugin{}, nil
 	}
 }
@@ -181,14 +182,14 @@ func (pl *falseMapPlugin) Score(_ context.Context, _ fwk.CycleState, _ *v1.Pod,
 	return 0, fwk.AsStatus(errPrioritize)
 }
 
-func (pl *falseMapPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *falseMapPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
 type numericMapPlugin struct{}
 
 func newNumericMapPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &numericMapPlugin{}, nil
 	}
 }
@@ -206,12 +207,12 @@ func (pl *numericMapPlugin) Score(_ context.Context, _ fwk.CycleState, _ *v1.Pod
 	return int64(score), nil
 }
 
-func (pl *numericMapPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *numericMapPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
 // NewNoPodsFilterPlugin initializes a noPodsFilterPlugin and returns it.
-func NewNoPodsFilterPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func NewNoPodsFilterPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &noPodsFilterPlugin{}, nil
 }
 
@@ -230,11 +231,11 @@ func (pl *reverseNumericMapPlugin) Score(_ context.Context, _ fwk.CycleState, _
 	return int64(score), nil
 }
 
-func (pl *reverseNumericMapPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *reverseNumericMapPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
-func (pl *reverseNumericMapPlugin) NormalizeScore(_ context.Context, _ fwk.CycleState, _ *v1.Pod, nodeScores framework.NodeScoreList) *fwk.Status {
+func (pl *reverseNumericMapPlugin) NormalizeScore(_ context.Context, _ fwk.CycleState, _ *v1.Pod, nodeScores fwk.NodeScoreList) *fwk.Status {
 	var maxScore float64
 	minScore := math.MaxFloat64
 
@@ -243,7 +244,7 @@ func (pl *reverseNumericMapPlugin) NormalizeScore(_ context.Context, _ fwk.Cycle
 		minScore = math.Min(minScore, float64(hostPriority.Score))
 	}
 	for i, hostPriority := range nodeScores {
-		nodeScores[i] = framework.NodeScore{
+		nodeScores[i] = fwk.NodeScore{
 			Name:  hostPriority.Name,
 			Score: int64(maxScore + minScore - float64(hostPriority.Score)),
 		}
@@ -252,7 +253,7 @@ func (pl *reverseNumericMapPlugin) NormalizeScore(_ context.Context, _ fwk.Cycle
 }
 
 func newReverseNumericMapPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &reverseNumericMapPlugin{}, nil
 	}
 }
@@ -267,11 +268,11 @@ func (pl *trueMapPlugin) Score(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _
 	return 1, nil
 }
 
-func (pl *trueMapPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *trueMapPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return pl
 }
 
-func (pl *trueMapPlugin) NormalizeScore(_ context.Context, _ fwk.CycleState, _ *v1.Pod, nodeScores framework.NodeScoreList) *fwk.Status {
+func (pl *trueMapPlugin) NormalizeScore(_ context.Context, _ fwk.CycleState, _ *v1.Pod, nodeScores fwk.NodeScoreList) *fwk.Status {
 	for _, host := range nodeScores {
 		if host.Name == "" {
 			return fwk.NewStatus(fwk.Error, "unexpected empty host name")
@@ -281,7 +282,7 @@ func (pl *trueMapPlugin) NormalizeScore(_ context.Context, _ fwk.CycleState, _ *
 }
 
 func newTrueMapPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &trueMapPlugin{}, nil
 	}
 }
@@ -320,7 +321,7 @@ func (s *fakeNodeSelector) Filter(_ context.Context, _ fwk.CycleState, _ *v1.Pod
 	return nil
 }
 
-func newFakeNodeSelector(_ context.Context, args runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newFakeNodeSelector(_ context.Context, args runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	pl := &fakeNodeSelector{}
 	if err := frameworkruntime.DecodeInto(args, &pl.fakeNodeSelectorArgs); err != nil {
 		return nil, err
@@ -362,7 +363,7 @@ func (f *fakeNodeSelectorDependOnPodAnnotation) Filter(_ context.Context, _ fwk.
 	return nil
 }
 
-func newFakeNodeSelectorDependOnPodAnnotation(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newFakeNodeSelectorDependOnPodAnnotation(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &fakeNodeSelectorDependOnPodAnnotation{}, nil
 }
 
@@ -370,8 +371,8 @@ type TestPlugin struct {
 	name string
 }
 
-var _ framework.ScorePlugin = &TestPlugin{}
-var _ framework.FilterPlugin = &TestPlugin{}
+var _ fwk.ScorePlugin = &TestPlugin{}
+var _ fwk.FilterPlugin = &TestPlugin{}
 
 func (t *TestPlugin) Name() string {
 	return t.name
@@ -381,7 +382,7 @@ func (t *TestPlugin) Score(ctx context.Context, state fwk.CycleState, p *v1.Pod,
 	return 1, nil
 }
 
-func (t *TestPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (t *TestPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -916,33 +917,6 @@ func TestSchedulerScheduleOne(t *testing.T) {
 			mockScheduleResult: emptyScheduleResult,
 			eventReason:        "FailedScheduling",
 		},
-		{
-			name: "pod with existing nominated node name on scheduling error keeps nomination",
-			sendPod: func() *v1.Pod {
-				p := podWithID("foo", "")
-				p.Status.NominatedNodeName = "existing-node"
-				return p
-			}(),
-			injectSchedulingError: schedulingErr,
-			mockScheduleResult:    scheduleResultOk,
-			expectError:           schedulingErr,
-			expectErrorPod: func() *v1.Pod {
-				p := podWithID("foo", "")
-				p.Status.NominatedNodeName = "existing-node"
-				return p
-			}(),
-			expectPodInBackoffQ: func() *v1.Pod {
-				p := podWithID("foo", "")
-				p.Status.NominatedNodeName = "existing-node"
-				return p
-			}(),
-			// Depending on the timing, if asyncAPICallsEnabled, the NNN update might not be sent yet while checking the expectNominatedNodeName.
-			// So, asyncAPICallsEnabled is set to false.
-			asyncAPICallsEnabled:                   ptr.To(false),
-			nominatedNodeNameForExpectationEnabled: ptr.To(true),
-			expectNominatedNodeName:                "existing-node",
-			eventReason:                            "FailedScheduling",
-		},
 		{
 			name: "pod with existing nominated node name on scheduling error clears nomination",
 			sendPod: func() *v1.Pod {
@@ -965,9 +939,9 @@ func TestSchedulerScheduleOne(t *testing.T) {
 			}(),
 			// Depending on the timing, if asyncAPICallsEnabled, the NNN update might not be sent yet while checking the expectNominatedNodeName.
 			// So, asyncAPICallsEnabled is set to false.
-			asyncAPICallsEnabled:                   ptr.To(false),
-			nominatedNodeNameForExpectationEnabled: ptr.To(false),
-			eventReason:                            "FailedScheduling",
+			asyncAPICallsEnabled:    ptr.To(false),
+			expectNominatedNodeName: "",
+			eventReason:             "FailedScheduling",
 		},
 	}
 
@@ -986,7 +960,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 				for _, nominatedNodeNameForExpectationEnabled := range nominatedNodeNameForExpectationEnabled {
 					if (asyncAPICallsEnabled || nominatedNodeNameForExpectationEnabled) && !qHintEnabled {
 						// If the QHint feature gate is disabled, NominatedNodeNameForExpectation and SchedulerAsyncAPICalls cannot be enabled
-						// because that means users set the emilation version to 1.33 or later.
+						// because that means users set the emulation version to 1.33 or later.
 						continue
 					}
 					t.Run(fmt.Sprintf("%s (Queueing hints enabled: %v, Async API calls enabled: %v, NominatedNodeNameForExpectation enabled: %v)", item.name, qHintEnabled, asyncAPICallsEnabled, nominatedNodeNameForExpectationEnabled), func(t *testing.T) {
@@ -1000,7 +974,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 						var gotForgetPod *v1.Pod
 						var gotAssumedPod *v1.Pod
 						var gotBinding *v1.Binding
-						var gotNominatingInfo *framework.NominatingInfo
+						var gotNominatingInfo *fwk.NominatingInfo
 
 						client := clientsetfake.NewClientset(item.sendPod)
 						informerFactory := informers.NewSharedInformerFactory(client, 0)
@@ -1036,33 +1010,31 @@ func TestSchedulerScheduleOne(t *testing.T) {
 							},
 						}
 						mu := &sync.Mutex{}
-						updatedNominatedNodeName := ""
+						updatedNominatedNodeName := item.sendPod.Status.NominatedNodeName
 						client.PrependReactor("patch", "pods", func(action clienttesting.Action) (bool, runtime.Object, error) {
 							if action.GetSubresource() != "status" {
 								return false, nil, nil
 							}
 							patchAction := action.(clienttesting.PatchAction)
-							podName := patchAction.GetName()
-							namespace := patchAction.GetNamespace()
 							patch := patchAction.GetPatch()
-							pod, err := informerFactory.Core().V1().Pods().Lister().Pods(namespace).Get(podName)
-							if err != nil {
-								t.Fatalf("Failed to get the original pod %s/%s before patching: %v\n", namespace, podName, err)
-							}
-							marshalledPod, err := json.Marshal(pod)
-							if err != nil {
-								t.Fatalf("Failed to marshal the original pod %s/%s: %v", namespace, podName, err)
+							patchMap := map[string]map[string]json.RawMessage{}
+							if err := json.Unmarshal(patch, &patchMap); err != nil {
+								t.Fatalf("Failed to unmarshal patch %q: %v", patch, err)
 							}
-							updated, err := strategicpatch.StrategicMergePatch(marshalledPod, patch, v1.Pod{})
-							if err != nil {
-								t.Fatalf("Failed to apply strategic merge patch %q on pod %#v: %v", patch, marshalledPod, err)
+							statusMap, ok := patchMap["status"]
+							if !ok {
+								t.Fatalf("patch doesn't include status: %q", patch)
 							}
-							updatedPod := &v1.Pod{}
-							if err := json.Unmarshal(updated, updatedPod); err != nil {
-								t.Fatalf("Failed to unmarshal updated pod %q: %v", updated, err)
+							nnn, ok := statusMap["nominatedNodeName"]
+							if !ok {
+								return false, nil, nil
 							}
 							mu.Lock()
-							updatedNominatedNodeName = updatedPod.Status.NominatedNodeName
+							updatedNominatedNodeName = strings.Trim(string(nnn), "\"")
+							if updatedNominatedNodeName == "null" {
+								// NNN has to be cleared with this patch.
+								updatedNominatedNodeName = ""
+							}
 							mu.Unlock()
 							return false, nil, nil
 						})
@@ -1084,7 +1056,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 						}
 
 						ar := metrics.NewMetricsAsyncRecorder(10, 1*time.Second, ctx.Done())
-						queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(*ar), internalqueue.WithAPIDispatcher(apiDispatcher))
+						queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(ar), internalqueue.WithAPIDispatcher(apiDispatcher))
 						if asyncAPICallsEnabled {
 							schedFramework.SetAPICacher(apicache.New(queue, cache))
 						}
@@ -1103,7 +1075,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 						sched.SchedulePod = func(ctx context.Context, fwk framework.Framework, state fwk.CycleState, pod *v1.Pod) (ScheduleResult, error) {
 							return item.mockScheduleResult, item.injectSchedulingError
 						}
-						sched.FailureHandler = func(ctx context.Context, fwk framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, ni *framework.NominatingInfo, start time.Time) {
+						sched.FailureHandler = func(ctx context.Context, fwk framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, ni *fwk.NominatingInfo, start time.Time) {
 							gotPod = p.Pod
 							gotError = status.AsError()
 							gotNominatingInfo = ni
@@ -1123,6 +1095,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 						}
 						informerFactory.Start(ctx.Done())
 						informerFactory.WaitForCacheSync(ctx.Done())
+						sched.nodeInfoSnapshot = internalcache.NewEmptySnapshot()
 						sched.ScheduleOne(ctx)
 
 						if item.podToAdmit != nil {
@@ -1159,11 +1132,7 @@ func TestSchedulerScheduleOne(t *testing.T) {
 							t.Errorf("Unexpected error. Wanted %v, got %v", item.expectError.Error(), gotError.Error())
 						}
 						if item.expectError != nil {
-							var expectedNominatingInfo *framework.NominatingInfo
-							// Check nominatingInfo expectation based on feature gate
-							if !nominatedNodeNameForExpectationEnabled {
-								expectedNominatingInfo = &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: ""}
-							}
+							expectedNominatingInfo := &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: ""}
 							if diff := cmp.Diff(expectedNominatingInfo, gotNominatingInfo); diff != "" {
 								t.Errorf("Unexpected nominatingInfo (-want,+got):\n%s", diff)
 							}
@@ -1206,6 +1175,230 @@ func TestSchedulerScheduleOne(t *testing.T) {
 	}
 }
 
+type constSigPluginConfig struct {
+	name       string
+	signature  []fwk.SignFragment
+	status     *fwk.Status
+	pluginType string
+}
+
+type constantSigPlugin struct {
+	config *constSigPluginConfig
+}
+
+var _ fwk.FilterPlugin = &constantSigPlugin{}
+var _ fwk.PreFilterPlugin = &constantSigPlugin{}
+var _ fwk.ScorePlugin = &constantSigPlugin{}
+var _ fwk.PreScorePlugin = &constantSigPlugin{}
+
+func (pl *constantSigPlugin) Name() string {
+	return pl.config.name
+}
+
+func (pl *constantSigPlugin) Filter(_ context.Context, _ fwk.CycleState, _ *v1.Pod, _ fwk.NodeInfo) *fwk.Status {
+	return fwk.NewStatus(fwk.Success)
+}
+
+func (pl *constantSigPlugin) PreFilter(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
+	return nil, fwk.NewStatus(fwk.Success)
+}
+
+func (pl *constantSigPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
+	return nil
+}
+
+func (pl *constantSigPlugin) PreScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) *fwk.Status {
+	return fwk.NewStatus(fwk.Success)
+}
+
+func (pl *constantSigPlugin) Score(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeInfo fwk.NodeInfo) (int64, *fwk.Status) {
+	return 1, fwk.NewStatus(fwk.Success)
+}
+
+func (pl *constantSigPlugin) ScoreExtensions() fwk.ScoreExtensions {
+	return nil
+}
+
+func (pl *constantSigPlugin) SignPod(_ context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return pl.config.signature, pl.config.status
+}
+
+func newConstSigFactory(config *constSigPluginConfig) frameworkruntime.PluginFactory {
+	return func(_ context.Context, _ runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
+		return &constantSigPlugin{config: config}, nil
+	}
+}
+
+func TestSignatures(t *testing.T) {
+	table := []struct {
+		name              string
+		plugins           []*constSigPluginConfig
+		expectedSignature []byte
+	}{
+		{
+			name:              "no plugins",
+			expectedSignature: []byte(`{"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "single filter",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "filter",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "single prefilter",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "prefilter",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "single score",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "score",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "single prescore",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "prescore",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "two plugins",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "filter",
+				},
+				{
+					name:       "ConstSig2",
+					signature:  []fwk.SignFragment{{Key: "test2", Value: 17}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "score",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"test2":17,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "plugin with multiple fragments",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}, {Key: "test2", Value: 17}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "filter",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"test2":17,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "overlapping fragments",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "filter",
+				},
+				{
+					name:       "ConstSig2",
+					signature:  []fwk.SignFragment{{Key: "test", Value: 16}},
+					status:     fwk.NewStatus(fwk.Success),
+					pluginType: "score",
+				},
+			},
+			expectedSignature: []byte(`{"test":16,"v1.Pod.Spec.SchedulerName":"test-scheduler"}`),
+		},
+		{
+			name: "unsignable plugin",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					status:     fwk.NewStatus(fwk.Unschedulable),
+					pluginType: "filter",
+				},
+			},
+			expectedSignature: nil,
+		},
+		{
+			name: "error plugin",
+			plugins: []*constSigPluginConfig{
+				{
+					name:       "ConstSig",
+					status:     fwk.NewStatus(fwk.Error),
+					pluginType: "filter",
+				},
+			},
+			expectedSignature: nil,
+		},
+	}
+	for _, item := range table {
+		t.Run(item.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+			snapshot := internalcache.NewSnapshot([]*v1.Pod{}, []*v1.Node{})
+			informerFactory := informers.NewSharedInformerFactory(nil, 0)
+
+			plugins := []tf.RegisterPluginFunc{
+				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
+				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
+			}
+
+			for _, pl := range item.plugins {
+				switch pl.pluginType {
+				case "filter":
+					plugins = append(plugins, tf.RegisterFilterPlugin(pl.name, newConstSigFactory(pl)))
+				case "prefilter":
+					plugins = append(plugins, tf.RegisterPreFilterPlugin(pl.name, newConstSigFactory(pl)))
+				case "score":
+					plugins = append(plugins, tf.RegisterScorePlugin(pl.name, newConstSigFactory(pl), 1))
+				case "prescore":
+					plugins = append(plugins, tf.RegisterPreScorePlugin(pl.name, newConstSigFactory(pl)))
+				}
+			}
+
+			schedFramework, err := tf.NewFramework(ctx,
+				plugins,
+				testSchedulerName,
+				frameworkruntime.WithSnapshotSharedLister(snapshot),
+				frameworkruntime.WithInformerFactory(informerFactory),
+			)
+			if err != nil {
+				t.Fatal(err)
+			}
+			signature := schedFramework.SignPod(ctx, podWithID("foo", ""), true)
+			if !bytes.Equal(signature, item.expectedSignature) {
+				t.Fatal(fmt.Errorf("Test %s got signature %s, expected %s", item.name, signature, item.expectedSignature))
+			}
+		})
+	}
+}
+
 // Tests the logic removing pods from inFlightPods after Permit (needed to fix issue https://github.com/kubernetes/kubernetes/issues/129967).
 // This needs to be a separate test case, because it mocks the waitOnPermit and runPrebindPlugins functions.
 func TestScheduleOneMarksPodAsProcessedBeforePreBind(t *testing.T) {
@@ -1413,7 +1606,7 @@ func TestScheduleOneMarksPodAsProcessedBeforePreBind(t *testing.T) {
 
 					informerFactory := informers.NewSharedInformerFactory(client, 0)
 					ar := metrics.NewMetricsAsyncRecorder(10, 1*time.Second, ctx.Done())
-					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(*ar), internalqueue.WithAPIDispatcher(apiDispatcher))
+					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(ar), internalqueue.WithAPIDispatcher(apiDispatcher))
 
 					schedFramework, err := NewFakeFramework(
 						ctx,
@@ -1457,7 +1650,7 @@ func TestScheduleOneMarksPodAsProcessedBeforePreBind(t *testing.T) {
 					sched.SchedulePod = func(ctx context.Context, fwk framework.Framework, state fwk.CycleState, pod *v1.Pod) (ScheduleResult, error) {
 						return item.mockScheduleResult, item.injectSchedulingError
 					}
-					sched.FailureHandler = func(_ context.Context, fwk framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, _ *framework.NominatingInfo, _ time.Time) {
+					sched.FailureHandler = func(_ context.Context, fwk framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, _ *fwk.NominatingInfo, _ time.Time) {
 						gotCallsToFailureHandler++
 						gotPodIsInFlightAtFailureHandler = podListContainsPod(queue.InFlightPods(), p.Pod)
 
@@ -1480,6 +1673,7 @@ func TestScheduleOneMarksPodAsProcessedBeforePreBind(t *testing.T) {
 					if err != nil {
 						t.Fatal(err)
 					}
+					sched.nodeInfoSnapshot = internalcache.NewEmptySnapshot()
 					sched.ScheduleOne(ctx)
 					<-called
 
@@ -1989,14 +2183,14 @@ func TestSchedulerWithVolumeBinding(t *testing.T) {
 func TestSchedulerBinding(t *testing.T) {
 	table := []struct {
 		podName      string
-		extenders    []framework.Extender
+		extenders    []fwk.Extender
 		wantBinderID int
 		name         string
 	}{
 		{
 			name:    "the extender is not a binder",
 			podName: "pod0",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				&fakeExtender{isBinder: false, interestedPodName: "pod0"},
 			},
 			wantBinderID: -1, // default binding.
@@ -2004,7 +2198,7 @@ func TestSchedulerBinding(t *testing.T) {
 		{
 			name:    "one of the extenders is a binder and interested in pod",
 			podName: "pod0",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				&fakeExtender{isBinder: false, interestedPodName: "pod0"},
 				&fakeExtender{isBinder: true, interestedPodName: "pod0"},
 			},
@@ -2013,7 +2207,7 @@ func TestSchedulerBinding(t *testing.T) {
 		{
 			name:    "one of the extenders is a binder, but not interested in pod",
 			podName: "pod1",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				&fakeExtender{isBinder: false, interestedPodName: "pod1"},
 				&fakeExtender{isBinder: true, interestedPodName: "pod0"},
 			},
@@ -2022,7 +2216,7 @@ func TestSchedulerBinding(t *testing.T) {
 		{
 			name:    "ignore when extender bind failed",
 			podName: "pod1",
-			extenders: []framework.Extender{
+			extenders: []fwk.Extender{
 				&fakeExtender{isBinder: true, errBind: true, interestedPodName: "pod1", ignorable: true},
 			},
 			wantBinderID: -1, // default binding.
@@ -2065,7 +2259,7 @@ func TestSchedulerBinding(t *testing.T) {
 				if asyncAPICallsEnabled {
 					informerFactory := informers.NewSharedInformerFactory(client, 0)
 					ar := metrics.NewMetricsAsyncRecorder(10, 1*time.Second, ctx.Done())
-					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(*ar), internalqueue.WithAPIDispatcher(apiDispatcher))
+					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(ar), internalqueue.WithAPIDispatcher(apiDispatcher))
 					fwk.SetAPICacher(apicache.New(queue, cache))
 				}
 
@@ -2099,13 +2293,13 @@ func TestSchedulerBinding(t *testing.T) {
 	}
 }
 
-func TestUpdatePod(t *testing.T) {
+func TestUpdatePodStatus(t *testing.T) {
 	tests := []struct {
 		name                     string
 		currentPodConditions     []v1.PodCondition
 		newPodCondition          *v1.PodCondition
 		currentNominatedNodeName string
-		newNominatingInfo        *framework.NominatingInfo
+		newNominatingInfo        *fwk.NominatingInfo
 		expectPatchRequest       bool
 		expectedPatchDataPattern string
 	}{
@@ -2235,7 +2429,7 @@ func TestUpdatePod(t *testing.T) {
 				Reason:             "currentReason",
 				Message:            "currentMessage",
 			},
-			newNominatingInfo:        &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "node1"},
+			newNominatingInfo:        &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "node1"},
 			expectPatchRequest:       true,
 			expectedPatchDataPattern: `{"status":{"nominatedNodeName":"node1"}}`,
 		},
@@ -2312,7 +2506,7 @@ func TestUpdatePod(t *testing.T) {
 				ctx, cancel := context.WithCancel(ctx)
 				defer cancel()
 
-				var apiCacher framework.APICacher
+				var apiCacher fwk.APICacher
 				if asyncAPICallsEnabled {
 					apiDispatcher := apidispatcher.New(cs, 16, apicalls.Relevances)
 					apiDispatcher.Run(logger)
@@ -2320,7 +2514,7 @@ func TestUpdatePod(t *testing.T) {
 
 					informerFactory := informers.NewSharedInformerFactory(cs, 0)
 					ar := metrics.NewMetricsAsyncRecorder(10, 1*time.Second, ctx.Done())
-					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(*ar), internalqueue.WithAPIDispatcher(apiDispatcher))
+					queue := internalqueue.NewSchedulingQueue(nil, informerFactory, internalqueue.WithMetricsRecorder(ar), internalqueue.WithAPIDispatcher(apiDispatcher))
 					apiCacher = apicache.New(queue, nil)
 				}
 
@@ -2355,135 +2549,65 @@ func TestUpdatePod(t *testing.T) {
 
 func Test_SelectHost(t *testing.T) {
 	tests := []struct {
-		name              string
-		list              []framework.NodePluginScores
-		topNodesCnt       int
-		possibleNodes     sets.Set[string]
-		possibleNodeLists [][]framework.NodePluginScores
-		wantError         error
+		name             string
+		list             []fwk.NodePluginScores
+		expectedNodeList []fwk.NodePluginScores
+		wantError        error
 	}{
 		{
 			name: "unique properly ordered scores",
-			list: []framework.NodePluginScores{
+			list: []fwk.NodePluginScores{
 				{Name: "node1", TotalScore: 1},
 				{Name: "node2", TotalScore: 2},
 			},
-			topNodesCnt:   2,
-			possibleNodes: sets.New("node2"),
-			possibleNodeLists: [][]framework.NodePluginScores{
-				{
-					{Name: "node2", TotalScore: 2},
-					{Name: "node1", TotalScore: 1},
-				},
-			},
-		},
-		{
-			name: "numberOfNodeScoresToReturn > len(list)",
-			list: []framework.NodePluginScores{
-				{Name: "node1", TotalScore: 1},
+			expectedNodeList: []fwk.NodePluginScores{
 				{Name: "node2", TotalScore: 2},
-			},
-			topNodesCnt:   100,
-			possibleNodes: sets.New("node2"),
-			possibleNodeLists: [][]framework.NodePluginScores{
-				{
-					{Name: "node2", TotalScore: 2},
-					{Name: "node1", TotalScore: 1},
-				},
+				{Name: "node1", TotalScore: 1},
 			},
 		},
 		{
 			name: "equal scores",
-			list: []framework.NodePluginScores{
-				{Name: "node2.1", TotalScore: 2},
-				{Name: "node2.2", TotalScore: 2},
-				{Name: "node2.3", TotalScore: 2},
+			list: []fwk.NodePluginScores{
+				{Name: "node2.2", TotalScore: 2, Randomizer: 2},
+				{Name: "node2.1", TotalScore: 2, Randomizer: 1},
+				{Name: "node2.3", TotalScore: 2, Randomizer: 3},
 			},
-			topNodesCnt:   2,
-			possibleNodes: sets.New("node2.1", "node2.2", "node2.3"),
-			possibleNodeLists: [][]framework.NodePluginScores{
-				{
-					{Name: "node2.1", TotalScore: 2},
-					{Name: "node2.2", TotalScore: 2},
-				},
-				{
-					{Name: "node2.1", TotalScore: 2},
-					{Name: "node2.3", TotalScore: 2},
-				},
-				{
-					{Name: "node2.2", TotalScore: 2},
-					{Name: "node2.1", TotalScore: 2},
-				},
-				{
-					{Name: "node2.2", TotalScore: 2},
-					{Name: "node2.3", TotalScore: 2},
-				},
-				{
-					{Name: "node2.3", TotalScore: 2},
-					{Name: "node2.1", TotalScore: 2},
-				},
-				{
-					{Name: "node2.3", TotalScore: 2},
-					{Name: "node2.2", TotalScore: 2},
-				},
+			expectedNodeList: []fwk.NodePluginScores{
+				{Name: "node2.3", TotalScore: 2, Randomizer: 3},
+				{Name: "node2.2", TotalScore: 2, Randomizer: 2},
+				{Name: "node2.1", TotalScore: 2, Randomizer: 1},
 			},
 		},
 		{
 			name: "out of order scores",
-			list: []framework.NodePluginScores{
-				{Name: "node3.1", TotalScore: 3},
+			list: []fwk.NodePluginScores{
+				{Name: "node3.1", TotalScore: 3, Randomizer: 1},
 				{Name: "node2.1", TotalScore: 2},
 				{Name: "node1.1", TotalScore: 1},
-				{Name: "node3.2", TotalScore: 3},
+				{Name: "node3.2", TotalScore: 3, Randomizer: 2},
 			},
-			topNodesCnt:   3,
-			possibleNodes: sets.New("node3.1", "node3.2"),
-			possibleNodeLists: [][]framework.NodePluginScores{
-				{
-					{Name: "node3.1", TotalScore: 3},
-					{Name: "node3.2", TotalScore: 3},
-					{Name: "node2.1", TotalScore: 2},
-				},
-				{
-					{Name: "node3.2", TotalScore: 3},
-					{Name: "node3.1", TotalScore: 3},
-					{Name: "node2.1", TotalScore: 2},
-				},
+			expectedNodeList: []fwk.NodePluginScores{
+				{Name: "node3.2", TotalScore: 3, Randomizer: 2},
+				{Name: "node3.1", TotalScore: 3, Randomizer: 1},
+				{Name: "node2.1", TotalScore: 2},
+				{Name: "node1.1", TotalScore: 1},
 			},
 		},
-		{
-			name:          "empty priority list",
-			list:          []framework.NodePluginScores{},
-			possibleNodes: sets.Set[string]{},
-			wantError:     errEmptyPriorityList,
-		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			// increase the randomness
-			for i := 0; i < 10; i++ {
-				got, scoreList, err := selectHost(test.list, test.topNodesCnt)
-				if err != test.wantError {
-					t.Fatalf("unexpected error is returned from selectHost: got: %v want: %v", err, test.wantError)
-				}
-				if test.possibleNodes.Len() == 0 {
-					if got != "" {
-						t.Fatalf("expected nothing returned as selected Node, but actually %s is returned from selectHost", got)
-					}
-					return
-				}
-				if !test.possibleNodes.Has(got) {
-					t.Errorf("got %s is not in the possible map %v", got, test.possibleNodes)
-				}
-				if got != scoreList[0].Name {
-					t.Errorf("The head of list should be the selected Node's score: got: %v, expected: %v", scoreList[0], got)
-				}
-				for _, list := range test.possibleNodeLists {
-					if cmp.Equal(list, scoreList) {
-						return
-					}
-				}
+			var err error
+			var scoreList = []fwk.NodePluginScores{}
+			h := newSortedNodeScores(test.list)
+			for range len(test.list) {
+				gotNode := h.PopScore()
+				scoreList = append(scoreList, gotNode)
+			}
+			if !errors.Is(err, test.wantError) {
+				t.Fatalf("unexpected error is returned from selectHost: got: %v want: %v", err, test.wantError)
+			}
+			if !cmp.Equal(test.expectedNodeList, scoreList) {
 				t.Errorf("Unexpected scoreList: %v", scoreList)
 			}
 		})
@@ -2640,7 +2764,7 @@ func TestFindNodesThatPassExtenders(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_, ctx := ktesting.NewTestContext(t)
-			var extenders []framework.Extender
+			var extenders []fwk.Extender
 			for ii := range tt.extenders {
 				extenders = append(extenders, &tt.extenders[ii])
 			}
@@ -3170,11 +3294,11 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter2",
-					tf.NewFakePreFilterPlugin("FakePreFilter2", &framework.PreFilterResult{NodeNames: sets.New("node2")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter2", &fwk.PreFilterResult{NodeNames: sets.New("node2")}, nil),
 				),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter3",
-					tf.NewFakePreFilterPlugin("FakePreFilter3", &framework.PreFilterResult{NodeNames: sets.New("node1", "node2")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter3", &fwk.PreFilterResult{NodeNames: sets.New("node1", "node2")}, nil),
 				),
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
@@ -3198,11 +3322,11 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter2",
-					tf.NewFakePreFilterPlugin("FakePreFilter2", &framework.PreFilterResult{NodeNames: sets.New("node2")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter2", &fwk.PreFilterResult{NodeNames: sets.New("node2")}, nil),
 				),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter3",
-					tf.NewFakePreFilterPlugin("FakePreFilter3", &framework.PreFilterResult{NodeNames: sets.New("node1")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter3", &fwk.PreFilterResult{NodeNames: sets.New("node1")}, nil),
 				),
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
@@ -3232,7 +3356,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter2",
-					tf.NewFakePreFilterPlugin("FakePreFilter2", &framework.PreFilterResult{NodeNames: sets.New[string]()}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter2", &fwk.PreFilterResult{NodeNames: sets.New[string]()}, nil),
 				),
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
@@ -3256,7 +3380,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter",
-					tf.NewFakePreFilterPlugin("FakePreFilter", &framework.PreFilterResult{NodeNames: sets.New[string]("node2")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter", &fwk.PreFilterResult{NodeNames: sets.New[string]("node2")}, nil),
 				),
 				tf.RegisterFilterPlugin(
 					"FakeFilter",
@@ -3295,7 +3419,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 						"node1": fwk.Unschedulable,
 					}),
 				),
-				tf.RegisterPluginAsExtensions("FakeFilter2", func(_ context.Context, configuration runtime.Object, f framework.Handle) (framework.Plugin, error) {
+				tf.RegisterPluginAsExtensions("FakeFilter2", func(_ context.Context, configuration runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 					return tf.FakePreFilterAndFilterPlugin{
 						FakePreFilterPlugin: &tf.FakePreFilterPlugin{
 							Result: nil,
@@ -3362,7 +3486,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter",
-					tf.NewFakePreFilterPlugin("FakePreFilter", &framework.PreFilterResult{NodeNames: sets.New("node1", "node2")}, nil),
+					tf.NewFakePreFilterPlugin("FakePreFilter", &fwk.PreFilterResult{NodeNames: sets.New("node1", "node2")}, nil),
 				),
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
@@ -3382,7 +3506,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
 				tf.RegisterPreFilterPlugin(
 					"FakePreFilter",
-					tf.NewFakePreFilterPlugin("FakePreFilter", &framework.PreFilterResult{
+					tf.NewFakePreFilterPlugin("FakePreFilter", &fwk.PreFilterResult{
 						NodeNames: sets.New("invalid-node"),
 					}, nil),
 				),
@@ -3474,7 +3598,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				_, _ = cs.CoreV1().PersistentVolumes().Create(ctx, &pv, metav1.CreateOptions{})
 			}
 			snapshot := internalcache.NewSnapshot(test.pods, nodes)
-			fwk, err := tf.NewFramework(
+			schedFramework, err := tf.NewFramework(
 				ctx,
 				test.registerPlugins, "",
 				frameworkruntime.WithSnapshotSharedLister(snapshot),
@@ -3485,7 +3609,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			var extenders []framework.Extender
+			var extenders []fwk.Extender
 			for ii := range test.extenders {
 				extenders = append(extenders, &test.extenders[ii])
 			}
@@ -3500,7 +3624,7 @@ func TestSchedulerSchedulePod(t *testing.T) {
 			informerFactory.Start(ctx.Done())
 			informerFactory.WaitForCacheSync(ctx.Done())
 
-			result, err := sched.SchedulePod(ctx, fwk, framework.NewCycleState(), test.pod)
+			result, err := sched.SchedulePod(ctx, schedFramework, framework.NewCycleState(), test.pod)
 			if err != test.wErr {
 				gotFitErr, gotOK := err.(*framework.FitError)
 				wantFitErr, wantOK := test.wErr.(*framework.FitError)
@@ -3553,7 +3677,7 @@ func TestFindFitAllError(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, diagnosis, err := scheduler.findNodesThatFitPod(ctx, schedFramework, framework.NewCycleState(), &v1.Pod{})
+	_, diagnosis, _, _, err := scheduler.findNodesThatFitPod(ctx, schedFramework, framework.NewCycleState(), &v1.Pod{})
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
@@ -3599,7 +3723,7 @@ func TestFindFitSomeError(t *testing.T) {
 	}
 
 	pod := st.MakePod().Name("1").UID("1").Obj()
-	_, diagnosis, err := scheduler.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), pod)
+	_, diagnosis, _, _, err := scheduler.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), pod)
 	if err != nil {
 		t.Errorf("unexpected error: %v", err)
 	}
@@ -3651,7 +3775,7 @@ func TestFindFitPredicateCallCounts(t *testing.T) {
 			plugin := tf.FakeFilterPlugin{}
 			registerFakeFilterFunc := tf.RegisterFilterPlugin(
 				"FakeFilter",
-				func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return &plugin, nil
 				},
 			)
@@ -3674,7 +3798,7 @@ func TestFindFitPredicateCallCounts(t *testing.T) {
 			if err := scheduler.Cache.UpdateSnapshot(logger, scheduler.nodeInfoSnapshot); err != nil {
 				t.Fatal(err)
 			}
-			fwk, err := tf.NewFramework(
+			schedFramework, err := tf.NewFramework(
 				ctx,
 				registerPlugins, "",
 				frameworkruntime.WithPodNominator(internalqueue.NewSchedulingQueue(nil, informerFactory)),
@@ -3692,9 +3816,9 @@ func TestFindFitPredicateCallCounts(t *testing.T) {
 			if err != nil {
 				t.Fatalf("Error adding nominated pod to podInformer: %s", err)
 			}
-			fwk.AddNominatedPod(logger, podinfo, &framework.NominatingInfo{NominatingMode: framework.ModeOverride, NominatedNodeName: "1"})
+			schedFramework.AddNominatedPod(logger, podinfo, &fwk.NominatingInfo{NominatingMode: fwk.ModeOverride, NominatedNodeName: "1"})
 
-			_, _, err = scheduler.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), test.pod)
+			_, _, _, _, err = scheduler.findNodesThatFitPod(ctx, schedFramework, framework.NewCycleState(), test.pod)
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 			}
@@ -3833,7 +3957,7 @@ func TestZeroRequest(t *testing.T) {
 			sched.applyDefaultHandlers()
 
 			state := framework.NewCycleState()
-			_, _, err = sched.findNodesThatFitPod(ctx, fwk, state, test.pod)
+			_, _, _, _, err = sched.findNodesThatFitPod(ctx, fwk, state, test.pod)
 			if err != nil {
 				t.Fatalf("error filtering nodes: %+v", err)
 			}
@@ -3916,7 +4040,7 @@ func Test_prioritizeNodes(t *testing.T) {
 		nodes               []*v1.Node
 		pluginRegistrations []tf.RegisterPluginFunc
 		extenders           []tf.FakeExtender
-		want                []framework.NodePluginScores
+		want                []fwk.NodePluginScores
 	}{
 		{
 			name:  "the score from all plugins should be recorded in PluginToNodeScores",
@@ -3929,10 +4053,10 @@ func Test_prioritizeNodes(t *testing.T) {
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
 			extenders: nil,
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "Node2Prioritizer",
 							Score: 10,
@@ -3946,7 +4070,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "Node2Prioritizer",
 							Score: 100,
@@ -3991,10 +4115,10 @@ func Test_prioritizeNodes(t *testing.T) {
 					},
 				},
 			},
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 
 						{
 							Name:  "FakeExtender1",
@@ -4013,7 +4137,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "FakeExtender1",
 							Score: 30,
@@ -4046,10 +4170,10 @@ func Test_prioritizeNodes(t *testing.T) {
 				), "PreScore", "Score"),
 			},
 			extenders: nil,
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "Node2Prioritizer",
 							Score: 10,
@@ -4063,7 +4187,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "Node2Prioritizer",
 							Score: 100,
@@ -4090,9 +4214,9 @@ func Test_prioritizeNodes(t *testing.T) {
 				), "PreScore", "Score"),
 			},
 			extenders: nil,
-			want: []framework.NodePluginScores{
-				{Name: "node1", Scores: []framework.PluginScore{}},
-				{Name: "node2", Scores: []framework.PluginScore{}},
+			want: []fwk.NodePluginScores{
+				{Name: "node1", Scores: []fwk.PluginScore{}},
+				{Name: "node2", Scores: []fwk.PluginScore{}},
 			},
 		},
 		{
@@ -4117,10 +4241,10 @@ func Test_prioritizeNodes(t *testing.T) {
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
 			extenders: nil,
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 5,
@@ -4130,7 +4254,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 5,
@@ -4140,7 +4264,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node3",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 5,
@@ -4171,10 +4295,10 @@ func Test_prioritizeNodes(t *testing.T) {
 				tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
 			},
 			extenders: nil,
-			want: []framework.NodePluginScores{
+			want: []fwk.NodePluginScores{
 				{
 					Name: "node1",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 18,
@@ -4184,7 +4308,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node2",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 18,
@@ -4194,7 +4318,7 @@ func Test_prioritizeNodes(t *testing.T) {
 				},
 				{
 					Name: "node3",
-					Scores: []framework.PluginScore{
+					Scores: []fwk.PluginScore{
 						{
 							Name:  "ImageLocality",
 							Score: 0,
@@ -4222,7 +4346,7 @@ func Test_prioritizeNodes(t *testing.T) {
 			if err := cache.UpdateSnapshot(klog.FromContext(ctx), snapshot); err != nil {
 				t.Fatal(err)
 			}
-			fwk, err := tf.NewFramework(
+			schedFramework, err := tf.NewFramework(
 				ctx,
 				test.pluginRegistrations, "",
 				frameworkruntime.WithInformerFactory(informerFactory),
@@ -4235,7 +4359,7 @@ func Test_prioritizeNodes(t *testing.T) {
 			}
 
 			state := framework.NewCycleState()
-			var extenders []framework.Extender
+			var extenders []fwk.Extender
 			for ii := range test.extenders {
 				extenders = append(extenders, &test.extenders[ii])
 			}
@@ -4243,10 +4367,13 @@ func Test_prioritizeNodes(t *testing.T) {
 			if err != nil {
 				t.Fatalf("failed to list node from snapshot: %v", err)
 			}
-			nodesscores, err := prioritizeNodes(ctx, extenders, fwk, state, test.pod, nodeInfos)
+			nodesscores, err := prioritizeNodes(ctx, extenders, schedFramework, state, test.pod, nodeInfos)
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 			}
+			for i := range nodesscores {
+				nodesscores[i].Randomizer = 0
+			}
 			for i := range nodesscores {
 				sort.Slice(nodesscores[i].Scores, func(j, k int) bool {
 					return nodesscores[i].Scores[j].Name < nodesscores[i].Scores[k].Name
@@ -4364,7 +4491,7 @@ func TestFairEvaluationForNodes(t *testing.T) {
 
 	// Iterating over all nodes more than twice
 	for i := 0; i < 2*(numAllNodes/nodesToFind+1); i++ {
-		nodesThatFit, _, err := sched.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), &v1.Pod{})
+		nodesThatFit, _, _, _, err := sched.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), &v1.Pod{})
 		if err != nil {
 			t.Errorf("unexpected error: %v", err)
 		}
@@ -4419,7 +4546,7 @@ func TestPreferNominatedNodeFilterCallCounts(t *testing.T) {
 			plugin := tf.FakeFilterPlugin{FailedNodeReturnCodeMap: test.nodeReturnCodeMap}
 			registerFakeFilterFunc := tf.RegisterFilterPlugin(
 				"FakeFilter",
-				func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					return &plugin, nil
 				},
 			)
@@ -4448,7 +4575,7 @@ func TestPreferNominatedNodeFilterCallCounts(t *testing.T) {
 			}
 			sched.applyDefaultHandlers()
 
-			_, _, err = sched.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), test.pod)
+			_, _, _, _, err = sched.findNodesThatFitPod(ctx, fwk, framework.NewCycleState(), test.pod)
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 			}
@@ -4623,7 +4750,7 @@ func setupTestScheduler(ctx context.Context, t *testing.T, client clientset.Inte
 	}
 
 	sched.SchedulePod = sched.schedulePod
-	sched.FailureHandler = func(_ context.Context, _ framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, _ *framework.NominatingInfo, _ time.Time) {
+	sched.FailureHandler = func(_ context.Context, _ framework.Framework, p *framework.QueuedPodInfo, status *fwk.Status, _ *fwk.NominatingInfo, _ time.Time) {
 		err := status.AsError()
 		errChan <- err
 
@@ -4675,7 +4802,7 @@ func setupTestSchedulerWithVolumeBinding(ctx context.Context, t *testing.T, clie
 	fns := []tf.RegisterPluginFunc{
 		tf.RegisterQueueSortPlugin(queuesort.Name, queuesort.New),
 		tf.RegisterBindPlugin(defaultbinder.Name, defaultbinder.New),
-		tf.RegisterPluginAsExtensions(volumebinding.Name, func(ctx context.Context, plArgs runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+		tf.RegisterPluginAsExtensions(volumebinding.Name, func(ctx context.Context, plArgs runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 			return &volumebinding.VolumeBinding{Binder: volumeBinder, PVCLister: pvcInformer.Lister()}, nil
 		}, "PreFilter", "Filter", "Reserve", "PreBind"),
 	}
diff --git a/pkg/scheduler/scheduler.go b/pkg/scheduler/scheduler.go
index 52a2462950e25..7c289c154144d 100644
--- a/pkg/scheduler/scheduler.go
+++ b/pkg/scheduler/scheduler.go
@@ -45,12 +45,14 @@ import (
 	internalcache "k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	cachedebugger "k8s.io/kubernetes/pkg/scheduler/backend/cache/debugger"
 	internalqueue "k8s.io/kubernetes/pkg/scheduler/backend/queue"
+	internalworkloadmanager "k8s.io/kubernetes/pkg/scheduler/backend/workloadmanager"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	apicalls "k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
 	"k8s.io/kubernetes/pkg/scheduler/framework/parallelize"
 	frameworkplugins "k8s.io/kubernetes/pkg/scheduler/framework/plugins"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/noderesources"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/nodevolumelimits"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
 	"k8s.io/kubernetes/pkg/scheduler/profile"
@@ -74,7 +76,7 @@ type Scheduler struct {
 	// by NodeLister and Algorithm.
 	Cache internalcache.Cache
 
-	Extenders []framework.Extender
+	Extenders []fwk.Extender
 
 	// NextPod should be a function that blocks until the next pod
 	// is available. We don't use a channel for this, because scheduling
@@ -102,6 +104,9 @@ type Scheduler struct {
 	// framework.APICache should be used instead.
 	APIDispatcher *apidispatcher.APIDispatcher
 
+	// WorkloadManager can be used to provide workload-aware scheduling.
+	WorkloadManager internalworkloadmanager.WorkloadManager
+
 	// Profiles are the scheduling profiles.
 	Profiles profile.Map
 
@@ -160,7 +165,7 @@ type ScheduleResult struct {
 	// The number of nodes out of the evaluated ones that fit the pod.
 	FeasibleNodes int
 	// The nominating info for scheduling cycle.
-	nominatingInfo *framework.NominatingInfo
+	nominatingInfo *fwk.NominatingInfo
 }
 
 // WithComponentConfigVersion sets the component config version to the
@@ -321,19 +326,19 @@ func New(ctx context.Context,
 
 	var resourceClaimCache *assumecache.AssumeCache
 	var resourceSliceTracker *resourceslicetracker.Tracker
-	var draManager framework.SharedDRAManager
+	var draManager fwk.SharedDRAManager
 	if feature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 		resourceClaimInformer := informerFactory.Resource().V1().ResourceClaims().Informer()
 		resourceClaimCache = assumecache.NewAssumeCache(logger, resourceClaimInformer, "ResourceClaim", "", nil)
 		resourceSliceTrackerOpts := resourceslicetracker.Options{
-			EnableDeviceTaints:       feature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
+			EnableDeviceTaintRules:   feature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules),
 			EnableConsumableCapacity: feature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity),
 			SliceInformer:            informerFactory.Resource().V1().ResourceSlices(),
 			KubeClient:               client,
 		}
-		// If device taints are disabled, the additional informers are not needed and
+		// If device taint rules are disabled, the additional informers are not needed and
 		// the tracker turns into a simple wrapper around the slice informer.
-		if resourceSliceTrackerOpts.EnableDeviceTaints {
+		if resourceSliceTrackerOpts.EnableDeviceTaintRules {
 			resourceSliceTrackerOpts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
 			resourceSliceTrackerOpts.ClassInformer = informerFactory.Resource().V1().DeviceClasses()
 		}
@@ -343,10 +348,16 @@ func New(ctx context.Context,
 		}
 		draManager = dynamicresources.NewDRAManager(ctx, resourceClaimCache, resourceSliceTracker, informerFactory)
 	}
+	sharedCSIManager := nodevolumelimits.NewCSIManager(informerFactory.Storage().V1().CSINodes().Lister())
+
 	var apiDispatcher *apidispatcher.APIDispatcher
 	if feature.DefaultFeatureGate.Enabled(features.SchedulerAsyncAPICalls) {
 		apiDispatcher = apidispatcher.New(client, int(options.parallelism), apicalls.Relevances)
 	}
+	var workloadManager internalworkloadmanager.WorkloadManager
+	if feature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+		workloadManager = internalworkloadmanager.New()
+	}
 
 	profiles, err := profile.NewMap(ctx, options.profiles, registry, recorderFactory,
 		frameworkruntime.WithComponentConfigVersion(options.componentConfigVersion),
@@ -361,6 +372,8 @@ func New(ctx context.Context,
 		frameworkruntime.WithMetricsRecorder(metricsRecorder),
 		frameworkruntime.WithWaitingPods(waitingPods),
 		frameworkruntime.WithAPIDispatcher(apiDispatcher),
+		frameworkruntime.WithSharedCSIManager(sharedCSIManager),
+		frameworkruntime.WithWorkloadManager(workloadManager),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("initializing profiles: %v", err)
@@ -370,12 +383,12 @@ func New(ctx context.Context,
 		return nil, errors.New("at least one profile is required")
 	}
 
-	preEnqueuePluginMap := make(map[string]map[string]framework.PreEnqueuePlugin)
+	preEnqueuePluginMap := make(map[string]map[string]fwk.PreEnqueuePlugin)
 	queueingHintsPerProfile := make(internalqueue.QueueingHintMapPerProfile)
 	var returnErr error
 	for profileName, profile := range profiles {
 		plugins := profile.PreEnqueuePlugins()
-		preEnqueuePluginMap[profileName] = make(map[string]framework.PreEnqueuePlugin, len(plugins))
+		preEnqueuePluginMap[profileName] = make(map[string]fwk.PreEnqueuePlugin, len(plugins))
 		for _, plugin := range plugins {
 			preEnqueuePluginMap[profileName][plugin.Name()] = plugin
 		}
@@ -401,13 +414,13 @@ func New(ctx context.Context,
 		internalqueue.WithPreEnqueuePluginMap(preEnqueuePluginMap),
 		internalqueue.WithQueueingHintMapPerProfile(queueingHintsPerProfile),
 		internalqueue.WithPluginMetricsSamplePercent(pluginMetricsSamplePercent),
-		internalqueue.WithMetricsRecorder(*metricsRecorder),
+		internalqueue.WithMetricsRecorder(metricsRecorder),
 		internalqueue.WithAPIDispatcher(apiDispatcher),
 	)
 
 	schedulerCache := internalcache.New(ctx, durationToExpireAssumedPod, apiDispatcher)
 
-	var apiCache framework.APICacher
+	var apiCache fwk.APICacher
 	if apiDispatcher != nil {
 		apiCache = apicache.New(podQueue, schedulerCache)
 	}
@@ -434,11 +447,12 @@ func New(ctx context.Context,
 		logger:                                 logger,
 		APIDispatcher:                          apiDispatcher,
 		nominatedNodeNameForExpectationEnabled: feature.DefaultFeatureGate.Enabled(features.NominatedNodeNameForExpectation),
+		WorkloadManager:                        workloadManager,
 	}
 	sched.NextPod = podQueue.Pop
 	sched.applyDefaultHandlers()
 
-	if err = addAllEventHandlers(sched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, unionedGVKs(queueingHintsPerProfile)); err != nil {
+	if err = addAllEventHandlers(sched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, draManager, unionedGVKs(queueingHintsPerProfile)); err != nil {
 		return nil, fmt.Errorf("adding event handlers: %w", err)
 	}
 
@@ -451,7 +465,7 @@ var defaultQueueingHintFn = func(_ klog.Logger, _ *v1.Pod, _, _ interface{}) (fw
 	return fwk.Queue, nil
 }
 
-func buildQueueingHintMap(ctx context.Context, es []framework.EnqueueExtensions) (internalqueue.QueueingHintMap, error) {
+func buildQueueingHintMap(ctx context.Context, es []fwk.EnqueueExtensions) (internalqueue.QueueingHintMap, error) {
 	queueingHintMap := make(internalqueue.QueueingHintMap)
 	var returnErr error
 	for _, e := range es {
@@ -558,14 +572,14 @@ func NewInformerFactory(cs clientset.Interface, resyncPeriod time.Duration) info
 	return informerFactory
 }
 
-func buildExtenders(logger klog.Logger, extenders []schedulerapi.Extender, profiles []schedulerapi.KubeSchedulerProfile) ([]framework.Extender, error) {
-	var fExtenders []framework.Extender
+func buildExtenders(logger klog.Logger, extenders []schedulerapi.Extender, profiles []schedulerapi.KubeSchedulerProfile) ([]fwk.Extender, error) {
+	var fExtenders []fwk.Extender
 	if len(extenders) == 0 {
 		return nil, nil
 	}
 
 	var ignoredExtendedResources []string
-	var ignorableExtenders []framework.Extender
+	var ignorableExtenders []fwk.Extender
 	for i := range extenders {
 		logger.V(2).Info("Creating extender", "extender", extenders[i])
 		extender, err := NewHTTPExtender(&extenders[i])
@@ -616,7 +630,7 @@ func buildExtenders(logger klog.Logger, extenders []schedulerapi.Extender, profi
 	return fExtenders, nil
 }
 
-type FailureHandlerFn func(ctx context.Context, fwk framework.Framework, podInfo *framework.QueuedPodInfo, status *fwk.Status, nominatingInfo *framework.NominatingInfo, start time.Time)
+type FailureHandlerFn func(ctx context.Context, fwk framework.Framework, podInfo *framework.QueuedPodInfo, status *fwk.Status, nominatingInfo *fwk.NominatingInfo, start time.Time)
 
 func unionedGVKs(queueingHintsPerProfile internalqueue.QueueingHintMapPerProfile) map[fwk.EventResource]fwk.ActionType {
 	gvkMap := make(map[fwk.EventResource]fwk.ActionType)
@@ -654,3 +668,10 @@ func newPodInformer(cs clientset.Interface, resyncPeriod time.Duration) cache.Sh
 	informer.SetTransform(trim)
 	return informer
 }
+
+func (sched *Scheduler) CurrentCycle() int64 {
+	if sched.SchedulingQueue != nil {
+		return sched.SchedulingQueue.SchedulingCycle()
+	}
+	return 0
+}
diff --git a/pkg/scheduler/scheduler_test.go b/pkg/scheduler/scheduler_test.go
index 27c6524c03e59..519c6fc71a226 100644
--- a/pkg/scheduler/scheduler_test.go
+++ b/pkg/scheduler/scheduler_test.go
@@ -36,7 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/version"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
@@ -47,20 +47,18 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
 	fwk "k8s.io/kube-scheduler/framework"
-	testingclock "k8s.io/utils/clock/testing"
-	"k8s.io/utils/ptr"
-
 	"k8s.io/kubernetes/pkg/features"
 	schedulerapi "k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/testing/defaults"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_cache"
-	"k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
+	apicache "k8s.io/kubernetes/pkg/scheduler/backend/api_cache"
+	apidispatcher "k8s.io/kubernetes/pkg/scheduler/backend/api_dispatcher"
 	internalcache "k8s.io/kubernetes/pkg/scheduler/backend/cache"
 	internalqueue "k8s.io/kubernetes/pkg/scheduler/backend/queue"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
+	apicalls "k8s.io/kubernetes/pkg/scheduler/framework/api_calls"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultbinder"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/queuesort"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 	"k8s.io/kubernetes/pkg/scheduler/metrics"
@@ -68,6 +66,8 @@ import (
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	tf "k8s.io/kubernetes/pkg/scheduler/testing/framework"
 	utiltesting "k8s.io/kubernetes/test/utils/ktesting"
+	testingclock "k8s.io/utils/clock/testing"
+	"k8s.io/utils/ptr"
 )
 
 func init() {
@@ -242,7 +242,7 @@ func TestSchedulerCreation(t *testing.T) {
 					t.Errorf("unexpected extenders (-want, +got):\n%s", diff)
 				}
 
-				// framework.Handle.Extenders()
+				// fwk.Handle.Extenders()
 				for _, p := range s.Profiles {
 					extenders := make([]string, 0, len(p.Extenders()))
 					for _, e := range p.Extenders() {
@@ -308,7 +308,7 @@ func TestFailureHandler(t *testing.T) {
 				}
 
 				recorder := metrics.NewMetricsAsyncRecorder(3, 20*time.Microsecond, ctx.Done())
-				queue := internalqueue.NewPriorityQueue(nil, informerFactory, internalqueue.WithClock(testingclock.NewFakeClock(time.Now())), internalqueue.WithMetricsRecorder(*recorder), internalqueue.WithAPIDispatcher(apiDispatcher))
+				queue := internalqueue.NewPriorityQueue(nil, informerFactory, internalqueue.WithClock(testingclock.NewFakeClock(time.Now())), internalqueue.WithMetricsRecorder(recorder), internalqueue.WithAPIDispatcher(apiDispatcher))
 				schedulerCache := internalcache.New(ctx, 30*time.Second, apiDispatcher)
 
 				queue.Add(logger, testPod)
@@ -525,7 +525,7 @@ func TestInitPluginsWithIndexers(t *testing.T) {
 		{
 			name: "register indexer, no conflicts",
 			entrypoints: map[string]frameworkruntime.PluginFactory{
-				"AddIndexer": func(ctx context.Context, obj runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+				"AddIndexer": func(ctx context.Context, obj runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 					podInformer := handle.SharedInformerFactory().Core().V1().Pods()
 					err := podInformer.Informer().AddIndexers(cache.Indexers{
 						"nodeName": indexByPodSpecNodeName,
@@ -538,14 +538,14 @@ func TestInitPluginsWithIndexers(t *testing.T) {
 			name: "register the same indexer name multiple times, conflict",
 			// order of registration doesn't matter
 			entrypoints: map[string]frameworkruntime.PluginFactory{
-				"AddIndexer1": func(ctx context.Context, obj runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+				"AddIndexer1": func(ctx context.Context, obj runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 					podInformer := handle.SharedInformerFactory().Core().V1().Pods()
 					err := podInformer.Informer().AddIndexers(cache.Indexers{
 						"nodeName": indexByPodSpecNodeName,
 					})
 					return &TestPlugin{name: "AddIndexer1"}, err
 				},
-				"AddIndexer2": func(ctx context.Context, obj runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+				"AddIndexer2": func(ctx context.Context, obj runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 					podInformer := handle.SharedInformerFactory().Core().V1().Pods()
 					err := podInformer.Informer().AddIndexers(cache.Indexers{
 						"nodeName": indexByPodAnnotationNodeName,
@@ -559,14 +559,14 @@ func TestInitPluginsWithIndexers(t *testing.T) {
 			name: "register the same indexer body with different names, no conflicts",
 			// order of registration doesn't matter
 			entrypoints: map[string]frameworkruntime.PluginFactory{
-				"AddIndexer1": func(ctx context.Context, obj runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+				"AddIndexer1": func(ctx context.Context, obj runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 					podInformer := handle.SharedInformerFactory().Core().V1().Pods()
 					err := podInformer.Informer().AddIndexers(cache.Indexers{
 						"nodeName1": indexByPodSpecNodeName,
 					})
 					return &TestPlugin{name: "AddIndexer1"}, err
 				},
-				"AddIndexer2": func(ctx context.Context, obj runtime.Object, handle framework.Handle) (framework.Plugin, error) {
+				"AddIndexer2": func(ctx context.Context, obj runtime.Object, handle fwk.Handle) (fwk.Plugin, error) {
 					podInformer := handle.SharedInformerFactory().Core().V1().Pods()
 					err := podInformer.Informer().AddIndexers(cache.Indexers{
 						"nodeName2": indexByPodAnnotationNodeName,
@@ -652,14 +652,14 @@ const (
 func Test_buildQueueingHintMap(t *testing.T) {
 	tests := []struct {
 		name                string
-		plugins             []framework.Plugin
+		plugins             []fwk.Plugin
 		want                map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction
 		featuregateDisabled bool
 		wantErr             error
 	}{
 		{
 			name:    "filter without EnqueueExtensions plugin",
-			plugins: []framework.Plugin{&filterWithoutEnqueueExtensionsPlugin{}},
+			plugins: []fwk.Plugin{&filterWithoutEnqueueExtensionsPlugin{}},
 			want: map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{
 				{Resource: fwk.Pod, ActionType: fwk.All}: {
 					{PluginName: filterWithoutEnqueueExtensions, QueueingHintFn: defaultQueueingHintFn},
@@ -691,11 +691,14 @@ func Test_buildQueueingHintMap(t *testing.T) {
 				{Resource: fwk.DeviceClass, ActionType: fwk.All}: {
 					{PluginName: filterWithoutEnqueueExtensions, QueueingHintFn: defaultQueueingHintFn},
 				},
+				{Resource: fwk.Workload, ActionType: fwk.All}: {
+					{PluginName: filterWithoutEnqueueExtensions, QueueingHintFn: defaultQueueingHintFn},
+				},
 			},
 		},
 		{
 			name:    "node and pod plugin",
-			plugins: []framework.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}},
+			plugins: []fwk.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}},
 			want: map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{
 				{Resource: fwk.Pod, ActionType: fwk.Add}: {
 					{PluginName: fakePod, QueueingHintFn: fakePodPluginQueueingFn},
@@ -710,7 +713,7 @@ func Test_buildQueueingHintMap(t *testing.T) {
 		},
 		{
 			name:                "node and pod plugin (featuregate is disabled)",
-			plugins:             []framework.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}},
+			plugins:             []fwk.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}},
 			featuregateDisabled: true,
 			want: map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{
 				{Resource: fwk.Pod, ActionType: fwk.Add}: {
@@ -726,12 +729,12 @@ func Test_buildQueueingHintMap(t *testing.T) {
 		},
 		{
 			name:    "register plugin with empty event",
-			plugins: []framework.Plugin{&emptyEventPlugin{}},
+			plugins: []fwk.Plugin{&emptyEventPlugin{}},
 			want:    map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{},
 		},
 		{
 			name:    "register plugins including emptyEventPlugin",
-			plugins: []framework.Plugin{&emptyEventPlugin{}, &fakeNodePlugin{}},
+			plugins: []fwk.Plugin{&emptyEventPlugin{}, &fakeNodePlugin{}},
 			want: map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{
 				{Resource: fwk.Pod, ActionType: fwk.Add}: {
 					{PluginName: fakePod, QueueingHintFn: fakePodPluginQueueingFn},
@@ -746,7 +749,7 @@ func Test_buildQueueingHintMap(t *testing.T) {
 		},
 		{
 			name:    "one EventsToRegister returns an error",
-			plugins: []framework.Plugin{&errorEventsToRegisterPlugin{}},
+			plugins: []fwk.Plugin{&errorEventsToRegisterPlugin{}},
 			want:    map[fwk.ClusterEvent][]*internalqueue.QueueingHintFunction{},
 			wantErr: errors.New("mock error"),
 		},
@@ -755,8 +758,8 @@ func Test_buildQueueingHintMap(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.featuregateDisabled {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerQueueingHints, false)
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse("1.33"))
+				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.SchedulerQueueingHints, false)
 			}
 
 			logger, ctx := ktesting.NewTestContext(t)
@@ -767,7 +770,7 @@ func Test_buildQueueingHintMap(t *testing.T) {
 			plugins := append(tt.plugins, &fakebindPlugin{}, &fakeQueueSortPlugin{})
 			for _, pl := range plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.Name(), func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.Name(), func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("fail to register filter plugin (%s)", pl.Name())
@@ -834,6 +837,8 @@ func Test_UnionedGVKs(t *testing.T) {
 		enableInPlacePodVerticalScaling bool
 		enableSchedulerQueueingHints    bool
 		enableDynamicResourceAllocation bool
+		enableNodeDeclaredFeatures      bool
+		enableGangScheduling            bool
 	}{
 		{
 			name: "filter without EnqueueExtensions plugin",
@@ -858,6 +863,34 @@ func Test_UnionedGVKs(t *testing.T) {
 				fwk.DeviceClass:           fwk.All,
 			},
 		},
+		{
+			name: "filter without EnqueueExtensions plugin (GenericWorkload enabled)",
+			plugins: schedulerapi.PluginSet{
+				Enabled: []schedulerapi.Plugin{
+					{Name: filterWithoutEnqueueExtensions},
+					{Name: queueSort},
+					{Name: fakeBind},
+				},
+				Disabled: []schedulerapi.Plugin{{Name: "*"}}, // disable default plugins
+			},
+			want: map[fwk.EventResource]fwk.ActionType{
+				fwk.Pod:                   fwk.All,
+				fwk.Node:                  fwk.All,
+				fwk.CSINode:               fwk.All,
+				fwk.CSIDriver:             fwk.All,
+				fwk.CSIStorageCapacity:    fwk.All,
+				fwk.PersistentVolume:      fwk.All,
+				fwk.PersistentVolumeClaim: fwk.All,
+				fwk.StorageClass:          fwk.All,
+				fwk.ResourceClaim:         fwk.All,
+				fwk.DeviceClass:           fwk.All,
+				fwk.Workload:              fwk.All,
+			},
+			enableGangScheduling:            true,
+			enableInPlacePodVerticalScaling: true,
+			enableDynamicResourceAllocation: true,
+			enableSchedulerQueueingHints:    true,
+		},
 		{
 			name: "node plugin",
 			plugins: schedulerapi.PluginSet{
@@ -1001,16 +1034,78 @@ func Test_UnionedGVKs(t *testing.T) {
 			enableDynamicResourceAllocation: true,
 			enableSchedulerQueueingHints:    true,
 		},
+		{
+			name:    "plugins with default profile and NodeDeclaredFeatures",
+			plugins: schedulerapi.PluginSet{Enabled: append(defaults.PluginsV1.MultiPoint.Enabled, schedulerapi.Plugin{Name: names.NodeDeclaredFeatures})},
+			want: map[fwk.EventResource]fwk.ActionType{
+				// NodeDeclaredFeatures adds fwk.Update
+				fwk.Pod: fwk.Add | fwk.UpdatePodLabel | fwk.UpdatePodGeneratedResourceClaim | fwk.UpdatePodToleration | fwk.UpdatePodSchedulingGatesEliminated | fwk.Delete | fwk.Update,
+				// NodeDeclaredFeatures adds fwk.UpdateNodeDeclaredFeature
+				fwk.Node:                  fwk.Add | fwk.UpdateNodeAllocatable | fwk.UpdateNodeLabel | fwk.UpdateNodeTaint | fwk.Delete | fwk.UpdateNodeDeclaredFeature,
+				fwk.CSINode:               fwk.All - fwk.Delete,
+				fwk.CSIDriver:             fwk.Update,
+				fwk.CSIStorageCapacity:    fwk.All - fwk.Delete,
+				fwk.PersistentVolume:      fwk.All - fwk.Delete,
+				fwk.PersistentVolumeClaim: fwk.All - fwk.Delete,
+				fwk.StorageClass:          fwk.All - fwk.Delete,
+				fwk.VolumeAttachment:      fwk.Delete,
+				fwk.DeviceClass:           fwk.All - fwk.Delete,
+				fwk.ResourceClaim:         fwk.All - fwk.Delete,
+				fwk.ResourceSlice:         fwk.All - fwk.Delete,
+			},
+			enableDynamicResourceAllocation: true,
+			enableSchedulerQueueingHints:    true,
+			enableNodeDeclaredFeatures:      true,
+			enableInPlacePodVerticalScaling: true,
+		},
+		{
+			name:    "plugins with default profile and GangScheduling",
+			plugins: schedulerapi.PluginSet{Enabled: append(defaults.PluginsV1.MultiPoint.Enabled, schedulerapi.Plugin{Name: names.GangScheduling})},
+			want: map[fwk.EventResource]fwk.ActionType{
+				fwk.Pod:                   fwk.Add | fwk.UpdatePodLabel | fwk.UpdatePodScaleDown | fwk.UpdatePodGeneratedResourceClaim | fwk.UpdatePodToleration | fwk.UpdatePodSchedulingGatesEliminated | fwk.Delete,
+				fwk.Node:                  fwk.Add | fwk.UpdateNodeAllocatable | fwk.UpdateNodeLabel | fwk.UpdateNodeTaint | fwk.Delete,
+				fwk.CSINode:               fwk.All - fwk.Delete,
+				fwk.CSIDriver:             fwk.Update,
+				fwk.CSIStorageCapacity:    fwk.All - fwk.Delete,
+				fwk.PersistentVolume:      fwk.All - fwk.Delete,
+				fwk.PersistentVolumeClaim: fwk.All - fwk.Delete,
+				fwk.StorageClass:          fwk.All - fwk.Delete,
+				fwk.VolumeAttachment:      fwk.Delete,
+				fwk.DeviceClass:           fwk.All - fwk.Delete,
+				fwk.ResourceClaim:         fwk.All - fwk.Delete,
+				fwk.ResourceSlice:         fwk.All - fwk.Delete,
+				fwk.Workload:              fwk.Add,
+			},
+			enableGangScheduling:            true,
+			enableInPlacePodVerticalScaling: true,
+			enableDynamicResourceAllocation: true,
+			enableSchedulerQueueingHints:    true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			pluginConfig := defaults.PluginConfigsV1
 
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.InPlacePodVerticalScaling, tt.enableInPlacePodVerticalScaling)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicResourceAllocation, tt.enableDynamicResourceAllocation)
+			if !tt.enableSchedulerQueueingHints || !tt.enableDynamicResourceAllocation {
+				// Set emulated version before setting other feature gates, since it can impact feature dependencies.
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse("1.33"))
+			} else if !tt.enableInPlacePodVerticalScaling {
+				// In place pod resize GA'd in 1.35. Set emulation version to 1.34 for tests that do not have the flag set
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse("1.34"))
+			} else {
+				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.NodeDeclaredFeatures, tt.enableNodeDeclaredFeatures)
+				featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+					features.NodeDeclaredFeatures: tt.enableNodeDeclaredFeatures,
+					features.GenericWorkload:      tt.enableGangScheduling,
+					features.GangScheduling:       tt.enableGangScheduling,
+				})
+			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.InPlacePodVerticalScaling: tt.enableInPlacePodVerticalScaling,
+				features.DynamicResourceAllocation: tt.enableDynamicResourceAllocation,
+			})
 			if !tt.enableSchedulerQueueingHints {
-				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerQueueingHints, false)
+				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.SchedulerQueueingHints, false)
 				// The test uses defaults.PluginConfigsV1, which contains the filter timeout.
 				// With emulation of 1.33, the DRASchedulerFilterTimeout feature gets disabled
 				// and also cannot be enabled ("pre-alpha"), which makes the config invalid.
@@ -1030,10 +1125,10 @@ func Test_UnionedGVKs(t *testing.T) {
 			registry := plugins.NewInTreeRegistry()
 
 			cfgPls := &schedulerapi.Plugins{MultiPoint: tt.plugins}
-			plugins := []framework.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}, &filterWithoutEnqueueExtensionsPlugin{}, &emptyEventsToRegisterPlugin{}, &fakeQueueSortPlugin{}, &fakebindPlugin{}}
+			plugins := []fwk.Plugin{&fakeNodePlugin{}, &fakePodPlugin{}, &filterWithoutEnqueueExtensionsPlugin{}, &emptyEventsToRegisterPlugin{}, &fakeQueueSortPlugin{}, &fakebindPlugin{}}
 			for _, pl := range plugins {
 				tmpPl := pl
-				if err := registry.Register(pl.Name(), func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+				if err := registry.Register(pl.Name(), func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 					return tmpPl, nil
 				}); err != nil {
 					t.Fatalf("fail to register filter plugin (%s)", pl.Name())
@@ -1209,8 +1304,8 @@ func TestFrameworkHandler_IterateOverWaitingPods(t *testing.T) {
 			utiltesting.Eventually(tCtx, func(utiltesting.TContext) sets.Set[string] {
 				// Ensure that all waitingPods in scheduler can be obtained from any profiles.
 				actualPodNamesInWaitingPods := sets.New[string]()
-				for _, fwk := range scheduler.Profiles {
-					fwk.IterateOverWaitingPods(func(pod framework.WaitingPod) {
+				for _, schedFramework := range scheduler.Profiles {
+					schedFramework.IterateOverWaitingPods(func(pod fwk.WaitingPod) {
 						actualPodNamesInWaitingPods.Insert(pod.GetPod().Name)
 					})
 				}
@@ -1220,7 +1315,7 @@ func TestFrameworkHandler_IterateOverWaitingPods(t *testing.T) {
 	}
 }
 
-var _ framework.QueueSortPlugin = &fakeQueueSortPlugin{}
+var _ fwk.QueueSortPlugin = &fakeQueueSortPlugin{}
 
 // fakeQueueSortPlugin is a no-op implementation for QueueSort extension point.
 type fakeQueueSortPlugin struct{}
@@ -1233,7 +1328,7 @@ func (pl *fakeQueueSortPlugin) Less(_, _ fwk.QueuedPodInfo) bool {
 	return false
 }
 
-var _ framework.BindPlugin = &fakebindPlugin{}
+var _ fwk.BindPlugin = &fakebindPlugin{}
 
 // fakebindPlugin is a no-op implementation for Bind extension point.
 type fakebindPlugin struct{}
@@ -1320,7 +1415,7 @@ func (*errorEventsToRegisterPlugin) EventsToRegister(_ context.Context) ([]fwk.C
 	return nil, errors.New("mock error")
 }
 
-// emptyEventsToRegisterPlugin implement interface framework.EnqueueExtensions, but returns nil from EventsToRegister.
+// emptyEventsToRegisterPlugin implement interface fwk.EnqueueExtensions, but returns nil from EventsToRegister.
 // This can simulate a plugin registered at scheduler setup, but does nothing
 // due to some disabled feature gate.
 type emptyEventsToRegisterPlugin struct{}
@@ -1341,7 +1436,7 @@ type fakePermitPlugin struct {
 }
 
 func newFakePermitPlugin(eventRecorder events.EventRecorder) frameworkruntime.PluginFactory {
-	return func(ctx context.Context, configuration runtime.Object, f framework.Handle) (framework.Plugin, error) {
+	return func(ctx context.Context, configuration runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
 		pl := &fakePermitPlugin{
 			eventRecorder: eventRecorder,
 		}
@@ -1367,4 +1462,4 @@ func (f fakePermitPlugin) Permit(ctx context.Context, state fwk.CycleState, p *v
 	return fwk.NewStatus(fwk.Wait), permitTimeout
 }
 
-var _ framework.PermitPlugin = &fakePermitPlugin{}
+var _ fwk.PermitPlugin = &fakePermitPlugin{}
diff --git a/pkg/scheduler/testing/framework/fake_extender.go b/pkg/scheduler/testing/framework/fake_extender.go
index 604cb4297c9e9..aed0c456a4146 100644
--- a/pkg/scheduler/testing/framework/fake_extender.go
+++ b/pkg/scheduler/testing/framework/fake_extender.go
@@ -36,7 +36,7 @@ import (
 type FitPredicate func(pod *v1.Pod, node fwk.NodeInfo) *fwk.Status
 
 // PriorityFunc is a function type which is used in fake extender.
-type PriorityFunc func(pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.NodeScoreList, error)
+type PriorityFunc func(pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.NodeScoreList, error)
 
 // PriorityConfig is used in fake extender to perform Prioritize function.
 type PriorityConfig struct {
@@ -78,34 +78,34 @@ func Node2PredicateExtender(pod *v1.Pod, node fwk.NodeInfo) *fwk.Status {
 }
 
 // ErrorPrioritizerExtender implements PriorityFunc function to always return error.
-func ErrorPrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.NodeScoreList, error) {
-	return &framework.NodeScoreList{}, fmt.Errorf("some error")
+func ErrorPrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.NodeScoreList, error) {
+	return &fwk.NodeScoreList{}, fmt.Errorf("some error")
 }
 
 // Node1PrioritizerExtender implements PriorityFunc function to give score 10
 // if the given node's name is "node1"; otherwise score 1.
-func Node1PrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.NodeScoreList, error) {
-	result := framework.NodeScoreList{}
+func Node1PrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.NodeScoreList, error) {
+	result := fwk.NodeScoreList{}
 	for _, node := range nodes {
 		score := 1
 		if node.Node().Name == "node1" {
 			score = 10
 		}
-		result = append(result, framework.NodeScore{Name: node.Node().Name, Score: int64(score)})
+		result = append(result, fwk.NodeScore{Name: node.Node().Name, Score: int64(score)})
 	}
 	return &result, nil
 }
 
 // Node2PrioritizerExtender implements PriorityFunc function to give score 10
 // if the given node's name is "node2"; otherwise score 1.
-func Node2PrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.NodeScoreList, error) {
-	result := framework.NodeScoreList{}
+func Node2PrioritizerExtender(pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.NodeScoreList, error) {
+	result := fwk.NodeScoreList{}
 	for _, node := range nodes {
 		score := 1
 		if node.Node().Name == "node2" {
 			score = 10
 		}
-		result = append(result, framework.NodeScore{Name: node.Node().Name, Score: int64(score)})
+		result = append(result, fwk.NodeScore{Name: node.Node().Name, Score: int64(score)})
 	}
 	return &result, nil
 }
@@ -114,7 +114,7 @@ type node2PrioritizerPlugin struct{}
 
 // NewNode2PrioritizerPlugin returns a factory function to build node2PrioritizerPlugin.
 func NewNode2PrioritizerPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &node2PrioritizerPlugin{}, nil
 	}
 }
@@ -134,7 +134,7 @@ func (pl *node2PrioritizerPlugin) Score(_ context.Context, _ fwk.CycleState, _ *
 }
 
 // ScoreExtensions returns nil.
-func (pl *node2PrioritizerPlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *node2PrioritizerPlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -182,7 +182,7 @@ func (f *FakeExtender) SupportsPreemption() bool {
 func (f *FakeExtender) ProcessPreemption(
 	pod *v1.Pod,
 	nodeNameToVictims map[string]*extenderv1.Victims,
-	nodeInfos framework.NodeInfoLister,
+	nodeInfos fwk.NodeInfoLister,
 ) (map[string]*extenderv1.Victims, error) {
 	nodeNameToVictimsCopy := map[string]*extenderv1.Victims{}
 	// We don't want to change the original nodeNameToVictims
@@ -400,4 +400,4 @@ func (f *FakeExtender) IsInterested(pod *v1.Pod) bool {
 	return !f.UnInterested
 }
 
-var _ framework.Extender = &FakeExtender{}
+var _ fwk.Extender = &FakeExtender{}
diff --git a/pkg/scheduler/testing/framework/fake_plugins.go b/pkg/scheduler/testing/framework/fake_plugins.go
index 607fbdb39f4e2..14caf01a5d4a4 100644
--- a/pkg/scheduler/testing/framework/fake_plugins.go
+++ b/pkg/scheduler/testing/framework/fake_plugins.go
@@ -25,7 +25,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	fwk "k8s.io/kube-scheduler/framework"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 )
 
@@ -46,7 +45,7 @@ func (pl *FalseFilterPlugin) Filter(_ context.Context, _ fwk.CycleState, pod *v1
 }
 
 // NewFalseFilterPlugin initializes a FalseFilterPlugin and returns it.
-func NewFalseFilterPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func NewFalseFilterPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &FalseFilterPlugin{}, nil
 }
 
@@ -64,7 +63,7 @@ func (pl *TrueFilterPlugin) Filter(_ context.Context, _ fwk.CycleState, pod *v1.
 }
 
 // NewTrueFilterPlugin initializes a TrueFilterPlugin and returns it.
-func NewTrueFilterPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func NewTrueFilterPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &TrueFilterPlugin{}, nil
 }
 
@@ -103,7 +102,7 @@ func (pl *FakeFilterPlugin) Filter(_ context.Context, _ fwk.CycleState, pod *v1.
 
 // NewFakeFilterPlugin initializes a fakeFilterPlugin and returns it.
 func NewFakeFilterPlugin(failedNodeReturnCodeMap map[string]fwk.Code) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakeFilterPlugin{
 			FailedNodeReturnCodeMap: failedNodeReturnCodeMap,
 		}, nil
@@ -132,13 +131,13 @@ func (pl *MatchFilterPlugin) Filter(_ context.Context, _ fwk.CycleState, pod *v1
 }
 
 // NewMatchFilterPlugin initializes a MatchFilterPlugin and returns it.
-func NewMatchFilterPlugin(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func NewMatchFilterPlugin(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &MatchFilterPlugin{}, nil
 }
 
 // FakePreFilterPlugin is a test filter plugin.
 type FakePreFilterPlugin struct {
-	Result *framework.PreFilterResult
+	Result *fwk.PreFilterResult
 	Status *fwk.Status
 	name   string
 }
@@ -149,18 +148,18 @@ func (pl *FakePreFilterPlugin) Name() string {
 }
 
 // PreFilter invoked at the PreFilter extension point.
-func (pl *FakePreFilterPlugin) PreFilter(_ context.Context, _ fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pl *FakePreFilterPlugin) PreFilter(_ context.Context, _ fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	return pl.Result, pl.Status
 }
 
 // PreFilterExtensions no extensions implemented by this plugin.
-func (pl *FakePreFilterPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pl *FakePreFilterPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
 // NewFakePreFilterPlugin initializes a fakePreFilterPlugin and returns it.
-func NewFakePreFilterPlugin(name string, result *framework.PreFilterResult, status *fwk.Status) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func NewFakePreFilterPlugin(name string, result *fwk.PreFilterResult, status *fwk.Status) frameworkruntime.PluginFactory {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakePreFilterPlugin{
 			Result: result,
 			Status: status,
@@ -190,7 +189,7 @@ func (pl *FakeReservePlugin) Unreserve(_ context.Context, _ fwk.CycleState, _ *v
 
 // NewFakeReservePlugin initializes a fakeReservePlugin and returns it.
 func NewFakeReservePlugin(status *fwk.Status) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakeReservePlugin{
 			Status: status,
 		}, nil
@@ -220,7 +219,7 @@ func (pl *FakePreBindPlugin) PreBind(_ context.Context, _ fwk.CycleState, _ *v1.
 
 // NewFakePreBindPlugin initializes a fakePreBindPlugin and returns it.
 func NewFakePreBindPlugin(preBindPreFlightStatus, preBindStatus *fwk.Status) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakePreBindPlugin{
 			PreBindPreFlightStatus: preBindPreFlightStatus,
 			PreBindStatus:          preBindStatus,
@@ -230,7 +229,7 @@ func NewFakePreBindPlugin(preBindPreFlightStatus, preBindStatus *fwk.Status) fra
 
 // FakePermitPlugin is a test permit plugin.
 type FakePermitPlugin struct {
-	Handle  framework.Handle
+	Handle  fwk.Handle
 	Status  *fwk.Status
 	Timeout time.Duration
 }
@@ -247,7 +246,7 @@ func (pl *FakePermitPlugin) Permit(_ context.Context, _ fwk.CycleState, p *v1.Po
 
 // NewFakePermitPlugin initializes a fakePermitPlugin and returns it.
 func NewFakePermitPlugin(status *fwk.Status, timeout time.Duration) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, h framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, h fwk.Handle) (fwk.Plugin, error) {
 		return &FakePermitPlugin{
 			Status:  status,
 			Timeout: timeout,
@@ -272,7 +271,7 @@ func (pl *FakePreScoreAndScorePlugin) Score(ctx context.Context, state fwk.Cycle
 	return pl.score, pl.scoreStatus
 }
 
-func (pl *FakePreScoreAndScorePlugin) ScoreExtensions() framework.ScoreExtensions {
+func (pl *FakePreScoreAndScorePlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -281,7 +280,7 @@ func (pl *FakePreScoreAndScorePlugin) PreScore(ctx context.Context, state fwk.Cy
 }
 
 func NewFakePreScoreAndScorePlugin(name string, score int64, preScoreStatus, scoreStatus *fwk.Status) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakePreScoreAndScorePlugin{
 			name:           name,
 			score:          score,
@@ -293,7 +292,7 @@ func NewFakePreScoreAndScorePlugin(name string, score int64, preScoreStatus, sco
 
 // NewEqualPrioritizerPlugin returns a factory function to build equalPrioritizerPlugin.
 func NewEqualPrioritizerPlugin() frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+	return func(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 		return &FakePreScoreAndScorePlugin{
 			name:  "EqualPrioritizerPlugin",
 			score: 1,
diff --git a/pkg/scheduler/testing/wrappers.go b/pkg/scheduler/testing/wrappers.go
index 09c7b4f3ac327..224e6c1fe18a2 100644
--- a/pkg/scheduler/testing/wrappers.go
+++ b/pkg/scheduler/testing/wrappers.go
@@ -24,6 +24,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1"
 	resourceapi "k8s.io/api/resource/v1"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -417,6 +418,12 @@ func (p *PodWrapper) ZeroTerminationGracePeriod() *PodWrapper {
 	return p
 }
 
+// TerminationGracePeriodSeconds sets the TerminationGracePeriodSeconds of the inner pod.
+func (p *PodWrapper) TerminationGracePeriodSeconds(s int64) *PodWrapper {
+	p.Spec.TerminationGracePeriodSeconds = &s
+	return p
+}
+
 // Node sets `s` as the nodeName of the inner pod.
 func (p *PodWrapper) Node(s string) *PodWrapper {
 	p.Spec.NodeName = s
@@ -562,6 +569,12 @@ func (p *PodWrapper) SchedulingGates(gates []string) *PodWrapper {
 	return p
 }
 
+// ResourceVersion sets the inner pod's ResurceVersion.
+func (p *PodWrapper) ResourceVersion(version string) *PodWrapper {
+	p.ObjectMeta.ResourceVersion = version
+	return p
+}
+
 // PodAffinityKind represents different kinds of PodAffinity.
 type PodAffinityKind int
 
@@ -781,6 +794,22 @@ func (p *PodWrapper) Res(resMap map[v1.ResourceName]string) *PodWrapper {
 	return p
 }
 
+// Resources sets requests and limits at pod-level.
+func (p *PodWrapper) PodLevelResourceRequests(reqMap map[v1.ResourceName]string) *PodWrapper {
+	if len(reqMap) == 0 {
+		return p
+	}
+
+	res := v1.ResourceList{}
+	for k, v := range reqMap {
+		res[k] = resource.MustParse(v)
+	}
+	p.Spec.Resources = &v1.ResourceRequirements{
+		Requests: res,
+	}
+	return p
+}
+
 // Req adds a new container to the inner pod with given resource map of requests.
 func (p *PodWrapper) Req(reqMap map[v1.ResourceName]string) *PodWrapper {
 	if len(reqMap) == 0 {
@@ -837,6 +866,12 @@ func (p *PodWrapper) Overhead(rl v1.ResourceList) *PodWrapper {
 	return p
 }
 
+// WorkloadRef sets workloadRef of the inner pod.
+func (p *PodWrapper) WorkloadRef(workloadRef *v1.WorkloadReference) *PodWrapper {
+	p.Spec.WorkloadRef = workloadRef
+	return p
+}
+
 // NodeWrapper wraps a Node inside.
 type NodeWrapper struct{ v1.Node }
 
@@ -918,6 +953,12 @@ func (n *NodeWrapper) Unschedulable(unschedulable bool) *NodeWrapper {
 	return n
 }
 
+// DeclaredFeatures applies the declared features in node status.
+func (n *NodeWrapper) DeclaredFeatures(declaredFeatures []string) *NodeWrapper {
+	n.Status.DeclaredFeatures = declaredFeatures
+	return n
+}
+
 // Condition applies the node condition.
 func (n *NodeWrapper) Condition(typ v1.NodeConditionType, status v1.ConditionStatus, message, reason string) *NodeWrapper {
 	n.Status.Conditions = []v1.NodeCondition{
@@ -1173,9 +1214,24 @@ func (wrapper *ResourceClaimWrapper) RequestWithName(name, deviceClassName strin
 	return wrapper
 }
 
+// RequestWithNameCount adds one device request for the given device class with given request name and count.
+func (wrapper *ResourceClaimWrapper) RequestWithNameCount(name, deviceClassName string, count int64) *ResourceClaimWrapper {
+	wrapper.Spec.Devices.Requests = append(wrapper.Spec.Devices.Requests,
+		resourceapi.DeviceRequest{
+			Name: name,
+			Exactly: &resourceapi.ExactDeviceRequest{
+				// Cannot rely on defaulting here, this is used in unit tests.
+				AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+				Count:           count,
+				DeviceClassName: deviceClassName,
+			},
+		})
+	return wrapper
+}
+
 // RequestWithPrioritizedList adds one device request with one subrequest
 // per provided deviceClassName.
-func (wrapper *ResourceClaimWrapper) RequestWithPrioritizedList(deviceClassNames ...string) *ResourceClaimWrapper {
+func (wrapper *ResourceClaimWrapper) RequestWithPrioritizedListFromDeviceClasses(deviceClassNames ...string) *ResourceClaimWrapper {
 	var prioritizedList []resourceapi.DeviceSubRequest
 	for i, deviceClassName := range deviceClassNames {
 		prioritizedList = append(prioritizedList, resourceapi.DeviceSubRequest{
@@ -1195,6 +1251,45 @@ func (wrapper *ResourceClaimWrapper) RequestWithPrioritizedList(deviceClassNames
 	return wrapper
 }
 
+func (wrapper *ResourceClaimWrapper) RequestWithPrioritizedList(subRequests ...resourceapi.DeviceSubRequest) *ResourceClaimWrapper {
+	return wrapper.NamedRequestWithPrioritizedList(fmt.Sprintf("req-%d", len(wrapper.Spec.Devices.Requests)+1), subRequests...)
+}
+
+func (wrapper *ResourceClaimWrapper) NamedRequestWithPrioritizedList(name string, subRequests ...resourceapi.DeviceSubRequest) *ResourceClaimWrapper {
+	wrapper.Spec.Devices.Requests = append(wrapper.Spec.Devices.Requests,
+		resourceapi.DeviceRequest{
+			Name:           name,
+			FirstAvailable: subRequests,
+		},
+	)
+	return wrapper
+}
+
+func SubRequest(name, deviceClassName string, count int64) resourceapi.DeviceSubRequest {
+	return resourceapi.DeviceSubRequest{
+		Name:            name,
+		AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+		Count:           count,
+		DeviceClassName: deviceClassName,
+	}
+}
+
+func SubRequestWithSelector(name, deviceClassName, selector string) resourceapi.DeviceSubRequest {
+	return resourceapi.DeviceSubRequest{
+		Name:            name,
+		AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
+		Count:           1,
+		DeviceClassName: deviceClassName,
+		Selectors: []resourceapi.DeviceSelector{
+			{
+				CEL: &resourceapi.CELDeviceSelector{
+					Expression: selector,
+				},
+			},
+		},
+	}
+}
+
 // Allocation sets the allocation of the inner object.
 func (wrapper *ResourceClaimWrapper) Allocation(allocation *resourceapi.AllocationResult) *ResourceClaimWrapper {
 	if !slices.Contains(wrapper.ResourceClaim.Finalizers, resourceapi.Finalizer) {
@@ -1454,3 +1549,68 @@ func (c *VolumeAttachmentWrapper) Attached(attached bool) *VolumeAttachmentWrapp
 	c.Status.Attached = attached
 	return c
 }
+
+// WorkloadWrapper wraps a Workload inside.
+type WorkloadWrapper struct{ schedulingapi.Workload }
+
+// MakeWorkload creates a Workload wrapper.
+func MakeWorkload() *WorkloadWrapper {
+	return &WorkloadWrapper{}
+}
+
+// Obj returns the inner Workload.
+func (wrapper *WorkloadWrapper) Obj() *schedulingapi.Workload {
+	return &wrapper.Workload
+}
+
+// Name sets `name` as the name of the inner Workload.
+func (wrapper *WorkloadWrapper) Name(name string) *WorkloadWrapper {
+	wrapper.SetName(name)
+	return wrapper
+}
+
+// Namespace sets `namespace` as the namespace of the inner Workload.
+func (wrapper *WorkloadWrapper) Namespace(namespace string) *WorkloadWrapper {
+	wrapper.SetNamespace(namespace)
+	return wrapper
+}
+
+// PodGroup injects the pod group into the inner Workload.
+func (wrapper *WorkloadWrapper) PodGroup(pg *schedulingapi.PodGroup) *WorkloadWrapper {
+	wrapper.Spec.PodGroups = append(wrapper.Spec.PodGroups, *pg)
+	return wrapper
+}
+
+// PodGroupWrapper wraps a PodGroup inside.
+type PodGroupWrapper struct{ schedulingapi.PodGroup }
+
+// MakePodGroup creates a PodGroup wrapper.
+func MakePodGroup() *PodGroupWrapper {
+	return &PodGroupWrapper{}
+}
+
+// Obj returns the inner PodGroup.
+func (wrapper *PodGroupWrapper) Obj() *schedulingapi.PodGroup {
+	return &wrapper.PodGroup
+}
+
+// Name sets `name` as the name of the inner PodGroup.
+func (wrapper *PodGroupWrapper) Name(name string) *PodGroupWrapper {
+	wrapper.PodGroup.Name = name
+	return wrapper
+}
+
+// MinCount sets the MinCount for the Gang scheduling policy.
+func (wrapper *PodGroupWrapper) MinCount(count int32) *PodGroupWrapper {
+	if wrapper.Policy.Gang == nil {
+		wrapper.Policy.Gang = &schedulingapi.GangSchedulingPolicy{}
+	}
+	wrapper.Policy.Gang.MinCount = count
+	return wrapper
+}
+
+// BasicPolicy sets the PodGroup policy to Basic.
+func (wrapper *PodGroupWrapper) BasicPolicy() *PodGroupWrapper {
+	wrapper.Policy.Basic = &schedulingapi.BasicSchedulingPolicy{}
+	return wrapper
+}
diff --git a/pkg/scheduler/util/assumecache/assume_cache.go b/pkg/scheduler/util/assumecache/assume_cache.go
index 889cb9efe3bcf..fae3230bc3afe 100644
--- a/pkg/scheduler/util/assumecache/assume_cache.go
+++ b/pkg/scheduler/util/assumecache/assume_cache.go
@@ -124,6 +124,9 @@ type AssumeCache struct {
 	// Synchronizes updates to all fields below.
 	rwMutex sync.RWMutex
 
+	// cond is used by emitEvents.
+	cond *sync.Cond
+
 	// All registered event handlers.
 	eventHandlers       []cache.ResourceEventHandler
 	handlerRegistration cache.ResourceEventHandlerRegistration
@@ -149,6 +152,9 @@ type AssumeCache struct {
 	// of events would no longer be guaranteed.
 	eventQueue buffer.Ring[func()]
 
+	// emittingEvents is true while one emitEvents call is actively emitting events.
+	emittingEvents bool
+
 	// describes the object stored
 	description string
 
@@ -196,6 +202,7 @@ func NewAssumeCache(logger klog.Logger, informer Informer, description, indexNam
 		indexName:   indexName,
 		eventQueue:  *buffer.NewRing[func()](buffer.RingOptions{InitialSize: 0, NormalSize: 4}),
 	}
+	c.cond = sync.NewCond(&c.rwMutex)
 	indexers := cache.Indexers{}
 	if indexName != "" && indexFunc != nil {
 		indexers[indexName] = c.objInfoIndexFunc
@@ -508,8 +515,31 @@ func (c *AssumeCache) AddEventHandler(handler cache.ResourceEventHandler) cache.
 }
 
 // emitEvents delivers all pending events that are in the queue, in the order
-// in which they were stored there (FIFO).
+// in which they were stored there (FIFO). Only one goroutine at a time is
+// delivering events, to ensure correct order.
 func (c *AssumeCache) emitEvents() {
+	c.rwMutex.Lock()
+	for c.emittingEvents {
+		// Wait for the active caller of emitEvents to finish.
+		// When it is done, it may or may not have drained
+		// the events pushed by our caller.
+		// We'll check below ourselves.
+		c.cond.Wait()
+	}
+	c.emittingEvents = true
+	c.rwMutex.Unlock()
+
+	defer func() {
+		c.rwMutex.Lock()
+		c.emittingEvents = false
+		// Hand over the batton to one other goroutine, if there is one.
+		// We don't need to wake up more than one because only one of
+		// them would be able to grab the "emittingEvents" responsibility.
+		c.cond.Signal()
+		c.rwMutex.Unlock()
+	}()
+
+	// When we get here, this instance of emitEvents is the active one.
 	for {
 		c.rwMutex.Lock()
 		deliver, ok := c.eventQueue.ReadOne()
diff --git a/pkg/scheduler/util/assumecache/assume_cache_test.go b/pkg/scheduler/util/assumecache/assume_cache_test.go
index a18d51e0a8780..8024b20987d75 100644
--- a/pkg/scheduler/util/assumecache/assume_cache_test.go
+++ b/pkg/scheduler/util/assumecache/assume_cache_test.go
@@ -265,6 +265,65 @@ func TestAssume(t *testing.T) {
 	}
 }
 
+// TestAssumeRace simulates this sequence of events:
+//   - Informer update arrives, event handler gets invoked and is slow.
+//   - Assume for the same object is called. It must block until
+//     the informer-triggered event is delivered.
+func TestAssumeRace(t *testing.T) { ktesting.Init(t).SyncTest("", testAssumeRace) }
+func testAssumeRace(tCtx ktesting.TContext) {
+	var informer testInformer
+	testObj := makeObj("pvc1", "1", "")
+	ac := NewAssumeCache(tCtx.Logger(), &informer, "TestObject", "", nil)
+	blockEvent := ktesting.WithCancel(tCtx)
+	defer blockEvent.Cancel("test done")
+	eventBlocked := false
+	eventDone := false
+	ac.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			eventBlocked = true
+			<-blockEvent.Done()
+			eventDone = true
+		},
+	})
+
+	// Here a real client with to a Create. What the assume cache may or may not
+	// see before Assume is the new object from the informer - let's pretend that
+	// comes first.
+	go informer.add(testObj)
+
+	// Wait for processing to finish.
+	tCtx.Wait()
+	if !eventBlocked {
+		tCtx.Fatal("Event handler should have been called and wasn't.")
+	}
+
+	// Assume should block until we unblock the event delivery.
+	assumeDone := false
+	go func() {
+		err := ac.Assume(testObj)
+		if err != nil {
+			tCtx.Errorf("Assume failed: %v", err)
+		}
+		assumeDone = true
+	}()
+
+	// Wait for Assume to be blocked in its implementation.
+	tCtx.Wait()
+	if assumeDone {
+		tCtx.Fatal("Assume should have blocked and didn't.")
+	}
+
+	// Unblock both goroutines.
+	blockEvent.Cancel("proceed")
+	tCtx.Wait()
+	if !eventDone {
+		tCtx.Fatal("Event should have been delivered and wasn't.")
+	}
+	if !assumeDone {
+		tCtx.Fatal("Assume should have returned and didn't.")
+	}
+}
+
 func TestRestore(t *testing.T) {
 	tCtx, cache, informer := newTest(t)
 	var events mockEventHandler
diff --git a/pkg/scheduler/util/utils.go b/pkg/scheduler/util/utils.go
index acaaaabb4d71c..06ba395030dbd 100644
--- a/pkg/scheduler/util/utils.go
+++ b/pkg/scheduler/util/utils.go
@@ -20,9 +20,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -142,6 +144,12 @@ func IsScalarResourceName(name v1.ResourceName) bool {
 		v1helper.IsPrefixedNativeResource(name) || v1helper.IsAttachableVolumeResourceName(name)
 }
 
+// IsDRAExtendedResourceName returns true when name is an extended resource name, or an implicit extended resource name
+// derived from device class name with the format of deviceclass.resource.kubernetes.io/<device class name>
+func IsDRAExtendedResourceName(name v1.ResourceName) bool {
+	return v1helper.IsExtendedResourceName(name) || strings.HasPrefix(string(name), resourceapi.ResourceDeviceClassPrefix)
+}
+
 // As converts two objects to the given type.
 // Both objects must be of the same type. If not, an error is returned.
 // nil objects are allowed and will be converted to nil.
diff --git a/pkg/util/flag/flags.go b/pkg/util/flag/flags.go
index 9d518f7c659e7..f65eb3e950e53 100644
--- a/pkg/util/flag/flags.go
+++ b/pkg/util/flag/flags.go
@@ -171,7 +171,7 @@ type ReservedMemoryVar struct {
 // Set sets the flag value
 func (v *ReservedMemoryVar) Set(s string) error {
 	if v.Value == nil {
-		return fmt.Errorf("no target (nil pointer to *[]MemoryReservation")
+		return fmt.Errorf("no target (nil pointer to *[]MemoryReservation)")
 	}
 
 	if s == "" {
@@ -200,7 +200,7 @@ func (v *ReservedMemoryVar) Set(s string) error {
 		}
 		numaNodeID, err := strconv.Atoi(numaNodeReservation[0])
 		if err != nil {
-			return fmt.Errorf("failed to convert the NUMA node ID, exptected integer, got %s", numaNodeReservation[0])
+			return fmt.Errorf("failed to convert the NUMA node ID, expected integer, got %s", numaNodeReservation[0])
 		}
 
 		memoryReservation := kubeletconfig.MemoryReservation{
@@ -211,7 +211,7 @@ func (v *ReservedMemoryVar) Set(s string) error {
 		for _, memoryTypeReservation := range memoryTypeReservations {
 			limit := strings.Split(memoryTypeReservation, "=")
 			if len(limit) != 2 {
-				return fmt.Errorf("the reserved limit has incorrect value, expected type=quantatity, got %s", memoryTypeReservation)
+				return fmt.Errorf("the reserved limit has incorrect value, expected type=quantity, got %s", memoryTypeReservation)
 			}
 
 			resourceName := v1.ResourceName(limit[0])
@@ -221,7 +221,7 @@ func (v *ReservedMemoryVar) Set(s string) error {
 
 			q, err := resource.ParseQuantity(limit[1])
 			if err != nil {
-				return fmt.Errorf("failed to parse the quantatity, expected quantatity, got %s", limit[1])
+				return fmt.Errorf("failed to parse the quantity: %s", limit[1])
 			}
 
 			memoryReservation.Limits[v1.ResourceName(limit[0])] = q
@@ -264,6 +264,10 @@ type RegisterWithTaintsVar struct {
 
 // Set sets the flag value
 func (t RegisterWithTaintsVar) Set(s string) error {
+	if t.Value == nil {
+		return fmt.Errorf("no target (nil pointer to []v1.Taint)")
+	}
+
 	if len(s) == 0 {
 		*t.Value = nil
 		return nil
@@ -283,7 +287,7 @@ func (t RegisterWithTaintsVar) Set(s string) error {
 
 // String returns the flag value
 func (t RegisterWithTaintsVar) String() string {
-	if len(*t.Value) == 0 {
+	if t.Value == nil || len(*t.Value) == 0 {
 		return ""
 	}
 	var taints []string
diff --git a/pkg/util/iptables/iptables.go b/pkg/util/iptables/iptables.go
index dd6cd005d5bcc..8476c1ca78d1b 100644
--- a/pkg/util/iptables/iptables.go
+++ b/pkg/util/iptables/iptables.go
@@ -247,37 +247,17 @@ func New(protocol Protocol) Interface {
 	return newInternal(utilexec.New(), protocol, "", "")
 }
 
-func newDualStackInternal(exec utilexec.Interface) (map[v1.IPFamily]Interface, error) {
-	var err error
+func newDualStackInternal(exec utilexec.Interface) map[v1.IPFamily]Interface {
 	interfaces := map[v1.IPFamily]Interface{}
-
 	iptv4 := newInternal(exec, ProtocolIPv4, "", "")
-	if presentErr := iptv4.Present(); presentErr != nil {
-		err = presentErr
-	} else {
+	if presentErr := iptv4.Present(); presentErr == nil {
 		interfaces[v1.IPv4Protocol] = iptv4
 	}
 	iptv6 := newInternal(exec, ProtocolIPv6, "", "")
-	if presentErr := iptv6.Present(); presentErr != nil {
-		// If we get an error for both IPv4 and IPv6 Present() calls, it's virtually guaranteed that
-		// they're going to be the same error. We ignore the error for IPv6 if IPv4 has already failed.
-		if err == nil {
-			err = presentErr
-		}
-	} else {
+	if presentErr := iptv6.Present(); presentErr == nil {
 		interfaces[v1.IPv6Protocol] = iptv6
 	}
-
-	return interfaces, err
-}
-
-// NewDualStack returns a map containing an IPv4 Interface (if IPv4 iptables is supported)
-// and an IPv6 Interface (if IPv6 iptables is supported). If only one family is supported,
-// it will return a map with one Interface *and* an error (indicating the problem with the
-// other family). If neither family is supported, it will return an empty map and an
-// error.
-func NewDualStack() (map[v1.IPFamily]Interface, error) {
-	return newDualStackInternal(utilexec.New())
+	return interfaces
 }
 
 // NewBestEffort returns a map containing an IPv4 Interface (if IPv4 iptables is
@@ -286,8 +266,7 @@ func NewDualStack() (map[v1.IPFamily]Interface, error) {
 // simple for callers that just want "best-effort" iptables support, where neither partial
 // nor complete lack of iptables support is considered an error.
 func NewBestEffort() map[v1.IPFamily]Interface {
-	ipts, _ := newDualStackInternal(utilexec.New())
-	return ipts
+	return newDualStackInternal(utilexec.New())
 }
 
 // EnsureChain is part of Interface.
diff --git a/pkg/util/iptables/iptables_test.go b/pkg/util/iptables/iptables_test.go
index 1847552621383..e98abff487aff 100644
--- a/pkg/util/iptables/iptables_test.go
+++ b/pkg/util/iptables/iptables_test.go
@@ -329,7 +329,7 @@ func TestNewDualStack(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			fexec := fakeExecForCommands(tc.commands)
-			runners, err := newDualStackInternal(fexec)
+			runners := newDualStackInternal(fexec)
 
 			if tc.ipv4 && runners[v1.IPv4Protocol] == nil {
 				t.Errorf("Expected ipv4 runner, got nil")
@@ -341,12 +341,6 @@ func TestNewDualStack(t *testing.T) {
 			} else if !tc.ipv6 && runners[v1.IPv6Protocol] != nil {
 				t.Errorf("Expected no ipv6 runner, got one")
 			}
-
-			if len(runners) == 2 && err != nil {
-				t.Errorf("Got 2 runners but also an error (%v)", err)
-			} else if len(runners) != 2 && err == nil {
-				t.Errorf("Got %d runners but no error", len(runners))
-			}
 		})
 	}
 }
diff --git a/pkg/util/parsers/parsers.go b/pkg/util/parsers/parsers.go
index 80a5f32a877f2..73916fda304a6 100644
--- a/pkg/util/parsers/parsers.go
+++ b/pkg/util/parsers/parsers.go
@@ -24,6 +24,7 @@ import (
 	_ "crypto/sha512"
 
 	dockerref "github.com/distribution/reference"
+	"github.com/robfig/cron/v3"
 )
 
 // ParseImageName parses a docker image string into three parts: repo, tag and digest.
@@ -52,3 +53,17 @@ func ParseImageName(image string) (string, string, string, error) {
 	}
 	return repoToPull, tag, digest, nil
 }
+
+// ParseCronScheduleWithPanicRecovery safely parses a cron schedule, recovering from panics
+// that can occur in cron.ParseStandard for malformed schedules like "TZ=0".
+func ParseCronScheduleWithPanicRecovery(schedule string) (sched cron.Schedule, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			sched = nil
+			err = fmt.Errorf("invalid schedule format: %v", r)
+		}
+	}()
+
+	sched, err = cron.ParseStandard(schedule)
+	return
+}
diff --git a/pkg/util/parsers/parsers_test.go b/pkg/util/parsers/parsers_test.go
index 82a75e6a258c5..96ead1c96cde9 100644
--- a/pkg/util/parsers/parsers_test.go
+++ b/pkg/util/parsers/parsers_test.go
@@ -19,6 +19,7 @@ package parsers
 import (
 	"strings"
 	"testing"
+	"time"
 )
 
 // Based on Docker test case removed in:
@@ -58,3 +59,132 @@ func TestParseImageName(t *testing.T) {
 		}
 	}
 }
+
+func TestParseCronSchedule(t *testing.T) {
+	testCases := []struct {
+		name          string
+		schedule      string
+		expectError   bool
+		expectedError string
+		expectPanic   bool
+	}{
+		{
+			name:        "valid schedule without timezone",
+			schedule:    "0 0 * * *",
+			expectError: false,
+		},
+		{
+			name:        "valid schedule with timezone",
+			schedule:    "TZ=UTC 0 0 * * *",
+			expectError: false,
+		},
+		{
+			name:        "valid schedule with CRON_TZ",
+			schedule:    "CRON_TZ=America/New_York 0 0 * * *",
+			expectError: false,
+		},
+		{
+			name:          "TZ=0 without space should panic and be recovered",
+			schedule:      "TZ=0",
+			expectError:   true,
+			expectedError: "invalid schedule format",
+			expectPanic:   true,
+		},
+		{
+			name:          "TZ= without value should panic and be recovered",
+			schedule:      "TZ=",
+			expectError:   true,
+			expectedError: "invalid schedule format",
+			expectPanic:   true,
+		},
+		{
+			name:          "CRON_TZ= without space should panic and be recovered",
+			schedule:      "CRON_TZ=UTC",
+			expectError:   true,
+			expectedError: "invalid schedule format",
+			expectPanic:   true,
+		},
+		{
+			name:          "malformed timezone spec should panic and be recovered",
+			schedule:      "TZ=Invalid/Timezone",
+			expectError:   true,
+			expectedError: "invalid schedule format",
+			expectPanic:   true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// This should not panic even with malformed schedules
+			sched, err := ParseCronScheduleWithPanicRecovery(tc.schedule)
+
+			if tc.expectError {
+				if err == nil {
+					t.Errorf("Expected error for schedule %q, but got none", tc.schedule)
+					return
+				}
+
+				if tc.expectedError != "" {
+					errMsg := err.Error()
+					if !strings.Contains(errMsg, tc.expectedError) {
+						t.Errorf("Expected error message to contain %q, but got: %s", tc.expectedError, errMsg)
+					}
+				}
+
+				if sched != nil {
+					t.Errorf("Expected nil schedule when error occurs, but got: %v", sched)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Expected no error for schedule %q, but got: %v", tc.schedule, err)
+					return
+				}
+
+				if sched == nil {
+					t.Errorf("Expected valid schedule for %q, but got nil", tc.schedule)
+					return
+				}
+
+				// Verify that the schedule is actually valid by calling Next
+				// This ensures we got a real cron.Schedule, not just a non-nil value
+				next := sched.Next(time.Now())
+				if next.IsZero() {
+					t.Errorf("Expected valid next execution time for schedule %q, but got zero time", tc.schedule)
+				}
+			}
+		})
+	}
+}
+
+func TestParseCronSchedulePanicRecovery(t *testing.T) {
+	// Test that panics are properly recovered and converted to errors
+	panicSchedules := []string{
+		"TZ=0",
+		"TZ=",
+		"CRON_TZ=UTC",
+		"TZ=Invalid/Timezone",
+	}
+
+	for _, schedule := range panicSchedules {
+		t.Run("panic_recovery_"+schedule, func(t *testing.T) {
+			// This should not panic
+			sched, err := ParseCronScheduleWithPanicRecovery(schedule)
+
+			// Should get an error
+			if err == nil {
+				t.Errorf("Expected error for panic-causing schedule %q, but got none", schedule)
+			}
+
+			// Should get nil schedule
+			if sched != nil {
+				t.Errorf("Expected nil schedule for panic-causing schedule %q, but got: %v", schedule, sched)
+			}
+
+			// Error message should contain "invalid schedule format"
+			errMsg := err.Error()
+			if !strings.Contains(errMsg, "invalid schedule format") {
+				t.Errorf("Expected error message to contain 'invalid schedule format', but got: %s", errMsg)
+			}
+		})
+	}
+}
diff --git a/pkg/util/tolerations/tolerations_test.go b/pkg/util/tolerations/tolerations_test.go
index ea072ebde3be2..bbfd5b29f43dc 100644
--- a/pkg/util/tolerations/tolerations_test.go
+++ b/pkg/util/tolerations/tolerations_test.go
@@ -341,7 +341,7 @@ func TestFuzzed(t *testing.T) {
 			gen.TolerationSeconds = ptr.To[int64](r.Int63n(10))
 		}
 		// Ensure only valid tolerations are generated.
-		require.NoError(t, validation.ValidateTolerations([]api.Toleration{gen}, field.NewPath("")).ToAggregate(), "%#v", gen)
+		require.NoError(t, validation.ValidateTolerations([]api.Toleration{gen}, field.NewPath(""), validation.PodValidationOptions{}).ToAggregate(), "%#v", gen)
 		return gen
 	}
 	genTolerations := func() []api.Toleration {
diff --git a/pkg/volume/csi/csi_attacher.go b/pkg/volume/csi/csi_attacher.go
index c4fd435064f1c..816da41bd2972 100644
--- a/pkg/volume/csi/csi_attacher.go
+++ b/pkg/volume/csi/csi_attacher.go
@@ -356,7 +356,7 @@ func (c *csiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMo
 		return nil
 	}
 
-	//TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
+	// TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
 	accessMode := v1.ReadWriteOnce
 	if spec.PersistentVolume.Spec.AccessModes != nil {
 		accessMode = spec.PersistentVolume.Spec.AccessModes[0]
diff --git a/pkg/volume/csi/csi_block.go b/pkg/volume/csi/csi_block.go
index 4626751c393c1..2fc1cd388e2a4 100644
--- a/pkg/volume/csi/csi_block.go
+++ b/pkg/volume/csi/csi_block.go
@@ -68,7 +68,6 @@ package csi
 import (
 	"context"
 	"errors"
-	"fmt"
 	"os"
 	"path/filepath"
 
@@ -171,8 +170,8 @@ func (m *csiBlockMapper) stageVolumeForBlock(
 	if csiSource.NodeStageSecretRef != nil {
 		nodeStageSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodeStageSecretRef)
 		if err != nil {
-			return "", fmt.Errorf("failed to get NodeStageSecretRef %s/%s: %v",
-				csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err)
+			return "", volumetypes.NewTransientOperationFailure(log("failed to get NodeStageSecretRef %s/%s: %v",
+				csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err))
 		}
 	}
 
@@ -223,11 +222,11 @@ func (m *csiBlockMapper) publishVolumeForBlock(
 	volAttribs := csiSource.VolumeAttributes
 	podInfoEnabled, err := m.plugin.podInfoEnabled(string(m.driverName))
 	if err != nil {
-		return "", errors.New(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err))
+		return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to assemble volume attributes: %v", err))
 	}
 	volumeLifecycleMode, err := m.plugin.getVolumeLifecycleMode(m.spec)
 	if err != nil {
-		return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err))
+		return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get VolumeLifecycleMode: %v", err))
 	}
 	if podInfoEnabled {
 		volAttribs = mergeMap(volAttribs, getPodInfoAttrs(m.pod, volumeLifecycleMode))
@@ -237,7 +236,7 @@ func (m *csiBlockMapper) publishVolumeForBlock(
 	if csiSource.NodePublishSecretRef != nil {
 		nodePublishSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodePublishSecretRef)
 		if err != nil {
-			return "", errors.New(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v",
+			return "", volumetypes.NewTransientOperationFailure(log("blockMapper.publishVolumeForBlock failed to get NodePublishSecretRef %s/%s: %v",
 				csiSource.NodePublishSecretRef.Namespace, csiSource.NodePublishSecretRef.Name, err))
 		}
 	}
@@ -304,11 +303,11 @@ func (m *csiBlockMapper) SetUpDevice() (string, error) {
 		attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName)
 		attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{})
 		if err != nil {
-			return "", errors.New(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err))
+			return "", volumetypes.NewTransientOperationFailure(log("blockMapper.SetupDevice failed to get volume attachment [id=%v]: %v", attachID, err))
 		}
 	}
 
-	//TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
+	// TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
 	accessMode := v1.ReadWriteOnce
 	if m.spec.PersistentVolume.Spec.AccessModes != nil {
 		accessMode = m.spec.PersistentVolume.Spec.AccessModes[0]
@@ -366,11 +365,11 @@ func (m *csiBlockMapper) MapPodDevice() (string, error) {
 		attachID := getAttachmentName(csiSource.VolumeHandle, csiSource.Driver, nodeName)
 		attachment, err = m.k8s.StorageV1().VolumeAttachments().Get(context.TODO(), attachID, meta.GetOptions{})
 		if err != nil {
-			return "", errors.New(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err))
+			return "", volumetypes.NewTransientOperationFailure(log("blockMapper.MapPodDevice failed to get volume attachment [id=%v]: %v", attachID, err))
 		}
 	}
 
-	//TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
+	// TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
 	accessMode := v1.ReadWriteOnce
 	if m.spec.PersistentVolume.Spec.AccessModes != nil {
 		accessMode = m.spec.PersistentVolume.Spec.AccessModes[0]
diff --git a/pkg/volume/csi/csi_block_test.go b/pkg/volume/csi/csi_block_test.go
index 3b06ff1c7c771..deffc6b39f902 100644
--- a/pkg/volume/csi/csi_block_test.go
+++ b/pkg/volume/csi/csi_block_test.go
@@ -18,6 +18,7 @@ package csi
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -491,6 +492,46 @@ func TestBlockMapperMapPodDeviceNoClientError(t *testing.T) {
 	}
 }
 
+func TestBlockMapperMapPodDeviceGetStageSecretsError(t *testing.T) {
+	transientError := volumetypes.NewTransientOperationFailure("")
+	plug, tmpDir := newTestPlugin(t, nil)
+	defer func() {
+		if err := os.RemoveAll(tmpDir); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	csiMapper, _, pv, err := prepareBlockMapperTest(plug, "test-pv", t)
+	if err != nil {
+		t.Fatalf("Failed to make a new Mapper: %v", err)
+	}
+
+	// set a stage secret for the pv
+	pv.Spec.PersistentVolumeSource.CSI.NodePublishSecretRef = &api.SecretReference{
+		Name:      "foo",
+		Namespace: "default",
+	}
+	pvName := pv.GetName()
+	nodeName := string(plug.host.GetNodeName())
+
+	csiMapper.csiClient = setupClient(t, true)
+
+	attachID := getAttachmentName(csiMapper.volumeID, string(csiMapper.driverName), nodeName)
+	attachment := makeTestAttachment(attachID, nodeName, pvName)
+	attachment.Status.Attached = true
+	if _, err = csiMapper.k8s.StorageV1().VolumeAttachments().Create(context.Background(), attachment, metav1.CreateOptions{}); err != nil {
+		t.Fatalf("failed to setup VolumeAttachment: %v", err)
+	}
+	t.Log("created attachment ", attachID)
+
+	_, err = csiMapper.MapPodDevice()
+	if err == nil {
+		t.Errorf("test should fail, but no error occurred")
+	} else if !errors.As(err, &transientError) {
+		t.Errorf("expected a transient error but got %v", err)
+	}
+}
+
 func TestBlockMapperTearDownDevice(t *testing.T) {
 	plug, tmpDir := newTestPlugin(t, nil)
 	defer os.RemoveAll(tmpDir)
diff --git a/pkg/volume/csi/csi_mounter.go b/pkg/volume/csi/csi_mounter.go
index fa8a8e5878989..f8760280dcb0e 100644
--- a/pkg/volume/csi/csi_mounter.go
+++ b/pkg/volume/csi/csi_mounter.go
@@ -172,7 +172,7 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 			secretRef = pvSrc.NodePublishSecretRef
 		}
 
-		//TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
+		// TODO (vladimirvivien) implement better AccessModes mapping between k8s and CSI
 		if c.spec.PersistentVolume.Spec.AccessModes != nil {
 			accessMode = c.spec.PersistentVolume.Spec.AccessModes[0]
 		}
@@ -233,12 +233,19 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 		volAttribs = mergeMap(volAttribs, getPodInfoAttrs(c.pod, c.volumeLifecycleMode))
 	}
 
-	// Inject pod service account token into volume attributes
-	serviceAccountTokenAttrs, err := c.podServiceAccountTokenAttrs()
+	serviceAccountTokenAttrs, serviceAccountTokenInSecrets, err := c.podServiceAccountTokenAttrs()
 	if err != nil {
 		return volumetypes.NewTransientOperationFailure(log("mounter.SetUpAt failed to get service accoount token attributes: %v", err))
 	}
-	volAttribs = mergeMap(volAttribs, serviceAccountTokenAttrs)
+
+	// Inject service account token information into
+	// 1. volume_attributes (default behavior)
+	// 2. node_publish_secrets (if ServiceAccountTokenInSecrets is true in the CSIDriver spec)
+	if serviceAccountTokenInSecrets {
+		nodePublishSecrets = mergeMap(nodePublishSecrets, serviceAccountTokenAttrs)
+	} else {
+		volAttribs = mergeMap(volAttribs, serviceAccountTokenAttrs)
+	}
 
 	driverSupportsCSIVolumeMountGroup := false
 	var nodePublishFSGroupArg *int64
@@ -348,22 +355,22 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 	return nil
 }
 
-func (c *csiMountMgr) podServiceAccountTokenAttrs() (map[string]string, error) {
+func (c *csiMountMgr) podServiceAccountTokenAttrs() (map[string]string, bool, error) {
 	if c.plugin.serviceAccountTokenGetter == nil {
-		return nil, errors.New("ServiceAccountTokenGetter is nil")
+		return nil, false, errors.New("ServiceAccountTokenGetter is nil")
 	}
 
 	csiDriver, err := c.plugin.csiDriverLister.Get(string(c.driverName))
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			klog.V(5).Info(log("CSIDriver %q not found, not adding service account token information", c.driverName))
-			return nil, nil
+			return nil, false, nil
 		}
-		return nil, err
+		return nil, false, err
 	}
 
 	if len(csiDriver.Spec.TokenRequests) == 0 {
-		return nil, nil
+		return nil, false, nil
 	}
 
 	outputs := map[string]authenticationv1.TokenRequestStatus{}
@@ -386,17 +393,26 @@ func (c *csiMountMgr) podServiceAccountTokenAttrs() (map[string]string, error) {
 			},
 		})
 		if err != nil {
-			return nil, err
+			return nil, false, err
 		}
 
 		outputs[audience] = tr.Status
 	}
 
 	klog.V(4).Info(log("Fetched service account token attrs for CSIDriver %q", c.driverName))
-	tokens, _ := json.Marshal(outputs)
+	tokens, err := json.Marshal(outputs)
+	if err != nil {
+		return nil, false, err
+	}
+
+	var serviceAccountTokenInSecrets bool
+	if csiDriver.Spec.ServiceAccountTokenInSecrets != nil && *csiDriver.Spec.ServiceAccountTokenInSecrets {
+		serviceAccountTokenInSecrets = true
+	}
+
 	return map[string]string{
 		"csi.storage.k8s.io/serviceAccount.tokens": string(tokens),
-	}, nil
+	}, serviceAccountTokenInSecrets, nil
 }
 
 func (c *csiMountMgr) GetAttributes() volume.Attributes {
diff --git a/pkg/volume/csi/csi_mounter_test.go b/pkg/volume/csi/csi_mounter_test.go
index dedc6195f7f4b..62aecb809f0b1 100644
--- a/pkg/volume/csi/csi_mounter_test.go
+++ b/pkg/volume/csi/csi_mounter_test.go
@@ -49,6 +49,7 @@ import (
 	volumetypes "k8s.io/kubernetes/pkg/volume/util/types"
 	"k8s.io/mount-utils"
 	testingexec "k8s.io/utils/exec/testing"
+	"k8s.io/utils/ptr"
 )
 
 var (
@@ -1295,6 +1296,7 @@ func TestPodServiceAccountTokenAttrs(t *testing.T) {
 		driver            *storage.CSIDriver
 		volumeContext     map[string]string
 		wantVolumeContext map[string]string
+		wantSecrets       map[string]string
 	}{
 		{
 			desc: "csi driver has no ServiceAccountToken",
@@ -1338,6 +1340,23 @@ func TestPodServiceAccountTokenAttrs(t *testing.T) {
 			},
 			wantVolumeContext: map[string]string{"csi.storage.k8s.io/serviceAccount.tokens": `{"gcp":{"token":"test-ns:test-service-account:3600:[gcp]","expirationTimestamp":"1970-01-01T00:00:01Z"}}`},
 		},
+		{
+			desc: "service account token in secrets",
+			driver: &storage.CSIDriver{
+				ObjectMeta: meta.ObjectMeta{
+					Name: testDriver,
+				},
+				Spec: storage.CSIDriverSpec{
+					ServiceAccountTokenInSecrets: ptr.To(true),
+					TokenRequests: []storage.TokenRequest{
+						{
+							Audience: gcp,
+						},
+					},
+				},
+			},
+			wantSecrets: map[string]string{"gcp": "test-ns:test-service-account:3600:[gcp]"},
+		},
 	}
 
 	for _, test := range tests {
diff --git a/pkg/volume/csi/nodeinfomanager/nodeinfomanager.go b/pkg/volume/csi/nodeinfomanager/nodeinfomanager.go
index 1bff173c5fe76..ba1bde76a2dda 100644
--- a/pkg/volume/csi/nodeinfomanager/nodeinfomanager.go
+++ b/pkg/volume/csi/nodeinfomanager/nodeinfomanager.go
@@ -63,6 +63,7 @@ var (
 // the Node and CSINode objects.
 type nodeInfoManager struct {
 	nodeName        types.NodeName
+	nodeID          types.UID
 	volumeHost      volume.VolumeHost
 	migratedPlugins map[string](func() bool)
 	// lock protects changes to node.
@@ -402,6 +403,10 @@ func (nim *nodeInfoManager) tryUpdateCSINode(
 		return err
 	}
 
+	if err = nim.ensureNodeOwnsCSINode(nodeInfo); err != nil {
+		return err
+	}
+
 	return nim.installDriverToCSINode(nodeInfo, driverName, driverNodeID, maxAttachLimit, topology)
 }
 
@@ -430,6 +435,12 @@ func (nim *nodeInfoManager) tryInitializeCSINodeWithAnnotation(csiKubeClient cli
 	nim.lock.Lock()
 	defer nim.lock.Unlock()
 
+	node, err := csiKubeClient.CoreV1().Nodes().Get(context.TODO(), string(nim.nodeName), metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	nim.nodeID = node.UID
+
 	nodeInfo, err := csiKubeClient.StorageV1().CSINodes().Get(context.TODO(), string(nim.nodeName), metav1.GetOptions{})
 	if nodeInfo == nil || errors.IsNotFound(err) {
 		// CreateCSINode will set the annotation
@@ -439,6 +450,10 @@ func (nim *nodeInfoManager) tryInitializeCSINodeWithAnnotation(csiKubeClient cli
 		return err
 	}
 
+	if err = nim.ensureNodeOwnsCSINode(nodeInfo); err != nil {
+		return err
+	}
+
 	annotationModified := setMigrationAnnotation(nim.migratedPlugins, nodeInfo)
 
 	if annotationModified {
@@ -449,6 +464,44 @@ func (nim *nodeInfoManager) tryInitializeCSINodeWithAnnotation(csiKubeClient cli
 
 }
 
+// ensureNodeOwnsCSINode will ensure that the current CSINode object is owned by the node represented by this nodeInfoManager.
+// If not, it will delete the existing CSINode object and return an error.
+func (nim *nodeInfoManager) ensureNodeOwnsCSINode(nodeInfo *storagev1.CSINode) error {
+	if ok, csiNodeOwnerID := nim.nodeOwnsCSINode(nodeInfo); !ok {
+		klog.V(2).Infof("existing CSINode %q is owned by different node (oldNodeID=%q, newNodeID=%q), cleaning up...", nodeInfo.Name, csiNodeOwnerID, nim.nodeID)
+		err := nim.DeleteCSINode()
+		if err != nil {
+			return fmt.Errorf("error deleting existing CSINode %q: %w", nodeInfo.Name, err)
+		}
+		// Returning now so that the next attempt can create a new CSINode object
+		return fmt.Errorf("CSINode %q was owned by different node (oldNodeID=%q, newNodeID=%q), deleted it", nodeInfo.Name, csiNodeOwnerID, nim.nodeID)
+	}
+	return nil
+}
+
+// nodeOwnsCSINode checks if the CSINode object is owned by the node represented by this nodeInfoManager.
+// It also returns the current owner UID.
+func (nim *nodeInfoManager) nodeOwnsCSINode(nodeInfo *storagev1.CSINode) (bool, types.UID) {
+	var csiNodeOwnerID types.UID
+	var found bool
+	for _, ownerRef := range nodeInfo.OwnerReferences {
+		if ownerRef.Kind != nodeKind.Kind {
+			continue
+		}
+
+		csiNodeOwnerID = ownerRef.UID
+		if ownerRef.Name != string(nim.nodeName) {
+			continue
+		}
+
+		if csiNodeOwnerID == nim.nodeID {
+			found = true
+			break
+		}
+	}
+	return found, csiNodeOwnerID
+}
+
 func (nim *nodeInfoManager) CreateCSINode() (*storagev1.CSINode, error) {
 
 	csiKubeClient := nim.volumeHost.GetKubeClient()
@@ -456,11 +509,6 @@ func (nim *nodeInfoManager) CreateCSINode() (*storagev1.CSINode, error) {
 		return nil, fmt.Errorf("error getting CSI client")
 	}
 
-	node, err := csiKubeClient.CoreV1().Nodes().Get(context.TODO(), string(nim.nodeName), metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-
 	nodeInfo := &storagev1.CSINode{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: string(nim.nodeName),
@@ -468,8 +516,8 @@ func (nim *nodeInfoManager) CreateCSINode() (*storagev1.CSINode, error) {
 				{
 					APIVersion: nodeKind.Version,
 					Kind:       nodeKind.Kind,
-					Name:       node.Name,
-					UID:        node.UID,
+					Name:       string(nim.nodeName),
+					UID:        nim.nodeID,
 				},
 			},
 		},
@@ -483,6 +531,16 @@ func (nim *nodeInfoManager) CreateCSINode() (*storagev1.CSINode, error) {
 	return csiKubeClient.StorageV1().CSINodes().Create(context.TODO(), nodeInfo, metav1.CreateOptions{})
 }
 
+func (nim *nodeInfoManager) DeleteCSINode() error {
+
+	csiKubeClient := nim.volumeHost.GetKubeClient()
+	if csiKubeClient == nil {
+		return fmt.Errorf("error getting CSI client")
+	}
+
+	return csiKubeClient.StorageV1().CSINodes().Delete(context.TODO(), string(nim.nodeName), metav1.DeleteOptions{})
+}
+
 func setMigrationAnnotation(migratedPlugins map[string](func() bool), nodeInfo *storagev1.CSINode) (modified bool) {
 	if migratedPlugins == nil {
 		return false
diff --git a/pkg/volume/csi/nodeinfomanager/nodeinfomanager_test.go b/pkg/volume/csi/nodeinfomanager/nodeinfomanager_test.go
index 7b414223c7555..8e909d7e29cb1 100644
--- a/pkg/volume/csi/nodeinfomanager/nodeinfomanager_test.go
+++ b/pkg/volume/csi/nodeinfomanager/nodeinfomanager_test.go
@@ -56,6 +56,7 @@ type testcase struct {
 	expectedCSINode  *storage.CSINode
 	expectFail       bool
 	hasModified      bool
+	migratedPlugins  map[string](func() bool)
 }
 
 type nodeIDMap map[string]string
@@ -307,6 +308,83 @@ func TestInstallCSIDriver(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "pre-existing node info, but owned by previous node",
+			existingNode: func() *v1.Node {
+				node := generateNode(nil /*nodeIDs*/, nil /*labels*/, nil /*capacity*/)
+				node.UID = types.UID("node1")
+				return node
+			}(),
+			existingCSINode: func() *storage.CSINode {
+				csiNode := generateCSINode(nil /*nodeIDs*/, nil /*volumeLimits*/, nil /*topologyKeys*/)
+				csiNode.OwnerReferences[0].UID = types.UID("node2")
+				return csiNode
+			}(),
+			migratedPlugins: map[string](func() bool){
+				"com.example.csi.driver1": func() bool { return true },
+			},
+			inputNodeID: "com.example.csi/csi-node1",
+			expectedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node1",
+					UID:         types.UID("node1"),
+					Annotations: map[string]string{annotationKeyNodeID: marshall(nodeIDMap{"": "com.example.csi/csi-node1"})},
+				},
+			},
+			expectedCSINode: func() *storage.CSINode {
+				csiNode := &storage.CSINode{
+					ObjectMeta: getCSINodeObjectMeta(),
+					Spec: storage.CSINodeSpec{
+						Drivers: []storage.CSINodeDriver{
+							{
+								NodeID: "com.example.csi/csi-node1",
+							},
+						},
+					},
+				}
+				csiNode.Annotations = map[string]string{v1.MigratedPluginsAnnotationKey: "com.example.csi.driver1"}
+				return csiNode
+			}(),
+		},
+		{
+			name: "pre-existing node info with driver, but owned by previous node",
+			existingNode: func() *v1.Node {
+				node := generateNode(nil /*nodeIDs*/, nil /*labels*/, nil /*capacity*/)
+				node.UID = types.UID("node1")
+				return node
+			}(),
+			existingCSINode: func() *storage.CSINode {
+				csiNode := generateCSINode(
+					nodeIDMap{
+						"com.example.csi.old-driver": "com.example.csi/csi-node2",
+					},
+					nil /*volumeLimits*/, nil, /*topologyKeys*/
+				)
+				csiNode.OwnerReferences[0].UID = types.UID("node2")
+				return csiNode
+			}(),
+			driverName:  "com.example.csi.driver1",
+			inputNodeID: "com.example.csi/csi-node1",
+			expectedNode: &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "node1",
+					UID:         types.UID("node1"),
+					Annotations: map[string]string{annotationKeyNodeID: marshall(nodeIDMap{"com.example.csi.driver1": "com.example.csi/csi-node1"})},
+				},
+			},
+			expectedCSINode: &storage.CSINode{
+				ObjectMeta: getCSINodeObjectMeta(),
+				Spec: storage.CSINodeSpec{
+					Drivers: []storage.CSINodeDriver{
+						{
+							// Only the new driver should be present because the old CSINode represented a previous node.
+							Name:   "com.example.csi.driver1",
+							NodeID: "com.example.csi/csi-node1",
+						},
+					},
+				},
+			},
+		},
 		{
 			name:          "nil topology, empty node",
 			driverName:    "com.example.csi.driver1",
@@ -1029,7 +1107,7 @@ func test(t *testing.T, addNodeInfo bool, testcases []testcase) {
 			nil,
 			nil,
 		)
-		nim := NewNodeInfoManager(types.NodeName(nodeName), host, nil)
+		nim := NewNodeInfoManager(types.NodeName(nodeName), host, tc.migratedPlugins)
 
 		//// Act
 		nim.CreateCSINode()
diff --git a/pkg/volume/emptydir/empty_dir.go b/pkg/volume/emptydir/empty_dir.go
index 024b12a0022cc..d5c29b182fed5 100644
--- a/pkg/volume/emptydir/empty_dir.go
+++ b/pkg/volume/emptydir/empty_dir.go
@@ -112,14 +112,8 @@ func (plugin *emptyDirPlugin) NewMounter(spec *volume.Spec, pod *v1.Pod) (volume
 }
 
 func calculateEmptyDirMemorySize(nodeAllocatableMemory *resource.Quantity, spec *volume.Spec, pod *v1.Pod) *resource.Quantity {
-	// if feature is disabled, continue the default behavior of linux host default
-	sizeLimit := &resource.Quantity{}
-	if !utilfeature.DefaultFeatureGate.Enabled(features.SizeMemoryBackedVolumes) {
-		return sizeLimit
-	}
-
 	// size limit defaults to node allocatable (pods can't consume more memory than all pods)
-	sizeLimit = nodeAllocatableMemory
+	sizeLimit := nodeAllocatableMemory
 	zero := resource.MustParse("0")
 
 	// determine pod resource allocation
diff --git a/pkg/volume/hostpath/host_path.go b/pkg/volume/hostpath/host_path.go
index bdc3a3e623bfd..b167c932a185d 100644
--- a/pkg/volume/hostpath/host_path.go
+++ b/pkg/volume/hostpath/host_path.go
@@ -29,7 +29,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/util"
 	"k8s.io/kubernetes/pkg/volume/util/hostutil"
@@ -326,7 +326,7 @@ func (r *hostPathProvisioner) Provision(selectedNode *v1.Node, allowedTopologies
 		return nil, err
 	}
 	if selinux.GetEnabled() {
-		err := selinux.SetFileLabel(pv.Spec.HostPath.Path, config.KubeletContainersSharedSELinuxLabel)
+		err := selinux.SetFileLabel(pv.Spec.HostPath.Path, kubeletconfig.KubeletContainersSharedSELinuxLabel)
 		if err != nil {
 			return nil, fmt.Errorf("failed to set selinux label for %q: %v", pv.Spec.HostPath.Path, err)
 		}
diff --git a/pkg/volume/iscsi/iscsi_util.go b/pkg/volume/iscsi/iscsi_util.go
index b51127aa92f96..c876164feda06 100644
--- a/pkg/volume/iscsi/iscsi_util.go
+++ b/pkg/volume/iscsi/iscsi_util.go
@@ -34,7 +34,7 @@ import (
 	utilexec "k8s.io/utils/exec"
 
 	v1 "k8s.io/api/core/v1"
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/volume"
 	volumeutil "k8s.io/kubernetes/pkg/volume/util"
 	"k8s.io/kubernetes/pkg/volume/util/types"
@@ -939,7 +939,7 @@ func getVolCount(dir, portal, iqn string) (int, error) {
 	// portal + iqn, e.g., 127.0.0.1:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-2
 	var counter int
 	for _, c := range contents {
-		if !c.IsDir() || c.Name() == config.DefaultKubeletVolumeDevicesDirName {
+		if !c.IsDir() || c.Name() == kubeletconfig.DefaultKubeletVolumeDevicesDirName {
 			continue
 		}
 
diff --git a/pkg/volume/iscsi/iscsi_util_test.go b/pkg/volume/iscsi/iscsi_util_test.go
index 7ab361a41795d..4d3906b509faf 100644
--- a/pkg/volume/iscsi/iscsi_util_test.go
+++ b/pkg/volume/iscsi/iscsi_util_test.go
@@ -28,7 +28,7 @@ import (
 
 	testingexec "k8s.io/utils/exec/testing"
 
-	"k8s.io/kubernetes/pkg/kubelet/config"
+	"k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
 	"k8s.io/kubernetes/pkg/volume"
 	volumetest "k8s.io/kubernetes/pkg/volume/testing"
 )
@@ -414,7 +414,7 @@ func TestGetVolCount(t *testing.T) {
 		},
 		{
 			name:    "volumeDevices (block) volume",
-			baseDir: filepath.Join(baseDir, config.DefaultKubeletVolumeDevicesDirName),
+			baseDir: filepath.Join(baseDir, kubeletconfig.DefaultKubeletVolumeDevicesDirName),
 			portal:  "192.168.0.2:3260",
 			iqn:     "iqn.2003-01.io.k8s:e2e.volume-1-lun-4",
 			count:   1,
@@ -451,8 +451,8 @@ func createFakePluginDirs() (string, error) {
 		"iface-127.0.0.1:3260:pv1/127.0.0.1:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-3",
 		"iface-127.0.0.1:3260:pv2/127.0.0.1:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-2",
 		"iface-127.0.0.1:3260:pv2/192.168.0.1:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-1",
-		filepath.Join(config.DefaultKubeletVolumeDevicesDirName, "iface-127.0.0.1:3260/192.168.0.2:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-4"),
-		filepath.Join(config.DefaultKubeletVolumeDevicesDirName, "iface-127.0.0.1:3260/192.168.0.3:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-5"),
+		filepath.Join(kubeletconfig.DefaultKubeletVolumeDevicesDirName, "iface-127.0.0.1:3260/192.168.0.2:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-4"),
+		filepath.Join(kubeletconfig.DefaultKubeletVolumeDevicesDirName, "iface-127.0.0.1:3260/192.168.0.3:3260-iqn.2003-01.io.k8s:e2e.volume-1-lun-5"),
 	}
 
 	for _, d := range subdirs {
diff --git a/pkg/volume/testing/testing.go b/pkg/volume/testing/testing.go
index a897bab3a6a88..e96df4eb0f9d2 100644
--- a/pkg/volume/testing/testing.go
+++ b/pkg/volume/testing/testing.go
@@ -63,7 +63,7 @@ const (
 	TimeoutOnSetupVolumeName = "timeout-setup-volume"
 	// FailOnSetupVolumeName will cause setup call to fail
 	FailOnSetupVolumeName = "fail-setup-volume"
-	//TimeoutAndFailOnSetupVolumeName will first timeout and then fail the setup
+	// TimeoutAndFailOnSetupVolumeName will first timeout and then fail the setup
 	TimeoutAndFailOnSetupVolumeName = "timeout-and-fail-setup-volume"
 	// SuccessAndTimeoutSetupVolumeName will cause first mount operation to succeed but subsequent attempts to timeout
 	SuccessAndTimeoutSetupVolumeName = "success-and-timeout-setup-volume-name"
diff --git a/pkg/volume/util/fsquota/common/quota_common_linux_impl.go b/pkg/volume/util/fsquota/common/quota_common_linux_impl.go
index 5e8e3850cfe5d..a995966239309 100644
--- a/pkg/volume/util/fsquota/common/quota_common_linux_impl.go
+++ b/pkg/volume/util/fsquota/common/quota_common_linux_impl.go
@@ -71,9 +71,11 @@ var (
 type VolumeProvider struct {
 }
 
-var quotaCmds = []string{"/sbin/xfs_quota",
+var quotaCmds = []string{
+	"/sbin/xfs_quota",
 	"/usr/sbin/xfs_quota",
-	"/bin/xfs_quota"}
+	"/bin/xfs_quota",
+}
 
 var quotaParseRegexp = regexp.MustCompilePOSIX("^[^ \t]*[ \t]*([0-9]+)")
 
diff --git a/pkg/volume/util/fsquota/quota_linux.go b/pkg/volume/util/fsquota/quota_linux.go
index ef24cedb24975..6ddf4d4d50faa 100644
--- a/pkg/volume/util/fsquota/quota_linux.go
+++ b/pkg/volume/util/fsquota/quota_linux.go
@@ -158,6 +158,12 @@ func clearMountpoint(path string) {
 	delete(mountpointMap, path)
 }
 
+func clearSupportsQuotas(path string) {
+	supportsQuotasLock.Lock()
+	defer supportsQuotasLock.Unlock()
+	delete(supportsQuotasMap, path)
+}
+
 // getFSInfo Returns mountpoint and backing device
 // getFSInfo should cache the mountpoint and backing device for the
 // path.
@@ -430,7 +436,7 @@ func ClearQuota(m mount.Interface, path string, userNamespacesEnabled bool) erro
 		// stale directory, so if we find a quota, just remove it.
 		// The process of clearing the quota requires that an applier
 		// be found, which needs to be cleaned up.
-		defer delete(supportsQuotasMap, path)
+		defer clearSupportsQuotas(path)
 		defer clearApplier(path)
 		return clearQuotaOnDir(m, path, userNamespacesEnabled)
 	}
@@ -467,7 +473,7 @@ func ClearQuota(m mount.Interface, path string, userNamespacesEnabled bool) erro
 	}
 	delete(dirPodMap, path)
 	delete(dirQuotaMap, path)
-	delete(supportsQuotasMap, path)
+	clearSupportsQuotas(path)
 	clearApplier(path)
 	if err != nil {
 		return fmt.Errorf("unable to clear quota for %s: %v", path, err)
diff --git a/pkg/volume/util/nested_volumes.go b/pkg/volume/util/nested_volumes.go
index 27a6c29cd9864..e059f43b092a5 100644
--- a/pkg/volume/util/nested_volumes.go
+++ b/pkg/volume/util/nested_volumes.go
@@ -50,7 +50,7 @@ func getNestedMountpoints(name, baseDir string, pod v1.Pod) ([]string, error) {
 				// Don't let a container trick us into creating directories outside of its rootfs
 				return fmt.Errorf("invalid container mount point %v", myMountPoint)
 			}
-			myMPSlash := myMountPoint + string(os.PathSeparator)
+			myMountPointWithSlash := myMountPoint + string(os.PathSeparator)
 			// The previously found nested mountpoints.
 			// NOTE: We can't simply rely on sort.Strings to have all the mountpoints sorted and
 			// grouped. For example, the following strings are sorted in this exact order:
@@ -64,7 +64,7 @@ func getNestedMountpoints(name, baseDir string, pod v1.Pod) ([]string, error) {
 			// For example, if this volume is mounted as /dir and other volumes are mounted
 			//              as /dir/nested and /dir/nested/other, only create /dir/nested.
 			for _, mp := range allMountPoints {
-				if !strings.HasPrefix(mp, myMPSlash) {
+				if !strings.HasPrefix(mp, myMountPointWithSlash) {
 					continue // skip -- not nested beneath myMountPoint
 				}
 
@@ -80,7 +80,7 @@ func getNestedMountpoints(name, baseDir string, pod v1.Pod) ([]string, error) {
 				}
 				// since this mount point is nested, remember it so that we can check that following ones aren't nested beneath this one
 				prevNestedMPs = append(prevNestedMPs, mp+string(os.PathSeparator))
-				retval = append(retval, mp[len(myMPSlash):])
+				retval = append(retval, mp[len(myMountPointWithSlash):])
 			}
 		}
 		return nil
diff --git a/pkg/volume/util/operationexecutor/operation_executor.go b/pkg/volume/util/operationexecutor/operation_executor.go
index 462aafd00ed70..4100b0ae897e9 100644
--- a/pkg/volume/util/operationexecutor/operation_executor.go
+++ b/pkg/volume/util/operationexecutor/operation_executor.go
@@ -169,7 +169,6 @@ type MarkVolumeOpts struct {
 	VolumeName          v1.UniqueVolumeName
 	Mounter             volume.Mounter
 	BlockVolumeMapper   volume.BlockVolumeMapper
-	OuterVolumeSpecName string
 	VolumeGIDVolume     string
 	VolumeSpec          *volume.Spec
 	VolumeMountState    VolumeMountState
@@ -303,7 +302,7 @@ type VolumeLogger interface {
 	GenerateError(prefixMsg string, err error) (simpleErr, detailedErr error)
 }
 
-// Generates an error string with the format ": <err>" if err exists
+// errSuffix generates an error string with the format ": <err>" if err exists
 func errSuffix(err error) string {
 	errStr := ""
 	if err != nil {
@@ -312,12 +311,12 @@ func errSuffix(err error) string {
 	return errStr
 }
 
-// Generate a detailed error msg for logs
+// generateVolumeMsgDetailed generates a detailed error msg for logs
 func generateVolumeMsgDetailed(prefixMsg, suffixMsg, volumeName, details string) (detailedMsg string) {
 	return fmt.Sprintf("%v for volume %q %v %v", prefixMsg, volumeName, details, suffixMsg)
 }
 
-// Generate a simplified error msg for events and a detailed error msg for logs
+// generateVolumeMsg generates a simplified error msg for events and a detailed error msg for logs
 func generateVolumeMsg(prefixMsg, suffixMsg, volumeName, details string) (simpleMsg, detailedMsg string) {
 	simpleMsg = fmt.Sprintf("%v for volume %q %v", prefixMsg, volumeName, suffixMsg)
 	return simpleMsg, generateVolumeMsgDetailed(prefixMsg, suffixMsg, volumeName, details)
@@ -422,10 +421,8 @@ type VolumeToMount struct {
 	// InnerVolumeSpecName.
 	VolumeSpec *volume.Spec
 
-	// outerVolumeSpecName is the podSpec.Volume[x].Name of the volume. If the
-	// volume was referenced through a persistent volume claim, this contains
-	// the podSpec.Volume[x].Name of the persistent volume claim.
-	OuterVolumeSpecName string
+	// outerVolumeSpecNames are the podSpec.Volume[x].Name of the volume.
+	OuterVolumeSpecNames []string
 
 	// Pod to mount the volume to. Used to create NewMounter.
 	Pod *v1.Pod
@@ -679,44 +676,6 @@ type MountedVolume struct {
 	//     	   fsType: ext4
 	InnerVolumeSpecName string
 
-	// outerVolumeSpecName is the podSpec.Volume[x].Name of the volume. If the
-	// volume was referenced through a persistent volume claim, this contains
-	// the podSpec.Volume[x].Name of the persistent volume claim.
-	// PVC example:
-	//   kind: Pod
-	//   apiVersion: v1
-	//   metadata:
-	//     name: mypod
-	//   spec:
-	//     containers:
-	//       - name: myfrontend
-	//         image: dockerfile/nginx
-	//         volumeMounts:
-	//         - mountPath: "/var/www/html"
-	//           name: mypd
-	//     volumes:
-	//       - name: mypd				<- OuterVolumeSpecName
-	//         persistentVolumeClaim:
-	//           claimName: myclaim
-	// Non-PVC example:
-	//   apiVersion: v1
-	//   kind: Pod
-	//   metadata:
-	//     name: test-pd
-	//   spec:
-	//     containers:
-	//     - image: registry.k8s.io/test-webserver
-	//     	 name: test-container
-	//     	 volumeMounts:
-	//     	 - mountPath: /test-pd
-	//     	   name: test-volume
-	//     volumes:
-	//     - name: test-volume			<- OuterVolumeSpecName
-	//     	 gcePersistentDisk:
-	//     	   pdName: my-data-disk
-	//     	   fsType: ext4
-	OuterVolumeSpecName string
-
 	// PluginName is the "Unescaped Qualified" name of the volume plugin used to
 	// mount and unmount this volume. It can be used to fetch the volume plugin
 	// to unmount with, on demand. It is also the name that plugins use, though
@@ -758,13 +717,13 @@ type MountedVolume struct {
 // GenerateMsgDetailed returns detailed msgs for mounted volumes
 func (volume *MountedVolume) GenerateMsgDetailed(prefixMsg, suffixMsg string) (detailedMsg string) {
 	detailedStr := fmt.Sprintf("(UniqueName: %q) pod %q (UID: %q)", volume.VolumeName, volume.PodName, volume.PodUID)
-	return generateVolumeMsgDetailed(prefixMsg, suffixMsg, volume.OuterVolumeSpecName, detailedStr)
+	return generateVolumeMsgDetailed(prefixMsg, suffixMsg, string(volume.VolumeName), detailedStr)
 }
 
 // GenerateMsg returns simple and detailed msgs for mounted volumes
 func (volume *MountedVolume) GenerateMsg(prefixMsg, suffixMsg string) (simpleMsg, detailedMsg string) {
 	detailedStr := fmt.Sprintf("(UniqueName: %q) pod %q (UID: %q)", volume.VolumeName, volume.PodName, volume.PodUID)
-	return generateVolumeMsg(prefixMsg, suffixMsg, volume.OuterVolumeSpecName, detailedStr)
+	return generateVolumeMsg(prefixMsg, suffixMsg, string(volume.VolumeName), detailedStr)
 }
 
 // GenerateErrorDetailed returns simple and detailed errors for mounted volumes
diff --git a/pkg/volume/util/operationexecutor/operation_generator.go b/pkg/volume/util/operationexecutor/operation_generator.go
index a79e6cb628b1a..9d5c937d95372 100644
--- a/pkg/volume/util/operationexecutor/operation_generator.go
+++ b/pkg/volume/util/operationexecutor/operation_generator.go
@@ -593,7 +593,6 @@ func (og *operationGenerator) GenerateMountVolumeFunc(
 			PodUID:              volumeToMount.Pod.UID,
 			VolumeName:          volumeToMount.VolumeName,
 			Mounter:             volumeMounter,
-			OuterVolumeSpecName: volumeToMount.OuterVolumeSpecName,
 			VolumeGIDVolume:     volumeToMount.VolumeGIDValue,
 			VolumeSpec:          volumeToMount.VolumeSpec,
 			VolumeMountState:    VolumeMounted,
@@ -759,13 +758,12 @@ func (og *operationGenerator) GenerateUnmountVolumeFunc(
 		if unmountErr != nil {
 			// Mark the volume as uncertain, so SetUp is called for new pods. Teardown may be already in progress.
 			opts := MarkVolumeOpts{
-				PodName:             volumeToUnmount.PodName,
-				PodUID:              volumeToUnmount.PodUID,
-				VolumeName:          volumeToUnmount.VolumeName,
-				OuterVolumeSpecName: volumeToUnmount.OuterVolumeSpecName,
-				VolumeGIDVolume:     volumeToUnmount.VolumeGIDValue,
-				VolumeSpec:          volumeToUnmount.VolumeSpec,
-				VolumeMountState:    VolumeMountUncertain,
+				PodName:          volumeToUnmount.PodName,
+				PodUID:           volumeToUnmount.PodUID,
+				VolumeName:       volumeToUnmount.VolumeName,
+				VolumeGIDVolume:  volumeToUnmount.VolumeGIDValue,
+				VolumeSpec:       volumeToUnmount.VolumeSpec,
+				VolumeMountState: VolumeMountUncertain,
 			}
 			markMountUncertainErr := actualStateOfWorld.MarkVolumeMountAsUncertain(opts)
 			if markMountUncertainErr != nil {
@@ -779,9 +777,8 @@ func (og *operationGenerator) GenerateUnmountVolumeFunc(
 		}
 
 		klog.Infof(
-			"UnmountVolume.TearDown succeeded for volume %q (OuterVolumeSpecName: %q) pod %q (UID: %q). InnerVolumeSpecName %q. PluginName %q, VolumeGIDValue %q",
+			"UnmountVolume.TearDown succeeded for volume %q pod %q (UID: %q). InnerVolumeSpecName %q. PluginName %q, VolumeGIDValue %q",
 			volumeToUnmount.VolumeName,
-			volumeToUnmount.OuterVolumeSpecName,
 			volumeToUnmount.PodName,
 			volumeToUnmount.PodUID,
 			volumeToUnmount.InnerVolumeSpecName,
@@ -1025,14 +1022,13 @@ func (og *operationGenerator) GenerateMapVolumeFunc(
 		}
 
 		markVolumeOpts := MarkVolumeOpts{
-			PodName:             volumeToMount.PodName,
-			PodUID:              volumeToMount.Pod.UID,
-			VolumeName:          volumeToMount.VolumeName,
-			BlockVolumeMapper:   blockVolumeMapper,
-			OuterVolumeSpecName: volumeToMount.OuterVolumeSpecName,
-			VolumeGIDVolume:     volumeToMount.VolumeGIDValue,
-			VolumeSpec:          volumeToMount.VolumeSpec,
-			VolumeMountState:    VolumeMounted,
+			PodName:           volumeToMount.PodName,
+			PodUID:            volumeToMount.Pod.UID,
+			VolumeName:        volumeToMount.VolumeName,
+			BlockVolumeMapper: blockVolumeMapper,
+			VolumeGIDVolume:   volumeToMount.VolumeGIDValue,
+			VolumeSpec:        volumeToMount.VolumeSpec,
+			VolumeMountState:  VolumeMounted,
 		}
 
 		// Call MapPodDevice if blockVolumeMapper implements CustomBlockVolumeMapper
@@ -1199,13 +1195,12 @@ func (og *operationGenerator) GenerateUnmapVolumeFunc(
 		// cases below. The volume is marked as fully un-mapped at the end of this function, when everything
 		// succeeds.
 		markVolumeOpts := MarkVolumeOpts{
-			PodName:             volumeToUnmount.PodName,
-			PodUID:              volumeToUnmount.PodUID,
-			VolumeName:          volumeToUnmount.VolumeName,
-			OuterVolumeSpecName: volumeToUnmount.OuterVolumeSpecName,
-			VolumeGIDVolume:     volumeToUnmount.VolumeGIDValue,
-			VolumeSpec:          volumeToUnmount.VolumeSpec,
-			VolumeMountState:    VolumeMountUncertain,
+			PodName:          volumeToUnmount.PodName,
+			PodUID:           volumeToUnmount.PodUID,
+			VolumeName:       volumeToUnmount.VolumeName,
+			VolumeGIDVolume:  volumeToUnmount.VolumeGIDValue,
+			VolumeSpec:       volumeToUnmount.VolumeSpec,
+			VolumeMountState: VolumeMountUncertain,
 		}
 		markVolumeUncertainErr := actualStateOfWorld.MarkVolumeMountAsUncertain(markVolumeOpts)
 		if markVolumeUncertainErr != nil {
@@ -1234,9 +1229,8 @@ func (og *operationGenerator) GenerateUnmapVolumeFunc(
 		}
 
 		klog.Infof(
-			"UnmapVolume succeeded for volume %q (OuterVolumeSpecName: %q) pod %q (UID: %q). InnerVolumeSpecName %q. PluginName %q, VolumeGIDValue %q",
+			"UnmapVolume succeeded for volume %q pod %q (UID: %q). InnerVolumeSpecName %q. PluginName %q, VolumeGIDValue %q",
 			volumeToUnmount.VolumeName,
-			volumeToUnmount.OuterVolumeSpecName,
 			volumeToUnmount.PodName,
 			volumeToUnmount.PodUID,
 			volumeToUnmount.InnerVolumeSpecName,
@@ -2188,7 +2182,7 @@ func isDeviceOpened(deviceToDetach AttachedVolume, hostUtil hostutil.HostUtils)
 	if !isDevicePath && devicePathErr == nil ||
 		(devicePathErr != nil && strings.Contains(devicePathErr.Error(), "does not exist")) {
 		// not a device path or path doesn't exist
-		//TODO: refer to #36092
+		// TODO: refer to #36092
 		klog.V(3).Infof("The path isn't device path or doesn't exist. Skip checking device path: %s", deviceToDetach.DevicePath)
 		deviceOpened = false
 	} else if devicePathErr != nil {
diff --git a/pkg/volume/util/util.go b/pkg/volume/util/util.go
index 4c77d5a9b0a55..29cc74923549e 100644
--- a/pkg/volume/util/util.go
+++ b/pkg/volume/util/util.go
@@ -676,7 +676,7 @@ func GetReliableMountRefs(mounter mount.Interface, mountPath string) ([]string,
 		}
 		return true, nil
 	})
-	if err == wait.ErrWaitTimeout {
+	if wait.Interrupted(err) {
 		return nil, lastErr
 	}
 	return paths, err
diff --git a/pkg/volume/util/volumepathhandler/volume_path_handler.go b/pkg/volume/util/volumepathhandler/volume_path_handler.go
index 1f468410bf2ba..5eea77007cbed 100644
--- a/pkg/volume/util/volumepathhandler/volume_path_handler.go
+++ b/pkg/volume/util/volumepathhandler/volume_path_handler.go
@@ -130,11 +130,11 @@ func mapBindMountDevice(devicePath string, mapPath string, linkName string) erro
 		// Check if device file
 		// TODO: Need to check if this device file is actually the expected bind mount
 		if file.Mode()&os.ModeDevice == os.ModeDevice {
-			klog.Warningf("Warning: Map skipped because bind mount already exist on the path: %v", linkPath)
+			klog.Warningf("Warning: Map skipped because bind mount already exists on the path: %v", linkPath)
 			return nil
 		}
 
-		klog.Warningf("Warning: file %s is already exist but not mounted, skip creating file", linkPath)
+		klog.Warningf("Warning: file %s already exists but is not mounted, skip creating file", linkPath)
 	}
 
 	// Bind mount file
diff --git a/pkg/volume/volume.go b/pkg/volume/volume.go
index 36814591ccbce..4a6fc55e29bb7 100644
--- a/pkg/volume/volume.go
+++ b/pkg/volume/volume.go
@@ -99,7 +99,7 @@ type Metrics struct {
 	// and will not equal InodesUsed + InodesFree as the fs is shared.
 	Inodes *resource.Quantity
 
-	// InodesFree represent the inodes available for the volume.  For Volumes that share
+	// InodesFree represents the inodes available for the volume. For Volumes that share
 	// a filesystem with the host (e.g. emptydir, hostpath), this is the free inodes
 	// on the underlying storage, and is shared with host processes and other volumes
 	InodesFree *resource.Quantity
diff --git a/pkg/volume/volume_linux.go b/pkg/volume/volume_linux.go
index 0df840cdea959..c3caf8c66c6d5 100644
--- a/pkg/volume/volume_linux.go
+++ b/pkg/volume/volume_linux.go
@@ -252,7 +252,7 @@ func readDirNames(dirname string) ([]string, error) {
 // walkDeep can be used to traverse directories and has two minor differences
 // from filepath.Walk:
 //   - List of files/dirs is not sorted for performance reasons
-//   - callback walkFunc is invoked on root directory after visiting children dirs and files
+//   - callback walkFunc is invoked on root directory after visiting child dirs and files
 func walkDeep(root string, walkFunc filepath.WalkFunc) error {
 	info, err := os.Lstat(root)
 	if err != nil {
diff --git a/pkg/volume/volume_linux_test.go b/pkg/volume/volume_linux_test.go
index ac546ff3a1003..c133b69bcc1bb 100644
--- a/pkg/volume/volume_linux_test.go
+++ b/pkg/volume/volume_linux_test.go
@@ -341,9 +341,9 @@ func TestProgressTracking(t *testing.T) {
 	var permissionSleepDuration = 5 * time.Millisecond
 
 	// Override how often progress is reported
-	progressReportDuration = 200 * time.Millisecond
+	progressReportDuration = 300 * time.Millisecond
 	// Override when first event about progress is reported
-	firstEventReportDuration = 50 * time.Millisecond
+	firstEventReportDuration = 150 * time.Millisecond
 
 	// Override how permission change is applied, so as to artificially slow
 	// permission change
@@ -400,7 +400,7 @@ func TestProgressTracking(t *testing.T) {
 		},
 		{
 			name:                             "When permission change takes loo long and pod is specified",
-			filePermissionChangeTimeDuration: 300 * time.Millisecond,
+			filePermissionChangeTimeDuration: 600 * time.Millisecond,
 			totalWaitTime:                    1 * time.Second,
 			currentPod:                       pod,
 			expectedEvents: []string{
diff --git a/plugin/pkg/admission/defaulttolerationseconds/admission.go b/plugin/pkg/admission/defaulttolerationseconds/admission.go
index 08b22cdb9b16c..03dfffcdc9768 100644
--- a/plugin/pkg/admission/defaulttolerationseconds/admission.go
+++ b/plugin/pkg/admission/defaulttolerationseconds/admission.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"sync"
 
 	"github.com/spf13/pflag"
 	v1 "k8s.io/api/core/v1"
@@ -34,11 +35,21 @@ import (
 const PluginName = "DefaultTolerationSeconds"
 
 var (
+	// tolerationSecondsMutex protects registration and read in InspectFeatureGates, which is
+	// good enough for concurrent use in integration tests as long as the command
+	// line flags are not actually used by some test. In commands the registration,
+	// parsing and InspectFeatureGates are serialized.
+	tolerationSecondsMutex sync.RWMutex
+
 	defaultNotReadyTolerationSeconds    = int64(300)
 	defaultUnreachableTolerationSeconds = int64(300)
 )
 
 func RegisterFlags(fs *pflag.FlagSet) {
+	// Indirect writes of the default value!
+	tolerationSecondsMutex.Lock()
+	defer tolerationSecondsMutex.Unlock()
+
 	fs.Int64Var(&defaultNotReadyTolerationSeconds, "default-not-ready-toleration-seconds", defaultNotReadyTolerationSeconds,
 		"Indicates the tolerationSeconds of the toleration for notReady:NoExecute"+
 			" that is added by default to every pod that does not already have such a toleration.")
@@ -78,17 +89,24 @@ func NewDefaultTolerationSeconds() *Plugin {
 
 // InspectFeatureGates runs after command-line flags have been parsed
 func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
+	// Read the default values while holding a read lock.
+	tolerationSecondsMutex.RLock()
+	defer tolerationSecondsMutex.RUnlock()
+
+	notReadyTolerationSeconds := defaultNotReadyTolerationSeconds
+	unreachableTolerationSeconds := defaultUnreachableTolerationSeconds
+
 	p.notReadyToleration = api.Toleration{
 		Key:               v1.TaintNodeNotReady,
 		Operator:          api.TolerationOpExists,
 		Effect:            api.TaintEffectNoExecute,
-		TolerationSeconds: &defaultNotReadyTolerationSeconds,
+		TolerationSeconds: &notReadyTolerationSeconds,
 	}
 	p.unreachableToleration = api.Toleration{
 		Key:               v1.TaintNodeUnreachable,
 		Operator:          api.TolerationOpExists,
 		Effect:            api.TaintEffectNoExecute,
-		TolerationSeconds: &defaultUnreachableTolerationSeconds,
+		TolerationSeconds: &unreachableTolerationSeconds,
 	}
 }
 
diff --git a/plugin/pkg/admission/defaulttolerationseconds/admission_test.go b/plugin/pkg/admission/defaulttolerationseconds/admission_test.go
index ca170305f55bf..1e1443b460346 100644
--- a/plugin/pkg/admission/defaulttolerationseconds/admission_test.go
+++ b/plugin/pkg/admission/defaulttolerationseconds/admission_test.go
@@ -300,7 +300,7 @@ func TestHandles(t *testing.T) {
 // newHandlerForTest returns a handler configured for testing.
 func newHandlerForTest() (*Plugin, error) {
 	handler := NewDefaultTolerationSeconds()
-	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil)
+	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	return handler, admission.ValidateInitialization(handler)
 }
diff --git a/plugin/pkg/admission/gc/gc_admission_test.go b/plugin/pkg/admission/gc/gc_admission_test.go
index 1127e5385259b..bc02435e5696e 100644
--- a/plugin/pkg/admission/gc/gc_admission_test.go
+++ b/plugin/pkg/admission/gc/gc_admission_test.go
@@ -138,7 +138,7 @@ func newGCPermissionsEnforcement() (*gcPermissionsEnforcement, error) {
 		return nil, fmt.Errorf("unexpected error while constructing resource list from fake discovery client: %v", err)
 	}
 	restMapper := restmapper.NewDiscoveryRESTMapper(restMapperRes)
-	genericPluginInitializer := initializer.New(nil, nil, nil, fakeAuthorizer{}, nil, nil, restMapper)
+	genericPluginInitializer := initializer.New(nil, nil, nil, fakeAuthorizer{}, nil, nil, nil, restMapper)
 	pluginInitializer := controlplaneadmission.NewPluginInitializer(nil, nil)
 	initializersChain := apiserveradmission.PluginInitializers{}
 	initializersChain = append(initializersChain, genericPluginInitializer)
diff --git a/plugin/pkg/admission/limitranger/admission_test.go b/plugin/pkg/admission/limitranger/admission_test.go
index 17fc3211af358..67cf34d12b8eb 100644
--- a/plugin/pkg/admission/limitranger/admission_test.go
+++ b/plugin/pkg/admission/limitranger/admission_test.go
@@ -891,7 +891,7 @@ func newHandlerForTest(c clientset.Interface) (*LimitRanger, informers.SharedInf
 	if err != nil {
 		return nil, f, err
 	}
-	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err = admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/plugin/pkg/admission/namespace/autoprovision/admission_test.go b/plugin/pkg/admission/namespace/autoprovision/admission_test.go
index 935a1357677a6..2b34d1be38dab 100644
--- a/plugin/pkg/admission/namespace/autoprovision/admission_test.go
+++ b/plugin/pkg/admission/namespace/autoprovision/admission_test.go
@@ -41,7 +41,7 @@ import (
 func newHandlerForTest(c clientset.Interface) (admission.MutationInterface, informers.SharedInformerFactory, error) {
 	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
 	handler := NewProvision()
-	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err := admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/plugin/pkg/admission/namespace/exists/admission_test.go b/plugin/pkg/admission/namespace/exists/admission_test.go
index 2937cb3948e2c..7d90a431b22e8 100644
--- a/plugin/pkg/admission/namespace/exists/admission_test.go
+++ b/plugin/pkg/admission/namespace/exists/admission_test.go
@@ -39,7 +39,7 @@ import (
 func newHandlerForTest(c kubernetes.Interface) (admission.ValidationInterface, informers.SharedInformerFactory, error) {
 	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
 	handler := NewExists()
-	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err := admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/plugin/pkg/admission/nodedeclaredfeatures/admission.go b/plugin/pkg/admission/nodedeclaredfeatures/admission.go
new file mode 100644
index 0000000000000..a05a67e6f06dd
--- /dev/null
+++ b/plugin/pkg/admission/nodedeclaredfeatures/admission.go
@@ -0,0 +1,195 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	versionutil "k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/apiserver/pkg/admission"
+	genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer"
+	"k8s.io/client-go/informers"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/component-base/featuregate"
+	"k8s.io/component-base/version"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndffeatures "k8s.io/component-helpers/nodedeclaredfeatures/features"
+	"k8s.io/kubernetes/pkg/apis/core"
+	v1 "k8s.io/kubernetes/pkg/apis/core/v1"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+const (
+	// PluginName is the name of this admission controller plugin.
+	PluginName = "NodeDeclaredFeatureValidator"
+)
+
+// Register registers a plugin.
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+		return NewPlugin()
+	})
+}
+
+// Plugin is an admission controller that validates pod updates against node capabilities.
+type Plugin struct {
+	*admission.Handler
+	nodeLister                     corev1listers.NodeLister
+	nodeDeclaredFeatureFramework   *ndf.Framework
+	nodeDeclaredFeatureGateEnabled bool
+	version                        *versionutil.Version
+}
+
+var _ admission.ValidationInterface = &Plugin{}
+var _ = genericadmissioninitializer.WantsExternalKubeInformerFactory(&Plugin{})
+var _ genericadmissioninitializer.WantsFeatures = &Plugin{}
+
+// New creates a new Plugin admission plugin
+func NewPlugin() (*Plugin, error) {
+	framework, err := ndf.New(ndffeatures.AllFeatures)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create node declared features helper: %w", err)
+	}
+
+	ver, err := versionutil.Parse(version.Get().String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse version: %w", err)
+	}
+	return &Plugin{
+		Handler:                      admission.NewHandler(admission.Update),
+		nodeDeclaredFeatureFramework: framework,
+		version:                      ver,
+	}, nil
+}
+
+// SetExternalKubeInformerFactory sets the informer factory for the plugin.
+func (p *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
+	nodeInformer := f.Core().V1().Nodes()
+	p.nodeLister = f.Core().V1().Nodes().Lister()
+	p.SetReadyFunc(nodeInformer.Informer().HasSynced)
+}
+
+// SetFeatures sets the feature gates for the plugin.
+func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
+	p.nodeDeclaredFeatureGateEnabled = featureGates.Enabled(features.NodeDeclaredFeatures)
+}
+
+// ValidateInitialization ensures that the plugin is properly initialized.
+func (p *Plugin) ValidateInitialization() error {
+	if p.nodeLister == nil {
+		return fmt.Errorf("missing node lister for %s", PluginName)
+	}
+
+	if p.nodeDeclaredFeatureFramework == nil {
+		framework, err := ndf.New(ndffeatures.AllFeatures)
+		if err != nil {
+			return fmt.Errorf("failed to create node feature helper for %s: %w", PluginName, err)
+		}
+		p.nodeDeclaredFeatureFramework = framework
+	}
+	return nil
+}
+
+// Validate is the core of the admission controller logic.
+func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
+	// Ignore if the feature gate is not enabled.
+	if !p.nodeDeclaredFeatureGateEnabled {
+		return nil
+	}
+
+	if a.GetOperation() != admission.Update {
+		return nil
+	}
+
+	// We only care about Pod updates.
+	if a.GetResource().GroupResource() != core.Resource("pods") {
+		return nil
+	}
+
+	// Only validate updates to the main pod spec (subresource == "")
+	// or the custom "resize" subresource.
+	subresource := a.GetSubresource()
+	if subresource != "" && subresource != "resize" {
+		return nil
+	}
+	pod, ok := a.GetObject().(*core.Pod)
+	if !ok {
+		return errors.NewBadRequest(fmt.Sprintf("expected a pod but got a %T", a.GetObject()))
+	}
+	// We only care about pods that are already bound to a node.
+	if len(pod.Spec.NodeName) == 0 {
+		return nil
+	}
+	oldPod, ok := a.GetOldObject().(*core.Pod)
+	if !ok {
+		return errors.NewBadRequest(fmt.Sprintf("expected an old pod but got a %T", a.GetOldObject()))
+	}
+
+	if oldPod.Generation == pod.Generation {
+		// since generation is only incremented when the spec changes, we can skip validation if it doesnt.
+		return nil
+	}
+
+	if !p.WaitForReady() {
+		return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request"))
+	}
+
+	return p.validatePodUpdate(pod, oldPod, a)
+}
+
+func (p *Plugin) validatePodUpdate(pod, oldPod *core.Pod, a admission.Attributes) error {
+	// Convert internal to external pods for the helper library.
+	podV1 := &corev1.Pod{}
+	if err := v1.Convert_core_Pod_To_v1_Pod(pod, podV1, nil); err != nil {
+		return errors.NewBadRequest(fmt.Sprintf("failed to convert pod: %v", err))
+	}
+	oldPodV1 := &corev1.Pod{}
+	if err := v1.Convert_core_Pod_To_v1_Pod(oldPod, oldPodV1, nil); err != nil {
+		return errors.NewBadRequest(fmt.Sprintf("failed to convert oldPod: %v", err))
+	}
+	oldPodInfo := &ndf.PodInfo{Spec: &oldPodV1.Spec, Status: &oldPodV1.Status}
+	newPodInfo := &ndf.PodInfo{Spec: &podV1.Spec, Status: &podV1.Status}
+	reqs, err := p.nodeDeclaredFeatureFramework.InferForPodUpdate(oldPodInfo, newPodInfo, p.version)
+	if err != nil {
+		return admission.NewForbidden(a, fmt.Errorf("failed to infer pod capability requirements: %w", err))
+	}
+	// If there are no specific feature requirements for this update, we're done.
+	if reqs.Len() == 0 {
+		return nil
+	}
+	node, err := p.nodeLister.Get(pod.Spec.NodeName)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			return admission.NewForbidden(a, fmt.Errorf("node %q not found", pod.Spec.NodeName))
+		}
+		return admission.NewForbidden(a, fmt.Errorf("failed to get node %q: %w", pod.Spec.NodeName, err))
+	}
+	result, err := ndf.MatchNode(reqs, node)
+	if err != nil {
+		return admission.NewForbidden(a, fmt.Errorf("failed to match pod requirements against node %q: %w", node.Name, err))
+	}
+	if !result.IsMatch {
+		return admission.NewForbidden(a, fmt.Errorf("pod update requires features %s which are not available on node %q", strings.Join(result.UnsatisfiedRequirements, ", "), node.Name))
+	}
+
+	return nil
+}
diff --git a/plugin/pkg/admission/nodedeclaredfeatures/admission_test.go b/plugin/pkg/admission/nodedeclaredfeatures/admission_test.go
new file mode 100644
index 0000000000000..be4fe78f8e51b
--- /dev/null
+++ b/plugin/pkg/admission/nodedeclaredfeatures/admission_test.go
@@ -0,0 +1,275 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/apiserver/pkg/admission"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
+	"k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/features"
+)
+
+func TestAdmission(t *testing.T) {
+	nodeWithFeature := &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-node"},
+		Status: v1.NodeStatus{
+			DeclaredFeatures: []string{"TestFeature"},
+			NodeInfo:         v1.NodeSystemInfo{KubeletVersion: "1.35.0"},
+		},
+	}
+	nodeWithoutFeature := &v1.Node{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-node-no-feature"},
+		Status: v1.NodeStatus{
+			DeclaredFeatures: []string{},
+			NodeInfo:         v1.NodeSystemInfo{KubeletVersion: "1.35.0"},
+		},
+	}
+
+	client := fake.NewClientset(nodeWithFeature, nodeWithoutFeature)
+	informerFactory := informers.NewSharedInformerFactory(client, 0)
+
+	oldPod := &core.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-pod", Namespace: "test-ns"},
+		Spec: core.PodSpec{
+			NodeName: "test-node",
+			Containers: []core.Container{
+				{
+					Name:  "container",
+					Image: "image",
+					Resources: core.ResourceRequirements{
+						Requests: core.ResourceList{
+							core.ResourceCPU:    resource.MustParse("1000m"),
+							core.ResourceMemory: resource.MustParse("100Mi"),
+						},
+					},
+				}},
+		},
+	}
+	newPod := oldPod.DeepCopy()
+	newPod.Generation = oldPod.Generation + 1
+	newPod.Spec.Containers[0].Resources.Requests[core.ResourceCPU] = resource.MustParse("2000m")
+	podWithNoNode := oldPod.DeepCopy()
+	podWithNoNode.Spec.NodeName = ""
+	podWithInvalidNode := oldPod.DeepCopy()
+	podWithInvalidNode.Spec.NodeName = "invalid-node"
+
+	createMockFeature := func(t *testing.T, name string, inferForUpdate bool, maxVersionStr string) *ndftesting.MockFeature {
+		m := ndftesting.NewMockFeature(t)
+		m.EXPECT().Name().Return(name).Maybe()
+		m.EXPECT().InferForUpdate(mock.Anything, mock.Anything).Return(inferForUpdate).Maybe()
+		if maxVersionStr != "" {
+			minVersion := version.MustParseSemantic(maxVersionStr)
+			m.EXPECT().MaxVersion().Return(minVersion).Maybe()
+		} else {
+			m.EXPECT().MaxVersion().Return(nil).Maybe()
+		}
+		return m
+	}
+
+	testCases := []struct {
+		name               string
+		pod                *core.Pod
+		oldPod             *core.Pod
+		registeredFeatures []ndf.Feature
+		featureGateEnabled bool
+		componentVersion   string
+		expectErr          bool
+		errContains        string
+		subresource        string
+	}{
+		{
+			name:               "Feature gate disabled",
+			pod:                newPod,
+			oldPod:             oldPod,
+			registeredFeatures: []ndf.Feature{},
+			featureGateEnabled: false,
+			expectErr:          false,
+			componentVersion:   "1.35.0",
+		},
+		{
+			name:               "skip validation when pod is not bound to node",
+			pod:                podWithNoNode,
+			oldPod:             oldPod,
+			registeredFeatures: []ndf.Feature{},
+			featureGateEnabled: true,
+			expectErr:          false,
+			componentVersion:   "1.35.0",
+		},
+		{
+			name:               "skip validation on invalid node name",
+			pod:                func() *core.Pod { p := newPod.DeepCopy(); p.Spec.NodeName = "not-found-node"; return p }(),
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			expectErr:        true,
+			errContains:      "node \"not-found-node\" not found",
+			componentVersion: "1.35.0",
+		},
+		{
+			name:               "No feature requirements",
+			pod:                newPod,
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "FeatureA", false, ""),
+			},
+			componentVersion: "1.35.0",
+			expectErr:        false,
+		},
+		{
+			name:               "Feature requirement met",
+			pod:                newPod,
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			expectErr: false,
+		},
+		{
+			name: "Feature requirement not met",
+			pod: func() *core.Pod {
+				p := newPod.DeepCopy()
+				p.Spec.NodeName = "test-node-no-feature"
+				return p
+			}(),
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.34.0",
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			expectErr:   true,
+			errContains: "pod update requires features TestFeature which are not available on node \"test-node-no-feature\"",
+		},
+		{
+			name: "skip validation when generation not updated",
+			pod: func() *core.Pod {
+				p := newPod.DeepCopy()
+				p.Generation = oldPod.Generation
+				return p
+			}(),
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.34.0",
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			expectErr: false,
+		},
+		{
+			name: "Feature not need as its generally available",
+			pod: func() *core.Pod {
+				p := newPod.DeepCopy()
+				p.Spec.NodeName = "test-node-no-feature"
+				return p
+			}(),
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			registeredFeatures: []ndf.Feature{
+				// Feature max version less than component version
+				createMockFeature(t, "TestFeature", false, "1.34.0"),
+			},
+			expectErr: false,
+		},
+		{
+			name: "skip validation for `status` subresource",
+			pod: func() *core.Pod {
+				p := newPod.DeepCopy()
+				p.Spec.NodeName = "test-node-no-feature"
+				return p
+			}(),
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.35.0",
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			subresource: "status",
+			expectErr:   false,
+		},
+		{
+			name:               "DO not skip validation for `resize` subresource",
+			pod:                newPod,
+			oldPod:             oldPod,
+			featureGateEnabled: true,
+			componentVersion:   "1.34.0",
+			registeredFeatures: []ndf.Feature{
+				createMockFeature(t, "TestFeature", true, "1.35.0"),
+			},
+			subresource: "resize",
+			expectErr:   false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tc.featureGateEnabled)
+
+			target, err := NewPlugin()
+			require.NoError(t, err)
+
+			if tc.featureGateEnabled {
+				framework, err := ndf.New(tc.registeredFeatures)
+				require.NoError(t, err)
+				target.nodeDeclaredFeatureFramework = framework
+				target.version = version.MustParseSemantic(tc.componentVersion)
+			}
+
+			target.SetExternalKubeInformerFactory(informerFactory)
+			target.InspectFeatureGates(utilfeature.DefaultFeatureGate)
+			err = target.ValidateInitialization()
+			require.NoError(t, err)
+
+			stopCh := make(chan struct{})
+			defer close(stopCh)
+			informerFactory.Start(stopCh)
+			informerFactory.WaitForCacheSync(stopCh)
+			attrs := admission.NewAttributesRecord(tc.pod, tc.oldPod, core.Kind("Pod").WithVersion("v1"), tc.pod.Namespace, tc.pod.Name, core.Resource("pods").WithVersion("v1"), tc.subresource, admission.Update, &metav1.UpdateOptions{}, false, nil)
+			err = target.Validate(context.Background(), attrs, nil)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				if tc.errContains != "" {
+					assert.Contains(t, err.Error(), tc.errContains)
+				}
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
index 8ef0e5af68d03..493bc6e063fd5 100644
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -2555,6 +2555,9 @@ func TestAdmitResourceSlice(t *testing.T) {
 			attributes := admission.NewAttributesRecord(
 				test.obj, test.oldObj, schema.GroupVersionKind{},
 				"", "foo", apiResource, "", test.operation, test.options, false, mynode)
+			if !test.featureEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse("1.34"))
+			}
 			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.DynamicResourceAllocation, test.featureEnabled)
 			a := &admitTestCase{
 				name:       name,
diff --git a/plugin/pkg/admission/podnodeselector/admission_test.go b/plugin/pkg/admission/podnodeselector/admission_test.go
index b1e191622ef50..e2ead7c1c4101 100644
--- a/plugin/pkg/admission/podnodeselector/admission_test.go
+++ b/plugin/pkg/admission/podnodeselector/admission_test.go
@@ -198,7 +198,7 @@ func TestHandles(t *testing.T) {
 func newHandlerForTest(c kubernetes.Interface) (*Plugin, informers.SharedInformerFactory, error) {
 	f := informers.NewSharedInformerFactory(c, 5*time.Minute)
 	handler := NewPodNodeSelector(nil)
-	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err := admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/plugin/pkg/admission/podtolerationrestriction/admission_test.go b/plugin/pkg/admission/podtolerationrestriction/admission_test.go
index 9a23c03546293..f4bf95454c32c 100644
--- a/plugin/pkg/admission/podtolerationrestriction/admission_test.go
+++ b/plugin/pkg/admission/podtolerationrestriction/admission_test.go
@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -355,7 +356,7 @@ func newHandlerForTest(c kubernetes.Interface) (*Plugin, informers.SharedInforme
 		return nil, nil, err
 	}
 	handler := NewPodTolerationsPlugin(pluginConfig)
-	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err = admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/validation/validation.go b/plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/validation/validation.go
index 99a36ed3aafed..42de6a7c966c5 100644
--- a/plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/validation/validation.go
+++ b/plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction/validation/validation.go
@@ -28,8 +28,8 @@ import (
 func ValidateConfiguration(config *internalapi.Configuration) error {
 	allErrs := field.ErrorList{}
 	fldpath := field.NewPath("podtolerationrestriction")
-	allErrs = append(allErrs, validation.ValidateTolerations(config.Default, fldpath.Child("default"))...)
-	allErrs = append(allErrs, validation.ValidateTolerations(config.Whitelist, fldpath.Child("whitelist"))...)
+	allErrs = append(allErrs, validation.ValidateTolerations(config.Default, fldpath.Child("default"), validation.PodValidationOptions{})...)
+	allErrs = append(allErrs, validation.ValidateTolerations(config.Whitelist, fldpath.Child("whitelist"), validation.PodValidationOptions{})...)
 	if len(allErrs) > 0 {
 		return fmt.Errorf("invalid config: %v", allErrs)
 	}
diff --git a/plugin/pkg/admission/podtopologylabels/admission_test.go b/plugin/pkg/admission/podtopologylabels/admission_test.go
index 581363c24bb70..f4fc9f76c48e8 100644
--- a/plugin/pkg/admission/podtopologylabels/admission_test.go
+++ b/plugin/pkg/admission/podtopologylabels/admission_test.go
@@ -226,7 +226,7 @@ func TestPodTopology(t *testing.T) {
 func newHandlerForTest(c kubernetes.Interface) (*Plugin, informers.SharedInformerFactory, error) {
 	factory := informers.NewSharedInformerFactory(c, 5*time.Minute)
 	handler := NewPodTopologyPlugin(defaultConfig) // todo: write additional test cases with non-default config.
-	pluginInitializer := genericadmissioninitializer.New(c, nil, factory, nil, feature.DefaultFeatureGate, nil, nil)
+	pluginInitializer := genericadmissioninitializer.New(c, nil, factory, nil, feature.DefaultFeatureGate, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	return handler, factory, admission.ValidateInitialization(handler)
 }
diff --git a/plugin/pkg/admission/resourcequota/admission_test.go b/plugin/pkg/admission/resourcequota/admission_test.go
index 74223fae59de3..607f6036697e3 100644
--- a/plugin/pkg/admission/resourcequota/admission_test.go
+++ b/plugin/pkg/admission/resourcequota/admission_test.go
@@ -110,7 +110,7 @@ func createHandlerWithConfig(kubeClient kubernetes.Interface, informerFactory in
 	if config == nil {
 		config = &resourcequotaapi.Configuration{}
 	}
-	quotaConfiguration := install.NewQuotaConfigurationForAdmission()
+	quotaConfiguration := install.NewQuotaConfigurationForAdmission(nil)
 
 	handler, err := resourcequota.NewResourceQuota(config, 5)
 	if err != nil {
@@ -118,7 +118,7 @@ func createHandlerWithConfig(kubeClient kubernetes.Interface, informerFactory in
 	}
 
 	initializers := admission.PluginInitializers{
-		genericadmissioninitializer.New(kubeClient, nil, informerFactory, nil, nil, stopCh, nil),
+		genericadmissioninitializer.New(kubeClient, nil, informerFactory, nil, nil, nil, stopCh, nil),
 		controlplaneadmission.NewPluginInitializer(quotaConfiguration, nil),
 	}
 	initializers.Initialize(handler)
diff --git a/plugin/pkg/admission/security/podsecurity/admission.go b/plugin/pkg/admission/security/podsecurity/admission.go
index 14c2b6d54b39c..6917fbd105f94 100644
--- a/plugin/pkg/admission/security/podsecurity/admission.go
+++ b/plugin/pkg/admission/security/podsecurity/admission.go
@@ -27,7 +27,6 @@ import (
 	_ "k8s.io/kubernetes/pkg/apis/apps/install"
 	_ "k8s.io/kubernetes/pkg/apis/batch/install"
 	_ "k8s.io/kubernetes/pkg/apis/core/install"
-	"k8s.io/kubernetes/pkg/features"
 
 	admissionv1 "k8s.io/api/admission/v1"
 	appsv1 "k8s.io/api/apps/v1"
@@ -43,7 +42,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	corev1listers "k8s.io/client-go/listers/core/v1"
-	"k8s.io/component-base/featuregate"
+	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/apps"
@@ -70,7 +69,8 @@ func Register(plugins *admission.Plugins) {
 type Plugin struct {
 	*admission.Handler
 
-	inspectedFeatureGates bool
+	inspectedEffectiveVersion bool
+	emulationVersion          *podsecurityadmissionapi.Version
 
 	client          kubernetes.Interface
 	namespaceLister corev1listers.NamespaceLister
@@ -104,16 +104,10 @@ func newPlugin(reader io.Reader) (*Plugin, error) {
 		return nil, err
 	}
 
-	evaluator, err := policy.NewEvaluator(policy.DefaultChecks())
-	if err != nil {
-		return nil, fmt.Errorf("could not create PodSecurityRegistry: %w", err)
-	}
-
 	return &Plugin{
 		Handler: admission.NewHandler(admission.Create, admission.Update),
 		delegate: &podsecurityadmission.Admission{
 			Configuration:    config,
-			Evaluator:        evaluator,
 			Metrics:          getDefaultRecorder(),
 			PodSpecExtractor: SCCMutatingPodSpecExtractorInstance,
 		},
@@ -146,23 +140,39 @@ func (p *Plugin) updateDelegate() {
 	if p.client == nil {
 		return
 	}
-	p.delegate.PodLister = podsecurityadmission.PodListerFromInformer(p.podLister)
-	p.delegate.NamespaceGetter = podsecurityadmission.NamespaceGetterFromListerAndClient(p.namespaceLister, p.client)
+	if !p.inspectedEffectiveVersion {
+		return
+	}
+	if p.delegate.PodLister == nil {
+		p.delegate.PodLister = podsecurityadmission.PodListerFromInformer(p.podLister)
+	}
+	if p.delegate.NamespaceGetter == nil {
+		p.delegate.NamespaceGetter = podsecurityadmission.NamespaceGetterFromListerAndClient(p.namespaceLister, p.client)
+	}
+	if p.delegate.Evaluator == nil {
+		evaluator, err := policy.NewEvaluator(policy.DefaultChecks(), p.emulationVersion)
+		if err != nil {
+			panic(fmt.Errorf("could not create PodSecurityRegistry: %w", err))
+		}
+		p.delegate.Evaluator = evaluator
+	}
 }
 
-func (c *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
-	c.inspectedFeatureGates = true
-	policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards))
-
-	if !featureGates.Enabled(features.ProbeHostPodSecurityStandards) {
-		policy.SkipProbeHostEnforcement()
+func (p *Plugin) InspectEffectiveVersion(version compatibility.EffectiveVersion) {
+	p.inspectedEffectiveVersion = true
+	binaryVersion := version.BinaryVersion()
+	emulationVersion := version.EmulationVersion()
+	binaryMajorMinor := podsecurityadmissionapi.MajorMinorVersion(int(binaryVersion.Major()), int(binaryVersion.Minor()))
+	emulationMajorMinor := podsecurityadmissionapi.MajorMinorVersion(int(emulationVersion.Major()), int(emulationVersion.Minor()))
+	if binaryMajorMinor != emulationMajorMinor {
+		p.emulationVersion = &emulationMajorMinor
 	}
 }
 
 // ValidateInitialization ensures all required options are set
 func (p *Plugin) ValidateInitialization() error {
-	if !p.inspectedFeatureGates {
-		return fmt.Errorf("%s did not see feature gates", PluginName)
+	if !p.inspectedEffectiveVersion {
+		return fmt.Errorf("%s did not see effective version", PluginName)
 	}
 	if err := p.delegate.CompleteConfiguration(); err != nil {
 		return fmt.Errorf("%s configuration error: %w", PluginName, err)
diff --git a/plugin/pkg/admission/security/podsecurity/admission_test.go b/plugin/pkg/admission/security/podsecurity/admission_test.go
index ed4c4b92918b0..4f3873a1d4f80 100644
--- a/plugin/pkg/admission/security/podsecurity/admission_test.go
+++ b/plugin/pkg/admission/security/podsecurity/admission_test.go
@@ -23,6 +23,8 @@ import (
 	"strings"
 	"testing"
 
+	"sigs.k8s.io/yaml"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -30,7 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/apiserver/pkg/util/compatibility"
 	"k8s.io/apiserver/pkg/warning"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
@@ -40,7 +42,6 @@ import (
 	v1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	podsecurityadmission "k8s.io/pod-security-admission/admission"
 	"k8s.io/utils/ptr"
-	"sigs.k8s.io/yaml"
 )
 
 func TestConvert(t *testing.T) {
@@ -81,7 +82,7 @@ func BenchmarkVerifyPod(b *testing.B) {
 		b.Fatal(err)
 	}
 
-	p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
+	p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
 
 	enforceImplicitPrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-implicit", Labels: map[string]string{}}}
 	enforcePrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-privileged", Labels: map[string]string{"pod-security.kubernetes.io/enforce": "privileged"}}}
@@ -189,7 +190,7 @@ func BenchmarkVerifyNamespace(b *testing.B) {
 		b.Fatal(err)
 	}
 
-	p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
+	p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
 
 	namespace := "enforce"
 	enforceNamespaceBaselineV1 := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace, Labels: map[string]string{"pod-security.kubernetes.io/enforce": "baseline"}}}
diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index f731dddfca938..a61d625d35804 100644
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -21,7 +21,7 @@ import (
 	"sync"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/component-helpers/storage/ephemeral"
 	"k8s.io/dynamic-resource-allocation/resourceclaim"
@@ -479,7 +479,7 @@ func (g *Graph) DeletePod(name, namespace string) {
 // authorization, and it's a shorter graph traversal.  The noderestriction
 // admission plugin ensures that all PCRs created have a valid node,
 // serviceaccount, and pod combination that actually exists in the cluster.
-func (g *Graph) AddPodCertificateRequest(pcr *certsv1alpha1.PodCertificateRequest) {
+func (g *Graph) AddPodCertificateRequest(pcr *certsv1beta1.PodCertificateRequest) {
 	start := time.Now()
 	defer func() {
 		graphActionsDuration.WithLabelValues("AddPodCertificateRequest").Observe(time.Since(start).Seconds())
@@ -494,7 +494,7 @@ func (g *Graph) AddPodCertificateRequest(pcr *certsv1alpha1.PodCertificateReques
 }
 
 // DeletePodCertificateRequest removes it from the graph.
-func (g *Graph) DeletePodCertificateRequest(pcr *certsv1alpha1.PodCertificateRequest) {
+func (g *Graph) DeletePodCertificateRequest(pcr *certsv1beta1.PodCertificateRequest) {
 	start := time.Now()
 	defer func() {
 		graphActionsDuration.WithLabelValues("DeletePodCertificateRequest").Observe(time.Since(start).Seconds())
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
index 8749d7e317808..d10c229d3dc7f 100644
--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -21,12 +21,12 @@ import (
 
 	"k8s.io/klog/v2"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
-	certsv1alpha1informers "k8s.io/client-go/informers/certificates/v1alpha1"
+	certsv1beta1informers "k8s.io/client-go/informers/certificates/v1beta1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	resourceinformers "k8s.io/client-go/informers/resource/v1"
 	storageinformers "k8s.io/client-go/informers/storage/v1"
@@ -46,7 +46,7 @@ func AddGraphEventHandlers(
 	pvs corev1informers.PersistentVolumeInformer,
 	attachments storageinformers.VolumeAttachmentInformer,
 	slices resourceinformers.ResourceSliceInformer,
-	pcrs certsv1alpha1informers.PodCertificateRequestInformer,
+	pcrs certsv1beta1informers.PodCertificateRequestInformer,
 ) {
 	g := &graphPopulator{
 		graph: graph,
@@ -216,7 +216,7 @@ func (g *graphPopulator) deleteResourceSlice(obj interface{}) {
 }
 
 func (g *graphPopulator) addPCR(obj any) {
-	pcr, ok := obj.(*certsv1alpha1.PodCertificateRequest)
+	pcr, ok := obj.(*certsv1beta1.PodCertificateRequest)
 	if !ok {
 		klog.Infof("unexpected type %T", obj)
 		return
@@ -228,7 +228,7 @@ func (g *graphPopulator) deletePCR(obj any) {
 	if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 		obj = tombstone.Obj
 	}
-	pcr, ok := obj.(*certsv1alpha1.PodCertificateRequest)
+	pcr, ok := obj.(*certsv1beta1.PodCertificateRequest)
 	if !ok {
 		klog.Infof("unexpected type %T", obj)
 		return
diff --git a/plugin/pkg/auth/authorizer/node/graph_test.go b/plugin/pkg/auth/authorizer/node/graph_test.go
index a89e665aaed87..dbca535b14c5c 100644
--- a/plugin/pkg/auth/authorizer/node/graph_test.go
+++ b/plugin/pkg/auth/authorizer/node/graph_test.go
@@ -25,7 +25,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -960,14 +960,14 @@ func TestIndex2(t *testing.T) {
 	}
 }
 
-func pcr(namespace, name, podName, saName, nodeName string) *certsv1alpha1.PodCertificateRequest {
-	pcr := &certsv1alpha1.PodCertificateRequest{
+func pcr(namespace, name, podName, saName, nodeName string) *certsv1beta1.PodCertificateRequest {
+	pcr := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 			Name:      name,
 			UID:       types.UID(fmt.Sprintf("pcr%suid", name)),
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
+		Spec: certsv1beta1.PodCertificateRequestSpec{
 			PodName:            podName,
 			ServiceAccountName: saName,
 			NodeName:           types.NodeName(nodeName),
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer.go b/plugin/pkg/auth/authorizer/node/node_authorizer.go
index f2fd9ab24a772..d49a817e90884 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer.go
@@ -157,6 +157,7 @@ func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribu
 			if r.features.Enabled(features.PodCertificateRequest) && r.features.Enabled(features.AuthorizeNodeWithSelectors) {
 				return r.authorizePodCertificateRequest(nodeName, attrs)
 			}
+			return authorizer.DecisionNoOpinion, "", nil
 		}
 	}
 
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 5b32082c3a557..8b73c2af74401 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -27,7 +27,7 @@ import (
 	"testing"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -79,8 +79,10 @@ func TestNodeAuthorizer(t *testing.T) {
 	selectorAuthzDisabled := func(t testing.TB) featuregate.FeatureGate {
 		f := utilfeature.DefaultFeatureGate.DeepCopy()
 		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, f, version.MustParse("1.33"))
-		featuregatetesting.SetFeatureGateDuringTest(t, f, genericfeatures.AuthorizeWithSelectors, false)
-		featuregatetesting.SetFeatureGateDuringTest(t, f, features.AuthorizeNodeWithSelectors, false)
+		featuregatetesting.SetFeatureGatesDuringTest(t, f, featuregatetesting.FeatureOverrides{
+			genericfeatures.AuthorizeWithSelectors: false,
+			features.AuthorizeNodeWithSelectors:    false,
+		})
 		return f
 	}
 
@@ -90,7 +92,10 @@ func TestNodeAuthorizer(t *testing.T) {
 
 	serviceAccountTokenForCredentialProvidersDisabled := func(t testing.TB) featuregate.FeatureGate {
 		f := utilfeature.DefaultFeatureGate.DeepCopy()
-		featuregatetesting.SetFeatureGateDuringTest(t, f, features.KubeletServiceAccountTokenForCredentialProviders, false)
+		featuregatetesting.SetFeatureGatesDuringTest(t, f, featuregatetesting.FeatureOverrides{
+			features.KubeletServiceAccountTokenForCredentialProviders: false,
+			features.PodCertificateRequest:                            false,
+		})
 		return f
 	}
 
@@ -102,9 +107,17 @@ func TestNodeAuthorizer(t *testing.T) {
 
 	podCertificateProjectionEnabled := func(t testing.TB) featuregate.FeatureGate {
 		f := utilfeature.DefaultFeatureGate.DeepCopy()
-		featuregatetesting.SetFeatureGateDuringTest(t, f, genericfeatures.AuthorizeWithSelectors, true)
-		featuregatetesting.SetFeatureGateDuringTest(t, f, features.AuthorizeNodeWithSelectors, true)
-		featuregatetesting.SetFeatureGateDuringTest(t, f, features.PodCertificateRequest, true)
+		featuregatetesting.SetFeatureGatesDuringTest(t, f, featuregatetesting.FeatureOverrides{
+			genericfeatures.AuthorizeWithSelectors: true,
+			features.AuthorizeNodeWithSelectors:    true,
+			features.PodCertificateRequest:         true,
+		})
+		return f
+	}
+
+	podCertificateProjectionDisabled := func(t testing.TB) featuregate.FeatureGate {
+		f := utilfeature.DefaultFeatureGate.DeepCopy()
+		featuregatetesting.SetFeatureGateDuringTest(t, f, features.PodCertificateRequest, false)
 		return f
 	}
 
@@ -291,9 +304,10 @@ func TestNodeAuthorizer(t *testing.T) {
 			features: podCertificateProjectionEnabled,
 		},
 		{
-			name:   "disallowed pcr create when PodCertificateProjection is disabled",
-			attrs:  authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
-			expect: authorizer.DecisionNoOpinion,
+			name:     "disallowed pcr create when PodCertificateProjection is disabled",
+			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
+			expect:   authorizer.DecisionNoOpinion,
+			features: podCertificateProjectionDisabled,
 		},
 		{
 			name:     "allowed pcr create when PodCertificateProjection is enabled",
@@ -302,9 +316,10 @@ func TestNodeAuthorizer(t *testing.T) {
 			features: podCertificateProjectionEnabled,
 		},
 		{
-			name:   "disallowed pcr get when PodCertificateProjection is disabled",
-			attrs:  authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
-			expect: authorizer.DecisionNoOpinion,
+			name:     "disallowed pcr get when PodCertificateProjection is disabled",
+			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
+			expect:   authorizer.DecisionNoOpinion,
+			features: podCertificateProjectionDisabled,
 		},
 		{
 			name:     "allowed pcr get when PodCertificateProjection is enabled",
@@ -313,9 +328,10 @@ func TestNodeAuthorizer(t *testing.T) {
 			features: podCertificateProjectionEnabled,
 		},
 		{
-			name:   "disallowed pcr list when PodCertificateProjection is disabled",
-			attrs:  authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
-			expect: authorizer.DecisionNoOpinion,
+			name:     "disallowed pcr list when PodCertificateProjection is disabled",
+			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
+			expect:   authorizer.DecisionNoOpinion,
+			features: podCertificateProjectionDisabled,
 		},
 		{
 			name:         "disallowed pcr list (un-filtered) when PodCertificateProjection is enabled",
@@ -338,9 +354,10 @@ func TestNodeAuthorizer(t *testing.T) {
 			features: podCertificateProjectionEnabled,
 		},
 		{
-			name:   "disallowed pcr watch when PodCertificateProjection is disabled",
-			attrs:  authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
-			expect: authorizer.DecisionNoOpinion,
+			name:     "disallowed pcr watch when PodCertificateProjection is disabled",
+			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", APIGroup: "certificates.k8s.io", Resource: "podcertificaterequests", Name: "pcr0-pod0-node0", Namespace: "ns0"},
+			expect:   authorizer.DecisionNoOpinion,
+			features: podCertificateProjectionDisabled,
 		},
 		{
 			name:         "disallowed pcr watch (un-filtered) when PodCertificateProjection is enabled",
@@ -1483,7 +1500,7 @@ func BenchmarkAuthorization(b *testing.B) {
 	}
 }
 
-func populate(graph *Graph, nodes []*corev1.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1.VolumeAttachment, slices []*resourceapi.ResourceSlice, pcrs []*certsv1alpha1.PodCertificateRequest) {
+func populate(graph *Graph, nodes []*corev1.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1.VolumeAttachment, slices []*resourceapi.ResourceSlice, pcrs []*certsv1beta1.PodCertificateRequest) {
 	p := &graphPopulator{}
 	p.graph = graph
 	for _, pod := range pods {
@@ -1514,13 +1531,13 @@ func randomSubset(a, b int, randPerm func(int) []int) []int {
 // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
 // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
 // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
-func generate(opts *sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1.VolumeAttachment, []*resourceapi.ResourceSlice, []*certsv1alpha1.PodCertificateRequest) {
+func generate(opts *sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1.VolumeAttachment, []*resourceapi.ResourceSlice, []*certsv1beta1.PodCertificateRequest) {
 	nodes := make([]*corev1.Node, 0, opts.nodes)
 	pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
 	pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
 	attachments := make([]*storagev1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
 	slices := make([]*resourceapi.ResourceSlice, 0, opts.nodes*opts.nodeResourceSlicesPerNode)
-	pcrs := make([]*certsv1alpha1.PodCertificateRequest, 0, opts.nodes*opts.podsPerNode*opts.podCertificateRequestsPerPod)
+	pcrs := make([]*certsv1beta1.PodCertificateRequest, 0, opts.nodes*opts.podsPerNode*opts.podCertificateRequestsPerPod)
 
 	r := rand.New(rand.NewSource(12345))
 
@@ -1562,9 +1579,9 @@ func generate(opts *sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.Pe
 	return nodes, pods, pvs, attachments, slices, pcrs
 }
 
-func generatePod(name, namespace, nodeName, svcAccountName string, opts *sampleDataOpts, randPerm func(int) []int) (*corev1.Pod, []*corev1.PersistentVolume, []*certsv1alpha1.PodCertificateRequest) {
+func generatePod(name, namespace, nodeName, svcAccountName string, opts *sampleDataOpts, randPerm func(int) []int) (*corev1.Pod, []*corev1.PersistentVolume, []*certsv1beta1.PodCertificateRequest) {
 	pvs := make([]*corev1.PersistentVolume, 0, opts.uniquePVCsPerPod+opts.sharedPVCsPerPod)
-	pcrs := make([]*certsv1alpha1.PodCertificateRequest, 0, opts.podCertificateRequestsPerPod)
+	pcrs := make([]*certsv1beta1.PodCertificateRequest, 0, opts.podCertificateRequestsPerPod)
 
 	pod := &corev1.Pod{}
 	pod.Name = name
@@ -1652,12 +1669,12 @@ func generatePod(name, namespace, nodeName, svcAccountName string, opts *sampleD
 	}
 
 	for i := 0; i < opts.podCertificateRequestsPerPod; i++ {
-		pcr := &certsv1alpha1.PodCertificateRequest{
+		pcr := &certsv1beta1.PodCertificateRequest{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: pod.ObjectMeta.Namespace,
 				Name:      fmt.Sprintf("pcr%d-%s", i, pod.ObjectMeta.Name),
 			},
-			Spec: certsv1alpha1.PodCertificateRequestSpec{
+			Spec: certsv1beta1.PodCertificateRequestSpec{
 				PodName:            pod.ObjectMeta.Name,
 				PodUID:             pod.ObjectMeta.UID,
 				ServiceAccountName: pod.Spec.ServiceAccountName,
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 7468c0d60c727..3abb5e0d3009c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -218,21 +218,31 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			},
 		})
 		if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) {
+			rules := []rbacv1.PolicyRule{
+				// Deletes pods to evict them.
+				rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+				// Sets pod conditions.
+				rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+				// The rest is read-only.
+				rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
+				rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceslices").RuleOrDie(),
+				rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("deviceclasses").RuleOrDie(),
+				eventsRule(),
+			}
+
+			if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules) {
+				rules = append(rules,
+					// Sets DeviceTaintRule conditions.
+					rbacv1helpers.NewRule("update", "patch").Groups(resourceGroup).Resources("devicetaintrules/status").RuleOrDie(),
+					// Read-only for spec.
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie(),
+				)
+			}
+
 			addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 				// Same name as in k8s.io/kubernetes/cmd/kube-controller-manager/names.
 				ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "device-taint-eviction-controller"},
-				Rules: []rbacv1.PolicyRule{
-					// Deletes pods to evict them.
-					rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-					// Sets pod conditions.
-					rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
-					// The rest is read-only.
-					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
-					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceslices").RuleOrDie(),
-					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("deviceclasses").RuleOrDie(),
-					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie(),
-					eventsRule(),
-				},
+				Rules:      rules,
 			})
 		}
 	}
@@ -398,15 +408,12 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 				rbacv1helpers.NewRule("get", "create", "delete", "update", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "create", "delete", "update", "patch", "list", "watch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "create", "list", "watch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
+				rbacv1helpers.NewRule("update", "delete").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
+				rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
 				eventsRule(),
 			},
 		}
 
-		if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
-			role.Rules = append(role.Rules, rbacv1helpers.NewRule("update", "delete").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie())
-			role.Rules = append(role.Rules, rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie())
-		}
-
 		return role
 	}())
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
@@ -542,7 +549,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 				// need list to get current RV for any resource
 				// need patch for SSA of any resource
 				// need create because SSA of a deleted resource will be interpreted as a create request, these always fail with a conflict error because UID is set
-				rbacv1helpers.NewRule("list", "watch", "create", "patch").Groups("*").Resources("*").RuleOrDie(),
+				rbacv1helpers.NewRule("list", "create", "patch").Groups("*").Resources("*").RuleOrDie(),
 				rbacv1helpers.NewRule("update").Groups(storageVersionMigrationGroup).Resources("storageversionmigrations/status").RuleOrDie(),
 			},
 		})
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
index 9329eba2b751e..385509a7546e0 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
@@ -105,21 +105,17 @@ func init() {
 	})
 	// TODO: Create util on Role+Binding for leader locking if more cases evolve.
 	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
-		// role for the leader locking on supplied configmap
+		// role for the leader locking on supplied lease
 		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-controller-manager"},
 		Rules: []rbacv1.PolicyRule{
-			rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
-			rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(),
 			rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leases").RuleOrDie(),
 			rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leasecandidates").RuleOrDie(),
 		},
 	})
 	addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
-		// role for the leader locking on supplied configmap
+		// role for the leader locking on supplied lease
 		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-scheduler"},
 		Rules: []rbacv1.PolicyRule{
-			rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
-			rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
 			rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leases").RuleOrDie(),
 			rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leasecandidates").RuleOrDie(),
 		},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index e9c4bfbae5806..31f059a54b846 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -66,6 +66,7 @@ const (
 	internalAPIServerGroup       = "internal.apiserver.k8s.io"
 	admissionRegistrationGroup   = "admissionregistration.k8s.io"
 	storageVersionMigrationGroup = "storagemigration.k8s.io"
+	schedulingGroup              = "scheduling.k8s.io"
 )
 
 func addDefaultMetadata(obj runtime.Object) {
@@ -112,12 +113,14 @@ func viewRules() []rbacv1.PolicyRule {
 	rules := []rbacv1.PolicyRule{
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
 			"services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
-		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings",
 			"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
 		// read access to namespaces at the namespace scope means you can read *this* namespace.  This can be used as an
 		// indicator of which namespaces you have access to.
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
 
+		rbacv1helpers.NewRule(Read...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 		rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
 
 		rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
@@ -155,9 +158,11 @@ func editRules() []rbacv1.PolicyRule {
 		rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
 		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
 		rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
-			"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
+			"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
 		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
 
+		rbacv1helpers.NewRule(Write...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 		rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
 			"statefulsets", "statefulsets/scale",
 			"daemonsets",
@@ -202,7 +207,7 @@ func NodeRules() []rbacv1.PolicyRule {
 		rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 
 		// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
-		rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+		rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
 
 		// Use the Node authorizer to limit get to pods related to the node, and to limit list/watch to field selectors related to the node.
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),
@@ -650,10 +655,13 @@ func clusterRoles() []rbacv1.ClusterRole {
 				rbacv1helpers.NewRule("create", "delete").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
 			)
 		}
-		if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules) {
 			kubeSchedulerRules = append(kubeSchedulerRules, rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie())
 		}
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+		kubeSchedulerRules = append(kubeSchedulerRules, rbacv1helpers.NewRule(Read...).Groups(schedulingGroup).Resources("workloads").RuleOrDie())
+	}
 	roles = append(roles, rbacv1.ClusterRole{
 		// a role to use for the kube-scheduler
 		ObjectMeta: metav1.ObjectMeta{Name: "system:kube-scheduler"},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
index 50b20b08b35b0..c6b16a548ad4a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
@@ -178,8 +178,10 @@ func TestBootstrapClusterRoles(t *testing.T) {
 }
 
 func TestBootstrapClusterRolesWithFeatureGatesEnabled(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)
-	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllAlpha": true,
+		"AllBeta":  true,
+	})
 
 	bootstrapRoles := bootstrappolicy.ClusterRoles()
 	featureGateList := &api.List{}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
index 50f4b787851fd..96e9efe0aefd6 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
@@ -129,7 +129,6 @@ items:
     - ""
     resources:
     - configmaps
-    - events
     - persistentvolumeclaims
     - replicationcontrollers
     - replicationcontrollers/scale
@@ -149,6 +148,17 @@ items:
     - serviceaccounts/token
     verbs:
     - create
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - patch
+    - update
   - apiGroups:
     - apps
     resources:
@@ -281,7 +291,6 @@ items:
     - ""
     resources:
     - bindings
-    - events
     - limitranges
     - namespaces/status
     - pods/log
@@ -301,6 +310,15 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - discovery.k8s.io
     resources:
@@ -958,6 +976,14 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - scheduling.k8s.io
+    resources:
+    - workloads
+    verbs:
+    - get
+    - list
+    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
@@ -1087,6 +1113,7 @@ items:
     - update
   - apiGroups:
     - ""
+    - events.k8s.io
     resources:
     - events
     verbs:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 5e09b45b75ccb..e9ca1398e5c04 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -129,7 +129,6 @@ items:
     - ""
     resources:
     - configmaps
-    - events
     - persistentvolumeclaims
     - replicationcontrollers
     - replicationcontrollers/scale
@@ -149,6 +148,17 @@ items:
     - serviceaccounts/token
     verbs:
     - create
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - patch
+    - update
   - apiGroups:
     - apps
     resources:
@@ -281,7 +291,6 @@ items:
     - ""
     resources:
     - bindings
-    - events
     - limitranges
     - namespaces/status
     - pods/log
@@ -301,6 +310,15 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - discovery.k8s.io
     resources:
@@ -1047,6 +1065,7 @@ items:
     - update
   - apiGroups:
     - ""
+    - events.k8s.io
     resources:
     - events
     verbs:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 0205fd17cf156..a99e86274f8a9 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -1614,25 +1614,25 @@ items:
     - watch
   - apiGroups:
     - ""
-    - events.k8s.io
     resources:
-    - events
+    - persistentvolumeclaims
     verbs:
-    - create
-    - patch
+    - delete
     - update
   - apiGroups:
     - ""
     resources:
-    - persistentvolumeclaims
+    - pods/finalizers
     verbs:
-    - delete
     - update
   - apiGroups:
     - ""
+    - events.k8s.io
     resources:
-    - pods/finalizers
+    - events
     verbs:
+    - create
+    - patch
     - update
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
index 3e45ae87fd2c4..3e9480680cbb3 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
@@ -65,21 +65,6 @@ items:
     name: system::leader-locking-kube-controller-manager
     namespace: kube-system
   rules:
-  - apiGroups:
-    - ""
-    resources:
-    - configmaps
-    verbs:
-    - watch
-  - apiGroups:
-    - ""
-    resourceNames:
-    - kube-controller-manager
-    resources:
-    - configmaps
-    verbs:
-    - get
-    - update
   - apiGroups:
     - coordination.k8s.io
     resources:
@@ -110,21 +95,6 @@ items:
     name: system::leader-locking-kube-scheduler
     namespace: kube-system
   rules:
-  - apiGroups:
-    - ""
-    resources:
-    - configmaps
-    verbs:
-    - watch
-  - apiGroups:
-    - ""
-    resourceNames:
-    - kube-scheduler
-    resources:
-    - configmaps
-    verbs:
-    - get
-    - update
   - apiGroups:
     - coordination.k8s.io
     resources:
diff --git a/staging/OWNERS b/staging/OWNERS
index d6971237df5ac..36159f87077f7 100644
--- a/staging/OWNERS
+++ b/staging/OWNERS
@@ -27,9 +27,9 @@ filters:
       - wojtek-t
     emeritus_approvers:
       - lavalamp
-  # go.{mod,sum} files relate to go dependencies, and should be reviewed by the
-  # dep-approvers
-  "go\\.(mod|sum)$":
+  # go.{mod,sum,work,work.sum} files relate to go dependencies,
+  # and should be reviewed by the dep-approvers
+  "go\\.(mod|sum|work|work\\.sum)$":
     approvers:
       - dep-approvers
     reviewers:
diff --git a/staging/publishing/import-restrictions.yaml b/staging/publishing/import-restrictions.yaml
index 6d2d68d8f3d2b..2c7ea26f2e29e 100644
--- a/staging/publishing/import-restrictions.yaml
+++ b/staging/publishing/import-restrictions.yaml
@@ -219,6 +219,8 @@
   - k8s.io/klog
   - k8s.io/kube-scheduler
   - k8s.io/utils
+  - k8s.io/dynamic-resource-allocation/structured
+  - k8s.io/component-helpers/nodedeclaredfeatures
 
 - baseImportPath: "./staging/src/k8s.io/kubelet"
   allowedImports:
diff --git a/staging/publishing/rules.yaml b/staging/publishing/rules.yaml
index 76723a7c5d3a2..a49f62ea039b2 100644
--- a/staging/publishing/rules.yaml
+++ b/staging/publishing/rules.yaml
@@ -6,30 +6,30 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/apimachinery
-  - name: release-1.31
-    go: 1.23.12
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/apimachinery
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     source:
       branch: release-1.32
       dirs:
       - staging/src/k8s.io/apimachinery
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.33
       dirs:
       - staging/src/k8s.io/apimachinery
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/apimachinery
+  - name: release-1.35
+    go: 1.25.6
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/apimachinery
   library: true
 - destination: api
   branches:
@@ -41,17 +41,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/api
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/api
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -60,7 +51,7 @@ rules:
       dirs:
       - staging/src/k8s.io/api
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -69,7 +60,7 @@ rules:
       dirs:
       - staging/src/k8s.io/api
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -77,6 +68,15 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/api
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/api
   library: true
 - destination: client-go
   branches:
@@ -94,23 +94,8 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod ./...
       go test -mod=mod ./...
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/client-go
-    smoke-test: |
-      # assumes GO111MODULE=on
-      go build -mod=mod ./...
-      go test -mod=mod ./...
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -125,7 +110,7 @@ rules:
       go build -mod=mod ./...
       go test -mod=mod ./...
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -140,7 +125,7 @@ rules:
       go build -mod=mod ./...
       go test -mod=mod ./...
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -154,6 +139,21 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod ./...
       go test -mod=mod ./...
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/client-go
+    smoke-test: |
+      # assumes GO111MODULE=on
+      go build -mod=mod ./...
+      go test -mod=mod ./...
   library: true
 - destination: code-generator
   branches:
@@ -165,17 +165,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/code-generator
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/code-generator
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -184,7 +175,7 @@ rules:
       dirs:
       - staging/src/k8s.io/code-generator
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -193,7 +184,7 @@ rules:
       dirs:
       - staging/src/k8s.io/code-generator
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -201,6 +192,15 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/code-generator
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/code-generator
 - destination: component-base
   branches:
   - name: master
@@ -215,21 +215,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/component-base
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/component-base
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -242,7 +229,7 @@ rules:
       dirs:
       - staging/src/k8s.io/component-base
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -255,7 +242,7 @@ rules:
       dirs:
       - staging/src/k8s.io/component-base
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -267,6 +254,19 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/component-base
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/component-base
   library: true
 - destination: component-helpers
   branches:
@@ -282,21 +282,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/component-helpers
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/component-helpers
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -309,7 +296,7 @@ rules:
       dirs:
       - staging/src/k8s.io/component-helpers
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -322,7 +309,7 @@ rules:
       dirs:
       - staging/src/k8s.io/component-helpers
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -334,6 +321,19 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/component-helpers
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/component-helpers
   library: true
 - destination: kms
   branches:
@@ -345,17 +345,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kms
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kms
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -364,7 +355,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kms
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -373,7 +364,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kms
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -381,6 +372,15 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kms
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kms
   library: true
 - destination: apiserver
   branches:
@@ -400,25 +400,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/apiserver
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/apiserver
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -435,7 +418,7 @@ rules:
       dirs:
       - staging/src/k8s.io/apiserver
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -452,7 +435,7 @@ rules:
       dirs:
       - staging/src/k8s.io/apiserver
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -468,6 +451,23 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/apiserver
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/apiserver
   library: true
 - destination: kube-aggregator
   branches:
@@ -491,29 +491,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kube-aggregator
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    - repository: code-generator
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kube-aggregator
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -534,7 +513,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-aggregator
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -555,7 +534,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-aggregator
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -575,6 +554,27 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kube-aggregator
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    - repository: code-generator
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kube-aggregator
 - destination: sample-apiserver
   branches:
   - name: master
@@ -602,34 +602,8 @@ rules:
     smoke-test: |
       # assumes GO111MODULE=on
       go build -mod=mod .
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: code-generator
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/sample-apiserver
-    required-packages:
-    - k8s.io/code-generator
-    smoke-test: |
-      # assumes GO111MODULE=on
-      go build -mod=mod .
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -655,7 +629,7 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod .
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -681,7 +655,7 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod .
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -706,40 +680,46 @@ rules:
     smoke-test: |
       # assumes GO111MODULE=on
       go build -mod=mod .
-- destination: sample-controller
-  branches:
-  - name: master
+  - name: release-1.35
+    go: 1.25.6
     dependencies:
     - repository: apimachinery
-      branch: master
+      branch: release-1.35
     - repository: api
-      branch: master
+      branch: release-1.35
     - repository: client-go
-      branch: master
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
     - repository: code-generator
-      branch: master
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
     source:
-      branch: master
+      branch: release-1.35
       dirs:
-      - staging/src/k8s.io/sample-controller
+      - staging/src/k8s.io/sample-apiserver
     required-packages:
     - k8s.io/code-generator
     smoke-test: |
       # assumes GO111MODULE=on
       go build -mod=mod .
-  - name: release-1.31
-    go: 1.23.12
+- destination: sample-controller
+  branches:
+  - name: master
     dependencies:
     - repository: apimachinery
-      branch: release-1.31
+      branch: master
     - repository: api
-      branch: release-1.31
+      branch: master
     - repository: client-go
-      branch: release-1.31
+      branch: master
     - repository: code-generator
-      branch: release-1.31
+      branch: master
     source:
-      branch: release-1.31
+      branch: master
       dirs:
       - staging/src/k8s.io/sample-controller
     required-packages:
@@ -748,7 +728,7 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod .
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -768,7 +748,7 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod .
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -788,7 +768,7 @@ rules:
       # assumes GO111MODULE=on
       go build -mod=mod .
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -807,6 +787,26 @@ rules:
     smoke-test: |
       # assumes GO111MODULE=on
       go build -mod=mod .
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: code-generator
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/sample-controller
+    required-packages:
+    - k8s.io/code-generator
+    smoke-test: |
+      # assumes GO111MODULE=on
+      go build -mod=mod .
 - destination: apiextensions-apiserver
   branches:
   - name: master
@@ -831,31 +831,8 @@ rules:
       - staging/src/k8s.io/apiextensions-apiserver
     required-packages:
     - k8s.io/code-generator
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: code-generator
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/apiextensions-apiserver
-    required-packages:
-    - k8s.io/code-generator
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -878,7 +855,7 @@ rules:
     required-packages:
     - k8s.io/code-generator
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -901,7 +878,7 @@ rules:
     required-packages:
     - k8s.io/code-generator
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -923,6 +900,29 @@ rules:
       - staging/src/k8s.io/apiextensions-apiserver
     required-packages:
     - k8s.io/code-generator
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: code-generator
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/apiextensions-apiserver
+    required-packages:
+    - k8s.io/code-generator
 - destination: metrics
   branches:
   - name: master
@@ -939,23 +939,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/metrics
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: code-generator
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/metrics
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -970,7 +955,7 @@ rules:
       dirs:
       - staging/src/k8s.io/metrics
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -985,7 +970,7 @@ rules:
       dirs:
       - staging/src/k8s.io/metrics
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -999,6 +984,21 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/metrics
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: code-generator
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/metrics
   library: true
 - destination: cli-runtime
   branches:
@@ -1014,21 +1014,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/cli-runtime
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/cli-runtime
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1041,7 +1028,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cli-runtime
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1054,7 +1041,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cli-runtime
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1066,6 +1053,19 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/cli-runtime
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/cli-runtime
   library: true
 - destination: sample-cli-plugin
   branches:
@@ -1083,23 +1083,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/sample-cli-plugin
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: cli-runtime
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/sample-cli-plugin
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1114,7 +1099,7 @@ rules:
       dirs:
       - staging/src/k8s.io/sample-cli-plugin
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1129,7 +1114,7 @@ rules:
       dirs:
       - staging/src/k8s.io/sample-cli-plugin
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1143,6 +1128,21 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/sample-cli-plugin
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: cli-runtime
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/sample-cli-plugin
 - destination: kube-proxy
   branches:
   - name: master
@@ -1159,23 +1159,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kube-proxy
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kube-proxy
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -1190,7 +1175,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-proxy
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -1205,7 +1190,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-proxy
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -1219,38 +1204,53 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kube-proxy
-  library: true
-- destination: cri-api
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kube-proxy
+  library: true
+- destination: cri-api
   branches:
   - name: master
     source:
       branch: master
       dirs:
       - staging/src/k8s.io/cri-api
-  - name: release-1.31
-    go: 1.23.12
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/cri-api
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     source:
       branch: release-1.32
       dirs:
       - staging/src/k8s.io/cri-api
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.33
       dirs:
       - staging/src/k8s.io/cri-api
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/cri-api
+  - name: release-1.35
+    go: 1.25.6
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/cri-api
   library: true
 - destination: cri-client
   branches:
@@ -1270,25 +1270,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/cri-client
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: cri-api
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/cri-client
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1305,7 +1288,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cri-client
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1322,7 +1305,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cri-client
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1338,6 +1321,23 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/cri-client
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: cri-api
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/cri-client
   library: true
 - destination: kubelet
   branches:
@@ -1361,29 +1361,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kubelet
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: cri-api
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kubelet
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -1404,7 +1383,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kubelet
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -1425,7 +1404,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kubelet
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -1445,83 +1424,27 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kubelet
-  library: true
-- destination: kube-scheduler
-  branches:
-  - name: master
-    dependencies:
-    - repository: apimachinery
-      branch: master
-    - repository: component-base
-      branch: master
-    - repository: api
-      branch: master
-    - repository: client-go
-      branch: master
-    source:
-      branch: master
-      dirs:
-      - staging/src/k8s.io/kube-scheduler
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kube-scheduler
-  - name: release-1.32
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.32
-    - repository: component-base
-      branch: release-1.32
-    - repository: api
-      branch: release-1.32
-    - repository: client-go
-      branch: release-1.32
-    source:
-      branch: release-1.32
-      dirs:
-      - staging/src/k8s.io/kube-scheduler
-  - name: release-1.33
-    go: 1.24.9
+  - name: release-1.35
+    go: 1.25.6
     dependencies:
     - repository: apimachinery
-      branch: release-1.33
-    - repository: component-base
-      branch: release-1.33
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
     - repository: api
-      branch: release-1.33
+      branch: release-1.35
     - repository: client-go
-      branch: release-1.33
-    source:
-      branch: release-1.33
-      dirs:
-      - staging/src/k8s.io/kube-scheduler
-  - name: release-1.34
-    go: 1.24.9
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.34
+      branch: release-1.35
+    - repository: cri-api
+      branch: release-1.35
     - repository: component-base
-      branch: release-1.34
-    - repository: api
-      branch: release-1.34
-    - repository: client-go
-      branch: release-1.34
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
     source:
-      branch: release-1.34
+      branch: release-1.35
       dirs:
-      - staging/src/k8s.io/kube-scheduler
+      - staging/src/k8s.io/kubelet
   library: true
 - destination: controller-manager
   branches:
@@ -1543,27 +1466,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/controller-manager
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/controller-manager
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1582,7 +1486,7 @@ rules:
       dirs:
       - staging/src/k8s.io/controller-manager
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1601,7 +1505,7 @@ rules:
       dirs:
       - staging/src/k8s.io/controller-manager
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1619,6 +1523,25 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/controller-manager
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/controller-manager
   library: true
 - destination: cloud-provider
   branches:
@@ -1644,31 +1567,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/cloud-provider
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: controller-manager
-      branch: release-1.31
-    - repository: component-helpers
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/cloud-provider
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1691,7 +1591,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cloud-provider
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1714,7 +1614,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cloud-provider
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1736,6 +1636,29 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/cloud-provider
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: controller-manager
+      branch: release-1.35
+    - repository: component-helpers
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/cloud-provider
   library: true
 - destination: kube-controller-manager
   branches:
@@ -1763,33 +1686,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kube-controller-manager
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: controller-manager
-      branch: release-1.31
-    - repository: cloud-provider
-      branch: release-1.31
-    - repository: component-helpers
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kube-controller-manager
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -1814,7 +1712,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-controller-manager
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -1839,7 +1737,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kube-controller-manager
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -1863,6 +1761,31 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kube-controller-manager
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: controller-manager
+      branch: release-1.35
+    - repository: cloud-provider
+      branch: release-1.35
+    - repository: component-helpers
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kube-controller-manager
   library: true
 - destination: cluster-bootstrap
   branches:
@@ -1876,19 +1799,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/cluster-bootstrap
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/cluster-bootstrap
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -1899,7 +1811,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cluster-bootstrap
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -1910,7 +1822,7 @@ rules:
       dirs:
       - staging/src/k8s.io/cluster-bootstrap
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -1920,6 +1832,17 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/cluster-bootstrap
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/cluster-bootstrap
   library: true
 - destination: csi-translation-lib
   branches:
@@ -1933,19 +1856,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/csi-translation-lib
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/csi-translation-lib
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -1956,7 +1868,7 @@ rules:
       dirs:
       - staging/src/k8s.io/csi-translation-lib
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -1967,7 +1879,7 @@ rules:
       dirs:
       - staging/src/k8s.io/csi-translation-lib
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -1977,6 +1889,17 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/csi-translation-lib
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/csi-translation-lib
   library: true
 - destination: mount-utils
   branches:
@@ -1985,30 +1908,30 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/mount-utils
-  - name: release-1.31
-    go: 1.23.12
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/mount-utils
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     source:
       branch: release-1.32
       dirs:
       - staging/src/k8s.io/mount-utils
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.33
       dirs:
       - staging/src/k8s.io/mount-utils
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/mount-utils
+  - name: release-1.35
+    go: 1.25.6
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/mount-utils
   library: true
 - destination: kubectl
   branches:
@@ -2034,31 +1957,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/kubectl
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: cli-runtime
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: code-generator
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: component-helpers
-      branch: release-1.31
-    - repository: metrics
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/kubectl
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -2081,7 +1981,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kubectl
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -2104,7 +2004,7 @@ rules:
       dirs:
       - staging/src/k8s.io/kubectl
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -2126,6 +2026,29 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/kubectl
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: cli-runtime
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: code-generator
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: component-helpers
+      branch: release-1.35
+    - repository: metrics
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kubectl
   library: true
 - destination: pod-security-admission
   branches:
@@ -2147,27 +2070,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/pod-security-admission
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: api
-      branch: release-1.31
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/pod-security-admission
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -2186,7 +2090,7 @@ rules:
       dirs:
       - staging/src/k8s.io/pod-security-admission
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -2205,7 +2109,7 @@ rules:
       dirs:
       - staging/src/k8s.io/pod-security-admission
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -2223,6 +2127,25 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/pod-security-admission
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/pod-security-admission
   library: true
 - destination: dynamic-resource-allocation
   branches:
@@ -2250,33 +2173,8 @@ rules:
       branch: master
       dirs:
       - staging/src/k8s.io/dynamic-resource-allocation
-  - name: release-1.31
-    go: 1.23.12
-    dependencies:
-    - repository: apimachinery
-      branch: release-1.31
-    - repository: apiserver
-      branch: release-1.31
-    - repository: api
-      branch: release-1.31
-    - repository: client-go
-      branch: release-1.31
-    - repository: cri-api
-      branch: release-1.31
-    - repository: component-base
-      branch: release-1.31
-    - repository: component-helpers
-      branch: release-1.31
-    - repository: kms
-      branch: release-1.31
-    - repository: kubelet
-      branch: release-1.31
-    source:
-      branch: release-1.31
-      dirs:
-      - staging/src/k8s.io/dynamic-resource-allocation
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.32
@@ -2301,7 +2199,7 @@ rules:
       dirs:
       - staging/src/k8s.io/dynamic-resource-allocation
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.33
@@ -2326,7 +2224,7 @@ rules:
       dirs:
       - staging/src/k8s.io/dynamic-resource-allocation
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: apimachinery
       branch: release-1.34
@@ -2350,39 +2248,156 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/dynamic-resource-allocation
-- destination: endpointslice
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: cri-api
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    - repository: component-helpers
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    - repository: kubelet
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/dynamic-resource-allocation
+- destination: kube-scheduler
   branches:
   - name: master
     dependencies:
-    - repository: api
-      branch: master
     - repository: apimachinery
       branch: master
+    - repository: component-base
+      branch: master
+    - repository: api
+      branch: master
     - repository: client-go
       branch: master
-    - repository: component-base
+    - repository: apiserver
+      branch: master
+    - repository: component-helpers
+      branch: master
+    - repository: dynamic-resource-allocation
+      branch: master
+    - repository: kms
+      branch: master
+    - repository: kubelet
       branch: master
     source:
       branch: master
       dirs:
-      - staging/src/k8s.io/endpointslice
-  - name: release-1.31
-    go: 1.23.12
+      - staging/src/k8s.io/kube-scheduler
+  - name: release-1.32
+    go: 1.23.11
     dependencies:
+    - repository: apimachinery
+      branch: release-1.32
+    - repository: component-base
+      branch: release-1.32
     - repository: api
-      branch: release-1.31
+      branch: release-1.32
+    - repository: client-go
+      branch: release-1.32
+    source:
+      branch: release-1.32
+      dirs:
+      - staging/src/k8s.io/kube-scheduler
+  - name: release-1.33
+    go: 1.24.5
+    dependencies:
     - repository: apimachinery
-      branch: release-1.31
+      branch: release-1.33
+    - repository: component-base
+      branch: release-1.33
+    - repository: api
+      branch: release-1.33
     - repository: client-go
-      branch: release-1.31
+      branch: release-1.33
+    - repository: apiserver
+      branch: release-1.33
+    - repository: component-helpers
+      branch: release-1.33
+    - repository: dynamic-resource-allocation
+      branch: release-1.33
+    - repository: kms
+      branch: release-1.33
+    - repository: kubelet
+      branch: release-1.33
+    source:
+      branch: release-1.33
+      dirs:
+      - staging/src/k8s.io/kube-scheduler
+  - name: release-1.34
+    go: 1.24.11
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.34
+    - repository: component-base
+      branch: release-1.34
+    - repository: api
+      branch: release-1.34
+    - repository: client-go
+      branch: release-1.34
+    source:
+      branch: release-1.34
+      dirs:
+      - staging/src/k8s.io/kube-scheduler
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: apimachinery
+      branch: release-1.35
     - repository: component-base
-      branch: release-1.31
+      branch: release-1.35
+    - repository: api
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: apiserver
+      branch: release-1.35
+    - repository: component-helpers
+      branch: release-1.35
+    - repository: dynamic-resource-allocation
+      branch: release-1.35
+    - repository: kms
+      branch: release-1.35
+    - repository: kubelet
+      branch: release-1.35
     source:
-      branch: release-1.31
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/kube-scheduler
+  library: true
+- destination: endpointslice
+  branches:
+  - name: master
+    dependencies:
+    - repository: api
+      branch: master
+    - repository: apimachinery
+      branch: master
+    - repository: client-go
+      branch: master
+    - repository: component-base
+      branch: master
+    source:
+      branch: master
       dirs:
       - staging/src/k8s.io/endpointslice
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.32
@@ -2397,7 +2412,7 @@ rules:
       dirs:
       - staging/src/k8s.io/endpointslice
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.33
@@ -2412,7 +2427,7 @@ rules:
       dirs:
       - staging/src/k8s.io/endpointslice
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     dependencies:
     - repository: api
       branch: release-1.34
@@ -2426,6 +2441,21 @@ rules:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/endpointslice
+  - name: release-1.35
+    go: 1.25.6
+    dependencies:
+    - repository: api
+      branch: release-1.35
+    - repository: apimachinery
+      branch: release-1.35
+    - repository: client-go
+      branch: release-1.35
+    - repository: component-base
+      branch: release-1.35
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/endpointslice
 - destination: externaljwt
   branches:
   - name: master
@@ -2434,23 +2464,29 @@ rules:
       dirs:
       - staging/src/k8s.io/externaljwt
   - name: release-1.32
-    go: 1.23.12
+    go: 1.24.11
     source:
       branch: release-1.32
       dirs:
       - staging/src/k8s.io/externaljwt
   - name: release-1.33
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.33
       dirs:
       - staging/src/k8s.io/externaljwt
   - name: release-1.34
-    go: 1.24.9
+    go: 1.24.11
     source:
       branch: release-1.34
       dirs:
       - staging/src/k8s.io/externaljwt
+  - name: release-1.35
+    go: 1.25.6
+    source:
+      branch: release-1.35
+      dirs:
+      - staging/src/k8s.io/externaljwt
 recursive-delete-patterns:
 - '*/.gitattributes'
-default-go-version: 1.24.9
+default-go-version: 1.25.6
diff --git a/staging/src/k8s.io/api/OWNERS b/staging/src/k8s.io/api/OWNERS
index 9a58553856c68..43e3879f48078 100644
--- a/staging/src/k8s.io/api/OWNERS
+++ b/staging/src/k8s.io/api/OWNERS
@@ -11,9 +11,9 @@ filters:
       - api-approvers
     reviewers:
       - api-reviewers
-  # go.{mod,sum} files relate to go dependencies, and should be reviewed by the
-  # dep-approvers
-  "go\\.(mod|sum)$":
+  # go.{mod,sum,work,work.sum} files relate to go dependencies,
+  # and should be reviewed by the dep-approvers
+  "go\\.(mod|sum|work|work\\.sum)$":
     approvers:
       - dep-approvers
     reviewers:
diff --git a/staging/src/k8s.io/api/admission/v1/doc.go b/staging/src/k8s.io/api/admission/v1/doc.go
index cab6528214dc0..c8be5b2352cdd 100644
--- a/staging/src/k8s.io/api/admission/v1/doc.go
+++ b/staging/src/k8s.io/api/admission/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=false
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admission.v1
+
 // +groupName=admission.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/admission/v1/generated.pb.go b/staging/src/k8s.io/api/admission/v1/generated.pb.go
index f5c417919826f..b9fe1402c3f8a 100644
--- a/staging/src/k8s.io/api/admission/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/admission/v1/generated.pb.go
@@ -23,12 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -36,172 +34,11 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AdmissionRequest) Reset() { *m = AdmissionRequest{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AdmissionResponse) Reset() { *m = AdmissionResponse{} }
 
-func (m *AdmissionRequest) Reset()      { *m = AdmissionRequest{} }
-func (*AdmissionRequest) ProtoMessage() {}
-func (*AdmissionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7b47d27831186ccf, []int{0}
-}
-func (m *AdmissionRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionRequest.Merge(m, src)
-}
-func (m *AdmissionRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionRequest proto.InternalMessageInfo
-
-func (m *AdmissionResponse) Reset()      { *m = AdmissionResponse{} }
-func (*AdmissionResponse) ProtoMessage() {}
-func (*AdmissionResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7b47d27831186ccf, []int{1}
-}
-func (m *AdmissionResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionResponse.Merge(m, src)
-}
-func (m *AdmissionResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionResponse proto.InternalMessageInfo
-
-func (m *AdmissionReview) Reset()      { *m = AdmissionReview{} }
-func (*AdmissionReview) ProtoMessage() {}
-func (*AdmissionReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7b47d27831186ccf, []int{2}
-}
-func (m *AdmissionReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionReview.Merge(m, src)
-}
-func (m *AdmissionReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionReview proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AdmissionRequest)(nil), "k8s.io.api.admission.v1.AdmissionRequest")
-	proto.RegisterType((*AdmissionResponse)(nil), "k8s.io.api.admission.v1.AdmissionResponse")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.admission.v1.AdmissionResponse.AuditAnnotationsEntry")
-	proto.RegisterType((*AdmissionReview)(nil), "k8s.io.api.admission.v1.AdmissionReview")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/admission/v1/generated.proto", fileDescriptor_7b47d27831186ccf)
-}
-
-var fileDescriptor_7b47d27831186ccf = []byte{
-	// 907 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xf7, 0xd6, 0x8e, 0xed, 0x1d, 0x87, 0xda, 0x9d, 0x82, 0xba, 0xf2, 0x61, 0x6d, 0x72, 0x00,
-	0x17, 0xb5, 0xbb, 0x24, 0x82, 0x2a, 0xaa, 0x40, 0x22, 0x4b, 0x2a, 0x14, 0x90, 0x9a, 0x68, 0xda,
-	0x40, 0xc5, 0x01, 0x69, 0x62, 0x4f, 0xed, 0xc1, 0xf6, 0xcc, 0xb2, 0x33, 0xeb, 0xe0, 0x1b, 0x27,
-	0xce, 0x7c, 0x03, 0x8e, 0x7c, 0x06, 0xbe, 0x41, 0x8e, 0x3d, 0xf6, 0x64, 0x11, 0xf3, 0x2d, 0x72,
-	0x42, 0x33, 0x3b, 0xfb, 0xa7, 0x89, 0x2d, 0x42, 0xc3, 0x29, 0xfb, 0xfe, 0xfc, 0x7e, 0xef, 0xe5,
-	0xf7, 0xf6, 0xbd, 0x35, 0xf8, 0x70, 0xbc, 0x2b, 0x3c, 0xca, 0x7d, 0x1c, 0x52, 0x1f, 0x0f, 0xa6,
-	0x54, 0x08, 0xca, 0x99, 0x3f, 0xdb, 0xf6, 0x87, 0x84, 0x91, 0x08, 0x4b, 0x32, 0xf0, 0xc2, 0x88,
-	0x4b, 0x0e, 0xef, 0x25, 0x89, 0x1e, 0x0e, 0xa9, 0x97, 0x25, 0x7a, 0xb3, 0xed, 0xf6, 0xc3, 0x21,
-	0x95, 0xa3, 0xf8, 0xc4, 0xeb, 0xf3, 0xa9, 0x3f, 0xe4, 0x43, 0xee, 0xeb, 0xfc, 0x93, 0xf8, 0xa5,
-	0xb6, 0xb4, 0xa1, 0x9f, 0x12, 0x9e, 0xf6, 0x83, 0x62, 0xc1, 0x58, 0x8e, 0x08, 0x93, 0xb4, 0x8f,
-	0xe5, 0xea, 0xaa, 0xed, 0x4f, 0xf2, 0xec, 0x29, 0xee, 0x8f, 0x28, 0x23, 0xd1, 0xdc, 0x0f, 0xc7,
-	0x43, 0xe5, 0x10, 0xfe, 0x94, 0x48, 0xbc, 0x0a, 0xe5, 0xaf, 0x43, 0x45, 0x31, 0x93, 0x74, 0x4a,
-	0xae, 0x00, 0x1e, 0xfd, 0x1b, 0x40, 0xf4, 0x47, 0x64, 0x8a, 0x2f, 0xe3, 0xb6, 0x7e, 0xb7, 0x41,
-	0x6b, 0x2f, 0x15, 0x03, 0x91, 0x9f, 0x62, 0x22, 0x24, 0x0c, 0x40, 0x39, 0xa6, 0x03, 0xc7, 0xea,
-	0x5a, 0x3d, 0x3b, 0xf8, 0xf8, 0x6c, 0xd1, 0x29, 0x2d, 0x17, 0x9d, 0xf2, 0xf1, 0xc1, 0xfe, 0xc5,
-	0xa2, 0xf3, 0xfe, 0xba, 0x42, 0x72, 0x1e, 0x12, 0xe1, 0x1d, 0x1f, 0xec, 0x23, 0x05, 0x86, 0x2f,
-	0x40, 0x65, 0x4c, 0xd9, 0xc0, 0xb9, 0xd5, 0xb5, 0x7a, 0x8d, 0x9d, 0x47, 0x5e, 0x2e, 0x7e, 0x06,
-	0xf3, 0xc2, 0xf1, 0x50, 0x39, 0x84, 0xa7, 0x64, 0xf0, 0x66, 0xdb, 0xde, 0x57, 0x11, 0x8f, 0xc3,
-	0x6f, 0x49, 0xa4, 0x9a, 0xf9, 0x86, 0xb2, 0x41, 0xb0, 0x69, 0x8a, 0x57, 0x94, 0x85, 0x34, 0x23,
-	0x1c, 0x81, 0x7a, 0x44, 0x04, 0x8f, 0xa3, 0x3e, 0x71, 0xca, 0x9a, 0xfd, 0xf1, 0x7f, 0x67, 0x47,
-	0x86, 0x21, 0x68, 0x99, 0x0a, 0xf5, 0xd4, 0x83, 0x32, 0x76, 0xf8, 0x29, 0x68, 0x88, 0xf8, 0x24,
-	0x0d, 0x38, 0x15, 0xad, 0xc7, 0x5d, 0x03, 0x68, 0x3c, 0xcb, 0x43, 0xa8, 0x98, 0x07, 0x29, 0x68,
-	0x44, 0x89, 0x92, 0xaa, 0x6b, 0xe7, 0x9d, 0x1b, 0x29, 0xd0, 0x54, 0xa5, 0x50, 0x4e, 0x87, 0x8a,
-	0xdc, 0x70, 0x0e, 0x9a, 0xc6, 0xcc, 0xba, 0xbc, 0x7d, 0x63, 0x49, 0xee, 0x2e, 0x17, 0x9d, 0x26,
-	0x7a, 0x93, 0x16, 0x5d, 0xae, 0x03, 0xbf, 0x06, 0xd0, 0xb8, 0x0a, 0x42, 0x38, 0x4d, 0xad, 0x51,
-	0xdb, 0x68, 0x04, 0xd1, 0x95, 0x0c, 0xb4, 0x02, 0x05, 0xbb, 0xa0, 0xc2, 0xf0, 0x94, 0x38, 0x1b,
-	0x1a, 0x9d, 0x0d, 0xfd, 0x29, 0x9e, 0x12, 0xa4, 0x23, 0xd0, 0x07, 0xb6, 0xfa, 0x2b, 0x42, 0xdc,
-	0x27, 0x4e, 0x55, 0xa7, 0xdd, 0x31, 0x69, 0xf6, 0xd3, 0x34, 0x80, 0xf2, 0x1c, 0xf8, 0x19, 0xb0,
-	0x79, 0xa8, 0x5e, 0x75, 0xca, 0x99, 0x53, 0xd3, 0x00, 0x37, 0x05, 0x1c, 0xa6, 0x81, 0x8b, 0xa2,
-	0x81, 0x72, 0x00, 0x7c, 0x0e, 0xea, 0xb1, 0x20, 0xd1, 0x01, 0x7b, 0xc9, 0x9d, 0xba, 0x16, 0xf4,
-	0x03, 0xaf, 0x78, 0x3e, 0xde, 0x58, 0x7b, 0x25, 0xe4, 0xb1, 0xc9, 0xce, 0xdf, 0xa7, 0xd4, 0x83,
-	0x32, 0x26, 0x78, 0x0c, 0xaa, 0xfc, 0xe4, 0x47, 0xd2, 0x97, 0x8e, 0xad, 0x39, 0x1f, 0xae, 0x1d,
-	0x92, 0xd9, 0x5a, 0x0f, 0xe1, 0xd3, 0x27, 0x3f, 0x4b, 0xc2, 0xd4, 0x7c, 0x82, 0xdb, 0x86, 0xba,
-	0x7a, 0xa8, 0x49, 0x90, 0x21, 0x83, 0x3f, 0x00, 0x9b, 0x4f, 0x06, 0x89, 0xd3, 0x01, 0x6f, 0xc3,
-	0x9c, 0x49, 0x79, 0x98, 0xf2, 0xa0, 0x9c, 0x12, 0x6e, 0x81, 0xea, 0x20, 0x9a, 0xa3, 0x98, 0x39,
-	0x8d, 0xae, 0xd5, 0xab, 0x07, 0x40, 0xf5, 0xb0, 0xaf, 0x3d, 0xc8, 0x44, 0xe0, 0x0b, 0x50, 0xe3,
-	0xa1, 0x12, 0x43, 0x38, 0x9b, 0x6f, 0xd3, 0x41, 0xd3, 0x74, 0x50, 0x3b, 0x4c, 0x58, 0x50, 0x4a,
-	0xb7, 0xf5, 0x47, 0x05, 0xdc, 0x29, 0x5c, 0x28, 0x11, 0x72, 0x26, 0xc8, 0xff, 0x72, 0xa2, 0xee,
-	0x83, 0x1a, 0x9e, 0x4c, 0xf8, 0x29, 0x49, 0xae, 0x54, 0x3d, 0x6f, 0x62, 0x2f, 0x71, 0xa3, 0x34,
-	0x0e, 0x8f, 0x40, 0x55, 0x48, 0x2c, 0x63, 0x61, 0x2e, 0xce, 0x83, 0xeb, 0xad, 0xd7, 0x33, 0x8d,
-	0x49, 0x04, 0x43, 0x44, 0xc4, 0x13, 0x89, 0x0c, 0x0f, 0xec, 0x80, 0x8d, 0x10, 0xcb, 0xfe, 0x48,
-	0x5f, 0x95, 0xcd, 0xc0, 0x5e, 0x2e, 0x3a, 0x1b, 0x47, 0xca, 0x81, 0x12, 0x3f, 0xdc, 0x05, 0xb6,
-	0x7e, 0x78, 0x3e, 0x0f, 0xd3, 0xc5, 0x68, 0xab, 0x11, 0x1d, 0xa5, 0xce, 0x8b, 0xa2, 0x81, 0xf2,
-	0x64, 0xf8, 0xab, 0x05, 0x5a, 0x38, 0x1e, 0x50, 0xb9, 0xc7, 0x18, 0x97, 0x38, 0x99, 0x4a, 0xb5,
-	0x5b, 0xee, 0x35, 0x76, 0xbe, 0xf0, 0xd6, 0x7c, 0x04, 0xbd, 0x2b, 0x12, 0x7b, 0x7b, 0x97, 0x28,
-	0x9e, 0x30, 0x19, 0xcd, 0x03, 0xc7, 0x68, 0xd4, 0xba, 0x1c, 0x46, 0x57, 0x6a, 0xc2, 0x1e, 0xa8,
-	0x9f, 0xe2, 0x88, 0x51, 0x36, 0x14, 0x4e, 0xad, 0x5b, 0x56, 0xab, 0xad, 0x36, 0xe3, 0x3b, 0xe3,
-	0x43, 0x59, 0xb4, 0xfd, 0x25, 0x78, 0x6f, 0x65, 0x39, 0xd8, 0x02, 0xe5, 0x31, 0x99, 0x27, 0x73,
-	0x46, 0xea, 0x11, 0xbe, 0x0b, 0x36, 0x66, 0x78, 0x12, 0x13, 0x3d, 0x33, 0x1b, 0x25, 0xc6, 0xe3,
-	0x5b, 0xbb, 0xd6, 0xd6, 0x9f, 0x16, 0x68, 0x16, 0xfe, 0x8d, 0x19, 0x25, 0xa7, 0xf0, 0x08, 0xd4,
-	0xcc, 0xbd, 0xd1, 0x1c, 0x8d, 0x9d, 0xfb, 0xd7, 0x51, 0x40, 0x03, 0x82, 0x86, 0x7a, 0x15, 0xd2,
-	0x3b, 0x98, 0xd2, 0xa8, 0xd3, 0x10, 0x19, 0x89, 0xcc, 0xc7, 0xed, 0xa3, 0xeb, 0x8b, 0x9a, 0x08,
-	0x90, 0x5a, 0x28, 0x63, 0x0a, 0x3e, 0x3f, 0x3b, 0x77, 0x4b, 0xaf, 0xce, 0xdd, 0xd2, 0xeb, 0x73,
-	0xb7, 0xf4, 0xcb, 0xd2, 0xb5, 0xce, 0x96, 0xae, 0xf5, 0x6a, 0xe9, 0x5a, 0xaf, 0x97, 0xae, 0xf5,
-	0xd7, 0xd2, 0xb5, 0x7e, 0xfb, 0xdb, 0x2d, 0x7d, 0x7f, 0x6f, 0xcd, 0x6f, 0x9d, 0x7f, 0x02, 0x00,
-	0x00, 0xff, 0xff, 0x5c, 0x49, 0x23, 0x22, 0x05, 0x09, 0x00, 0x00,
-}
+func (m *AdmissionReview) Reset() { *m = AdmissionReview{} }
 
 func (m *AdmissionRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -384,7 +221,7 @@ func (m *AdmissionResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.AuditAnnotations {
 			keysForAuditAnnotations = append(keysForAuditAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+		sort.Strings(keysForAuditAnnotations)
 		for iNdEx := len(keysForAuditAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AuditAnnotations[string(keysForAuditAnnotations[iNdEx])]
 			baseI := i
@@ -640,7 +477,7 @@ func (this *AdmissionResponse) String() string {
 	for k := range this.AuditAnnotations {
 		keysForAuditAnnotations = append(keysForAuditAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+	sort.Strings(keysForAuditAnnotations)
 	mapStringForAuditAnnotations := "map[string]string{"
 	for _, k := range keysForAuditAnnotations {
 		mapStringForAuditAnnotations += fmt.Sprintf("%v: %v,", k, this.AuditAnnotations[k])
diff --git a/staging/src/k8s.io/api/admission/v1/generated.proto b/staging/src/k8s.io/api/admission/v1/generated.proto
index 9648aa58fbc34..cd5c88badc8cc 100644
--- a/staging/src/k8s.io/api/admission/v1/generated.proto
+++ b/staging/src/k8s.io/api/admission/v1/generated.proto
@@ -31,23 +31,23 @@ option go_package = "k8s.io/api/admission/v1";
 
 // AdmissionRequest describes the admission.Attributes for the admission request.
 message AdmissionRequest {
-  // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+  // uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
   // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
   // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
   // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
   optional string uid = 1;
 
-  // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+  // kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
 
-  // Resource is the fully-qualified resource being requested (for example, v1.pods)
+  // resource is the fully-qualified resource being requested (for example, v1.pods)
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
 
-  // SubResource is the subresource being requested, if any (for example, "status" or "scale")
+  // subResource is the subresource being requested, if any (for example, "status" or "scale")
   // +optional
   optional string subResource = 4;
 
-  // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+  // requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
   // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
   //
   // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -60,7 +60,7 @@ message AdmissionRequest {
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
 
-  // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+  // requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
   // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
   //
   // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -73,42 +73,42 @@ message AdmissionRequest {
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
 
-  // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+  // requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
   // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
   // See documentation for the "matchPolicy" field in the webhook configuration type.
   // +optional
   optional string requestSubResource = 15;
 
-  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+  // name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
   // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
   // +optional
   optional string name = 5;
 
-  // Namespace is the namespace associated with the request (if any).
+  // namespace is the namespace associated with the request (if any).
   // +optional
   optional string namespace = 6;
 
-  // Operation is the operation being performed. This may be different than the operation
+  // operation is the operation being performed. This may be different than the operation
   // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
   optional string operation = 7;
 
-  // UserInfo is information about the requesting user
+  // userInfo is information about the requesting user
   optional .k8s.io.api.authentication.v1.UserInfo userInfo = 8;
 
-  // Object is the object from the incoming request.
+  // object is the object from the incoming request.
   // +optional
   optional .k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
 
-  // OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+  // oldObject is the existing object. Only populated for DELETE and UPDATE requests.
   // +optional
   optional .k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
 
-  // DryRun indicates that modifications will definitely not be persisted for this request.
+  // dryRun indicates that modifications will definitely not be persisted for this request.
   // Defaults to false.
   // +optional
   optional bool dryRun = 11;
 
-  // Options is the operation option structure of the operation being performed.
+  // options is the operation option structure of the operation being performed.
   // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
   // different than the options the caller provided. e.g. for a patch request the performed
   // Operation might be a CREATE, in which case the Options will a
@@ -119,27 +119,27 @@ message AdmissionRequest {
 
 // AdmissionResponse describes an admission response.
 message AdmissionResponse {
-  // UID is an identifier for the individual request/response.
+  // uid is an identifier for the individual request/response.
   // This must be copied over from the corresponding AdmissionRequest.
   optional string uid = 1;
 
-  // Allowed indicates whether or not the admission request was permitted.
+  // allowed indicates whether or not the admission request was permitted.
   optional bool allowed = 2;
 
-  // Result contains extra details into why an admission request was denied.
+  // status is the result contains extra details into why an admission request was denied.
   // This field IS NOT consulted in any way if "Allowed" is "true".
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
 
-  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+  // patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
   // +optional
   optional bytes patch = 4;
 
-  // The type of Patch. Currently we only allow "JSONPatch".
+  // patchType is the type of Patch. Currently we only allow "JSONPatch".
   // +optional
   optional string patchType = 5;
 
-  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+  // auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
   // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
   // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
   // the admission webhook to add additional context to the audit log for this request.
@@ -151,16 +151,17 @@ message AdmissionResponse {
   // Limit warnings to 120 characters if possible.
   // Warnings over 256 characters and large numbers of warnings may be truncated.
   // +optional
+  // +listType=atomic
   repeated string warnings = 7;
 }
 
 // AdmissionReview describes an admission review request/response.
 message AdmissionReview {
-  // Request describes the attributes for the admission request.
+  // request describes the attributes for the admission request.
   // +optional
   optional AdmissionRequest request = 1;
 
-  // Response describes the attributes for the admission response.
+  // response describes the attributes for the admission response.
   // +optional
   optional AdmissionResponse response = 2;
 }
diff --git a/staging/src/k8s.io/api/admission/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/admission/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..4e1ec547d6121
--- /dev/null
+++ b/staging/src/k8s.io/api/admission/v1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AdmissionRequest) ProtoMessage() {}
+
+func (*AdmissionResponse) ProtoMessage() {}
+
+func (*AdmissionReview) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/admission/v1/types.go b/staging/src/k8s.io/api/admission/v1/types.go
index 2def92da5b394..395672c390c17 100644
--- a/staging/src/k8s.io/api/admission/v1/types.go
+++ b/staging/src/k8s.io/api/admission/v1/types.go
@@ -29,30 +29,30 @@ import (
 // AdmissionReview describes an admission review request/response.
 type AdmissionReview struct {
 	metav1.TypeMeta `json:",inline"`
-	// Request describes the attributes for the admission request.
+	// request describes the attributes for the admission request.
 	// +optional
 	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
-	// Response describes the attributes for the admission response.
+	// response describes the attributes for the admission response.
 	// +optional
 	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
 }
 
 // AdmissionRequest describes the admission.Attributes for the admission request.
 type AdmissionRequest struct {
-	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
 	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
 	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
 	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
 	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
-	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	// kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
 	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
-	// Resource is the fully-qualified resource being requested (for example, v1.pods)
+	// resource is the fully-qualified resource being requested (for example, v1.pods)
 	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
-	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
+	// subResource is the subresource being requested, if any (for example, "status" or "scale")
 	// +optional
 	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
 
-	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
 	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -64,7 +64,7 @@ type AdmissionRequest struct {
 	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
 	// +optional
 	RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty" protobuf:"bytes,13,opt,name=requestKind"`
-	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
 	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -76,35 +76,35 @@ type AdmissionRequest struct {
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty" protobuf:"bytes,14,opt,name=requestResource"`
-	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
 	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	RequestSubResource string `json:"requestSubResource,omitempty" protobuf:"bytes,15,opt,name=requestSubResource"`
 
-	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
 	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
 	// +optional
 	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
-	// Namespace is the namespace associated with the request (if any).
+	// namespace is the namespace associated with the request (if any).
 	// +optional
 	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
-	// Operation is the operation being performed. This may be different than the operation
+	// operation is the operation being performed. This may be different than the operation
 	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
 	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
-	// UserInfo is information about the requesting user
+	// userInfo is information about the requesting user
 	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
-	// Object is the object from the incoming request.
+	// object is the object from the incoming request.
 	// +optional
 	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
-	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// oldObject is the existing object. Only populated for DELETE and UPDATE requests.
 	// +optional
 	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
-	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// dryRun indicates that modifications will definitely not be persisted for this request.
 	// Defaults to false.
 	// +optional
 	DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
-	// Options is the operation option structure of the operation being performed.
+	// options is the operation option structure of the operation being performed.
 	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
 	// different than the options the caller provided. e.g. for a patch request the performed
 	// Operation might be a CREATE, in which case the Options will a
@@ -115,27 +115,27 @@ type AdmissionRequest struct {
 
 // AdmissionResponse describes an admission response.
 type AdmissionResponse struct {
-	// UID is an identifier for the individual request/response.
+	// uid is an identifier for the individual request/response.
 	// This must be copied over from the corresponding AdmissionRequest.
 	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
 
-	// Allowed indicates whether or not the admission request was permitted.
+	// allowed indicates whether or not the admission request was permitted.
 	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
 
-	// Result contains extra details into why an admission request was denied.
+	// status is the result contains extra details into why an admission request was denied.
 	// This field IS NOT consulted in any way if "Allowed" is "true".
 	// +optional
 	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
 
-	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
 	// +optional
 	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
 
-	// The type of Patch. Currently we only allow "JSONPatch".
+	// patchType is the type of Patch. Currently we only allow "JSONPatch".
 	// +optional
 	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
 
-	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
 	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
 	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
 	// the admission webhook to add additional context to the audit log for this request.
@@ -147,6 +147,7 @@ type AdmissionResponse struct {
 	// Limit warnings to 120 characters if possible.
 	// Warnings over 256 characters and large numbers of warnings may be truncated.
 	// +optional
+	// +listType=atomic
 	Warnings []string `json:"warnings,omitempty" protobuf:"bytes,7,rep,name=warnings"`
 }
 
diff --git a/staging/src/k8s.io/api/admission/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/admission/v1/types_swagger_doc_generated.go
index 1395a7e107bfe..0fe90acac6f09 100644
--- a/staging/src/k8s.io/api/admission/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admission/v1/types_swagger_doc_generated.go
@@ -29,21 +29,21 @@ package v1
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
 var map_AdmissionRequest = map[string]string{
 	"":                   "AdmissionRequest describes the admission.Attributes for the admission request.",
-	"uid":                "UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
-	"kind":               "Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
-	"resource":           "Resource is the fully-qualified resource being requested (for example, v1.pods)",
-	"subResource":        "SubResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
-	"requestKind":        "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
-	"requestResource":    "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
-	"requestSubResource": "RequestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
-	"name":               "Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
-	"namespace":          "Namespace is the namespace associated with the request (if any).",
-	"operation":          "Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
-	"userInfo":           "UserInfo is information about the requesting user",
-	"object":             "Object is the object from the incoming request.",
-	"oldObject":          "OldObject is the existing object. Only populated for DELETE and UPDATE requests.",
-	"dryRun":             "DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
-	"options":            "Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
+	"uid":                "uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
+	"kind":               "kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
+	"resource":           "resource is the fully-qualified resource being requested (for example, v1.pods)",
+	"subResource":        "subResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
+	"requestKind":        "requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
+	"requestResource":    "requestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"requestSubResource": "requestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"name":               "name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
+	"namespace":          "namespace is the namespace associated with the request (if any).",
+	"operation":          "operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
+	"userInfo":           "userInfo is information about the requesting user",
+	"object":             "object is the object from the incoming request.",
+	"oldObject":          "oldObject is the existing object. Only populated for DELETE and UPDATE requests.",
+	"dryRun":             "dryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
+	"options":            "options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
 }
 
 func (AdmissionRequest) SwaggerDoc() map[string]string {
@@ -52,12 +52,12 @@ func (AdmissionRequest) SwaggerDoc() map[string]string {
 
 var map_AdmissionResponse = map[string]string{
 	"":                 "AdmissionResponse describes an admission response.",
-	"uid":              "UID is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest.",
-	"allowed":          "Allowed indicates whether or not the admission request was permitted.",
-	"status":           "Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
-	"patch":            "The patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
-	"patchType":        "The type of Patch. Currently we only allow \"JSONPatch\".",
-	"auditAnnotations": "AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
+	"uid":              "uid is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest.",
+	"allowed":          "allowed indicates whether or not the admission request was permitted.",
+	"status":           "status is the result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
+	"patch":            "patch is the patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
+	"patchType":        "patchType is the type of Patch. Currently we only allow \"JSONPatch\".",
+	"auditAnnotations": "auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
 	"warnings":         "warnings is a list of warning messages to return to the requesting API client. Warning messages describe a problem the client making the API request should correct or be aware of. Limit warnings to 120 characters if possible. Warnings over 256 characters and large numbers of warnings may be truncated.",
 }
 
@@ -67,8 +67,8 @@ func (AdmissionResponse) SwaggerDoc() map[string]string {
 
 var map_AdmissionReview = map[string]string{
 	"":         "AdmissionReview describes an admission review request/response.",
-	"request":  "Request describes the attributes for the admission request.",
-	"response": "Response describes the attributes for the admission response.",
+	"request":  "request describes the attributes for the admission request.",
+	"response": "response describes the attributes for the admission response.",
 }
 
 func (AdmissionReview) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/admission/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/admission/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b36acc0520e99
--- /dev/null
+++ b/staging/src/k8s.io/api/admission/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionRequest) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionResponse) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionReview) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1.AdmissionReview"
+}
diff --git a/staging/src/k8s.io/api/admission/v1beta1/doc.go b/staging/src/k8s.io/api/admission/v1beta1/doc.go
index 447495684e7a3..db856da122c74 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=false
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admission.v1beta1
 
 // +groupName=admission.k8s.io
 
diff --git a/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go b/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
index 22147cbe9473e..e8bb2c064bb5b 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/generated.pb.go
@@ -23,12 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -36,172 +34,11 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AdmissionRequest) Reset() { *m = AdmissionRequest{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AdmissionResponse) Reset() { *m = AdmissionResponse{} }
 
-func (m *AdmissionRequest) Reset()      { *m = AdmissionRequest{} }
-func (*AdmissionRequest) ProtoMessage() {}
-func (*AdmissionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d8f147b43c61e73e, []int{0}
-}
-func (m *AdmissionRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionRequest.Merge(m, src)
-}
-func (m *AdmissionRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionRequest proto.InternalMessageInfo
-
-func (m *AdmissionResponse) Reset()      { *m = AdmissionResponse{} }
-func (*AdmissionResponse) ProtoMessage() {}
-func (*AdmissionResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d8f147b43c61e73e, []int{1}
-}
-func (m *AdmissionResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionResponse.Merge(m, src)
-}
-func (m *AdmissionResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionResponse proto.InternalMessageInfo
-
-func (m *AdmissionReview) Reset()      { *m = AdmissionReview{} }
-func (*AdmissionReview) ProtoMessage() {}
-func (*AdmissionReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d8f147b43c61e73e, []int{2}
-}
-func (m *AdmissionReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AdmissionReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AdmissionReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AdmissionReview.Merge(m, src)
-}
-func (m *AdmissionReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *AdmissionReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_AdmissionReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AdmissionReview proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AdmissionRequest)(nil), "k8s.io.api.admission.v1beta1.AdmissionRequest")
-	proto.RegisterType((*AdmissionResponse)(nil), "k8s.io.api.admission.v1beta1.AdmissionResponse")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.admission.v1beta1.AdmissionResponse.AuditAnnotationsEntry")
-	proto.RegisterType((*AdmissionReview)(nil), "k8s.io.api.admission.v1beta1.AdmissionReview")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/admission/v1beta1/generated.proto", fileDescriptor_d8f147b43c61e73e)
-}
-
-var fileDescriptor_d8f147b43c61e73e = []byte{
-	// 911 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xf7, 0xd6, 0x8e, 0xed, 0x1d, 0x87, 0xda, 0x9d, 0x82, 0xb4, 0xb2, 0xaa, 0xb5, 0xc9, 0x01,
-	0x19, 0xa9, 0x9d, 0x25, 0x11, 0x54, 0x51, 0xc5, 0x25, 0x4b, 0x22, 0x14, 0x90, 0x9a, 0x68, 0x5a,
-	0x43, 0xe1, 0x80, 0x34, 0xb6, 0xa7, 0xf6, 0x60, 0x7b, 0x66, 0xd9, 0x99, 0x4d, 0xf0, 0x8d, 0x3b,
-	0x17, 0xbe, 0x01, 0x5f, 0x80, 0x6f, 0xc1, 0x25, 0xc7, 0x1e, 0x7b, 0xb2, 0x88, 0xf9, 0x16, 0x39,
-	0xa1, 0x99, 0x9d, 0xf5, 0x3a, 0x4e, 0x52, 0xfa, 0xef, 0x94, 0x7d, 0x7f, 0x7e, 0xbf, 0xf7, 0xf2,
-	0x7b, 0xfb, 0xde, 0x1a, 0xdc, 0x1f, 0xef, 0x4a, 0xc4, 0x44, 0x40, 0x22, 0x16, 0x90, 0xc1, 0x94,
-	0x49, 0xc9, 0x04, 0x0f, 0x4e, 0xb6, 0x7b, 0x54, 0x91, 0xed, 0x60, 0x48, 0x39, 0x8d, 0x89, 0xa2,
-	0x03, 0x14, 0xc5, 0x42, 0x09, 0x78, 0x2f, 0xcd, 0x46, 0x24, 0x62, 0x68, 0x99, 0x8d, 0x6c, 0x76,
-	0xf3, 0xc1, 0x90, 0xa9, 0x51, 0xd2, 0x43, 0x7d, 0x31, 0x0d, 0x86, 0x62, 0x28, 0x02, 0x03, 0xea,
-	0x25, 0xcf, 0x8d, 0x65, 0x0c, 0xf3, 0x94, 0x92, 0x35, 0x2f, 0x95, 0x4e, 0xd4, 0x88, 0x72, 0xc5,
-	0xfa, 0x44, 0xa5, 0xf5, 0xd7, 0x4b, 0x37, 0x3f, 0xcf, 0xb3, 0xa7, 0xa4, 0x3f, 0x62, 0x9c, 0xc6,
-	0xb3, 0x20, 0x1a, 0x0f, 0xb5, 0x43, 0x06, 0x53, 0xaa, 0xc8, 0x75, 0xa8, 0xe0, 0x26, 0x54, 0x9c,
-	0x70, 0xc5, 0xa6, 0xf4, 0x0a, 0xe0, 0xe1, 0xff, 0x01, 0x64, 0x7f, 0x44, 0xa7, 0x64, 0x1d, 0xb7,
-	0xf5, 0xa7, 0x0b, 0x1a, 0x7b, 0x99, 0x22, 0x98, 0xfe, 0x92, 0x50, 0xa9, 0x60, 0x08, 0x8a, 0x09,
-	0x1b, 0x78, 0x4e, 0xdb, 0xe9, 0xb8, 0xe1, 0x67, 0x67, 0xf3, 0x56, 0x61, 0x31, 0x6f, 0x15, 0xbb,
-	0x87, 0xfb, 0x17, 0xf3, 0xd6, 0xc7, 0x37, 0x15, 0x52, 0xb3, 0x88, 0x4a, 0xd4, 0x3d, 0xdc, 0xc7,
-	0x1a, 0x0c, 0x9f, 0x81, 0xd2, 0x98, 0xf1, 0x81, 0x77, 0xab, 0xed, 0x74, 0x6a, 0x3b, 0x0f, 0x51,
-	0x3e, 0x81, 0x25, 0x0c, 0x45, 0xe3, 0xa1, 0x76, 0x48, 0xa4, 0x65, 0x40, 0x27, 0xdb, 0xe8, 0xeb,
-	0x58, 0x24, 0xd1, 0x77, 0x34, 0xd6, 0xcd, 0x7c, 0xcb, 0xf8, 0x20, 0xdc, 0xb4, 0xc5, 0x4b, 0xda,
-	0xc2, 0x86, 0x11, 0x8e, 0x40, 0x35, 0xa6, 0x52, 0x24, 0x71, 0x9f, 0x7a, 0x45, 0xc3, 0xfe, 0xe8,
-	0xcd, 0xd9, 0xb1, 0x65, 0x08, 0x1b, 0xb6, 0x42, 0x35, 0xf3, 0xe0, 0x25, 0x3b, 0xfc, 0x02, 0xd4,
-	0x64, 0xd2, 0xcb, 0x02, 0x5e, 0xc9, 0xe8, 0x71, 0xd7, 0x02, 0x6a, 0x4f, 0xf2, 0x10, 0x5e, 0xcd,
-	0x83, 0x0c, 0xd4, 0xe2, 0x54, 0x49, 0xdd, 0xb5, 0xf7, 0xc1, 0x3b, 0x29, 0x50, 0xd7, 0xa5, 0x70,
-	0x4e, 0x87, 0x57, 0xb9, 0xe1, 0x0c, 0xd4, 0xad, 0xb9, 0xec, 0xf2, 0xf6, 0x3b, 0x4b, 0x72, 0x77,
-	0x31, 0x6f, 0xd5, 0xf1, 0x65, 0x5a, 0xbc, 0x5e, 0x07, 0x7e, 0x03, 0xa0, 0x75, 0xad, 0x08, 0xe1,
-	0xd5, 0x8d, 0x46, 0x4d, 0xab, 0x11, 0xc4, 0x57, 0x32, 0xf0, 0x35, 0x28, 0xd8, 0x06, 0x25, 0x4e,
-	0xa6, 0xd4, 0xdb, 0x30, 0xe8, 0xe5, 0xd0, 0x1f, 0x93, 0x29, 0xc5, 0x26, 0x02, 0x03, 0xe0, 0xea,
-	0xbf, 0x32, 0x22, 0x7d, 0xea, 0x95, 0x4d, 0xda, 0x1d, 0x9b, 0xe6, 0x3e, 0xce, 0x02, 0x38, 0xcf,
-	0x81, 0x5f, 0x02, 0x57, 0x44, 0xfa, 0x55, 0x67, 0x82, 0x7b, 0x15, 0x03, 0xf0, 0x33, 0xc0, 0x51,
-	0x16, 0xb8, 0x58, 0x35, 0x70, 0x0e, 0x80, 0x4f, 0x41, 0x35, 0x91, 0x34, 0x3e, 0xe4, 0xcf, 0x85,
-	0x57, 0x35, 0x82, 0x7e, 0x82, 0x56, 0x6f, 0xc8, 0xa5, 0xb5, 0xd7, 0x42, 0x76, 0x6d, 0x76, 0xfe,
-	0x3e, 0x65, 0x1e, 0xbc, 0x64, 0x82, 0x5d, 0x50, 0x16, 0xbd, 0x9f, 0x69, 0x5f, 0x79, 0xae, 0xe1,
-	0x7c, 0x70, 0xe3, 0x90, 0xec, 0xd6, 0x22, 0x4c, 0x4e, 0x0f, 0x7e, 0x55, 0x94, 0xeb, 0xf9, 0x84,
-	0xb7, 0x2d, 0x75, 0xf9, 0xc8, 0x90, 0x60, 0x4b, 0x06, 0x7f, 0x02, 0xae, 0x98, 0x0c, 0x52, 0xa7,
-	0x07, 0xde, 0x86, 0x79, 0x29, 0xe5, 0x51, 0xc6, 0x83, 0x73, 0x4a, 0xb8, 0x05, 0xca, 0x83, 0x78,
-	0x86, 0x13, 0xee, 0xd5, 0xda, 0x4e, 0xa7, 0x1a, 0x02, 0xdd, 0xc3, 0xbe, 0xf1, 0x60, 0x1b, 0x81,
-	0xcf, 0x40, 0x45, 0x44, 0x5a, 0x0c, 0xe9, 0x6d, 0xbe, 0x4d, 0x07, 0x75, 0xdb, 0x41, 0xe5, 0x28,
-	0x65, 0xc1, 0x19, 0xdd, 0xd6, 0x5f, 0x25, 0x70, 0x67, 0xe5, 0x42, 0xc9, 0x48, 0x70, 0x49, 0xdf,
-	0xcb, 0x89, 0xfa, 0x14, 0x54, 0xc8, 0x64, 0x22, 0x4e, 0x69, 0x7a, 0xa5, 0xaa, 0x79, 0x13, 0x7b,
-	0xa9, 0x1b, 0x67, 0x71, 0x78, 0x0c, 0xca, 0x52, 0x11, 0x95, 0x48, 0x7b, 0x71, 0xee, 0xbf, 0xde,
-	0x7a, 0x3d, 0x31, 0x98, 0x54, 0x30, 0x4c, 0x65, 0x32, 0x51, 0xd8, 0xf2, 0xc0, 0x16, 0xd8, 0x88,
-	0x88, 0xea, 0x8f, 0xcc, 0x55, 0xd9, 0x0c, 0xdd, 0xc5, 0xbc, 0xb5, 0x71, 0xac, 0x1d, 0x38, 0xf5,
-	0xc3, 0x5d, 0xe0, 0x9a, 0x87, 0xa7, 0xb3, 0x28, 0x5b, 0x8c, 0xa6, 0x1e, 0xd1, 0x71, 0xe6, 0xbc,
-	0x58, 0x35, 0x70, 0x9e, 0x0c, 0x7f, 0x77, 0x40, 0x83, 0x24, 0x03, 0xa6, 0xf6, 0x38, 0x17, 0x8a,
-	0xa4, 0x53, 0x29, 0xb7, 0x8b, 0x9d, 0xda, 0xce, 0x01, 0x7a, 0xd5, 0x97, 0x10, 0x5d, 0xd1, 0x19,
-	0xed, 0xad, 0xf1, 0x1c, 0x70, 0x15, 0xcf, 0x42, 0xcf, 0x0a, 0xd5, 0x58, 0x0f, 0xe3, 0x2b, 0x85,
-	0x61, 0x07, 0x54, 0x4f, 0x49, 0xcc, 0x19, 0x1f, 0x4a, 0xaf, 0xd2, 0x2e, 0xea, 0xfd, 0xd6, 0xeb,
-	0xf1, 0xbd, 0xf5, 0xe1, 0x65, 0xb4, 0xf9, 0x15, 0xf8, 0xe8, 0xda, 0x72, 0xb0, 0x01, 0x8a, 0x63,
-	0x3a, 0x4b, 0x87, 0x8d, 0xf5, 0x23, 0xfc, 0x10, 0x6c, 0x9c, 0x90, 0x49, 0x42, 0xcd, 0xe0, 0x5c,
-	0x9c, 0x1a, 0x8f, 0x6e, 0xed, 0x3a, 0x5b, 0x7f, 0x3b, 0xa0, 0xbe, 0xf2, 0x6f, 0x9c, 0x30, 0x7a,
-	0x0a, 0xbb, 0xa0, 0x62, 0x8f, 0x8e, 0xe1, 0xa8, 0xed, 0xa0, 0xd7, 0x96, 0xc1, 0xa0, 0xc2, 0x9a,
-	0x7e, 0x29, 0xb2, 0x8b, 0x98, 0x71, 0xc1, 0x1f, 0xcc, 0x87, 0xc8, 0xe8, 0x64, 0x3f, 0x73, 0xc1,
-	0x1b, 0xca, 0x9b, 0x4a, 0x91, 0x59, 0x78, 0x49, 0x17, 0x86, 0x67, 0xe7, 0x7e, 0xe1, 0xc5, 0xb9,
-	0x5f, 0x78, 0x79, 0xee, 0x17, 0x7e, 0x5b, 0xf8, 0xce, 0xd9, 0xc2, 0x77, 0x5e, 0x2c, 0x7c, 0xe7,
-	0xe5, 0xc2, 0x77, 0xfe, 0x59, 0xf8, 0xce, 0x1f, 0xff, 0xfa, 0x85, 0x1f, 0xef, 0xbd, 0xea, 0x47,
-	0xd0, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x90, 0x6e, 0x31, 0x41, 0x23, 0x09, 0x00, 0x00,
-}
+func (m *AdmissionReview) Reset() { *m = AdmissionReview{} }
 
 func (m *AdmissionRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -384,7 +221,7 @@ func (m *AdmissionResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.AuditAnnotations {
 			keysForAuditAnnotations = append(keysForAuditAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+		sort.Strings(keysForAuditAnnotations)
 		for iNdEx := len(keysForAuditAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AuditAnnotations[string(keysForAuditAnnotations[iNdEx])]
 			baseI := i
@@ -640,7 +477,7 @@ func (this *AdmissionResponse) String() string {
 	for k := range this.AuditAnnotations {
 		keysForAuditAnnotations = append(keysForAuditAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+	sort.Strings(keysForAuditAnnotations)
 	mapStringForAuditAnnotations := "map[string]string{"
 	for _, k := range keysForAuditAnnotations {
 		mapStringForAuditAnnotations += fmt.Sprintf("%v: %v,", k, this.AuditAnnotations[k])
diff --git a/staging/src/k8s.io/api/admission/v1beta1/generated.proto b/staging/src/k8s.io/api/admission/v1beta1/generated.proto
index d27c05b727eb5..5af234993a403 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/admission/v1beta1/generated.proto
@@ -31,23 +31,23 @@ option go_package = "k8s.io/api/admission/v1beta1";
 
 // AdmissionRequest describes the admission.Attributes for the admission request.
 message AdmissionRequest {
-  // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+  // uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
   // otherwise identical (parallel requests, requests when earlier requests did not modify etc)
   // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
   // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
   optional string uid = 1;
 
-  // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+  // kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind kind = 2;
 
-  // Resource is the fully-qualified resource being requested (for example, v1.pods)
+  // resource is the fully-qualified resource being requested (for example, v1.pods)
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource resource = 3;
 
-  // SubResource is the subresource being requested, if any (for example, "status" or "scale")
+  // subResource is the subresource being requested, if any (for example, "status" or "scale")
   // +optional
   optional string subResource = 4;
 
-  // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+  // requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
   // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
   //
   // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -60,7 +60,7 @@ message AdmissionRequest {
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind requestKind = 13;
 
-  // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+  // requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
   // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
   //
   // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -73,42 +73,42 @@ message AdmissionRequest {
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource requestResource = 14;
 
-  // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+  // requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
   // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
   // See documentation for the "matchPolicy" field in the webhook configuration type.
   // +optional
   optional string requestSubResource = 15;
 
-  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+  // name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
   // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
   // +optional
   optional string name = 5;
 
-  // Namespace is the namespace associated with the request (if any).
+  // namespace is the namespace associated with the request (if any).
   // +optional
   optional string namespace = 6;
 
-  // Operation is the operation being performed. This may be different than the operation
+  // operation is the operation being performed. This may be different than the operation
   // requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
   optional string operation = 7;
 
-  // UserInfo is information about the requesting user
+  // userInfo is information about the requesting user
   optional .k8s.io.api.authentication.v1.UserInfo userInfo = 8;
 
-  // Object is the object from the incoming request.
+  // object is the object from the incoming request.
   // +optional
   optional .k8s.io.apimachinery.pkg.runtime.RawExtension object = 9;
 
-  // OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+  // oldObject is the existing object. Only populated for DELETE and UPDATE requests.
   // +optional
   optional .k8s.io.apimachinery.pkg.runtime.RawExtension oldObject = 10;
 
-  // DryRun indicates that modifications will definitely not be persisted for this request.
+  // dryRun indicates that modifications will definitely not be persisted for this request.
   // Defaults to false.
   // +optional
   optional bool dryRun = 11;
 
-  // Options is the operation option structure of the operation being performed.
+  // options is the operation option structure of the operation being performed.
   // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
   // different than the options the caller provided. e.g. for a patch request the performed
   // Operation might be a CREATE, in which case the Options will a
@@ -119,27 +119,27 @@ message AdmissionRequest {
 
 // AdmissionResponse describes an admission response.
 message AdmissionResponse {
-  // UID is an identifier for the individual request/response.
+  // uid is an identifier for the individual request/response.
   // This should be copied over from the corresponding AdmissionRequest.
   optional string uid = 1;
 
-  // Allowed indicates whether or not the admission request was permitted.
+  // allowed indicates whether or not the admission request was permitted.
   optional bool allowed = 2;
 
-  // Result contains extra details into why an admission request was denied.
+  // status is the result contains extra details into why an admission request was denied.
   // This field IS NOT consulted in any way if "Allowed" is "true".
   // +optional
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;
 
-  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+  // patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
   // +optional
   optional bytes patch = 4;
 
-  // The type of Patch. Currently we only allow "JSONPatch".
+  // patchType is the type of Patch. Currently we only allow "JSONPatch".
   // +optional
   optional string patchType = 5;
 
-  // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+  // auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
   // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
   // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
   // the admission webhook to add additional context to the audit log for this request.
@@ -151,16 +151,17 @@ message AdmissionResponse {
   // Limit warnings to 120 characters if possible.
   // Warnings over 256 characters and large numbers of warnings may be truncated.
   // +optional
+  // +listType=atomic
   repeated string warnings = 7;
 }
 
 // AdmissionReview describes an admission review request/response.
 message AdmissionReview {
-  // Request describes the attributes for the admission request.
+  // request describes the attributes for the admission request.
   // +optional
   optional AdmissionRequest request = 1;
 
-  // Response describes the attributes for the admission response.
+  // response describes the attributes for the admission response.
   // +optional
   optional AdmissionResponse response = 2;
 }
diff --git a/staging/src/k8s.io/api/admission/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/admission/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..95c7022932260
--- /dev/null
+++ b/staging/src/k8s.io/api/admission/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*AdmissionRequest) ProtoMessage() {}
+
+func (*AdmissionResponse) ProtoMessage() {}
+
+func (*AdmissionReview) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/admission/v1beta1/types.go b/staging/src/k8s.io/api/admission/v1beta1/types.go
index 00c619d9986cc..81941eb325e60 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/types.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/types.go
@@ -33,30 +33,30 @@ import (
 // AdmissionReview describes an admission review request/response.
 type AdmissionReview struct {
 	metav1.TypeMeta `json:",inline"`
-	// Request describes the attributes for the admission request.
+	// request describes the attributes for the admission request.
 	// +optional
 	Request *AdmissionRequest `json:"request,omitempty" protobuf:"bytes,1,opt,name=request"`
-	// Response describes the attributes for the admission response.
+	// response describes the attributes for the admission response.
 	// +optional
 	Response *AdmissionResponse `json:"response,omitempty" protobuf:"bytes,2,opt,name=response"`
 }
 
 // AdmissionRequest describes the admission.Attributes for the admission request.
 type AdmissionRequest struct {
-	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
 	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
 	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
 	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
 	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
-	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	// kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
 	Kind metav1.GroupVersionKind `json:"kind" protobuf:"bytes,2,opt,name=kind"`
-	// Resource is the fully-qualified resource being requested (for example, v1.pods)
+	// resource is the fully-qualified resource being requested (for example, v1.pods)
 	Resource metav1.GroupVersionResource `json:"resource" protobuf:"bytes,3,opt,name=resource"`
-	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
+	// subResource is the subresource being requested, if any (for example, "status" or "scale")
 	// +optional
 	SubResource string `json:"subResource,omitempty" protobuf:"bytes,4,opt,name=subResource"`
 
-	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
 	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -68,7 +68,7 @@ type AdmissionRequest struct {
 	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
 	// +optional
 	RequestKind *metav1.GroupVersionKind `json:"requestKind,omitempty" protobuf:"bytes,13,opt,name=requestKind"`
-	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// requestResource is the fully-qualified resource of the original API request (for example, v1.pods).
 	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
 	//
 	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
@@ -80,35 +80,35 @@ type AdmissionRequest struct {
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	RequestResource *metav1.GroupVersionResource `json:"requestResource,omitempty" protobuf:"bytes,14,opt,name=requestResource"`
-	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// requestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
 	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
 	// See documentation for the "matchPolicy" field in the webhook configuration type.
 	// +optional
 	RequestSubResource string `json:"requestSubResource,omitempty" protobuf:"bytes,15,opt,name=requestSubResource"`
 
-	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
 	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
 	// +optional
 	Name string `json:"name,omitempty" protobuf:"bytes,5,opt,name=name"`
-	// Namespace is the namespace associated with the request (if any).
+	// namespace is the namespace associated with the request (if any).
 	// +optional
 	Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
-	// Operation is the operation being performed. This may be different than the operation
+	// operation is the operation being performed. This may be different than the operation
 	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
 	Operation Operation `json:"operation" protobuf:"bytes,7,opt,name=operation"`
-	// UserInfo is information about the requesting user
+	// userInfo is information about the requesting user
 	UserInfo authenticationv1.UserInfo `json:"userInfo" protobuf:"bytes,8,opt,name=userInfo"`
-	// Object is the object from the incoming request.
+	// object is the object from the incoming request.
 	// +optional
 	Object runtime.RawExtension `json:"object,omitempty" protobuf:"bytes,9,opt,name=object"`
-	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// oldObject is the existing object. Only populated for DELETE and UPDATE requests.
 	// +optional
 	OldObject runtime.RawExtension `json:"oldObject,omitempty" protobuf:"bytes,10,opt,name=oldObject"`
-	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// dryRun indicates that modifications will definitely not be persisted for this request.
 	// Defaults to false.
 	// +optional
 	DryRun *bool `json:"dryRun,omitempty" protobuf:"varint,11,opt,name=dryRun"`
-	// Options is the operation option structure of the operation being performed.
+	// options is the operation option structure of the operation being performed.
 	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
 	// different than the options the caller provided. e.g. for a patch request the performed
 	// Operation might be a CREATE, in which case the Options will a
@@ -119,27 +119,27 @@ type AdmissionRequest struct {
 
 // AdmissionResponse describes an admission response.
 type AdmissionResponse struct {
-	// UID is an identifier for the individual request/response.
+	// uid is an identifier for the individual request/response.
 	// This should be copied over from the corresponding AdmissionRequest.
 	UID types.UID `json:"uid" protobuf:"bytes,1,opt,name=uid"`
 
-	// Allowed indicates whether or not the admission request was permitted.
+	// allowed indicates whether or not the admission request was permitted.
 	Allowed bool `json:"allowed" protobuf:"varint,2,opt,name=allowed"`
 
-	// Result contains extra details into why an admission request was denied.
+	// status is the result contains extra details into why an admission request was denied.
 	// This field IS NOT consulted in any way if "Allowed" is "true".
 	// +optional
 	Result *metav1.Status `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
 
-	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// patch is the patch body. Currently we only support "JSONPatch" which implements RFC 6902.
 	// +optional
 	Patch []byte `json:"patch,omitempty" protobuf:"bytes,4,opt,name=patch"`
 
-	// The type of Patch. Currently we only allow "JSONPatch".
+	// patchType is the type of Patch. Currently we only allow "JSONPatch".
 	// +optional
 	PatchType *PatchType `json:"patchType,omitempty" protobuf:"bytes,5,opt,name=patchType"`
 
-	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
 	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
 	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
 	// the admission webhook to add additional context to the audit log for this request.
@@ -151,6 +151,7 @@ type AdmissionResponse struct {
 	// Limit warnings to 120 characters if possible.
 	// Warnings over 256 characters and large numbers of warnings may be truncated.
 	// +optional
+	// +listType=atomic
 	Warnings []string `json:"warnings,omitempty" protobuf:"bytes,7,rep,name=warnings"`
 }
 
diff --git a/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
index 82598ed57309e..25039cf27d14a 100644
--- a/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go
@@ -29,21 +29,21 @@ package v1beta1
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
 var map_AdmissionRequest = map[string]string{
 	"":                   "AdmissionRequest describes the admission.Attributes for the admission request.",
-	"uid":                "UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
-	"kind":               "Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
-	"resource":           "Resource is the fully-qualified resource being requested (for example, v1.pods)",
-	"subResource":        "SubResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
-	"requestKind":        "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
-	"requestResource":    "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
-	"requestSubResource": "RequestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
-	"name":               "Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
-	"namespace":          "Namespace is the namespace associated with the request (if any).",
-	"operation":          "Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
-	"userInfo":           "UserInfo is information about the requesting user",
-	"object":             "Object is the object from the incoming request.",
-	"oldObject":          "OldObject is the existing object. Only populated for DELETE and UPDATE requests.",
-	"dryRun":             "DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
-	"options":            "Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
+	"uid":                "uid is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.",
+	"kind":               "kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)",
+	"resource":           "resource is the fully-qualified resource being requested (for example, v1.pods)",
+	"subResource":        "subResource is the subresource being requested, if any (for example, \"status\" or \"scale\")",
+	"requestKind":        "requestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.",
+	"requestResource":    "requestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"requestSubResource": "requestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\") If this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed. See documentation for the \"matchPolicy\" field in the webhook configuration type.",
+	"name":               "name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and rely on the server to generate the name.  If that is the case, this field will contain an empty string.",
+	"namespace":          "namespace is the namespace associated with the request (if any).",
+	"operation":          "operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.",
+	"userInfo":           "userInfo is information about the requesting user",
+	"object":             "object is the object from the incoming request.",
+	"oldObject":          "oldObject is the existing object. Only populated for DELETE and UPDATE requests.",
+	"dryRun":             "dryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.",
+	"options":            "options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.",
 }
 
 func (AdmissionRequest) SwaggerDoc() map[string]string {
@@ -52,12 +52,12 @@ func (AdmissionRequest) SwaggerDoc() map[string]string {
 
 var map_AdmissionResponse = map[string]string{
 	"":                 "AdmissionResponse describes an admission response.",
-	"uid":              "UID is an identifier for the individual request/response. This should be copied over from the corresponding AdmissionRequest.",
-	"allowed":          "Allowed indicates whether or not the admission request was permitted.",
-	"status":           "Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
-	"patch":            "The patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
-	"patchType":        "The type of Patch. Currently we only allow \"JSONPatch\".",
-	"auditAnnotations": "AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
+	"uid":              "uid is an identifier for the individual request/response. This should be copied over from the corresponding AdmissionRequest.",
+	"allowed":          "allowed indicates whether or not the admission request was permitted.",
+	"status":           "status is the result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if \"Allowed\" is \"true\".",
+	"patch":            "patch is the patch body. Currently we only support \"JSONPatch\" which implements RFC 6902.",
+	"patchType":        "patchType is the type of Patch. Currently we only allow \"JSONPatch\".",
+	"auditAnnotations": "auditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by the admission webhook to add additional context to the audit log for this request.",
 	"warnings":         "warnings is a list of warning messages to return to the requesting API client. Warning messages describe a problem the client making the API request should correct or be aware of. Limit warnings to 120 characters if possible. Warnings over 256 characters and large numbers of warnings may be truncated.",
 }
 
@@ -67,8 +67,8 @@ func (AdmissionResponse) SwaggerDoc() map[string]string {
 
 var map_AdmissionReview = map[string]string{
 	"":         "AdmissionReview describes an admission review request/response.",
-	"request":  "Request describes the attributes for the admission request.",
-	"response": "Response describes the attributes for the admission response.",
+	"request":  "request describes the attributes for the admission request.",
+	"response": "response describes the attributes for the admission response.",
 }
 
 func (AdmissionReview) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/admission/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/admission/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e67adcd7129e8
--- /dev/null
+++ b/staging/src/k8s.io/api/admission/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionRequest) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionResponse) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AdmissionReview) OpenAPIModelName() string {
+	return "io.k8s.api.admission.v1beta1.AdmissionReview"
+}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1/doc.go b/staging/src/k8s.io/api/admissionregistration/v1/doc.go
index ec0ebb9c49c2e..0bcaeaa5464e9 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1/doc.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admissionregistration.v1
+
 // +groupName=admissionregistration.k8s.io
 
 // Package v1 is the v1 version of the API.
diff --git a/staging/src/k8s.io/api/admissionregistration/v1/generated.pb.go b/staging/src/k8s.io/api/admissionregistration/v1/generated.pb.go
index 09295734dfe36..91b2f1cbaee2f 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1/generated.pb.go
@@ -24,950 +24,67 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AuditAnnotation) Reset() { *m = AuditAnnotation{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ExpressionWarning) Reset() { *m = ExpressionWarning{} }
 
-func (m *AuditAnnotation) Reset()      { *m = AuditAnnotation{} }
-func (*AuditAnnotation) ProtoMessage() {}
-func (*AuditAnnotation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{0}
-}
-func (m *AuditAnnotation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AuditAnnotation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AuditAnnotation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AuditAnnotation.Merge(m, src)
-}
-func (m *AuditAnnotation) XXX_Size() int {
-	return m.Size()
-}
-func (m *AuditAnnotation) XXX_DiscardUnknown() {
-	xxx_messageInfo_AuditAnnotation.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AuditAnnotation proto.InternalMessageInfo
-
-func (m *ExpressionWarning) Reset()      { *m = ExpressionWarning{} }
-func (*ExpressionWarning) ProtoMessage() {}
-func (*ExpressionWarning) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{1}
-}
-func (m *ExpressionWarning) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExpressionWarning) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExpressionWarning) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExpressionWarning.Merge(m, src)
-}
-func (m *ExpressionWarning) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExpressionWarning) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExpressionWarning.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExpressionWarning proto.InternalMessageInfo
-
-func (m *MatchCondition) Reset()      { *m = MatchCondition{} }
-func (*MatchCondition) ProtoMessage() {}
-func (*MatchCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{2}
-}
-func (m *MatchCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchCondition.Merge(m, src)
-}
-func (m *MatchCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchCondition proto.InternalMessageInfo
-
-func (m *MatchResources) Reset()      { *m = MatchResources{} }
-func (*MatchResources) ProtoMessage() {}
-func (*MatchResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{3}
-}
-func (m *MatchResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchResources.Merge(m, src)
-}
-func (m *MatchResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchResources.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchResources proto.InternalMessageInfo
-
-func (m *MutatingWebhook) Reset()      { *m = MutatingWebhook{} }
-func (*MutatingWebhook) ProtoMessage() {}
-func (*MutatingWebhook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{4}
-}
-func (m *MutatingWebhook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhook.Merge(m, src)
-}
-func (m *MutatingWebhook) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhook) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhook.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhook proto.InternalMessageInfo
-
-func (m *MutatingWebhookConfiguration) Reset()      { *m = MutatingWebhookConfiguration{} }
-func (*MutatingWebhookConfiguration) ProtoMessage() {}
-func (*MutatingWebhookConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{5}
-}
-func (m *MutatingWebhookConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhookConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhookConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhookConfiguration.Merge(m, src)
-}
-func (m *MutatingWebhookConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhookConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhookConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhookConfiguration proto.InternalMessageInfo
-
-func (m *MutatingWebhookConfigurationList) Reset()      { *m = MutatingWebhookConfigurationList{} }
-func (*MutatingWebhookConfigurationList) ProtoMessage() {}
-func (*MutatingWebhookConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{6}
-}
-func (m *MutatingWebhookConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhookConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhookConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhookConfigurationList.Merge(m, src)
-}
-func (m *MutatingWebhookConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhookConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhookConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhookConfigurationList proto.InternalMessageInfo
-
-func (m *NamedRuleWithOperations) Reset()      { *m = NamedRuleWithOperations{} }
-func (*NamedRuleWithOperations) ProtoMessage() {}
-func (*NamedRuleWithOperations) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{7}
-}
-func (m *NamedRuleWithOperations) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedRuleWithOperations) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedRuleWithOperations) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedRuleWithOperations.Merge(m, src)
-}
-func (m *NamedRuleWithOperations) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedRuleWithOperations) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedRuleWithOperations.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamedRuleWithOperations proto.InternalMessageInfo
-
-func (m *ParamKind) Reset()      { *m = ParamKind{} }
-func (*ParamKind) ProtoMessage() {}
-func (*ParamKind) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{8}
-}
-func (m *ParamKind) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamKind) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamKind) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamKind.Merge(m, src)
-}
-func (m *ParamKind) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamKind) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamKind.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ParamKind proto.InternalMessageInfo
-
-func (m *ParamRef) Reset()      { *m = ParamRef{} }
-func (*ParamRef) ProtoMessage() {}
-func (*ParamRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{9}
-}
-func (m *ParamRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamRef.Merge(m, src)
-}
-func (m *ParamRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamRef.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ParamRef proto.InternalMessageInfo
-
-func (m *Rule) Reset()      { *m = Rule{} }
-func (*Rule) ProtoMessage() {}
-func (*Rule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{10}
-}
-func (m *Rule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Rule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Rule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Rule.Merge(m, src)
-}
-func (m *Rule) XXX_Size() int {
-	return m.Size()
-}
-func (m *Rule) XXX_DiscardUnknown() {
-	xxx_messageInfo_Rule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Rule proto.InternalMessageInfo
-
-func (m *RuleWithOperations) Reset()      { *m = RuleWithOperations{} }
-func (*RuleWithOperations) ProtoMessage() {}
-func (*RuleWithOperations) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{11}
-}
-func (m *RuleWithOperations) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuleWithOperations) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuleWithOperations) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuleWithOperations.Merge(m, src)
-}
-func (m *RuleWithOperations) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuleWithOperations) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuleWithOperations.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuleWithOperations proto.InternalMessageInfo
-
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{12}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
+func (m *MatchCondition) Reset() { *m = MatchCondition{} }
 
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
+func (m *MatchResources) Reset() { *m = MatchResources{} }
 
-func (m *TypeChecking) Reset()      { *m = TypeChecking{} }
-func (*TypeChecking) ProtoMessage() {}
-func (*TypeChecking) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{13}
-}
-func (m *TypeChecking) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypeChecking) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypeChecking) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypeChecking.Merge(m, src)
-}
-func (m *TypeChecking) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypeChecking) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypeChecking.DiscardUnknown(m)
-}
+func (m *MutatingWebhook) Reset() { *m = MutatingWebhook{} }
 
-var xxx_messageInfo_TypeChecking proto.InternalMessageInfo
+func (m *MutatingWebhookConfiguration) Reset() { *m = MutatingWebhookConfiguration{} }
 
-func (m *ValidatingAdmissionPolicy) Reset()      { *m = ValidatingAdmissionPolicy{} }
-func (*ValidatingAdmissionPolicy) ProtoMessage() {}
-func (*ValidatingAdmissionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{14}
-}
-func (m *ValidatingAdmissionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicy.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicy.DiscardUnknown(m)
-}
+func (m *MutatingWebhookConfigurationList) Reset() { *m = MutatingWebhookConfigurationList{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicy proto.InternalMessageInfo
+func (m *NamedRuleWithOperations) Reset() { *m = NamedRuleWithOperations{} }
 
-func (m *ValidatingAdmissionPolicyBinding) Reset()      { *m = ValidatingAdmissionPolicyBinding{} }
-func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{15}
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.DiscardUnknown(m)
-}
+func (m *ParamKind) Reset() { *m = ParamKind{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyBinding proto.InternalMessageInfo
+func (m *ParamRef) Reset() { *m = ParamRef{} }
 
-func (m *ValidatingAdmissionPolicyBindingList) Reset()      { *m = ValidatingAdmissionPolicyBindingList{} }
-func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{16}
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.DiscardUnknown(m)
-}
+func (m *Rule) Reset() { *m = Rule{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingList proto.InternalMessageInfo
+func (m *RuleWithOperations) Reset() { *m = RuleWithOperations{} }
 
-func (m *ValidatingAdmissionPolicyBindingSpec) Reset()      { *m = ValidatingAdmissionPolicyBindingSpec{} }
-func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{17}
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicyList) Reset()      { *m = ValidatingAdmissionPolicyList{} }
-func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{18}
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyList proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicySpec) Reset()      { *m = ValidatingAdmissionPolicySpec{} }
-func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{19}
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.DiscardUnknown(m)
-}
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicySpec proto.InternalMessageInfo
+func (m *TypeChecking) Reset() { *m = TypeChecking{} }
 
-func (m *ValidatingAdmissionPolicyStatus) Reset()      { *m = ValidatingAdmissionPolicyStatus{} }
-func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{20}
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicy) Reset() { *m = ValidatingAdmissionPolicy{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyStatus proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicyBinding) Reset() { *m = ValidatingAdmissionPolicyBinding{} }
 
-func (m *ValidatingWebhook) Reset()      { *m = ValidatingWebhook{} }
-func (*ValidatingWebhook) ProtoMessage() {}
-func (*ValidatingWebhook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{21}
-}
-func (m *ValidatingWebhook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhook.Merge(m, src)
-}
-func (m *ValidatingWebhook) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhook) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhook.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyBindingList) Reset() { *m = ValidatingAdmissionPolicyBindingList{} }
 
-var xxx_messageInfo_ValidatingWebhook proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicyBindingSpec) Reset() { *m = ValidatingAdmissionPolicyBindingSpec{} }
 
-func (m *ValidatingWebhookConfiguration) Reset()      { *m = ValidatingWebhookConfiguration{} }
-func (*ValidatingWebhookConfiguration) ProtoMessage() {}
-func (*ValidatingWebhookConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{22}
-}
-func (m *ValidatingWebhookConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhookConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhookConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhookConfiguration.Merge(m, src)
-}
-func (m *ValidatingWebhookConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhookConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhookConfiguration.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyList) Reset() { *m = ValidatingAdmissionPolicyList{} }
 
-var xxx_messageInfo_ValidatingWebhookConfiguration proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicySpec) Reset() { *m = ValidatingAdmissionPolicySpec{} }
 
-func (m *ValidatingWebhookConfigurationList) Reset()      { *m = ValidatingWebhookConfigurationList{} }
-func (*ValidatingWebhookConfigurationList) ProtoMessage() {}
-func (*ValidatingWebhookConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{23}
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhookConfigurationList.Merge(m, src)
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhookConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhookConfigurationList.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyStatus) Reset() { *m = ValidatingAdmissionPolicyStatus{} }
 
-var xxx_messageInfo_ValidatingWebhookConfigurationList proto.InternalMessageInfo
+func (m *ValidatingWebhook) Reset() { *m = ValidatingWebhook{} }
 
-func (m *Validation) Reset()      { *m = Validation{} }
-func (*Validation) ProtoMessage() {}
-func (*Validation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{24}
-}
-func (m *Validation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Validation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Validation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Validation.Merge(m, src)
-}
-func (m *Validation) XXX_Size() int {
-	return m.Size()
-}
-func (m *Validation) XXX_DiscardUnknown() {
-	xxx_messageInfo_Validation.DiscardUnknown(m)
-}
+func (m *ValidatingWebhookConfiguration) Reset() { *m = ValidatingWebhookConfiguration{} }
 
-var xxx_messageInfo_Validation proto.InternalMessageInfo
+func (m *ValidatingWebhookConfigurationList) Reset() { *m = ValidatingWebhookConfigurationList{} }
 
-func (m *Variable) Reset()      { *m = Variable{} }
-func (*Variable) ProtoMessage() {}
-func (*Variable) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{25}
-}
-func (m *Variable) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Variable) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Variable) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Variable.Merge(m, src)
-}
-func (m *Variable) XXX_Size() int {
-	return m.Size()
-}
-func (m *Variable) XXX_DiscardUnknown() {
-	xxx_messageInfo_Variable.DiscardUnknown(m)
-}
+func (m *Validation) Reset() { *m = Validation{} }
 
-var xxx_messageInfo_Variable proto.InternalMessageInfo
+func (m *Variable) Reset() { *m = Variable{} }
 
-func (m *WebhookClientConfig) Reset()      { *m = WebhookClientConfig{} }
-func (*WebhookClientConfig) ProtoMessage() {}
-func (*WebhookClientConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3205c7dc5bf0c9bf, []int{26}
-}
-func (m *WebhookClientConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebhookClientConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebhookClientConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebhookClientConfig.Merge(m, src)
-}
-func (m *WebhookClientConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebhookClientConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebhookClientConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WebhookClientConfig proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AuditAnnotation)(nil), "k8s.io.api.admissionregistration.v1.AuditAnnotation")
-	proto.RegisterType((*ExpressionWarning)(nil), "k8s.io.api.admissionregistration.v1.ExpressionWarning")
-	proto.RegisterType((*MatchCondition)(nil), "k8s.io.api.admissionregistration.v1.MatchCondition")
-	proto.RegisterType((*MatchResources)(nil), "k8s.io.api.admissionregistration.v1.MatchResources")
-	proto.RegisterType((*MutatingWebhook)(nil), "k8s.io.api.admissionregistration.v1.MutatingWebhook")
-	proto.RegisterType((*MutatingWebhookConfiguration)(nil), "k8s.io.api.admissionregistration.v1.MutatingWebhookConfiguration")
-	proto.RegisterType((*MutatingWebhookConfigurationList)(nil), "k8s.io.api.admissionregistration.v1.MutatingWebhookConfigurationList")
-	proto.RegisterType((*NamedRuleWithOperations)(nil), "k8s.io.api.admissionregistration.v1.NamedRuleWithOperations")
-	proto.RegisterType((*ParamKind)(nil), "k8s.io.api.admissionregistration.v1.ParamKind")
-	proto.RegisterType((*ParamRef)(nil), "k8s.io.api.admissionregistration.v1.ParamRef")
-	proto.RegisterType((*Rule)(nil), "k8s.io.api.admissionregistration.v1.Rule")
-	proto.RegisterType((*RuleWithOperations)(nil), "k8s.io.api.admissionregistration.v1.RuleWithOperations")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.api.admissionregistration.v1.ServiceReference")
-	proto.RegisterType((*TypeChecking)(nil), "k8s.io.api.admissionregistration.v1.TypeChecking")
-	proto.RegisterType((*ValidatingAdmissionPolicy)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicy")
-	proto.RegisterType((*ValidatingAdmissionPolicyBinding)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingList)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingSpec)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyList)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicyList")
-	proto.RegisterType((*ValidatingAdmissionPolicySpec)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicySpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyStatus)(nil), "k8s.io.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus")
-	proto.RegisterType((*ValidatingWebhook)(nil), "k8s.io.api.admissionregistration.v1.ValidatingWebhook")
-	proto.RegisterType((*ValidatingWebhookConfiguration)(nil), "k8s.io.api.admissionregistration.v1.ValidatingWebhookConfiguration")
-	proto.RegisterType((*ValidatingWebhookConfigurationList)(nil), "k8s.io.api.admissionregistration.v1.ValidatingWebhookConfigurationList")
-	proto.RegisterType((*Validation)(nil), "k8s.io.api.admissionregistration.v1.Validation")
-	proto.RegisterType((*Variable)(nil), "k8s.io.api.admissionregistration.v1.Variable")
-	proto.RegisterType((*WebhookClientConfig)(nil), "k8s.io.api.admissionregistration.v1.WebhookClientConfig")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/admissionregistration/v1/generated.proto", fileDescriptor_3205c7dc5bf0c9bf)
-}
-
-var fileDescriptor_3205c7dc5bf0c9bf = []byte{
-	// 2075 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0xcd, 0x6f, 0x1b, 0xc7,
-	0x15, 0xf7, 0x8a, 0x94, 0x44, 0x3e, 0xea, 0x8b, 0x13, 0x27, 0xa2, 0x1d, 0x87, 0x2b, 0x6c, 0x82,
-	0xc2, 0x46, 0x63, 0x32, 0xb2, 0x53, 0x27, 0x08, 0x8a, 0x06, 0xa2, 0xfc, 0x01, 0xc5, 0x96, 0x2d,
-	0x8c, 0x12, 0xa9, 0x68, 0xdd, 0x22, 0xab, 0xdd, 0x21, 0xb9, 0x11, 0xb9, 0xbb, 0xd8, 0xd9, 0x65,
-	0xac, 0x9e, 0x8a, 0xf6, 0x5e, 0x14, 0xe8, 0x5f, 0xd0, 0xfe, 0x09, 0xbd, 0xb4, 0x40, 0x4f, 0xbd,
-	0xf9, 0x52, 0x20, 0x3d, 0xd5, 0x87, 0x62, 0x51, 0xb3, 0x97, 0x1e, 0x7a, 0x68, 0xaf, 0x02, 0x8a,
-	0x16, 0x33, 0x3b, 0xfb, 0xc9, 0xa5, 0xb5, 0x96, 0x6d, 0xf5, 0xe2, 0x9b, 0xf6, 0x7d, 0xfc, 0xde,
-	0xbc, 0x37, 0x6f, 0xe6, 0xbd, 0x79, 0x14, 0x5c, 0x3f, 0xfc, 0x98, 0xb6, 0x0c, 0xab, 0xad, 0xda,
-	0x46, 0x5b, 0xd5, 0x87, 0x06, 0xa5, 0x86, 0x65, 0x3a, 0xa4, 0x67, 0x50, 0xd7, 0x51, 0x5d, 0xc3,
-	0x32, 0xdb, 0xa3, 0xf5, 0x76, 0x8f, 0x98, 0xc4, 0x51, 0x5d, 0xa2, 0xb7, 0x6c, 0xc7, 0x72, 0x2d,
-	0xf4, 0x6e, 0xa0, 0xd4, 0x52, 0x6d, 0xa3, 0x95, 0xab, 0xd4, 0x1a, 0xad, 0x5f, 0xbc, 0xda, 0x33,
-	0xdc, 0xbe, 0x77, 0xd0, 0xd2, 0xac, 0x61, 0xbb, 0x67, 0xf5, 0xac, 0x36, 0xd7, 0x3d, 0xf0, 0xba,
-	0xfc, 0x8b, 0x7f, 0xf0, 0xbf, 0x02, 0xcc, 0x8b, 0x1f, 0xc6, 0x0b, 0x19, 0xaa, 0x5a, 0xdf, 0x30,
-	0x89, 0x73, 0xd4, 0xb6, 0x0f, 0x7b, 0x8c, 0x40, 0xdb, 0x43, 0xe2, 0xaa, 0x39, 0x2b, 0xb9, 0xd8,
-	0x9e, 0xa6, 0xe5, 0x78, 0xa6, 0x6b, 0x0c, 0xc9, 0x84, 0xc2, 0x8d, 0x93, 0x14, 0xa8, 0xd6, 0x27,
-	0x43, 0x35, 0xab, 0xa7, 0x50, 0x58, 0xde, 0xf0, 0x74, 0xc3, 0xdd, 0x30, 0x4d, 0xcb, 0xe5, 0x3e,
-	0xa2, 0x77, 0xa0, 0x74, 0x48, 0x8e, 0x1a, 0xd2, 0x9a, 0x74, 0xb9, 0xda, 0xa9, 0x3d, 0xf6, 0xe5,
-	0x73, 0x63, 0x5f, 0x2e, 0xdd, 0x25, 0x47, 0x98, 0xd1, 0xd1, 0x06, 0x2c, 0x8f, 0xd4, 0x81, 0x47,
-	0x6e, 0x3d, 0xb2, 0x1d, 0xc2, 0x23, 0xd4, 0x98, 0xe1, 0xa2, 0xab, 0x42, 0x74, 0x79, 0x2f, 0xcd,
-	0xc6, 0x59, 0x79, 0x65, 0x00, 0xf5, 0xf8, 0x6b, 0x5f, 0x75, 0x4c, 0xc3, 0xec, 0xa1, 0xf7, 0xa1,
-	0xd2, 0x35, 0xc8, 0x40, 0xc7, 0xa4, 0x2b, 0x00, 0x57, 0x04, 0x60, 0xe5, 0xb6, 0xa0, 0xe3, 0x48,
-	0x02, 0x5d, 0x81, 0xf9, 0xaf, 0x03, 0xc5, 0x46, 0x89, 0x0b, 0x2f, 0x0b, 0xe1, 0x79, 0x81, 0x87,
-	0x43, 0xbe, 0xd2, 0x85, 0xa5, 0x6d, 0xd5, 0xd5, 0xfa, 0x9b, 0x96, 0xa9, 0x1b, 0xdc, 0xc3, 0x35,
-	0x28, 0x9b, 0xea, 0x90, 0x08, 0x17, 0x17, 0x84, 0x66, 0xf9, 0xbe, 0x3a, 0x24, 0x98, 0x73, 0xd0,
-	0x35, 0x00, 0x92, 0xf5, 0x0f, 0x09, 0x39, 0x48, 0xb8, 0x96, 0x90, 0x52, 0xfe, 0x54, 0x16, 0x86,
-	0x30, 0xa1, 0x96, 0xe7, 0x68, 0x84, 0xa2, 0x47, 0x50, 0x67, 0x70, 0xd4, 0x56, 0x35, 0xb2, 0x4b,
-	0x06, 0x44, 0x73, 0x2d, 0x87, 0x5b, 0xad, 0x5d, 0xbb, 0xde, 0x8a, 0x93, 0x2d, 0xda, 0xb1, 0x96,
-	0x7d, 0xd8, 0x63, 0x04, 0xda, 0x62, 0x89, 0xd1, 0x1a, 0xad, 0xb7, 0xee, 0xa9, 0x07, 0x64, 0x10,
-	0xaa, 0x76, 0xde, 0x1c, 0xfb, 0x72, 0xfd, 0x7e, 0x16, 0x11, 0x4f, 0x1a, 0x41, 0x16, 0x2c, 0x59,
-	0x07, 0x5f, 0x11, 0xcd, 0x8d, 0xcc, 0xce, 0x9c, 0xde, 0x2c, 0x1a, 0xfb, 0xf2, 0xd2, 0x83, 0x14,
-	0x1c, 0xce, 0xc0, 0xa3, 0x23, 0x58, 0x74, 0x84, 0xdf, 0xd8, 0x1b, 0x10, 0xda, 0x28, 0xad, 0x95,
-	0x2e, 0xd7, 0xae, 0x7d, 0xb7, 0x55, 0xe0, 0x4c, 0xb5, 0x98, 0x4b, 0x3a, 0x53, 0xdb, 0x37, 0xdc,
-	0xfe, 0x03, 0x9b, 0x04, 0x1c, 0xda, 0x79, 0x53, 0x84, 0x7c, 0x11, 0x27, 0xa1, 0x71, 0xda, 0x12,
-	0xfa, 0x85, 0x04, 0xe7, 0xc9, 0x23, 0x6d, 0xe0, 0xe9, 0x24, 0x25, 0xd7, 0x28, 0xbf, 0x84, 0x25,
-	0x5c, 0x12, 0x4b, 0x38, 0x7f, 0x2b, 0xc7, 0x02, 0xce, 0xb5, 0x8b, 0x6e, 0x42, 0x6d, 0xc8, 0x12,
-	0x61, 0xc7, 0x1a, 0x18, 0xda, 0x51, 0x63, 0x9e, 0xa7, 0x8f, 0x32, 0xf6, 0xe5, 0xda, 0x76, 0x4c,
-	0x3e, 0xf6, 0xe5, 0xe5, 0xc4, 0xe7, 0xe7, 0x47, 0x36, 0xc1, 0x49, 0x35, 0xe5, 0x77, 0x15, 0x58,
-	0xde, 0xf6, 0xd8, 0xa1, 0x34, 0x7b, 0xfb, 0xe4, 0xa0, 0x6f, 0x59, 0x87, 0x05, 0x32, 0xd7, 0x81,
-	0x05, 0x6d, 0x60, 0x10, 0xd3, 0xdd, 0xb4, 0xcc, 0xae, 0xd1, 0x13, 0xdb, 0xfe, 0x71, 0xa1, 0x18,
-	0x08, 0x2b, 0x9b, 0x09, 0xfd, 0xce, 0x79, 0x61, 0x63, 0x21, 0x49, 0xc5, 0x29, 0x1b, 0xe8, 0x21,
-	0xcc, 0x3a, 0x89, 0x3d, 0xff, 0xa8, 0x90, 0xb1, 0x9c, 0x58, 0x2f, 0x0a, 0x5b, 0xb3, 0x41, 0x70,
-	0x03, 0x50, 0x74, 0x0f, 0x16, 0xbb, 0xaa, 0x31, 0xf0, 0x1c, 0x22, 0xe2, 0x59, 0xe6, 0xce, 0x7f,
-	0x8b, 0xe5, 0xc5, 0xed, 0x24, 0xe3, 0xd8, 0x97, 0xeb, 0x29, 0x02, 0x8f, 0x69, 0x5a, 0x39, 0xbb,
-	0x37, 0xd5, 0x53, 0xed, 0x4d, 0xfe, 0xc1, 0x9e, 0xfd, 0xff, 0x1c, 0xec, 0xda, 0xab, 0x3d, 0xd8,
-	0x37, 0xa1, 0x46, 0x0d, 0x9d, 0xdc, 0xea, 0x76, 0x89, 0xe6, 0xd2, 0xc6, 0x5c, 0x1c, 0xb0, 0xdd,
-	0x98, 0xcc, 0x02, 0x16, 0x7f, 0x6e, 0x0e, 0x54, 0x4a, 0x71, 0x52, 0x0d, 0x7d, 0x02, 0x4b, 0xac,
-	0x0c, 0x59, 0x9e, 0xbb, 0x4b, 0x34, 0xcb, 0xd4, 0x29, 0x3f, 0x15, 0xb3, 0xc1, 0x0a, 0x3e, 0x4f,
-	0x71, 0x70, 0x46, 0x12, 0x7d, 0x01, 0xab, 0x51, 0x16, 0x61, 0x32, 0x32, 0xc8, 0xd7, 0x7b, 0xc4,
-	0x61, 0x1f, 0xb4, 0x51, 0x59, 0x2b, 0x5d, 0xae, 0x76, 0xde, 0x1e, 0xfb, 0xf2, 0xea, 0x46, 0xbe,
-	0x08, 0x9e, 0xa6, 0x8b, 0xbe, 0x04, 0xe4, 0x10, 0xc3, 0x1c, 0x59, 0x1a, 0x4f, 0x3f, 0x91, 0x10,
-	0xc0, 0xfd, 0xfb, 0x60, 0xec, 0xcb, 0x08, 0x4f, 0x70, 0x8f, 0x7d, 0xf9, 0xad, 0x49, 0x2a, 0x4f,
-	0x8f, 0x1c, 0x2c, 0x34, 0x82, 0xe5, 0x61, 0xaa, 0xf2, 0xd0, 0xc6, 0x02, 0x3f, 0x21, 0xd7, 0x0b,
-	0x9d, 0x90, 0x74, 0xd5, 0x8a, 0xeb, 0x6b, 0x9a, 0x4e, 0x71, 0xd6, 0x88, 0xf2, 0x44, 0x82, 0x4b,
-	0x99, 0x9b, 0x23, 0x38, 0xa9, 0x5e, 0x00, 0x8e, 0xbe, 0x84, 0x0a, 0x4b, 0x08, 0x5d, 0x75, 0x55,
-	0x51, 0x8e, 0x3e, 0x28, 0x96, 0x3e, 0x41, 0xae, 0x6c, 0x13, 0x57, 0x8d, 0xcb, 0x61, 0x4c, 0xc3,
-	0x11, 0x2a, 0xda, 0x83, 0x8a, 0xb0, 0x4c, 0x1b, 0x33, 0xdc, 0xe7, 0x0f, 0x8b, 0xf9, 0x9c, 0x5e,
-	0x76, 0xa7, 0xcc, 0xac, 0xe0, 0x08, 0x4b, 0xf9, 0x87, 0x04, 0x6b, 0xcf, 0x72, 0xed, 0x9e, 0x41,
-	0x5d, 0xf4, 0x70, 0xc2, 0xbd, 0x56, 0xc1, 0xd3, 0x61, 0xd0, 0xc0, 0xb9, 0xa8, 0xf5, 0x08, 0x29,
-	0x09, 0xd7, 0xba, 0x30, 0x6b, 0xb8, 0x64, 0x18, 0xfa, 0xb5, 0x71, 0x1a, 0xbf, 0x52, 0x6b, 0x8e,
-	0xef, 0xbd, 0x2d, 0x86, 0x8b, 0x03, 0x78, 0xb6, 0x8b, 0xab, 0x53, 0xaa, 0x12, 0xfa, 0x28, 0xae,
-	0xb6, 0xfc, 0xd6, 0x68, 0x48, 0xfc, 0x20, 0xd4, 0x93, 0xb5, 0x92, 0x33, 0x70, 0x5a, 0x0e, 0xfd,
-	0x5c, 0x02, 0xe4, 0x4c, 0xe0, 0x89, 0x2a, 0x71, 0xea, 0x8b, 0xfb, 0xa2, 0x70, 0x00, 0x4d, 0xf2,
-	0x70, 0x8e, 0x39, 0x45, 0x85, 0xea, 0x8e, 0xea, 0xa8, 0xc3, 0xbb, 0x86, 0xa9, 0xb3, 0x5e, 0x4b,
-	0xb5, 0x0d, 0x71, 0x2c, 0x45, 0x65, 0x8b, 0x92, 0x6b, 0x63, 0x67, 0x4b, 0x70, 0x70, 0x42, 0x8a,
-	0xd5, 0xc1, 0x43, 0xc3, 0xd4, 0x45, 0x67, 0x16, 0xd5, 0x41, 0x86, 0x87, 0x39, 0x47, 0xf9, 0xed,
-	0x0c, 0x54, 0xb8, 0x0d, 0xd6, 0x2d, 0x9e, 0x5c, 0x36, 0xdb, 0x50, 0x8d, 0xee, 0x5a, 0x81, 0x5a,
-	0x17, 0x62, 0xd5, 0xe8, 0x5e, 0xc6, 0xb1, 0x0c, 0xfa, 0x11, 0x54, 0x68, 0x78, 0x03, 0x97, 0x4e,
-	0x7f, 0x03, 0x2f, 0xb0, 0x24, 0x8b, 0xee, 0xde, 0x08, 0x12, 0xb9, 0xb0, 0x6a, 0xb3, 0xd5, 0x13,
-	0x97, 0x38, 0xf7, 0x2d, 0xf7, 0xb6, 0xe5, 0x99, 0xfa, 0x86, 0xc6, 0xa2, 0x27, 0xca, 0xdf, 0x27,
-	0xec, 0xce, 0xdb, 0xc9, 0x17, 0x39, 0xf6, 0xe5, 0xb7, 0xa7, 0xb0, 0xf8, 0x5d, 0x35, 0x0d, 0x5a,
-	0xf9, 0xa3, 0x04, 0x65, 0xb6, 0x85, 0xe8, 0xdb, 0x50, 0x55, 0x6d, 0xe3, 0x8e, 0x63, 0x79, 0x76,
-	0x98, 0x5b, 0x8b, 0x2c, 0x14, 0x1b, 0x3b, 0x5b, 0x01, 0x11, 0xc7, 0x7c, 0xb4, 0x0e, 0xb5, 0x78,
-	0x6b, 0x82, 0x63, 0x51, 0xed, 0x2c, 0xb3, 0x0a, 0x11, 0xef, 0x1e, 0xc5, 0x49, 0x19, 0x86, 0x1f,
-	0xe6, 0x65, 0xd0, 0x35, 0x08, 0xfc, 0xa8, 0x75, 0xc6, 0x31, 0x1f, 0xbd, 0x0f, 0xb3, 0x54, 0xb3,
-	0x6c, 0x22, 0x3c, 0x7f, 0x8b, 0x9d, 0x94, 0x5d, 0x46, 0x38, 0xf6, 0xe5, 0x2a, 0xff, 0x83, 0x7b,
-	0x15, 0x08, 0x29, 0xbf, 0x91, 0x20, 0x27, 0x0d, 0xd1, 0xa7, 0x00, 0x56, 0x9c, 0xef, 0x81, 0x4b,
-	0x32, 0xbf, 0xbe, 0x22, 0xea, 0xb1, 0x2f, 0x2f, 0x46, 0x5f, 0x1c, 0x32, 0xa1, 0x82, 0xee, 0x42,
-	0x99, 0x65, 0xb2, 0x38, 0x2a, 0x57, 0x0a, 0x1f, 0x95, 0x38, 0xdd, 0xd8, 0x17, 0xe6, 0x20, 0xca,
-	0xaf, 0x25, 0x58, 0xd9, 0x25, 0xce, 0xc8, 0xd0, 0x08, 0x26, 0x5d, 0xe2, 0x10, 0x53, 0xcb, 0xe4,
-	0xa0, 0x54, 0x20, 0x07, 0xc3, 0xb4, 0x9e, 0x99, 0x9a, 0xd6, 0x97, 0xa0, 0x6c, 0xab, 0x6e, 0x5f,
-	0xbc, 0x91, 0x2a, 0x8c, 0xbb, 0xa3, 0xba, 0x7d, 0xcc, 0xa9, 0x9c, 0x6b, 0x39, 0x2e, 0x8f, 0xeb,
-	0xac, 0xe0, 0x5a, 0x8e, 0x8b, 0x39, 0x55, 0xf9, 0x95, 0x04, 0x0b, 0x2c, 0x0a, 0x9b, 0x7d, 0xa2,
-	0x1d, 0xb2, 0x17, 0xda, 0xcf, 0x24, 0x40, 0x24, 0xfb, 0x6e, 0x0b, 0x62, 0x59, 0xbb, 0x76, 0xa3,
-	0x50, 0x40, 0x26, 0x9e, 0x7d, 0xf1, 0xd5, 0x31, 0xc1, 0xa2, 0x38, 0xc7, 0x9a, 0xf2, 0xe7, 0x19,
-	0xb8, 0xb0, 0xa7, 0x0e, 0x0c, 0x9d, 0x5f, 0xa7, 0x51, 0xd1, 0x17, 0x15, 0xf7, 0xd5, 0x17, 0x36,
-	0x1d, 0xca, 0xd4, 0x26, 0x9a, 0x48, 0x83, 0x4e, 0x21, 0xaf, 0xa7, 0xae, 0x77, 0xd7, 0x26, 0x5a,
-	0xbc, 0x6f, 0xec, 0x0b, 0x73, 0x74, 0x34, 0x80, 0x39, 0xea, 0xaa, 0xae, 0x47, 0xc5, 0xdd, 0x72,
-	0xf3, 0x05, 0xed, 0x70, 0xac, 0xce, 0x92, 0xb0, 0x34, 0x17, 0x7c, 0x63, 0x61, 0x43, 0xf9, 0xb7,
-	0x04, 0x6b, 0x53, 0x75, 0x3b, 0x86, 0xa9, 0xb3, 0xdd, 0x7f, 0xf5, 0xa1, 0x3d, 0x4c, 0x85, 0x76,
-	0xeb, 0xc5, 0x5c, 0x16, 0xcb, 0x9e, 0x16, 0x61, 0xe5, 0x5f, 0x12, 0xbc, 0x77, 0x92, 0xf2, 0x19,
-	0x34, 0x13, 0x5f, 0xa5, 0x9b, 0x89, 0x5b, 0x2f, 0xc5, 0xe9, 0x29, 0x0d, 0xc5, 0x7f, 0x66, 0x4e,
-	0x76, 0x99, 0x45, 0x88, 0x55, 0x64, 0x9b, 0x13, 0xef, 0xc7, 0x45, 0x33, 0xda, 0xba, 0x9d, 0x88,
-	0x83, 0x13, 0x52, 0x68, 0x1f, 0x2a, 0xb6, 0x28, 0xb7, 0x62, 0x03, 0xaf, 0x16, 0xf2, 0x25, 0xac,
-	0xd1, 0x41, 0x25, 0x0c, 0xbf, 0x70, 0x04, 0xc6, 0x1e, 0x3c, 0xc3, 0xd4, 0x54, 0x25, 0xa7, 0xdc,
-	0x9e, 0xd0, 0x43, 0x47, 0xaa, 0xc1, 0x73, 0x23, 0x4d, 0xc3, 0x19, 0x78, 0xb4, 0x0f, 0xf5, 0x91,
-	0x88, 0x92, 0x65, 0x06, 0x85, 0x31, 0x18, 0x25, 0x54, 0x3b, 0x57, 0xd8, 0x33, 0x6d, 0x2f, 0xcb,
-	0x3c, 0xf6, 0xe5, 0x95, 0x2c, 0x11, 0x4f, 0x62, 0x28, 0x63, 0x09, 0xde, 0x99, 0x1a, 0xff, 0x33,
-	0xc8, 0x35, 0x2d, 0x9d, 0x6b, 0xdf, 0x7b, 0xc1, 0x5c, 0x9b, 0x92, 0x64, 0xb3, 0xcf, 0x70, 0x92,
-	0x67, 0xd7, 0x0f, 0xa1, 0x6a, 0x87, 0xcd, 0x5f, 0x8e, 0x97, 0x27, 0xa4, 0x0a, 0xd3, 0x0a, 0x7a,
-	0x85, 0xe8, 0x13, 0xc7, 0x78, 0xc8, 0x83, 0x95, 0xf0, 0x35, 0xc4, 0x54, 0x0d, 0xd3, 0xa5, 0x39,
-	0x93, 0xaf, 0xc2, 0xf9, 0x72, 0x7e, 0xec, 0xcb, 0x2b, 0xdb, 0x19, 0x40, 0x3c, 0x61, 0x02, 0x75,
-	0xa1, 0x16, 0xef, 0x77, 0x38, 0x07, 0x69, 0x3f, 0x57, 0x80, 0x2d, 0xb3, 0xf3, 0x86, 0x88, 0x68,
-	0x2d, 0xa6, 0x51, 0x9c, 0x04, 0x7e, 0xc9, 0xb3, 0x90, 0x9f, 0xc0, 0x8a, 0x9a, 0x1e, 0xfe, 0xd2,
-	0xc6, 0xec, 0x73, 0x3c, 0xd6, 0x32, 0x93, 0xe3, 0x4e, 0x43, 0xac, 0x7f, 0x25, 0xc3, 0xa0, 0x78,
-	0xc2, 0x4e, 0xde, 0xdb, 0x78, 0xee, 0x0c, 0xde, 0xc6, 0xe8, 0xc7, 0x50, 0x1d, 0xa9, 0x8e, 0xa1,
-	0x1e, 0x0c, 0x08, 0x6d, 0xcc, 0x73, 0x8b, 0x57, 0x0b, 0xee, 0x53, 0xa0, 0x15, 0xf7, 0x64, 0x21,
-	0x85, 0xe2, 0x18, 0x52, 0xf9, 0xc3, 0x0c, 0xc8, 0x27, 0xd4, 0x61, 0xf4, 0x19, 0x20, 0xeb, 0x80,
-	0x12, 0x67, 0x44, 0xf4, 0x3b, 0xc1, 0x3c, 0x3e, 0x7c, 0xf9, 0x94, 0xe2, 0x7e, 0xe8, 0xc1, 0x84,
-	0x04, 0xce, 0xd1, 0x42, 0x3d, 0x58, 0x70, 0x13, 0x4d, 0x9a, 0x48, 0xf6, 0xf5, 0x42, 0x2e, 0x25,
-	0xbb, 0xbb, 0xce, 0xca, 0xd8, 0x97, 0x53, 0xfd, 0x1e, 0x4e, 0x01, 0x23, 0x0d, 0x40, 0x8b, 0xf7,
-	0x6a, 0x32, 0xc3, 0x9f, 0x71, 0x3b, 0xc5, 0xfb, 0x14, 0x55, 0x91, 0xc4, 0x16, 0x25, 0x60, 0x95,
-	0xbf, 0xcc, 0x43, 0x3d, 0x8e, 0xde, 0xeb, 0xa9, 0xe7, 0xeb, 0xa9, 0xe7, 0xb4, 0xa9, 0x27, 0xbc,
-	0x9e, 0x7a, 0x9e, 0x6a, 0xea, 0x99, 0x73, 0xef, 0xd6, 0xce, 0x62, 0x26, 0xf9, 0x57, 0x09, 0x9a,
-	0x13, 0x27, 0xfb, 0xac, 0xa7, 0x92, 0xdf, 0x9f, 0x98, 0x4a, 0xde, 0x78, 0xce, 0x26, 0x68, 0xda,
-	0x5c, 0xf2, 0x9f, 0x12, 0x28, 0xcf, 0x76, 0xef, 0x0c, 0x1a, 0xbc, 0x7e, 0xba, 0xc1, 0xdb, 0x3c,
-	0x9d, 0x6f, 0x45, 0x66, 0x93, 0xff, 0x95, 0x00, 0xe2, 0x26, 0x05, 0xbd, 0x07, 0x89, 0x1f, 0x45,
-	0xc5, 0x35, 0x1d, 0x44, 0x28, 0x41, 0x47, 0x57, 0x60, 0x7e, 0x48, 0x28, 0x55, 0x7b, 0xe1, 0xc4,
-	0x22, 0xfa, 0xcd, 0x76, 0x3b, 0x20, 0xe3, 0x90, 0x8f, 0xf6, 0x61, 0xce, 0x21, 0x2a, 0xb5, 0x4c,
-	0x31, 0xb9, 0xf8, 0x94, 0xbd, 0x5a, 0x31, 0xa7, 0x1c, 0xfb, 0xf2, 0x7a, 0x91, 0xdf, 0xd4, 0x5b,
-	0xe2, 0x91, 0xcb, 0x95, 0xb0, 0x80, 0x43, 0x77, 0xa0, 0x2e, 0x6c, 0x24, 0x16, 0x1c, 0x5c, 0xad,
-	0x17, 0xc4, 0x6a, 0xea, 0xdb, 0x59, 0x01, 0x3c, 0xa9, 0xa3, 0x7c, 0x06, 0x95, 0xb0, 0xfe, 0xa3,
-	0x06, 0x94, 0x13, 0x2f, 0xa5, 0xc0, 0x71, 0x4e, 0xc9, 0x04, 0x66, 0x26, 0x3f, 0x30, 0xca, 0xef,
-	0x25, 0x78, 0x23, 0xa7, 0x0a, 0xa1, 0x0b, 0x50, 0xf2, 0x9c, 0x81, 0x08, 0xc1, 0xfc, 0xd8, 0x97,
-	0x4b, 0x5f, 0xe0, 0x7b, 0x98, 0xd1, 0xd0, 0x43, 0x98, 0xa7, 0xc1, 0xfc, 0x48, 0xe4, 0xd1, 0x77,
-	0x0a, 0x6d, 0x76, 0x76, 0xe6, 0xd4, 0xa9, 0xb1, 0xf0, 0x87, 0xd4, 0x10, 0x12, 0x5d, 0x86, 0x8a,
-	0xa6, 0x76, 0x3c, 0x53, 0x17, 0xf3, 0xae, 0x85, 0xe0, 0x75, 0xb6, 0xb9, 0x11, 0xd0, 0x70, 0xc4,
-	0xed, 0x6c, 0x3d, 0x7e, 0xda, 0x3c, 0xf7, 0xcd, 0xd3, 0xe6, 0xb9, 0x27, 0x4f, 0x9b, 0xe7, 0x7e,
-	0x3a, 0x6e, 0x4a, 0x8f, 0xc7, 0x4d, 0xe9, 0x9b, 0x71, 0x53, 0x7a, 0x32, 0x6e, 0x4a, 0x7f, 0x1b,
-	0x37, 0xa5, 0x5f, 0xfe, 0xbd, 0x79, 0xee, 0x07, 0xef, 0x16, 0xf8, 0x6f, 0x8c, 0xff, 0x05, 0x00,
-	0x00, 0xff, 0xff, 0x1e, 0x59, 0xab, 0xd9, 0xb3, 0x21, 0x00, 0x00,
-}
+func (m *WebhookClientConfig) Reset() { *m = WebhookClientConfig{} }
 
 func (m *AuditAnnotation) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/admissionregistration/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/admissionregistration/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..04a23c597ca44
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1/generated.protomessage.pb.go
@@ -0,0 +1,76 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AuditAnnotation) ProtoMessage() {}
+
+func (*ExpressionWarning) ProtoMessage() {}
+
+func (*MatchCondition) ProtoMessage() {}
+
+func (*MatchResources) ProtoMessage() {}
+
+func (*MutatingWebhook) ProtoMessage() {}
+
+func (*MutatingWebhookConfiguration) ProtoMessage() {}
+
+func (*MutatingWebhookConfigurationList) ProtoMessage() {}
+
+func (*NamedRuleWithOperations) ProtoMessage() {}
+
+func (*ParamKind) ProtoMessage() {}
+
+func (*ParamRef) ProtoMessage() {}
+
+func (*Rule) ProtoMessage() {}
+
+func (*RuleWithOperations) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
+
+func (*TypeChecking) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicy) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
+
+func (*ValidatingWebhook) ProtoMessage() {}
+
+func (*ValidatingWebhookConfiguration) ProtoMessage() {}
+
+func (*ValidatingWebhookConfigurationList) ProtoMessage() {}
+
+func (*Validation) ProtoMessage() {}
+
+func (*Variable) ProtoMessage() {}
+
+func (*WebhookClientConfig) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1/types.go b/staging/src/k8s.io/api/admissionregistration/v1/types.go
index 4efeb26748c6d..311c05c0ffa76 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1/types.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1/types.go
@@ -1098,17 +1098,18 @@ type MutatingWebhook struct {
 	MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,12,opt,name=matchConditions"`
 }
 
-// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// ReinvocationPolicyType specifies what type of policy is used when other admission plugins also perform
+// modifications.
 // +enum
 type ReinvocationPolicyType string
 
 const (
-	// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+	// NeverReinvocationPolicy indicates that the mutation must not be called more than once in a
 	// single admission evaluation.
 	NeverReinvocationPolicy ReinvocationPolicyType = "Never"
-	// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+	// IfNeededReinvocationPolicy indicates that the mutation may be called at least one
 	// additional time as part of the admission evaluation if the object being admitted is
-	// modified by other admission plugins after the initial webhook call.
+	// modified by other admission plugins after the initial mutation call.
 	IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded"
 )
 
diff --git a/staging/src/k8s.io/api/admissionregistration/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/admissionregistration/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..3264285cd072f
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1/zz_generated.model_name.go
@@ -0,0 +1,157 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuditAnnotation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.AuditAnnotation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExpressionWarning) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ExpressionWarning"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchCondition) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.MatchCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchResources) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.MatchResources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhook) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.MutatingWebhook"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhookConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhookConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamedRuleWithOperations) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamKind) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ParamKind"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamRef) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ParamRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Rule) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.Rule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuleWithOperations) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.RuleWithOperations"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ServiceReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypeChecking) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.TypeChecking"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBinding) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingSpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyStatus) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhook) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingWebhook"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhookConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhookConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Validation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.Validation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Variable) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.Variable"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookClientConfig) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1.WebhookClientConfig"
+}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1alpha1/doc.go b/staging/src/k8s.io/api/admissionregistration/v1alpha1/doc.go
index 344af9ae09ff8..8cac29df647f5 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1alpha1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admissionregistration.v1alpha1
+
 // +groupName=admissionregistration.k8s.io
 
 // Package v1alpha1 is the v1alpha1 version of the API.
diff --git a/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
index 993ff6f20eb09..8229043919052 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
@@ -24,904 +24,66 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_admissionregistration_v1 "k8s.io/api/admissionregistration/v1"
 	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ApplyConfiguration) Reset() { *m = ApplyConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AuditAnnotation) Reset() { *m = AuditAnnotation{} }
 
-func (m *ApplyConfiguration) Reset()      { *m = ApplyConfiguration{} }
-func (*ApplyConfiguration) ProtoMessage() {}
-func (*ApplyConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{0}
-}
-func (m *ApplyConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ApplyConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ApplyConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ApplyConfiguration.Merge(m, src)
-}
-func (m *ApplyConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ApplyConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ApplyConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ApplyConfiguration proto.InternalMessageInfo
-
-func (m *AuditAnnotation) Reset()      { *m = AuditAnnotation{} }
-func (*AuditAnnotation) ProtoMessage() {}
-func (*AuditAnnotation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{1}
-}
-func (m *AuditAnnotation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AuditAnnotation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AuditAnnotation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AuditAnnotation.Merge(m, src)
-}
-func (m *AuditAnnotation) XXX_Size() int {
-	return m.Size()
-}
-func (m *AuditAnnotation) XXX_DiscardUnknown() {
-	xxx_messageInfo_AuditAnnotation.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AuditAnnotation proto.InternalMessageInfo
-
-func (m *ExpressionWarning) Reset()      { *m = ExpressionWarning{} }
-func (*ExpressionWarning) ProtoMessage() {}
-func (*ExpressionWarning) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{2}
-}
-func (m *ExpressionWarning) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExpressionWarning) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExpressionWarning) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExpressionWarning.Merge(m, src)
-}
-func (m *ExpressionWarning) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExpressionWarning) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExpressionWarning.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExpressionWarning proto.InternalMessageInfo
-
-func (m *JSONPatch) Reset()      { *m = JSONPatch{} }
-func (*JSONPatch) ProtoMessage() {}
-func (*JSONPatch) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{3}
-}
-func (m *JSONPatch) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONPatch) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONPatch) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONPatch.Merge(m, src)
-}
-func (m *JSONPatch) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONPatch) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONPatch.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JSONPatch proto.InternalMessageInfo
-
-func (m *MatchCondition) Reset()      { *m = MatchCondition{} }
-func (*MatchCondition) ProtoMessage() {}
-func (*MatchCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{4}
-}
-func (m *MatchCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchCondition.Merge(m, src)
-}
-func (m *MatchCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchCondition proto.InternalMessageInfo
-
-func (m *MatchResources) Reset()      { *m = MatchResources{} }
-func (*MatchResources) ProtoMessage() {}
-func (*MatchResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{5}
-}
-func (m *MatchResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchResources.Merge(m, src)
-}
-func (m *MatchResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchResources.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchResources proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicy) Reset()      { *m = MutatingAdmissionPolicy{} }
-func (*MutatingAdmissionPolicy) ProtoMessage() {}
-func (*MutatingAdmissionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{6}
-}
-func (m *MutatingAdmissionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicy.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicy proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBinding) Reset()      { *m = MutatingAdmissionPolicyBinding{} }
-func (*MutatingAdmissionPolicyBinding) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{7}
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBinding.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBinding proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBindingList) Reset()      { *m = MutatingAdmissionPolicyBindingList{} }
-func (*MutatingAdmissionPolicyBindingList) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{8}
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingList.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBindingList proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBindingSpec) Reset()      { *m = MutatingAdmissionPolicyBindingSpec{} }
-func (*MutatingAdmissionPolicyBindingSpec) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBindingSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{9}
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingSpec.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBindingSpec proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyList) Reset()      { *m = MutatingAdmissionPolicyList{} }
-func (*MutatingAdmissionPolicyList) ProtoMessage() {}
-func (*MutatingAdmissionPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{10}
-}
-func (m *MutatingAdmissionPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyList.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyList proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicySpec) Reset()      { *m = MutatingAdmissionPolicySpec{} }
-func (*MutatingAdmissionPolicySpec) ProtoMessage() {}
-func (*MutatingAdmissionPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{11}
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicySpec.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicySpec.DiscardUnknown(m)
-}
+func (m *ExpressionWarning) Reset() { *m = ExpressionWarning{} }
 
-var xxx_messageInfo_MutatingAdmissionPolicySpec proto.InternalMessageInfo
+func (m *JSONPatch) Reset() { *m = JSONPatch{} }
 
-func (m *Mutation) Reset()      { *m = Mutation{} }
-func (*Mutation) ProtoMessage() {}
-func (*Mutation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{12}
-}
-func (m *Mutation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Mutation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Mutation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Mutation.Merge(m, src)
-}
-func (m *Mutation) XXX_Size() int {
-	return m.Size()
-}
-func (m *Mutation) XXX_DiscardUnknown() {
-	xxx_messageInfo_Mutation.DiscardUnknown(m)
-}
+func (m *MatchCondition) Reset() { *m = MatchCondition{} }
 
-var xxx_messageInfo_Mutation proto.InternalMessageInfo
+func (m *MatchResources) Reset() { *m = MatchResources{} }
 
-func (m *NamedRuleWithOperations) Reset()      { *m = NamedRuleWithOperations{} }
-func (*NamedRuleWithOperations) ProtoMessage() {}
-func (*NamedRuleWithOperations) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{13}
-}
-func (m *NamedRuleWithOperations) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedRuleWithOperations) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedRuleWithOperations) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedRuleWithOperations.Merge(m, src)
-}
-func (m *NamedRuleWithOperations) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedRuleWithOperations) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedRuleWithOperations.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicy) Reset() { *m = MutatingAdmissionPolicy{} }
 
-var xxx_messageInfo_NamedRuleWithOperations proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicyBinding) Reset() { *m = MutatingAdmissionPolicyBinding{} }
 
-func (m *ParamKind) Reset()      { *m = ParamKind{} }
-func (*ParamKind) ProtoMessage() {}
-func (*ParamKind) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{14}
-}
-func (m *ParamKind) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamKind) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamKind) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamKind.Merge(m, src)
-}
-func (m *ParamKind) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamKind) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamKind.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicyBindingList) Reset() { *m = MutatingAdmissionPolicyBindingList{} }
 
-var xxx_messageInfo_ParamKind proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicyBindingSpec) Reset() { *m = MutatingAdmissionPolicyBindingSpec{} }
 
-func (m *ParamRef) Reset()      { *m = ParamRef{} }
-func (*ParamRef) ProtoMessage() {}
-func (*ParamRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{15}
-}
-func (m *ParamRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamRef.Merge(m, src)
-}
-func (m *ParamRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamRef.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicyList) Reset() { *m = MutatingAdmissionPolicyList{} }
 
-var xxx_messageInfo_ParamRef proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicySpec) Reset() { *m = MutatingAdmissionPolicySpec{} }
 
-func (m *TypeChecking) Reset()      { *m = TypeChecking{} }
-func (*TypeChecking) ProtoMessage() {}
-func (*TypeChecking) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{16}
-}
-func (m *TypeChecking) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypeChecking) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypeChecking) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypeChecking.Merge(m, src)
-}
-func (m *TypeChecking) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypeChecking) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypeChecking.DiscardUnknown(m)
-}
+func (m *Mutation) Reset() { *m = Mutation{} }
 
-var xxx_messageInfo_TypeChecking proto.InternalMessageInfo
+func (m *NamedRuleWithOperations) Reset() { *m = NamedRuleWithOperations{} }
 
-func (m *ValidatingAdmissionPolicy) Reset()      { *m = ValidatingAdmissionPolicy{} }
-func (*ValidatingAdmissionPolicy) ProtoMessage() {}
-func (*ValidatingAdmissionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{17}
-}
-func (m *ValidatingAdmissionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicy.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicy.DiscardUnknown(m)
-}
+func (m *ParamKind) Reset() { *m = ParamKind{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicy proto.InternalMessageInfo
+func (m *ParamRef) Reset() { *m = ParamRef{} }
 
-func (m *ValidatingAdmissionPolicyBinding) Reset()      { *m = ValidatingAdmissionPolicyBinding{} }
-func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{18}
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.DiscardUnknown(m)
-}
+func (m *TypeChecking) Reset() { *m = TypeChecking{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyBinding proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicy) Reset() { *m = ValidatingAdmissionPolicy{} }
 
-func (m *ValidatingAdmissionPolicyBindingList) Reset()      { *m = ValidatingAdmissionPolicyBindingList{} }
-func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{19}
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingList proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicyBindingSpec) Reset()      { *m = ValidatingAdmissionPolicyBindingSpec{} }
-func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{20}
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicyList) Reset()      { *m = ValidatingAdmissionPolicyList{} }
-func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{21}
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyBinding) Reset() { *m = ValidatingAdmissionPolicyBinding{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyList proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicySpec) Reset()      { *m = ValidatingAdmissionPolicySpec{} }
-func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{22}
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyBindingList) Reset() { *m = ValidatingAdmissionPolicyBindingList{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicySpec proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicyBindingSpec) Reset() { *m = ValidatingAdmissionPolicyBindingSpec{} }
 
-func (m *ValidatingAdmissionPolicyStatus) Reset()      { *m = ValidatingAdmissionPolicyStatus{} }
-func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{23}
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyList) Reset() { *m = ValidatingAdmissionPolicyList{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyStatus proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicySpec) Reset() { *m = ValidatingAdmissionPolicySpec{} }
 
-func (m *Validation) Reset()      { *m = Validation{} }
-func (*Validation) ProtoMessage() {}
-func (*Validation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{24}
-}
-func (m *Validation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Validation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Validation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Validation.Merge(m, src)
-}
-func (m *Validation) XXX_Size() int {
-	return m.Size()
-}
-func (m *Validation) XXX_DiscardUnknown() {
-	xxx_messageInfo_Validation.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyStatus) Reset() { *m = ValidatingAdmissionPolicyStatus{} }
 
-var xxx_messageInfo_Validation proto.InternalMessageInfo
+func (m *Validation) Reset() { *m = Validation{} }
 
-func (m *Variable) Reset()      { *m = Variable{} }
-func (*Variable) ProtoMessage() {}
-func (*Variable) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c49182728ae0af5, []int{25}
-}
-func (m *Variable) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Variable) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Variable) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Variable.Merge(m, src)
-}
-func (m *Variable) XXX_Size() int {
-	return m.Size()
-}
-func (m *Variable) XXX_DiscardUnknown() {
-	xxx_messageInfo_Variable.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Variable proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ApplyConfiguration)(nil), "k8s.io.api.admissionregistration.v1alpha1.ApplyConfiguration")
-	proto.RegisterType((*AuditAnnotation)(nil), "k8s.io.api.admissionregistration.v1alpha1.AuditAnnotation")
-	proto.RegisterType((*ExpressionWarning)(nil), "k8s.io.api.admissionregistration.v1alpha1.ExpressionWarning")
-	proto.RegisterType((*JSONPatch)(nil), "k8s.io.api.admissionregistration.v1alpha1.JSONPatch")
-	proto.RegisterType((*MatchCondition)(nil), "k8s.io.api.admissionregistration.v1alpha1.MatchCondition")
-	proto.RegisterType((*MatchResources)(nil), "k8s.io.api.admissionregistration.v1alpha1.MatchResources")
-	proto.RegisterType((*MutatingAdmissionPolicy)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy")
-	proto.RegisterType((*MutatingAdmissionPolicyBinding)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding")
-	proto.RegisterType((*MutatingAdmissionPolicyBindingList)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList")
-	proto.RegisterType((*MutatingAdmissionPolicyBindingSpec)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec")
-	proto.RegisterType((*MutatingAdmissionPolicyList)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList")
-	proto.RegisterType((*MutatingAdmissionPolicySpec)(nil), "k8s.io.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec")
-	proto.RegisterType((*Mutation)(nil), "k8s.io.api.admissionregistration.v1alpha1.Mutation")
-	proto.RegisterType((*NamedRuleWithOperations)(nil), "k8s.io.api.admissionregistration.v1alpha1.NamedRuleWithOperations")
-	proto.RegisterType((*ParamKind)(nil), "k8s.io.api.admissionregistration.v1alpha1.ParamKind")
-	proto.RegisterType((*ParamRef)(nil), "k8s.io.api.admissionregistration.v1alpha1.ParamRef")
-	proto.RegisterType((*TypeChecking)(nil), "k8s.io.api.admissionregistration.v1alpha1.TypeChecking")
-	proto.RegisterType((*ValidatingAdmissionPolicy)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy")
-	proto.RegisterType((*ValidatingAdmissionPolicyBinding)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingList)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingSpec)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyList)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList")
-	proto.RegisterType((*ValidatingAdmissionPolicySpec)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyStatus)(nil), "k8s.io.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus")
-	proto.RegisterType((*Validation)(nil), "k8s.io.api.admissionregistration.v1alpha1.Validation")
-	proto.RegisterType((*Variable)(nil), "k8s.io.api.admissionregistration.v1alpha1.Variable")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/admissionregistration/v1alpha1/generated.proto", fileDescriptor_2c49182728ae0af5)
-}
-
-var fileDescriptor_2c49182728ae0af5 = []byte{
-	// 1783 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0xdd, 0x6f, 0x1b, 0x4b,
-	0x15, 0xcf, 0xda, 0xce, 0x87, 0xc7, 0xf9, 0xf2, 0xd0, 0x12, 0x37, 0xa5, 0xde, 0x68, 0x55, 0xa1,
-	0x46, 0x82, 0x35, 0x49, 0x0b, 0xa5, 0x55, 0x51, 0x95, 0x6d, 0x9b, 0xb6, 0x69, 0x9d, 0x44, 0x53,
-	0x94, 0x20, 0x04, 0x12, 0x93, 0xf5, 0xc4, 0xde, 0xc6, 0xfb, 0xc1, 0xce, 0x3a, 0x34, 0x02, 0x89,
-	0x4a, 0x08, 0x09, 0xde, 0x78, 0xe0, 0x85, 0x37, 0xc4, 0x1f, 0xc0, 0x03, 0xfc, 0x05, 0xbc, 0xf5,
-	0xb1, 0x8f, 0xe5, 0x81, 0x15, 0x35, 0x20, 0xf1, 0x0c, 0xd2, 0xbd, 0x52, 0x5e, 0xee, 0xd5, 0xcc,
-	0xce, 0x7e, 0x79, 0xed, 0xc6, 0x4e, 0xd3, 0xf4, 0xe1, 0xde, 0x37, 0xcf, 0xf9, 0xf8, 0x9d, 0x39,
-	0x67, 0xce, 0x9c, 0x39, 0xc7, 0x0b, 0x6e, 0x1d, 0x7c, 0x97, 0xaa, 0x86, 0x5d, 0xc3, 0x8e, 0x51,
-	0xc3, 0x0d, 0xd3, 0xa0, 0xd4, 0xb0, 0x2d, 0x97, 0x34, 0x0d, 0xea, 0xb9, 0xd8, 0x33, 0x6c, 0xab,
-	0x76, 0xb8, 0x82, 0xdb, 0x4e, 0x0b, 0xaf, 0xd4, 0x9a, 0xc4, 0x22, 0x2e, 0xf6, 0x48, 0x43, 0x75,
-	0x5c, 0xdb, 0xb3, 0xe1, 0x72, 0xa0, 0xaa, 0x62, 0xc7, 0x50, 0xfb, 0xaa, 0xaa, 0xa1, 0xea, 0xe2,
-	0x37, 0x9b, 0x86, 0xd7, 0xea, 0xec, 0xa9, 0xba, 0x6d, 0xd6, 0x9a, 0x76, 0xd3, 0xae, 0x71, 0x84,
-	0xbd, 0xce, 0x3e, 0x5f, 0xf1, 0x05, 0xff, 0x15, 0x20, 0x2f, 0x5e, 0x1f, 0x62, 0x53, 0xbd, 0xdb,
-	0x59, 0xbc, 0x11, 0x2b, 0x99, 0x58, 0x6f, 0x19, 0x16, 0x71, 0x8f, 0x6a, 0xce, 0x41, 0x93, 0x11,
-	0x68, 0xcd, 0x24, 0x1e, 0xee, 0xa7, 0x55, 0x1b, 0xa4, 0xe5, 0x76, 0x2c, 0xcf, 0x30, 0x49, 0x46,
-	0xe1, 0x3b, 0x27, 0x29, 0x50, 0xbd, 0x45, 0x4c, 0xdc, 0xab, 0xa7, 0x3c, 0x02, 0x70, 0xcd, 0x71,
-	0xda, 0x47, 0xf7, 0x6c, 0x6b, 0xdf, 0x68, 0x76, 0x02, 0x3f, 0xe0, 0x2a, 0x00, 0xe4, 0x85, 0xe3,
-	0x12, 0xee, 0x61, 0x45, 0x5a, 0x92, 0xae, 0x15, 0x35, 0xf8, 0xca, 0x97, 0xc7, 0xba, 0xbe, 0x0c,
-	0x1e, 0x44, 0x1c, 0x94, 0x90, 0x52, 0x28, 0x98, 0x5b, 0xeb, 0x34, 0x0c, 0x6f, 0xcd, 0xb2, 0x6c,
-	0x2f, 0x80, 0xb9, 0x02, 0xf2, 0x07, 0xe4, 0x48, 0xe8, 0x97, 0x84, 0x7e, 0xfe, 0x09, 0x39, 0x42,
-	0x8c, 0x0e, 0xd7, 0xc0, 0xdc, 0x21, 0x6e, 0x77, 0x48, 0x0c, 0x58, 0xc9, 0x71, 0xd1, 0x05, 0x21,
-	0x3a, 0xb7, 0x93, 0x66, 0xa3, 0x5e, 0x79, 0xa5, 0x0d, 0xca, 0xf1, 0x6a, 0x17, 0xbb, 0x96, 0x61,
-	0x35, 0xe1, 0x37, 0xc0, 0xd4, 0xbe, 0x41, 0xda, 0x0d, 0x44, 0xf6, 0x05, 0xe0, 0xbc, 0x00, 0x9c,
-	0x5a, 0x17, 0x74, 0x14, 0x49, 0xc0, 0x65, 0x30, 0xf9, 0xb3, 0x40, 0xb1, 0x92, 0xe7, 0xc2, 0x73,
-	0x42, 0x78, 0x52, 0xe0, 0xa1, 0x90, 0xaf, 0xdc, 0x05, 0xc5, 0x8d, 0x67, 0x5b, 0x9b, 0xdb, 0xd8,
-	0xd3, 0x5b, 0xa7, 0x8a, 0xd1, 0x3e, 0x98, 0xad, 0x33, 0xe5, 0x7b, 0xb6, 0xd5, 0x30, 0x78, 0x88,
-	0x96, 0x40, 0xc1, 0xc2, 0x26, 0x11, 0xfa, 0xd3, 0x42, 0xbf, 0xb0, 0x89, 0x4d, 0x82, 0x38, 0xa7,
-	0xc7, 0x4e, 0x6e, 0x28, 0x3b, 0x7f, 0x2f, 0x08, 0x43, 0x88, 0x50, 0xbb, 0xe3, 0xea, 0x84, 0xc2,
-	0x17, 0xa0, 0xcc, 0xe0, 0xa8, 0x83, 0x75, 0xf2, 0x8c, 0xb4, 0x89, 0xee, 0xd9, 0x2e, 0xb7, 0x5a,
-	0x5a, 0xbd, 0xae, 0xc6, 0x57, 0x26, 0x4a, 0x1e, 0xd5, 0x39, 0x68, 0x32, 0x02, 0x55, 0x59, 0x8e,
-	0xaa, 0x87, 0x2b, 0xea, 0x53, 0xbc, 0x47, 0xda, 0xa1, 0xaa, 0x76, 0xb1, 0xeb, 0xcb, 0xe5, 0xcd,
-	0x5e, 0x44, 0x94, 0x35, 0x02, 0x6d, 0x30, 0x6b, 0xef, 0x3d, 0x27, 0xba, 0x17, 0x99, 0xcd, 0x9d,
-	0xde, 0x2c, 0xec, 0xfa, 0xf2, 0xec, 0x56, 0x0a, 0x0e, 0xf5, 0xc0, 0xc3, 0x5f, 0x82, 0x19, 0x57,
-	0xf8, 0x8d, 0x3a, 0x6d, 0x42, 0x2b, 0xf9, 0xa5, 0xfc, 0xb5, 0xd2, 0xaa, 0xa6, 0x0e, 0x5d, 0x19,
-	0x54, 0xe6, 0x58, 0x83, 0x29, 0xef, 0x1a, 0x5e, 0x6b, 0xcb, 0x21, 0x01, 0x9f, 0x6a, 0x17, 0x45,
-	0xe0, 0x67, 0x50, 0xd2, 0x00, 0x4a, 0xdb, 0x83, 0xbf, 0x97, 0xc0, 0x05, 0xf2, 0x42, 0x6f, 0x77,
-	0x1a, 0x24, 0x25, 0x57, 0x29, 0x9c, 0xd9, 0x46, 0xbe, 0x26, 0x36, 0x72, 0xe1, 0x41, 0x1f, 0x3b,
-	0xa8, 0xaf, 0x75, 0x78, 0x1f, 0x94, 0x4c, 0x96, 0x14, 0xdb, 0x76, 0xdb, 0xd0, 0x8f, 0x2a, 0x93,
-	0x3c, 0x95, 0x94, 0xae, 0x2f, 0x97, 0xea, 0x31, 0xf9, 0xd8, 0x97, 0xe7, 0x12, 0xcb, 0xef, 0x1f,
-	0x39, 0x04, 0x25, 0xd5, 0x94, 0xff, 0x48, 0x60, 0xa1, 0xde, 0x61, 0x37, 0xdc, 0x6a, 0xae, 0x85,
-	0x9b, 0x0f, 0x78, 0xf0, 0x27, 0x60, 0x8a, 0x1d, 0x5b, 0x03, 0x7b, 0x58, 0xe4, 0xd6, 0xb7, 0x86,
-	0x3b, 0xe4, 0xe0, 0x44, 0xeb, 0xc4, 0xc3, 0x71, 0x6e, 0xc7, 0x34, 0x14, 0xa1, 0xc2, 0x16, 0x28,
-	0x50, 0x87, 0xe8, 0x22, 0x85, 0xd6, 0x47, 0x88, 0xe4, 0x80, 0x3d, 0x3f, 0x73, 0x88, 0x1e, 0xdf,
-	0x3b, 0xb6, 0x42, 0xdc, 0x82, 0xf2, 0x7f, 0x09, 0x54, 0x07, 0xe8, 0x68, 0x86, 0xd5, 0x60, 0x85,
-	0xe6, 0xc3, 0xbb, 0x6b, 0xa7, 0xdc, 0xad, 0xbf, 0xbf, 0xbb, 0x62, 0xeb, 0x03, 0xbd, 0xfe, 0x9f,
-	0x04, 0x94, 0x77, 0xab, 0x3e, 0x35, 0xa8, 0x07, 0x7f, 0x94, 0xf1, 0x5c, 0x1d, 0xf2, 0x36, 0x1b,
-	0x34, 0xf0, 0x3b, 0x2a, 0xc9, 0x21, 0x25, 0xe1, 0xb5, 0x05, 0xc6, 0x0d, 0x8f, 0x98, 0xb4, 0x92,
-	0xe3, 0xf7, 0xe5, 0xf1, 0x99, 0xb9, 0xad, 0xcd, 0x08, 0xab, 0xe3, 0x8f, 0x19, 0x3e, 0x0a, 0xcc,
-	0x28, 0x7f, 0xce, 0x9d, 0xe4, 0x34, 0x8b, 0x10, 0xab, 0xc4, 0x0e, 0x27, 0x6e, 0xc6, 0x15, 0x3b,
-	0x3a, 0xbe, 0xed, 0x88, 0x83, 0x12, 0x52, 0xf0, 0xc7, 0x60, 0xca, 0xc1, 0x2e, 0x36, 0xc3, 0xb7,
-	0x28, 0x5d, 0xf6, 0x4e, 0xf2, 0x66, 0x5b, 0xa8, 0x6a, 0xd3, 0x2c, 0x52, 0xe1, 0x0a, 0x45, 0x90,
-	0xb0, 0x03, 0x66, 0xcd, 0x54, 0x9d, 0xe7, 0x6f, 0x58, 0x69, 0xf5, 0xd6, 0x28, 0x21, 0x4b, 0x01,
-	0x04, 0x15, 0x36, 0x4d, 0x43, 0x3d, 0x46, 0x94, 0x7f, 0x4b, 0xe0, 0xf2, 0x80, 0x80, 0x9d, 0x43,
-	0x7a, 0x34, 0xd3, 0xe9, 0xa1, 0x9d, 0x41, 0x7a, 0xf4, 0xcf, 0x8b, 0x3f, 0x4e, 0x0c, 0x74, 0x93,
-	0x27, 0x04, 0x06, 0x45, 0x7e, 0x12, 0x4f, 0x0c, 0xab, 0x21, 0xfc, 0xbc, 0x31, 0xea, 0xe9, 0x32,
-	0x5d, 0x6d, 0xa6, 0xeb, 0xcb, 0xc5, 0x68, 0x89, 0x62, 0x54, 0xf8, 0x73, 0x30, 0x6f, 0x8a, 0x8e,
-	0x81, 0x01, 0x18, 0x96, 0x47, 0x45, 0x1e, 0xbd, 0xc7, 0x11, 0x5f, 0xe8, 0xfa, 0xf2, 0x7c, 0xbd,
-	0x07, 0x16, 0x65, 0x0c, 0xc1, 0x06, 0x28, 0x1e, 0x62, 0xd7, 0xc0, 0x7b, 0xf1, 0x23, 0x3a, 0x4a,
-	0xf6, 0xee, 0x08, 0x5d, 0xad, 0x2c, 0xa2, 0x5b, 0x0c, 0x29, 0x14, 0xc5, 0xc0, 0xcc, 0x8a, 0xd9,
-	0x09, 0x3a, 0xc6, 0xf0, 0x85, 0xbc, 0x3e, 0xf2, 0x91, 0xda, 0x56, 0x6c, 0x25, 0xa4, 0x50, 0x14,
-	0x03, 0xc3, 0xa7, 0x60, 0x66, 0x1f, 0x1b, 0xed, 0x8e, 0x4b, 0xc4, 0xf3, 0x37, 0xce, 0xef, 0xef,
-	0xd7, 0xd9, 0x63, 0xbe, 0x9e, 0x64, 0x1c, 0xfb, 0x72, 0x39, 0x45, 0xe0, 0x4f, 0x60, 0x5a, 0x19,
-	0xfe, 0x02, 0xcc, 0x99, 0xa9, 0x46, 0x8e, 0x56, 0x26, 0xf8, 0xce, 0x47, 0x3e, 0x95, 0x08, 0x21,
-	0xee, 0x7a, 0xd3, 0x74, 0x8a, 0x7a, 0x4d, 0xc1, 0xdf, 0x48, 0x00, 0xba, 0xc4, 0xb0, 0x0e, 0x6d,
-	0x9d, 0x43, 0xa6, 0x1e, 0xf4, 0x1f, 0x08, 0x18, 0x88, 0x32, 0x12, 0xc7, 0xbe, 0x7c, 0x7b, 0x88,
-	0x19, 0x46, 0xcd, 0x6a, 0xf2, 0x18, 0xf4, 0xb1, 0xa9, 0xfc, 0x35, 0x07, 0xa6, 0xc2, 0x78, 0xc3,
-	0x3b, 0xec, 0x3e, 0x78, 0x7a, 0x8b, 0x49, 0x8b, 0x4e, 0xb5, 0x1a, 0x1e, 0xca, 0x76, 0xc8, 0x38,
-	0x4e, 0x2e, 0x50, 0xac, 0x00, 0x7f, 0x2d, 0x01, 0x88, 0x33, 0xb3, 0x88, 0x28, 0x68, 0xdf, 0x1b,
-	0x21, 0xae, 0xd9, 0x81, 0x46, 0xfb, 0x2a, 0x0b, 0x48, 0x96, 0x8e, 0xfa, 0x18, 0x64, 0xb7, 0xfa,
-	0x39, 0xb5, 0x2d, 0xbe, 0xc7, 0x4a, 0x61, 0xe4, 0x5b, 0x1d, 0x4d, 0x08, 0xc1, 0xad, 0x8e, 0x96,
-	0x28, 0x46, 0x55, 0xde, 0x48, 0x60, 0x61, 0x40, 0x67, 0x07, 0x6f, 0xc6, 0xdd, 0x2b, 0x6f, 0xaf,
-	0x2b, 0xd2, 0x52, 0xfe, 0x5a, 0x51, 0x2b, 0x27, 0xbb, 0x4e, 0xce, 0x40, 0x69, 0x39, 0xf8, 0x2b,
-	0x96, 0x15, 0x19, 0x3c, 0x51, 0x2d, 0x6e, 0x0e, 0xe3, 0x81, 0xda, 0xa7, 0xd1, 0x5c, 0x8c, 0xd2,
-	0x29, 0xc3, 0x43, 0x7d, 0xcc, 0x29, 0x18, 0xc4, 0x85, 0x8c, 0xbd, 0x98, 0xd8, 0x31, 0x76, 0x88,
-	0xdb, 0x6f, 0x46, 0x5a, 0xdb, 0x7e, 0x2c, 0x38, 0x28, 0x21, 0xc5, 0x26, 0xa2, 0x03, 0x56, 0x4f,
-	0x73, 0xe9, 0x89, 0x88, 0x17, 0x46, 0xce, 0x51, 0xfe, 0x92, 0x03, 0xd1, 0x5b, 0x38, 0xc4, 0x00,
-	0x55, 0x03, 0xc5, 0x68, 0x28, 0x11, 0xa8, 0x51, 0xa9, 0x88, 0x06, 0x18, 0x14, 0xcb, 0xb0, 0x37,
-	0x9b, 0x86, 0xa3, 0x4a, 0xfe, 0xf4, 0xa3, 0x0a, 0x7f, 0xb3, 0xa3, 0x21, 0x25, 0x82, 0x84, 0x1e,
-	0x58, 0xe0, 0xf5, 0x9d, 0x78, 0xc4, 0xdd, 0xb4, 0xbd, 0x75, 0xbb, 0x63, 0x35, 0xd6, 0x74, 0x9e,
-	0xeb, 0x05, 0xbe, 0xbb, 0xdb, 0x5d, 0x5f, 0x5e, 0xd8, 0xee, 0x2f, 0x72, 0xec, 0xcb, 0x97, 0x07,
-	0xb0, 0xf8, 0x7d, 0x1a, 0x04, 0xad, 0xfc, 0x41, 0x02, 0xd3, 0x4c, 0xe2, 0x5e, 0x8b, 0xe8, 0x07,
-	0xac, 0x79, 0x65, 0x45, 0x84, 0xf4, 0xce, 0xce, 0x41, 0xb6, 0x95, 0x56, 0xef, 0x8c, 0x90, 0xf0,
-	0x99, 0x01, 0x3c, 0xce, 0x99, 0x0c, 0x8b, 0xa2, 0x3e, 0x36, 0x95, 0x7f, 0xe4, 0xc0, 0xa5, 0x1d,
-	0xdc, 0x36, 0x1a, 0x1f, 0x69, 0xa8, 0x78, 0x9e, 0xea, 0xb2, 0x1f, 0x8d, 0xf4, 0xc4, 0x0d, 0xd8,
-	0xf5, 0xa0, 0x06, 0x1b, 0xba, 0x60, 0x82, 0x7a, 0xd8, 0xeb, 0x84, 0x9d, 0xda, 0xc6, 0x99, 0x58,
-	0xe3, 0x88, 0xda, 0xac, 0xb0, 0x37, 0x11, 0xac, 0x91, 0xb0, 0xa4, 0x7c, 0x2a, 0x81, 0xa5, 0x81,
-	0xba, 0xe7, 0x37, 0xcc, 0xfc, 0x34, 0x15, 0xe6, 0xad, 0xb3, 0x70, 0xfc, 0xa4, 0x71, 0xe6, 0x13,
-	0x09, 0x5c, 0x3d, 0x49, 0xf9, 0x1c, 0x3a, 0x56, 0x27, 0xdd, 0xb1, 0x3e, 0x39, 0x43, 0xd7, 0x07,
-	0xb4, 0xae, 0xbf, 0xcd, 0x9f, 0xec, 0xf8, 0x97, 0x43, 0x4d, 0xea, 0x1f, 0xb2, 0x5d, 0x50, 0x3e,
-	0x14, 0x11, 0xb3, 0xad, 0xa0, 0x6a, 0x06, 0xfd, 0x68, 0x51, 0x5b, 0xee, 0xfa, 0x72, 0x79, 0xa7,
-	0x97, 0x79, 0xec, 0xcb, 0xf3, 0xbd, 0x44, 0x94, 0xc5, 0x50, 0xfe, 0x2b, 0x81, 0x2b, 0x03, 0xcf,
-	0xe2, 0x1c, 0xb2, 0xcf, 0x48, 0x67, 0xdf, 0xfd, 0x33, 0xc9, 0xbe, 0xfe, 0x69, 0xf7, 0xa7, 0x89,
-	0x77, 0xb8, 0xfa, 0x85, 0x98, 0x99, 0xda, 0xa0, 0x14, 0x67, 0x40, 0x38, 0x35, 0x7d, 0xfb, 0x14,
-	0x21, 0xb7, 0x2d, 0xed, 0x2b, 0x22, 0xc6, 0xa5, 0x98, 0x46, 0x51, 0x12, 0x3e, 0x3b, 0xd5, 0x14,
-	0xde, 0x67, 0xaa, 0x79, 0x29, 0x81, 0x79, 0x9c, 0xfe, 0x0f, 0x9f, 0x56, 0xc6, 0xb9, 0x07, 0xb7,
-	0x47, 0xe9, 0xbf, 0xd3, 0x10, 0x5a, 0x45, 0xb8, 0x31, 0xdf, 0xc3, 0xa0, 0x28, 0x63, 0xed, 0x23,
-	0x0f, 0x56, 0xa9, 0x81, 0x77, 0xf2, 0x03, 0x0d, 0xbc, 0xca, 0xdf, 0x72, 0x40, 0x3e, 0xe1, 0x29,
-	0x87, 0x1b, 0x00, 0xda, 0x7b, 0x94, 0xb8, 0x87, 0xa4, 0xf1, 0x30, 0xf8, 0x64, 0x13, 0x76, 0xd0,
-	0xf9, 0xb8, 0xbd, 0xda, 0xca, 0x48, 0xa0, 0x3e, 0x5a, 0xd0, 0x04, 0xd3, 0x5e, 0xa2, 0xf3, 0x1b,
-	0x65, 0x22, 0x10, 0x8e, 0x25, 0x1b, 0x47, 0x6d, 0xbe, 0xeb, 0xcb, 0xa9, 0x56, 0x12, 0xa5, 0xe0,
-	0xa1, 0x0e, 0x80, 0x1e, 0x9f, 0x5e, 0x70, 0x01, 0x6a, 0xc3, 0x95, 0xb3, 0xf8, 0xcc, 0xa2, 0x27,
-	0x28, 0x71, 0x5c, 0x09, 0x58, 0xe5, 0x33, 0x09, 0x80, 0xf8, 0x56, 0xc0, 0xab, 0x20, 0xf1, 0x29,
-	0x44, 0xbc, 0x62, 0x05, 0x06, 0x81, 0x12, 0x74, 0xb8, 0x0c, 0x26, 0x4d, 0x42, 0x29, 0x6e, 0x86,
-	0x73, 0x40, 0xf4, 0xa9, 0xa7, 0x1e, 0x90, 0x51, 0xc8, 0x87, 0xbb, 0x60, 0xc2, 0x25, 0x98, 0x8a,
-	0xf9, 0xb3, 0xa8, 0xdd, 0x65, 0x6d, 0x15, 0xe2, 0x94, 0x63, 0x5f, 0x5e, 0x19, 0xe6, 0xa3, 0x9e,
-	0x2a, 0xba, 0x30, 0xae, 0x84, 0x04, 0x1c, 0x7c, 0x08, 0xca, 0xc2, 0x46, 0x62, 0xc3, 0xc1, 0xad,
-	0xbd, 0x24, 0x76, 0x53, 0xae, 0xf7, 0x0a, 0xa0, 0xac, 0x8e, 0xb2, 0x01, 0xa6, 0xc2, 0xec, 0x82,
-	0x15, 0x50, 0x48, 0x3c, 0xdf, 0x81, 0xe3, 0x9c, 0xd2, 0x13, 0x98, 0x5c, 0xff, 0xc0, 0x68, 0x5b,
-	0xaf, 0xde, 0x56, 0xc7, 0x5e, 0xbf, 0xad, 0x8e, 0xbd, 0x79, 0x5b, 0x1d, 0x7b, 0xd9, 0xad, 0x4a,
-	0xaf, 0xba, 0x55, 0xe9, 0x75, 0xb7, 0x2a, 0xbd, 0xe9, 0x56, 0xa5, 0x7f, 0x76, 0xab, 0xd2, 0xef,
-	0xfe, 0x55, 0x1d, 0xfb, 0xe1, 0xf2, 0xd0, 0x1f, 0x65, 0x3f, 0x0f, 0x00, 0x00, 0xff, 0xff, 0xac,
-	0xc8, 0x8c, 0x78, 0xc0, 0x1d, 0x00, 0x00,
-}
+func (m *Variable) Reset() { *m = Variable{} }
 
 func (m *ApplyConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..651a01f0b395f
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,74 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ApplyConfiguration) ProtoMessage() {}
+
+func (*AuditAnnotation) ProtoMessage() {}
+
+func (*ExpressionWarning) ProtoMessage() {}
+
+func (*JSONPatch) ProtoMessage() {}
+
+func (*MatchCondition) ProtoMessage() {}
+
+func (*MatchResources) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicy) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBinding) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBindingList) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBindingSpec) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyList) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicySpec) ProtoMessage() {}
+
+func (*Mutation) ProtoMessage() {}
+
+func (*NamedRuleWithOperations) ProtoMessage() {}
+
+func (*ParamKind) ProtoMessage() {}
+
+func (*ParamRef) ProtoMessage() {}
+
+func (*TypeChecking) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicy) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
+
+func (*Validation) ProtoMessage() {}
+
+func (*Variable) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go b/staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go
index f183498a5540e..459f7944c7b2c 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go
@@ -930,7 +930,8 @@ type JSONPatch struct {
 	Expression string `json:"expression,omitempty" protobuf:"bytes,1,opt,name=expression"`
 }
 
-// ReinvocationPolicyType specifies what type of policy the admission mutation uses.
+// ReinvocationPolicyType specifies what type of policy is used when other admission plugins also perform
+// modifications.
 // +enum
 type ReinvocationPolicyType = v1.ReinvocationPolicyType
 
diff --git a/staging/src/k8s.io/api/admissionregistration/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/admissionregistration/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..ea43d464905d2
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,152 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ApplyConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuditAnnotation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExpressionWarning) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONPatch) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.JSONPatch"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchCondition) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MatchCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchResources) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MatchResources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBinding) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBindingSpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Mutation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.Mutation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamedRuleWithOperations) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamKind) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ParamKind"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamRef) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ParamRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypeChecking) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.TypeChecking"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBinding) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingSpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyStatus) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Validation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.Validation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Variable) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1alpha1.Variable"
+}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/doc.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/doc.go
index 40d8315738ec5..016a81fa85e21 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.admissionregistration.v1beta1
+
 // +groupName=admissionregistration.k8s.io
 
 // Package v1beta1 is the v1beta1 version of the API.
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
index bf1ae594882de..8e79eae397888 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.pb.go
@@ -24,1164 +24,83 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_admissionregistration_v1 "k8s.io/api/admissionregistration/v1"
 	v11 "k8s.io/api/admissionregistration/v1"
 	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ApplyConfiguration) Reset() { *m = ApplyConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AuditAnnotation) Reset() { *m = AuditAnnotation{} }
 
-func (m *ApplyConfiguration) Reset()      { *m = ApplyConfiguration{} }
-func (*ApplyConfiguration) ProtoMessage() {}
-func (*ApplyConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{0}
-}
-func (m *ApplyConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ApplyConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ApplyConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ApplyConfiguration.Merge(m, src)
-}
-func (m *ApplyConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ApplyConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ApplyConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ApplyConfiguration proto.InternalMessageInfo
-
-func (m *AuditAnnotation) Reset()      { *m = AuditAnnotation{} }
-func (*AuditAnnotation) ProtoMessage() {}
-func (*AuditAnnotation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{1}
-}
-func (m *AuditAnnotation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AuditAnnotation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AuditAnnotation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AuditAnnotation.Merge(m, src)
-}
-func (m *AuditAnnotation) XXX_Size() int {
-	return m.Size()
-}
-func (m *AuditAnnotation) XXX_DiscardUnknown() {
-	xxx_messageInfo_AuditAnnotation.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AuditAnnotation proto.InternalMessageInfo
-
-func (m *ExpressionWarning) Reset()      { *m = ExpressionWarning{} }
-func (*ExpressionWarning) ProtoMessage() {}
-func (*ExpressionWarning) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{2}
-}
-func (m *ExpressionWarning) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExpressionWarning) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExpressionWarning) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExpressionWarning.Merge(m, src)
-}
-func (m *ExpressionWarning) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExpressionWarning) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExpressionWarning.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExpressionWarning proto.InternalMessageInfo
-
-func (m *JSONPatch) Reset()      { *m = JSONPatch{} }
-func (*JSONPatch) ProtoMessage() {}
-func (*JSONPatch) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{3}
-}
-func (m *JSONPatch) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONPatch) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONPatch) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONPatch.Merge(m, src)
-}
-func (m *JSONPatch) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONPatch) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONPatch.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JSONPatch proto.InternalMessageInfo
-
-func (m *MatchCondition) Reset()      { *m = MatchCondition{} }
-func (*MatchCondition) ProtoMessage() {}
-func (*MatchCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{4}
-}
-func (m *MatchCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchCondition.Merge(m, src)
-}
-func (m *MatchCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchCondition proto.InternalMessageInfo
-
-func (m *MatchResources) Reset()      { *m = MatchResources{} }
-func (*MatchResources) ProtoMessage() {}
-func (*MatchResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{5}
-}
-func (m *MatchResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MatchResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MatchResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MatchResources.Merge(m, src)
-}
-func (m *MatchResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *MatchResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_MatchResources.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MatchResources proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicy) Reset()      { *m = MutatingAdmissionPolicy{} }
-func (*MutatingAdmissionPolicy) ProtoMessage() {}
-func (*MutatingAdmissionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{6}
-}
-func (m *MutatingAdmissionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicy.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicy proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBinding) Reset()      { *m = MutatingAdmissionPolicyBinding{} }
-func (*MutatingAdmissionPolicyBinding) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{7}
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBinding.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBinding proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBindingList) Reset()      { *m = MutatingAdmissionPolicyBindingList{} }
-func (*MutatingAdmissionPolicyBindingList) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{8}
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingList.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBindingList proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyBindingSpec) Reset()      { *m = MutatingAdmissionPolicyBindingSpec{} }
-func (*MutatingAdmissionPolicyBindingSpec) ProtoMessage() {}
-func (*MutatingAdmissionPolicyBindingSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{9}
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingSpec.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyBindingSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyBindingSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyBindingSpec proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicyList) Reset()      { *m = MutatingAdmissionPolicyList{} }
-func (*MutatingAdmissionPolicyList) ProtoMessage() {}
-func (*MutatingAdmissionPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{10}
-}
-func (m *MutatingAdmissionPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicyList.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicyList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicyList proto.InternalMessageInfo
-
-func (m *MutatingAdmissionPolicySpec) Reset()      { *m = MutatingAdmissionPolicySpec{} }
-func (*MutatingAdmissionPolicySpec) ProtoMessage() {}
-func (*MutatingAdmissionPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{11}
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingAdmissionPolicySpec.Merge(m, src)
-}
-func (m *MutatingAdmissionPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingAdmissionPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingAdmissionPolicySpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingAdmissionPolicySpec proto.InternalMessageInfo
-
-func (m *MutatingWebhook) Reset()      { *m = MutatingWebhook{} }
-func (*MutatingWebhook) ProtoMessage() {}
-func (*MutatingWebhook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{12}
-}
-func (m *MutatingWebhook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhook.Merge(m, src)
-}
-func (m *MutatingWebhook) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhook) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhook.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhook proto.InternalMessageInfo
-
-func (m *MutatingWebhookConfiguration) Reset()      { *m = MutatingWebhookConfiguration{} }
-func (*MutatingWebhookConfiguration) ProtoMessage() {}
-func (*MutatingWebhookConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{13}
-}
-func (m *MutatingWebhookConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhookConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhookConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhookConfiguration.Merge(m, src)
-}
-func (m *MutatingWebhookConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhookConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhookConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhookConfiguration proto.InternalMessageInfo
-
-func (m *MutatingWebhookConfigurationList) Reset()      { *m = MutatingWebhookConfigurationList{} }
-func (*MutatingWebhookConfigurationList) ProtoMessage() {}
-func (*MutatingWebhookConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{14}
-}
-func (m *MutatingWebhookConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MutatingWebhookConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MutatingWebhookConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MutatingWebhookConfigurationList.Merge(m, src)
-}
-func (m *MutatingWebhookConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MutatingWebhookConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MutatingWebhookConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MutatingWebhookConfigurationList proto.InternalMessageInfo
-
-func (m *Mutation) Reset()      { *m = Mutation{} }
-func (*Mutation) ProtoMessage() {}
-func (*Mutation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{15}
-}
-func (m *Mutation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Mutation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Mutation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Mutation.Merge(m, src)
-}
-func (m *Mutation) XXX_Size() int {
-	return m.Size()
-}
-func (m *Mutation) XXX_DiscardUnknown() {
-	xxx_messageInfo_Mutation.DiscardUnknown(m)
-}
+func (m *ExpressionWarning) Reset() { *m = ExpressionWarning{} }
 
-var xxx_messageInfo_Mutation proto.InternalMessageInfo
+func (m *JSONPatch) Reset() { *m = JSONPatch{} }
 
-func (m *NamedRuleWithOperations) Reset()      { *m = NamedRuleWithOperations{} }
-func (*NamedRuleWithOperations) ProtoMessage() {}
-func (*NamedRuleWithOperations) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{16}
-}
-func (m *NamedRuleWithOperations) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedRuleWithOperations) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedRuleWithOperations) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedRuleWithOperations.Merge(m, src)
-}
-func (m *NamedRuleWithOperations) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedRuleWithOperations) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedRuleWithOperations.DiscardUnknown(m)
-}
+func (m *MatchCondition) Reset() { *m = MatchCondition{} }
 
-var xxx_messageInfo_NamedRuleWithOperations proto.InternalMessageInfo
+func (m *MatchResources) Reset() { *m = MatchResources{} }
 
-func (m *ParamKind) Reset()      { *m = ParamKind{} }
-func (*ParamKind) ProtoMessage() {}
-func (*ParamKind) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{17}
-}
-func (m *ParamKind) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamKind) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamKind) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamKind.Merge(m, src)
-}
-func (m *ParamKind) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamKind) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamKind.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicy) Reset() { *m = MutatingAdmissionPolicy{} }
 
-var xxx_messageInfo_ParamKind proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicyBinding) Reset() { *m = MutatingAdmissionPolicyBinding{} }
 
-func (m *ParamRef) Reset()      { *m = ParamRef{} }
-func (*ParamRef) ProtoMessage() {}
-func (*ParamRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{18}
-}
-func (m *ParamRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParamRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParamRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParamRef.Merge(m, src)
-}
-func (m *ParamRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParamRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParamRef.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicyBindingList) Reset() { *m = MutatingAdmissionPolicyBindingList{} }
 
-var xxx_messageInfo_ParamRef proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicyBindingSpec) Reset() { *m = MutatingAdmissionPolicyBindingSpec{} }
 
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{19}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
+func (m *MutatingAdmissionPolicyList) Reset() { *m = MutatingAdmissionPolicyList{} }
 
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
+func (m *MutatingAdmissionPolicySpec) Reset() { *m = MutatingAdmissionPolicySpec{} }
 
-func (m *TypeChecking) Reset()      { *m = TypeChecking{} }
-func (*TypeChecking) ProtoMessage() {}
-func (*TypeChecking) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{20}
-}
-func (m *TypeChecking) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypeChecking) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypeChecking) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypeChecking.Merge(m, src)
-}
-func (m *TypeChecking) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypeChecking) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypeChecking.DiscardUnknown(m)
-}
+func (m *MutatingWebhook) Reset() { *m = MutatingWebhook{} }
 
-var xxx_messageInfo_TypeChecking proto.InternalMessageInfo
+func (m *MutatingWebhookConfiguration) Reset() { *m = MutatingWebhookConfiguration{} }
 
-func (m *ValidatingAdmissionPolicy) Reset()      { *m = ValidatingAdmissionPolicy{} }
-func (*ValidatingAdmissionPolicy) ProtoMessage() {}
-func (*ValidatingAdmissionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{21}
-}
-func (m *ValidatingAdmissionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicy.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicy.DiscardUnknown(m)
-}
+func (m *MutatingWebhookConfigurationList) Reset() { *m = MutatingWebhookConfigurationList{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicy proto.InternalMessageInfo
+func (m *Mutation) Reset() { *m = Mutation{} }
 
-func (m *ValidatingAdmissionPolicyBinding) Reset()      { *m = ValidatingAdmissionPolicyBinding{} }
-func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{22}
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBinding.DiscardUnknown(m)
-}
+func (m *NamedRuleWithOperations) Reset() { *m = NamedRuleWithOperations{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyBinding proto.InternalMessageInfo
+func (m *ParamKind) Reset() { *m = ParamKind{} }
 
-func (m *ValidatingAdmissionPolicyBindingList) Reset()      { *m = ValidatingAdmissionPolicyBindingList{} }
-func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{23}
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingList.DiscardUnknown(m)
-}
+func (m *ParamRef) Reset() { *m = ParamRef{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingList proto.InternalMessageInfo
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
-func (m *ValidatingAdmissionPolicyBindingSpec) Reset()      { *m = ValidatingAdmissionPolicyBindingSpec{} }
-func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyBindingSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{24}
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyBindingSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyBindingSpec proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicyList) Reset()      { *m = ValidatingAdmissionPolicyList{} }
-func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{25}
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ValidatingAdmissionPolicyList proto.InternalMessageInfo
-
-func (m *ValidatingAdmissionPolicySpec) Reset()      { *m = ValidatingAdmissionPolicySpec{} }
-func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
-func (*ValidatingAdmissionPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{26}
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicySpec.DiscardUnknown(m)
-}
+func (m *TypeChecking) Reset() { *m = TypeChecking{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicySpec proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicy) Reset() { *m = ValidatingAdmissionPolicy{} }
 
-func (m *ValidatingAdmissionPolicyStatus) Reset()      { *m = ValidatingAdmissionPolicyStatus{} }
-func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
-func (*ValidatingAdmissionPolicyStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{27}
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.Merge(m, src)
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingAdmissionPolicyStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingAdmissionPolicyStatus.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyBinding) Reset() { *m = ValidatingAdmissionPolicyBinding{} }
 
-var xxx_messageInfo_ValidatingAdmissionPolicyStatus proto.InternalMessageInfo
-
-func (m *ValidatingWebhook) Reset()      { *m = ValidatingWebhook{} }
-func (*ValidatingWebhook) ProtoMessage() {}
-func (*ValidatingWebhook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{28}
-}
-func (m *ValidatingWebhook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhook.Merge(m, src)
-}
-func (m *ValidatingWebhook) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhook) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhook.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyBindingList) Reset() { *m = ValidatingAdmissionPolicyBindingList{} }
 
-var xxx_messageInfo_ValidatingWebhook proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicyBindingSpec) Reset() { *m = ValidatingAdmissionPolicyBindingSpec{} }
 
-func (m *ValidatingWebhookConfiguration) Reset()      { *m = ValidatingWebhookConfiguration{} }
-func (*ValidatingWebhookConfiguration) ProtoMessage() {}
-func (*ValidatingWebhookConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{29}
-}
-func (m *ValidatingWebhookConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhookConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhookConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhookConfiguration.Merge(m, src)
-}
-func (m *ValidatingWebhookConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhookConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhookConfiguration.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyList) Reset() { *m = ValidatingAdmissionPolicyList{} }
 
-var xxx_messageInfo_ValidatingWebhookConfiguration proto.InternalMessageInfo
+func (m *ValidatingAdmissionPolicySpec) Reset() { *m = ValidatingAdmissionPolicySpec{} }
 
-func (m *ValidatingWebhookConfigurationList) Reset()      { *m = ValidatingWebhookConfigurationList{} }
-func (*ValidatingWebhookConfigurationList) ProtoMessage() {}
-func (*ValidatingWebhookConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{30}
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidatingWebhookConfigurationList.Merge(m, src)
-}
-func (m *ValidatingWebhookConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidatingWebhookConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidatingWebhookConfigurationList.DiscardUnknown(m)
-}
+func (m *ValidatingAdmissionPolicyStatus) Reset() { *m = ValidatingAdmissionPolicyStatus{} }
 
-var xxx_messageInfo_ValidatingWebhookConfigurationList proto.InternalMessageInfo
+func (m *ValidatingWebhook) Reset() { *m = ValidatingWebhook{} }
 
-func (m *Validation) Reset()      { *m = Validation{} }
-func (*Validation) ProtoMessage() {}
-func (*Validation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{31}
-}
-func (m *Validation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Validation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Validation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Validation.Merge(m, src)
-}
-func (m *Validation) XXX_Size() int {
-	return m.Size()
-}
-func (m *Validation) XXX_DiscardUnknown() {
-	xxx_messageInfo_Validation.DiscardUnknown(m)
-}
+func (m *ValidatingWebhookConfiguration) Reset() { *m = ValidatingWebhookConfiguration{} }
 
-var xxx_messageInfo_Validation proto.InternalMessageInfo
+func (m *ValidatingWebhookConfigurationList) Reset() { *m = ValidatingWebhookConfigurationList{} }
 
-func (m *Variable) Reset()      { *m = Variable{} }
-func (*Variable) ProtoMessage() {}
-func (*Variable) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{32}
-}
-func (m *Variable) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Variable) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Variable) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Variable.Merge(m, src)
-}
-func (m *Variable) XXX_Size() int {
-	return m.Size()
-}
-func (m *Variable) XXX_DiscardUnknown() {
-	xxx_messageInfo_Variable.DiscardUnknown(m)
-}
+func (m *Validation) Reset() { *m = Validation{} }
 
-var xxx_messageInfo_Variable proto.InternalMessageInfo
+func (m *Variable) Reset() { *m = Variable{} }
 
-func (m *WebhookClientConfig) Reset()      { *m = WebhookClientConfig{} }
-func (*WebhookClientConfig) ProtoMessage() {}
-func (*WebhookClientConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7f7c65a4f012fb19, []int{33}
-}
-func (m *WebhookClientConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebhookClientConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebhookClientConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebhookClientConfig.Merge(m, src)
-}
-func (m *WebhookClientConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebhookClientConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebhookClientConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WebhookClientConfig proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ApplyConfiguration)(nil), "k8s.io.api.admissionregistration.v1beta1.ApplyConfiguration")
-	proto.RegisterType((*AuditAnnotation)(nil), "k8s.io.api.admissionregistration.v1beta1.AuditAnnotation")
-	proto.RegisterType((*ExpressionWarning)(nil), "k8s.io.api.admissionregistration.v1beta1.ExpressionWarning")
-	proto.RegisterType((*JSONPatch)(nil), "k8s.io.api.admissionregistration.v1beta1.JSONPatch")
-	proto.RegisterType((*MatchCondition)(nil), "k8s.io.api.admissionregistration.v1beta1.MatchCondition")
-	proto.RegisterType((*MatchResources)(nil), "k8s.io.api.admissionregistration.v1beta1.MatchResources")
-	proto.RegisterType((*MutatingAdmissionPolicy)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicy")
-	proto.RegisterType((*MutatingAdmissionPolicyBinding)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBinding")
-	proto.RegisterType((*MutatingAdmissionPolicyBindingList)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBindingList")
-	proto.RegisterType((*MutatingAdmissionPolicyBindingSpec)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBindingSpec")
-	proto.RegisterType((*MutatingAdmissionPolicyList)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicyList")
-	proto.RegisterType((*MutatingAdmissionPolicySpec)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingAdmissionPolicySpec")
-	proto.RegisterType((*MutatingWebhook)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingWebhook")
-	proto.RegisterType((*MutatingWebhookConfiguration)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingWebhookConfiguration")
-	proto.RegisterType((*MutatingWebhookConfigurationList)(nil), "k8s.io.api.admissionregistration.v1beta1.MutatingWebhookConfigurationList")
-	proto.RegisterType((*Mutation)(nil), "k8s.io.api.admissionregistration.v1beta1.Mutation")
-	proto.RegisterType((*NamedRuleWithOperations)(nil), "k8s.io.api.admissionregistration.v1beta1.NamedRuleWithOperations")
-	proto.RegisterType((*ParamKind)(nil), "k8s.io.api.admissionregistration.v1beta1.ParamKind")
-	proto.RegisterType((*ParamRef)(nil), "k8s.io.api.admissionregistration.v1beta1.ParamRef")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.api.admissionregistration.v1beta1.ServiceReference")
-	proto.RegisterType((*TypeChecking)(nil), "k8s.io.api.admissionregistration.v1beta1.TypeChecking")
-	proto.RegisterType((*ValidatingAdmissionPolicy)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy")
-	proto.RegisterType((*ValidatingAdmissionPolicyBinding)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingList)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingList")
-	proto.RegisterType((*ValidatingAdmissionPolicyBindingSpec)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingSpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyList)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyList")
-	proto.RegisterType((*ValidatingAdmissionPolicySpec)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicySpec")
-	proto.RegisterType((*ValidatingAdmissionPolicyStatus)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyStatus")
-	proto.RegisterType((*ValidatingWebhook)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingWebhook")
-	proto.RegisterType((*ValidatingWebhookConfiguration)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration")
-	proto.RegisterType((*ValidatingWebhookConfigurationList)(nil), "k8s.io.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationList")
-	proto.RegisterType((*Validation)(nil), "k8s.io.api.admissionregistration.v1beta1.Validation")
-	proto.RegisterType((*Variable)(nil), "k8s.io.api.admissionregistration.v1beta1.Variable")
-	proto.RegisterType((*WebhookClientConfig)(nil), "k8s.io.api.admissionregistration.v1beta1.WebhookClientConfig")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/admissionregistration/v1beta1/generated.proto", fileDescriptor_7f7c65a4f012fb19)
-}
-
-var fileDescriptor_7f7c65a4f012fb19 = []byte{
-	// 2215 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0x4d, 0x6c, 0x1b, 0xc7,
-	0x15, 0xf6, 0x92, 0x92, 0x45, 0x3e, 0xca, 0x92, 0x38, 0x71, 0x2a, 0xfa, 0x8f, 0x14, 0x16, 0x41,
-	0x21, 0x03, 0x2d, 0x59, 0x2b, 0x41, 0xe2, 0x3a, 0x29, 0x02, 0xae, 0x62, 0x3b, 0x76, 0x24, 0x59,
-	0x18, 0x39, 0x52, 0xd1, 0x26, 0x40, 0x56, 0xcb, 0x21, 0xb9, 0x11, 0xb9, 0xcb, 0xee, 0x2c, 0x65,
-	0xab, 0x05, 0xda, 0x02, 0x2d, 0x90, 0x1e, 0x0b, 0xf4, 0x52, 0xa0, 0xa7, 0xde, 0x7b, 0x69, 0xef,
-	0x05, 0x7a, 0xf4, 0x31, 0xb7, 0x1a, 0x28, 0x4a, 0x54, 0x4c, 0xd1, 0x9e, 0x7a, 0x48, 0x81, 0xf6,
-	0xa0, 0x4b, 0x8b, 0x99, 0x9d, 0xfd, 0xdf, 0x95, 0x56, 0xb2, 0x2c, 0x17, 0x85, 0x6f, 0xda, 0xf7,
-	0xe6, 0xbd, 0x37, 0xef, 0xcd, 0x9b, 0xf7, 0xbe, 0x79, 0x22, 0xdc, 0xdc, 0xb9, 0x49, 0xeb, 0xba,
-	0xd9, 0x50, 0x07, 0x7a, 0x43, 0x6d, 0xf5, 0x75, 0x4a, 0x75, 0xd3, 0xb0, 0x48, 0x47, 0xa7, 0xb6,
-	0xa5, 0xda, 0xba, 0x69, 0x34, 0x76, 0x6f, 0x6c, 0x13, 0x5b, 0xbd, 0xd1, 0xe8, 0x10, 0x83, 0x58,
-	0xaa, 0x4d, 0x5a, 0xf5, 0x81, 0x65, 0xda, 0x26, 0x5a, 0x74, 0x24, 0xeb, 0xea, 0x40, 0xaf, 0x27,
-	0x4a, 0xd6, 0x85, 0xe4, 0xe5, 0xaf, 0x77, 0x74, 0xbb, 0x3b, 0xdc, 0xae, 0x6b, 0x66, 0xbf, 0xd1,
-	0x31, 0x3b, 0x66, 0x83, 0x2b, 0xd8, 0x1e, 0xb6, 0xf9, 0x17, 0xff, 0xe0, 0x7f, 0x39, 0x8a, 0x2f,
-	0xbf, 0x9e, 0x61, 0x4b, 0xd1, 0xdd, 0x5c, 0x7e, 0xc3, 0x17, 0xea, 0xab, 0x5a, 0x57, 0x37, 0x88,
-	0xb5, 0xd7, 0x18, 0xec, 0x74, 0x18, 0x81, 0x36, 0xfa, 0xc4, 0x56, 0x93, 0xa4, 0x1a, 0x69, 0x52,
-	0xd6, 0xd0, 0xb0, 0xf5, 0x3e, 0x89, 0x09, 0xbc, 0x79, 0x94, 0x00, 0xd5, 0xba, 0xa4, 0xaf, 0x46,
-	0xe5, 0xe4, 0xf7, 0x01, 0x35, 0x07, 0x83, 0xde, 0xde, 0xb2, 0x69, 0xb4, 0xf5, 0xce, 0xd0, 0xf1,
-	0x03, 0x2d, 0x01, 0x90, 0xc7, 0x03, 0x8b, 0x70, 0x0f, 0x2b, 0xd2, 0x82, 0xb4, 0x58, 0x54, 0xd0,
-	0x93, 0x51, 0xed, 0xdc, 0x78, 0x54, 0x83, 0xdb, 0x1e, 0x07, 0x07, 0x56, 0xc9, 0x14, 0x66, 0x9b,
-	0xc3, 0x96, 0x6e, 0x37, 0x0d, 0xc3, 0xb4, 0x1d, 0x35, 0xd7, 0x20, 0xbf, 0x43, 0xf6, 0x84, 0x7c,
-	0x49, 0xc8, 0xe7, 0x3f, 0x20, 0x7b, 0x98, 0xd1, 0x51, 0x13, 0x66, 0x77, 0xd5, 0xde, 0x90, 0xf8,
-	0x0a, 0x2b, 0x39, 0xbe, 0x74, 0x5e, 0x2c, 0x9d, 0xdd, 0x0c, 0xb3, 0x71, 0x74, 0xbd, 0xdc, 0x83,
-	0xb2, 0xff, 0xb5, 0xa5, 0x5a, 0x86, 0x6e, 0x74, 0xd0, 0xd7, 0xa0, 0xd0, 0xd6, 0x49, 0xaf, 0x85,
-	0x49, 0x5b, 0x28, 0x9c, 0x13, 0x0a, 0x0b, 0x77, 0x04, 0x1d, 0x7b, 0x2b, 0xd0, 0x75, 0x98, 0x7a,
-	0xe4, 0x08, 0x56, 0xf2, 0x7c, 0xf1, 0xac, 0x58, 0x3c, 0x25, 0xf4, 0x61, 0x97, 0x2f, 0xbf, 0x0b,
-	0xc5, 0xfb, 0x1b, 0x0f, 0xd6, 0xd6, 0x55, 0x5b, 0xeb, 0x9e, 0x28, 0x46, 0x6d, 0x98, 0x59, 0x65,
-	0xc2, 0xcb, 0xa6, 0xd1, 0xd2, 0x79, 0x88, 0x16, 0x60, 0xc2, 0x50, 0xfb, 0x44, 0xc8, 0x4f, 0x0b,
-	0xf9, 0x89, 0x35, 0xb5, 0x4f, 0x30, 0xe7, 0x44, 0xec, 0xe4, 0x32, 0xd9, 0xf9, 0xe3, 0x84, 0x30,
-	0x84, 0x09, 0x35, 0x87, 0x96, 0x46, 0x28, 0x7a, 0x0c, 0x65, 0xa6, 0x8e, 0x0e, 0x54, 0x8d, 0x6c,
-	0x90, 0x1e, 0xd1, 0x6c, 0xd3, 0xe2, 0x56, 0x4b, 0x4b, 0xaf, 0xd7, 0xfd, 0x1b, 0xe3, 0x25, 0x4f,
-	0x7d, 0xb0, 0xd3, 0x61, 0x04, 0x5a, 0x67, 0x39, 0x5a, 0xdf, 0xbd, 0x51, 0x5f, 0x51, 0xb7, 0x49,
-	0xcf, 0x15, 0x55, 0x5e, 0x1d, 0x8f, 0x6a, 0xe5, 0xb5, 0xa8, 0x46, 0x1c, 0x37, 0x82, 0x4c, 0x98,
-	0x31, 0xb7, 0x3f, 0x25, 0x9a, 0xed, 0x99, 0xcd, 0x9d, 0xdc, 0x2c, 0x1a, 0x8f, 0x6a, 0x33, 0x0f,
-	0x42, 0xea, 0x70, 0x44, 0x3d, 0xfa, 0x21, 0x5c, 0xb0, 0x84, 0xdf, 0x78, 0xd8, 0x23, 0xb4, 0x92,
-	0x5f, 0xc8, 0x2f, 0x96, 0x96, 0x9a, 0xf5, 0xac, 0x85, 0xa1, 0xce, 0xfc, 0x6a, 0x31, 0xd9, 0x2d,
-	0xdd, 0xee, 0x3e, 0x18, 0x10, 0x87, 0x4d, 0x95, 0x57, 0x45, 0xdc, 0x2f, 0xe0, 0xa0, 0x7e, 0x1c,
-	0x36, 0x87, 0x7e, 0x21, 0xc1, 0x45, 0xf2, 0x58, 0xeb, 0x0d, 0x5b, 0x24, 0xb4, 0xae, 0x32, 0x71,
-	0x5a, 0xfb, 0xb8, 0x2a, 0xf6, 0x71, 0xf1, 0x76, 0x82, 0x19, 0x9c, 0x68, 0x1c, 0xbd, 0x07, 0xa5,
-	0x3e, 0x4b, 0x89, 0x75, 0xb3, 0xa7, 0x6b, 0x7b, 0x95, 0x29, 0x9e, 0x48, 0xf2, 0x78, 0x54, 0x2b,
-	0xad, 0xfa, 0xe4, 0x83, 0x51, 0x6d, 0x36, 0xf0, 0xf9, 0x70, 0x6f, 0x40, 0x70, 0x50, 0x4c, 0xfe,
-	0xab, 0x04, 0xf3, 0xab, 0x43, 0x76, 0xbf, 0x8d, 0x4e, 0xd3, 0xdd, 0xbb, 0xc3, 0x43, 0x9f, 0x40,
-	0x81, 0x1d, 0x5a, 0x4b, 0xb5, 0x55, 0x91, 0x59, 0xdf, 0xc8, 0x76, 0xc4, 0xce, 0x79, 0xae, 0x12,
-	0x5b, 0xf5, 0x33, 0xdb, 0xa7, 0x61, 0x4f, 0x2b, 0xea, 0xc0, 0x04, 0x1d, 0x10, 0x4d, 0x24, 0xd0,
-	0xed, 0xec, 0x81, 0x4c, 0xd9, 0xf2, 0xc6, 0x80, 0x68, 0xfe, 0xa5, 0x63, 0x5f, 0x98, 0x1b, 0x90,
-	0xff, 0x29, 0x41, 0x35, 0x45, 0x46, 0xd1, 0x8d, 0x16, 0xab, 0x32, 0xcf, 0xdf, 0x5b, 0x23, 0xe4,
-	0xed, 0xca, 0x33, 0x7b, 0x2b, 0x76, 0x9e, 0xea, 0xf4, 0x97, 0x12, 0xc8, 0x87, 0x8b, 0xae, 0xe8,
-	0xd4, 0x46, 0x1f, 0xc5, 0x1c, 0xaf, 0x67, 0xbc, 0xc9, 0x3a, 0x75, 0xdc, 0xf6, 0xca, 0xb1, 0x4b,
-	0x09, 0x38, 0xdd, 0x87, 0x49, 0xdd, 0x26, 0x7d, 0x5a, 0xc9, 0xf1, 0xcb, 0xf2, 0xfe, 0x69, 0x79,
-	0xad, 0x5c, 0x10, 0x46, 0x27, 0xef, 0x31, 0xf5, 0xd8, 0xb1, 0x22, 0xff, 0x26, 0x77, 0x94, 0xcf,
-	0x2c, 0x40, 0xac, 0x08, 0x0f, 0x38, 0x71, 0xcd, 0x2f, 0xd6, 0xde, 0xe1, 0xad, 0x7b, 0x1c, 0x1c,
-	0x58, 0xc5, 0xe2, 0x34, 0x50, 0x2d, 0xb5, 0xef, 0xb6, 0xa1, 0xd2, 0xd2, 0x52, 0x76, 0x67, 0xd6,
-	0x85, 0xa4, 0x32, 0xcd, 0xe2, 0xe4, 0x7e, 0x61, 0x4f, 0x23, 0xb2, 0x61, 0xa6, 0x1f, 0xaa, 0xf0,
-	0xbc, 0x7b, 0x95, 0x96, 0x6e, 0x1e, 0x23, 0x60, 0x21, 0x79, 0xa7, 0xb4, 0x86, 0x69, 0x38, 0x62,
-	0x43, 0xfe, 0x42, 0x82, 0x2b, 0x29, 0xe1, 0x3a, 0x83, 0xdc, 0x68, 0x87, 0x73, 0xa3, 0xf9, 0xec,
-	0xb9, 0x91, 0x9c, 0x14, 0xbf, 0x3a, 0x9f, 0xea, 0x25, 0xcf, 0x86, 0x4f, 0xa0, 0xc8, 0xcf, 0xe1,
-	0x03, 0xdd, 0x68, 0x25, 0xf4, 0xd0, 0x2c, 0x47, 0xcb, 0x44, 0x95, 0x0b, 0xe3, 0x51, 0xad, 0xe8,
-	0x7d, 0x62, 0x5f, 0x29, 0xfa, 0x3e, 0xcc, 0xf5, 0x05, 0x50, 0x60, 0xf2, 0xba, 0x61, 0x53, 0x91,
-	0x43, 0x27, 0x3f, 0xdf, 0x8b, 0xe3, 0x51, 0x6d, 0x6e, 0x35, 0xa2, 0x15, 0xc7, 0xec, 0x20, 0x0d,
-	0x8a, 0xbb, 0xaa, 0xa5, 0xab, 0xdb, 0x7e, 0xeb, 0x3c, 0x46, 0xe2, 0x6e, 0x0a, 0x51, 0xa5, 0x2c,
-	0x42, 0x5b, 0x74, 0x29, 0x14, 0xfb, 0x7a, 0x99, 0x91, 0xfe, 0xd0, 0x81, 0x89, 0x6e, 0x5f, 0x5c,
-	0x3a, 0xee, 0x71, 0x9a, 0x86, 0x6f, 0xc4, 0xa5, 0x50, 0xec, 0xeb, 0x45, 0x2b, 0x70, 0xa1, 0xad,
-	0xea, 0xbd, 0xa1, 0x45, 0x44, 0xd3, 0x9b, 0xe4, 0x17, 0xf7, 0xab, 0xac, 0x83, 0xdf, 0x09, 0x32,
-	0x0e, 0x46, 0xb5, 0x72, 0x88, 0xc0, 0x1b, 0x5f, 0x58, 0x18, 0xfd, 0x00, 0x66, 0xfb, 0x21, 0xf0,
-	0x46, 0x2b, 0xe7, 0xf9, 0xc6, 0x8f, 0x7b, 0x24, 0x9e, 0x02, 0x1f, 0xe8, 0x86, 0xe9, 0x14, 0x47,
-	0x2d, 0xa1, 0x9f, 0x49, 0x80, 0x2c, 0xa2, 0x1b, 0xbb, 0xa6, 0xc6, 0x35, 0x86, 0xba, 0xf8, 0xb7,
-	0x85, 0x1a, 0x84, 0x63, 0x2b, 0x0e, 0x46, 0xb5, 0x5b, 0x19, 0x9e, 0x2d, 0xf5, 0xb8, 0x24, 0x0f,
-	0x41, 0x82, 0x4d, 0xf9, 0x6f, 0x05, 0x98, 0x75, 0x6f, 0xc7, 0x16, 0xd9, 0xee, 0x9a, 0xe6, 0x4e,
-	0x06, 0x18, 0xfb, 0x08, 0xa6, 0xb5, 0x9e, 0x4e, 0x0c, 0xdb, 0x79, 0x69, 0x88, 0x6c, 0xfe, 0x56,
-	0xf6, 0xd0, 0x09, 0x53, 0xcb, 0x01, 0x25, 0xca, 0x45, 0x61, 0x68, 0x3a, 0x48, 0xc5, 0x21, 0x43,
-	0xe8, 0x23, 0x98, 0xb4, 0x02, 0x28, 0xf0, 0xad, 0x2c, 0x16, 0xeb, 0x09, 0x98, 0xcb, 0x2b, 0x15,
-	0x0e, 0xc8, 0x72, 0x94, 0xc6, 0x53, 0x6c, 0xe2, 0x59, 0x52, 0x2c, 0x82, 0xd1, 0x8a, 0x27, 0xc2,
-	0x68, 0xc9, 0x50, 0x7f, 0xf2, 0xc5, 0x40, 0xfd, 0xd2, 0xf3, 0x85, 0xfa, 0xef, 0x41, 0x89, 0xea,
-	0x2d, 0x72, 0xbb, 0xdd, 0x26, 0x9a, 0xcd, 0xee, 0xa3, 0x17, 0xb0, 0x0d, 0x9f, 0xcc, 0x02, 0xe6,
-	0x7f, 0x2e, 0xf7, 0x54, 0x4a, 0x71, 0x50, 0x0c, 0xdd, 0x82, 0x19, 0xf6, 0x46, 0x36, 0x87, 0xf6,
-	0x06, 0xd1, 0x4c, 0xa3, 0x45, 0xf9, 0xbd, 0x9a, 0x74, 0x76, 0xf0, 0x30, 0xc4, 0xc1, 0x91, 0x95,
-	0xe8, 0x43, 0x98, 0xf7, 0xb2, 0x08, 0x93, 0x5d, 0x9d, 0x3c, 0xda, 0x24, 0x16, 0xe5, 0xd5, 0xa1,
-	0xb0, 0x90, 0x5f, 0x2c, 0x2a, 0x57, 0xc6, 0xa3, 0xda, 0x7c, 0x33, 0x79, 0x09, 0x4e, 0x93, 0x45,
-	0x3f, 0x4d, 0xbe, 0xef, 0xc0, 0x1d, 0x7c, 0x78, 0x56, 0x77, 0x3d, 0xa9, 0xe6, 0x4d, 0x9f, 0x55,
-	0xcd, 0x93, 0xff, 0x2c, 0xc1, 0xd5, 0x48, 0xa1, 0x09, 0x8f, 0x29, 0x9e, 0x3f, 0x04, 0xff, 0x2e,
-	0x14, 0x84, 0x65, 0x17, 0x74, 0x7c, 0xf3, 0xf8, 0xa0, 0x43, 0x68, 0x50, 0x26, 0x98, 0x29, 0xec,
-	0x29, 0x94, 0xff, 0x21, 0xc1, 0xc2, 0x61, 0xfe, 0x9d, 0x01, 0xa2, 0xda, 0x09, 0x23, 0xaa, 0x3b,
-	0x27, 0x76, 0x2e, 0xb4, 0xf1, 0x14, 0x58, 0xf5, 0xdb, 0x1c, 0x14, 0xdc, 0x3e, 0x8d, 0xde, 0x61,
-	0x18, 0xca, 0xd6, 0xba, 0x2c, 0xf5, 0xc4, 0x54, 0xa3, 0xea, 0x36, 0xf3, 0x75, 0x97, 0x71, 0x10,
-	0xfc, 0xc0, 0xbe, 0x00, 0xbf, 0x1e, 0x6a, 0x6c, 0x6e, 0x25, 0x20, 0xf0, 0x3b, 0xd9, 0xbd, 0x88,
-	0xcf, 0xbe, 0x94, 0xaf, 0xb0, 0xcb, 0x15, 0xa7, 0xe3, 0x04, 0x7b, 0x0c, 0x08, 0x7e, 0x4a, 0x4d,
-	0x83, 0x6f, 0x91, 0x57, 0xfe, 0x63, 0x01, 0x41, 0x6f, 0x96, 0xe4, 0x00, 0x41, 0xef, 0x13, 0xfb,
-	0x4a, 0xe5, 0xa7, 0x12, 0xcc, 0xa7, 0x4c, 0x01, 0xd0, 0x5b, 0xfe, 0x9c, 0x83, 0x57, 0xe7, 0x8a,
-	0xc4, 0x0b, 0x4e, 0x39, 0x38, 0xa0, 0xe0, 0x0c, 0x1c, 0x5e, 0x87, 0x7e, 0xc2, 0x8a, 0x4b, 0x4c,
-	0x9f, 0x68, 0xc9, 0x27, 0x6e, 0x90, 0x97, 0x3d, 0x14, 0x12, 0xe3, 0xe1, 0x04, 0x73, 0xb2, 0x0a,
-	0x3e, 0xf6, 0x65, 0x0f, 0x2c, 0x75, 0xa0, 0x8b, 0xf2, 0x17, 0x7d, 0x60, 0x35, 0xd7, 0xef, 0x09,
-	0x0e, 0x0e, 0xac, 0x62, 0xa0, 0x63, 0x87, 0x21, 0xf0, 0x5c, 0x18, 0x74, 0x70, 0x2c, 0xcd, 0x39,
-	0xf2, 0xef, 0x72, 0xe0, 0xbd, 0x9d, 0x32, 0x60, 0x94, 0x06, 0x14, 0xbd, 0x9e, 0x26, 0xb4, 0x7a,
-	0x00, 0xd3, 0xeb, 0x7f, 0xd8, 0x5f, 0x83, 0x3e, 0x86, 0x02, 0x75, 0x3b, 0x5d, 0xfe, 0xe4, 0x9d,
-	0x8e, 0xbf, 0xf1, 0xbc, 0x1e, 0xe7, 0xa9, 0x44, 0x36, 0xcc, 0xf3, 0x27, 0x01, 0xb1, 0x89, 0xb5,
-	0x66, 0xda, 0x77, 0xcc, 0xa1, 0xd1, 0x6a, 0x6a, 0x3c, 0xd3, 0x1d, 0x98, 0x71, 0x8b, 0xf5, 0x96,
-	0xf5, 0xe4, 0x25, 0x07, 0xa3, 0xda, 0x95, 0x14, 0x16, 0xbf, 0x4d, 0x69, 0xaa, 0xe5, 0x5f, 0x4b,
-	0x30, 0xb7, 0x41, 0xac, 0x5d, 0x5d, 0x23, 0x98, 0xb4, 0x89, 0x45, 0x0c, 0x2d, 0x12, 0x1a, 0x29,
-	0x43, 0x68, 0xdc, 0x68, 0xe7, 0x52, 0xa3, 0x7d, 0x15, 0x26, 0x06, 0xaa, 0xdd, 0x15, 0x53, 0xd7,
-	0x02, 0xe3, 0xae, 0xab, 0x76, 0x17, 0x73, 0x2a, 0xe7, 0x9a, 0x96, 0xcd, 0x1d, 0x9d, 0x14, 0x5c,
-	0xd3, 0xb2, 0x31, 0xa7, 0xca, 0xbf, 0x94, 0x60, 0x9a, 0x79, 0xb1, 0xdc, 0x25, 0xda, 0x8e, 0x6e,
-	0x74, 0xd0, 0x67, 0x12, 0x20, 0x12, 0x9d, 0x04, 0x3b, 0x37, 0xa2, 0xb4, 0xf4, 0x76, 0xf6, 0x3b,
-	0x19, 0x9b, 0x26, 0xfb, 0x69, 0x1d, 0x63, 0x51, 0x9c, 0x60, 0x52, 0xfe, 0x53, 0x0e, 0x2e, 0x6d,
-	0xaa, 0x3d, 0xbd, 0xf5, 0x82, 0x66, 0x64, 0x7a, 0x68, 0x6a, 0x74, 0xf7, 0x38, 0x2f, 0xb7, 0x94,
-	0x4d, 0xa7, 0x0d, 0x8c, 0xd0, 0xf7, 0xe0, 0x3c, 0xb5, 0x55, 0x7b, 0xe8, 0xce, 0x1e, 0xee, 0x9d,
-	0x86, 0x31, 0xae, 0x50, 0x99, 0x11, 0xe6, 0xce, 0x3b, 0xdf, 0x58, 0x18, 0x92, 0xff, 0x2d, 0xc1,
-	0x42, 0xaa, 0xec, 0xd9, 0x8d, 0xe6, 0x06, 0xa1, 0x20, 0xaf, 0x9d, 0x82, 0xdf, 0x47, 0x0d, 0xe7,
-	0xfe, 0x25, 0xc1, 0x6b, 0x47, 0x09, 0x9f, 0x01, 0x60, 0x30, 0xc3, 0x80, 0xe1, 0xfe, 0xe9, 0x79,
-	0x9e, 0x02, 0x1a, 0x3e, 0xcb, 0x1f, 0xed, 0xf7, 0xcb, 0x11, 0x5d, 0xe0, 0x1f, 0x3d, 0x5b, 0x50,
-	0xde, 0x15, 0xf1, 0x32, 0x0d, 0xa7, 0xa4, 0x3b, 0x13, 0x96, 0xa2, 0x72, 0x9d, 0x3d, 0xe4, 0x36,
-	0xa3, 0xcc, 0x83, 0x51, 0x6d, 0x2e, 0x4a, 0xc4, 0x71, 0x1d, 0xf2, 0xdf, 0x25, 0xb8, 0x96, 0x7a,
-	0x12, 0x67, 0x90, 0x7a, 0xdd, 0x70, 0xea, 0x2d, 0x9f, 0x46, 0xea, 0xa5, 0xce, 0xff, 0xae, 0x1d,
-	0x5a, 0x0d, 0xff, 0xcf, 0x27, 0x80, 0x3b, 0x50, 0xf2, 0x8f, 0xdf, 0x1d, 0x9c, 0xbc, 0x71, 0xfc,
-	0x78, 0x9b, 0x86, 0xf2, 0x8a, 0x08, 0x70, 0xc9, 0xa7, 0x51, 0x1c, 0xd4, 0x7e, 0xca, 0x13, 0x94,
-	0x1f, 0xc1, 0x9c, 0x1a, 0xfe, 0x2f, 0x34, 0xad, 0x4c, 0x1e, 0xf7, 0xe1, 0x16, 0xf9, 0x3f, 0xb6,
-	0x52, 0x11, 0x4e, 0xcc, 0x45, 0x18, 0x14, 0xc7, 0x8c, 0xbd, 0xd8, 0x29, 0x61, 0x68, 0x74, 0x3b,
-	0xf5, 0x7c, 0x46, 0xb7, 0xf2, 0x1f, 0x72, 0x50, 0x3b, 0xa2, 0x7d, 0xa3, 0xfb, 0x80, 0xcc, 0x6d,
-	0x4a, 0xac, 0x5d, 0xd2, 0xba, 0xeb, 0xfc, 0xe2, 0xc0, 0x85, 0xf5, 0x79, 0x1f, 0x50, 0x3d, 0x88,
-	0xad, 0xc0, 0x09, 0x52, 0xa8, 0x07, 0xd3, 0x76, 0x00, 0xea, 0x89, 0x5b, 0xf0, 0x66, 0x76, 0xbf,
-	0x82, 0x40, 0x51, 0x99, 0x1b, 0x8f, 0x6a, 0x21, 0xe8, 0x88, 0x43, 0xda, 0x91, 0x06, 0xa0, 0xf9,
-	0x47, 0xe7, 0xa4, 0x7e, 0x23, 0x5b, 0x15, 0xf3, 0x4f, 0xcc, 0xeb, 0x3b, 0x81, 0xc3, 0x0a, 0xa8,
-	0x95, 0xf7, 0xa7, 0xa0, 0xec, 0x87, 0xf0, 0xe5, 0x10, 0xf5, 0xe5, 0x10, 0xf5, 0xd0, 0x21, 0x2a,
-	0xbc, 0x1c, 0xa2, 0x9e, 0x68, 0x88, 0x9a, 0x50, 0x8b, 0x4b, 0x67, 0x36, 0xbd, 0xdc, 0x97, 0xa0,
-	0x1a, 0xbb, 0xe3, 0x67, 0x3d, 0xbf, 0xfc, 0x38, 0x36, 0xbf, 0x7c, 0xfb, 0x24, 0xb0, 0x29, 0x6d,
-	0x82, 0xf9, 0xa5, 0x04, 0xf2, 0xe1, 0x3e, 0xfe, 0x4f, 0xff, 0x62, 0xe0, 0xf0, 0xad, 0xa7, 0x80,
-	0xc3, 0xff, 0x48, 0x00, 0x3e, 0x98, 0x41, 0xaf, 0x41, 0xe0, 0x47, 0x58, 0xa2, 0x74, 0x3b, 0x61,
-	0x0a, 0xd0, 0xd1, 0x75, 0x98, 0xea, 0x13, 0x4a, 0xd5, 0x8e, 0x3b, 0x10, 0xf1, 0x7e, 0x64, 0xb6,
-	0xea, 0x90, 0xb1, 0xcb, 0x47, 0x5b, 0x70, 0xde, 0x22, 0x2a, 0x15, 0xd3, 0xcc, 0xa2, 0xf2, 0x2e,
-	0x7b, 0x05, 0x63, 0x4e, 0x39, 0x18, 0xd5, 0x6e, 0x64, 0xf9, 0x39, 0x61, 0x5d, 0x3c, 0x9a, 0xb9,
-	0x10, 0x16, 0xea, 0xd0, 0x5d, 0x28, 0x0b, 0x1b, 0x81, 0x0d, 0x3b, 0x95, 0xf6, 0x92, 0xd8, 0x4d,
-	0x79, 0x35, 0xba, 0x00, 0xc7, 0x65, 0xe4, 0xfb, 0x50, 0x70, 0x81, 0x01, 0xaa, 0xc0, 0x44, 0xe0,
-	0xbd, 0xe5, 0x38, 0xce, 0x29, 0x91, 0xc0, 0xe4, 0x92, 0x03, 0x23, 0xff, 0x5e, 0x82, 0x57, 0x12,
-	0x9a, 0x12, 0xba, 0x04, 0xf9, 0xa1, 0xd5, 0x13, 0x21, 0x98, 0x1a, 0x8f, 0x6a, 0xf9, 0x0f, 0xf1,
-	0x0a, 0x66, 0x34, 0xa4, 0xc2, 0x14, 0x75, 0xc6, 0x53, 0x22, 0x99, 0x6e, 0x65, 0x3f, 0xf1, 0xe8,
-	0x5c, 0x4b, 0x29, 0xb1, 0x33, 0x70, 0xa9, 0xae, 0x5e, 0xb4, 0x08, 0x05, 0x4d, 0x55, 0x86, 0x46,
-	0xab, 0xe7, 0x9c, 0xd7, 0xb4, 0xf3, 0xc6, 0x5b, 0x6e, 0x3a, 0x34, 0xec, 0x71, 0x95, 0xb5, 0x27,
-	0xfb, 0xd5, 0x73, 0x9f, 0xef, 0x57, 0xcf, 0x3d, 0xdd, 0xaf, 0x9e, 0xfb, 0xf1, 0xb8, 0x2a, 0x3d,
-	0x19, 0x57, 0xa5, 0xcf, 0xc7, 0x55, 0xe9, 0xe9, 0xb8, 0x2a, 0xfd, 0x65, 0x5c, 0x95, 0x7e, 0xfe,
-	0x45, 0xf5, 0xdc, 0x77, 0x16, 0xb3, 0xfe, 0x98, 0xf5, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x13,
-	0x7c, 0x49, 0xa4, 0xf7, 0x2a, 0x00, 0x00,
-}
+func (m *WebhookClientConfig) Reset() { *m = WebhookClientConfig{} }
 
 func (m *ApplyConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
index fb47a20056ea4..d184664e56334 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.proto
@@ -815,7 +815,6 @@ message TypeChecking {
   repeated ExpressionWarning expressionWarnings = 1;
 }
 
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..67b85ac629cb6
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,90 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ApplyConfiguration) ProtoMessage() {}
+
+func (*AuditAnnotation) ProtoMessage() {}
+
+func (*ExpressionWarning) ProtoMessage() {}
+
+func (*JSONPatch) ProtoMessage() {}
+
+func (*MatchCondition) ProtoMessage() {}
+
+func (*MatchResources) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicy) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBinding) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBindingList) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyBindingSpec) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicyList) ProtoMessage() {}
+
+func (*MutatingAdmissionPolicySpec) ProtoMessage() {}
+
+func (*MutatingWebhook) ProtoMessage() {}
+
+func (*MutatingWebhookConfiguration) ProtoMessage() {}
+
+func (*MutatingWebhookConfigurationList) ProtoMessage() {}
+
+func (*Mutation) ProtoMessage() {}
+
+func (*NamedRuleWithOperations) ProtoMessage() {}
+
+func (*ParamKind) ProtoMessage() {}
+
+func (*ParamRef) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
+
+func (*TypeChecking) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicy) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBinding) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyBindingSpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyList) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicySpec) ProtoMessage() {}
+
+func (*ValidatingAdmissionPolicyStatus) ProtoMessage() {}
+
+func (*ValidatingWebhook) ProtoMessage() {}
+
+func (*ValidatingWebhookConfiguration) ProtoMessage() {}
+
+func (*ValidatingWebhookConfigurationList) ProtoMessage() {}
+
+func (*Validation) ProtoMessage() {}
+
+func (*Variable) ProtoMessage() {}
+
+func (*WebhookClientConfig) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
index cffdda82c9a52..c7259d3d3e988 100644
--- a/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/types.go
@@ -26,6 +26,7 @@ import (
 type Rule = v1.Rule
 
 // ScopeType specifies a scope for a Rule.
+// +enum
 type ScopeType = v1.ScopeType
 
 const (
@@ -87,7 +88,6 @@ const (
 	SideEffectClassNoneOnDryRun SideEffectClass = "NoneOnDryRun"
 )
 
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -1072,16 +1072,18 @@ type MutatingWebhook struct {
 	MatchConditions []MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,12,rep,name=matchConditions"`
 }
 
-// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// ReinvocationPolicyType specifies what type of policy is used when other admission plugins also perform
+// modifications.
+// +enum
 type ReinvocationPolicyType = v1.ReinvocationPolicyType
 
 const (
-	// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+	// NeverReinvocationPolicy indicates that the mutation must not be called more than once in a
 	// single admission evaluation.
 	NeverReinvocationPolicy ReinvocationPolicyType = "Never"
-	// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+	// IfNeededReinvocationPolicy indicates that the mutation may be called at least one
 	// additional time as part of the admission evaluation if the object being admitted is
-	// modified by other admission plugins after the initial webhook call.
+	// modified by other admission plugins after the initial mutation call.
 	IfNeededReinvocationPolicy ReinvocationPolicyType = "IfNeeded"
 )
 
diff --git a/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..f747248e9c85d
--- /dev/null
+++ b/staging/src/k8s.io/api/admissionregistration/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,192 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ApplyConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ApplyConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuditAnnotation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExpressionWarning) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ExpressionWarning"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONPatch) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.JSONPatch"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchCondition) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MatchCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MatchResources) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MatchResources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBinding) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyBindingSpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBindingSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingAdmissionPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhook) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingWebhook"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhookConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MutatingWebhookConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Mutation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.Mutation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamedRuleWithOperations) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamKind) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ParamKind"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParamRef) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ParamRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ServiceReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypeChecking) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.TypeChecking"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBinding) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyBindingSpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyStatus) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhook) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingWebhook"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhookConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingWebhookConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Validation) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.Validation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Variable) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.Variable"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookClientConfig) OpenAPIModelName() string {
+	return "io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig"
+}
diff --git a/staging/src/k8s.io/api/apidiscovery/v2/doc.go b/staging/src/k8s.io/api/apidiscovery/v2/doc.go
index f46d33e942f2e..9d30b342a785c 100644
--- a/staging/src/k8s.io/api/apidiscovery/v2/doc.go
+++ b/staging/src/k8s.io/api/apidiscovery/v2/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apidiscovery.v2
+
 // +groupName=apidiscovery.k8s.io
 
 package v2
diff --git a/staging/src/k8s.io/api/apidiscovery/v2/generated.pb.go b/staging/src/k8s.io/api/apidiscovery/v2/generated.pb.go
index 5c37feaa2ea3e..5056c8a49bccd 100644
--- a/staging/src/k8s.io/api/apidiscovery/v2/generated.pb.go
+++ b/staging/src/k8s.io/api/apidiscovery/v2/generated.pb.go
@@ -24,227 +24,22 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *APIGroupDiscovery) Reset() { *m = APIGroupDiscovery{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *APIGroupDiscoveryList) Reset() { *m = APIGroupDiscoveryList{} }
 
-func (m *APIGroupDiscovery) Reset()      { *m = APIGroupDiscovery{} }
-func (*APIGroupDiscovery) ProtoMessage() {}
-func (*APIGroupDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_e0b7287280068d8f, []int{0}
-}
-func (m *APIGroupDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroupDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroupDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroupDiscovery.Merge(m, src)
-}
-func (m *APIGroupDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroupDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroupDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroupDiscovery proto.InternalMessageInfo
-
-func (m *APIGroupDiscoveryList) Reset()      { *m = APIGroupDiscoveryList{} }
-func (*APIGroupDiscoveryList) ProtoMessage() {}
-func (*APIGroupDiscoveryList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_e0b7287280068d8f, []int{1}
-}
-func (m *APIGroupDiscoveryList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroupDiscoveryList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroupDiscoveryList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroupDiscoveryList.Merge(m, src)
-}
-func (m *APIGroupDiscoveryList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroupDiscoveryList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroupDiscoveryList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroupDiscoveryList proto.InternalMessageInfo
-
-func (m *APIResourceDiscovery) Reset()      { *m = APIResourceDiscovery{} }
-func (*APIResourceDiscovery) ProtoMessage() {}
-func (*APIResourceDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_e0b7287280068d8f, []int{2}
-}
-func (m *APIResourceDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIResourceDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIResourceDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIResourceDiscovery.Merge(m, src)
-}
-func (m *APIResourceDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIResourceDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIResourceDiscovery.DiscardUnknown(m)
-}
+func (m *APIResourceDiscovery) Reset() { *m = APIResourceDiscovery{} }
 
-var xxx_messageInfo_APIResourceDiscovery proto.InternalMessageInfo
+func (m *APISubresourceDiscovery) Reset() { *m = APISubresourceDiscovery{} }
 
-func (m *APISubresourceDiscovery) Reset()      { *m = APISubresourceDiscovery{} }
-func (*APISubresourceDiscovery) ProtoMessage() {}
-func (*APISubresourceDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_e0b7287280068d8f, []int{3}
-}
-func (m *APISubresourceDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APISubresourceDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APISubresourceDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APISubresourceDiscovery.Merge(m, src)
-}
-func (m *APISubresourceDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APISubresourceDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APISubresourceDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APISubresourceDiscovery proto.InternalMessageInfo
-
-func (m *APIVersionDiscovery) Reset()      { *m = APIVersionDiscovery{} }
-func (*APIVersionDiscovery) ProtoMessage() {}
-func (*APIVersionDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_e0b7287280068d8f, []int{4}
-}
-func (m *APIVersionDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIVersionDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIVersionDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIVersionDiscovery.Merge(m, src)
-}
-func (m *APIVersionDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIVersionDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIVersionDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIVersionDiscovery proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*APIGroupDiscovery)(nil), "k8s.io.api.apidiscovery.v2.APIGroupDiscovery")
-	proto.RegisterType((*APIGroupDiscoveryList)(nil), "k8s.io.api.apidiscovery.v2.APIGroupDiscoveryList")
-	proto.RegisterType((*APIResourceDiscovery)(nil), "k8s.io.api.apidiscovery.v2.APIResourceDiscovery")
-	proto.RegisterType((*APISubresourceDiscovery)(nil), "k8s.io.api.apidiscovery.v2.APISubresourceDiscovery")
-	proto.RegisterType((*APIVersionDiscovery)(nil), "k8s.io.api.apidiscovery.v2.APIVersionDiscovery")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apidiscovery/v2/generated.proto", fileDescriptor_e0b7287280068d8f)
-}
-
-var fileDescriptor_e0b7287280068d8f = []byte{
-	// 736 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcd, 0x4e, 0xdb, 0x4c,
-	0x14, 0x8d, 0x09, 0xf9, 0x48, 0x26, 0xc9, 0xd7, 0x30, 0x80, 0x6a, 0x65, 0xe1, 0xa0, 0x6c, 0x4a,
-	0xab, 0x32, 0x86, 0x94, 0xa2, 0x2e, 0x9b, 0x94, 0xb6, 0x8a, 0xfa, 0x87, 0x26, 0x15, 0x8b, 0xaa,
-	0x95, 0xea, 0x38, 0x83, 0xe3, 0x82, 0x7f, 0x34, 0xe3, 0x44, 0x62, 0xd7, 0x47, 0xe8, 0x13, 0xf4,
-	0x79, 0xe8, 0x8e, 0x05, 0x0b, 0x56, 0x51, 0x49, 0x77, 0x7d, 0x04, 0x56, 0xd5, 0x8c, 0xc7, 0x3f,
-	0x21, 0x44, 0x41, 0x5d, 0x74, 0x81, 0x84, 0xcf, 0x9c, 0x73, 0xee, 0x3d, 0xd7, 0xd7, 0x13, 0xf0,
-	0xe0, 0xe8, 0x09, 0x43, 0xb6, 0xa7, 0x1b, 0xbe, 0xcd, 0xff, 0x7a, 0x36, 0x33, 0xbd, 0x21, 0xa1,
-	0x27, 0xfa, 0xb0, 0xa1, 0x5b, 0xc4, 0x25, 0xd4, 0x08, 0x48, 0x0f, 0xf9, 0xd4, 0x0b, 0x3c, 0x58,
-	0x0d, 0xb9, 0xc8, 0xf0, 0x6d, 0x94, 0xe6, 0xa2, 0x61, 0xa3, 0xba, 0x69, 0xd9, 0x41, 0x7f, 0xd0,
-	0x45, 0xa6, 0xe7, 0xe8, 0x96, 0x67, 0x79, 0xba, 0x90, 0x74, 0x07, 0x87, 0xe2, 0x49, 0x3c, 0x88,
-	0xff, 0x42, 0xab, 0xea, 0x4e, 0x52, 0xd6, 0x31, 0xcc, 0xbe, 0xed, 0xf2, 0x92, 0xfe, 0x91, 0xc5,
-	0x01, 0xa6, 0x3b, 0x24, 0x30, 0xf4, 0xe1, 0xf6, 0xf5, 0x06, 0xaa, 0xfa, 0x2c, 0x15, 0x1d, 0xb8,
-	0x81, 0xed, 0x90, 0x29, 0xc1, 0xee, 0x3c, 0x01, 0x33, 0xfb, 0xc4, 0x31, 0xae, 0xeb, 0xea, 0xe7,
-	0x0a, 0x58, 0x6e, 0xee, 0xb7, 0x5f, 0x52, 0x6f, 0xe0, 0xef, 0x45, 0x31, 0xe1, 0x67, 0x90, 0xe7,
-	0x9d, 0xf5, 0x8c, 0xc0, 0x50, 0x95, 0x75, 0x65, 0xa3, 0xd8, 0xd8, 0x42, 0xc9, 0x48, 0xe2, 0x02,
-	0xc8, 0x3f, 0xb2, 0x38, 0xc0, 0x10, 0x67, 0xa3, 0xe1, 0x36, 0x7a, 0xd7, 0xfd, 0x42, 0xcc, 0xe0,
-	0x0d, 0x09, 0x8c, 0x16, 0x3c, 0x1d, 0xd5, 0x32, 0xe3, 0x51, 0x0d, 0x24, 0x18, 0x8e, 0x5d, 0xe1,
-	0x27, 0x90, 0x1f, 0x12, 0xca, 0x6c, 0xcf, 0x65, 0xea, 0xc2, 0x7a, 0x76, 0xa3, 0xd8, 0xd0, 0xd1,
-	0xec, 0xa1, 0xa3, 0xe6, 0x7e, 0xfb, 0x20, 0xa4, 0xc7, 0x4d, 0xb6, 0x2a, 0xb2, 0x40, 0x5e, 0x9e,
-	0x30, 0x1c, 0x5b, 0xd6, 0x7f, 0x28, 0x60, 0x6d, 0x2a, 0xd6, 0x6b, 0x9b, 0x05, 0xf0, 0xe3, 0x54,
-	0x34, 0x74, 0xbb, 0x68, 0x5c, 0x2d, 0x82, 0xc5, 0x75, 0x23, 0x24, 0x15, 0x0b, 0x83, 0x9c, 0x1d,
-	0x10, 0x27, 0xca, 0xb4, 0x39, 0x27, 0xd3, 0x64, 0x7f, 0xad, 0xb2, 0x74, 0xce, 0xb5, 0xb9, 0x07,
-	0x0e, 0xad, 0xea, 0xdf, 0x17, 0xc1, 0x6a, 0x73, 0xbf, 0x8d, 0x09, 0xf3, 0x06, 0xd4, 0x24, 0xc9,
-	0x5b, 0x7a, 0x08, 0xf2, 0x54, 0x82, 0x22, 0x4a, 0x21, 0x69, 0x2d, 0x22, 0xe3, 0x98, 0x01, 0x8f,
-	0x41, 0x89, 0x12, 0xe6, 0x7b, 0x2e, 0x23, 0xaf, 0x6c, 0xb7, 0xa7, 0x2e, 0x88, 0xf0, 0xbb, 0xb7,
-	0x0b, 0x2f, 0x1a, 0x95, 0x73, 0xe6, 0xea, 0x56, 0x65, 0x3c, 0xaa, 0x95, 0x70, 0xca, 0x0f, 0x4f,
-	0xb8, 0xc3, 0x1d, 0x90, 0x63, 0xa6, 0xe7, 0x13, 0x35, 0x2b, 0x1a, 0xd3, 0xa2, 0x64, 0x1d, 0x0e,
-	0x5e, 0x8d, 0x6a, 0xe5, 0xa8, 0x43, 0x01, 0xe0, 0x90, 0x0c, 0xf7, 0x40, 0x85, 0xd9, 0xae, 0x35,
-	0x38, 0x36, 0x68, 0x74, 0xae, 0x2e, 0x0a, 0x03, 0x55, 0x1a, 0x54, 0x3a, 0xd7, 0xce, 0xf1, 0x94,
-	0x02, 0xd6, 0x40, 0x6e, 0x48, 0x68, 0x97, 0xa9, 0xb9, 0xf5, 0xec, 0x46, 0xa1, 0x55, 0xe0, 0x75,
-	0x0f, 0x38, 0x80, 0x43, 0x1c, 0x22, 0x00, 0x58, 0xdf, 0xa3, 0xc1, 0x5b, 0xc3, 0x21, 0x4c, 0xfd,
-	0x4f, 0xb0, 0xfe, 0xe7, 0xab, 0xda, 0x89, 0x51, 0x9c, 0x62, 0x70, 0xbe, 0x69, 0x04, 0xc4, 0xf2,
-	0xa8, 0x4d, 0x98, 0xba, 0x94, 0xf0, 0x9f, 0xc5, 0x28, 0x4e, 0x31, 0xa0, 0x03, 0x4a, 0x6c, 0xd0,
-	0x8d, 0x26, 0xcf, 0xd4, 0xbc, 0x58, 0x86, 0x47, 0x73, 0x96, 0xa1, 0x93, 0x48, 0x92, 0x95, 0x58,
-	0x95, 0xb9, 0x4b, 0xa9, 0x53, 0x86, 0x27, 0xec, 0xeb, 0xe7, 0x0b, 0xe0, 0xee, 0x0c, 0x3d, 0x7c,
-	0x0c, 0x8a, 0x29, 0xae, 0x5c, 0x93, 0x15, 0x69, 0x5a, 0x4c, 0x49, 0x70, 0x9a, 0xf7, 0x8f, 0x97,
-	0x85, 0x81, 0xb2, 0x61, 0x9a, 0xc4, 0x0f, 0x48, 0xef, 0xfd, 0x89, 0x4f, 0x98, 0x9a, 0x15, 0x03,
-	0xfb, 0xdb, 0x72, 0x6b, 0x32, 0x5e, 0xb9, 0x99, 0x36, 0xc5, 0x93, 0x35, 0x92, 0x2d, 0x59, 0xbc,
-	0x79, 0x4b, 0xea, 0xbf, 0x15, 0xb0, 0x72, 0xc3, 0xbd, 0x03, 0xef, 0x83, 0x25, 0x79, 0xcf, 0xc8,
-	0x71, 0xde, 0x91, 0xf5, 0x96, 0x24, 0x15, 0x47, 0xe7, 0xd0, 0x00, 0x85, 0x64, 0x0b, 0xc2, 0x2b,
-	0x61, 0x6b, 0xce, 0x16, 0x4c, 0x7d, 0xe6, 0xad, 0x65, 0x69, 0x5f, 0xc0, 0xf1, 0xfb, 0x4f, 0x5c,
-	0xe1, 0x73, 0x50, 0x38, 0xa4, 0x84, 0xf5, 0x5d, 0xc2, 0x98, 0xfc, 0xd8, 0xee, 0x45, 0x82, 0x17,
-	0xd1, 0xc1, 0xd5, 0xa8, 0x06, 0x63, 0xc3, 0x18, 0xc5, 0x89, 0xb2, 0xf5, 0xf4, 0xf4, 0x52, 0xcb,
-	0x9c, 0x5d, 0x6a, 0x99, 0x8b, 0x4b, 0x2d, 0xf3, 0x75, 0xac, 0x29, 0xa7, 0x63, 0x4d, 0x39, 0x1b,
-	0x6b, 0xca, 0xc5, 0x58, 0x53, 0x7e, 0x8e, 0x35, 0xe5, 0xdb, 0x2f, 0x2d, 0xf3, 0xa1, 0x3a, 0xfb,
-	0x37, 0xf4, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x5d, 0x35, 0x6a, 0x0f, 0x60, 0x07, 0x00, 0x00,
-}
+func (m *APIVersionDiscovery) Reset() { *m = APIVersionDiscovery{} }
 
 func (m *APIGroupDiscovery) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/apidiscovery/v2/generated.protomessage.pb.go b/staging/src/k8s.io/api/apidiscovery/v2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..35fe0d2a8ad18
--- /dev/null
+++ b/staging/src/k8s.io/api/apidiscovery/v2/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v2
+
+func (*APIGroupDiscovery) ProtoMessage() {}
+
+func (*APIGroupDiscoveryList) ProtoMessage() {}
+
+func (*APIResourceDiscovery) ProtoMessage() {}
+
+func (*APISubresourceDiscovery) ProtoMessage() {}
+
+func (*APIVersionDiscovery) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apidiscovery/v2/zz_generated.model_name.go b/staging/src/k8s.io/api/apidiscovery/v2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..40724b0fd7dfc
--- /dev/null
+++ b/staging/src/k8s.io/api/apidiscovery/v2/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroupDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2.APIGroupDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroupDiscoveryList) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2.APIGroupDiscoveryList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIResourceDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2.APIResourceDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APISubresourceDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2.APISubresourceDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIVersionDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2.APIVersionDiscovery"
+}
diff --git a/staging/src/k8s.io/api/apidiscovery/v2beta1/doc.go b/staging/src/k8s.io/api/apidiscovery/v2beta1/doc.go
index d4fceab68d428..244986bb419f4 100644
--- a/staging/src/k8s.io/api/apidiscovery/v2beta1/doc.go
+++ b/staging/src/k8s.io/api/apidiscovery/v2beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apidiscovery.v2beta1
 
 // +groupName=apidiscovery.k8s.io
 
diff --git a/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.pb.go b/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.pb.go
index 398c5f94f2af4..8994f570f51c7 100644
--- a/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.pb.go
@@ -24,228 +24,22 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *APIGroupDiscovery) Reset() { *m = APIGroupDiscovery{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *APIGroupDiscoveryList) Reset() { *m = APIGroupDiscoveryList{} }
 
-func (m *APIGroupDiscovery) Reset()      { *m = APIGroupDiscovery{} }
-func (*APIGroupDiscovery) ProtoMessage() {}
-func (*APIGroupDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_48661e6ba3d554f3, []int{0}
-}
-func (m *APIGroupDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroupDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroupDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroupDiscovery.Merge(m, src)
-}
-func (m *APIGroupDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroupDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroupDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroupDiscovery proto.InternalMessageInfo
-
-func (m *APIGroupDiscoveryList) Reset()      { *m = APIGroupDiscoveryList{} }
-func (*APIGroupDiscoveryList) ProtoMessage() {}
-func (*APIGroupDiscoveryList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_48661e6ba3d554f3, []int{1}
-}
-func (m *APIGroupDiscoveryList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroupDiscoveryList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroupDiscoveryList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroupDiscoveryList.Merge(m, src)
-}
-func (m *APIGroupDiscoveryList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroupDiscoveryList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroupDiscoveryList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroupDiscoveryList proto.InternalMessageInfo
-
-func (m *APIResourceDiscovery) Reset()      { *m = APIResourceDiscovery{} }
-func (*APIResourceDiscovery) ProtoMessage() {}
-func (*APIResourceDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_48661e6ba3d554f3, []int{2}
-}
-func (m *APIResourceDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIResourceDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIResourceDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIResourceDiscovery.Merge(m, src)
-}
-func (m *APIResourceDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIResourceDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIResourceDiscovery.DiscardUnknown(m)
-}
+func (m *APIResourceDiscovery) Reset() { *m = APIResourceDiscovery{} }
 
-var xxx_messageInfo_APIResourceDiscovery proto.InternalMessageInfo
+func (m *APISubresourceDiscovery) Reset() { *m = APISubresourceDiscovery{} }
 
-func (m *APISubresourceDiscovery) Reset()      { *m = APISubresourceDiscovery{} }
-func (*APISubresourceDiscovery) ProtoMessage() {}
-func (*APISubresourceDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_48661e6ba3d554f3, []int{3}
-}
-func (m *APISubresourceDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APISubresourceDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APISubresourceDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APISubresourceDiscovery.Merge(m, src)
-}
-func (m *APISubresourceDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APISubresourceDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APISubresourceDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APISubresourceDiscovery proto.InternalMessageInfo
-
-func (m *APIVersionDiscovery) Reset()      { *m = APIVersionDiscovery{} }
-func (*APIVersionDiscovery) ProtoMessage() {}
-func (*APIVersionDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_48661e6ba3d554f3, []int{4}
-}
-func (m *APIVersionDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIVersionDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIVersionDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIVersionDiscovery.Merge(m, src)
-}
-func (m *APIVersionDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIVersionDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIVersionDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIVersionDiscovery proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*APIGroupDiscovery)(nil), "k8s.io.api.apidiscovery.v2beta1.APIGroupDiscovery")
-	proto.RegisterType((*APIGroupDiscoveryList)(nil), "k8s.io.api.apidiscovery.v2beta1.APIGroupDiscoveryList")
-	proto.RegisterType((*APIResourceDiscovery)(nil), "k8s.io.api.apidiscovery.v2beta1.APIResourceDiscovery")
-	proto.RegisterType((*APISubresourceDiscovery)(nil), "k8s.io.api.apidiscovery.v2beta1.APISubresourceDiscovery")
-	proto.RegisterType((*APIVersionDiscovery)(nil), "k8s.io.api.apidiscovery.v2beta1.APIVersionDiscovery")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apidiscovery/v2beta1/generated.proto", fileDescriptor_48661e6ba3d554f3)
-}
-
-var fileDescriptor_48661e6ba3d554f3 = []byte{
-	// 740 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcd, 0x4e, 0xdb, 0x4a,
-	0x18, 0x8d, 0x09, 0xb9, 0x24, 0x93, 0xe4, 0xde, 0x30, 0x80, 0xae, 0xc5, 0xc2, 0x46, 0xd9, 0x5c,
-	0xae, 0xd4, 0x8e, 0x4b, 0x04, 0x88, 0x6d, 0x52, 0x68, 0x15, 0xf5, 0x0f, 0x4d, 0x2a, 0x2a, 0x55,
-	0x5d, 0xd4, 0x71, 0x06, 0xc7, 0x85, 0xd8, 0xd6, 0xcc, 0x24, 0x12, 0xbb, 0x3e, 0x42, 0xdf, 0xa1,
-	0x2f, 0xc3, 0xaa, 0x62, 0xd1, 0x05, 0xdd, 0x44, 0x25, 0x7d, 0x80, 0xee, 0x59, 0x55, 0x33, 0x1e,
-	0xff, 0x84, 0x80, 0x88, 0xba, 0xe8, 0x22, 0x52, 0x7c, 0xe6, 0x9c, 0xf3, 0x7d, 0xe7, 0xcb, 0xe7,
-	0x09, 0xb0, 0x4e, 0xf6, 0x18, 0xf2, 0x02, 0xcb, 0x0e, 0x3d, 0xf1, 0xe9, 0x79, 0xcc, 0x09, 0x46,
-	0x84, 0x9e, 0x59, 0xa3, 0x46, 0x97, 0x70, 0x7b, 0xcb, 0x72, 0x89, 0x4f, 0xa8, 0xcd, 0x49, 0x0f,
-	0x85, 0x34, 0xe0, 0x01, 0x34, 0x23, 0x01, 0xb2, 0x43, 0x0f, 0x65, 0x05, 0x48, 0x09, 0xd6, 0x1f,
-	0xba, 0x1e, 0xef, 0x0f, 0xbb, 0xc8, 0x09, 0x06, 0x96, 0x1b, 0xb8, 0x81, 0x25, 0x75, 0xdd, 0xe1,
-	0xb1, 0x7c, 0x92, 0x0f, 0xf2, 0x5b, 0xe4, 0xb7, 0xbe, 0x9d, 0x36, 0x30, 0xb0, 0x9d, 0xbe, 0xe7,
-	0x8b, 0xe2, 0xe1, 0x89, 0x2b, 0x00, 0x66, 0x0d, 0x08, 0xb7, 0xad, 0xd1, 0x4c, 0x17, 0xeb, 0xd6,
-	0x5d, 0x2a, 0x3a, 0xf4, 0xb9, 0x37, 0x20, 0x33, 0x82, 0xdd, 0xfb, 0x04, 0xcc, 0xe9, 0x93, 0x81,
-	0x7d, 0x53, 0x57, 0xff, 0xa6, 0x81, 0xe5, 0xe6, 0x61, 0xfb, 0x29, 0x0d, 0x86, 0xe1, 0x7e, 0x9c,
-	0x15, 0xbe, 0x07, 0x45, 0xd1, 0x59, 0xcf, 0xe6, 0xb6, 0xae, 0x6d, 0x68, 0x9b, 0xe5, 0xc6, 0x23,
-	0x94, 0xce, 0x25, 0x29, 0x80, 0xc2, 0x13, 0x57, 0x00, 0x0c, 0x09, 0x36, 0x1a, 0x6d, 0xa1, 0x57,
-	0xdd, 0x0f, 0xc4, 0xe1, 0x2f, 0x08, 0xb7, 0x5b, 0xf0, 0x7c, 0x6c, 0xe6, 0x26, 0x63, 0x13, 0xa4,
-	0x18, 0x4e, 0x5c, 0x61, 0x17, 0x14, 0x47, 0x84, 0x32, 0x2f, 0xf0, 0x99, 0xbe, 0xb0, 0x91, 0xdf,
-	0x2c, 0x37, 0xb6, 0xd1, 0x3d, 0x93, 0x47, 0xcd, 0xc3, 0xf6, 0x51, 0xa4, 0x49, 0x3a, 0x6d, 0xd5,
-	0x54, 0x95, 0xa2, 0x3a, 0x61, 0x38, 0xf1, 0xad, 0x7f, 0xd1, 0xc0, 0xda, 0x4c, 0xb6, 0xe7, 0x1e,
-	0xe3, 0xf0, 0xdd, 0x4c, 0x3e, 0x34, 0x5f, 0x3e, 0xa1, 0x96, 0xe9, 0x92, 0xba, 0x31, 0x92, 0xc9,
-	0xf6, 0x06, 0x14, 0x3c, 0x4e, 0x06, 0x71, 0xb0, 0xc6, 0x3c, 0xc1, 0xa6, 0x9b, 0x6c, 0x55, 0x95,
-	0x7d, 0xa1, 0x2d, 0x8c, 0x70, 0xe4, 0x57, 0xff, 0xbc, 0x08, 0x56, 0x9b, 0x87, 0x6d, 0x4c, 0x58,
-	0x30, 0xa4, 0x0e, 0x49, 0x7f, 0xaf, 0x07, 0xa0, 0x48, 0x15, 0x28, 0xf3, 0x94, 0xd2, 0xfe, 0x62,
-	0x32, 0x4e, 0x18, 0xf0, 0x14, 0x54, 0x28, 0x61, 0x61, 0xe0, 0x33, 0xf2, 0xcc, 0xf3, 0x7b, 0xfa,
-	0x82, 0x9c, 0xc0, 0xee, 0x7c, 0x13, 0x90, 0x8d, 0xaa, 0x61, 0x0b, 0x75, 0xab, 0x36, 0x19, 0x9b,
-	0x15, 0x9c, 0xf1, 0xc3, 0x53, 0xee, 0x70, 0x1b, 0x14, 0x98, 0x13, 0x84, 0x44, 0xcf, 0xcb, 0xc6,
-	0x8c, 0x38, 0x59, 0x47, 0x80, 0xd7, 0x63, 0xb3, 0x1a, 0x77, 0x28, 0x01, 0x1c, 0x91, 0xe1, 0x3e,
-	0xa8, 0x31, 0xcf, 0x77, 0x87, 0xa7, 0x36, 0x8d, 0xcf, 0xf5, 0x45, 0x69, 0xa0, 0x2b, 0x83, 0x5a,
-	0xe7, 0xc6, 0x39, 0x9e, 0x51, 0x40, 0x13, 0x14, 0x46, 0x84, 0x76, 0x99, 0x5e, 0xd8, 0xc8, 0x6f,
-	0x96, 0x5a, 0x25, 0x51, 0xf7, 0x48, 0x00, 0x38, 0xc2, 0x21, 0x02, 0x80, 0xf5, 0x03, 0xca, 0x5f,
-	0xda, 0x03, 0xc2, 0xf4, 0xbf, 0x24, 0xeb, 0x6f, 0xb1, 0xb4, 0x9d, 0x04, 0xc5, 0x19, 0x86, 0xe0,
-	0x3b, 0x36, 0x27, 0x6e, 0x40, 0x3d, 0xc2, 0xf4, 0xa5, 0x94, 0xff, 0x38, 0x41, 0x71, 0x86, 0x01,
-	0x29, 0xa8, 0xb0, 0x61, 0x37, 0x9e, 0x3c, 0xd3, 0x8b, 0x72, 0x23, 0xf6, 0xe6, 0xd9, 0x88, 0x4e,
-	0xaa, 0x4b, 0xf7, 0x62, 0x55, 0x85, 0xaf, 0x64, 0x4e, 0x19, 0x9e, 0xaa, 0x51, 0xff, 0xba, 0x00,
-	0xfe, 0xbd, 0x43, 0x0f, 0x77, 0x40, 0x39, 0xc3, 0x55, 0xbb, 0xb2, 0xa2, 0x4c, 0xcb, 0x19, 0x09,
-	0xce, 0xf2, 0xfe, 0xf0, 0xc6, 0x30, 0x50, 0xb5, 0x1d, 0x87, 0x84, 0x9c, 0xf4, 0x5e, 0x9f, 0x85,
-	0x84, 0xe9, 0x79, 0x39, 0xb5, 0xdf, 0x2d, 0xb7, 0xa6, 0xe2, 0x55, 0x9b, 0x59, 0x53, 0x3c, 0x5d,
-	0x23, 0x5d, 0x95, 0xc5, 0xdb, 0x57, 0xa5, 0xfe, 0x53, 0x03, 0x2b, 0xb7, 0xdc, 0x40, 0xf0, 0x7f,
-	0xb0, 0xa4, 0x6e, 0x1c, 0x35, 0xce, 0x7f, 0x54, 0xbd, 0x25, 0x45, 0xc5, 0xf1, 0x39, 0x3c, 0x06,
-	0xa5, 0x74, 0x15, 0xa2, 0xcb, 0x61, 0x67, 0x9e, 0x55, 0x98, 0x79, 0xe1, 0x5b, 0xcb, 0xaa, 0x46,
-	0x09, 0x27, 0x4b, 0x90, 0x5a, 0xc3, 0x03, 0x50, 0x3a, 0xa6, 0x84, 0xf5, 0x7d, 0xc2, 0x98, 0x7a,
-	0xed, 0xfe, 0x8b, 0x05, 0x4f, 0xe2, 0x83, 0xeb, 0xb1, 0x09, 0x13, 0xc3, 0x04, 0xc5, 0xa9, 0xb2,
-	0x75, 0x70, 0x7e, 0x65, 0xe4, 0x2e, 0xae, 0x8c, 0xdc, 0xe5, 0x95, 0x91, 0xfb, 0x38, 0x31, 0xb4,
-	0xf3, 0x89, 0xa1, 0x5d, 0x4c, 0x0c, 0xed, 0x72, 0x62, 0x68, 0xdf, 0x27, 0x86, 0xf6, 0xe9, 0x87,
-	0x91, 0x7b, 0x6b, 0xde, 0xf3, 0x0f, 0xfb, 0x2b, 0x00, 0x00, 0xff, 0xff, 0xe4, 0x85, 0x3b, 0x06,
-	0x83, 0x07, 0x00, 0x00,
-}
+func (m *APIVersionDiscovery) Reset() { *m = APIVersionDiscovery{} }
 
 func (m *APIGroupDiscovery) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..0998c461bb8d1
--- /dev/null
+++ b/staging/src/k8s.io/api/apidiscovery/v2beta1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v2beta1
+
+func (*APIGroupDiscovery) ProtoMessage() {}
+
+func (*APIGroupDiscoveryList) ProtoMessage() {}
+
+func (*APIResourceDiscovery) ProtoMessage() {}
+
+func (*APISubresourceDiscovery) ProtoMessage() {}
+
+func (*APIVersionDiscovery) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apidiscovery/v2beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/apidiscovery/v2beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..8054db78a2973
--- /dev/null
+++ b/staging/src/k8s.io/api/apidiscovery/v2beta1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v2beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroupDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2beta1.APIGroupDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroupDiscoveryList) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2beta1.APIGroupDiscoveryList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIResourceDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2beta1.APIResourceDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APISubresourceDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2beta1.APISubresourceDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIVersionDiscovery) OpenAPIModelName() string {
+	return "io.k8s.api.apidiscovery.v2beta1.APIVersionDiscovery"
+}
diff --git a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/doc.go b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/doc.go
index 867d74165143f..7a2253c8536dd 100644
--- a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apiserverinternal.v1alpha1
 
 // +groupName=internal.apiserver.k8s.io
 
diff --git a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go
index b0343ffcfb380..0c73dc29a7581 100644
--- a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go
@@ -24,258 +24,22 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ServerStorageVersion) Reset() { *m = ServerStorageVersion{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *StorageVersion) Reset() { *m = StorageVersion{} }
 
-func (m *ServerStorageVersion) Reset()      { *m = ServerStorageVersion{} }
-func (*ServerStorageVersion) ProtoMessage() {}
-func (*ServerStorageVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{0}
-}
-func (m *ServerStorageVersion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServerStorageVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServerStorageVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServerStorageVersion.Merge(m, src)
-}
-func (m *ServerStorageVersion) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServerStorageVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServerStorageVersion.DiscardUnknown(m)
-}
+func (m *StorageVersionCondition) Reset() { *m = StorageVersionCondition{} }
 
-var xxx_messageInfo_ServerStorageVersion proto.InternalMessageInfo
+func (m *StorageVersionList) Reset() { *m = StorageVersionList{} }
 
-func (m *StorageVersion) Reset()      { *m = StorageVersion{} }
-func (*StorageVersion) ProtoMessage() {}
-func (*StorageVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{1}
-}
-func (m *StorageVersion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersion.Merge(m, src)
-}
-func (m *StorageVersion) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersion proto.InternalMessageInfo
+func (m *StorageVersionSpec) Reset() { *m = StorageVersionSpec{} }
 
-func (m *StorageVersionCondition) Reset()      { *m = StorageVersionCondition{} }
-func (*StorageVersionCondition) ProtoMessage() {}
-func (*StorageVersionCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{2}
-}
-func (m *StorageVersionCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionCondition.Merge(m, src)
-}
-func (m *StorageVersionCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionCondition proto.InternalMessageInfo
-
-func (m *StorageVersionList) Reset()      { *m = StorageVersionList{} }
-func (*StorageVersionList) ProtoMessage() {}
-func (*StorageVersionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{3}
-}
-func (m *StorageVersionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionList.Merge(m, src)
-}
-func (m *StorageVersionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionList proto.InternalMessageInfo
-
-func (m *StorageVersionSpec) Reset()      { *m = StorageVersionSpec{} }
-func (*StorageVersionSpec) ProtoMessage() {}
-func (*StorageVersionSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{4}
-}
-func (m *StorageVersionSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionSpec.Merge(m, src)
-}
-func (m *StorageVersionSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionSpec proto.InternalMessageInfo
-
-func (m *StorageVersionStatus) Reset()      { *m = StorageVersionStatus{} }
-func (*StorageVersionStatus) ProtoMessage() {}
-func (*StorageVersionStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_126bcbf538b54729, []int{5}
-}
-func (m *StorageVersionStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionStatus.Merge(m, src)
-}
-func (m *StorageVersionStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ServerStorageVersion)(nil), "k8s.io.api.apiserverinternal.v1alpha1.ServerStorageVersion")
-	proto.RegisterType((*StorageVersion)(nil), "k8s.io.api.apiserverinternal.v1alpha1.StorageVersion")
-	proto.RegisterType((*StorageVersionCondition)(nil), "k8s.io.api.apiserverinternal.v1alpha1.StorageVersionCondition")
-	proto.RegisterType((*StorageVersionList)(nil), "k8s.io.api.apiserverinternal.v1alpha1.StorageVersionList")
-	proto.RegisterType((*StorageVersionSpec)(nil), "k8s.io.api.apiserverinternal.v1alpha1.StorageVersionSpec")
-	proto.RegisterType((*StorageVersionStatus)(nil), "k8s.io.api.apiserverinternal.v1alpha1.StorageVersionStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apiserverinternal/v1alpha1/generated.proto", fileDescriptor_126bcbf538b54729)
-}
-
-var fileDescriptor_126bcbf538b54729 = []byte{
-	// 770 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x55, 0x41, 0x4f, 0x13, 0x41,
-	0x14, 0xee, 0xd2, 0x52, 0x60, 0xaa, 0xad, 0x8c, 0x10, 0x6a, 0x4d, 0xb6, 0xd8, 0x04, 0x83, 0x1a,
-	0x77, 0xa5, 0x11, 0x23, 0x9a, 0x68, 0x58, 0x20, 0x06, 0x85, 0x60, 0xa6, 0xc4, 0x03, 0x7a, 0x70,
-	0xba, 0x1d, 0xb7, 0x2b, 0xdd, 0x9d, 0xcd, 0xce, 0xb4, 0x09, 0x17, 0xe3, 0x4f, 0xd0, 0xff, 0xe1,
-	0xd1, 0x1f, 0xc1, 0xc9, 0x70, 0x24, 0x31, 0x69, 0x64, 0xfd, 0x17, 0x9c, 0xcc, 0xcc, 0x6e, 0xb7,
-	0x6c, 0x5b, 0x62, 0xc3, 0xa1, 0x49, 0xe7, 0xbd, 0xf7, 0x7d, 0xef, 0xcd, 0x37, 0xdf, 0xcc, 0x82,
-	0xd5, 0xc3, 0xa7, 0x4c, 0xb3, 0xa9, 0x8e, 0x3d, 0x5b, 0xfc, 0x18, 0xf1, 0x3b, 0xc4, 0xb7, 0x5d,
-	0x4e, 0x7c, 0x17, 0xb7, 0xf4, 0xce, 0x0a, 0x6e, 0x79, 0x4d, 0xbc, 0xa2, 0x5b, 0xc4, 0x25, 0x3e,
-	0xe6, 0xa4, 0xa1, 0x79, 0x3e, 0xe5, 0x14, 0x2e, 0x85, 0x30, 0x0d, 0x7b, 0xb6, 0x36, 0x04, 0xd3,
-	0x7a, 0xb0, 0xd2, 0x43, 0xcb, 0xe6, 0xcd, 0x76, 0x5d, 0x33, 0xa9, 0xa3, 0x5b, 0xd4, 0xa2, 0xba,
-	0x44, 0xd7, 0xdb, 0x9f, 0xe4, 0x4a, 0x2e, 0xe4, 0xbf, 0x90, 0xb5, 0xf4, 0xb8, 0x3f, 0x8c, 0x83,
-	0xcd, 0xa6, 0xed, 0x12, 0xff, 0x48, 0xf7, 0x0e, 0x2d, 0x39, 0x99, 0xee, 0x10, 0x8e, 0xf5, 0xce,
-	0xd0, 0x2c, 0x25, 0xfd, 0x32, 0x94, 0xdf, 0x76, 0xb9, 0xed, 0x90, 0x21, 0xc0, 0x93, 0xff, 0x01,
-	0x98, 0xd9, 0x24, 0x0e, 0x1e, 0xc4, 0x55, 0xbe, 0x4f, 0x80, 0xb9, 0x9a, 0xdc, 0x69, 0x8d, 0x53,
-	0x1f, 0x5b, 0xe4, 0x1d, 0xf1, 0x99, 0x4d, 0x5d, 0xb8, 0x0a, 0x72, 0xd8, 0xb3, 0xc3, 0xd4, 0xf6,
-	0x66, 0x51, 0x59, 0x54, 0x96, 0x67, 0x8c, 0x9b, 0xc7, 0xdd, 0x72, 0x2a, 0xe8, 0x96, 0x73, 0xeb,
-	0x6f, 0xb7, 0x7b, 0x29, 0x74, 0xb1, 0x0e, 0xae, 0x83, 0x02, 0x71, 0x4d, 0xda, 0xb0, 0x5d, 0x2b,
-	0x62, 0x2a, 0x4e, 0x48, 0xe8, 0x42, 0x04, 0x2d, 0x6c, 0x25, 0xd3, 0x68, 0xb0, 0x1e, 0x6e, 0x80,
-	0xd9, 0x06, 0x31, 0x69, 0x03, 0xd7, 0x5b, 0xbd, 0x69, 0x58, 0x31, 0xbd, 0x98, 0x5e, 0x9e, 0x31,
-	0xe6, 0x83, 0x6e, 0x79, 0x76, 0x73, 0x30, 0x89, 0x86, 0xeb, 0xe1, 0x33, 0x90, 0x97, 0x07, 0xd8,
-	0x88, 0x19, 0x32, 0x92, 0x01, 0x06, 0xdd, 0x72, 0xbe, 0x96, 0xc8, 0xa0, 0x81, 0xca, 0xca, 0xcf,
-	0x09, 0x90, 0x1f, 0x50, 0xe3, 0x23, 0x98, 0x16, 0x47, 0xd5, 0xc0, 0x1c, 0x4b, 0x29, 0x72, 0xd5,
-	0x47, 0x5a, 0xdf, 0x2e, 0xb1, 0xe2, 0x9a, 0x77, 0x68, 0x49, 0xef, 0x68, 0xa2, 0x5a, 0xeb, 0xac,
-	0x68, 0x7b, 0xf5, 0xcf, 0xc4, 0xe4, 0xbb, 0x84, 0x63, 0x03, 0x46, 0x0a, 0x80, 0x7e, 0x0c, 0xc5,
-	0xac, 0xf0, 0x3d, 0xc8, 0x30, 0x8f, 0x98, 0x52, 0xad, 0x5c, 0x75, 0x4d, 0x1b, 0xcb, 0x8c, 0x5a,
-	0x72, 0xcc, 0x9a, 0x47, 0x4c, 0xe3, 0x5a, 0xd4, 0x26, 0x23, 0x56, 0x48, 0x92, 0x42, 0x13, 0x64,
-	0x19, 0xc7, 0xbc, 0x2d, 0x74, 0x14, 0xf4, 0xcf, 0xaf, 0x46, 0x2f, 0x29, 0x8c, 0x7c, 0xd4, 0x20,
-	0x1b, 0xae, 0x51, 0x44, 0x5d, 0xf9, 0x91, 0x06, 0x0b, 0x49, 0xc0, 0x06, 0x75, 0x1b, 0x36, 0x17,
-	0xfa, 0xbd, 0x04, 0x19, 0x7e, 0xe4, 0x91, 0xc8, 0x46, 0x0f, 0x7a, 0x23, 0xee, 0x1f, 0x79, 0xe4,
-	0xbc, 0x5b, 0xbe, 0x7d, 0x09, 0x4c, 0xa4, 0x91, 0x04, 0xc2, 0xb5, 0x78, 0x07, 0xa1, 0x9d, 0xee,
-	0x24, 0x87, 0x38, 0xef, 0x96, 0x0b, 0x31, 0x2c, 0x39, 0x17, 0x7c, 0x0d, 0x20, 0xad, 0x87, 0x47,
-	0xfc, 0x2a, 0x74, 0xbf, 0x70, 0xa5, 0x10, 0x22, 0x6d, 0x94, 0x22, 0x1a, 0xb8, 0x37, 0x54, 0x81,
-	0x46, 0xa0, 0x60, 0x07, 0xc0, 0x16, 0x66, 0x7c, 0xdf, 0xc7, 0x2e, 0x0b, 0x47, 0xb4, 0x1d, 0x52,
-	0xcc, 0x48, 0x51, 0xef, 0x8f, 0xe7, 0x08, 0x81, 0xe8, 0xf7, 0xdd, 0x19, 0x62, 0x43, 0x23, 0x3a,
-	0xc0, 0xbb, 0x20, 0xeb, 0x13, 0xcc, 0xa8, 0x5b, 0x9c, 0x94, 0xdb, 0x8f, 0xcf, 0x00, 0xc9, 0x28,
-	0x8a, 0xb2, 0xf0, 0x1e, 0x98, 0x72, 0x08, 0x63, 0xd8, 0x22, 0xc5, 0xac, 0x2c, 0x2c, 0x44, 0x85,
-	0x53, 0xbb, 0x61, 0x18, 0xf5, 0xf2, 0x95, 0x5f, 0x0a, 0x80, 0x49, 0xdd, 0x77, 0x6c, 0xc6, 0xe1,
-	0x87, 0x21, 0xa7, 0x6b, 0xe3, 0xed, 0x4b, 0xa0, 0xa5, 0xcf, 0x6f, 0x44, 0x2d, 0xa7, 0x7b, 0x91,
-	0x0b, 0x2e, 0x3f, 0x00, 0x93, 0x36, 0x27, 0x8e, 0x38, 0xc5, 0xf4, 0x72, 0xae, 0xba, 0x7a, 0x25,
-	0x1f, 0x1a, 0xd7, 0xa3, 0x0e, 0x93, 0xdb, 0x82, 0x0b, 0x85, 0x94, 0x95, 0xb9, 0xc1, 0xfd, 0x88,
-	0x0b, 0x50, 0xf9, 0x2d, 0x1e, 0xb8, 0x11, 0x36, 0x86, 0x5f, 0x40, 0x81, 0x25, 0xe2, 0xac, 0xa8,
-	0xc8, 0xa1, 0xc6, 0xbe, 0x1c, 0x23, 0x9e, 0xcd, 0xfe, 0x33, 0x97, 0x8c, 0x33, 0x34, 0xd8, 0x0c,
-	0xee, 0x81, 0x79, 0x93, 0x3a, 0x0e, 0x75, 0xb7, 0x46, 0xbe, 0x97, 0xb7, 0x82, 0x6e, 0x79, 0x7e,
-	0x63, 0x54, 0x01, 0x1a, 0x8d, 0x83, 0x3e, 0x00, 0x66, 0xef, 0x0a, 0x84, 0x0f, 0x66, 0xae, 0xfa,
-	0xe2, 0x4a, 0x02, 0xc7, 0x37, 0xa9, 0xff, 0x66, 0xc5, 0x21, 0x86, 0x2e, 0x74, 0x31, 0xde, 0x1c,
-	0x9f, 0xa9, 0xa9, 0x93, 0x33, 0x35, 0x75, 0x7a, 0xa6, 0xa6, 0xbe, 0x06, 0xaa, 0x72, 0x1c, 0xa8,
-	0xca, 0x49, 0xa0, 0x2a, 0xa7, 0x81, 0xaa, 0xfc, 0x09, 0x54, 0xe5, 0xdb, 0x5f, 0x35, 0x75, 0xb0,
-	0x34, 0xd6, 0x07, 0xf9, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x79, 0x04, 0x7d, 0x78, 0xb8, 0x07,
-	0x00, 0x00,
-}
+func (m *StorageVersionStatus) Reset() { *m = StorageVersionStatus{} }
 
 func (m *ServerStorageVersion) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..b0839952b2aa1
--- /dev/null
+++ b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ServerStorageVersion) ProtoMessage() {}
+
+func (*StorageVersion) ProtoMessage() {}
+
+func (*StorageVersionCondition) ProtoMessage() {}
+
+func (*StorageVersionList) ProtoMessage() {}
+
+func (*StorageVersionSpec) ProtoMessage() {}
+
+func (*StorageVersionStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apiserverinternal/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5f48f5ff3883e
--- /dev/null
+++ b/staging/src/k8s.io/api/apiserverinternal/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServerStorageVersion) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.ServerStorageVersion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersion) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.StorageVersion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.StorageVersionCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionList) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.StorageVersionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.StorageVersionSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apiserverinternal.v1alpha1.StorageVersionStatus"
+}
diff --git a/staging/src/k8s.io/api/apps/v1/doc.go b/staging/src/k8s.io/api/apps/v1/doc.go
index 51fe12c53ded3..122ae8eeb1e51 100644
--- a/staging/src/k8s.io/api/apps/v1/doc.go
+++ b/staging/src/k8s.io/api/apps/v1/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apps.v1
 
 package v1
diff --git a/staging/src/k8s.io/api/apps/v1/generated.pb.go b/staging/src/k8s.io/api/apps/v1/generated.pb.go
index eacc25931be73..b46ed0dc40bbd 100644
--- a/staging/src/k8s.io/api/apps/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/apps/v1/generated.pb.go
@@ -24,12 +24,10 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -37,1039 +35,67 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ControllerRevision) Reset() { *m = ControllerRevision{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ControllerRevisionList) Reset() { *m = ControllerRevisionList{} }
 
-func (m *ControllerRevision) Reset()      { *m = ControllerRevision{} }
-func (*ControllerRevision) ProtoMessage() {}
-func (*ControllerRevision) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{0}
-}
-func (m *ControllerRevision) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevision) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevision) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevision.Merge(m, src)
-}
-func (m *ControllerRevision) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevision) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevision.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevision proto.InternalMessageInfo
-
-func (m *ControllerRevisionList) Reset()      { *m = ControllerRevisionList{} }
-func (*ControllerRevisionList) ProtoMessage() {}
-func (*ControllerRevisionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{1}
-}
-func (m *ControllerRevisionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevisionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevisionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevisionList.Merge(m, src)
-}
-func (m *ControllerRevisionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevisionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevisionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevisionList proto.InternalMessageInfo
-
-func (m *DaemonSet) Reset()      { *m = DaemonSet{} }
-func (*DaemonSet) ProtoMessage() {}
-func (*DaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{2}
-}
-func (m *DaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSet.Merge(m, src)
-}
-func (m *DaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSet proto.InternalMessageInfo
-
-func (m *DaemonSetCondition) Reset()      { *m = DaemonSetCondition{} }
-func (*DaemonSetCondition) ProtoMessage() {}
-func (*DaemonSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{3}
-}
-func (m *DaemonSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetCondition.Merge(m, src)
-}
-func (m *DaemonSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetCondition proto.InternalMessageInfo
-
-func (m *DaemonSetList) Reset()      { *m = DaemonSetList{} }
-func (*DaemonSetList) ProtoMessage() {}
-func (*DaemonSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{4}
-}
-func (m *DaemonSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetList.Merge(m, src)
-}
-func (m *DaemonSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetList proto.InternalMessageInfo
-
-func (m *DaemonSetSpec) Reset()      { *m = DaemonSetSpec{} }
-func (*DaemonSetSpec) ProtoMessage() {}
-func (*DaemonSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{5}
-}
-func (m *DaemonSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetSpec.Merge(m, src)
-}
-func (m *DaemonSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetSpec proto.InternalMessageInfo
-
-func (m *DaemonSetStatus) Reset()      { *m = DaemonSetStatus{} }
-func (*DaemonSetStatus) ProtoMessage() {}
-func (*DaemonSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{6}
-}
-func (m *DaemonSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetStatus.Merge(m, src)
-}
-func (m *DaemonSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetStatus proto.InternalMessageInfo
-
-func (m *DaemonSetUpdateStrategy) Reset()      { *m = DaemonSetUpdateStrategy{} }
-func (*DaemonSetUpdateStrategy) ProtoMessage() {}
-func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{7}
-}
-func (m *DaemonSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetUpdateStrategy.Merge(m, src)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetUpdateStrategy proto.InternalMessageInfo
-
-func (m *Deployment) Reset()      { *m = Deployment{} }
-func (*Deployment) ProtoMessage() {}
-func (*Deployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{8}
-}
-func (m *Deployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Deployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Deployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Deployment.Merge(m, src)
-}
-func (m *Deployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *Deployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_Deployment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Deployment proto.InternalMessageInfo
-
-func (m *DeploymentCondition) Reset()      { *m = DeploymentCondition{} }
-func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{9}
-}
-func (m *DeploymentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCondition.Merge(m, src)
-}
-func (m *DeploymentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCondition proto.InternalMessageInfo
-
-func (m *DeploymentList) Reset()      { *m = DeploymentList{} }
-func (*DeploymentList) ProtoMessage() {}
-func (*DeploymentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{10}
-}
-func (m *DeploymentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentList.Merge(m, src)
-}
-func (m *DeploymentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentList proto.InternalMessageInfo
-
-func (m *DeploymentSpec) Reset()      { *m = DeploymentSpec{} }
-func (*DeploymentSpec) ProtoMessage() {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{11}
-}
-func (m *DeploymentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentSpec.Merge(m, src)
-}
-func (m *DeploymentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentSpec proto.InternalMessageInfo
-
-func (m *DeploymentStatus) Reset()      { *m = DeploymentStatus{} }
-func (*DeploymentStatus) ProtoMessage() {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{12}
-}
-func (m *DeploymentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStatus.Merge(m, src)
-}
-func (m *DeploymentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStatus proto.InternalMessageInfo
-
-func (m *DeploymentStrategy) Reset()      { *m = DeploymentStrategy{} }
-func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{13}
-}
-func (m *DeploymentStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStrategy.Merge(m, src)
-}
-func (m *DeploymentStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStrategy.DiscardUnknown(m)
-}
+func (m *DaemonSet) Reset() { *m = DaemonSet{} }
 
-var xxx_messageInfo_DeploymentStrategy proto.InternalMessageInfo
+func (m *DaemonSetCondition) Reset() { *m = DaemonSetCondition{} }
 
-func (m *ReplicaSet) Reset()      { *m = ReplicaSet{} }
-func (*ReplicaSet) ProtoMessage() {}
-func (*ReplicaSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{14}
-}
-func (m *ReplicaSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSet.Merge(m, src)
-}
-func (m *ReplicaSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSet.DiscardUnknown(m)
-}
+func (m *DaemonSetList) Reset() { *m = DaemonSetList{} }
 
-var xxx_messageInfo_ReplicaSet proto.InternalMessageInfo
+func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} }
 
-func (m *ReplicaSetCondition) Reset()      { *m = ReplicaSetCondition{} }
-func (*ReplicaSetCondition) ProtoMessage() {}
-func (*ReplicaSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{15}
-}
-func (m *ReplicaSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetCondition.Merge(m, src)
-}
-func (m *ReplicaSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetCondition.DiscardUnknown(m)
-}
+func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} }
 
-var xxx_messageInfo_ReplicaSetCondition proto.InternalMessageInfo
+func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
 
-func (m *ReplicaSetList) Reset()      { *m = ReplicaSetList{} }
-func (*ReplicaSetList) ProtoMessage() {}
-func (*ReplicaSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{16}
-}
-func (m *ReplicaSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetList.Merge(m, src)
-}
-func (m *ReplicaSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetList.DiscardUnknown(m)
-}
+func (m *Deployment) Reset() { *m = Deployment{} }
 
-var xxx_messageInfo_ReplicaSetList proto.InternalMessageInfo
+func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
 
-func (m *ReplicaSetSpec) Reset()      { *m = ReplicaSetSpec{} }
-func (*ReplicaSetSpec) ProtoMessage() {}
-func (*ReplicaSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{17}
-}
-func (m *ReplicaSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetSpec.Merge(m, src)
-}
-func (m *ReplicaSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetSpec.DiscardUnknown(m)
-}
+func (m *DeploymentList) Reset() { *m = DeploymentList{} }
 
-var xxx_messageInfo_ReplicaSetSpec proto.InternalMessageInfo
+func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
 
-func (m *ReplicaSetStatus) Reset()      { *m = ReplicaSetStatus{} }
-func (*ReplicaSetStatus) ProtoMessage() {}
-func (*ReplicaSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{18}
-}
-func (m *ReplicaSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetStatus.Merge(m, src)
-}
-func (m *ReplicaSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetStatus.DiscardUnknown(m)
-}
+func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
 
-var xxx_messageInfo_ReplicaSetStatus proto.InternalMessageInfo
+func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
 
-func (m *RollingUpdateDaemonSet) Reset()      { *m = RollingUpdateDaemonSet{} }
-func (*RollingUpdateDaemonSet) ProtoMessage() {}
-func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{19}
-}
-func (m *RollingUpdateDaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDaemonSet.Merge(m, src)
-}
-func (m *RollingUpdateDaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDaemonSet.DiscardUnknown(m)
-}
+func (m *ReplicaSet) Reset() { *m = ReplicaSet{} }
 
-var xxx_messageInfo_RollingUpdateDaemonSet proto.InternalMessageInfo
+func (m *ReplicaSetCondition) Reset() { *m = ReplicaSetCondition{} }
 
-func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
-func (*RollingUpdateDeployment) ProtoMessage() {}
-func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{20}
-}
-func (m *RollingUpdateDeployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDeployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDeployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDeployment.Merge(m, src)
-}
-func (m *RollingUpdateDeployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDeployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDeployment.DiscardUnknown(m)
-}
+func (m *ReplicaSetList) Reset() { *m = ReplicaSetList{} }
 
-var xxx_messageInfo_RollingUpdateDeployment proto.InternalMessageInfo
+func (m *ReplicaSetSpec) Reset() { *m = ReplicaSetSpec{} }
 
-func (m *RollingUpdateStatefulSetStrategy) Reset()      { *m = RollingUpdateStatefulSetStrategy{} }
-func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
-func (*RollingUpdateStatefulSetStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{21}
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.Merge(m, src)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.DiscardUnknown(m)
-}
+func (m *ReplicaSetStatus) Reset() { *m = ReplicaSetStatus{} }
 
-var xxx_messageInfo_RollingUpdateStatefulSetStrategy proto.InternalMessageInfo
+func (m *RollingUpdateDaemonSet) Reset() { *m = RollingUpdateDaemonSet{} }
 
-func (m *StatefulSet) Reset()      { *m = StatefulSet{} }
-func (*StatefulSet) ProtoMessage() {}
-func (*StatefulSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{22}
-}
-func (m *StatefulSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSet.Merge(m, src)
-}
-func (m *StatefulSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSet.DiscardUnknown(m)
-}
+func (m *RollingUpdateDeployment) Reset() { *m = RollingUpdateDeployment{} }
 
-var xxx_messageInfo_StatefulSet proto.InternalMessageInfo
+func (m *RollingUpdateStatefulSetStrategy) Reset() { *m = RollingUpdateStatefulSetStrategy{} }
 
-func (m *StatefulSetCondition) Reset()      { *m = StatefulSetCondition{} }
-func (*StatefulSetCondition) ProtoMessage() {}
-func (*StatefulSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{23}
-}
-func (m *StatefulSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetCondition.Merge(m, src)
-}
-func (m *StatefulSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetCondition.DiscardUnknown(m)
-}
+func (m *StatefulSet) Reset() { *m = StatefulSet{} }
 
-var xxx_messageInfo_StatefulSetCondition proto.InternalMessageInfo
+func (m *StatefulSetCondition) Reset() { *m = StatefulSetCondition{} }
 
-func (m *StatefulSetList) Reset()      { *m = StatefulSetList{} }
-func (*StatefulSetList) ProtoMessage() {}
-func (*StatefulSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{24}
-}
-func (m *StatefulSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetList.Merge(m, src)
-}
-func (m *StatefulSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetList proto.InternalMessageInfo
-
-func (m *StatefulSetOrdinals) Reset()      { *m = StatefulSetOrdinals{} }
-func (*StatefulSetOrdinals) ProtoMessage() {}
-func (*StatefulSetOrdinals) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{25}
-}
-func (m *StatefulSetOrdinals) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetOrdinals) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetOrdinals) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetOrdinals.Merge(m, src)
-}
-func (m *StatefulSetOrdinals) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetOrdinals) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetOrdinals.DiscardUnknown(m)
-}
+func (m *StatefulSetList) Reset() { *m = StatefulSetList{} }
 
-var xxx_messageInfo_StatefulSetOrdinals proto.InternalMessageInfo
+func (m *StatefulSetOrdinals) Reset() { *m = StatefulSetOrdinals{} }
 
 func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) Reset() {
 	*m = StatefulSetPersistentVolumeClaimRetentionPolicy{}
 }
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{26}
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.Merge(m, src)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy proto.InternalMessageInfo
+func (m *StatefulSetSpec) Reset() { *m = StatefulSetSpec{} }
 
-func (m *StatefulSetSpec) Reset()      { *m = StatefulSetSpec{} }
-func (*StatefulSetSpec) ProtoMessage() {}
-func (*StatefulSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{27}
-}
-func (m *StatefulSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetSpec.Merge(m, src)
-}
-func (m *StatefulSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetSpec.DiscardUnknown(m)
-}
+func (m *StatefulSetStatus) Reset() { *m = StatefulSetStatus{} }
 
-var xxx_messageInfo_StatefulSetSpec proto.InternalMessageInfo
-
-func (m *StatefulSetStatus) Reset()      { *m = StatefulSetStatus{} }
-func (*StatefulSetStatus) ProtoMessage() {}
-func (*StatefulSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{28}
-}
-func (m *StatefulSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetStatus.Merge(m, src)
-}
-func (m *StatefulSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetStatus proto.InternalMessageInfo
-
-func (m *StatefulSetUpdateStrategy) Reset()      { *m = StatefulSetUpdateStrategy{} }
-func (*StatefulSetUpdateStrategy) ProtoMessage() {}
-func (*StatefulSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5b781835628d5338, []int{29}
-}
-func (m *StatefulSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetUpdateStrategy.Merge(m, src)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetUpdateStrategy proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ControllerRevision)(nil), "k8s.io.api.apps.v1.ControllerRevision")
-	proto.RegisterType((*ControllerRevisionList)(nil), "k8s.io.api.apps.v1.ControllerRevisionList")
-	proto.RegisterType((*DaemonSet)(nil), "k8s.io.api.apps.v1.DaemonSet")
-	proto.RegisterType((*DaemonSetCondition)(nil), "k8s.io.api.apps.v1.DaemonSetCondition")
-	proto.RegisterType((*DaemonSetList)(nil), "k8s.io.api.apps.v1.DaemonSetList")
-	proto.RegisterType((*DaemonSetSpec)(nil), "k8s.io.api.apps.v1.DaemonSetSpec")
-	proto.RegisterType((*DaemonSetStatus)(nil), "k8s.io.api.apps.v1.DaemonSetStatus")
-	proto.RegisterType((*DaemonSetUpdateStrategy)(nil), "k8s.io.api.apps.v1.DaemonSetUpdateStrategy")
-	proto.RegisterType((*Deployment)(nil), "k8s.io.api.apps.v1.Deployment")
-	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.apps.v1.DeploymentCondition")
-	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.apps.v1.DeploymentList")
-	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.apps.v1.DeploymentSpec")
-	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.apps.v1.DeploymentStatus")
-	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.apps.v1.DeploymentStrategy")
-	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.api.apps.v1.ReplicaSet")
-	proto.RegisterType((*ReplicaSetCondition)(nil), "k8s.io.api.apps.v1.ReplicaSetCondition")
-	proto.RegisterType((*ReplicaSetList)(nil), "k8s.io.api.apps.v1.ReplicaSetList")
-	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.api.apps.v1.ReplicaSetSpec")
-	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.api.apps.v1.ReplicaSetStatus")
-	proto.RegisterType((*RollingUpdateDaemonSet)(nil), "k8s.io.api.apps.v1.RollingUpdateDaemonSet")
-	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.apps.v1.RollingUpdateDeployment")
-	proto.RegisterType((*RollingUpdateStatefulSetStrategy)(nil), "k8s.io.api.apps.v1.RollingUpdateStatefulSetStrategy")
-	proto.RegisterType((*StatefulSet)(nil), "k8s.io.api.apps.v1.StatefulSet")
-	proto.RegisterType((*StatefulSetCondition)(nil), "k8s.io.api.apps.v1.StatefulSetCondition")
-	proto.RegisterType((*StatefulSetList)(nil), "k8s.io.api.apps.v1.StatefulSetList")
-	proto.RegisterType((*StatefulSetOrdinals)(nil), "k8s.io.api.apps.v1.StatefulSetOrdinals")
-	proto.RegisterType((*StatefulSetPersistentVolumeClaimRetentionPolicy)(nil), "k8s.io.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy")
-	proto.RegisterType((*StatefulSetSpec)(nil), "k8s.io.api.apps.v1.StatefulSetSpec")
-	proto.RegisterType((*StatefulSetStatus)(nil), "k8s.io.api.apps.v1.StatefulSetStatus")
-	proto.RegisterType((*StatefulSetUpdateStrategy)(nil), "k8s.io.api.apps.v1.StatefulSetUpdateStrategy")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apps/v1/generated.proto", fileDescriptor_5b781835628d5338)
-}
-
-var fileDescriptor_5b781835628d5338 = []byte{
-	// 2225 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0xcd, 0x6f, 0x1b, 0xc7,
-	0x15, 0xd7, 0x52, 0xa4, 0x44, 0x0d, 0x2d, 0xc9, 0x1e, 0xa9, 0x12, 0x63, 0x37, 0xa4, 0xbb, 0x71,
-	0x6d, 0x25, 0x8e, 0xc9, 0xda, 0x71, 0x82, 0xc0, 0x29, 0x12, 0x88, 0x54, 0x9a, 0xba, 0xd1, 0x57,
-	0x87, 0x92, 0x03, 0xb8, 0x69, 0xd1, 0xd1, 0x72, 0x4c, 0x6d, 0xbc, 0x5f, 0xd8, 0x1d, 0x2a, 0x16,
-	0x7a, 0x29, 0x0a, 0x14, 0xe8, 0x21, 0x87, 0xfe, 0x0d, 0xfd, 0x07, 0x8a, 0xa2, 0x68, 0x6e, 0x45,
-	0x50, 0xf4, 0xe2, 0x4b, 0x81, 0xa0, 0x97, 0xe6, 0x44, 0xd4, 0xcc, 0xa9, 0x28, 0x7a, 0x6b, 0x2f,
-	0xbe, 0xb4, 0x98, 0xd9, 0xd9, 0xef, 0x59, 0x91, 0x92, 0x63, 0xa5, 0x09, 0x7c, 0xe3, 0xce, 0x7b,
-	0xef, 0x37, 0x6f, 0x66, 0xde, 0x9b, 0xf7, 0x9b, 0x19, 0x02, 0xf5, 0xfe, 0xeb, 0x5e, 0x43, 0xb7,
-	0x9b, 0xd8, 0xd1, 0x9b, 0xd8, 0x71, 0xbc, 0xe6, 0xc1, 0xf5, 0x66, 0x8f, 0x58, 0xc4, 0xc5, 0x94,
-	0x74, 0x1b, 0x8e, 0x6b, 0x53, 0x1b, 0x42, 0x5f, 0xa7, 0x81, 0x1d, 0xbd, 0xc1, 0x74, 0x1a, 0x07,
-	0xd7, 0xcf, 0x5f, 0xeb, 0xe9, 0x74, 0xbf, 0xbf, 0xd7, 0xd0, 0x6c, 0xb3, 0xd9, 0xb3, 0x7b, 0x76,
-	0x93, 0xab, 0xee, 0xf5, 0xef, 0xf1, 0x2f, 0xfe, 0xc1, 0x7f, 0xf9, 0x10, 0xe7, 0xe3, 0xdd, 0x68,
-	0xb6, 0x4b, 0x24, 0xdd, 0x9c, 0xbf, 0x19, 0xe9, 0x98, 0x58, 0xdb, 0xd7, 0x2d, 0xe2, 0x1e, 0x36,
-	0x9d, 0xfb, 0x3d, 0xd6, 0xe0, 0x35, 0x4d, 0x42, 0xb1, 0xcc, 0xaa, 0x99, 0x67, 0xe5, 0xf6, 0x2d,
-	0xaa, 0x9b, 0x24, 0x63, 0xf0, 0xda, 0x28, 0x03, 0x4f, 0xdb, 0x27, 0x26, 0xce, 0xd8, 0xbd, 0x92,
-	0x67, 0xd7, 0xa7, 0xba, 0xd1, 0xd4, 0x2d, 0xea, 0x51, 0x37, 0x6d, 0xa4, 0xfe, 0x47, 0x01, 0xb0,
-	0x6d, 0x5b, 0xd4, 0xb5, 0x0d, 0x83, 0xb8, 0x88, 0x1c, 0xe8, 0x9e, 0x6e, 0x5b, 0xf0, 0xa7, 0xa0,
-	0xcc, 0xc6, 0xd3, 0xc5, 0x14, 0x57, 0x95, 0x8b, 0xca, 0x4a, 0xe5, 0xc6, 0x77, 0x1a, 0xd1, 0x24,
-	0x87, 0xf0, 0x0d, 0xe7, 0x7e, 0x8f, 0x35, 0x78, 0x0d, 0xa6, 0xdd, 0x38, 0xb8, 0xde, 0xd8, 0xda,
-	0xfb, 0x80, 0x68, 0x74, 0x83, 0x50, 0xdc, 0x82, 0x0f, 0x07, 0xf5, 0x89, 0xe1, 0xa0, 0x0e, 0xa2,
-	0x36, 0x14, 0xa2, 0xc2, 0x2d, 0x50, 0xe4, 0xe8, 0x05, 0x8e, 0x7e, 0x2d, 0x17, 0x5d, 0x0c, 0xba,
-	0x81, 0xf0, 0x87, 0x6f, 0x3f, 0xa0, 0xc4, 0x62, 0xee, 0xb5, 0xce, 0x08, 0xe8, 0xe2, 0x1a, 0xa6,
-	0x18, 0x71, 0x20, 0xf8, 0x32, 0x28, 0xbb, 0xc2, 0xfd, 0xea, 0xe4, 0x45, 0x65, 0x65, 0xb2, 0x75,
-	0x56, 0x68, 0x95, 0x83, 0x61, 0xa1, 0x50, 0x43, 0xfd, 0xb3, 0x02, 0x96, 0xb2, 0xe3, 0x5e, 0xd7,
-	0x3d, 0x0a, 0xdf, 0xcf, 0x8c, 0xbd, 0x31, 0xde, 0xd8, 0x99, 0x35, 0x1f, 0x79, 0xd8, 0x71, 0xd0,
-	0x12, 0x1b, 0xf7, 0xbb, 0xa0, 0xa4, 0x53, 0x62, 0x7a, 0xd5, 0xc2, 0xc5, 0xc9, 0x95, 0xca, 0x8d,
-	0xcb, 0x8d, 0x6c, 0xec, 0x36, 0xb2, 0x8e, 0xb5, 0x66, 0x05, 0x64, 0xe9, 0x36, 0x33, 0x46, 0x3e,
-	0x86, 0xfa, 0x5f, 0x05, 0xcc, 0xac, 0x61, 0x62, 0xda, 0x56, 0x87, 0xd0, 0x53, 0x58, 0xb4, 0x36,
-	0x28, 0x7a, 0x0e, 0xd1, 0xc4, 0xa2, 0x7d, 0x4b, 0xe6, 0x7b, 0xe8, 0x4e, 0xc7, 0x21, 0x5a, 0xb4,
-	0x50, 0xec, 0x0b, 0x71, 0x63, 0xf8, 0x2e, 0x98, 0xf2, 0x28, 0xa6, 0x7d, 0x8f, 0x2f, 0x53, 0xe5,
-	0xc6, 0x0b, 0x47, 0xc3, 0x70, 0xd5, 0xd6, 0x9c, 0x00, 0x9a, 0xf2, 0xbf, 0x91, 0x80, 0x50, 0xff,
-	0x51, 0x00, 0x30, 0xd4, 0x6d, 0xdb, 0x56, 0x57, 0xa7, 0x2c, 0x7e, 0x6f, 0x81, 0x22, 0x3d, 0x74,
-	0x08, 0x9f, 0x86, 0x99, 0xd6, 0xe5, 0xc0, 0x8b, 0x9d, 0x43, 0x87, 0x3c, 0x1e, 0xd4, 0x97, 0xb2,
-	0x16, 0x4c, 0x82, 0xb8, 0x0d, 0x5c, 0x0f, 0xfd, 0x2b, 0x70, 0xeb, 0x9b, 0xc9, 0xae, 0x1f, 0x0f,
-	0xea, 0x92, 0xcd, 0xa2, 0x11, 0x22, 0x25, 0x1d, 0x84, 0x07, 0x00, 0x1a, 0xd8, 0xa3, 0x3b, 0x2e,
-	0xb6, 0x3c, 0xbf, 0x27, 0xdd, 0x24, 0x62, 0xe4, 0x2f, 0x8d, 0xb7, 0x3c, 0xcc, 0xa2, 0x75, 0x5e,
-	0x78, 0x01, 0xd7, 0x33, 0x68, 0x48, 0xd2, 0x03, 0xbc, 0x0c, 0xa6, 0x5c, 0x82, 0x3d, 0xdb, 0xaa,
-	0x16, 0xf9, 0x28, 0xc2, 0x09, 0x44, 0xbc, 0x15, 0x09, 0x29, 0x7c, 0x11, 0x4c, 0x9b, 0xc4, 0xf3,
-	0x70, 0x8f, 0x54, 0x4b, 0x5c, 0x71, 0x5e, 0x28, 0x4e, 0x6f, 0xf8, 0xcd, 0x28, 0x90, 0xab, 0xbf,
-	0x53, 0xc0, 0x6c, 0x38, 0x73, 0xa7, 0x90, 0x2a, 0xad, 0x64, 0xaa, 0x3c, 0x7f, 0x64, 0x9c, 0xe4,
-	0x64, 0xc8, 0x27, 0x93, 0x31, 0x9f, 0x59, 0x10, 0xc2, 0x1f, 0x83, 0xb2, 0x47, 0x0c, 0xa2, 0x51,
-	0xdb, 0x15, 0x3e, 0xbf, 0x32, 0xa6, 0xcf, 0x78, 0x8f, 0x18, 0x1d, 0x61, 0xda, 0x3a, 0xc3, 0x9c,
-	0x0e, 0xbe, 0x50, 0x08, 0x09, 0x7f, 0x08, 0xca, 0x94, 0x98, 0x8e, 0x81, 0x29, 0x11, 0x69, 0x92,
-	0x88, 0x6f, 0x16, 0x2e, 0x0c, 0x6c, 0xdb, 0xee, 0xee, 0x08, 0x35, 0x9e, 0x28, 0xe1, 0x3c, 0x04,
-	0xad, 0x28, 0x84, 0x81, 0xf7, 0xc1, 0x5c, 0xdf, 0xe9, 0x32, 0x4d, 0xca, 0xb6, 0xee, 0xde, 0xa1,
-	0x08, 0x9f, 0xab, 0x47, 0x4e, 0xc8, 0x6e, 0xc2, 0xa4, 0xb5, 0x24, 0x3a, 0x98, 0x4b, 0xb6, 0xa3,
-	0x14, 0x34, 0x5c, 0x05, 0xf3, 0xa6, 0x6e, 0x21, 0x82, 0xbb, 0x87, 0x1d, 0xa2, 0xd9, 0x56, 0xd7,
-	0xe3, 0x01, 0x54, 0x6a, 0x2d, 0x0b, 0x80, 0xf9, 0x8d, 0xa4, 0x18, 0xa5, 0xf5, 0xe1, 0x3a, 0x58,
-	0x0c, 0xf6, 0xd9, 0xef, 0xeb, 0x1e, 0xb5, 0xdd, 0xc3, 0x75, 0xdd, 0xd4, 0x69, 0x75, 0x8a, 0xe3,
-	0x54, 0x87, 0x83, 0xfa, 0x22, 0x92, 0xc8, 0x91, 0xd4, 0x4a, 0xfd, 0x68, 0x0a, 0xcc, 0xa7, 0x76,
-	0x03, 0x78, 0x07, 0x2c, 0x69, 0x7d, 0xd7, 0x25, 0x16, 0xdd, 0xec, 0x9b, 0x7b, 0xc4, 0xed, 0x68,
-	0xfb, 0xa4, 0xdb, 0x37, 0x48, 0x97, 0xaf, 0x68, 0xa9, 0x55, 0x13, 0xbe, 0x2e, 0xb5, 0xa5, 0x5a,
-	0x28, 0xc7, 0x1a, 0xfe, 0x00, 0x40, 0x8b, 0x37, 0x6d, 0xe8, 0x9e, 0x17, 0x62, 0x16, 0x38, 0x66,
-	0x98, 0x80, 0x9b, 0x19, 0x0d, 0x24, 0xb1, 0x62, 0x3e, 0x76, 0x89, 0xa7, 0xbb, 0xa4, 0x9b, 0xf6,
-	0x71, 0x32, 0xe9, 0xe3, 0x9a, 0x54, 0x0b, 0xe5, 0x58, 0xc3, 0x57, 0x41, 0xc5, 0xef, 0x8d, 0xcf,
-	0xb9, 0x58, 0x9c, 0x05, 0x01, 0x56, 0xd9, 0x8c, 0x44, 0x28, 0xae, 0xc7, 0x86, 0x66, 0xef, 0x79,
-	0xc4, 0x3d, 0x20, 0xdd, 0x77, 0x7c, 0x0e, 0xc0, 0x0a, 0x65, 0x89, 0x17, 0xca, 0x70, 0x68, 0x5b,
-	0x19, 0x0d, 0x24, 0xb1, 0x62, 0x43, 0xf3, 0xa3, 0x26, 0x33, 0xb4, 0xa9, 0xe4, 0xd0, 0x76, 0xa5,
-	0x5a, 0x28, 0xc7, 0x9a, 0xc5, 0x9e, 0xef, 0xf2, 0xea, 0x01, 0xd6, 0x0d, 0xbc, 0x67, 0x90, 0xea,
-	0x74, 0x32, 0xf6, 0x36, 0x93, 0x62, 0x94, 0xd6, 0x87, 0xef, 0x80, 0x73, 0x7e, 0xd3, 0xae, 0x85,
-	0x43, 0x90, 0x32, 0x07, 0x79, 0x4e, 0x80, 0x9c, 0xdb, 0x4c, 0x2b, 0xa0, 0xac, 0x0d, 0xbc, 0x05,
-	0xe6, 0x34, 0xdb, 0x30, 0x78, 0x3c, 0xb6, 0xed, 0xbe, 0x45, 0xab, 0x33, 0x1c, 0x05, 0xb2, 0x1c,
-	0x6a, 0x27, 0x24, 0x28, 0xa5, 0x09, 0xef, 0x02, 0xa0, 0x05, 0xe5, 0xc0, 0xab, 0x82, 0xfc, 0x42,
-	0x9f, 0xad, 0x43, 0x51, 0x01, 0x0e, 0x9b, 0x3c, 0x14, 0x43, 0x53, 0x3f, 0x51, 0xc0, 0x72, 0x4e,
-	0x8e, 0xc3, 0xb7, 0x12, 0x55, 0xef, 0x6a, 0xaa, 0xea, 0x5d, 0xc8, 0x31, 0x8b, 0x95, 0x3e, 0x0d,
-	0xcc, 0x32, 0xde, 0xa1, 0x5b, 0x3d, 0x5f, 0x45, 0xec, 0x60, 0x2f, 0xc9, 0x7c, 0x47, 0x71, 0xc5,
-	0x68, 0x1b, 0x3e, 0x37, 0x1c, 0xd4, 0x67, 0x13, 0x32, 0x94, 0xc4, 0x54, 0x7f, 0x51, 0x00, 0x60,
-	0x8d, 0x38, 0x86, 0x7d, 0x68, 0x12, 0xeb, 0x34, 0x58, 0xcb, 0x5a, 0x82, 0xb5, 0xa8, 0xd2, 0x85,
-	0x08, 0xfd, 0xc9, 0xa5, 0x2d, 0xeb, 0x29, 0xda, 0x72, 0x69, 0x04, 0xce, 0xd1, 0xbc, 0xe5, 0x6f,
-	0x93, 0x60, 0x21, 0x52, 0x8e, 0x88, 0xcb, 0x1b, 0x89, 0x25, 0xbc, 0x92, 0x5a, 0xc2, 0x65, 0x89,
-	0xc9, 0x53, 0x63, 0x2e, 0x1f, 0x80, 0x39, 0xc6, 0x2b, 0xfc, 0x55, 0xe3, 0xac, 0x65, 0xea, 0xd8,
-	0xac, 0x25, 0xac, 0x3a, 0xeb, 0x09, 0x24, 0x94, 0x42, 0xce, 0x61, 0x49, 0xd3, 0x5f, 0x45, 0x96,
-	0xf4, 0x7b, 0x05, 0xcc, 0x45, 0xcb, 0x74, 0x0a, 0x34, 0xa9, 0x9d, 0xa4, 0x49, 0xb5, 0xa3, 0xe3,
-	0x32, 0x87, 0x27, 0xfd, 0xb5, 0x18, 0xf7, 0x9a, 0x13, 0xa5, 0x15, 0x76, 0xa0, 0x72, 0x0c, 0x5d,
-	0xc3, 0x9e, 0x28, 0xab, 0x67, 0xfc, 0xc3, 0x94, 0xdf, 0x86, 0x42, 0x69, 0x82, 0x52, 0x15, 0x9e,
-	0x2e, 0xa5, 0x9a, 0xfc, 0x62, 0x28, 0xd5, 0x0e, 0x28, 0x7b, 0x01, 0x99, 0x2a, 0x72, 0xc8, 0xcb,
-	0xa3, 0xd2, 0x59, 0xf0, 0xa8, 0x10, 0x35, 0x64, 0x50, 0x21, 0x92, 0x8c, 0x3b, 0x95, 0xbe, 0x4c,
-	0xee, 0xc4, 0xc2, 0xdb, 0xc1, 0x7d, 0x8f, 0x74, 0x79, 0x2a, 0x95, 0xa3, 0xf0, 0xde, 0xe6, 0xad,
-	0x48, 0x48, 0xe1, 0x2e, 0x58, 0x76, 0x5c, 0xbb, 0xe7, 0x12, 0xcf, 0x5b, 0x23, 0xb8, 0x6b, 0xe8,
-	0x16, 0x09, 0x06, 0xe0, 0x57, 0xbd, 0x0b, 0xc3, 0x41, 0x7d, 0x79, 0x5b, 0xae, 0x82, 0xf2, 0x6c,
-	0xd5, 0x5f, 0x95, 0xc0, 0xd9, 0xf4, 0x8e, 0x98, 0x43, 0x44, 0x94, 0x13, 0x11, 0x91, 0x97, 0x63,
-	0x21, 0xea, 0xb3, 0xb4, 0xd8, 0x99, 0x3f, 0x13, 0xa6, 0xab, 0x60, 0x5e, 0x10, 0x8f, 0x40, 0x28,
-	0xa8, 0x58, 0xb8, 0x3c, 0xbb, 0x49, 0x31, 0x4a, 0xeb, 0xc3, 0x37, 0xc0, 0xac, 0xcb, 0xb9, 0x55,
-	0x00, 0xe0, 0xf3, 0x93, 0x6f, 0x08, 0x80, 0x59, 0x14, 0x17, 0xa2, 0xa4, 0x2e, 0xe3, 0x26, 0x11,
-	0xe5, 0x08, 0x00, 0x8a, 0x49, 0x6e, 0xb2, 0x9a, 0x56, 0x40, 0x59, 0x1b, 0xb8, 0x01, 0x16, 0xfa,
-	0x56, 0x16, 0xca, 0x8f, 0xb5, 0x0b, 0x02, 0x6a, 0x61, 0x37, 0xab, 0x82, 0x64, 0x76, 0xf0, 0x36,
-	0x58, 0xa0, 0xc4, 0x35, 0x75, 0x0b, 0x53, 0xdd, 0xea, 0x85, 0x70, 0xfe, 0xca, 0x2f, 0x33, 0xa8,
-	0x9d, 0xac, 0x18, 0xc9, 0x6c, 0xe0, 0x8f, 0x12, 0xcc, 0x67, 0x8a, 0x6f, 0x48, 0x57, 0x8e, 0xce,
-	0xac, 0xb1, 0xa9, 0x8f, 0x84, 0x92, 0x95, 0xc7, 0xa5, 0x64, 0xea, 0xc7, 0x0a, 0x80, 0xd9, 0x6c,
-	0x1e, 0x79, 0x4f, 0x90, 0xb1, 0x88, 0x55, 0xdb, 0xae, 0x9c, 0x2c, 0x5d, 0x1d, 0x4d, 0x96, 0xa2,
-	0xcd, 0x78, 0x3c, 0xb6, 0x24, 0xa6, 0xf7, 0x74, 0xee, 0x78, 0xc6, 0x60, 0x4b, 0x91, 0x3f, 0x4f,
-	0xc6, 0x96, 0x62, 0x38, 0x47, 0xb3, 0xa5, 0x7f, 0x16, 0xc0, 0x42, 0xa4, 0x3c, 0x36, 0x5b, 0x92,
-	0x98, 0x3c, 0xbb, 0xe7, 0x19, 0x8f, 0xc1, 0x44, 0x53, 0xf7, 0x7f, 0xc2, 0x60, 0x22, 0x87, 0x72,
-	0x18, 0xcc, 0x6f, 0x0b, 0x71, 0xaf, 0x8f, 0xc9, 0x60, 0xbe, 0x80, 0x5b, 0x8f, 0xaf, 0x1c, 0x09,
-	0x52, 0x3f, 0x2a, 0x82, 0xb3, 0xe9, 0x14, 0x4c, 0x94, 0x54, 0x65, 0x64, 0x49, 0xdd, 0x06, 0x8b,
-	0xf7, 0xfa, 0x86, 0x71, 0xc8, 0xc7, 0x10, 0xab, 0xab, 0x7e, 0x31, 0xfe, 0xa6, 0xb0, 0x5c, 0xfc,
-	0x9e, 0x44, 0x07, 0x49, 0x2d, 0xb3, 0x15, 0xb6, 0xf8, 0xa4, 0x15, 0xb6, 0x74, 0x82, 0x0a, 0x9b,
-	0x53, 0x12, 0xa7, 0x4f, 0x50, 0x12, 0xe5, 0x7c, 0x67, 0xf2, 0x44, 0x7c, 0x67, 0xec, 0xf2, 0x2a,
-	0xd9, 0xf9, 0x46, 0xde, 0x2c, 0x0c, 0x15, 0xb0, 0x24, 0x3f, 0xd4, 0x43, 0x03, 0xcc, 0x99, 0xf8,
-	0x41, 0xfc, 0x4a, 0x65, 0x54, 0xed, 0xe9, 0x53, 0xdd, 0x68, 0xf8, 0x6f, 0x4e, 0x8d, 0xdb, 0x16,
-	0xdd, 0x72, 0x3b, 0xd4, 0xd5, 0xad, 0x9e, 0x5f, 0xab, 0x37, 0x12, 0x58, 0x28, 0x85, 0x0d, 0xef,
-	0x82, 0xb2, 0x89, 0x1f, 0x74, 0xfa, 0x6e, 0x2f, 0xa8, 0xa9, 0xc7, 0xef, 0x87, 0xa7, 0xd1, 0x86,
-	0x40, 0x41, 0x21, 0x9e, 0xfa, 0xb9, 0x02, 0x96, 0x73, 0x8a, 0xf1, 0xd7, 0x68, 0x94, 0x7f, 0x54,
-	0xc0, 0xc5, 0xc4, 0x28, 0x59, 0x72, 0x93, 0x7b, 0x7d, 0x83, 0xe7, 0xb9, 0xe0, 0x3e, 0x57, 0xc1,
-	0x8c, 0x83, 0x5d, 0xaa, 0x87, 0xfc, 0xbb, 0xd4, 0x9a, 0x1d, 0x0e, 0xea, 0x33, 0xdb, 0x41, 0x23,
-	0x8a, 0xe4, 0x92, 0xb9, 0x29, 0x3c, 0xbd, 0xb9, 0x51, 0x7f, 0x59, 0x00, 0x95, 0x98, 0xcb, 0xa7,
-	0xc0, 0x7a, 0xde, 0x4e, 0xb0, 0x1e, 0xe9, 0x93, 0x54, 0x7c, 0x0e, 0xf3, 0x68, 0xcf, 0x46, 0x8a,
-	0xf6, 0x7c, 0x7b, 0x14, 0xd0, 0xd1, 0xbc, 0xe7, 0x5f, 0x05, 0xb0, 0x18, 0xd3, 0x8e, 0x88, 0xcf,
-	0x77, 0x13, 0xc4, 0x67, 0x25, 0x45, 0x7c, 0xaa, 0x32, 0x9b, 0x67, 0xcc, 0x67, 0x34, 0xf3, 0xf9,
-	0x83, 0x02, 0xe6, 0x63, 0x73, 0x77, 0x0a, 0xd4, 0x67, 0x2d, 0x49, 0x7d, 0xea, 0x23, 0xe2, 0x25,
-	0x87, 0xfb, 0xdc, 0x02, 0x0b, 0x31, 0xa5, 0x2d, 0xb7, 0xab, 0x5b, 0xd8, 0xf0, 0xe0, 0x0b, 0xa0,
-	0xe4, 0x51, 0xec, 0xd2, 0x20, 0xbb, 0x03, 0xdb, 0x0e, 0x6b, 0x44, 0xbe, 0x4c, 0xfd, 0xb7, 0x02,
-	0x9a, 0x31, 0xe3, 0x6d, 0xe2, 0x7a, 0xba, 0x47, 0x89, 0x45, 0xef, 0xd8, 0x46, 0xdf, 0x24, 0x6d,
-	0x03, 0xeb, 0x26, 0x22, 0xac, 0x41, 0xb7, 0xad, 0x6d, 0xdb, 0xd0, 0xb5, 0x43, 0x88, 0x41, 0xe5,
-	0xc3, 0x7d, 0x62, 0xad, 0x11, 0x83, 0x50, 0xf1, 0xe8, 0x32, 0xd3, 0x7a, 0x2b, 0x78, 0x83, 0x78,
-	0x2f, 0x12, 0x3d, 0x1e, 0xd4, 0x57, 0xc6, 0x41, 0xe4, 0xc1, 0x19, 0xc7, 0x84, 0x3f, 0x01, 0x80,
-	0x7d, 0x76, 0x34, 0x1c, 0x3c, 0xc1, 0xcc, 0xb4, 0xde, 0x0c, 0x52, 0xf8, 0xbd, 0x50, 0x72, 0xac,
-	0x0e, 0x62, 0x88, 0xea, 0x6f, 0xca, 0x89, 0xa5, 0xfe, 0xda, 0xdf, 0x78, 0xfd, 0x0c, 0x2c, 0x1e,
-	0x44, 0xb3, 0x13, 0x28, 0x30, 0x7a, 0xc5, 0xe2, 0xee, 0x45, 0x29, 0xbc, 0x6c, 0x5e, 0x23, 0x52,
-	0x77, 0x47, 0x02, 0x87, 0xa4, 0x9d, 0xc0, 0x57, 0x41, 0x85, 0x71, 0x19, 0x5d, 0x23, 0x9b, 0xd8,
-	0x0c, 0xd2, 0x30, 0x7c, 0xb3, 0xea, 0x44, 0x22, 0x14, 0xd7, 0x83, 0xfb, 0x60, 0xc1, 0xb1, 0xbb,
-	0x1b, 0xd8, 0xc2, 0x3d, 0xc2, 0x2a, 0xb4, 0xbf, 0x94, 0xfc, 0x2e, 0x6c, 0xa6, 0xf5, 0x5a, 0x70,
-	0xcf, 0xb1, 0x9d, 0x55, 0x61, 0x87, 0x3f, 0x49, 0x33, 0x0f, 0x02, 0x19, 0x24, 0x34, 0x33, 0x4f,
-	0xac, 0xd3, 0x99, 0xff, 0xa5, 0xc8, 0xf2, 0xf1, 0x84, 0x8f, 0xac, 0x79, 0xb7, 0x7c, 0xe5, 0x13,
-	0xdd, 0xf2, 0x49, 0x0e, 0x2f, 0x33, 0xc7, 0x3c, 0xbc, 0xfc, 0x49, 0x01, 0x97, 0x9c, 0x31, 0xd2,
-	0xa8, 0x0a, 0xf8, 0xb4, 0xb4, 0x47, 0x4c, 0xcb, 0x38, 0x19, 0xd9, 0x5a, 0x19, 0x0e, 0xea, 0x97,
-	0xc6, 0xd1, 0x44, 0x63, 0xb9, 0xc6, 0x92, 0xc6, 0x16, 0x3b, 0x5f, 0xb5, 0xc2, 0xdd, 0xbc, 0x32,
-	0xc2, 0xcd, 0x60, 0xa3, 0xf4, 0xf3, 0x30, 0xf8, 0x42, 0x21, 0x8c, 0xfa, 0x71, 0x09, 0x9c, 0xcb,
-	0x54, 0xeb, 0x2f, 0xf1, 0x06, 0x33, 0x73, 0x38, 0x9a, 0x3c, 0xc6, 0xe1, 0x68, 0x15, 0xcc, 0x8b,
-	0x67, 0xef, 0xd4, 0xd9, 0x2a, 0x0c, 0x93, 0x76, 0x52, 0x8c, 0xd2, 0xfa, 0xb2, 0x1b, 0xd4, 0xd2,
-	0x31, 0x6f, 0x50, 0xe3, 0x5e, 0x88, 0x7f, 0x6b, 0xf9, 0xf9, 0x9c, 0xf5, 0x42, 0xfc, 0x69, 0x2b,
-	0xad, 0x0f, 0xdf, 0x0c, 0x92, 0x35, 0x44, 0x98, 0xe6, 0x08, 0xa9, 0xec, 0x0b, 0x01, 0x52, 0xda,
-	0x4f, 0xf4, 0xb4, 0xfb, 0xbe, 0xe4, 0x69, 0x77, 0x65, 0x44, 0x98, 0x8d, 0x7f, 0xc3, 0x29, 0x3d,
-	0xbf, 0x56, 0x8e, 0x7f, 0x7e, 0x55, 0xff, 0xa2, 0x80, 0xe7, 0x72, 0xb7, 0x29, 0xb8, 0x9a, 0x60,
-	0x8f, 0xd7, 0x52, 0xec, 0xf1, 0xf9, 0x5c, 0xc3, 0x18, 0x85, 0x34, 0xe5, 0x97, 0x9f, 0x37, 0x47,
-	0x5e, 0x7e, 0x4a, 0x4e, 0x22, 0xa3, 0x6f, 0x41, 0x5b, 0xaf, 0x3f, 0x7c, 0x54, 0x9b, 0xf8, 0xf4,
-	0x51, 0x6d, 0xe2, 0xb3, 0x47, 0xb5, 0x89, 0x9f, 0x0f, 0x6b, 0xca, 0xc3, 0x61, 0x4d, 0xf9, 0x74,
-	0x58, 0x53, 0x3e, 0x1b, 0xd6, 0x94, 0xbf, 0x0f, 0x6b, 0xca, 0xaf, 0x3f, 0xaf, 0x4d, 0xdc, 0x85,
-	0xd9, 0xff, 0x8a, 0xfe, 0x2f, 0x00, 0x00, 0xff, 0xff, 0x5f, 0x0a, 0xea, 0xf9, 0x40, 0x2a, 0x00,
-	0x00,
-}
+func (m *StatefulSetUpdateStrategy) Reset() { *m = StatefulSetUpdateStrategy{} }
 
 func (m *ControllerRevision) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/apps/v1/generated.proto b/staging/src/k8s.io/api/apps/v1/generated.proto
index 5885a62225f62..42d5415c2fcc0 100644
--- a/staging/src/k8s.io/api/apps/v1/generated.proto
+++ b/staging/src/k8s.io/api/apps/v1/generated.proto
@@ -343,7 +343,7 @@ message DeploymentStatus {
   // Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
   // .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 9;
 
@@ -481,7 +481,7 @@ message ReplicaSetStatus {
   // The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
   // and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 7;
 
@@ -581,10 +581,12 @@ message RollingUpdateStatefulSetStrategy {
   // The maximum number of pods that can be unavailable during the update.
   // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
   // Absolute number is calculated from percentage by rounding up. This can not be 0.
-  // Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-  // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+  // Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
   // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
   // will be counted towards MaxUnavailable.
+  // This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+  //
+  // +featureGate=MaxUnavailableStatefulSet
   // +optional
   optional .k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 2;
 }
diff --git a/staging/src/k8s.io/api/apps/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/apps/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..f9faa4e13a0d9
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1/generated.protomessage.pb.go
@@ -0,0 +1,82 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ControllerRevision) ProtoMessage() {}
+
+func (*ControllerRevisionList) ProtoMessage() {}
+
+func (*DaemonSet) ProtoMessage() {}
+
+func (*DaemonSetCondition) ProtoMessage() {}
+
+func (*DaemonSetList) ProtoMessage() {}
+
+func (*DaemonSetSpec) ProtoMessage() {}
+
+func (*DaemonSetStatus) ProtoMessage() {}
+
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
+
+func (*Deployment) ProtoMessage() {}
+
+func (*DeploymentCondition) ProtoMessage() {}
+
+func (*DeploymentList) ProtoMessage() {}
+
+func (*DeploymentSpec) ProtoMessage() {}
+
+func (*DeploymentStatus) ProtoMessage() {}
+
+func (*DeploymentStrategy) ProtoMessage() {}
+
+func (*ReplicaSet) ProtoMessage() {}
+
+func (*ReplicaSetCondition) ProtoMessage() {}
+
+func (*ReplicaSetList) ProtoMessage() {}
+
+func (*ReplicaSetSpec) ProtoMessage() {}
+
+func (*ReplicaSetStatus) ProtoMessage() {}
+
+func (*RollingUpdateDaemonSet) ProtoMessage() {}
+
+func (*RollingUpdateDeployment) ProtoMessage() {}
+
+func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
+
+func (*StatefulSet) ProtoMessage() {}
+
+func (*StatefulSetCondition) ProtoMessage() {}
+
+func (*StatefulSetList) ProtoMessage() {}
+
+func (*StatefulSetOrdinals) ProtoMessage() {}
+
+func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
+
+func (*StatefulSetSpec) ProtoMessage() {}
+
+func (*StatefulSetStatus) ProtoMessage() {}
+
+func (*StatefulSetUpdateStrategy) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apps/v1/types.go b/staging/src/k8s.io/api/apps/v1/types.go
index 4cf54cc99b609..b8989c140639a 100644
--- a/staging/src/k8s.io/api/apps/v1/types.go
+++ b/staging/src/k8s.io/api/apps/v1/types.go
@@ -19,7 +19,7 @@ package v1
 import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
@@ -123,10 +123,12 @@ type RollingUpdateStatefulSetStrategy struct {
 	// The maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding up. This can not be 0.
-	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
 	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
 	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+	//
+	// +featureGate=MaxUnavailableStatefulSet
 	// +optional
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"varint,2,opt,name=maxUnavailable"`
 }
@@ -512,7 +514,7 @@ type DeploymentStatus struct {
 	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
 	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,9,opt,name=terminatingReplicas"`
 
@@ -900,7 +902,7 @@ type ReplicaSetStatus struct {
 	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
 	// and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,7,opt,name=terminatingReplicas"`
 
diff --git a/staging/src/k8s.io/api/apps/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/apps/v1/types_swagger_doc_generated.go
index ac54033fd6d19..718914c6005f2 100644
--- a/staging/src/k8s.io/api/apps/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/apps/v1/types_swagger_doc_generated.go
@@ -182,7 +182,7 @@ var map_DeploymentStatus = map[string]string{
 	"readyReplicas":       "Total number of non-terminating pods targeted by this Deployment with a Ready Condition.",
 	"availableReplicas":   "Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.",
 	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
-	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"conditions":          "Represents the latest available observations of a deployment's current state.",
 	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
 }
@@ -253,7 +253,7 @@ var map_ReplicaSetStatus = map[string]string{
 	"fullyLabeledReplicas": "The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.",
 	"readyReplicas":        "The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.",
 	"availableReplicas":    "The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.",
-	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed ReplicaSet.",
 	"conditions":           "Represents the latest available observations of a replica set's current state.",
 }
@@ -285,7 +285,7 @@ func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
 var map_RollingUpdateStatefulSetStrategy = map[string]string{
 	"":               "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.",
 	"partition":      "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.",
-	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
+	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
 }
 
 func (RollingUpdateStatefulSetStrategy) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/apps/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/apps/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..ae9c3ace130d1
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1/zz_generated.model_name.go
@@ -0,0 +1,172 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevision) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ControllerRevision"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevisionList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ControllerRevisionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DaemonSetUpdateStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Deployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.Deployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DeploymentCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DeploymentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DeploymentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DeploymentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.DeploymentStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ReplicaSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ReplicaSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ReplicaSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ReplicaSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.ReplicaSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.RollingUpdateDaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDeployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.RollingUpdateDeployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateStatefulSetStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetOrdinals) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetOrdinals"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetPersistentVolumeClaimRetentionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1.StatefulSetUpdateStrategy"
+}
diff --git a/staging/src/k8s.io/api/apps/v1beta1/doc.go b/staging/src/k8s.io/api/apps/v1beta1/doc.go
index 7770fab5d2110..85f6df3fde96f 100644
--- a/staging/src/k8s.io/api/apps/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/apps/v1beta1/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apps.v1beta1
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/apps/v1beta1/generated.pb.go b/staging/src/k8s.io/api/apps/v1beta1/generated.pb.go
index ae84aaf487bc5..3058b6d272c62 100644
--- a/staging/src/k8s.io/api/apps/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/apps/v1beta1/generated.pb.go
@@ -23,14 +23,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -38,826 +36,53 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ControllerRevision) Reset() { *m = ControllerRevision{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ControllerRevisionList) Reset() { *m = ControllerRevisionList{} }
 
-func (m *ControllerRevision) Reset()      { *m = ControllerRevision{} }
-func (*ControllerRevision) ProtoMessage() {}
-func (*ControllerRevision) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{0}
-}
-func (m *ControllerRevision) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevision) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevision) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevision.Merge(m, src)
-}
-func (m *ControllerRevision) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevision) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevision.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevision proto.InternalMessageInfo
-
-func (m *ControllerRevisionList) Reset()      { *m = ControllerRevisionList{} }
-func (*ControllerRevisionList) ProtoMessage() {}
-func (*ControllerRevisionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{1}
-}
-func (m *ControllerRevisionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevisionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevisionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevisionList.Merge(m, src)
-}
-func (m *ControllerRevisionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevisionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevisionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevisionList proto.InternalMessageInfo
-
-func (m *Deployment) Reset()      { *m = Deployment{} }
-func (*Deployment) ProtoMessage() {}
-func (*Deployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{2}
-}
-func (m *Deployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Deployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Deployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Deployment.Merge(m, src)
-}
-func (m *Deployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *Deployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_Deployment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Deployment proto.InternalMessageInfo
-
-func (m *DeploymentCondition) Reset()      { *m = DeploymentCondition{} }
-func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{3}
-}
-func (m *DeploymentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCondition.Merge(m, src)
-}
-func (m *DeploymentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCondition proto.InternalMessageInfo
-
-func (m *DeploymentList) Reset()      { *m = DeploymentList{} }
-func (*DeploymentList) ProtoMessage() {}
-func (*DeploymentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{4}
-}
-func (m *DeploymentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentList.Merge(m, src)
-}
-func (m *DeploymentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentList proto.InternalMessageInfo
-
-func (m *DeploymentRollback) Reset()      { *m = DeploymentRollback{} }
-func (*DeploymentRollback) ProtoMessage() {}
-func (*DeploymentRollback) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{5}
-}
-func (m *DeploymentRollback) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentRollback) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentRollback) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentRollback.Merge(m, src)
-}
-func (m *DeploymentRollback) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentRollback) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentRollback.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentRollback proto.InternalMessageInfo
-
-func (m *DeploymentSpec) Reset()      { *m = DeploymentSpec{} }
-func (*DeploymentSpec) ProtoMessage() {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{6}
-}
-func (m *DeploymentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentSpec.Merge(m, src)
-}
-func (m *DeploymentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentSpec proto.InternalMessageInfo
-
-func (m *DeploymentStatus) Reset()      { *m = DeploymentStatus{} }
-func (*DeploymentStatus) ProtoMessage() {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{7}
-}
-func (m *DeploymentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStatus.Merge(m, src)
-}
-func (m *DeploymentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStatus proto.InternalMessageInfo
-
-func (m *DeploymentStrategy) Reset()      { *m = DeploymentStrategy{} }
-func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{8}
-}
-func (m *DeploymentStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStrategy.Merge(m, src)
-}
-func (m *DeploymentStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStrategy proto.InternalMessageInfo
-
-func (m *RollbackConfig) Reset()      { *m = RollbackConfig{} }
-func (*RollbackConfig) ProtoMessage() {}
-func (*RollbackConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{9}
-}
-func (m *RollbackConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollbackConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollbackConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollbackConfig.Merge(m, src)
-}
-func (m *RollbackConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollbackConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollbackConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RollbackConfig proto.InternalMessageInfo
-
-func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
-func (*RollingUpdateDeployment) ProtoMessage() {}
-func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{10}
-}
-func (m *RollingUpdateDeployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDeployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDeployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDeployment.Merge(m, src)
-}
-func (m *RollingUpdateDeployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDeployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDeployment.DiscardUnknown(m)
-}
+func (m *Deployment) Reset() { *m = Deployment{} }
 
-var xxx_messageInfo_RollingUpdateDeployment proto.InternalMessageInfo
+func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
 
-func (m *RollingUpdateStatefulSetStrategy) Reset()      { *m = RollingUpdateStatefulSetStrategy{} }
-func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
-func (*RollingUpdateStatefulSetStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{11}
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.Merge(m, src)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.DiscardUnknown(m)
-}
+func (m *DeploymentList) Reset() { *m = DeploymentList{} }
 
-var xxx_messageInfo_RollingUpdateStatefulSetStrategy proto.InternalMessageInfo
+func (m *DeploymentRollback) Reset() { *m = DeploymentRollback{} }
 
-func (m *Scale) Reset()      { *m = Scale{} }
-func (*Scale) ProtoMessage() {}
-func (*Scale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{12}
-}
-func (m *Scale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scale.Merge(m, src)
-}
-func (m *Scale) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scale) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scale.DiscardUnknown(m)
-}
+func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
 
-var xxx_messageInfo_Scale proto.InternalMessageInfo
+func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
 
-func (m *ScaleSpec) Reset()      { *m = ScaleSpec{} }
-func (*ScaleSpec) ProtoMessage() {}
-func (*ScaleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{13}
-}
-func (m *ScaleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleSpec.Merge(m, src)
-}
-func (m *ScaleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ScaleSpec proto.InternalMessageInfo
+func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
 
-func (m *ScaleStatus) Reset()      { *m = ScaleStatus{} }
-func (*ScaleStatus) ProtoMessage() {}
-func (*ScaleStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{14}
-}
-func (m *ScaleStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleStatus.Merge(m, src)
-}
-func (m *ScaleStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleStatus.DiscardUnknown(m)
-}
+func (m *RollbackConfig) Reset() { *m = RollbackConfig{} }
 
-var xxx_messageInfo_ScaleStatus proto.InternalMessageInfo
+func (m *RollingUpdateDeployment) Reset() { *m = RollingUpdateDeployment{} }
 
-func (m *StatefulSet) Reset()      { *m = StatefulSet{} }
-func (*StatefulSet) ProtoMessage() {}
-func (*StatefulSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{15}
-}
-func (m *StatefulSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSet.Merge(m, src)
-}
-func (m *StatefulSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSet.DiscardUnknown(m)
-}
+func (m *RollingUpdateStatefulSetStrategy) Reset() { *m = RollingUpdateStatefulSetStrategy{} }
 
-var xxx_messageInfo_StatefulSet proto.InternalMessageInfo
+func (m *Scale) Reset() { *m = Scale{} }
 
-func (m *StatefulSetCondition) Reset()      { *m = StatefulSetCondition{} }
-func (*StatefulSetCondition) ProtoMessage() {}
-func (*StatefulSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{16}
-}
-func (m *StatefulSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetCondition.Merge(m, src)
-}
-func (m *StatefulSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetCondition.DiscardUnknown(m)
-}
+func (m *ScaleSpec) Reset() { *m = ScaleSpec{} }
 
-var xxx_messageInfo_StatefulSetCondition proto.InternalMessageInfo
+func (m *ScaleStatus) Reset() { *m = ScaleStatus{} }
 
-func (m *StatefulSetList) Reset()      { *m = StatefulSetList{} }
-func (*StatefulSetList) ProtoMessage() {}
-func (*StatefulSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{17}
-}
-func (m *StatefulSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetList.Merge(m, src)
-}
-func (m *StatefulSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetList.DiscardUnknown(m)
-}
+func (m *StatefulSet) Reset() { *m = StatefulSet{} }
 
-var xxx_messageInfo_StatefulSetList proto.InternalMessageInfo
+func (m *StatefulSetCondition) Reset() { *m = StatefulSetCondition{} }
 
-func (m *StatefulSetOrdinals) Reset()      { *m = StatefulSetOrdinals{} }
-func (*StatefulSetOrdinals) ProtoMessage() {}
-func (*StatefulSetOrdinals) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{18}
-}
-func (m *StatefulSetOrdinals) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetOrdinals) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetOrdinals) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetOrdinals.Merge(m, src)
-}
-func (m *StatefulSetOrdinals) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetOrdinals) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetOrdinals.DiscardUnknown(m)
-}
+func (m *StatefulSetList) Reset() { *m = StatefulSetList{} }
 
-var xxx_messageInfo_StatefulSetOrdinals proto.InternalMessageInfo
+func (m *StatefulSetOrdinals) Reset() { *m = StatefulSetOrdinals{} }
 
 func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) Reset() {
 	*m = StatefulSetPersistentVolumeClaimRetentionPolicy{}
 }
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{19}
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.Merge(m, src)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy proto.InternalMessageInfo
-
-func (m *StatefulSetSpec) Reset()      { *m = StatefulSetSpec{} }
-func (*StatefulSetSpec) ProtoMessage() {}
-func (*StatefulSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{20}
-}
-func (m *StatefulSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetSpec.Merge(m, src)
-}
-func (m *StatefulSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetSpec proto.InternalMessageInfo
 
-func (m *StatefulSetStatus) Reset()      { *m = StatefulSetStatus{} }
-func (*StatefulSetStatus) ProtoMessage() {}
-func (*StatefulSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{21}
-}
-func (m *StatefulSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetStatus.Merge(m, src)
-}
-func (m *StatefulSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetStatus.DiscardUnknown(m)
-}
+func (m *StatefulSetSpec) Reset() { *m = StatefulSetSpec{} }
 
-var xxx_messageInfo_StatefulSetStatus proto.InternalMessageInfo
+func (m *StatefulSetStatus) Reset() { *m = StatefulSetStatus{} }
 
-func (m *StatefulSetUpdateStrategy) Reset()      { *m = StatefulSetUpdateStrategy{} }
-func (*StatefulSetUpdateStrategy) ProtoMessage() {}
-func (*StatefulSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2747f709ac7c95e7, []int{22}
-}
-func (m *StatefulSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetUpdateStrategy.Merge(m, src)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetUpdateStrategy proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ControllerRevision)(nil), "k8s.io.api.apps.v1beta1.ControllerRevision")
-	proto.RegisterType((*ControllerRevisionList)(nil), "k8s.io.api.apps.v1beta1.ControllerRevisionList")
-	proto.RegisterType((*Deployment)(nil), "k8s.io.api.apps.v1beta1.Deployment")
-	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.apps.v1beta1.DeploymentCondition")
-	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.apps.v1beta1.DeploymentList")
-	proto.RegisterType((*DeploymentRollback)(nil), "k8s.io.api.apps.v1beta1.DeploymentRollback")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.apps.v1beta1.DeploymentRollback.UpdatedAnnotationsEntry")
-	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.apps.v1beta1.DeploymentSpec")
-	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.apps.v1beta1.DeploymentStatus")
-	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.apps.v1beta1.DeploymentStrategy")
-	proto.RegisterType((*RollbackConfig)(nil), "k8s.io.api.apps.v1beta1.RollbackConfig")
-	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.apps.v1beta1.RollingUpdateDeployment")
-	proto.RegisterType((*RollingUpdateStatefulSetStrategy)(nil), "k8s.io.api.apps.v1beta1.RollingUpdateStatefulSetStrategy")
-	proto.RegisterType((*Scale)(nil), "k8s.io.api.apps.v1beta1.Scale")
-	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.apps.v1beta1.ScaleSpec")
-	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.apps.v1beta1.ScaleStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.apps.v1beta1.ScaleStatus.SelectorEntry")
-	proto.RegisterType((*StatefulSet)(nil), "k8s.io.api.apps.v1beta1.StatefulSet")
-	proto.RegisterType((*StatefulSetCondition)(nil), "k8s.io.api.apps.v1beta1.StatefulSetCondition")
-	proto.RegisterType((*StatefulSetList)(nil), "k8s.io.api.apps.v1beta1.StatefulSetList")
-	proto.RegisterType((*StatefulSetOrdinals)(nil), "k8s.io.api.apps.v1beta1.StatefulSetOrdinals")
-	proto.RegisterType((*StatefulSetPersistentVolumeClaimRetentionPolicy)(nil), "k8s.io.api.apps.v1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy")
-	proto.RegisterType((*StatefulSetSpec)(nil), "k8s.io.api.apps.v1beta1.StatefulSetSpec")
-	proto.RegisterType((*StatefulSetStatus)(nil), "k8s.io.api.apps.v1beta1.StatefulSetStatus")
-	proto.RegisterType((*StatefulSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta1.StatefulSetUpdateStrategy")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apps/v1beta1/generated.proto", fileDescriptor_2747f709ac7c95e7)
-}
-
-var fileDescriptor_2747f709ac7c95e7 = []byte{
-	// 2041 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x59, 0xdd, 0x6f, 0x1b, 0xc7,
-	0x11, 0xd7, 0x51, 0xa2, 0x44, 0x8d, 0x22, 0xca, 0x5e, 0xa9, 0x16, 0xa3, 0xb4, 0x92, 0x70, 0x31,
-	0x62, 0x25, 0xb1, 0x8f, 0xb1, 0x92, 0x06, 0x89, 0xdd, 0xba, 0x10, 0x25, 0x37, 0x56, 0x20, 0x45,
-	0xca, 0x4a, 0xb2, 0xd1, 0xf4, 0x03, 0x59, 0x91, 0x6b, 0xea, 0xa2, 0xfb, 0xc2, 0xdd, 0x52, 0x31,
-	0xd1, 0x97, 0xfe, 0x01, 0x2d, 0xd2, 0xe7, 0xfe, 0x15, 0xed, 0x53, 0x8b, 0x16, 0x7d, 0x2d, 0xfc,
-	0x18, 0xf4, 0xa5, 0x79, 0x22, 0x6a, 0xe6, 0xb5, 0x7d, 0x6b, 0x5f, 0x0c, 0x14, 0x28, 0x76, 0x6f,
-	0xef, 0xfb, 0x4e, 0x3a, 0x16, 0xb0, 0x80, 0xe6, 0x8d, 0xb7, 0x33, 0xf3, 0x9b, 0xd9, 0xd9, 0x99,
-	0xd9, 0x99, 0x25, 0xdc, 0x38, 0x7d, 0xcf, 0xd3, 0x74, 0xbb, 0x49, 0x1c, 0xbd, 0x49, 0x1c, 0xc7,
-	0x6b, 0x9e, 0xdd, 0x3e, 0xa6, 0x8c, 0xdc, 0x6e, 0x76, 0xa9, 0x45, 0x5d, 0xc2, 0x68, 0x47, 0x73,
-	0x5c, 0x9b, 0xd9, 0x68, 0xd1, 0x67, 0xd4, 0x88, 0xa3, 0x6b, 0x9c, 0x51, 0x93, 0x8c, 0x4b, 0xb7,
-	0xba, 0x3a, 0x3b, 0xe9, 0x1d, 0x6b, 0x6d, 0xdb, 0x6c, 0x76, 0xed, 0xae, 0xdd, 0x14, 0xfc, 0xc7,
-	0xbd, 0xc7, 0xe2, 0x4b, 0x7c, 0x88, 0x5f, 0x3e, 0xce, 0x92, 0x1a, 0x53, 0xd8, 0xb6, 0x5d, 0xda,
-	0x3c, 0xcb, 0xe8, 0x5a, 0x7a, 0x27, 0xe2, 0x31, 0x49, 0xfb, 0x44, 0xb7, 0xa8, 0xdb, 0x6f, 0x3a,
-	0xa7, 0x5d, 0xbe, 0xe0, 0x35, 0x4d, 0xca, 0x48, 0x9e, 0x54, 0xb3, 0x48, 0xca, 0xed, 0x59, 0x4c,
-	0x37, 0x69, 0x46, 0xe0, 0xdd, 0x8b, 0x04, 0xbc, 0xf6, 0x09, 0x35, 0x49, 0x46, 0xee, 0xed, 0x22,
-	0xb9, 0x1e, 0xd3, 0x8d, 0xa6, 0x6e, 0x31, 0x8f, 0xb9, 0x69, 0x21, 0xf5, 0xdf, 0x0a, 0xa0, 0x4d,
-	0xdb, 0x62, 0xae, 0x6d, 0x18, 0xd4, 0xc5, 0xf4, 0x4c, 0xf7, 0x74, 0xdb, 0x42, 0x9f, 0x42, 0x8d,
-	0xef, 0xa7, 0x43, 0x18, 0x69, 0x28, 0xab, 0xca, 0xda, 0xcc, 0xfa, 0x5b, 0x5a, 0xe4, 0xe9, 0x10,
-	0x5e, 0x73, 0x4e, 0xbb, 0x7c, 0xc1, 0xd3, 0x38, 0xb7, 0x76, 0x76, 0x5b, 0xdb, 0x3b, 0xfe, 0x8c,
-	0xb6, 0xd9, 0x2e, 0x65, 0xa4, 0x85, 0x9e, 0x0e, 0x56, 0xc6, 0x86, 0x83, 0x15, 0x88, 0xd6, 0x70,
-	0x88, 0x8a, 0xf6, 0x60, 0x42, 0xa0, 0x57, 0x04, 0xfa, 0xad, 0x42, 0x74, 0xb9, 0x69, 0x0d, 0x93,
-	0xcf, 0xef, 0x3f, 0x61, 0xd4, 0xe2, 0xe6, 0xb5, 0x5e, 0x92, 0xd0, 0x13, 0x5b, 0x84, 0x11, 0x2c,
-	0x80, 0xd0, 0x4d, 0xa8, 0xb9, 0xd2, 0xfc, 0xc6, 0xf8, 0xaa, 0xb2, 0x36, 0xde, 0xba, 0x22, 0xb9,
-	0x6a, 0xc1, 0xb6, 0x70, 0xc8, 0xa1, 0x3e, 0x55, 0xe0, 0x5a, 0x76, 0xdf, 0x3b, 0xba, 0xc7, 0xd0,
-	0x4f, 0x32, 0x7b, 0xd7, 0xca, 0xed, 0x9d, 0x4b, 0x8b, 0x9d, 0x87, 0x8a, 0x83, 0x95, 0xd8, 0xbe,
-	0xf7, 0xa1, 0xaa, 0x33, 0x6a, 0x7a, 0x8d, 0xca, 0xea, 0xf8, 0xda, 0xcc, 0xfa, 0x9b, 0x5a, 0x41,
-	0x00, 0x6b, 0x59, 0xeb, 0x5a, 0xb3, 0x12, 0xb7, 0xba, 0xcd, 0x11, 0xb0, 0x0f, 0xa4, 0xfe, 0xb2,
-	0x02, 0xb0, 0x45, 0x1d, 0xc3, 0xee, 0x9b, 0xd4, 0x62, 0x97, 0x70, 0x74, 0xdb, 0x30, 0xe1, 0x39,
-	0xb4, 0x2d, 0x8f, 0xee, 0x46, 0xe1, 0x0e, 0x22, 0xa3, 0x0e, 0x1c, 0xda, 0x8e, 0x0e, 0x8d, 0x7f,
-	0x61, 0x01, 0x81, 0x3e, 0x86, 0x49, 0x8f, 0x11, 0xd6, 0xf3, 0xc4, 0x91, 0xcd, 0xac, 0xbf, 0x5e,
-	0x06, 0x4c, 0x08, 0xb4, 0xea, 0x12, 0x6e, 0xd2, 0xff, 0xc6, 0x12, 0x48, 0xfd, 0xdb, 0x38, 0xcc,
-	0x47, 0xcc, 0x9b, 0xb6, 0xd5, 0xd1, 0x19, 0x0f, 0xe9, 0xbb, 0x30, 0xc1, 0xfa, 0x0e, 0x15, 0x3e,
-	0x99, 0x6e, 0xdd, 0x08, 0x8c, 0x39, 0xec, 0x3b, 0xf4, 0xf9, 0x60, 0x65, 0x31, 0x47, 0x84, 0x93,
-	0xb0, 0x10, 0x42, 0x3b, 0xa1, 0x9d, 0x15, 0x21, 0xfe, 0x4e, 0x52, 0xf9, 0xf3, 0xc1, 0x4a, 0x4e,
-	0x01, 0xd1, 0x42, 0xa4, 0xa4, 0x89, 0xe8, 0x33, 0xa8, 0x1b, 0xc4, 0x63, 0x47, 0x4e, 0x87, 0x30,
-	0x7a, 0xa8, 0x9b, 0xb4, 0x31, 0x29, 0x76, 0xff, 0x46, 0xb9, 0x83, 0xe2, 0x12, 0xad, 0x6b, 0xd2,
-	0x82, 0xfa, 0x4e, 0x02, 0x09, 0xa7, 0x90, 0xd1, 0x19, 0x20, 0xbe, 0x72, 0xe8, 0x12, 0xcb, 0xf3,
-	0x77, 0xc5, 0xf5, 0x4d, 0x8d, 0xac, 0x6f, 0x49, 0xea, 0x43, 0x3b, 0x19, 0x34, 0x9c, 0xa3, 0x01,
-	0xbd, 0x06, 0x93, 0x2e, 0x25, 0x9e, 0x6d, 0x35, 0x26, 0x84, 0xc7, 0xc2, 0xe3, 0xc2, 0x62, 0x15,
-	0x4b, 0x2a, 0x7a, 0x1d, 0xa6, 0x4c, 0xea, 0x79, 0xa4, 0x4b, 0x1b, 0x55, 0xc1, 0x38, 0x27, 0x19,
-	0xa7, 0x76, 0xfd, 0x65, 0x1c, 0xd0, 0xd5, 0x3f, 0x28, 0x50, 0x8f, 0x8e, 0xe9, 0x12, 0x72, 0xf5,
-	0x41, 0x32, 0x57, 0x5f, 0x2d, 0x11, 0x9c, 0x05, 0x39, 0xfa, 0x8f, 0x0a, 0xa0, 0x88, 0x09, 0xdb,
-	0x86, 0x71, 0x4c, 0xda, 0xa7, 0x68, 0x15, 0x26, 0x2c, 0x62, 0x06, 0x31, 0x19, 0x26, 0xc8, 0x47,
-	0xc4, 0xa4, 0x58, 0x50, 0xd0, 0x17, 0x0a, 0xa0, 0x9e, 0x38, 0xcd, 0xce, 0x86, 0x65, 0xd9, 0x8c,
-	0x70, 0x07, 0x07, 0x06, 0x6d, 0x96, 0x30, 0x28, 0xd0, 0xa5, 0x1d, 0x65, 0x50, 0xee, 0x5b, 0xcc,
-	0xed, 0x47, 0x07, 0x9b, 0x65, 0xc0, 0x39, 0xaa, 0xd1, 0x8f, 0x01, 0x5c, 0x89, 0x79, 0x68, 0xcb,
-	0xb4, 0x2d, 0xae, 0x01, 0x81, 0xfa, 0x4d, 0xdb, 0x7a, 0xac, 0x77, 0xa3, 0xc2, 0x82, 0x43, 0x08,
-	0x1c, 0x83, 0x5b, 0xba, 0x0f, 0x8b, 0x05, 0x76, 0xa2, 0x2b, 0x30, 0x7e, 0x4a, 0xfb, 0xbe, 0xab,
-	0x30, 0xff, 0x89, 0x16, 0xa0, 0x7a, 0x46, 0x8c, 0x1e, 0xf5, 0x73, 0x12, 0xfb, 0x1f, 0x77, 0x2a,
-	0xef, 0x29, 0xea, 0x6f, 0xab, 0xf1, 0x48, 0xe1, 0xf5, 0x06, 0xad, 0xf1, 0xeb, 0xc1, 0x31, 0xf4,
-	0x36, 0xf1, 0x04, 0x46, 0xb5, 0xf5, 0x92, 0x7f, 0x35, 0xf8, 0x6b, 0x38, 0xa4, 0xa2, 0x9f, 0x42,
-	0xcd, 0xa3, 0x06, 0x6d, 0x33, 0xdb, 0x95, 0x25, 0xee, 0xed, 0x92, 0x31, 0x45, 0x8e, 0xa9, 0x71,
-	0x20, 0x45, 0x7d, 0xf8, 0xe0, 0x0b, 0x87, 0x90, 0xe8, 0x63, 0xa8, 0x31, 0x6a, 0x3a, 0x06, 0x61,
-	0x54, 0x7a, 0x2f, 0x11, 0x57, 0xbc, 0x76, 0x70, 0xb0, 0x7d, 0xbb, 0x73, 0x28, 0xd9, 0x44, 0xf5,
-	0x0c, 0xe3, 0x34, 0x58, 0xc5, 0x21, 0x0c, 0xfa, 0x11, 0xd4, 0x3c, 0xc6, 0x6f, 0xf5, 0x6e, 0x5f,
-	0x64, 0xdb, 0x79, 0xd7, 0x4a, 0xbc, 0x8e, 0xfa, 0x22, 0x11, 0x74, 0xb0, 0x82, 0x43, 0x38, 0xb4,
-	0x01, 0x73, 0xa6, 0x6e, 0x61, 0x4a, 0x3a, 0xfd, 0x03, 0xda, 0xb6, 0xad, 0x8e, 0x27, 0xd2, 0xb4,
-	0xda, 0x5a, 0x94, 0x42, 0x73, 0xbb, 0x49, 0x32, 0x4e, 0xf3, 0xa3, 0x1d, 0x58, 0x08, 0xae, 0xdd,
-	0x07, 0xba, 0xc7, 0x6c, 0xb7, 0xbf, 0xa3, 0x9b, 0x3a, 0x13, 0x35, 0xaf, 0xda, 0x6a, 0x0c, 0x07,
-	0x2b, 0x0b, 0x38, 0x87, 0x8e, 0x73, 0xa5, 0x78, 0x5d, 0x71, 0x48, 0xcf, 0xa3, 0x1d, 0x51, 0xc3,
-	0x6a, 0x51, 0x5d, 0xd9, 0x17, 0xab, 0x58, 0x52, 0xd1, 0xa3, 0x44, 0x98, 0xd6, 0x46, 0x0b, 0xd3,
-	0x7a, 0x71, 0x88, 0xa2, 0x23, 0x58, 0x74, 0x5c, 0xbb, 0xeb, 0x52, 0xcf, 0xdb, 0xa2, 0xa4, 0x63,
-	0xe8, 0x16, 0x0d, 0x3c, 0x33, 0x2d, 0x76, 0xf4, 0xca, 0x70, 0xb0, 0xb2, 0xb8, 0x9f, 0xcf, 0x82,
-	0x8b, 0x64, 0xd5, 0x5f, 0x55, 0xe1, 0x4a, 0xfa, 0x8e, 0x43, 0x1f, 0x02, 0xb2, 0x8f, 0x3d, 0xea,
-	0x9e, 0xd1, 0xce, 0x07, 0x7e, 0xe3, 0xc6, 0xbb, 0x1b, 0x45, 0x74, 0x37, 0x61, 0xde, 0xee, 0x65,
-	0x38, 0x70, 0x8e, 0x94, 0xdf, 0x1f, 0xc9, 0x04, 0xa8, 0x08, 0x43, 0x63, 0xfd, 0x51, 0x26, 0x09,
-	0x36, 0x60, 0x4e, 0xe6, 0x7e, 0x40, 0x14, 0xc1, 0x1a, 0x3b, 0xf7, 0xa3, 0x24, 0x19, 0xa7, 0xf9,
-	0xd1, 0x5d, 0x98, 0x75, 0x79, 0x1c, 0x84, 0x00, 0x53, 0x02, 0xe0, 0x5b, 0x12, 0x60, 0x16, 0xc7,
-	0x89, 0x38, 0xc9, 0x8b, 0x3e, 0x80, 0xab, 0xe4, 0x8c, 0xe8, 0x06, 0x39, 0x36, 0x68, 0x08, 0x30,
-	0x21, 0x00, 0x5e, 0x96, 0x00, 0x57, 0x37, 0xd2, 0x0c, 0x38, 0x2b, 0x83, 0x76, 0x61, 0xbe, 0x67,
-	0x65, 0xa1, 0xfc, 0x20, 0x7e, 0x45, 0x42, 0xcd, 0x1f, 0x65, 0x59, 0x70, 0x9e, 0x1c, 0xda, 0x86,
-	0x79, 0x46, 0x5d, 0x53, 0xb7, 0x08, 0xd3, 0xad, 0x6e, 0x08, 0xe7, 0x9f, 0xfc, 0x22, 0x87, 0x3a,
-	0xcc, 0x92, 0x71, 0x9e, 0x0c, 0xfa, 0x14, 0xa0, 0x1d, 0x34, 0x08, 0x5e, 0x63, 0x52, 0x54, 0xf4,
-	0x9b, 0x25, 0xf2, 0x36, 0xec, 0x2a, 0xa2, 0x6a, 0x1a, 0x2e, 0x79, 0x38, 0x86, 0x89, 0xee, 0x40,
-	0xbd, 0x6d, 0x1b, 0x86, 0x48, 0xa2, 0x4d, 0xbb, 0x67, 0x31, 0x91, 0x07, 0xd5, 0x16, 0xe2, 0x7d,
-	0xc3, 0x66, 0x82, 0x82, 0x53, 0x9c, 0xea, 0x9f, 0x94, 0xf8, 0x8d, 0x15, 0x54, 0x06, 0x74, 0x27,
-	0xd1, 0x45, 0xbd, 0x96, 0xea, 0xa2, 0xae, 0x65, 0x25, 0x62, 0x4d, 0x94, 0x0e, 0xb3, 0x3c, 0x8f,
-	0x74, 0xab, 0xeb, 0xc7, 0x8e, 0xac, 0xae, 0x6f, 0x9d, 0x9b, 0x95, 0x21, 0x77, 0xec, 0x8e, 0xbd,
-	0x2a, 0xc2, 0x27, 0x4e, 0xc4, 0x49, 0x64, 0xf5, 0x1e, 0xd4, 0x93, 0x29, 0x9d, 0x18, 0x0f, 0x94,
-	0x0b, 0xc7, 0x83, 0xaf, 0x15, 0x58, 0x2c, 0xd0, 0x8e, 0x0c, 0xa8, 0x9b, 0xe4, 0x49, 0x2c, 0x62,
-	0x2e, 0x6c, 0xb3, 0xf9, 0x00, 0xa6, 0xf9, 0x03, 0x98, 0xb6, 0x6d, 0xb1, 0x3d, 0xf7, 0x80, 0xb9,
-	0xba, 0xd5, 0xf5, 0xcf, 0x61, 0x37, 0x81, 0x85, 0x53, 0xd8, 0xe8, 0x13, 0xa8, 0x99, 0xe4, 0xc9,
-	0x41, 0xcf, 0xed, 0xe6, 0xf9, 0xab, 0x9c, 0x1e, 0x71, 0x15, 0xed, 0x4a, 0x14, 0x1c, 0xe2, 0xa9,
-	0x7f, 0x56, 0x60, 0x35, 0xb1, 0x4b, 0x5e, 0x76, 0xe8, 0xe3, 0x9e, 0x71, 0x40, 0xa3, 0x13, 0x7f,
-	0x13, 0xa6, 0x1d, 0xe2, 0x32, 0x3d, 0x2c, 0x3d, 0xd5, 0xd6, 0xec, 0x70, 0xb0, 0x32, 0xbd, 0x1f,
-	0x2c, 0xe2, 0x88, 0x9e, 0xe3, 0x9b, 0xca, 0x8b, 0xf3, 0x8d, 0xfa, 0x1f, 0x05, 0xaa, 0x07, 0x6d,
-	0x62, 0xd0, 0x4b, 0x18, 0x7a, 0xb6, 0x12, 0x43, 0x8f, 0x5a, 0x18, 0xb3, 0xc2, 0x9e, 0xc2, 0x79,
-	0x67, 0x27, 0x35, 0xef, 0x5c, 0xbf, 0x00, 0xe7, 0xfc, 0x51, 0xe7, 0x7d, 0x98, 0x0e, 0xd5, 0x25,
-	0xea, 0xbb, 0x72, 0x51, 0x7d, 0x57, 0x7f, 0x53, 0x81, 0x99, 0x98, 0x8a, 0xd1, 0xa4, 0xb9, 0xbb,
-	0x63, 0x2d, 0x12, 0x2f, 0x5c, 0xeb, 0x65, 0x36, 0xa2, 0x05, 0xed, 0x90, 0xdf, 0x79, 0x46, 0x7d,
-	0x47, 0xb6, 0x4b, 0xba, 0x07, 0x75, 0x46, 0xdc, 0x2e, 0x65, 0x01, 0x4d, 0x38, 0x6c, 0x3a, 0x1a,
-	0x7b, 0x0e, 0x13, 0x54, 0x9c, 0xe2, 0x5e, 0xba, 0x0b, 0xb3, 0x09, 0x65, 0x23, 0xb5, 0x8f, 0x5f,
-	0x70, 0xe7, 0x44, 0xa9, 0x70, 0x09, 0xd1, 0xf5, 0x61, 0x22, 0xba, 0xd6, 0x8a, 0x9d, 0x19, 0x4b,
-	0xd0, 0xa2, 0x18, 0xc3, 0xa9, 0x18, 0x7b, 0xa3, 0x14, 0xda, 0xf9, 0x91, 0xf6, 0xcf, 0x0a, 0x2c,
-	0xc4, 0xb8, 0xa3, 0xa9, 0xfa, 0x7b, 0x89, 0xfb, 0x60, 0x2d, 0x75, 0x1f, 0x34, 0xf2, 0x64, 0x5e,
-	0xd8, 0x58, 0x9d, 0x3f, 0xea, 0x8e, 0xff, 0x3f, 0x8e, 0xba, 0x7f, 0x54, 0x60, 0x2e, 0xe6, 0xbb,
-	0x4b, 0x98, 0x75, 0xb7, 0x93, 0xb3, 0xee, 0xf5, 0x32, 0x41, 0x53, 0x30, 0xec, 0xde, 0x81, 0xf9,
-	0x18, 0xd3, 0x9e, 0xdb, 0xd1, 0x2d, 0x62, 0x78, 0xe8, 0x55, 0xa8, 0x7a, 0x8c, 0xb8, 0x2c, 0xb8,
-	0x44, 0x02, 0xd9, 0x03, 0xbe, 0x88, 0x7d, 0x9a, 0xfa, 0x2f, 0x05, 0x9a, 0x31, 0xe1, 0x7d, 0xea,
-	0x7a, 0xba, 0xc7, 0xa8, 0xc5, 0x1e, 0xda, 0x46, 0xcf, 0xa4, 0x9b, 0x06, 0xd1, 0x4d, 0x4c, 0xf9,
-	0x82, 0x6e, 0x5b, 0xfb, 0xb6, 0xa1, 0xb7, 0xfb, 0x88, 0xc0, 0xcc, 0xe7, 0x27, 0xd4, 0xda, 0xa2,
-	0x06, 0x65, 0xb4, 0x23, 0x43, 0xf1, 0x07, 0x12, 0x7e, 0xe6, 0x51, 0x44, 0x7a, 0x3e, 0x58, 0x59,
-	0x2b, 0x83, 0x28, 0x22, 0x34, 0x8e, 0x89, 0x7e, 0x06, 0xc0, 0x3f, 0x45, 0x2d, 0xeb, 0xc8, 0x60,
-	0xbd, 0x17, 0x64, 0xf4, 0xa3, 0x90, 0x32, 0x92, 0x82, 0x18, 0xa2, 0xfa, 0xbb, 0x5a, 0xe2, 0xbc,
-	0xbf, 0xf1, 0x13, 0xeb, 0xcf, 0x61, 0xe1, 0x2c, 0xf2, 0x4e, 0xc0, 0xc0, 0x3b, 0xfc, 0xf1, 0xf4,
-	0x2b, 0x60, 0x08, 0x9f, 0xe7, 0xd7, 0xd6, 0xb7, 0xa5, 0x92, 0x85, 0x87, 0x39, 0x70, 0x38, 0x57,
-	0x09, 0xfa, 0x2e, 0xcc, 0xf0, 0xe9, 0x48, 0x6f, 0xd3, 0x8f, 0x88, 0x19, 0xe4, 0xe2, 0x7c, 0x10,
-	0x2f, 0x07, 0x11, 0x09, 0xc7, 0xf9, 0xd0, 0x09, 0xcc, 0x3b, 0x76, 0x67, 0x97, 0x58, 0xa4, 0x4b,
-	0x79, 0x23, 0xe8, 0x1f, 0xa5, 0x18, 0x63, 0xa7, 0x5b, 0xef, 0x06, 0x93, 0xc4, 0x7e, 0x96, 0xe5,
-	0x39, 0x9f, 0x07, 0xb3, 0xcb, 0x22, 0x08, 0xf2, 0x20, 0x91, 0x0b, 0xf5, 0x9e, 0xec, 0xc7, 0xe4,
-	0x54, 0xef, 0xbf, 0xd7, 0xad, 0x97, 0x49, 0xca, 0xa3, 0x84, 0x64, 0x74, 0x61, 0x26, 0xd7, 0x71,
-	0x4a, 0x43, 0xe1, 0x94, 0x5e, 0xfb, 0x9f, 0xa6, 0xf4, 0x9c, 0x67, 0x83, 0xe9, 0x11, 0x9f, 0x0d,
-	0xfe, 0xa2, 0xc0, 0x75, 0xa7, 0x44, 0x2e, 0x35, 0x40, 0xf8, 0xe6, 0x41, 0x19, 0xdf, 0x94, 0xc9,
-	0xcd, 0xd6, 0xda, 0x70, 0xb0, 0x72, 0xbd, 0x0c, 0x27, 0x2e, 0x65, 0x1f, 0x7a, 0x08, 0x35, 0x5b,
-	0xd6, 0xc0, 0xc6, 0x8c, 0xb0, 0xf5, 0x66, 0x19, 0x5b, 0x83, 0xba, 0xe9, 0xa7, 0x65, 0xf0, 0x85,
-	0x43, 0x2c, 0xf5, 0xf7, 0x55, 0xb8, 0x9a, 0xb9, 0xc1, 0xd1, 0x0f, 0xcf, 0x79, 0x32, 0xb8, 0xf6,
-	0xc2, 0x9e, 0x0b, 0x32, 0xb3, 0xfe, 0xf8, 0x08, 0xb3, 0xfe, 0x06, 0xcc, 0xb5, 0x7b, 0xae, 0x4b,
-	0x2d, 0x96, 0x9a, 0xf4, 0xc3, 0x60, 0xd9, 0x4c, 0x92, 0x71, 0x9a, 0x3f, 0xef, 0xb9, 0xa2, 0x3a,
-	0xe2, 0x73, 0x45, 0xdc, 0x0a, 0x39, 0x27, 0xfa, 0xa9, 0x9d, 0xb5, 0x42, 0x8e, 0x8b, 0x69, 0x7e,
-	0xde, 0xb4, 0xfa, 0xa8, 0x21, 0xc2, 0x54, 0xb2, 0x69, 0x3d, 0x4a, 0x50, 0x71, 0x8a, 0x3b, 0x67,
-	0x5e, 0x9f, 0x2e, 0x3b, 0xaf, 0x23, 0x92, 0x78, 0x4d, 0x00, 0x51, 0x47, 0x6f, 0x95, 0x89, 0xb3,
-	0xf2, 0xcf, 0x09, 0xb9, 0x6f, 0x32, 0x33, 0xa3, 0xbf, 0xc9, 0xa8, 0x7f, 0x55, 0xe0, 0xe5, 0xc2,
-	0x8a, 0x85, 0x36, 0x12, 0x2d, 0xe5, 0xad, 0x54, 0x4b, 0xf9, 0x9d, 0x42, 0xc1, 0x58, 0x5f, 0xe9,
-	0xe6, 0xbf, 0x34, 0xbc, 0x5f, 0xee, 0xa5, 0x21, 0x67, 0x0a, 0xbe, 0xf8, 0xc9, 0xa1, 0xf5, 0xfd,
-	0xa7, 0xcf, 0x96, 0xc7, 0xbe, 0x7c, 0xb6, 0x3c, 0xf6, 0xd5, 0xb3, 0xe5, 0xb1, 0x5f, 0x0c, 0x97,
-	0x95, 0xa7, 0xc3, 0x65, 0xe5, 0xcb, 0xe1, 0xb2, 0xf2, 0xd5, 0x70, 0x59, 0xf9, 0xfb, 0x70, 0x59,
-	0xf9, 0xf5, 0xd7, 0xcb, 0x63, 0x9f, 0x2c, 0x16, 0xfc, 0xb1, 0xfd, 0xdf, 0x00, 0x00, 0x00, 0xff,
-	0xff, 0x40, 0xa4, 0x4b, 0xb9, 0xf2, 0x1e, 0x00, 0x00,
-}
+func (m *StatefulSetUpdateStrategy) Reset() { *m = StatefulSetUpdateStrategy{} }
 
 func (m *ControllerRevision) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1150,7 +375,7 @@ func (m *DeploymentRollback) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.UpdatedAnnotations {
 			keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+		sort.Strings(keysForUpdatedAnnotations)
 		for iNdEx := len(keysForUpdatedAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.UpdatedAnnotations[string(keysForUpdatedAnnotations[iNdEx])]
 			baseI := i
@@ -1597,7 +822,7 @@ func (m *ScaleStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -2586,7 +1811,7 @@ func (this *DeploymentRollback) String() string {
 	for k := range this.UpdatedAnnotations {
 		keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+	sort.Strings(keysForUpdatedAnnotations)
 	mapStringForUpdatedAnnotations := "map[string]string{"
 	for _, k := range keysForUpdatedAnnotations {
 		mapStringForUpdatedAnnotations += fmt.Sprintf("%v: %v,", k, this.UpdatedAnnotations[k])
@@ -2714,7 +1939,7 @@ func (this *ScaleStatus) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
diff --git a/staging/src/k8s.io/api/apps/v1beta1/generated.proto b/staging/src/k8s.io/api/apps/v1beta1/generated.proto
index b61dc490dbdef..b47d61e209259 100644
--- a/staging/src/k8s.io/api/apps/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/apps/v1beta1/generated.proto
@@ -208,7 +208,7 @@ message DeploymentStatus {
   // Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
   // .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 9;
 
@@ -289,10 +289,12 @@ message RollingUpdateStatefulSetStrategy {
   // maxUnavailable is the maximum number of pods that can be unavailable during the update.
   // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
   // Absolute number is calculated from percentage by rounding up. This can not be 0.
-  // Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-  // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+  // Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
   // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
   // will be counted towards MaxUnavailable.
+  // This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+  //
+  // +featureGate=MaxUnavailableStatefulSet
   // +optional
   optional .k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 2;
 }
@@ -496,8 +498,12 @@ message StatefulSetSpec {
   // +optional
   optional int32 minReadySeconds = 9;
 
-  // PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-  // the StatefulSet VolumeClaimTemplates.
+  // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+  // volume claims created from volumeClaimTemplates. By default, all persistent
+  // volume claims are created as needed and retained until manually deleted. This
+  // policy allows the lifecycle to be altered, for example by deleting persistent
+  // volume claims when their stateful set is deleted, or when their pod is scaled
+  // down.
   // +optional
   optional StatefulSetPersistentVolumeClaimRetentionPolicy persistentVolumeClaimRetentionPolicy = 10;
 
diff --git a/staging/src/k8s.io/api/apps/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/apps/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..3127ea3caeca7
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,68 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ControllerRevision) ProtoMessage() {}
+
+func (*ControllerRevisionList) ProtoMessage() {}
+
+func (*Deployment) ProtoMessage() {}
+
+func (*DeploymentCondition) ProtoMessage() {}
+
+func (*DeploymentList) ProtoMessage() {}
+
+func (*DeploymentRollback) ProtoMessage() {}
+
+func (*DeploymentSpec) ProtoMessage() {}
+
+func (*DeploymentStatus) ProtoMessage() {}
+
+func (*DeploymentStrategy) ProtoMessage() {}
+
+func (*RollbackConfig) ProtoMessage() {}
+
+func (*RollingUpdateDeployment) ProtoMessage() {}
+
+func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
+
+func (*Scale) ProtoMessage() {}
+
+func (*ScaleSpec) ProtoMessage() {}
+
+func (*ScaleStatus) ProtoMessage() {}
+
+func (*StatefulSet) ProtoMessage() {}
+
+func (*StatefulSetCondition) ProtoMessage() {}
+
+func (*StatefulSetList) ProtoMessage() {}
+
+func (*StatefulSetOrdinals) ProtoMessage() {}
+
+func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
+
+func (*StatefulSetSpec) ProtoMessage() {}
+
+func (*StatefulSetStatus) ProtoMessage() {}
+
+func (*StatefulSetUpdateStrategy) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apps/v1beta1/types.go b/staging/src/k8s.io/api/apps/v1beta1/types.go
index cd140be12faa4..b1e6b33683e3a 100644
--- a/staging/src/k8s.io/api/apps/v1beta1/types.go
+++ b/staging/src/k8s.io/api/apps/v1beta1/types.go
@@ -166,10 +166,12 @@ type RollingUpdateStatefulSetStrategy struct {
 	// maxUnavailable is the maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding up. This can not be 0.
-	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
 	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
 	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+	//
+	// +featureGate=MaxUnavailableStatefulSet
 	// +optional
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"varint,2,opt,name=maxUnavailable"`
 }
@@ -294,8 +296,12 @@ type StatefulSetSpec struct {
 	// +optional
 	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,9,opt,name=minReadySeconds"`
 
-	// PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-	// the StatefulSet VolumeClaimTemplates.
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	// +optional
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicy `json:"persistentVolumeClaimRetentionPolicy,omitempty" protobuf:"bytes,10,opt,name=persistentVolumeClaimRetentionPolicy"`
 
@@ -582,7 +588,7 @@ type DeploymentStatus struct {
 	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
 	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,9,opt,name=terminatingReplicas"`
 
diff --git a/staging/src/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
index 02ea5f7f26e52..a6f7a11927065 100644
--- a/staging/src/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
@@ -119,7 +119,7 @@ var map_DeploymentStatus = map[string]string{
 	"readyReplicas":       "Total number of non-terminating pods targeted by this Deployment with a Ready Condition.",
 	"availableReplicas":   "Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.",
 	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
-	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"conditions":          "Represents the latest available observations of a deployment's current state.",
 	"collisionCount":      "collisionCount is the count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
 }
@@ -160,7 +160,7 @@ func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
 var map_RollingUpdateStatefulSetStrategy = map[string]string{
 	"":               "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.",
 	"partition":      "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.",
-	"maxUnavailable": "maxUnavailable is the maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
+	"maxUnavailable": "maxUnavailable is the maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
 }
 
 func (RollingUpdateStatefulSetStrategy) SwaggerDoc() map[string]string {
@@ -259,7 +259,7 @@ var map_StatefulSetSpec = map[string]string{
 	"updateStrategy":                       "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
 	"revisionHistoryLimit":                 "revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.",
 	"minReadySeconds":                      "minReadySeconds is the minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
-	"persistentVolumeClaimRetentionPolicy": "PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.",
+	"persistentVolumeClaimRetentionPolicy": "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.",
 	"ordinals":                             "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.",
 }
 
diff --git a/staging/src/k8s.io/api/apps/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/apps/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5da1ed3f741b4
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevision) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.ControllerRevision"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevisionList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.ControllerRevisionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Deployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.Deployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentRollback) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentRollback"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.DeploymentStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollbackConfig) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.RollbackConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDeployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.RollingUpdateDeployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateStatefulSetStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.RollingUpdateStatefulSetStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scale) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.Scale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.ScaleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.ScaleStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetOrdinals) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetOrdinals"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetPersistentVolumeClaimRetentionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetPersistentVolumeClaimRetentionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta1.StatefulSetUpdateStrategy"
+}
diff --git a/staging/src/k8s.io/api/apps/v1beta2/doc.go b/staging/src/k8s.io/api/apps/v1beta2/doc.go
index 7d28fe42df5ab..3259a47ba2eb6 100644
--- a/staging/src/k8s.io/api/apps/v1beta2/doc.go
+++ b/staging/src/k8s.io/api/apps/v1beta2/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.apps.v1beta2
 
 package v1beta2
diff --git a/staging/src/k8s.io/api/apps/v1beta2/generated.pb.go b/staging/src/k8s.io/api/apps/v1beta2/generated.pb.go
index 9fcba6feb1eed..777a66f12c8bf 100644
--- a/staging/src/k8s.io/api/apps/v1beta2/generated.pb.go
+++ b/staging/src/k8s.io/api/apps/v1beta2/generated.pb.go
@@ -23,14 +23,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -38,1135 +36,73 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ControllerRevision) Reset() { *m = ControllerRevision{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ControllerRevisionList) Reset() { *m = ControllerRevisionList{} }
 
-func (m *ControllerRevision) Reset()      { *m = ControllerRevision{} }
-func (*ControllerRevision) ProtoMessage() {}
-func (*ControllerRevision) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{0}
-}
-func (m *ControllerRevision) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevision) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevision) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevision.Merge(m, src)
-}
-func (m *ControllerRevision) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevision) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevision.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevision proto.InternalMessageInfo
-
-func (m *ControllerRevisionList) Reset()      { *m = ControllerRevisionList{} }
-func (*ControllerRevisionList) ProtoMessage() {}
-func (*ControllerRevisionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{1}
-}
-func (m *ControllerRevisionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ControllerRevisionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ControllerRevisionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ControllerRevisionList.Merge(m, src)
-}
-func (m *ControllerRevisionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ControllerRevisionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ControllerRevisionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ControllerRevisionList proto.InternalMessageInfo
-
-func (m *DaemonSet) Reset()      { *m = DaemonSet{} }
-func (*DaemonSet) ProtoMessage() {}
-func (*DaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{2}
-}
-func (m *DaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSet.Merge(m, src)
-}
-func (m *DaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSet proto.InternalMessageInfo
-
-func (m *DaemonSetCondition) Reset()      { *m = DaemonSetCondition{} }
-func (*DaemonSetCondition) ProtoMessage() {}
-func (*DaemonSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{3}
-}
-func (m *DaemonSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetCondition.Merge(m, src)
-}
-func (m *DaemonSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetCondition proto.InternalMessageInfo
-
-func (m *DaemonSetList) Reset()      { *m = DaemonSetList{} }
-func (*DaemonSetList) ProtoMessage() {}
-func (*DaemonSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{4}
-}
-func (m *DaemonSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetList.Merge(m, src)
-}
-func (m *DaemonSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetList proto.InternalMessageInfo
-
-func (m *DaemonSetSpec) Reset()      { *m = DaemonSetSpec{} }
-func (*DaemonSetSpec) ProtoMessage() {}
-func (*DaemonSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{5}
-}
-func (m *DaemonSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetSpec.Merge(m, src)
-}
-func (m *DaemonSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetSpec proto.InternalMessageInfo
-
-func (m *DaemonSetStatus) Reset()      { *m = DaemonSetStatus{} }
-func (*DaemonSetStatus) ProtoMessage() {}
-func (*DaemonSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{6}
-}
-func (m *DaemonSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetStatus.Merge(m, src)
-}
-func (m *DaemonSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetStatus proto.InternalMessageInfo
-
-func (m *DaemonSetUpdateStrategy) Reset()      { *m = DaemonSetUpdateStrategy{} }
-func (*DaemonSetUpdateStrategy) ProtoMessage() {}
-func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{7}
-}
-func (m *DaemonSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetUpdateStrategy.Merge(m, src)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetUpdateStrategy proto.InternalMessageInfo
-
-func (m *Deployment) Reset()      { *m = Deployment{} }
-func (*Deployment) ProtoMessage() {}
-func (*Deployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{8}
-}
-func (m *Deployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Deployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Deployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Deployment.Merge(m, src)
-}
-func (m *Deployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *Deployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_Deployment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Deployment proto.InternalMessageInfo
-
-func (m *DeploymentCondition) Reset()      { *m = DeploymentCondition{} }
-func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{9}
-}
-func (m *DeploymentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCondition.Merge(m, src)
-}
-func (m *DeploymentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCondition proto.InternalMessageInfo
-
-func (m *DeploymentList) Reset()      { *m = DeploymentList{} }
-func (*DeploymentList) ProtoMessage() {}
-func (*DeploymentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{10}
-}
-func (m *DeploymentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentList.Merge(m, src)
-}
-func (m *DeploymentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentList proto.InternalMessageInfo
-
-func (m *DeploymentSpec) Reset()      { *m = DeploymentSpec{} }
-func (*DeploymentSpec) ProtoMessage() {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{11}
-}
-func (m *DeploymentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentSpec.Merge(m, src)
-}
-func (m *DeploymentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentSpec proto.InternalMessageInfo
-
-func (m *DeploymentStatus) Reset()      { *m = DeploymentStatus{} }
-func (*DeploymentStatus) ProtoMessage() {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{12}
-}
-func (m *DeploymentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStatus.Merge(m, src)
-}
-func (m *DeploymentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStatus proto.InternalMessageInfo
-
-func (m *DeploymentStrategy) Reset()      { *m = DeploymentStrategy{} }
-func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{13}
-}
-func (m *DeploymentStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStrategy.Merge(m, src)
-}
-func (m *DeploymentStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStrategy proto.InternalMessageInfo
-
-func (m *ReplicaSet) Reset()      { *m = ReplicaSet{} }
-func (*ReplicaSet) ProtoMessage() {}
-func (*ReplicaSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{14}
-}
-func (m *ReplicaSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSet.Merge(m, src)
-}
-func (m *ReplicaSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ReplicaSet proto.InternalMessageInfo
+func (m *DaemonSet) Reset() { *m = DaemonSet{} }
 
-func (m *ReplicaSetCondition) Reset()      { *m = ReplicaSetCondition{} }
-func (*ReplicaSetCondition) ProtoMessage() {}
-func (*ReplicaSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{15}
-}
-func (m *ReplicaSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetCondition.Merge(m, src)
-}
-func (m *ReplicaSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetCondition.DiscardUnknown(m)
-}
+func (m *DaemonSetCondition) Reset() { *m = DaemonSetCondition{} }
 
-var xxx_messageInfo_ReplicaSetCondition proto.InternalMessageInfo
+func (m *DaemonSetList) Reset() { *m = DaemonSetList{} }
 
-func (m *ReplicaSetList) Reset()      { *m = ReplicaSetList{} }
-func (*ReplicaSetList) ProtoMessage() {}
-func (*ReplicaSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{16}
-}
-func (m *ReplicaSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetList.Merge(m, src)
-}
-func (m *ReplicaSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetList.DiscardUnknown(m)
-}
+func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} }
 
-var xxx_messageInfo_ReplicaSetList proto.InternalMessageInfo
+func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} }
 
-func (m *ReplicaSetSpec) Reset()      { *m = ReplicaSetSpec{} }
-func (*ReplicaSetSpec) ProtoMessage() {}
-func (*ReplicaSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{17}
-}
-func (m *ReplicaSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetSpec.Merge(m, src)
-}
-func (m *ReplicaSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ReplicaSetSpec proto.InternalMessageInfo
-
-func (m *ReplicaSetStatus) Reset()      { *m = ReplicaSetStatus{} }
-func (*ReplicaSetStatus) ProtoMessage() {}
-func (*ReplicaSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{18}
-}
-func (m *ReplicaSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetStatus.Merge(m, src)
-}
-func (m *ReplicaSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetStatus.DiscardUnknown(m)
-}
+func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
 
-var xxx_messageInfo_ReplicaSetStatus proto.InternalMessageInfo
+func (m *Deployment) Reset() { *m = Deployment{} }
 
-func (m *RollingUpdateDaemonSet) Reset()      { *m = RollingUpdateDaemonSet{} }
-func (*RollingUpdateDaemonSet) ProtoMessage() {}
-func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{19}
-}
-func (m *RollingUpdateDaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDaemonSet.Merge(m, src)
-}
-func (m *RollingUpdateDaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDaemonSet.DiscardUnknown(m)
-}
+func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
 
-var xxx_messageInfo_RollingUpdateDaemonSet proto.InternalMessageInfo
+func (m *DeploymentList) Reset() { *m = DeploymentList{} }
 
-func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
-func (*RollingUpdateDeployment) ProtoMessage() {}
-func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{20}
-}
-func (m *RollingUpdateDeployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDeployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDeployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDeployment.Merge(m, src)
-}
-func (m *RollingUpdateDeployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDeployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDeployment.DiscardUnknown(m)
-}
+func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
 
-var xxx_messageInfo_RollingUpdateDeployment proto.InternalMessageInfo
+func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
 
-func (m *RollingUpdateStatefulSetStrategy) Reset()      { *m = RollingUpdateStatefulSetStrategy{} }
-func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
-func (*RollingUpdateStatefulSetStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{21}
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.Merge(m, src)
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateStatefulSetStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateStatefulSetStrategy.DiscardUnknown(m)
-}
+func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
 
-var xxx_messageInfo_RollingUpdateStatefulSetStrategy proto.InternalMessageInfo
+func (m *ReplicaSet) Reset() { *m = ReplicaSet{} }
 
-func (m *Scale) Reset()      { *m = Scale{} }
-func (*Scale) ProtoMessage() {}
-func (*Scale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{22}
-}
-func (m *Scale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scale.Merge(m, src)
-}
-func (m *Scale) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scale) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scale.DiscardUnknown(m)
-}
+func (m *ReplicaSetCondition) Reset() { *m = ReplicaSetCondition{} }
 
-var xxx_messageInfo_Scale proto.InternalMessageInfo
+func (m *ReplicaSetList) Reset() { *m = ReplicaSetList{} }
 
-func (m *ScaleSpec) Reset()      { *m = ScaleSpec{} }
-func (*ScaleSpec) ProtoMessage() {}
-func (*ScaleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{23}
-}
-func (m *ScaleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleSpec.Merge(m, src)
-}
-func (m *ScaleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleSpec.DiscardUnknown(m)
-}
+func (m *ReplicaSetSpec) Reset() { *m = ReplicaSetSpec{} }
 
-var xxx_messageInfo_ScaleSpec proto.InternalMessageInfo
+func (m *ReplicaSetStatus) Reset() { *m = ReplicaSetStatus{} }
 
-func (m *ScaleStatus) Reset()      { *m = ScaleStatus{} }
-func (*ScaleStatus) ProtoMessage() {}
-func (*ScaleStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{24}
-}
-func (m *ScaleStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleStatus.Merge(m, src)
-}
-func (m *ScaleStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleStatus.DiscardUnknown(m)
-}
+func (m *RollingUpdateDaemonSet) Reset() { *m = RollingUpdateDaemonSet{} }
 
-var xxx_messageInfo_ScaleStatus proto.InternalMessageInfo
+func (m *RollingUpdateDeployment) Reset() { *m = RollingUpdateDeployment{} }
 
-func (m *StatefulSet) Reset()      { *m = StatefulSet{} }
-func (*StatefulSet) ProtoMessage() {}
-func (*StatefulSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{25}
-}
-func (m *StatefulSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSet.Merge(m, src)
-}
-func (m *StatefulSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSet.DiscardUnknown(m)
-}
+func (m *RollingUpdateStatefulSetStrategy) Reset() { *m = RollingUpdateStatefulSetStrategy{} }
 
-var xxx_messageInfo_StatefulSet proto.InternalMessageInfo
+func (m *Scale) Reset() { *m = Scale{} }
 
-func (m *StatefulSetCondition) Reset()      { *m = StatefulSetCondition{} }
-func (*StatefulSetCondition) ProtoMessage() {}
-func (*StatefulSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{26}
-}
-func (m *StatefulSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetCondition.Merge(m, src)
-}
-func (m *StatefulSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetCondition.DiscardUnknown(m)
-}
+func (m *ScaleSpec) Reset() { *m = ScaleSpec{} }
 
-var xxx_messageInfo_StatefulSetCondition proto.InternalMessageInfo
+func (m *ScaleStatus) Reset() { *m = ScaleStatus{} }
 
-func (m *StatefulSetList) Reset()      { *m = StatefulSetList{} }
-func (*StatefulSetList) ProtoMessage() {}
-func (*StatefulSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{27}
-}
-func (m *StatefulSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetList.Merge(m, src)
-}
-func (m *StatefulSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetList.DiscardUnknown(m)
-}
+func (m *StatefulSet) Reset() { *m = StatefulSet{} }
 
-var xxx_messageInfo_StatefulSetList proto.InternalMessageInfo
+func (m *StatefulSetCondition) Reset() { *m = StatefulSetCondition{} }
 
-func (m *StatefulSetOrdinals) Reset()      { *m = StatefulSetOrdinals{} }
-func (*StatefulSetOrdinals) ProtoMessage() {}
-func (*StatefulSetOrdinals) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{28}
-}
-func (m *StatefulSetOrdinals) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetOrdinals) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetOrdinals) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetOrdinals.Merge(m, src)
-}
-func (m *StatefulSetOrdinals) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetOrdinals) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetOrdinals.DiscardUnknown(m)
-}
+func (m *StatefulSetList) Reset() { *m = StatefulSetList{} }
 
-var xxx_messageInfo_StatefulSetOrdinals proto.InternalMessageInfo
+func (m *StatefulSetOrdinals) Reset() { *m = StatefulSetOrdinals{} }
 
 func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) Reset() {
 	*m = StatefulSetPersistentVolumeClaimRetentionPolicy{}
 }
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
-func (*StatefulSetPersistentVolumeClaimRetentionPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{29}
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.Merge(m, src)
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetPersistentVolumeClaimRetentionPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_StatefulSetPersistentVolumeClaimRetentionPolicy proto.InternalMessageInfo
+func (m *StatefulSetSpec) Reset() { *m = StatefulSetSpec{} }
 
-func (m *StatefulSetSpec) Reset()      { *m = StatefulSetSpec{} }
-func (*StatefulSetSpec) ProtoMessage() {}
-func (*StatefulSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{30}
-}
-func (m *StatefulSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetSpec.Merge(m, src)
-}
-func (m *StatefulSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetSpec proto.InternalMessageInfo
-
-func (m *StatefulSetStatus) Reset()      { *m = StatefulSetStatus{} }
-func (*StatefulSetStatus) ProtoMessage() {}
-func (*StatefulSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{31}
-}
-func (m *StatefulSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetStatus.Merge(m, src)
-}
-func (m *StatefulSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetStatus.DiscardUnknown(m)
-}
+func (m *StatefulSetStatus) Reset() { *m = StatefulSetStatus{} }
 
-var xxx_messageInfo_StatefulSetStatus proto.InternalMessageInfo
-
-func (m *StatefulSetUpdateStrategy) Reset()      { *m = StatefulSetUpdateStrategy{} }
-func (*StatefulSetUpdateStrategy) ProtoMessage() {}
-func (*StatefulSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c423c016abf485d4, []int{32}
-}
-func (m *StatefulSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatefulSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatefulSetUpdateStrategy.Merge(m, src)
-}
-func (m *StatefulSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatefulSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatefulSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StatefulSetUpdateStrategy proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ControllerRevision)(nil), "k8s.io.api.apps.v1beta2.ControllerRevision")
-	proto.RegisterType((*ControllerRevisionList)(nil), "k8s.io.api.apps.v1beta2.ControllerRevisionList")
-	proto.RegisterType((*DaemonSet)(nil), "k8s.io.api.apps.v1beta2.DaemonSet")
-	proto.RegisterType((*DaemonSetCondition)(nil), "k8s.io.api.apps.v1beta2.DaemonSetCondition")
-	proto.RegisterType((*DaemonSetList)(nil), "k8s.io.api.apps.v1beta2.DaemonSetList")
-	proto.RegisterType((*DaemonSetSpec)(nil), "k8s.io.api.apps.v1beta2.DaemonSetSpec")
-	proto.RegisterType((*DaemonSetStatus)(nil), "k8s.io.api.apps.v1beta2.DaemonSetStatus")
-	proto.RegisterType((*DaemonSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta2.DaemonSetUpdateStrategy")
-	proto.RegisterType((*Deployment)(nil), "k8s.io.api.apps.v1beta2.Deployment")
-	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.apps.v1beta2.DeploymentCondition")
-	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.apps.v1beta2.DeploymentList")
-	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.apps.v1beta2.DeploymentSpec")
-	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.apps.v1beta2.DeploymentStatus")
-	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.apps.v1beta2.DeploymentStrategy")
-	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.api.apps.v1beta2.ReplicaSet")
-	proto.RegisterType((*ReplicaSetCondition)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetCondition")
-	proto.RegisterType((*ReplicaSetList)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetList")
-	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetSpec")
-	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetStatus")
-	proto.RegisterType((*RollingUpdateDaemonSet)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateDaemonSet")
-	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateDeployment")
-	proto.RegisterType((*RollingUpdateStatefulSetStrategy)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateStatefulSetStrategy")
-	proto.RegisterType((*Scale)(nil), "k8s.io.api.apps.v1beta2.Scale")
-	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.apps.v1beta2.ScaleSpec")
-	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.apps.v1beta2.ScaleStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.apps.v1beta2.ScaleStatus.SelectorEntry")
-	proto.RegisterType((*StatefulSet)(nil), "k8s.io.api.apps.v1beta2.StatefulSet")
-	proto.RegisterType((*StatefulSetCondition)(nil), "k8s.io.api.apps.v1beta2.StatefulSetCondition")
-	proto.RegisterType((*StatefulSetList)(nil), "k8s.io.api.apps.v1beta2.StatefulSetList")
-	proto.RegisterType((*StatefulSetOrdinals)(nil), "k8s.io.api.apps.v1beta2.StatefulSetOrdinals")
-	proto.RegisterType((*StatefulSetPersistentVolumeClaimRetentionPolicy)(nil), "k8s.io.api.apps.v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy")
-	proto.RegisterType((*StatefulSetSpec)(nil), "k8s.io.api.apps.v1beta2.StatefulSetSpec")
-	proto.RegisterType((*StatefulSetStatus)(nil), "k8s.io.api.apps.v1beta2.StatefulSetStatus")
-	proto.RegisterType((*StatefulSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta2.StatefulSetUpdateStrategy")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/apps/v1beta2/generated.proto", fileDescriptor_c423c016abf485d4)
-}
-
-var fileDescriptor_c423c016abf485d4 = []byte{
-	// 2359 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5a, 0xcd, 0x6f, 0x1b, 0xc7,
-	0x15, 0xf7, 0x92, 0xa2, 0x44, 0x0e, 0x2d, 0xc9, 0x1e, 0xa9, 0x22, 0x63, 0xb7, 0xa4, 0xb1, 0x36,
-	0x6c, 0x25, 0xb6, 0x49, 0x5b, 0xf9, 0x40, 0x62, 0xb7, 0x09, 0x44, 0x29, 0xb5, 0x1d, 0x48, 0x32,
-	0x33, 0xb4, 0x1c, 0x34, 0xe8, 0x87, 0x47, 0xe4, 0x98, 0xda, 0x78, 0xbf, 0xb0, 0x3b, 0x54, 0x4c,
-	0xf4, 0xd2, 0x6b, 0x81, 0x16, 0x6d, 0xae, 0xfd, 0x27, 0x8a, 0x5e, 0x8a, 0xa2, 0x41, 0x6f, 0x41,
-	0xe1, 0x63, 0xd0, 0x4b, 0x72, 0x22, 0x6a, 0xe6, 0x54, 0x14, 0xbd, 0xb5, 0x17, 0x03, 0x05, 0x8a,
-	0x99, 0x9d, 0xfd, 0xde, 0x35, 0x97, 0x8a, 0xad, 0x34, 0x41, 0x6e, 0xdc, 0x79, 0xef, 0xfd, 0xe6,
-	0xcd, 0xcc, 0x7b, 0xf3, 0x7e, 0xfb, 0xb8, 0xe0, 0xc2, 0x83, 0xd7, 0xed, 0x86, 0x62, 0x34, 0xb1,
-	0xa9, 0x34, 0xb1, 0x69, 0xda, 0xcd, 0x83, 0xab, 0x7b, 0x84, 0xe2, 0xb5, 0x66, 0x9f, 0xe8, 0xc4,
-	0xc2, 0x94, 0xf4, 0x1a, 0xa6, 0x65, 0x50, 0x03, 0x56, 0x1c, 0xc5, 0x06, 0x36, 0x95, 0x06, 0x53,
-	0x6c, 0x08, 0xc5, 0x53, 0x97, 0xfb, 0x0a, 0xdd, 0x1f, 0xec, 0x35, 0xba, 0x86, 0xd6, 0xec, 0x1b,
-	0x7d, 0xa3, 0xc9, 0xf5, 0xf7, 0x06, 0xf7, 0xf9, 0x13, 0x7f, 0xe0, 0xbf, 0x1c, 0x9c, 0x53, 0x72,
-	0x60, 0xc2, 0xae, 0x61, 0x91, 0xe6, 0xc1, 0xd5, 0xe8, 0x5c, 0xa7, 0x5e, 0xf1, 0x75, 0x34, 0xdc,
-	0xdd, 0x57, 0x74, 0x62, 0x0d, 0x9b, 0xe6, 0x83, 0x3e, 0x1b, 0xb0, 0x9b, 0x1a, 0xa1, 0x38, 0xc9,
-	0xaa, 0x99, 0x66, 0x65, 0x0d, 0x74, 0xaa, 0x68, 0x24, 0x66, 0xf0, 0xda, 0x24, 0x03, 0xbb, 0xbb,
-	0x4f, 0x34, 0x1c, 0xb3, 0x7b, 0x39, 0xcd, 0x6e, 0x40, 0x15, 0xb5, 0xa9, 0xe8, 0xd4, 0xa6, 0x56,
-	0xd4, 0x48, 0xfe, 0x8f, 0x04, 0xe0, 0x86, 0xa1, 0x53, 0xcb, 0x50, 0x55, 0x62, 0x21, 0x72, 0xa0,
-	0xd8, 0x8a, 0xa1, 0xc3, 0x7b, 0xa0, 0xc8, 0xd6, 0xd3, 0xc3, 0x14, 0x57, 0xa5, 0x33, 0xd2, 0x6a,
-	0x79, 0xed, 0x4a, 0xc3, 0xdf, 0x69, 0x0f, 0xbe, 0x61, 0x3e, 0xe8, 0xb3, 0x01, 0xbb, 0xc1, 0xb4,
-	0x1b, 0x07, 0x57, 0x1b, 0xb7, 0xf7, 0x3e, 0x20, 0x5d, 0xba, 0x4d, 0x28, 0x6e, 0xc1, 0x47, 0xa3,
-	0xfa, 0xb1, 0xf1, 0xa8, 0x0e, 0xfc, 0x31, 0xe4, 0xa1, 0xc2, 0xdb, 0x60, 0x86, 0xa3, 0xe7, 0x38,
-	0xfa, 0xe5, 0x54, 0x74, 0xb1, 0xe8, 0x06, 0xc2, 0x1f, 0xbe, 0xfd, 0x90, 0x12, 0x9d, 0xb9, 0xd7,
-	0x3a, 0x2e, 0xa0, 0x67, 0x36, 0x31, 0xc5, 0x88, 0x03, 0xc1, 0x4b, 0xa0, 0x68, 0x09, 0xf7, 0xab,
-	0xf9, 0x33, 0xd2, 0x6a, 0xbe, 0x75, 0x42, 0x68, 0x15, 0xdd, 0x65, 0x21, 0x4f, 0x43, 0x7e, 0x24,
-	0x81, 0x95, 0xf8, 0xba, 0xb7, 0x14, 0x9b, 0xc2, 0x1f, 0xc7, 0xd6, 0xde, 0xc8, 0xb6, 0x76, 0x66,
-	0xcd, 0x57, 0xee, 0x4d, 0xec, 0x8e, 0x04, 0xd6, 0xdd, 0x06, 0x05, 0x85, 0x12, 0xcd, 0xae, 0xe6,
-	0xce, 0xe4, 0x57, 0xcb, 0x6b, 0x17, 0x1b, 0x29, 0x01, 0xdc, 0x88, 0x7b, 0xd7, 0x9a, 0x17, 0xb8,
-	0x85, 0x5b, 0x0c, 0x01, 0x39, 0x40, 0xf2, 0x2f, 0x73, 0xa0, 0xb4, 0x89, 0x89, 0x66, 0xe8, 0x1d,
-	0x42, 0x8f, 0xe0, 0xe4, 0x6e, 0x82, 0x19, 0xdb, 0x24, 0x5d, 0x71, 0x72, 0xe7, 0x53, 0x17, 0xe0,
-	0xf9, 0xd4, 0x31, 0x49, 0xd7, 0x3f, 0x32, 0xf6, 0x84, 0x38, 0x02, 0x6c, 0x83, 0x59, 0x9b, 0x62,
-	0x3a, 0xb0, 0xf9, 0x81, 0x95, 0xd7, 0x56, 0x33, 0x60, 0x71, 0xfd, 0xd6, 0x82, 0x40, 0x9b, 0x75,
-	0x9e, 0x91, 0xc0, 0x91, 0xff, 0x91, 0x03, 0xd0, 0xd3, 0xdd, 0x30, 0xf4, 0x9e, 0x42, 0x59, 0x38,
-	0x5f, 0x03, 0x33, 0x74, 0x68, 0x12, 0xbe, 0x21, 0xa5, 0xd6, 0x79, 0xd7, 0x95, 0x3b, 0x43, 0x93,
-	0x3c, 0x19, 0xd5, 0x57, 0xe2, 0x16, 0x4c, 0x82, 0xb8, 0x0d, 0xdc, 0xf2, 0x9c, 0xcc, 0x71, 0xeb,
-	0x57, 0xc2, 0x53, 0x3f, 0x19, 0xd5, 0x13, 0xee, 0x8e, 0x86, 0x87, 0x14, 0x76, 0x10, 0x1e, 0x00,
-	0xa8, 0x62, 0x9b, 0xde, 0xb1, 0xb0, 0x6e, 0x3b, 0x33, 0x29, 0x1a, 0x11, 0xcb, 0x7f, 0x29, 0xdb,
-	0x41, 0x31, 0x8b, 0xd6, 0x29, 0xe1, 0x05, 0xdc, 0x8a, 0xa1, 0xa1, 0x84, 0x19, 0xe0, 0x79, 0x30,
-	0x6b, 0x11, 0x6c, 0x1b, 0x7a, 0x75, 0x86, 0xaf, 0xc2, 0xdb, 0x40, 0xc4, 0x47, 0x91, 0x90, 0xc2,
-	0x17, 0xc1, 0x9c, 0x46, 0x6c, 0x1b, 0xf7, 0x49, 0xb5, 0xc0, 0x15, 0x17, 0x85, 0xe2, 0xdc, 0xb6,
-	0x33, 0x8c, 0x5c, 0xb9, 0xfc, 0x47, 0x09, 0xcc, 0x7b, 0x3b, 0x77, 0x04, 0x99, 0x73, 0x23, 0x9c,
-	0x39, 0xf2, 0xe4, 0x60, 0x49, 0x49, 0x98, 0x4f, 0xf2, 0x01, 0xc7, 0x59, 0x38, 0xc2, 0x9f, 0x80,
-	0xa2, 0x4d, 0x54, 0xd2, 0xa5, 0x86, 0x25, 0x1c, 0x7f, 0x39, 0xa3, 0xe3, 0x78, 0x8f, 0xa8, 0x1d,
-	0x61, 0xda, 0x3a, 0xce, 0x3c, 0x77, 0x9f, 0x90, 0x07, 0x09, 0xdf, 0x05, 0x45, 0x4a, 0x34, 0x53,
-	0xc5, 0x94, 0x88, 0xac, 0x39, 0x1b, 0x74, 0x9e, 0xc5, 0x0c, 0x03, 0x6b, 0x1b, 0xbd, 0x3b, 0x42,
-	0x8d, 0xa7, 0x8c, 0xb7, 0x19, 0xee, 0x28, 0xf2, 0x60, 0xa0, 0x09, 0x16, 0x06, 0x66, 0x8f, 0x69,
-	0x52, 0x76, 0x9d, 0xf7, 0x87, 0x22, 0x86, 0xae, 0x4c, 0xde, 0x95, 0xdd, 0x90, 0x5d, 0x6b, 0x45,
-	0xcc, 0xb2, 0x10, 0x1e, 0x47, 0x11, 0x7c, 0xb8, 0x0e, 0x16, 0x35, 0x45, 0x47, 0x04, 0xf7, 0x86,
-	0x1d, 0xd2, 0x35, 0xf4, 0x9e, 0xcd, 0x43, 0xa9, 0xd0, 0xaa, 0x08, 0x80, 0xc5, 0xed, 0xb0, 0x18,
-	0x45, 0xf5, 0xe1, 0x16, 0x58, 0x76, 0x2f, 0xe0, 0x9b, 0x8a, 0x4d, 0x0d, 0x6b, 0xb8, 0xa5, 0x68,
-	0x0a, 0xad, 0xce, 0x72, 0x9c, 0xea, 0x78, 0x54, 0x5f, 0x46, 0x09, 0x72, 0x94, 0x68, 0x25, 0x7f,
-	0x34, 0x0b, 0x16, 0x23, 0xf7, 0x02, 0xbc, 0x0b, 0x56, 0xba, 0x03, 0xcb, 0x22, 0x3a, 0xdd, 0x19,
-	0x68, 0x7b, 0xc4, 0xea, 0x74, 0xf7, 0x49, 0x6f, 0xa0, 0x92, 0x1e, 0x3f, 0xd6, 0x42, 0xab, 0x26,
-	0x7c, 0x5d, 0xd9, 0x48, 0xd4, 0x42, 0x29, 0xd6, 0xf0, 0x1d, 0x00, 0x75, 0x3e, 0xb4, 0xad, 0xd8,
-	0xb6, 0x87, 0x99, 0xe3, 0x98, 0x5e, 0x2a, 0xee, 0xc4, 0x34, 0x50, 0x82, 0x15, 0xf3, 0xb1, 0x47,
-	0x6c, 0xc5, 0x22, 0xbd, 0xa8, 0x8f, 0xf9, 0xb0, 0x8f, 0x9b, 0x89, 0x5a, 0x28, 0xc5, 0x1a, 0xbe,
-	0x0a, 0xca, 0xce, 0x6c, 0x7c, 0xcf, 0xc5, 0xe1, 0x2c, 0x09, 0xb0, 0xf2, 0x8e, 0x2f, 0x42, 0x41,
-	0x3d, 0xb6, 0x34, 0x63, 0xcf, 0x26, 0xd6, 0x01, 0xe9, 0xdd, 0x70, 0xc8, 0x01, 0xab, 0xa0, 0x05,
-	0x5e, 0x41, 0xbd, 0xa5, 0xdd, 0x8e, 0x69, 0xa0, 0x04, 0x2b, 0xb6, 0x34, 0x27, 0x6a, 0x62, 0x4b,
-	0x9b, 0x0d, 0x2f, 0x6d, 0x37, 0x51, 0x0b, 0xa5, 0x58, 0xb3, 0xd8, 0x73, 0x5c, 0x5e, 0x3f, 0xc0,
-	0x8a, 0x8a, 0xf7, 0x54, 0x52, 0x9d, 0x0b, 0xc7, 0xde, 0x4e, 0x58, 0x8c, 0xa2, 0xfa, 0xf0, 0x06,
-	0x38, 0xe9, 0x0c, 0xed, 0xea, 0xd8, 0x03, 0x29, 0x72, 0x90, 0x17, 0x04, 0xc8, 0xc9, 0x9d, 0xa8,
-	0x02, 0x8a, 0xdb, 0xc0, 0x6b, 0x60, 0xa1, 0x6b, 0xa8, 0x2a, 0x8f, 0xc7, 0x0d, 0x63, 0xa0, 0xd3,
-	0x6a, 0x89, 0xa3, 0x40, 0x96, 0x43, 0x1b, 0x21, 0x09, 0x8a, 0x68, 0xc2, 0x9f, 0x01, 0xd0, 0x75,
-	0x0b, 0x83, 0x5d, 0x05, 0x13, 0x18, 0x40, 0xbc, 0x2c, 0xf9, 0x95, 0xd9, 0x1b, 0xb2, 0x51, 0x00,
-	0x52, 0xfe, 0x44, 0x02, 0x95, 0x94, 0x44, 0x87, 0x6f, 0x85, 0x8a, 0xe0, 0xc5, 0x48, 0x11, 0x3c,
-	0x9d, 0x62, 0x16, 0xa8, 0x84, 0xfb, 0x60, 0x9e, 0x11, 0x12, 0x45, 0xef, 0x3b, 0x2a, 0xe2, 0x2e,
-	0x6b, 0xa6, 0x2e, 0x00, 0x05, 0xb5, 0xfd, 0x5b, 0xf9, 0xe4, 0x78, 0x54, 0x9f, 0x0f, 0xc9, 0x50,
-	0x18, 0x58, 0xfe, 0x55, 0x0e, 0x80, 0x4d, 0x62, 0xaa, 0xc6, 0x50, 0x23, 0xfa, 0x51, 0x70, 0x9a,
-	0x5b, 0x21, 0x4e, 0x73, 0x21, 0xfd, 0x48, 0x3c, 0xa7, 0x52, 0x49, 0xcd, 0xbb, 0x11, 0x52, 0xf3,
-	0x62, 0x16, 0xb0, 0xa7, 0xb3, 0x9a, 0xcf, 0xf2, 0x60, 0xc9, 0x57, 0xf6, 0x69, 0xcd, 0xf5, 0xd0,
-	0x89, 0x5e, 0x88, 0x9c, 0x68, 0x25, 0xc1, 0xe4, 0xb9, 0xf1, 0x9a, 0x0f, 0xc0, 0x02, 0x63, 0x1d,
-	0xce, 0xf9, 0x71, 0x4e, 0x33, 0x3b, 0x35, 0xa7, 0xf1, 0x2a, 0xd1, 0x56, 0x08, 0x09, 0x45, 0x90,
-	0x53, 0x38, 0xd4, 0xdc, 0xd7, 0x91, 0x43, 0xfd, 0x49, 0x02, 0x0b, 0xfe, 0x31, 0x1d, 0x01, 0x89,
-	0xba, 0x19, 0x26, 0x51, 0x67, 0x33, 0x04, 0x67, 0x0a, 0x8b, 0xfa, 0x6c, 0x26, 0xe8, 0x3a, 0xa7,
-	0x51, 0xab, 0xec, 0x15, 0xcc, 0x54, 0x95, 0x2e, 0xb6, 0x45, 0xbd, 0x3d, 0xee, 0xbc, 0x7e, 0x39,
-	0x63, 0xc8, 0x93, 0x86, 0x08, 0x57, 0xee, 0xf9, 0x12, 0xae, 0xfc, 0xb3, 0x21, 0x5c, 0x3f, 0x02,
-	0x45, 0xdb, 0xa5, 0x5a, 0x33, 0x1c, 0xf2, 0x62, 0xa6, 0xc4, 0x16, 0x2c, 0xcb, 0x83, 0xf6, 0xf8,
-	0x95, 0x07, 0x97, 0xc4, 0xac, 0x0a, 0x5f, 0x25, 0xb3, 0x62, 0x81, 0x6e, 0xe2, 0x81, 0x4d, 0x7a,
-	0x3c, 0xa9, 0x8a, 0x7e, 0xa0, 0xb7, 0xf9, 0x28, 0x12, 0x52, 0xb8, 0x0b, 0x2a, 0xa6, 0x65, 0xf4,
-	0x2d, 0x62, 0xdb, 0x9b, 0x04, 0xf7, 0x54, 0x45, 0x27, 0xee, 0x02, 0x9c, 0x9a, 0x78, 0x7a, 0x3c,
-	0xaa, 0x57, 0xda, 0xc9, 0x2a, 0x28, 0xcd, 0x56, 0xfe, 0x75, 0x01, 0x9c, 0x88, 0xde, 0x8d, 0x29,
-	0x34, 0x45, 0x3a, 0x14, 0x4d, 0xb9, 0x14, 0x88, 0x53, 0x87, 0xc3, 0x05, 0x5a, 0x05, 0xb1, 0x58,
-	0x5d, 0x07, 0x8b, 0x82, 0x96, 0xb8, 0x42, 0x41, 0xd4, 0xbc, 0xe3, 0xd9, 0x0d, 0x8b, 0x51, 0x54,
-	0x1f, 0x5e, 0x07, 0xf3, 0x16, 0x67, 0x5e, 0x2e, 0x80, 0xc3, 0x5e, 0xbe, 0x23, 0x00, 0xe6, 0x51,
-	0x50, 0x88, 0xc2, 0xba, 0x8c, 0xb9, 0xf8, 0x84, 0xc4, 0x05, 0x98, 0x09, 0x33, 0x97, 0xf5, 0xa8,
-	0x02, 0x8a, 0xdb, 0xc0, 0x6d, 0xb0, 0x34, 0xd0, 0xe3, 0x50, 0x4e, 0xac, 0x9d, 0x16, 0x50, 0x4b,
-	0xbb, 0x71, 0x15, 0x94, 0x64, 0x07, 0x6f, 0x81, 0x25, 0x4a, 0x2c, 0x4d, 0xd1, 0x31, 0x55, 0xf4,
-	0xbe, 0x07, 0xe7, 0x9c, 0x7c, 0x85, 0x41, 0xdd, 0x89, 0x8b, 0x51, 0x92, 0x0d, 0xbc, 0x17, 0xe2,
-	0x45, 0xb3, 0xfc, 0x6a, 0xba, 0x94, 0x21, 0xbd, 0x32, 0x13, 0xa3, 0x04, 0xd6, 0x56, 0xcc, 0xca,
-	0xda, 0xe4, 0x8f, 0x25, 0x00, 0xe3, 0x29, 0x3d, 0xb1, 0xa9, 0x10, 0xb3, 0x08, 0x14, 0x5f, 0x25,
-	0x99, 0x4a, 0x5d, 0xc9, 0x48, 0xa5, 0xfc, 0xbb, 0x39, 0x1b, 0x97, 0x12, 0x1b, 0x7d, 0x34, 0xfd,
-	0xa1, 0xac, 0x5c, 0xca, 0x77, 0xea, 0x19, 0x70, 0xa9, 0x00, 0xd8, 0xd3, 0xb9, 0xd4, 0x3f, 0x73,
-	0x60, 0xc9, 0x57, 0xce, 0xcc, 0xa5, 0x12, 0x4c, 0xbe, 0xed, 0x11, 0x65, 0xe3, 0x37, 0xfe, 0xd6,
-	0xfd, 0x3f, 0xf1, 0x1b, 0xdf, 0xab, 0x14, 0x7e, 0xf3, 0xfb, 0x5c, 0xd0, 0xf5, 0x29, 0xf9, 0xcd,
-	0x33, 0x68, 0x96, 0x7c, 0xed, 0x28, 0x92, 0xfc, 0xd1, 0x0c, 0x38, 0x11, 0xcd, 0xc3, 0x50, 0xad,
-	0x95, 0x26, 0xd6, 0xda, 0x36, 0x58, 0xbe, 0x3f, 0x50, 0xd5, 0x21, 0x5f, 0x43, 0xa0, 0xe0, 0x3a,
-	0x55, 0xfa, 0xbb, 0xc2, 0x72, 0xf9, 0x87, 0x09, 0x3a, 0x28, 0xd1, 0x32, 0x5e, 0x7a, 0x67, 0xbe,
-	0x6c, 0xe9, 0x2d, 0x1c, 0xa2, 0xf4, 0xa6, 0xd4, 0xca, 0xb9, 0x43, 0xd4, 0xca, 0x64, 0x22, 0x94,
-	0x3f, 0x14, 0x11, 0x9a, 0xae, 0xee, 0x26, 0xdc, 0x81, 0x13, 0x1b, 0x12, 0x63, 0x09, 0xac, 0x24,
-	0xb7, 0x01, 0xa0, 0x0a, 0x16, 0x34, 0xfc, 0x30, 0xd8, 0x8e, 0x99, 0x54, 0x8f, 0x06, 0x54, 0x51,
-	0x1b, 0xce, 0x1f, 0x59, 0x8d, 0x5b, 0x3a, 0xbd, 0x6d, 0x75, 0xa8, 0xa5, 0xe8, 0x7d, 0xa7, 0x88,
-	0x6f, 0x87, 0xb0, 0x50, 0x04, 0x1b, 0xbe, 0x0f, 0x8a, 0x1a, 0x7e, 0xd8, 0x19, 0x58, 0xfd, 0xa4,
-	0x62, 0x9b, 0x6d, 0x1e, 0x9e, 0x4b, 0xdb, 0x02, 0x05, 0x79, 0x78, 0xf2, 0x17, 0x12, 0xa8, 0xa4,
-	0x14, 0xe8, 0x6f, 0xd0, 0x2a, 0xff, 0x22, 0x81, 0x33, 0xa1, 0x55, 0xb2, 0x0c, 0x27, 0xf7, 0x07,
-	0x2a, 0x4f, 0x76, 0x41, 0x8a, 0x2e, 0x82, 0x92, 0x89, 0x2d, 0xaa, 0x78, 0xec, 0xbc, 0xd0, 0x9a,
-	0x1f, 0x8f, 0xea, 0xa5, 0xb6, 0x3b, 0x88, 0x7c, 0x79, 0xc2, 0xde, 0xe4, 0x9e, 0xdf, 0xde, 0xc8,
-	0xff, 0x95, 0x40, 0xa1, 0xd3, 0xc5, 0x2a, 0x39, 0x02, 0x0e, 0xb4, 0x19, 0xe2, 0x40, 0xe9, 0x7f,
-	0x55, 0x70, 0x7f, 0x52, 0xe9, 0xcf, 0x56, 0x84, 0xfe, 0x9c, 0x9b, 0x80, 0xf3, 0x74, 0xe6, 0xf3,
-	0x06, 0x28, 0x79, 0xd3, 0x4d, 0x77, 0x2d, 0xcb, 0xbf, 0xcb, 0x81, 0x72, 0x60, 0x8a, 0x29, 0x2f,
-	0xf5, 0x7b, 0xa1, 0x4a, 0xc6, 0xee, 0x98, 0xb5, 0x2c, 0x0b, 0x69, 0xb8, 0x55, 0xeb, 0x6d, 0x9d,
-	0x5a, 0xc1, 0x37, 0xe8, 0x78, 0x31, 0x7b, 0x13, 0x2c, 0x50, 0x6c, 0xf5, 0x09, 0x75, 0x65, 0x7c,
-	0xc3, 0x4a, 0x7e, 0x47, 0xe9, 0x4e, 0x48, 0x8a, 0x22, 0xda, 0xa7, 0xae, 0x83, 0xf9, 0xd0, 0x64,
-	0xf0, 0x04, 0xc8, 0x3f, 0x20, 0x43, 0x87, 0x0c, 0x22, 0xf6, 0x13, 0x2e, 0x83, 0xc2, 0x01, 0x56,
-	0x07, 0x4e, 0x88, 0x96, 0x90, 0xf3, 0x70, 0x2d, 0xf7, 0xba, 0x24, 0xff, 0x86, 0x6d, 0x8e, 0x9f,
-	0x0a, 0x47, 0x10, 0x5d, 0xef, 0x84, 0xa2, 0x2b, 0xfd, 0x5f, 0xd3, 0x60, 0x82, 0xa6, 0xc5, 0x18,
-	0x8a, 0xc4, 0xd8, 0x4b, 0x99, 0xd0, 0x9e, 0x1e, 0x69, 0xff, 0xca, 0x81, 0xe5, 0x80, 0xb6, 0x4f,
-	0xb2, 0xbf, 0x1f, 0x22, 0xd9, 0xab, 0x11, 0x92, 0x5d, 0x4d, 0xb2, 0xf9, 0x96, 0x65, 0x4f, 0x66,
-	0xd9, 0x7f, 0x96, 0xc0, 0x62, 0x60, 0xef, 0x8e, 0x80, 0x66, 0xdf, 0x0a, 0xd3, 0xec, 0x73, 0x59,
-	0x82, 0x26, 0x85, 0x67, 0x5f, 0x03, 0x4b, 0x01, 0xa5, 0xdb, 0x56, 0x4f, 0xd1, 0xb1, 0x6a, 0xc3,
-	0xb3, 0xa0, 0x60, 0x53, 0x6c, 0x51, 0xb7, 0x88, 0xb8, 0xb6, 0x1d, 0x36, 0x88, 0x1c, 0x99, 0xfc,
-	0x6f, 0x09, 0x34, 0x03, 0xc6, 0x6d, 0x62, 0xd9, 0x8a, 0x4d, 0x89, 0x4e, 0xef, 0x1a, 0xea, 0x40,
-	0x23, 0x1b, 0x2a, 0x56, 0x34, 0x44, 0xd8, 0x80, 0x62, 0xe8, 0x6d, 0x43, 0x55, 0xba, 0x43, 0x88,
-	0x41, 0xf9, 0xc3, 0x7d, 0xa2, 0x6f, 0x12, 0x95, 0x50, 0xf1, 0xbf, 0x60, 0xa9, 0xf5, 0x96, 0xfb,
-	0x37, 0xd9, 0x7b, 0xbe, 0xe8, 0xc9, 0xa8, 0xbe, 0x9a, 0x05, 0x91, 0x47, 0x68, 0x10, 0x13, 0xfe,
-	0x14, 0x00, 0xf6, 0xc8, 0xef, 0xb2, 0x9e, 0x08, 0xd6, 0x37, 0xdd, 0x8c, 0x7e, 0xcf, 0x93, 0x4c,
-	0x35, 0x41, 0x00, 0x51, 0xfe, 0x43, 0x31, 0x74, 0xde, 0xdf, 0xf8, 0xde, 0xeb, 0xcf, 0xc1, 0xf2,
-	0x81, 0xbf, 0x3b, 0xae, 0x02, 0xa3, 0xf2, 0xf9, 0x68, 0x53, 0xc0, 0x83, 0x4f, 0xda, 0x57, 0xff,
-	0x05, 0xe2, 0x6e, 0x02, 0x1c, 0x4a, 0x9c, 0x04, 0xbe, 0x0a, 0xca, 0x8c, 0x37, 0x2b, 0x5d, 0xb2,
-	0x83, 0x35, 0x37, 0x17, 0xbd, 0xbf, 0x55, 0x3b, 0xbe, 0x08, 0x05, 0xf5, 0xe0, 0x3e, 0x58, 0x32,
-	0x8d, 0xde, 0x36, 0xd6, 0x71, 0x9f, 0x30, 0x22, 0xe8, 0x1c, 0x25, 0x6f, 0xc8, 0x96, 0x5a, 0xaf,
-	0xb9, 0xcd, 0xb6, 0x76, 0x5c, 0xe5, 0xc9, 0xa8, 0x5e, 0x49, 0x18, 0xe6, 0x41, 0x90, 0x04, 0x09,
-	0xad, 0xd8, 0xa7, 0x00, 0xce, 0x5f, 0x21, 0x6b, 0x59, 0x92, 0xf2, 0x90, 0x1f, 0x03, 0xa4, 0xf5,
-	0x9b, 0x8b, 0x87, 0xea, 0x37, 0x27, 0xbc, 0x2d, 0x97, 0xa6, 0x7c, 0x5b, 0xfe, 0xab, 0x04, 0xce,
-	0x99, 0x19, 0x72, 0xa9, 0x0a, 0xf8, 0xde, 0xdc, 0xcc, 0xb2, 0x37, 0x59, 0x72, 0xb3, 0xb5, 0x3a,
-	0x1e, 0xd5, 0xcf, 0x65, 0xd1, 0x44, 0x99, 0xfc, 0x83, 0x77, 0x41, 0xd1, 0x10, 0x77, 0x60, 0xb5,
-	0xcc, 0x7d, 0xbd, 0x94, 0xc5, 0x57, 0xf7, 0xde, 0x74, 0xd2, 0xd2, 0x7d, 0x42, 0x1e, 0x96, 0xfc,
-	0x71, 0x01, 0x9c, 0x8c, 0x55, 0xf0, 0xaf, 0xb0, 0xab, 0x1e, 0x7b, 0x2f, 0xcf, 0x4f, 0xf1, 0x5e,
-	0xbe, 0x0e, 0x16, 0xc5, 0x87, 0x1a, 0x91, 0xd7, 0x7a, 0x2f, 0x60, 0x36, 0xc2, 0x62, 0x14, 0xd5,
-	0x4f, 0xea, 0xea, 0x17, 0xa6, 0xec, 0xea, 0x07, 0xbd, 0x10, 0x1f, 0x1e, 0x3a, 0xe9, 0x1d, 0xf7,
-	0x42, 0x7c, 0x7f, 0x18, 0xd5, 0x67, 0xc4, 0xd5, 0x41, 0xf5, 0x10, 0xe6, 0xc2, 0xc4, 0x75, 0x37,
-	0x24, 0x45, 0x11, 0xed, 0x2f, 0xf5, 0x31, 0x02, 0x4e, 0xf8, 0x18, 0xe1, 0x72, 0x96, 0x58, 0xcb,
-	0xde, 0x75, 0x4f, 0xec, 0x9f, 0x94, 0xa7, 0xef, 0x9f, 0xc8, 0x7f, 0x93, 0xc0, 0x0b, 0xa9, 0xb7,
-	0x16, 0x5c, 0x0f, 0xd1, 0xca, 0xcb, 0x11, 0x5a, 0xf9, 0xbd, 0x54, 0xc3, 0x00, 0xb7, 0xb4, 0x92,
-	0x1b, 0xf2, 0x6f, 0x64, 0x6b, 0xc8, 0x27, 0xbc, 0x09, 0x4f, 0xee, 0xcc, 0xb7, 0x7e, 0xf0, 0xe8,
-	0x71, 0xed, 0xd8, 0xa7, 0x8f, 0x6b, 0xc7, 0x3e, 0x7f, 0x5c, 0x3b, 0xf6, 0x8b, 0x71, 0x4d, 0x7a,
-	0x34, 0xae, 0x49, 0x9f, 0x8e, 0x6b, 0xd2, 0xe7, 0xe3, 0x9a, 0xf4, 0xf7, 0x71, 0x4d, 0xfa, 0xed,
-	0x17, 0xb5, 0x63, 0xef, 0x57, 0x52, 0x3e, 0x85, 0xfe, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xd4,
-	0x01, 0x82, 0xf5, 0x24, 0x2d, 0x00, 0x00,
-}
+func (m *StatefulSetUpdateStrategy) Reset() { *m = StatefulSetUpdateStrategy{} }
 
 func (m *ControllerRevision) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -2438,7 +1374,7 @@ func (m *ScaleStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -3884,7 +2820,7 @@ func (this *ScaleStatus) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
diff --git a/staging/src/k8s.io/api/apps/v1beta2/generated.proto b/staging/src/k8s.io/api/apps/v1beta2/generated.proto
index 37c6d5ae1bf7b..1cdd0a43f7adb 100644
--- a/staging/src/k8s.io/api/apps/v1beta2/generated.proto
+++ b/staging/src/k8s.io/api/apps/v1beta2/generated.proto
@@ -348,7 +348,7 @@ message DeploymentStatus {
   // Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
   // .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 9;
 
@@ -487,7 +487,7 @@ message ReplicaSetStatus {
   // The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
   // and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 7;
 
@@ -587,10 +587,12 @@ message RollingUpdateStatefulSetStrategy {
   // The maximum number of pods that can be unavailable during the update.
   // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
   // Absolute number is calculated from percentage by rounding up. This can not be 0.
-  // Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-  // MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+  // Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
   // Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
   // will be counted towards MaxUnavailable.
+  // This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+  //
+  // +featureGate=MaxUnavailableStatefulSet
   // +optional
   optional .k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 2;
 }
@@ -795,8 +797,12 @@ message StatefulSetSpec {
   // +optional
   optional int32 minReadySeconds = 9;
 
-  // PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-  // the StatefulSet VolumeClaimTemplates.
+  // persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+  // volume claims created from volumeClaimTemplates. By default, all persistent
+  // volume claims are created as needed and retained until manually deleted. This
+  // policy allows the lifecycle to be altered, for example by deleting persistent
+  // volume claims when their stateful set is deleted, or when their pod is scaled
+  // down.
   // +optional
   optional StatefulSetPersistentVolumeClaimRetentionPolicy persistentVolumeClaimRetentionPolicy = 10;
 
diff --git a/staging/src/k8s.io/api/apps/v1beta2/generated.protomessage.pb.go b/staging/src/k8s.io/api/apps/v1beta2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..18582bf290de7
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1beta2/generated.protomessage.pb.go
@@ -0,0 +1,88 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta2
+
+func (*ControllerRevision) ProtoMessage() {}
+
+func (*ControllerRevisionList) ProtoMessage() {}
+
+func (*DaemonSet) ProtoMessage() {}
+
+func (*DaemonSetCondition) ProtoMessage() {}
+
+func (*DaemonSetList) ProtoMessage() {}
+
+func (*DaemonSetSpec) ProtoMessage() {}
+
+func (*DaemonSetStatus) ProtoMessage() {}
+
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
+
+func (*Deployment) ProtoMessage() {}
+
+func (*DeploymentCondition) ProtoMessage() {}
+
+func (*DeploymentList) ProtoMessage() {}
+
+func (*DeploymentSpec) ProtoMessage() {}
+
+func (*DeploymentStatus) ProtoMessage() {}
+
+func (*DeploymentStrategy) ProtoMessage() {}
+
+func (*ReplicaSet) ProtoMessage() {}
+
+func (*ReplicaSetCondition) ProtoMessage() {}
+
+func (*ReplicaSetList) ProtoMessage() {}
+
+func (*ReplicaSetSpec) ProtoMessage() {}
+
+func (*ReplicaSetStatus) ProtoMessage() {}
+
+func (*RollingUpdateDaemonSet) ProtoMessage() {}
+
+func (*RollingUpdateDeployment) ProtoMessage() {}
+
+func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
+
+func (*Scale) ProtoMessage() {}
+
+func (*ScaleSpec) ProtoMessage() {}
+
+func (*ScaleStatus) ProtoMessage() {}
+
+func (*StatefulSet) ProtoMessage() {}
+
+func (*StatefulSetCondition) ProtoMessage() {}
+
+func (*StatefulSetList) ProtoMessage() {}
+
+func (*StatefulSetOrdinals) ProtoMessage() {}
+
+func (*StatefulSetPersistentVolumeClaimRetentionPolicy) ProtoMessage() {}
+
+func (*StatefulSetSpec) ProtoMessage() {}
+
+func (*StatefulSetStatus) ProtoMessage() {}
+
+func (*StatefulSetUpdateStrategy) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/apps/v1beta2/types.go b/staging/src/k8s.io/api/apps/v1beta2/types.go
index e9dc85df05568..18c74a4aa6312 100644
--- a/staging/src/k8s.io/api/apps/v1beta2/types.go
+++ b/staging/src/k8s.io/api/apps/v1beta2/types.go
@@ -19,7 +19,7 @@ package v1beta2
 import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
@@ -176,10 +176,12 @@ type RollingUpdateStatefulSetStrategy struct {
 	// The maximum number of pods that can be unavailable during the update.
 	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
 	// Absolute number is calculated from percentage by rounding up. This can not be 0.
-	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
-	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
 	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
 	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
+	//
+	// +featureGate=MaxUnavailableStatefulSet
 	// +optional
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"varint,2,opt,name=maxUnavailable"`
 }
@@ -304,8 +306,12 @@ type StatefulSetSpec struct {
 	// +optional
 	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,9,opt,name=minReadySeconds"`
 
-	// PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from
-	// the StatefulSet VolumeClaimTemplates.
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	// +optional
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicy `json:"persistentVolumeClaimRetentionPolicy,omitempty" protobuf:"bytes,10,opt,name=persistentVolumeClaimRetentionPolicy"`
 
@@ -560,7 +566,7 @@ type DeploymentStatus struct {
 	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
 	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,9,opt,name=terminatingReplicas"`
 
@@ -962,7 +968,7 @@ type ReplicaSetStatus struct {
 	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
 	// and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,7,opt,name=terminatingReplicas"`
 
diff --git a/staging/src/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go b/staging/src/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
index 34d80af58d76a..ebafa66aa6657 100644
--- a/staging/src/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
@@ -182,7 +182,7 @@ var map_DeploymentStatus = map[string]string{
 	"readyReplicas":       "Total number of non-terminating pods targeted by this Deployment with a Ready Condition.",
 	"availableReplicas":   "Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.",
 	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
-	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"conditions":          "Represents the latest available observations of a deployment's current state.",
 	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
 }
@@ -253,7 +253,7 @@ var map_ReplicaSetStatus = map[string]string{
 	"fullyLabeledReplicas": "The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.",
 	"readyReplicas":        "The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.",
 	"availableReplicas":    "The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.",
-	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed ReplicaSet.",
 	"conditions":           "Represents the latest available observations of a replica set's current state.",
 }
@@ -285,7 +285,7 @@ func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
 var map_RollingUpdateStatefulSetStrategy = map[string]string{
 	"":               "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.",
 	"partition":      "Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.",
-	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.",
+	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable. This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.",
 }
 
 func (RollingUpdateStatefulSetStrategy) SwaggerDoc() map[string]string {
@@ -384,7 +384,7 @@ var map_StatefulSetSpec = map[string]string{
 	"updateStrategy":                       "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
 	"revisionHistoryLimit":                 "revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.",
 	"minReadySeconds":                      "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
-	"persistentVolumeClaimRetentionPolicy": "PersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.",
+	"persistentVolumeClaimRetentionPolicy": "persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down.",
 	"ordinals":                             "ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested.",
 }
 
diff --git a/staging/src/k8s.io/api/apps/v1beta2/zz_generated.model_name.go b/staging/src/k8s.io/api/apps/v1beta2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..f3ee41780b839
--- /dev/null
+++ b/staging/src/k8s.io/api/apps/v1beta2/zz_generated.model_name.go
@@ -0,0 +1,187 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevision) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ControllerRevision"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerRevisionList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ControllerRevisionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DaemonSetUpdateStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Deployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.Deployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DeploymentCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DeploymentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DeploymentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DeploymentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.DeploymentStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ReplicaSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ReplicaSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ReplicaSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ReplicaSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ReplicaSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.RollingUpdateDaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDeployment) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.RollingUpdateDeployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateStatefulSetStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.RollingUpdateStatefulSetStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scale) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.Scale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ScaleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.ScaleStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSet) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetList) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetOrdinals) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetOrdinals"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetPersistentVolumeClaimRetentionPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetPersistentVolumeClaimRetentionPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.apps.v1beta2.StatefulSetUpdateStrategy"
+}
diff --git a/staging/src/k8s.io/api/authentication/v1/doc.go b/staging/src/k8s.io/api/authentication/v1/doc.go
index dc3aed4e4febd..bf0cd7055859d 100644
--- a/staging/src/k8s.io/api/authentication/v1/doc.go
+++ b/staging/src/k8s.io/api/authentication/v1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=authentication.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.authentication.v1
 
 package v1
diff --git a/staging/src/k8s.io/api/authentication/v1/generated.pb.go b/staging/src/k8s.io/api/authentication/v1/generated.pb.go
index 6d922030c1c39..2b872c453e162 100644
--- a/staging/src/k8s.io/api/authentication/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/authentication/v1/generated.pb.go
@@ -23,11 +23,8 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -35,407 +32,27 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *BoundObjectReference) Reset() { *m = BoundObjectReference{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-func (m *BoundObjectReference) Reset()      { *m = BoundObjectReference{} }
-func (*BoundObjectReference) ProtoMessage() {}
-func (*BoundObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{0}
-}
-func (m *BoundObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BoundObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BoundObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BoundObjectReference.Merge(m, src)
-}
-func (m *BoundObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *BoundObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_BoundObjectReference.DiscardUnknown(m)
-}
+func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} }
 
-var xxx_messageInfo_BoundObjectReference proto.InternalMessageInfo
+func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} }
 
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{1}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
+func (m *TokenRequest) Reset() { *m = TokenRequest{} }
 
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
+func (m *TokenRequestSpec) Reset() { *m = TokenRequestSpec{} }
 
-func (m *SelfSubjectReview) Reset()      { *m = SelfSubjectReview{} }
-func (*SelfSubjectReview) ProtoMessage() {}
-func (*SelfSubjectReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{2}
-}
-func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReview.Merge(m, src)
-}
-func (m *SelfSubjectReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m)
-}
+func (m *TokenRequestStatus) Reset() { *m = TokenRequestStatus{} }
 
-var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo
+func (m *TokenReview) Reset() { *m = TokenReview{} }
 
-func (m *SelfSubjectReviewStatus) Reset()      { *m = SelfSubjectReviewStatus{} }
-func (*SelfSubjectReviewStatus) ProtoMessage() {}
-func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{3}
-}
-func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src)
-}
-func (m *SelfSubjectReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m)
-}
+func (m *TokenReviewSpec) Reset() { *m = TokenReviewSpec{} }
 
-var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo
+func (m *TokenReviewStatus) Reset() { *m = TokenReviewStatus{} }
 
-func (m *TokenRequest) Reset()      { *m = TokenRequest{} }
-func (*TokenRequest) ProtoMessage() {}
-func (*TokenRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{4}
-}
-func (m *TokenRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenRequest.Merge(m, src)
-}
-func (m *TokenRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenRequest proto.InternalMessageInfo
-
-func (m *TokenRequestSpec) Reset()      { *m = TokenRequestSpec{} }
-func (*TokenRequestSpec) ProtoMessage() {}
-func (*TokenRequestSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{5}
-}
-func (m *TokenRequestSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenRequestSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenRequestSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenRequestSpec.Merge(m, src)
-}
-func (m *TokenRequestSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenRequestSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenRequestSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenRequestSpec proto.InternalMessageInfo
-
-func (m *TokenRequestStatus) Reset()      { *m = TokenRequestStatus{} }
-func (*TokenRequestStatus) ProtoMessage() {}
-func (*TokenRequestStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{6}
-}
-func (m *TokenRequestStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenRequestStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenRequestStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenRequestStatus.Merge(m, src)
-}
-func (m *TokenRequestStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenRequestStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenRequestStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenRequestStatus proto.InternalMessageInfo
-
-func (m *TokenReview) Reset()      { *m = TokenReview{} }
-func (*TokenReview) ProtoMessage() {}
-func (*TokenReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{7}
-}
-func (m *TokenReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReview.Merge(m, src)
-}
-func (m *TokenReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenReview proto.InternalMessageInfo
-
-func (m *TokenReviewSpec) Reset()      { *m = TokenReviewSpec{} }
-func (*TokenReviewSpec) ProtoMessage() {}
-func (*TokenReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{8}
-}
-func (m *TokenReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReviewSpec.Merge(m, src)
-}
-func (m *TokenReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenReviewSpec proto.InternalMessageInfo
-
-func (m *TokenReviewStatus) Reset()      { *m = TokenReviewStatus{} }
-func (*TokenReviewStatus) ProtoMessage() {}
-func (*TokenReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{9}
-}
-func (m *TokenReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReviewStatus.Merge(m, src)
-}
-func (m *TokenReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenReviewStatus proto.InternalMessageInfo
-
-func (m *UserInfo) Reset()      { *m = UserInfo{} }
-func (*UserInfo) ProtoMessage() {}
-func (*UserInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d1237cbf54dccd53, []int{10}
-}
-func (m *UserInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserInfo.Merge(m, src)
-}
-func (m *UserInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserInfo.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserInfo proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*BoundObjectReference)(nil), "k8s.io.api.authentication.v1.BoundObjectReference")
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1.ExtraValue")
-	proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1.SelfSubjectReview")
-	proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1.SelfSubjectReviewStatus")
-	proto.RegisterType((*TokenRequest)(nil), "k8s.io.api.authentication.v1.TokenRequest")
-	proto.RegisterType((*TokenRequestSpec)(nil), "k8s.io.api.authentication.v1.TokenRequestSpec")
-	proto.RegisterType((*TokenRequestStatus)(nil), "k8s.io.api.authentication.v1.TokenRequestStatus")
-	proto.RegisterType((*TokenReview)(nil), "k8s.io.api.authentication.v1.TokenReview")
-	proto.RegisterType((*TokenReviewSpec)(nil), "k8s.io.api.authentication.v1.TokenReviewSpec")
-	proto.RegisterType((*TokenReviewStatus)(nil), "k8s.io.api.authentication.v1.TokenReviewStatus")
-	proto.RegisterType((*UserInfo)(nil), "k8s.io.api.authentication.v1.UserInfo")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.authentication.v1.UserInfo.ExtraEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/authentication/v1/generated.proto", fileDescriptor_d1237cbf54dccd53)
-}
-
-var fileDescriptor_d1237cbf54dccd53 = []byte{
-	// 947 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4b, 0x6f, 0x23, 0xc5,
-	0x13, 0xf7, 0xf8, 0x11, 0xd9, 0xe5, 0x4d, 0xfe, 0x49, 0xef, 0x7f, 0x85, 0x15, 0x16, 0x4f, 0x98,
-	0x95, 0x50, 0x04, 0xbb, 0x33, 0x1b, 0x8b, 0xc7, 0x6a, 0x91, 0x90, 0x32, 0xc4, 0x02, 0x0b, 0xc1,
-	0xae, 0xda, 0x49, 0x40, 0x48, 0x48, 0xb4, 0xc7, 0x1d, 0xa7, 0xf1, 0xce, 0x83, 0x99, 0x1e, 0xb3,
-	0xbe, 0xed, 0x47, 0xe0, 0x08, 0x12, 0x07, 0x3e, 0x04, 0x12, 0x5f, 0x21, 0xc7, 0x15, 0xe2, 0xb0,
-	0x07, 0x64, 0x91, 0xe1, 0xca, 0x91, 0x13, 0x27, 0xd4, 0x3d, 0x1d, 0xdb, 0x63, 0x27, 0x13, 0x9f,
-	0xf6, 0xe6, 0xa9, 0xc7, 0xaf, 0xaa, 0x7e, 0x55, 0x5d, 0x65, 0xb8, 0x3b, 0x7c, 0x10, 0x99, 0xcc,
-	0xb7, 0x48, 0xc0, 0x2c, 0x12, 0xf3, 0x53, 0xea, 0x71, 0xe6, 0x10, 0xce, 0x7c, 0xcf, 0x1a, 0xed,
-	0x59, 0x03, 0xea, 0xd1, 0x90, 0x70, 0xda, 0x37, 0x83, 0xd0, 0xe7, 0x3e, 0xba, 0x9d, 0x5a, 0x9b,
-	0x24, 0x60, 0x66, 0xd6, 0xda, 0x1c, 0xed, 0x6d, 0xdf, 0x1b, 0x30, 0x7e, 0x1a, 0xf7, 0x4c, 0xc7,
-	0x77, 0xad, 0x81, 0x3f, 0xf0, 0x2d, 0xe9, 0xd4, 0x8b, 0x4f, 0xe4, 0x97, 0xfc, 0x90, 0xbf, 0x52,
-	0xb0, 0xed, 0xb7, 0x67, 0xa1, 0x5d, 0xe2, 0x9c, 0x32, 0x8f, 0x86, 0x63, 0x2b, 0x18, 0x0e, 0x84,
-	0x20, 0xb2, 0x5c, 0xca, 0xc9, 0x25, 0x29, 0x6c, 0x5b, 0x57, 0x79, 0x85, 0xb1, 0xc7, 0x99, 0x4b,
-	0x97, 0x1c, 0xde, 0xbd, 0xce, 0x21, 0x72, 0x4e, 0xa9, 0x4b, 0x16, 0xfd, 0x8c, 0xdf, 0x34, 0xf8,
-	0xbf, 0xed, 0xc7, 0x5e, 0xff, 0x51, 0xef, 0x1b, 0xea, 0x70, 0x4c, 0x4f, 0x68, 0x48, 0x3d, 0x87,
-	0xa2, 0x1d, 0x28, 0x0f, 0x99, 0xd7, 0x6f, 0x68, 0x3b, 0xda, 0x6e, 0xcd, 0xbe, 0x71, 0x36, 0xd1,
-	0x0b, 0xc9, 0x44, 0x2f, 0x7f, 0xc2, 0xbc, 0x3e, 0x96, 0x1a, 0xd4, 0x02, 0x20, 0x01, 0x3b, 0xa6,
-	0x61, 0xc4, 0x7c, 0xaf, 0x51, 0x94, 0x76, 0x48, 0xd9, 0xc1, 0xfe, 0xe3, 0x8e, 0xd2, 0xe0, 0x39,
-	0x2b, 0x81, 0xea, 0x11, 0x97, 0x36, 0x4a, 0x59, 0xd4, 0xcf, 0x88, 0x4b, 0xb1, 0xd4, 0x20, 0x1b,
-	0x4a, 0x71, 0xe7, 0xa0, 0x51, 0x96, 0x06, 0xf7, 0x95, 0x41, 0xe9, 0xa8, 0x73, 0xf0, 0xef, 0x44,
-	0x7f, 0xfd, 0xaa, 0x22, 0xf9, 0x38, 0xa0, 0x91, 0x79, 0xd4, 0x39, 0xc0, 0xc2, 0xd9, 0x78, 0x0f,
-	0xa0, 0xfd, 0x94, 0x87, 0xe4, 0x98, 0x3c, 0x89, 0x29, 0xd2, 0xa1, 0xc2, 0x38, 0x75, 0xa3, 0x86,
-	0xb6, 0x53, 0xda, 0xad, 0xd9, 0xb5, 0x64, 0xa2, 0x57, 0x3a, 0x42, 0x80, 0x53, 0xf9, 0xc3, 0xea,
-	0x0f, 0x3f, 0xeb, 0x85, 0x67, 0x7f, 0xec, 0x14, 0x8c, 0xdf, 0x35, 0xd8, 0xea, 0xd2, 0x27, 0x27,
-	0xdd, 0x58, 0xb1, 0x31, 0x62, 0xf4, 0x3b, 0xf4, 0x35, 0x54, 0x45, 0x9f, 0xfa, 0x84, 0x13, 0x49,
-	0x47, 0xbd, 0x75, 0xdf, 0x9c, 0x8d, 0xc8, 0x34, 0x13, 0x33, 0x18, 0x0e, 0x84, 0x20, 0x32, 0x85,
-	0xb5, 0x39, 0xda, 0x33, 0x53, 0x4e, 0x3f, 0xa5, 0x9c, 0xcc, 0x88, 0x99, 0xc9, 0xf0, 0x14, 0x15,
-	0x7d, 0x05, 0x6b, 0x11, 0x27, 0x3c, 0x8e, 0x24, 0x8d, 0xf5, 0xd6, 0x3b, 0x66, 0xde, 0x08, 0x9a,
-	0x4b, 0x29, 0x76, 0xa5, 0xb3, 0xbd, 0xa1, 0x82, 0xac, 0xa5, 0xdf, 0x58, 0x81, 0x1a, 0x3e, 0xbc,
-	0x72, 0x85, 0x0b, 0x3a, 0x84, 0x6a, 0x1c, 0xd1, 0xb0, 0xe3, 0x9d, 0xf8, 0xaa, 0xb6, 0x37, 0xf2,
-	0x63, 0x1f, 0x29, 0x6b, 0x7b, 0x53, 0x05, 0xab, 0x5e, 0x48, 0xf0, 0x14, 0xc9, 0xf8, 0xa9, 0x08,
-	0x37, 0x0e, 0xfd, 0x21, 0xf5, 0x30, 0xfd, 0x36, 0xa6, 0x11, 0x7f, 0x09, 0x14, 0x3e, 0x86, 0x72,
-	0x14, 0x50, 0x47, 0x11, 0x68, 0xe6, 0x17, 0x31, 0x9f, 0x5b, 0x37, 0xa0, 0xce, 0x6c, 0x12, 0xc5,
-	0x17, 0x96, 0x48, 0xe8, 0x8b, 0x69, 0x53, 0x4a, 0x4b, 0x19, 0x5f, 0x87, 0x99, 0xdf, 0x8f, 0x7f,
-	0x34, 0xd8, 0x5c, 0x4c, 0x01, 0xbd, 0x05, 0x35, 0x12, 0xf7, 0x99, 0x78, 0x7c, 0x17, 0xa3, 0xba,
-	0x9e, 0x4c, 0xf4, 0xda, 0xfe, 0x85, 0x10, 0xcf, 0xf4, 0xe8, 0x43, 0xd8, 0xa2, 0x4f, 0x03, 0x16,
-	0xca, 0xe8, 0x5d, 0xea, 0xf8, 0x5e, 0x3f, 0x92, 0x6f, 0xa6, 0x64, 0xdf, 0x4a, 0x26, 0xfa, 0x56,
-	0x7b, 0x51, 0x89, 0x97, 0xed, 0x91, 0x07, 0x1b, 0xbd, 0xcc, 0xd3, 0x57, 0x85, 0xb6, 0xf2, 0x0b,
-	0xbd, 0x6c, 0x5d, 0xd8, 0x28, 0x99, 0xe8, 0x1b, 0x59, 0x0d, 0x5e, 0x40, 0x37, 0x7e, 0xd1, 0x00,
-	0x2d, 0xb3, 0x84, 0xee, 0x40, 0x85, 0x0b, 0xa9, 0x5a, 0x35, 0xeb, 0x8a, 0xb4, 0x4a, 0x6a, 0x9a,
-	0xea, 0xd0, 0x18, 0x6e, 0xce, 0x0a, 0x38, 0x64, 0x2e, 0x8d, 0x38, 0x71, 0x03, 0xd5, 0xed, 0x37,
-	0x57, 0x9b, 0x25, 0xe1, 0x66, 0xbf, 0xaa, 0xe0, 0x6f, 0xb6, 0x97, 0xe1, 0xf0, 0x65, 0x31, 0x8c,
-	0x1f, 0x8b, 0x50, 0x57, 0x69, 0xbf, 0xa4, 0x75, 0xf0, 0x28, 0x33, 0xcb, 0xf7, 0x56, 0x9a, 0x3b,
-	0xf9, 0xa6, 0xaf, 0x1a, 0xe5, 0xcf, 0x17, 0x46, 0xd9, 0x5a, 0x1d, 0x32, 0x7f, 0x92, 0x1d, 0xf8,
-	0xdf, 0x42, 0xfc, 0xd5, 0xda, 0x99, 0x19, 0xf6, 0x62, 0xfe, 0xb0, 0x1b, 0x7f, 0x6b, 0xb0, 0xb5,
-	0x94, 0x12, 0x7a, 0x1f, 0xd6, 0xe7, 0x32, 0xa7, 0xe9, 0xa5, 0xaa, 0xda, 0xb7, 0x54, 0xbc, 0xf5,
-	0xfd, 0x79, 0x25, 0xce, 0xda, 0xa2, 0x8f, 0xa1, 0x2c, 0x96, 0x95, 0x62, 0x78, 0xd5, 0x95, 0x37,
-	0xa5, 0x56, 0x48, 0xb0, 0x44, 0xc8, 0x56, 0x52, 0xbe, 0xe6, 0xd9, 0xde, 0x81, 0x0a, 0x0d, 0x43,
-	0x3f, 0x54, 0xf7, 0x6f, 0xca, 0x4d, 0x5b, 0x08, 0x71, 0xaa, 0x33, 0x7e, 0x2d, 0xc2, 0x74, 0xa7,
-	0xa2, 0xbb, 0xe9, 0x7e, 0x96, 0x47, 0x33, 0x25, 0x34, 0xb3, 0x77, 0x85, 0x1c, 0x4f, 0x2d, 0xd0,
-	0x6b, 0x50, 0x8a, 0x59, 0x5f, 0xdd, 0xe2, 0xfa, 0xdc, 0xf1, 0xc4, 0x42, 0x8e, 0x0c, 0x58, 0x1b,
-	0x84, 0x7e, 0x1c, 0x88, 0x31, 0x10, 0x89, 0x82, 0xe8, 0xe8, 0x47, 0x52, 0x82, 0x95, 0x06, 0x1d,
-	0x43, 0x85, 0x8a, 0xdb, 0x29, 0x6b, 0xa9, 0xb7, 0xf6, 0x56, 0xa3, 0xc6, 0x94, 0xf7, 0xb6, 0xed,
-	0xf1, 0x70, 0x3c, 0x57, 0x95, 0x90, 0xe1, 0x14, 0x6e, 0xbb, 0xa7, 0x6e, 0xb2, 0xb4, 0x41, 0x9b,
-	0x50, 0x1a, 0xd2, 0x71, 0x5a, 0x11, 0x16, 0x3f, 0xd1, 0x07, 0x50, 0x19, 0x89, 0x73, 0xad, 0x5a,
-	0xb2, 0x9b, 0x1f, 0x77, 0x76, 0xde, 0x71, 0xea, 0xf6, 0xb0, 0xf8, 0x40, 0xb3, 0xed, 0xb3, 0xf3,
-	0x66, 0xe1, 0xf9, 0x79, 0xb3, 0xf0, 0xe2, 0xbc, 0x59, 0x78, 0x96, 0x34, 0xb5, 0xb3, 0xa4, 0xa9,
-	0x3d, 0x4f, 0x9a, 0xda, 0x8b, 0xa4, 0xa9, 0xfd, 0x99, 0x34, 0xb5, 0xef, 0xff, 0x6a, 0x16, 0xbe,
-	0xbc, 0x9d, 0xf7, 0x67, 0xf0, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf0, 0xb7, 0xc1, 0xa0, 0x2b,
-	0x0a, 0x00, 0x00,
-}
+func (m *UserInfo) Reset() { *m = UserInfo{} }
 
 func (m *BoundObjectReference) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -898,7 +515,7 @@ func (m *UserInfo) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -1260,7 +877,7 @@ func (this *UserInfo) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/staging/src/k8s.io/api/authentication/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/authentication/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..7003a8084351a
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1/generated.protomessage.pb.go
@@ -0,0 +1,44 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*BoundObjectReference) ProtoMessage() {}
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*SelfSubjectReview) ProtoMessage() {}
+
+func (*SelfSubjectReviewStatus) ProtoMessage() {}
+
+func (*TokenRequest) ProtoMessage() {}
+
+func (*TokenRequestSpec) ProtoMessage() {}
+
+func (*TokenRequestStatus) ProtoMessage() {}
+
+func (*TokenReview) ProtoMessage() {}
+
+func (*TokenReviewSpec) ProtoMessage() {}
+
+func (*TokenReviewStatus) ProtoMessage() {}
+
+func (*UserInfo) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/authentication/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/authentication/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..ca0c6f353c973
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1/zz_generated.model_name.go
@@ -0,0 +1,72 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in BoundObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.BoundObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReview) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.SelfSubjectReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.SelfSubjectReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenRequest) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenRequestSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenRequestSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenRequestStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenRequestStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReview) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.TokenReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserInfo) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1.UserInfo"
+}
diff --git a/staging/src/k8s.io/api/authentication/v1alpha1/doc.go b/staging/src/k8s.io/api/authentication/v1alpha1/doc.go
index c199ccd499997..47f61e0b696bf 100644
--- a/staging/src/k8s.io/api/authentication/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/authentication/v1alpha1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=authentication.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.authentication.v1alpha1
 
 package v1alpha1
diff --git a/staging/src/k8s.io/api/authentication/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/authentication/v1alpha1/generated.pb.go
index 98c106ec65a88..b017e1c3342a1 100644
--- a/staging/src/k8s.io/api/authentication/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/authentication/v1alpha1/generated.pb.go
@@ -24,116 +24,14 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} }
 
-func (m *SelfSubjectReview) Reset()      { *m = SelfSubjectReview{} }
-func (*SelfSubjectReview) ProtoMessage() {}
-func (*SelfSubjectReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f003acd72d3d5efb, []int{0}
-}
-func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReview.Merge(m, src)
-}
-func (m *SelfSubjectReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo
-
-func (m *SelfSubjectReviewStatus) Reset()      { *m = SelfSubjectReviewStatus{} }
-func (*SelfSubjectReviewStatus) ProtoMessage() {}
-func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f003acd72d3d5efb, []int{1}
-}
-func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src)
-}
-func (m *SelfSubjectReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1alpha1.SelfSubjectReview")
-	proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1alpha1.SelfSubjectReviewStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/authentication/v1alpha1/generated.proto", fileDescriptor_f003acd72d3d5efb)
-}
-
-var fileDescriptor_f003acd72d3d5efb = []byte{
-	// 368 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x92, 0x41, 0x4f, 0xe2, 0x40,
-	0x14, 0xc7, 0x3b, 0x7b, 0x20, 0xa4, 0x9b, 0x6c, 0x76, 0x7b, 0x59, 0xc2, 0x61, 0x30, 0x3d, 0x18,
-	0x0f, 0x3a, 0x23, 0xc4, 0x18, 0x13, 0x6f, 0x3d, 0xe9, 0xc1, 0x98, 0x14, 0xbd, 0x78, 0xf2, 0x51,
-	0x1e, 0xed, 0x08, 0xed, 0x34, 0xed, 0x14, 0xe3, 0xcd, 0x8f, 0xe0, 0xc7, 0xe2, 0xc8, 0x91, 0x78,
-	0x20, 0x52, 0xbf, 0x88, 0xe9, 0x50, 0x20, 0x82, 0xc0, 0xad, 0xef, 0xe5, 0xfd, 0x7e, 0xef, 0xdf,
-	0x99, 0x31, 0x5b, 0xfd, 0x8b, 0x94, 0x09, 0xc9, 0x21, 0x16, 0x1c, 0x32, 0x15, 0x60, 0xa4, 0x84,
-	0x07, 0x4a, 0xc8, 0x88, 0x0f, 0x9b, 0x30, 0x88, 0x03, 0x68, 0x72, 0x1f, 0x23, 0x4c, 0x40, 0x61,
-	0x97, 0xc5, 0x89, 0x54, 0xd2, 0xb2, 0xe7, 0x0c, 0x83, 0x58, 0xb0, 0xef, 0x0c, 0x5b, 0x30, 0xf5,
-	0x13, 0x5f, 0xa8, 0x20, 0xeb, 0x30, 0x4f, 0x86, 0xdc, 0x97, 0xbe, 0xe4, 0x1a, 0xed, 0x64, 0x3d,
-	0x5d, 0xe9, 0x42, 0x7f, 0xcd, 0x95, 0xf5, 0xe3, 0x5d, 0x31, 0xd6, 0x03, 0xd4, 0xcf, 0x56, 0xd3,
-	0x21, 0x78, 0x81, 0x88, 0x30, 0x79, 0xe1, 0x71, 0xdf, 0x2f, 0x1a, 0x29, 0x0f, 0x51, 0xc1, 0x4f,
-	0x14, 0xdf, 0x46, 0x25, 0x59, 0xa4, 0x44, 0x88, 0x1b, 0xc0, 0xf9, 0x3e, 0x20, 0xf5, 0x02, 0x0c,
-	0x61, 0x9d, 0xb3, 0xdf, 0x89, 0xf9, 0xaf, 0x8d, 0x83, 0x5e, 0x3b, 0xeb, 0x3c, 0xa1, 0xa7, 0x5c,
-	0x1c, 0x0a, 0x7c, 0xb6, 0x1e, 0xcd, 0x6a, 0x91, 0xac, 0x0b, 0x0a, 0x6a, 0xe4, 0x80, 0x1c, 0xfd,
-	0x6e, 0x9d, 0xb2, 0xd5, 0x41, 0x2e, 0x17, 0xb0, 0xb8, 0xef, 0x17, 0x8d, 0x94, 0x15, 0xd3, 0x6c,
-	0xd8, 0x64, 0xb7, 0xda, 0x72, 0x83, 0x0a, 0x1c, 0x6b, 0x34, 0x6d, 0x18, 0xf9, 0xb4, 0x61, 0xae,
-	0x7a, 0xee, 0xd2, 0x6a, 0x79, 0x66, 0x25, 0x55, 0xa0, 0xb2, 0xb4, 0xf6, 0x4b, 0xfb, 0x2f, 0xd9,
-	0xfe, 0x8b, 0x62, 0x1b, 0x41, 0xdb, 0x5a, 0xe1, 0xfc, 0x29, 0x57, 0x55, 0xe6, 0xb5, 0x5b, 0xaa,
-	0x6d, 0x69, 0xfe, 0xdf, 0x82, 0x58, 0x77, 0x66, 0x35, 0x4b, 0x31, 0xb9, 0x8e, 0x7a, 0xb2, 0xfc,
-	0xc3, 0xc3, 0x9d, 0x09, 0xd8, 0x7d, 0x39, 0xed, 0xfc, 0x2d, 0x97, 0x55, 0x17, 0x1d, 0x77, 0x69,
-	0x72, 0xae, 0x46, 0x33, 0x6a, 0x8c, 0x67, 0xd4, 0x98, 0xcc, 0xa8, 0xf1, 0x9a, 0x53, 0x32, 0xca,
-	0x29, 0x19, 0xe7, 0x94, 0x4c, 0x72, 0x4a, 0x3e, 0x72, 0x4a, 0xde, 0x3e, 0xa9, 0xf1, 0x60, 0xef,
-	0x7f, 0xc7, 0x5f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x04, 0xfb, 0xb6, 0xfb, 0xec, 0x02, 0x00, 0x00,
-}
+func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} }
 
 func (m *SelfSubjectReview) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/authentication/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/authentication/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..d0e9c4e564dc9
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,26 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*SelfSubjectReview) ProtoMessage() {}
+
+func (*SelfSubjectReviewStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/authentication/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/authentication/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..fbf0de8eda4be
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReview) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1alpha1.SelfSubjectReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus"
+}
diff --git a/staging/src/k8s.io/api/authentication/v1beta1/doc.go b/staging/src/k8s.io/api/authentication/v1beta1/doc.go
index af63dc845bcdd..2acdbd02e8bc6 100644
--- a/staging/src/k8s.io/api/authentication/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/authentication/v1beta1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=authentication.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.authentication.v1beta1
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/authentication/v1beta1/generated.pb.go b/staging/src/k8s.io/api/authentication/v1beta1/generated.pb.go
index 4153926447836..7e337e0a19f8f 100644
--- a/staging/src/k8s.io/api/authentication/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/authentication/v1beta1/generated.pb.go
@@ -23,286 +23,26 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{0}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-func (m *SelfSubjectReview) Reset()      { *m = SelfSubjectReview{} }
-func (*SelfSubjectReview) ProtoMessage() {}
-func (*SelfSubjectReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{1}
-}
-func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReview.Merge(m, src)
-}
-func (m *SelfSubjectReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m)
-}
+func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} }
 
-var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo
+func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} }
 
-func (m *SelfSubjectReviewStatus) Reset()      { *m = SelfSubjectReviewStatus{} }
-func (*SelfSubjectReviewStatus) ProtoMessage() {}
-func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{2}
-}
-func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src)
-}
-func (m *SelfSubjectReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m)
-}
+func (m *TokenReview) Reset() { *m = TokenReview{} }
 
-var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo
+func (m *TokenReviewSpec) Reset() { *m = TokenReviewSpec{} }
 
-func (m *TokenReview) Reset()      { *m = TokenReview{} }
-func (*TokenReview) ProtoMessage() {}
-func (*TokenReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{3}
-}
-func (m *TokenReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReview.Merge(m, src)
-}
-func (m *TokenReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReview.DiscardUnknown(m)
-}
+func (m *TokenReviewStatus) Reset() { *m = TokenReviewStatus{} }
 
-var xxx_messageInfo_TokenReview proto.InternalMessageInfo
-
-func (m *TokenReviewSpec) Reset()      { *m = TokenReviewSpec{} }
-func (*TokenReviewSpec) ProtoMessage() {}
-func (*TokenReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{4}
-}
-func (m *TokenReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReviewSpec.Merge(m, src)
-}
-func (m *TokenReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenReviewSpec proto.InternalMessageInfo
-
-func (m *TokenReviewStatus) Reset()      { *m = TokenReviewStatus{} }
-func (*TokenReviewStatus) ProtoMessage() {}
-func (*TokenReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{5}
-}
-func (m *TokenReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenReviewStatus.Merge(m, src)
-}
-func (m *TokenReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TokenReviewStatus proto.InternalMessageInfo
-
-func (m *UserInfo) Reset()      { *m = UserInfo{} }
-func (*UserInfo) ProtoMessage() {}
-func (*UserInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fdc2de40fd7f3b21, []int{6}
-}
-func (m *UserInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserInfo.Merge(m, src)
-}
-func (m *UserInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserInfo.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserInfo proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1beta1.ExtraValue")
-	proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1beta1.SelfSubjectReview")
-	proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1beta1.SelfSubjectReviewStatus")
-	proto.RegisterType((*TokenReview)(nil), "k8s.io.api.authentication.v1beta1.TokenReview")
-	proto.RegisterType((*TokenReviewSpec)(nil), "k8s.io.api.authentication.v1beta1.TokenReviewSpec")
-	proto.RegisterType((*TokenReviewStatus)(nil), "k8s.io.api.authentication.v1beta1.TokenReviewStatus")
-	proto.RegisterType((*UserInfo)(nil), "k8s.io.api.authentication.v1beta1.UserInfo")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.authentication.v1beta1.UserInfo.ExtraEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/authentication/v1beta1/generated.proto", fileDescriptor_fdc2de40fd7f3b21)
-}
-
-var fileDescriptor_fdc2de40fd7f3b21 = []byte{
-	// 711 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcf, 0x4e, 0xdb, 0x4e,
-	0x10, 0x8e, 0xf3, 0x07, 0x25, 0x9b, 0x5f, 0x7e, 0x85, 0x95, 0xaa, 0xa2, 0x48, 0x75, 0x20, 0x95,
-	0x2a, 0x24, 0x60, 0xdd, 0x20, 0x44, 0x11, 0x3d, 0xe1, 0x16, 0x21, 0x0e, 0xa8, 0xd2, 0x06, 0x7a,
-	0x68, 0x7b, 0xe8, 0xc6, 0x19, 0x1c, 0x37, 0xc4, 0xb6, 0xec, 0x75, 0x5a, 0x6e, 0x3c, 0x42, 0x8f,
-	0x3d, 0x56, 0xea, 0x93, 0xf4, 0xc6, 0x91, 0x23, 0x95, 0xaa, 0xa8, 0xb8, 0x4f, 0xd0, 0x37, 0xa8,
-	0x76, 0xbd, 0x38, 0x09, 0x94, 0x00, 0x97, 0xde, 0xbc, 0xdf, 0xce, 0xf7, 0xcd, 0xcc, 0x37, 0xa3,
-	0x35, 0x6a, 0x74, 0xd7, 0x43, 0xe2, 0x78, 0x06, 0xf3, 0x1d, 0x83, 0x45, 0xbc, 0x03, 0x2e, 0x77,
-	0x2c, 0xc6, 0x1d, 0xcf, 0x35, 0xfa, 0x8d, 0x16, 0x70, 0xd6, 0x30, 0x6c, 0x70, 0x21, 0x60, 0x1c,
-	0xda, 0xc4, 0x0f, 0x3c, 0xee, 0xe1, 0xf9, 0x84, 0x42, 0x98, 0xef, 0x90, 0x71, 0x0a, 0x51, 0x94,
-	0xea, 0xb2, 0xed, 0xf0, 0x4e, 0xd4, 0x22, 0x96, 0xd7, 0x33, 0x6c, 0xcf, 0xf6, 0x0c, 0xc9, 0x6c,
-	0x45, 0x07, 0xf2, 0x24, 0x0f, 0xf2, 0x2b, 0x51, 0xac, 0x2e, 0x4d, 0x2a, 0xe2, 0x72, 0xfe, 0xea,
-	0xea, 0x30, 0xba, 0xc7, 0xac, 0x8e, 0xe3, 0x42, 0x70, 0x64, 0xf8, 0x5d, 0x5b, 0x00, 0xa1, 0xd1,
-	0x03, 0xce, 0xfe, 0xc6, 0x32, 0xae, 0x63, 0x05, 0x91, 0xcb, 0x9d, 0x1e, 0x5c, 0x21, 0xac, 0xdd,
-	0x44, 0x08, 0xad, 0x0e, 0xf4, 0xd8, 0x65, 0x5e, 0xfd, 0x29, 0x42, 0x5b, 0x1f, 0x79, 0xc0, 0x5e,
-	0xb1, 0xc3, 0x08, 0x70, 0x0d, 0x15, 0x1c, 0x0e, 0xbd, 0x70, 0x56, 0x9b, 0xcb, 0x2d, 0x94, 0xcc,
-	0x52, 0x3c, 0xa8, 0x15, 0x76, 0x04, 0x40, 0x13, 0x7c, 0xa3, 0xf8, 0xf9, 0x4b, 0x2d, 0x73, 0xfc,
-	0x63, 0x2e, 0x53, 0xff, 0xae, 0xa1, 0x99, 0x26, 0x1c, 0x1e, 0x34, 0xa3, 0xd6, 0x7b, 0xb0, 0x38,
-	0x85, 0xbe, 0x03, 0x1f, 0xf0, 0x3b, 0x54, 0x14, 0x2d, 0xb5, 0x19, 0x67, 0xb3, 0xda, 0x9c, 0xb6,
-	0x50, 0x5e, 0x79, 0x42, 0x86, 0x03, 0x48, 0x2b, 0x23, 0x7e, 0xd7, 0x16, 0x40, 0x48, 0x44, 0x34,
-	0xe9, 0x37, 0xc8, 0x4b, 0xa9, 0xb2, 0x0b, 0x9c, 0x99, 0xf8, 0x64, 0x50, 0xcb, 0xc4, 0x83, 0x1a,
-	0x1a, 0x62, 0x34, 0x55, 0xc5, 0x2d, 0x34, 0x15, 0x72, 0xc6, 0xa3, 0x70, 0x36, 0x2b, 0xf5, 0x37,
-	0xc8, 0x8d, 0x03, 0x26, 0x57, 0xea, 0x6c, 0x4a, 0x05, 0xf3, 0x7f, 0x95, 0x69, 0x2a, 0x39, 0x53,
-	0xa5, 0x5c, 0xf7, 0xd0, 0x83, 0x6b, 0x28, 0x78, 0x0f, 0x15, 0xa3, 0x10, 0x82, 0x1d, 0xf7, 0xc0,
-	0x53, 0x0d, 0x3e, 0x9e, 0x58, 0x00, 0xd9, 0x57, 0xd1, 0xe6, 0xb4, 0x4a, 0x56, 0xbc, 0x40, 0x68,
-	0xaa, 0x54, 0xff, 0x9a, 0x45, 0xe5, 0x3d, 0xaf, 0x0b, 0xee, 0x3f, 0xb3, 0x71, 0x0f, 0xe5, 0x43,
-	0x1f, 0x2c, 0x65, 0xe2, 0xca, 0x2d, 0x4c, 0x1c, 0xa9, 0xaf, 0xe9, 0x83, 0x65, 0xfe, 0xa7, 0xf4,
-	0xf3, 0xe2, 0x44, 0xa5, 0x1a, 0x7e, 0x9b, 0x0e, 0x27, 0x27, 0x75, 0x57, 0xef, 0xa8, 0x3b, 0x79,
-	0x2c, 0x16, 0xba, 0x77, 0xa9, 0x08, 0xfc, 0x08, 0x15, 0xb8, 0x80, 0xa4, 0x4b, 0x25, 0xb3, 0xa2,
-	0x98, 0x85, 0x24, 0x2e, 0xb9, 0xc3, 0x8b, 0xa8, 0xc4, 0xa2, 0xb6, 0x03, 0xae, 0x05, 0x62, 0x6b,
-	0xc4, 0x66, 0x57, 0xe2, 0x41, 0xad, 0xb4, 0x79, 0x01, 0xd2, 0xe1, 0x7d, 0xfd, 0xb7, 0x86, 0x66,
-	0xae, 0x94, 0x84, 0x9f, 0xa1, 0xca, 0x48, 0xf9, 0xd0, 0x96, 0xf9, 0x8a, 0xe6, 0x7d, 0x95, 0xaf,
-	0xb2, 0x39, 0x7a, 0x49, 0xc7, 0x63, 0xf1, 0x2e, 0xca, 0x8b, 0x49, 0x2b, 0xaf, 0x17, 0x6f, 0xe1,
-	0x49, 0xba, 0x34, 0xa9, 0xc9, 0x02, 0xa1, 0x52, 0x66, 0xbc, 0x9d, 0xfc, 0xe4, 0x76, 0x84, 0x41,
-	0x10, 0x04, 0x5e, 0x20, 0x07, 0x32, 0x62, 0xd0, 0x96, 0x00, 0x69, 0x72, 0x57, 0xff, 0x96, 0x45,
-	0xe9, 0x56, 0xe2, 0xa5, 0x64, 0xc3, 0x5d, 0xd6, 0x03, 0xe5, 0xea, 0xd8, 0xe6, 0x0a, 0x9c, 0xa6,
-	0x11, 0xf8, 0x21, 0xca, 0x45, 0x4e, 0x5b, 0xb6, 0x56, 0x32, 0xcb, 0x2a, 0x30, 0xb7, 0xbf, 0xf3,
-	0x82, 0x0a, 0x1c, 0xd7, 0xd1, 0x94, 0x1d, 0x78, 0x91, 0x2f, 0x16, 0x42, 0x14, 0x8a, 0xc4, 0x58,
-	0xb7, 0x25, 0x42, 0xd5, 0x0d, 0x7e, 0x83, 0x0a, 0x20, 0x9e, 0x20, 0xd9, 0x4b, 0x79, 0x65, 0xed,
-	0x0e, 0xfe, 0x10, 0xf9, 0x76, 0x6d, 0xb9, 0x3c, 0x38, 0x1a, 0x69, 0x4d, 0x60, 0x34, 0xd1, 0xac,
-	0xda, 0xea, 0x7d, 0x93, 0x31, 0x78, 0x1a, 0xe5, 0xba, 0x70, 0x94, 0xb4, 0x45, 0xc5, 0x27, 0x7e,
-	0x8e, 0x0a, 0x7d, 0xf1, 0xf4, 0xa9, 0xe1, 0x2c, 0xdf, 0x22, 0xf9, 0xf0, 0xbd, 0xa4, 0x09, 0x77,
-	0x23, 0xbb, 0xae, 0x99, 0xdb, 0x27, 0xe7, 0x7a, 0xe6, 0xf4, 0x5c, 0xcf, 0x9c, 0x9d, 0xeb, 0x99,
-	0xe3, 0x58, 0xd7, 0x4e, 0x62, 0x5d, 0x3b, 0x8d, 0x75, 0xed, 0x2c, 0xd6, 0xb5, 0x9f, 0xb1, 0xae,
-	0x7d, 0xfa, 0xa5, 0x67, 0x5e, 0xcf, 0xdf, 0xf8, 0x03, 0xfb, 0x13, 0x00, 0x00, 0xff, 0xff, 0x45,
-	0x72, 0x2b, 0xf2, 0xe4, 0x06, 0x00, 0x00,
-}
+func (m *UserInfo) Reset() { *m = UserInfo{} }
 
 func (m ExtraValue) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -582,7 +322,7 @@ func (m *UserInfo) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -829,7 +569,7 @@ func (this *UserInfo) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/staging/src/k8s.io/api/authentication/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/authentication/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a55034da99046
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,36 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*SelfSubjectReview) ProtoMessage() {}
+
+func (*SelfSubjectReviewStatus) ProtoMessage() {}
+
+func (*TokenReview) ProtoMessage() {}
+
+func (*TokenReviewSpec) ProtoMessage() {}
+
+func (*TokenReviewStatus) ProtoMessage() {}
+
+func (*UserInfo) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/authentication/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/authentication/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..f464c3f2f2b0b
--- /dev/null
+++ b/staging/src/k8s.io/api/authentication/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReview) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.SelfSubjectReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.SelfSubjectReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReview) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.TokenReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.TokenReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.TokenReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserInfo) OpenAPIModelName() string {
+	return "io.k8s.api.authentication.v1beta1.UserInfo"
+}
diff --git a/staging/src/k8s.io/api/authorization/v1/doc.go b/staging/src/k8s.io/api/authorization/v1/doc.go
index 40bf8006e06ca..0a0cbf91becf3 100644
--- a/staging/src/k8s.io/api/authorization/v1/doc.go
+++ b/staging/src/k8s.io/api/authorization/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.authorization.v1
+
 // +groupName=authorization.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/authorization/v1/generated.pb.go b/staging/src/k8s.io/api/authorization/v1/generated.pb.go
index aed9a3a476169..f389c4c05f243 100644
--- a/staging/src/k8s.io/api/authorization/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/authorization/v1/generated.pb.go
@@ -23,581 +23,46 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FieldSelectorAttributes) Reset() { *m = FieldSelectorAttributes{} }
 
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{0}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
-
-func (m *FieldSelectorAttributes) Reset()      { *m = FieldSelectorAttributes{} }
-func (*FieldSelectorAttributes) ProtoMessage() {}
-func (*FieldSelectorAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{1}
-}
-func (m *FieldSelectorAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FieldSelectorAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FieldSelectorAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FieldSelectorAttributes.Merge(m, src)
-}
-func (m *FieldSelectorAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *FieldSelectorAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_FieldSelectorAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FieldSelectorAttributes proto.InternalMessageInfo
-
-func (m *LabelSelectorAttributes) Reset()      { *m = LabelSelectorAttributes{} }
-func (*LabelSelectorAttributes) ProtoMessage() {}
-func (*LabelSelectorAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{2}
-}
-func (m *LabelSelectorAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LabelSelectorAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LabelSelectorAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LabelSelectorAttributes.Merge(m, src)
-}
-func (m *LabelSelectorAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *LabelSelectorAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_LabelSelectorAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LabelSelectorAttributes proto.InternalMessageInfo
-
-func (m *LocalSubjectAccessReview) Reset()      { *m = LocalSubjectAccessReview{} }
-func (*LocalSubjectAccessReview) ProtoMessage() {}
-func (*LocalSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{3}
-}
-func (m *LocalSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalSubjectAccessReview.Merge(m, src)
-}
-func (m *LocalSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalSubjectAccessReview proto.InternalMessageInfo
-
-func (m *NonResourceAttributes) Reset()      { *m = NonResourceAttributes{} }
-func (*NonResourceAttributes) ProtoMessage() {}
-func (*NonResourceAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{4}
-}
-func (m *NonResourceAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourceAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourceAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourceAttributes.Merge(m, src)
-}
-func (m *NonResourceAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourceAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourceAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourceAttributes proto.InternalMessageInfo
-
-func (m *NonResourceRule) Reset()      { *m = NonResourceRule{} }
-func (*NonResourceRule) ProtoMessage() {}
-func (*NonResourceRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{5}
-}
-func (m *NonResourceRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourceRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourceRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourceRule.Merge(m, src)
-}
-func (m *NonResourceRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourceRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourceRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourceRule proto.InternalMessageInfo
-
-func (m *ResourceAttributes) Reset()      { *m = ResourceAttributes{} }
-func (*ResourceAttributes) ProtoMessage() {}
-func (*ResourceAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{6}
-}
-func (m *ResourceAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceAttributes.Merge(m, src)
-}
-func (m *ResourceAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceAttributes proto.InternalMessageInfo
-
-func (m *ResourceRule) Reset()      { *m = ResourceRule{} }
-func (*ResourceRule) ProtoMessage() {}
-func (*ResourceRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{7}
-}
-func (m *ResourceRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceRule.Merge(m, src)
-}
-func (m *ResourceRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceRule proto.InternalMessageInfo
-
-func (m *SelfSubjectAccessReview) Reset()      { *m = SelfSubjectAccessReview{} }
-func (*SelfSubjectAccessReview) ProtoMessage() {}
-func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{8}
-}
-func (m *SelfSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectAccessReview.Merge(m, src)
-}
-func (m *SelfSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectAccessReview proto.InternalMessageInfo
-
-func (m *SelfSubjectAccessReviewSpec) Reset()      { *m = SelfSubjectAccessReviewSpec{} }
-func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
-func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{9}
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectAccessReviewSpec.Merge(m, src)
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectAccessReviewSpec.DiscardUnknown(m)
-}
+func (m *LabelSelectorAttributes) Reset() { *m = LabelSelectorAttributes{} }
 
-var xxx_messageInfo_SelfSubjectAccessReviewSpec proto.InternalMessageInfo
-
-func (m *SelfSubjectRulesReview) Reset()      { *m = SelfSubjectRulesReview{} }
-func (*SelfSubjectRulesReview) ProtoMessage() {}
-func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{10}
-}
-func (m *SelfSubjectRulesReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReview.Merge(m, src)
-}
-func (m *SelfSubjectRulesReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectRulesReview proto.InternalMessageInfo
-
-func (m *SelfSubjectRulesReviewSpec) Reset()      { *m = SelfSubjectRulesReviewSpec{} }
-func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
-func (*SelfSubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{11}
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.Merge(m, src)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.DiscardUnknown(m)
-}
+func (m *LocalSubjectAccessReview) Reset() { *m = LocalSubjectAccessReview{} }
 
-var xxx_messageInfo_SelfSubjectRulesReviewSpec proto.InternalMessageInfo
+func (m *NonResourceAttributes) Reset() { *m = NonResourceAttributes{} }
 
-func (m *SubjectAccessReview) Reset()      { *m = SubjectAccessReview{} }
-func (*SubjectAccessReview) ProtoMessage() {}
-func (*SubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{12}
-}
-func (m *SubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReview.Merge(m, src)
-}
-func (m *SubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReview.DiscardUnknown(m)
-}
+func (m *NonResourceRule) Reset() { *m = NonResourceRule{} }
 
-var xxx_messageInfo_SubjectAccessReview proto.InternalMessageInfo
+func (m *ResourceAttributes) Reset() { *m = ResourceAttributes{} }
 
-func (m *SubjectAccessReviewSpec) Reset()      { *m = SubjectAccessReviewSpec{} }
-func (*SubjectAccessReviewSpec) ProtoMessage() {}
-func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{13}
-}
-func (m *SubjectAccessReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReviewSpec.Merge(m, src)
-}
-func (m *SubjectAccessReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReviewSpec.DiscardUnknown(m)
-}
+func (m *ResourceRule) Reset() { *m = ResourceRule{} }
 
-var xxx_messageInfo_SubjectAccessReviewSpec proto.InternalMessageInfo
+func (m *SelfSubjectAccessReview) Reset() { *m = SelfSubjectAccessReview{} }
 
-func (m *SubjectAccessReviewStatus) Reset()      { *m = SubjectAccessReviewStatus{} }
-func (*SubjectAccessReviewStatus) ProtoMessage() {}
-func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{14}
-}
-func (m *SubjectAccessReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReviewStatus.Merge(m, src)
-}
-func (m *SubjectAccessReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReviewStatus.DiscardUnknown(m)
-}
+func (m *SelfSubjectAccessReviewSpec) Reset() { *m = SelfSubjectAccessReviewSpec{} }
 
-var xxx_messageInfo_SubjectAccessReviewStatus proto.InternalMessageInfo
+func (m *SelfSubjectRulesReview) Reset() { *m = SelfSubjectRulesReview{} }
 
-func (m *SubjectRulesReviewStatus) Reset()      { *m = SubjectRulesReviewStatus{} }
-func (*SubjectRulesReviewStatus) ProtoMessage() {}
-func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_aafd0e5e70cec678, []int{15}
-}
-func (m *SubjectRulesReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectRulesReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectRulesReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectRulesReviewStatus.Merge(m, src)
-}
-func (m *SubjectRulesReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectRulesReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectRulesReviewStatus.DiscardUnknown(m)
-}
+func (m *SelfSubjectRulesReviewSpec) Reset() { *m = SelfSubjectRulesReviewSpec{} }
 
-var xxx_messageInfo_SubjectRulesReviewStatus proto.InternalMessageInfo
+func (m *SubjectAccessReview) Reset() { *m = SubjectAccessReview{} }
 
-func init() {
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1.ExtraValue")
-	proto.RegisterType((*FieldSelectorAttributes)(nil), "k8s.io.api.authorization.v1.FieldSelectorAttributes")
-	proto.RegisterType((*LabelSelectorAttributes)(nil), "k8s.io.api.authorization.v1.LabelSelectorAttributes")
-	proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.LocalSubjectAccessReview")
-	proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1.NonResourceAttributes")
-	proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1.NonResourceRule")
-	proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1.ResourceAttributes")
-	proto.RegisterType((*ResourceRule)(nil), "k8s.io.api.authorization.v1.ResourceRule")
-	proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReview")
-	proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReviewSpec")
-	proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReview")
-	proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReviewSpec")
-	proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SubjectAccessReview")
-	proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewSpec")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewSpec.ExtraEntry")
-	proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewStatus")
-	proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectRulesReviewStatus")
-}
+func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} }
 
-func init() {
-	proto.RegisterFile("k8s.io/api/authorization/v1/generated.proto", fileDescriptor_aafd0e5e70cec678)
-}
+func (m *SubjectAccessReviewStatus) Reset() { *m = SubjectAccessReviewStatus{} }
 
-var fileDescriptor_aafd0e5e70cec678 = []byte{
-	// 1247 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x6f, 0x1b, 0xc5,
-	0x17, 0xf7, 0xfa, 0x47, 0x62, 0x8f, 0xe3, 0x6f, 0xd2, 0xc9, 0x37, 0xcd, 0x36, 0x11, 0x76, 0x64,
-	0x24, 0x48, 0xd5, 0xb2, 0x26, 0x51, 0xdb, 0x44, 0x95, 0x0a, 0xf2, 0xaa, 0x01, 0x45, 0x4a, 0x4b,
-	0x35, 0x51, 0x22, 0x51, 0x04, 0x62, 0xbc, 0x9e, 0xd8, 0x4b, 0xec, 0xdd, 0xed, 0xcc, 0xac, 0xd3,
-	0x70, 0xaa, 0xc4, 0x3f, 0xc0, 0x91, 0x43, 0x0f, 0xfc, 0x07, 0x5c, 0x90, 0xb8, 0x73, 0x40, 0x11,
-	0xa7, 0x1e, 0x8b, 0x84, 0x2c, 0x62, 0xce, 0xfc, 0x0f, 0x68, 0x66, 0xc7, 0xde, 0xdd, 0xc4, 0x76,
-	0x6d, 0x0e, 0x94, 0x43, 0x6f, 0x9e, 0xf7, 0x79, 0xbf, 0xe7, 0xbd, 0xb7, 0x6f, 0x0c, 0x6e, 0x1c,
-	0x6f, 0x33, 0xc3, 0x76, 0x2b, 0xd8, 0xb3, 0x2b, 0xd8, 0xe7, 0x4d, 0x97, 0xda, 0x5f, 0x63, 0x6e,
-	0xbb, 0x4e, 0xa5, 0xb3, 0x51, 0x69, 0x10, 0x87, 0x50, 0xcc, 0x49, 0xdd, 0xf0, 0xa8, 0xcb, 0x5d,
-	0xb8, 0x1a, 0x30, 0x1b, 0xd8, 0xb3, 0x8d, 0x18, 0xb3, 0xd1, 0xd9, 0x58, 0x79, 0xaf, 0x61, 0xf3,
-	0xa6, 0x5f, 0x33, 0x2c, 0xb7, 0x5d, 0x69, 0xb8, 0x0d, 0xb7, 0x22, 0x65, 0x6a, 0xfe, 0x91, 0x3c,
-	0xc9, 0x83, 0xfc, 0x15, 0xe8, 0x5a, 0xb9, 0x15, 0x1a, 0x6e, 0x63, 0xab, 0x69, 0x3b, 0x84, 0x9e,
-	0x56, 0xbc, 0xe3, 0x86, 0x20, 0xb0, 0x4a, 0x9b, 0x70, 0x3c, 0xc4, 0x83, 0x95, 0xca, 0x28, 0x29,
-	0xea, 0x3b, 0xdc, 0x6e, 0x93, 0x4b, 0x02, 0x77, 0x5e, 0x25, 0xc0, 0xac, 0x26, 0x69, 0xe3, 0x8b,
-	0x72, 0xe5, 0x2d, 0x00, 0x76, 0x9e, 0x72, 0x8a, 0x0f, 0x71, 0xcb, 0x27, 0xb0, 0x04, 0x32, 0x36,
-	0x27, 0x6d, 0xa6, 0x6b, 0x6b, 0xa9, 0xf5, 0x9c, 0x99, 0xeb, 0x75, 0x4b, 0x99, 0x5d, 0x41, 0x40,
-	0x01, 0xfd, 0x6e, 0xf6, 0xbb, 0xef, 0x4b, 0x89, 0x67, 0xbf, 0xaf, 0x25, 0xca, 0xbf, 0x6a, 0x60,
-	0xf9, 0x23, 0x9b, 0xb4, 0xea, 0xfb, 0xa4, 0x45, 0x2c, 0xee, 0xd2, 0x2a, 0xe7, 0xd4, 0xae, 0xf9,
-	0x9c, 0x30, 0x78, 0x1b, 0xe4, 0x29, 0x3e, 0xe9, 0x03, 0xba, 0xb6, 0xa6, 0xad, 0xe7, 0xcc, 0xc5,
-	0xb3, 0x6e, 0x29, 0xd1, 0xeb, 0x96, 0xf2, 0x28, 0x84, 0x50, 0x94, 0x0f, 0x3e, 0x05, 0x73, 0x94,
-	0x3c, 0xf1, 0x6d, 0x4a, 0xda, 0xc4, 0xe1, 0x4c, 0x4f, 0xae, 0xa5, 0xd6, 0xf3, 0x9b, 0x1f, 0x18,
-	0xe1, 0x6d, 0x0c, 0x42, 0x33, 0xbc, 0xe3, 0x86, 0x20, 0x30, 0x43, 0x64, 0xd0, 0xe8, 0x6c, 0x18,
-	0x31, 0x5f, 0x50, 0xa8, 0xc6, 0xfc, 0xbf, 0xb2, 0x3b, 0x17, 0x21, 0x32, 0x14, 0xb3, 0x24, 0x83,
-	0xd9, 0xc3, 0x35, 0xd2, 0xfa, 0x8f, 0x04, 0x13, 0xf3, 0x65, 0xda, 0x60, 0x7e, 0x4c, 0x02, 0x7d,
-	0xcf, 0xb5, 0x70, 0x6b, 0xdf, 0xaf, 0x7d, 0x45, 0x2c, 0x5e, 0xb5, 0x2c, 0xc2, 0x18, 0x22, 0x1d,
-	0x9b, 0x9c, 0xc0, 0x2f, 0x41, 0x56, 0x18, 0xa9, 0x63, 0x8e, 0x65, 0x28, 0xf9, 0xcd, 0xf7, 0x27,
-	0x73, 0xe9, 0x13, 0xa9, 0xeb, 0x01, 0xe1, 0xd8, 0x84, 0xca, 0x09, 0x10, 0xd2, 0xd0, 0x40, 0x2b,
-	0x3c, 0x04, 0x69, 0xe6, 0x11, 0x4b, 0x4f, 0x4a, 0xed, 0xb7, 0x8c, 0x31, 0xbd, 0x64, 0x0c, 0xf1,
-	0x70, 0xdf, 0x23, 0x96, 0x39, 0xa7, 0x2c, 0xa4, 0xc5, 0x09, 0x49, 0x7d, 0xf0, 0x0b, 0x30, 0xc3,
-	0x38, 0xe6, 0x3e, 0xd3, 0x53, 0x52, 0xf3, 0x9d, 0xa9, 0x35, 0x4b, 0x69, 0xf3, 0x7f, 0x4a, 0xf7,
-	0x4c, 0x70, 0x46, 0x4a, 0x6b, 0xf9, 0x33, 0xb0, 0xf4, 0xd0, 0x75, 0x10, 0x61, 0xae, 0x4f, 0x2d,
-	0x12, 0x29, 0x80, 0x35, 0x90, 0xf6, 0x30, 0x6f, 0xaa, 0x9b, 0x1f, 0xb8, 0xf6, 0x08, 0xf3, 0x26,
-	0x92, 0x88, 0xe0, 0xe8, 0x10, 0x5a, 0x93, 0x21, 0x47, 0x38, 0x0e, 0x09, 0xad, 0x21, 0x89, 0x94,
-	0x9f, 0x80, 0xf9, 0x88, 0x72, 0xe4, 0xb7, 0x64, 0xaf, 0x09, 0x28, 0xd6, 0x6b, 0x42, 0x82, 0xa1,
-	0x80, 0x0e, 0xef, 0x81, 0x79, 0x27, 0x94, 0x39, 0x40, 0x7b, 0x41, 0x11, 0xe5, 0xcc, 0xc5, 0x5e,
-	0xb7, 0x14, 0x55, 0x27, 0x20, 0x74, 0x91, 0xb7, 0xfc, 0x3c, 0x0d, 0xe0, 0x90, 0x68, 0x2a, 0x20,
-	0xe7, 0xe0, 0x36, 0x61, 0x1e, 0xb6, 0x88, 0x0a, 0xe9, 0x8a, 0x72, 0x38, 0xf7, 0xb0, 0x0f, 0xa0,
-	0x90, 0xe7, 0xd5, 0xc1, 0xc1, 0xb7, 0x41, 0xa6, 0x41, 0x5d, 0xdf, 0x93, 0x17, 0x93, 0x33, 0x0b,
-	0x8a, 0x25, 0xf3, 0xb1, 0x20, 0xa2, 0x00, 0x83, 0xd7, 0xc1, 0x6c, 0x87, 0x50, 0x66, 0xbb, 0x8e,
-	0x9e, 0x96, 0x6c, 0xf3, 0x8a, 0x6d, 0xf6, 0x30, 0x20, 0xa3, 0x3e, 0x0e, 0x6f, 0x82, 0x2c, 0x55,
-	0x8e, 0xeb, 0x19, 0xc9, 0xbb, 0xa0, 0x78, 0xb3, 0x83, 0x0c, 0x0e, 0x38, 0x44, 0x7f, 0x32, 0xbf,
-	0x36, 0x10, 0x98, 0x89, 0xf7, 0xe7, 0x7e, 0x08, 0xa1, 0x28, 0x9f, 0x08, 0x4b, 0xc4, 0xa8, 0xcf,
-	0xc6, 0xc3, 0x12, 0x29, 0x40, 0x12, 0x81, 0x6d, 0x50, 0x38, 0x8a, 0x0e, 0x15, 0x3d, 0x3b, 0x41,
-	0x45, 0x8f, 0x18, 0x89, 0xe6, 0x95, 0x5e, 0xb7, 0x54, 0x88, 0xcf, 0xa8, 0xb8, 0x76, 0x61, 0xae,
-	0x15, 0x6d, 0x7b, 0x3d, 0x37, 0x81, 0xb9, 0x11, 0x43, 0x2b, 0x30, 0x17, 0x9f, 0x22, 0x71, 0xed,
-	0xe5, 0x9f, 0x35, 0x30, 0x37, 0x5d, 0x3d, 0xde, 0x00, 0x39, 0xec, 0xd9, 0xf2, 0x52, 0xfb, 0x95,
-	0x58, 0x10, 0x55, 0x53, 0x7d, 0xb4, 0x1b, 0x10, 0x51, 0x88, 0x0b, 0xe6, 0x7e, 0xaa, 0x45, 0xc3,
-	0x0e, 0x98, 0xfb, 0x26, 0x19, 0x0a, 0x71, 0xb8, 0x05, 0x0a, 0xfd, 0x83, 0x2c, 0x41, 0x3d, 0x2d,
-	0x05, 0x64, 0x10, 0x28, 0x0a, 0xa0, 0x38, 0x5f, 0xf9, 0xa7, 0x24, 0x58, 0xde, 0x27, 0xad, 0xa3,
-	0xd7, 0x33, 0xe9, 0x1e, 0xc7, 0x26, 0xdd, 0xf6, 0xf8, 0x79, 0x34, 0xdc, 0xcb, 0xd7, 0x36, 0xed,
-	0x9e, 0x27, 0xc1, 0xea, 0x18, 0x9f, 0xe0, 0x09, 0x80, 0xf4, 0xd2, 0xf0, 0x50, 0x79, 0xac, 0x8c,
-	0xf5, 0xe5, 0xf2, 0xcc, 0x31, 0xaf, 0xf6, 0xba, 0xa5, 0x21, 0xb3, 0x08, 0x0d, 0x31, 0x01, 0xbf,
-	0xd1, 0xc0, 0x92, 0x33, 0x6c, 0x0e, 0xab, 0x34, 0x6f, 0x8e, 0x35, 0x3e, 0x74, 0x82, 0x9b, 0xd7,
-	0x7a, 0xdd, 0xd2, 0xf0, 0xe1, 0x8e, 0x86, 0xdb, 0x12, 0xdf, 0xd0, 0xab, 0x91, 0xf4, 0x88, 0x06,
-	0xf9, 0xf7, 0xea, 0xea, 0xd3, 0x58, 0x5d, 0x6d, 0x4d, 0x5a, 0x57, 0x11, 0x27, 0x47, 0x96, 0xd5,
-	0xe7, 0x17, 0xca, 0xea, 0xf6, 0x24, 0x65, 0x15, 0x55, 0x3c, 0xbe, 0xaa, 0x1e, 0x80, 0x95, 0xd1,
-	0x0e, 0x4d, 0xfd, 0xe9, 0x29, 0xff, 0x90, 0x04, 0x8b, 0x6f, 0x96, 0x98, 0x69, 0xda, 0xfa, 0x97,
-	0x34, 0x58, 0x7e, 0xd3, 0xd2, 0xa3, 0xd6, 0x38, 0x9f, 0x11, 0xaa, 0x96, 0x94, 0xc1, 0xe5, 0x1c,
-	0x30, 0x42, 0x91, 0x44, 0x60, 0x19, 0xcc, 0x34, 0x82, 0xaf, 0x5b, 0xf0, 0xfd, 0x01, 0x22, 0xc1,
-	0xea, 0xd3, 0xa6, 0x10, 0x58, 0x07, 0x19, 0x22, 0xde, 0x4b, 0x7a, 0x46, 0xee, 0xf3, 0x1f, 0xfe,
-	0x93, 0xca, 0x30, 0xe4, 0x8b, 0x6b, 0xc7, 0xe1, 0xf4, 0x34, 0x5c, 0x96, 0x24, 0x0d, 0x05, 0xca,
-	0xe1, 0x5b, 0x20, 0xe5, 0xdb, 0x75, 0xb5, 0xcb, 0xe4, 0x15, 0x4b, 0xea, 0x60, 0xf7, 0x3e, 0x12,
-	0xf4, 0x15, 0xac, 0x1e, 0x6d, 0x52, 0x05, 0x5c, 0x00, 0xa9, 0x63, 0x72, 0x1a, 0x34, 0x14, 0x12,
-	0x3f, 0xe1, 0x3d, 0x90, 0xe9, 0x88, 0xf7, 0x9c, 0xca, 0xef, 0xbb, 0x63, 0x9d, 0x0c, 0x9f, 0x7f,
-	0x28, 0x90, 0xba, 0x9b, 0xdc, 0xd6, 0xca, 0xbf, 0x69, 0xe0, 0xda, 0xc8, 0xf2, 0x13, 0xcb, 0x1c,
-	0x6e, 0xb5, 0xdc, 0x13, 0x52, 0x97, 0x66, 0xb3, 0xe1, 0x32, 0x57, 0x0d, 0xc8, 0xa8, 0x8f, 0xc3,
-	0x77, 0xc0, 0x4c, 0x9d, 0x38, 0x36, 0xa9, 0xcb, 0xb5, 0x2f, 0x1b, 0x56, 0xee, 0x7d, 0x49, 0x45,
-	0x0a, 0x15, 0x7c, 0x94, 0x60, 0xe6, 0x3a, 0x6a, 0xd1, 0x1c, 0xf0, 0x21, 0x49, 0x45, 0x0a, 0x85,
-	0x55, 0x30, 0x4f, 0x84, 0x9b, 0xd2, 0xff, 0x1d, 0x4a, 0xdd, 0xfe, 0x8d, 0x2e, 0x2b, 0x81, 0xf9,
-	0x9d, 0x38, 0x8c, 0x2e, 0xf2, 0x97, 0xff, 0x4a, 0x02, 0x7d, 0xd4, 0x68, 0x83, 0x47, 0xe1, 0x2e,
-	0x22, 0x41, 0xb9, 0x0e, 0xe5, 0x37, 0xaf, 0x4f, 0xd4, 0x20, 0x42, 0xc2, 0x5c, 0x52, 0x8e, 0x14,
-	0xa2, 0xd4, 0xc8, 0xea, 0x22, 0x8f, 0x90, 0x82, 0x05, 0x27, 0xfe, 0x22, 0xe8, 0xbf, 0x11, 0x6f,
-	0x4e, 0xda, 0x0e, 0xd2, 0x9a, 0xae, 0xac, 0x2d, 0x5c, 0x00, 0x18, 0xba, 0xa4, 0x1f, 0x6e, 0x02,
-	0x60, 0x3b, 0x96, 0xdb, 0xf6, 0x5a, 0x84, 0x13, 0x99, 0xb6, 0x6c, 0x38, 0x07, 0x77, 0x07, 0x08,
-	0x8a, 0x70, 0x0d, 0xcb, 0x77, 0x7a, 0xba, 0x7c, 0x9b, 0xd5, 0xb3, 0xf3, 0x62, 0xe2, 0xc5, 0x79,
-	0x31, 0xf1, 0xf2, 0xbc, 0x98, 0x78, 0xd6, 0x2b, 0x6a, 0x67, 0xbd, 0xa2, 0xf6, 0xa2, 0x57, 0xd4,
-	0x5e, 0xf6, 0x8a, 0xda, 0x1f, 0xbd, 0xa2, 0xf6, 0xed, 0x9f, 0xc5, 0xc4, 0xe3, 0xd5, 0x31, 0xff,
-	0xd0, 0xfc, 0x1d, 0x00, 0x00, 0xff, 0xff, 0xb5, 0x8c, 0x77, 0x0f, 0xbf, 0x11, 0x00, 0x00,
-}
+func (m *SubjectRulesReviewStatus) Reset() { *m = SubjectRulesReviewStatus{} }
 
 func (m ExtraValue) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1247,7 +712,7 @@ func (m *SubjectAccessReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -1914,7 +1379,7 @@ func (this *SubjectAccessReviewSpec) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/staging/src/k8s.io/api/authorization/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/authorization/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..dc1e1028c00c8
--- /dev/null
+++ b/staging/src/k8s.io/api/authorization/v1/generated.protomessage.pb.go
@@ -0,0 +1,54 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*FieldSelectorAttributes) ProtoMessage() {}
+
+func (*LabelSelectorAttributes) ProtoMessage() {}
+
+func (*LocalSubjectAccessReview) ProtoMessage() {}
+
+func (*NonResourceAttributes) ProtoMessage() {}
+
+func (*NonResourceRule) ProtoMessage() {}
+
+func (*ResourceAttributes) ProtoMessage() {}
+
+func (*ResourceRule) ProtoMessage() {}
+
+func (*SelfSubjectAccessReview) ProtoMessage() {}
+
+func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
+
+func (*SelfSubjectRulesReview) ProtoMessage() {}
+
+func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
+
+func (*SubjectAccessReview) ProtoMessage() {}
+
+func (*SubjectAccessReviewSpec) ProtoMessage() {}
+
+func (*SubjectAccessReviewStatus) ProtoMessage() {}
+
+func (*SubjectRulesReviewStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/authorization/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/authorization/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..43e3b62eb0872
--- /dev/null
+++ b/staging/src/k8s.io/api/authorization/v1/zz_generated.model_name.go
@@ -0,0 +1,97 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FieldSelectorAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.FieldSelectorAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LabelSelectorAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.LabelSelectorAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LocalSubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.LocalSubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourceAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.NonResourceAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourceRule) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.NonResourceRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.ResourceAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceRule) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.ResourceRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SelfSubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectAccessReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectRulesReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SelfSubjectRulesReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectRulesReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SubjectAccessReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SubjectAccessReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectRulesReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1.SubjectRulesReviewStatus"
+}
diff --git a/staging/src/k8s.io/api/authorization/v1beta1/doc.go b/staging/src/k8s.io/api/authorization/v1beta1/doc.go
index 9f7332d493c0e..8937d1c157a3a 100644
--- a/staging/src/k8s.io/api/authorization/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/authorization/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.authorization.v1beta1
 
 // +groupName=authorization.k8s.io
 
diff --git a/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go b/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go
index 5007d1b4963ca..9578cfec44e26 100644
--- a/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/authorization/v1beta1/generated.pb.go
@@ -23,520 +23,42 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v11 "k8s.io/api/authorization/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *LocalSubjectAccessReview) Reset() { *m = LocalSubjectAccessReview{} }
 
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{0}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
-
-func (m *LocalSubjectAccessReview) Reset()      { *m = LocalSubjectAccessReview{} }
-func (*LocalSubjectAccessReview) ProtoMessage() {}
-func (*LocalSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{1}
-}
-func (m *LocalSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalSubjectAccessReview.Merge(m, src)
-}
-func (m *LocalSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalSubjectAccessReview proto.InternalMessageInfo
-
-func (m *NonResourceAttributes) Reset()      { *m = NonResourceAttributes{} }
-func (*NonResourceAttributes) ProtoMessage() {}
-func (*NonResourceAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{2}
-}
-func (m *NonResourceAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourceAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourceAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourceAttributes.Merge(m, src)
-}
-func (m *NonResourceAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourceAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourceAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourceAttributes proto.InternalMessageInfo
-
-func (m *NonResourceRule) Reset()      { *m = NonResourceRule{} }
-func (*NonResourceRule) ProtoMessage() {}
-func (*NonResourceRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{3}
-}
-func (m *NonResourceRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourceRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourceRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourceRule.Merge(m, src)
-}
-func (m *NonResourceRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourceRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourceRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourceRule proto.InternalMessageInfo
-
-func (m *ResourceAttributes) Reset()      { *m = ResourceAttributes{} }
-func (*ResourceAttributes) ProtoMessage() {}
-func (*ResourceAttributes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{4}
-}
-func (m *ResourceAttributes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceAttributes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceAttributes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceAttributes.Merge(m, src)
-}
-func (m *ResourceAttributes) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceAttributes) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceAttributes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceAttributes proto.InternalMessageInfo
-
-func (m *ResourceRule) Reset()      { *m = ResourceRule{} }
-func (*ResourceRule) ProtoMessage() {}
-func (*ResourceRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{5}
-}
-func (m *ResourceRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceRule.Merge(m, src)
-}
-func (m *ResourceRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceRule proto.InternalMessageInfo
-
-func (m *SelfSubjectAccessReview) Reset()      { *m = SelfSubjectAccessReview{} }
-func (*SelfSubjectAccessReview) ProtoMessage() {}
-func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{6}
-}
-func (m *SelfSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectAccessReview.Merge(m, src)
-}
-func (m *SelfSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectAccessReview proto.InternalMessageInfo
+func (m *NonResourceAttributes) Reset() { *m = NonResourceAttributes{} }
 
-func (m *SelfSubjectAccessReviewSpec) Reset()      { *m = SelfSubjectAccessReviewSpec{} }
-func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
-func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{7}
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectAccessReviewSpec.Merge(m, src)
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectAccessReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectAccessReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectAccessReviewSpec proto.InternalMessageInfo
-
-func (m *SelfSubjectRulesReview) Reset()      { *m = SelfSubjectRulesReview{} }
-func (*SelfSubjectRulesReview) ProtoMessage() {}
-func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{8}
-}
-func (m *SelfSubjectRulesReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReview.Merge(m, src)
-}
-func (m *SelfSubjectRulesReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectRulesReview proto.InternalMessageInfo
-
-func (m *SelfSubjectRulesReviewSpec) Reset()      { *m = SelfSubjectRulesReviewSpec{} }
-func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
-func (*SelfSubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{9}
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.Merge(m, src)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SelfSubjectRulesReviewSpec proto.InternalMessageInfo
-
-func (m *SubjectAccessReview) Reset()      { *m = SubjectAccessReview{} }
-func (*SubjectAccessReview) ProtoMessage() {}
-func (*SubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{10}
-}
-func (m *SubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReview.Merge(m, src)
-}
-func (m *SubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReview.DiscardUnknown(m)
-}
+func (m *NonResourceRule) Reset() { *m = NonResourceRule{} }
 
-var xxx_messageInfo_SubjectAccessReview proto.InternalMessageInfo
+func (m *ResourceAttributes) Reset() { *m = ResourceAttributes{} }
 
-func (m *SubjectAccessReviewSpec) Reset()      { *m = SubjectAccessReviewSpec{} }
-func (*SubjectAccessReviewSpec) ProtoMessage() {}
-func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{11}
-}
-func (m *SubjectAccessReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReviewSpec.Merge(m, src)
-}
-func (m *SubjectAccessReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReviewSpec.DiscardUnknown(m)
-}
+func (m *ResourceRule) Reset() { *m = ResourceRule{} }
 
-var xxx_messageInfo_SubjectAccessReviewSpec proto.InternalMessageInfo
+func (m *SelfSubjectAccessReview) Reset() { *m = SelfSubjectAccessReview{} }
 
-func (m *SubjectAccessReviewStatus) Reset()      { *m = SubjectAccessReviewStatus{} }
-func (*SubjectAccessReviewStatus) ProtoMessage() {}
-func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{12}
-}
-func (m *SubjectAccessReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReviewStatus.Merge(m, src)
-}
-func (m *SubjectAccessReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReviewStatus.DiscardUnknown(m)
-}
+func (m *SelfSubjectAccessReviewSpec) Reset() { *m = SelfSubjectAccessReviewSpec{} }
 
-var xxx_messageInfo_SubjectAccessReviewStatus proto.InternalMessageInfo
+func (m *SelfSubjectRulesReview) Reset() { *m = SelfSubjectRulesReview{} }
 
-func (m *SubjectRulesReviewStatus) Reset()      { *m = SubjectRulesReviewStatus{} }
-func (*SubjectRulesReviewStatus) ProtoMessage() {}
-func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8eab727787743457, []int{13}
-}
-func (m *SubjectRulesReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectRulesReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectRulesReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectRulesReviewStatus.Merge(m, src)
-}
-func (m *SubjectRulesReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectRulesReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectRulesReviewStatus.DiscardUnknown(m)
-}
+func (m *SelfSubjectRulesReviewSpec) Reset() { *m = SelfSubjectRulesReviewSpec{} }
 
-var xxx_messageInfo_SubjectRulesReviewStatus proto.InternalMessageInfo
+func (m *SubjectAccessReview) Reset() { *m = SubjectAccessReview{} }
 
-func init() {
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1beta1.ExtraValue")
-	proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.LocalSubjectAccessReview")
-	proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.NonResourceAttributes")
-	proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1beta1.NonResourceRule")
-	proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.ResourceAttributes")
-	proto.RegisterType((*ResourceRule)(nil), "k8s.io.api.authorization.v1beta1.ResourceRule")
-	proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReview")
-	proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReviewSpec")
-	proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReview")
-	proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReviewSpec")
-	proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReview")
-	proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewSpec")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewSpec.ExtraEntry")
-	proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewStatus")
-	proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectRulesReviewStatus")
-}
+func (m *SubjectAccessReviewSpec) Reset() { *m = SubjectAccessReviewSpec{} }
 
-func init() {
-	proto.RegisterFile("k8s.io/api/authorization/v1beta1/generated.proto", fileDescriptor_8eab727787743457)
-}
+func (m *SubjectAccessReviewStatus) Reset() { *m = SubjectAccessReviewStatus{} }
 
-var fileDescriptor_8eab727787743457 = []byte{
-	// 1192 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0x4f, 0x6f, 0xe3, 0x44,
-	0x14, 0x8f, 0xf3, 0xa7, 0x4d, 0x26, 0x1b, 0xda, 0x9d, 0xaa, 0x5b, 0x6f, 0x11, 0x49, 0x14, 0x24,
-	0x54, 0xb4, 0x8b, 0xb3, 0xad, 0x0a, 0x5d, 0x0a, 0x7b, 0xa8, 0xd5, 0x2e, 0xaa, 0xd4, 0x5d, 0x56,
-	0x53, 0xb5, 0x07, 0x56, 0x02, 0x26, 0xce, 0x34, 0x31, 0x75, 0x6c, 0xe3, 0x19, 0xa7, 0x14, 0x71,
-	0xd8, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x70, 0xe2, 0x3b, 0x70, 0x41, 0x82, 0x53, 0x8f, 0x7b, 0x2c,
-	0x12, 0x8a, 0xa8, 0xf9, 0x10, 0x5c, 0xd1, 0x8c, 0x27, 0xb1, 0x9d, 0xba, 0x4d, 0xdb, 0x03, 0x7b,
-	0xd9, 0x5b, 0xe6, 0xfd, 0x7e, 0xef, 0xcf, 0xbc, 0x79, 0xf3, 0xfc, 0x26, 0xe0, 0xc1, 0xe1, 0x43,
-	0xaa, 0x99, 0x4e, 0x13, 0xbb, 0x66, 0x13, 0xfb, 0xac, 0xeb, 0x78, 0xe6, 0xb7, 0x98, 0x99, 0x8e,
-	0xdd, 0xec, 0x2f, 0xb7, 0x08, 0xc3, 0xcb, 0xcd, 0x0e, 0xb1, 0x89, 0x87, 0x19, 0x69, 0x6b, 0xae,
-	0xe7, 0x30, 0x07, 0xd6, 0x43, 0x0d, 0x0d, 0xbb, 0xa6, 0x96, 0xd0, 0xd0, 0xa4, 0xc6, 0xe2, 0x7b,
-	0x1d, 0x93, 0x75, 0xfd, 0x96, 0x66, 0x38, 0xbd, 0x66, 0xc7, 0xe9, 0x38, 0x4d, 0xa1, 0xd8, 0xf2,
-	0x0f, 0xc4, 0x4a, 0x2c, 0xc4, 0xaf, 0xd0, 0xe0, 0xe2, 0xbd, 0x4b, 0x42, 0x18, 0xf7, 0xbe, 0xb8,
-	0x1a, 0x91, 0x7b, 0xd8, 0xe8, 0x9a, 0x36, 0xf1, 0x8e, 0x9b, 0xee, 0x61, 0x87, 0x0b, 0x68, 0xb3,
-	0x47, 0x18, 0x4e, 0xd3, 0x6a, 0x5e, 0xa4, 0xe5, 0xf9, 0x36, 0x33, 0x7b, 0xe4, 0x9c, 0xc2, 0x07,
-	0x93, 0x14, 0xa8, 0xd1, 0x25, 0x3d, 0x3c, 0xae, 0xd7, 0x58, 0x03, 0x60, 0xeb, 0x1b, 0xe6, 0xe1,
-	0x7d, 0x6c, 0xf9, 0x04, 0xd6, 0x40, 0xc1, 0x64, 0xa4, 0x47, 0x55, 0xa5, 0x9e, 0x5b, 0x2a, 0xe9,
-	0xa5, 0x60, 0x50, 0x2b, 0x6c, 0x73, 0x01, 0x0a, 0xe5, 0xeb, 0xc5, 0x1f, 0x7f, 0xae, 0x65, 0x5e,
-	0xfc, 0x55, 0xcf, 0x34, 0x7e, 0xcb, 0x02, 0x75, 0xc7, 0x31, 0xb0, 0xb5, 0xeb, 0xb7, 0xbe, 0x22,
-	0x06, 0xdb, 0x30, 0x0c, 0x42, 0x29, 0x22, 0x7d, 0x93, 0x1c, 0xc1, 0x2f, 0x41, 0x91, 0xef, 0xac,
-	0x8d, 0x19, 0x56, 0x95, 0xba, 0xb2, 0x54, 0x5e, 0x79, 0xa0, 0x45, 0xa7, 0x30, 0x0a, 0x50, 0x73,
-	0x0f, 0x3b, 0x5c, 0x40, 0x35, 0xce, 0xd6, 0xfa, 0xcb, 0xda, 0xa7, 0xc2, 0xd6, 0x13, 0xc2, 0xb0,
-	0x0e, 0x4f, 0x06, 0xb5, 0x4c, 0x30, 0xa8, 0x81, 0x48, 0x86, 0x46, 0x56, 0xe1, 0x73, 0x90, 0xa7,
-	0x2e, 0x31, 0xd4, 0xac, 0xb0, 0xfe, 0xa1, 0x36, 0xe9, 0x8c, 0xb5, 0x94, 0x30, 0x77, 0x5d, 0x62,
-	0xe8, 0xb7, 0xa4, 0x9b, 0x3c, 0x5f, 0x21, 0x61, 0x14, 0x1a, 0x60, 0x8a, 0x32, 0xcc, 0x7c, 0xaa,
-	0xe6, 0x84, 0xf9, 0x8f, 0x6e, 0x66, 0x5e, 0x98, 0xd0, 0xdf, 0x90, 0x0e, 0xa6, 0xc2, 0x35, 0x92,
-	0xa6, 0x1b, 0xcf, 0xc1, 0xfc, 0x53, 0xc7, 0x46, 0x84, 0x3a, 0xbe, 0x67, 0x90, 0x0d, 0xc6, 0x3c,
-	0xb3, 0xe5, 0x33, 0x42, 0x61, 0x1d, 0xe4, 0x5d, 0xcc, 0xba, 0x22, 0x71, 0xa5, 0x28, 0xbe, 0x67,
-	0x98, 0x75, 0x91, 0x40, 0x38, 0xa3, 0x4f, 0xbc, 0x96, 0xd8, 0x7c, 0x8c, 0xb1, 0x4f, 0xbc, 0x16,
-	0x12, 0x48, 0xe3, 0x6b, 0x30, 0x13, 0x33, 0x8e, 0x7c, 0x4b, 0x9c, 0x2d, 0x87, 0x12, 0x67, 0xcb,
-	0x35, 0x28, 0x0a, 0xe5, 0xf0, 0x11, 0x98, 0xb1, 0x23, 0x9d, 0x3d, 0xb4, 0x43, 0xd5, 0xac, 0xa0,
-	0xce, 0x05, 0x83, 0x5a, 0xdc, 0x1c, 0x87, 0xd0, 0x38, 0xb7, 0xf1, 0x53, 0x1e, 0xc0, 0x94, 0xdd,
-	0x34, 0x41, 0xc9, 0xc6, 0x3d, 0x42, 0x5d, 0x6c, 0x10, 0xb9, 0xa5, 0xdb, 0x32, 0xe0, 0xd2, 0xd3,
-	0x21, 0x80, 0x22, 0xce, 0xe4, 0xcd, 0xc1, 0xb7, 0x41, 0xa1, 0xe3, 0x39, 0xbe, 0x2b, 0x4e, 0xa7,
-	0xa4, 0x57, 0x24, 0xa5, 0xf0, 0x09, 0x17, 0xa2, 0x10, 0x83, 0xef, 0x82, 0xe9, 0x3e, 0xf1, 0xa8,
-	0xe9, 0xd8, 0x6a, 0x5e, 0xd0, 0x66, 0x24, 0x6d, 0x7a, 0x3f, 0x14, 0xa3, 0x21, 0x0e, 0xef, 0x83,
-	0xa2, 0x27, 0x03, 0x57, 0x0b, 0x82, 0x3b, 0x2b, 0xb9, 0xc5, 0x51, 0x06, 0x47, 0x0c, 0xf8, 0x3e,
-	0x28, 0x53, 0xbf, 0x35, 0x52, 0x98, 0x12, 0x0a, 0x73, 0x52, 0xa1, 0xbc, 0x1b, 0x41, 0x28, 0xce,
-	0xe3, 0xdb, 0xe2, 0x7b, 0x54, 0xa7, 0x93, 0xdb, 0xe2, 0x29, 0x40, 0x02, 0x81, 0x3d, 0x50, 0x39,
-	0x30, 0x89, 0xd5, 0xde, 0x25, 0x16, 0x31, 0x98, 0xe3, 0xa9, 0x45, 0x51, 0x7c, 0xab, 0x97, 0x15,
-	0x9f, 0xf6, 0x38, 0xae, 0x11, 0xa5, 0x5d, 0xbf, 0x1d, 0x0c, 0x6a, 0x95, 0x04, 0x88, 0x92, 0xd6,
-	0xb9, 0x3b, 0x0b, 0xb7, 0x88, 0x35, 0x72, 0x57, 0xba, 0x82, 0xbb, 0x9d, 0xb8, 0xc6, 0xb8, 0xbb,
-	0x04, 0x88, 0x92, 0xd6, 0x1b, 0x7f, 0x28, 0xe0, 0xd6, 0xf5, 0xea, 0xf1, 0x1e, 0x28, 0x61, 0xd7,
-	0x14, 0x87, 0x3a, 0xac, 0xc4, 0x0a, 0xaf, 0x9a, 0x8d, 0x67, 0xdb, 0xa1, 0x10, 0x45, 0x38, 0x27,
-	0x0f, 0x53, 0xcd, 0x6f, 0xed, 0x88, 0x3c, 0x74, 0x49, 0x51, 0x84, 0xc3, 0x35, 0x50, 0x19, 0x2e,
-	0x44, 0x09, 0xaa, 0x79, 0xa1, 0x20, 0x36, 0x81, 0xe2, 0x00, 0x4a, 0xf2, 0x1a, 0xbf, 0x67, 0xc1,
-	0xc2, 0x2e, 0xb1, 0x0e, 0x5e, 0x4d, 0xcf, 0xfb, 0x22, 0xd1, 0xf3, 0x1e, 0x5d, 0xa1, 0x29, 0xa5,
-	0x87, 0xfa, 0x6a, 0xfb, 0xde, 0x2f, 0x59, 0xf0, 0xe6, 0x25, 0x81, 0xc1, 0xef, 0x00, 0xf4, 0xce,
-	0xb5, 0x11, 0x99, 0xd1, 0xd5, 0xc9, 0x01, 0x9d, 0x6f, 0x41, 0xfa, 0x9d, 0x60, 0x50, 0x4b, 0x69,
-	0x4d, 0x28, 0xc5, 0x0f, 0xfc, 0x5e, 0x01, 0xf3, 0x76, 0x5a, 0x5b, 0x96, 0x59, 0x5f, 0x9b, 0x1c,
-	0x41, 0x6a, 0x57, 0xd7, 0xef, 0x06, 0x83, 0x5a, 0x7a, 0xc3, 0x47, 0xe9, 0x0e, 0xf9, 0x17, 0xf6,
-	0x4e, 0x2c, 0x51, 0xfc, 0xd2, 0xfc, 0x7f, 0xb5, 0xf6, 0x79, 0xa2, 0xd6, 0x3e, 0xbe, 0x56, 0xad,
-	0xc5, 0x22, 0xbd, 0xb0, 0xd4, 0x5a, 0x63, 0xa5, 0xb6, 0x7e, 0xe5, 0x52, 0x8b, 0x5b, 0xbf, 0xbc,
-	0xd2, 0x9e, 0x80, 0xc5, 0x8b, 0xa3, 0xba, 0xf6, 0x87, 0xa9, 0xf1, 0x6b, 0x16, 0xcc, 0xbd, 0x1e,
-	0x76, 0x6e, 0x76, 0xe9, 0x4f, 0xf3, 0x60, 0xe1, 0xf5, 0x85, 0xbf, 0xfc, 0xc2, 0xf3, 0x11, 0xc1,
-	0xa7, 0xc4, 0x93, 0x63, 0xcd, 0xe8, 0xac, 0xf6, 0x28, 0xf1, 0x90, 0x40, 0x60, 0x7d, 0x38, 0xf9,
-	0x84, 0x1f, 0x2c, 0xc0, 0x33, 0x2d, 0xbf, 0x85, 0x72, 0xec, 0x31, 0x41, 0x81, 0xf0, 0x79, 0x5e,
-	0x2d, 0xd4, 0x73, 0x4b, 0xe5, 0x95, 0xcd, 0x1b, 0xd7, 0x8a, 0x26, 0x9e, 0x05, 0x5b, 0x36, 0xf3,
-	0x8e, 0xa3, 0x09, 0x4b, 0xc8, 0x50, 0xe8, 0x01, 0xbe, 0x05, 0x72, 0xbe, 0xd9, 0x96, 0x03, 0x50,
-	0x59, 0x52, 0x72, 0x7b, 0xdb, 0x9b, 0x88, 0xcb, 0x17, 0x0f, 0xe4, 0xcb, 0x42, 0x98, 0x80, 0xb3,
-	0x20, 0x77, 0x48, 0x8e, 0xc3, 0x7b, 0x86, 0xf8, 0x4f, 0xa8, 0x83, 0x42, 0x9f, 0x3f, 0x3a, 0x64,
-	0x9e, 0xef, 0x4f, 0x8e, 0x34, 0x7a, 0xa8, 0xa0, 0x50, 0x75, 0x3d, 0xfb, 0x50, 0x69, 0xfc, 0xa9,
-	0x80, 0xbb, 0x17, 0x16, 0x24, 0x1f, 0x03, 0xb1, 0x65, 0x39, 0x47, 0xa4, 0x2d, 0x7c, 0x17, 0xa3,
-	0x31, 0x70, 0x23, 0x14, 0xa3, 0x21, 0x0e, 0xdf, 0x01, 0x53, 0x6d, 0x62, 0x9b, 0xa4, 0x2d, 0x06,
-	0xc6, 0x62, 0x54, 0xcb, 0x9b, 0x42, 0x8a, 0x24, 0xca, 0x79, 0x1e, 0xc1, 0xd4, 0xb1, 0xe5, 0x88,
-	0x3a, 0xe2, 0x21, 0x21, 0x45, 0x12, 0x85, 0x1b, 0x60, 0x86, 0xf0, 0x30, 0xc5, 0x26, 0xb6, 0x3c,
-	0xcf, 0x19, 0x9e, 0xec, 0x82, 0x54, 0x98, 0xd9, 0x4a, 0xc2, 0x68, 0x9c, 0xdf, 0xf8, 0x37, 0x0b,
-	0xd4, 0x8b, 0xda, 0x1e, 0x3c, 0x8c, 0xa6, 0x18, 0x01, 0x8a, 0x41, 0xaa, 0xbc, 0xa2, 0x5d, 0xfd,
-	0xca, 0x70, 0x35, 0x7d, 0x5e, 0x46, 0x53, 0x89, 0x4b, 0x63, 0x93, 0x8f, 0x58, 0xc2, 0x23, 0x30,
-	0x6b, 0x27, 0x1f, 0x14, 0xe1, 0x4c, 0x56, 0x5e, 0x59, 0xbe, 0xd6, 0x05, 0x11, 0x2e, 0x55, 0xe9,
-	0x72, 0x76, 0x0c, 0xa0, 0xe8, 0x9c, 0x13, 0xb8, 0x02, 0x80, 0x69, 0x1b, 0x4e, 0xcf, 0xb5, 0x08,
-	0x23, 0x22, 0x81, 0xc5, 0xa8, 0x5b, 0x6e, 0x8f, 0x10, 0x14, 0x63, 0xa5, 0x65, 0x3e, 0x7f, 0xbd,
-	0xcc, 0xeb, 0x8f, 0x4f, 0xce, 0xaa, 0x99, 0x97, 0x67, 0xd5, 0xcc, 0xe9, 0x59, 0x35, 0xf3, 0x22,
-	0xa8, 0x2a, 0x27, 0x41, 0x55, 0x79, 0x19, 0x54, 0x95, 0xd3, 0xa0, 0xaa, 0xfc, 0x1d, 0x54, 0x95,
-	0x1f, 0xfe, 0xa9, 0x66, 0x3e, 0xab, 0x4f, 0xfa, 0x33, 0xe2, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff,
-	0x46, 0xf7, 0xe0, 0x3d, 0xaf, 0x10, 0x00, 0x00,
-}
+func (m *SubjectRulesReviewStatus) Reset() { *m = SubjectRulesReviewStatus{} }
 
 func (m ExtraValue) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1102,7 +624,7 @@ func (m *SubjectAccessReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -1703,7 +1225,7 @@ func (this *SubjectAccessReviewSpec) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/staging/src/k8s.io/api/authorization/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/authorization/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..69af1b6c93050
--- /dev/null
+++ b/staging/src/k8s.io/api/authorization/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,50 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*LocalSubjectAccessReview) ProtoMessage() {}
+
+func (*NonResourceAttributes) ProtoMessage() {}
+
+func (*NonResourceRule) ProtoMessage() {}
+
+func (*ResourceAttributes) ProtoMessage() {}
+
+func (*ResourceRule) ProtoMessage() {}
+
+func (*SelfSubjectAccessReview) ProtoMessage() {}
+
+func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
+
+func (*SelfSubjectRulesReview) ProtoMessage() {}
+
+func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
+
+func (*SubjectAccessReview) ProtoMessage() {}
+
+func (*SubjectAccessReviewSpec) ProtoMessage() {}
+
+func (*SubjectAccessReviewStatus) ProtoMessage() {}
+
+func (*SubjectRulesReviewStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..0f1b55c13f10d
--- /dev/null
+++ b/staging/src/k8s.io/api/authorization/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,87 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LocalSubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.LocalSubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourceAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.NonResourceAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourceRule) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.NonResourceRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceAttributes) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.ResourceAttributes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceRule) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.ResourceRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectAccessReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectRulesReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelfSubjectRulesReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReview) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SubjectAccessReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectAccessReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SubjectRulesReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatus"
+}
diff --git a/staging/src/k8s.io/api/autoscaling/v1/doc.go b/staging/src/k8s.io/api/autoscaling/v1/doc.go
index 4ee085e165c89..9f502a66091c7 100644
--- a/staging/src/k8s.io/api/autoscaling/v1/doc.go
+++ b/staging/src/k8s.io/api/autoscaling/v1/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.autoscaling.v1
 
 package v1
diff --git a/staging/src/k8s.io/api/autoscaling/v1/generated.pb.go b/staging/src/k8s.io/api/autoscaling/v1/generated.pb.go
index 3e3c23135195f..6028054aefd05 100644
--- a/staging/src/k8s.io/api/autoscaling/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/autoscaling/v1/generated.pb.go
@@ -24,748 +24,56 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ContainerResourceMetricSource) Reset() { *m = ContainerResourceMetricSource{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ContainerResourceMetricStatus) Reset() { *m = ContainerResourceMetricStatus{} }
 
-func (m *ContainerResourceMetricSource) Reset()      { *m = ContainerResourceMetricSource{} }
-func (*ContainerResourceMetricSource) ProtoMessage() {}
-func (*ContainerResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{0}
-}
-func (m *ContainerResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricSource.Merge(m, src)
-}
-func (m *ContainerResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricSource.DiscardUnknown(m)
-}
+func (m *CrossVersionObjectReference) Reset() { *m = CrossVersionObjectReference{} }
 
-var xxx_messageInfo_ContainerResourceMetricSource proto.InternalMessageInfo
+func (m *ExternalMetricSource) Reset() { *m = ExternalMetricSource{} }
 
-func (m *ContainerResourceMetricStatus) Reset()      { *m = ContainerResourceMetricStatus{} }
-func (*ContainerResourceMetricStatus) ProtoMessage() {}
-func (*ContainerResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{1}
-}
-func (m *ContainerResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricStatus.Merge(m, src)
-}
-func (m *ContainerResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricStatus.DiscardUnknown(m)
-}
+func (m *ExternalMetricStatus) Reset() { *m = ExternalMetricStatus{} }
 
-var xxx_messageInfo_ContainerResourceMetricStatus proto.InternalMessageInfo
+func (m *HorizontalPodAutoscaler) Reset() { *m = HorizontalPodAutoscaler{} }
 
-func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
-func (*CrossVersionObjectReference) ProtoMessage() {}
-func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{2}
-}
-func (m *CrossVersionObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CrossVersionObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CrossVersionObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossVersionObjectReference.Merge(m, src)
-}
-func (m *CrossVersionObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *CrossVersionObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_CrossVersionObjectReference.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerCondition) Reset() { *m = HorizontalPodAutoscalerCondition{} }
 
-var xxx_messageInfo_CrossVersionObjectReference proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerList) Reset() { *m = HorizontalPodAutoscalerList{} }
 
-func (m *ExternalMetricSource) Reset()      { *m = ExternalMetricSource{} }
-func (*ExternalMetricSource) ProtoMessage() {}
-func (*ExternalMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{3}
-}
-func (m *ExternalMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricSource.Merge(m, src)
-}
-func (m *ExternalMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricSource.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerSpec) Reset() { *m = HorizontalPodAutoscalerSpec{} }
 
-var xxx_messageInfo_ExternalMetricSource proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerStatus) Reset() { *m = HorizontalPodAutoscalerStatus{} }
 
-func (m *ExternalMetricStatus) Reset()      { *m = ExternalMetricStatus{} }
-func (*ExternalMetricStatus) ProtoMessage() {}
-func (*ExternalMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{4}
-}
-func (m *ExternalMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricStatus.Merge(m, src)
-}
-func (m *ExternalMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricStatus.DiscardUnknown(m)
-}
+func (m *MetricSpec) Reset() { *m = MetricSpec{} }
 
-var xxx_messageInfo_ExternalMetricStatus proto.InternalMessageInfo
+func (m *MetricStatus) Reset() { *m = MetricStatus{} }
 
-func (m *HorizontalPodAutoscaler) Reset()      { *m = HorizontalPodAutoscaler{} }
-func (*HorizontalPodAutoscaler) ProtoMessage() {}
-func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{5}
-}
-func (m *HorizontalPodAutoscaler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscaler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscaler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscaler.Merge(m, src)
-}
-func (m *HorizontalPodAutoscaler) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscaler) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscaler.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscaler proto.InternalMessageInfo
-
-func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
-func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
-func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{6}
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.DiscardUnknown(m)
-}
+func (m *ObjectMetricSource) Reset() { *m = ObjectMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerCondition proto.InternalMessageInfo
+func (m *ObjectMetricStatus) Reset() { *m = ObjectMetricStatus{} }
 
-func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
-func (*HorizontalPodAutoscalerList) ProtoMessage() {}
-func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{7}
-}
-func (m *HorizontalPodAutoscalerList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerList.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerList) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscalerList proto.InternalMessageInfo
-
-func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
-func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
-func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{8}
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.DiscardUnknown(m)
-}
+func (m *PodsMetricSource) Reset() { *m = PodsMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerSpec proto.InternalMessageInfo
+func (m *PodsMetricStatus) Reset() { *m = PodsMetricStatus{} }
 
-func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
-func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
-func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{9}
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.DiscardUnknown(m)
-}
+func (m *ResourceMetricSource) Reset() { *m = ResourceMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerStatus proto.InternalMessageInfo
+func (m *ResourceMetricStatus) Reset() { *m = ResourceMetricStatus{} }
 
-func (m *MetricSpec) Reset()      { *m = MetricSpec{} }
-func (*MetricSpec) ProtoMessage() {}
-func (*MetricSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{10}
-}
-func (m *MetricSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricSpec.Merge(m, src)
-}
-func (m *MetricSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricSpec.DiscardUnknown(m)
-}
+func (m *Scale) Reset() { *m = Scale{} }
 
-var xxx_messageInfo_MetricSpec proto.InternalMessageInfo
+func (m *ScaleSpec) Reset() { *m = ScaleSpec{} }
 
-func (m *MetricStatus) Reset()      { *m = MetricStatus{} }
-func (*MetricStatus) ProtoMessage() {}
-func (*MetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{11}
-}
-func (m *MetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricStatus.Merge(m, src)
-}
-func (m *MetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricStatus proto.InternalMessageInfo
-
-func (m *ObjectMetricSource) Reset()      { *m = ObjectMetricSource{} }
-func (*ObjectMetricSource) ProtoMessage() {}
-func (*ObjectMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{12}
-}
-func (m *ObjectMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricSource.Merge(m, src)
-}
-func (m *ObjectMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricSource proto.InternalMessageInfo
-
-func (m *ObjectMetricStatus) Reset()      { *m = ObjectMetricStatus{} }
-func (*ObjectMetricStatus) ProtoMessage() {}
-func (*ObjectMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{13}
-}
-func (m *ObjectMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricStatus.Merge(m, src)
-}
-func (m *ObjectMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricStatus proto.InternalMessageInfo
-
-func (m *PodsMetricSource) Reset()      { *m = PodsMetricSource{} }
-func (*PodsMetricSource) ProtoMessage() {}
-func (*PodsMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{14}
-}
-func (m *PodsMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricSource.Merge(m, src)
-}
-func (m *PodsMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricSource proto.InternalMessageInfo
-
-func (m *PodsMetricStatus) Reset()      { *m = PodsMetricStatus{} }
-func (*PodsMetricStatus) ProtoMessage() {}
-func (*PodsMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{15}
-}
-func (m *PodsMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricStatus.Merge(m, src)
-}
-func (m *PodsMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricStatus proto.InternalMessageInfo
-
-func (m *ResourceMetricSource) Reset()      { *m = ResourceMetricSource{} }
-func (*ResourceMetricSource) ProtoMessage() {}
-func (*ResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{16}
-}
-func (m *ResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricSource.Merge(m, src)
-}
-func (m *ResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricSource proto.InternalMessageInfo
-
-func (m *ResourceMetricStatus) Reset()      { *m = ResourceMetricStatus{} }
-func (*ResourceMetricStatus) ProtoMessage() {}
-func (*ResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{17}
-}
-func (m *ResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricStatus.Merge(m, src)
-}
-func (m *ResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricStatus proto.InternalMessageInfo
-
-func (m *Scale) Reset()      { *m = Scale{} }
-func (*Scale) ProtoMessage() {}
-func (*Scale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{18}
-}
-func (m *Scale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scale.Merge(m, src)
-}
-func (m *Scale) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scale) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scale.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Scale proto.InternalMessageInfo
-
-func (m *ScaleSpec) Reset()      { *m = ScaleSpec{} }
-func (*ScaleSpec) ProtoMessage() {}
-func (*ScaleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{19}
-}
-func (m *ScaleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleSpec.Merge(m, src)
-}
-func (m *ScaleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ScaleSpec proto.InternalMessageInfo
-
-func (m *ScaleStatus) Reset()      { *m = ScaleStatus{} }
-func (*ScaleStatus) ProtoMessage() {}
-func (*ScaleStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1972394c0c7aac8b, []int{20}
-}
-func (m *ScaleStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleStatus.Merge(m, src)
-}
-func (m *ScaleStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ScaleStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerResourceMetricSource)(nil), "k8s.io.api.autoscaling.v1.ContainerResourceMetricSource")
-	proto.RegisterType((*ContainerResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ContainerResourceMetricStatus")
-	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v1.CrossVersionObjectReference")
-	proto.RegisterType((*ExternalMetricSource)(nil), "k8s.io.api.autoscaling.v1.ExternalMetricSource")
-	proto.RegisterType((*ExternalMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ExternalMetricStatus")
-	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscaler")
-	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerCondition")
-	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerList")
-	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerSpec")
-	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerStatus")
-	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v1.MetricSpec")
-	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v1.MetricStatus")
-	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v1.ObjectMetricSource")
-	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ObjectMetricStatus")
-	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v1.PodsMetricSource")
-	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v1.PodsMetricStatus")
-	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v1.ResourceMetricSource")
-	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ResourceMetricStatus")
-	proto.RegisterType((*Scale)(nil), "k8s.io.api.autoscaling.v1.Scale")
-	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.autoscaling.v1.ScaleSpec")
-	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.autoscaling.v1.ScaleStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/autoscaling/v1/generated.proto", fileDescriptor_1972394c0c7aac8b)
-}
-
-var fileDescriptor_1972394c0c7aac8b = []byte{
-	// 1593 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0x4d, 0x6c, 0x13, 0xd7,
-	0x16, 0x8e, 0x7f, 0x12, 0x92, 0xe3, 0x90, 0x9f, 0x0b, 0x0f, 0x92, 0xf0, 0xf0, 0x44, 0xf3, 0x10,
-	0x0a, 0xef, 0x3d, 0xc6, 0x8d, 0x4b, 0x11, 0x5d, 0x55, 0xb1, 0x5b, 0x0a, 0x6a, 0x0c, 0xe1, 0x26,
-	0x50, 0xfa, 0x2b, 0x6e, 0xc6, 0x17, 0x67, 0x88, 0x67, 0xc6, 0x9a, 0x19, 0x5b, 0x04, 0x09, 0xa9,
-	0x5d, 0x74, 0xdf, 0x0d, 0xed, 0xb6, 0x95, 0xba, 0xed, 0x9a, 0x75, 0x77, 0x2c, 0x59, 0x20, 0x95,
-	0x95, 0x55, 0xa6, 0x8b, 0x2e, 0xba, 0xea, 0x96, 0x55, 0x75, 0xef, 0xdc, 0x19, 0xcf, 0xd8, 0x9e,
-	0x89, 0xe3, 0x84, 0xa8, 0xad, 0xd8, 0x65, 0x7c, 0xcf, 0xf9, 0xce, 0xbd, 0xe7, 0xff, 0x9c, 0xc0,
-	0xb9, 0xed, 0x4b, 0xb6, 0xa2, 0x99, 0x05, 0xd2, 0xd0, 0x0a, 0xa4, 0xe9, 0x98, 0xb6, 0x4a, 0xea,
-	0x9a, 0x51, 0x2b, 0xb4, 0x96, 0x0b, 0x35, 0x6a, 0x50, 0x8b, 0x38, 0xb4, 0xaa, 0x34, 0x2c, 0xd3,
-	0x31, 0xd1, 0xbc, 0x47, 0xaa, 0x90, 0x86, 0xa6, 0x84, 0x48, 0x95, 0xd6, 0xf2, 0xc2, 0xf9, 0x9a,
-	0xe6, 0x6c, 0x35, 0x37, 0x15, 0xd5, 0xd4, 0x0b, 0x35, 0xb3, 0x66, 0x16, 0x38, 0xc7, 0x66, 0xf3,
-	0x2e, 0xff, 0xe2, 0x1f, 0xfc, 0x2f, 0x0f, 0x69, 0x41, 0x0e, 0x09, 0x55, 0x4d, 0x8b, 0xf6, 0x91,
-	0xb6, 0x70, 0xa1, 0x43, 0xa3, 0x13, 0x75, 0x4b, 0x33, 0xa8, 0xb5, 0x53, 0x68, 0x6c, 0xd7, 0x38,
-	0x93, 0x45, 0x6d, 0xb3, 0x69, 0xa9, 0x74, 0x4f, 0x5c, 0x76, 0x41, 0xa7, 0x0e, 0xe9, 0x27, 0xab,
-	0x10, 0xc7, 0x65, 0x35, 0x0d, 0x47, 0xd3, 0x7b, 0xc5, 0x5c, 0xdc, 0x8d, 0xc1, 0x56, 0xb7, 0xa8,
-	0x4e, 0xba, 0xf9, 0xe4, 0xdf, 0xd2, 0x70, 0xba, 0x6c, 0x1a, 0x0e, 0x61, 0x1c, 0x58, 0x3c, 0xa2,
-	0x42, 0x1d, 0x4b, 0x53, 0xd7, 0xf9, 0xdf, 0xa8, 0x0c, 0x59, 0x83, 0xe8, 0x74, 0x2e, 0xb5, 0x98,
-	0x5a, 0x9a, 0x28, 0x15, 0x9e, 0xb4, 0xa5, 0x11, 0xb7, 0x2d, 0x65, 0xaf, 0x11, 0x9d, 0xbe, 0x6c,
-	0x4b, 0x52, 0xaf, 0xe2, 0x14, 0x1f, 0x86, 0x91, 0x60, 0xce, 0x8c, 0x6e, 0xc3, 0x9c, 0x43, 0xac,
-	0x1a, 0x75, 0x56, 0x5a, 0xd4, 0x22, 0x35, 0x7a, 0xd3, 0xd1, 0xea, 0xda, 0x03, 0xe2, 0x68, 0xa6,
-	0x31, 0x97, 0x5e, 0x4c, 0x2d, 0x8d, 0x96, 0xfe, 0xed, 0xb6, 0xa5, 0xb9, 0x8d, 0x18, 0x1a, 0x1c,
-	0xcb, 0x8d, 0x5a, 0x80, 0x22, 0x67, 0xb7, 0x48, 0xbd, 0x49, 0xe7, 0x32, 0x8b, 0xa9, 0xa5, 0x5c,
-	0x51, 0x51, 0x3a, 0x0e, 0x12, 0x68, 0x45, 0x69, 0x6c, 0xd7, 0xb8, 0xc7, 0xf8, 0x26, 0x53, 0x6e,
-	0x34, 0x89, 0xe1, 0x68, 0xce, 0x4e, 0xe9, 0x84, 0xdb, 0x96, 0xd0, 0x46, 0x0f, 0x1a, 0xee, 0x23,
-	0x01, 0x15, 0x60, 0x42, 0xf5, 0xf5, 0x36, 0x37, 0xca, 0x75, 0x33, 0x2b, 0x74, 0x33, 0xd1, 0x51,
-	0x68, 0x87, 0x46, 0xfe, 0x23, 0x41, 0xd3, 0x0e, 0x71, 0x9a, 0xf6, 0xc1, 0x68, 0xfa, 0x13, 0x98,
-	0x57, 0x9b, 0x96, 0x45, 0x8d, 0x78, 0x55, 0x9f, 0x76, 0xdb, 0xd2, 0x7c, 0x39, 0x8e, 0x08, 0xc7,
-	0xf3, 0xa3, 0x87, 0x70, 0x2c, 0x7a, 0xb8, 0x1f, 0x6d, 0x9f, 0x12, 0x0f, 0x3c, 0x56, 0xee, 0x85,
-	0xc4, 0xfd, 0xe4, 0x44, 0x75, 0x9e, 0x1d, 0x40, 0xe7, 0x8f, 0x52, 0x70, 0xaa, 0x6c, 0x99, 0xb6,
-	0x7d, 0x8b, 0x5a, 0xb6, 0x66, 0x1a, 0xd7, 0x37, 0xef, 0x51, 0xd5, 0xc1, 0xf4, 0x2e, 0xb5, 0xa8,
-	0xa1, 0x52, 0xb4, 0x08, 0xd9, 0x6d, 0xcd, 0xa8, 0x0a, 0x8d, 0x4f, 0xfa, 0x1a, 0xff, 0x40, 0x33,
-	0xaa, 0x98, 0x9f, 0x30, 0x0a, 0x6e, 0x93, 0x74, 0x94, 0x22, 0xa4, 0xf0, 0x22, 0x00, 0x69, 0x68,
-	0x42, 0x00, 0x57, 0xc5, 0x44, 0x09, 0x09, 0x3a, 0x58, 0x59, 0xbb, 0x2a, 0x4e, 0x70, 0x88, 0x4a,
-	0xfe, 0x26, 0x03, 0xc7, 0xdf, 0xbb, 0xef, 0x50, 0xcb, 0x20, 0xf5, 0x48, 0xb0, 0x15, 0x01, 0x74,
-	0xfe, 0x7d, 0xad, 0xe3, 0x08, 0x01, 0x58, 0x25, 0x38, 0xc1, 0x21, 0x2a, 0x64, 0xc2, 0x94, 0xf7,
-	0xb5, 0x4e, 0xeb, 0x54, 0x75, 0x4c, 0x8b, 0x5f, 0x36, 0x57, 0x7c, 0x33, 0xc9, 0x1e, 0xb6, 0xc2,
-	0x52, 0x8f, 0xd2, 0x5a, 0x56, 0x56, 0xc9, 0x26, 0xad, 0xfb, 0xac, 0x25, 0xe4, 0xb6, 0xa5, 0xa9,
-	0x4a, 0x04, 0x0e, 0x77, 0xc1, 0x23, 0x02, 0x39, 0x2f, 0x20, 0xf6, 0x63, 0xfd, 0x69, 0xb7, 0x2d,
-	0xe5, 0x36, 0x3a, 0x30, 0x38, 0x8c, 0x19, 0x13, 0xd5, 0xd9, 0x57, 0x1d, 0xd5, 0xf2, 0x77, 0xbd,
-	0x86, 0xf1, 0x62, 0xf3, 0x6f, 0x61, 0x98, 0x2d, 0x98, 0x14, 0x61, 0xb3, 0x1f, 0xcb, 0x1c, 0x17,
-	0xcf, 0x9a, 0x2c, 0x87, 0xb0, 0x70, 0x04, 0x19, 0xed, 0xf4, 0x4f, 0x04, 0xc3, 0x19, 0xe8, 0xe4,
-	0x5e, 0x92, 0x80, 0xfc, 0x38, 0x0d, 0x27, 0xaf, 0x98, 0x96, 0xf6, 0x80, 0x45, 0x79, 0x7d, 0xcd,
-	0xac, 0xae, 0x88, 0xca, 0x4f, 0x2d, 0x74, 0x07, 0xc6, 0x99, 0xf6, 0xaa, 0xc4, 0x21, 0xdc, 0x46,
-	0xb9, 0xe2, 0x1b, 0x83, 0xe9, 0xda, 0x4b, 0x0c, 0x15, 0xea, 0x90, 0x8e, 0x55, 0x3b, 0xbf, 0xe1,
-	0x00, 0x15, 0xdd, 0x86, 0xac, 0xdd, 0xa0, 0xaa, 0xb0, 0xe4, 0x45, 0x25, 0xb6, 0x03, 0x51, 0x62,
-	0xee, 0xb8, 0xde, 0xa0, 0x6a, 0x27, 0x8f, 0xb0, 0x2f, 0xcc, 0x11, 0xd1, 0x1d, 0x18, 0xb3, 0xb9,
-	0xaf, 0x09, 0xb3, 0x5d, 0x1a, 0x02, 0x9b, 0xf3, 0x97, 0xa6, 0x04, 0xfa, 0x98, 0xf7, 0x8d, 0x05,
-	0xae, 0xfc, 0x55, 0x06, 0x16, 0x63, 0x38, 0xcb, 0xa6, 0x51, 0xd5, 0x78, 0x8a, 0xbf, 0x02, 0x59,
-	0x67, 0xa7, 0xe1, 0xbb, 0xf8, 0x05, 0xff, 0xa2, 0x1b, 0x3b, 0x0d, 0x56, 0x84, 0xce, 0xec, 0xc6,
-	0xcf, 0xe8, 0x30, 0x47, 0x40, 0xab, 0xc1, 0x83, 0xd2, 0x11, 0x2c, 0x71, 0xad, 0x97, 0x6d, 0xa9,
-	0x4f, 0xd7, 0xa5, 0x04, 0x48, 0xd1, 0xcb, 0xb3, 0x8c, 0x50, 0x27, 0xb6, 0xb3, 0x61, 0x11, 0xc3,
-	0xf6, 0x24, 0x69, 0xba, 0xef, 0xe1, 0xff, 0x1d, 0xcc, 0xc8, 0x8c, 0xa3, 0xb4, 0x20, 0x6e, 0x81,
-	0x56, 0x7b, 0xd0, 0x70, 0x1f, 0x09, 0xe8, 0x2c, 0x8c, 0x59, 0x94, 0xd8, 0xa6, 0x21, 0x0a, 0x4e,
-	0xa0, 0x5c, 0xcc, 0x7f, 0xc5, 0xe2, 0x14, 0x9d, 0x83, 0x23, 0x3a, 0xb5, 0x6d, 0x52, 0xa3, 0xa2,
-	0x1b, 0x98, 0x16, 0x84, 0x47, 0x2a, 0xde, 0xcf, 0xd8, 0x3f, 0x97, 0x9f, 0xa5, 0xe0, 0x54, 0x8c,
-	0x1e, 0x57, 0x35, 0xdb, 0x41, 0x9f, 0xf6, 0x78, 0xb1, 0x32, 0x60, 0xc6, 0xd0, 0x6c, 0xcf, 0x87,
-	0x67, 0x84, 0xec, 0x71, 0xff, 0x97, 0x90, 0x07, 0x7f, 0x08, 0xa3, 0x9a, 0x43, 0x75, 0x66, 0x95,
-	0xcc, 0x52, 0xae, 0x58, 0xdc, 0xbb, 0x9b, 0x95, 0x8e, 0x0a, 0xf8, 0xd1, 0xab, 0x0c, 0x08, 0x7b,
-	0x78, 0xf2, 0xef, 0xe9, 0xd8, 0x67, 0x31, 0x37, 0x47, 0x2d, 0x98, 0xe2, 0x5f, 0x5e, 0x2a, 0xc6,
-	0xf4, 0xae, 0x78, 0x5c, 0x52, 0x10, 0x25, 0x14, 0xef, 0xd2, 0x09, 0x71, 0x8b, 0xa9, 0xf5, 0x08,
-	0x2a, 0xee, 0x92, 0x82, 0x96, 0x21, 0xa7, 0x6b, 0x06, 0xa6, 0x8d, 0xba, 0xa6, 0x12, 0x5b, 0xf4,
-	0x40, 0xbc, 0xfc, 0x54, 0x3a, 0x3f, 0xe3, 0x30, 0x0d, 0x7a, 0x0b, 0x72, 0x3a, 0xb9, 0x1f, 0xb0,
-	0x64, 0x38, 0xcb, 0x31, 0x21, 0x2f, 0x57, 0xe9, 0x1c, 0xe1, 0x30, 0x1d, 0xba, 0x07, 0x79, 0xaf,
-	0xa6, 0x94, 0xd7, 0x6e, 0x86, 0xda, 0xa6, 0x35, 0x6a, 0xa9, 0xd4, 0x70, 0x98, 0x6b, 0x64, 0x39,
-	0x92, 0xec, 0xb6, 0xa5, 0xfc, 0x46, 0x22, 0x25, 0xde, 0x05, 0x49, 0xfe, 0x29, 0x03, 0xa7, 0x13,
-	0xd3, 0x00, 0xba, 0x0c, 0xc8, 0xdc, 0xb4, 0xa9, 0xd5, 0xa2, 0xd5, 0xf7, 0xbd, 0xae, 0x9f, 0x35,
-	0x28, 0x4c, 0xe7, 0x19, 0xaf, 0x26, 0x5e, 0xef, 0x39, 0xc5, 0x7d, 0x38, 0x90, 0x0a, 0x47, 0x59,
-	0x5c, 0x78, 0x5a, 0xd6, 0x44, 0x2f, 0xb4, 0xb7, 0xa0, 0x9b, 0x75, 0xdb, 0xd2, 0xd1, 0xd5, 0x30,
-	0x08, 0x8e, 0x62, 0xa2, 0x15, 0x98, 0x16, 0xc9, 0xbe, 0x4b, 0xeb, 0x27, 0x85, 0xd6, 0xa7, 0xcb,
-	0xd1, 0x63, 0xdc, 0x4d, 0xcf, 0x20, 0xaa, 0xd4, 0xd6, 0x2c, 0x5a, 0x0d, 0x20, 0xb2, 0x51, 0x88,
-	0x77, 0xa3, 0xc7, 0xb8, 0x9b, 0x1e, 0xe9, 0x20, 0x09, 0xd4, 0x58, 0x0b, 0x8e, 0x72, 0xc8, 0xff,
-	0xb8, 0x6d, 0x49, 0x2a, 0x27, 0x93, 0xe2, 0xdd, 0xb0, 0xe4, 0x47, 0x59, 0x10, 0xbd, 0x03, 0x0f,
-	0x90, 0x0b, 0x91, 0xd4, 0xbb, 0xd8, 0x95, 0x7a, 0x67, 0xc2, 0x8d, 0x62, 0x28, 0xcd, 0xde, 0x80,
-	0x31, 0x93, 0x47, 0x86, 0xb0, 0xcb, 0xf9, 0x84, 0x70, 0x0a, 0x4a, 0x5a, 0x00, 0x54, 0x02, 0x96,
-	0xcb, 0x44, 0x68, 0x09, 0x20, 0x74, 0x15, 0xb2, 0x0d, 0xb3, 0xea, 0x17, 0xa2, 0xff, 0x25, 0x00,
-	0xae, 0x99, 0x55, 0x3b, 0x02, 0x37, 0xce, 0x6e, 0xcc, 0x7e, 0xc5, 0x1c, 0x02, 0x7d, 0x04, 0xe3,
-	0x7e, 0xc1, 0x17, 0xdd, 0x41, 0x21, 0x01, 0xae, 0xdf, 0x00, 0x5a, 0x9a, 0x64, 0x89, 0xcc, 0x3f,
-	0xc1, 0x01, 0x1c, 0x7a, 0x08, 0xb3, 0x6a, 0xf7, 0x3c, 0x35, 0x77, 0x64, 0xd7, 0xda, 0x99, 0x38,
-	0xed, 0x96, 0xfe, 0xe5, 0xb6, 0xa5, 0xd9, 0x1e, 0x12, 0xdc, 0x2b, 0x89, 0xbd, 0x8c, 0x8a, 0x4e,
-	0x91, 0x3b, 0x45, 0xf2, 0xcb, 0xfa, 0x75, 0xfb, 0xde, 0xcb, 0xfc, 0x13, 0x1c, 0xc0, 0xc9, 0xdf,
-	0x66, 0x61, 0x32, 0xd2, 0x7d, 0x1e, 0xb2, 0x67, 0x78, 0x6d, 0xc4, 0x81, 0x79, 0x86, 0x07, 0x77,
-	0xa0, 0x9e, 0xe1, 0x41, 0x1e, 0x92, 0x67, 0x78, 0xc2, 0x0e, 0xc9, 0x33, 0x42, 0x2f, 0xeb, 0xe3,
-	0x19, 0xcf, 0x32, 0x80, 0x7a, 0x83, 0x18, 0x7d, 0x0e, 0x63, 0x5e, 0xb9, 0xd8, 0x67, 0x49, 0x0d,
-	0x9a, 0x1b, 0x51, 0x3d, 0x05, 0x6a, 0xd7, 0xf4, 0x93, 0x1e, 0x68, 0xfa, 0xa1, 0x07, 0x31, 0x25,
-	0x06, 0x35, 0x37, 0x76, 0x52, 0xfc, 0x0c, 0xc6, 0x6d, 0x7f, 0xbc, 0xca, 0x0e, 0x3f, 0x5e, 0x71,
-	0x85, 0x07, 0x83, 0x55, 0x00, 0x89, 0xaa, 0x30, 0x49, 0xc2, 0x13, 0xce, 0xe8, 0x50, 0xcf, 0x98,
-	0x61, 0xe3, 0x54, 0x64, 0xb4, 0x89, 0xa0, 0xca, 0x3f, 0x77, 0x9b, 0xd5, 0x0b, 0xfb, 0xbf, 0xa2,
-	0x59, 0x0f, 0x6f, 0xc6, 0xfc, 0x47, 0x58, 0xf6, 0xfb, 0x34, 0xcc, 0x74, 0x17, 0xc9, 0xa1, 0x96,
-	0x09, 0x0f, 0xfa, 0x6e, 0x44, 0xd2, 0x43, 0x5d, 0x3a, 0x98, 0x81, 0x06, 0xdc, 0x75, 0x86, 0x2d,
-	0x91, 0x39, 0x70, 0x4b, 0xc8, 0x3f, 0x44, 0x75, 0x34, 0xfc, 0xc2, 0x25, 0x66, 0x3d, 0x99, 0x3e,
-	0xa4, 0xf5, 0xe4, 0x2b, 0x56, 0xd3, 0x8f, 0x69, 0x38, 0xfe, 0x7a, 0x43, 0x3f, 0xf8, 0x2e, 0xef,
-	0x71, 0xaf, 0xbe, 0x5e, 0xef, 0xd9, 0x07, 0x5a, 0xb1, 0x7d, 0x99, 0x86, 0x51, 0x3e, 0x9a, 0x1d,
-	0xc2, 0x42, 0xed, 0x72, 0x64, 0xa1, 0x76, 0x26, 0xa1, 0xc2, 0xf1, 0x1b, 0xc5, 0xae, 0xcf, 0xae,
-	0x75, 0xad, 0xcf, 0xce, 0xee, 0x8a, 0x94, 0xbc, 0x2c, 0x7b, 0x1b, 0x26, 0x02, 0x81, 0xe8, 0xff,
-	0xac, 0x57, 0x15, 0x33, 0x65, 0x8a, 0xdb, 0x36, 0xd8, 0xb0, 0x04, 0xc3, 0x64, 0x40, 0x21, 0x6b,
-	0x90, 0x0b, 0x49, 0xd8, 0x1b, 0x33, 0xa3, 0xb6, 0xc3, 0xeb, 0xe2, 0x89, 0x0e, 0x75, 0x6f, 0x4e,
-	0x28, 0xbd, 0xf3, 0xe4, 0x45, 0x7e, 0xe4, 0xe9, 0x8b, 0xfc, 0xc8, 0xf3, 0x17, 0xf9, 0x91, 0x2f,
-	0xdc, 0x7c, 0xea, 0x89, 0x9b, 0x4f, 0x3d, 0x75, 0xf3, 0xa9, 0xe7, 0x6e, 0x3e, 0xf5, 0x8b, 0x9b,
-	0x4f, 0x7d, 0xfd, 0x6b, 0x7e, 0xe4, 0xe3, 0xf9, 0xd8, 0x7f, 0xa9, 0xfe, 0x19, 0x00, 0x00, 0xff,
-	0xff, 0xd7, 0x67, 0xd4, 0x08, 0x6e, 0x1d, 0x00, 0x00,
-}
+func (m *ScaleStatus) Reset() { *m = ScaleStatus{} }
 
 func (m *ContainerResourceMetricSource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/autoscaling/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/autoscaling/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..7b073f92c3ea8
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v1/generated.protomessage.pb.go
@@ -0,0 +1,64 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ContainerResourceMetricSource) ProtoMessage() {}
+
+func (*ContainerResourceMetricStatus) ProtoMessage() {}
+
+func (*CrossVersionObjectReference) ProtoMessage() {}
+
+func (*ExternalMetricSource) ProtoMessage() {}
+
+func (*ExternalMetricStatus) ProtoMessage() {}
+
+func (*HorizontalPodAutoscaler) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+
+func (*MetricSpec) ProtoMessage() {}
+
+func (*MetricStatus) ProtoMessage() {}
+
+func (*ObjectMetricSource) ProtoMessage() {}
+
+func (*ObjectMetricStatus) ProtoMessage() {}
+
+func (*PodsMetricSource) ProtoMessage() {}
+
+func (*PodsMetricStatus) ProtoMessage() {}
+
+func (*ResourceMetricSource) ProtoMessage() {}
+
+func (*ResourceMetricStatus) ProtoMessage() {}
+
+func (*Scale) ProtoMessage() {}
+
+func (*ScaleSpec) ProtoMessage() {}
+
+func (*ScaleStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/autoscaling/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/autoscaling/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..d4f18650db9e2
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v1/zz_generated.model_name.go
@@ -0,0 +1,127 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ContainerResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ContainerResourceMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CrossVersionObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.CrossVersionObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ExternalMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ExternalMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscaler) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerCondition) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerList) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.MetricSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.MetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ObjectMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ObjectMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.PodsMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.PodsMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ResourceMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scale) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.Scale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ScaleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v1.ScaleStatus"
+}
diff --git a/staging/src/k8s.io/api/autoscaling/v2/doc.go b/staging/src/k8s.io/api/autoscaling/v2/doc.go
index 8dea6339dfb1d..e9a98ae00994b 100644
--- a/staging/src/k8s.io/api/autoscaling/v2/doc.go
+++ b/staging/src/k8s.io/api/autoscaling/v2/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.autoscaling.v2
 
 package v2
diff --git a/staging/src/k8s.io/api/autoscaling/v2/generated.pb.go b/staging/src/k8s.io/api/autoscaling/v2/generated.pb.go
index 40b60ebeca4d7..7505c7592fc38 100644
--- a/staging/src/k8s.io/api/autoscaling/v2/generated.pb.go
+++ b/staging/src/k8s.io/api/autoscaling/v2/generated.pb.go
@@ -24,844 +24,62 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ContainerResourceMetricSource) Reset() { *m = ContainerResourceMetricSource{} }
 
-func (m *ContainerResourceMetricSource) Reset()      { *m = ContainerResourceMetricSource{} }
-func (*ContainerResourceMetricSource) ProtoMessage() {}
-func (*ContainerResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{0}
-}
-func (m *ContainerResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricSource.Merge(m, src)
-}
-func (m *ContainerResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerResourceMetricSource proto.InternalMessageInfo
-
-func (m *ContainerResourceMetricStatus) Reset()      { *m = ContainerResourceMetricStatus{} }
-func (*ContainerResourceMetricStatus) ProtoMessage() {}
-func (*ContainerResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{1}
-}
-func (m *ContainerResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricStatus.Merge(m, src)
-}
-func (m *ContainerResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricStatus.DiscardUnknown(m)
-}
+func (m *ContainerResourceMetricStatus) Reset() { *m = ContainerResourceMetricStatus{} }
 
-var xxx_messageInfo_ContainerResourceMetricStatus proto.InternalMessageInfo
+func (m *CrossVersionObjectReference) Reset() { *m = CrossVersionObjectReference{} }
 
-func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
-func (*CrossVersionObjectReference) ProtoMessage() {}
-func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{2}
-}
-func (m *CrossVersionObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CrossVersionObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CrossVersionObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossVersionObjectReference.Merge(m, src)
-}
-func (m *CrossVersionObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *CrossVersionObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_CrossVersionObjectReference.DiscardUnknown(m)
-}
+func (m *ExternalMetricSource) Reset() { *m = ExternalMetricSource{} }
 
-var xxx_messageInfo_CrossVersionObjectReference proto.InternalMessageInfo
+func (m *ExternalMetricStatus) Reset() { *m = ExternalMetricStatus{} }
 
-func (m *ExternalMetricSource) Reset()      { *m = ExternalMetricSource{} }
-func (*ExternalMetricSource) ProtoMessage() {}
-func (*ExternalMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{3}
-}
-func (m *ExternalMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricSource.Merge(m, src)
-}
-func (m *ExternalMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricSource.DiscardUnknown(m)
-}
+func (m *HPAScalingPolicy) Reset() { *m = HPAScalingPolicy{} }
 
-var xxx_messageInfo_ExternalMetricSource proto.InternalMessageInfo
+func (m *HPAScalingRules) Reset() { *m = HPAScalingRules{} }
 
-func (m *ExternalMetricStatus) Reset()      { *m = ExternalMetricStatus{} }
-func (*ExternalMetricStatus) ProtoMessage() {}
-func (*ExternalMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{4}
-}
-func (m *ExternalMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricStatus.Merge(m, src)
-}
-func (m *ExternalMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricStatus.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscaler) Reset() { *m = HorizontalPodAutoscaler{} }
 
-var xxx_messageInfo_ExternalMetricStatus proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerBehavior) Reset() { *m = HorizontalPodAutoscalerBehavior{} }
 
-func (m *HPAScalingPolicy) Reset()      { *m = HPAScalingPolicy{} }
-func (*HPAScalingPolicy) ProtoMessage() {}
-func (*HPAScalingPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{5}
-}
-func (m *HPAScalingPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HPAScalingPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HPAScalingPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HPAScalingPolicy.Merge(m, src)
-}
-func (m *HPAScalingPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *HPAScalingPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_HPAScalingPolicy.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerCondition) Reset() { *m = HorizontalPodAutoscalerCondition{} }
 
-var xxx_messageInfo_HPAScalingPolicy proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerList) Reset() { *m = HorizontalPodAutoscalerList{} }
 
-func (m *HPAScalingRules) Reset()      { *m = HPAScalingRules{} }
-func (*HPAScalingRules) ProtoMessage() {}
-func (*HPAScalingRules) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{6}
-}
-func (m *HPAScalingRules) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HPAScalingRules) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HPAScalingRules) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HPAScalingRules.Merge(m, src)
-}
-func (m *HPAScalingRules) XXX_Size() int {
-	return m.Size()
-}
-func (m *HPAScalingRules) XXX_DiscardUnknown() {
-	xxx_messageInfo_HPAScalingRules.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerSpec) Reset() { *m = HorizontalPodAutoscalerSpec{} }
 
-var xxx_messageInfo_HPAScalingRules proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerStatus) Reset() { *m = HorizontalPodAutoscalerStatus{} }
 
-func (m *HorizontalPodAutoscaler) Reset()      { *m = HorizontalPodAutoscaler{} }
-func (*HorizontalPodAutoscaler) ProtoMessage() {}
-func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{7}
-}
-func (m *HorizontalPodAutoscaler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscaler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscaler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscaler.Merge(m, src)
-}
-func (m *HorizontalPodAutoscaler) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscaler) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscaler.DiscardUnknown(m)
-}
+func (m *MetricIdentifier) Reset() { *m = MetricIdentifier{} }
 
-var xxx_messageInfo_HorizontalPodAutoscaler proto.InternalMessageInfo
+func (m *MetricSpec) Reset() { *m = MetricSpec{} }
 
-func (m *HorizontalPodAutoscalerBehavior) Reset()      { *m = HorizontalPodAutoscalerBehavior{} }
-func (*HorizontalPodAutoscalerBehavior) ProtoMessage() {}
-func (*HorizontalPodAutoscalerBehavior) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{8}
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerBehavior.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerBehavior.DiscardUnknown(m)
-}
+func (m *MetricStatus) Reset() { *m = MetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerBehavior proto.InternalMessageInfo
+func (m *MetricTarget) Reset() { *m = MetricTarget{} }
 
-func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
-func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
-func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{9}
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.DiscardUnknown(m)
-}
+func (m *MetricValueStatus) Reset() { *m = MetricValueStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerCondition proto.InternalMessageInfo
+func (m *ObjectMetricSource) Reset() { *m = ObjectMetricSource{} }
 
-func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
-func (*HorizontalPodAutoscalerList) ProtoMessage() {}
-func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{10}
-}
-func (m *HorizontalPodAutoscalerList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerList.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerList) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerList.DiscardUnknown(m)
-}
+func (m *ObjectMetricStatus) Reset() { *m = ObjectMetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerList proto.InternalMessageInfo
+func (m *PodsMetricSource) Reset() { *m = PodsMetricSource{} }
 
-func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
-func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
-func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{11}
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.DiscardUnknown(m)
-}
+func (m *PodsMetricStatus) Reset() { *m = PodsMetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerSpec proto.InternalMessageInfo
+func (m *ResourceMetricSource) Reset() { *m = ResourceMetricSource{} }
 
-func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
-func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
-func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{12}
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscalerStatus proto.InternalMessageInfo
-
-func (m *MetricIdentifier) Reset()      { *m = MetricIdentifier{} }
-func (*MetricIdentifier) ProtoMessage() {}
-func (*MetricIdentifier) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{13}
-}
-func (m *MetricIdentifier) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricIdentifier) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricIdentifier) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricIdentifier.Merge(m, src)
-}
-func (m *MetricIdentifier) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricIdentifier) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricIdentifier.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricIdentifier proto.InternalMessageInfo
-
-func (m *MetricSpec) Reset()      { *m = MetricSpec{} }
-func (*MetricSpec) ProtoMessage() {}
-func (*MetricSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{14}
-}
-func (m *MetricSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricSpec.Merge(m, src)
-}
-func (m *MetricSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricSpec proto.InternalMessageInfo
-
-func (m *MetricStatus) Reset()      { *m = MetricStatus{} }
-func (*MetricStatus) ProtoMessage() {}
-func (*MetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{15}
-}
-func (m *MetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricStatus.Merge(m, src)
-}
-func (m *MetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricStatus proto.InternalMessageInfo
-
-func (m *MetricTarget) Reset()      { *m = MetricTarget{} }
-func (*MetricTarget) ProtoMessage() {}
-func (*MetricTarget) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{16}
-}
-func (m *MetricTarget) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricTarget) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricTarget) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricTarget.Merge(m, src)
-}
-func (m *MetricTarget) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricTarget) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricTarget.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricTarget proto.InternalMessageInfo
-
-func (m *MetricValueStatus) Reset()      { *m = MetricValueStatus{} }
-func (*MetricValueStatus) ProtoMessage() {}
-func (*MetricValueStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{17}
-}
-func (m *MetricValueStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValueStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValueStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValueStatus.Merge(m, src)
-}
-func (m *MetricValueStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValueStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValueStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricValueStatus proto.InternalMessageInfo
-
-func (m *ObjectMetricSource) Reset()      { *m = ObjectMetricSource{} }
-func (*ObjectMetricSource) ProtoMessage() {}
-func (*ObjectMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{18}
-}
-func (m *ObjectMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricSource.Merge(m, src)
-}
-func (m *ObjectMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricSource proto.InternalMessageInfo
-
-func (m *ObjectMetricStatus) Reset()      { *m = ObjectMetricStatus{} }
-func (*ObjectMetricStatus) ProtoMessage() {}
-func (*ObjectMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{19}
-}
-func (m *ObjectMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricStatus.Merge(m, src)
-}
-func (m *ObjectMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricStatus proto.InternalMessageInfo
-
-func (m *PodsMetricSource) Reset()      { *m = PodsMetricSource{} }
-func (*PodsMetricSource) ProtoMessage() {}
-func (*PodsMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{20}
-}
-func (m *PodsMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricSource.Merge(m, src)
-}
-func (m *PodsMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricSource proto.InternalMessageInfo
-
-func (m *PodsMetricStatus) Reset()      { *m = PodsMetricStatus{} }
-func (*PodsMetricStatus) ProtoMessage() {}
-func (*PodsMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{21}
-}
-func (m *PodsMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricStatus.Merge(m, src)
-}
-func (m *PodsMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricStatus proto.InternalMessageInfo
-
-func (m *ResourceMetricSource) Reset()      { *m = ResourceMetricSource{} }
-func (*ResourceMetricSource) ProtoMessage() {}
-func (*ResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{22}
-}
-func (m *ResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricSource.Merge(m, src)
-}
-func (m *ResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricSource proto.InternalMessageInfo
-
-func (m *ResourceMetricStatus) Reset()      { *m = ResourceMetricStatus{} }
-func (*ResourceMetricStatus) ProtoMessage() {}
-func (*ResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_4d5f2c8767749221, []int{23}
-}
-func (m *ResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricStatus.Merge(m, src)
-}
-func (m *ResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2.ContainerResourceMetricSource")
-	proto.RegisterType((*ContainerResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2.ContainerResourceMetricStatus")
-	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v2.CrossVersionObjectReference")
-	proto.RegisterType((*ExternalMetricSource)(nil), "k8s.io.api.autoscaling.v2.ExternalMetricSource")
-	proto.RegisterType((*ExternalMetricStatus)(nil), "k8s.io.api.autoscaling.v2.ExternalMetricStatus")
-	proto.RegisterType((*HPAScalingPolicy)(nil), "k8s.io.api.autoscaling.v2.HPAScalingPolicy")
-	proto.RegisterType((*HPAScalingRules)(nil), "k8s.io.api.autoscaling.v2.HPAScalingRules")
-	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscaler")
-	proto.RegisterType((*HorizontalPodAutoscalerBehavior)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscalerBehavior")
-	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscalerCondition")
-	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscalerList")
-	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscalerSpec")
-	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v2.HorizontalPodAutoscalerStatus")
-	proto.RegisterType((*MetricIdentifier)(nil), "k8s.io.api.autoscaling.v2.MetricIdentifier")
-	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v2.MetricSpec")
-	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v2.MetricStatus")
-	proto.RegisterType((*MetricTarget)(nil), "k8s.io.api.autoscaling.v2.MetricTarget")
-	proto.RegisterType((*MetricValueStatus)(nil), "k8s.io.api.autoscaling.v2.MetricValueStatus")
-	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v2.ObjectMetricSource")
-	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v2.ObjectMetricStatus")
-	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v2.PodsMetricSource")
-	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v2.PodsMetricStatus")
-	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2.ResourceMetricSource")
-	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2.ResourceMetricStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/autoscaling/v2/generated.proto", fileDescriptor_4d5f2c8767749221)
-}
-
-var fileDescriptor_4d5f2c8767749221 = []byte{
-	// 1742 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x59, 0xc9, 0x8f, 0x1b, 0x4b,
-	0x19, 0x9f, 0xb6, 0x3d, 0x5b, 0x79, 0xd6, 0xca, 0xe6, 0x4c, 0x14, 0x7b, 0xd4, 0x04, 0xb2, 0x40,
-	0xda, 0xc4, 0x84, 0x28, 0x22, 0x07, 0x34, 0x3d, 0x01, 0x32, 0xca, 0x0c, 0xe3, 0x94, 0x27, 0x19,
-	0x76, 0xa5, 0xdc, 0x5d, 0xe3, 0x29, 0xc6, 0xee, 0xb6, 0xba, 0xdb, 0x4e, 0x26, 0x12, 0x12, 0x17,
-	0xee, 0x08, 0x14, 0xf1, 0x4f, 0x44, 0x9c, 0x40, 0xe1, 0x00, 0x12, 0x12, 0x1c, 0x72, 0x41, 0xca,
-	0x81, 0x43, 0x4e, 0x16, 0x31, 0xd2, 0x3b, 0xbe, 0xe3, 0x3b, 0xe4, 0xf4, 0x54, 0x4b, 0xaf, 0xde,
-	0xc6, 0x79, 0x93, 0x91, 0xe6, 0xe6, 0xaa, 0xfa, 0xbe, 0xdf, 0xb7, 0xd4, 0xb7, 0x55, 0x1b, 0x5c,
-	0x3f, 0xb8, 0xeb, 0x6a, 0xd4, 0x2e, 0xe2, 0x26, 0x2d, 0xe2, 0x96, 0x67, 0xbb, 0x06, 0xae, 0x53,
-	0xab, 0x56, 0x6c, 0x97, 0x8a, 0x35, 0x62, 0x11, 0x07, 0x7b, 0xc4, 0xd4, 0x9a, 0x8e, 0xed, 0xd9,
-	0xf0, 0xa2, 0x20, 0xd5, 0x70, 0x93, 0x6a, 0x11, 0x52, 0xad, 0x5d, 0x5a, 0xb9, 0x59, 0xa3, 0xde,
-	0x7e, 0xab, 0xaa, 0x19, 0x76, 0xa3, 0x58, 0xb3, 0x6b, 0x76, 0x91, 0x73, 0x54, 0x5b, 0x7b, 0x7c,
-	0xc5, 0x17, 0xfc, 0x97, 0x40, 0x5a, 0x51, 0x23, 0x42, 0x0d, 0xdb, 0x21, 0xc5, 0xf6, 0xad, 0xa4,
-	0xb4, 0x95, 0xdb, 0x21, 0x4d, 0x03, 0x1b, 0xfb, 0xd4, 0x22, 0xce, 0x61, 0xb1, 0x79, 0x50, 0xe3,
-	0x4c, 0x0e, 0x71, 0xed, 0x96, 0x63, 0x90, 0xb1, 0xb8, 0xdc, 0x62, 0x83, 0x78, 0xb8, 0x9f, 0xac,
-	0xe2, 0x20, 0x2e, 0xa7, 0x65, 0x79, 0xb4, 0xd1, 0x2b, 0xe6, 0xce, 0x28, 0x06, 0xd7, 0xd8, 0x27,
-	0x0d, 0x9c, 0xe4, 0x53, 0x3f, 0x53, 0xc0, 0xe5, 0x75, 0xdb, 0xf2, 0x30, 0xe3, 0x40, 0xd2, 0x88,
-	0x2d, 0xe2, 0x39, 0xd4, 0xa8, 0xf0, 0xdf, 0x70, 0x1d, 0x64, 0x2c, 0xdc, 0x20, 0x39, 0x65, 0x55,
-	0xb9, 0x36, 0xab, 0x17, 0xdf, 0x74, 0x0a, 0x13, 0xdd, 0x4e, 0x21, 0xf3, 0x63, 0xdc, 0x20, 0x1f,
-	0x3a, 0x85, 0x42, 0xaf, 0xe3, 0x34, 0x1f, 0x86, 0x91, 0x20, 0xce, 0x0c, 0xb7, 0xc1, 0x94, 0x87,
-	0x9d, 0x1a, 0xf1, 0x72, 0xa9, 0x55, 0xe5, 0x5a, 0xb6, 0x74, 0x55, 0x1b, 0x78, 0x75, 0x9a, 0x90,
-	0xbe, 0xc3, 0xc9, 0xf5, 0x05, 0x29, 0x6f, 0x4a, 0xac, 0x91, 0x84, 0x81, 0x45, 0x30, 0x6b, 0xf8,
-	0x6a, 0xe7, 0xd2, 0x5c, 0xb5, 0x65, 0x49, 0x3a, 0x1b, 0xda, 0x13, 0xd2, 0xa8, 0x9f, 0x0f, 0x31,
-	0xd4, 0xc3, 0x5e, 0xcb, 0x3d, 0x1e, 0x43, 0x77, 0xc1, 0xb4, 0xd1, 0x72, 0x1c, 0x62, 0xf9, 0x96,
-	0x7e, 0x6b, 0xa4, 0xa5, 0x4f, 0x70, 0xbd, 0x45, 0x84, 0x0e, 0xfa, 0xa2, 0x94, 0x3a, 0xbd, 0x2e,
-	0x40, 0x90, 0x8f, 0x36, 0xbe, 0xc1, 0x2f, 0x15, 0x70, 0x69, 0xdd, 0xb1, 0x5d, 0xf7, 0x09, 0x71,
-	0x5c, 0x6a, 0x5b, 0xdb, 0xd5, 0x5f, 0x13, 0xc3, 0x43, 0x64, 0x8f, 0x38, 0xc4, 0x32, 0x08, 0x5c,
-	0x05, 0x99, 0x03, 0x6a, 0x99, 0xd2, 0xdc, 0x39, 0xdf, 0xdc, 0x87, 0xd4, 0x32, 0x11, 0x3f, 0x61,
-	0x14, 0xdc, 0x21, 0xa9, 0x38, 0x45, 0xc4, 0xda, 0x12, 0x00, 0xb8, 0x49, 0xa5, 0x00, 0xa9, 0x15,
-	0x94, 0x74, 0x60, 0xad, 0xbc, 0x21, 0x4f, 0x50, 0x84, 0x4a, 0xfd, 0xbb, 0x02, 0xce, 0xfe, 0xe0,
-	0xb9, 0x47, 0x1c, 0x0b, 0xd7, 0x63, 0x81, 0x56, 0x01, 0x53, 0x0d, 0xbe, 0xe6, 0x2a, 0x65, 0x4b,
-	0xdf, 0x1c, 0xe9, 0xb9, 0x0d, 0x93, 0x58, 0x1e, 0xdd, 0xa3, 0xc4, 0x09, 0xe3, 0x44, 0x9c, 0x20,
-	0x09, 0x75, 0xec, 0x81, 0xa7, 0xfe, 0xbb, 0x57, 0x7d, 0x11, 0x3e, 0x9f, 0x44, 0xfd, 0x4f, 0x15,
-	0x4e, 0xea, 0x9f, 0x15, 0xb0, 0xf4, 0xa0, 0xbc, 0x56, 0x11, 0xdc, 0x65, 0xbb, 0x4e, 0x8d, 0x43,
-	0x78, 0x17, 0x64, 0xbc, 0xc3, 0xa6, 0x9f, 0x01, 0x57, 0xfc, 0x0b, 0xdf, 0x39, 0x6c, 0xb2, 0x0c,
-	0x38, 0x9b, 0xa4, 0x67, 0xfb, 0x88, 0x73, 0xc0, 0xaf, 0x81, 0xc9, 0x36, 0x93, 0xcb, 0xb5, 0x9c,
-	0xd4, 0xe7, 0x25, 0xeb, 0x24, 0x57, 0x06, 0x89, 0x33, 0x78, 0x0f, 0xcc, 0x37, 0x89, 0x43, 0x6d,
-	0xb3, 0x42, 0x0c, 0xdb, 0x32, 0x5d, 0x1e, 0x30, 0x93, 0xfa, 0x39, 0x49, 0x3c, 0x5f, 0x8e, 0x1e,
-	0xa2, 0x38, 0xad, 0xfa, 0x45, 0x0a, 0x2c, 0x86, 0x0a, 0xa0, 0x56, 0x9d, 0xb8, 0xf0, 0x57, 0x60,
-	0xc5, 0xf5, 0x70, 0x95, 0xd6, 0xe9, 0x0b, 0xec, 0x51, 0xdb, 0xda, 0xa5, 0x96, 0x69, 0x3f, 0x8b,
-	0xa3, 0xe7, 0xbb, 0x9d, 0xc2, 0x4a, 0x65, 0x20, 0x15, 0x1a, 0x82, 0x00, 0x1f, 0x82, 0x39, 0x97,
-	0xd4, 0x89, 0xe1, 0x09, 0x7b, 0xa5, 0x5f, 0xae, 0x76, 0x3b, 0x85, 0xb9, 0x4a, 0x64, 0xff, 0x43,
-	0xa7, 0x70, 0x26, 0xe6, 0x18, 0x71, 0x88, 0x62, 0xcc, 0xf0, 0xa7, 0x60, 0xa6, 0xc9, 0x7e, 0x51,
-	0xe2, 0xe6, 0x52, 0xab, 0xe9, 0x11, 0x11, 0x92, 0xf4, 0xb5, 0xbe, 0x24, 0xbd, 0x34, 0x53, 0x96,
-	0x20, 0x28, 0x80, 0x83, 0x3f, 0x07, 0xb3, 0x9e, 0x5d, 0x27, 0x0e, 0xb6, 0x0c, 0x92, 0xcb, 0xf0,
-	0x38, 0xd1, 0x22, 0xd8, 0x41, 0x43, 0xd0, 0x9a, 0x07, 0x35, 0x2e, 0xcc, 0xef, 0x56, 0xda, 0xa3,
-	0x16, 0xb6, 0x3c, 0xea, 0x1d, 0xea, 0xf3, 0xac, 0x8e, 0xec, 0xf8, 0x20, 0x28, 0xc4, 0x53, 0x5f,
-	0xa7, 0xc0, 0x85, 0x07, 0xb6, 0x43, 0x5f, 0xb0, 0xca, 0x52, 0x2f, 0xdb, 0xe6, 0x9a, 0xd4, 0x94,
-	0x38, 0xf0, 0x29, 0x98, 0x61, 0x1d, 0xcc, 0xc4, 0x1e, 0x96, 0x51, 0xff, 0xed, 0x61, 0x72, 0x5d,
-	0x8d, 0x51, 0x6b, 0xed, 0x5b, 0x9a, 0x28, 0x46, 0x5b, 0xc4, 0xc3, 0x61, 0xbd, 0x08, 0xf7, 0x50,
-	0x80, 0x0a, 0x7f, 0x02, 0x32, 0x6e, 0x93, 0x18, 0x32, 0xfa, 0xef, 0x0c, 0xf3, 0x58, 0x7f, 0x1d,
-	0x2b, 0x4d, 0x62, 0x84, 0xb5, 0x8b, 0xad, 0x10, 0x47, 0x84, 0x4f, 0xc1, 0x94, 0xcb, 0xb3, 0x84,
-	0x07, 0x4a, 0xb6, 0x74, 0xf7, 0x23, 0xb0, 0x45, 0x96, 0x05, 0xc9, 0x2b, 0xd6, 0x48, 0xe2, 0xaa,
-	0xff, 0x51, 0x40, 0x61, 0x00, 0xa7, 0x4e, 0xf6, 0x71, 0x9b, 0xda, 0x0e, 0x7c, 0x04, 0xa6, 0xf9,
-	0xce, 0xe3, 0xa6, 0x74, 0xe0, 0x8d, 0x23, 0x05, 0x05, 0x8f, 0x7f, 0x3d, 0xcb, 0x52, 0xbb, 0x22,
-	0xd8, 0x91, 0x8f, 0x03, 0x77, 0xc1, 0x2c, 0xff, 0x79, 0xdf, 0x7e, 0x66, 0x49, 0xbf, 0x8d, 0x03,
-	0xca, 0x23, 0xa1, 0xe2, 0x03, 0xa0, 0x10, 0x4b, 0xfd, 0x5d, 0x1a, 0xac, 0x0e, 0xb0, 0x67, 0xdd,
-	0xb6, 0x4c, 0xca, 0x12, 0x08, 0x3e, 0x88, 0xd5, 0x90, 0xdb, 0x89, 0x1a, 0x72, 0x65, 0x14, 0x7f,
-	0xa4, 0xa6, 0x6c, 0x06, 0x17, 0x94, 0x8a, 0x61, 0x49, 0x37, 0x7f, 0xe8, 0x14, 0xfa, 0x4c, 0x6d,
-	0x5a, 0x80, 0x14, 0xbf, 0x0c, 0xd8, 0x06, 0xb0, 0x8e, 0x5d, 0x6f, 0xc7, 0xc1, 0x96, 0x2b, 0x24,
-	0xd1, 0x06, 0x91, 0x57, 0x7f, 0xe3, 0x68, 0x41, 0xcb, 0x38, 0xf4, 0x15, 0xa9, 0x05, 0xdc, 0xec,
-	0x41, 0x43, 0x7d, 0x24, 0xc0, 0x6f, 0x80, 0x29, 0x87, 0x60, 0xd7, 0xb6, 0x78, 0x62, 0xce, 0x86,
-	0xc1, 0x82, 0xf8, 0x2e, 0x92, 0xa7, 0xf0, 0x3a, 0x98, 0x6e, 0x10, 0xd7, 0xc5, 0x35, 0x92, 0x9b,
-	0xe4, 0x84, 0x41, 0xed, 0xde, 0x12, 0xdb, 0xc8, 0x3f, 0x57, 0xff, 0xab, 0x80, 0x4b, 0x03, 0xfc,
-	0xb8, 0x49, 0x5d, 0x0f, 0xfe, 0xa2, 0x27, 0x2b, 0xb5, 0xa3, 0x19, 0xc8, 0xb8, 0x79, 0x4e, 0x06,
-	0xc5, 0xc6, 0xdf, 0x89, 0x64, 0xe4, 0x2e, 0x98, 0xa4, 0x1e, 0x69, 0xf8, 0x45, 0xac, 0x34, 0x7e,
-	0xda, 0x84, 0xed, 0x61, 0x83, 0x01, 0x21, 0x81, 0xa7, 0xbe, 0x4e, 0x0f, 0x34, 0x8b, 0xa5, 0x2d,
-	0x6c, 0x83, 0x05, 0xbe, 0x92, 0x0d, 0x99, 0xec, 0x49, 0xe3, 0x86, 0x15, 0x85, 0x21, 0x03, 0x90,
-	0x7e, 0x5e, 0x6a, 0xb1, 0x50, 0x89, 0xa1, 0xa2, 0x84, 0x14, 0x78, 0x0b, 0x64, 0x1b, 0xd4, 0x42,
-	0xa4, 0x59, 0xa7, 0x06, 0x76, 0x65, 0x87, 0x5b, 0xec, 0x76, 0x0a, 0xd9, 0xad, 0x70, 0x1b, 0x45,
-	0x69, 0xe0, 0x77, 0x41, 0xb6, 0x81, 0x9f, 0x07, 0x2c, 0xa2, 0x13, 0x9d, 0x91, 0xf2, 0xb2, 0x5b,
-	0xe1, 0x11, 0x8a, 0xd2, 0xc1, 0x32, 0x8b, 0x01, 0xd6, 0xc3, 0xdd, 0x5c, 0x86, 0x3b, 0xf7, 0xeb,
-	0x23, 0xbb, 0x3d, 0x2f, 0x6f, 0x91, 0x50, 0xe1, 0xdc, 0xc8, 0x87, 0x81, 0x26, 0x98, 0xa9, 0xca,
-	0x52, 0xc3, 0xc3, 0x2a, 0x5b, 0xfa, 0xde, 0x47, 0xdc, 0x97, 0x44, 0xd0, 0xe7, 0x58, 0x48, 0xf8,
-	0x2b, 0x14, 0x20, 0xab, 0xaf, 0x32, 0xe0, 0xf2, 0xd0, 0x12, 0x09, 0x7f, 0x08, 0xa0, 0x5d, 0x75,
-	0x89, 0xd3, 0x26, 0xe6, 0x8f, 0xc4, 0x0b, 0x84, 0x0d, 0x8c, 0xec, 0xfe, 0xd2, 0xfa, 0x79, 0x96,
-	0x4d, 0xdb, 0x3d, 0xa7, 0xa8, 0x0f, 0x07, 0x34, 0xc0, 0x3c, 0xcb, 0x31, 0x71, 0x63, 0x54, 0xce,
-	0xa6, 0xe3, 0x25, 0xf0, 0x32, 0x1b, 0x35, 0x36, 0xa3, 0x20, 0x28, 0x8e, 0x09, 0xd7, 0xc0, 0xa2,
-	0x1c, 0x93, 0x12, 0x37, 0x78, 0x41, 0xfa, 0x79, 0x71, 0x3d, 0x7e, 0x8c, 0x92, 0xf4, 0x0c, 0xc2,
-	0x24, 0x2e, 0x75, 0x88, 0x19, 0x40, 0x64, 0xe2, 0x10, 0xf7, 0xe3, 0xc7, 0x28, 0x49, 0x0f, 0x6b,
-	0x60, 0x41, 0xa2, 0xca, 0x5b, 0xcd, 0x4d, 0xf2, 0x98, 0x18, 0x3d, 0xc1, 0xca, 0xb6, 0x14, 0xc4,
-	0xf7, 0x7a, 0x0c, 0x06, 0x25, 0x60, 0xa1, 0x0d, 0x80, 0xe1, 0x17, 0x4d, 0x37, 0x37, 0xc5, 0x85,
-	0xdc, 0x1b, 0x3f, 0x4a, 0x82, 0xc2, 0x1b, 0x76, 0xf4, 0x60, 0xcb, 0x45, 0x11, 0x11, 0xea, 0x1f,
-	0x15, 0xb0, 0x94, 0x9c, 0x80, 0x83, 0xc7, 0x86, 0x32, 0xf0, 0xb1, 0xf1, 0x4b, 0x30, 0x23, 0x06,
-	0x2a, 0xdb, 0x91, 0xd7, 0xfe, 0x9d, 0x23, 0x96, 0x35, 0x5c, 0x25, 0xf5, 0x8a, 0x64, 0x15, 0x41,
-	0xec, 0xaf, 0x50, 0x00, 0xa9, 0xbe, 0xcc, 0x00, 0x10, 0xe6, 0x14, 0xbc, 0x1d, 0xeb, 0x63, 0xab,
-	0x89, 0x3e, 0xb6, 0x14, 0x7d, 0xb9, 0x44, 0x7a, 0xd6, 0x23, 0x30, 0x65, 0xf3, 0x32, 0x23, 0x35,
-	0xbc, 0x39, 0xc4, 0x8f, 0xc1, 0xbc, 0x13, 0x00, 0xe9, 0x80, 0x35, 0x06, 0x59, 0xa7, 0x24, 0x10,
-	0xdc, 0x00, 0x99, 0xa6, 0x6d, 0xfa, 0x53, 0xca, 0xb0, 0x99, 0xb1, 0x6c, 0x9b, 0x6e, 0x0c, 0x6e,
-	0x86, 0x69, 0xcc, 0x76, 0x11, 0x87, 0x60, 0x23, 0xa8, 0x3f, 0xf9, 0xc9, 0x31, 0xb1, 0x38, 0x04,
-	0xae, 0xdf, 0xd7, 0x00, 0xe1, 0x3d, 0xff, 0x04, 0x05, 0x70, 0xf0, 0x37, 0x60, 0xd9, 0x48, 0xbe,
-	0xae, 0x73, 0xd3, 0x23, 0x07, 0xab, 0xa1, 0x9f, 0x1e, 0xf4, 0x73, 0xdd, 0x4e, 0x61, 0xb9, 0x87,
-	0x04, 0xf5, 0x4a, 0x62, 0x96, 0x11, 0xf9, 0x28, 0x93, 0x75, 0x6e, 0x98, 0x65, 0xfd, 0x9e, 0x9f,
-	0xc2, 0x32, 0xff, 0x04, 0x05, 0x70, 0xea, 0x9f, 0x32, 0x60, 0x2e, 0xf6, 0xd0, 0x3b, 0xe1, 0xc8,
-	0x10, 0xc9, 0x7c, 0x6c, 0x91, 0x21, 0xe0, 0x8e, 0x35, 0x32, 0x04, 0xe4, 0x09, 0x45, 0x86, 0x10,
-	0x76, 0x42, 0x91, 0x11, 0xb1, 0xac, 0x4f, 0x64, 0xfc, 0x2b, 0xe5, 0x47, 0x86, 0x18, 0x16, 0x8e,
-	0x16, 0x19, 0x82, 0x36, 0x12, 0x19, 0xdb, 0xd1, 0xb7, 0xf3, 0xf8, 0x2f, 0xb7, 0xd9, 0x9e, 0x77,
-	0xb6, 0x09, 0xe6, 0x70, 0x9b, 0x38, 0xb8, 0x46, 0xf8, 0xb6, 0x8c, 0x8f, 0x71, 0x71, 0x97, 0xd8,
-	0x33, 0x77, 0x2d, 0x82, 0x83, 0x62, 0xa8, 0xac, 0xa5, 0xcb, 0xf5, 0x63, 0x2f, 0x78, 0x3f, 0xcb,
-	0x2e, 0xc7, 0x5b, 0xfa, 0x5a, 0xcf, 0x29, 0xea, 0xc3, 0xa1, 0xfe, 0x21, 0x05, 0x96, 0x7b, 0xbe,
-	0x5c, 0x84, 0x4e, 0x51, 0x3e, 0x91, 0x53, 0x52, 0x27, 0xe8, 0x94, 0xf4, 0xd8, 0x4e, 0xf9, 0x6b,
-	0x0a, 0xc0, 0xde, 0xfe, 0x00, 0x0f, 0xf9, 0x58, 0x61, 0x38, 0xb4, 0x4a, 0x4c, 0x71, 0xfc, 0x15,
-	0x67, 0xe0, 0xe8, 0x38, 0x12, 0x85, 0x45, 0x49, 0x39, 0xc7, 0xff, 0x05, 0x37, 0xfc, 0x5e, 0x96,
-	0x3e, 0xb6, 0xef, 0x65, 0xea, 0x3f, 0x92, 0x7e, 0x3b, 0x85, 0xdf, 0xe6, 0xfa, 0xdd, 0x72, 0xfa,
-	0x64, 0x6e, 0x59, 0xfd, 0x9b, 0x02, 0x96, 0x92, 0x63, 0xc4, 0x29, 0xf9, 0x30, 0xfb, 0xcf, 0xb8,
-	0xea, 0xa7, 0xf1, 0xa3, 0xec, 0x2b, 0x05, 0x9c, 0x3d, 0x3d, 0xff, 0xc1, 0xa8, 0x7f, 0xe9, 0x55,
-	0xf7, 0x14, 0xfc, 0x93, 0xa2, 0x7f, 0xff, 0xcd, 0xfb, 0xfc, 0xc4, 0xdb, 0xf7, 0xf9, 0x89, 0x77,
-	0xef, 0xf3, 0x13, 0xbf, 0xed, 0xe6, 0x95, 0x37, 0xdd, 0xbc, 0xf2, 0xb6, 0x9b, 0x57, 0xde, 0x75,
-	0xf3, 0xca, 0xff, 0xba, 0x79, 0xe5, 0xf7, 0xff, 0xcf, 0x4f, 0xfc, 0xec, 0xe2, 0xc0, 0xbf, 0x21,
-	0xbf, 0x0c, 0x00, 0x00, 0xff, 0xff, 0xbe, 0x23, 0xae, 0x54, 0xa2, 0x1c, 0x00, 0x00,
-}
+func (m *ResourceMetricStatus) Reset() { *m = ResourceMetricStatus{} }
 
 func (m *ContainerResourceMetricSource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/autoscaling/v2/generated.proto b/staging/src/k8s.io/api/autoscaling/v2/generated.proto
index 04c34d6e168e4..a007676a7d541 100644
--- a/staging/src/k8s.io/api/autoscaling/v2/generated.proto
+++ b/staging/src/k8s.io/api/autoscaling/v2/generated.proto
@@ -123,7 +123,7 @@ message HPAScalingPolicy {
 //
 // The tolerance is applied to the metric values and prevents scaling too
 // eagerly for small metric variations. (Note that setting a tolerance requires
-// enabling the alpha HPAConfigurableTolerance feature gate.)
+// the beta HPAConfigurableTolerance feature gate to be enabled.)
 message HPAScalingRules {
   // stabilizationWindowSeconds is the number of seconds for which past recommendations should be
   // considered while scaling up or scaling down.
@@ -156,8 +156,8 @@ message HPAScalingRules {
   // and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
   // triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
   //
-  // This is an alpha field and requires enabling the HPAConfigurableTolerance
-  // feature gate.
+  // This is an beta field and requires the HPAConfigurableTolerance feature
+  // gate to be enabled.
   //
   // +featureGate=HPAConfigurableTolerance
   // +optional
diff --git a/staging/src/k8s.io/api/autoscaling/v2/generated.protomessage.pb.go b/staging/src/k8s.io/api/autoscaling/v2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..0a73d526bc297
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2/generated.protomessage.pb.go
@@ -0,0 +1,70 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v2
+
+func (*ContainerResourceMetricSource) ProtoMessage() {}
+
+func (*ContainerResourceMetricStatus) ProtoMessage() {}
+
+func (*CrossVersionObjectReference) ProtoMessage() {}
+
+func (*ExternalMetricSource) ProtoMessage() {}
+
+func (*ExternalMetricStatus) ProtoMessage() {}
+
+func (*HPAScalingPolicy) ProtoMessage() {}
+
+func (*HPAScalingRules) ProtoMessage() {}
+
+func (*HorizontalPodAutoscaler) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerBehavior) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+
+func (*MetricIdentifier) ProtoMessage() {}
+
+func (*MetricSpec) ProtoMessage() {}
+
+func (*MetricStatus) ProtoMessage() {}
+
+func (*MetricTarget) ProtoMessage() {}
+
+func (*MetricValueStatus) ProtoMessage() {}
+
+func (*ObjectMetricSource) ProtoMessage() {}
+
+func (*ObjectMetricStatus) ProtoMessage() {}
+
+func (*PodsMetricSource) ProtoMessage() {}
+
+func (*PodsMetricStatus) ProtoMessage() {}
+
+func (*ResourceMetricSource) ProtoMessage() {}
+
+func (*ResourceMetricStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/autoscaling/v2/types.go b/staging/src/k8s.io/api/autoscaling/v2/types.go
index 9ce69b1edc891..03a06dc8b41f0 100644
--- a/staging/src/k8s.io/api/autoscaling/v2/types.go
+++ b/staging/src/k8s.io/api/autoscaling/v2/types.go
@@ -182,7 +182,7 @@ const (
 //
 // The tolerance is applied to the metric values and prevents scaling too
 // eagerly for small metric variations. (Note that setting a tolerance requires
-// enabling the alpha HPAConfigurableTolerance feature gate.)
+// the beta HPAConfigurableTolerance feature gate to be enabled.)
 type HPAScalingRules struct {
 	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
 	// considered while scaling up or scaling down.
@@ -215,8 +215,8 @@ type HPAScalingRules struct {
 	// and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
 	// triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
 	//
-	// This is an alpha field and requires enabling the HPAConfigurableTolerance
-	// feature gate.
+	// This is an beta field and requires the HPAConfigurableTolerance feature
+	// gate to be enabled.
 	//
 	// +featureGate=HPAConfigurableTolerance
 	// +optional
diff --git a/staging/src/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go b/staging/src/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go
index 017fefcde72ea..af3f3022daeff 100644
--- a/staging/src/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go
@@ -92,11 +92,11 @@ func (HPAScalingPolicy) SwaggerDoc() map[string]string {
 }
 
 var map_HPAScalingRules = map[string]string{
-	"":                           "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.)",
+	"":                           "HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires the beta HPAConfigurableTolerance feature gate to be enabled.)",
 	"stabilizationWindowSeconds": "stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).",
 	"selectPolicy":               "selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.",
 	"policies":                   "policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.",
-	"tolerance":                  "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an alpha field and requires enabling the HPAConfigurableTolerance feature gate.",
+	"tolerance":                  "tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled.",
 }
 
 func (HPAScalingRules) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/autoscaling/v2/zz_generated.model_name.go b/staging/src/k8s.io/api/autoscaling/v2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b15b34219b62c
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2/zz_generated.model_name.go
@@ -0,0 +1,142 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ContainerResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CrossVersionObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.CrossVersionObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ExternalMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ExternalMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HPAScalingPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HPAScalingPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HPAScalingRules) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HPAScalingRules"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscaler) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerBehavior) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerCondition) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerList) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricIdentifier) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.MetricIdentifier"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.MetricSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.MetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricTarget) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.MetricTarget"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValueStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.MetricValueStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ObjectMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ObjectMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.PodsMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.PodsMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2.ResourceMetricStatus"
+}
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta1/doc.go b/staging/src/k8s.io/api/autoscaling/v2beta1/doc.go
index eac92e86e8070..58cc1f89dc7ca 100644
--- a/staging/src/k8s.io/api/autoscaling/v2beta1/doc.go
+++ b/staging/src/k8s.io/api/autoscaling/v2beta1/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.autoscaling.v2beta1
 
 package v2beta1
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta1/generated.pb.go b/staging/src/k8s.io/api/autoscaling/v2beta1/generated.pb.go
index 69567089b6fcc..b3b535adc718b 100644
--- a/staging/src/k8s.io/api/autoscaling/v2beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/autoscaling/v2beta1/generated.pb.go
@@ -24,658 +24,50 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ContainerResourceMetricSource) Reset() { *m = ContainerResourceMetricSource{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ContainerResourceMetricStatus) Reset() { *m = ContainerResourceMetricStatus{} }
 
-func (m *ContainerResourceMetricSource) Reset()      { *m = ContainerResourceMetricSource{} }
-func (*ContainerResourceMetricSource) ProtoMessage() {}
-func (*ContainerResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{0}
-}
-func (m *ContainerResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricSource.Merge(m, src)
-}
-func (m *ContainerResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricSource.DiscardUnknown(m)
-}
+func (m *CrossVersionObjectReference) Reset() { *m = CrossVersionObjectReference{} }
 
-var xxx_messageInfo_ContainerResourceMetricSource proto.InternalMessageInfo
+func (m *ExternalMetricSource) Reset() { *m = ExternalMetricSource{} }
 
-func (m *ContainerResourceMetricStatus) Reset()      { *m = ContainerResourceMetricStatus{} }
-func (*ContainerResourceMetricStatus) ProtoMessage() {}
-func (*ContainerResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{1}
-}
-func (m *ContainerResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricStatus.Merge(m, src)
-}
-func (m *ContainerResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricStatus.DiscardUnknown(m)
-}
+func (m *ExternalMetricStatus) Reset() { *m = ExternalMetricStatus{} }
 
-var xxx_messageInfo_ContainerResourceMetricStatus proto.InternalMessageInfo
+func (m *HorizontalPodAutoscaler) Reset() { *m = HorizontalPodAutoscaler{} }
 
-func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
-func (*CrossVersionObjectReference) ProtoMessage() {}
-func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{2}
-}
-func (m *CrossVersionObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CrossVersionObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CrossVersionObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossVersionObjectReference.Merge(m, src)
-}
-func (m *CrossVersionObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *CrossVersionObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_CrossVersionObjectReference.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerCondition) Reset() { *m = HorizontalPodAutoscalerCondition{} }
 
-var xxx_messageInfo_CrossVersionObjectReference proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerList) Reset() { *m = HorizontalPodAutoscalerList{} }
 
-func (m *ExternalMetricSource) Reset()      { *m = ExternalMetricSource{} }
-func (*ExternalMetricSource) ProtoMessage() {}
-func (*ExternalMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{3}
-}
-func (m *ExternalMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricSource.Merge(m, src)
-}
-func (m *ExternalMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricSource.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerSpec) Reset() { *m = HorizontalPodAutoscalerSpec{} }
 
-var xxx_messageInfo_ExternalMetricSource proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerStatus) Reset() { *m = HorizontalPodAutoscalerStatus{} }
 
-func (m *ExternalMetricStatus) Reset()      { *m = ExternalMetricStatus{} }
-func (*ExternalMetricStatus) ProtoMessage() {}
-func (*ExternalMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{4}
-}
-func (m *ExternalMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricStatus.Merge(m, src)
-}
-func (m *ExternalMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricStatus.DiscardUnknown(m)
-}
+func (m *MetricSpec) Reset() { *m = MetricSpec{} }
 
-var xxx_messageInfo_ExternalMetricStatus proto.InternalMessageInfo
+func (m *MetricStatus) Reset() { *m = MetricStatus{} }
 
-func (m *HorizontalPodAutoscaler) Reset()      { *m = HorizontalPodAutoscaler{} }
-func (*HorizontalPodAutoscaler) ProtoMessage() {}
-func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{5}
-}
-func (m *HorizontalPodAutoscaler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscaler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscaler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscaler.Merge(m, src)
-}
-func (m *HorizontalPodAutoscaler) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscaler) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscaler.DiscardUnknown(m)
-}
+func (m *ObjectMetricSource) Reset() { *m = ObjectMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscaler proto.InternalMessageInfo
+func (m *ObjectMetricStatus) Reset() { *m = ObjectMetricStatus{} }
 
-func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
-func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
-func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{6}
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.DiscardUnknown(m)
-}
+func (m *PodsMetricSource) Reset() { *m = PodsMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerCondition proto.InternalMessageInfo
+func (m *PodsMetricStatus) Reset() { *m = PodsMetricStatus{} }
 
-func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
-func (*HorizontalPodAutoscalerList) ProtoMessage() {}
-func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{7}
-}
-func (m *HorizontalPodAutoscalerList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerList.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerList) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscalerList proto.InternalMessageInfo
-
-func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
-func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
-func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{8}
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscalerSpec proto.InternalMessageInfo
-
-func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
-func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
-func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{9}
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.DiscardUnknown(m)
-}
+func (m *ResourceMetricSource) Reset() { *m = ResourceMetricSource{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerStatus proto.InternalMessageInfo
-
-func (m *MetricSpec) Reset()      { *m = MetricSpec{} }
-func (*MetricSpec) ProtoMessage() {}
-func (*MetricSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{10}
-}
-func (m *MetricSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricSpec.Merge(m, src)
-}
-func (m *MetricSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricSpec proto.InternalMessageInfo
-
-func (m *MetricStatus) Reset()      { *m = MetricStatus{} }
-func (*MetricStatus) ProtoMessage() {}
-func (*MetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{11}
-}
-func (m *MetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricStatus.Merge(m, src)
-}
-func (m *MetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricStatus proto.InternalMessageInfo
-
-func (m *ObjectMetricSource) Reset()      { *m = ObjectMetricSource{} }
-func (*ObjectMetricSource) ProtoMessage() {}
-func (*ObjectMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{12}
-}
-func (m *ObjectMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricSource.Merge(m, src)
-}
-func (m *ObjectMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricSource proto.InternalMessageInfo
-
-func (m *ObjectMetricStatus) Reset()      { *m = ObjectMetricStatus{} }
-func (*ObjectMetricStatus) ProtoMessage() {}
-func (*ObjectMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{13}
-}
-func (m *ObjectMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricStatus.Merge(m, src)
-}
-func (m *ObjectMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricStatus proto.InternalMessageInfo
-
-func (m *PodsMetricSource) Reset()      { *m = PodsMetricSource{} }
-func (*PodsMetricSource) ProtoMessage() {}
-func (*PodsMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{14}
-}
-func (m *PodsMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricSource.Merge(m, src)
-}
-func (m *PodsMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricSource proto.InternalMessageInfo
-
-func (m *PodsMetricStatus) Reset()      { *m = PodsMetricStatus{} }
-func (*PodsMetricStatus) ProtoMessage() {}
-func (*PodsMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{15}
-}
-func (m *PodsMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricStatus.Merge(m, src)
-}
-func (m *PodsMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricStatus proto.InternalMessageInfo
-
-func (m *ResourceMetricSource) Reset()      { *m = ResourceMetricSource{} }
-func (*ResourceMetricSource) ProtoMessage() {}
-func (*ResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{16}
-}
-func (m *ResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricSource.Merge(m, src)
-}
-func (m *ResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricSource proto.InternalMessageInfo
-
-func (m *ResourceMetricStatus) Reset()      { *m = ResourceMetricStatus{} }
-func (*ResourceMetricStatus) ProtoMessage() {}
-func (*ResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea74040359c1ed83, []int{17}
-}
-func (m *ResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricStatus.Merge(m, src)
-}
-func (m *ResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ContainerResourceMetricSource")
-	proto.RegisterType((*ContainerResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ContainerResourceMetricStatus")
-	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v2beta1.CrossVersionObjectReference")
-	proto.RegisterType((*ExternalMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ExternalMetricSource")
-	proto.RegisterType((*ExternalMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ExternalMetricStatus")
-	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscaler")
-	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerCondition")
-	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerList")
-	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec")
-	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatus")
-	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v2beta1.MetricSpec")
-	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.MetricStatus")
-	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ObjectMetricSource")
-	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ObjectMetricStatus")
-	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.PodsMetricSource")
-	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.PodsMetricStatus")
-	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ResourceMetricSource")
-	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ResourceMetricStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/autoscaling/v2beta1/generated.proto", fileDescriptor_ea74040359c1ed83)
-}
-
-var fileDescriptor_ea74040359c1ed83 = []byte{
-	// 1549 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x59, 0x4d, 0x6c, 0x1b, 0xc5,
-	0x17, 0x8f, 0xed, 0x4d, 0x9a, 0x3c, 0xa7, 0xf9, 0x98, 0xf6, 0xdf, 0xba, 0xe9, 0xbf, 0x76, 0xb4,
-	0xfa, 0xeb, 0xaf, 0x50, 0xc1, 0xba, 0x35, 0xe1, 0x43, 0x42, 0x48, 0xc4, 0x2e, 0xd0, 0x8a, 0xb8,
-	0x2d, 0x93, 0xb4, 0x42, 0xd0, 0x22, 0x26, 0xeb, 0xa9, 0xb3, 0xc4, 0xde, 0xb5, 0x76, 0xc6, 0x51,
-	0x53, 0x84, 0x84, 0x90, 0xb8, 0x73, 0x81, 0x33, 0x48, 0x5c, 0x11, 0xe2, 0x02, 0x67, 0x6e, 0x3d,
-	0xf6, 0xd8, 0x0a, 0x64, 0x51, 0x73, 0xe0, 0xcc, 0xb5, 0x27, 0x34, 0xb3, 0xb3, 0xeb, 0x5d, 0xdb,
-	0x6b, 0x3b, 0x6e, 0x1a, 0x3e, 0xd4, 0x9b, 0x77, 0xe7, 0xbd, 0xdf, 0x9b, 0xf9, 0xbd, 0xaf, 0x79,
-	0x6b, 0x30, 0x76, 0x5e, 0x66, 0x86, 0xe5, 0xe4, 0x49, 0xc3, 0xca, 0x93, 0x26, 0x77, 0x98, 0x49,
-	0x6a, 0x96, 0x5d, 0xcd, 0xef, 0x16, 0xb6, 0x28, 0x27, 0xe7, 0xf3, 0x55, 0x6a, 0x53, 0x97, 0x70,
-	0x5a, 0x31, 0x1a, 0xae, 0xc3, 0x1d, 0x94, 0xf5, 0xe4, 0x0d, 0xd2, 0xb0, 0x8c, 0x90, 0xbc, 0xa1,
-	0xe4, 0x97, 0x9e, 0xab, 0x5a, 0x7c, 0xbb, 0xb9, 0x65, 0x98, 0x4e, 0x3d, 0x5f, 0x75, 0xaa, 0x4e,
-	0x5e, 0xaa, 0x6d, 0x35, 0x6f, 0xc9, 0x27, 0xf9, 0x20, 0x7f, 0x79, 0x70, 0x4b, 0x7a, 0xc8, 0xbc,
-	0xe9, 0xb8, 0x34, 0xbf, 0xdb, 0x63, 0x72, 0x69, 0xb5, 0x23, 0x53, 0x27, 0xe6, 0xb6, 0x65, 0x53,
-	0x77, 0x2f, 0xdf, 0xd8, 0xa9, 0x4a, 0x25, 0x97, 0x32, 0xa7, 0xe9, 0x9a, 0x74, 0x5f, 0x5a, 0x2c,
-	0x5f, 0xa7, 0x9c, 0xf4, 0xb3, 0x95, 0x8f, 0xd3, 0x72, 0x9b, 0x36, 0xb7, 0xea, 0xbd, 0x66, 0x5e,
-	0x1c, 0xa6, 0xc0, 0xcc, 0x6d, 0x5a, 0x27, 0xdd, 0x7a, 0xfa, 0xef, 0x49, 0x38, 0x53, 0x72, 0x6c,
-	0x4e, 0x84, 0x06, 0x56, 0x87, 0x28, 0x53, 0xee, 0x5a, 0xe6, 0x86, 0xfc, 0x8d, 0x4a, 0xa0, 0xd9,
-	0xa4, 0x4e, 0x33, 0x89, 0xe5, 0xc4, 0xca, 0x4c, 0x31, 0x7f, 0xb7, 0x95, 0x9b, 0x68, 0xb7, 0x72,
-	0xda, 0x65, 0x52, 0xa7, 0x8f, 0x5a, 0xb9, 0x5c, 0x2f, 0x71, 0x86, 0x0f, 0x23, 0x44, 0xb0, 0x54,
-	0x46, 0xef, 0x40, 0x86, 0x13, 0xb7, 0x4a, 0xf9, 0xda, 0x2e, 0x75, 0x49, 0x95, 0x5e, 0xe3, 0x56,
-	0xcd, 0xba, 0x43, 0xb8, 0xe5, 0xd8, 0x99, 0xe4, 0x72, 0x62, 0x65, 0xb2, 0xf8, 0xdf, 0x76, 0x2b,
-	0x97, 0xd9, 0x8c, 0x91, 0xc1, 0xb1, 0xda, 0x68, 0x17, 0x50, 0x64, 0xed, 0x3a, 0xa9, 0x35, 0x69,
-	0x26, 0xb5, 0x9c, 0x58, 0x49, 0x17, 0x0c, 0xa3, 0x13, 0x25, 0x01, 0x2b, 0x46, 0x63, 0xa7, 0x2a,
-	0xc3, 0xc6, 0x77, 0x99, 0xf1, 0x76, 0x93, 0xd8, 0xdc, 0xe2, 0x7b, 0xc5, 0x13, 0xed, 0x56, 0x0e,
-	0x6d, 0xf6, 0xa0, 0xe1, 0x3e, 0x16, 0x50, 0x1e, 0x66, 0x4c, 0x9f, 0xb7, 0x8c, 0x26, 0xb9, 0x59,
-	0x54, 0xdc, 0xcc, 0x74, 0x08, 0xed, 0xc8, 0xe8, 0x7f, 0x0c, 0x60, 0x9a, 0x13, 0xde, 0x64, 0x07,
-	0xc3, 0xf4, 0x7b, 0x70, 0xca, 0x6c, 0xba, 0x2e, 0xb5, 0xe3, 0xa9, 0x3e, 0xd3, 0x6e, 0xe5, 0x4e,
-	0x95, 0xe2, 0x84, 0x70, 0xbc, 0x3e, 0xfa, 0x18, 0x8e, 0x45, 0x17, 0x1f, 0x87, 0xed, 0xd3, 0xea,
-	0x80, 0xc7, 0x4a, 0xbd, 0x90, 0xb8, 0x9f, 0x9d, 0xfd, 0x73, 0xfe, 0x45, 0x02, 0x4e, 0x97, 0x5c,
-	0x87, 0xb1, 0xeb, 0xd4, 0x65, 0x96, 0x63, 0x5f, 0xd9, 0xfa, 0x90, 0x9a, 0x1c, 0xd3, 0x5b, 0xd4,
-	0xa5, 0xb6, 0x49, 0xd1, 0x32, 0x68, 0x3b, 0x96, 0x5d, 0x51, 0x8c, 0xcf, 0xfa, 0x8c, 0xbf, 0x65,
-	0xd9, 0x15, 0x2c, 0x57, 0x84, 0x84, 0xf4, 0x49, 0x32, 0x2a, 0x11, 0x22, 0xbc, 0x00, 0x40, 0x1a,
-	0x96, 0x32, 0x20, 0xa9, 0x98, 0x29, 0x22, 0x25, 0x07, 0x6b, 0x57, 0x2f, 0xa9, 0x15, 0x1c, 0x92,
-	0xd2, 0xbf, 0x4c, 0xc1, 0xf1, 0xd7, 0x6f, 0x73, 0xea, 0xda, 0xa4, 0x16, 0x49, 0xb6, 0x02, 0x40,
-	0x5d, 0x3e, 0x5f, 0xee, 0x04, 0x42, 0x00, 0x56, 0x0e, 0x56, 0x70, 0x48, 0x0a, 0x39, 0x30, 0xe7,
-	0x3d, 0x6d, 0xd0, 0x1a, 0x35, 0xb9, 0xe3, 0xca, 0xcd, 0xa6, 0x0b, 0xcf, 0x0f, 0xf2, 0x07, 0x33,
-	0x44, 0xe9, 0x31, 0x76, 0xcf, 0x1b, 0xeb, 0x64, 0x8b, 0xd6, 0x7c, 0xd5, 0x22, 0x6a, 0xb7, 0x72,
-	0x73, 0xe5, 0x08, 0x1c, 0xee, 0x82, 0x47, 0x04, 0xd2, 0x5e, 0x42, 0x3c, 0x8e, 0xf7, 0xe7, 0xdb,
-	0xad, 0x5c, 0x7a, 0xb3, 0x03, 0x83, 0xc3, 0x98, 0x31, 0x59, 0xad, 0x3d, 0xe9, 0xac, 0xd6, 0xbf,
-	0xea, 0x75, 0x8c, 0x97, 0x9b, 0xff, 0x08, 0xc7, 0x6c, 0xc3, 0xac, 0x4a, 0x9b, 0xc7, 0xf1, 0xcc,
-	0x71, 0x75, 0xac, 0xd9, 0x52, 0x08, 0x0b, 0x47, 0x90, 0xd1, 0x5e, 0xff, 0x42, 0x30, 0x9e, 0x83,
-	0x4e, 0xee, 0xa7, 0x08, 0xe8, 0x3f, 0x25, 0xe1, 0xe4, 0x45, 0xc7, 0xb5, 0xee, 0x88, 0x2c, 0xaf,
-	0x5d, 0x75, 0x2a, 0x6b, 0xaa, 0xfd, 0x53, 0x17, 0x7d, 0x00, 0xd3, 0x82, 0xbd, 0x0a, 0xe1, 0x44,
-	0xfa, 0x28, 0x5d, 0x38, 0x37, 0x1a, 0xd7, 0x5e, 0x61, 0x28, 0x53, 0x4e, 0x3a, 0x5e, 0xed, 0xbc,
-	0xc3, 0x01, 0x2a, 0xba, 0x09, 0x1a, 0x6b, 0x50, 0x53, 0x79, 0xf2, 0x15, 0x63, 0xf0, 0x35, 0xc4,
-	0x88, 0xd9, 0xe8, 0x46, 0x83, 0x9a, 0x9d, 0x62, 0x22, 0x9e, 0xb0, 0x84, 0x45, 0x14, 0xa6, 0x98,
-	0x0c, 0x38, 0xe5, 0xbb, 0x57, 0xc7, 0x35, 0x20, 0x41, 0x8a, 0x73, 0xca, 0xc4, 0x94, 0xf7, 0x8c,
-	0x15, 0xb8, 0xfe, 0x59, 0x0a, 0x96, 0x63, 0x34, 0x4b, 0x8e, 0x5d, 0xb1, 0x64, 0xb1, 0xbf, 0x08,
-	0x1a, 0xdf, 0x6b, 0xf8, 0xc1, 0xbe, 0xea, 0xef, 0x76, 0x73, 0xaf, 0x21, 0xda, 0xd1, 0xff, 0x86,
-	0xe9, 0x0b, 0x39, 0x2c, 0x11, 0xd0, 0x7a, 0x70, 0xaa, 0x64, 0x04, 0x4b, 0x6d, 0xeb, 0x51, 0x2b,
-	0xd7, 0xe7, 0xfe, 0x65, 0x04, 0x48, 0xd1, 0xcd, 0x8b, 0xda, 0x50, 0x23, 0x8c, 0x6f, 0xba, 0xc4,
-	0x66, 0x9e, 0x25, 0xab, 0xee, 0xc7, 0xfa, 0xd9, 0xd1, 0xdc, 0x2d, 0x34, 0x8a, 0x4b, 0x6a, 0x17,
-	0x68, 0xbd, 0x07, 0x0d, 0xf7, 0xb1, 0x80, 0xfe, 0x0f, 0x53, 0x2e, 0x25, 0xcc, 0xb1, 0x55, 0xeb,
-	0x09, 0xc8, 0xc5, 0xf2, 0x2d, 0x56, 0xab, 0xe8, 0x19, 0x38, 0x52, 0xa7, 0x8c, 0x91, 0x2a, 0xcd,
-	0x4c, 0x4a, 0xc1, 0x79, 0x25, 0x78, 0xa4, 0xec, 0xbd, 0xc6, 0xfe, 0xba, 0xfe, 0x20, 0x01, 0xa7,
-	0x63, 0x78, 0x5c, 0xb7, 0x18, 0x47, 0x37, 0x7a, 0xe2, 0xd9, 0x18, 0xb1, 0x76, 0x58, 0xcc, 0x8b,
-	0xe6, 0x05, 0x65, 0x7b, 0xda, 0x7f, 0x13, 0x8a, 0xe5, 0x1b, 0x30, 0x69, 0x71, 0x5a, 0x17, 0x5e,
-	0x49, 0xad, 0xa4, 0x0b, 0x2f, 0x8d, 0x19, 0x6b, 0xc5, 0xa3, 0xca, 0xc6, 0xe4, 0x25, 0x81, 0x86,
-	0x3d, 0x50, 0xfd, 0xe7, 0x64, 0xec, 0xd9, 0x44, 0xc0, 0xa3, 0x8f, 0x60, 0x4e, 0x3e, 0x79, 0x95,
-	0x19, 0xd3, 0x5b, 0xea, 0x84, 0x43, 0x73, 0x6a, 0x40, 0x43, 0x2f, 0x9e, 0x50, 0x5b, 0x99, 0xdb,
-	0x88, 0x40, 0xe3, 0x2e, 0x53, 0xe8, 0x3c, 0xa4, 0xeb, 0x96, 0x8d, 0x69, 0xa3, 0x66, 0x99, 0x84,
-	0xa9, 0x7b, 0x91, 0x6c, 0x49, 0xe5, 0xce, 0x6b, 0x1c, 0x96, 0x41, 0x2f, 0x40, 0xba, 0x4e, 0x6e,
-	0x07, 0x2a, 0x29, 0xa9, 0x72, 0x4c, 0xd9, 0x4b, 0x97, 0x3b, 0x4b, 0x38, 0x2c, 0x87, 0xae, 0x89,
-	0x68, 0x10, 0x55, 0x9a, 0x65, 0x34, 0x49, 0xf3, 0xd9, 0x61, 0xe7, 0x53, 0x45, 0x5e, 0x94, 0x88,
-	0x50, 0xe4, 0x48, 0x08, 0xec, 0x63, 0xe9, 0x3f, 0x68, 0x70, 0x66, 0x60, 0xee, 0xa3, 0x37, 0x00,
-	0x39, 0x5b, 0x8c, 0xba, 0xbb, 0xb4, 0xf2, 0xa6, 0x77, 0xe9, 0x17, 0xf7, 0x13, 0xc1, 0x71, 0xca,
-	0x6b, 0x89, 0x57, 0x7a, 0x56, 0x71, 0x1f, 0x0d, 0x64, 0xc2, 0x51, 0x91, 0x0c, 0x1e, 0xa1, 0x96,
-	0xba, 0x0a, 0xed, 0x2f, 0xd3, 0x16, 0xdb, 0xad, 0xdc, 0xd1, 0xf5, 0x30, 0x08, 0x8e, 0x62, 0xa2,
-	0x35, 0x98, 0x57, 0xb5, 0xbe, 0x8b, 0xe0, 0x93, 0x8a, 0x81, 0xf9, 0x52, 0x74, 0x19, 0x77, 0xcb,
-	0x0b, 0x88, 0x0a, 0x65, 0x96, 0x4b, 0x2b, 0x01, 0x84, 0x16, 0x85, 0xb8, 0x10, 0x5d, 0xc6, 0xdd,
-	0xf2, 0xa8, 0x06, 0x73, 0x0a, 0x55, 0xf1, 0x9d, 0x99, 0x94, 0x2e, 0x7b, 0x76, 0x44, 0x97, 0x79,
-	0x45, 0x37, 0x88, 0xc1, 0x52, 0x04, 0x0b, 0x77, 0x61, 0x23, 0x0e, 0x60, 0xfa, 0x25, 0x8e, 0x65,
-	0xa6, 0xa4, 0xa5, 0xd7, 0xc6, 0xcc, 0xc1, 0xa0, 0x56, 0x76, 0xda, 0x57, 0xf0, 0x8a, 0xe1, 0x90,
-	0x1d, 0xfd, 0x3b, 0x0d, 0xa0, 0x13, 0x61, 0x68, 0x35, 0x52, 0xe4, 0x97, 0xbb, 0x8a, 0xfc, 0x42,
-	0xf8, 0x72, 0x1a, 0x2a, 0xe8, 0xd7, 0x61, 0xca, 0x91, 0x99, 0xa7, 0x82, 0xa1, 0x30, 0x6c, 0xdb,
-	0x41, 0x2f, 0x0d, 0xd0, 0x8a, 0x20, 0x4a, 0xa7, 0xca, 0x5f, 0x85, 0x86, 0x2e, 0x83, 0xd6, 0x70,
-	0x2a, 0x7e, 0xf3, 0x3b, 0x37, 0x0c, 0xf5, 0xaa, 0x53, 0x61, 0x11, 0xcc, 0x69, 0xb1, 0x77, 0xf1,
-	0x16, 0x4b, 0x1c, 0xf4, 0x3e, 0x4c, 0xfb, 0xd7, 0x0d, 0x75, 0x37, 0x59, 0x1d, 0x86, 0xd9, 0x6f,
-	0x06, 0x2e, 0xce, 0x8a, 0x0a, 0xea, 0xaf, 0xe0, 0x00, 0x13, 0x7d, 0x9a, 0x80, 0x45, 0xb3, 0x7b,
-	0xa6, 0xcb, 0x1c, 0x19, 0xad, 0x75, 0x0f, 0x1c, 0xbb, 0x8b, 0xff, 0x69, 0xb7, 0x72, 0x8b, 0x3d,
-	0x22, 0xb8, 0xd7, 0x9c, 0x38, 0x24, 0x55, 0x57, 0x56, 0xd9, 0x70, 0x46, 0x38, 0x64, 0xbf, 0xd9,
-	0xc3, 0x3b, 0xa4, 0xbf, 0x82, 0x03, 0x4c, 0xfd, 0x7b, 0x0d, 0x66, 0x23, 0x77, 0xe1, 0xbf, 0x22,
-	0x66, 0xbc, 0xd4, 0x3a, 0xd8, 0x98, 0xf1, 0x30, 0x0f, 0x3e, 0x66, 0x3c, 0xdc, 0x43, 0x8d, 0x19,
-	0xcf, 0xe4, 0x61, 0xc6, 0x4c, 0xe8, 0x90, 0x7d, 0x62, 0xe6, 0x41, 0x0a, 0x50, 0x6f, 0xce, 0x23,
-	0x13, 0xa6, 0xbc, 0xa1, 0xeb, 0x20, 0x7a, 0x7d, 0x70, 0xff, 0x52, 0x6d, 0x5d, 0x41, 0x77, 0x8d,
-	0x6a, 0xc9, 0x91, 0x46, 0x35, 0x7a, 0x10, 0x23, 0x6d, 0x70, 0x19, 0x88, 0x1d, 0x6b, 0x6f, 0xc2,
-	0x34, 0xf3, 0x67, 0x41, 0x6d, 0xfc, 0x59, 0x50, 0xb2, 0x1e, 0x4c, 0x81, 0x01, 0x24, 0xaa, 0xc0,
-	0x2c, 0x09, 0x8f, 0x63, 0x93, 0x63, 0x1d, 0x63, 0x41, 0xcc, 0x7e, 0x91, 0x39, 0x2c, 0x82, 0xaa,
-	0xff, 0xd2, 0xed, 0x5b, 0xaf, 0x2a, 0xfc, 0x6d, 0x7d, 0x7b, 0x78, 0x53, 0xf1, 0xbf, 0xc2, 0xbd,
-	0x5f, 0x27, 0x61, 0xa1, 0xbb, 0xb1, 0x8e, 0xf5, 0xf9, 0xe3, 0x4e, 0xdf, 0x6f, 0x38, 0xc9, 0xb1,
-	0x36, 0x1d, 0xcc, 0x6a, 0x23, 0x7e, 0x9d, 0x0d, 0x7b, 0x22, 0x75, 0xe0, 0x9e, 0xd0, 0xbf, 0x89,
-	0x72, 0x34, 0xfe, 0x27, 0xa2, 0x98, 0x0f, 0xaa, 0xc9, 0x43, 0xfa, 0xa0, 0xfa, 0x84, 0x69, 0xfa,
-	0x36, 0x09, 0xc7, 0x9f, 0xfe, 0xa7, 0x30, 0xfa, 0xd7, 0xc7, 0x1f, 0x7b, 0xf9, 0x7a, 0xfa, 0xcf,
-	0xc0, 0x28, 0x81, 0x5c, 0xbc, 0x70, 0xf7, 0x61, 0x76, 0xe2, 0xde, 0xc3, 0xec, 0xc4, 0xfd, 0x87,
-	0xd9, 0x89, 0x4f, 0xda, 0xd9, 0xc4, 0xdd, 0x76, 0x36, 0x71, 0xaf, 0x9d, 0x4d, 0xdc, 0x6f, 0x67,
-	0x13, 0xbf, 0xb6, 0xb3, 0x89, 0xcf, 0x7f, 0xcb, 0x4e, 0xbc, 0x9b, 0x1d, 0xfc, 0x27, 0xe3, 0x9f,
-	0x01, 0x00, 0x00, 0xff, 0xff, 0x5b, 0x05, 0xaa, 0x18, 0x85, 0x1c, 0x00, 0x00,
-}
+func (m *ResourceMetricStatus) Reset() { *m = ResourceMetricStatus{} }
 
 func (m *ContainerResourceMetricSource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/autoscaling/v2beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..ab1fe8c8b2b83
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2beta1/generated.protomessage.pb.go
@@ -0,0 +1,58 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v2beta1
+
+func (*ContainerResourceMetricSource) ProtoMessage() {}
+
+func (*ContainerResourceMetricStatus) ProtoMessage() {}
+
+func (*CrossVersionObjectReference) ProtoMessage() {}
+
+func (*ExternalMetricSource) ProtoMessage() {}
+
+func (*ExternalMetricStatus) ProtoMessage() {}
+
+func (*HorizontalPodAutoscaler) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+
+func (*MetricSpec) ProtoMessage() {}
+
+func (*MetricStatus) ProtoMessage() {}
+
+func (*ObjectMetricSource) ProtoMessage() {}
+
+func (*ObjectMetricStatus) ProtoMessage() {}
+
+func (*PodsMetricSource) ProtoMessage() {}
+
+func (*PodsMetricStatus) ProtoMessage() {}
+
+func (*ResourceMetricSource) ProtoMessage() {}
+
+func (*ResourceMetricStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/autoscaling/v2beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..2b8674e651620
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2beta1/zz_generated.model_name.go
@@ -0,0 +1,112 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v2beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CrossVersionObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ExternalMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ExternalMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscaler) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerCondition) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerList) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.MetricSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.MetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ObjectMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ObjectMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.PodsMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.PodsMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta1.ResourceMetricStatus"
+}
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta2/doc.go b/staging/src/k8s.io/api/autoscaling/v2beta2/doc.go
index 1500372978d57..5ea9edb68ad87 100644
--- a/staging/src/k8s.io/api/autoscaling/v2beta2/doc.go
+++ b/staging/src/k8s.io/api/autoscaling/v2beta2/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.autoscaling.v2beta2
 
 package v2beta2
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta2/generated.pb.go b/staging/src/k8s.io/api/autoscaling/v2beta2/generated.pb.go
index 741979505dc71..87c8738678d4f 100644
--- a/staging/src/k8s.io/api/autoscaling/v2beta2/generated.pb.go
+++ b/staging/src/k8s.io/api/autoscaling/v2beta2/generated.pb.go
@@ -24,843 +24,62 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ContainerResourceMetricSource) Reset() { *m = ContainerResourceMetricSource{} }
 
-func (m *ContainerResourceMetricSource) Reset()      { *m = ContainerResourceMetricSource{} }
-func (*ContainerResourceMetricSource) ProtoMessage() {}
-func (*ContainerResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{0}
-}
-func (m *ContainerResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricSource.Merge(m, src)
-}
-func (m *ContainerResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerResourceMetricSource proto.InternalMessageInfo
-
-func (m *ContainerResourceMetricStatus) Reset()      { *m = ContainerResourceMetricStatus{} }
-func (*ContainerResourceMetricStatus) ProtoMessage() {}
-func (*ContainerResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{1}
-}
-func (m *ContainerResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResourceMetricStatus.Merge(m, src)
-}
-func (m *ContainerResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResourceMetricStatus.DiscardUnknown(m)
-}
+func (m *ContainerResourceMetricStatus) Reset() { *m = ContainerResourceMetricStatus{} }
 
-var xxx_messageInfo_ContainerResourceMetricStatus proto.InternalMessageInfo
+func (m *CrossVersionObjectReference) Reset() { *m = CrossVersionObjectReference{} }
 
-func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
-func (*CrossVersionObjectReference) ProtoMessage() {}
-func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{2}
-}
-func (m *CrossVersionObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CrossVersionObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CrossVersionObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossVersionObjectReference.Merge(m, src)
-}
-func (m *CrossVersionObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *CrossVersionObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_CrossVersionObjectReference.DiscardUnknown(m)
-}
+func (m *ExternalMetricSource) Reset() { *m = ExternalMetricSource{} }
 
-var xxx_messageInfo_CrossVersionObjectReference proto.InternalMessageInfo
+func (m *ExternalMetricStatus) Reset() { *m = ExternalMetricStatus{} }
 
-func (m *ExternalMetricSource) Reset()      { *m = ExternalMetricSource{} }
-func (*ExternalMetricSource) ProtoMessage() {}
-func (*ExternalMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{3}
-}
-func (m *ExternalMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricSource.Merge(m, src)
-}
-func (m *ExternalMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricSource.DiscardUnknown(m)
-}
+func (m *HPAScalingPolicy) Reset() { *m = HPAScalingPolicy{} }
 
-var xxx_messageInfo_ExternalMetricSource proto.InternalMessageInfo
+func (m *HPAScalingRules) Reset() { *m = HPAScalingRules{} }
 
-func (m *ExternalMetricStatus) Reset()      { *m = ExternalMetricStatus{} }
-func (*ExternalMetricStatus) ProtoMessage() {}
-func (*ExternalMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{4}
-}
-func (m *ExternalMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricStatus.Merge(m, src)
-}
-func (m *ExternalMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricStatus.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscaler) Reset() { *m = HorizontalPodAutoscaler{} }
 
-var xxx_messageInfo_ExternalMetricStatus proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerBehavior) Reset() { *m = HorizontalPodAutoscalerBehavior{} }
 
-func (m *HPAScalingPolicy) Reset()      { *m = HPAScalingPolicy{} }
-func (*HPAScalingPolicy) ProtoMessage() {}
-func (*HPAScalingPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{5}
-}
-func (m *HPAScalingPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HPAScalingPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HPAScalingPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HPAScalingPolicy.Merge(m, src)
-}
-func (m *HPAScalingPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *HPAScalingPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_HPAScalingPolicy.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerCondition) Reset() { *m = HorizontalPodAutoscalerCondition{} }
 
-var xxx_messageInfo_HPAScalingPolicy proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerList) Reset() { *m = HorizontalPodAutoscalerList{} }
 
-func (m *HPAScalingRules) Reset()      { *m = HPAScalingRules{} }
-func (*HPAScalingRules) ProtoMessage() {}
-func (*HPAScalingRules) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{6}
-}
-func (m *HPAScalingRules) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HPAScalingRules) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HPAScalingRules) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HPAScalingRules.Merge(m, src)
-}
-func (m *HPAScalingRules) XXX_Size() int {
-	return m.Size()
-}
-func (m *HPAScalingRules) XXX_DiscardUnknown() {
-	xxx_messageInfo_HPAScalingRules.DiscardUnknown(m)
-}
+func (m *HorizontalPodAutoscalerSpec) Reset() { *m = HorizontalPodAutoscalerSpec{} }
 
-var xxx_messageInfo_HPAScalingRules proto.InternalMessageInfo
+func (m *HorizontalPodAutoscalerStatus) Reset() { *m = HorizontalPodAutoscalerStatus{} }
 
-func (m *HorizontalPodAutoscaler) Reset()      { *m = HorizontalPodAutoscaler{} }
-func (*HorizontalPodAutoscaler) ProtoMessage() {}
-func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{7}
-}
-func (m *HorizontalPodAutoscaler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscaler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscaler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscaler.Merge(m, src)
-}
-func (m *HorizontalPodAutoscaler) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscaler) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscaler.DiscardUnknown(m)
-}
+func (m *MetricIdentifier) Reset() { *m = MetricIdentifier{} }
 
-var xxx_messageInfo_HorizontalPodAutoscaler proto.InternalMessageInfo
+func (m *MetricSpec) Reset() { *m = MetricSpec{} }
 
-func (m *HorizontalPodAutoscalerBehavior) Reset()      { *m = HorizontalPodAutoscalerBehavior{} }
-func (*HorizontalPodAutoscalerBehavior) ProtoMessage() {}
-func (*HorizontalPodAutoscalerBehavior) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{8}
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerBehavior.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerBehavior) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerBehavior.DiscardUnknown(m)
-}
+func (m *MetricStatus) Reset() { *m = MetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerBehavior proto.InternalMessageInfo
+func (m *MetricTarget) Reset() { *m = MetricTarget{} }
 
-func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
-func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
-func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{9}
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerCondition.DiscardUnknown(m)
-}
+func (m *MetricValueStatus) Reset() { *m = MetricValueStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerCondition proto.InternalMessageInfo
+func (m *ObjectMetricSource) Reset() { *m = ObjectMetricSource{} }
 
-func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
-func (*HorizontalPodAutoscalerList) ProtoMessage() {}
-func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{10}
-}
-func (m *HorizontalPodAutoscalerList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerList.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerList) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerList) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerList.DiscardUnknown(m)
-}
+func (m *ObjectMetricStatus) Reset() { *m = ObjectMetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerList proto.InternalMessageInfo
+func (m *PodsMetricSource) Reset() { *m = PodsMetricSource{} }
 
-func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
-func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
-func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{11}
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerSpec.DiscardUnknown(m)
-}
+func (m *PodsMetricStatus) Reset() { *m = PodsMetricStatus{} }
 
-var xxx_messageInfo_HorizontalPodAutoscalerSpec proto.InternalMessageInfo
+func (m *ResourceMetricSource) Reset() { *m = ResourceMetricSource{} }
 
-func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
-func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
-func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{12}
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.Merge(m, src)
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *HorizontalPodAutoscalerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_HorizontalPodAutoscalerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HorizontalPodAutoscalerStatus proto.InternalMessageInfo
-
-func (m *MetricIdentifier) Reset()      { *m = MetricIdentifier{} }
-func (*MetricIdentifier) ProtoMessage() {}
-func (*MetricIdentifier) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{13}
-}
-func (m *MetricIdentifier) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricIdentifier) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricIdentifier) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricIdentifier.Merge(m, src)
-}
-func (m *MetricIdentifier) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricIdentifier) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricIdentifier.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricIdentifier proto.InternalMessageInfo
-
-func (m *MetricSpec) Reset()      { *m = MetricSpec{} }
-func (*MetricSpec) ProtoMessage() {}
-func (*MetricSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{14}
-}
-func (m *MetricSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricSpec.Merge(m, src)
-}
-func (m *MetricSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricSpec proto.InternalMessageInfo
-
-func (m *MetricStatus) Reset()      { *m = MetricStatus{} }
-func (*MetricStatus) ProtoMessage() {}
-func (*MetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{15}
-}
-func (m *MetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricStatus.Merge(m, src)
-}
-func (m *MetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricStatus proto.InternalMessageInfo
-
-func (m *MetricTarget) Reset()      { *m = MetricTarget{} }
-func (*MetricTarget) ProtoMessage() {}
-func (*MetricTarget) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{16}
-}
-func (m *MetricTarget) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricTarget) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricTarget) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricTarget.Merge(m, src)
-}
-func (m *MetricTarget) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricTarget) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricTarget.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricTarget proto.InternalMessageInfo
-
-func (m *MetricValueStatus) Reset()      { *m = MetricValueStatus{} }
-func (*MetricValueStatus) ProtoMessage() {}
-func (*MetricValueStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{17}
-}
-func (m *MetricValueStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValueStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValueStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValueStatus.Merge(m, src)
-}
-func (m *MetricValueStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValueStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValueStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricValueStatus proto.InternalMessageInfo
-
-func (m *ObjectMetricSource) Reset()      { *m = ObjectMetricSource{} }
-func (*ObjectMetricSource) ProtoMessage() {}
-func (*ObjectMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{18}
-}
-func (m *ObjectMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricSource.Merge(m, src)
-}
-func (m *ObjectMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricSource proto.InternalMessageInfo
-
-func (m *ObjectMetricStatus) Reset()      { *m = ObjectMetricStatus{} }
-func (*ObjectMetricStatus) ProtoMessage() {}
-func (*ObjectMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{19}
-}
-func (m *ObjectMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMetricStatus.Merge(m, src)
-}
-func (m *ObjectMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectMetricStatus proto.InternalMessageInfo
-
-func (m *PodsMetricSource) Reset()      { *m = PodsMetricSource{} }
-func (*PodsMetricSource) ProtoMessage() {}
-func (*PodsMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{20}
-}
-func (m *PodsMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricSource.Merge(m, src)
-}
-func (m *PodsMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricSource proto.InternalMessageInfo
-
-func (m *PodsMetricStatus) Reset()      { *m = PodsMetricStatus{} }
-func (*PodsMetricStatus) ProtoMessage() {}
-func (*PodsMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{21}
-}
-func (m *PodsMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodsMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodsMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodsMetricStatus.Merge(m, src)
-}
-func (m *PodsMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodsMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodsMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodsMetricStatus proto.InternalMessageInfo
-
-func (m *ResourceMetricSource) Reset()      { *m = ResourceMetricSource{} }
-func (*ResourceMetricSource) ProtoMessage() {}
-func (*ResourceMetricSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{22}
-}
-func (m *ResourceMetricSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricSource.Merge(m, src)
-}
-func (m *ResourceMetricSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricSource proto.InternalMessageInfo
-
-func (m *ResourceMetricStatus) Reset()      { *m = ResourceMetricStatus{} }
-func (*ResourceMetricStatus) ProtoMessage() {}
-func (*ResourceMetricStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_1076ab1fac987148, []int{23}
-}
-func (m *ResourceMetricStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceMetricStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceMetricStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceMetricStatus.Merge(m, src)
-}
-func (m *ResourceMetricStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceMetricStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceMetricStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceMetricStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2beta2.ContainerResourceMetricSource")
-	proto.RegisterType((*ContainerResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.ContainerResourceMetricStatus")
-	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v2beta2.CrossVersionObjectReference")
-	proto.RegisterType((*ExternalMetricSource)(nil), "k8s.io.api.autoscaling.v2beta2.ExternalMetricSource")
-	proto.RegisterType((*ExternalMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.ExternalMetricStatus")
-	proto.RegisterType((*HPAScalingPolicy)(nil), "k8s.io.api.autoscaling.v2beta2.HPAScalingPolicy")
-	proto.RegisterType((*HPAScalingRules)(nil), "k8s.io.api.autoscaling.v2beta2.HPAScalingRules")
-	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscaler")
-	proto.RegisterType((*HorizontalPodAutoscalerBehavior)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehavior")
-	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscalerCondition")
-	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscalerList")
-	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpec")
-	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v2beta2.HorizontalPodAutoscalerStatus")
-	proto.RegisterType((*MetricIdentifier)(nil), "k8s.io.api.autoscaling.v2beta2.MetricIdentifier")
-	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v2beta2.MetricSpec")
-	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.MetricStatus")
-	proto.RegisterType((*MetricTarget)(nil), "k8s.io.api.autoscaling.v2beta2.MetricTarget")
-	proto.RegisterType((*MetricValueStatus)(nil), "k8s.io.api.autoscaling.v2beta2.MetricValueStatus")
-	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v2beta2.ObjectMetricSource")
-	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.ObjectMetricStatus")
-	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v2beta2.PodsMetricSource")
-	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.PodsMetricStatus")
-	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2beta2.ResourceMetricSource")
-	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta2.ResourceMetricStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/autoscaling/v2beta2/generated.proto", fileDescriptor_1076ab1fac987148)
-}
-
-var fileDescriptor_1076ab1fac987148 = []byte{
-	// 1727 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x59, 0xcd, 0x6f, 0x1b, 0xc7,
-	0x15, 0xd7, 0x92, 0xd4, 0xd7, 0x50, 0x9f, 0xe3, 0x2f, 0x42, 0x86, 0x49, 0x61, 0x6b, 0xb4, 0xae,
-	0xd1, 0x2e, 0x2b, 0x56, 0x6d, 0x0d, 0x18, 0x45, 0xab, 0x95, 0xdb, 0xda, 0xb0, 0x64, 0xab, 0x43,
-	0x59, 0x2d, 0x02, 0xd9, 0xc8, 0x70, 0x77, 0x44, 0x4d, 0x44, 0xee, 0x12, 0xbb, 0x4b, 0xda, 0x72,
-	0x80, 0x20, 0x08, 0x90, 0x7b, 0x90, 0x20, 0xd7, 0xfc, 0x09, 0x09, 0x7c, 0x09, 0x90, 0x63, 0x3e,
-	0x60, 0x18, 0x41, 0x10, 0xf8, 0x16, 0xe7, 0x42, 0xc4, 0xcc, 0x31, 0xc7, 0xdc, 0x7c, 0x0a, 0xe6,
-	0x63, 0x3f, 0x49, 0x89, 0x94, 0x20, 0x29, 0xd0, 0x8d, 0x3b, 0xf3, 0xde, 0xef, 0xcd, 0x7b, 0xf3,
-	0x7b, 0x6f, 0xde, 0x0c, 0x81, 0xb6, 0x73, 0xcd, 0xd5, 0xa8, 0x5d, 0xc4, 0x0d, 0x5a, 0xc4, 0x4d,
-	0xcf, 0x76, 0x0d, 0x5c, 0xa3, 0x56, 0xb5, 0xd8, 0x2a, 0x55, 0x88, 0x87, 0x4b, 0xc5, 0x2a, 0xb1,
-	0x88, 0x83, 0x3d, 0x62, 0x6a, 0x0d, 0xc7, 0xf6, 0x6c, 0x98, 0x17, 0xf2, 0x1a, 0x6e, 0x50, 0x2d,
-	0x22, 0xaf, 0x49, 0xf9, 0xb9, 0x3f, 0x56, 0xa9, 0xb7, 0xdd, 0xac, 0x68, 0x86, 0x5d, 0x2f, 0x56,
-	0xed, 0xaa, 0x5d, 0xe4, 0x6a, 0x95, 0xe6, 0x16, 0xff, 0xe2, 0x1f, 0xfc, 0x97, 0x80, 0x9b, 0x53,
-	0x23, 0xe6, 0x0d, 0xdb, 0x21, 0xc5, 0xd6, 0x42, 0xd2, 0xe4, 0xdc, 0x62, 0x28, 0x53, 0xc7, 0xc6,
-	0x36, 0xb5, 0x88, 0xb3, 0x5b, 0x6c, 0xec, 0x54, 0xb9, 0x92, 0x43, 0x5c, 0xbb, 0xe9, 0x18, 0xe4,
-	0x40, 0x5a, 0x6e, 0xb1, 0x4e, 0x3c, 0xdc, 0xcb, 0x56, 0x71, 0x2f, 0x2d, 0xa7, 0x69, 0x79, 0xb4,
-	0xde, 0x6d, 0xe6, 0xaf, 0xfd, 0x14, 0x5c, 0x63, 0x9b, 0xd4, 0x71, 0x52, 0x4f, 0xfd, 0x49, 0x01,
-	0x97, 0x96, 0x6d, 0xcb, 0xc3, 0x4c, 0x03, 0x49, 0x27, 0x56, 0x89, 0xe7, 0x50, 0xa3, 0xcc, 0x7f,
-	0xc3, 0x65, 0x90, 0xb1, 0x70, 0x9d, 0xe4, 0x94, 0x79, 0xe5, 0xca, 0xb8, 0x5e, 0x7c, 0xd6, 0x2e,
-	0x0c, 0x75, 0xda, 0x85, 0xcc, 0x1d, 0x5c, 0x27, 0xaf, 0xda, 0x85, 0x42, 0x77, 0xe0, 0x34, 0x1f,
-	0x86, 0x89, 0x20, 0xae, 0x0c, 0xd7, 0xc1, 0x88, 0x87, 0x9d, 0x2a, 0xf1, 0x72, 0xa9, 0x79, 0xe5,
-	0x4a, 0xb6, 0xf4, 0x07, 0x6d, 0xff, 0xfd, 0xd3, 0xc4, 0x12, 0xd6, 0xb9, 0x8e, 0x3e, 0x25, 0x8d,
-	0x8e, 0x88, 0x6f, 0x24, 0xb1, 0x60, 0x11, 0x8c, 0x1b, 0xfe, 0xda, 0x73, 0x69, 0xbe, 0xbe, 0x59,
-	0x29, 0x3a, 0x1e, 0x3a, 0x15, 0xca, 0xa8, 0x3f, 0xef, 0xe3, 0xad, 0x87, 0xbd, 0xa6, 0x7b, 0x34,
-	0xde, 0x6e, 0x82, 0x51, 0xa3, 0xe9, 0x38, 0xc4, 0xf2, 0xdd, 0x5d, 0x18, 0xcc, 0xdd, 0x0d, 0x5c,
-	0x6b, 0x12, 0xb1, 0x10, 0x7d, 0x5a, 0x9a, 0x1e, 0x5d, 0x16, 0x48, 0xc8, 0x87, 0x3c, 0xb8, 0xd7,
-	0x1f, 0x2a, 0xe0, 0xe2, 0xb2, 0x63, 0xbb, 0xee, 0x06, 0x71, 0x5c, 0x6a, 0x5b, 0x77, 0x2b, 0x6f,
-	0x10, 0xc3, 0x43, 0x64, 0x8b, 0x38, 0xc4, 0x32, 0x08, 0x9c, 0x07, 0x99, 0x1d, 0x6a, 0x99, 0xd2,
-	0xe7, 0x09, 0xdf, 0xe7, 0xdb, 0xd4, 0x32, 0x11, 0x9f, 0x61, 0x12, 0x3c, 0x2a, 0xa9, 0xb8, 0x44,
-	0xc4, 0xe5, 0x12, 0x00, 0xb8, 0x41, 0xa5, 0x01, 0xb9, 0x2a, 0x28, 0xe5, 0xc0, 0xd2, 0xda, 0x2d,
-	0x39, 0x83, 0x22, 0x52, 0xea, 0x53, 0x05, 0x9c, 0xfd, 0xd7, 0x23, 0x8f, 0x38, 0x16, 0xae, 0xc5,
-	0x28, 0xf7, 0x7f, 0x30, 0x52, 0xe7, 0xdf, 0x7c, 0x49, 0xd9, 0xd2, 0x9f, 0x06, 0x0b, 0xdf, 0x2d,
-	0x93, 0x58, 0x1e, 0xdd, 0xa2, 0xc4, 0x09, 0x19, 0x23, 0x66, 0x90, 0xc4, 0x3b, 0x1e, 0x1e, 0xaa,
-	0xdf, 0x76, 0x3b, 0x22, 0xd8, 0x74, 0x7c, 0x8e, 0x1c, 0x2b, 0xc5, 0xd4, 0x8f, 0x15, 0x30, 0x73,
-	0x73, 0x6d, 0xa9, 0x2c, 0x20, 0xd6, 0xec, 0x1a, 0x35, 0x76, 0xe1, 0x35, 0x90, 0xf1, 0x76, 0x1b,
-	0x7e, 0x6a, 0x5c, 0xf6, 0x49, 0xb0, 0xbe, 0xdb, 0x60, 0xa9, 0x71, 0x36, 0x29, 0xcf, 0xc6, 0x11,
-	0xd7, 0x80, 0xbf, 0x01, 0xc3, 0x2d, 0x66, 0x97, 0x2f, 0x75, 0x58, 0x9f, 0x94, 0xaa, 0xc3, 0x7c,
-	0x31, 0x48, 0xcc, 0xc1, 0xeb, 0x60, 0xb2, 0x41, 0x1c, 0x6a, 0x9b, 0x65, 0x62, 0xd8, 0x96, 0xe9,
-	0x72, 0x12, 0x0d, 0xeb, 0xe7, 0xa4, 0xf0, 0xe4, 0x5a, 0x74, 0x12, 0xc5, 0x65, 0xd5, 0x8f, 0x52,
-	0x60, 0x3a, 0x5c, 0x00, 0x6a, 0xd6, 0x88, 0x0b, 0x1f, 0x80, 0x39, 0xd7, 0xc3, 0x15, 0x5a, 0xa3,
-	0x8f, 0xb1, 0x47, 0x6d, 0xeb, 0x7f, 0xd4, 0x32, 0xed, 0x87, 0x71, 0xf4, 0x7c, 0xa7, 0x5d, 0x98,
-	0x2b, 0xef, 0x29, 0x85, 0xf6, 0x41, 0x80, 0xb7, 0xc1, 0x84, 0x4b, 0x6a, 0xc4, 0xf0, 0x84, 0xbf,
-	0x32, 0x2e, 0xbf, 0xeb, 0xb4, 0x0b, 0x13, 0xe5, 0xc8, 0xf8, 0xab, 0x76, 0xe1, 0x4c, 0x2c, 0x30,
-	0x62, 0x12, 0xc5, 0x94, 0xe1, 0x03, 0x30, 0xd6, 0x60, 0xbf, 0x28, 0x71, 0x73, 0xa9, 0xf9, 0xf4,
-	0x20, 0x5c, 0x49, 0x06, 0x5c, 0x9f, 0x91, 0xa1, 0x1a, 0x5b, 0x93, 0x48, 0x28, 0xc0, 0x54, 0x3f,
-	0x4f, 0x81, 0x0b, 0x37, 0x6d, 0x87, 0x3e, 0x66, 0x55, 0xa1, 0xb6, 0x66, 0x9b, 0x4b, 0x12, 0x91,
-	0x38, 0xf0, 0x75, 0x30, 0xc6, 0xce, 0x21, 0x13, 0x7b, 0xb8, 0x07, 0x4f, 0x83, 0xe3, 0x44, 0x6b,
-	0xec, 0x54, 0xd9, 0x80, 0xab, 0x31, 0x69, 0xad, 0xb5, 0xa0, 0x89, 0x42, 0xb2, 0x4a, 0x3c, 0x1c,
-	0xe6, 0x7a, 0x38, 0x86, 0x02, 0x54, 0x78, 0x1f, 0x64, 0xdc, 0x06, 0x31, 0x24, 0x55, 0xaf, 0xf7,
-	0xf5, 0xac, 0xf7, 0x42, 0xcb, 0x0d, 0x62, 0x84, 0xc5, 0x87, 0x7d, 0x21, 0x0e, 0x0b, 0x09, 0x18,
-	0x71, 0x39, 0xa5, 0xf9, 0xae, 0x66, 0x4b, 0x7f, 0x3f, 0xac, 0x01, 0x91, 0x17, 0x41, 0xce, 0x89,
-	0x6f, 0x24, 0xc1, 0xd5, 0xef, 0x14, 0x50, 0xd8, 0x43, 0x53, 0x27, 0xdb, 0xb8, 0x45, 0x6d, 0x07,
-	0x6e, 0x80, 0x51, 0x3e, 0x72, 0xaf, 0x21, 0x43, 0x59, 0x1c, 0x7c, 0x1b, 0x39, 0x6d, 0xf5, 0x2c,
-	0xcb, 0xc8, 0xb2, 0xc0, 0x40, 0x3e, 0x18, 0xdc, 0x04, 0xe3, 0xfc, 0xe7, 0x0d, 0xfb, 0xa1, 0x25,
-	0xc3, 0x78, 0x60, 0xe4, 0x49, 0x76, 0x42, 0x94, 0x7d, 0x14, 0x14, 0x02, 0xaa, 0xef, 0xa6, 0xc1,
-	0xfc, 0x1e, 0x9e, 0x2d, 0xdb, 0x96, 0x49, 0x19, 0xf9, 0xe1, 0xcd, 0x58, 0xfe, 0x2f, 0x26, 0xf2,
-	0xff, 0x72, 0x3f, 0xfd, 0x48, 0x3d, 0x58, 0x09, 0xf6, 0x2b, 0x15, 0xc3, 0x92, 0x01, 0x7f, 0xd5,
-	0x2e, 0xf4, 0xe8, 0xc7, 0xb4, 0x00, 0x29, 0xbe, 0x2d, 0xb0, 0x05, 0x60, 0x0d, 0xbb, 0xde, 0xba,
-	0x83, 0x2d, 0x57, 0x58, 0xa2, 0x75, 0x22, 0x99, 0x70, 0x75, 0x30, 0x22, 0x33, 0x0d, 0x7d, 0x4e,
-	0xae, 0x02, 0xae, 0x74, 0xa1, 0xa1, 0x1e, 0x16, 0xe0, 0x6f, 0xc1, 0x88, 0x43, 0xb0, 0x6b, 0x5b,
-	0xb9, 0x0c, 0xf7, 0x22, 0xa0, 0x0d, 0xe2, 0xa3, 0x48, 0xce, 0xc2, 0xdf, 0x83, 0xd1, 0x3a, 0x71,
-	0x5d, 0x5c, 0x25, 0xb9, 0x61, 0x2e, 0x18, 0xd4, 0xdd, 0x55, 0x31, 0x8c, 0xfc, 0x79, 0xf5, 0x7b,
-	0x05, 0x5c, 0xdc, 0x23, 0x8e, 0x2b, 0xd4, 0xf5, 0xe0, 0x66, 0x57, 0xa6, 0x6a, 0x83, 0x39, 0xc8,
-	0xb4, 0x79, 0x9e, 0x06, 0x35, 0xc2, 0x1f, 0x89, 0x64, 0xe9, 0x26, 0x18, 0xa6, 0x1e, 0xa9, 0xfb,
-	0x05, 0xe8, 0x6f, 0x87, 0xcc, 0xa2, 0xb0, 0xbe, 0xdf, 0x62, 0x68, 0x48, 0x80, 0xaa, 0x4f, 0xd3,
-	0x7b, 0xfa, 0xc6, 0x52, 0x19, 0xbe, 0x09, 0xa6, 0xf8, 0x97, 0x3c, 0x5b, 0xc9, 0x96, 0xf4, 0xb0,
-	0x6f, 0xb5, 0xd8, 0xa7, 0xb5, 0xd1, 0xcf, 0xcb, 0xa5, 0x4c, 0x95, 0x63, 0xd0, 0x28, 0x61, 0x0a,
-	0x2e, 0x80, 0x6c, 0x9d, 0x5a, 0x88, 0x34, 0x6a, 0xd4, 0xc0, 0xae, 0x3c, 0xa7, 0xa6, 0x3b, 0xed,
-	0x42, 0x76, 0x35, 0x1c, 0x46, 0x51, 0x19, 0xf8, 0x17, 0x90, 0xad, 0xe3, 0x47, 0x81, 0x8a, 0x38,
-	0x4f, 0xce, 0x48, 0x7b, 0xd9, 0xd5, 0x70, 0x0a, 0x45, 0xe5, 0xe0, 0x3d, 0xc6, 0x06, 0x76, 0x12,
-	0xbb, 0xb9, 0x0c, 0x0f, 0xf3, 0xd5, 0xc1, 0x0e, 0x6e, 0x5e, 0xfc, 0x22, 0xcc, 0xe1, 0x10, 0xc8,
-	0xc7, 0x82, 0x14, 0x8c, 0x55, 0x64, 0x0d, 0xe2, 0x2c, 0xcb, 0x96, 0xfe, 0x71, 0xd8, 0xed, 0x93,
-	0x30, 0xfa, 0x04, 0xa3, 0x89, 0xff, 0x85, 0x02, 0x78, 0xf5, 0xd3, 0x0c, 0xb8, 0xb4, 0x6f, 0x01,
-	0x85, 0xff, 0x06, 0xd0, 0xae, 0xb8, 0xc4, 0x69, 0x11, 0xf3, 0x3f, 0xe2, 0xbe, 0xc1, 0x9a, 0x42,
-	0xb6, 0x9d, 0x69, 0xfd, 0x3c, 0xcb, 0xb0, 0xbb, 0x5d, 0xb3, 0xa8, 0x87, 0x06, 0x34, 0xc0, 0x24,
-	0xcb, 0x3b, 0xb1, 0x77, 0x54, 0xf6, 0x9f, 0x07, 0x4b, 0xea, 0x59, 0xd6, 0x3a, 0xac, 0x44, 0x41,
-	0x50, 0x1c, 0x13, 0x2e, 0x81, 0x69, 0xd9, 0xf6, 0x24, 0xf6, 0xf2, 0x82, 0x0c, 0xf6, 0xf4, 0x72,
-	0x7c, 0x1a, 0x25, 0xe5, 0x19, 0x84, 0x49, 0x5c, 0xea, 0x10, 0x33, 0x80, 0xc8, 0xc4, 0x21, 0x6e,
-	0xc4, 0xa7, 0x51, 0x52, 0x1e, 0xd6, 0xc0, 0x94, 0x44, 0x95, 0x5b, 0x9b, 0x1b, 0xe6, 0xec, 0x18,
-	0xb0, 0x41, 0x95, 0x27, 0x57, 0x40, 0xf7, 0xe5, 0x18, 0x16, 0x4a, 0x60, 0x43, 0x0f, 0x00, 0xc3,
-	0xaf, 0xa6, 0x6e, 0x6e, 0x84, 0x5b, 0xfa, 0xe7, 0x21, 0xf9, 0x12, 0x94, 0xe5, 0xb0, 0x07, 0x08,
-	0x86, 0x5c, 0x14, 0xb1, 0xa3, 0x7e, 0xa0, 0x80, 0x99, 0x64, 0x83, 0x1b, 0x5c, 0x2d, 0x94, 0x3d,
-	0xaf, 0x16, 0xf7, 0xc1, 0x98, 0x68, 0x95, 0x6c, 0x47, 0x12, 0xe0, 0xcf, 0x03, 0x16, 0x3d, 0x5c,
-	0x21, 0xb5, 0xb2, 0x54, 0x15, 0x74, 0xf6, 0xbf, 0x50, 0x00, 0xa9, 0x7e, 0x92, 0x01, 0x20, 0x4c,
-	0x31, 0xb8, 0x18, 0x3b, 0xe5, 0xe6, 0x13, 0xa7, 0xdc, 0x4c, 0xf4, 0x9e, 0x12, 0x39, 0xd1, 0x36,
-	0xc0, 0x88, 0xcd, 0x4b, 0x8f, 0x5c, 0x61, 0xa9, 0x5f, 0x30, 0x83, 0x36, 0x29, 0x40, 0xd3, 0x01,
-	0x3b, 0x3b, 0x64, 0x01, 0x93, 0x68, 0xf0, 0x0e, 0xc8, 0x34, 0x6c, 0xd3, 0xef, 0x6b, 0xfa, 0xb6,
-	0x84, 0x6b, 0xb6, 0xe9, 0xc6, 0x30, 0xc7, 0xd8, 0xda, 0xd9, 0x28, 0xe2, 0x38, 0xac, 0xcd, 0xf4,
-	0x5f, 0x2a, 0x38, 0x45, 0xb3, 0xa5, 0xc5, 0x7e, 0x98, 0xbd, 0x1e, 0x05, 0x44, 0x30, 0xfd, 0x19,
-	0x14, 0x60, 0xc2, 0x77, 0x14, 0x30, 0x6b, 0x24, 0x2f, 0xd8, 0xb9, 0xd1, 0xc1, 0xba, 0xb2, 0x7d,
-	0xdf, 0x21, 0xf4, 0x73, 0x9d, 0x76, 0x61, 0xb6, 0x4b, 0x04, 0x75, 0x9b, 0x63, 0x4e, 0x12, 0x79,
-	0x1b, 0x93, 0xb5, 0xb0, 0xaf, 0x93, 0xbd, 0xae, 0xa1, 0xc2, 0x49, 0x7f, 0x06, 0x05, 0x98, 0xea,
-	0x93, 0x0c, 0x98, 0x88, 0x5d, 0xf3, 0x7e, 0x0d, 0xce, 0x88, 0x84, 0x3f, 0x5a, 0xce, 0x08, 0xcc,
-	0xa3, 0xe7, 0x8c, 0xc0, 0x3d, 0x51, 0xce, 0x08, 0x93, 0x27, 0xc9, 0x99, 0x88, 0x93, 0x3d, 0x38,
-	0xf3, 0x65, 0xca, 0xe7, 0x8c, 0x68, 0x3a, 0x06, 0xe3, 0x8c, 0x90, 0x8d, 0x70, 0xe6, 0x6e, 0xf4,
-	0x26, 0xdd, 0xa7, 0xfb, 0xd3, 0xfc, 0x08, 0x6b, 0xff, 0x6d, 0x62, 0xcb, 0xa3, 0xde, 0xae, 0x3e,
-	0xde, 0x75, 0xeb, 0x36, 0xc1, 0x04, 0x6e, 0x11, 0x07, 0x57, 0x09, 0x1f, 0x96, 0xa4, 0x39, 0x28,
-	0xee, 0x0c, 0xbb, 0xf4, 0x2e, 0x45, 0x70, 0x50, 0x0c, 0x95, 0x35, 0x04, 0xf2, 0xfb, 0x9e, 0x17,
-	0xdc, 0xa6, 0xe5, 0x19, 0xc9, 0x1b, 0x82, 0xa5, 0xae, 0x59, 0xd4, 0x43, 0x43, 0x7d, 0x3f, 0x05,
-	0x66, 0xbb, 0xde, 0x31, 0xc2, 0xa0, 0x28, 0xc7, 0x14, 0x94, 0xd4, 0x09, 0x06, 0x25, 0x7d, 0xe0,
-	0xa0, 0x7c, 0x95, 0x02, 0xb0, 0xfb, 0x38, 0x81, 0x6f, 0xf1, 0xa6, 0xc4, 0x70, 0x68, 0x85, 0x98,
-	0x62, 0xfa, 0x28, 0x1a, 0xea, 0x68, 0x47, 0x13, 0xc5, 0x46, 0x49, 0x63, 0xc7, 0xf4, 0xe4, 0x1b,
-	0xbe, 0xa8, 0xa5, 0x8f, 0xf6, 0x45, 0x4d, 0xfd, 0x26, 0x19, 0xc6, 0x53, 0xfd, 0x84, 0xd7, 0x6b,
-	0xfb, 0xd3, 0x27, 0xb8, 0xfd, 0xea, 0x17, 0x0a, 0x98, 0x49, 0xb6, 0x23, 0xa7, 0xee, 0x61, 0xf7,
-	0xeb, 0xb8, 0x13, 0xa7, 0xfb, 0x51, 0xf7, 0x89, 0x02, 0xce, 0x9e, 0xb2, 0x7f, 0x78, 0xd4, 0xcf,
-	0xba, 0xd7, 0x7c, 0x5a, 0xfe, 0xa7, 0xd1, 0x6f, 0x3c, 0x7b, 0x99, 0x1f, 0x7a, 0xfe, 0x32, 0x3f,
-	0xf4, 0xe2, 0x65, 0x7e, 0xe8, 0xed, 0x4e, 0x5e, 0x79, 0xd6, 0xc9, 0x2b, 0xcf, 0x3b, 0x79, 0xe5,
-	0x45, 0x27, 0xaf, 0xfc, 0xd0, 0xc9, 0x2b, 0xef, 0xfd, 0x98, 0x1f, 0x7a, 0x2d, 0xbf, 0xff, 0x1f,
-	0x9f, 0xbf, 0x04, 0x00, 0x00, 0xff, 0xff, 0xa4, 0x27, 0xde, 0xc0, 0x19, 0x1d, 0x00, 0x00,
-}
+func (m *ResourceMetricStatus) Reset() { *m = ResourceMetricStatus{} }
 
 func (m *ContainerResourceMetricSource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.go b/staging/src/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..6064b1eb0265d
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.go
@@ -0,0 +1,70 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v2beta2
+
+func (*ContainerResourceMetricSource) ProtoMessage() {}
+
+func (*ContainerResourceMetricStatus) ProtoMessage() {}
+
+func (*CrossVersionObjectReference) ProtoMessage() {}
+
+func (*ExternalMetricSource) ProtoMessage() {}
+
+func (*ExternalMetricStatus) ProtoMessage() {}
+
+func (*HPAScalingPolicy) ProtoMessage() {}
+
+func (*HPAScalingRules) ProtoMessage() {}
+
+func (*HorizontalPodAutoscaler) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerBehavior) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+
+func (*MetricIdentifier) ProtoMessage() {}
+
+func (*MetricSpec) ProtoMessage() {}
+
+func (*MetricStatus) ProtoMessage() {}
+
+func (*MetricTarget) ProtoMessage() {}
+
+func (*MetricValueStatus) ProtoMessage() {}
+
+func (*ObjectMetricSource) ProtoMessage() {}
+
+func (*ObjectMetricStatus) ProtoMessage() {}
+
+func (*PodsMetricSource) ProtoMessage() {}
+
+func (*PodsMetricStatus) ProtoMessage() {}
+
+func (*ResourceMetricSource) ProtoMessage() {}
+
+func (*ResourceMetricStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.go b/staging/src/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..20e8a854c674e
--- /dev/null
+++ b/staging/src/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.go
@@ -0,0 +1,142 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v2beta2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CrossVersionObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ExternalMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ExternalMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HPAScalingPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HPAScalingPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HPAScalingRules) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HPAScalingRules"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscaler) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerBehavior) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehavior"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerCondition) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerList) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HorizontalPodAutoscalerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricIdentifier) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.MetricIdentifier"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricSpec) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.MetricSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.MetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricTarget) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.MetricTarget"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValueStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.MetricValueStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ObjectMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ObjectMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.PodsMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodsMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.PodsMetricStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricSource) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ResourceMetricSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceMetricStatus) OpenAPIModelName() string {
+	return "io.k8s.api.autoscaling.v2beta2.ResourceMetricStatus"
+}
diff --git a/staging/src/k8s.io/api/batch/v1/doc.go b/staging/src/k8s.io/api/batch/v1/doc.go
index 69088e2c5b84f..1525ce2aaf455 100644
--- a/staging/src/k8s.io/api/batch/v1/doc.go
+++ b/staging/src/k8s.io/api/batch/v1/doc.go
@@ -18,4 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.batch.v1
+
 package v1
diff --git a/staging/src/k8s.io/api/batch/v1/generated.pb.go b/staging/src/k8s.io/api/batch/v1/generated.pb.go
index 6108a60839fc6..099350e734803 100644
--- a/staging/src/k8s.io/api/batch/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/batch/v1/generated.pb.go
@@ -24,12 +24,10 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -37,642 +35,43 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CronJob) Reset() { *m = CronJob{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CronJobList) Reset() { *m = CronJobList{} }
 
-func (m *CronJob) Reset()      { *m = CronJob{} }
-func (*CronJob) ProtoMessage() {}
-func (*CronJob) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{0}
-}
-func (m *CronJob) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJob) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJob) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJob.Merge(m, src)
-}
-func (m *CronJob) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJob) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJob.DiscardUnknown(m)
-}
+func (m *CronJobSpec) Reset() { *m = CronJobSpec{} }
 
-var xxx_messageInfo_CronJob proto.InternalMessageInfo
+func (m *CronJobStatus) Reset() { *m = CronJobStatus{} }
 
-func (m *CronJobList) Reset()      { *m = CronJobList{} }
-func (*CronJobList) ProtoMessage() {}
-func (*CronJobList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{1}
-}
-func (m *CronJobList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobList.Merge(m, src)
-}
-func (m *CronJobList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobList.DiscardUnknown(m)
-}
+func (m *Job) Reset() { *m = Job{} }
 
-var xxx_messageInfo_CronJobList proto.InternalMessageInfo
-
-func (m *CronJobSpec) Reset()      { *m = CronJobSpec{} }
-func (*CronJobSpec) ProtoMessage() {}
-func (*CronJobSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{2}
-}
-func (m *CronJobSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobSpec.Merge(m, src)
-}
-func (m *CronJobSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CronJobSpec proto.InternalMessageInfo
-
-func (m *CronJobStatus) Reset()      { *m = CronJobStatus{} }
-func (*CronJobStatus) ProtoMessage() {}
-func (*CronJobStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{3}
-}
-func (m *CronJobStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobStatus.Merge(m, src)
-}
-func (m *CronJobStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CronJobStatus proto.InternalMessageInfo
-
-func (m *Job) Reset()      { *m = Job{} }
-func (*Job) ProtoMessage() {}
-func (*Job) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{4}
-}
-func (m *Job) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Job) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Job) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Job.Merge(m, src)
-}
-func (m *Job) XXX_Size() int {
-	return m.Size()
-}
-func (m *Job) XXX_DiscardUnknown() {
-	xxx_messageInfo_Job.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Job proto.InternalMessageInfo
-
-func (m *JobCondition) Reset()      { *m = JobCondition{} }
-func (*JobCondition) ProtoMessage() {}
-func (*JobCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{5}
-}
-func (m *JobCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobCondition.Merge(m, src)
-}
-func (m *JobCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JobCondition proto.InternalMessageInfo
-
-func (m *JobList) Reset()      { *m = JobList{} }
-func (*JobList) ProtoMessage() {}
-func (*JobList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{6}
-}
-func (m *JobList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobList.Merge(m, src)
-}
-func (m *JobList) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobList) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JobList proto.InternalMessageInfo
-
-func (m *JobSpec) Reset()      { *m = JobSpec{} }
-func (*JobSpec) ProtoMessage() {}
-func (*JobSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{7}
-}
-func (m *JobSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobSpec.Merge(m, src)
-}
-func (m *JobSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JobSpec proto.InternalMessageInfo
-
-func (m *JobStatus) Reset()      { *m = JobStatus{} }
-func (*JobStatus) ProtoMessage() {}
-func (*JobStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{8}
-}
-func (m *JobStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobStatus.Merge(m, src)
-}
-func (m *JobStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobStatus.DiscardUnknown(m)
-}
+func (m *JobCondition) Reset() { *m = JobCondition{} }
 
-var xxx_messageInfo_JobStatus proto.InternalMessageInfo
+func (m *JobList) Reset() { *m = JobList{} }
 
-func (m *JobTemplateSpec) Reset()      { *m = JobTemplateSpec{} }
-func (*JobTemplateSpec) ProtoMessage() {}
-func (*JobTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{9}
-}
-func (m *JobTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobTemplateSpec.Merge(m, src)
-}
-func (m *JobTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobTemplateSpec.DiscardUnknown(m)
-}
+func (m *JobSpec) Reset() { *m = JobSpec{} }
 
-var xxx_messageInfo_JobTemplateSpec proto.InternalMessageInfo
+func (m *JobStatus) Reset() { *m = JobStatus{} }
 
-func (m *PodFailurePolicy) Reset()      { *m = PodFailurePolicy{} }
-func (*PodFailurePolicy) ProtoMessage() {}
-func (*PodFailurePolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{10}
-}
-func (m *PodFailurePolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodFailurePolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodFailurePolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodFailurePolicy.Merge(m, src)
-}
-func (m *PodFailurePolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodFailurePolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodFailurePolicy.DiscardUnknown(m)
-}
+func (m *JobTemplateSpec) Reset() { *m = JobTemplateSpec{} }
 
-var xxx_messageInfo_PodFailurePolicy proto.InternalMessageInfo
+func (m *PodFailurePolicy) Reset() { *m = PodFailurePolicy{} }
 
 func (m *PodFailurePolicyOnExitCodesRequirement) Reset() {
 	*m = PodFailurePolicyOnExitCodesRequirement{}
 }
-func (*PodFailurePolicyOnExitCodesRequirement) ProtoMessage() {}
-func (*PodFailurePolicyOnExitCodesRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{11}
-}
-func (m *PodFailurePolicyOnExitCodesRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodFailurePolicyOnExitCodesRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodFailurePolicyOnExitCodesRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodFailurePolicyOnExitCodesRequirement.Merge(m, src)
-}
-func (m *PodFailurePolicyOnExitCodesRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodFailurePolicyOnExitCodesRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodFailurePolicyOnExitCodesRequirement.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodFailurePolicyOnExitCodesRequirement proto.InternalMessageInfo
 
 func (m *PodFailurePolicyOnPodConditionsPattern) Reset() {
 	*m = PodFailurePolicyOnPodConditionsPattern{}
 }
-func (*PodFailurePolicyOnPodConditionsPattern) ProtoMessage() {}
-func (*PodFailurePolicyOnPodConditionsPattern) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{12}
-}
-func (m *PodFailurePolicyOnPodConditionsPattern) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodFailurePolicyOnPodConditionsPattern) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodFailurePolicyOnPodConditionsPattern) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodFailurePolicyOnPodConditionsPattern.Merge(m, src)
-}
-func (m *PodFailurePolicyOnPodConditionsPattern) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodFailurePolicyOnPodConditionsPattern) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodFailurePolicyOnPodConditionsPattern.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_PodFailurePolicyOnPodConditionsPattern proto.InternalMessageInfo
+func (m *PodFailurePolicyRule) Reset() { *m = PodFailurePolicyRule{} }
 
-func (m *PodFailurePolicyRule) Reset()      { *m = PodFailurePolicyRule{} }
-func (*PodFailurePolicyRule) ProtoMessage() {}
-func (*PodFailurePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{13}
-}
-func (m *PodFailurePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodFailurePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodFailurePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodFailurePolicyRule.Merge(m, src)
-}
-func (m *PodFailurePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodFailurePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodFailurePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodFailurePolicyRule proto.InternalMessageInfo
-
-func (m *SuccessPolicy) Reset()      { *m = SuccessPolicy{} }
-func (*SuccessPolicy) ProtoMessage() {}
-func (*SuccessPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{14}
-}
-func (m *SuccessPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SuccessPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SuccessPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SuccessPolicy.Merge(m, src)
-}
-func (m *SuccessPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *SuccessPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_SuccessPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SuccessPolicy proto.InternalMessageInfo
-
-func (m *SuccessPolicyRule) Reset()      { *m = SuccessPolicyRule{} }
-func (*SuccessPolicyRule) ProtoMessage() {}
-func (*SuccessPolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{15}
-}
-func (m *SuccessPolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SuccessPolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SuccessPolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SuccessPolicyRule.Merge(m, src)
-}
-func (m *SuccessPolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *SuccessPolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_SuccessPolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SuccessPolicyRule proto.InternalMessageInfo
-
-func (m *UncountedTerminatedPods) Reset()      { *m = UncountedTerminatedPods{} }
-func (*UncountedTerminatedPods) ProtoMessage() {}
-func (*UncountedTerminatedPods) Descriptor() ([]byte, []int) {
-	return fileDescriptor_79228dc2c4001a22, []int{16}
-}
-func (m *UncountedTerminatedPods) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UncountedTerminatedPods) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UncountedTerminatedPods) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UncountedTerminatedPods.Merge(m, src)
-}
-func (m *UncountedTerminatedPods) XXX_Size() int {
-	return m.Size()
-}
-func (m *UncountedTerminatedPods) XXX_DiscardUnknown() {
-	xxx_messageInfo_UncountedTerminatedPods.DiscardUnknown(m)
-}
+func (m *SuccessPolicy) Reset() { *m = SuccessPolicy{} }
 
-var xxx_messageInfo_UncountedTerminatedPods proto.InternalMessageInfo
+func (m *SuccessPolicyRule) Reset() { *m = SuccessPolicyRule{} }
 
-func init() {
-	proto.RegisterType((*CronJob)(nil), "k8s.io.api.batch.v1.CronJob")
-	proto.RegisterType((*CronJobList)(nil), "k8s.io.api.batch.v1.CronJobList")
-	proto.RegisterType((*CronJobSpec)(nil), "k8s.io.api.batch.v1.CronJobSpec")
-	proto.RegisterType((*CronJobStatus)(nil), "k8s.io.api.batch.v1.CronJobStatus")
-	proto.RegisterType((*Job)(nil), "k8s.io.api.batch.v1.Job")
-	proto.RegisterType((*JobCondition)(nil), "k8s.io.api.batch.v1.JobCondition")
-	proto.RegisterType((*JobList)(nil), "k8s.io.api.batch.v1.JobList")
-	proto.RegisterType((*JobSpec)(nil), "k8s.io.api.batch.v1.JobSpec")
-	proto.RegisterType((*JobStatus)(nil), "k8s.io.api.batch.v1.JobStatus")
-	proto.RegisterType((*JobTemplateSpec)(nil), "k8s.io.api.batch.v1.JobTemplateSpec")
-	proto.RegisterType((*PodFailurePolicy)(nil), "k8s.io.api.batch.v1.PodFailurePolicy")
-	proto.RegisterType((*PodFailurePolicyOnExitCodesRequirement)(nil), "k8s.io.api.batch.v1.PodFailurePolicyOnExitCodesRequirement")
-	proto.RegisterType((*PodFailurePolicyOnPodConditionsPattern)(nil), "k8s.io.api.batch.v1.PodFailurePolicyOnPodConditionsPattern")
-	proto.RegisterType((*PodFailurePolicyRule)(nil), "k8s.io.api.batch.v1.PodFailurePolicyRule")
-	proto.RegisterType((*SuccessPolicy)(nil), "k8s.io.api.batch.v1.SuccessPolicy")
-	proto.RegisterType((*SuccessPolicyRule)(nil), "k8s.io.api.batch.v1.SuccessPolicyRule")
-	proto.RegisterType((*UncountedTerminatedPods)(nil), "k8s.io.api.batch.v1.UncountedTerminatedPods")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/batch/v1/generated.proto", fileDescriptor_79228dc2c4001a22)
-}
-
-var fileDescriptor_79228dc2c4001a22 = []byte{
-	// 1882 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x6f, 0xdb, 0xc8,
-	0x15, 0x37, 0x6d, 0xcb, 0x96, 0x46, 0xfe, 0x90, 0x27, 0x4e, 0xa2, 0xba, 0x0b, 0xd1, 0xab, 0xec,
-	0x06, 0xde, 0x76, 0x2b, 0x6d, 0xbc, 0x41, 0xb7, 0x1f, 0x68, 0xb1, 0xa1, 0xd2, 0x6c, 0xe3, 0x95,
-	0x37, 0xea, 0xc8, 0x69, 0x81, 0xdd, 0xb4, 0xe8, 0x88, 0x1c, 0xc9, 0xdc, 0x50, 0x1c, 0x96, 0x1c,
-	0x1a, 0xf1, 0xa5, 0x28, 0xd0, 0x7f, 0xa0, 0x3d, 0xf6, 0x1f, 0xe8, 0xb1, 0x97, 0xf6, 0xdc, 0xde,
-	0x8a, 0x1c, 0x17, 0x3d, 0x2d, 0x7a, 0x20, 0x1a, 0xf6, 0x0f, 0xe8, 0xdd, 0x45, 0x81, 0x62, 0x86,
-	0xc3, 0x4f, 0x91, 0x5e, 0x67, 0x81, 0x06, 0xbd, 0x89, 0xef, 0xfd, 0xde, 0x6f, 0x1e, 0xe7, 0x7d,
-	0x52, 0xe0, 0xd6, 0xd3, 0x6f, 0x79, 0x3d, 0x93, 0xf6, 0xb1, 0x63, 0xf6, 0x27, 0x98, 0xe9, 0xa7,
-	0xfd, 0xb3, 0x3b, 0xfd, 0x19, 0xb1, 0x89, 0x8b, 0x19, 0x31, 0x7a, 0x8e, 0x4b, 0x19, 0x85, 0xd7,
-	0x22, 0x50, 0x0f, 0x3b, 0x66, 0x4f, 0x80, 0x7a, 0x67, 0x77, 0xf6, 0xbe, 0x31, 0x33, 0xd9, 0xa9,
-	0x3f, 0xe9, 0xe9, 0x74, 0xde, 0x9f, 0xd1, 0x19, 0xed, 0x0b, 0xec, 0xc4, 0x9f, 0x8a, 0x27, 0xf1,
-	0x20, 0x7e, 0x45, 0x1c, 0x7b, 0xdd, 0xcc, 0x41, 0x3a, 0x75, 0x49, 0xc9, 0x39, 0x7b, 0x77, 0x53,
-	0xcc, 0x1c, 0xeb, 0xa7, 0xa6, 0x4d, 0xdc, 0xf3, 0xbe, 0xf3, 0x74, 0xc6, 0x05, 0x5e, 0x7f, 0x4e,
-	0x18, 0x2e, 0xb3, 0xea, 0x57, 0x59, 0xb9, 0xbe, 0xcd, 0xcc, 0x39, 0x59, 0x30, 0xf8, 0xe6, 0x17,
-	0x19, 0x78, 0xfa, 0x29, 0x99, 0xe3, 0xa2, 0x5d, 0xf7, 0xdf, 0x0a, 0x58, 0x1f, 0xb8, 0xd4, 0x3e,
-	0xa2, 0x13, 0xf8, 0x73, 0x50, 0xe7, 0xfe, 0x18, 0x98, 0xe1, 0xb6, 0xb2, 0xaf, 0x1c, 0x34, 0x0f,
-	0xdf, 0xe9, 0xa5, 0xb7, 0x94, 0xd0, 0xf6, 0x9c, 0xa7, 0x33, 0x2e, 0xf0, 0x7a, 0x1c, 0xdd, 0x3b,
-	0xbb, 0xd3, 0x7b, 0x34, 0xf9, 0x94, 0xe8, 0xec, 0x98, 0x30, 0xac, 0xc1, 0xe7, 0x81, 0xba, 0x14,
-	0x06, 0x2a, 0x48, 0x65, 0x28, 0x61, 0x85, 0x1a, 0x58, 0xf5, 0x1c, 0xa2, 0xb7, 0x97, 0x05, 0xfb,
-	0x7e, 0xaf, 0x24, 0x06, 0x3d, 0xe9, 0xcd, 0xd8, 0x21, 0xba, 0xb6, 0x21, 0xd9, 0x56, 0xf9, 0x13,
-	0x12, 0xb6, 0xf0, 0x08, 0xac, 0x79, 0x0c, 0x33, 0xdf, 0x6b, 0xaf, 0x08, 0x96, 0xee, 0xa5, 0x2c,
-	0x02, 0xa9, 0x6d, 0x49, 0x9e, 0xb5, 0xe8, 0x19, 0x49, 0x86, 0xee, 0x1f, 0x14, 0xd0, 0x94, 0xc8,
-	0xa1, 0xe9, 0x31, 0xf8, 0x64, 0xe1, 0x06, 0x7a, 0x57, 0xbb, 0x01, 0x6e, 0x2d, 0xde, 0xbf, 0x25,
-	0x4f, 0xaa, 0xc7, 0x92, 0xcc, 0xdb, 0xdf, 0x03, 0x35, 0x93, 0x91, 0xb9, 0xd7, 0x5e, 0xde, 0x5f,
-	0x39, 0x68, 0x1e, 0xbe, 0x76, 0x99, 0xe3, 0xda, 0xa6, 0x24, 0xaa, 0x3d, 0xe4, 0x26, 0x28, 0xb2,
-	0xec, 0xfe, 0x6d, 0x35, 0x71, 0x98, 0x5f, 0x09, 0x7c, 0x1b, 0xd4, 0x79, 0x60, 0x0d, 0xdf, 0x22,
-	0xc2, 0xe1, 0x46, 0xea, 0xc0, 0x58, 0xca, 0x51, 0x82, 0x80, 0x07, 0xa0, 0xce, 0x73, 0xe1, 0x63,
-	0x6a, 0x93, 0x76, 0x5d, 0xa0, 0x37, 0x38, 0xf2, 0x44, 0xca, 0x50, 0xa2, 0x85, 0x8f, 0xc1, 0x4d,
-	0x8f, 0x61, 0x97, 0x99, 0xf6, 0xec, 0x3e, 0xc1, 0x86, 0x65, 0xda, 0x64, 0x4c, 0x74, 0x6a, 0x1b,
-	0x9e, 0x88, 0xdd, 0x8a, 0xf6, 0xd5, 0x30, 0x50, 0x6f, 0x8e, 0xcb, 0x21, 0xa8, 0xca, 0x16, 0x3e,
-	0x01, 0x3b, 0x3a, 0xb5, 0x75, 0xdf, 0x75, 0x89, 0xad, 0x9f, 0x8f, 0xa8, 0x65, 0xea, 0xe7, 0x22,
-	0x8c, 0x0d, 0xad, 0x27, 0xfd, 0xde, 0x19, 0x14, 0x01, 0x17, 0x65, 0x42, 0xb4, 0x48, 0x04, 0xdf,
-	0x04, 0xeb, 0x9e, 0xef, 0x39, 0xc4, 0x36, 0xda, 0xab, 0xfb, 0xca, 0x41, 0x5d, 0x6b, 0x86, 0x81,
-	0xba, 0x3e, 0x8e, 0x44, 0x28, 0xd6, 0xc1, 0x4f, 0x40, 0xf3, 0x53, 0x3a, 0x39, 0x21, 0x73, 0xc7,
-	0xc2, 0x8c, 0xb4, 0x6b, 0x22, 0xce, 0x6f, 0x94, 0x06, 0xe3, 0x28, 0xc5, 0x89, 0x7c, 0xbc, 0x26,
-	0x9d, 0x6c, 0x66, 0x14, 0x28, 0xcb, 0x06, 0x7f, 0x06, 0xf6, 0x3c, 0x5f, 0xd7, 0x89, 0xe7, 0x4d,
-	0x7d, 0xeb, 0x88, 0x4e, 0xbc, 0x1f, 0x9a, 0x1e, 0xa3, 0xee, 0xf9, 0xd0, 0x9c, 0x9b, 0xac, 0xbd,
-	0xb6, 0xaf, 0x1c, 0xd4, 0xb4, 0x4e, 0x18, 0xa8, 0x7b, 0xe3, 0x4a, 0x14, 0xba, 0x84, 0x01, 0x22,
-	0x70, 0x63, 0x8a, 0x4d, 0x8b, 0x18, 0x0b, 0xdc, 0xeb, 0x82, 0x7b, 0x2f, 0x0c, 0xd4, 0x1b, 0x0f,
-	0x4a, 0x11, 0xa8, 0xc2, 0xb2, 0xfb, 0xe7, 0x65, 0xb0, 0x99, 0xab, 0x17, 0xf8, 0x21, 0x58, 0xc3,
-	0x3a, 0x33, 0xcf, 0x78, 0x52, 0xf1, 0x54, 0xbd, 0x95, 0xbd, 0x1d, 0xde, 0xe9, 0xd2, 0xaa, 0x47,
-	0x64, 0x4a, 0x78, 0x10, 0x48, 0x5a, 0x64, 0xf7, 0x84, 0x29, 0x92, 0x14, 0xd0, 0x02, 0x2d, 0x0b,
-	0x7b, 0x2c, 0xce, 0x47, 0x9e, 0x6d, 0x22, 0x3e, 0xcd, 0xc3, 0xaf, 0x5d, 0xad, 0xb8, 0xb8, 0x85,
-	0xb6, 0x1b, 0x06, 0x6a, 0x6b, 0x58, 0xe0, 0x41, 0x0b, 0xcc, 0xd0, 0x05, 0x50, 0xc8, 0x92, 0x2b,
-	0x14, 0xe7, 0xd5, 0x5e, 0xfa, 0xbc, 0x1b, 0x61, 0xa0, 0xc2, 0xe1, 0x02, 0x13, 0x2a, 0x61, 0xef,
-	0xfe, 0x4b, 0x01, 0x2b, 0xaf, 0xa6, 0x81, 0x7e, 0x3f, 0xd7, 0x40, 0x5f, 0xab, 0x4a, 0xda, 0xca,
-	0xe6, 0xf9, 0xa0, 0xd0, 0x3c, 0x3b, 0x95, 0x0c, 0x97, 0x37, 0xce, 0xbf, 0xae, 0x80, 0x8d, 0x23,
-	0x3a, 0x19, 0x50, 0xdb, 0x30, 0x99, 0x49, 0x6d, 0x78, 0x17, 0xac, 0xb2, 0x73, 0x27, 0x6e, 0x42,
-	0xfb, 0xf1, 0xd1, 0x27, 0xe7, 0x0e, 0xb9, 0x08, 0xd4, 0x56, 0x16, 0xcb, 0x65, 0x48, 0xa0, 0xe1,
-	0x30, 0x71, 0x67, 0x59, 0xd8, 0xdd, 0xcd, 0x1f, 0x77, 0x11, 0xa8, 0x25, 0x23, 0xb6, 0x97, 0x30,
-	0xe5, 0x9d, 0x82, 0x33, 0xb0, 0xc9, 0x83, 0x33, 0x72, 0xe9, 0x24, 0xca, 0xb2, 0x95, 0x97, 0x8e,
-	0xfa, 0x75, 0xe9, 0xc0, 0xe6, 0x30, 0x4b, 0x84, 0xf2, 0xbc, 0xf0, 0x2c, 0xca, 0xb1, 0x13, 0x17,
-	0xdb, 0x5e, 0xf4, 0x4a, 0x5f, 0x2e, 0xa7, 0xf7, 0xe4, 0x69, 0x22, 0xcf, 0xf2, 0x6c, 0xa8, 0xe4,
-	0x04, 0x78, 0x1b, 0xac, 0xb9, 0x04, 0x7b, 0xd4, 0x16, 0xf9, 0xdc, 0x48, 0xa3, 0x83, 0x84, 0x14,
-	0x49, 0x2d, 0x7c, 0x0b, 0xac, 0xcf, 0x89, 0xe7, 0xe1, 0x19, 0x11, 0x1d, 0xa7, 0xa1, 0x6d, 0x4b,
-	0xe0, 0xfa, 0x71, 0x24, 0x46, 0xb1, 0xbe, 0xfb, 0x7b, 0x05, 0xac, 0xbf, 0x9a, 0xe9, 0xf7, 0xbd,
-	0xfc, 0xf4, 0x6b, 0x57, 0x65, 0x5e, 0xc5, 0xe4, 0xfb, 0x5d, 0x43, 0x38, 0x2a, 0xa6, 0xde, 0x1d,
-	0xd0, 0x74, 0xb0, 0x8b, 0x2d, 0x8b, 0x58, 0xa6, 0x37, 0x17, 0xbe, 0xd6, 0xb4, 0x6d, 0xde, 0x97,
-	0x47, 0xa9, 0x18, 0x65, 0x31, 0xdc, 0x44, 0xa7, 0x73, 0xc7, 0x22, 0xfc, 0x32, 0xa3, 0x74, 0x93,
-	0x26, 0x83, 0x54, 0x8c, 0xb2, 0x18, 0xf8, 0x08, 0x5c, 0x8f, 0x3a, 0x58, 0x71, 0x02, 0xae, 0x88,
-	0x09, 0xf8, 0x95, 0x30, 0x50, 0xaf, 0xdf, 0x2b, 0x03, 0xa0, 0x72, 0x3b, 0x38, 0x03, 0x2d, 0x87,
-	0x1a, 0xbc, 0x39, 0xfb, 0x2e, 0x91, 0xc3, 0xaf, 0x29, 0xee, 0xf9, 0xcd, 0xd2, 0xcb, 0x18, 0x15,
-	0xc0, 0x51, 0x0f, 0x2c, 0x4a, 0xd1, 0x02, 0x29, 0xfc, 0x04, 0x6c, 0xca, 0x11, 0x22, 0x4f, 0x69,
-	0x5d, 0xb2, 0x29, 0x8d, 0xb3, 0x48, 0x6d, 0x87, 0x27, 0x7f, 0x4e, 0x84, 0xf2, 0x5c, 0xf0, 0x2e,
-	0xd8, 0x98, 0x60, 0xfd, 0x29, 0x9d, 0x4e, 0xb3, 0x73, 0xa7, 0x15, 0x06, 0xea, 0x86, 0x96, 0x91,
-	0xa3, 0x1c, 0x0a, 0x0e, 0xc1, 0x6e, 0xf6, 0x79, 0x44, 0xdc, 0x87, 0xb6, 0x41, 0x9e, 0xb5, 0x37,
-	0x84, 0x75, 0x3b, 0x0c, 0xd4, 0x5d, 0xad, 0x44, 0x8f, 0x4a, 0xad, 0xe0, 0xfb, 0xa0, 0x35, 0xc7,
-	0xcf, 0xa2, 0x31, 0x27, 0x24, 0xc4, 0x6b, 0x6f, 0x0a, 0x26, 0x71, 0x45, 0xc7, 0x05, 0x1d, 0x5a,
-	0x40, 0xc3, 0x9f, 0x82, 0xba, 0x47, 0x2c, 0xa2, 0x33, 0xea, 0xca, 0xc2, 0x7d, 0xf7, 0x8a, 0xb9,
-	0x8e, 0x27, 0xc4, 0x1a, 0x4b, 0xd3, 0x68, 0x7f, 0x8a, 0x9f, 0x50, 0x42, 0x09, 0xbf, 0x03, 0xb6,
-	0xe6, 0xd8, 0xf6, 0x71, 0x82, 0x14, 0x15, 0x5b, 0xd7, 0x60, 0x18, 0xa8, 0x5b, 0xc7, 0x39, 0x0d,
-	0x2a, 0x20, 0xe1, 0x8f, 0x40, 0x9d, 0xc5, 0xcb, 0xc9, 0x9a, 0x70, 0xad, 0x74, 0xfc, 0x8e, 0xa8,
-	0x91, 0xdb, 0x4d, 0x92, 0xda, 0x4b, 0x16, 0x93, 0x84, 0x86, 0xaf, 0x73, 0x8c, 0x59, 0x32, 0x0f,
-	0xef, 0x4d, 0x19, 0x71, 0x1f, 0x98, 0xb6, 0xe9, 0x9d, 0x12, 0x43, 0xec, 0x81, 0xb5, 0x68, 0x9d,
-	0x3b, 0x39, 0x19, 0x96, 0x41, 0x50, 0x95, 0x2d, 0x1c, 0x82, 0xad, 0xb4, 0x60, 0x8e, 0xa9, 0x41,
-	0xda, 0x0d, 0xd1, 0x6e, 0xde, 0xe0, 0x6f, 0x39, 0xc8, 0x69, 0x2e, 0x16, 0x24, 0xa8, 0x60, 0x9b,
-	0x5d, 0xdf, 0xc0, 0x25, 0xeb, 0x9b, 0x01, 0x76, 0x1d, 0x6a, 0x20, 0xe2, 0x58, 0x58, 0x27, 0x73,
-	0x62, 0x33, 0x99, 0xe3, 0x5b, 0xe2, 0xe8, 0x77, 0x78, 0x26, 0x8d, 0x4a, 0xf4, 0x17, 0x15, 0x72,
-	0x54, 0xca, 0x06, 0xbf, 0x0e, 0x1a, 0x73, 0x6c, 0xe3, 0x19, 0x31, 0xb4, 0xf3, 0xf6, 0xb6, 0xa0,
-	0xde, 0x0c, 0x03, 0xb5, 0x71, 0x1c, 0x0b, 0x51, 0xaa, 0xef, 0xfe, 0xa7, 0x06, 0x1a, 0xe9, 0xf2,
-	0xf4, 0x18, 0x00, 0x3d, 0x9e, 0x50, 0x9e, 0x5c, 0xa0, 0x5e, 0xaf, 0xea, 0x76, 0xc9, 0x2c, 0x4b,
-	0x07, 0x7f, 0x22, 0xf2, 0x50, 0x86, 0x08, 0xfe, 0x04, 0x34, 0xc4, 0x5a, 0x2d, 0x66, 0xcd, 0xf2,
-	0x4b, 0xcf, 0x1a, 0xe1, 0xfd, 0x38, 0x26, 0x40, 0x29, 0x17, 0x9c, 0x66, 0xa3, 0xf8, 0x25, 0xe7,
-	0x26, 0xcc, 0x47, 0x5c, 0x1c, 0x51, 0x60, 0xe5, 0xd3, 0x4b, 0x2e, 0x95, 0xab, 0x22, 0xe7, 0xaa,
-	0xf6, 0xc5, 0x3e, 0x68, 0x88, 0x8e, 0x43, 0x0c, 0x62, 0x88, 0xb2, 0xa9, 0x69, 0x3b, 0x12, 0xda,
-	0x18, 0xc7, 0x0a, 0x94, 0x62, 0x38, 0x71, 0xb4, 0xd9, 0xca, 0xfd, 0x3a, 0x21, 0x8e, 0x4a, 0x1e,
-	0x49, 0x2d, 0x9f, 0x01, 0x8c, 0xb8, 0x73, 0xd3, 0xc6, 0xfc, 0xdb, 0x44, 0xb4, 0x5e, 0x39, 0x03,
-	0x4e, 0x52, 0x31, 0xca, 0x62, 0xe0, 0x7d, 0xd0, 0x92, 0x6f, 0x91, 0x36, 0x9a, 0x75, 0x91, 0x0d,
-	0x6d, 0x79, 0x48, 0x6b, 0x50, 0xd0, 0xa3, 0x05, 0x0b, 0xf8, 0x1e, 0xd8, 0x9c, 0xe6, 0x7a, 0x15,
-	0x10, 0x14, 0xa2, 0xd7, 0xe6, 0x1b, 0x55, 0x1e, 0x07, 0x7f, 0xad, 0x80, 0x9b, 0xbe, 0xad, 0x53,
-	0xdf, 0x66, 0xc4, 0x88, 0x9d, 0x24, 0xc6, 0x88, 0x1a, 0x9e, 0x28, 0xdc, 0xe6, 0xe1, 0xdb, 0xa5,
-	0x89, 0xf5, 0xb8, 0xdc, 0x26, 0x2a, 0xf3, 0x0a, 0x25, 0xaa, 0x3a, 0x09, 0xaa, 0xa0, 0xe6, 0x12,
-	0x6c, 0x9c, 0x8b, 0xea, 0xae, 0x69, 0x0d, 0x3e, 0x9b, 0x11, 0x17, 0xa0, 0x48, 0xde, 0xfd, 0xa3,
-	0x02, 0xb6, 0x0b, 0x9f, 0x4a, 0xff, 0xff, 0xbb, 0x70, 0x77, 0x02, 0x16, 0x66, 0x29, 0xfc, 0x08,
-	0xd4, 0x5c, 0xdf, 0x22, 0x71, 0xd9, 0xbe, 0x75, 0xa5, 0xb9, 0x8c, 0x7c, 0x8b, 0xa4, 0x5b, 0x0b,
-	0x7f, 0xf2, 0x50, 0x44, 0xd3, 0xfd, 0xbb, 0x02, 0x6e, 0x17, 0xe1, 0x8f, 0xec, 0x1f, 0x3c, 0x33,
-	0xd9, 0x80, 0x1a, 0xc4, 0x43, 0xe4, 0x17, 0xbe, 0xe9, 0x8a, 0xbe, 0xc3, 0x93, 0x44, 0xa7, 0x36,
-	0xc3, 0xfc, 0x5a, 0x3e, 0xc2, 0xf3, 0x78, 0x95, 0x16, 0x49, 0x32, 0xc8, 0x2a, 0x50, 0x1e, 0x07,
-	0xc7, 0xa0, 0x4e, 0x1d, 0xe2, 0x62, 0x3e, 0x65, 0xa2, 0x35, 0xfa, 0xbd, 0x78, 0x14, 0x3c, 0x92,
-	0xf2, 0x8b, 0x40, 0xbd, 0x75, 0x89, 0x1b, 0x31, 0x0c, 0x25, 0x44, 0xb0, 0x0b, 0xd6, 0xce, 0xb0,
-	0xe5, 0x13, 0xbe, 0xed, 0xac, 0x1c, 0xd4, 0x34, 0xc0, 0xeb, 0xe9, 0xc7, 0x42, 0x82, 0xa4, 0xa6,
-	0xfb, 0x97, 0xd2, 0x97, 0x1b, 0x51, 0x23, 0xed, 0x60, 0x23, 0xcc, 0x18, 0x71, 0x6d, 0xf8, 0x41,
-	0xee, 0xf3, 0xe0, 0xdd, 0xc2, 0xe7, 0xc1, 0xad, 0x92, 0x25, 0x3f, 0x4b, 0xf3, 0xbf, 0xfa, 0x62,
-	0xe8, 0x3e, 0x5f, 0x06, 0xbb, 0x65, 0xd1, 0x84, 0xef, 0x47, 0xbd, 0x8a, 0xda, 0xd2, 0xe3, 0x83,
-	0x6c, 0xaf, 0xa2, 0xf6, 0x45, 0xa0, 0xde, 0x28, 0xda, 0x45, 0x1a, 0x24, 0xed, 0xa0, 0x0d, 0x9a,
-	0x34, 0xbd, 0x61, 0x99, 0xa4, 0xdf, 0xbd, 0x52, 0x3e, 0x95, 0x27, 0x48, 0xd4, 0xa9, 0xb2, 0xba,
-	0xec, 0x01, 0xf0, 0x97, 0x60, 0x9b, 0xe6, 0xef, 0x5e, 0x44, 0xee, 0xea, 0x67, 0x96, 0xc5, 0x4d,
-	0xbb, 0x29, 0xdf, 0x7b, 0xbb, 0xa0, 0x47, 0xc5, 0xc3, 0xba, 0x4f, 0x40, 0x7e, 0x6d, 0x84, 0x1f,
-	0xe6, 0x4b, 0xe9, 0xf6, 0x17, 0x2f, 0x9f, 0x97, 0xd4, 0xd1, 0x6f, 0x15, 0xb0, 0xb3, 0x80, 0xe5,
-	0x6b, 0x60, 0x32, 0x05, 0xe2, 0xd6, 0x1a, 0xc5, 0x4b, 0xac, 0x81, 0xe3, 0x82, 0x0e, 0x2d, 0xa0,
-	0xf9, 0x9e, 0x96, 0xc8, 0x06, 0xbc, 0xf9, 0xc9, 0x2f, 0x03, 0x31, 0xcf, 0xc6, 0x39, 0x0d, 0x2a,
-	0x20, 0xbb, 0x7f, 0x52, 0x40, 0x55, 0x2f, 0x85, 0xa3, 0xec, 0x0c, 0xe3, 0x17, 0xd0, 0xd0, 0x0e,
-	0x73, 0xf3, 0xeb, 0x22, 0x50, 0x5f, 0xaf, 0xfa, 0xcb, 0x96, 0x27, 0xba, 0xd7, 0x7b, 0xfc, 0xf0,
-	0x7e, 0x76, 0xc8, 0x7d, 0x90, 0x0c, 0xb9, 0x65, 0x41, 0xd7, 0x4f, 0x07, 0xdc, 0xd5, 0xb8, 0xa4,
-	0xb9, 0xf6, 0xed, 0xe7, 0x2f, 0x3a, 0x4b, 0x9f, 0xbd, 0xe8, 0x2c, 0x7d, 0xfe, 0xa2, 0xb3, 0xf4,
-	0xab, 0xb0, 0xa3, 0x3c, 0x0f, 0x3b, 0xca, 0x67, 0x61, 0x47, 0xf9, 0x3c, 0xec, 0x28, 0xff, 0x08,
-	0x3b, 0xca, 0x6f, 0xfe, 0xd9, 0x59, 0xfa, 0xf8, 0x5a, 0xc9, 0x7f, 0xe8, 0xff, 0x0d, 0x00, 0x00,
-	0xff, 0xff, 0x1e, 0x70, 0x68, 0xe1, 0x59, 0x17, 0x00, 0x00,
-}
+func (m *UncountedTerminatedPods) Reset() { *m = UncountedTerminatedPods{} }
 
 func (m *CronJob) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/batch/v1/generated.proto b/staging/src/k8s.io/api/batch/v1/generated.proto
index c0ce8cef26cb2..ca8248ff5b6cd 100644
--- a/staging/src/k8s.io/api/batch/v1/generated.proto
+++ b/staging/src/k8s.io/api/batch/v1/generated.proto
@@ -342,9 +342,6 @@ message JobSpec {
   // by RFC 1123. All characters trailing the first "/" must be valid HTTP Path
   // characters as defined by RFC 3986. The value cannot exceed 63 characters.
   // This field is immutable.
-  //
-  // This field is beta-level. The job controller accepts setting the field
-  // when the feature gate JobManagedBy is enabled (enabled by default).
   // +optional
   optional string managedBy = 15;
 }
@@ -532,6 +529,7 @@ message PodFailurePolicyOnPodConditionsPattern {
   // Specifies the required Pod condition status. To match a pod condition
   // it is required that the specified status equals the pod condition status.
   // Defaults to True.
+  // +optional
   optional string status = 2;
 }
 
diff --git a/staging/src/k8s.io/api/batch/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/batch/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..82928e07d1ede
--- /dev/null
+++ b/staging/src/k8s.io/api/batch/v1/generated.protomessage.pb.go
@@ -0,0 +1,56 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*CronJob) ProtoMessage() {}
+
+func (*CronJobList) ProtoMessage() {}
+
+func (*CronJobSpec) ProtoMessage() {}
+
+func (*CronJobStatus) ProtoMessage() {}
+
+func (*Job) ProtoMessage() {}
+
+func (*JobCondition) ProtoMessage() {}
+
+func (*JobList) ProtoMessage() {}
+
+func (*JobSpec) ProtoMessage() {}
+
+func (*JobStatus) ProtoMessage() {}
+
+func (*JobTemplateSpec) ProtoMessage() {}
+
+func (*PodFailurePolicy) ProtoMessage() {}
+
+func (*PodFailurePolicyOnExitCodesRequirement) ProtoMessage() {}
+
+func (*PodFailurePolicyOnPodConditionsPattern) ProtoMessage() {}
+
+func (*PodFailurePolicyRule) ProtoMessage() {}
+
+func (*SuccessPolicy) ProtoMessage() {}
+
+func (*SuccessPolicyRule) ProtoMessage() {}
+
+func (*UncountedTerminatedPods) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/batch/v1/types.go b/staging/src/k8s.io/api/batch/v1/types.go
index 9183c073d2ae3..26d0ee6dc4a89 100644
--- a/staging/src/k8s.io/api/batch/v1/types.go
+++ b/staging/src/k8s.io/api/batch/v1/types.go
@@ -209,6 +209,7 @@ type PodFailurePolicyOnPodConditionsPattern struct {
 	// Specifies the required Pod condition status. To match a pod condition
 	// it is required that the specified status equals the pod condition status.
 	// Defaults to True.
+	// +optional
 	Status corev1.ConditionStatus `json:"status" protobuf:"bytes,2,req,name=status"`
 }
 
@@ -468,9 +469,6 @@ type JobSpec struct {
 	// by RFC 1123. All characters trailing the first "/" must be valid HTTP Path
 	// characters as defined by RFC 3986. The value cannot exceed 63 characters.
 	// This field is immutable.
-	//
-	// This field is beta-level. The job controller accepts setting the field
-	// when the feature gate JobManagedBy is enabled (enabled by default).
 	// +optional
 	ManagedBy *string `json:"managedBy,omitempty" protobuf:"bytes,15,opt,name=managedBy"`
 }
diff --git a/staging/src/k8s.io/api/batch/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/batch/v1/types_swagger_doc_generated.go
index 451f4609f2d89..267df4292662a 100644
--- a/staging/src/k8s.io/api/batch/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/batch/v1/types_swagger_doc_generated.go
@@ -127,7 +127,7 @@ var map_JobSpec = map[string]string{
 	"completionMode":          "completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.\n\n`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.\n\n`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, the Pod hostname takes the form `$(job-name)-$(index)`.\n\nMore completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, which is possible during upgrades due to version skew, the controller skips updates for the Job.",
 	"suspend":                 "suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.",
 	"podReplacementPolicy":    "podReplacementPolicy specifies when to create replacement Pods. Possible values are: - TerminatingOrFailed means that we recreate pods\n  when they are terminating (has a metadata.deletionTimestamp) or failed.\n- Failed means to wait until a previously created Pod is fully terminated (has phase\n  Failed or Succeeded) before creating a replacement Pod.\n\nWhen using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.",
-	"managedBy":               "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.\n\nThis field is beta-level. The job controller accepts setting the field when the feature gate JobManagedBy is enabled (enabled by default).",
+	"managedBy":               "ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This field is immutable.",
 }
 
 func (JobSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/batch/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/batch/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..c5b86f29cdf27
--- /dev/null
+++ b/staging/src/k8s.io/api/batch/v1/zz_generated.model_name.go
@@ -0,0 +1,107 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJob) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.CronJob"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobList) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.CronJobList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobSpec) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.CronJobSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobStatus) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.CronJobStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Job) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.Job"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobCondition) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.JobCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobList) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.JobList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobSpec) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.JobSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobStatus) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.JobStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.JobTemplateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodFailurePolicy) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.PodFailurePolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodFailurePolicyOnExitCodesRequirement) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodFailurePolicyOnPodConditionsPattern) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodFailurePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.PodFailurePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SuccessPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.SuccessPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SuccessPolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.SuccessPolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UncountedTerminatedPods) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1.UncountedTerminatedPods"
+}
diff --git a/staging/src/k8s.io/api/batch/v1beta1/doc.go b/staging/src/k8s.io/api/batch/v1beta1/doc.go
index 3430d6939d47f..b71088480abc7 100644
--- a/staging/src/k8s.io/api/batch/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/batch/v1beta1/doc.go
@@ -18,5 +18,6 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.batch.v1beta1
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/batch/v1beta1/generated.pb.go b/staging/src/k8s.io/api/batch/v1beta1/generated.pb.go
index 895d9c91966ad..5e0888a6a0e77 100644
--- a/staging/src/k8s.io/api/batch/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/batch/v1beta1/generated.pb.go
@@ -24,231 +24,23 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CronJob) Reset() { *m = CronJob{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CronJobList) Reset() { *m = CronJobList{} }
 
-func (m *CronJob) Reset()      { *m = CronJob{} }
-func (*CronJob) ProtoMessage() {}
-func (*CronJob) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ed95843ae7b4086b, []int{0}
-}
-func (m *CronJob) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJob) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJob) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJob.Merge(m, src)
-}
-func (m *CronJob) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJob) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJob.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CronJob proto.InternalMessageInfo
-
-func (m *CronJobList) Reset()      { *m = CronJobList{} }
-func (*CronJobList) ProtoMessage() {}
-func (*CronJobList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ed95843ae7b4086b, []int{1}
-}
-func (m *CronJobList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobList.Merge(m, src)
-}
-func (m *CronJobList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CronJobList proto.InternalMessageInfo
-
-func (m *CronJobSpec) Reset()      { *m = CronJobSpec{} }
-func (*CronJobSpec) ProtoMessage() {}
-func (*CronJobSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ed95843ae7b4086b, []int{2}
-}
-func (m *CronJobSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobSpec.Merge(m, src)
-}
-func (m *CronJobSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobSpec.DiscardUnknown(m)
-}
+func (m *CronJobSpec) Reset() { *m = CronJobSpec{} }
 
-var xxx_messageInfo_CronJobSpec proto.InternalMessageInfo
+func (m *CronJobStatus) Reset() { *m = CronJobStatus{} }
 
-func (m *CronJobStatus) Reset()      { *m = CronJobStatus{} }
-func (*CronJobStatus) ProtoMessage() {}
-func (*CronJobStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ed95843ae7b4086b, []int{3}
-}
-func (m *CronJobStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CronJobStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CronJobStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CronJobStatus.Merge(m, src)
-}
-func (m *CronJobStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CronJobStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CronJobStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CronJobStatus proto.InternalMessageInfo
-
-func (m *JobTemplateSpec) Reset()      { *m = JobTemplateSpec{} }
-func (*JobTemplateSpec) ProtoMessage() {}
-func (*JobTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ed95843ae7b4086b, []int{4}
-}
-func (m *JobTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JobTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JobTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JobTemplateSpec.Merge(m, src)
-}
-func (m *JobTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *JobTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_JobTemplateSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_JobTemplateSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CronJob)(nil), "k8s.io.api.batch.v1beta1.CronJob")
-	proto.RegisterType((*CronJobList)(nil), "k8s.io.api.batch.v1beta1.CronJobList")
-	proto.RegisterType((*CronJobSpec)(nil), "k8s.io.api.batch.v1beta1.CronJobSpec")
-	proto.RegisterType((*CronJobStatus)(nil), "k8s.io.api.batch.v1beta1.CronJobStatus")
-	proto.RegisterType((*JobTemplateSpec)(nil), "k8s.io.api.batch.v1beta1.JobTemplateSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/batch/v1beta1/generated.proto", fileDescriptor_ed95843ae7b4086b)
-}
-
-var fileDescriptor_ed95843ae7b4086b = []byte{
-	// 771 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x95, 0xcf, 0x8f, 0xdb, 0x44,
-	0x14, 0xc7, 0xe3, 0x6c, 0x7e, 0x75, 0xd2, 0xc2, 0x76, 0x40, 0x5b, 0x2b, 0x20, 0x3b, 0xa4, 0xaa,
-	0x08, 0x08, 0xc6, 0xec, 0x0a, 0x21, 0x4e, 0x95, 0x70, 0x51, 0x81, 0x25, 0xa8, 0x68, 0x52, 0x2e,
-	0x55, 0x85, 0x3a, 0x9e, 0x4c, 0x92, 0xe9, 0xda, 0x1e, 0xcb, 0x33, 0x5e, 0x29, 0x37, 0x2e, 0xdc,
-	0xf9, 0x5f, 0xb8, 0x73, 0xde, 0x63, 0x6f, 0xf4, 0x64, 0xb1, 0xe6, 0xbf, 0xe0, 0x84, 0x66, 0xe2,
-	0x4d, 0xd2, 0xc4, 0xe9, 0x96, 0x0b, 0xb7, 0xcc, 0xf3, 0xf7, 0xfb, 0x99, 0xa7, 0xf7, 0xde, 0xbc,
-	0x80, 0xe1, 0xd9, 0x97, 0x12, 0x71, 0xe1, 0x91, 0x84, 0x7b, 0x01, 0x51, 0x74, 0xee, 0x9d, 0x1f,
-	0x07, 0x4c, 0x91, 0x63, 0x6f, 0xc6, 0x62, 0x96, 0x12, 0xc5, 0x26, 0x28, 0x49, 0x85, 0x12, 0xd0,
-	0x5e, 0x2a, 0x11, 0x49, 0x38, 0x32, 0x4a, 0x54, 0x2a, 0x7b, 0x9f, 0xce, 0xb8, 0x9a, 0x67, 0x01,
-	0xa2, 0x22, 0xf2, 0x66, 0x62, 0x26, 0x3c, 0x63, 0x08, 0xb2, 0xa9, 0x39, 0x99, 0x83, 0xf9, 0xb5,
-	0x04, 0xf5, 0xee, 0x56, 0x5c, 0xb9, 0x7d, 0x5b, 0x6f, 0xb0, 0x21, 0xa2, 0x22, 0x65, 0x55, 0x9a,
-	0xcf, 0xd7, 0x9a, 0x88, 0xd0, 0x39, 0x8f, 0x59, 0xba, 0xf0, 0x92, 0xb3, 0x99, 0x0e, 0x48, 0x2f,
-	0x62, 0x8a, 0x54, 0xb9, 0xbc, 0x7d, 0xae, 0x34, 0x8b, 0x15, 0x8f, 0xd8, 0x8e, 0xe1, 0x8b, 0xeb,
-	0x0c, 0x92, 0xce, 0x59, 0x44, 0xb6, 0x7d, 0x83, 0x5f, 0xeb, 0xa0, 0xfd, 0x20, 0x15, 0xf1, 0xa9,
-	0x08, 0xe0, 0x33, 0xd0, 0xd1, 0xf9, 0x4c, 0x88, 0x22, 0xb6, 0xd5, 0xb7, 0x86, 0xdd, 0x93, 0xcf,
-	0xd0, 0xba, 0x9e, 0x2b, 0x2c, 0x4a, 0xce, 0x66, 0x3a, 0x20, 0x91, 0x56, 0xa3, 0xf3, 0x63, 0xf4,
-	0x28, 0x78, 0xce, 0xa8, 0xfa, 0x81, 0x29, 0xe2, 0xc3, 0x8b, 0xdc, 0xad, 0x15, 0xb9, 0x0b, 0xd6,
-	0x31, 0xbc, 0xa2, 0xc2, 0x6f, 0x40, 0x43, 0x26, 0x8c, 0xda, 0x75, 0x43, 0xbf, 0x87, 0xf6, 0x75,
-	0x0b, 0x95, 0x29, 0x8d, 0x13, 0x46, 0xfd, 0x9b, 0x25, 0xb2, 0xa1, 0x4f, 0xd8, 0x00, 0xe0, 0x23,
-	0xd0, 0x92, 0x8a, 0xa8, 0x4c, 0xda, 0x07, 0x06, 0xf5, 0xe1, 0xf5, 0x28, 0x23, 0xf7, 0xdf, 0x2a,
-	0x61, 0xad, 0xe5, 0x19, 0x97, 0x98, 0xc1, 0xef, 0x16, 0xe8, 0x96, 0xca, 0x11, 0x97, 0x0a, 0x3e,
-	0xdd, 0xa9, 0x05, 0x7a, 0xb3, 0x5a, 0x68, 0xb7, 0xa9, 0xc4, 0x61, 0x79, 0x53, 0xe7, 0x2a, 0xb2,
-	0x51, 0x87, 0x87, 0xa0, 0xc9, 0x15, 0x8b, 0xa4, 0x5d, 0xef, 0x1f, 0x0c, 0xbb, 0x27, 0x1f, 0x5c,
-	0x9b, 0xbd, 0x7f, 0xab, 0xa4, 0x35, 0xbf, 0xd3, 0x3e, 0xbc, 0xb4, 0x0f, 0xfe, 0x6c, 0xac, 0xb2,
-	0xd6, 0xc5, 0x81, 0x9f, 0x80, 0x8e, 0xee, 0xf3, 0x24, 0x0b, 0x99, 0xc9, 0xfa, 0xc6, 0x3a, 0x8b,
-	0x71, 0x19, 0xc7, 0x2b, 0x05, 0x1c, 0x82, 0x8e, 0x1e, 0x8d, 0x27, 0x22, 0x66, 0x76, 0xc7, 0xa8,
-	0x6f, 0x6a, 0xe5, 0xe3, 0x32, 0x86, 0x57, 0x5f, 0xe1, 0x4f, 0xe0, 0x8e, 0x54, 0x24, 0x55, 0x3c,
-	0x9e, 0x7d, 0xcd, 0xc8, 0x24, 0xe4, 0x31, 0x1b, 0x33, 0x2a, 0xe2, 0x89, 0x34, 0xad, 0x3c, 0xf0,
-	0xdf, 0x2b, 0x72, 0xf7, 0xce, 0xb8, 0x5a, 0x82, 0xf7, 0x79, 0xe1, 0x53, 0x70, 0x9b, 0x8a, 0x98,
-	0x66, 0x69, 0xca, 0x62, 0xba, 0xf8, 0x51, 0x84, 0x9c, 0x2e, 0x4c, 0x43, 0x6f, 0xf8, 0xa8, 0xcc,
-	0xfb, 0xf6, 0x83, 0x6d, 0xc1, 0x3f, 0x55, 0x41, 0xbc, 0x0b, 0x82, 0xf7, 0x40, 0x5b, 0x66, 0x32,
-	0x61, 0xf1, 0xc4, 0x6e, 0xf4, 0xad, 0x61, 0xc7, 0xef, 0x16, 0xb9, 0xdb, 0x1e, 0x2f, 0x43, 0xf8,
-	0xea, 0x1b, 0x7c, 0x06, 0xba, 0xcf, 0x45, 0xf0, 0x98, 0x45, 0x49, 0x48, 0x14, 0xb3, 0x9b, 0xa6,
-	0xd9, 0x1f, 0xed, 0xef, 0xc8, 0xe9, 0x5a, 0x6c, 0xc6, 0xf3, 0x9d, 0x32, 0xd3, 0xee, 0xc6, 0x07,
-	0xbc, 0x89, 0x84, 0x3f, 0x83, 0x9e, 0xcc, 0x28, 0x65, 0x52, 0x4e, 0xb3, 0xf0, 0x54, 0x04, 0xf2,
-	0x5b, 0x2e, 0x95, 0x48, 0x17, 0x23, 0x1e, 0x71, 0x65, 0xb7, 0xfa, 0xd6, 0xb0, 0xe9, 0x3b, 0x45,
-	0xee, 0xf6, 0xc6, 0x7b, 0x55, 0xf8, 0x35, 0x04, 0x88, 0xc1, 0xd1, 0x94, 0xf0, 0x90, 0x4d, 0x76,
-	0xd8, 0x6d, 0xc3, 0xee, 0x15, 0xb9, 0x7b, 0xf4, 0xb0, 0x52, 0x81, 0xf7, 0x38, 0x07, 0x7f, 0xd4,
-	0xc1, 0xad, 0x57, 0x5e, 0x0e, 0xfc, 0x1e, 0xb4, 0x08, 0x55, 0xfc, 0x5c, 0x4f, 0x96, 0x1e, 0xda,
-	0xbb, 0x9b, 0x25, 0xd2, 0xdb, 0x6f, 0xbd, 0x09, 0x30, 0x9b, 0x32, 0xdd, 0x09, 0xb6, 0x7e, 0x6e,
-	0x5f, 0x19, 0x2b, 0x2e, 0x11, 0x30, 0x04, 0x87, 0x21, 0x91, 0xea, 0x6a, 0x28, 0xf5, 0xc8, 0x99,
-	0x26, 0x75, 0x4f, 0x3e, 0x7e, 0xb3, 0x67, 0xa6, 0x1d, 0xfe, 0xbb, 0x45, 0xee, 0x1e, 0x8e, 0xb6,
-	0x38, 0x78, 0x87, 0x0c, 0x53, 0x00, 0x4d, 0x6c, 0x55, 0x42, 0x73, 0x5f, 0xf3, 0x3f, 0xdf, 0x77,
-	0x54, 0xe4, 0x2e, 0x1c, 0xed, 0x90, 0x70, 0x05, 0x5d, 0x2f, 0x94, 0xb7, 0xb7, 0x46, 0xe5, 0x7f,
-	0x58, 0xb0, 0xf7, 0x5f, 0x59, 0xb0, 0xef, 0x57, 0x4d, 0x31, 0x7a, 0xcd, 0x5e, 0xf5, 0xef, 0x5f,
-	0x5c, 0x3a, 0xb5, 0x17, 0x97, 0x4e, 0xed, 0xe5, 0xa5, 0x53, 0xfb, 0xa5, 0x70, 0xac, 0x8b, 0xc2,
-	0xb1, 0x5e, 0x14, 0x8e, 0xf5, 0xb2, 0x70, 0xac, 0xbf, 0x0a, 0xc7, 0xfa, 0xed, 0x6f, 0xa7, 0xf6,
-	0xc4, 0xde, 0xf7, 0x7f, 0xfc, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x9e, 0xaa, 0x2c, 0x86, 0xaa,
-	0x07, 0x00, 0x00,
-}
+func (m *JobTemplateSpec) Reset() { *m = JobTemplateSpec{} }
 
 func (m *CronJob) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/batch/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/batch/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..57520d7aff6db
--- /dev/null
+++ b/staging/src/k8s.io/api/batch/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*CronJob) ProtoMessage() {}
+
+func (*CronJobList) ProtoMessage() {}
+
+func (*CronJobSpec) ProtoMessage() {}
+
+func (*CronJobStatus) ProtoMessage() {}
+
+func (*JobTemplateSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/batch/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/batch/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..77fe2f6629f90
--- /dev/null
+++ b/staging/src/k8s.io/api/batch/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJob) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1beta1.CronJob"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobList) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1beta1.CronJobList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobSpec) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1beta1.CronJobSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobStatus) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1beta1.CronJobStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.batch.v1beta1.JobTemplateSpec"
+}
diff --git a/staging/src/k8s.io/api/certificates/v1/doc.go b/staging/src/k8s.io/api/certificates/v1/doc.go
index 6c16fc29b877a..3ed26758fba00 100644
--- a/staging/src/k8s.io/api/certificates/v1/doc.go
+++ b/staging/src/k8s.io/api/certificates/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.certificates.v1
+
 // +groupName=certificates.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/certificates/v1/generated.pb.go b/staging/src/k8s.io/api/certificates/v1/generated.pb.go
index cba4a8ea49260..e47a42e62e781 100644
--- a/staging/src/k8s.io/api/certificates/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/certificates/v1/generated.pb.go
@@ -23,270 +23,26 @@ import (
 	fmt "fmt"
 
 	io "io"
-
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+	"sort"
 
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CertificateSigningRequest) Reset() { *m = CertificateSigningRequest{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CertificateSigningRequestCondition) Reset() { *m = CertificateSigningRequestCondition{} }
 
-func (m *CertificateSigningRequest) Reset()      { *m = CertificateSigningRequest{} }
-func (*CertificateSigningRequest) ProtoMessage() {}
-func (*CertificateSigningRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{0}
-}
-func (m *CertificateSigningRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequest.Merge(m, src)
-}
-func (m *CertificateSigningRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequest.DiscardUnknown(m)
-}
+func (m *CertificateSigningRequestList) Reset() { *m = CertificateSigningRequestList{} }
 
-var xxx_messageInfo_CertificateSigningRequest proto.InternalMessageInfo
+func (m *CertificateSigningRequestSpec) Reset() { *m = CertificateSigningRequestSpec{} }
 
-func (m *CertificateSigningRequestCondition) Reset()      { *m = CertificateSigningRequestCondition{} }
-func (*CertificateSigningRequestCondition) ProtoMessage() {}
-func (*CertificateSigningRequestCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{1}
-}
-func (m *CertificateSigningRequestCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestCondition.Merge(m, src)
-}
-func (m *CertificateSigningRequestCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CertificateSigningRequestCondition proto.InternalMessageInfo
+func (m *CertificateSigningRequestStatus) Reset() { *m = CertificateSigningRequestStatus{} }
 
-func (m *CertificateSigningRequestList) Reset()      { *m = CertificateSigningRequestList{} }
-func (*CertificateSigningRequestList) ProtoMessage() {}
-func (*CertificateSigningRequestList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{2}
-}
-func (m *CertificateSigningRequestList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestList.Merge(m, src)
-}
-func (m *CertificateSigningRequestList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CertificateSigningRequestList proto.InternalMessageInfo
-
-func (m *CertificateSigningRequestSpec) Reset()      { *m = CertificateSigningRequestSpec{} }
-func (*CertificateSigningRequestSpec) ProtoMessage() {}
-func (*CertificateSigningRequestSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{3}
-}
-func (m *CertificateSigningRequestSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestSpec.Merge(m, src)
-}
-func (m *CertificateSigningRequestSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CertificateSigningRequestSpec proto.InternalMessageInfo
-
-func (m *CertificateSigningRequestStatus) Reset()      { *m = CertificateSigningRequestStatus{} }
-func (*CertificateSigningRequestStatus) ProtoMessage() {}
-func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{4}
-}
-func (m *CertificateSigningRequestStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestStatus.Merge(m, src)
-}
-func (m *CertificateSigningRequestStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CertificateSigningRequestStatus proto.InternalMessageInfo
-
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f7d41da689f96f7, []int{5}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CertificateSigningRequest)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequest")
-	proto.RegisterType((*CertificateSigningRequestCondition)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequestCondition")
-	proto.RegisterType((*CertificateSigningRequestList)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequestList")
-	proto.RegisterType((*CertificateSigningRequestSpec)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequestSpec")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequestSpec.ExtraEntry")
-	proto.RegisterType((*CertificateSigningRequestStatus)(nil), "k8s.io.api.certificates.v1.CertificateSigningRequestStatus")
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.certificates.v1.ExtraValue")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/certificates/v1/generated.proto", fileDescriptor_5f7d41da689f96f7)
-}
-
-var fileDescriptor_5f7d41da689f96f7 = []byte{
-	// 896 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xf7, 0xc6, 0x7f, 0x62, 0x8f, 0x43, 0xda, 0x8e, 0xa0, 0x5a, 0x2c, 0xd5, 0x6b, 0xad, 0xa0,
-	0x0a, 0x15, 0xcc, 0x92, 0xa8, 0x40, 0x28, 0x08, 0xa1, 0x4d, 0x23, 0x54, 0x91, 0x82, 0x34, 0x49,
-	0x38, 0x14, 0x0e, 0x9d, 0xac, 0x5f, 0x37, 0xd3, 0x74, 0xff, 0xb0, 0x33, 0x6b, 0xd5, 0xb7, 0x7e,
-	0x04, 0x8e, 0x1c, 0xf9, 0x02, 0x7c, 0x06, 0xae, 0x39, 0xf6, 0x58, 0x24, 0x64, 0x11, 0xf7, 0x5b,
-	0xe4, 0x84, 0x66, 0x76, 0xbc, 0x76, 0x9c, 0xb8, 0x0d, 0xb9, 0x79, 0x7e, 0xf3, 0x7b, 0xbf, 0xdf,
-	0x7b, 0x6f, 0xdf, 0x1b, 0x19, 0xdd, 0x39, 0xda, 0x14, 0x84, 0x27, 0x1e, 0x4b, 0xb9, 0x17, 0x40,
-	0x26, 0xf9, 0x13, 0x1e, 0x30, 0x09, 0xc2, 0x1b, 0xac, 0x7b, 0x21, 0xc4, 0x90, 0x31, 0x09, 0x7d,
-	0x92, 0x66, 0x89, 0x4c, 0x70, 0xa7, 0xe0, 0x12, 0x96, 0x72, 0x32, 0xcb, 0x25, 0x83, 0xf5, 0xce,
-	0x27, 0x21, 0x97, 0x87, 0xf9, 0x01, 0x09, 0x92, 0xc8, 0x0b, 0x93, 0x30, 0xf1, 0x74, 0xc8, 0x41,
-	0xfe, 0x44, 0x9f, 0xf4, 0x41, 0xff, 0x2a, 0xa4, 0x3a, 0xee, 0xac, 0x6d, 0x92, 0xc1, 0x05, 0x76,
-	0x9d, 0xbb, 0x53, 0x4e, 0xc4, 0x82, 0x43, 0x1e, 0x43, 0x36, 0xf4, 0xd2, 0xa3, 0x50, 0x01, 0xc2,
-	0x8b, 0x40, 0xb2, 0x8b, 0xa2, 0xbc, 0x45, 0x51, 0x59, 0x1e, 0x4b, 0x1e, 0xc1, 0xb9, 0x80, 0xcf,
-	0xdf, 0x16, 0x20, 0x82, 0x43, 0x88, 0xd8, 0x7c, 0x9c, 0xfb, 0xd7, 0x12, 0x7a, 0x7f, 0x6b, 0xda,
-	0x85, 0x5d, 0x1e, 0xc6, 0x3c, 0x0e, 0x29, 0xfc, 0x9a, 0x83, 0x90, 0xf8, 0x31, 0x6a, 0xaa, 0x0c,
-	0xfb, 0x4c, 0x32, 0xdb, 0xea, 0x59, 0x6b, 0xed, 0x8d, 0x4f, 0xc9, 0xb4, 0x7d, 0xa5, 0x11, 0x49,
-	0x8f, 0x42, 0x05, 0x08, 0xa2, 0xd8, 0x64, 0xb0, 0x4e, 0x7e, 0x3c, 0x78, 0x0a, 0x81, 0x7c, 0x08,
-	0x92, 0xf9, 0xf8, 0x78, 0xe4, 0x54, 0xc6, 0x23, 0x07, 0x4d, 0x31, 0x5a, 0xaa, 0xe2, 0x9f, 0x51,
-	0x4d, 0xa4, 0x10, 0xd8, 0x4b, 0x5a, 0xfd, 0x4b, 0xb2, 0xf8, 0xe3, 0x90, 0x85, 0x69, 0xee, 0xa6,
-	0x10, 0xf8, 0x2b, 0xc6, 0xa6, 0xa6, 0x4e, 0x54, 0x8b, 0xe2, 0x00, 0x35, 0x84, 0x64, 0x32, 0x17,
-	0x76, 0x55, 0xcb, 0x7f, 0x75, 0x35, 0x79, 0x2d, 0xe1, 0xaf, 0x1a, 0x83, 0x46, 0x71, 0xa6, 0x46,
-	0xda, 0x7d, 0x5d, 0x45, 0xee, 0xc2, 0xd8, 0xad, 0x24, 0xee, 0x73, 0xc9, 0x93, 0x18, 0x6f, 0xa2,
-	0x9a, 0x1c, 0xa6, 0xa0, 0xdb, 0xd8, 0xf2, 0x3f, 0x98, 0x64, 0xbb, 0x37, 0x4c, 0xe1, 0x74, 0xe4,
-	0xbc, 0x3b, 0xcf, 0x57, 0x38, 0xd5, 0x11, 0x78, 0xa7, 0xac, 0xa2, 0xa1, 0x63, 0xef, 0x9e, 0x4d,
-	0xe4, 0x74, 0xe4, 0x5c, 0x30, 0x87, 0xa4, 0x54, 0x3a, 0x9b, 0x2e, 0xbe, 0x8d, 0x1a, 0x19, 0x30,
-	0x91, 0xc4, 0xba, 0xe5, 0xad, 0x69, 0x59, 0x54, 0xa3, 0xd4, 0xdc, 0xe2, 0x8f, 0xd0, 0x72, 0x04,
-	0x42, 0xb0, 0x10, 0x74, 0xf3, 0x5a, 0xfe, 0x35, 0x43, 0x5c, 0x7e, 0x58, 0xc0, 0x74, 0x72, 0x8f,
-	0x9f, 0xa2, 0xd5, 0x67, 0x4c, 0xc8, 0xfd, 0xb4, 0xcf, 0x24, 0xec, 0xf1, 0x08, 0xec, 0x9a, 0x6e,
-	0xf7, 0x9d, 0xcb, 0xcd, 0x8a, 0x8a, 0xf0, 0x6f, 0x1a, 0xf5, 0xd5, 0x9d, 0x33, 0x4a, 0x74, 0x4e,
-	0x19, 0x0f, 0x10, 0x56, 0xc8, 0x5e, 0xc6, 0x62, 0x51, 0x34, 0x4a, 0xf9, 0xd5, 0xff, 0xb7, 0x5f,
-	0xc7, 0xf8, 0xe1, 0x9d, 0x73, 0x6a, 0xf4, 0x02, 0x07, 0xf7, 0x6f, 0x0b, 0xdd, 0x5a, 0xf8, 0x95,
-	0x77, 0xb8, 0x90, 0xf8, 0x97, 0x73, 0xbb, 0x42, 0x2e, 0x97, 0x8f, 0x8a, 0xd6, 0x9b, 0x72, 0xdd,
-	0xe4, 0xd4, 0x9c, 0x20, 0x33, 0x7b, 0xf2, 0x08, 0xd5, 0xb9, 0x84, 0x48, 0xd8, 0x4b, 0xbd, 0xea,
-	0x5a, 0x7b, 0xe3, 0xb3, 0x2b, 0x4d, 0xb2, 0xff, 0x8e, 0x71, 0xa8, 0x3f, 0x50, 0x5a, 0xb4, 0x90,
-	0x74, 0xff, 0xac, 0xbd, 0xa1, 0x36, 0xb5, 0x4e, 0xf8, 0x43, 0xb4, 0x9c, 0x15, 0x47, 0x5d, 0xda,
-	0x8a, 0xdf, 0x56, 0x83, 0x60, 0x18, 0x74, 0x72, 0x87, 0x37, 0x10, 0x12, 0x3c, 0x8c, 0x21, 0xfb,
-	0x81, 0x45, 0x60, 0x2f, 0xeb, 0xb1, 0x29, 0xd7, 0x7f, 0xb7, 0xbc, 0xa1, 0x33, 0x2c, 0xbc, 0x85,
-	0x6e, 0xc0, 0xf3, 0x94, 0x67, 0x4c, 0xcf, 0x2a, 0x04, 0x49, 0xdc, 0x17, 0x76, 0xb3, 0x67, 0xad,
-	0xd5, 0xfd, 0xf7, 0xc6, 0x23, 0xe7, 0xc6, 0xf6, 0xfc, 0x25, 0x3d, 0xcf, 0xc7, 0x04, 0x35, 0x72,
-	0x35, 0x8a, 0xc2, 0xae, 0xf7, 0xaa, 0x6b, 0x2d, 0xff, 0xa6, 0x1a, 0xe8, 0x7d, 0x8d, 0x9c, 0x8e,
-	0x9c, 0xe6, 0xf7, 0x30, 0xd4, 0x07, 0x6a, 0x58, 0xf8, 0x63, 0xd4, 0xcc, 0x05, 0x64, 0xb1, 0x4a,
-	0xb3, 0x58, 0x83, 0xb2, 0xf7, 0xfb, 0x06, 0xa7, 0x25, 0x03, 0xdf, 0x42, 0xd5, 0x9c, 0xf7, 0xcd,
-	0x1a, 0xb4, 0x0d, 0xb1, 0xba, 0xff, 0xe0, 0x3e, 0x55, 0x38, 0x76, 0x51, 0x23, 0xcc, 0x92, 0x3c,
-	0x15, 0x76, 0x4d, 0x9b, 0x23, 0x65, 0xfe, 0x9d, 0x46, 0xa8, 0xb9, 0xc1, 0x1c, 0xd5, 0xe1, 0xb9,
-	0xcc, 0x98, 0xdd, 0xd0, 0x9f, 0xef, 0xfe, 0x95, 0xdf, 0x39, 0xb2, 0xad, 0x64, 0xb6, 0x63, 0x99,
-	0x0d, 0xa7, 0x5f, 0x53, 0x63, 0xb4, 0x70, 0xe8, 0x3c, 0x46, 0x68, 0xca, 0xc1, 0xd7, 0x51, 0xf5,
-	0x08, 0x86, 0xc5, 0xab, 0x43, 0xd5, 0x4f, 0xfc, 0x35, 0xaa, 0x0f, 0xd8, 0xb3, 0x1c, 0xcc, 0x93,
-	0x7b, 0xfb, 0x4d, 0xa9, 0x68, 0xa1, 0x9f, 0x14, 0x9b, 0x16, 0x41, 0xf7, 0x96, 0x36, 0x2d, 0xf7,
-	0xd8, 0x42, 0xce, 0x5b, 0x5e, 0x4b, 0x9c, 0x21, 0x14, 0x4c, 0x5e, 0x20, 0x61, 0x5b, 0xba, 0xea,
-	0x6f, 0xae, 0x54, 0x75, 0xf9, 0x90, 0x4d, 0x47, 0xa9, 0x84, 0x04, 0x9d, 0x71, 0xc1, 0xeb, 0xa8,
-	0x3d, 0xa3, 0xaa, 0xeb, 0x5b, 0xf1, 0xaf, 0x8d, 0x47, 0x4e, 0x7b, 0x46, 0x9c, 0xce, 0x72, 0xdc,
-	0x2f, 0x4c, 0xb3, 0x74, 0x8d, 0xd8, 0x99, 0x2c, 0x99, 0xa5, 0x3f, 0x64, 0x6b, 0x7e, 0x53, 0xee,
-	0x35, 0x7f, 0xff, 0xc3, 0xa9, 0xbc, 0xf8, 0xa7, 0x57, 0xf1, 0xbf, 0x3d, 0x3e, 0xe9, 0x56, 0x5e,
-	0x9e, 0x74, 0x2b, 0xaf, 0x4e, 0xba, 0x95, 0x17, 0xe3, 0xae, 0x75, 0x3c, 0xee, 0x5a, 0x2f, 0xc7,
-	0x5d, 0xeb, 0xd5, 0xb8, 0x6b, 0xfd, 0x3b, 0xee, 0x5a, 0xbf, 0xbd, 0xee, 0x56, 0x1e, 0x75, 0x16,
-	0xff, 0x2f, 0xf9, 0x2f, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x4a, 0x4f, 0xbc, 0xb4, 0x08, 0x00, 0x00,
-}
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
 func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -486,7 +242,7 @@ func (m *CertificateSigningRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int,
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -822,7 +578,7 @@ func (this *CertificateSigningRequestSpec) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/staging/src/k8s.io/api/certificates/v1/generated.proto b/staging/src/k8s.io/api/certificates/v1/generated.proto
index 24528fc8bc21d..a689f3e8920eb 100644
--- a/staging/src/k8s.io/api/certificates/v1/generated.proto
+++ b/staging/src/k8s.io/api/certificates/v1/generated.proto
@@ -111,7 +111,6 @@ message CertificateSigningRequestList {
 message CertificateSigningRequestSpec {
   // request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
   // When serialized as JSON or YAML, the data is additionally base64-encoded.
-  // +listType=atomic
   optional bytes request = 1;
 
   // signerName indicates the requested signer, and is a qualified name.
@@ -207,6 +206,7 @@ message CertificateSigningRequestStatus {
   // +optional
   // +k8s:listType=map
   // +k8s:listMapKey=type
+  // +k8s:customUnique
   // +k8s:optional
   // +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
   // +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
@@ -239,7 +239,6 @@ message CertificateSigningRequestStatus {
   //     -----END CERTIFICATE-----
   //     )
   //
-  // +listType=atomic
   // +optional
   optional bytes certificate = 2;
 }
diff --git a/staging/src/k8s.io/api/certificates/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/certificates/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..527630582c77a
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*CertificateSigningRequest) ProtoMessage() {}
+
+func (*CertificateSigningRequestCondition) ProtoMessage() {}
+
+func (*CertificateSigningRequestList) ProtoMessage() {}
+
+func (*CertificateSigningRequestSpec) ProtoMessage() {}
+
+func (*CertificateSigningRequestStatus) ProtoMessage() {}
+
+func (*ExtraValue) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/certificates/v1/types.go b/staging/src/k8s.io/api/certificates/v1/types.go
index 71203e80d55c0..8cd56e6db7e1d 100644
--- a/staging/src/k8s.io/api/certificates/v1/types.go
+++ b/staging/src/k8s.io/api/certificates/v1/types.go
@@ -61,7 +61,6 @@ type CertificateSigningRequest struct {
 type CertificateSigningRequestSpec struct {
 	// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
 	// When serialized as JSON or YAML, the data is additionally base64-encoded.
-	// +listType=atomic
 	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`
 
 	// signerName indicates the requested signer, and is a qualified name.
@@ -182,6 +181,7 @@ type CertificateSigningRequestStatus struct {
 	// +optional
 	// +k8s:listType=map
 	// +k8s:listMapKey=type
+	// +k8s:customUnique
 	// +k8s:optional
 	// +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
 	// +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
@@ -214,7 +214,6 @@ type CertificateSigningRequestStatus struct {
 	//     -----END CERTIFICATE-----
 	//     )
 	//
-	// +listType=atomic
 	// +optional
 	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
 }
diff --git a/staging/src/k8s.io/api/certificates/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/certificates/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..9c7ad07a2c4fe
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequest) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1.CertificateSigningRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestCondition) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1.CertificateSigningRequestCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestList) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1.CertificateSigningRequestList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestSpec) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1.CertificateSigningRequestSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestStatus) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1.CertificateSigningRequestStatus"
+}
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/doc.go b/staging/src/k8s.io/api/certificates/v1alpha1/doc.go
index 01481df8e50b1..b8b1b1a696ae7 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.certificates.v1alpha1
 
 // +groupName=certificates.k8s.io
 
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/certificates/v1alpha1/generated.pb.go
index c260f0436dadb..29b8843a2fba8 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/generated.pb.go
@@ -24,299 +24,16 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
-
-	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *ClusterTrustBundle) Reset()      { *m = ClusterTrustBundle{} }
-func (*ClusterTrustBundle) ProtoMessage() {}
-func (*ClusterTrustBundle) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{0}
-}
-func (m *ClusterTrustBundle) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundle) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundle) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundle.Merge(m, src)
-}
-func (m *ClusterTrustBundle) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundle) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundle.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterTrustBundle proto.InternalMessageInfo
-
-func (m *ClusterTrustBundleList) Reset()      { *m = ClusterTrustBundleList{} }
-func (*ClusterTrustBundleList) ProtoMessage() {}
-func (*ClusterTrustBundleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{1}
-}
-func (m *ClusterTrustBundleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundleList.Merge(m, src)
-}
-func (m *ClusterTrustBundleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterTrustBundleList proto.InternalMessageInfo
-
-func (m *ClusterTrustBundleSpec) Reset()      { *m = ClusterTrustBundleSpec{} }
-func (*ClusterTrustBundleSpec) ProtoMessage() {}
-func (*ClusterTrustBundleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{2}
-}
-func (m *ClusterTrustBundleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundleSpec.Merge(m, src)
-}
-func (m *ClusterTrustBundleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundleSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterTrustBundleSpec proto.InternalMessageInfo
-
-func (m *PodCertificateRequest) Reset()      { *m = PodCertificateRequest{} }
-func (*PodCertificateRequest) ProtoMessage() {}
-func (*PodCertificateRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{3}
-}
-func (m *PodCertificateRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCertificateRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCertificateRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCertificateRequest.Merge(m, src)
-}
-func (m *PodCertificateRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCertificateRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCertificateRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodCertificateRequest proto.InternalMessageInfo
-
-func (m *PodCertificateRequestList) Reset()      { *m = PodCertificateRequestList{} }
-func (*PodCertificateRequestList) ProtoMessage() {}
-func (*PodCertificateRequestList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{4}
-}
-func (m *PodCertificateRequestList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCertificateRequestList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCertificateRequestList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCertificateRequestList.Merge(m, src)
-}
-func (m *PodCertificateRequestList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCertificateRequestList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCertificateRequestList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodCertificateRequestList proto.InternalMessageInfo
-
-func (m *PodCertificateRequestSpec) Reset()      { *m = PodCertificateRequestSpec{} }
-func (*PodCertificateRequestSpec) ProtoMessage() {}
-func (*PodCertificateRequestSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{5}
-}
-func (m *PodCertificateRequestSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCertificateRequestSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCertificateRequestSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCertificateRequestSpec.Merge(m, src)
-}
-func (m *PodCertificateRequestSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCertificateRequestSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCertificateRequestSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodCertificateRequestSpec proto.InternalMessageInfo
-
-func (m *PodCertificateRequestStatus) Reset()      { *m = PodCertificateRequestStatus{} }
-func (*PodCertificateRequestStatus) ProtoMessage() {}
-func (*PodCertificateRequestStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f73d5fe56c015bb8, []int{6}
-}
-func (m *PodCertificateRequestStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCertificateRequestStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCertificateRequestStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCertificateRequestStatus.Merge(m, src)
-}
-func (m *PodCertificateRequestStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCertificateRequestStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCertificateRequestStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodCertificateRequestStatus proto.InternalMessageInfo
+func (m *ClusterTrustBundle) Reset() { *m = ClusterTrustBundle{} }
 
-func init() {
-	proto.RegisterType((*ClusterTrustBundle)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundle")
-	proto.RegisterType((*ClusterTrustBundleList)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundleList")
-	proto.RegisterType((*ClusterTrustBundleSpec)(nil), "k8s.io.api.certificates.v1alpha1.ClusterTrustBundleSpec")
-	proto.RegisterType((*PodCertificateRequest)(nil), "k8s.io.api.certificates.v1alpha1.PodCertificateRequest")
-	proto.RegisterType((*PodCertificateRequestList)(nil), "k8s.io.api.certificates.v1alpha1.PodCertificateRequestList")
-	proto.RegisterType((*PodCertificateRequestSpec)(nil), "k8s.io.api.certificates.v1alpha1.PodCertificateRequestSpec")
-	proto.RegisterType((*PodCertificateRequestStatus)(nil), "k8s.io.api.certificates.v1alpha1.PodCertificateRequestStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/certificates/v1alpha1/generated.proto", fileDescriptor_f73d5fe56c015bb8)
-}
+func (m *ClusterTrustBundleList) Reset() { *m = ClusterTrustBundleList{} }
 
-var fileDescriptor_f73d5fe56c015bb8 = []byte{
-	// 918 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x96, 0xcf, 0x6f, 0xe3, 0x44,
-	0x14, 0xc7, 0xe3, 0xb6, 0x69, 0x9b, 0x49, 0x5b, 0xda, 0x61, 0x17, 0x99, 0x22, 0x39, 0x21, 0x07,
-	0x54, 0x90, 0xb0, 0xb7, 0xa5, 0xb0, 0x2b, 0x10, 0x48, 0x75, 0x0a, 0x52, 0xe9, 0x6e, 0x36, 0x9a,
-	0x74, 0xf9, 0xb1, 0x5a, 0x24, 0x1c, 0xe7, 0x25, 0x19, 0x1a, 0x7b, 0x8c, 0x67, 0x5c, 0xb5, 0x37,
-	0x24, 0xfe, 0x01, 0xfe, 0x23, 0xae, 0x3d, 0x2e, 0x5c, 0xd8, 0x53, 0xa0, 0xe6, 0x6f, 0xe0, 0xb2,
-	0x27, 0xe4, 0xb1, 0x9d, 0x5f, 0x4e, 0xb6, 0xd9, 0x1e, 0x7a, 0xcb, 0xbc, 0x79, 0xdf, 0xcf, 0xfb,
-	0xbe, 0x99, 0x37, 0x56, 0xd0, 0xbd, 0xd3, 0x07, 0x5c, 0xa7, 0xcc, 0xb0, 0x3c, 0x6a, 0xd8, 0xe0,
-	0x0b, 0xda, 0xa6, 0xb6, 0x25, 0x80, 0x1b, 0x67, 0xbb, 0x56, 0xcf, 0xeb, 0x5a, 0xbb, 0x46, 0x07,
-	0x5c, 0xf0, 0x2d, 0x01, 0x2d, 0xdd, 0xf3, 0x99, 0x60, 0xb8, 0x1c, 0x2b, 0x74, 0xcb, 0xa3, 0xfa,
-	0xa8, 0x42, 0x4f, 0x15, 0xdb, 0x1f, 0x76, 0xa8, 0xe8, 0x06, 0x4d, 0xdd, 0x66, 0x8e, 0xd1, 0x61,
-	0x1d, 0x66, 0x48, 0x61, 0x33, 0x68, 0xcb, 0x95, 0x5c, 0xc8, 0x5f, 0x31, 0x70, 0x7b, 0x7f, 0x68,
-	0xc1, 0xb1, 0xec, 0x2e, 0x75, 0xc1, 0xbf, 0x30, 0xbc, 0xd3, 0x4e, 0x14, 0xe0, 0x86, 0x03, 0xc2,
-	0x32, 0xce, 0x32, 0x36, 0xb6, 0x8d, 0x59, 0x2a, 0x3f, 0x70, 0x05, 0x75, 0x20, 0x23, 0xf8, 0xe4,
-	0x3a, 0x01, 0xb7, 0xbb, 0xe0, 0x58, 0x93, 0xba, 0xca, 0x9f, 0x0a, 0xc2, 0xd5, 0x5e, 0xc0, 0x05,
-	0xf8, 0x27, 0x7e, 0xc0, 0x85, 0x19, 0xb8, 0xad, 0x1e, 0xe0, 0x1f, 0xd1, 0x6a, 0x64, 0xad, 0x65,
-	0x09, 0x4b, 0x55, 0xca, 0xca, 0x4e, 0x71, 0xef, 0x9e, 0x3e, 0x3c, 0x99, 0x41, 0x05, 0xdd, 0x3b,
-	0xed, 0x44, 0x01, 0xae, 0x47, 0xd9, 0xfa, 0xd9, 0xae, 0xfe, 0xb8, 0xf9, 0x13, 0xd8, 0xe2, 0x11,
-	0x08, 0xcb, 0xc4, 0x97, 0xfd, 0x52, 0x2e, 0xec, 0x97, 0xd0, 0x30, 0x46, 0x06, 0x54, 0xfc, 0x14,
-	0x2d, 0x71, 0x0f, 0x6c, 0x75, 0x41, 0xd2, 0x1f, 0xe8, 0xd7, 0x9d, 0xbb, 0x9e, 0x75, 0xd9, 0xf0,
-	0xc0, 0x36, 0xd7, 0x92, 0x2a, 0x4b, 0xd1, 0x8a, 0x48, 0x66, 0xe5, 0x0f, 0x05, 0xbd, 0x95, 0x4d,
-	0x7f, 0x48, 0xb9, 0xc0, 0xcf, 0x32, 0x8d, 0xe9, 0xf3, 0x35, 0x16, 0xa9, 0x65, 0x5b, 0x9b, 0x49,
-	0xc1, 0xd5, 0x34, 0x32, 0xd2, 0xd4, 0xf7, 0x28, 0x4f, 0x05, 0x38, 0x5c, 0x5d, 0x28, 0x2f, 0xee,
-	0x14, 0xf7, 0xf6, 0x6f, 0xd2, 0x95, 0xb9, 0x9e, 0x14, 0xc8, 0x1f, 0x45, 0x28, 0x12, 0x13, 0x2b,
-	0xbf, 0x4e, 0xed, 0x29, 0x6a, 0x1a, 0xef, 0x21, 0xc4, 0x69, 0xc7, 0x05, 0xbf, 0x66, 0x39, 0x20,
-	0xbb, 0x2a, 0x0c, 0x0f, 0xbf, 0x31, 0xd8, 0x21, 0x23, 0x59, 0xf8, 0x63, 0x54, 0x14, 0x43, 0x8c,
-	0xbc, 0x85, 0x82, 0xf9, 0x66, 0x22, 0x2a, 0x8e, 0x54, 0x20, 0xa3, 0x79, 0x95, 0xdf, 0x17, 0xd0,
-	0xdd, 0x3a, 0x6b, 0x55, 0x87, 0xbd, 0x10, 0xf8, 0x39, 0x00, 0x2e, 0x6e, 0x61, 0x62, 0x7e, 0x18,
-	0x9b, 0x98, 0xcf, 0xae, 0x3f, 0xdb, 0xa9, 0x46, 0x67, 0x0d, 0x0d, 0x06, 0xb4, 0xcc, 0x85, 0x25,
-	0x02, 0xae, 0x2e, 0xca, 0x02, 0x9f, 0xdf, 0xb4, 0x80, 0x84, 0x98, 0x1b, 0x49, 0x89, 0xe5, 0x78,
-	0x4d, 0x12, 0x78, 0xe5, 0x2f, 0x05, 0xbd, 0x3d, 0x55, 0x77, 0x0b, 0xe3, 0xf9, 0x6c, 0x7c, 0x3c,
-	0xef, 0xdf, 0xb0, 0xc3, 0x19, 0x13, 0xfa, 0x5f, 0x7e, 0x46, 0x67, 0x37, 0x1e, 0xd2, 0xf7, 0xd1,
-	0x8a, 0xc7, 0x5a, 0x52, 0x10, 0x0f, 0xe8, 0x1b, 0x89, 0x60, 0xa5, 0x1e, 0x87, 0x49, 0xba, 0x8f,
-	0x8f, 0xd1, 0xb2, 0xc7, 0x5a, 0x4f, 0x8e, 0x0e, 0xe5, 0xed, 0x15, 0xcc, 0x8f, 0xd2, 0xe3, 0xaf,
-	0xcb, 0xe8, 0xcb, 0x7e, 0xe9, 0xdd, 0x59, 0x5f, 0x48, 0x71, 0xe1, 0x01, 0xd7, 0x9f, 0x1c, 0x1d,
-	0x92, 0x04, 0x81, 0xbf, 0x46, 0x98, 0x83, 0x7f, 0x46, 0x6d, 0x38, 0xb0, 0x6d, 0x16, 0xb8, 0x42,
-	0x5a, 0x58, 0x92, 0xe0, 0xed, 0x04, 0x8c, 0x1b, 0x99, 0x0c, 0x32, 0x45, 0x85, 0x7b, 0x68, 0x6b,
-	0x3c, 0x1a, 0x79, 0xcc, 0x4b, 0xd4, 0x17, 0x09, 0x6a, 0xab, 0x31, 0x99, 0x30, 0x9f, 0xdd, 0x2c,
-	0x18, 0x7f, 0x83, 0x56, 0x5d, 0xd6, 0x02, 0xe9, 0x77, 0x59, 0x16, 0xf9, 0x34, 0x9d, 0x87, 0x5a,
-	0x12, 0x7f, 0xd9, 0x2f, 0xbd, 0xf7, 0x6a, 0x76, 0x9a, 0x49, 0x06, 0x2c, 0x5c, 0x43, 0x2b, 0xd1,
-	0xef, 0xc8, 0xfb, 0x8a, 0xc4, 0xee, 0xa7, 0x37, 0x51, 0x8b, 0xc3, 0xf3, 0x39, 0x4e, 0x21, 0xf8,
-	0x21, 0xba, 0xe3, 0x58, 0xe7, 0x5f, 0x9e, 0x7b, 0xd4, 0xb7, 0x04, 0x65, 0x6e, 0x03, 0x6c, 0xe6,
-	0xb6, 0xb8, 0xba, 0x5a, 0x56, 0x76, 0xf2, 0xa6, 0x1a, 0xf6, 0x4b, 0x77, 0x1e, 0x4d, 0xd9, 0x27,
-	0x53, 0x55, 0xf8, 0x3e, 0x5a, 0xf7, 0x4e, 0xe9, 0x79, 0x3d, 0x68, 0xf6, 0xa8, 0x7d, 0x0c, 0x17,
-	0x6a, 0xa1, 0xac, 0xec, 0xac, 0x99, 0x5b, 0x61, 0xbf, 0xb4, 0x5e, 0x3f, 0x3e, 0xfa, 0x6e, 0xb0,
-	0x41, 0xc6, 0xf3, 0x70, 0x15, 0x6d, 0x79, 0x3e, 0x63, 0xed, 0xc7, 0xed, 0x3a, 0xe3, 0x1c, 0x38,
-	0xa7, 0xcc, 0x55, 0x91, 0x14, 0xdf, 0x8d, 0x2e, 0xa6, 0x3e, 0xb9, 0x49, 0xb2, 0xf9, 0x95, 0xbf,
-	0x17, 0xd1, 0x3b, 0xaf, 0xf8, 0x12, 0x60, 0x1b, 0xa1, 0xc8, 0x26, 0x8d, 0x1c, 0x73, 0x55, 0x91,
-	0x4f, 0xcf, 0x98, 0xef, 0x55, 0x57, 0x53, 0xdd, 0xf0, 0xa9, 0x0c, 0x42, 0x9c, 0x8c, 0x60, 0xf1,
-	0x21, 0xda, 0x1c, 0x79, 0xc1, 0xd5, 0xae, 0x45, 0xdd, 0xe4, 0xcd, 0xa8, 0x89, 0x72, 0xb3, 0x3a,
-	0xb1, 0x4f, 0x32, 0x0a, 0xfc, 0x2d, 0x2a, 0xb8, 0x4c, 0x98, 0xd0, 0x66, 0x7e, 0x3c, 0xef, 0xc5,
-	0xbd, 0x0f, 0xe6, 0x73, 0x7a, 0x42, 0x1d, 0x30, 0xd7, 0xc3, 0x7e, 0xa9, 0x50, 0x4b, 0x01, 0x64,
-	0xc8, 0xc2, 0x6d, 0xb4, 0xd1, 0x84, 0x0e, 0x75, 0x09, 0xb4, 0x7d, 0xe0, 0xdd, 0x03, 0x21, 0x9f,
-	0xc0, 0xeb, 0xd1, 0x71, 0xd8, 0x2f, 0x6d, 0x98, 0x63, 0x14, 0x32, 0x41, 0xc5, 0x27, 0xd1, 0xfc,
-	0x8b, 0x83, 0xb6, 0x00, 0x5f, 0xce, 0xff, 0xeb, 0x55, 0x58, 0x8b, 0xdf, 0x49, 0xac, 0x27, 0x03,
-	0x92, 0xf9, 0xd5, 0xe5, 0x95, 0x96, 0x7b, 0x7e, 0xa5, 0xe5, 0x5e, 0x5c, 0x69, 0xb9, 0x5f, 0x42,
-	0x4d, 0xb9, 0x0c, 0x35, 0xe5, 0x79, 0xa8, 0x29, 0x2f, 0x42, 0x4d, 0xf9, 0x27, 0xd4, 0x94, 0xdf,
-	0xfe, 0xd5, 0x72, 0x4f, 0xcb, 0xd7, 0xfd, 0xd9, 0xfc, 0x3f, 0x00, 0x00, 0xff, 0xff, 0xcf, 0x6c,
-	0x5a, 0xc4, 0x8f, 0x0a, 0x00, 0x00,
-}
+func (m *ClusterTrustBundleSpec) Reset() { *m = ClusterTrustBundleSpec{} }
 
 func (m *ClusterTrustBundle) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -441,261 +158,6 @@ func (m *ClusterTrustBundleSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)
 	return len(dAtA) - i, nil
 }
 
-func (m *PodCertificateRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *PodCertificateRequest) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *PodCertificateRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	{
-		size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0x1a
-	{
-		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0x12
-	{
-		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *PodCertificateRequestList) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *PodCertificateRequestList) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *PodCertificateRequestList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Items) > 0 {
-		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintGenerated(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0x12
-		}
-	}
-	{
-		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *PodCertificateRequestSpec) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *PodCertificateRequestSpec) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *PodCertificateRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if m.ProofOfPossession != nil {
-		i -= len(m.ProofOfPossession)
-		copy(dAtA[i:], m.ProofOfPossession)
-		i = encodeVarintGenerated(dAtA, i, uint64(len(m.ProofOfPossession)))
-		i--
-		dAtA[i] = 0x52
-	}
-	if m.PKIXPublicKey != nil {
-		i -= len(m.PKIXPublicKey)
-		copy(dAtA[i:], m.PKIXPublicKey)
-		i = encodeVarintGenerated(dAtA, i, uint64(len(m.PKIXPublicKey)))
-		i--
-		dAtA[i] = 0x4a
-	}
-	if m.MaxExpirationSeconds != nil {
-		i = encodeVarintGenerated(dAtA, i, uint64(*m.MaxExpirationSeconds))
-		i--
-		dAtA[i] = 0x40
-	}
-	i -= len(m.NodeUID)
-	copy(dAtA[i:], m.NodeUID)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeUID)))
-	i--
-	dAtA[i] = 0x3a
-	i -= len(m.NodeName)
-	copy(dAtA[i:], m.NodeName)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName)))
-	i--
-	dAtA[i] = 0x32
-	i -= len(m.ServiceAccountUID)
-	copy(dAtA[i:], m.ServiceAccountUID)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountUID)))
-	i--
-	dAtA[i] = 0x2a
-	i -= len(m.ServiceAccountName)
-	copy(dAtA[i:], m.ServiceAccountName)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountName)))
-	i--
-	dAtA[i] = 0x22
-	i -= len(m.PodUID)
-	copy(dAtA[i:], m.PodUID)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodUID)))
-	i--
-	dAtA[i] = 0x1a
-	i -= len(m.PodName)
-	copy(dAtA[i:], m.PodName)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodName)))
-	i--
-	dAtA[i] = 0x12
-	i -= len(m.SignerName)
-	copy(dAtA[i:], m.SignerName)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SignerName)))
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *PodCertificateRequestStatus) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *PodCertificateRequestStatus) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *PodCertificateRequestStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if m.NotAfter != nil {
-		{
-			size, err := m.NotAfter.MarshalToSizedBuffer(dAtA[:i])
-			if err != nil {
-				return 0, err
-			}
-			i -= size
-			i = encodeVarintGenerated(dAtA, i, uint64(size))
-		}
-		i--
-		dAtA[i] = 0x32
-	}
-	if m.BeginRefreshAt != nil {
-		{
-			size, err := m.BeginRefreshAt.MarshalToSizedBuffer(dAtA[:i])
-			if err != nil {
-				return 0, err
-			}
-			i -= size
-			i = encodeVarintGenerated(dAtA, i, uint64(size))
-		}
-		i--
-		dAtA[i] = 0x2a
-	}
-	if m.NotBefore != nil {
-		{
-			size, err := m.NotBefore.MarshalToSizedBuffer(dAtA[:i])
-			if err != nil {
-				return 0, err
-			}
-			i -= size
-			i = encodeVarintGenerated(dAtA, i, uint64(size))
-		}
-		i--
-		dAtA[i] = 0x22
-	}
-	i -= len(m.CertificateChain)
-	copy(dAtA[i:], m.CertificateChain)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CertificateChain)))
-	i--
-	dAtA[i] = 0x12
-	if len(m.Conditions) > 0 {
-		for iNdEx := len(m.Conditions) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Conditions[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintGenerated(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
 func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
 	offset -= sovGenerated(v)
 	base := offset
@@ -720,1140 +182,122 @@ func (m *ClusterTrustBundle) Size() (n int) {
 	return n
 }
 
-func (m *ClusterTrustBundleList) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ListMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Items) > 0 {
-		for _, e := range m.Items {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *ClusterTrustBundleSpec) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.SignerName)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.TrustBundle)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *PodCertificateRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ObjectMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Spec.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Status.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *PodCertificateRequestList) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ListMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Items) > 0 {
-		for _, e := range m.Items {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *PodCertificateRequestSpec) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.SignerName)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.PodName)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.PodUID)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.ServiceAccountName)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.ServiceAccountUID)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.NodeName)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.NodeUID)
-	n += 1 + l + sovGenerated(uint64(l))
-	if m.MaxExpirationSeconds != nil {
-		n += 1 + sovGenerated(uint64(*m.MaxExpirationSeconds))
-	}
-	if m.PKIXPublicKey != nil {
-		l = len(m.PKIXPublicKey)
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	if m.ProofOfPossession != nil {
-		l = len(m.ProofOfPossession)
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	return n
-}
-
-func (m *PodCertificateRequestStatus) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Conditions) > 0 {
-		for _, e := range m.Conditions {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	l = len(m.CertificateChain)
-	n += 1 + l + sovGenerated(uint64(l))
-	if m.NotBefore != nil {
-		l = m.NotBefore.Size()
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	if m.BeginRefreshAt != nil {
-		l = m.BeginRefreshAt.Size()
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	if m.NotAfter != nil {
-		l = m.NotAfter.Size()
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	return n
-}
-
-func sovGenerated(x uint64) (n int) {
-	return (math_bits.Len64(x|1) + 6) / 7
-}
-func sozGenerated(x uint64) (n int) {
-	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-func (this *ClusterTrustBundle) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&ClusterTrustBundle{`,
-		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
-		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ClusterTrustBundleSpec", "ClusterTrustBundleSpec", 1), `&`, ``, 1) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *ClusterTrustBundleList) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForItems := "[]ClusterTrustBundle{"
-	for _, f := range this.Items {
-		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "ClusterTrustBundle", "ClusterTrustBundle", 1), `&`, ``, 1) + ","
-	}
-	repeatedStringForItems += "}"
-	s := strings.Join([]string{`&ClusterTrustBundleList{`,
-		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
-		`Items:` + repeatedStringForItems + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *ClusterTrustBundleSpec) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&ClusterTrustBundleSpec{`,
-		`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
-		`TrustBundle:` + fmt.Sprintf("%v", this.TrustBundle) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *PodCertificateRequest) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&PodCertificateRequest{`,
-		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
-		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodCertificateRequestSpec", "PodCertificateRequestSpec", 1), `&`, ``, 1) + `,`,
-		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodCertificateRequestStatus", "PodCertificateRequestStatus", 1), `&`, ``, 1) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *PodCertificateRequestList) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForItems := "[]PodCertificateRequest{"
-	for _, f := range this.Items {
-		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "PodCertificateRequest", "PodCertificateRequest", 1), `&`, ``, 1) + ","
-	}
-	repeatedStringForItems += "}"
-	s := strings.Join([]string{`&PodCertificateRequestList{`,
-		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
-		`Items:` + repeatedStringForItems + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *PodCertificateRequestSpec) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&PodCertificateRequestSpec{`,
-		`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
-		`PodName:` + fmt.Sprintf("%v", this.PodName) + `,`,
-		`PodUID:` + fmt.Sprintf("%v", this.PodUID) + `,`,
-		`ServiceAccountName:` + fmt.Sprintf("%v", this.ServiceAccountName) + `,`,
-		`ServiceAccountUID:` + fmt.Sprintf("%v", this.ServiceAccountUID) + `,`,
-		`NodeName:` + fmt.Sprintf("%v", this.NodeName) + `,`,
-		`NodeUID:` + fmt.Sprintf("%v", this.NodeUID) + `,`,
-		`MaxExpirationSeconds:` + valueToStringGenerated(this.MaxExpirationSeconds) + `,`,
-		`PKIXPublicKey:` + valueToStringGenerated(this.PKIXPublicKey) + `,`,
-		`ProofOfPossession:` + valueToStringGenerated(this.ProofOfPossession) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *PodCertificateRequestStatus) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForConditions := "[]Condition{"
-	for _, f := range this.Conditions {
-		repeatedStringForConditions += fmt.Sprintf("%v", f) + ","
-	}
-	repeatedStringForConditions += "}"
-	s := strings.Join([]string{`&PodCertificateRequestStatus{`,
-		`Conditions:` + repeatedStringForConditions + `,`,
-		`CertificateChain:` + fmt.Sprintf("%v", this.CertificateChain) + `,`,
-		`NotBefore:` + strings.Replace(fmt.Sprintf("%v", this.NotBefore), "Time", "v1.Time", 1) + `,`,
-		`BeginRefreshAt:` + strings.Replace(fmt.Sprintf("%v", this.BeginRefreshAt), "Time", "v1.Time", 1) + `,`,
-		`NotAfter:` + strings.Replace(fmt.Sprintf("%v", this.NotAfter), "Time", "v1.Time", 1) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func valueToStringGenerated(v interface{}) string {
-	rv := reflect.ValueOf(v)
-	if rv.IsNil() {
-		return "nil"
-	}
-	pv := reflect.Indirect(rv).Interface()
-	return fmt.Sprintf("*%v", pv)
-}
-func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundle: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundle: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundleList: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundleList: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Items = append(m.Items, ClusterTrustBundle{})
-			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundleSpec: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.SignerName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field TrustBundle", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.TrustBundle = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *PodCertificateRequest) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: PodCertificateRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PodCertificateRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *PodCertificateRequestList) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: PodCertificateRequestList: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PodCertificateRequestList: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Items = append(m.Items, PodCertificateRequest{})
-			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: PodCertificateRequestSpec: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PodCertificateRequestSpec: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.SignerName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PodName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.PodName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PodUID", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.PodUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 4:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.ServiceAccountName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 5:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountUID", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.ServiceAccountUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 6:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.NodeName = k8s_io_apimachinery_pkg_types.NodeName(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 7:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field NodeUID", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
+func (m *ClusterTrustBundleList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterTrustBundleSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.SignerName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.TrustBundle)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ClusterTrustBundle) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterTrustBundle{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ClusterTrustBundleSpec", "ClusterTrustBundleSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterTrustBundleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]ClusterTrustBundle{"
+	for _, f := range this.Items {
+		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "ClusterTrustBundle", "ClusterTrustBundle", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&ClusterTrustBundleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + repeatedStringForItems + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterTrustBundleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterTrustBundleSpec{`,
+		`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
+		`TrustBundle:` + fmt.Sprintf("%v", this.TrustBundle) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
 			}
-			if postIndex > l {
+			if iNdEx >= l {
 				return io.ErrUnexpectedEOF
 			}
-			m.NodeUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 8:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field MaxExpirationSeconds", wireType)
-			}
-			var v int32
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				v |= int32(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
 			}
-			m.MaxExpirationSeconds = &v
-		case 9:
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterTrustBundle: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterTrustBundle: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PKIXPublicKey", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
 			}
-			var byteLen int
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1863,31 +307,30 @@ func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if byteLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + byteLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.PKIXPublicKey = append(m.PKIXPublicKey[:0], dAtA[iNdEx:postIndex]...)
-			if m.PKIXPublicKey == nil {
-				m.PKIXPublicKey = []byte{}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
 			}
 			iNdEx = postIndex
-		case 10:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ProofOfPossession", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
 			}
-			var byteLen int
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1897,24 +340,23 @@ func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if byteLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + byteLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.ProofOfPossession = append(m.ProofOfPossession[:0], dAtA[iNdEx:postIndex]...)
-			if m.ProofOfPossession == nil {
-				m.ProofOfPossession = []byte{}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
 			}
 			iNdEx = postIndex
 		default:
@@ -1938,7 +380,7 @@ func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
+func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1961,15 +403,15 @@ func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: PodCertificateRequestStatus: wiretype end group for non-group")
+			return fmt.Errorf("proto: ClusterTrustBundleList: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PodCertificateRequestStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: ClusterTrustBundleList: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1996,16 +438,15 @@ func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Conditions = append(m.Conditions, v1.Condition{})
-			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field CertificateChain", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2015,65 +456,81 @@ func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.CertificateChain = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 4:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field NotBefore", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
+			m.Items = append(m.Items, ClusterTrustBundle{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
 			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
 			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			if postIndex > l {
+			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.NotBefore == nil {
-				m.NotBefore = &v1.Time{}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
 			}
-			if err := m.NotBefore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
 			}
-			iNdEx = postIndex
-		case 5:
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterTrustBundleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterTrustBundleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field BeginRefreshAt", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2083,33 +540,29 @@ func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.BeginRefreshAt == nil {
-				m.BeginRefreshAt = &v1.Time{}
-			}
-			if err := m.BeginRefreshAt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.SignerName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 6:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field NotAfter", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field TrustBundle", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2119,27 +572,23 @@ func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.NotAfter == nil {
-				m.NotAfter = &v1.Time{}
-			}
-			if err := m.NotAfter.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.TrustBundle = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/generated.proto b/staging/src/k8s.io/api/certificates/v1alpha1/generated.proto
index 194bdbc14ff23..7155f778cffce 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/generated.proto
@@ -101,208 +101,3 @@ message ClusterTrustBundleSpec {
   optional string trustBundle = 2;
 }
 
-// PodCertificateRequest encodes a pod requesting a certificate from a given
-// signer.
-//
-// Kubelets use this API to implement podCertificate projected volumes
-message PodCertificateRequest {
-  // metadata contains the object metadata.
-  //
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // spec contains the details about the certificate being requested.
-  optional PodCertificateRequestSpec spec = 2;
-
-  // status contains the issued certificate, and a standard set of conditions.
-  // +optional
-  optional PodCertificateRequestStatus status = 3;
-}
-
-// PodCertificateRequestList is a collection of PodCertificateRequest objects
-message PodCertificateRequestList {
-  // metadata contains the list metadata.
-  //
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // items is a collection of PodCertificateRequest objects
-  repeated PodCertificateRequest items = 2;
-}
-
-// PodCertificateRequestSpec describes the certificate request.  All fields are
-// immutable after creation.
-message PodCertificateRequestSpec {
-  // signerName indicates the requested signer.
-  //
-  // All signer names beginning with `kubernetes.io` are reserved for use by
-  // the Kubernetes project.  There is currently one well-known signer
-  // documented by the Kubernetes project,
-  // `kubernetes.io/kube-apiserver-client-pod`, which will issue client
-  // certificates understood by kube-apiserver.  It is currently
-  // unimplemented.
-  //
-  // +required
-  optional string signerName = 1;
-
-  // podName is the name of the pod into which the certificate will be mounted.
-  //
-  // +required
-  optional string podName = 2;
-
-  // podUID is the UID of the pod into which the certificate will be mounted.
-  //
-  // +required
-  optional string podUID = 3;
-
-  // serviceAccountName is the name of the service account the pod is running as.
-  //
-  // +required
-  optional string serviceAccountName = 4;
-
-  // serviceAccountUID is the UID of the service account the pod is running as.
-  //
-  // +required
-  optional string serviceAccountUID = 5;
-
-  // nodeName is the name of the node the pod is assigned to.
-  //
-  // +required
-  optional string nodeName = 6;
-
-  // nodeUID is the UID of the node the pod is assigned to.
-  //
-  // +required
-  optional string nodeUID = 7;
-
-  // maxExpirationSeconds is the maximum lifetime permitted for the
-  // certificate.
-  //
-  // If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
-  // will reject values shorter than 3600 (1 hour).  The maximum allowable
-  // value is 7862400 (91 days).
-  //
-  // The signer implementation is then free to issue a certificate with any
-  // lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
-  // seconds (1 hour).  This constraint is enforced by kube-apiserver.
-  // `kubernetes.io` signers will never issue certificates with a lifetime
-  // longer than 24 hours.
-  //
-  // +optional
-  // +default=86400
-  optional int32 maxExpirationSeconds = 8;
-
-  // pkixPublicKey is the PKIX-serialized public key the signer will issue the
-  // certificate to.
-  //
-  // The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
-  // or ED25519. Note that this list may be expanded in the future.
-  //
-  // Signer implementations do not need to support all key types supported by
-  // kube-apiserver and kubelet.  If a signer does not support the key type
-  // used for a given PodCertificateRequest, it must deny the request by
-  // setting a status.conditions entry with a type of "Denied" and a reason of
-  // "UnsupportedKeyType". It may also suggest a key type that it does support
-  // in the message field.
-  //
-  // +required
-  optional bytes pkixPublicKey = 9;
-
-  // proofOfPossession proves that the requesting kubelet holds the private
-  // key corresponding to pkixPublicKey.
-  //
-  // It is contructed by signing the ASCII bytes of the pod's UID using
-  // `pkixPublicKey`.
-  //
-  // kube-apiserver validates the proof of possession during creation of the
-  // PodCertificateRequest.
-  //
-  // If the key is an RSA key, then the signature is over the ASCII bytes of
-  // the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
-  // function crypto/rsa.SignPSS with nil options).
-  //
-  // If the key is an ECDSA key, then the signature is as described by [SEC 1,
-  // Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
-  // golang library function crypto/ecdsa.SignASN1)
-  //
-  // If the key is an ED25519 key, the the signature is as described by the
-  // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
-  // the golang library crypto/ed25519.Sign).
-  //
-  // +required
-  optional bytes proofOfPossession = 10;
-}
-
-// PodCertificateRequestStatus describes the status of the request, and holds
-// the certificate data if the request is issued.
-message PodCertificateRequestStatus {
-  // conditions applied to the request.
-  //
-  // The types "Issued", "Denied", and "Failed" have special handling.  At
-  // most one of these conditions may be present, and they must have status
-  // "True".
-  //
-  // If the request is denied with `Reason=UnsupportedKeyType`, the signer may
-  // suggest a key type that will work in the message field.
-  //
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;
-
-  // certificateChain is populated with an issued certificate by the signer.
-  // This field is set via the /status subresource. Once populated, this field
-  // is immutable.
-  //
-  // If the certificate signing request is denied, a condition of type
-  // "Denied" is added and this field remains empty. If the signer cannot
-  // issue the certificate, a condition of type "Failed" is added and this
-  // field remains empty.
-  //
-  // Validation requirements:
-  //  1. certificateChain must consist of one or more PEM-formatted certificates.
-  //  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
-  //     described in section 4 of RFC5280.
-  //
-  // If more than one block is present, and the definition of the requested
-  // spec.signerName does not indicate otherwise, the first block is the
-  // issued certificate, and subsequent blocks should be treated as
-  // intermediate certificates and presented in TLS handshakes.  When
-  // projecting the chain into a pod volume, kubelet will drop any data
-  // in-between the PEM blocks, as well as any PEM block headers.
-  //
-  // +optional
-  optional string certificateChain = 2;
-
-  // notBefore is the time at which the certificate becomes valid.  The value
-  // must be the same as the notBefore value in the leaf certificate in
-  // certificateChain.  This field is set via the /status subresource.  Once
-  // populated, it is immutable. The signer must set this field at the same
-  // time it sets certificateChain.
-  //
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notBefore = 4;
-
-  // beginRefreshAt is the time at which the kubelet should begin trying to
-  // refresh the certificate.  This field is set via the /status subresource,
-  // and must be set at the same time as certificateChain.  Once populated,
-  // this field is immutable.
-  //
-  // This field is only a hint.  Kubelet may start refreshing before or after
-  // this time if necessary.
-  //
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time beginRefreshAt = 5;
-
-  // notAfter is the time at which the certificate expires.  The value must be
-  // the same as the notAfter value in the leaf certificate in
-  // certificateChain.  This field is set via the /status subresource.  Once
-  // populated, it is immutable.  The signer must set this field at the same
-  // time it sets certificateChain.
-  //
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notAfter = 6;
-}
-
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..81dd80e28a926
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ClusterTrustBundle) ProtoMessage() {}
+
+func (*ClusterTrustBundleList) ProtoMessage() {}
+
+func (*ClusterTrustBundleSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/register.go b/staging/src/k8s.io/api/certificates/v1alpha1/register.go
index ae541e15c12af..7288ed9a3e8dd 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/register.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/register.go
@@ -53,8 +53,6 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&ClusterTrustBundle{},
 		&ClusterTrustBundleList{},
-		&PodCertificateRequest{},
-		&PodCertificateRequestList{},
 	)
 
 	// Add the watch version that applies
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/types.go b/staging/src/k8s.io/api/certificates/v1alpha1/types.go
index a5cb3809e7fea..beef02599d075 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/types.go
@@ -18,7 +18,6 @@ package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
 )
 
 // +genclient
@@ -107,233 +106,3 @@ type ClusterTrustBundleList struct {
 	// items is a collection of ClusterTrustBundle objects
 	Items []ClusterTrustBundle `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
-
-// +genclient
-// +k8s:prerelease-lifecycle-gen:introduced=1.34
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// PodCertificateRequest encodes a pod requesting a certificate from a given
-// signer.
-//
-// Kubelets use this API to implement podCertificate projected volumes
-type PodCertificateRequest struct {
-	metav1.TypeMeta `json:",inline"`
-
-	// metadata contains the object metadata.
-	//
-	// +optional
-	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-
-	// spec contains the details about the certificate being requested.
-	Spec PodCertificateRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
-
-	// status contains the issued certificate, and a standard set of conditions.
-	// +optional
-	Status PodCertificateRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
-}
-
-// PodCertificateRequestSpec describes the certificate request.  All fields are
-// immutable after creation.
-type PodCertificateRequestSpec struct {
-	// signerName indicates the requested signer.
-	//
-	// All signer names beginning with `kubernetes.io` are reserved for use by
-	// the Kubernetes project.  There is currently one well-known signer
-	// documented by the Kubernetes project,
-	// `kubernetes.io/kube-apiserver-client-pod`, which will issue client
-	// certificates understood by kube-apiserver.  It is currently
-	// unimplemented.
-	//
-	// +required
-	SignerName string `json:"signerName" protobuf:"bytes,1,opt,name=signerName"`
-
-	// podName is the name of the pod into which the certificate will be mounted.
-	//
-	// +required
-	PodName string `json:"podName" protobuf:"bytes,2,opt,name=podName"`
-	// podUID is the UID of the pod into which the certificate will be mounted.
-	//
-	// +required
-	PodUID types.UID `json:"podUID" protobuf:"bytes,3,opt,name=podUID"`
-
-	// serviceAccountName is the name of the service account the pod is running as.
-	//
-	// +required
-	ServiceAccountName string `json:"serviceAccountName" protobuf:"bytes,4,opt,name=serviceAccountName"`
-	// serviceAccountUID is the UID of the service account the pod is running as.
-	//
-	// +required
-	ServiceAccountUID types.UID `json:"serviceAccountUID" protobuf:"bytes,5,opt,name=serviceAccountUID"`
-
-	// nodeName is the name of the node the pod is assigned to.
-	//
-	// +required
-	NodeName types.NodeName `json:"nodeName" protobuf:"bytes,6,opt,name=nodeName"`
-	// nodeUID is the UID of the node the pod is assigned to.
-	//
-	// +required
-	NodeUID types.UID `json:"nodeUID" protobuf:"bytes,7,opt,name=nodeUID"`
-
-	// maxExpirationSeconds is the maximum lifetime permitted for the
-	// certificate.
-	//
-	// If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
-	// will reject values shorter than 3600 (1 hour).  The maximum allowable
-	// value is 7862400 (91 days).
-	//
-	// The signer implementation is then free to issue a certificate with any
-	// lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
-	// seconds (1 hour).  This constraint is enforced by kube-apiserver.
-	// `kubernetes.io` signers will never issue certificates with a lifetime
-	// longer than 24 hours.
-	//
-	// +optional
-	// +default=86400
-	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty" protobuf:"varint,8,opt,name=maxExpirationSeconds"`
-
-	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
-	// certificate to.
-	//
-	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
-	// or ED25519. Note that this list may be expanded in the future.
-	//
-	// Signer implementations do not need to support all key types supported by
-	// kube-apiserver and kubelet.  If a signer does not support the key type
-	// used for a given PodCertificateRequest, it must deny the request by
-	// setting a status.conditions entry with a type of "Denied" and a reason of
-	// "UnsupportedKeyType". It may also suggest a key type that it does support
-	// in the message field.
-	//
-	// +required
-	PKIXPublicKey []byte `json:"pkixPublicKey" protobuf:"bytes,9,opt,name=pkixPublicKey"`
-
-	// proofOfPossession proves that the requesting kubelet holds the private
-	// key corresponding to pkixPublicKey.
-	//
-	// It is contructed by signing the ASCII bytes of the pod's UID using
-	// `pkixPublicKey`.
-	//
-	// kube-apiserver validates the proof of possession during creation of the
-	// PodCertificateRequest.
-	//
-	// If the key is an RSA key, then the signature is over the ASCII bytes of
-	// the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
-	// function crypto/rsa.SignPSS with nil options).
-	//
-	// If the key is an ECDSA key, then the signature is as described by [SEC 1,
-	// Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
-	// golang library function crypto/ecdsa.SignASN1)
-	//
-	// If the key is an ED25519 key, the the signature is as described by the
-	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
-	// the golang library crypto/ed25519.Sign).
-	//
-	// +required
-	ProofOfPossession []byte `json:"proofOfPossession" protobuf:"bytes,10,opt,name=proofOfPossession"`
-}
-
-// PodCertificateRequestStatus describes the status of the request, and holds
-// the certificate data if the request is issued.
-type PodCertificateRequestStatus struct {
-	// conditions applied to the request.
-	//
-	// The types "Issued", "Denied", and "Failed" have special handling.  At
-	// most one of these conditions may be present, and they must have status
-	// "True".
-	//
-	// If the request is denied with `Reason=UnsupportedKeyType`, the signer may
-	// suggest a key type that will work in the message field.
-	//
-	// +patchMergeKey=type
-	// +patchStrategy=merge
-	// +listType=map
-	// +listMapKey=type
-	// +optional
-	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
-
-	// certificateChain is populated with an issued certificate by the signer.
-	// This field is set via the /status subresource. Once populated, this field
-	// is immutable.
-	//
-	// If the certificate signing request is denied, a condition of type
-	// "Denied" is added and this field remains empty. If the signer cannot
-	// issue the certificate, a condition of type "Failed" is added and this
-	// field remains empty.
-	//
-	// Validation requirements:
-	//  1. certificateChain must consist of one or more PEM-formatted certificates.
-	//  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
-	//     described in section 4 of RFC5280.
-	//
-	// If more than one block is present, and the definition of the requested
-	// spec.signerName does not indicate otherwise, the first block is the
-	// issued certificate, and subsequent blocks should be treated as
-	// intermediate certificates and presented in TLS handshakes.  When
-	// projecting the chain into a pod volume, kubelet will drop any data
-	// in-between the PEM blocks, as well as any PEM block headers.
-	//
-	// +optional
-	CertificateChain string `json:"certificateChain,omitempty" protobuf:"bytes,2,opt,name=certificateChain"`
-
-	// notBefore is the time at which the certificate becomes valid.  The value
-	// must be the same as the notBefore value in the leaf certificate in
-	// certificateChain.  This field is set via the /status subresource.  Once
-	// populated, it is immutable. The signer must set this field at the same
-	// time it sets certificateChain.
-	//
-	// +optional
-	NotBefore *metav1.Time `json:"notBefore,omitempty" protobuf:"bytes,4,opt,name=notBefore"`
-
-	// beginRefreshAt is the time at which the kubelet should begin trying to
-	// refresh the certificate.  This field is set via the /status subresource,
-	// and must be set at the same time as certificateChain.  Once populated,
-	// this field is immutable.
-	//
-	// This field is only a hint.  Kubelet may start refreshing before or after
-	// this time if necessary.
-	//
-	// +optional
-	BeginRefreshAt *metav1.Time `json:"beginRefreshAt,omitempty" protobuf:"bytes,5,opt,name=beginRefreshAt"`
-
-	// notAfter is the time at which the certificate expires.  The value must be
-	// the same as the notAfter value in the leaf certificate in
-	// certificateChain.  This field is set via the /status subresource.  Once
-	// populated, it is immutable.  The signer must set this field at the same
-	// time it sets certificateChain.
-	//
-	// +optional
-	NotAfter *metav1.Time `json:"notAfter,omitempty" protobuf:"bytes,6,opt,name=notAfter"`
-}
-
-// Well-known condition types for PodCertificateRequests
-const (
-	// Denied indicates the request was denied by the signer.
-	PodCertificateRequestConditionTypeDenied string = "Denied"
-	// Failed indicates the signer failed to issue the certificate.
-	PodCertificateRequestConditionTypeFailed string = "Failed"
-	// Issued indicates the certificate has been issued.
-	PodCertificateRequestConditionTypeIssued string = "Issued"
-)
-
-// Well-known condition reasons for PodCertificateRequests
-const (
-	// UnsupportedKeyType should be set on "Denied" conditions when the signer
-	// doesn't support the key type of publicKey.
-	PodCertificateRequestConditionUnsupportedKeyType string = "UnsupportedKeyType"
-)
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +k8s:prerelease-lifecycle-gen:introduced=1.34
-
-// PodCertificateRequestList is a collection of PodCertificateRequest objects
-type PodCertificateRequestList struct {
-	metav1.TypeMeta `json:",inline"`
-
-	// metadata contains the list metadata.
-	//
-	// +optional
-	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-
-	// items is a collection of PodCertificateRequest objects
-	Items []PodCertificateRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
-}
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go
index d29f2d8505f50..bff649e3cbdb2 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go
@@ -57,56 +57,4 @@ func (ClusterTrustBundleSpec) SwaggerDoc() map[string]string {
 	return map_ClusterTrustBundleSpec
 }
 
-var map_PodCertificateRequest = map[string]string{
-	"":         "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
-	"metadata": "metadata contains the object metadata.",
-	"spec":     "spec contains the details about the certificate being requested.",
-	"status":   "status contains the issued certificate, and a standard set of conditions.",
-}
-
-func (PodCertificateRequest) SwaggerDoc() map[string]string {
-	return map_PodCertificateRequest
-}
-
-var map_PodCertificateRequestList = map[string]string{
-	"":         "PodCertificateRequestList is a collection of PodCertificateRequest objects",
-	"metadata": "metadata contains the list metadata.",
-	"items":    "items is a collection of PodCertificateRequest objects",
-}
-
-func (PodCertificateRequestList) SwaggerDoc() map[string]string {
-	return map_PodCertificateRequestList
-}
-
-var map_PodCertificateRequestSpec = map[string]string{
-	"":                     "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
-	"signerName":           "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
-	"podName":              "podName is the name of the pod into which the certificate will be mounted.",
-	"podUID":               "podUID is the UID of the pod into which the certificate will be mounted.",
-	"serviceAccountName":   "serviceAccountName is the name of the service account the pod is running as.",
-	"serviceAccountUID":    "serviceAccountUID is the UID of the service account the pod is running as.",
-	"nodeName":             "nodeName is the name of the node the pod is assigned to.",
-	"nodeUID":              "nodeUID is the UID of the node the pod is assigned to.",
-	"maxExpirationSeconds": "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
-	"pkixPublicKey":        "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
-	"proofOfPossession":    "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
-}
-
-func (PodCertificateRequestSpec) SwaggerDoc() map[string]string {
-	return map_PodCertificateRequestSpec
-}
-
-var map_PodCertificateRequestStatus = map[string]string{
-	"":                 "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
-	"conditions":       "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
-	"certificateChain": "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
-	"notBefore":        "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain.",
-	"beginRefreshAt":   "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary.",
-	"notAfter":         "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain.",
-}
-
-func (PodCertificateRequestStatus) SwaggerDoc() map[string]string {
-	return map_PodCertificateRequestStatus
-}
-
 // AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go
index 25bc0ed6cbc57..30a4dc1e80dcd 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go
@@ -22,7 +22,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -101,130 +100,3 @@ func (in *ClusterTrustBundleSpec) DeepCopy() *ClusterTrustBundleSpec {
 	in.DeepCopyInto(out)
 	return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PodCertificateRequest) DeepCopyInto(out *PodCertificateRequest) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequest.
-func (in *PodCertificateRequest) DeepCopy() *PodCertificateRequest {
-	if in == nil {
-		return nil
-	}
-	out := new(PodCertificateRequest)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *PodCertificateRequest) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PodCertificateRequestList) DeepCopyInto(out *PodCertificateRequestList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]PodCertificateRequest, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestList.
-func (in *PodCertificateRequestList) DeepCopy() *PodCertificateRequestList {
-	if in == nil {
-		return nil
-	}
-	out := new(PodCertificateRequestList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *PodCertificateRequestList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PodCertificateRequestSpec) DeepCopyInto(out *PodCertificateRequestSpec) {
-	*out = *in
-	if in.MaxExpirationSeconds != nil {
-		in, out := &in.MaxExpirationSeconds, &out.MaxExpirationSeconds
-		*out = new(int32)
-		**out = **in
-	}
-	if in.PKIXPublicKey != nil {
-		in, out := &in.PKIXPublicKey, &out.PKIXPublicKey
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.ProofOfPossession != nil {
-		in, out := &in.ProofOfPossession, &out.ProofOfPossession
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestSpec.
-func (in *PodCertificateRequestSpec) DeepCopy() *PodCertificateRequestSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(PodCertificateRequestSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PodCertificateRequestStatus) DeepCopyInto(out *PodCertificateRequestStatus) {
-	*out = *in
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]v1.Condition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.NotBefore != nil {
-		in, out := &in.NotBefore, &out.NotBefore
-		*out = (*in).DeepCopy()
-	}
-	if in.BeginRefreshAt != nil {
-		in, out := &in.BeginRefreshAt, &out.BeginRefreshAt
-		*out = (*in).DeepCopy()
-	}
-	if in.NotAfter != nil {
-		in, out := &in.NotAfter, &out.NotAfter
-		*out = (*in).DeepCopy()
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestStatus.
-func (in *PodCertificateRequestStatus) DeepCopy() *PodCertificateRequestStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(PodCertificateRequestStatus)
-	in.DeepCopyInto(out)
-	return out
-}
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..cec3b649c253d
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundle) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundleList) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec"
+}
diff --git a/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go
index edbfce79bc753..3121a87d0826e 100644
--- a/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go
+++ b/staging/src/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go
@@ -56,39 +56,3 @@ func (in *ClusterTrustBundleList) APILifecycleDeprecated() (major, minor int) {
 func (in *ClusterTrustBundleList) APILifecycleRemoved() (major, minor int) {
 	return 1, 37
 }
-
-// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
-func (in *PodCertificateRequest) APILifecycleIntroduced() (major, minor int) {
-	return 1, 34
-}
-
-// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
-func (in *PodCertificateRequest) APILifecycleDeprecated() (major, minor int) {
-	return 1, 37
-}
-
-// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
-func (in *PodCertificateRequest) APILifecycleRemoved() (major, minor int) {
-	return 1, 40
-}
-
-// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
-func (in *PodCertificateRequestList) APILifecycleIntroduced() (major, minor int) {
-	return 1, 34
-}
-
-// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
-func (in *PodCertificateRequestList) APILifecycleDeprecated() (major, minor int) {
-	return 1, 37
-}
-
-// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
-// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
-func (in *PodCertificateRequestList) APILifecycleRemoved() (major, minor int) {
-	return 1, 40
-}
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/doc.go b/staging/src/k8s.io/api/certificates/v1beta1/doc.go
index 81608a554c4e8..dddb7cb97fc7f 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.certificates.v1beta1
 
 // +groupName=certificates.k8s.io
 
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/generated.pb.go b/staging/src/k8s.io/api/certificates/v1beta1/generated.pb.go
index 199a54496a8ad..5a8b8f2d13b5f 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/generated.pb.go
@@ -23,363 +23,43 @@ import (
 	fmt "fmt"
 
 	io "io"
-
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+	"sort"
 
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
-)
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *CertificateSigningRequest) Reset()      { *m = CertificateSigningRequest{} }
-func (*CertificateSigningRequest) ProtoMessage() {}
-func (*CertificateSigningRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{0}
-}
-func (m *CertificateSigningRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequest.Merge(m, src)
-}
-func (m *CertificateSigningRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CertificateSigningRequest proto.InternalMessageInfo
-
-func (m *CertificateSigningRequestCondition) Reset()      { *m = CertificateSigningRequestCondition{} }
-func (*CertificateSigningRequestCondition) ProtoMessage() {}
-func (*CertificateSigningRequestCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{1}
-}
-func (m *CertificateSigningRequestCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestCondition.Merge(m, src)
-}
-func (m *CertificateSigningRequestCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestCondition.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_CertificateSigningRequestCondition proto.InternalMessageInfo
+	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+)
 
-func (m *CertificateSigningRequestList) Reset()      { *m = CertificateSigningRequestList{} }
-func (*CertificateSigningRequestList) ProtoMessage() {}
-func (*CertificateSigningRequestList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{2}
-}
-func (m *CertificateSigningRequestList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestList.Merge(m, src)
-}
-func (m *CertificateSigningRequestList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestList.DiscardUnknown(m)
-}
+func (m *CertificateSigningRequest) Reset() { *m = CertificateSigningRequest{} }
 
-var xxx_messageInfo_CertificateSigningRequestList proto.InternalMessageInfo
+func (m *CertificateSigningRequestCondition) Reset() { *m = CertificateSigningRequestCondition{} }
 
-func (m *CertificateSigningRequestSpec) Reset()      { *m = CertificateSigningRequestSpec{} }
-func (*CertificateSigningRequestSpec) ProtoMessage() {}
-func (*CertificateSigningRequestSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{3}
-}
-func (m *CertificateSigningRequestSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestSpec.Merge(m, src)
-}
-func (m *CertificateSigningRequestSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestSpec.DiscardUnknown(m)
-}
+func (m *CertificateSigningRequestList) Reset() { *m = CertificateSigningRequestList{} }
 
-var xxx_messageInfo_CertificateSigningRequestSpec proto.InternalMessageInfo
+func (m *CertificateSigningRequestSpec) Reset() { *m = CertificateSigningRequestSpec{} }
 
-func (m *CertificateSigningRequestStatus) Reset()      { *m = CertificateSigningRequestStatus{} }
-func (*CertificateSigningRequestStatus) ProtoMessage() {}
-func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{4}
-}
-func (m *CertificateSigningRequestStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CertificateSigningRequestStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CertificateSigningRequestStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CertificateSigningRequestStatus.Merge(m, src)
-}
-func (m *CertificateSigningRequestStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CertificateSigningRequestStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CertificateSigningRequestStatus.DiscardUnknown(m)
-}
+func (m *CertificateSigningRequestStatus) Reset() { *m = CertificateSigningRequestStatus{} }
 
-var xxx_messageInfo_CertificateSigningRequestStatus proto.InternalMessageInfo
+func (m *ClusterTrustBundle) Reset() { *m = ClusterTrustBundle{} }
 
-func (m *ClusterTrustBundle) Reset()      { *m = ClusterTrustBundle{} }
-func (*ClusterTrustBundle) ProtoMessage() {}
-func (*ClusterTrustBundle) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{5}
-}
-func (m *ClusterTrustBundle) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundle) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundle) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundle.Merge(m, src)
-}
-func (m *ClusterTrustBundle) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundle) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundle.DiscardUnknown(m)
-}
+func (m *ClusterTrustBundleList) Reset() { *m = ClusterTrustBundleList{} }
 
-var xxx_messageInfo_ClusterTrustBundle proto.InternalMessageInfo
+func (m *ClusterTrustBundleSpec) Reset() { *m = ClusterTrustBundleSpec{} }
 
-func (m *ClusterTrustBundleList) Reset()      { *m = ClusterTrustBundleList{} }
-func (*ClusterTrustBundleList) ProtoMessage() {}
-func (*ClusterTrustBundleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{6}
-}
-func (m *ClusterTrustBundleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundleList.Merge(m, src)
-}
-func (m *ClusterTrustBundleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundleList.DiscardUnknown(m)
-}
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-var xxx_messageInfo_ClusterTrustBundleList proto.InternalMessageInfo
+func (m *PodCertificateRequest) Reset() { *m = PodCertificateRequest{} }
 
-func (m *ClusterTrustBundleSpec) Reset()      { *m = ClusterTrustBundleSpec{} }
-func (*ClusterTrustBundleSpec) ProtoMessage() {}
-func (*ClusterTrustBundleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{7}
-}
-func (m *ClusterTrustBundleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundleSpec.Merge(m, src)
-}
-func (m *ClusterTrustBundleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundleSpec.DiscardUnknown(m)
-}
+func (m *PodCertificateRequestList) Reset() { *m = PodCertificateRequestList{} }
 
-var xxx_messageInfo_ClusterTrustBundleSpec proto.InternalMessageInfo
+func (m *PodCertificateRequestSpec) Reset() { *m = PodCertificateRequestSpec{} }
 
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6529c11a462c48a5, []int{8}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CertificateSigningRequest)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequest")
-	proto.RegisterType((*CertificateSigningRequestCondition)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestCondition")
-	proto.RegisterType((*CertificateSigningRequestList)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestList")
-	proto.RegisterType((*CertificateSigningRequestSpec)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestSpec")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestSpec.ExtraEntry")
-	proto.RegisterType((*CertificateSigningRequestStatus)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestStatus")
-	proto.RegisterType((*ClusterTrustBundle)(nil), "k8s.io.api.certificates.v1beta1.ClusterTrustBundle")
-	proto.RegisterType((*ClusterTrustBundleList)(nil), "k8s.io.api.certificates.v1beta1.ClusterTrustBundleList")
-	proto.RegisterType((*ClusterTrustBundleSpec)(nil), "k8s.io.api.certificates.v1beta1.ClusterTrustBundleSpec")
-	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.certificates.v1beta1.ExtraValue")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/certificates/v1beta1/generated.proto", fileDescriptor_6529c11a462c48a5)
-}
-
-var fileDescriptor_6529c11a462c48a5 = []byte{
-	// 991 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0xe3, 0x44,
-	0x14, 0x8f, 0x9b, 0x3f, 0x4d, 0x26, 0xa5, 0xbb, 0x3b, 0x40, 0x65, 0x22, 0x6d, 0x1c, 0x59, 0x80,
-	0xca, 0x3f, 0x9b, 0x96, 0x85, 0xad, 0x7a, 0x40, 0xe0, 0x50, 0xa1, 0x8a, 0x2e, 0x48, 0xd3, 0x16,
-	0x01, 0x42, 0x62, 0xa7, 0xce, 0x5b, 0xd7, 0xdb, 0xc6, 0x36, 0x9e, 0x71, 0xd8, 0xdc, 0x56, 0xe2,
-	0x0b, 0x70, 0xe4, 0xc8, 0x77, 0xe0, 0x4b, 0x94, 0x03, 0x52, 0xb9, 0xed, 0x01, 0x45, 0x34, 0xfb,
-	0x2d, 0x7a, 0x42, 0x33, 0x9e, 0x38, 0x4e, 0xd2, 0x90, 0xa5, 0x2b, 0xed, 0x2d, 0xf3, 0xe6, 0xfd,
-	0x7e, 0xbf, 0xf7, 0x9e, 0xdf, 0x7b, 0x13, 0x64, 0x9f, 0x6c, 0x31, 0xcb, 0x0f, 0x6d, 0x1a, 0xf9,
-	0xb6, 0x0b, 0x31, 0xf7, 0x1f, 0xf8, 0x2e, 0xe5, 0xc0, 0xec, 0xde, 0xc6, 0x11, 0x70, 0xba, 0x61,
-	0x7b, 0x10, 0x40, 0x4c, 0x39, 0x74, 0xac, 0x28, 0x0e, 0x79, 0x88, 0x8d, 0x14, 0x60, 0xd1, 0xc8,
-	0xb7, 0xf2, 0x00, 0x4b, 0x01, 0x1a, 0xef, 0x79, 0x3e, 0x3f, 0x4e, 0x8e, 0x2c, 0x37, 0xec, 0xda,
-	0x5e, 0xe8, 0x85, 0xb6, 0xc4, 0x1d, 0x25, 0x0f, 0xe4, 0x49, 0x1e, 0xe4, 0xaf, 0x94, 0xaf, 0x61,
-	0xe6, 0x03, 0x08, 0x63, 0xb0, 0x7b, 0x33, 0x9a, 0x8d, 0x3b, 0x63, 0x9f, 0x2e, 0x75, 0x8f, 0xfd,
-	0x00, 0xe2, 0xbe, 0x1d, 0x9d, 0x78, 0xc2, 0xc0, 0xec, 0x2e, 0x70, 0x7a, 0x15, 0xca, 0x9e, 0x87,
-	0x8a, 0x93, 0x80, 0xfb, 0x5d, 0x98, 0x01, 0x7c, 0xb4, 0x08, 0xc0, 0xdc, 0x63, 0xe8, 0xd2, 0x69,
-	0x9c, 0xf9, 0xc7, 0x12, 0x7a, 0xad, 0x3d, 0x2e, 0xc5, 0xbe, 0xef, 0x05, 0x7e, 0xe0, 0x11, 0xf8,
-	0x31, 0x01, 0xc6, 0xf1, 0x7d, 0x54, 0x15, 0x11, 0x76, 0x28, 0xa7, 0xba, 0xd6, 0xd2, 0xd6, 0xeb,
-	0x9b, 0xef, 0x5b, 0xe3, 0x1a, 0x66, 0x42, 0x56, 0x74, 0xe2, 0x09, 0x03, 0xb3, 0x84, 0xb7, 0xd5,
-	0xdb, 0xb0, 0xbe, 0x3a, 0x7a, 0x08, 0x2e, 0xbf, 0x07, 0x9c, 0x3a, 0xf8, 0x6c, 0x60, 0x14, 0x86,
-	0x03, 0x03, 0x8d, 0x6d, 0x24, 0x63, 0xc5, 0xf7, 0x51, 0x89, 0x45, 0xe0, 0xea, 0x4b, 0x92, 0xfd,
-	0x63, 0x6b, 0xc1, 0x17, 0xb2, 0xe6, 0xc6, 0xba, 0x1f, 0x81, 0xeb, 0xac, 0x28, 0xad, 0x92, 0x38,
-	0x11, 0xc9, 0x8c, 0x8f, 0x51, 0x85, 0x71, 0xca, 0x13, 0xa6, 0x17, 0xa5, 0xc6, 0x27, 0xcf, 0xa1,
-	0x21, 0x79, 0x9c, 0x55, 0xa5, 0x52, 0x49, 0xcf, 0x44, 0xf1, 0x9b, 0x4f, 0x8b, 0xc8, 0x9c, 0x8b,
-	0x6d, 0x87, 0x41, 0xc7, 0xe7, 0x7e, 0x18, 0xe0, 0x2d, 0x54, 0xe2, 0xfd, 0x08, 0x64, 0x41, 0x6b,
-	0xce, 0xeb, 0xa3, 0x90, 0x0f, 0xfa, 0x11, 0x5c, 0x0e, 0x8c, 0x57, 0xa6, 0xfd, 0x85, 0x9d, 0x48,
-	0x04, 0xde, 0xcb, 0x52, 0xa9, 0x48, 0xec, 0x9d, 0xc9, 0x40, 0x2e, 0x07, 0xc6, 0x15, 0x1d, 0x69,
-	0x65, 0x4c, 0x93, 0xe1, 0xe2, 0x37, 0x51, 0x25, 0x06, 0xca, 0xc2, 0x40, 0x16, 0xbf, 0x36, 0x4e,
-	0x8b, 0x48, 0x2b, 0x51, 0xb7, 0xf8, 0x2d, 0xb4, 0xdc, 0x05, 0xc6, 0xa8, 0x07, 0xb2, 0x82, 0x35,
-	0xe7, 0x86, 0x72, 0x5c, 0xbe, 0x97, 0x9a, 0xc9, 0xe8, 0x1e, 0x3f, 0x44, 0xab, 0xa7, 0x94, 0xf1,
-	0xc3, 0xa8, 0x43, 0x39, 0x1c, 0xf8, 0x5d, 0xd0, 0x4b, 0xb2, 0xe6, 0x6f, 0x3f, 0x5b, 0xd7, 0x08,
-	0x84, 0xb3, 0xa6, 0xd8, 0x57, 0xf7, 0x26, 0x98, 0xc8, 0x14, 0x33, 0xee, 0x21, 0x2c, 0x2c, 0x07,
-	0x31, 0x0d, 0x58, 0x5a, 0x28, 0xa1, 0x57, 0xfe, 0xdf, 0x7a, 0x0d, 0xa5, 0x87, 0xf7, 0x66, 0xd8,
-	0xc8, 0x15, 0x0a, 0xe6, 0x40, 0x43, 0xb7, 0xe7, 0x7e, 0xe5, 0x3d, 0x9f, 0x71, 0xfc, 0xfd, 0xcc,
-	0xd4, 0x58, 0xcf, 0x16, 0x8f, 0x40, 0xcb, 0x99, 0xb9, 0xa9, 0x62, 0xaa, 0x8e, 0x2c, 0xb9, 0x89,
-	0xf9, 0x01, 0x95, 0x7d, 0x0e, 0x5d, 0xa6, 0x2f, 0xb5, 0x8a, 0xeb, 0xf5, 0xcd, 0xed, 0xeb, 0xb7,
-	0xb3, 0xf3, 0x92, 0x92, 0x29, 0xef, 0x0a, 0x42, 0x92, 0xf2, 0x9a, 0xbf, 0x97, 0xfe, 0x23, 0x41,
-	0x31, 0x58, 0xf8, 0x0d, 0xb4, 0x1c, 0xa7, 0x47, 0x99, 0xdf, 0x8a, 0x53, 0x17, 0xdd, 0xa0, 0x3c,
-	0xc8, 0xe8, 0x0e, 0x5b, 0x08, 0x31, 0xdf, 0x0b, 0x20, 0xfe, 0x92, 0x76, 0x41, 0x5f, 0x4e, 0x9b,
-	0x4c, 0x6c, 0x82, 0xfd, 0xcc, 0x4a, 0x72, 0x1e, 0xb8, 0x8d, 0x6e, 0xc1, 0xa3, 0xc8, 0x8f, 0xa9,
-	0x6c, 0x56, 0x70, 0xc3, 0xa0, 0xc3, 0xf4, 0x6a, 0x4b, 0x5b, 0x2f, 0x3b, 0xaf, 0x0e, 0x07, 0xc6,
-	0xad, 0x9d, 0xe9, 0x4b, 0x32, 0xeb, 0x8f, 0x2d, 0x54, 0x49, 0x44, 0x2f, 0x32, 0xbd, 0xdc, 0x2a,
-	0xae, 0xd7, 0x9c, 0x35, 0xd1, 0xd1, 0x87, 0xd2, 0x72, 0x39, 0x30, 0xaa, 0x5f, 0x40, 0x5f, 0x1e,
-	0x88, 0xf2, 0xc2, 0xef, 0xa2, 0x6a, 0xc2, 0x20, 0x0e, 0x44, 0x88, 0xe9, 0x1c, 0x64, 0xc5, 0x3f,
-	0x54, 0x76, 0x92, 0x79, 0xe0, 0xdb, 0xa8, 0x98, 0xf8, 0x1d, 0x35, 0x07, 0x75, 0xe5, 0x58, 0x3c,
-	0xdc, 0xfd, 0x8c, 0x08, 0x3b, 0x36, 0x51, 0xc5, 0x8b, 0xc3, 0x24, 0x62, 0x7a, 0x49, 0x8a, 0x23,
-	0x21, 0xfe, 0xb9, 0xb4, 0x10, 0x75, 0x83, 0x03, 0x54, 0x86, 0x47, 0x3c, 0xa6, 0x7a, 0x45, 0x7e,
-	0xbf, 0xdd, 0xe7, 0x5b, 0x79, 0xd6, 0x8e, 0xe0, 0xda, 0x09, 0x78, 0xdc, 0x1f, 0x7f, 0x4e, 0x69,
-	0x23, 0xa9, 0x4c, 0x03, 0x10, 0x1a, 0xfb, 0xe0, 0x9b, 0xa8, 0x78, 0x02, 0xfd, 0x74, 0xf7, 0x10,
-	0xf1, 0x13, 0x7f, 0x8a, 0xca, 0x3d, 0x7a, 0x9a, 0x80, 0x5a, 0xc1, 0xef, 0x2c, 0x8c, 0x47, 0xb2,
-	0x7d, 0x2d, 0x20, 0x24, 0x45, 0x6e, 0x2f, 0x6d, 0x69, 0xe6, 0x9f, 0x1a, 0x32, 0x16, 0x2c, 0x4e,
-	0xfc, 0x13, 0x42, 0xee, 0x68, 0x19, 0x31, 0x5d, 0x93, 0xf9, 0xb7, 0xaf, 0x9f, 0x7f, 0xb6, 0xd8,
-	0xc6, 0x6f, 0x4c, 0x66, 0x62, 0x24, 0x27, 0x85, 0x37, 0x50, 0x3d, 0x47, 0x2d, 0x33, 0x5d, 0x71,
-	0x6e, 0x0c, 0x07, 0x46, 0x3d, 0x47, 0x4e, 0xf2, 0x3e, 0xe6, 0x5f, 0x1a, 0xc2, 0xed, 0xd3, 0x84,
-	0x71, 0x88, 0x0f, 0xe2, 0x84, 0x71, 0x27, 0x09, 0x3a, 0xa7, 0xf0, 0x02, 0x5e, 0xc4, 0x6f, 0x27,
-	0x5e, 0xc4, 0xbb, 0x8b, 0xcb, 0x33, 0x13, 0xe4, 0xbc, 0xa7, 0xd0, 0x3c, 0xd7, 0xd0, 0xda, 0xac,
-	0xfb, 0x0b, 0xd8, 0x59, 0xdf, 0x4c, 0xee, 0xac, 0x0f, 0xae, 0x91, 0xd4, 0x9c, 0x65, 0xf5, 0xf3,
-	0x95, 0x29, 0xc9, 0x2d, 0xb5, 0x39, 0xb1, 0x7e, 0xd2, 0xd7, 0x36, 0x2b, 0xfd, 0x9c, 0x15, 0xf4,
-	0x21, 0xaa, 0xf3, 0x31, 0x8d, 0x5a, 0x08, 0x2f, 0x2b, 0x50, 0x3d, 0xa7, 0x40, 0xf2, 0x7e, 0xe6,
-	0x5d, 0x35, 0x63, 0x72, 0x2a, 0xb0, 0x31, 0xca, 0x56, 0x93, 0x4b, 0xa0, 0x36, 0x1d, 0xf4, 0x76,
-	0xf5, 0xd7, 0xdf, 0x8c, 0xc2, 0xe3, 0xbf, 0x5b, 0x05, 0x67, 0xe7, 0xec, 0xa2, 0x59, 0x38, 0xbf,
-	0x68, 0x16, 0x9e, 0x5c, 0x34, 0x0b, 0x8f, 0x87, 0x4d, 0xed, 0x6c, 0xd8, 0xd4, 0xce, 0x87, 0x4d,
-	0xed, 0xc9, 0xb0, 0xa9, 0xfd, 0x33, 0x6c, 0x6a, 0xbf, 0x3c, 0x6d, 0x16, 0xbe, 0x33, 0x16, 0xfc,
-	0xd1, 0xfd, 0x37, 0x00, 0x00, 0xff, 0xff, 0x17, 0xbe, 0xe3, 0x02, 0x0a, 0x0b, 0x00, 0x00,
-}
+func (m *PodCertificateRequestStatus) Reset() { *m = PodCertificateRequestStatus{} }
 
 func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -581,7 +261,7 @@ func (m *CertificateSigningRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int,
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -842,151 +522,336 @@ func (m ExtraValue) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
-func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
-	offset -= sovGenerated(v)
-	base := offset
-	for v >= 1<<7 {
-		dAtA[offset] = uint8(v&0x7f | 0x80)
-		v >>= 7
-		offset++
-	}
-	dAtA[offset] = uint8(v)
-	return base
-}
-func (m *CertificateSigningRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ObjectMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Spec.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Status.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *CertificateSigningRequestCondition) Size() (n int) {
-	if m == nil {
-		return 0
+func (m *PodCertificateRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
 	}
-	var l int
-	_ = l
-	l = len(m.Type)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Reason)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Message)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.LastUpdateTime.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.LastTransitionTime.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Status)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
+	return dAtA[:n], nil
 }
 
-func (m *CertificateSigningRequestList) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ListMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Items) > 0 {
-		for _, e := range m.Items {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	return n
+func (m *PodCertificateRequest) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
 
-func (m *CertificateSigningRequestSpec) Size() (n int) {
-	if m == nil {
-		return 0
-	}
+func (m *PodCertificateRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
 	var l int
 	_ = l
-	if m.Request != nil {
-		l = len(m.Request)
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	l = len(m.Username)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.UID)
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Groups) > 0 {
-		for _, s := range m.Groups {
-			l = len(s)
-			n += 1 + l + sovGenerated(uint64(l))
+	{
+		size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
 		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
 	}
-	if len(m.Usages) > 0 {
-		for _, s := range m.Usages {
-			l = len(s)
-			n += 1 + l + sovGenerated(uint64(l))
+	i--
+	dAtA[i] = 0x1a
+	{
+		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
 		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
 	}
-	if len(m.Extra) > 0 {
-		for k, v := range m.Extra {
-			_ = k
-			_ = v
-			l = v.Size()
-			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
-			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+	i--
+	dAtA[i] = 0x12
+	{
+		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
 		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
 	}
-	if m.SignerName != nil {
-		l = len(*m.SignerName)
-		n += 1 + l + sovGenerated(uint64(l))
-	}
-	if m.ExpirationSeconds != nil {
-		n += 1 + sovGenerated(uint64(*m.ExpirationSeconds))
-	}
-	return n
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
 }
 
-func (m *CertificateSigningRequestStatus) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Conditions) > 0 {
-		for _, e := range m.Conditions {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	if m.Certificate != nil {
-		l = len(m.Certificate)
-		n += 1 + l + sovGenerated(uint64(l))
+func (m *PodCertificateRequestList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
 	}
-	return n
+	return dAtA[:n], nil
 }
 
-func (m *ClusterTrustBundle) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ObjectMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Spec.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
+func (m *PodCertificateRequestList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
 
-func (m *ClusterTrustBundleList) Size() (n int) {
-	if m == nil {
-		return 0
-	}
+func (m *PodCertificateRequestList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	{
+		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *PodCertificateRequestSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodCertificateRequestSpec) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *PodCertificateRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.UnverifiedUserAnnotations) > 0 {
+		keysForUnverifiedUserAnnotations := make([]string, 0, len(m.UnverifiedUserAnnotations))
+		for k := range m.UnverifiedUserAnnotations {
+			keysForUnverifiedUserAnnotations = append(keysForUnverifiedUserAnnotations, string(k))
+		}
+		sort.Strings(keysForUnverifiedUserAnnotations)
+		for iNdEx := len(keysForUnverifiedUserAnnotations) - 1; iNdEx >= 0; iNdEx-- {
+			v := m.UnverifiedUserAnnotations[string(keysForUnverifiedUserAnnotations[iNdEx])]
+			baseI := i
+			i -= len(v)
+			copy(dAtA[i:], v)
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i--
+			dAtA[i] = 0x12
+			i -= len(keysForUnverifiedUserAnnotations[iNdEx])
+			copy(dAtA[i:], keysForUnverifiedUserAnnotations[iNdEx])
+			i = encodeVarintGenerated(dAtA, i, uint64(len(keysForUnverifiedUserAnnotations[iNdEx])))
+			i--
+			dAtA[i] = 0xa
+			i = encodeVarintGenerated(dAtA, i, uint64(baseI-i))
+			i--
+			dAtA[i] = 0x5a
+		}
+	}
+	if m.ProofOfPossession != nil {
+		i -= len(m.ProofOfPossession)
+		copy(dAtA[i:], m.ProofOfPossession)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.ProofOfPossession)))
+		i--
+		dAtA[i] = 0x52
+	}
+	if m.PKIXPublicKey != nil {
+		i -= len(m.PKIXPublicKey)
+		copy(dAtA[i:], m.PKIXPublicKey)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.PKIXPublicKey)))
+		i--
+		dAtA[i] = 0x4a
+	}
+	if m.MaxExpirationSeconds != nil {
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.MaxExpirationSeconds))
+		i--
+		dAtA[i] = 0x40
+	}
+	i -= len(m.NodeUID)
+	copy(dAtA[i:], m.NodeUID)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeUID)))
+	i--
+	dAtA[i] = 0x3a
+	i -= len(m.NodeName)
+	copy(dAtA[i:], m.NodeName)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName)))
+	i--
+	dAtA[i] = 0x32
+	i -= len(m.ServiceAccountUID)
+	copy(dAtA[i:], m.ServiceAccountUID)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountUID)))
+	i--
+	dAtA[i] = 0x2a
+	i -= len(m.ServiceAccountName)
+	copy(dAtA[i:], m.ServiceAccountName)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountName)))
+	i--
+	dAtA[i] = 0x22
+	i -= len(m.PodUID)
+	copy(dAtA[i:], m.PodUID)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodUID)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.PodName)
+	copy(dAtA[i:], m.PodName)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodName)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.SignerName)
+	copy(dAtA[i:], m.SignerName)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SignerName)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *PodCertificateRequestStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodCertificateRequestStatus) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *PodCertificateRequestStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.NotAfter != nil {
+		{
+			size, err := m.NotAfter.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x32
+	}
+	if m.BeginRefreshAt != nil {
+		{
+			size, err := m.BeginRefreshAt.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x2a
+	}
+	if m.NotBefore != nil {
+		{
+			size, err := m.NotBefore.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x22
+	}
+	i -= len(m.CertificateChain)
+	copy(dAtA[i:], m.CertificateChain)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CertificateChain)))
+	i--
+	dAtA[i] = 0x12
+	if len(m.Conditions) > 0 {
+		for iNdEx := len(m.Conditions) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Conditions[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *CertificateSigningRequest) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CertificateSigningRequestCondition) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastUpdateTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CertificateSigningRequestList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
 	var l int
 	_ = l
 	l = m.ListMeta.Size()
@@ -1000,43 +865,240 @@ func (m *ClusterTrustBundleList) Size() (n int) {
 	return n
 }
 
-func (m *ClusterTrustBundleSpec) Size() (n int) {
+func (m *CertificateSigningRequestSpec) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	l = len(m.SignerName)
+	if m.Request != nil {
+		l = len(m.Request)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.Username)
 	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.TrustBundle)
+	l = len(m.UID)
 	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Usages) > 0 {
+		for _, s := range m.Usages {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if m.SignerName != nil {
+		l = len(*m.SignerName)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ExpirationSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ExpirationSeconds))
+	}
 	return n
 }
 
-func (m ExtraValue) Size() (n int) {
+func (m *CertificateSigningRequestStatus) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	if len(m) > 0 {
-		for _, s := range m {
-			l = len(s)
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if m.Certificate != nil {
+		l = len(m.Certificate)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
-func sovGenerated(x uint64) (n int) {
-	return (math_bits.Len64(x|1) + 6) / 7
-}
-func sozGenerated(x uint64) (n int) {
-	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+func (m *ClusterTrustBundle) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
 }
-func (this *CertificateSigningRequest) String() string {
-	if this == nil {
-		return "nil"
+
+func (m *ClusterTrustBundleList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterTrustBundleSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.SignerName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.TrustBundle)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m ExtraValue) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodCertificateRequest) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodCertificateRequestList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodCertificateRequestSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.SignerName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodUID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ServiceAccountName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ServiceAccountUID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.NodeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.NodeUID)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.MaxExpirationSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.MaxExpirationSeconds))
+	}
+	if m.PKIXPublicKey != nil {
+		l = len(m.PKIXPublicKey)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ProofOfPossession != nil {
+		l = len(m.ProofOfPossession)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.UnverifiedUserAnnotations) > 0 {
+		for k, v := range m.UnverifiedUserAnnotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *PodCertificateRequestStatus) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.CertificateChain)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.NotBefore != nil {
+		l = m.NotBefore.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.BeginRefreshAt != nil {
+		l = m.BeginRefreshAt.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NotAfter != nil {
+		l = m.NotAfter.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CertificateSigningRequest) String() string {
+	if this == nil {
+		return "nil"
 	}
 	s := strings.Join([]string{`&CertificateSigningRequest{`,
 		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
@@ -1085,7 +1147,7 @@ func (this *CertificateSigningRequestSpec) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
@@ -1158,6 +1220,83 @@ func (this *ClusterTrustBundleSpec) String() string {
 	}, "")
 	return s
 }
+func (this *PodCertificateRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodCertificateRequest{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodCertificateRequestSpec", "PodCertificateRequestSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodCertificateRequestStatus", "PodCertificateRequestStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodCertificateRequestList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]PodCertificateRequest{"
+	for _, f := range this.Items {
+		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "PodCertificateRequest", "PodCertificateRequest", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&PodCertificateRequestList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + repeatedStringForItems + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodCertificateRequestSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForUnverifiedUserAnnotations := make([]string, 0, len(this.UnverifiedUserAnnotations))
+	for k := range this.UnverifiedUserAnnotations {
+		keysForUnverifiedUserAnnotations = append(keysForUnverifiedUserAnnotations, k)
+	}
+	sort.Strings(keysForUnverifiedUserAnnotations)
+	mapStringForUnverifiedUserAnnotations := "map[string]string{"
+	for _, k := range keysForUnverifiedUserAnnotations {
+		mapStringForUnverifiedUserAnnotations += fmt.Sprintf("%v: %v,", k, this.UnverifiedUserAnnotations[k])
+	}
+	mapStringForUnverifiedUserAnnotations += "}"
+	s := strings.Join([]string{`&PodCertificateRequestSpec{`,
+		`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
+		`PodName:` + fmt.Sprintf("%v", this.PodName) + `,`,
+		`PodUID:` + fmt.Sprintf("%v", this.PodUID) + `,`,
+		`ServiceAccountName:` + fmt.Sprintf("%v", this.ServiceAccountName) + `,`,
+		`ServiceAccountUID:` + fmt.Sprintf("%v", this.ServiceAccountUID) + `,`,
+		`NodeName:` + fmt.Sprintf("%v", this.NodeName) + `,`,
+		`NodeUID:` + fmt.Sprintf("%v", this.NodeUID) + `,`,
+		`MaxExpirationSeconds:` + valueToStringGenerated(this.MaxExpirationSeconds) + `,`,
+		`PKIXPublicKey:` + valueToStringGenerated(this.PKIXPublicKey) + `,`,
+		`ProofOfPossession:` + valueToStringGenerated(this.ProofOfPossession) + `,`,
+		`UnverifiedUserAnnotations:` + mapStringForUnverifiedUserAnnotations + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodCertificateRequestStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForConditions := "[]Condition{"
+	for _, f := range this.Conditions {
+		repeatedStringForConditions += fmt.Sprintf("%v", f) + ","
+	}
+	repeatedStringForConditions += "}"
+	s := strings.Join([]string{`&PodCertificateRequestStatus{`,
+		`Conditions:` + repeatedStringForConditions + `,`,
+		`CertificateChain:` + fmt.Sprintf("%v", this.CertificateChain) + `,`,
+		`NotBefore:` + strings.Replace(fmt.Sprintf("%v", this.NotBefore), "Time", "v1.Time", 1) + `,`,
+		`BeginRefreshAt:` + strings.Replace(fmt.Sprintf("%v", this.BeginRefreshAt), "Time", "v1.Time", 1) + `,`,
+		`NotAfter:` + strings.Replace(fmt.Sprintf("%v", this.NotAfter), "Time", "v1.Time", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func valueToStringGenerated(v interface{}) string {
 	rv := reflect.ValueOf(v)
 	if rv.IsNil() {
@@ -1176,30 +1315,670 @@ func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
 			if shift >= 64 {
 				return ErrIntOverflowGenerated
 			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = RequestConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CertificateSigningRequest{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Request = append(m.Request[:0], dAtA[iNdEx:postIndex]...)
+			if m.Request == nil {
+				m.Request = []byte{}
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
 			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
 			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: CertificateSigningRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: CertificateSigningRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Usages", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1209,28 +1988,27 @@ func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.Usages = append(m.Usages, KeyUsage(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
-		case 2:
+		case 6:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1257,15 +2035,111 @@ func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			var mapkey string
+			mapvalue := &ExtraValue{}
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= uint64(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= int(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if postmsgIndex < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &ExtraValue{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGenerated(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if (skippy < 0) || (iNdEx+skippy) < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
 			}
+			m.Extra[mapkey] = *mapvalue
 			iNdEx = postIndex
-		case 3:
+		case 7:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1275,25 +2149,45 @@ func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.SignerName = &s
 			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExpirationSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ExpirationSeconds = &v
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -1315,7 +2209,7 @@ func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
+func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1338,17 +2232,17 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: CertificateSigningRequestCondition: wiretype end group for non-group")
+			return fmt.Errorf("proto: CertificateSigningRequestStatus: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: CertificateSigningRequestCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: CertificateSigningRequestStatus: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1358,29 +2252,31 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Type = RequestConditionType(dAtA[iNdEx:postIndex])
+			m.Conditions = append(m.Conditions, CertificateSigningRequestCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Certificate", wireType)
 			}
-			var stringLen uint64
+			var byteLen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1390,29 +2286,81 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				byteLen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if byteLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			if postIndex > l {
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Certificate = append(m.Certificate[:0], dAtA[iNdEx:postIndex]...)
+			if m.Certificate == nil {
+				m.Certificate = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Reason = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterTrustBundle: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterTrustBundle: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1422,27 +2370,28 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Message = string(dAtA[iNdEx:postIndex])
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 4:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1469,13 +2418,63 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 5:
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterTrustBundleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterTrustBundleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1502,15 +2501,15 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 6:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1520,23 +2519,25 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			m.Items = append(m.Items, ClusterTrustBundle{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -1559,7 +2560,7 @@ func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
+func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1582,17 +2583,17 @@ func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: CertificateSigningRequestList: wiretype end group for non-group")
+			return fmt.Errorf("proto: ClusterTrustBundleSpec: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: CertificateSigningRequestList: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: ClusterTrustBundleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1602,30 +2603,29 @@ func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.SignerName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field TrustBundle", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1635,25 +2635,23 @@ func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Items = append(m.Items, CertificateSigningRequest{})
-			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.TrustBundle = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -1676,7 +2674,7 @@ func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1699,17 +2697,17 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: CertificateSigningRequestSpec: wiretype end group for non-group")
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: CertificateSigningRequestSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
 			}
-			var byteLen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1719,31 +2717,79 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if byteLen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + byteLen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Request = append(m.Request[:0], dAtA[iNdEx:postIndex]...)
-			if m.Request == nil {
-				m.Request = []byte{}
-			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
-		case 2:
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodCertificateRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodCertificateRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodCertificateRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1753,29 +2799,30 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Username = string(dAtA[iNdEx:postIndex])
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 3:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1785,29 +2832,30 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.UID = string(dAtA[iNdEx:postIndex])
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 4:
+		case 3:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1817,29 +2865,80 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 5:
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodCertificateRequestList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodCertificateRequestList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodCertificateRequestList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Usages", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1849,27 +2948,28 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Usages = append(m.Usages, KeyUsage(dAtA[iNdEx:postIndex]))
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 6:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -1896,109 +2996,96 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.Extra == nil {
-				m.Extra = make(map[string]ExtraValue)
+			m.Items = append(m.Items, PodCertificateRequest{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
 			}
-			var mapkey string
-			mapvalue := &ExtraValue{}
-			for iNdEx < postIndex {
-				entryPreIndex := iNdEx
-				var wire uint64
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return ErrIntOverflowGenerated
-					}
-					if iNdEx >= l {
-						return io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					wire |= uint64(b&0x7F) << shift
-					if b < 0x80 {
-						break
-					}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodCertificateRequestSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodCertificateRequestSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
 				}
-				fieldNum := int32(wire >> 3)
-				if fieldNum == 1 {
-					var stringLenmapkey uint64
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowGenerated
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						stringLenmapkey |= uint64(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					intStringLenmapkey := int(stringLenmapkey)
-					if intStringLenmapkey < 0 {
-						return ErrInvalidLengthGenerated
-					}
-					postStringIndexmapkey := iNdEx + intStringLenmapkey
-					if postStringIndexmapkey < 0 {
-						return ErrInvalidLengthGenerated
-					}
-					if postStringIndexmapkey > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
-					iNdEx = postStringIndexmapkey
-				} else if fieldNum == 2 {
-					var mapmsglen int
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowGenerated
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						mapmsglen |= int(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					if mapmsglen < 0 {
-						return ErrInvalidLengthGenerated
-					}
-					postmsgIndex := iNdEx + mapmsglen
-					if postmsgIndex < 0 {
-						return ErrInvalidLengthGenerated
-					}
-					if postmsgIndex > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapvalue = &ExtraValue{}
-					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
-						return err
-					}
-					iNdEx = postmsgIndex
-				} else {
-					iNdEx = entryPreIndex
-					skippy, err := skipGenerated(dAtA[iNdEx:])
-					if err != nil {
-						return err
-					}
-					if (skippy < 0) || (iNdEx+skippy) < 0 {
-						return ErrInvalidLengthGenerated
-					}
-					if (iNdEx + skippy) > postIndex {
-						return io.ErrUnexpectedEOF
-					}
-					iNdEx += skippy
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
 				}
 			}
-			m.Extra[mapkey] = *mapvalue
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SignerName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 7:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field PodName", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -2026,14 +3113,13 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			s := string(dAtA[iNdEx:postIndex])
-			m.SignerName = &s
+			m.PodName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 8:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ExpirationSeconds", wireType)
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodUID", wireType)
 			}
-			var v int32
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2043,67 +3129,61 @@ func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				v |= int32(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			m.ExpirationSeconds = &v
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
 			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			if (iNdEx + skippy) > l {
+			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
+			m.PodUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountName", wireType)
 			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
 			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
 			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: CertificateSigningRequestStatus: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: CertificateSigningRequestStatus: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServiceAccountName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountUID", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2113,31 +3193,29 @@ func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Conditions = append(m.Conditions, CertificateSigningRequestCondition{})
-			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.ServiceAccountUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 2:
+		case 6:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Certificate", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType)
 			}
-			var byteLen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2147,81 +3225,115 @@ func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if byteLen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + byteLen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Certificate = append(m.Certificate[:0], dAtA[iNdEx:postIndex]...)
-			if m.Certificate == nil {
-				m.Certificate = []byte{}
-			}
+			m.NodeName = k8s_io_apimachinery_pkg_types.NodeName(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeUID", wireType)
 			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			if (iNdEx + skippy) > l {
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
+			m.NodeUID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxExpirationSeconds", wireType)
 			}
-			if iNdEx >= l {
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.MaxExpirationSeconds = &v
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PKIXPublicKey", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
+			m.PKIXPublicKey = append(m.PKIXPublicKey[:0], dAtA[iNdEx:postIndex]...)
+			if m.PKIXPublicKey == nil {
+				m.PKIXPublicKey = []byte{}
 			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundle: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundle: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
+			iNdEx = postIndex
+		case 10:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ProofOfPossession", wireType)
 			}
-			var msglen int
+			var byteLen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2231,28 +3343,29 @@ func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				byteLen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			if byteLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
+			m.ProofOfPossession = append(m.ProofOfPossession[:0], dAtA[iNdEx:postIndex]...)
+			if m.ProofOfPossession == nil {
+				m.ProofOfPossession = []byte{}
 			}
 			iNdEx = postIndex
-		case 2:
+		case 11:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field UnverifiedUserAnnotations", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -2279,9 +3392,103 @@ func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
+			if m.UnverifiedUserAnnotations == nil {
+				m.UnverifiedUserAnnotations = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= uint64(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGenerated(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if (skippy < 0) || (iNdEx+skippy) < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
 			}
+			m.UnverifiedUserAnnotations[mapkey] = mapvalue
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -2304,7 +3511,7 @@ func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
+func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -2327,15 +3534,15 @@ func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundleList: wiretype end group for non-group")
+			return fmt.Errorf("proto: PodCertificateRequestStatus: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundleList: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: PodCertificateRequestStatus: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -2362,15 +3569,16 @@ func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Conditions = append(m.Conditions, v1.Condition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field CertificateChain", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2380,81 +3588,29 @@ func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Items = append(m.Items, ClusterTrustBundle{})
-			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.CertificateChain = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ClusterTrustBundleSpec: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ClusterTrustBundleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
+		case 4:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field SignerName", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field NotBefore", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2464,29 +3620,33 @@ func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.SignerName = string(dAtA[iNdEx:postIndex])
+			if m.NotBefore == nil {
+				m.NotBefore = &v1.Time{}
+			}
+			if err := m.NotBefore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 2:
+		case 5:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field TrustBundle", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field BeginRefreshAt", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2496,79 +3656,33 @@ func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.TrustBundle = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *ExtraValue) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
+			if m.BeginRefreshAt == nil {
+				m.BeginRefreshAt = &v1.Time{}
 			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
+			if err := m.BeginRefreshAt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
 			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
+			iNdEx = postIndex
+		case 6:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field NotAfter", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -2578,23 +3692,27 @@ func (m *ExtraValue) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			if m.NotAfter == nil {
+				m.NotAfter = &v1.Time{}
+			}
+			if err := m.NotAfter.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/generated.proto b/staging/src/k8s.io/api/certificates/v1beta1/generated.proto
index 4c9385c1960c4..a8ffad4727f54 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/certificates/v1beta1/generated.proto
@@ -86,7 +86,6 @@ message CertificateSigningRequestList {
 // CertificateSigningRequestSpec contains the certificate request.
 message CertificateSigningRequestSpec {
   // Base64-encoded PKCS#10 CSR data
-  // +listType=atomic
   optional bytes request = 1;
 
   // Requested signer for the request. It is a qualified name in the form:
@@ -186,13 +185,13 @@ message CertificateSigningRequestStatus {
   // +optional
   // +k8s:listType=map
   // +k8s:listMapKey=type
+  // +k8s:customUnique
   // +k8s:optional
   // +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
   // +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
   repeated CertificateSigningRequestCondition conditions = 1;
 
   // If request was approved, the controller will place the issued certificate here.
-  // +listType=atomic
   // +optional
   optional bytes certificate = 2;
 }
@@ -279,3 +278,220 @@ message ExtraValue {
   repeated string items = 1;
 }
 
+// PodCertificateRequest encodes a pod requesting a certificate from a given
+// signer.
+//
+// Kubelets use this API to implement podCertificate projected volumes
+message PodCertificateRequest {
+  // metadata contains the object metadata.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // spec contains the details about the certificate being requested.
+  optional PodCertificateRequestSpec spec = 2;
+
+  // status contains the issued certificate, and a standard set of conditions.
+  // +optional
+  optional PodCertificateRequestStatus status = 3;
+}
+
+// PodCertificateRequestList is a collection of PodCertificateRequest objects
+message PodCertificateRequestList {
+  // metadata contains the list metadata.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is a collection of PodCertificateRequest objects
+  repeated PodCertificateRequest items = 2;
+}
+
+// PodCertificateRequestSpec describes the certificate request.  All fields are
+// immutable after creation.
+message PodCertificateRequestSpec {
+  // signerName indicates the requested signer.
+  //
+  // All signer names beginning with `kubernetes.io` are reserved for use by
+  // the Kubernetes project.  There is currently one well-known signer
+  // documented by the Kubernetes project,
+  // `kubernetes.io/kube-apiserver-client-pod`, which will issue client
+  // certificates understood by kube-apiserver.  It is currently
+  // unimplemented.
+  //
+  // +required
+  optional string signerName = 1;
+
+  // podName is the name of the pod into which the certificate will be mounted.
+  //
+  // +required
+  optional string podName = 2;
+
+  // podUID is the UID of the pod into which the certificate will be mounted.
+  //
+  // +required
+  optional string podUID = 3;
+
+  // serviceAccountName is the name of the service account the pod is running as.
+  //
+  // +required
+  optional string serviceAccountName = 4;
+
+  // serviceAccountUID is the UID of the service account the pod is running as.
+  //
+  // +required
+  optional string serviceAccountUID = 5;
+
+  // nodeName is the name of the node the pod is assigned to.
+  //
+  // +required
+  optional string nodeName = 6;
+
+  // nodeUID is the UID of the node the pod is assigned to.
+  //
+  // +required
+  optional string nodeUID = 7;
+
+  // maxExpirationSeconds is the maximum lifetime permitted for the
+  // certificate.
+  //
+  // If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+  // will reject values shorter than 3600 (1 hour).  The maximum allowable
+  // value is 7862400 (91 days).
+  //
+  // The signer implementation is then free to issue a certificate with any
+  // lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+  // seconds (1 hour).  This constraint is enforced by kube-apiserver.
+  // `kubernetes.io` signers will never issue certificates with a lifetime
+  // longer than 24 hours.
+  //
+  // +optional
+  // +default=86400
+  optional int32 maxExpirationSeconds = 8;
+
+  // pkixPublicKey is the PKIX-serialized public key the signer will issue the
+  // certificate to.
+  //
+  // The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
+  // or ED25519. Note that this list may be expanded in the future.
+  //
+  // Signer implementations do not need to support all key types supported by
+  // kube-apiserver and kubelet.  If a signer does not support the key type
+  // used for a given PodCertificateRequest, it must deny the request by
+  // setting a status.conditions entry with a type of "Denied" and a reason of
+  // "UnsupportedKeyType". It may also suggest a key type that it does support
+  // in the message field.
+  //
+  // +required
+  optional bytes pkixPublicKey = 9;
+
+  // proofOfPossession proves that the requesting kubelet holds the private
+  // key corresponding to pkixPublicKey.
+  //
+  // It is contructed by signing the ASCII bytes of the pod's UID using
+  // `pkixPublicKey`.
+  //
+  // kube-apiserver validates the proof of possession during creation of the
+  // PodCertificateRequest.
+  //
+  // If the key is an RSA key, then the signature is over the ASCII bytes of
+  // the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
+  // function crypto/rsa.SignPSS with nil options).
+  //
+  // If the key is an ECDSA key, then the signature is as described by [SEC 1,
+  // Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
+  // golang library function crypto/ecdsa.SignASN1)
+  //
+  // If the key is an ED25519 key, the the signature is as described by the
+  // [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
+  // the golang library crypto/ed25519.Sign).
+  //
+  // +required
+  optional bytes proofOfPossession = 10;
+
+  // unverifiedUserAnnotations allow pod authors to pass additional information to
+  // the signer implementation.  Kubernetes does not restrict or validate this
+  // metadata in any way.
+  //
+  // Entries are subject to the same validation as object metadata annotations,
+  // with the addition that all keys must be domain-prefixed. No restrictions
+  // are placed on values, except an overall size limitation on the entire field.
+  //
+  // Signers should document the keys and values they support.  Signers should
+  // deny requests that contain keys they do not recognize.
+  map<string, string> unverifiedUserAnnotations = 11;
+}
+
+// PodCertificateRequestStatus describes the status of the request, and holds
+// the certificate data if the request is issued.
+message PodCertificateRequestStatus {
+  // conditions applied to the request.
+  //
+  // The types "Issued", "Denied", and "Failed" have special handling.  At
+  // most one of these conditions may be present, and they must have status
+  // "True".
+  //
+  // If the request is denied with `Reason=UnsupportedKeyType`, the signer may
+  // suggest a key type that will work in the message field.
+  //
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  // +listType=map
+  // +listMapKey=type
+  // +optional
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;
+
+  // certificateChain is populated with an issued certificate by the signer.
+  // This field is set via the /status subresource. Once populated, this field
+  // is immutable.
+  //
+  // If the certificate signing request is denied, a condition of type
+  // "Denied" is added and this field remains empty. If the signer cannot
+  // issue the certificate, a condition of type "Failed" is added and this
+  // field remains empty.
+  //
+  // Validation requirements:
+  //  1. certificateChain must consist of one or more PEM-formatted certificates.
+  //  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
+  //     described in section 4 of RFC5280.
+  //
+  // If more than one block is present, and the definition of the requested
+  // spec.signerName does not indicate otherwise, the first block is the
+  // issued certificate, and subsequent blocks should be treated as
+  // intermediate certificates and presented in TLS handshakes.  When
+  // projecting the chain into a pod volume, kubelet will drop any data
+  // in-between the PEM blocks, as well as any PEM block headers.
+  //
+  // +optional
+  optional string certificateChain = 2;
+
+  // notBefore is the time at which the certificate becomes valid.  The value
+  // must be the same as the notBefore value in the leaf certificate in
+  // certificateChain.  This field is set via the /status subresource.  Once
+  // populated, it is immutable. The signer must set this field at the same
+  // time it sets certificateChain.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notBefore = 4;
+
+  // beginRefreshAt is the time at which the kubelet should begin trying to
+  // refresh the certificate.  This field is set via the /status subresource,
+  // and must be set at the same time as certificateChain.  Once populated,
+  // this field is immutable.
+  //
+  // This field is only a hint.  Kubelet may start refreshing before or after
+  // this time if necessary.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time beginRefreshAt = 5;
+
+  // notAfter is the time at which the certificate expires.  The value must be
+  // the same as the notAfter value in the leaf certificate in
+  // certificateChain.  This field is set via the /status subresource.  Once
+  // populated, it is immutable.  The signer must set this field at the same
+  // time it sets certificateChain.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time notAfter = 6;
+}
+
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..00ba7faaeb6e6
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,48 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*CertificateSigningRequest) ProtoMessage() {}
+
+func (*CertificateSigningRequestCondition) ProtoMessage() {}
+
+func (*CertificateSigningRequestList) ProtoMessage() {}
+
+func (*CertificateSigningRequestSpec) ProtoMessage() {}
+
+func (*CertificateSigningRequestStatus) ProtoMessage() {}
+
+func (*ClusterTrustBundle) ProtoMessage() {}
+
+func (*ClusterTrustBundleList) ProtoMessage() {}
+
+func (*ClusterTrustBundleSpec) ProtoMessage() {}
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*PodCertificateRequest) ProtoMessage() {}
+
+func (*PodCertificateRequestList) ProtoMessage() {}
+
+func (*PodCertificateRequestSpec) ProtoMessage() {}
+
+func (*PodCertificateRequestStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/register.go b/staging/src/k8s.io/api/certificates/v1beta1/register.go
index 800dccd07dcf6..ee98513288de7 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/register.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/register.go
@@ -53,6 +53,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&CertificateSigningRequestList{},
 		&ClusterTrustBundle{},
 		&ClusterTrustBundleList{},
+		&PodCertificateRequest{},
+		&PodCertificateRequestList{},
 	)
 
 	// Add the watch version that applies
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/types.go b/staging/src/k8s.io/api/certificates/v1beta1/types.go
index fadb7e082efbc..acfabbfe9fd65 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/types.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/types.go
@@ -21,6 +21,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 // +genclient
@@ -51,7 +52,6 @@ type CertificateSigningRequest struct {
 // CertificateSigningRequestSpec contains the certificate request.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
-	// +listType=atomic
 	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`
 
 	// Requested signer for the request. It is a qualified name in the form:
@@ -179,13 +179,13 @@ type CertificateSigningRequestStatus struct {
 	// +optional
 	// +k8s:listType=map
 	// +k8s:listMapKey=type
+	// +k8s:customUnique
 	// +k8s:optional
 	// +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
 	// +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
 	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`
 
 	// If request was approved, the controller will place the issued certificate here.
-	// +listType=atomic
 	// +optional
 	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
 }
@@ -354,3 +354,250 @@ type ClusterTrustBundleList struct {
 	// items is a collection of ClusterTrustBundle objects
 	Items []ClusterTrustBundle `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
+
+// +genclient
+// +k8s:prerelease-lifecycle-gen:introduced=1.35
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodCertificateRequest encodes a pod requesting a certificate from a given
+// signer.
+//
+// Kubelets use this API to implement podCertificate projected volumes
+type PodCertificateRequest struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata contains the object metadata.
+	//
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// spec contains the details about the certificate being requested.
+	Spec PodCertificateRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// status contains the issued certificate, and a standard set of conditions.
+	// +optional
+	Status PodCertificateRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// PodCertificateRequestSpec describes the certificate request.  All fields are
+// immutable after creation.
+type PodCertificateRequestSpec struct {
+	// signerName indicates the requested signer.
+	//
+	// All signer names beginning with `kubernetes.io` are reserved for use by
+	// the Kubernetes project.  There is currently one well-known signer
+	// documented by the Kubernetes project,
+	// `kubernetes.io/kube-apiserver-client-pod`, which will issue client
+	// certificates understood by kube-apiserver.  It is currently
+	// unimplemented.
+	//
+	// +required
+	SignerName string `json:"signerName" protobuf:"bytes,1,opt,name=signerName"`
+
+	// podName is the name of the pod into which the certificate will be mounted.
+	//
+	// +required
+	PodName string `json:"podName" protobuf:"bytes,2,opt,name=podName"`
+	// podUID is the UID of the pod into which the certificate will be mounted.
+	//
+	// +required
+	PodUID types.UID `json:"podUID" protobuf:"bytes,3,opt,name=podUID"`
+
+	// serviceAccountName is the name of the service account the pod is running as.
+	//
+	// +required
+	ServiceAccountName string `json:"serviceAccountName" protobuf:"bytes,4,opt,name=serviceAccountName"`
+	// serviceAccountUID is the UID of the service account the pod is running as.
+	//
+	// +required
+	ServiceAccountUID types.UID `json:"serviceAccountUID" protobuf:"bytes,5,opt,name=serviceAccountUID"`
+
+	// nodeName is the name of the node the pod is assigned to.
+	//
+	// +required
+	NodeName types.NodeName `json:"nodeName" protobuf:"bytes,6,opt,name=nodeName"`
+	// nodeUID is the UID of the node the pod is assigned to.
+	//
+	// +required
+	NodeUID types.UID `json:"nodeUID" protobuf:"bytes,7,opt,name=nodeUID"`
+
+	// maxExpirationSeconds is the maximum lifetime permitted for the
+	// certificate.
+	//
+	// If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+	// will reject values shorter than 3600 (1 hour).  The maximum allowable
+	// value is 7862400 (91 days).
+	//
+	// The signer implementation is then free to issue a certificate with any
+	// lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+	// seconds (1 hour).  This constraint is enforced by kube-apiserver.
+	// `kubernetes.io` signers will never issue certificates with a lifetime
+	// longer than 24 hours.
+	//
+	// +optional
+	// +default=86400
+	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty" protobuf:"varint,8,opt,name=maxExpirationSeconds"`
+
+	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
+	// certificate to.
+	//
+	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
+	// or ED25519. Note that this list may be expanded in the future.
+	//
+	// Signer implementations do not need to support all key types supported by
+	// kube-apiserver and kubelet.  If a signer does not support the key type
+	// used for a given PodCertificateRequest, it must deny the request by
+	// setting a status.conditions entry with a type of "Denied" and a reason of
+	// "UnsupportedKeyType". It may also suggest a key type that it does support
+	// in the message field.
+	//
+	// +required
+	PKIXPublicKey []byte `json:"pkixPublicKey" protobuf:"bytes,9,opt,name=pkixPublicKey"`
+
+	// proofOfPossession proves that the requesting kubelet holds the private
+	// key corresponding to pkixPublicKey.
+	//
+	// It is contructed by signing the ASCII bytes of the pod's UID using
+	// `pkixPublicKey`.
+	//
+	// kube-apiserver validates the proof of possession during creation of the
+	// PodCertificateRequest.
+	//
+	// If the key is an RSA key, then the signature is over the ASCII bytes of
+	// the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
+	// function crypto/rsa.SignPSS with nil options).
+	//
+	// If the key is an ECDSA key, then the signature is as described by [SEC 1,
+	// Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
+	// golang library function crypto/ecdsa.SignASN1)
+	//
+	// If the key is an ED25519 key, the the signature is as described by the
+	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
+	// the golang library crypto/ed25519.Sign).
+	//
+	// +required
+	ProofOfPossession []byte `json:"proofOfPossession" protobuf:"bytes,10,opt,name=proofOfPossession"`
+
+	// unverifiedUserAnnotations allow pod authors to pass additional information to
+	// the signer implementation.  Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support.  Signers should
+	// deny requests that contain keys they do not recognize.
+	UnverifiedUserAnnotations map[string]string `json:"unverifiedUserAnnotations,omitempty" protobuf:"bytes,11,opt,name=unverifiedUserAnnotations"`
+}
+
+// PodCertificateRequestStatus describes the status of the request, and holds
+// the certificate data if the request is issued.
+type PodCertificateRequestStatus struct {
+	// conditions applied to the request.
+	//
+	// The types "Issued", "Denied", and "Failed" have special handling.  At
+	// most one of these conditions may be present, and they must have status
+	// "True".
+	//
+	// If the request is denied with `Reason=UnsupportedKeyType`, the signer may
+	// suggest a key type that will work in the message field.
+	//
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+
+	// certificateChain is populated with an issued certificate by the signer.
+	// This field is set via the /status subresource. Once populated, this field
+	// is immutable.
+	//
+	// If the certificate signing request is denied, a condition of type
+	// "Denied" is added and this field remains empty. If the signer cannot
+	// issue the certificate, a condition of type "Failed" is added and this
+	// field remains empty.
+	//
+	// Validation requirements:
+	//  1. certificateChain must consist of one or more PEM-formatted certificates.
+	//  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
+	//     described in section 4 of RFC5280.
+	//
+	// If more than one block is present, and the definition of the requested
+	// spec.signerName does not indicate otherwise, the first block is the
+	// issued certificate, and subsequent blocks should be treated as
+	// intermediate certificates and presented in TLS handshakes.  When
+	// projecting the chain into a pod volume, kubelet will drop any data
+	// in-between the PEM blocks, as well as any PEM block headers.
+	//
+	// +optional
+	CertificateChain string `json:"certificateChain,omitempty" protobuf:"bytes,2,opt,name=certificateChain"`
+
+	// notBefore is the time at which the certificate becomes valid.  The value
+	// must be the same as the notBefore value in the leaf certificate in
+	// certificateChain.  This field is set via the /status subresource.  Once
+	// populated, it is immutable. The signer must set this field at the same
+	// time it sets certificateChain.
+	//
+	// +optional
+	NotBefore *metav1.Time `json:"notBefore,omitempty" protobuf:"bytes,4,opt,name=notBefore"`
+
+	// beginRefreshAt is the time at which the kubelet should begin trying to
+	// refresh the certificate.  This field is set via the /status subresource,
+	// and must be set at the same time as certificateChain.  Once populated,
+	// this field is immutable.
+	//
+	// This field is only a hint.  Kubelet may start refreshing before or after
+	// this time if necessary.
+	//
+	// +optional
+	BeginRefreshAt *metav1.Time `json:"beginRefreshAt,omitempty" protobuf:"bytes,5,opt,name=beginRefreshAt"`
+
+	// notAfter is the time at which the certificate expires.  The value must be
+	// the same as the notAfter value in the leaf certificate in
+	// certificateChain.  This field is set via the /status subresource.  Once
+	// populated, it is immutable.  The signer must set this field at the same
+	// time it sets certificateChain.
+	//
+	// +optional
+	NotAfter *metav1.Time `json:"notAfter,omitempty" protobuf:"bytes,6,opt,name=notAfter"`
+}
+
+// Well-known condition types for PodCertificateRequests
+const (
+	// Denied indicates the request was denied by the signer.
+	PodCertificateRequestConditionTypeDenied string = "Denied"
+	// Failed indicates the signer failed to issue the certificate.
+	PodCertificateRequestConditionTypeFailed string = "Failed"
+	// Issued indicates the certificate has been issued.
+	PodCertificateRequestConditionTypeIssued string = "Issued"
+)
+
+// Well-known condition reasons for PodCertificateRequests
+const (
+	// UnsupportedKeyType should be set on "Denied" conditions when the signer
+	// doesn't support the key type of publicKey.
+	PodCertificateRequestConditionUnsupportedKeyType string = "UnsupportedKeyType"
+
+	// InvalidUnverifiedUserAnnotations should be set on "Denied" conditions when the signer
+	// does not recognize one of the keys passed in userConfig, or if the signer
+	// otherwise considers the userConfig of the request to be invalid.
+	PodCertificateRequestConditionInvalidUserConfig string = "InvalidUnverifiedUserAnnotations"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.35
+
+// PodCertificateRequestList is a collection of PodCertificateRequest objects
+type PodCertificateRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata contains the list metadata.
+	//
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is a collection of PodCertificateRequest objects
+	Items []PodCertificateRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
index 58c69e54d3d7e..bd829fb216bb8 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
@@ -105,4 +105,57 @@ func (ClusterTrustBundleSpec) SwaggerDoc() map[string]string {
 	return map_ClusterTrustBundleSpec
 }
 
+var map_PodCertificateRequest = map[string]string{
+	"":         "PodCertificateRequest encodes a pod requesting a certificate from a given signer.\n\nKubelets use this API to implement podCertificate projected volumes",
+	"metadata": "metadata contains the object metadata.",
+	"spec":     "spec contains the details about the certificate being requested.",
+	"status":   "status contains the issued certificate, and a standard set of conditions.",
+}
+
+func (PodCertificateRequest) SwaggerDoc() map[string]string {
+	return map_PodCertificateRequest
+}
+
+var map_PodCertificateRequestList = map[string]string{
+	"":         "PodCertificateRequestList is a collection of PodCertificateRequest objects",
+	"metadata": "metadata contains the list metadata.",
+	"items":    "items is a collection of PodCertificateRequest objects",
+}
+
+func (PodCertificateRequestList) SwaggerDoc() map[string]string {
+	return map_PodCertificateRequestList
+}
+
+var map_PodCertificateRequestSpec = map[string]string{
+	"":                          "PodCertificateRequestSpec describes the certificate request.  All fields are immutable after creation.",
+	"signerName":                "signerName indicates the requested signer.\n\nAll signer names beginning with `kubernetes.io` are reserved for use by the Kubernetes project.  There is currently one well-known signer documented by the Kubernetes project, `kubernetes.io/kube-apiserver-client-pod`, which will issue client certificates understood by kube-apiserver.  It is currently unimplemented.",
+	"podName":                   "podName is the name of the pod into which the certificate will be mounted.",
+	"podUID":                    "podUID is the UID of the pod into which the certificate will be mounted.",
+	"serviceAccountName":        "serviceAccountName is the name of the service account the pod is running as.",
+	"serviceAccountUID":         "serviceAccountUID is the UID of the service account the pod is running as.",
+	"nodeName":                  "nodeName is the name of the node the pod is assigned to.",
+	"nodeUID":                   "nodeUID is the UID of the node the pod is assigned to.",
+	"maxExpirationSeconds":      "maxExpirationSeconds is the maximum lifetime permitted for the certificate.\n\nIf omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver will reject values shorter than 3600 (1 hour).  The maximum allowable value is 7862400 (91 days).\n\nThe signer implementation is then free to issue a certificate with any lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 seconds (1 hour).  This constraint is enforced by kube-apiserver. `kubernetes.io` signers will never issue certificates with a lifetime longer than 24 hours.",
+	"pkixPublicKey":             "pkixPublicKey is the PKIX-serialized public key the signer will issue the certificate to.\n\nThe key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521, or ED25519. Note that this list may be expanded in the future.\n\nSigner implementations do not need to support all key types supported by kube-apiserver and kubelet.  If a signer does not support the key type used for a given PodCertificateRequest, it must deny the request by setting a status.conditions entry with a type of \"Denied\" and a reason of \"UnsupportedKeyType\". It may also suggest a key type that it does support in the message field.",
+	"proofOfPossession":         "proofOfPossession proves that the requesting kubelet holds the private key corresponding to pkixPublicKey.\n\nIt is contructed by signing the ASCII bytes of the pod's UID using `pkixPublicKey`.\n\nkube-apiserver validates the proof of possession during creation of the PodCertificateRequest.\n\nIf the key is an RSA key, then the signature is over the ASCII bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang function crypto/rsa.SignPSS with nil options).\n\nIf the key is an ECDSA key, then the signature is as described by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the golang library function crypto/ecdsa.SignASN1)\n\nIf the key is an ED25519 key, the the signature is as described by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by the golang library crypto/ed25519.Sign).",
+	"unverifiedUserAnnotations": "unverifiedUserAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support.  Signers should deny requests that contain keys they do not recognize.",
+}
+
+func (PodCertificateRequestSpec) SwaggerDoc() map[string]string {
+	return map_PodCertificateRequestSpec
+}
+
+var map_PodCertificateRequestStatus = map[string]string{
+	"":                 "PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.",
+	"conditions":       "conditions applied to the request.\n\nThe types \"Issued\", \"Denied\", and \"Failed\" have special handling.  At most one of these conditions may be present, and they must have status \"True\".\n\nIf the request is denied with `Reason=UnsupportedKeyType`, the signer may suggest a key type that will work in the message field.",
+	"certificateChain": "certificateChain is populated with an issued certificate by the signer. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificateChain must consist of one or more PEM-formatted certificates.\n 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as\n    described in section 4 of RFC5280.\n\nIf more than one block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.  When projecting the chain into a pod volume, kubelet will drop any data in-between the PEM blocks, as well as any PEM block headers.",
+	"notBefore":        "notBefore is the time at which the certificate becomes valid.  The value must be the same as the notBefore value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable. The signer must set this field at the same time it sets certificateChain.",
+	"beginRefreshAt":   "beginRefreshAt is the time at which the kubelet should begin trying to refresh the certificate.  This field is set via the /status subresource, and must be set at the same time as certificateChain.  Once populated, this field is immutable.\n\nThis field is only a hint.  Kubelet may start refreshing before or after this time if necessary.",
+	"notAfter":         "notAfter is the time at which the certificate expires.  The value must be the same as the notAfter value in the leaf certificate in certificateChain.  This field is set via the /status subresource.  Once populated, it is immutable.  The signer must set this field at the same time it sets certificateChain.",
+}
+
+func (PodCertificateRequestStatus) SwaggerDoc() map[string]string {
+	return map_PodCertificateRequestStatus
+}
+
 // AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
index 854e8347393a3..20b5c2a24262b 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
@@ -22,6 +22,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -283,3 +284,137 @@ func (in ExtraValue) DeepCopy() ExtraValue {
 	in.DeepCopyInto(out)
 	return *out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodCertificateRequest) DeepCopyInto(out *PodCertificateRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequest.
+func (in *PodCertificateRequest) DeepCopy() *PodCertificateRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(PodCertificateRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodCertificateRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodCertificateRequestList) DeepCopyInto(out *PodCertificateRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PodCertificateRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestList.
+func (in *PodCertificateRequestList) DeepCopy() *PodCertificateRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodCertificateRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodCertificateRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodCertificateRequestSpec) DeepCopyInto(out *PodCertificateRequestSpec) {
+	*out = *in
+	if in.MaxExpirationSeconds != nil {
+		in, out := &in.MaxExpirationSeconds, &out.MaxExpirationSeconds
+		*out = new(int32)
+		**out = **in
+	}
+	if in.PKIXPublicKey != nil {
+		in, out := &in.PKIXPublicKey, &out.PKIXPublicKey
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.ProofOfPossession != nil {
+		in, out := &in.ProofOfPossession, &out.ProofOfPossession
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.UnverifiedUserAnnotations != nil {
+		in, out := &in.UnverifiedUserAnnotations, &out.UnverifiedUserAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestSpec.
+func (in *PodCertificateRequestSpec) DeepCopy() *PodCertificateRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodCertificateRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodCertificateRequestStatus) DeepCopyInto(out *PodCertificateRequestStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NotBefore != nil {
+		in, out := &in.NotBefore, &out.NotBefore
+		*out = (*in).DeepCopy()
+	}
+	if in.BeginRefreshAt != nil {
+		in, out := &in.BeginRefreshAt, &out.BeginRefreshAt
+		*out = (*in).DeepCopy()
+	}
+	if in.NotAfter != nil {
+		in, out := &in.NotAfter, &out.NotAfter
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestStatus.
+func (in *PodCertificateRequestStatus) DeepCopy() *PodCertificateRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PodCertificateRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5c0b5ee587d9e
--- /dev/null
+++ b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,82 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequest) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.CertificateSigningRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestCondition) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.CertificateSigningRequestCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestList) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.CertificateSigningRequestList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestSpec) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CertificateSigningRequestStatus) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.CertificateSigningRequestStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundle) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.ClusterTrustBundle"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundleList) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.ClusterTrustBundleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.ClusterTrustBundleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCertificateRequest) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.PodCertificateRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCertificateRequestList) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.PodCertificateRequestList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCertificateRequestSpec) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCertificateRequestStatus) OpenAPIModelName() string {
+	return "io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus"
+}
diff --git a/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go
index 062b46f16415b..f95e329e2dbc2 100644
--- a/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go
+++ b/staging/src/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go
@@ -108,3 +108,39 @@ func (in *ClusterTrustBundleList) APILifecycleDeprecated() (major, minor int) {
 func (in *ClusterTrustBundleList) APILifecycleRemoved() (major, minor int) {
 	return 1, 39
 }
+
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *PodCertificateRequest) APILifecycleIntroduced() (major, minor int) {
+	return 1, 35
+}
+
+// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
+func (in *PodCertificateRequest) APILifecycleDeprecated() (major, minor int) {
+	return 1, 38
+}
+
+// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
+func (in *PodCertificateRequest) APILifecycleRemoved() (major, minor int) {
+	return 1, 41
+}
+
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *PodCertificateRequestList) APILifecycleIntroduced() (major, minor int) {
+	return 1, 35
+}
+
+// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
+func (in *PodCertificateRequestList) APILifecycleDeprecated() (major, minor int) {
+	return 1, 38
+}
+
+// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
+func (in *PodCertificateRequestList) APILifecycleRemoved() (major, minor int) {
+	return 1, 41
+}
diff --git a/staging/src/k8s.io/api/coordination/v1/doc.go b/staging/src/k8s.io/api/coordination/v1/doc.go
index 82ae6340c7d7d..fc427222c130a 100644
--- a/staging/src/k8s.io/api/coordination/v1/doc.go
+++ b/staging/src/k8s.io/api/coordination/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.coordination.v1
 
 // +groupName=coordination.k8s.io
 
diff --git a/staging/src/k8s.io/api/coordination/v1/generated.pb.go b/staging/src/k8s.io/api/coordination/v1/generated.pb.go
index cf6702aef37eb..2c32ca48ec46e 100644
--- a/staging/src/k8s.io/api/coordination/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/coordination/v1/generated.pb.go
@@ -24,160 +24,18 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Lease) Reset() { *m = Lease{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *LeaseList) Reset() { *m = LeaseList{} }
 
-func (m *Lease) Reset()      { *m = Lease{} }
-func (*Lease) ProtoMessage() {}
-func (*Lease) Descriptor() ([]byte, []int) {
-	return fileDescriptor_239d5a4df3139dce, []int{0}
-}
-func (m *Lease) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Lease) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Lease) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Lease.Merge(m, src)
-}
-func (m *Lease) XXX_Size() int {
-	return m.Size()
-}
-func (m *Lease) XXX_DiscardUnknown() {
-	xxx_messageInfo_Lease.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Lease proto.InternalMessageInfo
-
-func (m *LeaseList) Reset()      { *m = LeaseList{} }
-func (*LeaseList) ProtoMessage() {}
-func (*LeaseList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_239d5a4df3139dce, []int{1}
-}
-func (m *LeaseList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseList.Merge(m, src)
-}
-func (m *LeaseList) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseList) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseList proto.InternalMessageInfo
-
-func (m *LeaseSpec) Reset()      { *m = LeaseSpec{} }
-func (*LeaseSpec) ProtoMessage() {}
-func (*LeaseSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_239d5a4df3139dce, []int{2}
-}
-func (m *LeaseSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseSpec.Merge(m, src)
-}
-func (m *LeaseSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Lease)(nil), "k8s.io.api.coordination.v1.Lease")
-	proto.RegisterType((*LeaseList)(nil), "k8s.io.api.coordination.v1.LeaseList")
-	proto.RegisterType((*LeaseSpec)(nil), "k8s.io.api.coordination.v1.LeaseSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/coordination/v1/generated.proto", fileDescriptor_239d5a4df3139dce)
-}
-
-var fileDescriptor_239d5a4df3139dce = []byte{
-	// 588 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0xdf, 0x4e, 0xd4, 0x40,
-	0x14, 0xc6, 0xb7, 0xb0, 0xab, 0xec, 0xac, 0xfc, 0xc9, 0xc8, 0x45, 0xb3, 0x17, 0x2d, 0x92, 0x98,
-	0x10, 0x13, 0xa7, 0x42, 0x8c, 0x31, 0x26, 0x26, 0x58, 0x89, 0x4a, 0xb2, 0x44, 0x53, 0xb8, 0x32,
-	0x5c, 0x38, 0xdb, 0x1e, 0xba, 0x23, 0xb4, 0x53, 0x67, 0x66, 0x31, 0xdc, 0xf9, 0x08, 0x3e, 0x81,
-	0xef, 0xa0, 0x4f, 0xc1, 0x25, 0x97, 0x5c, 0x35, 0x32, 0xbe, 0x85, 0x57, 0x66, 0x66, 0x0b, 0x0b,
-	0xcb, 0x6e, 0x20, 0xde, 0x75, 0xce, 0x39, 0xdf, 0xef, 0x7c, 0x73, 0x4e, 0x5b, 0xf4, 0x68, 0xff,
-	0xb9, 0x24, 0x8c, 0x07, 0xb4, 0x60, 0x41, 0xcc, 0xb9, 0x48, 0x58, 0x4e, 0x15, 0xe3, 0x79, 0x70,
-	0xb8, 0x1a, 0xa4, 0x90, 0x83, 0xa0, 0x0a, 0x12, 0x52, 0x08, 0xae, 0x38, 0x6e, 0x0f, 0x6a, 0x09,
-	0x2d, 0x18, 0xb9, 0x5c, 0x4b, 0x0e, 0x57, 0xdb, 0x8f, 0x53, 0xa6, 0x7a, 0xfd, 0x2e, 0x89, 0x79,
-	0x16, 0xa4, 0x3c, 0xe5, 0x81, 0x95, 0x74, 0xfb, 0x7b, 0xf6, 0x64, 0x0f, 0xf6, 0x69, 0x80, 0x6a,
-	0x3f, 0x1d, 0xb6, 0xcd, 0x68, 0xdc, 0x63, 0x39, 0x88, 0xa3, 0xa0, 0xd8, 0x4f, 0x4d, 0x40, 0x06,
-	0x19, 0x28, 0x3a, 0xc6, 0x40, 0x3b, 0x98, 0xa4, 0x12, 0xfd, 0x5c, 0xb1, 0x0c, 0xae, 0x09, 0x9e,
-	0xdd, 0x24, 0x90, 0x71, 0x0f, 0x32, 0x3a, 0xaa, 0x5b, 0xfe, 0xe5, 0xa0, 0x46, 0x07, 0xa8, 0x04,
-	0xfc, 0x09, 0xcd, 0x18, 0x37, 0x09, 0x55, 0xd4, 0x75, 0x96, 0x9c, 0x95, 0xd6, 0xda, 0x13, 0x32,
-	0x1c, 0xc3, 0x05, 0x94, 0x14, 0xfb, 0xa9, 0x09, 0x48, 0x62, 0xaa, 0xc9, 0xe1, 0x2a, 0x79, 0xdf,
-	0xfd, 0x0c, 0xb1, 0xda, 0x02, 0x45, 0x43, 0x7c, 0x5c, 0xfa, 0x35, 0x5d, 0xfa, 0x68, 0x18, 0x8b,
-	0x2e, 0xa8, 0xf8, 0x2d, 0xaa, 0xcb, 0x02, 0x62, 0x77, 0xca, 0xd2, 0x1f, 0x92, 0xc9, 0x43, 0x26,
-	0xd6, 0xd2, 0x76, 0x01, 0x71, 0x78, 0xaf, 0x42, 0xd6, 0xcd, 0x29, 0xb2, 0x80, 0xe5, 0x9f, 0x0e,
-	0x6a, 0xda, 0x8a, 0x0e, 0x93, 0x0a, 0xef, 0x5e, 0x33, 0x4e, 0x6e, 0x67, 0xdc, 0xa8, 0xad, 0xed,
-	0x85, 0xaa, 0xc7, 0xcc, 0x79, 0xe4, 0x92, 0xe9, 0x37, 0xa8, 0xc1, 0x14, 0x64, 0xd2, 0x9d, 0x5a,
-	0x9a, 0x5e, 0x69, 0xad, 0x3d, 0xb8, 0xd1, 0x75, 0x38, 0x5b, 0xd1, 0x1a, 0x9b, 0x46, 0x17, 0x0d,
-	0xe4, 0xcb, 0x3f, 0xea, 0x95, 0x67, 0x73, 0x0f, 0xfc, 0x02, 0xcd, 0xf5, 0xf8, 0x41, 0x02, 0x62,
-	0x33, 0x81, 0x5c, 0x31, 0x75, 0x64, 0x9d, 0x37, 0x43, 0xac, 0x4b, 0x7f, 0xee, 0xdd, 0x95, 0x4c,
-	0x34, 0x52, 0x89, 0x3b, 0x68, 0xf1, 0xc0, 0x80, 0x36, 0xfa, 0xc2, 0x76, 0xde, 0x86, 0x98, 0xe7,
-	0x89, 0xb4, 0x63, 0x6d, 0x84, 0xae, 0x2e, 0xfd, 0xc5, 0xce, 0x98, 0x7c, 0x34, 0x56, 0x85, 0xbb,
-	0xa8, 0x45, 0xe3, 0x2f, 0x7d, 0x26, 0x60, 0x87, 0x65, 0xe0, 0x4e, 0xdb, 0x01, 0x06, 0xb7, 0x1b,
-	0xe0, 0x16, 0x8b, 0x05, 0x37, 0xb2, 0x70, 0x5e, 0x97, 0x7e, 0xeb, 0xd5, 0x90, 0x13, 0x5d, 0x86,
-	0xe2, 0x5d, 0xd4, 0x14, 0x90, 0xc3, 0x57, 0xdb, 0xa1, 0xfe, 0x7f, 0x1d, 0x66, 0x75, 0xe9, 0x37,
-	0xa3, 0x73, 0x4a, 0x34, 0x04, 0xe2, 0x75, 0xb4, 0x60, 0x6f, 0xb6, 0x23, 0x68, 0x2e, 0x99, 0xb9,
-	0x9b, 0x74, 0x1b, 0x76, 0x16, 0x8b, 0xba, 0xf4, 0x17, 0x3a, 0x23, 0xb9, 0xe8, 0x5a, 0x35, 0xde,
-	0x40, 0x33, 0x52, 0x99, 0xaf, 0x22, 0x3d, 0x72, 0xef, 0xd8, 0x3d, 0xac, 0x98, 0xb7, 0x61, 0xbb,
-	0x8a, 0xfd, 0x2d, 0x7d, 0xf7, 0xf5, 0xf9, 0xaa, 0x21, 0x19, 0x6c, 0xb1, 0xca, 0x45, 0x17, 0x4a,
-	0xfc, 0x12, 0xcd, 0x17, 0x02, 0xf6, 0x40, 0x08, 0x48, 0x06, 0x2b, 0x74, 0xef, 0x5a, 0xd8, 0x7d,
-	0x5d, 0xfa, 0xf3, 0x1f, 0xae, 0xa6, 0xa2, 0xd1, 0xda, 0x70, 0xfd, 0xf8, 0xcc, 0xab, 0x9d, 0x9c,
-	0x79, 0xb5, 0xd3, 0x33, 0xaf, 0xf6, 0x4d, 0x7b, 0xce, 0xb1, 0xf6, 0x9c, 0x13, 0xed, 0x39, 0xa7,
-	0xda, 0x73, 0x7e, 0x6b, 0xcf, 0xf9, 0xfe, 0xc7, 0xab, 0x7d, 0x6c, 0x4f, 0xfe, 0x8b, 0xfd, 0x0b,
-	0x00, 0x00, 0xff, 0xff, 0xf8, 0xf4, 0xd4, 0x78, 0xe2, 0x04, 0x00, 0x00,
-}
+func (m *LeaseSpec) Reset() { *m = LeaseSpec{} }
 
 func (m *Lease) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/coordination/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/coordination/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..f9210fce6a5fa
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Lease) ProtoMessage() {}
+
+func (*LeaseList) ProtoMessage() {}
+
+func (*LeaseSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/coordination/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/coordination/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..cf1217ef6c408
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Lease) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1.Lease"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseList) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1.LeaseList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseSpec) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1.LeaseSpec"
+}
diff --git a/staging/src/k8s.io/api/coordination/v1alpha2/doc.go b/staging/src/k8s.io/api/coordination/v1alpha2/doc.go
index dff7df47fc42f..134b182aedc3a 100644
--- a/staging/src/k8s.io/api/coordination/v1alpha2/doc.go
+++ b/staging/src/k8s.io/api/coordination/v1alpha2/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.coordination.v1alpha2
 
 // +groupName=coordination.k8s.io
 
diff --git a/staging/src/k8s.io/api/coordination/v1alpha2/generated.pb.go b/staging/src/k8s.io/api/coordination/v1alpha2/generated.pb.go
index 85ceea1f258f9..25a7a483058f7 100644
--- a/staging/src/k8s.io/api/coordination/v1alpha2/generated.pb.go
+++ b/staging/src/k8s.io/api/coordination/v1alpha2/generated.pb.go
@@ -24,160 +24,19 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_coordination_v1 "k8s.io/api/coordination/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *LeaseCandidate) Reset()      { *m = LeaseCandidate{} }
-func (*LeaseCandidate) ProtoMessage() {}
-func (*LeaseCandidate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c1ec5c989d262916, []int{0}
-}
-func (m *LeaseCandidate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidate.Merge(m, src)
-}
-func (m *LeaseCandidate) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidate) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidate.DiscardUnknown(m)
-}
+func (m *LeaseCandidate) Reset() { *m = LeaseCandidate{} }
 
-var xxx_messageInfo_LeaseCandidate proto.InternalMessageInfo
+func (m *LeaseCandidateList) Reset() { *m = LeaseCandidateList{} }
 
-func (m *LeaseCandidateList) Reset()      { *m = LeaseCandidateList{} }
-func (*LeaseCandidateList) ProtoMessage() {}
-func (*LeaseCandidateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c1ec5c989d262916, []int{1}
-}
-func (m *LeaseCandidateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidateList.Merge(m, src)
-}
-func (m *LeaseCandidateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidateList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseCandidateList proto.InternalMessageInfo
-
-func (m *LeaseCandidateSpec) Reset()      { *m = LeaseCandidateSpec{} }
-func (*LeaseCandidateSpec) ProtoMessage() {}
-func (*LeaseCandidateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c1ec5c989d262916, []int{2}
-}
-func (m *LeaseCandidateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidateSpec.Merge(m, src)
-}
-func (m *LeaseCandidateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidateSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseCandidateSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*LeaseCandidate)(nil), "k8s.io.api.coordination.v1alpha2.LeaseCandidate")
-	proto.RegisterType((*LeaseCandidateList)(nil), "k8s.io.api.coordination.v1alpha2.LeaseCandidateList")
-	proto.RegisterType((*LeaseCandidateSpec)(nil), "k8s.io.api.coordination.v1alpha2.LeaseCandidateSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/coordination/v1alpha2/generated.proto", fileDescriptor_c1ec5c989d262916)
-}
-
-var fileDescriptor_c1ec5c989d262916 = []byte{
-	// 555 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0x4f, 0x8b, 0xd3, 0x4e,
-	0x18, 0xc7, 0x9b, 0xdd, 0xf6, 0x47, 0x3b, 0xbf, 0xad, 0xd4, 0x01, 0x21, 0xf4, 0x90, 0x96, 0x9e,
-	0x44, 0x70, 0x66, 0x77, 0x5d, 0x44, 0xf0, 0x96, 0xf5, 0x0f, 0x42, 0x57, 0x25, 0xab, 0x0b, 0xca,
-	0x1e, 0x9c, 0x26, 0x8f, 0xe9, 0xd8, 0x26, 0x13, 0x92, 0xe9, 0x4a, 0x6f, 0xbe, 0x04, 0x5f, 0x56,
-	0xf5, 0xb4, 0xc7, 0x3d, 0x15, 0x1b, 0xc1, 0x17, 0xe1, 0x49, 0x66, 0x9a, 0xf4, 0xaf, 0xa5, 0xc5,
-	0x5b, 0xe7, 0x99, 0xe7, 0xf3, 0x99, 0xf9, 0x3e, 0x69, 0x82, 0x0e, 0x7b, 0x8f, 0x12, 0xc2, 0x05,
-	0x65, 0x11, 0xa7, 0xae, 0x10, 0xb1, 0xc7, 0x43, 0x26, 0xb9, 0x08, 0xe9, 0xd5, 0x11, 0xeb, 0x47,
-	0x5d, 0x76, 0x4c, 0x7d, 0x08, 0x21, 0x66, 0x12, 0x3c, 0x12, 0xc5, 0x42, 0x0a, 0xdc, 0x9c, 0x12,
-	0x84, 0x45, 0x9c, 0x2c, 0x12, 0x24, 0x27, 0xea, 0xf7, 0x7d, 0x2e, 0xbb, 0x83, 0x0e, 0x71, 0x45,
-	0x40, 0x7d, 0xe1, 0x0b, 0xaa, 0xc1, 0xce, 0xe0, 0xa3, 0x5e, 0xe9, 0x85, 0xfe, 0x35, 0x15, 0xd6,
-	0xef, 0x6d, 0xbe, 0xc2, 0xea, 0xe1, 0xf5, 0x93, 0x79, 0x6f, 0xc0, 0xdc, 0x2e, 0x0f, 0x21, 0x1e,
-	0xd2, 0xa8, 0xe7, 0xab, 0x42, 0x42, 0x03, 0x90, 0xec, 0x6f, 0x14, 0xdd, 0x44, 0xc5, 0x83, 0x50,
-	0xf2, 0x00, 0xd6, 0x80, 0x87, 0xdb, 0x80, 0xc4, 0xed, 0x42, 0xc0, 0x56, 0xb9, 0xd6, 0x77, 0x03,
-	0xdd, 0x6a, 0x03, 0x4b, 0xe0, 0x94, 0x85, 0x1e, 0xf7, 0x98, 0x04, 0xfc, 0x01, 0x95, 0xd5, 0xb5,
-	0x3c, 0x26, 0x99, 0x69, 0x34, 0x8d, 0xbb, 0xff, 0x1f, 0x1f, 0x92, 0xf9, 0x04, 0x67, 0x76, 0x12,
-	0xf5, 0x7c, 0x55, 0x48, 0x88, 0xea, 0x26, 0x57, 0x47, 0xe4, 0x55, 0xe7, 0x13, 0xb8, 0xf2, 0x0c,
-	0x24, 0xb3, 0xf1, 0x68, 0xdc, 0x28, 0xa4, 0xe3, 0x06, 0x9a, 0xd7, 0x9c, 0x99, 0x15, 0x5f, 0xa0,
-	0x62, 0x12, 0x81, 0x6b, 0xee, 0x69, 0xfb, 0x09, 0xd9, 0xf6, 0x7c, 0xc8, 0xf2, 0x0d, 0xcf, 0x23,
-	0x70, 0xed, 0x83, 0xec, 0x84, 0xa2, 0x5a, 0x39, 0xda, 0xd7, 0xfa, 0x66, 0x20, 0xbc, 0xdc, 0xda,
-	0xe6, 0x89, 0xc4, 0x97, 0x6b, 0x81, 0xc8, 0x6e, 0x81, 0x14, 0xad, 0xe3, 0xd4, 0xb2, 0xc3, 0xca,
-	0x79, 0x65, 0x21, 0xcc, 0x5b, 0x54, 0xe2, 0x12, 0x82, 0xc4, 0xdc, 0x6b, 0xee, 0xaf, 0xcc, 0x6a,
-	0xa7, 0x34, 0x76, 0x35, 0x93, 0x97, 0x5e, 0x28, 0x8d, 0x33, 0xb5, 0xb5, 0x7e, 0xed, 0xaf, 0x66,
-	0x51, 0x41, 0x31, 0x45, 0x95, 0xbe, 0xaa, 0xbe, 0x64, 0x01, 0xe8, 0x30, 0x15, 0xfb, 0x76, 0xc6,
-	0x57, 0xda, 0xf9, 0x86, 0x33, 0xef, 0xc1, 0xef, 0x50, 0x39, 0xe2, 0xa1, 0xff, 0x86, 0x07, 0x90,
-	0xcd, 0x9b, 0xee, 0x16, 0xfe, 0x8c, 0xbb, 0xb1, 0x50, 0x98, 0x7d, 0xa0, 0x92, 0xbf, 0xce, 0x24,
-	0xce, 0x4c, 0x87, 0x2f, 0x51, 0x25, 0x86, 0x10, 0x3e, 0x6b, 0xf7, 0xfe, 0xbf, 0xb9, 0xab, 0xea,
-	0xe2, 0x4e, 0x6e, 0x71, 0xe6, 0x42, 0xfc, 0x18, 0x55, 0x3b, 0x3c, 0x64, 0xf1, 0xf0, 0x02, 0xe2,
-	0x84, 0x8b, 0xd0, 0x2c, 0xea, 0xb4, 0x77, 0xb2, 0xb4, 0x55, 0x7b, 0x71, 0xd3, 0x59, 0xee, 0xc5,
-	0x4f, 0x50, 0x0d, 0x82, 0x41, 0x5f, 0x0f, 0x3e, 0xe7, 0x4b, 0x9a, 0x37, 0x33, 0xbe, 0xf6, 0x74,
-	0x65, 0xdf, 0x59, 0x23, 0xb0, 0x8b, 0xca, 0x89, 0x54, 0x6f, 0x8b, 0x3f, 0x34, 0xff, 0xd3, 0xf4,
-	0xf3, 0xfc, 0x8f, 0x70, 0x9e, 0xd5, 0x7f, 0x8f, 0x1b, 0x0f, 0x36, 0x7f, 0x0d, 0xc8, 0x69, 0xbe,
-	0x06, 0x4f, 0x3f, 0x9d, 0x1c, 0x73, 0x66, 0x62, 0xfb, 0xd9, 0x68, 0x62, 0x15, 0xae, 0x27, 0x56,
-	0xe1, 0x66, 0x62, 0x15, 0xbe, 0xa4, 0x96, 0x31, 0x4a, 0x2d, 0xe3, 0x3a, 0xb5, 0x8c, 0x9b, 0xd4,
-	0x32, 0x7e, 0xa4, 0x96, 0xf1, 0xf5, 0xa7, 0x55, 0x78, 0xdf, 0xdc, 0xf6, 0xd5, 0xfb, 0x13, 0x00,
-	0x00, 0xff, 0xff, 0x7f, 0x15, 0x63, 0xd0, 0x18, 0x05, 0x00, 0x00,
-}
+func (m *LeaseCandidateSpec) Reset() { *m = LeaseCandidateSpec{} }
 
 func (m *LeaseCandidate) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.go b/staging/src/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..93743262291a9
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha2
+
+func (*LeaseCandidate) ProtoMessage() {}
+
+func (*LeaseCandidateList) ProtoMessage() {}
+
+func (*LeaseCandidateSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.go b/staging/src/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..016d489f9b38b
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidate) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1alpha2.LeaseCandidate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidateList) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1alpha2.LeaseCandidateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1alpha2.LeaseCandidateSpec"
+}
diff --git a/staging/src/k8s.io/api/coordination/v1beta1/doc.go b/staging/src/k8s.io/api/coordination/v1beta1/doc.go
index cab8becf677d6..22c5a91762812 100644
--- a/staging/src/k8s.io/api/coordination/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/coordination/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.coordination.v1beta1
 
 // +groupName=coordination.k8s.io
 
diff --git a/staging/src/k8s.io/api/coordination/v1beta1/generated.pb.go b/staging/src/k8s.io/api/coordination/v1beta1/generated.pb.go
index 52fd4167fa630..f9330ae787e22 100644
--- a/staging/src/k8s.io/api/coordination/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/coordination/v1beta1/generated.pb.go
@@ -24,259 +24,25 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_coordination_v1 "k8s.io/api/coordination/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Lease) Reset() { *m = Lease{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *LeaseCandidate) Reset() { *m = LeaseCandidate{} }
 
-func (m *Lease) Reset()      { *m = Lease{} }
-func (*Lease) ProtoMessage() {}
-func (*Lease) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{0}
-}
-func (m *Lease) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Lease) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Lease) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Lease.Merge(m, src)
-}
-func (m *Lease) XXX_Size() int {
-	return m.Size()
-}
-func (m *Lease) XXX_DiscardUnknown() {
-	xxx_messageInfo_Lease.DiscardUnknown(m)
-}
+func (m *LeaseCandidateList) Reset() { *m = LeaseCandidateList{} }
 
-var xxx_messageInfo_Lease proto.InternalMessageInfo
+func (m *LeaseCandidateSpec) Reset() { *m = LeaseCandidateSpec{} }
 
-func (m *LeaseCandidate) Reset()      { *m = LeaseCandidate{} }
-func (*LeaseCandidate) ProtoMessage() {}
-func (*LeaseCandidate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{1}
-}
-func (m *LeaseCandidate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidate.Merge(m, src)
-}
-func (m *LeaseCandidate) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidate) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidate.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseCandidate proto.InternalMessageInfo
+func (m *LeaseList) Reset() { *m = LeaseList{} }
 
-func (m *LeaseCandidateList) Reset()      { *m = LeaseCandidateList{} }
-func (*LeaseCandidateList) ProtoMessage() {}
-func (*LeaseCandidateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{2}
-}
-func (m *LeaseCandidateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidateList.Merge(m, src)
-}
-func (m *LeaseCandidateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidateList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseCandidateList proto.InternalMessageInfo
-
-func (m *LeaseCandidateSpec) Reset()      { *m = LeaseCandidateSpec{} }
-func (*LeaseCandidateSpec) ProtoMessage() {}
-func (*LeaseCandidateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{3}
-}
-func (m *LeaseCandidateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseCandidateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseCandidateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseCandidateSpec.Merge(m, src)
-}
-func (m *LeaseCandidateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseCandidateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseCandidateSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseCandidateSpec proto.InternalMessageInfo
-
-func (m *LeaseList) Reset()      { *m = LeaseList{} }
-func (*LeaseList) ProtoMessage() {}
-func (*LeaseList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{4}
-}
-func (m *LeaseList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseList.Merge(m, src)
-}
-func (m *LeaseList) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseList) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseList proto.InternalMessageInfo
-
-func (m *LeaseSpec) Reset()      { *m = LeaseSpec{} }
-func (*LeaseSpec) ProtoMessage() {}
-func (*LeaseSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d4e223b8bb23da3, []int{5}
-}
-func (m *LeaseSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LeaseSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LeaseSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LeaseSpec.Merge(m, src)
-}
-func (m *LeaseSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *LeaseSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_LeaseSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LeaseSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Lease)(nil), "k8s.io.api.coordination.v1beta1.Lease")
-	proto.RegisterType((*LeaseCandidate)(nil), "k8s.io.api.coordination.v1beta1.LeaseCandidate")
-	proto.RegisterType((*LeaseCandidateList)(nil), "k8s.io.api.coordination.v1beta1.LeaseCandidateList")
-	proto.RegisterType((*LeaseCandidateSpec)(nil), "k8s.io.api.coordination.v1beta1.LeaseCandidateSpec")
-	proto.RegisterType((*LeaseList)(nil), "k8s.io.api.coordination.v1beta1.LeaseList")
-	proto.RegisterType((*LeaseSpec)(nil), "k8s.io.api.coordination.v1beta1.LeaseSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/coordination/v1beta1/generated.proto", fileDescriptor_8d4e223b8bb23da3)
-}
-
-var fileDescriptor_8d4e223b8bb23da3 = []byte{
-	// 750 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xdd, 0x4e, 0x1b, 0x39,
-	0x18, 0xcd, 0x40, 0xb2, 0x9b, 0x38, 0x04, 0xb2, 0x5e, 0x56, 0x1a, 0x71, 0x31, 0x83, 0x72, 0xb1,
-	0x42, 0x48, 0xeb, 0x59, 0x60, 0xb5, 0x5a, 0x6d, 0x55, 0xa9, 0x1d, 0x40, 0x2d, 0x6a, 0x68, 0x91,
-	0xa1, 0x95, 0x5a, 0x21, 0xb5, 0xce, 0x8c, 0x99, 0xb8, 0x30, 0x3f, 0xf5, 0x38, 0x54, 0xb9, 0xeb,
-	0x23, 0xf4, 0x69, 0x5a, 0xf5, 0x0d, 0xd2, 0x3b, 0x2e, 0xb9, 0x8a, 0xca, 0x54, 0xea, 0x43, 0xf4,
-	0xaa, 0xb2, 0x33, 0xf9, 0x27, 0x22, 0x6d, 0x11, 0x77, 0xf1, 0xf7, 0x9d, 0x73, 0xfc, 0x1d, 0xfb,
-	0x38, 0x1a, 0x60, 0x1d, 0xff, 0x17, 0x23, 0x16, 0x5a, 0x24, 0x62, 0x96, 0x13, 0x86, 0xdc, 0x65,
-	0x01, 0x11, 0x2c, 0x0c, 0xac, 0xd3, 0xb5, 0x1a, 0x15, 0x64, 0xcd, 0xf2, 0x68, 0x40, 0x39, 0x11,
-	0xd4, 0x45, 0x11, 0x0f, 0x45, 0x08, 0xcd, 0x0e, 0x01, 0x91, 0x88, 0xa1, 0x41, 0x02, 0x4a, 0x09,
-	0x4b, 0x7f, 0x79, 0x4c, 0xd4, 0x1b, 0x35, 0xe4, 0x84, 0xbe, 0xe5, 0x85, 0x5e, 0x68, 0x29, 0x5e,
-	0xad, 0x71, 0xa4, 0x56, 0x6a, 0xa1, 0x7e, 0x75, 0xf4, 0x96, 0x56, 0x27, 0x0f, 0x30, 0xba, 0xf7,
-	0xd2, 0x3f, 0x7d, 0xac, 0x4f, 0x9c, 0x3a, 0x0b, 0x28, 0x6f, 0x5a, 0xd1, 0xb1, 0x27, 0x0b, 0xb1,
-	0xe5, 0x53, 0x41, 0x2e, 0x63, 0x59, 0x93, 0x58, 0xbc, 0x11, 0x08, 0xe6, 0xd3, 0x31, 0xc2, 0xbf,
-	0x57, 0x11, 0x62, 0xa7, 0x4e, 0x7d, 0x32, 0xca, 0xab, 0xbc, 0xd7, 0x40, 0xae, 0x4a, 0x49, 0x4c,
-	0xe1, 0x0b, 0x90, 0x97, 0xd3, 0xb8, 0x44, 0x10, 0x5d, 0x5b, 0xd6, 0x56, 0x8a, 0xeb, 0x7f, 0xa3,
-	0xfe, 0xb9, 0xf5, 0x44, 0x51, 0x74, 0xec, 0xc9, 0x42, 0x8c, 0x24, 0x1a, 0x9d, 0xae, 0xa1, 0x47,
-	0xb5, 0x97, 0xd4, 0x11, 0xbb, 0x54, 0x10, 0x1b, 0xb6, 0xda, 0x66, 0x26, 0x69, 0x9b, 0xa0, 0x5f,
-	0xc3, 0x3d, 0x55, 0x58, 0x05, 0xd9, 0x38, 0xa2, 0x8e, 0x3e, 0xa3, 0xd4, 0x57, 0xd1, 0x15, 0xb7,
-	0x82, 0xd4, 0x5c, 0xfb, 0x11, 0x75, 0xec, 0xb9, 0x54, 0x37, 0x2b, 0x57, 0x58, 0xa9, 0x54, 0x3e,
-	0x6a, 0x60, 0x5e, 0x21, 0x36, 0x49, 0xe0, 0x32, 0x97, 0x88, 0x9b, 0xb0, 0xf0, 0x78, 0xc8, 0xc2,
-	0xc6, 0x74, 0x16, 0x7a, 0x03, 0x4e, 0xf4, 0xd2, 0xd2, 0x00, 0x1c, 0x86, 0x56, 0x59, 0x2c, 0xe0,
-	0xe1, 0x98, 0x1f, 0x34, 0x9d, 0x1f, 0xc9, 0x56, 0x6e, 0xca, 0xe9, 0x66, 0xf9, 0x6e, 0x65, 0xc0,
-	0xcb, 0x01, 0xc8, 0x31, 0x41, 0xfd, 0x58, 0x9f, 0x59, 0x9e, 0x5d, 0x29, 0xae, 0x5b, 0xdf, 0x69,
-	0xc6, 0x2e, 0xa5, 0xda, 0xb9, 0x1d, 0xa9, 0x82, 0x3b, 0x62, 0x95, 0x2f, 0xb3, 0xa3, 0x56, 0xa4,
-	0x4f, 0x68, 0x81, 0xc2, 0x89, 0xac, 0x3e, 0x24, 0x3e, 0x55, 0x5e, 0x0a, 0xf6, 0x6f, 0x29, 0xbf,
-	0x50, 0xed, 0x36, 0x70, 0x1f, 0x03, 0x9f, 0x82, 0x7c, 0xc4, 0x02, 0xef, 0x80, 0xf9, 0x34, 0x3d,
-	0x6d, 0x6b, 0x3a, 0xef, 0xbb, 0xcc, 0xe1, 0xa1, 0xa4, 0xd9, 0x73, 0xd2, 0xf8, 0x5e, 0x2a, 0x82,
-	0x7b, 0x72, 0xf0, 0x10, 0x14, 0x38, 0x0d, 0xe8, 0x6b, 0xa5, 0x3d, 0xfb, 0x63, 0xda, 0x25, 0x39,
-	0x38, 0xee, 0xaa, 0xe0, 0xbe, 0x20, 0xbc, 0x05, 0x4a, 0x35, 0x16, 0x10, 0xde, 0x7c, 0x42, 0x79,
-	0xcc, 0xc2, 0x40, 0xcf, 0x2a, 0xb7, 0x7f, 0xa4, 0x6e, 0x4b, 0xf6, 0x60, 0x13, 0x0f, 0x63, 0xe1,
-	0x16, 0x28, 0x53, 0xbf, 0x71, 0xa2, 0xce, 0xbd, 0xcb, 0xcf, 0x29, 0xbe, 0x9e, 0xf2, 0xcb, 0xdb,
-	0x23, 0x7d, 0x3c, 0xc6, 0x80, 0x0e, 0xc8, 0xc7, 0x42, 0xbe, 0x72, 0xaf, 0xa9, 0xff, 0xa2, 0xd8,
-	0xf7, 0xba, 0x39, 0xd8, 0x4f, 0xeb, 0x5f, 0xdb, 0xe6, 0xc6, 0xe4, 0x7f, 0x31, 0xb4, 0xd9, 0x5d,
-	0x53, 0xb7, 0xf3, 0x0a, 0x53, 0x1a, 0xee, 0x09, 0x57, 0xde, 0x69, 0xa0, 0x73, 0x73, 0x37, 0x10,
-	0xd5, 0x07, 0xc3, 0x51, 0xfd, 0x73, 0xba, 0xa8, 0x4e, 0x48, 0xe8, 0x87, 0x6c, 0x3a, 0xb8, 0x0a,
-	0xe6, 0xff, 0x60, 0xbe, 0x1e, 0x9e, 0xb8, 0x94, 0xef, 0xb8, 0x34, 0x10, 0x4c, 0x34, 0xd3, 0x74,
-	0xc2, 0xa4, 0x6d, 0xce, 0xdf, 0x1f, 0xea, 0xe0, 0x11, 0x24, 0xac, 0x82, 0x45, 0x15, 0xd8, 0xad,
-	0x06, 0x57, 0xdb, 0xef, 0x53, 0x27, 0x0c, 0xdc, 0x58, 0xe5, 0x35, 0x67, 0xeb, 0x49, 0xdb, 0x5c,
-	0xac, 0x5e, 0xd2, 0xc7, 0x97, 0xb2, 0x60, 0x0d, 0x14, 0x89, 0xf3, 0xaa, 0xc1, 0x38, 0xfd, 0x99,
-	0x60, 0x2e, 0x24, 0x6d, 0xb3, 0x78, 0xb7, 0xaf, 0x83, 0x07, 0x45, 0x87, 0xa3, 0x9f, 0xbd, 0xee,
-	0xe8, 0xdf, 0x01, 0x65, 0xe5, 0xec, 0x80, 0x93, 0x20, 0x66, 0xd2, 0x5b, 0xac, 0xd2, 0x9b, 0xb3,
-	0x17, 0x65, 0x72, 0xab, 0x23, 0x3d, 0x3c, 0x86, 0x86, 0xcf, 0xc7, 0x92, 0xbb, 0x79, 0xad, 0xa9,
-	0x85, 0xb7, 0xc1, 0x42, 0xc4, 0xe9, 0x11, 0xe5, 0x9c, 0xba, 0x9d, 0xdb, 0xd5, 0x7f, 0x55, 0xfb,
-	0xfc, 0x9e, 0xb4, 0xcd, 0x85, 0xbd, 0xe1, 0x16, 0x1e, 0xc5, 0xda, 0xdb, 0xad, 0x0b, 0x23, 0x73,
-	0x76, 0x61, 0x64, 0xce, 0x2f, 0x8c, 0xcc, 0x9b, 0xc4, 0xd0, 0x5a, 0x89, 0xa1, 0x9d, 0x25, 0x86,
-	0x76, 0x9e, 0x18, 0xda, 0xa7, 0xc4, 0xd0, 0xde, 0x7e, 0x36, 0x32, 0xcf, 0xcc, 0x2b, 0x3e, 0x50,
-	0xbe, 0x05, 0x00, 0x00, 0xff, 0xff, 0xff, 0x56, 0x51, 0x57, 0xc2, 0x08, 0x00, 0x00,
-}
+func (m *LeaseSpec) Reset() { *m = LeaseSpec{} }
 
 func (m *Lease) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a1a88e55ff019
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*Lease) ProtoMessage() {}
+
+func (*LeaseCandidate) ProtoMessage() {}
+
+func (*LeaseCandidateList) ProtoMessage() {}
+
+func (*LeaseCandidateSpec) ProtoMessage() {}
+
+func (*LeaseList) ProtoMessage() {}
+
+func (*LeaseSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/coordination/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/coordination/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..53b291dbd63d9
--- /dev/null
+++ b/staging/src/k8s.io/api/coordination/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Lease) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.Lease"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidate) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.LeaseCandidate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidateList) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.LeaseCandidateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseCandidateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.LeaseCandidateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseList) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.LeaseList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaseSpec) OpenAPIModelName() string {
+	return "io.k8s.api.coordination.v1beta1.LeaseSpec"
+}
diff --git a/staging/src/k8s.io/api/core/v1/doc.go b/staging/src/k8s.io/api/core/v1/doc.go
index e4e9196aebcb1..a41f2ce1f6ce6 100644
--- a/staging/src/k8s.io/api/core/v1/doc.go
+++ b/staging/src/k8s.io/api/core/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.core.v1
+
 // +groupName=
 
 // Package v1 is the v1 version of the core API.
diff --git a/staging/src/k8s.io/api/core/v1/generated.pb.go b/staging/src/k8s.io/api/core/v1/generated.pb.go
index e1a297b985478..b7de1bea54d37 100644
--- a/staging/src/k8s.io/api/core/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/core/v1/generated.pb.go
@@ -23,14 +23,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -38,7973 +36,481 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AWSElasticBlockStoreVolumeSource) Reset() { *m = AWSElasticBlockStoreVolumeSource{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *Affinity) Reset() { *m = Affinity{} }
 
-func (m *AWSElasticBlockStoreVolumeSource) Reset()      { *m = AWSElasticBlockStoreVolumeSource{} }
-func (*AWSElasticBlockStoreVolumeSource) ProtoMessage() {}
-func (*AWSElasticBlockStoreVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{0}
-}
-func (m *AWSElasticBlockStoreVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AWSElasticBlockStoreVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AWSElasticBlockStoreVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AWSElasticBlockStoreVolumeSource.Merge(m, src)
-}
-func (m *AWSElasticBlockStoreVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *AWSElasticBlockStoreVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_AWSElasticBlockStoreVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AWSElasticBlockStoreVolumeSource proto.InternalMessageInfo
-
-func (m *Affinity) Reset()      { *m = Affinity{} }
-func (*Affinity) ProtoMessage() {}
-func (*Affinity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{1}
-}
-func (m *Affinity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Affinity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Affinity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Affinity.Merge(m, src)
-}
-func (m *Affinity) XXX_Size() int {
-	return m.Size()
-}
-func (m *Affinity) XXX_DiscardUnknown() {
-	xxx_messageInfo_Affinity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Affinity proto.InternalMessageInfo
-
-func (m *AppArmorProfile) Reset()      { *m = AppArmorProfile{} }
-func (*AppArmorProfile) ProtoMessage() {}
-func (*AppArmorProfile) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{2}
-}
-func (m *AppArmorProfile) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AppArmorProfile) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AppArmorProfile) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AppArmorProfile.Merge(m, src)
-}
-func (m *AppArmorProfile) XXX_Size() int {
-	return m.Size()
-}
-func (m *AppArmorProfile) XXX_DiscardUnknown() {
-	xxx_messageInfo_AppArmorProfile.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AppArmorProfile proto.InternalMessageInfo
-
-func (m *AttachedVolume) Reset()      { *m = AttachedVolume{} }
-func (*AttachedVolume) ProtoMessage() {}
-func (*AttachedVolume) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{3}
-}
-func (m *AttachedVolume) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AttachedVolume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AttachedVolume) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AttachedVolume.Merge(m, src)
-}
-func (m *AttachedVolume) XXX_Size() int {
-	return m.Size()
-}
-func (m *AttachedVolume) XXX_DiscardUnknown() {
-	xxx_messageInfo_AttachedVolume.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AttachedVolume proto.InternalMessageInfo
-
-func (m *AvoidPods) Reset()      { *m = AvoidPods{} }
-func (*AvoidPods) ProtoMessage() {}
-func (*AvoidPods) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{4}
-}
-func (m *AvoidPods) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AvoidPods) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AvoidPods) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AvoidPods.Merge(m, src)
-}
-func (m *AvoidPods) XXX_Size() int {
-	return m.Size()
-}
-func (m *AvoidPods) XXX_DiscardUnknown() {
-	xxx_messageInfo_AvoidPods.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AvoidPods proto.InternalMessageInfo
-
-func (m *AzureDiskVolumeSource) Reset()      { *m = AzureDiskVolumeSource{} }
-func (*AzureDiskVolumeSource) ProtoMessage() {}
-func (*AzureDiskVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{5}
-}
-func (m *AzureDiskVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AzureDiskVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AzureDiskVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AzureDiskVolumeSource.Merge(m, src)
-}
-func (m *AzureDiskVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *AzureDiskVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_AzureDiskVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AzureDiskVolumeSource proto.InternalMessageInfo
-
-func (m *AzureFilePersistentVolumeSource) Reset()      { *m = AzureFilePersistentVolumeSource{} }
-func (*AzureFilePersistentVolumeSource) ProtoMessage() {}
-func (*AzureFilePersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{6}
-}
-func (m *AzureFilePersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AzureFilePersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AzureFilePersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AzureFilePersistentVolumeSource.Merge(m, src)
-}
-func (m *AzureFilePersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *AzureFilePersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_AzureFilePersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AzureFilePersistentVolumeSource proto.InternalMessageInfo
-
-func (m *AzureFileVolumeSource) Reset()      { *m = AzureFileVolumeSource{} }
-func (*AzureFileVolumeSource) ProtoMessage() {}
-func (*AzureFileVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{7}
-}
-func (m *AzureFileVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AzureFileVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AzureFileVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AzureFileVolumeSource.Merge(m, src)
-}
-func (m *AzureFileVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *AzureFileVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_AzureFileVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AzureFileVolumeSource proto.InternalMessageInfo
-
-func (m *Binding) Reset()      { *m = Binding{} }
-func (*Binding) ProtoMessage() {}
-func (*Binding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{8}
-}
-func (m *Binding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Binding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Binding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Binding.Merge(m, src)
-}
-func (m *Binding) XXX_Size() int {
-	return m.Size()
-}
-func (m *Binding) XXX_DiscardUnknown() {
-	xxx_messageInfo_Binding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Binding proto.InternalMessageInfo
-
-func (m *CSIPersistentVolumeSource) Reset()      { *m = CSIPersistentVolumeSource{} }
-func (*CSIPersistentVolumeSource) ProtoMessage() {}
-func (*CSIPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{9}
-}
-func (m *CSIPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIPersistentVolumeSource.Merge(m, src)
-}
-func (m *CSIPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *CSIVolumeSource) Reset()      { *m = CSIVolumeSource{} }
-func (*CSIVolumeSource) ProtoMessage() {}
-func (*CSIVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{10}
-}
-func (m *CSIVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIVolumeSource.Merge(m, src)
-}
-func (m *CSIVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIVolumeSource proto.InternalMessageInfo
-
-func (m *Capabilities) Reset()      { *m = Capabilities{} }
-func (*Capabilities) ProtoMessage() {}
-func (*Capabilities) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{11}
-}
-func (m *Capabilities) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Capabilities) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Capabilities) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Capabilities.Merge(m, src)
-}
-func (m *Capabilities) XXX_Size() int {
-	return m.Size()
-}
-func (m *Capabilities) XXX_DiscardUnknown() {
-	xxx_messageInfo_Capabilities.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Capabilities proto.InternalMessageInfo
-
-func (m *CephFSPersistentVolumeSource) Reset()      { *m = CephFSPersistentVolumeSource{} }
-func (*CephFSPersistentVolumeSource) ProtoMessage() {}
-func (*CephFSPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{12}
-}
-func (m *CephFSPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CephFSPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CephFSPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CephFSPersistentVolumeSource.Merge(m, src)
-}
-func (m *CephFSPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CephFSPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CephFSPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CephFSPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *CephFSVolumeSource) Reset()      { *m = CephFSVolumeSource{} }
-func (*CephFSVolumeSource) ProtoMessage() {}
-func (*CephFSVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{13}
-}
-func (m *CephFSVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CephFSVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CephFSVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CephFSVolumeSource.Merge(m, src)
-}
-func (m *CephFSVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CephFSVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CephFSVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CephFSVolumeSource proto.InternalMessageInfo
-
-func (m *CinderPersistentVolumeSource) Reset()      { *m = CinderPersistentVolumeSource{} }
-func (*CinderPersistentVolumeSource) ProtoMessage() {}
-func (*CinderPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{14}
-}
-func (m *CinderPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CinderPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CinderPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CinderPersistentVolumeSource.Merge(m, src)
-}
-func (m *CinderPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CinderPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CinderPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CinderPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *CinderVolumeSource) Reset()      { *m = CinderVolumeSource{} }
-func (*CinderVolumeSource) ProtoMessage() {}
-func (*CinderVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{15}
-}
-func (m *CinderVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CinderVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CinderVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CinderVolumeSource.Merge(m, src)
-}
-func (m *CinderVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *CinderVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_CinderVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CinderVolumeSource proto.InternalMessageInfo
-
-func (m *ClientIPConfig) Reset()      { *m = ClientIPConfig{} }
-func (*ClientIPConfig) ProtoMessage() {}
-func (*ClientIPConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{16}
-}
-func (m *ClientIPConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClientIPConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClientIPConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClientIPConfig.Merge(m, src)
-}
-func (m *ClientIPConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClientIPConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClientIPConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClientIPConfig proto.InternalMessageInfo
-
-func (m *ClusterTrustBundleProjection) Reset()      { *m = ClusterTrustBundleProjection{} }
-func (*ClusterTrustBundleProjection) ProtoMessage() {}
-func (*ClusterTrustBundleProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{17}
-}
-func (m *ClusterTrustBundleProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterTrustBundleProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterTrustBundleProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterTrustBundleProjection.Merge(m, src)
-}
-func (m *ClusterTrustBundleProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterTrustBundleProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterTrustBundleProjection.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterTrustBundleProjection proto.InternalMessageInfo
-
-func (m *ComponentCondition) Reset()      { *m = ComponentCondition{} }
-func (*ComponentCondition) ProtoMessage() {}
-func (*ComponentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{18}
-}
-func (m *ComponentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ComponentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ComponentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ComponentCondition.Merge(m, src)
-}
-func (m *ComponentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *ComponentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_ComponentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ComponentCondition proto.InternalMessageInfo
-
-func (m *ComponentStatus) Reset()      { *m = ComponentStatus{} }
-func (*ComponentStatus) ProtoMessage() {}
-func (*ComponentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{19}
-}
-func (m *ComponentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ComponentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ComponentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ComponentStatus.Merge(m, src)
-}
-func (m *ComponentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ComponentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ComponentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ComponentStatus proto.InternalMessageInfo
-
-func (m *ComponentStatusList) Reset()      { *m = ComponentStatusList{} }
-func (*ComponentStatusList) ProtoMessage() {}
-func (*ComponentStatusList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{20}
-}
-func (m *ComponentStatusList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ComponentStatusList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ComponentStatusList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ComponentStatusList.Merge(m, src)
-}
-func (m *ComponentStatusList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ComponentStatusList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ComponentStatusList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ComponentStatusList proto.InternalMessageInfo
-
-func (m *ConfigMap) Reset()      { *m = ConfigMap{} }
-func (*ConfigMap) ProtoMessage() {}
-func (*ConfigMap) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{21}
-}
-func (m *ConfigMap) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMap) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMap) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMap.Merge(m, src)
-}
-func (m *ConfigMap) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMap) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMap.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMap proto.InternalMessageInfo
-
-func (m *ConfigMapEnvSource) Reset()      { *m = ConfigMapEnvSource{} }
-func (*ConfigMapEnvSource) ProtoMessage() {}
-func (*ConfigMapEnvSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{22}
-}
-func (m *ConfigMapEnvSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapEnvSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapEnvSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapEnvSource.Merge(m, src)
-}
-func (m *ConfigMapEnvSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapEnvSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapEnvSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapEnvSource proto.InternalMessageInfo
-
-func (m *ConfigMapKeySelector) Reset()      { *m = ConfigMapKeySelector{} }
-func (*ConfigMapKeySelector) ProtoMessage() {}
-func (*ConfigMapKeySelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{23}
-}
-func (m *ConfigMapKeySelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapKeySelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapKeySelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapKeySelector.Merge(m, src)
-}
-func (m *ConfigMapKeySelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapKeySelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapKeySelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapKeySelector proto.InternalMessageInfo
-
-func (m *ConfigMapList) Reset()      { *m = ConfigMapList{} }
-func (*ConfigMapList) ProtoMessage() {}
-func (*ConfigMapList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{24}
-}
-func (m *ConfigMapList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapList.Merge(m, src)
-}
-func (m *ConfigMapList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapList proto.InternalMessageInfo
-
-func (m *ConfigMapNodeConfigSource) Reset()      { *m = ConfigMapNodeConfigSource{} }
-func (*ConfigMapNodeConfigSource) ProtoMessage() {}
-func (*ConfigMapNodeConfigSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{25}
-}
-func (m *ConfigMapNodeConfigSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapNodeConfigSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapNodeConfigSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapNodeConfigSource.Merge(m, src)
-}
-func (m *ConfigMapNodeConfigSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapNodeConfigSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapNodeConfigSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapNodeConfigSource proto.InternalMessageInfo
-
-func (m *ConfigMapProjection) Reset()      { *m = ConfigMapProjection{} }
-func (*ConfigMapProjection) ProtoMessage() {}
-func (*ConfigMapProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{26}
-}
-func (m *ConfigMapProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapProjection.Merge(m, src)
-}
-func (m *ConfigMapProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapProjection.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapProjection proto.InternalMessageInfo
-
-func (m *ConfigMapVolumeSource) Reset()      { *m = ConfigMapVolumeSource{} }
-func (*ConfigMapVolumeSource) ProtoMessage() {}
-func (*ConfigMapVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{27}
-}
-func (m *ConfigMapVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapVolumeSource.Merge(m, src)
-}
-func (m *ConfigMapVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapVolumeSource proto.InternalMessageInfo
-
-func (m *Container) Reset()      { *m = Container{} }
-func (*Container) ProtoMessage() {}
-func (*Container) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{28}
-}
-func (m *Container) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Container) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Container) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Container.Merge(m, src)
-}
-func (m *Container) XXX_Size() int {
-	return m.Size()
-}
-func (m *Container) XXX_DiscardUnknown() {
-	xxx_messageInfo_Container.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Container proto.InternalMessageInfo
-
-func (m *ContainerExtendedResourceRequest) Reset()      { *m = ContainerExtendedResourceRequest{} }
-func (*ContainerExtendedResourceRequest) ProtoMessage() {}
-func (*ContainerExtendedResourceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{29}
-}
-func (m *ContainerExtendedResourceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerExtendedResourceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerExtendedResourceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerExtendedResourceRequest.Merge(m, src)
-}
-func (m *ContainerExtendedResourceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerExtendedResourceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerExtendedResourceRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerExtendedResourceRequest proto.InternalMessageInfo
-
-func (m *ContainerImage) Reset()      { *m = ContainerImage{} }
-func (*ContainerImage) ProtoMessage() {}
-func (*ContainerImage) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{30}
-}
-func (m *ContainerImage) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerImage) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerImage) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerImage.Merge(m, src)
-}
-func (m *ContainerImage) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerImage) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerImage.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerImage proto.InternalMessageInfo
-
-func (m *ContainerPort) Reset()      { *m = ContainerPort{} }
-func (*ContainerPort) ProtoMessage() {}
-func (*ContainerPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{31}
-}
-func (m *ContainerPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerPort.Merge(m, src)
-}
-func (m *ContainerPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerPort.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerPort proto.InternalMessageInfo
-
-func (m *ContainerResizePolicy) Reset()      { *m = ContainerResizePolicy{} }
-func (*ContainerResizePolicy) ProtoMessage() {}
-func (*ContainerResizePolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{32}
-}
-func (m *ContainerResizePolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerResizePolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerResizePolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerResizePolicy.Merge(m, src)
-}
-func (m *ContainerResizePolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerResizePolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerResizePolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerResizePolicy proto.InternalMessageInfo
-
-func (m *ContainerRestartRule) Reset()      { *m = ContainerRestartRule{} }
-func (*ContainerRestartRule) ProtoMessage() {}
-func (*ContainerRestartRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{33}
-}
-func (m *ContainerRestartRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerRestartRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerRestartRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerRestartRule.Merge(m, src)
-}
-func (m *ContainerRestartRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerRestartRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerRestartRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerRestartRule proto.InternalMessageInfo
-
-func (m *ContainerRestartRuleOnExitCodes) Reset()      { *m = ContainerRestartRuleOnExitCodes{} }
-func (*ContainerRestartRuleOnExitCodes) ProtoMessage() {}
-func (*ContainerRestartRuleOnExitCodes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{34}
-}
-func (m *ContainerRestartRuleOnExitCodes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerRestartRuleOnExitCodes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerRestartRuleOnExitCodes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerRestartRuleOnExitCodes.Merge(m, src)
-}
-func (m *ContainerRestartRuleOnExitCodes) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerRestartRuleOnExitCodes) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerRestartRuleOnExitCodes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerRestartRuleOnExitCodes proto.InternalMessageInfo
-
-func (m *ContainerState) Reset()      { *m = ContainerState{} }
-func (*ContainerState) ProtoMessage() {}
-func (*ContainerState) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{35}
-}
-func (m *ContainerState) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerState) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerState) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerState.Merge(m, src)
-}
-func (m *ContainerState) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerState) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerState.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerState proto.InternalMessageInfo
-
-func (m *ContainerStateRunning) Reset()      { *m = ContainerStateRunning{} }
-func (*ContainerStateRunning) ProtoMessage() {}
-func (*ContainerStateRunning) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{36}
-}
-func (m *ContainerStateRunning) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerStateRunning) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerStateRunning) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerStateRunning.Merge(m, src)
-}
-func (m *ContainerStateRunning) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerStateRunning) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerStateRunning.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerStateRunning proto.InternalMessageInfo
-
-func (m *ContainerStateTerminated) Reset()      { *m = ContainerStateTerminated{} }
-func (*ContainerStateTerminated) ProtoMessage() {}
-func (*ContainerStateTerminated) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{37}
-}
-func (m *ContainerStateTerminated) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerStateTerminated) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerStateTerminated) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerStateTerminated.Merge(m, src)
-}
-func (m *ContainerStateTerminated) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerStateTerminated) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerStateTerminated.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerStateTerminated proto.InternalMessageInfo
-
-func (m *ContainerStateWaiting) Reset()      { *m = ContainerStateWaiting{} }
-func (*ContainerStateWaiting) ProtoMessage() {}
-func (*ContainerStateWaiting) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{38}
-}
-func (m *ContainerStateWaiting) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerStateWaiting) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerStateWaiting) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerStateWaiting.Merge(m, src)
-}
-func (m *ContainerStateWaiting) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerStateWaiting) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerStateWaiting.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerStateWaiting proto.InternalMessageInfo
-
-func (m *ContainerStatus) Reset()      { *m = ContainerStatus{} }
-func (*ContainerStatus) ProtoMessage() {}
-func (*ContainerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{39}
-}
-func (m *ContainerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerStatus.Merge(m, src)
-}
-func (m *ContainerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerStatus proto.InternalMessageInfo
-
-func (m *ContainerUser) Reset()      { *m = ContainerUser{} }
-func (*ContainerUser) ProtoMessage() {}
-func (*ContainerUser) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{40}
-}
-func (m *ContainerUser) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerUser) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerUser) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerUser.Merge(m, src)
-}
-func (m *ContainerUser) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerUser) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerUser.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerUser proto.InternalMessageInfo
-
-func (m *DaemonEndpoint) Reset()      { *m = DaemonEndpoint{} }
-func (*DaemonEndpoint) ProtoMessage() {}
-func (*DaemonEndpoint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{41}
-}
-func (m *DaemonEndpoint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonEndpoint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonEndpoint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonEndpoint.Merge(m, src)
-}
-func (m *DaemonEndpoint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonEndpoint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonEndpoint.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonEndpoint proto.InternalMessageInfo
-
-func (m *DownwardAPIProjection) Reset()      { *m = DownwardAPIProjection{} }
-func (*DownwardAPIProjection) ProtoMessage() {}
-func (*DownwardAPIProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{42}
-}
-func (m *DownwardAPIProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DownwardAPIProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DownwardAPIProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DownwardAPIProjection.Merge(m, src)
-}
-func (m *DownwardAPIProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *DownwardAPIProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_DownwardAPIProjection.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DownwardAPIProjection proto.InternalMessageInfo
-
-func (m *DownwardAPIVolumeFile) Reset()      { *m = DownwardAPIVolumeFile{} }
-func (*DownwardAPIVolumeFile) ProtoMessage() {}
-func (*DownwardAPIVolumeFile) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{43}
-}
-func (m *DownwardAPIVolumeFile) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DownwardAPIVolumeFile) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DownwardAPIVolumeFile) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DownwardAPIVolumeFile.Merge(m, src)
-}
-func (m *DownwardAPIVolumeFile) XXX_Size() int {
-	return m.Size()
-}
-func (m *DownwardAPIVolumeFile) XXX_DiscardUnknown() {
-	xxx_messageInfo_DownwardAPIVolumeFile.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DownwardAPIVolumeFile proto.InternalMessageInfo
-
-func (m *DownwardAPIVolumeSource) Reset()      { *m = DownwardAPIVolumeSource{} }
-func (*DownwardAPIVolumeSource) ProtoMessage() {}
-func (*DownwardAPIVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{44}
-}
-func (m *DownwardAPIVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DownwardAPIVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DownwardAPIVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DownwardAPIVolumeSource.Merge(m, src)
-}
-func (m *DownwardAPIVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *DownwardAPIVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_DownwardAPIVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DownwardAPIVolumeSource proto.InternalMessageInfo
-
-func (m *EmptyDirVolumeSource) Reset()      { *m = EmptyDirVolumeSource{} }
-func (*EmptyDirVolumeSource) ProtoMessage() {}
-func (*EmptyDirVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{45}
-}
-func (m *EmptyDirVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EmptyDirVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EmptyDirVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EmptyDirVolumeSource.Merge(m, src)
-}
-func (m *EmptyDirVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *EmptyDirVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_EmptyDirVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EmptyDirVolumeSource proto.InternalMessageInfo
-
-func (m *EndpointAddress) Reset()      { *m = EndpointAddress{} }
-func (*EndpointAddress) ProtoMessage() {}
-func (*EndpointAddress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{46}
-}
-func (m *EndpointAddress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointAddress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointAddress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointAddress.Merge(m, src)
-}
-func (m *EndpointAddress) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointAddress) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointAddress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointAddress proto.InternalMessageInfo
-
-func (m *EndpointPort) Reset()      { *m = EndpointPort{} }
-func (*EndpointPort) ProtoMessage() {}
-func (*EndpointPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{47}
-}
-func (m *EndpointPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointPort.Merge(m, src)
-}
-func (m *EndpointPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointPort.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointPort proto.InternalMessageInfo
-
-func (m *EndpointSubset) Reset()      { *m = EndpointSubset{} }
-func (*EndpointSubset) ProtoMessage() {}
-func (*EndpointSubset) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{48}
-}
-func (m *EndpointSubset) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointSubset) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointSubset) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointSubset.Merge(m, src)
-}
-func (m *EndpointSubset) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointSubset) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointSubset.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointSubset proto.InternalMessageInfo
-
-func (m *Endpoints) Reset()      { *m = Endpoints{} }
-func (*Endpoints) ProtoMessage() {}
-func (*Endpoints) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{49}
-}
-func (m *Endpoints) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Endpoints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Endpoints) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Endpoints.Merge(m, src)
-}
-func (m *Endpoints) XXX_Size() int {
-	return m.Size()
-}
-func (m *Endpoints) XXX_DiscardUnknown() {
-	xxx_messageInfo_Endpoints.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Endpoints proto.InternalMessageInfo
-
-func (m *EndpointsList) Reset()      { *m = EndpointsList{} }
-func (*EndpointsList) ProtoMessage() {}
-func (*EndpointsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{50}
-}
-func (m *EndpointsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointsList.Merge(m, src)
-}
-func (m *EndpointsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointsList proto.InternalMessageInfo
-
-func (m *EnvFromSource) Reset()      { *m = EnvFromSource{} }
-func (*EnvFromSource) ProtoMessage() {}
-func (*EnvFromSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{51}
-}
-func (m *EnvFromSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EnvFromSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EnvFromSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EnvFromSource.Merge(m, src)
-}
-func (m *EnvFromSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *EnvFromSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_EnvFromSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EnvFromSource proto.InternalMessageInfo
-
-func (m *EnvVar) Reset()      { *m = EnvVar{} }
-func (*EnvVar) ProtoMessage() {}
-func (*EnvVar) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{52}
-}
-func (m *EnvVar) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EnvVar) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EnvVar) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EnvVar.Merge(m, src)
-}
-func (m *EnvVar) XXX_Size() int {
-	return m.Size()
-}
-func (m *EnvVar) XXX_DiscardUnknown() {
-	xxx_messageInfo_EnvVar.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EnvVar proto.InternalMessageInfo
-
-func (m *EnvVarSource) Reset()      { *m = EnvVarSource{} }
-func (*EnvVarSource) ProtoMessage() {}
-func (*EnvVarSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{53}
-}
-func (m *EnvVarSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EnvVarSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EnvVarSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EnvVarSource.Merge(m, src)
-}
-func (m *EnvVarSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *EnvVarSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_EnvVarSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EnvVarSource proto.InternalMessageInfo
-
-func (m *EphemeralContainer) Reset()      { *m = EphemeralContainer{} }
-func (*EphemeralContainer) ProtoMessage() {}
-func (*EphemeralContainer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{54}
-}
-func (m *EphemeralContainer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EphemeralContainer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EphemeralContainer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EphemeralContainer.Merge(m, src)
-}
-func (m *EphemeralContainer) XXX_Size() int {
-	return m.Size()
-}
-func (m *EphemeralContainer) XXX_DiscardUnknown() {
-	xxx_messageInfo_EphemeralContainer.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EphemeralContainer proto.InternalMessageInfo
-
-func (m *EphemeralContainerCommon) Reset()      { *m = EphemeralContainerCommon{} }
-func (*EphemeralContainerCommon) ProtoMessage() {}
-func (*EphemeralContainerCommon) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{55}
-}
-func (m *EphemeralContainerCommon) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EphemeralContainerCommon) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EphemeralContainerCommon) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EphemeralContainerCommon.Merge(m, src)
-}
-func (m *EphemeralContainerCommon) XXX_Size() int {
-	return m.Size()
-}
-func (m *EphemeralContainerCommon) XXX_DiscardUnknown() {
-	xxx_messageInfo_EphemeralContainerCommon.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EphemeralContainerCommon proto.InternalMessageInfo
-
-func (m *EphemeralVolumeSource) Reset()      { *m = EphemeralVolumeSource{} }
-func (*EphemeralVolumeSource) ProtoMessage() {}
-func (*EphemeralVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{56}
-}
-func (m *EphemeralVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EphemeralVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EphemeralVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EphemeralVolumeSource.Merge(m, src)
-}
-func (m *EphemeralVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *EphemeralVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_EphemeralVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EphemeralVolumeSource proto.InternalMessageInfo
-
-func (m *Event) Reset()      { *m = Event{} }
-func (*Event) ProtoMessage() {}
-func (*Event) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{57}
-}
-func (m *Event) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Event) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Event) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Event.Merge(m, src)
-}
-func (m *Event) XXX_Size() int {
-	return m.Size()
-}
-func (m *Event) XXX_DiscardUnknown() {
-	xxx_messageInfo_Event.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Event proto.InternalMessageInfo
-
-func (m *EventList) Reset()      { *m = EventList{} }
-func (*EventList) ProtoMessage() {}
-func (*EventList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{58}
-}
-func (m *EventList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventList.Merge(m, src)
-}
-func (m *EventList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventList proto.InternalMessageInfo
-
-func (m *EventSeries) Reset()      { *m = EventSeries{} }
-func (*EventSeries) ProtoMessage() {}
-func (*EventSeries) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{59}
-}
-func (m *EventSeries) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventSeries) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventSeries) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventSeries.Merge(m, src)
-}
-func (m *EventSeries) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventSeries) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventSeries.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventSeries proto.InternalMessageInfo
-
-func (m *EventSource) Reset()      { *m = EventSource{} }
-func (*EventSource) ProtoMessage() {}
-func (*EventSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{60}
-}
-func (m *EventSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventSource.Merge(m, src)
-}
-func (m *EventSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventSource proto.InternalMessageInfo
-
-func (m *ExecAction) Reset()      { *m = ExecAction{} }
-func (*ExecAction) ProtoMessage() {}
-func (*ExecAction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{61}
-}
-func (m *ExecAction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExecAction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExecAction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExecAction.Merge(m, src)
-}
-func (m *ExecAction) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExecAction) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExecAction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExecAction proto.InternalMessageInfo
-
-func (m *FCVolumeSource) Reset()      { *m = FCVolumeSource{} }
-func (*FCVolumeSource) ProtoMessage() {}
-func (*FCVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{62}
-}
-func (m *FCVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FCVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FCVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FCVolumeSource.Merge(m, src)
-}
-func (m *FCVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *FCVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_FCVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FCVolumeSource proto.InternalMessageInfo
-
-func (m *FileKeySelector) Reset()      { *m = FileKeySelector{} }
-func (*FileKeySelector) ProtoMessage() {}
-func (*FileKeySelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{63}
-}
-func (m *FileKeySelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FileKeySelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FileKeySelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FileKeySelector.Merge(m, src)
-}
-func (m *FileKeySelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *FileKeySelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_FileKeySelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FileKeySelector proto.InternalMessageInfo
-
-func (m *FlexPersistentVolumeSource) Reset()      { *m = FlexPersistentVolumeSource{} }
-func (*FlexPersistentVolumeSource) ProtoMessage() {}
-func (*FlexPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{64}
-}
-func (m *FlexPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlexPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlexPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlexPersistentVolumeSource.Merge(m, src)
-}
-func (m *FlexPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlexPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlexPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FlexPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *FlexVolumeSource) Reset()      { *m = FlexVolumeSource{} }
-func (*FlexVolumeSource) ProtoMessage() {}
-func (*FlexVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{65}
-}
-func (m *FlexVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlexVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlexVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlexVolumeSource.Merge(m, src)
-}
-func (m *FlexVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlexVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlexVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FlexVolumeSource proto.InternalMessageInfo
-
-func (m *FlockerVolumeSource) Reset()      { *m = FlockerVolumeSource{} }
-func (*FlockerVolumeSource) ProtoMessage() {}
-func (*FlockerVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{66}
-}
-func (m *FlockerVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlockerVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlockerVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlockerVolumeSource.Merge(m, src)
-}
-func (m *FlockerVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlockerVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlockerVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FlockerVolumeSource proto.InternalMessageInfo
-
-func (m *GCEPersistentDiskVolumeSource) Reset()      { *m = GCEPersistentDiskVolumeSource{} }
-func (*GCEPersistentDiskVolumeSource) ProtoMessage() {}
-func (*GCEPersistentDiskVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{67}
-}
-func (m *GCEPersistentDiskVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GCEPersistentDiskVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GCEPersistentDiskVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GCEPersistentDiskVolumeSource.Merge(m, src)
-}
-func (m *GCEPersistentDiskVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GCEPersistentDiskVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GCEPersistentDiskVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GCEPersistentDiskVolumeSource proto.InternalMessageInfo
-
-func (m *GRPCAction) Reset()      { *m = GRPCAction{} }
-func (*GRPCAction) ProtoMessage() {}
-func (*GRPCAction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{68}
-}
-func (m *GRPCAction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GRPCAction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GRPCAction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GRPCAction.Merge(m, src)
-}
-func (m *GRPCAction) XXX_Size() int {
-	return m.Size()
-}
-func (m *GRPCAction) XXX_DiscardUnknown() {
-	xxx_messageInfo_GRPCAction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GRPCAction proto.InternalMessageInfo
-
-func (m *GitRepoVolumeSource) Reset()      { *m = GitRepoVolumeSource{} }
-func (*GitRepoVolumeSource) ProtoMessage() {}
-func (*GitRepoVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{69}
-}
-func (m *GitRepoVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitRepoVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitRepoVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitRepoVolumeSource.Merge(m, src)
-}
-func (m *GitRepoVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitRepoVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitRepoVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GitRepoVolumeSource proto.InternalMessageInfo
-
-func (m *GlusterfsPersistentVolumeSource) Reset()      { *m = GlusterfsPersistentVolumeSource{} }
-func (*GlusterfsPersistentVolumeSource) ProtoMessage() {}
-func (*GlusterfsPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{70}
-}
-func (m *GlusterfsPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GlusterfsPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GlusterfsPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GlusterfsPersistentVolumeSource.Merge(m, src)
-}
-func (m *GlusterfsPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GlusterfsPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GlusterfsPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GlusterfsPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *GlusterfsVolumeSource) Reset()      { *m = GlusterfsVolumeSource{} }
-func (*GlusterfsVolumeSource) ProtoMessage() {}
-func (*GlusterfsVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{71}
-}
-func (m *GlusterfsVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GlusterfsVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GlusterfsVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GlusterfsVolumeSource.Merge(m, src)
-}
-func (m *GlusterfsVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GlusterfsVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GlusterfsVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GlusterfsVolumeSource proto.InternalMessageInfo
-
-func (m *HTTPGetAction) Reset()      { *m = HTTPGetAction{} }
-func (*HTTPGetAction) ProtoMessage() {}
-func (*HTTPGetAction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{72}
-}
-func (m *HTTPGetAction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPGetAction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPGetAction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPGetAction.Merge(m, src)
-}
-func (m *HTTPGetAction) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPGetAction) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPGetAction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPGetAction proto.InternalMessageInfo
-
-func (m *HTTPHeader) Reset()      { *m = HTTPHeader{} }
-func (*HTTPHeader) ProtoMessage() {}
-func (*HTTPHeader) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{73}
-}
-func (m *HTTPHeader) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPHeader) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPHeader.Merge(m, src)
-}
-func (m *HTTPHeader) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPHeader) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPHeader.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPHeader proto.InternalMessageInfo
-
-func (m *HostAlias) Reset()      { *m = HostAlias{} }
-func (*HostAlias) ProtoMessage() {}
-func (*HostAlias) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{74}
-}
-func (m *HostAlias) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HostAlias) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HostAlias) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HostAlias.Merge(m, src)
-}
-func (m *HostAlias) XXX_Size() int {
-	return m.Size()
-}
-func (m *HostAlias) XXX_DiscardUnknown() {
-	xxx_messageInfo_HostAlias.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HostAlias proto.InternalMessageInfo
-
-func (m *HostIP) Reset()      { *m = HostIP{} }
-func (*HostIP) ProtoMessage() {}
-func (*HostIP) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{75}
-}
-func (m *HostIP) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HostIP) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HostIP) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HostIP.Merge(m, src)
-}
-func (m *HostIP) XXX_Size() int {
-	return m.Size()
-}
-func (m *HostIP) XXX_DiscardUnknown() {
-	xxx_messageInfo_HostIP.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HostIP proto.InternalMessageInfo
-
-func (m *HostPathVolumeSource) Reset()      { *m = HostPathVolumeSource{} }
-func (*HostPathVolumeSource) ProtoMessage() {}
-func (*HostPathVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{76}
-}
-func (m *HostPathVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HostPathVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HostPathVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HostPathVolumeSource.Merge(m, src)
-}
-func (m *HostPathVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *HostPathVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_HostPathVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HostPathVolumeSource proto.InternalMessageInfo
-
-func (m *ISCSIPersistentVolumeSource) Reset()      { *m = ISCSIPersistentVolumeSource{} }
-func (*ISCSIPersistentVolumeSource) ProtoMessage() {}
-func (*ISCSIPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{77}
-}
-func (m *ISCSIPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ISCSIPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ISCSIPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ISCSIPersistentVolumeSource.Merge(m, src)
-}
-func (m *ISCSIPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ISCSIPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ISCSIPersistentVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ISCSIPersistentVolumeSource proto.InternalMessageInfo
-
-func (m *ISCSIVolumeSource) Reset()      { *m = ISCSIVolumeSource{} }
-func (*ISCSIVolumeSource) ProtoMessage() {}
-func (*ISCSIVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{78}
-}
-func (m *ISCSIVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ISCSIVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ISCSIVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ISCSIVolumeSource.Merge(m, src)
-}
-func (m *ISCSIVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ISCSIVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ISCSIVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ISCSIVolumeSource proto.InternalMessageInfo
-
-func (m *ImageVolumeSource) Reset()      { *m = ImageVolumeSource{} }
-func (*ImageVolumeSource) ProtoMessage() {}
-func (*ImageVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{79}
-}
-func (m *ImageVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageVolumeSource.Merge(m, src)
-}
-func (m *ImageVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageVolumeSource proto.InternalMessageInfo
-
-func (m *KeyToPath) Reset()      { *m = KeyToPath{} }
-func (*KeyToPath) ProtoMessage() {}
-func (*KeyToPath) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{80}
-}
-func (m *KeyToPath) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *KeyToPath) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *KeyToPath) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_KeyToPath.Merge(m, src)
-}
-func (m *KeyToPath) XXX_Size() int {
-	return m.Size()
-}
-func (m *KeyToPath) XXX_DiscardUnknown() {
-	xxx_messageInfo_KeyToPath.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_KeyToPath proto.InternalMessageInfo
-
-func (m *Lifecycle) Reset()      { *m = Lifecycle{} }
-func (*Lifecycle) ProtoMessage() {}
-func (*Lifecycle) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{81}
-}
-func (m *Lifecycle) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Lifecycle) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Lifecycle) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Lifecycle.Merge(m, src)
-}
-func (m *Lifecycle) XXX_Size() int {
-	return m.Size()
-}
-func (m *Lifecycle) XXX_DiscardUnknown() {
-	xxx_messageInfo_Lifecycle.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Lifecycle proto.InternalMessageInfo
-
-func (m *LifecycleHandler) Reset()      { *m = LifecycleHandler{} }
-func (*LifecycleHandler) ProtoMessage() {}
-func (*LifecycleHandler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{82}
-}
-func (m *LifecycleHandler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LifecycleHandler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LifecycleHandler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LifecycleHandler.Merge(m, src)
-}
-func (m *LifecycleHandler) XXX_Size() int {
-	return m.Size()
-}
-func (m *LifecycleHandler) XXX_DiscardUnknown() {
-	xxx_messageInfo_LifecycleHandler.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LifecycleHandler proto.InternalMessageInfo
-
-func (m *LimitRange) Reset()      { *m = LimitRange{} }
-func (*LimitRange) ProtoMessage() {}
-func (*LimitRange) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{83}
-}
-func (m *LimitRange) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitRange) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitRange.Merge(m, src)
-}
-func (m *LimitRange) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitRange) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitRange.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitRange proto.InternalMessageInfo
-
-func (m *LimitRangeItem) Reset()      { *m = LimitRangeItem{} }
-func (*LimitRangeItem) ProtoMessage() {}
-func (*LimitRangeItem) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{84}
-}
-func (m *LimitRangeItem) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitRangeItem) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitRangeItem) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitRangeItem.Merge(m, src)
-}
-func (m *LimitRangeItem) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitRangeItem) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitRangeItem.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitRangeItem proto.InternalMessageInfo
-
-func (m *LimitRangeList) Reset()      { *m = LimitRangeList{} }
-func (*LimitRangeList) ProtoMessage() {}
-func (*LimitRangeList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{85}
-}
-func (m *LimitRangeList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitRangeList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitRangeList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitRangeList.Merge(m, src)
-}
-func (m *LimitRangeList) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitRangeList) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitRangeList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitRangeList proto.InternalMessageInfo
-
-func (m *LimitRangeSpec) Reset()      { *m = LimitRangeSpec{} }
-func (*LimitRangeSpec) ProtoMessage() {}
-func (*LimitRangeSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{86}
-}
-func (m *LimitRangeSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitRangeSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitRangeSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitRangeSpec.Merge(m, src)
-}
-func (m *LimitRangeSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitRangeSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitRangeSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitRangeSpec proto.InternalMessageInfo
-
-func (m *LinuxContainerUser) Reset()      { *m = LinuxContainerUser{} }
-func (*LinuxContainerUser) ProtoMessage() {}
-func (*LinuxContainerUser) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{87}
-}
-func (m *LinuxContainerUser) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LinuxContainerUser) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LinuxContainerUser) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LinuxContainerUser.Merge(m, src)
-}
-func (m *LinuxContainerUser) XXX_Size() int {
-	return m.Size()
-}
-func (m *LinuxContainerUser) XXX_DiscardUnknown() {
-	xxx_messageInfo_LinuxContainerUser.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LinuxContainerUser proto.InternalMessageInfo
-
-func (m *List) Reset()      { *m = List{} }
-func (*List) ProtoMessage() {}
-func (*List) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{88}
-}
-func (m *List) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *List) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *List) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_List.Merge(m, src)
-}
-func (m *List) XXX_Size() int {
-	return m.Size()
-}
-func (m *List) XXX_DiscardUnknown() {
-	xxx_messageInfo_List.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_List proto.InternalMessageInfo
-
-func (m *LoadBalancerIngress) Reset()      { *m = LoadBalancerIngress{} }
-func (*LoadBalancerIngress) ProtoMessage() {}
-func (*LoadBalancerIngress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{89}
-}
-func (m *LoadBalancerIngress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LoadBalancerIngress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LoadBalancerIngress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LoadBalancerIngress.Merge(m, src)
-}
-func (m *LoadBalancerIngress) XXX_Size() int {
-	return m.Size()
-}
-func (m *LoadBalancerIngress) XXX_DiscardUnknown() {
-	xxx_messageInfo_LoadBalancerIngress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LoadBalancerIngress proto.InternalMessageInfo
-
-func (m *LoadBalancerStatus) Reset()      { *m = LoadBalancerStatus{} }
-func (*LoadBalancerStatus) ProtoMessage() {}
-func (*LoadBalancerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{90}
-}
-func (m *LoadBalancerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LoadBalancerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LoadBalancerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LoadBalancerStatus.Merge(m, src)
-}
-func (m *LoadBalancerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *LoadBalancerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_LoadBalancerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LoadBalancerStatus proto.InternalMessageInfo
-
-func (m *LocalObjectReference) Reset()      { *m = LocalObjectReference{} }
-func (*LocalObjectReference) ProtoMessage() {}
-func (*LocalObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{91}
-}
-func (m *LocalObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalObjectReference.Merge(m, src)
-}
-func (m *LocalObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalObjectReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalObjectReference proto.InternalMessageInfo
-
-func (m *LocalVolumeSource) Reset()      { *m = LocalVolumeSource{} }
-func (*LocalVolumeSource) ProtoMessage() {}
-func (*LocalVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{92}
-}
-func (m *LocalVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalVolumeSource.Merge(m, src)
-}
-func (m *LocalVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalVolumeSource proto.InternalMessageInfo
-
-func (m *ModifyVolumeStatus) Reset()      { *m = ModifyVolumeStatus{} }
-func (*ModifyVolumeStatus) ProtoMessage() {}
-func (*ModifyVolumeStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{93}
-}
-func (m *ModifyVolumeStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ModifyVolumeStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ModifyVolumeStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ModifyVolumeStatus.Merge(m, src)
-}
-func (m *ModifyVolumeStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ModifyVolumeStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ModifyVolumeStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ModifyVolumeStatus proto.InternalMessageInfo
-
-func (m *NFSVolumeSource) Reset()      { *m = NFSVolumeSource{} }
-func (*NFSVolumeSource) ProtoMessage() {}
-func (*NFSVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{94}
-}
-func (m *NFSVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NFSVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NFSVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NFSVolumeSource.Merge(m, src)
-}
-func (m *NFSVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *NFSVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_NFSVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NFSVolumeSource proto.InternalMessageInfo
-
-func (m *Namespace) Reset()      { *m = Namespace{} }
-func (*Namespace) ProtoMessage() {}
-func (*Namespace) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{95}
-}
-func (m *Namespace) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Namespace) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Namespace) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Namespace.Merge(m, src)
-}
-func (m *Namespace) XXX_Size() int {
-	return m.Size()
-}
-func (m *Namespace) XXX_DiscardUnknown() {
-	xxx_messageInfo_Namespace.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Namespace proto.InternalMessageInfo
-
-func (m *NamespaceCondition) Reset()      { *m = NamespaceCondition{} }
-func (*NamespaceCondition) ProtoMessage() {}
-func (*NamespaceCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{96}
-}
-func (m *NamespaceCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamespaceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamespaceCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamespaceCondition.Merge(m, src)
-}
-func (m *NamespaceCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamespaceCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamespaceCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamespaceCondition proto.InternalMessageInfo
-
-func (m *NamespaceList) Reset()      { *m = NamespaceList{} }
-func (*NamespaceList) ProtoMessage() {}
-func (*NamespaceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{97}
-}
-func (m *NamespaceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamespaceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamespaceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamespaceList.Merge(m, src)
-}
-func (m *NamespaceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamespaceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamespaceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamespaceList proto.InternalMessageInfo
-
-func (m *NamespaceSpec) Reset()      { *m = NamespaceSpec{} }
-func (*NamespaceSpec) ProtoMessage() {}
-func (*NamespaceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{98}
-}
-func (m *NamespaceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamespaceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamespaceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamespaceSpec.Merge(m, src)
-}
-func (m *NamespaceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamespaceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamespaceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamespaceSpec proto.InternalMessageInfo
-
-func (m *NamespaceStatus) Reset()      { *m = NamespaceStatus{} }
-func (*NamespaceStatus) ProtoMessage() {}
-func (*NamespaceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{99}
-}
-func (m *NamespaceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamespaceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamespaceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamespaceStatus.Merge(m, src)
-}
-func (m *NamespaceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamespaceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamespaceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamespaceStatus proto.InternalMessageInfo
-
-func (m *Node) Reset()      { *m = Node{} }
-func (*Node) ProtoMessage() {}
-func (*Node) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{100}
-}
-func (m *Node) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Node) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Node) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Node.Merge(m, src)
-}
-func (m *Node) XXX_Size() int {
-	return m.Size()
-}
-func (m *Node) XXX_DiscardUnknown() {
-	xxx_messageInfo_Node.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Node proto.InternalMessageInfo
-
-func (m *NodeAddress) Reset()      { *m = NodeAddress{} }
-func (*NodeAddress) ProtoMessage() {}
-func (*NodeAddress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{101}
-}
-func (m *NodeAddress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeAddress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeAddress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeAddress.Merge(m, src)
-}
-func (m *NodeAddress) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeAddress) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeAddress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeAddress proto.InternalMessageInfo
-
-func (m *NodeAffinity) Reset()      { *m = NodeAffinity{} }
-func (*NodeAffinity) ProtoMessage() {}
-func (*NodeAffinity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{102}
-}
-func (m *NodeAffinity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeAffinity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeAffinity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeAffinity.Merge(m, src)
-}
-func (m *NodeAffinity) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeAffinity) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeAffinity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeAffinity proto.InternalMessageInfo
-
-func (m *NodeCondition) Reset()      { *m = NodeCondition{} }
-func (*NodeCondition) ProtoMessage() {}
-func (*NodeCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{103}
-}
-func (m *NodeCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeCondition.Merge(m, src)
-}
-func (m *NodeCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeCondition proto.InternalMessageInfo
-
-func (m *NodeConfigSource) Reset()      { *m = NodeConfigSource{} }
-func (*NodeConfigSource) ProtoMessage() {}
-func (*NodeConfigSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{104}
-}
-func (m *NodeConfigSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeConfigSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeConfigSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeConfigSource.Merge(m, src)
-}
-func (m *NodeConfigSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeConfigSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeConfigSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeConfigSource proto.InternalMessageInfo
-
-func (m *NodeConfigStatus) Reset()      { *m = NodeConfigStatus{} }
-func (*NodeConfigStatus) ProtoMessage() {}
-func (*NodeConfigStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{105}
-}
-func (m *NodeConfigStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeConfigStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeConfigStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeConfigStatus.Merge(m, src)
-}
-func (m *NodeConfigStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeConfigStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeConfigStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeConfigStatus proto.InternalMessageInfo
-
-func (m *NodeDaemonEndpoints) Reset()      { *m = NodeDaemonEndpoints{} }
-func (*NodeDaemonEndpoints) ProtoMessage() {}
-func (*NodeDaemonEndpoints) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{106}
-}
-func (m *NodeDaemonEndpoints) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeDaemonEndpoints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeDaemonEndpoints) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeDaemonEndpoints.Merge(m, src)
-}
-func (m *NodeDaemonEndpoints) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeDaemonEndpoints) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeDaemonEndpoints.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeDaemonEndpoints proto.InternalMessageInfo
-
-func (m *NodeFeatures) Reset()      { *m = NodeFeatures{} }
-func (*NodeFeatures) ProtoMessage() {}
-func (*NodeFeatures) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{107}
-}
-func (m *NodeFeatures) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeFeatures) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeFeatures) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeFeatures.Merge(m, src)
-}
-func (m *NodeFeatures) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeFeatures) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeFeatures.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeFeatures proto.InternalMessageInfo
-
-func (m *NodeList) Reset()      { *m = NodeList{} }
-func (*NodeList) ProtoMessage() {}
-func (*NodeList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{108}
-}
-func (m *NodeList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeList.Merge(m, src)
-}
-func (m *NodeList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeList proto.InternalMessageInfo
-
-func (m *NodeProxyOptions) Reset()      { *m = NodeProxyOptions{} }
-func (*NodeProxyOptions) ProtoMessage() {}
-func (*NodeProxyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{109}
-}
-func (m *NodeProxyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeProxyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeProxyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeProxyOptions.Merge(m, src)
-}
-func (m *NodeProxyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeProxyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeProxyOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeProxyOptions proto.InternalMessageInfo
-
-func (m *NodeRuntimeHandler) Reset()      { *m = NodeRuntimeHandler{} }
-func (*NodeRuntimeHandler) ProtoMessage() {}
-func (*NodeRuntimeHandler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{110}
-}
-func (m *NodeRuntimeHandler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeRuntimeHandler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeRuntimeHandler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeRuntimeHandler.Merge(m, src)
-}
-func (m *NodeRuntimeHandler) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeRuntimeHandler) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeRuntimeHandler.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeRuntimeHandler proto.InternalMessageInfo
-
-func (m *NodeRuntimeHandlerFeatures) Reset()      { *m = NodeRuntimeHandlerFeatures{} }
-func (*NodeRuntimeHandlerFeatures) ProtoMessage() {}
-func (*NodeRuntimeHandlerFeatures) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{111}
-}
-func (m *NodeRuntimeHandlerFeatures) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeRuntimeHandlerFeatures) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeRuntimeHandlerFeatures) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeRuntimeHandlerFeatures.Merge(m, src)
-}
-func (m *NodeRuntimeHandlerFeatures) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeRuntimeHandlerFeatures) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeRuntimeHandlerFeatures.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeRuntimeHandlerFeatures proto.InternalMessageInfo
-
-func (m *NodeSelector) Reset()      { *m = NodeSelector{} }
-func (*NodeSelector) ProtoMessage() {}
-func (*NodeSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{112}
-}
-func (m *NodeSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSelector.Merge(m, src)
-}
-func (m *NodeSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSelector proto.InternalMessageInfo
-
-func (m *NodeSelectorRequirement) Reset()      { *m = NodeSelectorRequirement{} }
-func (*NodeSelectorRequirement) ProtoMessage() {}
-func (*NodeSelectorRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{113}
-}
-func (m *NodeSelectorRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSelectorRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSelectorRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSelectorRequirement.Merge(m, src)
-}
-func (m *NodeSelectorRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSelectorRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSelectorRequirement.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSelectorRequirement proto.InternalMessageInfo
-
-func (m *NodeSelectorTerm) Reset()      { *m = NodeSelectorTerm{} }
-func (*NodeSelectorTerm) ProtoMessage() {}
-func (*NodeSelectorTerm) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{114}
-}
-func (m *NodeSelectorTerm) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSelectorTerm) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSelectorTerm) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSelectorTerm.Merge(m, src)
-}
-func (m *NodeSelectorTerm) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSelectorTerm) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSelectorTerm.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSelectorTerm proto.InternalMessageInfo
-
-func (m *NodeSpec) Reset()      { *m = NodeSpec{} }
-func (*NodeSpec) ProtoMessage() {}
-func (*NodeSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{115}
-}
-func (m *NodeSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSpec.Merge(m, src)
-}
-func (m *NodeSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSpec proto.InternalMessageInfo
-
-func (m *NodeStatus) Reset()      { *m = NodeStatus{} }
-func (*NodeStatus) ProtoMessage() {}
-func (*NodeStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{116}
-}
-func (m *NodeStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeStatus.Merge(m, src)
-}
-func (m *NodeStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeStatus proto.InternalMessageInfo
-
-func (m *NodeSwapStatus) Reset()      { *m = NodeSwapStatus{} }
-func (*NodeSwapStatus) ProtoMessage() {}
-func (*NodeSwapStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{117}
-}
-func (m *NodeSwapStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSwapStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSwapStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSwapStatus.Merge(m, src)
-}
-func (m *NodeSwapStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSwapStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSwapStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSwapStatus proto.InternalMessageInfo
-
-func (m *NodeSystemInfo) Reset()      { *m = NodeSystemInfo{} }
-func (*NodeSystemInfo) ProtoMessage() {}
-func (*NodeSystemInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{118}
-}
-func (m *NodeSystemInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeSystemInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeSystemInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeSystemInfo.Merge(m, src)
-}
-func (m *NodeSystemInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeSystemInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeSystemInfo.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeSystemInfo proto.InternalMessageInfo
-
-func (m *ObjectFieldSelector) Reset()      { *m = ObjectFieldSelector{} }
-func (*ObjectFieldSelector) ProtoMessage() {}
-func (*ObjectFieldSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{119}
-}
-func (m *ObjectFieldSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectFieldSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectFieldSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectFieldSelector.Merge(m, src)
-}
-func (m *ObjectFieldSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectFieldSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectFieldSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectFieldSelector proto.InternalMessageInfo
-
-func (m *ObjectReference) Reset()      { *m = ObjectReference{} }
-func (*ObjectReference) ProtoMessage() {}
-func (*ObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{120}
-}
-func (m *ObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectReference.Merge(m, src)
-}
-func (m *ObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ObjectReference proto.InternalMessageInfo
-
-func (m *PersistentVolume) Reset()      { *m = PersistentVolume{} }
-func (*PersistentVolume) ProtoMessage() {}
-func (*PersistentVolume) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{121}
-}
-func (m *PersistentVolume) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolume) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolume.Merge(m, src)
-}
-func (m *PersistentVolume) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolume) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolume.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PersistentVolume proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaim) Reset()      { *m = PersistentVolumeClaim{} }
-func (*PersistentVolumeClaim) ProtoMessage() {}
-func (*PersistentVolumeClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{122}
-}
-func (m *PersistentVolumeClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaim.Merge(m, src)
-}
-func (m *PersistentVolumeClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PersistentVolumeClaim proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaimCondition) Reset()      { *m = PersistentVolumeClaimCondition{} }
-func (*PersistentVolumeClaimCondition) ProtoMessage() {}
-func (*PersistentVolumeClaimCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{123}
-}
-func (m *PersistentVolumeClaimCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimCondition.Merge(m, src)
-}
-func (m *PersistentVolumeClaimCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PersistentVolumeClaimCondition proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaimList) Reset()      { *m = PersistentVolumeClaimList{} }
-func (*PersistentVolumeClaimList) ProtoMessage() {}
-func (*PersistentVolumeClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{124}
-}
-func (m *PersistentVolumeClaimList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimList.Merge(m, src)
-}
-func (m *PersistentVolumeClaimList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PersistentVolumeClaimList proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaimSpec) Reset()      { *m = PersistentVolumeClaimSpec{} }
-func (*PersistentVolumeClaimSpec) ProtoMessage() {}
-func (*PersistentVolumeClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{125}
-}
-func (m *PersistentVolumeClaimSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimSpec.Merge(m, src)
-}
-func (m *PersistentVolumeClaimSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PersistentVolumeClaimSpec proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaimStatus) Reset()      { *m = PersistentVolumeClaimStatus{} }
-func (*PersistentVolumeClaimStatus) ProtoMessage() {}
-func (*PersistentVolumeClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{126}
-}
-func (m *PersistentVolumeClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimStatus.Merge(m, src)
-}
-func (m *PersistentVolumeClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimStatus.DiscardUnknown(m)
-}
+func (m *AppArmorProfile) Reset() { *m = AppArmorProfile{} }
 
-var xxx_messageInfo_PersistentVolumeClaimStatus proto.InternalMessageInfo
-
-func (m *PersistentVolumeClaimTemplate) Reset()      { *m = PersistentVolumeClaimTemplate{} }
-func (*PersistentVolumeClaimTemplate) ProtoMessage() {}
-func (*PersistentVolumeClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{127}
-}
-func (m *PersistentVolumeClaimTemplate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimTemplate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimTemplate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimTemplate.Merge(m, src)
-}
-func (m *PersistentVolumeClaimTemplate) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimTemplate) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimTemplate.DiscardUnknown(m)
-}
+func (m *AttachedVolume) Reset() { *m = AttachedVolume{} }
 
-var xxx_messageInfo_PersistentVolumeClaimTemplate proto.InternalMessageInfo
+func (m *AvoidPods) Reset() { *m = AvoidPods{} }
 
-func (m *PersistentVolumeClaimVolumeSource) Reset()      { *m = PersistentVolumeClaimVolumeSource{} }
-func (*PersistentVolumeClaimVolumeSource) ProtoMessage() {}
-func (*PersistentVolumeClaimVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{128}
-}
-func (m *PersistentVolumeClaimVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeClaimVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeClaimVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeClaimVolumeSource.Merge(m, src)
-}
-func (m *PersistentVolumeClaimVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeClaimVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeClaimVolumeSource.DiscardUnknown(m)
-}
+func (m *AzureDiskVolumeSource) Reset() { *m = AzureDiskVolumeSource{} }
 
-var xxx_messageInfo_PersistentVolumeClaimVolumeSource proto.InternalMessageInfo
+func (m *AzureFilePersistentVolumeSource) Reset() { *m = AzureFilePersistentVolumeSource{} }
 
-func (m *PersistentVolumeList) Reset()      { *m = PersistentVolumeList{} }
-func (*PersistentVolumeList) ProtoMessage() {}
-func (*PersistentVolumeList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{129}
-}
-func (m *PersistentVolumeList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeList.Merge(m, src)
-}
-func (m *PersistentVolumeList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeList.DiscardUnknown(m)
-}
+func (m *AzureFileVolumeSource) Reset() { *m = AzureFileVolumeSource{} }
 
-var xxx_messageInfo_PersistentVolumeList proto.InternalMessageInfo
+func (m *Binding) Reset() { *m = Binding{} }
 
-func (m *PersistentVolumeSource) Reset()      { *m = PersistentVolumeSource{} }
-func (*PersistentVolumeSource) ProtoMessage() {}
-func (*PersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{130}
-}
-func (m *PersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeSource.Merge(m, src)
-}
-func (m *PersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeSource.DiscardUnknown(m)
-}
+func (m *CSIPersistentVolumeSource) Reset() { *m = CSIPersistentVolumeSource{} }
 
-var xxx_messageInfo_PersistentVolumeSource proto.InternalMessageInfo
+func (m *CSIVolumeSource) Reset() { *m = CSIVolumeSource{} }
 
-func (m *PersistentVolumeSpec) Reset()      { *m = PersistentVolumeSpec{} }
-func (*PersistentVolumeSpec) ProtoMessage() {}
-func (*PersistentVolumeSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{131}
-}
-func (m *PersistentVolumeSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeSpec.Merge(m, src)
-}
-func (m *PersistentVolumeSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeSpec.DiscardUnknown(m)
-}
+func (m *Capabilities) Reset() { *m = Capabilities{} }
 
-var xxx_messageInfo_PersistentVolumeSpec proto.InternalMessageInfo
+func (m *CephFSPersistentVolumeSource) Reset() { *m = CephFSPersistentVolumeSource{} }
 
-func (m *PersistentVolumeStatus) Reset()      { *m = PersistentVolumeStatus{} }
-func (*PersistentVolumeStatus) ProtoMessage() {}
-func (*PersistentVolumeStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{132}
-}
-func (m *PersistentVolumeStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PersistentVolumeStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PersistentVolumeStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PersistentVolumeStatus.Merge(m, src)
-}
-func (m *PersistentVolumeStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PersistentVolumeStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PersistentVolumeStatus.DiscardUnknown(m)
-}
+func (m *CephFSVolumeSource) Reset() { *m = CephFSVolumeSource{} }
 
-var xxx_messageInfo_PersistentVolumeStatus proto.InternalMessageInfo
+func (m *CinderPersistentVolumeSource) Reset() { *m = CinderPersistentVolumeSource{} }
 
-func (m *PhotonPersistentDiskVolumeSource) Reset()      { *m = PhotonPersistentDiskVolumeSource{} }
-func (*PhotonPersistentDiskVolumeSource) ProtoMessage() {}
-func (*PhotonPersistentDiskVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{133}
-}
-func (m *PhotonPersistentDiskVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PhotonPersistentDiskVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PhotonPersistentDiskVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PhotonPersistentDiskVolumeSource.Merge(m, src)
-}
-func (m *PhotonPersistentDiskVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PhotonPersistentDiskVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PhotonPersistentDiskVolumeSource.DiscardUnknown(m)
-}
+func (m *CinderVolumeSource) Reset() { *m = CinderVolumeSource{} }
 
-var xxx_messageInfo_PhotonPersistentDiskVolumeSource proto.InternalMessageInfo
+func (m *ClientIPConfig) Reset() { *m = ClientIPConfig{} }
 
-func (m *Pod) Reset()      { *m = Pod{} }
-func (*Pod) ProtoMessage() {}
-func (*Pod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{134}
-}
-func (m *Pod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Pod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Pod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Pod.Merge(m, src)
-}
-func (m *Pod) XXX_Size() int {
-	return m.Size()
-}
-func (m *Pod) XXX_DiscardUnknown() {
-	xxx_messageInfo_Pod.DiscardUnknown(m)
-}
+func (m *ClusterTrustBundleProjection) Reset() { *m = ClusterTrustBundleProjection{} }
 
-var xxx_messageInfo_Pod proto.InternalMessageInfo
+func (m *ComponentCondition) Reset() { *m = ComponentCondition{} }
 
-func (m *PodAffinity) Reset()      { *m = PodAffinity{} }
-func (*PodAffinity) ProtoMessage() {}
-func (*PodAffinity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{135}
-}
-func (m *PodAffinity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodAffinity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodAffinity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodAffinity.Merge(m, src)
-}
-func (m *PodAffinity) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodAffinity) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodAffinity.DiscardUnknown(m)
-}
+func (m *ComponentStatus) Reset() { *m = ComponentStatus{} }
 
-var xxx_messageInfo_PodAffinity proto.InternalMessageInfo
+func (m *ComponentStatusList) Reset() { *m = ComponentStatusList{} }
 
-func (m *PodAffinityTerm) Reset()      { *m = PodAffinityTerm{} }
-func (*PodAffinityTerm) ProtoMessage() {}
-func (*PodAffinityTerm) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{136}
-}
-func (m *PodAffinityTerm) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodAffinityTerm) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodAffinityTerm) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodAffinityTerm.Merge(m, src)
-}
-func (m *PodAffinityTerm) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodAffinityTerm) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodAffinityTerm.DiscardUnknown(m)
-}
+func (m *ConfigMap) Reset() { *m = ConfigMap{} }
 
-var xxx_messageInfo_PodAffinityTerm proto.InternalMessageInfo
+func (m *ConfigMapEnvSource) Reset() { *m = ConfigMapEnvSource{} }
 
-func (m *PodAntiAffinity) Reset()      { *m = PodAntiAffinity{} }
-func (*PodAntiAffinity) ProtoMessage() {}
-func (*PodAntiAffinity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{137}
-}
-func (m *PodAntiAffinity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodAntiAffinity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodAntiAffinity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodAntiAffinity.Merge(m, src)
-}
-func (m *PodAntiAffinity) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodAntiAffinity) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodAntiAffinity.DiscardUnknown(m)
-}
+func (m *ConfigMapKeySelector) Reset() { *m = ConfigMapKeySelector{} }
 
-var xxx_messageInfo_PodAntiAffinity proto.InternalMessageInfo
+func (m *ConfigMapList) Reset() { *m = ConfigMapList{} }
 
-func (m *PodAttachOptions) Reset()      { *m = PodAttachOptions{} }
-func (*PodAttachOptions) ProtoMessage() {}
-func (*PodAttachOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{138}
-}
-func (m *PodAttachOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodAttachOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodAttachOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodAttachOptions.Merge(m, src)
-}
-func (m *PodAttachOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodAttachOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodAttachOptions.DiscardUnknown(m)
-}
+func (m *ConfigMapNodeConfigSource) Reset() { *m = ConfigMapNodeConfigSource{} }
 
-var xxx_messageInfo_PodAttachOptions proto.InternalMessageInfo
+func (m *ConfigMapProjection) Reset() { *m = ConfigMapProjection{} }
 
-func (m *PodCertificateProjection) Reset()      { *m = PodCertificateProjection{} }
-func (*PodCertificateProjection) ProtoMessage() {}
-func (*PodCertificateProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{139}
-}
-func (m *PodCertificateProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCertificateProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCertificateProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCertificateProjection.Merge(m, src)
-}
-func (m *PodCertificateProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCertificateProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCertificateProjection.DiscardUnknown(m)
-}
+func (m *ConfigMapVolumeSource) Reset() { *m = ConfigMapVolumeSource{} }
 
-var xxx_messageInfo_PodCertificateProjection proto.InternalMessageInfo
+func (m *Container) Reset() { *m = Container{} }
 
-func (m *PodCondition) Reset()      { *m = PodCondition{} }
-func (*PodCondition) ProtoMessage() {}
-func (*PodCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{140}
-}
-func (m *PodCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCondition.Merge(m, src)
-}
-func (m *PodCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCondition.DiscardUnknown(m)
-}
+func (m *ContainerExtendedResourceRequest) Reset() { *m = ContainerExtendedResourceRequest{} }
 
-var xxx_messageInfo_PodCondition proto.InternalMessageInfo
+func (m *ContainerImage) Reset() { *m = ContainerImage{} }
 
-func (m *PodDNSConfig) Reset()      { *m = PodDNSConfig{} }
-func (*PodDNSConfig) ProtoMessage() {}
-func (*PodDNSConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{141}
-}
-func (m *PodDNSConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDNSConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDNSConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDNSConfig.Merge(m, src)
-}
-func (m *PodDNSConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDNSConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDNSConfig.DiscardUnknown(m)
-}
+func (m *ContainerPort) Reset() { *m = ContainerPort{} }
 
-var xxx_messageInfo_PodDNSConfig proto.InternalMessageInfo
+func (m *ContainerResizePolicy) Reset() { *m = ContainerResizePolicy{} }
 
-func (m *PodDNSConfigOption) Reset()      { *m = PodDNSConfigOption{} }
-func (*PodDNSConfigOption) ProtoMessage() {}
-func (*PodDNSConfigOption) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{142}
-}
-func (m *PodDNSConfigOption) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDNSConfigOption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDNSConfigOption) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDNSConfigOption.Merge(m, src)
-}
-func (m *PodDNSConfigOption) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDNSConfigOption) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDNSConfigOption.DiscardUnknown(m)
-}
+func (m *ContainerRestartRule) Reset() { *m = ContainerRestartRule{} }
 
-var xxx_messageInfo_PodDNSConfigOption proto.InternalMessageInfo
+func (m *ContainerRestartRuleOnExitCodes) Reset() { *m = ContainerRestartRuleOnExitCodes{} }
 
-func (m *PodExecOptions) Reset()      { *m = PodExecOptions{} }
-func (*PodExecOptions) ProtoMessage() {}
-func (*PodExecOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{143}
-}
-func (m *PodExecOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodExecOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodExecOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodExecOptions.Merge(m, src)
-}
-func (m *PodExecOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodExecOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodExecOptions.DiscardUnknown(m)
-}
+func (m *ContainerState) Reset() { *m = ContainerState{} }
 
-var xxx_messageInfo_PodExecOptions proto.InternalMessageInfo
+func (m *ContainerStateRunning) Reset() { *m = ContainerStateRunning{} }
 
-func (m *PodExtendedResourceClaimStatus) Reset()      { *m = PodExtendedResourceClaimStatus{} }
-func (*PodExtendedResourceClaimStatus) ProtoMessage() {}
-func (*PodExtendedResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{144}
-}
-func (m *PodExtendedResourceClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodExtendedResourceClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodExtendedResourceClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodExtendedResourceClaimStatus.Merge(m, src)
-}
-func (m *PodExtendedResourceClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodExtendedResourceClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodExtendedResourceClaimStatus.DiscardUnknown(m)
-}
+func (m *ContainerStateTerminated) Reset() { *m = ContainerStateTerminated{} }
 
-var xxx_messageInfo_PodExtendedResourceClaimStatus proto.InternalMessageInfo
+func (m *ContainerStateWaiting) Reset() { *m = ContainerStateWaiting{} }
 
-func (m *PodIP) Reset()      { *m = PodIP{} }
-func (*PodIP) ProtoMessage() {}
-func (*PodIP) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{145}
-}
-func (m *PodIP) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodIP) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodIP) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodIP.Merge(m, src)
-}
-func (m *PodIP) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodIP) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodIP.DiscardUnknown(m)
-}
+func (m *ContainerStatus) Reset() { *m = ContainerStatus{} }
 
-var xxx_messageInfo_PodIP proto.InternalMessageInfo
+func (m *ContainerUser) Reset() { *m = ContainerUser{} }
 
-func (m *PodList) Reset()      { *m = PodList{} }
-func (*PodList) ProtoMessage() {}
-func (*PodList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{146}
-}
-func (m *PodList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodList.Merge(m, src)
-}
-func (m *PodList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodList.DiscardUnknown(m)
-}
+func (m *DaemonEndpoint) Reset() { *m = DaemonEndpoint{} }
 
-var xxx_messageInfo_PodList proto.InternalMessageInfo
+func (m *DownwardAPIProjection) Reset() { *m = DownwardAPIProjection{} }
 
-func (m *PodLogOptions) Reset()      { *m = PodLogOptions{} }
-func (*PodLogOptions) ProtoMessage() {}
-func (*PodLogOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{147}
-}
-func (m *PodLogOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodLogOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodLogOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodLogOptions.Merge(m, src)
-}
-func (m *PodLogOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodLogOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodLogOptions.DiscardUnknown(m)
-}
+func (m *DownwardAPIVolumeFile) Reset() { *m = DownwardAPIVolumeFile{} }
 
-var xxx_messageInfo_PodLogOptions proto.InternalMessageInfo
+func (m *DownwardAPIVolumeSource) Reset() { *m = DownwardAPIVolumeSource{} }
 
-func (m *PodOS) Reset()      { *m = PodOS{} }
-func (*PodOS) ProtoMessage() {}
-func (*PodOS) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{148}
-}
-func (m *PodOS) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodOS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodOS) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodOS.Merge(m, src)
-}
-func (m *PodOS) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodOS) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodOS.DiscardUnknown(m)
-}
+func (m *EmptyDirVolumeSource) Reset() { *m = EmptyDirVolumeSource{} }
 
-var xxx_messageInfo_PodOS proto.InternalMessageInfo
+func (m *EndpointAddress) Reset() { *m = EndpointAddress{} }
 
-func (m *PodPortForwardOptions) Reset()      { *m = PodPortForwardOptions{} }
-func (*PodPortForwardOptions) ProtoMessage() {}
-func (*PodPortForwardOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{149}
-}
-func (m *PodPortForwardOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodPortForwardOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodPortForwardOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodPortForwardOptions.Merge(m, src)
-}
-func (m *PodPortForwardOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodPortForwardOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodPortForwardOptions.DiscardUnknown(m)
-}
+func (m *EndpointPort) Reset() { *m = EndpointPort{} }
 
-var xxx_messageInfo_PodPortForwardOptions proto.InternalMessageInfo
+func (m *EndpointSubset) Reset() { *m = EndpointSubset{} }
 
-func (m *PodProxyOptions) Reset()      { *m = PodProxyOptions{} }
-func (*PodProxyOptions) ProtoMessage() {}
-func (*PodProxyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{150}
-}
-func (m *PodProxyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodProxyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodProxyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodProxyOptions.Merge(m, src)
-}
-func (m *PodProxyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodProxyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodProxyOptions.DiscardUnknown(m)
-}
+func (m *Endpoints) Reset() { *m = Endpoints{} }
 
-var xxx_messageInfo_PodProxyOptions proto.InternalMessageInfo
+func (m *EndpointsList) Reset() { *m = EndpointsList{} }
 
-func (m *PodReadinessGate) Reset()      { *m = PodReadinessGate{} }
-func (*PodReadinessGate) ProtoMessage() {}
-func (*PodReadinessGate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{151}
-}
-func (m *PodReadinessGate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodReadinessGate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodReadinessGate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodReadinessGate.Merge(m, src)
-}
-func (m *PodReadinessGate) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodReadinessGate) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodReadinessGate.DiscardUnknown(m)
-}
+func (m *EnvFromSource) Reset() { *m = EnvFromSource{} }
 
-var xxx_messageInfo_PodReadinessGate proto.InternalMessageInfo
+func (m *EnvVar) Reset() { *m = EnvVar{} }
 
-func (m *PodResourceClaim) Reset()      { *m = PodResourceClaim{} }
-func (*PodResourceClaim) ProtoMessage() {}
-func (*PodResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{152}
-}
-func (m *PodResourceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodResourceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodResourceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodResourceClaim.Merge(m, src)
-}
-func (m *PodResourceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodResourceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodResourceClaim.DiscardUnknown(m)
-}
+func (m *EnvVarSource) Reset() { *m = EnvVarSource{} }
 
-var xxx_messageInfo_PodResourceClaim proto.InternalMessageInfo
+func (m *EphemeralContainer) Reset() { *m = EphemeralContainer{} }
 
-func (m *PodResourceClaimStatus) Reset()      { *m = PodResourceClaimStatus{} }
-func (*PodResourceClaimStatus) ProtoMessage() {}
-func (*PodResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{153}
-}
-func (m *PodResourceClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodResourceClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodResourceClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodResourceClaimStatus.Merge(m, src)
-}
-func (m *PodResourceClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodResourceClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodResourceClaimStatus.DiscardUnknown(m)
-}
+func (m *EphemeralContainerCommon) Reset() { *m = EphemeralContainerCommon{} }
 
-var xxx_messageInfo_PodResourceClaimStatus proto.InternalMessageInfo
+func (m *EphemeralVolumeSource) Reset() { *m = EphemeralVolumeSource{} }
 
-func (m *PodSchedulingGate) Reset()      { *m = PodSchedulingGate{} }
-func (*PodSchedulingGate) ProtoMessage() {}
-func (*PodSchedulingGate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{154}
-}
-func (m *PodSchedulingGate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSchedulingGate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSchedulingGate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSchedulingGate.Merge(m, src)
-}
-func (m *PodSchedulingGate) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSchedulingGate) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSchedulingGate.DiscardUnknown(m)
-}
+func (m *Event) Reset() { *m = Event{} }
 
-var xxx_messageInfo_PodSchedulingGate proto.InternalMessageInfo
+func (m *EventList) Reset() { *m = EventList{} }
 
-func (m *PodSecurityContext) Reset()      { *m = PodSecurityContext{} }
-func (*PodSecurityContext) ProtoMessage() {}
-func (*PodSecurityContext) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{155}
-}
-func (m *PodSecurityContext) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityContext) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityContext.Merge(m, src)
-}
-func (m *PodSecurityContext) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityContext) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityContext.DiscardUnknown(m)
-}
+func (m *EventSeries) Reset() { *m = EventSeries{} }
 
-var xxx_messageInfo_PodSecurityContext proto.InternalMessageInfo
+func (m *EventSource) Reset() { *m = EventSource{} }
 
-func (m *PodSignature) Reset()      { *m = PodSignature{} }
-func (*PodSignature) ProtoMessage() {}
-func (*PodSignature) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{156}
-}
-func (m *PodSignature) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSignature) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSignature) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSignature.Merge(m, src)
-}
-func (m *PodSignature) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSignature) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSignature.DiscardUnknown(m)
-}
+func (m *ExecAction) Reset() { *m = ExecAction{} }
 
-var xxx_messageInfo_PodSignature proto.InternalMessageInfo
+func (m *FCVolumeSource) Reset() { *m = FCVolumeSource{} }
 
-func (m *PodSpec) Reset()      { *m = PodSpec{} }
-func (*PodSpec) ProtoMessage() {}
-func (*PodSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{157}
-}
-func (m *PodSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSpec.Merge(m, src)
-}
-func (m *PodSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSpec.DiscardUnknown(m)
-}
+func (m *FileKeySelector) Reset() { *m = FileKeySelector{} }
 
-var xxx_messageInfo_PodSpec proto.InternalMessageInfo
+func (m *FlexPersistentVolumeSource) Reset() { *m = FlexPersistentVolumeSource{} }
 
-func (m *PodStatus) Reset()      { *m = PodStatus{} }
-func (*PodStatus) ProtoMessage() {}
-func (*PodStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{158}
-}
-func (m *PodStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodStatus.Merge(m, src)
-}
-func (m *PodStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodStatus.DiscardUnknown(m)
-}
+func (m *FlexVolumeSource) Reset() { *m = FlexVolumeSource{} }
 
-var xxx_messageInfo_PodStatus proto.InternalMessageInfo
+func (m *FlockerVolumeSource) Reset() { *m = FlockerVolumeSource{} }
 
-func (m *PodStatusResult) Reset()      { *m = PodStatusResult{} }
-func (*PodStatusResult) ProtoMessage() {}
-func (*PodStatusResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{159}
-}
-func (m *PodStatusResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodStatusResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodStatusResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodStatusResult.Merge(m, src)
-}
-func (m *PodStatusResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodStatusResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodStatusResult.DiscardUnknown(m)
-}
+func (m *GCEPersistentDiskVolumeSource) Reset() { *m = GCEPersistentDiskVolumeSource{} }
 
-var xxx_messageInfo_PodStatusResult proto.InternalMessageInfo
+func (m *GRPCAction) Reset() { *m = GRPCAction{} }
 
-func (m *PodTemplate) Reset()      { *m = PodTemplate{} }
-func (*PodTemplate) ProtoMessage() {}
-func (*PodTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{160}
-}
-func (m *PodTemplate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodTemplate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodTemplate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodTemplate.Merge(m, src)
-}
-func (m *PodTemplate) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodTemplate) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodTemplate.DiscardUnknown(m)
-}
+func (m *GitRepoVolumeSource) Reset() { *m = GitRepoVolumeSource{} }
 
-var xxx_messageInfo_PodTemplate proto.InternalMessageInfo
+func (m *GlusterfsPersistentVolumeSource) Reset() { *m = GlusterfsPersistentVolumeSource{} }
 
-func (m *PodTemplateList) Reset()      { *m = PodTemplateList{} }
-func (*PodTemplateList) ProtoMessage() {}
-func (*PodTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{161}
-}
-func (m *PodTemplateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodTemplateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodTemplateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodTemplateList.Merge(m, src)
-}
-func (m *PodTemplateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodTemplateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodTemplateList.DiscardUnknown(m)
-}
+func (m *GlusterfsVolumeSource) Reset() { *m = GlusterfsVolumeSource{} }
 
-var xxx_messageInfo_PodTemplateList proto.InternalMessageInfo
+func (m *HTTPGetAction) Reset() { *m = HTTPGetAction{} }
 
-func (m *PodTemplateSpec) Reset()      { *m = PodTemplateSpec{} }
-func (*PodTemplateSpec) ProtoMessage() {}
-func (*PodTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{162}
-}
-func (m *PodTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodTemplateSpec.Merge(m, src)
-}
-func (m *PodTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodTemplateSpec.DiscardUnknown(m)
-}
+func (m *HTTPHeader) Reset() { *m = HTTPHeader{} }
 
-var xxx_messageInfo_PodTemplateSpec proto.InternalMessageInfo
+func (m *HostAlias) Reset() { *m = HostAlias{} }
 
-func (m *PortStatus) Reset()      { *m = PortStatus{} }
-func (*PortStatus) ProtoMessage() {}
-func (*PortStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{163}
-}
-func (m *PortStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PortStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PortStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PortStatus.Merge(m, src)
-}
-func (m *PortStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PortStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PortStatus.DiscardUnknown(m)
-}
+func (m *HostIP) Reset() { *m = HostIP{} }
 
-var xxx_messageInfo_PortStatus proto.InternalMessageInfo
+func (m *HostPathVolumeSource) Reset() { *m = HostPathVolumeSource{} }
 
-func (m *PortworxVolumeSource) Reset()      { *m = PortworxVolumeSource{} }
-func (*PortworxVolumeSource) ProtoMessage() {}
-func (*PortworxVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{164}
-}
-func (m *PortworxVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PortworxVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PortworxVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PortworxVolumeSource.Merge(m, src)
-}
-func (m *PortworxVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *PortworxVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_PortworxVolumeSource.DiscardUnknown(m)
-}
+func (m *ISCSIPersistentVolumeSource) Reset() { *m = ISCSIPersistentVolumeSource{} }
 
-var xxx_messageInfo_PortworxVolumeSource proto.InternalMessageInfo
+func (m *ISCSIVolumeSource) Reset() { *m = ISCSIVolumeSource{} }
 
-func (m *Preconditions) Reset()      { *m = Preconditions{} }
-func (*Preconditions) ProtoMessage() {}
-func (*Preconditions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{165}
-}
-func (m *Preconditions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Preconditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Preconditions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Preconditions.Merge(m, src)
-}
-func (m *Preconditions) XXX_Size() int {
-	return m.Size()
-}
-func (m *Preconditions) XXX_DiscardUnknown() {
-	xxx_messageInfo_Preconditions.DiscardUnknown(m)
-}
+func (m *ImageVolumeSource) Reset() { *m = ImageVolumeSource{} }
 
-var xxx_messageInfo_Preconditions proto.InternalMessageInfo
+func (m *KeyToPath) Reset() { *m = KeyToPath{} }
 
-func (m *PreferAvoidPodsEntry) Reset()      { *m = PreferAvoidPodsEntry{} }
-func (*PreferAvoidPodsEntry) ProtoMessage() {}
-func (*PreferAvoidPodsEntry) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{166}
-}
-func (m *PreferAvoidPodsEntry) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PreferAvoidPodsEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PreferAvoidPodsEntry) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PreferAvoidPodsEntry.Merge(m, src)
-}
-func (m *PreferAvoidPodsEntry) XXX_Size() int {
-	return m.Size()
-}
-func (m *PreferAvoidPodsEntry) XXX_DiscardUnknown() {
-	xxx_messageInfo_PreferAvoidPodsEntry.DiscardUnknown(m)
-}
+func (m *Lifecycle) Reset() { *m = Lifecycle{} }
 
-var xxx_messageInfo_PreferAvoidPodsEntry proto.InternalMessageInfo
+func (m *LifecycleHandler) Reset() { *m = LifecycleHandler{} }
 
-func (m *PreferredSchedulingTerm) Reset()      { *m = PreferredSchedulingTerm{} }
-func (*PreferredSchedulingTerm) ProtoMessage() {}
-func (*PreferredSchedulingTerm) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{167}
-}
-func (m *PreferredSchedulingTerm) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PreferredSchedulingTerm) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PreferredSchedulingTerm) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PreferredSchedulingTerm.Merge(m, src)
-}
-func (m *PreferredSchedulingTerm) XXX_Size() int {
-	return m.Size()
-}
-func (m *PreferredSchedulingTerm) XXX_DiscardUnknown() {
-	xxx_messageInfo_PreferredSchedulingTerm.DiscardUnknown(m)
-}
+func (m *LimitRange) Reset() { *m = LimitRange{} }
 
-var xxx_messageInfo_PreferredSchedulingTerm proto.InternalMessageInfo
+func (m *LimitRangeItem) Reset() { *m = LimitRangeItem{} }
 
-func (m *Probe) Reset()      { *m = Probe{} }
-func (*Probe) ProtoMessage() {}
-func (*Probe) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{168}
-}
-func (m *Probe) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Probe) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Probe) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Probe.Merge(m, src)
-}
-func (m *Probe) XXX_Size() int {
-	return m.Size()
-}
-func (m *Probe) XXX_DiscardUnknown() {
-	xxx_messageInfo_Probe.DiscardUnknown(m)
-}
+func (m *LimitRangeList) Reset() { *m = LimitRangeList{} }
 
-var xxx_messageInfo_Probe proto.InternalMessageInfo
+func (m *LimitRangeSpec) Reset() { *m = LimitRangeSpec{} }
 
-func (m *ProbeHandler) Reset()      { *m = ProbeHandler{} }
-func (*ProbeHandler) ProtoMessage() {}
-func (*ProbeHandler) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{169}
-}
-func (m *ProbeHandler) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProbeHandler) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProbeHandler) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProbeHandler.Merge(m, src)
-}
-func (m *ProbeHandler) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProbeHandler) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProbeHandler.DiscardUnknown(m)
-}
+func (m *LinuxContainerUser) Reset() { *m = LinuxContainerUser{} }
 
-var xxx_messageInfo_ProbeHandler proto.InternalMessageInfo
+func (m *List) Reset() { *m = List{} }
 
-func (m *ProjectedVolumeSource) Reset()      { *m = ProjectedVolumeSource{} }
-func (*ProjectedVolumeSource) ProtoMessage() {}
-func (*ProjectedVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{170}
-}
-func (m *ProjectedVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProjectedVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProjectedVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProjectedVolumeSource.Merge(m, src)
-}
-func (m *ProjectedVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProjectedVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProjectedVolumeSource.DiscardUnknown(m)
-}
+func (m *LoadBalancerIngress) Reset() { *m = LoadBalancerIngress{} }
 
-var xxx_messageInfo_ProjectedVolumeSource proto.InternalMessageInfo
+func (m *LoadBalancerStatus) Reset() { *m = LoadBalancerStatus{} }
 
-func (m *QuobyteVolumeSource) Reset()      { *m = QuobyteVolumeSource{} }
-func (*QuobyteVolumeSource) ProtoMessage() {}
-func (*QuobyteVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{171}
-}
-func (m *QuobyteVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *QuobyteVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *QuobyteVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QuobyteVolumeSource.Merge(m, src)
-}
-func (m *QuobyteVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *QuobyteVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_QuobyteVolumeSource.DiscardUnknown(m)
-}
+func (m *LocalObjectReference) Reset() { *m = LocalObjectReference{} }
 
-var xxx_messageInfo_QuobyteVolumeSource proto.InternalMessageInfo
+func (m *LocalVolumeSource) Reset() { *m = LocalVolumeSource{} }
 
-func (m *RBDPersistentVolumeSource) Reset()      { *m = RBDPersistentVolumeSource{} }
-func (*RBDPersistentVolumeSource) ProtoMessage() {}
-func (*RBDPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{172}
-}
-func (m *RBDPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RBDPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RBDPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RBDPersistentVolumeSource.Merge(m, src)
-}
-func (m *RBDPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *RBDPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_RBDPersistentVolumeSource.DiscardUnknown(m)
-}
+func (m *ModifyVolumeStatus) Reset() { *m = ModifyVolumeStatus{} }
 
-var xxx_messageInfo_RBDPersistentVolumeSource proto.InternalMessageInfo
+func (m *NFSVolumeSource) Reset() { *m = NFSVolumeSource{} }
 
-func (m *RBDVolumeSource) Reset()      { *m = RBDVolumeSource{} }
-func (*RBDVolumeSource) ProtoMessage() {}
-func (*RBDVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{173}
-}
-func (m *RBDVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RBDVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RBDVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RBDVolumeSource.Merge(m, src)
-}
-func (m *RBDVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *RBDVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_RBDVolumeSource.DiscardUnknown(m)
-}
+func (m *Namespace) Reset() { *m = Namespace{} }
 
-var xxx_messageInfo_RBDVolumeSource proto.InternalMessageInfo
+func (m *NamespaceCondition) Reset() { *m = NamespaceCondition{} }
 
-func (m *RangeAllocation) Reset()      { *m = RangeAllocation{} }
-func (*RangeAllocation) ProtoMessage() {}
-func (*RangeAllocation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{174}
-}
-func (m *RangeAllocation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RangeAllocation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RangeAllocation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RangeAllocation.Merge(m, src)
-}
-func (m *RangeAllocation) XXX_Size() int {
-	return m.Size()
-}
-func (m *RangeAllocation) XXX_DiscardUnknown() {
-	xxx_messageInfo_RangeAllocation.DiscardUnknown(m)
-}
+func (m *NamespaceList) Reset() { *m = NamespaceList{} }
 
-var xxx_messageInfo_RangeAllocation proto.InternalMessageInfo
+func (m *NamespaceSpec) Reset() { *m = NamespaceSpec{} }
 
-func (m *ReplicationController) Reset()      { *m = ReplicationController{} }
-func (*ReplicationController) ProtoMessage() {}
-func (*ReplicationController) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{175}
-}
-func (m *ReplicationController) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicationController) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicationController) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicationController.Merge(m, src)
-}
-func (m *ReplicationController) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicationController) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicationController.DiscardUnknown(m)
-}
+func (m *NamespaceStatus) Reset() { *m = NamespaceStatus{} }
 
-var xxx_messageInfo_ReplicationController proto.InternalMessageInfo
+func (m *Node) Reset() { *m = Node{} }
 
-func (m *ReplicationControllerCondition) Reset()      { *m = ReplicationControllerCondition{} }
-func (*ReplicationControllerCondition) ProtoMessage() {}
-func (*ReplicationControllerCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{176}
-}
-func (m *ReplicationControllerCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicationControllerCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicationControllerCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicationControllerCondition.Merge(m, src)
-}
-func (m *ReplicationControllerCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicationControllerCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicationControllerCondition.DiscardUnknown(m)
-}
+func (m *NodeAddress) Reset() { *m = NodeAddress{} }
 
-var xxx_messageInfo_ReplicationControllerCondition proto.InternalMessageInfo
+func (m *NodeAffinity) Reset() { *m = NodeAffinity{} }
 
-func (m *ReplicationControllerList) Reset()      { *m = ReplicationControllerList{} }
-func (*ReplicationControllerList) ProtoMessage() {}
-func (*ReplicationControllerList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{177}
-}
-func (m *ReplicationControllerList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicationControllerList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicationControllerList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicationControllerList.Merge(m, src)
-}
-func (m *ReplicationControllerList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicationControllerList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicationControllerList.DiscardUnknown(m)
-}
+func (m *NodeCondition) Reset() { *m = NodeCondition{} }
 
-var xxx_messageInfo_ReplicationControllerList proto.InternalMessageInfo
+func (m *NodeConfigSource) Reset() { *m = NodeConfigSource{} }
 
-func (m *ReplicationControllerSpec) Reset()      { *m = ReplicationControllerSpec{} }
-func (*ReplicationControllerSpec) ProtoMessage() {}
-func (*ReplicationControllerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{178}
-}
-func (m *ReplicationControllerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicationControllerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicationControllerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicationControllerSpec.Merge(m, src)
-}
-func (m *ReplicationControllerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicationControllerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicationControllerSpec.DiscardUnknown(m)
-}
+func (m *NodeConfigStatus) Reset() { *m = NodeConfigStatus{} }
 
-var xxx_messageInfo_ReplicationControllerSpec proto.InternalMessageInfo
+func (m *NodeDaemonEndpoints) Reset() { *m = NodeDaemonEndpoints{} }
 
-func (m *ReplicationControllerStatus) Reset()      { *m = ReplicationControllerStatus{} }
-func (*ReplicationControllerStatus) ProtoMessage() {}
-func (*ReplicationControllerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{179}
-}
-func (m *ReplicationControllerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicationControllerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicationControllerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicationControllerStatus.Merge(m, src)
-}
-func (m *ReplicationControllerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicationControllerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicationControllerStatus.DiscardUnknown(m)
-}
+func (m *NodeFeatures) Reset() { *m = NodeFeatures{} }
 
-var xxx_messageInfo_ReplicationControllerStatus proto.InternalMessageInfo
+func (m *NodeList) Reset() { *m = NodeList{} }
 
-func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
-func (*ResourceClaim) ProtoMessage() {}
-func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{180}
-}
-func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaim.Merge(m, src)
-}
-func (m *ResourceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaim.DiscardUnknown(m)
-}
+func (m *NodeProxyOptions) Reset() { *m = NodeProxyOptions{} }
 
-var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
+func (m *NodeRuntimeHandler) Reset() { *m = NodeRuntimeHandler{} }
 
-func (m *ResourceFieldSelector) Reset()      { *m = ResourceFieldSelector{} }
-func (*ResourceFieldSelector) ProtoMessage() {}
-func (*ResourceFieldSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{181}
-}
-func (m *ResourceFieldSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceFieldSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceFieldSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceFieldSelector.Merge(m, src)
-}
-func (m *ResourceFieldSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceFieldSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceFieldSelector.DiscardUnknown(m)
-}
+func (m *NodeRuntimeHandlerFeatures) Reset() { *m = NodeRuntimeHandlerFeatures{} }
 
-var xxx_messageInfo_ResourceFieldSelector proto.InternalMessageInfo
+func (m *NodeSelector) Reset() { *m = NodeSelector{} }
 
-func (m *ResourceHealth) Reset()      { *m = ResourceHealth{} }
-func (*ResourceHealth) ProtoMessage() {}
-func (*ResourceHealth) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{182}
-}
-func (m *ResourceHealth) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceHealth) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceHealth) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceHealth.Merge(m, src)
-}
-func (m *ResourceHealth) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceHealth) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceHealth.DiscardUnknown(m)
-}
+func (m *NodeSelectorRequirement) Reset() { *m = NodeSelectorRequirement{} }
 
-var xxx_messageInfo_ResourceHealth proto.InternalMessageInfo
+func (m *NodeSelectorTerm) Reset() { *m = NodeSelectorTerm{} }
 
-func (m *ResourceQuota) Reset()      { *m = ResourceQuota{} }
-func (*ResourceQuota) ProtoMessage() {}
-func (*ResourceQuota) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{183}
-}
-func (m *ResourceQuota) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceQuota) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceQuota) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceQuota.Merge(m, src)
-}
-func (m *ResourceQuota) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceQuota) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceQuota.DiscardUnknown(m)
-}
+func (m *NodeSpec) Reset() { *m = NodeSpec{} }
 
-var xxx_messageInfo_ResourceQuota proto.InternalMessageInfo
+func (m *NodeStatus) Reset() { *m = NodeStatus{} }
 
-func (m *ResourceQuotaList) Reset()      { *m = ResourceQuotaList{} }
-func (*ResourceQuotaList) ProtoMessage() {}
-func (*ResourceQuotaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{184}
-}
-func (m *ResourceQuotaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceQuotaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceQuotaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceQuotaList.Merge(m, src)
-}
-func (m *ResourceQuotaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceQuotaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceQuotaList.DiscardUnknown(m)
-}
+func (m *NodeSwapStatus) Reset() { *m = NodeSwapStatus{} }
 
-var xxx_messageInfo_ResourceQuotaList proto.InternalMessageInfo
+func (m *NodeSystemInfo) Reset() { *m = NodeSystemInfo{} }
 
-func (m *ResourceQuotaSpec) Reset()      { *m = ResourceQuotaSpec{} }
-func (*ResourceQuotaSpec) ProtoMessage() {}
-func (*ResourceQuotaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{185}
-}
-func (m *ResourceQuotaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceQuotaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceQuotaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceQuotaSpec.Merge(m, src)
-}
-func (m *ResourceQuotaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceQuotaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceQuotaSpec.DiscardUnknown(m)
-}
+func (m *ObjectFieldSelector) Reset() { *m = ObjectFieldSelector{} }
 
-var xxx_messageInfo_ResourceQuotaSpec proto.InternalMessageInfo
+func (m *ObjectReference) Reset() { *m = ObjectReference{} }
 
-func (m *ResourceQuotaStatus) Reset()      { *m = ResourceQuotaStatus{} }
-func (*ResourceQuotaStatus) ProtoMessage() {}
-func (*ResourceQuotaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{186}
-}
-func (m *ResourceQuotaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceQuotaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceQuotaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceQuotaStatus.Merge(m, src)
-}
-func (m *ResourceQuotaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceQuotaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceQuotaStatus.DiscardUnknown(m)
-}
+func (m *PersistentVolume) Reset() { *m = PersistentVolume{} }
 
-var xxx_messageInfo_ResourceQuotaStatus proto.InternalMessageInfo
+func (m *PersistentVolumeClaim) Reset() { *m = PersistentVolumeClaim{} }
 
-func (m *ResourceRequirements) Reset()      { *m = ResourceRequirements{} }
-func (*ResourceRequirements) ProtoMessage() {}
-func (*ResourceRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{187}
-}
-func (m *ResourceRequirements) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceRequirements) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceRequirements) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceRequirements.Merge(m, src)
-}
-func (m *ResourceRequirements) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceRequirements) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceRequirements.DiscardUnknown(m)
-}
+func (m *PersistentVolumeClaimCondition) Reset() { *m = PersistentVolumeClaimCondition{} }
 
-var xxx_messageInfo_ResourceRequirements proto.InternalMessageInfo
+func (m *PersistentVolumeClaimList) Reset() { *m = PersistentVolumeClaimList{} }
 
-func (m *ResourceStatus) Reset()      { *m = ResourceStatus{} }
-func (*ResourceStatus) ProtoMessage() {}
-func (*ResourceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{188}
-}
-func (m *ResourceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceStatus.Merge(m, src)
-}
-func (m *ResourceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceStatus.DiscardUnknown(m)
-}
+func (m *PersistentVolumeClaimSpec) Reset() { *m = PersistentVolumeClaimSpec{} }
 
-var xxx_messageInfo_ResourceStatus proto.InternalMessageInfo
+func (m *PersistentVolumeClaimStatus) Reset() { *m = PersistentVolumeClaimStatus{} }
 
-func (m *SELinuxOptions) Reset()      { *m = SELinuxOptions{} }
-func (*SELinuxOptions) ProtoMessage() {}
-func (*SELinuxOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{189}
-}
-func (m *SELinuxOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SELinuxOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SELinuxOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SELinuxOptions.Merge(m, src)
-}
-func (m *SELinuxOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *SELinuxOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_SELinuxOptions.DiscardUnknown(m)
-}
+func (m *PersistentVolumeClaimTemplate) Reset() { *m = PersistentVolumeClaimTemplate{} }
 
-var xxx_messageInfo_SELinuxOptions proto.InternalMessageInfo
+func (m *PersistentVolumeClaimVolumeSource) Reset() { *m = PersistentVolumeClaimVolumeSource{} }
 
-func (m *ScaleIOPersistentVolumeSource) Reset()      { *m = ScaleIOPersistentVolumeSource{} }
-func (*ScaleIOPersistentVolumeSource) ProtoMessage() {}
-func (*ScaleIOPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{190}
-}
-func (m *ScaleIOPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleIOPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleIOPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleIOPersistentVolumeSource.Merge(m, src)
-}
-func (m *ScaleIOPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleIOPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleIOPersistentVolumeSource.DiscardUnknown(m)
-}
+func (m *PersistentVolumeList) Reset() { *m = PersistentVolumeList{} }
 
-var xxx_messageInfo_ScaleIOPersistentVolumeSource proto.InternalMessageInfo
+func (m *PersistentVolumeSource) Reset() { *m = PersistentVolumeSource{} }
 
-func (m *ScaleIOVolumeSource) Reset()      { *m = ScaleIOVolumeSource{} }
-func (*ScaleIOVolumeSource) ProtoMessage() {}
-func (*ScaleIOVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{191}
-}
-func (m *ScaleIOVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleIOVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleIOVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleIOVolumeSource.Merge(m, src)
-}
-func (m *ScaleIOVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleIOVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleIOVolumeSource.DiscardUnknown(m)
-}
+func (m *PersistentVolumeSpec) Reset() { *m = PersistentVolumeSpec{} }
+
+func (m *PersistentVolumeStatus) Reset() { *m = PersistentVolumeStatus{} }
+
+func (m *PhotonPersistentDiskVolumeSource) Reset() { *m = PhotonPersistentDiskVolumeSource{} }
+
+func (m *Pod) Reset() { *m = Pod{} }
+
+func (m *PodAffinity) Reset() { *m = PodAffinity{} }
+
+func (m *PodAffinityTerm) Reset() { *m = PodAffinityTerm{} }
+
+func (m *PodAntiAffinity) Reset() { *m = PodAntiAffinity{} }
+
+func (m *PodAttachOptions) Reset() { *m = PodAttachOptions{} }
+
+func (m *PodCertificateProjection) Reset() { *m = PodCertificateProjection{} }
 
-var xxx_messageInfo_ScaleIOVolumeSource proto.InternalMessageInfo
+func (m *PodCondition) Reset() { *m = PodCondition{} }
 
-func (m *ScopeSelector) Reset()      { *m = ScopeSelector{} }
-func (*ScopeSelector) ProtoMessage() {}
-func (*ScopeSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{192}
-}
-func (m *ScopeSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScopeSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScopeSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScopeSelector.Merge(m, src)
-}
-func (m *ScopeSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScopeSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScopeSelector.DiscardUnknown(m)
-}
+func (m *PodDNSConfig) Reset() { *m = PodDNSConfig{} }
 
-var xxx_messageInfo_ScopeSelector proto.InternalMessageInfo
+func (m *PodDNSConfigOption) Reset() { *m = PodDNSConfigOption{} }
 
-func (m *ScopedResourceSelectorRequirement) Reset()      { *m = ScopedResourceSelectorRequirement{} }
-func (*ScopedResourceSelectorRequirement) ProtoMessage() {}
-func (*ScopedResourceSelectorRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{193}
-}
-func (m *ScopedResourceSelectorRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScopedResourceSelectorRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScopedResourceSelectorRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScopedResourceSelectorRequirement.Merge(m, src)
-}
-func (m *ScopedResourceSelectorRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScopedResourceSelectorRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScopedResourceSelectorRequirement.DiscardUnknown(m)
-}
+func (m *PodExecOptions) Reset() { *m = PodExecOptions{} }
 
-var xxx_messageInfo_ScopedResourceSelectorRequirement proto.InternalMessageInfo
+func (m *PodExtendedResourceClaimStatus) Reset() { *m = PodExtendedResourceClaimStatus{} }
 
-func (m *SeccompProfile) Reset()      { *m = SeccompProfile{} }
-func (*SeccompProfile) ProtoMessage() {}
-func (*SeccompProfile) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{194}
-}
-func (m *SeccompProfile) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SeccompProfile) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SeccompProfile) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SeccompProfile.Merge(m, src)
-}
-func (m *SeccompProfile) XXX_Size() int {
-	return m.Size()
-}
-func (m *SeccompProfile) XXX_DiscardUnknown() {
-	xxx_messageInfo_SeccompProfile.DiscardUnknown(m)
-}
+func (m *PodIP) Reset() { *m = PodIP{} }
 
-var xxx_messageInfo_SeccompProfile proto.InternalMessageInfo
+func (m *PodList) Reset() { *m = PodList{} }
 
-func (m *Secret) Reset()      { *m = Secret{} }
-func (*Secret) ProtoMessage() {}
-func (*Secret) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{195}
-}
-func (m *Secret) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Secret) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Secret) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Secret.Merge(m, src)
-}
-func (m *Secret) XXX_Size() int {
-	return m.Size()
-}
-func (m *Secret) XXX_DiscardUnknown() {
-	xxx_messageInfo_Secret.DiscardUnknown(m)
-}
+func (m *PodLogOptions) Reset() { *m = PodLogOptions{} }
 
-var xxx_messageInfo_Secret proto.InternalMessageInfo
+func (m *PodOS) Reset() { *m = PodOS{} }
 
-func (m *SecretEnvSource) Reset()      { *m = SecretEnvSource{} }
-func (*SecretEnvSource) ProtoMessage() {}
-func (*SecretEnvSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{196}
-}
-func (m *SecretEnvSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretEnvSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretEnvSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretEnvSource.Merge(m, src)
-}
-func (m *SecretEnvSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretEnvSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretEnvSource.DiscardUnknown(m)
-}
+func (m *PodPortForwardOptions) Reset() { *m = PodPortForwardOptions{} }
 
-var xxx_messageInfo_SecretEnvSource proto.InternalMessageInfo
+func (m *PodProxyOptions) Reset() { *m = PodProxyOptions{} }
 
-func (m *SecretKeySelector) Reset()      { *m = SecretKeySelector{} }
-func (*SecretKeySelector) ProtoMessage() {}
-func (*SecretKeySelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{197}
-}
-func (m *SecretKeySelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretKeySelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretKeySelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretKeySelector.Merge(m, src)
-}
-func (m *SecretKeySelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretKeySelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretKeySelector.DiscardUnknown(m)
-}
+func (m *PodReadinessGate) Reset() { *m = PodReadinessGate{} }
 
-var xxx_messageInfo_SecretKeySelector proto.InternalMessageInfo
+func (m *PodResourceClaim) Reset() { *m = PodResourceClaim{} }
 
-func (m *SecretList) Reset()      { *m = SecretList{} }
-func (*SecretList) ProtoMessage() {}
-func (*SecretList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{198}
-}
-func (m *SecretList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretList.Merge(m, src)
-}
-func (m *SecretList) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretList) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretList.DiscardUnknown(m)
-}
+func (m *PodResourceClaimStatus) Reset() { *m = PodResourceClaimStatus{} }
 
-var xxx_messageInfo_SecretList proto.InternalMessageInfo
+func (m *PodSchedulingGate) Reset() { *m = PodSchedulingGate{} }
 
-func (m *SecretProjection) Reset()      { *m = SecretProjection{} }
-func (*SecretProjection) ProtoMessage() {}
-func (*SecretProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{199}
-}
-func (m *SecretProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretProjection.Merge(m, src)
-}
-func (m *SecretProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretProjection.DiscardUnknown(m)
-}
+func (m *PodSecurityContext) Reset() { *m = PodSecurityContext{} }
 
-var xxx_messageInfo_SecretProjection proto.InternalMessageInfo
+func (m *PodSignature) Reset() { *m = PodSignature{} }
 
-func (m *SecretReference) Reset()      { *m = SecretReference{} }
-func (*SecretReference) ProtoMessage() {}
-func (*SecretReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{200}
-}
-func (m *SecretReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretReference.Merge(m, src)
-}
-func (m *SecretReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretReference.DiscardUnknown(m)
-}
+func (m *PodSpec) Reset() { *m = PodSpec{} }
 
-var xxx_messageInfo_SecretReference proto.InternalMessageInfo
+func (m *PodStatus) Reset() { *m = PodStatus{} }
 
-func (m *SecretVolumeSource) Reset()      { *m = SecretVolumeSource{} }
-func (*SecretVolumeSource) ProtoMessage() {}
-func (*SecretVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{201}
-}
-func (m *SecretVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretVolumeSource.Merge(m, src)
-}
-func (m *SecretVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretVolumeSource.DiscardUnknown(m)
-}
+func (m *PodStatusResult) Reset() { *m = PodStatusResult{} }
 
-var xxx_messageInfo_SecretVolumeSource proto.InternalMessageInfo
+func (m *PodTemplate) Reset() { *m = PodTemplate{} }
 
-func (m *SecurityContext) Reset()      { *m = SecurityContext{} }
-func (*SecurityContext) ProtoMessage() {}
-func (*SecurityContext) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{202}
-}
-func (m *SecurityContext) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecurityContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecurityContext) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecurityContext.Merge(m, src)
-}
-func (m *SecurityContext) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecurityContext) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecurityContext.DiscardUnknown(m)
-}
+func (m *PodTemplateList) Reset() { *m = PodTemplateList{} }
 
-var xxx_messageInfo_SecurityContext proto.InternalMessageInfo
+func (m *PodTemplateSpec) Reset() { *m = PodTemplateSpec{} }
 
-func (m *SerializedReference) Reset()      { *m = SerializedReference{} }
-func (*SerializedReference) ProtoMessage() {}
-func (*SerializedReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{203}
-}
-func (m *SerializedReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SerializedReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SerializedReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SerializedReference.Merge(m, src)
-}
-func (m *SerializedReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *SerializedReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_SerializedReference.DiscardUnknown(m)
-}
+func (m *PortStatus) Reset() { *m = PortStatus{} }
 
-var xxx_messageInfo_SerializedReference proto.InternalMessageInfo
+func (m *PortworxVolumeSource) Reset() { *m = PortworxVolumeSource{} }
 
-func (m *Service) Reset()      { *m = Service{} }
-func (*Service) ProtoMessage() {}
-func (*Service) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{204}
-}
-func (m *Service) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Service) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Service) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Service.Merge(m, src)
-}
-func (m *Service) XXX_Size() int {
-	return m.Size()
-}
-func (m *Service) XXX_DiscardUnknown() {
-	xxx_messageInfo_Service.DiscardUnknown(m)
-}
+func (m *Preconditions) Reset() { *m = Preconditions{} }
 
-var xxx_messageInfo_Service proto.InternalMessageInfo
+func (m *PreferAvoidPodsEntry) Reset() { *m = PreferAvoidPodsEntry{} }
 
-func (m *ServiceAccount) Reset()      { *m = ServiceAccount{} }
-func (*ServiceAccount) ProtoMessage() {}
-func (*ServiceAccount) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{205}
-}
-func (m *ServiceAccount) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccount) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccount) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccount.Merge(m, src)
-}
-func (m *ServiceAccount) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccount) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccount.DiscardUnknown(m)
-}
+func (m *PreferredSchedulingTerm) Reset() { *m = PreferredSchedulingTerm{} }
 
-var xxx_messageInfo_ServiceAccount proto.InternalMessageInfo
+func (m *Probe) Reset() { *m = Probe{} }
 
-func (m *ServiceAccountList) Reset()      { *m = ServiceAccountList{} }
-func (*ServiceAccountList) ProtoMessage() {}
-func (*ServiceAccountList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{206}
-}
-func (m *ServiceAccountList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountList.Merge(m, src)
-}
-func (m *ServiceAccountList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountList.DiscardUnknown(m)
-}
+func (m *ProbeHandler) Reset() { *m = ProbeHandler{} }
 
-var xxx_messageInfo_ServiceAccountList proto.InternalMessageInfo
+func (m *ProjectedVolumeSource) Reset() { *m = ProjectedVolumeSource{} }
 
-func (m *ServiceAccountTokenProjection) Reset()      { *m = ServiceAccountTokenProjection{} }
-func (*ServiceAccountTokenProjection) ProtoMessage() {}
-func (*ServiceAccountTokenProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{207}
-}
-func (m *ServiceAccountTokenProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountTokenProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountTokenProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountTokenProjection.Merge(m, src)
-}
-func (m *ServiceAccountTokenProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountTokenProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountTokenProjection.DiscardUnknown(m)
-}
+func (m *QuobyteVolumeSource) Reset() { *m = QuobyteVolumeSource{} }
 
-var xxx_messageInfo_ServiceAccountTokenProjection proto.InternalMessageInfo
+func (m *RBDPersistentVolumeSource) Reset() { *m = RBDPersistentVolumeSource{} }
 
-func (m *ServiceList) Reset()      { *m = ServiceList{} }
-func (*ServiceList) ProtoMessage() {}
-func (*ServiceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{208}
-}
-func (m *ServiceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceList.Merge(m, src)
-}
-func (m *ServiceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceList.DiscardUnknown(m)
-}
+func (m *RBDVolumeSource) Reset() { *m = RBDVolumeSource{} }
 
-var xxx_messageInfo_ServiceList proto.InternalMessageInfo
+func (m *RangeAllocation) Reset() { *m = RangeAllocation{} }
 
-func (m *ServicePort) Reset()      { *m = ServicePort{} }
-func (*ServicePort) ProtoMessage() {}
-func (*ServicePort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{209}
-}
-func (m *ServicePort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServicePort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServicePort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServicePort.Merge(m, src)
-}
-func (m *ServicePort) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServicePort) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServicePort.DiscardUnknown(m)
-}
+func (m *ReplicationController) Reset() { *m = ReplicationController{} }
 
-var xxx_messageInfo_ServicePort proto.InternalMessageInfo
+func (m *ReplicationControllerCondition) Reset() { *m = ReplicationControllerCondition{} }
 
-func (m *ServiceProxyOptions) Reset()      { *m = ServiceProxyOptions{} }
-func (*ServiceProxyOptions) ProtoMessage() {}
-func (*ServiceProxyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{210}
-}
-func (m *ServiceProxyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceProxyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceProxyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceProxyOptions.Merge(m, src)
-}
-func (m *ServiceProxyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceProxyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceProxyOptions.DiscardUnknown(m)
-}
+func (m *ReplicationControllerList) Reset() { *m = ReplicationControllerList{} }
 
-var xxx_messageInfo_ServiceProxyOptions proto.InternalMessageInfo
+func (m *ReplicationControllerSpec) Reset() { *m = ReplicationControllerSpec{} }
 
-func (m *ServiceSpec) Reset()      { *m = ServiceSpec{} }
-func (*ServiceSpec) ProtoMessage() {}
-func (*ServiceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{211}
-}
-func (m *ServiceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceSpec.Merge(m, src)
-}
-func (m *ServiceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceSpec.DiscardUnknown(m)
-}
+func (m *ReplicationControllerStatus) Reset() { *m = ReplicationControllerStatus{} }
 
-var xxx_messageInfo_ServiceSpec proto.InternalMessageInfo
+func (m *ResourceClaim) Reset() { *m = ResourceClaim{} }
 
-func (m *ServiceStatus) Reset()      { *m = ServiceStatus{} }
-func (*ServiceStatus) ProtoMessage() {}
-func (*ServiceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{212}
-}
-func (m *ServiceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceStatus.Merge(m, src)
-}
-func (m *ServiceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceStatus.DiscardUnknown(m)
-}
+func (m *ResourceFieldSelector) Reset() { *m = ResourceFieldSelector{} }
 
-var xxx_messageInfo_ServiceStatus proto.InternalMessageInfo
+func (m *ResourceHealth) Reset() { *m = ResourceHealth{} }
 
-func (m *SessionAffinityConfig) Reset()      { *m = SessionAffinityConfig{} }
-func (*SessionAffinityConfig) ProtoMessage() {}
-func (*SessionAffinityConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{213}
-}
-func (m *SessionAffinityConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SessionAffinityConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SessionAffinityConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SessionAffinityConfig.Merge(m, src)
-}
-func (m *SessionAffinityConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *SessionAffinityConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_SessionAffinityConfig.DiscardUnknown(m)
-}
+func (m *ResourceQuota) Reset() { *m = ResourceQuota{} }
 
-var xxx_messageInfo_SessionAffinityConfig proto.InternalMessageInfo
+func (m *ResourceQuotaList) Reset() { *m = ResourceQuotaList{} }
 
-func (m *SleepAction) Reset()      { *m = SleepAction{} }
-func (*SleepAction) ProtoMessage() {}
-func (*SleepAction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{214}
-}
-func (m *SleepAction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SleepAction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SleepAction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SleepAction.Merge(m, src)
-}
-func (m *SleepAction) XXX_Size() int {
-	return m.Size()
-}
-func (m *SleepAction) XXX_DiscardUnknown() {
-	xxx_messageInfo_SleepAction.DiscardUnknown(m)
-}
+func (m *ResourceQuotaSpec) Reset() { *m = ResourceQuotaSpec{} }
 
-var xxx_messageInfo_SleepAction proto.InternalMessageInfo
+func (m *ResourceQuotaStatus) Reset() { *m = ResourceQuotaStatus{} }
 
-func (m *StorageOSPersistentVolumeSource) Reset()      { *m = StorageOSPersistentVolumeSource{} }
-func (*StorageOSPersistentVolumeSource) ProtoMessage() {}
-func (*StorageOSPersistentVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{215}
-}
-func (m *StorageOSPersistentVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageOSPersistentVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageOSPersistentVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageOSPersistentVolumeSource.Merge(m, src)
-}
-func (m *StorageOSPersistentVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageOSPersistentVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageOSPersistentVolumeSource.DiscardUnknown(m)
-}
+func (m *ResourceRequirements) Reset() { *m = ResourceRequirements{} }
 
-var xxx_messageInfo_StorageOSPersistentVolumeSource proto.InternalMessageInfo
+func (m *ResourceStatus) Reset() { *m = ResourceStatus{} }
 
-func (m *StorageOSVolumeSource) Reset()      { *m = StorageOSVolumeSource{} }
-func (*StorageOSVolumeSource) ProtoMessage() {}
-func (*StorageOSVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{216}
-}
-func (m *StorageOSVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageOSVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageOSVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageOSVolumeSource.Merge(m, src)
-}
-func (m *StorageOSVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageOSVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageOSVolumeSource.DiscardUnknown(m)
-}
+func (m *SELinuxOptions) Reset() { *m = SELinuxOptions{} }
 
-var xxx_messageInfo_StorageOSVolumeSource proto.InternalMessageInfo
+func (m *ScaleIOPersistentVolumeSource) Reset() { *m = ScaleIOPersistentVolumeSource{} }
 
-func (m *Sysctl) Reset()      { *m = Sysctl{} }
-func (*Sysctl) ProtoMessage() {}
-func (*Sysctl) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{217}
-}
-func (m *Sysctl) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Sysctl) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Sysctl) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Sysctl.Merge(m, src)
-}
-func (m *Sysctl) XXX_Size() int {
-	return m.Size()
-}
-func (m *Sysctl) XXX_DiscardUnknown() {
-	xxx_messageInfo_Sysctl.DiscardUnknown(m)
-}
+func (m *ScaleIOVolumeSource) Reset() { *m = ScaleIOVolumeSource{} }
 
-var xxx_messageInfo_Sysctl proto.InternalMessageInfo
+func (m *ScopeSelector) Reset() { *m = ScopeSelector{} }
 
-func (m *TCPSocketAction) Reset()      { *m = TCPSocketAction{} }
-func (*TCPSocketAction) ProtoMessage() {}
-func (*TCPSocketAction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{218}
-}
-func (m *TCPSocketAction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TCPSocketAction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TCPSocketAction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TCPSocketAction.Merge(m, src)
-}
-func (m *TCPSocketAction) XXX_Size() int {
-	return m.Size()
-}
-func (m *TCPSocketAction) XXX_DiscardUnknown() {
-	xxx_messageInfo_TCPSocketAction.DiscardUnknown(m)
-}
+func (m *ScopedResourceSelectorRequirement) Reset() { *m = ScopedResourceSelectorRequirement{} }
 
-var xxx_messageInfo_TCPSocketAction proto.InternalMessageInfo
+func (m *SeccompProfile) Reset() { *m = SeccompProfile{} }
 
-func (m *Taint) Reset()      { *m = Taint{} }
-func (*Taint) ProtoMessage() {}
-func (*Taint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{219}
-}
-func (m *Taint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Taint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Taint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Taint.Merge(m, src)
-}
-func (m *Taint) XXX_Size() int {
-	return m.Size()
-}
-func (m *Taint) XXX_DiscardUnknown() {
-	xxx_messageInfo_Taint.DiscardUnknown(m)
-}
+func (m *Secret) Reset() { *m = Secret{} }
 
-var xxx_messageInfo_Taint proto.InternalMessageInfo
+func (m *SecretEnvSource) Reset() { *m = SecretEnvSource{} }
 
-func (m *Toleration) Reset()      { *m = Toleration{} }
-func (*Toleration) ProtoMessage() {}
-func (*Toleration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{220}
-}
-func (m *Toleration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Toleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Toleration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Toleration.Merge(m, src)
-}
-func (m *Toleration) XXX_Size() int {
-	return m.Size()
-}
-func (m *Toleration) XXX_DiscardUnknown() {
-	xxx_messageInfo_Toleration.DiscardUnknown(m)
-}
+func (m *SecretKeySelector) Reset() { *m = SecretKeySelector{} }
 
-var xxx_messageInfo_Toleration proto.InternalMessageInfo
+func (m *SecretList) Reset() { *m = SecretList{} }
 
-func (m *TopologySelectorLabelRequirement) Reset()      { *m = TopologySelectorLabelRequirement{} }
-func (*TopologySelectorLabelRequirement) ProtoMessage() {}
-func (*TopologySelectorLabelRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{221}
-}
-func (m *TopologySelectorLabelRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TopologySelectorLabelRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TopologySelectorLabelRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TopologySelectorLabelRequirement.Merge(m, src)
-}
-func (m *TopologySelectorLabelRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *TopologySelectorLabelRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_TopologySelectorLabelRequirement.DiscardUnknown(m)
-}
+func (m *SecretProjection) Reset() { *m = SecretProjection{} }
 
-var xxx_messageInfo_TopologySelectorLabelRequirement proto.InternalMessageInfo
+func (m *SecretReference) Reset() { *m = SecretReference{} }
 
-func (m *TopologySelectorTerm) Reset()      { *m = TopologySelectorTerm{} }
-func (*TopologySelectorTerm) ProtoMessage() {}
-func (*TopologySelectorTerm) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{222}
-}
-func (m *TopologySelectorTerm) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TopologySelectorTerm) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TopologySelectorTerm) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TopologySelectorTerm.Merge(m, src)
-}
-func (m *TopologySelectorTerm) XXX_Size() int {
-	return m.Size()
-}
-func (m *TopologySelectorTerm) XXX_DiscardUnknown() {
-	xxx_messageInfo_TopologySelectorTerm.DiscardUnknown(m)
-}
+func (m *SecretVolumeSource) Reset() { *m = SecretVolumeSource{} }
 
-var xxx_messageInfo_TopologySelectorTerm proto.InternalMessageInfo
+func (m *SecurityContext) Reset() { *m = SecurityContext{} }
 
-func (m *TopologySpreadConstraint) Reset()      { *m = TopologySpreadConstraint{} }
-func (*TopologySpreadConstraint) ProtoMessage() {}
-func (*TopologySpreadConstraint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{223}
-}
-func (m *TopologySpreadConstraint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TopologySpreadConstraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TopologySpreadConstraint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TopologySpreadConstraint.Merge(m, src)
-}
-func (m *TopologySpreadConstraint) XXX_Size() int {
-	return m.Size()
-}
-func (m *TopologySpreadConstraint) XXX_DiscardUnknown() {
-	xxx_messageInfo_TopologySpreadConstraint.DiscardUnknown(m)
-}
+func (m *SerializedReference) Reset() { *m = SerializedReference{} }
 
-var xxx_messageInfo_TopologySpreadConstraint proto.InternalMessageInfo
+func (m *Service) Reset() { *m = Service{} }
 
-func (m *TypedLocalObjectReference) Reset()      { *m = TypedLocalObjectReference{} }
-func (*TypedLocalObjectReference) ProtoMessage() {}
-func (*TypedLocalObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{224}
-}
-func (m *TypedLocalObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypedLocalObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypedLocalObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypedLocalObjectReference.Merge(m, src)
-}
-func (m *TypedLocalObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypedLocalObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypedLocalObjectReference.DiscardUnknown(m)
-}
+func (m *ServiceAccount) Reset() { *m = ServiceAccount{} }
 
-var xxx_messageInfo_TypedLocalObjectReference proto.InternalMessageInfo
+func (m *ServiceAccountList) Reset() { *m = ServiceAccountList{} }
 
-func (m *TypedObjectReference) Reset()      { *m = TypedObjectReference{} }
-func (*TypedObjectReference) ProtoMessage() {}
-func (*TypedObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{225}
-}
-func (m *TypedObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypedObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypedObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypedObjectReference.Merge(m, src)
-}
-func (m *TypedObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypedObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypedObjectReference.DiscardUnknown(m)
-}
+func (m *ServiceAccountTokenProjection) Reset() { *m = ServiceAccountTokenProjection{} }
 
-var xxx_messageInfo_TypedObjectReference proto.InternalMessageInfo
+func (m *ServiceList) Reset() { *m = ServiceList{} }
 
-func (m *Volume) Reset()      { *m = Volume{} }
-func (*Volume) ProtoMessage() {}
-func (*Volume) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{226}
-}
-func (m *Volume) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Volume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Volume) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Volume.Merge(m, src)
-}
-func (m *Volume) XXX_Size() int {
-	return m.Size()
-}
-func (m *Volume) XXX_DiscardUnknown() {
-	xxx_messageInfo_Volume.DiscardUnknown(m)
-}
+func (m *ServicePort) Reset() { *m = ServicePort{} }
 
-var xxx_messageInfo_Volume proto.InternalMessageInfo
+func (m *ServiceProxyOptions) Reset() { *m = ServiceProxyOptions{} }
 
-func (m *VolumeDevice) Reset()      { *m = VolumeDevice{} }
-func (*VolumeDevice) ProtoMessage() {}
-func (*VolumeDevice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{227}
-}
-func (m *VolumeDevice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeDevice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeDevice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeDevice.Merge(m, src)
-}
-func (m *VolumeDevice) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeDevice) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeDevice.DiscardUnknown(m)
-}
+func (m *ServiceSpec) Reset() { *m = ServiceSpec{} }
 
-var xxx_messageInfo_VolumeDevice proto.InternalMessageInfo
+func (m *ServiceStatus) Reset() { *m = ServiceStatus{} }
 
-func (m *VolumeMount) Reset()      { *m = VolumeMount{} }
-func (*VolumeMount) ProtoMessage() {}
-func (*VolumeMount) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{228}
-}
-func (m *VolumeMount) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeMount) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeMount) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeMount.Merge(m, src)
-}
-func (m *VolumeMount) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeMount) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeMount.DiscardUnknown(m)
-}
+func (m *SessionAffinityConfig) Reset() { *m = SessionAffinityConfig{} }
 
-var xxx_messageInfo_VolumeMount proto.InternalMessageInfo
+func (m *SleepAction) Reset() { *m = SleepAction{} }
 
-func (m *VolumeMountStatus) Reset()      { *m = VolumeMountStatus{} }
-func (*VolumeMountStatus) ProtoMessage() {}
-func (*VolumeMountStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{229}
-}
-func (m *VolumeMountStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeMountStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeMountStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeMountStatus.Merge(m, src)
-}
-func (m *VolumeMountStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeMountStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeMountStatus.DiscardUnknown(m)
-}
+func (m *StorageOSPersistentVolumeSource) Reset() { *m = StorageOSPersistentVolumeSource{} }
 
-var xxx_messageInfo_VolumeMountStatus proto.InternalMessageInfo
+func (m *StorageOSVolumeSource) Reset() { *m = StorageOSVolumeSource{} }
 
-func (m *VolumeNodeAffinity) Reset()      { *m = VolumeNodeAffinity{} }
-func (*VolumeNodeAffinity) ProtoMessage() {}
-func (*VolumeNodeAffinity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{230}
-}
-func (m *VolumeNodeAffinity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeNodeAffinity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeNodeAffinity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeNodeAffinity.Merge(m, src)
-}
-func (m *VolumeNodeAffinity) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeNodeAffinity) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeNodeAffinity.DiscardUnknown(m)
-}
+func (m *Sysctl) Reset() { *m = Sysctl{} }
 
-var xxx_messageInfo_VolumeNodeAffinity proto.InternalMessageInfo
+func (m *TCPSocketAction) Reset() { *m = TCPSocketAction{} }
 
-func (m *VolumeProjection) Reset()      { *m = VolumeProjection{} }
-func (*VolumeProjection) ProtoMessage() {}
-func (*VolumeProjection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{231}
-}
-func (m *VolumeProjection) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeProjection) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeProjection) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeProjection.Merge(m, src)
-}
-func (m *VolumeProjection) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeProjection) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeProjection.DiscardUnknown(m)
-}
+func (m *Taint) Reset() { *m = Taint{} }
 
-var xxx_messageInfo_VolumeProjection proto.InternalMessageInfo
+func (m *Toleration) Reset() { *m = Toleration{} }
 
-func (m *VolumeResourceRequirements) Reset()      { *m = VolumeResourceRequirements{} }
-func (*VolumeResourceRequirements) ProtoMessage() {}
-func (*VolumeResourceRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{232}
-}
-func (m *VolumeResourceRequirements) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeResourceRequirements) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeResourceRequirements) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeResourceRequirements.Merge(m, src)
-}
-func (m *VolumeResourceRequirements) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeResourceRequirements) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeResourceRequirements.DiscardUnknown(m)
-}
+func (m *TopologySelectorLabelRequirement) Reset() { *m = TopologySelectorLabelRequirement{} }
 
-var xxx_messageInfo_VolumeResourceRequirements proto.InternalMessageInfo
+func (m *TopologySelectorTerm) Reset() { *m = TopologySelectorTerm{} }
 
-func (m *VolumeSource) Reset()      { *m = VolumeSource{} }
-func (*VolumeSource) ProtoMessage() {}
-func (*VolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{233}
-}
-func (m *VolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeSource.Merge(m, src)
-}
-func (m *VolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeSource.DiscardUnknown(m)
-}
+func (m *TopologySpreadConstraint) Reset() { *m = TopologySpreadConstraint{} }
 
-var xxx_messageInfo_VolumeSource proto.InternalMessageInfo
+func (m *TypedLocalObjectReference) Reset() { *m = TypedLocalObjectReference{} }
 
-func (m *VsphereVirtualDiskVolumeSource) Reset()      { *m = VsphereVirtualDiskVolumeSource{} }
-func (*VsphereVirtualDiskVolumeSource) ProtoMessage() {}
-func (*VsphereVirtualDiskVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{234}
-}
-func (m *VsphereVirtualDiskVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VsphereVirtualDiskVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VsphereVirtualDiskVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VsphereVirtualDiskVolumeSource.Merge(m, src)
-}
-func (m *VsphereVirtualDiskVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *VsphereVirtualDiskVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_VsphereVirtualDiskVolumeSource.DiscardUnknown(m)
-}
+func (m *TypedObjectReference) Reset() { *m = TypedObjectReference{} }
 
-var xxx_messageInfo_VsphereVirtualDiskVolumeSource proto.InternalMessageInfo
+func (m *Volume) Reset() { *m = Volume{} }
 
-func (m *WeightedPodAffinityTerm) Reset()      { *m = WeightedPodAffinityTerm{} }
-func (*WeightedPodAffinityTerm) ProtoMessage() {}
-func (*WeightedPodAffinityTerm) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{235}
-}
-func (m *WeightedPodAffinityTerm) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WeightedPodAffinityTerm) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WeightedPodAffinityTerm) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WeightedPodAffinityTerm.Merge(m, src)
-}
-func (m *WeightedPodAffinityTerm) XXX_Size() int {
-	return m.Size()
-}
-func (m *WeightedPodAffinityTerm) XXX_DiscardUnknown() {
-	xxx_messageInfo_WeightedPodAffinityTerm.DiscardUnknown(m)
-}
+func (m *VolumeDevice) Reset() { *m = VolumeDevice{} }
 
-var xxx_messageInfo_WeightedPodAffinityTerm proto.InternalMessageInfo
+func (m *VolumeMount) Reset() { *m = VolumeMount{} }
 
-func (m *WindowsSecurityContextOptions) Reset()      { *m = WindowsSecurityContextOptions{} }
-func (*WindowsSecurityContextOptions) ProtoMessage() {}
-func (*WindowsSecurityContextOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6c07b07c062484ab, []int{236}
-}
-func (m *WindowsSecurityContextOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WindowsSecurityContextOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WindowsSecurityContextOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WindowsSecurityContextOptions.Merge(m, src)
-}
-func (m *WindowsSecurityContextOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *WindowsSecurityContextOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_WindowsSecurityContextOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WindowsSecurityContextOptions proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AWSElasticBlockStoreVolumeSource)(nil), "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource")
-	proto.RegisterType((*Affinity)(nil), "k8s.io.api.core.v1.Affinity")
-	proto.RegisterType((*AppArmorProfile)(nil), "k8s.io.api.core.v1.AppArmorProfile")
-	proto.RegisterType((*AttachedVolume)(nil), "k8s.io.api.core.v1.AttachedVolume")
-	proto.RegisterType((*AvoidPods)(nil), "k8s.io.api.core.v1.AvoidPods")
-	proto.RegisterType((*AzureDiskVolumeSource)(nil), "k8s.io.api.core.v1.AzureDiskVolumeSource")
-	proto.RegisterType((*AzureFilePersistentVolumeSource)(nil), "k8s.io.api.core.v1.AzureFilePersistentVolumeSource")
-	proto.RegisterType((*AzureFileVolumeSource)(nil), "k8s.io.api.core.v1.AzureFileVolumeSource")
-	proto.RegisterType((*Binding)(nil), "k8s.io.api.core.v1.Binding")
-	proto.RegisterType((*CSIPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CSIPersistentVolumeSource")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.CSIPersistentVolumeSource.VolumeAttributesEntry")
-	proto.RegisterType((*CSIVolumeSource)(nil), "k8s.io.api.core.v1.CSIVolumeSource")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.CSIVolumeSource.VolumeAttributesEntry")
-	proto.RegisterType((*Capabilities)(nil), "k8s.io.api.core.v1.Capabilities")
-	proto.RegisterType((*CephFSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CephFSPersistentVolumeSource")
-	proto.RegisterType((*CephFSVolumeSource)(nil), "k8s.io.api.core.v1.CephFSVolumeSource")
-	proto.RegisterType((*CinderPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CinderPersistentVolumeSource")
-	proto.RegisterType((*CinderVolumeSource)(nil), "k8s.io.api.core.v1.CinderVolumeSource")
-	proto.RegisterType((*ClientIPConfig)(nil), "k8s.io.api.core.v1.ClientIPConfig")
-	proto.RegisterType((*ClusterTrustBundleProjection)(nil), "k8s.io.api.core.v1.ClusterTrustBundleProjection")
-	proto.RegisterType((*ComponentCondition)(nil), "k8s.io.api.core.v1.ComponentCondition")
-	proto.RegisterType((*ComponentStatus)(nil), "k8s.io.api.core.v1.ComponentStatus")
-	proto.RegisterType((*ComponentStatusList)(nil), "k8s.io.api.core.v1.ComponentStatusList")
-	proto.RegisterType((*ConfigMap)(nil), "k8s.io.api.core.v1.ConfigMap")
-	proto.RegisterMapType((map[string][]byte)(nil), "k8s.io.api.core.v1.ConfigMap.BinaryDataEntry")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.ConfigMap.DataEntry")
-	proto.RegisterType((*ConfigMapEnvSource)(nil), "k8s.io.api.core.v1.ConfigMapEnvSource")
-	proto.RegisterType((*ConfigMapKeySelector)(nil), "k8s.io.api.core.v1.ConfigMapKeySelector")
-	proto.RegisterType((*ConfigMapList)(nil), "k8s.io.api.core.v1.ConfigMapList")
-	proto.RegisterType((*ConfigMapNodeConfigSource)(nil), "k8s.io.api.core.v1.ConfigMapNodeConfigSource")
-	proto.RegisterType((*ConfigMapProjection)(nil), "k8s.io.api.core.v1.ConfigMapProjection")
-	proto.RegisterType((*ConfigMapVolumeSource)(nil), "k8s.io.api.core.v1.ConfigMapVolumeSource")
-	proto.RegisterType((*Container)(nil), "k8s.io.api.core.v1.Container")
-	proto.RegisterType((*ContainerExtendedResourceRequest)(nil), "k8s.io.api.core.v1.ContainerExtendedResourceRequest")
-	proto.RegisterType((*ContainerImage)(nil), "k8s.io.api.core.v1.ContainerImage")
-	proto.RegisterType((*ContainerPort)(nil), "k8s.io.api.core.v1.ContainerPort")
-	proto.RegisterType((*ContainerResizePolicy)(nil), "k8s.io.api.core.v1.ContainerResizePolicy")
-	proto.RegisterType((*ContainerRestartRule)(nil), "k8s.io.api.core.v1.ContainerRestartRule")
-	proto.RegisterType((*ContainerRestartRuleOnExitCodes)(nil), "k8s.io.api.core.v1.ContainerRestartRuleOnExitCodes")
-	proto.RegisterType((*ContainerState)(nil), "k8s.io.api.core.v1.ContainerState")
-	proto.RegisterType((*ContainerStateRunning)(nil), "k8s.io.api.core.v1.ContainerStateRunning")
-	proto.RegisterType((*ContainerStateTerminated)(nil), "k8s.io.api.core.v1.ContainerStateTerminated")
-	proto.RegisterType((*ContainerStateWaiting)(nil), "k8s.io.api.core.v1.ContainerStateWaiting")
-	proto.RegisterType((*ContainerStatus)(nil), "k8s.io.api.core.v1.ContainerStatus")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ContainerStatus.AllocatedResourcesEntry")
-	proto.RegisterType((*ContainerUser)(nil), "k8s.io.api.core.v1.ContainerUser")
-	proto.RegisterType((*DaemonEndpoint)(nil), "k8s.io.api.core.v1.DaemonEndpoint")
-	proto.RegisterType((*DownwardAPIProjection)(nil), "k8s.io.api.core.v1.DownwardAPIProjection")
-	proto.RegisterType((*DownwardAPIVolumeFile)(nil), "k8s.io.api.core.v1.DownwardAPIVolumeFile")
-	proto.RegisterType((*DownwardAPIVolumeSource)(nil), "k8s.io.api.core.v1.DownwardAPIVolumeSource")
-	proto.RegisterType((*EmptyDirVolumeSource)(nil), "k8s.io.api.core.v1.EmptyDirVolumeSource")
-	proto.RegisterType((*EndpointAddress)(nil), "k8s.io.api.core.v1.EndpointAddress")
-	proto.RegisterType((*EndpointPort)(nil), "k8s.io.api.core.v1.EndpointPort")
-	proto.RegisterType((*EndpointSubset)(nil), "k8s.io.api.core.v1.EndpointSubset")
-	proto.RegisterType((*Endpoints)(nil), "k8s.io.api.core.v1.Endpoints")
-	proto.RegisterType((*EndpointsList)(nil), "k8s.io.api.core.v1.EndpointsList")
-	proto.RegisterType((*EnvFromSource)(nil), "k8s.io.api.core.v1.EnvFromSource")
-	proto.RegisterType((*EnvVar)(nil), "k8s.io.api.core.v1.EnvVar")
-	proto.RegisterType((*EnvVarSource)(nil), "k8s.io.api.core.v1.EnvVarSource")
-	proto.RegisterType((*EphemeralContainer)(nil), "k8s.io.api.core.v1.EphemeralContainer")
-	proto.RegisterType((*EphemeralContainerCommon)(nil), "k8s.io.api.core.v1.EphemeralContainerCommon")
-	proto.RegisterType((*EphemeralVolumeSource)(nil), "k8s.io.api.core.v1.EphemeralVolumeSource")
-	proto.RegisterType((*Event)(nil), "k8s.io.api.core.v1.Event")
-	proto.RegisterType((*EventList)(nil), "k8s.io.api.core.v1.EventList")
-	proto.RegisterType((*EventSeries)(nil), "k8s.io.api.core.v1.EventSeries")
-	proto.RegisterType((*EventSource)(nil), "k8s.io.api.core.v1.EventSource")
-	proto.RegisterType((*ExecAction)(nil), "k8s.io.api.core.v1.ExecAction")
-	proto.RegisterType((*FCVolumeSource)(nil), "k8s.io.api.core.v1.FCVolumeSource")
-	proto.RegisterType((*FileKeySelector)(nil), "k8s.io.api.core.v1.FileKeySelector")
-	proto.RegisterType((*FlexPersistentVolumeSource)(nil), "k8s.io.api.core.v1.FlexPersistentVolumeSource")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.FlexPersistentVolumeSource.OptionsEntry")
-	proto.RegisterType((*FlexVolumeSource)(nil), "k8s.io.api.core.v1.FlexVolumeSource")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.FlexVolumeSource.OptionsEntry")
-	proto.RegisterType((*FlockerVolumeSource)(nil), "k8s.io.api.core.v1.FlockerVolumeSource")
-	proto.RegisterType((*GCEPersistentDiskVolumeSource)(nil), "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource")
-	proto.RegisterType((*GRPCAction)(nil), "k8s.io.api.core.v1.GRPCAction")
-	proto.RegisterType((*GitRepoVolumeSource)(nil), "k8s.io.api.core.v1.GitRepoVolumeSource")
-	proto.RegisterType((*GlusterfsPersistentVolumeSource)(nil), "k8s.io.api.core.v1.GlusterfsPersistentVolumeSource")
-	proto.RegisterType((*GlusterfsVolumeSource)(nil), "k8s.io.api.core.v1.GlusterfsVolumeSource")
-	proto.RegisterType((*HTTPGetAction)(nil), "k8s.io.api.core.v1.HTTPGetAction")
-	proto.RegisterType((*HTTPHeader)(nil), "k8s.io.api.core.v1.HTTPHeader")
-	proto.RegisterType((*HostAlias)(nil), "k8s.io.api.core.v1.HostAlias")
-	proto.RegisterType((*HostIP)(nil), "k8s.io.api.core.v1.HostIP")
-	proto.RegisterType((*HostPathVolumeSource)(nil), "k8s.io.api.core.v1.HostPathVolumeSource")
-	proto.RegisterType((*ISCSIPersistentVolumeSource)(nil), "k8s.io.api.core.v1.ISCSIPersistentVolumeSource")
-	proto.RegisterType((*ISCSIVolumeSource)(nil), "k8s.io.api.core.v1.ISCSIVolumeSource")
-	proto.RegisterType((*ImageVolumeSource)(nil), "k8s.io.api.core.v1.ImageVolumeSource")
-	proto.RegisterType((*KeyToPath)(nil), "k8s.io.api.core.v1.KeyToPath")
-	proto.RegisterType((*Lifecycle)(nil), "k8s.io.api.core.v1.Lifecycle")
-	proto.RegisterType((*LifecycleHandler)(nil), "k8s.io.api.core.v1.LifecycleHandler")
-	proto.RegisterType((*LimitRange)(nil), "k8s.io.api.core.v1.LimitRange")
-	proto.RegisterType((*LimitRangeItem)(nil), "k8s.io.api.core.v1.LimitRangeItem")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.LimitRangeItem.DefaultEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.LimitRangeItem.DefaultRequestEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.LimitRangeItem.MaxEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.LimitRangeItem.MaxLimitRequestRatioEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.LimitRangeItem.MinEntry")
-	proto.RegisterType((*LimitRangeList)(nil), "k8s.io.api.core.v1.LimitRangeList")
-	proto.RegisterType((*LimitRangeSpec)(nil), "k8s.io.api.core.v1.LimitRangeSpec")
-	proto.RegisterType((*LinuxContainerUser)(nil), "k8s.io.api.core.v1.LinuxContainerUser")
-	proto.RegisterType((*List)(nil), "k8s.io.api.core.v1.List")
-	proto.RegisterType((*LoadBalancerIngress)(nil), "k8s.io.api.core.v1.LoadBalancerIngress")
-	proto.RegisterType((*LoadBalancerStatus)(nil), "k8s.io.api.core.v1.LoadBalancerStatus")
-	proto.RegisterType((*LocalObjectReference)(nil), "k8s.io.api.core.v1.LocalObjectReference")
-	proto.RegisterType((*LocalVolumeSource)(nil), "k8s.io.api.core.v1.LocalVolumeSource")
-	proto.RegisterType((*ModifyVolumeStatus)(nil), "k8s.io.api.core.v1.ModifyVolumeStatus")
-	proto.RegisterType((*NFSVolumeSource)(nil), "k8s.io.api.core.v1.NFSVolumeSource")
-	proto.RegisterType((*Namespace)(nil), "k8s.io.api.core.v1.Namespace")
-	proto.RegisterType((*NamespaceCondition)(nil), "k8s.io.api.core.v1.NamespaceCondition")
-	proto.RegisterType((*NamespaceList)(nil), "k8s.io.api.core.v1.NamespaceList")
-	proto.RegisterType((*NamespaceSpec)(nil), "k8s.io.api.core.v1.NamespaceSpec")
-	proto.RegisterType((*NamespaceStatus)(nil), "k8s.io.api.core.v1.NamespaceStatus")
-	proto.RegisterType((*Node)(nil), "k8s.io.api.core.v1.Node")
-	proto.RegisterType((*NodeAddress)(nil), "k8s.io.api.core.v1.NodeAddress")
-	proto.RegisterType((*NodeAffinity)(nil), "k8s.io.api.core.v1.NodeAffinity")
-	proto.RegisterType((*NodeCondition)(nil), "k8s.io.api.core.v1.NodeCondition")
-	proto.RegisterType((*NodeConfigSource)(nil), "k8s.io.api.core.v1.NodeConfigSource")
-	proto.RegisterType((*NodeConfigStatus)(nil), "k8s.io.api.core.v1.NodeConfigStatus")
-	proto.RegisterType((*NodeDaemonEndpoints)(nil), "k8s.io.api.core.v1.NodeDaemonEndpoints")
-	proto.RegisterType((*NodeFeatures)(nil), "k8s.io.api.core.v1.NodeFeatures")
-	proto.RegisterType((*NodeList)(nil), "k8s.io.api.core.v1.NodeList")
-	proto.RegisterType((*NodeProxyOptions)(nil), "k8s.io.api.core.v1.NodeProxyOptions")
-	proto.RegisterType((*NodeRuntimeHandler)(nil), "k8s.io.api.core.v1.NodeRuntimeHandler")
-	proto.RegisterType((*NodeRuntimeHandlerFeatures)(nil), "k8s.io.api.core.v1.NodeRuntimeHandlerFeatures")
-	proto.RegisterType((*NodeSelector)(nil), "k8s.io.api.core.v1.NodeSelector")
-	proto.RegisterType((*NodeSelectorRequirement)(nil), "k8s.io.api.core.v1.NodeSelectorRequirement")
-	proto.RegisterType((*NodeSelectorTerm)(nil), "k8s.io.api.core.v1.NodeSelectorTerm")
-	proto.RegisterType((*NodeSpec)(nil), "k8s.io.api.core.v1.NodeSpec")
-	proto.RegisterType((*NodeStatus)(nil), "k8s.io.api.core.v1.NodeStatus")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.NodeStatus.AllocatableEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.NodeStatus.CapacityEntry")
-	proto.RegisterType((*NodeSwapStatus)(nil), "k8s.io.api.core.v1.NodeSwapStatus")
-	proto.RegisterType((*NodeSystemInfo)(nil), "k8s.io.api.core.v1.NodeSystemInfo")
-	proto.RegisterType((*ObjectFieldSelector)(nil), "k8s.io.api.core.v1.ObjectFieldSelector")
-	proto.RegisterType((*ObjectReference)(nil), "k8s.io.api.core.v1.ObjectReference")
-	proto.RegisterType((*PersistentVolume)(nil), "k8s.io.api.core.v1.PersistentVolume")
-	proto.RegisterType((*PersistentVolumeClaim)(nil), "k8s.io.api.core.v1.PersistentVolumeClaim")
-	proto.RegisterType((*PersistentVolumeClaimCondition)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimCondition")
-	proto.RegisterType((*PersistentVolumeClaimList)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimList")
-	proto.RegisterType((*PersistentVolumeClaimSpec)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimSpec")
-	proto.RegisterType((*PersistentVolumeClaimStatus)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimStatus")
-	proto.RegisterMapType((map[ResourceName]ClaimResourceStatus)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimStatus.AllocatedResourceStatusesEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimStatus.AllocatedResourcesEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimStatus.CapacityEntry")
-	proto.RegisterType((*PersistentVolumeClaimTemplate)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimTemplate")
-	proto.RegisterType((*PersistentVolumeClaimVolumeSource)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource")
-	proto.RegisterType((*PersistentVolumeList)(nil), "k8s.io.api.core.v1.PersistentVolumeList")
-	proto.RegisterType((*PersistentVolumeSource)(nil), "k8s.io.api.core.v1.PersistentVolumeSource")
-	proto.RegisterType((*PersistentVolumeSpec)(nil), "k8s.io.api.core.v1.PersistentVolumeSpec")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.PersistentVolumeSpec.CapacityEntry")
-	proto.RegisterType((*PersistentVolumeStatus)(nil), "k8s.io.api.core.v1.PersistentVolumeStatus")
-	proto.RegisterType((*PhotonPersistentDiskVolumeSource)(nil), "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource")
-	proto.RegisterType((*Pod)(nil), "k8s.io.api.core.v1.Pod")
-	proto.RegisterType((*PodAffinity)(nil), "k8s.io.api.core.v1.PodAffinity")
-	proto.RegisterType((*PodAffinityTerm)(nil), "k8s.io.api.core.v1.PodAffinityTerm")
-	proto.RegisterType((*PodAntiAffinity)(nil), "k8s.io.api.core.v1.PodAntiAffinity")
-	proto.RegisterType((*PodAttachOptions)(nil), "k8s.io.api.core.v1.PodAttachOptions")
-	proto.RegisterType((*PodCertificateProjection)(nil), "k8s.io.api.core.v1.PodCertificateProjection")
-	proto.RegisterType((*PodCondition)(nil), "k8s.io.api.core.v1.PodCondition")
-	proto.RegisterType((*PodDNSConfig)(nil), "k8s.io.api.core.v1.PodDNSConfig")
-	proto.RegisterType((*PodDNSConfigOption)(nil), "k8s.io.api.core.v1.PodDNSConfigOption")
-	proto.RegisterType((*PodExecOptions)(nil), "k8s.io.api.core.v1.PodExecOptions")
-	proto.RegisterType((*PodExtendedResourceClaimStatus)(nil), "k8s.io.api.core.v1.PodExtendedResourceClaimStatus")
-	proto.RegisterType((*PodIP)(nil), "k8s.io.api.core.v1.PodIP")
-	proto.RegisterType((*PodList)(nil), "k8s.io.api.core.v1.PodList")
-	proto.RegisterType((*PodLogOptions)(nil), "k8s.io.api.core.v1.PodLogOptions")
-	proto.RegisterType((*PodOS)(nil), "k8s.io.api.core.v1.PodOS")
-	proto.RegisterType((*PodPortForwardOptions)(nil), "k8s.io.api.core.v1.PodPortForwardOptions")
-	proto.RegisterType((*PodProxyOptions)(nil), "k8s.io.api.core.v1.PodProxyOptions")
-	proto.RegisterType((*PodReadinessGate)(nil), "k8s.io.api.core.v1.PodReadinessGate")
-	proto.RegisterType((*PodResourceClaim)(nil), "k8s.io.api.core.v1.PodResourceClaim")
-	proto.RegisterType((*PodResourceClaimStatus)(nil), "k8s.io.api.core.v1.PodResourceClaimStatus")
-	proto.RegisterType((*PodSchedulingGate)(nil), "k8s.io.api.core.v1.PodSchedulingGate")
-	proto.RegisterType((*PodSecurityContext)(nil), "k8s.io.api.core.v1.PodSecurityContext")
-	proto.RegisterType((*PodSignature)(nil), "k8s.io.api.core.v1.PodSignature")
-	proto.RegisterType((*PodSpec)(nil), "k8s.io.api.core.v1.PodSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.PodSpec.NodeSelectorEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.PodSpec.OverheadEntry")
-	proto.RegisterType((*PodStatus)(nil), "k8s.io.api.core.v1.PodStatus")
-	proto.RegisterType((*PodStatusResult)(nil), "k8s.io.api.core.v1.PodStatusResult")
-	proto.RegisterType((*PodTemplate)(nil), "k8s.io.api.core.v1.PodTemplate")
-	proto.RegisterType((*PodTemplateList)(nil), "k8s.io.api.core.v1.PodTemplateList")
-	proto.RegisterType((*PodTemplateSpec)(nil), "k8s.io.api.core.v1.PodTemplateSpec")
-	proto.RegisterType((*PortStatus)(nil), "k8s.io.api.core.v1.PortStatus")
-	proto.RegisterType((*PortworxVolumeSource)(nil), "k8s.io.api.core.v1.PortworxVolumeSource")
-	proto.RegisterType((*Preconditions)(nil), "k8s.io.api.core.v1.Preconditions")
-	proto.RegisterType((*PreferAvoidPodsEntry)(nil), "k8s.io.api.core.v1.PreferAvoidPodsEntry")
-	proto.RegisterType((*PreferredSchedulingTerm)(nil), "k8s.io.api.core.v1.PreferredSchedulingTerm")
-	proto.RegisterType((*Probe)(nil), "k8s.io.api.core.v1.Probe")
-	proto.RegisterType((*ProbeHandler)(nil), "k8s.io.api.core.v1.ProbeHandler")
-	proto.RegisterType((*ProjectedVolumeSource)(nil), "k8s.io.api.core.v1.ProjectedVolumeSource")
-	proto.RegisterType((*QuobyteVolumeSource)(nil), "k8s.io.api.core.v1.QuobyteVolumeSource")
-	proto.RegisterType((*RBDPersistentVolumeSource)(nil), "k8s.io.api.core.v1.RBDPersistentVolumeSource")
-	proto.RegisterType((*RBDVolumeSource)(nil), "k8s.io.api.core.v1.RBDVolumeSource")
-	proto.RegisterType((*RangeAllocation)(nil), "k8s.io.api.core.v1.RangeAllocation")
-	proto.RegisterType((*ReplicationController)(nil), "k8s.io.api.core.v1.ReplicationController")
-	proto.RegisterType((*ReplicationControllerCondition)(nil), "k8s.io.api.core.v1.ReplicationControllerCondition")
-	proto.RegisterType((*ReplicationControllerList)(nil), "k8s.io.api.core.v1.ReplicationControllerList")
-	proto.RegisterType((*ReplicationControllerSpec)(nil), "k8s.io.api.core.v1.ReplicationControllerSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.ReplicationControllerSpec.SelectorEntry")
-	proto.RegisterType((*ReplicationControllerStatus)(nil), "k8s.io.api.core.v1.ReplicationControllerStatus")
-	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.core.v1.ResourceClaim")
-	proto.RegisterType((*ResourceFieldSelector)(nil), "k8s.io.api.core.v1.ResourceFieldSelector")
-	proto.RegisterType((*ResourceHealth)(nil), "k8s.io.api.core.v1.ResourceHealth")
-	proto.RegisterType((*ResourceQuota)(nil), "k8s.io.api.core.v1.ResourceQuota")
-	proto.RegisterType((*ResourceQuotaList)(nil), "k8s.io.api.core.v1.ResourceQuotaList")
-	proto.RegisterType((*ResourceQuotaSpec)(nil), "k8s.io.api.core.v1.ResourceQuotaSpec")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ResourceQuotaSpec.HardEntry")
-	proto.RegisterType((*ResourceQuotaStatus)(nil), "k8s.io.api.core.v1.ResourceQuotaStatus")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ResourceQuotaStatus.HardEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ResourceQuotaStatus.UsedEntry")
-	proto.RegisterType((*ResourceRequirements)(nil), "k8s.io.api.core.v1.ResourceRequirements")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ResourceRequirements.LimitsEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.ResourceRequirements.RequestsEntry")
-	proto.RegisterType((*ResourceStatus)(nil), "k8s.io.api.core.v1.ResourceStatus")
-	proto.RegisterType((*SELinuxOptions)(nil), "k8s.io.api.core.v1.SELinuxOptions")
-	proto.RegisterType((*ScaleIOPersistentVolumeSource)(nil), "k8s.io.api.core.v1.ScaleIOPersistentVolumeSource")
-	proto.RegisterType((*ScaleIOVolumeSource)(nil), "k8s.io.api.core.v1.ScaleIOVolumeSource")
-	proto.RegisterType((*ScopeSelector)(nil), "k8s.io.api.core.v1.ScopeSelector")
-	proto.RegisterType((*ScopedResourceSelectorRequirement)(nil), "k8s.io.api.core.v1.ScopedResourceSelectorRequirement")
-	proto.RegisterType((*SeccompProfile)(nil), "k8s.io.api.core.v1.SeccompProfile")
-	proto.RegisterType((*Secret)(nil), "k8s.io.api.core.v1.Secret")
-	proto.RegisterMapType((map[string][]byte)(nil), "k8s.io.api.core.v1.Secret.DataEntry")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.Secret.StringDataEntry")
-	proto.RegisterType((*SecretEnvSource)(nil), "k8s.io.api.core.v1.SecretEnvSource")
-	proto.RegisterType((*SecretKeySelector)(nil), "k8s.io.api.core.v1.SecretKeySelector")
-	proto.RegisterType((*SecretList)(nil), "k8s.io.api.core.v1.SecretList")
-	proto.RegisterType((*SecretProjection)(nil), "k8s.io.api.core.v1.SecretProjection")
-	proto.RegisterType((*SecretReference)(nil), "k8s.io.api.core.v1.SecretReference")
-	proto.RegisterType((*SecretVolumeSource)(nil), "k8s.io.api.core.v1.SecretVolumeSource")
-	proto.RegisterType((*SecurityContext)(nil), "k8s.io.api.core.v1.SecurityContext")
-	proto.RegisterType((*SerializedReference)(nil), "k8s.io.api.core.v1.SerializedReference")
-	proto.RegisterType((*Service)(nil), "k8s.io.api.core.v1.Service")
-	proto.RegisterType((*ServiceAccount)(nil), "k8s.io.api.core.v1.ServiceAccount")
-	proto.RegisterType((*ServiceAccountList)(nil), "k8s.io.api.core.v1.ServiceAccountList")
-	proto.RegisterType((*ServiceAccountTokenProjection)(nil), "k8s.io.api.core.v1.ServiceAccountTokenProjection")
-	proto.RegisterType((*ServiceList)(nil), "k8s.io.api.core.v1.ServiceList")
-	proto.RegisterType((*ServicePort)(nil), "k8s.io.api.core.v1.ServicePort")
-	proto.RegisterType((*ServiceProxyOptions)(nil), "k8s.io.api.core.v1.ServiceProxyOptions")
-	proto.RegisterType((*ServiceSpec)(nil), "k8s.io.api.core.v1.ServiceSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.core.v1.ServiceSpec.SelectorEntry")
-	proto.RegisterType((*ServiceStatus)(nil), "k8s.io.api.core.v1.ServiceStatus")
-	proto.RegisterType((*SessionAffinityConfig)(nil), "k8s.io.api.core.v1.SessionAffinityConfig")
-	proto.RegisterType((*SleepAction)(nil), "k8s.io.api.core.v1.SleepAction")
-	proto.RegisterType((*StorageOSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.StorageOSPersistentVolumeSource")
-	proto.RegisterType((*StorageOSVolumeSource)(nil), "k8s.io.api.core.v1.StorageOSVolumeSource")
-	proto.RegisterType((*Sysctl)(nil), "k8s.io.api.core.v1.Sysctl")
-	proto.RegisterType((*TCPSocketAction)(nil), "k8s.io.api.core.v1.TCPSocketAction")
-	proto.RegisterType((*Taint)(nil), "k8s.io.api.core.v1.Taint")
-	proto.RegisterType((*Toleration)(nil), "k8s.io.api.core.v1.Toleration")
-	proto.RegisterType((*TopologySelectorLabelRequirement)(nil), "k8s.io.api.core.v1.TopologySelectorLabelRequirement")
-	proto.RegisterType((*TopologySelectorTerm)(nil), "k8s.io.api.core.v1.TopologySelectorTerm")
-	proto.RegisterType((*TopologySpreadConstraint)(nil), "k8s.io.api.core.v1.TopologySpreadConstraint")
-	proto.RegisterType((*TypedLocalObjectReference)(nil), "k8s.io.api.core.v1.TypedLocalObjectReference")
-	proto.RegisterType((*TypedObjectReference)(nil), "k8s.io.api.core.v1.TypedObjectReference")
-	proto.RegisterType((*Volume)(nil), "k8s.io.api.core.v1.Volume")
-	proto.RegisterType((*VolumeDevice)(nil), "k8s.io.api.core.v1.VolumeDevice")
-	proto.RegisterType((*VolumeMount)(nil), "k8s.io.api.core.v1.VolumeMount")
-	proto.RegisterType((*VolumeMountStatus)(nil), "k8s.io.api.core.v1.VolumeMountStatus")
-	proto.RegisterType((*VolumeNodeAffinity)(nil), "k8s.io.api.core.v1.VolumeNodeAffinity")
-	proto.RegisterType((*VolumeProjection)(nil), "k8s.io.api.core.v1.VolumeProjection")
-	proto.RegisterType((*VolumeResourceRequirements)(nil), "k8s.io.api.core.v1.VolumeResourceRequirements")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.VolumeResourceRequirements.LimitsEntry")
-	proto.RegisterMapType((ResourceList)(nil), "k8s.io.api.core.v1.VolumeResourceRequirements.RequestsEntry")
-	proto.RegisterType((*VolumeSource)(nil), "k8s.io.api.core.v1.VolumeSource")
-	proto.RegisterType((*VsphereVirtualDiskVolumeSource)(nil), "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource")
-	proto.RegisterType((*WeightedPodAffinityTerm)(nil), "k8s.io.api.core.v1.WeightedPodAffinityTerm")
-	proto.RegisterType((*WindowsSecurityContextOptions)(nil), "k8s.io.api.core.v1.WindowsSecurityContextOptions")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/core/v1/generated.proto", fileDescriptor_6c07b07c062484ab)
-}
-
-var fileDescriptor_6c07b07c062484ab = []byte{
-	// 16665 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0xbd, 0x5b, 0x90, 0x5c, 0x49,
-	0x76, 0x18, 0xb6, 0xb7, 0xaa, 0x9f, 0xa7, 0xdf, 0x89, 0x57, 0xa1, 0x07, 0x40, 0x61, 0xee, 0xcc,
-	0x60, 0x30, 0x3b, 0x33, 0x8d, 0xc5, 0x3c, 0x76, 0xb1, 0x33, 0xb3, 0xc3, 0xe9, 0x27, 0xd0, 0x03,
-	0x74, 0xa3, 0x26, 0xab, 0x01, 0xec, 0x63, 0x76, 0xb5, 0x17, 0x55, 0xd9, 0xdd, 0x77, 0xbb, 0xea,
-	0xde, 0x9a, 0x7b, 0x6f, 0x35, 0xd0, 0x30, 0x15, 0xa4, 0x56, 0xe6, 0x4a, 0x4b, 0xd2, 0x11, 0x1b,
-	0x0a, 0x4b, 0x72, 0x90, 0x0a, 0x7e, 0xe8, 0x45, 0xd2, 0xb4, 0x64, 0x52, 0xa4, 0x45, 0x59, 0x14,
-	0x29, 0xda, 0x96, 0x23, 0x68, 0x7f, 0xc8, 0x14, 0x23, 0xcc, 0x65, 0x58, 0xe1, 0x96, 0xd9, 0xb6,
-	0x42, 0xc1, 0x0f, 0x53, 0x0a, 0xda, 0x1f, 0x76, 0x87, 0x6c, 0x2a, 0xf2, 0x79, 0x33, 0xef, 0xab,
-	0xaa, 0x31, 0x40, 0xef, 0x70, 0x63, 0xfe, 0xaa, 0xf2, 0x9c, 0x3c, 0x99, 0x37, 0x1f, 0x27, 0x4f,
-	0x9e, 0x73, 0xf2, 0x1c, 0xb0, 0x77, 0xae, 0x85, 0x73, 0xae, 0x7f, 0xc5, 0xe9, 0xb8, 0x57, 0x1a,
-	0x7e, 0x40, 0xae, 0xec, 0x5e, 0xbd, 0xb2, 0x45, 0x3c, 0x12, 0x38, 0x11, 0x69, 0xce, 0x75, 0x02,
-	0x3f, 0xf2, 0x11, 0xe2, 0x38, 0x73, 0x4e, 0xc7, 0x9d, 0xa3, 0x38, 0x73, 0xbb, 0x57, 0x67, 0x5f,
-	0xdd, 0x72, 0xa3, 0xed, 0xee, 0xfd, 0xb9, 0x86, 0xdf, 0xbe, 0xb2, 0xe5, 0x6f, 0xf9, 0x57, 0x18,
-	0xea, 0xfd, 0xee, 0x26, 0xfb, 0xc7, 0xfe, 0xb0, 0x5f, 0x9c, 0xc4, 0xec, 0x1b, 0x71, 0x33, 0x6d,
-	0xa7, 0xb1, 0xed, 0x7a, 0x24, 0xd8, 0xbb, 0xd2, 0xd9, 0xd9, 0x62, 0xed, 0x06, 0x24, 0xf4, 0xbb,
-	0x41, 0x83, 0x24, 0x1b, 0x2e, 0xac, 0x15, 0x5e, 0x69, 0x93, 0xc8, 0xc9, 0xe8, 0xee, 0xec, 0x95,
-	0xbc, 0x5a, 0x41, 0xd7, 0x8b, 0xdc, 0x76, 0xba, 0x99, 0xcf, 0xf7, 0xaa, 0x10, 0x36, 0xb6, 0x49,
-	0xdb, 0x49, 0xd5, 0x7b, 0x3d, 0xaf, 0x5e, 0x37, 0x72, 0x5b, 0x57, 0x5c, 0x2f, 0x0a, 0xa3, 0x20,
-	0x59, 0xc9, 0xfe, 0xbe, 0x05, 0x17, 0xe7, 0xef, 0xd5, 0x97, 0x5b, 0x4e, 0x18, 0xb9, 0x8d, 0x85,
-	0x96, 0xdf, 0xd8, 0xa9, 0x47, 0x7e, 0x40, 0xee, 0xfa, 0xad, 0x6e, 0x9b, 0xd4, 0xd9, 0x40, 0xa0,
-	0x57, 0x60, 0x64, 0x97, 0xfd, 0x5f, 0x5d, 0xaa, 0x58, 0x17, 0xad, 0xcb, 0xa3, 0x0b, 0xd3, 0xbf,
-	0xb3, 0x5f, 0xfd, 0xcc, 0xc1, 0x7e, 0x75, 0xe4, 0xae, 0x28, 0xc7, 0x0a, 0x03, 0x5d, 0x82, 0xa1,
-	0xcd, 0x70, 0x63, 0xaf, 0x43, 0x2a, 0x25, 0x86, 0x3b, 0x29, 0x70, 0x87, 0x56, 0xea, 0xb4, 0x14,
-	0x0b, 0x28, 0xba, 0x02, 0xa3, 0x1d, 0x27, 0x88, 0xdc, 0xc8, 0xf5, 0xbd, 0x4a, 0xf9, 0xa2, 0x75,
-	0x79, 0x70, 0x61, 0x46, 0xa0, 0x8e, 0xd6, 0x24, 0x00, 0xc7, 0x38, 0xb4, 0x1b, 0x01, 0x71, 0x9a,
-	0xb7, 0xbd, 0xd6, 0x5e, 0x65, 0xe0, 0xa2, 0x75, 0x79, 0x24, 0xee, 0x06, 0x16, 0xe5, 0x58, 0x61,
-	0xd8, 0x3f, 0x53, 0x82, 0x91, 0xf9, 0xcd, 0x4d, 0xd7, 0x73, 0xa3, 0x3d, 0x74, 0x17, 0xc6, 0x3d,
-	0xbf, 0x49, 0xe4, 0x7f, 0xf6, 0x15, 0x63, 0xaf, 0x5d, 0x9c, 0x4b, 0x2f, 0xa5, 0xb9, 0x75, 0x0d,
-	0x6f, 0x61, 0xfa, 0x60, 0xbf, 0x3a, 0xae, 0x97, 0x60, 0x83, 0x0e, 0xc2, 0x30, 0xd6, 0xf1, 0x9b,
-	0x8a, 0x6c, 0x89, 0x91, 0xad, 0x66, 0x91, 0xad, 0xc5, 0x68, 0x0b, 0x53, 0x07, 0xfb, 0xd5, 0x31,
-	0xad, 0x00, 0xeb, 0x44, 0xd0, 0x7d, 0x98, 0xa2, 0x7f, 0xbd, 0xc8, 0x55, 0x74, 0xcb, 0x8c, 0xee,
-	0x73, 0x79, 0x74, 0x35, 0xd4, 0x85, 0x13, 0x07, 0xfb, 0xd5, 0xa9, 0x44, 0x21, 0x4e, 0x12, 0xb4,
-	0x7f, 0xda, 0x82, 0xa9, 0xf9, 0x4e, 0x67, 0x3e, 0x68, 0xfb, 0x41, 0x2d, 0xf0, 0x37, 0xdd, 0x16,
-	0x41, 0x5f, 0x80, 0x81, 0x88, 0xce, 0x1a, 0x9f, 0xe1, 0xe7, 0xc4, 0xd0, 0x0e, 0xd0, 0xb9, 0x3a,
-	0xdc, 0xaf, 0x9e, 0x48, 0xa0, 0xb3, 0xa9, 0x64, 0x15, 0xd0, 0x7b, 0x30, 0xdd, 0xf2, 0x1b, 0x4e,
-	0x6b, 0xdb, 0x0f, 0x23, 0x01, 0x15, 0x53, 0x7f, 0xf2, 0x60, 0xbf, 0x3a, 0x7d, 0x2b, 0x01, 0xc3,
-	0x29, 0x6c, 0xfb, 0x11, 0x4c, 0xce, 0x47, 0x91, 0xd3, 0xd8, 0x26, 0x4d, 0xbe, 0xa0, 0xd0, 0x1b,
-	0x30, 0xe0, 0x39, 0x6d, 0xd9, 0x99, 0x8b, 0xb2, 0x33, 0xeb, 0x4e, 0x9b, 0x76, 0x66, 0xfa, 0x8e,
-	0xe7, 0x7e, 0xd4, 0x15, 0x8b, 0x94, 0x96, 0x61, 0x86, 0x8d, 0x5e, 0x03, 0x68, 0x92, 0x5d, 0xb7,
-	0x41, 0x6a, 0x4e, 0xb4, 0x2d, 0xfa, 0x80, 0x44, 0x5d, 0x58, 0x52, 0x10, 0xac, 0x61, 0xd9, 0x0f,
-	0x61, 0x74, 0x7e, 0xd7, 0x77, 0x9b, 0x35, 0xbf, 0x19, 0xa2, 0x1d, 0x98, 0xea, 0x04, 0x64, 0x93,
-	0x04, 0xaa, 0xa8, 0x62, 0x5d, 0x2c, 0x5f, 0x1e, 0x7b, 0xed, 0x72, 0xe6, 0xd8, 0x9b, 0xa8, 0xcb,
-	0x5e, 0x14, 0xec, 0x2d, 0x9c, 0x11, 0xed, 0x4d, 0x25, 0xa0, 0x38, 0x49, 0xd9, 0xfe, 0x67, 0x25,
-	0x38, 0x35, 0xff, 0xa8, 0x1b, 0x90, 0x25, 0x37, 0xdc, 0x49, 0x6e, 0xb8, 0xa6, 0x1b, 0xee, 0xac,
-	0xc7, 0x23, 0xa0, 0x56, 0xfa, 0x92, 0x28, 0xc7, 0x0a, 0x03, 0xbd, 0x0a, 0xc3, 0xf4, 0xf7, 0x1d,
-	0xbc, 0x2a, 0x3e, 0xf9, 0x84, 0x40, 0x1e, 0x5b, 0x72, 0x22, 0x67, 0x89, 0x83, 0xb0, 0xc4, 0x41,
-	0x6b, 0x30, 0xd6, 0x60, 0xfc, 0x61, 0x6b, 0xcd, 0x6f, 0x12, 0xb6, 0xb6, 0x46, 0x17, 0x5e, 0xa6,
-	0xe8, 0x8b, 0x71, 0xf1, 0xe1, 0x7e, 0xb5, 0xc2, 0xfb, 0x26, 0x48, 0x68, 0x30, 0xac, 0xd7, 0x47,
-	0xb6, 0xda, 0xee, 0x03, 0x8c, 0x12, 0x64, 0x6c, 0xf5, 0xcb, 0xda, 0xce, 0x1d, 0x64, 0x3b, 0x77,
-	0x3c, 0x7b, 0xd7, 0xa2, 0xab, 0x30, 0xb0, 0xe3, 0x7a, 0xcd, 0xca, 0x10, 0xa3, 0x75, 0x9e, 0xce,
-	0xf9, 0x4d, 0xd7, 0x6b, 0x1e, 0xee, 0x57, 0x67, 0x8c, 0xee, 0xd0, 0x42, 0xcc, 0x50, 0xed, 0xff,
-	0xcb, 0x82, 0x2a, 0x83, 0xad, 0xb8, 0x2d, 0x52, 0x23, 0x41, 0xe8, 0x86, 0x11, 0xf1, 0x22, 0x63,
-	0x40, 0x5f, 0x03, 0x08, 0x49, 0x23, 0x20, 0x91, 0x36, 0xa4, 0x6a, 0x61, 0xd4, 0x15, 0x04, 0x6b,
-	0x58, 0x94, 0x3f, 0x85, 0xdb, 0x4e, 0xc0, 0xd6, 0x97, 0x18, 0x58, 0xc5, 0x9f, 0xea, 0x12, 0x80,
-	0x63, 0x1c, 0x83, 0x3f, 0x95, 0x7b, 0xf1, 0x27, 0xf4, 0x25, 0x98, 0x8a, 0x1b, 0x0b, 0x3b, 0x4e,
-	0x43, 0x0e, 0x20, 0xdb, 0xc1, 0x75, 0x13, 0x84, 0x93, 0xb8, 0xf6, 0x7f, 0x6e, 0x89, 0xc5, 0x43,
-	0xbf, 0xfa, 0x13, 0xfe, 0xad, 0xf6, 0x3f, 0xb2, 0x60, 0x78, 0xc1, 0xf5, 0x9a, 0xae, 0xb7, 0x85,
-	0xbe, 0x09, 0x23, 0xf4, 0xa8, 0x6c, 0x3a, 0x91, 0x23, 0xd8, 0xf0, 0xe7, 0xb4, 0xbd, 0xa5, 0x4e,
-	0xae, 0xb9, 0xce, 0xce, 0x16, 0x2d, 0x08, 0xe7, 0x28, 0x36, 0xdd, 0x6d, 0xb7, 0xef, 0x7f, 0x8b,
-	0x34, 0xa2, 0x35, 0x12, 0x39, 0xf1, 0xe7, 0xc4, 0x65, 0x58, 0x51, 0x45, 0x37, 0x61, 0x28, 0x72,
-	0x82, 0x2d, 0x12, 0x09, 0x7e, 0x9c, 0xc9, 0x37, 0x79, 0x4d, 0x4c, 0x77, 0x24, 0xf1, 0x1a, 0x24,
-	0x3e, 0xa5, 0x36, 0x58, 0x55, 0x2c, 0x48, 0xd8, 0xff, 0xdf, 0x30, 0x9c, 0x5d, 0xac, 0xaf, 0xe6,
-	0xac, 0xab, 0x4b, 0x30, 0xd4, 0x0c, 0xdc, 0x5d, 0x12, 0x88, 0x71, 0x56, 0x54, 0x96, 0x58, 0x29,
-	0x16, 0x50, 0x74, 0x0d, 0xc6, 0xf9, 0xf9, 0x78, 0xc3, 0xf1, 0x9a, 0x31, 0x7b, 0x14, 0xd8, 0xe3,
-	0x77, 0x35, 0x18, 0x36, 0x30, 0x8f, 0xb8, 0xa8, 0x2e, 0x25, 0x36, 0x63, 0xde, 0xd9, 0xfb, 0x5d,
-	0x0b, 0xa6, 0x79, 0x33, 0xf3, 0x51, 0x14, 0xb8, 0xf7, 0xbb, 0x11, 0x09, 0x2b, 0x83, 0x8c, 0xd3,
-	0x2d, 0x66, 0x8d, 0x56, 0xee, 0x08, 0xcc, 0xdd, 0x4d, 0x50, 0xe1, 0x4c, 0xb0, 0x22, 0xda, 0x9d,
-	0x4e, 0x82, 0x71, 0xaa, 0x59, 0xf4, 0x17, 0x2d, 0x98, 0x6d, 0xf8, 0x5e, 0x14, 0xf8, 0xad, 0x16,
-	0x09, 0x6a, 0xdd, 0xfb, 0x2d, 0x37, 0xdc, 0xe6, 0xeb, 0x14, 0x93, 0x4d, 0xc6, 0x09, 0x72, 0xe6,
-	0x50, 0x21, 0x89, 0x39, 0xbc, 0x70, 0xb0, 0x5f, 0x9d, 0x5d, 0xcc, 0x25, 0x85, 0x0b, 0x9a, 0x41,
-	0x3b, 0x80, 0xe8, 0xc9, 0x5e, 0x8f, 0x9c, 0x2d, 0x12, 0x37, 0x3e, 0xdc, 0x7f, 0xe3, 0xa7, 0x0f,
-	0xf6, 0xab, 0x68, 0x3d, 0x45, 0x02, 0x67, 0x90, 0x45, 0x1f, 0xc1, 0x49, 0x5a, 0x9a, 0xfa, 0xd6,
-	0x91, 0xfe, 0x9b, 0xab, 0x1c, 0xec, 0x57, 0x4f, 0xae, 0x67, 0x10, 0xc1, 0x99, 0xa4, 0xd1, 0x8f,
-	0x5b, 0x70, 0x36, 0xfe, 0xfc, 0xe5, 0x87, 0x1d, 0xc7, 0x6b, 0xc6, 0x0d, 0x8f, 0xf6, 0xdf, 0x30,
-	0xe5, 0xc9, 0x67, 0x17, 0xf3, 0x28, 0xe1, 0xfc, 0x46, 0x90, 0x07, 0x27, 0x68, 0xd7, 0x92, 0x6d,
-	0x43, 0xff, 0x6d, 0x9f, 0x39, 0xd8, 0xaf, 0x9e, 0x58, 0x4f, 0xd3, 0xc0, 0x59, 0x84, 0x67, 0x17,
-	0xe1, 0x54, 0xe6, 0xea, 0x44, 0xd3, 0x50, 0xde, 0x21, 0x5c, 0x08, 0x1c, 0xc5, 0xf4, 0x27, 0x3a,
-	0x09, 0x83, 0xbb, 0x4e, 0xab, 0x2b, 0x36, 0x26, 0xe6, 0x7f, 0xde, 0x2a, 0x5d, 0xb3, 0xec, 0xff,
-	0xbe, 0x0c, 0x53, 0x8b, 0xf5, 0xd5, 0xc7, 0xda, 0xf5, 0xfa, 0xb1, 0x57, 0x2a, 0x3c, 0xf6, 0xe2,
-	0x43, 0xb4, 0x9c, 0x7b, 0x88, 0xfe, 0x58, 0xc6, 0x96, 0x1d, 0x60, 0x5b, 0xf6, 0x8b, 0x39, 0x5b,
-	0xf6, 0x09, 0x6f, 0xd4, 0xdd, 0x9c, 0x55, 0x3b, 0xc8, 0x26, 0x30, 0x53, 0x42, 0x62, 0xb2, 0x5f,
-	0x92, 0xd5, 0x1e, 0x71, 0xe9, 0x3e, 0x99, 0x79, 0x6c, 0xc0, 0xf8, 0xa2, 0xd3, 0x71, 0xee, 0xbb,
-	0x2d, 0x37, 0x72, 0x49, 0x88, 0x5e, 0x84, 0xb2, 0xd3, 0x6c, 0x32, 0xe9, 0x6e, 0x74, 0xe1, 0xd4,
-	0xc1, 0x7e, 0xb5, 0x3c, 0xdf, 0xa4, 0x62, 0x06, 0x28, 0xac, 0x3d, 0x4c, 0x31, 0xd0, 0x67, 0x61,
-	0xa0, 0x19, 0xf8, 0x9d, 0x4a, 0x89, 0x61, 0xd2, 0x5d, 0x3e, 0xb0, 0x14, 0xf8, 0x9d, 0x04, 0x2a,
-	0xc3, 0xb1, 0x7f, 0xbb, 0x04, 0xe7, 0x16, 0x49, 0x67, 0x7b, 0xa5, 0x9e, 0x73, 0x5e, 0x5c, 0x86,
-	0x91, 0xb6, 0xef, 0xb9, 0x91, 0x1f, 0x84, 0xa2, 0x69, 0xb6, 0x22, 0xd6, 0x44, 0x19, 0x56, 0x50,
-	0x74, 0x11, 0x06, 0x3a, 0xb1, 0x10, 0x3b, 0x2e, 0x05, 0x60, 0x26, 0xbe, 0x32, 0x08, 0xc5, 0xe8,
-	0x86, 0x24, 0x10, 0x2b, 0x46, 0x61, 0xdc, 0x09, 0x49, 0x80, 0x19, 0x24, 0x96, 0x04, 0xa8, 0x8c,
-	0x20, 0x4e, 0x84, 0x84, 0x24, 0x40, 0x21, 0x58, 0xc3, 0x42, 0x35, 0x18, 0x0d, 0x13, 0x33, 0xdb,
-	0xd7, 0xd6, 0x9c, 0x60, 0xa2, 0x82, 0x9a, 0xc9, 0x98, 0x88, 0x71, 0x82, 0x0d, 0xf5, 0x14, 0x15,
-	0x7e, 0xa3, 0x04, 0x88, 0x0f, 0xe1, 0x9f, 0xb1, 0x81, 0xbb, 0x93, 0x1e, 0xb8, 0xfe, 0xb7, 0xc4,
-	0x93, 0x1a, 0xbd, 0xff, 0xdb, 0x82, 0x73, 0x8b, 0xae, 0xd7, 0x24, 0x41, 0xce, 0x02, 0x7c, 0x3a,
-	0x57, 0xf9, 0xa3, 0x09, 0x29, 0xc6, 0x12, 0x1b, 0x78, 0x02, 0x4b, 0xcc, 0xfe, 0xb7, 0x16, 0x20,
-	0xfe, 0xd9, 0x9f, 0xb8, 0x8f, 0xbd, 0x93, 0xfe, 0xd8, 0x27, 0xb0, 0x2c, 0xec, 0x5b, 0x30, 0xb9,
-	0xd8, 0x72, 0x89, 0x17, 0xad, 0xd6, 0x16, 0x7d, 0x6f, 0xd3, 0xdd, 0x42, 0x6f, 0xc1, 0x64, 0xe4,
-	0xb6, 0x89, 0xdf, 0x8d, 0xea, 0xa4, 0xe1, 0x7b, 0xec, 0xe6, 0x6a, 0x5d, 0x1e, 0x5c, 0x40, 0x07,
-	0xfb, 0xd5, 0xc9, 0x0d, 0x03, 0x82, 0x13, 0x98, 0xf6, 0xdf, 0xa5, 0x7c, 0xab, 0xd5, 0x0d, 0x23,
-	0x12, 0x6c, 0x04, 0xdd, 0x30, 0x5a, 0xe8, 0x52, 0xd9, 0xb3, 0x16, 0xf8, 0xb4, 0x3b, 0xae, 0xef,
-	0xa1, 0x73, 0xc6, 0x75, 0x7c, 0x44, 0x5e, 0xc5, 0xc5, 0xb5, 0x7b, 0x0e, 0x20, 0x74, 0xb7, 0x3c,
-	0x12, 0x68, 0xd7, 0x87, 0x49, 0xb6, 0x55, 0x54, 0x29, 0xd6, 0x30, 0x50, 0x0b, 0x26, 0x5a, 0xce,
-	0x7d, 0xd2, 0xaa, 0x93, 0x16, 0x69, 0x44, 0x7e, 0x20, 0xf4, 0x1b, 0xaf, 0xf7, 0x77, 0x0f, 0xb8,
-	0xa5, 0x57, 0x5d, 0x98, 0x39, 0xd8, 0xaf, 0x4e, 0x18, 0x45, 0xd8, 0x24, 0x4e, 0x59, 0x87, 0xdf,
-	0xa1, 0x5f, 0xe1, 0xb4, 0xf4, 0xcb, 0xe7, 0x6d, 0x51, 0x86, 0x15, 0x54, 0xb1, 0x8e, 0x81, 0x3c,
-	0xd6, 0x61, 0xff, 0x4b, 0xba, 0xd0, 0xfc, 0x76, 0xc7, 0xf7, 0x88, 0x17, 0x2d, 0xfa, 0x5e, 0x93,
-	0x6b, 0xa6, 0xde, 0x32, 0x54, 0x27, 0x97, 0x12, 0xaa, 0x93, 0xd3, 0xe9, 0x1a, 0x9a, 0xf6, 0xe4,
-	0x8b, 0x30, 0x14, 0x46, 0x4e, 0xd4, 0x0d, 0xc5, 0xc0, 0x3d, 0x2b, 0x97, 0x5d, 0x9d, 0x95, 0x1e,
-	0xee, 0x57, 0xa7, 0x54, 0x35, 0x5e, 0x84, 0x45, 0x05, 0xf4, 0x12, 0x0c, 0xb7, 0x49, 0x18, 0x3a,
-	0x5b, 0x52, 0x6c, 0x98, 0x12, 0x75, 0x87, 0xd7, 0x78, 0x31, 0x96, 0x70, 0xf4, 0x1c, 0x0c, 0x92,
-	0x20, 0xf0, 0x03, 0xf1, 0x6d, 0x13, 0x02, 0x71, 0x70, 0x99, 0x16, 0x62, 0x0e, 0xb3, 0xff, 0x27,
-	0x0b, 0xa6, 0x54, 0x5f, 0x79, 0x5b, 0xc7, 0x70, 0x5d, 0xfb, 0x2a, 0x40, 0x43, 0x7e, 0x60, 0xc8,
-	0x8e, 0xd9, 0xb1, 0xd7, 0x2e, 0x65, 0x4a, 0x34, 0xa9, 0x61, 0x8c, 0x29, 0xab, 0xa2, 0x10, 0x6b,
-	0xd4, 0xec, 0xdf, 0xb4, 0xe0, 0x44, 0xe2, 0x8b, 0x6e, 0xb9, 0x61, 0x84, 0x3e, 0x4c, 0x7d, 0xd5,
-	0x5c, 0x9f, 0x8b, 0xcf, 0x0d, 0xf9, 0x37, 0xa9, 0x3d, 0x2f, 0x4b, 0xb4, 0x2f, 0xba, 0x01, 0x83,
-	0x6e, 0x44, 0xda, 0xf2, 0x63, 0x9e, 0x2b, 0xfc, 0x18, 0xde, 0xab, 0x78, 0x46, 0x56, 0x69, 0x4d,
-	0xcc, 0x09, 0xd8, 0xbf, 0x5d, 0x86, 0x51, 0xbe, 0xbf, 0xd7, 0x9c, 0xce, 0x31, 0xcc, 0xc5, 0xcb,
-	0x30, 0xea, 0xb6, 0xdb, 0xdd, 0xc8, 0xb9, 0x2f, 0xce, 0xbd, 0x11, 0xce, 0x83, 0x56, 0x65, 0x21,
-	0x8e, 0xe1, 0x68, 0x15, 0x06, 0x58, 0x57, 0xf8, 0x57, 0xbe, 0x98, 0xfd, 0x95, 0xa2, 0xef, 0x73,
-	0x4b, 0x4e, 0xe4, 0x70, 0x91, 0x53, 0xed, 0x2b, 0x5a, 0x84, 0x19, 0x09, 0xe4, 0x00, 0xdc, 0x77,
-	0x3d, 0x27, 0xd8, 0xa3, 0x65, 0x95, 0x32, 0x23, 0xf8, 0x6a, 0x31, 0xc1, 0x05, 0x85, 0xcf, 0xc9,
-	0xaa, 0x0f, 0x8b, 0x01, 0x58, 0x23, 0x3a, 0xfb, 0x05, 0x18, 0x55, 0xc8, 0x47, 0x91, 0x1c, 0x67,
-	0xbf, 0x04, 0x53, 0x89, 0xb6, 0x7a, 0x55, 0x1f, 0xd7, 0x05, 0xcf, 0x7f, 0xcc, 0x58, 0x86, 0xe8,
-	0xf5, 0xb2, 0xb7, 0x2b, 0xce, 0xa6, 0x47, 0x70, 0xb2, 0x95, 0xc1, 0xf2, 0xc5, 0xbc, 0xf6, 0x7f,
-	0x44, 0x9c, 0x13, 0x9f, 0x7d, 0x32, 0x0b, 0x8a, 0x33, 0xdb, 0x30, 0x38, 0x62, 0xa9, 0x88, 0x23,
-	0x52, 0x7e, 0x77, 0x52, 0x75, 0xfe, 0x26, 0xd9, 0x53, 0x4c, 0xf5, 0x07, 0xd9, 0xfd, 0xf3, 0x7c,
-	0xf4, 0x39, 0xbb, 0x1c, 0x13, 0x04, 0xca, 0x37, 0xc9, 0x1e, 0x9f, 0x0a, 0xfd, 0xeb, 0xca, 0x85,
-	0x5f, 0xf7, 0x2b, 0x16, 0x4c, 0xa8, 0xaf, 0x3b, 0x06, 0xbe, 0xb0, 0x60, 0xf2, 0x85, 0xf3, 0x85,
-	0x0b, 0x3c, 0x87, 0x23, 0xfc, 0x46, 0x09, 0xce, 0x2a, 0x1c, 0x7a, 0x89, 0xe2, 0x7f, 0xc4, 0xaa,
-	0xba, 0x02, 0xa3, 0x9e, 0x52, 0x27, 0x5a, 0xa6, 0x1e, 0x2f, 0x56, 0x26, 0xc6, 0x38, 0xf4, 0xc8,
-	0xf3, 0xe2, 0x43, 0x7b, 0x5c, 0xd7, 0xb3, 0x8b, 0xc3, 0x7d, 0x01, 0xca, 0x5d, 0xb7, 0x29, 0x0e,
-	0x98, 0xcf, 0xc9, 0xd1, 0xbe, 0xb3, 0xba, 0x74, 0xb8, 0x5f, 0x7d, 0x36, 0xcf, 0xe4, 0x44, 0x4f,
-	0xb6, 0x70, 0xee, 0xce, 0xea, 0x12, 0xa6, 0x95, 0xd1, 0x3c, 0x4c, 0x49, 0xab, 0xda, 0x5d, 0x2a,
-	0x97, 0xfa, 0x9e, 0x38, 0x87, 0x94, 0xb2, 0x1c, 0x9b, 0x60, 0x9c, 0xc4, 0x47, 0x4b, 0x30, 0xbd,
-	0xd3, 0xbd, 0x4f, 0x5a, 0x24, 0xe2, 0x1f, 0x7c, 0x93, 0x70, 0x55, 0xf2, 0x68, 0x7c, 0x85, 0xbd,
-	0x99, 0x80, 0xe3, 0x54, 0x0d, 0xfb, 0x4f, 0xd9, 0x79, 0x20, 0x46, 0x4f, 0x93, 0x6f, 0x7e, 0x90,
-	0xcb, 0xb9, 0x9f, 0x55, 0x71, 0x93, 0xec, 0x6d, 0xf8, 0x54, 0x0e, 0xc9, 0x5e, 0x15, 0xc6, 0x9a,
-	0x1f, 0x28, 0x5c, 0xf3, 0xbf, 0x56, 0x82, 0x53, 0x6a, 0x04, 0x0c, 0x69, 0xf9, 0xcf, 0xfa, 0x18,
-	0x5c, 0x85, 0xb1, 0x26, 0xd9, 0x74, 0xba, 0xad, 0x48, 0xd9, 0x35, 0x06, 0xb9, 0xa9, 0x6d, 0x29,
-	0x2e, 0xc6, 0x3a, 0xce, 0x11, 0x86, 0xed, 0x6f, 0x4d, 0xb2, 0x83, 0x38, 0x72, 0xe8, 0x1a, 0x57,
-	0xbb, 0xc6, 0xca, 0xdd, 0x35, 0xcf, 0xc1, 0xa0, 0xdb, 0xa6, 0x82, 0x59, 0xc9, 0x94, 0xb7, 0x56,
-	0x69, 0x21, 0xe6, 0x30, 0xf4, 0x02, 0x0c, 0x37, 0xfc, 0x76, 0xdb, 0xf1, 0x9a, 0xec, 0xc8, 0x1b,
-	0x5d, 0x18, 0xa3, 0xb2, 0xdb, 0x22, 0x2f, 0xc2, 0x12, 0x46, 0x85, 0x6f, 0x27, 0xd8, 0xe2, 0xca,
-	0x1e, 0x21, 0x7c, 0xcf, 0x07, 0x5b, 0x21, 0x66, 0xa5, 0xf4, 0xae, 0xfa, 0xc0, 0x0f, 0x76, 0x5c,
-	0x6f, 0x6b, 0xc9, 0x0d, 0xc4, 0x96, 0x50, 0x67, 0xe1, 0x3d, 0x05, 0xc1, 0x1a, 0x16, 0x5a, 0x81,
-	0xc1, 0x8e, 0x1f, 0x44, 0x61, 0x65, 0x88, 0x0d, 0xf7, 0xb3, 0x39, 0x8c, 0x88, 0x7f, 0x6d, 0xcd,
-	0x0f, 0xa2, 0xf8, 0x03, 0xe8, 0xbf, 0x10, 0xf3, 0xea, 0xe8, 0x16, 0x0c, 0x13, 0x6f, 0x77, 0x25,
-	0xf0, 0xdb, 0x95, 0x13, 0xf9, 0x94, 0x96, 0x39, 0x0a, 0x5f, 0x66, 0xb1, 0x8c, 0x2a, 0x8a, 0xb1,
-	0x24, 0x81, 0xbe, 0x08, 0x65, 0xe2, 0xed, 0x56, 0x86, 0x19, 0xa5, 0xd9, 0x1c, 0x4a, 0x77, 0x9d,
-	0x20, 0xe6, 0xf9, 0xcb, 0xde, 0x2e, 0xa6, 0x75, 0xd0, 0x57, 0x60, 0x54, 0x32, 0x8c, 0x50, 0x68,
-	0x51, 0x33, 0x17, 0xac, 0x64, 0x33, 0x98, 0x7c, 0xd4, 0x75, 0x03, 0xd2, 0x26, 0x5e, 0x14, 0xc6,
-	0x1c, 0x52, 0x42, 0x43, 0x1c, 0x53, 0x43, 0x0d, 0x18, 0x0f, 0x48, 0xe8, 0x3e, 0x22, 0x35, 0xbf,
-	0xe5, 0x36, 0xf6, 0x2a, 0x67, 0x58, 0xf7, 0x5e, 0x2a, 0x1c, 0x32, 0xac, 0x55, 0x88, 0xb5, 0xfc,
-	0x7a, 0x29, 0x36, 0x88, 0xa2, 0x0f, 0x60, 0x22, 0x20, 0x61, 0xe4, 0x04, 0x91, 0x68, 0xa5, 0xa2,
-	0xac, 0x72, 0x13, 0x58, 0x07, 0xf0, 0xeb, 0x44, 0xdc, 0x4c, 0x0c, 0xc1, 0x26, 0x05, 0x14, 0x01,
-	0x32, 0x0a, 0x70, 0xb7, 0x45, 0xc2, 0xca, 0xd9, 0x7c, 0x6b, 0x66, 0x92, 0x2c, 0xad, 0xb0, 0x30,
-	0x2b, 0x3a, 0x8f, 0x70, 0x8a, 0x16, 0xce, 0xa0, 0x8f, 0xbe, 0x22, 0x0d, 0x1d, 0x6b, 0x7e, 0xd7,
-	0x8b, 0xc2, 0xca, 0x28, 0x6b, 0x2f, 0xd3, 0x22, 0x7e, 0x37, 0xc6, 0x4b, 0x5a, 0x42, 0x78, 0x65,
-	0x6c, 0x90, 0x42, 0x5f, 0x87, 0x09, 0xfe, 0x9f, 0x1b, 0x72, 0xc3, 0xca, 0x29, 0x46, 0xfb, 0x62,
-	0x3e, 0x6d, 0x8e, 0xb8, 0x70, 0x4a, 0x10, 0x9f, 0xd0, 0x4b, 0x43, 0x6c, 0x52, 0x43, 0x18, 0x26,
-	0x5a, 0xee, 0x2e, 0xf1, 0x48, 0x18, 0xd6, 0x02, 0xff, 0x3e, 0x11, 0x7a, 0xe9, 0xb3, 0xd9, 0x86,
-	0x5f, 0xff, 0x3e, 0x11, 0x57, 0x4f, 0xbd, 0x0e, 0x36, 0x49, 0xa0, 0x3b, 0x30, 0x19, 0x10, 0xa7,
-	0xe9, 0xc6, 0x44, 0xc7, 0x7a, 0x11, 0x65, 0xd7, 0x75, 0x6c, 0x54, 0xc2, 0x09, 0x22, 0xe8, 0x36,
-	0x8c, 0xb3, 0x81, 0xef, 0x76, 0x38, 0xd1, 0xd3, 0xbd, 0x88, 0x32, 0x37, 0x86, 0xba, 0x56, 0x05,
-	0x1b, 0x04, 0xd0, 0xfb, 0x30, 0xda, 0x72, 0x37, 0x49, 0x63, 0xaf, 0xd1, 0x22, 0x95, 0x71, 0x46,
-	0x2d, 0x93, 0x05, 0xdf, 0x92, 0x48, 0xfc, 0x56, 0xa0, 0xfe, 0xe2, 0xb8, 0x3a, 0xba, 0x0b, 0xa7,
-	0x23, 0x12, 0xb4, 0x5d, 0xcf, 0xa1, 0xac, 0x53, 0x5c, 0x44, 0x99, 0x3d, 0x7e, 0x82, 0xad, 0xe9,
-	0x0b, 0x62, 0x36, 0x4e, 0x6f, 0x64, 0x62, 0xe1, 0x9c, 0xda, 0xe8, 0x21, 0x54, 0x32, 0x20, 0x7c,
-	0xb7, 0x9c, 0x64, 0x94, 0xdf, 0x11, 0x94, 0x2b, 0x1b, 0x39, 0x78, 0x87, 0x05, 0x30, 0x9c, 0x4b,
-	0x1d, 0xdd, 0x86, 0x29, 0xc6, 0xaf, 0x6b, 0xdd, 0x56, 0x4b, 0x34, 0x38, 0xc9, 0x1a, 0x7c, 0x41,
-	0x4a, 0x2f, 0xab, 0x26, 0xf8, 0x70, 0xbf, 0x0a, 0xf1, 0x3f, 0x9c, 0xac, 0x8d, 0xee, 0x33, 0xd3,
-	0x6f, 0x37, 0x70, 0xa3, 0x3d, 0xba, 0xe9, 0xc8, 0xc3, 0xa8, 0x32, 0x55, 0xa8, 0x06, 0xd3, 0x51,
-	0x95, 0x7d, 0x58, 0x2f, 0xc4, 0x49, 0x82, 0xf4, 0x00, 0x0a, 0xa3, 0xa6, 0xeb, 0x55, 0xa6, 0xf9,
-	0x2d, 0x4e, 0xf2, 0xef, 0x3a, 0x2d, 0xc4, 0x1c, 0xc6, 0xcc, 0xbe, 0xf4, 0xc7, 0x6d, 0x7a, 0xce,
-	0xcf, 0x30, 0xc4, 0xd8, 0xec, 0x2b, 0x01, 0x38, 0xc6, 0xa1, 0xa2, 0x77, 0x14, 0xed, 0x55, 0x10,
-	0x43, 0x55, 0x6c, 0x78, 0x63, 0xe3, 0x2b, 0x98, 0x96, 0xdb, 0xbf, 0x6b, 0xc1, 0x45, 0xc5, 0x46,
-	0x96, 0x1f, 0x46, 0xc4, 0x6b, 0x92, 0xa6, 0xce, 0x73, 0x49, 0x18, 0xa1, 0xb7, 0x61, 0xa2, 0x21,
-	0x71, 0x34, 0x13, 0xb5, 0xda, 0xa5, 0x8b, 0x3a, 0x10, 0x9b, 0xb8, 0xe8, 0x1a, 0xe3, 0xc6, 0x8c,
-	0x9e, 0xa6, 0x6c, 0xd2, 0x59, 0xac, 0x82, 0x61, 0x03, 0x13, 0xbd, 0x09, 0x63, 0x01, 0xef, 0x01,
-	0xab, 0x58, 0x36, 0x3d, 0x25, 0x70, 0x0c, 0xc2, 0x3a, 0x9e, 0x7d, 0x1f, 0x26, 0x55, 0x87, 0xd8,
-	0x34, 0xa3, 0x2a, 0x0c, 0x32, 0xf9, 0x59, 0xe8, 0xa1, 0x47, 0xe9, 0xa8, 0x32, 0xd9, 0x1a, 0xf3,
-	0x72, 0x36, 0xaa, 0xee, 0x23, 0xb2, 0xb0, 0x17, 0x11, 0xae, 0xd4, 0x29, 0x6b, 0xa3, 0x2a, 0x01,
-	0x38, 0xc6, 0xb1, 0xff, 0x7f, 0x7e, 0x0f, 0x89, 0x8f, 0xdb, 0x3e, 0x04, 0x8c, 0x57, 0x60, 0x84,
-	0x79, 0xd0, 0xf8, 0x01, 0x37, 0x73, 0x0f, 0xc6, 0x37, 0x8f, 0x1b, 0xa2, 0x1c, 0x2b, 0x0c, 0x63,
-	0xcc, 0x59, 0x15, 0x2e, 0x1d, 0xa5, 0xc7, 0x9c, 0xd5, 0x33, 0x71, 0xd1, 0x35, 0x18, 0x61, 0xce,
-	0x62, 0x0d, 0xbf, 0x25, 0xc4, 0x76, 0x29, 0xe2, 0x8d, 0xd4, 0x44, 0xf9, 0xa1, 0xf6, 0x1b, 0x2b,
-	0x6c, 0x74, 0x09, 0x86, 0x68, 0x17, 0x56, 0x6b, 0x42, 0x2e, 0x51, 0x2a, 0xd5, 0x1b, 0xac, 0x14,
-	0x0b, 0xa8, 0xfd, 0x9b, 0x16, 0x13, 0x4a, 0xd3, 0x87, 0x27, 0xba, 0x91, 0x98, 0x6f, 0x3e, 0x20,
-	0xcf, 0x67, 0xcd, 0xf7, 0x61, 0xf1, 0xfc, 0x7f, 0x35, 0x79, 0xc4, 0xf2, 0xa5, 0xf3, 0x86, 0x1c,
-	0x82, 0xe4, 0x31, 0xfb, 0x4c, 0xbc, 0x6e, 0x69, 0x7f, 0x8a, 0xce, 0x5a, 0xfb, 0xb7, 0xf8, 0x35,
-	0x39, 0x75, 0x7c, 0xa2, 0x25, 0x18, 0x72, 0xd8, 0x0d, 0x43, 0x74, 0xfc, 0x15, 0x39, 0x00, 0xf3,
-	0xac, 0xf4, 0x50, 0xd8, 0xab, 0x93, 0xf5, 0x38, 0x14, 0x8b, 0xba, 0xe8, 0x9b, 0x30, 0x4a, 0x1e,
-	0xba, 0xd1, 0xa2, 0xdf, 0x14, 0x0b, 0xca, 0xd4, 0x95, 0x16, 0x9e, 0xe0, 0xb7, 0xbd, 0x65, 0x59,
-	0x95, 0x33, 0x6d, 0xf5, 0x17, 0xc7, 0x44, 0xed, 0x9f, 0xb3, 0xa0, 0xda, 0xa3, 0x36, 0xba, 0x47,
-	0x85, 0x65, 0x12, 0x38, 0x91, 0x2f, 0xed, 0x9e, 0x6f, 0xcb, 0x65, 0x70, 0x5b, 0x94, 0x1f, 0xee,
-	0x57, 0x5f, 0xec, 0x41, 0x46, 0xa2, 0x62, 0x45, 0x0c, 0xd9, 0x30, 0xc4, 0xd4, 0x25, 0x5c, 0xfa,
-	0x1f, 0xe4, 0xc6, 0xcf, 0xbb, 0xac, 0x04, 0x0b, 0x88, 0xfd, 0x57, 0x4a, 0xda, 0x3e, 0xac, 0x47,
-	0x4e, 0x44, 0x50, 0x0d, 0x86, 0x1f, 0x38, 0x6e, 0xe4, 0x7a, 0x5b, 0xe2, 0x8a, 0x52, 0x2c, 0x93,
-	0xb1, 0x4a, 0xf7, 0x78, 0x05, 0x2e, 0x68, 0x8b, 0x3f, 0x58, 0x92, 0xa1, 0x14, 0x83, 0xae, 0xe7,
-	0x51, 0x8a, 0xa5, 0x7e, 0x29, 0x62, 0x5e, 0x81, 0x53, 0x14, 0x7f, 0xb0, 0x24, 0x83, 0x3e, 0x04,
-	0x90, 0xc7, 0x0a, 0x69, 0x0a, 0x35, 0xf7, 0x2b, 0xbd, 0x89, 0x6e, 0xa8, 0x3a, 0x5c, 0x8f, 0x1e,
-	0xff, 0xc7, 0x1a, 0x3d, 0x3b, 0xd2, 0x76, 0x8d, 0xde, 0x19, 0xf4, 0x35, 0xca, 0xd7, 0x9d, 0x20,
-	0x22, 0xcd, 0xf9, 0x48, 0x0c, 0xce, 0x67, 0xfb, 0xd3, 0x63, 0x6c, 0xb8, 0x6d, 0xa2, 0x9f, 0x01,
-	0x82, 0x08, 0x8e, 0xe9, 0xd9, 0xbf, 0x5e, 0x86, 0x4a, 0x5e, 0x77, 0x29, 0x5b, 0x92, 0xab, 0x4a,
-	0xd8, 0x1f, 0x14, 0x5b, 0x92, 0x4b, 0x00, 0x2b, 0x0c, 0xca, 0x1f, 0x42, 0x77, 0x4b, 0xaa, 0xa1,
-	0x06, 0x63, 0xfe, 0x50, 0x67, 0xa5, 0x58, 0x40, 0x29, 0x5e, 0x40, 0x9c, 0x50, 0xf8, 0x89, 0x6a,
-	0x7c, 0x04, 0xb3, 0x52, 0x2c, 0xa0, 0xba, 0x42, 0x7c, 0xa0, 0x87, 0x42, 0xdc, 0x18, 0xa2, 0xc1,
-	0x27, 0x3b, 0x44, 0xe8, 0x1b, 0x00, 0x9b, 0xae, 0xe7, 0x86, 0xdb, 0x8c, 0xfa, 0xd0, 0x91, 0xa9,
-	0xab, 0xfb, 0xdb, 0x8a, 0xa2, 0x82, 0x35, 0x8a, 0xf4, 0x2c, 0x53, 0x2c, 0x7a, 0x75, 0x89, 0x79,
-	0xa9, 0x68, 0x67, 0x59, 0x7c, 0x5e, 0x2d, 0x61, 0x1d, 0xcf, 0xfe, 0x56, 0x72, 0xbd, 0x88, 0x1d,
-	0xa0, 0x8d, 0xaf, 0xd5, 0xef, 0xf8, 0x96, 0x8a, 0xc7, 0xd7, 0xfe, 0x17, 0xa3, 0x30, 0x65, 0x34,
-	0xd6, 0x0d, 0xfb, 0x38, 0xd5, 0xae, 0x53, 0xa9, 0xc5, 0x89, 0x88, 0xd8, 0x7f, 0x76, 0xef, 0xad,
-	0xa2, 0x4b, 0x36, 0x74, 0x07, 0xf0, 0xfa, 0xe8, 0x1b, 0x30, 0xda, 0x72, 0x42, 0xa6, 0x5c, 0x27,
-	0x62, 0xdf, 0xf5, 0x43, 0x2c, 0xd6, 0x5d, 0x38, 0x61, 0xa4, 0x89, 0x8a, 0x9c, 0x76, 0x4c, 0x92,
-	0x8a, 0x57, 0x54, 0x28, 0x97, 0x8e, 0xc8, 0xaa, 0x13, 0x54, 0x72, 0xdf, 0xc3, 0x1c, 0x26, 0x84,
-	0x15, 0xba, 0x2a, 0x16, 0xe9, 0x15, 0x86, 0x2d, 0xb3, 0x41, 0x43, 0x58, 0x51, 0x30, 0x6c, 0x60,
-	0xc6, 0xea, 0x83, 0xa1, 0x02, 0xf5, 0xc1, 0x4b, 0x30, 0xcc, 0x7e, 0xa8, 0x15, 0xa0, 0x66, 0x63,
-	0x95, 0x17, 0x63, 0x09, 0x4f, 0x2e, 0x98, 0x91, 0xfe, 0x16, 0x0c, 0x7a, 0x01, 0x86, 0xc5, 0xa2,
-	0x66, 0x1e, 0x42, 0x23, 0x9c, 0xcb, 0x89, 0x25, 0x8f, 0x25, 0x0c, 0xfd, 0xbc, 0x05, 0xc8, 0x69,
-	0xb5, 0xfc, 0x06, 0xe3, 0x50, 0xea, 0x1e, 0x0e, 0xec, 0x7e, 0xf6, 0x76, 0xcf, 0x61, 0xef, 0x86,
-	0x73, 0xf3, 0xa9, 0xda, 0x5c, 0xa9, 0xff, 0x96, 0xbc, 0x7e, 0xa6, 0x11, 0xf4, 0xe3, 0xfe, 0x96,
-	0x1b, 0x46, 0xdf, 0xfe, 0x57, 0x89, 0xe3, 0x3f, 0xa3, 0x4b, 0xe8, 0x8e, 0xae, 0x27, 0x18, 0x3b,
-	0xa2, 0x9e, 0x60, 0x22, 0x57, 0x47, 0xf0, 0xe7, 0x12, 0xb7, 0xde, 0x71, 0xf6, 0xe5, 0x2f, 0xf4,
-	0xb8, 0xf5, 0x0a, 0xcb, 0x4f, 0x3f, 0x77, 0xdf, 0x9a, 0x70, 0x59, 0x98, 0x60, 0x5d, 0x2e, 0xd6,
-	0xd7, 0xdc, 0x09, 0x49, 0xb0, 0x70, 0x56, 0x7a, 0x34, 0x1c, 0xea, 0xd2, 0x9d, 0xe6, 0xe2, 0xf0,
-	0xe3, 0x16, 0x54, 0xd2, 0x03, 0xc4, 0xbb, 0x54, 0x99, 0x64, 0xfd, 0xb7, 0x8b, 0x46, 0x46, 0x74,
-	0x5e, 0x7a, 0x66, 0x57, 0xe6, 0x73, 0x68, 0xe1, 0xdc, 0x56, 0xd0, 0x35, 0x80, 0x30, 0xf2, 0x3b,
-	0x9c, 0xd7, 0xb3, 0x1b, 0xd0, 0x28, 0xf3, 0x0d, 0x82, 0xba, 0x2a, 0x3d, 0x8c, 0xcf, 0x02, 0x0d,
-	0x77, 0xb6, 0x0b, 0x67, 0x72, 0x56, 0x4c, 0x86, 0x69, 0x66, 0x49, 0x37, 0xcd, 0xf4, 0x50, 0xe8,
-	0xcf, 0xc9, 0x39, 0x9d, 0xfb, 0xa0, 0xeb, 0x78, 0x91, 0x1b, 0xed, 0xe9, 0xa6, 0x1c, 0x0f, 0xcc,
-	0xa1, 0x44, 0x5f, 0x87, 0xc1, 0x96, 0xeb, 0x75, 0x1f, 0x8a, 0x33, 0xf6, 0x52, 0xf6, 0x9d, 0xd9,
-	0xeb, 0x3e, 0x34, 0x27, 0xa7, 0x4a, 0xb7, 0x32, 0x2b, 0x3f, 0xdc, 0xaf, 0xa2, 0x34, 0x02, 0xe6,
-	0x54, 0xed, 0xcf, 0xc2, 0xe4, 0x92, 0x43, 0xda, 0xbe, 0xb7, 0xec, 0x35, 0x3b, 0xbe, 0xeb, 0x45,
-	0xa8, 0x02, 0x03, 0x4c, 0x7c, 0xe7, 0x47, 0xeb, 0x00, 0x1d, 0x7c, 0xcc, 0x4a, 0xec, 0x2d, 0x38,
-	0xb5, 0xe4, 0x3f, 0xf0, 0x1e, 0x38, 0x41, 0x73, 0xbe, 0xb6, 0xaa, 0xa9, 0xb6, 0xd7, 0xa5, 0x6a,
-	0xd5, 0xca, 0x57, 0x5c, 0x69, 0x35, 0xf9, 0x22, 0x5c, 0x71, 0x5b, 0x24, 0xc7, 0x00, 0xf1, 0xd7,
-	0x4b, 0x46, 0x4b, 0x31, 0xbe, 0x32, 0x9f, 0x5b, 0xb9, 0x9e, 0x37, 0x1f, 0xc0, 0xc8, 0xa6, 0x4b,
-	0x5a, 0x4d, 0x4c, 0x36, 0xc5, 0x6c, 0xbc, 0x98, 0xef, 0x9b, 0xbb, 0x42, 0x31, 0x95, 0x9d, 0x9f,
-	0x29, 0x66, 0x57, 0x44, 0x65, 0xac, 0xc8, 0xa0, 0x1d, 0x98, 0x96, 0x73, 0x26, 0xa1, 0x82, 0xdf,
-	0xbf, 0x54, 0xb4, 0x7c, 0x4d, 0xe2, 0xec, 0x9d, 0x02, 0x4e, 0x90, 0xc1, 0x29, 0xc2, 0xe8, 0x1c,
-	0x0c, 0xb4, 0xa9, 0x64, 0x33, 0xc0, 0x86, 0x9f, 0x69, 0x62, 0x99, 0x52, 0x99, 0x95, 0xda, 0x7f,
-	0xc3, 0x82, 0x33, 0xa9, 0x91, 0x11, 0xca, 0xf5, 0x27, 0x3c, 0x0b, 0x49, 0x65, 0x77, 0xa9, 0xb7,
-	0xb2, 0xdb, 0xfe, 0x2f, 0x2c, 0x38, 0xb9, 0xdc, 0xee, 0x44, 0x7b, 0x4b, 0xae, 0xe9, 0x26, 0xf3,
-	0x05, 0x18, 0x6a, 0x93, 0xa6, 0xdb, 0x6d, 0x8b, 0x99, 0xab, 0xca, 0xd3, 0x7f, 0x8d, 0x95, 0x52,
-	0x0e, 0x52, 0x8f, 0xfc, 0xc0, 0xd9, 0x22, 0xbc, 0x00, 0x0b, 0x74, 0x26, 0x43, 0xb9, 0x8f, 0xc8,
-	0x2d, 0xb7, 0xed, 0x46, 0x8f, 0xb7, 0xbb, 0x84, 0x87, 0x8b, 0x24, 0x82, 0x63, 0x7a, 0xf6, 0xf7,
-	0x2d, 0x98, 0x92, 0xeb, 0x7e, 0xbe, 0xd9, 0x0c, 0x48, 0x18, 0xa2, 0x59, 0x28, 0xb9, 0x1d, 0xd1,
-	0x4b, 0x10, 0xbd, 0x2c, 0xad, 0xd6, 0x70, 0xc9, 0xed, 0xc8, 0x0b, 0xb1, 0x17, 0x5f, 0xee, 0x8d,
-	0x0b, 0xb1, 0xc7, 0xde, 0x4c, 0x48, 0x0c, 0x74, 0x19, 0x46, 0x3c, 0xbf, 0xc9, 0xef, 0x94, 0xc2,
-	0xdd, 0x83, 0x62, 0xae, 0x8b, 0x32, 0xac, 0xa0, 0xa8, 0x06, 0xa3, 0xdc, 0x15, 0x3c, 0x5e, 0xb4,
-	0x7d, 0x39, 0x94, 0xb3, 0x2f, 0xdb, 0x90, 0x35, 0x71, 0x4c, 0xc4, 0xfe, 0xa7, 0x16, 0x8c, 0xcb,
-	0x2f, 0xeb, 0xf3, 0xb6, 0x4f, 0xb7, 0x56, 0x7c, 0xd3, 0x8f, 0xb7, 0x16, 0xbd, 0xad, 0x33, 0x88,
-	0x71, 0x49, 0x2f, 0x1f, 0xe9, 0x92, 0x7e, 0x15, 0xc6, 0x9c, 0x4e, 0xa7, 0x66, 0xde, 0xf0, 0xd9,
-	0x52, 0x9a, 0x8f, 0x8b, 0xb1, 0x8e, 0x63, 0xff, 0x6c, 0x09, 0x26, 0xe5, 0x17, 0xd4, 0xbb, 0xf7,
-	0x43, 0x12, 0xa1, 0x0d, 0x18, 0x75, 0xf8, 0x2c, 0x11, 0xb9, 0xc8, 0x9f, 0xcb, 0x56, 0xe1, 0x1b,
-	0x53, 0x1a, 0x0b, 0xd2, 0xf3, 0xb2, 0x36, 0x8e, 0x09, 0xa1, 0x16, 0xcc, 0x78, 0x7e, 0xc4, 0x84,
-	0x2a, 0x05, 0x2f, 0xf2, 0xaa, 0x48, 0x52, 0x3f, 0x2b, 0xa8, 0xcf, 0xac, 0x27, 0xa9, 0xe0, 0x34,
-	0x61, 0xb4, 0x2c, 0xcd, 0x22, 0xe5, 0x7c, 0xcd, 0xb2, 0x3e, 0x71, 0xd9, 0x56, 0x11, 0xfb, 0x9f,
-	0x58, 0x30, 0x2a, 0xd1, 0x8e, 0xc3, 0x81, 0x66, 0x0d, 0x86, 0x43, 0x36, 0x09, 0x72, 0x68, 0xec,
-	0xa2, 0x8e, 0xf3, 0xf9, 0x8a, 0x65, 0x45, 0xfe, 0x3f, 0xc4, 0x92, 0x06, 0xb3, 0x8a, 0xab, 0xee,
-	0x7f, 0x42, 0xac, 0xe2, 0xaa, 0x3f, 0x39, 0x87, 0xd2, 0xbf, 0x61, 0x7d, 0xd6, 0xcc, 0x4c, 0xf4,
-	0x4a, 0xd3, 0x09, 0xc8, 0xa6, 0xfb, 0x30, 0x79, 0xa5, 0xa9, 0xb1, 0x52, 0x2c, 0xa0, 0xe8, 0x43,
-	0x18, 0x6f, 0x48, 0x73, 0x68, 0xbc, 0xc3, 0x2f, 0x15, 0x9a, 0xe6, 0x95, 0x17, 0x07, 0x57, 0xac,
-	0x2f, 0x6a, 0xf5, 0xb1, 0x41, 0xcd, 0x74, 0x75, 0x2c, 0xf7, 0x72, 0x75, 0x8c, 0xe9, 0xe6, 0x3b,
-	0xfe, 0xfd, 0x9c, 0x05, 0x43, 0xdc, 0x0c, 0xd6, 0x9f, 0x15, 0x52, 0x73, 0x6a, 0x89, 0xc7, 0x8e,
-	0x29, 0x57, 0x84, 0x64, 0x83, 0xd6, 0x60, 0x94, 0xfd, 0x60, 0x66, 0xbc, 0x72, 0xfe, 0xc3, 0x48,
-	0xde, 0xaa, 0xde, 0xc1, 0xbb, 0xb2, 0x1a, 0x8e, 0x29, 0xd8, 0x7f, 0x54, 0xa6, 0xdc, 0x2d, 0x46,
-	0x35, 0x0e, 0x7d, 0xeb, 0xe9, 0x1d, 0xfa, 0xa5, 0xa7, 0x75, 0xe8, 0x6f, 0xc1, 0x54, 0x43, 0x73,
-	0x81, 0x89, 0x67, 0xf2, 0x72, 0xe1, 0x22, 0xd1, 0xbc, 0x65, 0xb8, 0xca, 0x7e, 0xd1, 0x24, 0x82,
-	0x93, 0x54, 0xd1, 0xd7, 0x60, 0x9c, 0xcf, 0xb3, 0x68, 0x85, 0x7b, 0x8b, 0xbe, 0x90, 0xbf, 0x5e,
-	0xf4, 0x26, 0xb8, 0x89, 0x47, 0xab, 0x8e, 0x0d, 0x62, 0xa8, 0x0e, 0xb0, 0xe9, 0xb6, 0x88, 0x20,
-	0x5d, 0xe0, 0xd8, 0xbd, 0xc2, 0xb1, 0x14, 0xe1, 0x49, 0xae, 0x87, 0x90, 0x55, 0xb1, 0x46, 0xc6,
-	0xfe, 0x77, 0x16, 0xa0, 0xe5, 0xce, 0x36, 0x69, 0x93, 0xc0, 0x69, 0xc5, 0xe6, 0xf1, 0x9f, 0xb4,
-	0xa0, 0x42, 0x52, 0xc5, 0x8b, 0x7e, 0xbb, 0x2d, 0x34, 0x0c, 0x39, 0x4a, 0xb0, 0xe5, 0x9c, 0x3a,
-	0xf1, 0x2d, 0x23, 0x0f, 0x03, 0xe7, 0xb6, 0x87, 0xd6, 0xe0, 0x04, 0x3f, 0x7a, 0x0d, 0xbb, 0x82,
-	0xd8, 0x11, 0xcf, 0x08, 0xc2, 0x27, 0x36, 0xd2, 0x28, 0x38, 0xab, 0x9e, 0xfd, 0x0f, 0x26, 0x21,
-	0xb7, 0x17, 0x9f, 0xfa, 0x05, 0x7c, 0xea, 0x17, 0xf0, 0xa9, 0x5f, 0xc0, 0xa7, 0x7e, 0x01, 0x9f,
-	0xfa, 0x05, 0x7c, 0xea, 0x17, 0xf0, 0xa9, 0x5f, 0x80, 0xe6, 0x17, 0xf0, 0x57, 0x2d, 0x38, 0xa5,
-	0x0e, 0x4d, 0x43, 0xf7, 0xf0, 0xa3, 0x70, 0x82, 0x6f, 0xb7, 0xc5, 0x96, 0xe3, 0xb6, 0x37, 0x48,
-	0xbb, 0xd3, 0x72, 0x22, 0xe9, 0x73, 0x78, 0x35, 0x73, 0xe5, 0x26, 0x1e, 0x36, 0x19, 0x15, 0xf9,
-	0x0b, 0xd1, 0x0c, 0x00, 0xce, 0x6a, 0xc6, 0xfe, 0xf5, 0x11, 0x18, 0x5c, 0xde, 0x25, 0x5e, 0x74,
-	0x0c, 0xb7, 0xb4, 0x06, 0x4c, 0xba, 0xde, 0xae, 0xdf, 0xda, 0x25, 0x4d, 0x0e, 0x3f, 0x8a, 0x32,
-	0xe1, 0xb4, 0x20, 0x3d, 0xb9, 0x6a, 0x90, 0xc0, 0x09, 0x92, 0x4f, 0xc3, 0x50, 0x76, 0x1d, 0x86,
-	0xf8, 0x91, 0x27, 0x84, 0xc6, 0x4c, 0x9e, 0xcd, 0x06, 0x51, 0x1c, 0xe4, 0xb1, 0x11, 0x8f, 0x1f,
-	0xa9, 0xa2, 0x3a, 0xfa, 0x16, 0x4c, 0x6e, 0xba, 0x41, 0x18, 0x6d, 0xb8, 0x6d, 0x7a, 0x3e, 0xb4,
-	0x3b, 0x8f, 0x61, 0x18, 0x53, 0xe3, 0xb0, 0x62, 0x50, 0xc2, 0x09, 0xca, 0x68, 0x0b, 0x26, 0x5a,
-	0x8e, 0xde, 0xd4, 0xf0, 0x91, 0x9b, 0x52, 0xa7, 0xc3, 0x2d, 0x9d, 0x10, 0x36, 0xe9, 0xd2, 0xed,
-	0xd4, 0x60, 0xb6, 0x9d, 0x11, 0xa6, 0x99, 0x51, 0xdb, 0x89, 0x1b, 0x75, 0x38, 0x8c, 0x8a, 0x85,
-	0xec, 0x79, 0xd0, 0xa8, 0x29, 0x16, 0x6a, 0x8f, 0x80, 0xbe, 0x09, 0xa3, 0x84, 0x0e, 0x21, 0x25,
-	0x2c, 0x0e, 0x98, 0x2b, 0xfd, 0xf5, 0x75, 0xcd, 0x6d, 0x04, 0xbe, 0x69, 0x92, 0x5c, 0x96, 0x94,
-	0x70, 0x4c, 0x14, 0x2d, 0xc2, 0x50, 0x48, 0x02, 0x57, 0x99, 0x3d, 0x0a, 0xa6, 0x91, 0xa1, 0x71,
-	0x2b, 0x3c, 0xff, 0x8d, 0x45, 0x55, 0xba, 0xbc, 0x84, 0x3b, 0xc3, 0xb8, 0xb9, 0xbc, 0x12, 0x0e,
-	0x0b, 0xef, 0xc3, 0x70, 0x40, 0x5a, 0xcc, 0xe6, 0x3d, 0xd1, 0xff, 0x22, 0xe7, 0x26, 0x74, 0x5e,
-	0x0f, 0x4b, 0x02, 0xe8, 0x26, 0x95, 0x57, 0xa8, 0x58, 0xe9, 0x7a, 0x5b, 0xea, 0xd1, 0x8c, 0x60,
-	0xb4, 0x4a, 0x7c, 0xc7, 0x31, 0x86, 0x7c, 0x7d, 0x8e, 0x33, 0xaa, 0xa1, 0xeb, 0x30, 0xa3, 0x4a,
-	0x57, 0xbd, 0x30, 0x72, 0x28, 0x83, 0xe3, 0x96, 0x07, 0xa5, 0x2a, 0xc2, 0x49, 0x04, 0x9c, 0xae,
-	0x63, 0xff, 0xa2, 0x05, 0x7c, 0x9c, 0x8f, 0x41, 0x41, 0xf2, 0xae, 0xa9, 0x20, 0x39, 0x9b, 0x3b,
-	0x73, 0x39, 0xca, 0x91, 0x5f, 0xb4, 0x60, 0x4c, 0x9b, 0xd9, 0x78, 0xcd, 0x5a, 0x05, 0x6b, 0xb6,
-	0x0b, 0xd3, 0x74, 0xa5, 0xdf, 0xbe, 0x1f, 0x92, 0x60, 0x97, 0x34, 0xd9, 0xc2, 0x2c, 0x3d, 0xde,
-	0xc2, 0x54, 0x0e, 0xfa, 0xb7, 0x12, 0x04, 0x71, 0xaa, 0x09, 0xfb, 0x9b, 0xb2, 0xab, 0xea, 0x3d,
-	0x43, 0x43, 0xcd, 0x79, 0xe2, 0x3d, 0x83, 0x9a, 0x55, 0x1c, 0xe3, 0xd0, 0xad, 0xb6, 0xed, 0x87,
-	0x51, 0xf2, 0x3d, 0xc3, 0x0d, 0x3f, 0x8c, 0x30, 0x83, 0xd8, 0xaf, 0x03, 0x2c, 0x3f, 0x24, 0x0d,
-	0xbe, 0x62, 0xf5, 0xab, 0x96, 0x95, 0x7f, 0xd5, 0xb2, 0x7f, 0xcf, 0x82, 0xc9, 0x95, 0x45, 0xe3,
-	0xe4, 0x9a, 0x03, 0xe0, 0xf7, 0xc3, 0x7b, 0xf7, 0xd6, 0xa5, 0x2f, 0x18, 0x77, 0xd6, 0x50, 0xa5,
-	0x58, 0xc3, 0x40, 0x67, 0xa1, 0xdc, 0xea, 0x7a, 0x42, 0x83, 0x3b, 0x4c, 0x8f, 0xc7, 0x5b, 0x5d,
-	0x0f, 0xd3, 0x32, 0xed, 0xe5, 0x69, 0xb9, 0xef, 0x97, 0xa7, 0x3d, 0x03, 0x60, 0xa1, 0x2a, 0x0c,
-	0x3e, 0x78, 0xe0, 0x36, 0x79, 0x5c, 0x0f, 0xe1, 0xa7, 0x76, 0xef, 0xde, 0xea, 0x52, 0x88, 0x79,
-	0xb9, 0xfd, 0xcb, 0x16, 0x4c, 0x25, 0x6e, 0xfb, 0xf4, 0xd6, 0xb8, 0xab, 0xa2, 0x2a, 0x25, 0x83,
-	0xc7, 0x68, 0xf1, 0x96, 0x34, 0xac, 0x3e, 0x5e, 0x5c, 0x8b, 0x17, 0x3b, 0xe5, 0x3e, 0x5e, 0xec,
-	0x14, 0xbb, 0xe1, 0x7f, 0xaf, 0x0c, 0xb3, 0x2b, 0x2d, 0xf2, 0xf0, 0x63, 0x86, 0x63, 0xe9, 0xf7,
-	0xa9, 0xef, 0xd1, 0xd4, 0x77, 0x47, 0x7d, 0xce, 0xdd, 0x7b, 0x0a, 0x37, 0x61, 0x98, 0x7f, 0xba,
-	0x0c, 0xce, 0x92, 0x69, 0x4c, 0xcf, 0x1f, 0x90, 0x39, 0x3e, 0x84, 0xc2, 0x98, 0xae, 0xce, 0x78,
-	0x51, 0x8a, 0x25, 0xf1, 0xd9, 0xb7, 0x60, 0x5c, 0xc7, 0x3c, 0x52, 0x60, 0x85, 0xbf, 0x50, 0x86,
-	0x69, 0xda, 0x83, 0xa7, 0x3a, 0x11, 0x77, 0xd2, 0x13, 0xf1, 0xa4, 0x1f, 0xd7, 0xf7, 0x9e, 0x8d,
-	0x0f, 0x93, 0xb3, 0x71, 0x35, 0x6f, 0x36, 0x8e, 0x7b, 0x0e, 0xfe, 0xa2, 0x05, 0x27, 0x56, 0x5a,
-	0x7e, 0x63, 0x27, 0xf1, 0x00, 0xfe, 0x4d, 0x18, 0xa3, 0x27, 0x48, 0x68, 0xc4, 0x82, 0x32, 0xa2,
-	0x83, 0x09, 0x10, 0xd6, 0xf1, 0xb4, 0x6a, 0x77, 0xee, 0xac, 0x2e, 0x65, 0x05, 0x15, 0x13, 0x20,
-	0xac, 0xe3, 0xd9, 0xff, 0xdc, 0x82, 0xf3, 0xd7, 0x17, 0x97, 0xe3, 0xa5, 0x98, 0x8a, 0x6b, 0x76,
-	0x09, 0x86, 0x3a, 0x4d, 0xad, 0x2b, 0xb1, 0x52, 0x7e, 0x89, 0xf5, 0x42, 0x40, 0x3f, 0x29, 0x21,
-	0x04, 0xef, 0x00, 0x5c, 0xc7, 0xb5, 0x45, 0x71, 0x54, 0x48, 0x1b, 0x9c, 0x95, 0x6b, 0x83, 0x7b,
-	0x01, 0x86, 0xe9, 0x51, 0xe6, 0x36, 0x64, 0xbf, 0xb9, 0xbb, 0x0c, 0x2f, 0xc2, 0x12, 0x66, 0xff,
-	0x82, 0x05, 0x27, 0xae, 0xbb, 0x11, 0x95, 0x33, 0x92, 0x81, 0xbb, 0xa8, 0xa0, 0x11, 0xba, 0x91,
-	0x1f, 0xec, 0x25, 0x79, 0x2f, 0x56, 0x10, 0xac, 0x61, 0xf1, 0x0f, 0xda, 0x75, 0xd9, 0x93, 0xba,
-	0x92, 0x69, 0xf5, 0xc4, 0xa2, 0x1c, 0x2b, 0x0c, 0x3a, 0x5e, 0x4d, 0x37, 0x60, 0x9c, 0x5e, 0x72,
-	0x63, 0x35, 0x5e, 0x4b, 0x12, 0x80, 0x63, 0x1c, 0xfb, 0x8f, 0x2d, 0xa8, 0x5e, 0xe7, 0x81, 0x01,
-	0x36, 0xc3, 0x1c, 0xa6, 0xfb, 0x3a, 0x8c, 0x12, 0x69, 0x9e, 0x49, 0xfa, 0x72, 0x2b, 0xbb, 0x0d,
-	0x8f, 0x1f, 0xa6, 0xf0, 0xfa, 0x38, 0x33, 0x8e, 0x16, 0x66, 0x61, 0x05, 0x10, 0xd1, 0xdb, 0xd2,
-	0x03, 0xaa, 0xb1, 0xc8, 0x4c, 0xcb, 0x29, 0x28, 0xce, 0xa8, 0x61, 0xff, 0x0d, 0x0b, 0x4e, 0xa9,
-	0x0f, 0xfe, 0xc4, 0x7d, 0xa6, 0xfd, 0xab, 0x25, 0x98, 0xb8, 0xb1, 0xb1, 0x51, 0xbb, 0x4e, 0x22,
-	0x6d, 0x55, 0x16, 0x3b, 0x5d, 0x60, 0xcd, 0x76, 0x5c, 0x74, 0xad, 0xed, 0x46, 0x6e, 0x6b, 0x8e,
-	0x87, 0x09, 0x9d, 0x5b, 0xf5, 0xa2, 0xdb, 0x41, 0x3d, 0x0a, 0x5c, 0x6f, 0x2b, 0x73, 0xa5, 0x4b,
-	0x31, 0xab, 0x9c, 0x27, 0x66, 0xa1, 0xd7, 0x61, 0x88, 0xc5, 0x29, 0x95, 0x93, 0xf0, 0x8c, 0xba,
-	0x15, 0xb2, 0xd2, 0xc3, 0xfd, 0xea, 0xe8, 0x1d, 0xbc, 0xca, 0xff, 0x60, 0x81, 0x8a, 0xee, 0xc0,
-	0xd8, 0x76, 0x14, 0x75, 0x6e, 0x10, 0xa7, 0x49, 0x02, 0xc9, 0x65, 0x2f, 0x64, 0x71, 0x59, 0x3a,
-	0x08, 0x1c, 0x2d, 0x66, 0x4c, 0x71, 0x59, 0x88, 0x75, 0x3a, 0x76, 0x1d, 0x20, 0x86, 0x3d, 0x21,
-	0xb3, 0x99, 0xbd, 0x01, 0xa3, 0xf4, 0x73, 0xe7, 0x5b, 0xae, 0x53, 0xec, 0x98, 0xf0, 0x32, 0x8c,
-	0x4a, 0xb7, 0x83, 0x50, 0x44, 0x11, 0x62, 0x27, 0x92, 0xf4, 0x4a, 0x08, 0x71, 0x0c, 0xb7, 0x9f,
-	0x07, 0xe1, 0x1b, 0x5f, 0x44, 0xd2, 0xde, 0x84, 0x93, 0xcc, 0xc9, 0xdf, 0x89, 0xb6, 0x8d, 0x35,
-	0xda, 0x7b, 0x31, 0xbc, 0x22, 0xae, 0xa2, 0x25, 0xe5, 0x6d, 0x25, 0xa3, 0x54, 0x8c, 0x4b, 0x8a,
-	0xf1, 0xb5, 0xd4, 0xfe, 0xa3, 0x01, 0x78, 0x66, 0xb5, 0x9e, 0x1f, 0xfe, 0xee, 0x1a, 0x8c, 0x73,
-	0x09, 0x97, 0x2e, 0x0d, 0xa7, 0x25, 0xda, 0x55, 0x4a, 0xdb, 0x0d, 0x0d, 0x86, 0x0d, 0x4c, 0x2a,
-	0x11, 0xba, 0x1f, 0x79, 0xc9, 0x37, 0xdc, 0xab, 0x1f, 0xac, 0x63, 0x5a, 0x4e, 0xc1, 0x54, 0x58,
-	0xe6, 0x2c, 0x5d, 0x81, 0x95, 0xc0, 0xfc, 0x2e, 0x4c, 0xba, 0x61, 0x23, 0x74, 0x57, 0x3d, 0xba,
-	0x4f, 0xb5, 0x9d, 0xae, 0xd4, 0x24, 0xb4, 0xd3, 0x0a, 0x8a, 0x13, 0xd8, 0xda, 0xf9, 0x32, 0xd8,
-	0xb7, 0xc0, 0xdd, 0x33, 0xf8, 0x0e, 0x65, 0xff, 0x1d, 0xf6, 0x75, 0x21, 0xb3, 0x55, 0x08, 0xf6,
-	0xcf, 0x3f, 0x38, 0xc4, 0x12, 0x46, 0xef, 0xa0, 0x8d, 0x6d, 0xa7, 0x33, 0xdf, 0x8d, 0xb6, 0x97,
-	0xdc, 0xb0, 0xe1, 0xef, 0x92, 0x60, 0x8f, 0xa9, 0x0f, 0x46, 0xe2, 0x3b, 0xa8, 0x02, 0x2c, 0xde,
-	0x98, 0xaf, 0x51, 0x4c, 0x9c, 0xae, 0x83, 0xe6, 0x61, 0x4a, 0x16, 0xd6, 0x49, 0xc8, 0x8e, 0x80,
-	0x31, 0x46, 0x46, 0xbd, 0xaa, 0x16, 0xc5, 0x8a, 0x48, 0x12, 0xdf, 0x14, 0x70, 0xe1, 0x49, 0x08,
-	0xb8, 0x5f, 0x80, 0x09, 0xd7, 0x73, 0x23, 0xd7, 0x89, 0x7c, 0x6e, 0x68, 0xe3, 0x9a, 0x02, 0xa6,
-	0x13, 0x5f, 0xd5, 0x01, 0xd8, 0xc4, 0xb3, 0xff, 0x8f, 0x01, 0x98, 0x61, 0xd3, 0xf6, 0xe9, 0x0a,
-	0xfb, 0x61, 0x5a, 0x61, 0x77, 0xd2, 0x2b, 0xec, 0x49, 0x48, 0xee, 0x8f, 0xbd, 0xcc, 0xbe, 0x63,
-	0xc1, 0x0c, 0x53, 0xcb, 0x1b, 0xcb, 0xec, 0x0a, 0x8c, 0x06, 0xc6, 0x83, 0xf7, 0x51, 0xdd, 0xfa,
-	0x27, 0xdf, 0xae, 0xc7, 0x38, 0xe8, 0x3d, 0x80, 0x4e, 0xac, 0xf6, 0x2f, 0x19, 0x51, 0x8a, 0x21,
-	0x57, 0xe3, 0xaf, 0xd5, 0xb1, 0xbf, 0x05, 0xa3, 0xea, 0x45, 0xbb, 0xbc, 0x20, 0x5b, 0x39, 0x17,
-	0xe4, 0xde, 0x62, 0x84, 0xf4, 0x4c, 0x2c, 0x67, 0x7a, 0x26, 0xfe, 0x6b, 0x0b, 0x62, 0xa3, 0x0c,
-	0xfa, 0x00, 0x46, 0x3b, 0x3e, 0x73, 0x64, 0x0f, 0xe4, 0xeb, 0x90, 0xe7, 0x0b, 0xad, 0x3a, 0x3c,
-	0x14, 0x69, 0xc0, 0xa7, 0xa3, 0x26, 0xab, 0xe2, 0x98, 0x0a, 0xba, 0x09, 0xc3, 0x9d, 0x80, 0xd4,
-	0x23, 0x16, 0x27, 0xaf, 0x7f, 0x82, 0x7c, 0xf9, 0xf2, 0x8a, 0x58, 0x52, 0x48, 0xf8, 0x05, 0x97,
-	0xfb, 0xf7, 0x0b, 0xb6, 0xff, 0x7e, 0x09, 0xa6, 0x93, 0x8d, 0xa0, 0x77, 0x60, 0x80, 0x3c, 0x24,
-	0x0d, 0xf1, 0xa5, 0x99, 0xd2, 0x44, 0xac, 0x10, 0xe2, 0x43, 0x47, 0xff, 0x63, 0x56, 0x0b, 0xdd,
-	0x80, 0x61, 0x2a, 0x4a, 0x5c, 0x57, 0xd1, 0x64, 0x9f, 0xcd, 0x13, 0x47, 0x94, 0x4c, 0xc6, 0x3f,
-	0x4b, 0x14, 0x61, 0x59, 0x9d, 0x39, 0x12, 0x36, 0x3a, 0x75, 0x7a, 0x4b, 0x8b, 0x8a, 0x94, 0x09,
-	0x1b, 0x8b, 0x35, 0x8e, 0x24, 0xa8, 0x71, 0x47, 0x42, 0x59, 0x88, 0x63, 0x22, 0xe8, 0x3d, 0x18,
-	0x0c, 0x5b, 0x84, 0x74, 0x84, 0xa7, 0x48, 0xa6, 0x4a, 0xb7, 0x4e, 0x11, 0x04, 0x25, 0xa6, 0x02,
-	0x62, 0x05, 0x98, 0x57, 0xb4, 0x7f, 0xcd, 0x02, 0xe0, 0x9e, 0x97, 0x8e, 0xb7, 0x45, 0x8e, 0xc1,
-	0x0a, 0xb2, 0x04, 0x03, 0x61, 0x87, 0x34, 0x8a, 0xde, 0x77, 0xc4, 0xfd, 0xa9, 0x77, 0x48, 0x23,
-	0x5e, 0xed, 0xf4, 0x1f, 0x66, 0xb5, 0xed, 0x9f, 0x00, 0x98, 0x8c, 0xd1, 0x56, 0x23, 0xd2, 0x46,
-	0xaf, 0x1a, 0x21, 0xb8, 0xce, 0x26, 0x42, 0x70, 0x8d, 0x32, 0x6c, 0x4d, 0xe1, 0xfe, 0x2d, 0x28,
-	0xb7, 0x9d, 0x87, 0x42, 0xa3, 0xfa, 0x72, 0x71, 0x37, 0x28, 0xfd, 0xb9, 0x35, 0xe7, 0x21, 0xbf,
-	0xc1, 0xbf, 0x2c, 0x77, 0xe7, 0x9a, 0xf3, 0xb0, 0xe7, 0x1b, 0x04, 0xda, 0x08, 0x6b, 0xcb, 0xf5,
-	0x84, 0x53, 0x61, 0x5f, 0x6d, 0xb9, 0x5e, 0xb2, 0x2d, 0xd7, 0xeb, 0xa3, 0x2d, 0xd7, 0x43, 0x8f,
-	0x60, 0x58, 0xf8, 0xfc, 0x8a, 0xd8, 0xa0, 0x57, 0xfa, 0x68, 0x4f, 0xb8, 0x0c, 0xf3, 0x36, 0xaf,
-	0x48, 0x0d, 0x85, 0x28, 0xed, 0xd9, 0xae, 0x6c, 0x10, 0xfd, 0x35, 0x0b, 0x26, 0xc5, 0x6f, 0xf1,
-	0x9c, 0x56, 0x48, 0xf0, 0x9f, 0xef, 0xbf, 0x0f, 0xa2, 0x22, 0xef, 0xca, 0xe7, 0xe5, 0x61, 0x6b,
-	0x02, 0x7b, 0xf6, 0x28, 0xd1, 0x0b, 0xf4, 0xf7, 0x2d, 0x38, 0xd9, 0x76, 0x1e, 0xf2, 0x16, 0x79,
-	0x19, 0x76, 0x22, 0xd7, 0x17, 0x6e, 0x2e, 0xef, 0xf4, 0x37, 0xfd, 0xa9, 0xea, 0xbc, 0x93, 0xd2,
-	0xba, 0x7c, 0x32, 0x0b, 0xa5, 0x67, 0x57, 0x33, 0xfb, 0x35, 0xbb, 0x09, 0x23, 0x72, 0xbd, 0x3d,
-	0xcd, 0x07, 0x0d, 0xac, 0x1d, 0xb1, 0xd6, 0x9e, 0x6a, 0x3b, 0xdf, 0x82, 0x71, 0x7d, 0x8d, 0x3d,
-	0xd5, 0xb6, 0x3e, 0x82, 0x13, 0x19, 0x6b, 0xe9, 0xa9, 0x36, 0xf9, 0x00, 0xce, 0xe6, 0xae, 0x8f,
-	0xa7, 0xfa, 0x20, 0xe5, 0x57, 0x2d, 0x9d, 0x0f, 0x1e, 0x83, 0x29, 0x6a, 0xd1, 0x34, 0x45, 0x5d,
-	0x28, 0xde, 0x39, 0x39, 0xf6, 0xa8, 0x0f, 0xf5, 0x4e, 0x53, 0xae, 0x8e, 0xde, 0x87, 0xa1, 0x16,
-	0x2d, 0x91, 0x9e, 0xe3, 0x76, 0xef, 0x1d, 0x19, 0x4b, 0xd4, 0xac, 0x3c, 0xc4, 0x82, 0x82, 0xfd,
-	0x33, 0x16, 0x64, 0x3c, 0xa9, 0xa1, 0x12, 0x56, 0xd7, 0x6d, 0xb2, 0x21, 0x29, 0xc7, 0x12, 0x96,
-	0x8a, 0x50, 0x75, 0x1e, 0xca, 0x5b, 0x6e, 0x53, 0xbc, 0xd6, 0x57, 0xe0, 0xeb, 0x14, 0xbc, 0xe5,
-	0x36, 0xd1, 0x0a, 0xa0, 0xb0, 0xdb, 0xe9, 0xb4, 0x98, 0x67, 0x98, 0xd3, 0xba, 0x1e, 0xf8, 0xdd,
-	0x0e, 0x77, 0x13, 0x2f, 0x73, 0xf5, 0x52, 0x3d, 0x05, 0xc5, 0x19, 0x35, 0xec, 0x7f, 0x64, 0xc1,
-	0xc0, 0x31, 0x4c, 0x13, 0x36, 0xa7, 0xe9, 0xd5, 0x5c, 0xd2, 0x22, 0xa5, 0xcc, 0x1c, 0x76, 0x1e,
-	0xb0, 0x70, 0x0d, 0x21, 0x13, 0x38, 0x32, 0x67, 0x6d, 0xdf, 0x82, 0x13, 0xb7, 0x7c, 0xa7, 0xb9,
-	0xe0, 0xb4, 0x1c, 0xaf, 0x41, 0x82, 0x55, 0x6f, 0xeb, 0x48, 0x6f, 0x32, 0x4a, 0x3d, 0xdf, 0x64,
-	0x5c, 0x83, 0x21, 0xb7, 0xa3, 0xe5, 0xa4, 0xb8, 0x48, 0x67, 0x77, 0xb5, 0x26, 0xd2, 0x51, 0x20,
-	0xa3, 0x71, 0x56, 0x8a, 0x05, 0x3e, 0x5d, 0x96, 0xdc, 0x6f, 0x71, 0x20, 0x7f, 0x59, 0xd2, 0x5b,
-	0x52, 0x32, 0xd6, 0xa2, 0xe1, 0xb6, 0xbf, 0x0d, 0x46, 0x13, 0xe2, 0x91, 0x1a, 0x86, 0x61, 0x97,
-	0x7f, 0xa9, 0x58, 0x9b, 0x2f, 0x66, 0xdf, 0x5e, 0x52, 0x03, 0xa3, 0xbd, 0xc6, 0xe4, 0x05, 0x58,
-	0x12, 0xb2, 0xaf, 0x41, 0x66, 0x6c, 0xac, 0xde, 0x9a, 0x29, 0xfb, 0x2b, 0x30, 0xc3, 0x6a, 0x1e,
-	0x51, 0xeb, 0x63, 0x27, 0xf4, 0xe9, 0x19, 0xe1, 0xc5, 0xed, 0xff, 0xc5, 0x02, 0xb4, 0xe6, 0x37,
-	0xdd, 0xcd, 0x3d, 0x41, 0x9c, 0x7f, 0xff, 0x47, 0x50, 0xe5, 0xd7, 0xea, 0x64, 0x08, 0xee, 0xc5,
-	0x96, 0x13, 0x86, 0x9a, 0x2e, 0xff, 0x45, 0xd1, 0x6e, 0x75, 0xa3, 0x18, 0x1d, 0xf7, 0xa2, 0x87,
-	0x3e, 0x48, 0x44, 0x44, 0xfd, 0x62, 0x2a, 0x22, 0xea, 0x8b, 0x99, 0x4e, 0x40, 0xe9, 0xde, 0xcb,
-	0x48, 0xa9, 0xf6, 0x77, 0x2d, 0x98, 0x5a, 0x4f, 0x84, 0x94, 0xbe, 0xc4, 0x3c, 0x22, 0x32, 0x6c,
-	0x54, 0x75, 0x56, 0x8a, 0x05, 0xf4, 0x89, 0xeb, 0x70, 0xff, 0xd4, 0x82, 0x38, 0x16, 0xdf, 0x31,
-	0x88, 0xdc, 0x8b, 0x86, 0xc8, 0x9d, 0x79, 0x7d, 0x51, 0xdd, 0xc9, 0x93, 0xb8, 0xd1, 0x4d, 0x35,
-	0x27, 0x05, 0x37, 0x97, 0x98, 0x0c, 0xdf, 0x67, 0x93, 0xe6, 0xc4, 0xa9, 0xd9, 0xf8, 0xfd, 0x12,
-	0x20, 0x85, 0xdb, 0x77, 0x14, 0xdd, 0x74, 0x8d, 0x27, 0x13, 0x45, 0x77, 0x17, 0x10, 0xf3, 0xe9,
-	0x09, 0x1c, 0x2f, 0xe4, 0x64, 0x5d, 0xa1, 0xb5, 0x3e, 0x9a, 0xc3, 0x90, 0x72, 0x89, 0xbd, 0x95,
-	0xa2, 0x86, 0x33, 0x5a, 0xd0, 0x7c, 0xb5, 0x06, 0xfb, 0xf5, 0xd5, 0x1a, 0xea, 0xf1, 0xe8, 0xfe,
-	0x57, 0x2c, 0x98, 0x50, 0xc3, 0xf4, 0x09, 0x79, 0xba, 0xa3, 0xfa, 0x93, 0x73, 0xae, 0xd4, 0xb4,
-	0x2e, 0x33, 0x61, 0xe0, 0x47, 0x58, 0xf0, 0x04, 0xa7, 0xe5, 0x3e, 0x22, 0x2a, 0xd8, 0x7b, 0x55,
-	0x04, 0x43, 0x10, 0xa5, 0x87, 0xfb, 0xd5, 0x09, 0xf5, 0x8f, 0xfb, 0x23, 0xc4, 0x55, 0xec, 0xbf,
-	0x4d, 0x37, 0xbb, 0xb9, 0x14, 0xd1, 0x9b, 0x30, 0xd8, 0xd9, 0x76, 0x42, 0x92, 0x78, 0xe2, 0x38,
-	0x58, 0xa3, 0x85, 0x87, 0xfb, 0xd5, 0x49, 0x55, 0x81, 0x95, 0x60, 0x8e, 0xdd, 0x7f, 0x6c, 0xe2,
-	0xf4, 0xe2, 0xec, 0x19, 0x9b, 0xf8, 0xdf, 0x59, 0x30, 0xb0, 0x4e, 0x4f, 0xaf, 0xa7, 0xcf, 0x02,
-	0xde, 0x35, 0x58, 0xc0, 0xb9, 0xbc, 0xb4, 0x67, 0xb9, 0xbb, 0x7f, 0x25, 0xb1, 0xfb, 0x2f, 0xe4,
-	0x52, 0x28, 0xde, 0xf8, 0x6d, 0x18, 0x63, 0xc9, 0xd4, 0xc4, 0x73, 0xce, 0xd7, 0x8d, 0x0d, 0x5f,
-	0x4d, 0x6c, 0xf8, 0x29, 0x0d, 0x55, 0xdb, 0xe9, 0x2f, 0xc1, 0xb0, 0x78, 0x1f, 0x98, 0x8c, 0x41,
-	0x21, 0x70, 0xb1, 0x84, 0xdb, 0x3f, 0x57, 0x06, 0x23, 0x79, 0x1b, 0xfa, 0x27, 0x16, 0xcc, 0x05,
-	0xdc, 0xc5, 0xbf, 0xb9, 0xd4, 0x0d, 0x5c, 0x6f, 0xab, 0xde, 0xd8, 0x26, 0xcd, 0x6e, 0xcb, 0xf5,
-	0xb6, 0x56, 0xb7, 0x3c, 0x5f, 0x15, 0x2f, 0x3f, 0x24, 0x8d, 0xae, 0x8a, 0xdb, 0x53, 0x90, 0x29,
-	0x4e, 0x3d, 0x93, 0x79, 0xed, 0x60, 0xbf, 0x3a, 0x87, 0x8f, 0x44, 0x1b, 0x1f, 0xb1, 0x2f, 0xe8,
-	0x9f, 0x5b, 0x70, 0x85, 0x27, 0x11, 0xeb, 0xbf, 0xff, 0x05, 0x1a, 0x8e, 0x9a, 0x24, 0x15, 0x13,
-	0xd9, 0x20, 0x41, 0x7b, 0xe1, 0x0b, 0x62, 0x40, 0xaf, 0xd4, 0x8e, 0xd6, 0x16, 0x3e, 0x6a, 0xe7,
-	0xec, 0xff, 0xa6, 0x0c, 0x13, 0x22, 0x86, 0xad, 0x38, 0x03, 0xde, 0x34, 0x96, 0xc4, 0xb3, 0x89,
-	0x25, 0x31, 0x63, 0x20, 0x3f, 0x19, 0xf6, 0x1f, 0xc2, 0x0c, 0x65, 0xce, 0x37, 0x88, 0x13, 0x44,
-	0xf7, 0x89, 0xc3, 0x5d, 0x30, 0xcb, 0x47, 0xe6, 0xfe, 0x4a, 0xb1, 0x7e, 0x2b, 0x49, 0x0c, 0xa7,
-	0xe9, 0xff, 0x30, 0x9d, 0x39, 0x1e, 0x4c, 0xa7, 0xc2, 0x10, 0x7f, 0x15, 0x46, 0xd5, 0xe3, 0x36,
-	0xc1, 0x74, 0x8a, 0xa3, 0x79, 0x27, 0x29, 0x70, 0xa5, 0x67, 0xfc, 0xb0, 0x32, 0x26, 0x67, 0xff,
-	0x72, 0xc9, 0x68, 0x90, 0x4f, 0xe2, 0x3a, 0x8c, 0x38, 0x21, 0xcb, 0x30, 0xd0, 0x2c, 0xd2, 0x68,
-	0xa7, 0x9a, 0x61, 0x7e, 0x66, 0xf3, 0xa2, 0x26, 0x56, 0x34, 0xd0, 0x0d, 0xee, 0xe8, 0xba, 0x4b,
-	0x8a, 0xd4, 0xd9, 0x29, 0x6a, 0x20, 0x5d, 0x61, 0x77, 0x09, 0x16, 0xf5, 0xd1, 0xd7, 0xb9, 0x27,
-	0xf2, 0x4d, 0xcf, 0x7f, 0xe0, 0x5d, 0xf7, 0x7d, 0x19, 0x04, 0xaa, 0x3f, 0x82, 0x33, 0xd2, 0xff,
-	0x58, 0x55, 0xc7, 0x26, 0xb5, 0xfe, 0xe2, 0xfa, 0xff, 0x28, 0xb0, 0xa4, 0x49, 0x66, 0x2c, 0x89,
-	0x10, 0x11, 0x98, 0x12, 0x01, 0x92, 0x65, 0x99, 0x18, 0xbb, 0xcc, 0xeb, 0xb7, 0x59, 0x3b, 0xb6,
-	0x00, 0xdd, 0x34, 0x49, 0xe0, 0x24, 0x4d, 0x7b, 0x9b, 0x33, 0xe1, 0x15, 0xe2, 0x44, 0xdd, 0x80,
-	0x84, 0xe8, 0xcb, 0x50, 0x49, 0xdf, 0x8c, 0x85, 0x21, 0xc5, 0x62, 0xd2, 0xf3, 0xb9, 0x83, 0xfd,
-	0x6a, 0xa5, 0x9e, 0x83, 0x83, 0x73, 0x6b, 0xdb, 0x3f, 0x6f, 0x01, 0x7b, 0xc1, 0x7f, 0x0c, 0x92,
-	0xcf, 0x97, 0x4c, 0xc9, 0xa7, 0x92, 0x37, 0x9d, 0x39, 0x42, 0xcf, 0x1b, 0x7c, 0x0d, 0xd7, 0x02,
-	0xff, 0xe1, 0x9e, 0xf0, 0xfa, 0xea, 0x7d, 0x8d, 0xb3, 0xbf, 0x67, 0x01, 0xcb, 0x30, 0x86, 0xf9,
-	0xad, 0x5d, 0x1a, 0x38, 0x7a, 0x3b, 0x34, 0x7c, 0x19, 0x46, 0x36, 0xc5, 0xf0, 0x67, 0x28, 0x9d,
-	0x8c, 0x0e, 0x9b, 0xb4, 0xe5, 0xa4, 0x89, 0x97, 0xb8, 0xe2, 0x1f, 0x56, 0xd4, 0xec, 0xff, 0xd2,
-	0x82, 0xd9, 0xfc, 0x6a, 0xe8, 0x0e, 0x9c, 0x09, 0x48, 0xa3, 0x1b, 0x84, 0x74, 0x4b, 0x88, 0x0b,
-	0x90, 0x78, 0x01, 0xc6, 0xa7, 0xfa, 0x99, 0x83, 0xfd, 0xea, 0x19, 0x9c, 0x8d, 0x82, 0xf3, 0xea,
-	0xa2, 0xb7, 0x60, 0xb2, 0x1b, 0x72, 0xc9, 0x8f, 0x09, 0x5d, 0xa1, 0x08, 0x63, 0xcf, 0x1e, 0x49,
-	0xdd, 0x31, 0x20, 0x38, 0x81, 0x69, 0xff, 0x79, 0xbe, 0x1c, 0x95, 0xc7, 0x6b, 0x1b, 0x66, 0x3c,
-	0xed, 0x3f, 0x3d, 0x01, 0xe5, 0x55, 0xff, 0xf9, 0x5e, 0xa7, 0x3e, 0x3b, 0x2e, 0xb5, 0x18, 0x03,
-	0x09, 0x32, 0x38, 0x4d, 0xd9, 0xfe, 0x9b, 0x16, 0x9c, 0xd1, 0x11, 0xb5, 0x17, 0x87, 0xbd, 0xac,
-	0x80, 0x4b, 0x5a, 0x00, 0x3e, 0x7e, 0xcc, 0x5d, 0xce, 0x08, 0xc0, 0x77, 0x52, 0xa7, 0x5e, 0x18,
-	0x6d, 0x8f, 0xbf, 0x2d, 0xcd, 0x8a, 0xb6, 0xf7, 0x47, 0x16, 0x5f, 0x9f, 0x7a, 0xd7, 0xd1, 0x47,
-	0x30, 0xdd, 0x76, 0xa2, 0xc6, 0xf6, 0xf2, 0xc3, 0x4e, 0xc0, 0x8d, 0xbb, 0x72, 0x9c, 0x5e, 0xee,
-	0x35, 0x4e, 0xda, 0x47, 0xc6, 0xde, 0xe0, 0x6b, 0x09, 0x62, 0x38, 0x45, 0x1e, 0xdd, 0x87, 0x31,
-	0x56, 0xc6, 0xde, 0x62, 0x87, 0x45, 0xb2, 0x4c, 0x5e, 0x6b, 0xca, 0x39, 0x68, 0x2d, 0xa6, 0x83,
-	0x75, 0xa2, 0xf6, 0x2f, 0x95, 0x39, 0xd3, 0x60, 0x77, 0x8f, 0x97, 0x60, 0xb8, 0xe3, 0x37, 0x17,
-	0x57, 0x97, 0xb0, 0x98, 0x05, 0x75, 0xee, 0xd5, 0x78, 0x31, 0x96, 0x70, 0x74, 0x19, 0x46, 0xc4,
-	0x4f, 0x69, 0x8c, 0x67, 0x7b, 0x44, 0xe0, 0x85, 0x58, 0x41, 0xd1, 0x6b, 0x00, 0x9d, 0xc0, 0xdf,
-	0x75, 0x9b, 0x2c, 0xf6, 0x56, 0xd9, 0xf4, 0xeb, 0xab, 0x29, 0x08, 0xd6, 0xb0, 0xd0, 0xdb, 0x30,
-	0xd1, 0xf5, 0x42, 0x2e, 0x3f, 0x69, 0xc9, 0x38, 0x94, 0xc7, 0xd9, 0x1d, 0x1d, 0x88, 0x4d, 0x5c,
-	0x34, 0x0f, 0x43, 0x91, 0xc3, 0xfc, 0xd4, 0x06, 0xf3, 0x5f, 0x0c, 0x6c, 0x50, 0x0c, 0x3d, 0xed,
-	0x25, 0xad, 0x80, 0x45, 0x45, 0xf4, 0x55, 0x19, 0x16, 0x81, 0x9f, 0x44, 0xe2, 0xa9, 0x4e, 0x7f,
-	0xa7, 0x96, 0x16, 0x14, 0x41, 0x3c, 0x01, 0x32, 0x68, 0xa1, 0xb7, 0x00, 0xc8, 0xc3, 0x88, 0x04,
-	0x9e, 0xd3, 0x52, 0xde, 0xa5, 0x4a, 0x90, 0x59, 0xf2, 0xd7, 0xfd, 0xe8, 0x4e, 0x48, 0x96, 0x15,
-	0x06, 0xd6, 0xb0, 0xed, 0x9f, 0x18, 0x03, 0x88, 0x2f, 0x1a, 0xe8, 0x11, 0x8c, 0x34, 0x9c, 0x8e,
-	0xd3, 0xe0, 0x39, 0x9d, 0xcb, 0x79, 0x0f, 0xcb, 0xe3, 0x1a, 0x73, 0x8b, 0x02, 0x9d, 0x1b, 0x6f,
-	0x64, 0x3e, 0x83, 0x11, 0x59, 0xdc, 0xd3, 0x60, 0xa3, 0xda, 0x43, 0xdf, 0xb1, 0x60, 0x4c, 0xc4,
-	0xb6, 0x62, 0x33, 0x54, 0xca, 0xb7, 0xb7, 0x69, 0xed, 0xcf, 0xc7, 0x35, 0x78, 0x17, 0x5e, 0x97,
-	0x2b, 0x54, 0x83, 0xf4, 0xec, 0x85, 0xde, 0x30, 0xfa, 0x9c, 0xbc, 0xdb, 0x96, 0x8d, 0xa1, 0x54,
-	0x77, 0xdb, 0x51, 0x76, 0xd4, 0xe8, 0xd7, 0xda, 0x3b, 0xc6, 0xb5, 0x76, 0x20, 0xff, 0x89, 0xb6,
-	0x21, 0x6f, 0xf7, 0xba, 0xd1, 0xa2, 0x9a, 0x1e, 0x03, 0x66, 0x30, 0xff, 0x85, 0xaf, 0x76, 0xb1,
-	0xeb, 0x11, 0xff, 0xe5, 0x5b, 0x30, 0xd5, 0x34, 0xa5, 0x16, 0xb1, 0x12, 0x5f, 0xcc, 0xa3, 0x9b,
-	0x10, 0x72, 0x62, 0x39, 0x25, 0x01, 0xc0, 0x49, 0xc2, 0xa8, 0xc6, 0x43, 0x02, 0xad, 0x7a, 0x9b,
-	0xbe, 0x78, 0x2e, 0x66, 0xe7, 0xce, 0xe5, 0x5e, 0x18, 0x91, 0x36, 0xc5, 0x8c, 0x85, 0x84, 0x75,
-	0x51, 0x17, 0x2b, 0x2a, 0xe8, 0x7d, 0x18, 0x62, 0x4f, 0x3c, 0xc3, 0xca, 0x48, 0xbe, 0x59, 0xc3,
-	0x8c, 0x2e, 0x1c, 0x6f, 0x48, 0xf6, 0x37, 0xc4, 0x82, 0x02, 0xba, 0x21, 0x1f, 0x50, 0x87, 0xab,
-	0xde, 0x9d, 0x90, 0xb0, 0x07, 0xd4, 0xa3, 0x0b, 0xcf, 0xc7, 0x6f, 0xa3, 0x79, 0x79, 0x66, 0x72,
-	0x6c, 0xa3, 0x26, 0x15, 0xfb, 0xc4, 0x7f, 0x99, 0x73, 0x5b, 0x44, 0xea, 0xcb, 0xec, 0x9e, 0x99,
-	0x97, 0x3b, 0x1e, 0xce, 0xbb, 0x26, 0x09, 0x9c, 0xa4, 0x49, 0x45, 0x68, 0xbe, 0xeb, 0xc5, 0x83,
-	0xb3, 0x5e, 0xbc, 0x83, 0x6b, 0x0e, 0xd8, 0x69, 0xc4, 0x4b, 0xb0, 0xa8, 0x8f, 0x5c, 0x98, 0x0a,
-	0x0c, 0xf1, 0x42, 0x06, 0xd8, 0xbb, 0xd4, 0x9f, 0x10, 0xa3, 0x65, 0x19, 0x31, 0xc9, 0xe0, 0x24,
-	0x5d, 0xf4, 0xbe, 0x26, 0x28, 0x4d, 0x14, 0xdf, 0xfc, 0x7b, 0x89, 0x46, 0xb3, 0x3b, 0x30, 0x61,
-	0x30, 0x9b, 0xa7, 0x6a, 0x82, 0xf4, 0x60, 0x3a, 0xc9, 0x59, 0x9e, 0xaa, 0xe5, 0xf1, 0x2d, 0x98,
-	0x64, 0x1b, 0xe1, 0x81, 0xd3, 0x11, 0xac, 0xf8, 0xb2, 0xc1, 0x8a, 0xad, 0xcb, 0x65, 0x3e, 0x30,
-	0x72, 0x08, 0x62, 0xc6, 0x69, 0xff, 0x9d, 0x41, 0x51, 0x59, 0xed, 0x22, 0x74, 0x05, 0x46, 0x45,
-	0x07, 0x54, 0xaa, 0x3e, 0xc5, 0x18, 0xd6, 0x24, 0x00, 0xc7, 0x38, 0x2c, 0x43, 0x23, 0xab, 0xae,
-	0xbd, 0x50, 0x88, 0x33, 0x34, 0x2a, 0x08, 0xd6, 0xb0, 0xe8, 0xe5, 0xf7, 0xbe, 0xef, 0x47, 0xea,
-	0x0c, 0x56, 0x5b, 0x6d, 0x81, 0x95, 0x62, 0x01, 0xa5, 0x67, 0xef, 0x0e, 0x09, 0x3c, 0xd2, 0x32,
-	0x73, 0xd5, 0xa8, 0xb3, 0xf7, 0xa6, 0x0e, 0xc4, 0x26, 0x2e, 0x95, 0x20, 0xfc, 0x90, 0xed, 0x5d,
-	0x71, 0xc5, 0x8e, 0x5f, 0x7c, 0xd4, 0x79, 0x90, 0x0f, 0x09, 0x47, 0x5f, 0x81, 0x33, 0x2a, 0xd8,
-	0xa6, 0x58, 0x99, 0xb2, 0xc5, 0x21, 0x43, 0x23, 0x76, 0x66, 0x31, 0x1b, 0x0d, 0xe7, 0xd5, 0x47,
-	0xef, 0xc2, 0xa4, 0xb8, 0x86, 0x49, 0x8a, 0xc3, 0xa6, 0xfb, 0xe2, 0x4d, 0x03, 0x8a, 0x13, 0xd8,
-	0x32, 0xdb, 0x0e, 0xbb, 0x9f, 0x48, 0x0a, 0x23, 0xe9, 0x6c, 0x3b, 0x3a, 0x1c, 0xa7, 0x6a, 0xa0,
-	0x79, 0x98, 0xe2, 0x62, 0xa7, 0xeb, 0x6d, 0xf1, 0x39, 0x11, 0x4f, 0x60, 0xd5, 0x86, 0xbc, 0x6d,
-	0x82, 0x71, 0x12, 0x1f, 0x5d, 0x83, 0x71, 0x27, 0x68, 0x6c, 0xbb, 0x11, 0x69, 0xd0, 0x5d, 0xc5,
-	0x3c, 0x08, 0x35, 0xff, 0xcf, 0x79, 0x0d, 0x86, 0x0d, 0x4c, 0xf4, 0x1e, 0x0c, 0x84, 0x0f, 0x9c,
-	0x8e, 0xe0, 0x3e, 0xf9, 0xac, 0x5c, 0xad, 0x60, 0xee, 0xfa, 0x45, 0xff, 0x63, 0x56, 0xd3, 0x7e,
-	0x04, 0x27, 0x32, 0x82, 0x12, 0xd1, 0xa5, 0xe7, 0x74, 0x5c, 0x39, 0x2a, 0x89, 0x67, 0x1a, 0xf3,
-	0xb5, 0x55, 0x39, 0x1e, 0x1a, 0x16, 0x5d, 0xdf, 0x2c, 0x78, 0x51, 0x2d, 0x36, 0x24, 0xa9, 0xf5,
-	0xbd, 0x22, 0x01, 0x38, 0xc6, 0xb1, 0xff, 0xa4, 0x04, 0x53, 0x19, 0xe6, 0x41, 0x96, 0x1b, 0x3f,
-	0x71, 0xcf, 0x8b, 0x53, 0xe1, 0x9b, 0xe9, 0x9f, 0x4a, 0x47, 0x48, 0xff, 0x54, 0xee, 0x95, 0xfe,
-	0x69, 0xe0, 0xe3, 0xa4, 0x7f, 0x32, 0x47, 0x6c, 0xb0, 0xaf, 0x11, 0xcb, 0x48, 0x19, 0x35, 0x74,
-	0xc4, 0x94, 0x51, 0xc6, 0xa0, 0x0f, 0xf7, 0x31, 0xe8, 0xff, 0x69, 0x09, 0xa6, 0x93, 0x96, 0xc5,
-	0x63, 0xd0, 0xce, 0xbf, 0x6f, 0x68, 0xe7, 0x2f, 0xf7, 0x13, 0xf4, 0x20, 0x57, 0x53, 0x8f, 0x13,
-	0x9a, 0xfa, 0xcf, 0xf6, 0x45, 0xad, 0x58, 0x6b, 0xff, 0xb7, 0x4a, 0x70, 0x2a, 0xd3, 0xe0, 0x7a,
-	0x0c, 0x63, 0x73, 0xdb, 0x18, 0x9b, 0x57, 0xfb, 0x0e, 0x08, 0x91, 0x3b, 0x40, 0xf7, 0x12, 0x03,
-	0x74, 0xa5, 0x7f, 0x92, 0xc5, 0xa3, 0xf4, 0xfd, 0x32, 0x5c, 0xc8, 0xac, 0x17, 0x2b, 0xb7, 0x57,
-	0x0c, 0xe5, 0xf6, 0x6b, 0x09, 0xe5, 0xb6, 0x5d, 0x5c, 0xfb, 0xc9, 0x68, 0xbb, 0x45, 0x60, 0x04,
-	0x16, 0xde, 0xe5, 0x31, 0x35, 0xdd, 0x46, 0x60, 0x04, 0x45, 0x08, 0x9b, 0x74, 0x7f, 0x98, 0x34,
-	0xdc, 0xff, 0x83, 0x05, 0x67, 0x33, 0xe7, 0xe6, 0x18, 0xf4, 0x8c, 0xeb, 0xa6, 0x9e, 0xf1, 0xa5,
-	0xbe, 0x57, 0x6b, 0x8e, 0xe2, 0xf1, 0xbb, 0x43, 0x39, 0xdf, 0xc2, 0xd4, 0x1f, 0xb7, 0x61, 0xcc,
-	0x69, 0x34, 0x48, 0x18, 0xae, 0xb1, 0x54, 0x13, 0xdc, 0xf6, 0xfa, 0x2a, 0xbb, 0x9c, 0xc6, 0xc5,
-	0x87, 0xfb, 0xd5, 0xd9, 0x24, 0x89, 0x18, 0x8c, 0x75, 0x0a, 0xe8, 0xeb, 0x30, 0x12, 0xca, 0x24,
-	0xbf, 0x03, 0x8f, 0x9f, 0xe4, 0x97, 0x49, 0x92, 0x4a, 0xbd, 0xa3, 0x48, 0xa2, 0x3f, 0xa7, 0x87,
-	0xf7, 0x2a, 0x50, 0x6c, 0xf2, 0x4e, 0x3e, 0x46, 0x90, 0x2f, 0xf3, 0x39, 0x7c, 0xb9, 0xaf, 0xe7,
-	0xf0, 0xef, 0xc1, 0x74, 0xc8, 0xc3, 0xe5, 0xc6, 0x2e, 0x32, 0x7c, 0x2d, 0xb2, 0x88, 0x83, 0xf5,
-	0x04, 0x0c, 0xa7, 0xb0, 0xd1, 0x8a, 0x6c, 0x95, 0x39, 0x43, 0xf1, 0xe5, 0x79, 0x29, 0x6e, 0x51,
-	0x38, 0x44, 0x9d, 0x4c, 0x4e, 0x02, 0x1b, 0x7e, 0xad, 0x26, 0xfa, 0x3a, 0x00, 0x5d, 0x44, 0x42,
-	0x85, 0x33, 0x9c, 0xcf, 0x42, 0x29, 0x6f, 0x69, 0x66, 0xbe, 0xc0, 0x60, 0x11, 0x0d, 0x96, 0x14,
-	0x11, 0xac, 0x11, 0x44, 0x0e, 0x4c, 0xc4, 0xff, 0x30, 0xd9, 0x2c, 0x0a, 0xb0, 0xc6, 0x5a, 0x48,
-	0x12, 0x67, 0xe6, 0x8d, 0x25, 0x9d, 0x04, 0x36, 0x29, 0xa2, 0xaf, 0xc1, 0xd9, 0xdd, 0x5c, 0xbf,
-	0x23, 0x2e, 0x4b, 0x9e, 0x3f, 0xd8, 0xaf, 0x9e, 0xcd, 0xf7, 0x36, 0xca, 0xaf, 0x6f, 0xff, 0x8f,
-	0x00, 0xcf, 0x14, 0x70, 0x7a, 0x34, 0x6f, 0xfa, 0x0c, 0xbc, 0x9c, 0xd4, 0xab, 0xcc, 0x66, 0x56,
-	0x36, 0x14, 0x2d, 0x89, 0x0d, 0x55, 0xfa, 0xd8, 0x1b, 0xea, 0xa7, 0x2c, 0xed, 0x9a, 0xc5, 0x3d,
-	0xca, 0xbf, 0x74, 0xc4, 0x13, 0xec, 0x09, 0xaa, 0xc0, 0x36, 0x33, 0xf4, 0x48, 0xaf, 0xf5, 0xdd,
-	0x9d, 0xfe, 0x15, 0x4b, 0xbf, 0x9a, 0x9d, 0x60, 0x80, 0xab, 0x98, 0xae, 0x1f, 0xf5, 0xfb, 0x8f,
-	0x2b, 0xd9, 0xc0, 0xef, 0x5b, 0x70, 0x36, 0x55, 0xcc, 0xfb, 0x40, 0x42, 0x11, 0xce, 0x70, 0xfd,
-	0x63, 0x77, 0x5e, 0x12, 0xe4, 0xdf, 0x70, 0x43, 0x7c, 0xc3, 0xd9, 0x5c, 0xbc, 0x64, 0xd7, 0x7f,
-	0xf2, 0x5f, 0x55, 0x4f, 0xb0, 0x06, 0x4c, 0x44, 0x9c, 0xdf, 0x75, 0xd4, 0x81, 0x8b, 0x8d, 0x6e,
-	0x10, 0xc4, 0x8b, 0x35, 0x63, 0x73, 0xf2, 0xdb, 0xe2, 0xf3, 0x07, 0xfb, 0xd5, 0x8b, 0x8b, 0x3d,
-	0x70, 0x71, 0x4f, 0x6a, 0xc8, 0x03, 0xd4, 0x4e, 0x79, 0xf7, 0x31, 0x06, 0x90, 0xa3, 0x05, 0x4a,
-	0xfb, 0x02, 0x72, 0x3f, 0xdd, 0x0c, 0x1f, 0xc1, 0x0c, 0xca, 0xc7, 0xab, 0xbb, 0xf9, 0xc1, 0x64,
-	0x33, 0x98, 0xbd, 0x05, 0x17, 0x8a, 0x17, 0xd3, 0x91, 0x42, 0x50, 0xfc, 0x9e, 0x05, 0xe7, 0x0b,
-	0x43, 0xb3, 0xfd, 0x19, 0xbc, 0x2c, 0xd8, 0xdf, 0xb6, 0xe0, 0xd9, 0xcc, 0x1a, 0xc9, 0xc7, 0x83,
-	0x0d, 0x5a, 0xa8, 0x39, 0xc3, 0xc6, 0x41, 0x8a, 0x24, 0x00, 0xc7, 0x38, 0x86, 0xbf, 0x68, 0xa9,
-	0xa7, 0xbf, 0xe8, 0x3f, 0xb5, 0x20, 0x75, 0xd4, 0x1f, 0x83, 0xe4, 0xb9, 0x6a, 0x4a, 0x9e, 0xcf,
-	0xf7, 0x33, 0x9a, 0x39, 0x42, 0xe7, 0xbf, 0x9d, 0x82, 0xd3, 0x39, 0x2f, 0xc8, 0x77, 0x61, 0x66,
-	0xab, 0x41, 0xcc, 0x90, 0x21, 0x45, 0xd1, 0xff, 0x0a, 0xe3, 0x8b, 0x2c, 0x9c, 0x3a, 0xd8, 0xaf,
-	0xce, 0xa4, 0x50, 0x70, 0xba, 0x09, 0xf4, 0x6d, 0x0b, 0x4e, 0x3a, 0x0f, 0xc2, 0x65, 0x7a, 0x83,
-	0x70, 0x1b, 0x0b, 0x2d, 0xbf, 0xb1, 0x43, 0x05, 0x33, 0xb9, 0xad, 0xde, 0xc8, 0x54, 0x85, 0xdf,
-	0xab, 0xa7, 0xf0, 0x8d, 0xe6, 0x2b, 0x07, 0xfb, 0xd5, 0x93, 0x59, 0x58, 0x38, 0xb3, 0x2d, 0x84,
-	0x45, 0x0e, 0x3f, 0x27, 0xda, 0x2e, 0x0a, 0x6a, 0x93, 0xf5, 0xd4, 0x9f, 0x8b, 0xc4, 0x12, 0x82,
-	0x15, 0x1d, 0xf4, 0x4d, 0x18, 0xdd, 0x92, 0xf1, 0x2b, 0x32, 0x44, 0xee, 0x78, 0x20, 0x8b, 0xa3,
-	0x7a, 0x70, 0x07, 0x1c, 0x85, 0x84, 0x63, 0xa2, 0xe8, 0x5d, 0x28, 0x7b, 0x9b, 0x61, 0x51, 0x08,
-	0xe9, 0x84, 0xa7, 0x35, 0x8f, 0x76, 0xb5, 0xbe, 0x52, 0xc7, 0xb4, 0x22, 0xba, 0x01, 0xe5, 0xe0,
-	0x7e, 0x53, 0xd8, 0x71, 0x32, 0x37, 0x29, 0x5e, 0x58, 0xca, 0xe9, 0x15, 0xa3, 0x84, 0x17, 0x96,
-	0x30, 0x25, 0x81, 0x6a, 0x30, 0xc8, 0x9e, 0x5d, 0x0b, 0xd1, 0x36, 0xf3, 0x2a, 0x5f, 0x10, 0xbe,
-	0x80, 0xbf, 0x87, 0x64, 0x08, 0x98, 0x13, 0x42, 0x1b, 0x30, 0xd4, 0x70, 0xbd, 0x26, 0x09, 0x84,
-	0x2c, 0xfb, 0xb9, 0x4c, 0x8b, 0x0d, 0xc3, 0xc8, 0xa1, 0xc9, 0x0d, 0x18, 0x0c, 0x03, 0x0b, 0x5a,
-	0x8c, 0x2a, 0xe9, 0x6c, 0x6f, 0xca, 0x13, 0x2b, 0x9b, 0x2a, 0xe9, 0x6c, 0xaf, 0xd4, 0x0b, 0xa9,
-	0x32, 0x0c, 0x2c, 0x68, 0xa1, 0xb7, 0xa0, 0xb4, 0xd9, 0x10, 0x4f, 0xaa, 0x33, 0xd5, 0x9b, 0x66,
-	0xc0, 0xb2, 0x85, 0xa1, 0x83, 0xfd, 0x6a, 0x69, 0x65, 0x11, 0x97, 0x36, 0x1b, 0x68, 0x1d, 0x86,
-	0x37, 0x79, 0xbc, 0x20, 0xa1, 0x1f, 0x7d, 0x31, 0x3b, 0x94, 0x51, 0x2a, 0xa4, 0x10, 0x7f, 0xdb,
-	0x2a, 0x00, 0x58, 0x12, 0x61, 0x09, 0xcf, 0x54, 0xdc, 0x23, 0x11, 0x29, 0x76, 0xee, 0x68, 0xb1,
-	0xaa, 0x44, 0xa0, 0x71, 0x45, 0x05, 0x6b, 0x14, 0xe9, 0xaa, 0x76, 0x1e, 0x75, 0x03, 0x96, 0x11,
-	0x45, 0x18, 0x66, 0x32, 0x57, 0xf5, 0xbc, 0x44, 0x2a, 0x5a, 0xd5, 0x0a, 0x09, 0xc7, 0x44, 0xd1,
-	0x0e, 0x4c, 0xec, 0x86, 0x9d, 0x6d, 0x22, 0xb7, 0x34, 0x8b, 0x30, 0x98, 0x23, 0xcd, 0xde, 0x15,
-	0x88, 0x6e, 0x10, 0x75, 0x9d, 0x56, 0x8a, 0x0b, 0xb1, 0x6b, 0xcd, 0x5d, 0x9d, 0x18, 0x36, 0x69,
-	0xd3, 0xe1, 0xff, 0xa8, 0xeb, 0xdf, 0xdf, 0x8b, 0x88, 0x08, 0xf0, 0x9a, 0x39, 0xfc, 0x1f, 0x70,
-	0x94, 0xf4, 0xf0, 0x0b, 0x00, 0x96, 0x44, 0xd0, 0x5d, 0x31, 0x3c, 0x8c, 0x7b, 0x4e, 0xe7, 0x07,
-	0xc2, 0x9f, 0x97, 0x48, 0x39, 0x83, 0xc2, 0xb8, 0x65, 0x4c, 0x8a, 0x71, 0xc9, 0xce, 0xb6, 0x1f,
-	0xf9, 0x5e, 0x82, 0x43, 0xcf, 0xe4, 0x73, 0xc9, 0x5a, 0x06, 0x7e, 0x9a, 0x4b, 0x66, 0x61, 0xe1,
-	0xcc, 0xb6, 0x50, 0x13, 0x26, 0x3b, 0x7e, 0x10, 0x3d, 0xf0, 0x03, 0xb9, 0xbe, 0x50, 0x81, 0xa2,
-	0xd4, 0xc0, 0x14, 0x2d, 0x32, 0xb7, 0x20, 0x13, 0x82, 0x13, 0x34, 0xd1, 0x97, 0x61, 0x38, 0x6c,
-	0x38, 0x2d, 0xb2, 0x7a, 0xbb, 0x72, 0x22, 0xff, 0xf8, 0xa9, 0x73, 0x94, 0x9c, 0xd5, 0xc5, 0xc3,
-	0x3d, 0x71, 0x14, 0x2c, 0xc9, 0xa1, 0x15, 0x18, 0x64, 0x39, 0xef, 0x59, 0x34, 0xe2, 0x9c, 0x78,
-	0xfe, 0xa9, 0x47, 0x3d, 0x9c, 0x37, 0xb1, 0x62, 0xcc, 0xab, 0xd3, 0x3d, 0x20, 0x34, 0x05, 0x7e,
-	0x58, 0x39, 0x95, 0xbf, 0x07, 0x84, 0x82, 0xe1, 0x76, 0xbd, 0x68, 0x0f, 0x28, 0x24, 0x1c, 0x13,
-	0xa5, 0x9c, 0x99, 0x72, 0xd3, 0xd3, 0x05, 0x0e, 0x9b, 0xb9, 0xbc, 0x94, 0x71, 0x66, 0xca, 0x49,
-	0x29, 0x09, 0xfb, 0x37, 0x47, 0xd2, 0x32, 0x0b, 0xd3, 0x30, 0xfd, 0xc7, 0x56, 0xca, 0x63, 0xe3,
-	0xf3, 0xfd, 0x2a, 0xbc, 0x9f, 0xe0, 0xc5, 0xf5, 0xdb, 0x16, 0x9c, 0xee, 0x64, 0x7e, 0x88, 0x10,
-	0x00, 0xfa, 0xd3, 0x9b, 0xf3, 0x4f, 0x57, 0x91, 0xab, 0xb3, 0xe1, 0x38, 0xa7, 0xa5, 0xa4, 0x72,
-	0xa0, 0xfc, 0xb1, 0x95, 0x03, 0x6b, 0x30, 0xd2, 0xe0, 0x37, 0x39, 0x99, 0x3c, 0xa2, 0xaf, 0xb8,
-	0xab, 0xdc, 0x4e, 0x2b, 0x2a, 0x62, 0x45, 0x02, 0xfd, 0xb4, 0x05, 0xe7, 0x93, 0x5d, 0xc7, 0x84,
-	0x81, 0x85, 0xbb, 0x26, 0x57, 0x6b, 0xad, 0x88, 0xef, 0x4f, 0xc9, 0xff, 0x06, 0xf2, 0x61, 0x2f,
-	0x04, 0x5c, 0xdc, 0x18, 0x5a, 0xca, 0xd0, 0xab, 0x0d, 0x99, 0x36, 0xc9, 0x3e, 0x74, 0x6b, 0x6f,
-	0xc0, 0x78, 0xdb, 0xef, 0x7a, 0x91, 0xf0, 0xba, 0x14, 0xae, 0x5b, 0xcc, 0x65, 0x69, 0x4d, 0x2b,
-	0xc7, 0x06, 0x56, 0x42, 0x23, 0x37, 0xf2, 0xd8, 0x1a, 0xb9, 0x0f, 0x61, 0xdc, 0xd3, 0x1e, 0x24,
-	0x14, 0xdd, 0x60, 0x85, 0x76, 0x51, 0xc3, 0xe6, 0xbd, 0xd4, 0x4b, 0xb0, 0x41, 0xad, 0x58, 0x5b,
-	0x06, 0x1f, 0x4f, 0x5b, 0x76, 0xac, 0x57, 0x62, 0xfb, 0xef, 0x95, 0x32, 0x6e, 0x0c, 0x5c, 0x2b,
-	0xf7, 0x8e, 0xa9, 0x95, 0xbb, 0x94, 0xd4, 0xca, 0xa5, 0x4c, 0x55, 0x86, 0x42, 0xae, 0xff, 0x0c,
-	0xa6, 0x7d, 0xc7, 0xd2, 0xfe, 0x0b, 0x16, 0x9c, 0x61, 0xb6, 0x0f, 0xda, 0xc0, 0xc7, 0xb6, 0x77,
-	0x30, 0x87, 0xd8, 0x5b, 0xd9, 0xe4, 0x70, 0x5e, 0x3b, 0x76, 0x0b, 0x2e, 0xf6, 0x3a, 0x77, 0x99,
-	0x7f, 0x71, 0x53, 0xb9, 0x57, 0xc4, 0xfe, 0xc5, 0xcd, 0xd5, 0x25, 0xcc, 0x20, 0xfd, 0x86, 0x5d,
-	0xb4, 0xff, 0x4f, 0x0b, 0xca, 0x35, 0xbf, 0x79, 0x0c, 0x37, 0xfa, 0x2f, 0x19, 0x37, 0xfa, 0x67,
-	0xb2, 0x4f, 0xfc, 0x66, 0xae, 0xb1, 0x6f, 0x39, 0x61, 0xec, 0x3b, 0x9f, 0x47, 0xa0, 0xd8, 0xb4,
-	0xf7, 0xb7, 0xcb, 0x30, 0x56, 0xf3, 0x9b, 0x6a, 0x9f, 0xfd, 0x77, 0x8f, 0xf3, 0x8c, 0x28, 0x37,
-	0x67, 0x99, 0x46, 0x99, 0xf9, 0x13, 0xcb, 0xa8, 0x17, 0x7f, 0xc6, 0x5e, 0x13, 0xdd, 0x23, 0xee,
-	0xd6, 0x76, 0x44, 0x9a, 0xc9, 0xcf, 0x39, 0xbe, 0xd7, 0x44, 0x7f, 0x58, 0x86, 0xa9, 0x44, 0xeb,
-	0xa8, 0x05, 0x13, 0x2d, 0xdd, 0x94, 0x24, 0xd6, 0xe9, 0x63, 0x59, 0xa1, 0xc4, 0x6b, 0x0c, 0xad,
-	0x08, 0x9b, 0xc4, 0xd1, 0x1c, 0x80, 0xa7, 0xfb, 0xa4, 0xab, 0x98, 0xd0, 0x9a, 0x3f, 0xba, 0x86,
-	0x81, 0xde, 0x84, 0xb1, 0xc8, 0xef, 0xf8, 0x2d, 0x7f, 0x6b, 0xef, 0xa6, 0x8a, 0x8f, 0xac, 0x5c,
-	0x96, 0x37, 0x62, 0x10, 0xd6, 0xf1, 0xd0, 0x43, 0x98, 0x51, 0x44, 0xea, 0x4f, 0xc0, 0xbc, 0xc6,
-	0xd4, 0x26, 0xeb, 0x49, 0x8a, 0x38, 0xdd, 0x08, 0x7a, 0x0b, 0x26, 0x99, 0xef, 0x34, 0xab, 0x7f,
-	0x93, 0xec, 0xc9, 0xe0, 0xd2, 0x4c, 0xc2, 0x5e, 0x33, 0x20, 0x38, 0x81, 0x89, 0x16, 0x61, 0xa6,
-	0xed, 0x86, 0x89, 0xea, 0x43, 0xac, 0x3a, 0xeb, 0xc0, 0x5a, 0x12, 0x88, 0xd3, 0xf8, 0xf6, 0x2f,
-	0x88, 0x39, 0xf6, 0x22, 0xf7, 0xd3, 0xed, 0xf8, 0xc9, 0xde, 0x8e, 0xdf, 0xb7, 0x60, 0x9a, 0xb6,
-	0xce, 0x1c, 0x42, 0xa5, 0x20, 0xa5, 0xd2, 0x8f, 0x58, 0x05, 0xe9, 0x47, 0x2e, 0x51, 0xb6, 0xdd,
-	0xf4, 0xbb, 0x91, 0xd0, 0x8e, 0x6a, 0x7c, 0x99, 0x96, 0x62, 0x01, 0x15, 0x78, 0x24, 0x08, 0xc4,
-	0xab, 0x7b, 0x1d, 0x8f, 0x04, 0x01, 0x16, 0x50, 0x99, 0x9d, 0x64, 0x20, 0x3b, 0x3b, 0x09, 0x0f,
-	0x32, 0x2f, 0xfc, 0xe8, 0x84, 0x48, 0xab, 0x05, 0x99, 0x97, 0x0e, 0x76, 0x31, 0x8e, 0xfd, 0xd7,
-	0xca, 0x50, 0xa9, 0xf9, 0xcd, 0x45, 0x12, 0x44, 0xee, 0xa6, 0xdb, 0x70, 0x22, 0xa2, 0xe5, 0xdb,
-	0x7d, 0x0d, 0x80, 0x3d, 0x22, 0x0b, 0xb2, 0x22, 0xa8, 0xd7, 0x15, 0x04, 0x6b, 0x58, 0x54, 0x2a,
-	0xd9, 0x21, 0x7b, 0xda, 0xc9, 0xab, 0xa4, 0x92, 0x9b, 0xbc, 0x18, 0x4b, 0x38, 0xba, 0xc5, 0x42,
-	0x19, 0x2d, 0x3f, 0xec, 0xb8, 0x01, 0xcf, 0x4c, 0x4e, 0x1a, 0xbe, 0xd7, 0x0c, 0x45, 0xe0, 0xb7,
-	0x8a, 0x08, 0x44, 0x94, 0x82, 0xe3, 0xcc, 0x5a, 0xa8, 0x06, 0x27, 0x1b, 0x01, 0x69, 0x12, 0x2f,
-	0x72, 0x9d, 0xd6, 0x42, 0xd7, 0x6b, 0xb6, 0x78, 0x4a, 0x9e, 0x01, 0x23, 0x83, 0xe8, 0xc9, 0xc5,
-	0x0c, 0x1c, 0x9c, 0x59, 0x53, 0x7c, 0x0a, 0x23, 0x32, 0x98, 0xfa, 0x14, 0x56, 0x4f, 0xc2, 0x59,
-	0xe3, 0xf1, 0x10, 0x2e, 0x6e, 0x3b, 0xae, 0xc7, 0xea, 0x0d, 0x25, 0x1a, 0xcf, 0xc0, 0xc1, 0x99,
-	0x35, 0xed, 0x3f, 0x2d, 0xc3, 0x38, 0x9d, 0x18, 0xe5, 0x71, 0xf3, 0x86, 0xe1, 0x71, 0x73, 0x31,
-	0xe1, 0x71, 0x33, 0xad, 0xe3, 0x6a, 0xfe, 0x35, 0xef, 0x03, 0xf2, 0x45, 0x52, 0x82, 0xeb, 0xc4,
-	0x23, 0x7c, 0xc8, 0x98, 0x92, 0xb1, 0x1c, 0xfb, 0xa3, 0xdc, 0x4e, 0x61, 0xe0, 0x8c, 0x5a, 0x9f,
-	0xfa, 0xea, 0x1c, 0xaf, 0xaf, 0xce, 0x6f, 0x59, 0x6c, 0x05, 0x2c, 0xad, 0xd7, 0xb9, 0x13, 0x39,
-	0xba, 0x0a, 0x63, 0xec, 0x18, 0x63, 0xb1, 0x3c, 0xa4, 0x4b, 0x0b, 0xcb, 0x6e, 0xbb, 0x1e, 0x17,
-	0x63, 0x1d, 0x07, 0x5d, 0x86, 0x91, 0x90, 0x38, 0x41, 0x63, 0x5b, 0x9d, 0xe1, 0xc2, 0xff, 0x84,
-	0x97, 0x61, 0x05, 0x45, 0x1f, 0xc4, 0x11, 0xe1, 0xcb, 0xf9, 0x1e, 0xe9, 0x7a, 0x7f, 0x38, 0x1f,
-	0xcc, 0x0f, 0x03, 0x6f, 0xdf, 0x03, 0x94, 0xc6, 0xef, 0xe3, 0x89, 0x5f, 0xd5, 0x8c, 0x59, 0x3c,
-	0x9a, 0x8a, 0x57, 0xfc, 0xef, 0x2d, 0x98, 0xac, 0xf9, 0x4d, 0xca, 0x9f, 0x7f, 0x98, 0x98, 0xb1,
-	0x9e, 0xc1, 0x63, 0xa8, 0x20, 0x83, 0xc7, 0x81, 0x05, 0x17, 0xd8, 0xe7, 0x47, 0xc4, 0x6b, 0xc6,
-	0x06, 0x4f, 0xdd, 0xdf, 0xe3, 0x01, 0x4c, 0x05, 0x3c, 0x7c, 0xd7, 0x9a, 0xd3, 0xe9, 0xb8, 0xde,
-	0x96, 0x7c, 0xdf, 0xf6, 0x46, 0xe1, 0xbb, 0x8d, 0x24, 0x49, 0x11, 0x02, 0x4c, 0x77, 0x54, 0x35,
-	0x88, 0xe2, 0x64, 0x2b, 0x3c, 0x2b, 0x8d, 0xd6, 0x1f, 0x2d, 0x41, 0xa5, 0x96, 0x95, 0x26, 0x81,
-	0x80, 0xd3, 0x75, 0xec, 0xe7, 0x60, 0xb0, 0xe6, 0x37, 0x7b, 0x04, 0x8f, 0xfe, 0x3b, 0x16, 0x0c,
-	0xd7, 0xfc, 0xe6, 0x31, 0x98, 0x10, 0xdf, 0x31, 0x4d, 0x88, 0x67, 0x72, 0x36, 0x47, 0x8e, 0xd5,
-	0xf0, 0x9f, 0x0d, 0xc0, 0x04, 0xed, 0xa7, 0xbf, 0x25, 0xd7, 0xab, 0xb1, 0x36, 0xac, 0x3e, 0xd6,
-	0x06, 0xbd, 0xd0, 0xfa, 0xad, 0x96, 0xff, 0x20, 0xb9, 0x76, 0x57, 0x58, 0x29, 0x16, 0x50, 0xf4,
-	0x0a, 0x8c, 0x74, 0x02, 0xb2, 0xeb, 0xfa, 0xe2, 0xa6, 0xa8, 0x19, 0x64, 0x6b, 0xa2, 0x1c, 0x2b,
-	0x0c, 0xf4, 0x06, 0x8c, 0x87, 0xae, 0x47, 0xa5, 0x62, 0x7e, 0xf4, 0x0e, 0xb0, 0x83, 0x81, 0xe7,
-	0xd2, 0xd3, 0xca, 0xb1, 0x81, 0x85, 0xee, 0xc1, 0x28, 0xfb, 0xcf, 0x78, 0xeb, 0xe0, 0x91, 0x79,
-	0xab, 0x48, 0x94, 0x2e, 0x08, 0xe0, 0x98, 0x16, 0x15, 0x38, 0x22, 0x99, 0x8f, 0x2a, 0x14, 0x41,
-	0x84, 0x95, 0xc0, 0xa1, 0x32, 0x55, 0x85, 0x58, 0xc3, 0x42, 0x2f, 0xc3, 0x68, 0xe4, 0xb8, 0xad,
-	0x5b, 0xae, 0xc7, 0x3c, 0x51, 0x68, 0xff, 0x45, 0xbe, 0x72, 0x51, 0x88, 0x63, 0x38, 0xbd, 0xd5,
-	0xb0, 0xd8, 0x6a, 0x0b, 0x7b, 0x91, 0xc8, 0xa2, 0x59, 0xe6, 0xb7, 0x9a, 0x5b, 0xaa, 0x14, 0x6b,
-	0x18, 0x68, 0x1b, 0xce, 0xb9, 0x1e, 0xcb, 0x3b, 0x47, 0xea, 0x3b, 0x6e, 0x67, 0xe3, 0x56, 0xfd,
-	0x2e, 0x09, 0xdc, 0xcd, 0xbd, 0x05, 0xa7, 0xb1, 0x43, 0xbc, 0x26, 0x53, 0x7a, 0x8d, 0x2c, 0x3c,
-	0x2f, 0xba, 0x78, 0x6e, 0xb5, 0x00, 0x17, 0x17, 0x52, 0x42, 0x36, 0xe5, 0x39, 0x01, 0x71, 0xda,
-	0x42, 0xbb, 0xc5, 0x73, 0x56, 0xb1, 0x12, 0x2c, 0x20, 0xf6, 0xeb, 0x6c, 0x4f, 0xdc, 0xae, 0xa3,
-	0xcf, 0x1a, 0x3c, 0xf4, 0xb4, 0xce, 0x43, 0x0f, 0xf7, 0xab, 0x43, 0xb7, 0xeb, 0x5a, 0x9c, 0xad,
-	0x6b, 0x70, 0xaa, 0xe6, 0x37, 0x6b, 0x7e, 0x10, 0xad, 0xf8, 0xc1, 0x03, 0x27, 0x68, 0xca, 0x25,
-	0x58, 0x95, 0x91, 0xc6, 0x28, 0x67, 0x18, 0xe4, 0x6c, 0xd6, 0x88, 0x22, 0xf6, 0x3a, 0xbb, 0x9f,
-	0x1c, 0xf1, 0x61, 0x77, 0x83, 0x49, 0xca, 0x2a, 0xbb, 0xe3, 0x75, 0x27, 0x22, 0xe8, 0x36, 0x4c,
-	0x34, 0x74, 0xd9, 0x44, 0x54, 0x7f, 0x49, 0x9e, 0xe8, 0x86, 0xe0, 0x92, 0x29, 0xcc, 0x98, 0xf5,
-	0xed, 0xdf, 0xb7, 0x44, 0x2b, 0x1a, 0xd7, 0xe8, 0xe3, 0x60, 0x59, 0xcc, 0x62, 0x4e, 0xfc, 0xa6,
-	0x7a, 0xaa, 0x5f, 0xc6, 0x84, 0xbe, 0x06, 0x67, 0x8d, 0x42, 0xe9, 0x14, 0xa2, 0xe5, 0xdf, 0x67,
-	0x9a, 0x49, 0x9c, 0x87, 0x84, 0xf3, 0xeb, 0xdb, 0x3f, 0x06, 0xa7, 0x93, 0xdf, 0x25, 0x38, 0xfa,
-	0x63, 0x7e, 0x5d, 0xe9, 0x68, 0x5f, 0x67, 0xbf, 0x09, 0x33, 0x35, 0x5f, 0x8b, 0xa2, 0xc2, 0xe6,
-	0xaf, 0x77, 0x30, 0xb7, 0x5f, 0x1e, 0x61, 0x67, 0x7d, 0x22, 0x65, 0x23, 0xfa, 0x06, 0x4c, 0x86,
-	0x84, 0x45, 0x30, 0x94, 0x3a, 0xea, 0x82, 0xa8, 0x0c, 0xf5, 0x65, 0x1d, 0x93, 0xdf, 0xc3, 0xcd,
-	0x32, 0x9c, 0xa0, 0x86, 0xda, 0x30, 0xf9, 0xc0, 0xf5, 0x9a, 0xfe, 0x83, 0x50, 0xd2, 0x1f, 0xc9,
-	0x37, 0x78, 0xdd, 0xe3, 0x98, 0x89, 0x3e, 0x1a, 0xcd, 0xdd, 0x33, 0x88, 0xe1, 0x04, 0x71, 0xca,
-	0x6a, 0x82, 0xae, 0x37, 0x1f, 0xde, 0x09, 0x49, 0x20, 0xe2, 0x2b, 0x32, 0x56, 0x83, 0x65, 0x21,
-	0x8e, 0xe1, 0x94, 0xd5, 0xb0, 0x3f, 0x2c, 0xac, 0x03, 0xe3, 0x65, 0x82, 0xd5, 0x60, 0x55, 0x8a,
-	0x35, 0x0c, 0xca, 0x8a, 0xd9, 0xbf, 0x75, 0xdf, 0xc3, 0xbe, 0x1f, 0x49, 0xe6, 0xcd, 0xb2, 0xea,
-	0x6a, 0xe5, 0xd8, 0xc0, 0xca, 0x89, 0xe6, 0x38, 0x70, 0xd4, 0x68, 0x8e, 0x28, 0x2a, 0x88, 0x64,
-	0xc1, 0xe3, 0x91, 0x5f, 0x2b, 0x8a, 0x64, 0x71, 0xf8, 0x58, 0x51, 0x2e, 0xa8, 0xc0, 0xb3, 0x29,
-	0x06, 0x68, 0x90, 0x87, 0xab, 0x64, 0x26, 0xf9, 0x3a, 0x1f, 0x1d, 0x09, 0x43, 0xcb, 0x30, 0x1c,
-	0xee, 0x85, 0x8d, 0xa8, 0x15, 0x16, 0x65, 0x4e, 0xae, 0x33, 0x94, 0x58, 0x1e, 0xe5, 0xff, 0x43,
-	0x2c, 0xeb, 0xa2, 0x06, 0x9c, 0x10, 0x14, 0x17, 0xb7, 0x1d, 0x4f, 0x65, 0x56, 0xe5, 0xbe, 0xb7,
-	0x57, 0x0f, 0xf6, 0xab, 0x27, 0x44, 0xcb, 0x3a, 0xf8, 0x70, 0xbf, 0x4a, 0xb7, 0x64, 0x06, 0x04,
-	0x67, 0x51, 0xe3, 0x4b, 0xbe, 0xd1, 0xf0, 0xdb, 0x9d, 0x5a, 0xe0, 0x6f, 0xba, 0x2d, 0x52, 0xe4,
-	0xd6, 0x50, 0x37, 0x30, 0xc5, 0x92, 0x37, 0xca, 0x70, 0x82, 0x1a, 0xba, 0x0f, 0x53, 0x4e, 0xa7,
-	0x33, 0x1f, 0xb4, 0xfd, 0x40, 0x36, 0x30, 0x96, 0x6f, 0x1f, 0x9b, 0x37, 0x51, 0x79, 0x62, 0xd5,
-	0x44, 0x21, 0x4e, 0x12, 0xa4, 0x03, 0x25, 0x36, 0x9a, 0x31, 0x50, 0x13, 0xf1, 0x40, 0x89, 0x7d,
-	0x99, 0x31, 0x50, 0x19, 0x10, 0x9c, 0x45, 0xcd, 0xfe, 0xf3, 0xec, 0x76, 0xc3, 0xa2, 0x9d, 0xb3,
-	0x47, 0x6e, 0x6d, 0x98, 0xe8, 0x30, 0xb6, 0x2f, 0x92, 0x1e, 0x0a, 0x56, 0xf1, 0x46, 0x9f, 0x6a,
-	0xf8, 0x07, 0x2c, 0xab, 0xb3, 0xe1, 0x8e, 0x5d, 0xd3, 0xc9, 0x61, 0x93, 0xba, 0xfd, 0xaf, 0x67,
-	0x99, 0xe8, 0x58, 0xe7, 0xba, 0xf5, 0x61, 0xf1, 0xe4, 0x57, 0x48, 0xc9, 0xb3, 0xf9, 0x56, 0xac,
-	0x78, 0x7d, 0x89, 0x67, 0xc3, 0x58, 0xd6, 0x45, 0x5f, 0x87, 0x49, 0xd7, 0x73, 0xe3, 0x24, 0xeb,
-	0x61, 0xe5, 0x64, 0x7e, 0x2c, 0x39, 0x85, 0xa5, 0x27, 0x44, 0xd5, 0x2b, 0xe3, 0x04, 0x31, 0xf4,
-	0x01, 0xf3, 0x50, 0x96, 0xa4, 0x4b, 0xfd, 0x90, 0xd6, 0x9d, 0x91, 0x25, 0x59, 0x8d, 0x08, 0xea,
-	0xc2, 0x89, 0x74, 0xb2, 0xf9, 0xb0, 0x62, 0xe7, 0x5f, 0x00, 0xd3, 0xf9, 0xe2, 0xe3, 0xcc, 0x95,
-	0x69, 0x58, 0x88, 0xb3, 0xe8, 0xa3, 0x5b, 0xc9, 0x54, 0xe0, 0x65, 0xc3, 0xfe, 0x95, 0x4a, 0x07,
-	0x3e, 0x51, 0x98, 0x05, 0x7c, 0x0b, 0xce, 0x6b, 0x79, 0x8d, 0xaf, 0x07, 0x0e, 0xf3, 0x90, 0x73,
-	0xd9, 0x69, 0xa4, 0x09, 0xb5, 0xcf, 0x1e, 0xec, 0x57, 0xcf, 0x6f, 0x14, 0x21, 0xe2, 0x62, 0x3a,
-	0xe8, 0x36, 0x9c, 0xe2, 0x91, 0x90, 0x96, 0x88, 0xd3, 0x6c, 0xb9, 0x9e, 0x92, 0x9a, 0x39, 0xef,
-	0x3a, 0x7b, 0xb0, 0x5f, 0x3d, 0x35, 0x9f, 0x85, 0x80, 0xb3, 0xeb, 0xa1, 0x77, 0x60, 0xb4, 0xe9,
-	0x49, 0x2e, 0x3b, 0x64, 0xa4, 0x8e, 0x1e, 0x5d, 0x5a, 0xaf, 0xab, 0xef, 0x8f, 0xff, 0xe0, 0xb8,
-	0x02, 0xda, 0xe2, 0x06, 0x58, 0xa5, 0x35, 0x1f, 0x4e, 0x05, 0xc8, 0x4d, 0x1a, 0x96, 0x8c, 0xd0,
-	0x22, 0xdc, 0xf3, 0x40, 0x3d, 0x3f, 0x35, 0xa2, 0x8e, 0x18, 0x84, 0xd1, 0xfb, 0x80, 0x44, 0xbe,
-	0xaf, 0xf9, 0x06, 0xcb, 0xa8, 0xa9, 0x79, 0x45, 0x2b, 0x3d, 0x49, 0x3d, 0x85, 0x81, 0x33, 0x6a,
-	0xa1, 0x1b, 0x94, 0x3d, 0xea, 0xa5, 0x82, 0xfd, 0x4a, 0x7d, 0x56, 0x65, 0x89, 0x74, 0x02, 0xc2,
-	0x1c, 0x79, 0x4d, 0x8a, 0x38, 0x51, 0x0f, 0x35, 0xe1, 0x9c, 0xd3, 0x8d, 0x7c, 0x66, 0xdb, 0x36,
-	0x51, 0x37, 0xfc, 0x1d, 0xe2, 0x31, 0xb7, 0x92, 0x11, 0x16, 0x78, 0xf7, 0xdc, 0x7c, 0x01, 0x1e,
-	0x2e, 0xa4, 0x42, 0xaf, 0x53, 0x74, 0x2c, 0x34, 0xb3, 0xb3, 0x11, 0x25, 0x81, 0xfb, 0x62, 0x48,
-	0x0c, 0xf4, 0x26, 0x8c, 0x6d, 0xfb, 0x61, 0xb4, 0x4e, 0xa2, 0x07, 0x7e, 0xb0, 0x23, 0x12, 0x8c,
-	0xc4, 0x49, 0x9d, 0x62, 0x10, 0xd6, 0xf1, 0xd0, 0x4b, 0x30, 0xcc, 0x9c, 0x1e, 0x57, 0x97, 0xd8,
-	0x59, 0x3b, 0x12, 0xf3, 0x98, 0x1b, 0xbc, 0x18, 0x4b, 0xb8, 0x44, 0x5d, 0xad, 0x2d, 0x32, 0x76,
-	0x9c, 0x40, 0x5d, 0xad, 0x2d, 0x62, 0x09, 0xa7, 0xcb, 0x35, 0xdc, 0x76, 0x02, 0x52, 0x0b, 0xfc,
-	0x06, 0x09, 0xb5, 0x54, 0x62, 0xcf, 0xf0, 0xf4, 0x29, 0x74, 0xb9, 0xd6, 0xb3, 0x10, 0x70, 0x76,
-	0x3d, 0x44, 0xd2, 0x39, 0xbd, 0x27, 0xf3, 0x8d, 0xfe, 0x69, 0x71, 0xb0, 0xcf, 0xb4, 0xde, 0x1e,
-	0x4c, 0xab, 0x6c, 0xe2, 0x3c, 0x61, 0x4a, 0x58, 0x99, 0xca, 0xcf, 0xe9, 0x9f, 0xf9, 0xd6, 0x47,
-	0xb9, 0x51, 0xac, 0x26, 0x28, 0xe1, 0x14, 0x6d, 0x23, 0xb2, 0xf3, 0x74, 0xcf, 0xc8, 0xce, 0x57,
-	0x60, 0x34, 0xec, 0xde, 0x6f, 0xfa, 0x6d, 0xc7, 0xf5, 0x98, 0xef, 0x98, 0x76, 0x71, 0xaf, 0x4b,
-	0x00, 0x8e, 0x71, 0xd0, 0x0a, 0x8c, 0x38, 0xd2, 0x47, 0x02, 0xe5, 0x07, 0xad, 0x54, 0x9e, 0x11,
-	0x3c, 0x8e, 0x9b, 0xf4, 0x8a, 0x50, 0x75, 0xd1, 0xdb, 0x30, 0x21, 0x02, 0xe3, 0x08, 0x7d, 0xfc,
-	0x09, 0xf3, 0x29, 0x7f, 0x5d, 0x07, 0x62, 0x13, 0x17, 0xdd, 0x81, 0xb1, 0xc8, 0x6f, 0x09, 0x45,
-	0x6e, 0x58, 0x39, 0x9d, 0x1f, 0x5b, 0x7a, 0x43, 0xa1, 0xe9, 0xd6, 0x3b, 0x55, 0x15, 0xeb, 0x74,
-	0xd0, 0x06, 0x5f, 0xef, 0x2c, 0x71, 0x18, 0x09, 0x2b, 0x67, 0xf2, 0xcf, 0x24, 0x95, 0x5f, 0xcc,
-	0xdc, 0x0e, 0xa2, 0x26, 0xd6, 0xc9, 0xa0, 0xeb, 0x30, 0xd3, 0x09, 0x5c, 0x9f, 0xad, 0x09, 0xe5,
-	0xf3, 0x51, 0x31, 0x75, 0x48, 0xb5, 0x24, 0x02, 0x4e, 0xd7, 0x61, 0x71, 0x8d, 0x44, 0x61, 0xe5,
-	0x2c, 0x4f, 0x75, 0xc8, 0xf5, 0x20, 0xbc, 0x0c, 0x2b, 0x28, 0x5a, 0x63, 0x9c, 0x98, 0xeb, 0x29,
-	0x2b, 0xb3, 0xf9, 0xd1, 0x32, 0x74, 0x7d, 0x26, 0x97, 0xfd, 0xd5, 0x5f, 0x1c, 0x53, 0x40, 0x4d,
-	0x98, 0x0c, 0xf4, 0x1b, 0x70, 0x58, 0x39, 0x57, 0xe0, 0x79, 0x9e, 0xb8, 0x2e, 0xc7, 0x02, 0x81,
-	0x51, 0x1c, 0xe2, 0x04, 0x4d, 0xf4, 0x1e, 0x4c, 0x8b, 0xa0, 0x1f, 0xf1, 0x30, 0x9d, 0x8f, 0x5f,
-	0xe7, 0xe1, 0x04, 0x0c, 0xa7, 0xb0, 0x79, 0xaa, 0x41, 0xe7, 0x7e, 0x8b, 0x08, 0xd6, 0x77, 0xcb,
-	0xf5, 0x76, 0xc2, 0xca, 0x05, 0xc6, 0x1f, 0x44, 0xaa, 0xc1, 0x24, 0x14, 0x67, 0xd4, 0x40, 0x1b,
-	0x30, 0xdd, 0x09, 0x08, 0x69, 0xb3, 0x7b, 0x92, 0x38, 0xcf, 0xaa, 0x3c, 0xac, 0x17, 0xed, 0x49,
-	0x2d, 0x01, 0x3b, 0xcc, 0x28, 0xc3, 0x29, 0x0a, 0xe8, 0x01, 0x8c, 0xf8, 0xbb, 0x24, 0xd8, 0x26,
-	0x4e, 0xb3, 0x72, 0xb1, 0xe0, 0xcd, 0xa8, 0x38, 0xdc, 0x6e, 0x0b, 0xdc, 0x84, 0x4b, 0x9d, 0x2c,
-	0xee, 0xed, 0x52, 0x27, 0x1b, 0x43, 0xff, 0x89, 0x05, 0x67, 0xa5, 0x91, 0xba, 0xde, 0xa1, 0xa3,
-	0xbe, 0xe8, 0x7b, 0x61, 0x14, 0xf0, 0x40, 0x54, 0xcf, 0xe6, 0x07, 0x67, 0xda, 0xc8, 0xa9, 0xa4,
-	0x4c, 0x25, 0x67, 0xf3, 0x30, 0x42, 0x9c, 0xdf, 0x22, 0xbd, 0xd9, 0x87, 0x24, 0x92, 0xcc, 0x68,
-	0x3e, 0x5c, 0xf9, 0x60, 0x69, 0xbd, 0xf2, 0x1c, 0x8f, 0xa2, 0x45, 0x37, 0x43, 0x3d, 0x09, 0xc4,
-	0x69, 0x7c, 0x74, 0x15, 0x4a, 0x7e, 0x58, 0x79, 0x9e, 0xad, 0xed, 0xb3, 0x39, 0xe3, 0x78, 0xbb,
-	0xce, 0x5d, 0xab, 0x6f, 0xd7, 0x71, 0xc9, 0x0f, 0x65, 0xba, 0x3f, 0x7a, 0x9d, 0x0d, 0x2b, 0x2f,
-	0x70, 0xc5, 0xba, 0x4c, 0xf7, 0xc7, 0x0a, 0x71, 0x0c, 0x47, 0xdb, 0x30, 0x15, 0x1a, 0x6a, 0x83,
-	0xb0, 0x72, 0x89, 0x8d, 0xd4, 0x0b, 0x79, 0x93, 0x66, 0x60, 0x6b, 0x79, 0xb8, 0x4c, 0x2a, 0x38,
-	0x49, 0x96, 0xef, 0x2e, 0x4d, 0x71, 0x11, 0x56, 0x5e, 0xec, 0xb1, 0xbb, 0x34, 0x64, 0x7d, 0x77,
-	0xe9, 0x34, 0x70, 0x82, 0x26, 0xba, 0xa3, 0x3f, 0xc8, 0xbd, 0x9c, 0xef, 0xa6, 0x9b, 0xf9, 0x14,
-	0x77, 0x22, 0xf7, 0x19, 0xee, 0x7b, 0x30, 0x2d, 0xcf, 0x12, 0xba, 0x32, 0x03, 0xb7, 0x49, 0x2a,
-	0x2f, 0xc5, 0x9b, 0xf6, 0x46, 0x02, 0x86, 0x53, 0xd8, 0xb3, 0x3f, 0x02, 0x33, 0x29, 0x39, 0xee,
-	0x28, 0xef, 0x9b, 0x66, 0x77, 0x60, 0xc2, 0xd8, 0x2b, 0x4f, 0xd7, 0xfd, 0x6d, 0x0c, 0x46, 0x95,
-	0x5b, 0x52, 0x8e, 0x39, 0x72, 0xe6, 0xb1, 0xcc, 0x91, 0x57, 0x4c, 0xef, 0xb9, 0xb3, 0x49, 0xef,
-	0xb9, 0x91, 0x9a, 0xdf, 0x34, 0x1c, 0xe6, 0x36, 0x32, 0x22, 0x60, 0xe7, 0x71, 0xf9, 0xfe, 0x1f,
-	0x74, 0x6a, 0x16, 0xbd, 0x72, 0xdf, 0x6e, 0x78, 0x03, 0x85, 0x46, 0xc2, 0xeb, 0x30, 0xe3, 0xf9,
-	0xec, 0x22, 0x42, 0x9a, 0x52, 0xca, 0x64, 0xc2, 0xe4, 0xa8, 0x1e, 0xa1, 0x31, 0x81, 0x80, 0xd3,
-	0x75, 0x68, 0x83, 0x5c, 0x1a, 0x4c, 0x5a, 0x25, 0xb9, 0xb0, 0x88, 0x05, 0x94, 0x5e, 0x80, 0xf9,
-	0xaf, 0xb0, 0x32, 0x9d, 0x7f, 0x01, 0xe6, 0x95, 0x92, 0x12, 0x67, 0x28, 0x25, 0x4e, 0x66, 0x84,
-	0xeb, 0xf8, 0xcd, 0xd5, 0x9a, 0xb8, 0xcb, 0x68, 0xb9, 0x29, 0x9a, 0xab, 0x35, 0xcc, 0x61, 0x68,
-	0x1e, 0x86, 0xd8, 0x0f, 0x19, 0xf9, 0x2a, 0x8f, 0x17, 0xad, 0xd6, 0xb4, 0x9c, 0xca, 0xac, 0x02,
-	0x16, 0x15, 0x99, 0xfd, 0x81, 0x5e, 0x00, 0x99, 0xfd, 0x61, 0xf8, 0x31, 0xed, 0x0f, 0x92, 0x00,
-	0x8e, 0x69, 0xa1, 0x87, 0x70, 0xca, 0xb8, 0x74, 0xab, 0x17, 0xae, 0x90, 0xef, 0x64, 0x93, 0x40,
-	0x5e, 0x38, 0x2f, 0x3a, 0x7d, 0x6a, 0x35, 0x8b, 0x12, 0xce, 0x6e, 0x00, 0xb5, 0x60, 0xa6, 0x91,
-	0x6a, 0x75, 0xa4, 0xff, 0x56, 0xd5, 0xba, 0x48, 0xb7, 0x98, 0x26, 0x8c, 0xde, 0x86, 0x91, 0x8f,
-	0x7c, 0xee, 0x10, 0x2b, 0xee, 0x5f, 0x32, 0x3e, 0xd3, 0xc8, 0x07, 0xb7, 0xeb, 0xac, 0xfc, 0x70,
-	0xbf, 0x3a, 0x56, 0xf3, 0x9b, 0xf2, 0x2f, 0x56, 0x15, 0xd0, 0x5f, 0xb2, 0x60, 0x36, 0x7d, 0xab,
-	0x57, 0x9d, 0x9e, 0xe8, 0xbf, 0xd3, 0xb6, 0x68, 0x74, 0x76, 0x39, 0x97, 0x1c, 0x2e, 0x68, 0x0a,
-	0x7d, 0x91, 0xee, 0xa7, 0xd0, 0x7d, 0xc4, 0x5f, 0xb8, 0x68, 0x0e, 0x09, 0x98, 0x95, 0x1e, 0xee,
-	0x57, 0xa7, 0x38, 0xfb, 0x77, 0x1f, 0xa9, 0x2c, 0x1a, 0xbc, 0x02, 0xfa, 0x31, 0x38, 0x15, 0xa4,
-	0xb5, 0xec, 0x44, 0xde, 0x34, 0x3e, 0xdb, 0xcf, 0x51, 0x92, 0x9c, 0x70, 0x9c, 0x45, 0x10, 0x67,
-	0xb7, 0x83, 0xfe, 0xaa, 0x05, 0xcf, 0x90, 0x7c, 0x0b, 0xae, 0xb8, 0x2a, 0xbc, 0x96, 0xd3, 0x8f,
-	0x02, 0xdb, 0x2f, 0x4b, 0x30, 0xf0, 0x4c, 0x01, 0x02, 0x2e, 0x6a, 0xd7, 0xfe, 0xc7, 0x16, 0xb3,
-	0xfa, 0x08, 0x54, 0x12, 0x76, 0x5b, 0xd1, 0x31, 0x38, 0xc7, 0x2e, 0x1b, 0xae, 0x25, 0x8f, 0xed,
-	0xdd, 0xfa, 0xdf, 0x5a, 0xcc, 0xbb, 0xf5, 0x18, 0xdf, 0xe9, 0x7e, 0x00, 0x23, 0x91, 0x68, 0x4d,
-	0x74, 0x3d, 0xcf, 0x13, 0x4f, 0x76, 0x8a, 0x79, 0xf8, 0xaa, 0x1b, 0xa6, 0x2c, 0xc5, 0x8a, 0x8c,
-	0xfd, 0x5f, 0xf1, 0x19, 0x90, 0x90, 0x63, 0x30, 0x6e, 0x2f, 0x99, 0xc6, 0xed, 0x6a, 0x8f, 0x2f,
-	0xc8, 0x31, 0x72, 0xff, 0x03, 0xb3, 0xdf, 0x4c, 0xb3, 0xfa, 0x49, 0x77, 0xab, 0xb6, 0xbf, 0x6b,
-	0x01, 0xc4, 0xe9, 0x94, 0xfa, 0x48, 0x8c, 0x7f, 0x8d, 0xde, 0x29, 0xfd, 0xc8, 0x6f, 0xf8, 0x2d,
-	0x61, 0x5c, 0x3b, 0x17, 0xdb, 0xd7, 0x79, 0xf9, 0xa1, 0xf6, 0x1b, 0x2b, 0x6c, 0x54, 0x95, 0xf1,
-	0xcd, 0xcb, 0xb1, 0x5b, 0x8b, 0x11, 0xdb, 0xfc, 0x67, 0x2c, 0x38, 0x99, 0xf5, 0xe8, 0x0b, 0xbd,
-	0x02, 0x23, 0x5c, 0xc7, 0xac, 0x5c, 0xde, 0xd5, 0x6c, 0xde, 0x15, 0xe5, 0x58, 0x61, 0xf4, 0xeb,
-	0xfa, 0x7e, 0xc4, 0x54, 0x3f, 0xb7, 0x61, 0xa2, 0x16, 0x10, 0x4d, 0xee, 0x79, 0x37, 0xce, 0x42,
-	0x36, 0xba, 0xf0, 0xca, 0x91, 0x23, 0xa9, 0xd9, 0xbf, 0x54, 0x82, 0x93, 0xdc, 0x71, 0x73, 0x7e,
-	0xd7, 0x77, 0x9b, 0x35, 0xbf, 0x29, 0x9e, 0xea, 0x7f, 0x15, 0xc6, 0x3b, 0x9a, 0x61, 0xa0, 0x28,
-	0x6d, 0x85, 0x6e, 0x40, 0x88, 0x55, 0x99, 0x7a, 0x29, 0x36, 0x68, 0xa1, 0x26, 0x8c, 0x93, 0x5d,
-	0xb7, 0xa1, 0x1c, 0xc3, 0x4a, 0x47, 0x16, 0x1e, 0x54, 0x2b, 0xcb, 0x1a, 0x1d, 0x6c, 0x50, 0xed,
-	0xfb, 0xb9, 0x85, 0x26, 0x3a, 0x0e, 0xf4, 0x70, 0x06, 0xfb, 0x59, 0x0b, 0xce, 0xe4, 0x24, 0xb9,
-	0xa0, 0xcd, 0x3d, 0x60, 0x2e, 0xb2, 0x62, 0xd9, 0xaa, 0xe6, 0xb8, 0xe3, 0x2c, 0x16, 0x50, 0xf4,
-	0x65, 0x80, 0x4e, 0x9c, 0x1a, 0xb8, 0x47, 0x36, 0x00, 0x23, 0x2e, 0xb8, 0x16, 0xe2, 0x59, 0x65,
-	0x10, 0xd6, 0x68, 0xd9, 0x3f, 0x33, 0x00, 0x83, 0xcc, 0x07, 0x0f, 0xd5, 0x60, 0x78, 0x9b, 0x47,
-	0x20, 0x2d, 0x9c, 0x37, 0x8a, 0x2b, 0x43, 0x9a, 0xc6, 0xf3, 0xa6, 0x95, 0x62, 0x49, 0x06, 0xad,
-	0xc1, 0x09, 0x9e, 0xf6, 0xb8, 0xb5, 0x44, 0x5a, 0xce, 0x9e, 0xd4, 0xb9, 0x97, 0xd8, 0xa7, 0x2a,
-	0xdb, 0xc3, 0x6a, 0x1a, 0x05, 0x67, 0xd5, 0x43, 0xef, 0xc2, 0x64, 0xe4, 0xb6, 0x89, 0xdf, 0x8d,
-	0x4c, 0x77, 0x53, 0x75, 0x2d, 0xdc, 0x30, 0xa0, 0x38, 0x81, 0x8d, 0xde, 0x86, 0x89, 0x4e, 0xca,
-	0xba, 0x30, 0x18, 0xab, 0xe1, 0x4c, 0x8b, 0x82, 0x89, 0xcb, 0xde, 0x7d, 0x75, 0xd9, 0x2b, 0xb7,
-	0x8d, 0xed, 0x80, 0x84, 0xdb, 0x7e, 0xab, 0xc9, 0x24, 0xf3, 0x41, 0xed, 0xdd, 0x57, 0x02, 0x8e,
-	0x53, 0x35, 0x28, 0x95, 0x4d, 0xc7, 0x6d, 0x75, 0x03, 0x12, 0x53, 0x19, 0x32, 0xa9, 0xac, 0x24,
-	0xe0, 0x38, 0x55, 0xa3, 0xb7, 0xd9, 0x64, 0xf8, 0xc9, 0x98, 0x4d, 0xec, 0xbf, 0x5b, 0x02, 0x63,
-	0x6a, 0x7f, 0x88, 0xb3, 0x18, 0xbf, 0x03, 0x03, 0x5b, 0x41, 0xa7, 0x21, 0xfc, 0x4d, 0x33, 0xbf,
-	0xec, 0x3a, 0xae, 0x2d, 0xea, 0x5f, 0x46, 0xff, 0x63, 0x56, 0x8b, 0xee, 0xf1, 0x53, 0xc2, 0xfb,
-	0x5a, 0x06, 0x29, 0x56, 0xcf, 0x2b, 0x87, 0xa5, 0x26, 0xa2, 0x20, 0x9c, 0xbf, 0x78, 0x23, 0xa6,
-	0xfc, 0xb7, 0x35, 0x53, 0xb8, 0xd0, 0x43, 0x48, 0x2a, 0xe8, 0x2a, 0x8c, 0x89, 0xc4, 0xb2, 0xec,
-	0x15, 0x20, 0xdf, 0x4c, 0xcc, 0x95, 0x74, 0x29, 0x2e, 0xc6, 0x3a, 0x8e, 0xfd, 0x97, 0x4b, 0x70,
-	0x22, 0xe3, 0x19, 0x37, 0x3f, 0x46, 0xb6, 0xdc, 0x30, 0x0a, 0xf6, 0x92, 0x87, 0x13, 0x16, 0xe5,
-	0x58, 0x61, 0x50, 0x5e, 0xc5, 0x0f, 0xaa, 0xe4, 0xe1, 0x24, 0x9e, 0x49, 0x0a, 0xe8, 0xd1, 0x0e,
-	0x27, 0x7a, 0x6c, 0x77, 0x43, 0x22, 0x33, 0x87, 0xa8, 0x63, 0x9b, 0xb9, 0x64, 0x30, 0x08, 0xbd,
-	0x9a, 0x6e, 0x29, 0x3f, 0x03, 0xed, 0x6a, 0xca, 0x3d, 0x0d, 0x38, 0x8c, 0x76, 0x2e, 0x22, 0x9e,
-	0xe3, 0x45, 0xe2, 0x02, 0x1b, 0x47, 0x94, 0x67, 0xa5, 0x58, 0x40, 0xed, 0xef, 0x95, 0xe1, 0x6c,
-	0x6e, 0x60, 0x07, 0xda, 0xf5, 0xb6, 0xef, 0xb9, 0x91, 0xaf, 0x7c, 0x74, 0x79, 0x14, 0x79, 0xd2,
-	0xd9, 0x5e, 0x13, 0xe5, 0x58, 0x61, 0xa0, 0x4b, 0x30, 0xc8, 0x2c, 0x12, 0xc9, 0xa4, 0x92, 0x78,
-	0x61, 0x89, 0xc7, 0xd8, 0xe5, 0x60, 0xed, 0x54, 0x2f, 0x17, 0x9e, 0xea, 0xcf, 0x51, 0x09, 0xc6,
-	0x6f, 0x25, 0x0f, 0x14, 0xda, 0x5d, 0xdf, 0x6f, 0x61, 0x06, 0x44, 0x2f, 0x88, 0xf1, 0x4a, 0x38,
-	0xa5, 0x62, 0xa7, 0xe9, 0x87, 0xda, 0xa0, 0x71, 0x07, 0xf8, 0xc0, 0xf5, 0xb6, 0x92, 0xce, 0xca,
-	0x37, 0x79, 0x31, 0x96, 0x70, 0xba, 0x97, 0xe2, 0xdc, 0xf8, 0xc3, 0xf9, 0x7b, 0x49, 0x65, 0xc0,
-	0xef, 0x99, 0x16, 0x5f, 0x5f, 0x01, 0x23, 0x3d, 0xc5, 0x93, 0x9f, 0x2a, 0xc3, 0x14, 0x5e, 0x58,
-	0xfa, 0x74, 0x22, 0xee, 0xa4, 0x27, 0xa2, 0x7f, 0xb3, 0xd9, 0x93, 0x9a, 0x8d, 0x7f, 0x68, 0xc1,
-	0x14, 0x4b, 0x6f, 0x2b, 0xa2, 0x32, 0xb9, 0xbe, 0x77, 0x0c, 0x57, 0x81, 0xe7, 0x60, 0x30, 0xa0,
-	0x8d, 0x8a, 0x19, 0x54, 0x7b, 0x9c, 0xf5, 0x04, 0x73, 0x18, 0x3a, 0x07, 0x03, 0xac, 0x0b, 0x74,
-	0xf2, 0xc6, 0x39, 0x0b, 0x5e, 0x72, 0x22, 0x07, 0xb3, 0x52, 0x16, 0x1f, 0x16, 0x93, 0x4e, 0xcb,
-	0xe5, 0x9d, 0x8e, 0xfd, 0x45, 0x3e, 0x19, 0x21, 0x9f, 0x32, 0xbb, 0xf6, 0xf1, 0xe2, 0xc3, 0x66,
-	0x93, 0x2c, 0xbe, 0x66, 0xff, 0x71, 0x09, 0x2e, 0x64, 0xd6, 0xeb, 0x3b, 0x3e, 0x6c, 0x71, 0xed,
-	0xa7, 0x99, 0x0c, 0xb3, 0x7c, 0x8c, 0x4f, 0x41, 0x06, 0xfa, 0x95, 0xfe, 0x07, 0xfb, 0x08, 0xdb,
-	0x9a, 0x39, 0x64, 0x9f, 0x90, 0xb0, 0xad, 0x99, 0x7d, 0xcb, 0x51, 0x13, 0xfc, 0x69, 0x29, 0xe7,
-	0x5b, 0x98, 0xc2, 0xe0, 0x32, 0xe5, 0x33, 0x0c, 0x18, 0xca, 0x4b, 0x38, 0xe7, 0x31, 0xbc, 0x0c,
-	0x2b, 0x28, 0x9a, 0x87, 0xa9, 0xb6, 0xeb, 0x51, 0xe6, 0xb3, 0x67, 0x8a, 0xe2, 0xca, 0x90, 0xb4,
-	0x66, 0x82, 0x71, 0x12, 0x1f, 0xb9, 0x5a, 0x48, 0x57, 0xfe, 0x75, 0x6f, 0x1f, 0x69, 0xd7, 0xcd,
-	0x99, 0xbe, 0x34, 0x6a, 0x14, 0x33, 0xc2, 0xbb, 0xae, 0x69, 0x7a, 0xa2, 0x72, 0xff, 0x7a, 0xa2,
-	0xf1, 0x6c, 0x1d, 0xd1, 0xec, 0xdb, 0x30, 0xf1, 0xd8, 0xf6, 0x1f, 0xfb, 0xfb, 0x65, 0x78, 0xa6,
-	0x60, 0xdb, 0x73, 0x5e, 0x6f, 0xcc, 0x81, 0xc6, 0xeb, 0x53, 0xf3, 0x50, 0x83, 0x93, 0x9b, 0xdd,
-	0x56, 0x6b, 0x8f, 0x3d, 0x6c, 0x25, 0x4d, 0x89, 0x21, 0x64, 0x4a, 0xf5, 0xf4, 0x6d, 0x25, 0x03,
-	0x07, 0x67, 0xd6, 0xa4, 0x57, 0x2c, 0x7a, 0x92, 0xec, 0x29, 0x52, 0x89, 0x2b, 0x16, 0xd6, 0x81,
-	0xd8, 0xc4, 0x45, 0xd7, 0x61, 0xc6, 0xd9, 0x75, 0x5c, 0x9e, 0x4c, 0x48, 0x12, 0xe0, 0x77, 0x2c,
-	0xa5, 0x23, 0x9f, 0x4f, 0x22, 0xe0, 0x74, 0x9d, 0x1c, 0x53, 0x55, 0xf9, 0xb1, 0x4c, 0x55, 0x66,
-	0x70, 0xd1, 0xa1, 0xfc, 0xe0, 0xa2, 0xc5, 0x7c, 0xb1, 0x67, 0x1e, 0xd6, 0x0f, 0x61, 0xe2, 0xa8,
-	0x3e, 0xf1, 0x2f, 0xc1, 0xb0, 0x78, 0xc3, 0x93, 0x7c, 0xaf, 0x29, 0xf3, 0xff, 0x4b, 0xb8, 0xfd,
-	0xbf, 0x5a, 0xa0, 0x74, 0xdc, 0x66, 0x1e, 0x81, 0xb7, 0x99, 0x83, 0x3f, 0xd7, 0xce, 0x6b, 0x6f,
-	0x45, 0x4f, 0x69, 0x0e, 0xfe, 0x31, 0x10, 0x9b, 0xb8, 0x7c, 0xb9, 0x85, 0x71, 0xc4, 0x1a, 0xe3,
-	0x02, 0x21, 0x6c, 0xab, 0x0a, 0x03, 0x7d, 0x05, 0x86, 0x9b, 0xee, 0xae, 0x1b, 0x0a, 0x3d, 0xda,
-	0x91, 0x6d, 0x93, 0xf1, 0xf7, 0x2d, 0x71, 0x32, 0x58, 0xd2, 0xb3, 0xff, 0x8a, 0x05, 0xca, 0x28,
-	0x7c, 0x83, 0x38, 0xad, 0x68, 0x1b, 0xbd, 0x07, 0x20, 0x29, 0x28, 0xdd, 0x9b, 0x74, 0x55, 0x03,
-	0xac, 0x20, 0x87, 0xc6, 0x3f, 0xac, 0xd5, 0x41, 0xef, 0xc2, 0xd0, 0x36, 0xa3, 0x25, 0xbe, 0xed,
-	0x92, 0x32, 0xc1, 0xb1, 0xd2, 0xc3, 0xfd, 0xea, 0x49, 0xb3, 0x4d, 0x79, 0x8a, 0xf1, 0x5a, 0xf6,
-	0x4f, 0x95, 0xe2, 0x39, 0xfd, 0xa0, 0xeb, 0x47, 0xce, 0x31, 0x48, 0x22, 0xd7, 0x0d, 0x49, 0xe4,
-	0x85, 0x22, 0xab, 0x37, 0xeb, 0x52, 0xae, 0x04, 0x72, 0x3b, 0x21, 0x81, 0xbc, 0xd8, 0x9b, 0x54,
-	0xb1, 0xe4, 0xf1, 0x5f, 0x5b, 0x30, 0x63, 0xe0, 0x1f, 0xc3, 0x01, 0xb8, 0x62, 0x1e, 0x80, 0xcf,
-	0xf6, 0xfc, 0x86, 0x9c, 0x83, 0xef, 0x27, 0xca, 0x89, 0xbe, 0xb3, 0x03, 0xef, 0x23, 0x18, 0xd8,
-	0x76, 0x82, 0xa6, 0xb8, 0xd7, 0x5f, 0xe9, 0x6b, 0xac, 0xe7, 0x6e, 0x38, 0x81, 0x70, 0x73, 0x79,
-	0x45, 0x8e, 0x3a, 0x2d, 0xea, 0xe9, 0xe2, 0xc2, 0x9a, 0x42, 0xd7, 0x60, 0x28, 0x6c, 0xf8, 0x1d,
-	0xf5, 0x24, 0xf4, 0x22, 0x1b, 0x68, 0x56, 0x72, 0xb8, 0x5f, 0x45, 0x66, 0x73, 0xb4, 0x18, 0x0b,
-	0x7c, 0xf4, 0x55, 0x98, 0x60, 0xbf, 0x94, 0xcf, 0x69, 0x39, 0x5f, 0x03, 0x53, 0xd7, 0x11, 0xb9,
-	0x43, 0xb6, 0x51, 0x84, 0x4d, 0x52, 0xb3, 0x5b, 0x30, 0xaa, 0x3e, 0xeb, 0xa9, 0x7a, 0x24, 0xfc,
-	0x8b, 0x32, 0x9c, 0xc8, 0x58, 0x73, 0x28, 0x34, 0x66, 0xe2, 0x6a, 0x9f, 0x4b, 0xf5, 0x63, 0xce,
-	0x45, 0xc8, 0x2e, 0x80, 0x4d, 0xb1, 0xb6, 0xfa, 0x6e, 0xf4, 0x4e, 0x48, 0x92, 0x8d, 0xd2, 0xa2,
-	0xde, 0x8d, 0xd2, 0xc6, 0x8e, 0x6d, 0xa8, 0x69, 0x43, 0xaa, 0xa7, 0x4f, 0x75, 0x4e, 0x7f, 0x6b,
-	0x00, 0x4e, 0x66, 0x39, 0xe2, 0xa0, 0x1f, 0x85, 0x21, 0xf6, 0x9c, 0xaf, 0xf0, 0xfd, 0x6b, 0x56,
-	0xcd, 0x39, 0xf6, 0x22, 0x50, 0x84, 0xa2, 0x9e, 0x93, 0xec, 0x88, 0x17, 0xf6, 0x1c, 0x66, 0xd1,
-	0x26, 0x0b, 0x11, 0x27, 0x4e, 0x4f, 0xc9, 0x3e, 0x3e, 0xdf, 0x77, 0x07, 0xc4, 0xf9, 0x1b, 0x26,
-	0xfc, 0xd9, 0x64, 0x71, 0x6f, 0x7f, 0x36, 0xd9, 0x32, 0x5a, 0x85, 0xa1, 0x06, 0x77, 0x94, 0x2a,
-	0xf7, 0x66, 0x61, 0xdc, 0x4b, 0x4a, 0x31, 0x60, 0xe1, 0x1d, 0x25, 0x08, 0xcc, 0xba, 0x30, 0xa6,
-	0x0d, 0xcc, 0x53, 0x5d, 0x3c, 0x3b, 0xf4, 0xe0, 0xd3, 0x86, 0xe0, 0xa9, 0x2e, 0xa0, 0xbf, 0xae,
-	0x9d, 0xfd, 0x82, 0x1f, 0x7c, 0xce, 0x90, 0x9d, 0xce, 0x25, 0x1e, 0x59, 0x26, 0xf6, 0x15, 0x93,
-	0xa5, 0xea, 0x66, 0x0e, 0x87, 0xdc, 0x44, 0x74, 0xe6, 0x81, 0x5f, 0x9c, 0xb7, 0xc1, 0xfe, 0x59,
-	0x0b, 0x12, 0xcf, 0xe0, 0x94, 0xba, 0xd3, 0xca, 0x55, 0x77, 0x5e, 0x84, 0x81, 0xc0, 0x6f, 0x49,
-	0x79, 0x4a, 0x61, 0x60, 0xbf, 0x45, 0x30, 0x83, 0x50, 0x8c, 0x28, 0x56, 0x62, 0x8d, 0xeb, 0x17,
-	0x74, 0x71, 0xf5, 0x7e, 0x0e, 0x06, 0x5b, 0x64, 0x97, 0xb4, 0x92, 0xf9, 0x98, 0x6f, 0xd1, 0x42,
-	0xcc, 0x61, 0xf6, 0x3f, 0x1c, 0x80, 0xf3, 0x85, 0x91, 0x24, 0xa9, 0x80, 0xb9, 0xe5, 0x44, 0xe4,
-	0x81, 0xb3, 0x97, 0xcc, 0x43, 0x7a, 0x9d, 0x17, 0x63, 0x09, 0x67, 0xef, 0xee, 0x79, 0x6e, 0xad,
-	0x84, 0x72, 0x58, 0xa4, 0xd4, 0x12, 0x50, 0x53, 0xd9, 0x58, 0x7e, 0x12, 0xca, 0xc6, 0xd7, 0x00,
-	0xc2, 0xb0, 0xc5, 0xbd, 0x5d, 0x9b, 0xe2, 0x41, 0x7f, 0x1c, 0xe9, 0xa4, 0x7e, 0x4b, 0x40, 0xb0,
-	0x86, 0x85, 0x96, 0x60, 0xba, 0x13, 0xf8, 0x11, 0xd7, 0xb5, 0x2f, 0x71, 0x87, 0xf0, 0x41, 0x33,
-	0x88, 0x5f, 0x2d, 0x01, 0xc7, 0xa9, 0x1a, 0xe8, 0x4d, 0x18, 0x13, 0x81, 0xfd, 0x6a, 0xbe, 0xdf,
-	0x12, 0xea, 0x3d, 0xe5, 0x23, 0x5d, 0x8f, 0x41, 0x58, 0xc7, 0xd3, 0xaa, 0x31, 0x05, 0xfe, 0x70,
-	0x66, 0x35, 0xae, 0xc4, 0xd7, 0xf0, 0x12, 0x49, 0x40, 0x46, 0xfa, 0x4a, 0x02, 0x12, 0x2b, 0x3c,
-	0x47, 0xfb, 0xb6, 0x27, 0x43, 0x4f, 0x15, 0xe1, 0xaf, 0x0c, 0xc0, 0x09, 0xb1, 0x70, 0x9e, 0xf6,
-	0x72, 0xb9, 0x93, 0x5e, 0x2e, 0x4f, 0x42, 0x25, 0xfa, 0xe9, 0x9a, 0x39, 0xee, 0x35, 0xf3, 0xd3,
-	0x16, 0x98, 0x32, 0x24, 0xfa, 0x8f, 0x72, 0x13, 0x39, 0xbf, 0x99, 0x2b, 0x93, 0xc6, 0x19, 0x02,
-	0x3e, 0x5e, 0x4a, 0x67, 0xfb, 0x7f, 0xb6, 0xe0, 0xd9, 0x9e, 0x14, 0xd1, 0x32, 0x8c, 0x32, 0x41,
-	0x57, 0xbb, 0x17, 0xbf, 0xa8, 0x1e, 0x8c, 0x48, 0x40, 0x8e, 0xdc, 0x1d, 0xd7, 0x44, 0xcb, 0xa9,
-	0x8c, 0xd9, 0x2f, 0x65, 0x64, 0xcc, 0x3e, 0x65, 0x0c, 0xcf, 0x63, 0xa6, 0xcc, 0xfe, 0x49, 0x7a,
-	0xe2, 0x98, 0xaf, 0x4e, 0x3f, 0x6f, 0xa8, 0x73, 0xed, 0x84, 0x3a, 0x17, 0x99, 0xd8, 0xda, 0x19,
-	0xf2, 0x1e, 0x4c, 0xb3, 0x88, 0xbf, 0xec, 0xf9, 0x92, 0x78, 0xae, 0x5a, 0x8a, 0xbd, 0x9d, 0x6f,
-	0x25, 0x60, 0x38, 0x85, 0x6d, 0xff, 0x9b, 0x32, 0x0c, 0xf1, 0xed, 0x77, 0x0c, 0x17, 0xdf, 0x97,
-	0x61, 0xd4, 0x6d, 0xb7, 0xbb, 0x3c, 0x09, 0xf2, 0x60, 0xec, 0xf0, 0xbe, 0x2a, 0x0b, 0x71, 0x0c,
-	0x47, 0x2b, 0xc2, 0x92, 0x50, 0x90, 0x54, 0x80, 0x77, 0x7c, 0x6e, 0xc9, 0x89, 0x1c, 0x2e, 0xc5,
-	0xa9, 0x73, 0x36, 0xb6, 0x39, 0xa0, 0x6f, 0x00, 0x84, 0x51, 0xe0, 0x7a, 0x5b, 0xb4, 0x4c, 0x64,
-	0x9e, 0xf9, 0x6c, 0x01, 0xb5, 0xba, 0x42, 0xe6, 0x34, 0x63, 0x9e, 0xa3, 0x00, 0x58, 0xa3, 0x88,
-	0xe6, 0x8c, 0x93, 0x7e, 0x36, 0x31, 0x77, 0xc0, 0xa9, 0xc6, 0x73, 0x36, 0xfb, 0x05, 0x18, 0x55,
-	0xc4, 0x7b, 0xe9, 0x15, 0xc7, 0x75, 0x81, 0xed, 0x4b, 0x30, 0x95, 0xe8, 0xdb, 0x91, 0xd4, 0x92,
-	0xbf, 0x6e, 0xc1, 0x14, 0xef, 0xcc, 0xb2, 0xb7, 0x2b, 0x4e, 0x83, 0x47, 0x70, 0xb2, 0x95, 0xc1,
-	0x95, 0xc5, 0xf4, 0xf7, 0xcf, 0xc5, 0x95, 0x1a, 0x32, 0x0b, 0x8a, 0x33, 0xdb, 0x40, 0x97, 0xe9,
-	0x8e, 0xa3, 0x5c, 0xd7, 0x69, 0x89, 0x98, 0x2b, 0xe3, 0x7c, 0xb7, 0xf1, 0x32, 0xac, 0xa0, 0xf6,
-	0x1f, 0x58, 0x30, 0xc3, 0x7b, 0x7e, 0x93, 0xec, 0x29, 0xde, 0xf4, 0x83, 0xec, 0xbb, 0x48, 0xbf,
-	0x5f, 0xca, 0x49, 0xbf, 0xaf, 0x7f, 0x5a, 0xb9, 0xf0, 0xd3, 0x7e, 0xc9, 0x02, 0xb1, 0x42, 0x8e,
-	0x41, 0xd3, 0xf2, 0x23, 0xa6, 0xa6, 0x65, 0x36, 0x7f, 0x13, 0xe4, 0xa8, 0x58, 0xfe, 0xbd, 0x05,
-	0xd3, 0x1c, 0x41, 0x8b, 0x62, 0xf7, 0x83, 0x9c, 0x87, 0x05, 0xf3, 0x8b, 0x32, 0xdd, 0x5a, 0x6f,
-	0x92, 0xbd, 0x0d, 0xbf, 0xe6, 0x44, 0xdb, 0xd9, 0x1f, 0x65, 0x4c, 0xd6, 0x40, 0xe1, 0x64, 0x35,
-	0xe5, 0x06, 0x32, 0x12, 0xad, 0xf6, 0x50, 0x00, 0x1f, 0x35, 0xd1, 0xaa, 0xfd, 0x47, 0x16, 0x20,
-	0xde, 0x8c, 0x21, 0xb8, 0x51, 0x71, 0x88, 0x95, 0x66, 0x06, 0x0b, 0x54, 0x10, 0xac, 0x61, 0x3d,
-	0x91, 0xe1, 0x49, 0xb8, 0xb2, 0x94, 0x7b, 0xbb, 0xb2, 0x1c, 0x61, 0x44, 0x7f, 0x69, 0x18, 0x92,
-	0x0f, 0x56, 0xd1, 0x5d, 0x18, 0x6f, 0x38, 0x1d, 0xe7, 0xbe, 0xdb, 0x72, 0x23, 0x97, 0x84, 0x45,
-	0x7e, 0x6e, 0x8b, 0x1a, 0x9e, 0x70, 0x3e, 0xd0, 0x4a, 0xb0, 0x41, 0x07, 0xcd, 0x01, 0x74, 0x02,
-	0x77, 0xd7, 0x6d, 0x91, 0x2d, 0xa6, 0x10, 0x62, 0x51, 0x9e, 0xb8, 0xd3, 0x9d, 0x2c, 0xc5, 0x1a,
-	0x46, 0x46, 0x70, 0x95, 0xf2, 0x53, 0x0e, 0xae, 0x02, 0xc7, 0x16, 0x5c, 0x65, 0xe0, 0x48, 0xc1,
-	0x55, 0x46, 0x8e, 0x1c, 0x5c, 0x65, 0xb0, 0xaf, 0xe0, 0x2a, 0x18, 0x4e, 0x4b, 0xd9, 0x93, 0xfe,
-	0x5f, 0x71, 0x5b, 0x44, 0x5c, 0x38, 0x78, 0x68, 0xaa, 0xd9, 0x83, 0xfd, 0xea, 0x69, 0x9c, 0x89,
-	0x81, 0x73, 0x6a, 0xa2, 0x2f, 0x43, 0xc5, 0x69, 0xb5, 0xfc, 0x07, 0x6a, 0x52, 0x97, 0xc3, 0x86,
-	0xd3, 0x8a, 0xc3, 0x32, 0x8e, 0x2c, 0x9c, 0x3b, 0xd8, 0xaf, 0x56, 0xe6, 0x73, 0x70, 0x70, 0x6e,
-	0x6d, 0xf4, 0x0e, 0x8c, 0x76, 0x02, 0xbf, 0xb1, 0xa6, 0xbd, 0xaa, 0xbf, 0x40, 0x07, 0xb0, 0x26,
-	0x0b, 0x0f, 0xf7, 0xab, 0x13, 0xea, 0x0f, 0x3b, 0xf0, 0xe3, 0x0a, 0x19, 0x71, 0x4b, 0xc6, 0x9e,
-	0x76, 0xdc, 0x92, 0xf1, 0x27, 0x1c, 0xb7, 0xc4, 0xde, 0x81, 0x13, 0x75, 0x12, 0xb8, 0x4e, 0xcb,
-	0x7d, 0x44, 0x65, 0x72, 0xc9, 0x03, 0x37, 0x60, 0x34, 0x48, 0x70, 0xfd, 0xbe, 0x92, 0x09, 0x68,
-	0x7a, 0x19, 0xc9, 0xe5, 0x63, 0x42, 0xf6, 0xff, 0x6b, 0xc1, 0xb0, 0x78, 0x04, 0x7b, 0x0c, 0x92,
-	0xe9, 0xbc, 0x61, 0x92, 0xa9, 0x66, 0x4f, 0x0a, 0xeb, 0x4c, 0xae, 0x31, 0x66, 0x35, 0x61, 0x8c,
-	0x79, 0xb6, 0x88, 0x48, 0xb1, 0x19, 0xe6, 0x3f, 0x2b, 0xd3, 0x1b, 0x82, 0x11, 0x8e, 0xe1, 0xe9,
-	0x0f, 0xc1, 0x3a, 0x0c, 0x87, 0x22, 0x1c, 0x40, 0x29, 0xff, 0x8d, 0x51, 0x72, 0x12, 0x63, 0x1f,
-	0x48, 0x11, 0x00, 0x40, 0x12, 0xc9, 0x8c, 0x33, 0x50, 0x7e, 0x8a, 0x71, 0x06, 0x7a, 0x05, 0xac,
-	0x18, 0x78, 0x12, 0x01, 0x2b, 0xec, 0xdf, 0x60, 0xa7, 0xb3, 0x5e, 0x7e, 0x0c, 0x82, 0xdb, 0x75,
-	0xf3, 0x1c, 0xb7, 0x0b, 0x56, 0x96, 0xe8, 0x54, 0x8e, 0x00, 0xf7, 0x6b, 0x16, 0x9c, 0xcf, 0xf8,
-	0x2a, 0x4d, 0x9a, 0x7b, 0x05, 0x46, 0x9c, 0x6e, 0xd3, 0x55, 0x7b, 0x59, 0xb3, 0x16, 0xcf, 0x8b,
-	0x72, 0xac, 0x30, 0xd0, 0x22, 0xcc, 0x90, 0x54, 0x7c, 0x61, 0x1e, 0xb9, 0x8b, 0xbd, 0x9c, 0x4e,
-	0x07, 0x17, 0x4e, 0xe3, 0xab, 0xa0, 0x77, 0xe5, 0xdc, 0xa0, 0x77, 0x7f, 0xcf, 0x82, 0x31, 0xf5,
-	0x20, 0xfe, 0xa9, 0x8f, 0xf6, 0x7b, 0xe6, 0x68, 0x3f, 0x53, 0x30, 0xda, 0x39, 0xc3, 0xfc, 0x7b,
-	0x25, 0xd5, 0xdf, 0x9a, 0x1f, 0x44, 0x7d, 0x48, 0x89, 0x8f, 0xff, 0xec, 0xe5, 0x2a, 0x8c, 0x39,
-	0x9d, 0x8e, 0x04, 0x48, 0xff, 0x45, 0x96, 0x1a, 0x26, 0x2e, 0xc6, 0x3a, 0x8e, 0x7a, 0x85, 0x53,
-	0xce, 0x7d, 0x85, 0xd3, 0x04, 0x88, 0x9c, 0x60, 0x8b, 0x44, 0xb4, 0x4c, 0xb8, 0x5b, 0xe7, 0xf3,
-	0x9b, 0x6e, 0xe4, 0xb6, 0xe6, 0x5c, 0x2f, 0x0a, 0xa3, 0x60, 0x6e, 0xd5, 0x8b, 0x6e, 0x07, 0xfc,
-	0x9a, 0xaa, 0x85, 0x96, 0x54, 0xb4, 0xb0, 0x46, 0x57, 0x06, 0x7f, 0x61, 0x6d, 0x0c, 0x9a, 0x8e,
-	0x30, 0xeb, 0xa2, 0x1c, 0x2b, 0x0c, 0xfb, 0x0b, 0xec, 0xf4, 0x61, 0x63, 0x7a, 0xb4, 0x90, 0x89,
-	0x7f, 0x3c, 0xae, 0x66, 0x83, 0x99, 0x84, 0x97, 0xf4, 0xc0, 0x8c, 0xc5, 0xcc, 0x9e, 0x36, 0xac,
-	0xbf, 0xb3, 0x8d, 0xa3, 0x37, 0xa2, 0xaf, 0xa5, 0x9c, 0x9b, 0x5e, 0xed, 0x71, 0x6a, 0x1c, 0xc1,
-	0x9d, 0x89, 0xe5, 0x89, 0x64, 0x59, 0xf4, 0x56, 0x6b, 0x62, 0x5f, 0x68, 0x79, 0x22, 0x05, 0x00,
-	0xc7, 0x38, 0x54, 0x60, 0x53, 0x7f, 0xc2, 0x0a, 0x8a, 0xd3, 0x09, 0x28, 0xec, 0x10, 0x6b, 0x18,
-	0xe8, 0x8a, 0x50, 0x5a, 0x70, 0xdb, 0xc3, 0x33, 0x09, 0xa5, 0x85, 0x1c, 0x2e, 0x4d, 0xd3, 0x74,
-	0x15, 0xc6, 0xc8, 0xc3, 0x88, 0x04, 0x9e, 0xd3, 0xa2, 0x2d, 0x0c, 0xc6, 0xc1, 0x91, 0x97, 0xe3,
-	0x62, 0xac, 0xe3, 0xa0, 0x0d, 0x98, 0x0a, 0xb9, 0x2e, 0x4f, 0x25, 0xb1, 0xe1, 0x3a, 0xd1, 0xcf,
-	0xaa, 0x50, 0x04, 0x26, 0xf8, 0x90, 0x15, 0x71, 0xee, 0x24, 0x03, 0xb4, 0x24, 0x49, 0xa0, 0x77,
-	0x61, 0xb2, 0xe5, 0x3b, 0xcd, 0x05, 0xa7, 0xe5, 0x78, 0x0d, 0x36, 0x3e, 0x23, 0x46, 0x94, 0xce,
-	0xc9, 0x5b, 0x06, 0x14, 0x27, 0xb0, 0xa9, 0x80, 0xa8, 0x97, 0x88, 0xc4, 0x4b, 0x8e, 0xb7, 0x45,
-	0xc2, 0xca, 0x28, 0xfb, 0x2a, 0x26, 0x20, 0xde, 0xca, 0xc1, 0xc1, 0xb9, 0xb5, 0xd1, 0x35, 0x18,
-	0x97, 0x9f, 0xaf, 0xc5, 0x33, 0x8a, 0x1f, 0x34, 0x69, 0x30, 0x6c, 0x60, 0xa2, 0x10, 0x4e, 0xc9,
-	0xff, 0x1b, 0x81, 0xb3, 0xb9, 0xe9, 0x36, 0x44, 0x90, 0x0f, 0xfe, 0x28, 0xfd, 0x4b, 0xf2, 0x05,
-	0xec, 0x72, 0x16, 0xd2, 0xe1, 0x7e, 0xf5, 0x9c, 0x18, 0xb5, 0x4c, 0x38, 0xce, 0xa6, 0x8d, 0xd6,
-	0xe0, 0x04, 0xf7, 0x81, 0x59, 0xdc, 0x26, 0x8d, 0x1d, 0xb9, 0xe1, 0x98, 0xd4, 0xa8, 0x3d, 0xfc,
-	0xb9, 0x91, 0x46, 0xc1, 0x59, 0xf5, 0xd0, 0x87, 0x50, 0xe9, 0x74, 0xef, 0xb7, 0xdc, 0x70, 0x7b,
-	0xdd, 0x8f, 0x98, 0x0b, 0xd9, 0x7c, 0xb3, 0x19, 0x90, 0x90, 0xbf, 0x59, 0x66, 0x47, 0xaf, 0x8c,
-	0x41, 0x55, 0xcb, 0xc1, 0xc3, 0xb9, 0x14, 0xd0, 0x23, 0x38, 0x95, 0x58, 0x08, 0x22, 0x98, 0xcc,
-	0x64, 0x7e, 0x0a, 0xbb, 0x7a, 0x56, 0x05, 0x11, 0x97, 0x29, 0x0b, 0x84, 0xb3, 0x9b, 0x40, 0x6f,
-	0x01, 0xb8, 0x9d, 0x15, 0xa7, 0xed, 0xb6, 0xe8, 0x75, 0xf4, 0x04, 0x5b, 0x23, 0xf4, 0x6a, 0x02,
-	0xab, 0x35, 0x59, 0x4a, 0x79, 0xb3, 0xf8, 0xb7, 0x87, 0x35, 0x6c, 0x74, 0x0b, 0x26, 0xc5, 0xbf,
-	0x3d, 0x31, 0xa5, 0x33, 0x2a, 0xdb, 0xf1, 0xa4, 0xac, 0xa1, 0xe6, 0x31, 0x51, 0x82, 0x13, 0x75,
-	0xd1, 0x16, 0x9c, 0x97, 0xa9, 0x96, 0xf5, 0xf5, 0x29, 0xe7, 0x20, 0x64, 0x79, 0xe3, 0x46, 0xf8,
-	0x9b, 0xa2, 0xf9, 0x22, 0x44, 0x5c, 0x4c, 0x87, 0x9e, 0xeb, 0xfa, 0x32, 0xe7, 0x2f, 0xd9, 0x4f,
-	0xc5, 0xb1, 0x4e, 0x6f, 0x25, 0x81, 0x38, 0x8d, 0x8f, 0x7c, 0x38, 0xe5, 0x7a, 0x59, 0xab, 0xfa,
-	0x34, 0x23, 0xf4, 0x45, 0xfe, 0x88, 0xbf, 0x78, 0x45, 0x67, 0xc2, 0x71, 0x36, 0x5d, 0xb4, 0x0a,
-	0x27, 0x22, 0x5e, 0xb0, 0xe4, 0x86, 0x3c, 0x2d, 0x15, 0xbd, 0xf6, 0x9d, 0x61, 0xcd, 0x9d, 0xa1,
-	0xab, 0x79, 0x23, 0x0d, 0xc6, 0x59, 0x75, 0x3e, 0x9e, 0x03, 0xe8, 0xef, 0x5b, 0xb4, 0xb6, 0x26,
-	0xe8, 0xa3, 0x6f, 0xc2, 0xb8, 0x3e, 0x3e, 0x42, 0x68, 0xb9, 0x94, 0x2d, 0x07, 0x6b, 0xec, 0x85,
-	0x5f, 0x13, 0x14, 0x0b, 0xd1, 0x61, 0xd8, 0xa0, 0x88, 0x1a, 0x19, 0xc1, 0x37, 0xae, 0xf4, 0x27,
-	0x14, 0xf5, 0xef, 0xff, 0x48, 0x20, 0x7b, 0xe7, 0xa0, 0x5b, 0x30, 0xd2, 0x68, 0xb9, 0xc4, 0x8b,
-	0x56, 0x6b, 0x45, 0x21, 0x68, 0x17, 0x05, 0x8e, 0xd8, 0x8a, 0x22, 0x9b, 0x1c, 0x2f, 0xc3, 0x8a,
-	0x82, 0x7d, 0x0d, 0xc6, 0xea, 0x2d, 0x42, 0x3a, 0xfc, 0x1d, 0x17, 0x7a, 0x89, 0x5d, 0x4c, 0x98,
-	0x68, 0x69, 0x31, 0xd1, 0x52, 0xbf, 0x73, 0x30, 0xa1, 0x52, 0xc2, 0xed, 0xdf, 0x2e, 0x41, 0xb5,
-	0x47, 0x52, 0xc3, 0x84, 0xbd, 0xcd, 0xea, 0xcb, 0xde, 0x36, 0x0f, 0x53, 0xf1, 0x3f, 0x5d, 0x95,
-	0xa7, 0x9c, 0xa1, 0xef, 0x9a, 0x60, 0x9c, 0xc4, 0xef, 0xfb, 0x5d, 0x8b, 0x6e, 0xb2, 0x1b, 0xe8,
-	0xf9, 0x32, 0xcb, 0x30, 0xd5, 0x0f, 0xf6, 0x7f, 0xf7, 0xce, 0x35, 0xbb, 0xda, 0xbf, 0x51, 0x82,
-	0x53, 0x6a, 0x08, 0x7f, 0x78, 0x07, 0xee, 0x4e, 0x7a, 0xe0, 0x9e, 0x80, 0xd1, 0xda, 0xbe, 0x0d,
-	0x43, 0x3c, 0x2e, 0x6e, 0x1f, 0x32, 0xff, 0x73, 0x66, 0x1e, 0x06, 0x25, 0x66, 0x1a, 0xb9, 0x18,
-	0xfe, 0x92, 0x05, 0x53, 0x89, 0x07, 0x92, 0x08, 0x6b, 0xaf, 0xe8, 0x1f, 0x47, 0x2e, 0xcf, 0x92,
-	0xf8, 0x2f, 0xc2, 0xc0, 0xb6, 0xaf, 0x9c, 0x94, 0x15, 0xc6, 0x0d, 0x3f, 0x8c, 0x30, 0x83, 0xd8,
-	0xff, 0xd2, 0x82, 0xc1, 0x0d, 0xc7, 0xf5, 0x22, 0x69, 0xfd, 0xb0, 0x72, 0xac, 0x1f, 0xfd, 0x7c,
-	0x17, 0x7a, 0x13, 0x86, 0xc8, 0xe6, 0x26, 0x69, 0x44, 0x62, 0x56, 0x65, 0x94, 0x8f, 0xa1, 0x65,
-	0x56, 0x4a, 0x85, 0x50, 0xd6, 0x18, 0xff, 0x8b, 0x05, 0x32, 0xba, 0x07, 0xa3, 0x91, 0xdb, 0x26,
-	0xf3, 0xcd, 0xa6, 0xf0, 0x09, 0x78, 0x8c, 0xd0, 0x34, 0x1b, 0x92, 0x00, 0x8e, 0x69, 0xd9, 0xdf,
-	0x2b, 0x01, 0xc4, 0x71, 0xf8, 0x7a, 0x7d, 0xe2, 0x42, 0xca, 0x5a, 0x7c, 0x29, 0xc3, 0x5a, 0x8c,
-	0x62, 0x82, 0x19, 0xa6, 0x62, 0x35, 0x4c, 0xe5, 0xbe, 0x86, 0x69, 0xe0, 0x28, 0xc3, 0xb4, 0x08,
-	0x33, 0x71, 0x1c, 0x41, 0x33, 0x8c, 0x2a, 0x3b, 0xbf, 0x37, 0x92, 0x40, 0x9c, 0xc6, 0xb7, 0x09,
-	0x5c, 0x54, 0xe1, 0xd4, 0xc4, 0x59, 0xc8, 0x9e, 0x12, 0xe8, 0xd6, 0xf7, 0x1e, 0xe3, 0x14, 0x9b,
-	0xc3, 0x4b, 0xb9, 0xe6, 0xf0, 0xbf, 0x69, 0xc1, 0xc9, 0x64, 0x3b, 0xec, 0xdd, 0xfd, 0x77, 0x2d,
-	0x38, 0x15, 0xe7, 0xf4, 0x4a, 0xbb, 0x20, 0xbc, 0x51, 0x18, 0x22, 0x2e, 0xa7, 0xc7, 0x71, 0x38,
-	0x99, 0xb5, 0x2c, 0xd2, 0x38, 0xbb, 0x45, 0xfb, 0xff, 0x19, 0x80, 0x4a, 0x5e, 0x6c, 0x39, 0xf6,
-	0xd2, 0xc8, 0x79, 0x58, 0xdf, 0x21, 0x0f, 0xc4, 0x7b, 0x8e, 0xf8, 0xa5, 0x11, 0x2f, 0xc6, 0x12,
-	0x9e, 0x4c, 0xe3, 0x56, 0xea, 0x33, 0x8d, 0xdb, 0x36, 0xcc, 0x3c, 0xd8, 0x26, 0xde, 0x1d, 0x2f,
-	0x74, 0x22, 0x37, 0xdc, 0x74, 0x99, 0x01, 0x9d, 0xaf, 0x9b, 0xb7, 0xe4, 0xab, 0x8b, 0x7b, 0x49,
-	0x84, 0xc3, 0xfd, 0xea, 0x79, 0xa3, 0x20, 0xee, 0x32, 0x67, 0x24, 0x38, 0x4d, 0x34, 0x9d, 0x05,
-	0x6f, 0xe0, 0x29, 0x67, 0xc1, 0x6b, 0xbb, 0xc2, 0xed, 0x46, 0x3e, 0x23, 0x61, 0xd7, 0xd6, 0x35,
-	0x55, 0x8a, 0x35, 0x0c, 0xf4, 0x75, 0x40, 0x7a, 0x1a, 0x53, 0x23, 0xb4, 0xef, 0xab, 0x07, 0xfb,
-	0x55, 0xb4, 0x9e, 0x82, 0x1e, 0xee, 0x57, 0x4f, 0xd0, 0xd2, 0x55, 0x8f, 0x5e, 0x7f, 0xe3, 0x78,
-	0x88, 0x19, 0x84, 0xd0, 0x3d, 0x98, 0xa6, 0xa5, 0x6c, 0x47, 0xc9, 0xb8, 0xc1, 0xfc, 0xca, 0xfa,
-	0xf2, 0xc1, 0x7e, 0x75, 0x7a, 0x3d, 0x01, 0xcb, 0x23, 0x9d, 0x22, 0x92, 0x91, 0x0c, 0x6f, 0xa4,
-	0xdf, 0x64, 0x78, 0xf6, 0x77, 0x2d, 0x38, 0x4b, 0x0f, 0xb8, 0xe6, 0xad, 0x1c, 0x2b, 0xba, 0xd3,
-	0x71, 0xb9, 0x9d, 0x46, 0x1c, 0x35, 0x4c, 0x57, 0x57, 0x5b, 0xe5, 0x56, 0x1a, 0x05, 0xa5, 0x1c,
-	0x7e, 0xc7, 0xf5, 0x9a, 0x49, 0x0e, 0x7f, 0xd3, 0xf5, 0x9a, 0x98, 0x41, 0xd4, 0x91, 0x55, 0xce,
-	0xcd, 0x43, 0xf0, 0x2b, 0x74, 0xaf, 0xd2, 0xbe, 0xfc, 0x40, 0xbb, 0x81, 0x5e, 0xd6, 0x6d, 0xaa,
-	0xc2, 0x7d, 0x32, 0xd7, 0x9e, 0xfa, 0x1d, 0x0b, 0xc4, 0xeb, 0xf7, 0x3e, 0xce, 0xe4, 0xaf, 0xc2,
-	0xf8, 0x6e, 0x3a, 0xc5, 0xf3, 0xc5, 0xfc, 0x70, 0x00, 0x22, 0xb1, 0xb3, 0x12, 0xd1, 0x8d, 0x74,
-	0xce, 0x06, 0x2d, 0xbb, 0x09, 0x02, 0xba, 0x44, 0x98, 0x55, 0xa3, 0x77, 0x6f, 0x5e, 0x03, 0x68,
-	0x32, 0x5c, 0x96, 0xec, 0xac, 0x64, 0x4a, 0x5c, 0x4b, 0x0a, 0x82, 0x35, 0x2c, 0xfb, 0x17, 0xca,
-	0x30, 0x26, 0x53, 0x0a, 0x77, 0xbd, 0x7e, 0x74, 0x8f, 0xba, 0xe0, 0x54, 0xea, 0x29, 0x38, 0x7d,
-	0x08, 0x33, 0x01, 0x69, 0x74, 0x83, 0xd0, 0xdd, 0x25, 0x12, 0x2c, 0x36, 0xc9, 0x1c, 0x4f, 0x83,
-	0x91, 0x00, 0x1e, 0xb2, 0xd0, 0x5d, 0x89, 0x42, 0x66, 0x34, 0x4e, 0x13, 0x42, 0x57, 0x60, 0x94,
-	0xa9, 0xde, 0x6b, 0xb1, 0x42, 0x58, 0x29, 0xbe, 0xd6, 0x24, 0x00, 0xc7, 0x38, 0xec, 0x72, 0xd0,
-	0xbd, 0xaf, 0x65, 0xa2, 0x8b, 0x2f, 0x07, 0xbc, 0x18, 0x4b, 0x38, 0xfa, 0x32, 0x4c, 0xf3, 0x7a,
-	0x81, 0xdf, 0x71, 0xb6, 0xb8, 0x49, 0x70, 0x50, 0x85, 0xd7, 0x99, 0x5e, 0x4b, 0xc0, 0x0e, 0xf7,
-	0xab, 0x27, 0x93, 0x65, 0xac, 0xdb, 0x29, 0x2a, 0xcc, 0xf3, 0x8f, 0x37, 0x42, 0xcf, 0x8c, 0x94,
-	0xc3, 0x60, 0x0c, 0xc2, 0x3a, 0x9e, 0xfd, 0x27, 0x16, 0xcc, 0x68, 0x53, 0xd5, 0x77, 0x26, 0x12,
-	0x63, 0x90, 0x4a, 0x7d, 0x0c, 0xd2, 0xd1, 0xa2, 0x3d, 0x64, 0xce, 0xf0, 0xc0, 0x13, 0x9a, 0x61,
-	0xfb, 0x9b, 0x80, 0xd2, 0xf9, 0xaa, 0xd1, 0xfb, 0xdc, 0x91, 0xdf, 0x0d, 0x48, 0xb3, 0xc8, 0xe0,
-	0xaf, 0x47, 0xce, 0x91, 0x2f, 0x57, 0x79, 0x2d, 0xac, 0xea, 0xdb, 0x7f, 0x32, 0x00, 0xd3, 0xc9,
-	0x58, 0x1d, 0xe8, 0x06, 0x0c, 0x71, 0x29, 0x5d, 0x90, 0x2f, 0xf0, 0x27, 0xd3, 0x22, 0x7c, 0xf0,
-	0x2c, 0x41, 0x5c, 0xba, 0x17, 0xf5, 0xd1, 0x87, 0x30, 0xd6, 0xf4, 0x1f, 0x78, 0x0f, 0x9c, 0xa0,
-	0x39, 0x5f, 0x5b, 0x15, 0x1c, 0x22, 0x53, 0x01, 0xb5, 0x14, 0xa3, 0xe9, 0x51, 0x43, 0x98, 0xef,
-	0x44, 0x0c, 0xc2, 0x3a, 0x39, 0xb4, 0xc1, 0x12, 0x57, 0x6d, 0xba, 0x5b, 0x6b, 0x4e, 0xa7, 0xe8,
-	0x55, 0xd7, 0xa2, 0x44, 0xd2, 0x28, 0x4f, 0x88, 0xec, 0x56, 0x1c, 0x80, 0x63, 0x42, 0xe8, 0x47,
-	0xe1, 0x44, 0x98, 0x63, 0x12, 0xcb, 0x71, 0x38, 0x28, 0xb4, 0x12, 0x71, 0x65, 0x4a, 0x96, 0xf1,
-	0x2c, 0xab, 0x19, 0xf4, 0x10, 0x90, 0x50, 0x3d, 0x6f, 0x04, 0xdd, 0x30, 0xe2, 0x29, 0x20, 0xc5,
-	0xa5, 0xeb, 0x73, 0xd9, 0x7a, 0x82, 0x24, 0xb6, 0xd6, 0x36, 0x0b, 0x9c, 0x9c, 0xc6, 0xc0, 0x19,
-	0x6d, 0xa0, 0x6d, 0x98, 0xec, 0x18, 0xd9, 0x37, 0xd9, 0xde, 0xcc, 0x89, 0x2e, 0x9c, 0x97, 0xa7,
-	0x93, 0x9f, 0xd2, 0x26, 0x14, 0x27, 0xe8, 0xda, 0xdf, 0x19, 0x80, 0x59, 0x99, 0x8a, 0x3e, 0xe3,
-	0x9d, 0xcc, 0xb7, 0xad, 0xc4, 0x43, 0x99, 0xb7, 0xf2, 0x8f, 0x94, 0xa7, 0xf6, 0x5c, 0xe6, 0x27,
-	0xd3, 0xcf, 0x65, 0xde, 0x39, 0x62, 0x37, 0x9e, 0xd8, 0xa3, 0x99, 0x1f, 0xda, 0x97, 0x2e, 0x07,
-	0x27, 0xc1, 0x10, 0x02, 0x10, 0xe6, 0xf1, 0xef, 0x6b, 0xd2, 0x48, 0x95, 0xa3, 0x68, 0xb8, 0x21,
-	0x70, 0x0c, 0xb1, 0x62, 0x5c, 0x46, 0xc9, 0x67, 0x1c, 0x5d, 0xd1, 0xa1, 0x34, 0x49, 0xbb, 0x13,
-	0xed, 0x2d, 0xb9, 0x81, 0xe8, 0x71, 0x26, 0xcd, 0x65, 0x81, 0x93, 0xa6, 0x29, 0x21, 0x58, 0xd1,
-	0x41, 0xbb, 0x30, 0xb3, 0xc5, 0x62, 0x4b, 0x69, 0x59, 0xe1, 0x05, 0x07, 0xca, 0xe4, 0x10, 0xd7,
-	0x17, 0x97, 0xf3, 0x53, 0xc8, 0xf3, 0x6b, 0x66, 0x0a, 0x05, 0xa7, 0x9b, 0xa0, 0x5b, 0xe3, 0xa4,
-	0xf3, 0x20, 0x5c, 0x6e, 0x39, 0x61, 0xe4, 0x36, 0x16, 0x5a, 0x7e, 0x63, 0xa7, 0x1e, 0xf9, 0x81,
-	0xcc, 0x2a, 0x9a, 0x79, 0xcb, 0x9b, 0xbf, 0x57, 0x4f, 0xe1, 0x1b, 0xcd, 0xb3, 0xec, 0xb6, 0x59,
-	0x58, 0x38, 0xb3, 0x2d, 0xb4, 0x0e, 0xc3, 0x5b, 0x6e, 0x84, 0x49, 0xc7, 0x17, 0x7c, 0x29, 0x93,
-	0xe9, 0x5e, 0xe7, 0x28, 0x46, 0x4b, 0x2c, 0xf6, 0x95, 0x00, 0x60, 0x49, 0x04, 0xbd, 0xaf, 0x8e,
-	0x9b, 0xa1, 0x7c, 0x55, 0x6f, 0xda, 0xcb, 0x2f, 0xf3, 0xc0, 0x79, 0x17, 0xca, 0xde, 0x66, 0x58,
-	0x14, 0xf5, 0x67, 0x7d, 0xc5, 0xd0, 0xd4, 0x2d, 0x0c, 0xd3, 0x4b, 0xf8, 0xfa, 0x4a, 0x1d, 0xd3,
-	0x8a, 0xec, 0x81, 0x6d, 0xd8, 0x08, 0x5d, 0x91, 0xbc, 0x2b, 0xf3, 0xbd, 0xf1, 0x6a, 0x7d, 0xb1,
-	0xbe, 0x6a, 0xd0, 0x60, 0xf1, 0x13, 0x59, 0x31, 0xe6, 0xd5, 0xd1, 0x5d, 0x18, 0xdd, 0xe2, 0x2c,
-	0x76, 0x93, 0x87, 0xb5, 0xcd, 0x39, 0xf6, 0xae, 0x4b, 0x24, 0x83, 0x1e, 0x3b, 0x9c, 0x14, 0x08,
-	0xc7, 0xa4, 0xd0, 0x77, 0x2c, 0x38, 0xd5, 0x49, 0xe8, 0x6a, 0xd9, 0xb3, 0x38, 0xe1, 0x10, 0x97,
-	0xf9, 0xd4, 0xa0, 0x96, 0x55, 0xc1, 0x68, 0x90, 0x19, 0x7a, 0x32, 0xd1, 0x70, 0x76, 0x73, 0x74,
-	0xa0, 0x83, 0xfb, 0xcd, 0xa2, 0x7c, 0x4f, 0x89, 0x10, 0x48, 0x7c, 0xa0, 0xf1, 0xc2, 0x12, 0xa6,
-	0x15, 0xd1, 0x06, 0xc0, 0x66, 0x8b, 0x88, 0xd8, 0x92, 0xc2, 0xfd, 0x2a, 0x53, 0xce, 0x58, 0x51,
-	0x58, 0x82, 0x0e, 0xbb, 0xf3, 0xc6, 0xa5, 0x58, 0xa3, 0x43, 0x97, 0x52, 0xc3, 0xf5, 0x9a, 0x24,
-	0x60, 0x66, 0xb4, 0x9c, 0xa5, 0xb4, 0xc8, 0x30, 0xd2, 0x4b, 0x89, 0x97, 0x63, 0x41, 0x81, 0xd1,
-	0x22, 0x9d, 0xed, 0xcd, 0xb0, 0x28, 0xb3, 0xc8, 0x22, 0xe9, 0x6c, 0x27, 0x16, 0x14, 0xa7, 0xc5,
-	0xca, 0xb1, 0xa0, 0x40, 0xb7, 0xcc, 0x26, 0xdd, 0x40, 0x24, 0xa8, 0x4c, 0xe5, 0x6f, 0x99, 0x15,
-	0x8e, 0x92, 0xde, 0x32, 0x02, 0x80, 0x25, 0x11, 0xf4, 0x0d, 0x53, 0xae, 0x9a, 0x66, 0x34, 0x5f,
-	0xee, 0x21, 0x57, 0x19, 0x74, 0x8b, 0x25, 0xab, 0xb7, 0xa0, 0xb4, 0xd9, 0x60, 0xe6, 0xb7, 0x1c,
-	0xeb, 0xc4, 0xca, 0xa2, 0x41, 0x8d, 0x45, 0xea, 0x5f, 0x59, 0xc4, 0xa5, 0xcd, 0x06, 0x5d, 0xfa,
-	0xce, 0xa3, 0x6e, 0x40, 0x56, 0xdc, 0x16, 0x11, 0xa1, 0x83, 0x33, 0x97, 0xfe, 0xbc, 0x44, 0x4a,
-	0x2f, 0x7d, 0x05, 0xc2, 0x31, 0x29, 0x4a, 0x37, 0x96, 0xf6, 0x4e, 0xe4, 0xd3, 0x55, 0x42, 0x5d,
-	0x9a, 0x6e, 0xa6, 0xbc, 0xb7, 0x03, 0x13, 0xbb, 0x61, 0x67, 0x9b, 0x48, 0xae, 0xc8, 0x0c, 0x83,
-	0x39, 0x31, 0x31, 0xee, 0x0a, 0x44, 0x37, 0x88, 0xba, 0x4e, 0x2b, 0xc5, 0xc8, 0x99, 0x12, 0xe7,
-	0xae, 0x4e, 0x0c, 0x9b, 0xb4, 0xe9, 0x42, 0xf8, 0x88, 0x07, 0xae, 0x63, 0x26, 0xc2, 0x9c, 0x85,
-	0x90, 0x11, 0xdb, 0x8e, 0x2f, 0x04, 0x01, 0xc0, 0x92, 0x88, 0x1a, 0x6c, 0x76, 0x00, 0x9d, 0xee,
-	0x31, 0xd8, 0xa9, 0xfe, 0xc6, 0x83, 0xcd, 0x0e, 0x9c, 0x98, 0x14, 0x3b, 0x68, 0x3a, 0xdb, 0x7e,
-	0xe4, 0x7b, 0x89, 0x43, 0xee, 0x4c, 0xfe, 0x41, 0x53, 0xcb, 0xc0, 0x4f, 0x1f, 0x34, 0x59, 0x58,
-	0x38, 0xb3, 0x2d, 0xfa, 0x71, 0x1d, 0x19, 0x83, 0x50, 0x64, 0x42, 0x79, 0x29, 0x27, 0x84, 0x67,
-	0x3a, 0x50, 0x21, 0xff, 0x38, 0x05, 0xc2, 0x31, 0x29, 0xd4, 0xa4, 0x92, 0xae, 0x1e, 0xdb, 0x96,
-	0x65, 0x74, 0xc9, 0x91, 0x0b, 0xb2, 0xa2, 0xe0, 0x4a, 0x29, 0x57, 0x87, 0xe0, 0x04, 0x4d, 0xe6,
-	0x23, 0xc8, 0x1f, 0x15, 0xb2, 0x84, 0x2f, 0x39, 0x53, 0x9d, 0xf1, 0xee, 0x90, 0x4f, 0xb5, 0x00,
-	0x60, 0x49, 0x84, 0x8e, 0x86, 0x78, 0x0a, 0xe7, 0x87, 0x2c, 0x6f, 0x52, 0x9e, 0x29, 0x3f, 0xcb,
-	0x20, 0x25, 0x03, 0xcd, 0x0b, 0x10, 0x8e, 0x49, 0x51, 0x4e, 0x4e, 0x0f, 0xbc, 0x73, 0xf9, 0x9c,
-	0x3c, 0x79, 0xdc, 0x31, 0x4e, 0x4e, 0x0f, 0xbb, 0xb2, 0x38, 0xea, 0x54, 0x5c, 0x74, 0x96, 0xf3,
-	0x25, 0xa7, 0x5f, 0x2a, 0xb0, 0x7a, 0xba, 0x5f, 0x0a, 0x84, 0x63, 0x52, 0xec, 0x28, 0x66, 0x41,
-	0xf0, 0x2e, 0x14, 0x1c, 0xc5, 0x14, 0x21, 0xe3, 0x28, 0xd6, 0x82, 0xe4, 0xd9, 0x7f, 0xb9, 0x04,
-	0x17, 0x8a, 0xf7, 0x6d, 0x6c, 0xad, 0xab, 0xc5, 0xde, 0x51, 0x09, 0x6b, 0x1d, 0xd7, 0x1d, 0xc5,
-	0x58, 0x7d, 0x87, 0x36, 0xbe, 0x0e, 0x33, 0xea, 0xe1, 0x63, 0xcb, 0x6d, 0xec, 0x69, 0x89, 0x5e,
-	0x55, 0x10, 0xa0, 0x7a, 0x12, 0x01, 0xa7, 0xeb, 0xa0, 0x79, 0x98, 0x32, 0x0a, 0x57, 0x97, 0x84,
-	0xa2, 0x21, 0xce, 0x56, 0x62, 0x82, 0x71, 0x12, 0xdf, 0xfe, 0x45, 0x0b, 0xce, 0xf0, 0x40, 0xbc,
-	0xa4, 0x59, 0xf3, 0x9b, 0x52, 0xa3, 0x70, 0xa4, 0xc8, 0xbd, 0x9b, 0x30, 0xd5, 0x31, 0xab, 0xf6,
-	0x08, 0x36, 0xae, 0xa3, 0xc6, 0x7d, 0x4d, 0x00, 0x70, 0x92, 0xa8, 0xfd, 0xf3, 0x25, 0x38, 0x5f,
-	0xe8, 0xc9, 0x8f, 0x30, 0x9c, 0xde, 0x6a, 0x87, 0xce, 0x62, 0x40, 0x9a, 0xc4, 0x8b, 0x5c, 0xa7,
-	0x55, 0xef, 0x90, 0x86, 0x66, 0x6f, 0x65, 0x2e, 0xf1, 0xd7, 0xd7, 0xea, 0xf3, 0x69, 0x0c, 0x9c,
-	0x53, 0x13, 0xad, 0x00, 0x4a, 0x43, 0xc4, 0x0c, 0xb3, 0xcb, 0x74, 0x9a, 0x1e, 0xce, 0xa8, 0x81,
-	0xbe, 0x00, 0x13, 0xea, 0x85, 0x80, 0x36, 0xe3, 0xec, 0x80, 0xc0, 0x3a, 0x00, 0x9b, 0x78, 0xe8,
-	0x2a, 0x4f, 0x63, 0x25, 0x12, 0x9e, 0x09, 0xe3, 0xec, 0x94, 0xcc, 0x51, 0x25, 0x8a, 0xb1, 0x8e,
-	0xb3, 0x70, 0xed, 0x77, 0xfe, 0xf0, 0xc2, 0x67, 0x7e, 0xf7, 0x0f, 0x2f, 0x7c, 0xe6, 0x0f, 0xfe,
-	0xf0, 0xc2, 0x67, 0x7e, 0xfc, 0xe0, 0x82, 0xf5, 0x3b, 0x07, 0x17, 0xac, 0xdf, 0x3d, 0xb8, 0x60,
-	0xfd, 0xc1, 0xc1, 0x05, 0xeb, 0x7f, 0x3b, 0xb8, 0x60, 0x7d, 0xef, 0x7f, 0xbf, 0xf0, 0x99, 0xaf,
-	0xa2, 0x38, 0x16, 0xf6, 0x15, 0x3a, 0x3b, 0x57, 0x76, 0xaf, 0xfe, 0x87, 0x00, 0x00, 0x00, 0xff,
-	0xff, 0xba, 0xfb, 0xfc, 0xdd, 0x18, 0x2e, 0x01, 0x00,
-}
+func (m *VolumeMountStatus) Reset() { *m = VolumeMountStatus{} }
+
+func (m *VolumeNodeAffinity) Reset() { *m = VolumeNodeAffinity{} }
+
+func (m *VolumeProjection) Reset() { *m = VolumeProjection{} }
+
+func (m *VolumeResourceRequirements) Reset() { *m = VolumeResourceRequirements{} }
+
+func (m *VolumeSource) Reset() { *m = VolumeSource{} }
+
+func (m *VsphereVirtualDiskVolumeSource) Reset() { *m = VsphereVirtualDiskVolumeSource{} }
+
+func (m *WeightedPodAffinityTerm) Reset() { *m = WeightedPodAffinityTerm{} }
+
+func (m *WindowsSecurityContextOptions) Reset() { *m = WindowsSecurityContextOptions{} }
+
+func (m *WorkloadReference) Reset() { *m = WorkloadReference{} }
 
 func (m *AWSElasticBlockStoreVolumeSource) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -8495,7 +1001,7 @@ func (m *CSIPersistentVolumeSource) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		for k := range m.VolumeAttributes {
 			keysForVolumeAttributes = append(keysForVolumeAttributes, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForVolumeAttributes)
+		sort.Strings(keysForVolumeAttributes)
 		for iNdEx := len(keysForVolumeAttributes) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.VolumeAttributes[string(keysForVolumeAttributes[iNdEx])]
 			baseI := i
@@ -8577,7 +1083,7 @@ func (m *CSIVolumeSource) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.VolumeAttributes {
 			keysForVolumeAttributes = append(keysForVolumeAttributes, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForVolumeAttributes)
+		sort.Strings(keysForVolumeAttributes)
 		for iNdEx := len(keysForVolumeAttributes) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.VolumeAttributes[string(keysForVolumeAttributes[iNdEx])]
 			baseI := i
@@ -9166,7 +1672,7 @@ func (m *ConfigMap) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.BinaryData {
 			keysForBinaryData = append(keysForBinaryData, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForBinaryData)
+		sort.Strings(keysForBinaryData)
 		for iNdEx := len(keysForBinaryData) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.BinaryData[string(keysForBinaryData[iNdEx])]
 			baseI := i
@@ -9192,7 +1698,7 @@ func (m *ConfigMap) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Data {
 			keysForData = append(keysForData, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+		sort.Strings(keysForData)
 		for iNdEx := len(keysForData) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Data[string(keysForData[iNdEx])]
 			baseI := i
@@ -10317,7 +2823,7 @@ func (m *ContainerStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.AllocatedResources {
 			keysForAllocatedResources = append(keysForAllocatedResources, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResources)
+		sort.Strings(keysForAllocatedResources)
 		for iNdEx := len(keysForAllocatedResources) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AllocatedResources[ResourceName(keysForAllocatedResources[iNdEx])]
 			baseI := i
@@ -11859,7 +4365,7 @@ func (m *FlexPersistentVolumeSource) MarshalToSizedBuffer(dAtA []byte) (int, err
 		for k := range m.Options {
 			keysForOptions = append(keysForOptions, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+		sort.Strings(keysForOptions)
 		for iNdEx := len(keysForOptions) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Options[string(keysForOptions[iNdEx])]
 			baseI := i
@@ -11936,7 +4442,7 @@ func (m *FlexVolumeSource) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Options {
 			keysForOptions = append(keysForOptions, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+		sort.Strings(keysForOptions)
 		for iNdEx := len(keysForOptions) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Options[string(keysForOptions[iNdEx])]
 			baseI := i
@@ -12880,7 +5386,7 @@ func (m *LimitRangeItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.MaxLimitRequestRatio {
 			keysForMaxLimitRequestRatio = append(keysForMaxLimitRequestRatio, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForMaxLimitRequestRatio)
+		sort.Strings(keysForMaxLimitRequestRatio)
 		for iNdEx := len(keysForMaxLimitRequestRatio) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.MaxLimitRequestRatio[ResourceName(keysForMaxLimitRequestRatio[iNdEx])]
 			baseI := i
@@ -12909,7 +5415,7 @@ func (m *LimitRangeItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.DefaultRequest {
 			keysForDefaultRequest = append(keysForDefaultRequest, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDefaultRequest)
+		sort.Strings(keysForDefaultRequest)
 		for iNdEx := len(keysForDefaultRequest) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.DefaultRequest[ResourceName(keysForDefaultRequest[iNdEx])]
 			baseI := i
@@ -12938,7 +5444,7 @@ func (m *LimitRangeItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Default {
 			keysForDefault = append(keysForDefault, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDefault)
+		sort.Strings(keysForDefault)
 		for iNdEx := len(keysForDefault) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Default[ResourceName(keysForDefault[iNdEx])]
 			baseI := i
@@ -12967,7 +5473,7 @@ func (m *LimitRangeItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Min {
 			keysForMin = append(keysForMin, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForMin)
+		sort.Strings(keysForMin)
 		for iNdEx := len(keysForMin) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Min[ResourceName(keysForMin[iNdEx])]
 			baseI := i
@@ -12996,7 +5502,7 @@ func (m *LimitRangeItem) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Max {
 			keysForMax = append(keysForMax, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForMax)
+		sort.Strings(keysForMax)
 		for iNdEx := len(keysForMax) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Max[ResourceName(keysForMax[iNdEx])]
 			baseI := i
@@ -14402,6 +6908,15 @@ func (m *NodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.DeclaredFeatures) > 0 {
+		for iNdEx := len(m.DeclaredFeatures) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.DeclaredFeatures[iNdEx])
+			copy(dAtA[i:], m.DeclaredFeatures[iNdEx])
+			i = encodeVarintGenerated(dAtA, i, uint64(len(m.DeclaredFeatures[iNdEx])))
+			i--
+			dAtA[i] = 0x72
+		}
+	}
 	if m.Features != nil {
 		{
 			size, err := m.Features.MarshalToSizedBuffer(dAtA[:i])
@@ -14535,7 +7050,7 @@ func (m *NodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Allocatable {
 			keysForAllocatable = append(keysForAllocatable, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatable)
+		sort.Strings(keysForAllocatable)
 		for iNdEx := len(keysForAllocatable) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Allocatable[ResourceName(keysForAllocatable[iNdEx])]
 			baseI := i
@@ -14564,7 +7079,7 @@ func (m *NodeStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[ResourceName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -15159,7 +7674,7 @@ func (m *PersistentVolumeClaimStatus) MarshalToSizedBuffer(dAtA []byte) (int, er
 		for k := range m.AllocatedResourceStatuses {
 			keysForAllocatedResourceStatuses = append(keysForAllocatedResourceStatuses, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResourceStatuses)
+		sort.Strings(keysForAllocatedResourceStatuses)
 		for iNdEx := len(keysForAllocatedResourceStatuses) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AllocatedResourceStatuses[ResourceName(keysForAllocatedResourceStatuses[iNdEx])]
 			baseI := i
@@ -15183,7 +7698,7 @@ func (m *PersistentVolumeClaimStatus) MarshalToSizedBuffer(dAtA []byte) (int, er
 		for k := range m.AllocatedResources {
 			keysForAllocatedResources = append(keysForAllocatedResources, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResources)
+		sort.Strings(keysForAllocatedResources)
 		for iNdEx := len(keysForAllocatedResources) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AllocatedResources[ResourceName(keysForAllocatedResources[iNdEx])]
 			baseI := i
@@ -15226,7 +7741,7 @@ func (m *PersistentVolumeClaimStatus) MarshalToSizedBuffer(dAtA []byte) (int, er
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[ResourceName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -15795,7 +8310,7 @@ func (m *PersistentVolumeSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[ResourceName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -16219,6 +8734,30 @@ func (m *PodCertificateProjection) MarshalToSizedBuffer(dAtA []byte) (int, error
 	_ = i
 	var l int
 	_ = l
+	if len(m.UserAnnotations) > 0 {
+		keysForUserAnnotations := make([]string, 0, len(m.UserAnnotations))
+		for k := range m.UserAnnotations {
+			keysForUserAnnotations = append(keysForUserAnnotations, string(k))
+		}
+		sort.Strings(keysForUserAnnotations)
+		for iNdEx := len(keysForUserAnnotations) - 1; iNdEx >= 0; iNdEx-- {
+			v := m.UserAnnotations[string(keysForUserAnnotations[iNdEx])]
+			baseI := i
+			i -= len(v)
+			copy(dAtA[i:], v)
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i--
+			dAtA[i] = 0x12
+			i -= len(keysForUserAnnotations[iNdEx])
+			copy(dAtA[i:], keysForUserAnnotations[iNdEx])
+			i = encodeVarintGenerated(dAtA, i, uint64(len(keysForUserAnnotations[iNdEx])))
+			i--
+			dAtA[i] = 0xa
+			i = encodeVarintGenerated(dAtA, i, uint64(baseI-i))
+			i--
+			dAtA[i] = 0x3a
+		}
+	}
 	i -= len(m.CertificateChainPath)
 	copy(dAtA[i:], m.CertificateChainPath)
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CertificateChainPath)))
@@ -17100,6 +9639,20 @@ func (m *PodSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.WorkloadRef != nil {
+		{
+			size, err := m.WorkloadRef.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x2
+		i--
+		dAtA[i] = 0xd2
+	}
 	if m.HostnameOverride != nil {
 		i -= len(*m.HostnameOverride)
 		copy(dAtA[i:], *m.HostnameOverride)
@@ -17230,7 +9783,7 @@ func (m *PodSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Overhead {
 			keysForOverhead = append(keysForOverhead, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForOverhead)
+		sort.Strings(keysForOverhead)
 		for iNdEx := len(keysForOverhead) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Overhead[ResourceName(keysForOverhead[iNdEx])]
 			baseI := i
@@ -17507,7 +10060,7 @@ func (m *PodSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -17597,6 +10150,51 @@ func (m *PodStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.Resources != nil {
+		{
+			size, err := m.Resources.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xa2
+	}
+	if len(m.AllocatedResources) > 0 {
+		keysForAllocatedResources := make([]string, 0, len(m.AllocatedResources))
+		for k := range m.AllocatedResources {
+			keysForAllocatedResources = append(keysForAllocatedResources, string(k))
+		}
+		sort.Strings(keysForAllocatedResources)
+		for iNdEx := len(keysForAllocatedResources) - 1; iNdEx >= 0; iNdEx-- {
+			v := m.AllocatedResources[ResourceName(keysForAllocatedResources[iNdEx])]
+			baseI := i
+			{
+				size, err := (&v).MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+			i -= len(keysForAllocatedResources[iNdEx])
+			copy(dAtA[i:], keysForAllocatedResources[iNdEx])
+			i = encodeVarintGenerated(dAtA, i, uint64(len(keysForAllocatedResources[iNdEx])))
+			i--
+			dAtA[i] = 0xa
+			i = encodeVarintGenerated(dAtA, i, uint64(baseI-i))
+			i--
+			dAtA[i] = 0x1
+			i--
+			dAtA[i] = 0x9a
+		}
+	}
 	if m.ExtendedResourceClaimStatus != nil {
 		{
 			size, err := m.ExtendedResourceClaimStatus.MarshalToSizedBuffer(dAtA[:i])
@@ -18759,7 +11357,7 @@ func (m *ReplicationControllerSpec) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -19093,7 +11691,7 @@ func (m *ResourceQuotaSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Hard {
 			keysForHard = append(keysForHard, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+		sort.Strings(keysForHard)
 		for iNdEx := len(keysForHard) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Hard[ResourceName(keysForHard[iNdEx])]
 			baseI := i
@@ -19145,7 +11743,7 @@ func (m *ResourceQuotaStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Used {
 			keysForUsed = append(keysForUsed, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUsed)
+		sort.Strings(keysForUsed)
 		for iNdEx := len(keysForUsed) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Used[ResourceName(keysForUsed[iNdEx])]
 			baseI := i
@@ -19174,7 +11772,7 @@ func (m *ResourceQuotaStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Hard {
 			keysForHard = append(keysForHard, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+		sort.Strings(keysForHard)
 		for iNdEx := len(keysForHard) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Hard[ResourceName(keysForHard[iNdEx])]
 			baseI := i
@@ -19240,7 +11838,7 @@ func (m *ResourceRequirements) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Requests {
 			keysForRequests = append(keysForRequests, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		sort.Strings(keysForRequests)
 		for iNdEx := len(keysForRequests) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Requests[ResourceName(keysForRequests[iNdEx])]
 			baseI := i
@@ -19269,7 +11867,7 @@ func (m *ResourceRequirements) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Limits {
 			keysForLimits = append(keysForLimits, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+		sort.Strings(keysForLimits)
 		for iNdEx := len(keysForLimits) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Limits[ResourceName(keysForLimits[iNdEx])]
 			baseI := i
@@ -19702,7 +12300,7 @@ func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.StringData {
 			keysForStringData = append(keysForStringData, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForStringData)
+		sort.Strings(keysForStringData)
 		for iNdEx := len(keysForStringData) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.StringData[string(keysForStringData[iNdEx])]
 			baseI := i
@@ -19731,7 +12329,7 @@ func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Data {
 			keysForData = append(keysForData, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+		sort.Strings(keysForData)
 		for iNdEx := len(keysForData) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Data[string(keysForData[iNdEx])]
 			baseI := i
@@ -20729,7 +13327,7 @@ func (m *ServiceSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -21734,7 +14332,7 @@ func (m *VolumeResourceRequirements) MarshalToSizedBuffer(dAtA []byte) (int, err
 		for k := range m.Requests {
 			keysForRequests = append(keysForRequests, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		sort.Strings(keysForRequests)
 		for iNdEx := len(keysForRequests) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Requests[ResourceName(keysForRequests[iNdEx])]
 			baseI := i
@@ -21763,7 +14361,7 @@ func (m *VolumeResourceRequirements) MarshalToSizedBuffer(dAtA []byte) (int, err
 		for k := range m.Limits {
 			keysForLimits = append(keysForLimits, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+		sort.Strings(keysForLimits)
 		for iNdEx := len(keysForLimits) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Limits[ResourceName(keysForLimits[iNdEx])]
 			baseI := i
@@ -22336,6 +14934,44 @@ func (m *WindowsSecurityContextOptions) MarshalToSizedBuffer(dAtA []byte) (int,
 	return len(dAtA) - i, nil
 }
 
+func (m *WorkloadReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkloadReference) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *WorkloadReference) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i -= len(m.PodGroupReplicaKey)
+	copy(dAtA[i:], m.PodGroupReplicaKey)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodGroupReplicaKey)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.PodGroup)
+	copy(dAtA[i:], m.PodGroup)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodGroup)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.Name)
+	copy(dAtA[i:], m.Name)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
 	offset -= sovGenerated(v)
 	base := offset
@@ -24786,6 +17422,12 @@ func (m *NodeStatus) Size() (n int) {
 		l = m.Features.Size()
 		n += 1 + l + sovGenerated(uint64(l))
 	}
+	if len(m.DeclaredFeatures) > 0 {
+		for _, s := range m.DeclaredFeatures {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -25389,6 +18031,14 @@ func (m *PodCertificateProjection) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = len(m.CertificateChainPath)
 	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.UserAnnotations) > 0 {
+		for k, v := range m.UserAnnotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
 	return n
 }
 
@@ -25885,6 +18535,10 @@ func (m *PodSpec) Size() (n int) {
 		l = len(*m.HostnameOverride)
 		n += 2 + l + sovGenerated(uint64(l))
 	}
+	if m.WorkloadRef != nil {
+		l = m.WorkloadRef.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -25961,6 +18615,19 @@ func (m *PodStatus) Size() (n int) {
 		l = m.ExtendedResourceClaimStatus.Size()
 		n += 2 + l + sovGenerated(uint64(l))
 	}
+	if len(m.AllocatedResources) > 0 {
+		for k, v := range m.AllocatedResources {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 2 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if m.Resources != nil {
+		l = m.Resources.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -27632,6 +20299,21 @@ func (m *WindowsSecurityContextOptions) Size() (n int) {
 	return n
 }
 
+func (m *WorkloadReference) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodGroupReplicaKey)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
 func sovGenerated(x uint64) (n int) {
 	return (math_bits.Len64(x|1) + 6) / 7
 }
@@ -27759,7 +20441,7 @@ func (this *CSIPersistentVolumeSource) String() string {
 	for k := range this.VolumeAttributes {
 		keysForVolumeAttributes = append(keysForVolumeAttributes, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForVolumeAttributes)
+	sort.Strings(keysForVolumeAttributes)
 	mapStringForVolumeAttributes := "map[string]string{"
 	for _, k := range keysForVolumeAttributes {
 		mapStringForVolumeAttributes += fmt.Sprintf("%v: %v,", k, this.VolumeAttributes[k])
@@ -27788,7 +20470,7 @@ func (this *CSIVolumeSource) String() string {
 	for k := range this.VolumeAttributes {
 		keysForVolumeAttributes = append(keysForVolumeAttributes, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForVolumeAttributes)
+	sort.Strings(keysForVolumeAttributes)
 	mapStringForVolumeAttributes := "map[string]string{"
 	for _, k := range keysForVolumeAttributes {
 		mapStringForVolumeAttributes += fmt.Sprintf("%v: %v,", k, this.VolumeAttributes[k])
@@ -27948,7 +20630,7 @@ func (this *ConfigMap) String() string {
 	for k := range this.Data {
 		keysForData = append(keysForData, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+	sort.Strings(keysForData)
 	mapStringForData := "map[string]string{"
 	for _, k := range keysForData {
 		mapStringForData += fmt.Sprintf("%v: %v,", k, this.Data[k])
@@ -27958,7 +20640,7 @@ func (this *ConfigMap) String() string {
 	for k := range this.BinaryData {
 		keysForBinaryData = append(keysForBinaryData, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForBinaryData)
+	sort.Strings(keysForBinaryData)
 	mapStringForBinaryData := "map[string][]byte{"
 	for _, k := range keysForBinaryData {
 		mapStringForBinaryData += fmt.Sprintf("%v: %v,", k, this.BinaryData[k])
@@ -28267,7 +20949,7 @@ func (this *ContainerStatus) String() string {
 	for k := range this.AllocatedResources {
 		keysForAllocatedResources = append(keysForAllocatedResources, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResources)
+	sort.Strings(keysForAllocatedResources)
 	mapStringForAllocatedResources := "ResourceList{"
 	for _, k := range keysForAllocatedResources {
 		mapStringForAllocatedResources += fmt.Sprintf("%v: %v,", k, this.AllocatedResources[ResourceName(k)])
@@ -28688,7 +21370,7 @@ func (this *FlexPersistentVolumeSource) String() string {
 	for k := range this.Options {
 		keysForOptions = append(keysForOptions, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+	sort.Strings(keysForOptions)
 	mapStringForOptions := "map[string]string{"
 	for _, k := range keysForOptions {
 		mapStringForOptions += fmt.Sprintf("%v: %v,", k, this.Options[k])
@@ -28712,7 +21394,7 @@ func (this *FlexVolumeSource) String() string {
 	for k := range this.Options {
 		keysForOptions = append(keysForOptions, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+	sort.Strings(keysForOptions)
 	mapStringForOptions := "map[string]string{"
 	for _, k := range keysForOptions {
 		mapStringForOptions += fmt.Sprintf("%v: %v,", k, this.Options[k])
@@ -28969,7 +21651,7 @@ func (this *LimitRangeItem) String() string {
 	for k := range this.Max {
 		keysForMax = append(keysForMax, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForMax)
+	sort.Strings(keysForMax)
 	mapStringForMax := "ResourceList{"
 	for _, k := range keysForMax {
 		mapStringForMax += fmt.Sprintf("%v: %v,", k, this.Max[ResourceName(k)])
@@ -28979,7 +21661,7 @@ func (this *LimitRangeItem) String() string {
 	for k := range this.Min {
 		keysForMin = append(keysForMin, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForMin)
+	sort.Strings(keysForMin)
 	mapStringForMin := "ResourceList{"
 	for _, k := range keysForMin {
 		mapStringForMin += fmt.Sprintf("%v: %v,", k, this.Min[ResourceName(k)])
@@ -28989,7 +21671,7 @@ func (this *LimitRangeItem) String() string {
 	for k := range this.Default {
 		keysForDefault = append(keysForDefault, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDefault)
+	sort.Strings(keysForDefault)
 	mapStringForDefault := "ResourceList{"
 	for _, k := range keysForDefault {
 		mapStringForDefault += fmt.Sprintf("%v: %v,", k, this.Default[ResourceName(k)])
@@ -28999,7 +21681,7 @@ func (this *LimitRangeItem) String() string {
 	for k := range this.DefaultRequest {
 		keysForDefaultRequest = append(keysForDefaultRequest, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDefaultRequest)
+	sort.Strings(keysForDefaultRequest)
 	mapStringForDefaultRequest := "ResourceList{"
 	for _, k := range keysForDefaultRequest {
 		mapStringForDefaultRequest += fmt.Sprintf("%v: %v,", k, this.DefaultRequest[ResourceName(k)])
@@ -29009,7 +21691,7 @@ func (this *LimitRangeItem) String() string {
 	for k := range this.MaxLimitRequestRatio {
 		keysForMaxLimitRequestRatio = append(keysForMaxLimitRequestRatio, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForMaxLimitRequestRatio)
+	sort.Strings(keysForMaxLimitRequestRatio)
 	mapStringForMaxLimitRequestRatio := "ResourceList{"
 	for _, k := range keysForMaxLimitRequestRatio {
 		mapStringForMaxLimitRequestRatio += fmt.Sprintf("%v: %v,", k, this.MaxLimitRequestRatio[ResourceName(k)])
@@ -29477,7 +22159,7 @@ func (this *NodeStatus) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "ResourceList{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
@@ -29487,7 +22169,7 @@ func (this *NodeStatus) String() string {
 	for k := range this.Allocatable {
 		keysForAllocatable = append(keysForAllocatable, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatable)
+	sort.Strings(keysForAllocatable)
 	mapStringForAllocatable := "ResourceList{"
 	for _, k := range keysForAllocatable {
 		mapStringForAllocatable += fmt.Sprintf("%v: %v,", k, this.Allocatable[ResourceName(k)])
@@ -29507,6 +22189,7 @@ func (this *NodeStatus) String() string {
 		`Config:` + strings.Replace(this.Config.String(), "NodeConfigStatus", "NodeConfigStatus", 1) + `,`,
 		`RuntimeHandlers:` + repeatedStringForRuntimeHandlers + `,`,
 		`Features:` + strings.Replace(this.Features.String(), "NodeFeatures", "NodeFeatures", 1) + `,`,
+		`DeclaredFeatures:` + fmt.Sprintf("%v", this.DeclaredFeatures) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -29654,7 +22337,7 @@ func (this *PersistentVolumeClaimStatus) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "ResourceList{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
@@ -29664,7 +22347,7 @@ func (this *PersistentVolumeClaimStatus) String() string {
 	for k := range this.AllocatedResources {
 		keysForAllocatedResources = append(keysForAllocatedResources, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResources)
+	sort.Strings(keysForAllocatedResources)
 	mapStringForAllocatedResources := "ResourceList{"
 	for _, k := range keysForAllocatedResources {
 		mapStringForAllocatedResources += fmt.Sprintf("%v: %v,", k, this.AllocatedResources[ResourceName(k)])
@@ -29674,7 +22357,7 @@ func (this *PersistentVolumeClaimStatus) String() string {
 	for k := range this.AllocatedResourceStatuses {
 		keysForAllocatedResourceStatuses = append(keysForAllocatedResourceStatuses, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatedResourceStatuses)
+	sort.Strings(keysForAllocatedResourceStatuses)
 	mapStringForAllocatedResourceStatuses := "map[ResourceName]ClaimResourceStatus{"
 	for _, k := range keysForAllocatedResourceStatuses {
 		mapStringForAllocatedResourceStatuses += fmt.Sprintf("%v: %v,", k, this.AllocatedResourceStatuses[ResourceName(k)])
@@ -29770,7 +22453,7 @@ func (this *PersistentVolumeSpec) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "ResourceList{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
@@ -29902,6 +22585,16 @@ func (this *PodCertificateProjection) String() string {
 	if this == nil {
 		return "nil"
 	}
+	keysForUserAnnotations := make([]string, 0, len(this.UserAnnotations))
+	for k := range this.UserAnnotations {
+		keysForUserAnnotations = append(keysForUserAnnotations, k)
+	}
+	sort.Strings(keysForUserAnnotations)
+	mapStringForUserAnnotations := "map[string]string{"
+	for _, k := range keysForUserAnnotations {
+		mapStringForUserAnnotations += fmt.Sprintf("%v: %v,", k, this.UserAnnotations[k])
+	}
+	mapStringForUserAnnotations += "}"
 	s := strings.Join([]string{`&PodCertificateProjection{`,
 		`SignerName:` + fmt.Sprintf("%v", this.SignerName) + `,`,
 		`KeyType:` + fmt.Sprintf("%v", this.KeyType) + `,`,
@@ -29909,6 +22602,7 @@ func (this *PodCertificateProjection) String() string {
 		`CredentialBundlePath:` + fmt.Sprintf("%v", this.CredentialBundlePath) + `,`,
 		`KeyPath:` + fmt.Sprintf("%v", this.KeyPath) + `,`,
 		`CertificateChainPath:` + fmt.Sprintf("%v", this.CertificateChainPath) + `,`,
+		`UserAnnotations:` + mapStringForUserAnnotations + `,`,
 		`}`,
 	}, "")
 	return s
@@ -30206,7 +22900,7 @@ func (this *PodSpec) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
@@ -30216,7 +22910,7 @@ func (this *PodSpec) String() string {
 	for k := range this.Overhead {
 		keysForOverhead = append(keysForOverhead, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForOverhead)
+	sort.Strings(keysForOverhead)
 	mapStringForOverhead := "ResourceList{"
 	for _, k := range keysForOverhead {
 		mapStringForOverhead += fmt.Sprintf("%v: %v,", k, this.Overhead[ResourceName(k)])
@@ -30264,6 +22958,7 @@ func (this *PodSpec) String() string {
 		`ResourceClaims:` + repeatedStringForResourceClaims + `,`,
 		`Resources:` + strings.Replace(this.Resources.String(), "ResourceRequirements", "ResourceRequirements", 1) + `,`,
 		`HostnameOverride:` + valueToStringGenerated(this.HostnameOverride) + `,`,
+		`WorkloadRef:` + strings.Replace(this.WorkloadRef.String(), "WorkloadReference", "WorkloadReference", 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -30307,6 +23002,16 @@ func (this *PodStatus) String() string {
 		repeatedStringForHostIPs += strings.Replace(strings.Replace(f.String(), "HostIP", "HostIP", 1), `&`, ``, 1) + ","
 	}
 	repeatedStringForHostIPs += "}"
+	keysForAllocatedResources := make([]string, 0, len(this.AllocatedResources))
+	for k := range this.AllocatedResources {
+		keysForAllocatedResources = append(keysForAllocatedResources, string(k))
+	}
+	sort.Strings(keysForAllocatedResources)
+	mapStringForAllocatedResources := "ResourceList{"
+	for _, k := range keysForAllocatedResources {
+		mapStringForAllocatedResources += fmt.Sprintf("%v: %v,", k, this.AllocatedResources[ResourceName(k)])
+	}
+	mapStringForAllocatedResources += "}"
 	s := strings.Join([]string{`&PodStatus{`,
 		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
 		`Conditions:` + repeatedStringForConditions + `,`,
@@ -30326,6 +23031,8 @@ func (this *PodStatus) String() string {
 		`HostIPs:` + repeatedStringForHostIPs + `,`,
 		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
 		`ExtendedResourceClaimStatus:` + strings.Replace(this.ExtendedResourceClaimStatus.String(), "PodExtendedResourceClaimStatus", "PodExtendedResourceClaimStatus", 1) + `,`,
+		`AllocatedResources:` + mapStringForAllocatedResources + `,`,
+		`Resources:` + strings.Replace(this.Resources.String(), "ResourceRequirements", "ResourceRequirements", 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -30593,7 +23300,7 @@ func (this *ReplicationControllerSpec) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
@@ -30698,7 +23405,7 @@ func (this *ResourceQuotaSpec) String() string {
 	for k := range this.Hard {
 		keysForHard = append(keysForHard, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+	sort.Strings(keysForHard)
 	mapStringForHard := "ResourceList{"
 	for _, k := range keysForHard {
 		mapStringForHard += fmt.Sprintf("%v: %v,", k, this.Hard[ResourceName(k)])
@@ -30720,7 +23427,7 @@ func (this *ResourceQuotaStatus) String() string {
 	for k := range this.Hard {
 		keysForHard = append(keysForHard, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+	sort.Strings(keysForHard)
 	mapStringForHard := "ResourceList{"
 	for _, k := range keysForHard {
 		mapStringForHard += fmt.Sprintf("%v: %v,", k, this.Hard[ResourceName(k)])
@@ -30730,7 +23437,7 @@ func (this *ResourceQuotaStatus) String() string {
 	for k := range this.Used {
 		keysForUsed = append(keysForUsed, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUsed)
+	sort.Strings(keysForUsed)
 	mapStringForUsed := "ResourceList{"
 	for _, k := range keysForUsed {
 		mapStringForUsed += fmt.Sprintf("%v: %v,", k, this.Used[ResourceName(k)])
@@ -30756,7 +23463,7 @@ func (this *ResourceRequirements) String() string {
 	for k := range this.Limits {
 		keysForLimits = append(keysForLimits, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+	sort.Strings(keysForLimits)
 	mapStringForLimits := "ResourceList{"
 	for _, k := range keysForLimits {
 		mapStringForLimits += fmt.Sprintf("%v: %v,", k, this.Limits[ResourceName(k)])
@@ -30766,7 +23473,7 @@ func (this *ResourceRequirements) String() string {
 	for k := range this.Requests {
 		keysForRequests = append(keysForRequests, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	sort.Strings(keysForRequests)
 	mapStringForRequests := "ResourceList{"
 	for _, k := range keysForRequests {
 		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[ResourceName(k)])
@@ -30893,7 +23600,7 @@ func (this *Secret) String() string {
 	for k := range this.Data {
 		keysForData = append(keysForData, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+	sort.Strings(keysForData)
 	mapStringForData := "map[string][]byte{"
 	for _, k := range keysForData {
 		mapStringForData += fmt.Sprintf("%v: %v,", k, this.Data[k])
@@ -30903,7 +23610,7 @@ func (this *Secret) String() string {
 	for k := range this.StringData {
 		keysForStringData = append(keysForStringData, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForStringData)
+	sort.Strings(keysForStringData)
 	mapStringForStringData := "map[string]string{"
 	for _, k := range keysForStringData {
 		mapStringForStringData += fmt.Sprintf("%v: %v,", k, this.StringData[k])
@@ -31152,7 +23859,7 @@ func (this *ServiceSpec) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
@@ -31448,7 +24155,7 @@ func (this *VolumeResourceRequirements) String() string {
 	for k := range this.Limits {
 		keysForLimits = append(keysForLimits, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+	sort.Strings(keysForLimits)
 	mapStringForLimits := "ResourceList{"
 	for _, k := range keysForLimits {
 		mapStringForLimits += fmt.Sprintf("%v: %v,", k, this.Limits[ResourceName(k)])
@@ -31458,7 +24165,7 @@ func (this *VolumeResourceRequirements) String() string {
 	for k := range this.Requests {
 		keysForRequests = append(keysForRequests, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	sort.Strings(keysForRequests)
 	mapStringForRequests := "ResourceList{"
 	for _, k := range keysForRequests {
 		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[ResourceName(k)])
@@ -31547,6 +24254,18 @@ func (this *WindowsSecurityContextOptions) String() string {
 	}, "")
 	return s
 }
+func (this *WorkloadReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&WorkloadReference{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`PodGroup:` + fmt.Sprintf("%v", this.PodGroup) + `,`,
+		`PodGroupReplicaKey:` + fmt.Sprintf("%v", this.PodGroupReplicaKey) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func valueToStringGenerated(v interface{}) string {
 	rv := reflect.ValueOf(v)
 	if rv.IsNil() {
@@ -52070,14 +44789,214 @@ func (m *NodeStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Conditions = append(m.Conditions, NodeCondition{})
-			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.Conditions = append(m.Conditions, NodeCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Addresses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Addresses = append(m.Addresses, NodeAddress{})
+			if err := m.Addresses[len(m.Addresses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DaemonEndpoints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.DaemonEndpoints.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeInfo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.NodeInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Images", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Images = append(m.Images, ContainerImage{})
+			if err := m.Images[len(m.Images)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumesInUse", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumesInUse = append(m.VolumesInUse, UniqueVolumeName(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumesAttached", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumesAttached = append(m.VolumesAttached, AttachedVolume{})
+			if err := m.VolumesAttached[len(m.VolumesAttached)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 5:
+		case 11:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Addresses", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Config", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -52104,47 +45023,16 @@ func (m *NodeStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Addresses = append(m.Addresses, NodeAddress{})
-			if err := m.Addresses[len(m.Addresses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 6:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field DaemonEndpoints", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
+			if m.Config == nil {
+				m.Config = &NodeConfigStatus{}
 			}
-			if err := m.DaemonEndpoints.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.Config.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 7:
+		case 12:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field NodeInfo", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field RuntimeHandlers", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -52171,13 +45059,14 @@ func (m *NodeStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.NodeInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			m.RuntimeHandlers = append(m.RuntimeHandlers, NodeRuntimeHandler{})
+			if err := m.RuntimeHandlers[len(m.RuntimeHandlers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 8:
+		case 13:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Images", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Features", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -52204,14 +45093,16 @@ func (m *NodeStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Images = append(m.Images, ContainerImage{})
-			if err := m.Images[len(m.Images)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if m.Features == nil {
+				m.Features = &NodeFeatures{}
+			}
+			if err := m.Features.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
-		case 9:
+		case 14:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field VolumesInUse", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field DeclaredFeatures", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -52239,147 +45130,7 @@ func (m *NodeStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.VolumesInUse = append(m.VolumesInUse, UniqueVolumeName(dAtA[iNdEx:postIndex]))
-			iNdEx = postIndex
-		case 10:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field VolumesAttached", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.VolumesAttached = append(m.VolumesAttached, AttachedVolume{})
-			if err := m.VolumesAttached[len(m.VolumesAttached)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 11:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Config", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Config == nil {
-				m.Config = &NodeConfigStatus{}
-			}
-			if err := m.Config.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 12:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field RuntimeHandlers", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.RuntimeHandlers = append(m.RuntimeHandlers, NodeRuntimeHandler{})
-			if err := m.RuntimeHandlers[len(m.RuntimeHandlers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 13:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Features", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Features == nil {
-				m.Features = &NodeFeatures{}
-			}
-			if err := m.Features.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.DeclaredFeatures = append(m.DeclaredFeatures, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -57720,31 +50471,63 @@ func (m *PodCertificateProjection) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.KeyType = string(dAtA[iNdEx:postIndex])
+			m.KeyType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxExpirationSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.MaxExpirationSeconds = &v
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CredentialBundlePath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CredentialBundlePath = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 3:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field MaxExpirationSeconds", wireType)
-			}
-			var v int32
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				v |= int32(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			m.MaxExpirationSeconds = &v
-		case 4:
+		case 5:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field CredentialBundlePath", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field KeyPath", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -57772,11 +50555,11 @@ func (m *PodCertificateProjection) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.CredentialBundlePath = string(dAtA[iNdEx:postIndex])
+			m.KeyPath = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 5:
+		case 6:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field KeyPath", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field CertificateChainPath", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
@@ -57804,13 +50587,13 @@ func (m *PodCertificateProjection) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.KeyPath = string(dAtA[iNdEx:postIndex])
+			m.CertificateChainPath = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
-		case 6:
+		case 7:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field CertificateChainPath", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field UserAnnotations", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -57820,23 +50603,118 @@ func (m *PodCertificateProjection) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.CertificateChainPath = string(dAtA[iNdEx:postIndex])
+			if m.UserAnnotations == nil {
+				m.UserAnnotations = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= uint64(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGenerated(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if (skippy < 0) || (iNdEx+skippy) < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.UserAnnotations[mapkey] = mapvalue
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -61923,6 +54801,42 @@ func (m *PodSpec) Unmarshal(dAtA []byte) error {
 			s := string(dAtA[iNdEx:postIndex])
 			m.HostnameOverride = &s
 			iNdEx = postIndex
+		case 42:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WorkloadRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.WorkloadRef == nil {
+				m.WorkloadRef = &WorkloadReference{}
+			}
+			if err := m.WorkloadRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -62498,33 +55412,198 @@ func (m *PodStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.HostIPs = append(m.HostIPs, HostIP{})
-			if err := m.HostIPs[len(m.HostIPs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 17:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			m.HostIPs = append(m.HostIPs, HostIP{})
+			if err := m.HostIPs[len(m.HostIPs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 17:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 18:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExtendedResourceClaimStatus", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExtendedResourceClaimStatus == nil {
+				m.ExtendedResourceClaimStatus = &PodExtendedResourceClaimStatus{}
+			}
+			if err := m.ExtendedResourceClaimStatus.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllocatedResources", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AllocatedResources == nil {
+				m.AllocatedResources = make(ResourceList)
 			}
-			m.ObservedGeneration = 0
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
+			var mapkey ResourceName
+			mapvalue := &resource.Quantity{}
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= uint64(b&0x7F) << shift
+					if b < 0x80 {
+						break
+					}
 				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				m.ObservedGeneration |= int64(b&0x7F) << shift
-				if b < 0x80 {
-					break
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= uint64(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= int(b&0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if postmsgIndex < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &resource.Quantity{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGenerated(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if (skippy < 0) || (iNdEx+skippy) < 0 {
+						return ErrInvalidLengthGenerated
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
 				}
 			}
-		case 18:
+			m.AllocatedResources[ResourceName(mapkey)] = *mapvalue
+			iNdEx = postIndex
+		case 20:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ExtendedResourceClaimStatus", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
 			}
 			var msglen int
 			for shift := uint(0); ; shift += 7 {
@@ -62551,10 +55630,10 @@ func (m *PodStatus) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if m.ExtendedResourceClaimStatus == nil {
-				m.ExtendedResourceClaimStatus = &PodExtendedResourceClaimStatus{}
+			if m.Resources == nil {
+				m.Resources = &ResourceRequirements{}
 			}
-			if err := m.ExtendedResourceClaimStatus.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+			if err := m.Resources.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
 			iNdEx = postIndex
@@ -77305,6 +70384,152 @@ func (m *WindowsSecurityContextOptions) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *WorkloadReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkloadReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkloadReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodGroupReplicaKey", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodGroupReplicaKey = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipGenerated(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/staging/src/k8s.io/api/core/v1/generated.proto b/staging/src/k8s.io/api/core/v1/generated.proto
index fb26953147d90..570b4d3438928 100644
--- a/staging/src/k8s.io/api/core/v1/generated.proto
+++ b/staging/src/k8s.io/api/core/v1/generated.proto
@@ -762,6 +762,7 @@ message Container {
   optional ResourceRequirements resources = 8;
 
   // Resources resize policy for the container.
+  // This field cannot be set on ephemeral containers.
   // +featureGate=InPlacePodVerticalScaling
   // +optional
   // +listType=atomic
@@ -782,7 +783,6 @@ message Container {
   // container. Instead, the next init container starts immediately after this
   // init container is started, or after any startupProbe has successfully
   // completed.
-  // +featureGate=SidecarContainers
   // +optional
   optional string restartPolicy = 24;
 
@@ -1148,7 +1148,6 @@ message ContainerStatus {
   // +patchStrategy=merge
   // +listType=map
   // +listMapKey=mountPath
-  // +featureGate=RecursiveReadOnlyMounts
   repeated VolumeMountStatus volumeMounts = 12;
 
   // User represents user identity information initially attached to the first process of the container
@@ -1582,7 +1581,6 @@ message EphemeralContainerCommon {
   // Restart policy for the container to manage the restart behavior of each
   // container within a pod.
   // You cannot set this field on ephemeral containers.
-  // +featureGate=SidecarContainers
   // +optional
   optional string restartPolicy = 24;
 
@@ -2346,7 +2344,6 @@ message LifecycleHandler {
   optional TCPSocketAction tcpSocket = 3;
 
   // Sleep represents a duration that the container should sleep.
-  // +featureGate=PodLifecycleSleepAction
   // +optional
   optional SleepAction sleep = 4;
 }
@@ -2811,7 +2808,6 @@ message NodeRuntimeHandler {
 // NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler.
 message NodeRuntimeHandlerFeatures {
   // RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.
-  // +featureGate=RecursiveReadOnlyMounts
   // +optional
   optional bool recursiveReadOnlyMounts = 1;
 
@@ -2978,7 +2974,6 @@ message NodeStatus {
   optional NodeConfigStatus config = 11;
 
   // The available runtime handlers.
-  // +featureGate=RecursiveReadOnlyMounts
   // +featureGate=UserNamespacesSupport
   // +optional
   // +listType=atomic
@@ -2988,6 +2983,12 @@ message NodeStatus {
   // +featureGate=SupplementalGroupsPolicy
   // +optional
   optional NodeFeatures features = 13;
+
+  // DeclaredFeatures represents the features related to feature gates that are declared by the node.
+  // +featureGate=NodeDeclaredFeatures
+  // +optional
+  // +listType=atomic
+  repeated string declaredFeatures = 14;
 }
 
 // NodeSwapStatus represents swap memory information.
@@ -3206,7 +3207,7 @@ message PersistentVolumeClaimSpec {
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
 
   // resources represents the minimum resources the volume should have.
-  // If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+  // Users are allowed to specify resource requirements
   // that are lower than previous value but must still be higher than capacity recorded in the
   // status field of the claim.
   // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -3324,9 +3325,6 @@ message PersistentVolumeClaimStatus {
   // should ignore the update for the purpose it was designed. For example - a controller that
   // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
   // resources associated with PVC.
-  //
-  // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-  // +featureGate=RecoverVolumeExpansionFailure
   // +optional
   map<string, .k8s.io.apimachinery.pkg.api.resource.Quantity> allocatedResources = 5;
 
@@ -3363,9 +3361,6 @@ message PersistentVolumeClaimStatus {
   // should ignore the update for the purpose it was designed. For example - a controller that
   // only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
   // resources associated with PVC.
-  //
-  // This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-  // +featureGate=RecoverVolumeExpansionFailure
   // +mapType=granular
   // +optional
   map<string, string> allocatedResourceStatuses = 7;
@@ -3609,6 +3604,7 @@ message PersistentVolumeSpec {
 
   // nodeAffinity defines constraints that limit what nodes this volume can be accessed from.
   // This field influences the scheduling of pods that use this volume.
+  // This field is mutable if MutablePVNodeAffinity feature gate is enabled.
   // +optional
   optional VolumeNodeAffinity nodeAffinity = 9;
 
@@ -3898,6 +3894,21 @@ message PodCertificateProjection {
   //
   // +optional
   optional string certificateChainPath = 6;
+
+  // userAnnotations allow pod authors to pass additional information to
+  // the signer implementation.  Kubernetes does not restrict or validate this
+  // metadata in any way.
+  //
+  // These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+  // the PodCertificateRequest objects that Kubelet creates.
+  //
+  // Entries are subject to the same validation as object metadata annotations,
+  // with the addition that all keys must be domain-prefixed. No restrictions
+  // are placed on values, except an overall size limitation on the entire field.
+  //
+  // Signers should document the keys and values they support. Signers should
+  // deny requests that contain keys they do not recognize.
+  map<string, string> userAnnotations = 7;
 }
 
 // PodCondition contains details for the current condition of this pod.
@@ -3907,7 +3918,7 @@ message PodCondition {
   optional string type = 1;
 
   // If set, this represents the .metadata.generation that the pod condition was set based upon.
-  // This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.
+  // The PodObservedGenerationTracking feature gate must be enabled to use this field.
   // +featureGate=PodObservedGenerationTracking
   // +optional
   optional int64 observedGeneration = 7;
@@ -4681,8 +4692,8 @@ message PodSpec {
   // will be made available to those containers which consume them
   // by name.
   //
-  // This is an alpha field and requires enabling the
-  // DynamicResourceAllocation feature gate.
+  // This is a stable field but requires that the
+  // DynamicResourceAllocation feature gate is enabled.
   //
   // This field is immutable.
   //
@@ -4723,6 +4734,18 @@ message PodSpec {
   // +featureGate=HostnameOverride
   // +optional
   optional string hostnameOverride = 41;
+
+  // WorkloadRef provides a reference to the Workload object that this Pod belongs to.
+  // This field is used by the scheduler to identify the PodGroup and apply the
+  // correct group scheduling policies. The Workload object referenced
+  // by this field may not exist at the time the Pod is created.
+  // This field is immutable, but a Workload object with the same name
+  // may be recreated with different policies. Doing this during pod scheduling
+  // may result in the placement not conforming to the expected policies.
+  //
+  // +featureGate=GenericWorkload
+  // +optional
+  optional WorkloadReference workloadRef = 42;
 }
 
 // PodStatus represents information about the status of a pod. Status may trail the actual
@@ -4730,7 +4753,7 @@ message PodSpec {
 // plane.
 message PodStatus {
   // If set, this represents the .metadata.generation that the pod status was set based upon.
-  // This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.
+  // The PodObservedGenerationTracking feature gate must be enabled to use this field.
   // +featureGate=PodObservedGenerationTracking
   // +optional
   optional int64 observedGeneration = 17;
@@ -4886,6 +4909,20 @@ message PodStatus {
   // +featureGate=DRAExtendedResource
   // +optional
   optional PodExtendedResourceClaimStatus extendedResourceClaimStatus = 18;
+
+  // AllocatedResources is the total requests allocated for this pod by the node.
+  // If pod-level requests are not set, this will be the total requests aggregated
+  // across containers in the pod.
+  // +featureGate=InPlacePodLevelResourcesVerticalScaling
+  // +optional
+  map<string, .k8s.io.apimachinery.pkg.api.resource.Quantity> allocatedResources = 19;
+
+  // Resources represents the compute resource requests and limits that have been
+  // applied at the pod level if pod-level requests or limits are set in
+  // PodSpec.Resources
+  // +featureGate=InPlacePodLevelResourcesVerticalScaling
+  // +optional
+  optional ResourceRequirements resources = 20;
 }
 
 // PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded
@@ -5263,6 +5300,8 @@ message ReplicationController {
   // be the same as the Pod(s) that the replication controller manages.
   // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
   // +optional
+  // +k8s:subfield(name)=+k8s:optional
+  // +k8s:subfield(name)=+k8s:format=k8s-long-name
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // Spec defines the specification of the desired behavior of the replication controller.
@@ -6378,7 +6417,6 @@ message ServiceSpec {
   // field is not set, the implementation will apply its default routing
   // strategy. If set to "PreferClose", implementations should prioritize
   // endpoints that are in the same zone.
-  // +featureGate=ServiceTrafficDistribution
   // +optional
   optional string trafficDistribution = 23;
 }
@@ -6526,9 +6564,10 @@ message Toleration {
   optional string key = 1;
 
   // Operator represents a key's relationship to the value.
-  // Valid operators are Exists and Equal. Defaults to Equal.
+  // Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
   // Exists is equivalent to wildcard for value, so that a pod can
   // tolerate all taints of a particular category.
+  // Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
   // +optional
   optional string operator = 2;
 
@@ -6800,8 +6839,6 @@ message VolumeMount {
   // None (or be unspecified, which defaults to None).
   //
   // If this field is not specified, it is treated as an equivalent of Disabled.
-  //
-  // +featureGate=RecursiveReadOnlyMounts
   // +optional
   optional string recursiveReadOnly = 7;
 
@@ -6846,7 +6883,6 @@ message VolumeMountStatus {
   // RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts).
   // An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled,
   // depending on the mount result.
-  // +featureGate=RecursiveReadOnlyMounts
   // +optional
   optional string recursiveReadOnly = 4;
 }
@@ -6929,7 +6965,8 @@ message VolumeProjection {
   // issues; consult the signer implementation's documentation to learn how to
   // use the certificates it issues.
   //
-  // +featureGate=PodCertificateProjection +optional
+  // +featureGate=PodCertificateProjection
+  // +optional
   optional PodCertificateProjection podCertificate = 6;
 }
 
@@ -7212,3 +7249,33 @@ message WindowsSecurityContextOptions {
   optional bool hostProcess = 4;
 }
 
+// WorkloadReference identifies the Workload object and PodGroup membership
+// that a Pod belongs to. The scheduler uses this information to apply
+// workload-aware scheduling semantics.
+message WorkloadReference {
+  // Name defines the name of the Workload object this Pod belongs to.
+  // Workload must be in the same namespace as the Pod.
+  // If it doesn't match any existing Workload, the Pod will remain unschedulable
+  // until a Workload object is created and observed by the kube-scheduler.
+  // It must be a DNS subdomain.
+  //
+  // +required
+  optional string name = 1;
+
+  // PodGroup is the name of the PodGroup within the Workload that this Pod
+  // belongs to. If it doesn't match any existing PodGroup within the Workload,
+  // the Pod will remain unschedulable until the Workload object is recreated
+  // and observed by the kube-scheduler. It must be a DNS label.
+  //
+  // +required
+  optional string podGroup = 2;
+
+  // PodGroupReplicaKey specifies the replica key of the PodGroup to which this
+  // Pod belongs. It is used to distinguish pods belonging to different replicas
+  // of the same pod group. The pod group policy is applied separately to each replica.
+  // When set, it must be a DNS label.
+  //
+  // +optional
+  optional string podGroupReplicaKey = 3;
+}
+
diff --git a/staging/src/k8s.io/api/core/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/core/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..cf74ffa0885e2
--- /dev/null
+++ b/staging/src/k8s.io/api/core/v1/generated.protomessage.pb.go
@@ -0,0 +1,498 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AWSElasticBlockStoreVolumeSource) ProtoMessage() {}
+
+func (*Affinity) ProtoMessage() {}
+
+func (*AppArmorProfile) ProtoMessage() {}
+
+func (*AttachedVolume) ProtoMessage() {}
+
+func (*AvoidPods) ProtoMessage() {}
+
+func (*AzureDiskVolumeSource) ProtoMessage() {}
+
+func (*AzureFilePersistentVolumeSource) ProtoMessage() {}
+
+func (*AzureFileVolumeSource) ProtoMessage() {}
+
+func (*Binding) ProtoMessage() {}
+
+func (*CSIPersistentVolumeSource) ProtoMessage() {}
+
+func (*CSIVolumeSource) ProtoMessage() {}
+
+func (*Capabilities) ProtoMessage() {}
+
+func (*CephFSPersistentVolumeSource) ProtoMessage() {}
+
+func (*CephFSVolumeSource) ProtoMessage() {}
+
+func (*CinderPersistentVolumeSource) ProtoMessage() {}
+
+func (*CinderVolumeSource) ProtoMessage() {}
+
+func (*ClientIPConfig) ProtoMessage() {}
+
+func (*ClusterTrustBundleProjection) ProtoMessage() {}
+
+func (*ComponentCondition) ProtoMessage() {}
+
+func (*ComponentStatus) ProtoMessage() {}
+
+func (*ComponentStatusList) ProtoMessage() {}
+
+func (*ConfigMap) ProtoMessage() {}
+
+func (*ConfigMapEnvSource) ProtoMessage() {}
+
+func (*ConfigMapKeySelector) ProtoMessage() {}
+
+func (*ConfigMapList) ProtoMessage() {}
+
+func (*ConfigMapNodeConfigSource) ProtoMessage() {}
+
+func (*ConfigMapProjection) ProtoMessage() {}
+
+func (*ConfigMapVolumeSource) ProtoMessage() {}
+
+func (*Container) ProtoMessage() {}
+
+func (*ContainerExtendedResourceRequest) ProtoMessage() {}
+
+func (*ContainerImage) ProtoMessage() {}
+
+func (*ContainerPort) ProtoMessage() {}
+
+func (*ContainerResizePolicy) ProtoMessage() {}
+
+func (*ContainerRestartRule) ProtoMessage() {}
+
+func (*ContainerRestartRuleOnExitCodes) ProtoMessage() {}
+
+func (*ContainerState) ProtoMessage() {}
+
+func (*ContainerStateRunning) ProtoMessage() {}
+
+func (*ContainerStateTerminated) ProtoMessage() {}
+
+func (*ContainerStateWaiting) ProtoMessage() {}
+
+func (*ContainerStatus) ProtoMessage() {}
+
+func (*ContainerUser) ProtoMessage() {}
+
+func (*DaemonEndpoint) ProtoMessage() {}
+
+func (*DownwardAPIProjection) ProtoMessage() {}
+
+func (*DownwardAPIVolumeFile) ProtoMessage() {}
+
+func (*DownwardAPIVolumeSource) ProtoMessage() {}
+
+func (*EmptyDirVolumeSource) ProtoMessage() {}
+
+func (*EndpointAddress) ProtoMessage() {}
+
+func (*EndpointPort) ProtoMessage() {}
+
+func (*EndpointSubset) ProtoMessage() {}
+
+func (*Endpoints) ProtoMessage() {}
+
+func (*EndpointsList) ProtoMessage() {}
+
+func (*EnvFromSource) ProtoMessage() {}
+
+func (*EnvVar) ProtoMessage() {}
+
+func (*EnvVarSource) ProtoMessage() {}
+
+func (*EphemeralContainer) ProtoMessage() {}
+
+func (*EphemeralContainerCommon) ProtoMessage() {}
+
+func (*EphemeralVolumeSource) ProtoMessage() {}
+
+func (*Event) ProtoMessage() {}
+
+func (*EventList) ProtoMessage() {}
+
+func (*EventSeries) ProtoMessage() {}
+
+func (*EventSource) ProtoMessage() {}
+
+func (*ExecAction) ProtoMessage() {}
+
+func (*FCVolumeSource) ProtoMessage() {}
+
+func (*FileKeySelector) ProtoMessage() {}
+
+func (*FlexPersistentVolumeSource) ProtoMessage() {}
+
+func (*FlexVolumeSource) ProtoMessage() {}
+
+func (*FlockerVolumeSource) ProtoMessage() {}
+
+func (*GCEPersistentDiskVolumeSource) ProtoMessage() {}
+
+func (*GRPCAction) ProtoMessage() {}
+
+func (*GitRepoVolumeSource) ProtoMessage() {}
+
+func (*GlusterfsPersistentVolumeSource) ProtoMessage() {}
+
+func (*GlusterfsVolumeSource) ProtoMessage() {}
+
+func (*HTTPGetAction) ProtoMessage() {}
+
+func (*HTTPHeader) ProtoMessage() {}
+
+func (*HostAlias) ProtoMessage() {}
+
+func (*HostIP) ProtoMessage() {}
+
+func (*HostPathVolumeSource) ProtoMessage() {}
+
+func (*ISCSIPersistentVolumeSource) ProtoMessage() {}
+
+func (*ISCSIVolumeSource) ProtoMessage() {}
+
+func (*ImageVolumeSource) ProtoMessage() {}
+
+func (*KeyToPath) ProtoMessage() {}
+
+func (*Lifecycle) ProtoMessage() {}
+
+func (*LifecycleHandler) ProtoMessage() {}
+
+func (*LimitRange) ProtoMessage() {}
+
+func (*LimitRangeItem) ProtoMessage() {}
+
+func (*LimitRangeList) ProtoMessage() {}
+
+func (*LimitRangeSpec) ProtoMessage() {}
+
+func (*LinuxContainerUser) ProtoMessage() {}
+
+func (*List) ProtoMessage() {}
+
+func (*LoadBalancerIngress) ProtoMessage() {}
+
+func (*LoadBalancerStatus) ProtoMessage() {}
+
+func (*LocalObjectReference) ProtoMessage() {}
+
+func (*LocalVolumeSource) ProtoMessage() {}
+
+func (*ModifyVolumeStatus) ProtoMessage() {}
+
+func (*NFSVolumeSource) ProtoMessage() {}
+
+func (*Namespace) ProtoMessage() {}
+
+func (*NamespaceCondition) ProtoMessage() {}
+
+func (*NamespaceList) ProtoMessage() {}
+
+func (*NamespaceSpec) ProtoMessage() {}
+
+func (*NamespaceStatus) ProtoMessage() {}
+
+func (*Node) ProtoMessage() {}
+
+func (*NodeAddress) ProtoMessage() {}
+
+func (*NodeAffinity) ProtoMessage() {}
+
+func (*NodeCondition) ProtoMessage() {}
+
+func (*NodeConfigSource) ProtoMessage() {}
+
+func (*NodeConfigStatus) ProtoMessage() {}
+
+func (*NodeDaemonEndpoints) ProtoMessage() {}
+
+func (*NodeFeatures) ProtoMessage() {}
+
+func (*NodeList) ProtoMessage() {}
+
+func (*NodeProxyOptions) ProtoMessage() {}
+
+func (*NodeRuntimeHandler) ProtoMessage() {}
+
+func (*NodeRuntimeHandlerFeatures) ProtoMessage() {}
+
+func (*NodeSelector) ProtoMessage() {}
+
+func (*NodeSelectorRequirement) ProtoMessage() {}
+
+func (*NodeSelectorTerm) ProtoMessage() {}
+
+func (*NodeSpec) ProtoMessage() {}
+
+func (*NodeStatus) ProtoMessage() {}
+
+func (*NodeSwapStatus) ProtoMessage() {}
+
+func (*NodeSystemInfo) ProtoMessage() {}
+
+func (*ObjectFieldSelector) ProtoMessage() {}
+
+func (*ObjectReference) ProtoMessage() {}
+
+func (*PersistentVolume) ProtoMessage() {}
+
+func (*PersistentVolumeClaim) ProtoMessage() {}
+
+func (*PersistentVolumeClaimCondition) ProtoMessage() {}
+
+func (*PersistentVolumeClaimList) ProtoMessage() {}
+
+func (*PersistentVolumeClaimSpec) ProtoMessage() {}
+
+func (*PersistentVolumeClaimStatus) ProtoMessage() {}
+
+func (*PersistentVolumeClaimTemplate) ProtoMessage() {}
+
+func (*PersistentVolumeClaimVolumeSource) ProtoMessage() {}
+
+func (*PersistentVolumeList) ProtoMessage() {}
+
+func (*PersistentVolumeSource) ProtoMessage() {}
+
+func (*PersistentVolumeSpec) ProtoMessage() {}
+
+func (*PersistentVolumeStatus) ProtoMessage() {}
+
+func (*PhotonPersistentDiskVolumeSource) ProtoMessage() {}
+
+func (*Pod) ProtoMessage() {}
+
+func (*PodAffinity) ProtoMessage() {}
+
+func (*PodAffinityTerm) ProtoMessage() {}
+
+func (*PodAntiAffinity) ProtoMessage() {}
+
+func (*PodAttachOptions) ProtoMessage() {}
+
+func (*PodCertificateProjection) ProtoMessage() {}
+
+func (*PodCondition) ProtoMessage() {}
+
+func (*PodDNSConfig) ProtoMessage() {}
+
+func (*PodDNSConfigOption) ProtoMessage() {}
+
+func (*PodExecOptions) ProtoMessage() {}
+
+func (*PodExtendedResourceClaimStatus) ProtoMessage() {}
+
+func (*PodIP) ProtoMessage() {}
+
+func (*PodList) ProtoMessage() {}
+
+func (*PodLogOptions) ProtoMessage() {}
+
+func (*PodOS) ProtoMessage() {}
+
+func (*PodPortForwardOptions) ProtoMessage() {}
+
+func (*PodProxyOptions) ProtoMessage() {}
+
+func (*PodReadinessGate) ProtoMessage() {}
+
+func (*PodResourceClaim) ProtoMessage() {}
+
+func (*PodResourceClaimStatus) ProtoMessage() {}
+
+func (*PodSchedulingGate) ProtoMessage() {}
+
+func (*PodSecurityContext) ProtoMessage() {}
+
+func (*PodSignature) ProtoMessage() {}
+
+func (*PodSpec) ProtoMessage() {}
+
+func (*PodStatus) ProtoMessage() {}
+
+func (*PodStatusResult) ProtoMessage() {}
+
+func (*PodTemplate) ProtoMessage() {}
+
+func (*PodTemplateList) ProtoMessage() {}
+
+func (*PodTemplateSpec) ProtoMessage() {}
+
+func (*PortStatus) ProtoMessage() {}
+
+func (*PortworxVolumeSource) ProtoMessage() {}
+
+func (*Preconditions) ProtoMessage() {}
+
+func (*PreferAvoidPodsEntry) ProtoMessage() {}
+
+func (*PreferredSchedulingTerm) ProtoMessage() {}
+
+func (*Probe) ProtoMessage() {}
+
+func (*ProbeHandler) ProtoMessage() {}
+
+func (*ProjectedVolumeSource) ProtoMessage() {}
+
+func (*QuobyteVolumeSource) ProtoMessage() {}
+
+func (*RBDPersistentVolumeSource) ProtoMessage() {}
+
+func (*RBDVolumeSource) ProtoMessage() {}
+
+func (*RangeAllocation) ProtoMessage() {}
+
+func (*ReplicationController) ProtoMessage() {}
+
+func (*ReplicationControllerCondition) ProtoMessage() {}
+
+func (*ReplicationControllerList) ProtoMessage() {}
+
+func (*ReplicationControllerSpec) ProtoMessage() {}
+
+func (*ReplicationControllerStatus) ProtoMessage() {}
+
+func (*ResourceClaim) ProtoMessage() {}
+
+func (*ResourceFieldSelector) ProtoMessage() {}
+
+func (*ResourceHealth) ProtoMessage() {}
+
+func (*ResourceQuota) ProtoMessage() {}
+
+func (*ResourceQuotaList) ProtoMessage() {}
+
+func (*ResourceQuotaSpec) ProtoMessage() {}
+
+func (*ResourceQuotaStatus) ProtoMessage() {}
+
+func (*ResourceRequirements) ProtoMessage() {}
+
+func (*ResourceStatus) ProtoMessage() {}
+
+func (*SELinuxOptions) ProtoMessage() {}
+
+func (*ScaleIOPersistentVolumeSource) ProtoMessage() {}
+
+func (*ScaleIOVolumeSource) ProtoMessage() {}
+
+func (*ScopeSelector) ProtoMessage() {}
+
+func (*ScopedResourceSelectorRequirement) ProtoMessage() {}
+
+func (*SeccompProfile) ProtoMessage() {}
+
+func (*Secret) ProtoMessage() {}
+
+func (*SecretEnvSource) ProtoMessage() {}
+
+func (*SecretKeySelector) ProtoMessage() {}
+
+func (*SecretList) ProtoMessage() {}
+
+func (*SecretProjection) ProtoMessage() {}
+
+func (*SecretReference) ProtoMessage() {}
+
+func (*SecretVolumeSource) ProtoMessage() {}
+
+func (*SecurityContext) ProtoMessage() {}
+
+func (*SerializedReference) ProtoMessage() {}
+
+func (*Service) ProtoMessage() {}
+
+func (*ServiceAccount) ProtoMessage() {}
+
+func (*ServiceAccountList) ProtoMessage() {}
+
+func (*ServiceAccountTokenProjection) ProtoMessage() {}
+
+func (*ServiceList) ProtoMessage() {}
+
+func (*ServicePort) ProtoMessage() {}
+
+func (*ServiceProxyOptions) ProtoMessage() {}
+
+func (*ServiceSpec) ProtoMessage() {}
+
+func (*ServiceStatus) ProtoMessage() {}
+
+func (*SessionAffinityConfig) ProtoMessage() {}
+
+func (*SleepAction) ProtoMessage() {}
+
+func (*StorageOSPersistentVolumeSource) ProtoMessage() {}
+
+func (*StorageOSVolumeSource) ProtoMessage() {}
+
+func (*Sysctl) ProtoMessage() {}
+
+func (*TCPSocketAction) ProtoMessage() {}
+
+func (*Taint) ProtoMessage() {}
+
+func (*Toleration) ProtoMessage() {}
+
+func (*TopologySelectorLabelRequirement) ProtoMessage() {}
+
+func (*TopologySelectorTerm) ProtoMessage() {}
+
+func (*TopologySpreadConstraint) ProtoMessage() {}
+
+func (*TypedLocalObjectReference) ProtoMessage() {}
+
+func (*TypedObjectReference) ProtoMessage() {}
+
+func (*Volume) ProtoMessage() {}
+
+func (*VolumeDevice) ProtoMessage() {}
+
+func (*VolumeMount) ProtoMessage() {}
+
+func (*VolumeMountStatus) ProtoMessage() {}
+
+func (*VolumeNodeAffinity) ProtoMessage() {}
+
+func (*VolumeProjection) ProtoMessage() {}
+
+func (*VolumeResourceRequirements) ProtoMessage() {}
+
+func (*VolumeSource) ProtoMessage() {}
+
+func (*VsphereVirtualDiskVolumeSource) ProtoMessage() {}
+
+func (*WeightedPodAffinityTerm) ProtoMessage() {}
+
+func (*WindowsSecurityContextOptions) ProtoMessage() {}
+
+func (*WorkloadReference) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/core/v1/toleration.go b/staging/src/k8s.io/api/core/v1/toleration.go
index e803d518b5cc0..080c228d2d9d9 100644
--- a/staging/src/k8s.io/api/core/v1/toleration.go
+++ b/staging/src/k8s.io/api/core/v1/toleration.go
@@ -16,6 +16,16 @@ limitations under the License.
 
 package v1
 
+import (
+	"errors"
+	"strconv"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/validate/content"
+
+	"k8s.io/klog/v2"
+)
+
 // MatchToleration checks if the toleration matches tolerationToMatch. Tolerations are unique by <key,effect,operator,value>,
 // if the two tolerations have same <key,effect,operator,value> combination, regard as they match.
 // TODO: uniqueness check for tolerations in api validations.
@@ -35,7 +45,11 @@ func (t *Toleration) MatchToleration(tolerationToMatch *Toleration) bool {
 //  3. Empty toleration.key means to match all taint keys.
 //     If toleration.key is empty, toleration.operator must be 'Exists';
 //     this combination means to match all taint values and all taint keys.
-func (t *Toleration) ToleratesTaint(taint *Taint) bool {
+//  4. If toleration.operator is 'Lt' or 'Gt', numeric comparison is performed
+//     between toleration.value and taint.value.
+//  5. If enableComparisonOperators is false and the toleration uses 'Lt' or 'Gt'
+//     operators, the toleration does not match (returns false).
+func (t *Toleration) ToleratesTaint(logger klog.Logger, taint *Taint, enableComparisonOperators bool) bool {
 	if len(t.Effect) > 0 && t.Effect != taint.Effect {
 		return false
 	}
@@ -51,6 +65,47 @@ func (t *Toleration) ToleratesTaint(taint *Taint) bool {
 		return t.Value == taint.Value
 	case TolerationOpExists:
 		return true
+	case TolerationOpLt, TolerationOpGt:
+		// If comparison operators are disabled, this toleration doesn't match
+		if !enableComparisonOperators {
+			return false
+		}
+		return compareNumericValues(logger, t.Value, taint.Value, t.Operator)
+	default:
+		return false
+	}
+}
+
+// compareNumericValues performs numeric comparison between toleration and taint values
+func compareNumericValues(logger klog.Logger, tolerationVal, taintVal string, op TolerationOperator) bool {
+
+	errorMsgs := content.IsDecimalInteger(tolerationVal)
+	if len(errorMsgs) > 0 {
+		logger.Error(errors.New(strings.Join(errorMsgs, ",")), "failed to parse toleration value as int64", "toleration", tolerationVal)
+		return false
+	}
+	tVal, err := strconv.ParseInt(tolerationVal, 10, 64)
+	if err != nil {
+		logger.Error(err, "failed to parse toleration value as int64", "toleration", tolerationVal)
+		return false
+	}
+
+	errorMsgs = content.IsDecimalInteger(taintVal)
+	if len(errorMsgs) > 0 {
+		logger.Error(errors.New(strings.Join(errorMsgs, ",")), "failed to parse taint value as int64", "taint", taintVal)
+		return false
+	}
+	tntVal, err := strconv.ParseInt(taintVal, 10, 64)
+	if err != nil {
+		logger.Error(err, "failed to parse taint value as int64", "taint", taintVal)
+		return false
+	}
+
+	switch op {
+	case TolerationOpLt:
+		return tntVal < tVal
+	case TolerationOpGt:
+		return tntVal > tVal
 	default:
 		return false
 	}
diff --git a/staging/src/k8s.io/api/core/v1/toleration_test.go b/staging/src/k8s.io/api/core/v1/toleration_test.go
index 3dd48f08778a1..93fc2839dc006 100644
--- a/staging/src/k8s.io/api/core/v1/toleration_test.go
+++ b/staging/src/k8s.io/api/core/v1/toleration_test.go
@@ -17,16 +17,19 @@ limitations under the License.
 package v1
 
 import (
+	"k8s.io/klog/v2/ktesting"
 	"testing"
 )
 
 func TestTolerationToleratesTaint(t *testing.T) {
-
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
-		description     string
-		toleration      Toleration
-		taint           Taint
-		expectTolerated bool
+		description                                string
+		toleration                                 Toleration
+		taint                                      Taint
+		expectTolerated                            bool
+		expectError                                bool
+		enableTaintTolerationComparisonOperatorsFG bool
 	}{
 		{
 			description: "toleration and taint have the same key and effect, and operator is Exists, and taint has no value, expect tolerated",
@@ -114,10 +117,384 @@ func TestTolerationToleratesTaint(t *testing.T) {
 			},
 			expectTolerated: false,
 		},
+		{
+			description: "toleration with Gt operator - taint value less than toleration value, expect not tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpGt,
+				Value:    "950",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "800",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Gt operator - taint value greater than toleration value, expect tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpGt,
+				Value:    "750",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "950",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Lt operator - taint value greater than toleration value, expect not tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpLt,
+				Value:    "800",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "950",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Lt operator - taint value less than toleration value, expect tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpLt,
+				Value:    "950",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "800",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Gt operator and taint with equal numeric value, expect not tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpGt,
+				Value:    "950",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "950",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Gt operator and taint with non-numeric value, expect not tolerated",
+			toleration: Toleration{
+				Key:      "node.kubernetes.io/sla",
+				Operator: TolerationOpGt,
+				Value:    "950",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "node.kubernetes.io/sla",
+				Value:  "high",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			expectError:     true,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Gt operator and negative numeric values - taint value less than threshold, expect not tolerated",
+			toleration: Toleration{
+				Key:      "test-key",
+				Operator: TolerationOpGt,
+				Value:    "-100",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "test-key",
+				Value:  "-200",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
+		{
+			description: "toleration with Gt operator and large int64 values - taint value less than threshold, expect not tolerated",
+			toleration: Toleration{
+				Key:      "test-key",
+				Operator: TolerationOpGt,
+				Value:    "9223372036854775806",
+				Effect:   TaintEffectNoSchedule,
+			},
+			taint: Taint{
+				Key:    "test-key",
+				Value:  "100",
+				Effect: TaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+			enableTaintTolerationComparisonOperatorsFG: true,
+		},
 	}
 	for _, tc := range testCases {
-		if tolerated := tc.toleration.ToleratesTaint(&tc.taint); tc.expectTolerated != tolerated {
+		if tolerated := tc.toleration.ToleratesTaint(logger, &tc.taint, tc.enableTaintTolerationComparisonOperatorsFG); tc.expectTolerated != tolerated {
 			t.Errorf("[%s] expect %v, got %v: toleration %+v, taint %s", tc.description, tc.expectTolerated, tolerated, tc.toleration, tc.taint.ToString())
 		}
 	}
 }
+
+func TestCompareNumericValues(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	testCases := []struct {
+		description    string
+		tolerationVal  string
+		taintVal       string
+		operator       TolerationOperator
+		expectedResult bool
+	}{
+		// Valid Gt operator cases
+		{
+			description:    "Gt operator - taint value greater than toleration value, expect true",
+			tolerationVal:  "100",
+			taintVal:       "200",
+			operator:       TolerationOpGt,
+			expectedResult: true,
+		},
+		{
+			description:    "Gt operator - taint value less than toleration value, expect false",
+			tolerationVal:  "200",
+			taintVal:       "100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - taint value equal to toleration value, expect false",
+			tolerationVal:  "100",
+			taintVal:       "100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - negative numbers, taint greater, expect true",
+			tolerationVal:  "-100",
+			taintVal:       "-50",
+			operator:       TolerationOpGt,
+			expectedResult: true,
+		},
+		{
+			description:    "Gt operator - negative numbers, taint less, expect false",
+			tolerationVal:  "-50",
+			taintVal:       "-100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - zero and positive, expect true",
+			tolerationVal:  "0",
+			taintVal:       "1",
+			operator:       TolerationOpGt,
+			expectedResult: true,
+		},
+		{
+			description:    "Gt operator - large int64 values, taint greater, expect true",
+			tolerationVal:  "9223372036854775806",
+			taintVal:       "9223372036854775807",
+			operator:       TolerationOpGt,
+			expectedResult: true,
+		},
+
+		// Valid Lt operator cases
+		{
+			description:    "Lt operator - taint value less than toleration value, expect true",
+			tolerationVal:  "200",
+			taintVal:       "100",
+			operator:       TolerationOpLt,
+			expectedResult: true,
+		},
+		{
+			description:    "Lt operator - taint value greater than toleration value, expect false",
+			tolerationVal:  "100",
+			taintVal:       "200",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - taint value equal to toleration value, expect false",
+			tolerationVal:  "100",
+			taintVal:       "100",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - negative numbers, taint less, expect true",
+			tolerationVal:  "-50",
+			taintVal:       "-100",
+			operator:       TolerationOpLt,
+			expectedResult: true,
+		},
+		{
+			description:    "Lt operator - negative numbers, taint greater, expect false",
+			tolerationVal:  "-100",
+			taintVal:       "-50",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - zero and negative, expect true",
+			tolerationVal:  "0",
+			taintVal:       "-1",
+			operator:       TolerationOpLt,
+			expectedResult: true,
+		},
+
+		// Invalid toleration values - should return false
+		{
+			description:    "Gt operator - invalid toleration value (non-numeric), expect false",
+			tolerationVal:  "abc",
+			taintVal:       "100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid toleration value (empty string), expect false",
+			tolerationVal:  "",
+			taintVal:       "100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid toleration value (leading zero), expect false",
+			tolerationVal:  "0100",
+			taintVal:       "200",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid toleration value (plus sign), expect false",
+			tolerationVal:  "+100",
+			taintVal:       "200",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid toleration value (floating point), expect false",
+			tolerationVal:  "100.5",
+			taintVal:       "200",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid toleration value (just minus sign), expect false",
+			tolerationVal:  "-",
+			taintVal:       "100",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+
+		// Invalid taint values - should return false
+		{
+			description:    "Gt operator - invalid taint value (non-numeric), expect false",
+			tolerationVal:  "100",
+			taintVal:       "xyz",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid taint value (empty string), expect false",
+			tolerationVal:  "100",
+			taintVal:       "",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Gt operator - invalid taint value (leading zero), expect false",
+			tolerationVal:  "100",
+			taintVal:       "0200",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - invalid taint value (plus sign), expect false",
+			tolerationVal:  "100",
+			taintVal:       "+200",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - invalid taint value (spaces), expect false",
+			tolerationVal:  "100",
+			taintVal:       " 200 ",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+
+		// Invalid operator - should return false
+		{
+			description:    "Equal operator (unsupported for numeric comparison), expect false",
+			tolerationVal:  "100",
+			taintVal:       "100",
+			operator:       TolerationOpEqual,
+			expectedResult: false,
+		},
+		{
+			description:    "Exists operator (unsupported for numeric comparison), expect false",
+			tolerationVal:  "100",
+			taintVal:       "100",
+			operator:       TolerationOpExists,
+			expectedResult: false,
+		},
+
+		// Edge cases with zero
+		{
+			description:    "Gt operator - both zero, expect false",
+			tolerationVal:  "0",
+			taintVal:       "0",
+			operator:       TolerationOpGt,
+			expectedResult: false,
+		},
+		{
+			description:    "Lt operator - both zero, expect false",
+			tolerationVal:  "0",
+			taintVal:       "0",
+			operator:       TolerationOpLt,
+			expectedResult: false,
+		},
+
+		// Int64 boundary cases
+		{
+			description:    "Gt operator - max int64 as taint, expect true",
+			tolerationVal:  "0",
+			taintVal:       "9223372036854775807",
+			operator:       TolerationOpGt,
+			expectedResult: true,
+		},
+		{
+			description:    "Lt operator - min int64 as taint, expect true",
+			tolerationVal:  "0",
+			taintVal:       "-9223372036854775808",
+			operator:       TolerationOpLt,
+			expectedResult: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			result := compareNumericValues(logger, tc.tolerationVal, tc.taintVal, tc.operator)
+			if result != tc.expectedResult {
+				t.Errorf("[%s] expected %v, got %v: tolerationVal=%q, taintVal=%q, operator=%v",
+					tc.description, tc.expectedResult, result, tc.tolerationVal, tc.taintVal, tc.operator)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index 08b6d351cc67e..705c82083cc50 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -427,6 +427,7 @@ type PersistentVolumeSpec struct {
 	VolumeMode *PersistentVolumeMode `json:"volumeMode,omitempty" protobuf:"bytes,8,opt,name=volumeMode,casttype=PersistentVolumeMode"`
 	// nodeAffinity defines constraints that limit what nodes this volume can be accessed from.
 	// This field influences the scheduling of pods that use this volume.
+	// This field is mutable if MutablePVNodeAffinity feature gate is enabled.
 	// +optional
 	NodeAffinity *VolumeNodeAffinity `json:"nodeAffinity,omitempty" protobuf:"bytes,9,opt,name=nodeAffinity"`
 	// Name of VolumeAttributesClass to which this persistent volume belongs. Empty value
@@ -558,7 +559,7 @@ type PersistentVolumeClaimSpec struct {
 	// +optional
 	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,4,opt,name=selector"`
 	// resources represents the minimum resources the volume should have.
-	// If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+	// Users are allowed to specify resource requirements
 	// that are lower than previous value but must still be higher than capacity recorded in the
 	// status field of the claim.
 	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
@@ -648,7 +649,7 @@ type TypedObjectReference struct {
 // Valid values are:
 //   - "Resizing", "FileSystemResizePending"
 //
-// If RecoverVolumeExpansionFailure feature gate is enabled, then following additional values can be expected:
+// The following additional values can be expected:
 //   - "ControllerResizeError", "NodeResizeError"
 //
 // If VolumeAttributesClass feature gate is enabled, then following additional values can be expected:
@@ -796,9 +797,6 @@ type PersistentVolumeClaimStatus struct {
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
-	//
-	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-	// +featureGate=RecoverVolumeExpansionFailure
 	// +optional
 	AllocatedResources ResourceList `json:"allocatedResources,omitempty" protobuf:"bytes,5,rep,name=allocatedResources,casttype=ResourceList,castkey=ResourceName"`
 
@@ -838,9 +836,6 @@ type PersistentVolumeClaimStatus struct {
 	// should ignore the update for the purpose it was designed. For example - a controller that
 	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
 	// resources associated with PVC.
-	//
-	// This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
-	// +featureGate=RecoverVolumeExpansionFailure
 	// +mapType=granular
 	// +optional
 	AllocatedResourceStatuses map[ResourceName]ClaimResourceStatus `json:"allocatedResourceStatuses,omitempty" protobuf:"bytes,7,rep,name=allocatedResourceStatuses"`
@@ -2056,6 +2051,21 @@ type PodCertificateProjection struct {
 	//
 	// +optional
 	CertificateChainPath string `json:"certificateChainPath,omitempty" protobuf:"bytes,6,rep,name=certificateChainPath"`
+
+	// userAnnotations allow pod authors to pass additional information to
+	// the signer implementation.  Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+	// the PodCertificateRequest objects that Kubelet creates.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support. Signers should
+	// deny requests that contain keys they do not recognize.
+	UserAnnotations map[string]string `json:"userAnnotations,omitempty" protobuf:"bytes,7,rep,name=userAnnotations"`
 }
 
 // Represents a projected volume source
@@ -2144,7 +2154,8 @@ type VolumeProjection struct {
 	// issues; consult the signer implementation's documentation to learn how to
 	// use the certificates it issues.
 	//
-	// +featureGate=PodCertificateProjection +optional
+	// +featureGate=PodCertificateProjection
+	// +optional
 	PodCertificate *PodCertificateProjection `json:"podCertificate,omitempty" protobuf:"bytes,6,opt,name=podCertificate"`
 }
 
@@ -2379,8 +2390,6 @@ type VolumeMount struct {
 	// None (or be unspecified, which defaults to None).
 	//
 	// If this field is not specified, it is treated as an equivalent of Disabled.
-	//
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnly *RecursiveReadOnlyMode `json:"recursiveReadOnly,omitempty" protobuf:"bytes,7,opt,name=recursiveReadOnly,casttype=RecursiveReadOnlyMode"`
 	// Path within the container at which the volume should be mounted.  Must
@@ -2965,6 +2974,7 @@ type Container struct {
 	// +optional
 	Resources ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,8,opt,name=resources"`
 	// Resources resize policy for the container.
+	// This field cannot be set on ephemeral containers.
 	// +featureGate=InPlacePodVerticalScaling
 	// +optional
 	// +listType=atomic
@@ -2984,7 +2994,6 @@ type Container struct {
 	// container. Instead, the next init container starts immediately after this
 	// init container is started, or after any startupProbe has successfully
 	// completed.
-	// +featureGate=SidecarContainers
 	// +optional
 	RestartPolicy *ContainerRestartPolicy `json:"restartPolicy,omitempty" protobuf:"bytes,24,opt,name=restartPolicy,casttype=ContainerRestartPolicy"`
 	// Represents a list of rules to be checked to determine if the
@@ -3128,7 +3137,6 @@ type LifecycleHandler struct {
 	// +optional
 	TCPSocket *TCPSocketAction `json:"tcpSocket,omitempty" protobuf:"bytes,3,opt,name=tcpSocket"`
 	// Sleep represents a duration that the container should sleep.
-	// +featureGate=PodLifecycleSleepAction
 	// +optional
 	Sleep *SleepAction `json:"sleep,omitempty" protobuf:"bytes,4,opt,name=sleep"`
 }
@@ -3369,7 +3377,6 @@ type ContainerStatus struct {
 	// +patchStrategy=merge
 	// +listType=map
 	// +listMapKey=mountPath
-	// +featureGate=RecursiveReadOnlyMounts
 	VolumeMounts []VolumeMountStatus `json:"volumeMounts,omitempty" patchStrategy:"merge" patchMergeKey:"mountPath" protobuf:"bytes,12,rep,name=volumeMounts"`
 	// User represents user identity information initially attached to the first process of the container
 	// +featureGate=SupplementalGroupsPolicy
@@ -3523,6 +3530,8 @@ const (
 	// If both PodResizePending and PodResizeInProgress are set, it means that a new resize was
 	// requested in the middle of a previous pod resize that is still in progress.
 	PodResizeInProgress PodConditionType = "PodResizeInProgress"
+	// AllContainersRestarting indicates that all containers of the pod is being restarted.
+	AllContainersRestarting PodConditionType = "AllContainersRestarting"
 )
 
 // These are reasons for a pod's transition to a condition.
@@ -3566,7 +3575,7 @@ type PodCondition struct {
 	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
 	Type PodConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=PodConditionType"`
 	// If set, this represents the .metadata.generation that the pod condition was set based upon.
-	// This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.
+	// The PodObservedGenerationTracking feature gate must be enabled to use this field.
 	// +featureGate=PodObservedGenerationTracking
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,7,opt,name=observedGeneration"`
@@ -3612,7 +3621,6 @@ type VolumeMountStatus struct {
 	// RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts).
 	// An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled,
 	// depending on the mount result.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnly *RecursiveReadOnlyMode `json:"recursiveReadOnly,omitempty" protobuf:"bytes,4,opt,name=recursiveReadOnly,casttype=RecursiveReadOnlyMode"`
 }
@@ -3660,7 +3668,8 @@ type ContainerRestartRuleAction string
 
 // The only valid action is Restart.
 const (
-	ContainerRestartRuleActionRestart ContainerRestartRuleAction = "Restart"
+	ContainerRestartRuleActionRestart              ContainerRestartRuleAction = "Restart"
+	ContainerRestartRuleActionRestartAllContainers ContainerRestartRuleAction = "RestartAllContainers"
 )
 
 // ContainerRestartRuleOnExitCodes describes the condition
@@ -4048,9 +4057,10 @@ type Toleration struct {
 	// +optional
 	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
 	// Operator represents a key's relationship to the value.
-	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
 	// Exists is equivalent to wildcard for value, so that a pod can
 	// tolerate all taints of a particular category.
+	// Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
 	// +optional
 	Operator TolerationOperator `json:"operator,omitempty" protobuf:"bytes,2,opt,name=operator,casttype=TolerationOperator"`
 	// Value is the taint value the toleration matches to.
@@ -4076,6 +4086,8 @@ type TolerationOperator string
 const (
 	TolerationOpExists TolerationOperator = "Exists"
 	TolerationOpEqual  TolerationOperator = "Equal"
+	TolerationOpLt     TolerationOperator = "Lt"
+	TolerationOpGt     TolerationOperator = "Gt"
 )
 
 // PodReadinessGate contains the reference to a pod condition
@@ -4388,8 +4400,8 @@ type PodSpec struct {
 	// will be made available to those containers which consume them
 	// by name.
 	//
-	// This is an alpha field and requires enabling the
-	// DynamicResourceAllocation feature gate.
+	// This is a stable field but requires that the
+	// DynamicResourceAllocation feature gate is enabled.
 	//
 	// This field is immutable.
 	//
@@ -4428,6 +4440,17 @@ type PodSpec struct {
 	// +featureGate=HostnameOverride
 	// +optional
 	HostnameOverride *string `json:"hostnameOverride,omitempty" protobuf:"bytes,41,opt,name=hostnameOverride"`
+	// WorkloadRef provides a reference to the Workload object that this Pod belongs to.
+	// This field is used by the scheduler to identify the PodGroup and apply the
+	// correct group scheduling policies. The Workload object referenced
+	// by this field may not exist at the time the Pod is created.
+	// This field is immutable, but a Workload object with the same name
+	// may be recreated with different policies. Doing this during pod scheduling
+	// may result in the placement not conforming to the expected policies.
+	//
+	// +featureGate=GenericWorkload
+	// +optional
+	WorkloadRef *WorkloadReference `json:"workloadRef,omitempty" protobuf:"bytes,42,opt,name=workloadRef"`
 }
 
 // PodResourceClaim references exactly one ResourceClaim, either directly
@@ -4539,6 +4562,36 @@ type PodSchedulingGate struct {
 	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
 }
 
+// WorkloadReference identifies the Workload object and PodGroup membership
+// that a Pod belongs to. The scheduler uses this information to apply
+// workload-aware scheduling semantics.
+type WorkloadReference struct {
+	// Name defines the name of the Workload object this Pod belongs to.
+	// Workload must be in the same namespace as the Pod.
+	// If it doesn't match any existing Workload, the Pod will remain unschedulable
+	// until a Workload object is created and observed by the kube-scheduler.
+	// It must be a DNS subdomain.
+	//
+	// +required
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+
+	// PodGroup is the name of the PodGroup within the Workload that this Pod
+	// belongs to. If it doesn't match any existing PodGroup within the Workload,
+	// the Pod will remain unschedulable until the Workload object is recreated
+	// and observed by the kube-scheduler. It must be a DNS label.
+	//
+	// +required
+	PodGroup string `json:"podGroup" protobuf:"bytes,2,opt,name=podGroup"`
+
+	// PodGroupReplicaKey specifies the replica key of the PodGroup to which this
+	// Pod belongs. It is used to distinguish pods belonging to different replicas
+	// of the same pod group. The pod group policy is applied separately to each replica.
+	// When set, it must be a DNS label.
+	//
+	// +optional
+	PodGroupReplicaKey string `json:"podGroupReplicaKey,omitempty" protobuf:"bytes,3,opt,name=podGroupReplicaKey"`
+}
+
 // +enum
 type UnsatisfiableConstraintAction string
 
@@ -5074,7 +5127,6 @@ type EphemeralContainerCommon struct {
 	// Restart policy for the container to manage the restart behavior of each
 	// container within a pod.
 	// You cannot set this field on ephemeral containers.
-	// +featureGate=SidecarContainers
 	// +optional
 	RestartPolicy *ContainerRestartPolicy `json:"restartPolicy,omitempty" protobuf:"bytes,24,opt,name=restartPolicy,casttype=ContainerRestartPolicy"`
 	// Represents a list of rules to be checked to determine if the
@@ -5198,7 +5250,7 @@ type EphemeralContainer struct {
 // plane.
 type PodStatus struct {
 	// If set, this represents the .metadata.generation that the pod status was set based upon.
-	// This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.
+	// The PodObservedGenerationTracking feature gate must be enabled to use this field.
 	// +featureGate=PodObservedGenerationTracking
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,17,opt,name=observedGeneration"`
@@ -5348,6 +5400,20 @@ type PodStatus struct {
 	// +featureGate=DRAExtendedResource
 	// +optional
 	ExtendedResourceClaimStatus *PodExtendedResourceClaimStatus `json:"extendedResourceClaimStatus,omitempty" protobuf:"bytes,18,opt,name=extendedResourceClaimStatus"`
+
+	// AllocatedResources is the total requests allocated for this pod by the node.
+	// If pod-level requests are not set, this will be the total requests aggregated
+	// across containers in the pod.
+	// +featureGate=InPlacePodLevelResourcesVerticalScaling
+	// +optional
+	AllocatedResources ResourceList `json:"allocatedResources,omitempty" protobuf:"bytes,19,rep,name=allocatedResources,casttype=ResourceList,castkey=ResourceName"`
+
+	// Resources represents the compute resource requests and limits that have been
+	// applied at the pod level if pod-level requests or limits are set in
+	// PodSpec.Resources
+	// +featureGate=InPlacePodLevelResourcesVerticalScaling
+	// +optional
+	Resources *ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,20,opt,name=resources"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -5578,6 +5644,8 @@ type ReplicationController struct {
 	// be the same as the Pod(s) that the replication controller manages.
 	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	// +optional
+	// +k8s:subfield(name)=+k8s:optional
+	// +k8s:subfield(name)=+k8s:format=k8s-long-name
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// Spec defines the specification of the desired behavior of the replication controller.
@@ -5678,8 +5746,11 @@ const (
 	ServiceInternalTrafficPolicyLocal ServiceInternalTrafficPolicy = "Local"
 )
 
-// for backwards compat
+// ServiceInternalTrafficPolicy describes how nodes distribute service traffic they
+// receive on the ClusterIP.
 // +enum
+//
+// Deprecated: use ServiceInternalTrafficPolicy instead.
 type ServiceInternalTrafficPolicyType = ServiceInternalTrafficPolicy
 
 // ServiceExternalTrafficPolicy describes how nodes distribute service traffic they
@@ -5698,8 +5769,12 @@ const (
 	ServiceExternalTrafficPolicyLocal ServiceExternalTrafficPolicy = "Local"
 )
 
-// for backwards compat
+// ServiceExternalTrafficPolicy describes how nodes distribute service traffic they
+// receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs,
+// and LoadBalancer IPs.
 // +enum
+//
+// Deprecated: use ServiceExternalTrafficPolicy instead.
 type ServiceExternalTrafficPolicyType = ServiceExternalTrafficPolicy
 
 const (
@@ -5709,27 +5784,25 @@ const (
 
 // These are valid values for the TrafficDistribution field of a Service.
 const (
-	// Indicates a preference for routing traffic to endpoints that are in the same
-	// zone as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same zone"
-	// preference will not result in endpoints getting overloaded.
-	ServiceTrafficDistributionPreferClose = "PreferClose"
-
-	// Indicates a preference for routing traffic to endpoints that are in the same
-	// zone as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same zone"
-	// preference will not result in endpoints getting overloaded.
-	// This is an alias for "PreferClose", but it is an Alpha feature and is only
-	// recognized if the PreferSameTrafficDistribution feature gate is enabled.
+	// ServiceTrafficDistributionPreferSameZone indicates a preference for routing
+	// traffic to endpoints that are in the same zone as the client. Users should only
+	// set this value if they have ensured that clients and endpoints are distributed
+	// in such a way that the "same zone" preference will not result in endpoints
+	// getting overloaded.
 	ServiceTrafficDistributionPreferSameZone = "PreferSameZone"
 
-	// Indicates a preference for routing traffic to endpoints that are on the same
-	// node as the client. Users should not set this value unless they have ensured
-	// that clients and endpoints are distributed in such a way that the "same node"
-	// preference will not result in endpoints getting overloaded.
-	// This is an Alpha feature and is only recognized if the
-	// PreferSameTrafficDistribution feature gate is enabled.
+	// ServiceTrafficDistributionPreferSameNode indicates a preference for routing
+	// traffic to endpoints that are on the same node as the client. Users should only
+	// set this value if they have ensured that clients and endpoints are distributed
+	// in such a way that the "same node" preference will not result in endpoints
+	// getting overloaded.
 	ServiceTrafficDistributionPreferSameNode = "PreferSameNode"
+
+	// ServiceTrafficDistributionPreferClose is the original name of "PreferSameZone".
+	// Despite the generic-sounding name, it has exactly the same meaning as
+	// "PreferSameZone".
+	// Deprecated: use "PreferSameZone" instead.
+	ServiceTrafficDistributionPreferClose = "PreferClose"
 )
 
 // These are the valid conditions of a service.
@@ -5833,8 +5906,10 @@ const (
 	IPFamilyPolicyRequireDualStack IPFamilyPolicy = "RequireDualStack"
 )
 
-// for backwards compat
+// IPFamilyPolicy represents the dual-stack-ness requested or required by a Service
 // +enum
+//
+// Deprecated: use IPFamilyPolicy instead.
 type IPFamilyPolicyType = IPFamilyPolicy
 
 // ServiceSpec describes the attributes that a user creates on a service.
@@ -6083,7 +6158,6 @@ type ServiceSpec struct {
 	// field is not set, the implementation will apply its default routing
 	// strategy. If set to "PreferClose", implementations should prioritize
 	// endpoints that are in the same zone.
-	// +featureGate=ServiceTrafficDistribution
 	// +optional
 	TrafficDistribution *string `json:"trafficDistribution,omitempty" protobuf:"bytes,23,opt,name=trafficDistribution"`
 }
@@ -6508,7 +6582,6 @@ type NodeDaemonEndpoints struct {
 // NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler.
 type NodeRuntimeHandlerFeatures struct {
 	// RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +optional
 	RecursiveReadOnlyMounts *bool `json:"recursiveReadOnlyMounts,omitempty" protobuf:"varint,1,opt,name=recursiveReadOnlyMounts"`
 	// UserNamespaces is set to true if the runtime handler supports UserNamespaces, including for volumes.
@@ -6683,7 +6756,6 @@ type NodeStatus struct {
 	// +optional
 	Config *NodeConfigStatus `json:"config,omitempty" protobuf:"bytes,11,opt,name=config"`
 	// The available runtime handlers.
-	// +featureGate=RecursiveReadOnlyMounts
 	// +featureGate=UserNamespacesSupport
 	// +optional
 	// +listType=atomic
@@ -6692,6 +6764,11 @@ type NodeStatus struct {
 	// +featureGate=SupplementalGroupsPolicy
 	// +optional
 	Features *NodeFeatures `json:"features,omitempty" protobuf:"bytes,13,rep,name=features"`
+	// DeclaredFeatures represents the features related to feature gates that are declared by the node.
+	// +featureGate=NodeDeclaredFeatures
+	// +optional
+	// +listType=atomic
+	DeclaredFeatures []string `json:"declaredFeatures,omitempty" protobuf:"bytes,14,rep,name=declaredFeatures"`
 }
 
 type UniqueVolumeName string
@@ -7645,6 +7722,8 @@ const (
 	ResourceLimitsEphemeralStorage ResourceName = "limits.ephemeral-storage"
 	// resource.k8s.io devices requested with a certain DeviceClass, number
 	ResourceClaimsPerClass string = ".deviceclass.resource.k8s.io/devices"
+	// resource.k8s.io devices requested with a certain DeviceClass by implicit extended resource name, number
+	ResourceImplicitExtendedClaimsPerClass string = "requests.deviceclass.resource.kubernetes.io/"
 )
 
 // The following identify resource prefix for Kubernetes object types
diff --git a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
index 1204307667fac..0f5e44e917a41 100644
--- a/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/core/v1/types_swagger_doc_generated.go
@@ -359,7 +359,7 @@ var map_Container = map[string]string{
 	"envFrom":                  "List of sources to populate environment variables in the container. The keys defined within a source may consist of any printable ASCII characters except '='. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.",
 	"env":                      "List of environment variables to set in the container. Cannot be updated.",
 	"resources":                "Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
-	"resizePolicy":             "Resources resize policy for the container.",
+	"resizePolicy":             "Resources resize policy for the container. This field cannot be set on ephemeral containers.",
 	"restartPolicy":            "RestartPolicy defines the restart behavior of individual containers in a pod. This overrides the pod-level restart policy. When this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Additionally, setting the RestartPolicy as \"Always\" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy \"Always\" will be shut down. This lifecycle differs from normal init containers and is often referred to as a \"sidecar\" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.",
 	"restartPolicyRules":       "Represents a list of rules to be checked to determine if the container should be restarted on exit. The rules are evaluated in order. Once a rule matches a container exit condition, the remaining rules are ignored. If no rule matches the container exit condition, the Container-level restart policy determines the whether the container is restarted or not. Constraints on the rules: - At most 20 rules are allowed. - Rules can have the same action. - Identical rules are not forbidden in validations. When rules are specified, container MUST set RestartPolicy explicitly even it if matches the Pod's RestartPolicy.",
 	"volumeMounts":             "Pod volumes to mount into the container's filesystem. Cannot be updated.",
@@ -1363,20 +1363,21 @@ func (NodeSpec) SwaggerDoc() map[string]string {
 }
 
 var map_NodeStatus = map[string]string{
-	"":                "NodeStatus is information about the current status of a node.",
-	"capacity":        "Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/reference/node/node-status/#capacity",
-	"allocatable":     "Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.",
-	"phase":           "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
-	"conditions":      "Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/reference/node/node-status/#condition",
-	"addresses":       "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/reference/node/node-status/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).",
-	"daemonEndpoints": "Endpoints of daemons running on the Node.",
-	"nodeInfo":        "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/reference/node/node-status/#info",
-	"images":          "List of container images on this node",
-	"volumesInUse":    "List of attachable volumes in use (mounted) by the node.",
-	"volumesAttached": "List of volumes that are attached to the node.",
-	"config":          "Status of the config assigned to the node via the dynamic Kubelet config feature.",
-	"runtimeHandlers": "The available runtime handlers.",
-	"features":        "Features describes the set of features implemented by the CRI implementation.",
+	"":                 "NodeStatus is information about the current status of a node.",
+	"capacity":         "Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/reference/node/node-status/#capacity",
+	"allocatable":      "Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.",
+	"phase":            "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
+	"conditions":       "Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/reference/node/node-status/#condition",
+	"addresses":        "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/reference/node/node-status/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).",
+	"daemonEndpoints":  "Endpoints of daemons running on the Node.",
+	"nodeInfo":         "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/reference/node/node-status/#info",
+	"images":           "List of container images on this node",
+	"volumesInUse":     "List of attachable volumes in use (mounted) by the node.",
+	"volumesAttached":  "List of volumes that are attached to the node.",
+	"config":           "Status of the config assigned to the node via the dynamic Kubelet config feature.",
+	"runtimeHandlers":  "The available runtime handlers.",
+	"features":         "Features describes the set of features implemented by the CRI implementation.",
+	"declaredFeatures": "DeclaredFeatures represents the features related to feature gates that are declared by the node.",
 }
 
 func (NodeStatus) SwaggerDoc() map[string]string {
@@ -1486,7 +1487,7 @@ var map_PersistentVolumeClaimSpec = map[string]string{
 	"":                          "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes",
 	"accessModes":               "accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1",
 	"selector":                  "selector is a label query over volumes to consider for binding.",
-	"resources":                 "resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
+	"resources":                 "resources represents the minimum resources the volume should have. Users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
 	"volumeName":                "volumeName is the binding reference to the PersistentVolume backing this claim.",
 	"storageClassName":          "storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1",
 	"volumeMode":                "volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.",
@@ -1505,8 +1506,8 @@ var map_PersistentVolumeClaimStatus = map[string]string{
 	"accessModes":                      "accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1",
 	"capacity":                         "capacity represents the actual resources of the underlying volume.",
 	"conditions":                       "conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'Resizing'.",
-	"allocatedResources":               "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
-	"allocatedResourceStatuses":        "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.",
+	"allocatedResources":               "allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
+	"allocatedResourceStatuses":        "allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n     - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.",
 	"currentVolumeAttributesClassName": "currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim",
 	"modifyVolumeStatus":               "ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. When this is unset, there is no ModifyVolume operation being attempted.",
 }
@@ -1584,7 +1585,7 @@ var map_PersistentVolumeSpec = map[string]string{
 	"storageClassName":              "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.",
 	"mountOptions":                  "mountOptions is the list of mount options, e.g. [\"ro\", \"soft\"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options",
 	"volumeMode":                    "volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.",
-	"nodeAffinity":                  "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.",
+	"nodeAffinity":                  "nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. This field is mutable if MutablePVNodeAffinity feature gate is enabled.",
 	"volumeAttributesClassName":     "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process.",
 }
 
@@ -1680,6 +1681,7 @@ var map_PodCertificateProjection = map[string]string{
 	"credentialBundlePath": "Write the credential bundle at this path in the projected volume.\n\nThe credential bundle is a single file that contains multiple PEM blocks. The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private key.\n\nThe remaining blocks are CERTIFICATE blocks, containing the issued certificate chain from the signer (leaf and any intermediates).\n\nUsing credentialBundlePath lets your Pod's application code make a single atomic read that retrieves a consistent key and certificate chain.  If you project them to separate files, your application code will need to additionally check that the leaf certificate was issued to the key.",
 	"keyPath":              "Write the key at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.",
 	"certificateChainPath": "Write the certificate chain at this path in the projected volume.\n\nMost applications should use credentialBundlePath.  When using keyPath and certificateChainPath, your application needs to check that the key and leaf certificate are consistent, because it is possible to read the files mid-rotation.",
+	"userAnnotations":      "userAnnotations allow pod authors to pass additional information to the signer implementation.  Kubernetes does not restrict or validate this metadata in any way.\n\nThese values are copied verbatim into the `spec.unverifiedUserAnnotations` field of the PodCertificateRequest objects that Kubelet creates.\n\nEntries are subject to the same validation as object metadata annotations, with the addition that all keys must be domain-prefixed. No restrictions are placed on values, except an overall size limitation on the entire field.\n\nSigners should document the keys and values they support. Signers should deny requests that contain keys they do not recognize.",
 }
 
 func (PodCertificateProjection) SwaggerDoc() map[string]string {
@@ -1689,7 +1691,7 @@ func (PodCertificateProjection) SwaggerDoc() map[string]string {
 var map_PodCondition = map[string]string{
 	"":                   "PodCondition contains details for the current condition of this pod.",
 	"type":               "Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
-	"observedGeneration": "If set, this represents the .metadata.generation that the pod condition was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+	"observedGeneration": "If set, this represents the .metadata.generation that the pod condition was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
 	"status":             "Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
 	"lastProbeTime":      "Last time we probed the condition.",
 	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
@@ -1919,9 +1921,10 @@ var map_PodSpec = map[string]string{
 	"os":                            "Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.resources - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup",
 	"hostUsers":                     "Use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.",
 	"schedulingGates":               "SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.\n\nSchedulingGates can only be set at pod creation time, and be removed only afterwards.",
-	"resourceClaims":                "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.",
+	"resourceClaims":                "ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is a stable field but requires that the DynamicResourceAllocation feature gate is enabled.\n\nThis field is immutable.",
 	"resources":                     "Resources is the total amount of CPU and Memory resources required by all containers in the pod. It supports specifying Requests and Limits for \"cpu\", \"memory\" and \"hugepages-\" resource names only. ResourceClaims are not supported.\n\nThis field enables fine-grained control over resource allocation for the entire pod, allowing resource sharing among containers in a pod.\n\nThis is an alpha field and requires enabling the PodLevelResources feature gate.",
 	"hostnameOverride":              "HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod. This field only specifies the pod's hostname and does not affect its DNS records. When this field is set to a non-empty string: - It takes precedence over the values set in `hostname` and `subdomain`. - The Pod's hostname will be set to this value. - `setHostnameAsFQDN` must be nil or set to false. - `hostNetwork` must be set to false.\n\nThis field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters. Requires the HostnameOverride feature gate to be enabled.",
+	"workloadRef":                   "WorkloadRef provides a reference to the Workload object that this Pod belongs to. This field is used by the scheduler to identify the PodGroup and apply the correct group scheduling policies. The Workload object referenced by this field may not exist at the time the Pod is created. This field is immutable, but a Workload object with the same name may be recreated with different policies. Doing this during pod scheduling may result in the placement not conforming to the expected policies.",
 }
 
 func (PodSpec) SwaggerDoc() map[string]string {
@@ -1930,7 +1933,7 @@ func (PodSpec) SwaggerDoc() map[string]string {
 
 var map_PodStatus = map[string]string{
 	"":                            "PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.",
-	"observedGeneration":          "If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.",
+	"observedGeneration":          "If set, this represents the .metadata.generation that the pod status was set based upon. The PodObservedGenerationTracking feature gate must be enabled to use this field.",
 	"phase":                       "The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase",
 	"conditions":                  "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
 	"message":                     "A human readable message indicating details about why the pod is in this condition.",
@@ -1948,6 +1951,8 @@ var map_PodStatus = map[string]string{
 	"resize":                      "Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.",
 	"resourceClaimStatuses":       "Status of resource claims.",
 	"extendedResourceClaimStatus": "Status of extended resource claim backed by DRA.",
+	"allocatedResources":          "AllocatedResources is the total requests allocated for this pod by the node. If pod-level requests are not set, this will be the total requests aggregated across containers in the pod.",
+	"resources":                   "Resources represents the compute resource requests and limits that have been applied at the pod level if pod-level requests or limits are set in PodSpec.Resources",
 }
 
 func (PodStatus) SwaggerDoc() map[string]string {
@@ -2669,7 +2674,7 @@ func (Taint) SwaggerDoc() map[string]string {
 var map_Toleration = map[string]string{
 	"":                  "The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
 	"key":               "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.",
-	"operator":          "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+	"operator":          "Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).",
 	"value":             "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.",
 	"effect":            "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.",
 	"tolerationSeconds": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.",
@@ -2888,4 +2893,15 @@ func (WindowsSecurityContextOptions) SwaggerDoc() map[string]string {
 	return map_WindowsSecurityContextOptions
 }
 
+var map_WorkloadReference = map[string]string{
+	"":                   "WorkloadReference identifies the Workload object and PodGroup membership that a Pod belongs to. The scheduler uses this information to apply workload-aware scheduling semantics.",
+	"name":               "Name defines the name of the Workload object this Pod belongs to. Workload must be in the same namespace as the Pod. If it doesn't match any existing Workload, the Pod will remain unschedulable until a Workload object is created and observed by the kube-scheduler. It must be a DNS subdomain.",
+	"podGroup":           "PodGroup is the name of the PodGroup within the Workload that this Pod belongs to. If it doesn't match any existing PodGroup within the Workload, the Pod will remain unschedulable until the Workload object is recreated and observed by the kube-scheduler. It must be a DNS label.",
+	"podGroupReplicaKey": "PodGroupReplicaKey specifies the replica key of the PodGroup to which this Pod belongs. It is used to distinguish pods belonging to different replicas of the same pod group. The pod group policy is applied separately to each replica. When set, it must be a DNS label.",
+}
+
+func (WorkloadReference) SwaggerDoc() map[string]string {
+	return map_WorkloadReference
+}
+
 // AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go
index bcd91bd0190fd..15bc2ee0331e0 100644
--- a/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/core/v1/zz_generated.deepcopy.go
@@ -3145,6 +3145,11 @@ func (in *NodeStatus) DeepCopyInto(out *NodeStatus) {
 		*out = new(NodeFeatures)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.DeclaredFeatures != nil {
+		in, out := &in.DeclaredFeatures, &out.DeclaredFeatures
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -3903,6 +3908,13 @@ func (in *PodCertificateProjection) DeepCopyInto(out *PodCertificateProjection)
 		*out = new(int32)
 		**out = **in
 	}
+	if in.UserAnnotations != nil {
+		in, out := &in.UserAnnotations, &out.UserAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 	return
 }
 
@@ -4557,6 +4569,11 @@ func (in *PodSpec) DeepCopyInto(out *PodSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.WorkloadRef != nil {
+		in, out := &in.WorkloadRef, &out.WorkloadRef
+		*out = new(WorkloadReference)
+		**out = **in
+	}
 	return
 }
 
@@ -4627,6 +4644,18 @@ func (in *PodStatus) DeepCopyInto(out *PodStatus) {
 		*out = new(PodExtendedResourceClaimStatus)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.AllocatedResources != nil {
+		in, out := &in.AllocatedResources, &out.AllocatedResources
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = new(ResourceRequirements)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -6844,3 +6873,19 @@ func (in *WindowsSecurityContextOptions) DeepCopy() *WindowsSecurityContextOptio
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadReference) DeepCopyInto(out *WorkloadReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadReference.
+func (in *WorkloadReference) DeepCopy() *WorkloadReference {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadReference)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/staging/src/k8s.io/api/core/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/core/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..523bb3a85290b
--- /dev/null
+++ b/staging/src/k8s.io/api/core/v1/zz_generated.model_name.go
@@ -0,0 +1,1212 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AWSElasticBlockStoreVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Affinity) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Affinity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AppArmorProfile) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AppArmorProfile"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AttachedVolume) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AttachedVolume"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AvoidPods) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AvoidPods"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AzureDiskVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AzureDiskVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AzureFilePersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AzureFilePersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AzureFileVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.AzureFileVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Binding) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Binding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CSIPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CSIVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Capabilities) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Capabilities"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CephFSPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CephFSPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CephFSVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CephFSVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CinderPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CinderPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CinderVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.CinderVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClientIPConfig) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ClientIPConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterTrustBundleProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ClusterTrustBundleProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ComponentCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ComponentCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ComponentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ComponentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ComponentStatusList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ComponentStatusList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMap) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMap"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapEnvSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapEnvSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapKeySelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapKeySelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapNodeConfigSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapNodeConfigSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConfigMapVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ConfigMapVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Container) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Container"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerExtendedResourceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerExtendedResourceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerImage) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerImage"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerPort) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerResizePolicy) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerResizePolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerRestartRule) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerRestartRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerRestartRuleOnExitCodes) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerRestartRuleOnExitCodes"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerState) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerState"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerStateRunning) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerStateRunning"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerStateTerminated) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerStateTerminated"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerStateWaiting) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerStateWaiting"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerUser) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ContainerUser"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonEndpoint) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.DaemonEndpoint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DownwardAPIProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.DownwardAPIProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DownwardAPIVolumeFile) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.DownwardAPIVolumeFile"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DownwardAPIVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.DownwardAPIVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EmptyDirVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EmptyDirVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointAddress) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EndpointAddress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointPort) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EndpointPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSubset) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EndpointSubset"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Endpoints) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Endpoints"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointsList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EndpointsList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EnvFromSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EnvFromSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EnvVar) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EnvVar"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EnvVarSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EnvVarSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EphemeralContainer) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EphemeralContainer"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EphemeralContainerCommon) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EphemeralContainerCommon"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EphemeralVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EphemeralVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Event) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Event"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EventList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventSeries) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EventSeries"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.EventSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecAction) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ExecAction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FCVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.FCVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FileKeySelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.FileKeySelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlexPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.FlexPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlexVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.FlexVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlockerVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.FlockerVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GCEPersistentDiskVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GRPCAction) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.GRPCAction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GitRepoVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.GitRepoVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GlusterfsPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GlusterfsVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.GlusterfsVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPGetAction) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.HTTPGetAction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPHeader) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.HTTPHeader"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HostAlias) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.HostAlias"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HostIP) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.HostIP"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HostPathVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.HostPathVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ISCSIPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ISCSIPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ISCSIVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ISCSIVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ImageVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KeyToPath) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.KeyToPath"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Lifecycle) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Lifecycle"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LifecycleHandler) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LifecycleHandler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitRange) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LimitRange"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitRangeItem) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LimitRangeItem"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitRangeList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LimitRangeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitRangeSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LimitRangeSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LinuxContainerUser) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LinuxContainerUser"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in List) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.List"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LoadBalancerIngress) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LoadBalancerIngress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LoadBalancerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LoadBalancerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LocalObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LocalObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LocalVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.LocalVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ModifyVolumeStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ModifyVolumeStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NFSVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NFSVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Namespace) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Namespace"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamespaceCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NamespaceCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamespaceList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NamespaceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamespaceSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NamespaceSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamespaceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NamespaceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Node) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Node"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeAddress) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeAddress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeAffinity) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeAffinity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeConfigSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeConfigSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeConfigStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeConfigStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeDaemonEndpoints) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeDaemonEndpoints"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeFeatures) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeFeatures"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeProxyOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeProxyOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeRuntimeHandler) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeRuntimeHandler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeRuntimeHandlerFeatures) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeRuntimeHandlerFeatures"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSelectorRequirement) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSelectorRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSelectorTerm) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSelectorTerm"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSwapStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSwapStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeSystemInfo) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.NodeSystemInfo"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectFieldSelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ObjectFieldSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolume) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolume"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaim) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimTemplate) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimTemplate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeClaimVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PersistentVolumeStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PhotonPersistentDiskVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Pod) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Pod"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodAffinity) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodAffinity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodAffinityTerm) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodAffinityTerm"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodAntiAffinity) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodAntiAffinity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodAttachOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodAttachOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCertificateProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodCertificateProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDNSConfig) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodDNSConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDNSConfigOption) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodDNSConfigOption"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodExecOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodExecOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodExtendedResourceClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodExtendedResourceClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodIP) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodIP"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodLogOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodLogOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodOS) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodOS"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodPortForwardOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodPortForwardOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodProxyOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodProxyOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodReadinessGate) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodReadinessGate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodResourceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodResourceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodResourceClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodResourceClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodSchedulingGate) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodSchedulingGate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodSecurityContext) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodSecurityContext"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodSignature) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodSignature"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodStatusResult) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodStatusResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodTemplate) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodTemplate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodTemplateList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodTemplateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PodTemplateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PortStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PortStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PortworxVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PortworxVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Preconditions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Preconditions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PreferAvoidPodsEntry) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PreferAvoidPodsEntry"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PreferredSchedulingTerm) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.PreferredSchedulingTerm"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Probe) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Probe"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ProbeHandler) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ProbeHandler"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ProjectedVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ProjectedVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QuobyteVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.QuobyteVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RBDPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.RBDPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RBDVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.RBDVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RangeAllocation) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.RangeAllocation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationController) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ReplicationController"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationControllerCondition) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ReplicationControllerCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationControllerList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ReplicationControllerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationControllerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ReplicationControllerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationControllerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ReplicationControllerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceFieldSelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceFieldSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceHealth) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceHealth"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceQuota) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceQuota"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceQuotaList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceQuotaList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceQuotaSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceQuotaSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceQuotaStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceQuotaStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceRequirements) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceRequirements"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ResourceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SELinuxOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SELinuxOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleIOPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleIOVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ScaleIOVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScopeSelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ScopeSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScopedResourceSelectorRequirement) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ScopedResourceSelectorRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SeccompProfile) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SeccompProfile"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Secret) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Secret"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretEnvSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretEnvSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretKeySelector) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretKeySelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecretVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecretVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SecurityContext) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SecurityContext"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SerializedReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SerializedReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Service) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Service"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccount) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceAccount"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceAccountList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountTokenProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceAccountTokenProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceList) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServicePort) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServicePort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceProxyOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceProxyOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceSpec) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.ServiceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SessionAffinityConfig) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SessionAffinityConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SleepAction) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.SleepAction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageOSPersistentVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.StorageOSPersistentVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageOSVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.StorageOSVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Sysctl) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Sysctl"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TCPSocketAction) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TCPSocketAction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Taint) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Taint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Toleration) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Toleration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TopologySelectorLabelRequirement) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TopologySelectorLabelRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TopologySelectorTerm) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TopologySelectorTerm"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TopologySpreadConstraint) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TopologySpreadConstraint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypedLocalObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TypedLocalObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypedObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.TypedObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Volume) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.Volume"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeDevice) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeDevice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeMount) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeMount"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeMountStatus) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeMountStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeNodeAffinity) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeNodeAffinity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeProjection) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeProjection"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeResourceRequirements) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeResourceRequirements"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VsphereVirtualDiskVolumeSource) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WeightedPodAffinityTerm) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.WeightedPodAffinityTerm"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WindowsSecurityContextOptions) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.WindowsSecurityContextOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WorkloadReference) OpenAPIModelName() string {
+	return "io.k8s.api.core.v1.WorkloadReference"
+}
diff --git a/staging/src/k8s.io/api/discovery/v1/doc.go b/staging/src/k8s.io/api/discovery/v1/doc.go
index 43e30b7f43213..2f4d40a4e23d0 100644
--- a/staging/src/k8s.io/api/discovery/v1/doc.go
+++ b/staging/src/k8s.io/api/discovery/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.discovery.v1
+
 // +groupName=discovery.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/discovery/v1/generated.pb.go b/staging/src/k8s.io/api/discovery/v1/generated.pb.go
index 443ff8f8f3d66..39c1db71a7a4f 100644
--- a/staging/src/k8s.io/api/discovery/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/discovery/v1/generated.pb.go
@@ -23,329 +23,31 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Endpoint) Reset() { *m = Endpoint{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *EndpointConditions) Reset() { *m = EndpointConditions{} }
 
-func (m *Endpoint) Reset()      { *m = Endpoint{} }
-func (*Endpoint) ProtoMessage() {}
-func (*Endpoint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{0}
-}
-func (m *Endpoint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Endpoint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Endpoint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Endpoint.Merge(m, src)
-}
-func (m *Endpoint) XXX_Size() int {
-	return m.Size()
-}
-func (m *Endpoint) XXX_DiscardUnknown() {
-	xxx_messageInfo_Endpoint.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Endpoint proto.InternalMessageInfo
-
-func (m *EndpointConditions) Reset()      { *m = EndpointConditions{} }
-func (*EndpointConditions) ProtoMessage() {}
-func (*EndpointConditions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{1}
-}
-func (m *EndpointConditions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointConditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointConditions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointConditions.Merge(m, src)
-}
-func (m *EndpointConditions) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointConditions) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointConditions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointConditions proto.InternalMessageInfo
-
-func (m *EndpointHints) Reset()      { *m = EndpointHints{} }
-func (*EndpointHints) ProtoMessage() {}
-func (*EndpointHints) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{2}
-}
-func (m *EndpointHints) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointHints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointHints) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointHints.Merge(m, src)
-}
-func (m *EndpointHints) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointHints) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointHints.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointHints proto.InternalMessageInfo
-
-func (m *EndpointPort) Reset()      { *m = EndpointPort{} }
-func (*EndpointPort) ProtoMessage() {}
-func (*EndpointPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{3}
-}
-func (m *EndpointPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointPort.Merge(m, src)
-}
-func (m *EndpointPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointPort.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointPort proto.InternalMessageInfo
-
-func (m *EndpointSlice) Reset()      { *m = EndpointSlice{} }
-func (*EndpointSlice) ProtoMessage() {}
-func (*EndpointSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{4}
-}
-func (m *EndpointSlice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointSlice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointSlice.Merge(m, src)
-}
-func (m *EndpointSlice) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointSlice) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointSlice.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointSlice proto.InternalMessageInfo
-
-func (m *EndpointSliceList) Reset()      { *m = EndpointSliceList{} }
-func (*EndpointSliceList) ProtoMessage() {}
-func (*EndpointSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{5}
-}
-func (m *EndpointSliceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointSliceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointSliceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointSliceList.Merge(m, src)
-}
-func (m *EndpointSliceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointSliceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointSliceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointSliceList proto.InternalMessageInfo
-
-func (m *ForNode) Reset()      { *m = ForNode{} }
-func (*ForNode) ProtoMessage() {}
-func (*ForNode) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{6}
-}
-func (m *ForNode) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ForNode) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ForNode) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ForNode.Merge(m, src)
-}
-func (m *ForNode) XXX_Size() int {
-	return m.Size()
-}
-func (m *ForNode) XXX_DiscardUnknown() {
-	xxx_messageInfo_ForNode.DiscardUnknown(m)
-}
+func (m *EndpointHints) Reset() { *m = EndpointHints{} }
 
-var xxx_messageInfo_ForNode proto.InternalMessageInfo
-
-func (m *ForZone) Reset()      { *m = ForZone{} }
-func (*ForZone) ProtoMessage() {}
-func (*ForZone) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2237b452324cf77e, []int{7}
-}
-func (m *ForZone) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ForZone) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ForZone) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ForZone.Merge(m, src)
-}
-func (m *ForZone) XXX_Size() int {
-	return m.Size()
-}
-func (m *ForZone) XXX_DiscardUnknown() {
-	xxx_messageInfo_ForZone.DiscardUnknown(m)
-}
+func (m *EndpointPort) Reset() { *m = EndpointPort{} }
 
-var xxx_messageInfo_ForZone proto.InternalMessageInfo
+func (m *EndpointSlice) Reset() { *m = EndpointSlice{} }
 
-func init() {
-	proto.RegisterType((*Endpoint)(nil), "k8s.io.api.discovery.v1.Endpoint")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.discovery.v1.Endpoint.DeprecatedTopologyEntry")
-	proto.RegisterType((*EndpointConditions)(nil), "k8s.io.api.discovery.v1.EndpointConditions")
-	proto.RegisterType((*EndpointHints)(nil), "k8s.io.api.discovery.v1.EndpointHints")
-	proto.RegisterType((*EndpointPort)(nil), "k8s.io.api.discovery.v1.EndpointPort")
-	proto.RegisterType((*EndpointSlice)(nil), "k8s.io.api.discovery.v1.EndpointSlice")
-	proto.RegisterType((*EndpointSliceList)(nil), "k8s.io.api.discovery.v1.EndpointSliceList")
-	proto.RegisterType((*ForNode)(nil), "k8s.io.api.discovery.v1.ForNode")
-	proto.RegisterType((*ForZone)(nil), "k8s.io.api.discovery.v1.ForZone")
-}
+func (m *EndpointSliceList) Reset() { *m = EndpointSliceList{} }
 
-func init() {
-	proto.RegisterFile("k8s.io/api/discovery/v1/generated.proto", fileDescriptor_2237b452324cf77e)
-}
+func (m *ForNode) Reset() { *m = ForNode{} }
 
-var fileDescriptor_2237b452324cf77e = []byte{
-	// 902 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
-	0x14, 0x8e, 0x9b, 0x9a, 0xda, 0xe3, 0x56, 0xec, 0x8e, 0x90, 0x6a, 0x05, 0x64, 0x07, 0xa3, 0x85,
-	0x48, 0x15, 0x0e, 0xad, 0x10, 0x5a, 0x90, 0x38, 0xd4, 0x6c, 0xd9, 0xe5, 0x57, 0xa9, 0x66, 0x7b,
-	0x5a, 0x21, 0x81, 0x6b, 0xbf, 0x3a, 0xa6, 0x8d, 0xc7, 0xf2, 0x4c, 0x22, 0x85, 0x13, 0x17, 0xce,
-	0xf0, 0x9f, 0xf0, 0x1f, 0x70, 0x44, 0x3d, 0xee, 0x8d, 0x3d, 0x59, 0xd4, 0xfc, 0x0b, 0x9c, 0xf6,
-	0x84, 0x66, 0xfc, 0x33, 0xa4, 0x51, 0xf6, 0xe6, 0xf9, 0xe6, 0x7b, 0xdf, 0x7b, 0xf3, 0xcd, 0x7b,
-	0x23, 0xa3, 0xf7, 0xae, 0x1e, 0x32, 0x37, 0xa6, 0x63, 0x3f, 0x8d, 0xc7, 0x61, 0xcc, 0x02, 0x3a,
-	0x87, 0x6c, 0x31, 0x9e, 0x1f, 0x8e, 0x23, 0x48, 0x20, 0xf3, 0x39, 0x84, 0x6e, 0x9a, 0x51, 0x4e,
-	0xf1, 0x7e, 0x49, 0x74, 0xfd, 0x34, 0x76, 0x1b, 0xa2, 0x3b, 0x3f, 0x1c, 0xbc, 0x1f, 0xc5, 0x7c,
-	0x32, 0xbb, 0x70, 0x03, 0x3a, 0x1d, 0x47, 0x34, 0xa2, 0x63, 0xc9, 0xbf, 0x98, 0x5d, 0xca, 0x95,
-	0x5c, 0xc8, 0xaf, 0x52, 0x67, 0xe0, 0x74, 0x12, 0x06, 0x34, 0x83, 0x3b, 0x72, 0x0d, 0x3e, 0x6c,
-	0x39, 0x53, 0x3f, 0x98, 0xc4, 0x89, 0xa8, 0x29, 0xbd, 0x8a, 0x04, 0xc0, 0xc6, 0x53, 0xe0, 0xfe,
-	0x5d, 0x51, 0xe3, 0x75, 0x51, 0xd9, 0x2c, 0xe1, 0xf1, 0x14, 0x56, 0x02, 0x3e, 0xda, 0x14, 0xc0,
-	0x82, 0x09, 0x4c, 0xfd, 0xff, 0xc7, 0x39, 0xff, 0x6e, 0x23, 0xed, 0x24, 0x09, 0x53, 0x1a, 0x27,
-	0x1c, 0x1f, 0x20, 0xdd, 0x0f, 0xc3, 0x0c, 0x18, 0x03, 0x66, 0x2a, 0xc3, 0xfe, 0x48, 0xf7, 0xf6,
-	0x8a, 0xdc, 0xd6, 0x8f, 0x6b, 0x90, 0xb4, 0xfb, 0xf8, 0x7b, 0x84, 0x02, 0x9a, 0x84, 0x31, 0x8f,
-	0x69, 0xc2, 0xcc, 0xad, 0xa1, 0x32, 0x32, 0x8e, 0x0e, 0xdc, 0x35, 0xce, 0xba, 0x75, 0x8e, 0xcf,
-	0x9a, 0x10, 0x0f, 0xdf, 0xe4, 0x76, 0xaf, 0xc8, 0x6d, 0xd4, 0x62, 0xa4, 0x23, 0x89, 0x47, 0x48,
-	0x9b, 0x50, 0xc6, 0x13, 0x7f, 0x0a, 0x66, 0x7f, 0xa8, 0x8c, 0x74, 0x6f, 0xb7, 0xc8, 0x6d, 0xed,
-	0x49, 0x85, 0x91, 0x66, 0x17, 0x9f, 0x21, 0x9d, 0xfb, 0x59, 0x04, 0x9c, 0xc0, 0xa5, 0xb9, 0x2d,
-	0x2b, 0x79, 0xa7, 0x5b, 0x89, 0xb8, 0x1b, 0x51, 0xc4, 0xb7, 0x17, 0x3f, 0x42, 0x20, 0x48, 0x90,
-	0x41, 0x12, 0x40, 0x79, 0xb8, 0xf3, 0x3a, 0x92, 0xb4, 0x22, 0xf8, 0x17, 0x05, 0xe1, 0x10, 0xd2,
-	0x0c, 0x02, 0xe1, 0xd5, 0x39, 0x4d, 0xe9, 0x35, 0x8d, 0x16, 0xa6, 0x3a, 0xec, 0x8f, 0x8c, 0xa3,
-	0x8f, 0x37, 0x9e, 0xd2, 0x7d, 0xb4, 0x12, 0x7b, 0x92, 0xf0, 0x6c, 0xe1, 0x0d, 0xaa, 0x33, 0xe3,
-	0x55, 0x02, 0xb9, 0x23, 0xa1, 0xf0, 0x20, 0xa1, 0x21, 0x9c, 0x0a, 0x0f, 0x5e, 0x6b, 0x3d, 0x38,
-	0xad, 0x30, 0xd2, 0xec, 0xe2, 0xb7, 0xd0, 0xf6, 0x4f, 0x34, 0x01, 0x73, 0x47, 0xb2, 0xb4, 0x22,
-	0xb7, 0xb7, 0x9f, 0xd1, 0x04, 0x88, 0x44, 0xf1, 0x63, 0xa4, 0x4e, 0xe2, 0x84, 0x33, 0x53, 0x93,
-	0xee, 0xbc, 0xbb, 0xf1, 0x04, 0x4f, 0x04, 0xdb, 0xd3, 0x8b, 0xdc, 0x56, 0xe5, 0x27, 0x29, 0xe3,
-	0x07, 0x27, 0x68, 0x7f, 0xcd, 0xd9, 0xf0, 0x3d, 0xd4, 0xbf, 0x82, 0x85, 0xa9, 0x88, 0x02, 0x88,
-	0xf8, 0xc4, 0x6f, 0x20, 0x75, 0xee, 0x5f, 0xcf, 0x40, 0x76, 0x87, 0x4e, 0xca, 0xc5, 0x27, 0x5b,
-	0x0f, 0x15, 0xe7, 0x57, 0x05, 0xe1, 0xd5, 0x96, 0xc0, 0x36, 0x52, 0x33, 0xf0, 0xc3, 0x52, 0x44,
-	0x2b, 0xd3, 0x13, 0x01, 0x90, 0x12, 0xc7, 0x0f, 0xd0, 0x0e, 0x83, 0x6c, 0x1e, 0x27, 0x91, 0xd4,
-	0xd4, 0x3c, 0xa3, 0xc8, 0xed, 0x9d, 0xa7, 0x25, 0x44, 0xea, 0x3d, 0x7c, 0x88, 0x0c, 0x0e, 0xd9,
-	0x34, 0x4e, 0x7c, 0x2e, 0xa8, 0x7d, 0x49, 0x7d, 0xbd, 0xc8, 0x6d, 0xe3, 0xbc, 0x85, 0x49, 0x97,
-	0xe3, 0xfc, 0xae, 0xa0, 0xbd, 0xa5, 0xc3, 0xe3, 0x53, 0xa4, 0x5d, 0xd2, 0x4c, 0x98, 0x58, 0x0e,
-	0x83, 0x71, 0x34, 0x5c, 0x6b, 0xdb, 0xe7, 0x25, 0xd1, 0xbb, 0x57, 0xdd, 0xaf, 0x56, 0x01, 0x8c,
-	0x34, 0x1a, 0x95, 0x9e, 0xb8, 0x3a, 0x31, 0x2e, 0x1b, 0xf5, 0x04, 0x71, 0x49, 0x4f, 0x46, 0x92,
-	0x46, 0xc3, 0xf9, 0x53, 0x41, 0xbb, 0x75, 0xc5, 0x67, 0x34, 0xe3, 0xa2, 0x05, 0xe4, 0xb0, 0x28,
-	0x6d, 0x0b, 0xc8, 0x26, 0x91, 0x28, 0x7e, 0x8c, 0x34, 0x39, 0xf2, 0x01, 0xbd, 0x2e, 0xef, 0xc3,
-	0x3b, 0x10, 0xc2, 0x67, 0x15, 0xf6, 0x32, 0xb7, 0xdf, 0x5c, 0x7d, 0xce, 0xdc, 0x7a, 0x9b, 0x34,
-	0xc1, 0x22, 0x4d, 0x4a, 0x33, 0x2e, 0x5d, 0x55, 0xcb, 0x34, 0x22, 0x3d, 0x91, 0xa8, 0xb0, 0xde,
-	0x4f, 0xd3, 0x3a, 0x4c, 0x4e, 0xa3, 0x5e, 0x5a, 0x7f, 0xdc, 0xc2, 0xa4, 0xcb, 0x71, 0xfe, 0xda,
-	0x6a, 0xad, 0x7f, 0x7a, 0x1d, 0x07, 0x80, 0x7f, 0x40, 0x9a, 0x78, 0x19, 0x43, 0x9f, 0xfb, 0xf2,
-	0x34, 0xc6, 0xd1, 0x07, 0x1d, 0xab, 0x9a, 0x07, 0xce, 0x4d, 0xaf, 0x22, 0x01, 0x30, 0x57, 0xb0,
-	0xdb, 0x09, 0xff, 0x06, 0xb8, 0xdf, 0x3e, 0x2f, 0x2d, 0x46, 0x1a, 0x55, 0xfc, 0x08, 0x19, 0xd5,
-	0x53, 0x76, 0xbe, 0x48, 0xa1, 0x2a, 0xd3, 0xa9, 0x42, 0x8c, 0xe3, 0x76, 0xeb, 0xe5, 0xf2, 0x92,
-	0x74, 0xc3, 0x30, 0x41, 0x3a, 0x54, 0x85, 0xd7, 0x77, 0xfa, 0xf6, 0xc6, 0xd1, 0xf2, 0xee, 0x57,
-	0x69, 0xf4, 0x1a, 0x61, 0xa4, 0x95, 0xc1, 0x5f, 0x22, 0x55, 0x18, 0xc9, 0xcc, 0xbe, 0xd4, 0x7b,
-	0xb0, 0x51, 0x4f, 0x98, 0xef, 0xed, 0x55, 0x9a, 0xaa, 0x58, 0x31, 0x52, 0x4a, 0x38, 0x7f, 0x28,
-	0xe8, 0xfe, 0x92, 0xb3, 0x5f, 0xc7, 0x8c, 0xe3, 0xef, 0x56, 0xdc, 0x75, 0x5f, 0xcd, 0x5d, 0x11,
-	0x2d, 0xbd, 0x6d, 0xda, 0xb2, 0x46, 0x3a, 0xce, 0x7e, 0x85, 0xd4, 0x98, 0xc3, 0xb4, 0xf6, 0x63,
-	0xf3, 0x53, 0x23, 0x0b, 0x6b, 0x0f, 0xf0, 0x85, 0x08, 0x26, 0xa5, 0x86, 0x73, 0x80, 0x76, 0xaa,
-	0xce, 0xc7, 0xc3, 0xa5, 0xee, 0xde, 0xad, 0xe8, 0x9d, 0x0e, 0xaf, 0xc8, 0x62, 0xd8, 0x36, 0x93,
-	0xbd, 0x4f, 0x6f, 0x6e, 0xad, 0xde, 0xf3, 0x5b, 0xab, 0xf7, 0xe2, 0xd6, 0xea, 0xfd, 0x5c, 0x58,
-	0xca, 0x4d, 0x61, 0x29, 0xcf, 0x0b, 0x4b, 0x79, 0x51, 0x58, 0xca, 0xdf, 0x85, 0xa5, 0xfc, 0xf6,
-	0x8f, 0xd5, 0x7b, 0xb6, 0xbf, 0xe6, 0x97, 0xe2, 0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf4, 0xfc,
-	0xbe, 0xad, 0x6c, 0x08, 0x00, 0x00,
-}
+func (m *ForZone) Reset() { *m = ForZone{} }
 
 func (m *Endpoint) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -398,7 +100,7 @@ func (m *Endpoint) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.DeprecatedTopology {
 			keysForDeprecatedTopology = append(keysForDeprecatedTopology, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDeprecatedTopology)
+		sort.Strings(keysForDeprecatedTopology)
 		for iNdEx := len(keysForDeprecatedTopology) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.DeprecatedTopology[string(keysForDeprecatedTopology[iNdEx])]
 			baseI := i
@@ -977,7 +679,7 @@ func (this *Endpoint) String() string {
 	for k := range this.DeprecatedTopology {
 		keysForDeprecatedTopology = append(keysForDeprecatedTopology, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDeprecatedTopology)
+	sort.Strings(keysForDeprecatedTopology)
 	mapStringForDeprecatedTopology := "map[string]string{"
 	for _, k := range keysForDeprecatedTopology {
 		mapStringForDeprecatedTopology += fmt.Sprintf("%v: %v,", k, this.DeprecatedTopology[k])
diff --git a/staging/src/k8s.io/api/discovery/v1/generated.proto b/staging/src/k8s.io/api/discovery/v1/generated.proto
index 569d8a916efd3..97582a1b2a021 100644
--- a/staging/src/k8s.io/api/discovery/v1/generated.proto
+++ b/staging/src/k8s.io/api/discovery/v1/generated.proto
@@ -114,8 +114,6 @@ message EndpointHints {
 
   // forNodes indicates the node(s) this endpoint should be consumed by when
   // using topology aware routing. May contain a maximum of 8 entries.
-  // This is an Alpha feature and is only used when the PreferSameTrafficDistribution
-  // feature gate is enabled.
   // +listType=atomic
   repeated ForNode forNodes = 2;
 }
diff --git a/staging/src/k8s.io/api/discovery/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/discovery/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..9e246b87b8bf3
--- /dev/null
+++ b/staging/src/k8s.io/api/discovery/v1/generated.protomessage.pb.go
@@ -0,0 +1,38 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Endpoint) ProtoMessage() {}
+
+func (*EndpointConditions) ProtoMessage() {}
+
+func (*EndpointHints) ProtoMessage() {}
+
+func (*EndpointPort) ProtoMessage() {}
+
+func (*EndpointSlice) ProtoMessage() {}
+
+func (*EndpointSliceList) ProtoMessage() {}
+
+func (*ForNode) ProtoMessage() {}
+
+func (*ForZone) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/discovery/v1/types.go b/staging/src/k8s.io/api/discovery/v1/types.go
index 6f26953169c4f..ca78ce386963b 100644
--- a/staging/src/k8s.io/api/discovery/v1/types.go
+++ b/staging/src/k8s.io/api/discovery/v1/types.go
@@ -166,8 +166,6 @@ type EndpointHints struct {
 
 	// forNodes indicates the node(s) this endpoint should be consumed by when
 	// using topology aware routing. May contain a maximum of 8 entries.
-	// This is an Alpha feature and is only used when the PreferSameTrafficDistribution
-	// feature gate is enabled.
 	// +listType=atomic
 	ForNodes []ForNode `json:"forNodes,omitempty" protobuf:"bytes,2,name=forNodes"`
 }
diff --git a/staging/src/k8s.io/api/discovery/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/discovery/v1/types_swagger_doc_generated.go
index ac5b853b9e1d9..ba8b0363adad8 100644
--- a/staging/src/k8s.io/api/discovery/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/discovery/v1/types_swagger_doc_generated.go
@@ -57,7 +57,7 @@ func (EndpointConditions) SwaggerDoc() map[string]string {
 var map_EndpointHints = map[string]string{
 	"":         "EndpointHints provides hints describing how an endpoint should be consumed.",
 	"forZones": "forZones indicates the zone(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
-	"forNodes": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+	"forNodes": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
 }
 
 func (EndpointHints) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/discovery/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/discovery/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..2053c56117419
--- /dev/null
+++ b/staging/src/k8s.io/api/discovery/v1/zz_generated.model_name.go
@@ -0,0 +1,62 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Endpoint) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.Endpoint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointConditions) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.EndpointConditions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointHints) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.EndpointHints"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointPort) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.EndpointPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSlice) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.EndpointSlice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSliceList) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.EndpointSliceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ForNode) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.ForNode"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ForZone) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1.ForZone"
+}
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/doc.go b/staging/src/k8s.io/api/discovery/v1beta1/doc.go
index f12087eff1bca..aa5ba7442878f 100644
--- a/staging/src/k8s.io/api/discovery/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/discovery/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.discovery.v1beta1
+
 // +groupName=discovery.k8s.io
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/generated.pb.go b/staging/src/k8s.io/api/discovery/v1beta1/generated.pb.go
index de32577864363..7a7613d01f726 100644
--- a/staging/src/k8s.io/api/discovery/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/discovery/v1beta1/generated.pb.go
@@ -23,327 +23,31 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Endpoint) Reset() { *m = Endpoint{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *EndpointConditions) Reset() { *m = EndpointConditions{} }
 
-func (m *Endpoint) Reset()      { *m = Endpoint{} }
-func (*Endpoint) ProtoMessage() {}
-func (*Endpoint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{0}
-}
-func (m *Endpoint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Endpoint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Endpoint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Endpoint.Merge(m, src)
-}
-func (m *Endpoint) XXX_Size() int {
-	return m.Size()
-}
-func (m *Endpoint) XXX_DiscardUnknown() {
-	xxx_messageInfo_Endpoint.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Endpoint proto.InternalMessageInfo
-
-func (m *EndpointConditions) Reset()      { *m = EndpointConditions{} }
-func (*EndpointConditions) ProtoMessage() {}
-func (*EndpointConditions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{1}
-}
-func (m *EndpointConditions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointConditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointConditions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointConditions.Merge(m, src)
-}
-func (m *EndpointConditions) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointConditions) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointConditions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointConditions proto.InternalMessageInfo
-
-func (m *EndpointHints) Reset()      { *m = EndpointHints{} }
-func (*EndpointHints) ProtoMessage() {}
-func (*EndpointHints) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{2}
-}
-func (m *EndpointHints) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointHints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointHints) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointHints.Merge(m, src)
-}
-func (m *EndpointHints) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointHints) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointHints.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointHints proto.InternalMessageInfo
-
-func (m *EndpointPort) Reset()      { *m = EndpointPort{} }
-func (*EndpointPort) ProtoMessage() {}
-func (*EndpointPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{3}
-}
-func (m *EndpointPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointPort.Merge(m, src)
-}
-func (m *EndpointPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointPort.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointPort proto.InternalMessageInfo
-
-func (m *EndpointSlice) Reset()      { *m = EndpointSlice{} }
-func (*EndpointSlice) ProtoMessage() {}
-func (*EndpointSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{4}
-}
-func (m *EndpointSlice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointSlice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointSlice.Merge(m, src)
-}
-func (m *EndpointSlice) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointSlice) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointSlice.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointSlice proto.InternalMessageInfo
-
-func (m *EndpointSliceList) Reset()      { *m = EndpointSliceList{} }
-func (*EndpointSliceList) ProtoMessage() {}
-func (*EndpointSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{5}
-}
-func (m *EndpointSliceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EndpointSliceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EndpointSliceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EndpointSliceList.Merge(m, src)
-}
-func (m *EndpointSliceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EndpointSliceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EndpointSliceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EndpointSliceList proto.InternalMessageInfo
-
-func (m *ForNode) Reset()      { *m = ForNode{} }
-func (*ForNode) ProtoMessage() {}
-func (*ForNode) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{6}
-}
-func (m *ForNode) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ForNode) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ForNode) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ForNode.Merge(m, src)
-}
-func (m *ForNode) XXX_Size() int {
-	return m.Size()
-}
-func (m *ForNode) XXX_DiscardUnknown() {
-	xxx_messageInfo_ForNode.DiscardUnknown(m)
-}
+func (m *EndpointHints) Reset() { *m = EndpointHints{} }
 
-var xxx_messageInfo_ForNode proto.InternalMessageInfo
-
-func (m *ForZone) Reset()      { *m = ForZone{} }
-func (*ForZone) ProtoMessage() {}
-func (*ForZone) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6555bad15de200e0, []int{7}
-}
-func (m *ForZone) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ForZone) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ForZone) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ForZone.Merge(m, src)
-}
-func (m *ForZone) XXX_Size() int {
-	return m.Size()
-}
-func (m *ForZone) XXX_DiscardUnknown() {
-	xxx_messageInfo_ForZone.DiscardUnknown(m)
-}
+func (m *EndpointPort) Reset() { *m = EndpointPort{} }
 
-var xxx_messageInfo_ForZone proto.InternalMessageInfo
+func (m *EndpointSlice) Reset() { *m = EndpointSlice{} }
 
-func init() {
-	proto.RegisterType((*Endpoint)(nil), "k8s.io.api.discovery.v1beta1.Endpoint")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.discovery.v1beta1.Endpoint.TopologyEntry")
-	proto.RegisterType((*EndpointConditions)(nil), "k8s.io.api.discovery.v1beta1.EndpointConditions")
-	proto.RegisterType((*EndpointHints)(nil), "k8s.io.api.discovery.v1beta1.EndpointHints")
-	proto.RegisterType((*EndpointPort)(nil), "k8s.io.api.discovery.v1beta1.EndpointPort")
-	proto.RegisterType((*EndpointSlice)(nil), "k8s.io.api.discovery.v1beta1.EndpointSlice")
-	proto.RegisterType((*EndpointSliceList)(nil), "k8s.io.api.discovery.v1beta1.EndpointSliceList")
-	proto.RegisterType((*ForNode)(nil), "k8s.io.api.discovery.v1beta1.ForNode")
-	proto.RegisterType((*ForZone)(nil), "k8s.io.api.discovery.v1beta1.ForZone")
-}
+func (m *EndpointSliceList) Reset() { *m = EndpointSliceList{} }
 
-func init() {
-	proto.RegisterFile("k8s.io/api/discovery/v1beta1/generated.proto", fileDescriptor_6555bad15de200e0)
-}
+func (m *ForNode) Reset() { *m = ForNode{} }
 
-var fileDescriptor_6555bad15de200e0 = []byte{
-	// 877 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x56, 0x4f, 0x6f, 0xe4, 0x34,
-	0x1c, 0x9d, 0x74, 0x1a, 0x9a, 0x78, 0x5a, 0xb1, 0x6b, 0x71, 0x18, 0x95, 0x2a, 0x19, 0x05, 0x2d,
-	0x1a, 0x51, 0x48, 0x68, 0xb5, 0x42, 0x2b, 0x38, 0x35, 0xb0, 0xb0, 0x48, 0xcb, 0x6e, 0xe5, 0x56,
-	0x42, 0x5a, 0x71, 0xc0, 0x93, 0xb8, 0x19, 0xd3, 0x26, 0x8e, 0x62, 0x77, 0xa4, 0xb9, 0xf1, 0x0d,
-	0xe0, 0xb3, 0x70, 0xe3, 0x8c, 0x84, 0x7a, 0xdc, 0xe3, 0x9e, 0x22, 0x1a, 0xbe, 0xc5, 0x9e, 0x90,
-	0x1d, 0xe7, 0xcf, 0x30, 0xd0, 0xce, 0x2d, 0x7e, 0x7e, 0xef, 0xfd, 0xfe, 0xd9, 0x56, 0xc0, 0xc7,
-	0x97, 0x4f, 0xb8, 0x4f, 0x59, 0x80, 0x73, 0x1a, 0xc4, 0x94, 0x47, 0x6c, 0x41, 0x8a, 0x65, 0xb0,
-	0x38, 0x9a, 0x11, 0x81, 0x8f, 0x82, 0x84, 0x64, 0xa4, 0xc0, 0x82, 0xc4, 0x7e, 0x5e, 0x30, 0xc1,
-	0xe0, 0x41, 0xcd, 0xf6, 0x71, 0x4e, 0xfd, 0x96, 0xed, 0x6b, 0xf6, 0xfe, 0x27, 0x09, 0x15, 0xf3,
-	0xeb, 0x99, 0x1f, 0xb1, 0x34, 0x48, 0x58, 0xc2, 0x02, 0x25, 0x9a, 0x5d, 0x5f, 0xa8, 0x95, 0x5a,
-	0xa8, 0xaf, 0xda, 0x6c, 0xdf, 0xeb, 0x85, 0x8e, 0x58, 0x41, 0x82, 0xc5, 0x5a, 0xc0, 0xfd, 0xc7,
-	0x1d, 0x27, 0xc5, 0xd1, 0x9c, 0x66, 0x32, 0xbb, 0xfc, 0x32, 0x91, 0x00, 0x0f, 0x52, 0x22, 0xf0,
-	0x7f, 0xa9, 0x82, 0xff, 0x53, 0x15, 0xd7, 0x99, 0xa0, 0x29, 0x59, 0x13, 0x7c, 0x76, 0x9f, 0x80,
-	0x47, 0x73, 0x92, 0xe2, 0x7f, 0xeb, 0xbc, 0xdf, 0xb6, 0x81, 0xf5, 0x34, 0x8b, 0x73, 0x46, 0x33,
-	0x01, 0x0f, 0x81, 0x8d, 0xe3, 0xb8, 0x20, 0x9c, 0x13, 0x3e, 0x36, 0x26, 0xc3, 0xa9, 0x1d, 0xee,
-	0x55, 0xa5, 0x6b, 0x9f, 0x34, 0x20, 0xea, 0xf6, 0x61, 0x0c, 0x40, 0xc4, 0xb2, 0x98, 0x0a, 0xca,
-	0x32, 0x3e, 0xde, 0x9a, 0x18, 0xd3, 0xd1, 0xf1, 0xa7, 0xfe, 0x5d, 0xed, 0xf5, 0x9b, 0x40, 0x5f,
-	0xb6, 0xba, 0x10, 0xde, 0x94, 0xee, 0xa0, 0x2a, 0x5d, 0xd0, 0x61, 0xa8, 0xe7, 0x0b, 0xa7, 0xc0,
-	0x9a, 0x33, 0x2e, 0x32, 0x9c, 0x92, 0xf1, 0x70, 0x62, 0x4c, 0xed, 0x70, 0xb7, 0x2a, 0x5d, 0xeb,
-	0x99, 0xc6, 0x50, 0xbb, 0x0b, 0x4f, 0x81, 0x2d, 0x70, 0x91, 0x10, 0x81, 0xc8, 0xc5, 0x78, 0x5b,
-	0xa5, 0xf3, 0x41, 0x3f, 0x1d, 0x39, 0x20, 0x7f, 0x71, 0xe4, 0xbf, 0x9c, 0xfd, 0x44, 0x22, 0x49,
-	0x22, 0x05, 0xc9, 0x22, 0x52, 0x57, 0x78, 0xde, 0x28, 0x51, 0x67, 0x02, 0x67, 0xc0, 0x12, 0x2c,
-	0x67, 0x57, 0x2c, 0x59, 0x8e, 0xcd, 0xc9, 0x70, 0x3a, 0x3a, 0x7e, 0xbc, 0x59, 0x7d, 0xfe, 0xb9,
-	0x96, 0x3d, 0xcd, 0x44, 0xb1, 0x0c, 0x1f, 0xe8, 0x1a, 0xad, 0x06, 0x46, 0xad, 0xaf, 0xac, 0x2f,
-	0x63, 0x31, 0x79, 0x21, 0xeb, 0x7b, 0xa7, 0xab, 0xef, 0x85, 0xc6, 0x50, 0xbb, 0x0b, 0x9f, 0x03,
-	0x73, 0x4e, 0x33, 0xc1, 0xc7, 0x3b, 0xaa, 0xb6, 0xc3, 0xcd, 0x52, 0x79, 0x26, 0x25, 0xa1, 0x5d,
-	0x95, 0xae, 0xa9, 0x3e, 0x51, 0x6d, 0xb2, 0xff, 0x05, 0xd8, 0x5b, 0x49, 0x12, 0x3e, 0x00, 0xc3,
-	0x4b, 0xb2, 0x1c, 0x1b, 0x32, 0x07, 0x24, 0x3f, 0xe1, 0x7b, 0xc0, 0x5c, 0xe0, 0xab, 0x6b, 0xa2,
-	0x66, 0x6b, 0xa3, 0x7a, 0xf1, 0xf9, 0xd6, 0x13, 0xc3, 0xfb, 0xc5, 0x00, 0x70, 0x7d, 0x96, 0xd0,
-	0x05, 0x66, 0x41, 0x70, 0x5c, 0x9b, 0x58, 0x75, 0x50, 0x24, 0x01, 0x54, 0xe3, 0xf0, 0x11, 0xd8,
-	0xe1, 0xa4, 0x58, 0xd0, 0x2c, 0x51, 0x9e, 0x56, 0x38, 0xaa, 0x4a, 0x77, 0xe7, 0xac, 0x86, 0x50,
-	0xb3, 0x07, 0x8f, 0xc0, 0x48, 0x90, 0x22, 0xa5, 0x19, 0x16, 0x92, 0x3a, 0x54, 0xd4, 0x77, 0xab,
-	0xd2, 0x1d, 0x9d, 0x77, 0x30, 0xea, 0x73, 0xbc, 0xdf, 0x0d, 0xb0, 0xb7, 0x52, 0x32, 0x3c, 0x03,
-	0xd6, 0x05, 0x2b, 0x5e, 0xb1, 0x4c, 0x1f, 0xe5, 0xd1, 0xf1, 0xa3, 0xbb, 0x3b, 0xf6, 0x75, 0xcd,
-	0xee, 0xa6, 0xa5, 0x01, 0x8e, 0x5a, 0x23, 0x6d, 0x2a, 0x87, 0x23, 0x4f, 0xfc, 0x66, 0xa6, 0x92,
-	0xbd, 0x62, 0xaa, 0xe4, 0xa8, 0x35, 0xf2, 0xfe, 0x34, 0xc0, 0x6e, 0x93, 0xfb, 0x29, 0x2b, 0x04,
-	0x3c, 0x00, 0xdb, 0xea, 0xbc, 0xab, 0x59, 0x84, 0x56, 0x55, 0xba, 0xdb, 0xea, 0x2c, 0x28, 0x14,
-	0x7e, 0x03, 0x2c, 0x75, 0x75, 0x23, 0x76, 0x55, 0x4f, 0x26, 0x3c, 0x94, 0xc6, 0xa7, 0x1a, 0x7b,
-	0x5b, 0xba, 0xef, 0xaf, 0x3f, 0x4b, 0x7e, 0xb3, 0x8d, 0x5a, 0xb1, 0x0c, 0x93, 0xb3, 0x42, 0xa8,
-	0xfe, 0x9a, 0x75, 0x18, 0x19, 0x1e, 0x29, 0x54, 0x0e, 0x01, 0xe7, 0x79, 0x23, 0x53, 0x17, 0xca,
-	0xae, 0x87, 0x70, 0xd2, 0xc1, 0xa8, 0xcf, 0xf1, 0x6e, 0xb7, 0xba, 0x21, 0x9c, 0x5d, 0xd1, 0x88,
-	0xc0, 0x1f, 0x81, 0x25, 0x5f, 0xb8, 0x18, 0x0b, 0xac, 0xaa, 0x59, 0x7d, 0x21, 0xda, 0x87, 0xca,
-	0xcf, 0x2f, 0x13, 0x09, 0x70, 0x5f, 0xb2, 0xbb, 0x4b, 0xfa, 0x1d, 0x11, 0xb8, 0x7b, 0x21, 0x3a,
-	0x0c, 0xb5, 0xae, 0xf0, 0x2b, 0x30, 0xd2, 0x4f, 0xd2, 0xf9, 0x32, 0x27, 0x3a, 0x4d, 0x4f, 0x4b,
-	0x46, 0x27, 0xdd, 0xd6, 0xdb, 0xd5, 0x25, 0xea, 0xcb, 0xe0, 0xf7, 0xc0, 0x26, 0x3a, 0xf1, 0x66,
-	0xb0, 0x1f, 0x6e, 0x76, 0xbf, 0xc2, 0x87, 0x3a, 0x96, 0xdd, 0x20, 0x1c, 0x75, 0x5e, 0xf0, 0x25,
-	0x30, 0x65, 0x37, 0xf9, 0x78, 0xa8, 0x4c, 0x3f, 0xda, 0xcc, 0x54, 0x8e, 0x21, 0xdc, 0xd3, 0xc6,
-	0xa6, 0x5c, 0x71, 0x54, 0xfb, 0x78, 0x7f, 0x18, 0xe0, 0xe1, 0x4a, 0x8f, 0x9f, 0x53, 0x2e, 0xe0,
-	0x0f, 0x6b, 0x7d, 0xf6, 0x37, 0xeb, 0xb3, 0x54, 0xab, 0x2e, 0xb7, 0x07, 0xb4, 0x41, 0x7a, 0x3d,
-	0x3e, 0x05, 0x26, 0x15, 0x24, 0x6d, 0x3a, 0xb3, 0xe1, 0xcb, 0xa3, 0xb2, 0xeb, 0xaa, 0xf8, 0x56,
-	0x3a, 0xa0, 0xda, 0xc8, 0x3b, 0x04, 0x3b, 0xfa, 0x22, 0xc0, 0xc9, 0xca, 0x61, 0xdf, 0xd5, 0xf4,
-	0xde, 0x81, 0xd7, 0x64, 0x79, 0x01, 0xef, 0x27, 0x87, 0xe1, 0xcd, 0xad, 0x33, 0x78, 0x7d, 0xeb,
-	0x0c, 0xde, 0xdc, 0x3a, 0x83, 0x9f, 0x2b, 0xc7, 0xb8, 0xa9, 0x1c, 0xe3, 0x75, 0xe5, 0x18, 0x6f,
-	0x2a, 0xc7, 0xf8, 0xab, 0x72, 0x8c, 0x5f, 0xff, 0x76, 0x06, 0xaf, 0x0e, 0xee, 0xfa, 0x67, 0xf8,
-	0x27, 0x00, 0x00, 0xff, 0xff, 0x76, 0x8e, 0x48, 0x7e, 0x52, 0x08, 0x00, 0x00,
-}
+func (m *ForZone) Reset() { *m = ForZone{} }
 
 func (m *Endpoint) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -389,7 +93,7 @@ func (m *Endpoint) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Topology {
 			keysForTopology = append(keysForTopology, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForTopology)
+		sort.Strings(keysForTopology)
 		for iNdEx := len(keysForTopology) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Topology[string(keysForTopology[iNdEx])]
 			baseI := i
@@ -964,7 +668,7 @@ func (this *Endpoint) String() string {
 	for k := range this.Topology {
 		keysForTopology = append(keysForTopology, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForTopology)
+	sort.Strings(keysForTopology)
 	mapStringForTopology := "map[string]string{"
 	for _, k := range keysForTopology {
 		mapStringForTopology += fmt.Sprintf("%v: %v,", k, this.Topology[k])
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/generated.proto b/staging/src/k8s.io/api/discovery/v1beta1/generated.proto
index 907050da1c5ba..7b9d983b831a8 100644
--- a/staging/src/k8s.io/api/discovery/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/discovery/v1beta1/generated.proto
@@ -117,8 +117,6 @@ message EndpointHints {
 
   // forNodes indicates the node(s) this endpoint should be consumed by when
   // using topology aware routing. May contain a maximum of 8 entries.
-  // This is an Alpha feature and is only used when the PreferSameTrafficDistribution
-  // feature gate is enabled.
   // +listType=atomic
   repeated ForNode forNodes = 2;
 }
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..6e60bb139e7f1
--- /dev/null
+++ b/staging/src/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,38 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*Endpoint) ProtoMessage() {}
+
+func (*EndpointConditions) ProtoMessage() {}
+
+func (*EndpointHints) ProtoMessage() {}
+
+func (*EndpointPort) ProtoMessage() {}
+
+func (*EndpointSlice) ProtoMessage() {}
+
+func (*EndpointSliceList) ProtoMessage() {}
+
+func (*ForNode) ProtoMessage() {}
+
+func (*ForZone) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/types.go b/staging/src/k8s.io/api/discovery/v1beta1/types.go
index fa9d1eae43bac..11ec1b3968a88 100644
--- a/staging/src/k8s.io/api/discovery/v1beta1/types.go
+++ b/staging/src/k8s.io/api/discovery/v1beta1/types.go
@@ -164,8 +164,6 @@ type EndpointHints struct {
 
 	// forNodes indicates the node(s) this endpoint should be consumed by when
 	// using topology aware routing. May contain a maximum of 8 entries.
-	// This is an Alpha feature and is only used when the PreferSameTrafficDistribution
-	// feature gate is enabled.
 	// +listType=atomic
 	ForNodes []ForNode `json:"forNodes,omitempty" protobuf:"bytes,2,name=forNodes"`
 }
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.go
index 72aa0cb9b220e..acc838378475e 100644
--- a/staging/src/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.go
@@ -56,7 +56,7 @@ func (EndpointConditions) SwaggerDoc() map[string]string {
 var map_EndpointHints = map[string]string{
 	"":         "EndpointHints provides hints describing how an endpoint should be consumed.",
 	"forZones": "forZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing. May contain a maximum of 8 entries.",
-	"forNodes": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the PreferSameTrafficDistribution feature gate is enabled.",
+	"forNodes": "forNodes indicates the node(s) this endpoint should be consumed by when using topology aware routing. May contain a maximum of 8 entries.",
 }
 
 func (EndpointHints) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/discovery/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/discovery/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..531c6672da82c
--- /dev/null
+++ b/staging/src/k8s.io/api/discovery/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,62 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Endpoint) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.Endpoint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointConditions) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.EndpointConditions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointHints) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.EndpointHints"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointPort) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.EndpointPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSlice) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.EndpointSlice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSliceList) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.EndpointSliceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ForNode) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.ForNode"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ForZone) OpenAPIModelName() string {
+	return "io.k8s.api.discovery.v1beta1.ForZone"
+}
diff --git a/staging/src/k8s.io/api/events/v1/doc.go b/staging/src/k8s.io/api/events/v1/doc.go
index 911639044f8c7..49e9733f4680e 100644
--- a/staging/src/k8s.io/api/events/v1/doc.go
+++ b/staging/src/k8s.io/api/events/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.events.v1
+
 // +groupName=events.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/events/v1/generated.pb.go b/staging/src/k8s.io/api/events/v1/generated.pb.go
index 96a6047e86022..82d88d95b1708 100644
--- a/staging/src/k8s.io/api/events/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/events/v1/generated.pb.go
@@ -24,171 +24,18 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v11 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Event) Reset() { *m = Event{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *EventList) Reset() { *m = EventList{} }
 
-func (m *Event) Reset()      { *m = Event{} }
-func (*Event) ProtoMessage() {}
-func (*Event) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d3a3e1495c224e47, []int{0}
-}
-func (m *Event) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Event) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Event) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Event.Merge(m, src)
-}
-func (m *Event) XXX_Size() int {
-	return m.Size()
-}
-func (m *Event) XXX_DiscardUnknown() {
-	xxx_messageInfo_Event.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Event proto.InternalMessageInfo
-
-func (m *EventList) Reset()      { *m = EventList{} }
-func (*EventList) ProtoMessage() {}
-func (*EventList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d3a3e1495c224e47, []int{1}
-}
-func (m *EventList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventList.Merge(m, src)
-}
-func (m *EventList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventList proto.InternalMessageInfo
-
-func (m *EventSeries) Reset()      { *m = EventSeries{} }
-func (*EventSeries) ProtoMessage() {}
-func (*EventSeries) Descriptor() ([]byte, []int) {
-	return fileDescriptor_d3a3e1495c224e47, []int{2}
-}
-func (m *EventSeries) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventSeries) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventSeries) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventSeries.Merge(m, src)
-}
-func (m *EventSeries) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventSeries) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventSeries.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventSeries proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Event)(nil), "k8s.io.api.events.v1.Event")
-	proto.RegisterType((*EventList)(nil), "k8s.io.api.events.v1.EventList")
-	proto.RegisterType((*EventSeries)(nil), "k8s.io.api.events.v1.EventSeries")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/events/v1/generated.proto", fileDescriptor_d3a3e1495c224e47)
-}
-
-var fileDescriptor_d3a3e1495c224e47 = []byte{
-	// 759 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x4f, 0x4f, 0xdb, 0x48,
-	0x14, 0x8f, 0x81, 0x04, 0x32, 0xe1, 0x4f, 0x18, 0x90, 0x98, 0x05, 0xc9, 0xc9, 0x86, 0xd5, 0x2a,
-	0x5a, 0x69, 0xed, 0x05, 0xad, 0x56, 0xab, 0x3d, 0x2d, 0x26, 0xec, 0x8a, 0x0a, 0x8a, 0x34, 0x70,
-	0xaa, 0x7a, 0x60, 0xe2, 0x3c, 0x8c, 0x4b, 0xec, 0xb1, 0xc6, 0x93, 0x48, 0xdc, 0x7a, 0xa9, 0xd4,
-	0x63, 0xbf, 0x40, 0x3f, 0x40, 0xd5, 0x2f, 0xc2, 0x91, 0x23, 0xa7, 0xa8, 0xb8, 0x5f, 0xa4, 0xf2,
-	0xd8, 0x89, 0x43, 0xfe, 0xb4, 0xa9, 0x7a, 0xf3, 0xbc, 0xf7, 0xfb, 0xf3, 0xde, 0xcc, 0xcb, 0x0b,
-	0xfa, 0xe5, 0xe6, 0xef, 0xd0, 0x70, 0xb9, 0xc9, 0x02, 0xd7, 0x84, 0x2e, 0xf8, 0x32, 0x34, 0xbb,
-	0x7b, 0xa6, 0x03, 0x3e, 0x08, 0x26, 0xa1, 0x65, 0x04, 0x82, 0x4b, 0x8e, 0x37, 0x13, 0x94, 0xc1,
-	0x02, 0xd7, 0x48, 0x50, 0x46, 0x77, 0x6f, 0xfb, 0x77, 0xc7, 0x95, 0xd7, 0x9d, 0xa6, 0x61, 0x73,
-	0xcf, 0x74, 0xb8, 0xc3, 0x4d, 0x05, 0x6e, 0x76, 0xae, 0xd4, 0x49, 0x1d, 0xd4, 0x57, 0x22, 0xb2,
-	0x5d, 0x1b, 0xb2, 0xb2, 0xb9, 0x80, 0x09, 0x46, 0xdb, 0x7f, 0x66, 0x18, 0x8f, 0xd9, 0xd7, 0xae,
-	0x0f, 0xe2, 0xd6, 0x0c, 0x6e, 0x9c, 0x38, 0x10, 0x9a, 0x1e, 0x48, 0x36, 0x89, 0x65, 0x4e, 0x63,
-	0x89, 0x8e, 0x2f, 0x5d, 0x0f, 0xc6, 0x08, 0x7f, 0x7d, 0x8b, 0x10, 0xda, 0xd7, 0xe0, 0xb1, 0x51,
-	0x5e, 0xed, 0x7d, 0x11, 0xe5, 0x8f, 0xe2, 0xfe, 0xf1, 0x25, 0x5a, 0x8a, 0xab, 0x69, 0x31, 0xc9,
-	0x88, 0x56, 0xd5, 0xea, 0xa5, 0xfd, 0x3f, 0x8c, 0xec, 0x92, 0x06, 0xa2, 0x46, 0x70, 0xe3, 0xc4,
-	0x81, 0xd0, 0x88, 0xd1, 0x46, 0x77, 0xcf, 0x38, 0x6b, 0xbe, 0x02, 0x5b, 0x9e, 0x82, 0x64, 0x16,
-	0xbe, 0xeb, 0x55, 0x72, 0x51, 0xaf, 0x82, 0xb2, 0x18, 0x1d, 0xa8, 0xe2, 0x4b, 0x54, 0x54, 0x57,
-	0x7d, 0xe1, 0x7a, 0x40, 0xe6, 0x94, 0x85, 0x39, 0x9b, 0xc5, 0xa9, 0x6b, 0x0b, 0x1e, 0xd3, 0xac,
-	0xf5, 0xd4, 0xa1, 0x78, 0xd4, 0x57, 0xa2, 0x99, 0x28, 0x3e, 0x42, 0x85, 0x10, 0x84, 0x0b, 0x21,
-	0x99, 0x57, 0xf2, 0x3f, 0x1b, 0x93, 0x9e, 0xd9, 0x50, 0xdc, 0x73, 0x05, 0xb4, 0x50, 0xd4, 0xab,
-	0x14, 0x92, 0x6f, 0x9a, 0x92, 0xf1, 0x29, 0xda, 0x10, 0x10, 0x70, 0x21, 0x5d, 0xdf, 0x39, 0xe4,
-	0xbe, 0x14, 0xbc, 0xdd, 0x06, 0x41, 0x16, 0xaa, 0x5a, 0xbd, 0x68, 0xed, 0xa4, 0x15, 0x6c, 0xd0,
-	0x71, 0x08, 0x9d, 0xc4, 0xc3, 0xff, 0xa3, 0xf5, 0x41, 0xf8, 0xd8, 0x0f, 0x25, 0xf3, 0x6d, 0x20,
-	0x79, 0x25, 0xf6, 0x53, 0x2a, 0xb6, 0x4e, 0x47, 0x01, 0x74, 0x9c, 0x83, 0x7f, 0x45, 0x05, 0x66,
-	0x4b, 0x97, 0xfb, 0xa4, 0xa0, 0xd8, 0xab, 0x29, 0xbb, 0x70, 0xa0, 0xa2, 0x34, 0xcd, 0xc6, 0x38,
-	0x01, 0x2c, 0xe4, 0x3e, 0x59, 0x7c, 0x8a, 0xa3, 0x2a, 0x4a, 0xd3, 0x2c, 0xbe, 0x40, 0x45, 0x01,
-	0x0e, 0x13, 0x2d, 0xd7, 0x77, 0xc8, 0x92, 0xba, 0xb1, 0xdd, 0xe1, 0x1b, 0x8b, 0x67, 0x3a, 0x7b,
-	0x61, 0x0a, 0x57, 0x20, 0xc0, 0xb7, 0x87, 0x1e, 0x81, 0xf6, 0xd9, 0x34, 0x13, 0xc2, 0xcf, 0xd0,
-	0xa2, 0x80, 0x76, 0x3c, 0x63, 0xa4, 0x38, 0xbb, 0x66, 0x29, 0xea, 0x55, 0x16, 0x69, 0xc2, 0xa3,
-	0x7d, 0x01, 0x5c, 0x45, 0x0b, 0x3e, 0x97, 0x40, 0x90, 0xea, 0x63, 0x39, 0xf5, 0x5d, 0x78, 0xce,
-	0x25, 0x50, 0x95, 0x89, 0x11, 0xf2, 0x36, 0x00, 0x52, 0x7a, 0x8a, 0xb8, 0xb8, 0x0d, 0x80, 0xaa,
-	0x0c, 0x06, 0x54, 0x6e, 0x41, 0x20, 0xc0, 0x8e, 0x15, 0xcf, 0x79, 0x47, 0xd8, 0x40, 0x96, 0x55,
-	0x61, 0x95, 0x49, 0x85, 0x25, 0xc3, 0xa1, 0x60, 0x16, 0x49, 0xe5, 0xca, 0x8d, 0x11, 0x01, 0x3a,
-	0x26, 0x89, 0xdf, 0x6a, 0x88, 0x64, 0xc1, 0xff, 0x5c, 0x11, 0xaa, 0x99, 0x0c, 0x25, 0xf3, 0x02,
-	0xb2, 0xa2, 0xfc, 0x7e, 0x9b, 0x6d, 0xda, 0xd5, 0xa0, 0x57, 0x53, 0x6b, 0xd2, 0x98, 0xa2, 0x49,
-	0xa7, 0xba, 0xe1, 0x37, 0x1a, 0xda, 0xca, 0x92, 0x27, 0x6c, 0xb8, 0x92, 0xd5, 0xef, 0xae, 0xa4,
-	0x92, 0x56, 0xb2, 0xd5, 0x98, 0x2c, 0x49, 0xa7, 0x79, 0xe1, 0x03, 0xb4, 0x96, 0xa5, 0x0e, 0x79,
-	0xc7, 0x97, 0x64, 0xad, 0xaa, 0xd5, 0xf3, 0xd6, 0x56, 0x2a, 0xb9, 0xd6, 0x78, 0x9a, 0xa6, 0xa3,
-	0xf8, 0xda, 0x47, 0x0d, 0x25, 0x3f, 0xf5, 0x13, 0x37, 0x94, 0xf8, 0xe5, 0xd8, 0x8e, 0x32, 0x66,
-	0x6b, 0x24, 0x66, 0xab, 0x0d, 0x55, 0x4e, 0x9d, 0x97, 0xfa, 0x91, 0xa1, 0xfd, 0xf4, 0x2f, 0xca,
-	0xbb, 0x12, 0xbc, 0x90, 0xcc, 0x55, 0xe7, 0xeb, 0xa5, 0xfd, 0x9d, 0xaf, 0x2c, 0x0f, 0x6b, 0x25,
-	0xd5, 0xc9, 0x1f, 0xc7, 0x0c, 0x9a, 0x10, 0x6b, 0x1f, 0x34, 0x54, 0x1a, 0x5a, 0x2e, 0x78, 0x17,
-	0xe5, 0x6d, 0xd5, 0xb6, 0xa6, 0xda, 0x1e, 0x90, 0x92, 0x66, 0x93, 0x1c, 0xee, 0xa0, 0x72, 0x9b,
-	0x85, 0xf2, 0xac, 0x19, 0x82, 0xe8, 0x42, 0xeb, 0x47, 0xb6, 0xe3, 0x60, 0x5e, 0x4f, 0x46, 0x04,
-	0xe9, 0x98, 0x85, 0xf5, 0xcf, 0xdd, 0xa3, 0x9e, 0xbb, 0x7f, 0xd4, 0x73, 0x0f, 0x8f, 0x7a, 0xee,
-	0x75, 0xa4, 0x6b, 0x77, 0x91, 0xae, 0xdd, 0x47, 0xba, 0xf6, 0x10, 0xe9, 0xda, 0xa7, 0x48, 0xd7,
-	0xde, 0x7d, 0xd6, 0x73, 0x2f, 0x36, 0x27, 0xfd, 0x9b, 0x7e, 0x09, 0x00, 0x00, 0xff, 0xff, 0x6f,
-	0x4f, 0x7a, 0xe4, 0x64, 0x07, 0x00, 0x00,
-}
+func (m *EventSeries) Reset() { *m = EventSeries{} }
 
 func (m *Event) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/events/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/events/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..09ff231dac6d1
--- /dev/null
+++ b/staging/src/k8s.io/api/events/v1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Event) ProtoMessage() {}
+
+func (*EventList) ProtoMessage() {}
+
+func (*EventSeries) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/events/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/events/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..ac580c796ac0f
--- /dev/null
+++ b/staging/src/k8s.io/api/events/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Event) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1.Event"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventList) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1.EventList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventSeries) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1.EventSeries"
+}
diff --git a/staging/src/k8s.io/api/events/v1beta1/doc.go b/staging/src/k8s.io/api/events/v1beta1/doc.go
index e4864294fd274..2402303855424 100644
--- a/staging/src/k8s.io/api/events/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/events/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.events.v1beta1
 
 // +groupName=events.k8s.io
 
diff --git a/staging/src/k8s.io/api/events/v1beta1/generated.pb.go b/staging/src/k8s.io/api/events/v1beta1/generated.pb.go
index 5d7881e8c090e..70eee4abf85a4 100644
--- a/staging/src/k8s.io/api/events/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/events/v1beta1/generated.pb.go
@@ -24,171 +24,18 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v11 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Event) Reset() { *m = Event{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *EventList) Reset() { *m = EventList{} }
 
-func (m *Event) Reset()      { *m = Event{} }
-func (*Event) ProtoMessage() {}
-func (*Event) Descriptor() ([]byte, []int) {
-	return fileDescriptor_99027a32dee7673b, []int{0}
-}
-func (m *Event) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Event) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Event) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Event.Merge(m, src)
-}
-func (m *Event) XXX_Size() int {
-	return m.Size()
-}
-func (m *Event) XXX_DiscardUnknown() {
-	xxx_messageInfo_Event.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Event proto.InternalMessageInfo
-
-func (m *EventList) Reset()      { *m = EventList{} }
-func (*EventList) ProtoMessage() {}
-func (*EventList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_99027a32dee7673b, []int{1}
-}
-func (m *EventList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventList.Merge(m, src)
-}
-func (m *EventList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventList proto.InternalMessageInfo
-
-func (m *EventSeries) Reset()      { *m = EventSeries{} }
-func (*EventSeries) ProtoMessage() {}
-func (*EventSeries) Descriptor() ([]byte, []int) {
-	return fileDescriptor_99027a32dee7673b, []int{2}
-}
-func (m *EventSeries) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventSeries) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventSeries) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventSeries.Merge(m, src)
-}
-func (m *EventSeries) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventSeries) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventSeries.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventSeries proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Event)(nil), "k8s.io.api.events.v1beta1.Event")
-	proto.RegisterType((*EventList)(nil), "k8s.io.api.events.v1beta1.EventList")
-	proto.RegisterType((*EventSeries)(nil), "k8s.io.api.events.v1beta1.EventSeries")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/events/v1beta1/generated.proto", fileDescriptor_99027a32dee7673b)
-}
-
-var fileDescriptor_99027a32dee7673b = []byte{
-	// 764 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x95, 0xcf, 0x4f, 0xdb, 0x48,
-	0x14, 0xc7, 0x63, 0x20, 0x81, 0x4c, 0xf8, 0x11, 0x86, 0x03, 0x03, 0x2b, 0x39, 0x51, 0x90, 0x50,
-	0x76, 0xa5, 0xb5, 0x17, 0xb4, 0x5a, 0xed, 0x6d, 0x85, 0x09, 0x5b, 0x81, 0xa0, 0x48, 0x03, 0xa7,
-	0xaa, 0x07, 0x26, 0xce, 0xc3, 0xb8, 0xc4, 0x1e, 0x6b, 0x3c, 0x89, 0xc4, 0xad, 0x97, 0x4a, 0x3d,
-	0xf6, 0x6f, 0xe8, 0xad, 0xb7, 0xfe, 0x19, 0x1c, 0x39, 0x72, 0x8a, 0x8a, 0xfb, 0x8f, 0x54, 0x1e,
-	0x3b, 0x71, 0xc8, 0x0f, 0x91, 0xaa, 0x37, 0xfb, 0xbd, 0xef, 0xf7, 0xf3, 0xde, 0x8c, 0x5f, 0x5e,
-	0xd0, 0xef, 0xb7, 0xff, 0x86, 0x86, 0xcb, 0x4d, 0x16, 0xb8, 0x26, 0x74, 0xc1, 0x97, 0xa1, 0xd9,
-	0xdd, 0x6b, 0x82, 0x64, 0x7b, 0xa6, 0x03, 0x3e, 0x08, 0x26, 0xa1, 0x65, 0x04, 0x82, 0x4b, 0x8e,
-	0xb7, 0x12, 0xa9, 0xc1, 0x02, 0xd7, 0x48, 0xa4, 0x46, 0x2a, 0xdd, 0xfe, 0xd3, 0x71, 0xe5, 0x4d,
-	0xa7, 0x69, 0xd8, 0xdc, 0x33, 0x1d, 0xee, 0x70, 0x53, 0x39, 0x9a, 0x9d, 0x6b, 0xf5, 0xa6, 0x5e,
-	0xd4, 0x53, 0x42, 0xda, 0xae, 0x0d, 0x15, 0xb5, 0xb9, 0x00, 0xb3, 0x3b, 0x56, 0x6d, 0xfb, 0xef,
-	0x4c, 0xe3, 0x31, 0xfb, 0xc6, 0xf5, 0x41, 0xdc, 0x99, 0xc1, 0xad, 0x13, 0x07, 0x42, 0xd3, 0x03,
-	0xc9, 0x26, 0xb9, 0xcc, 0x69, 0x2e, 0xd1, 0xf1, 0xa5, 0xeb, 0xc1, 0x98, 0xe1, 0x9f, 0x97, 0x0c,
-	0xa1, 0x7d, 0x03, 0x1e, 0x1b, 0xf5, 0xd5, 0x3e, 0x17, 0x51, 0xfe, 0x28, 0xbe, 0x04, 0x7c, 0x85,
-	0x96, 0xe2, 0x6e, 0x5a, 0x4c, 0x32, 0xa2, 0x55, 0xb5, 0x7a, 0x69, 0xff, 0x2f, 0x23, 0xbb, 0xa9,
-	0x01, 0xd4, 0x08, 0x6e, 0x9d, 0x38, 0x10, 0x1a, 0xb1, 0xda, 0xe8, 0xee, 0x19, 0xe7, 0xcd, 0x77,
-	0x60, 0xcb, 0x33, 0x90, 0xcc, 0xc2, 0xf7, 0xbd, 0x4a, 0x2e, 0xea, 0x55, 0x50, 0x16, 0xa3, 0x03,
-	0x2a, 0xbe, 0x42, 0x45, 0x75, 0xdf, 0x97, 0xae, 0x07, 0x64, 0x4e, 0x95, 0x30, 0x67, 0x2b, 0x71,
-	0xe6, 0xda, 0x82, 0xc7, 0x36, 0x6b, 0x3d, 0xad, 0x50, 0x3c, 0xea, 0x93, 0x68, 0x06, 0xc5, 0x27,
-	0xa8, 0x10, 0x82, 0x70, 0x21, 0x24, 0xf3, 0x0a, 0xbf, 0x6b, 0x4c, 0xfd, 0xd6, 0x86, 0x02, 0x5c,
-	0x28, 0xb5, 0x85, 0xa2, 0x5e, 0xa5, 0x90, 0x3c, 0xd3, 0x94, 0x80, 0xcf, 0xd0, 0x86, 0x80, 0x80,
-	0x0b, 0xe9, 0xfa, 0xce, 0x21, 0xf7, 0xa5, 0xe0, 0xed, 0x36, 0x08, 0xb2, 0x50, 0xd5, 0xea, 0x45,
-	0xeb, 0xb7, 0xb4, 0x8d, 0x0d, 0x3a, 0x2e, 0xa1, 0x93, 0x7c, 0xf8, 0x15, 0x5a, 0x1f, 0x84, 0x8f,
-	0xfd, 0x50, 0x32, 0xdf, 0x06, 0x92, 0x57, 0xb0, 0xad, 0x14, 0xb6, 0x4e, 0x47, 0x05, 0x74, 0xdc,
-	0x83, 0x77, 0x51, 0x81, 0xd9, 0xd2, 0xe5, 0x3e, 0x29, 0x28, 0xf7, 0x6a, 0xea, 0x2e, 0x1c, 0xa8,
-	0x28, 0x4d, 0xb3, 0xb1, 0x4e, 0x00, 0x0b, 0xb9, 0x4f, 0x16, 0x9f, 0xeb, 0xa8, 0x8a, 0xd2, 0x34,
-	0x8b, 0x2f, 0x51, 0x51, 0x80, 0xc3, 0x44, 0xcb, 0xf5, 0x1d, 0xb2, 0xa4, 0xae, 0x6d, 0x67, 0xf8,
-	0xda, 0xe2, 0xc1, 0xce, 0x3e, 0x33, 0x85, 0x6b, 0x10, 0xe0, 0xdb, 0x43, 0x5f, 0x82, 0xf6, 0xdd,
-	0x34, 0x03, 0xe1, 0x13, 0xb4, 0x28, 0xa0, 0x1d, 0x0f, 0x1a, 0x29, 0xce, 0xce, 0x2c, 0x45, 0xbd,
-	0xca, 0x22, 0x4d, 0x7c, 0xb4, 0x0f, 0xc0, 0x55, 0xb4, 0xe0, 0x73, 0x09, 0x04, 0xa9, 0x73, 0x2c,
-	0xa7, 0x75, 0x17, 0x5e, 0x73, 0x09, 0x54, 0x65, 0x62, 0x85, 0xbc, 0x0b, 0x80, 0x94, 0x9e, 0x2b,
-	0x2e, 0xef, 0x02, 0xa0, 0x2a, 0x83, 0x01, 0x95, 0x5b, 0x10, 0x08, 0xb0, 0x63, 0xe2, 0x05, 0xef,
-	0x08, 0x1b, 0xc8, 0xb2, 0x6a, 0xac, 0x32, 0xa9, 0xb1, 0x64, 0x38, 0x94, 0xcc, 0x22, 0x29, 0xae,
-	0xdc, 0x18, 0x01, 0xd0, 0x31, 0x24, 0xfe, 0xa8, 0x21, 0x92, 0x05, 0xff, 0x77, 0x45, 0xa8, 0x06,
-	0x33, 0x94, 0xcc, 0x0b, 0xc8, 0x8a, 0xaa, 0xf7, 0xc7, 0x6c, 0x23, 0xaf, 0xa6, 0xbd, 0x9a, 0x96,
-	0x26, 0x8d, 0x29, 0x4c, 0x3a, 0xb5, 0x1a, 0xfe, 0xa0, 0xa1, 0xcd, 0x2c, 0x79, 0xca, 0x86, 0x3b,
-	0x59, 0xfd, 0xe9, 0x4e, 0x2a, 0x69, 0x27, 0x9b, 0x8d, 0xc9, 0x48, 0x3a, 0xad, 0x16, 0x3e, 0x40,
-	0x6b, 0x59, 0xea, 0x90, 0x77, 0x7c, 0x49, 0xd6, 0xaa, 0x5a, 0x3d, 0x6f, 0x6d, 0xa6, 0xc8, 0xb5,
-	0xc6, 0xf3, 0x34, 0x1d, 0xd5, 0xd7, 0xbe, 0x6a, 0x28, 0xf9, 0xbd, 0x9f, 0xba, 0xa1, 0xc4, 0x6f,
-	0xc7, 0x16, 0x95, 0x31, 0xdb, 0x41, 0x62, 0xb7, 0x5a, 0x53, 0xe5, 0xb4, 0xf2, 0x52, 0x3f, 0x32,
-	0xb4, 0xa4, 0x8e, 0x50, 0xde, 0x95, 0xe0, 0x85, 0x64, 0xae, 0x3a, 0x5f, 0x2f, 0xed, 0x57, 0x5f,
-	0xda, 0x20, 0xd6, 0x4a, 0x0a, 0xcb, 0x1f, 0xc7, 0x36, 0x9a, 0xb8, 0x6b, 0x5f, 0x34, 0x54, 0x1a,
-	0xda, 0x30, 0x78, 0x07, 0xe5, 0x6d, 0x75, 0x76, 0x4d, 0x9d, 0x7d, 0x60, 0x4a, 0x4e, 0x9c, 0xe4,
-	0x70, 0x07, 0x95, 0xdb, 0x2c, 0x94, 0xe7, 0xcd, 0x10, 0x44, 0x17, 0x5a, 0xbf, 0xb2, 0x27, 0x07,
-	0x43, 0x7b, 0x3a, 0x02, 0xa4, 0x63, 0x25, 0xac, 0xff, 0xee, 0x9f, 0xf4, 0xdc, 0xc3, 0x93, 0x9e,
-	0x7b, 0x7c, 0xd2, 0x73, 0xef, 0x23, 0x5d, 0xbb, 0x8f, 0x74, 0xed, 0x21, 0xd2, 0xb5, 0xc7, 0x48,
-	0xd7, 0xbe, 0x45, 0xba, 0xf6, 0xe9, 0xbb, 0x9e, 0x7b, 0xb3, 0x35, 0xf5, 0x1f, 0xf6, 0x47, 0x00,
-	0x00, 0x00, 0xff, 0xff, 0x2b, 0xc1, 0x64, 0x36, 0x7d, 0x07, 0x00, 0x00,
-}
+func (m *EventSeries) Reset() { *m = EventSeries{} }
 
 func (m *Event) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/events/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/events/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a70924a20dcd1
--- /dev/null
+++ b/staging/src/k8s.io/api/events/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*Event) ProtoMessage() {}
+
+func (*EventList) ProtoMessage() {}
+
+func (*EventSeries) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/events/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/events/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..189a20ad740d4
--- /dev/null
+++ b/staging/src/k8s.io/api/events/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Event) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1beta1.Event"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventList) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1beta1.EventList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventSeries) OpenAPIModelName() string {
+	return "io.k8s.api.events.v1beta1.EventSeries"
+}
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/doc.go b/staging/src/k8s.io/api/extensions/v1beta1/doc.go
index be710973cb932..bf39ca3e1e70d 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.extensions.v1beta1
 // +k8s:validation-gen=TypeMeta
 // +k8s:validation-gen-input=k8s.io/api/extensions/v1beta1
 
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
index 35b9a4ff2aa78..ca9477394f4f1 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go
@@ -23,14 +23,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -38,1514 +36,95 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *DaemonSet) Reset() { *m = DaemonSet{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *DaemonSetCondition) Reset() { *m = DaemonSetCondition{} }
 
-func (m *DaemonSet) Reset()      { *m = DaemonSet{} }
-func (*DaemonSet) ProtoMessage() {}
-func (*DaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{0}
-}
-func (m *DaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSet.Merge(m, src)
-}
-func (m *DaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSet proto.InternalMessageInfo
-
-func (m *DaemonSetCondition) Reset()      { *m = DaemonSetCondition{} }
-func (*DaemonSetCondition) ProtoMessage() {}
-func (*DaemonSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{1}
-}
-func (m *DaemonSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetCondition.Merge(m, src)
-}
-func (m *DaemonSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetCondition proto.InternalMessageInfo
-
-func (m *DaemonSetList) Reset()      { *m = DaemonSetList{} }
-func (*DaemonSetList) ProtoMessage() {}
-func (*DaemonSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{2}
-}
-func (m *DaemonSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetList.Merge(m, src)
-}
-func (m *DaemonSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetList proto.InternalMessageInfo
-
-func (m *DaemonSetSpec) Reset()      { *m = DaemonSetSpec{} }
-func (*DaemonSetSpec) ProtoMessage() {}
-func (*DaemonSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{3}
-}
-func (m *DaemonSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetSpec.Merge(m, src)
-}
-func (m *DaemonSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetSpec proto.InternalMessageInfo
-
-func (m *DaemonSetStatus) Reset()      { *m = DaemonSetStatus{} }
-func (*DaemonSetStatus) ProtoMessage() {}
-func (*DaemonSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{4}
-}
-func (m *DaemonSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetStatus.Merge(m, src)
-}
-func (m *DaemonSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetStatus proto.InternalMessageInfo
-
-func (m *DaemonSetUpdateStrategy) Reset()      { *m = DaemonSetUpdateStrategy{} }
-func (*DaemonSetUpdateStrategy) ProtoMessage() {}
-func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{5}
-}
-func (m *DaemonSetUpdateStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DaemonSetUpdateStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DaemonSetUpdateStrategy.Merge(m, src)
-}
-func (m *DaemonSetUpdateStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DaemonSetUpdateStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DaemonSetUpdateStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DaemonSetUpdateStrategy proto.InternalMessageInfo
-
-func (m *Deployment) Reset()      { *m = Deployment{} }
-func (*Deployment) ProtoMessage() {}
-func (*Deployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{6}
-}
-func (m *Deployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Deployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Deployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Deployment.Merge(m, src)
-}
-func (m *Deployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *Deployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_Deployment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Deployment proto.InternalMessageInfo
-
-func (m *DeploymentCondition) Reset()      { *m = DeploymentCondition{} }
-func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{7}
-}
-func (m *DeploymentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCondition.Merge(m, src)
-}
-func (m *DeploymentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCondition proto.InternalMessageInfo
-
-func (m *DeploymentList) Reset()      { *m = DeploymentList{} }
-func (*DeploymentList) ProtoMessage() {}
-func (*DeploymentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{8}
-}
-func (m *DeploymentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentList.Merge(m, src)
-}
-func (m *DeploymentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentList proto.InternalMessageInfo
-
-func (m *DeploymentRollback) Reset()      { *m = DeploymentRollback{} }
-func (*DeploymentRollback) ProtoMessage() {}
-func (*DeploymentRollback) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{9}
-}
-func (m *DeploymentRollback) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentRollback) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentRollback) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentRollback.Merge(m, src)
-}
-func (m *DeploymentRollback) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentRollback) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentRollback.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentRollback proto.InternalMessageInfo
-
-func (m *DeploymentSpec) Reset()      { *m = DeploymentSpec{} }
-func (*DeploymentSpec) ProtoMessage() {}
-func (*DeploymentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{10}
-}
-func (m *DeploymentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentSpec.Merge(m, src)
-}
-func (m *DeploymentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentSpec proto.InternalMessageInfo
-
-func (m *DeploymentStatus) Reset()      { *m = DeploymentStatus{} }
-func (*DeploymentStatus) ProtoMessage() {}
-func (*DeploymentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{11}
-}
-func (m *DeploymentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStatus.Merge(m, src)
-}
-func (m *DeploymentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStatus proto.InternalMessageInfo
-
-func (m *DeploymentStrategy) Reset()      { *m = DeploymentStrategy{} }
-func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{12}
-}
-func (m *DeploymentStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStrategy.Merge(m, src)
-}
-func (m *DeploymentStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentStrategy proto.InternalMessageInfo
-
-func (m *HTTPIngressPath) Reset()      { *m = HTTPIngressPath{} }
-func (*HTTPIngressPath) ProtoMessage() {}
-func (*HTTPIngressPath) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{13}
-}
-func (m *HTTPIngressPath) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressPath) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressPath) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressPath.Merge(m, src)
-}
-func (m *HTTPIngressPath) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressPath) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressPath.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressPath proto.InternalMessageInfo
-
-func (m *HTTPIngressRuleValue) Reset()      { *m = HTTPIngressRuleValue{} }
-func (*HTTPIngressRuleValue) ProtoMessage() {}
-func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{14}
-}
-func (m *HTTPIngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressRuleValue.Merge(m, src)
-}
-func (m *HTTPIngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressRuleValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressRuleValue proto.InternalMessageInfo
-
-func (m *IPBlock) Reset()      { *m = IPBlock{} }
-func (*IPBlock) ProtoMessage() {}
-func (*IPBlock) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{15}
-}
-func (m *IPBlock) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPBlock) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPBlock) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPBlock.Merge(m, src)
-}
-func (m *IPBlock) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPBlock) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPBlock.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPBlock proto.InternalMessageInfo
-
-func (m *Ingress) Reset()      { *m = Ingress{} }
-func (*Ingress) ProtoMessage() {}
-func (*Ingress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{16}
-}
-func (m *Ingress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Ingress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Ingress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Ingress.Merge(m, src)
-}
-func (m *Ingress) XXX_Size() int {
-	return m.Size()
-}
-func (m *Ingress) XXX_DiscardUnknown() {
-	xxx_messageInfo_Ingress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Ingress proto.InternalMessageInfo
-
-func (m *IngressBackend) Reset()      { *m = IngressBackend{} }
-func (*IngressBackend) ProtoMessage() {}
-func (*IngressBackend) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{17}
-}
-func (m *IngressBackend) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressBackend) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressBackend) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressBackend.Merge(m, src)
-}
-func (m *IngressBackend) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressBackend) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressBackend.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressBackend proto.InternalMessageInfo
-
-func (m *IngressList) Reset()      { *m = IngressList{} }
-func (*IngressList) ProtoMessage() {}
-func (*IngressList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{18}
-}
-func (m *IngressList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressList.Merge(m, src)
-}
-func (m *IngressList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressList proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerIngress) Reset()      { *m = IngressLoadBalancerIngress{} }
-func (*IngressLoadBalancerIngress) ProtoMessage() {}
-func (*IngressLoadBalancerIngress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{19}
-}
-func (m *IngressLoadBalancerIngress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerIngress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerIngress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerIngress.Merge(m, src)
-}
-func (m *IngressLoadBalancerIngress) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerIngress) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerIngress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressLoadBalancerIngress proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerStatus) Reset()      { *m = IngressLoadBalancerStatus{} }
-func (*IngressLoadBalancerStatus) ProtoMessage() {}
-func (*IngressLoadBalancerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{20}
-}
-func (m *IngressLoadBalancerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerStatus.Merge(m, src)
-}
-func (m *IngressLoadBalancerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressLoadBalancerStatus proto.InternalMessageInfo
-
-func (m *IngressPortStatus) Reset()      { *m = IngressPortStatus{} }
-func (*IngressPortStatus) ProtoMessage() {}
-func (*IngressPortStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{21}
-}
-func (m *IngressPortStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressPortStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressPortStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressPortStatus.Merge(m, src)
-}
-func (m *IngressPortStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressPortStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressPortStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressPortStatus proto.InternalMessageInfo
-
-func (m *IngressRule) Reset()      { *m = IngressRule{} }
-func (*IngressRule) ProtoMessage() {}
-func (*IngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{22}
-}
-func (m *IngressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRule.Merge(m, src)
-}
-func (m *IngressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressRule proto.InternalMessageInfo
+func (m *DaemonSetList) Reset() { *m = DaemonSetList{} }
 
-func (m *IngressRuleValue) Reset()      { *m = IngressRuleValue{} }
-func (*IngressRuleValue) ProtoMessage() {}
-func (*IngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{23}
-}
-func (m *IngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRuleValue.Merge(m, src)
-}
-func (m *IngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRuleValue.DiscardUnknown(m)
-}
+func (m *DaemonSetSpec) Reset() { *m = DaemonSetSpec{} }
 
-var xxx_messageInfo_IngressRuleValue proto.InternalMessageInfo
-
-func (m *IngressSpec) Reset()      { *m = IngressSpec{} }
-func (*IngressSpec) ProtoMessage() {}
-func (*IngressSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{24}
-}
-func (m *IngressSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressSpec.Merge(m, src)
-}
-func (m *IngressSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressSpec.DiscardUnknown(m)
-}
+func (m *DaemonSetStatus) Reset() { *m = DaemonSetStatus{} }
 
-var xxx_messageInfo_IngressSpec proto.InternalMessageInfo
+func (m *DaemonSetUpdateStrategy) Reset() { *m = DaemonSetUpdateStrategy{} }
 
-func (m *IngressStatus) Reset()      { *m = IngressStatus{} }
-func (*IngressStatus) ProtoMessage() {}
-func (*IngressStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{25}
-}
-func (m *IngressStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressStatus.Merge(m, src)
-}
-func (m *IngressStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressStatus.DiscardUnknown(m)
-}
+func (m *Deployment) Reset() { *m = Deployment{} }
 
-var xxx_messageInfo_IngressStatus proto.InternalMessageInfo
+func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
 
-func (m *IngressTLS) Reset()      { *m = IngressTLS{} }
-func (*IngressTLS) ProtoMessage() {}
-func (*IngressTLS) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{26}
-}
-func (m *IngressTLS) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressTLS) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressTLS.Merge(m, src)
-}
-func (m *IngressTLS) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressTLS) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressTLS.DiscardUnknown(m)
-}
+func (m *DeploymentList) Reset() { *m = DeploymentList{} }
 
-var xxx_messageInfo_IngressTLS proto.InternalMessageInfo
+func (m *DeploymentRollback) Reset() { *m = DeploymentRollback{} }
 
-func (m *NetworkPolicy) Reset()      { *m = NetworkPolicy{} }
-func (*NetworkPolicy) ProtoMessage() {}
-func (*NetworkPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{27}
-}
-func (m *NetworkPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicy.Merge(m, src)
-}
-func (m *NetworkPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicy.DiscardUnknown(m)
-}
+func (m *DeploymentSpec) Reset() { *m = DeploymentSpec{} }
 
-var xxx_messageInfo_NetworkPolicy proto.InternalMessageInfo
+func (m *DeploymentStatus) Reset() { *m = DeploymentStatus{} }
 
-func (m *NetworkPolicyEgressRule) Reset()      { *m = NetworkPolicyEgressRule{} }
-func (*NetworkPolicyEgressRule) ProtoMessage() {}
-func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{28}
-}
-func (m *NetworkPolicyEgressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyEgressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyEgressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyEgressRule.Merge(m, src)
-}
-func (m *NetworkPolicyEgressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyEgressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyEgressRule.DiscardUnknown(m)
-}
+func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
 
-var xxx_messageInfo_NetworkPolicyEgressRule proto.InternalMessageInfo
+func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} }
 
-func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
-func (*NetworkPolicyIngressRule) ProtoMessage() {}
-func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{29}
-}
-func (m *NetworkPolicyIngressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyIngressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyIngressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyIngressRule.Merge(m, src)
-}
-func (m *NetworkPolicyIngressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyIngressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyIngressRule.DiscardUnknown(m)
-}
+func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} }
 
-var xxx_messageInfo_NetworkPolicyIngressRule proto.InternalMessageInfo
+func (m *IPBlock) Reset() { *m = IPBlock{} }
 
-func (m *NetworkPolicyList) Reset()      { *m = NetworkPolicyList{} }
-func (*NetworkPolicyList) ProtoMessage() {}
-func (*NetworkPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{30}
-}
-func (m *NetworkPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyList.Merge(m, src)
-}
-func (m *NetworkPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyList.DiscardUnknown(m)
-}
+func (m *Ingress) Reset() { *m = Ingress{} }
 
-var xxx_messageInfo_NetworkPolicyList proto.InternalMessageInfo
+func (m *IngressBackend) Reset() { *m = IngressBackend{} }
 
-func (m *NetworkPolicyPeer) Reset()      { *m = NetworkPolicyPeer{} }
-func (*NetworkPolicyPeer) ProtoMessage() {}
-func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{31}
-}
-func (m *NetworkPolicyPeer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyPeer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyPeer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyPeer.Merge(m, src)
-}
-func (m *NetworkPolicyPeer) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyPeer) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyPeer.DiscardUnknown(m)
-}
+func (m *IngressList) Reset() { *m = IngressList{} }
 
-var xxx_messageInfo_NetworkPolicyPeer proto.InternalMessageInfo
+func (m *IngressLoadBalancerIngress) Reset() { *m = IngressLoadBalancerIngress{} }
 
-func (m *NetworkPolicyPort) Reset()      { *m = NetworkPolicyPort{} }
-func (*NetworkPolicyPort) ProtoMessage() {}
-func (*NetworkPolicyPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{32}
-}
-func (m *NetworkPolicyPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyPort.Merge(m, src)
-}
-func (m *NetworkPolicyPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyPort.DiscardUnknown(m)
-}
+func (m *IngressLoadBalancerStatus) Reset() { *m = IngressLoadBalancerStatus{} }
 
-var xxx_messageInfo_NetworkPolicyPort proto.InternalMessageInfo
+func (m *IngressPortStatus) Reset() { *m = IngressPortStatus{} }
 
-func (m *NetworkPolicySpec) Reset()      { *m = NetworkPolicySpec{} }
-func (*NetworkPolicySpec) ProtoMessage() {}
-func (*NetworkPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{33}
-}
-func (m *NetworkPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicySpec.Merge(m, src)
-}
-func (m *NetworkPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicySpec.DiscardUnknown(m)
-}
+func (m *IngressRule) Reset() { *m = IngressRule{} }
 
-var xxx_messageInfo_NetworkPolicySpec proto.InternalMessageInfo
+func (m *IngressRuleValue) Reset() { *m = IngressRuleValue{} }
 
-func (m *ReplicaSet) Reset()      { *m = ReplicaSet{} }
-func (*ReplicaSet) ProtoMessage() {}
-func (*ReplicaSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{34}
-}
-func (m *ReplicaSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSet.Merge(m, src)
-}
-func (m *ReplicaSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSet.DiscardUnknown(m)
-}
+func (m *IngressSpec) Reset() { *m = IngressSpec{} }
 
-var xxx_messageInfo_ReplicaSet proto.InternalMessageInfo
+func (m *IngressStatus) Reset() { *m = IngressStatus{} }
 
-func (m *ReplicaSetCondition) Reset()      { *m = ReplicaSetCondition{} }
-func (*ReplicaSetCondition) ProtoMessage() {}
-func (*ReplicaSetCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{35}
-}
-func (m *ReplicaSetCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetCondition.Merge(m, src)
-}
-func (m *ReplicaSetCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetCondition.DiscardUnknown(m)
-}
+func (m *IngressTLS) Reset() { *m = IngressTLS{} }
 
-var xxx_messageInfo_ReplicaSetCondition proto.InternalMessageInfo
+func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} }
 
-func (m *ReplicaSetList) Reset()      { *m = ReplicaSetList{} }
-func (*ReplicaSetList) ProtoMessage() {}
-func (*ReplicaSetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{36}
-}
-func (m *ReplicaSetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetList.Merge(m, src)
-}
-func (m *ReplicaSetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetList.DiscardUnknown(m)
-}
+func (m *NetworkPolicyEgressRule) Reset() { *m = NetworkPolicyEgressRule{} }
 
-var xxx_messageInfo_ReplicaSetList proto.InternalMessageInfo
+func (m *NetworkPolicyIngressRule) Reset() { *m = NetworkPolicyIngressRule{} }
 
-func (m *ReplicaSetSpec) Reset()      { *m = ReplicaSetSpec{} }
-func (*ReplicaSetSpec) ProtoMessage() {}
-func (*ReplicaSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{37}
-}
-func (m *ReplicaSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetSpec.Merge(m, src)
-}
-func (m *ReplicaSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetSpec.DiscardUnknown(m)
-}
+func (m *NetworkPolicyList) Reset() { *m = NetworkPolicyList{} }
 
-var xxx_messageInfo_ReplicaSetSpec proto.InternalMessageInfo
+func (m *NetworkPolicyPeer) Reset() { *m = NetworkPolicyPeer{} }
 
-func (m *ReplicaSetStatus) Reset()      { *m = ReplicaSetStatus{} }
-func (*ReplicaSetStatus) ProtoMessage() {}
-func (*ReplicaSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{38}
-}
-func (m *ReplicaSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetStatus.Merge(m, src)
-}
-func (m *ReplicaSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetStatus.DiscardUnknown(m)
-}
+func (m *NetworkPolicyPort) Reset() { *m = NetworkPolicyPort{} }
 
-var xxx_messageInfo_ReplicaSetStatus proto.InternalMessageInfo
+func (m *NetworkPolicySpec) Reset() { *m = NetworkPolicySpec{} }
 
-func (m *RollbackConfig) Reset()      { *m = RollbackConfig{} }
-func (*RollbackConfig) ProtoMessage() {}
-func (*RollbackConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{39}
-}
-func (m *RollbackConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollbackConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollbackConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollbackConfig.Merge(m, src)
-}
-func (m *RollbackConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollbackConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollbackConfig.DiscardUnknown(m)
-}
+func (m *ReplicaSet) Reset() { *m = ReplicaSet{} }
 
-var xxx_messageInfo_RollbackConfig proto.InternalMessageInfo
+func (m *ReplicaSetCondition) Reset() { *m = ReplicaSetCondition{} }
 
-func (m *RollingUpdateDaemonSet) Reset()      { *m = RollingUpdateDaemonSet{} }
-func (*RollingUpdateDaemonSet) ProtoMessage() {}
-func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{40}
-}
-func (m *RollingUpdateDaemonSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDaemonSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDaemonSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDaemonSet.Merge(m, src)
-}
-func (m *RollingUpdateDaemonSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDaemonSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDaemonSet.DiscardUnknown(m)
-}
+func (m *ReplicaSetList) Reset() { *m = ReplicaSetList{} }
 
-var xxx_messageInfo_RollingUpdateDaemonSet proto.InternalMessageInfo
+func (m *ReplicaSetSpec) Reset() { *m = ReplicaSetSpec{} }
 
-func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
-func (*RollingUpdateDeployment) ProtoMessage() {}
-func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{41}
-}
-func (m *RollingUpdateDeployment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingUpdateDeployment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingUpdateDeployment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingUpdateDeployment.Merge(m, src)
-}
-func (m *RollingUpdateDeployment) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingUpdateDeployment) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingUpdateDeployment.DiscardUnknown(m)
-}
+func (m *ReplicaSetStatus) Reset() { *m = ReplicaSetStatus{} }
 
-var xxx_messageInfo_RollingUpdateDeployment proto.InternalMessageInfo
+func (m *RollbackConfig) Reset() { *m = RollbackConfig{} }
 
-func (m *Scale) Reset()      { *m = Scale{} }
-func (*Scale) ProtoMessage() {}
-func (*Scale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{42}
-}
-func (m *Scale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scale.Merge(m, src)
-}
-func (m *Scale) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scale) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scale.DiscardUnknown(m)
-}
+func (m *RollingUpdateDaemonSet) Reset() { *m = RollingUpdateDaemonSet{} }
 
-var xxx_messageInfo_Scale proto.InternalMessageInfo
+func (m *RollingUpdateDeployment) Reset() { *m = RollingUpdateDeployment{} }
 
-func (m *ScaleSpec) Reset()      { *m = ScaleSpec{} }
-func (*ScaleSpec) ProtoMessage() {}
-func (*ScaleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{43}
-}
-func (m *ScaleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleSpec.Merge(m, src)
-}
-func (m *ScaleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleSpec.DiscardUnknown(m)
-}
+func (m *Scale) Reset() { *m = Scale{} }
 
-var xxx_messageInfo_ScaleSpec proto.InternalMessageInfo
+func (m *ScaleSpec) Reset() { *m = ScaleSpec{} }
 
-func (m *ScaleStatus) Reset()      { *m = ScaleStatus{} }
-func (*ScaleStatus) ProtoMessage() {}
-func (*ScaleStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_90a532284de28347, []int{44}
-}
-func (m *ScaleStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScaleStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScaleStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScaleStatus.Merge(m, src)
-}
-func (m *ScaleStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScaleStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScaleStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ScaleStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*DaemonSet)(nil), "k8s.io.api.extensions.v1beta1.DaemonSet")
-	proto.RegisterType((*DaemonSetCondition)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetCondition")
-	proto.RegisterType((*DaemonSetList)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetList")
-	proto.RegisterType((*DaemonSetSpec)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetSpec")
-	proto.RegisterType((*DaemonSetStatus)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetStatus")
-	proto.RegisterType((*DaemonSetUpdateStrategy)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetUpdateStrategy")
-	proto.RegisterType((*Deployment)(nil), "k8s.io.api.extensions.v1beta1.Deployment")
-	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.extensions.v1beta1.DeploymentCondition")
-	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.extensions.v1beta1.DeploymentList")
-	proto.RegisterType((*DeploymentRollback)(nil), "k8s.io.api.extensions.v1beta1.DeploymentRollback")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.extensions.v1beta1.DeploymentRollback.UpdatedAnnotationsEntry")
-	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.extensions.v1beta1.DeploymentSpec")
-	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.extensions.v1beta1.DeploymentStatus")
-	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.extensions.v1beta1.DeploymentStrategy")
-	proto.RegisterType((*HTTPIngressPath)(nil), "k8s.io.api.extensions.v1beta1.HTTPIngressPath")
-	proto.RegisterType((*HTTPIngressRuleValue)(nil), "k8s.io.api.extensions.v1beta1.HTTPIngressRuleValue")
-	proto.RegisterType((*IPBlock)(nil), "k8s.io.api.extensions.v1beta1.IPBlock")
-	proto.RegisterType((*Ingress)(nil), "k8s.io.api.extensions.v1beta1.Ingress")
-	proto.RegisterType((*IngressBackend)(nil), "k8s.io.api.extensions.v1beta1.IngressBackend")
-	proto.RegisterType((*IngressList)(nil), "k8s.io.api.extensions.v1beta1.IngressList")
-	proto.RegisterType((*IngressLoadBalancerIngress)(nil), "k8s.io.api.extensions.v1beta1.IngressLoadBalancerIngress")
-	proto.RegisterType((*IngressLoadBalancerStatus)(nil), "k8s.io.api.extensions.v1beta1.IngressLoadBalancerStatus")
-	proto.RegisterType((*IngressPortStatus)(nil), "k8s.io.api.extensions.v1beta1.IngressPortStatus")
-	proto.RegisterType((*IngressRule)(nil), "k8s.io.api.extensions.v1beta1.IngressRule")
-	proto.RegisterType((*IngressRuleValue)(nil), "k8s.io.api.extensions.v1beta1.IngressRuleValue")
-	proto.RegisterType((*IngressSpec)(nil), "k8s.io.api.extensions.v1beta1.IngressSpec")
-	proto.RegisterType((*IngressStatus)(nil), "k8s.io.api.extensions.v1beta1.IngressStatus")
-	proto.RegisterType((*IngressTLS)(nil), "k8s.io.api.extensions.v1beta1.IngressTLS")
-	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicy")
-	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyEgressRule")
-	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyIngressRule")
-	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyList")
-	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyPeer")
-	proto.RegisterType((*NetworkPolicyPort)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyPort")
-	proto.RegisterType((*NetworkPolicySpec)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicySpec")
-	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSet")
-	proto.RegisterType((*ReplicaSetCondition)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetCondition")
-	proto.RegisterType((*ReplicaSetList)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetList")
-	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetSpec")
-	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetStatus")
-	proto.RegisterType((*RollbackConfig)(nil), "k8s.io.api.extensions.v1beta1.RollbackConfig")
-	proto.RegisterType((*RollingUpdateDaemonSet)(nil), "k8s.io.api.extensions.v1beta1.RollingUpdateDaemonSet")
-	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.extensions.v1beta1.RollingUpdateDeployment")
-	proto.RegisterType((*Scale)(nil), "k8s.io.api.extensions.v1beta1.Scale")
-	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.extensions.v1beta1.ScaleSpec")
-	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.extensions.v1beta1.ScaleStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.extensions.v1beta1.ScaleStatus.SelectorEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/extensions/v1beta1/generated.proto", fileDescriptor_90a532284de28347)
-}
-
-var fileDescriptor_90a532284de28347 = []byte{
-	// 2875 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5b, 0xcf, 0x6f, 0x24, 0x47,
-	0xf5, 0xdf, 0x9e, 0xf1, 0xd8, 0xe3, 0xe7, 0xb5, 0xbd, 0x5b, 0xeb, 0xac, 0x1d, 0xef, 0x37, 0x76,
-	0xd4, 0x5f, 0x11, 0x36, 0x61, 0x77, 0x86, 0xdd, 0x24, 0x4b, 0x7e, 0x48, 0x09, 0x3b, 0xde, 0x4d,
-	0xd6, 0x89, 0x7f, 0x4c, 0x6a, 0xc6, 0x09, 0x8a, 0x08, 0xd0, 0xee, 0x29, 0x8f, 0x3b, 0xee, 0xe9,
-	0x1e, 0x75, 0xd7, 0x98, 0xf5, 0x0d, 0x04, 0x97, 0x9c, 0x40, 0x42, 0x21, 0x1c, 0x91, 0x90, 0xb8,
-	0x72, 0xe5, 0x10, 0x22, 0x10, 0x41, 0x8a, 0x38, 0x45, 0xe2, 0x40, 0x4e, 0x16, 0x71, 0x4e, 0x88,
-	0x7f, 0x00, 0xed, 0x09, 0xd5, 0x8f, 0xae, 0xfe, 0x6d, 0xf7, 0x0c, 0x5e, 0x8b, 0x20, 0x4e, 0xeb,
-	0xa9, 0xf7, 0xde, 0xa7, 0x5e, 0x55, 0xbd, 0x7a, 0xef, 0x53, 0x55, 0xbd, 0x70, 0x7d, 0xef, 0x39,
-	0xbf, 0x66, 0xb9, 0x75, 0xa3, 0x6f, 0xd5, 0xc9, 0x7d, 0x4a, 0x1c, 0xdf, 0x72, 0x1d, 0xbf, 0xbe,
-	0x7f, 0x63, 0x9b, 0x50, 0xe3, 0x46, 0xbd, 0x4b, 0x1c, 0xe2, 0x19, 0x94, 0x74, 0x6a, 0x7d, 0xcf,
-	0xa5, 0x2e, 0x7a, 0x4c, 0xa8, 0xd7, 0x8c, 0xbe, 0x55, 0x0b, 0xd5, 0x6b, 0x52, 0x7d, 0xf1, 0x7a,
-	0xd7, 0xa2, 0xbb, 0x83, 0xed, 0x9a, 0xe9, 0xf6, 0xea, 0x5d, 0xb7, 0xeb, 0xd6, 0xb9, 0xd5, 0xf6,
-	0x60, 0x87, 0xff, 0xe2, 0x3f, 0xf8, 0x5f, 0x02, 0x6d, 0x51, 0x8f, 0x74, 0x6e, 0xba, 0x1e, 0xa9,
-	0xef, 0xa7, 0x7a, 0x5c, 0x7c, 0x26, 0xd4, 0xe9, 0x19, 0xe6, 0xae, 0xe5, 0x10, 0xef, 0xa0, 0xde,
-	0xdf, 0xeb, 0xb2, 0x06, 0xbf, 0xde, 0x23, 0xd4, 0xc8, 0xb2, 0xaa, 0xe7, 0x59, 0x79, 0x03, 0x87,
-	0x5a, 0x3d, 0x92, 0x32, 0xb8, 0x75, 0x92, 0x81, 0x6f, 0xee, 0x92, 0x9e, 0x91, 0xb2, 0x7b, 0x3a,
-	0xcf, 0x6e, 0x40, 0x2d, 0xbb, 0x6e, 0x39, 0xd4, 0xa7, 0x5e, 0xd2, 0x48, 0x7f, 0xbf, 0x04, 0x93,
-	0x77, 0x0c, 0xd2, 0x73, 0x9d, 0x16, 0xa1, 0xe8, 0x7b, 0x50, 0x65, 0xc3, 0xe8, 0x18, 0xd4, 0x58,
-	0xd0, 0x1e, 0xd7, 0xae, 0x4e, 0xdd, 0xfc, 0x7a, 0x2d, 0x9c, 0x66, 0x85, 0x5a, 0xeb, 0xef, 0x75,
-	0x59, 0x83, 0x5f, 0x63, 0xda, 0xb5, 0xfd, 0x1b, 0xb5, 0xcd, 0xed, 0x77, 0x89, 0x49, 0xd7, 0x09,
-	0x35, 0x1a, 0xe8, 0x93, 0xc3, 0xe5, 0x73, 0x47, 0x87, 0xcb, 0x10, 0xb6, 0x61, 0x85, 0x8a, 0x36,
-	0x60, 0xcc, 0xef, 0x13, 0x73, 0xa1, 0xc4, 0xd1, 0xaf, 0xd5, 0x8e, 0x5d, 0xc4, 0x9a, 0xf2, 0xac,
-	0xd5, 0x27, 0x66, 0xe3, 0xbc, 0x44, 0x1e, 0x63, 0xbf, 0x30, 0xc7, 0x41, 0x6f, 0xc2, 0xb8, 0x4f,
-	0x0d, 0x3a, 0xf0, 0x17, 0xca, 0x1c, 0xb1, 0x56, 0x18, 0x91, 0x5b, 0x35, 0x66, 0x24, 0xe6, 0xb8,
-	0xf8, 0x8d, 0x25, 0x9a, 0xfe, 0xf7, 0x12, 0x20, 0xa5, 0xbb, 0xe2, 0x3a, 0x1d, 0x8b, 0x5a, 0xae,
-	0x83, 0x5e, 0x80, 0x31, 0x7a, 0xd0, 0x27, 0x7c, 0x72, 0x26, 0x1b, 0x4f, 0x04, 0x0e, 0xb5, 0x0f,
-	0xfa, 0xe4, 0xc1, 0xe1, 0xf2, 0xe5, 0xb4, 0x05, 0x93, 0x60, 0x6e, 0x83, 0xd6, 0x94, 0xab, 0x25,
-	0x6e, 0xfd, 0x4c, 0xbc, 0xeb, 0x07, 0x87, 0xcb, 0x19, 0x41, 0x58, 0x53, 0x48, 0x71, 0x07, 0xd1,
-	0x3e, 0x20, 0xdb, 0xf0, 0x69, 0xdb, 0x33, 0x1c, 0x5f, 0xf4, 0x64, 0xf5, 0x88, 0x9c, 0x84, 0xa7,
-	0x8a, 0x2d, 0x1a, 0xb3, 0x68, 0x2c, 0x4a, 0x2f, 0xd0, 0x5a, 0x0a, 0x0d, 0x67, 0xf4, 0x80, 0x9e,
-	0x80, 0x71, 0x8f, 0x18, 0xbe, 0xeb, 0x2c, 0x8c, 0xf1, 0x51, 0xa8, 0x09, 0xc4, 0xbc, 0x15, 0x4b,
-	0x29, 0x7a, 0x12, 0x26, 0x7a, 0xc4, 0xf7, 0x8d, 0x2e, 0x59, 0xa8, 0x70, 0xc5, 0x59, 0xa9, 0x38,
-	0xb1, 0x2e, 0x9a, 0x71, 0x20, 0xd7, 0x3f, 0xd4, 0x60, 0x5a, 0xcd, 0xdc, 0x9a, 0xe5, 0x53, 0xf4,
-	0xed, 0x54, 0x1c, 0xd6, 0x8a, 0x0d, 0x89, 0x59, 0xf3, 0x28, 0xbc, 0x20, 0x7b, 0xab, 0x06, 0x2d,
-	0x91, 0x18, 0x5c, 0x87, 0x8a, 0x45, 0x49, 0x8f, 0xad, 0x43, 0xf9, 0xea, 0xd4, 0xcd, 0xab, 0x45,
-	0x43, 0xa6, 0x31, 0x2d, 0x41, 0x2b, 0xab, 0xcc, 0x1c, 0x0b, 0x14, 0xfd, 0xe7, 0x63, 0x11, 0xf7,
-	0x59, 0x68, 0xa2, 0x77, 0xa0, 0xea, 0x13, 0x9b, 0x98, 0xd4, 0xf5, 0xa4, 0xfb, 0x4f, 0x17, 0x74,
-	0xdf, 0xd8, 0x26, 0x76, 0x4b, 0x9a, 0x36, 0xce, 0x33, 0xff, 0x83, 0x5f, 0x58, 0x41, 0xa2, 0x37,
-	0xa0, 0x4a, 0x49, 0xaf, 0x6f, 0x1b, 0x94, 0xc8, 0x7d, 0xf4, 0xff, 0xd1, 0x21, 0xb0, 0xc8, 0x61,
-	0x60, 0x4d, 0xb7, 0xd3, 0x96, 0x6a, 0x7c, 0xfb, 0xa8, 0x29, 0x09, 0x5a, 0xb1, 0x82, 0x41, 0xfb,
-	0x30, 0x33, 0xe8, 0x77, 0x98, 0x26, 0x65, 0xd9, 0xa1, 0x7b, 0x20, 0x23, 0xe9, 0x56, 0xd1, 0xb9,
-	0xd9, 0x8a, 0x59, 0x37, 0x2e, 0xcb, 0xbe, 0x66, 0xe2, 0xed, 0x38, 0xd1, 0x0b, 0xba, 0x0d, 0xb3,
-	0x3d, 0xcb, 0xc1, 0xc4, 0xe8, 0x1c, 0xb4, 0x88, 0xe9, 0x3a, 0x1d, 0x9f, 0x87, 0x55, 0xa5, 0x31,
-	0x2f, 0x01, 0x66, 0xd7, 0xe3, 0x62, 0x9c, 0xd4, 0x47, 0xaf, 0x01, 0x0a, 0x86, 0xf1, 0xaa, 0x48,
-	0x6e, 0x96, 0xeb, 0xf0, 0x98, 0x2b, 0x87, 0xc1, 0xdd, 0x4e, 0x69, 0xe0, 0x0c, 0x2b, 0xb4, 0x06,
-	0x73, 0x1e, 0xd9, 0xb7, 0xd8, 0x18, 0xef, 0x59, 0x3e, 0x75, 0xbd, 0x83, 0x35, 0xab, 0x67, 0xd1,
-	0x85, 0x71, 0xee, 0xd3, 0xc2, 0xd1, 0xe1, 0xf2, 0x1c, 0xce, 0x90, 0xe3, 0x4c, 0x2b, 0xfd, 0x83,
-	0x71, 0x98, 0x4d, 0xe4, 0x1b, 0xf4, 0x26, 0x5c, 0x36, 0x07, 0x9e, 0x47, 0x1c, 0xba, 0x31, 0xe8,
-	0x6d, 0x13, 0xaf, 0x65, 0xee, 0x92, 0xce, 0xc0, 0x26, 0x1d, 0x1e, 0x28, 0x95, 0xc6, 0x92, 0xf4,
-	0xf8, 0xf2, 0x4a, 0xa6, 0x16, 0xce, 0xb1, 0x66, 0xb3, 0xe0, 0xf0, 0xa6, 0x75, 0xcb, 0xf7, 0x15,
-	0x66, 0x89, 0x63, 0xaa, 0x59, 0xd8, 0x48, 0x69, 0xe0, 0x0c, 0x2b, 0xe6, 0x63, 0x87, 0xf8, 0x96,
-	0x47, 0x3a, 0x49, 0x1f, 0xcb, 0x71, 0x1f, 0xef, 0x64, 0x6a, 0xe1, 0x1c, 0x6b, 0xf4, 0x2c, 0x4c,
-	0x89, 0xde, 0xf8, 0xfa, 0xc9, 0x85, 0xbe, 0x24, 0xc1, 0xa6, 0x36, 0x42, 0x11, 0x8e, 0xea, 0xb1,
-	0xa1, 0xb9, 0xdb, 0x3e, 0xf1, 0xf6, 0x49, 0x27, 0x7f, 0x81, 0x37, 0x53, 0x1a, 0x38, 0xc3, 0x8a,
-	0x0d, 0x4d, 0x44, 0x60, 0x6a, 0x68, 0xe3, 0xf1, 0xa1, 0x6d, 0x65, 0x6a, 0xe1, 0x1c, 0x6b, 0x16,
-	0xc7, 0xc2, 0xe5, 0xdb, 0xfb, 0x86, 0x65, 0x1b, 0xdb, 0x36, 0x59, 0x98, 0x88, 0xc7, 0xf1, 0x46,
-	0x5c, 0x8c, 0x93, 0xfa, 0xe8, 0x55, 0xb8, 0x28, 0x9a, 0xb6, 0x1c, 0x43, 0x81, 0x54, 0x39, 0xc8,
-	0xa3, 0x12, 0xe4, 0xe2, 0x46, 0x52, 0x01, 0xa7, 0x6d, 0xd0, 0x0b, 0x30, 0x63, 0xba, 0xb6, 0xcd,
-	0xe3, 0x71, 0xc5, 0x1d, 0x38, 0x74, 0x61, 0x92, 0xa3, 0x20, 0xb6, 0x1f, 0x57, 0x62, 0x12, 0x9c,
-	0xd0, 0x44, 0x04, 0xc0, 0x0c, 0x0a, 0x8e, 0xbf, 0x00, 0x3c, 0x3f, 0xde, 0x28, 0x9a, 0x03, 0x54,
-	0xa9, 0x0a, 0x39, 0x80, 0x6a, 0xf2, 0x71, 0x04, 0x58, 0xff, 0xb3, 0x06, 0xf3, 0x39, 0xa9, 0x03,
-	0xbd, 0x1c, 0x2b, 0xb1, 0x5f, 0x4b, 0x94, 0xd8, 0x2b, 0x39, 0x66, 0x91, 0x3a, 0xeb, 0xc0, 0xb4,
-	0xc7, 0x46, 0xe5, 0x74, 0x85, 0x8a, 0xcc, 0x91, 0xcf, 0x9e, 0x30, 0x0c, 0x1c, 0xb5, 0x09, 0x73,
-	0xfe, 0xc5, 0xa3, 0xc3, 0xe5, 0xe9, 0x98, 0x0c, 0xc7, 0xe1, 0xf5, 0x5f, 0x94, 0x00, 0xee, 0x90,
-	0xbe, 0xed, 0x1e, 0xf4, 0x88, 0x73, 0x16, 0x1c, 0x6a, 0x33, 0xc6, 0xa1, 0xae, 0x9f, 0xb4, 0x3c,
-	0xca, 0xb5, 0x5c, 0x12, 0xf5, 0x56, 0x82, 0x44, 0xd5, 0x8b, 0x43, 0x1e, 0xcf, 0xa2, 0xfe, 0x5a,
-	0x86, 0x4b, 0xa1, 0x72, 0x48, 0xa3, 0x5e, 0x8c, 0xad, 0xf1, 0x57, 0x13, 0x6b, 0x3c, 0x9f, 0x61,
-	0xf2, 0xd0, 0x78, 0xd4, 0xbb, 0x30, 0xc3, 0x58, 0x8e, 0x58, 0x4b, 0xce, 0xa1, 0xc6, 0x87, 0xe6,
-	0x50, 0xaa, 0xda, 0xad, 0xc5, 0x90, 0x70, 0x02, 0x39, 0x87, 0xb3, 0x4d, 0x7c, 0x19, 0x39, 0xdb,
-	0x47, 0x1a, 0xcc, 0x84, 0xcb, 0x74, 0x06, 0xa4, 0x6d, 0x23, 0x4e, 0xda, 0x9e, 0x2c, 0x1c, 0xa2,
-	0x39, 0xac, 0xed, 0x9f, 0x8c, 0xe0, 0x2b, 0x25, 0xb6, 0xc1, 0xb7, 0x0d, 0x73, 0x0f, 0x3d, 0x0e,
-	0x63, 0x8e, 0xd1, 0x0b, 0x22, 0x53, 0x6d, 0x96, 0x0d, 0xa3, 0x47, 0x30, 0x97, 0xa0, 0xf7, 0x35,
-	0x40, 0xb2, 0x0a, 0xdc, 0x76, 0x1c, 0x97, 0x1a, 0x22, 0x57, 0x0a, 0xb7, 0x56, 0x0b, 0xbb, 0x15,
-	0xf4, 0x58, 0xdb, 0x4a, 0x61, 0xdd, 0x75, 0xa8, 0x77, 0x10, 0x2e, 0x72, 0x5a, 0x01, 0x67, 0x38,
-	0x80, 0x0c, 0x00, 0x4f, 0x62, 0xb6, 0x5d, 0xb9, 0x91, 0xaf, 0x17, 0xc8, 0x79, 0xcc, 0x60, 0xc5,
-	0x75, 0x76, 0xac, 0x6e, 0x98, 0x76, 0xb0, 0x02, 0xc2, 0x11, 0xd0, 0xc5, 0xbb, 0x30, 0x9f, 0xe3,
-	0x2d, 0xba, 0x00, 0xe5, 0x3d, 0x72, 0x20, 0xa6, 0x0d, 0xb3, 0x3f, 0xd1, 0x1c, 0x54, 0xf6, 0x0d,
-	0x7b, 0x20, 0xd2, 0xef, 0x24, 0x16, 0x3f, 0x5e, 0x28, 0x3d, 0xa7, 0xe9, 0x1f, 0x56, 0xa2, 0xb1,
-	0xc3, 0x19, 0xf3, 0x55, 0xa8, 0x7a, 0xa4, 0x6f, 0x5b, 0xa6, 0xe1, 0x4b, 0x22, 0xc4, 0xc9, 0x2f,
-	0x96, 0x6d, 0x58, 0x49, 0x63, 0xdc, 0xba, 0xf4, 0x70, 0xb9, 0x75, 0xf9, 0x74, 0xb8, 0xf5, 0x77,
-	0xa1, 0xea, 0x07, 0xac, 0x7a, 0x8c, 0x43, 0xde, 0x18, 0x22, 0xbf, 0x4a, 0x42, 0xad, 0x3a, 0x50,
-	0x54, 0x5a, 0x81, 0x66, 0x91, 0xe8, 0xca, 0x90, 0x24, 0xfa, 0x54, 0x89, 0x2f, 0xcb, 0x37, 0x7d,
-	0x63, 0xe0, 0x93, 0x0e, 0xcf, 0x6d, 0xd5, 0x30, 0xdf, 0x34, 0x79, 0x2b, 0x96, 0x52, 0xf4, 0x4e,
-	0x2c, 0x64, 0xab, 0xa3, 0x84, 0xec, 0x4c, 0x7e, 0xb8, 0xa2, 0x2d, 0x98, 0xef, 0x7b, 0x6e, 0xd7,
-	0x23, 0xbe, 0x7f, 0x87, 0x18, 0x1d, 0xdb, 0x72, 0x48, 0x30, 0x3f, 0x82, 0x11, 0x5d, 0x39, 0x3a,
-	0x5c, 0x9e, 0x6f, 0x66, 0xab, 0xe0, 0x3c, 0x5b, 0xfd, 0x67, 0x15, 0xb8, 0x90, 0xac, 0x80, 0x39,
-	0x24, 0x55, 0x1b, 0x89, 0xa4, 0x5e, 0x8b, 0x6c, 0x06, 0xc1, 0xe0, 0xd5, 0xea, 0x67, 0x6c, 0x88,
-	0xdb, 0x30, 0x2b, 0xb3, 0x41, 0x20, 0x94, 0x34, 0x5d, 0xad, 0xfe, 0x56, 0x5c, 0x8c, 0x93, 0xfa,
-	0xe8, 0x45, 0x98, 0xf6, 0x38, 0xef, 0x0e, 0x00, 0x04, 0x77, 0x7d, 0x44, 0x02, 0x4c, 0xe3, 0xa8,
-	0x10, 0xc7, 0x75, 0x19, 0x6f, 0x0d, 0xe9, 0x68, 0x00, 0x30, 0x16, 0xe7, 0xad, 0xb7, 0x93, 0x0a,
-	0x38, 0x6d, 0x83, 0xd6, 0xe1, 0xd2, 0xc0, 0x49, 0x43, 0x89, 0x50, 0xbe, 0x22, 0xa1, 0x2e, 0x6d,
-	0xa5, 0x55, 0x70, 0x96, 0x1d, 0x5a, 0x85, 0x4b, 0x94, 0x78, 0x3d, 0xcb, 0x31, 0xa8, 0xe5, 0x74,
-	0x15, 0x9c, 0x58, 0xf9, 0x79, 0x06, 0xd5, 0x4e, 0x8b, 0x71, 0x96, 0x0d, 0xda, 0x89, 0xb1, 0xe2,
-	0x71, 0x9e, 0xe9, 0x6f, 0x16, 0xde, 0xc3, 0x85, 0x69, 0x71, 0x06, 0x73, 0xaf, 0x16, 0x65, 0xee,
-	0xfa, 0x1f, 0xb4, 0x68, 0x3d, 0x53, 0x6c, 0xfa, 0xa4, 0x0b, 0xab, 0x94, 0x45, 0x84, 0x68, 0xb9,
-	0xd9, 0x44, 0xfa, 0xd6, 0x50, 0x44, 0x3a, 0xac, 0xc3, 0x27, 0x33, 0xe9, 0x3f, 0x6a, 0x30, 0x7b,
-	0xaf, 0xdd, 0x6e, 0xae, 0x3a, 0x7c, 0xe3, 0x35, 0x0d, 0xba, 0xcb, 0x0a, 0x72, 0xdf, 0xa0, 0xbb,
-	0xc9, 0x82, 0xcc, 0x64, 0x98, 0x4b, 0xd0, 0x33, 0x50, 0x65, 0xff, 0x32, 0xc7, 0x79, 0xe4, 0x4f,
-	0xf2, 0x7c, 0x55, 0x6d, 0xca, 0xb6, 0x07, 0x91, 0xbf, 0xb1, 0xd2, 0x44, 0xdf, 0x82, 0x09, 0x96,
-	0x26, 0x88, 0xd3, 0x29, 0xc8, 0xa3, 0xa5, 0x53, 0x0d, 0x61, 0x14, 0x52, 0x23, 0xd9, 0x80, 0x03,
-	0x38, 0x7d, 0x0f, 0xe6, 0x22, 0x83, 0xc0, 0x03, 0x9b, 0xbc, 0xc9, 0x4a, 0x1f, 0x6a, 0x41, 0x85,
-	0xf5, 0xce, 0x0a, 0x5c, 0xb9, 0xc0, 0x4d, 0x65, 0x62, 0x22, 0x42, 0x1a, 0xc3, 0x7e, 0xf9, 0x58,
-	0x60, 0xe9, 0x9b, 0x30, 0xb1, 0xda, 0x6c, 0xd8, 0xae, 0xa0, 0x2e, 0xa6, 0xd5, 0xf1, 0x92, 0x33,
-	0xb5, 0xb2, 0x7a, 0x07, 0x63, 0x2e, 0x41, 0x3a, 0x8c, 0x93, 0xfb, 0x26, 0xe9, 0x53, 0xce, 0x56,
-	0x26, 0x1b, 0xc0, 0x72, 0xf2, 0x5d, 0xde, 0x82, 0xa5, 0x44, 0xff, 0x49, 0x09, 0x26, 0x64, 0xb7,
-	0x67, 0x70, 0x94, 0x59, 0x8b, 0x1d, 0x65, 0x9e, 0x2a, 0xb6, 0x04, 0xb9, 0xe7, 0x98, 0x76, 0xe2,
-	0x1c, 0x73, 0xad, 0x20, 0xde, 0xf1, 0x87, 0x98, 0xf7, 0x4a, 0x30, 0x13, 0x5f, 0x7c, 0xf4, 0x2c,
-	0x4c, 0xb1, 0xac, 0x6d, 0x99, 0x64, 0x23, 0x24, 0x8b, 0xea, 0x26, 0xa3, 0x15, 0x8a, 0x70, 0x54,
-	0x0f, 0x75, 0x95, 0x59, 0xd3, 0xf5, 0xa8, 0x1c, 0x74, 0xfe, 0x94, 0x0e, 0xa8, 0x65, 0xd7, 0xc4,
-	0xbd, 0x7d, 0x6d, 0xd5, 0xa1, 0x9b, 0x5e, 0x8b, 0x7a, 0x96, 0xd3, 0x4d, 0x75, 0xc4, 0xc0, 0x70,
-	0x14, 0x19, 0xbd, 0xc5, 0x2a, 0x88, 0xef, 0x0e, 0x3c, 0x93, 0x64, 0x31, 0xc1, 0x80, 0xc5, 0xb0,
-	0x8d, 0xd0, 0x59, 0x73, 0x4d, 0xc3, 0x16, 0x8b, 0x83, 0xc9, 0x0e, 0xf1, 0x88, 0x63, 0x92, 0x80,
-	0x7d, 0x09, 0x08, 0xac, 0xc0, 0xf4, 0xdf, 0x6a, 0x30, 0x25, 0xe7, 0xe2, 0x0c, 0x38, 0xff, 0xeb,
-	0x71, 0xce, 0xff, 0x44, 0xc1, 0x1d, 0x9a, 0x4d, 0xf8, 0x7f, 0xa7, 0xc1, 0x62, 0xe0, 0xba, 0x6b,
-	0x74, 0x1a, 0x86, 0x6d, 0x38, 0x26, 0xf1, 0x82, 0x58, 0x5f, 0x84, 0x92, 0xd5, 0x97, 0x2b, 0x09,
-	0x12, 0xa0, 0xb4, 0xda, 0xc4, 0x25, 0xab, 0xcf, 0x0a, 0xf2, 0xae, 0xeb, 0x53, 0x7e, 0x30, 0x10,
-	0x67, 0x4e, 0xe5, 0xf5, 0x3d, 0xd9, 0x8e, 0x95, 0x06, 0xda, 0x82, 0x4a, 0xdf, 0xf5, 0x28, 0x2b,
-	0x82, 0xe5, 0xc4, 0xfa, 0x1e, 0xe3, 0x35, 0x5b, 0x37, 0x19, 0x88, 0xe1, 0x4e, 0x67, 0x30, 0x58,
-	0xa0, 0xe9, 0x3f, 0xd4, 0xe0, 0xd1, 0x0c, 0xff, 0x25, 0xff, 0xe8, 0xc0, 0x84, 0x25, 0x84, 0x32,
-	0xbd, 0x3c, 0x5f, 0xac, 0xdb, 0x8c, 0xa9, 0x08, 0x53, 0x5b, 0x90, 0xc2, 0x02, 0x68, 0xfd, 0x57,
-	0x1a, 0x5c, 0x4c, 0xf9, 0xcb, 0x53, 0x34, 0x8b, 0x67, 0x49, 0xdc, 0x55, 0x8a, 0x66, 0x61, 0xc9,
-	0x25, 0xe8, 0x75, 0xa8, 0xf2, 0xe7, 0x26, 0xd3, 0xb5, 0xe5, 0x04, 0xd6, 0x83, 0x09, 0x6c, 0xca,
-	0xf6, 0x07, 0x87, 0xcb, 0x57, 0x32, 0x8e, 0xed, 0x81, 0x18, 0x2b, 0x00, 0xb4, 0x0c, 0x15, 0xe2,
-	0x79, 0xae, 0x27, 0x93, 0xfd, 0x24, 0x9b, 0xa9, 0xbb, 0xac, 0x01, 0x8b, 0x76, 0xfd, 0xd7, 0x61,
-	0x90, 0xb2, 0xec, 0xcb, 0xfc, 0x63, 0x8b, 0x93, 0x4c, 0x8c, 0x6c, 0xe9, 0x30, 0x97, 0xa0, 0x01,
-	0x5c, 0xb0, 0x12, 0xe9, 0x5a, 0xee, 0xce, 0x7a, 0xb1, 0x69, 0x54, 0x66, 0x8d, 0x05, 0x09, 0x7f,
-	0x21, 0x29, 0xc1, 0xa9, 0x2e, 0x74, 0x02, 0x29, 0x2d, 0xf4, 0x06, 0x8c, 0xed, 0x52, 0xda, 0xcf,
-	0x78, 0x37, 0x38, 0xa1, 0x48, 0x84, 0x2e, 0x54, 0xf9, 0xe8, 0xda, 0xed, 0x26, 0xe6, 0x50, 0xfa,
-	0xef, 0x4b, 0x6a, 0x3e, 0xf8, 0x61, 0xeb, 0x9b, 0x6a, 0xb4, 0x2b, 0xb6, 0xe1, 0xfb, 0x3c, 0x85,
-	0x89, 0x8b, 0x81, 0xb9, 0x88, 0xe3, 0x4a, 0x86, 0x53, 0xda, 0xa8, 0x1d, 0x16, 0x4f, 0x6d, 0x94,
-	0xe2, 0x39, 0x95, 0x55, 0x38, 0xd1, 0x3d, 0x28, 0x53, 0xbb, 0xe8, 0x01, 0x5f, 0x22, 0xb6, 0xd7,
-	0x5a, 0x8d, 0x29, 0x39, 0xe5, 0xe5, 0xf6, 0x5a, 0x0b, 0x33, 0x08, 0xb4, 0x09, 0x15, 0x6f, 0x60,
-	0x13, 0x56, 0x07, 0xca, 0xc5, 0xeb, 0x0a, 0x9b, 0xc1, 0x70, 0xf3, 0xb1, 0x5f, 0x3e, 0x16, 0x38,
-	0xfa, 0x8f, 0x34, 0x98, 0x8e, 0x55, 0x0b, 0xe4, 0xc1, 0x79, 0x3b, 0xb2, 0x77, 0xe4, 0x3c, 0x3c,
-	0x37, 0xfc, 0xae, 0x93, 0x9b, 0x7e, 0x4e, 0xf6, 0x7b, 0x3e, 0x2a, 0xc3, 0xb1, 0x3e, 0x74, 0x03,
-	0x20, 0x1c, 0x36, 0xdb, 0x07, 0x2c, 0x78, 0xc5, 0x86, 0x97, 0xfb, 0x80, 0xc5, 0xb4, 0x8f, 0x45,
-	0x3b, 0xba, 0x09, 0xe0, 0x13, 0xd3, 0x23, 0x74, 0x23, 0x4c, 0x5c, 0xaa, 0x1c, 0xb7, 0x94, 0x04,
-	0x47, 0xb4, 0xf4, 0x3f, 0x69, 0x30, 0xbd, 0x41, 0xe8, 0xf7, 0x5d, 0x6f, 0xaf, 0xe9, 0xda, 0x96,
-	0x79, 0x70, 0x06, 0x24, 0x00, 0xc7, 0x48, 0xc0, 0x49, 0xf9, 0x32, 0xe6, 0x5d, 0x1e, 0x15, 0xd0,
-	0x3f, 0xd2, 0x60, 0x3e, 0xa6, 0x79, 0x37, 0xcc, 0x07, 0x2a, 0x41, 0x6b, 0x85, 0x12, 0x74, 0x0c,
-	0x86, 0x25, 0xb5, 0xec, 0x04, 0x8d, 0xd6, 0xa0, 0x44, 0x5d, 0x19, 0xbd, 0xc3, 0x61, 0x12, 0xe2,
-	0x85, 0x35, 0xa7, 0xed, 0xe2, 0x12, 0x75, 0xd9, 0x42, 0x2c, 0xc4, 0xb4, 0xa2, 0x19, 0xed, 0x21,
-	0x8d, 0x00, 0xc3, 0xd8, 0x8e, 0xe7, 0xf6, 0x46, 0x1e, 0x83, 0x5a, 0x88, 0x57, 0x3c, 0xb7, 0x87,
-	0x39, 0x96, 0xfe, 0xb1, 0x06, 0x17, 0x63, 0x9a, 0x67, 0xc0, 0x1b, 0xde, 0x88, 0xf3, 0x86, 0x6b,
-	0xc3, 0x0c, 0x24, 0x87, 0x3d, 0x7c, 0x5c, 0x4a, 0x0c, 0x83, 0x0d, 0x18, 0xed, 0xc0, 0x54, 0xdf,
-	0xed, 0xb4, 0x4e, 0xe1, 0xad, 0x77, 0x96, 0xf1, 0xb9, 0x66, 0x88, 0x85, 0xa3, 0xc0, 0xe8, 0x3e,
-	0x5c, 0x64, 0xd4, 0xc2, 0xef, 0x1b, 0x26, 0x69, 0x9d, 0xc2, 0xed, 0xd7, 0x23, 0xfc, 0x31, 0x29,
-	0x89, 0x88, 0xd3, 0x9d, 0xa0, 0x75, 0x98, 0xb0, 0xfa, 0xfc, 0x7c, 0x21, 0x89, 0xe4, 0x89, 0x24,
-	0x4c, 0x9c, 0x46, 0x44, 0x8a, 0x97, 0x3f, 0x70, 0x80, 0xa1, 0xff, 0x25, 0x19, 0x0d, 0x9c, 0xae,
-	0xbe, 0x1a, 0xa1, 0x07, 0xf2, 0xd9, 0x67, 0x34, 0x6a, 0xb0, 0x21, 0x99, 0xc8, 0xa8, 0xcc, 0xba,
-	0x9a, 0xe0, 0x2d, 0x5f, 0x81, 0x09, 0xe2, 0x74, 0x38, 0x59, 0x17, 0x77, 0x2a, 0x7c, 0x54, 0x77,
-	0x45, 0x13, 0x0e, 0x64, 0xfa, 0x8f, 0xcb, 0x89, 0x51, 0xf1, 0x32, 0xfb, 0xee, 0xa9, 0x05, 0x87,
-	0x22, 0xfc, 0xb9, 0x01, 0xb2, 0x1d, 0xd2, 0x3f, 0x11, 0xf3, 0xdf, 0x18, 0x26, 0xe6, 0xa3, 0xf5,
-	0x2f, 0x97, 0xfc, 0xa1, 0xef, 0xc0, 0x38, 0x11, 0x5d, 0x88, 0xaa, 0x7a, 0x6b, 0x98, 0x2e, 0xc2,
-	0xf4, 0x1b, 0x9e, 0xb3, 0x64, 0x9b, 0x44, 0x45, 0x2f, 0xb3, 0xf9, 0x62, 0xba, 0xec, 0x58, 0x22,
-	0xd8, 0xf3, 0x64, 0xe3, 0x31, 0x31, 0x6c, 0xd5, 0xfc, 0xe0, 0x70, 0x19, 0xc2, 0x9f, 0x38, 0x6a,
-	0xc1, 0x1f, 0xe2, 0xe4, 0x9d, 0xcd, 0xd9, 0x7c, 0xcc, 0x34, 0xdc, 0x43, 0x5c, 0xe8, 0xda, 0xa9,
-	0x3d, 0xc4, 0x45, 0x20, 0x8f, 0x3f, 0xc3, 0xfe, 0xa3, 0x04, 0x97, 0x42, 0xe5, 0xc2, 0x0f, 0x71,
-	0x19, 0x26, 0xff, 0xfb, 0xa0, 0xa9, 0xd8, 0xe3, 0x58, 0x38, 0x75, 0xff, 0x79, 0x8f, 0x63, 0xa1,
-	0x6f, 0x39, 0xd5, 0xee, 0x37, 0xa5, 0xe8, 0x00, 0x86, 0x7c, 0xa1, 0x39, 0x85, 0x6f, 0x7a, 0xbe,
-	0x74, 0x8f, 0x3c, 0xfa, 0x07, 0x63, 0x70, 0x21, 0xb9, 0x1b, 0x63, 0x17, 0xf9, 0xda, 0x89, 0x17,
-	0xf9, 0x4d, 0x98, 0xdb, 0x19, 0xd8, 0xf6, 0x01, 0x1f, 0x43, 0xe4, 0x36, 0x5f, 0x3c, 0x01, 0xfc,
-	0x9f, 0xb4, 0x9c, 0x7b, 0x25, 0x43, 0x07, 0x67, 0x5a, 0xa6, 0xef, 0xf5, 0xc7, 0xfe, 0xdd, 0x7b,
-	0xfd, 0xca, 0x08, 0xf7, 0xfa, 0x39, 0x17, 0xf1, 0x13, 0x23, 0x5c, 0xc4, 0x67, 0xbf, 0xb2, 0x94,
-	0x47, 0x7a, 0x65, 0x19, 0xe5, 0x52, 0x3f, 0x23, 0x1f, 0x9e, 0xf8, 0xad, 0xcb, 0x4b, 0x30, 0x13,
-	0x7f, 0xb3, 0x12, 0x61, 0x21, 0x9e, 0xcd, 0xe4, 0x0b, 0x51, 0x24, 0x2c, 0x44, 0x3b, 0x56, 0x1a,
-	0xfa, 0x91, 0x06, 0x97, 0xb3, 0xbf, 0x4d, 0x41, 0x36, 0xcc, 0xf4, 0x8c, 0xfb, 0xd1, 0xef, 0x85,
-	0xb4, 0x11, 0x89, 0x0f, 0x7f, 0x61, 0x58, 0x8f, 0x61, 0xe1, 0x04, 0x36, 0x7a, 0x1b, 0xaa, 0x3d,
-	0xe3, 0x7e, 0x6b, 0xe0, 0x75, 0xc9, 0xc8, 0x04, 0x8b, 0xef, 0xc8, 0x75, 0x89, 0x82, 0x15, 0x9e,
-	0xfe, 0x85, 0x06, 0xf3, 0x39, 0xef, 0x06, 0xff, 0x45, 0xa3, 0x7c, 0xaf, 0x04, 0x95, 0x96, 0x69,
-	0xd8, 0xe4, 0x0c, 0xb8, 0xc9, 0x6b, 0x31, 0x6e, 0x72, 0xd2, 0x37, 0xae, 0xdc, 0xab, 0x5c, 0x5a,
-	0x82, 0x13, 0xb4, 0xe4, 0xa9, 0x42, 0x68, 0xc7, 0x33, 0x92, 0xe7, 0x61, 0x52, 0x75, 0x3a, 0x5c,
-	0xa2, 0xd4, 0x7f, 0x59, 0x82, 0xa9, 0x48, 0x17, 0x43, 0xa6, 0xd9, 0x9d, 0x58, 0x6d, 0x29, 0x17,
-	0xb8, 0xb4, 0x89, 0xf4, 0x55, 0x0b, 0xaa, 0x89, 0xf8, 0x46, 0x23, 0x7c, 0x95, 0x4f, 0x17, 0x99,
-	0x97, 0x60, 0x86, 0x1a, 0x5e, 0x97, 0x50, 0x75, 0x02, 0x10, 0xf7, 0x95, 0xea, 0x63, 0xa1, 0x76,
-	0x4c, 0x8a, 0x13, 0xda, 0x8b, 0x2f, 0xc2, 0x74, 0xac, 0xb3, 0x61, 0x3e, 0xb1, 0x68, 0xac, 0x7c,
-	0xf2, 0xf9, 0xd2, 0xb9, 0x4f, 0x3f, 0x5f, 0x3a, 0xf7, 0xd9, 0xe7, 0x4b, 0xe7, 0x7e, 0x70, 0xb4,
-	0xa4, 0x7d, 0x72, 0xb4, 0xa4, 0x7d, 0x7a, 0xb4, 0xa4, 0x7d, 0x76, 0xb4, 0xa4, 0xfd, 0xed, 0x68,
-	0x49, 0xfb, 0xe9, 0x17, 0x4b, 0xe7, 0xde, 0x7e, 0xec, 0xd8, 0xff, 0x71, 0xf1, 0xaf, 0x00, 0x00,
-	0x00, 0xff, 0xff, 0x6a, 0x79, 0xb9, 0xab, 0x91, 0x31, 0x00, 0x00,
-}
+func (m *ScaleStatus) Reset() { *m = ScaleStatus{} }
 
 func (m *DaemonSet) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -2070,7 +649,7 @@ func (m *DeploymentRollback) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.UpdatedAnnotations {
 			keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+		sort.Strings(keysForUpdatedAnnotations)
 		for iNdEx := len(keysForUpdatedAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.UpdatedAnnotations[string(keysForUpdatedAnnotations[iNdEx])]
 			baseI := i
@@ -3759,7 +2338,7 @@ func (m *ScaleStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -4761,7 +3340,7 @@ func (this *DeploymentRollback) String() string {
 	for k := range this.UpdatedAnnotations {
 		keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+	sort.Strings(keysForUpdatedAnnotations)
 	mapStringForUpdatedAnnotations := "map[string]string{"
 	for _, k := range keysForUpdatedAnnotations {
 		mapStringForUpdatedAnnotations += fmt.Sprintf("%v: %v,", k, this.UpdatedAnnotations[k])
@@ -5268,7 +3847,7 @@ func (this *ScaleStatus) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
index fed0b4835d610..c664c71bd2689 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.proto
@@ -345,7 +345,7 @@ message DeploymentStatus {
   // Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
   // .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 9;
 
@@ -924,7 +924,7 @@ message ReplicaSetStatus {
   // The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
   // and have not yet reached the Failed or Succeeded .status.phase.
   //
-  // This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+  // This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
   // +optional
   optional int32 terminatingReplicas = 7;
 
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/extensions/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..ef18ae29964f5
--- /dev/null
+++ b/staging/src/k8s.io/api/extensions/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,112 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*DaemonSet) ProtoMessage() {}
+
+func (*DaemonSetCondition) ProtoMessage() {}
+
+func (*DaemonSetList) ProtoMessage() {}
+
+func (*DaemonSetSpec) ProtoMessage() {}
+
+func (*DaemonSetStatus) ProtoMessage() {}
+
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
+
+func (*Deployment) ProtoMessage() {}
+
+func (*DeploymentCondition) ProtoMessage() {}
+
+func (*DeploymentList) ProtoMessage() {}
+
+func (*DeploymentRollback) ProtoMessage() {}
+
+func (*DeploymentSpec) ProtoMessage() {}
+
+func (*DeploymentStatus) ProtoMessage() {}
+
+func (*DeploymentStrategy) ProtoMessage() {}
+
+func (*HTTPIngressPath) ProtoMessage() {}
+
+func (*HTTPIngressRuleValue) ProtoMessage() {}
+
+func (*IPBlock) ProtoMessage() {}
+
+func (*Ingress) ProtoMessage() {}
+
+func (*IngressBackend) ProtoMessage() {}
+
+func (*IngressList) ProtoMessage() {}
+
+func (*IngressLoadBalancerIngress) ProtoMessage() {}
+
+func (*IngressLoadBalancerStatus) ProtoMessage() {}
+
+func (*IngressPortStatus) ProtoMessage() {}
+
+func (*IngressRule) ProtoMessage() {}
+
+func (*IngressRuleValue) ProtoMessage() {}
+
+func (*IngressSpec) ProtoMessage() {}
+
+func (*IngressStatus) ProtoMessage() {}
+
+func (*IngressTLS) ProtoMessage() {}
+
+func (*NetworkPolicy) ProtoMessage() {}
+
+func (*NetworkPolicyEgressRule) ProtoMessage() {}
+
+func (*NetworkPolicyIngressRule) ProtoMessage() {}
+
+func (*NetworkPolicyList) ProtoMessage() {}
+
+func (*NetworkPolicyPeer) ProtoMessage() {}
+
+func (*NetworkPolicyPort) ProtoMessage() {}
+
+func (*NetworkPolicySpec) ProtoMessage() {}
+
+func (*ReplicaSet) ProtoMessage() {}
+
+func (*ReplicaSetCondition) ProtoMessage() {}
+
+func (*ReplicaSetList) ProtoMessage() {}
+
+func (*ReplicaSetSpec) ProtoMessage() {}
+
+func (*ReplicaSetStatus) ProtoMessage() {}
+
+func (*RollbackConfig) ProtoMessage() {}
+
+func (*RollingUpdateDaemonSet) ProtoMessage() {}
+
+func (*RollingUpdateDeployment) ProtoMessage() {}
+
+func (*Scale) ProtoMessage() {}
+
+func (*ScaleSpec) ProtoMessage() {}
+
+func (*ScaleStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go
index c7b50e0590c02..c0d8b4f9592d2 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go
@@ -274,7 +274,7 @@ type DeploymentStatus struct {
 	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
 	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,9,opt,name=terminatingReplicas"`
 
@@ -1006,7 +1006,7 @@ type ReplicaSetStatus struct {
 	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
 	// and have not yet reached the Failed or Succeeded .status.phase.
 	//
-	// This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
 	// +optional
 	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty" protobuf:"varint,7,opt,name=terminatingReplicas"`
 
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
index 8a158233efd97..ce64d7a299f2a 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
@@ -174,7 +174,7 @@ var map_DeploymentStatus = map[string]string{
 	"readyReplicas":       "Total number of non-terminating pods targeted by this Deployment with a Ready Condition.",
 	"availableReplicas":   "Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.",
 	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
-	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas": "Total number of terminating pods targeted by this deployment. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"conditions":          "Represents the latest available observations of a deployment's current state.",
 	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
 }
@@ -461,7 +461,7 @@ var map_ReplicaSetStatus = map[string]string{
 	"fullyLabeledReplicas": "The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.",
 	"readyReplicas":        "The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.",
 	"availableReplicas":    "The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.",
-	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.",
+	"terminatingReplicas":  "The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).",
 	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed ReplicaSet.",
 	"conditions":           "Represents the latest available observations of a replica set's current state.",
 }
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..bba6d5d9ddbd0
--- /dev/null
+++ b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,247 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetList) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetUpdateStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DaemonSetUpdateStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Deployment) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.Deployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentCondition) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentList) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentRollback) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentRollback"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentStrategy) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.DeploymentStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressPath) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.HTTPIngressPath"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.HTTPIngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPBlock) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IPBlock"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Ingress) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.Ingress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressBackend) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressBackend"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressList) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerIngress) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressLoadBalancerIngress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressLoadBalancerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressPortStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressPortStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRule) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressSpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressTLS) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.IngressTLS"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyEgressRule) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicyEgressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyIngressRule) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicyIngressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyPeer) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicyPeer"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyPort) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicyPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.NetworkPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSet) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ReplicaSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetCondition) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ReplicaSetCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetList) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ReplicaSetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ReplicaSetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ReplicaSetStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollbackConfig) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.RollbackConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDaemonSet) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.RollingUpdateDaemonSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RollingUpdateDeployment) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.RollingUpdateDeployment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scale) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.Scale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ScaleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScaleStatus) OpenAPIModelName() string {
+	return "io.k8s.api.extensions.v1beta1.ScaleStatus"
+}
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.validations.go b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.validations.go
index 6d2a1666ae31d..f4f0e317a763d 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.validations.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *runtime.Scheme) error {
+	// type Scale
 	scheme.AddValidationFunc((*Scale)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/scale":
@@ -47,32 +48,43 @@ func RegisterValidations(scheme *runtime.Scheme) error {
 	return nil
 }
 
+// Validate_Scale validates an instance of Scale according
+// to declarative validation rules in the API schema.
 func Validate_Scale(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Scale) (errs field.ErrorList) {
 	// field Scale.TypeMeta has no validation
 	// field Scale.ObjectMeta has no validation
 
 	// field Scale.Spec
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ScaleSpec) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ScaleSpec, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ScaleSpec(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *Scale) *ScaleSpec { return &oldObj.Spec }))...)
+		}(fldPath.Child("spec"), &obj.Spec, safe.Field(oldObj, func(oldObj *Scale) *ScaleSpec { return &oldObj.Spec }), oldObj != nil)...)
 
 	// field Scale.Status has no validation
 	return errs
 }
 
+// Validate_ScaleSpec validates an instance of ScaleSpec according
+// to declarative validation rules in the API schema.
 func Validate_ScaleSpec(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ScaleSpec) (errs field.ErrorList) {
 	// field ScaleSpec.Replicas
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *ScaleSpec) *int32 { return &oldObj.Replicas }))...)
+		}(fldPath.Child("replicas"), &obj.Replicas, safe.Field(oldObj, func(oldObj *ScaleSpec) *int32 { return &oldObj.Replicas }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/api/flowcontrol/v1/doc.go b/staging/src/k8s.io/api/flowcontrol/v1/doc.go
index ad5f457919148..b1367b9251649 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1/doc.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.flowcontrol.v1
 
 // +groupName=flowcontrol.apiserver.k8s.io
 
diff --git a/staging/src/k8s.io/api/flowcontrol/v1/generated.pb.go b/staging/src/k8s.io/api/flowcontrol/v1/generated.pb.go
index b342445f71bdb..d1f3186872f3b 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1/generated.pb.go
@@ -24,801 +24,56 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExemptPriorityLevelConfiguration) Reset() { *m = ExemptPriorityLevelConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FlowDistinguisherMethod) Reset() { *m = FlowDistinguisherMethod{} }
 
-func (m *ExemptPriorityLevelConfiguration) Reset()      { *m = ExemptPriorityLevelConfiguration{} }
-func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
-func (*ExemptPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{0}
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.DiscardUnknown(m)
-}
+func (m *FlowSchema) Reset() { *m = FlowSchema{} }
 
-var xxx_messageInfo_ExemptPriorityLevelConfiguration proto.InternalMessageInfo
+func (m *FlowSchemaCondition) Reset() { *m = FlowSchemaCondition{} }
 
-func (m *FlowDistinguisherMethod) Reset()      { *m = FlowDistinguisherMethod{} }
-func (*FlowDistinguisherMethod) ProtoMessage() {}
-func (*FlowDistinguisherMethod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{1}
-}
-func (m *FlowDistinguisherMethod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowDistinguisherMethod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowDistinguisherMethod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowDistinguisherMethod.Merge(m, src)
-}
-func (m *FlowDistinguisherMethod) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowDistinguisherMethod) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowDistinguisherMethod.DiscardUnknown(m)
-}
+func (m *FlowSchemaList) Reset() { *m = FlowSchemaList{} }
 
-var xxx_messageInfo_FlowDistinguisherMethod proto.InternalMessageInfo
+func (m *FlowSchemaSpec) Reset() { *m = FlowSchemaSpec{} }
 
-func (m *FlowSchema) Reset()      { *m = FlowSchema{} }
-func (*FlowSchema) ProtoMessage() {}
-func (*FlowSchema) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{2}
-}
-func (m *FlowSchema) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchema) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchema) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchema.Merge(m, src)
-}
-func (m *FlowSchema) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchema) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchema.DiscardUnknown(m)
-}
+func (m *FlowSchemaStatus) Reset() { *m = FlowSchemaStatus{} }
 
-var xxx_messageInfo_FlowSchema proto.InternalMessageInfo
+func (m *GroupSubject) Reset() { *m = GroupSubject{} }
 
-func (m *FlowSchemaCondition) Reset()      { *m = FlowSchemaCondition{} }
-func (*FlowSchemaCondition) ProtoMessage() {}
-func (*FlowSchemaCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{3}
-}
-func (m *FlowSchemaCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaCondition.Merge(m, src)
-}
-func (m *FlowSchemaCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaCondition.DiscardUnknown(m)
-}
+func (m *LimitResponse) Reset() { *m = LimitResponse{} }
 
-var xxx_messageInfo_FlowSchemaCondition proto.InternalMessageInfo
+func (m *LimitedPriorityLevelConfiguration) Reset() { *m = LimitedPriorityLevelConfiguration{} }
 
-func (m *FlowSchemaList) Reset()      { *m = FlowSchemaList{} }
-func (*FlowSchemaList) ProtoMessage() {}
-func (*FlowSchemaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{4}
-}
-func (m *FlowSchemaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaList.Merge(m, src)
-}
-func (m *FlowSchemaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaList.DiscardUnknown(m)
-}
+func (m *NonResourcePolicyRule) Reset() { *m = NonResourcePolicyRule{} }
 
-var xxx_messageInfo_FlowSchemaList proto.InternalMessageInfo
+func (m *PolicyRulesWithSubjects) Reset() { *m = PolicyRulesWithSubjects{} }
 
-func (m *FlowSchemaSpec) Reset()      { *m = FlowSchemaSpec{} }
-func (*FlowSchemaSpec) ProtoMessage() {}
-func (*FlowSchemaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{5}
-}
-func (m *FlowSchemaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaSpec.Merge(m, src)
-}
-func (m *FlowSchemaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaSpec.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfiguration) Reset() { *m = PriorityLevelConfiguration{} }
 
-var xxx_messageInfo_FlowSchemaSpec proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationCondition) Reset() { *m = PriorityLevelConfigurationCondition{} }
 
-func (m *FlowSchemaStatus) Reset()      { *m = FlowSchemaStatus{} }
-func (*FlowSchemaStatus) ProtoMessage() {}
-func (*FlowSchemaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{6}
-}
-func (m *FlowSchemaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaStatus.Merge(m, src)
-}
-func (m *FlowSchemaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaStatus.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationList) Reset() { *m = PriorityLevelConfigurationList{} }
 
-var xxx_messageInfo_FlowSchemaStatus proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationReference) Reset() { *m = PriorityLevelConfigurationReference{} }
 
-func (m *GroupSubject) Reset()      { *m = GroupSubject{} }
-func (*GroupSubject) ProtoMessage() {}
-func (*GroupSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{7}
-}
-func (m *GroupSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupSubject.Merge(m, src)
-}
-func (m *GroupSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupSubject.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationSpec) Reset() { *m = PriorityLevelConfigurationSpec{} }
 
-var xxx_messageInfo_GroupSubject proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationStatus) Reset() { *m = PriorityLevelConfigurationStatus{} }
 
-func (m *LimitResponse) Reset()      { *m = LimitResponse{} }
-func (*LimitResponse) ProtoMessage() {}
-func (*LimitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{8}
-}
-func (m *LimitResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitResponse.Merge(m, src)
-}
-func (m *LimitResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitResponse.DiscardUnknown(m)
-}
+func (m *QueuingConfiguration) Reset() { *m = QueuingConfiguration{} }
 
-var xxx_messageInfo_LimitResponse proto.InternalMessageInfo
+func (m *ResourcePolicyRule) Reset() { *m = ResourcePolicyRule{} }
 
-func (m *LimitedPriorityLevelConfiguration) Reset()      { *m = LimitedPriorityLevelConfiguration{} }
-func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
-func (*LimitedPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{9}
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitedPriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *NonResourcePolicyRule) Reset()      { *m = NonResourcePolicyRule{} }
-func (*NonResourcePolicyRule) ProtoMessage() {}
-func (*NonResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{10}
-}
-func (m *NonResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourcePolicyRule.Merge(m, src)
-}
-func (m *NonResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourcePolicyRule proto.InternalMessageInfo
-
-func (m *PolicyRulesWithSubjects) Reset()      { *m = PolicyRulesWithSubjects{} }
-func (*PolicyRulesWithSubjects) ProtoMessage() {}
-func (*PolicyRulesWithSubjects) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{11}
-}
-func (m *PolicyRulesWithSubjects) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRulesWithSubjects) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRulesWithSubjects) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRulesWithSubjects.Merge(m, src)
-}
-func (m *PolicyRulesWithSubjects) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRulesWithSubjects) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRulesWithSubjects.DiscardUnknown(m)
-}
+func (m *ServiceAccountSubject) Reset() { *m = ServiceAccountSubject{} }
 
-var xxx_messageInfo_PolicyRulesWithSubjects proto.InternalMessageInfo
+func (m *Subject) Reset() { *m = Subject{} }
 
-func (m *PriorityLevelConfiguration) Reset()      { *m = PriorityLevelConfiguration{} }
-func (*PriorityLevelConfiguration) ProtoMessage() {}
-func (*PriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{12}
-}
-func (m *PriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfiguration.Merge(m, src)
-}
-func (m *PriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationCondition) Reset()      { *m = PriorityLevelConfigurationCondition{} }
-func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
-func (*PriorityLevelConfigurationCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{13}
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationCondition proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationList) Reset()      { *m = PriorityLevelConfigurationList{} }
-func (*PriorityLevelConfigurationList) ProtoMessage() {}
-func (*PriorityLevelConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{14}
-}
-func (m *PriorityLevelConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationList.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationList proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationReference) Reset()      { *m = PriorityLevelConfigurationReference{} }
-func (*PriorityLevelConfigurationReference) ProtoMessage() {}
-func (*PriorityLevelConfigurationReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{15}
-}
-func (m *PriorityLevelConfigurationReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationReference.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationReference proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationSpec) Reset()      { *m = PriorityLevelConfigurationSpec{} }
-func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
-func (*PriorityLevelConfigurationSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{16}
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationSpec proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationStatus) Reset()      { *m = PriorityLevelConfigurationStatus{} }
-func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
-func (*PriorityLevelConfigurationStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{17}
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationStatus proto.InternalMessageInfo
-
-func (m *QueuingConfiguration) Reset()      { *m = QueuingConfiguration{} }
-func (*QueuingConfiguration) ProtoMessage() {}
-func (*QueuingConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{18}
-}
-func (m *QueuingConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *QueuingConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *QueuingConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QueuingConfiguration.Merge(m, src)
-}
-func (m *QueuingConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *QueuingConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_QueuingConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QueuingConfiguration proto.InternalMessageInfo
-
-func (m *ResourcePolicyRule) Reset()      { *m = ResourcePolicyRule{} }
-func (*ResourcePolicyRule) ProtoMessage() {}
-func (*ResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{19}
-}
-func (m *ResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePolicyRule.Merge(m, src)
-}
-func (m *ResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourcePolicyRule proto.InternalMessageInfo
-
-func (m *ServiceAccountSubject) Reset()      { *m = ServiceAccountSubject{} }
-func (*ServiceAccountSubject) ProtoMessage() {}
-func (*ServiceAccountSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{20}
-}
-func (m *ServiceAccountSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountSubject.Merge(m, src)
-}
-func (m *ServiceAccountSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceAccountSubject proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{21}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func (m *UserSubject) Reset()      { *m = UserSubject{} }
-func (*UserSubject) ProtoMessage() {}
-func (*UserSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5d08a1401821035d, []int{22}
-}
-func (m *UserSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserSubject.Merge(m, src)
-}
-func (m *UserSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserSubject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExemptPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1.ExemptPriorityLevelConfiguration")
-	proto.RegisterType((*FlowDistinguisherMethod)(nil), "k8s.io.api.flowcontrol.v1.FlowDistinguisherMethod")
-	proto.RegisterType((*FlowSchema)(nil), "k8s.io.api.flowcontrol.v1.FlowSchema")
-	proto.RegisterType((*FlowSchemaCondition)(nil), "k8s.io.api.flowcontrol.v1.FlowSchemaCondition")
-	proto.RegisterType((*FlowSchemaList)(nil), "k8s.io.api.flowcontrol.v1.FlowSchemaList")
-	proto.RegisterType((*FlowSchemaSpec)(nil), "k8s.io.api.flowcontrol.v1.FlowSchemaSpec")
-	proto.RegisterType((*FlowSchemaStatus)(nil), "k8s.io.api.flowcontrol.v1.FlowSchemaStatus")
-	proto.RegisterType((*GroupSubject)(nil), "k8s.io.api.flowcontrol.v1.GroupSubject")
-	proto.RegisterType((*LimitResponse)(nil), "k8s.io.api.flowcontrol.v1.LimitResponse")
-	proto.RegisterType((*LimitedPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1.LimitedPriorityLevelConfiguration")
-	proto.RegisterType((*NonResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1.NonResourcePolicyRule")
-	proto.RegisterType((*PolicyRulesWithSubjects)(nil), "k8s.io.api.flowcontrol.v1.PolicyRulesWithSubjects")
-	proto.RegisterType((*PriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfiguration")
-	proto.RegisterType((*PriorityLevelConfigurationCondition)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfigurationCondition")
-	proto.RegisterType((*PriorityLevelConfigurationList)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfigurationList")
-	proto.RegisterType((*PriorityLevelConfigurationReference)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfigurationReference")
-	proto.RegisterType((*PriorityLevelConfigurationSpec)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfigurationSpec")
-	proto.RegisterType((*PriorityLevelConfigurationStatus)(nil), "k8s.io.api.flowcontrol.v1.PriorityLevelConfigurationStatus")
-	proto.RegisterType((*QueuingConfiguration)(nil), "k8s.io.api.flowcontrol.v1.QueuingConfiguration")
-	proto.RegisterType((*ResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1.ResourcePolicyRule")
-	proto.RegisterType((*ServiceAccountSubject)(nil), "k8s.io.api.flowcontrol.v1.ServiceAccountSubject")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.flowcontrol.v1.Subject")
-	proto.RegisterType((*UserSubject)(nil), "k8s.io.api.flowcontrol.v1.UserSubject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/flowcontrol/v1/generated.proto", fileDescriptor_5d08a1401821035d)
-}
-
-var fileDescriptor_5d08a1401821035d = []byte{
-	// 1575 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0x4b, 0x6f, 0xdb, 0x56,
-	0x16, 0x36, 0x65, 0xc9, 0xb6, 0x8e, 0x9f, 0xb9, 0x8e, 0x61, 0xc5, 0x19, 0x48, 0x0e, 0x07, 0x93,
-	0xc7, 0x64, 0x42, 0x25, 0xc6, 0x64, 0x26, 0x41, 0x66, 0x26, 0x08, 0x93, 0x4c, 0x5e, 0xb6, 0xe3,
-	0x5c, 0xe5, 0x51, 0xa4, 0x05, 0x5a, 0x9a, 0xba, 0x96, 0x18, 0x8b, 0x8f, 0xf2, 0x92, 0x72, 0x5d,
-	0xa0, 0x40, 0x7f, 0x42, 0x56, 0x5d, 0x76, 0xd1, 0xfe, 0x83, 0xae, 0x8a, 0x76, 0xd3, 0x65, 0x76,
-	0xcd, 0x32, 0xed, 0x42, 0x68, 0xd4, 0xbf, 0xd0, 0x45, 0x9b, 0x55, 0x71, 0x2f, 0x2f, 0x49, 0x51,
-	0x12, 0x69, 0xc1, 0x8b, 0x74, 0xd3, 0x9d, 0x79, 0xce, 0x77, 0xbe, 0x73, 0xef, 0xb9, 0xe7, 0x25,
-	0xc3, 0x99, 0xdd, 0x4b, 0x54, 0x31, 0xec, 0xaa, 0xe6, 0x18, 0xd5, 0x9d, 0x96, 0xbd, 0xa7, 0xdb,
-	0x96, 0xe7, 0xda, 0xad, 0x6a, 0xfb, 0x42, 0xb5, 0x41, 0x2c, 0xe2, 0x6a, 0x1e, 0xa9, 0x2b, 0x8e,
-	0x6b, 0x7b, 0x36, 0x3a, 0x16, 0x40, 0x15, 0xcd, 0x31, 0x94, 0x1e, 0xa8, 0xd2, 0xbe, 0xb0, 0x72,
-	0xae, 0x61, 0x78, 0x4d, 0x7f, 0x5b, 0xd1, 0x6d, 0xb3, 0xda, 0xb0, 0x1b, 0x76, 0x95, 0x5b, 0x6c,
-	0xfb, 0x3b, 0xfc, 0x8b, 0x7f, 0xf0, 0xbf, 0x02, 0xa6, 0x95, 0x7f, 0xc6, 0x4e, 0x4d, 0x4d, 0x6f,
-	0x1a, 0x16, 0x71, 0xf7, 0xab, 0xce, 0x6e, 0x83, 0x09, 0x68, 0xd5, 0x24, 0x9e, 0x36, 0xc4, 0xff,
-	0x4a, 0x35, 0xcd, 0xca, 0xf5, 0x2d, 0xcf, 0x30, 0xc9, 0x80, 0xc1, 0xbf, 0x0e, 0x32, 0xa0, 0x7a,
-	0x93, 0x98, 0x5a, 0xbf, 0x9d, 0xfc, 0xad, 0x04, 0xab, 0x37, 0x3f, 0x22, 0xa6, 0xe3, 0x6d, 0xb9,
-	0x86, 0xed, 0x1a, 0xde, 0xfe, 0x3a, 0x69, 0x93, 0xd6, 0x75, 0xdb, 0xda, 0x31, 0x1a, 0xbe, 0xab,
-	0x79, 0x86, 0x6d, 0xa1, 0x77, 0xa0, 0x64, 0xd9, 0xa6, 0x61, 0x69, 0x4c, 0xae, 0xfb, 0xae, 0x4b,
-	0x2c, 0x7d, 0xbf, 0xd6, 0xd4, 0x5c, 0x42, 0x4b, 0xd2, 0xaa, 0x74, 0xba, 0xa0, 0xfe, 0xa5, 0xdb,
-	0xa9, 0x94, 0x36, 0x53, 0x30, 0x38, 0xd5, 0x1a, 0xfd, 0x17, 0xe6, 0x5b, 0xc4, 0xaa, 0x6b, 0xdb,
-	0x2d, 0xb2, 0x45, 0x5c, 0x9d, 0x58, 0x5e, 0x29, 0xc7, 0x09, 0x17, 0xbb, 0x9d, 0xca, 0xfc, 0x7a,
-	0x52, 0x85, 0xfb, 0xb1, 0xf2, 0x53, 0x58, 0xfe, 0x7f, 0xcb, 0xde, 0xbb, 0x61, 0x50, 0xcf, 0xb0,
-	0x1a, 0xbe, 0x41, 0x9b, 0xc4, 0xdd, 0x20, 0x5e, 0xd3, 0xae, 0xa3, 0xab, 0x90, 0xf7, 0xf6, 0x1d,
-	0xc2, 0xcf, 0x57, 0x54, 0xcf, 0xbe, 0xe8, 0x54, 0xc6, 0xba, 0x9d, 0x4a, 0xfe, 0xe1, 0xbe, 0x43,
-	0xde, 0x74, 0x2a, 0xc7, 0x53, 0xcc, 0x98, 0x1a, 0x73, 0x43, 0xf9, 0x79, 0x0e, 0x80, 0xa1, 0x6a,
-	0x3c, 0x70, 0xe8, 0x03, 0x98, 0x62, 0x8f, 0x55, 0xd7, 0x3c, 0x8d, 0x73, 0x4e, 0xaf, 0x9d, 0x57,
-	0xe2, 0x24, 0x89, 0x62, 0xae, 0x38, 0xbb, 0x0d, 0x26, 0xa0, 0x0a, 0x43, 0x2b, 0xed, 0x0b, 0xca,
-	0xfd, 0xed, 0x67, 0x44, 0xf7, 0x36, 0x88, 0xa7, 0xa9, 0x48, 0x9c, 0x02, 0x62, 0x19, 0x8e, 0x58,
-	0xd1, 0x3d, 0xc8, 0x53, 0x87, 0xe8, 0x3c, 0x00, 0xd3, 0x6b, 0x67, 0x94, 0xd4, 0x14, 0x54, 0xe2,
-	0x63, 0xd5, 0x1c, 0xa2, 0xab, 0x33, 0xe1, 0xe5, 0xd8, 0x17, 0xe6, 0x24, 0xa8, 0x06, 0x13, 0xd4,
-	0xd3, 0x3c, 0x9f, 0x96, 0xc6, 0x39, 0xdd, 0xd9, 0xd1, 0xe8, 0xb8, 0x89, 0x3a, 0x27, 0x08, 0x27,
-	0x82, 0x6f, 0x2c, 0xa8, 0xe4, 0x57, 0x39, 0x58, 0x8c, 0xc1, 0xd7, 0x6d, 0xab, 0x6e, 0xf0, 0xfc,
-	0xb8, 0x92, 0x88, 0xf5, 0xa9, 0xbe, 0x58, 0x2f, 0x0f, 0x31, 0x89, 0xe3, 0x8c, 0x2e, 0x47, 0x27,
-	0xcd, 0x71, 0xf3, 0x13, 0x49, 0xe7, 0x6f, 0x3a, 0x95, 0xf9, 0xc8, 0x2c, 0x79, 0x1e, 0xd4, 0x06,
-	0xd4, 0xd2, 0xa8, 0xf7, 0xd0, 0xd5, 0x2c, 0x1a, 0xd0, 0x1a, 0x26, 0x11, 0x17, 0xfe, 0xfb, 0x68,
-	0xaf, 0xc3, 0x2c, 0xd4, 0x15, 0xe1, 0x12, 0xad, 0x0f, 0xb0, 0xe1, 0x21, 0x1e, 0xd0, 0x49, 0x98,
-	0x70, 0x89, 0x46, 0x6d, 0xab, 0x94, 0xe7, 0x47, 0x8e, 0xe2, 0x85, 0xb9, 0x14, 0x0b, 0x2d, 0x3a,
-	0x03, 0x93, 0x26, 0xa1, 0x54, 0x6b, 0x90, 0x52, 0x81, 0x03, 0xe7, 0x05, 0x70, 0x72, 0x23, 0x10,
-	0xe3, 0x50, 0x2f, 0x7f, 0x23, 0xc1, 0x5c, 0x1c, 0xa7, 0x75, 0x83, 0x7a, 0xe8, 0xbd, 0x81, 0x8c,
-	0x53, 0x46, 0xbb, 0x13, 0xb3, 0xe6, 0xf9, 0xb6, 0x20, 0xdc, 0x4d, 0x85, 0x92, 0x9e, 0x6c, 0xbb,
-	0x0b, 0x05, 0xc3, 0x23, 0x26, 0x8b, 0xfa, 0xf8, 0xe9, 0xe9, 0xb5, 0xbf, 0x8d, 0x94, 0x1f, 0xea,
-	0xac, 0x60, 0x2c, 0xdc, 0x61, 0xb6, 0x38, 0xa0, 0x90, 0x7f, 0x18, 0xef, 0x3d, 0x3c, 0xcb, 0x42,
-	0xf4, 0x85, 0x04, 0x2b, 0x4e, 0x6a, 0x47, 0x11, 0xf7, 0xf9, 0x5f, 0x86, 0xd3, 0xf4, 0x76, 0x84,
-	0xc9, 0x0e, 0x61, 0x3d, 0x84, 0xa8, 0xb2, 0x38, 0xcd, 0x4a, 0x06, 0x38, 0xe3, 0x14, 0xe8, 0x2e,
-	0x20, 0x53, 0xf3, 0x58, 0x1c, 0x1b, 0x5b, 0x2e, 0xd1, 0x49, 0x9d, 0xb1, 0x8a, 0x06, 0x14, 0xe5,
-	0xc4, 0xc6, 0x00, 0x02, 0x0f, 0xb1, 0x42, 0x9f, 0xc0, 0x62, 0x7d, 0xb0, 0x9f, 0x88, 0x64, 0x5c,
-	0x3b, 0x20, 0xba, 0x43, 0x3a, 0x91, 0xba, 0xdc, 0xed, 0x54, 0x16, 0x87, 0x28, 0xf0, 0x30, 0x3f,
-	0xe8, 0x09, 0x14, 0x5c, 0xbf, 0x45, 0x68, 0x29, 0xcf, 0x9f, 0x33, 0xcb, 0xe1, 0x96, 0xdd, 0x32,
-	0xf4, 0x7d, 0xcc, 0xd0, 0x4f, 0x0c, 0xaf, 0x59, 0xf3, 0x79, 0x33, 0xa2, 0xf1, 0xdb, 0x72, 0x15,
-	0x0e, 0xf8, 0xe4, 0x36, 0x2c, 0xf4, 0xf7, 0x07, 0xb4, 0x0d, 0xa0, 0x87, 0x25, 0xc9, 0x26, 0xc0,
-	0x78, 0x5f, 0x6e, 0xa6, 0x27, 0x50, 0x54, 0xc9, 0x71, 0x2f, 0x8c, 0x44, 0x14, 0xf7, 0xb0, 0xca,
-	0xe7, 0x61, 0xe6, 0x96, 0x6b, 0xfb, 0x8e, 0x38, 0x1e, 0x5a, 0x85, 0xbc, 0xa5, 0x99, 0x61, 0x8f,
-	0x89, 0x5a, 0xde, 0xa6, 0x66, 0x12, 0xcc, 0x35, 0xf2, 0xe7, 0x12, 0xcc, 0xae, 0x1b, 0xa6, 0xe1,
-	0x61, 0x42, 0x1d, 0xdb, 0xa2, 0x04, 0x5d, 0x4c, 0xf4, 0xa5, 0x13, 0x7d, 0x7d, 0xe9, 0x48, 0x02,
-	0xdc, 0xd3, 0x91, 0x1e, 0xc3, 0xe4, 0x87, 0x3e, 0xf1, 0x0d, 0xab, 0x21, 0x7a, 0x71, 0x35, 0xe3,
-	0x6e, 0x0f, 0x02, 0x64, 0x22, 0xb1, 0xd4, 0x69, 0x56, 0xe3, 0x42, 0x83, 0x43, 0x32, 0xf9, 0x97,
-	0x1c, 0x9c, 0xe0, 0x3e, 0x49, 0xfd, 0x0f, 0x19, 0xb6, 0x04, 0x66, 0x5b, 0xbd, 0x57, 0x16, 0xb7,
-	0x3b, 0x9d, 0x71, 0xbb, 0x44, 0x88, 0xd4, 0x25, 0x11, 0xc1, 0x64, 0x98, 0x71, 0x92, 0x75, 0xd8,
-	0x4c, 0x1f, 0x1f, 0x7d, 0xa6, 0xa3, 0xfb, 0xb0, 0xb4, 0x6d, 0xbb, 0xae, 0xbd, 0x67, 0x58, 0x0d,
-	0xee, 0x27, 0x24, 0xc9, 0x73, 0x92, 0x63, 0xdd, 0x4e, 0x65, 0x49, 0x1d, 0x06, 0xc0, 0xc3, 0xed,
-	0xe4, 0x3d, 0x58, 0xda, 0x64, 0x5d, 0x83, 0xda, 0xbe, 0xab, 0x93, 0x38, 0xfb, 0x51, 0x05, 0x0a,
-	0x6d, 0xe2, 0x6e, 0x07, 0x19, 0x5c, 0x54, 0x8b, 0x2c, 0xf7, 0x1f, 0x33, 0x01, 0x0e, 0xe4, 0xec,
-	0x26, 0x56, 0x6c, 0xf9, 0x08, 0xaf, 0xd3, 0xd2, 0x04, 0x87, 0xf2, 0x9b, 0x6c, 0x26, 0x55, 0xb8,
-	0x1f, 0x2b, 0x7f, 0x9f, 0x83, 0xe5, 0x94, 0x62, 0x43, 0x5b, 0x30, 0x45, 0xc5, 0xdf, 0xa2, 0x80,
-	0xe4, 0x8c, 0x67, 0x10, 0x66, 0x71, 0x43, 0x0f, 0x79, 0x70, 0xc4, 0x82, 0x9e, 0xc1, 0xac, 0x2b,
-	0xbc, 0x73, 0x77, 0xa2, 0xb1, 0x9f, 0xcb, 0xa0, 0x1d, 0x8c, 0x49, 0xfc, 0xc4, 0xb8, 0x97, 0x0b,
-	0x27, 0xa9, 0x51, 0x1b, 0x16, 0x7a, 0x2e, 0x1b, 0xb8, 0x1b, 0xe7, 0xee, 0xce, 0x67, 0xb8, 0x1b,
-	0xfa, 0x0a, 0x6a, 0x49, 0x78, 0x5c, 0xd8, 0xec, 0x63, 0xc4, 0x03, 0x3e, 0xe4, 0xef, 0x72, 0x90,
-	0xd1, 0xeb, 0xdf, 0xc2, 0x8e, 0xf6, 0x6e, 0x62, 0x47, 0xbb, 0x7c, 0xa8, 0xf9, 0x95, 0xba, 0xb3,
-	0xe9, 0x7d, 0x3b, 0xdb, 0x95, 0xc3, 0xd1, 0x67, 0xef, 0x70, 0xbf, 0xe6, 0xe0, 0xaf, 0xe9, 0xc6,
-	0xf1, 0x4e, 0x77, 0x2f, 0xd1, 0x3b, 0xff, 0xdd, 0xd7, 0x3b, 0x4f, 0x8d, 0x40, 0xf1, 0xe7, 0x8e,
-	0xd7, 0xb7, 0xe3, 0xfd, 0x28, 0x41, 0x39, 0x3d, 0x6e, 0x6f, 0x61, 0xe7, 0x7b, 0x9a, 0xdc, 0xf9,
-	0x2e, 0x1e, 0x2a, 0xbf, 0x52, 0x76, 0xc0, 0x5b, 0x59, 0x69, 0x15, 0xad, 0x6c, 0x23, 0x8c, 0xf1,
-	0x2f, 0x73, 0x59, 0x51, 0xe2, 0xcb, 0xe5, 0x01, 0xbf, 0x37, 0x12, 0xd6, 0x37, 0x2d, 0x36, 0x5c,
-	0x4c, 0x36, 0x1f, 0x82, 0x5c, 0xd4, 0x61, 0xb2, 0x15, 0x0c, 0x61, 0x51, 0xc5, 0xff, 0x39, 0x68,
-	0xfe, 0x65, 0x8d, 0xeb, 0x60, 0xd4, 0x0b, 0x18, 0x0e, 0x99, 0xd1, 0xfb, 0x30, 0x41, 0xf8, 0xaf,
-	0xea, 0x11, 0x4a, 0xf9, 0xa0, 0x9f, 0xdf, 0x2a, 0xb0, 0xb4, 0x0b, 0x50, 0x58, 0xd0, 0xca, 0x9f,
-	0x49, 0xb0, 0x7a, 0x50, 0x0f, 0x40, 0xee, 0x90, 0x3d, 0xed, 0x70, 0x3b, 0xf7, 0xe8, 0x7b, 0xdb,
-	0x57, 0x12, 0x1c, 0x1d, 0xb6, 0x13, 0xb1, 0x82, 0x62, 0x8b, 0x50, 0xb4, 0xc5, 0x44, 0x05, 0xf5,
-	0x80, 0x4b, 0xb1, 0xd0, 0xa2, 0x7f, 0xc0, 0x54, 0x53, 0xb3, 0xea, 0x35, 0xe3, 0xe3, 0x70, 0x15,
-	0x8f, 0x52, 0xfa, 0xb6, 0x90, 0xe3, 0x08, 0x81, 0x6e, 0xc0, 0x02, 0xb7, 0x5b, 0x27, 0x56, 0xc3,
-	0x6b, 0xf2, 0x77, 0x10, 0xdb, 0x46, 0x34, 0x57, 0x1e, 0xf4, 0xe9, 0xf1, 0x80, 0x85, 0xfc, 0x9b,
-	0x04, 0xe8, 0x30, 0x0b, 0xc2, 0x59, 0x28, 0x6a, 0x8e, 0xc1, 0xf7, 0xd4, 0xa0, 0xa8, 0x8a, 0xea,
-	0x6c, 0xb7, 0x53, 0x29, 0x5e, 0xdb, 0xba, 0x13, 0x08, 0x71, 0xac, 0x67, 0xe0, 0x70, 0x8a, 0x06,
-	0xd3, 0x52, 0x80, 0x43, 0xc7, 0x14, 0xc7, 0x7a, 0x74, 0x09, 0x66, 0xf4, 0x96, 0x4f, 0x3d, 0xe2,
-	0xd6, 0x74, 0xdb, 0x21, 0xbc, 0x09, 0x4d, 0xa9, 0x47, 0xc5, 0x9d, 0x66, 0xae, 0xf7, 0xe8, 0x70,
-	0x02, 0x89, 0x14, 0x00, 0x56, 0x47, 0xd4, 0xd1, 0x98, 0x9f, 0x02, 0xf7, 0x33, 0xc7, 0x1e, 0x6c,
-	0x33, 0x92, 0xe2, 0x1e, 0x84, 0xfc, 0x0c, 0x96, 0x6a, 0xc4, 0x6d, 0x1b, 0x3a, 0xb9, 0xa6, 0xeb,
-	0xb6, 0x6f, 0x79, 0xe1, 0xc6, 0x5d, 0x85, 0x62, 0x04, 0x13, 0xa5, 0x76, 0x44, 0xf8, 0x2f, 0x46,
-	0x5c, 0x38, 0xc6, 0x44, 0xb5, 0x9d, 0x4b, 0xad, 0xed, 0xaf, 0x73, 0x30, 0x19, 0xd3, 0xe7, 0x77,
-	0x0d, 0xab, 0x2e, 0x98, 0x8f, 0x87, 0xe8, 0x7b, 0x86, 0x55, 0x7f, 0xd3, 0xa9, 0x4c, 0x0b, 0x18,
-	0xfb, 0xc4, 0x1c, 0x88, 0x6e, 0x40, 0xde, 0xa7, 0xc4, 0x15, 0x55, 0x7b, 0x32, 0x23, 0x8f, 0x1f,
-	0x51, 0xe2, 0x86, 0x2b, 0xd3, 0x14, 0x23, 0x65, 0x02, 0xcc, 0xad, 0xd1, 0x6d, 0x28, 0x34, 0xd8,
-	0x7b, 0x88, 0xc2, 0x3c, 0x95, 0x41, 0xd3, 0xfb, 0xfb, 0x23, 0x78, 0x7c, 0x2e, 0xc1, 0x01, 0x01,
-	0x6a, 0xc1, 0x1c, 0x4d, 0x04, 0x8e, 0x3f, 0x52, 0xf6, 0x0a, 0x34, 0x34, 0xd2, 0x2a, 0xea, 0x76,
-	0x2a, 0x73, 0x49, 0x15, 0xee, 0xe3, 0x96, 0xab, 0x30, 0xdd, 0x73, 0xad, 0x83, 0xfb, 0xa8, 0x7a,
-	0xf5, 0xc5, 0xeb, 0xf2, 0xd8, 0xcb, 0xd7, 0xe5, 0xb1, 0x57, 0xaf, 0xcb, 0x63, 0x9f, 0x76, 0xcb,
-	0xd2, 0x8b, 0x6e, 0x59, 0x7a, 0xd9, 0x2d, 0x4b, 0xaf, 0xba, 0x65, 0xe9, 0xa7, 0x6e, 0x59, 0x7a,
-	0xfe, 0x73, 0x79, 0xec, 0xe9, 0xb1, 0xd4, 0xff, 0x89, 0xfe, 0x1e, 0x00, 0x00, 0xff, 0xff, 0x16,
-	0x4e, 0x14, 0xcf, 0x2f, 0x15, 0x00, 0x00,
-}
+func (m *UserSubject) Reset() { *m = UserSubject{} }
 
 func (m *ExemptPriorityLevelConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/flowcontrol/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/flowcontrol/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..51612dee82634
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1/generated.protomessage.pb.go
@@ -0,0 +1,68 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*FlowDistinguisherMethod) ProtoMessage() {}
+
+func (*FlowSchema) ProtoMessage() {}
+
+func (*FlowSchemaCondition) ProtoMessage() {}
+
+func (*FlowSchemaList) ProtoMessage() {}
+
+func (*FlowSchemaSpec) ProtoMessage() {}
+
+func (*FlowSchemaStatus) ProtoMessage() {}
+
+func (*GroupSubject) ProtoMessage() {}
+
+func (*LimitResponse) ProtoMessage() {}
+
+func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*NonResourcePolicyRule) ProtoMessage() {}
+
+func (*PolicyRulesWithSubjects) ProtoMessage() {}
+
+func (*PriorityLevelConfiguration) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationList) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationReference) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
+
+func (*QueuingConfiguration) ProtoMessage() {}
+
+func (*ResourcePolicyRule) ProtoMessage() {}
+
+func (*ServiceAccountSubject) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
+
+func (*UserSubject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/flowcontrol/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..a3bfb2c5dc4df
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1/zz_generated.model_name.go
@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExemptPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowDistinguisherMethod) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchema) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowSchema"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowSchemaCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowSchemaList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowSchemaSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.FlowSchemaStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.GroupSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitResponse) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.LimitResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitedPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.NonResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRulesWithSubjects) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationReference) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QueuingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.QueuingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.ResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.ServiceAccountSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.Subject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1.UserSubject"
+}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta1/doc.go b/staging/src/k8s.io/api/flowcontrol/v1beta1/doc.go
index 20268c1f2dad5..e66df16d6a07c 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.flowcontrol.v1beta1
 
 // +groupName=flowcontrol.apiserver.k8s.io
 
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.pb.go
index 96e368f6fdb9b..de8950c212bf8 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.pb.go
@@ -24,802 +24,56 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExemptPriorityLevelConfiguration) Reset() { *m = ExemptPriorityLevelConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FlowDistinguisherMethod) Reset() { *m = FlowDistinguisherMethod{} }
 
-func (m *ExemptPriorityLevelConfiguration) Reset()      { *m = ExemptPriorityLevelConfiguration{} }
-func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
-func (*ExemptPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{0}
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.DiscardUnknown(m)
-}
+func (m *FlowSchema) Reset() { *m = FlowSchema{} }
 
-var xxx_messageInfo_ExemptPriorityLevelConfiguration proto.InternalMessageInfo
+func (m *FlowSchemaCondition) Reset() { *m = FlowSchemaCondition{} }
 
-func (m *FlowDistinguisherMethod) Reset()      { *m = FlowDistinguisherMethod{} }
-func (*FlowDistinguisherMethod) ProtoMessage() {}
-func (*FlowDistinguisherMethod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{1}
-}
-func (m *FlowDistinguisherMethod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowDistinguisherMethod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowDistinguisherMethod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowDistinguisherMethod.Merge(m, src)
-}
-func (m *FlowDistinguisherMethod) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowDistinguisherMethod) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowDistinguisherMethod.DiscardUnknown(m)
-}
+func (m *FlowSchemaList) Reset() { *m = FlowSchemaList{} }
 
-var xxx_messageInfo_FlowDistinguisherMethod proto.InternalMessageInfo
+func (m *FlowSchemaSpec) Reset() { *m = FlowSchemaSpec{} }
 
-func (m *FlowSchema) Reset()      { *m = FlowSchema{} }
-func (*FlowSchema) ProtoMessage() {}
-func (*FlowSchema) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{2}
-}
-func (m *FlowSchema) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchema) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchema) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchema.Merge(m, src)
-}
-func (m *FlowSchema) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchema) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchema.DiscardUnknown(m)
-}
+func (m *FlowSchemaStatus) Reset() { *m = FlowSchemaStatus{} }
 
-var xxx_messageInfo_FlowSchema proto.InternalMessageInfo
+func (m *GroupSubject) Reset() { *m = GroupSubject{} }
 
-func (m *FlowSchemaCondition) Reset()      { *m = FlowSchemaCondition{} }
-func (*FlowSchemaCondition) ProtoMessage() {}
-func (*FlowSchemaCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{3}
-}
-func (m *FlowSchemaCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaCondition.Merge(m, src)
-}
-func (m *FlowSchemaCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaCondition.DiscardUnknown(m)
-}
+func (m *LimitResponse) Reset() { *m = LimitResponse{} }
 
-var xxx_messageInfo_FlowSchemaCondition proto.InternalMessageInfo
+func (m *LimitedPriorityLevelConfiguration) Reset() { *m = LimitedPriorityLevelConfiguration{} }
 
-func (m *FlowSchemaList) Reset()      { *m = FlowSchemaList{} }
-func (*FlowSchemaList) ProtoMessage() {}
-func (*FlowSchemaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{4}
-}
-func (m *FlowSchemaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaList.Merge(m, src)
-}
-func (m *FlowSchemaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaList.DiscardUnknown(m)
-}
+func (m *NonResourcePolicyRule) Reset() { *m = NonResourcePolicyRule{} }
 
-var xxx_messageInfo_FlowSchemaList proto.InternalMessageInfo
+func (m *PolicyRulesWithSubjects) Reset() { *m = PolicyRulesWithSubjects{} }
 
-func (m *FlowSchemaSpec) Reset()      { *m = FlowSchemaSpec{} }
-func (*FlowSchemaSpec) ProtoMessage() {}
-func (*FlowSchemaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{5}
-}
-func (m *FlowSchemaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaSpec.Merge(m, src)
-}
-func (m *FlowSchemaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaSpec.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfiguration) Reset() { *m = PriorityLevelConfiguration{} }
 
-var xxx_messageInfo_FlowSchemaSpec proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationCondition) Reset() { *m = PriorityLevelConfigurationCondition{} }
 
-func (m *FlowSchemaStatus) Reset()      { *m = FlowSchemaStatus{} }
-func (*FlowSchemaStatus) ProtoMessage() {}
-func (*FlowSchemaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{6}
-}
-func (m *FlowSchemaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaStatus.Merge(m, src)
-}
-func (m *FlowSchemaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaStatus.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationList) Reset() { *m = PriorityLevelConfigurationList{} }
 
-var xxx_messageInfo_FlowSchemaStatus proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationReference) Reset() { *m = PriorityLevelConfigurationReference{} }
 
-func (m *GroupSubject) Reset()      { *m = GroupSubject{} }
-func (*GroupSubject) ProtoMessage() {}
-func (*GroupSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{7}
-}
-func (m *GroupSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupSubject.Merge(m, src)
-}
-func (m *GroupSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupSubject.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationSpec) Reset() { *m = PriorityLevelConfigurationSpec{} }
 
-var xxx_messageInfo_GroupSubject proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationStatus) Reset() { *m = PriorityLevelConfigurationStatus{} }
 
-func (m *LimitResponse) Reset()      { *m = LimitResponse{} }
-func (*LimitResponse) ProtoMessage() {}
-func (*LimitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{8}
-}
-func (m *LimitResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitResponse.Merge(m, src)
-}
-func (m *LimitResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitResponse.DiscardUnknown(m)
-}
+func (m *QueuingConfiguration) Reset() { *m = QueuingConfiguration{} }
 
-var xxx_messageInfo_LimitResponse proto.InternalMessageInfo
+func (m *ResourcePolicyRule) Reset() { *m = ResourcePolicyRule{} }
 
-func (m *LimitedPriorityLevelConfiguration) Reset()      { *m = LimitedPriorityLevelConfiguration{} }
-func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
-func (*LimitedPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{9}
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitedPriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *NonResourcePolicyRule) Reset()      { *m = NonResourcePolicyRule{} }
-func (*NonResourcePolicyRule) ProtoMessage() {}
-func (*NonResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{10}
-}
-func (m *NonResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourcePolicyRule.Merge(m, src)
-}
-func (m *NonResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourcePolicyRule proto.InternalMessageInfo
-
-func (m *PolicyRulesWithSubjects) Reset()      { *m = PolicyRulesWithSubjects{} }
-func (*PolicyRulesWithSubjects) ProtoMessage() {}
-func (*PolicyRulesWithSubjects) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{11}
-}
-func (m *PolicyRulesWithSubjects) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRulesWithSubjects) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRulesWithSubjects) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRulesWithSubjects.Merge(m, src)
-}
-func (m *PolicyRulesWithSubjects) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRulesWithSubjects) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRulesWithSubjects.DiscardUnknown(m)
-}
+func (m *ServiceAccountSubject) Reset() { *m = ServiceAccountSubject{} }
 
-var xxx_messageInfo_PolicyRulesWithSubjects proto.InternalMessageInfo
+func (m *Subject) Reset() { *m = Subject{} }
 
-func (m *PriorityLevelConfiguration) Reset()      { *m = PriorityLevelConfiguration{} }
-func (*PriorityLevelConfiguration) ProtoMessage() {}
-func (*PriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{12}
-}
-func (m *PriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfiguration.Merge(m, src)
-}
-func (m *PriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationCondition) Reset()      { *m = PriorityLevelConfigurationCondition{} }
-func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
-func (*PriorityLevelConfigurationCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{13}
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationCondition proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationList) Reset()      { *m = PriorityLevelConfigurationList{} }
-func (*PriorityLevelConfigurationList) ProtoMessage() {}
-func (*PriorityLevelConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{14}
-}
-func (m *PriorityLevelConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationList.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationList proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationReference) Reset()      { *m = PriorityLevelConfigurationReference{} }
-func (*PriorityLevelConfigurationReference) ProtoMessage() {}
-func (*PriorityLevelConfigurationReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{15}
-}
-func (m *PriorityLevelConfigurationReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationReference.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationReference proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationSpec) Reset()      { *m = PriorityLevelConfigurationSpec{} }
-func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
-func (*PriorityLevelConfigurationSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{16}
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationSpec proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationStatus) Reset()      { *m = PriorityLevelConfigurationStatus{} }
-func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
-func (*PriorityLevelConfigurationStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{17}
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationStatus proto.InternalMessageInfo
-
-func (m *QueuingConfiguration) Reset()      { *m = QueuingConfiguration{} }
-func (*QueuingConfiguration) ProtoMessage() {}
-func (*QueuingConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{18}
-}
-func (m *QueuingConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *QueuingConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *QueuingConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QueuingConfiguration.Merge(m, src)
-}
-func (m *QueuingConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *QueuingConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_QueuingConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QueuingConfiguration proto.InternalMessageInfo
-
-func (m *ResourcePolicyRule) Reset()      { *m = ResourcePolicyRule{} }
-func (*ResourcePolicyRule) ProtoMessage() {}
-func (*ResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{19}
-}
-func (m *ResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePolicyRule.Merge(m, src)
-}
-func (m *ResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourcePolicyRule proto.InternalMessageInfo
-
-func (m *ServiceAccountSubject) Reset()      { *m = ServiceAccountSubject{} }
-func (*ServiceAccountSubject) ProtoMessage() {}
-func (*ServiceAccountSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{20}
-}
-func (m *ServiceAccountSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountSubject.Merge(m, src)
-}
-func (m *ServiceAccountSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceAccountSubject proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{21}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func (m *UserSubject) Reset()      { *m = UserSubject{} }
-func (*UserSubject) ProtoMessage() {}
-func (*UserSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3a5cb22a034fcb2a, []int{22}
-}
-func (m *UserSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserSubject.Merge(m, src)
-}
-func (m *UserSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserSubject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExemptPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta1.ExemptPriorityLevelConfiguration")
-	proto.RegisterType((*FlowDistinguisherMethod)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowDistinguisherMethod")
-	proto.RegisterType((*FlowSchema)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowSchema")
-	proto.RegisterType((*FlowSchemaCondition)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowSchemaCondition")
-	proto.RegisterType((*FlowSchemaList)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowSchemaList")
-	proto.RegisterType((*FlowSchemaSpec)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowSchemaSpec")
-	proto.RegisterType((*FlowSchemaStatus)(nil), "k8s.io.api.flowcontrol.v1beta1.FlowSchemaStatus")
-	proto.RegisterType((*GroupSubject)(nil), "k8s.io.api.flowcontrol.v1beta1.GroupSubject")
-	proto.RegisterType((*LimitResponse)(nil), "k8s.io.api.flowcontrol.v1beta1.LimitResponse")
-	proto.RegisterType((*LimitedPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration")
-	proto.RegisterType((*NonResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta1.NonResourcePolicyRule")
-	proto.RegisterType((*PolicyRulesWithSubjects)(nil), "k8s.io.api.flowcontrol.v1beta1.PolicyRulesWithSubjects")
-	proto.RegisterType((*PriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfiguration")
-	proto.RegisterType((*PriorityLevelConfigurationCondition)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfigurationCondition")
-	proto.RegisterType((*PriorityLevelConfigurationList)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfigurationList")
-	proto.RegisterType((*PriorityLevelConfigurationReference)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfigurationReference")
-	proto.RegisterType((*PriorityLevelConfigurationSpec)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfigurationSpec")
-	proto.RegisterType((*PriorityLevelConfigurationStatus)(nil), "k8s.io.api.flowcontrol.v1beta1.PriorityLevelConfigurationStatus")
-	proto.RegisterType((*QueuingConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta1.QueuingConfiguration")
-	proto.RegisterType((*ResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta1.ResourcePolicyRule")
-	proto.RegisterType((*ServiceAccountSubject)(nil), "k8s.io.api.flowcontrol.v1beta1.ServiceAccountSubject")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.flowcontrol.v1beta1.Subject")
-	proto.RegisterType((*UserSubject)(nil), "k8s.io.api.flowcontrol.v1beta1.UserSubject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/flowcontrol/v1beta1/generated.proto", fileDescriptor_3a5cb22a034fcb2a)
-}
-
-var fileDescriptor_3a5cb22a034fcb2a = []byte{
-	// 1599 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x73, 0xdb, 0xc4,
-	0x17, 0x8f, 0x1c, 0x3b, 0x89, 0x5f, 0x7e, 0x76, 0xd3, 0x4c, 0xfc, 0x4d, 0xbf, 0x63, 0xa7, 0x62,
-	0x86, 0x02, 0x6d, 0xe5, 0xb6, 0xb4, 0xb4, 0xc0, 0xf0, 0x23, 0x4a, 0x4b, 0x29, 0x4d, 0xd2, 0x74,
-	0xd3, 0x42, 0xa7, 0x74, 0x86, 0x2a, 0xf2, 0xc6, 0x56, 0x63, 0xfd, 0xa8, 0x56, 0x4a, 0x08, 0xbd,
-	0x30, 0xfc, 0x05, 0x9c, 0xe1, 0xc8, 0x81, 0x13, 0x17, 0xae, 0x1c, 0x38, 0xd2, 0xe1, 0xd4, 0x63,
-	0x4f, 0x86, 0x9a, 0x13, 0xff, 0x01, 0x74, 0x86, 0x19, 0x66, 0x57, 0x2b, 0xc9, 0xb2, 0x2d, 0xcb,
-	0xd3, 0xce, 0xf4, 0xc4, 0x2d, 0x7a, 0xfb, 0x79, 0x9f, 0xb7, 0xef, 0xed, 0xfb, 0xe5, 0x80, 0xb2,
-	0x7b, 0x81, 0x2a, 0x86, 0x5d, 0xd5, 0x1c, 0xa3, 0xba, 0xd3, 0xb4, 0xf7, 0x75, 0xdb, 0xf2, 0x5c,
-	0xbb, 0x59, 0xdd, 0x3b, 0xbd, 0x4d, 0x3c, 0xed, 0x74, 0xb5, 0x4e, 0x2c, 0xe2, 0x6a, 0x1e, 0xa9,
-	0x29, 0x8e, 0x6b, 0x7b, 0x36, 0x2a, 0x07, 0x78, 0x45, 0x73, 0x0c, 0xa5, 0x03, 0xaf, 0x08, 0xfc,
-	0xd2, 0xc9, 0xba, 0xe1, 0x35, 0xfc, 0x6d, 0x45, 0xb7, 0xcd, 0x6a, 0xdd, 0xae, 0xdb, 0x55, 0xae,
-	0xb6, 0xed, 0xef, 0xf0, 0x2f, 0xfe, 0xc1, 0xff, 0x0a, 0xe8, 0x96, 0xce, 0xc6, 0xe6, 0x4d, 0x4d,
-	0x6f, 0x18, 0x16, 0x71, 0x0f, 0xaa, 0xce, 0x6e, 0x9d, 0x09, 0x68, 0xd5, 0x24, 0x9e, 0x56, 0xdd,
-	0xeb, 0xb9, 0xc4, 0x52, 0x35, 0x4d, 0xcb, 0xf5, 0x2d, 0xcf, 0x30, 0x49, 0x8f, 0xc2, 0x1b, 0x59,
-	0x0a, 0x54, 0x6f, 0x10, 0x53, 0xeb, 0xd6, 0x93, 0x7f, 0x92, 0x60, 0xf9, 0xd2, 0xe7, 0xc4, 0x74,
-	0xbc, 0x4d, 0xd7, 0xb0, 0x5d, 0xc3, 0x3b, 0x58, 0x23, 0x7b, 0xa4, 0xb9, 0x6a, 0x5b, 0x3b, 0x46,
-	0xdd, 0x77, 0x35, 0xcf, 0xb0, 0x2d, 0x74, 0x0b, 0x4a, 0x96, 0x6d, 0x1a, 0x96, 0xc6, 0xe4, 0xba,
-	0xef, 0xba, 0xc4, 0xd2, 0x0f, 0xb6, 0x1a, 0x9a, 0x4b, 0x68, 0x49, 0x5a, 0x96, 0x5e, 0x29, 0xa8,
-	0xff, 0x6f, 0xb7, 0x2a, 0xa5, 0x8d, 0x14, 0x0c, 0x4e, 0xd5, 0x46, 0xef, 0xc0, 0x6c, 0x93, 0x58,
-	0x35, 0x6d, 0xbb, 0x49, 0x36, 0x89, 0xab, 0x13, 0xcb, 0x2b, 0xe5, 0x38, 0xe1, 0x7c, 0xbb, 0x55,
-	0x99, 0x5d, 0x4b, 0x1e, 0xe1, 0x6e, 0xac, 0x7c, 0x1b, 0x16, 0x3f, 0x68, 0xda, 0xfb, 0x17, 0x0d,
-	0xea, 0x19, 0x56, 0xdd, 0x37, 0x68, 0x83, 0xb8, 0xeb, 0xc4, 0x6b, 0xd8, 0x35, 0xf4, 0x1e, 0xe4,
-	0xbd, 0x03, 0x87, 0xf0, 0xfb, 0x15, 0xd5, 0xe3, 0x0f, 0x5b, 0x95, 0x91, 0x76, 0xab, 0x92, 0xbf,
-	0x71, 0xe0, 0x90, 0xa7, 0xad, 0xca, 0x91, 0x14, 0x35, 0x76, 0x8c, 0xb9, 0xa2, 0xfc, 0x4d, 0x0e,
-	0x80, 0xa1, 0xb6, 0x78, 0xe0, 0xd0, 0x5d, 0x98, 0x60, 0x8f, 0x55, 0xd3, 0x3c, 0x8d, 0x73, 0x4e,
-	0x9e, 0x39, 0xa5, 0xc4, 0x99, 0x12, 0xc5, 0x5c, 0x71, 0x76, 0xeb, 0x4c, 0x40, 0x15, 0x86, 0x56,
-	0xf6, 0x4e, 0x2b, 0xd7, 0xb6, 0xef, 0x11, 0xdd, 0x5b, 0x27, 0x9e, 0xa6, 0x22, 0x71, 0x0b, 0x88,
-	0x65, 0x38, 0x62, 0x45, 0x9b, 0x90, 0xa7, 0x0e, 0xd1, 0x79, 0x00, 0x26, 0xcf, 0x28, 0xca, 0xe0,
-	0x3c, 0x54, 0xe2, 0xbb, 0x6d, 0x39, 0x44, 0x57, 0xa7, 0x42, 0x0f, 0xd9, 0x17, 0xe6, 0x4c, 0xe8,
-	0x16, 0x8c, 0x51, 0x4f, 0xf3, 0x7c, 0x5a, 0x1a, 0xed, 0xb9, 0x71, 0x16, 0x27, 0xd7, 0x53, 0x67,
-	0x04, 0xeb, 0x58, 0xf0, 0x8d, 0x05, 0x9f, 0xfc, 0x38, 0x07, 0xf3, 0x31, 0x78, 0xd5, 0xb6, 0x6a,
-	0x06, 0xcf, 0x94, 0xb7, 0x13, 0x51, 0x3f, 0xd6, 0x15, 0xf5, 0xc5, 0x3e, 0x2a, 0x71, 0xc4, 0xd1,
-	0x9b, 0xd1, 0x75, 0x73, 0x5c, 0xfd, 0x68, 0xd2, 0xf8, 0xd3, 0x56, 0x65, 0x36, 0x52, 0x4b, 0xde,
-	0x07, 0xed, 0x01, 0x6a, 0x6a, 0xd4, 0xbb, 0xe1, 0x6a, 0x16, 0x0d, 0x68, 0x0d, 0x93, 0x08, 0xaf,
-	0x5f, 0x1b, 0xee, 0x9d, 0x98, 0x86, 0xba, 0x24, 0x4c, 0xa2, 0xb5, 0x1e, 0x36, 0xdc, 0xc7, 0x02,
-	0x7a, 0x19, 0xc6, 0x5c, 0xa2, 0x51, 0xdb, 0x2a, 0xe5, 0xf9, 0x95, 0xa3, 0x78, 0x61, 0x2e, 0xc5,
-	0xe2, 0x14, 0xbd, 0x0a, 0xe3, 0x26, 0xa1, 0x54, 0xab, 0x93, 0x52, 0x81, 0x03, 0x67, 0x05, 0x70,
-	0x7c, 0x3d, 0x10, 0xe3, 0xf0, 0x5c, 0xfe, 0x59, 0x82, 0x99, 0x38, 0x4e, 0x6b, 0x06, 0xf5, 0xd0,
-	0x9d, 0x9e, 0xdc, 0x53, 0x86, 0xf3, 0x89, 0x69, 0xf3, 0xcc, 0x9b, 0x13, 0xe6, 0x26, 0x42, 0x49,
-	0x47, 0xde, 0x5d, 0x83, 0x82, 0xe1, 0x11, 0x93, 0x45, 0x7d, 0xb4, 0x2b, 0x5c, 0x19, 0x49, 0xa2,
-	0x4e, 0x0b, 0xda, 0xc2, 0x15, 0x46, 0x80, 0x03, 0x1e, 0xf9, 0xcf, 0xd1, 0x4e, 0x0f, 0x58, 0x3e,
-	0xa2, 0xef, 0x25, 0x58, 0x72, 0x52, 0x1b, 0x8c, 0x70, 0x6a, 0x35, 0xcb, 0x72, 0x7a, 0x8b, 0xc2,
-	0x64, 0x87, 0xb0, 0xbe, 0x42, 0x54, 0x59, 0x5c, 0x69, 0x69, 0x00, 0x78, 0xc0, 0x55, 0xd0, 0x47,
-	0x80, 0x4c, 0xcd, 0x63, 0x11, 0xad, 0x6f, 0xba, 0x44, 0x27, 0x35, 0xc6, 0x2a, 0x9a, 0x52, 0x94,
-	0x1d, 0xeb, 0x3d, 0x08, 0xdc, 0x47, 0x0b, 0x7d, 0x25, 0xc1, 0x7c, 0xad, 0xb7, 0xc9, 0x88, 0xbc,
-	0x3c, 0x3f, 0x4c, 0xa0, 0xfb, 0xf4, 0x28, 0x75, 0xb1, 0xdd, 0xaa, 0xcc, 0xf7, 0x39, 0xc0, 0xfd,
-	0x8c, 0xa1, 0x3b, 0x50, 0x70, 0xfd, 0x26, 0xa1, 0xa5, 0x3c, 0x7f, 0xde, 0x4c, 0xab, 0x9b, 0x76,
-	0xd3, 0xd0, 0x0f, 0x30, 0x53, 0xf9, 0xc4, 0xf0, 0x1a, 0x5b, 0x3e, 0xef, 0x55, 0x34, 0x7e, 0x6b,
-	0x7e, 0x84, 0x03, 0x52, 0xf9, 0x01, 0xcc, 0x75, 0x37, 0x0d, 0x54, 0x07, 0xd0, 0xc3, 0x3a, 0x65,
-	0x03, 0x82, 0x99, 0x7d, 0x7d, 0xf8, 0xac, 0x8a, 0x6a, 0x3c, 0xee, 0x97, 0x91, 0x88, 0xe2, 0x0e,
-	0x6a, 0xf9, 0x14, 0x4c, 0x5d, 0x76, 0x6d, 0xdf, 0x11, 0x77, 0x44, 0xcb, 0x90, 0xb7, 0x34, 0x33,
-	0xec, 0x3e, 0x51, 0x47, 0xdc, 0xd0, 0x4c, 0x82, 0xf9, 0x89, 0xfc, 0x9d, 0x04, 0xd3, 0x6b, 0x86,
-	0x69, 0x78, 0x98, 0x50, 0xc7, 0xb6, 0x28, 0x41, 0xe7, 0x12, 0x1d, 0xeb, 0x68, 0x57, 0xc7, 0x3a,
-	0x94, 0x00, 0x77, 0xf4, 0xaa, 0x4f, 0x61, 0xfc, 0xbe, 0x4f, 0x7c, 0xc3, 0xaa, 0x8b, 0x7e, 0x7d,
-	0x36, 0xcb, 0xc1, 0xeb, 0x01, 0x3c, 0x91, 0x6d, 0xea, 0x24, 0x6b, 0x01, 0xe2, 0x04, 0x87, 0x8c,
-	0xf2, 0x3f, 0x39, 0x38, 0xca, 0x0d, 0x93, 0xda, 0x80, 0xa9, 0x7c, 0x07, 0x4a, 0x1a, 0xa5, 0xbe,
-	0x4b, 0x6a, 0x69, 0x53, 0x79, 0x59, 0x78, 0x53, 0x5a, 0x49, 0xc1, 0xe1, 0x54, 0x06, 0x74, 0x0f,
-	0xa6, 0x9b, 0x9d, 0xbe, 0x0b, 0x37, 0x4f, 0x66, 0xb9, 0x99, 0x08, 0x98, 0xba, 0x20, 0x6e, 0x90,
-	0x0c, 0x3a, 0x4e, 0x52, 0xf7, 0xdb, 0x02, 0x46, 0x87, 0xdf, 0x02, 0xd0, 0x35, 0x58, 0xd8, 0xb6,
-	0x5d, 0xd7, 0xde, 0x37, 0xac, 0x3a, 0xb7, 0x13, 0x92, 0xe4, 0x39, 0xc9, 0xff, 0xda, 0xad, 0xca,
-	0x82, 0xda, 0x0f, 0x80, 0xfb, 0xeb, 0xc9, 0xfb, 0xb0, 0xb0, 0xc1, 0x7a, 0x0a, 0xb5, 0x7d, 0x57,
-	0x27, 0x71, 0x41, 0xa0, 0x0a, 0x14, 0xf6, 0x88, 0xbb, 0x1d, 0x24, 0x75, 0x51, 0x2d, 0xb2, 0x72,
-	0xf8, 0x98, 0x09, 0x70, 0x20, 0x67, 0x9e, 0x58, 0xb1, 0xe6, 0x4d, 0xbc, 0x46, 0x4b, 0x63, 0x1c,
-	0xca, 0x3d, 0xd9, 0x48, 0x1e, 0xe1, 0x6e, 0xac, 0xdc, 0xca, 0xc1, 0x62, 0x4a, 0xfd, 0xa1, 0x9b,
-	0x30, 0x41, 0xc5, 0xdf, 0xa2, 0xa6, 0x8e, 0x65, 0xbd, 0x85, 0xd0, 0x8d, 0xbb, 0x7f, 0x48, 0x86,
-	0x23, 0x2a, 0x64, 0xc3, 0xb4, 0x2b, 0xae, 0xc0, 0x6d, 0x8a, 0x29, 0x70, 0x26, 0x8b, 0xbb, 0x37,
-	0x3a, 0xf1, 0x63, 0xe3, 0x4e, 0x42, 0x9c, 0xe4, 0x47, 0x0f, 0x60, 0xae, 0xc3, 0xed, 0xc0, 0xe6,
-	0x28, 0xb7, 0x79, 0x2e, 0xcb, 0x66, 0xdf, 0x47, 0x51, 0x4b, 0xc2, 0xec, 0xdc, 0x46, 0x17, 0x2d,
-	0xee, 0x31, 0x24, 0xff, 0x9a, 0x83, 0x01, 0x83, 0xe1, 0x05, 0x2c, 0x79, 0x77, 0x13, 0x4b, 0xde,
-	0xbb, 0xcf, 0x3e, 0xf1, 0x52, 0x97, 0xbe, 0x46, 0xd7, 0xd2, 0xf7, 0xfe, 0x73, 0xd8, 0x18, 0xbc,
-	0x04, 0xfe, 0x95, 0x83, 0x97, 0xd2, 0x95, 0xe3, 0xa5, 0xf0, 0x6a, 0xa2, 0xc5, 0x9e, 0xef, 0x6a,
-	0xb1, 0xc7, 0x86, 0xa0, 0xf8, 0x6f, 0x49, 0xec, 0x5a, 0x12, 0x7f, 0x93, 0xa0, 0x9c, 0x1e, 0xb7,
-	0x17, 0xb0, 0x34, 0x7e, 0x96, 0x5c, 0x1a, 0xdf, 0x7a, 0xf6, 0x24, 0x4b, 0x59, 0x22, 0x2f, 0x0f,
-	0xca, 0xad, 0x68, 0xdd, 0x1b, 0x62, 0xe4, 0xff, 0x90, 0x1b, 0x14, 0x2a, 0xbe, 0x9d, 0x66, 0xfc,
-	0x6a, 0x49, 0x68, 0x5f, 0xb2, 0xd8, 0xe8, 0x31, 0xd9, 0xf4, 0x08, 0x12, 0xb2, 0x01, 0xe3, 0xcd,
-	0x60, 0x56, 0x8b, 0xa2, 0x5e, 0x19, 0x6a, 0x44, 0x0e, 0x1a, 0xed, 0xc1, 0x5a, 0x20, 0x60, 0x38,
-	0xa4, 0x47, 0x35, 0x18, 0x23, 0xfc, 0xa7, 0xfa, 0xb0, 0x95, 0x9d, 0xf5, 0xc3, 0x5e, 0x05, 0x96,
-	0x85, 0x01, 0x0a, 0x0b, 0x6e, 0xf9, 0x5b, 0x09, 0x96, 0xb3, 0x5a, 0x02, 0xda, 0xef, 0xb3, 0xe2,
-	0x3d, 0xc7, 0xfa, 0x3e, 0xfc, 0xca, 0xf7, 0xa3, 0x04, 0x87, 0xfb, 0x6d, 0x52, 0xac, 0xc8, 0xd8,
-	0xfa, 0x14, 0xed, 0x3e, 0x51, 0x91, 0x5d, 0xe7, 0x52, 0x2c, 0x4e, 0xd1, 0x09, 0x98, 0x68, 0x68,
-	0x56, 0x6d, 0xcb, 0xf8, 0x22, 0xdc, 0xea, 0xa3, 0x34, 0xff, 0x50, 0xc8, 0x71, 0x84, 0x40, 0x17,
-	0x61, 0x8e, 0xeb, 0xad, 0x11, 0xab, 0xee, 0x35, 0xf8, 0x8b, 0x88, 0xd5, 0x24, 0x9a, 0x3a, 0xd7,
-	0xbb, 0xce, 0x71, 0x8f, 0x86, 0xfc, 0xb7, 0x04, 0xe8, 0x59, 0xb6, 0x89, 0xe3, 0x50, 0xd4, 0x1c,
-	0x83, 0xaf, 0xb8, 0x41, 0xa1, 0x15, 0xd5, 0xe9, 0x76, 0xab, 0x52, 0x5c, 0xd9, 0xbc, 0x12, 0x08,
-	0x71, 0x7c, 0xce, 0xc0, 0xe1, 0xa0, 0x0d, 0x06, 0xaa, 0x00, 0x87, 0x86, 0x29, 0x8e, 0xcf, 0xd1,
-	0x05, 0x98, 0xd2, 0x9b, 0x3e, 0xf5, 0x88, 0xbb, 0xa5, 0xdb, 0x0e, 0xe1, 0x8d, 0x69, 0x42, 0x3d,
-	0x2c, 0x7c, 0x9a, 0x5a, 0xed, 0x38, 0xc3, 0x09, 0x24, 0x52, 0x00, 0x58, 0x59, 0x51, 0x47, 0x63,
-	0x76, 0x0a, 0xdc, 0xce, 0x0c, 0x7b, 0xb0, 0x8d, 0x48, 0x8a, 0x3b, 0x10, 0xf2, 0x3d, 0x58, 0xd8,
-	0x22, 0xee, 0x9e, 0xa1, 0x93, 0x15, 0x5d, 0xb7, 0x7d, 0xcb, 0x0b, 0x97, 0xf5, 0x2a, 0x14, 0x23,
-	0x98, 0xa8, 0xbc, 0x43, 0xc2, 0x7e, 0x31, 0xe2, 0xc2, 0x31, 0x26, 0x2a, 0xf5, 0x5c, 0x6a, 0xa9,
-	0xff, 0x92, 0x83, 0xf1, 0x98, 0x3e, 0xbf, 0x6b, 0x58, 0x35, 0xc1, 0x7c, 0x24, 0x44, 0x5f, 0x35,
-	0xac, 0xda, 0xd3, 0x56, 0x65, 0x52, 0xc0, 0xd8, 0x27, 0xe6, 0x40, 0x74, 0x05, 0xf2, 0x3e, 0x25,
-	0xae, 0x28, 0xe2, 0xe3, 0x59, 0xc9, 0x7c, 0x93, 0x12, 0x37, 0xdc, 0xaf, 0x26, 0x18, 0x33, 0x13,
-	0x60, 0x4e, 0x81, 0xd6, 0xa1, 0x50, 0x67, 0x8f, 0x22, 0xea, 0xf4, 0x44, 0x16, 0x57, 0xe7, 0x8f,
-	0x98, 0x20, 0x0d, 0xb8, 0x04, 0x07, 0x2c, 0xe8, 0x3e, 0xcc, 0xd0, 0x44, 0x08, 0xf9, 0x73, 0x0d,
-	0xb1, 0x2f, 0xf5, 0x0d, 0xbc, 0x8a, 0xda, 0xad, 0xca, 0x4c, 0xf2, 0x08, 0x77, 0x19, 0x90, 0xab,
-	0x30, 0xd9, 0xe1, 0x60, 0x76, 0x97, 0x55, 0x2f, 0x3e, 0x7c, 0x52, 0x1e, 0x79, 0xf4, 0xa4, 0x3c,
-	0xf2, 0xf8, 0x49, 0x79, 0xe4, 0xcb, 0x76, 0x59, 0x7a, 0xd8, 0x2e, 0x4b, 0x8f, 0xda, 0x65, 0xe9,
-	0x71, 0xbb, 0x2c, 0xfd, 0xde, 0x2e, 0x4b, 0x5f, 0xff, 0x51, 0x1e, 0xb9, 0x5d, 0x1e, 0xfc, 0xbf,
-	0xd8, 0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0x24, 0x42, 0x4c, 0x0f, 0xac, 0x15, 0x00, 0x00,
-}
+func (m *UserSubject) Reset() { *m = UserSubject{} }
 
 func (m *ExemptPriorityLevelConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..9d2059597a69d
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,68 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*FlowDistinguisherMethod) ProtoMessage() {}
+
+func (*FlowSchema) ProtoMessage() {}
+
+func (*FlowSchemaCondition) ProtoMessage() {}
+
+func (*FlowSchemaList) ProtoMessage() {}
+
+func (*FlowSchemaSpec) ProtoMessage() {}
+
+func (*FlowSchemaStatus) ProtoMessage() {}
+
+func (*GroupSubject) ProtoMessage() {}
+
+func (*LimitResponse) ProtoMessage() {}
+
+func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*NonResourcePolicyRule) ProtoMessage() {}
+
+func (*PolicyRulesWithSubjects) ProtoMessage() {}
+
+func (*PriorityLevelConfiguration) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationList) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationReference) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
+
+func (*QueuingConfiguration) ProtoMessage() {}
+
+func (*ResourcePolicyRule) ProtoMessage() {}
+
+func (*ServiceAccountSubject) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
+
+func (*UserSubject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/flowcontrol/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..fe34dbc9b48e0
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExemptPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.ExemptPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowDistinguisherMethod) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowDistinguisherMethod"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchema) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowSchema"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowSchemaCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowSchemaList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowSchemaSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.FlowSchemaStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.GroupSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitResponse) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.LimitResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitedPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.NonResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRulesWithSubjects) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PolicyRulesWithSubjects"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationReference) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QueuingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.QueuingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.ResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.ServiceAccountSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.Subject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta1.UserSubject"
+}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta2/doc.go b/staging/src/k8s.io/api/flowcontrol/v1beta2/doc.go
index 2dcad11ad9a18..fb00b5857b346 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta2/doc.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta2/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.flowcontrol.v1beta2
 
 // +groupName=flowcontrol.apiserver.k8s.io
 
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.pb.go
index f646446df9d4f..1d5a5d26195f2 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.pb.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.pb.go
@@ -24,803 +24,56 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExemptPriorityLevelConfiguration) Reset() { *m = ExemptPriorityLevelConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FlowDistinguisherMethod) Reset() { *m = FlowDistinguisherMethod{} }
 
-func (m *ExemptPriorityLevelConfiguration) Reset()      { *m = ExemptPriorityLevelConfiguration{} }
-func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
-func (*ExemptPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{0}
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.DiscardUnknown(m)
-}
+func (m *FlowSchema) Reset() { *m = FlowSchema{} }
 
-var xxx_messageInfo_ExemptPriorityLevelConfiguration proto.InternalMessageInfo
+func (m *FlowSchemaCondition) Reset() { *m = FlowSchemaCondition{} }
 
-func (m *FlowDistinguisherMethod) Reset()      { *m = FlowDistinguisherMethod{} }
-func (*FlowDistinguisherMethod) ProtoMessage() {}
-func (*FlowDistinguisherMethod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{1}
-}
-func (m *FlowDistinguisherMethod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowDistinguisherMethod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowDistinguisherMethod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowDistinguisherMethod.Merge(m, src)
-}
-func (m *FlowDistinguisherMethod) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowDistinguisherMethod) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowDistinguisherMethod.DiscardUnknown(m)
-}
+func (m *FlowSchemaList) Reset() { *m = FlowSchemaList{} }
 
-var xxx_messageInfo_FlowDistinguisherMethod proto.InternalMessageInfo
+func (m *FlowSchemaSpec) Reset() { *m = FlowSchemaSpec{} }
 
-func (m *FlowSchema) Reset()      { *m = FlowSchema{} }
-func (*FlowSchema) ProtoMessage() {}
-func (*FlowSchema) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{2}
-}
-func (m *FlowSchema) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchema) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchema) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchema.Merge(m, src)
-}
-func (m *FlowSchema) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchema) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchema.DiscardUnknown(m)
-}
+func (m *FlowSchemaStatus) Reset() { *m = FlowSchemaStatus{} }
 
-var xxx_messageInfo_FlowSchema proto.InternalMessageInfo
+func (m *GroupSubject) Reset() { *m = GroupSubject{} }
 
-func (m *FlowSchemaCondition) Reset()      { *m = FlowSchemaCondition{} }
-func (*FlowSchemaCondition) ProtoMessage() {}
-func (*FlowSchemaCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{3}
-}
-func (m *FlowSchemaCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaCondition.Merge(m, src)
-}
-func (m *FlowSchemaCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaCondition.DiscardUnknown(m)
-}
+func (m *LimitResponse) Reset() { *m = LimitResponse{} }
 
-var xxx_messageInfo_FlowSchemaCondition proto.InternalMessageInfo
+func (m *LimitedPriorityLevelConfiguration) Reset() { *m = LimitedPriorityLevelConfiguration{} }
 
-func (m *FlowSchemaList) Reset()      { *m = FlowSchemaList{} }
-func (*FlowSchemaList) ProtoMessage() {}
-func (*FlowSchemaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{4}
-}
-func (m *FlowSchemaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaList.Merge(m, src)
-}
-func (m *FlowSchemaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaList.DiscardUnknown(m)
-}
+func (m *NonResourcePolicyRule) Reset() { *m = NonResourcePolicyRule{} }
 
-var xxx_messageInfo_FlowSchemaList proto.InternalMessageInfo
+func (m *PolicyRulesWithSubjects) Reset() { *m = PolicyRulesWithSubjects{} }
 
-func (m *FlowSchemaSpec) Reset()      { *m = FlowSchemaSpec{} }
-func (*FlowSchemaSpec) ProtoMessage() {}
-func (*FlowSchemaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{5}
-}
-func (m *FlowSchemaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaSpec.Merge(m, src)
-}
-func (m *FlowSchemaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaSpec.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfiguration) Reset() { *m = PriorityLevelConfiguration{} }
 
-var xxx_messageInfo_FlowSchemaSpec proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationCondition) Reset() { *m = PriorityLevelConfigurationCondition{} }
 
-func (m *FlowSchemaStatus) Reset()      { *m = FlowSchemaStatus{} }
-func (*FlowSchemaStatus) ProtoMessage() {}
-func (*FlowSchemaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{6}
-}
-func (m *FlowSchemaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaStatus.Merge(m, src)
-}
-func (m *FlowSchemaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaStatus.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationList) Reset() { *m = PriorityLevelConfigurationList{} }
 
-var xxx_messageInfo_FlowSchemaStatus proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationReference) Reset() { *m = PriorityLevelConfigurationReference{} }
 
-func (m *GroupSubject) Reset()      { *m = GroupSubject{} }
-func (*GroupSubject) ProtoMessage() {}
-func (*GroupSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{7}
-}
-func (m *GroupSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupSubject.Merge(m, src)
-}
-func (m *GroupSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupSubject.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationSpec) Reset() { *m = PriorityLevelConfigurationSpec{} }
 
-var xxx_messageInfo_GroupSubject proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationStatus) Reset() { *m = PriorityLevelConfigurationStatus{} }
 
-func (m *LimitResponse) Reset()      { *m = LimitResponse{} }
-func (*LimitResponse) ProtoMessage() {}
-func (*LimitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{8}
-}
-func (m *LimitResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitResponse.Merge(m, src)
-}
-func (m *LimitResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitResponse.DiscardUnknown(m)
-}
+func (m *QueuingConfiguration) Reset() { *m = QueuingConfiguration{} }
 
-var xxx_messageInfo_LimitResponse proto.InternalMessageInfo
+func (m *ResourcePolicyRule) Reset() { *m = ResourcePolicyRule{} }
 
-func (m *LimitedPriorityLevelConfiguration) Reset()      { *m = LimitedPriorityLevelConfiguration{} }
-func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
-func (*LimitedPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{9}
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitedPriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *NonResourcePolicyRule) Reset()      { *m = NonResourcePolicyRule{} }
-func (*NonResourcePolicyRule) ProtoMessage() {}
-func (*NonResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{10}
-}
-func (m *NonResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourcePolicyRule.Merge(m, src)
-}
-func (m *NonResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourcePolicyRule proto.InternalMessageInfo
-
-func (m *PolicyRulesWithSubjects) Reset()      { *m = PolicyRulesWithSubjects{} }
-func (*PolicyRulesWithSubjects) ProtoMessage() {}
-func (*PolicyRulesWithSubjects) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{11}
-}
-func (m *PolicyRulesWithSubjects) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRulesWithSubjects) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRulesWithSubjects) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRulesWithSubjects.Merge(m, src)
-}
-func (m *PolicyRulesWithSubjects) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRulesWithSubjects) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRulesWithSubjects.DiscardUnknown(m)
-}
+func (m *ServiceAccountSubject) Reset() { *m = ServiceAccountSubject{} }
 
-var xxx_messageInfo_PolicyRulesWithSubjects proto.InternalMessageInfo
+func (m *Subject) Reset() { *m = Subject{} }
 
-func (m *PriorityLevelConfiguration) Reset()      { *m = PriorityLevelConfiguration{} }
-func (*PriorityLevelConfiguration) ProtoMessage() {}
-func (*PriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{12}
-}
-func (m *PriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfiguration.Merge(m, src)
-}
-func (m *PriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationCondition) Reset()      { *m = PriorityLevelConfigurationCondition{} }
-func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
-func (*PriorityLevelConfigurationCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{13}
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationCondition proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationList) Reset()      { *m = PriorityLevelConfigurationList{} }
-func (*PriorityLevelConfigurationList) ProtoMessage() {}
-func (*PriorityLevelConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{14}
-}
-func (m *PriorityLevelConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationList.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationList proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationReference) Reset()      { *m = PriorityLevelConfigurationReference{} }
-func (*PriorityLevelConfigurationReference) ProtoMessage() {}
-func (*PriorityLevelConfigurationReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{15}
-}
-func (m *PriorityLevelConfigurationReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationReference.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationReference proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationSpec) Reset()      { *m = PriorityLevelConfigurationSpec{} }
-func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
-func (*PriorityLevelConfigurationSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{16}
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationSpec proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationStatus) Reset()      { *m = PriorityLevelConfigurationStatus{} }
-func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
-func (*PriorityLevelConfigurationStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{17}
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationStatus proto.InternalMessageInfo
-
-func (m *QueuingConfiguration) Reset()      { *m = QueuingConfiguration{} }
-func (*QueuingConfiguration) ProtoMessage() {}
-func (*QueuingConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{18}
-}
-func (m *QueuingConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *QueuingConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *QueuingConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QueuingConfiguration.Merge(m, src)
-}
-func (m *QueuingConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *QueuingConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_QueuingConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QueuingConfiguration proto.InternalMessageInfo
-
-func (m *ResourcePolicyRule) Reset()      { *m = ResourcePolicyRule{} }
-func (*ResourcePolicyRule) ProtoMessage() {}
-func (*ResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{19}
-}
-func (m *ResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePolicyRule.Merge(m, src)
-}
-func (m *ResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourcePolicyRule proto.InternalMessageInfo
-
-func (m *ServiceAccountSubject) Reset()      { *m = ServiceAccountSubject{} }
-func (*ServiceAccountSubject) ProtoMessage() {}
-func (*ServiceAccountSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{20}
-}
-func (m *ServiceAccountSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountSubject.Merge(m, src)
-}
-func (m *ServiceAccountSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceAccountSubject proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{21}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func (m *UserSubject) Reset()      { *m = UserSubject{} }
-func (*UserSubject) ProtoMessage() {}
-func (*UserSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e620af2eea53237, []int{22}
-}
-func (m *UserSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserSubject.Merge(m, src)
-}
-func (m *UserSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserSubject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExemptPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta2.ExemptPriorityLevelConfiguration")
-	proto.RegisterType((*FlowDistinguisherMethod)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowDistinguisherMethod")
-	proto.RegisterType((*FlowSchema)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowSchema")
-	proto.RegisterType((*FlowSchemaCondition)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowSchemaCondition")
-	proto.RegisterType((*FlowSchemaList)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowSchemaList")
-	proto.RegisterType((*FlowSchemaSpec)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowSchemaSpec")
-	proto.RegisterType((*FlowSchemaStatus)(nil), "k8s.io.api.flowcontrol.v1beta2.FlowSchemaStatus")
-	proto.RegisterType((*GroupSubject)(nil), "k8s.io.api.flowcontrol.v1beta2.GroupSubject")
-	proto.RegisterType((*LimitResponse)(nil), "k8s.io.api.flowcontrol.v1beta2.LimitResponse")
-	proto.RegisterType((*LimitedPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta2.LimitedPriorityLevelConfiguration")
-	proto.RegisterType((*NonResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta2.NonResourcePolicyRule")
-	proto.RegisterType((*PolicyRulesWithSubjects)(nil), "k8s.io.api.flowcontrol.v1beta2.PolicyRulesWithSubjects")
-	proto.RegisterType((*PriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfiguration")
-	proto.RegisterType((*PriorityLevelConfigurationCondition)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfigurationCondition")
-	proto.RegisterType((*PriorityLevelConfigurationList)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfigurationList")
-	proto.RegisterType((*PriorityLevelConfigurationReference)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfigurationReference")
-	proto.RegisterType((*PriorityLevelConfigurationSpec)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfigurationSpec")
-	proto.RegisterType((*PriorityLevelConfigurationStatus)(nil), "k8s.io.api.flowcontrol.v1beta2.PriorityLevelConfigurationStatus")
-	proto.RegisterType((*QueuingConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta2.QueuingConfiguration")
-	proto.RegisterType((*ResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta2.ResourcePolicyRule")
-	proto.RegisterType((*ServiceAccountSubject)(nil), "k8s.io.api.flowcontrol.v1beta2.ServiceAccountSubject")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.flowcontrol.v1beta2.Subject")
-	proto.RegisterType((*UserSubject)(nil), "k8s.io.api.flowcontrol.v1beta2.UserSubject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/flowcontrol/v1beta2/generated.proto", fileDescriptor_2e620af2eea53237)
-}
-
-var fileDescriptor_2e620af2eea53237 = []byte{
-	// 1602 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcd, 0x73, 0xdb, 0xd4,
-	0x16, 0x8f, 0x1c, 0x3b, 0x89, 0x4f, 0x3e, 0x7b, 0xd3, 0x4c, 0xfc, 0xd2, 0x37, 0x76, 0xaa, 0x37,
-	0xf3, 0xfa, 0x1e, 0x6d, 0xe5, 0x36, 0xb4, 0xb4, 0xc0, 0xf0, 0x11, 0xa5, 0xa5, 0x94, 0x26, 0x69,
-	0x7a, 0xd3, 0x42, 0xa7, 0x74, 0x86, 0x2a, 0xf2, 0x8d, 0xad, 0xc6, 0xfa, 0xa8, 0xae, 0x94, 0x10,
-	0xba, 0x61, 0xf8, 0x0b, 0x58, 0xc3, 0x92, 0x05, 0x2b, 0x36, 0x6c, 0x59, 0xb0, 0xa4, 0xc3, 0xaa,
-	0xcb, 0xae, 0x0c, 0x35, 0x2b, 0xfe, 0x03, 0xe8, 0x0c, 0x33, 0xcc, 0xbd, 0xba, 0x92, 0x2c, 0xdb,
-	0xb2, 0x3c, 0xed, 0x4c, 0x57, 0xec, 0xa2, 0x73, 0x7f, 0xe7, 0x77, 0xee, 0x39, 0xf7, 0x7c, 0x39,
-	0xa0, 0xec, 0x5d, 0xa4, 0x8a, 0x61, 0x57, 0x35, 0xc7, 0xa8, 0xee, 0x36, 0xed, 0x03, 0xdd, 0xb6,
-	0x3c, 0xd7, 0x6e, 0x56, 0xf7, 0xcf, 0xee, 0x10, 0x4f, 0x5b, 0xa9, 0xd6, 0x89, 0x45, 0x5c, 0xcd,
-	0x23, 0x35, 0xc5, 0x71, 0x6d, 0xcf, 0x46, 0xe5, 0x00, 0xaf, 0x68, 0x8e, 0xa1, 0x74, 0xe0, 0x15,
-	0x81, 0x5f, 0x3a, 0x5d, 0x37, 0xbc, 0x86, 0xbf, 0xa3, 0xe8, 0xb6, 0x59, 0xad, 0xdb, 0x75, 0xbb,
-	0xca, 0xd5, 0x76, 0xfc, 0x5d, 0xfe, 0xc5, 0x3f, 0xf8, 0x5f, 0x01, 0xdd, 0xd2, 0xb9, 0xd8, 0xbc,
-	0xa9, 0xe9, 0x0d, 0xc3, 0x22, 0xee, 0x61, 0xd5, 0xd9, 0xab, 0x33, 0x01, 0xad, 0x9a, 0xc4, 0xd3,
-	0xaa, 0xfb, 0x67, 0xbb, 0x2f, 0xb1, 0x54, 0x4d, 0xd3, 0x72, 0x7d, 0xcb, 0x33, 0x4c, 0xd2, 0xa3,
-	0xf0, 0x5a, 0x96, 0x02, 0xd5, 0x1b, 0xc4, 0xd4, 0xba, 0xf5, 0xe4, 0x1f, 0x24, 0x58, 0xbe, 0xfc,
-	0x29, 0x31, 0x1d, 0x6f, 0xcb, 0x35, 0x6c, 0xd7, 0xf0, 0x0e, 0xd7, 0xc9, 0x3e, 0x69, 0xae, 0xd9,
-	0xd6, 0xae, 0x51, 0xf7, 0x5d, 0xcd, 0x33, 0x6c, 0x0b, 0xdd, 0x86, 0x92, 0x65, 0x9b, 0x86, 0xa5,
-	0x31, 0xb9, 0xee, 0xbb, 0x2e, 0xb1, 0xf4, 0xc3, 0xed, 0x86, 0xe6, 0x12, 0x5a, 0x92, 0x96, 0xa5,
-	0xff, 0x15, 0xd4, 0x7f, 0xb7, 0x5b, 0x95, 0xd2, 0x66, 0x0a, 0x06, 0xa7, 0x6a, 0xa3, 0xb7, 0x60,
-	0xb6, 0x49, 0xac, 0x9a, 0xb6, 0xd3, 0x24, 0x5b, 0xc4, 0xd5, 0x89, 0xe5, 0x95, 0x72, 0x9c, 0x70,
-	0xbe, 0xdd, 0xaa, 0xcc, 0xae, 0x27, 0x8f, 0x70, 0x37, 0x56, 0xbe, 0x03, 0x8b, 0xef, 0x35, 0xed,
-	0x83, 0x4b, 0x06, 0xf5, 0x0c, 0xab, 0xee, 0x1b, 0xb4, 0x41, 0xdc, 0x0d, 0xe2, 0x35, 0xec, 0x1a,
-	0x7a, 0x07, 0xf2, 0xde, 0xa1, 0x43, 0xf8, 0xfd, 0x8a, 0xea, 0xc9, 0x47, 0xad, 0xca, 0x48, 0xbb,
-	0x55, 0xc9, 0xdf, 0x3c, 0x74, 0xc8, 0xb3, 0x56, 0xe5, 0x58, 0x8a, 0x1a, 0x3b, 0xc6, 0x5c, 0x51,
-	0xfe, 0x2a, 0x07, 0xc0, 0x50, 0xdb, 0x3c, 0x70, 0xe8, 0x1e, 0x4c, 0xb0, 0xc7, 0xaa, 0x69, 0x9e,
-	0xc6, 0x39, 0x27, 0x57, 0xce, 0x28, 0x71, 0xa6, 0x44, 0x31, 0x57, 0x9c, 0xbd, 0x3a, 0x13, 0x50,
-	0x85, 0xa1, 0x95, 0xfd, 0xb3, 0xca, 0xf5, 0x9d, 0xfb, 0x44, 0xf7, 0x36, 0x88, 0xa7, 0xa9, 0x48,
-	0xdc, 0x02, 0x62, 0x19, 0x8e, 0x58, 0xd1, 0x16, 0xe4, 0xa9, 0x43, 0x74, 0x1e, 0x80, 0xc9, 0x15,
-	0x45, 0x19, 0x9c, 0x87, 0x4a, 0x7c, 0xb7, 0x6d, 0x87, 0xe8, 0xea, 0x54, 0xe8, 0x21, 0xfb, 0xc2,
-	0x9c, 0x09, 0xdd, 0x86, 0x31, 0xea, 0x69, 0x9e, 0x4f, 0x4b, 0xa3, 0x3d, 0x37, 0xce, 0xe2, 0xe4,
-	0x7a, 0xea, 0x8c, 0x60, 0x1d, 0x0b, 0xbe, 0xb1, 0xe0, 0x93, 0x9f, 0xe4, 0x60, 0x3e, 0x06, 0xaf,
-	0xd9, 0x56, 0xcd, 0xe0, 0x99, 0xf2, 0x66, 0x22, 0xea, 0x27, 0xba, 0xa2, 0xbe, 0xd8, 0x47, 0x25,
-	0x8e, 0x38, 0x7a, 0x3d, 0xba, 0x6e, 0x8e, 0xab, 0x1f, 0x4f, 0x1a, 0x7f, 0xd6, 0xaa, 0xcc, 0x46,
-	0x6a, 0xc9, 0xfb, 0xa0, 0x7d, 0x40, 0x4d, 0x8d, 0x7a, 0x37, 0x5d, 0xcd, 0xa2, 0x01, 0xad, 0x61,
-	0x12, 0xe1, 0xf5, 0x2b, 0xc3, 0xbd, 0x13, 0xd3, 0x50, 0x97, 0x84, 0x49, 0xb4, 0xde, 0xc3, 0x86,
-	0xfb, 0x58, 0x40, 0xff, 0x85, 0x31, 0x97, 0x68, 0xd4, 0xb6, 0x4a, 0x79, 0x7e, 0xe5, 0x28, 0x5e,
-	0x98, 0x4b, 0xb1, 0x38, 0x45, 0xff, 0x87, 0x71, 0x93, 0x50, 0xaa, 0xd5, 0x49, 0xa9, 0xc0, 0x81,
-	0xb3, 0x02, 0x38, 0xbe, 0x11, 0x88, 0x71, 0x78, 0x2e, 0xff, 0x28, 0xc1, 0x4c, 0x1c, 0xa7, 0x75,
-	0x83, 0x7a, 0xe8, 0x6e, 0x4f, 0xee, 0x29, 0xc3, 0xf9, 0xc4, 0xb4, 0x79, 0xe6, 0xcd, 0x09, 0x73,
-	0x13, 0xa1, 0xa4, 0x23, 0xef, 0xae, 0x43, 0xc1, 0xf0, 0x88, 0xc9, 0xa2, 0x3e, 0xda, 0x15, 0xae,
-	0x8c, 0x24, 0x51, 0xa7, 0x05, 0x6d, 0xe1, 0x2a, 0x23, 0xc0, 0x01, 0x8f, 0xfc, 0xfb, 0x68, 0xa7,
-	0x07, 0x2c, 0x1f, 0xd1, 0xb7, 0x12, 0x2c, 0x39, 0xa9, 0x0d, 0x46, 0x38, 0xb5, 0x96, 0x65, 0x39,
-	0xbd, 0x45, 0x61, 0xb2, 0x4b, 0x58, 0x5f, 0x21, 0xaa, 0x2c, 0xae, 0xb4, 0x34, 0x00, 0x3c, 0xe0,
-	0x2a, 0xe8, 0x03, 0x40, 0xa6, 0xe6, 0xb1, 0x88, 0xd6, 0xb7, 0x5c, 0xa2, 0x93, 0x1a, 0x63, 0x15,
-	0x4d, 0x29, 0xca, 0x8e, 0x8d, 0x1e, 0x04, 0xee, 0xa3, 0x85, 0xbe, 0x90, 0x60, 0xbe, 0xd6, 0xdb,
-	0x64, 0x44, 0x5e, 0x5e, 0x18, 0x26, 0xd0, 0x7d, 0x7a, 0x94, 0xba, 0xd8, 0x6e, 0x55, 0xe6, 0xfb,
-	0x1c, 0xe0, 0x7e, 0xc6, 0xd0, 0x5d, 0x28, 0xb8, 0x7e, 0x93, 0xd0, 0x52, 0x9e, 0x3f, 0x6f, 0xa6,
-	0xd5, 0x2d, 0xbb, 0x69, 0xe8, 0x87, 0x98, 0xa9, 0x7c, 0x64, 0x78, 0x8d, 0x6d, 0x9f, 0xf7, 0x2a,
-	0x1a, 0xbf, 0x35, 0x3f, 0xc2, 0x01, 0xa9, 0xfc, 0x10, 0xe6, 0xba, 0x9b, 0x06, 0xaa, 0x03, 0xe8,
-	0x61, 0x9d, 0xb2, 0x01, 0xc1, 0xcc, 0xbe, 0x3a, 0x7c, 0x56, 0x45, 0x35, 0x1e, 0xf7, 0xcb, 0x48,
-	0x44, 0x71, 0x07, 0xb5, 0x7c, 0x06, 0xa6, 0xae, 0xb8, 0xb6, 0xef, 0x88, 0x3b, 0xa2, 0x65, 0xc8,
-	0x5b, 0x9a, 0x19, 0x76, 0x9f, 0xa8, 0x23, 0x6e, 0x6a, 0x26, 0xc1, 0xfc, 0x44, 0xfe, 0x46, 0x82,
-	0xe9, 0x75, 0xc3, 0x34, 0x3c, 0x4c, 0xa8, 0x63, 0x5b, 0x94, 0xa0, 0xf3, 0x89, 0x8e, 0x75, 0xbc,
-	0xab, 0x63, 0x1d, 0x49, 0x80, 0x3b, 0x7a, 0xd5, 0xc7, 0x30, 0xfe, 0xc0, 0x27, 0xbe, 0x61, 0xd5,
-	0x45, 0xbf, 0x3e, 0x97, 0xe5, 0xe0, 0x8d, 0x00, 0x9e, 0xc8, 0x36, 0x75, 0x92, 0xb5, 0x00, 0x71,
-	0x82, 0x43, 0x46, 0xf9, 0xaf, 0x1c, 0x1c, 0xe7, 0x86, 0x49, 0x6d, 0xc0, 0x54, 0xbe, 0x0b, 0x25,
-	0x8d, 0x52, 0xdf, 0x25, 0xb5, 0xb4, 0xa9, 0xbc, 0x2c, 0xbc, 0x29, 0xad, 0xa6, 0xe0, 0x70, 0x2a,
-	0x03, 0xba, 0x0f, 0xd3, 0xcd, 0x4e, 0xdf, 0x85, 0x9b, 0xa7, 0xb3, 0xdc, 0x4c, 0x04, 0x4c, 0x5d,
-	0x10, 0x37, 0x48, 0x06, 0x1d, 0x27, 0xa9, 0xfb, 0x6d, 0x01, 0xa3, 0xc3, 0x6f, 0x01, 0xe8, 0x3a,
-	0x2c, 0xec, 0xd8, 0xae, 0x6b, 0x1f, 0x18, 0x56, 0x9d, 0xdb, 0x09, 0x49, 0xf2, 0x9c, 0xe4, 0x5f,
-	0xed, 0x56, 0x65, 0x41, 0xed, 0x07, 0xc0, 0xfd, 0xf5, 0xe4, 0x03, 0x58, 0xd8, 0x64, 0x3d, 0x85,
-	0xda, 0xbe, 0xab, 0x93, 0xb8, 0x20, 0x50, 0x05, 0x0a, 0xfb, 0xc4, 0xdd, 0x09, 0x92, 0xba, 0xa8,
-	0x16, 0x59, 0x39, 0x7c, 0xc8, 0x04, 0x38, 0x90, 0x33, 0x4f, 0xac, 0x58, 0xf3, 0x16, 0x5e, 0xa7,
-	0xa5, 0x31, 0x0e, 0xe5, 0x9e, 0x6c, 0x26, 0x8f, 0x70, 0x37, 0x56, 0x6e, 0xe5, 0x60, 0x31, 0xa5,
-	0xfe, 0xd0, 0x2d, 0x98, 0xa0, 0xe2, 0x6f, 0x51, 0x53, 0x27, 0xb2, 0xde, 0x42, 0xe8, 0xc6, 0xdd,
-	0x3f, 0x24, 0xc3, 0x11, 0x15, 0xb2, 0x61, 0xda, 0x15, 0x57, 0xe0, 0x36, 0xc5, 0x14, 0x58, 0xc9,
-	0xe2, 0xee, 0x8d, 0x4e, 0xfc, 0xd8, 0xb8, 0x93, 0x10, 0x27, 0xf9, 0xd1, 0x43, 0x98, 0xeb, 0x70,
-	0x3b, 0xb0, 0x39, 0xca, 0x6d, 0x9e, 0xcf, 0xb2, 0xd9, 0xf7, 0x51, 0xd4, 0x92, 0x30, 0x3b, 0xb7,
-	0xd9, 0x45, 0x8b, 0x7b, 0x0c, 0xc9, 0x3f, 0xe7, 0x60, 0xc0, 0x60, 0x78, 0x09, 0x4b, 0xde, 0xbd,
-	0xc4, 0x92, 0xf7, 0xf6, 0xf3, 0x4f, 0xbc, 0xd4, 0xa5, 0xaf, 0xd1, 0xb5, 0xf4, 0xbd, 0xfb, 0x02,
-	0x36, 0x06, 0x2f, 0x81, 0x7f, 0xe4, 0xe0, 0x3f, 0xe9, 0xca, 0xf1, 0x52, 0x78, 0x2d, 0xd1, 0x62,
-	0x2f, 0x74, 0xb5, 0xd8, 0x13, 0x43, 0x50, 0xfc, 0xb3, 0x24, 0x76, 0x2d, 0x89, 0xbf, 0x48, 0x50,
-	0x4e, 0x8f, 0xdb, 0x4b, 0x58, 0x1a, 0x3f, 0x49, 0x2e, 0x8d, 0x6f, 0x3c, 0x7f, 0x92, 0xa5, 0x2c,
-	0x91, 0x57, 0x06, 0xe5, 0x56, 0xb4, 0xee, 0x0d, 0x31, 0xf2, 0xbf, 0xcb, 0x0d, 0x0a, 0x15, 0xdf,
-	0x4e, 0x33, 0x7e, 0xb5, 0x24, 0xb4, 0x2f, 0x5b, 0x6c, 0xf4, 0x98, 0x6c, 0x7a, 0x04, 0x09, 0xd9,
-	0x80, 0xf1, 0x66, 0x30, 0xab, 0x45, 0x51, 0xaf, 0x0e, 0x35, 0x22, 0x07, 0x8d, 0xf6, 0x60, 0x2d,
-	0x10, 0x30, 0x1c, 0xd2, 0xa3, 0x1a, 0x8c, 0x11, 0xfe, 0x53, 0x7d, 0xd8, 0xca, 0xce, 0xfa, 0x61,
-	0xaf, 0x02, 0xcb, 0xc2, 0x00, 0x85, 0x05, 0xb7, 0xfc, 0xb5, 0x04, 0xcb, 0x59, 0x2d, 0x01, 0x1d,
-	0xf4, 0x59, 0xf1, 0x5e, 0x60, 0x7d, 0x1f, 0x7e, 0xe5, 0xfb, 0x5e, 0x82, 0xa3, 0xfd, 0x36, 0x29,
-	0x56, 0x64, 0x6c, 0x7d, 0x8a, 0x76, 0x9f, 0xa8, 0xc8, 0x6e, 0x70, 0x29, 0x16, 0xa7, 0xe8, 0x14,
-	0x4c, 0x34, 0x34, 0xab, 0xb6, 0x6d, 0x7c, 0x16, 0x6e, 0xf5, 0x51, 0x9a, 0xbf, 0x2f, 0xe4, 0x38,
-	0x42, 0xa0, 0x4b, 0x30, 0xc7, 0xf5, 0xd6, 0x89, 0x55, 0xf7, 0x1a, 0xfc, 0x45, 0xc4, 0x6a, 0x12,
-	0x4d, 0x9d, 0x1b, 0x5d, 0xe7, 0xb8, 0x47, 0x43, 0xfe, 0x53, 0x02, 0xf4, 0x3c, 0xdb, 0xc4, 0x49,
-	0x28, 0x6a, 0x8e, 0xc1, 0x57, 0xdc, 0xa0, 0xd0, 0x8a, 0xea, 0x74, 0xbb, 0x55, 0x29, 0xae, 0x6e,
-	0x5d, 0x0d, 0x84, 0x38, 0x3e, 0x67, 0xe0, 0x70, 0xd0, 0x06, 0x03, 0x55, 0x80, 0x43, 0xc3, 0x14,
-	0xc7, 0xe7, 0xe8, 0x22, 0x4c, 0xe9, 0x4d, 0x9f, 0x7a, 0xc4, 0xdd, 0xd6, 0x6d, 0x87, 0xf0, 0xc6,
-	0x34, 0xa1, 0x1e, 0x15, 0x3e, 0x4d, 0xad, 0x75, 0x9c, 0xe1, 0x04, 0x12, 0x29, 0x00, 0xac, 0xac,
-	0xa8, 0xa3, 0x31, 0x3b, 0x05, 0x6e, 0x67, 0x86, 0x3d, 0xd8, 0x66, 0x24, 0xc5, 0x1d, 0x08, 0xf9,
-	0x3e, 0x2c, 0x6c, 0x13, 0x77, 0xdf, 0xd0, 0xc9, 0xaa, 0xae, 0xdb, 0xbe, 0xe5, 0x85, 0xcb, 0x7a,
-	0x15, 0x8a, 0x11, 0x4c, 0x54, 0xde, 0x11, 0x61, 0xbf, 0x18, 0x71, 0xe1, 0x18, 0x13, 0x95, 0x7a,
-	0x2e, 0xb5, 0xd4, 0x7f, 0xca, 0xc1, 0x78, 0x4c, 0x9f, 0xdf, 0x33, 0xac, 0x9a, 0x60, 0x3e, 0x16,
-	0xa2, 0xaf, 0x19, 0x56, 0xed, 0x59, 0xab, 0x32, 0x29, 0x60, 0xec, 0x13, 0x73, 0x20, 0xba, 0x0a,
-	0x79, 0x9f, 0x12, 0x57, 0x14, 0xf1, 0xc9, 0xac, 0x64, 0xbe, 0x45, 0x89, 0x1b, 0xee, 0x57, 0x13,
-	0x8c, 0x99, 0x09, 0x30, 0xa7, 0x40, 0x1b, 0x50, 0xa8, 0xb3, 0x47, 0x11, 0x75, 0x7a, 0x2a, 0x8b,
-	0xab, 0xf3, 0x47, 0x4c, 0x90, 0x06, 0x5c, 0x82, 0x03, 0x16, 0xf4, 0x00, 0x66, 0x68, 0x22, 0x84,
-	0xfc, 0xb9, 0x86, 0xd8, 0x97, 0xfa, 0x06, 0x5e, 0x45, 0xed, 0x56, 0x65, 0x26, 0x79, 0x84, 0xbb,
-	0x0c, 0xc8, 0x55, 0x98, 0xec, 0x70, 0x30, 0xbb, 0xcb, 0xaa, 0x97, 0x1e, 0x3d, 0x2d, 0x8f, 0x3c,
-	0x7e, 0x5a, 0x1e, 0x79, 0xf2, 0xb4, 0x3c, 0xf2, 0x79, 0xbb, 0x2c, 0x3d, 0x6a, 0x97, 0xa5, 0xc7,
-	0xed, 0xb2, 0xf4, 0xa4, 0x5d, 0x96, 0x7e, 0x6d, 0x97, 0xa5, 0x2f, 0x7f, 0x2b, 0x8f, 0xdc, 0x29,
-	0x0f, 0xfe, 0x5f, 0xec, 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xe3, 0xd5, 0xd0, 0x62, 0xac, 0x15,
-	0x00, 0x00,
-}
+func (m *UserSubject) Reset() { *m = UserSubject{} }
 
 func (m *ExemptPriorityLevelConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.protomessage.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..672834e9fa6ae
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta2/generated.protomessage.pb.go
@@ -0,0 +1,68 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta2
+
+func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*FlowDistinguisherMethod) ProtoMessage() {}
+
+func (*FlowSchema) ProtoMessage() {}
+
+func (*FlowSchemaCondition) ProtoMessage() {}
+
+func (*FlowSchemaList) ProtoMessage() {}
+
+func (*FlowSchemaSpec) ProtoMessage() {}
+
+func (*FlowSchemaStatus) ProtoMessage() {}
+
+func (*GroupSubject) ProtoMessage() {}
+
+func (*LimitResponse) ProtoMessage() {}
+
+func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*NonResourcePolicyRule) ProtoMessage() {}
+
+func (*PolicyRulesWithSubjects) ProtoMessage() {}
+
+func (*PriorityLevelConfiguration) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationList) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationReference) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
+
+func (*QueuingConfiguration) ProtoMessage() {}
+
+func (*ResourcePolicyRule) ProtoMessage() {}
+
+func (*ServiceAccountSubject) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
+
+func (*UserSubject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta2/zz_generated.model_name.go b/staging/src/k8s.io/api/flowcontrol/v1beta2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..eb25256d26873
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta2/zz_generated.model_name.go
@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExemptPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.ExemptPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowDistinguisherMethod) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowDistinguisherMethod"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchema) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowSchema"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowSchemaCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowSchemaList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowSchemaSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.FlowSchemaStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.GroupSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitResponse) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.LimitResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitedPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.LimitedPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.NonResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRulesWithSubjects) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PolicyRulesWithSubjects"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfigurationCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationReference) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfigurationReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfigurationSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfigurationStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QueuingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.QueuingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.ResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.ServiceAccountSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.Subject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta2.UserSubject"
+}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta3/doc.go b/staging/src/k8s.io/api/flowcontrol/v1beta3/doc.go
index 95f4430d38362..ad57ab2bc8bf6 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta3/doc.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta3/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.flowcontrol.v1beta3
 
 // +groupName=flowcontrol.apiserver.k8s.io
 
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.pb.go
index e0a3fc1e180d2..2d6d94af1fd8e 100644
--- a/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.pb.go
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.pb.go
@@ -24,802 +24,56 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ExemptPriorityLevelConfiguration) Reset() { *m = ExemptPriorityLevelConfiguration{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FlowDistinguisherMethod) Reset() { *m = FlowDistinguisherMethod{} }
 
-func (m *ExemptPriorityLevelConfiguration) Reset()      { *m = ExemptPriorityLevelConfiguration{} }
-func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
-func (*ExemptPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{0}
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExemptPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExemptPriorityLevelConfiguration.DiscardUnknown(m)
-}
+func (m *FlowSchema) Reset() { *m = FlowSchema{} }
 
-var xxx_messageInfo_ExemptPriorityLevelConfiguration proto.InternalMessageInfo
+func (m *FlowSchemaCondition) Reset() { *m = FlowSchemaCondition{} }
 
-func (m *FlowDistinguisherMethod) Reset()      { *m = FlowDistinguisherMethod{} }
-func (*FlowDistinguisherMethod) ProtoMessage() {}
-func (*FlowDistinguisherMethod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{1}
-}
-func (m *FlowDistinguisherMethod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowDistinguisherMethod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowDistinguisherMethod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowDistinguisherMethod.Merge(m, src)
-}
-func (m *FlowDistinguisherMethod) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowDistinguisherMethod) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowDistinguisherMethod.DiscardUnknown(m)
-}
+func (m *FlowSchemaList) Reset() { *m = FlowSchemaList{} }
 
-var xxx_messageInfo_FlowDistinguisherMethod proto.InternalMessageInfo
+func (m *FlowSchemaSpec) Reset() { *m = FlowSchemaSpec{} }
 
-func (m *FlowSchema) Reset()      { *m = FlowSchema{} }
-func (*FlowSchema) ProtoMessage() {}
-func (*FlowSchema) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{2}
-}
-func (m *FlowSchema) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchema) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchema) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchema.Merge(m, src)
-}
-func (m *FlowSchema) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchema) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchema.DiscardUnknown(m)
-}
+func (m *FlowSchemaStatus) Reset() { *m = FlowSchemaStatus{} }
 
-var xxx_messageInfo_FlowSchema proto.InternalMessageInfo
+func (m *GroupSubject) Reset() { *m = GroupSubject{} }
 
-func (m *FlowSchemaCondition) Reset()      { *m = FlowSchemaCondition{} }
-func (*FlowSchemaCondition) ProtoMessage() {}
-func (*FlowSchemaCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{3}
-}
-func (m *FlowSchemaCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaCondition.Merge(m, src)
-}
-func (m *FlowSchemaCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaCondition.DiscardUnknown(m)
-}
+func (m *LimitResponse) Reset() { *m = LimitResponse{} }
 
-var xxx_messageInfo_FlowSchemaCondition proto.InternalMessageInfo
+func (m *LimitedPriorityLevelConfiguration) Reset() { *m = LimitedPriorityLevelConfiguration{} }
 
-func (m *FlowSchemaList) Reset()      { *m = FlowSchemaList{} }
-func (*FlowSchemaList) ProtoMessage() {}
-func (*FlowSchemaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{4}
-}
-func (m *FlowSchemaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaList.Merge(m, src)
-}
-func (m *FlowSchemaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaList.DiscardUnknown(m)
-}
+func (m *NonResourcePolicyRule) Reset() { *m = NonResourcePolicyRule{} }
 
-var xxx_messageInfo_FlowSchemaList proto.InternalMessageInfo
+func (m *PolicyRulesWithSubjects) Reset() { *m = PolicyRulesWithSubjects{} }
 
-func (m *FlowSchemaSpec) Reset()      { *m = FlowSchemaSpec{} }
-func (*FlowSchemaSpec) ProtoMessage() {}
-func (*FlowSchemaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{5}
-}
-func (m *FlowSchemaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaSpec.Merge(m, src)
-}
-func (m *FlowSchemaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaSpec.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfiguration) Reset() { *m = PriorityLevelConfiguration{} }
 
-var xxx_messageInfo_FlowSchemaSpec proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationCondition) Reset() { *m = PriorityLevelConfigurationCondition{} }
 
-func (m *FlowSchemaStatus) Reset()      { *m = FlowSchemaStatus{} }
-func (*FlowSchemaStatus) ProtoMessage() {}
-func (*FlowSchemaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{6}
-}
-func (m *FlowSchemaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FlowSchemaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FlowSchemaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlowSchemaStatus.Merge(m, src)
-}
-func (m *FlowSchemaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *FlowSchemaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlowSchemaStatus.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationList) Reset() { *m = PriorityLevelConfigurationList{} }
 
-var xxx_messageInfo_FlowSchemaStatus proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationReference) Reset() { *m = PriorityLevelConfigurationReference{} }
 
-func (m *GroupSubject) Reset()      { *m = GroupSubject{} }
-func (*GroupSubject) ProtoMessage() {}
-func (*GroupSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{7}
-}
-func (m *GroupSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupSubject.Merge(m, src)
-}
-func (m *GroupSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupSubject.DiscardUnknown(m)
-}
+func (m *PriorityLevelConfigurationSpec) Reset() { *m = PriorityLevelConfigurationSpec{} }
 
-var xxx_messageInfo_GroupSubject proto.InternalMessageInfo
+func (m *PriorityLevelConfigurationStatus) Reset() { *m = PriorityLevelConfigurationStatus{} }
 
-func (m *LimitResponse) Reset()      { *m = LimitResponse{} }
-func (*LimitResponse) ProtoMessage() {}
-func (*LimitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{8}
-}
-func (m *LimitResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitResponse.Merge(m, src)
-}
-func (m *LimitResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitResponse.DiscardUnknown(m)
-}
+func (m *QueuingConfiguration) Reset() { *m = QueuingConfiguration{} }
 
-var xxx_messageInfo_LimitResponse proto.InternalMessageInfo
+func (m *ResourcePolicyRule) Reset() { *m = ResourcePolicyRule{} }
 
-func (m *LimitedPriorityLevelConfiguration) Reset()      { *m = LimitedPriorityLevelConfiguration{} }
-func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
-func (*LimitedPriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{9}
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.Merge(m, src)
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *LimitedPriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_LimitedPriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LimitedPriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *NonResourcePolicyRule) Reset()      { *m = NonResourcePolicyRule{} }
-func (*NonResourcePolicyRule) ProtoMessage() {}
-func (*NonResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{10}
-}
-func (m *NonResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NonResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NonResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NonResourcePolicyRule.Merge(m, src)
-}
-func (m *NonResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NonResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NonResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NonResourcePolicyRule proto.InternalMessageInfo
-
-func (m *PolicyRulesWithSubjects) Reset()      { *m = PolicyRulesWithSubjects{} }
-func (*PolicyRulesWithSubjects) ProtoMessage() {}
-func (*PolicyRulesWithSubjects) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{11}
-}
-func (m *PolicyRulesWithSubjects) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRulesWithSubjects) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRulesWithSubjects) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRulesWithSubjects.Merge(m, src)
-}
-func (m *PolicyRulesWithSubjects) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRulesWithSubjects) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRulesWithSubjects.DiscardUnknown(m)
-}
+func (m *ServiceAccountSubject) Reset() { *m = ServiceAccountSubject{} }
 
-var xxx_messageInfo_PolicyRulesWithSubjects proto.InternalMessageInfo
+func (m *Subject) Reset() { *m = Subject{} }
 
-func (m *PriorityLevelConfiguration) Reset()      { *m = PriorityLevelConfiguration{} }
-func (*PriorityLevelConfiguration) ProtoMessage() {}
-func (*PriorityLevelConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{12}
-}
-func (m *PriorityLevelConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfiguration.Merge(m, src)
-}
-func (m *PriorityLevelConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfiguration proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationCondition) Reset()      { *m = PriorityLevelConfigurationCondition{} }
-func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
-func (*PriorityLevelConfigurationCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{13}
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationCondition proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationList) Reset()      { *m = PriorityLevelConfigurationList{} }
-func (*PriorityLevelConfigurationList) ProtoMessage() {}
-func (*PriorityLevelConfigurationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{14}
-}
-func (m *PriorityLevelConfigurationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationList.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationList proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationReference) Reset()      { *m = PriorityLevelConfigurationReference{} }
-func (*PriorityLevelConfigurationReference) ProtoMessage() {}
-func (*PriorityLevelConfigurationReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{15}
-}
-func (m *PriorityLevelConfigurationReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationReference.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationReference proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationSpec) Reset()      { *m = PriorityLevelConfigurationSpec{} }
-func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
-func (*PriorityLevelConfigurationSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{16}
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationSpec proto.InternalMessageInfo
-
-func (m *PriorityLevelConfigurationStatus) Reset()      { *m = PriorityLevelConfigurationStatus{} }
-func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
-func (*PriorityLevelConfigurationStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{17}
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.Merge(m, src)
-}
-func (m *PriorityLevelConfigurationStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityLevelConfigurationStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityLevelConfigurationStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityLevelConfigurationStatus proto.InternalMessageInfo
-
-func (m *QueuingConfiguration) Reset()      { *m = QueuingConfiguration{} }
-func (*QueuingConfiguration) ProtoMessage() {}
-func (*QueuingConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{18}
-}
-func (m *QueuingConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *QueuingConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *QueuingConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QueuingConfiguration.Merge(m, src)
-}
-func (m *QueuingConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *QueuingConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_QueuingConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QueuingConfiguration proto.InternalMessageInfo
-
-func (m *ResourcePolicyRule) Reset()      { *m = ResourcePolicyRule{} }
-func (*ResourcePolicyRule) ProtoMessage() {}
-func (*ResourcePolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{19}
-}
-func (m *ResourcePolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePolicyRule.Merge(m, src)
-}
-func (m *ResourcePolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourcePolicyRule proto.InternalMessageInfo
-
-func (m *ServiceAccountSubject) Reset()      { *m = ServiceAccountSubject{} }
-func (*ServiceAccountSubject) ProtoMessage() {}
-func (*ServiceAccountSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{20}
-}
-func (m *ServiceAccountSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountSubject.Merge(m, src)
-}
-func (m *ServiceAccountSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceAccountSubject proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{21}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func (m *UserSubject) Reset()      { *m = UserSubject{} }
-func (*UserSubject) ProtoMessage() {}
-func (*UserSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_52ab6629c083d251, []int{22}
-}
-func (m *UserSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserSubject.Merge(m, src)
-}
-func (m *UserSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserSubject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserSubject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExemptPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration")
-	proto.RegisterType((*FlowDistinguisherMethod)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowDistinguisherMethod")
-	proto.RegisterType((*FlowSchema)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowSchema")
-	proto.RegisterType((*FlowSchemaCondition)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowSchemaCondition")
-	proto.RegisterType((*FlowSchemaList)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowSchemaList")
-	proto.RegisterType((*FlowSchemaSpec)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowSchemaSpec")
-	proto.RegisterType((*FlowSchemaStatus)(nil), "k8s.io.api.flowcontrol.v1beta3.FlowSchemaStatus")
-	proto.RegisterType((*GroupSubject)(nil), "k8s.io.api.flowcontrol.v1beta3.GroupSubject")
-	proto.RegisterType((*LimitResponse)(nil), "k8s.io.api.flowcontrol.v1beta3.LimitResponse")
-	proto.RegisterType((*LimitedPriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration")
-	proto.RegisterType((*NonResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta3.NonResourcePolicyRule")
-	proto.RegisterType((*PolicyRulesWithSubjects)(nil), "k8s.io.api.flowcontrol.v1beta3.PolicyRulesWithSubjects")
-	proto.RegisterType((*PriorityLevelConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfiguration")
-	proto.RegisterType((*PriorityLevelConfigurationCondition)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition")
-	proto.RegisterType((*PriorityLevelConfigurationList)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfigurationList")
-	proto.RegisterType((*PriorityLevelConfigurationReference)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference")
-	proto.RegisterType((*PriorityLevelConfigurationSpec)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec")
-	proto.RegisterType((*PriorityLevelConfigurationStatus)(nil), "k8s.io.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus")
-	proto.RegisterType((*QueuingConfiguration)(nil), "k8s.io.api.flowcontrol.v1beta3.QueuingConfiguration")
-	proto.RegisterType((*ResourcePolicyRule)(nil), "k8s.io.api.flowcontrol.v1beta3.ResourcePolicyRule")
-	proto.RegisterType((*ServiceAccountSubject)(nil), "k8s.io.api.flowcontrol.v1beta3.ServiceAccountSubject")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.flowcontrol.v1beta3.Subject")
-	proto.RegisterType((*UserSubject)(nil), "k8s.io.api.flowcontrol.v1beta3.UserSubject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/flowcontrol/v1beta3/generated.proto", fileDescriptor_52ab6629c083d251)
-}
-
-var fileDescriptor_52ab6629c083d251 = []byte{
-	// 1589 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcb, 0x6f, 0xdc, 0x54,
-	0x17, 0x8f, 0x27, 0x33, 0x49, 0xe6, 0xe4, 0xd9, 0x9b, 0x46, 0x99, 0x2f, 0xfd, 0x34, 0x93, 0xfa,
-	0x93, 0xbe, 0x02, 0x6d, 0x3d, 0x7d, 0xd2, 0x02, 0xe2, 0x51, 0xa7, 0xa5, 0x94, 0x26, 0x69, 0x7a,
-	0xd3, 0x42, 0x55, 0x2a, 0x51, 0xc7, 0x73, 0xe3, 0x71, 0x33, 0x7e, 0xd4, 0xd7, 0x4e, 0x08, 0xdd,
-	0x20, 0xfe, 0x02, 0xd6, 0xb0, 0x64, 0xc1, 0x8a, 0x0d, 0x5b, 0x16, 0x2c, 0xa9, 0x58, 0x75, 0xd9,
-	0xd5, 0x40, 0x87, 0x15, 0xff, 0x01, 0x54, 0x42, 0x42, 0xf7, 0xfa, 0xda, 0x1e, 0xcf, 0xcb, 0xa3,
-	0x54, 0xea, 0x8a, 0x5d, 0x7c, 0xee, 0x39, 0xbf, 0x73, 0xcf, 0xb9, 0xe7, 0xf1, 0x9b, 0x80, 0xb2,
-	0x73, 0x91, 0x2a, 0xa6, 0x53, 0xd5, 0x5c, 0xb3, 0xba, 0xdd, 0x70, 0xf6, 0x74, 0xc7, 0xf6, 0x3d,
-	0xa7, 0x51, 0xdd, 0x3d, 0xbd, 0x45, 0x7c, 0xed, 0x6c, 0xd5, 0x20, 0x36, 0xf1, 0x34, 0x9f, 0xd4,
-	0x14, 0xd7, 0x73, 0x7c, 0x07, 0x95, 0x43, 0x7d, 0x45, 0x73, 0x4d, 0xa5, 0x4d, 0x5f, 0x11, 0xfa,
-	0x4b, 0x27, 0x0d, 0xd3, 0xaf, 0x07, 0x5b, 0x8a, 0xee, 0x58, 0x55, 0xc3, 0x31, 0x9c, 0x2a, 0x37,
-	0xdb, 0x0a, 0xb6, 0xf9, 0x17, 0xff, 0xe0, 0x7f, 0x85, 0x70, 0x4b, 0xe7, 0x12, 0xf7, 0x96, 0xa6,
-	0xd7, 0x4d, 0x9b, 0x78, 0xfb, 0x55, 0x77, 0xc7, 0x60, 0x02, 0x5a, 0xb5, 0x88, 0xaf, 0x55, 0x77,
-	0x4f, 0x77, 0x5e, 0x62, 0xa9, 0xda, 0xcf, 0xca, 0x0b, 0x6c, 0xdf, 0xb4, 0x48, 0x97, 0xc1, 0xeb,
-	0x59, 0x06, 0x54, 0xaf, 0x13, 0x4b, 0xeb, 0xb4, 0x93, 0x7f, 0x94, 0x60, 0xf9, 0xca, 0x67, 0xc4,
-	0x72, 0xfd, 0x0d, 0xcf, 0x74, 0x3c, 0xd3, 0xdf, 0x5f, 0x25, 0xbb, 0xa4, 0xb1, 0xe2, 0xd8, 0xdb,
-	0xa6, 0x11, 0x78, 0x9a, 0x6f, 0x3a, 0x36, 0xba, 0x03, 0x25, 0xdb, 0xb1, 0x4c, 0x5b, 0x63, 0x72,
-	0x3d, 0xf0, 0x3c, 0x62, 0xeb, 0xfb, 0x9b, 0x75, 0xcd, 0x23, 0xb4, 0x24, 0x2d, 0x4b, 0xaf, 0x14,
-	0xd4, 0xff, 0xb6, 0x9a, 0x95, 0xd2, 0x7a, 0x1f, 0x1d, 0xdc, 0xd7, 0x1a, 0xbd, 0x0d, 0xb3, 0x0d,
-	0x62, 0xd7, 0xb4, 0xad, 0x06, 0xd9, 0x20, 0x9e, 0x4e, 0x6c, 0xbf, 0x94, 0xe3, 0x80, 0xf3, 0xad,
-	0x66, 0x65, 0x76, 0x35, 0x7d, 0x84, 0x3b, 0x75, 0xe5, 0xbb, 0xb0, 0xf8, 0x7e, 0xc3, 0xd9, 0xbb,
-	0x6c, 0x52, 0xdf, 0xb4, 0x8d, 0xc0, 0xa4, 0x75, 0xe2, 0xad, 0x11, 0xbf, 0xee, 0xd4, 0xd0, 0xbb,
-	0x90, 0xf7, 0xf7, 0x5d, 0xc2, 0xef, 0x57, 0x54, 0x8f, 0x3f, 0x6e, 0x56, 0x46, 0x5a, 0xcd, 0x4a,
-	0xfe, 0xd6, 0xbe, 0x4b, 0x9e, 0x37, 0x2b, 0x47, 0xfa, 0x98, 0xb1, 0x63, 0xcc, 0x0d, 0xe5, 0xaf,
-	0x73, 0x00, 0x4c, 0x6b, 0x93, 0x27, 0x0e, 0xdd, 0x87, 0x09, 0xf6, 0x58, 0x35, 0xcd, 0xd7, 0x38,
-	0xe6, 0xe4, 0x99, 0x53, 0x4a, 0x52, 0x29, 0x71, 0xce, 0x15, 0x77, 0xc7, 0x60, 0x02, 0xaa, 0x30,
-	0x6d, 0x65, 0xf7, 0xb4, 0x72, 0x63, 0xeb, 0x01, 0xd1, 0xfd, 0x35, 0xe2, 0x6b, 0x2a, 0x12, 0xb7,
-	0x80, 0x44, 0x86, 0x63, 0x54, 0xb4, 0x01, 0x79, 0xea, 0x12, 0x9d, 0x27, 0x60, 0xf2, 0x8c, 0xa2,
-	0x0c, 0xae, 0x43, 0x25, 0xb9, 0xdb, 0xa6, 0x4b, 0x74, 0x75, 0x2a, 0x8a, 0x90, 0x7d, 0x61, 0x8e,
-	0x84, 0xee, 0xc0, 0x18, 0xf5, 0x35, 0x3f, 0xa0, 0xa5, 0xd1, 0xae, 0x1b, 0x67, 0x61, 0x72, 0x3b,
-	0x75, 0x46, 0xa0, 0x8e, 0x85, 0xdf, 0x58, 0xe0, 0xc9, 0x4f, 0x73, 0x30, 0x9f, 0x28, 0xaf, 0x38,
-	0x76, 0xcd, 0xe4, 0x95, 0xf2, 0x56, 0x2a, 0xeb, 0xc7, 0x3a, 0xb2, 0xbe, 0xd8, 0xc3, 0x24, 0xc9,
-	0x38, 0x7a, 0x23, 0xbe, 0x6e, 0x8e, 0x9b, 0x1f, 0x4d, 0x3b, 0x7f, 0xde, 0xac, 0xcc, 0xc6, 0x66,
-	0xe9, 0xfb, 0xa0, 0x5d, 0x40, 0x0d, 0x8d, 0xfa, 0xb7, 0x3c, 0xcd, 0xa6, 0x21, 0xac, 0x69, 0x11,
-	0x11, 0xf5, 0x6b, 0xc3, 0xbd, 0x13, 0xb3, 0x50, 0x97, 0x84, 0x4b, 0xb4, 0xda, 0x85, 0x86, 0x7b,
-	0x78, 0x40, 0xff, 0x87, 0x31, 0x8f, 0x68, 0xd4, 0xb1, 0x4b, 0x79, 0x7e, 0xe5, 0x38, 0x5f, 0x98,
-	0x4b, 0xb1, 0x38, 0x45, 0xaf, 0xc2, 0xb8, 0x45, 0x28, 0xd5, 0x0c, 0x52, 0x2a, 0x70, 0xc5, 0x59,
-	0xa1, 0x38, 0xbe, 0x16, 0x8a, 0x71, 0x74, 0x2e, 0xff, 0x24, 0xc1, 0x4c, 0x92, 0xa7, 0x55, 0x93,
-	0xfa, 0xe8, 0x5e, 0x57, 0xed, 0x29, 0xc3, 0xc5, 0xc4, 0xac, 0x79, 0xe5, 0xcd, 0x09, 0x77, 0x13,
-	0x91, 0xa4, 0xad, 0xee, 0x6e, 0x40, 0xc1, 0xf4, 0x89, 0xc5, 0xb2, 0x3e, 0xda, 0x91, 0xae, 0x8c,
-	0x22, 0x51, 0xa7, 0x05, 0x6c, 0xe1, 0x1a, 0x03, 0xc0, 0x21, 0x8e, 0xfc, 0xc7, 0x68, 0x7b, 0x04,
-	0xac, 0x1e, 0xd1, 0x77, 0x12, 0x2c, 0xb9, 0x7d, 0x07, 0x8c, 0x08, 0x6a, 0x25, 0xcb, 0x73, 0xff,
-	0x11, 0x85, 0xc9, 0x36, 0x61, 0x73, 0x85, 0xa8, 0xb2, 0xb8, 0xd2, 0xd2, 0x00, 0xe5, 0x01, 0x57,
-	0x41, 0x1f, 0x02, 0xb2, 0x34, 0x9f, 0x65, 0xd4, 0xd8, 0xf0, 0x88, 0x4e, 0x6a, 0x0c, 0x55, 0x0c,
-	0xa5, 0xb8, 0x3a, 0xd6, 0xba, 0x34, 0x70, 0x0f, 0x2b, 0xf4, 0xa5, 0x04, 0xf3, 0xb5, 0xee, 0x21,
-	0x23, 0xea, 0xf2, 0xc2, 0x30, 0x89, 0xee, 0x31, 0xa3, 0xd4, 0xc5, 0x56, 0xb3, 0x32, 0xdf, 0xe3,
-	0x00, 0xf7, 0x72, 0x86, 0xee, 0x41, 0xc1, 0x0b, 0x1a, 0x84, 0x96, 0xf2, 0xfc, 0x79, 0x33, 0xbd,
-	0x6e, 0x38, 0x0d, 0x53, 0xdf, 0xc7, 0xcc, 0xe4, 0x63, 0xd3, 0xaf, 0x6f, 0x06, 0x7c, 0x56, 0xd1,
-	0xe4, 0xad, 0xf9, 0x11, 0x0e, 0x41, 0xe5, 0x47, 0x30, 0xd7, 0x39, 0x34, 0x90, 0x01, 0xa0, 0x47,
-	0x7d, 0xca, 0x16, 0x04, 0x73, 0x7b, 0x76, 0xf8, 0xaa, 0x8a, 0x7b, 0x3c, 0x99, 0x97, 0xb1, 0x88,
-	0xe2, 0x36, 0x68, 0xf9, 0x14, 0x4c, 0x5d, 0xf5, 0x9c, 0xc0, 0x15, 0x77, 0x44, 0xcb, 0x90, 0xb7,
-	0x35, 0x2b, 0x9a, 0x3e, 0xf1, 0x44, 0x5c, 0xd7, 0x2c, 0x82, 0xf9, 0x89, 0xfc, 0xad, 0x04, 0xd3,
-	0xab, 0xa6, 0x65, 0xfa, 0x98, 0x50, 0xd7, 0xb1, 0x29, 0x41, 0xe7, 0x53, 0x13, 0xeb, 0x68, 0xc7,
-	0xc4, 0x3a, 0x94, 0x52, 0x6e, 0x9b, 0x55, 0x9f, 0xc0, 0xf8, 0xc3, 0x80, 0x04, 0xa6, 0x6d, 0x88,
-	0x79, 0x7d, 0x2e, 0x2b, 0xc0, 0x9b, 0xa1, 0x7a, 0xaa, 0xda, 0xd4, 0x49, 0x36, 0x02, 0xc4, 0x09,
-	0x8e, 0x10, 0xe5, 0xbf, 0x73, 0x70, 0x94, 0x3b, 0x26, 0xb5, 0x01, 0x5b, 0xf9, 0x5e, 0xe6, 0x56,
-	0x5e, 0x16, 0xd1, 0x1c, 0x64, 0x33, 0x3f, 0x80, 0xe9, 0x46, 0x7b, 0xec, 0x22, 0xcc, 0x93, 0x59,
-	0x61, 0xa6, 0x12, 0xa6, 0x2e, 0x88, 0x1b, 0xa4, 0x93, 0x8e, 0xd3, 0xd0, 0xbd, 0x58, 0xc0, 0xe8,
-	0xf0, 0x2c, 0x00, 0xdd, 0x80, 0x85, 0x2d, 0xc7, 0xf3, 0x9c, 0x3d, 0xd3, 0x36, 0xb8, 0x9f, 0x08,
-	0x24, 0xcf, 0x41, 0xfe, 0xd3, 0x6a, 0x56, 0x16, 0xd4, 0x5e, 0x0a, 0xb8, 0xb7, 0x9d, 0xbc, 0x07,
-	0x0b, 0xeb, 0x6c, 0xa6, 0x50, 0x27, 0xf0, 0x74, 0x92, 0x34, 0x04, 0xaa, 0x40, 0x61, 0x97, 0x78,
-	0x5b, 0x61, 0x51, 0x17, 0xd5, 0x22, 0x6b, 0x87, 0x8f, 0x98, 0x00, 0x87, 0x72, 0x16, 0x89, 0x9d,
-	0x58, 0xde, 0xc6, 0xab, 0xb4, 0x34, 0xc6, 0x55, 0x79, 0x24, 0xeb, 0xe9, 0x23, 0xdc, 0xa9, 0x2b,
-	0x37, 0x73, 0xb0, 0xd8, 0xa7, 0xff, 0xd0, 0x6d, 0x98, 0xa0, 0xe2, 0x6f, 0xd1, 0x53, 0xc7, 0xb2,
-	0xde, 0x42, 0xd8, 0x26, 0xd3, 0x3f, 0x02, 0xc3, 0x31, 0x14, 0x72, 0x60, 0xda, 0x13, 0x57, 0xe0,
-	0x3e, 0xc5, 0x16, 0x38, 0x93, 0x85, 0xdd, 0x9d, 0x9d, 0xe4, 0xb1, 0x71, 0x3b, 0x20, 0x4e, 0xe3,
-	0xa3, 0x47, 0x30, 0xd7, 0x16, 0x76, 0xe8, 0x73, 0x94, 0xfb, 0x3c, 0x9f, 0xe5, 0xb3, 0xe7, 0xa3,
-	0xa8, 0x25, 0xe1, 0x76, 0x6e, 0xbd, 0x03, 0x16, 0x77, 0x39, 0x92, 0x7f, 0xc9, 0xc1, 0x80, 0xc5,
-	0xf0, 0x12, 0x48, 0xde, 0xfd, 0x14, 0xc9, 0x7b, 0xe7, 0xe0, 0x1b, 0xaf, 0x2f, 0xe9, 0xab, 0x77,
-	0x90, 0xbe, 0xf7, 0x5e, 0xc0, 0xc7, 0x60, 0x12, 0xf8, 0x67, 0x0e, 0xfe, 0xd7, 0xdf, 0x38, 0x21,
-	0x85, 0xd7, 0x53, 0x23, 0xf6, 0x42, 0xc7, 0x88, 0x3d, 0x36, 0x04, 0xc4, 0xbf, 0x24, 0xb1, 0x83,
-	0x24, 0xfe, 0x2a, 0x41, 0xb9, 0x7f, 0xde, 0x5e, 0x02, 0x69, 0xfc, 0x34, 0x4d, 0x1a, 0xdf, 0x3c,
-	0x78, 0x91, 0xf5, 0x21, 0x91, 0x57, 0x07, 0xd5, 0x56, 0x4c, 0xf7, 0x86, 0x58, 0xf9, 0xdf, 0xe7,
-	0x06, 0xa5, 0x8a, 0xb3, 0xd3, 0x8c, 0x5f, 0x2d, 0x29, 0xeb, 0x2b, 0x36, 0x5b, 0x3d, 0x16, 0xdb,
-	0x1e, 0x61, 0x41, 0xd6, 0x61, 0xbc, 0x11, 0xee, 0x6a, 0xd1, 0xd4, 0x97, 0x86, 0x5a, 0x91, 0x83,
-	0x56, 0x7b, 0x48, 0x0b, 0x84, 0x1a, 0x8e, 0xe0, 0x51, 0x0d, 0xc6, 0x08, 0xff, 0xa9, 0x3e, 0x6c,
-	0x67, 0x67, 0xfd, 0xb0, 0x57, 0x81, 0x55, 0x61, 0xa8, 0x85, 0x05, 0xb6, 0xfc, 0x8d, 0x04, 0xcb,
-	0x59, 0x23, 0x01, 0xed, 0xf5, 0xa0, 0x78, 0x2f, 0x40, 0xdf, 0x87, 0xa7, 0x7c, 0x3f, 0x48, 0x70,
-	0xb8, 0x17, 0x93, 0x62, 0x4d, 0xc6, 0xe8, 0x53, 0xcc, 0x7d, 0xe2, 0x26, 0xbb, 0xc9, 0xa5, 0x58,
-	0x9c, 0xa2, 0x13, 0x30, 0x51, 0xd7, 0xec, 0xda, 0xa6, 0xf9, 0x79, 0xc4, 0xea, 0xe3, 0x32, 0xff,
-	0x40, 0xc8, 0x71, 0xac, 0x81, 0x2e, 0xc3, 0x1c, 0xb7, 0x5b, 0x25, 0xb6, 0xe1, 0xd7, 0xf9, 0x8b,
-	0x08, 0x6a, 0x12, 0x6f, 0x9d, 0x9b, 0x1d, 0xe7, 0xb8, 0xcb, 0x42, 0xfe, 0x4b, 0x02, 0x74, 0x10,
-	0x36, 0x71, 0x1c, 0x8a, 0x9a, 0x6b, 0x72, 0x8a, 0x1b, 0x36, 0x5a, 0x51, 0x9d, 0x6e, 0x35, 0x2b,
-	0xc5, 0x4b, 0x1b, 0xd7, 0x42, 0x21, 0x4e, 0xce, 0x99, 0x72, 0xb4, 0x68, 0xc3, 0x85, 0x2a, 0x94,
-	0x23, 0xc7, 0x14, 0x27, 0xe7, 0xe8, 0x22, 0x4c, 0xe9, 0x8d, 0x80, 0xfa, 0xc4, 0xdb, 0xd4, 0x1d,
-	0x97, 0xf0, 0xc1, 0x34, 0xa1, 0x1e, 0x16, 0x31, 0x4d, 0xad, 0xb4, 0x9d, 0xe1, 0x94, 0x26, 0x52,
-	0x00, 0x58, 0x5b, 0x51, 0x57, 0x63, 0x7e, 0x0a, 0xdc, 0xcf, 0x0c, 0x7b, 0xb0, 0xf5, 0x58, 0x8a,
-	0xdb, 0x34, 0xe4, 0x07, 0xb0, 0xb0, 0x49, 0xbc, 0x5d, 0x53, 0x27, 0x97, 0x74, 0xdd, 0x09, 0x6c,
-	0x3f, 0x22, 0xeb, 0x55, 0x28, 0xc6, 0x6a, 0xa2, 0xf3, 0x0e, 0x09, 0xff, 0xc5, 0x18, 0x0b, 0x27,
-	0x3a, 0x71, 0xab, 0xe7, 0xfa, 0xb6, 0xfa, 0xcf, 0x39, 0x18, 0x4f, 0xe0, 0xf3, 0x3b, 0xa6, 0x5d,
-	0x13, 0xc8, 0x47, 0x22, 0xed, 0xeb, 0xa6, 0x5d, 0x7b, 0xde, 0xac, 0x4c, 0x0a, 0x35, 0xf6, 0x89,
-	0xb9, 0x22, 0xba, 0x06, 0xf9, 0x80, 0x12, 0x4f, 0x34, 0xf1, 0xf1, 0xac, 0x62, 0xbe, 0x4d, 0x89,
-	0x17, 0xf1, 0xab, 0x09, 0x86, 0xcc, 0x04, 0x98, 0x43, 0xa0, 0x35, 0x28, 0x18, 0xec, 0x51, 0x44,
-	0x9f, 0x9e, 0xc8, 0xc2, 0x6a, 0xff, 0x11, 0x13, 0x96, 0x01, 0x97, 0xe0, 0x10, 0x05, 0x3d, 0x84,
-	0x19, 0x9a, 0x4a, 0x21, 0x7f, 0xae, 0x21, 0xf8, 0x52, 0xcf, 0xc4, 0xab, 0xa8, 0xd5, 0xac, 0xcc,
-	0xa4, 0x8f, 0x70, 0x87, 0x03, 0xb9, 0x0a, 0x93, 0x6d, 0x01, 0x66, 0x4f, 0x59, 0xf5, 0xf2, 0xe3,
-	0x67, 0xe5, 0x91, 0x27, 0xcf, 0xca, 0x23, 0x4f, 0x9f, 0x95, 0x47, 0xbe, 0x68, 0x95, 0xa5, 0xc7,
-	0xad, 0xb2, 0xf4, 0xa4, 0x55, 0x96, 0x9e, 0xb6, 0xca, 0xd2, 0x6f, 0xad, 0xb2, 0xf4, 0xd5, 0xef,
-	0xe5, 0x91, 0xbb, 0xe5, 0xc1, 0xff, 0x8b, 0xfd, 0x27, 0x00, 0x00, 0xff, 0xff, 0x03, 0x5d, 0xec,
-	0x01, 0xac, 0x15, 0x00, 0x00,
-}
+func (m *UserSubject) Reset() { *m = UserSubject{} }
 
 func (m *ExemptPriorityLevelConfiguration) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.protomessage.pb.go b/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..20407c045c02b
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta3/generated.protomessage.pb.go
@@ -0,0 +1,68 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta3
+
+func (*ExemptPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*FlowDistinguisherMethod) ProtoMessage() {}
+
+func (*FlowSchema) ProtoMessage() {}
+
+func (*FlowSchemaCondition) ProtoMessage() {}
+
+func (*FlowSchemaList) ProtoMessage() {}
+
+func (*FlowSchemaSpec) ProtoMessage() {}
+
+func (*FlowSchemaStatus) ProtoMessage() {}
+
+func (*GroupSubject) ProtoMessage() {}
+
+func (*LimitResponse) ProtoMessage() {}
+
+func (*LimitedPriorityLevelConfiguration) ProtoMessage() {}
+
+func (*NonResourcePolicyRule) ProtoMessage() {}
+
+func (*PolicyRulesWithSubjects) ProtoMessage() {}
+
+func (*PriorityLevelConfiguration) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationCondition) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationList) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationReference) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationSpec) ProtoMessage() {}
+
+func (*PriorityLevelConfigurationStatus) ProtoMessage() {}
+
+func (*QueuingConfiguration) ProtoMessage() {}
+
+func (*ResourcePolicyRule) ProtoMessage() {}
+
+func (*ServiceAccountSubject) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
+
+func (*UserSubject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/flowcontrol/v1beta3/zz_generated.model_name.go b/staging/src/k8s.io/api/flowcontrol/v1beta3/zz_generated.model_name.go
new file mode 100644
index 0000000000000..0aae062783752
--- /dev/null
+++ b/staging/src/k8s.io/api/flowcontrol/v1beta3/zz_generated.model_name.go
@@ -0,0 +1,137 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta3
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExemptPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowDistinguisherMethod) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchema) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowSchema"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowSchemaList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlowSchemaStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.GroupSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitResponse) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.LimitResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LimitedPriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NonResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRulesWithSubjects) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationCondition) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationList) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationReference) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationSpec) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityLevelConfigurationStatus) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QueuingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.Subject"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserSubject) OpenAPIModelName() string {
+	return "io.k8s.api.flowcontrol.v1beta3.UserSubject"
+}
diff --git a/staging/src/k8s.io/api/go.mod b/staging/src/k8s.io/api/go.mod
index d518276b50707..cbeb95b5a92f7 100644
--- a/staging/src/k8s.io/api/go.mod
+++ b/staging/src/k8s.io/api/go.mod
@@ -2,40 +2,40 @@
 
 module k8s.io/api
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/gogo/protobuf v1.3.2
 	k8s.io/apimachinery v0.0.0
+	k8s.io/klog/v2 v2.130.1
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/apimachinery => ../apimachinery
 )
diff --git a/staging/src/k8s.io/api/go.sum b/staging/src/k8s.io/api/go.sum
index 662133b49f990..efd188ea1a7aa 100644
--- a/staging/src/k8s.io/api/go.sum
+++ b/staging/src/k8s.io/api/go.sum
@@ -1,28 +1,28 @@
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -38,83 +38,60 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/doc.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/doc.go
index f5fbbdbf0c3e7..7e7a980c6c8aa 100644
--- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.imagepolicy.v1alpha1
 
 // +groupName=imagepolicy.k8s.io
 
diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go
index 57732a51648e8..c8e53c7fa599f 100644
--- a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.pb.go
@@ -23,193 +23,20 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ImageReview) Reset() { *m = ImageReview{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ImageReviewContainerSpec) Reset() { *m = ImageReviewContainerSpec{} }
 
-func (m *ImageReview) Reset()      { *m = ImageReview{} }
-func (*ImageReview) ProtoMessage() {}
-func (*ImageReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7620d1538838ac6f, []int{0}
-}
-func (m *ImageReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageReview.Merge(m, src)
-}
-func (m *ImageReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageReview.DiscardUnknown(m)
-}
+func (m *ImageReviewSpec) Reset() { *m = ImageReviewSpec{} }
 
-var xxx_messageInfo_ImageReview proto.InternalMessageInfo
-
-func (m *ImageReviewContainerSpec) Reset()      { *m = ImageReviewContainerSpec{} }
-func (*ImageReviewContainerSpec) ProtoMessage() {}
-func (*ImageReviewContainerSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7620d1538838ac6f, []int{1}
-}
-func (m *ImageReviewContainerSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageReviewContainerSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageReviewContainerSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageReviewContainerSpec.Merge(m, src)
-}
-func (m *ImageReviewContainerSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageReviewContainerSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageReviewContainerSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageReviewContainerSpec proto.InternalMessageInfo
-
-func (m *ImageReviewSpec) Reset()      { *m = ImageReviewSpec{} }
-func (*ImageReviewSpec) ProtoMessage() {}
-func (*ImageReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7620d1538838ac6f, []int{2}
-}
-func (m *ImageReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageReviewSpec.Merge(m, src)
-}
-func (m *ImageReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageReviewSpec proto.InternalMessageInfo
-
-func (m *ImageReviewStatus) Reset()      { *m = ImageReviewStatus{} }
-func (*ImageReviewStatus) ProtoMessage() {}
-func (*ImageReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7620d1538838ac6f, []int{3}
-}
-func (m *ImageReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageReviewStatus.Merge(m, src)
-}
-func (m *ImageReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageReviewStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ImageReview)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReview")
-	proto.RegisterType((*ImageReviewContainerSpec)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReviewContainerSpec")
-	proto.RegisterType((*ImageReviewSpec)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReviewSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReviewSpec.AnnotationsEntry")
-	proto.RegisterType((*ImageReviewStatus)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReviewStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.imagepolicy.v1alpha1.ImageReviewStatus.AuditAnnotationsEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/imagepolicy/v1alpha1/generated.proto", fileDescriptor_7620d1538838ac6f)
-}
-
-var fileDescriptor_7620d1538838ac6f = []byte{
-	// 593 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x94, 0x4f, 0x6f, 0xd3, 0x30,
-	0x18, 0xc6, 0x9b, 0x74, 0xff, 0xea, 0x02, 0xeb, 0x0c, 0x48, 0x51, 0x0f, 0xe9, 0x54, 0x24, 0x34,
-	0x0e, 0xd8, 0xb4, 0x42, 0x68, 0x70, 0x00, 0x35, 0xd3, 0x24, 0x38, 0x00, 0x92, 0xb9, 0xed, 0x84,
-	0x9b, 0x9a, 0xd4, 0xb4, 0x89, 0xa3, 0xd8, 0xe9, 0xe8, 0x8d, 0x4f, 0x80, 0xf8, 0x06, 0x7c, 0x11,
-	0x3e, 0x40, 0x8f, 0x3b, 0xee, 0x34, 0xd1, 0x70, 0xe4, 0x4b, 0xa0, 0x38, 0x69, 0x13, 0xda, 0xa1,
-	0xa9, 0xb7, 0xbc, 0xef, 0xeb, 0xe7, 0xf7, 0x3e, 0x79, 0x62, 0x05, 0xe0, 0xd1, 0xb1, 0x44, 0x5c,
-	0x60, 0x1a, 0x72, 0xcc, 0x7d, 0xea, 0xb1, 0x50, 0x8c, 0xb9, 0x3b, 0xc5, 0x93, 0x0e, 0x1d, 0x87,
-	0x43, 0xda, 0xc1, 0x1e, 0x0b, 0x58, 0x44, 0x15, 0x1b, 0xa0, 0x30, 0x12, 0x4a, 0xc0, 0x56, 0x26,
-	0x40, 0x34, 0xe4, 0xa8, 0x24, 0x40, 0x0b, 0x41, 0xf3, 0xb1, 0xc7, 0xd5, 0x30, 0xee, 0x23, 0x57,
-	0xf8, 0xd8, 0x13, 0x9e, 0xc0, 0x5a, 0xd7, 0x8f, 0x3f, 0xe9, 0x4a, 0x17, 0xfa, 0x29, 0xe3, 0x35,
-	0x9f, 0x16, 0x06, 0x7c, 0xea, 0x0e, 0x79, 0xc0, 0xa2, 0x29, 0x0e, 0x47, 0x5e, 0xda, 0x90, 0xd8,
-	0x67, 0x8a, 0xe2, 0xc9, 0x9a, 0x8b, 0x26, 0xfe, 0x9f, 0x2a, 0x8a, 0x03, 0xc5, 0x7d, 0xb6, 0x26,
-	0x78, 0x76, 0x93, 0x40, 0xba, 0x43, 0xe6, 0xd3, 0x55, 0x5d, 0xfb, 0x87, 0x09, 0xea, 0x6f, 0xd2,
-	0xd7, 0x24, 0x6c, 0xc2, 0xd9, 0x39, 0xfc, 0x08, 0xf6, 0x52, 0x4f, 0x03, 0xaa, 0xa8, 0x65, 0x1c,
-	0x1a, 0x47, 0xf5, 0xee, 0x13, 0x54, 0x24, 0xb2, 0x44, 0xa3, 0x70, 0xe4, 0xa5, 0x0d, 0x89, 0xd2,
-	0xd3, 0x68, 0xd2, 0x41, 0xef, 0xfb, 0x9f, 0x99, 0xab, 0xde, 0x32, 0x45, 0x1d, 0x38, 0xbb, 0x6a,
-	0x55, 0x92, 0xab, 0x16, 0x28, 0x7a, 0x64, 0x49, 0x85, 0x04, 0x6c, 0xc9, 0x90, 0xb9, 0x96, 0xb9,
-	0x46, 0xbf, 0x36, 0x6f, 0x54, 0x72, 0xf7, 0x21, 0x64, 0xae, 0x73, 0x2b, 0xa7, 0x6f, 0xa5, 0x15,
-	0xd1, 0x2c, 0x78, 0x06, 0x76, 0xa4, 0xa2, 0x2a, 0x96, 0x56, 0x55, 0x53, 0xbb, 0x1b, 0x51, 0xb5,
-	0xd2, 0xb9, 0x93, 0x73, 0x77, 0xb2, 0x9a, 0xe4, 0xc4, 0xf6, 0x2b, 0x60, 0x95, 0x0e, 0x9f, 0x88,
-	0x40, 0xd1, 0x34, 0x82, 0x74, 0x3b, 0x7c, 0x00, 0xb6, 0x35, 0x5d, 0x47, 0x55, 0x73, 0x6e, 0xe7,
-	0x88, 0xed, 0x4c, 0x90, 0xcd, 0xda, 0x7f, 0x4c, 0xb0, 0xbf, 0xf2, 0x12, 0xd0, 0x07, 0xc0, 0x5d,
-	0x90, 0xa4, 0x65, 0x1c, 0x56, 0x8f, 0xea, 0xdd, 0xe7, 0x9b, 0x98, 0xfe, 0xc7, 0x47, 0x91, 0xf8,
-	0xb2, 0x2d, 0x49, 0x69, 0x01, 0xfc, 0x02, 0xea, 0x34, 0x08, 0x84, 0xa2, 0x8a, 0x8b, 0x40, 0x5a,
-	0xa6, 0xde, 0xd7, 0xdb, 0x34, 0x7a, 0xd4, 0x2b, 0x18, 0xa7, 0x81, 0x8a, 0xa6, 0xce, 0xdd, 0x7c,
-	0x6f, 0xbd, 0x34, 0x21, 0xe5, 0x55, 0x10, 0x83, 0x5a, 0x40, 0x7d, 0x26, 0x43, 0xea, 0x32, 0xfd,
-	0x71, 0x6a, 0xce, 0x41, 0x2e, 0xaa, 0xbd, 0x5b, 0x0c, 0x48, 0x71, 0xa6, 0xf9, 0x12, 0x34, 0x56,
-	0xd7, 0xc0, 0x06, 0xa8, 0x8e, 0xd8, 0x34, 0x0b, 0x99, 0xa4, 0x8f, 0xf0, 0x1e, 0xd8, 0x9e, 0xd0,
-	0x71, 0xcc, 0xf4, 0x2d, 0xaa, 0x91, 0xac, 0x78, 0x61, 0x1e, 0x1b, 0xed, 0x9f, 0x26, 0x38, 0x58,
-	0xfb, 0xb8, 0xf0, 0x11, 0xd8, 0xa5, 0xe3, 0xb1, 0x38, 0x67, 0x03, 0x4d, 0xd9, 0x73, 0xf6, 0x73,
-	0x13, 0xbb, 0xbd, 0xac, 0x4d, 0x16, 0x73, 0xf8, 0x10, 0xec, 0x44, 0x8c, 0x4a, 0x11, 0x64, 0xec,
-	0xe2, 0x5e, 0x10, 0xdd, 0x25, 0xf9, 0x14, 0x7e, 0x33, 0x40, 0x83, 0xc6, 0x03, 0xae, 0x4a, 0x76,
-	0xad, 0xaa, 0x4e, 0xf6, 0xf5, 0xe6, 0xd7, 0x0f, 0xf5, 0x56, 0x50, 0x59, 0xc0, 0x56, 0xbe, 0xbc,
-	0xb1, 0x3a, 0x26, 0x6b, 0xbb, 0x9b, 0x27, 0xe0, 0xfe, 0xb5, 0x90, 0x4d, 0xe2, 0x73, 0x4e, 0x67,
-	0x73, 0xbb, 0x72, 0x31, 0xb7, 0x2b, 0x97, 0x73, 0xbb, 0xf2, 0x35, 0xb1, 0x8d, 0x59, 0x62, 0x1b,
-	0x17, 0x89, 0x6d, 0x5c, 0x26, 0xb6, 0xf1, 0x2b, 0xb1, 0x8d, 0xef, 0xbf, 0xed, 0xca, 0x59, 0xeb,
-	0x86, 0xbf, 0xea, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x59, 0x86, 0x92, 0x15, 0x77, 0x05, 0x00,
-	0x00,
-}
+func (m *ImageReviewStatus) Reset() { *m = ImageReviewStatus{} }
 
 func (m *ImageReview) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -322,7 +149,7 @@ func (m *ImageReviewSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Annotations {
 			keysForAnnotations = append(keysForAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		sort.Strings(keysForAnnotations)
 		for iNdEx := len(keysForAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Annotations[string(keysForAnnotations[iNdEx])]
 			baseI := i
@@ -383,7 +210,7 @@ func (m *ImageReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.AuditAnnotations {
 			keysForAuditAnnotations = append(keysForAuditAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+		sort.Strings(keysForAuditAnnotations)
 		for iNdEx := len(keysForAuditAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AuditAnnotations[string(keysForAuditAnnotations[iNdEx])]
 			baseI := i
@@ -541,7 +368,7 @@ func (this *ImageReviewSpec) String() string {
 	for k := range this.Annotations {
 		keysForAnnotations = append(keysForAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	sort.Strings(keysForAnnotations)
 	mapStringForAnnotations := "map[string]string{"
 	for _, k := range keysForAnnotations {
 		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
@@ -563,7 +390,7 @@ func (this *ImageReviewStatus) String() string {
 	for k := range this.AuditAnnotations {
 		keysForAuditAnnotations = append(keysForAuditAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAuditAnnotations)
+	sort.Strings(keysForAuditAnnotations)
 	mapStringForAuditAnnotations := "map[string]string{"
 	for _, k := range keysForAuditAnnotations {
 		mapStringForAuditAnnotations += fmt.Sprintf("%v: %v,", k, this.AuditAnnotations[k])
diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..215f52a377347
--- /dev/null
+++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ImageReview) ProtoMessage() {}
+
+func (*ImageReviewContainerSpec) ProtoMessage() {}
+
+func (*ImageReviewSpec) ProtoMessage() {}
+
+func (*ImageReviewStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e21c127a748e5
--- /dev/null
+++ b/staging/src/k8s.io/api/imagepolicy/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReview) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewContainerSpec) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewContainerSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewSpec) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImageReviewStatus) OpenAPIModelName() string {
+	return "io.k8s.api.imagepolicy.v1alpha1.ImageReviewStatus"
+}
diff --git a/staging/src/k8s.io/api/networking/v1/doc.go b/staging/src/k8s.io/api/networking/v1/doc.go
index e2093b7df6737..42da00e2480f3 100644
--- a/staging/src/k8s.io/api/networking/v1/doc.go
+++ b/staging/src/k8s.io/api/networking/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.networking.v1
+
 // +groupName=networking.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/networking/v1/generated.pb.go b/staging/src/k8s.io/api/networking/v1/generated.pb.go
index 062382b633ac9..ee5429f135bef 100644
--- a/staging/src/k8s.io/api/networking/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/networking/v1/generated.pb.go
@@ -24,12 +24,10 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -37,1160 +35,75 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} }
 
-func (m *HTTPIngressPath) Reset()      { *m = HTTPIngressPath{} }
-func (*HTTPIngressPath) ProtoMessage() {}
-func (*HTTPIngressPath) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{0}
-}
-func (m *HTTPIngressPath) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressPath) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressPath) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressPath.Merge(m, src)
-}
-func (m *HTTPIngressPath) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressPath) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressPath.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressPath proto.InternalMessageInfo
-
-func (m *HTTPIngressRuleValue) Reset()      { *m = HTTPIngressRuleValue{} }
-func (*HTTPIngressRuleValue) ProtoMessage() {}
-func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{1}
-}
-func (m *HTTPIngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressRuleValue.Merge(m, src)
-}
-func (m *HTTPIngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressRuleValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressRuleValue proto.InternalMessageInfo
-
-func (m *IPAddress) Reset()      { *m = IPAddress{} }
-func (*IPAddress) ProtoMessage() {}
-func (*IPAddress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{2}
-}
-func (m *IPAddress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddress.Merge(m, src)
-}
-func (m *IPAddress) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddress) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddress proto.InternalMessageInfo
-
-func (m *IPAddressList) Reset()      { *m = IPAddressList{} }
-func (*IPAddressList) ProtoMessage() {}
-func (*IPAddressList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{3}
-}
-func (m *IPAddressList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddressList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddressList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddressList.Merge(m, src)
-}
-func (m *IPAddressList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddressList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddressList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddressList proto.InternalMessageInfo
-
-func (m *IPAddressSpec) Reset()      { *m = IPAddressSpec{} }
-func (*IPAddressSpec) ProtoMessage() {}
-func (*IPAddressSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{4}
-}
-func (m *IPAddressSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddressSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddressSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddressSpec.Merge(m, src)
-}
-func (m *IPAddressSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddressSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddressSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddressSpec proto.InternalMessageInfo
-
-func (m *IPBlock) Reset()      { *m = IPBlock{} }
-func (*IPBlock) ProtoMessage() {}
-func (*IPBlock) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{5}
-}
-func (m *IPBlock) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPBlock) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPBlock) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPBlock.Merge(m, src)
-}
-func (m *IPBlock) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPBlock) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPBlock.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPBlock proto.InternalMessageInfo
-
-func (m *Ingress) Reset()      { *m = Ingress{} }
-func (*Ingress) ProtoMessage() {}
-func (*Ingress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{6}
-}
-func (m *Ingress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Ingress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Ingress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Ingress.Merge(m, src)
-}
-func (m *Ingress) XXX_Size() int {
-	return m.Size()
-}
-func (m *Ingress) XXX_DiscardUnknown() {
-	xxx_messageInfo_Ingress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Ingress proto.InternalMessageInfo
-
-func (m *IngressBackend) Reset()      { *m = IngressBackend{} }
-func (*IngressBackend) ProtoMessage() {}
-func (*IngressBackend) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{7}
-}
-func (m *IngressBackend) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressBackend) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressBackend) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressBackend.Merge(m, src)
-}
-func (m *IngressBackend) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressBackend) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressBackend.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressBackend proto.InternalMessageInfo
-
-func (m *IngressClass) Reset()      { *m = IngressClass{} }
-func (*IngressClass) ProtoMessage() {}
-func (*IngressClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{8}
-}
-func (m *IngressClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClass.Merge(m, src)
-}
-func (m *IngressClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClass proto.InternalMessageInfo
-
-func (m *IngressClassList) Reset()      { *m = IngressClassList{} }
-func (*IngressClassList) ProtoMessage() {}
-func (*IngressClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{9}
-}
-func (m *IngressClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassList.Merge(m, src)
-}
-func (m *IngressClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassList proto.InternalMessageInfo
-
-func (m *IngressClassParametersReference) Reset()      { *m = IngressClassParametersReference{} }
-func (*IngressClassParametersReference) ProtoMessage() {}
-func (*IngressClassParametersReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{10}
-}
-func (m *IngressClassParametersReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassParametersReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassParametersReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassParametersReference.Merge(m, src)
-}
-func (m *IngressClassParametersReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassParametersReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassParametersReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassParametersReference proto.InternalMessageInfo
-
-func (m *IngressClassSpec) Reset()      { *m = IngressClassSpec{} }
-func (*IngressClassSpec) ProtoMessage() {}
-func (*IngressClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{11}
-}
-func (m *IngressClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassSpec.Merge(m, src)
-}
-func (m *IngressClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassSpec proto.InternalMessageInfo
-
-func (m *IngressList) Reset()      { *m = IngressList{} }
-func (*IngressList) ProtoMessage() {}
-func (*IngressList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{12}
-}
-func (m *IngressList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressList.Merge(m, src)
-}
-func (m *IngressList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressList proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerIngress) Reset()      { *m = IngressLoadBalancerIngress{} }
-func (*IngressLoadBalancerIngress) ProtoMessage() {}
-func (*IngressLoadBalancerIngress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{13}
-}
-func (m *IngressLoadBalancerIngress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerIngress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerIngress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerIngress.Merge(m, src)
-}
-func (m *IngressLoadBalancerIngress) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerIngress) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerIngress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressLoadBalancerIngress proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerStatus) Reset()      { *m = IngressLoadBalancerStatus{} }
-func (*IngressLoadBalancerStatus) ProtoMessage() {}
-func (*IngressLoadBalancerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{14}
-}
-func (m *IngressLoadBalancerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerStatus.Merge(m, src)
-}
-func (m *IngressLoadBalancerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressLoadBalancerStatus proto.InternalMessageInfo
-
-func (m *IngressPortStatus) Reset()      { *m = IngressPortStatus{} }
-func (*IngressPortStatus) ProtoMessage() {}
-func (*IngressPortStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{15}
-}
-func (m *IngressPortStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressPortStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressPortStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressPortStatus.Merge(m, src)
-}
-func (m *IngressPortStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressPortStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressPortStatus.DiscardUnknown(m)
-}
+func (m *IPAddress) Reset() { *m = IPAddress{} }
 
-var xxx_messageInfo_IngressPortStatus proto.InternalMessageInfo
+func (m *IPAddressList) Reset() { *m = IPAddressList{} }
 
-func (m *IngressRule) Reset()      { *m = IngressRule{} }
-func (*IngressRule) ProtoMessage() {}
-func (*IngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{16}
-}
-func (m *IngressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRule.Merge(m, src)
-}
-func (m *IngressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRule.DiscardUnknown(m)
-}
+func (m *IPAddressSpec) Reset() { *m = IPAddressSpec{} }
 
-var xxx_messageInfo_IngressRule proto.InternalMessageInfo
+func (m *IPBlock) Reset() { *m = IPBlock{} }
 
-func (m *IngressRuleValue) Reset()      { *m = IngressRuleValue{} }
-func (*IngressRuleValue) ProtoMessage() {}
-func (*IngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{17}
-}
-func (m *IngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRuleValue.Merge(m, src)
-}
-func (m *IngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRuleValue.DiscardUnknown(m)
-}
+func (m *Ingress) Reset() { *m = Ingress{} }
 
-var xxx_messageInfo_IngressRuleValue proto.InternalMessageInfo
+func (m *IngressBackend) Reset() { *m = IngressBackend{} }
 
-func (m *IngressServiceBackend) Reset()      { *m = IngressServiceBackend{} }
-func (*IngressServiceBackend) ProtoMessage() {}
-func (*IngressServiceBackend) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{18}
-}
-func (m *IngressServiceBackend) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressServiceBackend) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressServiceBackend) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressServiceBackend.Merge(m, src)
-}
-func (m *IngressServiceBackend) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressServiceBackend) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressServiceBackend.DiscardUnknown(m)
-}
+func (m *IngressClass) Reset() { *m = IngressClass{} }
 
-var xxx_messageInfo_IngressServiceBackend proto.InternalMessageInfo
+func (m *IngressClassList) Reset() { *m = IngressClassList{} }
 
-func (m *IngressSpec) Reset()      { *m = IngressSpec{} }
-func (*IngressSpec) ProtoMessage() {}
-func (*IngressSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{19}
-}
-func (m *IngressSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressSpec.Merge(m, src)
-}
-func (m *IngressSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressSpec.DiscardUnknown(m)
-}
+func (m *IngressClassParametersReference) Reset() { *m = IngressClassParametersReference{} }
 
-var xxx_messageInfo_IngressSpec proto.InternalMessageInfo
+func (m *IngressClassSpec) Reset() { *m = IngressClassSpec{} }
 
-func (m *IngressStatus) Reset()      { *m = IngressStatus{} }
-func (*IngressStatus) ProtoMessage() {}
-func (*IngressStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{20}
-}
-func (m *IngressStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressStatus.Merge(m, src)
-}
-func (m *IngressStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressStatus proto.InternalMessageInfo
-
-func (m *IngressTLS) Reset()      { *m = IngressTLS{} }
-func (*IngressTLS) ProtoMessage() {}
-func (*IngressTLS) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{21}
-}
-func (m *IngressTLS) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressTLS) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressTLS.Merge(m, src)
-}
-func (m *IngressTLS) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressTLS) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressTLS.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressTLS proto.InternalMessageInfo
+func (m *IngressList) Reset() { *m = IngressList{} }
 
-func (m *NetworkPolicy) Reset()      { *m = NetworkPolicy{} }
-func (*NetworkPolicy) ProtoMessage() {}
-func (*NetworkPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{22}
-}
-func (m *NetworkPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicy.Merge(m, src)
-}
-func (m *NetworkPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicy.DiscardUnknown(m)
-}
+func (m *IngressLoadBalancerIngress) Reset() { *m = IngressLoadBalancerIngress{} }
 
-var xxx_messageInfo_NetworkPolicy proto.InternalMessageInfo
-
-func (m *NetworkPolicyEgressRule) Reset()      { *m = NetworkPolicyEgressRule{} }
-func (*NetworkPolicyEgressRule) ProtoMessage() {}
-func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{23}
-}
-func (m *NetworkPolicyEgressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyEgressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyEgressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyEgressRule.Merge(m, src)
-}
-func (m *NetworkPolicyEgressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyEgressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyEgressRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetworkPolicyEgressRule proto.InternalMessageInfo
-
-func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
-func (*NetworkPolicyIngressRule) ProtoMessage() {}
-func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{24}
-}
-func (m *NetworkPolicyIngressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyIngressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyIngressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyIngressRule.Merge(m, src)
-}
-func (m *NetworkPolicyIngressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyIngressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyIngressRule.DiscardUnknown(m)
-}
+func (m *IngressLoadBalancerStatus) Reset() { *m = IngressLoadBalancerStatus{} }
 
-var xxx_messageInfo_NetworkPolicyIngressRule proto.InternalMessageInfo
+func (m *IngressPortStatus) Reset() { *m = IngressPortStatus{} }
 
-func (m *NetworkPolicyList) Reset()      { *m = NetworkPolicyList{} }
-func (*NetworkPolicyList) ProtoMessage() {}
-func (*NetworkPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{25}
-}
-func (m *NetworkPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyList.Merge(m, src)
-}
-func (m *NetworkPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyList.DiscardUnknown(m)
-}
+func (m *IngressRule) Reset() { *m = IngressRule{} }
 
-var xxx_messageInfo_NetworkPolicyList proto.InternalMessageInfo
+func (m *IngressRuleValue) Reset() { *m = IngressRuleValue{} }
 
-func (m *NetworkPolicyPeer) Reset()      { *m = NetworkPolicyPeer{} }
-func (*NetworkPolicyPeer) ProtoMessage() {}
-func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{26}
-}
-func (m *NetworkPolicyPeer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyPeer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyPeer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyPeer.Merge(m, src)
-}
-func (m *NetworkPolicyPeer) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyPeer) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyPeer.DiscardUnknown(m)
-}
+func (m *IngressServiceBackend) Reset() { *m = IngressServiceBackend{} }
 
-var xxx_messageInfo_NetworkPolicyPeer proto.InternalMessageInfo
+func (m *IngressSpec) Reset() { *m = IngressSpec{} }
 
-func (m *NetworkPolicyPort) Reset()      { *m = NetworkPolicyPort{} }
-func (*NetworkPolicyPort) ProtoMessage() {}
-func (*NetworkPolicyPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{27}
-}
-func (m *NetworkPolicyPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicyPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicyPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicyPort.Merge(m, src)
-}
-func (m *NetworkPolicyPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicyPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicyPort.DiscardUnknown(m)
-}
+func (m *IngressStatus) Reset() { *m = IngressStatus{} }
 
-var xxx_messageInfo_NetworkPolicyPort proto.InternalMessageInfo
+func (m *IngressTLS) Reset() { *m = IngressTLS{} }
 
-func (m *NetworkPolicySpec) Reset()      { *m = NetworkPolicySpec{} }
-func (*NetworkPolicySpec) ProtoMessage() {}
-func (*NetworkPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{28}
-}
-func (m *NetworkPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkPolicySpec.Merge(m, src)
-}
-func (m *NetworkPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkPolicySpec.DiscardUnknown(m)
-}
+func (m *NetworkPolicy) Reset() { *m = NetworkPolicy{} }
 
-var xxx_messageInfo_NetworkPolicySpec proto.InternalMessageInfo
+func (m *NetworkPolicyEgressRule) Reset() { *m = NetworkPolicyEgressRule{} }
 
-func (m *ParentReference) Reset()      { *m = ParentReference{} }
-func (*ParentReference) ProtoMessage() {}
-func (*ParentReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{29}
-}
-func (m *ParentReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParentReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParentReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParentReference.Merge(m, src)
-}
-func (m *ParentReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParentReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParentReference.DiscardUnknown(m)
-}
+func (m *NetworkPolicyIngressRule) Reset() { *m = NetworkPolicyIngressRule{} }
 
-var xxx_messageInfo_ParentReference proto.InternalMessageInfo
+func (m *NetworkPolicyList) Reset() { *m = NetworkPolicyList{} }
 
-func (m *ServiceBackendPort) Reset()      { *m = ServiceBackendPort{} }
-func (*ServiceBackendPort) ProtoMessage() {}
-func (*ServiceBackendPort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{30}
-}
-func (m *ServiceBackendPort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceBackendPort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceBackendPort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceBackendPort.Merge(m, src)
-}
-func (m *ServiceBackendPort) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceBackendPort) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceBackendPort.DiscardUnknown(m)
-}
+func (m *NetworkPolicyPeer) Reset() { *m = NetworkPolicyPeer{} }
 
-var xxx_messageInfo_ServiceBackendPort proto.InternalMessageInfo
+func (m *NetworkPolicyPort) Reset() { *m = NetworkPolicyPort{} }
 
-func (m *ServiceCIDR) Reset()      { *m = ServiceCIDR{} }
-func (*ServiceCIDR) ProtoMessage() {}
-func (*ServiceCIDR) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{31}
-}
-func (m *ServiceCIDR) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDR) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDR) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDR.Merge(m, src)
-}
-func (m *ServiceCIDR) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDR) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDR.DiscardUnknown(m)
-}
+func (m *NetworkPolicySpec) Reset() { *m = NetworkPolicySpec{} }
 
-var xxx_messageInfo_ServiceCIDR proto.InternalMessageInfo
+func (m *ParentReference) Reset() { *m = ParentReference{} }
 
-func (m *ServiceCIDRList) Reset()      { *m = ServiceCIDRList{} }
-func (*ServiceCIDRList) ProtoMessage() {}
-func (*ServiceCIDRList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{32}
-}
-func (m *ServiceCIDRList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRList.Merge(m, src)
-}
-func (m *ServiceCIDRList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRList.DiscardUnknown(m)
-}
+func (m *ServiceBackendPort) Reset() { *m = ServiceBackendPort{} }
 
-var xxx_messageInfo_ServiceCIDRList proto.InternalMessageInfo
+func (m *ServiceCIDR) Reset() { *m = ServiceCIDR{} }
 
-func (m *ServiceCIDRSpec) Reset()      { *m = ServiceCIDRSpec{} }
-func (*ServiceCIDRSpec) ProtoMessage() {}
-func (*ServiceCIDRSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{33}
-}
-func (m *ServiceCIDRSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRSpec.Merge(m, src)
-}
-func (m *ServiceCIDRSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRSpec.DiscardUnknown(m)
-}
+func (m *ServiceCIDRList) Reset() { *m = ServiceCIDRList{} }
 
-var xxx_messageInfo_ServiceCIDRSpec proto.InternalMessageInfo
+func (m *ServiceCIDRSpec) Reset() { *m = ServiceCIDRSpec{} }
 
-func (m *ServiceCIDRStatus) Reset()      { *m = ServiceCIDRStatus{} }
-func (*ServiceCIDRStatus) ProtoMessage() {}
-func (*ServiceCIDRStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2c41434372fec1d7, []int{34}
-}
-func (m *ServiceCIDRStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRStatus.Merge(m, src)
-}
-func (m *ServiceCIDRStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceCIDRStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*HTTPIngressPath)(nil), "k8s.io.api.networking.v1.HTTPIngressPath")
-	proto.RegisterType((*HTTPIngressRuleValue)(nil), "k8s.io.api.networking.v1.HTTPIngressRuleValue")
-	proto.RegisterType((*IPAddress)(nil), "k8s.io.api.networking.v1.IPAddress")
-	proto.RegisterType((*IPAddressList)(nil), "k8s.io.api.networking.v1.IPAddressList")
-	proto.RegisterType((*IPAddressSpec)(nil), "k8s.io.api.networking.v1.IPAddressSpec")
-	proto.RegisterType((*IPBlock)(nil), "k8s.io.api.networking.v1.IPBlock")
-	proto.RegisterType((*Ingress)(nil), "k8s.io.api.networking.v1.Ingress")
-	proto.RegisterType((*IngressBackend)(nil), "k8s.io.api.networking.v1.IngressBackend")
-	proto.RegisterType((*IngressClass)(nil), "k8s.io.api.networking.v1.IngressClass")
-	proto.RegisterType((*IngressClassList)(nil), "k8s.io.api.networking.v1.IngressClassList")
-	proto.RegisterType((*IngressClassParametersReference)(nil), "k8s.io.api.networking.v1.IngressClassParametersReference")
-	proto.RegisterType((*IngressClassSpec)(nil), "k8s.io.api.networking.v1.IngressClassSpec")
-	proto.RegisterType((*IngressList)(nil), "k8s.io.api.networking.v1.IngressList")
-	proto.RegisterType((*IngressLoadBalancerIngress)(nil), "k8s.io.api.networking.v1.IngressLoadBalancerIngress")
-	proto.RegisterType((*IngressLoadBalancerStatus)(nil), "k8s.io.api.networking.v1.IngressLoadBalancerStatus")
-	proto.RegisterType((*IngressPortStatus)(nil), "k8s.io.api.networking.v1.IngressPortStatus")
-	proto.RegisterType((*IngressRule)(nil), "k8s.io.api.networking.v1.IngressRule")
-	proto.RegisterType((*IngressRuleValue)(nil), "k8s.io.api.networking.v1.IngressRuleValue")
-	proto.RegisterType((*IngressServiceBackend)(nil), "k8s.io.api.networking.v1.IngressServiceBackend")
-	proto.RegisterType((*IngressSpec)(nil), "k8s.io.api.networking.v1.IngressSpec")
-	proto.RegisterType((*IngressStatus)(nil), "k8s.io.api.networking.v1.IngressStatus")
-	proto.RegisterType((*IngressTLS)(nil), "k8s.io.api.networking.v1.IngressTLS")
-	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.networking.v1.NetworkPolicy")
-	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyEgressRule")
-	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyIngressRule")
-	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.networking.v1.NetworkPolicyList")
-	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.networking.v1.NetworkPolicyPeer")
-	proto.RegisterType((*NetworkPolicyPort)(nil), "k8s.io.api.networking.v1.NetworkPolicyPort")
-	proto.RegisterType((*NetworkPolicySpec)(nil), "k8s.io.api.networking.v1.NetworkPolicySpec")
-	proto.RegisterType((*ParentReference)(nil), "k8s.io.api.networking.v1.ParentReference")
-	proto.RegisterType((*ServiceBackendPort)(nil), "k8s.io.api.networking.v1.ServiceBackendPort")
-	proto.RegisterType((*ServiceCIDR)(nil), "k8s.io.api.networking.v1.ServiceCIDR")
-	proto.RegisterType((*ServiceCIDRList)(nil), "k8s.io.api.networking.v1.ServiceCIDRList")
-	proto.RegisterType((*ServiceCIDRSpec)(nil), "k8s.io.api.networking.v1.ServiceCIDRSpec")
-	proto.RegisterType((*ServiceCIDRStatus)(nil), "k8s.io.api.networking.v1.ServiceCIDRStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/networking/v1/generated.proto", fileDescriptor_2c41434372fec1d7)
-}
-
-var fileDescriptor_2c41434372fec1d7 = []byte{
-	// 1884 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0xcd, 0x8f, 0x1b, 0x49,
-	0x15, 0x9f, 0xf6, 0x8c, 0x67, 0xec, 0xe7, 0xf9, 0xc8, 0x14, 0x59, 0x61, 0x06, 0x61, 0x87, 0x5e,
-	0xb2, 0x3b, 0x4b, 0x76, 0x6d, 0x32, 0x1b, 0x21, 0xb8, 0x00, 0xdb, 0x93, 0x6c, 0xe2, 0xcd, 0xc4,
-	0xb1, 0xca, 0x56, 0x10, 0x88, 0x8f, 0xed, 0x69, 0xd7, 0x78, 0x7a, 0xa7, 0xdd, 0xd5, 0xaa, 0x2e,
-	0x87, 0x44, 0x42, 0x88, 0x0b, 0x07, 0x6e, 0xf0, 0x27, 0x20, 0xfe, 0x02, 0x04, 0xd2, 0xae, 0xb4,
-	0x82, 0x85, 0x0b, 0xca, 0x71, 0x25, 0x2e, 0x7b, 0xc1, 0x22, 0xe6, 0xbf, 0xc8, 0x09, 0xd5, 0x47,
-	0x7f, 0xd9, 0xee, 0xb1, 0x89, 0x22, 0x9f, 0xc6, 0xfd, 0xde, 0xab, 0xdf, 0x7b, 0xf5, 0xea, 0x7d,
-	0x55, 0x0d, 0x1c, 0x5e, 0x7c, 0x27, 0x6c, 0xb8, 0xb4, 0x69, 0x07, 0x6e, 0xd3, 0x27, 0xfc, 0x17,
-	0x94, 0x5d, 0xb8, 0xfe, 0xa0, 0xf9, 0xf8, 0x66, 0x73, 0x40, 0x7c, 0xc2, 0x6c, 0x4e, 0xfa, 0x8d,
-	0x80, 0x51, 0x4e, 0x51, 0x55, 0x49, 0x36, 0xec, 0xc0, 0x6d, 0x24, 0x92, 0x8d, 0xc7, 0x37, 0x0f,
-	0xde, 0x19, 0xb8, 0xfc, 0x7c, 0x74, 0xda, 0x70, 0xe8, 0xb0, 0x39, 0xa0, 0x03, 0xda, 0x94, 0x0b,
-	0x4e, 0x47, 0x67, 0xf2, 0x4b, 0x7e, 0xc8, 0x5f, 0x0a, 0xe8, 0xc0, 0x4c, 0xa9, 0x74, 0x28, 0x23,
-	0x73, 0x94, 0x1d, 0xdc, 0x4a, 0x64, 0x86, 0xb6, 0x73, 0xee, 0xfa, 0x84, 0x3d, 0x6d, 0x06, 0x17,
-	0x03, 0x41, 0x08, 0x9b, 0x43, 0xc2, 0xed, 0x79, 0xab, 0x9a, 0x79, 0xab, 0xd8, 0xc8, 0xe7, 0xee,
-	0x90, 0xcc, 0x2c, 0xf8, 0xf6, 0xa2, 0x05, 0xa1, 0x73, 0x4e, 0x86, 0xf6, 0xcc, 0xba, 0x77, 0xf3,
-	0xd6, 0x8d, 0xb8, 0xeb, 0x35, 0x5d, 0x9f, 0x87, 0x9c, 0x4d, 0x2f, 0x32, 0xff, 0x66, 0xc0, 0xde,
-	0xbd, 0x5e, 0xaf, 0xd3, 0xf2, 0x07, 0x8c, 0x84, 0x61, 0xc7, 0xe6, 0xe7, 0xe8, 0x1a, 0x6c, 0x04,
-	0x36, 0x3f, 0xaf, 0x1a, 0xd7, 0x8c, 0xc3, 0xb2, 0xb5, 0xfd, 0x6c, 0x5c, 0x5f, 0x9b, 0x8c, 0xeb,
-	0x1b, 0x82, 0x87, 0x25, 0x07, 0xdd, 0x82, 0x92, 0xf8, 0xdb, 0x7b, 0x1a, 0x90, 0xea, 0xba, 0x94,
-	0xaa, 0x4e, 0xc6, 0xf5, 0x52, 0x47, 0xd3, 0x5e, 0xa4, 0x7e, 0xe3, 0x58, 0x12, 0x75, 0x61, 0xeb,
-	0xd4, 0x76, 0x2e, 0x88, 0xdf, 0xaf, 0x16, 0xae, 0x19, 0x87, 0x95, 0xa3, 0xc3, 0x46, 0xde, 0xf1,
-	0x35, 0xb4, 0x3d, 0x96, 0x92, 0xb7, 0xf6, 0xb4, 0x11, 0x5b, 0x9a, 0x80, 0x23, 0x24, 0xf3, 0x0c,
-	0xae, 0xa6, 0xec, 0xc7, 0x23, 0x8f, 0x3c, 0xb2, 0xbd, 0x11, 0x41, 0x6d, 0x28, 0x0a, 0xc5, 0x61,
-	0xd5, 0xb8, 0xb6, 0x7e, 0x58, 0x39, 0x7a, 0x2b, 0x5f, 0xd5, 0xd4, 0xf6, 0xad, 0x1d, 0xad, 0xab,
-	0x28, 0xbe, 0x42, 0xac, 0x60, 0xcc, 0x4f, 0x0c, 0x28, 0xb7, 0x3a, 0xef, 0xf5, 0xfb, 0x42, 0x0e,
-	0x7d, 0x08, 0x25, 0x71, 0xde, 0x7d, 0x9b, 0xdb, 0xd2, 0x4d, 0x95, 0xa3, 0x6f, 0xa5, 0x14, 0xc4,
-	0xee, 0x6f, 0x04, 0x17, 0x03, 0x41, 0x08, 0x1b, 0x42, 0x5a, 0x28, 0x7b, 0x78, 0xfa, 0x11, 0x71,
-	0xf8, 0x03, 0xc2, 0x6d, 0x0b, 0x69, 0x3d, 0x90, 0xd0, 0x70, 0x8c, 0x8a, 0x5a, 0xb0, 0x11, 0x06,
-	0xc4, 0xd1, 0x9e, 0x7a, 0xf3, 0x12, 0x4f, 0x45, 0x46, 0x75, 0x03, 0xe2, 0x24, 0xa7, 0x25, 0xbe,
-	0xb0, 0x84, 0x30, 0x3f, 0x36, 0x60, 0x27, 0x96, 0x3a, 0x71, 0x43, 0x8e, 0x7e, 0x32, 0x63, 0x7e,
-	0x63, 0x39, 0xf3, 0xc5, 0x6a, 0x69, 0xfc, 0x15, 0xad, 0xa7, 0x14, 0x51, 0x52, 0xa6, 0xdf, 0x83,
-	0xa2, 0xcb, 0xc9, 0x30, 0xac, 0x16, 0xa4, 0xeb, 0x5f, 0x5f, 0xc2, 0xf6, 0xc4, 0xe9, 0x2d, 0xb1,
-	0x12, 0x2b, 0x00, 0x73, 0x90, 0x32, 0x5c, 0x6c, 0x08, 0x3d, 0x82, 0x72, 0x60, 0x33, 0xe2, 0x73,
-	0x4c, 0xce, 0xb4, 0xe5, 0x97, 0x9c, 0x6c, 0x27, 0x12, 0x25, 0x8c, 0xf8, 0x0e, 0xb1, 0x76, 0x26,
-	0xe3, 0x7a, 0x39, 0x26, 0xe2, 0x04, 0xca, 0x7c, 0x08, 0x5b, 0xad, 0x8e, 0xe5, 0x51, 0xe7, 0x42,
-	0x44, 0xbf, 0xe3, 0xf6, 0xd9, 0x74, 0xf4, 0x1f, 0xb7, 0x6e, 0x63, 0x2c, 0x39, 0xc8, 0x84, 0x4d,
-	0xf2, 0xc4, 0x21, 0x01, 0x97, 0x1b, 0x2c, 0x5b, 0x30, 0x19, 0xd7, 0x37, 0xef, 0x48, 0x0a, 0xd6,
-	0x1c, 0xf3, 0x37, 0x05, 0xd8, 0xd2, 0x41, 0xb5, 0x82, 0x60, 0xb9, 0x9b, 0x09, 0x96, 0xeb, 0x0b,
-	0xd3, 0x2a, 0x2f, 0x54, 0xd0, 0x43, 0xd8, 0x0c, 0xb9, 0xcd, 0x47, 0xa1, 0x4c, 0xeb, 0xcb, 0xe3,
-	0x4e, 0x43, 0x49, 0x71, 0x6b, 0x57, 0x83, 0x6d, 0xaa, 0x6f, 0xac, 0x61, 0xcc, 0x7f, 0x18, 0xb0,
-	0x9b, 0xcd, 0x65, 0xf4, 0x08, 0xb6, 0x42, 0xc2, 0x1e, 0xbb, 0x0e, 0xa9, 0x6e, 0x48, 0x25, 0xcd,
-	0xc5, 0x4a, 0x94, 0x7c, 0x54, 0x0d, 0x2a, 0xa2, 0x12, 0x68, 0x1a, 0x8e, 0xc0, 0xd0, 0x0f, 0xa1,
-	0xc4, 0x48, 0x48, 0x47, 0xcc, 0x21, 0xda, 0xfa, 0x77, 0xd2, 0xc0, 0xa2, 0xaa, 0x0b, 0x48, 0x51,
-	0x8a, 0xfa, 0x27, 0xd4, 0xb1, 0x3d, 0xe5, 0xca, 0x24, 0x3c, 0xb6, 0x45, 0x3c, 0x63, 0x0d, 0x81,
-	0x63, 0x30, 0x51, 0x23, 0xb7, 0xb5, 0x21, 0xc7, 0x9e, 0xbd, 0x92, 0x03, 0x3d, 0xc9, 0x1c, 0xe8,
-	0x37, 0x17, 0x3a, 0x48, 0xda, 0x95, 0x5b, 0x00, 0xfe, 0x6a, 0xc0, 0x95, 0xb4, 0xe0, 0x0a, 0x6a,
-	0xc0, 0xfd, 0x6c, 0x0d, 0x78, 0x63, 0xb9, 0x1d, 0xe4, 0x94, 0x81, 0x7f, 0x1b, 0x50, 0x4f, 0x8b,
-	0x75, 0x6c, 0x66, 0x0f, 0x09, 0x27, 0x2c, 0x8c, 0x0f, 0x0f, 0x1d, 0x42, 0xc9, 0xee, 0xb4, 0xee,
-	0x32, 0x3a, 0x0a, 0xa2, 0xd4, 0x15, 0xa6, 0xbd, 0xa7, 0x69, 0x38, 0xe6, 0x8a, 0x04, 0xbf, 0x70,
-	0x75, 0x0f, 0x4a, 0x25, 0xf8, 0x7d, 0xd7, 0xef, 0x63, 0xc9, 0x11, 0x12, 0xbe, 0x3d, 0x8c, 0x5a,
-	0x5b, 0x2c, 0xd1, 0xb6, 0x87, 0x04, 0x4b, 0x0e, 0xaa, 0x43, 0x31, 0x74, 0x68, 0xa0, 0x22, 0xb8,
-	0x6c, 0x95, 0x85, 0xc9, 0x5d, 0x41, 0xc0, 0x8a, 0x8e, 0x6e, 0x40, 0x59, 0x08, 0x86, 0x81, 0xed,
-	0x90, 0x6a, 0x51, 0x0a, 0xc9, 0xea, 0xd3, 0x8e, 0x88, 0x38, 0xe1, 0x9b, 0x7f, 0x9a, 0x3a, 0x1f,
-	0x59, 0xea, 0x8e, 0x00, 0x1c, 0xea, 0x73, 0x46, 0x3d, 0x8f, 0x44, 0xd5, 0x28, 0x0e, 0x9a, 0xe3,
-	0x98, 0x83, 0x53, 0x52, 0xc8, 0x05, 0x08, 0x62, 0xdf, 0xe8, 0xe0, 0xf9, 0xee, 0x72, 0xae, 0x9f,
-	0xe3, 0x53, 0x6b, 0x57, 0xa8, 0x4a, 0x31, 0x52, 0xe0, 0xe6, 0x9f, 0x0d, 0xa8, 0xe8, 0xf5, 0x2b,
-	0x08, 0xa7, 0xf7, 0xb3, 0xe1, 0xf4, 0xf5, 0xc5, 0x83, 0xc3, 0xfc, 0x48, 0xfa, 0xc4, 0x80, 0x83,
-	0xc8, 0x6a, 0x6a, 0xf7, 0x2d, 0xdb, 0xb3, 0x7d, 0x87, 0xb0, 0xa8, 0x52, 0x1f, 0x40, 0xc1, 0x8d,
-	0xc2, 0x07, 0x34, 0x40, 0xa1, 0xd5, 0xc1, 0x05, 0x37, 0x40, 0x6f, 0x43, 0xe9, 0x9c, 0x86, 0x5c,
-	0x06, 0x86, 0x0a, 0x9d, 0xd8, 0xe0, 0x7b, 0x9a, 0x8e, 0x63, 0x09, 0xd4, 0x81, 0x62, 0x40, 0x19,
-	0x0f, 0xab, 0x1b, 0xd2, 0xe0, 0x1b, 0x0b, 0x0d, 0xee, 0x50, 0xc6, 0x75, 0x2d, 0x4d, 0x06, 0x10,
-	0x81, 0x80, 0x15, 0x90, 0xf9, 0x4b, 0xf8, 0xca, 0x1c, 0xcb, 0xd5, 0x12, 0xf4, 0x73, 0xd8, 0x72,
-	0x15, 0x53, 0xcf, 0x3b, 0xb7, 0x16, 0x2a, 0x9c, 0xb3, 0xff, 0x64, 0xcc, 0x8a, 0xc6, 0xa9, 0x08,
-	0xd5, 0xfc, 0xa3, 0x01, 0xfb, 0x33, 0x96, 0xca, 0x49, 0x91, 0x32, 0x2e, 0x3d, 0x56, 0x4c, 0x4d,
-	0x8a, 0x94, 0x71, 0x2c, 0x39, 0xe8, 0x3e, 0x94, 0xe4, 0xa0, 0xe9, 0x50, 0x4f, 0x7b, 0xad, 0x19,
-	0x79, 0xad, 0xa3, 0xe9, 0x2f, 0xc6, 0xf5, 0xaf, 0xce, 0x4e, 0xdf, 0x8d, 0x88, 0x8d, 0x63, 0x00,
-	0x91, 0x75, 0x84, 0x31, 0xca, 0x74, 0x62, 0xca, 0xac, 0xbb, 0x23, 0x08, 0x58, 0xd1, 0xcd, 0x3f,
-	0x24, 0x41, 0x29, 0x26, 0x41, 0x61, 0x9f, 0x38, 0x91, 0xe9, 0x5e, 0x2e, 0xce, 0x0b, 0x4b, 0x0e,
-	0x0a, 0xe0, 0x8a, 0x3b, 0x35, 0x3a, 0x2e, 0x5d, 0x74, 0xe3, 0x15, 0x56, 0x55, 0x23, 0x5f, 0x99,
-	0xe6, 0xe0, 0x19, 0x74, 0xf3, 0x43, 0x98, 0x91, 0x12, 0xe5, 0xfe, 0x9c, 0xf3, 0x60, 0x4e, 0xe2,
-	0xe4, 0xcf, 0xaa, 0x89, 0xf6, 0x92, 0xdc, 0x53, 0xaf, 0xd7, 0xc1, 0x12, 0xc5, 0xfc, 0xad, 0x01,
-	0xaf, 0xcd, 0x6d, 0x9c, 0x71, 0x61, 0x33, 0x72, 0x0b, 0x5b, 0x5b, 0x9f, 0xa8, 0xf2, 0xc1, 0xdb,
-	0xf9, 0x96, 0x64, 0x91, 0xc5, 0x89, 0xcf, 0x3b, 0x7f, 0xf3, 0x9f, 0x85, 0xf8, 0x44, 0x64, 0x55,
-	0xfb, 0x41, 0xec, 0x6f, 0x59, 0x75, 0x84, 0x66, 0x5d, 0x43, 0xaf, 0xa6, 0xfc, 0x17, 0xf3, 0xf0,
-	0x8c, 0x34, 0xea, 0xc3, 0x6e, 0x9f, 0x9c, 0xd9, 0x23, 0x8f, 0x6b, 0xdd, 0xda, 0x6b, 0xcb, 0x5f,
-	0x26, 0xd0, 0x64, 0x5c, 0xdf, 0xbd, 0x9d, 0xc1, 0xc0, 0x53, 0x98, 0xe8, 0x18, 0xd6, 0xb9, 0x17,
-	0x95, 0x9b, 0x6f, 0x2c, 0x84, 0xee, 0x9d, 0x74, 0xad, 0x8a, 0xde, 0xfe, 0x7a, 0xef, 0xa4, 0x8b,
-	0xc5, 0x6a, 0xf4, 0x01, 0x14, 0xd9, 0xc8, 0x23, 0x62, 0x98, 0x5a, 0x5f, 0x6a, 0x2e, 0x13, 0x67,
-	0x9a, 0xa4, 0xbf, 0xf8, 0x0a, 0xb1, 0x82, 0x30, 0x7f, 0x05, 0x3b, 0x99, 0x89, 0x0b, 0x0d, 0x61,
-	0xdb, 0x4b, 0xa5, 0xb0, 0xf6, 0xc2, 0xbb, 0xff, 0x57, 0xde, 0xeb, 0x82, 0x73, 0x55, 0x6b, 0xdc,
-	0x4e, 0xf3, 0x70, 0x06, 0xde, 0xb4, 0x01, 0x92, 0xbd, 0x8a, 0x4c, 0x14, 0xe9, 0xa3, 0xaa, 0x8d,
-	0xce, 0x44, 0x91, 0x55, 0x21, 0x56, 0x74, 0xd1, 0xbd, 0x42, 0xe2, 0x30, 0xc2, 0xdb, 0x49, 0xbd,
-	0x8c, 0xbb, 0x57, 0x37, 0xe6, 0xe0, 0x94, 0x94, 0xf9, 0x77, 0x03, 0x76, 0xda, 0xca, 0xe4, 0x0e,
-	0xf5, 0x5c, 0xe7, 0xe9, 0x0a, 0x06, 0xad, 0x07, 0x99, 0x41, 0xeb, 0x92, 0x32, 0x9d, 0x31, 0x2c,
-	0x77, 0xd2, 0xfa, 0x8b, 0x01, 0x5f, 0xce, 0x48, 0xde, 0x49, 0x8a, 0x51, 0xdc, 0x12, 0x8c, 0x45,
-	0x2d, 0x21, 0x83, 0x20, 0x53, 0x6b, 0x6e, 0x4b, 0x40, 0x77, 0xa1, 0xc0, 0xa9, 0x8e, 0xd1, 0xa5,
-	0xe1, 0x08, 0x61, 0x49, 0x6f, 0xeb, 0x51, 0x5c, 0xe0, 0xd4, 0xfc, 0xd4, 0x80, 0x6a, 0x46, 0x2a,
-	0x5d, 0x44, 0x5f, 0xbd, 0xdd, 0x0f, 0x60, 0xe3, 0x8c, 0xd1, 0xe1, 0xcb, 0x58, 0x1e, 0x3b, 0xfd,
-	0x7d, 0x46, 0x87, 0x58, 0xc2, 0x98, 0x9f, 0x19, 0xb0, 0x9f, 0x91, 0x5c, 0xc1, 0x40, 0x72, 0x92,
-	0x1d, 0x48, 0xde, 0x5c, 0x72, 0x0f, 0x39, 0x63, 0xc9, 0x67, 0x85, 0xa9, 0x1d, 0x88, 0xbd, 0xa2,
-	0x33, 0xa8, 0x04, 0xb4, 0xdf, 0x25, 0x1e, 0x71, 0x38, 0x9d, 0x97, 0xe0, 0x97, 0x6d, 0xc2, 0x3e,
-	0x25, 0x5e, 0xb4, 0xd4, 0xda, 0x9b, 0x8c, 0xeb, 0x95, 0x4e, 0x82, 0x85, 0xd3, 0xc0, 0xe8, 0x09,
-	0xec, 0xc7, 0xb3, 0x68, 0xac, 0xad, 0xf0, 0xf2, 0xda, 0x5e, 0x9b, 0x8c, 0xeb, 0xfb, 0xed, 0x69,
-	0x44, 0x3c, 0xab, 0x04, 0xdd, 0x83, 0x2d, 0x37, 0x90, 0xd7, 0x6e, 0x7d, 0x63, 0xbb, 0x6c, 0xb0,
-	0x53, 0xf7, 0x73, 0x75, 0xf9, 0xd3, 0x1f, 0x38, 0x5a, 0x6e, 0xfe, 0x6b, 0x3a, 0x06, 0x44, 0xc0,
-	0xa1, 0xbb, 0xa9, 0xe9, 0x43, 0xf5, 0xbc, 0x1b, 0x2f, 0x37, 0x79, 0x64, 0xdb, 0x62, 0x7e, 0x11,
-	0x1a, 0x71, 0xd7, 0x6b, 0xa8, 0xa7, 0xb6, 0x46, 0xcb, 0xe7, 0x0f, 0x59, 0x97, 0x33, 0xd7, 0x1f,
-	0xa8, 0x16, 0x9d, 0x1a, 0x8b, 0xae, 0xc3, 0x96, 0xee, 0x9a, 0x72, 0xe3, 0x45, 0xb5, 0xab, 0x3b,
-	0x8a, 0x84, 0x23, 0x9e, 0xf9, 0x62, 0x3a, 0x2e, 0x64, 0x0f, 0xfd, 0xe8, 0x95, 0xc5, 0xc5, 0x97,
-	0x74, 0x34, 0xe6, 0xc7, 0xc6, 0x4f, 0x93, 0xc1, 0x52, 0x45, 0xfa, 0xd1, 0x92, 0x91, 0x9e, 0xee,
-	0x68, 0xb9, 0x63, 0x25, 0xfa, 0x11, 0x6c, 0x12, 0x85, 0xae, 0x5a, 0xe4, 0xcd, 0x25, 0xd1, 0x93,
-	0xb2, 0x9a, 0xbc, 0x3c, 0x68, 0x9a, 0x06, 0x44, 0xdf, 0x17, 0x5e, 0x12, 0xb2, 0xe2, 0xc2, 0xaf,
-	0xe6, 0xf0, 0xb2, 0xf5, 0x35, 0xb5, 0xd9, 0x98, 0xfc, 0x42, 0x5c, 0x70, 0xe2, 0x4f, 0x9c, 0x5e,
-	0x61, 0x7e, 0x6c, 0xc0, 0xde, 0xd4, 0x0b, 0x12, 0x7a, 0x1d, 0x8a, 0x83, 0xd4, 0x15, 0x33, 0xce,
-	0x66, 0x75, 0xc7, 0x54, 0x3c, 0x71, 0x53, 0x88, 0x1f, 0x22, 0xa6, 0x6e, 0x0a, 0xb3, 0xaf, 0x0b,
-	0xa8, 0x99, 0xbe, 0x29, 0xaa, 0xc1, 0x76, 0x5f, 0x8b, 0xcf, 0xbd, 0x2d, 0xc6, 0x43, 0xdc, 0x46,
-	0xde, 0x10, 0x67, 0xfe, 0x0c, 0xd0, 0xec, 0x78, 0xb6, 0xc4, 0xf0, 0xf7, 0x06, 0x6c, 0xfa, 0xa3,
-	0xe1, 0x29, 0x51, 0xd9, 0x5f, 0x4c, 0x5c, 0xdb, 0x96, 0x54, 0xac, 0xb9, 0xe6, 0xef, 0x0b, 0x50,
-	0xd1, 0x0a, 0x8e, 0x5b, 0xb7, 0xf1, 0x0a, 0xda, 0xf4, 0xfd, 0x4c, 0x9b, 0x7e, 0x6b, 0xe1, 0x58,
-	0x2a, 0xcc, 0xca, 0x7d, 0xe4, 0xea, 0x4e, 0x3d, 0x72, 0xdd, 0x58, 0x0e, 0xee, 0xf2, 0x87, 0xae,
-	0x4f, 0x0d, 0xd8, 0x4b, 0x49, 0xaf, 0xa0, 0x05, 0x7d, 0x90, 0x6d, 0x41, 0xd7, 0x97, 0xda, 0x45,
-	0x4e, 0x03, 0x3a, 0xca, 0x18, 0x2f, 0xab, 0x4c, 0x1d, 0x8a, 0x8e, 0xdb, 0x67, 0x99, 0x11, 0x4f,
-	0x30, 0x43, 0xac, 0xe8, 0xe6, 0x13, 0xd8, 0x9f, 0x71, 0x0f, 0x72, 0xe4, 0xab, 0x45, 0xdf, 0xe5,
-	0x2e, 0xf5, 0xa3, 0x89, 0xa1, 0xb9, 0xdc, 0xa6, 0x8f, 0xa3, 0x75, 0x99, 0x67, 0x0e, 0x0d, 0x85,
-	0x53, 0xb0, 0xd6, 0xf7, 0x9e, 0x3d, 0xaf, 0xad, 0x7d, 0xfe, 0xbc, 0xb6, 0xf6, 0xc5, 0xf3, 0xda,
-	0xda, 0xaf, 0x27, 0x35, 0xe3, 0xd9, 0xa4, 0x66, 0x7c, 0x3e, 0xa9, 0x19, 0x5f, 0x4c, 0x6a, 0xc6,
-	0x7f, 0x26, 0x35, 0xe3, 0x77, 0xff, 0xad, 0xad, 0xfd, 0xb8, 0x9a, 0xf7, 0x5f, 0xa4, 0xff, 0x05,
-	0x00, 0x00, 0xff, 0xff, 0xb5, 0x6b, 0x8c, 0x52, 0x60, 0x1a, 0x00, 0x00,
-}
+func (m *ServiceCIDRStatus) Reset() { *m = ServiceCIDRStatus{} }
 
 func (m *HTTPIngressPath) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/networking/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/networking/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..54918d47e709b
--- /dev/null
+++ b/staging/src/k8s.io/api/networking/v1/generated.protomessage.pb.go
@@ -0,0 +1,92 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*HTTPIngressPath) ProtoMessage() {}
+
+func (*HTTPIngressRuleValue) ProtoMessage() {}
+
+func (*IPAddress) ProtoMessage() {}
+
+func (*IPAddressList) ProtoMessage() {}
+
+func (*IPAddressSpec) ProtoMessage() {}
+
+func (*IPBlock) ProtoMessage() {}
+
+func (*Ingress) ProtoMessage() {}
+
+func (*IngressBackend) ProtoMessage() {}
+
+func (*IngressClass) ProtoMessage() {}
+
+func (*IngressClassList) ProtoMessage() {}
+
+func (*IngressClassParametersReference) ProtoMessage() {}
+
+func (*IngressClassSpec) ProtoMessage() {}
+
+func (*IngressList) ProtoMessage() {}
+
+func (*IngressLoadBalancerIngress) ProtoMessage() {}
+
+func (*IngressLoadBalancerStatus) ProtoMessage() {}
+
+func (*IngressPortStatus) ProtoMessage() {}
+
+func (*IngressRule) ProtoMessage() {}
+
+func (*IngressRuleValue) ProtoMessage() {}
+
+func (*IngressServiceBackend) ProtoMessage() {}
+
+func (*IngressSpec) ProtoMessage() {}
+
+func (*IngressStatus) ProtoMessage() {}
+
+func (*IngressTLS) ProtoMessage() {}
+
+func (*NetworkPolicy) ProtoMessage() {}
+
+func (*NetworkPolicyEgressRule) ProtoMessage() {}
+
+func (*NetworkPolicyIngressRule) ProtoMessage() {}
+
+func (*NetworkPolicyList) ProtoMessage() {}
+
+func (*NetworkPolicyPeer) ProtoMessage() {}
+
+func (*NetworkPolicyPort) ProtoMessage() {}
+
+func (*NetworkPolicySpec) ProtoMessage() {}
+
+func (*ParentReference) ProtoMessage() {}
+
+func (*ServiceBackendPort) ProtoMessage() {}
+
+func (*ServiceCIDR) ProtoMessage() {}
+
+func (*ServiceCIDRList) ProtoMessage() {}
+
+func (*ServiceCIDRSpec) ProtoMessage() {}
+
+func (*ServiceCIDRStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/networking/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/networking/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..c57789594a90b
--- /dev/null
+++ b/staging/src/k8s.io/api/networking/v1/zz_generated.model_name.go
@@ -0,0 +1,197 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressPath) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.HTTPIngressPath"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.HTTPIngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IPAddress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddressList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IPAddressList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddressSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IPAddressSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPBlock) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IPBlock"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Ingress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.Ingress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressBackend) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressBackend"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClass) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassParametersReference) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressClassParametersReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerIngress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressLoadBalancerIngress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressLoadBalancerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressPortStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressPortStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRule) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressServiceBackend) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressServiceBackend"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressTLS) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.IngressTLS"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyEgressRule) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicyEgressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyIngressRule) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicyIngressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyPeer) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicyPeer"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicyPort) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicyPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkPolicySpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.NetworkPolicySpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParentReference) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ParentReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceBackendPort) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ServiceBackendPort"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDR) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ServiceCIDR"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ServiceCIDRList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ServiceCIDRSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1.ServiceCIDRStatus"
+}
diff --git a/staging/src/k8s.io/api/networking/v1beta1/doc.go b/staging/src/k8s.io/api/networking/v1beta1/doc.go
index c5a03e04e8ae1..6ec15316621b9 100644
--- a/staging/src/k8s.io/api/networking/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/networking/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.networking.v1beta1
+
 // +groupName=networking.k8s.io
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/networking/v1beta1/generated.pb.go b/staging/src/k8s.io/api/networking/v1beta1/generated.pb.go
index a924725f28447..fb3b9f6a1d3fc 100644
--- a/staging/src/k8s.io/api/networking/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/networking/v1beta1/generated.pb.go
@@ -24,855 +24,64 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *HTTPIngressPath) Reset() { *m = HTTPIngressPath{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *HTTPIngressRuleValue) Reset() { *m = HTTPIngressRuleValue{} }
 
-func (m *HTTPIngressPath) Reset()      { *m = HTTPIngressPath{} }
-func (*HTTPIngressPath) ProtoMessage() {}
-func (*HTTPIngressPath) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{0}
-}
-func (m *HTTPIngressPath) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressPath) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressPath) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressPath.Merge(m, src)
-}
-func (m *HTTPIngressPath) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressPath) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressPath.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressPath proto.InternalMessageInfo
-
-func (m *HTTPIngressRuleValue) Reset()      { *m = HTTPIngressRuleValue{} }
-func (*HTTPIngressRuleValue) ProtoMessage() {}
-func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{1}
-}
-func (m *HTTPIngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HTTPIngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HTTPIngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HTTPIngressRuleValue.Merge(m, src)
-}
-func (m *HTTPIngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *HTTPIngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_HTTPIngressRuleValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HTTPIngressRuleValue proto.InternalMessageInfo
-
-func (m *IPAddress) Reset()      { *m = IPAddress{} }
-func (*IPAddress) ProtoMessage() {}
-func (*IPAddress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{2}
-}
-func (m *IPAddress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddress.Merge(m, src)
-}
-func (m *IPAddress) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddress) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddress proto.InternalMessageInfo
-
-func (m *IPAddressList) Reset()      { *m = IPAddressList{} }
-func (*IPAddressList) ProtoMessage() {}
-func (*IPAddressList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{3}
-}
-func (m *IPAddressList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddressList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddressList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddressList.Merge(m, src)
-}
-func (m *IPAddressList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddressList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddressList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddressList proto.InternalMessageInfo
-
-func (m *IPAddressSpec) Reset()      { *m = IPAddressSpec{} }
-func (*IPAddressSpec) ProtoMessage() {}
-func (*IPAddressSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{4}
-}
-func (m *IPAddressSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IPAddressSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IPAddressSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IPAddressSpec.Merge(m, src)
-}
-func (m *IPAddressSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IPAddressSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IPAddressSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IPAddressSpec proto.InternalMessageInfo
-
-func (m *Ingress) Reset()      { *m = Ingress{} }
-func (*Ingress) ProtoMessage() {}
-func (*Ingress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{5}
-}
-func (m *Ingress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Ingress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Ingress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Ingress.Merge(m, src)
-}
-func (m *Ingress) XXX_Size() int {
-	return m.Size()
-}
-func (m *Ingress) XXX_DiscardUnknown() {
-	xxx_messageInfo_Ingress.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Ingress proto.InternalMessageInfo
-
-func (m *IngressBackend) Reset()      { *m = IngressBackend{} }
-func (*IngressBackend) ProtoMessage() {}
-func (*IngressBackend) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{6}
-}
-func (m *IngressBackend) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressBackend) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressBackend) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressBackend.Merge(m, src)
-}
-func (m *IngressBackend) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressBackend) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressBackend.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressBackend proto.InternalMessageInfo
-
-func (m *IngressClass) Reset()      { *m = IngressClass{} }
-func (*IngressClass) ProtoMessage() {}
-func (*IngressClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{7}
-}
-func (m *IngressClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClass.Merge(m, src)
-}
-func (m *IngressClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClass proto.InternalMessageInfo
-
-func (m *IngressClassList) Reset()      { *m = IngressClassList{} }
-func (*IngressClassList) ProtoMessage() {}
-func (*IngressClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{8}
-}
-func (m *IngressClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassList.Merge(m, src)
-}
-func (m *IngressClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassList proto.InternalMessageInfo
-
-func (m *IngressClassParametersReference) Reset()      { *m = IngressClassParametersReference{} }
-func (*IngressClassParametersReference) ProtoMessage() {}
-func (*IngressClassParametersReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{9}
-}
-func (m *IngressClassParametersReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassParametersReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassParametersReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassParametersReference.Merge(m, src)
-}
-func (m *IngressClassParametersReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassParametersReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassParametersReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassParametersReference proto.InternalMessageInfo
-
-func (m *IngressClassSpec) Reset()      { *m = IngressClassSpec{} }
-func (*IngressClassSpec) ProtoMessage() {}
-func (*IngressClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{10}
-}
-func (m *IngressClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressClassSpec.Merge(m, src)
-}
-func (m *IngressClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressClassSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressClassSpec proto.InternalMessageInfo
-
-func (m *IngressList) Reset()      { *m = IngressList{} }
-func (*IngressList) ProtoMessage() {}
-func (*IngressList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{11}
-}
-func (m *IngressList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressList.Merge(m, src)
-}
-func (m *IngressList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressList.DiscardUnknown(m)
-}
+func (m *IPAddress) Reset() { *m = IPAddress{} }
 
-var xxx_messageInfo_IngressList proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerIngress) Reset()      { *m = IngressLoadBalancerIngress{} }
-func (*IngressLoadBalancerIngress) ProtoMessage() {}
-func (*IngressLoadBalancerIngress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{12}
-}
-func (m *IngressLoadBalancerIngress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerIngress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerIngress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerIngress.Merge(m, src)
-}
-func (m *IngressLoadBalancerIngress) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerIngress) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerIngress.DiscardUnknown(m)
-}
+func (m *IPAddressList) Reset() { *m = IPAddressList{} }
 
-var xxx_messageInfo_IngressLoadBalancerIngress proto.InternalMessageInfo
-
-func (m *IngressLoadBalancerStatus) Reset()      { *m = IngressLoadBalancerStatus{} }
-func (*IngressLoadBalancerStatus) ProtoMessage() {}
-func (*IngressLoadBalancerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{13}
-}
-func (m *IngressLoadBalancerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressLoadBalancerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressLoadBalancerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressLoadBalancerStatus.Merge(m, src)
-}
-func (m *IngressLoadBalancerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressLoadBalancerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressLoadBalancerStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IngressLoadBalancerStatus proto.InternalMessageInfo
-
-func (m *IngressPortStatus) Reset()      { *m = IngressPortStatus{} }
-func (*IngressPortStatus) ProtoMessage() {}
-func (*IngressPortStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{14}
-}
-func (m *IngressPortStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressPortStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressPortStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressPortStatus.Merge(m, src)
-}
-func (m *IngressPortStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressPortStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressPortStatus.DiscardUnknown(m)
-}
+func (m *IPAddressSpec) Reset() { *m = IPAddressSpec{} }
 
-var xxx_messageInfo_IngressPortStatus proto.InternalMessageInfo
+func (m *Ingress) Reset() { *m = Ingress{} }
 
-func (m *IngressRule) Reset()      { *m = IngressRule{} }
-func (*IngressRule) ProtoMessage() {}
-func (*IngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{15}
-}
-func (m *IngressRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRule.Merge(m, src)
-}
-func (m *IngressRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRule.DiscardUnknown(m)
-}
+func (m *IngressBackend) Reset() { *m = IngressBackend{} }
 
-var xxx_messageInfo_IngressRule proto.InternalMessageInfo
+func (m *IngressClass) Reset() { *m = IngressClass{} }
 
-func (m *IngressRuleValue) Reset()      { *m = IngressRuleValue{} }
-func (*IngressRuleValue) ProtoMessage() {}
-func (*IngressRuleValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{16}
-}
-func (m *IngressRuleValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressRuleValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressRuleValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressRuleValue.Merge(m, src)
-}
-func (m *IngressRuleValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressRuleValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressRuleValue.DiscardUnknown(m)
-}
+func (m *IngressClassList) Reset() { *m = IngressClassList{} }
 
-var xxx_messageInfo_IngressRuleValue proto.InternalMessageInfo
+func (m *IngressClassParametersReference) Reset() { *m = IngressClassParametersReference{} }
 
-func (m *IngressSpec) Reset()      { *m = IngressSpec{} }
-func (*IngressSpec) ProtoMessage() {}
-func (*IngressSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{17}
-}
-func (m *IngressSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressSpec.Merge(m, src)
-}
-func (m *IngressSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressSpec.DiscardUnknown(m)
-}
+func (m *IngressClassSpec) Reset() { *m = IngressClassSpec{} }
 
-var xxx_messageInfo_IngressSpec proto.InternalMessageInfo
+func (m *IngressList) Reset() { *m = IngressList{} }
 
-func (m *IngressStatus) Reset()      { *m = IngressStatus{} }
-func (*IngressStatus) ProtoMessage() {}
-func (*IngressStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{18}
-}
-func (m *IngressStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressStatus.Merge(m, src)
-}
-func (m *IngressStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressStatus.DiscardUnknown(m)
-}
+func (m *IngressLoadBalancerIngress) Reset() { *m = IngressLoadBalancerIngress{} }
 
-var xxx_messageInfo_IngressStatus proto.InternalMessageInfo
+func (m *IngressLoadBalancerStatus) Reset() { *m = IngressLoadBalancerStatus{} }
 
-func (m *IngressTLS) Reset()      { *m = IngressTLS{} }
-func (*IngressTLS) ProtoMessage() {}
-func (*IngressTLS) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{19}
-}
-func (m *IngressTLS) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IngressTLS) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IngressTLS) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IngressTLS.Merge(m, src)
-}
-func (m *IngressTLS) XXX_Size() int {
-	return m.Size()
-}
-func (m *IngressTLS) XXX_DiscardUnknown() {
-	xxx_messageInfo_IngressTLS.DiscardUnknown(m)
-}
+func (m *IngressPortStatus) Reset() { *m = IngressPortStatus{} }
 
-var xxx_messageInfo_IngressTLS proto.InternalMessageInfo
+func (m *IngressRule) Reset() { *m = IngressRule{} }
 
-func (m *ParentReference) Reset()      { *m = ParentReference{} }
-func (*ParentReference) ProtoMessage() {}
-func (*ParentReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{20}
-}
-func (m *ParentReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ParentReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ParentReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ParentReference.Merge(m, src)
-}
-func (m *ParentReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ParentReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ParentReference.DiscardUnknown(m)
-}
+func (m *IngressRuleValue) Reset() { *m = IngressRuleValue{} }
 
-var xxx_messageInfo_ParentReference proto.InternalMessageInfo
+func (m *IngressSpec) Reset() { *m = IngressSpec{} }
 
-func (m *ServiceCIDR) Reset()      { *m = ServiceCIDR{} }
-func (*ServiceCIDR) ProtoMessage() {}
-func (*ServiceCIDR) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{21}
-}
-func (m *ServiceCIDR) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDR) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDR) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDR.Merge(m, src)
-}
-func (m *ServiceCIDR) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDR) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDR.DiscardUnknown(m)
-}
+func (m *IngressStatus) Reset() { *m = IngressStatus{} }
 
-var xxx_messageInfo_ServiceCIDR proto.InternalMessageInfo
+func (m *IngressTLS) Reset() { *m = IngressTLS{} }
 
-func (m *ServiceCIDRList) Reset()      { *m = ServiceCIDRList{} }
-func (*ServiceCIDRList) ProtoMessage() {}
-func (*ServiceCIDRList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{22}
-}
-func (m *ServiceCIDRList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRList.Merge(m, src)
-}
-func (m *ServiceCIDRList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRList.DiscardUnknown(m)
-}
+func (m *ParentReference) Reset() { *m = ParentReference{} }
 
-var xxx_messageInfo_ServiceCIDRList proto.InternalMessageInfo
+func (m *ServiceCIDR) Reset() { *m = ServiceCIDR{} }
 
-func (m *ServiceCIDRSpec) Reset()      { *m = ServiceCIDRSpec{} }
-func (*ServiceCIDRSpec) ProtoMessage() {}
-func (*ServiceCIDRSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{23}
-}
-func (m *ServiceCIDRSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRSpec.Merge(m, src)
-}
-func (m *ServiceCIDRSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRSpec.DiscardUnknown(m)
-}
+func (m *ServiceCIDRList) Reset() { *m = ServiceCIDRList{} }
 
-var xxx_messageInfo_ServiceCIDRSpec proto.InternalMessageInfo
+func (m *ServiceCIDRSpec) Reset() { *m = ServiceCIDRSpec{} }
 
-func (m *ServiceCIDRStatus) Reset()      { *m = ServiceCIDRStatus{} }
-func (*ServiceCIDRStatus) ProtoMessage() {}
-func (*ServiceCIDRStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9497719c79c89d2d, []int{24}
-}
-func (m *ServiceCIDRStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceCIDRStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceCIDRStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceCIDRStatus.Merge(m, src)
-}
-func (m *ServiceCIDRStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceCIDRStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceCIDRStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceCIDRStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*HTTPIngressPath)(nil), "k8s.io.api.networking.v1beta1.HTTPIngressPath")
-	proto.RegisterType((*HTTPIngressRuleValue)(nil), "k8s.io.api.networking.v1beta1.HTTPIngressRuleValue")
-	proto.RegisterType((*IPAddress)(nil), "k8s.io.api.networking.v1beta1.IPAddress")
-	proto.RegisterType((*IPAddressList)(nil), "k8s.io.api.networking.v1beta1.IPAddressList")
-	proto.RegisterType((*IPAddressSpec)(nil), "k8s.io.api.networking.v1beta1.IPAddressSpec")
-	proto.RegisterType((*Ingress)(nil), "k8s.io.api.networking.v1beta1.Ingress")
-	proto.RegisterType((*IngressBackend)(nil), "k8s.io.api.networking.v1beta1.IngressBackend")
-	proto.RegisterType((*IngressClass)(nil), "k8s.io.api.networking.v1beta1.IngressClass")
-	proto.RegisterType((*IngressClassList)(nil), "k8s.io.api.networking.v1beta1.IngressClassList")
-	proto.RegisterType((*IngressClassParametersReference)(nil), "k8s.io.api.networking.v1beta1.IngressClassParametersReference")
-	proto.RegisterType((*IngressClassSpec)(nil), "k8s.io.api.networking.v1beta1.IngressClassSpec")
-	proto.RegisterType((*IngressList)(nil), "k8s.io.api.networking.v1beta1.IngressList")
-	proto.RegisterType((*IngressLoadBalancerIngress)(nil), "k8s.io.api.networking.v1beta1.IngressLoadBalancerIngress")
-	proto.RegisterType((*IngressLoadBalancerStatus)(nil), "k8s.io.api.networking.v1beta1.IngressLoadBalancerStatus")
-	proto.RegisterType((*IngressPortStatus)(nil), "k8s.io.api.networking.v1beta1.IngressPortStatus")
-	proto.RegisterType((*IngressRule)(nil), "k8s.io.api.networking.v1beta1.IngressRule")
-	proto.RegisterType((*IngressRuleValue)(nil), "k8s.io.api.networking.v1beta1.IngressRuleValue")
-	proto.RegisterType((*IngressSpec)(nil), "k8s.io.api.networking.v1beta1.IngressSpec")
-	proto.RegisterType((*IngressStatus)(nil), "k8s.io.api.networking.v1beta1.IngressStatus")
-	proto.RegisterType((*IngressTLS)(nil), "k8s.io.api.networking.v1beta1.IngressTLS")
-	proto.RegisterType((*ParentReference)(nil), "k8s.io.api.networking.v1beta1.ParentReference")
-	proto.RegisterType((*ServiceCIDR)(nil), "k8s.io.api.networking.v1beta1.ServiceCIDR")
-	proto.RegisterType((*ServiceCIDRList)(nil), "k8s.io.api.networking.v1beta1.ServiceCIDRList")
-	proto.RegisterType((*ServiceCIDRSpec)(nil), "k8s.io.api.networking.v1beta1.ServiceCIDRSpec")
-	proto.RegisterType((*ServiceCIDRStatus)(nil), "k8s.io.api.networking.v1beta1.ServiceCIDRStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/networking/v1beta1/generated.proto", fileDescriptor_9497719c79c89d2d)
-}
-
-var fileDescriptor_9497719c79c89d2d = []byte{
-	// 1457 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0xcb, 0x6f, 0x1b, 0xc5,
-	0x1f, 0xcf, 0x3a, 0x71, 0xe3, 0x8c, 0xd3, 0x26, 0x9d, 0x5f, 0x0f, 0xfe, 0x05, 0xd5, 0x8e, 0x16,
-	0x09, 0x85, 0x3e, 0x76, 0xdb, 0xb4, 0xa0, 0x72, 0x41, 0xd4, 0x01, 0x51, 0xab, 0x69, 0xb2, 0x8c,
-	0x0d, 0x54, 0xc0, 0x81, 0xc9, 0x7a, 0x6a, 0x2f, 0x5e, 0xef, 0xae, 0x66, 0xc7, 0x81, 0xde, 0x40,
-	0x9c, 0x38, 0xc1, 0x9d, 0x23, 0x12, 0x7f, 0x02, 0x70, 0xa0, 0x52, 0x05, 0x97, 0x1e, 0x7b, 0xec,
-	0x85, 0x88, 0x9a, 0xff, 0xa2, 0x27, 0xf4, 0x9d, 0x9d, 0x7d, 0xf9, 0xd1, 0x6c, 0x38, 0xe4, 0x54,
-	0xef, 0xf7, 0x3d, 0xdf, 0xe7, 0xa7, 0x41, 0x57, 0x07, 0xb7, 0x42, 0xc3, 0xf1, 0x4d, 0x1a, 0x38,
-	0xa6, 0xc7, 0xc4, 0x97, 0x3e, 0x1f, 0x38, 0x5e, 0xcf, 0x3c, 0xbc, 0x7e, 0xc0, 0x04, 0xbd, 0x6e,
-	0xf6, 0x98, 0xc7, 0x38, 0x15, 0xac, 0x6b, 0x04, 0xdc, 0x17, 0x3e, 0xbe, 0x18, 0x89, 0x1b, 0x34,
-	0x70, 0x8c, 0x54, 0xdc, 0x50, 0xe2, 0x1b, 0x57, 0x7b, 0x8e, 0xe8, 0x8f, 0x0e, 0x0c, 0xdb, 0x1f,
-	0x9a, 0x3d, 0xbf, 0xe7, 0x9b, 0x52, 0xeb, 0x60, 0xf4, 0x40, 0x7e, 0xc9, 0x0f, 0xf9, 0x2b, 0xb2,
-	0xb6, 0xa1, 0x67, 0x9c, 0xdb, 0x3e, 0x67, 0xe6, 0xe1, 0x94, 0xc7, 0x8d, 0x9b, 0xa9, 0xcc, 0x90,
-	0xda, 0x7d, 0xc7, 0x63, 0xfc, 0xa1, 0x19, 0x0c, 0x7a, 0x40, 0x08, 0xcd, 0x21, 0x13, 0x74, 0x96,
-	0x96, 0x39, 0x4f, 0x8b, 0x8f, 0x3c, 0xe1, 0x0c, 0xd9, 0x94, 0xc2, 0x9b, 0xc7, 0x29, 0x84, 0x76,
-	0x9f, 0x0d, 0xe9, 0x94, 0xde, 0x8d, 0x79, 0x7a, 0x23, 0xe1, 0xb8, 0xa6, 0xe3, 0x89, 0x50, 0xf0,
-	0x49, 0x25, 0xfd, 0x4f, 0x0d, 0xad, 0xdd, 0xe9, 0x74, 0xac, 0x96, 0xd7, 0xe3, 0x2c, 0x0c, 0x2d,
-	0x2a, 0xfa, 0x78, 0x13, 0x2d, 0x05, 0x54, 0xf4, 0x6b, 0xda, 0xa6, 0xb6, 0xb5, 0xd2, 0x5c, 0x7d,
-	0x72, 0xd4, 0x58, 0x18, 0x1f, 0x35, 0x96, 0x80, 0x47, 0x24, 0x07, 0xdf, 0x44, 0x15, 0xf8, 0xb7,
-	0xf3, 0x30, 0x60, 0xb5, 0x45, 0x29, 0x55, 0x1b, 0x1f, 0x35, 0x2a, 0x96, 0xa2, 0xbd, 0xc8, 0xfc,
-	0x26, 0x89, 0x24, 0xbe, 0x8f, 0x96, 0x0f, 0xa8, 0x3d, 0x60, 0x5e, 0xb7, 0x56, 0xda, 0xd4, 0xb6,
-	0xaa, 0xdb, 0x57, 0x8d, 0x97, 0xd6, 0xd0, 0x50, 0x41, 0x35, 0x23, 0xa5, 0xe6, 0x9a, 0x8a, 0x64,
-	0x59, 0x11, 0x48, 0x6c, 0x4e, 0x1f, 0xa0, 0x0b, 0x99, 0x47, 0x90, 0x91, 0xcb, 0x3e, 0xa2, 0xee,
-	0x88, 0xe1, 0x36, 0x2a, 0x83, 0xf7, 0xb0, 0xa6, 0x6d, 0x2e, 0x6e, 0x55, 0xb7, 0x8d, 0x63, 0xfc,
-	0x4d, 0x24, 0xa2, 0x79, 0x56, 0x39, 0x2c, 0xc3, 0x57, 0x48, 0x22, 0x5b, 0xfa, 0x23, 0x0d, 0xad,
-	0xb4, 0xac, 0xdb, 0xdd, 0x2e, 0xc8, 0xe1, 0xcf, 0x51, 0x05, 0x2a, 0xdf, 0xa5, 0x82, 0xca, 0x84,
-	0x55, 0xb7, 0xaf, 0x65, 0xbc, 0x24, 0x85, 0x30, 0x82, 0x41, 0x0f, 0x08, 0xa1, 0x01, 0xd2, 0xc6,
-	0xe1, 0x75, 0x63, 0xff, 0xe0, 0x0b, 0x66, 0x8b, 0x7b, 0x4c, 0xd0, 0x26, 0x56, 0x7e, 0x50, 0x4a,
-	0x23, 0x89, 0x55, 0xbc, 0x87, 0x96, 0xc2, 0x80, 0xd9, 0x2a, 0x67, 0x57, 0x8e, 0xcb, 0x59, 0x1c,
-	0x59, 0x3b, 0x60, 0x76, 0x5a, 0x3c, 0xf8, 0x22, 0xd2, 0x8e, 0xfe, 0xbb, 0x86, 0xce, 0x26, 0x52,
-	0xbb, 0x4e, 0x28, 0xf0, 0x67, 0x53, 0x6f, 0x30, 0x8a, 0xbd, 0x01, 0xb4, 0xe5, 0x0b, 0xd6, 0x95,
-	0x9f, 0x4a, 0x4c, 0xc9, 0xc4, 0x7f, 0x0f, 0x95, 0x1d, 0xc1, 0x86, 0x61, 0xad, 0x24, 0x8b, 0xb0,
-	0x55, 0xf4, 0x01, 0x69, 0xfa, 0x5b, 0xa0, 0x4e, 0x22, 0x2b, 0xba, 0x9b, 0x89, 0x1e, 0x5e, 0x85,
-	0x3f, 0x45, 0x2b, 0x01, 0xe5, 0xcc, 0x13, 0x84, 0x3d, 0x98, 0x11, 0xfe, 0x2c, 0x1f, 0x56, 0x2c,
-	0xcf, 0x38, 0xf3, 0x6c, 0xd6, 0x3c, 0x3b, 0x3e, 0x6a, 0xac, 0x24, 0x44, 0x92, 0xda, 0xd3, 0xbf,
-	0x2f, 0xa1, 0x65, 0xd5, 0x12, 0xa7, 0x50, 0xea, 0xdd, 0x5c, 0xa9, 0x2f, 0x15, 0x1b, 0x8f, 0x79,
-	0x85, 0xc6, 0x1d, 0x74, 0x26, 0x14, 0x54, 0x8c, 0x42, 0x39, 0xa3, 0x05, 0x5a, 0x47, 0xd9, 0x93,
-	0x3a, 0xcd, 0x73, 0xca, 0xe2, 0x99, 0xe8, 0x9b, 0x28, 0x5b, 0xfa, 0x77, 0x25, 0x74, 0x2e, 0x3f,
-	0x98, 0xf8, 0x0d, 0x54, 0x0d, 0x19, 0x3f, 0x74, 0x6c, 0xb6, 0x47, 0x87, 0x4c, 0xed, 0x8d, 0xff,
-	0x29, 0xfd, 0x6a, 0x3b, 0x65, 0x91, 0xac, 0x1c, 0xee, 0x25, 0x6a, 0x96, 0xcf, 0x85, 0x7a, 0xf4,
-	0xfc, 0x94, 0xc2, 0x1a, 0x33, 0xa2, 0x35, 0x66, 0xb4, 0x3c, 0xb1, 0xcf, 0xdb, 0x82, 0x3b, 0x5e,
-	0x6f, 0xca, 0x11, 0x18, 0x23, 0x59, 0xcb, 0xf8, 0x63, 0x54, 0xe1, 0x2c, 0xf4, 0x47, 0xdc, 0x66,
-	0x2a, 0x15, 0xb9, 0xcd, 0x03, 0xfb, 0x1e, 0xca, 0x04, 0x4b, 0xaa, 0xbb, 0xeb, 0xdb, 0xd4, 0x8d,
-	0x8a, 0x93, 0xf6, 0xc7, 0x2a, 0xb4, 0x36, 0x51, 0x26, 0x48, 0x62, 0x0c, 0xb6, 0xe7, 0xaa, 0xca,
-	0xc5, 0x8e, 0x4b, 0x4f, 0xa5, 0x45, 0x3e, 0xc8, 0xb5, 0x88, 0x59, 0xac, 0xa4, 0x32, 0xb8, 0xb9,
-	0x0b, 0xe1, 0x0f, 0x0d, 0xad, 0x67, 0x05, 0x4f, 0x61, 0x27, 0x58, 0xf9, 0x9d, 0x70, 0xf9, 0x04,
-	0xcf, 0x98, 0xb3, 0x16, 0xfe, 0xd2, 0x50, 0x23, 0x2b, 0x66, 0x51, 0x4e, 0x87, 0x4c, 0x30, 0x1e,
-	0x26, 0x65, 0xc4, 0x5b, 0xa8, 0x42, 0xad, 0xd6, 0xfb, 0xdc, 0x1f, 0x05, 0xf1, 0x71, 0x83, 0xf8,
-	0x6e, 0x2b, 0x1a, 0x49, 0xb8, 0x70, 0x02, 0x07, 0x8e, 0xba, 0x53, 0x99, 0x13, 0x78, 0xd7, 0xf1,
-	0xba, 0x44, 0x72, 0x40, 0xc2, 0x83, 0x66, 0x5f, 0xcc, 0x4b, 0xc8, 0x2e, 0x97, 0x1c, 0xdc, 0x40,
-	0xe5, 0xd0, 0xf6, 0x03, 0x56, 0x5b, 0x92, 0x22, 0x2b, 0x10, 0x72, 0x1b, 0x08, 0x24, 0xa2, 0xe3,
-	0xcb, 0x68, 0x05, 0x04, 0xc3, 0x80, 0xda, 0xac, 0x56, 0x96, 0x42, 0x72, 0x11, 0xed, 0xc5, 0x44,
-	0x92, 0xf2, 0xf5, 0x5f, 0x26, 0x8a, 0x24, 0x57, 0xdf, 0x36, 0x42, 0xb6, 0xef, 0x09, 0xee, 0xbb,
-	0x2e, 0xe3, 0xea, 0x49, 0x49, 0xfb, 0xec, 0x24, 0x1c, 0x92, 0x91, 0xc2, 0x1e, 0x42, 0x41, 0x92,
-	0x1b, 0xd5, 0x46, 0x6f, 0x9f, 0x20, 0xff, 0x33, 0x12, 0xdb, 0x3c, 0x07, 0xfe, 0x32, 0x8c, 0x8c,
-	0x07, 0xfd, 0x37, 0x0d, 0x55, 0x95, 0xfe, 0x29, 0x34, 0xd6, 0xdd, 0x7c, 0x63, 0xbd, 0x56, 0x10,
-	0x61, 0xcc, 0xee, 0xa9, 0x47, 0x1a, 0xda, 0x88, 0x43, 0xf7, 0x69, 0xb7, 0x49, 0x5d, 0xea, 0xd9,
-	0x8c, 0xc7, 0xf7, 0x60, 0x03, 0x95, 0x9c, 0xb8, 0x91, 0x90, 0x32, 0x50, 0x6a, 0x59, 0xa4, 0xe4,
-	0x04, 0xf8, 0x0a, 0xaa, 0xf4, 0xfd, 0x50, 0xc8, 0x16, 0x89, 0x9a, 0x28, 0x89, 0xfa, 0x8e, 0xa2,
-	0x93, 0x44, 0x02, 0x7f, 0x88, 0xca, 0x81, 0xcf, 0x45, 0x58, 0x5b, 0x92, 0x51, 0x5f, 0x2b, 0x16,
-	0x35, 0xec, 0x36, 0xb5, 0xac, 0x53, 0xa4, 0x02, 0x66, 0x48, 0x64, 0x4d, 0xff, 0x46, 0x43, 0xff,
-	0x9f, 0x11, 0x7f, 0xa4, 0x83, 0xbb, 0x68, 0xd9, 0x89, 0x98, 0x0a, 0x1e, 0xbd, 0x55, 0xcc, 0xed,
-	0x8c, 0x54, 0xa4, 0xd0, 0x2c, 0x86, 0x60, 0xb1, 0x69, 0xfd, 0x27, 0x0d, 0x9d, 0x9f, 0x8a, 0x57,
-	0x42, 0x4c, 0xd8, 0xf9, 0x90, 0xbc, 0x72, 0x06, 0x62, 0xc2, 0xea, 0x96, 0x1c, 0x7c, 0x17, 0x55,
-	0x24, 0x42, 0xb5, 0x7d, 0x57, 0x25, 0xd0, 0x8c, 0x13, 0x68, 0x29, 0xfa, 0x8b, 0xa3, 0xc6, 0x2b,
-	0xd3, 0xb0, 0xdd, 0x88, 0xd9, 0x24, 0x31, 0x00, 0xa3, 0xc8, 0x38, 0xf7, 0xb9, 0x9a, 0x56, 0x39,
-	0x8a, 0xef, 0x01, 0x81, 0x44, 0x74, 0xfd, 0xe7, 0xb4, 0x49, 0x01, 0x3d, 0x42, 0x7c, 0x50, 0x9c,
-	0x49, 0x08, 0x0c, 0xa5, 0x23, 0x92, 0x83, 0x47, 0x68, 0xdd, 0x99, 0x80, 0x9b, 0x27, 0xdb, 0xc9,
-	0x89, 0x5a, 0xb3, 0xa6, 0xcc, 0xaf, 0x4f, 0x72, 0xc8, 0x94, 0x0b, 0x9d, 0xa1, 0x29, 0x29, 0x38,
-	0x09, 0x7d, 0x21, 0x02, 0x35, 0x4d, 0x37, 0x8a, 0x83, 0xdc, 0x34, 0x84, 0x8a, 0x7c, 0x5d, 0xa7,
-	0x63, 0x11, 0x69, 0x4a, 0x7f, 0x5c, 0x4a, 0xf2, 0x21, 0x17, 0xcd, 0x3b, 0xc9, 0x6b, 0xe5, 0x0e,
-	0x90, 0x67, 0x3e, 0x5a, 0x6b, 0x17, 0x32, 0x81, 0x27, 0x3c, 0x32, 0x25, 0x8d, 0x3b, 0x29, 0xf8,
-	0xd7, 0xfe, 0x0b, 0xf8, 0xaf, 0xce, 0x02, 0xfe, 0xf8, 0x0e, 0x5a, 0x14, 0x6e, 0x3c, 0xec, 0xaf,
-	0x17, 0xb3, 0xd8, 0xd9, 0x6d, 0x37, 0xab, 0x2a, 0xe5, 0x8b, 0x9d, 0xdd, 0x36, 0x01, 0x13, 0x78,
-	0x1f, 0x95, 0xf9, 0xc8, 0x65, 0x80, 0x95, 0x16, 0x8b, 0x63, 0x2f, 0xc8, 0x60, 0x3a, 0x7c, 0xf0,
-	0x15, 0x92, 0xc8, 0x8e, 0xfe, 0x2d, 0xc0, 0xec, 0x2c, 0xa2, 0xc2, 0x1c, 0xad, 0xba, 0x99, 0xd9,
-	0x51, 0x79, 0xb8, 0x75, 0xf2, 0xa9, 0x53, 0x43, 0x7f, 0x41, 0xf9, 0x5d, 0xcd, 0xf2, 0x48, 0xce,
-	0x87, 0x4e, 0x11, 0x4a, 0x9f, 0x0d, 0x73, 0x00, 0xcd, 0x1b, 0x0d, 0xbc, 0x9a, 0x03, 0xe8, 0xe9,
-	0x90, 0x44, 0x74, 0x38, 0x28, 0x21, 0xb3, 0x39, 0x13, 0x7b, 0xe9, 0xe2, 0x4a, 0x0e, 0x4a, 0x3b,
-	0xe1, 0x90, 0x8c, 0x94, 0xfe, 0xab, 0x86, 0xd6, 0x26, 0x00, 0x35, 0x7e, 0x15, 0x95, 0x7b, 0x99,
-	0x33, 0x9b, 0x64, 0x28, 0xba, 0xb3, 0x11, 0x0f, 0x76, 0x64, 0x02, 0xcb, 0x26, 0x76, 0xe4, 0x34,
-	0xd6, 0xc2, 0x66, 0xf6, 0x5a, 0x46, 0x73, 0x7c, 0x5e, 0x89, 0xcf, 0xbc, 0x98, 0xc9, 0x85, 0x5e,
-	0x9a, 0x77, 0xa1, 0xf5, 0x1f, 0x4b, 0x28, 0x06, 0x8d, 0x3b, 0xad, 0x77, 0xc9, 0x29, 0xa0, 0x37,
-	0x2b, 0x87, 0xde, 0x8e, 0xfb, 0x6f, 0x4a, 0x26, 0xb6, 0xb9, 0x20, 0xff, 0xfe, 0x04, 0xc8, 0xbf,
-	0x76, 0x02, 0x9b, 0x2f, 0x07, 0xfa, 0x8f, 0x35, 0xb4, 0x96, 0x91, 0x3e, 0x85, 0xe3, 0xbd, 0x9f,
-	0x3f, 0xde, 0x97, 0x8a, 0x3f, 0x65, 0xce, 0x01, 0xdf, 0xce, 0xbd, 0x40, 0x6e, 0xb2, 0x06, 0x2a,
-	0xdb, 0x4e, 0x97, 0xe7, 0x46, 0x00, 0x98, 0x21, 0x89, 0xe8, 0xfa, 0x57, 0xe8, 0xfc, 0x54, 0x8e,
-	0xb0, 0x2d, 0x81, 0x56, 0xd7, 0x11, 0x8e, 0xef, 0xc5, 0xe7, 0xd2, 0x2c, 0xf6, 0xf2, 0x9d, 0x58,
-	0x2f, 0x87, 0xcc, 0x94, 0x29, 0x92, 0x31, 0xdb, 0xdc, 0x79, 0xf2, 0xbc, 0xbe, 0xf0, 0xf4, 0x79,
-	0x7d, 0xe1, 0xd9, 0xf3, 0xfa, 0xc2, 0xd7, 0xe3, 0xba, 0xf6, 0x64, 0x5c, 0xd7, 0x9e, 0x8e, 0xeb,
-	0xda, 0xb3, 0x71, 0x5d, 0xfb, 0x7b, 0x5c, 0xd7, 0x7e, 0xf8, 0xa7, 0xbe, 0xf0, 0xc9, 0xc5, 0x97,
-	0xfe, 0x99, 0xec, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xb7, 0xc2, 0xa4, 0xff, 0x46, 0x13, 0x00,
-	0x00,
-}
+func (m *ServiceCIDRStatus) Reset() { *m = ServiceCIDRStatus{} }
 
 func (m *HTTPIngressPath) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/networking/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/networking/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..abd29cba981b3
--- /dev/null
+++ b/staging/src/k8s.io/api/networking/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,72 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*HTTPIngressPath) ProtoMessage() {}
+
+func (*HTTPIngressRuleValue) ProtoMessage() {}
+
+func (*IPAddress) ProtoMessage() {}
+
+func (*IPAddressList) ProtoMessage() {}
+
+func (*IPAddressSpec) ProtoMessage() {}
+
+func (*Ingress) ProtoMessage() {}
+
+func (*IngressBackend) ProtoMessage() {}
+
+func (*IngressClass) ProtoMessage() {}
+
+func (*IngressClassList) ProtoMessage() {}
+
+func (*IngressClassParametersReference) ProtoMessage() {}
+
+func (*IngressClassSpec) ProtoMessage() {}
+
+func (*IngressList) ProtoMessage() {}
+
+func (*IngressLoadBalancerIngress) ProtoMessage() {}
+
+func (*IngressLoadBalancerStatus) ProtoMessage() {}
+
+func (*IngressPortStatus) ProtoMessage() {}
+
+func (*IngressRule) ProtoMessage() {}
+
+func (*IngressRuleValue) ProtoMessage() {}
+
+func (*IngressSpec) ProtoMessage() {}
+
+func (*IngressStatus) ProtoMessage() {}
+
+func (*IngressTLS) ProtoMessage() {}
+
+func (*ParentReference) ProtoMessage() {}
+
+func (*ServiceCIDR) ProtoMessage() {}
+
+func (*ServiceCIDRList) ProtoMessage() {}
+
+func (*ServiceCIDRSpec) ProtoMessage() {}
+
+func (*ServiceCIDRStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/networking/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/networking/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..08bdb27a5efb7
--- /dev/null
+++ b/staging/src/k8s.io/api/networking/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,147 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressPath) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.HTTPIngressPath"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HTTPIngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.HTTPIngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IPAddress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddressList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IPAddressList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IPAddressSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IPAddressSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Ingress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.Ingress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressBackend) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressBackend"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClass) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassParametersReference) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressClassParametersReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerIngress) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressLoadBalancerIngress"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressLoadBalancerStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressLoadBalancerStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressPortStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressPortStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRule) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressRuleValue) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressRuleValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IngressTLS) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.IngressTLS"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ParentReference) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.ParentReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDR) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.ServiceCIDR"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRList) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.ServiceCIDRList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRSpec) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.ServiceCIDRSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceCIDRStatus) OpenAPIModelName() string {
+	return "io.k8s.api.networking.v1beta1.ServiceCIDRStatus"
+}
diff --git a/staging/src/k8s.io/api/node/v1/doc.go b/staging/src/k8s.io/api/node/v1/doc.go
index 3239af7039920..3f8bfbc01422e 100644
--- a/staging/src/k8s.io/api/node/v1/doc.go
+++ b/staging/src/k8s.io/api/node/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.node.v1
+
 // +groupName=node.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/node/v1/generated.pb.go b/staging/src/k8s.io/api/node/v1/generated.pb.go
index 4c304f55f9c28..6fcb8ad0e7aa3 100644
--- a/staging/src/k8s.io/api/node/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/node/v1/generated.pb.go
@@ -23,200 +23,25 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Overhead) Reset() { *m = Overhead{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *RuntimeClass) Reset() { *m = RuntimeClass{} }
 
-func (m *Overhead) Reset()      { *m = Overhead{} }
-func (*Overhead) ProtoMessage() {}
-func (*Overhead) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9007436710e7565b, []int{0}
-}
-func (m *Overhead) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Overhead) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Overhead) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Overhead.Merge(m, src)
-}
-func (m *Overhead) XXX_Size() int {
-	return m.Size()
-}
-func (m *Overhead) XXX_DiscardUnknown() {
-	xxx_messageInfo_Overhead.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Overhead proto.InternalMessageInfo
-
-func (m *RuntimeClass) Reset()      { *m = RuntimeClass{} }
-func (*RuntimeClass) ProtoMessage() {}
-func (*RuntimeClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9007436710e7565b, []int{1}
-}
-func (m *RuntimeClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClass.Merge(m, src)
-}
-func (m *RuntimeClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClass proto.InternalMessageInfo
-
-func (m *RuntimeClassList) Reset()      { *m = RuntimeClassList{} }
-func (*RuntimeClassList) ProtoMessage() {}
-func (*RuntimeClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9007436710e7565b, []int{2}
-}
-func (m *RuntimeClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClassList.Merge(m, src)
-}
-func (m *RuntimeClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClassList proto.InternalMessageInfo
-
-func (m *Scheduling) Reset()      { *m = Scheduling{} }
-func (*Scheduling) ProtoMessage() {}
-func (*Scheduling) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9007436710e7565b, []int{3}
-}
-func (m *Scheduling) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scheduling) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scheduling) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scheduling.Merge(m, src)
-}
-func (m *Scheduling) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scheduling) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scheduling.DiscardUnknown(m)
-}
+func (m *RuntimeClassList) Reset() { *m = RuntimeClassList{} }
 
-var xxx_messageInfo_Scheduling proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Overhead)(nil), "k8s.io.api.node.v1.Overhead")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.api.node.v1.Overhead.PodFixedEntry")
-	proto.RegisterType((*RuntimeClass)(nil), "k8s.io.api.node.v1.RuntimeClass")
-	proto.RegisterType((*RuntimeClassList)(nil), "k8s.io.api.node.v1.RuntimeClassList")
-	proto.RegisterType((*Scheduling)(nil), "k8s.io.api.node.v1.Scheduling")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.node.v1.Scheduling.NodeSelectorEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/node/v1/generated.proto", fileDescriptor_9007436710e7565b)
-}
-
-var fileDescriptor_9007436710e7565b = []byte{
-	// 643 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0x4f, 0x6f, 0xd3, 0x4e,
-	0x10, 0xcd, 0xa6, 0xbf, 0xaa, 0xe9, 0x26, 0xfd, 0x51, 0x96, 0x1e, 0xa2, 0x08, 0x39, 0x51, 0x4e,
-	0x05, 0xa9, 0xeb, 0xb6, 0x42, 0xa8, 0xe2, 0x82, 0x64, 0x68, 0x05, 0x12, 0x14, 0x70, 0xe1, 0x82,
-	0x38, 0xb0, 0xb5, 0x17, 0x67, 0x9b, 0xd8, 0x1b, 0xd9, 0xeb, 0x88, 0xdc, 0x10, 0x17, 0x24, 0x4e,
-	0xfd, 0x2e, 0x1c, 0xf8, 0x0a, 0x15, 0xa7, 0x1e, 0x7b, 0x6a, 0xa9, 0xf9, 0x16, 0x9c, 0xd0, 0xae,
-	0xff, 0x64, 0x83, 0x43, 0x28, 0x37, 0xef, 0xec, 0x7b, 0x6f, 0x66, 0xde, 0xec, 0x18, 0x76, 0xfb,
-	0x3b, 0x11, 0x66, 0xdc, 0x24, 0x43, 0x66, 0x06, 0xdc, 0xa5, 0xe6, 0x68, 0xcb, 0xf4, 0x68, 0x40,
-	0x43, 0x22, 0xa8, 0x8b, 0x87, 0x21, 0x17, 0x1c, 0xa1, 0x14, 0x83, 0xc9, 0x90, 0x61, 0x89, 0xc1,
-	0xa3, 0xad, 0xd6, 0x86, 0xc7, 0x44, 0x2f, 0x3e, 0xc4, 0x0e, 0xf7, 0x4d, 0x8f, 0x7b, 0xdc, 0x54,
-	0xd0, 0xc3, 0xf8, 0x9d, 0x3a, 0xa9, 0x83, 0xfa, 0x4a, 0x25, 0x5a, 0x7a, 0x1a, 0x87, 0x87, 0xb3,
-	0xd2, 0xb4, 0xee, 0x4c, 0x30, 0x3e, 0x71, 0x7a, 0x2c, 0xa0, 0xe1, 0xd8, 0x1c, 0xf6, 0x3d, 0x45,
-	0x0a, 0x69, 0xc4, 0xe3, 0xd0, 0xa1, 0xff, 0xc4, 0x8a, 0x4c, 0x9f, 0x0a, 0x32, 0x2b, 0x97, 0xf9,
-	0x27, 0x56, 0x18, 0x07, 0x82, 0xf9, 0xe5, 0x34, 0x77, 0xff, 0x46, 0x88, 0x9c, 0x1e, 0xf5, 0xc9,
-	0xef, 0xbc, 0xee, 0xb7, 0x2a, 0xac, 0x3d, 0x1b, 0xd1, 0xb0, 0x47, 0x89, 0x8b, 0x4e, 0x01, 0xac,
-	0x0d, 0xb9, 0xbb, 0xc7, 0xde, 0x53, 0xb7, 0x09, 0x3a, 0x0b, 0xeb, 0xf5, 0xed, 0xdb, 0xb8, 0x6c,
-	0x2e, 0xce, 0x09, 0xf8, 0x79, 0x06, 0xde, 0x0d, 0x44, 0x38, 0xb6, 0x3e, 0x81, 0x93, 0xf3, 0x76,
-	0x25, 0x39, 0x6f, 0xd7, 0xf2, 0xf8, 0xcf, 0xf3, 0x76, 0xbb, 0xec, 0x2c, 0xb6, 0x33, 0xb3, 0x9e,
-	0xb0, 0x48, 0x7c, 0xbc, 0x98, 0x0b, 0xd9, 0x27, 0x3e, 0xfd, 0x7c, 0xd1, 0xde, 0xb8, 0x8a, 0xf7,
-	0xf8, 0x45, 0x4c, 0x02, 0xc1, 0xc4, 0xd8, 0x2e, 0xba, 0x68, 0xf5, 0xe1, 0xca, 0x54, 0x91, 0x68,
-	0x15, 0x2e, 0xf4, 0xe9, 0xb8, 0x09, 0x3a, 0x60, 0x7d, 0xd9, 0x96, 0x9f, 0xe8, 0x21, 0x5c, 0x1c,
-	0x91, 0x41, 0x4c, 0x9b, 0xd5, 0x0e, 0x58, 0xaf, 0x6f, 0x63, 0xad, 0xe3, 0x22, 0x17, 0x1e, 0xf6,
-	0x3d, 0x65, 0x41, 0x39, 0x57, 0x4a, 0xbe, 0x57, 0xdd, 0x01, 0xdd, 0x2f, 0x55, 0xd8, 0xb0, 0x53,
-	0xbf, 0x1f, 0x0c, 0x48, 0x14, 0xa1, 0xb7, 0xb0, 0x26, 0x27, 0xec, 0x12, 0x41, 0x54, 0xc6, 0xfa,
-	0xf6, 0xe6, 0x3c, 0xf5, 0x08, 0x4b, 0xb4, 0x72, 0xf8, 0xf0, 0x88, 0x3a, 0xe2, 0x29, 0x15, 0xc4,
-	0x42, 0x99, 0xa9, 0x70, 0x12, 0xb3, 0x0b, 0x55, 0x74, 0x0b, 0x2e, 0xf5, 0x48, 0xe0, 0x0e, 0x68,
-	0xa8, 0xca, 0x5f, 0xb6, 0xae, 0x65, 0xf0, 0xa5, 0x47, 0x69, 0xd8, 0xce, 0xef, 0xd1, 0x1e, 0xac,
-	0xf1, 0x6c, 0x70, 0xcd, 0x05, 0x55, 0xcc, 0xcd, 0x79, 0xc3, 0xb5, 0x1a, 0x72, 0x92, 0xf9, 0xc9,
-	0x2e, 0xb8, 0x68, 0x1f, 0x42, 0xf9, 0x98, 0xdc, 0x78, 0xc0, 0x02, 0xaf, 0xf9, 0x9f, 0x52, 0x32,
-	0x66, 0x29, 0x1d, 0x14, 0x28, 0xeb, 0x7f, 0xd9, 0xc0, 0xe4, 0x6c, 0x6b, 0x0a, 0xdd, 0xaf, 0x00,
-	0xae, 0xea, 0xae, 0xc9, 0x57, 0x81, 0xde, 0x94, 0x9c, 0xc3, 0x57, 0x73, 0x4e, 0xb2, 0x95, 0x6f,
-	0xab, 0xf9, 0x63, 0xcc, 0x23, 0x9a, 0x6b, 0xbb, 0x70, 0x91, 0x09, 0xea, 0x47, 0xcd, 0xaa, 0x7a,
-	0xe4, 0x9d, 0x59, 0xd5, 0xeb, 0x25, 0x59, 0x2b, 0x99, 0xd8, 0xe2, 0x63, 0x49, 0xb3, 0x53, 0x76,
-	0xf7, 0xb8, 0x0a, 0xb5, 0xa6, 0xd0, 0x11, 0x6c, 0x48, 0xf2, 0x01, 0x1d, 0x50, 0x47, 0xf0, 0x30,
-	0xdb, 0xa0, 0xcd, 0xf9, 0xd6, 0xe0, 0x7d, 0x8d, 0x92, 0xee, 0xd1, 0x5a, 0x96, 0xac, 0xa1, 0x5f,
-	0xd9, 0x53, 0xda, 0xe8, 0x15, 0xac, 0x0b, 0x3e, 0x90, 0xab, 0xcc, 0x78, 0x90, 0xf7, 0x31, 0x35,
-	0x05, 0xb9, 0x49, 0x32, 0xd5, 0xcb, 0x02, 0x66, 0xdd, 0xc8, 0x84, 0xeb, 0x93, 0x58, 0x64, 0xeb,
-	0x3a, 0xad, 0xfb, 0xf0, 0x7a, 0xa9, 0x9e, 0x19, 0x2b, 0xb3, 0xa6, 0xaf, 0xcc, 0xb2, 0xb6, 0x02,
-	0xd6, 0xce, 0xc9, 0xa5, 0x51, 0x39, 0xbd, 0x34, 0x2a, 0x67, 0x97, 0x46, 0xe5, 0x43, 0x62, 0x80,
-	0x93, 0xc4, 0x00, 0xa7, 0x89, 0x01, 0xce, 0x12, 0x03, 0x7c, 0x4f, 0x0c, 0x70, 0xfc, 0xc3, 0xa8,
-	0xbc, 0x46, 0xe5, 0xbf, 0xfa, 0xaf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xd3, 0x3f, 0x9c, 0xd0, 0xea,
-	0x05, 0x00, 0x00,
-}
+func (m *Scheduling) Reset() { *m = Scheduling{} }
 
 func (m *Overhead) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -243,7 +68,7 @@ func (m *Overhead) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.PodFixed {
 			keysForPodFixed = append(keysForPodFixed, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+		sort.Strings(keysForPodFixed)
 		for iNdEx := len(keysForPodFixed) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.PodFixed[k8s_io_api_core_v1.ResourceName(keysForPodFixed[iNdEx])]
 			baseI := i
@@ -418,7 +243,7 @@ func (m *Scheduling) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -544,7 +369,7 @@ func (this *Overhead) String() string {
 	for k := range this.PodFixed {
 		keysForPodFixed = append(keysForPodFixed, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+	sort.Strings(keysForPodFixed)
 	mapStringForPodFixed := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForPodFixed {
 		mapStringForPodFixed += fmt.Sprintf("%v: %v,", k, this.PodFixed[k8s_io_api_core_v1.ResourceName(k)])
@@ -598,7 +423,7 @@ func (this *Scheduling) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
diff --git a/staging/src/k8s.io/api/node/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/node/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..97072dfa1eb5e
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Overhead) ProtoMessage() {}
+
+func (*RuntimeClass) ProtoMessage() {}
+
+func (*RuntimeClassList) ProtoMessage() {}
+
+func (*Scheduling) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/node/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/node/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..68ca99f77ad9b
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Overhead) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1.Overhead"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClass) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1.RuntimeClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClassList) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1.RuntimeClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scheduling) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1.Scheduling"
+}
diff --git a/staging/src/k8s.io/api/node/v1alpha1/doc.go b/staging/src/k8s.io/api/node/v1alpha1/doc.go
index 2f3d46ac20567..9774572876514 100644
--- a/staging/src/k8s.io/api/node/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/node/v1alpha1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.node.v1alpha1
 
 // +groupName=node.k8s.io
 
diff --git a/staging/src/k8s.io/api/node/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/node/v1alpha1/generated.pb.go
index 16ac696433f1c..f25af72ee1f7f 100644
--- a/staging/src/k8s.io/api/node/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/node/v1alpha1/generated.pb.go
@@ -23,231 +23,27 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Overhead) Reset() { *m = Overhead{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *RuntimeClass) Reset() { *m = RuntimeClass{} }
 
-func (m *Overhead) Reset()      { *m = Overhead{} }
-func (*Overhead) ProtoMessage() {}
-func (*Overhead) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8fee97bf5273e47, []int{0}
-}
-func (m *Overhead) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Overhead) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Overhead) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Overhead.Merge(m, src)
-}
-func (m *Overhead) XXX_Size() int {
-	return m.Size()
-}
-func (m *Overhead) XXX_DiscardUnknown() {
-	xxx_messageInfo_Overhead.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Overhead proto.InternalMessageInfo
-
-func (m *RuntimeClass) Reset()      { *m = RuntimeClass{} }
-func (*RuntimeClass) ProtoMessage() {}
-func (*RuntimeClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8fee97bf5273e47, []int{1}
-}
-func (m *RuntimeClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClass.Merge(m, src)
-}
-func (m *RuntimeClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClass proto.InternalMessageInfo
-
-func (m *RuntimeClassList) Reset()      { *m = RuntimeClassList{} }
-func (*RuntimeClassList) ProtoMessage() {}
-func (*RuntimeClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8fee97bf5273e47, []int{2}
-}
-func (m *RuntimeClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClassList.Merge(m, src)
-}
-func (m *RuntimeClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClassList.DiscardUnknown(m)
-}
+func (m *RuntimeClassList) Reset() { *m = RuntimeClassList{} }
 
-var xxx_messageInfo_RuntimeClassList proto.InternalMessageInfo
+func (m *RuntimeClassSpec) Reset() { *m = RuntimeClassSpec{} }
 
-func (m *RuntimeClassSpec) Reset()      { *m = RuntimeClassSpec{} }
-func (*RuntimeClassSpec) ProtoMessage() {}
-func (*RuntimeClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8fee97bf5273e47, []int{3}
-}
-func (m *RuntimeClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClassSpec.Merge(m, src)
-}
-func (m *RuntimeClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClassSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClassSpec proto.InternalMessageInfo
-
-func (m *Scheduling) Reset()      { *m = Scheduling{} }
-func (*Scheduling) ProtoMessage() {}
-func (*Scheduling) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8fee97bf5273e47, []int{4}
-}
-func (m *Scheduling) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scheduling) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scheduling) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scheduling.Merge(m, src)
-}
-func (m *Scheduling) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scheduling) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scheduling.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Scheduling proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Overhead)(nil), "k8s.io.api.node.v1alpha1.Overhead")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.api.node.v1alpha1.Overhead.PodFixedEntry")
-	proto.RegisterType((*RuntimeClass)(nil), "k8s.io.api.node.v1alpha1.RuntimeClass")
-	proto.RegisterType((*RuntimeClassList)(nil), "k8s.io.api.node.v1alpha1.RuntimeClassList")
-	proto.RegisterType((*RuntimeClassSpec)(nil), "k8s.io.api.node.v1alpha1.RuntimeClassSpec")
-	proto.RegisterType((*Scheduling)(nil), "k8s.io.api.node.v1alpha1.Scheduling")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.node.v1alpha1.Scheduling.NodeSelectorEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/node/v1alpha1/generated.proto", fileDescriptor_a8fee97bf5273e47)
-}
-
-var fileDescriptor_a8fee97bf5273e47 = []byte{
-	// 683 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x3d, 0x6f, 0xd3, 0x4c,
-	0x1c, 0xcf, 0xa5, 0xad, 0x94, 0x5e, 0xd2, 0xaa, 0x8f, 0x9f, 0x0a, 0x45, 0x19, 0x9c, 0xca, 0x42,
-	0x28, 0x42, 0xea, 0x99, 0x56, 0xa8, 0xaa, 0x18, 0x8a, 0x64, 0x5e, 0x04, 0xa2, 0xb4, 0x70, 0x2d,
-	0x0b, 0x62, 0xe0, 0x6a, 0x1f, 0x8e, 0x89, 0xed, 0xb3, 0xec, 0x73, 0x44, 0x36, 0xc4, 0x82, 0xc4,
-	0xc4, 0xc4, 0xb7, 0x81, 0xb9, 0x63, 0x27, 0xd4, 0xa9, 0xa5, 0xe1, 0x3b, 0x30, 0x30, 0xa1, 0xb3,
-	0xcf, 0xc9, 0x25, 0x69, 0x68, 0xd8, 0x7c, 0x77, 0xbf, 0x97, 0xff, 0x6b, 0x02, 0x5b, 0x9d, 0xed,
-	0x04, 0x79, 0xcc, 0x24, 0x91, 0x67, 0x86, 0xcc, 0xa1, 0x66, 0x77, 0x83, 0xf8, 0x51, 0x9b, 0x6c,
-	0x98, 0x2e, 0x0d, 0x69, 0x4c, 0x38, 0x75, 0x50, 0x14, 0x33, 0xce, 0xb4, 0x7a, 0x8e, 0x44, 0x24,
-	0xf2, 0x90, 0x40, 0xa2, 0x02, 0xd9, 0x58, 0x77, 0x3d, 0xde, 0x4e, 0x8f, 0x90, 0xcd, 0x02, 0xd3,
-	0x65, 0x2e, 0x33, 0x33, 0xc2, 0x51, 0xfa, 0x26, 0x3b, 0x65, 0x87, 0xec, 0x2b, 0x17, 0x6a, 0x18,
-	0x8a, 0xa5, 0xcd, 0x62, 0x61, 0x39, 0x6e, 0xd6, 0xb8, 0x3d, 0xc4, 0x04, 0xc4, 0x6e, 0x7b, 0x21,
-	0x8d, 0x7b, 0x66, 0xd4, 0x71, 0x33, 0x52, 0x4c, 0x13, 0x96, 0xc6, 0x36, 0xfd, 0x27, 0x56, 0x62,
-	0x06, 0x94, 0x93, 0xcb, 0xbc, 0xcc, 0x69, 0xac, 0x38, 0x0d, 0xb9, 0x17, 0x4c, 0xda, 0x6c, 0x5d,
-	0x45, 0x48, 0xec, 0x36, 0x0d, 0xc8, 0x38, 0xcf, 0x38, 0x29, 0xc3, 0xca, 0x7e, 0x97, 0xc6, 0x6d,
-	0x4a, 0x1c, 0xed, 0x3b, 0x80, 0x95, 0x88, 0x39, 0x0f, 0xbd, 0x77, 0xd4, 0xa9, 0x83, 0xb5, 0xb9,
-	0x56, 0x75, 0xf3, 0x16, 0x9a, 0x56, 0x62, 0x54, 0xd0, 0xd0, 0x33, 0x49, 0x79, 0x10, 0xf2, 0xb8,
-	0x67, 0x7d, 0x04, 0xc7, 0x67, 0xcd, 0x52, 0xff, 0xac, 0x59, 0x29, 0xee, 0x7f, 0x9f, 0x35, 0x9b,
-	0x93, 0xf5, 0x45, 0x58, 0x96, 0x6c, 0xd7, 0x4b, 0xf8, 0x87, 0xf3, 0xbf, 0x42, 0xf6, 0x48, 0x40,
-	0x3f, 0x9d, 0x37, 0xd7, 0x67, 0xe9, 0x00, 0x7a, 0x9e, 0x92, 0x90, 0x7b, 0xbc, 0x87, 0x07, 0xb9,
-	0x34, 0x3a, 0x70, 0x69, 0x24, 0x48, 0x6d, 0x05, 0xce, 0x75, 0x68, 0xaf, 0x0e, 0xd6, 0x40, 0x6b,
-	0x11, 0x8b, 0x4f, 0xed, 0x3e, 0x5c, 0xe8, 0x12, 0x3f, 0xa5, 0xf5, 0xf2, 0x1a, 0x68, 0x55, 0x37,
-	0x91, 0x92, 0xf7, 0xc0, 0x0b, 0x45, 0x1d, 0x37, 0x2b, 0xc4, 0xa4, 0x57, 0x4e, 0xbe, 0x53, 0xde,
-	0x06, 0xc6, 0x37, 0x00, 0x6b, 0x38, 0xaf, 0xfa, 0x3d, 0x9f, 0x24, 0x89, 0xf6, 0x1a, 0x56, 0x44,
-	0x9f, 0x1d, 0xc2, 0x49, 0xe6, 0x38, 0x5a, 0xd5, 0x09, 0xf5, 0x04, 0x09, 0x34, 0xea, 0x6e, 0xa0,
-	0xfd, 0xa3, 0xb7, 0xd4, 0xe6, 0x4f, 0x29, 0x27, 0x96, 0x26, 0x8b, 0x0a, 0x87, 0x77, 0x78, 0xa0,
-	0xaa, 0xed, 0xc2, 0xf9, 0x24, 0xa2, 0xb6, 0x8c, 0xfd, 0xe6, 0xf4, 0x9e, 0xa9, 0x71, 0x1d, 0x44,
-	0xd4, 0xb6, 0x6a, 0x52, 0x77, 0x5e, 0x9c, 0x70, 0xa6, 0x62, 0x7c, 0x05, 0x70, 0x45, 0x05, 0x8a,
-	0x06, 0x69, 0xaf, 0x26, 0x92, 0x40, 0xb3, 0x25, 0x21, 0xd8, 0x59, 0x0a, 0x2b, 0xc5, 0x5c, 0x14,
-	0x37, 0x4a, 0x02, 0x4f, 0xe0, 0x82, 0xc7, 0x69, 0x90, 0xd4, 0xcb, 0xd9, 0xd4, 0xdd, 0x98, 0x2d,
-	0x03, 0x6b, 0x49, 0x4a, 0x2e, 0x3c, 0x16, 0x64, 0x9c, 0x6b, 0x18, 0xbf, 0xc6, 0xe2, 0x17, 0xa9,
-	0x69, 0x3b, 0x70, 0x59, 0xae, 0xc2, 0x23, 0x12, 0x3a, 0x3e, 0x8d, 0xf3, 0xe6, 0x5b, 0xd7, 0xa4,
-	0xc4, 0x32, 0x1e, 0x79, 0xc5, 0x63, 0x68, 0x6d, 0x17, 0x56, 0x98, 0x1c, 0x78, 0x59, 0x66, 0xe3,
-	0xea, 0xd5, 0xb0, 0x6a, 0x22, 0xdf, 0xe2, 0x84, 0x07, 0x0a, 0xda, 0x21, 0x84, 0x62, 0x21, 0x9d,
-	0xd4, 0xf7, 0x42, 0xb7, 0x3e, 0x97, 0xe9, 0x5d, 0x9f, 0xae, 0x77, 0x30, 0xc0, 0x5a, 0xcb, 0x62,
-	0x08, 0x86, 0x67, 0xac, 0xe8, 0x18, 0x5f, 0xca, 0x50, 0x79, 0xd2, 0x22, 0x58, 0x13, 0x32, 0x07,
-	0xd4, 0xa7, 0x36, 0x67, 0xb1, 0xdc, 0xe8, 0xad, 0x59, 0x6c, 0xd0, 0x9e, 0x42, 0xcc, 0xf7, 0x7a,
-	0x55, 0x16, 0xaa, 0xa6, 0x3e, 0xe1, 0x11, 0x07, 0xed, 0x05, 0xac, 0x72, 0xe6, 0x8b, 0x1f, 0x18,
-	0x8f, 0x85, 0x45, 0x33, 0x75, 0xd5, 0x50, 0x6c, 0xb6, 0x98, 0x8a, 0xc3, 0x01, 0xcc, 0xfa, 0x5f,
-	0x0a, 0x57, 0x87, 0x77, 0x09, 0x56, 0x75, 0x1a, 0x77, 0xe1, 0x7f, 0x13, 0xf1, 0x5c, 0xb2, 0xc2,
-	0xab, 0xea, 0x0a, 0x2f, 0x2a, 0x2b, 0x69, 0xed, 0x1c, 0x5f, 0xe8, 0xa5, 0x93, 0x0b, 0xbd, 0x74,
-	0x7a, 0xa1, 0x97, 0xde, 0xf7, 0x75, 0x70, 0xdc, 0xd7, 0xc1, 0x49, 0x5f, 0x07, 0xa7, 0x7d, 0x1d,
-	0xfc, 0xe8, 0xeb, 0xe0, 0xf3, 0x4f, 0xbd, 0xf4, 0xb2, 0x3e, 0xed, 0x7f, 0xe7, 0x4f, 0x00, 0x00,
-	0x00, 0xff, 0xff, 0xa7, 0x9b, 0x7f, 0x45, 0x92, 0x06, 0x00, 0x00,
-}
+func (m *Scheduling) Reset() { *m = Scheduling{} }
 
 func (m *Overhead) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -274,7 +70,7 @@ func (m *Overhead) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.PodFixed {
 			keysForPodFixed = append(keysForPodFixed, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+		sort.Strings(keysForPodFixed)
 		for iNdEx := len(keysForPodFixed) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.PodFixed[k8s_io_api_core_v1.ResourceName(keysForPodFixed[iNdEx])]
 			baseI := i
@@ -482,7 +278,7 @@ func (m *Scheduling) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -619,7 +415,7 @@ func (this *Overhead) String() string {
 	for k := range this.PodFixed {
 		keysForPodFixed = append(keysForPodFixed, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+	sort.Strings(keysForPodFixed)
 	mapStringForPodFixed := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForPodFixed {
 		mapStringForPodFixed += fmt.Sprintf("%v: %v,", k, this.PodFixed[k8s_io_api_core_v1.ResourceName(k)])
@@ -683,7 +479,7 @@ func (this *Scheduling) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
diff --git a/staging/src/k8s.io/api/node/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/node/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..acd3b604ee370
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*Overhead) ProtoMessage() {}
+
+func (*RuntimeClass) ProtoMessage() {}
+
+func (*RuntimeClassList) ProtoMessage() {}
+
+func (*RuntimeClassSpec) ProtoMessage() {}
+
+func (*Scheduling) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/node/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/node/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..444825deff1a3
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Overhead) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1alpha1.Overhead"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClass) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1alpha1.RuntimeClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClassList) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1alpha1.RuntimeClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1alpha1.RuntimeClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scheduling) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1alpha1.Scheduling"
+}
diff --git a/staging/src/k8s.io/api/node/v1beta1/doc.go b/staging/src/k8s.io/api/node/v1beta1/doc.go
index 7b47c8df6661b..2cf0f4a124e4d 100644
--- a/staging/src/k8s.io/api/node/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/node/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.node.v1beta1
 
 // +groupName=node.k8s.io
 
diff --git a/staging/src/k8s.io/api/node/v1beta1/generated.pb.go b/staging/src/k8s.io/api/node/v1beta1/generated.pb.go
index 537961c259a9f..c97b8fc059190 100644
--- a/staging/src/k8s.io/api/node/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/node/v1beta1/generated.pb.go
@@ -23,200 +23,25 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Overhead) Reset() { *m = Overhead{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *RuntimeClass) Reset() { *m = RuntimeClass{} }
 
-func (m *Overhead) Reset()      { *m = Overhead{} }
-func (*Overhead) ProtoMessage() {}
-func (*Overhead) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73bb62abe8438af4, []int{0}
-}
-func (m *Overhead) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Overhead) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Overhead) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Overhead.Merge(m, src)
-}
-func (m *Overhead) XXX_Size() int {
-	return m.Size()
-}
-func (m *Overhead) XXX_DiscardUnknown() {
-	xxx_messageInfo_Overhead.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Overhead proto.InternalMessageInfo
-
-func (m *RuntimeClass) Reset()      { *m = RuntimeClass{} }
-func (*RuntimeClass) ProtoMessage() {}
-func (*RuntimeClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73bb62abe8438af4, []int{1}
-}
-func (m *RuntimeClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClass.Merge(m, src)
-}
-func (m *RuntimeClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClass proto.InternalMessageInfo
-
-func (m *RuntimeClassList) Reset()      { *m = RuntimeClassList{} }
-func (*RuntimeClassList) ProtoMessage() {}
-func (*RuntimeClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73bb62abe8438af4, []int{2}
-}
-func (m *RuntimeClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RuntimeClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RuntimeClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RuntimeClassList.Merge(m, src)
-}
-func (m *RuntimeClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RuntimeClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RuntimeClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RuntimeClassList proto.InternalMessageInfo
-
-func (m *Scheduling) Reset()      { *m = Scheduling{} }
-func (*Scheduling) ProtoMessage() {}
-func (*Scheduling) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73bb62abe8438af4, []int{3}
-}
-func (m *Scheduling) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Scheduling) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Scheduling) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Scheduling.Merge(m, src)
-}
-func (m *Scheduling) XXX_Size() int {
-	return m.Size()
-}
-func (m *Scheduling) XXX_DiscardUnknown() {
-	xxx_messageInfo_Scheduling.DiscardUnknown(m)
-}
+func (m *RuntimeClassList) Reset() { *m = RuntimeClassList{} }
 
-var xxx_messageInfo_Scheduling proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Overhead)(nil), "k8s.io.api.node.v1beta1.Overhead")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.api.node.v1beta1.Overhead.PodFixedEntry")
-	proto.RegisterType((*RuntimeClass)(nil), "k8s.io.api.node.v1beta1.RuntimeClass")
-	proto.RegisterType((*RuntimeClassList)(nil), "k8s.io.api.node.v1beta1.RuntimeClassList")
-	proto.RegisterType((*Scheduling)(nil), "k8s.io.api.node.v1beta1.Scheduling")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.node.v1beta1.Scheduling.NodeSelectorEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/node/v1beta1/generated.proto", fileDescriptor_73bb62abe8438af4)
-}
-
-var fileDescriptor_73bb62abe8438af4 = []byte{
-	// 654 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0xbb, 0x6f, 0x13, 0x31,
-	0x18, 0x8f, 0x53, 0xaa, 0xa6, 0x4e, 0x0a, 0xc5, 0x54, 0x6a, 0x94, 0xe1, 0x52, 0x82, 0x10, 0x65,
-	0xa8, 0x8f, 0x56, 0x80, 0x2a, 0x24, 0x84, 0x74, 0x3c, 0xc4, 0xb3, 0x85, 0x2b, 0x2c, 0x88, 0x01,
-	0xe7, 0xce, 0x5c, 0x4c, 0x72, 0xe7, 0xe8, 0xce, 0x17, 0x91, 0x0d, 0xb1, 0x20, 0x31, 0xb1, 0xf0,
-	0xdf, 0xc0, 0xde, 0x8d, 0x2e, 0x48, 0x9d, 0x5a, 0x1a, 0xfe, 0x0b, 0x26, 0x64, 0xdf, 0x23, 0x6e,
-	0xd3, 0xb4, 0x61, 0x8b, 0x7d, 0xbf, 0xc7, 0xf7, 0xfd, 0x3e, 0x7f, 0x81, 0x57, 0xda, 0xeb, 0x11,
-	0x66, 0xdc, 0x24, 0x5d, 0x66, 0x06, 0xdc, 0xa5, 0x66, 0x6f, 0xb5, 0x49, 0x05, 0x59, 0x35, 0x3d,
-	0x1a, 0xd0, 0x90, 0x08, 0xea, 0xe2, 0x6e, 0xc8, 0x05, 0x47, 0x8b, 0x09, 0x10, 0x93, 0x2e, 0xc3,
-	0x12, 0x88, 0x53, 0x60, 0x6d, 0xc5, 0x63, 0xa2, 0x15, 0x37, 0xb1, 0xc3, 0x7d, 0xd3, 0xe3, 0x1e,
-	0x37, 0x15, 0xbe, 0x19, 0xbf, 0x53, 0x27, 0x75, 0x50, 0xbf, 0x12, 0x9d, 0x5a, 0x43, 0x33, 0x74,
-	0x78, 0x28, 0x0d, 0x8f, 0x7a, 0xd5, 0xae, 0x0f, 0x31, 0x3e, 0x71, 0x5a, 0x2c, 0xa0, 0x61, 0xdf,
-	0xec, 0xb6, 0x3d, 0x45, 0x0a, 0x69, 0xc4, 0xe3, 0xd0, 0xa1, 0xff, 0xc5, 0x8a, 0x4c, 0x9f, 0x0a,
-	0x72, 0x9c, 0x97, 0x39, 0x8e, 0x15, 0xc6, 0x81, 0x60, 0xfe, 0xa8, 0xcd, 0xcd, 0xd3, 0x08, 0x91,
-	0xd3, 0xa2, 0x3e, 0x39, 0xca, 0x6b, 0xfc, 0x2c, 0xc2, 0xd2, 0x66, 0x8f, 0x86, 0x2d, 0x4a, 0x5c,
-	0xf4, 0x0b, 0xc0, 0x52, 0x97, 0xbb, 0x0f, 0xd8, 0x07, 0xea, 0x56, 0xc1, 0xd2, 0xd4, 0x72, 0x79,
-	0xcd, 0xc4, 0x63, 0x12, 0xc6, 0x19, 0x0b, 0x3f, 0x4f, 0x19, 0xf7, 0x03, 0x11, 0xf6, 0xad, 0xcf,
-	0x60, 0x7b, 0xaf, 0x5e, 0x18, 0xec, 0xd5, 0x4b, 0xd9, 0xfd, 0xdf, 0xbd, 0x7a, 0x7d, 0x34, 0x5e,
-	0x6c, 0xa7, 0x89, 0x3d, 0x65, 0x91, 0xf8, 0xb4, 0x7f, 0x22, 0x64, 0x83, 0xf8, 0xf4, 0xcb, 0x7e,
-	0x7d, 0x65, 0x92, 0x01, 0xe0, 0x17, 0x31, 0x09, 0x04, 0x13, 0x7d, 0x3b, 0x6f, 0xa5, 0xd6, 0x86,
-	0x73, 0x87, 0x8a, 0x44, 0xf3, 0x70, 0xaa, 0x4d, 0xfb, 0x55, 0xb0, 0x04, 0x96, 0x67, 0x6d, 0xf9,
-	0x13, 0xdd, 0x83, 0xd3, 0x3d, 0xd2, 0x89, 0x69, 0xb5, 0xb8, 0x04, 0x96, 0xcb, 0x6b, 0x58, 0x6b,
-	0x3b, 0xf7, 0xc2, 0xdd, 0xb6, 0xa7, 0x72, 0x18, 0xf5, 0x4a, 0xc8, 0xb7, 0x8a, 0xeb, 0xa0, 0xf1,
-	0xa3, 0x08, 0x2b, 0x76, 0x12, 0xfa, 0xdd, 0x0e, 0x89, 0x22, 0xf4, 0x16, 0x96, 0xe4, 0x98, 0x5d,
-	0x22, 0x88, 0x72, 0x2c, 0xaf, 0x5d, 0x3b, 0x49, 0x3d, 0xc2, 0x12, 0x8d, 0x7b, 0xab, 0x78, 0xb3,
-	0xf9, 0x9e, 0x3a, 0xe2, 0x19, 0x15, 0xc4, 0x42, 0x69, 0xa8, 0x70, 0x78, 0x67, 0xe7, 0xaa, 0xe8,
-	0x2a, 0x9c, 0x69, 0x91, 0xc0, 0xed, 0xd0, 0x50, 0x95, 0x3f, 0x6b, 0x9d, 0x4b, 0xe1, 0x33, 0x0f,
-	0x93, 0x6b, 0x3b, 0xfb, 0x8e, 0x9e, 0xc0, 0x12, 0x4f, 0x07, 0x57, 0x9d, 0x52, 0xc5, 0x5c, 0x3c,
-	0x75, 0xc2, 0x56, 0x45, 0x8e, 0x33, 0x3b, 0xd9, 0xb9, 0x00, 0xda, 0x82, 0x50, 0x3e, 0x2b, 0x37,
-	0xee, 0xb0, 0xc0, 0xab, 0x9e, 0x51, 0x72, 0x97, 0xc6, 0xca, 0x6d, 0xe5, 0x50, 0xeb, 0xac, 0x6c,
-	0x65, 0x78, 0xb6, 0x35, 0x99, 0xc6, 0x77, 0x00, 0xe7, 0xf5, 0xfc, 0xe4, 0xfb, 0x40, 0x6f, 0x46,
-	0x32, 0xc4, 0x93, 0x65, 0x28, 0xd9, 0x2a, 0xc1, 0xf9, 0xec, 0x59, 0x66, 0x37, 0x5a, 0x7e, 0x8f,
-	0xe1, 0x34, 0x13, 0xd4, 0x8f, 0xaa, 0x45, 0xf5, 0xe6, 0x2f, 0x8f, 0x6d, 0x41, 0xaf, 0xcb, 0x9a,
-	0x4b, 0x15, 0xa7, 0x1f, 0x49, 0xae, 0x9d, 0x48, 0x34, 0xbe, 0x15, 0xa1, 0xd6, 0x19, 0xe2, 0xb0,
-	0x22, 0x15, 0xb6, 0x68, 0x87, 0x3a, 0x82, 0x87, 0xe9, 0x56, 0xdd, 0x98, 0x20, 0x24, 0xbc, 0xa1,
-	0xf1, 0x92, 0xdd, 0x5a, 0x48, 0x1d, 0x2b, 0xfa, 0x27, 0xfb, 0x90, 0x01, 0x7a, 0x05, 0xcb, 0x82,
-	0x77, 0xe4, 0x8e, 0x33, 0x1e, 0x64, 0x1d, 0x19, 0xba, 0x9f, 0xdc, 0x2e, 0x19, 0xcd, 0xcb, 0x1c,
-	0x66, 0x5d, 0x48, 0x85, 0xcb, 0xc3, 0xbb, 0xc8, 0xd6, 0x75, 0x6a, 0x77, 0xe0, 0xf9, 0x91, 0x7a,
-	0x8e, 0x59, 0xa3, 0x05, 0x7d, 0x8d, 0x66, 0xb5, 0xb5, 0xb0, 0x6e, 0x6f, 0x1f, 0x18, 0x85, 0x9d,
-	0x03, 0xa3, 0xb0, 0x7b, 0x60, 0x14, 0x3e, 0x0e, 0x0c, 0xb0, 0x3d, 0x30, 0xc0, 0xce, 0xc0, 0x00,
-	0xbb, 0x03, 0x03, 0xfc, 0x1e, 0x18, 0xe0, 0xeb, 0x1f, 0xa3, 0xf0, 0x7a, 0x71, 0xcc, 0x1f, 0xff,
-	0xbf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x7c, 0x67, 0x22, 0x03, 0x12, 0x06, 0x00, 0x00,
-}
+func (m *Scheduling) Reset() { *m = Scheduling{} }
 
 func (m *Overhead) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -243,7 +68,7 @@ func (m *Overhead) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.PodFixed {
 			keysForPodFixed = append(keysForPodFixed, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+		sort.Strings(keysForPodFixed)
 		for iNdEx := len(keysForPodFixed) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.PodFixed[k8s_io_api_core_v1.ResourceName(keysForPodFixed[iNdEx])]
 			baseI := i
@@ -418,7 +243,7 @@ func (m *Scheduling) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -544,7 +369,7 @@ func (this *Overhead) String() string {
 	for k := range this.PodFixed {
 		keysForPodFixed = append(keysForPodFixed, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForPodFixed)
+	sort.Strings(keysForPodFixed)
 	mapStringForPodFixed := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForPodFixed {
 		mapStringForPodFixed += fmt.Sprintf("%v: %v,", k, this.PodFixed[k8s_io_api_core_v1.ResourceName(k)])
@@ -598,7 +423,7 @@ func (this *Scheduling) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
diff --git a/staging/src/k8s.io/api/node/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/node/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..dfe8e29d95492
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*Overhead) ProtoMessage() {}
+
+func (*RuntimeClass) ProtoMessage() {}
+
+func (*RuntimeClassList) ProtoMessage() {}
+
+func (*Scheduling) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/node/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/node/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..06d7c803e5378
--- /dev/null
+++ b/staging/src/k8s.io/api/node/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Overhead) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1beta1.Overhead"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClass) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1beta1.RuntimeClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeClassList) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1beta1.RuntimeClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scheduling) OpenAPIModelName() string {
+	return "io.k8s.api.node.v1beta1.Scheduling"
+}
diff --git a/staging/src/k8s.io/api/openapi_models_test.go b/staging/src/k8s.io/api/openapi_models_test.go
new file mode 100644
index 0000000000000..aeeae938927ce
--- /dev/null
+++ b/staging/src/k8s.io/api/openapi_models_test.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func TestOpenAPIDefinitionNames(t *testing.T) {
+	scheme := runtime.NewScheme()
+	for _, builder := range groups {
+		if err := builder.AddToScheme(scheme); err != nil {
+			t.Fatalf("unexpected error adding to scheme: %v", err)
+		}
+	}
+
+	kinds := scheme.AllKnownTypes()
+	for gvk := range kinds {
+		if gvk.Version == runtime.APIVersionInternal {
+			continue
+		}
+		t.Run(gvk.String(), func(t *testing.T) {
+			example, err := scheme.New(gvk)
+			if err != nil {
+				t.Fatalf("unexpected error creating example: %v", err)
+			}
+
+			namer, ok := example.(OpenAPIModelNamer)
+			if !ok {
+				t.Fatalf("type %v does not implement OpenAPICanonicalTypeName\n", gvk)
+			}
+			lookupName := namer.OpenAPIModelName()
+
+			rtype := reflect.TypeOf(example).Elem()
+			reflectName := ToRESTFriendlyName(rtype.PkgPath() + "." + rtype.Name())
+
+			if lookupName != reflectName {
+				t.Errorf("expected %v, got %v", reflectName, lookupName)
+			}
+		})
+	}
+}
+
+type OpenAPIModelNamer interface {
+	OpenAPIModelName() string
+}
+
+func ToRESTFriendlyName(name string) string {
+	nameParts := strings.Split(name, "/")
+	// Reverse first part. e.g., io.k8s... instead of k8s.io...
+	if len(nameParts) > 0 && strings.Contains(nameParts[0], ".") {
+		parts := strings.Split(nameParts[0], ".")
+		for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
+			parts[i], parts[j] = parts[j], parts[i]
+		}
+		nameParts[0] = strings.Join(parts, ".")
+	}
+	return strings.Join(nameParts, ".")
+}
diff --git a/staging/src/k8s.io/api/policy/v1/doc.go b/staging/src/k8s.io/api/policy/v1/doc.go
index ff47e7fd49233..9b5314bc0bdcd 100644
--- a/staging/src/k8s.io/api/policy/v1/doc.go
+++ b/staging/src/k8s.io/api/policy/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.policy.v1
 
 // Package policy is for any kind of policy object.  Suitable examples, even if
 // they aren't all here, are PodDisruptionBudget,
diff --git a/staging/src/k8s.io/api/policy/v1/generated.pb.go b/staging/src/k8s.io/api/policy/v1/generated.pb.go
index dd61b7266c47d..1d3e0e339e07d 100644
--- a/staging/src/k8s.io/api/policy/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/policy/v1/generated.pb.go
@@ -23,12 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -36,226 +34,15 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Eviction) Reset() { *m = Eviction{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *PodDisruptionBudget) Reset() { *m = PodDisruptionBudget{} }
 
-func (m *Eviction) Reset()      { *m = Eviction{} }
-func (*Eviction) ProtoMessage() {}
-func (*Eviction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_204bc6fa48ff56f7, []int{0}
-}
-func (m *Eviction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Eviction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Eviction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Eviction.Merge(m, src)
-}
-func (m *Eviction) XXX_Size() int {
-	return m.Size()
-}
-func (m *Eviction) XXX_DiscardUnknown() {
-	xxx_messageInfo_Eviction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Eviction proto.InternalMessageInfo
-
-func (m *PodDisruptionBudget) Reset()      { *m = PodDisruptionBudget{} }
-func (*PodDisruptionBudget) ProtoMessage() {}
-func (*PodDisruptionBudget) Descriptor() ([]byte, []int) {
-	return fileDescriptor_204bc6fa48ff56f7, []int{1}
-}
-func (m *PodDisruptionBudget) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudget) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudget) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudget.Merge(m, src)
-}
-func (m *PodDisruptionBudget) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudget) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudget.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudget proto.InternalMessageInfo
-
-func (m *PodDisruptionBudgetList) Reset()      { *m = PodDisruptionBudgetList{} }
-func (*PodDisruptionBudgetList) ProtoMessage() {}
-func (*PodDisruptionBudgetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_204bc6fa48ff56f7, []int{2}
-}
-func (m *PodDisruptionBudgetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetList.Merge(m, src)
-}
-func (m *PodDisruptionBudgetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetList.DiscardUnknown(m)
-}
+func (m *PodDisruptionBudgetList) Reset() { *m = PodDisruptionBudgetList{} }
 
-var xxx_messageInfo_PodDisruptionBudgetList proto.InternalMessageInfo
+func (m *PodDisruptionBudgetSpec) Reset() { *m = PodDisruptionBudgetSpec{} }
 
-func (m *PodDisruptionBudgetSpec) Reset()      { *m = PodDisruptionBudgetSpec{} }
-func (*PodDisruptionBudgetSpec) ProtoMessage() {}
-func (*PodDisruptionBudgetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_204bc6fa48ff56f7, []int{3}
-}
-func (m *PodDisruptionBudgetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetSpec.Merge(m, src)
-}
-func (m *PodDisruptionBudgetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudgetSpec proto.InternalMessageInfo
-
-func (m *PodDisruptionBudgetStatus) Reset()      { *m = PodDisruptionBudgetStatus{} }
-func (*PodDisruptionBudgetStatus) ProtoMessage() {}
-func (*PodDisruptionBudgetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_204bc6fa48ff56f7, []int{4}
-}
-func (m *PodDisruptionBudgetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetStatus.Merge(m, src)
-}
-func (m *PodDisruptionBudgetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudgetStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Eviction)(nil), "k8s.io.api.policy.v1.Eviction")
-	proto.RegisterType((*PodDisruptionBudget)(nil), "k8s.io.api.policy.v1.PodDisruptionBudget")
-	proto.RegisterType((*PodDisruptionBudgetList)(nil), "k8s.io.api.policy.v1.PodDisruptionBudgetList")
-	proto.RegisterType((*PodDisruptionBudgetSpec)(nil), "k8s.io.api.policy.v1.PodDisruptionBudgetSpec")
-	proto.RegisterType((*PodDisruptionBudgetStatus)(nil), "k8s.io.api.policy.v1.PodDisruptionBudgetStatus")
-	proto.RegisterMapType((map[string]v1.Time)(nil), "k8s.io.api.policy.v1.PodDisruptionBudgetStatus.DisruptedPodsEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/policy/v1/generated.proto", fileDescriptor_204bc6fa48ff56f7)
-}
-
-var fileDescriptor_204bc6fa48ff56f7 = []byte{
-	// 840 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x96, 0x4d, 0x8f, 0xdb, 0x44,
-	0x18, 0xc7, 0xe3, 0xcd, 0x66, 0xd9, 0x4e, 0x93, 0x68, 0x19, 0x16, 0x58, 0x72, 0x70, 0xaa, 0x88,
-	0xc3, 0x82, 0xd4, 0x31, 0xdb, 0x22, 0xb4, 0xea, 0x01, 0xb5, 0x6e, 0x56, 0x50, 0xd4, 0x25, 0xab,
-	0xd9, 0x56, 0x48, 0x08, 0x24, 0x26, 0xf6, 0xd3, 0x64, 0x58, 0xdb, 0x63, 0x79, 0xc6, 0xa1, 0x39,
-	0xd1, 0x8f, 0xc0, 0x57, 0xe0, 0xa3, 0x70, 0x62, 0x8f, 0xe5, 0x56, 0x71, 0x88, 0x58, 0xf3, 0x2d,
-	0x38, 0x21, 0x8f, 0x9d, 0x17, 0x27, 0x0e, 0xcd, 0x72, 0xe8, 0xcd, 0xf3, 0xcc, 0xf3, 0xff, 0x3d,
-	0xf3, 0xbc, 0xcc, 0x24, 0xe8, 0xc3, 0x8b, 0x63, 0x49, 0xb8, 0xb0, 0x58, 0xc8, 0xad, 0x50, 0x78,
-	0xdc, 0x19, 0x5b, 0xa3, 0x23, 0x6b, 0x00, 0x01, 0x44, 0x4c, 0x81, 0x4b, 0xc2, 0x48, 0x28, 0x81,
-	0xf7, 0x33, 0x2f, 0xc2, 0x42, 0x4e, 0x32, 0x2f, 0x32, 0x3a, 0x6a, 0xdd, 0x1e, 0x70, 0x35, 0x8c,
-	0xfb, 0xc4, 0x11, 0xbe, 0x35, 0x10, 0x03, 0x61, 0x69, 0xe7, 0x7e, 0xfc, 0x4c, 0xaf, 0xf4, 0x42,
-	0x7f, 0x65, 0x90, 0xd6, 0xa7, 0xf3, 0x50, 0x3e, 0x73, 0x86, 0x3c, 0x80, 0x68, 0x6c, 0x85, 0x17,
-	0x83, 0xd4, 0x20, 0x2d, 0x1f, 0x14, 0x2b, 0x09, 0xdd, 0xb2, 0xd6, 0xa9, 0xa2, 0x38, 0x50, 0xdc,
-	0x87, 0x15, 0xc1, 0x67, 0xaf, 0x13, 0x48, 0x67, 0x08, 0x3e, 0x5b, 0xd1, 0xdd, 0x5d, 0xa7, 0x8b,
-	0x15, 0xf7, 0x2c, 0x1e, 0x28, 0xa9, 0xa2, 0x65, 0x51, 0xe7, 0x4f, 0x03, 0xed, 0x9e, 0x8c, 0xb8,
-	0xa3, 0xb8, 0x08, 0xf0, 0x0f, 0x68, 0x37, 0xcd, 0xc2, 0x65, 0x8a, 0x1d, 0x18, 0xb7, 0x8c, 0xc3,
-	0x9b, 0x77, 0x3e, 0x21, 0xf3, 0xc2, 0xcd, 0xa0, 0x24, 0xbc, 0x18, 0xa4, 0x06, 0x49, 0x52, 0x6f,
-	0x32, 0x3a, 0x22, 0xbd, 0xfe, 0x8f, 0xe0, 0xa8, 0x53, 0x50, 0xcc, 0xc6, 0x97, 0x93, 0x76, 0x25,
-	0x99, 0xb4, 0xd1, 0xdc, 0x46, 0x67, 0x54, 0xec, 0xa1, 0x86, 0x0b, 0x1e, 0x28, 0xe8, 0x85, 0x69,
-	0x44, 0x79, 0xb0, 0xa5, 0xc3, 0xdc, 0xdd, 0x2c, 0x4c, 0x77, 0x51, 0x6a, 0xbf, 0x9d, 0x4c, 0xda,
-	0x8d, 0x82, 0x89, 0x16, 0xe1, 0x9d, 0x5f, 0xb7, 0xd0, 0x3b, 0x67, 0xc2, 0xed, 0x72, 0x19, 0xc5,
-	0xda, 0x64, 0xc7, 0xee, 0x00, 0xd4, 0x1b, 0xc8, 0xb3, 0x87, 0xb6, 0x65, 0x08, 0x4e, 0x9e, 0xde,
-	0x6d, 0x52, 0x36, 0x7e, 0xa4, 0xe4, 0x68, 0xe7, 0x21, 0x38, 0x76, 0x3d, 0x47, 0x6f, 0xa7, 0x2b,
-	0xaa, 0x41, 0xf8, 0x1b, 0xb4, 0x23, 0x15, 0x53, 0xb1, 0x3c, 0xa8, 0x6a, 0xa4, 0xb5, 0x39, 0x52,
-	0xcb, 0xec, 0x66, 0x0e, 0xdd, 0xc9, 0xd6, 0x34, 0xc7, 0x75, 0x7e, 0x37, 0xd0, 0xfb, 0x25, 0xaa,
-	0xc7, 0x5c, 0x2a, 0xfc, 0xdd, 0x4a, 0x9d, 0xc8, 0x66, 0x75, 0x4a, 0xd5, 0xba, 0x4a, 0x7b, 0x79,
-	0xd4, 0xdd, 0xa9, 0x65, 0xa1, 0x46, 0x5f, 0xa3, 0x1a, 0x57, 0xe0, 0xa7, 0x33, 0x50, 0x3d, 0xbc,
-	0x79, 0xe7, 0xa3, 0x8d, 0x33, 0xb2, 0x1b, 0x39, 0xb5, 0xf6, 0x28, 0xd5, 0xd3, 0x0c, 0xd3, 0xf9,
-	0xa3, 0x5a, 0x9a, 0x49, 0x5a, 0x44, 0xfc, 0x0c, 0xd5, 0x7d, 0x1e, 0x3c, 0x18, 0x31, 0xee, 0xb1,
-	0xbe, 0x07, 0xaf, 0xed, 0x7a, 0x7a, 0x65, 0x48, 0x76, 0x65, 0xc8, 0xa3, 0x40, 0xf5, 0xa2, 0x73,
-	0x15, 0xf1, 0x60, 0x60, 0xef, 0x25, 0x93, 0x76, 0xfd, 0x74, 0x81, 0x44, 0x0b, 0x5c, 0xfc, 0x3d,
-	0xda, 0x95, 0xe0, 0x81, 0xa3, 0x44, 0x74, 0xbd, 0xd1, 0x7e, 0xcc, 0xfa, 0xe0, 0x9d, 0xe7, 0x52,
-	0xbb, 0x9e, 0x96, 0x6c, 0xba, 0xa2, 0x33, 0x24, 0xf6, 0x50, 0xd3, 0x67, 0xcf, 0x9f, 0x06, 0x6c,
-	0x96, 0x48, 0xf5, 0x7f, 0x26, 0x82, 0x93, 0x49, 0xbb, 0x79, 0x5a, 0x60, 0xd1, 0x25, 0x36, 0x7e,
-	0x61, 0xa0, 0x56, 0x1c, 0x0c, 0x81, 0x79, 0x6a, 0x38, 0x3e, 0x13, 0xee, 0xf4, 0x9d, 0x38, 0xd3,
-	0xcd, 0x39, 0xd8, 0xbe, 0x65, 0x1c, 0xde, 0xb0, 0xef, 0x27, 0x93, 0x76, 0xeb, 0xe9, 0x5a, 0xaf,
-	0x7f, 0x26, 0x6d, 0x73, 0xfd, 0xee, 0x93, 0x71, 0x08, 0xf4, 0x3f, 0x62, 0x74, 0x7e, 0xab, 0xa1,
-	0x0f, 0xd6, 0xce, 0x34, 0xfe, 0x0a, 0x61, 0xd1, 0x97, 0x10, 0x8d, 0xc0, 0xfd, 0x22, 0x7b, 0xd7,
-	0xb8, 0x08, 0x74, 0x6f, 0xab, 0x76, 0x2b, 0x9f, 0x11, 0xdc, 0x5b, 0xf1, 0xa0, 0x25, 0x2a, 0xfc,
-	0x33, 0x6a, 0xb8, 0x59, 0x14, 0x70, 0xcf, 0x84, 0x3b, 0x9d, 0x4a, 0xfb, 0x9a, 0xf7, 0x8c, 0x74,
-	0x17, 0x21, 0x27, 0x81, 0x8a, 0xc6, 0xf6, 0xbb, 0xf9, 0x51, 0x1a, 0x85, 0x3d, 0x5a, 0x8c, 0x97,
-	0x26, 0xe3, 0xce, 0x90, 0xf2, 0x81, 0xe7, 0x89, 0x9f, 0xc0, 0xd5, 0xfd, 0xad, 0xcd, 0x93, 0xe9,
-	0xae, 0x78, 0xd0, 0x12, 0x15, 0xfe, 0x1c, 0x35, 0x9d, 0x38, 0x8a, 0x20, 0x50, 0x5f, 0x66, 0x95,
-	0xd5, 0xcd, 0xaa, 0xd9, 0xef, 0xe5, 0x9c, 0xe6, 0xc3, 0xc2, 0x2e, 0x5d, 0xf2, 0x4e, 0xf5, 0x2e,
-	0x48, 0x1e, 0x81, 0x3b, 0xd5, 0xd7, 0x8a, 0xfa, 0x6e, 0x61, 0x97, 0x2e, 0x79, 0xe3, 0x63, 0x54,
-	0x87, 0xe7, 0x21, 0x38, 0xd3, 0x5a, 0xee, 0x68, 0xf5, 0x7e, 0xae, 0xae, 0x9f, 0x2c, 0xec, 0xd1,
-	0x82, 0x27, 0x76, 0x10, 0x72, 0x44, 0xe0, 0xf2, 0xec, 0xd7, 0xe1, 0x2d, 0xdd, 0x03, 0x6b, 0xb3,
-	0x2b, 0xf4, 0x70, 0xaa, 0x9b, 0xbf, 0xcd, 0x33, 0x93, 0xa4, 0x0b, 0xd8, 0x96, 0x87, 0xf0, 0x6a,
-	0x9b, 0xf0, 0x1e, 0xaa, 0x5e, 0xc0, 0x58, 0x8f, 0xcf, 0x0d, 0x9a, 0x7e, 0xe2, 0xfb, 0xa8, 0x36,
-	0x62, 0x5e, 0x0c, 0xf9, 0x55, 0xfe, 0x78, 0xb3, 0x73, 0x3c, 0xe1, 0x3e, 0xd0, 0x4c, 0x78, 0x6f,
-	0xeb, 0xd8, 0xb0, 0xef, 0x5d, 0x5e, 0x99, 0x95, 0x97, 0x57, 0x66, 0xe5, 0xd5, 0x95, 0x59, 0x79,
-	0x91, 0x98, 0xc6, 0x65, 0x62, 0x1a, 0x2f, 0x13, 0xd3, 0x78, 0x95, 0x98, 0xc6, 0x5f, 0x89, 0x69,
-	0xfc, 0xf2, 0xb7, 0x59, 0xf9, 0x76, 0xbf, 0xec, 0x7f, 0xcc, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff,
-	0x0f, 0x42, 0xd2, 0x33, 0xde, 0x08, 0x00, 0x00,
-}
+func (m *PodDisruptionBudgetStatus) Reset() { *m = PodDisruptionBudgetStatus{} }
 
 func (m *Eviction) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -519,7 +306,7 @@ func (m *PodDisruptionBudgetStatus) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		for k := range m.DisruptedPods {
 			keysForDisruptedPods = append(keysForDisruptedPods, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+		sort.Strings(keysForDisruptedPods)
 		for iNdEx := len(keysForDisruptedPods) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.DisruptedPods[string(keysForDisruptedPods[iNdEx])]
 			baseI := i
@@ -732,7 +519,7 @@ func (this *PodDisruptionBudgetStatus) String() string {
 	for k := range this.DisruptedPods {
 		keysForDisruptedPods = append(keysForDisruptedPods, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+	sort.Strings(keysForDisruptedPods)
 	mapStringForDisruptedPods := "map[string]v1.Time{"
 	for _, k := range keysForDisruptedPods {
 		mapStringForDisruptedPods += fmt.Sprintf("%v: %v,", k, this.DisruptedPods[k])
diff --git a/staging/src/k8s.io/api/policy/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/policy/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..2ede21763990b
--- /dev/null
+++ b/staging/src/k8s.io/api/policy/v1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Eviction) ProtoMessage() {}
+
+func (*PodDisruptionBudget) ProtoMessage() {}
+
+func (*PodDisruptionBudgetList) ProtoMessage() {}
+
+func (*PodDisruptionBudgetSpec) ProtoMessage() {}
+
+func (*PodDisruptionBudgetStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/policy/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/policy/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..238348e58fb3c
--- /dev/null
+++ b/staging/src/k8s.io/api/policy/v1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Eviction) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1.Eviction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudget) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1.PodDisruptionBudget"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetList) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1.PodDisruptionBudgetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1.PodDisruptionBudgetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1.PodDisruptionBudgetStatus"
+}
diff --git a/staging/src/k8s.io/api/policy/v1beta1/doc.go b/staging/src/k8s.io/api/policy/v1beta1/doc.go
index 777106c6002e2..3888e9216f8a1 100644
--- a/staging/src/k8s.io/api/policy/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/policy/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.policy.v1beta1
 
 // Package policy is for any kind of policy object.  Suitable examples, even if
 // they aren't all here, are PodDisruptionBudget,
diff --git a/staging/src/k8s.io/api/policy/v1beta1/generated.pb.go b/staging/src/k8s.io/api/policy/v1beta1/generated.pb.go
index c3845e994e501..84979dc3f4b40 100644
--- a/staging/src/k8s.io/api/policy/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/policy/v1beta1/generated.pb.go
@@ -23,12 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -36,226 +34,15 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Eviction) Reset() { *m = Eviction{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *PodDisruptionBudget) Reset() { *m = PodDisruptionBudget{} }
 
-func (m *Eviction) Reset()      { *m = Eviction{} }
-func (*Eviction) ProtoMessage() {}
-func (*Eviction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_68b366237812cc96, []int{0}
-}
-func (m *Eviction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Eviction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Eviction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Eviction.Merge(m, src)
-}
-func (m *Eviction) XXX_Size() int {
-	return m.Size()
-}
-func (m *Eviction) XXX_DiscardUnknown() {
-	xxx_messageInfo_Eviction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Eviction proto.InternalMessageInfo
-
-func (m *PodDisruptionBudget) Reset()      { *m = PodDisruptionBudget{} }
-func (*PodDisruptionBudget) ProtoMessage() {}
-func (*PodDisruptionBudget) Descriptor() ([]byte, []int) {
-	return fileDescriptor_68b366237812cc96, []int{1}
-}
-func (m *PodDisruptionBudget) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudget) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudget) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudget.Merge(m, src)
-}
-func (m *PodDisruptionBudget) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudget) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudget.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudget proto.InternalMessageInfo
-
-func (m *PodDisruptionBudgetList) Reset()      { *m = PodDisruptionBudgetList{} }
-func (*PodDisruptionBudgetList) ProtoMessage() {}
-func (*PodDisruptionBudgetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_68b366237812cc96, []int{2}
-}
-func (m *PodDisruptionBudgetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetList.Merge(m, src)
-}
-func (m *PodDisruptionBudgetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetList.DiscardUnknown(m)
-}
+func (m *PodDisruptionBudgetList) Reset() { *m = PodDisruptionBudgetList{} }
 
-var xxx_messageInfo_PodDisruptionBudgetList proto.InternalMessageInfo
+func (m *PodDisruptionBudgetSpec) Reset() { *m = PodDisruptionBudgetSpec{} }
 
-func (m *PodDisruptionBudgetSpec) Reset()      { *m = PodDisruptionBudgetSpec{} }
-func (*PodDisruptionBudgetSpec) ProtoMessage() {}
-func (*PodDisruptionBudgetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_68b366237812cc96, []int{3}
-}
-func (m *PodDisruptionBudgetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetSpec.Merge(m, src)
-}
-func (m *PodDisruptionBudgetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudgetSpec proto.InternalMessageInfo
-
-func (m *PodDisruptionBudgetStatus) Reset()      { *m = PodDisruptionBudgetStatus{} }
-func (*PodDisruptionBudgetStatus) ProtoMessage() {}
-func (*PodDisruptionBudgetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_68b366237812cc96, []int{4}
-}
-func (m *PodDisruptionBudgetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodDisruptionBudgetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodDisruptionBudgetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodDisruptionBudgetStatus.Merge(m, src)
-}
-func (m *PodDisruptionBudgetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodDisruptionBudgetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodDisruptionBudgetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodDisruptionBudgetStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Eviction)(nil), "k8s.io.api.policy.v1beta1.Eviction")
-	proto.RegisterType((*PodDisruptionBudget)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudget")
-	proto.RegisterType((*PodDisruptionBudgetList)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetList")
-	proto.RegisterType((*PodDisruptionBudgetSpec)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetSpec")
-	proto.RegisterType((*PodDisruptionBudgetStatus)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetStatus")
-	proto.RegisterMapType((map[string]v1.Time)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetStatus.DisruptedPodsEntry")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/policy/v1beta1/generated.proto", fileDescriptor_68b366237812cc96)
-}
-
-var fileDescriptor_68b366237812cc96 = []byte{
-	// 843 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x96, 0x4d, 0x8f, 0xdb, 0x44,
-	0x18, 0xc7, 0xe3, 0xcd, 0x66, 0xd9, 0x0e, 0x49, 0xb4, 0x0c, 0x6f, 0xbb, 0x39, 0x38, 0x55, 0x4e,
-	0x05, 0x89, 0x31, 0xdb, 0x56, 0x68, 0xc5, 0x01, 0x5a, 0x37, 0xab, 0x52, 0xd4, 0xd5, 0xae, 0x26,
-	0xdb, 0x0b, 0x2a, 0x12, 0x13, 0xfb, 0xa9, 0x33, 0xc4, 0xf6, 0x58, 0x9e, 0x71, 0x68, 0x6e, 0x3d,
-	0xf0, 0x01, 0xf8, 0x1e, 0x7c, 0x10, 0xf6, 0xc0, 0xa1, 0xdc, 0x2a, 0x0e, 0x11, 0x6b, 0xbe, 0x05,
-	0x27, 0xe4, 0xb1, 0xf3, 0xe2, 0xbc, 0xd0, 0xb4, 0x07, 0x6e, 0x9e, 0x67, 0x9e, 0xff, 0xef, 0x99,
-	0xe7, 0x65, 0x26, 0x41, 0x9f, 0x0c, 0x4f, 0x24, 0xe1, 0xc2, 0x62, 0x11, 0xb7, 0x22, 0xe1, 0x73,
-	0x67, 0x6c, 0x8d, 0x8e, 0xfb, 0xa0, 0xd8, 0xb1, 0xe5, 0x41, 0x08, 0x31, 0x53, 0xe0, 0x92, 0x28,
-	0x16, 0x4a, 0xe0, 0xa3, 0xdc, 0x95, 0xb0, 0x88, 0x93, 0xdc, 0x95, 0x14, 0xae, 0xad, 0xcf, 0x3c,
-	0xae, 0x06, 0x49, 0x9f, 0x38, 0x22, 0xb0, 0x3c, 0xe1, 0x09, 0x4b, 0x2b, 0xfa, 0xc9, 0x33, 0xbd,
-	0xd2, 0x0b, 0xfd, 0x95, 0x93, 0x5a, 0x77, 0xe7, 0x41, 0x03, 0xe6, 0x0c, 0x78, 0x08, 0xf1, 0xd8,
-	0x8a, 0x86, 0x5e, 0x66, 0x90, 0x56, 0x00, 0x8a, 0x59, 0xa3, 0x95, 0xf8, 0x2d, 0x6b, 0x93, 0x2a,
-	0x4e, 0x42, 0xc5, 0x03, 0x58, 0x11, 0x7c, 0xf1, 0x3a, 0x81, 0x74, 0x06, 0x10, 0xb0, 0x15, 0xdd,
-	0x9d, 0x4d, 0xba, 0x44, 0x71, 0xdf, 0xe2, 0xa1, 0x92, 0x2a, 0x5e, 0x16, 0x75, 0xfe, 0x34, 0xd0,
-	0xfe, 0xe9, 0x88, 0x3b, 0x8a, 0x8b, 0x10, 0xff, 0x80, 0xf6, 0xb3, 0x2c, 0x5c, 0xa6, 0xd8, 0xa1,
-	0x71, 0xd3, 0xb8, 0xf5, 0xee, 0xed, 0xcf, 0xc9, 0xbc, 0x7a, 0x33, 0x28, 0x89, 0x86, 0x5e, 0x66,
-	0x90, 0x24, 0xf3, 0x26, 0xa3, 0x63, 0x72, 0xde, 0xff, 0x11, 0x1c, 0x75, 0x06, 0x8a, 0xd9, 0xf8,
-	0x6a, 0xd2, 0xae, 0xa4, 0x93, 0x36, 0x9a, 0xdb, 0xe8, 0x8c, 0x8a, 0x7d, 0xd4, 0x70, 0xc1, 0x07,
-	0x05, 0xe7, 0x51, 0x16, 0x51, 0x1e, 0xee, 0xe8, 0x30, 0x77, 0xb6, 0x0b, 0xd3, 0x5d, 0x94, 0xda,
-	0xef, 0xa5, 0x93, 0x76, 0xa3, 0x64, 0xa2, 0x65, 0x78, 0xe7, 0xd7, 0x1d, 0xf4, 0xfe, 0x85, 0x70,
-	0xbb, 0x5c, 0xc6, 0x89, 0x36, 0xd9, 0x89, 0xeb, 0x81, 0xfa, 0x1f, 0xf2, 0xbc, 0x44, 0xbb, 0x32,
-	0x02, 0xa7, 0x48, 0xef, 0x36, 0xd9, 0x38, 0x83, 0x64, 0xcd, 0xf9, 0x7a, 0x11, 0x38, 0x76, 0xbd,
-	0xe0, 0xef, 0x66, 0x2b, 0xaa, 0x69, 0xf8, 0x29, 0xda, 0x93, 0x8a, 0xa9, 0x44, 0x1e, 0x56, 0x35,
-	0xf7, 0xee, 0x1b, 0x72, 0xb5, 0xd6, 0x6e, 0x16, 0xe4, 0xbd, 0x7c, 0x4d, 0x0b, 0x66, 0xe7, 0x77,
-	0x03, 0x7d, 0xbc, 0x46, 0xf5, 0x98, 0x4b, 0x85, 0x9f, 0xae, 0x54, 0x8c, 0x6c, 0x57, 0xb1, 0x4c,
-	0xad, 0xeb, 0x75, 0x50, 0x44, 0xdd, 0x9f, 0x5a, 0x16, 0xaa, 0xd5, 0x43, 0x35, 0xae, 0x20, 0xc8,
-	0xa6, 0xa1, 0xba, 0x84, 0xde, 0x22, 0x2d, 0xbb, 0x51, 0xa0, 0x6b, 0x8f, 0x32, 0x08, 0xcd, 0x59,
-	0x9d, 0x3f, 0xaa, 0x6b, 0xd3, 0xc9, 0xca, 0x89, 0x9f, 0xa1, 0x7a, 0xc0, 0xc3, 0xfb, 0x23, 0xc6,
-	0x7d, 0xd6, 0xf7, 0xe1, 0xb5, 0x43, 0x90, 0xdd, 0x20, 0x92, 0xdf, 0x20, 0xf2, 0x28, 0x54, 0xe7,
-	0x71, 0x4f, 0xc5, 0x3c, 0xf4, 0xec, 0x83, 0x74, 0xd2, 0xae, 0x9f, 0x2d, 0x90, 0x68, 0x89, 0x8b,
-	0xbf, 0x47, 0xfb, 0x12, 0x7c, 0x70, 0x94, 0x88, 0xdf, 0x6c, 0xd2, 0x1f, 0xb3, 0x3e, 0xf8, 0xbd,
-	0x42, 0x6a, 0xd7, 0xb3, 0xba, 0x4d, 0x57, 0x74, 0x86, 0xc4, 0x3e, 0x6a, 0x06, 0xec, 0xf9, 0x93,
-	0x90, 0xcd, 0x12, 0xa9, 0xbe, 0x65, 0x22, 0x38, 0x9d, 0xb4, 0x9b, 0x67, 0x25, 0x16, 0x5d, 0x62,
-	0xe3, 0x17, 0x06, 0x6a, 0x25, 0xe1, 0x00, 0x98, 0xaf, 0x06, 0xe3, 0x0b, 0xe1, 0x4e, 0x9f, 0x8d,
-	0x0b, 0xdd, 0xa1, 0xc3, 0xdd, 0x9b, 0xc6, 0xad, 0x1b, 0xf6, 0xbd, 0x74, 0xd2, 0x6e, 0x3d, 0xd9,
-	0xe8, 0xf5, 0xcf, 0xa4, 0x6d, 0x6e, 0xde, 0xbd, 0x1c, 0x47, 0x40, 0xff, 0x23, 0x46, 0xe7, 0xb7,
-	0x1a, 0x3a, 0xda, 0x38, 0xd8, 0xf8, 0x5b, 0x84, 0x45, 0x5f, 0x42, 0x3c, 0x02, 0xf7, 0x61, 0xfe,
-	0xcc, 0x71, 0x11, 0xea, 0xde, 0x56, 0xed, 0x56, 0x31, 0x23, 0xf8, 0x7c, 0xc5, 0x83, 0xae, 0x51,
-	0xe1, 0x9f, 0x0d, 0xd4, 0x70, 0xf3, 0x30, 0xe0, 0x5e, 0x08, 0x77, 0x3a, 0x9b, 0x0f, 0xdf, 0xe6,
-	0xca, 0x91, 0xee, 0x22, 0xe9, 0x34, 0x54, 0xf1, 0xd8, 0xfe, 0xb0, 0x38, 0x50, 0xa3, 0xb4, 0x47,
-	0xcb, 0x41, 0xb3, 0x94, 0xdc, 0x19, 0x52, 0xde, 0xf7, 0x7d, 0xf1, 0x13, 0xb8, 0xba, 0xcb, 0xb5,
-	0x79, 0x4a, 0xdd, 0x15, 0x0f, 0xba, 0x46, 0x85, 0xbf, 0x42, 0x4d, 0x27, 0x89, 0x63, 0x08, 0xd5,
-	0x37, 0x79, 0x7d, 0x75, 0xcb, 0x6a, 0xf6, 0x47, 0x05, 0xa7, 0xf9, 0xa0, 0xb4, 0x4b, 0x97, 0xbc,
-	0x33, 0xbd, 0x0b, 0x92, 0xc7, 0xe0, 0x4e, 0xf5, 0xb5, 0xb2, 0xbe, 0x5b, 0xda, 0xa5, 0x4b, 0xde,
-	0xf8, 0x04, 0xd5, 0xe1, 0x79, 0x04, 0xce, 0xb4, 0xa0, 0x7b, 0x5a, 0xfd, 0x41, 0xa1, 0xae, 0x9f,
-	0x2e, 0xec, 0xd1, 0x92, 0x27, 0x76, 0x10, 0x72, 0x44, 0xe8, 0xf2, 0xfc, 0x27, 0xe3, 0x1d, 0xdd,
-	0x08, 0x6b, 0xbb, 0x8b, 0xf4, 0x60, 0xaa, 0x9b, 0x3f, 0xd8, 0x33, 0x93, 0xa4, 0x0b, 0xd8, 0x96,
-	0x8f, 0xf0, 0x6a, 0x9b, 0xf0, 0x01, 0xaa, 0x0e, 0x61, 0xac, 0x87, 0xe8, 0x06, 0xcd, 0x3e, 0xf1,
-	0x3d, 0x54, 0x1b, 0x31, 0x3f, 0x81, 0xe2, 0x42, 0x7f, 0xba, 0xdd, 0x39, 0x2e, 0x79, 0x00, 0x34,
-	0x17, 0x7e, 0xb9, 0x73, 0x62, 0xd8, 0x5f, 0x5f, 0x5d, 0x9b, 0x95, 0x97, 0xd7, 0x66, 0xe5, 0xd5,
-	0xb5, 0x59, 0x79, 0x91, 0x9a, 0xc6, 0x55, 0x6a, 0x1a, 0x2f, 0x53, 0xd3, 0x78, 0x95, 0x9a, 0xc6,
-	0x5f, 0xa9, 0x69, 0xfc, 0xf2, 0xb7, 0x59, 0xf9, 0xee, 0x68, 0xe3, 0xdf, 0x9c, 0x7f, 0x03, 0x00,
-	0x00, 0xff, 0xff, 0x3c, 0xbe, 0x15, 0xfb, 0x02, 0x09, 0x00, 0x00,
-}
+func (m *PodDisruptionBudgetStatus) Reset() { *m = PodDisruptionBudgetStatus{} }
 
 func (m *Eviction) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -519,7 +306,7 @@ func (m *PodDisruptionBudgetStatus) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		for k := range m.DisruptedPods {
 			keysForDisruptedPods = append(keysForDisruptedPods, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+		sort.Strings(keysForDisruptedPods)
 		for iNdEx := len(keysForDisruptedPods) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.DisruptedPods[string(keysForDisruptedPods[iNdEx])]
 			baseI := i
@@ -732,7 +519,7 @@ func (this *PodDisruptionBudgetStatus) String() string {
 	for k := range this.DisruptedPods {
 		keysForDisruptedPods = append(keysForDisruptedPods, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+	sort.Strings(keysForDisruptedPods)
 	mapStringForDisruptedPods := "map[string]v1.Time{"
 	for _, k := range keysForDisruptedPods {
 		mapStringForDisruptedPods += fmt.Sprintf("%v: %v,", k, this.DisruptedPods[k])
diff --git a/staging/src/k8s.io/api/policy/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/policy/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..01e0847fceab2
--- /dev/null
+++ b/staging/src/k8s.io/api/policy/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*Eviction) ProtoMessage() {}
+
+func (*PodDisruptionBudget) ProtoMessage() {}
+
+func (*PodDisruptionBudgetList) ProtoMessage() {}
+
+func (*PodDisruptionBudgetSpec) ProtoMessage() {}
+
+func (*PodDisruptionBudgetStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/policy/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/policy/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..236493b121aa3
--- /dev/null
+++ b/staging/src/k8s.io/api/policy/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Eviction) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1beta1.Eviction"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudget) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1beta1.PodDisruptionBudget"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetList) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1beta1.PodDisruptionBudgetList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetSpec) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1beta1.PodDisruptionBudgetSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodDisruptionBudgetStatus) OpenAPIModelName() string {
+	return "io.k8s.api.policy.v1beta1.PodDisruptionBudgetStatus"
+}
diff --git a/staging/src/k8s.io/api/rbac/v1/doc.go b/staging/src/k8s.io/api/rbac/v1/doc.go
index 408546274b016..f120f5d3a2308 100644
--- a/staging/src/k8s.io/api/rbac/v1/doc.go
+++ b/staging/src/k8s.io/api/rbac/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.rbac.v1
+
 // +groupName=rbac.authorization.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/rbac/v1/generated.pb.go b/staging/src/k8s.io/api/rbac/v1/generated.pb.go
index 112d18fb0651f..ed31ec959a2ea 100644
--- a/staging/src/k8s.io/api/rbac/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/rbac/v1/generated.pb.go
@@ -24,434 +24,36 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AggregationRule) Reset() { *m = AggregationRule{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ClusterRole) Reset() { *m = ClusterRole{} }
 
-func (m *AggregationRule) Reset()      { *m = AggregationRule{} }
-func (*AggregationRule) ProtoMessage() {}
-func (*AggregationRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{0}
-}
-func (m *AggregationRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AggregationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AggregationRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AggregationRule.Merge(m, src)
-}
-func (m *AggregationRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *AggregationRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_AggregationRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AggregationRule proto.InternalMessageInfo
-
-func (m *ClusterRole) Reset()      { *m = ClusterRole{} }
-func (*ClusterRole) ProtoMessage() {}
-func (*ClusterRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{1}
-}
-func (m *ClusterRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRole.Merge(m, src)
-}
-func (m *ClusterRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRole proto.InternalMessageInfo
-
-func (m *ClusterRoleBinding) Reset()      { *m = ClusterRoleBinding{} }
-func (*ClusterRoleBinding) ProtoMessage() {}
-func (*ClusterRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{2}
-}
-func (m *ClusterRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBinding.Merge(m, src)
-}
-func (m *ClusterRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBinding proto.InternalMessageInfo
-
-func (m *ClusterRoleBindingList) Reset()      { *m = ClusterRoleBindingList{} }
-func (*ClusterRoleBindingList) ProtoMessage() {}
-func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{3}
-}
-func (m *ClusterRoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBindingList.Merge(m, src)
-}
-func (m *ClusterRoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBindingList proto.InternalMessageInfo
-
-func (m *ClusterRoleList) Reset()      { *m = ClusterRoleList{} }
-func (*ClusterRoleList) ProtoMessage() {}
-func (*ClusterRoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{4}
-}
-func (m *ClusterRoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleList.Merge(m, src)
-}
-func (m *ClusterRoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleList proto.InternalMessageInfo
-
-func (m *PolicyRule) Reset()      { *m = PolicyRule{} }
-func (*PolicyRule) ProtoMessage() {}
-func (*PolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{5}
-}
-func (m *PolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRule.Merge(m, src)
-}
-func (m *PolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRule.DiscardUnknown(m)
-}
+func (m *ClusterRoleBinding) Reset() { *m = ClusterRoleBinding{} }
 
-var xxx_messageInfo_PolicyRule proto.InternalMessageInfo
+func (m *ClusterRoleBindingList) Reset() { *m = ClusterRoleBindingList{} }
 
-func (m *Role) Reset()      { *m = Role{} }
-func (*Role) ProtoMessage() {}
-func (*Role) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{6}
-}
-func (m *Role) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Role) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Role) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Role.Merge(m, src)
-}
-func (m *Role) XXX_Size() int {
-	return m.Size()
-}
-func (m *Role) XXX_DiscardUnknown() {
-	xxx_messageInfo_Role.DiscardUnknown(m)
-}
+func (m *ClusterRoleList) Reset() { *m = ClusterRoleList{} }
 
-var xxx_messageInfo_Role proto.InternalMessageInfo
+func (m *PolicyRule) Reset() { *m = PolicyRule{} }
 
-func (m *RoleBinding) Reset()      { *m = RoleBinding{} }
-func (*RoleBinding) ProtoMessage() {}
-func (*RoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{7}
-}
-func (m *RoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBinding.Merge(m, src)
-}
-func (m *RoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBinding.DiscardUnknown(m)
-}
+func (m *Role) Reset() { *m = Role{} }
 
-var xxx_messageInfo_RoleBinding proto.InternalMessageInfo
+func (m *RoleBinding) Reset() { *m = RoleBinding{} }
 
-func (m *RoleBindingList) Reset()      { *m = RoleBindingList{} }
-func (*RoleBindingList) ProtoMessage() {}
-func (*RoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{8}
-}
-func (m *RoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingList.Merge(m, src)
-}
-func (m *RoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingList.DiscardUnknown(m)
-}
+func (m *RoleBindingList) Reset() { *m = RoleBindingList{} }
 
-var xxx_messageInfo_RoleBindingList proto.InternalMessageInfo
+func (m *RoleList) Reset() { *m = RoleList{} }
 
-func (m *RoleList) Reset()      { *m = RoleList{} }
-func (*RoleList) ProtoMessage() {}
-func (*RoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{9}
-}
-func (m *RoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleList.Merge(m, src)
-}
-func (m *RoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleList proto.InternalMessageInfo
+func (m *RoleRef) Reset() { *m = RoleRef{} }
 
-func (m *RoleRef) Reset()      { *m = RoleRef{} }
-func (*RoleRef) ProtoMessage() {}
-func (*RoleRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{10}
-}
-func (m *RoleRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleRef.Merge(m, src)
-}
-func (m *RoleRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleRef.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleRef proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c8ba2e7dd472de66, []int{11}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AggregationRule)(nil), "k8s.io.api.rbac.v1.AggregationRule")
-	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1.ClusterRole")
-	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1.ClusterRoleBinding")
-	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1.ClusterRoleBindingList")
-	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1.ClusterRoleList")
-	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1.PolicyRule")
-	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1.Role")
-	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1.RoleBinding")
-	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1.RoleBindingList")
-	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1.RoleList")
-	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1.RoleRef")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1.Subject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/rbac/v1/generated.proto", fileDescriptor_c8ba2e7dd472de66)
-}
-
-var fileDescriptor_c8ba2e7dd472de66 = []byte{
-	// 790 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x56, 0x4d, 0x6f, 0xd3, 0x4a,
-	0x14, 0xcd, 0xa4, 0x89, 0x1a, 0x4f, 0x5e, 0x94, 0xd7, 0x79, 0xd5, 0x93, 0xd5, 0xf7, 0xe4, 0x54,
-	0x46, 0x42, 0x95, 0x00, 0x9b, 0x16, 0x04, 0xdd, 0x74, 0x51, 0x17, 0x81, 0xaa, 0x96, 0x52, 0x4d,
-	0x05, 0x0b, 0xc4, 0x82, 0x89, 0x33, 0x75, 0x87, 0xf8, 0x4b, 0x1e, 0x3b, 0x52, 0xc5, 0x06, 0x21,
-	0xb1, 0x60, 0xc7, 0x12, 0x7e, 0x01, 0x1b, 0x58, 0xf2, 0x0b, 0xd8, 0x74, 0xd9, 0x65, 0x57, 0x11,
-	0x35, 0x3f, 0x04, 0xe4, 0xaf, 0x38, 0x1f, 0x2e, 0xcd, 0x2a, 0x12, 0x62, 0x95, 0xcc, 0xbd, 0xe7,
-	0x9e, 0x7b, 0xe6, 0xd8, 0xf7, 0x26, 0x50, 0xee, 0xae, 0x73, 0x85, 0x39, 0x2a, 0x71, 0x99, 0xea,
-	0xb5, 0x89, 0xae, 0xf6, 0x56, 0x55, 0x83, 0xda, 0xd4, 0x23, 0x3e, 0xed, 0x28, 0xae, 0xe7, 0xf8,
-	0x0e, 0x42, 0x09, 0x46, 0x21, 0x2e, 0x53, 0x22, 0x8c, 0xd2, 0x5b, 0x5d, 0xba, 0x61, 0x30, 0xff,
-	0x28, 0x68, 0x2b, 0xba, 0x63, 0xa9, 0x86, 0x63, 0x38, 0x6a, 0x0c, 0x6d, 0x07, 0x87, 0xf1, 0x29,
-	0x3e, 0xc4, 0xdf, 0x12, 0x8a, 0xa5, 0xdb, 0x79, 0x1b, 0x8b, 0xe8, 0x47, 0xcc, 0xa6, 0xde, 0xb1,
-	0xea, 0x76, 0x8d, 0x28, 0xc0, 0x55, 0x8b, 0xfa, 0xa4, 0xa0, 0xf1, 0x92, 0x7a, 0x51, 0x95, 0x17,
-	0xd8, 0x3e, 0xb3, 0xe8, 0x44, 0xc1, 0x9d, 0xcb, 0x0a, 0xb8, 0x7e, 0x44, 0x2d, 0x32, 0x5e, 0x27,
-	0x7f, 0x00, 0xb0, 0xb9, 0x69, 0x18, 0x1e, 0x35, 0x88, 0xcf, 0x1c, 0x1b, 0x07, 0x26, 0x45, 0x6f,
-	0x00, 0x5c, 0xd4, 0xcd, 0x80, 0xfb, 0xd4, 0xc3, 0x8e, 0x49, 0x0f, 0xa8, 0x49, 0x75, 0xdf, 0xf1,
-	0xb8, 0x08, 0x96, 0xe7, 0x56, 0xea, 0x6b, 0xb7, 0x94, 0xdc, 0x95, 0x41, 0x2f, 0xc5, 0xed, 0x1a,
-	0x51, 0x80, 0x2b, 0xd1, 0x95, 0x94, 0xde, 0xaa, 0xb2, 0x4b, 0xda, 0xd4, 0xcc, 0x6a, 0xb5, 0xff,
-	0x4f, 0xfa, 0xad, 0x52, 0xd8, 0x6f, 0x2d, 0x6e, 0x15, 0x10, 0xe3, 0xc2, 0x76, 0xf2, 0xfb, 0x32,
-	0xac, 0x0f, 0xc1, 0xd1, 0x73, 0x58, 0x8b, 0xc8, 0x3b, 0xc4, 0x27, 0x22, 0x58, 0x06, 0x2b, 0xf5,
-	0xb5, 0x9b, 0xd3, 0x49, 0x79, 0xd4, 0x7e, 0x41, 0x75, 0xff, 0x21, 0xf5, 0x89, 0x86, 0x52, 0x1d,
-	0x30, 0x8f, 0xe1, 0x01, 0x2b, 0xda, 0x82, 0x55, 0x2f, 0x30, 0x29, 0x17, 0xcb, 0xf1, 0x4d, 0x25,
-	0x65, 0xf2, 0xf9, 0x2b, 0xfb, 0x8e, 0xc9, 0xf4, 0xe3, 0xc8, 0x28, 0xad, 0x91, 0x92, 0x55, 0xa3,
-	0x13, 0xc7, 0x49, 0x2d, 0x6a, 0xc3, 0x26, 0x19, 0x75, 0x54, 0x9c, 0x8b, 0xd5, 0x5e, 0x29, 0xa2,
-	0x1b, 0x33, 0x5f, 0xfb, 0x27, 0xec, 0xb7, 0xc6, 0x9f, 0x08, 0x1e, 0x27, 0x94, 0xdf, 0x96, 0x21,
-	0x1a, 0xb2, 0x46, 0x63, 0x76, 0x87, 0xd9, 0xc6, 0x0c, 0x1c, 0xda, 0x86, 0x35, 0x1e, 0xc4, 0x89,
-	0xcc, 0xa4, 0xff, 0x8a, 0x6e, 0x75, 0x90, 0x60, 0xb4, 0xbf, 0x53, 0xb2, 0x5a, 0x1a, 0xe0, 0x78,
-	0x50, 0x8e, 0xee, 0xc3, 0x79, 0xcf, 0x31, 0x29, 0xa6, 0x87, 0xa9, 0x3f, 0x85, 0x4c, 0x38, 0x81,
-	0x68, 0xcd, 0x94, 0x69, 0x3e, 0x0d, 0xe0, 0xac, 0x58, 0xfe, 0x0a, 0xe0, 0xbf, 0x93, 0x5e, 0xec,
-	0x32, 0xee, 0xa3, 0x67, 0x13, 0x7e, 0x28, 0x53, 0xbe, 0xbc, 0x8c, 0x27, 0x6e, 0x0c, 0x2e, 0x90,
-	0x45, 0x86, 0xbc, 0xd8, 0x81, 0x55, 0xe6, 0x53, 0x2b, 0x33, 0xe2, 0x6a, 0x91, 0xfc, 0x49, 0x61,
-	0xf9, 0x5b, 0xb3, 0x1d, 0x15, 0xe3, 0x84, 0x43, 0xfe, 0x02, 0x60, 0x73, 0x08, 0x3c, 0x03, 0xf9,
-	0xf7, 0x46, 0xe5, 0xb7, 0x2e, 0x93, 0x5f, 0xac, 0xfb, 0x07, 0x80, 0x30, 0x1f, 0x09, 0xd4, 0x82,
-	0xd5, 0x1e, 0xf5, 0xda, 0xc9, 0xae, 0x10, 0x34, 0x21, 0xc2, 0x3f, 0x89, 0x02, 0x38, 0x89, 0xa3,
-	0x6b, 0x50, 0x20, 0x2e, 0x7b, 0xe0, 0x39, 0x81, 0x9b, 0x74, 0x16, 0xb4, 0x46, 0xd8, 0x6f, 0x09,
-	0x9b, 0xfb, 0xdb, 0x49, 0x10, 0xe7, 0xf9, 0x08, 0xec, 0x51, 0xee, 0x04, 0x9e, 0x4e, 0xb9, 0x38,
-	0x97, 0x83, 0x71, 0x16, 0xc4, 0x79, 0x1e, 0xdd, 0x85, 0x8d, 0xec, 0xb0, 0x47, 0x2c, 0xca, 0xc5,
-	0x4a, 0x5c, 0xb0, 0x10, 0xf6, 0x5b, 0x0d, 0x3c, 0x9c, 0xc0, 0xa3, 0x38, 0xb4, 0x01, 0x9b, 0xb6,
-	0x63, 0x67, 0x90, 0xc7, 0x78, 0x97, 0x8b, 0xd5, 0xb8, 0x34, 0x9e, 0xc5, 0xbd, 0xd1, 0x14, 0x1e,
-	0xc7, 0xca, 0x9f, 0x01, 0xac, 0xfc, 0x46, 0xfb, 0x49, 0x7e, 0x5d, 0x86, 0xf5, 0x3f, 0x7e, 0x69,
-	0x44, 0xe3, 0x36, 0xdb, 0x6d, 0x31, 0xcd, 0xb8, 0x5d, 0xbe, 0x26, 0x3e, 0x02, 0x58, 0x9b, 0xd1,
-	0x7e, 0xd8, 0x18, 0x15, 0x2c, 0x5e, 0x28, 0xb8, 0x58, 0xe9, 0x4b, 0x98, 0xb9, 0x8e, 0xae, 0xc3,
-	0x5a, 0x36, 0xd3, 0xb1, 0x4e, 0x21, 0xef, 0x9b, 0x8d, 0x3d, 0x1e, 0x20, 0xd0, 0x32, 0xac, 0x74,
-	0x99, 0xdd, 0x11, 0xcb, 0x31, 0xf2, 0xaf, 0x14, 0x59, 0xd9, 0x61, 0x76, 0x07, 0xc7, 0x99, 0x08,
-	0x61, 0x13, 0x2b, 0xf9, 0x59, 0x1d, 0x42, 0x44, 0xd3, 0x8c, 0xe3, 0x8c, 0xfc, 0x09, 0xc0, 0xf9,
-	0xf4, 0xed, 0x19, 0xf0, 0x81, 0x0b, 0xf9, 0x86, 0xf5, 0x95, 0xa7, 0xd1, 0xf7, 0xeb, 0xee, 0x48,
-	0x85, 0x42, 0xf4, 0xc9, 0x5d, 0xa2, 0x53, 0xb1, 0x12, 0xc3, 0x16, 0x52, 0x98, 0xb0, 0x97, 0x25,
-	0x70, 0x8e, 0xd1, 0xd6, 0x4f, 0xce, 0xa5, 0xd2, 0xe9, 0xb9, 0x54, 0x3a, 0x3b, 0x97, 0x4a, 0xaf,
-	0x42, 0x09, 0x9c, 0x84, 0x12, 0x38, 0x0d, 0x25, 0x70, 0x16, 0x4a, 0xe0, 0x5b, 0x28, 0x81, 0x77,
-	0xdf, 0xa5, 0xd2, 0x53, 0x34, 0xf9, 0x8f, 0xf5, 0x67, 0x00, 0x00, 0x00, 0xff, 0xff, 0x67, 0xff,
-	0x5a, 0x4f, 0xc6, 0x0a, 0x00, 0x00,
-}
+func (m *Subject) Reset() { *m = Subject{} }
 
 func (m *AggregationRule) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/rbac/v1/generated.proto b/staging/src/k8s.io/api/rbac/v1/generated.proto
index 87b8f832d334e..56869814ec487 100644
--- a/staging/src/k8s.io/api/rbac/v1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1/generated.proto
@@ -185,6 +185,8 @@ message RoleRef {
   optional string kind = 2;
 
   // Name is the name of resource being referenced
+  // +required
+  // +k8s:required
   optional string name = 3;
 }
 
@@ -203,6 +205,8 @@ message Subject {
   optional string apiGroup = 2;
 
   // Name of the object being referenced.
+  // +required
+  // +k8s:required
   optional string name = 3;
 
   // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
diff --git a/staging/src/k8s.io/api/rbac/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/rbac/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..6e29e012fa59a
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1/generated.protomessage.pb.go
@@ -0,0 +1,46 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AggregationRule) ProtoMessage() {}
+
+func (*ClusterRole) ProtoMessage() {}
+
+func (*ClusterRoleBinding) ProtoMessage() {}
+
+func (*ClusterRoleBindingList) ProtoMessage() {}
+
+func (*ClusterRoleList) ProtoMessage() {}
+
+func (*PolicyRule) ProtoMessage() {}
+
+func (*Role) ProtoMessage() {}
+
+func (*RoleBinding) ProtoMessage() {}
+
+func (*RoleBindingList) ProtoMessage() {}
+
+func (*RoleList) ProtoMessage() {}
+
+func (*RoleRef) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/rbac/v1/types.go b/staging/src/k8s.io/api/rbac/v1/types.go
index f9628b8536a41..2fde11b30640f 100644
--- a/staging/src/k8s.io/api/rbac/v1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1/types.go
@@ -86,6 +86,8 @@ type Subject struct {
 	// +optional
 	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt,name=apiGroup"`
 	// Name of the object being referenced.
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 	// the Authorizer should report an error.
@@ -101,6 +103,8 @@ type RoleRef struct {
 	// Kind is the type of resource being referenced
 	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
 	// Name is the name of resource being referenced
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 }
 
diff --git a/staging/src/k8s.io/api/rbac/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/rbac/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..94da8174c578b
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1/zz_generated.model_name.go
@@ -0,0 +1,82 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AggregationRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.AggregationRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRole) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.ClusterRole"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.ClusterRoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.ClusterRoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.ClusterRoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.PolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Role) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.Role"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.RoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.RoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.RoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleRef) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.RoleRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1.Subject"
+}
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/doc.go b/staging/src/k8s.io/api/rbac/v1alpha1/doc.go
index 70d3c0e97185e..079b791b15ef2 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.rbac.v1alpha1
 
 // +groupName=rbac.authorization.k8s.io
 
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/rbac/v1alpha1/generated.pb.go
index ee3c7bfcc0cfa..f2ed252b6d116 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.pb.go
@@ -24,436 +24,36 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AggregationRule) Reset() { *m = AggregationRule{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ClusterRole) Reset() { *m = ClusterRole{} }
 
-func (m *AggregationRule) Reset()      { *m = AggregationRule{} }
-func (*AggregationRule) ProtoMessage() {}
-func (*AggregationRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{0}
-}
-func (m *AggregationRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AggregationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AggregationRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AggregationRule.Merge(m, src)
-}
-func (m *AggregationRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *AggregationRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_AggregationRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AggregationRule proto.InternalMessageInfo
-
-func (m *ClusterRole) Reset()      { *m = ClusterRole{} }
-func (*ClusterRole) ProtoMessage() {}
-func (*ClusterRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{1}
-}
-func (m *ClusterRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRole.Merge(m, src)
-}
-func (m *ClusterRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRole proto.InternalMessageInfo
-
-func (m *ClusterRoleBinding) Reset()      { *m = ClusterRoleBinding{} }
-func (*ClusterRoleBinding) ProtoMessage() {}
-func (*ClusterRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{2}
-}
-func (m *ClusterRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBinding.Merge(m, src)
-}
-func (m *ClusterRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBinding proto.InternalMessageInfo
-
-func (m *ClusterRoleBindingList) Reset()      { *m = ClusterRoleBindingList{} }
-func (*ClusterRoleBindingList) ProtoMessage() {}
-func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{3}
-}
-func (m *ClusterRoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBindingList.Merge(m, src)
-}
-func (m *ClusterRoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBindingList proto.InternalMessageInfo
-
-func (m *ClusterRoleList) Reset()      { *m = ClusterRoleList{} }
-func (*ClusterRoleList) ProtoMessage() {}
-func (*ClusterRoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{4}
-}
-func (m *ClusterRoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleList.Merge(m, src)
-}
-func (m *ClusterRoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleList proto.InternalMessageInfo
-
-func (m *PolicyRule) Reset()      { *m = PolicyRule{} }
-func (*PolicyRule) ProtoMessage() {}
-func (*PolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{5}
-}
-func (m *PolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRule.Merge(m, src)
-}
-func (m *PolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRule.DiscardUnknown(m)
-}
+func (m *ClusterRoleBinding) Reset() { *m = ClusterRoleBinding{} }
 
-var xxx_messageInfo_PolicyRule proto.InternalMessageInfo
+func (m *ClusterRoleBindingList) Reset() { *m = ClusterRoleBindingList{} }
 
-func (m *Role) Reset()      { *m = Role{} }
-func (*Role) ProtoMessage() {}
-func (*Role) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{6}
-}
-func (m *Role) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Role) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Role) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Role.Merge(m, src)
-}
-func (m *Role) XXX_Size() int {
-	return m.Size()
-}
-func (m *Role) XXX_DiscardUnknown() {
-	xxx_messageInfo_Role.DiscardUnknown(m)
-}
+func (m *ClusterRoleList) Reset() { *m = ClusterRoleList{} }
 
-var xxx_messageInfo_Role proto.InternalMessageInfo
+func (m *PolicyRule) Reset() { *m = PolicyRule{} }
 
-func (m *RoleBinding) Reset()      { *m = RoleBinding{} }
-func (*RoleBinding) ProtoMessage() {}
-func (*RoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{7}
-}
-func (m *RoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBinding.Merge(m, src)
-}
-func (m *RoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBinding.DiscardUnknown(m)
-}
+func (m *Role) Reset() { *m = Role{} }
 
-var xxx_messageInfo_RoleBinding proto.InternalMessageInfo
+func (m *RoleBinding) Reset() { *m = RoleBinding{} }
 
-func (m *RoleBindingList) Reset()      { *m = RoleBindingList{} }
-func (*RoleBindingList) ProtoMessage() {}
-func (*RoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{8}
-}
-func (m *RoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingList.Merge(m, src)
-}
-func (m *RoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingList.DiscardUnknown(m)
-}
+func (m *RoleBindingList) Reset() { *m = RoleBindingList{} }
 
-var xxx_messageInfo_RoleBindingList proto.InternalMessageInfo
+func (m *RoleList) Reset() { *m = RoleList{} }
 
-func (m *RoleList) Reset()      { *m = RoleList{} }
-func (*RoleList) ProtoMessage() {}
-func (*RoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{9}
-}
-func (m *RoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleList.Merge(m, src)
-}
-func (m *RoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleList proto.InternalMessageInfo
+func (m *RoleRef) Reset() { *m = RoleRef{} }
 
-func (m *RoleRef) Reset()      { *m = RoleRef{} }
-func (*RoleRef) ProtoMessage() {}
-func (*RoleRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{10}
-}
-func (m *RoleRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleRef.Merge(m, src)
-}
-func (m *RoleRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleRef.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleRef proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_758889dfd9a88fa6, []int{11}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AggregationRule)(nil), "k8s.io.api.rbac.v1alpha1.AggregationRule")
-	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRole")
-	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleBinding")
-	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleBindingList")
-	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleList")
-	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1alpha1.PolicyRule")
-	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1alpha1.Role")
-	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1alpha1.RoleBinding")
-	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1alpha1.RoleBindingList")
-	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1alpha1.RoleList")
-	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1alpha1.RoleRef")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1alpha1.Subject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/rbac/v1alpha1/generated.proto", fileDescriptor_758889dfd9a88fa6)
-}
-
-var fileDescriptor_758889dfd9a88fa6 = []byte{
-	// 819 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
-	0x14, 0xce, 0xa4, 0x09, 0x4d, 0x26, 0x44, 0xa1, 0x43, 0x85, 0xac, 0x0a, 0x39, 0xc5, 0x02, 0xa9,
-	0x88, 0x62, 0xd3, 0x82, 0x80, 0x0b, 0x48, 0x75, 0x0f, 0x28, 0x10, 0xda, 0x32, 0x15, 0x3d, 0x20,
-	0x0e, 0x4c, 0x9c, 0xa9, 0x33, 0xc4, 0xbf, 0xe4, 0xb1, 0x23, 0x55, 0x5c, 0xb8, 0x70, 0x45, 0x5c,
-	0x38, 0x70, 0xe7, 0xca, 0x85, 0x3d, 0xee, 0x3f, 0xd0, 0xbd, 0xf5, 0xd8, 0x53, 0xb4, 0xf5, 0xfe,
-	0x21, 0xbb, 0xf2, 0xd8, 0x8e, 0x9d, 0x5f, 0x9b, 0x9c, 0x22, 0xad, 0xb4, 0xa7, 0x64, 0xde, 0xfb,
-	0xde, 0xf7, 0xde, 0xfb, 0x66, 0xde, 0x4b, 0xe0, 0xc1, 0xf0, 0x4b, 0xae, 0x32, 0x57, 0x23, 0x1e,
-	0xd3, 0xfc, 0x1e, 0x31, 0xb4, 0xd1, 0x11, 0xb1, 0xbc, 0x01, 0x39, 0xd2, 0x4c, 0xea, 0x50, 0x9f,
-	0x04, 0xb4, 0xaf, 0x7a, 0xbe, 0x1b, 0xb8, 0x48, 0x4a, 0x90, 0x2a, 0xf1, 0x98, 0x1a, 0x23, 0xd5,
-	0x0c, 0xb9, 0xf7, 0xb1, 0xc9, 0x82, 0x41, 0xd8, 0x53, 0x0d, 0xd7, 0xd6, 0x4c, 0xd7, 0x74, 0x35,
-	0x11, 0xd0, 0x0b, 0xaf, 0xc5, 0x49, 0x1c, 0xc4, 0xb7, 0x84, 0x68, 0xef, 0xb3, 0x3c, 0xa5, 0x4d,
-	0x8c, 0x01, 0x73, 0xa8, 0x7f, 0xa3, 0x79, 0x43, 0x33, 0x36, 0x70, 0xcd, 0xa6, 0x01, 0xd1, 0x46,
-	0x73, 0xe9, 0xf7, 0xb4, 0x65, 0x51, 0x7e, 0xe8, 0x04, 0xcc, 0xa6, 0x73, 0x01, 0x9f, 0xaf, 0x0a,
-	0xe0, 0xc6, 0x80, 0xda, 0x64, 0x36, 0x4e, 0xf9, 0x07, 0xc0, 0xd6, 0x89, 0x69, 0xfa, 0xd4, 0x24,
-	0x01, 0x73, 0x1d, 0x1c, 0x5a, 0x14, 0xfd, 0x01, 0xe0, 0xae, 0x61, 0x85, 0x3c, 0xa0, 0x3e, 0x76,
-	0x2d, 0x7a, 0x49, 0x2d, 0x6a, 0x04, 0xae, 0xcf, 0x25, 0xb0, 0xbf, 0x75, 0xd0, 0x38, 0xfe, 0x54,
-	0xcd, 0xb5, 0x99, 0xe4, 0x52, 0xbd, 0xa1, 0x19, 0x1b, 0xb8, 0x1a, 0xb7, 0xa4, 0x8e, 0x8e, 0xd4,
-	0x2e, 0xe9, 0x51, 0x2b, 0x8b, 0xd5, 0xdf, 0xbd, 0x1d, 0xb7, 0x4b, 0xd1, 0xb8, 0xbd, 0x7b, 0xba,
-	0x80, 0x18, 0x2f, 0x4c, 0xa7, 0xfc, 0x5b, 0x86, 0x8d, 0x02, 0x1c, 0xfd, 0x02, 0x6b, 0x31, 0x79,
-	0x9f, 0x04, 0x44, 0x02, 0xfb, 0xe0, 0xa0, 0x71, 0xfc, 0xc9, 0x7a, 0xa5, 0x9c, 0xf7, 0x7e, 0xa5,
-	0x46, 0xf0, 0x3d, 0x0d, 0x88, 0x8e, 0xd2, 0x3a, 0x60, 0x6e, 0xc3, 0x13, 0x56, 0xd4, 0x81, 0x55,
-	0x3f, 0xb4, 0x28, 0x97, 0xca, 0xa2, 0xd3, 0xf7, 0xd5, 0x65, 0xaf, 0x40, 0xbd, 0x70, 0x2d, 0x66,
-	0xdc, 0xc4, 0x72, 0xe9, 0xcd, 0x94, 0xb2, 0x1a, 0x9f, 0x38, 0x4e, 0x18, 0xd0, 0x00, 0xb6, 0xc8,
-	0xb4, 0xae, 0xd2, 0x96, 0xa8, 0xf9, 0xc3, 0xe5, 0xa4, 0x33, 0x17, 0xa1, 0xbf, 0x1d, 0x8d, 0xdb,
-	0xb3, 0xb7, 0x83, 0x67, 0x69, 0x95, 0xbf, 0xcb, 0x10, 0x15, 0x64, 0xd2, 0x99, 0xd3, 0x67, 0x8e,
-	0xb9, 0x01, 0xb5, 0xce, 0x61, 0x8d, 0x87, 0xc2, 0x91, 0x09, 0xf6, 0xde, 0xf2, 0xde, 0x2e, 0x13,
-	0xa4, 0xfe, 0x56, 0x4a, 0x59, 0x4b, 0x0d, 0x1c, 0x4f, 0x48, 0x50, 0x17, 0x6e, 0xfb, 0xae, 0x45,
-	0x31, 0xbd, 0x4e, 0xb5, 0x7a, 0x09, 0x1f, 0x4e, 0x80, 0x7a, 0x2b, 0xe5, 0xdb, 0x4e, 0x0d, 0x38,
-	0xa3, 0x50, 0x9e, 0x00, 0xf8, 0xce, 0xbc, 0x2e, 0x5d, 0xc6, 0x03, 0xf4, 0xf3, 0x9c, 0x36, 0xea,
-	0x9a, 0x8f, 0x9a, 0xf1, 0x44, 0x99, 0x49, 0x1b, 0x99, 0xa5, 0xa0, 0xcb, 0x0f, 0xb0, 0xca, 0x02,
-	0x6a, 0x67, 0xa2, 0x1c, 0x2e, 0x6f, 0x62, 0xbe, 0xbc, 0xfc, 0x35, 0x75, 0x62, 0x0a, 0x9c, 0x30,
-	0x29, 0x8f, 0x01, 0x6c, 0x15, 0xc0, 0x1b, 0x68, 0xe2, 0xdb, 0xe9, 0x26, 0x3e, 0x58, 0xaf, 0x89,
-	0xc5, 0xd5, 0x3f, 0x07, 0x10, 0xe6, 0x03, 0x83, 0xda, 0xb0, 0x3a, 0xa2, 0x7e, 0x2f, 0xd9, 0x27,
-	0x75, 0xbd, 0x1e, 0xe3, 0xaf, 0x62, 0x03, 0x4e, 0xec, 0xe8, 0x23, 0x58, 0x27, 0x1e, 0xfb, 0xc6,
-	0x77, 0x43, 0x8f, 0x4b, 0x5b, 0x02, 0xd4, 0x8c, 0xc6, 0xed, 0xfa, 0xc9, 0x45, 0x27, 0x31, 0xe2,
-	0xdc, 0x1f, 0x83, 0x7d, 0xca, 0xdd, 0xd0, 0x37, 0x28, 0x97, 0x2a, 0x39, 0x18, 0x67, 0x46, 0x9c,
-	0xfb, 0xd1, 0x17, 0xb0, 0x99, 0x1d, 0xce, 0x88, 0x4d, 0xb9, 0x54, 0x15, 0x01, 0x3b, 0xd1, 0xb8,
-	0xdd, 0xc4, 0x45, 0x07, 0x9e, 0xc6, 0xa1, 0xaf, 0x60, 0xcb, 0x71, 0x9d, 0x0c, 0xf2, 0x23, 0xee,
-	0x72, 0xe9, 0x0d, 0x11, 0x2a, 0x66, 0xf4, 0x6c, 0xda, 0x85, 0x67, 0xb1, 0xca, 0x23, 0x00, 0x2b,
-	0xaf, 0xdc, 0x0e, 0x53, 0xfe, 0x2c, 0xc3, 0xc6, 0xeb, 0x95, 0x52, 0x58, 0x29, 0xf1, 0x18, 0x6e,
-	0x76, 0x97, 0xac, 0x3f, 0x86, 0xab, 0x97, 0xc8, 0x7f, 0x00, 0xd6, 0x36, 0xb4, 0x3d, 0x4e, 0xa7,
-	0xcb, 0x96, 0x57, 0x94, 0xbd, 0xb8, 0xde, 0xdf, 0x60, 0x76, 0x03, 0xe8, 0x10, 0xd6, 0xb2, 0x89,
-	0x17, 0xd5, 0xd6, 0xf3, 0xec, 0xd9, 0x52, 0xc0, 0x13, 0x04, 0xda, 0x87, 0x95, 0x21, 0x73, 0xfa,
-	0x52, 0x59, 0x20, 0xdf, 0x4c, 0x91, 0x95, 0xef, 0x98, 0xd3, 0xc7, 0xc2, 0x13, 0x23, 0x1c, 0x62,
-	0x27, 0x3f, 0xc9, 0x05, 0x44, 0x3c, 0xeb, 0x58, 0x78, 0x94, 0xff, 0x01, 0xdc, 0x4e, 0xdf, 0xd3,
-	0x84, 0x0f, 0x2c, 0xe5, 0x3b, 0x86, 0x90, 0x78, 0xec, 0x8a, 0xfa, 0x9c, 0xb9, 0x4e, 0x9a, 0x77,
-	0xf2, 0xd2, 0x4f, 0x2e, 0x3a, 0xa9, 0x07, 0x17, 0x50, 0xab, 0x6b, 0x40, 0x1a, 0xac, 0xc7, 0x9f,
-	0xdc, 0x23, 0x06, 0x95, 0x2a, 0x02, 0xb6, 0x93, 0xc2, 0xea, 0x67, 0x99, 0x03, 0xe7, 0x18, 0xfd,
-	0xeb, 0xdb, 0x07, 0xb9, 0x74, 0xf7, 0x20, 0x97, 0xee, 0x1f, 0xe4, 0xd2, 0xef, 0x91, 0x0c, 0x6e,
-	0x23, 0x19, 0xdc, 0x45, 0x32, 0xb8, 0x8f, 0x64, 0xf0, 0x34, 0x92, 0xc1, 0x5f, 0xcf, 0xe4, 0xd2,
-	0x4f, 0xd2, 0xb2, 0x7f, 0xc1, 0x2f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xf1, 0x02, 0x55, 0xe5, 0x20,
-	0x0b, 0x00, 0x00,
-}
+func (m *Subject) Reset() { *m = Subject{} }
 
 func (m *AggregationRule) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
index 19d43cdee58b4..f787f3976e7c3 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.proto
@@ -190,6 +190,8 @@ message RoleRef {
   optional string kind = 2;
 
   // Name is the name of resource being referenced
+  // +required
+  // +k8s:required
   optional string name = 3;
 }
 
@@ -208,6 +210,8 @@ message Subject {
   optional string apiVersion = 2;
 
   // Name of the object being referenced.
+  // +required
+  // +k8s:required
   optional string name = 3;
 
   // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/rbac/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..20f8d575ea1ea
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,46 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*AggregationRule) ProtoMessage() {}
+
+func (*ClusterRole) ProtoMessage() {}
+
+func (*ClusterRoleBinding) ProtoMessage() {}
+
+func (*ClusterRoleBindingList) ProtoMessage() {}
+
+func (*ClusterRoleList) ProtoMessage() {}
+
+func (*PolicyRule) ProtoMessage() {}
+
+func (*Role) ProtoMessage() {}
+
+func (*RoleBinding) ProtoMessage() {}
+
+func (*RoleBindingList) ProtoMessage() {}
+
+func (*RoleList) ProtoMessage() {}
+
+func (*RoleRef) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/types.go b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
index 2146b4ce39f05..a0d52ee4fc7d8 100644
--- a/staging/src/k8s.io/api/rbac/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/types.go
@@ -86,6 +86,8 @@ type Subject struct {
 	// +optional
 	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
 	// Name of the object being referenced.
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 	// the Authorizer should report an error.
@@ -100,6 +102,8 @@ type RoleRef struct {
 	// Kind is the type of resource being referenced
 	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
 	// Name is the name of resource being referenced
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 }
 
diff --git a/staging/src/k8s.io/api/rbac/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/rbac/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5d9ca16c8b554
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,82 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AggregationRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.AggregationRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRole) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.ClusterRole"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.ClusterRoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.ClusterRoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.ClusterRoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.PolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Role) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.Role"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.RoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.RoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.RoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleRef) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.RoleRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1alpha1.Subject"
+}
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/doc.go b/staging/src/k8s.io/api/rbac/v1beta1/doc.go
index 504a58d8bfa0f..b1890610fa744 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/rbac/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.rbac.v1beta1
 
 // +groupName=rbac.authorization.k8s.io
 
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.pb.go b/staging/src/k8s.io/api/rbac/v1beta1/generated.pb.go
index 9052d7e8dbbcf..0980b011980f7 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.pb.go
@@ -24,434 +24,36 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AggregationRule) Reset() { *m = AggregationRule{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ClusterRole) Reset() { *m = ClusterRole{} }
 
-func (m *AggregationRule) Reset()      { *m = AggregationRule{} }
-func (*AggregationRule) ProtoMessage() {}
-func (*AggregationRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{0}
-}
-func (m *AggregationRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AggregationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AggregationRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AggregationRule.Merge(m, src)
-}
-func (m *AggregationRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *AggregationRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_AggregationRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AggregationRule proto.InternalMessageInfo
-
-func (m *ClusterRole) Reset()      { *m = ClusterRole{} }
-func (*ClusterRole) ProtoMessage() {}
-func (*ClusterRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{1}
-}
-func (m *ClusterRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRole.Merge(m, src)
-}
-func (m *ClusterRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRole proto.InternalMessageInfo
-
-func (m *ClusterRoleBinding) Reset()      { *m = ClusterRoleBinding{} }
-func (*ClusterRoleBinding) ProtoMessage() {}
-func (*ClusterRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{2}
-}
-func (m *ClusterRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBinding.Merge(m, src)
-}
-func (m *ClusterRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBinding proto.InternalMessageInfo
-
-func (m *ClusterRoleBindingList) Reset()      { *m = ClusterRoleBindingList{} }
-func (*ClusterRoleBindingList) ProtoMessage() {}
-func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{3}
-}
-func (m *ClusterRoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBindingList.Merge(m, src)
-}
-func (m *ClusterRoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBindingList proto.InternalMessageInfo
-
-func (m *ClusterRoleList) Reset()      { *m = ClusterRoleList{} }
-func (*ClusterRoleList) ProtoMessage() {}
-func (*ClusterRoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{4}
-}
-func (m *ClusterRoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleList.Merge(m, src)
-}
-func (m *ClusterRoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleList proto.InternalMessageInfo
-
-func (m *PolicyRule) Reset()      { *m = PolicyRule{} }
-func (*PolicyRule) ProtoMessage() {}
-func (*PolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{5}
-}
-func (m *PolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRule.Merge(m, src)
-}
-func (m *PolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRule.DiscardUnknown(m)
-}
+func (m *ClusterRoleBinding) Reset() { *m = ClusterRoleBinding{} }
 
-var xxx_messageInfo_PolicyRule proto.InternalMessageInfo
+func (m *ClusterRoleBindingList) Reset() { *m = ClusterRoleBindingList{} }
 
-func (m *Role) Reset()      { *m = Role{} }
-func (*Role) ProtoMessage() {}
-func (*Role) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{6}
-}
-func (m *Role) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Role) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Role) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Role.Merge(m, src)
-}
-func (m *Role) XXX_Size() int {
-	return m.Size()
-}
-func (m *Role) XXX_DiscardUnknown() {
-	xxx_messageInfo_Role.DiscardUnknown(m)
-}
+func (m *ClusterRoleList) Reset() { *m = ClusterRoleList{} }
 
-var xxx_messageInfo_Role proto.InternalMessageInfo
+func (m *PolicyRule) Reset() { *m = PolicyRule{} }
 
-func (m *RoleBinding) Reset()      { *m = RoleBinding{} }
-func (*RoleBinding) ProtoMessage() {}
-func (*RoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{7}
-}
-func (m *RoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBinding.Merge(m, src)
-}
-func (m *RoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBinding.DiscardUnknown(m)
-}
+func (m *Role) Reset() { *m = Role{} }
 
-var xxx_messageInfo_RoleBinding proto.InternalMessageInfo
+func (m *RoleBinding) Reset() { *m = RoleBinding{} }
 
-func (m *RoleBindingList) Reset()      { *m = RoleBindingList{} }
-func (*RoleBindingList) ProtoMessage() {}
-func (*RoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{8}
-}
-func (m *RoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingList.Merge(m, src)
-}
-func (m *RoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingList.DiscardUnknown(m)
-}
+func (m *RoleBindingList) Reset() { *m = RoleBindingList{} }
 
-var xxx_messageInfo_RoleBindingList proto.InternalMessageInfo
+func (m *RoleList) Reset() { *m = RoleList{} }
 
-func (m *RoleList) Reset()      { *m = RoleList{} }
-func (*RoleList) ProtoMessage() {}
-func (*RoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{9}
-}
-func (m *RoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleList.Merge(m, src)
-}
-func (m *RoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleList proto.InternalMessageInfo
+func (m *RoleRef) Reset() { *m = RoleRef{} }
 
-func (m *RoleRef) Reset()      { *m = RoleRef{} }
-func (*RoleRef) ProtoMessage() {}
-func (*RoleRef) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{10}
-}
-func (m *RoleRef) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleRef) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleRef.Merge(m, src)
-}
-func (m *RoleRef) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleRef) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleRef.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleRef proto.InternalMessageInfo
-
-func (m *Subject) Reset()      { *m = Subject{} }
-func (*Subject) ProtoMessage() {}
-func (*Subject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5bc2d145acd4e45, []int{11}
-}
-func (m *Subject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Subject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Subject.Merge(m, src)
-}
-func (m *Subject) XXX_Size() int {
-	return m.Size()
-}
-func (m *Subject) XXX_DiscardUnknown() {
-	xxx_messageInfo_Subject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Subject proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AggregationRule)(nil), "k8s.io.api.rbac.v1beta1.AggregationRule")
-	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1beta1.ClusterRole")
-	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleBinding")
-	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleBindingList")
-	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleList")
-	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1beta1.PolicyRule")
-	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1beta1.Role")
-	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1beta1.RoleBinding")
-	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1beta1.RoleBindingList")
-	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1beta1.RoleList")
-	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1beta1.RoleRef")
-	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1beta1.Subject")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/rbac/v1beta1/generated.proto", fileDescriptor_c5bc2d145acd4e45)
-}
-
-var fileDescriptor_c5bc2d145acd4e45 = []byte{
-	// 800 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0x3b, 0x6f, 0xe3, 0x46,
-	0x10, 0xd6, 0xca, 0x12, 0x2c, 0xae, 0x22, 0x28, 0xde, 0x18, 0x31, 0x61, 0x24, 0x94, 0xa0, 0x04,
-	0x88, 0x01, 0x27, 0x64, 0xec, 0x04, 0x49, 0x1a, 0x17, 0x66, 0x8a, 0xc4, 0xb0, 0xa3, 0x18, 0x6b,
-	0x24, 0x45, 0x90, 0x22, 0x2b, 0x6a, 0x4d, 0x6f, 0xc4, 0x17, 0xb8, 0xa4, 0x00, 0x23, 0x4d, 0x9a,
-	0xeb, 0xae, 0x38, 0xe0, 0xaa, 0x6b, 0xaf, 0xbe, 0xea, 0xca, 0xfb, 0x05, 0x2a, 0x5d, 0xba, 0x12,
-	0xce, 0xbc, 0x1f, 0x72, 0x87, 0xe5, 0x43, 0xd4, 0x8b, 0xb6, 0x2a, 0x01, 0x07, 0x5c, 0x25, 0xed,
-	0xcc, 0x37, 0xdf, 0xcc, 0x7c, 0xbb, 0x33, 0x12, 0xfc, 0x6a, 0xf0, 0x13, 0x57, 0x99, 0xab, 0x11,
-	0x8f, 0x69, 0x7e, 0x8f, 0x18, 0xda, 0xf0, 0xa0, 0x47, 0x03, 0x72, 0xa0, 0x99, 0xd4, 0xa1, 0x3e,
-	0x09, 0x68, 0x5f, 0xf5, 0x7c, 0x37, 0x70, 0xd1, 0x4e, 0x02, 0x54, 0x89, 0xc7, 0x54, 0x01, 0x54,
-	0x53, 0xe0, 0xee, 0x37, 0x26, 0x0b, 0xae, 0xc2, 0x9e, 0x6a, 0xb8, 0xb6, 0x66, 0xba, 0xa6, 0xab,
-	0xc5, 0xf8, 0x5e, 0x78, 0x19, 0x9f, 0xe2, 0x43, 0xfc, 0x2d, 0xe1, 0xd9, 0xfd, 0x3e, 0x4f, 0x68,
-	0x13, 0xe3, 0x8a, 0x39, 0xd4, 0xbf, 0xd6, 0xbc, 0x81, 0x29, 0x0c, 0x5c, 0xb3, 0x69, 0x40, 0xb4,
-	0xe1, 0x42, 0xf6, 0x5d, 0xad, 0x28, 0xca, 0x0f, 0x9d, 0x80, 0xd9, 0x74, 0x21, 0xe0, 0x87, 0x87,
-	0x02, 0xb8, 0x71, 0x45, 0x6d, 0x32, 0x1f, 0xd7, 0x79, 0x06, 0x60, 0xf3, 0xd8, 0x34, 0x7d, 0x6a,
-	0x92, 0x80, 0xb9, 0x0e, 0x0e, 0x2d, 0x8a, 0x1e, 0x01, 0xb8, 0x6d, 0x58, 0x21, 0x0f, 0xa8, 0x8f,
-	0x5d, 0x8b, 0x5e, 0x50, 0x8b, 0x1a, 0x81, 0xeb, 0x73, 0x19, 0xb4, 0x37, 0xf6, 0xea, 0x87, 0xdf,
-	0xa9, 0xb9, 0x34, 0x93, 0x5c, 0xaa, 0x37, 0x30, 0x85, 0x81, 0xab, 0xa2, 0x25, 0x75, 0x78, 0xa0,
-	0x9e, 0x91, 0x1e, 0xb5, 0xb2, 0x58, 0xfd, 0xb3, 0xd1, 0xb8, 0x55, 0x8a, 0xc6, 0xad, 0xed, 0x9f,
-	0x97, 0x10, 0xe3, 0xa5, 0xe9, 0x3a, 0xcf, 0xcb, 0xb0, 0x3e, 0x05, 0x47, 0xff, 0xc0, 0x9a, 0x20,
-	0xef, 0x93, 0x80, 0xc8, 0xa0, 0x0d, 0xf6, 0xea, 0x87, 0xdf, 0xae, 0x56, 0xca, 0xef, 0xbd, 0x7f,
-	0xa9, 0x11, 0xfc, 0x46, 0x03, 0xa2, 0xa3, 0xb4, 0x0e, 0x98, 0xdb, 0xf0, 0x84, 0x15, 0xfd, 0x0a,
-	0xab, 0x7e, 0x68, 0x51, 0x2e, 0x97, 0xe3, 0x4e, 0xbf, 0x50, 0x0b, 0x1e, 0x81, 0x7a, 0xee, 0x5a,
-	0xcc, 0xb8, 0x16, 0x6a, 0xe9, 0x8d, 0x94, 0xb1, 0x2a, 0x4e, 0x1c, 0x27, 0x04, 0xc8, 0x84, 0x4d,
-	0x32, 0x2b, 0xab, 0xbc, 0x11, 0x97, 0xbc, 0x57, 0xc8, 0x39, 0x77, 0x0d, 0xfa, 0x27, 0xd1, 0xb8,
-	0x35, 0x7f, 0x37, 0x78, 0x9e, 0xb5, 0xf3, 0xb4, 0x0c, 0xd1, 0x94, 0x48, 0x3a, 0x73, 0xfa, 0xcc,
-	0x31, 0xd7, 0xa0, 0x55, 0x17, 0xd6, 0x78, 0x18, 0x3b, 0x32, 0xb9, 0xda, 0x85, 0xad, 0x5d, 0x24,
-	0x40, 0xfd, 0xe3, 0x94, 0xb1, 0x96, 0x1a, 0x38, 0x9e, 0x70, 0xa0, 0x53, 0xb8, 0xe9, 0xbb, 0x16,
-	0xc5, 0xf4, 0x32, 0x55, 0xaa, 0x98, 0x0e, 0x27, 0x38, 0xbd, 0x99, 0xd2, 0x6d, 0xa6, 0x06, 0x9c,
-	0x31, 0x74, 0x46, 0x00, 0x7e, 0xba, 0xa8, 0xca, 0x19, 0xe3, 0x01, 0xfa, 0x7b, 0x41, 0x19, 0x75,
-	0xc5, 0x07, 0xcd, 0x78, 0xa2, 0xcb, 0xa4, 0x8b, 0xcc, 0x32, 0xa5, 0xca, 0x39, 0xac, 0xb2, 0x80,
-	0xda, 0x99, 0x24, 0xfb, 0x85, 0x3d, 0x2c, 0x56, 0x97, 0xbf, 0xa4, 0x13, 0xc1, 0x80, 0x13, 0xa2,
-	0xce, 0x2b, 0x00, 0x9b, 0x53, 0xe0, 0x35, 0xf4, 0x70, 0x32, 0xdb, 0xc3, 0x97, 0x2b, 0xf5, 0xb0,
-	0xbc, 0xf8, 0xb7, 0x00, 0xc2, 0x7c, 0x56, 0x50, 0x0b, 0x56, 0x87, 0xd4, 0xef, 0x25, 0x9b, 0x44,
-	0xd2, 0x25, 0x81, 0xff, 0x53, 0x18, 0x70, 0x62, 0x47, 0xfb, 0x50, 0x22, 0x1e, 0xfb, 0xc5, 0x77,
-	0x43, 0x2f, 0x49, 0x2f, 0xe9, 0x8d, 0x68, 0xdc, 0x92, 0x8e, 0xcf, 0x4f, 0x12, 0x23, 0xce, 0xfd,
-	0x02, 0xec, 0x53, 0xee, 0x86, 0xbe, 0x41, 0xb9, 0xbc, 0x91, 0x83, 0x71, 0x66, 0xc4, 0xb9, 0x1f,
-	0xfd, 0x08, 0x1b, 0xd9, 0xa1, 0x4b, 0x6c, 0xca, 0xe5, 0x4a, 0x1c, 0xb0, 0x15, 0x8d, 0x5b, 0x0d,
-	0x3c, 0xed, 0xc0, 0xb3, 0x38, 0x74, 0x04, 0x9b, 0x8e, 0xeb, 0x64, 0x90, 0x3f, 0xf0, 0x19, 0x97,
-	0xab, 0x71, 0x68, 0x3c, 0x9f, 0xdd, 0x59, 0x17, 0x9e, 0xc7, 0x76, 0x5e, 0x02, 0x58, 0x79, 0xdf,
-	0xb6, 0x57, 0xe7, 0x71, 0x19, 0xd6, 0x3f, 0x6c, 0x93, 0xc9, 0x36, 0x11, 0x23, 0xb8, 0xde, 0x35,
-	0xb2, 0xf2, 0x08, 0x3e, 0xbc, 0x3f, 0x5e, 0x00, 0x58, 0x5b, 0xd3, 0xe2, 0xd0, 0x67, 0xab, 0xfe,
-	0xfc, 0xfe, 0xaa, 0x97, 0x97, 0xfb, 0x1f, 0xcc, 0xf4, 0x47, 0x5f, 0xc3, 0x5a, 0x36, 0xec, 0x71,
-	0xb1, 0x52, 0x9e, 0x3c, 0xdb, 0x07, 0x78, 0x82, 0x40, 0x6d, 0x58, 0x19, 0x30, 0xa7, 0x2f, 0x97,
-	0x63, 0xe4, 0x47, 0x29, 0xb2, 0x72, 0xca, 0x9c, 0x3e, 0x8e, 0x3d, 0x02, 0xe1, 0x10, 0x3b, 0xf9,
-	0x21, 0x9e, 0x42, 0x88, 0x31, 0xc7, 0xb1, 0x47, 0x68, 0xb5, 0x99, 0x3e, 0xa6, 0x09, 0x1f, 0x28,
-	0xe4, 0x9b, 0xae, 0xaf, 0xbc, 0x4a, 0x7d, 0xf7, 0x67, 0x47, 0x1a, 0x94, 0xc4, 0x27, 0xf7, 0x88,
-	0x41, 0xe5, 0x4a, 0x0c, 0xdb, 0x4a, 0x61, 0x52, 0x37, 0x73, 0xe0, 0x1c, 0xa3, 0x1f, 0x8d, 0xee,
-	0x94, 0xd2, 0xcd, 0x9d, 0x52, 0xba, 0xbd, 0x53, 0x4a, 0xff, 0x47, 0x0a, 0x18, 0x45, 0x0a, 0xb8,
-	0x89, 0x14, 0x70, 0x1b, 0x29, 0xe0, 0x75, 0xa4, 0x80, 0x27, 0x6f, 0x94, 0xd2, 0x5f, 0x3b, 0x05,
-	0x7f, 0x79, 0xdf, 0x05, 0x00, 0x00, 0xff, 0xff, 0x75, 0xfb, 0x5a, 0x79, 0x0c, 0x0b, 0x00, 0x00,
-}
+func (m *Subject) Reset() { *m = Subject{} }
 
 func (m *AggregationRule) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
index 8bfbd0c8ac636..cac7b413e87da 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.proto
@@ -191,6 +191,8 @@ message RoleRef {
   optional string kind = 2;
 
   // Name is the name of resource being referenced
+  // +required
+  // +k8s:required
   optional string name = 3;
 }
 
@@ -208,6 +210,8 @@ message Subject {
   optional string apiGroup = 2;
 
   // Name of the object being referenced.
+  // +required
+  // +k8s:required
   optional string name = 3;
 
   // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/rbac/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..b29896836740c
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,46 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*AggregationRule) ProtoMessage() {}
+
+func (*ClusterRole) ProtoMessage() {}
+
+func (*ClusterRoleBinding) ProtoMessage() {}
+
+func (*ClusterRoleBindingList) ProtoMessage() {}
+
+func (*ClusterRoleList) ProtoMessage() {}
+
+func (*PolicyRule) ProtoMessage() {}
+
+func (*Role) ProtoMessage() {}
+
+func (*RoleBinding) ProtoMessage() {}
+
+func (*RoleBindingList) ProtoMessage() {}
+
+func (*RoleList) ProtoMessage() {}
+
+func (*RoleRef) ProtoMessage() {}
+
+func (*Subject) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/types.go b/staging/src/k8s.io/api/rbac/v1beta1/types.go
index 9cfaaceb92c61..861e33c975586 100644
--- a/staging/src/k8s.io/api/rbac/v1beta1/types.go
+++ b/staging/src/k8s.io/api/rbac/v1beta1/types.go
@@ -86,6 +86,8 @@ type Subject struct {
 	// +optional
 	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt,name=apiGroup"`
 	// Name of the object being referenced.
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 	// the Authorizer should report an error.
@@ -100,6 +102,8 @@ type RoleRef struct {
 	// Kind is the type of resource being referenced
 	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
 	// Name is the name of resource being referenced
+	// +required
+	// +k8s:required
 	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 }
 
diff --git a/staging/src/k8s.io/api/rbac/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/rbac/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..073ba67b40b23
--- /dev/null
+++ b/staging/src/k8s.io/api/rbac/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,82 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AggregationRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.AggregationRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRole) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.ClusterRole"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.ClusterRoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.ClusterRoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClusterRoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.ClusterRoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRule) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.PolicyRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Role) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.Role"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBinding) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.RoleBinding"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleBindingList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.RoleBindingList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleList) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.RoleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RoleRef) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.RoleRef"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Subject) OpenAPIModelName() string {
+	return "io.k8s.api.rbac.v1beta1.Subject"
+}
diff --git a/staging/src/k8s.io/api/resource/v1/doc.go b/staging/src/k8s.io/api/resource/v1/doc.go
index c94ca75ddc334..645c1cb53f4ee 100644
--- a/staging/src/k8s.io/api/resource/v1/doc.go
+++ b/staging/src/k8s.io/api/resource/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.resource.v1
 // +groupName=resource.k8s.io
 
 // Package v1 is the v1 version of the resource API.
diff --git a/staging/src/k8s.io/api/resource/v1/generated.pb.go b/staging/src/k8s.io/api/resource/v1/generated.pb.go
index 5695e2c7e04f4..e690204905ae8 100644
--- a/staging/src/k8s.io/api/resource/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1/generated.pb.go
@@ -23,15 +23,13 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -39,1470 +37,91 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AllocatedDeviceStatus) Reset() { *m = AllocatedDeviceStatus{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AllocationResult) Reset() { *m = AllocationResult{} }
 
-func (m *AllocatedDeviceStatus) Reset()      { *m = AllocatedDeviceStatus{} }
-func (*AllocatedDeviceStatus) ProtoMessage() {}
-func (*AllocatedDeviceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{0}
-}
-func (m *AllocatedDeviceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocatedDeviceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocatedDeviceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocatedDeviceStatus.Merge(m, src)
-}
-func (m *AllocatedDeviceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocatedDeviceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocatedDeviceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocatedDeviceStatus proto.InternalMessageInfo
-
-func (m *AllocationResult) Reset()      { *m = AllocationResult{} }
-func (*AllocationResult) ProtoMessage() {}
-func (*AllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{1}
-}
-func (m *AllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocationResult.Merge(m, src)
-}
-func (m *AllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocationResult proto.InternalMessageInfo
-
-func (m *CELDeviceSelector) Reset()      { *m = CELDeviceSelector{} }
-func (*CELDeviceSelector) ProtoMessage() {}
-func (*CELDeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{2}
-}
-func (m *CELDeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CELDeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CELDeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CELDeviceSelector.Merge(m, src)
-}
-func (m *CELDeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *CELDeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_CELDeviceSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CELDeviceSelector proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicy) Reset()      { *m = CapacityRequestPolicy{} }
-func (*CapacityRequestPolicy) ProtoMessage() {}
-func (*CapacityRequestPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{3}
-}
-func (m *CapacityRequestPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicy.Merge(m, src)
-}
-func (m *CapacityRequestPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicy proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicyRange) Reset()      { *m = CapacityRequestPolicyRange{} }
-func (*CapacityRequestPolicyRange) ProtoMessage() {}
-func (*CapacityRequestPolicyRange) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{4}
-}
-func (m *CapacityRequestPolicyRange) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicyRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicyRange) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicyRange.Merge(m, src)
-}
-func (m *CapacityRequestPolicyRange) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicyRange) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicyRange.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicyRange proto.InternalMessageInfo
-
-func (m *CapacityRequirements) Reset()      { *m = CapacityRequirements{} }
-func (*CapacityRequirements) ProtoMessage() {}
-func (*CapacityRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{5}
-}
-func (m *CapacityRequirements) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequirements) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequirements) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequirements.Merge(m, src)
-}
-func (m *CapacityRequirements) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequirements) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequirements.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequirements proto.InternalMessageInfo
-
-func (m *Counter) Reset()      { *m = Counter{} }
-func (*Counter) ProtoMessage() {}
-func (*Counter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{6}
-}
-func (m *Counter) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Counter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Counter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Counter.Merge(m, src)
-}
-func (m *Counter) XXX_Size() int {
-	return m.Size()
-}
-func (m *Counter) XXX_DiscardUnknown() {
-	xxx_messageInfo_Counter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Counter proto.InternalMessageInfo
-
-func (m *CounterSet) Reset()      { *m = CounterSet{} }
-func (*CounterSet) ProtoMessage() {}
-func (*CounterSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{7}
-}
-func (m *CounterSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CounterSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CounterSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CounterSet.Merge(m, src)
-}
-func (m *CounterSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *CounterSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_CounterSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CounterSet proto.InternalMessageInfo
-
-func (m *Device) Reset()      { *m = Device{} }
-func (*Device) ProtoMessage() {}
-func (*Device) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{8}
-}
-func (m *Device) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Device) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Device) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Device.Merge(m, src)
-}
-func (m *Device) XXX_Size() int {
-	return m.Size()
-}
-func (m *Device) XXX_DiscardUnknown() {
-	xxx_messageInfo_Device.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Device proto.InternalMessageInfo
-
-func (m *DeviceAllocationConfiguration) Reset()      { *m = DeviceAllocationConfiguration{} }
-func (*DeviceAllocationConfiguration) ProtoMessage() {}
-func (*DeviceAllocationConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{9}
-}
-func (m *DeviceAllocationConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationConfiguration.Merge(m, src)
-}
-func (m *DeviceAllocationConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationConfiguration proto.InternalMessageInfo
-
-func (m *DeviceAllocationResult) Reset()      { *m = DeviceAllocationResult{} }
-func (*DeviceAllocationResult) ProtoMessage() {}
-func (*DeviceAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{10}
-}
-func (m *DeviceAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationResult.Merge(m, src)
-}
-func (m *DeviceAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationResult proto.InternalMessageInfo
-
-func (m *DeviceAttribute) Reset()      { *m = DeviceAttribute{} }
-func (*DeviceAttribute) ProtoMessage() {}
-func (*DeviceAttribute) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{11}
-}
-func (m *DeviceAttribute) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAttribute) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAttribute) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAttribute.Merge(m, src)
-}
-func (m *DeviceAttribute) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAttribute) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAttribute.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAttribute proto.InternalMessageInfo
-
-func (m *DeviceCapacity) Reset()      { *m = DeviceCapacity{} }
-func (*DeviceCapacity) ProtoMessage() {}
-func (*DeviceCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{12}
-}
-func (m *DeviceCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCapacity.Merge(m, src)
-}
-func (m *DeviceCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCapacity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceCapacity proto.InternalMessageInfo
-
-func (m *DeviceClaim) Reset()      { *m = DeviceClaim{} }
-func (*DeviceClaim) ProtoMessage() {}
-func (*DeviceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{13}
-}
-func (m *DeviceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaim.Merge(m, src)
-}
-func (m *DeviceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaim proto.InternalMessageInfo
-
-func (m *DeviceClaimConfiguration) Reset()      { *m = DeviceClaimConfiguration{} }
-func (*DeviceClaimConfiguration) ProtoMessage() {}
-func (*DeviceClaimConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{14}
-}
-func (m *DeviceClaimConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaimConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaimConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaimConfiguration.Merge(m, src)
-}
-func (m *DeviceClaimConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaimConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaimConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaimConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClass) Reset()      { *m = DeviceClass{} }
-func (*DeviceClass) ProtoMessage() {}
-func (*DeviceClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{15}
-}
-func (m *DeviceClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClass.Merge(m, src)
-}
-func (m *DeviceClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClass proto.InternalMessageInfo
-
-func (m *DeviceClassConfiguration) Reset()      { *m = DeviceClassConfiguration{} }
-func (*DeviceClassConfiguration) ProtoMessage() {}
-func (*DeviceClassConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{16}
-}
-func (m *DeviceClassConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassConfiguration.Merge(m, src)
-}
-func (m *DeviceClassConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClassList) Reset()      { *m = DeviceClassList{} }
-func (*DeviceClassList) ProtoMessage() {}
-func (*DeviceClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{17}
-}
-func (m *DeviceClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassList.Merge(m, src)
-}
-func (m *DeviceClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassList proto.InternalMessageInfo
-
-func (m *DeviceClassSpec) Reset()      { *m = DeviceClassSpec{} }
-func (*DeviceClassSpec) ProtoMessage() {}
-func (*DeviceClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{18}
-}
-func (m *DeviceClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassSpec.Merge(m, src)
-}
-func (m *DeviceClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassSpec proto.InternalMessageInfo
-
-func (m *DeviceConfiguration) Reset()      { *m = DeviceConfiguration{} }
-func (*DeviceConfiguration) ProtoMessage() {}
-func (*DeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{19}
-}
-func (m *DeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConfiguration.Merge(m, src)
-}
-func (m *DeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConfiguration.DiscardUnknown(m)
-}
+func (m *CELDeviceSelector) Reset() { *m = CELDeviceSelector{} }
 
-var xxx_messageInfo_DeviceConfiguration proto.InternalMessageInfo
+func (m *CapacityRequestPolicy) Reset() { *m = CapacityRequestPolicy{} }
 
-func (m *DeviceConstraint) Reset()      { *m = DeviceConstraint{} }
-func (*DeviceConstraint) ProtoMessage() {}
-func (*DeviceConstraint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{20}
-}
-func (m *DeviceConstraint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConstraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConstraint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConstraint.Merge(m, src)
-}
-func (m *DeviceConstraint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConstraint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConstraint.DiscardUnknown(m)
-}
+func (m *CapacityRequestPolicyRange) Reset() { *m = CapacityRequestPolicyRange{} }
 
-var xxx_messageInfo_DeviceConstraint proto.InternalMessageInfo
+func (m *CapacityRequirements) Reset() { *m = CapacityRequirements{} }
 
-func (m *DeviceCounterConsumption) Reset()      { *m = DeviceCounterConsumption{} }
-func (*DeviceCounterConsumption) ProtoMessage() {}
-func (*DeviceCounterConsumption) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{21}
-}
-func (m *DeviceCounterConsumption) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCounterConsumption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCounterConsumption) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCounterConsumption.Merge(m, src)
-}
-func (m *DeviceCounterConsumption) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCounterConsumption) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCounterConsumption.DiscardUnknown(m)
-}
+func (m *Counter) Reset() { *m = Counter{} }
 
-var xxx_messageInfo_DeviceCounterConsumption proto.InternalMessageInfo
+func (m *CounterSet) Reset() { *m = CounterSet{} }
 
-func (m *DeviceRequest) Reset()      { *m = DeviceRequest{} }
-func (*DeviceRequest) ProtoMessage() {}
-func (*DeviceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{22}
-}
-func (m *DeviceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequest.Merge(m, src)
-}
-func (m *DeviceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequest.DiscardUnknown(m)
-}
+func (m *Device) Reset() { *m = Device{} }
 
-var xxx_messageInfo_DeviceRequest proto.InternalMessageInfo
+func (m *DeviceAllocationConfiguration) Reset() { *m = DeviceAllocationConfiguration{} }
 
-func (m *DeviceRequestAllocationResult) Reset()      { *m = DeviceRequestAllocationResult{} }
-func (*DeviceRequestAllocationResult) ProtoMessage() {}
-func (*DeviceRequestAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{23}
-}
-func (m *DeviceRequestAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequestAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequestAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequestAllocationResult.Merge(m, src)
-}
-func (m *DeviceRequestAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequestAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequestAllocationResult.DiscardUnknown(m)
-}
+func (m *DeviceAllocationResult) Reset() { *m = DeviceAllocationResult{} }
 
-var xxx_messageInfo_DeviceRequestAllocationResult proto.InternalMessageInfo
+func (m *DeviceAttribute) Reset() { *m = DeviceAttribute{} }
 
-func (m *DeviceSelector) Reset()      { *m = DeviceSelector{} }
-func (*DeviceSelector) ProtoMessage() {}
-func (*DeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{24}
-}
-func (m *DeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSelector.Merge(m, src)
-}
-func (m *DeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSelector.DiscardUnknown(m)
-}
+func (m *DeviceCapacity) Reset() { *m = DeviceCapacity{} }
 
-var xxx_messageInfo_DeviceSelector proto.InternalMessageInfo
+func (m *DeviceClaim) Reset() { *m = DeviceClaim{} }
 
-func (m *DeviceSubRequest) Reset()      { *m = DeviceSubRequest{} }
-func (*DeviceSubRequest) ProtoMessage() {}
-func (*DeviceSubRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{25}
-}
-func (m *DeviceSubRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSubRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSubRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSubRequest.Merge(m, src)
-}
-func (m *DeviceSubRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSubRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSubRequest.DiscardUnknown(m)
-}
+func (m *DeviceClaimConfiguration) Reset() { *m = DeviceClaimConfiguration{} }
 
-var xxx_messageInfo_DeviceSubRequest proto.InternalMessageInfo
+func (m *DeviceClass) Reset() { *m = DeviceClass{} }
 
-func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
-func (*DeviceTaint) ProtoMessage() {}
-func (*DeviceTaint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{26}
-}
-func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaint.Merge(m, src)
-}
-func (m *DeviceTaint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
-}
+func (m *DeviceClassConfiguration) Reset() { *m = DeviceClassConfiguration{} }
 
-var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
+func (m *DeviceClassList) Reset() { *m = DeviceClassList{} }
 
-func (m *DeviceToleration) Reset()      { *m = DeviceToleration{} }
-func (*DeviceToleration) ProtoMessage() {}
-func (*DeviceToleration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{27}
-}
-func (m *DeviceToleration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceToleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceToleration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceToleration.Merge(m, src)
-}
-func (m *DeviceToleration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceToleration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceToleration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceToleration proto.InternalMessageInfo
-
-func (m *ExactDeviceRequest) Reset()      { *m = ExactDeviceRequest{} }
-func (*ExactDeviceRequest) ProtoMessage() {}
-func (*ExactDeviceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{28}
-}
-func (m *ExactDeviceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExactDeviceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExactDeviceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExactDeviceRequest.Merge(m, src)
-}
-func (m *ExactDeviceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExactDeviceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExactDeviceRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExactDeviceRequest proto.InternalMessageInfo
-
-func (m *NetworkDeviceData) Reset()      { *m = NetworkDeviceData{} }
-func (*NetworkDeviceData) ProtoMessage() {}
-func (*NetworkDeviceData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{29}
-}
-func (m *NetworkDeviceData) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkDeviceData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkDeviceData) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkDeviceData.Merge(m, src)
-}
-func (m *NetworkDeviceData) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkDeviceData) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkDeviceData.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetworkDeviceData proto.InternalMessageInfo
-
-func (m *OpaqueDeviceConfiguration) Reset()      { *m = OpaqueDeviceConfiguration{} }
-func (*OpaqueDeviceConfiguration) ProtoMessage() {}
-func (*OpaqueDeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{30}
-}
-func (m *OpaqueDeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OpaqueDeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OpaqueDeviceConfiguration.Merge(m, src)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *OpaqueDeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_OpaqueDeviceConfiguration.DiscardUnknown(m)
-}
+func (m *DeviceClassSpec) Reset() { *m = DeviceClassSpec{} }
 
-var xxx_messageInfo_OpaqueDeviceConfiguration proto.InternalMessageInfo
+func (m *DeviceConfiguration) Reset() { *m = DeviceConfiguration{} }
 
-func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
-func (*ResourceClaim) ProtoMessage() {}
-func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{31}
-}
-func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaim.Merge(m, src)
-}
-func (m *ResourceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaim.DiscardUnknown(m)
-}
+func (m *DeviceConstraint) Reset() { *m = DeviceConstraint{} }
 
-var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
+func (m *DeviceCounterConsumption) Reset() { *m = DeviceCounterConsumption{} }
 
-func (m *ResourceClaimConsumerReference) Reset()      { *m = ResourceClaimConsumerReference{} }
-func (*ResourceClaimConsumerReference) ProtoMessage() {}
-func (*ResourceClaimConsumerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{32}
-}
-func (m *ResourceClaimConsumerReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimConsumerReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimConsumerReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimConsumerReference.Merge(m, src)
-}
-func (m *ResourceClaimConsumerReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimConsumerReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimConsumerReference.DiscardUnknown(m)
-}
+func (m *DeviceRequest) Reset() { *m = DeviceRequest{} }
 
-var xxx_messageInfo_ResourceClaimConsumerReference proto.InternalMessageInfo
+func (m *DeviceRequestAllocationResult) Reset() { *m = DeviceRequestAllocationResult{} }
 
-func (m *ResourceClaimList) Reset()      { *m = ResourceClaimList{} }
-func (*ResourceClaimList) ProtoMessage() {}
-func (*ResourceClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{33}
-}
-func (m *ResourceClaimList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimList.Merge(m, src)
-}
-func (m *ResourceClaimList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimList.DiscardUnknown(m)
-}
+func (m *DeviceSelector) Reset() { *m = DeviceSelector{} }
 
-var xxx_messageInfo_ResourceClaimList proto.InternalMessageInfo
+func (m *DeviceSubRequest) Reset() { *m = DeviceSubRequest{} }
 
-func (m *ResourceClaimSpec) Reset()      { *m = ResourceClaimSpec{} }
-func (*ResourceClaimSpec) ProtoMessage() {}
-func (*ResourceClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{34}
-}
-func (m *ResourceClaimSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimSpec.Merge(m, src)
-}
-func (m *ResourceClaimSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimSpec.DiscardUnknown(m)
-}
+func (m *DeviceTaint) Reset() { *m = DeviceTaint{} }
 
-var xxx_messageInfo_ResourceClaimSpec proto.InternalMessageInfo
+func (m *DeviceToleration) Reset() { *m = DeviceToleration{} }
 
-func (m *ResourceClaimStatus) Reset()      { *m = ResourceClaimStatus{} }
-func (*ResourceClaimStatus) ProtoMessage() {}
-func (*ResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{35}
-}
-func (m *ResourceClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimStatus.Merge(m, src)
-}
-func (m *ResourceClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimStatus.DiscardUnknown(m)
-}
+func (m *ExactDeviceRequest) Reset() { *m = ExactDeviceRequest{} }
 
-var xxx_messageInfo_ResourceClaimStatus proto.InternalMessageInfo
+func (m *NetworkDeviceData) Reset() { *m = NetworkDeviceData{} }
 
-func (m *ResourceClaimTemplate) Reset()      { *m = ResourceClaimTemplate{} }
-func (*ResourceClaimTemplate) ProtoMessage() {}
-func (*ResourceClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{36}
-}
-func (m *ResourceClaimTemplate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplate.Merge(m, src)
-}
-func (m *ResourceClaimTemplate) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplate) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplate.DiscardUnknown(m)
-}
+func (m *OpaqueDeviceConfiguration) Reset() { *m = OpaqueDeviceConfiguration{} }
 
-var xxx_messageInfo_ResourceClaimTemplate proto.InternalMessageInfo
+func (m *ResourceClaim) Reset() { *m = ResourceClaim{} }
 
-func (m *ResourceClaimTemplateList) Reset()      { *m = ResourceClaimTemplateList{} }
-func (*ResourceClaimTemplateList) ProtoMessage() {}
-func (*ResourceClaimTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{37}
-}
-func (m *ResourceClaimTemplateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateList.Merge(m, src)
-}
-func (m *ResourceClaimTemplateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateList.DiscardUnknown(m)
-}
+func (m *ResourceClaimConsumerReference) Reset() { *m = ResourceClaimConsumerReference{} }
 
-var xxx_messageInfo_ResourceClaimTemplateList proto.InternalMessageInfo
+func (m *ResourceClaimList) Reset() { *m = ResourceClaimList{} }
 
-func (m *ResourceClaimTemplateSpec) Reset()      { *m = ResourceClaimTemplateSpec{} }
-func (*ResourceClaimTemplateSpec) ProtoMessage() {}
-func (*ResourceClaimTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{38}
-}
-func (m *ResourceClaimTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateSpec.Merge(m, src)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateSpec.DiscardUnknown(m)
-}
+func (m *ResourceClaimSpec) Reset() { *m = ResourceClaimSpec{} }
 
-var xxx_messageInfo_ResourceClaimTemplateSpec proto.InternalMessageInfo
+func (m *ResourceClaimStatus) Reset() { *m = ResourceClaimStatus{} }
 
-func (m *ResourcePool) Reset()      { *m = ResourcePool{} }
-func (*ResourcePool) ProtoMessage() {}
-func (*ResourcePool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{39}
-}
-func (m *ResourcePool) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePool) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePool) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePool.Merge(m, src)
-}
-func (m *ResourcePool) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePool) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePool.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplate) Reset() { *m = ResourceClaimTemplate{} }
 
-var xxx_messageInfo_ResourcePool proto.InternalMessageInfo
+func (m *ResourceClaimTemplateList) Reset() { *m = ResourceClaimTemplateList{} }
 
-func (m *ResourceSlice) Reset()      { *m = ResourceSlice{} }
-func (*ResourceSlice) ProtoMessage() {}
-func (*ResourceSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{40}
-}
-func (m *ResourceSlice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSlice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSlice.Merge(m, src)
-}
-func (m *ResourceSlice) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSlice) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSlice.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplateSpec) Reset() { *m = ResourceClaimTemplateSpec{} }
 
-var xxx_messageInfo_ResourceSlice proto.InternalMessageInfo
+func (m *ResourcePool) Reset() { *m = ResourcePool{} }
 
-func (m *ResourceSliceList) Reset()      { *m = ResourceSliceList{} }
-func (*ResourceSliceList) ProtoMessage() {}
-func (*ResourceSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{41}
-}
-func (m *ResourceSliceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceList.Merge(m, src)
-}
-func (m *ResourceSliceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceList.DiscardUnknown(m)
-}
+func (m *ResourceSlice) Reset() { *m = ResourceSlice{} }
 
-var xxx_messageInfo_ResourceSliceList proto.InternalMessageInfo
+func (m *ResourceSliceList) Reset() { *m = ResourceSliceList{} }
 
-func (m *ResourceSliceSpec) Reset()      { *m = ResourceSliceSpec{} }
-func (*ResourceSliceSpec) ProtoMessage() {}
-func (*ResourceSliceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f4fc532aec02d243, []int{42}
-}
-func (m *ResourceSliceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceSpec.Merge(m, src)
-}
-func (m *ResourceSliceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceSliceSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AllocatedDeviceStatus)(nil), "k8s.io.api.resource.v1.AllocatedDeviceStatus")
-	proto.RegisterType((*AllocationResult)(nil), "k8s.io.api.resource.v1.AllocationResult")
-	proto.RegisterType((*CELDeviceSelector)(nil), "k8s.io.api.resource.v1.CELDeviceSelector")
-	proto.RegisterType((*CapacityRequestPolicy)(nil), "k8s.io.api.resource.v1.CapacityRequestPolicy")
-	proto.RegisterType((*CapacityRequestPolicyRange)(nil), "k8s.io.api.resource.v1.CapacityRequestPolicyRange")
-	proto.RegisterType((*CapacityRequirements)(nil), "k8s.io.api.resource.v1.CapacityRequirements")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1.CapacityRequirements.RequestsEntry")
-	proto.RegisterType((*Counter)(nil), "k8s.io.api.resource.v1.Counter")
-	proto.RegisterType((*CounterSet)(nil), "k8s.io.api.resource.v1.CounterSet")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1.CounterSet.CountersEntry")
-	proto.RegisterType((*Device)(nil), "k8s.io.api.resource.v1.Device")
-	proto.RegisterMapType((map[QualifiedName]DeviceAttribute)(nil), "k8s.io.api.resource.v1.Device.AttributesEntry")
-	proto.RegisterMapType((map[QualifiedName]DeviceCapacity)(nil), "k8s.io.api.resource.v1.Device.CapacityEntry")
-	proto.RegisterType((*DeviceAllocationConfiguration)(nil), "k8s.io.api.resource.v1.DeviceAllocationConfiguration")
-	proto.RegisterType((*DeviceAllocationResult)(nil), "k8s.io.api.resource.v1.DeviceAllocationResult")
-	proto.RegisterType((*DeviceAttribute)(nil), "k8s.io.api.resource.v1.DeviceAttribute")
-	proto.RegisterType((*DeviceCapacity)(nil), "k8s.io.api.resource.v1.DeviceCapacity")
-	proto.RegisterType((*DeviceClaim)(nil), "k8s.io.api.resource.v1.DeviceClaim")
-	proto.RegisterType((*DeviceClaimConfiguration)(nil), "k8s.io.api.resource.v1.DeviceClaimConfiguration")
-	proto.RegisterType((*DeviceClass)(nil), "k8s.io.api.resource.v1.DeviceClass")
-	proto.RegisterType((*DeviceClassConfiguration)(nil), "k8s.io.api.resource.v1.DeviceClassConfiguration")
-	proto.RegisterType((*DeviceClassList)(nil), "k8s.io.api.resource.v1.DeviceClassList")
-	proto.RegisterType((*DeviceClassSpec)(nil), "k8s.io.api.resource.v1.DeviceClassSpec")
-	proto.RegisterType((*DeviceConfiguration)(nil), "k8s.io.api.resource.v1.DeviceConfiguration")
-	proto.RegisterType((*DeviceConstraint)(nil), "k8s.io.api.resource.v1.DeviceConstraint")
-	proto.RegisterType((*DeviceCounterConsumption)(nil), "k8s.io.api.resource.v1.DeviceCounterConsumption")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1.DeviceCounterConsumption.CountersEntry")
-	proto.RegisterType((*DeviceRequest)(nil), "k8s.io.api.resource.v1.DeviceRequest")
-	proto.RegisterType((*DeviceRequestAllocationResult)(nil), "k8s.io.api.resource.v1.DeviceRequestAllocationResult")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1.DeviceRequestAllocationResult.ConsumedCapacityEntry")
-	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1.DeviceSelector")
-	proto.RegisterType((*DeviceSubRequest)(nil), "k8s.io.api.resource.v1.DeviceSubRequest")
-	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1.DeviceTaint")
-	proto.RegisterType((*DeviceToleration)(nil), "k8s.io.api.resource.v1.DeviceToleration")
-	proto.RegisterType((*ExactDeviceRequest)(nil), "k8s.io.api.resource.v1.ExactDeviceRequest")
-	proto.RegisterType((*NetworkDeviceData)(nil), "k8s.io.api.resource.v1.NetworkDeviceData")
-	proto.RegisterType((*OpaqueDeviceConfiguration)(nil), "k8s.io.api.resource.v1.OpaqueDeviceConfiguration")
-	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.resource.v1.ResourceClaim")
-	proto.RegisterType((*ResourceClaimConsumerReference)(nil), "k8s.io.api.resource.v1.ResourceClaimConsumerReference")
-	proto.RegisterType((*ResourceClaimList)(nil), "k8s.io.api.resource.v1.ResourceClaimList")
-	proto.RegisterType((*ResourceClaimSpec)(nil), "k8s.io.api.resource.v1.ResourceClaimSpec")
-	proto.RegisterType((*ResourceClaimStatus)(nil), "k8s.io.api.resource.v1.ResourceClaimStatus")
-	proto.RegisterType((*ResourceClaimTemplate)(nil), "k8s.io.api.resource.v1.ResourceClaimTemplate")
-	proto.RegisterType((*ResourceClaimTemplateList)(nil), "k8s.io.api.resource.v1.ResourceClaimTemplateList")
-	proto.RegisterType((*ResourceClaimTemplateSpec)(nil), "k8s.io.api.resource.v1.ResourceClaimTemplateSpec")
-	proto.RegisterType((*ResourcePool)(nil), "k8s.io.api.resource.v1.ResourcePool")
-	proto.RegisterType((*ResourceSlice)(nil), "k8s.io.api.resource.v1.ResourceSlice")
-	proto.RegisterType((*ResourceSliceList)(nil), "k8s.io.api.resource.v1.ResourceSliceList")
-	proto.RegisterType((*ResourceSliceSpec)(nil), "k8s.io.api.resource.v1.ResourceSliceSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/resource/v1/generated.proto", fileDescriptor_f4fc532aec02d243)
-}
-
-var fileDescriptor_f4fc532aec02d243 = []byte{
-	// 3028 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x5b, 0x4d, 0x6c, 0x24, 0x47,
-	0xf5, 0x77, 0xcf, 0xcc, 0x8e, 0xc7, 0x6f, 0x6c, 0xaf, 0x5d, 0xbb, 0xeb, 0x4c, 0xfc, 0xff, 0xc7,
-	0xe3, 0xf4, 0x92, 0xc4, 0x49, 0x76, 0xc7, 0x6b, 0x8b, 0x44, 0x51, 0x12, 0x10, 0x1e, 0xdb, 0x9b,
-	0x38, 0xfb, 0x11, 0xa7, 0xc6, 0x6b, 0x36, 0x28, 0x84, 0xb4, 0x7b, 0xca, 0x76, 0xe3, 0x9e, 0xee,
-	0x49, 0x77, 0x8d, 0x77, 0xcd, 0x29, 0xe2, 0x00, 0x57, 0x04, 0x12, 0x02, 0x24, 0x24, 0x94, 0x03,
-	0x12, 0x17, 0x84, 0x38, 0x11, 0x04, 0x28, 0xc7, 0x08, 0x29, 0x28, 0x17, 0xa4, 0x20, 0xa1, 0x81,
-	0x1d, 0x4e, 0x48, 0x08, 0x89, 0x0b, 0x07, 0x1f, 0x10, 0xaa, 0xea, 0xaa, 0xfe, 0x9a, 0x6e, 0x4f,
-	0xdb, 0x59, 0xaf, 0x96, 0x9b, 0xe7, 0xd5, 0x7b, 0xbf, 0xaa, 0x7a, 0xf5, 0xbe, 0xea, 0x75, 0x19,
-	0x9e, 0xdc, 0x7b, 0xc1, 0xad, 0x19, 0xf6, 0xbc, 0xd6, 0x36, 0xe6, 0x1d, 0xe2, 0xda, 0x1d, 0x47,
-	0x27, 0xf3, 0xfb, 0x0b, 0xf3, 0x3b, 0xc4, 0x22, 0x8e, 0x46, 0x49, 0xb3, 0xd6, 0x76, 0x6c, 0x6a,
-	0xa3, 0x29, 0x8f, 0xaf, 0xa6, 0xb5, 0x8d, 0x9a, 0xe4, 0xab, 0xed, 0x2f, 0x4c, 0x5f, 0xde, 0x31,
-	0xe8, 0x6e, 0x67, 0xab, 0xa6, 0xdb, 0xad, 0xf9, 0x1d, 0x7b, 0xc7, 0x9e, 0xe7, 0xec, 0x5b, 0x9d,
-	0x6d, 0xfe, 0x8b, 0xff, 0xe0, 0x7f, 0x79, 0x30, 0xd3, 0x6a, 0x68, 0x3a, 0xdd, 0x76, 0x92, 0xa6,
-	0x9a, 0xfe, 0x7c, 0xc0, 0xd3, 0xd2, 0xf4, 0x5d, 0xc3, 0x22, 0xce, 0xc1, 0x7c, 0x7b, 0x6f, 0x27,
-	0xba, 0xc6, 0xe3, 0x48, 0xb9, 0xf3, 0x2d, 0x42, 0xb5, 0xa4, 0xb9, 0xe6, 0xd3, 0xa4, 0x9c, 0x8e,
-	0x45, 0x8d, 0x56, 0xff, 0x34, 0xcf, 0x0f, 0x12, 0x70, 0xf5, 0x5d, 0xd2, 0xd2, 0xe2, 0x72, 0xea,
-	0x87, 0x79, 0xb8, 0xb0, 0x64, 0x9a, 0xb6, 0xce, 0x68, 0x2b, 0x64, 0xdf, 0xd0, 0x49, 0x83, 0x6a,
-	0xb4, 0xe3, 0xa2, 0x27, 0xa1, 0xd8, 0x74, 0x8c, 0x7d, 0xe2, 0x54, 0x94, 0x59, 0x65, 0x6e, 0xa4,
-	0x3e, 0xfe, 0x51, 0xb7, 0x3a, 0xd4, 0xeb, 0x56, 0x8b, 0x2b, 0x9c, 0x8a, 0xc5, 0x28, 0x9a, 0x85,
-	0x42, 0xdb, 0xb6, 0xcd, 0x4a, 0x8e, 0x73, 0x8d, 0x0a, 0xae, 0xc2, 0xba, 0x6d, 0x9b, 0x98, 0x8f,
-	0x70, 0x24, 0x8e, 0x5c, 0xc9, 0xc7, 0x90, 0x38, 0x15, 0x8b, 0x51, 0xf4, 0x04, 0x0c, 0xbb, 0xbb,
-	0x9a, 0x43, 0xd6, 0x56, 0x2a, 0xc3, 0x9c, 0xb1, 0xdc, 0xeb, 0x56, 0x87, 0x1b, 0x1e, 0x09, 0xcb,
-	0x31, 0xa4, 0x03, 0xe8, 0xb6, 0xd5, 0x34, 0xa8, 0x61, 0x5b, 0x6e, 0xa5, 0x30, 0x9b, 0x9f, 0x2b,
-	0x2f, 0xce, 0xd7, 0x02, 0x3b, 0xf0, 0xf7, 0x5f, 0x6b, 0xef, 0xed, 0x30, 0x82, 0x5b, 0x63, 0x6a,
-	0xae, 0xed, 0x2f, 0xd4, 0x96, 0xa5, 0x5c, 0x1d, 0x89, 0x35, 0x80, 0x4f, 0x72, 0x71, 0x08, 0x16,
-	0x5d, 0x83, 0x42, 0x53, 0xa3, 0x5a, 0xe5, 0xcc, 0xac, 0x32, 0x57, 0x5e, 0xbc, 0x9c, 0x0a, 0x2f,
-	0xd4, 0x5b, 0xc3, 0xda, 0x9d, 0xd5, 0xbb, 0x94, 0x58, 0x2e, 0x03, 0x2f, 0x31, 0x05, 0xac, 0x68,
-	0x54, 0xc3, 0x1c, 0x04, 0xbd, 0x05, 0x65, 0x8b, 0xd0, 0x3b, 0xb6, 0xb3, 0xc7, 0x88, 0x95, 0x22,
-	0xc7, 0x7c, 0xba, 0x96, 0x6c, 0xba, 0xb5, 0x9b, 0x82, 0x95, 0x2b, 0x85, 0x09, 0xd4, 0xcf, 0xf6,
-	0xba, 0xd5, 0xf2, 0xcd, 0x00, 0x01, 0x87, 0xe1, 0xd4, 0xdf, 0xe4, 0x60, 0x42, 0x1c, 0xa1, 0x61,
-	0x5b, 0x98, 0xb8, 0x1d, 0x93, 0xa2, 0x37, 0x61, 0xd8, 0xd3, 0xaa, 0xcb, 0x8f, 0xaf, 0xbc, 0x58,
-	0x4b, 0x9b, 0xce, 0x9b, 0x27, 0x0e, 0x50, 0x3f, 0x2b, 0x14, 0x34, 0xec, 0x8d, 0xbb, 0x58, 0xe2,
-	0xa1, 0x4d, 0x18, 0xb5, 0xec, 0x26, 0x69, 0x10, 0x93, 0xe8, 0xd4, 0x76, 0xf8, 0xa1, 0x96, 0x17,
-	0x67, 0xc3, 0xf8, 0xcc, 0x85, 0xf8, 0x56, 0x42, 0x7c, 0xf5, 0x89, 0x5e, 0xb7, 0x3a, 0x1a, 0xa6,
-	0xe0, 0x08, 0x0e, 0xea, 0xc0, 0x39, 0xcd, 0x5f, 0xc5, 0x86, 0xd1, 0x22, 0x2e, 0xd5, 0x5a, 0x6d,
-	0x71, 0x02, 0xcf, 0x64, 0x3b, 0x60, 0x26, 0x56, 0x7f, 0xa4, 0xd7, 0xad, 0x9e, 0x5b, 0xea, 0x87,
-	0xc2, 0x49, 0xf8, 0xea, 0x2b, 0x30, 0xb9, 0xbc, 0x7a, 0x5d, 0x98, 0xbe, 0x5c, 0xcb, 0x22, 0x00,
-	0xb9, 0xdb, 0x76, 0x88, 0xcb, 0xce, 0x53, 0x38, 0x80, 0x6f, 0x32, 0xab, 0xfe, 0x08, 0x0e, 0x71,
-	0xa9, 0x1f, 0xe4, 0xe0, 0xc2, 0xb2, 0xd6, 0xd6, 0x74, 0x83, 0x1e, 0x60, 0xf2, 0x6e, 0x87, 0xb8,
-	0x74, 0xdd, 0x36, 0x0d, 0xfd, 0x00, 0xdd, 0x62, 0x87, 0xb1, 0xad, 0x75, 0x4c, 0x9a, 0x70, 0x18,
-	0x7d, 0xbb, 0x09, 0x4e, 0xe7, 0x8d, 0x8e, 0x66, 0x51, 0x83, 0x1e, 0x78, 0x8e, 0xb0, 0xe2, 0x41,
-	0x60, 0x89, 0x85, 0x08, 0x94, 0xf7, 0x35, 0xd3, 0x68, 0x6e, 0x6a, 0x66, 0x87, 0xb8, 0x95, 0x3c,
-	0xf7, 0x84, 0xe3, 0x42, 0x9f, 0x13, 0xbb, 0x2a, 0x6f, 0x06, 0x50, 0x38, 0x8c, 0x8b, 0xb6, 0x00,
-	0xf8, 0x4f, 0xac, 0x59, 0x3b, 0xa4, 0x52, 0xe0, 0x1b, 0x58, 0x4c, 0xb3, 0xa6, 0x44, 0x05, 0x70,
-	0xc9, 0xfa, 0x38, 0xd3, 0xdd, 0xa6, 0x8f, 0x84, 0x43, 0xa8, 0xea, 0x7b, 0x39, 0x98, 0x4e, 0x17,
-	0x45, 0x6b, 0x90, 0x6f, 0x19, 0xd6, 0x09, 0x95, 0x37, 0xdc, 0xeb, 0x56, 0xf3, 0x37, 0x0c, 0x0b,
-	0x33, 0x0c, 0x0e, 0xa5, 0xdd, 0xe5, 0xd1, 0xea, 0xa4, 0x50, 0xda, 0x5d, 0xcc, 0x30, 0xd0, 0x75,
-	0x28, 0xb8, 0x94, 0xb4, 0x85, 0x03, 0x1c, 0x17, 0x8b, 0x07, 0x89, 0x06, 0x25, 0x6d, 0xcc, 0x51,
-	0xd4, 0xff, 0x28, 0x70, 0x3e, 0xac, 0x02, 0xc3, 0x21, 0x2d, 0x62, 0x51, 0x17, 0x1d, 0x40, 0xc9,
-	0xf1, 0x54, 0xc2, 0x7c, 0x99, 0x9d, 0xf1, 0x8b, 0x59, 0xb4, 0x2f, 0xe5, 0x6b, 0x42, 0x9f, 0xee,
-	0xaa, 0x45, 0x9d, 0x83, 0xfa, 0xe3, 0xe2, 0xbc, 0x4b, 0x92, 0xfc, 0xcd, 0xbf, 0x54, 0xc7, 0xde,
-	0xe8, 0x68, 0xa6, 0xb1, 0x6d, 0x90, 0xe6, 0x4d, 0xad, 0x45, 0xb0, 0x3f, 0xdd, 0xf4, 0x1e, 0x8c,
-	0x45, 0xa4, 0xd1, 0x04, 0xe4, 0xf7, 0xc8, 0x81, 0xe7, 0x10, 0x98, 0xfd, 0x89, 0x56, 0xe0, 0xcc,
-	0x3e, 0xb3, 0x93, 0x93, 0x69, 0x14, 0x7b, 0xc2, 0x2f, 0xe6, 0x5e, 0x50, 0xd4, 0xb7, 0x61, 0x78,
-	0xd9, 0xee, 0x58, 0x94, 0x38, 0xa8, 0x21, 0x41, 0x4f, 0x76, 0xe2, 0x63, 0x62, 0x8f, 0x67, 0xb8,
-	0x05, 0x8b, 0x39, 0xd4, 0x7f, 0x28, 0x00, 0x62, 0x82, 0x06, 0xa1, 0x2c, 0x6f, 0x59, 0x5a, 0x8b,
-	0x08, 0xe7, 0xf6, 0xf3, 0x16, 0xd7, 0x00, 0x1f, 0x41, 0x6f, 0x43, 0x49, 0xf7, 0xf8, 0xdd, 0x4a,
-	0x8e, 0x2b, 0xfe, 0x4a, 0xaa, 0xe2, 0x7d, 0x5c, 0xf9, 0xa7, 0x50, 0xf7, 0x84, 0x54, 0xb7, 0x24,
-	0x63, 0x1f, 0x73, 0xfa, 0x2d, 0x18, 0x8b, 0x30, 0x27, 0x68, 0xf7, 0xb9, 0xa8, 0x76, 0xab, 0x03,
-	0xe6, 0x0f, 0xab, 0xf3, 0xdf, 0x25, 0x10, 0x09, 0x36, 0xc3, 0x56, 0x5d, 0x00, 0x8d, 0x52, 0xc7,
-	0xd8, 0xea, 0x50, 0x22, 0x37, 0x3b, 0x20, 0x63, 0xd4, 0x96, 0x7c, 0x01, 0x6f, 0xab, 0x17, 0x65,
-	0x7c, 0x0c, 0x06, 0xfa, 0x6d, 0x2b, 0x34, 0x0d, 0xda, 0x83, 0x92, 0x2e, 0x0c, 0x56, 0x04, 0xaf,
-	0x4b, 0x03, 0xa6, 0x94, 0xf6, 0x1d, 0x33, 0x65, 0x49, 0x4e, 0x30, 0x65, 0x39, 0x01, 0xda, 0x87,
-	0x09, 0xdd, 0xb6, 0xdc, 0x4e, 0x8b, 0xb8, 0x52, 0xe9, 0xa2, 0x76, 0xb8, 0x72, 0xf4, 0xa4, 0x82,
-	0x7b, 0x99, 0x0b, 0xb7, 0x79, 0xf1, 0x50, 0x11, 0x13, 0x4f, 0x2c, 0xc7, 0x10, 0x71, 0xdf, 0x1c,
-	0x68, 0x0e, 0x4a, 0x2c, 0xcb, 0xb1, 0xd5, 0xf0, 0x54, 0x36, 0x52, 0x1f, 0x65, 0x4b, 0xbe, 0x29,
-	0x68, 0xd8, 0x1f, 0xed, 0xcb, 0xab, 0xc5, 0xfb, 0x94, 0x57, 0xe7, 0xa0, 0xa4, 0x99, 0x26, 0x63,
-	0x70, 0x79, 0x5d, 0x55, 0xf2, 0x56, 0xb0, 0x24, 0x68, 0xd8, 0x1f, 0x45, 0xd7, 0xa0, 0x48, 0x35,
-	0xc3, 0xa2, 0x6e, 0xa5, 0xc4, 0x35, 0x73, 0xf1, 0x68, 0xcd, 0x6c, 0x30, 0xde, 0xa0, 0x9a, 0xe3,
-	0x3f, 0x5d, 0x2c, 0x20, 0xd0, 0x02, 0x94, 0xb7, 0x0c, 0xab, 0xe9, 0x6e, 0xd8, 0x0c, 0xbc, 0x32,
-	0xc2, 0x67, 0xe6, 0x95, 0x4c, 0x3d, 0x20, 0xe3, 0x30, 0x0f, 0x5a, 0x86, 0x49, 0xf6, 0xd3, 0xb0,
-	0x76, 0x82, 0xaa, 0xac, 0x02, 0xb3, 0xf9, 0xb9, 0x91, 0xfa, 0x85, 0x5e, 0xb7, 0x3a, 0x59, 0x8f,
-	0x0f, 0xe2, 0x7e, 0x7e, 0x74, 0x1b, 0x2a, 0x82, 0x78, 0x55, 0x33, 0xcc, 0x8e, 0x43, 0x42, 0x58,
-	0x65, 0x8e, 0xf5, 0xff, 0xbd, 0x6e, 0xb5, 0x52, 0x4f, 0xe1, 0xc1, 0xa9, 0xd2, 0x0c, 0x99, 0x15,
-	0x10, 0x77, 0x6e, 0x74, 0x4c, 0x6a, 0xb4, 0xcd, 0x50, 0xcd, 0xe4, 0x56, 0x46, 0xf9, 0xf6, 0x38,
-	0xf2, 0x52, 0x0a, 0x0f, 0x4e, 0x95, 0x9e, 0xde, 0x86, 0xb3, 0x31, 0x6f, 0x4a, 0x88, 0x05, 0x5f,
-	0x88, 0xc6, 0x82, 0xa7, 0x06, 0x14, 0x74, 0x12, 0x2f, 0x14, 0x13, 0xa6, 0x75, 0x18, 0x8b, 0xb8,
-	0x50, 0xc2, 0x2c, 0x2f, 0x47, 0x67, 0x79, 0x72, 0x80, 0x73, 0xc8, 0x84, 0x13, 0x0a, 0x3c, 0xdf,
-	0xce, 0xc1, 0x63, 0xf1, 0xa2, 0x72, 0xd9, 0xb6, 0xb6, 0x8d, 0x9d, 0x8e, 0xc3, 0x7f, 0xa0, 0x2f,
-	0x41, 0xd1, 0x03, 0x12, 0x11, 0x69, 0x4e, 0x9a, 0x50, 0x83, 0x53, 0x0f, 0xbb, 0xd5, 0xa9, 0xb8,
-	0xa8, 0x37, 0x82, 0x85, 0x1c, 0xb3, 0x69, 0x3f, 0x27, 0xe6, 0xf8, 0xa1, 0x8e, 0x86, 0x73, 0x5a,
-	0x90, 0xc2, 0xd0, 0x37, 0xe0, 0x5c, 0x53, 0xf8, 0x71, 0x68, 0x09, 0x22, 0x67, 0x3f, 0x3b, 0xc8,
-	0xf5, 0x43, 0x22, 0xf5, 0xff, 0x13, 0xab, 0x3c, 0x97, 0x30, 0x88, 0x93, 0x26, 0x51, 0xff, 0xa4,
-	0xc0, 0x54, 0x72, 0x79, 0x8d, 0xde, 0x81, 0x61, 0x87, 0xff, 0x25, 0x73, 0xfa, 0x73, 0x47, 0x2f,
-	0x45, 0xec, 0x2c, 0xbd, 0x4c, 0xf7, 0x7e, 0xbb, 0x58, 0xc2, 0xa2, 0xaf, 0x42, 0x51, 0xe7, 0xab,
-	0x11, 0xe1, 0xfc, 0xb9, 0xac, 0x17, 0x80, 0xe8, 0xae, 0x7d, 0xf7, 0xf6, 0xc8, 0x58, 0x80, 0xaa,
-	0x3f, 0x53, 0xe0, 0x6c, 0xcc, 0xd2, 0xd0, 0x0c, 0xe4, 0x0d, 0x8b, 0x72, 0xcb, 0xc9, 0x7b, 0x07,
-	0xb2, 0x66, 0x51, 0x2f, 0x07, 0xb3, 0x01, 0xf4, 0x38, 0x14, 0xb6, 0xd8, 0x55, 0x31, 0xcf, 0x9d,
-	0x65, 0xac, 0xd7, 0xad, 0x8e, 0xd4, 0x6d, 0xdb, 0xf4, 0x38, 0xf8, 0x10, 0x7a, 0x0a, 0x8a, 0x2e,
-	0x75, 0x0c, 0x6b, 0x87, 0x17, 0x9a, 0x23, 0x5e, 0xc0, 0x68, 0x70, 0x8a, 0xc7, 0x26, 0x86, 0xd1,
-	0x33, 0x30, 0xbc, 0x4f, 0x1c, 0x5e, 0x9e, 0x7b, 0x61, 0x95, 0x87, 0xc1, 0x4d, 0x8f, 0xe4, 0xb1,
-	0x4a, 0x06, 0xf5, 0x63, 0x05, 0xc6, 0xa3, 0xf6, 0x7a, 0x2a, 0x15, 0x06, 0xda, 0x86, 0x31, 0x27,
-	0x5c, 0xbc, 0x0a, 0x1f, 0xba, 0x7c, 0xac, 0x62, 0xb9, 0x3e, 0xd9, 0xeb, 0x56, 0xc7, 0xa2, 0x45,
-	0x70, 0x14, 0x56, 0xfd, 0x71, 0x0e, 0xca, 0x62, 0x3f, 0xa6, 0x66, 0xb4, 0x50, 0xa3, 0xaf, 0x42,
-	0x7c, 0x22, 0x93, 0x35, 0x05, 0xd5, 0x49, 0x82, 0xe3, 0x7c, 0x0d, 0xca, 0x2c, 0x99, 0x51, 0xc7,
-	0xcb, 0x08, 0x9e, 0x11, 0xcd, 0x0d, 0x74, 0x18, 0x21, 0x10, 0xdc, 0x2b, 0x02, 0x9a, 0x8b, 0xc3,
-	0x88, 0xe8, 0xb6, 0x6f, 0xa0, 0xf9, 0x4c, 0x79, 0x98, 0x6d, 0x35, 0x9b, 0x6d, 0x7e, 0xa8, 0x40,
-	0x25, 0x4d, 0x28, 0x12, 0x3a, 0x94, 0x93, 0x84, 0x8e, 0xdc, 0x83, 0x08, 0x1d, 0xbf, 0x56, 0x42,
-	0x47, 0xec, 0xba, 0xe8, 0x1d, 0x28, 0xb1, 0x3b, 0x2e, 0xef, 0x49, 0x78, 0x26, 0x7b, 0x25, 0xdb,
-	0x8d, 0xf8, 0xf5, 0xad, 0xaf, 0x13, 0x9d, 0xde, 0x20, 0x54, 0x0b, 0x2e, 0xb0, 0x01, 0x0d, 0xfb,
-	0xa8, 0x68, 0x0d, 0x0a, 0x6e, 0x9b, 0xe8, 0xd9, 0xb2, 0x0b, 0x5f, 0x54, 0xa3, 0x4d, 0xf4, 0xa0,
-	0x9a, 0x64, 0xbf, 0x30, 0x87, 0x50, 0xbf, 0x1f, 0xd6, 0xbf, 0xeb, 0x46, 0xf5, 0x9f, 0xa2, 0x55,
-	0xe5, 0x41, 0x68, 0xf5, 0x03, 0x3f, 0x68, 0xf1, 0x85, 0x5d, 0x37, 0x5c, 0x8a, 0xde, 0xea, 0xd3,
-	0x6c, 0x2d, 0x9b, 0x66, 0x99, 0x34, 0xd7, 0xab, 0xef, 0x45, 0x92, 0x12, 0xd2, 0xea, 0xab, 0x70,
-	0xc6, 0xa0, 0xa4, 0x25, 0xfd, 0xe7, 0x62, 0x06, 0xb5, 0x06, 0xc1, 0x65, 0x8d, 0x49, 0x62, 0x0f,
-	0x40, 0xfd, 0x6e, 0x2e, 0xb2, 0x76, 0xa6, 0x6e, 0xf4, 0x65, 0x18, 0x71, 0x45, 0x99, 0x27, 0x3d,
-	0x7f, 0x40, 0xc2, 0xf6, 0xab, 0xc6, 0x49, 0x31, 0xc9, 0x88, 0xa4, 0xb8, 0x38, 0xc0, 0x0a, 0xf9,
-	0x66, 0x2e, 0xa3, 0x6f, 0xc6, 0x8e, 0x39, 0xcd, 0x37, 0xd1, 0x75, 0x38, 0x4f, 0xee, 0x52, 0x62,
-	0x35, 0x49, 0x13, 0x0b, 0x1c, 0x5e, 0x1b, 0x7b, 0xe1, 0xbe, 0xd2, 0xeb, 0x56, 0xcf, 0xaf, 0x26,
-	0x8c, 0xe3, 0x44, 0x29, 0xd5, 0x84, 0xa4, 0xc3, 0x47, 0xb7, 0xa0, 0x68, 0xb7, 0xb5, 0x77, 0xfd,
-	0xf0, 0xbe, 0x90, 0xb6, 0xfc, 0xd7, 0x39, 0x57, 0x92, 0x71, 0x01, 0x5b, 0xbb, 0x37, 0x8c, 0x05,
-	0x98, 0xfa, 0x77, 0x05, 0x26, 0xe2, 0x81, 0xee, 0x18, 0xf1, 0x64, 0x1d, 0xc6, 0x5b, 0x1a, 0xd5,
-	0x77, 0xfd, 0x84, 0x29, 0x7a, 0xa6, 0x73, 0xbd, 0x6e, 0x75, 0xfc, 0x46, 0x64, 0xe4, 0xb0, 0x5b,
-	0x45, 0x57, 0x3b, 0xa6, 0x79, 0x10, 0xbd, 0xce, 0xc4, 0xe4, 0xd1, 0x9b, 0x30, 0xd9, 0x34, 0x5c,
-	0x6a, 0x58, 0x3a, 0x0d, 0x40, 0xbd, 0x26, 0xeb, 0xb3, 0xac, 0x60, 0x5e, 0x89, 0x0f, 0xa6, 0xe0,
-	0xf6, 0xa3, 0xa8, 0x3f, 0xca, 0xf9, 0x3e, 0xdc, 0x77, 0x01, 0x42, 0x8b, 0x00, 0xba, 0x7f, 0xe3,
-	0x8d, 0xb7, 0xc7, 0x82, 0xbb, 0x30, 0x0e, 0x71, 0x21, 0xb3, 0xef, 0x36, 0xfd, 0xc5, 0xe3, 0x5e,
-	0xbc, 0x1e, 0x9a, 0xbb, 0xf5, 0x3f, 0x15, 0x18, 0x8b, 0x64, 0xd2, 0x0c, 0x57, 0xec, 0x37, 0x60,
-	0x98, 0xdc, 0xd5, 0x74, 0x6a, 0xca, 0xb2, 0xe0, 0x99, 0xb4, 0x09, 0x57, 0x19, 0x5b, 0x34, 0x51,
-	0xf3, 0x06, 0xe0, 0xaa, 0x27, 0x8e, 0x25, 0x0e, 0xda, 0x85, 0xf1, 0x6d, 0xc3, 0x71, 0xe9, 0xd2,
-	0xbe, 0x66, 0x98, 0xda, 0x96, 0x49, 0x44, 0x26, 0x1d, 0x90, 0xa5, 0x1b, 0x9d, 0x2d, 0x89, 0x3b,
-	0x25, 0x16, 0x3a, 0x7e, 0x35, 0x82, 0x83, 0x63, 0xb8, 0xea, 0x1f, 0x8b, 0xb2, 0xa6, 0x4f, 0x29,
-	0x44, 0xd1, 0xd3, 0xac, 0xa0, 0xe5, 0x43, 0x42, 0x07, 0xa1, 0xca, 0x94, 0x93, 0xb1, 0x1c, 0x0f,
-	0x7d, 0x59, 0xc8, 0x65, 0xfa, 0xb2, 0x90, 0xcf, 0xf0, 0x65, 0xa1, 0x70, 0xe4, 0x97, 0x85, 0x05,
-	0x28, 0x6b, 0xcd, 0x96, 0x61, 0x2d, 0xe9, 0x3a, 0x71, 0x5d, 0x5e, 0x30, 0x8a, 0xbb, 0xe8, 0x52,
-	0x40, 0xc6, 0x61, 0x1e, 0x56, 0xfe, 0x50, 0xdb, 0x24, 0x8e, 0xb8, 0xdf, 0x15, 0xb3, 0x28, 0x76,
-	0xc3, 0x17, 0x08, 0xca, 0x9f, 0x80, 0xe6, 0xe2, 0x30, 0x62, 0xf2, 0x65, 0x77, 0xf8, 0x3e, 0x5e,
-	0x76, 0x4b, 0x9f, 0xe9, 0xb2, 0xfb, 0x5a, 0xf0, 0x31, 0x66, 0x84, 0xeb, 0xf6, 0x4a, 0xe8, 0x63,
-	0xcc, 0x61, 0xb7, 0xfa, 0x78, 0xda, 0x07, 0x27, 0x7a, 0xd0, 0x26, 0x6e, 0xed, 0x56, 0xf8, 0x8b,
-	0xcd, 0xfb, 0x8a, 0xdf, 0x7c, 0x69, 0xca, 0x9a, 0x97, 0xdf, 0xeb, 0xcb, 0x8b, 0xd7, 0x4e, 0x74,
-	0xed, 0xa9, 0x2d, 0xc7, 0xd0, 0xbc, 0x80, 0xf0, 0x74, 0xac, 0x2f, 0xd3, 0x4c, 0x6f, 0x0c, 0xf5,
-	0xad, 0x67, 0xda, 0x85, 0x0b, 0x89, 0xa8, 0xa7, 0xda, 0xf3, 0xdc, 0x94, 0x17, 0x13, 0xbf, 0x5b,
-	0xb3, 0x02, 0x79, 0x9d, 0x98, 0x22, 0x6f, 0xa5, 0x7e, 0x23, 0xea, 0xfb, 0x62, 0xe1, 0xb5, 0xa6,
-	0x97, 0x57, 0xaf, 0x63, 0x26, 0xae, 0x7e, 0xab, 0x20, 0x33, 0x55, 0xe0, 0xec, 0x19, 0x62, 0xd4,
-	0x12, 0x9c, 0x6d, 0x06, 0x09, 0x9d, 0xe7, 0x65, 0xcf, 0x45, 0x1f, 0x11, 0xcc, 0xe1, 0x0a, 0x84,
-	0xcb, 0xc5, 0xf9, 0xa3, 0x25, 0x49, 0xfe, 0x3e, 0x96, 0x24, 0x9b, 0x30, 0x1e, 0x7c, 0xbe, 0xb9,
-	0x61, 0x37, 0xa5, 0xcf, 0xd7, 0x64, 0x08, 0x5b, 0x8a, 0x8c, 0x1e, 0x76, 0xab, 0xe7, 0xe3, 0x37,
-	0x5b, 0x46, 0xc7, 0x31, 0x14, 0x74, 0x11, 0xce, 0xf0, 0xac, 0xc1, 0xa3, 0x42, 0x3e, 0x28, 0xbe,
-	0x78, 0xd8, 0xc7, 0xde, 0xd8, 0xe9, 0x47, 0x83, 0xcd, 0x50, 0x2f, 0x74, 0x98, 0x9f, 0xfd, 0xa5,
-	0xe3, 0x34, 0xf9, 0xbd, 0x9a, 0xc3, 0x1f, 0xf1, 0xb1, 0xd4, 0x7f, 0xf9, 0xf7, 0x08, 0xde, 0x9e,
-	0x43, 0x8f, 0x85, 0x8c, 0xb9, 0x5e, 0x16, 0xcb, 0xca, 0x5f, 0x23, 0x07, 0x9e, 0x65, 0x5f, 0x0c,
-	0x5b, 0xf6, 0x48, 0xca, 0x35, 0xf7, 0x25, 0x28, 0x92, 0xed, 0x6d, 0xa2, 0x53, 0x11, 0x99, 0x65,
-	0xe3, 0xb7, 0xb8, 0xca, 0xa9, 0x87, 0xac, 0xf0, 0x08, 0xa6, 0xf4, 0x88, 0x58, 0x88, 0x30, 0xfb,
-	0xa0, 0x46, 0x8b, 0x2c, 0x35, 0x9b, 0xa4, 0x29, 0x3e, 0x26, 0x1d, 0xe7, 0xdb, 0x1e, 0x6f, 0x1a,
-	0x6c, 0x48, 0x00, 0x1c, 0x60, 0xbd, 0x58, 0xfa, 0xc1, 0x4f, 0xaa, 0x43, 0xef, 0xfd, 0x79, 0x76,
-	0x48, 0x7d, 0x3f, 0x27, 0x8d, 0x3f, 0x50, 0xf7, 0xa0, 0x8d, 0xbf, 0x0a, 0x25, 0xbb, 0xcd, 0x78,
-	0x6d, 0x99, 0x95, 0x2e, 0xc9, 0xea, 0xe2, 0x75, 0x41, 0x3f, 0xec, 0x56, 0x2b, 0x71, 0x58, 0x39,
-	0x86, 0x7d, 0xe9, 0x40, 0x85, 0xf9, 0x4c, 0x2a, 0x2c, 0x1c, 0x5f, 0x85, 0xcb, 0x30, 0x19, 0x98,
-	0x4e, 0x83, 0xe8, 0xb6, 0xd5, 0x74, 0x85, 0xf5, 0xf2, 0xcc, 0xb1, 0x11, 0x1f, 0xc4, 0xfd, 0xfc,
-	0xea, 0x0f, 0x0b, 0x80, 0xfa, 0x0b, 0x8d, 0xa4, 0x08, 0xa0, 0x7c, 0x96, 0x08, 0x90, 0x3b, 0xd5,
-	0x08, 0x90, 0xbf, 0xbf, 0x11, 0xa0, 0x70, 0x44, 0x04, 0x78, 0x18, 0x4b, 0x88, 0xd3, 0x0a, 0x1a,
-	0x3f, 0x57, 0x60, 0xb2, 0xef, 0x15, 0x02, 0x7a, 0x09, 0xc6, 0x0c, 0x56, 0x08, 0x6f, 0x6b, 0xe2,
-	0xca, 0xe6, 0x19, 0xc6, 0x05, 0xb1, 0xcc, 0xb1, 0xb5, 0xf0, 0x20, 0x8e, 0xf2, 0xa2, 0x47, 0x21,
-	0x6f, 0xb4, 0x65, 0xaf, 0x96, 0xe7, 0xaa, 0xb5, 0x75, 0x17, 0x33, 0x1a, 0x33, 0xb9, 0x5d, 0xcd,
-	0x69, 0xde, 0xd1, 0x1c, 0xe6, 0xc9, 0x0e, 0xd3, 0x6e, 0x3e, 0x6a, 0x72, 0xaf, 0x46, 0x87, 0x71,
-	0x9c, 0x5f, 0xfd, 0xa9, 0x02, 0x8f, 0xa6, 0x5e, 0xe5, 0x32, 0xbf, 0x64, 0xd1, 0x00, 0xda, 0x9a,
-	0xa3, 0xb5, 0x88, 0xb8, 0xa3, 0x9c, 0xe0, 0xe5, 0x87, 0x7f, 0x09, 0x5a, 0xf7, 0x81, 0x70, 0x08,
-	0x54, 0xfd, 0x5e, 0x0e, 0xc6, 0xe4, 0x05, 0xd6, 0xeb, 0xdd, 0x9d, 0x7e, 0x63, 0xe7, 0x5a, 0xa4,
-	0xb1, 0x93, 0x5a, 0x52, 0x44, 0x96, 0x95, 0xd6, 0xda, 0x41, 0x0d, 0x28, 0xba, 0xfc, 0x7d, 0xd0,
-	0xa0, 0x0e, 0x7a, 0x14, 0x8e, 0x8b, 0x04, 0x8a, 0xf7, 0x7e, 0x63, 0x01, 0xa5, 0xf6, 0x14, 0x98,
-	0x89, 0xf0, 0x8b, 0x42, 0xcc, 0xc1, 0x64, 0x9b, 0x38, 0xc4, 0xd2, 0x09, 0xba, 0x04, 0x25, 0xad,
-	0x6d, 0xbc, 0xe2, 0xd8, 0x9d, 0xb6, 0x38, 0x45, 0xff, 0xf6, 0xb7, 0xb4, 0xbe, 0xc6, 0xe9, 0xd8,
-	0xe7, 0x60, 0xdc, 0x72, 0x2d, 0xc2, 0x96, 0x42, 0x9d, 0x4e, 0x8f, 0x8e, 0x7d, 0x0e, 0xbf, 0x2e,
-	0x2a, 0xa4, 0xd6, 0x45, 0x75, 0xc8, 0x77, 0x8c, 0xa6, 0x68, 0x34, 0x5f, 0x91, 0xc9, 0xe3, 0x56,
-	0xd6, 0x42, 0x98, 0x09, 0xab, 0xbf, 0x55, 0x60, 0x32, 0xb2, 0xc9, 0x07, 0xd0, 0x7d, 0x7a, 0x2d,
-	0xda, 0x7d, 0x7a, 0x22, 0xd3, 0x61, 0xa5, 0xf4, 0x9f, 0xf4, 0xd8, 0xf2, 0x79, 0x03, 0xea, 0x66,
-	0xfc, 0x99, 0xd1, 0xc5, 0x0c, 0x4d, 0xdc, 0xf4, 0xb7, 0x45, 0xea, 0xaf, 0x72, 0x70, 0x2e, 0xc1,
-	0x72, 0xd0, 0x6d, 0x80, 0x20, 0x68, 0x8b, 0xa9, 0x52, 0x23, 0x69, 0xdf, 0x47, 0x12, 0xfe, 0xf2,
-	0x24, 0x44, 0x0d, 0x61, 0xa1, 0x16, 0x94, 0x1d, 0xe2, 0x12, 0x67, 0x9f, 0x34, 0xaf, 0xf2, 0xdc,
-	0xcf, 0x14, 0xf5, 0x7c, 0x26, 0x45, 0xf5, 0x59, 0x69, 0x10, 0xb2, 0x71, 0x00, 0x89, 0xc3, 0xf8,
-	0xe8, 0x76, 0xa0, 0x30, 0xef, 0xeb, 0xf3, 0xe5, 0x01, 0xbb, 0x88, 0xbe, 0xca, 0x3b, 0x42, 0x75,
-	0x7f, 0x50, 0xe0, 0x42, 0x64, 0x79, 0x1b, 0xa4, 0xd5, 0x36, 0x35, 0x4a, 0x1e, 0x40, 0x88, 0x69,
-	0x44, 0x42, 0xcc, 0x42, 0x26, 0xed, 0xc9, 0xe5, 0xa5, 0x76, 0x91, 0x3f, 0x56, 0xe0, 0xd1, 0x44,
-	0x89, 0x07, 0xe0, 0x38, 0x38, 0xea, 0x38, 0x97, 0x8f, 0xb5, 0xa3, 0x14, 0x07, 0xfa, 0x7d, 0xda,
-	0x7e, 0xb8, 0x27, 0xfd, 0x6f, 0xe5, 0x01, 0xf5, 0x17, 0x0a, 0x8c, 0x4a, 0xce, 0x75, 0xdb, 0x36,
-	0x33, 0x5c, 0x2e, 0x17, 0x01, 0xc4, 0xeb, 0x53, 0xf9, 0x15, 0x25, 0x1f, 0xac, 0xf8, 0x15, 0x7f,
-	0x04, 0x87, 0xb8, 0xd0, 0x6b, 0x80, 0xe4, 0xda, 0x1a, 0xa6, 0xec, 0x09, 0xf2, 0x90, 0x9e, 0xaf,
-	0x4f, 0x0b, 0x59, 0x84, 0xfb, 0x38, 0x70, 0x82, 0x94, 0xfa, 0x3b, 0x25, 0xc8, 0xbd, 0x9c, 0xfc,
-	0xf0, 0xe9, 0x9c, 0x2f, 0x2b, 0x55, 0xe7, 0xe1, 0x0c, 0xc2, 0x39, 0x1f, 0xc2, 0x0c, 0xc2, 0xd7,
-	0x95, 0xe2, 0x00, 0xbf, 0x2c, 0xc4, 0xd6, 0xcf, 0x0d, 0x3f, 0x6b, 0x75, 0x76, 0x35, 0xf4, 0xce,
-	0xb8, 0xbc, 0xf8, 0xb9, 0x41, 0x0b, 0x61, 0x46, 0x99, 0xd8, 0x33, 0x0c, 0x3f, 0xc8, 0xc9, 0x1f,
-	0xeb, 0x41, 0x4e, 0xe1, 0x14, 0x1e, 0xe4, 0x9c, 0x39, 0xf2, 0x41, 0xce, 0x5a, 0x90, 0x2d, 0xbc,
-	0xdb, 0xc3, 0xcc, 0xd1, 0xe9, 0xf5, 0x88, 0x57, 0xbb, 0x18, 0xa6, 0xda, 0xc4, 0xf1, 0xc8, 0xc1,
-	0xda, 0x98, 0x27, 0x7a, 0x6f, 0x82, 0xa6, 0x7b, 0xdd, 0xea, 0xd4, 0x7a, 0x22, 0x07, 0x4e, 0x91,
-	0x44, 0x5b, 0x30, 0xce, 0x5b, 0x7c, 0x4d, 0xff, 0x45, 0x95, 0xf7, 0x6e, 0x48, 0x1d, 0xfc, 0x4c,
-	0x2e, 0xe8, 0x3c, 0x37, 0x22, 0x08, 0x38, 0x86, 0x58, 0x7f, 0xf9, 0xa3, 0x7b, 0x33, 0x43, 0x9f,
-	0xdc, 0x9b, 0x19, 0xfa, 0xf4, 0xde, 0xcc, 0xd0, 0x7b, 0xbd, 0x19, 0xe5, 0xa3, 0xde, 0x8c, 0xf2,
-	0x49, 0x6f, 0x46, 0xf9, 0xb4, 0x37, 0xa3, 0xfc, 0xb5, 0x37, 0xa3, 0x7c, 0xe7, 0x6f, 0x33, 0x43,
-	0x5f, 0x99, 0x4a, 0xfe, 0x77, 0x81, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0x0d, 0x0c, 0xec, 0x16,
-	0x47, 0x30, 0x00, 0x00,
-}
+func (m *ResourceSliceSpec) Reset() { *m = ResourceSliceSpec{} }
 
 func (m *AllocatedDeviceStatus) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1817,7 +436,7 @@ func (m *CapacityRequirements) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Requests {
 			keysForRequests = append(keysForRequests, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		sort.Strings(keysForRequests)
 		for iNdEx := len(keysForRequests) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Requests[QualifiedName(keysForRequests[iNdEx])]
 			baseI := i
@@ -1902,7 +521,7 @@ func (m *CounterSet) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2054,7 +673,7 @@ func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[QualifiedName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -2083,7 +702,7 @@ func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Attributes {
 			keysForAttributes = append(keysForAttributes, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+		sort.Strings(keysForAttributes)
 		for iNdEx := len(keysForAttributes) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Attributes[QualifiedName(keysForAttributes[iNdEx])]
 			baseI := i
@@ -2704,7 +1323,7 @@ func (m *DeviceCounterConsumption) MarshalToSizedBuffer(dAtA []byte) (int, error
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2815,7 +1434,7 @@ func (m *DeviceRequestAllocationResult) MarshalToSizedBuffer(dAtA []byte) (int,
 		for k := range m.ConsumedCapacity {
 			keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+		sort.Strings(keysForConsumedCapacity)
 		for iNdEx := len(keysForConsumedCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.ConsumedCapacity[QualifiedName(keysForConsumedCapacity[iNdEx])]
 			baseI := i
@@ -4890,7 +3509,7 @@ func (this *CapacityRequirements) String() string {
 	for k := range this.Requests {
 		keysForRequests = append(keysForRequests, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	sort.Strings(keysForRequests)
 	mapStringForRequests := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForRequests {
 		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[QualifiedName(k)])
@@ -4920,7 +3539,7 @@ func (this *CounterSet) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -4951,7 +3570,7 @@ func (this *Device) String() string {
 	for k := range this.Attributes {
 		keysForAttributes = append(keysForAttributes, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+	sort.Strings(keysForAttributes)
 	mapStringForAttributes := "map[QualifiedName]DeviceAttribute{"
 	for _, k := range keysForAttributes {
 		mapStringForAttributes += fmt.Sprintf("%v: %v,", k, this.Attributes[QualifiedName(k)])
@@ -4961,7 +3580,7 @@ func (this *Device) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "map[QualifiedName]DeviceCapacity{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[QualifiedName(k)])
@@ -5168,7 +3787,7 @@ func (this *DeviceCounterConsumption) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -5211,7 +3830,7 @@ func (this *DeviceRequestAllocationResult) String() string {
 	for k := range this.ConsumedCapacity {
 		keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+	sort.Strings(keysForConsumedCapacity)
 	mapStringForConsumedCapacity := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForConsumedCapacity {
 		mapStringForConsumedCapacity += fmt.Sprintf("%v: %v,", k, this.ConsumedCapacity[QualifiedName(k)])
diff --git a/staging/src/k8s.io/api/resource/v1/generated.proto b/staging/src/k8s.io/api/resource/v1/generated.proto
index 816a430c26b86..c254137c43bd7 100644
--- a/staging/src/k8s.io/api/resource/v1/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1/generated.proto
@@ -41,7 +41,7 @@ message AllocatedDeviceStatus {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
   optional string driver = 1;
@@ -65,6 +65,8 @@ message AllocatedDeviceStatus {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 7;
 
   // Conditions contains the latest observation of the device's state.
@@ -88,6 +90,7 @@ message AllocatedDeviceStatus {
   // NetworkData contains network-related information specific to the device.
   //
   // +optional
+  // +k8s:optional
   optional NetworkDeviceData networkData = 6;
 }
 
@@ -293,7 +296,7 @@ message Counter {
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -304,12 +307,14 @@ message CounterSet {
   // It must be a DNS label.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string name = 1;
 
   // Counters defines the set of counters for this CounterSet
   // The name of each counter must be unique in that set and must be a DNS label.
   //
-  // The maximum number of counters in all sets is 32.
+  // The maximum number of counters is 32.
   //
   // +required
   map<string, Counter> counters = 2;
@@ -346,14 +351,17 @@ message Device {
   //
   // There can only be a single entry per counterSet.
   //
-  // The total number of device counter consumption entries
-  // must be <= 32. In addition, the total number in the
-  // entire ResourceSlice must be <= 1024 (for example,
-  // 64 devices with 16 counters each).
+  // The maximum number of device counter consumptions per
+  // device is 2.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=counterSet
   // +featureGate=DRAPartitionableDevices
+  // +k8s:maxItems=2
   repeated DeviceCounterConsumption consumesCounters = 4;
 
   // NodeName identifies the node where the device is available.
@@ -390,7 +398,9 @@ message Device {
 
   // If specified, these are the driver-defined taints.
   //
-  // The maximum number of taints is 4.
+  // The maximum number of taints is 16. If taints are set for
+  // any device in a ResourceSlice, then the maximum number of
+  // allowed devices per ResourceSlice is 64 instead of 128.
   //
   // This is an alpha field and requires enabling the DRADeviceTaints
   // feature gate.
@@ -427,6 +437,8 @@ message Device {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 10;
 
   // BindingFailureConditions defines the conditions for binding failure.
@@ -443,6 +455,8 @@ message Device {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 11;
 
   // AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -462,6 +476,7 @@ message DeviceAllocationConfiguration {
   // or from a claim.
   //
   // +required
+  // +k8s:required
   optional string source = 1;
 
   // Requests lists the names of requests where the configuration applies.
@@ -473,6 +488,10 @@ message DeviceAllocationConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 2;
 
   optional DeviceConfiguration deviceConfiguration = 3;
@@ -484,6 +503,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceRequestAllocationResult results = 1;
 
   // This field is a combination of all the claim and class configuration parameters.
@@ -496,6 +517,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=64
   repeated DeviceAllocationConfiguration config = 2;
 }
 
@@ -504,26 +527,30 @@ message DeviceAttribute {
   // IntValue is a number.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional int64 int = 2;
 
   // BoolValue is a true/false value.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional bool bool = 3;
 
   // StringValue is a string. Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string string = 4;
 
   // VersionValue is a semantic version according to semver.org spec 2.0.0.
   // Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string version = 5;
 }
 
@@ -560,6 +587,11 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=32
   repeated DeviceRequest requests = 1;
 
   // These constraints must be satisfied by the set of devices that get
@@ -567,6 +599,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceConstraint constraints = 2;
 
   // This field holds configuration for multiple potential drivers which
@@ -575,6 +609,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClaimConfiguration config = 3;
 }
 
@@ -589,6 +625,10 @@ message DeviceClaimConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   optional DeviceConfiguration deviceConfiguration = 2;
@@ -604,6 +644,8 @@ message DeviceClaimConfiguration {
 message DeviceClass {
   // Standard object metadata
   // +optional
+  // +k8s:subfield(name)=+k8s:optional
+  // +k8s:subfield(name)=+k8s:format=k8s-long-name
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // Spec defines what can be allocated and how to configure it.
@@ -639,6 +681,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 1;
 
   // Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -649,6 +693,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClassConfiguration config = 2;
 
   // ExtendedResourceName is the extended resource name for the devices of this class.
@@ -663,6 +709,8 @@ message DeviceClassSpec {
   // This is an alpha field.
   // +optional
   // +featureGate=DRAExtendedResource
+  // +k8s:optional
+  // +k8s:format=k8s-extended-resource-name
   optional string extendedResourceName = 4;
 }
 
@@ -674,6 +722,7 @@ message DeviceConfiguration {
   //
   // +optional
   // +oneOf=ConfigurationType
+  // +k8s:optional
   optional OpaqueDeviceConfiguration opaque = 1;
 }
 
@@ -691,6 +740,10 @@ message DeviceConstraint {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   // MatchAttribute requires that all devices in question have this
@@ -708,6 +761,8 @@ message DeviceConstraint {
   //
   // +optional
   // +oneOf=ConstraintType
+  // +k8s:optional
+  // +k8s:format=k8s-resource-fully-qualified-name
   optional string matchAttribute = 2;
 
   // DistinctAttribute requires that all devices in question have this
@@ -734,14 +789,13 @@ message DeviceCounterConsumption {
   // counters defined will be consumed.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string counterSet = 1;
 
   // Counters defines the counters that will be consumed by the device.
   //
-  // The maximum number counters in a device is 32.
-  // In addition, the maximum number of all counters
-  // in all devices is 1024 (for example, 64 devices with
-  // 16 counters each).
+  // The maximum number of counters is 32.
   //
   // +required
   map<string, Counter> counters = 2;
@@ -773,6 +827,7 @@ message DeviceRequest {
   //
   // +optional
   // +oneOf=deviceRequestType
+  // +k8s:optional
   optional ExactDeviceRequest exactly = 2;
 
   // FirstAvailable contains subrequests, of which exactly one will be
@@ -793,6 +848,11 @@ message DeviceRequest {
   // +oneOf=deviceRequestType
   // +listType=atomic
   // +featureGate=DRAPrioritizedList
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=8
   repeated DeviceSubRequest firstAvailable = 3;
 }
 
@@ -814,9 +874,11 @@ message DeviceRequestAllocationResult {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:format=k8s-long-name-caseless
+  // +k8s:required
   optional string driver = 2;
 
   // This name together with the driver name and the device name field
@@ -826,6 +888,8 @@ message DeviceRequestAllocationResult {
   // DNS sub-domains separated by slashes.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-resource-pool-name
   optional string pool = 3;
 
   // Device references one device instance via its name in the driver's
@@ -868,6 +932,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 7;
 
   // BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -879,6 +945,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 8;
 
   // ShareID uniquely identifies an individual allocation share of the device,
@@ -888,6 +956,8 @@ message DeviceRequestAllocationResult {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 9;
 
   // ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -944,6 +1014,8 @@ message DeviceSubRequest {
   // to reference.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name
   optional string deviceClassName = 2;
 
   // Selectors define criteria which must be satisfied by a specific
@@ -953,6 +1025,8 @@ message DeviceSubRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 3;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -1044,10 +1118,13 @@ message DeviceTaint {
 
   // The effect of the taint on claims that do not tolerate the taint
   // and through such claims on the pods using them.
-  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-  // nodes is not valid here.
+  //
+  // Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here. More effects may get added in the future.
+  // Consumers must treat unknown effects like None.
   //
   // +required
+  // +k8s:required
   optional string effect = 3;
 
   // TimeAdded represents the time at which the taint was added.
@@ -1065,6 +1142,8 @@ message DeviceToleration {
   // Must be a label name.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:format=k8s-label-key
   optional string key = 1;
 
   // Operator represents a key's relationship to the value.
@@ -1124,6 +1203,8 @@ message ExactDeviceRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 2;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -1146,6 +1227,7 @@ message ExactDeviceRequest {
   // requests with unknown modes.
   //
   // +optional
+  // +k8s:optional
   optional string allocationMode = 3;
 
   // Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -1221,6 +1303,8 @@ message NetworkDeviceData {
   // Must not be longer than 256 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=256
   optional string interfaceName = 1;
 
   // IPs lists the network addresses assigned to the device's network interface.
@@ -1231,6 +1315,10 @@ message NetworkDeviceData {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=16
   repeated string ips = 2;
 
   // HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1238,6 +1326,8 @@ message NetworkDeviceData {
   // Must not be longer than 128 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=128
   optional string hardwareAddress = 3;
 }
 
@@ -1251,9 +1341,11 @@ message OpaqueDeviceConfiguration {
   // to decide whether it needs to validate them.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name-caseless
   optional string driver = 1;
 
   // Parameters can contain arbitrary data. It is the responsibility of
@@ -1282,6 +1374,7 @@ message ResourceClaim {
 
   // Spec describes what is being requested and how to configure it.
   // The spec is immutable.
+  // +k8s:immutable
   optional ResourceClaimSpec spec = 2;
 
   // Status describes whether the claim is ready to use and what has been allocated.
@@ -1336,6 +1429,8 @@ message ResourceClaimStatus {
   // Allocation is set once the claim has been allocated successfully.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:update=NoModify
   optional AllocationResult allocation = 1;
 
   // ReservedFor indicates which entities are currently allowed to use
@@ -1363,6 +1458,10 @@ message ResourceClaimStatus {
   // +listMapKey=uid
   // +patchStrategy=merge
   // +patchMergeKey=uid
+  // +k8s:optional
+  // +k8s:listType=map
+  // +k8s:listMapKey=uid
+  // +k8s:maxItems=256
   repeated ResourceClaimConsumerReference reservedFor = 2;
 
   // Devices contains the status of each device allocated for this
@@ -1370,12 +1469,18 @@ message ResourceClaimStatus {
   // information. Entries are owned by their respective drivers.
   //
   // +optional
+  // +k8s:optional
   // +listType=map
   // +listMapKey=driver
   // +listMapKey=device
   // +listMapKey=pool
   // +listMapKey=shareID
   // +featureGate=DRAResourceClaimDeviceStatus
+  // +k8s:listType=map
+  // +k8s:listMapKey=driver
+  // +k8s:listMapKey=device
+  // +k8s:listMapKey=pool
+  // +k8s:listMapKey=shareID
   repeated AllocatedDeviceStatus devices = 4;
 }
 
@@ -1509,7 +1614,8 @@ message ResourceSliceSpec {
   // objects with a certain driver name.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver. This field is immutable.
+  // vendor of the driver. It should use only lower case characters.
+  // This field is immutable.
   //
   // +required
   optional string driver = 1;
@@ -1556,10 +1662,14 @@ message ResourceSliceSpec {
 
   // Devices lists some or all of the devices in this pool.
   //
-  // Must not have more than 128 entries.
+  // Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +zeroOrOneOf=ResourceSliceType
   repeated Device devices = 6;
 
   // PerDeviceNodeSelection defines whether the access from nodes to
@@ -1577,13 +1687,21 @@ message ResourceSliceSpec {
   // SharedCounters defines a list of counter sets, each of which
   // has a name and a list of counters available.
   //
-  // The names of the SharedCounters must be unique in the ResourceSlice.
+  // The names of the counter sets must be unique in the ResourcePool.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
-  // The maximum number of counters in all sets is 32.
+  // The maximum number of counter sets is 8.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
   // +featureGate=DRAPartitionableDevices
+  // +zeroOrOneOf=ResourceSliceType
+  // +k8s:maxItems=8
   repeated CounterSet sharedCounters = 8;
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/resource/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..97035a9360571
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1/generated.protomessage.pb.go
@@ -0,0 +1,108 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AllocatedDeviceStatus) ProtoMessage() {}
+
+func (*AllocationResult) ProtoMessage() {}
+
+func (*CELDeviceSelector) ProtoMessage() {}
+
+func (*CapacityRequestPolicy) ProtoMessage() {}
+
+func (*CapacityRequestPolicyRange) ProtoMessage() {}
+
+func (*CapacityRequirements) ProtoMessage() {}
+
+func (*Counter) ProtoMessage() {}
+
+func (*CounterSet) ProtoMessage() {}
+
+func (*Device) ProtoMessage() {}
+
+func (*DeviceAllocationConfiguration) ProtoMessage() {}
+
+func (*DeviceAllocationResult) ProtoMessage() {}
+
+func (*DeviceAttribute) ProtoMessage() {}
+
+func (*DeviceCapacity) ProtoMessage() {}
+
+func (*DeviceClaim) ProtoMessage() {}
+
+func (*DeviceClaimConfiguration) ProtoMessage() {}
+
+func (*DeviceClass) ProtoMessage() {}
+
+func (*DeviceClassConfiguration) ProtoMessage() {}
+
+func (*DeviceClassList) ProtoMessage() {}
+
+func (*DeviceClassSpec) ProtoMessage() {}
+
+func (*DeviceConfiguration) ProtoMessage() {}
+
+func (*DeviceConstraint) ProtoMessage() {}
+
+func (*DeviceCounterConsumption) ProtoMessage() {}
+
+func (*DeviceRequest) ProtoMessage() {}
+
+func (*DeviceRequestAllocationResult) ProtoMessage() {}
+
+func (*DeviceSelector) ProtoMessage() {}
+
+func (*DeviceSubRequest) ProtoMessage() {}
+
+func (*DeviceTaint) ProtoMessage() {}
+
+func (*DeviceToleration) ProtoMessage() {}
+
+func (*ExactDeviceRequest) ProtoMessage() {}
+
+func (*NetworkDeviceData) ProtoMessage() {}
+
+func (*OpaqueDeviceConfiguration) ProtoMessage() {}
+
+func (*ResourceClaim) ProtoMessage() {}
+
+func (*ResourceClaimConsumerReference) ProtoMessage() {}
+
+func (*ResourceClaimList) ProtoMessage() {}
+
+func (*ResourceClaimSpec) ProtoMessage() {}
+
+func (*ResourceClaimStatus) ProtoMessage() {}
+
+func (*ResourceClaimTemplate) ProtoMessage() {}
+
+func (*ResourceClaimTemplateList) ProtoMessage() {}
+
+func (*ResourceClaimTemplateSpec) ProtoMessage() {}
+
+func (*ResourcePool) ProtoMessage() {}
+
+func (*ResourceSlice) ProtoMessage() {}
+
+func (*ResourceSliceList) ProtoMessage() {}
+
+func (*ResourceSliceSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/resource/v1/types.go b/staging/src/k8s.io/api/resource/v1/types.go
index f29504444fff1..29b4a5fbaccbf 100644
--- a/staging/src/k8s.io/api/resource/v1/types.go
+++ b/staging/src/k8s.io/api/resource/v1/types.go
@@ -101,7 +101,8 @@ type ResourceSliceSpec struct {
 	// objects with a certain driver name.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver. This field is immutable.
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
@@ -148,11 +149,15 @@ type ResourceSliceSpec struct {
 
 	// Devices lists some or all of the devices in this pool.
 	//
-	// Must not have more than 128 entries.
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
 	//
 	// +optional
 	// +listType=atomic
-	Devices []Device `json:"devices" protobuf:"bytes,6,name=devices"`
+	// +k8s:optional
+	// +zeroOrOneOf=ResourceSliceType
+	Devices []Device `json:"devices,omitempty" protobuf:"bytes,6,name=devices"`
 
 	// PerDeviceNodeSelection defines whether the access from nodes to
 	// resources in the pool is set on the ResourceSlice level or on each
@@ -169,19 +174,27 @@ type ResourceSliceSpec struct {
 	// SharedCounters defines a list of counter sets, each of which
 	// has a name and a list of counters available.
 	//
-	// The names of the SharedCounters must be unique in the ResourceSlice.
+	// The names of the counter sets must be unique in the ResourcePool.
 	//
-	// The maximum number of counters in all sets is 32.
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
 	// +featureGate=DRAPartitionableDevices
+	// +zeroOrOneOf=ResourceSliceType
+	// +k8s:maxItems=8
 	SharedCounters []CounterSet `json:"sharedCounters,omitempty" protobuf:"bytes,8,name=sharedCounters"`
 }
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -192,12 +205,14 @@ type CounterSet struct {
 	// It must be a DNS label.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	Name string `json:"name" protobuf:"bytes,1,name=name"`
 
 	// Counters defines the set of counters for this CounterSet
 	// The name of each counter must be unique in that set and must be a DNS label.
 	//
-	// The maximum number of counters in all sets is 32.
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter `json:"counters,omitempty" protobuf:"bytes,2,name=counters"`
@@ -246,13 +261,27 @@ type ResourcePool struct {
 
 const ResourceSliceMaxSharedCapacity = 128
 const ResourceSliceMaxDevices = 128
+const ResourceSliceMaxDevicesWithTaintsOrConsumesCounters = 64
 const PoolNameMaxLength = validation.DNS1123SubdomainMaxLength // Same as for a single node name.
 const BindingConditionsMaxSize = 4
 const BindingFailureConditionsMaxSize = 4
 
-// Defines the max number of shared counters that can be specified
-// in a ResourceSlice. The number is summed up across all sets.
-const ResourceSliceMaxSharedCounters = 32
+// Defines the maximum number of counter sets (through the
+// SharedCounters field) that can be defined in a ResourceSlice.
+const ResourceSliceMaxCounterSets = 8
+
+// Defines the maximum number of counters that can be defined
+// in a counter set.
+const ResourceSliceMaxCountersPerCounterSet = 32
+
+// Defines the maximum number of device counter consumptions
+// (through the ConsumesCounters field) that can be defined per
+// device.
+const ResourceSliceMaxDeviceCounterConsumptionsPerDevice = 2
+
+// Defines the maximum number of counters that can be defined
+// per device counter consumption.
+const ResourceSliceMaxCountersPerDeviceCounterConsumption = 32
 
 // Device represents one individual hardware instance that can be selected based
 // on its attributes. Besides the name, exactly one field must be set.
@@ -285,14 +314,17 @@ type Device struct {
 	//
 	// There can only be a single entry per counterSet.
 	//
-	// The total number of device counter consumption entries
-	// must be <= 32. In addition, the total number in the
-	// entire ResourceSlice must be <= 1024 (for example,
-	// 64 devices with 16 counters each).
+	// The maximum number of device counter consumptions per
+	// device is 2.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=counterSet
 	// +featureGate=DRAPartitionableDevices
+	// +k8s:maxItems=2
 	ConsumesCounters []DeviceCounterConsumption `json:"consumesCounters,omitempty" protobuf:"bytes,4,rep,name=consumesCounters"`
 
 	// NodeName identifies the node where the device is available.
@@ -329,7 +361,9 @@ type Device struct {
 
 	// If specified, these are the driver-defined taints.
 	//
-	// The maximum number of taints is 4.
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
 	//
 	// This is an alpha field and requires enabling the DRADeviceTaints
 	// feature gate.
@@ -366,6 +400,8 @@ type Device struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,10,rep,name=bindingConditions"`
 
 	// BindingFailureConditions defines the conditions for binding failure.
@@ -382,6 +418,8 @@ type Device struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,11,rep,name=bindingFailureConditions"`
 
 	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -401,14 +439,13 @@ type DeviceCounterConsumption struct {
 	// counters defined will be consumed.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	CounterSet string `json:"counterSet" protobuf:"bytes,1,opt,name=counterSet"`
 
 	// Counters defines the counters that will be consumed by the device.
 	//
-	// The maximum number counters in a device is 32.
-	// In addition, the maximum number of all counters
-	// in all devices is 1024 (for example, 64 devices with
-	// 16 counters each).
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter `json:"counters,omitempty" protobuf:"bytes,2,opt,name=counters"`
@@ -531,14 +568,6 @@ type CapacityRequestPolicyRange struct {
 // Limit for the sum of the number of entries in both attributes and capacity.
 const ResourceSliceMaxAttributesAndCapacitiesPerDevice = 32
 
-// Limit for the total number of counters in each device.
-const ResourceSliceMaxCountersPerDevice = 32
-
-// Limit for the total number of counters defined in devices in
-// a ResourceSlice. We want to allow up to 64 devices to specify
-// up to 16 counters, so the limit for the ResourceSlice will be 1024.
-const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
-
 // QualifiedName is the name of a device attribute or capacity.
 //
 // Attributes and capacities are defined either by the owner of the specific
@@ -558,6 +587,9 @@ const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
 type QualifiedName string
 
 // FullyQualifiedName is a QualifiedName where the domain is set.
+// Format validation cannot be added to this type because one of its usages,
+// DistinctAttribute, is validated conditionally. This conditional validation
+// cannot be expressed declaratively.
 type FullyQualifiedName string
 
 // DeviceMaxDomainLength is the maximum length of the domain prefix in a fully-qualified name.
@@ -575,34 +607,38 @@ type DeviceAttribute struct {
 	// IntValue is a number.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	IntValue *int64 `json:"int,omitempty" protobuf:"varint,2,opt,name=int"`
 
 	// BoolValue is a true/false value.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	BoolValue *bool `json:"bool,omitempty" protobuf:"varint,3,opt,name=bool"`
 
 	// StringValue is a string. Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	StringValue *string `json:"string,omitempty" protobuf:"bytes,4,opt,name=string"`
 
 	// VersionValue is a semantic version according to semver.org spec 2.0.0.
 	// Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	VersionValue *string `json:"version,omitempty" protobuf:"bytes,5,opt,name=version"`
 }
 
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
-// DeviceTaintsMaxLength is the maximum number of taints per device.
-const DeviceTaintsMaxLength = 4
+// DeviceTaintsMaxLength is the maximum number of taints per Device.
+const DeviceTaintsMaxLength = 16
 
 // The device this taint is attached to has the "effect" on
 // any claim which does not tolerate the taint and, through the claim,
@@ -624,16 +660,27 @@ type DeviceTaint struct {
 
 	// The effect of the taint on claims that do not tolerate the taint
 	// and through such claims on the pods using them.
-	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-	// nodes is not valid here.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
 	//
 	// +required
+	// +k8s:required
 	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
 
 	// ^^^^
 	//
 	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
 	// It might get added as part of that.
+	//
+	// A possible future new effect is NoExecuteWithPodDisruptionBudget:
+	// honor the pod disruption budget instead of simply deleting pods.
+	// This is currently undecided, it could also be a separate field.
+	//
+	// Validation must be prepared to allow unknown enums in stored objects,
+	// which will enable adding new enums within a single release without
+	// ratcheting.
 
 	// TimeAdded represents the time at which the taint was added.
 	// Added automatically during create or update if not set.
@@ -649,9 +696,13 @@ type DeviceTaint struct {
 }
 
 // +enum
+// +k8s:enum
 type DeviceTaintEffect string
 
 const (
+	// No effect, the taint is purely informational.
+	DeviceTaintEffectNone DeviceTaintEffect = "None"
+
 	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
 	// but allow all pods submitted to Kubelet without going through the scheduler
 	// to start, and allow all already-running pods to continue running.
@@ -678,6 +729,7 @@ type ResourceSliceList struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.34
+// +k8s:supportsSubresource=/status
 
 // ResourceClaim describes a request for access to resources in the cluster,
 // for use by workloads. For example, if a workload needs an accelerator device
@@ -695,6 +747,7 @@ type ResourceClaim struct {
 
 	// Spec describes what is being requested and how to configure it.
 	// The spec is immutable.
+	// +k8s:immutable
 	Spec ResourceClaimSpec `json:"spec" protobuf:"bytes,2,name=spec"`
 
 	// Status describes whether the claim is ready to use and what has been allocated.
@@ -722,6 +775,11 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=32
 	Requests []DeviceRequest `json:"requests" protobuf:"bytes,1,name=requests"`
 
 	// These constraints must be satisfied by the set of devices that get
@@ -729,6 +787,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Constraints []DeviceConstraint `json:"constraints,omitempty" protobuf:"bytes,2,opt,name=constraints"`
 
 	// This field holds configuration for multiple potential drivers which
@@ -737,6 +797,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClaimConfiguration `json:"config,omitempty" protobuf:"bytes,3,opt,name=config"`
 
 	// Potential future extension, ignored by older schedulers. This is
@@ -787,6 +849,7 @@ type DeviceRequest struct {
 	//
 	// +optional
 	// +oneOf=deviceRequestType
+	// +k8s:optional
 	Exactly *ExactDeviceRequest `json:"exactly,omitempty" protobuf:"bytes,2,name=exactly"`
 
 	// FirstAvailable contains subrequests, of which exactly one will be
@@ -807,6 +870,11 @@ type DeviceRequest struct {
 	// +oneOf=deviceRequestType
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=8
 	FirstAvailable []DeviceSubRequest `json:"firstAvailable,omitempty" protobuf:"bytes,3,name=firstAvailable"`
 }
 
@@ -834,6 +902,8 @@ type ExactDeviceRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,2,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -856,6 +926,7 @@ type ExactDeviceRequest struct {
 	// requests with unknown modes.
 	//
 	// +optional
+	// +k8s:optional
 	AllocationMode DeviceAllocationMode `json:"allocationMode,omitempty" protobuf:"bytes,3,opt,name=allocationMode"`
 
 	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -951,6 +1022,8 @@ type DeviceSubRequest struct {
 	// to reference.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name
 	DeviceClassName string `json:"deviceClassName" protobuf:"bytes,2,name=deviceClassName"`
 
 	// Selectors define criteria which must be satisfied by a specific
@@ -960,6 +1033,8 @@ type DeviceSubRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,3,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -1066,6 +1141,8 @@ const (
 	DeviceTolerationsMaxLength         = 16
 )
 
+// +enum
+// +k8s:enum
 type DeviceAllocationMode string
 
 // Valid [DeviceRequest.CountMode] values.
@@ -1184,6 +1261,10 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	// MatchAttribute requires that all devices in question have this
@@ -1201,6 +1282,8 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +oneOf=ConstraintType
+	// +k8s:optional
+	// +k8s:format=k8s-resource-fully-qualified-name
 	MatchAttribute *FullyQualifiedName `json:"matchAttribute,omitempty" protobuf:"bytes,2,opt,name=matchAttribute"`
 
 	// Potential future extension, not part of the current design:
@@ -1241,6 +1324,10 @@ type DeviceClaimConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,2,name=deviceConfiguration"`
@@ -1254,6 +1341,7 @@ type DeviceConfiguration struct {
 	//
 	// +optional
 	// +oneOf=ConfigurationType
+	// +k8s:optional
 	Opaque *OpaqueDeviceConfiguration `json:"opaque,omitempty" protobuf:"bytes,1,opt,name=opaque"`
 }
 
@@ -1267,9 +1355,11 @@ type OpaqueDeviceConfiguration struct {
 	// to decide whether it needs to validate them.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name-caseless
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
 
 	// Parameters can contain arbitrary data. It is the responsibility of
@@ -1295,6 +1385,8 @@ type DeviceToleration struct {
 	// Must be a label name.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:format=k8s-label-key
 	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
 
 	// Operator represents a key's relationship to the value.
@@ -1333,6 +1425,7 @@ type DeviceToleration struct {
 // A toleration operator is the set of operators that can be used in a toleration.
 //
 // +enum
+// +k8s:enum
 type DeviceTolerationOperator string
 
 const (
@@ -1346,6 +1439,8 @@ type ResourceClaimStatus struct {
 	// Allocation is set once the claim has been allocated successfully.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:update=NoModify
 	Allocation *AllocationResult `json:"allocation,omitempty" protobuf:"bytes,1,opt,name=allocation"`
 
 	// ReservedFor indicates which entities are currently allowed to use
@@ -1373,6 +1468,10 @@ type ResourceClaimStatus struct {
 	// +listMapKey=uid
 	// +patchStrategy=merge
 	// +patchMergeKey=uid
+	// +k8s:optional
+	// +k8s:listType=map
+	// +k8s:listMapKey=uid
+	// +k8s:maxItems=256
 	ReservedFor []ResourceClaimConsumerReference `json:"reservedFor,omitempty" protobuf:"bytes,2,opt,name=reservedFor" patchStrategy:"merge" patchMergeKey:"uid"`
 
 	// DeallocationRequested is tombstoned since Kubernetes 1.32 where
@@ -1385,12 +1484,18 @@ type ResourceClaimStatus struct {
 	// information. Entries are owned by their respective drivers.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=map
 	// +listMapKey=driver
 	// +listMapKey=device
 	// +listMapKey=pool
 	// +listMapKey=shareID
 	// +featureGate=DRAResourceClaimDeviceStatus
+	// +k8s:listType=map
+	// +k8s:listMapKey=driver
+	// +k8s:listMapKey=device
+	// +k8s:listMapKey=pool
+	// +k8s:listMapKey=shareID
 	Devices []AllocatedDeviceStatus `json:"devices,omitempty" protobuf:"bytes,4,opt,name=devices"`
 }
 
@@ -1453,6 +1558,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Results []DeviceRequestAllocationResult `json:"results,omitempty" protobuf:"bytes,1,opt,name=results"`
 
 	// This field is a combination of all the claim and class configuration parameters.
@@ -1465,6 +1572,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=64
 	Config []DeviceAllocationConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 }
 
@@ -1490,9 +1599,11 @@ type DeviceRequestAllocationResult struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:format=k8s-long-name-caseless
+	// +k8s:required
 	Driver string `json:"driver" protobuf:"bytes,2,name=driver"`
 
 	// This name together with the driver name and the device name field
@@ -1502,6 +1613,8 @@ type DeviceRequestAllocationResult struct {
 	// DNS sub-domains separated by slashes.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-resource-pool-name
 	Pool string `json:"pool" protobuf:"bytes,3,name=pool"`
 
 	// Device references one device instance via its name in the driver's
@@ -1544,6 +1657,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,7,rep,name=bindingConditions"`
 
 	// BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -1555,6 +1670,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,8,rep,name=bindingFailureConditions"`
 
 	// ShareID uniquely identifies an individual allocation share of the device,
@@ -1564,6 +1681,8 @@ type DeviceRequestAllocationResult struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *types.UID `json:"shareID,omitempty" protobuf:"bytes,9,opt,name=shareID"`
 
 	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -1587,6 +1706,7 @@ type DeviceAllocationConfiguration struct {
 	// or from a claim.
 	//
 	// +required
+	// +k8s:required
 	Source AllocationConfigSource `json:"source" protobuf:"bytes,1,name=source"`
 
 	// Requests lists the names of requests where the configuration applies.
@@ -1598,17 +1718,23 @@ type DeviceAllocationConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,2,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,3,name=deviceConfiguration"`
 }
 
+// +enum
+// +k8s:enum
 type AllocationConfigSource string
 
 // Valid [DeviceAllocationConfiguration.Source] values.
 const (
-	AllocationConfigSourceClass = "FromClass"
-	AllocationConfigSourceClaim = "FromClaim"
+	AllocationConfigSourceClass AllocationConfigSource = "FromClass"
+	AllocationConfigSourceClaim AllocationConfigSource = "FromClaim"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -1641,6 +1767,8 @@ type DeviceClass struct {
 	metav1.TypeMeta `json:",inline"`
 	// Standard object metadata
 	// +optional
+	// +k8s:subfield(name)=+k8s:optional
+	// +k8s:subfield(name)=+k8s:format=k8s-long-name
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// Spec defines what can be allocated and how to configure it.
@@ -1661,6 +1789,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,1,opt,name=selectors"`
 
 	// Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -1671,6 +1801,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClassConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 
 	// SuitableNodes is tombstoned since Kubernetes 1.32 where
@@ -1690,6 +1822,8 @@ type DeviceClassSpec struct {
 	// This is an alpha field.
 	// +optional
 	// +featureGate=DRAExtendedResource
+	// +k8s:optional
+	// +k8s:format=k8s-extended-resource-name
 	ExtendedResourceName *string `json:"extendedResourceName,omitempty" protobuf:"bytes,4,opt,name=extendedResourceName"`
 }
 
@@ -1791,7 +1925,7 @@ type AllocatedDeviceStatus struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,rep,name=driver"`
@@ -1815,6 +1949,8 @@ type AllocatedDeviceStatus struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *string `json:"shareID,omitempty" protobuf:"bytes,7,opt,name=shareID"`
 
 	// Conditions contains the latest observation of the device's state.
@@ -1838,6 +1974,7 @@ type AllocatedDeviceStatus struct {
 	// NetworkData contains network-related information specific to the device.
 	//
 	// +optional
+	// +k8s:optional
 	NetworkData *NetworkDeviceData `json:"networkData,omitempty" protobuf:"bytes,6,opt,name=networkData"`
 }
 
@@ -1852,6 +1989,8 @@ type NetworkDeviceData struct {
 	// Must not be longer than 256 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=256
 	InterfaceName string `json:"interfaceName,omitempty" protobuf:"bytes,1,opt,name=interfaceName"`
 
 	// IPs lists the network addresses assigned to the device's network interface.
@@ -1862,6 +2001,10 @@ type NetworkDeviceData struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=16
 	IPs []string `json:"ips,omitempty" protobuf:"bytes,2,opt,name=ips"`
 
 	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1869,5 +2012,7 @@ type NetworkDeviceData struct {
 	// Must not be longer than 128 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=128
 	HardwareAddress string `json:"hardwareAddress,omitempty" protobuf:"bytes,3,opt,name=hardwareAddress"`
 }
diff --git a/staging/src/k8s.io/api/resource/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1/types_swagger_doc_generated.go
index bf81ced64ce66..6ba5f598c6885 100644
--- a/staging/src/k8s.io/api/resource/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1/types_swagger_doc_generated.go
@@ -29,7 +29,7 @@ package v1
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
 var map_AllocatedDeviceStatus = map[string]string{
 	"":            "AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. This may include driver-specific information.\n\nThe combination of Driver, Pool, Device, and ShareID must match the corresponding key in Status.Allocation.Devices.",
-	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":        "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":      "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"shareID":     "ShareID uniquely identifies an individual allocation share of the device.",
@@ -103,9 +103,9 @@ func (Counter) SwaggerDoc() map[string]string {
 }
 
 var map_CounterSet = map[string]string{
-	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 	"name":     "Name defines the name of the counter set. It must be a DNS label.",
-	"counters": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+	"counters": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
 }
 
 func (CounterSet) SwaggerDoc() map[string]string {
@@ -117,11 +117,11 @@ var map_Device = map[string]string{
 	"name":                     "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.",
 	"attributes":               "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
 	"capacity":                 "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
-	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 	"nodeName":                 "NodeName identifies the node where the device is available.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"nodeSelector":             "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"allNodes":                 "AllNodes indicates that all nodes have access to the device.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 	"bindsToNode":              "BindsToNode indicates if the usage of an allocation involving this device has to be limited to exactly the node that was chosen when allocating the claim. If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector to match the node where the allocation was made.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingConditions":        "BindingConditions defines the conditions for proceeding with binding. All of these conditions must be set in the per-device status conditions with a value of True to proceed with binding the pod to the node while scheduling the pod.\n\nThe maximum number of binding conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingFailureConditions": "BindingFailureConditions defines the conditions for binding failure. They may be set in the per-device status conditions. If any is set to \"True\", a binding failure occurred.\n\nThe maximum number of binding failure conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
@@ -256,7 +256,7 @@ func (DeviceConstraint) SwaggerDoc() map[string]string {
 var map_DeviceCounterConsumption = map[string]string{
 	"":           "DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.",
 	"counterSet": "CounterSet is the name of the set from which the counters defined will be consumed.",
-	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 }
 
 func (DeviceCounterConsumption) SwaggerDoc() map[string]string {
@@ -277,7 +277,7 @@ func (DeviceRequest) SwaggerDoc() map[string]string {
 var map_DeviceRequestAllocationResult = map[string]string{
 	"":                         "DeviceRequestAllocationResult contains the allocation result for one request.",
 	"request":                  "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
-	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":                     "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":                   "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"adminAccess":              "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
@@ -320,7 +320,7 @@ var map_DeviceTaint = map[string]string{
 	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
 	"key":       "The taint key to be applied to a device. Must be a label name.",
 	"value":     "The taint value corresponding to the taint key. Must be a label value.",
-	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
 	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
 }
 
@@ -369,7 +369,7 @@ func (NetworkDeviceData) SwaggerDoc() map[string]string {
 
 var map_OpaqueDeviceConfiguration = map[string]string{
 	"":           "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
-	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"parameters": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
 }
 
@@ -493,14 +493,14 @@ func (ResourceSliceList) SwaggerDoc() map[string]string {
 
 var map_ResourceSliceSpec = map[string]string{
 	"":                       "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.",
-	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 	"pool":                   "Pool describes the pool that this ResourceSlice belongs to.",
 	"nodeName":               "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.",
 	"nodeSelector":           "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
 	"allNodes":               "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 	"perDeviceNodeSelection": "PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 }
 
 func (ResourceSliceSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/resource/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/resource/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..c0de4f9e9db2e
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1/zz_generated.model_name.go
@@ -0,0 +1,237 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocatedDeviceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.AllocatedDeviceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.AllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CELDeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.CELDeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.CapacityRequestPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicyRange) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.CapacityRequestPolicyRange"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequirements) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.CapacityRequirements"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Counter) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.Counter"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CounterSet) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.CounterSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Device) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.Device"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceAllocationConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAttribute) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceAttribute"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaimConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClaimConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClass) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClassConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConstraint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceConstraint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCounterConsumption) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceCounterConsumption"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequestAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceRequestAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSubRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceSubRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceTaint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceToleration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.DeviceToleration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExactDeviceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ExactDeviceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkDeviceData) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.NetworkDeviceData"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in OpaqueDeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.OpaqueDeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimConsumerReference) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimConsumerReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplate) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimTemplate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimTemplateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceClaimTemplateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePool) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourcePool"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSlice) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceSlice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceSliceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1.ResourceSliceSpec"
+}
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/doc.go b/staging/src/k8s.io/api/resource/v1alpha3/doc.go
index 82e64f1d00ca7..b6bfd79c36966 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/doc.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.resource.v1alpha3
+
 // +groupName=resource.k8s.io
 
 // Package v1alpha3 is the v1alpha3 version of the resource API.
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go b/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
index dc37717ef72eb..66b9f8f6203dc 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
@@ -24,284 +24,28 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CELDeviceSelector) Reset() { *m = CELDeviceSelector{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *DeviceSelector) Reset() { *m = DeviceSelector{} }
 
-func (m *CELDeviceSelector) Reset()      { *m = CELDeviceSelector{} }
-func (*CELDeviceSelector) ProtoMessage() {}
-func (*CELDeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{0}
-}
-func (m *CELDeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CELDeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CELDeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CELDeviceSelector.Merge(m, src)
-}
-func (m *CELDeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *CELDeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_CELDeviceSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CELDeviceSelector proto.InternalMessageInfo
-
-func (m *DeviceSelector) Reset()      { *m = DeviceSelector{} }
-func (*DeviceSelector) ProtoMessage() {}
-func (*DeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{1}
-}
-func (m *DeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSelector.Merge(m, src)
-}
-func (m *DeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceSelector proto.InternalMessageInfo
-
-func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
-func (*DeviceTaint) ProtoMessage() {}
-func (*DeviceTaint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{2}
-}
-func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaint.Merge(m, src)
-}
-func (m *DeviceTaint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
-
-func (m *DeviceTaintRule) Reset()      { *m = DeviceTaintRule{} }
-func (*DeviceTaintRule) ProtoMessage() {}
-func (*DeviceTaintRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{3}
-}
-func (m *DeviceTaintRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaintRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaintRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaintRule.Merge(m, src)
-}
-func (m *DeviceTaintRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaintRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaintRule.DiscardUnknown(m)
-}
+func (m *DeviceTaint) Reset() { *m = DeviceTaint{} }
 
-var xxx_messageInfo_DeviceTaintRule proto.InternalMessageInfo
+func (m *DeviceTaintRule) Reset() { *m = DeviceTaintRule{} }
 
-func (m *DeviceTaintRuleList) Reset()      { *m = DeviceTaintRuleList{} }
-func (*DeviceTaintRuleList) ProtoMessage() {}
-func (*DeviceTaintRuleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{4}
-}
-func (m *DeviceTaintRuleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaintRuleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaintRuleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaintRuleList.Merge(m, src)
-}
-func (m *DeviceTaintRuleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaintRuleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaintRuleList.DiscardUnknown(m)
-}
+func (m *DeviceTaintRuleList) Reset() { *m = DeviceTaintRuleList{} }
 
-var xxx_messageInfo_DeviceTaintRuleList proto.InternalMessageInfo
+func (m *DeviceTaintRuleSpec) Reset() { *m = DeviceTaintRuleSpec{} }
 
-func (m *DeviceTaintRuleSpec) Reset()      { *m = DeviceTaintRuleSpec{} }
-func (*DeviceTaintRuleSpec) ProtoMessage() {}
-func (*DeviceTaintRuleSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{5}
-}
-func (m *DeviceTaintRuleSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaintRuleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaintRuleSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaintRuleSpec.Merge(m, src)
-}
-func (m *DeviceTaintRuleSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaintRuleSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaintRuleSpec.DiscardUnknown(m)
-}
+func (m *DeviceTaintRuleStatus) Reset() { *m = DeviceTaintRuleStatus{} }
 
-var xxx_messageInfo_DeviceTaintRuleSpec proto.InternalMessageInfo
-
-func (m *DeviceTaintSelector) Reset()      { *m = DeviceTaintSelector{} }
-func (*DeviceTaintSelector) ProtoMessage() {}
-func (*DeviceTaintSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{6}
-}
-func (m *DeviceTaintSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaintSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaintSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaintSelector.Merge(m, src)
-}
-func (m *DeviceTaintSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaintSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaintSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceTaintSelector proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CELDeviceSelector)(nil), "k8s.io.api.resource.v1alpha3.CELDeviceSelector")
-	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1alpha3.DeviceSelector")
-	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaint")
-	proto.RegisterType((*DeviceTaintRule)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRule")
-	proto.RegisterType((*DeviceTaintRuleList)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRuleList")
-	proto.RegisterType((*DeviceTaintRuleSpec)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRuleSpec")
-	proto.RegisterType((*DeviceTaintSelector)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintSelector")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/resource/v1alpha3/generated.proto", fileDescriptor_66649ee9bbcd89d2)
-}
-
-var fileDescriptor_66649ee9bbcd89d2 = []byte{
-	// 716 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0xbf, 0x6f, 0xd3, 0x40,
-	0x14, 0x8e, 0x9b, 0xa4, 0x24, 0x17, 0xda, 0xd2, 0xeb, 0x12, 0x55, 0xc5, 0xae, 0xdc, 0xa5, 0xa0,
-	0xd6, 0x26, 0x01, 0x21, 0x04, 0x62, 0x20, 0x6d, 0x84, 0x80, 0x52, 0xd0, 0xb5, 0x02, 0x09, 0x15,
-	0x89, 0xab, 0xf3, 0x9a, 0x98, 0xd8, 0xb1, 0xe5, 0x73, 0x22, 0xba, 0xf5, 0x4f, 0x60, 0x84, 0x8d,
-	0xff, 0x86, 0x8c, 0x1d, 0x18, 0x3a, 0xa0, 0x88, 0x9a, 0xbf, 0x80, 0x95, 0x09, 0xdd, 0xf9, 0x12,
-	0xa7, 0x8e, 0x28, 0x61, 0x8b, 0xbf, 0xfb, 0xde, 0xf7, 0xde, 0xf7, 0x7e, 0x28, 0x68, 0xa3, 0x7d,
-	0x8f, 0x19, 0xb6, 0x67, 0x52, 0xdf, 0x36, 0x03, 0x60, 0x5e, 0x37, 0xb0, 0xc0, 0xec, 0x55, 0xa8,
-	0xe3, 0xb7, 0xe8, 0x6d, 0xb3, 0x09, 0x1d, 0x08, 0x68, 0x08, 0x0d, 0xc3, 0x0f, 0xbc, 0xd0, 0xc3,
-	0x2b, 0x31, 0xdb, 0xa0, 0xbe, 0x6d, 0x0c, 0xd9, 0xc6, 0x90, 0xbd, 0xbc, 0xd9, 0xb4, 0xc3, 0x56,
-	0xf7, 0xd0, 0xb0, 0x3c, 0xd7, 0x6c, 0x7a, 0x4d, 0xcf, 0x14, 0x41, 0x87, 0xdd, 0x23, 0xf1, 0x25,
-	0x3e, 0xc4, 0xaf, 0x58, 0x6c, 0xf9, 0x4e, 0x92, 0xda, 0xa5, 0x56, 0xcb, 0xee, 0x40, 0x70, 0x6c,
-	0xfa, 0xed, 0x26, 0x07, 0x98, 0xe9, 0x42, 0x48, 0xcd, 0x5e, 0x25, 0x5d, 0xc2, 0xb2, 0xf9, 0xb7,
-	0xa8, 0xa0, 0xdb, 0x09, 0x6d, 0x17, 0x26, 0x02, 0xee, 0xfe, 0x2b, 0x80, 0x59, 0x2d, 0x70, 0x69,
-	0x3a, 0x4e, 0x7f, 0x8c, 0x16, 0xb7, 0xea, 0x3b, 0xdb, 0xd0, 0xb3, 0x2d, 0xd8, 0x03, 0x07, 0xac,
-	0xd0, 0x0b, 0x70, 0x15, 0x21, 0xf8, 0xe0, 0x07, 0xc0, 0x98, 0xed, 0x75, 0xca, 0xca, 0xaa, 0xb2,
-	0x5e, 0xac, 0xe1, 0xfe, 0x40, 0xcb, 0x44, 0x03, 0x0d, 0xd5, 0x47, 0x2f, 0x64, 0x8c, 0xa5, 0x1f,
-	0xa0, 0xf9, 0x94, 0xca, 0x53, 0x94, 0xb5, 0xc0, 0x11, 0xe1, 0xa5, 0xaa, 0x69, 0x5c, 0xd6, 0x54,
-	0x63, 0xa2, 0x86, 0xda, 0x95, 0x68, 0xa0, 0x65, 0xb7, 0xea, 0x3b, 0x84, 0x8b, 0xe8, 0xbf, 0x14,
-	0x54, 0x8a, 0x09, 0xfb, 0xd4, 0xee, 0x84, 0xf8, 0x3a, 0xca, 0xb6, 0xe1, 0x58, 0x96, 0x56, 0x92,
-	0xa5, 0x65, 0x9f, 0xc1, 0x31, 0xe1, 0x38, 0x5e, 0x43, 0xf9, 0x1e, 0x75, 0xba, 0x50, 0x9e, 0x11,
-	0x84, 0x39, 0x49, 0xc8, 0xbf, 0xe2, 0x20, 0x89, 0xdf, 0xf0, 0x03, 0x34, 0x0b, 0x47, 0x47, 0x60,
-	0x85, 0xe5, 0xac, 0x60, 0xad, 0x49, 0xd6, 0x6c, 0x5d, 0xa0, 0xbf, 0x07, 0xda, 0xe2, 0x58, 0xca,
-	0x18, 0x24, 0x32, 0x04, 0xbf, 0x46, 0x45, 0xde, 0xd6, 0x47, 0x8d, 0x06, 0x34, 0xca, 0x39, 0x61,
-	0xf1, 0xe6, 0x98, 0xc5, 0xd1, 0x0c, 0x0c, 0xbf, 0xdd, 0xe4, 0x00, 0x33, 0xf8, 0xa8, 0x8d, 0x5e,
-	0xc5, 0xd8, 0xb7, 0x5d, 0xa8, 0xcd, 0x45, 0x03, 0xad, 0xb8, 0x3f, 0x14, 0x20, 0x89, 0xd6, 0xfd,
-	0xc2, 0xa7, 0x2f, 0x5a, 0xe6, 0xe4, 0xfb, 0x6a, 0x46, 0xef, 0x2b, 0x68, 0x61, 0xac, 0x00, 0xd2,
-	0x75, 0x00, 0xbf, 0x43, 0x05, 0xae, 0xd3, 0xa0, 0x21, 0x95, 0x8d, 0xbd, 0x35, 0x5d, 0xd6, 0x17,
-	0x87, 0xef, 0xc1, 0x0a, 0x9f, 0x43, 0x48, 0x93, 0x49, 0x26, 0x18, 0x19, 0xa9, 0xe2, 0x3d, 0x94,
-	0x63, 0x3e, 0x58, 0xa2, 0x73, 0xa5, 0x6a, 0xe5, 0xf2, 0xb1, 0xa5, 0xca, 0xdb, 0xf3, 0xc1, 0xaa,
-	0x5d, 0x95, 0xf2, 0x39, 0xfe, 0x45, 0x84, 0x98, 0xfe, 0x55, 0x41, 0x4b, 0x29, 0xee, 0x8e, 0xcd,
-	0x42, 0x7c, 0x30, 0x61, 0xc7, 0x98, 0xce, 0x0e, 0x8f, 0x16, 0x66, 0xae, 0xc9, 0x6c, 0x85, 0x21,
-	0x32, 0x66, 0x85, 0xa0, 0xbc, 0x1d, 0x82, 0xcb, 0xca, 0x33, 0xab, 0xd9, 0xf5, 0x52, 0x75, 0xf3,
-	0xbf, 0xbc, 0x24, 0x4b, 0xf3, 0x84, 0x6b, 0x90, 0x58, 0x4a, 0xff, 0x36, 0xe9, 0x84, 0xfb, 0xc4,
-	0x2e, 0x9a, 0x6f, 0x5c, 0x58, 0x60, 0xe9, 0x67, 0xfa, 0x06, 0x8e, 0x36, 0x1f, 0x47, 0x03, 0x2d,
-	0x75, 0x4b, 0x24, 0x25, 0x8e, 0x77, 0x51, 0x3e, 0xe4, 0x41, 0x72, 0x4c, 0x37, 0xa6, 0xce, 0x92,
-	0xd8, 0x8a, 0xeb, 0x8f, 0x65, 0xf4, 0xcf, 0x33, 0x17, 0x6c, 0x8d, 0xf2, 0x3c, 0x44, 0x0b, 0x71,
-	0xe6, 0x2d, 0x87, 0x32, 0xb6, 0x4b, 0x5d, 0x90, 0x37, 0xb7, 0x14, 0x0d, 0x34, 0xb9, 0x9d, 0xa3,
-	0x27, 0x92, 0xe6, 0x62, 0x1d, 0xcd, 0x36, 0x02, 0xbb, 0x07, 0x81, 0x3c, 0x44, 0xc4, 0xcf, 0x6b,
-	0x5b, 0x20, 0x44, 0xbe, 0xe0, 0x15, 0x94, 0xf3, 0x3d, 0xcf, 0x91, 0x47, 0x58, 0xe0, 0x9b, 0xf3,
-	0xd2, 0xf3, 0x1c, 0x22, 0x50, 0xa1, 0x20, 0x44, 0xc5, 0x91, 0x0d, 0x15, 0x04, 0x42, 0xe4, 0x0b,
-	0x7e, 0x8b, 0x8a, 0x4c, 0x16, 0xcc, 0xca, 0x79, 0x31, 0xeb, 0x8d, 0x69, 0x1a, 0x32, 0xea, 0xf8,
-	0xa2, 0xec, 0x49, 0x71, 0x88, 0x30, 0x92, 0x28, 0xd6, 0x6a, 0xfd, 0x73, 0x35, 0x73, 0x7a, 0xae,
-	0x66, 0xce, 0xce, 0xd5, 0xcc, 0x49, 0xa4, 0x2a, 0xfd, 0x48, 0x55, 0x4e, 0x23, 0x55, 0x39, 0x8b,
-	0x54, 0xe5, 0x47, 0xa4, 0x2a, 0x1f, 0x7f, 0xaa, 0x99, 0x37, 0x2b, 0x97, 0xfd, 0xc5, 0xfc, 0x09,
-	0x00, 0x00, 0xff, 0xff, 0x7e, 0xb1, 0x06, 0x7b, 0x81, 0x06, 0x00, 0x00,
-}
+func (m *DeviceTaintSelector) Reset() { *m = DeviceTaintSelector{} }
 
 func (m *CELDeviceSelector) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -436,6 +180,16 @@ func (m *DeviceTaintRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	{
+		size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x1a
 	{
 		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
 		if err != nil {
@@ -551,7 +305,7 @@ func (m *DeviceTaintRuleSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
-func (m *DeviceTaintSelector) Marshal() (dAtA []byte, err error) {
+func (m *DeviceTaintRuleStatus) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
 	n, err := m.MarshalToSizedBuffer(dAtA[:size])
@@ -561,20 +315,20 @@ func (m *DeviceTaintSelector) Marshal() (dAtA []byte, err error) {
 	return dAtA[:n], nil
 }
 
-func (m *DeviceTaintSelector) MarshalTo(dAtA []byte) (int, error) {
+func (m *DeviceTaintRuleStatus) MarshalTo(dAtA []byte) (int, error) {
 	size := m.Size()
 	return m.MarshalToSizedBuffer(dAtA[:size])
 }
 
-func (m *DeviceTaintSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+func (m *DeviceTaintRuleStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	i := len(dAtA)
 	_ = i
 	var l int
 	_ = l
-	if len(m.Selectors) > 0 {
-		for iNdEx := len(m.Selectors) - 1; iNdEx >= 0; iNdEx-- {
+	if len(m.Conditions) > 0 {
+		for iNdEx := len(m.Conditions) - 1; iNdEx >= 0; iNdEx-- {
 			{
-				size, err := m.Selectors[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				size, err := m.Conditions[iNdEx].MarshalToSizedBuffer(dAtA[:i])
 				if err != nil {
 					return 0, err
 				}
@@ -582,9 +336,32 @@ func (m *DeviceTaintSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 				i = encodeVarintGenerated(dAtA, i, uint64(size))
 			}
 			i--
-			dAtA[i] = 0x2a
+			dAtA[i] = 0xa
 		}
 	}
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceTaintSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaintSelector) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaintSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
 	if m.Device != nil {
 		i -= len(*m.Device)
 		copy(dAtA[i:], *m.Device)
@@ -606,13 +383,6 @@ func (m *DeviceTaintSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i--
 		dAtA[i] = 0x12
 	}
-	if m.DeviceClassName != nil {
-		i -= len(*m.DeviceClassName)
-		copy(dAtA[i:], *m.DeviceClassName)
-		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.DeviceClassName)))
-		i--
-		dAtA[i] = 0xa
-	}
 	return len(dAtA) - i, nil
 }
 
@@ -680,6 +450,8 @@ func (m *DeviceTaintRule) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = m.Spec.Size()
 	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
 	return n
 }
 
@@ -715,16 +487,27 @@ func (m *DeviceTaintRuleSpec) Size() (n int) {
 	return n
 }
 
-func (m *DeviceTaintSelector) Size() (n int) {
+func (m *DeviceTaintRuleStatus) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	if m.DeviceClassName != nil {
-		l = len(*m.DeviceClassName)
-		n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeviceTaintSelector) Size() (n int) {
+	if m == nil {
+		return 0
 	}
+	var l int
+	_ = l
 	if m.Driver != nil {
 		l = len(*m.Driver)
 		n += 1 + l + sovGenerated(uint64(l))
@@ -737,12 +520,6 @@ func (m *DeviceTaintSelector) Size() (n int) {
 		l = len(*m.Device)
 		n += 1 + l + sovGenerated(uint64(l))
 	}
-	if len(m.Selectors) > 0 {
-		for _, e := range m.Selectors {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
 	return n
 }
 
@@ -779,6 +556,7 @@ func (this *DeviceTaintRule) String() string {
 	s := strings.Join([]string{`&DeviceTaintRule{`,
 		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
 		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DeviceTaintRuleSpec", "DeviceTaintRuleSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DeviceTaintRuleStatus", "DeviceTaintRuleStatus", 1), `&`, ``, 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -810,21 +588,29 @@ func (this *DeviceTaintRuleSpec) String() string {
 	}, "")
 	return s
 }
-func (this *DeviceTaintSelector) String() string {
+func (this *DeviceTaintRuleStatus) String() string {
 	if this == nil {
 		return "nil"
 	}
-	repeatedStringForSelectors := "[]DeviceSelector{"
-	for _, f := range this.Selectors {
-		repeatedStringForSelectors += strings.Replace(strings.Replace(f.String(), "DeviceSelector", "DeviceSelector", 1), `&`, ``, 1) + ","
+	repeatedStringForConditions := "[]Condition{"
+	for _, f := range this.Conditions {
+		repeatedStringForConditions += fmt.Sprintf("%v", f) + ","
+	}
+	repeatedStringForConditions += "}"
+	s := strings.Join([]string{`&DeviceTaintRuleStatus{`,
+		`Conditions:` + repeatedStringForConditions + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaintSelector) String() string {
+	if this == nil {
+		return "nil"
 	}
-	repeatedStringForSelectors += "}"
 	s := strings.Join([]string{`&DeviceTaintSelector{`,
-		`DeviceClassName:` + valueToStringGenerated(this.DeviceClassName) + `,`,
 		`Driver:` + valueToStringGenerated(this.Driver) + `,`,
 		`Pool:` + valueToStringGenerated(this.Pool) + `,`,
 		`Device:` + valueToStringGenerated(this.Device) + `,`,
-		`Selectors:` + repeatedStringForSelectors + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1282,6 +1068,39 @@ func (m *DeviceTaintRule) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -1539,7 +1358,7 @@ func (m *DeviceTaintRuleSpec) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
+func (m *DeviceTaintRuleStatus) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -1562,17 +1381,17 @@ func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: DeviceTaintSelector: wiretype end group for non-group")
+			return fmt.Errorf("proto: DeviceTaintRuleStatus: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: DeviceTaintSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: DeviceTaintRuleStatus: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field DeviceClassName", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -1582,25 +1401,76 @@ func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			s := string(dAtA[iNdEx:postIndex])
-			m.DeviceClassName = &s
+			m.Conditions = append(m.Conditions, v1.Condition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaintSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaintSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
 		case 2:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Driver", wireType)
@@ -1700,40 +1570,6 @@ func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
 			s := string(dAtA[iNdEx:postIndex])
 			m.Device = &s
 			iNdEx = postIndex
-		case 5:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Selectors", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Selectors = append(m.Selectors, DeviceSelector{})
-			if err := m.Selectors[len(m.Selectors)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/generated.proto b/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
index d334479007ea1..6414216db2967 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
@@ -114,8 +114,10 @@ message DeviceTaint {
 
   // The effect of the taint on claims that do not tolerate the taint
   // and through such claims on the pods using them.
-  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-  // nodes is not valid here.
+  //
+  // Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here. More effects may get added in the future.
+  // Consumers must treat unknown effects like None.
   //
   // +required
   optional string effect = 3;
@@ -139,6 +141,11 @@ message DeviceTaintRule {
   //
   // Changing the spec automatically increments the metadata.generation number.
   optional DeviceTaintRuleSpec spec = 2;
+
+  // Status provides information about what was requested in the spec.
+  //
+  // +optional
+  optional DeviceTaintRuleStatus status = 3;
 }
 
 // DeviceTaintRuleList is a collection of DeviceTaintRules.
@@ -154,7 +161,7 @@ message DeviceTaintRuleList {
 // DeviceTaintRuleSpec specifies the selector and one taint.
 message DeviceTaintRuleSpec {
   // DeviceSelector defines which device(s) the taint is applied to.
-  // All selector criteria must be satified for a device to
+  // All selector criteria must be satisfied for a device to
   // match. The empty selector matches all devices. Without
   // a selector, no devices are matches.
   //
@@ -167,17 +174,41 @@ message DeviceTaintRuleSpec {
   optional DeviceTaint taint = 2;
 }
 
+// DeviceTaintRuleStatus provides information about an on-going pod eviction.
+message DeviceTaintRuleStatus {
+  // Conditions provide information about the state of the DeviceTaintRule
+  // and the cluster at some point in time,
+  // in a machine-readable and human-readable format.
+  //
+  // The following condition is currently defined as part of this API, more may
+  // get added:
+  // - Type: EvictionInProgress
+  // - Status: True if there are currently pods which need to be evicted, False otherwise
+  //   (includes the effects which don't cause eviction).
+  // - Reason: not specified, may change
+  // - Message: includes information about number of pending pods and already evicted pods
+  //   in a human-readable format, updated periodically, may change
+  //
+  // For `effect: None`, the condition above gets set once for each change to
+  // the spec, with the message containing information about what would happen
+  // if the effect was `NoExecute`. This feedback can be used to decide whether
+  // changing the effect to `NoExecute` will work as intended. It only gets
+  // set once to avoid having to constantly update the status.
+  //
+  // Must have 8 or fewer entries.
+  //
+  // +optional
+  // +listType=map
+  // +listMapKey=type
+  // +patchStrategy=merge
+  // +patchMergeKey=type
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;
+}
+
 // DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to.
 // The empty selector matches all devices. Without a selector, no devices
 // are matched.
 message DeviceTaintSelector {
-  // If DeviceClassName is set, the selectors defined there must be
-  // satisfied by a device to be selected. This field corresponds
-  // to class.metadata.name.
-  //
-  // +optional
-  optional string deviceClassName = 1;
-
   // If driver is set, only devices from that driver are selected.
   // This fields corresponds to slice.spec.driver.
   //
@@ -204,13 +235,5 @@ message DeviceTaintSelector {
   //
   // +optional
   optional string device = 4;
-
-  // Selectors contains the same selection criteria as a ResourceClaim.
-  // Currently, CEL expressions are supported. All of these selectors
-  // must be satisfied.
-  //
-  // +optional
-  // +listType=atomic
-  repeated DeviceSelector selectors = 5;
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/generated.protomessage.pb.go b/staging/src/k8s.io/api/resource/v1alpha3/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..aba6231f3d333
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1alpha3/generated.protomessage.pb.go
@@ -0,0 +1,38 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha3
+
+func (*CELDeviceSelector) ProtoMessage() {}
+
+func (*DeviceSelector) ProtoMessage() {}
+
+func (*DeviceTaint) ProtoMessage() {}
+
+func (*DeviceTaintRule) ProtoMessage() {}
+
+func (*DeviceTaintRuleList) ProtoMessage() {}
+
+func (*DeviceTaintRuleSpec) ProtoMessage() {}
+
+func (*DeviceTaintRuleStatus) ProtoMessage() {}
+
+func (*DeviceTaintSelector) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/types.go b/staging/src/k8s.io/api/resource/v1alpha3/types.go
index da9a9ca286b51..ba02edabaa622 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/types.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/types.go
@@ -134,8 +134,10 @@ type DeviceTaint struct {
 
 	// The effect of the taint on claims that do not tolerate the taint
 	// and through such claims on the pods using them.
-	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-	// nodes is not valid here.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
 	//
 	// +required
 	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
@@ -144,6 +146,14 @@ type DeviceTaint struct {
 	//
 	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
 	// It might get added as part of that.
+	//
+	// A possible future new effect is NoExecuteWithPodDisruptionBudget:
+	// honor the pod disruption budget instead of simply deleting pods.
+	// This is currently undecided, it could also be a separate field.
+	//
+	// Validation must be prepared to allow unknown enums in stored objects,
+	// which will enable adding new enums within a single release without
+	// ratcheting.
 
 	// TimeAdded represents the time at which the taint was added.
 	// Added automatically during create or update if not set.
@@ -162,6 +172,9 @@ type DeviceTaint struct {
 type DeviceTaintEffect string
 
 const (
+	// No effect, the taint is purely informational.
+	DeviceTaintEffectNone DeviceTaintEffect = "None"
+
 	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
 	// but allow all pods submitted to Kubelet without going through the scheduler
 	// to start, and allow all already-running pods to continue running.
@@ -190,18 +203,16 @@ type DeviceTaintRule struct {
 	// Changing the spec automatically increments the metadata.generation number.
 	Spec DeviceTaintRuleSpec `json:"spec" protobuf:"bytes,2,name=spec"`
 
-	// ^^^
-	// A spec gets added because adding a status seems likely.
-	// Such a status could provide feedback on applying the
-	// eviction and/or statistics (number of matching devices,
-	// affected allocated claims, pods remaining to be evicted,
-	// etc.).
+	// Status provides information about what was requested in the spec.
+	//
+	// +optional
+	Status DeviceTaintRuleStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
 }
 
 // DeviceTaintRuleSpec specifies the selector and one taint.
 type DeviceTaintRuleSpec struct {
 	// DeviceSelector defines which device(s) the taint is applied to.
-	// All selector criteria must be satified for a device to
+	// All selector criteria must be satisfied for a device to
 	// match. The empty selector matches all devices. Without
 	// a selector, no devices are matches.
 	//
@@ -223,7 +234,12 @@ type DeviceTaintSelector struct {
 	// to class.metadata.name.
 	//
 	// +optional
-	DeviceClassName *string `json:"deviceClassName,omitempty" protobuf:"bytes,1,opt,name=deviceClassName"`
+	//
+	// Tombstoned since 1.35 because it turned out that supporting this in all cases
+	// would depend on copying the device attributes into the ResourceClaim allocation
+	// result. Without that the eviction controller cannot evaluate these CEL expressions.
+	//
+	// DeviceClassName *string `json:"deviceClassName,omitempty" protobuf:"bytes,1,opt,name=deviceClassName"`
 
 	// If driver is set, only devices from that driver are selected.
 	// This fields corresponds to slice.spec.driver.
@@ -258,9 +274,51 @@ type DeviceTaintSelector struct {
 	//
 	// +optional
 	// +listType=atomic
-	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,5,rep,name=selectors"`
+	//
+	// Tombstoned since 1.35 because it turned out that supporting this in all cases
+	// would depend on copying the device attributes into the ResourceClaim allocation
+	// result. Without that the eviction controller cannot evaluate these CEL expressions.
+	//
+	// Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,5,rep,name=selectors"`
+}
+
+// DeviceTaintRuleStatus provides information about an on-going pod eviction.
+type DeviceTaintRuleStatus struct {
+	// Conditions provide information about the state of the DeviceTaintRule
+	// and the cluster at some point in time,
+	// in a machine-readable and human-readable format.
+	//
+	// The following condition is currently defined as part of this API, more may
+	// get added:
+	// - Type: EvictionInProgress
+	// - Status: True if there are currently pods which need to be evicted, False otherwise
+	//   (includes the effects which don't cause eviction).
+	// - Reason: not specified, may change
+	// - Message: includes information about number of pending pods and already evicted pods
+	//   in a human-readable format, updated periodically, may change
+	//
+	// For `effect: None`, the condition above gets set once for each change to
+	// the spec, with the message containing information about what would happen
+	// if the effect was `NoExecute`. This feedback can be used to decide whether
+	// changing the effect to `NoExecute` will work as intended. It only gets
+	// set once to avoid having to constantly update the status.
+	//
+	// Must have 8 or fewer entries.
+	//
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	// +patchStrategy=merge
+	// +patchMergeKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 }
 
+// DeviceTaintRuleStatusMaxConditions is the maximum number of conditions in DeviceTaintRuleStatus.
+const DeviceTaintRuleStatusMaxConditions = 8
+
+// DeviceTaintConditionEvictionInProgress is the publicly documented condition type for the DeviceTaintRuleStatus.
+const DeviceTaintConditionEvictionInProgress = "EvictionInProgress"
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.33
 
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
index 6c4c4eb1b11b0..30981bd7e600e 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
@@ -49,7 +49,7 @@ var map_DeviceTaint = map[string]string{
 	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
 	"key":       "The taint key to be applied to a device. Must be a label name.",
 	"value":     "The taint value corresponding to the taint key. Must be a label value.",
-	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
 	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
 }
 
@@ -61,6 +61,7 @@ var map_DeviceTaintRule = map[string]string{
 	"":         "DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.",
 	"metadata": "Standard object metadata",
 	"spec":     "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number.",
+	"status":   "Status provides information about what was requested in the spec.",
 }
 
 func (DeviceTaintRule) SwaggerDoc() map[string]string {
@@ -79,7 +80,7 @@ func (DeviceTaintRuleList) SwaggerDoc() map[string]string {
 
 var map_DeviceTaintRuleSpec = map[string]string{
 	"":               "DeviceTaintRuleSpec specifies the selector and one taint.",
-	"deviceSelector": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
+	"deviceSelector": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satisfied for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
 	"taint":          "The taint that gets applied to matching devices.",
 }
 
@@ -87,13 +88,20 @@ func (DeviceTaintRuleSpec) SwaggerDoc() map[string]string {
 	return map_DeviceTaintRuleSpec
 }
 
+var map_DeviceTaintRuleStatus = map[string]string{
+	"":           "DeviceTaintRuleStatus provides information about an on-going pod eviction.",
+	"conditions": "Conditions provide information about the state of the DeviceTaintRule and the cluster at some point in time, in a machine-readable and human-readable format.\n\nThe following condition is currently defined as part of this API, more may get added: - Type: EvictionInProgress - Status: True if there are currently pods which need to be evicted, False otherwise\n  (includes the effects which don't cause eviction).\n- Reason: not specified, may change - Message: includes information about number of pending pods and already evicted pods\n  in a human-readable format, updated periodically, may change\n\nFor `effect: None`, the condition above gets set once for each change to the spec, with the message containing information about what would happen if the effect was `NoExecute`. This feedback can be used to decide whether changing the effect to `NoExecute` will work as intended. It only gets set once to avoid having to constantly update the status.\n\nMust have 8 or fewer entries.",
+}
+
+func (DeviceTaintRuleStatus) SwaggerDoc() map[string]string {
+	return map_DeviceTaintRuleStatus
+}
+
 var map_DeviceTaintSelector = map[string]string{
-	"":                "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
-	"deviceClassName": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
-	"driver":          "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
-	"pool":            "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
-	"device":          "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
-	"selectors":       "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
+	"":       "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+	"driver": "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
+	"pool":   "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
+	"device": "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
 }
 
 func (DeviceTaintSelector) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
index e10736b97e4c2..6813ab043c6df 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
@@ -22,6 +22,7 @@ limitations under the License.
 package v1alpha3
 
 import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -88,6 +89,7 @@ func (in *DeviceTaintRule) DeepCopyInto(out *DeviceTaintRule) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 	return
 }
 
@@ -165,13 +167,31 @@ func (in *DeviceTaintRuleSpec) DeepCopy() *DeviceTaintRuleSpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+func (in *DeviceTaintRuleStatus) DeepCopyInto(out *DeviceTaintRuleStatus) {
 	*out = *in
-	if in.DeviceClassName != nil {
-		in, out := &in.DeviceClassName, &out.DeviceClassName
-		*out = new(string)
-		**out = **in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleStatus.
+func (in *DeviceTaintRuleStatus) DeepCopy() *DeviceTaintRuleStatus {
+	if in == nil {
+		return nil
 	}
+	out := new(DeviceTaintRuleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+	*out = *in
 	if in.Driver != nil {
 		in, out := &in.Driver, &out.Driver
 		*out = new(string)
@@ -187,13 +207,6 @@ func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.Selectors != nil {
-		in, out := &in.Selectors, &out.Selectors
-		*out = make([]DeviceSelector, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
 	return
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.model_name.go b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.model_name.go
new file mode 100644
index 0000000000000..1c1672b4d61db
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.model_name.go
@@ -0,0 +1,62 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha3
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CELDeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.CELDeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintRule) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintRuleList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintRuleSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintRuleStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1alpha3.DeviceTaintSelector"
+}
diff --git a/staging/src/k8s.io/api/resource/v1beta1/doc.go b/staging/src/k8s.io/api/resource/v1beta1/doc.go
index 1e08b69a17560..290c7bacff929 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.resource.v1beta1
+
 // +groupName=resource.k8s.io
 
 // Package v1beta1 is the v1beta1 version of the resource API.
diff --git a/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go b/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
index c1f9ab09ed366..1ac7de8a8fcf7 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
@@ -23,15 +23,13 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -39,1470 +37,91 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AllocatedDeviceStatus) Reset() { *m = AllocatedDeviceStatus{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AllocationResult) Reset() { *m = AllocationResult{} }
 
-func (m *AllocatedDeviceStatus) Reset()      { *m = AllocatedDeviceStatus{} }
-func (*AllocatedDeviceStatus) ProtoMessage() {}
-func (*AllocatedDeviceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{0}
-}
-func (m *AllocatedDeviceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocatedDeviceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocatedDeviceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocatedDeviceStatus.Merge(m, src)
-}
-func (m *AllocatedDeviceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocatedDeviceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocatedDeviceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocatedDeviceStatus proto.InternalMessageInfo
-
-func (m *AllocationResult) Reset()      { *m = AllocationResult{} }
-func (*AllocationResult) ProtoMessage() {}
-func (*AllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{1}
-}
-func (m *AllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocationResult.Merge(m, src)
-}
-func (m *AllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocationResult proto.InternalMessageInfo
-
-func (m *BasicDevice) Reset()      { *m = BasicDevice{} }
-func (*BasicDevice) ProtoMessage() {}
-func (*BasicDevice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{2}
-}
-func (m *BasicDevice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BasicDevice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BasicDevice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BasicDevice.Merge(m, src)
-}
-func (m *BasicDevice) XXX_Size() int {
-	return m.Size()
-}
-func (m *BasicDevice) XXX_DiscardUnknown() {
-	xxx_messageInfo_BasicDevice.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BasicDevice proto.InternalMessageInfo
-
-func (m *CELDeviceSelector) Reset()      { *m = CELDeviceSelector{} }
-func (*CELDeviceSelector) ProtoMessage() {}
-func (*CELDeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{3}
-}
-func (m *CELDeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CELDeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CELDeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CELDeviceSelector.Merge(m, src)
-}
-func (m *CELDeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *CELDeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_CELDeviceSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CELDeviceSelector proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicy) Reset()      { *m = CapacityRequestPolicy{} }
-func (*CapacityRequestPolicy) ProtoMessage() {}
-func (*CapacityRequestPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{4}
-}
-func (m *CapacityRequestPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicy.Merge(m, src)
-}
-func (m *CapacityRequestPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicy proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicyRange) Reset()      { *m = CapacityRequestPolicyRange{} }
-func (*CapacityRequestPolicyRange) ProtoMessage() {}
-func (*CapacityRequestPolicyRange) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{5}
-}
-func (m *CapacityRequestPolicyRange) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicyRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicyRange) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicyRange.Merge(m, src)
-}
-func (m *CapacityRequestPolicyRange) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicyRange) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicyRange.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicyRange proto.InternalMessageInfo
-
-func (m *CapacityRequirements) Reset()      { *m = CapacityRequirements{} }
-func (*CapacityRequirements) ProtoMessage() {}
-func (*CapacityRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{6}
-}
-func (m *CapacityRequirements) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequirements) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequirements) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequirements.Merge(m, src)
-}
-func (m *CapacityRequirements) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequirements) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequirements.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequirements proto.InternalMessageInfo
-
-func (m *Counter) Reset()      { *m = Counter{} }
-func (*Counter) ProtoMessage() {}
-func (*Counter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{7}
-}
-func (m *Counter) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Counter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Counter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Counter.Merge(m, src)
-}
-func (m *Counter) XXX_Size() int {
-	return m.Size()
-}
-func (m *Counter) XXX_DiscardUnknown() {
-	xxx_messageInfo_Counter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Counter proto.InternalMessageInfo
-
-func (m *CounterSet) Reset()      { *m = CounterSet{} }
-func (*CounterSet) ProtoMessage() {}
-func (*CounterSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{8}
-}
-func (m *CounterSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CounterSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CounterSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CounterSet.Merge(m, src)
-}
-func (m *CounterSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *CounterSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_CounterSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CounterSet proto.InternalMessageInfo
-
-func (m *Device) Reset()      { *m = Device{} }
-func (*Device) ProtoMessage() {}
-func (*Device) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{9}
-}
-func (m *Device) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Device) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Device) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Device.Merge(m, src)
-}
-func (m *Device) XXX_Size() int {
-	return m.Size()
-}
-func (m *Device) XXX_DiscardUnknown() {
-	xxx_messageInfo_Device.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Device proto.InternalMessageInfo
-
-func (m *DeviceAllocationConfiguration) Reset()      { *m = DeviceAllocationConfiguration{} }
-func (*DeviceAllocationConfiguration) ProtoMessage() {}
-func (*DeviceAllocationConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{10}
-}
-func (m *DeviceAllocationConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationConfiguration.Merge(m, src)
-}
-func (m *DeviceAllocationConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationConfiguration proto.InternalMessageInfo
-
-func (m *DeviceAllocationResult) Reset()      { *m = DeviceAllocationResult{} }
-func (*DeviceAllocationResult) ProtoMessage() {}
-func (*DeviceAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{11}
-}
-func (m *DeviceAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationResult.Merge(m, src)
-}
-func (m *DeviceAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationResult proto.InternalMessageInfo
-
-func (m *DeviceAttribute) Reset()      { *m = DeviceAttribute{} }
-func (*DeviceAttribute) ProtoMessage() {}
-func (*DeviceAttribute) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{12}
-}
-func (m *DeviceAttribute) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAttribute) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAttribute) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAttribute.Merge(m, src)
-}
-func (m *DeviceAttribute) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAttribute) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAttribute.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAttribute proto.InternalMessageInfo
-
-func (m *DeviceCapacity) Reset()      { *m = DeviceCapacity{} }
-func (*DeviceCapacity) ProtoMessage() {}
-func (*DeviceCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{13}
-}
-func (m *DeviceCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCapacity.Merge(m, src)
-}
-func (m *DeviceCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCapacity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceCapacity proto.InternalMessageInfo
-
-func (m *DeviceClaim) Reset()      { *m = DeviceClaim{} }
-func (*DeviceClaim) ProtoMessage() {}
-func (*DeviceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{14}
-}
-func (m *DeviceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaim.Merge(m, src)
-}
-func (m *DeviceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaim proto.InternalMessageInfo
-
-func (m *DeviceClaimConfiguration) Reset()      { *m = DeviceClaimConfiguration{} }
-func (*DeviceClaimConfiguration) ProtoMessage() {}
-func (*DeviceClaimConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{15}
-}
-func (m *DeviceClaimConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaimConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaimConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaimConfiguration.Merge(m, src)
-}
-func (m *DeviceClaimConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaimConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaimConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaimConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClass) Reset()      { *m = DeviceClass{} }
-func (*DeviceClass) ProtoMessage() {}
-func (*DeviceClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{16}
-}
-func (m *DeviceClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClass.Merge(m, src)
-}
-func (m *DeviceClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClass proto.InternalMessageInfo
-
-func (m *DeviceClassConfiguration) Reset()      { *m = DeviceClassConfiguration{} }
-func (*DeviceClassConfiguration) ProtoMessage() {}
-func (*DeviceClassConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{17}
-}
-func (m *DeviceClassConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassConfiguration.Merge(m, src)
-}
-func (m *DeviceClassConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClassList) Reset()      { *m = DeviceClassList{} }
-func (*DeviceClassList) ProtoMessage() {}
-func (*DeviceClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{18}
-}
-func (m *DeviceClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassList.Merge(m, src)
-}
-func (m *DeviceClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassList proto.InternalMessageInfo
-
-func (m *DeviceClassSpec) Reset()      { *m = DeviceClassSpec{} }
-func (*DeviceClassSpec) ProtoMessage() {}
-func (*DeviceClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{19}
-}
-func (m *DeviceClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassSpec.Merge(m, src)
-}
-func (m *DeviceClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassSpec.DiscardUnknown(m)
-}
+func (m *BasicDevice) Reset() { *m = BasicDevice{} }
 
-var xxx_messageInfo_DeviceClassSpec proto.InternalMessageInfo
+func (m *CELDeviceSelector) Reset() { *m = CELDeviceSelector{} }
 
-func (m *DeviceConfiguration) Reset()      { *m = DeviceConfiguration{} }
-func (*DeviceConfiguration) ProtoMessage() {}
-func (*DeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{20}
-}
-func (m *DeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConfiguration.Merge(m, src)
-}
-func (m *DeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConfiguration.DiscardUnknown(m)
-}
+func (m *CapacityRequestPolicy) Reset() { *m = CapacityRequestPolicy{} }
 
-var xxx_messageInfo_DeviceConfiguration proto.InternalMessageInfo
+func (m *CapacityRequestPolicyRange) Reset() { *m = CapacityRequestPolicyRange{} }
 
-func (m *DeviceConstraint) Reset()      { *m = DeviceConstraint{} }
-func (*DeviceConstraint) ProtoMessage() {}
-func (*DeviceConstraint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{21}
-}
-func (m *DeviceConstraint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConstraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConstraint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConstraint.Merge(m, src)
-}
-func (m *DeviceConstraint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConstraint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConstraint.DiscardUnknown(m)
-}
+func (m *CapacityRequirements) Reset() { *m = CapacityRequirements{} }
 
-var xxx_messageInfo_DeviceConstraint proto.InternalMessageInfo
+func (m *Counter) Reset() { *m = Counter{} }
 
-func (m *DeviceCounterConsumption) Reset()      { *m = DeviceCounterConsumption{} }
-func (*DeviceCounterConsumption) ProtoMessage() {}
-func (*DeviceCounterConsumption) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{22}
-}
-func (m *DeviceCounterConsumption) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCounterConsumption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCounterConsumption) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCounterConsumption.Merge(m, src)
-}
-func (m *DeviceCounterConsumption) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCounterConsumption) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCounterConsumption.DiscardUnknown(m)
-}
+func (m *CounterSet) Reset() { *m = CounterSet{} }
 
-var xxx_messageInfo_DeviceCounterConsumption proto.InternalMessageInfo
+func (m *Device) Reset() { *m = Device{} }
 
-func (m *DeviceRequest) Reset()      { *m = DeviceRequest{} }
-func (*DeviceRequest) ProtoMessage() {}
-func (*DeviceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{23}
-}
-func (m *DeviceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequest.Merge(m, src)
-}
-func (m *DeviceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequest.DiscardUnknown(m)
-}
+func (m *DeviceAllocationConfiguration) Reset() { *m = DeviceAllocationConfiguration{} }
 
-var xxx_messageInfo_DeviceRequest proto.InternalMessageInfo
+func (m *DeviceAllocationResult) Reset() { *m = DeviceAllocationResult{} }
 
-func (m *DeviceRequestAllocationResult) Reset()      { *m = DeviceRequestAllocationResult{} }
-func (*DeviceRequestAllocationResult) ProtoMessage() {}
-func (*DeviceRequestAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{24}
-}
-func (m *DeviceRequestAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequestAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequestAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequestAllocationResult.Merge(m, src)
-}
-func (m *DeviceRequestAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequestAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequestAllocationResult.DiscardUnknown(m)
-}
+func (m *DeviceAttribute) Reset() { *m = DeviceAttribute{} }
 
-var xxx_messageInfo_DeviceRequestAllocationResult proto.InternalMessageInfo
+func (m *DeviceCapacity) Reset() { *m = DeviceCapacity{} }
 
-func (m *DeviceSelector) Reset()      { *m = DeviceSelector{} }
-func (*DeviceSelector) ProtoMessage() {}
-func (*DeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{25}
-}
-func (m *DeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSelector.Merge(m, src)
-}
-func (m *DeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSelector.DiscardUnknown(m)
-}
+func (m *DeviceClaim) Reset() { *m = DeviceClaim{} }
 
-var xxx_messageInfo_DeviceSelector proto.InternalMessageInfo
+func (m *DeviceClaimConfiguration) Reset() { *m = DeviceClaimConfiguration{} }
 
-func (m *DeviceSubRequest) Reset()      { *m = DeviceSubRequest{} }
-func (*DeviceSubRequest) ProtoMessage() {}
-func (*DeviceSubRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{26}
-}
-func (m *DeviceSubRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSubRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSubRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSubRequest.Merge(m, src)
-}
-func (m *DeviceSubRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSubRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSubRequest.DiscardUnknown(m)
-}
+func (m *DeviceClass) Reset() { *m = DeviceClass{} }
 
-var xxx_messageInfo_DeviceSubRequest proto.InternalMessageInfo
+func (m *DeviceClassConfiguration) Reset() { *m = DeviceClassConfiguration{} }
 
-func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
-func (*DeviceTaint) ProtoMessage() {}
-func (*DeviceTaint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{27}
-}
-func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaint.Merge(m, src)
-}
-func (m *DeviceTaint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
-
-func (m *DeviceToleration) Reset()      { *m = DeviceToleration{} }
-func (*DeviceToleration) ProtoMessage() {}
-func (*DeviceToleration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{28}
-}
-func (m *DeviceToleration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceToleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceToleration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceToleration.Merge(m, src)
-}
-func (m *DeviceToleration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceToleration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceToleration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceToleration proto.InternalMessageInfo
-
-func (m *NetworkDeviceData) Reset()      { *m = NetworkDeviceData{} }
-func (*NetworkDeviceData) ProtoMessage() {}
-func (*NetworkDeviceData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{29}
-}
-func (m *NetworkDeviceData) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkDeviceData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkDeviceData) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkDeviceData.Merge(m, src)
-}
-func (m *NetworkDeviceData) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkDeviceData) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkDeviceData.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetworkDeviceData proto.InternalMessageInfo
-
-func (m *OpaqueDeviceConfiguration) Reset()      { *m = OpaqueDeviceConfiguration{} }
-func (*OpaqueDeviceConfiguration) ProtoMessage() {}
-func (*OpaqueDeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{30}
-}
-func (m *OpaqueDeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OpaqueDeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OpaqueDeviceConfiguration.Merge(m, src)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *OpaqueDeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_OpaqueDeviceConfiguration.DiscardUnknown(m)
-}
+func (m *DeviceClassList) Reset() { *m = DeviceClassList{} }
 
-var xxx_messageInfo_OpaqueDeviceConfiguration proto.InternalMessageInfo
+func (m *DeviceClassSpec) Reset() { *m = DeviceClassSpec{} }
 
-func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
-func (*ResourceClaim) ProtoMessage() {}
-func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{31}
-}
-func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaim.Merge(m, src)
-}
-func (m *ResourceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaim.DiscardUnknown(m)
-}
+func (m *DeviceConfiguration) Reset() { *m = DeviceConfiguration{} }
 
-var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
+func (m *DeviceConstraint) Reset() { *m = DeviceConstraint{} }
 
-func (m *ResourceClaimConsumerReference) Reset()      { *m = ResourceClaimConsumerReference{} }
-func (*ResourceClaimConsumerReference) ProtoMessage() {}
-func (*ResourceClaimConsumerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{32}
-}
-func (m *ResourceClaimConsumerReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimConsumerReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimConsumerReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimConsumerReference.Merge(m, src)
-}
-func (m *ResourceClaimConsumerReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimConsumerReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimConsumerReference.DiscardUnknown(m)
-}
+func (m *DeviceCounterConsumption) Reset() { *m = DeviceCounterConsumption{} }
 
-var xxx_messageInfo_ResourceClaimConsumerReference proto.InternalMessageInfo
+func (m *DeviceRequest) Reset() { *m = DeviceRequest{} }
 
-func (m *ResourceClaimList) Reset()      { *m = ResourceClaimList{} }
-func (*ResourceClaimList) ProtoMessage() {}
-func (*ResourceClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{33}
-}
-func (m *ResourceClaimList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimList.Merge(m, src)
-}
-func (m *ResourceClaimList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimList.DiscardUnknown(m)
-}
+func (m *DeviceRequestAllocationResult) Reset() { *m = DeviceRequestAllocationResult{} }
 
-var xxx_messageInfo_ResourceClaimList proto.InternalMessageInfo
+func (m *DeviceSelector) Reset() { *m = DeviceSelector{} }
 
-func (m *ResourceClaimSpec) Reset()      { *m = ResourceClaimSpec{} }
-func (*ResourceClaimSpec) ProtoMessage() {}
-func (*ResourceClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{34}
-}
-func (m *ResourceClaimSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimSpec.Merge(m, src)
-}
-func (m *ResourceClaimSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimSpec.DiscardUnknown(m)
-}
+func (m *DeviceSubRequest) Reset() { *m = DeviceSubRequest{} }
 
-var xxx_messageInfo_ResourceClaimSpec proto.InternalMessageInfo
+func (m *DeviceTaint) Reset() { *m = DeviceTaint{} }
 
-func (m *ResourceClaimStatus) Reset()      { *m = ResourceClaimStatus{} }
-func (*ResourceClaimStatus) ProtoMessage() {}
-func (*ResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{35}
-}
-func (m *ResourceClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimStatus.Merge(m, src)
-}
-func (m *ResourceClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimStatus.DiscardUnknown(m)
-}
+func (m *DeviceToleration) Reset() { *m = DeviceToleration{} }
 
-var xxx_messageInfo_ResourceClaimStatus proto.InternalMessageInfo
+func (m *NetworkDeviceData) Reset() { *m = NetworkDeviceData{} }
 
-func (m *ResourceClaimTemplate) Reset()      { *m = ResourceClaimTemplate{} }
-func (*ResourceClaimTemplate) ProtoMessage() {}
-func (*ResourceClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{36}
-}
-func (m *ResourceClaimTemplate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplate.Merge(m, src)
-}
-func (m *ResourceClaimTemplate) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplate) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplate.DiscardUnknown(m)
-}
+func (m *OpaqueDeviceConfiguration) Reset() { *m = OpaqueDeviceConfiguration{} }
 
-var xxx_messageInfo_ResourceClaimTemplate proto.InternalMessageInfo
+func (m *ResourceClaim) Reset() { *m = ResourceClaim{} }
 
-func (m *ResourceClaimTemplateList) Reset()      { *m = ResourceClaimTemplateList{} }
-func (*ResourceClaimTemplateList) ProtoMessage() {}
-func (*ResourceClaimTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{37}
-}
-func (m *ResourceClaimTemplateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateList.Merge(m, src)
-}
-func (m *ResourceClaimTemplateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateList.DiscardUnknown(m)
-}
+func (m *ResourceClaimConsumerReference) Reset() { *m = ResourceClaimConsumerReference{} }
 
-var xxx_messageInfo_ResourceClaimTemplateList proto.InternalMessageInfo
+func (m *ResourceClaimList) Reset() { *m = ResourceClaimList{} }
 
-func (m *ResourceClaimTemplateSpec) Reset()      { *m = ResourceClaimTemplateSpec{} }
-func (*ResourceClaimTemplateSpec) ProtoMessage() {}
-func (*ResourceClaimTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{38}
-}
-func (m *ResourceClaimTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateSpec.Merge(m, src)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateSpec.DiscardUnknown(m)
-}
+func (m *ResourceClaimSpec) Reset() { *m = ResourceClaimSpec{} }
 
-var xxx_messageInfo_ResourceClaimTemplateSpec proto.InternalMessageInfo
+func (m *ResourceClaimStatus) Reset() { *m = ResourceClaimStatus{} }
 
-func (m *ResourcePool) Reset()      { *m = ResourcePool{} }
-func (*ResourcePool) ProtoMessage() {}
-func (*ResourcePool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{39}
-}
-func (m *ResourcePool) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePool) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePool) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePool.Merge(m, src)
-}
-func (m *ResourcePool) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePool) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePool.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplate) Reset() { *m = ResourceClaimTemplate{} }
 
-var xxx_messageInfo_ResourcePool proto.InternalMessageInfo
+func (m *ResourceClaimTemplateList) Reset() { *m = ResourceClaimTemplateList{} }
 
-func (m *ResourceSlice) Reset()      { *m = ResourceSlice{} }
-func (*ResourceSlice) ProtoMessage() {}
-func (*ResourceSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{40}
-}
-func (m *ResourceSlice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSlice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSlice.Merge(m, src)
-}
-func (m *ResourceSlice) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSlice) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSlice.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplateSpec) Reset() { *m = ResourceClaimTemplateSpec{} }
 
-var xxx_messageInfo_ResourceSlice proto.InternalMessageInfo
+func (m *ResourcePool) Reset() { *m = ResourcePool{} }
 
-func (m *ResourceSliceList) Reset()      { *m = ResourceSliceList{} }
-func (*ResourceSliceList) ProtoMessage() {}
-func (*ResourceSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{41}
-}
-func (m *ResourceSliceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceList.Merge(m, src)
-}
-func (m *ResourceSliceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceList.DiscardUnknown(m)
-}
+func (m *ResourceSlice) Reset() { *m = ResourceSlice{} }
 
-var xxx_messageInfo_ResourceSliceList proto.InternalMessageInfo
+func (m *ResourceSliceList) Reset() { *m = ResourceSliceList{} }
 
-func (m *ResourceSliceSpec) Reset()      { *m = ResourceSliceSpec{} }
-func (*ResourceSliceSpec) ProtoMessage() {}
-func (*ResourceSliceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{42}
-}
-func (m *ResourceSliceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceSpec.Merge(m, src)
-}
-func (m *ResourceSliceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceSliceSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AllocatedDeviceStatus)(nil), "k8s.io.api.resource.v1beta1.AllocatedDeviceStatus")
-	proto.RegisterType((*AllocationResult)(nil), "k8s.io.api.resource.v1beta1.AllocationResult")
-	proto.RegisterType((*BasicDevice)(nil), "k8s.io.api.resource.v1beta1.BasicDevice")
-	proto.RegisterMapType((map[QualifiedName]DeviceAttribute)(nil), "k8s.io.api.resource.v1beta1.BasicDevice.AttributesEntry")
-	proto.RegisterMapType((map[QualifiedName]DeviceCapacity)(nil), "k8s.io.api.resource.v1beta1.BasicDevice.CapacityEntry")
-	proto.RegisterType((*CELDeviceSelector)(nil), "k8s.io.api.resource.v1beta1.CELDeviceSelector")
-	proto.RegisterType((*CapacityRequestPolicy)(nil), "k8s.io.api.resource.v1beta1.CapacityRequestPolicy")
-	proto.RegisterType((*CapacityRequestPolicyRange)(nil), "k8s.io.api.resource.v1beta1.CapacityRequestPolicyRange")
-	proto.RegisterType((*CapacityRequirements)(nil), "k8s.io.api.resource.v1beta1.CapacityRequirements")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1beta1.CapacityRequirements.RequestsEntry")
-	proto.RegisterType((*Counter)(nil), "k8s.io.api.resource.v1beta1.Counter")
-	proto.RegisterType((*CounterSet)(nil), "k8s.io.api.resource.v1beta1.CounterSet")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1beta1.CounterSet.CountersEntry")
-	proto.RegisterType((*Device)(nil), "k8s.io.api.resource.v1beta1.Device")
-	proto.RegisterType((*DeviceAllocationConfiguration)(nil), "k8s.io.api.resource.v1beta1.DeviceAllocationConfiguration")
-	proto.RegisterType((*DeviceAllocationResult)(nil), "k8s.io.api.resource.v1beta1.DeviceAllocationResult")
-	proto.RegisterType((*DeviceAttribute)(nil), "k8s.io.api.resource.v1beta1.DeviceAttribute")
-	proto.RegisterType((*DeviceCapacity)(nil), "k8s.io.api.resource.v1beta1.DeviceCapacity")
-	proto.RegisterType((*DeviceClaim)(nil), "k8s.io.api.resource.v1beta1.DeviceClaim")
-	proto.RegisterType((*DeviceClaimConfiguration)(nil), "k8s.io.api.resource.v1beta1.DeviceClaimConfiguration")
-	proto.RegisterType((*DeviceClass)(nil), "k8s.io.api.resource.v1beta1.DeviceClass")
-	proto.RegisterType((*DeviceClassConfiguration)(nil), "k8s.io.api.resource.v1beta1.DeviceClassConfiguration")
-	proto.RegisterType((*DeviceClassList)(nil), "k8s.io.api.resource.v1beta1.DeviceClassList")
-	proto.RegisterType((*DeviceClassSpec)(nil), "k8s.io.api.resource.v1beta1.DeviceClassSpec")
-	proto.RegisterType((*DeviceConfiguration)(nil), "k8s.io.api.resource.v1beta1.DeviceConfiguration")
-	proto.RegisterType((*DeviceConstraint)(nil), "k8s.io.api.resource.v1beta1.DeviceConstraint")
-	proto.RegisterType((*DeviceCounterConsumption)(nil), "k8s.io.api.resource.v1beta1.DeviceCounterConsumption")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1beta1.DeviceCounterConsumption.CountersEntry")
-	proto.RegisterType((*DeviceRequest)(nil), "k8s.io.api.resource.v1beta1.DeviceRequest")
-	proto.RegisterType((*DeviceRequestAllocationResult)(nil), "k8s.io.api.resource.v1beta1.DeviceRequestAllocationResult")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1beta1.DeviceRequestAllocationResult.ConsumedCapacityEntry")
-	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1beta1.DeviceSelector")
-	proto.RegisterType((*DeviceSubRequest)(nil), "k8s.io.api.resource.v1beta1.DeviceSubRequest")
-	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1beta1.DeviceTaint")
-	proto.RegisterType((*DeviceToleration)(nil), "k8s.io.api.resource.v1beta1.DeviceToleration")
-	proto.RegisterType((*NetworkDeviceData)(nil), "k8s.io.api.resource.v1beta1.NetworkDeviceData")
-	proto.RegisterType((*OpaqueDeviceConfiguration)(nil), "k8s.io.api.resource.v1beta1.OpaqueDeviceConfiguration")
-	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.resource.v1beta1.ResourceClaim")
-	proto.RegisterType((*ResourceClaimConsumerReference)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimConsumerReference")
-	proto.RegisterType((*ResourceClaimList)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimList")
-	proto.RegisterType((*ResourceClaimSpec)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimSpec")
-	proto.RegisterType((*ResourceClaimStatus)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimStatus")
-	proto.RegisterType((*ResourceClaimTemplate)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimTemplate")
-	proto.RegisterType((*ResourceClaimTemplateList)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimTemplateList")
-	proto.RegisterType((*ResourceClaimTemplateSpec)(nil), "k8s.io.api.resource.v1beta1.ResourceClaimTemplateSpec")
-	proto.RegisterType((*ResourcePool)(nil), "k8s.io.api.resource.v1beta1.ResourcePool")
-	proto.RegisterType((*ResourceSlice)(nil), "k8s.io.api.resource.v1beta1.ResourceSlice")
-	proto.RegisterType((*ResourceSliceList)(nil), "k8s.io.api.resource.v1beta1.ResourceSliceList")
-	proto.RegisterType((*ResourceSliceSpec)(nil), "k8s.io.api.resource.v1beta1.ResourceSliceSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/resource/v1beta1/generated.proto", fileDescriptor_ba331e3ec6484c27)
-}
-
-var fileDescriptor_ba331e3ec6484c27 = []byte{
-	// 3039 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x5b, 0x4d, 0x6c, 0x24, 0x47,
-	0xf5, 0x77, 0xcf, 0x8c, 0x3d, 0xe3, 0x37, 0x6b, 0xaf, 0x5d, 0xfb, 0x91, 0x89, 0xf3, 0x8f, 0xc7,
-	0xe9, 0xfd, 0x43, 0x9c, 0xcd, 0x66, 0x9c, 0x1d, 0x20, 0x44, 0x9b, 0x03, 0xcc, 0xd8, 0xde, 0xc4,
-	0xc9, 0xae, 0xd7, 0xa9, 0x71, 0x36, 0x4b, 0xbe, 0x44, 0xbb, 0xbb, 0x6c, 0x37, 0xee, 0xe9, 0x9e,
-	0xed, 0xee, 0xf1, 0xae, 0x85, 0x80, 0x00, 0x57, 0x0e, 0x5c, 0x90, 0x90, 0x00, 0x09, 0x21, 0x04,
-	0x42, 0x42, 0x88, 0x03, 0xe7, 0x20, 0x40, 0x11, 0xe1, 0x44, 0x14, 0x2e, 0x39, 0xa0, 0x09, 0x99,
-	0x9c, 0x38, 0x72, 0xe1, 0xb0, 0x27, 0x54, 0xd5, 0x55, 0xdd, 0xd5, 0x3d, 0xd3, 0x93, 0x1e, 0x67,
-	0x77, 0x15, 0x24, 0x6e, 0x9e, 0x57, 0xef, 0xfd, 0xaa, 0xea, 0xd5, 0xfb, 0xaa, 0xd7, 0x65, 0x78,
-	0xfc, 0xe0, 0x69, 0xaf, 0x66, 0x3a, 0x2b, 0x5a, 0xc7, 0x5c, 0x71, 0x89, 0xe7, 0x74, 0x5d, 0x9d,
-	0xac, 0x1c, 0x5e, 0xdc, 0x21, 0xbe, 0x76, 0x71, 0x65, 0x8f, 0xd8, 0xc4, 0xd5, 0x7c, 0x62, 0xd4,
-	0x3a, 0xae, 0xe3, 0x3b, 0xe8, 0xa1, 0x80, 0xb9, 0xa6, 0x75, 0xcc, 0x9a, 0x60, 0xae, 0x71, 0xe6,
-	0x85, 0x27, 0xf6, 0x4c, 0x7f, 0xbf, 0xbb, 0x53, 0xd3, 0x9d, 0xf6, 0xca, 0x9e, 0xb3, 0xe7, 0xac,
-	0x30, 0x99, 0x9d, 0xee, 0x2e, 0xfb, 0xc5, 0x7e, 0xb0, 0xbf, 0x02, 0xac, 0x05, 0x55, 0x9a, 0x58,
-	0x77, 0x5c, 0x3a, 0x69, 0x72, 0xbe, 0x85, 0xcf, 0x47, 0x3c, 0x6d, 0x4d, 0xdf, 0x37, 0x6d, 0xe2,
-	0x1e, 0xad, 0x74, 0x0e, 0xf6, 0xe2, 0xab, 0x1d, 0x47, 0xca, 0x5b, 0x69, 0x13, 0x5f, 0x1b, 0x36,
-	0xd7, 0x4a, 0x9a, 0x94, 0xdb, 0xb5, 0x7d, 0xb3, 0x3d, 0x38, 0xcd, 0x53, 0x1f, 0x27, 0xe0, 0xe9,
-	0xfb, 0xa4, 0xad, 0x25, 0xe5, 0xd4, 0xb7, 0xf3, 0x70, 0xa6, 0x61, 0x59, 0x8e, 0x4e, 0x69, 0x6b,
-	0xe4, 0xd0, 0xd4, 0x49, 0xcb, 0xd7, 0xfc, 0xae, 0x87, 0x3e, 0x0b, 0x53, 0x86, 0x6b, 0x1e, 0x12,
-	0xb7, 0xa2, 0x2c, 0x29, 0xcb, 0xd3, 0xcd, 0xd9, 0x77, 0x7a, 0xd5, 0x89, 0x7e, 0xaf, 0x3a, 0xb5,
-	0xc6, 0xa8, 0x98, 0x8f, 0xa2, 0x25, 0x28, 0x74, 0x1c, 0xc7, 0xaa, 0xe4, 0x18, 0xd7, 0x09, 0xce,
-	0x55, 0xd8, 0x72, 0x1c, 0x0b, 0xb3, 0x11, 0x86, 0xc4, 0x90, 0x2b, 0xf9, 0x04, 0x12, 0xa3, 0x62,
-	0x3e, 0x8a, 0x3e, 0x03, 0x45, 0x6f, 0x5f, 0x73, 0xc9, 0xc6, 0x5a, 0xa5, 0xc8, 0x18, 0xcb, 0xfd,
-	0x5e, 0xb5, 0xd8, 0x0a, 0x48, 0x58, 0x8c, 0x21, 0x1d, 0x40, 0x77, 0x6c, 0xc3, 0xf4, 0x4d, 0xc7,
-	0xf6, 0x2a, 0x85, 0xa5, 0xfc, 0x72, 0xb9, 0xbe, 0x52, 0x8b, 0x8c, 0x21, 0xdc, 0x7f, 0xad, 0x73,
-	0xb0, 0x47, 0x09, 0x5e, 0x8d, 0xaa, 0xb9, 0x76, 0x78, 0xb1, 0xb6, 0x2a, 0xe4, 0x9a, 0x88, 0xaf,
-	0x01, 0x42, 0x92, 0x87, 0x25, 0x58, 0xf4, 0x02, 0x14, 0x0c, 0xcd, 0xd7, 0x2a, 0x93, 0x4b, 0xca,
-	0x72, 0xb9, 0xfe, 0x44, 0x2a, 0x3c, 0x57, 0x6f, 0x0d, 0x6b, 0xb7, 0xd6, 0x6f, 0xfb, 0xc4, 0xf6,
-	0x28, 0x78, 0x89, 0x2a, 0x60, 0x4d, 0xf3, 0x35, 0xcc, 0x40, 0x90, 0x06, 0x65, 0x9b, 0xf8, 0xb7,
-	0x1c, 0xf7, 0x80, 0x12, 0x2b, 0x53, 0x0c, 0xb3, 0x56, 0x1b, 0x61, 0xbf, 0xb5, 0x4d, 0xce, 0xcf,
-	0x34, 0x43, 0xa5, 0x9a, 0x27, 0xfb, 0xbd, 0x6a, 0x79, 0x33, 0x82, 0xc1, 0x32, 0xa6, 0xfa, 0x87,
-	0x1c, 0xcc, 0xf1, 0x73, 0x34, 0x1d, 0x1b, 0x13, 0xaf, 0x6b, 0xf9, 0xe8, 0x0d, 0x28, 0x06, 0xaa,
-	0xf5, 0xd8, 0x19, 0x96, 0xeb, 0x9f, 0x1b, 0x39, 0x67, 0x30, 0x59, 0x12, 0xa5, 0x79, 0x92, 0xab,
-	0xaa, 0x18, 0x8c, 0x7b, 0x58, 0x80, 0xa2, 0xeb, 0x70, 0xc2, 0x76, 0x0c, 0xd2, 0x22, 0x16, 0xd1,
-	0x7d, 0xc7, 0x65, 0xc7, 0x5b, 0xae, 0x2f, 0xc9, 0x93, 0x50, 0x67, 0xa2, 0x9a, 0xdf, 0x94, 0xf8,
-	0x9a, 0x73, 0xfd, 0x5e, 0xf5, 0x84, 0x4c, 0xc1, 0x31, 0x1c, 0xd4, 0x85, 0x53, 0x5a, 0xb8, 0x8a,
-	0x6d, 0xb3, 0x4d, 0x3c, 0x5f, 0x6b, 0x77, 0xf8, 0x59, 0x9c, 0xcf, 0x76, 0xd4, 0x54, 0xac, 0xf9,
-	0x40, 0xbf, 0x57, 0x3d, 0xd5, 0x18, 0x84, 0xc2, 0xc3, 0xf0, 0xd5, 0x6f, 0x4f, 0x43, 0xb9, 0xa9,
-	0x79, 0xa6, 0x1e, 0x6c, 0x14, 0x7d, 0x03, 0x40, 0xf3, 0x7d, 0xd7, 0xdc, 0xe9, 0xfa, 0x4c, 0x83,
-	0xd4, 0xd0, 0x9e, 0x1e, 0xa9, 0x41, 0x49, 0xba, 0xd6, 0x08, 0x45, 0xd7, 0x6d, 0xdf, 0x3d, 0x6a,
-	0x9e, 0x13, 0x16, 0x17, 0x0d, 0x7c, 0xe7, 0x83, 0xea, 0xcc, 0x8b, 0x5d, 0xcd, 0x32, 0x77, 0x4d,
-	0x62, 0x6c, 0x6a, 0x6d, 0x82, 0xa5, 0x09, 0x51, 0x17, 0x4a, 0xba, 0xd6, 0xd1, 0x74, 0xd3, 0x3f,
-	0xaa, 0xe4, 0xd8, 0xe4, 0x4f, 0x65, 0x9e, 0x7c, 0x95, 0x0b, 0x06, 0x53, 0x3f, 0xc2, 0xa7, 0x2e,
-	0x09, 0xf2, 0xe0, 0xc4, 0xe1, 0x54, 0xe8, 0xeb, 0x30, 0xa7, 0x3b, 0xb6, 0xd7, 0x6d, 0x13, 0x6f,
-	0xd5, 0xe9, 0xda, 0x3e, 0x71, 0xbd, 0x4a, 0x9e, 0x4d, 0xff, 0x85, 0x0c, 0xd6, 0xc3, 0x45, 0x56,
-	0x19, 0x42, 0x87, 0xb9, 0x5a, 0x85, 0xcf, 0x3e, 0xb7, 0x9a, 0x80, 0xc5, 0x03, 0x13, 0xa1, 0x65,
-	0x28, 0x51, 0x4b, 0xa0, 0x4b, 0xaa, 0x14, 0x82, 0x80, 0x42, 0xd7, 0xbd, 0xc9, 0x69, 0x38, 0x1c,
-	0x1d, 0xb0, 0xbd, 0xc9, 0xbb, 0x64, 0x7b, 0xcb, 0x50, 0xd2, 0x2c, 0x8b, 0x32, 0x78, 0xcc, 0x51,
-	0x4b, 0xc1, 0x0a, 0x1a, 0x9c, 0x86, 0xc3, 0x51, 0xb4, 0x05, 0x53, 0xbe, 0x66, 0xda, 0xbe, 0x57,
-	0x29, 0x32, 0xf5, 0x2c, 0x67, 0x50, 0xcf, 0x36, 0x15, 0x88, 0x02, 0x20, 0xfb, 0xe9, 0x61, 0x8e,
-	0x83, 0x2e, 0x42, 0x79, 0xc7, 0xb4, 0x0d, 0x6f, 0xdb, 0xa1, 0x33, 0x54, 0x4a, 0x6c, 0x7a, 0xe6,
-	0xf7, 0xcd, 0x88, 0x8c, 0x65, 0x1e, 0xb4, 0x0a, 0xf3, 0xf4, 0xa7, 0x69, 0xef, 0x45, 0x81, 0xac,
-	0x32, 0xbd, 0x94, 0x5f, 0x9e, 0x6e, 0x9e, 0xe9, 0xf7, 0xaa, 0xf3, 0xcd, 0xe4, 0x20, 0x1e, 0xe4,
-	0x47, 0x37, 0xa0, 0xc2, 0x89, 0x97, 0x35, 0xd3, 0xea, 0xba, 0x44, 0xc2, 0x02, 0x86, 0xf5, 0x7f,
-	0xfd, 0x5e, 0xb5, 0xd2, 0x4c, 0xe1, 0xc1, 0xa9, 0xd2, 0x14, 0x99, 0x7a, 0xda, 0xad, 0xab, 0x5d,
-	0xcb, 0x37, 0x3b, 0x96, 0x14, 0x5c, 0xbc, 0x4a, 0x99, 0x6d, 0x8f, 0x21, 0x37, 0x52, 0x78, 0x70,
-	0xaa, 0xf4, 0xc2, 0x01, 0x9c, 0x4c, 0x78, 0x18, 0x9a, 0x83, 0xfc, 0x01, 0x39, 0x0a, 0xd2, 0x15,
-	0xa6, 0x7f, 0xa2, 0x26, 0x4c, 0x1e, 0x6a, 0x56, 0x97, 0xb0, 0xe4, 0x54, 0xae, 0x5f, 0xc8, 0x12,
-	0xfe, 0x04, 0x28, 0x0e, 0x44, 0x2f, 0xe5, 0x9e, 0x56, 0x16, 0xf6, 0x61, 0x26, 0xe6, 0x51, 0x43,
-	0xa6, 0x6a, 0xc4, 0xa7, 0x7a, 0x3c, 0x8b, 0xaf, 0x70, 0x48, 0x69, 0x26, 0xf5, 0x59, 0x98, 0x5f,
-	0x5d, 0xbf, 0xc2, 0x13, 0xb1, 0xb0, 0xc9, 0x3a, 0x00, 0xb9, 0xdd, 0x71, 0x89, 0x47, 0xb3, 0x0b,
-	0x4f, 0xc7, 0x61, 0x02, 0x5b, 0x0f, 0x47, 0xb0, 0xc4, 0xa5, 0xbe, 0x95, 0x83, 0x33, 0xe1, 0x04,
-	0xe4, 0x66, 0x97, 0x78, 0xfe, 0x96, 0x63, 0x99, 0xfa, 0x11, 0x7a, 0x89, 0x66, 0x85, 0x5d, 0xad,
-	0x6b, 0xf9, 0x3c, 0x2b, 0xd4, 0x46, 0x45, 0xd4, 0x68, 0xf1, 0x2f, 0x76, 0x35, 0xdb, 0x37, 0xfd,
-	0xa3, 0x20, 0x2d, 0xaf, 0x05, 0x10, 0x58, 0x60, 0x21, 0x02, 0xe5, 0x43, 0xcd, 0x32, 0x8d, 0xeb,
-	0x74, 0x2f, 0x22, 0x64, 0x8c, 0x0b, 0x7d, 0x8a, 0xef, 0xaa, 0x7c, 0x3d, 0x82, 0xc2, 0x32, 0x2e,
-	0xda, 0x03, 0x60, 0x3f, 0xb1, 0x66, 0xef, 0x05, 0x31, 0xa2, 0x5c, 0xff, 0xe2, 0x48, 0x65, 0x0f,
-	0xd5, 0x02, 0x13, 0x6f, 0xce, 0x52, 0x05, 0x5e, 0x0f, 0xe1, 0xb0, 0x04, 0xad, 0xbe, 0x99, 0x83,
-	0x85, 0x74, 0x51, 0xb4, 0x01, 0xf9, 0xb6, 0x69, 0x1f, 0x53, 0x83, 0xc5, 0x7e, 0xaf, 0x9a, 0xbf,
-	0x6a, 0xda, 0x98, 0x62, 0x30, 0x28, 0xed, 0x36, 0x37, 0x9c, 0xe3, 0x41, 0x69, 0xb7, 0x31, 0xc5,
-	0x40, 0x57, 0xa0, 0xe0, 0xf9, 0xa4, 0xc3, 0x33, 0xf1, 0xb8, 0x58, 0xac, 0x6e, 0x69, 0xf9, 0xa4,
-	0x83, 0x19, 0x8a, 0xfa, 0xdd, 0x1c, 0x9c, 0x96, 0x55, 0x60, 0xba, 0xa4, 0x4d, 0x68, 0xa0, 0xfa,
-	0x26, 0x94, 0xdc, 0x40, 0x25, 0x22, 0x2f, 0x7e, 0x29, 0xf3, 0x11, 0x08, 0x90, 0x1a, 0x57, 0xaa,
-	0x97, 0xc8, 0x51, 0x82, 0x3c, 0x24, 0x47, 0x89, 0x39, 0x17, 0x0e, 0x60, 0x26, 0x26, 0x3d, 0xc4,
-	0x1f, 0xd7, 0xe2, 0xfe, 0x38, 0xa6, 0x2a, 0x64, 0x97, 0x7c, 0x03, 0x8a, 0x3c, 0x3f, 0xa1, 0x96,
-	0x00, 0x3d, 0xde, 0xb1, 0xcf, 0xf0, 0x3d, 0x4e, 0x32, 0x5b, 0xe6, 0x73, 0xa8, 0xff, 0x56, 0x00,
-	0xf8, 0x04, 0x2d, 0xe2, 0xd3, 0x7a, 0xda, 0xa6, 0xe9, 0x4f, 0x89, 0xd7, 0xd3, 0x4c, 0x03, 0x6c,
-	0x04, 0xe9, 0x50, 0xd2, 0x45, 0x66, 0xce, 0x65, 0xc8, 0xcc, 0x11, 0xb8, 0xf8, 0x93, 0xeb, 0x7c,
-	0x2e, 0xac, 0x0b, 0x44, 0x46, 0x0e, 0x81, 0x17, 0x34, 0x98, 0x89, 0x31, 0x0f, 0x51, 0xf1, 0xa5,
-	0xb8, 0x8a, 0xff, 0x3f, 0xcb, 0x22, 0x64, 0xc5, 0x76, 0x81, 0xdf, 0x00, 0x32, 0xec, 0x79, 0x03,
-	0x26, 0x77, 0x68, 0x7d, 0xc3, 0xe7, 0x5a, 0xce, 0x5a, 0x09, 0x35, 0xa7, 0xa9, 0xbe, 0x19, 0x01,
-	0x07, 0x08, 0xea, 0xf7, 0x72, 0xf0, 0x70, 0xb2, 0xd4, 0x5d, 0x75, 0xec, 0x5d, 0x73, 0xaf, 0xeb,
-	0xb2, 0x1f, 0xe8, 0xcb, 0x30, 0x15, 0x20, 0xf2, 0x05, 0x2d, 0x8b, 0x7c, 0xdd, 0x62, 0xd4, 0x3b,
-	0xbd, 0xea, 0xd9, 0xa4, 0x68, 0x30, 0x82, 0xb9, 0x1c, 0xad, 0x22, 0x42, 0x07, 0xc9, 0xb1, 0x0c,
-	0x7a, 0x42, 0xb6, 0xed, 0xc8, 0x94, 0xd1, 0xb7, 0xe0, 0x94, 0xc1, 0x2b, 0x27, 0x69, 0x09, 0xdc,
-	0x81, 0x9f, 0xcc, 0x54, 0x71, 0x49, 0x72, 0xcd, 0x87, 0xf8, 0x52, 0x4f, 0x0d, 0x19, 0xc4, 0xc3,
-	0x66, 0x52, 0x3f, 0x52, 0xe0, 0xec, 0xf0, 0xca, 0x1f, 0x11, 0x28, 0xba, 0xec, 0x2f, 0xe1, 0xe5,
-	0x97, 0x32, 0xac, 0x87, 0xef, 0x31, 0xfd, 0x1a, 0x11, 0xfc, 0xf6, 0xb0, 0xc0, 0x46, 0x3b, 0x30,
-	0xa5, 0xb3, 0x25, 0x71, 0x6b, 0xbe, 0x34, 0xd6, 0x2d, 0x25, 0xbe, 0xff, 0xb0, 0xb4, 0x0a, 0xc8,
-	0x98, 0x23, 0xab, 0xbf, 0x52, 0xe0, 0x64, 0x22, 0xc1, 0xa3, 0x45, 0xc8, 0x9b, 0xb6, 0xcf, 0x2c,
-	0x2a, 0x1f, 0x9c, 0xcf, 0x86, 0xed, 0x07, 0xae, 0x49, 0x07, 0xd0, 0x23, 0x50, 0xd8, 0xa1, 0x37,
-	0xdb, 0x3c, 0x2b, 0x54, 0x66, 0xfa, 0xbd, 0xea, 0x74, 0xd3, 0x71, 0xac, 0x80, 0x83, 0x0d, 0xa1,
-	0x47, 0x61, 0xca, 0xf3, 0x5d, 0xd3, 0xde, 0xe3, 0xd5, 0x2a, 0x2b, 0xd6, 0x5a, 0x8c, 0x12, 0xb0,
-	0xf1, 0x61, 0x74, 0x1e, 0x8a, 0x87, 0xc4, 0x65, 0xf9, 0x7b, 0x92, 0x71, 0xb2, 0x3a, 0xf4, 0x7a,
-	0x40, 0x0a, 0x58, 0x05, 0x83, 0xfa, 0x9e, 0x02, 0xb3, 0xf1, 0x0a, 0xe1, 0x9e, 0x04, 0x1e, 0x74,
-	0x00, 0x33, 0xae, 0x9c, 0xd8, 0xb8, 0x6f, 0xd5, 0xc7, 0xcf, 0xa6, 0xcd, 0xf9, 0x7e, 0xaf, 0x3a,
-	0x13, 0xcf, 0x92, 0x71, 0x6c, 0xf5, 0xd7, 0x39, 0x28, 0xf3, 0x4d, 0x59, 0x9a, 0xd9, 0x46, 0x37,
-	0x06, 0x52, 0xc8, 0xf9, 0xec, 0xc6, 0x15, 0x45, 0xae, 0x21, 0x1e, 0x65, 0x40, 0x99, 0xde, 0x2b,
-	0x7c, 0x37, 0x28, 0xce, 0x03, 0x9b, 0x7a, 0x22, 0x9b, 0x27, 0x71, 0xa9, 0xa8, 0x0e, 0x89, 0x68,
-	0x1e, 0x96, 0x61, 0xd1, 0xeb, 0xa1, 0xd1, 0x8e, 0x71, 0x39, 0xa2, 0x3b, 0xcf, 0x66, 0xaf, 0x6f,
-	0x2b, 0x50, 0x49, 0x13, 0x8a, 0x45, 0x17, 0xe5, 0x38, 0xd1, 0x25, 0x77, 0xdf, 0xa2, 0xcb, 0xef,
-	0x15, 0xe9, 0xd8, 0x3d, 0x0f, 0x7d, 0x15, 0x4a, 0xf4, 0x86, 0xce, 0x7a, 0x2b, 0xca, 0xc0, 0x2a,
-	0x46, 0xdc, 0xe7, 0xaf, 0xed, 0x7c, 0x8d, 0xe8, 0xfe, 0x55, 0xe2, 0x6b, 0x51, 0xe9, 0x1b, 0xd1,
-	0x70, 0x88, 0x8a, 0x36, 0xa1, 0xe0, 0x75, 0x88, 0x3e, 0x46, 0xc9, 0xcf, 0x56, 0xd6, 0xea, 0x10,
-	0x3d, 0xca, 0x3c, 0xf4, 0x17, 0x66, 0x38, 0xea, 0x8f, 0xe4, 0x93, 0xf0, 0xbc, 0xf8, 0x49, 0xa4,
-	0xe8, 0x57, 0xb9, 0x6f, 0xfa, 0x7d, 0x2b, 0x8c, 0x6b, 0x6c, 0x75, 0x57, 0x4c, 0xcf, 0x47, 0xaf,
-	0x0d, 0xe8, 0xb8, 0x96, 0x4d, 0xc7, 0x54, 0x9a, 0x69, 0x38, 0x74, 0x2f, 0x41, 0x91, 0xf4, 0x7b,
-	0x15, 0x26, 0x4d, 0x9f, 0xb4, 0x85, 0x63, 0x2d, 0x67, 0x55, 0x70, 0x14, 0x84, 0x36, 0xa8, 0x38,
-	0x0e, 0x50, 0xd4, 0x1f, 0xe7, 0x62, 0x1b, 0xa0, 0x8a, 0x47, 0xaf, 0xc1, 0xb4, 0xc7, 0xef, 0x3e,
-	0x22, 0x38, 0x64, 0xb9, 0x4f, 0x85, 0x77, 0xfc, 0x79, 0x3e, 0xd3, 0xb4, 0xa0, 0x78, 0x38, 0x02,
-	0x94, 0x3c, 0x37, 0x37, 0x8e, 0xe7, 0x26, 0x8e, 0x3e, 0xcd, 0x73, 0xd1, 0x15, 0x38, 0x4d, 0x6e,
-	0xfb, 0xc4, 0x36, 0x88, 0x81, 0x39, 0x98, 0xd4, 0xce, 0xa8, 0xf4, 0x7b, 0xd5, 0xd3, 0xeb, 0x43,
-	0xc6, 0xf1, 0x50, 0x29, 0xf5, 0x26, 0x0c, 0xb3, 0x05, 0xf4, 0x0a, 0x4c, 0x39, 0x1d, 0xed, 0x66,
-	0x98, 0x10, 0x46, 0x77, 0x86, 0xae, 0x31, 0xd6, 0x61, 0x06, 0x07, 0x74, 0x03, 0xc1, 0x30, 0xe6,
-	0x88, 0xea, 0x3f, 0x15, 0x98, 0x4b, 0x06, 0xc4, 0x31, 0x42, 0xce, 0x16, 0xcc, 0xb6, 0x35, 0x5f,
-	0xdf, 0x0f, 0xf3, 0x2c, 0xef, 0x0c, 0x2f, 0xf7, 0x7b, 0xd5, 0xd9, 0xab, 0xb1, 0x91, 0x3b, 0xbd,
-	0x2a, 0xba, 0xdc, 0xb5, 0xac, 0xa3, 0x78, 0x9d, 0x9f, 0x90, 0x47, 0x5f, 0x81, 0x79, 0xc3, 0xf4,
-	0x7c, 0xd3, 0xd6, 0xfd, 0x08, 0x34, 0x68, 0x25, 0x3f, 0xde, 0xef, 0x55, 0xe7, 0xd7, 0x92, 0x83,
-	0x29, 0xb8, 0x83, 0x28, 0xea, 0xcf, 0x73, 0xa1, 0x73, 0x0f, 0x34, 0xae, 0xe8, 0xb5, 0x5b, 0x0f,
-	0x4b, 0xe7, 0xe4, 0xb5, 0x3b, 0x2a, 0xaa, 0xb1, 0xc4, 0x85, 0x6e, 0x0e, 0xd4, 0xe6, 0xab, 0xc7,
-	0xea, 0x9a, 0x7d, 0xba, 0x2a, 0xf5, 0xdf, 0x4d, 0xc2, 0x4c, 0x2c, 0x01, 0x67, 0xa8, 0xd8, 0x1b,
-	0x70, 0xd2, 0x88, 0x7c, 0x87, 0xb9, 0x40, 0x60, 0x08, 0x0f, 0x70, 0x66, 0xd9, 0xed, 0x99, 0x5c,
-	0x92, 0x3f, 0x1e, 0x07, 0xf2, 0x77, 0x3b, 0x0e, 0x5c, 0x87, 0xd9, 0xa8, 0x0b, 0x7c, 0xd5, 0x31,
-	0x84, 0x8b, 0xd6, 0xb8, 0xd4, 0x6c, 0x23, 0x36, 0x7a, 0xa7, 0x57, 0x3d, 0x9d, 0xac, 0x3d, 0x29,
-	0x1d, 0x27, 0x50, 0xd0, 0x39, 0x98, 0x64, 0x67, 0xc3, 0x0a, 0xbd, 0x7c, 0x14, 0xf6, 0x98, 0x5e,
-	0x71, 0x30, 0x86, 0x2e, 0x42, 0x59, 0x33, 0xda, 0xa6, 0xdd, 0xd0, 0x75, 0xe2, 0x89, 0x4e, 0x23,
-	0xab, 0x1e, 0x1b, 0x11, 0x19, 0xcb, 0x3c, 0xa8, 0x0d, 0xb3, 0xbb, 0xa6, 0xeb, 0xf9, 0x8d, 0x43,
-	0xcd, 0xb4, 0xb4, 0x1d, 0x8b, 0xf0, 0xbe, 0x63, 0x96, 0xd2, 0xa6, 0xd5, 0xdd, 0x11, 0xa5, 0xd3,
-	0x59, 0xb1, 0xbd, 0xcb, 0x31, 0x30, 0x9c, 0x00, 0xa7, 0x65, 0x94, 0xef, 0x58, 0xc4, 0xe5, 0xdd,
-	0xba, 0x52, 0xe6, 0xb9, 0xb6, 0x43, 0xa9, 0xa8, 0x8c, 0x8a, 0x68, 0x1e, 0x96, 0x61, 0xd1, 0xab,
-	0x52, 0x93, 0x7b, 0x9a, 0x19, 0xe7, 0xc5, 0xb1, 0x3b, 0x09, 0x41, 0x28, 0x0a, 0x47, 0x42, 0x40,
-	0xf5, 0x83, 0x29, 0x71, 0xd3, 0x4b, 0xb9, 0x94, 0xa0, 0xc7, 0xe8, 0x0d, 0x87, 0x0d, 0x71, 0x4b,
-	0x96, 0x6e, 0x29, 0x8c, 0x8c, 0xc5, 0xb8, 0xf4, 0x3d, 0x2c, 0x97, 0xe9, 0x7b, 0x58, 0x3e, 0xc3,
-	0xf7, 0xb0, 0xc2, 0xc8, 0xef, 0x61, 0x09, 0x1b, 0x99, 0xcc, 0x60, 0x23, 0x89, 0x43, 0x9b, 0xba,
-	0x37, 0x87, 0x36, 0xb4, 0xe9, 0x5c, 0xbc, 0x8b, 0x4d, 0xe7, 0xd2, 0x27, 0x6a, 0x3a, 0x3f, 0x1f,
-	0x7d, 0x47, 0x9c, 0x66, 0x0a, 0x7e, 0x52, 0xfa, 0x8e, 0x78, 0xa7, 0x57, 0x7d, 0x24, 0xed, 0x5b,
-	0xa9, 0x7f, 0xd4, 0x21, 0x5e, 0xed, 0x25, 0xf9, 0x63, 0xe3, 0x2f, 0x95, 0xf0, 0x73, 0x88, 0x21,
-	0x2c, 0x8c, 0xf5, 0xc4, 0xcb, 0xf5, 0xad, 0xe3, 0x5f, 0x86, 0x6b, 0xab, 0x09, 0xc8, 0x20, 0xca,
-	0x3f, 0x96, 0xf8, 0x52, 0x62, 0xa4, 0x7f, 0xaf, 0x19, 0x58, 0xd4, 0x82, 0x07, 0x67, 0x86, 0xa2,
-	0xde, 0xd3, 0xde, 0xd8, 0xab, 0xe2, 0xa6, 0x1a, 0xf6, 0xaa, 0x37, 0x20, 0xaf, 0x13, 0x6b, 0x48,
-	0xdd, 0x39, 0xc4, 0x97, 0x93, 0x8d, 0xee, 0xa0, 0x99, 0xb9, 0xba, 0x7e, 0x05, 0x53, 0x0c, 0xf5,
-	0x07, 0x05, 0x51, 0x88, 0x44, 0xe1, 0xeb, 0x7f, 0x89, 0xe7, 0x13, 0x26, 0x9e, 0x44, 0x84, 0x28,
-	0xde, 0xfb, 0xb0, 0x5e, 0xba, 0xdb, 0x61, 0xfd, 0x5f, 0xe1, 0x9d, 0x92, 0x7d, 0x3f, 0x43, 0x0f,
-	0x4b, 0x06, 0xde, 0x2c, 0xf3, 0xb5, 0xe5, 0x5f, 0x20, 0x47, 0x81, 0xb5, 0x9f, 0x93, 0xad, 0x7d,
-	0x3a, 0xa5, 0x17, 0xf2, 0x0c, 0x4c, 0x91, 0xdd, 0x5d, 0xa2, 0xfb, 0x3c, 0x6e, 0x8b, 0xaf, 0xb5,
-	0x53, 0xeb, 0x8c, 0x7a, 0x87, 0x96, 0x99, 0xd1, 0x94, 0x01, 0x11, 0x73, 0x11, 0xf4, 0x32, 0x4c,
-	0xfb, 0x66, 0x9b, 0x34, 0x0c, 0x83, 0x18, 0xfc, 0x93, 0xc4, 0x38, 0x5f, 0xa9, 0x59, 0x67, 0x69,
-	0x5b, 0x00, 0xe0, 0x08, 0xeb, 0x52, 0xe9, 0x87, 0x3f, 0xad, 0x4e, 0xbc, 0xf9, 0xf7, 0xa5, 0x09,
-	0xf5, 0x67, 0x39, 0xe1, 0x0b, 0x91, 0xce, 0x3f, 0x6e, 0xe3, 0xcf, 0x41, 0xc9, 0xe9, 0x50, 0x5e,
-	0x47, 0xe4, 0xac, 0x0b, 0xa2, 0x8c, 0xbc, 0xc6, 0xe9, 0x77, 0x7a, 0xd5, 0x4a, 0x12, 0x56, 0x8c,
-	0xe1, 0x50, 0x3a, 0x52, 0x61, 0x3e, 0x93, 0x0a, 0x0b, 0xe3, 0xab, 0x70, 0x15, 0xe6, 0x23, 0xfb,
-	0x69, 0x11, 0xdd, 0xb1, 0x0d, 0x8f, 0xdb, 0x31, 0x4b, 0x29, 0xdb, 0xc9, 0x41, 0x3c, 0xc8, 0xaf,
-	0xfe, 0x46, 0x81, 0xf9, 0x81, 0x87, 0x13, 0xe8, 0x19, 0x98, 0x31, 0x69, 0x41, 0xbb, 0xab, 0xf1,
-	0x9b, 0x58, 0xa0, 0xaf, 0x33, 0x7c, 0x79, 0x33, 0x1b, 0xf2, 0x20, 0x8e, 0xf3, 0xa2, 0x07, 0x21,
-	0x6f, 0x76, 0x44, 0x0f, 0x97, 0x85, 0xa7, 0x8d, 0x2d, 0x0f, 0x53, 0x1a, 0x8d, 0x33, 0xfb, 0x9a,
-	0x6b, 0xdc, 0xd2, 0x5c, 0x7a, 0x5a, 0x2e, 0x4d, 0xd1, 0xf9, 0x78, 0x9c, 0x79, 0x2e, 0x3e, 0x8c,
-	0x93, 0xfc, 0xea, 0x2f, 0x14, 0x78, 0x30, 0xf5, 0x72, 0x96, 0xf9, 0x05, 0x8e, 0x06, 0xd0, 0xd1,
-	0x5c, 0xad, 0x4d, 0xf8, 0xad, 0xe3, 0x18, 0x2f, 0x56, 0xc2, 0x6b, 0xcd, 0x56, 0x08, 0x84, 0x25,
-	0x50, 0xf5, 0x27, 0x39, 0x98, 0x11, 0xf7, 0xd2, 0xa0, 0x7f, 0x77, 0xef, 0x1b, 0x39, 0x5b, 0xb1,
-	0x46, 0xce, 0xe8, 0x54, 0x12, 0x5b, 0x5b, 0x5a, 0x2b, 0x07, 0xdd, 0x80, 0x29, 0x8f, 0x3d, 0x6e,
-	0xca, 0xd4, 0x5e, 0x8f, 0x63, 0x32, 0xb9, 0xe8, 0x08, 0x82, 0xdf, 0x98, 0xe3, 0xa9, 0x7d, 0x05,
-	0x16, 0x63, 0xfc, 0x3c, 0x15, 0xbb, 0x98, 0xec, 0x12, 0x97, 0xd8, 0x3a, 0x41, 0x17, 0xa0, 0xa4,
-	0x75, 0xcc, 0x67, 0x5d, 0xa7, 0xdb, 0xe1, 0xe7, 0x19, 0x5e, 0xea, 0x1a, 0x5b, 0x1b, 0x8c, 0x8e,
-	0x43, 0x0e, 0xca, 0x2d, 0x16, 0xc4, 0xad, 0x4a, 0x6a, 0x79, 0x06, 0x74, 0x1c, 0x72, 0x84, 0x49,
-	0xb1, 0x90, 0x9a, 0x14, 0x9b, 0x90, 0xef, 0x9a, 0x06, 0xef, 0x3d, 0x3f, 0x29, 0x42, 0xc5, 0x4b,
-	0x59, 0xeb, 0x21, 0x2a, 0xac, 0xfe, 0x51, 0x81, 0xf9, 0xd8, 0x26, 0xef, 0x43, 0xb7, 0xe9, 0x5a,
-	0xbc, 0xdb, 0x74, 0x3e, 0xfb, 0x89, 0xa5, 0xf4, 0x9b, 0xf6, 0x13, 0x7b, 0x60, 0x0d, 0xa7, 0x56,
-	0xf2, 0xa1, 0xd4, 0x72, 0xd6, 0x6e, 0x6e, 0xfa, 0xeb, 0x28, 0xf5, 0xcf, 0x39, 0x38, 0x35, 0xc4,
-	0x86, 0xd0, 0xeb, 0x00, 0x51, 0xe2, 0xe6, 0xf3, 0x8d, 0x4e, 0xc0, 0x03, 0xdf, 0x52, 0xd8, 0x77,
-	0x6b, 0x89, 0x2a, 0x01, 0x22, 0x17, 0xca, 0x2e, 0xf1, 0x88, 0x7b, 0x48, 0x8c, 0xcb, 0x2c, 0xf0,
-	0x53, 0xbd, 0x3d, 0x93, 0x5d, 0x6f, 0x03, 0x96, 0x1b, 0xa5, 0x7b, 0x1c, 0xe1, 0x62, 0x79, 0x12,
-	0xf4, 0x7a, 0xa4, 0xbf, 0xe0, 0x3d, 0x5e, 0x3d, 0xcb, 0x7e, 0xe2, 0x0f, 0x0e, 0x47, 0x68, 0xf2,
-	0x6f, 0x0a, 0x9c, 0x89, 0xad, 0x71, 0x9b, 0xb4, 0x3b, 0x96, 0xe6, 0x93, 0xfb, 0x10, 0x85, 0x6e,
-	0xc4, 0xa2, 0xd0, 0x53, 0xd9, 0xf5, 0x28, 0xd6, 0x98, 0xda, 0x58, 0x7e, 0x4f, 0x81, 0x07, 0x87,
-	0x4a, 0xdc, 0x07, 0xb7, 0x7a, 0x39, 0xee, 0x56, 0xf5, 0xf1, 0xb7, 0x95, 0xe2, 0x5e, 0x7f, 0x4d,
-	0xdb, 0x14, 0xf3, 0xb3, 0xff, 0xc2, 0xa4, 0xa1, 0xfe, 0x56, 0x81, 0x13, 0x82, 0x93, 0x5e, 0xe2,
-	0x33, 0xdc, 0x40, 0xea, 0x00, 0xfc, 0x9d, 0xad, 0xf8, 0xd8, 0x92, 0x8f, 0x96, 0xfd, 0x6c, 0x38,
-	0x82, 0x25, 0x2e, 0xf4, 0x3c, 0x20, 0xb1, 0xc0, 0x96, 0x25, 0x5a, 0x82, 0x2c, 0xf4, 0xe7, 0x9b,
-	0x0b, 0x5c, 0x16, 0xe1, 0x01, 0x0e, 0x3c, 0x44, 0x4a, 0xfd, 0x93, 0x12, 0x65, 0x6b, 0x46, 0xfe,
-	0x94, 0x2a, 0x9e, 0xad, 0x2d, 0x55, 0xf1, 0x72, 0xba, 0x61, 0x9c, 0x9f, 0xd6, 0x74, 0xc3, 0x16,
-	0x97, 0xe2, 0x0f, 0x7f, 0x29, 0x24, 0x36, 0xc1, 0xfc, 0x20, 0x6b, 0x65, 0xf7, 0x82, 0xf4, 0xb6,
-	0xba, 0x5c, 0x7f, 0x2c, 0xd3, 0x6a, 0xa8, 0x8d, 0x0e, 0x6d, 0x3b, 0x5d, 0x90, 0xde, 0x56, 0x26,
-	0x4a, 0x8a, 0x0c, 0xef, 0x2b, 0x0b, 0x77, 0xe9, 0x7d, 0xe5, 0x05, 0xe9, 0x7d, 0x65, 0xd0, 0xd1,
-	0x8a, 0xca, 0xa0, 0xc1, 0x37, 0x96, 0x9b, 0x51, 0x62, 0x09, 0x7a, 0x59, 0xe7, 0x32, 0x24, 0xe6,
-	0x11, 0x2f, 0x96, 0x31, 0x9c, 0xed, 0x10, 0x37, 0x20, 0x47, 0x8b, 0xa4, 0x5e, 0x5a, 0x64, 0x6b,
-	0x59, 0xe8, 0xf7, 0xaa, 0x67, 0xb7, 0x86, 0x72, 0xe0, 0x14, 0x49, 0xb4, 0x07, 0xb3, 0xac, 0x5b,
-	0x64, 0x84, 0xcf, 0x65, 0x83, 0x5e, 0xe9, 0xa3, 0x19, 0x1f, 0xe5, 0x44, 0x1d, 0xd9, 0x56, 0x0c,
-	0x06, 0x27, 0x60, 0x9b, 0x8d, 0x77, 0x3e, 0x5c, 0x9c, 0x78, 0xf7, 0xc3, 0xc5, 0x89, 0xf7, 0x3f,
-	0x5c, 0x9c, 0x78, 0xb3, 0xbf, 0xa8, 0xbc, 0xd3, 0x5f, 0x54, 0xde, 0xed, 0x2f, 0x2a, 0xef, 0xf7,
-	0x17, 0x95, 0x7f, 0xf4, 0x17, 0x95, 0xef, 0x7f, 0xb4, 0x38, 0xf1, 0xca, 0x43, 0x23, 0xfe, 0x87,
-	0xe2, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xdf, 0x31, 0x43, 0xa8, 0x61, 0x31, 0x00, 0x00,
-}
+func (m *ResourceSliceSpec) Reset() { *m = ResourceSliceSpec{} }
 
 func (m *AllocatedDeviceStatus) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1764,7 +383,7 @@ func (m *BasicDevice) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[QualifiedName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -1793,7 +412,7 @@ func (m *BasicDevice) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Attributes {
 			keysForAttributes = append(keysForAttributes, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+		sort.Strings(keysForAttributes)
 		for iNdEx := len(keysForAttributes) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Attributes[QualifiedName(keysForAttributes[iNdEx])]
 			baseI := i
@@ -1993,7 +612,7 @@ func (m *CapacityRequirements) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Requests {
 			keysForRequests = append(keysForRequests, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		sort.Strings(keysForRequests)
 		for iNdEx := len(keysForRequests) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Requests[QualifiedName(keysForRequests[iNdEx])]
 			baseI := i
@@ -2078,7 +697,7 @@ func (m *CounterSet) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2739,7 +1358,7 @@ func (m *DeviceCounterConsumption) MarshalToSizedBuffer(dAtA []byte) (int, error
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2901,7 +1520,7 @@ func (m *DeviceRequestAllocationResult) MarshalToSizedBuffer(dAtA []byte) (int,
 		for k := range m.ConsumedCapacity {
 			keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+		sort.Strings(keysForConsumedCapacity)
 		for iNdEx := len(keysForConsumedCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.ConsumedCapacity[QualifiedName(keysForConsumedCapacity[iNdEx])]
 			baseI := i
@@ -4853,7 +3472,7 @@ func (this *BasicDevice) String() string {
 	for k := range this.Attributes {
 		keysForAttributes = append(keysForAttributes, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+	sort.Strings(keysForAttributes)
 	mapStringForAttributes := "map[QualifiedName]DeviceAttribute{"
 	for _, k := range keysForAttributes {
 		mapStringForAttributes += fmt.Sprintf("%v: %v,", k, this.Attributes[QualifiedName(k)])
@@ -4863,7 +3482,7 @@ func (this *BasicDevice) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "map[QualifiedName]DeviceCapacity{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[QualifiedName(k)])
@@ -4932,7 +3551,7 @@ func (this *CapacityRequirements) String() string {
 	for k := range this.Requests {
 		keysForRequests = append(keysForRequests, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	sort.Strings(keysForRequests)
 	mapStringForRequests := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForRequests {
 		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[QualifiedName(k)])
@@ -4962,7 +3581,7 @@ func (this *CounterSet) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -5170,7 +3789,7 @@ func (this *DeviceCounterConsumption) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -5229,7 +3848,7 @@ func (this *DeviceRequestAllocationResult) String() string {
 	for k := range this.ConsumedCapacity {
 		keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+	sort.Strings(keysForConsumedCapacity)
 	mapStringForConsumedCapacity := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForConsumedCapacity {
 		mapStringForConsumedCapacity += fmt.Sprintf("%v: %v,", k, this.ConsumedCapacity[QualifiedName(k)])
diff --git a/staging/src/k8s.io/api/resource/v1beta1/generated.proto b/staging/src/k8s.io/api/resource/v1beta1/generated.proto
index 6ce65b4d81278..fe2397a8795c8 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1beta1/generated.proto
@@ -41,7 +41,7 @@ message AllocatedDeviceStatus {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
   optional string driver = 1;
@@ -65,6 +65,8 @@ message AllocatedDeviceStatus {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 7;
 
   // Conditions contains the latest observation of the device's state.
@@ -88,6 +90,7 @@ message AllocatedDeviceStatus {
   // NetworkData contains network-related information specific to the device.
   //
   // +optional
+  // +k8s:optional
   optional NetworkDeviceData networkData = 6;
 }
 
@@ -139,14 +142,17 @@ message BasicDevice {
   //
   // There can only be a single entry per counterSet.
   //
-  // The total number of device counter consumption entries
-  // must be <= 32. In addition, the total number in the
-  // entire ResourceSlice must be <= 1024 (for example,
-  // 64 devices with 16 counters each).
+  // The maximum number of device counter consumptions per
+  // device is 2.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=counterSet
   // +featureGate=DRAPartitionableDevices
+  // +k8s:maxItems=2
   repeated DeviceCounterConsumption consumesCounters = 3;
 
   // NodeName identifies the node where the device is available.
@@ -182,7 +188,9 @@ message BasicDevice {
 
   // If specified, these are the driver-defined taints.
   //
-  // The maximum number of taints is 4.
+  // The maximum number of taints is 16. If taints are set for
+  // any device in a ResourceSlice, then the maximum number of
+  // allowed devices per ResourceSlice is 64 instead of 128.
   //
   // This is an alpha field and requires enabling the DRADeviceTaints
   // feature gate.
@@ -219,6 +227,8 @@ message BasicDevice {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 9;
 
   // BindingFailureConditions defines the conditions for binding failure.
@@ -235,6 +245,8 @@ message BasicDevice {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 10;
 
   // AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -425,7 +437,7 @@ message Counter {
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -436,6 +448,8 @@ message CounterSet {
   // It must be a DNS label.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string name = 1;
 
   // Counters defines the set of counters for this CounterSet
@@ -470,6 +484,7 @@ message DeviceAllocationConfiguration {
   // or from a claim.
   //
   // +required
+  // +k8s:required
   optional string source = 1;
 
   // Requests lists the names of requests where the configuration applies.
@@ -481,6 +496,10 @@ message DeviceAllocationConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 2;
 
   optional DeviceConfiguration deviceConfiguration = 3;
@@ -492,6 +511,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceRequestAllocationResult results = 1;
 
   // This field is a combination of all the claim and class configuration parameters.
@@ -504,6 +525,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=64
   repeated DeviceAllocationConfiguration config = 2;
 }
 
@@ -512,26 +535,30 @@ message DeviceAttribute {
   // IntValue is a number.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional int64 int = 2;
 
   // BoolValue is a true/false value.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional bool bool = 3;
 
   // StringValue is a string. Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string string = 4;
 
   // VersionValue is a semantic version according to semver.org spec 2.0.0.
   // Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string version = 5;
 }
 
@@ -568,6 +595,11 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=32
   repeated DeviceRequest requests = 1;
 
   // These constraints must be satisfied by the set of devices that get
@@ -575,6 +607,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceConstraint constraints = 2;
 
   // This field holds configuration for multiple potential drivers which
@@ -583,6 +617,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClaimConfiguration config = 3;
 }
 
@@ -597,6 +633,10 @@ message DeviceClaimConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   optional DeviceConfiguration deviceConfiguration = 2;
@@ -612,6 +652,8 @@ message DeviceClaimConfiguration {
 message DeviceClass {
   // Standard object metadata
   // +optional
+  // +k8s:subfield(name)=+k8s:optional
+  // +k8s:subfield(name)=+k8s:format=k8s-long-name
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // Spec defines what can be allocated and how to configure it.
@@ -647,6 +689,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 1;
 
   // Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -657,6 +701,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClassConfiguration config = 2;
 
   // ExtendedResourceName is the extended resource name for the devices of this class.
@@ -671,6 +717,8 @@ message DeviceClassSpec {
   // This is an alpha field.
   // +optional
   // +featureGate=DRAExtendedResource
+  // +k8s:optional
+  // +k8s:format=k8s-extended-resource-name
   optional string extendedResourceName = 4;
 }
 
@@ -682,6 +730,7 @@ message DeviceConfiguration {
   //
   // +optional
   // +oneOf=ConfigurationType
+  // +k8s:optional
   optional OpaqueDeviceConfiguration opaque = 1;
 }
 
@@ -699,6 +748,10 @@ message DeviceConstraint {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   // MatchAttribute requires that all devices in question have this
@@ -716,6 +769,8 @@ message DeviceConstraint {
   //
   // +optional
   // +oneOf=ConstraintType
+  // +k8s:optional
+  // +k8s:format=k8s-resource-fully-qualified-name
   optional string matchAttribute = 2;
 
   // DistinctAttribute requires that all devices in question have this
@@ -742,14 +797,13 @@ message DeviceCounterConsumption {
   // counters defined will be consumed.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string counterSet = 1;
 
   // Counters defines the counters that will be consumed by the device.
   //
-  // The maximum number counters in a device is 32.
-  // In addition, the maximum number of all counters
-  // in all devices is 1024 (for example, 64 devices with
-  // 16 counters each).
+  // The maximum number of counters is 32.
   //
   // +required
   map<string, Counter> counters = 2;
@@ -797,6 +851,8 @@ message DeviceRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 3;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -822,6 +878,7 @@ message DeviceRequest {
   // requests with unknown modes.
   //
   // +optional
+  // +k8s:optional
   optional string allocationMode = 4;
 
   // Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -871,6 +928,11 @@ message DeviceRequest {
   // +oneOf=deviceRequestType
   // +listType=atomic
   // +featureGate=DRAPrioritizedList
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=8
   repeated DeviceSubRequest firstAvailable = 7;
 
   // If specified, the request's tolerations.
@@ -935,9 +997,11 @@ message DeviceRequestAllocationResult {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:format=k8s-long-name-caseless
+  // +k8s:required
   optional string driver = 2;
 
   // This name together with the driver name and the device name field
@@ -947,6 +1011,8 @@ message DeviceRequestAllocationResult {
   // DNS sub-domains separated by slashes.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-resource-pool-name
   optional string pool = 3;
 
   // Device references one device instance via its name in the driver's
@@ -978,6 +1044,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceTaints
+  // +k8s:optional
+  // +k8s:maxItems=16
   repeated DeviceToleration tolerations = 6;
 
   // BindingConditions contains a copy of the BindingConditions
@@ -989,6 +1057,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 7;
 
   // BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -1000,6 +1070,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 8;
 
   // ShareID uniquely identifies an individual allocation share of the device,
@@ -1009,6 +1081,8 @@ message DeviceRequestAllocationResult {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 9;
 
   // ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -1066,6 +1140,8 @@ message DeviceSubRequest {
   // to reference.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name
   optional string deviceClassName = 2;
 
   // Selectors define criteria which must be satisfied by a specific
@@ -1075,6 +1151,7 @@ message DeviceSubRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 3;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -1166,10 +1243,13 @@ message DeviceTaint {
 
   // The effect of the taint on claims that do not tolerate the taint
   // and through such claims on the pods using them.
-  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-  // nodes is not valid here.
+  //
+  // Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here. More effects may get added in the future.
+  // Consumers must treat unknown effects like None.
   //
   // +required
+  // +k8s:required
   optional string effect = 3;
 
   // TimeAdded represents the time at which the taint was added.
@@ -1187,6 +1267,8 @@ message DeviceToleration {
   // Must be a label name.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:format=k8s-label-key
   optional string key = 1;
 
   // Operator represents a key's relationship to the value.
@@ -1233,6 +1315,8 @@ message NetworkDeviceData {
   // Must not be longer than 256 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=256
   optional string interfaceName = 1;
 
   // IPs lists the network addresses assigned to the device's network interface.
@@ -1245,6 +1329,10 @@ message NetworkDeviceData {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=16
   repeated string ips = 2;
 
   // HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1252,6 +1340,8 @@ message NetworkDeviceData {
   // Must not be longer than 128 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=128
   optional string hardwareAddress = 3;
 }
 
@@ -1265,9 +1355,11 @@ message OpaqueDeviceConfiguration {
   // to decide whether it needs to validate them.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name-caseless
   optional string driver = 1;
 
   // Parameters can contain arbitrary data. It is the responsibility of
@@ -1296,6 +1388,7 @@ message ResourceClaim {
 
   // Spec describes what is being requested and how to configure it.
   // The spec is immutable.
+  // +k8s:immutable
   optional ResourceClaimSpec spec = 2;
 
   // Status describes whether the claim is ready to use and what has been allocated.
@@ -1350,6 +1443,8 @@ message ResourceClaimStatus {
   // Allocation is set once the claim has been allocated successfully.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:update=NoModify
   optional AllocationResult allocation = 1;
 
   // ReservedFor indicates which entities are currently allowed to use
@@ -1377,6 +1472,10 @@ message ResourceClaimStatus {
   // +listMapKey=uid
   // +patchStrategy=merge
   // +patchMergeKey=uid
+  // +k8s:optional
+  // +k8s:listType=map
+  // +k8s:listMapKey=uid
+  // +k8s:maxItems=256
   repeated ResourceClaimConsumerReference reservedFor = 2;
 
   // Devices contains the status of each device allocated for this
@@ -1384,12 +1483,18 @@ message ResourceClaimStatus {
   // information. Entries are owned by their respective drivers.
   //
   // +optional
+  // +k8s:optional
   // +listType=map
   // +listMapKey=driver
   // +listMapKey=device
   // +listMapKey=pool
   // +listMapKey=shareID
   // +featureGate=DRAResourceClaimDeviceStatus
+  // +k8s:listType=map
+  // +k8s:listMapKey=driver
+  // +k8s:listMapKey=device
+  // +k8s:listMapKey=pool
+  // +k8s:listMapKey=shareID
   repeated AllocatedDeviceStatus devices = 4;
 }
 
@@ -1523,7 +1628,8 @@ message ResourceSliceSpec {
   // objects with a certain driver name.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver. This field is immutable.
+  // vendor of the driver. It should use only lower case characters.
+  // This field is immutable.
   //
   // +required
   optional string driver = 1;
@@ -1570,10 +1676,14 @@ message ResourceSliceSpec {
 
   // Devices lists some or all of the devices in this pool.
   //
-  // Must not have more than 128 entries.
+  // Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +zeroOrOneOf=ResourceSliceType
   repeated Device devices = 6;
 
   // PerDeviceNodeSelection defines whether the access from nodes to
@@ -1591,13 +1701,21 @@ message ResourceSliceSpec {
   // SharedCounters defines a list of counter sets, each of which
   // has a name and a list of counters available.
   //
-  // The names of the SharedCounters must be unique in the ResourceSlice.
+  // The names of the counter sets must be unique in the ResourcePool.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
-  // The maximum number of SharedCounters is 32.
+  // The maximum number of counter sets is 8.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
   // +featureGate=DRAPartitionableDevices
+  // +zeroOrOneOf=ResourceSliceType
+  // +k8s:maxItems=8
   repeated CounterSet sharedCounters = 8;
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/resource/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..e47160fb83872
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,108 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*AllocatedDeviceStatus) ProtoMessage() {}
+
+func (*AllocationResult) ProtoMessage() {}
+
+func (*BasicDevice) ProtoMessage() {}
+
+func (*CELDeviceSelector) ProtoMessage() {}
+
+func (*CapacityRequestPolicy) ProtoMessage() {}
+
+func (*CapacityRequestPolicyRange) ProtoMessage() {}
+
+func (*CapacityRequirements) ProtoMessage() {}
+
+func (*Counter) ProtoMessage() {}
+
+func (*CounterSet) ProtoMessage() {}
+
+func (*Device) ProtoMessage() {}
+
+func (*DeviceAllocationConfiguration) ProtoMessage() {}
+
+func (*DeviceAllocationResult) ProtoMessage() {}
+
+func (*DeviceAttribute) ProtoMessage() {}
+
+func (*DeviceCapacity) ProtoMessage() {}
+
+func (*DeviceClaim) ProtoMessage() {}
+
+func (*DeviceClaimConfiguration) ProtoMessage() {}
+
+func (*DeviceClass) ProtoMessage() {}
+
+func (*DeviceClassConfiguration) ProtoMessage() {}
+
+func (*DeviceClassList) ProtoMessage() {}
+
+func (*DeviceClassSpec) ProtoMessage() {}
+
+func (*DeviceConfiguration) ProtoMessage() {}
+
+func (*DeviceConstraint) ProtoMessage() {}
+
+func (*DeviceCounterConsumption) ProtoMessage() {}
+
+func (*DeviceRequest) ProtoMessage() {}
+
+func (*DeviceRequestAllocationResult) ProtoMessage() {}
+
+func (*DeviceSelector) ProtoMessage() {}
+
+func (*DeviceSubRequest) ProtoMessage() {}
+
+func (*DeviceTaint) ProtoMessage() {}
+
+func (*DeviceToleration) ProtoMessage() {}
+
+func (*NetworkDeviceData) ProtoMessage() {}
+
+func (*OpaqueDeviceConfiguration) ProtoMessage() {}
+
+func (*ResourceClaim) ProtoMessage() {}
+
+func (*ResourceClaimConsumerReference) ProtoMessage() {}
+
+func (*ResourceClaimList) ProtoMessage() {}
+
+func (*ResourceClaimSpec) ProtoMessage() {}
+
+func (*ResourceClaimStatus) ProtoMessage() {}
+
+func (*ResourceClaimTemplate) ProtoMessage() {}
+
+func (*ResourceClaimTemplateList) ProtoMessage() {}
+
+func (*ResourceClaimTemplateSpec) ProtoMessage() {}
+
+func (*ResourcePool) ProtoMessage() {}
+
+func (*ResourceSlice) ProtoMessage() {}
+
+func (*ResourceSliceList) ProtoMessage() {}
+
+func (*ResourceSliceSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/resource/v1beta1/types.go b/staging/src/k8s.io/api/resource/v1beta1/types.go
index 27967f38ec11a..c55e2e92c931a 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/types.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/types.go
@@ -101,7 +101,8 @@ type ResourceSliceSpec struct {
 	// objects with a certain driver name.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver. This field is immutable.
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
@@ -148,11 +149,15 @@ type ResourceSliceSpec struct {
 
 	// Devices lists some or all of the devices in this pool.
 	//
-	// Must not have more than 128 entries.
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
 	//
 	// +optional
 	// +listType=atomic
-	Devices []Device `json:"devices" protobuf:"bytes,6,name=devices"`
+	// +k8s:optional
+	// +zeroOrOneOf=ResourceSliceType
+	Devices []Device `json:"devices,omitempty" protobuf:"bytes,6,name=devices"`
 
 	// PerDeviceNodeSelection defines whether the access from nodes to
 	// resources in the pool is set on the ResourceSlice level or on each
@@ -169,19 +174,27 @@ type ResourceSliceSpec struct {
 	// SharedCounters defines a list of counter sets, each of which
 	// has a name and a list of counters available.
 	//
-	// The names of the SharedCounters must be unique in the ResourceSlice.
+	// The names of the counter sets must be unique in the ResourcePool.
 	//
-	// The maximum number of SharedCounters is 32.
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
 	// +featureGate=DRAPartitionableDevices
+	// +zeroOrOneOf=ResourceSliceType
+	// +k8s:maxItems=8
 	SharedCounters []CounterSet `json:"sharedCounters,omitempty" protobuf:"bytes,8,name=sharedCounters"`
 }
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -192,6 +205,8 @@ type CounterSet struct {
 	// It must be a DNS label.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	Name string `json:"name" protobuf:"bytes,1,name=name"`
 
 	// Counters defines the set of counters for this CounterSet
@@ -254,10 +269,28 @@ type ResourcePool struct {
 
 const ResourceSliceMaxSharedCapacity = 128
 const ResourceSliceMaxDevices = 128
+const ResourceSliceMaxDevicesWithTaintsOrConsumesCounters = 64
 const PoolNameMaxLength = validation.DNS1123SubdomainMaxLength // Same as for a single node name.
 const BindingConditionsMaxSize = 4
 const BindingFailureConditionsMaxSize = 4
 
+// Defines the maximum number of counter sets (through the
+// SharedCounters field) that can be defined in a ResourceSlice.
+const ResourceSliceMaxCounterSets = 8
+
+// Defines the maximum number of counters that can be defined
+// in a counter set.
+const ResourceSliceMaxCountersPerCounterSet = 32
+
+// Defines the maximum number of device counter consumptions
+// (through the ConsumesCounters field) that can be defined per
+// device.
+const ResourceSliceMaxDeviceCounterConsumptionsPerDevice = 2
+
+// Defines the maximum number of counters that can be defined
+// per device counter consumption.
+const ResourceSliceMaxCountersPerDeviceCounterConsumption = 32
+
 // Device represents one individual hardware instance that can be selected based
 // on its attributes. Besides the name, exactly one field must be set.
 type Device struct {
@@ -298,14 +331,17 @@ type BasicDevice struct {
 	//
 	// There can only be a single entry per counterSet.
 	//
-	// The total number of device counter consumption entries
-	// must be <= 32. In addition, the total number in the
-	// entire ResourceSlice must be <= 1024 (for example,
-	// 64 devices with 16 counters each).
+	// The maximum number of device counter consumptions per
+	// device is 2.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=counterSet
 	// +featureGate=DRAPartitionableDevices
+	// +k8s:maxItems=2
 	ConsumesCounters []DeviceCounterConsumption `json:"consumesCounters,omitempty" protobuf:"bytes,3,rep,name=consumesCounters"`
 
 	// NodeName identifies the node where the device is available.
@@ -341,7 +377,9 @@ type BasicDevice struct {
 
 	// If specified, these are the driver-defined taints.
 	//
-	// The maximum number of taints is 4.
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
 	//
 	// This is an alpha field and requires enabling the DRADeviceTaints
 	// feature gate.
@@ -378,6 +416,8 @@ type BasicDevice struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,9,rep,name=bindingConditions"`
 
 	// BindingFailureConditions defines the conditions for binding failure.
@@ -394,6 +434,8 @@ type BasicDevice struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,10,rep,name=bindingFailureConditions"`
 
 	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -413,14 +455,13 @@ type DeviceCounterConsumption struct {
 	// counters defined will be consumed.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	CounterSet string `json:"counterSet" protobuf:"bytes,1,opt,name=counterSet"`
 
 	// Counters defines the counters that will be consumed by the device.
 	//
-	// The maximum number counters in a device is 32.
-	// In addition, the maximum number of all counters
-	// in all devices is 1024 (for example, 64 devices with
-	// 16 counters each).
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter `json:"counters,omitempty" protobuf:"bytes,2,opt,name=counters"`
@@ -535,14 +576,6 @@ type CapacityRequestPolicyRange struct {
 // Limit for the sum of the number of entries in both attributes and capacity.
 const ResourceSliceMaxAttributesAndCapacitiesPerDevice = 32
 
-// Limit for the total number of counters in each device.
-const ResourceSliceMaxCountersPerDevice = 32
-
-// Limit for the total number of counters defined in devices in
-// a ResourceSlice. We want to allow up to 64 devices to specify
-// up to 16 counters, so the limit for the ResourceSlice will be 1024.
-const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
-
 // QualifiedName is the name of a device attribute or capacity.
 //
 // Attributes and capacities are defined either by the owner of the specific
@@ -562,6 +595,9 @@ const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
 type QualifiedName string
 
 // FullyQualifiedName is a QualifiedName where the domain is set.
+// Format validation cannot be added to this type because one of its usages,
+// DistinctAttribute, is validated conditionally. This conditional validation
+// cannot be expressed declaratively.
 type FullyQualifiedName string
 
 // DeviceMaxDomainLength is the maximum length of the domain prefix in a fully-qualified name.
@@ -579,34 +615,38 @@ type DeviceAttribute struct {
 	// IntValue is a number.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	IntValue *int64 `json:"int,omitempty" protobuf:"varint,2,opt,name=int"`
 
 	// BoolValue is a true/false value.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	BoolValue *bool `json:"bool,omitempty" protobuf:"varint,3,opt,name=bool"`
 
 	// StringValue is a string. Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	StringValue *string `json:"string,omitempty" protobuf:"bytes,4,opt,name=string"`
 
 	// VersionValue is a semantic version according to semver.org spec 2.0.0.
 	// Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	VersionValue *string `json:"version,omitempty" protobuf:"bytes,5,opt,name=version"`
 }
 
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
-// DeviceTaintsMaxLength is the maximum number of taints per device.
-const DeviceTaintsMaxLength = 4
+// DeviceTaintsMaxLength is the maximum number of taints per Device.
+const DeviceTaintsMaxLength = 16
 
 // The device this taint is attached to has the "effect" on
 // any claim which does not tolerate the taint and, through the claim,
@@ -628,16 +668,27 @@ type DeviceTaint struct {
 
 	// The effect of the taint on claims that do not tolerate the taint
 	// and through such claims on the pods using them.
-	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-	// nodes is not valid here.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
 	//
 	// +required
+	// +k8s:required
 	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
 
 	// ^^^^
 	//
 	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
 	// It might get added as part of that.
+	//
+	// A possible future new effect is NoExecuteWithPodDisruptionBudget:
+	// honor the pod disruption budget instead of simply deleting pods.
+	// This is currently undecided, it could also be a separate field.
+	//
+	// Validation must be prepared to allow unknown enums in stored objects,
+	// which will enable adding new enums within a single release without
+	// ratcheting.
 
 	// TimeAdded represents the time at which the taint was added.
 	// Added automatically during create or update if not set.
@@ -653,9 +704,13 @@ type DeviceTaint struct {
 }
 
 // +enum
+// +k8s:enum
 type DeviceTaintEffect string
 
 const (
+	// No effect, the taint is purely informational.
+	DeviceTaintEffectNone DeviceTaintEffect = "None"
+
 	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
 	// but allow all pods submitted to Kubelet without going through the scheduler
 	// to start, and allow all already-running pods to continue running.
@@ -682,6 +737,7 @@ type ResourceSliceList struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.32
+// +k8s:supportsSubresource=/status
 
 // ResourceClaim describes a request for access to resources in the cluster,
 // for use by workloads. For example, if a workload needs an accelerator device
@@ -699,6 +755,7 @@ type ResourceClaim struct {
 
 	// Spec describes what is being requested and how to configure it.
 	// The spec is immutable.
+	// +k8s:immutable
 	Spec ResourceClaimSpec `json:"spec" protobuf:"bytes,2,name=spec"`
 
 	// Status describes whether the claim is ready to use and what has been allocated.
@@ -726,6 +783,11 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=32
 	Requests []DeviceRequest `json:"requests" protobuf:"bytes,1,name=requests"`
 
 	// These constraints must be satisfied by the set of devices that get
@@ -733,6 +795,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Constraints []DeviceConstraint `json:"constraints,omitempty" protobuf:"bytes,2,opt,name=constraints"`
 
 	// This field holds configuration for multiple potential drivers which
@@ -741,6 +805,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClaimConfiguration `json:"config,omitempty" protobuf:"bytes,3,opt,name=config"`
 
 	// Potential future extension, ignored by older schedulers. This is
@@ -807,6 +873,8 @@ type DeviceRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,3,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -832,6 +900,7 @@ type DeviceRequest struct {
 	// requests with unknown modes.
 	//
 	// +optional
+	// +k8s:optional
 	AllocationMode DeviceAllocationMode `json:"allocationMode,omitempty" protobuf:"bytes,4,opt,name=allocationMode"`
 
 	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -881,6 +950,11 @@ type DeviceRequest struct {
 	// +oneOf=deviceRequestType
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=8
 	FirstAvailable []DeviceSubRequest `json:"firstAvailable,omitempty" protobuf:"bytes,7,name=firstAvailable"`
 
 	// If specified, the request's tolerations.
@@ -959,6 +1033,8 @@ type DeviceSubRequest struct {
 	// to reference.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name
 	DeviceClassName string `json:"deviceClassName" protobuf:"bytes,2,name=deviceClassName"`
 
 	// Selectors define criteria which must be satisfied by a specific
@@ -968,6 +1044,7 @@ type DeviceSubRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,3,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -1074,6 +1151,8 @@ const (
 	DeviceTolerationsMaxLength         = 16
 )
 
+// +enum
+// +k8s:enum
 type DeviceAllocationMode string
 
 // Valid [DeviceRequest.CountMode] values.
@@ -1192,6 +1271,10 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	// MatchAttribute requires that all devices in question have this
@@ -1209,6 +1292,8 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +oneOf=ConstraintType
+	// +k8s:optional
+	// +k8s:format=k8s-resource-fully-qualified-name
 	MatchAttribute *FullyQualifiedName `json:"matchAttribute,omitempty" protobuf:"bytes,2,opt,name=matchAttribute"`
 
 	// Potential future extension, not part of the current design:
@@ -1249,6 +1334,10 @@ type DeviceClaimConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,2,name=deviceConfiguration"`
@@ -1262,6 +1351,7 @@ type DeviceConfiguration struct {
 	//
 	// +optional
 	// +oneOf=ConfigurationType
+	// +k8s:optional
 	Opaque *OpaqueDeviceConfiguration `json:"opaque,omitempty" protobuf:"bytes,1,opt,name=opaque"`
 }
 
@@ -1275,9 +1365,11 @@ type OpaqueDeviceConfiguration struct {
 	// to decide whether it needs to validate them.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name-caseless
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
 
 	// Parameters can contain arbitrary data. It is the responsibility of
@@ -1303,6 +1395,8 @@ type DeviceToleration struct {
 	// Must be a label name.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:format=k8s-label-key
 	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
 
 	// Operator represents a key's relationship to the value.
@@ -1341,6 +1435,7 @@ type DeviceToleration struct {
 // A toleration operator is the set of operators that can be used in a toleration.
 //
 // +enum
+// +k8s:enum
 type DeviceTolerationOperator string
 
 const (
@@ -1354,6 +1449,8 @@ type ResourceClaimStatus struct {
 	// Allocation is set once the claim has been allocated successfully.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:update=NoModify
 	Allocation *AllocationResult `json:"allocation,omitempty" protobuf:"bytes,1,opt,name=allocation"`
 
 	// ReservedFor indicates which entities are currently allowed to use
@@ -1381,6 +1478,10 @@ type ResourceClaimStatus struct {
 	// +listMapKey=uid
 	// +patchStrategy=merge
 	// +patchMergeKey=uid
+	// +k8s:optional
+	// +k8s:listType=map
+	// +k8s:listMapKey=uid
+	// +k8s:maxItems=256
 	ReservedFor []ResourceClaimConsumerReference `json:"reservedFor,omitempty" protobuf:"bytes,2,opt,name=reservedFor" patchStrategy:"merge" patchMergeKey:"uid"`
 
 	// DeallocationRequested is tombstoned since Kubernetes 1.32 where
@@ -1393,12 +1494,18 @@ type ResourceClaimStatus struct {
 	// information. Entries are owned by their respective drivers.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=map
 	// +listMapKey=driver
 	// +listMapKey=device
 	// +listMapKey=pool
 	// +listMapKey=shareID
 	// +featureGate=DRAResourceClaimDeviceStatus
+	// +k8s:listType=map
+	// +k8s:listMapKey=driver
+	// +k8s:listMapKey=device
+	// +k8s:listMapKey=pool
+	// +k8s:listMapKey=shareID
 	Devices []AllocatedDeviceStatus `json:"devices,omitempty" protobuf:"bytes,4,opt,name=devices"`
 }
 
@@ -1461,6 +1568,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Results []DeviceRequestAllocationResult `json:"results,omitempty" protobuf:"bytes,1,opt,name=results"`
 
 	// This field is a combination of all the claim and class configuration parameters.
@@ -1473,6 +1582,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=64
 	Config []DeviceAllocationConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 }
 
@@ -1498,9 +1609,11 @@ type DeviceRequestAllocationResult struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:format=k8s-long-name-caseless
+	// +k8s:required
 	Driver string `json:"driver" protobuf:"bytes,2,name=driver"`
 
 	// This name together with the driver name and the device name field
@@ -1510,6 +1623,8 @@ type DeviceRequestAllocationResult struct {
 	// DNS sub-domains separated by slashes.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-resource-pool-name
 	Pool string `json:"pool" protobuf:"bytes,3,name=pool"`
 
 	// Device references one device instance via its name in the driver's
@@ -1541,6 +1656,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceTaints
+	// +k8s:optional
+	// +k8s:maxItems=16
 	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,6,opt,name=tolerations"`
 
 	// BindingConditions contains a copy of the BindingConditions
@@ -1552,6 +1669,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,7,rep,name=bindingConditions"`
 
 	// BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -1563,6 +1682,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,8,rep,name=bindingFailureConditions"`
 
 	// ShareID uniquely identifies an individual allocation share of the device,
@@ -1572,6 +1693,8 @@ type DeviceRequestAllocationResult struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *types.UID `json:"shareID,omitempty" protobuf:"bytes,9,opt,name=shareID"`
 
 	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -1595,6 +1718,7 @@ type DeviceAllocationConfiguration struct {
 	// or from a claim.
 	//
 	// +required
+	// +k8s:required
 	Source AllocationConfigSource `json:"source" protobuf:"bytes,1,name=source"`
 
 	// Requests lists the names of requests where the configuration applies.
@@ -1606,17 +1730,23 @@ type DeviceAllocationConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,2,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,3,name=deviceConfiguration"`
 }
 
+// +enum
+// +k8s:enum
 type AllocationConfigSource string
 
 // Valid [DeviceAllocationConfiguration.Source] values.
 const (
-	AllocationConfigSourceClass = "FromClass"
-	AllocationConfigSourceClaim = "FromClaim"
+	AllocationConfigSourceClass AllocationConfigSource = "FromClass"
+	AllocationConfigSourceClaim AllocationConfigSource = "FromClaim"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -1649,6 +1779,8 @@ type DeviceClass struct {
 	metav1.TypeMeta `json:",inline"`
 	// Standard object metadata
 	// +optional
+	// +k8s:subfield(name)=+k8s:optional
+	// +k8s:subfield(name)=+k8s:format=k8s-long-name
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// Spec defines what can be allocated and how to configure it.
@@ -1669,6 +1801,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,1,opt,name=selectors"`
 
 	// Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -1679,6 +1813,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClassConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 
 	// SuitableNodes is tombstoned since Kubernetes 1.32 where
@@ -1698,6 +1834,8 @@ type DeviceClassSpec struct {
 	// This is an alpha field.
 	// +optional
 	// +featureGate=DRAExtendedResource
+	// +k8s:optional
+	// +k8s:format=k8s-extended-resource-name
 	ExtendedResourceName *string `json:"extendedResourceName,omitempty" protobuf:"bytes,4,opt,name=extendedResourceName"`
 }
 
@@ -1799,7 +1937,7 @@ type AllocatedDeviceStatus struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,rep,name=driver"`
@@ -1823,6 +1961,8 @@ type AllocatedDeviceStatus struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *string `json:"shareID,omitempty" protobuf:"bytes,7,opt,name=shareID"`
 
 	// Conditions contains the latest observation of the device's state.
@@ -1846,6 +1986,7 @@ type AllocatedDeviceStatus struct {
 	// NetworkData contains network-related information specific to the device.
 	//
 	// +optional
+	// +k8s:optional
 	NetworkData *NetworkDeviceData `json:"networkData,omitempty" protobuf:"bytes,6,opt,name=networkData"`
 }
 
@@ -1860,6 +2001,8 @@ type NetworkDeviceData struct {
 	// Must not be longer than 256 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=256
 	InterfaceName string `json:"interfaceName,omitempty" protobuf:"bytes,1,opt,name=interfaceName"`
 
 	// IPs lists the network addresses assigned to the device's network interface.
@@ -1872,6 +2015,10 @@ type NetworkDeviceData struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=16
 	IPs []string `json:"ips,omitempty" protobuf:"bytes,2,opt,name=ips"`
 
 	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1879,5 +2026,7 @@ type NetworkDeviceData struct {
 	// Must not be longer than 128 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=128
 	HardwareAddress string `json:"hardwareAddress,omitempty" protobuf:"bytes,3,opt,name=hardwareAddress"`
 }
diff --git a/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
index 473fbb9503132..070536e67f79d 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
@@ -29,7 +29,7 @@ package v1beta1
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
 var map_AllocatedDeviceStatus = map[string]string{
 	"":            "AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. This may include driver-specific information.\n\nThe combination of Driver, Pool, Device, and ShareID must match the corresponding key in Status.Allocation.Devices.",
-	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":        "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":      "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"shareID":     "ShareID uniquely identifies an individual allocation share of the device.",
@@ -57,11 +57,11 @@ var map_BasicDevice = map[string]string{
 	"":                         "BasicDevice defines one device instance.",
 	"attributes":               "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
 	"capacity":                 "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
-	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 	"nodeName":                 "NodeName identifies the node where the device is available.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"nodeSelector":             "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"allNodes":                 "AllNodes indicates that all nodes have access to the device.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 	"bindsToNode":              "BindsToNode indicates if the usage of an allocation involving this device has to be limited to exactly the node that was chosen when allocating the claim. If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector to match the node where the allocation was made.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingConditions":        "BindingConditions defines the conditions for proceeding with binding. All of these conditions must be set in the per-device status conditions with a value of True to proceed with binding the pod to the node while scheduling the pod.\n\nThe maximum number of binding conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingFailureConditions": "BindingFailureConditions defines the conditions for binding failure. They may be set in the per-device status conditions. If any is true, a binding failure occurred.\n\nThe maximum number of binding failure conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
@@ -122,7 +122,7 @@ func (Counter) SwaggerDoc() map[string]string {
 }
 
 var map_CounterSet = map[string]string{
-	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 	"name":     "Name defines the name of the counter set. It must be a DNS label.",
 	"counters": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
 }
@@ -265,7 +265,7 @@ func (DeviceConstraint) SwaggerDoc() map[string]string {
 var map_DeviceCounterConsumption = map[string]string{
 	"":           "DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.",
 	"counterSet": "CounterSet is the name of the set from which the counters defined will be consumed.",
-	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 }
 
 func (DeviceCounterConsumption) SwaggerDoc() map[string]string {
@@ -292,7 +292,7 @@ func (DeviceRequest) SwaggerDoc() map[string]string {
 var map_DeviceRequestAllocationResult = map[string]string{
 	"":                         "DeviceRequestAllocationResult contains the allocation result for one request.",
 	"request":                  "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
-	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":                     "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":                   "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"adminAccess":              "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
@@ -335,7 +335,7 @@ var map_DeviceTaint = map[string]string{
 	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
 	"key":       "The taint key to be applied to a device. Must be a label name.",
 	"value":     "The taint value corresponding to the taint key. Must be a label value.",
-	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
 	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
 }
 
@@ -369,7 +369,7 @@ func (NetworkDeviceData) SwaggerDoc() map[string]string {
 
 var map_OpaqueDeviceConfiguration = map[string]string{
 	"":           "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
-	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"parameters": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
 }
 
@@ -493,14 +493,14 @@ func (ResourceSliceList) SwaggerDoc() map[string]string {
 
 var map_ResourceSliceSpec = map[string]string{
 	"":                       "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.",
-	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 	"pool":                   "Pool describes the pool that this ResourceSlice belongs to.",
 	"nodeName":               "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.",
 	"nodeSelector":           "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
 	"allNodes":               "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 	"perDeviceNodeSelection": "PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of SharedCounters is 32.",
+	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 }
 
 func (ResourceSliceSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/resource/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/resource/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..0d4983d34e016
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,237 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocatedDeviceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.AllocatedDeviceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.AllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in BasicDevice) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.BasicDevice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CELDeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.CELDeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.CapacityRequestPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicyRange) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.CapacityRequestPolicyRange"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequirements) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.CapacityRequirements"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Counter) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.Counter"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CounterSet) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.CounterSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Device) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.Device"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAttribute) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceAttribute"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaimConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClaimConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClass) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClassConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConstraint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceConstraint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCounterConsumption) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceCounterConsumption"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequestAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSubRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceSubRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceTaint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceToleration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.DeviceToleration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkDeviceData) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.NetworkDeviceData"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in OpaqueDeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimConsumerReference) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplate) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimTemplate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimTemplateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePool) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourcePool"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSlice) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceSlice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceSliceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta1.ResourceSliceSpec"
+}
diff --git a/staging/src/k8s.io/api/resource/v1beta2/doc.go b/staging/src/k8s.io/api/resource/v1beta2/doc.go
index 365113ae4e174..4570270a27b12 100644
--- a/staging/src/k8s.io/api/resource/v1beta2/doc.go
+++ b/staging/src/k8s.io/api/resource/v1beta2/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.resource.v1beta2
+
 // +groupName=resource.k8s.io
 
 // Package v1beta2 is the v1beta2 version of the resource API.
diff --git a/staging/src/k8s.io/api/resource/v1beta2/generated.pb.go b/staging/src/k8s.io/api/resource/v1beta2/generated.pb.go
index f512f41d6d0d1..5a36e6d2b5dfc 100644
--- a/staging/src/k8s.io/api/resource/v1beta2/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1beta2/generated.pb.go
@@ -23,15 +23,13 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -39,1470 +37,91 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AllocatedDeviceStatus) Reset() { *m = AllocatedDeviceStatus{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AllocationResult) Reset() { *m = AllocationResult{} }
 
-func (m *AllocatedDeviceStatus) Reset()      { *m = AllocatedDeviceStatus{} }
-func (*AllocatedDeviceStatus) ProtoMessage() {}
-func (*AllocatedDeviceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{0}
-}
-func (m *AllocatedDeviceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocatedDeviceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocatedDeviceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocatedDeviceStatus.Merge(m, src)
-}
-func (m *AllocatedDeviceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocatedDeviceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocatedDeviceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocatedDeviceStatus proto.InternalMessageInfo
-
-func (m *AllocationResult) Reset()      { *m = AllocationResult{} }
-func (*AllocationResult) ProtoMessage() {}
-func (*AllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{1}
-}
-func (m *AllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocationResult.Merge(m, src)
-}
-func (m *AllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocationResult proto.InternalMessageInfo
-
-func (m *CELDeviceSelector) Reset()      { *m = CELDeviceSelector{} }
-func (*CELDeviceSelector) ProtoMessage() {}
-func (*CELDeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{2}
-}
-func (m *CELDeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CELDeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CELDeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CELDeviceSelector.Merge(m, src)
-}
-func (m *CELDeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *CELDeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_CELDeviceSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CELDeviceSelector proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicy) Reset()      { *m = CapacityRequestPolicy{} }
-func (*CapacityRequestPolicy) ProtoMessage() {}
-func (*CapacityRequestPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{3}
-}
-func (m *CapacityRequestPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicy.Merge(m, src)
-}
-func (m *CapacityRequestPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicy proto.InternalMessageInfo
-
-func (m *CapacityRequestPolicyRange) Reset()      { *m = CapacityRequestPolicyRange{} }
-func (*CapacityRequestPolicyRange) ProtoMessage() {}
-func (*CapacityRequestPolicyRange) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{4}
-}
-func (m *CapacityRequestPolicyRange) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequestPolicyRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequestPolicyRange) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequestPolicyRange.Merge(m, src)
-}
-func (m *CapacityRequestPolicyRange) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequestPolicyRange) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequestPolicyRange.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequestPolicyRange proto.InternalMessageInfo
-
-func (m *CapacityRequirements) Reset()      { *m = CapacityRequirements{} }
-func (*CapacityRequirements) ProtoMessage() {}
-func (*CapacityRequirements) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{5}
-}
-func (m *CapacityRequirements) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CapacityRequirements) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CapacityRequirements) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CapacityRequirements.Merge(m, src)
-}
-func (m *CapacityRequirements) XXX_Size() int {
-	return m.Size()
-}
-func (m *CapacityRequirements) XXX_DiscardUnknown() {
-	xxx_messageInfo_CapacityRequirements.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CapacityRequirements proto.InternalMessageInfo
-
-func (m *Counter) Reset()      { *m = Counter{} }
-func (*Counter) ProtoMessage() {}
-func (*Counter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{6}
-}
-func (m *Counter) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Counter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Counter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Counter.Merge(m, src)
-}
-func (m *Counter) XXX_Size() int {
-	return m.Size()
-}
-func (m *Counter) XXX_DiscardUnknown() {
-	xxx_messageInfo_Counter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Counter proto.InternalMessageInfo
-
-func (m *CounterSet) Reset()      { *m = CounterSet{} }
-func (*CounterSet) ProtoMessage() {}
-func (*CounterSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{7}
-}
-func (m *CounterSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CounterSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CounterSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CounterSet.Merge(m, src)
-}
-func (m *CounterSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *CounterSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_CounterSet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CounterSet proto.InternalMessageInfo
-
-func (m *Device) Reset()      { *m = Device{} }
-func (*Device) ProtoMessage() {}
-func (*Device) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{8}
-}
-func (m *Device) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Device) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Device) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Device.Merge(m, src)
-}
-func (m *Device) XXX_Size() int {
-	return m.Size()
-}
-func (m *Device) XXX_DiscardUnknown() {
-	xxx_messageInfo_Device.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Device proto.InternalMessageInfo
-
-func (m *DeviceAllocationConfiguration) Reset()      { *m = DeviceAllocationConfiguration{} }
-func (*DeviceAllocationConfiguration) ProtoMessage() {}
-func (*DeviceAllocationConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{9}
-}
-func (m *DeviceAllocationConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationConfiguration.Merge(m, src)
-}
-func (m *DeviceAllocationConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationConfiguration proto.InternalMessageInfo
-
-func (m *DeviceAllocationResult) Reset()      { *m = DeviceAllocationResult{} }
-func (*DeviceAllocationResult) ProtoMessage() {}
-func (*DeviceAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{10}
-}
-func (m *DeviceAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAllocationResult.Merge(m, src)
-}
-func (m *DeviceAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAllocationResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAllocationResult proto.InternalMessageInfo
-
-func (m *DeviceAttribute) Reset()      { *m = DeviceAttribute{} }
-func (*DeviceAttribute) ProtoMessage() {}
-func (*DeviceAttribute) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{11}
-}
-func (m *DeviceAttribute) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceAttribute) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceAttribute) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceAttribute.Merge(m, src)
-}
-func (m *DeviceAttribute) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceAttribute) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceAttribute.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceAttribute proto.InternalMessageInfo
-
-func (m *DeviceCapacity) Reset()      { *m = DeviceCapacity{} }
-func (*DeviceCapacity) ProtoMessage() {}
-func (*DeviceCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{12}
-}
-func (m *DeviceCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCapacity.Merge(m, src)
-}
-func (m *DeviceCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCapacity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceCapacity proto.InternalMessageInfo
-
-func (m *DeviceClaim) Reset()      { *m = DeviceClaim{} }
-func (*DeviceClaim) ProtoMessage() {}
-func (*DeviceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{13}
-}
-func (m *DeviceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaim.Merge(m, src)
-}
-func (m *DeviceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaim proto.InternalMessageInfo
-
-func (m *DeviceClaimConfiguration) Reset()      { *m = DeviceClaimConfiguration{} }
-func (*DeviceClaimConfiguration) ProtoMessage() {}
-func (*DeviceClaimConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{14}
-}
-func (m *DeviceClaimConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClaimConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClaimConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClaimConfiguration.Merge(m, src)
-}
-func (m *DeviceClaimConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClaimConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClaimConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClaimConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClass) Reset()      { *m = DeviceClass{} }
-func (*DeviceClass) ProtoMessage() {}
-func (*DeviceClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{15}
-}
-func (m *DeviceClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClass.Merge(m, src)
-}
-func (m *DeviceClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClass proto.InternalMessageInfo
-
-func (m *DeviceClassConfiguration) Reset()      { *m = DeviceClassConfiguration{} }
-func (*DeviceClassConfiguration) ProtoMessage() {}
-func (*DeviceClassConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{16}
-}
-func (m *DeviceClassConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassConfiguration.Merge(m, src)
-}
-func (m *DeviceClassConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassConfiguration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassConfiguration proto.InternalMessageInfo
-
-func (m *DeviceClassList) Reset()      { *m = DeviceClassList{} }
-func (*DeviceClassList) ProtoMessage() {}
-func (*DeviceClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{17}
-}
-func (m *DeviceClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassList.Merge(m, src)
-}
-func (m *DeviceClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassList proto.InternalMessageInfo
-
-func (m *DeviceClassSpec) Reset()      { *m = DeviceClassSpec{} }
-func (*DeviceClassSpec) ProtoMessage() {}
-func (*DeviceClassSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{18}
-}
-func (m *DeviceClassSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceClassSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceClassSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceClassSpec.Merge(m, src)
-}
-func (m *DeviceClassSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceClassSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceClassSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceClassSpec proto.InternalMessageInfo
-
-func (m *DeviceConfiguration) Reset()      { *m = DeviceConfiguration{} }
-func (*DeviceConfiguration) ProtoMessage() {}
-func (*DeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{19}
-}
-func (m *DeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConfiguration.Merge(m, src)
-}
-func (m *DeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConfiguration.DiscardUnknown(m)
-}
+func (m *CELDeviceSelector) Reset() { *m = CELDeviceSelector{} }
 
-var xxx_messageInfo_DeviceConfiguration proto.InternalMessageInfo
+func (m *CapacityRequestPolicy) Reset() { *m = CapacityRequestPolicy{} }
 
-func (m *DeviceConstraint) Reset()      { *m = DeviceConstraint{} }
-func (*DeviceConstraint) ProtoMessage() {}
-func (*DeviceConstraint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{20}
-}
-func (m *DeviceConstraint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceConstraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceConstraint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceConstraint.Merge(m, src)
-}
-func (m *DeviceConstraint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceConstraint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceConstraint.DiscardUnknown(m)
-}
+func (m *CapacityRequestPolicyRange) Reset() { *m = CapacityRequestPolicyRange{} }
 
-var xxx_messageInfo_DeviceConstraint proto.InternalMessageInfo
+func (m *CapacityRequirements) Reset() { *m = CapacityRequirements{} }
 
-func (m *DeviceCounterConsumption) Reset()      { *m = DeviceCounterConsumption{} }
-func (*DeviceCounterConsumption) ProtoMessage() {}
-func (*DeviceCounterConsumption) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{21}
-}
-func (m *DeviceCounterConsumption) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceCounterConsumption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceCounterConsumption) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceCounterConsumption.Merge(m, src)
-}
-func (m *DeviceCounterConsumption) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceCounterConsumption) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceCounterConsumption.DiscardUnknown(m)
-}
+func (m *Counter) Reset() { *m = Counter{} }
 
-var xxx_messageInfo_DeviceCounterConsumption proto.InternalMessageInfo
+func (m *CounterSet) Reset() { *m = CounterSet{} }
 
-func (m *DeviceRequest) Reset()      { *m = DeviceRequest{} }
-func (*DeviceRequest) ProtoMessage() {}
-func (*DeviceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{22}
-}
-func (m *DeviceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequest.Merge(m, src)
-}
-func (m *DeviceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequest.DiscardUnknown(m)
-}
+func (m *Device) Reset() { *m = Device{} }
 
-var xxx_messageInfo_DeviceRequest proto.InternalMessageInfo
+func (m *DeviceAllocationConfiguration) Reset() { *m = DeviceAllocationConfiguration{} }
 
-func (m *DeviceRequestAllocationResult) Reset()      { *m = DeviceRequestAllocationResult{} }
-func (*DeviceRequestAllocationResult) ProtoMessage() {}
-func (*DeviceRequestAllocationResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{23}
-}
-func (m *DeviceRequestAllocationResult) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceRequestAllocationResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceRequestAllocationResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceRequestAllocationResult.Merge(m, src)
-}
-func (m *DeviceRequestAllocationResult) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceRequestAllocationResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceRequestAllocationResult.DiscardUnknown(m)
-}
+func (m *DeviceAllocationResult) Reset() { *m = DeviceAllocationResult{} }
 
-var xxx_messageInfo_DeviceRequestAllocationResult proto.InternalMessageInfo
+func (m *DeviceAttribute) Reset() { *m = DeviceAttribute{} }
 
-func (m *DeviceSelector) Reset()      { *m = DeviceSelector{} }
-func (*DeviceSelector) ProtoMessage() {}
-func (*DeviceSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{24}
-}
-func (m *DeviceSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSelector.Merge(m, src)
-}
-func (m *DeviceSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSelector.DiscardUnknown(m)
-}
+func (m *DeviceCapacity) Reset() { *m = DeviceCapacity{} }
 
-var xxx_messageInfo_DeviceSelector proto.InternalMessageInfo
+func (m *DeviceClaim) Reset() { *m = DeviceClaim{} }
 
-func (m *DeviceSubRequest) Reset()      { *m = DeviceSubRequest{} }
-func (*DeviceSubRequest) ProtoMessage() {}
-func (*DeviceSubRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{25}
-}
-func (m *DeviceSubRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceSubRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceSubRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceSubRequest.Merge(m, src)
-}
-func (m *DeviceSubRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceSubRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceSubRequest.DiscardUnknown(m)
-}
+func (m *DeviceClaimConfiguration) Reset() { *m = DeviceClaimConfiguration{} }
 
-var xxx_messageInfo_DeviceSubRequest proto.InternalMessageInfo
+func (m *DeviceClass) Reset() { *m = DeviceClass{} }
 
-func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
-func (*DeviceTaint) ProtoMessage() {}
-func (*DeviceTaint) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{26}
-}
-func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceTaint) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceTaint.Merge(m, src)
-}
-func (m *DeviceTaint) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceTaint) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
-}
+func (m *DeviceClassConfiguration) Reset() { *m = DeviceClassConfiguration{} }
 
-var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
+func (m *DeviceClassList) Reset() { *m = DeviceClassList{} }
 
-func (m *DeviceToleration) Reset()      { *m = DeviceToleration{} }
-func (*DeviceToleration) ProtoMessage() {}
-func (*DeviceToleration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{27}
-}
-func (m *DeviceToleration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeviceToleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeviceToleration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeviceToleration.Merge(m, src)
-}
-func (m *DeviceToleration) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeviceToleration) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeviceToleration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeviceToleration proto.InternalMessageInfo
-
-func (m *ExactDeviceRequest) Reset()      { *m = ExactDeviceRequest{} }
-func (*ExactDeviceRequest) ProtoMessage() {}
-func (*ExactDeviceRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{28}
-}
-func (m *ExactDeviceRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExactDeviceRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExactDeviceRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExactDeviceRequest.Merge(m, src)
-}
-func (m *ExactDeviceRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExactDeviceRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExactDeviceRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExactDeviceRequest proto.InternalMessageInfo
-
-func (m *NetworkDeviceData) Reset()      { *m = NetworkDeviceData{} }
-func (*NetworkDeviceData) ProtoMessage() {}
-func (*NetworkDeviceData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{29}
-}
-func (m *NetworkDeviceData) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetworkDeviceData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetworkDeviceData) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetworkDeviceData.Merge(m, src)
-}
-func (m *NetworkDeviceData) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetworkDeviceData) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetworkDeviceData.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetworkDeviceData proto.InternalMessageInfo
-
-func (m *OpaqueDeviceConfiguration) Reset()      { *m = OpaqueDeviceConfiguration{} }
-func (*OpaqueDeviceConfiguration) ProtoMessage() {}
-func (*OpaqueDeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{30}
-}
-func (m *OpaqueDeviceConfiguration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OpaqueDeviceConfiguration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OpaqueDeviceConfiguration.Merge(m, src)
-}
-func (m *OpaqueDeviceConfiguration) XXX_Size() int {
-	return m.Size()
-}
-func (m *OpaqueDeviceConfiguration) XXX_DiscardUnknown() {
-	xxx_messageInfo_OpaqueDeviceConfiguration.DiscardUnknown(m)
-}
+func (m *DeviceClassSpec) Reset() { *m = DeviceClassSpec{} }
 
-var xxx_messageInfo_OpaqueDeviceConfiguration proto.InternalMessageInfo
+func (m *DeviceConfiguration) Reset() { *m = DeviceConfiguration{} }
 
-func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
-func (*ResourceClaim) ProtoMessage() {}
-func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{31}
-}
-func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaim.Merge(m, src)
-}
-func (m *ResourceClaim) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaim) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaim.DiscardUnknown(m)
-}
+func (m *DeviceConstraint) Reset() { *m = DeviceConstraint{} }
 
-var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
+func (m *DeviceCounterConsumption) Reset() { *m = DeviceCounterConsumption{} }
 
-func (m *ResourceClaimConsumerReference) Reset()      { *m = ResourceClaimConsumerReference{} }
-func (*ResourceClaimConsumerReference) ProtoMessage() {}
-func (*ResourceClaimConsumerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{32}
-}
-func (m *ResourceClaimConsumerReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimConsumerReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimConsumerReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimConsumerReference.Merge(m, src)
-}
-func (m *ResourceClaimConsumerReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimConsumerReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimConsumerReference.DiscardUnknown(m)
-}
+func (m *DeviceRequest) Reset() { *m = DeviceRequest{} }
 
-var xxx_messageInfo_ResourceClaimConsumerReference proto.InternalMessageInfo
+func (m *DeviceRequestAllocationResult) Reset() { *m = DeviceRequestAllocationResult{} }
 
-func (m *ResourceClaimList) Reset()      { *m = ResourceClaimList{} }
-func (*ResourceClaimList) ProtoMessage() {}
-func (*ResourceClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{33}
-}
-func (m *ResourceClaimList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimList.Merge(m, src)
-}
-func (m *ResourceClaimList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimList.DiscardUnknown(m)
-}
+func (m *DeviceSelector) Reset() { *m = DeviceSelector{} }
 
-var xxx_messageInfo_ResourceClaimList proto.InternalMessageInfo
+func (m *DeviceSubRequest) Reset() { *m = DeviceSubRequest{} }
 
-func (m *ResourceClaimSpec) Reset()      { *m = ResourceClaimSpec{} }
-func (*ResourceClaimSpec) ProtoMessage() {}
-func (*ResourceClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{34}
-}
-func (m *ResourceClaimSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimSpec.Merge(m, src)
-}
-func (m *ResourceClaimSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimSpec.DiscardUnknown(m)
-}
+func (m *DeviceTaint) Reset() { *m = DeviceTaint{} }
 
-var xxx_messageInfo_ResourceClaimSpec proto.InternalMessageInfo
+func (m *DeviceToleration) Reset() { *m = DeviceToleration{} }
 
-func (m *ResourceClaimStatus) Reset()      { *m = ResourceClaimStatus{} }
-func (*ResourceClaimStatus) ProtoMessage() {}
-func (*ResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{35}
-}
-func (m *ResourceClaimStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimStatus.Merge(m, src)
-}
-func (m *ResourceClaimStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimStatus.DiscardUnknown(m)
-}
+func (m *ExactDeviceRequest) Reset() { *m = ExactDeviceRequest{} }
 
-var xxx_messageInfo_ResourceClaimStatus proto.InternalMessageInfo
+func (m *NetworkDeviceData) Reset() { *m = NetworkDeviceData{} }
 
-func (m *ResourceClaimTemplate) Reset()      { *m = ResourceClaimTemplate{} }
-func (*ResourceClaimTemplate) ProtoMessage() {}
-func (*ResourceClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{36}
-}
-func (m *ResourceClaimTemplate) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplate) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplate.Merge(m, src)
-}
-func (m *ResourceClaimTemplate) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplate) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplate.DiscardUnknown(m)
-}
+func (m *OpaqueDeviceConfiguration) Reset() { *m = OpaqueDeviceConfiguration{} }
 
-var xxx_messageInfo_ResourceClaimTemplate proto.InternalMessageInfo
+func (m *ResourceClaim) Reset() { *m = ResourceClaim{} }
 
-func (m *ResourceClaimTemplateList) Reset()      { *m = ResourceClaimTemplateList{} }
-func (*ResourceClaimTemplateList) ProtoMessage() {}
-func (*ResourceClaimTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{37}
-}
-func (m *ResourceClaimTemplateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateList.Merge(m, src)
-}
-func (m *ResourceClaimTemplateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateList.DiscardUnknown(m)
-}
+func (m *ResourceClaimConsumerReference) Reset() { *m = ResourceClaimConsumerReference{} }
 
-var xxx_messageInfo_ResourceClaimTemplateList proto.InternalMessageInfo
+func (m *ResourceClaimList) Reset() { *m = ResourceClaimList{} }
 
-func (m *ResourceClaimTemplateSpec) Reset()      { *m = ResourceClaimTemplateSpec{} }
-func (*ResourceClaimTemplateSpec) ProtoMessage() {}
-func (*ResourceClaimTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{38}
-}
-func (m *ResourceClaimTemplateSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceClaimTemplateSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceClaimTemplateSpec.Merge(m, src)
-}
-func (m *ResourceClaimTemplateSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceClaimTemplateSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceClaimTemplateSpec.DiscardUnknown(m)
-}
+func (m *ResourceClaimSpec) Reset() { *m = ResourceClaimSpec{} }
 
-var xxx_messageInfo_ResourceClaimTemplateSpec proto.InternalMessageInfo
+func (m *ResourceClaimStatus) Reset() { *m = ResourceClaimStatus{} }
 
-func (m *ResourcePool) Reset()      { *m = ResourcePool{} }
-func (*ResourcePool) ProtoMessage() {}
-func (*ResourcePool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{39}
-}
-func (m *ResourcePool) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourcePool) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourcePool) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourcePool.Merge(m, src)
-}
-func (m *ResourcePool) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourcePool) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourcePool.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplate) Reset() { *m = ResourceClaimTemplate{} }
 
-var xxx_messageInfo_ResourcePool proto.InternalMessageInfo
+func (m *ResourceClaimTemplateList) Reset() { *m = ResourceClaimTemplateList{} }
 
-func (m *ResourceSlice) Reset()      { *m = ResourceSlice{} }
-func (*ResourceSlice) ProtoMessage() {}
-func (*ResourceSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{40}
-}
-func (m *ResourceSlice) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSlice) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSlice) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSlice.Merge(m, src)
-}
-func (m *ResourceSlice) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSlice) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSlice.DiscardUnknown(m)
-}
+func (m *ResourceClaimTemplateSpec) Reset() { *m = ResourceClaimTemplateSpec{} }
 
-var xxx_messageInfo_ResourceSlice proto.InternalMessageInfo
+func (m *ResourcePool) Reset() { *m = ResourcePool{} }
 
-func (m *ResourceSliceList) Reset()      { *m = ResourceSliceList{} }
-func (*ResourceSliceList) ProtoMessage() {}
-func (*ResourceSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{41}
-}
-func (m *ResourceSliceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceList.Merge(m, src)
-}
-func (m *ResourceSliceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceList.DiscardUnknown(m)
-}
+func (m *ResourceSlice) Reset() { *m = ResourceSlice{} }
 
-var xxx_messageInfo_ResourceSliceList proto.InternalMessageInfo
+func (m *ResourceSliceList) Reset() { *m = ResourceSliceList{} }
 
-func (m *ResourceSliceSpec) Reset()      { *m = ResourceSliceSpec{} }
-func (*ResourceSliceSpec) ProtoMessage() {}
-func (*ResourceSliceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_57f2e1d27c072d6e, []int{42}
-}
-func (m *ResourceSliceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceSliceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceSliceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceSliceSpec.Merge(m, src)
-}
-func (m *ResourceSliceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceSliceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceSliceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ResourceSliceSpec proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AllocatedDeviceStatus)(nil), "k8s.io.api.resource.v1beta2.AllocatedDeviceStatus")
-	proto.RegisterType((*AllocationResult)(nil), "k8s.io.api.resource.v1beta2.AllocationResult")
-	proto.RegisterType((*CELDeviceSelector)(nil), "k8s.io.api.resource.v1beta2.CELDeviceSelector")
-	proto.RegisterType((*CapacityRequestPolicy)(nil), "k8s.io.api.resource.v1beta2.CapacityRequestPolicy")
-	proto.RegisterType((*CapacityRequestPolicyRange)(nil), "k8s.io.api.resource.v1beta2.CapacityRequestPolicyRange")
-	proto.RegisterType((*CapacityRequirements)(nil), "k8s.io.api.resource.v1beta2.CapacityRequirements")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1beta2.CapacityRequirements.RequestsEntry")
-	proto.RegisterType((*Counter)(nil), "k8s.io.api.resource.v1beta2.Counter")
-	proto.RegisterType((*CounterSet)(nil), "k8s.io.api.resource.v1beta2.CounterSet")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1beta2.CounterSet.CountersEntry")
-	proto.RegisterType((*Device)(nil), "k8s.io.api.resource.v1beta2.Device")
-	proto.RegisterMapType((map[QualifiedName]DeviceAttribute)(nil), "k8s.io.api.resource.v1beta2.Device.AttributesEntry")
-	proto.RegisterMapType((map[QualifiedName]DeviceCapacity)(nil), "k8s.io.api.resource.v1beta2.Device.CapacityEntry")
-	proto.RegisterType((*DeviceAllocationConfiguration)(nil), "k8s.io.api.resource.v1beta2.DeviceAllocationConfiguration")
-	proto.RegisterType((*DeviceAllocationResult)(nil), "k8s.io.api.resource.v1beta2.DeviceAllocationResult")
-	proto.RegisterType((*DeviceAttribute)(nil), "k8s.io.api.resource.v1beta2.DeviceAttribute")
-	proto.RegisterType((*DeviceCapacity)(nil), "k8s.io.api.resource.v1beta2.DeviceCapacity")
-	proto.RegisterType((*DeviceClaim)(nil), "k8s.io.api.resource.v1beta2.DeviceClaim")
-	proto.RegisterType((*DeviceClaimConfiguration)(nil), "k8s.io.api.resource.v1beta2.DeviceClaimConfiguration")
-	proto.RegisterType((*DeviceClass)(nil), "k8s.io.api.resource.v1beta2.DeviceClass")
-	proto.RegisterType((*DeviceClassConfiguration)(nil), "k8s.io.api.resource.v1beta2.DeviceClassConfiguration")
-	proto.RegisterType((*DeviceClassList)(nil), "k8s.io.api.resource.v1beta2.DeviceClassList")
-	proto.RegisterType((*DeviceClassSpec)(nil), "k8s.io.api.resource.v1beta2.DeviceClassSpec")
-	proto.RegisterType((*DeviceConfiguration)(nil), "k8s.io.api.resource.v1beta2.DeviceConfiguration")
-	proto.RegisterType((*DeviceConstraint)(nil), "k8s.io.api.resource.v1beta2.DeviceConstraint")
-	proto.RegisterType((*DeviceCounterConsumption)(nil), "k8s.io.api.resource.v1beta2.DeviceCounterConsumption")
-	proto.RegisterMapType((map[string]Counter)(nil), "k8s.io.api.resource.v1beta2.DeviceCounterConsumption.CountersEntry")
-	proto.RegisterType((*DeviceRequest)(nil), "k8s.io.api.resource.v1beta2.DeviceRequest")
-	proto.RegisterType((*DeviceRequestAllocationResult)(nil), "k8s.io.api.resource.v1beta2.DeviceRequestAllocationResult")
-	proto.RegisterMapType((map[QualifiedName]resource.Quantity)(nil), "k8s.io.api.resource.v1beta2.DeviceRequestAllocationResult.ConsumedCapacityEntry")
-	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1beta2.DeviceSelector")
-	proto.RegisterType((*DeviceSubRequest)(nil), "k8s.io.api.resource.v1beta2.DeviceSubRequest")
-	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1beta2.DeviceTaint")
-	proto.RegisterType((*DeviceToleration)(nil), "k8s.io.api.resource.v1beta2.DeviceToleration")
-	proto.RegisterType((*ExactDeviceRequest)(nil), "k8s.io.api.resource.v1beta2.ExactDeviceRequest")
-	proto.RegisterType((*NetworkDeviceData)(nil), "k8s.io.api.resource.v1beta2.NetworkDeviceData")
-	proto.RegisterType((*OpaqueDeviceConfiguration)(nil), "k8s.io.api.resource.v1beta2.OpaqueDeviceConfiguration")
-	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.resource.v1beta2.ResourceClaim")
-	proto.RegisterType((*ResourceClaimConsumerReference)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimConsumerReference")
-	proto.RegisterType((*ResourceClaimList)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimList")
-	proto.RegisterType((*ResourceClaimSpec)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimSpec")
-	proto.RegisterType((*ResourceClaimStatus)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimStatus")
-	proto.RegisterType((*ResourceClaimTemplate)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimTemplate")
-	proto.RegisterType((*ResourceClaimTemplateList)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimTemplateList")
-	proto.RegisterType((*ResourceClaimTemplateSpec)(nil), "k8s.io.api.resource.v1beta2.ResourceClaimTemplateSpec")
-	proto.RegisterType((*ResourcePool)(nil), "k8s.io.api.resource.v1beta2.ResourcePool")
-	proto.RegisterType((*ResourceSlice)(nil), "k8s.io.api.resource.v1beta2.ResourceSlice")
-	proto.RegisterType((*ResourceSliceList)(nil), "k8s.io.api.resource.v1beta2.ResourceSliceList")
-	proto.RegisterType((*ResourceSliceSpec)(nil), "k8s.io.api.resource.v1beta2.ResourceSliceSpec")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/resource/v1beta2/generated.proto", fileDescriptor_57f2e1d27c072d6e)
-}
-
-var fileDescriptor_57f2e1d27c072d6e = []byte{
-	// 3037 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x5b, 0xcf, 0x6f, 0x24, 0x47,
-	0xf5, 0x77, 0xcf, 0xcc, 0x8e, 0xc7, 0x6f, 0x6c, 0xaf, 0x5d, 0xfb, 0x23, 0x13, 0xe7, 0x1b, 0x8f,
-	0xd3, 0xfb, 0x85, 0x38, 0x9b, 0x64, 0x9c, 0x35, 0x24, 0x44, 0x9b, 0x03, 0xcc, 0xd8, 0xde, 0xc4,
-	0xc9, 0xae, 0xd7, 0xa9, 0x71, 0x9c, 0x25, 0xbf, 0x44, 0xbb, 0xbb, 0x6c, 0x37, 0xee, 0xe9, 0x9e,
-	0xed, 0xae, 0xf1, 0xda, 0x42, 0x82, 0x08, 0xae, 0x1c, 0x38, 0x80, 0x84, 0x04, 0x48, 0x08, 0x21,
-	0x7e, 0x48, 0x08, 0xf1, 0x17, 0x04, 0x05, 0x14, 0x91, 0x1b, 0x51, 0xb8, 0xe4, 0x80, 0x26, 0x64,
-	0x72, 0xe2, 0xc8, 0x05, 0xa1, 0x3d, 0xa1, 0xaa, 0xae, 0xea, 0x5f, 0x33, 0x3d, 0xe9, 0x71, 0x76,
-	0x57, 0xcb, 0xcd, 0xf3, 0xea, 0xbd, 0x4f, 0x55, 0xbd, 0x7a, 0xbf, 0xea, 0x75, 0x19, 0x1e, 0x3f,
-	0x78, 0xd6, 0xab, 0x99, 0xce, 0x92, 0xd6, 0x36, 0x97, 0x5c, 0xe2, 0x39, 0x1d, 0x57, 0x27, 0x4b,
-	0x87, 0x97, 0x76, 0x08, 0xd5, 0x96, 0x97, 0xf6, 0x88, 0x4d, 0x5c, 0x8d, 0x12, 0xa3, 0xd6, 0x76,
-	0x1d, 0xea, 0xa0, 0x87, 0x7c, 0xe6, 0x9a, 0xd6, 0x36, 0x6b, 0x92, 0xb9, 0x26, 0x98, 0xe7, 0x9e,
-	0xdc, 0x33, 0xe9, 0x7e, 0x67, 0xa7, 0xa6, 0x3b, 0xad, 0xa5, 0x3d, 0x67, 0xcf, 0x59, 0xe2, 0x32,
-	0x3b, 0x9d, 0x5d, 0xfe, 0x8b, 0xff, 0xe0, 0x7f, 0xf9, 0x58, 0x73, 0x6a, 0x64, 0x62, 0xdd, 0x71,
-	0xd9, 0xa4, 0xc9, 0xf9, 0xe6, 0xbe, 0x1c, 0xf2, 0xb4, 0x34, 0x7d, 0xdf, 0xb4, 0x89, 0x7b, 0xbc,
-	0xd4, 0x3e, 0xd8, 0x8b, 0xaf, 0x76, 0x14, 0x29, 0x6f, 0xa9, 0x45, 0xa8, 0x36, 0x68, 0xae, 0xa5,
-	0x34, 0x29, 0xb7, 0x63, 0x53, 0xb3, 0xd5, 0x3f, 0xcd, 0x33, 0x9f, 0x25, 0xe0, 0xe9, 0xfb, 0xa4,
-	0xa5, 0x25, 0xe5, 0xd4, 0xf7, 0xf2, 0x70, 0xae, 0x6e, 0x59, 0x8e, 0xce, 0x68, 0xab, 0xe4, 0xd0,
-	0xd4, 0x49, 0x93, 0x6a, 0xb4, 0xe3, 0xa1, 0x2f, 0x42, 0xd1, 0x70, 0xcd, 0x43, 0xe2, 0x56, 0x94,
-	0x05, 0x65, 0x71, 0xa2, 0x31, 0xfd, 0x7e, 0xb7, 0x3a, 0xd6, 0xeb, 0x56, 0x8b, 0xab, 0x9c, 0x8a,
-	0xc5, 0x28, 0x5a, 0x80, 0x42, 0xdb, 0x71, 0xac, 0x4a, 0x8e, 0x73, 0x4d, 0x0a, 0xae, 0xc2, 0xa6,
-	0xe3, 0x58, 0x98, 0x8f, 0x70, 0x24, 0x8e, 0x5c, 0xc9, 0x27, 0x90, 0x38, 0x15, 0x8b, 0x51, 0xf4,
-	0x05, 0x18, 0xf7, 0xf6, 0x35, 0x97, 0xac, 0xaf, 0x56, 0xc6, 0x39, 0x63, 0xb9, 0xd7, 0xad, 0x8e,
-	0x37, 0x7d, 0x12, 0x96, 0x63, 0x48, 0x07, 0xd0, 0x1d, 0xdb, 0x30, 0xa9, 0xe9, 0xd8, 0x5e, 0xa5,
-	0xb0, 0x90, 0x5f, 0x2c, 0x2f, 0x2f, 0xd5, 0x42, 0x63, 0x08, 0xf6, 0x5f, 0x6b, 0x1f, 0xec, 0x31,
-	0x82, 0x57, 0x63, 0x6a, 0xae, 0x1d, 0x5e, 0xaa, 0xad, 0x48, 0xb9, 0x06, 0x12, 0x6b, 0x80, 0x80,
-	0xe4, 0xe1, 0x08, 0x2c, 0x7a, 0x09, 0x0a, 0x86, 0x46, 0xb5, 0xca, 0xa9, 0x05, 0x65, 0xb1, 0xbc,
-	0xfc, 0x64, 0x2a, 0xbc, 0x50, 0x6f, 0x0d, 0x6b, 0xb7, 0xd6, 0x8e, 0x28, 0xb1, 0x3d, 0x06, 0x5e,
-	0x62, 0x0a, 0x58, 0xd5, 0xa8, 0x86, 0x39, 0x08, 0xd2, 0xa0, 0x6c, 0x13, 0x7a, 0xcb, 0x71, 0x0f,
-	0x18, 0xb1, 0x52, 0xe4, 0x98, 0xb5, 0xda, 0x10, 0xfb, 0xad, 0x6d, 0x08, 0x7e, 0xae, 0x19, 0x26,
-	0xd5, 0x38, 0xdd, 0xeb, 0x56, 0xcb, 0x1b, 0x21, 0x0c, 0x8e, 0x62, 0xaa, 0xef, 0xe6, 0x60, 0x46,
-	0x9c, 0xa3, 0xe9, 0xd8, 0x98, 0x78, 0x1d, 0x8b, 0xa2, 0xb7, 0x60, 0xdc, 0x57, 0xad, 0xc7, 0xcf,
-	0xb0, 0xbc, 0xfc, 0xa5, 0xa1, 0x73, 0xfa, 0x93, 0x25, 0x51, 0x1a, 0xa7, 0x85, 0xaa, 0xc6, 0xfd,
-	0x71, 0x0f, 0x4b, 0x50, 0xb4, 0x0d, 0x93, 0xb6, 0x63, 0x90, 0x26, 0xb1, 0x88, 0x4e, 0x1d, 0x97,
-	0x1f, 0x6f, 0x79, 0x79, 0x21, 0x3a, 0x09, 0x73, 0x26, 0xa6, 0xf9, 0x8d, 0x08, 0x5f, 0x63, 0xa6,
-	0xd7, 0xad, 0x4e, 0x46, 0x29, 0x38, 0x86, 0x83, 0x3a, 0x70, 0x46, 0x0b, 0x56, 0xb1, 0x65, 0xb6,
-	0x88, 0x47, 0xb5, 0x56, 0x5b, 0x9c, 0xc5, 0xc5, 0x6c, 0x47, 0xcd, 0xc4, 0x1a, 0x0f, 0xf4, 0xba,
-	0xd5, 0x33, 0xf5, 0x7e, 0x28, 0x3c, 0x08, 0x5f, 0x7d, 0x1e, 0x66, 0x57, 0xd6, 0xae, 0x0a, 0x27,
-	0x90, 0x6b, 0x59, 0x06, 0x20, 0x47, 0x6d, 0x97, 0x78, 0xec, 0x64, 0x85, 0x2b, 0x04, 0xc6, 0xb3,
-	0x16, 0x8c, 0xe0, 0x08, 0x97, 0xfa, 0x4e, 0x0e, 0xce, 0xad, 0x68, 0x6d, 0x4d, 0x37, 0xe9, 0x31,
-	0x26, 0x37, 0x3b, 0xc4, 0xa3, 0x9b, 0x8e, 0x65, 0xea, 0xc7, 0xe8, 0x15, 0x76, 0x22, 0xbb, 0x5a,
-	0xc7, 0xa2, 0xe2, 0x44, 0x6a, 0xc3, 0x76, 0x13, 0x1e, 0xd1, 0xcb, 0x1d, 0xcd, 0xa6, 0x26, 0x3d,
-	0xf6, 0x5d, 0x62, 0xd5, 0x87, 0xc0, 0x12, 0x0b, 0x11, 0x28, 0x1f, 0x6a, 0x96, 0x69, 0x6c, 0x6b,
-	0x56, 0x87, 0x78, 0x95, 0x3c, 0xf7, 0x89, 0x51, 0xa1, 0xcf, 0x88, 0x5d, 0x95, 0xb7, 0x43, 0x28,
-	0x1c, 0xc5, 0x45, 0x7b, 0x00, 0xfc, 0x27, 0xd6, 0xec, 0x3d, 0x52, 0x29, 0xf0, 0x0d, 0x7c, 0x65,
-	0xa8, 0x49, 0x0d, 0xd4, 0x02, 0x17, 0x6f, 0x4c, 0x33, 0x05, 0x6e, 0x07, 0x70, 0x38, 0x02, 0xad,
-	0xbe, 0x9d, 0x83, 0xb9, 0x74, 0x51, 0xb4, 0x0e, 0xf9, 0x96, 0x69, 0x9f, 0x50, 0x83, 0xe3, 0xbd,
-	0x6e, 0x35, 0x7f, 0xcd, 0xb4, 0x31, 0xc3, 0xe0, 0x50, 0xda, 0x11, 0x0f, 0x5e, 0x27, 0x85, 0xd2,
-	0x8e, 0x30, 0xc3, 0x40, 0x57, 0xa1, 0xe0, 0x51, 0xd2, 0x16, 0x5e, 0x30, 0x2a, 0x16, 0x8f, 0x19,
-	0x4d, 0x4a, 0xda, 0x98, 0xa3, 0xa8, 0xdf, 0xcb, 0xc1, 0xd9, 0xa8, 0x0a, 0x4c, 0x97, 0xb4, 0x88,
-	0x4d, 0x3d, 0xf4, 0x6d, 0x28, 0xb9, 0xbe, 0x4a, 0x98, 0x57, 0xb3, 0x83, 0xfe, 0x6a, 0xe6, 0x23,
-	0x90, 0x20, 0x35, 0xa1, 0x54, 0x6f, 0xcd, 0xa6, 0xee, 0x71, 0xe3, 0x11, 0x71, 0xf2, 0x25, 0x49,
-	0xfe, 0xee, 0xc7, 0xd5, 0xa9, 0x97, 0x3b, 0x9a, 0x65, 0xee, 0x9a, 0xc4, 0xd8, 0xd0, 0x5a, 0x04,
-	0x07, 0x73, 0xce, 0x1d, 0xc0, 0x54, 0x4c, 0x1a, 0xcd, 0x40, 0xfe, 0x80, 0x1c, 0xfb, 0xae, 0x81,
-	0xd9, 0x9f, 0x68, 0x15, 0x4e, 0x1d, 0x32, 0x8b, 0x39, 0x99, 0x5a, 0xb1, 0x2f, 0x7c, 0x39, 0xf7,
-	0xac, 0xa2, 0xbe, 0x05, 0xe3, 0x2b, 0x4e, 0xc7, 0xa6, 0xc4, 0x45, 0x4d, 0x09, 0x7a, 0xb2, 0x63,
-	0x9f, 0x12, 0x7b, 0x3c, 0xc5, 0x6d, 0x59, 0xcc, 0xa1, 0xfe, 0x5b, 0x01, 0x10, 0x13, 0x34, 0x09,
-	0x65, 0xb9, 0xcc, 0xd6, 0x5a, 0x44, 0xb8, 0x79, 0x90, 0xcb, 0xb8, 0x06, 0xf8, 0x08, 0xd2, 0xa1,
-	0xa4, 0xfb, 0xfc, 0x5e, 0x25, 0xc7, 0xb5, 0xff, 0xf4, 0x70, 0xed, 0x07, 0xe0, 0xf2, 0x4f, 0xa1,
-	0xf3, 0x19, 0xa9, 0x73, 0x49, 0xc6, 0x01, 0xf0, 0x9c, 0x06, 0x53, 0x31, 0xe6, 0x01, 0x2a, 0xbe,
-	0x1c, 0x57, 0xf1, 0xff, 0x67, 0x59, 0x44, 0x54, 0xb1, 0x3f, 0x9c, 0x00, 0x91, 0x7e, 0x33, 0x6c,
-	0xfa, 0x08, 0x40, 0xa3, 0xd4, 0x35, 0x77, 0x3a, 0x94, 0xc8, 0x6d, 0x67, 0x49, 0x25, 0xb5, 0x7a,
-	0x20, 0xe5, 0x6f, 0xfa, 0x82, 0x0c, 0x9c, 0xe1, 0x40, 0xbf, 0xa9, 0x45, 0xe6, 0x42, 0x6d, 0x28,
-	0xe9, 0xc2, 0x7e, 0x45, 0x54, 0xbb, 0x94, 0x65, 0x5e, 0x69, 0xf3, 0x09, 0xf3, 0x96, 0xe4, 0x01,
-	0xe6, 0x2d, 0x67, 0x41, 0xdf, 0x82, 0x19, 0xdd, 0xb1, 0xbd, 0x4e, 0x8b, 0x78, 0xf2, 0x0c, 0x44,
-	0x8d, 0xf1, 0x74, 0x86, 0x99, 0x85, 0xc8, 0x0a, 0x47, 0x68, 0xf3, 0x4a, 0xa3, 0x22, 0x66, 0x9f,
-	0x59, 0x49, 0xc0, 0xe2, 0xbe, 0x89, 0xd0, 0x22, 0x94, 0x58, 0x22, 0x64, 0x4b, 0xe2, 0xd9, 0x6e,
-	0xa2, 0x31, 0xc9, 0xd6, 0xbd, 0x21, 0x68, 0x38, 0x18, 0xed, 0x4b, 0xbd, 0xc5, 0x3b, 0x94, 0x7a,
-	0x17, 0xa1, 0xa4, 0x59, 0x16, 0x63, 0xf0, 0x78, 0x11, 0x56, 0xf2, 0x57, 0x50, 0x17, 0x34, 0x1c,
-	0x8c, 0xa2, 0x4d, 0x28, 0x52, 0xcd, 0xb4, 0xa9, 0x57, 0x29, 0x71, 0xf5, 0x2c, 0x66, 0x50, 0xcf,
-	0x16, 0x13, 0x08, 0xeb, 0x3f, 0xfe, 0xd3, 0xc3, 0x02, 0x07, 0x5d, 0x82, 0xf2, 0x8e, 0x69, 0x1b,
-	0xde, 0x96, 0xc3, 0x66, 0xa8, 0x4c, 0xf0, 0xe9, 0x79, 0xd9, 0xd3, 0x08, 0xc9, 0x38, 0xca, 0x83,
-	0x56, 0x60, 0x96, 0xfd, 0x34, 0xed, 0xbd, 0xb0, 0x8e, 0xab, 0xc0, 0x42, 0x7e, 0x71, 0xa2, 0x71,
-	0xae, 0xd7, 0xad, 0xce, 0x36, 0x92, 0x83, 0xb8, 0x9f, 0x1f, 0xdd, 0x80, 0x8a, 0x20, 0x5e, 0xd1,
-	0x4c, 0xab, 0xe3, 0x92, 0x08, 0x56, 0x99, 0x63, 0xfd, 0x5f, 0xaf, 0x5b, 0xad, 0x34, 0x52, 0x78,
-	0x70, 0xaa, 0x34, 0x43, 0x66, 0x85, 0xc6, 0xad, 0x6b, 0x1d, 0x8b, 0x9a, 0x6d, 0x2b, 0x52, 0x5b,
-	0x79, 0x95, 0x49, 0xbe, 0x3d, 0x8e, 0x5c, 0x4f, 0xe1, 0xc1, 0xa9, 0xd2, 0x73, 0x07, 0x70, 0x3a,
-	0xe1, 0x5c, 0x03, 0x82, 0x44, 0x23, 0x1e, 0x24, 0x9e, 0xc8, 0x52, 0xfd, 0x49, 0xd0, 0x48, 0xb0,
-	0x98, 0xdb, 0x87, 0xa9, 0x98, 0x47, 0x0d, 0x98, 0xaa, 0x1e, 0x9f, 0xea, 0xf1, 0x2c, 0xbe, 0x22,
-	0x13, 0x53, 0x24, 0x2c, 0x7d, 0x3f, 0x07, 0x0f, 0x27, 0xcb, 0xd0, 0x15, 0xc7, 0xde, 0x35, 0xf7,
-	0x3a, 0x2e, 0xff, 0x81, 0xbe, 0x06, 0x45, 0x1f, 0x4d, 0xc4, 0xab, 0x45, 0x69, 0x4c, 0x4d, 0x4e,
-	0xbd, 0xdd, 0xad, 0x9e, 0x4f, 0x8a, 0xfa, 0x23, 0x58, 0xc8, 0x31, 0x13, 0x0f, 0x12, 0x68, 0x8e,
-	0x1f, 0xef, 0x64, 0x34, 0xf7, 0x85, 0xa9, 0x0e, 0x7d, 0x07, 0xce, 0x18, 0xc2, 0xad, 0x23, 0x4b,
-	0x10, 0x09, 0xfe, 0xa9, 0x4c, 0xe1, 0x20, 0x22, 0xd7, 0x78, 0x48, 0x2c, 0xf5, 0xcc, 0x80, 0x41,
-	0x3c, 0x68, 0x26, 0xf5, 0x53, 0x05, 0xce, 0x0f, 0xae, 0xca, 0x11, 0x81, 0x71, 0x97, 0xff, 0x25,
-	0xab, 0x80, 0xcb, 0x19, 0xd6, 0x23, 0xf6, 0x98, 0x5e, 0xe2, 0xfb, 0xbf, 0x3d, 0x2c, 0xb1, 0xd1,
-	0x0e, 0x14, 0x75, 0xbe, 0x24, 0x11, 0xf6, 0x2f, 0x8f, 0x74, 0x83, 0x88, 0xef, 0x3f, 0xf0, 0x7b,
-	0x9f, 0x8c, 0x05, 0xb2, 0xfa, 0x5b, 0x05, 0x4e, 0x27, 0xac, 0x0f, 0xcd, 0x43, 0xde, 0xb4, 0x29,
-	0xb7, 0xa6, 0xbc, 0x7f, 0x3e, 0xeb, 0x36, 0xf5, 0x53, 0x37, 0x1b, 0x40, 0x8f, 0x40, 0x61, 0x87,
-	0xdd, 0x3a, 0xf3, 0xdc, 0x8b, 0xa6, 0x7a, 0xdd, 0xea, 0x44, 0xc3, 0x71, 0x2c, 0x9f, 0x83, 0x0f,
-	0xa1, 0x47, 0xa1, 0xe8, 0x51, 0xd7, 0xb4, 0xf7, 0x78, 0xa5, 0x3a, 0xe1, 0x47, 0x92, 0x26, 0xa7,
-	0xf8, 0x6c, 0x62, 0x18, 0x5d, 0x84, 0xf1, 0x43, 0xe2, 0xf2, 0xfa, 0xde, 0x0f, 0xba, 0x3c, 0x48,
-	0x6e, 0xfb, 0x24, 0x9f, 0x55, 0x32, 0xa8, 0x1f, 0x2a, 0x30, 0x1d, 0x37, 0xdf, 0xbb, 0x52, 0x98,
-	0xa0, 0x03, 0x98, 0x72, 0xa3, 0x85, 0xaf, 0xf0, 0xab, 0xe5, 0xd1, 0xab, 0xed, 0xc6, 0x6c, 0xaf,
-	0x5b, 0x9d, 0x8a, 0x57, 0xd1, 0x71, 0x6c, 0xf5, 0x77, 0x39, 0x28, 0x8b, 0x4d, 0x59, 0x9a, 0xd9,
-	0x42, 0x37, 0xfa, 0x4a, 0xcc, 0x8b, 0xd9, 0x8d, 0x2b, 0xac, 0x6c, 0x06, 0x78, 0x94, 0x01, 0x65,
-	0x96, 0xf4, 0xa8, 0xeb, 0x67, 0x0e, 0xdf, 0xa6, 0x9e, 0xcc, 0xe6, 0x49, 0x42, 0x2a, 0xbc, 0xa7,
-	0x84, 0x34, 0x0f, 0x47, 0x61, 0xd1, 0x9b, 0x81, 0xd1, 0xe6, 0xb3, 0x67, 0x6e, 0xb6, 0xf3, 0x6c,
-	0xf6, 0xfa, 0x9e, 0x02, 0x95, 0x34, 0xa1, 0x58, 0x74, 0x51, 0x4e, 0x12, 0x5d, 0x72, 0xf7, 0x2c,
-	0xba, 0xfc, 0x51, 0x89, 0x1c, 0xbb, 0xe7, 0xa1, 0x6f, 0x40, 0x89, 0xdd, 0x9e, 0x79, 0xdf, 0x43,
-	0xe9, 0x5b, 0xc5, 0x90, 0xbb, 0xf6, 0xf5, 0x9d, 0x6f, 0x12, 0x9d, 0x5e, 0x23, 0x54, 0x0b, 0xaf,
-	0xc6, 0x21, 0x0d, 0x07, 0xa8, 0x68, 0x03, 0x0a, 0x5e, 0x9b, 0xe8, 0x23, 0xe4, 0x23, 0xbe, 0xb2,
-	0x66, 0x9b, 0xe8, 0x61, 0x61, 0xca, 0x7e, 0x61, 0x8e, 0xa3, 0xfe, 0x24, 0x7a, 0x12, 0x9e, 0x17,
-	0x3f, 0x89, 0x14, 0xfd, 0x2a, 0xf7, 0x4c, 0xbf, 0xef, 0x04, 0x71, 0x8d, 0xaf, 0xee, 0xaa, 0xe9,
-	0x51, 0xf4, 0x46, 0x9f, 0x8e, 0x6b, 0xd9, 0x74, 0xcc, 0xa4, 0xb9, 0x86, 0x03, 0xf7, 0x92, 0x94,
-	0x88, 0x7e, 0xaf, 0xc1, 0x29, 0x93, 0x92, 0x96, 0x74, 0xac, 0xc5, 0xac, 0x0a, 0x0e, 0x83, 0xd0,
-	0x3a, 0x13, 0xc7, 0x3e, 0x8a, 0xfa, 0xd3, 0x5c, 0x6c, 0x03, 0x4c, 0xf1, 0xe8, 0x0d, 0x98, 0xf0,
-	0x44, 0xb1, 0x28, 0x83, 0x43, 0x96, 0x64, 0x1f, 0x14, 0xa0, 0xb3, 0x62, 0xa6, 0x09, 0x49, 0xf1,
-	0x70, 0x08, 0x18, 0xf1, 0xdc, 0xdc, 0x28, 0x9e, 0x9b, 0x38, 0xfa, 0x34, 0xcf, 0x45, 0x57, 0xe1,
-	0x2c, 0x39, 0xa2, 0xc4, 0x36, 0x88, 0x81, 0x05, 0x18, 0xaf, 0xb5, 0xfd, 0x04, 0x51, 0xe9, 0x75,
-	0xab, 0x67, 0xd7, 0x06, 0x8c, 0xe3, 0x81, 0x52, 0xea, 0x4d, 0x18, 0x64, 0x0b, 0xe8, 0x35, 0x28,
-	0x3a, 0x6d, 0xed, 0x66, 0x90, 0x10, 0x9e, 0x19, 0xba, 0x87, 0xeb, 0x9c, 0x75, 0x90, 0xc1, 0x01,
-	0xdb, 0x80, 0x3f, 0x8c, 0x05, 0xa2, 0xfa, 0x4f, 0x05, 0x66, 0x92, 0x01, 0x71, 0x84, 0x90, 0xb3,
-	0x09, 0xd3, 0x2d, 0x8d, 0xea, 0xfb, 0x41, 0x9e, 0x15, 0x5d, 0xdb, 0xc5, 0x5e, 0xb7, 0x3a, 0x7d,
-	0x2d, 0x36, 0x72, 0xbb, 0x5b, 0x45, 0x57, 0x3a, 0x96, 0x75, 0x1c, 0xbf, 0x28, 0x25, 0xe4, 0xd1,
-	0xd7, 0x61, 0xd6, 0x30, 0x3d, 0x6a, 0xda, 0x3a, 0x0d, 0x41, 0xfd, 0x36, 0xef, 0xe3, 0xac, 0x00,
-	0x5f, 0x4d, 0x0e, 0xa6, 0xe0, 0xf6, 0xa3, 0xa8, 0xbf, 0xcc, 0x05, 0xce, 0xdd, 0x77, 0xab, 0x42,
-	0xcb, 0x00, 0x7a, 0x70, 0xb5, 0x4e, 0xb6, 0xe5, 0xc2, 0x4b, 0x37, 0x8e, 0x70, 0xa1, 0x9b, 0x7d,
-	0x77, 0xf7, 0x95, 0x13, 0x5d, 0xe9, 0xee, 0xaf, 0x9b, 0xfc, 0x7f, 0x14, 0x98, 0x8a, 0x25, 0xe0,
-	0x0c, 0x17, 0xfa, 0x6d, 0x18, 0x27, 0x47, 0x9a, 0x4e, 0x2d, 0x59, 0x57, 0x2c, 0x0d, 0x9d, 0x75,
-	0x8d, 0xf1, 0xc6, 0x93, 0x3c, 0xef, 0x43, 0xae, 0xf9, 0x18, 0x58, 0x82, 0xa1, 0x16, 0x4c, 0xef,
-	0x9a, 0xae, 0x47, 0xeb, 0x87, 0x9a, 0x69, 0x69, 0x3b, 0x16, 0x11, 0x09, 0x38, 0x4b, 0x86, 0x6f,
-	0x76, 0x76, 0x24, 0xf8, 0x79, 0xb1, 0xe4, 0xe9, 0x2b, 0x31, 0x30, 0x9c, 0x00, 0x57, 0x3f, 0x2e,
-	0xca, 0xdb, 0x42, 0x4a, 0x61, 0x8b, 0x1e, 0x63, 0x55, 0x32, 0x1f, 0x12, 0xda, 0x88, 0x54, 0xba,
-	0x9c, 0x8c, 0xe5, 0x78, 0xe4, 0x7b, 0x47, 0x2e, 0xd3, 0xf7, 0x8e, 0x7c, 0x86, 0xef, 0x1d, 0x85,
-	0xa1, 0xdf, 0x3b, 0x2e, 0x41, 0x59, 0x33, 0x5a, 0xa6, 0x5d, 0xd7, 0x75, 0xe2, 0x79, 0xbc, 0xf6,
-	0x14, 0xf7, 0xdd, 0x7a, 0x48, 0xc6, 0x51, 0x1e, 0x56, 0x3f, 0x51, 0xc7, 0x22, 0xae, 0xb8, 0x43,
-	0x16, 0x33, 0x6b, 0x77, 0x2b, 0x90, 0x0a, 0xeb, 0xa7, 0x90, 0xe6, 0xe1, 0x28, 0xec, 0xe0, 0x5b,
-	0xf5, 0xf8, 0x1d, 0xbc, 0x55, 0x97, 0x3e, 0xd7, 0xad, 0xfa, 0xc5, 0xf0, 0x3b, 0xd1, 0x04, 0x57,
-	0xf0, 0x53, 0x91, 0xef, 0x44, 0xb7, 0xbb, 0xd5, 0x47, 0xd2, 0xbe, 0x85, 0xd1, 0xe3, 0x36, 0xf1,
-	0x6a, 0xaf, 0x44, 0x3f, 0x26, 0xfd, 0x5a, 0x09, 0xfa, 0x3d, 0x86, 0x2c, 0x9f, 0x79, 0x03, 0xa1,
-	0xbc, 0xbc, 0x79, 0xf2, 0x0b, 0x55, 0x6d, 0x25, 0x01, 0xe9, 0x47, 0x8a, 0xc7, 0x12, 0xad, 0x20,
-	0x23, 0xbd, 0x21, 0xd5, 0xb7, 0xa8, 0x39, 0x0f, 0xce, 0x0d, 0x44, 0xbd, 0xab, 0xfd, 0xd7, 0xd7,
-	0xe5, 0x6d, 0x27, 0x68, 0x10, 0xad, 0x43, 0x5e, 0x27, 0xd6, 0x80, 0xda, 0x65, 0x40, 0xb0, 0x4a,
-	0x7e, 0x4c, 0xf1, 0x1b, 0xe6, 0x2b, 0x6b, 0x57, 0x31, 0xc3, 0x50, 0x7f, 0x54, 0x90, 0xc9, 0x2c,
-	0xf4, 0xfd, 0x0c, 0xc1, 0xab, 0x0e, 0xa7, 0x8d, 0x30, 0xf1, 0xf3, 0xfc, 0xed, 0x7b, 0xec, 0x03,
-	0x82, 0x39, 0x5a, 0xb3, 0x70, 0xb9, 0x24, 0x7f, 0xbc, 0x88, 0xc9, 0xdf, 0xe9, 0x22, 0x66, 0x1b,
-	0xa6, 0xc3, 0xcf, 0x4b, 0xd7, 0x1c, 0x43, 0xc6, 0x81, 0x9a, 0x0c, 0x6b, 0xf5, 0xd8, 0xe8, 0xed,
-	0x6e, 0xf5, 0x6c, 0xf2, 0xe2, 0xcc, 0xe8, 0x38, 0x81, 0x82, 0x2e, 0xc0, 0x29, 0x9e, 0x58, 0x78,
-	0xa4, 0xc8, 0x87, 0x35, 0x1b, 0x4f, 0x0a, 0xd8, 0x1f, 0xbb, 0x47, 0x11, 0xe2, 0xf5, 0x48, 0x5f,
-	0x76, 0x9c, 0x9b, 0xc2, 0xa5, 0x91, 0x3f, 0x42, 0xf8, 0x55, 0x4a, 0x30, 0x12, 0x00, 0xaa, 0xff,
-	0x0a, 0xee, 0x25, 0xbc, 0x41, 0x88, 0x1e, 0x8e, 0x18, 0x78, 0xa3, 0x2c, 0xd6, 0x96, 0x7f, 0x89,
-	0x1c, 0xfb, 0xd6, 0x7e, 0x21, 0x6a, 0xed, 0x13, 0x29, 0xf7, 0xe9, 0xe7, 0xa0, 0x48, 0x76, 0x77,
-	0x89, 0x4e, 0x45, 0xdc, 0x96, 0x9d, 0xe8, 0xe2, 0x1a, 0xa7, 0xde, 0x66, 0xa5, 0x4a, 0x38, 0xa5,
-	0x4f, 0xc4, 0x42, 0x04, 0xbd, 0x0a, 0x13, 0xd4, 0x6c, 0x91, 0xba, 0x61, 0x10, 0x43, 0x7c, 0xf6,
-	0x1a, 0xe5, 0x2b, 0x24, 0xef, 0x4e, 0x6c, 0x49, 0x00, 0x1c, 0x62, 0x5d, 0x2e, 0xfd, 0xf8, 0xe7,
-	0xd5, 0xb1, 0xb7, 0xff, 0xbe, 0x30, 0xa6, 0xfe, 0x22, 0x27, 0x7d, 0x21, 0xd4, 0xf9, 0x67, 0x6d,
-	0xfc, 0x05, 0x28, 0x39, 0x6d, 0xc6, 0xeb, 0xc8, 0x9c, 0xf5, 0x84, 0x2c, 0x45, 0xae, 0x0b, 0xfa,
-	0xed, 0x6e, 0xb5, 0x92, 0x84, 0x95, 0x63, 0x38, 0x90, 0x0e, 0x55, 0x98, 0xcf, 0xa4, 0xc2, 0xc2,
-	0xe8, 0x2a, 0x5c, 0x81, 0xd9, 0xd0, 0x7e, 0x9a, 0x44, 0x77, 0x6c, 0xc3, 0x13, 0x76, 0xcc, 0x53,
-	0xca, 0x56, 0x72, 0x10, 0xf7, 0xf3, 0xab, 0xbf, 0x29, 0x00, 0xea, 0xaf, 0x45, 0x06, 0x05, 0x04,
-	0xe5, 0xf3, 0x04, 0x84, 0xdc, 0xdd, 0x0f, 0x08, 0xf9, 0x3b, 0x1b, 0x10, 0x0a, 0x43, 0x02, 0xc2,
-	0x7d, 0x5b, 0x65, 0xdc, 0xd5, 0x18, 0xf2, 0x7b, 0x05, 0x66, 0xfb, 0xde, 0x50, 0xa0, 0xe7, 0x60,
-	0xca, 0x64, 0xf5, 0xf3, 0xae, 0x26, 0x2e, 0x7e, 0xbe, 0x9d, 0x9c, 0x13, 0x6b, 0x9d, 0x5a, 0x8f,
-	0x0e, 0xe2, 0x38, 0x2f, 0x7a, 0x10, 0xf2, 0x66, 0x5b, 0xb6, 0x8c, 0x79, 0x26, 0x5b, 0xdf, 0xf4,
-	0x30, 0xa3, 0x31, 0x0b, 0xdc, 0xd7, 0x5c, 0xe3, 0x96, 0xe6, 0x32, 0xc7, 0x76, 0x99, 0x9e, 0xf3,
-	0x71, 0x0b, 0x7c, 0x21, 0x3e, 0x8c, 0x93, 0xfc, 0xea, 0xaf, 0x14, 0x78, 0x30, 0xf5, 0x2e, 0x98,
-	0xf9, 0x31, 0x8e, 0x06, 0xd0, 0xd6, 0x5c, 0xad, 0x45, 0xc4, 0x25, 0xe7, 0x04, 0x8f, 0x57, 0x82,
-	0x5b, 0xd4, 0x66, 0x00, 0x84, 0x23, 0xa0, 0xea, 0xcf, 0x72, 0x30, 0x25, 0xaf, 0xc1, 0x7e, 0xbb,
-	0xf0, 0xee, 0xf7, 0x8d, 0x36, 0x63, 0x7d, 0xa3, 0xe1, 0x55, 0x47, 0x6c, 0x6d, 0x69, 0x9d, 0x23,
-	0x74, 0x03, 0x8a, 0x1e, 0x7f, 0xe7, 0x94, 0xa9, 0x9b, 0x1f, 0xc7, 0xe4, 0x72, 0xe1, 0x11, 0xf8,
-	0xbf, 0xb1, 0xc0, 0x53, 0x7b, 0x0a, 0xcc, 0xc7, 0xf8, 0x45, 0xd5, 0xe6, 0x62, 0xb2, 0x4b, 0x5c,
-	0x62, 0xeb, 0x04, 0x3d, 0x01, 0x25, 0xad, 0x6d, 0x3e, 0xef, 0x3a, 0x9d, 0xb6, 0x38, 0xcf, 0xe0,
-	0x0e, 0x59, 0xdf, 0x5c, 0xe7, 0x74, 0x1c, 0x70, 0x30, 0x6e, 0xb9, 0x20, 0x61, 0x55, 0x91, 0x0e,
-	0xab, 0x4f, 0xc7, 0x01, 0x47, 0x50, 0x3f, 0x15, 0x52, 0xeb, 0xa7, 0x06, 0xe4, 0x3b, 0xa6, 0x21,
-	0x5a, 0xdd, 0x4f, 0xc9, 0xac, 0xf2, 0x4a, 0xd6, 0xd2, 0x99, 0x09, 0xab, 0x7f, 0x52, 0x60, 0x36,
-	0xb6, 0xc9, 0x7b, 0xd0, 0xdc, 0xba, 0x1e, 0x6f, 0x6e, 0x5d, 0xcc, 0x7e, 0x62, 0x29, 0xed, 0xad,
-	0xfd, 0xc4, 0x1e, 0x78, 0x7f, 0xab, 0x99, 0x7c, 0x33, 0xb5, 0x98, 0xb5, 0x79, 0x9c, 0xfe, 0x50,
-	0x4a, 0xfd, 0x4b, 0x0e, 0xce, 0x0c, 0xb0, 0x21, 0xf4, 0x26, 0x40, 0x18, 0xd2, 0xc5, 0x7c, 0xc3,
-	0xe3, 0x6c, 0xdf, 0xa7, 0x1b, 0xfe, 0x8c, 0x26, 0x42, 0x8d, 0x00, 0x22, 0x17, 0xca, 0x2e, 0xf1,
-	0x88, 0x7b, 0x48, 0x8c, 0x2b, 0xbc, 0x46, 0x60, 0x7a, 0x7b, 0x2e, 0xbb, 0xde, 0xfa, 0x2c, 0x37,
-	0x8c, 0xea, 0x38, 0xc4, 0xc5, 0xd1, 0x49, 0xd0, 0x9b, 0xa1, 0xfe, 0xfc, 0xcf, 0xe6, 0xcb, 0x59,
-	0xf6, 0x13, 0x7f, 0x7b, 0x38, 0x44, 0x93, 0x7f, 0x53, 0xe0, 0x5c, 0x6c, 0x8d, 0x5b, 0xa4, 0xd5,
-	0xb6, 0x34, 0x4a, 0xee, 0x41, 0x14, 0xba, 0x11, 0x8b, 0x42, 0xcf, 0x64, 0xd7, 0xa3, 0x5c, 0x63,
-	0x6a, 0x1f, 0xfb, 0x43, 0x05, 0x1e, 0x1c, 0x28, 0x71, 0x0f, 0xdc, 0xea, 0xd5, 0xb8, 0x5b, 0x2d,
-	0x8f, 0xbe, 0xad, 0x14, 0xf7, 0xfa, 0x6b, 0xda, 0xa6, 0xb8, 0x9f, 0xfd, 0x0f, 0x26, 0x0d, 0xf5,
-	0x0f, 0x0a, 0x4c, 0x4a, 0xce, 0x4d, 0xc7, 0xb1, 0x32, 0x5c, 0x56, 0x97, 0x01, 0xc4, 0x93, 0x5b,
-	0xf9, 0x6d, 0x27, 0x1f, 0x2e, 0xfb, 0xf9, 0x60, 0x04, 0x47, 0xb8, 0xd0, 0x8b, 0x80, 0xe4, 0x02,
-	0x9b, 0x96, 0xec, 0x40, 0xf2, 0xd0, 0x9f, 0x6f, 0xcc, 0x09, 0x59, 0x84, 0xfb, 0x38, 0xf0, 0x00,
-	0x29, 0xf5, 0xcf, 0x4a, 0x98, 0xad, 0x39, 0xf9, 0x3e, 0x55, 0x3c, 0x5f, 0x5b, 0xaa, 0xe2, 0xa3,
-	0xe9, 0x86, 0x73, 0xde, 0xaf, 0xe9, 0x86, 0x2f, 0x2e, 0xc5, 0x1f, 0xde, 0x2d, 0x24, 0x36, 0xc1,
-	0xfd, 0x20, 0x6b, 0x65, 0xf7, 0x52, 0xe4, 0x99, 0x75, 0x79, 0xf9, 0xb1, 0x4c, 0xab, 0x61, 0x36,
-	0x3a, 0xb0, 0x43, 0x19, 0x7d, 0x67, 0x94, 0x1f, 0xe9, 0x9d, 0x51, 0xe1, 0x2e, 0xbc, 0x33, 0x3a,
-	0x35, 0xf4, 0x9d, 0xd1, 0x46, 0x98, 0x50, 0xfc, 0x8b, 0xc8, 0x85, 0x0c, 0x09, 0x79, 0xc8, 0xa3,
-	0x65, 0x0c, 0xe7, 0xdb, 0xc4, 0xf5, 0xc9, 0xe1, 0x02, 0x99, 0x77, 0xfa, 0xef, 0x9d, 0xe6, 0x7a,
-	0xdd, 0xea, 0xf9, 0xcd, 0x81, 0x1c, 0x38, 0x45, 0x12, 0xed, 0xc1, 0x34, 0x6f, 0x28, 0x1a, 0xc1,
-	0x93, 0x31, 0xff, 0x4d, 0xd4, 0xa3, 0x19, 0xdf, 0x06, 0x86, 0x1d, 0xef, 0x66, 0x0c, 0x06, 0x27,
-	0x60, 0x1b, 0xf5, 0xf7, 0x3f, 0x99, 0x1f, 0xfb, 0xe0, 0x93, 0xf9, 0xb1, 0x8f, 0x3e, 0x99, 0x1f,
-	0x7b, 0xbb, 0x37, 0xaf, 0xbc, 0xdf, 0x9b, 0x57, 0x3e, 0xe8, 0xcd, 0x2b, 0x1f, 0xf5, 0xe6, 0x95,
-	0x7f, 0xf4, 0xe6, 0x95, 0x1f, 0x7c, 0x3a, 0x3f, 0xf6, 0xda, 0x43, 0x43, 0xfe, 0x8d, 0xe2, 0xbf,
-	0x01, 0x00, 0x00, 0xff, 0xff, 0x60, 0x24, 0x5a, 0x50, 0x64, 0x31, 0x00, 0x00,
-}
+func (m *ResourceSliceSpec) Reset() { *m = ResourceSliceSpec{} }
 
 func (m *AllocatedDeviceStatus) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1817,7 +436,7 @@ func (m *CapacityRequirements) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Requests {
 			keysForRequests = append(keysForRequests, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		sort.Strings(keysForRequests)
 		for iNdEx := len(keysForRequests) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Requests[QualifiedName(keysForRequests[iNdEx])]
 			baseI := i
@@ -1902,7 +521,7 @@ func (m *CounterSet) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2054,7 +673,7 @@ func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Capacity {
 			keysForCapacity = append(keysForCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		sort.Strings(keysForCapacity)
 		for iNdEx := len(keysForCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Capacity[QualifiedName(keysForCapacity[iNdEx])]
 			baseI := i
@@ -2083,7 +702,7 @@ func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Attributes {
 			keysForAttributes = append(keysForAttributes, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+		sort.Strings(keysForAttributes)
 		for iNdEx := len(keysForAttributes) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Attributes[QualifiedName(keysForAttributes[iNdEx])]
 			baseI := i
@@ -2704,7 +1323,7 @@ func (m *DeviceCounterConsumption) MarshalToSizedBuffer(dAtA []byte) (int, error
 		for k := range m.Counters {
 			keysForCounters = append(keysForCounters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+		sort.Strings(keysForCounters)
 		for iNdEx := len(keysForCounters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Counters[string(keysForCounters[iNdEx])]
 			baseI := i
@@ -2815,7 +1434,7 @@ func (m *DeviceRequestAllocationResult) MarshalToSizedBuffer(dAtA []byte) (int,
 		for k := range m.ConsumedCapacity {
 			keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+		sort.Strings(keysForConsumedCapacity)
 		for iNdEx := len(keysForConsumedCapacity) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.ConsumedCapacity[QualifiedName(keysForConsumedCapacity[iNdEx])]
 			baseI := i
@@ -4890,7 +3509,7 @@ func (this *CapacityRequirements) String() string {
 	for k := range this.Requests {
 		keysForRequests = append(keysForRequests, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	sort.Strings(keysForRequests)
 	mapStringForRequests := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForRequests {
 		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[QualifiedName(k)])
@@ -4920,7 +3539,7 @@ func (this *CounterSet) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -4951,7 +3570,7 @@ func (this *Device) String() string {
 	for k := range this.Attributes {
 		keysForAttributes = append(keysForAttributes, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttributes)
+	sort.Strings(keysForAttributes)
 	mapStringForAttributes := "map[QualifiedName]DeviceAttribute{"
 	for _, k := range keysForAttributes {
 		mapStringForAttributes += fmt.Sprintf("%v: %v,", k, this.Attributes[QualifiedName(k)])
@@ -4961,7 +3580,7 @@ func (this *Device) String() string {
 	for k := range this.Capacity {
 		keysForCapacity = append(keysForCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	sort.Strings(keysForCapacity)
 	mapStringForCapacity := "map[QualifiedName]DeviceCapacity{"
 	for _, k := range keysForCapacity {
 		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[QualifiedName(k)])
@@ -5168,7 +3787,7 @@ func (this *DeviceCounterConsumption) String() string {
 	for k := range this.Counters {
 		keysForCounters = append(keysForCounters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForCounters)
+	sort.Strings(keysForCounters)
 	mapStringForCounters := "map[string]Counter{"
 	for _, k := range keysForCounters {
 		mapStringForCounters += fmt.Sprintf("%v: %v,", k, this.Counters[k])
@@ -5211,7 +3830,7 @@ func (this *DeviceRequestAllocationResult) String() string {
 	for k := range this.ConsumedCapacity {
 		keysForConsumedCapacity = append(keysForConsumedCapacity, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForConsumedCapacity)
+	sort.Strings(keysForConsumedCapacity)
 	mapStringForConsumedCapacity := "map[QualifiedName]resource.Quantity{"
 	for _, k := range keysForConsumedCapacity {
 		mapStringForConsumedCapacity += fmt.Sprintf("%v: %v,", k, this.ConsumedCapacity[QualifiedName(k)])
diff --git a/staging/src/k8s.io/api/resource/v1beta2/generated.proto b/staging/src/k8s.io/api/resource/v1beta2/generated.proto
index 213a5615a7bea..76af5aa4e205d 100644
--- a/staging/src/k8s.io/api/resource/v1beta2/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1beta2/generated.proto
@@ -41,7 +41,7 @@ message AllocatedDeviceStatus {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
   optional string driver = 1;
@@ -65,6 +65,8 @@ message AllocatedDeviceStatus {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 7;
 
   // Conditions contains the latest observation of the device's state.
@@ -88,6 +90,7 @@ message AllocatedDeviceStatus {
   // NetworkData contains network-related information specific to the device.
   //
   // +optional
+  // +k8s:optional
   optional NetworkDeviceData networkData = 6;
 }
 
@@ -293,7 +296,7 @@ message Counter {
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -304,12 +307,14 @@ message CounterSet {
   // It must be a DNS label.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string name = 1;
 
   // Counters defines the set of counters for this CounterSet
   // The name of each counter must be unique in that set and must be a DNS label.
   //
-  // The maximum number of counters in all sets is 32.
+  // The maximum number of counters is 32.
   //
   // +required
   map<string, Counter> counters = 2;
@@ -346,14 +351,17 @@ message Device {
   //
   // There can only be a single entry per counterSet.
   //
-  // The total number of device counter consumption entries
-  // must be <= 32. In addition, the total number in the
-  // entire ResourceSlice must be <= 1024 (for example,
-  // 64 devices with 16 counters each).
+  // The maximum number of device counter consumptions per
+  // device is 2.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=counterSet
   // +featureGate=DRAPartitionableDevices
+  // +k8s:maxItems=2
   repeated DeviceCounterConsumption consumesCounters = 4;
 
   // NodeName identifies the node where the device is available.
@@ -390,7 +398,9 @@ message Device {
 
   // If specified, these are the driver-defined taints.
   //
-  // The maximum number of taints is 4.
+  // The maximum number of taints is 16. If taints are set for
+  // any device in a ResourceSlice, then the maximum number of
+  // allowed devices per ResourceSlice is 64 instead of 128.
   //
   // This is an alpha field and requires enabling the DRADeviceTaints
   // feature gate.
@@ -427,6 +437,8 @@ message Device {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 10;
 
   // BindingFailureConditions defines the conditions for binding failure.
@@ -443,6 +455,8 @@ message Device {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 11;
 
   // AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -462,6 +476,7 @@ message DeviceAllocationConfiguration {
   // or from a claim.
   //
   // +required
+  // +k8s:required
   optional string source = 1;
 
   // Requests lists the names of requests where the configuration applies.
@@ -473,6 +488,10 @@ message DeviceAllocationConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 2;
 
   optional DeviceConfiguration deviceConfiguration = 3;
@@ -484,6 +503,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceRequestAllocationResult results = 1;
 
   // This field is a combination of all the claim and class configuration parameters.
@@ -496,6 +517,8 @@ message DeviceAllocationResult {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=64
   repeated DeviceAllocationConfiguration config = 2;
 }
 
@@ -504,26 +527,30 @@ message DeviceAttribute {
   // IntValue is a number.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional int64 int = 2;
 
   // BoolValue is a true/false value.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional bool bool = 3;
 
   // StringValue is a string. Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string string = 4;
 
   // VersionValue is a semantic version according to semver.org spec 2.0.0.
   // Must not be longer than 64 characters.
   //
   // +optional
-  // +oneOf=ValueType
+  // +k8s:optional
+  // +k8s:unionMember
   optional string version = 5;
 }
 
@@ -560,6 +587,11 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=32
   repeated DeviceRequest requests = 1;
 
   // These constraints must be satisfied by the set of devices that get
@@ -567,6 +599,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceConstraint constraints = 2;
 
   // This field holds configuration for multiple potential drivers which
@@ -575,6 +609,8 @@ message DeviceClaim {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClaimConfiguration config = 3;
 }
 
@@ -589,6 +625,10 @@ message DeviceClaimConfiguration {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   optional DeviceConfiguration deviceConfiguration = 2;
@@ -604,6 +644,8 @@ message DeviceClaimConfiguration {
 message DeviceClass {
   // Standard object metadata
   // +optional
+  // +k8s:subfield(name)=+k8s:optional
+  // +k8s:subfield(name)=+k8s:format=k8s-long-name
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // Spec defines what can be allocated and how to configure it.
@@ -639,6 +681,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 1;
 
   // Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -649,6 +693,8 @@ message DeviceClassSpec {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceClassConfiguration config = 2;
 
   // ExtendedResourceName is the extended resource name for the devices of this class.
@@ -663,6 +709,8 @@ message DeviceClassSpec {
   // This is an alpha field.
   // +optional
   // +featureGate=DRAExtendedResource
+  // +k8s:optional
+  // +k8s:format=k8s-extended-resource-name
   optional string extendedResourceName = 4;
 }
 
@@ -674,6 +722,7 @@ message DeviceConfiguration {
   //
   // +optional
   // +oneOf=ConfigurationType
+  // +k8s:optional
   optional OpaqueDeviceConfiguration opaque = 1;
 }
 
@@ -691,6 +740,10 @@ message DeviceConstraint {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=32
   repeated string requests = 1;
 
   // MatchAttribute requires that all devices in question have this
@@ -708,6 +761,8 @@ message DeviceConstraint {
   //
   // +optional
   // +oneOf=ConstraintType
+  // +k8s:optional
+  // +k8s:format=k8s-resource-fully-qualified-name
   optional string matchAttribute = 2;
 
   // DistinctAttribute requires that all devices in question have this
@@ -734,14 +789,13 @@ message DeviceCounterConsumption {
   // counters defined will be consumed.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-short-name
   optional string counterSet = 1;
 
   // Counters defines the counters that will be consumed by the device.
   //
-  // The maximum number counters in a device is 32.
-  // In addition, the maximum number of all counters
-  // in all devices is 1024 (for example, 64 devices with
-  // 16 counters each).
+  // The maximum number of counters is 32.
   //
   // +required
   map<string, Counter> counters = 2;
@@ -773,6 +827,7 @@ message DeviceRequest {
   //
   // +optional
   // +oneOf=deviceRequestType
+  // +k8s:optional
   optional ExactDeviceRequest exactly = 2;
 
   // FirstAvailable contains subrequests, of which exactly one will be
@@ -793,6 +848,11 @@ message DeviceRequest {
   // +oneOf=deviceRequestType
   // +listType=atomic
   // +featureGate=DRAPrioritizedList
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
+  // +k8s:maxItems=8
   repeated DeviceSubRequest firstAvailable = 3;
 }
 
@@ -814,9 +874,11 @@ message DeviceRequestAllocationResult {
   // needed on a node.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:format=k8s-long-name-caseless
+  // +k8s:required
   optional string driver = 2;
 
   // This name together with the driver name and the device name field
@@ -826,6 +888,8 @@ message DeviceRequestAllocationResult {
   // DNS sub-domains separated by slashes.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-resource-pool-name
   optional string pool = 3;
 
   // Device references one device instance via its name in the driver's
@@ -868,6 +932,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingConditions = 7;
 
   // BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -879,6 +945,8 @@ message DeviceRequestAllocationResult {
   // +optional
   // +listType=atomic
   // +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+  // +k8s:optional
+  // +k8s:maxItems=4
   repeated string bindingFailureConditions = 8;
 
   // ShareID uniquely identifies an individual allocation share of the device,
@@ -888,6 +956,8 @@ message DeviceRequestAllocationResult {
   //
   // +optional
   // +featureGate=DRAConsumableCapacity
+  // +k8s:optional
+  // +k8s:format=k8s-uuid
   optional string shareID = 9;
 
   // ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -944,6 +1014,8 @@ message DeviceSubRequest {
   // to reference.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name
   optional string deviceClassName = 2;
 
   // Selectors define criteria which must be satisfied by a specific
@@ -953,6 +1025,8 @@ message DeviceSubRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 3;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -1044,10 +1118,13 @@ message DeviceTaint {
 
   // The effect of the taint on claims that do not tolerate the taint
   // and through such claims on the pods using them.
-  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-  // nodes is not valid here.
+  //
+  // Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here. More effects may get added in the future.
+  // Consumers must treat unknown effects like None.
   //
   // +required
+  // +k8s:required
   optional string effect = 3;
 
   // TimeAdded represents the time at which the taint was added.
@@ -1065,6 +1142,8 @@ message DeviceToleration {
   // Must be a label name.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:format=k8s-label-key
   optional string key = 1;
 
   // Operator represents a key's relationship to the value.
@@ -1124,6 +1203,8 @@ message ExactDeviceRequest {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:maxItems=32
   repeated DeviceSelector selectors = 2;
 
   // AllocationMode and its related fields define how devices are allocated
@@ -1146,6 +1227,7 @@ message ExactDeviceRequest {
   // requests with unknown modes.
   //
   // +optional
+  // +k8s:optional
   optional string allocationMode = 3;
 
   // Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -1221,6 +1303,8 @@ message NetworkDeviceData {
   // Must not be longer than 256 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=256
   optional string interfaceName = 1;
 
   // IPs lists the network addresses assigned to the device's network interface.
@@ -1231,6 +1315,10 @@ message NetworkDeviceData {
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +k8s:listType=atomic
+  // +k8s:unique=set
+  // +k8s:maxItems=16
   repeated string ips = 2;
 
   // HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1238,6 +1326,8 @@ message NetworkDeviceData {
   // Must not be longer than 128 characters.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:maxLength=128
   optional string hardwareAddress = 3;
 }
 
@@ -1251,9 +1341,11 @@ message OpaqueDeviceConfiguration {
   // to decide whether it needs to validate them.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver.
+  // vendor of the driver. It should use only lower case characters.
   //
   // +required
+  // +k8s:required
+  // +k8s:format=k8s-long-name-caseless
   optional string driver = 1;
 
   // Parameters can contain arbitrary data. It is the responsibility of
@@ -1282,6 +1374,7 @@ message ResourceClaim {
 
   // Spec describes what is being requested and how to configure it.
   // The spec is immutable.
+  // +k8s:immutable
   optional ResourceClaimSpec spec = 2;
 
   // Status describes whether the claim is ready to use and what has been allocated.
@@ -1336,6 +1429,8 @@ message ResourceClaimStatus {
   // Allocation is set once the claim has been allocated successfully.
   //
   // +optional
+  // +k8s:optional
+  // +k8s:update=NoModify
   optional AllocationResult allocation = 1;
 
   // ReservedFor indicates which entities are currently allowed to use
@@ -1363,6 +1458,10 @@ message ResourceClaimStatus {
   // +listMapKey=uid
   // +patchStrategy=merge
   // +patchMergeKey=uid
+  // +k8s:optional
+  // +k8s:listType=map
+  // +k8s:listMapKey=uid
+  // +k8s:maxItems=256
   repeated ResourceClaimConsumerReference reservedFor = 2;
 
   // Devices contains the status of each device allocated for this
@@ -1370,12 +1469,18 @@ message ResourceClaimStatus {
   // information. Entries are owned by their respective drivers.
   //
   // +optional
+  // +k8s:optional
   // +listType=map
   // +listMapKey=driver
   // +listMapKey=device
   // +listMapKey=pool
   // +listMapKey=shareID
   // +featureGate=DRAResourceClaimDeviceStatus
+  // +k8s:listType=map
+  // +k8s:listMapKey=driver
+  // +k8s:listMapKey=device
+  // +k8s:listMapKey=pool
+  // +k8s:listMapKey=shareID
   repeated AllocatedDeviceStatus devices = 4;
 }
 
@@ -1509,7 +1614,8 @@ message ResourceSliceSpec {
   // objects with a certain driver name.
   //
   // Must be a DNS subdomain and should end with a DNS domain owned by the
-  // vendor of the driver. This field is immutable.
+  // vendor of the driver. It should use only lower case characters.
+  // This field is immutable.
   //
   // +required
   optional string driver = 1;
@@ -1556,10 +1662,14 @@ message ResourceSliceSpec {
 
   // Devices lists some or all of the devices in this pool.
   //
-  // Must not have more than 128 entries.
+  // Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
   // +optional
   // +listType=atomic
+  // +k8s:optional
+  // +zeroOrOneOf=ResourceSliceType
   repeated Device devices = 6;
 
   // PerDeviceNodeSelection defines whether the access from nodes to
@@ -1577,13 +1687,21 @@ message ResourceSliceSpec {
   // SharedCounters defines a list of counter sets, each of which
   // has a name and a list of counters available.
   //
-  // The names of the SharedCounters must be unique in the ResourceSlice.
+  // The names of the counter sets must be unique in the ResourcePool.
+  //
+  // Only one of Devices and SharedCounters can be set in a ResourceSlice.
   //
-  // The maximum number of counters in all sets is 32.
+  // The maximum number of counter sets is 8.
   //
   // +optional
+  // +k8s:optional
   // +listType=atomic
+  // +k8s:listType=atomic
+  // +k8s:unique=map
+  // +k8s:listMapKey=name
   // +featureGate=DRAPartitionableDevices
+  // +zeroOrOneOf=ResourceSliceType
+  // +k8s:maxItems=8
   repeated CounterSet sharedCounters = 8;
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1beta2/generated.protomessage.pb.go b/staging/src/k8s.io/api/resource/v1beta2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..b6417d18c240f
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1beta2/generated.protomessage.pb.go
@@ -0,0 +1,108 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta2
+
+func (*AllocatedDeviceStatus) ProtoMessage() {}
+
+func (*AllocationResult) ProtoMessage() {}
+
+func (*CELDeviceSelector) ProtoMessage() {}
+
+func (*CapacityRequestPolicy) ProtoMessage() {}
+
+func (*CapacityRequestPolicyRange) ProtoMessage() {}
+
+func (*CapacityRequirements) ProtoMessage() {}
+
+func (*Counter) ProtoMessage() {}
+
+func (*CounterSet) ProtoMessage() {}
+
+func (*Device) ProtoMessage() {}
+
+func (*DeviceAllocationConfiguration) ProtoMessage() {}
+
+func (*DeviceAllocationResult) ProtoMessage() {}
+
+func (*DeviceAttribute) ProtoMessage() {}
+
+func (*DeviceCapacity) ProtoMessage() {}
+
+func (*DeviceClaim) ProtoMessage() {}
+
+func (*DeviceClaimConfiguration) ProtoMessage() {}
+
+func (*DeviceClass) ProtoMessage() {}
+
+func (*DeviceClassConfiguration) ProtoMessage() {}
+
+func (*DeviceClassList) ProtoMessage() {}
+
+func (*DeviceClassSpec) ProtoMessage() {}
+
+func (*DeviceConfiguration) ProtoMessage() {}
+
+func (*DeviceConstraint) ProtoMessage() {}
+
+func (*DeviceCounterConsumption) ProtoMessage() {}
+
+func (*DeviceRequest) ProtoMessage() {}
+
+func (*DeviceRequestAllocationResult) ProtoMessage() {}
+
+func (*DeviceSelector) ProtoMessage() {}
+
+func (*DeviceSubRequest) ProtoMessage() {}
+
+func (*DeviceTaint) ProtoMessage() {}
+
+func (*DeviceToleration) ProtoMessage() {}
+
+func (*ExactDeviceRequest) ProtoMessage() {}
+
+func (*NetworkDeviceData) ProtoMessage() {}
+
+func (*OpaqueDeviceConfiguration) ProtoMessage() {}
+
+func (*ResourceClaim) ProtoMessage() {}
+
+func (*ResourceClaimConsumerReference) ProtoMessage() {}
+
+func (*ResourceClaimList) ProtoMessage() {}
+
+func (*ResourceClaimSpec) ProtoMessage() {}
+
+func (*ResourceClaimStatus) ProtoMessage() {}
+
+func (*ResourceClaimTemplate) ProtoMessage() {}
+
+func (*ResourceClaimTemplateList) ProtoMessage() {}
+
+func (*ResourceClaimTemplateSpec) ProtoMessage() {}
+
+func (*ResourcePool) ProtoMessage() {}
+
+func (*ResourceSlice) ProtoMessage() {}
+
+func (*ResourceSliceList) ProtoMessage() {}
+
+func (*ResourceSliceSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/resource/v1beta2/types.go b/staging/src/k8s.io/api/resource/v1beta2/types.go
index 9fa98abdf2d21..49534348843ce 100644
--- a/staging/src/k8s.io/api/resource/v1beta2/types.go
+++ b/staging/src/k8s.io/api/resource/v1beta2/types.go
@@ -101,7 +101,8 @@ type ResourceSliceSpec struct {
 	// objects with a certain driver name.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver. This field is immutable.
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
@@ -148,11 +149,15 @@ type ResourceSliceSpec struct {
 
 	// Devices lists some or all of the devices in this pool.
 	//
-	// Must not have more than 128 entries.
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
 	//
 	// +optional
 	// +listType=atomic
-	Devices []Device `json:"devices" protobuf:"bytes,6,name=devices"`
+	// +k8s:optional
+	// +zeroOrOneOf=ResourceSliceType
+	Devices []Device `json:"devices,omitempty" protobuf:"bytes,6,name=devices"`
 
 	// PerDeviceNodeSelection defines whether the access from nodes to
 	// resources in the pool is set on the ResourceSlice level or on each
@@ -169,19 +174,27 @@ type ResourceSliceSpec struct {
 	// SharedCounters defines a list of counter sets, each of which
 	// has a name and a list of counters available.
 	//
-	// The names of the SharedCounters must be unique in the ResourceSlice.
+	// The names of the counter sets must be unique in the ResourcePool.
 	//
-	// The maximum number of counters in all sets is 32.
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
 	// +featureGate=DRAPartitionableDevices
+	// +zeroOrOneOf=ResourceSliceType
+	// +k8s:maxItems=8
 	SharedCounters []CounterSet `json:"sharedCounters,omitempty" protobuf:"bytes,8,name=sharedCounters"`
 }
 
 // CounterSet defines a named set of counters
 // that are available to be used by devices defined in the
-// ResourceSlice.
+// ResourcePool.
 //
 // The counters are not allocatable by themselves, but
 // can be referenced by devices. When a device is allocated,
@@ -192,12 +205,14 @@ type CounterSet struct {
 	// It must be a DNS label.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	Name string `json:"name" protobuf:"bytes,1,name=name"`
 
 	// Counters defines the set of counters for this CounterSet
 	// The name of each counter must be unique in that set and must be a DNS label.
 	//
-	// The maximum number of counters in all sets is 32.
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter `json:"counters,omitempty" protobuf:"bytes,2,name=counters"`
@@ -246,13 +261,27 @@ type ResourcePool struct {
 
 const ResourceSliceMaxSharedCapacity = 128
 const ResourceSliceMaxDevices = 128
+const ResourceSliceMaxDevicesWithTaintsOrConsumesCounters = 64
 const PoolNameMaxLength = validation.DNS1123SubdomainMaxLength // Same as for a single node name.
 const BindingConditionsMaxSize = 4
 const BindingFailureConditionsMaxSize = 4
 
-// Defines the max number of shared counters that can be specified
-// in a ResourceSlice. The number is summed up across all sets.
-const ResourceSliceMaxSharedCounters = 32
+// Defines the maximum number of counter sets (through the
+// SharedCounters field) that can be defined in a ResourceSlice.
+const ResourceSliceMaxCounterSets = 8
+
+// Defines the maximum number of counters that can be defined
+// in a counter set.
+const ResourceSliceMaxCountersPerCounterSet = 32
+
+// Defines the maximum number of device counter consumptions
+// (through the ConsumesCounters field) that can be defined per
+// device.
+const ResourceSliceMaxDeviceCounterConsumptionsPerDevice = 2
+
+// Defines the maximum number of counters that can be defined
+// per device counter consumption.
+const ResourceSliceMaxCountersPerDeviceCounterConsumption = 32
 
 // Device represents one individual hardware instance that can be selected based
 // on its attributes. Besides the name, exactly one field must be set.
@@ -285,14 +314,17 @@ type Device struct {
 	//
 	// There can only be a single entry per counterSet.
 	//
-	// The total number of device counter consumption entries
-	// must be <= 32. In addition, the total number in the
-	// entire ResourceSlice must be <= 1024 (for example,
-	// 64 devices with 16 counters each).
+	// The maximum number of device counter consumptions per
+	// device is 2.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=atomic
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=counterSet
 	// +featureGate=DRAPartitionableDevices
+	// +k8s:maxItems=2
 	ConsumesCounters []DeviceCounterConsumption `json:"consumesCounters,omitempty" protobuf:"bytes,4,rep,name=consumesCounters"`
 
 	// NodeName identifies the node where the device is available.
@@ -329,7 +361,9 @@ type Device struct {
 
 	// If specified, these are the driver-defined taints.
 	//
-	// The maximum number of taints is 4.
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
 	//
 	// This is an alpha field and requires enabling the DRADeviceTaints
 	// feature gate.
@@ -366,6 +400,8 @@ type Device struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,10,rep,name=bindingConditions"`
 
 	// BindingFailureConditions defines the conditions for binding failure.
@@ -382,6 +418,8 @@ type Device struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,11,rep,name=bindingFailureConditions"`
 
 	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
@@ -401,14 +439,13 @@ type DeviceCounterConsumption struct {
 	// counters defined will be consumed.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-short-name
 	CounterSet string `json:"counterSet" protobuf:"bytes,1,opt,name=counterSet"`
 
 	// Counters defines the counters that will be consumed by the device.
 	//
-	// The maximum number counters in a device is 32.
-	// In addition, the maximum number of all counters
-	// in all devices is 1024 (for example, 64 devices with
-	// 16 counters each).
+	// The maximum number of counters is 32.
 	//
 	// +required
 	Counters map[string]Counter `json:"counters,omitempty" protobuf:"bytes,2,opt,name=counters"`
@@ -531,14 +568,6 @@ type CapacityRequestPolicyRange struct {
 // Limit for the sum of the number of entries in both attributes and capacity.
 const ResourceSliceMaxAttributesAndCapacitiesPerDevice = 32
 
-// Limit for the total number of counters in each device.
-const ResourceSliceMaxCountersPerDevice = 32
-
-// Limit for the total number of counters defined in devices in
-// a ResourceSlice. We want to allow up to 64 devices to specify
-// up to 16 counters, so the limit for the ResourceSlice will be 1024.
-const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
-
 // QualifiedName is the name of a device attribute or capacity.
 //
 // Attributes and capacities are defined either by the owner of the specific
@@ -558,6 +587,9 @@ const ResourceSliceMaxDeviceCountersPerSlice = 1024 // 64 * 16
 type QualifiedName string
 
 // FullyQualifiedName is a QualifiedName where the domain is set.
+// Format validation cannot be added to this type because one of its usages,
+// DistinctAttribute, is validated conditionally. This conditional validation
+// cannot be expressed declaratively.
 type FullyQualifiedName string
 
 // DeviceMaxDomainLength is the maximum length of the domain prefix in a fully-qualified name.
@@ -575,34 +607,38 @@ type DeviceAttribute struct {
 	// IntValue is a number.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	IntValue *int64 `json:"int,omitempty" protobuf:"varint,2,opt,name=int"`
 
 	// BoolValue is a true/false value.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	BoolValue *bool `json:"bool,omitempty" protobuf:"varint,3,opt,name=bool"`
 
 	// StringValue is a string. Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	StringValue *string `json:"string,omitempty" protobuf:"bytes,4,opt,name=string"`
 
 	// VersionValue is a semantic version according to semver.org spec 2.0.0.
 	// Must not be longer than 64 characters.
 	//
 	// +optional
-	// +oneOf=ValueType
+	// +k8s:optional
+	// +k8s:unionMember
 	VersionValue *string `json:"version,omitempty" protobuf:"bytes,5,opt,name=version"`
 }
 
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
-// DeviceTaintsMaxLength is the maximum number of taints per device.
-const DeviceTaintsMaxLength = 4
+// DeviceTaintsMaxLength is the maximum number of taints per Device.
+const DeviceTaintsMaxLength = 16
 
 // The device this taint is attached to has the "effect" on
 // any claim which does not tolerate the taint and, through the claim,
@@ -624,16 +660,27 @@ type DeviceTaint struct {
 
 	// The effect of the taint on claims that do not tolerate the taint
 	// and through such claims on the pods using them.
-	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
-	// nodes is not valid here.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
 	//
 	// +required
+	// +k8s:required
 	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
 
 	// ^^^^
 	//
 	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
 	// It might get added as part of that.
+	//
+	// A possible future new effect is NoExecuteWithPodDisruptionBudget:
+	// honor the pod disruption budget instead of simply deleting pods.
+	// This is currently undecided, it could also be a separate field.
+	//
+	// Validation must be prepared to allow unknown enums in stored objects,
+	// which will enable adding new enums within a single release without
+	// ratcheting.
 
 	// TimeAdded represents the time at which the taint was added.
 	// Added automatically during create or update if not set.
@@ -649,9 +696,13 @@ type DeviceTaint struct {
 }
 
 // +enum
+// +k8s:enum
 type DeviceTaintEffect string
 
 const (
+	// No effect, the taint is purely informational.
+	DeviceTaintEffectNone DeviceTaintEffect = "None"
+
 	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
 	// but allow all pods submitted to Kubelet without going through the scheduler
 	// to start, and allow all already-running pods to continue running.
@@ -678,6 +729,7 @@ type ResourceSliceList struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.33
+// +k8s:supportsSubresource=/status
 
 // ResourceClaim describes a request for access to resources in the cluster,
 // for use by workloads. For example, if a workload needs an accelerator device
@@ -695,6 +747,7 @@ type ResourceClaim struct {
 
 	// Spec describes what is being requested and how to configure it.
 	// The spec is immutable.
+	// +k8s:immutable
 	Spec ResourceClaimSpec `json:"spec" protobuf:"bytes,2,name=spec"`
 
 	// Status describes whether the claim is ready to use and what has been allocated.
@@ -722,6 +775,11 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=32
 	Requests []DeviceRequest `json:"requests" protobuf:"bytes,1,name=requests"`
 
 	// These constraints must be satisfied by the set of devices that get
@@ -729,6 +787,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Constraints []DeviceConstraint `json:"constraints,omitempty" protobuf:"bytes,2,opt,name=constraints"`
 
 	// This field holds configuration for multiple potential drivers which
@@ -737,6 +797,8 @@ type DeviceClaim struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClaimConfiguration `json:"config,omitempty" protobuf:"bytes,3,opt,name=config"`
 
 	// Potential future extension, ignored by older schedulers. This is
@@ -787,6 +849,7 @@ type DeviceRequest struct {
 	//
 	// +optional
 	// +oneOf=deviceRequestType
+	// +k8s:optional
 	Exactly *ExactDeviceRequest `json:"exactly,omitempty" protobuf:"bytes,2,name=exactly"`
 
 	// FirstAvailable contains subrequests, of which exactly one will be
@@ -807,6 +870,11 @@ type DeviceRequest struct {
 	// +oneOf=deviceRequestType
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=name
+	// +k8s:maxItems=8
 	FirstAvailable []DeviceSubRequest `json:"firstAvailable,omitempty" protobuf:"bytes,3,name=firstAvailable"`
 }
 
@@ -834,6 +902,8 @@ type ExactDeviceRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,2,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -856,6 +926,7 @@ type ExactDeviceRequest struct {
 	// requests with unknown modes.
 	//
 	// +optional
+	// +k8s:optional
 	AllocationMode DeviceAllocationMode `json:"allocationMode,omitempty" protobuf:"bytes,3,opt,name=allocationMode"`
 
 	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
@@ -951,6 +1022,8 @@ type DeviceSubRequest struct {
 	// to reference.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name
 	DeviceClassName string `json:"deviceClassName" protobuf:"bytes,2,name=deviceClassName"`
 
 	// Selectors define criteria which must be satisfied by a specific
@@ -960,6 +1033,8 @@ type DeviceSubRequest struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,3,name=selectors"`
 
 	// AllocationMode and its related fields define how devices are allocated
@@ -1066,6 +1141,8 @@ const (
 	DeviceTolerationsMaxLength         = 16
 )
 
+// +enum
+// +k8s:enum
 type DeviceAllocationMode string
 
 // Valid [DeviceRequest.CountMode] values.
@@ -1184,6 +1261,10 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	// MatchAttribute requires that all devices in question have this
@@ -1201,6 +1282,8 @@ type DeviceConstraint struct {
 	//
 	// +optional
 	// +oneOf=ConstraintType
+	// +k8s:optional
+	// +k8s:format=k8s-resource-fully-qualified-name
 	MatchAttribute *FullyQualifiedName `json:"matchAttribute,omitempty" protobuf:"bytes,2,opt,name=matchAttribute"`
 
 	// Potential future extension, not part of the current design:
@@ -1241,6 +1324,10 @@ type DeviceClaimConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,1,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,2,name=deviceConfiguration"`
@@ -1254,6 +1341,7 @@ type DeviceConfiguration struct {
 	//
 	// +optional
 	// +oneOf=ConfigurationType
+	// +k8s:optional
 	Opaque *OpaqueDeviceConfiguration `json:"opaque,omitempty" protobuf:"bytes,1,opt,name=opaque"`
 }
 
@@ -1267,9 +1355,11 @@ type OpaqueDeviceConfiguration struct {
 	// to decide whether it needs to validate them.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-long-name-caseless
 	Driver string `json:"driver" protobuf:"bytes,1,name=driver"`
 
 	// Parameters can contain arbitrary data. It is the responsibility of
@@ -1295,6 +1385,8 @@ type DeviceToleration struct {
 	// Must be a label name.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:format=k8s-label-key
 	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
 
 	// Operator represents a key's relationship to the value.
@@ -1333,6 +1425,7 @@ type DeviceToleration struct {
 // A toleration operator is the set of operators that can be used in a toleration.
 //
 // +enum
+// +k8s:enum
 type DeviceTolerationOperator string
 
 const (
@@ -1346,6 +1439,8 @@ type ResourceClaimStatus struct {
 	// Allocation is set once the claim has been allocated successfully.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:update=NoModify
 	Allocation *AllocationResult `json:"allocation,omitempty" protobuf:"bytes,1,opt,name=allocation"`
 
 	// ReservedFor indicates which entities are currently allowed to use
@@ -1373,6 +1468,10 @@ type ResourceClaimStatus struct {
 	// +listMapKey=uid
 	// +patchStrategy=merge
 	// +patchMergeKey=uid
+	// +k8s:optional
+	// +k8s:listType=map
+	// +k8s:listMapKey=uid
+	// +k8s:maxItems=256
 	ReservedFor []ResourceClaimConsumerReference `json:"reservedFor,omitempty" protobuf:"bytes,2,opt,name=reservedFor" patchStrategy:"merge" patchMergeKey:"uid"`
 
 	// DeallocationRequested is tombstoned since Kubernetes 1.32 where
@@ -1385,12 +1484,18 @@ type ResourceClaimStatus struct {
 	// information. Entries are owned by their respective drivers.
 	//
 	// +optional
+	// +k8s:optional
 	// +listType=map
 	// +listMapKey=driver
 	// +listMapKey=device
 	// +listMapKey=pool
 	// +listMapKey=shareID
 	// +featureGate=DRAResourceClaimDeviceStatus
+	// +k8s:listType=map
+	// +k8s:listMapKey=driver
+	// +k8s:listMapKey=device
+	// +k8s:listMapKey=pool
+	// +k8s:listMapKey=shareID
 	Devices []AllocatedDeviceStatus `json:"devices,omitempty" protobuf:"bytes,4,opt,name=devices"`
 }
 
@@ -1453,6 +1558,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Results []DeviceRequestAllocationResult `json:"results,omitempty" protobuf:"bytes,1,opt,name=results"`
 
 	// This field is a combination of all the claim and class configuration parameters.
@@ -1465,6 +1572,8 @@ type DeviceAllocationResult struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=64
 	Config []DeviceAllocationConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 }
 
@@ -1490,9 +1599,11 @@ type DeviceRequestAllocationResult struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
+	// +k8s:format=k8s-long-name-caseless
+	// +k8s:required
 	Driver string `json:"driver" protobuf:"bytes,2,name=driver"`
 
 	// This name together with the driver name and the device name field
@@ -1502,6 +1613,8 @@ type DeviceRequestAllocationResult struct {
 	// DNS sub-domains separated by slashes.
 	//
 	// +required
+	// +k8s:required
+	// +k8s:format=k8s-resource-pool-name
 	Pool string `json:"pool" protobuf:"bytes,3,name=pool"`
 
 	// Device references one device instance via its name in the driver's
@@ -1544,6 +1657,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingConditions []string `json:"bindingConditions,omitempty" protobuf:"bytes,7,rep,name=bindingConditions"`
 
 	// BindingFailureConditions contains a copy of the BindingFailureConditions
@@ -1555,6 +1670,8 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +listType=atomic
 	// +featureGate=DRADeviceBindingConditions,DRAResourceClaimDeviceStatus
+	// +k8s:optional
+	// +k8s:maxItems=4
 	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty" protobuf:"bytes,8,rep,name=bindingFailureConditions"`
 
 	// ShareID uniquely identifies an individual allocation share of the device,
@@ -1564,6 +1681,8 @@ type DeviceRequestAllocationResult struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *types.UID `json:"shareID,omitempty" protobuf:"bytes,9,opt,name=shareID"`
 
 	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
@@ -1587,6 +1706,7 @@ type DeviceAllocationConfiguration struct {
 	// or from a claim.
 	//
 	// +required
+	// +k8s:required
 	Source AllocationConfigSource `json:"source" protobuf:"bytes,1,name=source"`
 
 	// Requests lists the names of requests where the configuration applies.
@@ -1598,17 +1718,23 @@ type DeviceAllocationConfiguration struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=32
 	Requests []string `json:"requests,omitempty" protobuf:"bytes,2,opt,name=requests"`
 
 	DeviceConfiguration `json:",inline" protobuf:"bytes,3,name=deviceConfiguration"`
 }
 
+// +enum
+// +k8s:enum
 type AllocationConfigSource string
 
 // Valid [DeviceAllocationConfiguration.Source] values.
 const (
-	AllocationConfigSourceClass = "FromClass"
-	AllocationConfigSourceClaim = "FromClaim"
+	AllocationConfigSourceClass AllocationConfigSource = "FromClass"
+	AllocationConfigSourceClaim AllocationConfigSource = "FromClaim"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
@@ -1641,6 +1767,8 @@ type DeviceClass struct {
 	metav1.TypeMeta `json:",inline"`
 	// Standard object metadata
 	// +optional
+	// +k8s:subfield(name)=+k8s:optional
+	// +k8s:subfield(name)=+k8s:format=k8s-long-name
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// Spec defines what can be allocated and how to configure it.
@@ -1661,6 +1789,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,1,opt,name=selectors"`
 
 	// Config defines configuration parameters that apply to each device that is claimed via this class.
@@ -1671,6 +1801,8 @@ type DeviceClassSpec struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:maxItems=32
 	Config []DeviceClassConfiguration `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
 
 	// SuitableNodes is tombstoned since Kubernetes 1.32 where
@@ -1690,6 +1822,8 @@ type DeviceClassSpec struct {
 	// This is an alpha field.
 	// +optional
 	// +featureGate=DRAExtendedResource
+	// +k8s:optional
+	// +k8s:format=k8s-extended-resource-name
 	ExtendedResourceName *string `json:"extendedResourceName,omitempty" protobuf:"bytes,4,opt,name=extendedResourceName"`
 }
 
@@ -1791,7 +1925,7 @@ type AllocatedDeviceStatus struct {
 	// needed on a node.
 	//
 	// Must be a DNS subdomain and should end with a DNS domain owned by the
-	// vendor of the driver.
+	// vendor of the driver. It should use only lower case characters.
 	//
 	// +required
 	Driver string `json:"driver" protobuf:"bytes,1,rep,name=driver"`
@@ -1815,6 +1949,8 @@ type AllocatedDeviceStatus struct {
 	//
 	// +optional
 	// +featureGate=DRAConsumableCapacity
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
 	ShareID *string `json:"shareID,omitempty" protobuf:"bytes,7,opt,name=shareID"`
 
 	// Conditions contains the latest observation of the device's state.
@@ -1838,6 +1974,7 @@ type AllocatedDeviceStatus struct {
 	// NetworkData contains network-related information specific to the device.
 	//
 	// +optional
+	// +k8s:optional
 	NetworkData *NetworkDeviceData `json:"networkData,omitempty" protobuf:"bytes,6,opt,name=networkData"`
 }
 
@@ -1852,6 +1989,8 @@ type NetworkDeviceData struct {
 	// Must not be longer than 256 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=256
 	InterfaceName string `json:"interfaceName,omitempty" protobuf:"bytes,1,opt,name=interfaceName"`
 
 	// IPs lists the network addresses assigned to the device's network interface.
@@ -1862,6 +2001,10 @@ type NetworkDeviceData struct {
 	//
 	// +optional
 	// +listType=atomic
+	// +k8s:optional
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	// +k8s:maxItems=16
 	IPs []string `json:"ips,omitempty" protobuf:"bytes,2,opt,name=ips"`
 
 	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
@@ -1869,5 +2012,7 @@ type NetworkDeviceData struct {
 	// Must not be longer than 128 characters.
 	//
 	// +optional
+	// +k8s:optional
+	// +k8s:maxLength=128
 	HardwareAddress string `json:"hardwareAddress,omitempty" protobuf:"bytes,3,opt,name=hardwareAddress"`
 }
diff --git a/staging/src/k8s.io/api/resource/v1beta2/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1beta2/types_swagger_doc_generated.go
index c390ad21d96ad..a086f9bf23ee0 100644
--- a/staging/src/k8s.io/api/resource/v1beta2/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1beta2/types_swagger_doc_generated.go
@@ -29,7 +29,7 @@ package v1beta2
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
 var map_AllocatedDeviceStatus = map[string]string{
 	"":            "AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. This may include driver-specific information.\n\nThe combination of Driver, Pool, Device, and ShareID must match the corresponding key in Status.Allocation.Devices.",
-	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":      "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":        "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":      "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"shareID":     "ShareID uniquely identifies an individual allocation share of the device.",
@@ -103,9 +103,9 @@ func (Counter) SwaggerDoc() map[string]string {
 }
 
 var map_CounterSet = map[string]string{
-	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
+	"":         "CounterSet defines a named set of counters that are available to be used by devices defined in the ResourcePool.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.",
 	"name":     "Name defines the name of the counter set. It must be a DNS label.",
-	"counters": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters in all sets is 32.",
+	"counters": "Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.",
 }
 
 func (CounterSet) SwaggerDoc() map[string]string {
@@ -117,11 +117,11 @@ var map_Device = map[string]string{
 	"name":                     "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.",
 	"attributes":               "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
 	"capacity":                 "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
-	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe total number of device counter consumption entries must be <= 32. In addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices with 16 counters each).",
+	"consumesCounters":         "ConsumesCounters defines a list of references to sharedCounters and the set of counters that the device will consume from those counter sets.\n\nThere can only be a single entry per counterSet.\n\nThe maximum number of device counter consumptions per device is 2.",
 	"nodeName":                 "NodeName identifies the node where the device is available.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"nodeSelector":             "NodeSelector defines the nodes where the device is available.\n\nMust use exactly one term.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
 	"allNodes":                 "AllNodes indicates that all nodes have access to the device.\n\nMust only be set if Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can be set.",
-	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 4.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+	"taints":                   "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 16. If taints are set for any device in a ResourceSlice, then the maximum number of allowed devices per ResourceSlice is 64 instead of 128.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 	"bindsToNode":              "BindsToNode indicates if the usage of an allocation involving this device has to be limited to exactly the node that was chosen when allocating the claim. If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector to match the node where the allocation was made.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingConditions":        "BindingConditions defines the conditions for proceeding with binding. All of these conditions must be set in the per-device status conditions with a value of True to proceed with binding the pod to the node while scheduling the pod.\n\nThe maximum number of binding conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
 	"bindingFailureConditions": "BindingFailureConditions defines the conditions for binding failure. They may be set in the per-device status conditions. If any is set to \"True\", a binding failure occurred.\n\nThe maximum number of binding failure conditions is 4.\n\nThe conditions must be a valid condition type string.\n\nThis is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus feature gates.",
@@ -256,7 +256,7 @@ func (DeviceConstraint) SwaggerDoc() map[string]string {
 var map_DeviceCounterConsumption = map[string]string{
 	"":           "DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.",
 	"counterSet": "CounterSet is the name of the set from which the counters defined will be consumed.",
-	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).",
+	"counters":   "Counters defines the counters that will be consumed by the device.\n\nThe maximum number of counters is 32.",
 }
 
 func (DeviceCounterConsumption) SwaggerDoc() map[string]string {
@@ -277,7 +277,7 @@ func (DeviceRequest) SwaggerDoc() map[string]string {
 var map_DeviceRequestAllocationResult = map[string]string{
 	"":                         "DeviceRequestAllocationResult contains the allocation result for one request.",
 	"request":                  "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
-	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":                   "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"pool":                     "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":                   "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"adminAccess":              "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
@@ -320,7 +320,7 @@ var map_DeviceTaint = map[string]string{
 	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
 	"key":       "The taint key to be applied to a device. Must be a label name.",
 	"value":     "The taint value corresponding to the taint key. Must be a label value.",
-	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them.\n\nValid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here. More effects may get added in the future. Consumers must treat unknown effects like None.",
 	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
 }
 
@@ -369,7 +369,7 @@ func (NetworkDeviceData) SwaggerDoc() map[string]string {
 
 var map_OpaqueDeviceConfiguration = map[string]string{
 	"":           "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.",
-	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.",
+	"driver":     "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters.",
 	"parameters": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki.",
 }
 
@@ -493,14 +493,14 @@ func (ResourceSliceList) SwaggerDoc() map[string]string {
 
 var map_ResourceSliceSpec = map[string]string{
 	"":                       "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.",
-	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.",
+	"driver":                 "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. It should use only lower case characters. This field is immutable.",
 	"pool":                   "Pool describes the pool that this ResourceSlice belongs to.",
 	"nodeName":               "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.",
 	"nodeSelector":           "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
 	"allNodes":               "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.",
+	"devices":                "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.",
 	"perDeviceNodeSelection": "PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.",
-	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of counters in all sets is 32.",
+	"sharedCounters":         "SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the counter sets must be unique in the ResourcePool.\n\nOnly one of Devices and SharedCounters can be set in a ResourceSlice.\n\nThe maximum number of counter sets is 8.",
 }
 
 func (ResourceSliceSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/resource/v1beta2/zz_generated.model_name.go b/staging/src/k8s.io/api/resource/v1beta2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..0518ff73ce919
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1beta2/zz_generated.model_name.go
@@ -0,0 +1,237 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocatedDeviceStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.AllocatedDeviceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.AllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CELDeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.CELDeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.CapacityRequestPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequestPolicyRange) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.CapacityRequestPolicyRange"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CapacityRequirements) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.CapacityRequirements"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Counter) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.Counter"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CounterSet) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.CounterSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Device) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.Device"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceAllocationConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceAttribute) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceAttribute"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClaimConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClaimConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClass) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClassConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceClassSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceClassSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceConstraint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceConstraint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceCounterConsumption) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceCounterConsumption"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceRequestAllocationResult) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceRequestAllocationResult"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSelector) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceSubRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceSubRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaint) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceTaint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceToleration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.DeviceToleration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExactDeviceRequest) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ExactDeviceRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NetworkDeviceData) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.NetworkDeviceData"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in OpaqueDeviceConfiguration) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.OpaqueDeviceConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaim) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaim"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimConsumerReference) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimConsumerReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimStatus) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplate) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimTemplate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimTemplateList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceClaimTemplateSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceClaimTemplateSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourcePool) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourcePool"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSlice) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceSlice"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceList) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceSliceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSliceSpec) OpenAPIModelName() string {
+	return "io.k8s.api.resource.v1beta2.ResourceSliceSpec"
+}
diff --git a/staging/src/k8s.io/api/roundtrip_test.go b/staging/src/k8s.io/api/roundtrip_test.go
index 630b77d25e5b4..e8aac998c0dbe 100644
--- a/staging/src/k8s.io/api/roundtrip_test.go
+++ b/staging/src/k8s.io/api/roundtrip_test.go
@@ -78,7 +78,7 @@ import (
 	storagev1 "k8s.io/api/storage/v1"
 	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 
 	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
 	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
@@ -146,7 +146,7 @@ var groups = []runtime.SchemeBuilder{
 	storagev1alpha1.SchemeBuilder,
 	storagev1beta1.SchemeBuilder,
 	storagev1.SchemeBuilder,
-	svmv1alpha1.SchemeBuilder,
+	svmv1beta1.SchemeBuilder,
 }
 
 func TestRoundTripExternalTypes(t *testing.T) {
diff --git a/staging/src/k8s.io/api/scheduling/OWNERS b/staging/src/k8s.io/api/scheduling/OWNERS
new file mode 100644
index 0000000000000..0c9596d13a877
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers:
+  - sig-scheduling-maintainers
+  - sig-scheduling
+labels:
+  - sig/scheduling
diff --git a/staging/src/k8s.io/api/scheduling/v1/doc.go b/staging/src/k8s.io/api/scheduling/v1/doc.go
index c587bee9ea53b..8fee2e90bb616 100644
--- a/staging/src/k8s.io/api/scheduling/v1/doc.go
+++ b/staging/src/k8s.io/api/scheduling/v1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.scheduling.v1
+
 // +groupName=scheduling.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/api/scheduling/v1/generated.pb.go b/staging/src/k8s.io/api/scheduling/v1/generated.pb.go
index 6fef1a9379abc..752e559eafb33 100644
--- a/staging/src/k8s.io/api/scheduling/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/scheduling/v1/generated.pb.go
@@ -24,125 +24,16 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *PriorityClass) Reset() { *m = PriorityClass{} }
 
-func (m *PriorityClass) Reset()      { *m = PriorityClass{} }
-func (*PriorityClass) ProtoMessage() {}
-func (*PriorityClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3f12bd05064e996e, []int{0}
-}
-func (m *PriorityClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClass.Merge(m, src)
-}
-func (m *PriorityClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityClass proto.InternalMessageInfo
-
-func (m *PriorityClassList) Reset()      { *m = PriorityClassList{} }
-func (*PriorityClassList) ProtoMessage() {}
-func (*PriorityClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3f12bd05064e996e, []int{1}
-}
-func (m *PriorityClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClassList.Merge(m, src)
-}
-func (m *PriorityClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityClassList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*PriorityClass)(nil), "k8s.io.api.scheduling.v1.PriorityClass")
-	proto.RegisterType((*PriorityClassList)(nil), "k8s.io.api.scheduling.v1.PriorityClassList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/scheduling/v1/generated.proto", fileDescriptor_3f12bd05064e996e)
-}
-
-var fileDescriptor_3f12bd05064e996e = []byte{
-	// 476 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x93, 0x3f, 0x8f, 0xd3, 0x30,
-	0x18, 0xc6, 0xe3, 0x1e, 0x91, 0x8a, 0xab, 0x4a, 0x25, 0x08, 0x29, 0xea, 0xe0, 0x46, 0xbd, 0x81,
-	0x2c, 0xd8, 0xf4, 0x04, 0x08, 0xe9, 0x24, 0x86, 0x70, 0x12, 0x42, 0x3a, 0x44, 0x95, 0x81, 0x01,
-	0x31, 0xe0, 0xa6, 0x3e, 0xd7, 0x34, 0x89, 0x23, 0xdb, 0xa9, 0xd4, 0x8d, 0x8f, 0xc0, 0x37, 0x62,
-	0xed, 0x78, 0xe3, 0x4d, 0x15, 0x0d, 0x1f, 0x81, 0x8d, 0x09, 0x25, 0x2d, 0x97, 0xfe, 0xb9, 0x0a,
-	0xb6, 0xbc, 0xef, 0xfb, 0xfc, 0x1e, 0xdb, 0x4f, 0x6c, 0xe8, 0x4f, 0x5f, 0x6a, 0x2c, 0x24, 0xa1,
-	0x99, 0x20, 0x3a, 0x9a, 0xb0, 0x71, 0x1e, 0x8b, 0x94, 0x93, 0xd9, 0x80, 0x70, 0x96, 0x32, 0x45,
-	0x0d, 0x1b, 0xe3, 0x4c, 0x49, 0x23, 0x1d, 0x77, 0xad, 0xc4, 0x34, 0x13, 0xb8, 0x56, 0xe2, 0xd9,
-	0xa0, 0xfb, 0x84, 0x0b, 0x33, 0xc9, 0x47, 0x38, 0x92, 0x09, 0xe1, 0x92, 0x4b, 0x52, 0x01, 0xa3,
-	0xfc, 0xaa, 0xaa, 0xaa, 0xa2, 0xfa, 0x5a, 0x1b, 0x75, 0xfb, 0x5b, 0x4b, 0x46, 0x52, 0xb1, 0x3b,
-	0x16, 0xeb, 0x3e, 0xab, 0x35, 0x09, 0x8d, 0x26, 0x22, 0x65, 0x6a, 0x4e, 0xb2, 0x29, 0x2f, 0x1b,
-	0x9a, 0x24, 0xcc, 0xd0, 0xbb, 0x28, 0x72, 0x8c, 0x52, 0x79, 0x6a, 0x44, 0xc2, 0x0e, 0x80, 0x17,
-	0xff, 0x02, 0xca, 0x83, 0x26, 0x74, 0x9f, 0xeb, 0xff, 0x6a, 0xc0, 0xf6, 0x50, 0x09, 0xa9, 0x84,
-	0x99, 0xbf, 0x8e, 0xa9, 0xd6, 0xce, 0x67, 0xd8, 0x2c, 0x77, 0x35, 0xa6, 0x86, 0xba, 0xc0, 0x03,
-	0x7e, 0xeb, 0xec, 0x29, 0xae, 0x03, 0xbb, 0x35, 0xc7, 0xd9, 0x94, 0x97, 0x0d, 0x8d, 0x4b, 0x35,
-	0x9e, 0x0d, 0xf0, 0xfb, 0xd1, 0x17, 0x16, 0x99, 0x77, 0xcc, 0xd0, 0xc0, 0x59, 0x2c, 0x7b, 0x56,
-	0xb1, 0xec, 0xc1, 0xba, 0x17, 0xde, 0xba, 0x3a, 0xa7, 0xd0, 0x9e, 0xd1, 0x38, 0x67, 0x6e, 0xc3,
-	0x03, 0xbe, 0x1d, 0xb4, 0x37, 0x62, 0xfb, 0x43, 0xd9, 0x0c, 0xd7, 0x33, 0xe7, 0x1c, 0xb6, 0x79,
-	0x2c, 0x47, 0x34, 0xbe, 0x60, 0x57, 0x34, 0x8f, 0x8d, 0x7b, 0xe2, 0x01, 0xbf, 0x19, 0x3c, 0xda,
-	0x88, 0xdb, 0x6f, 0xb6, 0x87, 0xe1, 0xae, 0xd6, 0x79, 0x0e, 0x5b, 0x63, 0xa6, 0x23, 0x25, 0x32,
-	0x23, 0x64, 0xea, 0xde, 0xf3, 0x80, 0x7f, 0x3f, 0x78, 0xb8, 0x41, 0x5b, 0x17, 0xf5, 0x28, 0xdc,
-	0xd6, 0x39, 0x1c, 0x76, 0x32, 0xc5, 0x58, 0x52, 0x55, 0x43, 0x19, 0x8b, 0x68, 0xee, 0xda, 0x15,
-	0x7b, 0x5e, 0x2c, 0x7b, 0x9d, 0xe1, 0xde, 0xec, 0xf7, 0xb2, 0x77, 0x7a, 0x78, 0x03, 0xf0, 0xbe,
-	0x2c, 0x3c, 0x30, 0xed, 0x7f, 0x07, 0xf0, 0xc1, 0x4e, 0xea, 0x97, 0x42, 0x1b, 0xe7, 0xd3, 0x41,
-	0xf2, 0xf8, 0xff, 0x92, 0x2f, 0xe9, 0x2a, 0xf7, 0xce, 0xe6, 0x88, 0xcd, 0xbf, 0x9d, 0xad, 0xd4,
-	0x2f, 0xa1, 0x2d, 0x0c, 0x4b, 0xb4, 0xdb, 0xf0, 0x4e, 0xfc, 0xd6, 0xd9, 0x63, 0x7c, 0xec, 0x15,
-	0xe0, 0x9d, 0x9d, 0xd5, 0xbf, 0xe7, 0x6d, 0x49, 0x87, 0x6b, 0x93, 0xe0, 0xd5, 0x62, 0x85, 0xac,
-	0xeb, 0x15, 0xb2, 0x6e, 0x56, 0xc8, 0xfa, 0x5a, 0x20, 0xb0, 0x28, 0x10, 0xb8, 0x2e, 0x10, 0xb8,
-	0x29, 0x10, 0xf8, 0x51, 0x20, 0xf0, 0xed, 0x27, 0xb2, 0x3e, 0xba, 0xc7, 0xde, 0xe4, 0x9f, 0x00,
-	0x00, 0x00, 0xff, 0xff, 0x9a, 0x3d, 0x5f, 0x2e, 0xae, 0x03, 0x00, 0x00,
-}
+func (m *PriorityClassList) Reset() { *m = PriorityClassList{} }
 
 func (m *PriorityClass) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/scheduling/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/scheduling/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..261d4903e7b25
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1/generated.protomessage.pb.go
@@ -0,0 +1,26 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*PriorityClass) ProtoMessage() {}
+
+func (*PriorityClassList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/scheduling/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/scheduling/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..a5cc1d1120e20
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClass) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1.PriorityClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClassList) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1.PriorityClassList"
+}
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/doc.go b/staging/src/k8s.io/api/scheduling/v1alpha1/doc.go
index 476ab6f66c1ce..2b6182e86488f 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.api.scheduling.v1alpha1
 
 // +groupName=scheduling.k8s.io
 
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.pb.go
index 83e504b5a33a0..64c39b4c35d1a 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.pb.go
@@ -24,124 +24,165 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *BasicSchedulingPolicy) Reset() { *m = BasicSchedulingPolicy{} }
+
+func (m *GangSchedulingPolicy) Reset() { *m = GangSchedulingPolicy{} }
+
+func (m *PodGroup) Reset() { *m = PodGroup{} }
+
+func (m *PodGroupPolicy) Reset() { *m = PodGroupPolicy{} }
+
+func (m *PriorityClass) Reset() { *m = PriorityClass{} }
+
+func (m *PriorityClassList) Reset() { *m = PriorityClassList{} }
+
+func (m *TypedLocalObjectReference) Reset() { *m = TypedLocalObjectReference{} }
+
+func (m *Workload) Reset() { *m = Workload{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *WorkloadList) Reset() { *m = WorkloadList{} }
+
+func (m *WorkloadSpec) Reset() { *m = WorkloadSpec{} }
+
+func (m *BasicSchedulingPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
 
-func (m *PriorityClass) Reset()      { *m = PriorityClass{} }
-func (*PriorityClass) ProtoMessage() {}
-func (*PriorityClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_260442fbb28d876a, []int{0}
+func (m *BasicSchedulingPolicy) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
-func (m *PriorityClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (m *BasicSchedulingPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	return len(dAtA) - i, nil
 }
-func (m *PriorityClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
+
+func (m *GangSchedulingPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
-	return b[:n], nil
-}
-func (m *PriorityClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClass.Merge(m, src)
+	return dAtA[:n], nil
 }
-func (m *PriorityClass) XXX_Size() int {
-	return m.Size()
+
+func (m *GangSchedulingPolicy) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
-func (m *PriorityClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClass.DiscardUnknown(m)
+
+func (m *GangSchedulingPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinCount))
+	i--
+	dAtA[i] = 0x8
+	return len(dAtA) - i, nil
 }
 
-var xxx_messageInfo_PriorityClass proto.InternalMessageInfo
+func (m *PodGroup) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
 
-func (m *PriorityClassList) Reset()      { *m = PriorityClassList{} }
-func (*PriorityClassList) ProtoMessage() {}
-func (*PriorityClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_260442fbb28d876a, []int{1}
+func (m *PodGroup) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
-func (m *PriorityClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (m *PodGroup) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Policy.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Name)
+	copy(dAtA[i:], m.Name)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
 }
-func (m *PriorityClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
+
+func (m *PodGroupPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
-	return b[:n], nil
-}
-func (m *PriorityClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClassList.Merge(m, src)
-}
-func (m *PriorityClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityClassList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*PriorityClass)(nil), "k8s.io.api.scheduling.v1alpha1.PriorityClass")
-	proto.RegisterType((*PriorityClassList)(nil), "k8s.io.api.scheduling.v1alpha1.PriorityClassList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/scheduling/v1alpha1/generated.proto", fileDescriptor_260442fbb28d876a)
-}
-
-var fileDescriptor_260442fbb28d876a = []byte{
-	// 480 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x93, 0x31, 0x8f, 0xd3, 0x30,
-	0x18, 0x86, 0xeb, 0x1e, 0x91, 0x8a, 0xab, 0x4a, 0x25, 0x08, 0x29, 0xea, 0xe0, 0x46, 0xbd, 0x25,
-	0xcb, 0xd9, 0xf4, 0x04, 0x08, 0xe9, 0xb6, 0x50, 0x09, 0x21, 0x81, 0xa8, 0x32, 0x30, 0x20, 0x06,
-	0xdc, 0xd4, 0xe7, 0x9a, 0x26, 0x71, 0x64, 0x3b, 0x95, 0xba, 0xf1, 0x13, 0xf8, 0x53, 0x48, 0x1d,
-	0x6f, 0xbc, 0xa9, 0xa2, 0xe1, 0x27, 0xb0, 0x31, 0xa1, 0xa4, 0xbd, 0x4b, 0xdb, 0xc0, 0x71, 0x5b,
-	0xbe, 0xef, 0x7b, 0xde, 0xd7, 0xf6, 0x1b, 0x1b, 0xe2, 0xf9, 0x4b, 0x8d, 0x85, 0x24, 0x34, 0x15,
-	0x44, 0x87, 0x33, 0x36, 0xcd, 0x22, 0x91, 0x70, 0xb2, 0x18, 0xd2, 0x28, 0x9d, 0xd1, 0x21, 0xe1,
-	0x2c, 0x61, 0x8a, 0x1a, 0x36, 0xc5, 0xa9, 0x92, 0x46, 0xda, 0x68, 0xcb, 0x63, 0x9a, 0x0a, 0x5c,
-	0xf1, 0xf8, 0x86, 0xef, 0x9d, 0x71, 0x61, 0x66, 0xd9, 0x04, 0x87, 0x32, 0x26, 0x5c, 0x72, 0x49,
-	0x4a, 0xd9, 0x24, 0xbb, 0x2c, 0xab, 0xb2, 0x28, 0xbf, 0xb6, 0x76, 0xbd, 0xc1, 0xde, 0xf2, 0xa1,
-	0x54, 0x8c, 0x2c, 0x6a, 0x4b, 0xf6, 0x9e, 0x55, 0x4c, 0x4c, 0xc3, 0x99, 0x48, 0x98, 0x5a, 0x92,
-	0x74, 0xce, 0x8b, 0x86, 0x26, 0x31, 0x33, 0xf4, 0x6f, 0x2a, 0xf2, 0x2f, 0x95, 0xca, 0x12, 0x23,
-	0x62, 0x56, 0x13, 0xbc, 0xf8, 0x9f, 0xa0, 0x38, 0x6e, 0x4c, 0x8f, 0x75, 0x83, 0x5f, 0x4d, 0xd8,
-	0x19, 0x2b, 0x21, 0x95, 0x30, 0xcb, 0x57, 0x11, 0xd5, 0xda, 0xfe, 0x0c, 0x5b, 0xc5, 0xae, 0xa6,
-	0xd4, 0x50, 0x07, 0xb8, 0xc0, 0x6b, 0x9f, 0x3f, 0xc5, 0x55, 0x6c, 0xb7, 0xe6, 0x38, 0x9d, 0xf3,
-	0xa2, 0xa1, 0x71, 0x41, 0xe3, 0xc5, 0x10, 0xbf, 0x9f, 0x7c, 0x61, 0xa1, 0x79, 0xc7, 0x0c, 0xf5,
-	0xed, 0xd5, 0xba, 0xdf, 0xc8, 0xd7, 0x7d, 0x58, 0xf5, 0x82, 0x5b, 0x57, 0xfb, 0x14, 0x5a, 0x0b,
-	0x1a, 0x65, 0xcc, 0x69, 0xba, 0xc0, 0xb3, 0xfc, 0xce, 0x0e, 0xb6, 0x3e, 0x14, 0xcd, 0x60, 0x3b,
-	0xb3, 0x2f, 0x60, 0x87, 0x47, 0x72, 0x42, 0xa3, 0x11, 0xbb, 0xa4, 0x59, 0x64, 0x9c, 0x13, 0x17,
-	0x78, 0x2d, 0xff, 0xc9, 0x0e, 0xee, 0xbc, 0xde, 0x1f, 0x06, 0x87, 0xac, 0xfd, 0x1c, 0xb6, 0xa7,
-	0x4c, 0x87, 0x4a, 0xa4, 0x46, 0xc8, 0xc4, 0x79, 0xe0, 0x02, 0xef, 0xa1, 0xff, 0x78, 0x27, 0x6d,
-	0x8f, 0xaa, 0x51, 0xb0, 0xcf, 0xd9, 0x1c, 0x76, 0x53, 0xc5, 0x58, 0x5c, 0x56, 0x63, 0x19, 0x89,
-	0x70, 0xe9, 0x58, 0xa5, 0xf6, 0x22, 0x5f, 0xf7, 0xbb, 0xe3, 0xa3, 0xd9, 0xef, 0x75, 0xff, 0xb4,
-	0x7e, 0x03, 0xf0, 0x31, 0x16, 0xd4, 0x4c, 0x07, 0xdf, 0x01, 0x7c, 0x74, 0x90, 0xfa, 0x5b, 0xa1,
-	0x8d, 0xfd, 0xa9, 0x96, 0x3c, 0xbe, 0x5f, 0xf2, 0x85, 0xba, 0xcc, 0xbd, 0xbb, 0x3b, 0x62, 0xeb,
-	0xa6, 0xb3, 0x97, 0x7a, 0x00, 0x2d, 0x61, 0x58, 0xac, 0x9d, 0xa6, 0x7b, 0xe2, 0xb5, 0xcf, 0xcf,
-	0xf0, 0xdd, 0x6f, 0x01, 0x1f, 0xec, 0xaf, 0xfa, 0x49, 0x6f, 0x0a, 0x8f, 0x60, 0x6b, 0xe5, 0x8f,
-	0x56, 0x1b, 0xd4, 0xb8, 0xda, 0xa0, 0xc6, 0xf5, 0x06, 0x35, 0xbe, 0xe6, 0x08, 0xac, 0x72, 0x04,
-	0xae, 0x72, 0x04, 0xae, 0x73, 0x04, 0x7e, 0xe4, 0x08, 0x7c, 0xfb, 0x89, 0x1a, 0x1f, 0xd1, 0xdd,
-	0xaf, 0xf4, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x8e, 0xfe, 0x45, 0x7e, 0xc6, 0x03, 0x00, 0x00,
+	return dAtA[:n], nil
+}
+
+func (m *PodGroupPolicy) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *PodGroupPolicy) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.Gang != nil {
+		{
+			size, err := m.Gang.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x1a
+	}
+	if m.Basic != nil {
+		{
+			size, err := m.Basic.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x12
+	}
+	return len(dAtA) - i, nil
 }
 
 func (m *PriorityClass) Marshal() (dAtA []byte, err error) {
@@ -247,6 +288,183 @@ func (m *PriorityClassList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *TypedLocalObjectReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TypedLocalObjectReference) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *TypedLocalObjectReference) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i -= len(m.Name)
+	copy(dAtA[i:], m.Name)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Kind)
+	copy(dAtA[i:], m.Kind)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.APIGroup)
+	copy(dAtA[i:], m.APIGroup)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *Workload) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Workload) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *Workload) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x12
+	{
+		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *WorkloadList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkloadList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *WorkloadList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	{
+		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *WorkloadSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkloadSpec) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *WorkloadSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.PodGroups) > 0 {
+		for iNdEx := len(m.PodGroups) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.PodGroups[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	if m.ControllerRef != nil {
+		{
+			size, err := m.ControllerRef.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
 	offset -= sovGenerated(v)
 	base := offset
@@ -258,39 +476,152 @@ func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
 	dAtA[offset] = uint8(v)
 	return base
 }
-func (m *PriorityClass) Size() (n int) {
+func (m *BasicSchedulingPolicy) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	l = m.ObjectMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	n += 1 + sovGenerated(uint64(m.Value))
-	n += 2
-	l = len(m.Description)
-	n += 1 + l + sovGenerated(uint64(l))
-	if m.PreemptionPolicy != nil {
-		l = len(*m.PreemptionPolicy)
-		n += 1 + l + sovGenerated(uint64(l))
-	}
 	return n
 }
 
-func (m *PriorityClassList) Size() (n int) {
+func (m *GangSchedulingPolicy) Size() (n int) {
 	if m == nil {
 		return 0
 	}
 	var l int
 	_ = l
-	l = m.ListMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Items) > 0 {
-		for _, e := range m.Items {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
+	n += 1 + sovGenerated(uint64(m.MinCount))
+	return n
+}
+
+func (m *PodGroup) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Policy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodGroupPolicy) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.Basic != nil {
+		l = m.Basic.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Gang != nil {
+		l = m.Gang.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PriorityClass) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Value))
+	n += 2
+	l = len(m.Description)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.PreemptionPolicy != nil {
+		l = len(*m.PreemptionPolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PriorityClassList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *TypedLocalObjectReference) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Workload) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *WorkloadList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *WorkloadSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.ControllerRef != nil {
+		l = m.ControllerRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.PodGroups) > 0 {
+		for _, e := range m.PodGroups {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -300,6 +631,47 @@ func sovGenerated(x uint64) (n int) {
 func sozGenerated(x uint64) (n int) {
 	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
 }
+func (this *BasicSchedulingPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&BasicSchedulingPolicy{`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GangSchedulingPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GangSchedulingPolicy{`,
+		`MinCount:` + fmt.Sprintf("%v", this.MinCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodGroup) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodGroup{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Policy:` + strings.Replace(strings.Replace(this.Policy.String(), "PodGroupPolicy", "PodGroupPolicy", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodGroupPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodGroupPolicy{`,
+		`Basic:` + strings.Replace(this.Basic.String(), "BasicSchedulingPolicy", "BasicSchedulingPolicy", 1) + `,`,
+		`Gang:` + strings.Replace(this.Gang.String(), "GangSchedulingPolicy", "GangSchedulingPolicy", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *PriorityClass) String() string {
 	if this == nil {
 		return "nil"
@@ -330,15 +702,730 @@ func (this *PriorityClassList) String() string {
 	}, "")
 	return s
 }
+func (this *TypedLocalObjectReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TypedLocalObjectReference{`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Workload) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Workload{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "WorkloadSpec", "WorkloadSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *WorkloadList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]Workload{"
+	for _, f := range this.Items {
+		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "Workload", "Workload", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&WorkloadList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + repeatedStringForItems + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *WorkloadSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForPodGroups := "[]PodGroup{"
+	for _, f := range this.PodGroups {
+		repeatedStringForPodGroups += strings.Replace(strings.Replace(f.String(), "PodGroup", "PodGroup", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForPodGroups += "}"
+	s := strings.Join([]string{`&WorkloadSpec{`,
+		`ControllerRef:` + strings.Replace(this.ControllerRef.String(), "TypedLocalObjectReference", "TypedLocalObjectReference", 1) + `,`,
+		`PodGroups:` + repeatedStringForPodGroups + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func valueToStringGenerated(v interface{}) string {
 	rv := reflect.ValueOf(v)
 	if rv.IsNil() {
 		return "nil"
 	}
-	pv := reflect.Indirect(rv).Interface()
-	return fmt.Sprintf("*%v", pv)
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *BasicSchedulingPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BasicSchedulingPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BasicSchedulingPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GangSchedulingPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GangSchedulingPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GangSchedulingPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinCount", wireType)
+			}
+			m.MinCount = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinCount |= int32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodGroup) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodGroup: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodGroup: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Policy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Policy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodGroupPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodGroupPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodGroupPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Basic", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Basic == nil {
+				m.Basic = &BasicSchedulingPolicy{}
+			}
+			if err := m.Basic.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gang", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Gang == nil {
+				m.Gang = &GangSchedulingPolicy{}
+			}
+			if err := m.Gang.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PriorityClass) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PriorityClass: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PriorityClass: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			m.Value = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Value |= int32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GlobalDefault", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.GlobalDefault = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreemptionPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_api_core_v1.PreemptionPolicy(dAtA[iNdEx:postIndex])
+			m.PreemptionPolicy = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PriorityClassList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PriorityClassList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PriorityClass{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
 }
-func (m *PriorityClass) Unmarshal(dAtA []byte) error {
+func (m *TypedLocalObjectReference) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -361,17 +1448,17 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: PriorityClass: wiretype end group for non-group")
+			return fmt.Errorf("proto: TypedLocalObjectReference: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PriorityClass: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: TypedLocalObjectReference: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
 			}
-			var msglen int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -381,30 +1468,29 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				msglen |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if msglen < 0 {
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + msglen
+			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
 			}
-			m.Value = 0
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -414,16 +1500,29 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				m.Value |= int32(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		case 3:
-			if wireType != 0 {
-				return fmt.Errorf("proto: wrong wireType = %d for field GlobalDefault", wireType)
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
 			}
-			var v int
+			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -433,17 +1532,79 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				v |= int(b&0x7F) << shift
+				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			m.GlobalDefault = bool(v != 0)
-		case 4:
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Workload) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Workload: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Workload: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -453,29 +1614,30 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Description = string(dAtA[iNdEx:postIndex])
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
-		case 5:
+		case 2:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PreemptionPolicy", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
 			}
-			var stringLen uint64
+			var msglen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowGenerated
@@ -485,24 +1647,24 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				msglen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if msglen < 0 {
 				return ErrInvalidLengthGenerated
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + msglen
 			if postIndex < 0 {
 				return ErrInvalidLengthGenerated
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			s := k8s_io_api_core_v1.PreemptionPolicy(dAtA[iNdEx:postIndex])
-			m.PreemptionPolicy = &s
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
 			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
@@ -525,7 +1687,7 @@ func (m *PriorityClass) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
-func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
+func (m *WorkloadList) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
 	for iNdEx < l {
@@ -548,10 +1710,10 @@ func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
 		fieldNum := int32(wire >> 3)
 		wireType := int(wire & 0x7)
 		if wireType == 4 {
-			return fmt.Errorf("proto: PriorityClassList: wiretype end group for non-group")
+			return fmt.Errorf("proto: WorkloadList: wiretype end group for non-group")
 		}
 		if fieldNum <= 0 {
-			return fmt.Errorf("proto: PriorityClassList: illegal tag %d (wire type %d)", fieldNum, wire)
+			return fmt.Errorf("proto: WorkloadList: illegal tag %d (wire type %d)", fieldNum, wire)
 		}
 		switch fieldNum {
 		case 1:
@@ -616,7 +1778,7 @@ func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.Items = append(m.Items, PriorityClass{})
+			m.Items = append(m.Items, Workload{})
 			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
 				return err
 			}
@@ -642,6 +1804,126 @@ func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *WorkloadSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkloadSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkloadSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ControllerRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ControllerRef == nil {
+				m.ControllerRef = &TypedLocalObjectReference{}
+			}
+			if err := m.ControllerRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodGroups", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodGroups = append(m.PodGroups, PodGroup{})
+			if err := m.PodGroups[len(m.PodGroups)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipGenerated(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/generated.proto b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.proto
index e42dccc688bd6..6014f60e20c85 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/generated.proto
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.proto
@@ -29,6 +29,52 @@ import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "k8s.io/api/scheduling/v1alpha1";
 
+// BasicSchedulingPolicy indicates that standard Kubernetes
+// scheduling behavior should be used.
+message BasicSchedulingPolicy {
+}
+
+// GangSchedulingPolicy defines the parameters for gang scheduling.
+message GangSchedulingPolicy {
+  // MinCount is the minimum number of pods that must be schedulable or scheduled
+  // at the same time for the scheduler to admit the entire group.
+  // It must be a positive integer.
+  //
+  // +required
+  optional int32 minCount = 1;
+}
+
+// PodGroup represents a set of pods with a common scheduling policy.
+message PodGroup {
+  // Name is a unique identifier for the PodGroup within the Workload.
+  // It must be a DNS label. This field is immutable.
+  //
+  // +required
+  optional string name = 1;
+
+  // Policy defines the scheduling policy for this PodGroup.
+  //
+  // +required
+  optional PodGroupPolicy policy = 3;
+}
+
+// PodGroupPolicy defines the scheduling configuration for a PodGroup.
+message PodGroupPolicy {
+  // Basic specifies that the pods in this group should be scheduled using
+  // standard Kubernetes scheduling behavior.
+  //
+  // +optional
+  // +oneOf=PolicySelection
+  optional BasicSchedulingPolicy basic = 2;
+
+  // Gang specifies that the pods in this group should be scheduled using
+  // all-or-nothing semantics.
+  //
+  // +optional
+  // +oneOf=PolicySelection
+  optional GangSchedulingPolicy gang = 3;
+}
+
 // DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass.
 // PriorityClass defines mapping from a priority class name to the priority
 // integer value. The value can be any valid integer.
@@ -73,3 +119,72 @@ message PriorityClassList {
   repeated PriorityClass items = 2;
 }
 
+// TypedLocalObjectReference allows to reference typed object inside the same namespace.
+message TypedLocalObjectReference {
+  // APIGroup is the group for the resource being referenced.
+  // If APIGroup is empty, the specified Kind must be in the core API group.
+  // For any other third-party types, setting APIGroup is required.
+  // It must be a DNS subdomain.
+  //
+  // +optional
+  optional string apiGroup = 1;
+
+  // Kind is the type of resource being referenced.
+  // It must be a path segment name.
+  //
+  // +required
+  optional string kind = 2;
+
+  // Name is the name of resource being referenced.
+  // It must be a path segment name.
+  //
+  // +required
+  optional string name = 3;
+}
+
+// Workload allows for expressing scheduling constraints that should be used
+// when managing lifecycle of workloads from scheduling perspective,
+// including scheduling, preemption, eviction and other phases.
+message Workload {
+  // Standard object's metadata.
+  // Name must be a DNS subdomain.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the desired behavior of a Workload.
+  //
+  // +required
+  optional WorkloadSpec spec = 2;
+}
+
+// WorkloadList contains a list of Workload resources.
+message WorkloadList {
+  // Standard list metadata.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Workloads.
+  repeated Workload items = 2;
+}
+
+// WorkloadSpec defines the desired state of a Workload.
+message WorkloadSpec {
+  // ControllerRef is an optional reference to the controlling object, such as a
+  // Deployment or Job. This field is intended for use by tools like CLIs
+  // to provide a link back to the original workload definition.
+  // When set, it cannot be changed.
+  //
+  // +optional
+  optional TypedLocalObjectReference controllerRef = 1;
+
+  // PodGroups is the list of pod groups that make up the Workload.
+  // The maximum number of pod groups is 8. This field is immutable.
+  //
+  // +required
+  // +listType=map
+  // +listMapKey=name
+  repeated PodGroup podGroups = 2;
+}
+
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a92e57b1e76a8
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,42 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*BasicSchedulingPolicy) ProtoMessage() {}
+
+func (*GangSchedulingPolicy) ProtoMessage() {}
+
+func (*PodGroup) ProtoMessage() {}
+
+func (*PodGroupPolicy) ProtoMessage() {}
+
+func (*PriorityClass) ProtoMessage() {}
+
+func (*PriorityClassList) ProtoMessage() {}
+
+func (*TypedLocalObjectReference) ProtoMessage() {}
+
+func (*Workload) ProtoMessage() {}
+
+func (*WorkloadList) ProtoMessage() {}
+
+func (*WorkloadSpec) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/register.go b/staging/src/k8s.io/api/scheduling/v1alpha1/register.go
index 24689f0ad841e..25de55d308dc6 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/register.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/register.go
@@ -46,6 +46,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&PriorityClass{},
 		&PriorityClassList{},
+		&Workload{},
+		&WorkloadList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/types.go b/staging/src/k8s.io/api/scheduling/v1alpha1/types.go
index 26ba8ff5dcc11..480b53da015e5 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/types.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/types.go
@@ -72,3 +72,130 @@ type PriorityClassList struct {
 	// items is the list of PriorityClasses
 	Items []PriorityClass `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Workload allows for expressing scheduling constraints that should be used
+// when managing lifecycle of workloads from scheduling perspective,
+// including scheduling, preemption, eviction and other phases.
+type Workload struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// Name must be a DNS subdomain.
+	//
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the desired behavior of a Workload.
+	//
+	// +required
+	Spec WorkloadSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// WorkloadList contains a list of Workload resources.
+type WorkloadList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	//
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Workloads.
+	Items []Workload `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// WorkloadMaxPodGroups is the maximum number of pod groups per Workload.
+const WorkloadMaxPodGroups = 8
+
+// WorkloadSpec defines the desired state of a Workload.
+type WorkloadSpec struct {
+	// ControllerRef is an optional reference to the controlling object, such as a
+	// Deployment or Job. This field is intended for use by tools like CLIs
+	// to provide a link back to the original workload definition.
+	// When set, it cannot be changed.
+	//
+	// +optional
+	ControllerRef *TypedLocalObjectReference `json:"controllerRef,omitempty" protobuf:"bytes,1,opt,name=controllerRef"`
+
+	// PodGroups is the list of pod groups that make up the Workload.
+	// The maximum number of pod groups is 8. This field is immutable.
+	//
+	// +required
+	// +listType=map
+	// +listMapKey=name
+	PodGroups []PodGroup `json:"podGroups" protobuf:"bytes,2,rep,name=podGroups"`
+}
+
+// TypedLocalObjectReference allows to reference typed object inside the same namespace.
+type TypedLocalObjectReference struct {
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is empty, the specified Kind must be in the core API group.
+	// For any other third-party types, setting APIGroup is required.
+	// It must be a DNS subdomain.
+	//
+	// +optional
+	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,1,opt,name=apiGroup"`
+	// Kind is the type of resource being referenced.
+	// It must be a path segment name.
+	//
+	// +required
+	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// Name is the name of resource being referenced.
+	// It must be a path segment name.
+	//
+	// +required
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+}
+
+// PodGroup represents a set of pods with a common scheduling policy.
+type PodGroup struct {
+	// Name is a unique identifier for the PodGroup within the Workload.
+	// It must be a DNS label. This field is immutable.
+	//
+	// +required
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+
+	// Policy defines the scheduling policy for this PodGroup.
+	//
+	// +required
+	Policy PodGroupPolicy `json:"policy" protobuf:"bytes,3,opt,name=policy"`
+}
+
+// PodGroupPolicy defines the scheduling configuration for a PodGroup.
+type PodGroupPolicy struct {
+	// Basic specifies that the pods in this group should be scheduled using
+	// standard Kubernetes scheduling behavior.
+	//
+	// +optional
+	// +oneOf=PolicySelection
+	Basic *BasicSchedulingPolicy `json:"basic,omitempty" protobuf:"bytes,2,opt,name=basic"`
+
+	// Gang specifies that the pods in this group should be scheduled using
+	// all-or-nothing semantics.
+	//
+	// +optional
+	// +oneOf=PolicySelection
+	Gang *GangSchedulingPolicy `json:"gang,omitempty" protobuf:"bytes,3,opt,name=gang"`
+}
+
+// BasicSchedulingPolicy indicates that standard Kubernetes
+// scheduling behavior should be used.
+type BasicSchedulingPolicy struct {
+	// This is intentionally empty. Its presence indicates that the basic
+	// scheduling policy should be applied. In the future, new fields may appear,
+	// describing such constraints on a pod group level without "all or nothing"
+	// (gang) scheduling.
+}
+
+// GangSchedulingPolicy defines the parameters for gang scheduling.
+type GangSchedulingPolicy struct {
+	// MinCount is the minimum number of pods that must be schedulable or scheduled
+	// at the same time for the scheduler to admit the entire group.
+	// It must be a positive integer.
+	//
+	// +required
+	MinCount int32 `json:"minCount" protobuf:"varint,1,opt,name=minCount"`
+}
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
index 557005db64e00..a2915bff44bae 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
@@ -27,6 +27,43 @@ package v1alpha1
 // Those methods can be generated by using hack/update-codegen.sh
 
 // AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_BasicSchedulingPolicy = map[string]string{
+	"": "BasicSchedulingPolicy indicates that standard Kubernetes scheduling behavior should be used.",
+}
+
+func (BasicSchedulingPolicy) SwaggerDoc() map[string]string {
+	return map_BasicSchedulingPolicy
+}
+
+var map_GangSchedulingPolicy = map[string]string{
+	"":         "GangSchedulingPolicy defines the parameters for gang scheduling.",
+	"minCount": "MinCount is the minimum number of pods that must be schedulable or scheduled at the same time for the scheduler to admit the entire group. It must be a positive integer.",
+}
+
+func (GangSchedulingPolicy) SwaggerDoc() map[string]string {
+	return map_GangSchedulingPolicy
+}
+
+var map_PodGroup = map[string]string{
+	"":       "PodGroup represents a set of pods with a common scheduling policy.",
+	"name":   "Name is a unique identifier for the PodGroup within the Workload. It must be a DNS label. This field is immutable.",
+	"policy": "Policy defines the scheduling policy for this PodGroup.",
+}
+
+func (PodGroup) SwaggerDoc() map[string]string {
+	return map_PodGroup
+}
+
+var map_PodGroupPolicy = map[string]string{
+	"":      "PodGroupPolicy defines the scheduling configuration for a PodGroup.",
+	"basic": "Basic specifies that the pods in this group should be scheduled using standard Kubernetes scheduling behavior.",
+	"gang":  "Gang specifies that the pods in this group should be scheduled using all-or-nothing semantics.",
+}
+
+func (PodGroupPolicy) SwaggerDoc() map[string]string {
+	return map_PodGroupPolicy
+}
+
 var map_PriorityClass = map[string]string{
 	"":                 "DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass. PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.",
 	"metadata":         "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -50,4 +87,45 @@ func (PriorityClassList) SwaggerDoc() map[string]string {
 	return map_PriorityClassList
 }
 
+var map_TypedLocalObjectReference = map[string]string{
+	"":         "TypedLocalObjectReference allows to reference typed object inside the same namespace.",
+	"apiGroup": "APIGroup is the group for the resource being referenced. If APIGroup is empty, the specified Kind must be in the core API group. For any other third-party types, setting APIGroup is required. It must be a DNS subdomain.",
+	"kind":     "Kind is the type of resource being referenced. It must be a path segment name.",
+	"name":     "Name is the name of resource being referenced. It must be a path segment name.",
+}
+
+func (TypedLocalObjectReference) SwaggerDoc() map[string]string {
+	return map_TypedLocalObjectReference
+}
+
+var map_Workload = map[string]string{
+	"":         "Workload allows for expressing scheduling constraints that should be used when managing lifecycle of workloads from scheduling perspective, including scheduling, preemption, eviction and other phases.",
+	"metadata": "Standard object's metadata. Name must be a DNS subdomain.",
+	"spec":     "Spec defines the desired behavior of a Workload.",
+}
+
+func (Workload) SwaggerDoc() map[string]string {
+	return map_Workload
+}
+
+var map_WorkloadList = map[string]string{
+	"":         "WorkloadList contains a list of Workload resources.",
+	"metadata": "Standard list metadata.",
+	"items":    "Items is the list of Workloads.",
+}
+
+func (WorkloadList) SwaggerDoc() map[string]string {
+	return map_WorkloadList
+}
+
+var map_WorkloadSpec = map[string]string{
+	"":              "WorkloadSpec defines the desired state of a Workload.",
+	"controllerRef": "ControllerRef is an optional reference to the controlling object, such as a Deployment or Job. This field is intended for use by tools like CLIs to provide a link back to the original workload definition. When set, it cannot be changed.",
+	"podGroups":     "PodGroups is the list of pod groups that make up the Workload. The maximum number of pod groups is 8. This field is immutable.",
+}
+
+func (WorkloadSpec) SwaggerDoc() map[string]string {
+	return map_WorkloadSpec
+}
+
 // AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
index b130c990e48c2..ccaf45d72ccf2 100644
--- a/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
@@ -26,6 +26,81 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BasicSchedulingPolicy) DeepCopyInto(out *BasicSchedulingPolicy) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicSchedulingPolicy.
+func (in *BasicSchedulingPolicy) DeepCopy() *BasicSchedulingPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(BasicSchedulingPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GangSchedulingPolicy) DeepCopyInto(out *GangSchedulingPolicy) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangSchedulingPolicy.
+func (in *GangSchedulingPolicy) DeepCopy() *GangSchedulingPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(GangSchedulingPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodGroup) DeepCopyInto(out *PodGroup) {
+	*out = *in
+	in.Policy.DeepCopyInto(&out.Policy)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodGroup.
+func (in *PodGroup) DeepCopy() *PodGroup {
+	if in == nil {
+		return nil
+	}
+	out := new(PodGroup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodGroupPolicy) DeepCopyInto(out *PodGroupPolicy) {
+	*out = *in
+	if in.Basic != nil {
+		in, out := &in.Basic, &out.Basic
+		*out = new(BasicSchedulingPolicy)
+		**out = **in
+	}
+	if in.Gang != nil {
+		in, out := &in.Gang, &out.Gang
+		*out = new(GangSchedulingPolicy)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodGroupPolicy.
+func (in *PodGroupPolicy) DeepCopy() *PodGroupPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(PodGroupPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PriorityClass) DeepCopyInto(out *PriorityClass) {
 	*out = *in
@@ -89,3 +164,107 @@ func (in *PriorityClassList) DeepCopyObject() runtime.Object {
 	}
 	return nil
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TypedLocalObjectReference) DeepCopyInto(out *TypedLocalObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypedLocalObjectReference.
+func (in *TypedLocalObjectReference) DeepCopy() *TypedLocalObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(TypedLocalObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Workload) DeepCopyInto(out *Workload) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workload.
+func (in *Workload) DeepCopy() *Workload {
+	if in == nil {
+		return nil
+	}
+	out := new(Workload)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Workload) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadList) DeepCopyInto(out *WorkloadList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Workload, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadList.
+func (in *WorkloadList) DeepCopy() *WorkloadList {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WorkloadList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadSpec) DeepCopyInto(out *WorkloadSpec) {
+	*out = *in
+	if in.ControllerRef != nil {
+		in, out := &in.ControllerRef, &out.ControllerRef
+		*out = new(TypedLocalObjectReference)
+		**out = **in
+	}
+	if in.PodGroups != nil {
+		in, out := &in.PodGroups, &out.PodGroups
+		*out = make([]PodGroup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadSpec.
+func (in *WorkloadSpec) DeepCopy() *WorkloadSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..25844f419a826
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,72 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in BasicSchedulingPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GangSchedulingPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodGroup) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.PodGroup"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodGroupPolicy) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.PodGroupPolicy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClass) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.PriorityClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClassList) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.PriorityClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypedLocalObjectReference) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Workload) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.Workload"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WorkloadList) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.WorkloadList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WorkloadSpec) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1alpha1.WorkloadSpec"
+}
diff --git a/staging/src/k8s.io/api/scheduling/v1beta1/doc.go b/staging/src/k8s.io/api/scheduling/v1beta1/doc.go
index 1bc3610611670..ef4bd57d5d12d 100644
--- a/staging/src/k8s.io/api/scheduling/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/scheduling/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.scheduling.v1beta1
 
 // +groupName=scheduling.k8s.io
 
diff --git a/staging/src/k8s.io/api/scheduling/v1beta1/generated.pb.go b/staging/src/k8s.io/api/scheduling/v1beta1/generated.pb.go
index 68e8e90d1d928..cd25ded4089f6 100644
--- a/staging/src/k8s.io/api/scheduling/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/scheduling/v1beta1/generated.pb.go
@@ -24,126 +24,16 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *PriorityClass) Reset() { *m = PriorityClass{} }
 
-func (m *PriorityClass) Reset()      { *m = PriorityClass{} }
-func (*PriorityClass) ProtoMessage() {}
-func (*PriorityClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9edc3acf997efcf2, []int{0}
-}
-func (m *PriorityClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClass.Merge(m, src)
-}
-func (m *PriorityClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityClass proto.InternalMessageInfo
-
-func (m *PriorityClassList) Reset()      { *m = PriorityClassList{} }
-func (*PriorityClassList) ProtoMessage() {}
-func (*PriorityClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_9edc3acf997efcf2, []int{1}
-}
-func (m *PriorityClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PriorityClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PriorityClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PriorityClassList.Merge(m, src)
-}
-func (m *PriorityClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PriorityClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PriorityClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PriorityClassList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*PriorityClass)(nil), "k8s.io.api.scheduling.v1beta1.PriorityClass")
-	proto.RegisterType((*PriorityClassList)(nil), "k8s.io.api.scheduling.v1beta1.PriorityClassList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/scheduling/v1beta1/generated.proto", fileDescriptor_9edc3acf997efcf2)
-}
-
-var fileDescriptor_9edc3acf997efcf2 = []byte{
-	// 481 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x93, 0x31, 0x8f, 0xd3, 0x30,
-	0x18, 0x86, 0xe3, 0x1e, 0x91, 0x8a, 0xab, 0x4a, 0x25, 0x08, 0x29, 0xaa, 0x74, 0x69, 0xd4, 0x5b,
-	0x32, 0x70, 0x36, 0x3d, 0x01, 0x42, 0xba, 0x2d, 0x77, 0x12, 0x42, 0x02, 0x51, 0x32, 0x30, 0x20,
-	0x06, 0x9c, 0xd4, 0x97, 0x9a, 0x26, 0x71, 0x64, 0x3b, 0x95, 0xba, 0xf1, 0x13, 0xf8, 0x51, 0x0c,
-	0x1d, 0x6f, 0xbc, 0xa9, 0xa2, 0xe1, 0x27, 0xb0, 0x31, 0xa1, 0xa4, 0xe1, 0xd2, 0x36, 0x50, 0x6e,
-	0xcb, 0xf7, 0x7d, 0xcf, 0xfb, 0xda, 0x7e, 0x63, 0xc3, 0xd3, 0xd9, 0x0b, 0x89, 0x18, 0xc7, 0x24,
-	0x65, 0x58, 0x06, 0x53, 0x3a, 0xc9, 0x22, 0x96, 0x84, 0x78, 0x3e, 0xf2, 0xa9, 0x22, 0x23, 0x1c,
-	0xd2, 0x84, 0x0a, 0xa2, 0xe8, 0x04, 0xa5, 0x82, 0x2b, 0x6e, 0x1c, 0x6f, 0x70, 0x44, 0x52, 0x86,
-	0x6a, 0x1c, 0x55, 0x78, 0xff, 0x34, 0x64, 0x6a, 0x9a, 0xf9, 0x28, 0xe0, 0x31, 0x0e, 0x79, 0xc8,
-	0x71, 0xa9, 0xf2, 0xb3, 0xab, 0xb2, 0x2a, 0x8b, 0xf2, 0x6b, 0xe3, 0xd6, 0x1f, 0x6e, 0x2d, 0x1e,
-	0x70, 0x41, 0xf1, 0xbc, 0xb1, 0x62, 0xff, 0x69, 0xcd, 0xc4, 0x24, 0x98, 0xb2, 0x84, 0x8a, 0x05,
-	0x4e, 0x67, 0x61, 0xd1, 0x90, 0x38, 0xa6, 0x8a, 0xfc, 0x4d, 0x85, 0xff, 0xa5, 0x12, 0x59, 0xa2,
-	0x58, 0x4c, 0x1b, 0x82, 0xe7, 0xff, 0x13, 0x14, 0xa7, 0x8d, 0xc9, 0xbe, 0x6e, 0xf8, 0xb3, 0x05,
-	0xbb, 0x63, 0xc1, 0xb8, 0x60, 0x6a, 0x71, 0x11, 0x11, 0x29, 0x8d, 0x4f, 0xb0, 0x5d, 0xec, 0x6a,
-	0x42, 0x14, 0x31, 0x81, 0x0d, 0x9c, 0xce, 0xd9, 0x13, 0x54, 0xa7, 0x76, 0x6b, 0x8e, 0xd2, 0x59,
-	0x58, 0x34, 0x24, 0x2a, 0x68, 0x34, 0x1f, 0xa1, 0xb7, 0xfe, 0x67, 0x1a, 0xa8, 0x37, 0x54, 0x11,
-	0xd7, 0x58, 0xae, 0x06, 0x5a, 0xbe, 0x1a, 0xc0, 0xba, 0xe7, 0xdd, 0xba, 0x1a, 0x27, 0x50, 0x9f,
-	0x93, 0x28, 0xa3, 0x66, 0xcb, 0x06, 0x8e, 0xee, 0x76, 0x2b, 0x58, 0x7f, 0x5f, 0x34, 0xbd, 0xcd,
-	0xcc, 0x38, 0x87, 0xdd, 0x30, 0xe2, 0x3e, 0x89, 0x2e, 0xe9, 0x15, 0xc9, 0x22, 0x65, 0x1e, 0xd9,
-	0xc0, 0x69, 0xbb, 0x8f, 0x2a, 0xb8, 0xfb, 0x72, 0x7b, 0xe8, 0xed, 0xb2, 0xc6, 0x33, 0xd8, 0x99,
-	0x50, 0x19, 0x08, 0x96, 0x2a, 0xc6, 0x13, 0xf3, 0x9e, 0x0d, 0x9c, 0xfb, 0xee, 0xc3, 0x4a, 0xda,
-	0xb9, 0xac, 0x47, 0xde, 0x36, 0x67, 0x84, 0xb0, 0x97, 0x0a, 0x4a, 0xe3, 0xb2, 0x1a, 0xf3, 0x88,
-	0x05, 0x0b, 0x53, 0x2f, 0xb5, 0xe7, 0xf9, 0x6a, 0xd0, 0x1b, 0xef, 0xcd, 0x7e, 0xad, 0x06, 0x27,
-	0xcd, 0x1b, 0x80, 0xf6, 0x31, 0xaf, 0x61, 0x3a, 0xfc, 0x06, 0xe0, 0x83, 0x9d, 0xd4, 0x5f, 0x33,
-	0xa9, 0x8c, 0x8f, 0x8d, 0xe4, 0xd1, 0xdd, 0x92, 0x2f, 0xd4, 0x65, 0xee, 0xbd, 0xea, 0x88, 0xed,
-	0x3f, 0x9d, 0xad, 0xd4, 0xdf, 0x41, 0x9d, 0x29, 0x1a, 0x4b, 0xb3, 0x65, 0x1f, 0x39, 0x9d, 0xb3,
-	0xc7, 0xe8, 0xe0, 0x53, 0x40, 0x3b, 0xdb, 0xab, 0xff, 0xd1, 0xab, 0xc2, 0xc2, 0xdb, 0x38, 0xb9,
-	0x17, 0xcb, 0xb5, 0xa5, 0x5d, 0xaf, 0x2d, 0xed, 0x66, 0x6d, 0x69, 0x5f, 0x72, 0x0b, 0x2c, 0x73,
-	0x0b, 0x5c, 0xe7, 0x16, 0xb8, 0xc9, 0x2d, 0xf0, 0x3d, 0xb7, 0xc0, 0xd7, 0x1f, 0x96, 0xf6, 0xe1,
-	0xf8, 0xe0, 0x13, 0xfd, 0x1d, 0x00, 0x00, 0xff, 0xff, 0x04, 0x2e, 0xb0, 0xce, 0xc2, 0x03, 0x00,
-	0x00,
-}
+func (m *PriorityClassList) Reset() { *m = PriorityClassList{} }
 
 func (m *PriorityClass) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/api/scheduling/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/scheduling/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..0c7339ae79ea1
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,26 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*PriorityClass) ProtoMessage() {}
+
+func (*PriorityClassList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/scheduling/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/scheduling/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..16f40100cc24b
--- /dev/null
+++ b/staging/src/k8s.io/api/scheduling/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClass) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1beta1.PriorityClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PriorityClassList) OpenAPIModelName() string {
+	return "io.k8s.api.scheduling.v1beta1.PriorityClassList"
+}
diff --git a/staging/src/k8s.io/api/storage/v1/doc.go b/staging/src/k8s.io/api/storage/v1/doc.go
index 162a99522e59b..d344f997e0ee0 100644
--- a/staging/src/k8s.io/api/storage/v1/doc.go
+++ b/staging/src/k8s.io/api/storage/v1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.storage.v1
 
 package v1
diff --git a/staging/src/k8s.io/api/storage/v1/generated.pb.go b/staging/src/k8s.io/api/storage/v1/generated.pb.go
index 2b7aea92c5acb..52003c313298d 100644
--- a/staging/src/k8s.io/api/storage/v1/generated.pb.go
+++ b/staging/src/k8s.io/api/storage/v1/generated.pb.go
@@ -23,765 +23,59 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CSIDriver) Reset() { *m = CSIDriver{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CSIDriverList) Reset() { *m = CSIDriverList{} }
 
-func (m *CSIDriver) Reset()      { *m = CSIDriver{} }
-func (*CSIDriver) ProtoMessage() {}
-func (*CSIDriver) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{0}
-}
-func (m *CSIDriver) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriver) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriver) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriver.Merge(m, src)
-}
-func (m *CSIDriver) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriver) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriver.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIDriver proto.InternalMessageInfo
+func (m *CSIDriverSpec) Reset() { *m = CSIDriverSpec{} }
 
-func (m *CSIDriverList) Reset()      { *m = CSIDriverList{} }
-func (*CSIDriverList) ProtoMessage() {}
-func (*CSIDriverList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{1}
-}
-func (m *CSIDriverList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriverList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriverList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriverList.Merge(m, src)
-}
-func (m *CSIDriverList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriverList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriverList.DiscardUnknown(m)
-}
+func (m *CSINode) Reset() { *m = CSINode{} }
 
-var xxx_messageInfo_CSIDriverList proto.InternalMessageInfo
+func (m *CSINodeDriver) Reset() { *m = CSINodeDriver{} }
 
-func (m *CSIDriverSpec) Reset()      { *m = CSIDriverSpec{} }
-func (*CSIDriverSpec) ProtoMessage() {}
-func (*CSIDriverSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{2}
-}
-func (m *CSIDriverSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriverSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriverSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriverSpec.Merge(m, src)
-}
-func (m *CSIDriverSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriverSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriverSpec.DiscardUnknown(m)
-}
+func (m *CSINodeList) Reset() { *m = CSINodeList{} }
 
-var xxx_messageInfo_CSIDriverSpec proto.InternalMessageInfo
+func (m *CSINodeSpec) Reset() { *m = CSINodeSpec{} }
 
-func (m *CSINode) Reset()      { *m = CSINode{} }
-func (*CSINode) ProtoMessage() {}
-func (*CSINode) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{3}
-}
-func (m *CSINode) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINode) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINode) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINode.Merge(m, src)
-}
-func (m *CSINode) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINode) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINode.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSINode proto.InternalMessageInfo
-
-func (m *CSINodeDriver) Reset()      { *m = CSINodeDriver{} }
-func (*CSINodeDriver) ProtoMessage() {}
-func (*CSINodeDriver) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{4}
-}
-func (m *CSINodeDriver) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeDriver) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeDriver) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeDriver.Merge(m, src)
-}
-func (m *CSINodeDriver) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeDriver) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeDriver.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSINodeDriver proto.InternalMessageInfo
-
-func (m *CSINodeList) Reset()      { *m = CSINodeList{} }
-func (*CSINodeList) ProtoMessage() {}
-func (*CSINodeList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{5}
-}
-func (m *CSINodeList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeList.Merge(m, src)
-}
-func (m *CSINodeList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeList.DiscardUnknown(m)
-}
+func (m *CSIStorageCapacity) Reset() { *m = CSIStorageCapacity{} }
 
-var xxx_messageInfo_CSINodeList proto.InternalMessageInfo
+func (m *CSIStorageCapacityList) Reset() { *m = CSIStorageCapacityList{} }
 
-func (m *CSINodeSpec) Reset()      { *m = CSINodeSpec{} }
-func (*CSINodeSpec) ProtoMessage() {}
-func (*CSINodeSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{6}
-}
-func (m *CSINodeSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeSpec.Merge(m, src)
-}
-func (m *CSINodeSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeSpec.DiscardUnknown(m)
-}
+func (m *StorageClass) Reset() { *m = StorageClass{} }
 
-var xxx_messageInfo_CSINodeSpec proto.InternalMessageInfo
+func (m *StorageClassList) Reset() { *m = StorageClassList{} }
 
-func (m *CSIStorageCapacity) Reset()      { *m = CSIStorageCapacity{} }
-func (*CSIStorageCapacity) ProtoMessage() {}
-func (*CSIStorageCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{7}
-}
-func (m *CSIStorageCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacity.Merge(m, src)
-}
-func (m *CSIStorageCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacity.DiscardUnknown(m)
-}
+func (m *TokenRequest) Reset() { *m = TokenRequest{} }
 
-var xxx_messageInfo_CSIStorageCapacity proto.InternalMessageInfo
+func (m *VolumeAttachment) Reset() { *m = VolumeAttachment{} }
 
-func (m *CSIStorageCapacityList) Reset()      { *m = CSIStorageCapacityList{} }
-func (*CSIStorageCapacityList) ProtoMessage() {}
-func (*CSIStorageCapacityList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{8}
-}
-func (m *CSIStorageCapacityList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacityList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacityList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacityList.Merge(m, src)
-}
-func (m *CSIStorageCapacityList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacityList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacityList.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentList) Reset() { *m = VolumeAttachmentList{} }
 
-var xxx_messageInfo_CSIStorageCapacityList proto.InternalMessageInfo
+func (m *VolumeAttachmentSource) Reset() { *m = VolumeAttachmentSource{} }
 
-func (m *StorageClass) Reset()      { *m = StorageClass{} }
-func (*StorageClass) ProtoMessage() {}
-func (*StorageClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{9}
-}
-func (m *StorageClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageClass.Merge(m, src)
-}
-func (m *StorageClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageClass.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentSpec) Reset() { *m = VolumeAttachmentSpec{} }
 
-var xxx_messageInfo_StorageClass proto.InternalMessageInfo
+func (m *VolumeAttachmentStatus) Reset() { *m = VolumeAttachmentStatus{} }
 
-func (m *StorageClassList) Reset()      { *m = StorageClassList{} }
-func (*StorageClassList) ProtoMessage() {}
-func (*StorageClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{10}
-}
-func (m *StorageClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageClassList.Merge(m, src)
-}
-func (m *StorageClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageClassList.DiscardUnknown(m)
-}
+func (m *VolumeAttributesClass) Reset() { *m = VolumeAttributesClass{} }
 
-var xxx_messageInfo_StorageClassList proto.InternalMessageInfo
+func (m *VolumeAttributesClassList) Reset() { *m = VolumeAttributesClassList{} }
 
-func (m *TokenRequest) Reset()      { *m = TokenRequest{} }
-func (*TokenRequest) ProtoMessage() {}
-func (*TokenRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{11}
-}
-func (m *TokenRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenRequest.Merge(m, src)
-}
-func (m *TokenRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenRequest.DiscardUnknown(m)
-}
+func (m *VolumeError) Reset() { *m = VolumeError{} }
 
-var xxx_messageInfo_TokenRequest proto.InternalMessageInfo
-
-func (m *VolumeAttachment) Reset()      { *m = VolumeAttachment{} }
-func (*VolumeAttachment) ProtoMessage() {}
-func (*VolumeAttachment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{12}
-}
-func (m *VolumeAttachment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachment.Merge(m, src)
-}
-func (m *VolumeAttachment) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachment) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachment proto.InternalMessageInfo
-
-func (m *VolumeAttachmentList) Reset()      { *m = VolumeAttachmentList{} }
-func (*VolumeAttachmentList) ProtoMessage() {}
-func (*VolumeAttachmentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{13}
-}
-func (m *VolumeAttachmentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentList.Merge(m, src)
-}
-func (m *VolumeAttachmentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentList proto.InternalMessageInfo
-
-func (m *VolumeAttachmentSource) Reset()      { *m = VolumeAttachmentSource{} }
-func (*VolumeAttachmentSource) ProtoMessage() {}
-func (*VolumeAttachmentSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{14}
-}
-func (m *VolumeAttachmentSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSource.Merge(m, src)
-}
-func (m *VolumeAttachmentSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentSource proto.InternalMessageInfo
-
-func (m *VolumeAttachmentSpec) Reset()      { *m = VolumeAttachmentSpec{} }
-func (*VolumeAttachmentSpec) ProtoMessage() {}
-func (*VolumeAttachmentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{15}
-}
-func (m *VolumeAttachmentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSpec.Merge(m, src)
-}
-func (m *VolumeAttachmentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentSpec proto.InternalMessageInfo
-
-func (m *VolumeAttachmentStatus) Reset()      { *m = VolumeAttachmentStatus{} }
-func (*VolumeAttachmentStatus) ProtoMessage() {}
-func (*VolumeAttachmentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{16}
-}
-func (m *VolumeAttachmentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentStatus.Merge(m, src)
-}
-func (m *VolumeAttachmentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentStatus proto.InternalMessageInfo
-
-func (m *VolumeAttributesClass) Reset()      { *m = VolumeAttributesClass{} }
-func (*VolumeAttributesClass) ProtoMessage() {}
-func (*VolumeAttributesClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{17}
-}
-func (m *VolumeAttributesClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClass.Merge(m, src)
-}
-func (m *VolumeAttributesClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClass proto.InternalMessageInfo
-
-func (m *VolumeAttributesClassList) Reset()      { *m = VolumeAttributesClassList{} }
-func (*VolumeAttributesClassList) ProtoMessage() {}
-func (*VolumeAttributesClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{18}
-}
-func (m *VolumeAttributesClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClassList.Merge(m, src)
-}
-func (m *VolumeAttributesClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClassList proto.InternalMessageInfo
-
-func (m *VolumeError) Reset()      { *m = VolumeError{} }
-func (*VolumeError) ProtoMessage() {}
-func (*VolumeError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{19}
-}
-func (m *VolumeError) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeError.Merge(m, src)
-}
-func (m *VolumeError) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeError) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeError proto.InternalMessageInfo
-
-func (m *VolumeNodeResources) Reset()      { *m = VolumeNodeResources{} }
-func (*VolumeNodeResources) ProtoMessage() {}
-func (*VolumeNodeResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_662262cc70094b41, []int{20}
-}
-func (m *VolumeNodeResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeNodeResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeNodeResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeNodeResources.Merge(m, src)
-}
-func (m *VolumeNodeResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeNodeResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeNodeResources.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeNodeResources proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CSIDriver)(nil), "k8s.io.api.storage.v1.CSIDriver")
-	proto.RegisterType((*CSIDriverList)(nil), "k8s.io.api.storage.v1.CSIDriverList")
-	proto.RegisterType((*CSIDriverSpec)(nil), "k8s.io.api.storage.v1.CSIDriverSpec")
-	proto.RegisterType((*CSINode)(nil), "k8s.io.api.storage.v1.CSINode")
-	proto.RegisterType((*CSINodeDriver)(nil), "k8s.io.api.storage.v1.CSINodeDriver")
-	proto.RegisterType((*CSINodeList)(nil), "k8s.io.api.storage.v1.CSINodeList")
-	proto.RegisterType((*CSINodeSpec)(nil), "k8s.io.api.storage.v1.CSINodeSpec")
-	proto.RegisterType((*CSIStorageCapacity)(nil), "k8s.io.api.storage.v1.CSIStorageCapacity")
-	proto.RegisterType((*CSIStorageCapacityList)(nil), "k8s.io.api.storage.v1.CSIStorageCapacityList")
-	proto.RegisterType((*StorageClass)(nil), "k8s.io.api.storage.v1.StorageClass")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1.StorageClass.ParametersEntry")
-	proto.RegisterType((*StorageClassList)(nil), "k8s.io.api.storage.v1.StorageClassList")
-	proto.RegisterType((*TokenRequest)(nil), "k8s.io.api.storage.v1.TokenRequest")
-	proto.RegisterType((*VolumeAttachment)(nil), "k8s.io.api.storage.v1.VolumeAttachment")
-	proto.RegisterType((*VolumeAttachmentList)(nil), "k8s.io.api.storage.v1.VolumeAttachmentList")
-	proto.RegisterType((*VolumeAttachmentSource)(nil), "k8s.io.api.storage.v1.VolumeAttachmentSource")
-	proto.RegisterType((*VolumeAttachmentSpec)(nil), "k8s.io.api.storage.v1.VolumeAttachmentSpec")
-	proto.RegisterType((*VolumeAttachmentStatus)(nil), "k8s.io.api.storage.v1.VolumeAttachmentStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1.VolumeAttachmentStatus.AttachmentMetadataEntry")
-	proto.RegisterType((*VolumeAttributesClass)(nil), "k8s.io.api.storage.v1.VolumeAttributesClass")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1.VolumeAttributesClass.ParametersEntry")
-	proto.RegisterType((*VolumeAttributesClassList)(nil), "k8s.io.api.storage.v1.VolumeAttributesClassList")
-	proto.RegisterType((*VolumeError)(nil), "k8s.io.api.storage.v1.VolumeError")
-	proto.RegisterType((*VolumeNodeResources)(nil), "k8s.io.api.storage.v1.VolumeNodeResources")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/storage/v1/generated.proto", fileDescriptor_662262cc70094b41)
-}
-
-var fileDescriptor_662262cc70094b41 = []byte{
-	// 1782 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0x4b, 0x73, 0x2b, 0x47,
-	0x15, 0xf6, 0x58, 0x96, 0x6d, 0xb5, 0xac, 0x6b, 0xbb, 0xaf, 0x1d, 0x26, 0x5e, 0x48, 0xae, 0x49,
-	0x08, 0xce, 0x6b, 0x94, 0xeb, 0x84, 0x54, 0x2a, 0x90, 0x85, 0x47, 0x56, 0x88, 0x0b, 0xcb, 0xd7,
-	0x69, 0x39, 0xa9, 0x14, 0x05, 0x54, 0xda, 0x33, 0x6d, 0xb9, 0x63, 0xcd, 0x23, 0xd3, 0x3d, 0xc2,
-	0x62, 0x05, 0x3f, 0x80, 0x2a, 0xd8, 0xf2, 0x2b, 0xa0, 0x80, 0x0d, 0x4b, 0x16, 0xd4, 0x85, 0x62,
-	0x91, 0x62, 0x95, 0x95, 0x8a, 0x2b, 0xd6, 0xb0, 0x64, 0xe1, 0x15, 0xd5, 0x3d, 0xa3, 0x79, 0x69,
-	0xe4, 0x47, 0xa5, 0x4a, 0x3b, 0xf7, 0x79, 0x7c, 0x7d, 0xba, 0xcf, 0x39, 0x5f, 0x1f, 0x8d, 0xc1,
-	0xb7, 0xaf, 0xde, 0x63, 0x3a, 0x75, 0x9b, 0xd8, 0xa3, 0x4d, 0xc6, 0x5d, 0x1f, 0xf7, 0x48, 0x73,
-	0xf0, 0xa4, 0xd9, 0x23, 0x0e, 0xf1, 0x31, 0x27, 0x96, 0xee, 0xf9, 0x2e, 0x77, 0xe1, 0x76, 0x68,
-	0xa6, 0x63, 0x8f, 0xea, 0x91, 0x99, 0x3e, 0x78, 0xb2, 0xf3, 0x66, 0x8f, 0xf2, 0xcb, 0xe0, 0x5c,
-	0x37, 0x5d, 0xbb, 0xd9, 0x73, 0x7b, 0x6e, 0x53, 0x5a, 0x9f, 0x07, 0x17, 0x72, 0x25, 0x17, 0xf2,
-	0xaf, 0x10, 0x65, 0x47, 0x4b, 0x6d, 0x66, 0xba, 0x7e, 0xd1, 0x4e, 0x3b, 0xef, 0x24, 0x36, 0x36,
-	0x36, 0x2f, 0xa9, 0x43, 0xfc, 0x61, 0xd3, 0xbb, 0xea, 0x49, 0x27, 0x9f, 0x30, 0x37, 0xf0, 0x4d,
-	0xf2, 0x20, 0x2f, 0xd6, 0xb4, 0x09, 0xc7, 0x45, 0x7b, 0x35, 0x67, 0x79, 0xf9, 0x81, 0xc3, 0xa9,
-	0x3d, 0xbd, 0xcd, 0xbb, 0x77, 0x39, 0x30, 0xf3, 0x92, 0xd8, 0x38, 0xef, 0xa7, 0xfd, 0x49, 0x01,
-	0x95, 0x56, 0xf7, 0xe8, 0xd0, 0xa7, 0x03, 0xe2, 0xc3, 0xcf, 0xc1, 0xaa, 0x88, 0xc8, 0xc2, 0x1c,
-	0xab, 0xca, 0xae, 0xb2, 0x57, 0xdd, 0x7f, 0x4b, 0x4f, 0xee, 0x37, 0x06, 0xd6, 0xbd, 0xab, 0x9e,
-	0x10, 0x30, 0x5d, 0x58, 0xeb, 0x83, 0x27, 0xfa, 0xd3, 0xf3, 0x2f, 0x88, 0xc9, 0x3b, 0x84, 0x63,
-	0x03, 0x3e, 0x1b, 0x35, 0x16, 0xc6, 0xa3, 0x06, 0x48, 0x64, 0x28, 0x46, 0x85, 0x1f, 0x82, 0x25,
-	0xe6, 0x11, 0x53, 0x5d, 0x94, 0xe8, 0x2f, 0xeb, 0x85, 0xd9, 0xd3, 0xe3, 0x88, 0xba, 0x1e, 0x31,
-	0x8d, 0xb5, 0x08, 0x71, 0x49, 0xac, 0x90, 0xf4, 0xd7, 0xfe, 0xa8, 0x80, 0x5a, 0x6c, 0x75, 0x4c,
-	0x19, 0x87, 0x3f, 0x9e, 0x8a, 0x5d, 0xbf, 0x5f, 0xec, 0xc2, 0x5b, 0x46, 0xbe, 0x11, 0xed, 0xb3,
-	0x3a, 0x91, 0xa4, 0xe2, 0x6e, 0x83, 0x32, 0xe5, 0xc4, 0x66, 0xea, 0xe2, 0x6e, 0x69, 0xaf, 0xba,
-	0xbf, 0x7b, 0x57, 0xe0, 0x46, 0x2d, 0x02, 0x2b, 0x1f, 0x09, 0x37, 0x14, 0x7a, 0x6b, 0x7f, 0x2f,
-	0xa7, 0xc2, 0x16, 0xc7, 0x81, 0xef, 0x83, 0x47, 0x98, 0x73, 0x6c, 0x5e, 0x22, 0xf2, 0x65, 0x40,
-	0x7d, 0x62, 0xc9, 0xe0, 0x57, 0x0d, 0x38, 0x1e, 0x35, 0x1e, 0x1d, 0x64, 0x34, 0x28, 0x67, 0x29,
-	0x7c, 0x3d, 0xd7, 0x3a, 0x72, 0x2e, 0xdc, 0xa7, 0x4e, 0xc7, 0x0d, 0x1c, 0x2e, 0xaf, 0x35, 0xf2,
-	0x3d, 0xcd, 0x68, 0x50, 0xce, 0x12, 0x9a, 0x60, 0x6b, 0xe0, 0xf6, 0x03, 0x9b, 0x1c, 0xd3, 0x0b,
-	0x62, 0x0e, 0xcd, 0x3e, 0xe9, 0xb8, 0x16, 0x61, 0x6a, 0x69, 0xb7, 0xb4, 0x57, 0x31, 0x9a, 0xe3,
-	0x51, 0x63, 0xeb, 0xd3, 0x02, 0xfd, 0xcd, 0xa8, 0xf1, 0xb8, 0x40, 0x8e, 0x0a, 0xc1, 0xe0, 0x07,
-	0x60, 0x3d, 0xba, 0x9c, 0x16, 0xf6, 0xb0, 0x49, 0xf9, 0x50, 0x5d, 0x92, 0x11, 0x3e, 0x1e, 0x8f,
-	0x1a, 0xeb, 0xdd, 0xac, 0x0a, 0xe5, 0x6d, 0xe1, 0x47, 0xa0, 0x76, 0xc1, 0x7e, 0xe0, 0xbb, 0x81,
-	0x77, 0xea, 0xf6, 0xa9, 0x39, 0x54, 0xcb, 0xbb, 0xca, 0x5e, 0xc5, 0xd0, 0xc6, 0xa3, 0x46, 0xed,
-	0xc3, 0x6e, 0x4a, 0x71, 0x93, 0x17, 0xa0, 0xac, 0x23, 0xfc, 0x1c, 0xd4, 0xb8, 0x7b, 0x45, 0x1c,
-	0x71, 0x75, 0x84, 0x71, 0xa6, 0x2e, 0xcb, 0x34, 0xbe, 0x34, 0x23, 0x8d, 0x67, 0x29, 0x5b, 0x63,
-	0x3b, 0xca, 0x64, 0x2d, 0x2d, 0x65, 0x28, 0x0b, 0x08, 0x5b, 0x60, 0xd3, 0x0f, 0xf3, 0xc2, 0x10,
-	0xf1, 0x82, 0xf3, 0x3e, 0x65, 0x97, 0xea, 0x8a, 0x3c, 0xec, 0xf6, 0x78, 0xd4, 0xd8, 0x44, 0x79,
-	0x25, 0x9a, 0xb6, 0x87, 0xef, 0x80, 0x35, 0x46, 0x8e, 0xa9, 0x13, 0x5c, 0x87, 0xe9, 0x5c, 0x95,
-	0xfe, 0x1b, 0xe3, 0x51, 0x63, 0xad, 0xdb, 0x4e, 0xe4, 0x28, 0x63, 0x05, 0x07, 0x40, 0x73, 0x5c,
-	0x8b, 0x1c, 0xf4, 0xfb, 0xae, 0x89, 0x39, 0x3e, 0xef, 0x93, 0x4f, 0x3c, 0x0b, 0x73, 0x72, 0x4a,
-	0x7c, 0xea, 0x5a, 0x5d, 0x62, 0xba, 0x8e, 0xc5, 0xd4, 0xca, 0xae, 0xb2, 0x57, 0x32, 0x5e, 0x19,
-	0x8f, 0x1a, 0xda, 0xc9, 0x9d, 0xd6, 0xe8, 0x1e, 0x88, 0xda, 0xef, 0x15, 0xb0, 0xd2, 0xea, 0x1e,
-	0x09, 0xb4, 0x39, 0x30, 0xc7, 0x61, 0x86, 0x39, 0xb4, 0xd9, 0x0d, 0x28, 0xe2, 0x99, 0xc9, 0x1b,
-	0xff, 0x0d, 0x79, 0x43, 0xd8, 0x44, 0x9c, 0xb7, 0x0b, 0x96, 0x1c, 0x6c, 0x13, 0x19, 0x75, 0x25,
-	0xf1, 0x39, 0xc1, 0x36, 0x41, 0x52, 0x03, 0x5f, 0x01, 0xcb, 0xe2, 0x36, 0x8e, 0x0e, 0xe5, 0xde,
-	0x15, 0xe3, 0x51, 0x64, 0xb3, 0x7c, 0x22, 0xa5, 0x28, 0xd2, 0x8a, 0xec, 0x71, 0xd7, 0x73, 0xfb,
-	0x6e, 0x6f, 0xf8, 0x43, 0x32, 0x9c, 0xb4, 0x92, 0xcc, 0xde, 0x59, 0x4a, 0x8e, 0x32, 0x56, 0xf0,
-	0x27, 0xa0, 0x8a, 0x93, 0x7b, 0x96, 0xfd, 0x51, 0xdd, 0x7f, 0x6d, 0xc6, 0xf1, 0xc2, 0xd6, 0x13,
-	0xfb, 0xa2, 0xe8, 0xc1, 0x61, 0xc6, 0xfa, 0x78, 0xd4, 0xa8, 0xa6, 0x52, 0x85, 0xd2, 0x78, 0xda,
-	0xef, 0x14, 0x50, 0x8d, 0x0e, 0x3c, 0x07, 0x9a, 0x6c, 0x65, 0x69, 0xb2, 0x7e, 0x7b, 0x96, 0x66,
-	0x90, 0xe4, 0x4f, 0xe3, 0x88, 0x25, 0x43, 0x3e, 0x05, 0x2b, 0x96, 0x4c, 0x15, 0x53, 0x15, 0x89,
-	0xfa, 0xf2, 0xed, 0xa8, 0x11, 0x01, 0xaf, 0x47, 0xd8, 0x2b, 0xe1, 0x9a, 0xa1, 0x09, 0x8a, 0xf6,
-	0xbf, 0x12, 0x80, 0xad, 0xee, 0x51, 0x8e, 0x7e, 0xe6, 0x50, 0xc2, 0x14, 0xac, 0x89, 0x52, 0x99,
-	0x14, 0x43, 0x54, 0xca, 0x6f, 0xdf, 0xf3, 0xfe, 0xf1, 0x39, 0xe9, 0x77, 0x49, 0x9f, 0x98, 0xdc,
-	0xf5, 0xc3, 0xaa, 0x3a, 0x49, 0x81, 0xa1, 0x0c, 0x34, 0x3c, 0x04, 0x1b, 0x13, 0x36, 0xed, 0x63,
-	0xc6, 0x44, 0x35, 0xab, 0x25, 0x59, 0xbd, 0x6a, 0x14, 0xe2, 0x46, 0x37, 0xa7, 0x47, 0x53, 0x1e,
-	0xf0, 0x33, 0xb0, 0x6a, 0xa6, 0x89, 0xfb, 0x8e, 0x62, 0xd1, 0x27, 0x53, 0x90, 0xfe, 0x71, 0x80,
-	0x1d, 0x4e, 0xf9, 0xd0, 0x58, 0x13, 0x85, 0x12, 0x33, 0x7c, 0x8c, 0x06, 0x19, 0xd8, 0xb4, 0xf1,
-	0x35, 0xb5, 0x03, 0x3b, 0x2c, 0xe9, 0x2e, 0xfd, 0x39, 0x91, 0xf4, 0xfe, 0xf0, 0x2d, 0x24, 0xbd,
-	0x76, 0xf2, 0x60, 0x68, 0x1a, 0x5f, 0xfb, 0xab, 0x02, 0x5e, 0x98, 0x4e, 0xfc, 0x1c, 0xda, 0xe2,
-	0x24, 0xdb, 0x16, 0xaf, 0xce, 0x2e, 0xe0, 0x5c, 0x6c, 0x33, 0x3a, 0xe4, 0x57, 0xcb, 0x60, 0x2d,
-	0x9d, 0xbe, 0x39, 0xd4, 0xee, 0x77, 0x41, 0xd5, 0xf3, 0xdd, 0x01, 0x65, 0xd4, 0x75, 0x88, 0x1f,
-	0x31, 0xe1, 0xe3, 0xc8, 0xa5, 0x7a, 0x9a, 0xa8, 0x50, 0xda, 0x0e, 0xf6, 0x00, 0xf0, 0xb0, 0x8f,
-	0x6d, 0xc2, 0x45, 0xff, 0x96, 0xe4, 0xf1, 0xdf, 0x9e, 0x71, 0xfc, 0xf4, 0x89, 0xf4, 0xd3, 0xd8,
-	0xab, 0xed, 0x70, 0x7f, 0x98, 0x44, 0x97, 0x28, 0x50, 0x0a, 0x1a, 0x5e, 0x81, 0x9a, 0x4f, 0xcc,
-	0x3e, 0xa6, 0x76, 0x34, 0x2b, 0x2c, 0xc9, 0x08, 0xdb, 0xe2, 0xe1, 0x46, 0x69, 0xc5, 0xcd, 0xa8,
-	0xf1, 0xd6, 0xf4, 0xb4, 0xaf, 0x9f, 0x12, 0x9f, 0x51, 0xc6, 0x89, 0xc3, 0xc3, 0x82, 0xc9, 0xf8,
-	0xa0, 0x2c, 0xb6, 0x60, 0x7a, 0x5b, 0x3c, 0xbd, 0x4f, 0x3d, 0x4e, 0x5d, 0x87, 0xa9, 0xe5, 0x84,
-	0xe9, 0x3b, 0x29, 0x39, 0xca, 0x58, 0xc1, 0x63, 0xb0, 0x25, 0x98, 0xf9, 0x67, 0xe1, 0x06, 0xed,
-	0x6b, 0x0f, 0x3b, 0xe2, 0x96, 0xd4, 0x65, 0xf9, 0xca, 0xab, 0x62, 0xe4, 0x3a, 0x28, 0xd0, 0xa3,
-	0x42, 0x2f, 0xf8, 0x19, 0xd8, 0x0c, 0x67, 0x2e, 0x83, 0x3a, 0x16, 0x75, 0x7a, 0x62, 0xe2, 0x92,
-	0x03, 0x47, 0xc5, 0x78, 0x4d, 0x74, 0xc4, 0xa7, 0x79, 0xe5, 0x4d, 0x91, 0x10, 0x4d, 0x83, 0xc0,
-	0x2f, 0xc1, 0xa6, 0xdc, 0x91, 0x58, 0x11, 0x9d, 0x50, 0xc2, 0xd4, 0x55, 0x99, 0xba, 0xbd, 0x74,
-	0xea, 0xc4, 0xd5, 0x85, 0xd3, 0x52, 0x48, 0x3a, 0x13, 0x72, 0x3a, 0x23, 0xbe, 0x6d, 0xbc, 0x18,
-	0xe5, 0x6b, 0xf3, 0x20, 0x0f, 0x85, 0xa6, 0xd1, 0x77, 0x3e, 0x00, 0xeb, 0xb9, 0x84, 0xc3, 0x0d,
-	0x50, 0xba, 0x22, 0xc3, 0xf0, 0x59, 0x46, 0xe2, 0x4f, 0xb8, 0x05, 0xca, 0x03, 0xdc, 0x0f, 0x48,
-	0x58, 0x7c, 0x28, 0x5c, 0xbc, 0xbf, 0xf8, 0x9e, 0xa2, 0xfd, 0x59, 0x01, 0x19, 0x3a, 0x9b, 0x43,
-	0x4b, 0x7f, 0x94, 0x6d, 0xe9, 0x97, 0xee, 0x51, 0xd3, 0x33, 0x9a, 0xf9, 0x97, 0x0a, 0x58, 0x4b,
-	0x8f, 0x96, 0xf0, 0x0d, 0xb0, 0x8a, 0x03, 0x8b, 0x12, 0xc7, 0x9c, 0x4c, 0x25, 0x71, 0x20, 0x07,
-	0x91, 0x1c, 0xc5, 0x16, 0x62, 0xf0, 0x24, 0xd7, 0x1e, 0xf5, 0xb1, 0x28, 0xb2, 0xc9, 0xb0, 0xb7,
-	0x28, 0x87, 0x3d, 0xc9, 0x8c, 0xed, 0xbc, 0x12, 0x4d, 0xdb, 0x6b, 0xbf, 0x5d, 0x04, 0x1b, 0x61,
-	0x6d, 0x84, 0x3f, 0x39, 0x6c, 0xe2, 0xf0, 0x39, 0x90, 0x4a, 0x27, 0x33, 0xd3, 0xbd, 0x7e, 0xeb,
-	0xd0, 0x93, 0x04, 0x36, 0x6b, 0xb8, 0x83, 0x9f, 0x80, 0x65, 0xc6, 0x31, 0x0f, 0x98, 0x7c, 0xea,
-	0xaa, 0xfb, 0x6f, 0xde, 0x17, 0x50, 0x3a, 0x25, 0x73, 0x5d, 0xb8, 0x46, 0x11, 0x98, 0xf6, 0x17,
-	0x05, 0x6c, 0xe5, 0x5d, 0xe6, 0x50, 0x61, 0xc7, 0xd9, 0x0a, 0xfb, 0xce, 0x3d, 0x0f, 0x33, 0xa3,
-	0xca, 0xfe, 0xa9, 0x80, 0x17, 0xa6, 0xce, 0x2d, 0x5f, 0x52, 0xc1, 0x4b, 0x5e, 0x8e, 0xfd, 0x4e,
-	0x92, 0x89, 0x58, 0xf2, 0xd2, 0x69, 0x81, 0x1e, 0x15, 0x7a, 0xc1, 0x2f, 0xc0, 0x06, 0x75, 0xfa,
-	0xd4, 0x21, 0xd1, 0xc3, 0x9b, 0xe4, 0xb7, 0x90, 0x3c, 0xf2, 0xc8, 0x32, 0xb9, 0x5b, 0x62, 0x3e,
-	0x39, 0xca, 0xa1, 0xa0, 0x29, 0x5c, 0xed, 0x6f, 0x05, 0x99, 0x91, 0x33, 0xa3, 0x68, 0x21, 0x29,
-	0x21, 0xfe, 0x54, 0x0b, 0x45, 0x72, 0x14, 0x5b, 0xc8, 0xba, 0x91, 0x57, 0x11, 0x05, 0x7a, 0xef,
-	0xba, 0x91, 0x4e, 0xa9, 0xba, 0x91, 0x6b, 0x14, 0x81, 0x89, 0x20, 0xc4, 0x4c, 0x96, 0x9a, 0xbd,
-	0xe2, 0x20, 0x4e, 0x22, 0x39, 0x8a, 0x2d, 0xb4, 0xff, 0x94, 0x0a, 0x12, 0x24, 0x0b, 0x30, 0x75,
-	0x9a, 0xc9, 0xd7, 0x81, 0xfc, 0x69, 0xac, 0xf8, 0x34, 0x16, 0xfc, 0x8d, 0x02, 0x20, 0x8e, 0x21,
-	0x3a, 0x93, 0x02, 0x0d, 0xab, 0xa8, 0xfd, 0xa0, 0x96, 0xd0, 0x0f, 0xa6, 0x70, 0xc2, 0xd7, 0x78,
-	0x27, 0xda, 0x1f, 0x4e, 0x1b, 0xa0, 0x82, 0xcd, 0xa1, 0x05, 0xaa, 0xa1, 0xb4, 0xed, 0xfb, 0xae,
-	0x1f, 0xb5, 0xa7, 0x76, 0x6b, 0x2c, 0xd2, 0xd2, 0xa8, 0xcb, 0x1f, 0x37, 0x89, 0xeb, 0xcd, 0xa8,
-	0x51, 0x4d, 0xe9, 0x51, 0x1a, 0x56, 0xec, 0x62, 0x91, 0x64, 0x97, 0xa5, 0x87, 0xed, 0x72, 0x48,
-	0x66, 0xef, 0x92, 0x82, 0xdd, 0x69, 0x83, 0x6f, 0xcd, 0xb8, 0x96, 0x07, 0xbd, 0x59, 0xa3, 0x45,
-	0xb0, 0x1d, 0xdf, 0xba, 0x4f, 0xcf, 0x03, 0x4e, 0xd8, 0xbc, 0x86, 0xb9, 0x7d, 0x00, 0xc2, 0x1f,
-	0x43, 0xb2, 0x36, 0xc3, 0x59, 0x2e, 0xf6, 0x38, 0x8c, 0x35, 0x28, 0x65, 0x05, 0xbd, 0x82, 0x49,
-	0xee, 0xfb, 0x77, 0x55, 0x53, 0xfa, 0x5c, 0x0f, 0x1d, 0xe9, 0xbe, 0xe9, 0x50, 0xf0, 0x0f, 0x05,
-	0xbc, 0x58, 0x18, 0xc8, 0x1c, 0xb8, 0xfb, 0xe3, 0x2c, 0x77, 0xbf, 0xf1, 0x90, 0x7b, 0x9a, 0x41,
-	0xe0, 0x7f, 0x50, 0x40, 0xba, 0x26, 0xe1, 0x31, 0x58, 0xe2, 0x34, 0x62, 0xe9, 0xec, 0x07, 0x83,
-	0x5b, 0x82, 0x3f, 0xa3, 0x36, 0x49, 0x9e, 0x4e, 0xb1, 0x42, 0x12, 0x05, 0xbe, 0x0a, 0x56, 0x6c,
-	0xc2, 0x18, 0xee, 0x4d, 0xca, 0x21, 0xfe, 0xf9, 0xdc, 0x09, 0xc5, 0x68, 0xa2, 0x87, 0xaf, 0x83,
-	0x0a, 0x11, 0x11, 0xb4, 0xc4, 0xc0, 0x29, 0x3a, 0xb9, 0x6c, 0xd4, 0xc6, 0xa3, 0x46, 0xa5, 0x3d,
-	0x11, 0xa2, 0x44, 0xaf, 0xbd, 0x0b, 0x1e, 0x17, 0x7c, 0xb3, 0x80, 0x0d, 0x50, 0x36, 0xe5, 0x17,
-	0x2e, 0x45, 0xfa, 0x57, 0xc4, 0x69, 0x5b, 0xf2, 0xd3, 0x56, 0x28, 0x37, 0xbe, 0xf7, 0xec, 0x79,
-	0x7d, 0xe1, 0xab, 0xe7, 0xf5, 0x85, 0xaf, 0x9f, 0xd7, 0x17, 0x7e, 0x31, 0xae, 0x2b, 0xcf, 0xc6,
-	0x75, 0xe5, 0xab, 0x71, 0x5d, 0xf9, 0x7a, 0x5c, 0x57, 0xfe, 0x35, 0xae, 0x2b, 0xbf, 0xfe, 0x77,
-	0x7d, 0xe1, 0x47, 0xdb, 0x85, 0xff, 0x23, 0xf8, 0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x0a, 0xc6,
-	0x28, 0xb1, 0x3b, 0x18, 0x00, 0x00,
-}
+func (m *VolumeNodeResources) Reset() { *m = VolumeNodeResources{} }
 
 func (m *CSIDriver) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -893,6 +187,16 @@ func (m *CSIDriverSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.ServiceAccountTokenInSecrets != nil {
+		i--
+		if *m.ServiceAccountTokenInSecrets {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x50
+	}
 	if m.NodeAllocatableUpdatePeriodSeconds != nil {
 		i = encodeVarintGenerated(dAtA, i, uint64(*m.NodeAllocatableUpdatePeriodSeconds))
 		i--
@@ -1355,7 +659,7 @@ func (m *StorageClass) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Parameters {
 			keysForParameters = append(keysForParameters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		sort.Strings(keysForParameters)
 		for iNdEx := len(keysForParameters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Parameters[string(keysForParameters[iNdEx])]
 			baseI := i
@@ -1706,7 +1010,7 @@ func (m *VolumeAttachmentStatus) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		for k := range m.AttachmentMetadata {
 			keysForAttachmentMetadata = append(keysForAttachmentMetadata, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+		sort.Strings(keysForAttachmentMetadata)
 		for iNdEx := len(keysForAttachmentMetadata) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AttachmentMetadata[string(keysForAttachmentMetadata[iNdEx])]
 			baseI := i
@@ -1761,7 +1065,7 @@ func (m *VolumeAttributesClass) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Parameters {
 			keysForParameters = append(keysForParameters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		sort.Strings(keysForParameters)
 		for iNdEx := len(keysForParameters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Parameters[string(keysForParameters[iNdEx])]
 			baseI := i
@@ -1997,6 +1301,9 @@ func (m *CSIDriverSpec) Size() (n int) {
 	if m.NodeAllocatableUpdatePeriodSeconds != nil {
 		n += 1 + sovGenerated(uint64(*m.NodeAllocatableUpdatePeriodSeconds))
 	}
+	if m.ServiceAccountTokenInSecrets != nil {
+		n += 2
+	}
 	return n
 }
 
@@ -2393,6 +1700,7 @@ func (this *CSIDriverSpec) String() string {
 		`RequiresRepublish:` + valueToStringGenerated(this.RequiresRepublish) + `,`,
 		`SELinuxMount:` + valueToStringGenerated(this.SELinuxMount) + `,`,
 		`NodeAllocatableUpdatePeriodSeconds:` + valueToStringGenerated(this.NodeAllocatableUpdatePeriodSeconds) + `,`,
+		`ServiceAccountTokenInSecrets:` + valueToStringGenerated(this.ServiceAccountTokenInSecrets) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -2495,7 +1803,7 @@ func (this *StorageClass) String() string {
 	for k := range this.Parameters {
 		keysForParameters = append(keysForParameters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	sort.Strings(keysForParameters)
 	mapStringForParameters := "map[string]string{"
 	for _, k := range keysForParameters {
 		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
@@ -2600,7 +1908,7 @@ func (this *VolumeAttachmentStatus) String() string {
 	for k := range this.AttachmentMetadata {
 		keysForAttachmentMetadata = append(keysForAttachmentMetadata, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+	sort.Strings(keysForAttachmentMetadata)
 	mapStringForAttachmentMetadata := "map[string]string{"
 	for _, k := range keysForAttachmentMetadata {
 		mapStringForAttachmentMetadata += fmt.Sprintf("%v: %v,", k, this.AttachmentMetadata[k])
@@ -2623,7 +1931,7 @@ func (this *VolumeAttributesClass) String() string {
 	for k := range this.Parameters {
 		keysForParameters = append(keysForParameters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	sort.Strings(keysForParameters)
 	mapStringForParameters := "map[string]string{"
 	for _, k := range keysForParameters {
 		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
@@ -3169,6 +2477,27 @@ func (m *CSIDriverSpec) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.NodeAllocatableUpdatePeriodSeconds = &v
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountTokenInSecrets", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.ServiceAccountTokenInSecrets = &b
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/api/storage/v1/generated.proto b/staging/src/k8s.io/api/storage/v1/generated.proto
index d6965bf7ab84a..d77bea9cc0852 100644
--- a/staging/src/k8s.io/api/storage/v1/generated.proto
+++ b/staging/src/k8s.io/api/storage/v1/generated.proto
@@ -225,6 +225,30 @@ message CSIDriverSpec {
   // +featureGate=MutableCSINodeAllocatableCount
   // +optional
   optional int64 nodeAllocatableUpdatePeriodSeconds = 9;
+
+  // serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+  // service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+  // instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+  // field for sensitive information like tokens, which is the appropriate mechanism for
+  // handling credentials. This addresses security concerns where sensitive tokens were being
+  // logged as part of volume context.
+  //
+  // When "true", kubelet will pass the tokens only in the Secrets field with the key
+  // "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+  // tokens from the Secrets field instead of VolumeContext.
+  //
+  // When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+  // "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+  // compatibility with existing CSI drivers.
+  //
+  // This field can only be set when TokenRequests is configured. The API server will reject
+  // CSIDriver specs that set this field without TokenRequests.
+  //
+  // Default behavior if unset is to pass tokens in the VolumeContext field.
+  //
+  // +featureGate=CSIServiceAccountTokenSecrets
+  // +optional
+  optional bool serviceAccountTokenInSecrets = 10;
 }
 
 // CSINode holds information about all CSI drivers installed on a node.
@@ -409,6 +433,8 @@ message StorageClass {
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // provisioner indicates the type of the provisioner.
+  // +required
+  // +k8s:required
   optional string provisioner = 2;
 
   // parameters holds the parameters for the provisioner that should
diff --git a/staging/src/k8s.io/api/storage/v1/generated.protomessage.pb.go b/staging/src/k8s.io/api/storage/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..370206042254e
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1/generated.protomessage.pb.go
@@ -0,0 +1,64 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*CSIDriver) ProtoMessage() {}
+
+func (*CSIDriverList) ProtoMessage() {}
+
+func (*CSIDriverSpec) ProtoMessage() {}
+
+func (*CSINode) ProtoMessage() {}
+
+func (*CSINodeDriver) ProtoMessage() {}
+
+func (*CSINodeList) ProtoMessage() {}
+
+func (*CSINodeSpec) ProtoMessage() {}
+
+func (*CSIStorageCapacity) ProtoMessage() {}
+
+func (*CSIStorageCapacityList) ProtoMessage() {}
+
+func (*StorageClass) ProtoMessage() {}
+
+func (*StorageClassList) ProtoMessage() {}
+
+func (*TokenRequest) ProtoMessage() {}
+
+func (*VolumeAttachment) ProtoMessage() {}
+
+func (*VolumeAttachmentList) ProtoMessage() {}
+
+func (*VolumeAttachmentSource) ProtoMessage() {}
+
+func (*VolumeAttachmentSpec) ProtoMessage() {}
+
+func (*VolumeAttachmentStatus) ProtoMessage() {}
+
+func (*VolumeAttributesClass) ProtoMessage() {}
+
+func (*VolumeAttributesClassList) ProtoMessage() {}
+
+func (*VolumeError) ProtoMessage() {}
+
+func (*VolumeNodeResources) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/storage/v1/types.go b/staging/src/k8s.io/api/storage/v1/types.go
index 6d004e5ba929d..b198cb7138a77 100644
--- a/staging/src/k8s.io/api/storage/v1/types.go
+++ b/staging/src/k8s.io/api/storage/v1/types.go
@@ -41,6 +41,8 @@ type StorageClass struct {
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// provisioner indicates the type of the provisioner.
+	// +required
+	// +k8s:required
 	Provisioner string `json:"provisioner" protobuf:"bytes,2,opt,name=provisioner"`
 
 	// parameters holds the parameters for the provisioner that should
@@ -443,6 +445,30 @@ type CSIDriverSpec struct {
 	// +featureGate=MutableCSINodeAllocatableCount
 	// +optional
 	NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty" protobuf:"varint,9,opt,name=nodeAllocatableUpdatePeriodSeconds"`
+
+	// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+	// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+	// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+	// field for sensitive information like tokens, which is the appropriate mechanism for
+	// handling credentials. This addresses security concerns where sensitive tokens were being
+	// logged as part of volume context.
+	//
+	// When "true", kubelet will pass the tokens only in the Secrets field with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+	// tokens from the Secrets field instead of VolumeContext.
+	//
+	// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+	// compatibility with existing CSI drivers.
+	//
+	// This field can only be set when TokenRequests is configured. The API server will reject
+	// CSIDriver specs that set this field without TokenRequests.
+	//
+	// Default behavior if unset is to pass tokens in the VolumeContext field.
+	//
+	// +featureGate=CSIServiceAccountTokenSecrets
+	// +optional
+	ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty" protobuf:"varint,10,opt,name=serviceAccountTokenInSecrets"`
 }
 
 // FSGroupPolicy specifies if a CSI Driver supports modifying
diff --git a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go
index 2e5a844311f74..7f06c2744f9cb 100644
--- a/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/storage/v1/types_swagger_doc_generated.go
@@ -58,6 +58,7 @@ var map_CSIDriverSpec = map[string]string{
 	"requiresRepublish":                  "requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.",
 	"seLinuxMount":                       "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
 	"nodeAllocatableUpdatePeriodSeconds": "nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.\n\nThis is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.\n\nThis field is mutable.",
+	"serviceAccountTokenInSecrets":       "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
 }
 
 func (CSIDriverSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/storage/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/storage/v1/zz_generated.deepcopy.go
index 3379fc451882e..b9e0a7d91253b 100644
--- a/staging/src/k8s.io/api/storage/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/storage/v1/zz_generated.deepcopy.go
@@ -137,6 +137,11 @@ func (in *CSIDriverSpec) DeepCopyInto(out *CSIDriverSpec) {
 		*out = new(int64)
 		**out = **in
 	}
+	if in.ServiceAccountTokenInSecrets != nil {
+		in, out := &in.ServiceAccountTokenInSecrets, &out.ServiceAccountTokenInSecrets
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/api/storage/v1/zz_generated.model_name.go b/staging/src/k8s.io/api/storage/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..6ef6371006673
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1/zz_generated.model_name.go
@@ -0,0 +1,127 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriver) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSIDriver"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriverList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSIDriverList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriverSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSIDriverSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINode) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSINode"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeDriver) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSINodeDriver"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSINodeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSINodeSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSIStorageCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacityList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.CSIStorageCapacityList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageClass) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.StorageClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageClassList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.StorageClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenRequest) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.TokenRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachment) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttachment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttachmentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSource) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttachmentSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttachmentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttachmentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClass) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttributesClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClassList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeAttributesClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeError) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeError"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeNodeResources) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1.VolumeNodeResources"
+}
diff --git a/staging/src/k8s.io/api/storage/v1alpha1/doc.go b/staging/src/k8s.io/api/storage/v1alpha1/doc.go
index 90af522ade321..18f9c9c3a2f39 100644
--- a/staging/src/k8s.io/api/storage/v1alpha1/doc.go
+++ b/staging/src/k8s.io/api/storage/v1alpha1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.storage.v1alpha1
 
 package v1alpha1
diff --git a/staging/src/k8s.io/api/storage/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/storage/v1alpha1/generated.pb.go
index c0a2f36aafc74..ffcb6b5ae49c0 100644
--- a/staging/src/k8s.io/api/storage/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/api/storage/v1alpha1/generated.pb.go
@@ -23,397 +23,36 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CSIStorageCapacity) Reset() { *m = CSIStorageCapacity{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CSIStorageCapacityList) Reset() { *m = CSIStorageCapacityList{} }
 
-func (m *CSIStorageCapacity) Reset()      { *m = CSIStorageCapacity{} }
-func (*CSIStorageCapacity) ProtoMessage() {}
-func (*CSIStorageCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{0}
-}
-func (m *CSIStorageCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacity.Merge(m, src)
-}
-func (m *CSIStorageCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIStorageCapacity proto.InternalMessageInfo
-
-func (m *CSIStorageCapacityList) Reset()      { *m = CSIStorageCapacityList{} }
-func (*CSIStorageCapacityList) ProtoMessage() {}
-func (*CSIStorageCapacityList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{1}
-}
-func (m *CSIStorageCapacityList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacityList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacityList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacityList.Merge(m, src)
-}
-func (m *CSIStorageCapacityList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacityList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacityList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIStorageCapacityList proto.InternalMessageInfo
-
-func (m *VolumeAttachment) Reset()      { *m = VolumeAttachment{} }
-func (*VolumeAttachment) ProtoMessage() {}
-func (*VolumeAttachment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{2}
-}
-func (m *VolumeAttachment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachment.Merge(m, src)
-}
-func (m *VolumeAttachment) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachment) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachment proto.InternalMessageInfo
-
-func (m *VolumeAttachmentList) Reset()      { *m = VolumeAttachmentList{} }
-func (*VolumeAttachmentList) ProtoMessage() {}
-func (*VolumeAttachmentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{3}
-}
-func (m *VolumeAttachmentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentList.Merge(m, src)
-}
-func (m *VolumeAttachmentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentList proto.InternalMessageInfo
-
-func (m *VolumeAttachmentSource) Reset()      { *m = VolumeAttachmentSource{} }
-func (*VolumeAttachmentSource) ProtoMessage() {}
-func (*VolumeAttachmentSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{4}
-}
-func (m *VolumeAttachmentSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSource.Merge(m, src)
-}
-func (m *VolumeAttachmentSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSource.DiscardUnknown(m)
-}
+func (m *VolumeAttachment) Reset() { *m = VolumeAttachment{} }
 
-var xxx_messageInfo_VolumeAttachmentSource proto.InternalMessageInfo
+func (m *VolumeAttachmentList) Reset() { *m = VolumeAttachmentList{} }
 
-func (m *VolumeAttachmentSpec) Reset()      { *m = VolumeAttachmentSpec{} }
-func (*VolumeAttachmentSpec) ProtoMessage() {}
-func (*VolumeAttachmentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{5}
-}
-func (m *VolumeAttachmentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSpec.Merge(m, src)
-}
-func (m *VolumeAttachmentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSpec.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentSource) Reset() { *m = VolumeAttachmentSource{} }
 
-var xxx_messageInfo_VolumeAttachmentSpec proto.InternalMessageInfo
+func (m *VolumeAttachmentSpec) Reset() { *m = VolumeAttachmentSpec{} }
 
-func (m *VolumeAttachmentStatus) Reset()      { *m = VolumeAttachmentStatus{} }
-func (*VolumeAttachmentStatus) ProtoMessage() {}
-func (*VolumeAttachmentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{6}
-}
-func (m *VolumeAttachmentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentStatus.Merge(m, src)
-}
-func (m *VolumeAttachmentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentStatus.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentStatus) Reset() { *m = VolumeAttachmentStatus{} }
 
-var xxx_messageInfo_VolumeAttachmentStatus proto.InternalMessageInfo
+func (m *VolumeAttributesClass) Reset() { *m = VolumeAttributesClass{} }
 
-func (m *VolumeAttributesClass) Reset()      { *m = VolumeAttributesClass{} }
-func (*VolumeAttributesClass) ProtoMessage() {}
-func (*VolumeAttributesClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{7}
-}
-func (m *VolumeAttributesClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClass.Merge(m, src)
-}
-func (m *VolumeAttributesClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClass proto.InternalMessageInfo
-
-func (m *VolumeAttributesClassList) Reset()      { *m = VolumeAttributesClassList{} }
-func (*VolumeAttributesClassList) ProtoMessage() {}
-func (*VolumeAttributesClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{8}
-}
-func (m *VolumeAttributesClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClassList.Merge(m, src)
-}
-func (m *VolumeAttributesClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClassList proto.InternalMessageInfo
+func (m *VolumeAttributesClassList) Reset() { *m = VolumeAttributesClassList{} }
 
-func (m *VolumeError) Reset()      { *m = VolumeError{} }
-func (*VolumeError) ProtoMessage() {}
-func (*VolumeError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_02e7952e43280c27, []int{9}
-}
-func (m *VolumeError) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeError.Merge(m, src)
-}
-func (m *VolumeError) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeError) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeError proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CSIStorageCapacity)(nil), "k8s.io.api.storage.v1alpha1.CSIStorageCapacity")
-	proto.RegisterType((*CSIStorageCapacityList)(nil), "k8s.io.api.storage.v1alpha1.CSIStorageCapacityList")
-	proto.RegisterType((*VolumeAttachment)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachment")
-	proto.RegisterType((*VolumeAttachmentList)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachmentList")
-	proto.RegisterType((*VolumeAttachmentSource)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachmentSource")
-	proto.RegisterType((*VolumeAttachmentSpec)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachmentSpec")
-	proto.RegisterType((*VolumeAttachmentStatus)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachmentStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttachmentStatus.AttachmentMetadataEntry")
-	proto.RegisterType((*VolumeAttributesClass)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttributesClass")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttributesClass.ParametersEntry")
-	proto.RegisterType((*VolumeAttributesClassList)(nil), "k8s.io.api.storage.v1alpha1.VolumeAttributesClassList")
-	proto.RegisterType((*VolumeError)(nil), "k8s.io.api.storage.v1alpha1.VolumeError")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/storage/v1alpha1/generated.proto", fileDescriptor_02e7952e43280c27)
-}
-
-var fileDescriptor_02e7952e43280c27 = []byte{
-	// 1031 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x57, 0x4d, 0x6f, 0x1b, 0x45,
-	0x18, 0xce, 0xfa, 0xa3, 0x75, 0xc6, 0x29, 0x75, 0x47, 0x6e, 0x31, 0xae, 0xb4, 0xae, 0x7c, 0x32,
-	0x94, 0xee, 0x92, 0x80, 0x50, 0x85, 0xc4, 0xc1, 0x9b, 0xe4, 0x10, 0x91, 0x84, 0x32, 0x8e, 0x00,
-	0x01, 0x07, 0xc6, 0xeb, 0xc1, 0x9e, 0xc4, 0xfb, 0xa1, 0x99, 0x59, 0x0b, 0x73, 0xe2, 0x27, 0x70,
-	0xe3, 0x1f, 0xf0, 0x07, 0xf8, 0x13, 0x39, 0x20, 0x51, 0xf5, 0xd4, 0x93, 0x45, 0x16, 0x7e, 0x03,
-	0x07, 0x2e, 0xa0, 0x9d, 0x1d, 0xef, 0x6e, 0xbc, 0x76, 0x70, 0x72, 0xc8, 0xcd, 0xf3, 0x7e, 0x3c,
-	0xef, 0xd7, 0xf3, 0xbe, 0x9b, 0x80, 0xa7, 0x67, 0xcf, 0xb9, 0x41, 0x3d, 0x13, 0xfb, 0xd4, 0xe4,
-	0xc2, 0x63, 0x78, 0x48, 0xcc, 0xc9, 0x36, 0x1e, 0xfb, 0x23, 0xbc, 0x6d, 0x0e, 0x89, 0x4b, 0x18,
-	0x16, 0x64, 0x60, 0xf8, 0xcc, 0x13, 0x1e, 0x7c, 0x1c, 0x1b, 0x1b, 0xd8, 0xa7, 0x86, 0x32, 0x36,
-	0xe6, 0xc6, 0xcd, 0x67, 0x43, 0x2a, 0x46, 0x41, 0xdf, 0xb0, 0x3d, 0xc7, 0x1c, 0x7a, 0x43, 0xcf,
-	0x94, 0x3e, 0xfd, 0xe0, 0x3b, 0xf9, 0x92, 0x0f, 0xf9, 0x2b, 0xc6, 0x6a, 0xb6, 0x33, 0x81, 0x6d,
-	0x8f, 0x45, 0x51, 0x17, 0xe3, 0x35, 0x3f, 0x48, 0x6d, 0x1c, 0x6c, 0x8f, 0xa8, 0x4b, 0xd8, 0xd4,
-	0xf4, 0xcf, 0x86, 0xd2, 0x89, 0x11, 0xee, 0x05, 0xcc, 0x26, 0xd7, 0xf2, 0xe2, 0xa6, 0x43, 0x04,
-	0x5e, 0x16, 0xcb, 0x5c, 0xe5, 0xc5, 0x02, 0x57, 0x50, 0x27, 0x1f, 0xe6, 0xc3, 0xff, 0x73, 0xe0,
-	0xf6, 0x88, 0x38, 0x78, 0xd1, 0xaf, 0xfd, 0x77, 0x11, 0xc0, 0xdd, 0xde, 0x41, 0x2f, 0xee, 0xdf,
-	0x2e, 0xf6, 0xb1, 0x4d, 0xc5, 0x14, 0x7e, 0x0b, 0x2a, 0x51, 0x6a, 0x03, 0x2c, 0x70, 0x43, 0x7b,
-	0xa2, 0x75, 0xaa, 0x3b, 0xef, 0x19, 0x69, 0xbb, 0x93, 0x08, 0x86, 0x7f, 0x36, 0x8c, 0x04, 0xdc,
-	0x88, 0xac, 0x8d, 0xc9, 0xb6, 0xf1, 0x69, 0xff, 0x94, 0xd8, 0xe2, 0x88, 0x08, 0x6c, 0xc1, 0xf3,
-	0x59, 0x6b, 0x23, 0x9c, 0xb5, 0x40, 0x2a, 0x43, 0x09, 0x2a, 0xa4, 0x60, 0xcb, 0xf5, 0x06, 0xe4,
-	0xc4, 0xf3, 0xbd, 0xb1, 0x37, 0x9c, 0x36, 0x0a, 0x32, 0xca, 0xfb, 0xeb, 0x45, 0x39, 0xc4, 0x7d,
-	0x32, 0xee, 0x91, 0x31, 0xb1, 0x85, 0xc7, 0xac, 0x5a, 0x38, 0x6b, 0x6d, 0x1d, 0x67, 0xc0, 0xd0,
-	0x25, 0x68, 0xb8, 0x07, 0x6a, 0x8a, 0x1f, 0xbb, 0x63, 0xcc, 0xf9, 0x31, 0x76, 0x48, 0xa3, 0xf8,
-	0x44, 0xeb, 0x6c, 0x5a, 0x0d, 0x95, 0x62, 0xad, 0xb7, 0xa0, 0x47, 0x39, 0x0f, 0xf8, 0x25, 0xa8,
-	0xd8, 0xaa, 0x3d, 0x8d, 0x92, 0x4c, 0xd6, 0xb8, 0x2a, 0x59, 0x63, 0xce, 0x08, 0xe3, 0xb3, 0x00,
-	0xbb, 0x82, 0x8a, 0xa9, 0xb5, 0x15, 0xce, 0x5a, 0x95, 0x79, 0x8b, 0x51, 0x82, 0x06, 0x39, 0x78,
-	0xe0, 0xe0, 0xef, 0xa9, 0x13, 0x38, 0x9f, 0x7b, 0xe3, 0xc0, 0x21, 0x3d, 0xfa, 0x03, 0x69, 0x94,
-	0x6f, 0x14, 0xe2, 0x61, 0x38, 0x6b, 0x3d, 0x38, 0x5a, 0x04, 0x43, 0x79, 0xfc, 0xf6, 0x6f, 0x1a,
-	0x78, 0x94, 0x1f, 0xfc, 0x21, 0xe5, 0x02, 0x7e, 0x93, 0x1b, 0xbe, 0xb1, 0xe6, 0x58, 0x28, 0x8f,
-	0x47, 0x5f, 0x53, 0x7d, 0xad, 0xcc, 0x25, 0x99, 0xc1, 0x9f, 0x80, 0x32, 0x15, 0xc4, 0xe1, 0x8d,
-	0xc2, 0x93, 0x62, 0xa7, 0xba, 0x63, 0x1a, 0x57, 0xac, 0xb1, 0x91, 0xcf, 0xd0, 0xba, 0xa7, 0xb0,
-	0xcb, 0x07, 0x11, 0x0a, 0x8a, 0xc1, 0xda, 0xbf, 0x14, 0x40, 0x2d, 0xae, 0xae, 0x2b, 0x04, 0xb6,
-	0x47, 0x0e, 0x71, 0xc5, 0x2d, 0xb0, 0xb8, 0x07, 0x4a, 0xdc, 0x27, 0xb6, 0x62, 0xef, 0xf6, 0x95,
-	0xb5, 0x2c, 0xa6, 0xd7, 0xf3, 0x89, 0x6d, 0x6d, 0x29, 0xf8, 0x52, 0xf4, 0x42, 0x12, 0x0c, 0x7e,
-	0x0d, 0xee, 0x70, 0x81, 0x45, 0xc0, 0x25, 0x4b, 0x2f, 0x2f, 0xc5, 0x1a, 0xb0, 0xd2, 0xd5, 0x7a,
-	0x43, 0x01, 0xdf, 0x89, 0xdf, 0x48, 0x41, 0xb6, 0xcf, 0x35, 0x50, 0x5f, 0x74, 0xb9, 0x85, 0xa9,
-	0xa3, 0xcb, 0x53, 0x7f, 0x76, 0xad, 0x92, 0x56, 0xcc, 0xfc, 0x95, 0x06, 0x1e, 0xe5, 0xaa, 0x97,
-	0x0b, 0x01, 0x0f, 0x41, 0xdd, 0x27, 0x8c, 0x53, 0x2e, 0x88, 0x2b, 0x62, 0x1b, 0xb9, 0xf6, 0x5a,
-	0xbc, 0xf6, 0xe1, 0xac, 0x55, 0x7f, 0xb1, 0x44, 0x8f, 0x96, 0x7a, 0xc1, 0x53, 0x50, 0xa3, 0xee,
-	0x98, 0xba, 0x44, 0xed, 0x4f, 0x3a, 0xf1, 0x4e, 0xb6, 0x8e, 0xe8, 0xc3, 0x11, 0x35, 0x64, 0x11,
-	0x59, 0x0e, 0xba, 0x1e, 0x9d, 0x99, 0x83, 0x05, 0x14, 0x94, 0xc3, 0x6d, 0xff, 0xbe, 0x64, 0x3e,
-	0x91, 0x02, 0xbe, 0x0b, 0x2a, 0x58, 0x4a, 0x08, 0x53, 0x65, 0x24, 0xfd, 0xee, 0x2a, 0x39, 0x4a,
-	0x2c, 0x24, 0x87, 0x64, 0x2b, 0x96, 0x1c, 0xd6, 0x35, 0x38, 0x24, 0x5d, 0x33, 0x1c, 0x92, 0x6f,
-	0xa4, 0x20, 0xa3, 0x54, 0xa2, 0x03, 0x9b, 0x39, 0xa4, 0x49, 0x2a, 0xc7, 0x4a, 0x8e, 0x12, 0x8b,
-	0xf6, 0xbf, 0xc5, 0x25, 0x63, 0x92, 0x64, 0xcc, 0xd4, 0x34, 0x90, 0x35, 0x55, 0x72, 0x35, 0x0d,
-	0x92, 0x9a, 0x06, 0xf0, 0x67, 0x0d, 0x40, 0x9c, 0x40, 0x1c, 0xcd, 0xc9, 0x1a, 0x33, 0xea, 0x93,
-	0x1b, 0x2c, 0x89, 0xd1, 0xcd, 0xa1, 0xed, 0xbb, 0x82, 0x4d, 0xad, 0xa6, 0xca, 0x02, 0xe6, 0x0d,
-	0xd0, 0x92, 0x14, 0xe0, 0x29, 0xa8, 0xc6, 0xd2, 0x7d, 0xc6, 0x3c, 0xa6, 0xd6, 0xb6, 0xb3, 0x46,
-	0x46, 0xd2, 0xde, 0xd2, 0xc3, 0x59, 0xab, 0xda, 0x4d, 0x01, 0xfe, 0x99, 0xb5, 0xaa, 0x19, 0x3d,
-	0xca, 0x82, 0x47, 0xb1, 0x06, 0x24, 0x8d, 0x55, 0xba, 0x49, 0xac, 0x3d, 0xb2, 0x3a, 0x56, 0x06,
-	0xbc, 0xb9, 0x0f, 0xde, 0x5c, 0xd1, 0x22, 0x58, 0x03, 0xc5, 0x33, 0x32, 0x8d, 0x99, 0x88, 0xa2,
-	0x9f, 0xb0, 0x0e, 0xca, 0x13, 0x3c, 0x0e, 0x62, 0xc6, 0x6d, 0xa2, 0xf8, 0xf1, 0x51, 0xe1, 0xb9,
-	0xd6, 0xfe, 0xab, 0x00, 0x1e, 0x26, 0x13, 0x60, 0xb4, 0x1f, 0x08, 0xc2, 0xe5, 0x87, 0xf5, 0x16,
-	0x2e, 0xf4, 0x0e, 0x00, 0x03, 0x46, 0x27, 0x84, 0x49, 0xb6, 0xca, 0xd4, 0x52, 0x8f, 0xbd, 0x44,
-	0x83, 0x32, 0x56, 0x70, 0x02, 0x80, 0x8f, 0x19, 0x76, 0x88, 0x20, 0x2c, 0x3a, 0xc2, 0x11, 0xbf,
-	0xac, 0xf5, 0xf8, 0x95, 0xad, 0xce, 0x78, 0x91, 0x80, 0xc4, 0xb4, 0x4a, 0xe2, 0xa6, 0x0a, 0x94,
-	0x89, 0xd4, 0xfc, 0x18, 0xdc, 0x5f, 0x70, 0xb9, 0x56, 0x9b, 0x5f, 0x69, 0xe0, 0xad, 0xa5, 0x89,
-	0xdc, 0xc2, 0x7d, 0xff, 0xe2, 0xf2, 0x7d, 0xdf, 0xb9, 0x7e, 0xb7, 0x56, 0x1c, 0xf9, 0x5f, 0x35,
-	0x90, 0xe5, 0x27, 0x3c, 0x04, 0xa5, 0xe8, 0xef, 0x59, 0x55, 0xc2, 0x3b, 0xeb, 0x95, 0x70, 0x42,
-	0x1d, 0x92, 0x7e, 0x6a, 0xa3, 0x17, 0x92, 0x28, 0xf0, 0x6d, 0x70, 0xd7, 0x21, 0x9c, 0xe3, 0xe1,
-	0x9c, 0x1a, 0xf7, 0x95, 0xd1, 0xdd, 0xa3, 0x58, 0x8c, 0xe6, 0x7a, 0xf8, 0x14, 0x6c, 0x92, 0x28,
-	0x83, 0x5d, 0x6f, 0x10, 0x5f, 0xbd, 0xb2, 0x75, 0x2f, 0x9c, 0xb5, 0x36, 0xf7, 0xe7, 0x42, 0x94,
-	0xea, 0xad, 0xee, 0xf9, 0x85, 0xbe, 0xf1, 0xf2, 0x42, 0xdf, 0x78, 0x7d, 0xa1, 0x6f, 0xfc, 0x18,
-	0xea, 0xda, 0x79, 0xa8, 0x6b, 0x2f, 0x43, 0x5d, 0x7b, 0x1d, 0xea, 0xda, 0x1f, 0xa1, 0xae, 0xfd,
-	0xf4, 0xa7, 0xbe, 0xf1, 0xd5, 0xe3, 0x2b, 0xfe, 0xdd, 0xf9, 0x2f, 0x00, 0x00, 0xff, 0xff, 0x23,
-	0x8e, 0x6a, 0x20, 0x0c, 0x0d, 0x00, 0x00,
-}
+func (m *VolumeError) Reset() { *m = VolumeError{} }
 
 func (m *CSIStorageCapacity) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -770,7 +409,7 @@ func (m *VolumeAttachmentStatus) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		for k := range m.AttachmentMetadata {
 			keysForAttachmentMetadata = append(keysForAttachmentMetadata, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+		sort.Strings(keysForAttachmentMetadata)
 		for iNdEx := len(keysForAttachmentMetadata) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AttachmentMetadata[string(keysForAttachmentMetadata[iNdEx])]
 			baseI := i
@@ -825,7 +464,7 @@ func (m *VolumeAttributesClass) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Parameters {
 			keysForParameters = append(keysForParameters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		sort.Strings(keysForParameters)
 		for iNdEx := len(keysForParameters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Parameters[string(keysForParameters[iNdEx])]
 			baseI := i
@@ -1244,7 +883,7 @@ func (this *VolumeAttachmentStatus) String() string {
 	for k := range this.AttachmentMetadata {
 		keysForAttachmentMetadata = append(keysForAttachmentMetadata, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+	sort.Strings(keysForAttachmentMetadata)
 	mapStringForAttachmentMetadata := "map[string]string{"
 	for _, k := range keysForAttachmentMetadata {
 		mapStringForAttachmentMetadata += fmt.Sprintf("%v: %v,", k, this.AttachmentMetadata[k])
@@ -1267,7 +906,7 @@ func (this *VolumeAttributesClass) String() string {
 	for k := range this.Parameters {
 		keysForParameters = append(keysForParameters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	sort.Strings(keysForParameters)
 	mapStringForParameters := "map[string]string{"
 	for _, k := range keysForParameters {
 		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
diff --git a/staging/src/k8s.io/api/storage/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/api/storage/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..d58dcac3c243f
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,42 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*CSIStorageCapacity) ProtoMessage() {}
+
+func (*CSIStorageCapacityList) ProtoMessage() {}
+
+func (*VolumeAttachment) ProtoMessage() {}
+
+func (*VolumeAttachmentList) ProtoMessage() {}
+
+func (*VolumeAttachmentSource) ProtoMessage() {}
+
+func (*VolumeAttachmentSpec) ProtoMessage() {}
+
+func (*VolumeAttachmentStatus) ProtoMessage() {}
+
+func (*VolumeAttributesClass) ProtoMessage() {}
+
+func (*VolumeAttributesClassList) ProtoMessage() {}
+
+func (*VolumeError) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/storage/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/api/storage/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..d35ce682b7d36
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,72 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.CSIStorageCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacityList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.CSIStorageCapacityList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachment) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttachment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttachmentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSource) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttachmentSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttachmentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttachmentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClass) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttributesClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClassList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeAttributesClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeError) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1alpha1.VolumeError"
+}
diff --git a/staging/src/k8s.io/api/storage/v1beta1/doc.go b/staging/src/k8s.io/api/storage/v1beta1/doc.go
index 174482b609201..f0eac351950bf 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/doc.go
+++ b/staging/src/k8s.io/api/storage/v1beta1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=storage.k8s.io
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.storage.v1beta1
 
 package v1beta1
diff --git a/staging/src/k8s.io/api/storage/v1beta1/generated.pb.go b/staging/src/k8s.io/api/storage/v1beta1/generated.pb.go
index 6d75868d6e953..ed03dd5059faf 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/storage/v1beta1/generated.pb.go
@@ -23,765 +23,59 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CSIDriver) Reset() { *m = CSIDriver{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CSIDriverList) Reset() { *m = CSIDriverList{} }
 
-func (m *CSIDriver) Reset()      { *m = CSIDriver{} }
-func (*CSIDriver) ProtoMessage() {}
-func (*CSIDriver) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{0}
-}
-func (m *CSIDriver) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriver) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriver) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriver.Merge(m, src)
-}
-func (m *CSIDriver) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriver) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriver.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSIDriver proto.InternalMessageInfo
+func (m *CSIDriverSpec) Reset() { *m = CSIDriverSpec{} }
 
-func (m *CSIDriverList) Reset()      { *m = CSIDriverList{} }
-func (*CSIDriverList) ProtoMessage() {}
-func (*CSIDriverList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{1}
-}
-func (m *CSIDriverList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriverList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriverList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriverList.Merge(m, src)
-}
-func (m *CSIDriverList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriverList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriverList.DiscardUnknown(m)
-}
+func (m *CSINode) Reset() { *m = CSINode{} }
 
-var xxx_messageInfo_CSIDriverList proto.InternalMessageInfo
+func (m *CSINodeDriver) Reset() { *m = CSINodeDriver{} }
 
-func (m *CSIDriverSpec) Reset()      { *m = CSIDriverSpec{} }
-func (*CSIDriverSpec) ProtoMessage() {}
-func (*CSIDriverSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{2}
-}
-func (m *CSIDriverSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIDriverSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIDriverSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIDriverSpec.Merge(m, src)
-}
-func (m *CSIDriverSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIDriverSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIDriverSpec.DiscardUnknown(m)
-}
+func (m *CSINodeList) Reset() { *m = CSINodeList{} }
 
-var xxx_messageInfo_CSIDriverSpec proto.InternalMessageInfo
+func (m *CSINodeSpec) Reset() { *m = CSINodeSpec{} }
 
-func (m *CSINode) Reset()      { *m = CSINode{} }
-func (*CSINode) ProtoMessage() {}
-func (*CSINode) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{3}
-}
-func (m *CSINode) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINode) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINode) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINode.Merge(m, src)
-}
-func (m *CSINode) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINode) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINode.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSINode proto.InternalMessageInfo
-
-func (m *CSINodeDriver) Reset()      { *m = CSINodeDriver{} }
-func (*CSINodeDriver) ProtoMessage() {}
-func (*CSINodeDriver) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{4}
-}
-func (m *CSINodeDriver) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeDriver) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeDriver) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeDriver.Merge(m, src)
-}
-func (m *CSINodeDriver) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeDriver) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeDriver.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CSINodeDriver proto.InternalMessageInfo
-
-func (m *CSINodeList) Reset()      { *m = CSINodeList{} }
-func (*CSINodeList) ProtoMessage() {}
-func (*CSINodeList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{5}
-}
-func (m *CSINodeList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeList.Merge(m, src)
-}
-func (m *CSINodeList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeList.DiscardUnknown(m)
-}
+func (m *CSIStorageCapacity) Reset() { *m = CSIStorageCapacity{} }
 
-var xxx_messageInfo_CSINodeList proto.InternalMessageInfo
+func (m *CSIStorageCapacityList) Reset() { *m = CSIStorageCapacityList{} }
 
-func (m *CSINodeSpec) Reset()      { *m = CSINodeSpec{} }
-func (*CSINodeSpec) ProtoMessage() {}
-func (*CSINodeSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{6}
-}
-func (m *CSINodeSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSINodeSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSINodeSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSINodeSpec.Merge(m, src)
-}
-func (m *CSINodeSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSINodeSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSINodeSpec.DiscardUnknown(m)
-}
+func (m *StorageClass) Reset() { *m = StorageClass{} }
 
-var xxx_messageInfo_CSINodeSpec proto.InternalMessageInfo
+func (m *StorageClassList) Reset() { *m = StorageClassList{} }
 
-func (m *CSIStorageCapacity) Reset()      { *m = CSIStorageCapacity{} }
-func (*CSIStorageCapacity) ProtoMessage() {}
-func (*CSIStorageCapacity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{7}
-}
-func (m *CSIStorageCapacity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacity.Merge(m, src)
-}
-func (m *CSIStorageCapacity) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacity) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacity.DiscardUnknown(m)
-}
+func (m *TokenRequest) Reset() { *m = TokenRequest{} }
 
-var xxx_messageInfo_CSIStorageCapacity proto.InternalMessageInfo
+func (m *VolumeAttachment) Reset() { *m = VolumeAttachment{} }
 
-func (m *CSIStorageCapacityList) Reset()      { *m = CSIStorageCapacityList{} }
-func (*CSIStorageCapacityList) ProtoMessage() {}
-func (*CSIStorageCapacityList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{8}
-}
-func (m *CSIStorageCapacityList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CSIStorageCapacityList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CSIStorageCapacityList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CSIStorageCapacityList.Merge(m, src)
-}
-func (m *CSIStorageCapacityList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CSIStorageCapacityList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CSIStorageCapacityList.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentList) Reset() { *m = VolumeAttachmentList{} }
 
-var xxx_messageInfo_CSIStorageCapacityList proto.InternalMessageInfo
+func (m *VolumeAttachmentSource) Reset() { *m = VolumeAttachmentSource{} }
 
-func (m *StorageClass) Reset()      { *m = StorageClass{} }
-func (*StorageClass) ProtoMessage() {}
-func (*StorageClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{9}
-}
-func (m *StorageClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageClass.Merge(m, src)
-}
-func (m *StorageClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageClass.DiscardUnknown(m)
-}
+func (m *VolumeAttachmentSpec) Reset() { *m = VolumeAttachmentSpec{} }
 
-var xxx_messageInfo_StorageClass proto.InternalMessageInfo
+func (m *VolumeAttachmentStatus) Reset() { *m = VolumeAttachmentStatus{} }
 
-func (m *StorageClassList) Reset()      { *m = StorageClassList{} }
-func (*StorageClassList) ProtoMessage() {}
-func (*StorageClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{10}
-}
-func (m *StorageClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageClassList.Merge(m, src)
-}
-func (m *StorageClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageClassList.DiscardUnknown(m)
-}
+func (m *VolumeAttributesClass) Reset() { *m = VolumeAttributesClass{} }
 
-var xxx_messageInfo_StorageClassList proto.InternalMessageInfo
+func (m *VolumeAttributesClassList) Reset() { *m = VolumeAttributesClassList{} }
 
-func (m *TokenRequest) Reset()      { *m = TokenRequest{} }
-func (*TokenRequest) ProtoMessage() {}
-func (*TokenRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{11}
-}
-func (m *TokenRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TokenRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TokenRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TokenRequest.Merge(m, src)
-}
-func (m *TokenRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *TokenRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_TokenRequest.DiscardUnknown(m)
-}
+func (m *VolumeError) Reset() { *m = VolumeError{} }
 
-var xxx_messageInfo_TokenRequest proto.InternalMessageInfo
-
-func (m *VolumeAttachment) Reset()      { *m = VolumeAttachment{} }
-func (*VolumeAttachment) ProtoMessage() {}
-func (*VolumeAttachment) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{12}
-}
-func (m *VolumeAttachment) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachment) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachment) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachment.Merge(m, src)
-}
-func (m *VolumeAttachment) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachment) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachment.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachment proto.InternalMessageInfo
-
-func (m *VolumeAttachmentList) Reset()      { *m = VolumeAttachmentList{} }
-func (*VolumeAttachmentList) ProtoMessage() {}
-func (*VolumeAttachmentList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{13}
-}
-func (m *VolumeAttachmentList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentList.Merge(m, src)
-}
-func (m *VolumeAttachmentList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentList proto.InternalMessageInfo
-
-func (m *VolumeAttachmentSource) Reset()      { *m = VolumeAttachmentSource{} }
-func (*VolumeAttachmentSource) ProtoMessage() {}
-func (*VolumeAttachmentSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{14}
-}
-func (m *VolumeAttachmentSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSource.Merge(m, src)
-}
-func (m *VolumeAttachmentSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentSource proto.InternalMessageInfo
-
-func (m *VolumeAttachmentSpec) Reset()      { *m = VolumeAttachmentSpec{} }
-func (*VolumeAttachmentSpec) ProtoMessage() {}
-func (*VolumeAttachmentSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{15}
-}
-func (m *VolumeAttachmentSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentSpec.Merge(m, src)
-}
-func (m *VolumeAttachmentSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentSpec proto.InternalMessageInfo
-
-func (m *VolumeAttachmentStatus) Reset()      { *m = VolumeAttachmentStatus{} }
-func (*VolumeAttachmentStatus) ProtoMessage() {}
-func (*VolumeAttachmentStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{16}
-}
-func (m *VolumeAttachmentStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttachmentStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttachmentStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttachmentStatus.Merge(m, src)
-}
-func (m *VolumeAttachmentStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttachmentStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttachmentStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttachmentStatus proto.InternalMessageInfo
-
-func (m *VolumeAttributesClass) Reset()      { *m = VolumeAttributesClass{} }
-func (*VolumeAttributesClass) ProtoMessage() {}
-func (*VolumeAttributesClass) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{17}
-}
-func (m *VolumeAttributesClass) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClass) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClass) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClass.Merge(m, src)
-}
-func (m *VolumeAttributesClass) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClass) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClass.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClass proto.InternalMessageInfo
-
-func (m *VolumeAttributesClassList) Reset()      { *m = VolumeAttributesClassList{} }
-func (*VolumeAttributesClassList) ProtoMessage() {}
-func (*VolumeAttributesClassList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{18}
-}
-func (m *VolumeAttributesClassList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeAttributesClassList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeAttributesClassList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeAttributesClassList.Merge(m, src)
-}
-func (m *VolumeAttributesClassList) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeAttributesClassList) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeAttributesClassList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeAttributesClassList proto.InternalMessageInfo
-
-func (m *VolumeError) Reset()      { *m = VolumeError{} }
-func (*VolumeError) ProtoMessage() {}
-func (*VolumeError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{19}
-}
-func (m *VolumeError) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeError.Merge(m, src)
-}
-func (m *VolumeError) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeError) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeError proto.InternalMessageInfo
-
-func (m *VolumeNodeResources) Reset()      { *m = VolumeNodeResources{} }
-func (*VolumeNodeResources) ProtoMessage() {}
-func (*VolumeNodeResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_73e4f72503e71065, []int{20}
-}
-func (m *VolumeNodeResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *VolumeNodeResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *VolumeNodeResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VolumeNodeResources.Merge(m, src)
-}
-func (m *VolumeNodeResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *VolumeNodeResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_VolumeNodeResources.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VolumeNodeResources proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CSIDriver)(nil), "k8s.io.api.storage.v1beta1.CSIDriver")
-	proto.RegisterType((*CSIDriverList)(nil), "k8s.io.api.storage.v1beta1.CSIDriverList")
-	proto.RegisterType((*CSIDriverSpec)(nil), "k8s.io.api.storage.v1beta1.CSIDriverSpec")
-	proto.RegisterType((*CSINode)(nil), "k8s.io.api.storage.v1beta1.CSINode")
-	proto.RegisterType((*CSINodeDriver)(nil), "k8s.io.api.storage.v1beta1.CSINodeDriver")
-	proto.RegisterType((*CSINodeList)(nil), "k8s.io.api.storage.v1beta1.CSINodeList")
-	proto.RegisterType((*CSINodeSpec)(nil), "k8s.io.api.storage.v1beta1.CSINodeSpec")
-	proto.RegisterType((*CSIStorageCapacity)(nil), "k8s.io.api.storage.v1beta1.CSIStorageCapacity")
-	proto.RegisterType((*CSIStorageCapacityList)(nil), "k8s.io.api.storage.v1beta1.CSIStorageCapacityList")
-	proto.RegisterType((*StorageClass)(nil), "k8s.io.api.storage.v1beta1.StorageClass")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1beta1.StorageClass.ParametersEntry")
-	proto.RegisterType((*StorageClassList)(nil), "k8s.io.api.storage.v1beta1.StorageClassList")
-	proto.RegisterType((*TokenRequest)(nil), "k8s.io.api.storage.v1beta1.TokenRequest")
-	proto.RegisterType((*VolumeAttachment)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachment")
-	proto.RegisterType((*VolumeAttachmentList)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachmentList")
-	proto.RegisterType((*VolumeAttachmentSource)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachmentSource")
-	proto.RegisterType((*VolumeAttachmentSpec)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachmentSpec")
-	proto.RegisterType((*VolumeAttachmentStatus)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachmentStatus")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1beta1.VolumeAttachmentStatus.AttachmentMetadataEntry")
-	proto.RegisterType((*VolumeAttributesClass)(nil), "k8s.io.api.storage.v1beta1.VolumeAttributesClass")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.api.storage.v1beta1.VolumeAttributesClass.ParametersEntry")
-	proto.RegisterType((*VolumeAttributesClassList)(nil), "k8s.io.api.storage.v1beta1.VolumeAttributesClassList")
-	proto.RegisterType((*VolumeError)(nil), "k8s.io.api.storage.v1beta1.VolumeError")
-	proto.RegisterType((*VolumeNodeResources)(nil), "k8s.io.api.storage.v1beta1.VolumeNodeResources")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/storage/v1beta1/generated.proto", fileDescriptor_73e4f72503e71065)
-}
-
-var fileDescriptor_73e4f72503e71065 = []byte{
-	// 1787 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0x4f, 0x6f, 0x24, 0x47,
-	0x15, 0x77, 0x7b, 0xfc, 0x6f, 0x6a, 0xec, 0xb5, 0x5d, 0xeb, 0x0d, 0x13, 0x1f, 0x66, 0xac, 0x46,
-	0x24, 0xde, 0x25, 0xf4, 0xec, 0x9a, 0x10, 0xad, 0x22, 0x45, 0xc2, 0x6d, 0x1b, 0xe2, 0xc4, 0xf6,
-	0x3a, 0x35, 0x66, 0x15, 0x45, 0x1c, 0xa8, 0xe9, 0xae, 0x1d, 0x57, 0x3c, 0xfd, 0x27, 0x5d, 0xd5,
-	0xc6, 0xc3, 0x09, 0xbe, 0x01, 0xe2, 0xc0, 0x27, 0xe0, 0x1b, 0x20, 0x90, 0xe0, 0xc2, 0x91, 0x95,
-	0x90, 0x20, 0x70, 0xca, 0x69, 0xc4, 0x4e, 0x3e, 0x02, 0x12, 0x07, 0x8b, 0x03, 0xaa, 0xea, 0x9a,
-	0xfe, 0x3f, 0xeb, 0x19, 0x90, 0xe6, 0xe6, 0x7a, 0x7f, 0x7e, 0xf5, 0xaa, 0xde, 0x7b, 0xbf, 0x7a,
-	0x3d, 0x06, 0x8f, 0xae, 0x9e, 0x32, 0x83, 0x7a, 0x2d, 0xec, 0xd3, 0x16, 0xe3, 0x5e, 0x80, 0xbb,
-	0xa4, 0x75, 0xfd, 0xa4, 0x43, 0x38, 0x7e, 0xd2, 0xea, 0x12, 0x97, 0x04, 0x98, 0x13, 0xdb, 0xf0,
-	0x03, 0x8f, 0x7b, 0x70, 0x3b, 0xb2, 0x35, 0xb0, 0x4f, 0x0d, 0x65, 0x6b, 0x28, 0xdb, 0xed, 0xef,
-	0x74, 0x29, 0xbf, 0x0c, 0x3b, 0x86, 0xe5, 0x39, 0xad, 0xae, 0xd7, 0xf5, 0x5a, 0xd2, 0xa5, 0x13,
-	0xbe, 0x90, 0x2b, 0xb9, 0x90, 0x7f, 0x45, 0x50, 0xdb, 0x7a, 0x6a, 0x5b, 0xcb, 0x0b, 0xc4, 0x9e,
-	0xf9, 0xed, 0xb6, 0xdf, 0x4d, 0x6c, 0x1c, 0x6c, 0x5d, 0x52, 0x97, 0x04, 0xfd, 0x96, 0x7f, 0xd5,
-	0x95, 0x4e, 0x01, 0x61, 0x5e, 0x18, 0x58, 0x64, 0x2a, 0x2f, 0xd6, 0x72, 0x08, 0xc7, 0x65, 0x7b,
-	0xb5, 0xc6, 0x79, 0x05, 0xa1, 0xcb, 0xa9, 0x53, 0xdc, 0xe6, 0xbd, 0xbb, 0x1c, 0x98, 0x75, 0x49,
-	0x1c, 0x9c, 0xf7, 0xd3, 0xff, 0xa8, 0x81, 0xea, 0x41, 0xfb, 0xf8, 0x30, 0xa0, 0xd7, 0x24, 0x80,
-	0x3f, 0x01, 0x2b, 0x22, 0x22, 0x1b, 0x73, 0x5c, 0xd7, 0x76, 0xb4, 0xdd, 0xda, 0xde, 0x63, 0x23,
-	0xb9, 0xe4, 0x18, 0xd8, 0xf0, 0xaf, 0xba, 0x42, 0xc0, 0x0c, 0x61, 0x6d, 0x5c, 0x3f, 0x31, 0x9e,
-	0x75, 0x3e, 0x27, 0x16, 0x3f, 0x25, 0x1c, 0x9b, 0xf0, 0xe5, 0xa0, 0x39, 0x37, 0x1c, 0x34, 0x41,
-	0x22, 0x43, 0x31, 0x2a, 0xfc, 0x18, 0x2c, 0x30, 0x9f, 0x58, 0xf5, 0x79, 0x89, 0xfe, 0xd0, 0x18,
-	0x9f, 0x42, 0x23, 0x0e, 0xab, 0xed, 0x13, 0xcb, 0x5c, 0x55, 0xb0, 0x0b, 0x62, 0x85, 0x24, 0x88,
-	0xfe, 0x07, 0x0d, 0xac, 0xc5, 0x56, 0x27, 0x94, 0x71, 0xf8, 0xe3, 0xc2, 0x01, 0x8c, 0xc9, 0x0e,
-	0x20, 0xbc, 0x65, 0xf8, 0x1b, 0x6a, 0x9f, 0x95, 0x91, 0x24, 0x15, 0xfc, 0x47, 0x60, 0x91, 0x72,
-	0xe2, 0xb0, 0xfa, 0xfc, 0x4e, 0x65, 0xb7, 0xb6, 0xf7, 0xad, 0x89, 0xa2, 0x37, 0xd7, 0x14, 0xe2,
-	0xe2, 0xb1, 0xf0, 0x45, 0x11, 0x84, 0xfe, 0xb7, 0xc5, 0x54, 0xec, 0xe2, 0x4c, 0xf0, 0x7d, 0x70,
-	0x0f, 0x73, 0x8e, 0xad, 0x4b, 0x44, 0xbe, 0x08, 0x69, 0x40, 0x6c, 0x79, 0x82, 0x15, 0x13, 0x0e,
-	0x07, 0xcd, 0x7b, 0xfb, 0x19, 0x0d, 0xca, 0x59, 0x0a, 0x5f, 0xdf, 0xb3, 0x8f, 0xdd, 0x17, 0xde,
-	0x33, 0xf7, 0xd4, 0x0b, 0x5d, 0x2e, 0x2f, 0x58, 0xf9, 0x9e, 0x67, 0x34, 0x28, 0x67, 0x09, 0x2d,
-	0xb0, 0x75, 0xed, 0xf5, 0x42, 0x87, 0x9c, 0xd0, 0x17, 0xc4, 0xea, 0x5b, 0x3d, 0x72, 0xea, 0xd9,
-	0x84, 0xd5, 0x2b, 0x3b, 0x95, 0xdd, 0xaa, 0xd9, 0x1a, 0x0e, 0x9a, 0x5b, 0xcf, 0x4b, 0xf4, 0xb7,
-	0x83, 0xe6, 0xfd, 0x12, 0x39, 0x2a, 0x05, 0x83, 0x1f, 0x80, 0x75, 0x75, 0x43, 0x07, 0xd8, 0xc7,
-	0x16, 0xe5, 0xfd, 0xfa, 0x82, 0x8c, 0xf0, 0xfe, 0x70, 0xd0, 0x5c, 0x6f, 0x67, 0x55, 0x28, 0x6f,
-	0x0b, 0x3f, 0x04, 0x6b, 0x2f, 0xd8, 0x0f, 0x03, 0x2f, 0xf4, 0xcf, 0xbd, 0x1e, 0xb5, 0xfa, 0xf5,
-	0xc5, 0x1d, 0x6d, 0xb7, 0x6a, 0xea, 0xc3, 0x41, 0x73, 0xed, 0x07, 0xed, 0x94, 0xe2, 0x36, 0x2f,
-	0x40, 0x59, 0x47, 0x48, 0xc0, 0x1a, 0xf7, 0xae, 0x88, 0x2b, 0xae, 0x8e, 0x30, 0xce, 0xea, 0x4b,
-	0x32, 0x97, 0xbb, 0xaf, 0xcb, 0xe5, 0x45, 0xca, 0xc1, 0x7c, 0xa0, 0xd2, 0xb9, 0x96, 0x96, 0x32,
-	0x94, 0x45, 0x85, 0x07, 0x60, 0x33, 0x88, 0x92, 0xc3, 0x10, 0xf1, 0xc3, 0x4e, 0x8f, 0xb2, 0xcb,
-	0xfa, 0xb2, 0x3c, 0xf1, 0x83, 0xe1, 0xa0, 0xb9, 0x89, 0xf2, 0x4a, 0x54, 0xb4, 0x87, 0xef, 0x82,
-	0x55, 0x46, 0x4e, 0xa8, 0x1b, 0xde, 0x44, 0x39, 0x5d, 0x91, 0xfe, 0x1b, 0xc3, 0x41, 0x73, 0xb5,
-	0x7d, 0x94, 0xc8, 0x51, 0xc6, 0x0a, 0x5e, 0x03, 0xdd, 0xf5, 0x6c, 0xb2, 0xdf, 0xeb, 0x79, 0x16,
-	0xe6, 0xb8, 0xd3, 0x23, 0x3f, 0xf2, 0x6d, 0xcc, 0xc9, 0x39, 0x09, 0xa8, 0x67, 0xb7, 0x89, 0xe5,
-	0xb9, 0x36, 0xab, 0x57, 0x77, 0xb4, 0xdd, 0x8a, 0xf9, 0xd6, 0x70, 0xd0, 0xd4, 0xcf, 0xee, 0xb4,
-	0x46, 0x13, 0x20, 0xea, 0xbf, 0xd7, 0xc0, 0xf2, 0x41, 0xfb, 0x58, 0xa0, 0xcd, 0x80, 0x48, 0x8e,
-	0x33, 0x44, 0xf2, 0xf6, 0x1d, 0xad, 0x28, 0x82, 0x1a, 0x4b, 0x23, 0xff, 0x8a, 0x68, 0x44, 0xd8,
-	0x28, 0x1e, 0xdc, 0x01, 0x0b, 0x2e, 0x76, 0x88, 0x0c, 0xbd, 0x9a, 0xf8, 0x9c, 0x61, 0x87, 0x20,
-	0xa9, 0x81, 0x6f, 0x81, 0x25, 0x71, 0x25, 0xc7, 0x87, 0x32, 0x80, 0xaa, 0x79, 0x4f, 0xd9, 0x2c,
-	0x9d, 0x49, 0x29, 0x52, 0x5a, 0x91, 0x42, 0xee, 0xf9, 0x5e, 0xcf, 0xeb, 0xf6, 0x3f, 0x26, 0xfd,
-	0x51, 0x53, 0xc9, 0x14, 0x5e, 0xa4, 0xe4, 0x28, 0x63, 0x05, 0x3b, 0xa0, 0x86, 0x93, 0xcb, 0x96,
-	0x9d, 0x52, 0xdb, 0x6b, 0xbd, 0xee, 0x8c, 0x51, 0x27, 0x8a, 0xcd, 0x91, 0x7a, 0x89, 0x98, 0xb9,
-	0x3e, 0x1c, 0x34, 0x6b, 0xa9, 0xa4, 0xa1, 0x34, 0xa8, 0xfe, 0x3b, 0x0d, 0xd4, 0xd4, 0xa9, 0x67,
-	0x40, 0x9d, 0x1f, 0x66, 0xa9, 0xf3, 0x9b, 0x13, 0xe4, 0x6b, 0x0c, 0x71, 0x5a, 0x71, 0xd8, 0x92,
-	0x35, 0x2f, 0xc0, 0xb2, 0x2d, 0x93, 0xc6, 0xea, 0x9a, 0x84, 0x7e, 0x38, 0x01, 0xb4, 0x62, 0xe6,
-	0x75, 0xb5, 0xc1, 0x72, 0xb4, 0x66, 0x68, 0x04, 0xa5, 0xff, 0xbb, 0x02, 0xe0, 0x41, 0xfb, 0x38,
-	0xc7, 0x4b, 0x33, 0x28, 0x6b, 0x0a, 0x56, 0x45, 0xe5, 0x8c, 0x6a, 0x43, 0x95, 0xf7, 0x77, 0x27,
-	0xcc, 0x04, 0xee, 0x90, 0x5e, 0x9b, 0xf4, 0x88, 0xc5, 0xbd, 0x20, 0x2a, 0xb2, 0xb3, 0x14, 0x18,
-	0xca, 0x40, 0xc3, 0x43, 0xb0, 0x31, 0xa2, 0xd9, 0x1e, 0x66, 0x4c, 0x14, 0x77, 0xbd, 0x22, 0x8b,
-	0xb9, 0xae, 0x42, 0xdc, 0x68, 0xe7, 0xf4, 0xa8, 0xe0, 0x01, 0x3f, 0x05, 0x2b, 0x56, 0x9a, 0xd1,
-	0xef, 0x28, 0x1b, 0x63, 0x34, 0x28, 0x19, 0x9f, 0x84, 0xd8, 0xe5, 0x94, 0xf7, 0xcd, 0x55, 0x51,
-	0x32, 0x31, 0xf5, 0xc7, 0x68, 0x90, 0x81, 0x4d, 0x07, 0xdf, 0x50, 0x27, 0x74, 0xa2, 0xe2, 0x6e,
-	0xd3, 0x9f, 0x11, 0xc9, 0xfb, 0xd3, 0x6f, 0x21, 0x29, 0xf7, 0x34, 0x0f, 0x86, 0x8a, 0xf8, 0xfa,
-	0x5f, 0x34, 0xf0, 0x46, 0x31, 0xf1, 0x33, 0x68, 0x90, 0x76, 0xb6, 0x41, 0x8c, 0x3b, 0xaa, 0x38,
-	0x17, 0xe0, 0x98, 0x5e, 0xf9, 0xd5, 0x12, 0x58, 0x4d, 0xe7, 0x70, 0x06, 0x05, 0xfc, 0x3d, 0x50,
-	0xf3, 0x03, 0xef, 0x9a, 0x32, 0xea, 0xb9, 0x24, 0x50, 0xec, 0x78, 0x5f, 0xb9, 0xd4, 0xce, 0x13,
-	0x15, 0x4a, 0xdb, 0xc1, 0x1e, 0x00, 0x3e, 0x0e, 0xb0, 0x43, 0xb8, 0xe8, 0xe4, 0x8a, 0xbc, 0x83,
-	0xa7, 0xaf, 0xbb, 0x83, 0xf4, 0xb1, 0x8c, 0xf3, 0xd8, 0xf5, 0xc8, 0xe5, 0x41, 0x3f, 0x09, 0x31,
-	0x51, 0xa0, 0x14, 0x3e, 0xbc, 0x02, 0x6b, 0x01, 0xb1, 0x7a, 0x98, 0x3a, 0x6a, 0x9c, 0x58, 0x90,
-	0x61, 0x1e, 0x89, 0x67, 0x1d, 0xa5, 0x15, 0xb7, 0x83, 0xe6, 0xe3, 0xe2, 0xa7, 0x81, 0x71, 0x4e,
-	0x02, 0x46, 0x19, 0x27, 0x2e, 0x8f, 0x4a, 0x27, 0xe3, 0x83, 0xb2, 0xd8, 0xe2, 0x09, 0x70, 0xc4,
-	0xc3, 0xfc, 0xcc, 0xe7, 0xd4, 0x73, 0x59, 0x7d, 0x31, 0x79, 0x02, 0x4e, 0x53, 0x72, 0x94, 0xb1,
-	0x82, 0x27, 0x60, 0x4b, 0xb0, 0xf5, 0x4f, 0xa3, 0x0d, 0x8e, 0x6e, 0x7c, 0xec, 0x8a, 0xab, 0xaa,
-	0x2f, 0xc9, 0x19, 0xa0, 0x2e, 0xa6, 0xb2, 0xfd, 0x12, 0x3d, 0x2a, 0xf5, 0x82, 0x9f, 0x82, 0xcd,
-	0x68, 0x2c, 0x33, 0xa9, 0x6b, 0x53, 0xb7, 0x2b, 0x86, 0x32, 0x39, 0x8e, 0x54, 0xcd, 0x47, 0xa2,
-	0x37, 0x9e, 0xe7, 0x95, 0xb7, 0x65, 0x42, 0x54, 0x04, 0x81, 0x5f, 0x80, 0x4d, 0xb9, 0x23, 0xb1,
-	0x15, 0xb1, 0x50, 0xc2, 0xea, 0x2b, 0xc5, 0x99, 0x4a, 0x5c, 0x9d, 0x28, 0xa4, 0x11, 0xfd, 0x8c,
-	0x68, 0xea, 0x82, 0x04, 0x8e, 0xf9, 0xa6, 0xca, 0xd7, 0xe6, 0x7e, 0x1e, 0x0a, 0x15, 0xd1, 0xb7,
-	0x3f, 0x00, 0xeb, 0xb9, 0x84, 0xc3, 0x0d, 0x50, 0xb9, 0x22, 0xfd, 0xe8, 0xbd, 0x46, 0xe2, 0x4f,
-	0xb8, 0x05, 0x16, 0xaf, 0x71, 0x2f, 0x24, 0x51, 0x05, 0xa2, 0x68, 0xf1, 0xfe, 0xfc, 0x53, 0x4d,
-	0xff, 0x93, 0x06, 0x32, 0xc4, 0x36, 0x83, 0xe6, 0x3e, 0xcd, 0x36, 0xf7, 0xee, 0xa4, 0x85, 0x3d,
-	0xa6, 0xad, 0x7f, 0xa1, 0x81, 0xd5, 0xf4, 0xf4, 0x09, 0xdf, 0x01, 0x2b, 0x38, 0xb4, 0x29, 0x71,
-	0xad, 0xd1, 0xcc, 0x12, 0x47, 0xb3, 0xaf, 0xe4, 0x28, 0xb6, 0x10, 0xb3, 0x29, 0xb9, 0xf1, 0x69,
-	0x80, 0x45, 0xa5, 0x8d, 0xe6, 0xc1, 0x79, 0x39, 0x0f, 0x4a, 0xa2, 0x3c, 0xca, 0x2b, 0x51, 0xd1,
-	0x5e, 0xff, 0xcd, 0x3c, 0xd8, 0x88, 0x0a, 0x24, 0xfa, 0x34, 0x71, 0x88, 0xcb, 0x67, 0x40, 0x2f,
-	0x28, 0x33, 0xf6, 0x3d, 0xbe, 0x7b, 0x24, 0x4a, 0xa2, 0x1b, 0x37, 0xff, 0xc1, 0xcf, 0xc0, 0x12,
-	0xe3, 0x98, 0x87, 0x4c, 0x3e, 0x7f, 0xb5, 0xbd, 0xbd, 0xa9, 0x50, 0xa5, 0x67, 0x32, 0xff, 0x45,
-	0x6b, 0xa4, 0x10, 0xf5, 0x3f, 0x6b, 0x60, 0x2b, 0xef, 0x32, 0x83, 0x82, 0xfb, 0x24, 0x5b, 0x70,
-	0xef, 0x4c, 0x73, 0xa2, 0x31, 0x45, 0xf7, 0x0f, 0x0d, 0xbc, 0x51, 0x38, 0xbc, 0x7c, 0x67, 0x05,
-	0x57, 0xf9, 0x39, 0x46, 0x3c, 0x4b, 0xc6, 0x67, 0xc9, 0x55, 0xe7, 0x25, 0x7a, 0x54, 0xea, 0x05,
-	0x3f, 0x07, 0x1b, 0xd4, 0xed, 0x51, 0x97, 0xa8, 0x67, 0x39, 0x49, 0x77, 0x29, 0xa1, 0xe4, 0x91,
-	0x65, 0x9a, 0xb7, 0xc4, 0xf4, 0x72, 0x9c, 0x43, 0x41, 0x05, 0x5c, 0xfd, 0xaf, 0x25, 0xe9, 0x91,
-	0x63, 0xa5, 0xe8, 0x28, 0x29, 0x21, 0x41, 0xa1, 0xa3, 0x94, 0x1c, 0xc5, 0x16, 0xb2, 0x82, 0xe4,
-	0x55, 0xa8, 0x40, 0xa7, 0xab, 0x20, 0xe9, 0x99, 0xaa, 0x20, 0xb9, 0x46, 0x0a, 0x51, 0x44, 0x22,
-	0xc6, 0xb6, 0xd4, 0x78, 0x16, 0x47, 0x72, 0xa6, 0xe4, 0x28, 0xb6, 0xd0, 0xff, 0x53, 0x29, 0xc9,
-	0x92, 0x2c, 0xc5, 0xd4, 0x91, 0x46, 0xbf, 0x2c, 0xe4, 0x8f, 0x64, 0xc7, 0x47, 0xb2, 0xe1, 0xaf,
-	0x35, 0x00, 0x71, 0x0c, 0x71, 0x3a, 0x2a, 0xd5, 0xa8, 0x9e, 0x3e, 0x9a, 0xbe, 0x43, 0x8c, 0xfd,
-	0x02, 0x58, 0xf4, 0x56, 0x6f, 0xab, 0x20, 0x60, 0xd1, 0x00, 0x95, 0x44, 0x00, 0x29, 0xa8, 0x45,
-	0xd2, 0xa3, 0x20, 0xf0, 0x02, 0xd5, 0xb2, 0x6f, 0xdf, 0x1d, 0x90, 0x34, 0x37, 0x1b, 0xf2, 0x9b,
-	0x28, 0xf1, 0xbf, 0x1d, 0x34, 0x6b, 0x29, 0x3d, 0x4a, 0x63, 0x8b, 0xad, 0x6c, 0x92, 0x6c, 0xb5,
-	0xf0, 0x3f, 0x6c, 0x75, 0x48, 0xc6, 0x6f, 0x95, 0xc2, 0xde, 0x3e, 0x02, 0xdf, 0x18, 0x73, 0x41,
-	0x53, 0xbd, 0x6d, 0x5f, 0xcf, 0x83, 0x07, 0xf1, 0xfd, 0x07, 0xb4, 0x13, 0x72, 0xc2, 0x66, 0x35,
-	0xf9, 0xed, 0x01, 0x10, 0x7d, 0x3e, 0xc9, 0x52, 0x8d, 0x06, 0xbf, 0xd8, 0xe3, 0x30, 0xd6, 0xa0,
-	0x94, 0x15, 0x0c, 0x4b, 0xc6, 0xbe, 0xfd, 0x89, 0x8a, 0x2b, 0x7d, 0xb8, 0x69, 0xe7, 0xbf, 0xff,
-	0x77, 0x82, 0xf8, 0xbb, 0x06, 0xde, 0x2c, 0x0d, 0x64, 0x06, 0xcc, 0xfe, 0x3c, 0xcb, 0xec, 0x4f,
-	0xa6, 0xbe, 0xac, 0x31, 0xf4, 0xfe, 0x5b, 0x0d, 0xa4, 0xab, 0x13, 0x9e, 0x80, 0x05, 0x4e, 0x15,
-	0x87, 0xd7, 0xf6, 0x1e, 0x4d, 0x76, 0x82, 0x0b, 0xea, 0x90, 0xe4, 0x89, 0x15, 0x2b, 0x24, 0x51,
-	0xe0, 0x43, 0xb0, 0xec, 0x10, 0xc6, 0x70, 0x77, 0x54, 0x18, 0xf1, 0xa7, 0xf7, 0x69, 0x24, 0x46,
-	0x23, 0x3d, 0xfc, 0x36, 0xa8, 0x12, 0x11, 0xc1, 0x81, 0x18, 0x51, 0x45, 0x77, 0x2f, 0x9a, 0x6b,
-	0xc3, 0x41, 0xb3, 0x7a, 0x34, 0x12, 0xa2, 0x44, 0xaf, 0xbf, 0x07, 0xee, 0x97, 0xfc, 0xf2, 0x01,
-	0x9b, 0x60, 0xd1, 0x92, 0xbf, 0x98, 0x69, 0xd2, 0xbf, 0x2a, 0x4e, 0x7b, 0x20, 0x7f, 0x2a, 0x8b,
-	0xe4, 0xe6, 0xf7, 0x5f, 0xbe, 0x6a, 0xcc, 0x7d, 0xf9, 0xaa, 0x31, 0xf7, 0xd5, 0xab, 0xc6, 0xdc,
-	0xcf, 0x87, 0x0d, 0xed, 0xe5, 0xb0, 0xa1, 0x7d, 0x39, 0x6c, 0x68, 0x5f, 0x0d, 0x1b, 0xda, 0x3f,
-	0x87, 0x0d, 0xed, 0x97, 0x5f, 0x37, 0xe6, 0x3e, 0xdb, 0x1e, 0xff, 0xcf, 0x88, 0xff, 0x06, 0x00,
-	0x00, 0xff, 0xff, 0x4a, 0x00, 0x2b, 0x10, 0xa9, 0x18, 0x00, 0x00,
-}
+func (m *VolumeNodeResources) Reset() { *m = VolumeNodeResources{} }
 
 func (m *CSIDriver) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -893,6 +187,16 @@ func (m *CSIDriverSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.ServiceAccountTokenInSecrets != nil {
+		i--
+		if *m.ServiceAccountTokenInSecrets {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x50
+	}
 	if m.NodeAllocatableUpdatePeriodSeconds != nil {
 		i = encodeVarintGenerated(dAtA, i, uint64(*m.NodeAllocatableUpdatePeriodSeconds))
 		i--
@@ -1355,7 +659,7 @@ func (m *StorageClass) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Parameters {
 			keysForParameters = append(keysForParameters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		sort.Strings(keysForParameters)
 		for iNdEx := len(keysForParameters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Parameters[string(keysForParameters[iNdEx])]
 			baseI := i
@@ -1706,7 +1010,7 @@ func (m *VolumeAttachmentStatus) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		for k := range m.AttachmentMetadata {
 			keysForAttachmentMetadata = append(keysForAttachmentMetadata, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+		sort.Strings(keysForAttachmentMetadata)
 		for iNdEx := len(keysForAttachmentMetadata) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AttachmentMetadata[string(keysForAttachmentMetadata[iNdEx])]
 			baseI := i
@@ -1761,7 +1065,7 @@ func (m *VolumeAttributesClass) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Parameters {
 			keysForParameters = append(keysForParameters, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		sort.Strings(keysForParameters)
 		for iNdEx := len(keysForParameters) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Parameters[string(keysForParameters[iNdEx])]
 			baseI := i
@@ -1997,6 +1301,9 @@ func (m *CSIDriverSpec) Size() (n int) {
 	if m.NodeAllocatableUpdatePeriodSeconds != nil {
 		n += 1 + sovGenerated(uint64(*m.NodeAllocatableUpdatePeriodSeconds))
 	}
+	if m.ServiceAccountTokenInSecrets != nil {
+		n += 2
+	}
 	return n
 }
 
@@ -2393,6 +1700,7 @@ func (this *CSIDriverSpec) String() string {
 		`RequiresRepublish:` + valueToStringGenerated(this.RequiresRepublish) + `,`,
 		`SELinuxMount:` + valueToStringGenerated(this.SELinuxMount) + `,`,
 		`NodeAllocatableUpdatePeriodSeconds:` + valueToStringGenerated(this.NodeAllocatableUpdatePeriodSeconds) + `,`,
+		`ServiceAccountTokenInSecrets:` + valueToStringGenerated(this.ServiceAccountTokenInSecrets) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -2495,7 +1803,7 @@ func (this *StorageClass) String() string {
 	for k := range this.Parameters {
 		keysForParameters = append(keysForParameters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	sort.Strings(keysForParameters)
 	mapStringForParameters := "map[string]string{"
 	for _, k := range keysForParameters {
 		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
@@ -2600,7 +1908,7 @@ func (this *VolumeAttachmentStatus) String() string {
 	for k := range this.AttachmentMetadata {
 		keysForAttachmentMetadata = append(keysForAttachmentMetadata, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAttachmentMetadata)
+	sort.Strings(keysForAttachmentMetadata)
 	mapStringForAttachmentMetadata := "map[string]string{"
 	for _, k := range keysForAttachmentMetadata {
 		mapStringForAttachmentMetadata += fmt.Sprintf("%v: %v,", k, this.AttachmentMetadata[k])
@@ -2623,7 +1931,7 @@ func (this *VolumeAttributesClass) String() string {
 	for k := range this.Parameters {
 		keysForParameters = append(keysForParameters, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	sort.Strings(keysForParameters)
 	mapStringForParameters := "map[string]string{"
 	for _, k := range keysForParameters {
 		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
@@ -3169,6 +2477,27 @@ func (m *CSIDriverSpec) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.NodeAllocatableUpdatePeriodSeconds = &v
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountTokenInSecrets", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.ServiceAccountTokenInSecrets = &b
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/api/storage/v1beta1/generated.proto b/staging/src/k8s.io/api/storage/v1beta1/generated.proto
index fe597c9e4482f..33b904ee6d940 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/storage/v1beta1/generated.proto
@@ -227,6 +227,30 @@ message CSIDriverSpec {
   // +featureGate=MutableCSINodeAllocatableCount
   // +optional
   optional int64 nodeAllocatableUpdatePeriodSeconds = 9;
+
+  // serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+  // service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+  // instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+  // field for sensitive information like tokens, which is the appropriate mechanism for
+  // handling credentials. This addresses security concerns where sensitive tokens were being
+  // logged as part of volume context.
+  //
+  // When "true", kubelet will pass the tokens only in the Secrets field with the key
+  // "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+  // tokens from the Secrets field instead of VolumeContext.
+  //
+  // When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+  // "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+  // compatibility with existing CSI drivers.
+  //
+  // This field can only be set when TokenRequests is configured. The API server will reject
+  // CSIDriver specs that set this field without TokenRequests.
+  //
+  // Default behavior if unset is to pass tokens in the VolumeContext field.
+  //
+  // +featureGate=CSIServiceAccountTokenSecrets
+  // +optional
+  optional bool serviceAccountTokenInSecrets = 10;
 }
 
 // DEPRECATED - This group version of CSINode is deprecated by storage/v1/CSINode.
@@ -411,6 +435,8 @@ message StorageClass {
   optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 
   // provisioner indicates the type of the provisioner.
+  // +required
+  // +k8s:required
   optional string provisioner = 2;
 
   // parameters holds the parameters for the provisioner that should
diff --git a/staging/src/k8s.io/api/storage/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/storage/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a288b7fb6a0a2
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,64 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*CSIDriver) ProtoMessage() {}
+
+func (*CSIDriverList) ProtoMessage() {}
+
+func (*CSIDriverSpec) ProtoMessage() {}
+
+func (*CSINode) ProtoMessage() {}
+
+func (*CSINodeDriver) ProtoMessage() {}
+
+func (*CSINodeList) ProtoMessage() {}
+
+func (*CSINodeSpec) ProtoMessage() {}
+
+func (*CSIStorageCapacity) ProtoMessage() {}
+
+func (*CSIStorageCapacityList) ProtoMessage() {}
+
+func (*StorageClass) ProtoMessage() {}
+
+func (*StorageClassList) ProtoMessage() {}
+
+func (*TokenRequest) ProtoMessage() {}
+
+func (*VolumeAttachment) ProtoMessage() {}
+
+func (*VolumeAttachmentList) ProtoMessage() {}
+
+func (*VolumeAttachmentSource) ProtoMessage() {}
+
+func (*VolumeAttachmentSpec) ProtoMessage() {}
+
+func (*VolumeAttachmentStatus) ProtoMessage() {}
+
+func (*VolumeAttributesClass) ProtoMessage() {}
+
+func (*VolumeAttributesClassList) ProtoMessage() {}
+
+func (*VolumeError) ProtoMessage() {}
+
+func (*VolumeNodeResources) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/storage/v1beta1/types.go b/staging/src/k8s.io/api/storage/v1beta1/types.go
index 4f350b0b73c21..b5dde72ad9519 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/types.go
+++ b/staging/src/k8s.io/api/storage/v1beta1/types.go
@@ -43,6 +43,8 @@ type StorageClass struct {
 	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
 	// provisioner indicates the type of the provisioner.
+	// +required
+	// +k8s:required
 	Provisioner string `json:"provisioner" protobuf:"bytes,2,opt,name=provisioner"`
 
 	// parameters holds the parameters for the provisioner that should
@@ -456,6 +458,30 @@ type CSIDriverSpec struct {
 	// +featureGate=MutableCSINodeAllocatableCount
 	// +optional
 	NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty" protobuf:"varint,9,opt,name=nodeAllocatableUpdatePeriodSeconds"`
+
+	// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+	// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+	// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+	// field for sensitive information like tokens, which is the appropriate mechanism for
+	// handling credentials. This addresses security concerns where sensitive tokens were being
+	// logged as part of volume context.
+	//
+	// When "true", kubelet will pass the tokens only in the Secrets field with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+	// tokens from the Secrets field instead of VolumeContext.
+	//
+	// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+	// compatibility with existing CSI drivers.
+	//
+	// This field can only be set when TokenRequests is configured. The API server will reject
+	// CSIDriver specs that set this field without TokenRequests.
+	//
+	// Default behavior if unset is to pass tokens in the VolumeContext field.
+	//
+	// +featureGate=CSIServiceAccountTokenSecrets
+	// +optional
+	ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty" protobuf:"varint,10,opt,name=serviceAccountTokenInSecrets"`
 }
 
 // FSGroupPolicy specifies if a CSI Driver supports modifying
diff --git a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
index 7c5276e41b915..78da9266e09f8 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
@@ -58,6 +58,7 @@ var map_CSIDriverSpec = map[string]string{
 	"requiresRepublish":                  "requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.",
 	"seLinuxMount":                       "seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".",
 	"nodeAllocatableUpdatePeriodSeconds": "nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of the CSINode allocatable capacity for this driver. When set, both periodic updates and updates triggered by capacity-related failures are enabled. If not set, no updates occur (neither periodic nor upon detecting capacity-related failures), and the allocatable.count remains static. The minimum allowed value for this field is 10 seconds.\n\nThis is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.\n\nThis field is mutable.",
+	"serviceAccountTokenInSecrets":       "serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that service account tokens should be passed via the Secrets field in NodePublishVolumeRequest instead of the VolumeContext field. The CSI specification provides a dedicated Secrets field for sensitive information like tokens, which is the appropriate mechanism for handling credentials. This addresses security concerns where sensitive tokens were being logged as part of volume context.\n\nWhen \"true\", kubelet will pass the tokens only in the Secrets field with the key \"csi.storage.k8s.io/serviceAccount.tokens\". The CSI driver must be updated to read tokens from the Secrets field instead of VolumeContext.\n\nWhen \"false\" or not set, kubelet will pass the tokens in VolumeContext with the key \"csi.storage.k8s.io/serviceAccount.tokens\" (existing behavior). This maintains backward compatibility with existing CSI drivers.\n\nThis field can only be set when TokenRequests is configured. The API server will reject CSIDriver specs that set this field without TokenRequests.\n\nDefault behavior if unset is to pass tokens in the VolumeContext field.",
 }
 
 func (CSIDriverSpec) SwaggerDoc() map[string]string {
diff --git a/staging/src/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
index a5ef9b5c2f3a4..94cc629da649a 100644
--- a/staging/src/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
@@ -137,6 +137,11 @@ func (in *CSIDriverSpec) DeepCopyInto(out *CSIDriverSpec) {
 		*out = new(int64)
 		**out = **in
 	}
+	if in.ServiceAccountTokenInSecrets != nil {
+		in, out := &in.ServiceAccountTokenInSecrets, &out.ServiceAccountTokenInSecrets
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/api/storage/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/storage/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..8453d86b22afb
--- /dev/null
+++ b/staging/src/k8s.io/api/storage/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,127 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriver) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSIDriver"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriverList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSIDriverList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIDriverSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSIDriverSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINode) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSINode"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeDriver) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSINodeDriver"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSINodeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSINodeSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSINodeSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacity) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSIStorageCapacity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSIStorageCapacityList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.CSIStorageCapacityList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageClass) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.StorageClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageClassList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.StorageClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TokenRequest) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.TokenRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachment) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttachment"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttachmentList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSource) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttachmentSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttachmentSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttachmentStatus) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttachmentStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClass) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttributesClass"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeAttributesClassList) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeAttributesClassList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeError) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeError"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeNodeResources) OpenAPIModelName() string {
+	return "io.k8s.api.storage.v1beta1.VolumeNodeResources"
+}
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/doc.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/doc.go
deleted file mode 100644
index df8f3a65d450f..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// +k8s:deepcopy-gen=package
-// +k8s:protobuf-gen=package
-// +k8s:openapi-gen=true
-// +k8s:prerelease-lifecycle-gen=true
-// +groupName=storagemigration.k8s.io
-
-package v1alpha1
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.pb.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.pb.go
deleted file mode 100644
index ed57f34b59ebe..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.pb.go
+++ /dev/null
@@ -1,1688 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: k8s.io/api/storagemigration/v1alpha1/generated.proto
-
-package v1alpha1
-
-import (
-	fmt "fmt"
-
-	io "io"
-
-	proto "github.com/gogo/protobuf/proto"
-
-	k8s_io_api_core_v1 "k8s.io/api/core/v1"
-
-	math "math"
-	math_bits "math/bits"
-	reflect "reflect"
-	strings "strings"
-)
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *GroupVersionResource) Reset()      { *m = GroupVersionResource{} }
-func (*GroupVersionResource) ProtoMessage() {}
-func (*GroupVersionResource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{0}
-}
-func (m *GroupVersionResource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupVersionResource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupVersionResource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupVersionResource.Merge(m, src)
-}
-func (m *GroupVersionResource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupVersionResource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupVersionResource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupVersionResource proto.InternalMessageInfo
-
-func (m *MigrationCondition) Reset()      { *m = MigrationCondition{} }
-func (*MigrationCondition) ProtoMessage() {}
-func (*MigrationCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{1}
-}
-func (m *MigrationCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MigrationCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MigrationCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MigrationCondition.Merge(m, src)
-}
-func (m *MigrationCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *MigrationCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_MigrationCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MigrationCondition proto.InternalMessageInfo
-
-func (m *StorageVersionMigration) Reset()      { *m = StorageVersionMigration{} }
-func (*StorageVersionMigration) ProtoMessage() {}
-func (*StorageVersionMigration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{2}
-}
-func (m *StorageVersionMigration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionMigration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionMigration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionMigration.Merge(m, src)
-}
-func (m *StorageVersionMigration) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionMigration) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionMigration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionMigration proto.InternalMessageInfo
-
-func (m *StorageVersionMigrationList) Reset()      { *m = StorageVersionMigrationList{} }
-func (*StorageVersionMigrationList) ProtoMessage() {}
-func (*StorageVersionMigrationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{3}
-}
-func (m *StorageVersionMigrationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionMigrationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionMigrationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionMigrationList.Merge(m, src)
-}
-func (m *StorageVersionMigrationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionMigrationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionMigrationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionMigrationList proto.InternalMessageInfo
-
-func (m *StorageVersionMigrationSpec) Reset()      { *m = StorageVersionMigrationSpec{} }
-func (*StorageVersionMigrationSpec) ProtoMessage() {}
-func (*StorageVersionMigrationSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{4}
-}
-func (m *StorageVersionMigrationSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionMigrationSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionMigrationSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionMigrationSpec.Merge(m, src)
-}
-func (m *StorageVersionMigrationSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionMigrationSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionMigrationSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionMigrationSpec proto.InternalMessageInfo
-
-func (m *StorageVersionMigrationStatus) Reset()      { *m = StorageVersionMigrationStatus{} }
-func (*StorageVersionMigrationStatus) ProtoMessage() {}
-func (*StorageVersionMigrationStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0117377a57b172b9, []int{5}
-}
-func (m *StorageVersionMigrationStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StorageVersionMigrationStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StorageVersionMigrationStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StorageVersionMigrationStatus.Merge(m, src)
-}
-func (m *StorageVersionMigrationStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *StorageVersionMigrationStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_StorageVersionMigrationStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StorageVersionMigrationStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*GroupVersionResource)(nil), "k8s.io.api.storagemigration.v1alpha1.GroupVersionResource")
-	proto.RegisterType((*MigrationCondition)(nil), "k8s.io.api.storagemigration.v1alpha1.MigrationCondition")
-	proto.RegisterType((*StorageVersionMigration)(nil), "k8s.io.api.storagemigration.v1alpha1.StorageVersionMigration")
-	proto.RegisterType((*StorageVersionMigrationList)(nil), "k8s.io.api.storagemigration.v1alpha1.StorageVersionMigrationList")
-	proto.RegisterType((*StorageVersionMigrationSpec)(nil), "k8s.io.api.storagemigration.v1alpha1.StorageVersionMigrationSpec")
-	proto.RegisterType((*StorageVersionMigrationStatus)(nil), "k8s.io.api.storagemigration.v1alpha1.StorageVersionMigrationStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/api/storagemigration/v1alpha1/generated.proto", fileDescriptor_0117377a57b172b9)
-}
-
-var fileDescriptor_0117377a57b172b9 = []byte{
-	// 719 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0xcf, 0x4f, 0x13, 0x4f,
-	0x14, 0xef, 0x42, 0x0b, 0x7c, 0xa7, 0x5f, 0xc0, 0x4c, 0x14, 0x1a, 0x8c, 0x5b, 0x53, 0x09, 0x41,
-	0xa3, 0xb3, 0xd2, 0x10, 0x43, 0x30, 0x1e, 0x28, 0x07, 0xa3, 0x81, 0x98, 0x0c, 0xc8, 0xc1, 0x78,
-	0x70, 0xba, 0x1d, 0xb7, 0x43, 0xd9, 0x9d, 0xcd, 0xce, 0x6c, 0x13, 0x6e, 0xfe, 0x09, 0x1e, 0xfc,
-	0x93, 0x3c, 0x70, 0x31, 0xe1, 0xc8, 0xc5, 0x2a, 0xf5, 0xbf, 0xe0, 0x64, 0x66, 0x76, 0x76, 0xfb,
-	0x8b, 0x62, 0x13, 0x6e, 0x3b, 0xef, 0xbd, 0xcf, 0x67, 0xde, 0x7b, 0x9f, 0x79, 0x6f, 0xc1, 0x66,
-	0x6b, 0x4b, 0x20, 0xc6, 0x1d, 0x12, 0x32, 0x47, 0x48, 0x1e, 0x11, 0x8f, 0xfa, 0xcc, 0x8b, 0x88,
-	0x64, 0x3c, 0x70, 0xda, 0x1b, 0xe4, 0x24, 0x6c, 0x92, 0x0d, 0xc7, 0xa3, 0x01, 0x8d, 0x88, 0xa4,
-	0x0d, 0x14, 0x46, 0x5c, 0x72, 0xb8, 0x9a, 0xa0, 0x10, 0x09, 0x19, 0x1a, 0x46, 0xa1, 0x14, 0xb5,
-	0xf2, 0xcc, 0x63, 0xb2, 0x19, 0xd7, 0x91, 0xcb, 0x7d, 0xc7, 0xe3, 0x1e, 0x77, 0x34, 0xb8, 0x1e,
-	0x7f, 0xd6, 0x27, 0x7d, 0xd0, 0x5f, 0x09, 0xe9, 0x4a, 0xa5, 0x2f, 0x15, 0x97, 0x47, 0xd4, 0x69,
-	0x8f, 0x5c, 0xbc, 0xd2, 0x97, 0xae, 0x4f, 0xdc, 0x26, 0x0b, 0x68, 0x74, 0xea, 0x84, 0x2d, 0x4f,
-	0x19, 0x84, 0xe3, 0x53, 0x49, 0xae, 0x43, 0x39, 0xe3, 0x50, 0x51, 0x1c, 0x48, 0xe6, 0xd3, 0x11,
-	0xc0, 0x8b, 0x7f, 0x01, 0x84, 0xdb, 0xa4, 0x3e, 0x19, 0xc6, 0x55, 0xbe, 0x59, 0xe0, 0xee, 0xeb,
-	0x88, 0xc7, 0xe1, 0x11, 0x8d, 0x04, 0xe3, 0x01, 0xa6, 0x82, 0xc7, 0x91, 0x4b, 0xe1, 0x23, 0x50,
-	0xf0, 0x94, 0xbd, 0x64, 0x3d, 0xb4, 0xd6, 0xff, 0xab, 0xcd, 0x9f, 0x75, 0xca, 0xb9, 0x6e, 0xa7,
-	0x5c, 0xd0, 0xc1, 0x38, 0xf1, 0xc1, 0xc7, 0x60, 0xb6, 0x9d, 0xe0, 0x4a, 0x53, 0x3a, 0x6c, 0xd1,
-	0x84, 0xcd, 0xa6, 0x74, 0xa9, 0x1f, 0x3e, 0x05, 0x73, 0x91, 0xe1, 0x2e, 0x4d, 0xeb, 0xd8, 0x3b,
-	0x26, 0x76, 0x2e, 0xbd, 0x13, 0x67, 0x11, 0x95, 0x9f, 0x53, 0x00, 0xee, 0xa7, 0xfa, 0xec, 0xf2,
-	0xa0, 0xc1, 0xd4, 0x07, 0xdc, 0x06, 0x79, 0x79, 0x1a, 0x52, 0x93, 0xd3, 0x9a, 0x21, 0xc8, 0x1f,
-	0x9e, 0x86, 0xf4, 0xaa, 0x53, 0x5e, 0x1a, 0x45, 0x28, 0x0f, 0xd6, 0x18, 0xb8, 0x07, 0x66, 0x84,
-	0x24, 0x32, 0x16, 0x26, 0xd5, 0x4d, 0x83, 0x9e, 0x39, 0xd0, 0xd6, 0xab, 0x4e, 0xf9, 0x1a, 0x39,
-	0x51, 0xc6, 0x94, 0x44, 0x61, 0xc3, 0x01, 0x8f, 0xc1, 0xc2, 0x09, 0x11, 0xf2, 0x7d, 0xd8, 0x20,
-	0x92, 0x1e, 0x32, 0x3f, 0x29, 0xaa, 0x58, 0x7d, 0x82, 0x7a, 0x0f, 0x2d, 0x13, 0x02, 0x85, 0x2d,
-	0x4f, 0x19, 0x04, 0x52, 0x7a, 0xa3, 0xf6, 0x06, 0x52, 0x88, 0xda, 0x92, 0xc9, 0x60, 0x61, 0x6f,
-	0x80, 0x09, 0x0f, 0x31, 0xc3, 0x35, 0x30, 0x13, 0x51, 0x22, 0x78, 0x50, 0xca, 0xeb, 0xcc, 0x17,
-	0xd2, 0xcc, 0xb1, 0xb6, 0x62, 0xe3, 0x55, 0x6a, 0xf8, 0x54, 0x08, 0xe2, 0xd1, 0x52, 0x61, 0x50,
-	0x8d, 0xfd, 0xc4, 0x8c, 0x53, 0x7f, 0xe5, 0xc7, 0x14, 0x58, 0x3e, 0x48, 0xc6, 0xc0, 0x28, 0x95,
-	0xf5, 0x0e, 0x7e, 0x02, 0x73, 0x2a, 0xcd, 0x06, 0x91, 0x44, 0x37, 0xba, 0x58, 0x7d, 0x3e, 0x59,
-	0x51, 0xef, 0xea, 0xc7, 0xd4, 0x95, 0xfb, 0x54, 0x92, 0x1a, 0x34, 0x37, 0x83, 0x9e, 0x0d, 0x67,
-	0xac, 0xd0, 0x05, 0x79, 0x11, 0x52, 0x57, 0x0b, 0x51, 0xac, 0xee, 0xa0, 0x49, 0x66, 0x13, 0x8d,
-	0x49, 0xf7, 0x20, 0xa4, 0x6e, 0xed, 0xff, 0xf4, 0x25, 0xa8, 0x13, 0xd6, 0xe4, 0xb0, 0x95, 0xe9,
-	0x9d, 0x28, 0xb3, 0x7b, 0xbb, 0x6b, 0x34, 0x55, 0xaf, 0xf5, 0x83, 0xcf, 0xa1, 0xf2, 0xcb, 0x02,
-	0xf7, 0xc7, 0x20, 0xf7, 0x98, 0x90, 0xf0, 0xe3, 0x48, 0x4f, 0xd1, 0x64, 0x3d, 0x55, 0x68, 0xdd,
-	0xd1, 0x6c, 0x5a, 0x52, 0x4b, 0x5f, 0x3f, 0xeb, 0xa0, 0xc0, 0x24, 0xf5, 0xd5, 0xcb, 0x9e, 0x5e,
-	0x2f, 0x56, 0x5f, 0xdd, 0xaa, 0xd2, 0xde, 0xa8, 0xbf, 0x51, 0x9c, 0x38, 0xa1, 0xae, 0x7c, 0x1f,
-	0x5f, 0xa1, 0x6a, 0x3a, 0x6c, 0xf6, 0xcd, 0x77, 0x52, 0xe1, 0xf6, 0x64, 0x69, 0x5c, 0xb7, 0x7d,
-	0x6e, 0xda, 0x0d, 0xf0, 0x25, 0x98, 0x77, 0x79, 0x20, 0x59, 0x10, 0xd3, 0x43, 0xde, 0xa2, 0xe9,
-	0xea, 0xb9, 0x67, 0x20, 0xf3, 0xbb, 0xfd, 0x4e, 0x3c, 0x18, 0x5b, 0x39, 0xb7, 0xc0, 0x83, 0x1b,
-	0x25, 0x86, 0x27, 0x00, 0xb8, 0xe9, 0xd0, 0x8b, 0x92, 0xa5, 0x3b, 0xba, 0x35, 0x59, 0x29, 0xa3,
-	0xfb, 0xa7, 0x37, 0x08, 0x99, 0x49, 0xe0, 0x3e, 0x7e, 0xb8, 0x03, 0x16, 0xd3, 0xc2, 0x8e, 0x06,
-	0x36, 0xe9, 0xb2, 0x01, 0x2e, 0xe2, 0x41, 0x37, 0x1e, 0x8e, 0xaf, 0xbd, 0x3d, 0xbb, 0xb4, 0x73,
-	0xe7, 0x97, 0x76, 0xee, 0xe2, 0xd2, 0xce, 0x7d, 0xe9, 0xda, 0xd6, 0x59, 0xd7, 0xb6, 0xce, 0xbb,
-	0xb6, 0x75, 0xd1, 0xb5, 0xad, 0xdf, 0x5d, 0xdb, 0xfa, 0xfa, 0xc7, 0xce, 0x7d, 0x58, 0x9d, 0xe4,
-	0xb7, 0xf9, 0x37, 0x00, 0x00, 0xff, 0xff, 0x01, 0xc1, 0xb1, 0xd8, 0x5d, 0x07, 0x00, 0x00,
-}
-
-func (m *GroupVersionResource) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *GroupVersionResource) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *GroupVersionResource) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	i -= len(m.Resource)
-	copy(dAtA[i:], m.Resource)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
-	i--
-	dAtA[i] = 0x1a
-	i -= len(m.Version)
-	copy(dAtA[i:], m.Version)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
-	i--
-	dAtA[i] = 0x12
-	i -= len(m.Group)
-	copy(dAtA[i:], m.Group)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *MigrationCondition) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *MigrationCondition) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *MigrationCondition) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	i -= len(m.Message)
-	copy(dAtA[i:], m.Message)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
-	i--
-	dAtA[i] = 0x2a
-	i -= len(m.Reason)
-	copy(dAtA[i:], m.Reason)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
-	i--
-	dAtA[i] = 0x22
-	{
-		size, err := m.LastUpdateTime.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0x1a
-	i -= len(m.Status)
-	copy(dAtA[i:], m.Status)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
-	i--
-	dAtA[i] = 0x12
-	i -= len(m.Type)
-	copy(dAtA[i:], m.Type)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *StorageVersionMigration) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *StorageVersionMigration) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *StorageVersionMigration) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	{
-		size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0x1a
-	{
-		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0x12
-	{
-		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *StorageVersionMigrationList) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *StorageVersionMigrationList) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *StorageVersionMigrationList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Items) > 0 {
-		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintGenerated(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0x12
-		}
-	}
-	{
-		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *StorageVersionMigrationSpec) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *StorageVersionMigrationSpec) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *StorageVersionMigrationSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	i -= len(m.ContinueToken)
-	copy(dAtA[i:], m.ContinueToken)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContinueToken)))
-	i--
-	dAtA[i] = 0x12
-	{
-		size, err := m.Resource.MarshalToSizedBuffer(dAtA[:i])
-		if err != nil {
-			return 0, err
-		}
-		i -= size
-		i = encodeVarintGenerated(dAtA, i, uint64(size))
-	}
-	i--
-	dAtA[i] = 0xa
-	return len(dAtA) - i, nil
-}
-
-func (m *StorageVersionMigrationStatus) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *StorageVersionMigrationStatus) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *StorageVersionMigrationStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	i -= len(m.ResourceVersion)
-	copy(dAtA[i:], m.ResourceVersion)
-	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
-	i--
-	dAtA[i] = 0x12
-	if len(m.Conditions) > 0 {
-		for iNdEx := len(m.Conditions) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Conditions[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintGenerated(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
-	offset -= sovGenerated(v)
-	base := offset
-	for v >= 1<<7 {
-		dAtA[offset] = uint8(v&0x7f | 0x80)
-		v >>= 7
-		offset++
-	}
-	dAtA[offset] = uint8(v)
-	return base
-}
-func (m *GroupVersionResource) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Group)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Version)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Resource)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *MigrationCondition) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Type)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Status)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.LastUpdateTime.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Reason)
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.Message)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *StorageVersionMigration) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ObjectMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Spec.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = m.Status.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *StorageVersionMigrationList) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.ListMeta.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	if len(m.Items) > 0 {
-		for _, e := range m.Items {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *StorageVersionMigrationSpec) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = m.Resource.Size()
-	n += 1 + l + sovGenerated(uint64(l))
-	l = len(m.ContinueToken)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func (m *StorageVersionMigrationStatus) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Conditions) > 0 {
-		for _, e := range m.Conditions {
-			l = e.Size()
-			n += 1 + l + sovGenerated(uint64(l))
-		}
-	}
-	l = len(m.ResourceVersion)
-	n += 1 + l + sovGenerated(uint64(l))
-	return n
-}
-
-func sovGenerated(x uint64) (n int) {
-	return (math_bits.Len64(x|1) + 6) / 7
-}
-func sozGenerated(x uint64) (n int) {
-	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-func (this *GroupVersionResource) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&GroupVersionResource{`,
-		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
-		`Version:` + fmt.Sprintf("%v", this.Version) + `,`,
-		`Resource:` + fmt.Sprintf("%v", this.Resource) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *MigrationCondition) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&MigrationCondition{`,
-		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
-		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
-		`LastUpdateTime:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.LastUpdateTime), "Time", "v1.Time", 1), `&`, ``, 1) + `,`,
-		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
-		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *StorageVersionMigration) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&StorageVersionMigration{`,
-		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
-		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "StorageVersionMigrationSpec", "StorageVersionMigrationSpec", 1), `&`, ``, 1) + `,`,
-		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "StorageVersionMigrationStatus", "StorageVersionMigrationStatus", 1), `&`, ``, 1) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *StorageVersionMigrationList) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForItems := "[]StorageVersionMigration{"
-	for _, f := range this.Items {
-		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "StorageVersionMigration", "StorageVersionMigration", 1), `&`, ``, 1) + ","
-	}
-	repeatedStringForItems += "}"
-	s := strings.Join([]string{`&StorageVersionMigrationList{`,
-		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
-		`Items:` + repeatedStringForItems + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *StorageVersionMigrationSpec) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&StorageVersionMigrationSpec{`,
-		`Resource:` + strings.Replace(strings.Replace(this.Resource.String(), "GroupVersionResource", "GroupVersionResource", 1), `&`, ``, 1) + `,`,
-		`ContinueToken:` + fmt.Sprintf("%v", this.ContinueToken) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *StorageVersionMigrationStatus) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForConditions := "[]MigrationCondition{"
-	for _, f := range this.Conditions {
-		repeatedStringForConditions += strings.Replace(strings.Replace(f.String(), "MigrationCondition", "MigrationCondition", 1), `&`, ``, 1) + ","
-	}
-	repeatedStringForConditions += "}"
-	s := strings.Join([]string{`&StorageVersionMigrationStatus{`,
-		`Conditions:` + repeatedStringForConditions + `,`,
-		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func valueToStringGenerated(v interface{}) string {
-	rv := reflect.ValueOf(v)
-	if rv.IsNil() {
-		return "nil"
-	}
-	pv := reflect.Indirect(rv).Interface()
-	return fmt.Sprintf("*%v", pv)
-}
-func (m *GroupVersionResource) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: GroupVersionResource: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: GroupVersionResource: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Group = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Version = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Resource = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *MigrationCondition) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: MigrationCondition: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: MigrationCondition: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Type = MigrationConditionType(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 4:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Reason = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 5:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Message = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *StorageVersionMigration) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: StorageVersionMigration: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: StorageVersionMigration: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *StorageVersionMigrationList) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: StorageVersionMigrationList: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: StorageVersionMigrationList: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Items = append(m.Items, StorageVersionMigration{})
-			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *StorageVersionMigrationSpec) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: StorageVersionMigrationSpec: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: StorageVersionMigrationSpec: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ContinueToken", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.ContinueToken = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *StorageVersionMigrationStatus) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: StorageVersionMigrationStatus: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: StorageVersionMigrationStatus: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Conditions = append(m.Conditions, MigrationCondition{})
-			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipGenerated(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthGenerated
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func skipGenerated(dAtA []byte) (n int, err error) {
-	l := len(dAtA)
-	iNdEx := 0
-	depth := 0
-	for iNdEx < l {
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return 0, ErrIntOverflowGenerated
-			}
-			if iNdEx >= l {
-				return 0, io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		wireType := int(wire & 0x7)
-		switch wireType {
-		case 0:
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				iNdEx++
-				if dAtA[iNdEx-1] < 0x80 {
-					break
-				}
-			}
-		case 1:
-			iNdEx += 8
-		case 2:
-			var length int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowGenerated
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				length |= (int(b) & 0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if length < 0 {
-				return 0, ErrInvalidLengthGenerated
-			}
-			iNdEx += length
-		case 3:
-			depth++
-		case 4:
-			if depth == 0 {
-				return 0, ErrUnexpectedEndOfGroupGenerated
-			}
-			depth--
-		case 5:
-			iNdEx += 4
-		default:
-			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
-		}
-		if iNdEx < 0 {
-			return 0, ErrInvalidLengthGenerated
-		}
-		if depth == 0 {
-			return iNdEx, nil
-		}
-	}
-	return 0, io.ErrUnexpectedEOF
-}
-
-var (
-	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
-	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
-)
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.proto b/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.proto
deleted file mode 100644
index 341e0bc5cfaf5..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/generated.proto
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-
-// This file was autogenerated by go-to-protobuf. Do not edit it manually!
-
-syntax = "proto2";
-
-package k8s.io.api.storagemigration.v1alpha1;
-
-import "k8s.io/api/core/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/generated.proto";
-import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
-
-// Package-wide variables from generator "generated".
-option go_package = "k8s.io/api/storagemigration/v1alpha1";
-
-// The names of the group, the version, and the resource.
-message GroupVersionResource {
-  // The name of the group.
-  optional string group = 1;
-
-  // The name of the version.
-  optional string version = 2;
-
-  // The name of the resource.
-  optional string resource = 3;
-}
-
-// Describes the state of a migration at a certain point.
-message MigrationCondition {
-  // Type of the condition.
-  optional string type = 1;
-
-  // Status of the condition, one of True, False, Unknown.
-  optional string status = 2;
-
-  // The last time this condition was updated.
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 3;
-
-  // The reason for the condition's last transition.
-  // +optional
-  optional string reason = 4;
-
-  // A human readable message indicating details about the transition.
-  // +optional
-  optional string message = 5;
-}
-
-// StorageVersionMigration represents a migration of stored data to the latest
-// storage version.
-message StorageVersionMigration {
-  // Standard object metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // Specification of the migration.
-  // +optional
-  optional StorageVersionMigrationSpec spec = 2;
-
-  // Status of the migration.
-  // +optional
-  optional StorageVersionMigrationStatus status = 3;
-}
-
-// StorageVersionMigrationList is a collection of storage version migrations.
-message StorageVersionMigrationList {
-  // Standard list metadata
-  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-  // +optional
-  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // Items is the list of StorageVersionMigration
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  repeated StorageVersionMigration items = 2;
-}
-
-// Spec of the storage version migration.
-message StorageVersionMigrationSpec {
-  // The resource that is being migrated. The migrator sends requests to
-  // the endpoint serving the resource.
-  // Immutable.
-  optional GroupVersionResource resource = 1;
-
-  // The token used in the list options to get the next chunk of objects
-  // to migrate. When the .status.conditions indicates the migration is
-  // "Running", users can use this token to check the progress of the
-  // migration.
-  // +optional
-  optional string continueToken = 2;
-}
-
-// Status of the storage version migration.
-message StorageVersionMigrationStatus {
-  // The latest available observations of the migration's current state.
-  // +patchMergeKey=type
-  // +patchStrategy=merge
-  // +listType=map
-  // +listMapKey=type
-  // +optional
-  repeated MigrationCondition conditions = 1;
-
-  // ResourceVersion to compare with the GC cache for performing the migration.
-  // This is the current resource version of given group, version and resource when
-  // kube-controller-manager first observes this StorageVersionMigration resource.
-  optional string resourceVersion = 2;
-}
-
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/register.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/register.go
deleted file mode 100644
index c9706050f12e9..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/register.go
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// GroupName is the group name use in this package
-const GroupName = "storagemigration.k8s.io"
-
-// SchemeGroupVersion is group version used to register these objects
-var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
-
-// Kind takes an unqualified kind and returns a Group qualified GroupKind
-func Kind(kind string) schema.GroupKind {
-	return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource
-func Resource(resource string) schema.GroupResource {
-	return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
-	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
-	localSchemeBuilder = &SchemeBuilder
-	AddToScheme        = localSchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to the given scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
-	scheme.AddKnownTypes(SchemeGroupVersion,
-		&StorageVersionMigration{},
-		&StorageVersionMigrationList{},
-	)
-
-	// Add the watch version that applies
-	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
-	return nil
-}
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/types.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/types.go
deleted file mode 100644
index 0f343d1e956e2..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/types.go
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +genclient
-// +genclient:nonNamespaced
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +k8s:prerelease-lifecycle-gen:introduced=1.30
-
-// StorageVersionMigration represents a migration of stored data to the latest
-// storage version.
-type StorageVersionMigration struct {
-	metav1.TypeMeta `json:",inline"`
-	// Standard object metadata.
-	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-	// +optional
-	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-	// Specification of the migration.
-	// +optional
-	Spec StorageVersionMigrationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
-	// Status of the migration.
-	// +optional
-	Status StorageVersionMigrationStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
-}
-
-// Spec of the storage version migration.
-type StorageVersionMigrationSpec struct {
-	// The resource that is being migrated. The migrator sends requests to
-	// the endpoint serving the resource.
-	// Immutable.
-	Resource GroupVersionResource `json:"resource" protobuf:"bytes,1,opt,name=resource"`
-	// The token used in the list options to get the next chunk of objects
-	// to migrate. When the .status.conditions indicates the migration is
-	// "Running", users can use this token to check the progress of the
-	// migration.
-	// +optional
-	ContinueToken string `json:"continueToken,omitempty" protobuf:"bytes,2,opt,name=continueToken"`
-	// TODO: consider recording the storage version hash when the migration
-	// is created. It can avoid races.
-}
-
-// The names of the group, the version, and the resource.
-type GroupVersionResource struct {
-	// The name of the group.
-	Group string `json:"group,omitempty" protobuf:"bytes,1,opt,name=group"`
-	// The name of the version.
-	Version string `json:"version,omitempty" protobuf:"bytes,2,opt,name=version"`
-	// The name of the resource.
-	Resource string `json:"resource,omitempty" protobuf:"bytes,3,opt,name=resource"`
-}
-
-type MigrationConditionType string
-
-const (
-	// Indicates that the migration is running.
-	MigrationRunning MigrationConditionType = "Running"
-	// Indicates that the migration has completed successfully.
-	MigrationSucceeded MigrationConditionType = "Succeeded"
-	// Indicates that the migration has failed.
-	MigrationFailed MigrationConditionType = "Failed"
-)
-
-// Describes the state of a migration at a certain point.
-type MigrationCondition struct {
-	// Type of the condition.
-	Type MigrationConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=MigrationConditionType"`
-	// Status of the condition, one of True, False, Unknown.
-	Status corev1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
-	// The last time this condition was updated.
-	// +optional
-	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,3,opt,name=lastUpdateTime"`
-	// The reason for the condition's last transition.
-	// +optional
-	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
-	// A human readable message indicating details about the transition.
-	// +optional
-	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
-}
-
-// Status of the storage version migration.
-type StorageVersionMigrationStatus struct {
-	// The latest available observations of the migration's current state.
-	// +patchMergeKey=type
-	// +patchStrategy=merge
-	// +listType=map
-	// +listMapKey=type
-	// +optional
-	Conditions []MigrationCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
-	// ResourceVersion to compare with the GC cache for performing the migration.
-	// This is the current resource version of given group, version and resource when
-	// kube-controller-manager first observes this StorageVersionMigration resource.
-	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,2,opt,name=resourceVersion"`
-}
-
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +k8s:prerelease-lifecycle-gen:introduced=1.30
-
-// StorageVersionMigrationList is a collection of storage version migrations.
-type StorageVersionMigrationList struct {
-	metav1.TypeMeta `json:",inline"`
-
-	// Standard list metadata
-	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-	// +optional
-	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-	// Items is the list of StorageVersionMigration
-	// +patchMergeKey=type
-	// +patchStrategy=merge
-	// +listType=map
-	// +listMapKey=type
-	Items []StorageVersionMigration `json:"items" listType:"map" listMapKey:"type" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=items"`
-}
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/types_swagger_doc_generated.go
deleted file mode 100644
index 257d72a2363af..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/types_swagger_doc_generated.go
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-// This file contains a collection of methods that can be used from go-restful to
-// generate Swagger API documentation for its models. Please read this PR for more
-// information on the implementation: https://github.com/emicklei/go-restful/pull/215
-//
-// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
-// they are on one line! For multiple line or blocks that you want to ignore use ---.
-// Any context after a --- is ignored.
-//
-// Those methods can be generated by using hack/update-codegen.sh
-
-// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
-var map_GroupVersionResource = map[string]string{
-	"":         "The names of the group, the version, and the resource.",
-	"group":    "The name of the group.",
-	"version":  "The name of the version.",
-	"resource": "The name of the resource.",
-}
-
-func (GroupVersionResource) SwaggerDoc() map[string]string {
-	return map_GroupVersionResource
-}
-
-var map_MigrationCondition = map[string]string{
-	"":               "Describes the state of a migration at a certain point.",
-	"type":           "Type of the condition.",
-	"status":         "Status of the condition, one of True, False, Unknown.",
-	"lastUpdateTime": "The last time this condition was updated.",
-	"reason":         "The reason for the condition's last transition.",
-	"message":        "A human readable message indicating details about the transition.",
-}
-
-func (MigrationCondition) SwaggerDoc() map[string]string {
-	return map_MigrationCondition
-}
-
-var map_StorageVersionMigration = map[string]string{
-	"":         "StorageVersionMigration represents a migration of stored data to the latest storage version.",
-	"metadata": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-	"spec":     "Specification of the migration.",
-	"status":   "Status of the migration.",
-}
-
-func (StorageVersionMigration) SwaggerDoc() map[string]string {
-	return map_StorageVersionMigration
-}
-
-var map_StorageVersionMigrationList = map[string]string{
-	"":         "StorageVersionMigrationList is a collection of storage version migrations.",
-	"metadata": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-	"items":    "Items is the list of StorageVersionMigration",
-}
-
-func (StorageVersionMigrationList) SwaggerDoc() map[string]string {
-	return map_StorageVersionMigrationList
-}
-
-var map_StorageVersionMigrationSpec = map[string]string{
-	"":              "Spec of the storage version migration.",
-	"resource":      "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable.",
-	"continueToken": "The token used in the list options to get the next chunk of objects to migrate. When the .status.conditions indicates the migration is \"Running\", users can use this token to check the progress of the migration.",
-}
-
-func (StorageVersionMigrationSpec) SwaggerDoc() map[string]string {
-	return map_StorageVersionMigrationSpec
-}
-
-var map_StorageVersionMigrationStatus = map[string]string{
-	"":                "Status of the storage version migration.",
-	"conditions":      "The latest available observations of the migration's current state.",
-	"resourceVersion": "ResourceVersion to compare with the GC cache for performing the migration. This is the current resource version of given group, version and resource when kube-controller-manager first observes this StorageVersionMigration resource.",
-}
-
-func (StorageVersionMigrationStatus) SwaggerDoc() map[string]string {
-	return map_StorageVersionMigrationStatus
-}
-
-// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.deepcopy.go
deleted file mode 100644
index 9d35011d59c9b..0000000000000
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.deepcopy.go
+++ /dev/null
@@ -1,160 +0,0 @@
-//go:build !ignore_autogenerated
-// +build !ignore_autogenerated
-
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by deepcopy-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	runtime "k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GroupVersionResource) DeepCopyInto(out *GroupVersionResource) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionResource.
-func (in *GroupVersionResource) DeepCopy() *GroupVersionResource {
-	if in == nil {
-		return nil
-	}
-	out := new(GroupVersionResource)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MigrationCondition) DeepCopyInto(out *MigrationCondition) {
-	*out = *in
-	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MigrationCondition.
-func (in *MigrationCondition) DeepCopy() *MigrationCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(MigrationCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StorageVersionMigration) DeepCopyInto(out *StorageVersionMigration) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
-	in.Status.DeepCopyInto(&out.Status)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigration.
-func (in *StorageVersionMigration) DeepCopy() *StorageVersionMigration {
-	if in == nil {
-		return nil
-	}
-	out := new(StorageVersionMigration)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *StorageVersionMigration) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StorageVersionMigrationList) DeepCopyInto(out *StorageVersionMigrationList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]StorageVersionMigration, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationList.
-func (in *StorageVersionMigrationList) DeepCopy() *StorageVersionMigrationList {
-	if in == nil {
-		return nil
-	}
-	out := new(StorageVersionMigrationList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *StorageVersionMigrationList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StorageVersionMigrationSpec) DeepCopyInto(out *StorageVersionMigrationSpec) {
-	*out = *in
-	out.Resource = in.Resource
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationSpec.
-func (in *StorageVersionMigrationSpec) DeepCopy() *StorageVersionMigrationSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(StorageVersionMigrationSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StorageVersionMigrationStatus) DeepCopyInto(out *StorageVersionMigrationStatus) {
-	*out = *in
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]MigrationCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationStatus.
-func (in *StorageVersionMigrationStatus) DeepCopy() *StorageVersionMigrationStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(StorageVersionMigrationStatus)
-	in.DeepCopyInto(out)
-	return out
-}
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/doc.go b/staging/src/k8s.io/api/storagemigration/v1beta1/doc.go
new file mode 100644
index 0000000000000..a0809939602c0
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/doc.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:protobuf-gen=package
+// +k8s:openapi-gen=true
+// +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.api.storagemigration.v1beta1
+
+// +groupName=storagemigration.k8s.io
+
+package v1beta1
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/generated.pb.go b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.pb.go
new file mode 100644
index 0000000000000..309d61c9ae515
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.pb.go
@@ -0,0 +1,904 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: k8s.io/api/storagemigration/v1beta1/generated.proto
+
+package v1beta1
+
+import (
+	fmt "fmt"
+
+	io "io"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	math_bits "math/bits"
+	reflect "reflect"
+	strings "strings"
+)
+
+func (m *StorageVersionMigration) Reset() { *m = StorageVersionMigration{} }
+
+func (m *StorageVersionMigrationList) Reset() { *m = StorageVersionMigrationList{} }
+
+func (m *StorageVersionMigrationSpec) Reset() { *m = StorageVersionMigrationSpec{} }
+
+func (m *StorageVersionMigrationStatus) Reset() { *m = StorageVersionMigrationStatus{} }
+
+func (m *StorageVersionMigration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageVersionMigration) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *StorageVersionMigration) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x1a
+	{
+		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x12
+	{
+		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *StorageVersionMigrationList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageVersionMigrationList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *StorageVersionMigrationList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	{
+		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *StorageVersionMigrationSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageVersionMigrationSpec) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *StorageVersionMigrationSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Resource.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *StorageVersionMigrationStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageVersionMigrationStatus) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *StorageVersionMigrationStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i -= len(m.ResourceVersion)
+	copy(dAtA[i:], m.ResourceVersion)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i--
+	dAtA[i] = 0x12
+	if len(m.Conditions) > 0 {
+		for iNdEx := len(m.Conditions) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Conditions[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0xa
+		}
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	offset -= sovGenerated(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *StorageVersionMigration) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StorageVersionMigrationList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *StorageVersionMigrationSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.Resource.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StorageVersionMigrationStatus) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *StorageVersionMigration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageVersionMigration{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "StorageVersionMigrationSpec", "StorageVersionMigrationSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "StorageVersionMigrationStatus", "StorageVersionMigrationStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageVersionMigrationList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]StorageVersionMigration{"
+	for _, f := range this.Items {
+		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "StorageVersionMigration", "StorageVersionMigration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&StorageVersionMigrationList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + repeatedStringForItems + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageVersionMigrationSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageVersionMigrationSpec{`,
+		`Resource:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Resource), "GroupResource", "v1.GroupResource", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageVersionMigrationStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForConditions := "[]Condition{"
+	for _, f := range this.Conditions {
+		repeatedStringForConditions += fmt.Sprintf("%v", f) + ","
+	}
+	repeatedStringForConditions += "}"
+	s := strings.Join([]string{`&StorageVersionMigrationStatus{`,
+		`Conditions:` + repeatedStringForConditions + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *StorageVersionMigration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageVersionMigration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageVersionMigration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageVersionMigrationList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageVersionMigrationList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageVersionMigrationList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, StorageVersionMigration{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageVersionMigrationSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageVersionMigrationSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageVersionMigrationSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageVersionMigrationStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageVersionMigrationStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageVersionMigrationStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, v1.Condition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			iNdEx += length
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupGenerated
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthGenerated
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+
+var (
+	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
+)
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/generated.proto b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.proto
new file mode 100644
index 0000000000000..d7d08d88c7114
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.proto
@@ -0,0 +1,82 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = "proto2";
+
+package k8s.io.api.storagemigration.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "k8s.io/api/storagemigration/v1beta1";
+
+// StorageVersionMigration represents a migration of stored data to the latest
+// storage version.
+message StorageVersionMigration {
+  // Standard object metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the migration.
+  // +optional
+  optional StorageVersionMigrationSpec spec = 2;
+
+  // Status of the migration.
+  // +optional
+  optional StorageVersionMigrationStatus status = 3;
+}
+
+// StorageVersionMigrationList is a collection of storage version migrations.
+message StorageVersionMigrationList {
+  // Standard list metadata
+  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of StorageVersionMigration
+  repeated StorageVersionMigration items = 2;
+}
+
+// Spec of the storage version migration.
+message StorageVersionMigrationSpec {
+  // The resource that is being migrated. The migrator sends requests to
+  // the endpoint serving the resource.
+  // Immutable.
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.GroupResource resource = 1;
+}
+
+// Status of the storage version migration.
+message StorageVersionMigrationStatus {
+  // The latest available observations of the migration's current state.
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  // +listType=map
+  // +listMapKey=type
+  // +optional
+  repeated .k8s.io.apimachinery.pkg.apis.meta.v1.Condition conditions = 1;
+
+  // ResourceVersion to compare with the GC cache for performing the migration.
+  // This is the current resource version of given group, version and resource when
+  // kube-controller-manager first observes this StorageVersionMigration resource.
+  optional string resourceVersion = 2;
+}
+
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..39cafd8a9e747
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*StorageVersionMigration) ProtoMessage() {}
+
+func (*StorageVersionMigrationList) ProtoMessage() {}
+
+func (*StorageVersionMigrationSpec) ProtoMessage() {}
+
+func (*StorageVersionMigrationStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/register.go b/staging/src/k8s.io/api/storagemigration/v1beta1/register.go
new file mode 100644
index 0000000000000..dcc8dee375c46
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/register.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "storagemigration.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&StorageVersionMigration{},
+		&StorageVersionMigrationList{},
+	)
+
+	// Add the watch version that applies
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/types.go b/staging/src/k8s.io/api/storagemigration/v1beta1/types.go
new file mode 100644
index 0000000000000..9655f737ae5ed
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/types.go
@@ -0,0 +1,91 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.35
+
+// StorageVersionMigration represents a migration of stored data to the latest
+// storage version.
+type StorageVersionMigration struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// Specification of the migration.
+	// +optional
+	Spec StorageVersionMigrationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+	// Status of the migration.
+	// +optional
+	Status StorageVersionMigrationStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// Spec of the storage version migration.
+type StorageVersionMigrationSpec struct {
+	// The resource that is being migrated. The migrator sends requests to
+	// the endpoint serving the resource.
+	// Immutable.
+	Resource metav1.GroupResource `json:"resource" protobuf:"bytes,1,opt,name=resource"`
+}
+
+type MigrationConditionType string
+
+const (
+	// Indicates that the migration is running.
+	MigrationRunning MigrationConditionType = "Running"
+	// Indicates that the migration has completed successfully.
+	MigrationSucceeded MigrationConditionType = "Succeeded"
+	// Indicates that the migration has failed.
+	MigrationFailed MigrationConditionType = "Failed"
+)
+
+// Status of the storage version migration.
+type StorageVersionMigrationStatus struct {
+	// The latest available observations of the migration's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+	// ResourceVersion to compare with the GC cache for performing the migration.
+	// This is the current resource version of given group, version and resource when
+	// kube-controller-manager first observes this StorageVersionMigration resource.
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,2,opt,name=resourceVersion"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.35
+
+// StorageVersionMigrationList is a collection of storage version migrations.
+type StorageVersionMigrationList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// Items is the list of StorageVersionMigration
+	Items []StorageVersionMigration `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/storagemigration/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 0000000000000..90e4ccc3a2706
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,70 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-codegen.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE. DO NOT EDIT.
+var map_StorageVersionMigration = map[string]string{
+	"":         "StorageVersionMigration represents a migration of stored data to the latest storage version.",
+	"metadata": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "Specification of the migration.",
+	"status":   "Status of the migration.",
+}
+
+func (StorageVersionMigration) SwaggerDoc() map[string]string {
+	return map_StorageVersionMigration
+}
+
+var map_StorageVersionMigrationList = map[string]string{
+	"":         "StorageVersionMigrationList is a collection of storage version migrations.",
+	"metadata": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "Items is the list of StorageVersionMigration",
+}
+
+func (StorageVersionMigrationList) SwaggerDoc() map[string]string {
+	return map_StorageVersionMigrationList
+}
+
+var map_StorageVersionMigrationSpec = map[string]string{
+	"":         "Spec of the storage version migration.",
+	"resource": "The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable.",
+}
+
+func (StorageVersionMigrationSpec) SwaggerDoc() map[string]string {
+	return map_StorageVersionMigrationSpec
+}
+
+var map_StorageVersionMigrationStatus = map[string]string{
+	"":                "Status of the storage version migration.",
+	"conditions":      "The latest available observations of the migration's current state.",
+	"resourceVersion": "ResourceVersion to compare with the GC cache for performing the migration. This is the current resource version of given group, version and resource when kube-controller-manager first observes this StorageVersionMigration resource.",
+}
+
+func (StorageVersionMigrationStatus) SwaggerDoc() map[string]string {
+	return map_StorageVersionMigrationStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000000..2da553daa2f75
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,128 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageVersionMigration) DeepCopyInto(out *StorageVersionMigration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigration.
+func (in *StorageVersionMigration) DeepCopy() *StorageVersionMigration {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageVersionMigration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageVersionMigration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageVersionMigrationList) DeepCopyInto(out *StorageVersionMigrationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]StorageVersionMigration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationList.
+func (in *StorageVersionMigrationList) DeepCopy() *StorageVersionMigrationList {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageVersionMigrationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageVersionMigrationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageVersionMigrationSpec) DeepCopyInto(out *StorageVersionMigrationSpec) {
+	*out = *in
+	out.Resource = in.Resource
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationSpec.
+func (in *StorageVersionMigrationSpec) DeepCopy() *StorageVersionMigrationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageVersionMigrationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageVersionMigrationStatus) DeepCopyInto(out *StorageVersionMigrationStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageVersionMigrationStatus.
+func (in *StorageVersionMigrationStatus) DeepCopy() *StorageVersionMigrationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageVersionMigrationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5a6701c36d61b
--- /dev/null
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionMigration) OpenAPIModelName() string {
+	return "io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionMigrationList) OpenAPIModelName() string {
+	return "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionMigrationSpec) OpenAPIModelName() string {
+	return "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StorageVersionMigrationStatus) OpenAPIModelName() string {
+	return "io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus"
+}
diff --git a/staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.prerelease-lifecycle.go b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.prerelease-lifecycle.go
similarity index 96%
rename from staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.prerelease-lifecycle.go
rename to staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.prerelease-lifecycle.go
index acdb5743512e6..f52614f7d33a4 100644
--- a/staging/src/k8s.io/api/storagemigration/v1alpha1/zz_generated.prerelease-lifecycle.go
+++ b/staging/src/k8s.io/api/storagemigration/v1beta1/zz_generated.prerelease-lifecycle.go
@@ -19,40 +19,40 @@ limitations under the License.
 
 // Code generated by prerelease-lifecycle-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
 
 // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
 func (in *StorageVersionMigration) APILifecycleIntroduced() (major, minor int) {
-	return 1, 30
+	return 1, 35
 }
 
 // APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
 func (in *StorageVersionMigration) APILifecycleDeprecated() (major, minor int) {
-	return 1, 33
+	return 1, 38
 }
 
 // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
 func (in *StorageVersionMigration) APILifecycleRemoved() (major, minor int) {
-	return 1, 36
+	return 1, 41
 }
 
 // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
 func (in *StorageVersionMigrationList) APILifecycleIntroduced() (major, minor int) {
-	return 1, 30
+	return 1, 35
 }
 
 // APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
 func (in *StorageVersionMigrationList) APILifecycleDeprecated() (major, minor int) {
-	return 1, 33
+	return 1, 38
 }
 
 // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
 func (in *StorageVersionMigrationList) APILifecycleRemoved() (major, minor int) {
-	return 1, 36
+	return 1, 41
 }
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.json
index 6d0dcb9035de6..48b204ffd730e 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.json
@@ -367,7 +367,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1843,7 +1846,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.pb
index 5ce7c1d6fa7b3..86fae4aca19c7 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.yaml
index 1180b32af982e..e57a716d19c38 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.DaemonSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   updateStrategy:
     rollingUpdate:
       maxSurge: maxSurgeValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.json
index d2a93e6cc9a91..5168ada9be23f 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "strategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.pb
index 1cde4fc61f19b..bff40b2ef4e60 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.yaml
index 558ece9a5a776..e730e6296ddb6 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.Deployment.yaml
@@ -1214,6 +1214,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1275,6 +1277,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 4
   collisionCount: 8
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.json
index 6b2ef0f61af3e..77dbe6c40b1e2 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.json
@@ -369,7 +369,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1845,7 +1848,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.pb
index 21dce4311f643..b19b378ed0057 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.yaml
index 9939c9cdd25e5..7ba70c61ad092 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.ReplicaSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 5
   conditions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.json
index 0158c869ecf35..66c5c1bbf8e2a 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.pb
index 080ea19af8787..eaad0ed30100a 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.yaml
index 052f5013f71b6..593d4a368d45e 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1.StatefulSet.yaml
@@ -1214,6 +1214,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1275,6 +1277,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   updateStrategy:
     rollingUpdate:
       maxUnavailable: maxUnavailableValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.json
index 44a1fa56abcab..1a2a057e02f9e 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "strategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.pb
index 45a8516719012..596d4ed64af91 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.yaml
index 69f5ebcbe91ab..d04c97bfc7c7a 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.Deployment.yaml
@@ -1216,6 +1216,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1277,6 +1279,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 4
   collisionCount: 8
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.json
index 2952aff2de268..064d41d805f09 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.pb
index f531b98d8331c..6975bae4a37e5 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.yaml
index 6362cf5a04a50..fb99d0e602cab 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta1.StatefulSet.yaml
@@ -1214,6 +1214,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1275,6 +1277,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   updateStrategy:
     rollingUpdate:
       maxUnavailable: maxUnavailableValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.json
index f018c09bb142a..d6eee9ea6e9d0 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.json
@@ -367,7 +367,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1843,7 +1846,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.pb
index 666b353abfba8..d2fa55813e098 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.yaml
index 2481149fcade6..6c5827f42d10b 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.DaemonSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   updateStrategy:
     rollingUpdate:
       maxSurge: maxSurgeValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.json
index cf90eceac494b..62cd655717b2c 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "strategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.pb
index 4dcc3e56a9c63..bf681bb8d865e 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.yaml
index 8eba35a2b83c8..9dc11ada486c0 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.Deployment.yaml
@@ -1214,6 +1214,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1275,6 +1277,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 4
   collisionCount: 8
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.json
index 53d19e86b0b5a..d2e880c58f0d5 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.json
@@ -369,7 +369,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1845,7 +1848,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.pb
index 8d1be4d0b5630..15275cd57a1eb 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.yaml
index 1cf516f35cc9b..ec1574bc98b76 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.ReplicaSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 5
   conditions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.json b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.json
index f281b75d16364..28a32b44dcd41 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.pb b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.pb
index 840dcc0a21f43..2a7abed471fff 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.yaml
index 726b114d7a2ff..1a799675be072 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/apps.v1beta2.StatefulSet.yaml
@@ -1214,6 +1214,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1275,6 +1277,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   updateStrategy:
     rollingUpdate:
       maxUnavailable: maxUnavailableValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.json b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.json
index f6aafb1835bea..1f5b8df2388be 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.json
@@ -451,7 +451,10 @@
                         "maxExpirationSeconds": 3,
                         "credentialBundlePath": "credentialBundlePathValue",
                         "keyPath": "keyPathValue",
-                        "certificateChainPath": "certificateChainPathValue"
+                        "certificateChainPath": "certificateChainPathValue",
+                        "userAnnotations": {
+                          "userAnnotationsKey": "userAnnotationsValue"
+                        }
                       }
                     }
                   ],
@@ -1927,7 +1930,12 @@
                 }
               ]
             },
-            "hostnameOverride": "hostnameOverrideValue"
+            "hostnameOverride": "hostnameOverrideValue",
+            "workloadRef": {
+              "name": "nameValue",
+              "podGroup": "podGroupValue",
+              "podGroupReplicaKey": "podGroupReplicaKeyValue"
+            }
           }
         },
         "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.pb b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.pb
index 4889e68bcc8f3..775ebf95206f0 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.pb and b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.yaml b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.yaml
index cf1b872a50c8b..b08dfe35206ff 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.CronJob.yaml
@@ -1266,6 +1266,8 @@ spec:
                   keyType: keyTypeValue
                   maxExpirationSeconds: 3
                   signerName: signerNameValue
+                  userAnnotations:
+                    userAnnotationsKey: userAnnotationsValue
                 secret:
                   items:
                   - key: keyValue
@@ -1327,6 +1329,10 @@ spec:
               storagePolicyID: storagePolicyIDValue
               storagePolicyName: storagePolicyNameValue
               volumePath: volumePathValue
+          workloadRef:
+            name: nameValue
+            podGroup: podGroupValue
+            podGroupReplicaKey: podGroupReplicaKeyValue
       ttlSecondsAfterFinished: 8
   schedule: scheduleValue
   startingDeadlineSeconds: 2
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.json b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.json
index 8996a2246df45..cae93ab95027e 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.json
@@ -402,7 +402,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1878,7 +1881,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.pb b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.pb
index 5395e9eddb5ce..8f767838b8817 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.pb and b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.yaml b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.yaml
index 301e24af34f5d..3d25c120ee32f 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1.Job.yaml
@@ -1230,6 +1230,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1291,6 +1293,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   ttlSecondsAfterFinished: 8
 status:
   active: 4
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.json b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.json
index dc6ace974dce6..5436d0cf4e83d 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.json
@@ -451,7 +451,10 @@
                         "maxExpirationSeconds": 3,
                         "credentialBundlePath": "credentialBundlePathValue",
                         "keyPath": "keyPathValue",
-                        "certificateChainPath": "certificateChainPathValue"
+                        "certificateChainPath": "certificateChainPathValue",
+                        "userAnnotations": {
+                          "userAnnotationsKey": "userAnnotationsValue"
+                        }
                       }
                     }
                   ],
@@ -1927,7 +1930,12 @@
                 }
               ]
             },
-            "hostnameOverride": "hostnameOverrideValue"
+            "hostnameOverride": "hostnameOverrideValue",
+            "workloadRef": {
+              "name": "nameValue",
+              "podGroup": "podGroupValue",
+              "podGroupReplicaKey": "podGroupReplicaKeyValue"
+            }
           }
         },
         "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.pb b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.pb
index a6776263a4dc2..6bfb4158e7f31 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.pb and b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.yaml b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.yaml
index 90eb8120b3ff8..21d9f01c16bd4 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/batch.v1beta1.CronJob.yaml
@@ -1266,6 +1266,8 @@ spec:
                   keyType: keyTypeValue
                   maxExpirationSeconds: 3
                   signerName: signerNameValue
+                  userAnnotations:
+                    userAnnotationsKey: userAnnotationsValue
                 secret:
                   items:
                   - key: keyValue
@@ -1327,6 +1329,10 @@ spec:
               storagePolicyID: storagePolicyIDValue
               storagePolicyName: storagePolicyNameValue
               volumePath: volumePathValue
+          workloadRef:
+            name: nameValue
+            podGroup: podGroupValue
+            podGroupReplicaKey: podGroupReplicaKeyValue
       ttlSecondsAfterFinished: 8
   schedule: scheduleValue
   startingDeadlineSeconds: 2
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.json b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.json
new file mode 100644
index 0000000000000..93a2f04448c19
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.json
@@ -0,0 +1,77 @@
+{
+  "kind": "PodCertificateRequest",
+  "apiVersion": "certificates.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "signerName": "signerNameValue",
+    "podName": "podNameValue",
+    "podUID": "podUIDValue",
+    "serviceAccountName": "serviceAccountNameValue",
+    "serviceAccountUID": "serviceAccountUIDValue",
+    "nodeName": "nodeNameValue",
+    "nodeUID": "nodeUIDValue",
+    "maxExpirationSeconds": 8,
+    "pkixPublicKey": "CQ==",
+    "proofOfPossession": "Cg==",
+    "unverifiedUserAnnotations": {
+      "unverifiedUserAnnotationsKey": "unverifiedUserAnnotationsValue"
+    }
+  },
+  "status": {
+    "conditions": [
+      {
+        "type": "typeValue",
+        "status": "statusValue",
+        "observedGeneration": 3,
+        "lastTransitionTime": "2004-01-01T01:01:01Z",
+        "reason": "reasonValue",
+        "message": "messageValue"
+      }
+    ],
+    "certificateChain": "certificateChainValue",
+    "notBefore": "2004-01-01T01:01:01Z",
+    "beginRefreshAt": "2005-01-01T01:01:01Z",
+    "notAfter": "2006-01-01T01:01:01Z"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.pb b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.pb
new file mode 100644
index 0000000000000..3b2e1ebfecdf8
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.yaml b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.yaml
new file mode 100644
index 0000000000000..f8cec35717984
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1beta1.PodCertificateRequest.yaml
@@ -0,0 +1,59 @@
+apiVersion: certificates.k8s.io/v1beta1
+kind: PodCertificateRequest
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  maxExpirationSeconds: 8
+  nodeName: nodeNameValue
+  nodeUID: nodeUIDValue
+  pkixPublicKey: CQ==
+  podName: podNameValue
+  podUID: podUIDValue
+  proofOfPossession: Cg==
+  serviceAccountName: serviceAccountNameValue
+  serviceAccountUID: serviceAccountUIDValue
+  signerName: signerNameValue
+  unverifiedUserAnnotations:
+    unverifiedUserAnnotationsKey: unverifiedUserAnnotationsValue
+status:
+  beginRefreshAt: "2005-01-01T01:01:01Z"
+  certificateChain: certificateChainValue
+  conditions:
+  - lastTransitionTime: "2004-01-01T01:01:01Z"
+    message: messageValue
+    observedGeneration: 3
+    reason: reasonValue
+    status: statusValue
+    type: typeValue
+  notAfter: "2006-01-01T01:01:01Z"
+  notBefore: "2004-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.json
index 81dae37e4c40d..e207e4c6a5420 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.json
@@ -171,6 +171,9 @@
     ],
     "features": {
       "supplementalGroupsPolicy": true
-    }
+    },
+    "declaredFeatures": [
+      "declaredFeaturesValue"
+    ]
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.pb
index 86cc18929fa4a..05c5adcfb9b47 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.pb and b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.yaml
index 0d2da7a4bb9ef..e5fdd6b9c35ff 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Node.yaml
@@ -92,6 +92,8 @@ status:
   daemonEndpoints:
     kubeletEndpoint:
       Port: 1
+  declaredFeatures:
+  - declaredFeaturesValue
   features:
     supplementalGroupsPolicy: true
   images:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.json
index 2badc35f477a5..8316bb1654163 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.json
@@ -309,7 +309,10 @@
                 "maxExpirationSeconds": 3,
                 "credentialBundlePath": "credentialBundlePathValue",
                 "keyPath": "keyPathValue",
-                "certificateChainPath": "certificateChainPathValue"
+                "certificateChainPath": "certificateChainPathValue",
+                "userAnnotations": {
+                  "userAnnotationsKey": "userAnnotationsValue"
+                }
               }
             }
           ],
@@ -1785,7 +1788,12 @@
         }
       ]
     },
-    "hostnameOverride": "hostnameOverrideValue"
+    "hostnameOverride": "hostnameOverrideValue",
+    "workloadRef": {
+      "name": "nameValue",
+      "podGroup": "podGroupValue",
+      "podGroupReplicaKey": "podGroupReplicaKeyValue"
+    }
   },
   "status": {
     "observedGeneration": 17,
@@ -2113,6 +2121,23 @@
         }
       ],
       "resourceClaimName": "resourceClaimNameValue"
+    },
+    "allocatedResources": {
+      "allocatedResourcesKey": "0"
+    },
+    "resources": {
+      "limits": {
+        "limitsKey": "0"
+      },
+      "requests": {
+        "requestsKey": "0"
+      },
+      "claims": [
+        {
+          "name": "nameValue",
+          "request": "requestValue"
+        }
+      ]
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.pb
index 41e3958fcc61d..5edf767085d42 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.pb and b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.yaml
index 36d9a59473971..1335003613c70 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.Pod.yaml
@@ -1162,6 +1162,8 @@ spec:
           keyType: keyTypeValue
           maxExpirationSeconds: 3
           signerName: signerNameValue
+          userAnnotations:
+            userAnnotationsKey: userAnnotationsValue
         secret:
           items:
           - key: keyValue
@@ -1223,7 +1225,13 @@ spec:
       storagePolicyID: storagePolicyIDValue
       storagePolicyName: storagePolicyNameValue
       volumePath: volumePathValue
+  workloadRef:
+    name: nameValue
+    podGroup: podGroupValue
+    podGroupReplicaKey: podGroupReplicaKeyValue
 status:
+  allocatedResources:
+    allocatedResourcesKey: "0"
   conditions:
   - lastProbeTime: "2003-01-01T01:01:01Z"
     lastTransitionTime: "2004-01-01T01:01:01Z"
@@ -1443,4 +1451,12 @@ status:
   resourceClaimStatuses:
   - name: nameValue
     resourceClaimName: resourceClaimNameValue
+  resources:
+    claims:
+    - name: nameValue
+      request: requestValue
+    limits:
+      limitsKey: "0"
+    requests:
+      requestsKey: "0"
   startTime: "2007-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.json
index e65f3718c292c..eb59a472428c5 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.json
@@ -369,6 +369,23 @@
         }
       ],
       "resourceClaimName": "resourceClaimNameValue"
+    },
+    "allocatedResources": {
+      "allocatedResourcesKey": "0"
+    },
+    "resources": {
+      "limits": {
+        "limitsKey": "0"
+      },
+      "requests": {
+        "requestsKey": "0"
+      },
+      "claims": [
+        {
+          "name": "nameValue",
+          "request": "requestValue"
+        }
+      ]
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.pb
index 82f5a5c5c5c73..a06ad0fe01372 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.pb and b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.yaml
index 96fbedba0809f..561d88be58d30 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodStatusResult.yaml
@@ -33,6 +33,8 @@ metadata:
   selfLink: selfLinkValue
   uid: uidValue
 status:
+  allocatedResources:
+    allocatedResourcesKey: "0"
   conditions:
   - lastProbeTime: "2003-01-01T01:01:01Z"
     lastTransitionTime: "2004-01-01T01:01:01Z"
@@ -252,4 +254,12 @@ status:
   resourceClaimStatuses:
   - name: nameValue
     resourceClaimName: resourceClaimNameValue
+  resources:
+    claims:
+    - name: nameValue
+      request: requestValue
+    limits:
+      limitsKey: "0"
+    requests:
+      requestsKey: "0"
   startTime: "2007-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.json
index b665fdd23c209..52e8ad2c7d6d6 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.json
@@ -352,7 +352,10 @@
                   "maxExpirationSeconds": 3,
                   "credentialBundlePath": "credentialBundlePathValue",
                   "keyPath": "keyPathValue",
-                  "certificateChainPath": "certificateChainPathValue"
+                  "certificateChainPath": "certificateChainPathValue",
+                  "userAnnotations": {
+                    "userAnnotationsKey": "userAnnotationsValue"
+                  }
                 }
               }
             ],
@@ -1828,7 +1831,12 @@
           }
         ]
       },
-      "hostnameOverride": "hostnameOverrideValue"
+      "hostnameOverride": "hostnameOverrideValue",
+      "workloadRef": {
+        "name": "nameValue",
+        "podGroup": "podGroupValue",
+        "podGroupReplicaKey": "podGroupReplicaKeyValue"
+      }
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.pb
index eac7bca891351..c8a6030194004 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.pb and b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.yaml
index 5edb7f29b6de3..4080ec597c8b8 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.PodTemplate.yaml
@@ -1195,6 +1195,8 @@ template:
             keyType: keyTypeValue
             maxExpirationSeconds: 3
             signerName: signerNameValue
+            userAnnotations:
+              userAnnotationsKey: userAnnotationsValue
           secret:
             items:
             - key: keyValue
@@ -1256,3 +1258,7 @@ template:
         storagePolicyID: storagePolicyIDValue
         storagePolicyName: storagePolicyNameValue
         volumePath: volumePathValue
+    workloadRef:
+      name: nameValue
+      podGroup: podGroupValue
+      podGroupReplicaKey: podGroupReplicaKeyValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.json b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.json
index 09d3e9f2331dc..f4db5d62148a6 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.json
@@ -358,7 +358,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1834,7 +1837,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.pb b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.pb
index 9476529df60e5..799572d89be5d 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.pb and b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.yaml b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.yaml
index 205da180c964d..7bee55311ba73 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/core.v1.ReplicationController.yaml
@@ -1200,6 +1200,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1261,6 +1263,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 5
   conditions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.json b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.json
index 93d20033ba04e..dbde12274e6af 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.json
@@ -367,7 +367,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1843,7 +1846,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.pb b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.pb
index fc8e2a557a213..161b76999178e 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.yaml
index 7bdf4a9a41d51..6512376d9748c 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.DaemonSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
   templateGeneration: 5
   updateStrategy:
     rollingUpdate:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.json b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.json
index b352d70c394b1..be0cd57a8cf09 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.json
@@ -368,7 +368,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1844,7 +1847,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     },
     "strategy": {
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.pb b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.pb
index cebc6f20c5ac0..c2c612c2efb0e 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.pb and b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.yaml b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.yaml
index 7a42f9927a7d3..b47e20398aebb 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.Deployment.yaml
@@ -1216,6 +1216,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1277,6 +1279,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 4
   collisionCount: 8
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.json b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.json
index 7a31a72303124..760674be7cd34 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.json
@@ -369,7 +369,10 @@
                     "maxExpirationSeconds": 3,
                     "credentialBundlePath": "credentialBundlePathValue",
                     "keyPath": "keyPathValue",
-                    "certificateChainPath": "certificateChainPathValue"
+                    "certificateChainPath": "certificateChainPathValue",
+                    "userAnnotations": {
+                      "userAnnotationsKey": "userAnnotationsValue"
+                    }
                   }
                 }
               ],
@@ -1845,7 +1848,12 @@
             }
           ]
         },
-        "hostnameOverride": "hostnameOverrideValue"
+        "hostnameOverride": "hostnameOverrideValue",
+        "workloadRef": {
+          "name": "nameValue",
+          "podGroup": "podGroupValue",
+          "podGroupReplicaKey": "podGroupReplicaKeyValue"
+        }
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.pb
index 89749c919c7dc..b61e355108b7b 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.yaml
index 1bd12ba887a88..d983d21a3fbb1 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/extensions.v1beta1.ReplicaSet.yaml
@@ -1206,6 +1206,8 @@ spec:
               keyType: keyTypeValue
               maxExpirationSeconds: 3
               signerName: signerNameValue
+              userAnnotations:
+                userAnnotationsKey: userAnnotationsValue
             secret:
               items:
               - key: keyValue
@@ -1267,6 +1269,10 @@ spec:
           storagePolicyID: storagePolicyIDValue
           storagePolicyName: storagePolicyNameValue
           volumePath: volumePathValue
+      workloadRef:
+        name: nameValue
+        podGroup: podGroupValue
+        podGroupReplicaKey: podGroupReplicaKeyValue
 status:
   availableReplicas: 5
   conditions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
index 84ad149568007..c574f84cb2e14 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
@@ -45,17 +45,9 @@
   },
   "spec": {
     "deviceSelector": {
-      "deviceClassName": "deviceClassNameValue",
       "driver": "driverValue",
       "pool": "poolValue",
-      "device": "deviceValue",
-      "selectors": [
-        {
-          "cel": {
-            "expression": "expressionValue"
-          }
-        }
-      ]
+      "device": "deviceValue"
     },
     "taint": {
       "key": "keyValue",
@@ -63,5 +55,17 @@
       "effect": "effectValue",
       "timeAdded": "2004-01-01T01:01:01Z"
     }
+  },
+  "status": {
+    "conditions": [
+      {
+        "type": "typeValue",
+        "status": "statusValue",
+        "observedGeneration": 3,
+        "lastTransitionTime": "2004-01-01T01:01:01Z",
+        "reason": "reasonValue",
+        "message": "messageValue"
+      }
+    ]
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb
index 60244465bfcc2..feaa316ef8d42 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb and b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
index 8d06614b992c9..8c2bc6cfd3dbc 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
@@ -35,14 +35,18 @@ metadata:
 spec:
   deviceSelector:
     device: deviceValue
-    deviceClassName: deviceClassNameValue
     driver: driverValue
     pool: poolValue
-    selectors:
-    - cel:
-        expression: expressionValue
   taint:
     effect: effectValue
     key: keyValue
     timeAdded: "2004-01-01T01:01:01Z"
     value: valueValue
+status:
+  conditions:
+  - lastTransitionTime: "2004-01-01T01:01:01Z"
+    message: messageValue
+    observedGeneration: 3
+    reason: reasonValue
+    status: statusValue
+    type: typeValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.json b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.json
new file mode 100644
index 0000000000000..19c3499b20d99
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.json
@@ -0,0 +1,64 @@
+{
+  "kind": "Workload",
+  "apiVersion": "scheduling.k8s.io/v1alpha1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "controllerRef": {
+      "apiGroup": "apiGroupValue",
+      "kind": "kindValue",
+      "name": "nameValue"
+    },
+    "podGroups": [
+      {
+        "name": "nameValue",
+        "policy": {
+          "basic": {},
+          "gang": {
+            "minCount": 1
+          }
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.pb b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.pb
new file mode 100644
index 0000000000000..f69c06766c163
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.yaml b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.yaml
new file mode 100644
index 0000000000000..9e520d1daf645
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/scheduling.k8s.io.v1alpha1.Workload.yaml
@@ -0,0 +1,45 @@
+apiVersion: scheduling.k8s.io/v1alpha1
+kind: Workload
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  controllerRef:
+    apiGroup: apiGroupValue
+    kind: kindValue
+    name: nameValue
+  podGroups:
+  - name: nameValue
+    policy:
+      basic: {}
+      gang:
+        minCount: 1
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.json b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.json
index 84efb979be320..addc685f37eb0 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.json
@@ -59,6 +59,7 @@
     ],
     "requiresRepublish": true,
     "seLinuxMount": true,
-    "nodeAllocatableUpdatePeriodSeconds": 9
+    "nodeAllocatableUpdatePeriodSeconds": 9,
+    "serviceAccountTokenInSecrets": true
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.pb
index 07aeaa7f75626..c5e60ad070b16 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.pb and b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.yaml b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.yaml
index 748c7614a9e8f..9ede049a06fec 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1.CSIDriver.yaml
@@ -39,6 +39,7 @@ spec:
   podInfoOnMount: true
   requiresRepublish: true
   seLinuxMount: true
+  serviceAccountTokenInSecrets: true
   storageCapacity: true
   tokenRequests:
   - audience: audienceValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.json b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.json
index 0953f5e354d9c..687d508ad41e4 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.json
@@ -59,6 +59,7 @@
     ],
     "requiresRepublish": true,
     "seLinuxMount": true,
-    "nodeAllocatableUpdatePeriodSeconds": 9
+    "nodeAllocatableUpdatePeriodSeconds": 9,
+    "serviceAccountTokenInSecrets": true
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.pb
index 7cd87c4455469..7976348b86bcb 100644
Binary files a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.pb and b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.yaml b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.yaml
index 82e08fa9fc081..7eb84a3419203 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/storage.k8s.io.v1beta1.CSIDriver.yaml
@@ -39,6 +39,7 @@ spec:
   podInfoOnMount: true
   requiresRepublish: true
   seLinuxMount: true
+  serviceAccountTokenInSecrets: true
   storageCapacity: true
   tokenRequests:
   - audience: audienceValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
deleted file mode 100644
index 77ce9bf4513d4..0000000000000
--- a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  "kind": "StorageVersionMigration",
-  "apiVersion": "storagemigration.k8s.io/v1alpha1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "resource": {
-      "group": "groupValue",
-      "version": "versionValue",
-      "resource": "resourceValue"
-    },
-    "continueToken": "continueTokenValue"
-  },
-  "status": {
-    "conditions": [
-      {
-        "type": "typeValue",
-        "status": "statusValue",
-        "lastUpdateTime": "2003-01-01T01:01:01Z",
-        "reason": "reasonValue",
-        "message": "messageValue"
-      }
-    ],
-    "resourceVersion": "resourceVersionValue"
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb
deleted file mode 100644
index 59b8eca2ec5cd..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
deleted file mode 100644
index 577d619c12625..0000000000000
--- a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: storagemigration.k8s.io/v1alpha1
-kind: StorageVersionMigration
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  continueToken: continueTokenValue
-  resource:
-    group: groupValue
-    resource: resourceValue
-    version: versionValue
-status:
-  conditions:
-  - lastUpdateTime: "2003-01-01T01:01:01Z"
-    message: messageValue
-    reason: reasonValue
-    status: statusValue
-    type: typeValue
-  resourceVersion: resourceVersionValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.json b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.json
new file mode 100644
index 0000000000000..4b805fe541d68
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.json
@@ -0,0 +1,65 @@
+{
+  "kind": "StorageVersionMigration",
+  "apiVersion": "storagemigration.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "resource": {
+      "group": "groupValue",
+      "resource": "resourceValue"
+    }
+  },
+  "status": {
+    "conditions": [
+      {
+        "type": "typeValue",
+        "status": "statusValue",
+        "observedGeneration": 3,
+        "lastTransitionTime": "2004-01-01T01:01:01Z",
+        "reason": "reasonValue",
+        "message": "messageValue"
+      }
+    ],
+    "resourceVersion": "resourceVersionValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.pb b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.pb
new file mode 100644
index 0000000000000..dc4895e52c15b
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.pb differ
diff --git a/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.yaml b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.yaml
new file mode 100644
index 0000000000000..8c34b8f4a9f0d
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/storagemigration.k8s.io.v1beta1.StorageVersionMigration.yaml
@@ -0,0 +1,47 @@
+apiVersion: storagemigration.k8s.io/v1beta1
+kind: StorageVersionMigration
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  resource:
+    group: groupValue
+    resource: resourceValue
+status:
+  conditions:
+  - lastTransitionTime: "2004-01-01T01:01:01Z"
+    message: messageValue
+    observedGeneration: 3
+    reason: reasonValue
+    status: statusValue
+    type: typeValue
+  resourceVersion: resourceVersionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.after_roundtrip.pb b/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.after_roundtrip.pb
deleted file mode 100644
index 3cfdaa73be3c2..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.after_roundtrip.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.after_roundtrip.pb b/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.after_roundtrip.pb
deleted file mode 100644
index 13be65b0a5e2b..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.after_roundtrip.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.json b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.json
deleted file mode 100644
index c5f84c6f50690..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
-  "kind": "IPAddress",
-  "apiVersion": "networking.k8s.io/v1alpha1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "parentRef": {
-      "group": "groupValue",
-      "resource": "resourceValue",
-      "namespace": "namespaceValue",
-      "name": "nameValue"
-    }
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.pb b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.pb
deleted file mode 100644
index 7fceacd6bcacc..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.yaml
deleted file mode 100644
index 0bf2b17cb87f6..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.IPAddress.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: networking.k8s.io/v1alpha1
-kind: IPAddress
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  parentRef:
-    group: groupValue
-    name: nameValue
-    namespace: namespaceValue
-    resource: resourceValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.json b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.json
deleted file mode 100644
index cd77b39a0f77b..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
-  "kind": "ServiceCIDR",
-  "apiVersion": "networking.k8s.io/v1alpha1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "cidrs": [
-      "cidrsValue"
-    ]
-  },
-  "status": {
-    "conditions": [
-      {
-        "type": "typeValue",
-        "status": "statusValue",
-        "observedGeneration": 3,
-        "lastTransitionTime": "2004-01-01T01:01:01Z",
-        "reason": "reasonValue",
-        "message": "messageValue"
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.pb b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.pb
deleted file mode 100644
index 970393e6fae7b..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.yaml
deleted file mode 100644
index 4bf6b492dc712..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1alpha1.ServiceCIDR.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: networking.k8s.io/v1alpha1
-kind: ServiceCIDR
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  cidrs:
-  - cidrsValue
-status:
-  conditions:
-  - lastTransitionTime: "2004-01-01T01:01:01Z"
-    message: messageValue
-    observedGeneration: 3
-    reason: reasonValue
-    status: statusValue
-    type: typeValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.json
deleted file mode 100644
index cc837baa17313..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.json
+++ /dev/null
@@ -1,72 +0,0 @@
-{
-  "kind": "DeviceClass",
-  "apiVersion": "resource.k8s.io/v1alpha3",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "selectors": [
-      {
-        "cel": {
-          "expression": "expressionValue"
-        }
-      }
-    ],
-    "config": [
-      {
-        "opaque": {
-          "driver": "driverValue",
-          "parameters": {
-            "apiVersion": "example.com/v1",
-            "kind": "CustomType",
-            "spec": {
-              "replicas": 1
-            },
-            "status": {
-              "available": 1
-            }
-          }
-        }
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.pb
deleted file mode 100644
index 1ed35bed01c1d..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.yaml
deleted file mode 100644
index 9f786dc430e8b..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.DeviceClass.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: resource.k8s.io/v1alpha3
-kind: DeviceClass
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  config:
-  - opaque:
-      driver: driverValue
-      parameters:
-        apiVersion: example.com/v1
-        kind: CustomType
-        spec:
-          replicas: 1
-        status:
-          available: 1
-  selectors:
-  - cel:
-      expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.json
deleted file mode 100644
index f61f244ae7e43..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.json
+++ /dev/null
@@ -1,196 +0,0 @@
-{
-  "kind": "ResourceClaim",
-  "apiVersion": "resource.k8s.io/v1alpha3",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "devices": {
-      "requests": [
-        {
-          "name": "nameValue",
-          "deviceClassName": "deviceClassNameValue",
-          "selectors": [
-            {
-              "cel": {
-                "expression": "expressionValue"
-              }
-            }
-          ],
-          "allocationMode": "allocationModeValue",
-          "count": 5,
-          "adminAccess": true
-        }
-      ],
-      "constraints": [
-        {
-          "requests": [
-            "requestsValue"
-          ],
-          "matchAttribute": "matchAttributeValue"
-        }
-      ],
-      "config": [
-        {
-          "requests": [
-            "requestsValue"
-          ],
-          "opaque": {
-            "driver": "driverValue",
-            "parameters": {
-              "apiVersion": "example.com/v1",
-              "kind": "CustomType",
-              "spec": {
-                "replicas": 1
-              },
-              "status": {
-                "available": 1
-              }
-            }
-          }
-        }
-      ]
-    }
-  },
-  "status": {
-    "allocation": {
-      "devices": {
-        "results": [
-          {
-            "request": "requestValue",
-            "driver": "driverValue",
-            "pool": "poolValue",
-            "device": "deviceValue",
-            "adminAccess": true
-          }
-        ],
-        "config": [
-          {
-            "source": "sourceValue",
-            "requests": [
-              "requestsValue"
-            ],
-            "opaque": {
-              "driver": "driverValue",
-              "parameters": {
-                "apiVersion": "example.com/v1",
-                "kind": "CustomType",
-                "spec": {
-                  "replicas": 1
-                },
-                "status": {
-                  "available": 1
-                }
-              }
-            }
-          }
-        ]
-      },
-      "nodeSelector": {
-        "nodeSelectorTerms": [
-          {
-            "matchExpressions": [
-              {
-                "key": "keyValue",
-                "operator": "operatorValue",
-                "values": [
-                  "valuesValue"
-                ]
-              }
-            ],
-            "matchFields": [
-              {
-                "key": "keyValue",
-                "operator": "operatorValue",
-                "values": [
-                  "valuesValue"
-                ]
-              }
-            ]
-          }
-        ]
-      }
-    },
-    "reservedFor": [
-      {
-        "apiGroup": "apiGroupValue",
-        "resource": "resourceValue",
-        "name": "nameValue",
-        "uid": "uidValue"
-      }
-    ],
-    "devices": [
-      {
-        "driver": "driverValue",
-        "pool": "poolValue",
-        "device": "deviceValue",
-        "conditions": [
-          {
-            "type": "typeValue",
-            "status": "statusValue",
-            "observedGeneration": 3,
-            "lastTransitionTime": "2004-01-01T01:01:01Z",
-            "reason": "reasonValue",
-            "message": "messageValue"
-          }
-        ],
-        "data": {
-          "apiVersion": "example.com/v1",
-          "kind": "CustomType",
-          "spec": {
-            "replicas": 1
-          },
-          "status": {
-            "available": 1
-          }
-        },
-        "networkData": {
-          "interfaceName": "interfaceNameValue",
-          "ips": [
-            "ipsValue"
-          ],
-          "hardwareAddress": "hardwareAddressValue"
-        }
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.pb
deleted file mode 100644
index 30923fd8e35ce..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.yaml
deleted file mode 100644
index bc7855856b182..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaim.yaml
+++ /dev/null
@@ -1,123 +0,0 @@
-apiVersion: resource.k8s.io/v1alpha3
-kind: ResourceClaim
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  devices:
-    config:
-    - opaque:
-        driver: driverValue
-        parameters:
-          apiVersion: example.com/v1
-          kind: CustomType
-          spec:
-            replicas: 1
-          status:
-            available: 1
-      requests:
-      - requestsValue
-    constraints:
-    - matchAttribute: matchAttributeValue
-      requests:
-      - requestsValue
-    requests:
-    - adminAccess: true
-      allocationMode: allocationModeValue
-      count: 5
-      deviceClassName: deviceClassNameValue
-      name: nameValue
-      selectors:
-      - cel:
-          expression: expressionValue
-status:
-  allocation:
-    devices:
-      config:
-      - opaque:
-          driver: driverValue
-          parameters:
-            apiVersion: example.com/v1
-            kind: CustomType
-            spec:
-              replicas: 1
-            status:
-              available: 1
-        requests:
-        - requestsValue
-        source: sourceValue
-      results:
-      - adminAccess: true
-        device: deviceValue
-        driver: driverValue
-        pool: poolValue
-        request: requestValue
-    nodeSelector:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: keyValue
-          operator: operatorValue
-          values:
-          - valuesValue
-        matchFields:
-        - key: keyValue
-          operator: operatorValue
-          values:
-          - valuesValue
-  devices:
-  - conditions:
-    - lastTransitionTime: "2004-01-01T01:01:01Z"
-      message: messageValue
-      observedGeneration: 3
-      reason: reasonValue
-      status: statusValue
-      type: typeValue
-    data:
-      apiVersion: example.com/v1
-      kind: CustomType
-      spec:
-        replicas: 1
-      status:
-        available: 1
-    device: deviceValue
-    driver: driverValue
-    networkData:
-      hardwareAddress: hardwareAddressValue
-      interfaceName: interfaceNameValue
-      ips:
-      - ipsValue
-    pool: poolValue
-  reservedFor:
-  - apiGroup: apiGroupValue
-    name: nameValue
-    resource: resourceValue
-    uid: uidValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json
deleted file mode 100644
index 0669af6df4672..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json
+++ /dev/null
@@ -1,138 +0,0 @@
-{
-  "kind": "ResourceClaimTemplate",
-  "apiVersion": "resource.k8s.io/v1alpha3",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "metadata": {
-      "name": "nameValue",
-      "generateName": "generateNameValue",
-      "namespace": "namespaceValue",
-      "selfLink": "selfLinkValue",
-      "uid": "uidValue",
-      "resourceVersion": "resourceVersionValue",
-      "generation": 7,
-      "creationTimestamp": "2008-01-01T01:01:01Z",
-      "deletionTimestamp": "2009-01-01T01:01:01Z",
-      "deletionGracePeriodSeconds": 10,
-      "labels": {
-        "labelsKey": "labelsValue"
-      },
-      "annotations": {
-        "annotationsKey": "annotationsValue"
-      },
-      "ownerReferences": [
-        {
-          "apiVersion": "apiVersionValue",
-          "kind": "kindValue",
-          "name": "nameValue",
-          "uid": "uidValue",
-          "controller": true,
-          "blockOwnerDeletion": true
-        }
-      ],
-      "finalizers": [
-        "finalizersValue"
-      ],
-      "managedFields": [
-        {
-          "manager": "managerValue",
-          "operation": "operationValue",
-          "apiVersion": "apiVersionValue",
-          "time": "2004-01-01T01:01:01Z",
-          "fieldsType": "fieldsTypeValue",
-          "fieldsV1": {},
-          "subresource": "subresourceValue"
-        }
-      ]
-    },
-    "spec": {
-      "devices": {
-        "requests": [
-          {
-            "name": "nameValue",
-            "deviceClassName": "deviceClassNameValue",
-            "selectors": [
-              {
-                "cel": {
-                  "expression": "expressionValue"
-                }
-              }
-            ],
-            "allocationMode": "allocationModeValue",
-            "count": 5,
-            "adminAccess": true
-          }
-        ],
-        "constraints": [
-          {
-            "requests": [
-              "requestsValue"
-            ],
-            "matchAttribute": "matchAttributeValue"
-          }
-        ],
-        "config": [
-          {
-            "requests": [
-              "requestsValue"
-            ],
-            "opaque": {
-              "driver": "driverValue",
-              "parameters": {
-                "apiVersion": "example.com/v1",
-                "kind": "CustomType",
-                "spec": {
-                  "replicas": 1
-                },
-                "status": {
-                  "available": 1
-                }
-              }
-            }
-          }
-        ]
-      }
-    }
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.pb
deleted file mode 100644
index fab18a8e9e5f8..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml
deleted file mode 100644
index b0e5939dd5fe9..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-apiVersion: resource.k8s.io/v1alpha3
-kind: ResourceClaimTemplate
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  metadata:
-    annotations:
-      annotationsKey: annotationsValue
-    creationTimestamp: "2008-01-01T01:01:01Z"
-    deletionGracePeriodSeconds: 10
-    deletionTimestamp: "2009-01-01T01:01:01Z"
-    finalizers:
-    - finalizersValue
-    generateName: generateNameValue
-    generation: 7
-    labels:
-      labelsKey: labelsValue
-    managedFields:
-    - apiVersion: apiVersionValue
-      fieldsType: fieldsTypeValue
-      fieldsV1: {}
-      manager: managerValue
-      operation: operationValue
-      subresource: subresourceValue
-      time: "2004-01-01T01:01:01Z"
-    name: nameValue
-    namespace: namespaceValue
-    ownerReferences:
-    - apiVersion: apiVersionValue
-      blockOwnerDeletion: true
-      controller: true
-      kind: kindValue
-      name: nameValue
-      uid: uidValue
-    resourceVersion: resourceVersionValue
-    selfLink: selfLinkValue
-    uid: uidValue
-  spec:
-    devices:
-      config:
-      - opaque:
-          driver: driverValue
-          parameters:
-            apiVersion: example.com/v1
-            kind: CustomType
-            spec:
-              replicas: 1
-            status:
-              available: 1
-        requests:
-        - requestsValue
-      constraints:
-      - matchAttribute: matchAttributeValue
-        requests:
-        - requestsValue
-      requests:
-      - adminAccess: true
-        allocationMode: allocationModeValue
-        count: 5
-        deviceClassName: deviceClassNameValue
-        name: nameValue
-        selectors:
-        - cel:
-            expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.json
deleted file mode 100644
index a3a916ae36352..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.json
+++ /dev/null
@@ -1,98 +0,0 @@
-{
-  "kind": "ResourceSlice",
-  "apiVersion": "resource.k8s.io/v1alpha3",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "driver": "driverValue",
-    "pool": {
-      "name": "nameValue",
-      "generation": 2,
-      "resourceSliceCount": 3
-    },
-    "nodeName": "nodeNameValue",
-    "nodeSelector": {
-      "nodeSelectorTerms": [
-        {
-          "matchExpressions": [
-            {
-              "key": "keyValue",
-              "operator": "operatorValue",
-              "values": [
-                "valuesValue"
-              ]
-            }
-          ],
-          "matchFields": [
-            {
-              "key": "keyValue",
-              "operator": "operatorValue",
-              "values": [
-                "valuesValue"
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "allNodes": true,
-    "devices": [
-      {
-        "name": "nameValue",
-        "basic": {
-          "attributes": {
-            "attributesKey": {
-              "int": 2,
-              "bool": true,
-              "string": "stringValue",
-              "version": "versionValue"
-            }
-          },
-          "capacity": {
-            "capacityKey": "0"
-          }
-        }
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.pb
deleted file mode 100644
index 9a36629f9a87a..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.yaml
deleted file mode 100644
index 93d7f2e117023..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1alpha3.ResourceSlice.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: resource.k8s.io/v1alpha3
-kind: ResourceSlice
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  allNodes: true
-  devices:
-  - basic:
-      attributes:
-        attributesKey:
-          bool: true
-          int: 2
-          string: stringValue
-          version: versionValue
-      capacity:
-        capacityKey: "0"
-    name: nameValue
-  driver: driverValue
-  nodeName: nodeNameValue
-  nodeSelector:
-    nodeSelectorTerms:
-    - matchExpressions:
-      - key: keyValue
-        operator: operatorValue
-        values:
-        - valuesValue
-      matchFields:
-      - key: keyValue
-        operator: operatorValue
-        values:
-        - valuesValue
-  pool:
-    generation: 2
-    name: nameValue
-    resourceSliceCount: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.json
deleted file mode 100644
index f0f993218bc02..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.json
+++ /dev/null
@@ -1,196 +0,0 @@
-{
-  "kind": "ResourceClaim",
-  "apiVersion": "resource.k8s.io/v1beta1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "devices": {
-      "requests": [
-        {
-          "name": "nameValue",
-          "deviceClassName": "deviceClassNameValue",
-          "selectors": [
-            {
-              "cel": {
-                "expression": "expressionValue"
-              }
-            }
-          ],
-          "allocationMode": "allocationModeValue",
-          "count": 5,
-          "adminAccess": true
-        }
-      ],
-      "constraints": [
-        {
-          "requests": [
-            "requestsValue"
-          ],
-          "matchAttribute": "matchAttributeValue"
-        }
-      ],
-      "config": [
-        {
-          "requests": [
-            "requestsValue"
-          ],
-          "opaque": {
-            "driver": "driverValue",
-            "parameters": {
-              "apiVersion": "example.com/v1",
-              "kind": "CustomType",
-              "spec": {
-                "replicas": 1
-              },
-              "status": {
-                "available": 1
-              }
-            }
-          }
-        }
-      ]
-    }
-  },
-  "status": {
-    "allocation": {
-      "devices": {
-        "results": [
-          {
-            "request": "requestValue",
-            "driver": "driverValue",
-            "pool": "poolValue",
-            "device": "deviceValue",
-            "adminAccess": true
-          }
-        ],
-        "config": [
-          {
-            "source": "sourceValue",
-            "requests": [
-              "requestsValue"
-            ],
-            "opaque": {
-              "driver": "driverValue",
-              "parameters": {
-                "apiVersion": "example.com/v1",
-                "kind": "CustomType",
-                "spec": {
-                  "replicas": 1
-                },
-                "status": {
-                  "available": 1
-                }
-              }
-            }
-          }
-        ]
-      },
-      "nodeSelector": {
-        "nodeSelectorTerms": [
-          {
-            "matchExpressions": [
-              {
-                "key": "keyValue",
-                "operator": "operatorValue",
-                "values": [
-                  "valuesValue"
-                ]
-              }
-            ],
-            "matchFields": [
-              {
-                "key": "keyValue",
-                "operator": "operatorValue",
-                "values": [
-                  "valuesValue"
-                ]
-              }
-            ]
-          }
-        ]
-      }
-    },
-    "reservedFor": [
-      {
-        "apiGroup": "apiGroupValue",
-        "resource": "resourceValue",
-        "name": "nameValue",
-        "uid": "uidValue"
-      }
-    ],
-    "devices": [
-      {
-        "driver": "driverValue",
-        "pool": "poolValue",
-        "device": "deviceValue",
-        "conditions": [
-          {
-            "type": "typeValue",
-            "status": "statusValue",
-            "observedGeneration": 3,
-            "lastTransitionTime": "2004-01-01T01:01:01Z",
-            "reason": "reasonValue",
-            "message": "messageValue"
-          }
-        ],
-        "data": {
-          "apiVersion": "example.com/v1",
-          "kind": "CustomType",
-          "spec": {
-            "replicas": 1
-          },
-          "status": {
-            "available": 1
-          }
-        },
-        "networkData": {
-          "interfaceName": "interfaceNameValue",
-          "ips": [
-            "ipsValue"
-          ],
-          "hardwareAddress": "hardwareAddressValue"
-        }
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.pb
deleted file mode 100644
index 9265e325d91c2..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.yaml
deleted file mode 100644
index 71d30617a5631..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaim.yaml
+++ /dev/null
@@ -1,123 +0,0 @@
-apiVersion: resource.k8s.io/v1beta1
-kind: ResourceClaim
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  devices:
-    config:
-    - opaque:
-        driver: driverValue
-        parameters:
-          apiVersion: example.com/v1
-          kind: CustomType
-          spec:
-            replicas: 1
-          status:
-            available: 1
-      requests:
-      - requestsValue
-    constraints:
-    - matchAttribute: matchAttributeValue
-      requests:
-      - requestsValue
-    requests:
-    - adminAccess: true
-      allocationMode: allocationModeValue
-      count: 5
-      deviceClassName: deviceClassNameValue
-      name: nameValue
-      selectors:
-      - cel:
-          expression: expressionValue
-status:
-  allocation:
-    devices:
-      config:
-      - opaque:
-          driver: driverValue
-          parameters:
-            apiVersion: example.com/v1
-            kind: CustomType
-            spec:
-              replicas: 1
-            status:
-              available: 1
-        requests:
-        - requestsValue
-        source: sourceValue
-      results:
-      - adminAccess: true
-        device: deviceValue
-        driver: driverValue
-        pool: poolValue
-        request: requestValue
-    nodeSelector:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: keyValue
-          operator: operatorValue
-          values:
-          - valuesValue
-        matchFields:
-        - key: keyValue
-          operator: operatorValue
-          values:
-          - valuesValue
-  devices:
-  - conditions:
-    - lastTransitionTime: "2004-01-01T01:01:01Z"
-      message: messageValue
-      observedGeneration: 3
-      reason: reasonValue
-      status: statusValue
-      type: typeValue
-    data:
-      apiVersion: example.com/v1
-      kind: CustomType
-      spec:
-        replicas: 1
-      status:
-        available: 1
-    device: deviceValue
-    driver: driverValue
-    networkData:
-      hardwareAddress: hardwareAddressValue
-      interfaceName: interfaceNameValue
-      ips:
-      - ipsValue
-    pool: poolValue
-  reservedFor:
-  - apiGroup: apiGroupValue
-    name: nameValue
-    resource: resourceValue
-    uid: uidValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
deleted file mode 100644
index 9342cb4faa037..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
+++ /dev/null
@@ -1,138 +0,0 @@
-{
-  "kind": "ResourceClaimTemplate",
-  "apiVersion": "resource.k8s.io/v1beta1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "metadata": {
-      "name": "nameValue",
-      "generateName": "generateNameValue",
-      "namespace": "namespaceValue",
-      "selfLink": "selfLinkValue",
-      "uid": "uidValue",
-      "resourceVersion": "resourceVersionValue",
-      "generation": 7,
-      "creationTimestamp": "2008-01-01T01:01:01Z",
-      "deletionTimestamp": "2009-01-01T01:01:01Z",
-      "deletionGracePeriodSeconds": 10,
-      "labels": {
-        "labelsKey": "labelsValue"
-      },
-      "annotations": {
-        "annotationsKey": "annotationsValue"
-      },
-      "ownerReferences": [
-        {
-          "apiVersion": "apiVersionValue",
-          "kind": "kindValue",
-          "name": "nameValue",
-          "uid": "uidValue",
-          "controller": true,
-          "blockOwnerDeletion": true
-        }
-      ],
-      "finalizers": [
-        "finalizersValue"
-      ],
-      "managedFields": [
-        {
-          "manager": "managerValue",
-          "operation": "operationValue",
-          "apiVersion": "apiVersionValue",
-          "time": "2004-01-01T01:01:01Z",
-          "fieldsType": "fieldsTypeValue",
-          "fieldsV1": {},
-          "subresource": "subresourceValue"
-        }
-      ]
-    },
-    "spec": {
-      "devices": {
-        "requests": [
-          {
-            "name": "nameValue",
-            "deviceClassName": "deviceClassNameValue",
-            "selectors": [
-              {
-                "cel": {
-                  "expression": "expressionValue"
-                }
-              }
-            ],
-            "allocationMode": "allocationModeValue",
-            "count": 5,
-            "adminAccess": true
-          }
-        ],
-        "constraints": [
-          {
-            "requests": [
-              "requestsValue"
-            ],
-            "matchAttribute": "matchAttributeValue"
-          }
-        ],
-        "config": [
-          {
-            "requests": [
-              "requestsValue"
-            ],
-            "opaque": {
-              "driver": "driverValue",
-              "parameters": {
-                "apiVersion": "example.com/v1",
-                "kind": "CustomType",
-                "spec": {
-                  "replicas": 1
-                },
-                "status": {
-                  "available": 1
-                }
-              }
-            }
-          }
-        ]
-      }
-    }
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb
deleted file mode 100644
index af0631e6030b6..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
deleted file mode 100644
index 3d2209315d1a1..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-apiVersion: resource.k8s.io/v1beta1
-kind: ResourceClaimTemplate
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  metadata:
-    annotations:
-      annotationsKey: annotationsValue
-    creationTimestamp: "2008-01-01T01:01:01Z"
-    deletionGracePeriodSeconds: 10
-    deletionTimestamp: "2009-01-01T01:01:01Z"
-    finalizers:
-    - finalizersValue
-    generateName: generateNameValue
-    generation: 7
-    labels:
-      labelsKey: labelsValue
-    managedFields:
-    - apiVersion: apiVersionValue
-      fieldsType: fieldsTypeValue
-      fieldsV1: {}
-      manager: managerValue
-      operation: operationValue
-      subresource: subresourceValue
-      time: "2004-01-01T01:01:01Z"
-    name: nameValue
-    namespace: namespaceValue
-    ownerReferences:
-    - apiVersion: apiVersionValue
-      blockOwnerDeletion: true
-      controller: true
-      kind: kindValue
-      name: nameValue
-      uid: uidValue
-    resourceVersion: resourceVersionValue
-    selfLink: selfLinkValue
-    uid: uidValue
-  spec:
-    devices:
-      config:
-      - opaque:
-          driver: driverValue
-          parameters:
-            apiVersion: example.com/v1
-            kind: CustomType
-            spec:
-              replicas: 1
-            status:
-              available: 1
-        requests:
-        - requestsValue
-      constraints:
-      - matchAttribute: matchAttributeValue
-        requests:
-        - requestsValue
-      requests:
-      - adminAccess: true
-        allocationMode: allocationModeValue
-        count: 5
-        deviceClassName: deviceClassNameValue
-        name: nameValue
-        selectors:
-        - cel:
-            expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.json b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.json
deleted file mode 100644
index 06b650026d802..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.json
+++ /dev/null
@@ -1,100 +0,0 @@
-{
-  "kind": "ResourceSlice",
-  "apiVersion": "resource.k8s.io/v1beta1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "driver": "driverValue",
-    "pool": {
-      "name": "nameValue",
-      "generation": 2,
-      "resourceSliceCount": 3
-    },
-    "nodeName": "nodeNameValue",
-    "nodeSelector": {
-      "nodeSelectorTerms": [
-        {
-          "matchExpressions": [
-            {
-              "key": "keyValue",
-              "operator": "operatorValue",
-              "values": [
-                "valuesValue"
-              ]
-            }
-          ],
-          "matchFields": [
-            {
-              "key": "keyValue",
-              "operator": "operatorValue",
-              "values": [
-                "valuesValue"
-              ]
-            }
-          ]
-        }
-      ]
-    },
-    "allNodes": true,
-    "devices": [
-      {
-        "name": "nameValue",
-        "basic": {
-          "attributes": {
-            "attributesKey": {
-              "int": 2,
-              "bool": true,
-              "string": "stringValue",
-              "version": "versionValue"
-            }
-          },
-          "capacity": {
-            "capacityKey": {
-              "value": "0"
-            }
-          }
-        }
-      }
-    ]
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.pb
deleted file mode 100644
index 3f467050c4462..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.yaml
deleted file mode 100644
index f4515c37df694..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.ResourceSlice.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: resource.k8s.io/v1beta1
-kind: ResourceSlice
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  allNodes: true
-  devices:
-  - basic:
-      attributes:
-        attributesKey:
-          bool: true
-          int: 2
-          string: stringValue
-          version: versionValue
-      capacity:
-        capacityKey:
-          value: "0"
-    name: nameValue
-  driver: driverValue
-  nodeName: nodeNameValue
-  nodeSelector:
-    nodeSelectorTerms:
-    - matchExpressions:
-      - key: keyValue
-        operator: operatorValue
-        values:
-        - valuesValue
-      matchFields:
-      - key: keyValue
-        operator: operatorValue
-        values:
-        - valuesValue
-  pool:
-    generation: 2
-    name: nameValue
-    resourceSliceCount: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.pb
deleted file mode 100644
index 6b6621c28b86b..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.pb
deleted file mode 100644
index 17b4b4a0a4635..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json b/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
deleted file mode 100644
index 77ce9bf4513d4..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  "kind": "StorageVersionMigration",
-  "apiVersion": "storagemigration.k8s.io/v1alpha1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "resource": {
-      "group": "groupValue",
-      "version": "versionValue",
-      "resource": "resourceValue"
-    },
-    "continueToken": "continueTokenValue"
-  },
-  "status": {
-    "conditions": [
-      {
-        "type": "typeValue",
-        "status": "statusValue",
-        "lastUpdateTime": "2003-01-01T01:01:01Z",
-        "reason": "reasonValue",
-        "message": "messageValue"
-      }
-    ],
-    "resourceVersion": "resourceVersionValue"
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb b/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb
deleted file mode 100644
index 59b8eca2ec5cd..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml b/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
deleted file mode 100644
index 577d619c12625..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: storagemigration.k8s.io/v1alpha1
-kind: StorageVersionMigration
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  continueToken: continueTokenValue
-  resource:
-    group: groupValue
-    resource: resourceValue
-    version: versionValue
-status:
-  conditions:
-  - lastUpdateTime: "2003-01-01T01:01:01Z"
-    message: messageValue
-    reason: reasonValue
-    status: statusValue
-    type: typeValue
-  resourceVersion: resourceVersionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json
new file mode 100644
index 0000000000000..55fd38b03b6c2
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json
@@ -0,0 +1,60 @@
+{
+  "kind": "DeviceTaintRule",
+  "apiVersion": "resource.k8s.io/v1alpha3",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "deviceSelector": {
+      "driver": "driverValue",
+      "pool": "poolValue",
+      "device": "deviceValue"
+    },
+    "taint": {
+      "key": "keyValue",
+      "value": "valueValue",
+      "effect": "effectValue",
+      "timeAdded": "2004-01-01T01:01:01Z"
+    }
+  },
+  "status": {}
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb
new file mode 100644
index 0000000000000..ff8debd3e4d20
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml
new file mode 100644
index 0000000000000..78823c8e90bce
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.33.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml
@@ -0,0 +1,45 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  deviceSelector:
+    device: deviceValue
+    driver: driverValue
+    pool: poolValue
+  taint:
+    effect: effectValue
+    key: keyValue
+    timeAdded: "2004-01-01T01:01:01Z"
+    value: valueValue
+status: {}
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json b/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
deleted file mode 100644
index 77ce9bf4513d4..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.json
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  "kind": "StorageVersionMigration",
-  "apiVersion": "storagemigration.k8s.io/v1alpha1",
-  "metadata": {
-    "name": "nameValue",
-    "generateName": "generateNameValue",
-    "namespace": "namespaceValue",
-    "selfLink": "selfLinkValue",
-    "uid": "uidValue",
-    "resourceVersion": "resourceVersionValue",
-    "generation": 7,
-    "creationTimestamp": "2008-01-01T01:01:01Z",
-    "deletionTimestamp": "2009-01-01T01:01:01Z",
-    "deletionGracePeriodSeconds": 10,
-    "labels": {
-      "labelsKey": "labelsValue"
-    },
-    "annotations": {
-      "annotationsKey": "annotationsValue"
-    },
-    "ownerReferences": [
-      {
-        "apiVersion": "apiVersionValue",
-        "kind": "kindValue",
-        "name": "nameValue",
-        "uid": "uidValue",
-        "controller": true,
-        "blockOwnerDeletion": true
-      }
-    ],
-    "finalizers": [
-      "finalizersValue"
-    ],
-    "managedFields": [
-      {
-        "manager": "managerValue",
-        "operation": "operationValue",
-        "apiVersion": "apiVersionValue",
-        "time": "2004-01-01T01:01:01Z",
-        "fieldsType": "fieldsTypeValue",
-        "fieldsV1": {},
-        "subresource": "subresourceValue"
-      }
-    ]
-  },
-  "spec": {
-    "resource": {
-      "group": "groupValue",
-      "version": "versionValue",
-      "resource": "resourceValue"
-    },
-    "continueToken": "continueTokenValue"
-  },
-  "status": {
-    "conditions": [
-      {
-        "type": "typeValue",
-        "status": "statusValue",
-        "lastUpdateTime": "2003-01-01T01:01:01Z",
-        "reason": "reasonValue",
-        "message": "messageValue"
-      }
-    ],
-    "resourceVersion": "resourceVersionValue"
-  }
-}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb b/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb
deleted file mode 100644
index 59b8eca2ec5cd..0000000000000
Binary files a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.pb and /dev/null differ
diff --git a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml b/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
deleted file mode 100644
index 577d619c12625..0000000000000
--- a/staging/src/k8s.io/api/testdata/v1.33.0/storagemigration.k8s.io.v1alpha1.StorageVersionMigration.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: storagemigration.k8s.io/v1alpha1
-kind: StorageVersionMigration
-metadata:
-  annotations:
-    annotationsKey: annotationsValue
-  creationTimestamp: "2008-01-01T01:01:01Z"
-  deletionGracePeriodSeconds: 10
-  deletionTimestamp: "2009-01-01T01:01:01Z"
-  finalizers:
-  - finalizersValue
-  generateName: generateNameValue
-  generation: 7
-  labels:
-    labelsKey: labelsValue
-  managedFields:
-  - apiVersion: apiVersionValue
-    fieldsType: fieldsTypeValue
-    fieldsV1: {}
-    manager: managerValue
-    operation: operationValue
-    subresource: subresourceValue
-    time: "2004-01-01T01:01:01Z"
-  name: nameValue
-  namespace: namespaceValue
-  ownerReferences:
-  - apiVersion: apiVersionValue
-    blockOwnerDeletion: true
-    controller: true
-    kind: kindValue
-    name: nameValue
-    uid: uidValue
-  resourceVersion: resourceVersionValue
-  selfLink: selfLinkValue
-  uid: uidValue
-spec:
-  continueToken: continueTokenValue
-  resource:
-    group: groupValue
-    resource: resourceValue
-    version: versionValue
-status:
-  conditions:
-  - lastUpdateTime: "2003-01-01T01:01:01Z"
-    message: messageValue
-    reason: reasonValue
-    status: statusValue
-    type: typeValue
-  resourceVersion: resourceVersionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1.AdmissionReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1.AdmissionReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admission.k8s.io.v1beta1.AdmissionReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admission.k8s.io.v1beta1.AdmissionReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.MutatingWebhookConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingAdmissionPolicyBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1.ValidatingWebhookConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.MutatingAdmissionPolicyBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1alpha1.ValidatingAdmissionPolicyBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.json
new file mode 100644
index 0000000000000..937fa114f5ffa
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.json
@@ -0,0 +1,148 @@
+{
+  "kind": "MutatingAdmissionPolicy",
+  "apiVersion": "admissionregistration.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "paramKind": {
+      "apiVersion": "apiVersionValue",
+      "kind": "kindValue"
+    },
+    "matchConstraints": {
+      "namespaceSelector": {
+        "matchLabels": {
+          "matchLabelsKey": "matchLabelsValue"
+        },
+        "matchExpressions": [
+          {
+            "key": "keyValue",
+            "operator": "operatorValue",
+            "values": [
+              "valuesValue"
+            ]
+          }
+        ]
+      },
+      "objectSelector": {
+        "matchLabels": {
+          "matchLabelsKey": "matchLabelsValue"
+        },
+        "matchExpressions": [
+          {
+            "key": "keyValue",
+            "operator": "operatorValue",
+            "values": [
+              "valuesValue"
+            ]
+          }
+        ]
+      },
+      "resourceRules": [
+        {
+          "resourceNames": [
+            "resourceNamesValue"
+          ],
+          "operations": [
+            "operationsValue"
+          ],
+          "apiGroups": [
+            "apiGroupsValue"
+          ],
+          "apiVersions": [
+            "apiVersionsValue"
+          ],
+          "resources": [
+            "resourcesValue"
+          ],
+          "scope": "scopeValue"
+        }
+      ],
+      "excludeResourceRules": [
+        {
+          "resourceNames": [
+            "resourceNamesValue"
+          ],
+          "operations": [
+            "operationsValue"
+          ],
+          "apiGroups": [
+            "apiGroupsValue"
+          ],
+          "apiVersions": [
+            "apiVersionsValue"
+          ],
+          "resources": [
+            "resourcesValue"
+          ],
+          "scope": "scopeValue"
+        }
+      ],
+      "matchPolicy": "matchPolicyValue"
+    },
+    "variables": [
+      {
+        "name": "nameValue",
+        "expression": "expressionValue"
+      }
+    ],
+    "mutations": [
+      {
+        "patchType": "patchTypeValue",
+        "applyConfiguration": {
+          "expression": "expressionValue"
+        },
+        "jsonPatch": {
+          "expression": "expressionValue"
+        }
+      }
+    ],
+    "failurePolicy": "failurePolicyValue",
+    "matchConditions": [
+      {
+        "name": "nameValue",
+        "expression": "expressionValue"
+      }
+    ],
+    "reinvocationPolicy": "reinvocationPolicyValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.pb
new file mode 100644
index 0000000000000..34793ae99580c
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.yaml
new file mode 100644
index 0000000000000..c32d9a29a5f11
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicy.yaml
@@ -0,0 +1,94 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingAdmissionPolicy
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  failurePolicy: failurePolicyValue
+  matchConditions:
+  - expression: expressionValue
+    name: nameValue
+  matchConstraints:
+    excludeResourceRules:
+    - apiGroups:
+      - apiGroupsValue
+      apiVersions:
+      - apiVersionsValue
+      operations:
+      - operationsValue
+      resourceNames:
+      - resourceNamesValue
+      resources:
+      - resourcesValue
+      scope: scopeValue
+    matchPolicy: matchPolicyValue
+    namespaceSelector:
+      matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchLabels:
+        matchLabelsKey: matchLabelsValue
+    objectSelector:
+      matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchLabels:
+        matchLabelsKey: matchLabelsValue
+    resourceRules:
+    - apiGroups:
+      - apiGroupsValue
+      apiVersions:
+      - apiVersionsValue
+      operations:
+      - operationsValue
+      resourceNames:
+      - resourceNamesValue
+      resources:
+      - resourcesValue
+      scope: scopeValue
+  mutations:
+  - applyConfiguration:
+      expression: expressionValue
+    jsonPatch:
+      expression: expressionValue
+    patchType: patchTypeValue
+  paramKind:
+    apiVersion: apiVersionValue
+    kind: kindValue
+  reinvocationPolicy: reinvocationPolicyValue
+  variables:
+  - expression: expressionValue
+    name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.json
new file mode 100644
index 0000000000000..70fb8eb402dcd
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.json
@@ -0,0 +1,139 @@
+{
+  "kind": "MutatingAdmissionPolicyBinding",
+  "apiVersion": "admissionregistration.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "policyName": "policyNameValue",
+    "paramRef": {
+      "name": "nameValue",
+      "namespace": "namespaceValue",
+      "selector": {
+        "matchLabels": {
+          "matchLabelsKey": "matchLabelsValue"
+        },
+        "matchExpressions": [
+          {
+            "key": "keyValue",
+            "operator": "operatorValue",
+            "values": [
+              "valuesValue"
+            ]
+          }
+        ]
+      },
+      "parameterNotFoundAction": "parameterNotFoundActionValue"
+    },
+    "matchResources": {
+      "namespaceSelector": {
+        "matchLabels": {
+          "matchLabelsKey": "matchLabelsValue"
+        },
+        "matchExpressions": [
+          {
+            "key": "keyValue",
+            "operator": "operatorValue",
+            "values": [
+              "valuesValue"
+            ]
+          }
+        ]
+      },
+      "objectSelector": {
+        "matchLabels": {
+          "matchLabelsKey": "matchLabelsValue"
+        },
+        "matchExpressions": [
+          {
+            "key": "keyValue",
+            "operator": "operatorValue",
+            "values": [
+              "valuesValue"
+            ]
+          }
+        ]
+      },
+      "resourceRules": [
+        {
+          "resourceNames": [
+            "resourceNamesValue"
+          ],
+          "operations": [
+            "operationsValue"
+          ],
+          "apiGroups": [
+            "apiGroupsValue"
+          ],
+          "apiVersions": [
+            "apiVersionsValue"
+          ],
+          "resources": [
+            "resourcesValue"
+          ],
+          "scope": "scopeValue"
+        }
+      ],
+      "excludeResourceRules": [
+        {
+          "resourceNames": [
+            "resourceNamesValue"
+          ],
+          "operations": [
+            "operationsValue"
+          ],
+          "apiGroups": [
+            "apiGroupsValue"
+          ],
+          "apiVersions": [
+            "apiVersionsValue"
+          ],
+          "resources": [
+            "resourcesValue"
+          ],
+          "scope": "scopeValue"
+        }
+      ],
+      "matchPolicy": "matchPolicyValue"
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.pb
new file mode 100644
index 0000000000000..2297f5ce744dd
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.yaml
new file mode 100644
index 0000000000000..e14c99958938b
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingAdmissionPolicyBinding.yaml
@@ -0,0 +1,90 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  matchResources:
+    excludeResourceRules:
+    - apiGroups:
+      - apiGroupsValue
+      apiVersions:
+      - apiVersionsValue
+      operations:
+      - operationsValue
+      resourceNames:
+      - resourceNamesValue
+      resources:
+      - resourcesValue
+      scope: scopeValue
+    matchPolicy: matchPolicyValue
+    namespaceSelector:
+      matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchLabels:
+        matchLabelsKey: matchLabelsValue
+    objectSelector:
+      matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchLabels:
+        matchLabelsKey: matchLabelsValue
+    resourceRules:
+    - apiGroups:
+      - apiGroupsValue
+      apiVersions:
+      - apiVersionsValue
+      operations:
+      - operationsValue
+      resourceNames:
+      - resourceNamesValue
+      resources:
+      - resourcesValue
+      scope: scopeValue
+  paramRef:
+    name: nameValue
+    namespace: namespaceValue
+    parameterNotFoundAction: parameterNotFoundActionValue
+    selector:
+      matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchLabels:
+        matchLabelsKey: matchLabelsValue
+  policyName: policyNameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.MutatingWebhookConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingAdmissionPolicyBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/admissionregistration.k8s.io.v1beta1.ValidatingWebhookConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.json b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2.APIGroupDiscovery.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.json b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apidiscovery.k8s.io.v2beta1.APIGroupDiscovery.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ControllerRevision.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ControllerRevision.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.json
index 433aa5674064c..6d0dcb9035de6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.json
@@ -360,6 +360,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -554,6 +562,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -579,6 +593,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -747,7 +772,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -850,6 +876,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -875,6 +907,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1043,7 +1086,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1146,6 +1190,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1171,6 +1221,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1339,7 +1400,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1780,7 +1842,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.pb
index b9aaa8c0cfdd7..5ce7c1d6fa7b3 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.yaml
index cf27e24793bd0..1180b32af982e 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.DaemonSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.json
index 6e68ee719130f..d2a93e6cc9a91 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "strategy": {
@@ -1803,6 +1866,7 @@
     "readyReplicas": 7,
     "availableReplicas": 4,
     "unavailableReplicas": 5,
+    "terminatingReplicas": 9,
     "conditions": [
       {
         "type": "typeValue",
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.pb
index e51e1c32335c3..1cde4fc61f19b 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.yaml
index 8952251956633..558ece9a5a776 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.Deployment.yaml
@@ -232,6 +232,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -285,6 +290,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -352,6 +358,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -448,6 +460,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -501,6 +518,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -568,6 +586,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -648,6 +672,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -666,6 +691,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -719,6 +749,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -786,6 +817,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1170,6 +1207,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1244,5 +1288,6 @@ status:
   observedGeneration: 1
   readyReplicas: 7
   replicas: 2
+  terminatingReplicas: 9
   unavailableReplicas: 5
   updatedReplicas: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.json
index a9dfb08a3224d..6b2ef0f61af3e 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.json
@@ -362,6 +362,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -556,6 +564,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -581,6 +595,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -749,7 +774,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -852,6 +878,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -877,6 +909,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1045,7 +1088,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1148,6 +1192,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1173,6 +1223,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1341,7 +1402,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1782,7 +1844,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     }
   },
@@ -1791,6 +1854,7 @@
     "fullyLabeledReplicas": 2,
     "readyReplicas": 4,
     "availableReplicas": 5,
+    "terminatingReplicas": 7,
     "observedGeneration": 3,
     "conditions": [
       {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.pb
index a5ff7dd066d0d..21dce4311f643 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.yaml
index 42fba0088fda1..9939c9cdd25e5 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.ReplicaSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1235,3 +1279,4 @@ status:
   observedGeneration: 3
   readyReplicas: 4
   replicas: 1
+  terminatingReplicas: 7
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.json
index d72a8ead26141..0158c869ecf35 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.pb
similarity index 85%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.pb
index 070fc0a6c6e28..080ea19af8787 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.yaml
index ce0f847f4c9ab..052f5013f71b6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1.StatefulSet.yaml
@@ -232,6 +232,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -285,6 +290,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -352,6 +358,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -448,6 +460,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -501,6 +518,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -568,6 +586,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -648,6 +672,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -666,6 +691,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -719,6 +749,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -786,6 +817,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1170,6 +1207,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.ControllerRevision.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.ControllerRevision.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.json
index 715007f246f94..44a1fa56abcab 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "strategy": {
@@ -1806,6 +1869,7 @@
     "readyReplicas": 7,
     "availableReplicas": 4,
     "unavailableReplicas": 5,
+    "terminatingReplicas": 9,
     "conditions": [
       {
         "type": "typeValue",
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.pb
index 4ea65f9027edb..45a8516719012 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.yaml
index 10b6d3d87cf1a..69f5ebcbe91ab 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Deployment.yaml
@@ -234,6 +234,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -287,6 +292,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -354,6 +360,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -450,6 +462,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -503,6 +520,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -570,6 +588,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -650,6 +674,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -668,6 +693,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -721,6 +751,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -788,6 +819,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1172,6 +1209,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1246,5 +1290,6 @@ status:
   observedGeneration: 1
   readyReplicas: 7
   replicas: 2
+  terminatingReplicas: 9
   unavailableReplicas: 5
   updatedReplicas: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.DeploymentRollback.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.DeploymentRollback.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.Scale.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.Scale.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.json
index 78802d9ddc496..2952aff2de268 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.pb
similarity index 85%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.pb
index 6525f9a3d8b05..f531b98d8331c 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.yaml
index aa3096aeec20e..6362cf5a04a50 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta1.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta1.StatefulSet.yaml
@@ -232,6 +232,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -285,6 +290,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -352,6 +358,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -448,6 +460,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -501,6 +518,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -568,6 +586,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -648,6 +672,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -666,6 +691,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -719,6 +749,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -786,6 +817,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1170,6 +1207,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ControllerRevision.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ControllerRevision.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.json
index 4e74dd3716dbe..f018c09bb142a 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.json
@@ -360,6 +360,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -554,6 +562,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -579,6 +593,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -747,7 +772,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -850,6 +876,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -875,6 +907,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1043,7 +1086,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1146,6 +1190,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1171,6 +1221,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1339,7 +1400,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1780,7 +1842,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.pb
index f7f0a63e26c58..666b353abfba8 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.yaml
index 040450a2f10f8..2481149fcade6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.DaemonSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.json
index 4b0e0e3e50278..cf90eceac494b 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "strategy": {
@@ -1803,6 +1866,7 @@
     "readyReplicas": 7,
     "availableReplicas": 4,
     "unavailableReplicas": 5,
+    "terminatingReplicas": 9,
     "conditions": [
       {
         "type": "typeValue",
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.pb
index f46ae2c4c8d34..4dcc3e56a9c63 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.yaml
index 0ae783fea37cd..8eba35a2b83c8 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Deployment.yaml
@@ -232,6 +232,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -285,6 +290,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -352,6 +358,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -448,6 +460,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -501,6 +518,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -568,6 +586,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -648,6 +672,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -666,6 +691,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -719,6 +749,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -786,6 +817,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1170,6 +1207,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1244,5 +1288,6 @@ status:
   observedGeneration: 1
   readyReplicas: 7
   replicas: 2
+  terminatingReplicas: 9
   unavailableReplicas: 5
   updatedReplicas: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.json
index ccd899cc25962..53d19e86b0b5a 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.json
@@ -362,6 +362,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -556,6 +564,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -581,6 +595,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -749,7 +774,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -852,6 +878,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -877,6 +909,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1045,7 +1088,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1148,6 +1192,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1173,6 +1223,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1341,7 +1402,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1782,7 +1844,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     }
   },
@@ -1791,6 +1854,7 @@
     "fullyLabeledReplicas": 2,
     "readyReplicas": 4,
     "availableReplicas": 5,
+    "terminatingReplicas": 7,
     "observedGeneration": 3,
     "conditions": [
       {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.pb
index b069aa0705ace..8d1be4d0b5630 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.yaml
index 4e4211c1da7d4..1cf516f35cc9b 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.ReplicaSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1235,3 +1279,4 @@ status:
   observedGeneration: 3
   readyReplicas: 4
   replicas: 1
+  terminatingReplicas: 7
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.Scale.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.Scale.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.json
index d3f43b082b407..f281b75d16364 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "volumeClaimTemplates": [
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.pb
similarity index 85%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.pb
index f4bd66e9e7267..840dcc0a21f43 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.yaml
index 9f6105ed55b80..726b114d7a2ff 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/apps.v1beta2.StatefulSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/apps.v1beta2.StatefulSet.yaml
@@ -232,6 +232,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -285,6 +290,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -352,6 +358,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -448,6 +460,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -501,6 +518,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -568,6 +586,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -648,6 +672,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -666,6 +691,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -719,6 +749,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -786,6 +817,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1170,6 +1207,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.SelfSubjectReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.SelfSubjectReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.json b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenRequest.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenRequest.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1.TokenReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1.TokenReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.SelfSubjectReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.SelfSubjectReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authentication.k8s.io.v1beta1.TokenReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authentication.k8s.io.v1beta1.TokenReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.LocalSubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.LocalSubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SelfSubjectRulesReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SelfSubjectRulesReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1.SubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1.SubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.LocalSubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SelfSubjectRulesReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/authorization.k8s.io.v1beta1.SubjectAccessReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/authorization.k8s.io.v1beta1.SubjectAccessReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.json b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.pb b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.HorizontalPodAutoscaler.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.HorizontalPodAutoscaler.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.json b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.pb b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v1.Scale.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v1.Scale.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.json b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.json
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.json
index f03e36623e879..4bc9fceaf70fd 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.json
@@ -165,7 +165,8 @@
             "value": 2,
             "periodSeconds": 3
           }
-        ]
+        ],
+        "tolerance": "0"
       },
       "scaleDown": {
         "stabilizationWindowSeconds": 3,
@@ -176,7 +177,8 @@
             "value": 2,
             "periodSeconds": 3
           }
-        ]
+        ],
+        "tolerance": "0"
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.pb b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.pb
similarity index 89%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.pb
index 3d1507519883e..0d57f89ae3c65 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.yaml
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.yaml
index 78ce5ba9136a3..463936eeba013 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2.HorizontalPodAutoscaler.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2.HorizontalPodAutoscaler.yaml
@@ -41,6 +41,7 @@ spec:
         value: 2
       selectPolicy: selectPolicyValue
       stabilizationWindowSeconds: 3
+      tolerance: "0"
     scaleUp:
       policies:
       - periodSeconds: 3
@@ -48,6 +49,7 @@ spec:
         value: 2
       selectPolicy: selectPolicyValue
       stabilizationWindowSeconds: 3
+      tolerance: "0"
   maxReplicas: 3
   metrics:
   - containerResource:
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.json b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.pb b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta1.HorizontalPodAutoscaler.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta1.HorizontalPodAutoscaler.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.json b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.pb b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/autoscaling.v2beta2.HorizontalPodAutoscaler.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/autoscaling.v2beta2.HorizontalPodAutoscaler.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.json b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.json
index cb46e57e4455c..f6aafb1835bea 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.json
@@ -444,6 +444,14 @@
                         },
                         "optional": true,
                         "path": "pathValue"
+                      },
+                      "podCertificate": {
+                        "signerName": "signerNameValue",
+                        "keyType": "keyTypeValue",
+                        "maxExpirationSeconds": 3,
+                        "credentialBundlePath": "credentialBundlePathValue",
+                        "keyPath": "keyPathValue",
+                        "certificateChainPath": "certificateChainPathValue"
                       }
                     }
                   ],
@@ -638,6 +646,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -663,6 +677,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -831,7 +856,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -934,6 +960,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -959,6 +991,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -1127,7 +1170,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1230,6 +1274,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -1255,6 +1305,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -1423,7 +1484,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1864,7 +1926,8 @@
                   "request": "requestValue"
                 }
               ]
-            }
+            },
+            "hostnameOverride": "hostnameOverrideValue"
           }
         },
         "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.pb b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.pb
index ff6c0f89782c1..4889e68bcc8f3 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.yaml
index 773dce02c6676..cf1b872a50c8b 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.CronJob.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.CronJob.yaml
@@ -284,6 +284,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -337,6 +342,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -404,6 +410,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -500,6 +512,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -553,6 +570,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -620,6 +638,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -700,6 +724,7 @@ spec:
           hostPID: true
           hostUsers: true
           hostname: hostnameValue
+          hostnameOverride: hostnameOverrideValue
           imagePullSecrets:
           - name: nameValue
           initContainers:
@@ -718,6 +743,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -771,6 +801,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -838,6 +869,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -1222,6 +1259,13 @@ spec:
                       containerName: containerNameValue
                       divisor: "0"
                       resource: resourceValue
+                podCertificate:
+                  certificateChainPath: certificateChainPathValue
+                  credentialBundlePath: credentialBundlePathValue
+                  keyPath: keyPathValue
+                  keyType: keyTypeValue
+                  maxExpirationSeconds: 3
+                  signerName: signerNameValue
                 secret:
                   items:
                   - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.json b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.json
index ce6f5c104110d..8996a2246df45 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.json
@@ -395,6 +395,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -589,6 +597,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -614,6 +628,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -782,7 +807,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -885,6 +911,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -910,6 +942,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1078,7 +1121,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1181,6 +1225,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1206,6 +1256,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1374,7 +1435,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1815,7 +1877,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.pb b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.pb
index 0ea948f1f7279..5395e9eddb5ce 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.yaml
index b5c1219e2b08a..301e24af34f5d 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1.Job.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1.Job.yaml
@@ -248,6 +248,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -301,6 +306,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -368,6 +374,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -464,6 +476,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -517,6 +534,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -584,6 +602,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -664,6 +688,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -682,6 +707,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -735,6 +765,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -802,6 +833,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1186,6 +1223,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.json b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.json
index 4b1b0704bbb9d..dc6ace974dce6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.json
@@ -444,6 +444,14 @@
                         },
                         "optional": true,
                         "path": "pathValue"
+                      },
+                      "podCertificate": {
+                        "signerName": "signerNameValue",
+                        "keyType": "keyTypeValue",
+                        "maxExpirationSeconds": 3,
+                        "credentialBundlePath": "credentialBundlePathValue",
+                        "keyPath": "keyPathValue",
+                        "certificateChainPath": "certificateChainPathValue"
                       }
                     }
                   ],
@@ -638,6 +646,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -663,6 +677,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -831,7 +856,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -934,6 +960,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -959,6 +991,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -1127,7 +1170,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1230,6 +1274,12 @@
                         "name": "nameValue",
                         "key": "keyValue",
                         "optional": true
+                      },
+                      "fileKeyRef": {
+                        "volumeName": "volumeNameValue",
+                        "path": "pathValue",
+                        "key": "keyValue",
+                        "optional": true
                       }
                     }
                   }
@@ -1255,6 +1305,17 @@
                   }
                 ],
                 "restartPolicy": "restartPolicyValue",
+                "restartPolicyRules": [
+                  {
+                    "action": "actionValue",
+                    "exitCodes": {
+                      "operator": "operatorValue",
+                      "values": [
+                        2
+                      ]
+                    }
+                  }
+                ],
                 "volumeMounts": [
                   {
                     "name": "nameValue",
@@ -1423,7 +1484,8 @@
                     "sleep": {
                       "seconds": 1
                     }
-                  }
+                  },
+                  "stopSignal": "stopSignalValue"
                 },
                 "terminationMessagePath": "terminationMessagePathValue",
                 "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1864,7 +1926,8 @@
                   "request": "requestValue"
                 }
               ]
-            }
+            },
+            "hostnameOverride": "hostnameOverrideValue"
           }
         },
         "ttlSecondsAfterFinished": 8,
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.pb b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.pb
index abe891dbe0f49..a6776263a4dc2 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.yaml
index 2a6e4e78b6e74..90eb8120b3ff8 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/batch.v1beta1.CronJob.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/batch.v1beta1.CronJob.yaml
@@ -284,6 +284,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -337,6 +342,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -404,6 +410,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -500,6 +512,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -553,6 +570,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -620,6 +638,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -700,6 +724,7 @@ spec:
           hostPID: true
           hostUsers: true
           hostname: hostnameValue
+          hostnameOverride: hostnameOverrideValue
           imagePullSecrets:
           - name: nameValue
           initContainers:
@@ -718,6 +743,11 @@ spec:
                 fieldRef:
                   apiVersion: apiVersionValue
                   fieldPath: fieldPathValue
+                fileKeyRef:
+                  key: keyValue
+                  optional: true
+                  path: pathValue
+                  volumeName: volumeNameValue
                 resourceFieldRef:
                   containerName: containerNameValue
                   divisor: "0"
@@ -771,6 +801,7 @@ spec:
                 tcpSocket:
                   host: hostValue
                   port: portValue
+              stopSignal: stopSignalValue
             livenessProbe:
               exec:
                 command:
@@ -838,6 +869,12 @@ spec:
               requests:
                 requestsKey: "0"
             restartPolicy: restartPolicyValue
+            restartPolicyRules:
+            - action: actionValue
+              exitCodes:
+                operator: operatorValue
+                values:
+                - 2
             securityContext:
               allowPrivilegeEscalation: true
               appArmorProfile:
@@ -1222,6 +1259,13 @@ spec:
                       containerName: containerNameValue
                       divisor: "0"
                       resource: resourceValue
+                podCertificate:
+                  certificateChainPath: certificateChainPathValue
+                  credentialBundlePath: credentialBundlePathValue
+                  keyPath: keyPathValue
+                  keyType: keyTypeValue
+                  maxExpirationSeconds: 3
+                  signerName: signerNameValue
                 secret:
                   items:
                   - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.json b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.pb b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1.CertificateSigningRequest.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1.CertificateSigningRequest.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.json b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.pb b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.ClusterTrustBundle.yaml
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.json b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.json
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.pb b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.pb
diff --git a/staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/HEAD/certificates.k8s.io.v1alpha1.PodCertificateRequest.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1alpha1.PodCertificateRequest.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.json b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.pb b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.CertificateSigningRequest.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.json b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.json
new file mode 100644
index 0000000000000..d578d21e89adb
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.json
@@ -0,0 +1,50 @@
+{
+  "kind": "ClusterTrustBundle",
+  "apiVersion": "certificates.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "signerName": "signerNameValue",
+    "trustBundle": "trustBundleValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.pb b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.pb
new file mode 100644
index 0000000000000..1b405ba9d8824
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.yaml
new file mode 100644
index 0000000000000..8102689219020
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/certificates.k8s.io.v1beta1.ClusterTrustBundle.yaml
@@ -0,0 +1,37 @@
+apiVersion: certificates.k8s.io/v1beta1
+kind: ClusterTrustBundle
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  signerName: signerNameValue
+  trustBundle: trustBundleValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.json b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.pb b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1.Lease.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1.Lease.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.json b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1alpha2.LeaseCandidate.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1alpha2.LeaseCandidate.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.json b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.pb b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/coordination.k8s.io.v1beta1.Lease.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.Lease.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.json b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.json
new file mode 100644
index 0000000000000..42baac728a09c
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.json
@@ -0,0 +1,54 @@
+{
+  "kind": "LeaseCandidate",
+  "apiVersion": "coordination.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "leaseName": "leaseNameValue",
+    "pingTime": "2002-01-01T01:01:01.000002Z",
+    "renewTime": "2003-01-01T01:01:01.000003Z",
+    "binaryVersion": "binaryVersionValue",
+    "emulationVersion": "emulationVersionValue",
+    "strategy": "strategyValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.pb
new file mode 100644
index 0000000000000..a72e9476af735
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.yaml
new file mode 100644
index 0000000000000..bc2e58690dcee
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/coordination.k8s.io.v1beta1.LeaseCandidate.yaml
@@ -0,0 +1,41 @@
+apiVersion: coordination.k8s.io/v1beta1
+kind: LeaseCandidate
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  binaryVersion: binaryVersionValue
+  emulationVersion: emulationVersionValue
+  leaseName: leaseNameValue
+  pingTime: "2002-01-01T01:01:01.000002Z"
+  renewTime: "2003-01-01T01:01:01.000003Z"
+  strategy: strategyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIGroup.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIGroup.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.APIVersions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.APIVersions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Binding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Binding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ComponentStatus.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ComponentStatus.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ConfigMap.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ConfigMap.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.CreateOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.CreateOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.DeleteOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.DeleteOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Endpoints.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Endpoints.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Event.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Event.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.GetOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.GetOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.LimitRange.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.LimitRange.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ListOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ListOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Namespace.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Namespace.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.json
similarity index 97%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.json
index fcdcb34979e84..81dae37e4c40d 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.json
@@ -108,7 +108,10 @@
       "kubeletVersion": "kubeletVersionValue",
       "kubeProxyVersion": "kubeProxyVersionValue",
       "operatingSystem": "operatingSystemValue",
-      "architecture": "architectureValue"
+      "architecture": "architectureValue",
+      "swap": {
+        "capacity": 1
+      }
     },
     "images": [
       {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.pb
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.pb
index 27820021d0baf..86cc18929fa4a 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.yaml
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.yaml
index 1d10847dfe8bb..0d2da7a4bb9ef 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Node.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Node.yaml
@@ -108,6 +108,8 @@ status:
     machineID: machineIDValue
     operatingSystem: operatingSystemValue
     osImage: osImageValue
+    swap:
+      capacity: 1
     systemUUID: systemUUIDValue
   phase: phaseValue
   runtimeHandlers:
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.NodeProxyOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.NodeProxyOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PatchOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PatchOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolume.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolume.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PersistentVolumeClaim.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PersistentVolumeClaim.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.json
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.json
index aedd4a22dc09d..2badc35f477a5 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.json
@@ -302,6 +302,14 @@
                 },
                 "optional": true,
                 "path": "pathValue"
+              },
+              "podCertificate": {
+                "signerName": "signerNameValue",
+                "keyType": "keyTypeValue",
+                "maxExpirationSeconds": 3,
+                "credentialBundlePath": "credentialBundlePathValue",
+                "keyPath": "keyPathValue",
+                "certificateChainPath": "certificateChainPathValue"
               }
             }
           ],
@@ -496,6 +504,12 @@
                 "name": "nameValue",
                 "key": "keyValue",
                 "optional": true
+              },
+              "fileKeyRef": {
+                "volumeName": "volumeNameValue",
+                "path": "pathValue",
+                "key": "keyValue",
+                "optional": true
               }
             }
           }
@@ -521,6 +535,17 @@
           }
         ],
         "restartPolicy": "restartPolicyValue",
+        "restartPolicyRules": [
+          {
+            "action": "actionValue",
+            "exitCodes": {
+              "operator": "operatorValue",
+              "values": [
+                2
+              ]
+            }
+          }
+        ],
         "volumeMounts": [
           {
             "name": "nameValue",
@@ -689,7 +714,8 @@
             "sleep": {
               "seconds": 1
             }
-          }
+          },
+          "stopSignal": "stopSignalValue"
         },
         "terminationMessagePath": "terminationMessagePathValue",
         "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -792,6 +818,12 @@
                 "name": "nameValue",
                 "key": "keyValue",
                 "optional": true
+              },
+              "fileKeyRef": {
+                "volumeName": "volumeNameValue",
+                "path": "pathValue",
+                "key": "keyValue",
+                "optional": true
               }
             }
           }
@@ -817,6 +849,17 @@
           }
         ],
         "restartPolicy": "restartPolicyValue",
+        "restartPolicyRules": [
+          {
+            "action": "actionValue",
+            "exitCodes": {
+              "operator": "operatorValue",
+              "values": [
+                2
+              ]
+            }
+          }
+        ],
         "volumeMounts": [
           {
             "name": "nameValue",
@@ -985,7 +1028,8 @@
             "sleep": {
               "seconds": 1
             }
-          }
+          },
+          "stopSignal": "stopSignalValue"
         },
         "terminationMessagePath": "terminationMessagePathValue",
         "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1088,6 +1132,12 @@
                 "name": "nameValue",
                 "key": "keyValue",
                 "optional": true
+              },
+              "fileKeyRef": {
+                "volumeName": "volumeNameValue",
+                "path": "pathValue",
+                "key": "keyValue",
+                "optional": true
               }
             }
           }
@@ -1113,6 +1163,17 @@
           }
         ],
         "restartPolicy": "restartPolicyValue",
+        "restartPolicyRules": [
+          {
+            "action": "actionValue",
+            "exitCodes": {
+              "operator": "operatorValue",
+              "values": [
+                2
+              ]
+            }
+          }
+        ],
         "volumeMounts": [
           {
             "name": "nameValue",
@@ -1281,7 +1342,8 @@
             "sleep": {
               "seconds": 1
             }
-          }
+          },
+          "stopSignal": "stopSignalValue"
         },
         "terminationMessagePath": "terminationMessagePathValue",
         "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1722,13 +1784,16 @@
           "request": "requestValue"
         }
       ]
-    }
+    },
+    "hostnameOverride": "hostnameOverrideValue"
   },
   "status": {
+    "observedGeneration": 17,
     "phase": "phaseValue",
     "conditions": [
       {
         "type": "typeValue",
+        "observedGeneration": 7,
         "status": "statusValue",
         "lastProbeTime": "2003-01-01T01:01:01Z",
         "lastTransitionTime": "2004-01-01T01:01:01Z",
@@ -1841,7 +1906,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "containerStatuses": [
@@ -1933,7 +1999,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "qosClass": "qosClassValue",
@@ -2026,7 +2093,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "resize": "resizeValue",
@@ -2035,6 +2103,16 @@
         "name": "nameValue",
         "resourceClaimName": "resourceClaimNameValue"
       }
-    ]
+    ],
+    "extendedResourceClaimStatus": {
+      "requestMappings": [
+        {
+          "containerName": "containerNameValue",
+          "resourceName": "resourceNameValue",
+          "requestName": "requestNameValue"
+        }
+      ],
+      "resourceClaimName": "resourceClaimNameValue"
+    }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.pb
index 9b44310ba3474..41e3958fcc61d 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.yaml
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.yaml
index 31532e145a2f8..36d9a59473971 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Pod.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Pod.yaml
@@ -180,6 +180,11 @@ spec:
         fieldRef:
           apiVersion: apiVersionValue
           fieldPath: fieldPathValue
+        fileKeyRef:
+          key: keyValue
+          optional: true
+          path: pathValue
+          volumeName: volumeNameValue
         resourceFieldRef:
           containerName: containerNameValue
           divisor: "0"
@@ -233,6 +238,7 @@ spec:
         tcpSocket:
           host: hostValue
           port: portValue
+      stopSignal: stopSignalValue
     livenessProbe:
       exec:
         command:
@@ -300,6 +306,12 @@ spec:
       requests:
         requestsKey: "0"
     restartPolicy: restartPolicyValue
+    restartPolicyRules:
+    - action: actionValue
+      exitCodes:
+        operator: operatorValue
+        values:
+        - 2
     securityContext:
       allowPrivilegeEscalation: true
       appArmorProfile:
@@ -396,6 +408,11 @@ spec:
         fieldRef:
           apiVersion: apiVersionValue
           fieldPath: fieldPathValue
+        fileKeyRef:
+          key: keyValue
+          optional: true
+          path: pathValue
+          volumeName: volumeNameValue
         resourceFieldRef:
           containerName: containerNameValue
           divisor: "0"
@@ -449,6 +466,7 @@ spec:
         tcpSocket:
           host: hostValue
           port: portValue
+      stopSignal: stopSignalValue
     livenessProbe:
       exec:
         command:
@@ -516,6 +534,12 @@ spec:
       requests:
         requestsKey: "0"
     restartPolicy: restartPolicyValue
+    restartPolicyRules:
+    - action: actionValue
+      exitCodes:
+        operator: operatorValue
+        values:
+        - 2
     securityContext:
       allowPrivilegeEscalation: true
       appArmorProfile:
@@ -596,6 +620,7 @@ spec:
   hostPID: true
   hostUsers: true
   hostname: hostnameValue
+  hostnameOverride: hostnameOverrideValue
   imagePullSecrets:
   - name: nameValue
   initContainers:
@@ -614,6 +639,11 @@ spec:
         fieldRef:
           apiVersion: apiVersionValue
           fieldPath: fieldPathValue
+        fileKeyRef:
+          key: keyValue
+          optional: true
+          path: pathValue
+          volumeName: volumeNameValue
         resourceFieldRef:
           containerName: containerNameValue
           divisor: "0"
@@ -667,6 +697,7 @@ spec:
         tcpSocket:
           host: hostValue
           port: portValue
+      stopSignal: stopSignalValue
     livenessProbe:
       exec:
         command:
@@ -734,6 +765,12 @@ spec:
       requests:
         requestsKey: "0"
     restartPolicy: restartPolicyValue
+    restartPolicyRules:
+    - action: actionValue
+      exitCodes:
+        operator: operatorValue
+        values:
+        - 2
     securityContext:
       allowPrivilegeEscalation: true
       appArmorProfile:
@@ -1118,6 +1155,13 @@ spec:
               containerName: containerNameValue
               divisor: "0"
               resource: resourceValue
+        podCertificate:
+          certificateChainPath: certificateChainPathValue
+          credentialBundlePath: credentialBundlePathValue
+          keyPath: keyPathValue
+          keyType: keyTypeValue
+          maxExpirationSeconds: 3
+          signerName: signerNameValue
         secret:
           items:
           - key: keyValue
@@ -1184,6 +1228,7 @@ status:
   - lastProbeTime: "2003-01-01T01:01:01Z"
     lastTransitionTime: "2004-01-01T01:01:01Z"
     message: messageValue
+    observedGeneration: 7
     reason: reasonValue
     status: statusValue
     type: typeValue
@@ -1238,6 +1283,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -1300,6 +1346,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -1311,6 +1358,12 @@ status:
       name: nameValue
       readOnly: true
       recursiveReadOnly: recursiveReadOnlyValue
+  extendedResourceClaimStatus:
+    requestMappings:
+    - containerName: containerNameValue
+      requestName: requestNameValue
+      resourceName: resourceNameValue
+    resourceClaimName: resourceClaimNameValue
   hostIP: hostIPValue
   hostIPs:
   - ip: ipValue
@@ -1365,6 +1418,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -1378,6 +1432,7 @@ status:
       recursiveReadOnly: recursiveReadOnlyValue
   message: messageValue
   nominatedNodeName: nominatedNodeNameValue
+  observedGeneration: 17
   phase: phaseValue
   podIP: podIPValue
   podIPs:
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodAttachOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodAttachOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodExecOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodExecOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodLogOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodLogOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodPortForwardOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodPortForwardOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodProxyOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodProxyOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.json
similarity index 94%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.json
index 7b09b5176d9d0..e65f3718c292c 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.json
@@ -44,10 +44,12 @@
     ]
   },
   "status": {
+    "observedGeneration": 17,
     "phase": "phaseValue",
     "conditions": [
       {
         "type": "typeValue",
+        "observedGeneration": 7,
         "status": "statusValue",
         "lastProbeTime": "2003-01-01T01:01:01Z",
         "lastTransitionTime": "2004-01-01T01:01:01Z",
@@ -160,7 +162,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "containerStatuses": [
@@ -252,7 +255,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "qosClass": "qosClassValue",
@@ -345,7 +349,8 @@
               }
             ]
           }
-        ]
+        ],
+        "stopSignal": "stopSignalValue"
       }
     ],
     "resize": "resizeValue",
@@ -354,6 +359,16 @@
         "name": "nameValue",
         "resourceClaimName": "resourceClaimNameValue"
       }
-    ]
+    ],
+    "extendedResourceClaimStatus": {
+      "requestMappings": [
+        {
+          "containerName": "containerNameValue",
+          "resourceName": "resourceNameValue",
+          "requestName": "requestNameValue"
+        }
+      ],
+      "resourceClaimName": "resourceClaimNameValue"
+    }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.pb
similarity index 80%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.pb
index 53312203d77e9..82f5a5c5c5c73 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.yaml
similarity index 94%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.yaml
index 2bd9570b69464..96fbedba0809f 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodStatusResult.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodStatusResult.yaml
@@ -37,6 +37,7 @@ status:
   - lastProbeTime: "2003-01-01T01:01:01Z"
     lastTransitionTime: "2004-01-01T01:01:01Z"
     message: messageValue
+    observedGeneration: 7
     reason: reasonValue
     status: statusValue
     type: typeValue
@@ -91,6 +92,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -153,6 +155,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -164,6 +167,12 @@ status:
       name: nameValue
       readOnly: true
       recursiveReadOnly: recursiveReadOnlyValue
+  extendedResourceClaimStatus:
+    requestMappings:
+    - containerName: containerNameValue
+      requestName: requestNameValue
+      resourceName: resourceNameValue
+    resourceClaimName: resourceClaimNameValue
   hostIP: hostIPValue
   hostIPs:
   - ip: ipValue
@@ -218,6 +227,7 @@ status:
       waiting:
         message: messageValue
         reason: reasonValue
+    stopSignal: stopSignalValue
     user:
       linux:
         gid: 2
@@ -231,6 +241,7 @@ status:
       recursiveReadOnly: recursiveReadOnlyValue
   message: messageValue
   nominatedNodeName: nominatedNodeNameValue
+  observedGeneration: 17
   phase: phaseValue
   podIP: podIPValue
   podIPs:
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.json
index 7ab8ec402b795..b665fdd23c209 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.json
@@ -345,6 +345,14 @@
                   },
                   "optional": true,
                   "path": "pathValue"
+                },
+                "podCertificate": {
+                  "signerName": "signerNameValue",
+                  "keyType": "keyTypeValue",
+                  "maxExpirationSeconds": 3,
+                  "credentialBundlePath": "credentialBundlePathValue",
+                  "keyPath": "keyPathValue",
+                  "certificateChainPath": "certificateChainPathValue"
                 }
               }
             ],
@@ -539,6 +547,12 @@
                   "name": "nameValue",
                   "key": "keyValue",
                   "optional": true
+                },
+                "fileKeyRef": {
+                  "volumeName": "volumeNameValue",
+                  "path": "pathValue",
+                  "key": "keyValue",
+                  "optional": true
                 }
               }
             }
@@ -564,6 +578,17 @@
             }
           ],
           "restartPolicy": "restartPolicyValue",
+          "restartPolicyRules": [
+            {
+              "action": "actionValue",
+              "exitCodes": {
+                "operator": "operatorValue",
+                "values": [
+                  2
+                ]
+              }
+            }
+          ],
           "volumeMounts": [
             {
               "name": "nameValue",
@@ -732,7 +757,8 @@
               "sleep": {
                 "seconds": 1
               }
-            }
+            },
+            "stopSignal": "stopSignalValue"
           },
           "terminationMessagePath": "terminationMessagePathValue",
           "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -835,6 +861,12 @@
                   "name": "nameValue",
                   "key": "keyValue",
                   "optional": true
+                },
+                "fileKeyRef": {
+                  "volumeName": "volumeNameValue",
+                  "path": "pathValue",
+                  "key": "keyValue",
+                  "optional": true
                 }
               }
             }
@@ -860,6 +892,17 @@
             }
           ],
           "restartPolicy": "restartPolicyValue",
+          "restartPolicyRules": [
+            {
+              "action": "actionValue",
+              "exitCodes": {
+                "operator": "operatorValue",
+                "values": [
+                  2
+                ]
+              }
+            }
+          ],
           "volumeMounts": [
             {
               "name": "nameValue",
@@ -1028,7 +1071,8 @@
               "sleep": {
                 "seconds": 1
               }
-            }
+            },
+            "stopSignal": "stopSignalValue"
           },
           "terminationMessagePath": "terminationMessagePathValue",
           "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1131,6 +1175,12 @@
                   "name": "nameValue",
                   "key": "keyValue",
                   "optional": true
+                },
+                "fileKeyRef": {
+                  "volumeName": "volumeNameValue",
+                  "path": "pathValue",
+                  "key": "keyValue",
+                  "optional": true
                 }
               }
             }
@@ -1156,6 +1206,17 @@
             }
           ],
           "restartPolicy": "restartPolicyValue",
+          "restartPolicyRules": [
+            {
+              "action": "actionValue",
+              "exitCodes": {
+                "operator": "operatorValue",
+                "values": [
+                  2
+                ]
+              }
+            }
+          ],
           "volumeMounts": [
             {
               "name": "nameValue",
@@ -1324,7 +1385,8 @@
               "sleep": {
                 "seconds": 1
               }
-            }
+            },
+            "stopSignal": "stopSignalValue"
           },
           "terminationMessagePath": "terminationMessagePathValue",
           "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1765,7 +1827,8 @@
             "request": "requestValue"
           }
         ]
-      }
+      },
+      "hostnameOverride": "hostnameOverrideValue"
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.pb
index 8efa534315afd..eac7bca891351 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.yaml
index 8c3494faa7aa3..5edb7f29b6de3 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.PodTemplate.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.PodTemplate.yaml
@@ -213,6 +213,11 @@ template:
           fieldRef:
             apiVersion: apiVersionValue
             fieldPath: fieldPathValue
+          fileKeyRef:
+            key: keyValue
+            optional: true
+            path: pathValue
+            volumeName: volumeNameValue
           resourceFieldRef:
             containerName: containerNameValue
             divisor: "0"
@@ -266,6 +271,7 @@ template:
           tcpSocket:
             host: hostValue
             port: portValue
+        stopSignal: stopSignalValue
       livenessProbe:
         exec:
           command:
@@ -333,6 +339,12 @@ template:
         requests:
           requestsKey: "0"
       restartPolicy: restartPolicyValue
+      restartPolicyRules:
+      - action: actionValue
+        exitCodes:
+          operator: operatorValue
+          values:
+          - 2
       securityContext:
         allowPrivilegeEscalation: true
         appArmorProfile:
@@ -429,6 +441,11 @@ template:
           fieldRef:
             apiVersion: apiVersionValue
             fieldPath: fieldPathValue
+          fileKeyRef:
+            key: keyValue
+            optional: true
+            path: pathValue
+            volumeName: volumeNameValue
           resourceFieldRef:
             containerName: containerNameValue
             divisor: "0"
@@ -482,6 +499,7 @@ template:
           tcpSocket:
             host: hostValue
             port: portValue
+        stopSignal: stopSignalValue
       livenessProbe:
         exec:
           command:
@@ -549,6 +567,12 @@ template:
         requests:
           requestsKey: "0"
       restartPolicy: restartPolicyValue
+      restartPolicyRules:
+      - action: actionValue
+        exitCodes:
+          operator: operatorValue
+          values:
+          - 2
       securityContext:
         allowPrivilegeEscalation: true
         appArmorProfile:
@@ -629,6 +653,7 @@ template:
     hostPID: true
     hostUsers: true
     hostname: hostnameValue
+    hostnameOverride: hostnameOverrideValue
     imagePullSecrets:
     - name: nameValue
     initContainers:
@@ -647,6 +672,11 @@ template:
           fieldRef:
             apiVersion: apiVersionValue
             fieldPath: fieldPathValue
+          fileKeyRef:
+            key: keyValue
+            optional: true
+            path: pathValue
+            volumeName: volumeNameValue
           resourceFieldRef:
             containerName: containerNameValue
             divisor: "0"
@@ -700,6 +730,7 @@ template:
           tcpSocket:
             host: hostValue
             port: portValue
+        stopSignal: stopSignalValue
       livenessProbe:
         exec:
           command:
@@ -767,6 +798,12 @@ template:
         requests:
           requestsKey: "0"
       restartPolicy: restartPolicyValue
+      restartPolicyRules:
+      - action: actionValue
+        exitCodes:
+          operator: operatorValue
+          values:
+          - 2
       securityContext:
         allowPrivilegeEscalation: true
         appArmorProfile:
@@ -1151,6 +1188,13 @@ template:
                 containerName: containerNameValue
                 divisor: "0"
                 resource: resourceValue
+          podCertificate:
+            certificateChainPath: certificateChainPathValue
+            credentialBundlePath: credentialBundlePathValue
+            keyPath: keyPathValue
+            keyType: keyTypeValue
+            maxExpirationSeconds: 3
+            signerName: signerNameValue
           secret:
             items:
             - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.RangeAllocation.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.RangeAllocation.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.json
index e267b1ef2cde9..09d3e9f2331dc 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.json
@@ -351,6 +351,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -545,6 +553,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -570,6 +584,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -738,7 +763,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -841,6 +867,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -866,6 +898,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1034,7 +1077,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1137,6 +1181,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1162,6 +1212,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1330,7 +1391,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1771,7 +1833,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     }
   },
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.pb
index 1610a0c31d2fc..9476529df60e5 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.yaml
index ffa315e641d14..205da180c964d 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ReplicationController.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ReplicationController.yaml
@@ -218,6 +218,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -271,6 +276,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -338,6 +344,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -434,6 +446,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -487,6 +504,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -554,6 +572,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -634,6 +658,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -652,6 +677,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -705,6 +735,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -772,6 +803,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1156,6 +1193,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ResourceQuota.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ResourceQuota.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Secret.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Secret.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.SerializedReference.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.SerializedReference.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Service.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Service.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceAccount.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceAccount.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.ServiceProxyOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.ServiceProxyOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.Status.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.Status.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.UpdateOptions.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.UpdateOptions.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.json b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.pb b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/core.v1.WatchEvent.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/core.v1.WatchEvent.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.json b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.json
index 37944092e1821..640c6842a9df1 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.json
@@ -74,6 +74,11 @@
           {
             "name": "nameValue"
           }
+        ],
+        "forNodes": [
+          {
+            "name": "nameValue"
+          }
         ]
       }
     }
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.pb b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.pb
similarity index 87%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.pb
index 6ba3d21b3b52d..a4ff78a321415 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.yaml
similarity index 97%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.yaml
index 4f396707cd47b..db95f61cad5a6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1.EndpointSlice.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1.EndpointSlice.yaml
@@ -10,6 +10,8 @@ endpoints:
   deprecatedTopology:
     deprecatedTopologyKey: deprecatedTopologyValue
   hints:
+    forNodes:
+    - name: nameValue
     forZones:
     - name: nameValue
   hostname: hostnameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.json b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.json
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.json
index 50d012652ca7d..87dac1aa951d6 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.json
@@ -73,6 +73,11 @@
           {
             "name": "nameValue"
           }
+        ],
+        "forNodes": [
+          {
+            "name": "nameValue"
+          }
         ]
       }
     }
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.pb b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.pb
similarity index 81%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.pb
index 0dc5eec875879..0bb8fa81af94f 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml
similarity index 97%
rename from staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml
index c9d67a57feade..f5901ad8e4811 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/discovery.k8s.io.v1beta1.EndpointSlice.yaml
@@ -8,6 +8,8 @@ endpoints:
     serving: true
     terminating: true
   hints:
+    forNodes:
+    - name: nameValue
     forZones:
     - name: nameValue
   hostname: hostnameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.json b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.pb b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1.Event.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1.Event.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.json b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.pb b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/events.k8s.io.v1beta1.Event.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/events.k8s.io.v1beta1.Event.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.json
index df154fa098ff1..93d20033ba04e 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.json
@@ -360,6 +360,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -554,6 +562,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -579,6 +593,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -747,7 +772,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -850,6 +876,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -875,6 +907,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1043,7 +1086,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1146,6 +1190,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1171,6 +1221,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1339,7 +1400,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1780,7 +1842,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "updateStrategy": {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.pb
similarity index 84%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.pb
index 2155f9e55ecce..fc8e2a557a213 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.yaml
index ca7ee89373608..7bdf4a9a41d51 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DaemonSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DaemonSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.json
index 5a6cbb46e2376..b352d70c394b1 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.json
@@ -361,6 +361,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -555,6 +563,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -580,6 +594,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -748,7 +773,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -851,6 +877,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -876,6 +908,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1044,7 +1087,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1147,6 +1191,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1172,6 +1222,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1340,7 +1401,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1781,7 +1843,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     },
     "strategy": {
@@ -1806,6 +1869,7 @@
     "readyReplicas": 7,
     "availableReplicas": 4,
     "unavailableReplicas": 5,
+    "terminatingReplicas": 9,
     "conditions": [
       {
         "type": "typeValue",
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.pb
index 480fc47fdb99f..cebc6f20c5ac0 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.yaml
index b3f5eb3209aa2..7a42f9927a7d3 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Deployment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Deployment.yaml
@@ -234,6 +234,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -287,6 +292,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -354,6 +360,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -450,6 +462,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -503,6 +520,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -570,6 +588,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -650,6 +674,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -668,6 +693,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -721,6 +751,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -788,6 +819,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1172,6 +1209,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1246,5 +1290,6 @@ status:
   observedGeneration: 1
   readyReplicas: 7
   replicas: 2
+  terminatingReplicas: 9
   unavailableReplicas: 5
   updatedReplicas: 3
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.DeploymentRollback.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.DeploymentRollback.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Ingress.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Ingress.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.NetworkPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.NetworkPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.json
index 32e8468ec422f..7a31a72303124 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.json
@@ -362,6 +362,14 @@
                     },
                     "optional": true,
                     "path": "pathValue"
+                  },
+                  "podCertificate": {
+                    "signerName": "signerNameValue",
+                    "keyType": "keyTypeValue",
+                    "maxExpirationSeconds": 3,
+                    "credentialBundlePath": "credentialBundlePathValue",
+                    "keyPath": "keyPathValue",
+                    "certificateChainPath": "certificateChainPathValue"
                   }
                 }
               ],
@@ -556,6 +564,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -581,6 +595,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -749,7 +774,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -852,6 +878,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -877,6 +909,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1045,7 +1088,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1148,6 +1192,12 @@
                     "name": "nameValue",
                     "key": "keyValue",
                     "optional": true
+                  },
+                  "fileKeyRef": {
+                    "volumeName": "volumeNameValue",
+                    "path": "pathValue",
+                    "key": "keyValue",
+                    "optional": true
                   }
                 }
               }
@@ -1173,6 +1223,17 @@
               }
             ],
             "restartPolicy": "restartPolicyValue",
+            "restartPolicyRules": [
+              {
+                "action": "actionValue",
+                "exitCodes": {
+                  "operator": "operatorValue",
+                  "values": [
+                    2
+                  ]
+                }
+              }
+            ],
             "volumeMounts": [
               {
                 "name": "nameValue",
@@ -1341,7 +1402,8 @@
                 "sleep": {
                   "seconds": 1
                 }
-              }
+              },
+              "stopSignal": "stopSignalValue"
             },
             "terminationMessagePath": "terminationMessagePathValue",
             "terminationMessagePolicy": "terminationMessagePolicyValue",
@@ -1782,7 +1844,8 @@
               "request": "requestValue"
             }
           ]
-        }
+        },
+        "hostnameOverride": "hostnameOverrideValue"
       }
     }
   },
@@ -1791,6 +1854,7 @@
     "fullyLabeledReplicas": 2,
     "readyReplicas": 4,
     "availableReplicas": 5,
+    "terminatingReplicas": 7,
     "observedGeneration": 3,
     "conditions": [
       {
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.pb
similarity index 83%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.pb
index 1e4a88f2df508..89749c919c7dc 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.yaml
index 75188bb3f4a5c..1bd12ba887a88 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.ReplicaSet.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.ReplicaSet.yaml
@@ -224,6 +224,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -277,6 +282,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -344,6 +350,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -440,6 +452,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -493,6 +510,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -560,6 +578,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -640,6 +664,7 @@ spec:
       hostPID: true
       hostUsers: true
       hostname: hostnameValue
+      hostnameOverride: hostnameOverrideValue
       imagePullSecrets:
       - name: nameValue
       initContainers:
@@ -658,6 +683,11 @@ spec:
             fieldRef:
               apiVersion: apiVersionValue
               fieldPath: fieldPathValue
+            fileKeyRef:
+              key: keyValue
+              optional: true
+              path: pathValue
+              volumeName: volumeNameValue
             resourceFieldRef:
               containerName: containerNameValue
               divisor: "0"
@@ -711,6 +741,7 @@ spec:
             tcpSocket:
               host: hostValue
               port: portValue
+          stopSignal: stopSignalValue
         livenessProbe:
           exec:
             command:
@@ -778,6 +809,12 @@ spec:
           requests:
             requestsKey: "0"
         restartPolicy: restartPolicyValue
+        restartPolicyRules:
+        - action: actionValue
+          exitCodes:
+            operator: operatorValue
+            values:
+            - 2
         securityContext:
           allowPrivilegeEscalation: true
           appArmorProfile:
@@ -1162,6 +1199,13 @@ spec:
                   containerName: containerNameValue
                   divisor: "0"
                   resource: resourceValue
+            podCertificate:
+              certificateChainPath: certificateChainPathValue
+              credentialBundlePath: credentialBundlePathValue
+              keyPath: keyPathValue
+              keyType: keyTypeValue
+              maxExpirationSeconds: 3
+              signerName: signerNameValue
             secret:
               items:
               - key: keyValue
@@ -1235,3 +1279,4 @@ status:
   observedGeneration: 3
   readyReplicas: 4
   replicas: 1
+  terminatingReplicas: 7
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.json b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.pb b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/extensions.v1beta1.Scale.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/extensions.v1beta1.Scale.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.FlowSchema.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1.PriorityLevelConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.FlowSchema.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta1.PriorityLevelConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.FlowSchema.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta2.PriorityLevelConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.FlowSchema.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.json b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.pb b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/flowcontrol.apiserver.k8s.io.v1beta3.PriorityLevelConfiguration.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.json b/staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.pb b/staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/imagepolicy.k8s.io.v1alpha1.ImageReview.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/imagepolicy.k8s.io.v1alpha1.ImageReview.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.json b/staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.pb b/staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/internal.apiserver.k8s.io.v1alpha1.StorageVersion.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.json
new file mode 100644
index 0000000000000..f1c898e3afbf4
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.json
@@ -0,0 +1,54 @@
+{
+  "kind": "IPAddress",
+  "apiVersion": "networking.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "parentRef": {
+      "group": "groupValue",
+      "resource": "resourceValue",
+      "namespace": "namespaceValue",
+      "name": "nameValue"
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.pb
new file mode 100644
index 0000000000000..786612311229d
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.yaml
new file mode 100644
index 0000000000000..29c5e6908803b
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IPAddress.yaml
@@ -0,0 +1,40 @@
+apiVersion: networking.k8s.io/v1
+kind: IPAddress
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  parentRef:
+    group: groupValue
+    name: nameValue
+    namespace: namespaceValue
+    resource: resourceValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.Ingress.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.Ingress.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.IngressClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.IngressClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1.NetworkPolicy.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.NetworkPolicy.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.json
new file mode 100644
index 0000000000000..929b8afb43e5f
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.json
@@ -0,0 +1,63 @@
+{
+  "kind": "ServiceCIDR",
+  "apiVersion": "networking.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "cidrs": [
+      "cidrsValue"
+    ]
+  },
+  "status": {
+    "conditions": [
+      {
+        "type": "typeValue",
+        "status": "statusValue",
+        "observedGeneration": 3,
+        "lastTransitionTime": "2004-01-01T01:01:01Z",
+        "reason": "reasonValue",
+        "message": "messageValue"
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.pb
new file mode 100644
index 0000000000000..c221a66e3ec36
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.yaml
new file mode 100644
index 0000000000000..347f5763d2167
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1.ServiceCIDR.yaml
@@ -0,0 +1,45 @@
+apiVersion: networking.k8s.io/v1
+kind: ServiceCIDR
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  cidrs:
+  - cidrsValue
+status:
+  conditions:
+  - lastTransitionTime: "2004-01-01T01:01:01Z"
+    message: messageValue
+    observedGeneration: 3
+    reason: reasonValue
+    status: statusValue
+    type: typeValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IPAddress.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IPAddress.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.Ingress.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.Ingress.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.IngressClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.IngressClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.json b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.pb b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/networking.k8s.io.v1beta1.ServiceCIDR.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/networking.k8s.io.v1beta1.ServiceCIDR.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1.RuntimeClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1.RuntimeClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1alpha1.RuntimeClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1alpha1.RuntimeClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/node.k8s.io.v1beta1.RuntimeClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/node.k8s.io.v1beta1.RuntimeClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.json b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.pb b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.Eviction.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.Eviction.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.json b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.pb b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1.PodDisruptionBudget.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1.PodDisruptionBudget.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.json b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.pb b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.Eviction.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.Eviction.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.json b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.pb b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/policy.v1beta1.PodDisruptionBudget.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/policy.v1beta1.PodDisruptionBudget.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRole.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRole.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.ClusterRoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.Role.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.Role.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1.RoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1.RoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRole.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.ClusterRoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.Role.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.Role.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1alpha1.RoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRole.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.ClusterRoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.Role.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.Role.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.json b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.pb b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/rbac.authorization.k8s.io.v1beta1.RoleBinding.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.json
new file mode 100644
index 0000000000000..8fd86ddef7314
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.json
@@ -0,0 +1,73 @@
+{
+  "kind": "DeviceClass",
+  "apiVersion": "resource.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "selectors": [
+      {
+        "cel": {
+          "expression": "expressionValue"
+        }
+      }
+    ],
+    "config": [
+      {
+        "opaque": {
+          "driver": "driverValue",
+          "parameters": {
+            "apiVersion": "example.com/v1",
+            "kind": "CustomType",
+            "spec": {
+              "replicas": 1
+            },
+            "status": {
+              "available": 1
+            }
+          }
+        }
+      }
+    ],
+    "extendedResourceName": "extendedResourceNameValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.pb
new file mode 100644
index 0000000000000..1b1c76ceaf6c1
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.yaml
new file mode 100644
index 0000000000000..36f958f33d22c
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.DeviceClass.yaml
@@ -0,0 +1,49 @@
+apiVersion: resource.k8s.io/v1
+kind: DeviceClass
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  config:
+  - opaque:
+      driver: driverValue
+      parameters:
+        apiVersion: example.com/v1
+        kind: CustomType
+        spec:
+          replicas: 1
+        status:
+          available: 1
+  extendedResourceName: extendedResourceNameValue
+  selectors:
+  - cel:
+      expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.json
new file mode 100644
index 0000000000000..a67a53104130e
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.json
@@ -0,0 +1,263 @@
+{
+  "kind": "ResourceClaim",
+  "apiVersion": "resource.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "devices": {
+      "requests": [
+        {
+          "name": "nameValue",
+          "exactly": {
+            "deviceClassName": "deviceClassNameValue",
+            "selectors": [
+              {
+                "cel": {
+                  "expression": "expressionValue"
+                }
+              }
+            ],
+            "allocationMode": "allocationModeValue",
+            "count": 4,
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "capacity": {
+              "requests": {
+                "requestsKey": "0"
+              }
+            }
+          },
+          "firstAvailable": [
+            {
+              "name": "nameValue",
+              "deviceClassName": "deviceClassNameValue",
+              "selectors": [
+                {
+                  "cel": {
+                    "expression": "expressionValue"
+                  }
+                }
+              ],
+              "allocationMode": "allocationModeValue",
+              "count": 5,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ],
+              "capacity": {
+                "requests": {
+                  "requestsKey": "0"
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "constraints": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "matchAttribute": "matchAttributeValue",
+          "distinctAttribute": "distinctAttributeValue"
+        }
+      ],
+      "config": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "opaque": {
+            "driver": "driverValue",
+            "parameters": {
+              "apiVersion": "example.com/v1",
+              "kind": "CustomType",
+              "spec": {
+                "replicas": 1
+              },
+              "status": {
+                "available": 1
+              }
+            }
+          }
+        }
+      ]
+    }
+  },
+  "status": {
+    "allocation": {
+      "devices": {
+        "results": [
+          {
+            "request": "requestValue",
+            "driver": "driverValue",
+            "pool": "poolValue",
+            "device": "deviceValue",
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "bindingConditions": [
+              "bindingConditionsValue"
+            ],
+            "bindingFailureConditions": [
+              "bindingFailureConditionsValue"
+            ],
+            "shareID": "shareIDValue",
+            "consumedCapacity": {
+              "consumedCapacityKey": "0"
+            }
+          }
+        ],
+        "config": [
+          {
+            "source": "sourceValue",
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      },
+      "nodeSelector": {
+        "nodeSelectorTerms": [
+          {
+            "matchExpressions": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ],
+            "matchFields": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "allocationTimestamp": "2005-01-01T01:01:01Z"
+    },
+    "reservedFor": [
+      {
+        "apiGroup": "apiGroupValue",
+        "resource": "resourceValue",
+        "name": "nameValue",
+        "uid": "uidValue"
+      }
+    ],
+    "devices": [
+      {
+        "driver": "driverValue",
+        "pool": "poolValue",
+        "device": "deviceValue",
+        "shareID": "shareIDValue",
+        "conditions": [
+          {
+            "type": "typeValue",
+            "status": "statusValue",
+            "observedGeneration": 3,
+            "lastTransitionTime": "2004-01-01T01:01:01Z",
+            "reason": "reasonValue",
+            "message": "messageValue"
+          }
+        ],
+        "data": {
+          "apiVersion": "example.com/v1",
+          "kind": "CustomType",
+          "spec": {
+            "replicas": 1
+          },
+          "status": {
+            "available": 1
+          }
+        },
+        "networkData": {
+          "interfaceName": "interfaceNameValue",
+          "ips": [
+            "ipsValue"
+          ],
+          "hardwareAddress": "hardwareAddressValue"
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.pb
new file mode 100644
index 0000000000000..4a5f34d71c5cd
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.yaml
new file mode 100644
index 0000000000000..db448e861fdeb
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaim.yaml
@@ -0,0 +1,166 @@
+apiVersion: resource.k8s.io/v1
+kind: ResourceClaim
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  devices:
+    config:
+    - opaque:
+        driver: driverValue
+        parameters:
+          apiVersion: example.com/v1
+          kind: CustomType
+          spec:
+            replicas: 1
+          status:
+            available: 1
+      requests:
+      - requestsValue
+    constraints:
+    - distinctAttribute: distinctAttributeValue
+      matchAttribute: matchAttributeValue
+      requests:
+      - requestsValue
+    requests:
+    - exactly:
+        adminAccess: true
+        allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 4
+        deviceClassName: deviceClassNameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+      firstAvailable:
+      - allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 5
+        deviceClassName: deviceClassNameValue
+        name: nameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+      name: nameValue
+status:
+  allocation:
+    allocationTimestamp: "2005-01-01T01:01:01Z"
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+        source: sourceValue
+      results:
+      - adminAccess: true
+        bindingConditions:
+        - bindingConditionsValue
+        bindingFailureConditions:
+        - bindingFailureConditionsValue
+        consumedCapacity:
+          consumedCapacityKey: "0"
+        device: deviceValue
+        driver: driverValue
+        pool: poolValue
+        request: requestValue
+        shareID: shareIDValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+    nodeSelector:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+        matchFields:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+  devices:
+  - conditions:
+    - lastTransitionTime: "2004-01-01T01:01:01Z"
+      message: messageValue
+      observedGeneration: 3
+      reason: reasonValue
+      status: statusValue
+      type: typeValue
+    data:
+      apiVersion: example.com/v1
+      kind: CustomType
+      spec:
+        replicas: 1
+      status:
+        available: 1
+    device: deviceValue
+    driver: driverValue
+    networkData:
+      hardwareAddress: hardwareAddressValue
+      interfaceName: interfaceNameValue
+      ips:
+      - ipsValue
+    pool: poolValue
+    shareID: shareIDValue
+  reservedFor:
+  - apiGroup: apiGroupValue
+    name: nameValue
+    resource: resourceValue
+    uid: uidValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.json
new file mode 100644
index 0000000000000..c7f2c88974e2c
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.json
@@ -0,0 +1,184 @@
+{
+  "kind": "ResourceClaimTemplate",
+  "apiVersion": "resource.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "metadata": {
+      "name": "nameValue",
+      "generateName": "generateNameValue",
+      "namespace": "namespaceValue",
+      "selfLink": "selfLinkValue",
+      "uid": "uidValue",
+      "resourceVersion": "resourceVersionValue",
+      "generation": 7,
+      "creationTimestamp": "2008-01-01T01:01:01Z",
+      "deletionTimestamp": "2009-01-01T01:01:01Z",
+      "deletionGracePeriodSeconds": 10,
+      "labels": {
+        "labelsKey": "labelsValue"
+      },
+      "annotations": {
+        "annotationsKey": "annotationsValue"
+      },
+      "ownerReferences": [
+        {
+          "apiVersion": "apiVersionValue",
+          "kind": "kindValue",
+          "name": "nameValue",
+          "uid": "uidValue",
+          "controller": true,
+          "blockOwnerDeletion": true
+        }
+      ],
+      "finalizers": [
+        "finalizersValue"
+      ],
+      "managedFields": [
+        {
+          "manager": "managerValue",
+          "operation": "operationValue",
+          "apiVersion": "apiVersionValue",
+          "time": "2004-01-01T01:01:01Z",
+          "fieldsType": "fieldsTypeValue",
+          "fieldsV1": {},
+          "subresource": "subresourceValue"
+        }
+      ]
+    },
+    "spec": {
+      "devices": {
+        "requests": [
+          {
+            "name": "nameValue",
+            "exactly": {
+              "deviceClassName": "deviceClassNameValue",
+              "selectors": [
+                {
+                  "cel": {
+                    "expression": "expressionValue"
+                  }
+                }
+              ],
+              "allocationMode": "allocationModeValue",
+              "count": 4,
+              "adminAccess": true,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ],
+              "capacity": {
+                "requests": {
+                  "requestsKey": "0"
+                }
+              }
+            },
+            "firstAvailable": [
+              {
+                "name": "nameValue",
+                "deviceClassName": "deviceClassNameValue",
+                "selectors": [
+                  {
+                    "cel": {
+                      "expression": "expressionValue"
+                    }
+                  }
+                ],
+                "allocationMode": "allocationModeValue",
+                "count": 5,
+                "tolerations": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "value": "valueValue",
+                    "effect": "effectValue",
+                    "tolerationSeconds": 5
+                  }
+                ],
+                "capacity": {
+                  "requests": {
+                    "requestsKey": "0"
+                  }
+                }
+              }
+            ]
+          }
+        ],
+        "constraints": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "matchAttribute": "matchAttributeValue",
+            "distinctAttribute": "distinctAttributeValue"
+          }
+        ],
+        "config": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.pb
new file mode 100644
index 0000000000000..db1f0ee449c48
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.yaml
new file mode 100644
index 0000000000000..a29821f1c1c08
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceClaimTemplate.yaml
@@ -0,0 +1,122 @@
+apiVersion: resource.k8s.io/v1
+kind: ResourceClaimTemplate
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  metadata:
+    annotations:
+      annotationsKey: annotationsValue
+    creationTimestamp: "2008-01-01T01:01:01Z"
+    deletionGracePeriodSeconds: 10
+    deletionTimestamp: "2009-01-01T01:01:01Z"
+    finalizers:
+    - finalizersValue
+    generateName: generateNameValue
+    generation: 7
+    labels:
+      labelsKey: labelsValue
+    managedFields:
+    - apiVersion: apiVersionValue
+      fieldsType: fieldsTypeValue
+      fieldsV1: {}
+      manager: managerValue
+      operation: operationValue
+      subresource: subresourceValue
+      time: "2004-01-01T01:01:01Z"
+    name: nameValue
+    namespace: namespaceValue
+    ownerReferences:
+    - apiVersion: apiVersionValue
+      blockOwnerDeletion: true
+      controller: true
+      kind: kindValue
+      name: nameValue
+      uid: uidValue
+    resourceVersion: resourceVersionValue
+    selfLink: selfLinkValue
+    uid: uidValue
+  spec:
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+      constraints:
+      - distinctAttribute: distinctAttributeValue
+        matchAttribute: matchAttributeValue
+        requests:
+        - requestsValue
+      requests:
+      - exactly:
+          adminAccess: true
+          allocationMode: allocationModeValue
+          capacity:
+            requests:
+              requestsKey: "0"
+          count: 4
+          deviceClassName: deviceClassNameValue
+          selectors:
+          - cel:
+              expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
+        firstAvailable:
+        - allocationMode: allocationModeValue
+          capacity:
+            requests:
+              requestsKey: "0"
+          count: 5
+          deviceClassName: deviceClassNameValue
+          name: nameValue
+          selectors:
+          - cel:
+              expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
+        name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.json
new file mode 100644
index 0000000000000..71a2a34646581
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.json
@@ -0,0 +1,172 @@
+{
+  "kind": "ResourceSlice",
+  "apiVersion": "resource.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "driver": "driverValue",
+    "pool": {
+      "name": "nameValue",
+      "generation": 2,
+      "resourceSliceCount": 3
+    },
+    "nodeName": "nodeNameValue",
+    "nodeSelector": {
+      "nodeSelectorTerms": [
+        {
+          "matchExpressions": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ],
+          "matchFields": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "allNodes": true,
+    "devices": [
+      {
+        "name": "nameValue",
+        "attributes": {
+          "attributesKey": {
+            "int": 2,
+            "bool": true,
+            "string": "stringValue",
+            "version": "versionValue"
+          }
+        },
+        "capacity": {
+          "capacityKey": {
+            "value": "0",
+            "requestPolicy": {
+              "default": "0",
+              "validValues": [
+                "0"
+              ],
+              "validRange": {
+                "min": "0",
+                "max": "0",
+                "step": "0"
+              }
+            }
+          }
+        },
+        "consumesCounters": [
+          {
+            "counterSet": "counterSetValue",
+            "counters": {
+              "countersKey": {
+                "value": "0"
+              }
+            }
+          }
+        ],
+        "nodeName": "nodeNameValue",
+        "nodeSelector": {
+          "nodeSelectorTerms": [
+            {
+              "matchExpressions": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "values": [
+                    "valuesValue"
+                  ]
+                }
+              ],
+              "matchFields": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "values": [
+                    "valuesValue"
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        "allNodes": true,
+        "taints": [
+          {
+            "key": "keyValue",
+            "value": "valueValue",
+            "effect": "effectValue",
+            "timeAdded": "2004-01-01T01:01:01Z"
+          }
+        ],
+        "bindsToNode": true,
+        "bindingConditions": [
+          "bindingConditionsValue"
+        ],
+        "bindingFailureConditions": [
+          "bindingFailureConditionsValue"
+        ],
+        "allowMultipleAllocations": true
+      }
+    ],
+    "perDeviceNodeSelection": true,
+    "sharedCounters": [
+      {
+        "name": "nameValue",
+        "counters": {
+          "countersKey": {
+            "value": "0"
+          }
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.pb
new file mode 100644
index 0000000000000..3dcb6b97c1e2c
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.yaml
new file mode 100644
index 0000000000000..f39b9ce2a3055
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1.ResourceSlice.yaml
@@ -0,0 +1,109 @@
+apiVersion: resource.k8s.io/v1
+kind: ResourceSlice
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  allNodes: true
+  devices:
+  - allNodes: true
+    allowMultipleAllocations: true
+    attributes:
+      attributesKey:
+        bool: true
+        int: 2
+        string: stringValue
+        version: versionValue
+    bindingConditions:
+    - bindingConditionsValue
+    bindingFailureConditions:
+    - bindingFailureConditionsValue
+    bindsToNode: true
+    capacity:
+      capacityKey:
+        requestPolicy:
+          default: "0"
+          validRange:
+            max: "0"
+            min: "0"
+            step: "0"
+          validValues:
+          - "0"
+        value: "0"
+    consumesCounters:
+    - counterSet: counterSetValue
+      counters:
+        countersKey:
+          value: "0"
+    name: nameValue
+    nodeName: nodeNameValue
+    nodeSelector:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+        matchFields:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+    taints:
+    - effect: effectValue
+      key: keyValue
+      timeAdded: "2004-01-01T01:01:01Z"
+      value: valueValue
+  driver: driverValue
+  nodeName: nodeNameValue
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchFields:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+  perDeviceNodeSelection: true
+  pool:
+    generation: 2
+    name: nameValue
+    resourceSliceCount: 3
+  sharedCounters:
+  - counters:
+      countersKey:
+        value: "0"
+    name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json
new file mode 100644
index 0000000000000..55fd38b03b6c2
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.json
@@ -0,0 +1,60 @@
+{
+  "kind": "DeviceTaintRule",
+  "apiVersion": "resource.k8s.io/v1alpha3",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "deviceSelector": {
+      "driver": "driverValue",
+      "pool": "poolValue",
+      "device": "deviceValue"
+    },
+    "taint": {
+      "key": "keyValue",
+      "value": "valueValue",
+      "effect": "effectValue",
+      "timeAdded": "2004-01-01T01:01:01Z"
+    }
+  },
+  "status": {}
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb
new file mode 100644
index 0000000000000..ff8debd3e4d20
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml
new file mode 100644
index 0000000000000..78823c8e90bce
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.after_roundtrip.yaml
@@ -0,0 +1,45 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  deviceSelector:
+    device: deviceValue
+    driver: driverValue
+    pool: poolValue
+  taint:
+    effect: effectValue
+    key: keyValue
+    timeAdded: "2004-01-01T01:01:01Z"
+    value: valueValue
+status: {}
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.json
new file mode 100644
index 0000000000000..84ad149568007
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.json
@@ -0,0 +1,67 @@
+{
+  "kind": "DeviceTaintRule",
+  "apiVersion": "resource.k8s.io/v1alpha3",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "deviceSelector": {
+      "deviceClassName": "deviceClassNameValue",
+      "driver": "driverValue",
+      "pool": "poolValue",
+      "device": "deviceValue",
+      "selectors": [
+        {
+          "cel": {
+            "expression": "expressionValue"
+          }
+        }
+      ]
+    },
+    "taint": {
+      "key": "keyValue",
+      "value": "valueValue",
+      "effect": "effectValue",
+      "timeAdded": "2004-01-01T01:01:01Z"
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.pb
new file mode 100644
index 0000000000000..60244465bfcc2
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
new file mode 100644
index 0000000000000..8d06614b992c9
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
@@ -0,0 +1,48 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  deviceSelector:
+    device: deviceValue
+    deviceClassName: deviceClassNameValue
+    driver: driverValue
+    pool: poolValue
+    selectors:
+    - cel:
+        expression: expressionValue
+  taint:
+    effect: effectValue
+    key: keyValue
+    timeAdded: "2004-01-01T01:01:01Z"
+    value: valueValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.json
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.json
index 2b6e04b3b9cbe..82ed74a32c393 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.json
@@ -67,6 +67,7 @@
           }
         }
       }
-    ]
+    ],
+    "extendedResourceName": "extendedResourceNameValue"
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.pb
similarity index 77%
rename from staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.pb
index be0ebc6f8afa0..a60344d077565 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.yaml
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.yaml
index 8cbd63240cc0c..9390e676b428b 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/resource.k8s.io.v1beta1.DeviceClass.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.DeviceClass.yaml
@@ -43,6 +43,7 @@ spec:
           replicas: 1
         status:
           available: 1
+  extendedResourceName: extendedResourceNameValue
   selectors:
   - cel:
       expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.json
new file mode 100644
index 0000000000000..74e5b53ce8a6c
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.json
@@ -0,0 +1,261 @@
+{
+  "kind": "ResourceClaim",
+  "apiVersion": "resource.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "devices": {
+      "requests": [
+        {
+          "name": "nameValue",
+          "deviceClassName": "deviceClassNameValue",
+          "selectors": [
+            {
+              "cel": {
+                "expression": "expressionValue"
+              }
+            }
+          ],
+          "allocationMode": "allocationModeValue",
+          "count": 5,
+          "adminAccess": true,
+          "firstAvailable": [
+            {
+              "name": "nameValue",
+              "deviceClassName": "deviceClassNameValue",
+              "selectors": [
+                {
+                  "cel": {
+                    "expression": "expressionValue"
+                  }
+                }
+              ],
+              "allocationMode": "allocationModeValue",
+              "count": 5,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ],
+              "capacity": {
+                "requests": {
+                  "requestsKey": "0"
+                }
+              }
+            }
+          ],
+          "tolerations": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "tolerationSeconds": 5
+            }
+          ],
+          "capacity": {
+            "requests": {
+              "requestsKey": "0"
+            }
+          }
+        }
+      ],
+      "constraints": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "matchAttribute": "matchAttributeValue",
+          "distinctAttribute": "distinctAttributeValue"
+        }
+      ],
+      "config": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "opaque": {
+            "driver": "driverValue",
+            "parameters": {
+              "apiVersion": "example.com/v1",
+              "kind": "CustomType",
+              "spec": {
+                "replicas": 1
+              },
+              "status": {
+                "available": 1
+              }
+            }
+          }
+        }
+      ]
+    }
+  },
+  "status": {
+    "allocation": {
+      "devices": {
+        "results": [
+          {
+            "request": "requestValue",
+            "driver": "driverValue",
+            "pool": "poolValue",
+            "device": "deviceValue",
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "bindingConditions": [
+              "bindingConditionsValue"
+            ],
+            "bindingFailureConditions": [
+              "bindingFailureConditionsValue"
+            ],
+            "shareID": "shareIDValue",
+            "consumedCapacity": {
+              "consumedCapacityKey": "0"
+            }
+          }
+        ],
+        "config": [
+          {
+            "source": "sourceValue",
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      },
+      "nodeSelector": {
+        "nodeSelectorTerms": [
+          {
+            "matchExpressions": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ],
+            "matchFields": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "allocationTimestamp": "2005-01-01T01:01:01Z"
+    },
+    "reservedFor": [
+      {
+        "apiGroup": "apiGroupValue",
+        "resource": "resourceValue",
+        "name": "nameValue",
+        "uid": "uidValue"
+      }
+    ],
+    "devices": [
+      {
+        "driver": "driverValue",
+        "pool": "poolValue",
+        "device": "deviceValue",
+        "shareID": "shareIDValue",
+        "conditions": [
+          {
+            "type": "typeValue",
+            "status": "statusValue",
+            "observedGeneration": 3,
+            "lastTransitionTime": "2004-01-01T01:01:01Z",
+            "reason": "reasonValue",
+            "message": "messageValue"
+          }
+        ],
+        "data": {
+          "apiVersion": "example.com/v1",
+          "kind": "CustomType",
+          "spec": {
+            "replicas": 1
+          },
+          "status": {
+            "available": 1
+          }
+        },
+        "networkData": {
+          "interfaceName": "interfaceNameValue",
+          "ips": [
+            "ipsValue"
+          ],
+          "hardwareAddress": "hardwareAddressValue"
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.pb
new file mode 100644
index 0000000000000..8a0697d2ab34a
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.yaml
new file mode 100644
index 0000000000000..ccb2b63c3622d
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaim.yaml
@@ -0,0 +1,165 @@
+apiVersion: resource.k8s.io/v1beta1
+kind: ResourceClaim
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  devices:
+    config:
+    - opaque:
+        driver: driverValue
+        parameters:
+          apiVersion: example.com/v1
+          kind: CustomType
+          spec:
+            replicas: 1
+          status:
+            available: 1
+      requests:
+      - requestsValue
+    constraints:
+    - distinctAttribute: distinctAttributeValue
+      matchAttribute: matchAttributeValue
+      requests:
+      - requestsValue
+    requests:
+    - adminAccess: true
+      allocationMode: allocationModeValue
+      capacity:
+        requests:
+          requestsKey: "0"
+      count: 5
+      deviceClassName: deviceClassNameValue
+      firstAvailable:
+      - allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 5
+        deviceClassName: deviceClassNameValue
+        name: nameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+      name: nameValue
+      selectors:
+      - cel:
+          expression: expressionValue
+      tolerations:
+      - effect: effectValue
+        key: keyValue
+        operator: operatorValue
+        tolerationSeconds: 5
+        value: valueValue
+status:
+  allocation:
+    allocationTimestamp: "2005-01-01T01:01:01Z"
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+        source: sourceValue
+      results:
+      - adminAccess: true
+        bindingConditions:
+        - bindingConditionsValue
+        bindingFailureConditions:
+        - bindingFailureConditionsValue
+        consumedCapacity:
+          consumedCapacityKey: "0"
+        device: deviceValue
+        driver: driverValue
+        pool: poolValue
+        request: requestValue
+        shareID: shareIDValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+    nodeSelector:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+        matchFields:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+  devices:
+  - conditions:
+    - lastTransitionTime: "2004-01-01T01:01:01Z"
+      message: messageValue
+      observedGeneration: 3
+      reason: reasonValue
+      status: statusValue
+      type: typeValue
+    data:
+      apiVersion: example.com/v1
+      kind: CustomType
+      spec:
+        replicas: 1
+      status:
+        available: 1
+    device: deviceValue
+    driver: driverValue
+    networkData:
+      hardwareAddress: hardwareAddressValue
+      interfaceName: interfaceNameValue
+      ips:
+      - ipsValue
+    pool: poolValue
+    shareID: shareIDValue
+  reservedFor:
+  - apiGroup: apiGroupValue
+    name: nameValue
+    resource: resourceValue
+    uid: uidValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
new file mode 100644
index 0000000000000..9f40b834f072d
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
@@ -0,0 +1,182 @@
+{
+  "kind": "ResourceClaimTemplate",
+  "apiVersion": "resource.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "metadata": {
+      "name": "nameValue",
+      "generateName": "generateNameValue",
+      "namespace": "namespaceValue",
+      "selfLink": "selfLinkValue",
+      "uid": "uidValue",
+      "resourceVersion": "resourceVersionValue",
+      "generation": 7,
+      "creationTimestamp": "2008-01-01T01:01:01Z",
+      "deletionTimestamp": "2009-01-01T01:01:01Z",
+      "deletionGracePeriodSeconds": 10,
+      "labels": {
+        "labelsKey": "labelsValue"
+      },
+      "annotations": {
+        "annotationsKey": "annotationsValue"
+      },
+      "ownerReferences": [
+        {
+          "apiVersion": "apiVersionValue",
+          "kind": "kindValue",
+          "name": "nameValue",
+          "uid": "uidValue",
+          "controller": true,
+          "blockOwnerDeletion": true
+        }
+      ],
+      "finalizers": [
+        "finalizersValue"
+      ],
+      "managedFields": [
+        {
+          "manager": "managerValue",
+          "operation": "operationValue",
+          "apiVersion": "apiVersionValue",
+          "time": "2004-01-01T01:01:01Z",
+          "fieldsType": "fieldsTypeValue",
+          "fieldsV1": {},
+          "subresource": "subresourceValue"
+        }
+      ]
+    },
+    "spec": {
+      "devices": {
+        "requests": [
+          {
+            "name": "nameValue",
+            "deviceClassName": "deviceClassNameValue",
+            "selectors": [
+              {
+                "cel": {
+                  "expression": "expressionValue"
+                }
+              }
+            ],
+            "allocationMode": "allocationModeValue",
+            "count": 5,
+            "adminAccess": true,
+            "firstAvailable": [
+              {
+                "name": "nameValue",
+                "deviceClassName": "deviceClassNameValue",
+                "selectors": [
+                  {
+                    "cel": {
+                      "expression": "expressionValue"
+                    }
+                  }
+                ],
+                "allocationMode": "allocationModeValue",
+                "count": 5,
+                "tolerations": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "value": "valueValue",
+                    "effect": "effectValue",
+                    "tolerationSeconds": 5
+                  }
+                ],
+                "capacity": {
+                  "requests": {
+                    "requestsKey": "0"
+                  }
+                }
+              }
+            ],
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "capacity": {
+              "requests": {
+                "requestsKey": "0"
+              }
+            }
+          }
+        ],
+        "constraints": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "matchAttribute": "matchAttributeValue",
+            "distinctAttribute": "distinctAttributeValue"
+          }
+        ],
+        "config": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb
new file mode 100644
index 0000000000000..344bd3899f378
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
new file mode 100644
index 0000000000000..ca60241548004
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
@@ -0,0 +1,121 @@
+apiVersion: resource.k8s.io/v1beta1
+kind: ResourceClaimTemplate
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  metadata:
+    annotations:
+      annotationsKey: annotationsValue
+    creationTimestamp: "2008-01-01T01:01:01Z"
+    deletionGracePeriodSeconds: 10
+    deletionTimestamp: "2009-01-01T01:01:01Z"
+    finalizers:
+    - finalizersValue
+    generateName: generateNameValue
+    generation: 7
+    labels:
+      labelsKey: labelsValue
+    managedFields:
+    - apiVersion: apiVersionValue
+      fieldsType: fieldsTypeValue
+      fieldsV1: {}
+      manager: managerValue
+      operation: operationValue
+      subresource: subresourceValue
+      time: "2004-01-01T01:01:01Z"
+    name: nameValue
+    namespace: namespaceValue
+    ownerReferences:
+    - apiVersion: apiVersionValue
+      blockOwnerDeletion: true
+      controller: true
+      kind: kindValue
+      name: nameValue
+      uid: uidValue
+    resourceVersion: resourceVersionValue
+    selfLink: selfLinkValue
+    uid: uidValue
+  spec:
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+      constraints:
+      - distinctAttribute: distinctAttributeValue
+        matchAttribute: matchAttributeValue
+        requests:
+        - requestsValue
+      requests:
+      - adminAccess: true
+        allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 5
+        deviceClassName: deviceClassNameValue
+        firstAvailable:
+        - allocationMode: allocationModeValue
+          capacity:
+            requests:
+              requestsKey: "0"
+          count: 5
+          deviceClassName: deviceClassNameValue
+          name: nameValue
+          selectors:
+          - cel:
+              expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
+        name: nameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.json
new file mode 100644
index 0000000000000..eb2879fa0a4d2
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.json
@@ -0,0 +1,174 @@
+{
+  "kind": "ResourceSlice",
+  "apiVersion": "resource.k8s.io/v1beta1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "driver": "driverValue",
+    "pool": {
+      "name": "nameValue",
+      "generation": 2,
+      "resourceSliceCount": 3
+    },
+    "nodeName": "nodeNameValue",
+    "nodeSelector": {
+      "nodeSelectorTerms": [
+        {
+          "matchExpressions": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ],
+          "matchFields": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "allNodes": true,
+    "devices": [
+      {
+        "name": "nameValue",
+        "basic": {
+          "attributes": {
+            "attributesKey": {
+              "int": 2,
+              "bool": true,
+              "string": "stringValue",
+              "version": "versionValue"
+            }
+          },
+          "capacity": {
+            "capacityKey": {
+              "value": "0",
+              "requestPolicy": {
+                "default": "0",
+                "validValues": [
+                  "0"
+                ],
+                "validRange": {
+                  "min": "0",
+                  "max": "0",
+                  "step": "0"
+                }
+              }
+            }
+          },
+          "consumesCounters": [
+            {
+              "counterSet": "counterSetValue",
+              "counters": {
+                "countersKey": {
+                  "value": "0"
+                }
+              }
+            }
+          ],
+          "nodeName": "nodeNameValue",
+          "nodeSelector": {
+            "nodeSelectorTerms": [
+              {
+                "matchExpressions": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "values": [
+                      "valuesValue"
+                    ]
+                  }
+                ],
+                "matchFields": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "values": [
+                      "valuesValue"
+                    ]
+                  }
+                ]
+              }
+            ]
+          },
+          "allNodes": true,
+          "taints": [
+            {
+              "key": "keyValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "timeAdded": "2004-01-01T01:01:01Z"
+            }
+          ],
+          "bindsToNode": true,
+          "bindingConditions": [
+            "bindingConditionsValue"
+          ],
+          "bindingFailureConditions": [
+            "bindingFailureConditionsValue"
+          ],
+          "allowMultipleAllocations": true
+        }
+      }
+    ],
+    "perDeviceNodeSelection": true,
+    "sharedCounters": [
+      {
+        "name": "nameValue",
+        "counters": {
+          "countersKey": {
+            "value": "0"
+          }
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.pb
new file mode 100644
index 0000000000000..248a5d59e7555
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.yaml
new file mode 100644
index 0000000000000..dea39fec6203a
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta1.ResourceSlice.yaml
@@ -0,0 +1,110 @@
+apiVersion: resource.k8s.io/v1beta1
+kind: ResourceSlice
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  allNodes: true
+  devices:
+  - basic:
+      allNodes: true
+      allowMultipleAllocations: true
+      attributes:
+        attributesKey:
+          bool: true
+          int: 2
+          string: stringValue
+          version: versionValue
+      bindingConditions:
+      - bindingConditionsValue
+      bindingFailureConditions:
+      - bindingFailureConditionsValue
+      bindsToNode: true
+      capacity:
+        capacityKey:
+          requestPolicy:
+            default: "0"
+            validRange:
+              max: "0"
+              min: "0"
+              step: "0"
+            validValues:
+            - "0"
+          value: "0"
+      consumesCounters:
+      - counterSet: counterSetValue
+        counters:
+          countersKey:
+            value: "0"
+      nodeName: nodeNameValue
+      nodeSelector:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: keyValue
+            operator: operatorValue
+            values:
+            - valuesValue
+          matchFields:
+          - key: keyValue
+            operator: operatorValue
+            values:
+            - valuesValue
+      taints:
+      - effect: effectValue
+        key: keyValue
+        timeAdded: "2004-01-01T01:01:01Z"
+        value: valueValue
+    name: nameValue
+  driver: driverValue
+  nodeName: nodeNameValue
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchFields:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+  perDeviceNodeSelection: true
+  pool:
+    generation: 2
+    name: nameValue
+    resourceSliceCount: 3
+  sharedCounters:
+  - counters:
+      countersKey:
+        value: "0"
+    name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.json
new file mode 100644
index 0000000000000..2cc62c50c4a3e
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.json
@@ -0,0 +1,73 @@
+{
+  "kind": "DeviceClass",
+  "apiVersion": "resource.k8s.io/v1beta2",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "selectors": [
+      {
+        "cel": {
+          "expression": "expressionValue"
+        }
+      }
+    ],
+    "config": [
+      {
+        "opaque": {
+          "driver": "driverValue",
+          "parameters": {
+            "apiVersion": "example.com/v1",
+            "kind": "CustomType",
+            "spec": {
+              "replicas": 1
+            },
+            "status": {
+              "available": 1
+            }
+          }
+        }
+      }
+    ],
+    "extendedResourceName": "extendedResourceNameValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.pb
new file mode 100644
index 0000000000000..0ca74192a08e8
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.yaml
new file mode 100644
index 0000000000000..c307342cacc09
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.DeviceClass.yaml
@@ -0,0 +1,49 @@
+apiVersion: resource.k8s.io/v1beta2
+kind: DeviceClass
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  config:
+  - opaque:
+      driver: driverValue
+      parameters:
+        apiVersion: example.com/v1
+        kind: CustomType
+        spec:
+          replicas: 1
+        status:
+          available: 1
+  extendedResourceName: extendedResourceNameValue
+  selectors:
+  - cel:
+      expression: expressionValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.json
new file mode 100644
index 0000000000000..4036029512f2f
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.json
@@ -0,0 +1,263 @@
+{
+  "kind": "ResourceClaim",
+  "apiVersion": "resource.k8s.io/v1beta2",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "devices": {
+      "requests": [
+        {
+          "name": "nameValue",
+          "exactly": {
+            "deviceClassName": "deviceClassNameValue",
+            "selectors": [
+              {
+                "cel": {
+                  "expression": "expressionValue"
+                }
+              }
+            ],
+            "allocationMode": "allocationModeValue",
+            "count": 4,
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "capacity": {
+              "requests": {
+                "requestsKey": "0"
+              }
+            }
+          },
+          "firstAvailable": [
+            {
+              "name": "nameValue",
+              "deviceClassName": "deviceClassNameValue",
+              "selectors": [
+                {
+                  "cel": {
+                    "expression": "expressionValue"
+                  }
+                }
+              ],
+              "allocationMode": "allocationModeValue",
+              "count": 5,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ],
+              "capacity": {
+                "requests": {
+                  "requestsKey": "0"
+                }
+              }
+            }
+          ]
+        }
+      ],
+      "constraints": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "matchAttribute": "matchAttributeValue",
+          "distinctAttribute": "distinctAttributeValue"
+        }
+      ],
+      "config": [
+        {
+          "requests": [
+            "requestsValue"
+          ],
+          "opaque": {
+            "driver": "driverValue",
+            "parameters": {
+              "apiVersion": "example.com/v1",
+              "kind": "CustomType",
+              "spec": {
+                "replicas": 1
+              },
+              "status": {
+                "available": 1
+              }
+            }
+          }
+        }
+      ]
+    }
+  },
+  "status": {
+    "allocation": {
+      "devices": {
+        "results": [
+          {
+            "request": "requestValue",
+            "driver": "driverValue",
+            "pool": "poolValue",
+            "device": "deviceValue",
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ],
+            "bindingConditions": [
+              "bindingConditionsValue"
+            ],
+            "bindingFailureConditions": [
+              "bindingFailureConditionsValue"
+            ],
+            "shareID": "shareIDValue",
+            "consumedCapacity": {
+              "consumedCapacityKey": "0"
+            }
+          }
+        ],
+        "config": [
+          {
+            "source": "sourceValue",
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      },
+      "nodeSelector": {
+        "nodeSelectorTerms": [
+          {
+            "matchExpressions": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ],
+            "matchFields": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "values": [
+                  "valuesValue"
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "allocationTimestamp": "2005-01-01T01:01:01Z"
+    },
+    "reservedFor": [
+      {
+        "apiGroup": "apiGroupValue",
+        "resource": "resourceValue",
+        "name": "nameValue",
+        "uid": "uidValue"
+      }
+    ],
+    "devices": [
+      {
+        "driver": "driverValue",
+        "pool": "poolValue",
+        "device": "deviceValue",
+        "shareID": "shareIDValue",
+        "conditions": [
+          {
+            "type": "typeValue",
+            "status": "statusValue",
+            "observedGeneration": 3,
+            "lastTransitionTime": "2004-01-01T01:01:01Z",
+            "reason": "reasonValue",
+            "message": "messageValue"
+          }
+        ],
+        "data": {
+          "apiVersion": "example.com/v1",
+          "kind": "CustomType",
+          "spec": {
+            "replicas": 1
+          },
+          "status": {
+            "available": 1
+          }
+        },
+        "networkData": {
+          "interfaceName": "interfaceNameValue",
+          "ips": [
+            "ipsValue"
+          ],
+          "hardwareAddress": "hardwareAddressValue"
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.pb
new file mode 100644
index 0000000000000..6dcae3edcf99b
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.yaml
new file mode 100644
index 0000000000000..3dc7772bfb3f2
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaim.yaml
@@ -0,0 +1,166 @@
+apiVersion: resource.k8s.io/v1beta2
+kind: ResourceClaim
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  devices:
+    config:
+    - opaque:
+        driver: driverValue
+        parameters:
+          apiVersion: example.com/v1
+          kind: CustomType
+          spec:
+            replicas: 1
+          status:
+            available: 1
+      requests:
+      - requestsValue
+    constraints:
+    - distinctAttribute: distinctAttributeValue
+      matchAttribute: matchAttributeValue
+      requests:
+      - requestsValue
+    requests:
+    - exactly:
+        adminAccess: true
+        allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 4
+        deviceClassName: deviceClassNameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+      firstAvailable:
+      - allocationMode: allocationModeValue
+        capacity:
+          requests:
+            requestsKey: "0"
+        count: 5
+        deviceClassName: deviceClassNameValue
+        name: nameValue
+        selectors:
+        - cel:
+            expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+      name: nameValue
+status:
+  allocation:
+    allocationTimestamp: "2005-01-01T01:01:01Z"
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+        source: sourceValue
+      results:
+      - adminAccess: true
+        bindingConditions:
+        - bindingConditionsValue
+        bindingFailureConditions:
+        - bindingFailureConditionsValue
+        consumedCapacity:
+          consumedCapacityKey: "0"
+        device: deviceValue
+        driver: driverValue
+        pool: poolValue
+        request: requestValue
+        shareID: shareIDValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
+    nodeSelector:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+        matchFields:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+  devices:
+  - conditions:
+    - lastTransitionTime: "2004-01-01T01:01:01Z"
+      message: messageValue
+      observedGeneration: 3
+      reason: reasonValue
+      status: statusValue
+      type: typeValue
+    data:
+      apiVersion: example.com/v1
+      kind: CustomType
+      spec:
+        replicas: 1
+      status:
+        available: 1
+    device: deviceValue
+    driver: driverValue
+    networkData:
+      hardwareAddress: hardwareAddressValue
+      interfaceName: interfaceNameValue
+      ips:
+      - ipsValue
+    pool: poolValue
+    shareID: shareIDValue
+  reservedFor:
+  - apiGroup: apiGroupValue
+    name: nameValue
+    resource: resourceValue
+    uid: uidValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.json
new file mode 100644
index 0000000000000..9633ebb2c7d32
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.json
@@ -0,0 +1,184 @@
+{
+  "kind": "ResourceClaimTemplate",
+  "apiVersion": "resource.k8s.io/v1beta2",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "metadata": {
+      "name": "nameValue",
+      "generateName": "generateNameValue",
+      "namespace": "namespaceValue",
+      "selfLink": "selfLinkValue",
+      "uid": "uidValue",
+      "resourceVersion": "resourceVersionValue",
+      "generation": 7,
+      "creationTimestamp": "2008-01-01T01:01:01Z",
+      "deletionTimestamp": "2009-01-01T01:01:01Z",
+      "deletionGracePeriodSeconds": 10,
+      "labels": {
+        "labelsKey": "labelsValue"
+      },
+      "annotations": {
+        "annotationsKey": "annotationsValue"
+      },
+      "ownerReferences": [
+        {
+          "apiVersion": "apiVersionValue",
+          "kind": "kindValue",
+          "name": "nameValue",
+          "uid": "uidValue",
+          "controller": true,
+          "blockOwnerDeletion": true
+        }
+      ],
+      "finalizers": [
+        "finalizersValue"
+      ],
+      "managedFields": [
+        {
+          "manager": "managerValue",
+          "operation": "operationValue",
+          "apiVersion": "apiVersionValue",
+          "time": "2004-01-01T01:01:01Z",
+          "fieldsType": "fieldsTypeValue",
+          "fieldsV1": {},
+          "subresource": "subresourceValue"
+        }
+      ]
+    },
+    "spec": {
+      "devices": {
+        "requests": [
+          {
+            "name": "nameValue",
+            "exactly": {
+              "deviceClassName": "deviceClassNameValue",
+              "selectors": [
+                {
+                  "cel": {
+                    "expression": "expressionValue"
+                  }
+                }
+              ],
+              "allocationMode": "allocationModeValue",
+              "count": 4,
+              "adminAccess": true,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ],
+              "capacity": {
+                "requests": {
+                  "requestsKey": "0"
+                }
+              }
+            },
+            "firstAvailable": [
+              {
+                "name": "nameValue",
+                "deviceClassName": "deviceClassNameValue",
+                "selectors": [
+                  {
+                    "cel": {
+                      "expression": "expressionValue"
+                    }
+                  }
+                ],
+                "allocationMode": "allocationModeValue",
+                "count": 5,
+                "tolerations": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "value": "valueValue",
+                    "effect": "effectValue",
+                    "tolerationSeconds": 5
+                  }
+                ],
+                "capacity": {
+                  "requests": {
+                    "requestsKey": "0"
+                  }
+                }
+              }
+            ]
+          }
+        ],
+        "constraints": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "matchAttribute": "matchAttributeValue",
+            "distinctAttribute": "distinctAttributeValue"
+          }
+        ],
+        "config": [
+          {
+            "requests": [
+              "requestsValue"
+            ],
+            "opaque": {
+              "driver": "driverValue",
+              "parameters": {
+                "apiVersion": "example.com/v1",
+                "kind": "CustomType",
+                "spec": {
+                  "replicas": 1
+                },
+                "status": {
+                  "available": 1
+                }
+              }
+            }
+          }
+        ]
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.pb
new file mode 100644
index 0000000000000..1fff455fdeb5d
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.yaml
new file mode 100644
index 0000000000000..1cc17c3612370
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceClaimTemplate.yaml
@@ -0,0 +1,122 @@
+apiVersion: resource.k8s.io/v1beta2
+kind: ResourceClaimTemplate
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  metadata:
+    annotations:
+      annotationsKey: annotationsValue
+    creationTimestamp: "2008-01-01T01:01:01Z"
+    deletionGracePeriodSeconds: 10
+    deletionTimestamp: "2009-01-01T01:01:01Z"
+    finalizers:
+    - finalizersValue
+    generateName: generateNameValue
+    generation: 7
+    labels:
+      labelsKey: labelsValue
+    managedFields:
+    - apiVersion: apiVersionValue
+      fieldsType: fieldsTypeValue
+      fieldsV1: {}
+      manager: managerValue
+      operation: operationValue
+      subresource: subresourceValue
+      time: "2004-01-01T01:01:01Z"
+    name: nameValue
+    namespace: namespaceValue
+    ownerReferences:
+    - apiVersion: apiVersionValue
+      blockOwnerDeletion: true
+      controller: true
+      kind: kindValue
+      name: nameValue
+      uid: uidValue
+    resourceVersion: resourceVersionValue
+    selfLink: selfLinkValue
+    uid: uidValue
+  spec:
+    devices:
+      config:
+      - opaque:
+          driver: driverValue
+          parameters:
+            apiVersion: example.com/v1
+            kind: CustomType
+            spec:
+              replicas: 1
+            status:
+              available: 1
+        requests:
+        - requestsValue
+      constraints:
+      - distinctAttribute: distinctAttributeValue
+        matchAttribute: matchAttributeValue
+        requests:
+        - requestsValue
+      requests:
+      - exactly:
+          adminAccess: true
+          allocationMode: allocationModeValue
+          capacity:
+            requests:
+              requestsKey: "0"
+          count: 4
+          deviceClassName: deviceClassNameValue
+          selectors:
+          - cel:
+              expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
+        firstAvailable:
+        - allocationMode: allocationModeValue
+          capacity:
+            requests:
+              requestsKey: "0"
+          count: 5
+          deviceClassName: deviceClassNameValue
+          name: nameValue
+          selectors:
+          - cel:
+              expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
+        name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.json b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.json
new file mode 100644
index 0000000000000..4d80e7cfe726a
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.json
@@ -0,0 +1,172 @@
+{
+  "kind": "ResourceSlice",
+  "apiVersion": "resource.k8s.io/v1beta2",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "driver": "driverValue",
+    "pool": {
+      "name": "nameValue",
+      "generation": 2,
+      "resourceSliceCount": 3
+    },
+    "nodeName": "nodeNameValue",
+    "nodeSelector": {
+      "nodeSelectorTerms": [
+        {
+          "matchExpressions": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ],
+          "matchFields": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "values": [
+                "valuesValue"
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "allNodes": true,
+    "devices": [
+      {
+        "name": "nameValue",
+        "attributes": {
+          "attributesKey": {
+            "int": 2,
+            "bool": true,
+            "string": "stringValue",
+            "version": "versionValue"
+          }
+        },
+        "capacity": {
+          "capacityKey": {
+            "value": "0",
+            "requestPolicy": {
+              "default": "0",
+              "validValues": [
+                "0"
+              ],
+              "validRange": {
+                "min": "0",
+                "max": "0",
+                "step": "0"
+              }
+            }
+          }
+        },
+        "consumesCounters": [
+          {
+            "counterSet": "counterSetValue",
+            "counters": {
+              "countersKey": {
+                "value": "0"
+              }
+            }
+          }
+        ],
+        "nodeName": "nodeNameValue",
+        "nodeSelector": {
+          "nodeSelectorTerms": [
+            {
+              "matchExpressions": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "values": [
+                    "valuesValue"
+                  ]
+                }
+              ],
+              "matchFields": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "values": [
+                    "valuesValue"
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        "allNodes": true,
+        "taints": [
+          {
+            "key": "keyValue",
+            "value": "valueValue",
+            "effect": "effectValue",
+            "timeAdded": "2004-01-01T01:01:01Z"
+          }
+        ],
+        "bindsToNode": true,
+        "bindingConditions": [
+          "bindingConditionsValue"
+        ],
+        "bindingFailureConditions": [
+          "bindingFailureConditionsValue"
+        ],
+        "allowMultipleAllocations": true
+      }
+    ],
+    "perDeviceNodeSelection": true,
+    "sharedCounters": [
+      {
+        "name": "nameValue",
+        "counters": {
+          "countersKey": {
+            "value": "0"
+          }
+        }
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.pb
new file mode 100644
index 0000000000000..a81ae25142726
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.yaml
new file mode 100644
index 0000000000000..73881c40d3cb4
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/resource.k8s.io.v1beta2.ResourceSlice.yaml
@@ -0,0 +1,109 @@
+apiVersion: resource.k8s.io/v1beta2
+kind: ResourceSlice
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  allNodes: true
+  devices:
+  - allNodes: true
+    allowMultipleAllocations: true
+    attributes:
+      attributesKey:
+        bool: true
+        int: 2
+        string: stringValue
+        version: versionValue
+    bindingConditions:
+    - bindingConditionsValue
+    bindingFailureConditions:
+    - bindingFailureConditionsValue
+    bindsToNode: true
+    capacity:
+      capacityKey:
+        requestPolicy:
+          default: "0"
+          validRange:
+            max: "0"
+            min: "0"
+            step: "0"
+          validValues:
+          - "0"
+        value: "0"
+    consumesCounters:
+    - counterSet: counterSetValue
+      counters:
+        countersKey:
+          value: "0"
+    name: nameValue
+    nodeName: nodeNameValue
+    nodeSelector:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+        matchFields:
+        - key: keyValue
+          operator: operatorValue
+          values:
+          - valuesValue
+    taints:
+    - effect: effectValue
+      key: keyValue
+      timeAdded: "2004-01-01T01:01:01Z"
+      value: valueValue
+  driver: driverValue
+  nodeName: nodeNameValue
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+      matchFields:
+      - key: keyValue
+        operator: operatorValue
+        values:
+        - valuesValue
+  perDeviceNodeSelection: true
+  pool:
+    generation: 2
+    name: nameValue
+    resourceSliceCount: 3
+  sharedCounters:
+  - counters:
+      countersKey:
+        value: "0"
+    name: nameValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1.PriorityClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1.PriorityClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1alpha1.PriorityClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1alpha1.PriorityClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/scheduling.k8s.io.v1beta1.PriorityClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/scheduling.k8s.io.v1beta1.PriorityClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.json
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.json
index 3acd8ccac4da0..84efb979be320 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.json
@@ -58,6 +58,7 @@
       }
     ],
     "requiresRepublish": true,
-    "seLinuxMount": true
+    "seLinuxMount": true,
+    "nodeAllocatableUpdatePeriodSeconds": 9
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.pb
new file mode 100644
index 0000000000000..07aeaa7f75626
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.yaml
index b787db002e069..748c7614a9e8f 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIDriver.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIDriver.yaml
@@ -35,6 +35,7 @@ metadata:
 spec:
   attachRequired: true
   fsGroupPolicy: fsGroupPolicyValue
+  nodeAllocatableUpdatePeriodSeconds: 9
   podInfoOnMount: true
   requiresRepublish: true
   seLinuxMount: true
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSINode.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSINode.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.CSIStorageCapacity.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.CSIStorageCapacity.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.StorageClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.StorageClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.json
similarity index 98%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.json
index 8589231efb9d6..2ae5ba4606e64 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.json
@@ -316,11 +316,13 @@
     },
     "attachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     },
     "detachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.pb
similarity index 93%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.pb
index e167dcd124957..3bd058574449f 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.yaml
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.yaml
index 29acbbfe569b6..8e6f6f227aa61 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1.VolumeAttachment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttachment.yaml
@@ -239,11 +239,13 @@ spec:
     persistentVolumeName: persistentVolumeNameValue
 status:
   attachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
   attached: true
   attachmentMetadata:
     attachmentMetadataKey: attachmentMetadataValue
   detachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.json
new file mode 100644
index 0000000000000..b2ac8688bd4f2
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.json
@@ -0,0 +1,50 @@
+{
+  "kind": "VolumeAttributesClass",
+  "apiVersion": "storage.k8s.io/v1",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "driverName": "driverNameValue",
+  "parameters": {
+    "parametersKey": "parametersValue"
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.pb
new file mode 100644
index 0000000000000..8e8ab76b9d9a6
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.yaml
new file mode 100644
index 0000000000000..95e68ff5861e9
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1.VolumeAttributesClass.yaml
@@ -0,0 +1,37 @@
+apiVersion: storage.k8s.io/v1
+driverName: driverNameValue
+kind: VolumeAttributesClass
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+parameters:
+  parametersKey: parametersValue
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.CSIStorageCapacity.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.json
similarity index 98%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.json
index 6bcf594d03390..473d4f31a3419 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.json
@@ -316,11 +316,13 @@
     },
     "attachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     },
     "detachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb
similarity index 93%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb
index 33c4c310e8dff..2dac24f387414 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml
index fc8fa35579bc9..22a9ab208d9e8 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttachment.yaml
@@ -239,11 +239,13 @@ spec:
     persistentVolumeName: persistentVolumeNameValue
 status:
   attachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
   attached: true
   attachmentMetadata:
     attachmentMetadataKey: attachmentMetadataValue
   detachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1alpha1.VolumeAttributesClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.json
similarity index 95%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.json
index f3d7b2be85553..0953f5e354d9c 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.json
@@ -58,6 +58,7 @@
       }
     ],
     "requiresRepublish": true,
-    "seLinuxMount": true
+    "seLinuxMount": true,
+    "nodeAllocatableUpdatePeriodSeconds": 9
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.pb
new file mode 100644
index 0000000000000..7cd87c4455469
Binary files /dev/null and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.yaml
similarity index 96%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.yaml
index 5fd85ceaaebe6..82e08fa9fc081 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIDriver.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIDriver.yaml
@@ -35,6 +35,7 @@ metadata:
 spec:
   attachRequired: true
   fsGroupPolicy: fsGroupPolicyValue
+  nodeAllocatableUpdatePeriodSeconds: 9
   podInfoOnMount: true
   requiresRepublish: true
   seLinuxMount: true
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSINode.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSINode.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.CSIStorageCapacity.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.CSIStorageCapacity.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.StorageClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.StorageClass.yaml
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.json
similarity index 98%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.json
index b1fe6b3049436..b153d0b643784 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.json
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.json
@@ -316,11 +316,13 @@
     },
     "attachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     },
     "detachError": {
       "time": "2001-01-01T01:01:01Z",
-      "message": "messageValue"
+      "message": "messageValue",
+      "errorCode": 3
     }
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.pb
similarity index 93%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.pb
index bfd4e9e47d94a..2f900531c59a7 100644
Binary files a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.pb and b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.pb differ
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml
similarity index 99%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml
index d9ca40ad39858..f4cf507f6e4c0 100644
--- a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml
+++ b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttachment.yaml
@@ -239,11 +239,13 @@ spec:
     persistentVolumeName: persistentVolumeNameValue
 status:
   attachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
   attached: true
   attachmentMetadata:
     attachmentMetadataKey: attachmentMetadataValue
   detachError:
+    errorCode: 3
     message: messageValue
     time: "2001-01-01T01:01:01Z"
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.json b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.json
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.json
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.json
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.pb b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.pb
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.pb
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.pb
diff --git a/staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.yaml b/staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.yaml
similarity index 100%
rename from staging/src/k8s.io/api/testdata/v1.32.0/storage.k8s.io.v1beta1.VolumeAttributesClass.yaml
rename to staging/src/k8s.io/api/testdata/v1.34.0/storage.k8s.io.v1beta1.VolumeAttributesClass.yaml
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/example.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/example.go
index f6be3de7327cd..4d85b1b7abfe9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/example.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/example.go
@@ -26,6 +26,8 @@ import (
 
 // ExampleApplyConfiguration represents a declarative configuration of the Example type for use
 // with apply.
+//
+// Example is a specification for an Example resource
 type ExampleApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -43,6 +45,7 @@ func Example(name, namespace string) *ExampleApplyConfiguration {
 	b.WithAPIVersion("cr.example.apiextensions.k8s.io/v1")
 	return b
 }
+
 func (b ExampleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplespec.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplespec.go
index 5335ff4f3b486..88b8b462b1da1 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplespec.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplespec.go
@@ -20,6 +20,8 @@ package v1
 
 // ExampleSpecApplyConfiguration represents a declarative configuration of the ExampleSpec type for use
 // with apply.
+//
+// ExampleSpec is the spec for an Example resource
 type ExampleSpecApplyConfiguration struct {
 	Foo *string `json:"foo,omitempty"`
 	Bar *bool   `json:"bar,omitempty"`
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplestatus.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplestatus.go
index 8ed38736a5334..886548d2edf42 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplestatus.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/applyconfiguration/cr/v1/examplestatus.go
@@ -24,6 +24,8 @@ import (
 
 // ExampleStatusApplyConfiguration represents a declarative configuration of the ExampleStatus type for use
 // with apply.
+//
+// ExampleStatus is the status for an Example resource
 type ExampleStatusApplyConfiguration struct {
 	State   *crv1.ExampleState `json:"state,omitempty"`
 	Message *string            `json:"message,omitempty"`
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/clientset/versioned/fake/clientset_generated.go
index a15f7acf4f99c..cfddc15ac9674 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -36,7 +36,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -52,8 +52,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -84,6 +84,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/cr/v1/example.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/cr/v1/example.go
index 3982c17ce5e1c..b3c461ecfb9d1 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/cr/v1/example.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/cr/v1/example.go
@@ -57,7 +57,7 @@ func NewExampleInformer(client versioned.Interface, namespace string, resyncPeri
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredExampleInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredExampleInformer(client versioned.Interface, namespace string, re
 				}
 				return client.CrV1().Examples(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiscrv1.Example{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/factory.go b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/factory.go
index 4ee8e863aa1d3..1fe528901b30a 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/examples/client-go/pkg/client/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.mod b/staging/src/k8s.io/apiextensions-apiserver/go.mod
index 96cf1328288d7..90a402ff8b34e 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/go.mod
+++ b/staging/src/k8s.io/apiextensions-apiserver/go.mod
@@ -2,41 +2,41 @@
 
 module k8s.io/apiextensions-apiserver
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/emicklei/go-restful/v3 v3.12.2
 	github.com/fxamacker/cbor/v2 v2.9.0
-	github.com/gogo/protobuf v1.3.2
 	github.com/google/cel-go v0.26.0
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
-	github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4
-	go.etcd.io/etcd/client/v3 v3.6.4
-	go.opentelemetry.io/otel v1.35.0
-	go.opentelemetry.io/otel/trace v1.35.0
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/sync v0.17.0
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
-	k8s.io/client-go v0.34.1
+	github.com/openshift/api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5
+	go.etcd.io/etcd/client/v3 v3.6.5
+	go.opentelemetry.io/otel v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/sync v0.18.0
+	golang.org/x/text v0.31.0
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
+	k8s.io/client-go v0.35.1
 	k8s.io/code-generator v0.0.0
-	k8s.io/component-base v0.34.1
+	k8s.io/component-base v0.35.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 	sigs.k8s.io/yaml v1.6.0
@@ -56,11 +56,12 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
@@ -80,59 +81,59 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
-	go.etcd.io/bbolt v1.4.2 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/server/v3 v3.6.4 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/server/v3 v3.6.5 // indirect
 	go.etcd.io/raft/v3 v3.6.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/expect v0.1.0-deprecated // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
-	k8s.io/kms v0.34.1 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
+	k8s.io/kms v0.35.1 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/apiserver => ../apiserver
diff --git a/staging/src/k8s.io/apiextensions-apiserver/go.sum b/staging/src/k8s.io/apiextensions-apiserver/go.sum
index c3ebfca2d0cb9..e614448793682 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/go.sum
+++ b/staging/src/k8s.io/apiextensions-apiserver/go.sum
@@ -2,9 +2,12 @@ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-2025013020111
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -35,6 +38,7 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -62,8 +66,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -102,8 +106,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -124,6 +128,11 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d h1:kqSuLRGP/BS1qyFXP8X9t+aZehk/yF853PFu2e1og0U=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -163,21 +172,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401 h1:goMf6pBtRFSQaVElFk6K+GIAqnv7O84p7PJHH6pDz/E=
-github.com/openshift/api v0.0.0-20251214014457-bfa868a22401/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -186,28 +189,29 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -222,8 +226,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -235,18 +239,18 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/gofail v0.2.0/go.mod h1:nL3ILMGfkXTekKI3clMBNazKnjUZjYLKmBHzsVAnC1o=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
@@ -255,22 +259,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -281,36 +285,36 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -319,27 +323,27 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -348,38 +352,37 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/apiextensions-apiserver/hack/update-codegen.sh b/staging/src/k8s.io/apiextensions-apiserver/hack/update-codegen.sh
index 93a25e2dc72e9..c60bcdefd7ee5 100755
--- a/staging/src/k8s.io/apiextensions-apiserver/hack/update-codegen.sh
+++ b/staging/src/k8s.io/apiextensions-apiserver/hack/update-codegen.sh
@@ -41,6 +41,7 @@ kube::codegen::gen_openapi \
     --output-dir "${SCRIPT_ROOT}/pkg/generated/openapi" \
     --output-pkg "${THIS_PKG}/pkg/generated/openapi" \
     --report-filename "${report_filename:-"/dev/null"}" \
+    --output-model-name-file "zz_generated.model_name.go" \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg"
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/types.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/types.go
index 6556eda65d57c..631f55d68c312 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/types.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/types.go
@@ -346,6 +346,12 @@ type CustomResourceDefinitionCondition struct {
 	// Human-readable message indicating details about last transition.
 	// +optional
 	Message string
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64
 }
 
 // CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
@@ -366,6 +372,11 @@ type CustomResourceDefinitionStatus struct {
 	// versions from this list.
 	// None of the versions in this list can be removed from the spec.Versions field.
 	StoredVersions []string
+
+	// The generation observed by the CRD controller.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64
 }
 
 // CustomResourceCleanupFinalizer is the name of the finalizer which will delete instances of
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc.go
index 39e70bb035a82..ed2a855d1ae21 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc.go
@@ -20,6 +20,8 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1
+
 // +groupName=apiextensions.k8s.io
 
 // Package v1 is the v1 version of the API.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go
index 8e081e4b1c516..cf9d745a9fdcb 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.pb.go
@@ -24,9 +24,8 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
 	math "math"
@@ -37,1012 +36,59 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ConversionRequest) Reset() { *m = ConversionRequest{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ConversionResponse) Reset() { *m = ConversionResponse{} }
 
-func (m *ConversionRequest) Reset()      { *m = ConversionRequest{} }
-func (*ConversionRequest) ProtoMessage() {}
-func (*ConversionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{0}
-}
-func (m *ConversionRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionRequest.Merge(m, src)
-}
-func (m *ConversionRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionRequest proto.InternalMessageInfo
-
-func (m *ConversionResponse) Reset()      { *m = ConversionResponse{} }
-func (*ConversionResponse) ProtoMessage() {}
-func (*ConversionResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{1}
-}
-func (m *ConversionResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionResponse.Merge(m, src)
-}
-func (m *ConversionResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionResponse proto.InternalMessageInfo
-
-func (m *ConversionReview) Reset()      { *m = ConversionReview{} }
-func (*ConversionReview) ProtoMessage() {}
-func (*ConversionReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{2}
-}
-func (m *ConversionReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionReview.Merge(m, src)
-}
-func (m *ConversionReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionReview proto.InternalMessageInfo
-
-func (m *CustomResourceColumnDefinition) Reset()      { *m = CustomResourceColumnDefinition{} }
-func (*CustomResourceColumnDefinition) ProtoMessage() {}
-func (*CustomResourceColumnDefinition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{3}
-}
-func (m *CustomResourceColumnDefinition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceColumnDefinition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceColumnDefinition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceColumnDefinition.Merge(m, src)
-}
-func (m *CustomResourceColumnDefinition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceColumnDefinition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceColumnDefinition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceColumnDefinition proto.InternalMessageInfo
-
-func (m *CustomResourceConversion) Reset()      { *m = CustomResourceConversion{} }
-func (*CustomResourceConversion) ProtoMessage() {}
-func (*CustomResourceConversion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{4}
-}
-func (m *CustomResourceConversion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceConversion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceConversion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceConversion.Merge(m, src)
-}
-func (m *CustomResourceConversion) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceConversion) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceConversion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceConversion proto.InternalMessageInfo
-
-func (m *CustomResourceDefinition) Reset()      { *m = CustomResourceDefinition{} }
-func (*CustomResourceDefinition) ProtoMessage() {}
-func (*CustomResourceDefinition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{5}
-}
-func (m *CustomResourceDefinition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinition.Merge(m, src)
-}
-func (m *CustomResourceDefinition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinition proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionCondition) Reset()      { *m = CustomResourceDefinitionCondition{} }
-func (*CustomResourceDefinitionCondition) ProtoMessage() {}
-func (*CustomResourceDefinitionCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{6}
-}
-func (m *CustomResourceDefinitionCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionCondition.Merge(m, src)
-}
-func (m *CustomResourceDefinitionCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionCondition proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionList) Reset()      { *m = CustomResourceDefinitionList{} }
-func (*CustomResourceDefinitionList) ProtoMessage() {}
-func (*CustomResourceDefinitionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{7}
-}
-func (m *CustomResourceDefinitionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionList.Merge(m, src)
-}
-func (m *CustomResourceDefinitionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionList proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionNames) Reset()      { *m = CustomResourceDefinitionNames{} }
-func (*CustomResourceDefinitionNames) ProtoMessage() {}
-func (*CustomResourceDefinitionNames) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{8}
-}
-func (m *CustomResourceDefinitionNames) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionNames) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionNames.Merge(m, src)
-}
-func (m *CustomResourceDefinitionNames) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionNames) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionNames.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionNames proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionSpec) Reset()      { *m = CustomResourceDefinitionSpec{} }
-func (*CustomResourceDefinitionSpec) ProtoMessage() {}
-func (*CustomResourceDefinitionSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{9}
-}
-func (m *CustomResourceDefinitionSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionSpec.Merge(m, src)
-}
-func (m *CustomResourceDefinitionSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionSpec proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionStatus) Reset()      { *m = CustomResourceDefinitionStatus{} }
-func (*CustomResourceDefinitionStatus) ProtoMessage() {}
-func (*CustomResourceDefinitionStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{10}
-}
-func (m *CustomResourceDefinitionStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionStatus.Merge(m, src)
-}
-func (m *CustomResourceDefinitionStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionStatus proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionVersion) Reset()      { *m = CustomResourceDefinitionVersion{} }
-func (*CustomResourceDefinitionVersion) ProtoMessage() {}
-func (*CustomResourceDefinitionVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{11}
-}
-func (m *CustomResourceDefinitionVersion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionVersion.Merge(m, src)
-}
-func (m *CustomResourceDefinitionVersion) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionVersion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionVersion proto.InternalMessageInfo
-
-func (m *CustomResourceSubresourceScale) Reset()      { *m = CustomResourceSubresourceScale{} }
-func (*CustomResourceSubresourceScale) ProtoMessage() {}
-func (*CustomResourceSubresourceScale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{12}
-}
-func (m *CustomResourceSubresourceScale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresourceScale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresourceScale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresourceScale.Merge(m, src)
-}
-func (m *CustomResourceSubresourceScale) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresourceScale) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresourceScale.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceSubresourceScale proto.InternalMessageInfo
-
-func (m *CustomResourceSubresourceStatus) Reset()      { *m = CustomResourceSubresourceStatus{} }
-func (*CustomResourceSubresourceStatus) ProtoMessage() {}
-func (*CustomResourceSubresourceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{13}
-}
-func (m *CustomResourceSubresourceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresourceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresourceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresourceStatus.Merge(m, src)
-}
-func (m *CustomResourceSubresourceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresourceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresourceStatus.DiscardUnknown(m)
-}
+func (m *ConversionReview) Reset() { *m = ConversionReview{} }
 
-var xxx_messageInfo_CustomResourceSubresourceStatus proto.InternalMessageInfo
+func (m *CustomResourceColumnDefinition) Reset() { *m = CustomResourceColumnDefinition{} }
 
-func (m *CustomResourceSubresources) Reset()      { *m = CustomResourceSubresources{} }
-func (*CustomResourceSubresources) ProtoMessage() {}
-func (*CustomResourceSubresources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{14}
-}
-func (m *CustomResourceSubresources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresources.Merge(m, src)
-}
-func (m *CustomResourceSubresources) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresources) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresources.DiscardUnknown(m)
-}
+func (m *CustomResourceConversion) Reset() { *m = CustomResourceConversion{} }
 
-var xxx_messageInfo_CustomResourceSubresources proto.InternalMessageInfo
+func (m *CustomResourceDefinition) Reset() { *m = CustomResourceDefinition{} }
 
-func (m *CustomResourceValidation) Reset()      { *m = CustomResourceValidation{} }
-func (*CustomResourceValidation) ProtoMessage() {}
-func (*CustomResourceValidation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{15}
-}
-func (m *CustomResourceValidation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceValidation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceValidation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceValidation.Merge(m, src)
-}
-func (m *CustomResourceValidation) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceValidation) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceValidation.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionCondition) Reset() { *m = CustomResourceDefinitionCondition{} }
 
-var xxx_messageInfo_CustomResourceValidation proto.InternalMessageInfo
+func (m *CustomResourceDefinitionList) Reset() { *m = CustomResourceDefinitionList{} }
 
-func (m *ExternalDocumentation) Reset()      { *m = ExternalDocumentation{} }
-func (*ExternalDocumentation) ProtoMessage() {}
-func (*ExternalDocumentation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{16}
-}
-func (m *ExternalDocumentation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalDocumentation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalDocumentation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalDocumentation.Merge(m, src)
-}
-func (m *ExternalDocumentation) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalDocumentation) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalDocumentation.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionNames) Reset() { *m = CustomResourceDefinitionNames{} }
 
-var xxx_messageInfo_ExternalDocumentation proto.InternalMessageInfo
+func (m *CustomResourceDefinitionSpec) Reset() { *m = CustomResourceDefinitionSpec{} }
 
-func (m *JSON) Reset()      { *m = JSON{} }
-func (*JSON) ProtoMessage() {}
-func (*JSON) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{17}
-}
-func (m *JSON) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSON) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSON) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSON.Merge(m, src)
-}
-func (m *JSON) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSON) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSON.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionStatus) Reset() { *m = CustomResourceDefinitionStatus{} }
 
-var xxx_messageInfo_JSON proto.InternalMessageInfo
+func (m *CustomResourceDefinitionVersion) Reset() { *m = CustomResourceDefinitionVersion{} }
 
-func (m *JSONSchemaProps) Reset()      { *m = JSONSchemaProps{} }
-func (*JSONSchemaProps) ProtoMessage() {}
-func (*JSONSchemaProps) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{18}
-}
-func (m *JSONSchemaProps) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaProps) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaProps) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaProps.Merge(m, src)
-}
-func (m *JSONSchemaProps) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaProps) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaProps.DiscardUnknown(m)
-}
+func (m *CustomResourceSubresourceScale) Reset() { *m = CustomResourceSubresourceScale{} }
 
-var xxx_messageInfo_JSONSchemaProps proto.InternalMessageInfo
+func (m *CustomResourceSubresourceStatus) Reset() { *m = CustomResourceSubresourceStatus{} }
 
-func (m *JSONSchemaPropsOrArray) Reset()      { *m = JSONSchemaPropsOrArray{} }
-func (*JSONSchemaPropsOrArray) ProtoMessage() {}
-func (*JSONSchemaPropsOrArray) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{19}
-}
-func (m *JSONSchemaPropsOrArray) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrArray) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrArray) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrArray.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrArray) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrArray) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrArray.DiscardUnknown(m)
-}
+func (m *CustomResourceSubresources) Reset() { *m = CustomResourceSubresources{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrArray proto.InternalMessageInfo
+func (m *CustomResourceValidation) Reset() { *m = CustomResourceValidation{} }
 
-func (m *JSONSchemaPropsOrBool) Reset()      { *m = JSONSchemaPropsOrBool{} }
-func (*JSONSchemaPropsOrBool) ProtoMessage() {}
-func (*JSONSchemaPropsOrBool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{20}
-}
-func (m *JSONSchemaPropsOrBool) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrBool) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrBool) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrBool.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrBool) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrBool) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrBool.DiscardUnknown(m)
-}
+func (m *ExternalDocumentation) Reset() { *m = ExternalDocumentation{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrBool proto.InternalMessageInfo
+func (m *JSON) Reset() { *m = JSON{} }
 
-func (m *JSONSchemaPropsOrStringArray) Reset()      { *m = JSONSchemaPropsOrStringArray{} }
-func (*JSONSchemaPropsOrStringArray) ProtoMessage() {}
-func (*JSONSchemaPropsOrStringArray) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{21}
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrStringArray.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrStringArray.DiscardUnknown(m)
-}
+func (m *JSONSchemaProps) Reset() { *m = JSONSchemaProps{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrStringArray proto.InternalMessageInfo
+func (m *JSONSchemaPropsOrArray) Reset() { *m = JSONSchemaPropsOrArray{} }
 
-func (m *SelectableField) Reset()      { *m = SelectableField{} }
-func (*SelectableField) ProtoMessage() {}
-func (*SelectableField) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{22}
-}
-func (m *SelectableField) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelectableField) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelectableField) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelectableField.Merge(m, src)
-}
-func (m *SelectableField) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelectableField) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelectableField.DiscardUnknown(m)
-}
+func (m *JSONSchemaPropsOrBool) Reset() { *m = JSONSchemaPropsOrBool{} }
 
-var xxx_messageInfo_SelectableField proto.InternalMessageInfo
+func (m *JSONSchemaPropsOrStringArray) Reset() { *m = JSONSchemaPropsOrStringArray{} }
 
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{23}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
+func (m *SelectableField) Reset() { *m = SelectableField{} }
 
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
-
-func (m *ValidationRule) Reset()      { *m = ValidationRule{} }
-func (*ValidationRule) ProtoMessage() {}
-func (*ValidationRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{24}
-}
-func (m *ValidationRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidationRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidationRule.Merge(m, src)
-}
-func (m *ValidationRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidationRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidationRule.DiscardUnknown(m)
-}
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
-var xxx_messageInfo_ValidationRule proto.InternalMessageInfo
+func (m *ValidationRule) Reset() { *m = ValidationRule{} }
 
-func (m *WebhookClientConfig) Reset()      { *m = WebhookClientConfig{} }
-func (*WebhookClientConfig) ProtoMessage() {}
-func (*WebhookClientConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{25}
-}
-func (m *WebhookClientConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebhookClientConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebhookClientConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebhookClientConfig.Merge(m, src)
-}
-func (m *WebhookClientConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebhookClientConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebhookClientConfig.DiscardUnknown(m)
-}
+func (m *WebhookClientConfig) Reset() { *m = WebhookClientConfig{} }
 
-var xxx_messageInfo_WebhookClientConfig proto.InternalMessageInfo
-
-func (m *WebhookConversion) Reset()      { *m = WebhookConversion{} }
-func (*WebhookConversion) ProtoMessage() {}
-func (*WebhookConversion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c5e101a0235c8c62, []int{26}
-}
-func (m *WebhookConversion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebhookConversion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebhookConversion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebhookConversion.Merge(m, src)
-}
-func (m *WebhookConversion) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebhookConversion) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebhookConversion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WebhookConversion proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ConversionRequest)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ConversionRequest")
-	proto.RegisterType((*ConversionResponse)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ConversionResponse")
-	proto.RegisterType((*ConversionReview)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ConversionReview")
-	proto.RegisterType((*CustomResourceColumnDefinition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition")
-	proto.RegisterType((*CustomResourceConversion)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion")
-	proto.RegisterType((*CustomResourceDefinition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition")
-	proto.RegisterType((*CustomResourceDefinitionCondition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition")
-	proto.RegisterType((*CustomResourceDefinitionList)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList")
-	proto.RegisterType((*CustomResourceDefinitionNames)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames")
-	proto.RegisterType((*CustomResourceDefinitionSpec)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec")
-	proto.RegisterType((*CustomResourceDefinitionStatus)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus")
-	proto.RegisterType((*CustomResourceDefinitionVersion)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion")
-	proto.RegisterType((*CustomResourceSubresourceScale)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale")
-	proto.RegisterType((*CustomResourceSubresourceStatus)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus")
-	proto.RegisterType((*CustomResourceSubresources)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources")
-	proto.RegisterType((*CustomResourceValidation)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation")
-	proto.RegisterType((*ExternalDocumentation)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation")
-	proto.RegisterType((*JSON)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSON")
-	proto.RegisterType((*JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps")
-	proto.RegisterMapType((JSONSchemaDefinitions)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps.DefinitionsEntry")
-	proto.RegisterMapType((JSONSchemaDependencies)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps.DependenciesEntry")
-	proto.RegisterMapType((map[string]JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps.PatternPropertiesEntry")
-	proto.RegisterMapType((map[string]JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps.PropertiesEntry")
-	proto.RegisterType((*JSONSchemaPropsOrArray)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray")
-	proto.RegisterType((*JSONSchemaPropsOrBool)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool")
-	proto.RegisterType((*JSONSchemaPropsOrStringArray)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray")
-	proto.RegisterType((*SelectableField)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.SelectableField")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ServiceReference")
-	proto.RegisterType((*ValidationRule)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.ValidationRule")
-	proto.RegisterType((*WebhookClientConfig)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig")
-	proto.RegisterType((*WebhookConversion)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1.WebhookConversion")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto", fileDescriptor_c5e101a0235c8c62)
-}
-
-var fileDescriptor_c5e101a0235c8c62 = []byte{
-	// 3166 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x5a, 0xdb, 0x6f, 0x1b, 0xc7,
-	0xd5, 0xf7, 0x52, 0x37, 0x6a, 0x24, 0x59, 0xd2, 0xd8, 0xd2, 0xb7, 0x56, 0x6c, 0x51, 0xa6, 0xbf,
-	0xf8, 0x53, 0x12, 0x87, 0x4a, 0xf4, 0x25, 0x8d, 0x9b, 0x5e, 0x02, 0x51, 0x92, 0x13, 0xc5, 0x92,
-	0x25, 0x0c, 0x6d, 0x47, 0x49, 0x8a, 0x26, 0x2b, 0xee, 0x90, 0xda, 0x68, 0xb9, 0xbb, 0x9e, 0xd9,
-	0xd5, 0x05, 0x68, 0x81, 0xa0, 0x45, 0xd0, 0x36, 0x40, 0x9b, 0x3e, 0x14, 0xe9, 0x53, 0x51, 0x14,
-	0x45, 0x1e, 0xda, 0x87, 0xf6, 0xad, 0xfd, 0x17, 0xf2, 0x52, 0x20, 0x40, 0x81, 0x22, 0x40, 0x01,
-	0xa2, 0x61, 0xff, 0x81, 0x02, 0x6d, 0x51, 0x54, 0x0f, 0x45, 0x31, 0x97, 0x9d, 0x9d, 0x5d, 0x92,
-	0xb6, 0x61, 0x51, 0xc9, 0x1b, 0x79, 0xce, 0x99, 0xf3, 0x3b, 0x73, 0xe6, 0xcc, 0x99, 0x33, 0x67,
-	0x07, 0xbc, 0xb2, 0x77, 0x9d, 0x96, 0x1c, 0x7f, 0xc1, 0x0a, 0x1c, 0x7c, 0x18, 0x62, 0x8f, 0x3a,
-	0xbe, 0x47, 0x9f, 0xb6, 0x02, 0x87, 0x62, 0xb2, 0x8f, 0xc9, 0x42, 0xb0, 0x57, 0x67, 0x3c, 0x9a,
-	0x16, 0x58, 0xd8, 0x7f, 0x76, 0xa1, 0x8e, 0x3d, 0x4c, 0xac, 0x10, 0xdb, 0xa5, 0x80, 0xf8, 0xa1,
-	0x0f, 0xaf, 0x0b, 0x4d, 0xa5, 0x94, 0xe0, 0x5b, 0x4a, 0x53, 0x29, 0xd8, 0xab, 0x33, 0x1e, 0x4d,
-	0x0b, 0x94, 0xf6, 0x9f, 0x9d, 0x79, 0xba, 0xee, 0x84, 0xbb, 0xd1, 0x4e, 0xa9, 0xea, 0x37, 0x16,
-	0xea, 0x7e, 0xdd, 0x5f, 0xe0, 0x0a, 0x77, 0xa2, 0x1a, 0xff, 0xc7, 0xff, 0xf0, 0x5f, 0x02, 0x68,
-	0xe6, 0xb9, 0xc4, 0xe4, 0x86, 0x55, 0xdd, 0x75, 0x3c, 0x4c, 0x8e, 0x12, 0x3b, 0x1b, 0x38, 0xb4,
-	0x3a, 0x98, 0x37, 0xb3, 0xd0, 0x6d, 0x14, 0x89, 0xbc, 0xd0, 0x69, 0xe0, 0xb6, 0x01, 0x5f, 0x7a,
-	0xd0, 0x00, 0x5a, 0xdd, 0xc5, 0x0d, 0x2b, 0x3b, 0xae, 0x78, 0x6c, 0x80, 0xc9, 0x65, 0xdf, 0xdb,
-	0xc7, 0x84, 0x4d, 0x10, 0xe1, 0x7b, 0x11, 0xa6, 0x21, 0x2c, 0x83, 0xbe, 0xc8, 0xb1, 0x4d, 0x63,
-	0xce, 0x98, 0x1f, 0x2e, 0x3f, 0xf3, 0x71, 0xb3, 0x70, 0xa6, 0xd5, 0x2c, 0xf4, 0xdd, 0x59, 0x5b,
-	0x39, 0x6e, 0x16, 0x2e, 0x77, 0x43, 0x0a, 0x8f, 0x02, 0x4c, 0x4b, 0x77, 0xd6, 0x56, 0x10, 0x1b,
-	0x0c, 0x5f, 0x06, 0x93, 0x36, 0xa6, 0x0e, 0xc1, 0xf6, 0xd2, 0xd6, 0xda, 0x5d, 0xa1, 0xdf, 0xcc,
-	0x71, 0x8d, 0x17, 0xa4, 0xc6, 0xc9, 0x95, 0xac, 0x00, 0x6a, 0x1f, 0x03, 0xb7, 0xc1, 0x90, 0xbf,
-	0xf3, 0x0e, 0xae, 0x86, 0xd4, 0xec, 0x9b, 0xeb, 0x9b, 0x1f, 0x59, 0x7c, 0xba, 0x94, 0x2c, 0x9e,
-	0x32, 0x81, 0xaf, 0x98, 0x9c, 0x6c, 0x09, 0x59, 0x07, 0xab, 0xf1, 0xa2, 0x95, 0xc7, 0x25, 0xda,
-	0xd0, 0xa6, 0xd0, 0x82, 0x62, 0x75, 0xc5, 0x5f, 0xe6, 0x00, 0xd4, 0x27, 0x4f, 0x03, 0xdf, 0xa3,
-	0xb8, 0x27, 0xb3, 0xa7, 0x60, 0xa2, 0xca, 0x35, 0x87, 0xd8, 0x96, 0xb8, 0x66, 0xee, 0x51, 0xac,
-	0x37, 0x25, 0xfe, 0xc4, 0x72, 0x46, 0x1d, 0x6a, 0x03, 0x80, 0xb7, 0xc1, 0x20, 0xc1, 0x34, 0x72,
-	0x43, 0xb3, 0x6f, 0xce, 0x98, 0x1f, 0x59, 0xbc, 0xd6, 0x15, 0x8a, 0x87, 0x36, 0x0b, 0xbe, 0xd2,
-	0xfe, 0xb3, 0xa5, 0x4a, 0x68, 0x85, 0x11, 0x2d, 0x9f, 0x95, 0x48, 0x83, 0x88, 0xeb, 0x40, 0x52,
-	0x57, 0xf1, 0x3f, 0x06, 0x98, 0xd0, 0xbd, 0xb4, 0xef, 0xe0, 0x03, 0x48, 0xc0, 0x10, 0x11, 0xc1,
-	0xc2, 0xfd, 0x34, 0xb2, 0x78, 0xb3, 0xf4, 0xa8, 0x3b, 0xaa, 0xd4, 0x16, 0x7f, 0xe5, 0x11, 0xb6,
-	0x5c, 0xf2, 0x0f, 0x8a, 0x81, 0xe0, 0x3e, 0xc8, 0x13, 0xb9, 0x46, 0x3c, 0x90, 0x46, 0x16, 0xd7,
-	0x7b, 0x03, 0x2a, 0x74, 0x96, 0x47, 0x5b, 0xcd, 0x42, 0x3e, 0xfe, 0x87, 0x14, 0x56, 0xf1, 0xe7,
-	0x39, 0x30, 0xbb, 0x1c, 0xd1, 0xd0, 0x6f, 0x20, 0x4c, 0xfd, 0x88, 0x54, 0xf1, 0xb2, 0xef, 0x46,
-	0x0d, 0x6f, 0x05, 0xd7, 0x1c, 0xcf, 0x09, 0x59, 0x8c, 0xce, 0x81, 0x7e, 0xcf, 0x6a, 0x60, 0x19,
-	0x33, 0xa3, 0xd2, 0x93, 0xfd, 0xb7, 0xac, 0x06, 0x46, 0x9c, 0xc3, 0x24, 0x58, 0x88, 0xc8, 0x1d,
-	0xa0, 0x24, 0x6e, 0x1f, 0x05, 0x18, 0x71, 0x0e, 0xbc, 0x0a, 0x06, 0x6b, 0x3e, 0x69, 0x58, 0x62,
-	0xf5, 0x86, 0x93, 0xf5, 0xb8, 0xc1, 0xa9, 0x48, 0x72, 0xe1, 0xf3, 0x60, 0xc4, 0xc6, 0xb4, 0x4a,
-	0x9c, 0x80, 0x41, 0x9b, 0xfd, 0x5c, 0xf8, 0x9c, 0x14, 0x1e, 0x59, 0x49, 0x58, 0x48, 0x97, 0x83,
-	0xd7, 0x40, 0x3e, 0x20, 0x8e, 0x4f, 0x9c, 0xf0, 0xc8, 0x1c, 0x98, 0x33, 0xe6, 0x07, 0xca, 0x13,
-	0x72, 0x4c, 0x7e, 0x4b, 0xd2, 0x91, 0x92, 0x60, 0xd2, 0xef, 0x50, 0xdf, 0xdb, 0xb2, 0xc2, 0x5d,
-	0x73, 0x90, 0x23, 0x28, 0xe9, 0x57, 0x2b, 0x9b, 0xb7, 0x18, 0x1d, 0x29, 0x89, 0xe2, 0x9f, 0x0c,
-	0x60, 0x66, 0x3d, 0x14, 0xbb, 0x17, 0xde, 0x00, 0x79, 0x1a, 0xb2, 0x9c, 0x53, 0x3f, 0x92, 0xfe,
-	0x79, 0x32, 0x56, 0x55, 0x91, 0xf4, 0xe3, 0x66, 0x61, 0x3a, 0x19, 0x11, 0x53, 0xb9, 0x6f, 0xd4,
-	0x58, 0x16, 0x72, 0x07, 0x78, 0x67, 0xd7, 0xf7, 0xf7, 0xe4, 0xea, 0x9f, 0x20, 0xe4, 0x5e, 0x13,
-	0x8a, 0x12, 0x4c, 0x11, 0x72, 0x92, 0x8c, 0x62, 0xa0, 0xe2, 0xbf, 0x73, 0xd9, 0x89, 0x69, 0x8b,
-	0xfe, 0x36, 0xc8, 0xb3, 0x2d, 0x64, 0x5b, 0xa1, 0x25, 0x37, 0xc1, 0x33, 0x0f, 0xb7, 0xe1, 0xc4,
-	0x7e, 0xdd, 0xc0, 0xa1, 0x55, 0x86, 0xd2, 0x15, 0x20, 0xa1, 0x21, 0xa5, 0x15, 0x1e, 0x82, 0x7e,
-	0x1a, 0xe0, 0xaa, 0x9c, 0xef, 0xdd, 0x13, 0x44, 0x7b, 0x97, 0x39, 0x54, 0x02, 0x5c, 0x4d, 0x82,
-	0x91, 0xfd, 0x43, 0x1c, 0x11, 0xbe, 0x6b, 0x80, 0x41, 0xca, 0xf3, 0x82, 0xcc, 0x25, 0xdb, 0xa7,
-	0x00, 0x9e, 0xc9, 0x3b, 0xe2, 0x3f, 0x92, 0xb8, 0xc5, 0x7f, 0xe4, 0xc0, 0xe5, 0x6e, 0x43, 0x97,
-	0x7d, 0xcf, 0x16, 0x8b, 0xb0, 0x26, 0xf7, 0x95, 0x88, 0xac, 0xe7, 0xf5, 0x7d, 0x75, 0xdc, 0x2c,
-	0x3c, 0xfe, 0x40, 0x05, 0xda, 0x06, 0xfc, 0xb2, 0x9a, 0xb2, 0xd8, 0xa4, 0x97, 0xd3, 0x86, 0x1d,
-	0x37, 0x0b, 0xe3, 0x6a, 0x58, 0xda, 0x56, 0xb8, 0x0f, 0xa0, 0x6b, 0xd1, 0xf0, 0x36, 0xb1, 0x3c,
-	0x2a, 0xd4, 0x3a, 0x0d, 0x2c, 0x3d, 0xf7, 0xe4, 0xc3, 0x05, 0x05, 0x1b, 0x51, 0x9e, 0x91, 0x90,
-	0x70, 0xbd, 0x4d, 0x1b, 0xea, 0x80, 0xc0, 0x72, 0x06, 0xc1, 0x16, 0x55, 0x69, 0x40, 0xcb, 0xe1,
-	0x8c, 0x8a, 0x24, 0x17, 0x3e, 0x01, 0x86, 0x1a, 0x98, 0x52, 0xab, 0x8e, 0xf9, 0xde, 0x1f, 0x4e,
-	0x0e, 0xc5, 0x0d, 0x41, 0x46, 0x31, 0xbf, 0xf8, 0x4f, 0x03, 0x5c, 0xec, 0xe6, 0xb5, 0x75, 0x87,
-	0x86, 0xf0, 0x1b, 0x6d, 0x61, 0x5f, 0x7a, 0xb8, 0x19, 0xb2, 0xd1, 0x3c, 0xe8, 0x55, 0x2a, 0x89,
-	0x29, 0x5a, 0xc8, 0x1f, 0x80, 0x01, 0x27, 0xc4, 0x8d, 0xf8, 0xb4, 0x44, 0xbd, 0x0f, 0xbb, 0xf2,
-	0x98, 0x84, 0x1f, 0x58, 0x63, 0x40, 0x48, 0xe0, 0x15, 0x3f, 0xca, 0x81, 0x4b, 0xdd, 0x86, 0xb0,
-	0x3c, 0x4e, 0x99, 0xb3, 0x03, 0x37, 0x22, 0x96, 0x2b, 0x83, 0x4d, 0x39, 0x7b, 0x8b, 0x53, 0x91,
-	0xe4, 0xb2, 0xdc, 0x49, 0x1d, 0xaf, 0x1e, 0xb9, 0x16, 0x91, 0x91, 0xa4, 0x26, 0x5c, 0x91, 0x74,
-	0xa4, 0x24, 0x60, 0x09, 0x00, 0xba, 0xeb, 0x93, 0x90, 0x63, 0xf0, 0x0a, 0x67, 0xb8, 0x7c, 0x96,
-	0x65, 0x84, 0x8a, 0xa2, 0x22, 0x4d, 0x82, 0x1d, 0x24, 0x7b, 0x8e, 0x67, 0xcb, 0x05, 0x57, 0x7b,
-	0xf7, 0xa6, 0xe3, 0xd9, 0x88, 0x73, 0x18, 0xbe, 0xeb, 0xd0, 0x90, 0x51, 0xe4, 0x6a, 0xa7, 0x1c,
-	0xce, 0x25, 0x95, 0x04, 0xc3, 0xaf, 0xb2, 0x04, 0xeb, 0x13, 0x07, 0x53, 0x73, 0x30, 0xc1, 0x5f,
-	0x56, 0x54, 0xa4, 0x49, 0x14, 0xff, 0xdc, 0xdf, 0x3d, 0x3e, 0x58, 0x02, 0x81, 0x57, 0xc0, 0x40,
-	0x9d, 0xf8, 0x51, 0x20, 0xbd, 0xa4, 0xbc, 0xfd, 0x32, 0x23, 0x22, 0xc1, 0x83, 0xdf, 0x02, 0x03,
-	0x9e, 0x9c, 0x30, 0x8b, 0xa0, 0xd7, 0x7a, 0xbf, 0xcc, 0xdc, 0x5b, 0x09, 0xba, 0x70, 0xa4, 0x00,
-	0x85, 0xcf, 0x81, 0x01, 0x5a, 0xf5, 0x03, 0x2c, 0x9d, 0x38, 0x1b, 0x0b, 0x55, 0x18, 0xf1, 0xb8,
-	0x59, 0x18, 0x8b, 0xd5, 0x71, 0x02, 0x12, 0xc2, 0xf0, 0x7b, 0x06, 0xc8, 0xcb, 0xe3, 0x82, 0x9a,
-	0x43, 0x3c, 0x3c, 0x5f, 0xef, 0xbd, 0xdd, 0xb2, 0xec, 0x4d, 0xd6, 0x4c, 0x12, 0x28, 0x52, 0xe0,
-	0xf0, 0x3b, 0x06, 0x00, 0x55, 0x75, 0x76, 0x99, 0xc3, 0xdc, 0x87, 0x3d, 0xdb, 0x2a, 0xda, 0xa9,
-	0x28, 0x02, 0x21, 0x29, 0x95, 0x34, 0x54, 0x58, 0x01, 0x53, 0x01, 0xc1, 0x5c, 0xf7, 0x1d, 0x6f,
-	0xcf, 0xf3, 0x0f, 0xbc, 0x1b, 0x0e, 0x76, 0x6d, 0x6a, 0x82, 0x39, 0x63, 0x3e, 0x5f, 0xbe, 0x24,
-	0xed, 0x9f, 0xda, 0xea, 0x24, 0x84, 0x3a, 0x8f, 0x2d, 0xbe, 0xd7, 0x97, 0xad, 0xb5, 0xb2, 0xe7,
-	0x05, 0xfc, 0x40, 0x4c, 0x5e, 0xe4, 0x61, 0x6a, 0x1a, 0x7c, 0x21, 0xde, 0xec, 0xfd, 0x42, 0xa8,
-	0x5c, 0x9f, 0x1c, 0xd2, 0x8a, 0x44, 0x91, 0x66, 0x02, 0xfc, 0x89, 0x01, 0xc6, 0xac, 0x6a, 0x15,
-	0x07, 0x21, 0xb6, 0xc5, 0x36, 0xce, 0x9d, 0x6e, 0x54, 0x4f, 0x49, 0x83, 0xc6, 0x96, 0x74, 0x54,
-	0x94, 0x36, 0x02, 0xbe, 0x08, 0xce, 0xd2, 0xd0, 0x27, 0xd8, 0x8e, 0x23, 0x48, 0x66, 0x17, 0xd8,
-	0x6a, 0x16, 0xce, 0x56, 0x52, 0x1c, 0x94, 0x91, 0x2c, 0xb6, 0x06, 0x41, 0xe1, 0x01, 0x11, 0xfa,
-	0x10, 0x45, 0xef, 0x55, 0x30, 0xc8, 0x67, 0x6a, 0x73, 0x87, 0xe4, 0xb5, 0xa3, 0x9e, 0x53, 0x91,
-	0xe4, 0xb2, 0xe3, 0x89, 0xe1, 0xb3, 0xe3, 0xa9, 0x8f, 0x0b, 0xaa, 0xe3, 0xa9, 0x22, 0xc8, 0x28,
-	0xe6, 0xc3, 0x45, 0x00, 0x6c, 0x1c, 0x10, 0xcc, 0x32, 0x92, 0x6d, 0x0e, 0x71, 0x69, 0xb5, 0x3e,
-	0x2b, 0x8a, 0x83, 0x34, 0x29, 0x78, 0x03, 0xc0, 0xf8, 0x9f, 0xe3, 0x7b, 0xaf, 0x59, 0xc4, 0x73,
-	0xbc, 0xba, 0x99, 0xe7, 0x66, 0x4f, 0xb3, 0xd3, 0x76, 0xa5, 0x8d, 0x8b, 0x3a, 0x8c, 0x80, 0xfb,
-	0x60, 0x50, 0x5c, 0xa3, 0x79, 0xde, 0xe8, 0xe1, 0x8e, 0xbb, 0x6b, 0xb9, 0x8e, 0xcd, 0xa1, 0xca,
-	0x80, 0xbb, 0x87, 0xa3, 0x20, 0x89, 0x06, 0xdf, 0x37, 0xc0, 0x28, 0x8d, 0x76, 0x88, 0x94, 0xa6,
-	0x3c, 0xab, 0x8f, 0x2c, 0xde, 0xee, 0x15, 0x7c, 0x45, 0xd3, 0x5d, 0x9e, 0x68, 0x35, 0x0b, 0xa3,
-	0x3a, 0x05, 0xa5, 0xb0, 0xe1, 0xef, 0x0c, 0x60, 0x5a, 0xb6, 0x08, 0x7d, 0xcb, 0xdd, 0x22, 0x8e,
-	0x17, 0x62, 0x22, 0x2e, 0x44, 0xe2, 0xf8, 0xe8, 0x61, 0xad, 0x98, 0xbd, 0x67, 0x95, 0xe7, 0xe4,
-	0x4a, 0x9b, 0x4b, 0x5d, 0x2c, 0x40, 0x5d, 0x6d, 0x63, 0x79, 0x63, 0x82, 0x62, 0x17, 0x57, 0x43,
-	0x6b, 0xc7, 0xc5, 0x32, 0x57, 0x0d, 0x73, 0x83, 0xd7, 0x1e, 0xdd, 0xe0, 0x4a, 0x5a, 0x63, 0x72,
-	0x5f, 0xcf, 0x30, 0x28, 0x6a, 0x03, 0x2f, 0xfe, 0xcb, 0xc8, 0x26, 0x3b, 0xcd, 0xef, 0x95, 0xaa,
-	0xe5, 0x62, 0xb8, 0x02, 0x26, 0x58, 0x3d, 0x8e, 0x70, 0xe0, 0x3a, 0x55, 0x8b, 0xf2, 0xfb, 0x98,
-	0xd8, 0x6f, 0x09, 0x50, 0x86, 0x8f, 0xda, 0x46, 0xc0, 0x57, 0x01, 0x14, 0x85, 0x6a, 0x4a, 0x8f,
-	0xa8, 0x4d, 0x54, 0xc9, 0x59, 0x69, 0x93, 0x40, 0x1d, 0x46, 0xc1, 0x65, 0x30, 0xe9, 0x5a, 0x3b,
-	0xd8, 0x15, 0xf3, 0xf3, 0x09, 0x57, 0x25, 0x6e, 0xac, 0x53, 0xad, 0x66, 0x61, 0x72, 0x3d, 0xcb,
-	0x44, 0xed, 0xf2, 0xc5, 0xcb, 0xd9, 0xec, 0xa2, 0x4f, 0x5c, 0x94, 0xff, 0x1f, 0xe6, 0xc0, 0x4c,
-	0xf7, 0x30, 0x85, 0xdf, 0x56, 0xc5, 0xba, 0xa8, 0x41, 0x5f, 0x3f, 0x85, 0xcd, 0x20, 0x2f, 0x28,
-	0xa0, 0xfd, 0x72, 0x02, 0x8f, 0x58, 0x05, 0x61, 0xb9, 0x71, 0x23, 0x62, 0xfb, 0x34, 0xd0, 0x99,
-	0xfe, 0xf2, 0xb0, 0xa8, 0x4b, 0x2c, 0x97, 0x97, 0x21, 0x96, 0x8b, 0x8b, 0x1f, 0xb5, 0x5d, 0xb6,
-	0x93, 0xf4, 0x01, 0xbf, 0x6f, 0x80, 0x71, 0x3f, 0xc0, 0xde, 0xd2, 0xd6, 0xda, 0xdd, 0xff, 0x17,
-	0x69, 0x44, 0x3a, 0xe8, 0x04, 0x31, 0xce, 0x6e, 0xfc, 0x42, 0xd7, 0x16, 0xf1, 0x03, 0x5a, 0x3e,
-	0xd7, 0x6a, 0x16, 0xc6, 0x37, 0xd3, 0x28, 0x28, 0x0b, 0x5b, 0x6c, 0x80, 0xa9, 0xd5, 0xc3, 0x10,
-	0x13, 0xcf, 0x72, 0x57, 0xfc, 0x6a, 0xd4, 0xc0, 0x5e, 0x28, 0x6c, 0xcc, 0x34, 0x30, 0x8c, 0x87,
-	0x6c, 0x60, 0x5c, 0x02, 0x7d, 0x11, 0x71, 0x65, 0xd4, 0x8e, 0xa8, 0xb6, 0x1c, 0x5a, 0x47, 0x8c,
-	0x5e, 0xbc, 0x0c, 0xfa, 0x99, 0x9d, 0xf0, 0x02, 0xe8, 0x23, 0xd6, 0x01, 0xd7, 0x3a, 0x5a, 0x1e,
-	0x62, 0x22, 0xc8, 0x3a, 0x40, 0x8c, 0x56, 0xfc, 0xdb, 0x1c, 0x18, 0xcf, 0xcc, 0x05, 0xce, 0x80,
-	0x9c, 0xea, 0xf5, 0x01, 0xa9, 0x34, 0xb7, 0xb6, 0x82, 0x72, 0x8e, 0x0d, 0x5f, 0x50, 0xf9, 0x5e,
-	0x80, 0x16, 0xd4, 0xf1, 0xc5, 0xa9, 0xac, 0x50, 0x4c, 0xd4, 0x31, 0x43, 0xe2, 0x84, 0xcd, 0x6c,
-	0xc0, 0x35, 0xb9, 0x2b, 0x84, 0x0d, 0xb8, 0x86, 0x18, 0xed, 0x51, 0xbb, 0x37, 0x71, 0xfb, 0x68,
-	0xe0, 0x21, 0xda, 0x47, 0x83, 0xf7, 0x6d, 0x1f, 0x5d, 0x01, 0x03, 0xa1, 0x13, 0xba, 0x98, 0x9f,
-	0x9d, 0x5a, 0x79, 0x7e, 0x9b, 0x11, 0x91, 0xe0, 0x41, 0x0c, 0x86, 0x6c, 0x5c, 0xb3, 0x22, 0x37,
-	0xe4, 0xc7, 0xe4, 0xc8, 0xe2, 0xd7, 0x4f, 0x16, 0x3d, 0xa2, 0xbd, 0xb2, 0x22, 0x54, 0xa2, 0x58,
-	0x37, 0x7c, 0x1c, 0x0c, 0x35, 0xac, 0x43, 0xa7, 0x11, 0x35, 0x78, 0x0d, 0x6b, 0x08, 0xb1, 0x0d,
-	0x41, 0x42, 0x31, 0x8f, 0x25, 0x41, 0x7c, 0x58, 0x75, 0x23, 0xea, 0xec, 0x63, 0xc9, 0x94, 0x45,
-	0xa6, 0x4a, 0x82, 0xab, 0x19, 0x3e, 0x6a, 0x1b, 0xc1, 0xc1, 0x1c, 0x8f, 0x0f, 0x1e, 0xd1, 0xc0,
-	0x04, 0x09, 0xc5, 0xbc, 0x34, 0x98, 0x94, 0x1f, 0xed, 0x06, 0x26, 0x07, 0xb7, 0x8d, 0x80, 0x4f,
-	0x81, 0xe1, 0x86, 0x75, 0xb8, 0x8e, 0xbd, 0x7a, 0xb8, 0x6b, 0x8e, 0xcd, 0x19, 0xf3, 0x7d, 0xe5,
-	0xb1, 0x56, 0xb3, 0x30, 0xbc, 0x11, 0x13, 0x51, 0xc2, 0xe7, 0xc2, 0x8e, 0x27, 0x85, 0xcf, 0x6a,
-	0xc2, 0x31, 0x11, 0x25, 0x7c, 0x56, 0x2b, 0x05, 0x56, 0xc8, 0xf6, 0x95, 0x39, 0x9e, 0xbe, 0xca,
-	0x6f, 0x09, 0x32, 0x8a, 0xf9, 0x70, 0x1e, 0xe4, 0x1b, 0xd6, 0x21, 0xbf, 0xe5, 0x9a, 0x13, 0x5c,
-	0x2d, 0x6f, 0x71, 0x6e, 0x48, 0x1a, 0x52, 0x5c, 0x2e, 0xe9, 0x78, 0x42, 0x72, 0x52, 0x93, 0x94,
-	0x34, 0xa4, 0xb8, 0x2c, 0x7e, 0x23, 0xcf, 0xb9, 0x17, 0x61, 0x21, 0x0c, 0xb9, 0x67, 0x54, 0xfc,
-	0xde, 0x49, 0x58, 0x48, 0x97, 0x63, 0xb7, 0xcc, 0x46, 0xe4, 0x86, 0x4e, 0xe0, 0xe2, 0xcd, 0x9a,
-	0x79, 0x8e, 0xfb, 0x9f, 0x5f, 0x2e, 0x36, 0x14, 0x15, 0x69, 0x12, 0xf0, 0x6d, 0xd0, 0x8f, 0xbd,
-	0xa8, 0x61, 0x9e, 0xe7, 0xe7, 0xf3, 0x49, 0xa3, 0x4f, 0xed, 0x97, 0x55, 0x2f, 0x6a, 0x20, 0xae,
-	0x19, 0xbe, 0x00, 0xc6, 0x1a, 0xd6, 0x21, 0x4b, 0x02, 0x98, 0x84, 0xec, 0xea, 0x3b, 0xc5, 0xe7,
-	0x3d, 0xc9, 0xca, 0xea, 0x0d, 0x9d, 0x81, 0xd2, 0x72, 0x7c, 0xa0, 0xe3, 0x69, 0x03, 0xa7, 0xb5,
-	0x81, 0x3a, 0x03, 0xa5, 0xe5, 0x98, 0x93, 0x09, 0xbe, 0x17, 0x39, 0x04, 0xdb, 0xe6, 0xff, 0xf0,
-	0x4a, 0x5c, 0x76, 0x9c, 0x05, 0x0d, 0x29, 0x2e, 0xbc, 0x17, 0x37, 0x41, 0x4c, 0xbe, 0xf9, 0xb6,
-	0x7a, 0x96, 0xba, 0x37, 0xc9, 0x12, 0x21, 0xd6, 0x91, 0x38, 0x55, 0xf4, 0xf6, 0x07, 0xf4, 0xc0,
-	0x80, 0xe5, 0xba, 0x9b, 0x35, 0xf3, 0xc2, 0x49, 0x2b, 0xa2, 0xec, 0x69, 0xa1, 0x32, 0xcc, 0x12,
-	0xd3, 0x8f, 0x04, 0x0c, 0xc3, 0xf3, 0x3d, 0x16, 0x0b, 0x33, 0xa7, 0x86, 0xb7, 0xc9, 0xf4, 0x23,
-	0x01, 0xc3, 0xe7, 0xe7, 0x1d, 0x6d, 0xd6, 0xcc, 0xc7, 0x4e, 0x6f, 0x7e, 0x4c, 0x3f, 0x12, 0x30,
-	0xd0, 0x06, 0x7d, 0x9e, 0x1f, 0x9a, 0x17, 0x7b, 0x7d, 0xf6, 0xf2, 0xd3, 0xe4, 0x96, 0x1f, 0x22,
-	0xa6, 0x1e, 0xfe, 0xd0, 0x00, 0x20, 0x48, 0x22, 0xf1, 0xd2, 0x49, 0x9b, 0x12, 0x19, 0xb4, 0x52,
-	0x12, 0xbd, 0xab, 0x5e, 0x48, 0x8e, 0x92, 0x9b, 0x96, 0x16, 0xe5, 0x9a, 0x01, 0xf0, 0x67, 0x06,
-	0x38, 0xaf, 0x17, 0xe0, 0xca, 0xb2, 0x59, 0xee, 0x87, 0xcd, 0x1e, 0x06, 0x72, 0xd9, 0xf7, 0xdd,
-	0xb2, 0xd9, 0x6a, 0x16, 0xce, 0x2f, 0x75, 0x00, 0x44, 0x1d, 0xcd, 0x80, 0xbf, 0x32, 0xc0, 0xa4,
-	0xcc, 0x8e, 0x9a, 0x71, 0x05, 0xee, 0xb6, 0xb7, 0x7b, 0xe8, 0xb6, 0x2c, 0x84, 0xf0, 0x9e, 0xfa,
-	0xee, 0xd9, 0xc6, 0x47, 0xed, 0x56, 0xc1, 0xdf, 0x1a, 0x60, 0xd4, 0xc6, 0x01, 0xf6, 0x6c, 0xec,
-	0x55, 0x99, 0x99, 0x73, 0x27, 0xed, 0x74, 0x64, 0xcd, 0x5c, 0xd1, 0xb4, 0x0b, 0x0b, 0x4b, 0xd2,
-	0xc2, 0x51, 0x9d, 0x75, 0xdc, 0x2c, 0x4c, 0x27, 0x43, 0x75, 0x0e, 0x4a, 0x19, 0x08, 0x7f, 0x64,
-	0x80, 0xf1, 0xc4, 0xed, 0xe2, 0x80, 0xb8, 0x7c, 0x3a, 0x0b, 0xcf, 0x4b, 0xd0, 0xa5, 0x34, 0x16,
-	0xca, 0x82, 0xc3, 0x5f, 0x1b, 0xac, 0xda, 0x8a, 0x6f, 0x8f, 0xd4, 0x2c, 0x72, 0x0f, 0xbe, 0xd1,
-	0x4b, 0x0f, 0x2a, 0xe5, 0xc2, 0x81, 0xd7, 0x92, 0x4a, 0x4e, 0x71, 0x8e, 0x9b, 0x85, 0x29, 0xdd,
-	0x7f, 0x8a, 0x81, 0x74, 0xe3, 0xe0, 0x7b, 0x06, 0x18, 0xc5, 0x49, 0xc1, 0x4c, 0xcd, 0x2b, 0x27,
-	0x75, 0x5d, 0xc7, 0xf2, 0x5b, 0x5c, 0xf0, 0x35, 0x16, 0x45, 0x29, 0x58, 0x56, 0xfb, 0xe1, 0x43,
-	0xab, 0x11, 0xb8, 0xd8, 0xfc, 0xdf, 0xde, 0xd5, 0x7e, 0xab, 0x42, 0x25, 0x8a, 0x75, 0xc3, 0x6b,
-	0x20, 0xef, 0x45, 0xae, 0xcb, 0xae, 0xc3, 0xe6, 0xe3, 0xbc, 0x8a, 0x50, 0x1d, 0xcf, 0x5b, 0x92,
-	0x8e, 0x94, 0x04, 0xac, 0x81, 0xb9, 0xc3, 0x9b, 0xd1, 0x0e, 0x26, 0x1e, 0x0e, 0x31, 0xed, 0xd8,
-	0x52, 0x34, 0xaf, 0x72, 0x2d, 0x33, 0xad, 0x66, 0x61, 0x7a, 0xbb, 0x73, 0xd3, 0xf1, 0x81, 0x3a,
-	0xe0, 0x9b, 0xe0, 0x31, 0x4d, 0x66, 0xb5, 0xb1, 0x83, 0x6d, 0x1b, 0xdb, 0xf1, 0x45, 0xcb, 0xfc,
-	0x3f, 0x0e, 0xa1, 0xf6, 0xf1, 0x76, 0x56, 0x00, 0xdd, 0x6f, 0x34, 0x5c, 0x07, 0xd3, 0x1a, 0x7b,
-	0xcd, 0x0b, 0x37, 0x49, 0x25, 0x24, 0x8e, 0x57, 0x37, 0xe7, 0xb9, 0xde, 0xf3, 0xf1, 0xee, 0xdb,
-	0xd6, 0x78, 0xa8, 0xcb, 0x18, 0xf8, 0x4a, 0x4a, 0x1b, 0xff, 0x94, 0x62, 0x05, 0x37, 0xf1, 0x11,
-	0x35, 0x9f, 0xe0, 0xc5, 0x05, 0x5f, 0xe7, 0x6d, 0x8d, 0x8e, 0xba, 0xc8, 0xc3, 0x97, 0xc0, 0xb9,
-	0x0c, 0x87, 0xdd, 0x2b, 0xcc, 0x27, 0xc5, 0x05, 0x81, 0x55, 0xa2, 0xdb, 0x31, 0x11, 0x75, 0x92,
-	0x84, 0x5f, 0x05, 0x50, 0x23, 0x6f, 0x58, 0x01, 0x1f, 0xff, 0x94, 0xb8, 0xab, 0xb0, 0x15, 0xdd,
-	0x96, 0x34, 0xd4, 0x41, 0x0e, 0x7e, 0x68, 0xa4, 0x66, 0x92, 0xdc, 0x66, 0xa9, 0x79, 0x8d, 0x6f,
-	0xd8, 0x57, 0x1e, 0x3d, 0x00, 0x13, 0x65, 0x28, 0x72, 0xb1, 0xe6, 0x61, 0x0d, 0x05, 0x75, 0x41,
-	0x9f, 0x61, 0x97, 0xe9, 0x4c, 0x0e, 0x87, 0x13, 0xa0, 0x6f, 0x0f, 0xcb, 0x0f, 0xd9, 0x88, 0xfd,
-	0x84, 0x6f, 0x81, 0x81, 0x7d, 0xcb, 0x8d, 0xe2, 0x56, 0x40, 0xef, 0xce, 0x7a, 0x24, 0xf4, 0xbe,
-	0x98, 0xbb, 0x6e, 0xcc, 0x7c, 0x60, 0x80, 0xe9, 0xce, 0xa7, 0xca, 0x17, 0x65, 0xd1, 0x4f, 0x0d,
-	0x30, 0xd9, 0x76, 0x80, 0x74, 0x30, 0xc6, 0x4d, 0x1b, 0x73, 0xb7, 0x87, 0x27, 0x81, 0xd8, 0x08,
-	0xbc, 0xa2, 0xd5, 0x2d, 0xfb, 0x81, 0x01, 0x26, 0xb2, 0x89, 0xf9, 0x0b, 0xf2, 0x52, 0xf1, 0xfd,
-	0x1c, 0x98, 0xee, 0x5c, 0x83, 0xc3, 0x86, 0xea, 0x2e, 0xf4, 0xbc, 0x41, 0xd3, 0xa9, 0x89, 0xfc,
-	0xae, 0x01, 0x46, 0xde, 0x51, 0x72, 0xf1, 0xf7, 0xd5, 0x5e, 0x76, 0x85, 0xe2, 0xa3, 0x2f, 0x61,
-	0x50, 0xa4, 0x43, 0x16, 0x7f, 0x63, 0x80, 0xa9, 0x8e, 0xc7, 0x39, 0xbc, 0x0a, 0x06, 0x2d, 0xd7,
-	0xf5, 0x0f, 0x44, 0x37, 0x4f, 0xfb, 0x50, 0xb0, 0xc4, 0xa9, 0x48, 0x72, 0x35, 0x9f, 0xe5, 0x3e,
-	0x07, 0x9f, 0x15, 0x7f, 0x6f, 0x80, 0x8b, 0xf7, 0x8b, 0xba, 0xcf, 0x7b, 0x0d, 0xe7, 0x41, 0x5e,
-	0x16, 0xdb, 0x47, 0x7c, 0xfd, 0x64, 0x76, 0x95, 0x19, 0x81, 0xbf, 0xdf, 0x11, 0xbf, 0x8a, 0x2f,
-	0x81, 0xf1, 0x4c, 0x03, 0x3a, 0xf5, 0xa4, 0xc7, 0x78, 0xe0, 0x93, 0x9e, 0x5f, 0x18, 0x60, 0xa2,
-	0x82, 0xc9, 0xbe, 0x53, 0xc5, 0x08, 0xd7, 0x30, 0xc1, 0x5e, 0x15, 0xc3, 0x05, 0x30, 0xcc, 0x3f,
-	0xa0, 0x06, 0x56, 0x35, 0xfe, 0xec, 0x33, 0x29, 0x75, 0x0c, 0xdf, 0x8a, 0x19, 0x28, 0x91, 0x51,
-	0x9f, 0x88, 0x72, 0x5d, 0x3f, 0x11, 0x5d, 0x04, 0xfd, 0x41, 0xd2, 0x41, 0xce, 0x33, 0x2e, 0xb7,
-	0x84, 0x53, 0x39, 0xd7, 0x27, 0x21, 0x6f, 0x93, 0x0d, 0x48, 0xae, 0x4f, 0x42, 0xc4, 0xa9, 0xc5,
-	0x3f, 0xe6, 0xc0, 0xd9, 0x74, 0x82, 0x67, 0x80, 0x24, 0x72, 0xdb, 0xbe, 0x49, 0x31, 0x1e, 0xe2,
-	0x1c, 0xfd, 0x29, 0x44, 0xee, 0xfe, 0x4f, 0x21, 0xe0, 0xcb, 0x60, 0x52, 0xfe, 0x5c, 0x3d, 0x0c,
-	0x08, 0xa6, 0xfc, 0x63, 0x6b, 0x5f, 0xfa, 0x09, 0xe3, 0x46, 0x56, 0x00, 0xb5, 0x8f, 0x81, 0x5f,
-	0xc9, 0x3c, 0xd3, 0xb8, 0x92, 0x3c, 0xd1, 0x60, 0xc5, 0x21, 0x5f, 0x9f, 0xbb, 0x2c, 0x67, 0xac,
-	0x12, 0xe2, 0x93, 0xcc, 0xdb, 0x8d, 0x05, 0x30, 0x5c, 0x63, 0x02, 0x7c, 0xe1, 0x06, 0xd2, 0x4e,
-	0xbf, 0x11, 0x33, 0x50, 0x22, 0x03, 0xbf, 0x06, 0xc6, 0xfd, 0x40, 0x94, 0xc1, 0x9b, 0xae, 0x5d,
-	0xc1, 0x6e, 0x8d, 0xb7, 0x04, 0xf3, 0x71, 0xdf, 0x36, 0xc5, 0x42, 0x59, 0xd9, 0xe2, 0x1f, 0x0c,
-	0x70, 0x2e, 0x7e, 0x1f, 0xe5, 0x3a, 0xd8, 0x0b, 0x97, 0x7d, 0xaf, 0xe6, 0xd4, 0xe1, 0x05, 0xd1,
-	0x7f, 0xd5, 0x9a, 0x9a, 0x71, 0xef, 0x15, 0xde, 0x03, 0x43, 0x54, 0xc4, 0x8a, 0xdc, 0x07, 0xaf,
-	0x9e, 0xe4, 0x83, 0x4a, 0x3a, 0xe8, 0x44, 0xf9, 0x18, 0x53, 0x63, 0x1c, 0xb6, 0x15, 0xaa, 0x56,
-	0x39, 0xf2, 0x6c, 0xd9, 0x83, 0x1f, 0x15, 0x5b, 0x61, 0x79, 0x49, 0xd0, 0x90, 0xe2, 0x16, 0xff,
-	0x6e, 0x80, 0xc9, 0xb6, 0xf7, 0x5e, 0xf0, 0xbb, 0x06, 0x18, 0xad, 0x6a, 0xd3, 0x93, 0x09, 0x65,
-	0xe3, 0xe4, 0x6f, 0xca, 0x34, 0xa5, 0xa2, 0x06, 0xd3, 0x29, 0x28, 0x05, 0x0a, 0xb7, 0x81, 0x59,
-	0xcd, 0x3c, 0xad, 0xcc, 0x7c, 0xac, 0xbd, 0xd8, 0x6a, 0x16, 0xcc, 0xe5, 0x2e, 0x32, 0xa8, 0xeb,
-	0xe8, 0xf2, 0x37, 0x3f, 0xfe, 0x6c, 0xf6, 0xcc, 0x27, 0x9f, 0xcd, 0x9e, 0xf9, 0xf4, 0xb3, 0xd9,
-	0x33, 0xef, 0xb6, 0x66, 0x8d, 0x8f, 0x5b, 0xb3, 0xc6, 0x27, 0xad, 0x59, 0xe3, 0xd3, 0xd6, 0xac,
-	0xf1, 0x97, 0xd6, 0xac, 0xf1, 0xe3, 0xbf, 0xce, 0x9e, 0x79, 0xe3, 0xfa, 0xa3, 0x3e, 0xa8, 0xfe,
-	0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xa3, 0x1c, 0x7a, 0x10, 0x8b, 0x2d, 0x00, 0x00,
-}
+func (m *WebhookConversion) Reset() { *m = WebhookConversion{} }
 
 func (m *ConversionRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1354,6 +400,9 @@ func (m *CustomResourceDefinitionCondition) MarshalToSizedBuffer(dAtA []byte) (i
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	i--
+	dAtA[i] = 0x30
 	i -= len(m.Message)
 	copy(dAtA[i:], m.Message)
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
@@ -1592,6 +641,9 @@ func (m *CustomResourceDefinitionStatus) MarshalToSizedBuffer(dAtA []byte) (int,
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	i--
+	dAtA[i] = 0x20
 	if len(m.StoredVersions) > 0 {
 		for iNdEx := len(m.StoredVersions) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.StoredVersions[iNdEx])
@@ -2087,7 +1139,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Definitions {
 			keysForDefinitions = append(keysForDefinitions, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDefinitions)
+		sort.Strings(keysForDefinitions)
 		for iNdEx := len(keysForDefinitions) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Definitions[string(keysForDefinitions[iNdEx])]
 			baseI := i
@@ -2132,7 +1184,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Dependencies {
 			keysForDependencies = append(keysForDependencies, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDependencies)
+		sort.Strings(keysForDependencies)
 		for iNdEx := len(keysForDependencies) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Dependencies[string(keysForDependencies[iNdEx])]
 			baseI := i
@@ -2163,7 +1215,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.PatternProperties {
 			keysForPatternProperties = append(keysForPatternProperties, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForPatternProperties)
+		sort.Strings(keysForPatternProperties)
 		for iNdEx := len(keysForPatternProperties) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.PatternProperties[string(keysForPatternProperties[iNdEx])]
 			baseI := i
@@ -2208,7 +1260,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Properties {
 			keysForProperties = append(keysForProperties, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForProperties)
+		sort.Strings(keysForProperties)
 		for iNdEx := len(keysForProperties) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Properties[string(keysForProperties[iNdEx])]
 			baseI := i
@@ -2972,6 +2024,7 @@ func (m *CustomResourceDefinitionCondition) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = len(m.Message)
 	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
 	return n
 }
 
@@ -3067,6 +2120,7 @@ func (m *CustomResourceDefinitionStatus) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
 	return n
 }
 
@@ -3613,6 +2667,7 @@ func (this *CustomResourceDefinitionCondition) String() string {
 		`LastTransitionTime:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.LastTransitionTime), "Time", "v1.Time", 1), `&`, ``, 1) + `,`,
 		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
 		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3681,6 +2736,7 @@ func (this *CustomResourceDefinitionStatus) String() string {
 		`Conditions:` + repeatedStringForConditions + `,`,
 		`AcceptedNames:` + strings.Replace(strings.Replace(this.AcceptedNames.String(), "CustomResourceDefinitionNames", "CustomResourceDefinitionNames", 1), `&`, ``, 1) + `,`,
 		`StoredVersions:` + fmt.Sprintf("%v", this.StoredVersions) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3809,7 +2865,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Properties {
 		keysForProperties = append(keysForProperties, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForProperties)
+	sort.Strings(keysForProperties)
 	mapStringForProperties := "map[string]JSONSchemaProps{"
 	for _, k := range keysForProperties {
 		mapStringForProperties += fmt.Sprintf("%v: %v,", k, this.Properties[k])
@@ -3819,7 +2875,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.PatternProperties {
 		keysForPatternProperties = append(keysForPatternProperties, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForPatternProperties)
+	sort.Strings(keysForPatternProperties)
 	mapStringForPatternProperties := "map[string]JSONSchemaProps{"
 	for _, k := range keysForPatternProperties {
 		mapStringForPatternProperties += fmt.Sprintf("%v: %v,", k, this.PatternProperties[k])
@@ -3829,7 +2885,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Dependencies {
 		keysForDependencies = append(keysForDependencies, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDependencies)
+	sort.Strings(keysForDependencies)
 	mapStringForDependencies := "JSONSchemaDependencies{"
 	for _, k := range keysForDependencies {
 		mapStringForDependencies += fmt.Sprintf("%v: %v,", k, this.Dependencies[k])
@@ -3839,7 +2895,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Definitions {
 		keysForDefinitions = append(keysForDefinitions, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDefinitions)
+	sort.Strings(keysForDefinitions)
 	mapStringForDefinitions := "JSONSchemaDefinitions{"
 	for _, k := range keysForDefinitions {
 		mapStringForDefinitions += fmt.Sprintf("%v: %v,", k, this.Definitions[k])
@@ -5106,6 +4162,25 @@ func (m *CustomResourceDefinitionCondition) Unmarshal(dAtA []byte) error {
 			}
 			m.Message = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -5851,6 +4926,25 @@ func (m *CustomResourceDefinitionStatus) Unmarshal(dAtA []byte) error {
 			}
 			m.StoredVersions = append(m.StoredVersions, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto
index 1bbd0ce13e155..83b50127c7163 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.proto
@@ -155,6 +155,13 @@ message CustomResourceDefinitionCondition {
   // message is a human-readable message indicating details about last transition.
   // +optional
   optional string message = 5;
+
+  // observedGeneration represents the .metadata.generation that the condition was set based upon.
+  // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+  // with respect to the current state of the instance.
+  // +featureGate=CRDObservedGenerationTracking
+  // +optional
+  optional int64 observedGeneration = 6;
 }
 
 // CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
@@ -263,6 +270,11 @@ message CustomResourceDefinitionStatus {
   // +optional
   // +listType=atomic
   repeated string storedVersions = 3;
+
+  // The generation observed by the CRD controller.
+  // +featureGate=CRDObservedGenerationTracking
+  // +optional
+  optional int64 observedGeneration = 4;
 }
 
 // CustomResourceDefinitionVersion describes a version for CRD.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..7dc6ed2bc584b
--- /dev/null
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/generated.protomessage.pb.go
@@ -0,0 +1,76 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ConversionRequest) ProtoMessage() {}
+
+func (*ConversionResponse) ProtoMessage() {}
+
+func (*ConversionReview) ProtoMessage() {}
+
+func (*CustomResourceColumnDefinition) ProtoMessage() {}
+
+func (*CustomResourceConversion) ProtoMessage() {}
+
+func (*CustomResourceDefinition) ProtoMessage() {}
+
+func (*CustomResourceDefinitionCondition) ProtoMessage() {}
+
+func (*CustomResourceDefinitionList) ProtoMessage() {}
+
+func (*CustomResourceDefinitionNames) ProtoMessage() {}
+
+func (*CustomResourceDefinitionSpec) ProtoMessage() {}
+
+func (*CustomResourceDefinitionStatus) ProtoMessage() {}
+
+func (*CustomResourceDefinitionVersion) ProtoMessage() {}
+
+func (*CustomResourceSubresourceScale) ProtoMessage() {}
+
+func (*CustomResourceSubresourceStatus) ProtoMessage() {}
+
+func (*CustomResourceSubresources) ProtoMessage() {}
+
+func (*CustomResourceValidation) ProtoMessage() {}
+
+func (*ExternalDocumentation) ProtoMessage() {}
+
+func (*JSON) ProtoMessage() {}
+
+func (*JSONSchemaProps) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrArray) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrBool) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrStringArray) ProtoMessage() {}
+
+func (*SelectableField) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
+
+func (*ValidationRule) ProtoMessage() {}
+
+func (*WebhookClientConfig) ProtoMessage() {}
+
+func (*WebhookConversion) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types.go
index 212cea6f6960d..764726b6e9a6b 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types.go
@@ -350,6 +350,12 @@ type CustomResourceDefinitionCondition struct {
 	// message is a human-readable message indicating details about last transition.
 	// +optional
 	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,6,opt,name=observedGeneration"`
 }
 
 // CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
@@ -374,6 +380,11 @@ type CustomResourceDefinitionStatus struct {
 	// +optional
 	// +listType=atomic
 	StoredVersions []string `json:"storedVersions" protobuf:"bytes,3,rep,name=storedVersions"`
+
+	// The generation observed by the CRD controller.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,4,opt,name=observedGeneration"`
 }
 
 // CustomResourceCleanupFinalizer is the name of the finalizer which will delete instances of
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go
index bb1d7e01429ec..4d02c8df03d42 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.conversion.go
@@ -356,6 +356,7 @@ func autoConvert_v1_CustomResourceDefinitionCondition_To_apiextensions_CustomRes
 	out.LastTransitionTime = in.LastTransitionTime
 	out.Reason = in.Reason
 	out.Message = in.Message
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -370,6 +371,7 @@ func autoConvert_apiextensions_CustomResourceDefinitionCondition_To_v1_CustomRes
 	out.LastTransitionTime = in.LastTransitionTime
 	out.Reason = in.Reason
 	out.Message = in.Message
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -525,6 +527,7 @@ func autoConvert_v1_CustomResourceDefinitionStatus_To_apiextensions_CustomResour
 		return err
 	}
 	out.StoredVersions = *(*[]string)(unsafe.Pointer(&in.StoredVersions))
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -539,6 +542,7 @@ func autoConvert_apiextensions_CustomResourceDefinitionStatus_To_v1_CustomResour
 		return err
 	}
 	out.StoredVersions = *(*[]string)(unsafe.Pointer(&in.StoredVersions))
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.model_name.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..285fdd9fad271
--- /dev/null
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/zz_generated.model_name.go
@@ -0,0 +1,157 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionRequest) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ConversionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionResponse) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ConversionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionReview) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ConversionReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceColumnDefinition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceConversion) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionCondition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionList) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionNames) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionSpec) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionStatus) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionVersion) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresourceScale) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresourceStatus) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresources) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceValidation) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalDocumentation) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSON) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaProps) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrArray) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrBool) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrStringArray) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelectableField) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidationRule) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookClientConfig) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookConversion) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/doc.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/doc.go
index 6ddea3e0140d5..ccf0a36a4a861 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/doc.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/doc.go
@@ -20,6 +20,8 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:openapi-gen=true
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1
+
 // +groupName=apiextensions.k8s.io
 
 // Package v1beta1 is the v1beta1 version of the API.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.pb.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.pb.go
index 32e58324071ec..ef4fba8505398 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.pb.go
@@ -24,9 +24,8 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
 	math "math"
@@ -37,986 +36,57 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ConversionRequest) Reset() { *m = ConversionRequest{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ConversionResponse) Reset() { *m = ConversionResponse{} }
 
-func (m *ConversionRequest) Reset()      { *m = ConversionRequest{} }
-func (*ConversionRequest) ProtoMessage() {}
-func (*ConversionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{0}
-}
-func (m *ConversionRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionRequest.Merge(m, src)
-}
-func (m *ConversionRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionRequest proto.InternalMessageInfo
-
-func (m *ConversionResponse) Reset()      { *m = ConversionResponse{} }
-func (*ConversionResponse) ProtoMessage() {}
-func (*ConversionResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{1}
-}
-func (m *ConversionResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionResponse.Merge(m, src)
-}
-func (m *ConversionResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionResponse proto.InternalMessageInfo
-
-func (m *ConversionReview) Reset()      { *m = ConversionReview{} }
-func (*ConversionReview) ProtoMessage() {}
-func (*ConversionReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{2}
-}
-func (m *ConversionReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConversionReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConversionReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConversionReview.Merge(m, src)
-}
-func (m *ConversionReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConversionReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConversionReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConversionReview proto.InternalMessageInfo
-
-func (m *CustomResourceColumnDefinition) Reset()      { *m = CustomResourceColumnDefinition{} }
-func (*CustomResourceColumnDefinition) ProtoMessage() {}
-func (*CustomResourceColumnDefinition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{3}
-}
-func (m *CustomResourceColumnDefinition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceColumnDefinition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceColumnDefinition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceColumnDefinition.Merge(m, src)
-}
-func (m *CustomResourceColumnDefinition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceColumnDefinition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceColumnDefinition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceColumnDefinition proto.InternalMessageInfo
-
-func (m *CustomResourceConversion) Reset()      { *m = CustomResourceConversion{} }
-func (*CustomResourceConversion) ProtoMessage() {}
-func (*CustomResourceConversion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{4}
-}
-func (m *CustomResourceConversion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceConversion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceConversion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceConversion.Merge(m, src)
-}
-func (m *CustomResourceConversion) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceConversion) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceConversion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceConversion proto.InternalMessageInfo
-
-func (m *CustomResourceDefinition) Reset()      { *m = CustomResourceDefinition{} }
-func (*CustomResourceDefinition) ProtoMessage() {}
-func (*CustomResourceDefinition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{5}
-}
-func (m *CustomResourceDefinition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinition.Merge(m, src)
-}
-func (m *CustomResourceDefinition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinition proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionCondition) Reset()      { *m = CustomResourceDefinitionCondition{} }
-func (*CustomResourceDefinitionCondition) ProtoMessage() {}
-func (*CustomResourceDefinitionCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{6}
-}
-func (m *CustomResourceDefinitionCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionCondition.Merge(m, src)
-}
-func (m *CustomResourceDefinitionCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionCondition proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionList) Reset()      { *m = CustomResourceDefinitionList{} }
-func (*CustomResourceDefinitionList) ProtoMessage() {}
-func (*CustomResourceDefinitionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{7}
-}
-func (m *CustomResourceDefinitionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionList.Merge(m, src)
-}
-func (m *CustomResourceDefinitionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionList proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionNames) Reset()      { *m = CustomResourceDefinitionNames{} }
-func (*CustomResourceDefinitionNames) ProtoMessage() {}
-func (*CustomResourceDefinitionNames) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{8}
-}
-func (m *CustomResourceDefinitionNames) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionNames) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionNames.Merge(m, src)
-}
-func (m *CustomResourceDefinitionNames) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionNames) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionNames.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionNames proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionSpec) Reset()      { *m = CustomResourceDefinitionSpec{} }
-func (*CustomResourceDefinitionSpec) ProtoMessage() {}
-func (*CustomResourceDefinitionSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{9}
-}
-func (m *CustomResourceDefinitionSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionSpec.Merge(m, src)
-}
-func (m *CustomResourceDefinitionSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionSpec proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionStatus) Reset()      { *m = CustomResourceDefinitionStatus{} }
-func (*CustomResourceDefinitionStatus) ProtoMessage() {}
-func (*CustomResourceDefinitionStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{10}
-}
-func (m *CustomResourceDefinitionStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionStatus.Merge(m, src)
-}
-func (m *CustomResourceDefinitionStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionStatus proto.InternalMessageInfo
-
-func (m *CustomResourceDefinitionVersion) Reset()      { *m = CustomResourceDefinitionVersion{} }
-func (*CustomResourceDefinitionVersion) ProtoMessage() {}
-func (*CustomResourceDefinitionVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{11}
-}
-func (m *CustomResourceDefinitionVersion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceDefinitionVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceDefinitionVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceDefinitionVersion.Merge(m, src)
-}
-func (m *CustomResourceDefinitionVersion) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceDefinitionVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceDefinitionVersion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceDefinitionVersion proto.InternalMessageInfo
-
-func (m *CustomResourceSubresourceScale) Reset()      { *m = CustomResourceSubresourceScale{} }
-func (*CustomResourceSubresourceScale) ProtoMessage() {}
-func (*CustomResourceSubresourceScale) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{12}
-}
-func (m *CustomResourceSubresourceScale) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresourceScale) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresourceScale) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresourceScale.Merge(m, src)
-}
-func (m *CustomResourceSubresourceScale) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresourceScale) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresourceScale.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomResourceSubresourceScale proto.InternalMessageInfo
-
-func (m *CustomResourceSubresourceStatus) Reset()      { *m = CustomResourceSubresourceStatus{} }
-func (*CustomResourceSubresourceStatus) ProtoMessage() {}
-func (*CustomResourceSubresourceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{13}
-}
-func (m *CustomResourceSubresourceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresourceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresourceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresourceStatus.Merge(m, src)
-}
-func (m *CustomResourceSubresourceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresourceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresourceStatus.DiscardUnknown(m)
-}
+func (m *ConversionReview) Reset() { *m = ConversionReview{} }
 
-var xxx_messageInfo_CustomResourceSubresourceStatus proto.InternalMessageInfo
+func (m *CustomResourceColumnDefinition) Reset() { *m = CustomResourceColumnDefinition{} }
 
-func (m *CustomResourceSubresources) Reset()      { *m = CustomResourceSubresources{} }
-func (*CustomResourceSubresources) ProtoMessage() {}
-func (*CustomResourceSubresources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{14}
-}
-func (m *CustomResourceSubresources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceSubresources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceSubresources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceSubresources.Merge(m, src)
-}
-func (m *CustomResourceSubresources) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceSubresources) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceSubresources.DiscardUnknown(m)
-}
+func (m *CustomResourceConversion) Reset() { *m = CustomResourceConversion{} }
 
-var xxx_messageInfo_CustomResourceSubresources proto.InternalMessageInfo
+func (m *CustomResourceDefinition) Reset() { *m = CustomResourceDefinition{} }
 
-func (m *CustomResourceValidation) Reset()      { *m = CustomResourceValidation{} }
-func (*CustomResourceValidation) ProtoMessage() {}
-func (*CustomResourceValidation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{15}
-}
-func (m *CustomResourceValidation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomResourceValidation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomResourceValidation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomResourceValidation.Merge(m, src)
-}
-func (m *CustomResourceValidation) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomResourceValidation) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomResourceValidation.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionCondition) Reset() { *m = CustomResourceDefinitionCondition{} }
 
-var xxx_messageInfo_CustomResourceValidation proto.InternalMessageInfo
+func (m *CustomResourceDefinitionList) Reset() { *m = CustomResourceDefinitionList{} }
 
-func (m *ExternalDocumentation) Reset()      { *m = ExternalDocumentation{} }
-func (*ExternalDocumentation) ProtoMessage() {}
-func (*ExternalDocumentation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{16}
-}
-func (m *ExternalDocumentation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalDocumentation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalDocumentation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalDocumentation.Merge(m, src)
-}
-func (m *ExternalDocumentation) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalDocumentation) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalDocumentation.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionNames) Reset() { *m = CustomResourceDefinitionNames{} }
 
-var xxx_messageInfo_ExternalDocumentation proto.InternalMessageInfo
+func (m *CustomResourceDefinitionSpec) Reset() { *m = CustomResourceDefinitionSpec{} }
 
-func (m *JSON) Reset()      { *m = JSON{} }
-func (*JSON) ProtoMessage() {}
-func (*JSON) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{17}
-}
-func (m *JSON) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSON) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSON) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSON.Merge(m, src)
-}
-func (m *JSON) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSON) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSON.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionStatus) Reset() { *m = CustomResourceDefinitionStatus{} }
 
-var xxx_messageInfo_JSON proto.InternalMessageInfo
-
-func (m *JSONSchemaProps) Reset()      { *m = JSONSchemaProps{} }
-func (*JSONSchemaProps) ProtoMessage() {}
-func (*JSONSchemaProps) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{18}
-}
-func (m *JSONSchemaProps) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaProps) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaProps) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaProps.Merge(m, src)
-}
-func (m *JSONSchemaProps) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaProps) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaProps.DiscardUnknown(m)
-}
+func (m *CustomResourceDefinitionVersion) Reset() { *m = CustomResourceDefinitionVersion{} }
 
-var xxx_messageInfo_JSONSchemaProps proto.InternalMessageInfo
+func (m *CustomResourceSubresourceScale) Reset() { *m = CustomResourceSubresourceScale{} }
 
-func (m *JSONSchemaPropsOrArray) Reset()      { *m = JSONSchemaPropsOrArray{} }
-func (*JSONSchemaPropsOrArray) ProtoMessage() {}
-func (*JSONSchemaPropsOrArray) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{19}
-}
-func (m *JSONSchemaPropsOrArray) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrArray) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrArray) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrArray.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrArray) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrArray) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrArray.DiscardUnknown(m)
-}
+func (m *CustomResourceSubresourceStatus) Reset() { *m = CustomResourceSubresourceStatus{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrArray proto.InternalMessageInfo
+func (m *CustomResourceSubresources) Reset() { *m = CustomResourceSubresources{} }
 
-func (m *JSONSchemaPropsOrBool) Reset()      { *m = JSONSchemaPropsOrBool{} }
-func (*JSONSchemaPropsOrBool) ProtoMessage() {}
-func (*JSONSchemaPropsOrBool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{20}
-}
-func (m *JSONSchemaPropsOrBool) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrBool) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrBool) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrBool.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrBool) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrBool) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrBool.DiscardUnknown(m)
-}
+func (m *CustomResourceValidation) Reset() { *m = CustomResourceValidation{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrBool proto.InternalMessageInfo
+func (m *ExternalDocumentation) Reset() { *m = ExternalDocumentation{} }
 
-func (m *JSONSchemaPropsOrStringArray) Reset()      { *m = JSONSchemaPropsOrStringArray{} }
-func (*JSONSchemaPropsOrStringArray) ProtoMessage() {}
-func (*JSONSchemaPropsOrStringArray) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{21}
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JSONSchemaPropsOrStringArray.Merge(m, src)
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_Size() int {
-	return m.Size()
-}
-func (m *JSONSchemaPropsOrStringArray) XXX_DiscardUnknown() {
-	xxx_messageInfo_JSONSchemaPropsOrStringArray.DiscardUnknown(m)
-}
+func (m *JSON) Reset() { *m = JSON{} }
 
-var xxx_messageInfo_JSONSchemaPropsOrStringArray proto.InternalMessageInfo
+func (m *JSONSchemaProps) Reset() { *m = JSONSchemaProps{} }
 
-func (m *SelectableField) Reset()      { *m = SelectableField{} }
-func (*SelectableField) ProtoMessage() {}
-func (*SelectableField) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{22}
-}
-func (m *SelectableField) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelectableField) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelectableField) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelectableField.Merge(m, src)
-}
-func (m *SelectableField) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelectableField) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelectableField.DiscardUnknown(m)
-}
+func (m *JSONSchemaPropsOrArray) Reset() { *m = JSONSchemaPropsOrArray{} }
 
-var xxx_messageInfo_SelectableField proto.InternalMessageInfo
+func (m *JSONSchemaPropsOrBool) Reset() { *m = JSONSchemaPropsOrBool{} }
 
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{23}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
+func (m *JSONSchemaPropsOrStringArray) Reset() { *m = JSONSchemaPropsOrStringArray{} }
 
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
+func (m *SelectableField) Reset() { *m = SelectableField{} }
 
-func (m *ValidationRule) Reset()      { *m = ValidationRule{} }
-func (*ValidationRule) ProtoMessage() {}
-func (*ValidationRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{24}
-}
-func (m *ValidationRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ValidationRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ValidationRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ValidationRule.Merge(m, src)
-}
-func (m *ValidationRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *ValidationRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_ValidationRule.DiscardUnknown(m)
-}
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
-var xxx_messageInfo_ValidationRule proto.InternalMessageInfo
+func (m *ValidationRule) Reset() { *m = ValidationRule{} }
 
-func (m *WebhookClientConfig) Reset()      { *m = WebhookClientConfig{} }
-func (*WebhookClientConfig) ProtoMessage() {}
-func (*WebhookClientConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_3623d6c0bd238430, []int{25}
-}
-func (m *WebhookClientConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebhookClientConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebhookClientConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebhookClientConfig.Merge(m, src)
-}
-func (m *WebhookClientConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebhookClientConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebhookClientConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WebhookClientConfig proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ConversionRequest)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ConversionRequest")
-	proto.RegisterType((*ConversionResponse)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ConversionResponse")
-	proto.RegisterType((*ConversionReview)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ConversionReview")
-	proto.RegisterType((*CustomResourceColumnDefinition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition")
-	proto.RegisterType((*CustomResourceConversion)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversion")
-	proto.RegisterType((*CustomResourceDefinition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition")
-	proto.RegisterType((*CustomResourceDefinitionCondition)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionCondition")
-	proto.RegisterType((*CustomResourceDefinitionList)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionList")
-	proto.RegisterType((*CustomResourceDefinitionNames)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames")
-	proto.RegisterType((*CustomResourceDefinitionSpec)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec")
-	proto.RegisterType((*CustomResourceDefinitionStatus)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatus")
-	proto.RegisterType((*CustomResourceDefinitionVersion)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersion")
-	proto.RegisterType((*CustomResourceSubresourceScale)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceScale")
-	proto.RegisterType((*CustomResourceSubresourceStatus)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceStatus")
-	proto.RegisterType((*CustomResourceSubresources)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresources")
-	proto.RegisterType((*CustomResourceValidation)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidation")
-	proto.RegisterType((*ExternalDocumentation)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ExternalDocumentation")
-	proto.RegisterType((*JSON)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSON")
-	proto.RegisterType((*JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps")
-	proto.RegisterMapType((JSONSchemaDefinitions)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps.DefinitionsEntry")
-	proto.RegisterMapType((JSONSchemaDependencies)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps.DependenciesEntry")
-	proto.RegisterMapType((map[string]JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps.PatternPropertiesEntry")
-	proto.RegisterMapType((map[string]JSONSchemaProps)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps.PropertiesEntry")
-	proto.RegisterType((*JSONSchemaPropsOrArray)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrArray")
-	proto.RegisterType((*JSONSchemaPropsOrBool)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBool")
-	proto.RegisterType((*JSONSchemaPropsOrStringArray)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrStringArray")
-	proto.RegisterType((*SelectableField)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.SelectableField")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ServiceReference")
-	proto.RegisterType((*ValidationRule)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.ValidationRule")
-	proto.RegisterType((*WebhookClientConfig)(nil), "k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfig")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto", fileDescriptor_3623d6c0bd238430)
-}
-
-var fileDescriptor_3623d6c0bd238430 = []byte{
-	// 3214 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x5b, 0xcf, 0x73, 0x1c, 0x57,
-	0xf1, 0xf7, 0xac, 0xb4, 0xd2, 0xaa, 0x25, 0x5b, 0xd2, 0xb3, 0xa5, 0x8c, 0x15, 0x47, 0x2b, 0xaf,
-	0xbf, 0xf1, 0x57, 0x49, 0x9c, 0x55, 0xe2, 0x6f, 0xf2, 0x4d, 0x08, 0xa4, 0x52, 0x5a, 0x49, 0x0e,
-	0x4a, 0x2c, 0x4b, 0xbc, 0xb5, 0x1d, 0x41, 0x7e, 0x8e, 0x76, 0x9e, 0xd6, 0x63, 0xcf, 0xce, 0x8c,
-	0xe7, 0xcd, 0xac, 0xa4, 0x0a, 0x50, 0x40, 0x2a, 0x05, 0x45, 0x01, 0xa1, 0x48, 0x2e, 0x14, 0x70,
-	0x08, 0x14, 0x17, 0x0e, 0x70, 0x80, 0x1b, 0xfc, 0x01, 0x39, 0xa6, 0x80, 0x43, 0x0e, 0xd4, 0x16,
-	0x59, 0xfe, 0x05, 0x0a, 0xaa, 0x74, 0xa2, 0xde, 0x8f, 0x99, 0x79, 0x33, 0xbb, 0x6b, 0xbb, 0xa2,
-	0xdd, 0xb8, 0xb8, 0x69, 0xbb, 0xfb, 0xf5, 0xa7, 0xa7, 0x5f, 0xbf, 0xee, 0x7e, 0x3d, 0x23, 0xd8,
-	0xb8, 0xf5, 0x2c, 0x2d, 0x5b, 0xee, 0x92, 0xe1, 0x59, 0x64, 0x3f, 0x20, 0x0e, 0xb5, 0x5c, 0x87,
-	0x3e, 0x6e, 0x78, 0x16, 0x25, 0x7e, 0x93, 0xf8, 0x4b, 0xde, 0xad, 0x3a, 0xe3, 0xd1, 0xb4, 0xc0,
-	0x52, 0xf3, 0xc9, 0x1d, 0x12, 0x18, 0x4f, 0x2e, 0xd5, 0x89, 0x43, 0x7c, 0x23, 0x20, 0x66, 0xd9,
-	0xf3, 0xdd, 0xc0, 0x45, 0xcf, 0x0b, 0x75, 0xe5, 0x94, 0xf4, 0x9b, 0xb1, 0xba, 0xb2, 0x77, 0xab,
-	0xce, 0x78, 0x34, 0x2d, 0x50, 0x96, 0xea, 0xe6, 0x1e, 0xaf, 0x5b, 0xc1, 0x8d, 0x70, 0xa7, 0x5c,
-	0x73, 0x1b, 0x4b, 0x75, 0xb7, 0xee, 0x2e, 0x71, 0xad, 0x3b, 0xe1, 0x2e, 0xff, 0xc5, 0x7f, 0xf0,
-	0xbf, 0x04, 0xda, 0xdc, 0x53, 0x89, 0xf1, 0x0d, 0xa3, 0x76, 0xc3, 0x72, 0x88, 0x7f, 0x90, 0x58,
-	0xdc, 0x20, 0x81, 0xb1, 0xd4, 0xec, 0xb0, 0x71, 0x6e, 0xa9, 0xd7, 0x2a, 0x3f, 0x74, 0x02, 0xab,
-	0x41, 0x3a, 0x16, 0xfc, 0xff, 0xdd, 0x16, 0xd0, 0xda, 0x0d, 0xd2, 0x30, 0xb2, 0xeb, 0x4a, 0x87,
-	0x1a, 0x4c, 0xaf, 0xb8, 0x4e, 0x93, 0xf8, 0xec, 0x29, 0x31, 0xb9, 0x1d, 0x12, 0x1a, 0xa0, 0x0a,
-	0x0c, 0x85, 0x96, 0xa9, 0x6b, 0x0b, 0xda, 0xe2, 0x58, 0xe5, 0x89, 0x8f, 0x5a, 0xc5, 0x63, 0xed,
-	0x56, 0x71, 0xe8, 0xda, 0xfa, 0xea, 0x61, 0xab, 0x78, 0xb6, 0x17, 0x52, 0x70, 0xe0, 0x11, 0x5a,
-	0xbe, 0xb6, 0xbe, 0x8a, 0xd9, 0x62, 0xf4, 0x22, 0x4c, 0x9b, 0x84, 0x5a, 0x3e, 0x31, 0x97, 0xb7,
-	0xd6, 0xaf, 0x0b, 0xfd, 0x7a, 0x8e, 0x6b, 0x3c, 0x2d, 0x35, 0x4e, 0xaf, 0x66, 0x05, 0x70, 0xe7,
-	0x1a, 0xb4, 0x0d, 0xa3, 0xee, 0xce, 0x4d, 0x52, 0x0b, 0xa8, 0x3e, 0xb4, 0x30, 0xb4, 0x38, 0x7e,
-	0xf1, 0xf1, 0x72, 0xb2, 0x83, 0xb1, 0x09, 0x7c, 0xdb, 0xe4, 0xc3, 0x96, 0xb1, 0xb1, 0xb7, 0x16,
-	0xed, 0x5c, 0x65, 0x52, 0xa2, 0x8d, 0x6e, 0x0a, 0x2d, 0x38, 0x52, 0x57, 0xfa, 0x55, 0x0e, 0x90,
-	0xfa, 0xf0, 0xd4, 0x73, 0x1d, 0x4a, 0xfa, 0xf2, 0xf4, 0x14, 0xa6, 0x6a, 0x5c, 0x73, 0x40, 0x4c,
-	0x89, 0xab, 0xe7, 0x3e, 0x8b, 0xf5, 0xba, 0xc4, 0x9f, 0x5a, 0xc9, 0xa8, 0xc3, 0x1d, 0x00, 0xe8,
-	0x2a, 0x8c, 0xf8, 0x84, 0x86, 0x76, 0xa0, 0x0f, 0x2d, 0x68, 0x8b, 0xe3, 0x17, 0x2f, 0xf4, 0x84,
-	0xe2, 0xf1, 0xcd, 0x82, 0xaf, 0xdc, 0x7c, 0xb2, 0x5c, 0x0d, 0x8c, 0x20, 0xa4, 0x95, 0x13, 0x12,
-	0x69, 0x04, 0x73, 0x1d, 0x58, 0xea, 0x2a, 0x7d, 0x2f, 0x07, 0x53, 0xaa, 0x97, 0x9a, 0x16, 0xd9,
-	0x43, 0x7b, 0x30, 0xea, 0x8b, 0x60, 0xe1, 0x7e, 0x1a, 0xbf, 0xb8, 0x55, 0x3e, 0xd2, 0xb1, 0x2a,
-	0x77, 0x04, 0x61, 0x65, 0x9c, 0xed, 0x99, 0xfc, 0x81, 0x23, 0x34, 0xf4, 0x36, 0x14, 0x7c, 0xb9,
-	0x51, 0x3c, 0x9a, 0xc6, 0x2f, 0x7e, 0xa5, 0x8f, 0xc8, 0x42, 0x71, 0x65, 0xa2, 0xdd, 0x2a, 0x16,
-	0xa2, 0x5f, 0x38, 0x06, 0x2c, 0xbd, 0x9f, 0x83, 0xf9, 0x95, 0x90, 0x06, 0x6e, 0x03, 0x13, 0xea,
-	0x86, 0x7e, 0x8d, 0xac, 0xb8, 0x76, 0xd8, 0x70, 0x56, 0xc9, 0xae, 0xe5, 0x58, 0x01, 0x8b, 0xd6,
-	0x05, 0x18, 0x76, 0x8c, 0x06, 0x91, 0xd1, 0x33, 0x21, 0x7d, 0x3a, 0x7c, 0xc5, 0x68, 0x10, 0xcc,
-	0x39, 0x4c, 0x82, 0x05, 0x8b, 0x3c, 0x0b, 0xb1, 0xc4, 0xd5, 0x03, 0x8f, 0x60, 0xce, 0x41, 0xe7,
-	0x61, 0x64, 0xd7, 0xf5, 0x1b, 0x86, 0xd8, 0xc7, 0xb1, 0x64, 0x67, 0x2e, 0x71, 0x2a, 0x96, 0x5c,
-	0xf4, 0x34, 0x8c, 0x9b, 0x84, 0xd6, 0x7c, 0xcb, 0x63, 0xd0, 0xfa, 0x30, 0x17, 0x3e, 0x29, 0x85,
-	0xc7, 0x57, 0x13, 0x16, 0x56, 0xe5, 0xd0, 0x05, 0x28, 0x78, 0xbe, 0xe5, 0xfa, 0x56, 0x70, 0xa0,
-	0xe7, 0x17, 0xb4, 0xc5, 0x7c, 0x65, 0x4a, 0xae, 0x29, 0x6c, 0x49, 0x3a, 0x8e, 0x25, 0xd0, 0x02,
-	0x14, 0x5e, 0xaa, 0x6e, 0x5e, 0xd9, 0x32, 0x82, 0x1b, 0xfa, 0x08, 0x47, 0x18, 0x66, 0xd2, 0x38,
-	0xa6, 0x96, 0xfe, 0x96, 0x03, 0x3d, 0xeb, 0x95, 0xc8, 0xa5, 0xe8, 0x12, 0x14, 0x68, 0xc0, 0x32,
-	0x4e, 0xfd, 0x40, 0xfa, 0xe4, 0xd1, 0x08, 0xac, 0x2a, 0xe9, 0x87, 0xad, 0xe2, 0x6c, 0xb2, 0x22,
-	0xa2, 0x72, 0x7f, 0xc4, 0x6b, 0xd1, 0x2f, 0x34, 0x38, 0xb9, 0x47, 0x76, 0x6e, 0xb8, 0xee, 0xad,
-	0x15, 0xdb, 0x22, 0x4e, 0xb0, 0xe2, 0x3a, 0xbb, 0x56, 0x5d, 0xc6, 0x00, 0x3e, 0x62, 0x0c, 0xbc,
-	0xd2, 0xa9, 0xb9, 0xf2, 0x40, 0xbb, 0x55, 0x3c, 0xd9, 0x85, 0x81, 0xbb, 0xd9, 0x81, 0xb6, 0x41,
-	0xaf, 0x65, 0x0e, 0x89, 0x4c, 0x60, 0x22, 0x6d, 0x8d, 0x55, 0xce, 0xb4, 0x5b, 0x45, 0x7d, 0xa5,
-	0x87, 0x0c, 0xee, 0xb9, 0xba, 0xf4, 0xce, 0x50, 0xd6, 0xbd, 0x4a, 0xb8, 0xbd, 0x05, 0x05, 0x76,
-	0x8c, 0x4d, 0x23, 0x30, 0xe4, 0x41, 0x7c, 0xe2, 0xde, 0x0e, 0xbd, 0xc8, 0x19, 0x1b, 0x24, 0x30,
-	0x2a, 0x48, 0x6e, 0x08, 0x24, 0x34, 0x1c, 0x6b, 0x45, 0xdf, 0x80, 0x61, 0xea, 0x91, 0x9a, 0x74,
-	0xf4, 0xab, 0x47, 0x3d, 0x6c, 0x3d, 0x1e, 0xa4, 0xea, 0x91, 0x5a, 0x72, 0x16, 0xd8, 0x2f, 0xcc,
-	0x61, 0xd1, 0xbb, 0x1a, 0x8c, 0x50, 0x9e, 0xa0, 0x64, 0x52, 0x7b, 0x7d, 0x50, 0x16, 0x64, 0xb2,
-	0xa0, 0xf8, 0x8d, 0x25, 0x78, 0xe9, 0x9f, 0x39, 0x38, 0xdb, 0x6b, 0xe9, 0x8a, 0xeb, 0x98, 0x62,
-	0x3b, 0xd6, 0xe5, 0xd9, 0x16, 0x91, 0xfe, 0xb4, 0x7a, 0xb6, 0x0f, 0x5b, 0xc5, 0x87, 0xef, 0xaa,
-	0x40, 0x49, 0x02, 0x5f, 0x88, 0x9f, 0x5b, 0x24, 0x8a, 0xb3, 0x69, 0xc3, 0x0e, 0x5b, 0xc5, 0xc9,
-	0x78, 0x59, 0xda, 0x56, 0xd4, 0x04, 0x64, 0x1b, 0x34, 0xb8, 0xea, 0x1b, 0x0e, 0x15, 0x6a, 0xad,
-	0x06, 0x91, 0xee, 0x7b, 0xf4, 0xde, 0xc2, 0x83, 0xad, 0xa8, 0xcc, 0x49, 0x48, 0x74, 0xb9, 0x43,
-	0x1b, 0xee, 0x82, 0xc0, 0xf2, 0x96, 0x4f, 0x0c, 0x1a, 0xa7, 0x22, 0xa5, 0xa2, 0x30, 0x2a, 0x96,
-	0x5c, 0xf4, 0x08, 0x8c, 0x36, 0x08, 0xa5, 0x46, 0x9d, 0xf0, 0xfc, 0x33, 0x96, 0x94, 0xe8, 0x0d,
-	0x41, 0xc6, 0x11, 0x9f, 0xf5, 0x27, 0x67, 0x7a, 0x79, 0xed, 0xb2, 0x45, 0x03, 0xf4, 0x5a, 0xc7,
-	0x01, 0x28, 0xdf, 0xdb, 0x13, 0xb2, 0xd5, 0x3c, 0xfc, 0xe3, 0xe4, 0x17, 0x51, 0x94, 0xe0, 0xff,
-	0x3a, 0xe4, 0xad, 0x80, 0x34, 0xa2, 0xda, 0xfd, 0xca, 0x80, 0x62, 0xaf, 0x72, 0x5c, 0xda, 0x90,
-	0x5f, 0x67, 0x68, 0x58, 0x80, 0x96, 0x7e, 0x9d, 0x83, 0x87, 0x7a, 0x2d, 0x61, 0x05, 0x85, 0x32,
-	0x8f, 0x7b, 0x76, 0xe8, 0x1b, 0xb6, 0x8c, 0xb8, 0xd8, 0xe3, 0x5b, 0x9c, 0x8a, 0x25, 0x97, 0xa5,
-	0x7c, 0x6a, 0x39, 0xf5, 0xd0, 0x36, 0x7c, 0x19, 0x4e, 0xf1, 0x53, 0x57, 0x25, 0x1d, 0xc7, 0x12,
-	0xa8, 0x0c, 0x40, 0x6f, 0xb8, 0x7e, 0xc0, 0x31, 0x64, 0xf6, 0x3a, 0xc1, 0x12, 0x44, 0x35, 0xa6,
-	0x62, 0x45, 0x82, 0x55, 0xb4, 0x5b, 0x96, 0x63, 0xca, 0x5d, 0x8f, 0x4f, 0xf1, 0xcb, 0x96, 0x63,
-	0x62, 0xce, 0x61, 0xf8, 0xb6, 0x45, 0x03, 0x46, 0x91, 0x5b, 0x9e, 0xf2, 0x3a, 0x97, 0x8c, 0x25,
-	0x18, 0x7e, 0x8d, 0x65, 0x7d, 0xd7, 0xb7, 0x08, 0xd5, 0x47, 0x12, 0xfc, 0x95, 0x98, 0x8a, 0x15,
-	0x89, 0xd2, 0x3b, 0xd0, 0x3b, 0x48, 0x58, 0x2a, 0x41, 0xe7, 0x20, 0x5f, 0xf7, 0xdd, 0xd0, 0x93,
-	0x5e, 0x8a, 0xbd, 0xfd, 0x22, 0x23, 0x62, 0xc1, 0x63, 0x51, 0xd9, 0x4c, 0xb5, 0xa9, 0x71, 0x54,
-	0x46, 0xcd, 0x69, 0xc4, 0x47, 0xdf, 0xd6, 0x20, 0xef, 0x48, 0xe7, 0xb0, 0x90, 0x7b, 0x6d, 0x40,
-	0x71, 0xc1, 0xdd, 0x9b, 0x98, 0x2b, 0x3c, 0x2f, 0x90, 0xd1, 0x53, 0x90, 0xa7, 0x35, 0xd7, 0x23,
-	0xd2, 0xeb, 0xf3, 0x91, 0x50, 0x95, 0x11, 0x0f, 0x5b, 0xc5, 0xe3, 0x91, 0x3a, 0x4e, 0xc0, 0x42,
-	0x18, 0x7d, 0x57, 0x03, 0x68, 0x1a, 0xb6, 0x65, 0x1a, 0xbc, 0x65, 0xc8, 0x73, 0xf3, 0xfb, 0x1b,
-	0xd6, 0xd7, 0x63, 0xf5, 0x62, 0xd3, 0x92, 0xdf, 0x58, 0x81, 0x46, 0xef, 0x69, 0x30, 0x41, 0xc3,
-	0x1d, 0x5f, 0xae, 0xa2, 0xbc, 0xb9, 0x18, 0xbf, 0xf8, 0xd5, 0xbe, 0xda, 0x52, 0x55, 0x00, 0x2a,
-	0x53, 0xed, 0x56, 0x71, 0x42, 0xa5, 0xe0, 0x94, 0x01, 0xe8, 0x07, 0x1a, 0x14, 0x9a, 0x51, 0xcd,
-	0x1e, 0xe5, 0x07, 0xfe, 0x8d, 0x01, 0x6d, 0xac, 0x8c, 0xa8, 0xe4, 0x14, 0xc4, 0x7d, 0x40, 0x6c,
-	0x01, 0xfa, 0xa3, 0x06, 0xba, 0x61, 0x8a, 0x04, 0x6f, 0xd8, 0x5b, 0xbe, 0xe5, 0x04, 0xc4, 0x17,
-	0xfd, 0x26, 0xd5, 0x0b, 0xdc, 0xbc, 0xfe, 0xd6, 0xc2, 0x6c, 0x2f, 0x5b, 0x59, 0x90, 0xd6, 0xe9,
-	0xcb, 0x3d, 0xcc, 0xc0, 0x3d, 0x0d, 0x44, 0x1f, 0x68, 0x30, 0x45, 0x89, 0x4d, 0x6a, 0x81, 0xb1,
-	0x63, 0x93, 0x4b, 0x16, 0xb1, 0x4d, 0xaa, 0x8f, 0x73, 0xab, 0xaf, 0x1c, 0xd1, 0xea, 0x6a, 0x5a,
-	0x6d, 0x72, 0x45, 0xca, 0x30, 0x28, 0xee, 0xb0, 0x80, 0xc7, 0x7f, 0xd2, 0x69, 0xe9, 0x63, 0x03,
-	0x88, 0xff, 0xa4, 0xc5, 0x93, 0x49, 0x2b, 0x69, 0xec, 0x14, 0x68, 0xb4, 0x09, 0x33, 0x9e, 0x4f,
-	0x38, 0xc0, 0x35, 0xe7, 0x96, 0xe3, 0xee, 0x39, 0xd2, 0x49, 0xb0, 0xa0, 0x2d, 0x16, 0x2a, 0xa7,
-	0xdb, 0xad, 0xe2, 0xcc, 0x56, 0x37, 0x01, 0xdc, 0x7d, 0x5d, 0xe9, 0xbd, 0xa1, 0xec, 0xe5, 0x24,
-	0xdb, 0xdc, 0xb0, 0x4d, 0x61, 0x26, 0x88, 0x2d, 0xa3, 0xba, 0xc6, 0xb7, 0xe3, 0xad, 0x01, 0xc5,
-	0x78, 0xdc, 0x9d, 0x24, 0x0d, 0x66, 0x4c, 0xa2, 0x58, 0xb1, 0x03, 0xfd, 0x54, 0x83, 0xe3, 0x46,
-	0xad, 0x46, 0xbc, 0x80, 0x98, 0xa2, 0xe6, 0xe4, 0x3e, 0x87, 0xb4, 0x3a, 0x23, 0xad, 0x3a, 0xbe,
-	0xac, 0x42, 0xe3, 0xb4, 0x25, 0xe8, 0x39, 0x38, 0x41, 0x03, 0xd7, 0x27, 0x66, 0xa6, 0x9b, 0x47,
-	0xed, 0x56, 0xf1, 0x44, 0x35, 0xc5, 0xc1, 0x19, 0xc9, 0xd2, 0xbf, 0x46, 0xa0, 0x78, 0x97, 0x0c,
-	0x70, 0x0f, 0xf7, 0xc5, 0xf3, 0x30, 0xc2, 0x1f, 0xd7, 0xe4, 0x5e, 0x29, 0x28, 0x1d, 0x2a, 0xa7,
-	0x62, 0xc9, 0x65, 0xf5, 0x8b, 0xe1, 0xb3, 0xae, 0x6a, 0x88, 0x0b, 0xc6, 0xf5, 0xab, 0x2a, 0xc8,
-	0x38, 0xe2, 0xa3, 0x8b, 0x00, 0x26, 0xf1, 0x7c, 0xc2, 0x6a, 0xa8, 0xa9, 0x8f, 0x72, 0xe9, 0x78,
-	0x93, 0x56, 0x63, 0x0e, 0x56, 0xa4, 0xd0, 0x25, 0x40, 0xd1, 0x2f, 0xcb, 0x75, 0x5e, 0x31, 0x7c,
-	0xc7, 0x72, 0xea, 0x7a, 0x81, 0x9b, 0x3d, 0xcb, 0x9a, 0xc4, 0xd5, 0x0e, 0x2e, 0xee, 0xb2, 0x02,
-	0xbd, 0x0d, 0x23, 0x62, 0x16, 0xc5, 0x0b, 0xd7, 0x00, 0x8b, 0x0f, 0x70, 0x1f, 0x71, 0x28, 0x2c,
-	0x21, 0x3b, 0x8b, 0x4e, 0xfe, 0x7e, 0x17, 0x9d, 0x3b, 0x66, 0xf9, 0x91, 0xff, 0xca, 0x2c, 0x3f,
-	0x76, 0xbf, 0xb3, 0x7c, 0xe9, 0xdf, 0x5a, 0x36, 0x15, 0x2a, 0x3b, 0x50, 0xad, 0x19, 0x36, 0x41,
-	0xab, 0x30, 0xc5, 0xee, 0x97, 0x98, 0x78, 0xb6, 0x55, 0x33, 0x28, 0x1f, 0x6f, 0x88, 0x33, 0x98,
-	0x00, 0x65, 0xf8, 0xb8, 0x63, 0x05, 0x7a, 0x09, 0x90, 0xb8, 0x73, 0xa5, 0xf4, 0x88, 0xf6, 0x31,
-	0xbe, 0x3d, 0x55, 0x3b, 0x24, 0x70, 0x97, 0x55, 0x68, 0x05, 0xa6, 0x6d, 0x63, 0x87, 0xd8, 0xe2,
-	0xf9, 0x5c, 0x9f, 0xab, 0x12, 0x03, 0xa0, 0x99, 0x76, 0xab, 0x38, 0x7d, 0x39, 0xcb, 0xc4, 0x9d,
-	0xf2, 0xa5, 0xb3, 0xd9, 0x8c, 0xa3, 0x3e, 0xb8, 0xb8, 0xc9, 0x7e, 0x98, 0x83, 0xb9, 0xde, 0x01,
-	0x8b, 0xbe, 0x93, 0x5c, 0xb8, 0xc5, 0x7d, 0xea, 0x8d, 0x41, 0x1d, 0x0e, 0x79, 0xe3, 0x86, 0xce,
-	0xdb, 0x36, 0xfa, 0x26, 0x6b, 0x6e, 0x0d, 0x3b, 0x1a, 0xf1, 0xbd, 0x3e, 0x30, 0x13, 0x18, 0x48,
-	0x65, 0x4c, 0xf4, 0xcd, 0x86, 0xcd, 0xdb, 0x64, 0xc3, 0x26, 0xa5, 0xdf, 0x68, 0xd9, 0x99, 0x4b,
-	0x92, 0x58, 0xd0, 0x0f, 0x35, 0x98, 0x74, 0x3d, 0xe2, 0x2c, 0x6f, 0xad, 0x5f, 0xff, 0x3f, 0x91,
-	0x60, 0xa4, 0xab, 0x8e, 0x1a, 0xf3, 0x2f, 0x55, 0x37, 0xaf, 0x08, 0x85, 0x5b, 0xbe, 0xeb, 0xd1,
-	0xca, 0xc9, 0x76, 0xab, 0x38, 0xb9, 0x99, 0x86, 0xc2, 0x59, 0xec, 0x52, 0x03, 0x66, 0xd6, 0xf6,
-	0x03, 0xe2, 0x3b, 0x86, 0xbd, 0xea, 0xd6, 0xc2, 0x06, 0x71, 0x02, 0x61, 0x68, 0x66, 0x3e, 0xa8,
-	0xdd, 0xe3, 0x7c, 0xf0, 0x21, 0x18, 0x0a, 0x7d, 0x5b, 0x46, 0xf1, 0x78, 0x3c, 0xff, 0xc6, 0x97,
-	0x31, 0xa3, 0x97, 0xce, 0xc2, 0x30, 0xb3, 0x13, 0x9d, 0x86, 0x21, 0xdf, 0xd8, 0xe3, 0x5a, 0x27,
-	0x2a, 0xa3, 0x4c, 0x04, 0x1b, 0x7b, 0x98, 0xd1, 0x4a, 0x7f, 0x3d, 0x0b, 0x93, 0x99, 0x67, 0x41,
-	0x73, 0x90, 0x8b, 0x87, 0xea, 0x20, 0x95, 0xe6, 0xd6, 0x57, 0x71, 0xce, 0x32, 0xd1, 0x33, 0x71,
-	0x4d, 0x10, 0xa0, 0xc5, 0xb8, 0xc4, 0x71, 0x2a, 0xbb, 0xcd, 0x24, 0xea, 0x98, 0x21, 0x51, 0x3e,
-	0x67, 0x36, 0x90, 0x5d, 0x79, 0x4a, 0x84, 0x0d, 0x64, 0x17, 0x33, 0xda, 0x67, 0x1d, 0x8e, 0x46,
-	0xd3, 0xd9, 0xfc, 0x3d, 0x4c, 0x67, 0x47, 0xee, 0x38, 0x9d, 0x3d, 0x07, 0xf9, 0xc0, 0x0a, 0x6c,
-	0xc2, 0xeb, 0xab, 0x72, 0xe9, 0xbc, 0xca, 0x88, 0x58, 0xf0, 0xd0, 0x4d, 0x18, 0x35, 0xc9, 0xae,
-	0x11, 0xda, 0x01, 0x2f, 0xa5, 0xe3, 0x17, 0x57, 0xfa, 0x10, 0x42, 0x62, 0x74, 0xbe, 0x2a, 0xf4,
-	0xe2, 0x08, 0x00, 0x3d, 0x0c, 0xa3, 0x0d, 0x63, 0xdf, 0x6a, 0x84, 0x0d, 0xde, 0xf7, 0x6a, 0x42,
-	0x6c, 0x43, 0x90, 0x70, 0xc4, 0x63, 0x99, 0x91, 0xec, 0xd7, 0xec, 0x90, 0x5a, 0x4d, 0x22, 0x99,
-	0xb2, 0x27, 0x8d, 0x33, 0xe3, 0x5a, 0x86, 0x8f, 0x3b, 0x56, 0x70, 0x30, 0xcb, 0xe1, 0x8b, 0xc7,
-	0x15, 0x30, 0x41, 0xc2, 0x11, 0x2f, 0x0d, 0x26, 0xe5, 0x27, 0x7a, 0x81, 0xc9, 0xc5, 0x1d, 0x2b,
-	0xd0, 0x63, 0x30, 0xd6, 0x30, 0xf6, 0x2f, 0x13, 0xa7, 0x1e, 0xdc, 0xd0, 0x8f, 0x2f, 0x68, 0x8b,
-	0x43, 0x95, 0xe3, 0xed, 0x56, 0x71, 0x6c, 0x23, 0x22, 0xe2, 0x84, 0xcf, 0x85, 0x2d, 0x47, 0x0a,
-	0x9f, 0x50, 0x84, 0x23, 0x22, 0x4e, 0xf8, 0xac, 0xa9, 0xf2, 0x8c, 0x80, 0x1d, 0x2e, 0x7d, 0x32,
-	0x3d, 0x14, 0xd8, 0x12, 0x64, 0x1c, 0xf1, 0xd1, 0x22, 0x14, 0x1a, 0xc6, 0x3e, 0x1f, 0xe0, 0xe8,
-	0x53, 0x5c, 0x2d, 0x7f, 0x8d, 0xb0, 0x21, 0x69, 0x38, 0xe6, 0x72, 0x49, 0xcb, 0x11, 0x92, 0xd3,
-	0x8a, 0xa4, 0xa4, 0xe1, 0x98, 0xcb, 0x82, 0x38, 0x74, 0xac, 0xdb, 0x21, 0x11, 0xc2, 0x88, 0x7b,
-	0x26, 0x0e, 0xe2, 0x6b, 0x09, 0x0b, 0xab, 0x72, 0xa8, 0x0c, 0xd0, 0x08, 0xed, 0xc0, 0xf2, 0x6c,
-	0xb2, 0xb9, 0xab, 0x9f, 0xe4, 0xfe, 0xe7, 0x77, 0x91, 0x8d, 0x98, 0x8a, 0x15, 0x09, 0x44, 0x60,
-	0x98, 0x38, 0x61, 0x43, 0x3f, 0xc5, 0x2b, 0x77, 0x5f, 0x42, 0x30, 0x3e, 0x39, 0x6b, 0x4e, 0xd8,
-	0xc0, 0x5c, 0x3d, 0x7a, 0x06, 0x8e, 0x37, 0x8c, 0x7d, 0x96, 0x0e, 0x88, 0x1f, 0x58, 0x84, 0xea,
-	0x33, 0xfc, 0xe1, 0xa7, 0x59, 0x13, 0xbe, 0xa1, 0x32, 0x70, 0x5a, 0x8e, 0x2f, 0xb4, 0x1c, 0x65,
-	0xe1, 0xac, 0xb2, 0x50, 0x65, 0xe0, 0xb4, 0x1c, 0xf3, 0xb4, 0x4f, 0x6e, 0x87, 0x96, 0x4f, 0x4c,
-	0xfd, 0x01, 0xde, 0xb7, 0xcb, 0x57, 0x3b, 0x82, 0x86, 0x63, 0x2e, 0x6a, 0x46, 0x93, 0x3e, 0x9d,
-	0x1f, 0xc3, 0x6b, 0xfd, 0xcd, 0xe4, 0x9b, 0xfe, 0xb2, 0xef, 0x1b, 0x07, 0xa2, 0xd2, 0xa8, 0x33,
-	0x3e, 0x44, 0x21, 0x6f, 0xd8, 0xf6, 0xe6, 0xae, 0x7e, 0xba, 0x2f, 0x5d, 0x53, 0xb6, 0x82, 0xc4,
-	0x59, 0x67, 0x99, 0x81, 0x60, 0x81, 0xc5, 0x40, 0x5d, 0x87, 0x85, 0xc6, 0xdc, 0x60, 0x41, 0x37,
-	0x19, 0x08, 0x16, 0x58, 0xfc, 0x49, 0x9d, 0x83, 0xcd, 0x5d, 0xfd, 0xc1, 0x01, 0x3f, 0x29, 0x03,
-	0xc1, 0x02, 0x0b, 0x59, 0x30, 0xe4, 0xb8, 0x81, 0x7e, 0x66, 0x20, 0xe5, 0x99, 0x17, 0x9c, 0x2b,
-	0x6e, 0x80, 0x19, 0x06, 0xfa, 0x89, 0x06, 0xe0, 0x25, 0x21, 0xfa, 0x50, 0x5f, 0x06, 0x48, 0x19,
-	0xc8, 0x72, 0x12, 0xdb, 0x6b, 0x4e, 0xe0, 0x1f, 0x24, 0xb7, 0x36, 0xe5, 0x0c, 0x28, 0x56, 0xa0,
-	0x5f, 0x6a, 0x70, 0x4a, 0xed, 0xde, 0x63, 0xf3, 0xe6, 0xb9, 0x47, 0xae, 0xf6, 0x3b, 0xcc, 0x2b,
-	0xae, 0x6b, 0x57, 0xf4, 0x76, 0xab, 0x78, 0x6a, 0xb9, 0x0b, 0x2a, 0xee, 0x6a, 0x0b, 0xfa, 0xad,
-	0x06, 0xd3, 0x32, 0x8b, 0x2a, 0x16, 0x16, 0xb9, 0x03, 0x49, 0xbf, 0x1d, 0x98, 0xc5, 0x11, 0x7e,
-	0x8c, 0x3f, 0x49, 0xe8, 0xe0, 0xe3, 0x4e, 0xd3, 0xd0, 0x1f, 0x34, 0x98, 0x30, 0x89, 0x47, 0x1c,
-	0x93, 0x38, 0x35, 0x66, 0xeb, 0x42, 0x5f, 0x26, 0x29, 0x59, 0x5b, 0x57, 0x15, 0x08, 0x61, 0x66,
-	0x59, 0x9a, 0x39, 0xa1, 0xb2, 0x0e, 0x5b, 0xc5, 0xd9, 0x64, 0xa9, 0xca, 0xc1, 0x29, 0x2b, 0xd1,
-	0xfb, 0x1a, 0x4c, 0x26, 0x1b, 0x20, 0x4a, 0xca, 0xd9, 0x01, 0xc6, 0x01, 0x6f, 0x5f, 0x97, 0xd3,
-	0x80, 0x38, 0x6b, 0x01, 0xfa, 0x9d, 0xc6, 0x3a, 0xb5, 0xe8, 0x3a, 0x4a, 0xf5, 0x12, 0xf7, 0xe5,
-	0x9b, 0x7d, 0xf7, 0x65, 0x8c, 0x20, 0x5c, 0x79, 0x21, 0x69, 0x05, 0x63, 0xce, 0x61, 0xab, 0x38,
-	0xa3, 0x7a, 0x32, 0x66, 0x60, 0xd5, 0x42, 0xf4, 0x7d, 0x0d, 0x26, 0x48, 0xd2, 0x71, 0x53, 0xfd,
-	0x5c, 0x5f, 0x9c, 0xd8, 0xb5, 0x89, 0x17, 0x03, 0x04, 0x85, 0x45, 0x71, 0x0a, 0x9b, 0x75, 0x90,
-	0x64, 0xdf, 0x68, 0x78, 0x36, 0xd1, 0xff, 0xa7, 0xcf, 0x1d, 0xe4, 0x9a, 0xd0, 0x8b, 0x23, 0x00,
-	0x74, 0x01, 0x0a, 0x4e, 0x68, 0xdb, 0xec, 0xa6, 0xad, 0x3f, 0xcc, 0x7b, 0x91, 0x78, 0x80, 0x7d,
-	0x45, 0xd2, 0x71, 0x2c, 0x81, 0x76, 0x61, 0x61, 0xff, 0xe5, 0x70, 0x87, 0xf8, 0x0e, 0x09, 0x08,
-	0xed, 0x3a, 0xcb, 0xd4, 0xcf, 0x73, 0x2d, 0x73, 0xed, 0x56, 0x71, 0x76, 0xbb, 0xfb, 0xb4, 0xf3,
-	0xae, 0x3a, 0xd0, 0xab, 0xf0, 0xa0, 0x22, 0xb3, 0xd6, 0xd8, 0x21, 0xa6, 0x49, 0xcc, 0xe8, 0xe2,
-	0xa6, 0xff, 0xaf, 0x98, 0xa7, 0x46, 0x07, 0x7c, 0x3b, 0x2b, 0x80, 0xef, 0xb4, 0x1a, 0x5d, 0x86,
-	0x59, 0x85, 0xbd, 0xee, 0x04, 0x9b, 0x7e, 0x35, 0xf0, 0x2d, 0xa7, 0xae, 0x2f, 0x72, 0xbd, 0xa7,
-	0xa2, 0x13, 0xb9, 0xad, 0xf0, 0x70, 0x8f, 0x35, 0xe8, 0xcb, 0x29, 0x6d, 0xfc, 0x85, 0xa3, 0xe1,
-	0xbd, 0x4c, 0x0e, 0xa8, 0xfe, 0x08, 0xef, 0x4e, 0xf8, 0x66, 0x6f, 0x2b, 0x74, 0xdc, 0x43, 0x1e,
-	0xbd, 0x00, 0x27, 0x33, 0x1c, 0x76, 0x45, 0xd1, 0x1f, 0x15, 0x77, 0x0d, 0xd6, 0xcf, 0x6e, 0x47,
-	0x44, 0xdc, 0x4d, 0x12, 0x7d, 0x09, 0x90, 0x42, 0xde, 0x30, 0x3c, 0xbe, 0xfe, 0x31, 0x71, 0xed,
-	0x61, 0x3b, 0xba, 0x2d, 0x69, 0xb8, 0x8b, 0x1c, 0xfa, 0x99, 0x96, 0x7a, 0x92, 0xe4, 0x76, 0x4c,
-	0xf5, 0x0b, 0xfc, 0xfc, 0x6e, 0x1c, 0x31, 0x0a, 0x95, 0xb7, 0x46, 0xa1, 0x4d, 0x14, 0x37, 0x2b,
-	0x50, 0xb8, 0x87, 0x09, 0x73, 0xec, 0x86, 0x9e, 0xc9, 0xf0, 0x68, 0x0a, 0x86, 0x6e, 0x11, 0xf9,
-	0x0d, 0x0a, 0x66, 0x7f, 0x22, 0x13, 0xf2, 0x4d, 0xc3, 0x0e, 0xa3, 0x21, 0x43, 0x9f, 0xbb, 0x03,
-	0x2c, 0x94, 0x3f, 0x97, 0x7b, 0x56, 0x9b, 0xfb, 0x40, 0x83, 0xd9, 0xee, 0x85, 0xe7, 0xbe, 0x9a,
-	0xf5, 0x73, 0x0d, 0xa6, 0x3b, 0x6a, 0x4c, 0x17, 0x8b, 0x6e, 0xa7, 0x2d, 0x7a, 0xb5, 0xdf, 0xc5,
-	0x42, 0x1c, 0x0e, 0xde, 0x21, 0xab, 0xe6, 0xfd, 0x48, 0x83, 0xa9, 0x6c, 0xda, 0xbe, 0x9f, 0xfe,
-	0x2a, 0x7d, 0x90, 0x83, 0xd9, 0xee, 0x8d, 0x3d, 0xf2, 0xe3, 0x09, 0xc6, 0x60, 0x26, 0x41, 0xdd,
-	0x86, 0xd9, 0xef, 0x6a, 0x30, 0x7e, 0x33, 0x96, 0x8b, 0xbe, 0x51, 0xe8, 0xfb, 0x0c, 0x2a, 0xaa,
-	0x93, 0x09, 0x83, 0x62, 0x15, 0xb7, 0xf4, 0x7b, 0x0d, 0x66, 0xba, 0x36, 0x00, 0xe8, 0x3c, 0x8c,
-	0x18, 0xb6, 0xed, 0xee, 0x89, 0x51, 0xa2, 0xf2, 0xea, 0x62, 0x99, 0x53, 0xb1, 0xe4, 0x2a, 0xde,
-	0xcb, 0x7d, 0x5e, 0xde, 0x2b, 0xfd, 0x49, 0x83, 0x33, 0x77, 0x8a, 0xc4, 0xfb, 0xb2, 0xa5, 0x8b,
-	0x50, 0x90, 0xcd, 0xfb, 0x01, 0xdf, 0x4e, 0x99, 0x8a, 0x65, 0xd2, 0xe0, 0x9f, 0xe5, 0x89, 0xbf,
-	0x4a, 0x2f, 0xc0, 0x64, 0x66, 0x10, 0xce, 0xaa, 0xf3, 0x4d, 0xea, 0x3a, 0xca, 0x28, 0x3b, 0xae,
-	0xce, 0xd1, 0xb7, 0x7a, 0x38, 0x96, 0x28, 0x7d, 0xa8, 0xc1, 0x54, 0x95, 0xf8, 0x4d, 0xab, 0x46,
-	0x30, 0xd9, 0x25, 0x3e, 0x71, 0x6a, 0x04, 0x2d, 0xc1, 0x18, 0xff, 0xba, 0xc0, 0x33, 0x6a, 0xd1,
-	0x2b, 0xa9, 0x69, 0xa9, 0x63, 0xec, 0x4a, 0xc4, 0xc0, 0x89, 0x4c, 0xfc, 0xfa, 0x2a, 0xd7, 0xf3,
-	0xf5, 0xd5, 0x19, 0x18, 0xf6, 0x92, 0x49, 0x76, 0x81, 0x71, 0xb9, 0x25, 0x9c, 0xca, 0xb9, 0xae,
-	0x1f, 0xf0, 0xf1, 0x5c, 0x5e, 0x72, 0x5d, 0x3f, 0xc0, 0x9c, 0x5a, 0xfa, 0x4b, 0x0e, 0x4e, 0xa4,
-	0x0b, 0x01, 0x03, 0xf4, 0x43, 0xbb, 0xe3, 0x7d, 0x19, 0xe3, 0x61, 0xce, 0x51, 0xbf, 0x2e, 0xca,
-	0xdd, 0xf9, 0xeb, 0x22, 0xf4, 0x22, 0x4c, 0xcb, 0x3f, 0xd7, 0xf6, 0x3d, 0x9f, 0x50, 0xfe, 0x4e,
-	0x78, 0x28, 0xfd, 0x8d, 0xf2, 0x46, 0x56, 0x00, 0x77, 0xae, 0x41, 0x5f, 0xcc, 0x7c, 0xf9, 0x74,
-	0x2e, 0xf9, 0xea, 0x89, 0xf5, 0x94, 0x7c, 0x7f, 0xae, 0xb3, 0x3c, 0xb2, 0xe6, 0xfb, 0xae, 0x9f,
-	0xf9, 0x1c, 0x6a, 0x09, 0xc6, 0x76, 0x99, 0x00, 0xdf, 0xb8, 0x7c, 0xda, 0xe9, 0x97, 0x22, 0x06,
-	0x4e, 0x64, 0xd0, 0xf3, 0x30, 0xe9, 0x7a, 0xa2, 0x85, 0xde, 0xb4, 0xcd, 0x2a, 0xb1, 0x77, 0xf9,
-	0x28, 0xb2, 0x10, 0xcd, 0x8b, 0x53, 0x2c, 0x9c, 0x95, 0x2d, 0xfd, 0x59, 0x83, 0x6e, 0xdf, 0x35,
-	0xa2, 0xd3, 0x62, 0xee, 0xab, 0x0c, 0x53, 0xa3, 0x99, 0x2f, 0x6a, 0xc2, 0x28, 0x15, 0xb1, 0x22,
-	0x0f, 0xc3, 0xe6, 0x91, 0xdf, 0xee, 0xa4, 0x23, 0x4f, 0x34, 0x9c, 0x11, 0x35, 0x02, 0x63, 0xe7,
-	0xa1, 0x66, 0x54, 0x42, 0xc7, 0x94, 0xaf, 0x02, 0x26, 0xc4, 0x79, 0x58, 0x59, 0x16, 0x34, 0x1c,
-	0x73, 0x2b, 0xb5, 0x8f, 0x3e, 0x9d, 0x3f, 0xf6, 0xf1, 0xa7, 0xf3, 0xc7, 0x3e, 0xf9, 0x74, 0xfe,
-	0xd8, 0xb7, 0xda, 0xf3, 0xda, 0x47, 0xed, 0x79, 0xed, 0xe3, 0xf6, 0xbc, 0xf6, 0x49, 0x7b, 0x5e,
-	0xfb, 0x7b, 0x7b, 0x5e, 0xfb, 0xf1, 0x3f, 0xe6, 0x8f, 0x7d, 0xed, 0xf9, 0x23, 0xfd, 0x2b, 0xc1,
-	0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xdf, 0xe3, 0x03, 0xa1, 0x8a, 0x30, 0x00, 0x00,
-}
+func (m *WebhookClientConfig) Reset() { *m = WebhookClientConfig{} }
 
 func (m *ConversionRequest) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1337,6 +407,9 @@ func (m *CustomResourceDefinitionCondition) MarshalToSizedBuffer(dAtA []byte) (i
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	i--
+	dAtA[i] = 0x30
 	i -= len(m.Message)
 	copy(dAtA[i:], m.Message)
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
@@ -1634,6 +707,9 @@ func (m *CustomResourceDefinitionStatus) MarshalToSizedBuffer(dAtA []byte) (int,
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	i--
+	dAtA[i] = 0x20
 	if len(m.StoredVersions) > 0 {
 		for iNdEx := len(m.StoredVersions) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.StoredVersions[iNdEx])
@@ -2129,7 +1205,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Definitions {
 			keysForDefinitions = append(keysForDefinitions, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDefinitions)
+		sort.Strings(keysForDefinitions)
 		for iNdEx := len(keysForDefinitions) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Definitions[string(keysForDefinitions[iNdEx])]
 			baseI := i
@@ -2174,7 +1250,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Dependencies {
 			keysForDependencies = append(keysForDependencies, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForDependencies)
+		sort.Strings(keysForDependencies)
 		for iNdEx := len(keysForDependencies) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Dependencies[string(keysForDependencies[iNdEx])]
 			baseI := i
@@ -2205,7 +1281,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.PatternProperties {
 			keysForPatternProperties = append(keysForPatternProperties, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForPatternProperties)
+		sort.Strings(keysForPatternProperties)
 		for iNdEx := len(keysForPatternProperties) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.PatternProperties[string(keysForPatternProperties[iNdEx])]
 			baseI := i
@@ -2250,7 +1326,7 @@ func (m *JSONSchemaProps) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Properties {
 			keysForProperties = append(keysForProperties, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForProperties)
+		sort.Strings(keysForProperties)
 		for iNdEx := len(keysForProperties) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Properties[string(keysForProperties[iNdEx])]
 			baseI := i
@@ -2976,6 +2052,7 @@ func (m *CustomResourceDefinitionCondition) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = len(m.Message)
 	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
 	return n
 }
 
@@ -3095,6 +2172,7 @@ func (m *CustomResourceDefinitionStatus) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
 	return n
 }
 
@@ -3623,6 +2701,7 @@ func (this *CustomResourceDefinitionCondition) String() string {
 		`LastTransitionTime:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.LastTransitionTime), "Time", "v1.Time", 1), `&`, ``, 1) + `,`,
 		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
 		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3706,6 +2785,7 @@ func (this *CustomResourceDefinitionStatus) String() string {
 		`Conditions:` + repeatedStringForConditions + `,`,
 		`AcceptedNames:` + strings.Replace(strings.Replace(this.AcceptedNames.String(), "CustomResourceDefinitionNames", "CustomResourceDefinitionNames", 1), `&`, ``, 1) + `,`,
 		`StoredVersions:` + fmt.Sprintf("%v", this.StoredVersions) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3834,7 +2914,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Properties {
 		keysForProperties = append(keysForProperties, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForProperties)
+	sort.Strings(keysForProperties)
 	mapStringForProperties := "map[string]JSONSchemaProps{"
 	for _, k := range keysForProperties {
 		mapStringForProperties += fmt.Sprintf("%v: %v,", k, this.Properties[k])
@@ -3844,7 +2924,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.PatternProperties {
 		keysForPatternProperties = append(keysForPatternProperties, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForPatternProperties)
+	sort.Strings(keysForPatternProperties)
 	mapStringForPatternProperties := "map[string]JSONSchemaProps{"
 	for _, k := range keysForPatternProperties {
 		mapStringForPatternProperties += fmt.Sprintf("%v: %v,", k, this.PatternProperties[k])
@@ -3854,7 +2934,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Dependencies {
 		keysForDependencies = append(keysForDependencies, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDependencies)
+	sort.Strings(keysForDependencies)
 	mapStringForDependencies := "JSONSchemaDependencies{"
 	for _, k := range keysForDependencies {
 		mapStringForDependencies += fmt.Sprintf("%v: %v,", k, this.Dependencies[k])
@@ -3864,7 +2944,7 @@ func (this *JSONSchemaProps) String() string {
 	for k := range this.Definitions {
 		keysForDefinitions = append(keysForDefinitions, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForDefinitions)
+	sort.Strings(keysForDefinitions)
 	mapStringForDefinitions := "JSONSchemaDefinitions{"
 	for _, k := range keysForDefinitions {
 		mapStringForDefinitions += fmt.Sprintf("%v: %v,", k, this.Definitions[k])
@@ -5152,6 +4232,25 @@ func (m *CustomResourceDefinitionCondition) Unmarshal(dAtA []byte) error {
 			}
 			m.Message = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6070,6 +5169,25 @@ func (m *CustomResourceDefinitionStatus) Unmarshal(dAtA []byte) error {
 			}
 			m.StoredVersions = append(m.StoredVersions, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto
index f9e5600345ab6..bc9594992fe76 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto
@@ -168,6 +168,13 @@ message CustomResourceDefinitionCondition {
   // message is a human-readable message indicating details about last transition.
   // +optional
   optional string message = 5;
+
+  // observedGeneration represents the .metadata.generation that the condition was set based upon.
+  // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+  // with respect to the current state of the instance.
+  // +featureGate=CRDObservedGenerationTracking
+  // +optional
+  optional int64 observedGeneration = 6;
 }
 
 // CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
@@ -319,6 +326,11 @@ message CustomResourceDefinitionStatus {
   // +optional
   // +listType=atomic
   repeated string storedVersions = 3;
+
+  // The generation observed by the CRD controller.
+  // +featureGate=CRDObservedGenerationTracking
+  // +optional
+  optional int64 observedGeneration = 4;
 }
 
 // CustomResourceDefinitionVersion describes a version for CRD.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..997d32f31e1e4
--- /dev/null
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,74 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ConversionRequest) ProtoMessage() {}
+
+func (*ConversionResponse) ProtoMessage() {}
+
+func (*ConversionReview) ProtoMessage() {}
+
+func (*CustomResourceColumnDefinition) ProtoMessage() {}
+
+func (*CustomResourceConversion) ProtoMessage() {}
+
+func (*CustomResourceDefinition) ProtoMessage() {}
+
+func (*CustomResourceDefinitionCondition) ProtoMessage() {}
+
+func (*CustomResourceDefinitionList) ProtoMessage() {}
+
+func (*CustomResourceDefinitionNames) ProtoMessage() {}
+
+func (*CustomResourceDefinitionSpec) ProtoMessage() {}
+
+func (*CustomResourceDefinitionStatus) ProtoMessage() {}
+
+func (*CustomResourceDefinitionVersion) ProtoMessage() {}
+
+func (*CustomResourceSubresourceScale) ProtoMessage() {}
+
+func (*CustomResourceSubresourceStatus) ProtoMessage() {}
+
+func (*CustomResourceSubresources) ProtoMessage() {}
+
+func (*CustomResourceValidation) ProtoMessage() {}
+
+func (*ExternalDocumentation) ProtoMessage() {}
+
+func (*JSON) ProtoMessage() {}
+
+func (*JSONSchemaProps) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrArray) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrBool) ProtoMessage() {}
+
+func (*JSONSchemaPropsOrStringArray) ProtoMessage() {}
+
+func (*SelectableField) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
+
+func (*ValidationRule) ProtoMessage() {}
+
+func (*WebhookClientConfig) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
index 153f72337758f..fb844903ed52d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/types.go
@@ -390,6 +390,12 @@ type CustomResourceDefinitionCondition struct {
 	// message is a human-readable message indicating details about last transition.
 	// +optional
 	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,6,opt,name=observedGeneration"`
 }
 
 // CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
@@ -414,6 +420,10 @@ type CustomResourceDefinitionStatus struct {
 	// +optional
 	// +listType=atomic
 	StoredVersions []string `json:"storedVersions" protobuf:"bytes,3,rep,name=storedVersions"`
+	// The generation observed by the CRD controller.
+	// +featureGate=CRDObservedGenerationTracking
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,4,opt,name=observedGeneration"`
 }
 
 // CustomResourceCleanupFinalizer is the name of the finalizer which will delete instances of
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.conversion.go
index d59274e8da6cf..5e388dc69bbcf 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.conversion.go
@@ -378,6 +378,7 @@ func autoConvert_v1beta1_CustomResourceDefinitionCondition_To_apiextensions_Cust
 	out.LastTransitionTime = in.LastTransitionTime
 	out.Reason = in.Reason
 	out.Message = in.Message
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -392,6 +393,7 @@ func autoConvert_apiextensions_CustomResourceDefinitionCondition_To_v1beta1_Cust
 	out.LastTransitionTime = in.LastTransitionTime
 	out.Reason = in.Reason
 	out.Message = in.Message
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -574,6 +576,7 @@ func autoConvert_v1beta1_CustomResourceDefinitionStatus_To_apiextensions_CustomR
 		return err
 	}
 	out.StoredVersions = *(*[]string)(unsafe.Pointer(&in.StoredVersions))
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
@@ -588,6 +591,7 @@ func autoConvert_apiextensions_CustomResourceDefinitionStatus_To_v1beta1_CustomR
 		return err
 	}
 	out.StoredVersions = *(*[]string)(unsafe.Pointer(&in.StoredVersions))
+	out.ObservedGeneration = in.ObservedGeneration
 	return nil
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b346b010978d8
--- /dev/null
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,152 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionRequest) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ConversionRequest"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionResponse) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ConversionResponse"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionReview) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ConversionReview"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceColumnDefinition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceConversion) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionCondition) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionList) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionNames) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionSpec) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionStatus) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceDefinitionVersion) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresourceScale) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceScale"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresourceStatus) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceSubresources) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CustomResourceValidation) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalDocumentation) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ExternalDocumentation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSON) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSON"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaProps) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrArray) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrArray"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrBool) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBool"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONSchemaPropsOrStringArray) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrStringArray"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SelectableField) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.SelectableField"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ServiceReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidationRule) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ValidationRule"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookClientConfig) OpenAPIModelName() string {
+	return "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfig"
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
index 18cd5a8c2464b..89051e2af7660 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
@@ -92,8 +92,7 @@ func ValidateCustomResourceDefinition(ctx context.Context, obj *apiextensions.Cu
 		requirePrunedDefaults:                    true,
 		requireAtomicSetType:                     true,
 		requireMapListKeysMapSetValidation:       true,
-		// strictCost is always true to enforce cost limits.
-		celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true),
+		celEnvironmentSet:                        environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()),
 		// allowInvalidCABundle is set to true since the CRD is not established yet.
 		allowInvalidCABundle: true,
 	}
@@ -145,6 +144,10 @@ type validationOptions struct {
 	// allowInvalidCABundle allows an invalid conversion webhook CABundle on update only if the existing CABundle is invalid.
 	// An invalid CABundle is also permitted on create and before a CRD is in an Established=True condition.
 	allowInvalidCABundle bool
+
+	// allowTooManySelectableFields allows more than the MaxSelectableFields on update only if the existing
+	// selectable field count is more than the max selectable fields and the selectable fields are unchanged.
+	allowTooManySelectableFields map[string]bool
 }
 
 type preexistingExpressions struct {
@@ -237,9 +240,9 @@ func ValidateCustomResourceDefinitionUpdate(ctx context.Context, obj, oldObj *ap
 		requireMapListKeysMapSetValidation:       requireMapListKeysMapSetValidation(&oldObj.Spec),
 		preexistingExpressions:                   findPreexistingExpressions(&oldObj.Spec),
 		versionsWithUnchangedSchemas:             findVersionsWithUnchangedSchemas(obj, oldObj),
-		// strictCost is always true to enforce cost limits.
-		celEnvironmentSet:    environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true),
-		allowInvalidCABundle: allowInvalidCABundle(oldObj),
+		celEnvironmentSet:                        environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()),
+		allowInvalidCABundle:                     allowInvalidCABundle(oldObj),
+		allowTooManySelectableFields:             findTooManySelectableFieldsAllowed(obj, oldObj),
 	}
 	return validateCustomResourceDefinitionUpdate(ctx, obj, oldObj, opts)
 }
@@ -310,7 +313,7 @@ func validateCustomResourceDefinitionVersion(ctx context.Context, version *apiex
 			if err != nil {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("schema.openAPIV3Schema"), "", err.Error()))
 			}
-			allErrs = append(allErrs, ValidateCustomResourceSelectableFields(version.SelectableFields, schema, fldPath.Child("selectableFields"))...)
+			allErrs = append(allErrs, ValidateCustomResourceSelectableFields(version.SelectableFields, schema, fldPath.Child("selectableFields"), opts, version.Name)...)
 		}
 	}
 	return allErrs
@@ -484,7 +487,7 @@ func validateCustomResourceDefinitionSpec(ctx context.Context, spec *apiextensio
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("schema.openAPIV3Schema"), "", err.Error()))
 			}
 
-			allErrs = append(allErrs, ValidateCustomResourceSelectableFields(spec.SelectableFields, schema, fldPath.Child("selectableFields"))...)
+			allErrs = append(allErrs, ValidateCustomResourceSelectableFields(spec.SelectableFields, schema, fldPath.Child("selectableFields"), opts, "")...)
 		}
 	}
 
@@ -565,6 +568,34 @@ func allowInvalidCABundle(oldCRD *apiextensions.CustomResourceDefinition) bool {
 	return len(webhook.ValidateCABundle(field.NewPath("caBundle"), oldConversion.WebhookClientConfig.CABundle)) > 0
 }
 
+// findTooManySelectableFieldsAllowed returns a struct indicating which selectable field sets are allowed to be invalid.
+// A set of selectable fields is allowed to be invalid if the existing custom resource definition has more
+// selectable fields than MaxSelectableFields and the selectable fields are unchanged.
+func findTooManySelectableFieldsAllowed(obj *apiextensions.CustomResourceDefinition, oldCRD *apiextensions.CustomResourceDefinition) map[string]bool {
+	result := map[string]bool{}
+
+	if len(oldCRD.Spec.SelectableFields) > MaxSelectableFields && apiequality.Semantic.DeepEqual(obj.Spec.SelectableFields, oldCRD.Spec.SelectableFields) {
+		result[""] = true
+	}
+
+	oldVersions := make(map[string]*apiextensions.CustomResourceDefinitionVersion, len(oldCRD.Spec.Versions))
+	for _, v := range oldCRD.Spec.Versions {
+		oldVersions[v.Name] = &v // +k8s:verify-mutation:reason=clone
+	}
+
+	for _, v := range obj.Spec.Versions {
+		oldV, ok := oldVersions[v.Name]
+		if !ok {
+			continue
+		}
+		if len(oldV.SelectableFields) > MaxSelectableFields && apiequality.Semantic.DeepEqual(v.SelectableFields, oldV.SelectableFields) {
+			result[v.Name] = true
+		}
+	}
+
+	return result
+}
+
 // hasValidConversionReviewVersion return true if there is a valid version or if the list is empty.
 func hasValidConversionReviewVersionOrEmpty(versions []string) bool {
 	if len(versions) < 1 {
@@ -813,7 +844,7 @@ func ValidateCustomResourceColumnDefinition(col *apiextensions.CustomResourceCol
 	return allErrs
 }
 
-func ValidateCustomResourceSelectableFields(selectableFields []apiextensions.SelectableField, schema *structuralschema.Structural, fldPath *field.Path) (allErrs field.ErrorList) {
+func ValidateCustomResourceSelectableFields(selectableFields []apiextensions.SelectableField, schema *structuralschema.Structural, fldPath *field.Path, opts validationOptions, version string) (allErrs field.ErrorList) {
 	uniqueSelectableFields := sets.New[string]()
 	for i, selectableField := range selectableFields {
 		indexFldPath := fldPath.Index(i)
@@ -840,7 +871,7 @@ func ValidateCustomResourceSelectableFields(selectableFields []apiextensions.Sel
 		}
 	}
 	uniqueSelectableFieldCount := uniqueSelectableFields.Len()
-	if uniqueSelectableFieldCount > MaxSelectableFields {
+	if uniqueSelectableFieldCount > MaxSelectableFields && !opts.allowTooManySelectableFields[version] {
 		allErrs = append(allErrs, field.TooMany(fldPath, uniqueSelectableFieldCount, MaxSelectableFields))
 	}
 	return allErrs
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go
index 97b00926ae427..a52d0166e0dc6 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation_test.go
@@ -121,9 +121,10 @@ func TestValidateCustomResourceDefinition(t *testing.T) {
 		},
 	}
 	tests := []struct {
-		name     string
-		resource *apiextensions.CustomResourceDefinition
-		errors   []validationMatch
+		name        string
+		resource    *apiextensions.CustomResourceDefinition
+		oldResource *apiextensions.CustomResourceDefinition
+		errors      []validationMatch
 	}{
 		{
 			name: "invalid types disallowed",
@@ -5069,6 +5070,14 @@ func TestValidateFieldPath(t *testing.T) {
 }
 
 func TestValidateCustomResourceDefinitionUpdate(t *testing.T) {
+	singleVersionList := []apiextensions.CustomResourceDefinitionVersion{
+		{
+			Name:    "version",
+			Served:  true,
+			Storage: true,
+		},
+	}
+
 	tests := []struct {
 		name     string
 		old      *apiextensions.CustomResourceDefinition
@@ -7773,6 +7782,350 @@ func TestValidateCustomResourceDefinitionUpdate(t *testing.T) {
 				forbidden("spec", "versions[1]", "schema", "openAPIV3Schema", "properties[f]", "x-kubernetes-validations[0]", "messageExpression"),
 			},
 		},
+		{
+			name: "ratcheting: too many selectableFields are not allowed if existing CRD has different selectableFields",
+			old: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:   "group.com",
+					Version: "version",
+					Versions: []apiextensions.CustomResourceDefinitionVersion{
+						{Name: "version", Served: true, Storage: true,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+										"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+										"a7": {Type: "string"}, "a8": {Type: "string"}, "different": {Type: "string"},
+									},
+									Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "different"},
+								},
+							},
+							SelectableFields: []apiextensions.SelectableField{
+								{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+								{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+								{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".different"},
+							},
+						},
+						{Name: "version2", Served: true, Storage: false,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type:       "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{"foo": {Type: "integer"}},
+								},
+							},
+						},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			resource: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com", ResourceVersion: "1"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:   "group.com",
+					Version: "version",
+					Versions: []apiextensions.CustomResourceDefinitionVersion{
+						{Name: "version", Served: true, Storage: true,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+										"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+										"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+									},
+									Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+								},
+							},
+							SelectableFields: []apiextensions.SelectableField{
+								{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+								{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+								{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+							},
+						},
+						{Name: "version2", Served: true, Storage: false,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type:       "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{"foo": {Type: "integer"}},
+								},
+							},
+						},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			errors: []validationMatch{
+				tooMany("spec", "versions[0]", "selectableFields"),
+			},
+		},
+		{
+			name: "ratcheting: too many selectableFields are allowed if existing CRD has same selectableFields",
+			old: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:   "group.com",
+					Version: "version",
+					Versions: []apiextensions.CustomResourceDefinitionVersion{
+						{Name: "version", Served: true, Storage: true,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+										"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+										"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+									},
+									Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+								},
+							},
+							SelectableFields: []apiextensions.SelectableField{
+								{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+								{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+								{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+							},
+						},
+						{Name: "version2", Served: true, Storage: false,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type:       "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{"foo": {Type: "integer"}},
+								},
+							},
+						},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			resource: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com", ResourceVersion: "1"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:   "group.com",
+					Version: "version",
+					Versions: []apiextensions.CustomResourceDefinitionVersion{
+						{Name: "version", Served: true, Storage: true,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type: "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{
+										"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+										"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+										"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+									},
+									Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+								},
+							},
+							SelectableFields: []apiextensions.SelectableField{
+								{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+								{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+								{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+							},
+						},
+						{Name: "version2", Served: true, Storage: false,
+							Schema: &apiextensions.CustomResourceValidation{
+								OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+									Type:       "object",
+									Properties: map[string]apiextensions.JSONSchemaProps{"foo": {Type: "integer"}},
+								},
+							},
+						},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			errors: []validationMatch{},
+		},
+		{
+			name: "ratcheting: top level schema: too many selectableFields are not allowed if existing CRD has different selectableFields",
+			old: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:    "group.com",
+					Version:  "version",
+					Versions: singleVersionList,
+					Validation: &apiextensions.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+								"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+								"a7": {Type: "string"}, "a8": {Type: "string"}, "different": {Type: "string"},
+							},
+							Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "different"},
+						},
+					},
+					SelectableFields: []apiextensions.SelectableField{
+						{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+						{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+						{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".different"},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			resource: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com", ResourceVersion: "1"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:    "group.com",
+					Version:  "version",
+					Versions: singleVersionList,
+					Validation: &apiextensions.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+								"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+								"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+							},
+							Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+						},
+					},
+					SelectableFields: []apiextensions.SelectableField{
+						{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+						{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+						{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			errors: []validationMatch{
+				tooMany("spec", "selectableFields"),
+			},
+		},
+		{
+			name: "ratcheting: top level schema: too many selectableFields are allowed if existing CRD has same selectableFields",
+			old: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:    "group.com",
+					Version:  "version",
+					Versions: singleVersionList,
+					Validation: &apiextensions.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+								"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+								"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+							},
+							Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+						},
+					},
+					SelectableFields: []apiextensions.SelectableField{
+						{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+						{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+						{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			resource: &apiextensions.CustomResourceDefinition{
+				ObjectMeta: metav1.ObjectMeta{Name: "plural.group.com", ResourceVersion: "1"},
+				Spec: apiextensions.CustomResourceDefinitionSpec{
+					Group:    "group.com",
+					Version:  "version",
+					Versions: singleVersionList,
+					Validation: &apiextensions.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensions.JSONSchemaProps{
+								"a1": {Type: "string"}, "a2": {Type: "string"}, "a3": {Type: "string"},
+								"a4": {Type: "string"}, "a5": {Type: "string"}, "a6": {Type: "string"},
+								"a7": {Type: "string"}, "a8": {Type: "string"}, "a9": {Type: "string"},
+							},
+							Required: []string{"a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9"},
+						},
+					},
+					SelectableFields: []apiextensions.SelectableField{
+						{JSONPath: ".a1"}, {JSONPath: ".a2"}, {JSONPath: ".a3"},
+						{JSONPath: ".a4"}, {JSONPath: ".a5"}, {JSONPath: ".a6"},
+						{JSONPath: ".a7"}, {JSONPath: ".a8"}, {JSONPath: ".a9"},
+					},
+					Scope: apiextensions.NamespaceScoped,
+					Names: apiextensions.CustomResourceDefinitionNames{
+						Plural:   "plural",
+						Singular: "singular",
+						Kind:     "Plural",
+						ListKind: "PluralList",
+					},
+					PreserveUnknownFields: ptr.To(false),
+				},
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					StoredVersions: []string{"version"},
+				},
+			},
+			errors: []validationMatch{},
+		},
 	}
 
 	for _, tc := range tests {
@@ -7859,7 +8212,7 @@ func TestValidateCustomResourceDefinitionValidationRuleCompatibility(t *testing.
 	}
 
 	// Include the test library, which includes the test() function in the storage environment during test
-	base := environment.MustBaseEnvSet(version.MajorMinor(1, 998), true)
+	base := environment.MustBaseEnvSet(version.MajorMinor(1, 998))
 	envSet, err := base.Extend(environment.VersionedOptions{
 		IntroducedVersion: version.MajorMinor(1, 999),
 		EnvOptions:        []cel.EnvOption{library.Test()},
@@ -9213,7 +9566,7 @@ func TestValidateCustomResourceDefinitionValidation(t *testing.T) {
 			},
 			opts: validationOptions{
 				requireStructuralSchema: true,
-				celEnvironmentSet:       environment.MustBaseEnvSet(version.MajorMinor(1, 30), true),
+				celEnvironmentSet:       environment.MustBaseEnvSet(version.MajorMinor(1, 30)),
 			},
 			expectedErrors: []validationMatch{
 				invalid("spec.validation.openAPIV3Schema.x-kubernetes-validations[2].rule"),
@@ -9397,7 +9750,7 @@ func TestValidateCustomResourceDefinitionValidation(t *testing.T) {
 			},
 			opts: validationOptions{
 				requireStructuralSchema: true,
-				celEnvironmentSet:       environment.MustBaseEnvSet(version.MajorMinor(1, 31), true),
+				celEnvironmentSet:       environment.MustBaseEnvSet(version.MajorMinor(1, 31)),
 			},
 			expectedErrors: []validationMatch{
 				invalid("spec.validation.openAPIV3Schema.x-kubernetes-validations[21].rule"),
@@ -10947,7 +11300,7 @@ func TestValidateCustomResourceDefinitionValidation(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.TODO()
 			if tt.opts.celEnvironmentSet == nil {
-				tt.opts.celEnvironmentSet = environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)
+				tt.opts.celEnvironmentSet = environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 			}
 			got := validateCustomResourceDefinitionValidation(ctx, &tt.input, tt.statusEnabled, tt.opts, field.NewPath("spec", "validation"))
 
@@ -11470,7 +11823,7 @@ func TestCelContext(t *testing.T) {
 			celContext := RootCELContext(tt.schema)
 			celContext.converter = converter
 			opts := validationOptions{
-				celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true),
+				celEnvironmentSet: environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()),
 			}
 			openAPIV3Schema := &specStandardValidatorV3{
 				allowDefaults:            opts.allowDefaults,
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/openapi_models_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/openapi_models_test.go
new file mode 100644
index 0000000000000..d30671b1195bc
--- /dev/null
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/openapi_models_test.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kube-openapi/pkg/util"
+)
+
+func TestOpenAPIDefinitionNames(t *testing.T) {
+	scheme := runtime.NewScheme()
+	for _, builder := range groups {
+		if err := builder.AddToScheme(scheme); err != nil {
+			t.Fatalf("unexpected error adding to scheme: %v", err)
+		}
+	}
+
+	kinds := scheme.AllKnownTypes()
+	for gvk := range kinds {
+		if gvk.Version == runtime.APIVersionInternal {
+			continue
+		}
+		t.Run(gvk.String(), func(t *testing.T) {
+			example, err := scheme.New(gvk)
+			if err != nil {
+				t.Fatalf("unexpected error creating example: %v", err)
+			}
+
+			namer, ok := example.(util.OpenAPIModelNamer)
+			if !ok {
+				t.Fatalf("type %v does not implement OpenAPICanonicalTypeName\n", gvk)
+			}
+			lookupName := namer.OpenAPIModelName()
+
+			rtype := reflect.TypeOf(example).Elem()
+			reflectName := util.ToRESTFriendlyName(rtype.PkgPath() + "." + rtype.Name())
+
+			if lookupName != reflectName {
+				t.Errorf("expected %v, got %v", reflectName, lookupName)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.json b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.json
index 6a7d0af89ef04..d9df97c608571 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.json
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.json
@@ -200,7 +200,8 @@
         "status": "statusValue",
         "lastTransitionTime": "2003-01-01T01:01:01Z",
         "reason": "reasonValue",
-        "message": "messageValue"
+        "message": "messageValue",
+        "observedGeneration": 6
       }
     ],
     "acceptedNames": {
@@ -217,6 +218,7 @@
     },
     "storedVersions": [
       "storedVersionsValue"
-    ]
+    ],
+    "observedGeneration": 4
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.pb b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.pb
index 1d29cdca75122..0581c6381cb31 100644
Binary files a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.pb and b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.pb differ
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.yaml b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.yaml
index 0a10a99c1d1fa..fe044a14d17c9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.yaml
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1.CustomResourceDefinition.yaml
@@ -157,8 +157,10 @@ status:
   conditions:
   - lastTransitionTime: "2003-01-01T01:01:01Z"
     message: messageValue
+    observedGeneration: 6
     reason: reasonValue
     status: statusValue
     type: typeValue
+  observedGeneration: 4
   storedVersions:
   - storedVersionsValue
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.json b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.json
index d8c945fc6ed72..4c63959d12548 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.json
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.json
@@ -305,7 +305,8 @@
         "status": "statusValue",
         "lastTransitionTime": "2003-01-01T01:01:01Z",
         "reason": "reasonValue",
-        "message": "messageValue"
+        "message": "messageValue",
+        "observedGeneration": 6
       }
     ],
     "acceptedNames": {
@@ -322,6 +323,7 @@
     },
     "storedVersions": [
       "storedVersionsValue"
-    ]
+    ],
+    "observedGeneration": 4
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.pb b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.pb
index fd44628b79451..04726f31ca603 100644
Binary files a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.pb and b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.pb differ
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.yaml b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.yaml
index b0abff167c09e..93c1cfd0fd842 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.yaml
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/testdata/HEAD/apiextensions.k8s.io.v1beta1.CustomResourceDefinition.yaml
@@ -237,8 +237,10 @@ status:
   conditions:
   - lastTransitionTime: "2003-01-01T01:01:01Z"
     message: messageValue
+    observedGeneration: 6
     reason: reasonValue
     status: statusValue
     type: typeValue
+  observedGeneration: 4
   storedVersions:
   - storedVersionsValue
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go
index 1a730d3310cdd..e27495de54e2a 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/apiserver.go
@@ -242,10 +242,10 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 			}
 		}
 
-		go namingController.Run(hookContext.Done())
-		go establishingController.Run(hookContext.Done())
-		go nonStructuralSchemaController.Run(5, hookContext.Done())
-		go apiApprovalController.Run(5, hookContext.Done())
+		go namingController.RunWithContext(hookContext)
+		go establishingController.RunWithContext(hookContext)
+		go nonStructuralSchemaController.RunWithContext(5, hookContext)
+		go apiApprovalController.RunWithContext(5, hookContext)
 		go finalizingController.Run(5, hookContext.Done())
 
 		discoverySyncedCh := make(chan struct{})
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
index 5252db43cd577..74707e9403180 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
@@ -724,7 +724,58 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 		replicasPathInCustomResource[schema.GroupVersion{Group: crd.Spec.Group, Version: v.Name}.String()] = path
 	}
 
+	// ensure accepted names are valid
+	if len(crd.Status.AcceptedNames.Plural) == 0 {
+		utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.plural", crd.Name))
+		return nil, fmt.Errorf("the server could not properly serve the resource")
+	}
+	if len(crd.Status.AcceptedNames.Singular) == 0 {
+		utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.singular", crd.Name))
+		return nil, fmt.Errorf("the server could not properly serve the resource")
+	}
+	if len(crd.Status.AcceptedNames.Kind) == 0 {
+		utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.kind", crd.Name))
+		return nil, fmt.Errorf("the server could not properly serve the kind")
+	}
+	if len(crd.Status.AcceptedNames.ListKind) == 0 {
+		utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.listKind", crd.Name))
+		return nil, fmt.Errorf("the server could not properly serve the list kind")
+	}
+
+	var (
+		versionToResource         = map[string]schema.GroupVersionResource{}
+		versionToSingularResource = map[string]schema.GroupVersionResource{}
+		versionToKind             = map[string]schema.GroupVersionKind{}
+		versionToSubresources     = map[string]*apiextensionsv1.CustomResourceSubresources{}
+	)
+	for _, v := range crd.Spec.Versions {
+		versionToResource[v.Name] = schema.GroupVersionResource{Group: crd.Spec.Group, Version: v.Name, Resource: crd.Status.AcceptedNames.Plural}
+		versionToSingularResource[v.Name] = schema.GroupVersionResource{Group: crd.Spec.Group, Version: v.Name, Resource: crd.Status.AcceptedNames.Singular}
+		versionToKind[v.Name] = schema.GroupVersionKind{Group: crd.Spec.Group, Version: v.Name, Kind: crd.Status.AcceptedNames.Kind}
+		versionToSubresources[v.Name], err = apiextensionshelpers.GetSubresourcesForVersion(crd, v.Name)
+		if err != nil {
+			utilruntime.HandleError(err)
+			return nil, fmt.Errorf("the server could not properly serve the CR subresources")
+		}
+
+		// Register equivalent kinds
+		equivalentResourceRegistry.RegisterKindFor(versionToResource[v.Name], "", versionToKind[v.Name])
+		if versionToSubresources[v.Name] != nil {
+			if versionToSubresources[v.Name].Status != nil {
+				equivalentResourceRegistry.RegisterKindFor(versionToResource[v.Name], "status", versionToKind[v.Name])
+			}
+			if versionToSubresources[v.Name].Scale != nil {
+				equivalentResourceRegistry.RegisterKindFor(versionToResource[v.Name], "scale", autoscalingv1.SchemeGroupVersion.WithKind("Scale"))
+			}
+		}
+	}
+
 	for _, v := range crd.Spec.Versions {
+		// Do not construct storage if version is neither served nor stored
+		if !v.Storage && !v.Served {
+			continue
+		}
+
 		// In addition to Unstructured objects (Custom Resources), we also may sometimes need to
 		// decode unversioned Options objects, so we delegate to parameterScheme for such types.
 		parameterScheme := runtime.NewScheme()
@@ -735,22 +786,9 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 		)
 		parameterCodec := runtime.NewParameterCodec(parameterScheme)
 
-		resource := schema.GroupVersionResource{Group: crd.Spec.Group, Version: v.Name, Resource: crd.Status.AcceptedNames.Plural}
-		if len(resource.Resource) == 0 {
-			utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.plural", crd.Name))
-			return nil, fmt.Errorf("the server could not properly serve the resource")
-		}
-		singularResource := schema.GroupVersionResource{Group: crd.Spec.Group, Version: v.Name, Resource: crd.Status.AcceptedNames.Singular}
-		if len(singularResource.Resource) == 0 {
-			utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.singular", crd.Name))
-			return nil, fmt.Errorf("the server could not properly serve the resource")
-		}
-		kind := schema.GroupVersionKind{Group: crd.Spec.Group, Version: v.Name, Kind: crd.Status.AcceptedNames.Kind}
-		if len(kind.Kind) == 0 {
-			utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.kind", crd.Name))
-			return nil, fmt.Errorf("the server could not properly serve the kind")
-		}
-		equivalentResourceRegistry.RegisterKindFor(resource, "", kind)
+		singularResource := versionToSingularResource[v.Name]
+		resource := versionToResource[v.Name]
+		kind := versionToKind[v.Name]
 
 		typer := newUnstructuredObjectTyper(parameterScheme)
 		creator := unstructuredCreator{}
@@ -776,13 +814,9 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 
 		var statusSpec *apiextensionsinternal.CustomResourceSubresourceStatus
 		var statusValidator apiservervalidation.SchemaValidator
-		subresources, err := apiextensionshelpers.GetSubresourcesForVersion(crd, v.Name)
-		if err != nil {
-			utilruntime.HandleError(err)
-			return nil, fmt.Errorf("the server could not properly serve the CR subresources")
-		}
+		subresources := versionToSubresources[v.Name]
+
 		if subresources != nil && subresources.Status != nil {
-			equivalentResourceRegistry.RegisterKindFor(resource, "status", kind)
 			statusSpec = &apiextensionsinternal.CustomResourceSubresourceStatus{}
 			if err := apiextensionsv1.Convert_v1_CustomResourceSubresourceStatus_To_apiextensions_CustomResourceSubresourceStatus(subresources.Status, statusSpec, nil); err != nil {
 				return nil, fmt.Errorf("failed converting CRD status subresource to internal version: %v", err)
@@ -800,7 +834,6 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 
 		var scaleSpec *apiextensionsinternal.CustomResourceSubresourceScale
 		if subresources != nil && subresources.Scale != nil {
-			equivalentResourceRegistry.RegisterKindFor(resource, "scale", autoscalingv1.SchemeGroupVersion.WithKind("Scale"))
 			scaleSpec = &apiextensionsinternal.CustomResourceSubresourceScale{}
 			if err := apiextensionsv1.Convert_v1_CustomResourceSubresourceScale_To_apiextensions_CustomResourceSubresourceScale(subresources.Scale, scaleSpec, nil); err != nil {
 				return nil, fmt.Errorf("failed converting CRD status subresource to internal version: %v", err)
@@ -818,10 +851,6 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 		}
 
 		listKind := schema.GroupVersionKind{Group: crd.Spec.Group, Version: v.Name, Kind: crd.Status.AcceptedNames.ListKind}
-		if len(listKind.Kind) == 0 {
-			utilruntime.HandleError(fmt.Errorf("CustomResourceDefinition %s has unexpected empty status.acceptedNames.listKind", crd.Name))
-			return nil, fmt.Errorf("the server could not properly serve the list kind")
-		}
 
 		storages[v.Name], err = customresource.NewStorage(
 			resource.GroupResource(),
@@ -1010,30 +1039,6 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 
 		scaleScopes[v.Name] = &scaleScope
 
-		// override status subresource values
-		// shallow copy
-		statusScope := *requestScopes[v.Name]
-		statusScope.Subresource = "status"
-		statusScope.Namer = handlers.ContextBasedNaming{
-			Namer:         meta.NewAccessor(),
-			ClusterScoped: clusterScoped,
-		}
-
-		if subresources != nil && subresources.Status != nil {
-			resetFields := storages[v.Name].Status.GetResetFields()
-			statusScope, err = scopeWithFieldManager(
-				typeConverter,
-				statusScope,
-				resetFields,
-				"status",
-			)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		statusScopes[v.Name] = &statusScope
-
 		if v.Deprecated {
 			deprecated[v.Name] = true
 			if v.DeprecationWarning != nil {
@@ -1044,6 +1049,12 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 		}
 	}
 
+	statusResetFields := getStatusResetFields(crd, storages)
+	statusScopes, err = setStatusScope(crd, requestScopes, typeConverter, statusResetFields, statusScopes)
+	if err != nil {
+		return nil, err
+	}
+
 	ret := &crdInfo{
 		spec:                &crd.Spec,
 		acceptedNames:       &crd.Status.AcceptedNames,
@@ -1067,6 +1078,57 @@ func (r *crdHandler) getOrCreateServingInfoFor(uid types.UID, name string) (*crd
 	return ret, nil
 }
 
+// getStatusResetFields returns the reset fields which include all versions for the status subresource of the CRD.
+func getStatusResetFields(crd *apiextensionsv1.CustomResourceDefinition, storages map[string]customresource.CustomResourceStorage) map[fieldpath.APIVersion]*fieldpath.Set {
+	var statusResetFields = make(map[fieldpath.APIVersion]*fieldpath.Set)
+	for _, value := range crd.Spec.Versions {
+		if storages[value.Name].Status == nil {
+			continue
+		}
+		resetField := storages[value.Name].Status.GetResetFields()
+		for apiVersion, set := range resetField {
+			statusResetFields[apiVersion] = set
+		}
+	}
+	return statusResetFields
+}
+
+// setStatusScope sets the status scope for each version of the CRD.
+func setStatusScope(crd *apiextensionsv1.CustomResourceDefinition, requestScopes map[string]*handlers.RequestScope, typeConverter managedfields.TypeConverter, resetFields map[fieldpath.APIVersion]*fieldpath.Set, statusScopes map[string]*handlers.RequestScope) (map[string]*handlers.RequestScope, error) {
+	for _, v := range crd.Spec.Versions {
+		clusterScoped := crd.Spec.Scope == apiextensionsv1.ClusterScoped
+		if requestScopes[v.Name] == nil {
+			continue
+		}
+		statusScope := *requestScopes[v.Name]
+		statusScope.Subresource = "status"
+		statusScope.Namer = handlers.ContextBasedNaming{
+			Namer:         meta.NewAccessor(),
+			ClusterScoped: clusterScoped,
+		}
+
+		subresources, err := apiextensionshelpers.GetSubresourcesForVersion(crd, v.Name)
+		if err != nil {
+			utilruntime.HandleError(err)
+			return nil, fmt.Errorf("the server could not properly serve the CR subresources")
+		}
+		if subresources != nil && subresources.Status != nil {
+			statusScope, err = scopeWithFieldManager(
+				typeConverter,
+				statusScope,
+				resetFields,
+				"status",
+			)
+			if err != nil {
+				return nil, err
+			}
+		}
+		statusScopes[v.Name] = &statusScope
+	}
+	return statusScopes, nil
+
+}
+
 func scopeWithFieldManager(typeConverter managedfields.TypeConverter, reqScope handlers.RequestScope, resetFields map[fieldpath.APIVersion]*fieldpath.Set, subresource string) (handlers.RequestScope, error) {
 	fieldManager, err := managedfields.NewDefaultCRDFieldManager(
 		typeConverter,
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation_test.go
index 70aa2ea266daa..d7ceafcf97a43 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation_test.go
@@ -851,7 +851,7 @@ func TestCelCompilation(t *testing.T) {
 
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
-			env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).Extend(
+			env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).Extend(
 				environment.VersionedOptions{
 					IntroducedVersion: version.MajorMinor(1, 999),
 					EnvOptions:        []celgo.EnvOption{celgo.Lib(&fakeLib{})},
@@ -1328,7 +1328,7 @@ func genMapWithCustomItemRule(item *schema.Structural, rule string) func(maxProp
 // if expectedCostExceedsLimit is non-zero. Typically, only expectedCost or expectedCostExceedsLimit is non-zero, not both.
 func schemaChecker(schema *schema.Structural, expectedCost uint64, expectedCostExceedsLimit uint64, t *testing.T) func(t *testing.T) {
 	return func(t *testing.T) {
-		compilationResults, err := Compile(schema, model.SchemaDeclType(schema, false), celconfig.PerCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true), NewExpressionsEnvLoader())
+		compilationResults, err := Compile(schema, model.SchemaDeclType(schema, false), celconfig.PerCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()), NewExpressionsEnvLoader())
 		if err != nil {
 			t.Fatalf("Expected no error, got: %v", err)
 		}
@@ -1898,7 +1898,7 @@ func TestCostEstimation(t *testing.T) {
 }
 
 func BenchmarkCompile(b *testing.B) {
-	env := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true) // prepare the environment
+	env := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()) // prepare the environment
 	s := genArrayWithRule("number", "true")(nil)
 	b.ReportAllocs()
 	b.ResetTimer()
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
index 575fd5e2e9a57..a8ba937224c40 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation.go
@@ -95,7 +95,7 @@ func NewValidator(s *schema.Structural, isResourceRoot bool, perCallLimit uint64
 func validator(validationSchema, nodeSchema *schema.Structural, isResourceRoot bool, declType *cel.DeclType, perCallLimit uint64) *Validator {
 	compilationSchema := *nodeSchema
 	compilationSchema.XValidations = validationSchema.XValidations
-	compiledRules, err := Compile(&compilationSchema, declType, perCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true), StoredExpressionsEnvLoader())
+	compiledRules, err := Compile(&compilationSchema, declType, perCallLimit, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()), StoredExpressionsEnvLoader())
 
 	var itemsValidator, additionalPropertiesValidator *Validator
 	var propertiesValidators map[string]Validator
@@ -451,42 +451,54 @@ func (s *Validator) validateExpressions(ctx context.Context, fldPath *field.Path
 			}
 			continue
 		}
-		if evalResult != types.True {
-			currentFldPath := fldPath
-			if len(compiled.NormalizedRuleFieldPath) > 0 {
-				currentFldPath = currentFldPath.Child(compiled.NormalizedRuleFieldPath)
-			}
 
-			addErr := func(e *field.Error) {
-				if !compiled.UsesOldSelf && correlation.shouldRatchetError() {
-					warning.AddWarning(ctx, "", e.Error())
-				} else {
-					errs = append(errs, e)
-				}
+		if evalResult == types.True {
+			continue
+		}
+
+		// Prepare a field error describing why the expression evaluated to False.
+		// Its detail may come from another expression that might fail to evaluate or exceed the budget.
+
+		currentFldPath := fldPath
+		if len(compiled.NormalizedRuleFieldPath) > 0 {
+			currentFldPath = currentFldPath.Child(compiled.NormalizedRuleFieldPath)
+		}
+
+		addErr := func(e *field.Error) {
+			if !compiled.UsesOldSelf && correlation.shouldRatchetError() {
+				warning.AddWarning(ctx, "", e.Error())
+			} else {
+				errs = append(errs, e)
 			}
+		}
 
-			if compiled.MessageExpression != nil {
-				messageExpression, newRemainingBudget, msgErr := evalMessageExpression(ctx, compiled.MessageExpression, rule.MessageExpression, activation, remainingBudget)
-				if msgErr != nil {
-					if msgErr.Type == cel.ErrorTypeInternal {
-						addErr(field.InternalError(currentFldPath, msgErr))
-						return errs, -1
-					} else if msgErr.Type == cel.ErrorTypeInvalid {
-						addErr(field.Invalid(currentFldPath, sts.Type, msgErr.Error()))
-						return errs, -1
-					} else {
-						klog.V(2).ErrorS(msgErr, "messageExpression evaluation failed")
-						addErr(fieldErrorForReason(currentFldPath, sts.Type, ruleMessageOrDefault(rule), rule.Reason))
-						remainingBudget = newRemainingBudget
-					}
-				} else {
-					addErr(fieldErrorForReason(currentFldPath, sts.Type, messageExpression, rule.Reason))
-					remainingBudget = newRemainingBudget
-				}
+		detail, ok := "", false
+		if compiled.MessageExpression != nil {
+			messageExpression, newRemainingBudget, msgErr := evalMessageExpression(ctx, compiled.MessageExpression, rule.MessageExpression, activation, remainingBudget)
+			if msgErr == nil {
+				detail, ok = messageExpression, true
+				remainingBudget = newRemainingBudget
+			} else if msgErr.Type == cel.ErrorTypeInternal {
+				addErr(field.InternalError(currentFldPath, msgErr))
+				return errs, -1
+			} else if msgErr.Type == cel.ErrorTypeInvalid {
+				addErr(field.Invalid(currentFldPath, sts.Type, msgErr.Error()))
+				return errs, -1
 			} else {
-				addErr(fieldErrorForReason(currentFldPath, sts.Type, ruleMessageOrDefault(rule), rule.Reason))
+				klog.V(2).ErrorS(msgErr, "messageExpression evaluation failed")
+				remainingBudget = newRemainingBudget
 			}
 		}
+		if !ok {
+			detail = ruleMessageOrDefault(rule)
+		}
+
+		value := obj
+		if sts.Type == "object" || sts.Type == "array" {
+			value = field.OmitValueType{}
+		}
+
+		addErr(fieldErrorForReason(currentFldPath, value, detail, rule.Reason))
 	}
 	return errs, remainingBudget
 }
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
index ea82e9a4fb086..006db6f149ef9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/validation_test.go
@@ -2363,7 +2363,7 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 			schema: objectTypePtr(map[string]schema.Structural{
 				"f/2": withRule(objectType(map[string]schema.Structural{"m": integerType}), "self.m == 2"),
 			}),
-			errors: []string{"Invalid value: \"object\": failed rule: self.m == 2"},
+			errors: []string{"Invalid value: failed rule: self.m == 2"},
 		},
 		// unescapable field names that are not accessed by the CEL rule are allowed and should not impact CEL rule validation
 		{name: "invalid rule under unescapable field name",
@@ -2397,7 +2397,7 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 			schema: objectTypePtr(map[string]schema.Structural{
 				"a@b": withRule(objectType(map[string]schema.Structural{"m": integerType}), "self.m == 2"),
 			}),
-			errors: []string{"Invalid value: \"object\": failed rule: self.m == 2"},
+			errors: []string{"Invalid value: failed rule: self.m == 2"},
 		},
 		{name: "matchExpressions - 'values' must be specified when 'operator' is 'In' or 'NotIn'",
 			obj: map[string]interface{}{
@@ -2696,8 +2696,8 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 				},
 			},
 			errors: []string{
-				`root.myProperty[key]: Invalid value: "string": must be value2 or not value`,
-				`root.myProperty[key2]: Invalid value: "string": len must be 5`,
+				`root.myProperty[key]: Invalid value: "value": must be value2 or not value`,
+				`root.myProperty[key2]: Invalid value: "value2": len must be 5`,
 			},
 			schema: &schema.Structural{
 				Generic: schema.Generic{
@@ -2742,8 +2742,8 @@ func TestValidationExpressionsAtSchemaLevels(t *testing.T) {
 				"key2": "value2",
 			},
 			errors: []string{
-				`root.key: Invalid value: "string": must be value2 or not value`,
-				`root.key2: Invalid value: "string": len must be 5`,
+				`root.key: Invalid value: "value": must be value2 or not value`,
+				`root.key2: Invalid value: "value2": len must be 5`,
 			},
 			schema: &schema.Structural{
 				Generic: schema.Generic{
@@ -3924,7 +3924,7 @@ func TestRatcheting(t *testing.T) {
 						type: string
 						x-kubernetes-validations:
 						- rule: self == "bar"
-						  message: "gotta be baz"
+						  message: "gotta be bar"
 				`),
 			oldObj: mustUnstructured(`
 				foo: baz
@@ -3933,7 +3933,7 @@ func TestRatcheting(t *testing.T) {
 				foo: baz
 			`),
 			warnings: []string{
-				`root.foo: Invalid value: "string": gotta be baz`,
+				`root.foo: Invalid value: "baz": gotta be bar`,
 			},
 		},
 		{
@@ -3960,7 +3960,7 @@ func TestRatcheting(t *testing.T) {
 				- bar: bar
 			`),
 			warnings: []string{
-				`root[0].bar: Invalid value: "string": gotta be baz`,
+				`root[0].bar: Invalid value: "bar": gotta be baz`,
 			},
 		},
 		{
@@ -3986,7 +3986,7 @@ func TestRatcheting(t *testing.T) {
 				- 2
 			`),
 			warnings: []string{
-				`root[1]: Invalid value: "number": gotta be odd`,
+				`root[1]: Invalid value: 2: gotta be odd`,
 			},
 		},
 		{
@@ -4020,7 +4020,7 @@ func TestRatcheting(t *testing.T) {
 				- 2
 			`),
 			warnings: []string{
-				`root.setArray[2]: Invalid value: "number": gotta be odd`,
+				`root.setArray[2]: Invalid value: 2: gotta be odd`,
 			},
 		},
 		{
@@ -4055,8 +4055,8 @@ func TestRatcheting(t *testing.T) {
 				  value: baz
 			`),
 			warnings: []string{
-				`root[0].value: Invalid value: "string": gotta be baz`,
-				`root[1].value: Invalid value: "string": gotta be baz`,
+				`root[0].value: Invalid value: "notbaz": gotta be baz`,
+				`root[1].value: Invalid value: "notbaz": gotta be baz`,
 			},
 		},
 		{
@@ -4089,7 +4089,7 @@ func TestRatcheting(t *testing.T) {
 				  value: notbaz
 			`),
 			warnings: []string{
-				`root[1].value: Invalid value: "string": gotta be baz`,
+				`root[1].value: Invalid value: "notbaz": gotta be baz`,
 			},
 		},
 		{
@@ -4131,8 +4131,8 @@ func TestRatcheting(t *testing.T) {
 						bar: notbaz
 			`),
 			warnings: []string{
-				`root.mapField.foo: Invalid value: "string": gotta be baz`,
-				`root.mapField.mapField.bar: Invalid value: "string": gotta be nested baz`,
+				`root.mapField.foo: Invalid value: "notbaz": gotta be baz`,
+				`root.mapField.mapField.bar: Invalid value: "notbaz": gotta be nested baz`,
 			},
 		},
 		{
@@ -4182,11 +4182,11 @@ func TestRatcheting(t *testing.T) {
 			`),
 			errors: []string{
 				// Didn't get ratcheted because we changed its value from baz to notbaz
-				`root.mapField.foo: Invalid value: "string": gotta be baz`,
+				`root.mapField.foo: Invalid value: "notbaz": gotta be baz`,
 			},
 			warnings: []string{
 				// Ratcheted because its value remained the same, even though it is invalid
-				`root.mapField.mapField.bar: Invalid value: "string": gotta be baz`,
+				`root.mapField.mapField.bar: Invalid value: "notbaz": gotta be baz`,
 			},
 		},
 		{
@@ -4219,7 +4219,7 @@ func TestRatcheting(t *testing.T) {
 				- bar: bar
 			`),
 			warnings: []string{
-				`root.atomicArray[0].bar: Invalid value: "string": gotta be baz`,
+				`root.atomicArray[0].bar: Invalid value: "bar": gotta be baz`,
 			},
 		},
 		{
@@ -4247,7 +4247,7 @@ func TestRatcheting(t *testing.T) {
 				- bar: baz
 			`),
 			errors: []string{
-				`root[0].bar: Invalid value: "string": gotta be baz`,
+				`root[0].bar: Invalid value: "bar": gotta be baz`,
 			},
 		},
 		{
@@ -4268,7 +4268,7 @@ func TestRatcheting(t *testing.T) {
 				foo: bar
 			`),
 			errors: []string{
-				`root.foo: Invalid value: "string": gotta be baz`,
+				`root.foo: Invalid value: "bar": gotta be baz`,
 			},
 		},
 		{
@@ -4295,7 +4295,7 @@ func TestRatcheting(t *testing.T) {
 				bar: invalid
 			`),
 			errors: []string{
-				`root.foo: Invalid value: "object": gotta be baz`,
+				`root.foo: Invalid value: gotta be baz`,
 			},
 		},
 		{
@@ -4351,8 +4351,8 @@ func TestRatcheting(t *testing.T) {
 				kind: Baz
 			`),
 			errors: []string{
-				`root.apiVersion: Invalid value: "string": failed rule: self == "v1"`,
-				`root.kind: Invalid value: "string": failed rule: self == "Pod"`,
+				`root.apiVersion: Invalid value: "v2": failed rule: self == "v1"`,
+				`root.kind: Invalid value: "Baz": failed rule: self == "Pod"`,
 			},
 		},
 		{
@@ -4420,12 +4420,12 @@ func TestRatcheting(t *testing.T) {
 				  otherField: newValue3
 			`),
 			warnings: []string{
-				`root.subField.apiVersion: Invalid value: "string": failed rule: self == "v1"`,
-				`root.subField.kind: Invalid value: "string": failed rule: self == "Pod"`,
-				`root.list[0].apiVersion: Invalid value: "string": failed rule: self == "v1"`,
-				`root.list[0].kind: Invalid value: "string": failed rule: self == "Pod"`,
-				`root.list[1].apiVersion: Invalid value: "string": failed rule: self == "v1"`,
-				`root.list[1].kind: Invalid value: "string": failed rule: self == "Pod"`,
+				`root.subField.apiVersion: Invalid value: "v2": failed rule: self == "v1"`,
+				`root.subField.kind: Invalid value: "Baz": failed rule: self == "Pod"`,
+				`root.list[0].apiVersion: Invalid value: "v2": failed rule: self == "v1"`,
+				`root.list[0].kind: Invalid value: "Baz": failed rule: self == "Pod"`,
+				`root.list[1].apiVersion: Invalid value: "v3": failed rule: self == "v1"`,
+				`root.list[1].kind: Invalid value: "Bar": failed rule: self == "Pod"`,
 			},
 		},
 	}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation_test.go
index a35496b00f1a1..ff324c270533b 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/validation/validation_test.go
@@ -463,7 +463,7 @@ func TestValidateCustomResource(t *testing.T) {
 					object:    map[string]interface{}{"field": "y"},
 					oldObject: map[string]interface{}{"field": "x"},
 					expectErrs: []string{
-						`field: Invalid value: "string": failed rule: self == oldSelf`,
+						`field: Invalid value: "y": failed rule: self == oldSelf`,
 					}},
 			},
 		},
@@ -511,7 +511,7 @@ func TestValidateCustomResource(t *testing.T) {
 					object:    map[string]interface{}{"field": []interface{}{map[string]interface{}{"k1": "a", "k2": "b", "v1": 0.9}}},
 					oldObject: map[string]interface{}{"field": []interface{}{map[string]interface{}{"k1": "a", "k2": "b", "v1": 1.0}}},
 					expectErrs: []string{
-						`field[0].v1: Invalid value: "number": failed rule: self >= oldSelf`,
+						`field[0].v1: Invalid value: 0.9: failed rule: self >= oldSelf`,
 					}},
 			},
 		},
@@ -550,7 +550,7 @@ func TestValidateCustomResource(t *testing.T) {
 				{
 					object: map[string]interface{}{"field": []interface{}{map[string]interface{}{"x": "y"}}},
 					expectErrs: []string{
-						`field[0].x: Invalid value: "string": failed rule: self == 'x'`,
+						`field[0].x: Invalid value: "y": failed rule: self == 'x'`,
 					}},
 			},
 		},
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcecolumndefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcecolumndefinition.go
index eb77daba353e8..3c14acfc2ef7d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcecolumndefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcecolumndefinition.go
@@ -20,13 +20,27 @@ package v1
 
 // CustomResourceColumnDefinitionApplyConfiguration represents a declarative configuration of the CustomResourceColumnDefinition type for use
 // with apply.
+//
+// CustomResourceColumnDefinition specifies a column for server side printing.
 type CustomResourceColumnDefinitionApplyConfiguration struct {
-	Name        *string `json:"name,omitempty"`
-	Type        *string `json:"type,omitempty"`
-	Format      *string `json:"format,omitempty"`
+	// name is a human readable name for the column.
+	Name *string `json:"name,omitempty"`
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	Type *string `json:"type,omitempty"`
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	Format *string `json:"format,omitempty"`
+	// description is a human readable description of this column.
 	Description *string `json:"description,omitempty"`
-	Priority    *int32  `json:"priority,omitempty"`
-	JSONPath    *string `json:"jsonPath,omitempty"`
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	Priority *int32 `json:"priority,omitempty"`
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	JSONPath *string `json:"jsonPath,omitempty"`
 }
 
 // CustomResourceColumnDefinitionApplyConfiguration constructs a declarative configuration of the CustomResourceColumnDefinition type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourceconversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourceconversion.go
index 25e43cc00c3c8..f2d1853366be2 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourceconversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourceconversion.go
@@ -24,9 +24,16 @@ import (
 
 // CustomResourceConversionApplyConfiguration represents a declarative configuration of the CustomResourceConversion type for use
 // with apply.
+//
+// CustomResourceConversion describes how to convert different versions of a CR.
 type CustomResourceConversionApplyConfiguration struct {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+	// is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
 	Strategy *apiextensionsv1.ConversionStrategyType `json:"strategy,omitempty"`
-	Webhook  *WebhookConversionApplyConfiguration    `json:"webhook,omitempty"`
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
+	Webhook *WebhookConversionApplyConfiguration `json:"webhook,omitempty"`
 }
 
 // CustomResourceConversionApplyConfiguration constructs a declarative configuration of the CustomResourceConversion type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go
index 742af4ad81130..4884c25237279 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinition.go
@@ -26,11 +26,18 @@ import (
 
 // CustomResourceDefinitionApplyConfiguration represents a declarative configuration of the CustomResourceDefinition type for use
 // with apply.
+//
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
 type CustomResourceDefinitionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *CustomResourceDefinitionSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *CustomResourceDefinitionStatusApplyConfiguration `json:"status,omitempty"`
+	// spec describes how the user wants the resources to appear
+	Spec *CustomResourceDefinitionSpecApplyConfiguration `json:"spec,omitempty"`
+	// status indicates the actual state of the CustomResourceDefinition
+	Status *CustomResourceDefinitionStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CustomResourceDefinition constructs a declarative configuration of the CustomResourceDefinition type for use with
@@ -42,6 +49,7 @@ func CustomResourceDefinition(name string) *CustomResourceDefinitionApplyConfigu
 	b.WithAPIVersion("apiextensions.k8s.io/v1")
 	return b
 }
+
 func (b CustomResourceDefinitionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitioncondition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitioncondition.go
index 228120520c590..54f7d2d7b7d60 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitioncondition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitioncondition.go
@@ -25,12 +25,24 @@ import (
 
 // CustomResourceDefinitionConditionApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionCondition type for use
 // with apply.
+//
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
 type CustomResourceDefinitionConditionApplyConfiguration struct {
-	Type               *apiextensionsv1.CustomResourceDefinitionConditionType `json:"type,omitempty"`
-	Status             *apiextensionsv1.ConditionStatus                       `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                                           `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                `json:"reason,omitempty"`
-	Message            *string                                                `json:"message,omitempty"`
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	Type *apiextensionsv1.CustomResourceDefinitionConditionType `json:"type,omitempty"`
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	Status *apiextensionsv1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
 }
 
 // CustomResourceDefinitionConditionApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionCondition type for use with
@@ -78,3 +90,11 @@ func (b *CustomResourceDefinitionConditionApplyConfiguration) WithMessage(value
 	b.Message = &value
 	return b
 }
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CustomResourceDefinitionConditionApplyConfiguration) WithObservedGeneration(value int64) *CustomResourceDefinitionConditionApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionnames.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionnames.go
index ca0c02f0e0964..d6558eec85753 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionnames.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionnames.go
@@ -20,12 +20,28 @@ package v1
 
 // CustomResourceDefinitionNamesApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionNames type for use
 // with apply.
+//
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
 type CustomResourceDefinitionNamesApplyConfiguration struct {
-	Plural     *string  `json:"plural,omitempty"`
-	Singular   *string  `json:"singular,omitempty"`
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	Plural *string `json:"plural,omitempty"`
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	Singular *string `json:"singular,omitempty"`
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
 	ShortNames []string `json:"shortNames,omitempty"`
-	Kind       *string  `json:"kind,omitempty"`
-	ListKind   *string  `json:"listKind,omitempty"`
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	Kind *string `json:"kind,omitempty"`
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	ListKind *string `json:"listKind,omitempty"`
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
 	Categories []string `json:"categories,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionspec.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionspec.go
index 9d0573f44be23..b33a8241846d2 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionspec.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionspec.go
@@ -24,13 +24,35 @@ import (
 
 // CustomResourceDefinitionSpecApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionSpec type for use
 // with apply.
+//
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
 type CustomResourceDefinitionSpecApplyConfiguration struct {
-	Group                 *string                                             `json:"group,omitempty"`
-	Names                 *CustomResourceDefinitionNamesApplyConfiguration    `json:"names,omitempty"`
-	Scope                 *apiextensionsv1.ResourceScope                      `json:"scope,omitempty"`
-	Versions              []CustomResourceDefinitionVersionApplyConfiguration `json:"versions,omitempty"`
-	Conversion            *CustomResourceConversionApplyConfiguration         `json:"conversion,omitempty"`
-	PreserveUnknownFields *bool                                               `json:"preserveUnknownFields,omitempty"`
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	Group *string `json:"group,omitempty"`
+	// names specify the resource and kind names for the custom resource.
+	Names *CustomResourceDefinitionNamesApplyConfiguration `json:"names,omitempty"`
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	Scope *apiextensionsv1.ResourceScope `json:"scope,omitempty"`
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	Versions []CustomResourceDefinitionVersionApplyConfiguration `json:"versions,omitempty"`
+	// conversion defines conversion settings for the CRD.
+	Conversion *CustomResourceConversionApplyConfiguration `json:"conversion,omitempty"`
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	PreserveUnknownFields *bool `json:"preserveUnknownFields,omitempty"`
 }
 
 // CustomResourceDefinitionSpecApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionSpec type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionstatus.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionstatus.go
index 4fd09be5a0e1e..8a590de96b940 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionstatus.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionstatus.go
@@ -20,10 +20,23 @@ package v1
 
 // CustomResourceDefinitionStatusApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionStatus type for use
 // with apply.
+//
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
 type CustomResourceDefinitionStatusApplyConfiguration struct {
-	Conditions     []CustomResourceDefinitionConditionApplyConfiguration `json:"conditions,omitempty"`
-	AcceptedNames  *CustomResourceDefinitionNamesApplyConfiguration      `json:"acceptedNames,omitempty"`
-	StoredVersions []string                                              `json:"storedVersions,omitempty"`
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	Conditions []CustomResourceDefinitionConditionApplyConfiguration `json:"conditions,omitempty"`
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	AcceptedNames *CustomResourceDefinitionNamesApplyConfiguration `json:"acceptedNames,omitempty"`
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	StoredVersions []string `json:"storedVersions,omitempty"`
+	// The generation observed by the CRD controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
 }
 
 // CustomResourceDefinitionStatusApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionStatus type for use with
@@ -62,3 +75,11 @@ func (b *CustomResourceDefinitionStatusApplyConfiguration) WithStoredVersions(va
 	}
 	return b
 }
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CustomResourceDefinitionStatusApplyConfiguration) WithObservedGeneration(value int64) *CustomResourceDefinitionStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionversion.go
index f96ba88f467db..0362753e81c47 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcedefinitionversion.go
@@ -20,16 +20,38 @@ package v1
 
 // CustomResourceDefinitionVersionApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionVersion type for use
 // with apply.
+//
+// CustomResourceDefinitionVersion describes a version for CRD.
 type CustomResourceDefinitionVersionApplyConfiguration struct {
-	Name                     *string                                            `json:"name,omitempty"`
-	Served                   *bool                                              `json:"served,omitempty"`
-	Storage                  *bool                                              `json:"storage,omitempty"`
-	Deprecated               *bool                                              `json:"deprecated,omitempty"`
-	DeprecationWarning       *string                                            `json:"deprecationWarning,omitempty"`
-	Schema                   *CustomResourceValidationApplyConfiguration        `json:"schema,omitempty"`
-	Subresources             *CustomResourceSubresourcesApplyConfiguration      `json:"subresources,omitempty"`
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	Name *string `json:"name,omitempty"`
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	Served *bool `json:"served,omitempty"`
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	Storage *bool `json:"storage,omitempty"`
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	Deprecated *bool `json:"deprecated,omitempty"`
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	DeprecationWarning *string `json:"deprecationWarning,omitempty"`
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	Schema *CustomResourceValidationApplyConfiguration `json:"schema,omitempty"`
+	// subresources specify what subresources this version of the defined custom resource have.
+	Subresources *CustomResourceSubresourcesApplyConfiguration `json:"subresources,omitempty"`
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
 	AdditionalPrinterColumns []CustomResourceColumnDefinitionApplyConfiguration `json:"additionalPrinterColumns,omitempty"`
-	SelectableFields         []SelectableFieldApplyConfiguration                `json:"selectableFields,omitempty"`
+	// selectableFields specifies paths to fields that may be used as field selectors.
+	// A maximum of 8 selectable fields are allowed.
+	// See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors
+	SelectableFields []SelectableFieldApplyConfiguration `json:"selectableFields,omitempty"`
 }
 
 // CustomResourceDefinitionVersionApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionVersion type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresources.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresources.go
index f8d5be3c7f3e8..77307d9af039c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresources.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresources.go
@@ -24,9 +24,16 @@ import (
 
 // CustomResourceSubresourcesApplyConfiguration represents a declarative configuration of the CustomResourceSubresources type for use
 // with apply.
+//
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
 type CustomResourceSubresourcesApplyConfiguration struct {
-	Status *apiextensionsv1.CustomResourceSubresourceStatus  `json:"status,omitempty"`
-	Scale  *CustomResourceSubresourceScaleApplyConfiguration `json:"scale,omitempty"`
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	Status *apiextensionsv1.CustomResourceSubresourceStatus `json:"status,omitempty"`
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	Scale *CustomResourceSubresourceScaleApplyConfiguration `json:"scale,omitempty"`
 }
 
 // CustomResourceSubresourcesApplyConfiguration constructs a declarative configuration of the CustomResourceSubresources type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresourcescale.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresourcescale.go
index 7859675fdd18e..61743e236a024 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresourcescale.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcesubresourcescale.go
@@ -20,10 +20,30 @@ package v1
 
 // CustomResourceSubresourceScaleApplyConfiguration represents a declarative configuration of the CustomResourceSubresourceScale type for use
 // with apply.
+//
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
 type CustomResourceSubresourceScaleApplyConfiguration struct {
-	SpecReplicasPath   *string `json:"specReplicasPath,omitempty"`
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	SpecReplicasPath *string `json:"specReplicasPath,omitempty"`
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
 	StatusReplicasPath *string `json:"statusReplicasPath,omitempty"`
-	LabelSelectorPath  *string `json:"labelSelectorPath,omitempty"`
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	LabelSelectorPath *string `json:"labelSelectorPath,omitempty"`
 }
 
 // CustomResourceSubresourceScaleApplyConfiguration constructs a declarative configuration of the CustomResourceSubresourceScale type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcevalidation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcevalidation.go
index 6a8cf17d55107..459ea7e69d7d9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcevalidation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/customresourcevalidation.go
@@ -20,7 +20,10 @@ package v1
 
 // CustomResourceValidationApplyConfiguration represents a declarative configuration of the CustomResourceValidation type for use
 // with apply.
+//
+// CustomResourceValidation is a list of validation methods for CustomResources.
 type CustomResourceValidationApplyConfiguration struct {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
 	OpenAPIV3Schema *JSONSchemaPropsApplyConfiguration `json:"openAPIV3Schema,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/externaldocumentation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/externaldocumentation.go
index 761a957a02578..907f2ae7e3193 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/externaldocumentation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/externaldocumentation.go
@@ -20,6 +20,8 @@ package v1
 
 // ExternalDocumentationApplyConfiguration represents a declarative configuration of the ExternalDocumentation type for use
 // with apply.
+//
+// ExternalDocumentation allows referencing an external resource for extended documentation.
 type ExternalDocumentationApplyConfiguration struct {
 	Description *string `json:"description,omitempty"`
 	URL         *string `json:"url,omitempty"`
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/jsonschemaprops.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/jsonschemaprops.go
index d6595ce1d5e3c..8441405281d27 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/jsonschemaprops.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/jsonschemaprops.go
@@ -24,51 +24,142 @@ import (
 
 // JSONSchemaPropsApplyConfiguration represents a declarative configuration of the JSONSchemaProps type for use
 // with apply.
+//
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
 type JSONSchemaPropsApplyConfiguration struct {
-	ID                     *string                                      `json:"id,omitempty"`
-	Schema                 *apiextensionsv1.JSONSchemaURL               `json:"$schema,omitempty"`
-	Ref                    *string                                      `json:"$ref,omitempty"`
-	Description            *string                                      `json:"description,omitempty"`
-	Type                   *string                                      `json:"type,omitempty"`
-	Format                 *string                                      `json:"format,omitempty"`
-	Title                  *string                                      `json:"title,omitempty"`
-	Default                *apiextensionsv1.JSON                        `json:"default,omitempty"`
-	Maximum                *float64                                     `json:"maximum,omitempty"`
-	ExclusiveMaximum       *bool                                        `json:"exclusiveMaximum,omitempty"`
-	Minimum                *float64                                     `json:"minimum,omitempty"`
-	ExclusiveMinimum       *bool                                        `json:"exclusiveMinimum,omitempty"`
-	MaxLength              *int64                                       `json:"maxLength,omitempty"`
-	MinLength              *int64                                       `json:"minLength,omitempty"`
-	Pattern                *string                                      `json:"pattern,omitempty"`
-	MaxItems               *int64                                       `json:"maxItems,omitempty"`
-	MinItems               *int64                                       `json:"minItems,omitempty"`
-	UniqueItems            *bool                                        `json:"uniqueItems,omitempty"`
-	MultipleOf             *float64                                     `json:"multipleOf,omitempty"`
-	Enum                   []apiextensionsv1.JSON                       `json:"enum,omitempty"`
-	MaxProperties          *int64                                       `json:"maxProperties,omitempty"`
-	MinProperties          *int64                                       `json:"minProperties,omitempty"`
-	Required               []string                                     `json:"required,omitempty"`
-	Items                  *apiextensionsv1.JSONSchemaPropsOrArray      `json:"items,omitempty"`
-	AllOf                  []JSONSchemaPropsApplyConfiguration          `json:"allOf,omitempty"`
-	OneOf                  []JSONSchemaPropsApplyConfiguration          `json:"oneOf,omitempty"`
-	AnyOf                  []JSONSchemaPropsApplyConfiguration          `json:"anyOf,omitempty"`
-	Not                    *JSONSchemaPropsApplyConfiguration           `json:"not,omitempty"`
-	Properties             map[string]JSONSchemaPropsApplyConfiguration `json:"properties,omitempty"`
-	AdditionalProperties   *apiextensionsv1.JSONSchemaPropsOrBool       `json:"additionalProperties,omitempty"`
-	PatternProperties      map[string]JSONSchemaPropsApplyConfiguration `json:"patternProperties,omitempty"`
-	Dependencies           *apiextensionsv1.JSONSchemaDependencies      `json:"dependencies,omitempty"`
-	AdditionalItems        *apiextensionsv1.JSONSchemaPropsOrBool       `json:"additionalItems,omitempty"`
-	Definitions            *apiextensionsv1.JSONSchemaDefinitions       `json:"definitions,omitempty"`
-	ExternalDocs           *ExternalDocumentationApplyConfiguration     `json:"externalDocs,omitempty"`
-	Example                *apiextensionsv1.JSON                        `json:"example,omitempty"`
-	Nullable               *bool                                        `json:"nullable,omitempty"`
-	XPreserveUnknownFields *bool                                        `json:"x-kubernetes-preserve-unknown-fields,omitempty"`
-	XEmbeddedResource      *bool                                        `json:"x-kubernetes-embedded-resource,omitempty"`
-	XIntOrString           *bool                                        `json:"x-kubernetes-int-or-string,omitempty"`
-	XListMapKeys           []string                                     `json:"x-kubernetes-list-map-keys,omitempty"`
-	XListType              *string                                      `json:"x-kubernetes-list-type,omitempty"`
-	XMapType               *string                                      `json:"x-kubernetes-map-type,omitempty"`
-	XValidations           *apiextensionsv1.ValidationRules             `json:"x-kubernetes-validations,omitempty"`
+	ID          *string                        `json:"id,omitempty"`
+	Schema      *apiextensionsv1.JSONSchemaURL `json:"$schema,omitempty"`
+	Ref         *string                        `json:"$ref,omitempty"`
+	Description *string                        `json:"description,omitempty"`
+	Type        *string                        `json:"type,omitempty"`
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	Format *string `json:"format,omitempty"`
+	Title  *string `json:"title,omitempty"`
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	Default              *apiextensionsv1.JSON                        `json:"default,omitempty"`
+	Maximum              *float64                                     `json:"maximum,omitempty"`
+	ExclusiveMaximum     *bool                                        `json:"exclusiveMaximum,omitempty"`
+	Minimum              *float64                                     `json:"minimum,omitempty"`
+	ExclusiveMinimum     *bool                                        `json:"exclusiveMinimum,omitempty"`
+	MaxLength            *int64                                       `json:"maxLength,omitempty"`
+	MinLength            *int64                                       `json:"minLength,omitempty"`
+	Pattern              *string                                      `json:"pattern,omitempty"`
+	MaxItems             *int64                                       `json:"maxItems,omitempty"`
+	MinItems             *int64                                       `json:"minItems,omitempty"`
+	UniqueItems          *bool                                        `json:"uniqueItems,omitempty"`
+	MultipleOf           *float64                                     `json:"multipleOf,omitempty"`
+	Enum                 []apiextensionsv1.JSON                       `json:"enum,omitempty"`
+	MaxProperties        *int64                                       `json:"maxProperties,omitempty"`
+	MinProperties        *int64                                       `json:"minProperties,omitempty"`
+	Required             []string                                     `json:"required,omitempty"`
+	Items                *apiextensionsv1.JSONSchemaPropsOrArray      `json:"items,omitempty"`
+	AllOf                []JSONSchemaPropsApplyConfiguration          `json:"allOf,omitempty"`
+	OneOf                []JSONSchemaPropsApplyConfiguration          `json:"oneOf,omitempty"`
+	AnyOf                []JSONSchemaPropsApplyConfiguration          `json:"anyOf,omitempty"`
+	Not                  *JSONSchemaPropsApplyConfiguration           `json:"not,omitempty"`
+	Properties           map[string]JSONSchemaPropsApplyConfiguration `json:"properties,omitempty"`
+	AdditionalProperties *apiextensionsv1.JSONSchemaPropsOrBool       `json:"additionalProperties,omitempty"`
+	PatternProperties    map[string]JSONSchemaPropsApplyConfiguration `json:"patternProperties,omitempty"`
+	Dependencies         *apiextensionsv1.JSONSchemaDependencies      `json:"dependencies,omitempty"`
+	AdditionalItems      *apiextensionsv1.JSONSchemaPropsOrBool       `json:"additionalItems,omitempty"`
+	Definitions          *apiextensionsv1.JSONSchemaDefinitions       `json:"definitions,omitempty"`
+	ExternalDocs         *ExternalDocumentationApplyConfiguration     `json:"externalDocs,omitempty"`
+	Example              *apiextensionsv1.JSON                        `json:"example,omitempty"`
+	Nullable             *bool                                        `json:"nullable,omitempty"`
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	XPreserveUnknownFields *bool `json:"x-kubernetes-preserve-unknown-fields,omitempty"`
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	XEmbeddedResource *bool `json:"x-kubernetes-embedded-resource,omitempty"`
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	// - type: integer
+	// - type: string
+	// 2) allOf:
+	// - anyOf:
+	// - type: integer
+	// - type: string
+	// - ... zero or more
+	XIntOrString *bool `json:"x-kubernetes-int-or-string,omitempty"`
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	XListMapKeys []string `json:"x-kubernetes-list-map-keys,omitempty"`
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	// Atomic lists will be entirely replaced when updated. This extension
+	// may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	// Sets are lists that must not have multiple items with the same value. Each
+	// value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	// array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	// These lists are like maps in that their elements have a non-index key
+	// used to identify them. Order is preserved upon merge. The map tag
+	// must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	XListType *string `json:"x-kubernetes-list-type,omitempty"`
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	// These maps are actual maps (key-value pairs) and each fields are independent
+	// from each other (they can each be manipulated by separate actors). This is
+	// the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	// Atomic maps will be entirely replaced when updated.
+	XMapType *string `json:"x-kubernetes-map-type,omitempty"`
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	XValidations *apiextensionsv1.ValidationRules `json:"x-kubernetes-validations,omitempty"`
 }
 
 // JSONSchemaPropsApplyConfiguration constructs a declarative configuration of the JSONSchemaProps type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/selectablefield.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/selectablefield.go
index 33f655a764867..b1edc643fd37d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/selectablefield.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/selectablefield.go
@@ -20,7 +20,17 @@ package v1
 
 // SelectableFieldApplyConfiguration represents a declarative configuration of the SelectableField type for use
 // with apply.
+//
+// SelectableField specifies the JSON path of a field that may be used with field selectors.
 type SelectableFieldApplyConfiguration struct {
+	// jsonPath is a simple JSON path which is evaluated against each custom resource to produce a
+	// field selector value.
+	// Only JSON paths without the array notation are allowed.
+	// Must point to a field of type string, boolean or integer. Types with enum values
+	// and strings with formats are allowed.
+	// If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty string.
+	// Must not point to metdata fields.
+	// Required.
 	JSONPath *string `json:"jsonPath,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/servicereference.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/servicereference.go
index 239780664df53..215bc3a14e130 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/servicereference.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/servicereference.go
@@ -20,11 +20,21 @@ package v1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// namespace is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// name is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// path is an optional URL path at which the webhook will be contacted.
+	Path *string `json:"path,omitempty"`
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/validationrule.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/validationrule.go
index 5ee4149284817..4f2278bf22057 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/validationrule.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/validationrule.go
@@ -24,13 +24,121 @@ import (
 
 // ValidationRuleApplyConfiguration represents a declarative configuration of the ValidationRule type for use
 // with apply.
+//
+// ValidationRule describes a validation rule written in the CEL expression language.
 type ValidationRuleApplyConfiguration struct {
-	Rule              *string                                `json:"rule,omitempty"`
-	Message           *string                                `json:"message,omitempty"`
-	MessageExpression *string                                `json:"messageExpression,omitempty"`
-	Reason            *apiextensionsv1.FieldValueErrorReason `json:"reason,omitempty"`
-	FieldPath         *string                                `json:"fieldPath,omitempty"`
-	OptionalOldSelf   *bool                                  `json:"optionalOldSelf,omitempty"`
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	// - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	// - An array where the items schema is of an "unknown type"
+	// - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	// - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	// - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	//
+	// If `rule` makes use of the `oldSelf` variable it is implicitly a
+	// `transition rule`.
+	//
+	// By default, the `oldSelf` variable is the same type as `self`.
+	// When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
+	// variable whose value() is the same type as `self`.
+	// See the documentation for the `optionalOldSelf` field for details.
+	//
+	// Transition rules by default are applied only on UPDATE requests and are
+	// skipped if an old value could not be found. You can opt a transition
+	// rule into unconditional evaluation by setting `optionalOldSelf` to true.
+	Rule *string `json:"rule,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	Message *string `json:"message,omitempty"`
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	Reason *apiextensionsv1.FieldValueErrorReason `json:"reason,omitempty"`
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	FieldPath *string `json:"fieldPath,omitempty"`
+	// optionalOldSelf is used to opt a transition rule into evaluation
+	// even when the object is first created, or if the old object is
+	// missing the value.
+	//
+	// When enabled `oldSelf` will be a CEL optional whose value will be
+	// `None` if there is no old value, or when the object is initially created.
+	//
+	// You may check for presence of oldSelf using `oldSelf.hasValue()` and
+	// unwrap it after checking using `oldSelf.value()`. Check the CEL
+	// documentation for Optional types for more information:
+	// https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
+	//
+	// May not be set unless `oldSelf` is used in `rule`.
+	OptionalOldSelf *bool `json:"optionalOldSelf,omitempty"`
 }
 
 // ValidationRuleApplyConfiguration constructs a declarative configuration of the ValidationRule type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookclientconfig.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookclientconfig.go
index 77f2227b95ce0..c984e1dc8e796 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookclientconfig.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookclientconfig.go
@@ -20,10 +20,43 @@ package v1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookconversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookconversion.go
index 884fbc5fa859c..6daf74eac0c44 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookconversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1/webhookconversion.go
@@ -20,9 +20,18 @@ package v1
 
 // WebhookConversionApplyConfiguration represents a declarative configuration of the WebhookConversion type for use
 // with apply.
+//
+// WebhookConversion describes how to call a conversion webhook
 type WebhookConversionApplyConfiguration struct {
-	ClientConfig             *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
-	ConversionReviewVersions []string                               `json:"conversionReviewVersions,omitempty"`
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	ConversionReviewVersions []string `json:"conversionReviewVersions,omitempty"`
 }
 
 // WebhookConversionApplyConfiguration constructs a declarative configuration of the WebhookConversion type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcecolumndefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcecolumndefinition.go
index 9ee2318d1a500..ea6f783babc8c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcecolumndefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcecolumndefinition.go
@@ -20,13 +20,27 @@ package v1beta1
 
 // CustomResourceColumnDefinitionApplyConfiguration represents a declarative configuration of the CustomResourceColumnDefinition type for use
 // with apply.
+//
+// CustomResourceColumnDefinition specifies a column for server side printing.
 type CustomResourceColumnDefinitionApplyConfiguration struct {
-	Name        *string `json:"name,omitempty"`
-	Type        *string `json:"type,omitempty"`
-	Format      *string `json:"format,omitempty"`
+	// name is a human readable name for the column.
+	Name *string `json:"name,omitempty"`
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	Type *string `json:"type,omitempty"`
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	Format *string `json:"format,omitempty"`
+	// description is a human readable description of this column.
 	Description *string `json:"description,omitempty"`
-	Priority    *int32  `json:"priority,omitempty"`
-	JSONPath    *string `json:"JSONPath,omitempty"`
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	Priority *int32 `json:"priority,omitempty"`
+	// JSONPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	JSONPath *string `json:"JSONPath,omitempty"`
 }
 
 // CustomResourceColumnDefinitionApplyConfiguration constructs a declarative configuration of the CustomResourceColumnDefinition type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourceconversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourceconversion.go
index f652c96d52592..8cc99f2eb15d4 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourceconversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourceconversion.go
@@ -24,10 +24,25 @@ import (
 
 // CustomResourceConversionApplyConfiguration represents a declarative configuration of the CustomResourceConversion type for use
 // with apply.
+//
+// CustomResourceConversion describes how to convert different versions of a CR.
 type CustomResourceConversionApplyConfiguration struct {
-	Strategy                 *apiextensionsv1beta1.ConversionStrategyType `json:"strategy,omitempty"`
-	WebhookClientConfig      *WebhookClientConfigApplyConfiguration       `json:"webhookClientConfig,omitempty"`
-	ConversionReviewVersions []string                                     `json:"conversionReviewVersions,omitempty"`
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information
+	// is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhookClientConfig to be set.
+	Strategy *apiextensionsv1beta1.ConversionStrategyType `json:"strategy,omitempty"`
+	// webhookClientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// Required when `strategy` is set to `Webhook`.
+	WebhookClientConfig *WebhookClientConfigApplyConfiguration `json:"webhookClientConfig,omitempty"`
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	// Defaults to `["v1beta1"]`.
+	ConversionReviewVersions []string `json:"conversionReviewVersions,omitempty"`
 }
 
 // CustomResourceConversionApplyConfiguration constructs a declarative configuration of the CustomResourceConversion type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go
index 8df22620d6a82..4838dafcb6d2c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinition.go
@@ -26,11 +26,19 @@ import (
 
 // CustomResourceDefinitionApplyConfiguration represents a declarative configuration of the CustomResourceDefinition type for use
 // with apply.
+//
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+// Deprecated in v1.16, planned for removal in v1.22. Use apiextensions.k8s.io/v1 CustomResourceDefinition instead.
 type CustomResourceDefinitionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *CustomResourceDefinitionSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *CustomResourceDefinitionStatusApplyConfiguration `json:"status,omitempty"`
+	// spec describes how the user wants the resources to appear
+	Spec *CustomResourceDefinitionSpecApplyConfiguration `json:"spec,omitempty"`
+	// status indicates the actual state of the CustomResourceDefinition
+	Status *CustomResourceDefinitionStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CustomResourceDefinition constructs a declarative configuration of the CustomResourceDefinition type for use with
@@ -42,6 +50,7 @@ func CustomResourceDefinition(name string) *CustomResourceDefinitionApplyConfigu
 	b.WithAPIVersion("apiextensions.k8s.io/v1beta1")
 	return b
 }
+
 func (b CustomResourceDefinitionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitioncondition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitioncondition.go
index 4d19e1b5b6a85..ce0577234ca94 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitioncondition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitioncondition.go
@@ -25,12 +25,24 @@ import (
 
 // CustomResourceDefinitionConditionApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionCondition type for use
 // with apply.
+//
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
 type CustomResourceDefinitionConditionApplyConfiguration struct {
-	Type               *apiextensionsv1beta1.CustomResourceDefinitionConditionType `json:"type,omitempty"`
-	Status             *apiextensionsv1beta1.ConditionStatus                       `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                     `json:"reason,omitempty"`
-	Message            *string                                                     `json:"message,omitempty"`
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	Type *apiextensionsv1beta1.CustomResourceDefinitionConditionType `json:"type,omitempty"`
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	Status *apiextensionsv1beta1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
 }
 
 // CustomResourceDefinitionConditionApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionCondition type for use with
@@ -78,3 +90,11 @@ func (b *CustomResourceDefinitionConditionApplyConfiguration) WithMessage(value
 	b.Message = &value
 	return b
 }
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CustomResourceDefinitionConditionApplyConfiguration) WithObservedGeneration(value int64) *CustomResourceDefinitionConditionApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionnames.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionnames.go
index 44b49bcbbeb0a..4ad23b7b291ff 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionnames.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionnames.go
@@ -20,12 +20,28 @@ package v1beta1
 
 // CustomResourceDefinitionNamesApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionNames type for use
 // with apply.
+//
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
 type CustomResourceDefinitionNamesApplyConfiguration struct {
-	Plural     *string  `json:"plural,omitempty"`
-	Singular   *string  `json:"singular,omitempty"`
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	Plural *string `json:"plural,omitempty"`
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	Singular *string `json:"singular,omitempty"`
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
 	ShortNames []string `json:"shortNames,omitempty"`
-	Kind       *string  `json:"kind,omitempty"`
-	ListKind   *string  `json:"listKind,omitempty"`
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	Kind *string `json:"kind,omitempty"`
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	ListKind *string `json:"listKind,omitempty"`
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
 	Categories []string `json:"categories,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionspec.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionspec.go
index 5046882ae10fb..12e24ba2faef6 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionspec.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionspec.go
@@ -24,18 +24,63 @@ import (
 
 // CustomResourceDefinitionSpecApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionSpec type for use
 // with apply.
+//
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
 type CustomResourceDefinitionSpecApplyConfiguration struct {
-	Group                    *string                                             `json:"group,omitempty"`
-	Version                  *string                                             `json:"version,omitempty"`
-	Names                    *CustomResourceDefinitionNamesApplyConfiguration    `json:"names,omitempty"`
-	Scope                    *apiextensionsv1beta1.ResourceScope                 `json:"scope,omitempty"`
-	Validation               *CustomResourceValidationApplyConfiguration         `json:"validation,omitempty"`
-	Subresources             *CustomResourceSubresourcesApplyConfiguration       `json:"subresources,omitempty"`
-	Versions                 []CustomResourceDefinitionVersionApplyConfiguration `json:"versions,omitempty"`
-	AdditionalPrinterColumns []CustomResourceColumnDefinitionApplyConfiguration  `json:"additionalPrinterColumns,omitempty"`
-	SelectableFields         []SelectableFieldApplyConfiguration                 `json:"selectableFields,omitempty"`
-	Conversion               *CustomResourceConversionApplyConfiguration         `json:"conversion,omitempty"`
-	PreserveUnknownFields    *bool                                               `json:"preserveUnknownFields,omitempty"`
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	Group *string `json:"group,omitempty"`
+	// version is the API version of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/<version>/...`.
+	// Must match the name of the first item in the `versions` list if `version` and `versions` are both specified.
+	// Optional if `versions` is specified.
+	// Deprecated: use `versions` instead.
+	Version *string `json:"version,omitempty"`
+	// names specify the resource and kind names for the custom resource.
+	Names *CustomResourceDefinitionNamesApplyConfiguration `json:"names,omitempty"`
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`. Default is `Namespaced`.
+	Scope *apiextensionsv1beta1.ResourceScope `json:"scope,omitempty"`
+	// validation describes the schema used for validation and pruning of the custom resource.
+	// If present, this validation schema is used to validate all versions.
+	// Top-level and per-version schemas are mutually exclusive.
+	Validation *CustomResourceValidationApplyConfiguration `json:"validation,omitempty"`
+	// subresources specify what subresources the defined custom resource has.
+	// If present, this field configures subresources for all versions.
+	// Top-level and per-version subresources are mutually exclusive.
+	Subresources *CustomResourceSubresourcesApplyConfiguration `json:"subresources,omitempty"`
+	// versions is the list of all API versions of the defined custom resource.
+	// Optional if `version` is specified.
+	// The name of the first item in the `versions` list must match the `version` field if `version` and `versions` are both specified.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	Versions []CustomResourceDefinitionVersionApplyConfiguration `json:"versions,omitempty"`
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If present, this field configures columns for all versions.
+	// Top-level and per-version columns are mutually exclusive.
+	// If no top-level or per-version columns are specified, a single column displaying the age of the custom resource is used.
+	AdditionalPrinterColumns []CustomResourceColumnDefinitionApplyConfiguration `json:"additionalPrinterColumns,omitempty"`
+	// selectableFields specifies paths to fields that may be used as field selectors.
+	// See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors
+	SelectableFields []SelectableFieldApplyConfiguration `json:"selectableFields,omitempty"`
+	// conversion defines conversion settings for the CRD.
+	Conversion *CustomResourceConversionApplyConfiguration `json:"conversion,omitempty"`
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// If false, schemas must be defined for all versions.
+	// Defaults to true in v1beta for backwards compatibility.
+	// Deprecated: will be required to be false in v1. Preservation of unknown fields can be specified
+	// in the validation schema using the `x-kubernetes-preserve-unknown-fields: true` extension.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	PreserveUnknownFields *bool `json:"preserveUnknownFields,omitempty"`
 }
 
 // CustomResourceDefinitionSpecApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionSpec type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionstatus.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionstatus.go
index 2c9c5e23c1a8b..e0107b3a782cf 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionstatus.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionstatus.go
@@ -20,10 +20,23 @@ package v1beta1
 
 // CustomResourceDefinitionStatusApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionStatus type for use
 // with apply.
+//
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
 type CustomResourceDefinitionStatusApplyConfiguration struct {
-	Conditions     []CustomResourceDefinitionConditionApplyConfiguration `json:"conditions,omitempty"`
-	AcceptedNames  *CustomResourceDefinitionNamesApplyConfiguration      `json:"acceptedNames,omitempty"`
-	StoredVersions []string                                              `json:"storedVersions,omitempty"`
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	Conditions []CustomResourceDefinitionConditionApplyConfiguration `json:"conditions,omitempty"`
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	AcceptedNames *CustomResourceDefinitionNamesApplyConfiguration `json:"acceptedNames,omitempty"`
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	StoredVersions []string `json:"storedVersions,omitempty"`
+	// The generation observed by the CRD controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
 }
 
 // CustomResourceDefinitionStatusApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionStatus type for use with
@@ -62,3 +75,11 @@ func (b *CustomResourceDefinitionStatusApplyConfiguration) WithStoredVersions(va
 	}
 	return b
 }
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CustomResourceDefinitionStatusApplyConfiguration) WithObservedGeneration(value int64) *CustomResourceDefinitionStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionversion.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionversion.go
index 19ac26b039ab4..f26bfd4a660fb 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionversion.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcedefinitionversion.go
@@ -20,16 +20,43 @@ package v1beta1
 
 // CustomResourceDefinitionVersionApplyConfiguration represents a declarative configuration of the CustomResourceDefinitionVersion type for use
 // with apply.
+//
+// CustomResourceDefinitionVersion describes a version for CRD.
 type CustomResourceDefinitionVersionApplyConfiguration struct {
-	Name                     *string                                            `json:"name,omitempty"`
-	Served                   *bool                                              `json:"served,omitempty"`
-	Storage                  *bool                                              `json:"storage,omitempty"`
-	Deprecated               *bool                                              `json:"deprecated,omitempty"`
-	DeprecationWarning       *string                                            `json:"deprecationWarning,omitempty"`
-	Schema                   *CustomResourceValidationApplyConfiguration        `json:"schema,omitempty"`
-	Subresources             *CustomResourceSubresourcesApplyConfiguration      `json:"subresources,omitempty"`
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	Name *string `json:"name,omitempty"`
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	Served *bool `json:"served,omitempty"`
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	Storage *bool `json:"storage,omitempty"`
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	Deprecated *bool `json:"deprecated,omitempty"`
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	DeprecationWarning *string `json:"deprecationWarning,omitempty"`
+	// schema describes the schema used for validation and pruning of this version of the custom resource.
+	// Top-level and per-version schemas are mutually exclusive.
+	// Per-version schemas must not all be set to identical values (top-level validation schema should be used instead).
+	Schema *CustomResourceValidationApplyConfiguration `json:"schema,omitempty"`
+	// subresources specify what subresources this version of the defined custom resource have.
+	// Top-level and per-version subresources are mutually exclusive.
+	// Per-version subresources must not all be set to identical values (top-level subresources should be used instead).
+	Subresources *CustomResourceSubresourcesApplyConfiguration `json:"subresources,omitempty"`
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// Top-level and per-version columns are mutually exclusive.
+	// Per-version columns must not all be set to identical values (top-level columns should be used instead).
+	// If no top-level or per-version columns are specified, a single column displaying the age of the custom resource is used.
 	AdditionalPrinterColumns []CustomResourceColumnDefinitionApplyConfiguration `json:"additionalPrinterColumns,omitempty"`
-	SelectableFields         []SelectableFieldApplyConfiguration                `json:"selectableFields,omitempty"`
+	// selectableFields specifies paths to fields that may be used as field selectors.
+	// See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors
+	SelectableFields []SelectableFieldApplyConfiguration `json:"selectableFields,omitempty"`
 }
 
 // CustomResourceDefinitionVersionApplyConfiguration constructs a declarative configuration of the CustomResourceDefinitionVersion type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresources.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresources.go
index 3ee82a0377c8d..6b92eb1fcddc6 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresources.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresources.go
@@ -24,9 +24,16 @@ import (
 
 // CustomResourceSubresourcesApplyConfiguration represents a declarative configuration of the CustomResourceSubresources type for use
 // with apply.
+//
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
 type CustomResourceSubresourcesApplyConfiguration struct {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
 	Status *apiextensionsv1beta1.CustomResourceSubresourceStatus `json:"status,omitempty"`
-	Scale  *CustomResourceSubresourceScaleApplyConfiguration     `json:"scale,omitempty"`
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	Scale *CustomResourceSubresourceScaleApplyConfiguration `json:"scale,omitempty"`
 }
 
 // CustomResourceSubresourcesApplyConfiguration constructs a declarative configuration of the CustomResourceSubresources type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresourcescale.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresourcescale.go
index b94d0e6685f74..4141699c4df87 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresourcescale.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcesubresourcescale.go
@@ -20,10 +20,30 @@ package v1beta1
 
 // CustomResourceSubresourceScaleApplyConfiguration represents a declarative configuration of the CustomResourceSubresourceScale type for use
 // with apply.
+//
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
 type CustomResourceSubresourceScaleApplyConfiguration struct {
-	SpecReplicasPath   *string `json:"specReplicasPath,omitempty"`
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	SpecReplicasPath *string `json:"specReplicasPath,omitempty"`
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
 	StatusReplicasPath *string `json:"statusReplicasPath,omitempty"`
-	LabelSelectorPath  *string `json:"labelSelectorPath,omitempty"`
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	LabelSelectorPath *string `json:"labelSelectorPath,omitempty"`
 }
 
 // CustomResourceSubresourceScaleApplyConfiguration constructs a declarative configuration of the CustomResourceSubresourceScale type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcevalidation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcevalidation.go
index a5cf3c096b654..64007c709a062 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcevalidation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/customresourcevalidation.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // CustomResourceValidationApplyConfiguration represents a declarative configuration of the CustomResourceValidation type for use
 // with apply.
+//
+// CustomResourceValidation is a list of validation methods for CustomResources.
 type CustomResourceValidationApplyConfiguration struct {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
 	OpenAPIV3Schema *JSONSchemaPropsApplyConfiguration `json:"openAPIV3Schema,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/externaldocumentation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/externaldocumentation.go
index 5140d66ceb98d..42f7ace15f32e 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/externaldocumentation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/externaldocumentation.go
@@ -20,6 +20,8 @@ package v1beta1
 
 // ExternalDocumentationApplyConfiguration represents a declarative configuration of the ExternalDocumentation type for use
 // with apply.
+//
+// ExternalDocumentation allows referencing an external resource for extended documentation.
 type ExternalDocumentationApplyConfiguration struct {
 	Description *string `json:"description,omitempty"`
 	URL         *string `json:"url,omitempty"`
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/jsonschemaprops.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/jsonschemaprops.go
index b90b9281c8d44..4997d47e6095b 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/jsonschemaprops.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/jsonschemaprops.go
@@ -24,51 +24,142 @@ import (
 
 // JSONSchemaPropsApplyConfiguration represents a declarative configuration of the JSONSchemaProps type for use
 // with apply.
+//
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
 type JSONSchemaPropsApplyConfiguration struct {
-	ID                     *string                                      `json:"id,omitempty"`
-	Schema                 *apiextensionsv1beta1.JSONSchemaURL          `json:"$schema,omitempty"`
-	Ref                    *string                                      `json:"$ref,omitempty"`
-	Description            *string                                      `json:"description,omitempty"`
-	Type                   *string                                      `json:"type,omitempty"`
-	Format                 *string                                      `json:"format,omitempty"`
-	Title                  *string                                      `json:"title,omitempty"`
-	Default                *apiextensionsv1beta1.JSON                   `json:"default,omitempty"`
-	Maximum                *float64                                     `json:"maximum,omitempty"`
-	ExclusiveMaximum       *bool                                        `json:"exclusiveMaximum,omitempty"`
-	Minimum                *float64                                     `json:"minimum,omitempty"`
-	ExclusiveMinimum       *bool                                        `json:"exclusiveMinimum,omitempty"`
-	MaxLength              *int64                                       `json:"maxLength,omitempty"`
-	MinLength              *int64                                       `json:"minLength,omitempty"`
-	Pattern                *string                                      `json:"pattern,omitempty"`
-	MaxItems               *int64                                       `json:"maxItems,omitempty"`
-	MinItems               *int64                                       `json:"minItems,omitempty"`
-	UniqueItems            *bool                                        `json:"uniqueItems,omitempty"`
-	MultipleOf             *float64                                     `json:"multipleOf,omitempty"`
-	Enum                   []apiextensionsv1beta1.JSON                  `json:"enum,omitempty"`
-	MaxProperties          *int64                                       `json:"maxProperties,omitempty"`
-	MinProperties          *int64                                       `json:"minProperties,omitempty"`
-	Required               []string                                     `json:"required,omitempty"`
-	Items                  *apiextensionsv1beta1.JSONSchemaPropsOrArray `json:"items,omitempty"`
-	AllOf                  []JSONSchemaPropsApplyConfiguration          `json:"allOf,omitempty"`
-	OneOf                  []JSONSchemaPropsApplyConfiguration          `json:"oneOf,omitempty"`
-	AnyOf                  []JSONSchemaPropsApplyConfiguration          `json:"anyOf,omitempty"`
-	Not                    *JSONSchemaPropsApplyConfiguration           `json:"not,omitempty"`
-	Properties             map[string]JSONSchemaPropsApplyConfiguration `json:"properties,omitempty"`
-	AdditionalProperties   *apiextensionsv1beta1.JSONSchemaPropsOrBool  `json:"additionalProperties,omitempty"`
-	PatternProperties      map[string]JSONSchemaPropsApplyConfiguration `json:"patternProperties,omitempty"`
-	Dependencies           *apiextensionsv1beta1.JSONSchemaDependencies `json:"dependencies,omitempty"`
-	AdditionalItems        *apiextensionsv1beta1.JSONSchemaPropsOrBool  `json:"additionalItems,omitempty"`
-	Definitions            *apiextensionsv1beta1.JSONSchemaDefinitions  `json:"definitions,omitempty"`
-	ExternalDocs           *ExternalDocumentationApplyConfiguration     `json:"externalDocs,omitempty"`
-	Example                *apiextensionsv1beta1.JSON                   `json:"example,omitempty"`
-	Nullable               *bool                                        `json:"nullable,omitempty"`
-	XPreserveUnknownFields *bool                                        `json:"x-kubernetes-preserve-unknown-fields,omitempty"`
-	XEmbeddedResource      *bool                                        `json:"x-kubernetes-embedded-resource,omitempty"`
-	XIntOrString           *bool                                        `json:"x-kubernetes-int-or-string,omitempty"`
-	XListMapKeys           []string                                     `json:"x-kubernetes-list-map-keys,omitempty"`
-	XListType              *string                                      `json:"x-kubernetes-list-type,omitempty"`
-	XMapType               *string                                      `json:"x-kubernetes-map-type,omitempty"`
-	XValidations           *apiextensionsv1beta1.ValidationRules        `json:"x-kubernetes-validations,omitempty"`
+	ID          *string                             `json:"id,omitempty"`
+	Schema      *apiextensionsv1beta1.JSONSchemaURL `json:"$schema,omitempty"`
+	Ref         *string                             `json:"$ref,omitempty"`
+	Description *string                             `json:"description,omitempty"`
+	Type        *string                             `json:"type,omitempty"`
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	Format *string `json:"format,omitempty"`
+	Title  *string `json:"title,omitempty"`
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// CustomResourceDefinitions with defaults must be created using the v1 (or newer) CustomResourceDefinition API.
+	Default              *apiextensionsv1beta1.JSON                   `json:"default,omitempty"`
+	Maximum              *float64                                     `json:"maximum,omitempty"`
+	ExclusiveMaximum     *bool                                        `json:"exclusiveMaximum,omitempty"`
+	Minimum              *float64                                     `json:"minimum,omitempty"`
+	ExclusiveMinimum     *bool                                        `json:"exclusiveMinimum,omitempty"`
+	MaxLength            *int64                                       `json:"maxLength,omitempty"`
+	MinLength            *int64                                       `json:"minLength,omitempty"`
+	Pattern              *string                                      `json:"pattern,omitempty"`
+	MaxItems             *int64                                       `json:"maxItems,omitempty"`
+	MinItems             *int64                                       `json:"minItems,omitempty"`
+	UniqueItems          *bool                                        `json:"uniqueItems,omitempty"`
+	MultipleOf           *float64                                     `json:"multipleOf,omitempty"`
+	Enum                 []apiextensionsv1beta1.JSON                  `json:"enum,omitempty"`
+	MaxProperties        *int64                                       `json:"maxProperties,omitempty"`
+	MinProperties        *int64                                       `json:"minProperties,omitempty"`
+	Required             []string                                     `json:"required,omitempty"`
+	Items                *apiextensionsv1beta1.JSONSchemaPropsOrArray `json:"items,omitempty"`
+	AllOf                []JSONSchemaPropsApplyConfiguration          `json:"allOf,omitempty"`
+	OneOf                []JSONSchemaPropsApplyConfiguration          `json:"oneOf,omitempty"`
+	AnyOf                []JSONSchemaPropsApplyConfiguration          `json:"anyOf,omitempty"`
+	Not                  *JSONSchemaPropsApplyConfiguration           `json:"not,omitempty"`
+	Properties           map[string]JSONSchemaPropsApplyConfiguration `json:"properties,omitempty"`
+	AdditionalProperties *apiextensionsv1beta1.JSONSchemaPropsOrBool  `json:"additionalProperties,omitempty"`
+	PatternProperties    map[string]JSONSchemaPropsApplyConfiguration `json:"patternProperties,omitempty"`
+	Dependencies         *apiextensionsv1beta1.JSONSchemaDependencies `json:"dependencies,omitempty"`
+	AdditionalItems      *apiextensionsv1beta1.JSONSchemaPropsOrBool  `json:"additionalItems,omitempty"`
+	Definitions          *apiextensionsv1beta1.JSONSchemaDefinitions  `json:"definitions,omitempty"`
+	ExternalDocs         *ExternalDocumentationApplyConfiguration     `json:"externalDocs,omitempty"`
+	Example              *apiextensionsv1beta1.JSON                   `json:"example,omitempty"`
+	Nullable             *bool                                        `json:"nullable,omitempty"`
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	XPreserveUnknownFields *bool `json:"x-kubernetes-preserve-unknown-fields,omitempty"`
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	XEmbeddedResource *bool `json:"x-kubernetes-embedded-resource,omitempty"`
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	// - type: integer
+	// - type: string
+	// 2) allOf:
+	// - anyOf:
+	// - type: integer
+	// - type: string
+	// - ... zero or more
+	XIntOrString *bool `json:"x-kubernetes-int-or-string,omitempty"`
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	XListMapKeys []string `json:"x-kubernetes-list-map-keys,omitempty"`
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	// Atomic lists will be entirely replaced when updated. This extension
+	// may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	// Sets are lists that must not have multiple items with the same value. Each
+	// value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	// array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	// These lists are like maps in that their elements have a non-index key
+	// used to identify them. Order is preserved upon merge. The map tag
+	// must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	XListType *string `json:"x-kubernetes-list-type,omitempty"`
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	// These maps are actual maps (key-value pairs) and each fields are independent
+	// from each other (they can each be manipulated by separate actors). This is
+	// the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	// Atomic maps will be entirely replaced when updated.
+	XMapType *string `json:"x-kubernetes-map-type,omitempty"`
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	XValidations *apiextensionsv1beta1.ValidationRules `json:"x-kubernetes-validations,omitempty"`
 }
 
 // JSONSchemaPropsApplyConfiguration constructs a declarative configuration of the JSONSchemaProps type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/selectablefield.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/selectablefield.go
index 1a372e6fafdcd..a216cd886d998 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/selectablefield.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/selectablefield.go
@@ -20,7 +20,17 @@ package v1beta1
 
 // SelectableFieldApplyConfiguration represents a declarative configuration of the SelectableField type for use
 // with apply.
+//
+// SelectableField specifies the JSON path of a field that may be used with field selectors.
 type SelectableFieldApplyConfiguration struct {
+	// jsonPath is a simple JSON path which is evaluated against each custom resource to produce a
+	// field selector value.
+	// Only JSON paths without the array notation are allowed.
+	// Must point to a field of type string, boolean or integer. Types with enum values
+	// and strings with formats are allowed.
+	// If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty string.
+	// Must not point to metdata fields.
+	// Required.
 	JSONPath *string `json:"jsonPath,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/servicereference.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/servicereference.go
index 70cc6b5b27198..2d2ef35f69e96 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/servicereference.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/servicereference.go
@@ -20,11 +20,21 @@ package v1beta1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// namespace is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// name is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// path is an optional URL path at which the webhook will be contacted.
+	Path *string `json:"path,omitempty"`
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/validationrule.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/validationrule.go
index c9b3da89ba581..4e1c108fa0b86 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/validationrule.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/validationrule.go
@@ -24,13 +24,121 @@ import (
 
 // ValidationRuleApplyConfiguration represents a declarative configuration of the ValidationRule type for use
 // with apply.
+//
+// ValidationRule describes a validation rule written in the CEL expression language.
 type ValidationRuleApplyConfiguration struct {
-	Rule              *string                                     `json:"rule,omitempty"`
-	Message           *string                                     `json:"message,omitempty"`
-	MessageExpression *string                                     `json:"messageExpression,omitempty"`
-	Reason            *apiextensionsv1beta1.FieldValueErrorReason `json:"reason,omitempty"`
-	FieldPath         *string                                     `json:"fieldPath,omitempty"`
-	OptionalOldSelf   *bool                                       `json:"optionalOldSelf,omitempty"`
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	// - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	// - An array where the items schema is of an "unknown type"
+	// - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	// - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	// - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	//
+	// If `rule` makes use of the `oldSelf` variable it is implicitly a
+	// `transition rule`.
+	//
+	// By default, the `oldSelf` variable is the same type as `self`.
+	// When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
+	// variable whose value() is the same type as `self`.
+	// See the documentation for the `optionalOldSelf` field for details.
+	//
+	// Transition rules by default are applied only on UPDATE requests and are
+	// skipped if an old value could not be found. You can opt a transition
+	// rule into unconditional evaluation by setting `optionalOldSelf` to true.
+	Rule *string `json:"rule,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	Message *string `json:"message,omitempty"`
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	Reason *apiextensionsv1beta1.FieldValueErrorReason `json:"reason,omitempty"`
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	FieldPath *string `json:"fieldPath,omitempty"`
+	// optionalOldSelf is used to opt a transition rule into evaluation
+	// even when the object is first created, or if the old object is
+	// missing the value.
+	//
+	// When enabled `oldSelf` will be a CEL optional whose value will be
+	// `None` if there is no old value, or when the object is initially created.
+	//
+	// You may check for presence of oldSelf using `oldSelf.hasValue()` and
+	// unwrap it after checking using `oldSelf.value()`. Check the CEL
+	// documentation for Optional types for more information:
+	// https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
+	//
+	// May not be set unless `oldSelf` is used in `rule`.
+	OptionalOldSelf *bool `json:"optionalOldSelf,omitempty"`
 }
 
 // ValidationRuleApplyConfiguration constructs a declarative configuration of the ValidationRule type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/webhookclientconfig.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/webhookclientconfig.go
index 76ff71b4aec3f..67b7fcb09d952 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/webhookclientconfig.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/applyconfiguration/apiextensions/v1beta1/webhookclientconfig.go
@@ -20,10 +20,43 @@ package v1beta1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake/clientset_generated.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake/clientset_generated.go
index 0ac62fa71a464..76295e745ea1c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake/clientset_generated.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake/clientset_generated.go
@@ -38,7 +38,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -54,8 +54,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -86,6 +86,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1/customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1/customresourcedefinition.go
index 9655df7553530..7f9c9137e9823 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1/customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1/customresourcedefinition.go
@@ -56,7 +56,7 @@ func NewCustomResourceDefinitionInformer(client clientset.Interface, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCustomResourceDefinitionInformer(client clientset.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCustomResourceDefinitionInformer(client clientset.Interface, res
 				}
 				return client.ApiextensionsV1().CustomResourceDefinitions().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisapiextensionsv1.CustomResourceDefinition{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1beta1/customresourcedefinition.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1beta1/customresourcedefinition.go
index 27c23629597ee..140998152c28f 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1beta1/customresourcedefinition.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1beta1/customresourcedefinition.go
@@ -56,7 +56,7 @@ func NewCustomResourceDefinitionInformer(client clientset.Interface, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCustomResourceDefinitionInformer(client clientset.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCustomResourceDefinitionInformer(client clientset.Interface, res
 				}
 				return client.ApiextensionsV1beta1().CustomResourceDefinitions().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisapiextensionsv1beta1.CustomResourceDefinition{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/factory.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/factory.go
index a22336a31f64c..e8d6e5b2644f2 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client clientset.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client clientset.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/testing/testserver.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/testing/testserver.go
index 46a68e29da25d..bacc3d70626d9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/testing/testserver.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/testing/testserver.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	basecompatibility "k8s.io/component-base/compatibility"
+	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	logsapi "k8s.io/component-base/logs/api/v1"
 	"k8s.io/klog/v2"
@@ -162,14 +163,18 @@ func StartTestServer(t Logger, _ *TestServerInstanceOptions, customFlags []strin
 	}
 	// If the local ComponentGlobalsRegistry is changed by the flags,
 	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
-	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) {
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t.(featuregatetesting.TB), utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion())
+	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t.(featuregatetesting.TB), utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
 	}
+	featureOverrides := map[featuregate.Feature]bool{}
 	for f := range utilfeature.DefaultMutableFeatureGate.GetAll() {
 		if featureGate.Enabled(f) != utilfeature.DefaultFeatureGate.Enabled(f) {
-			featuregatetesting.SetFeatureGateDuringTest(t.(featuregatetesting.TB), utilfeature.DefaultFeatureGate, f, featureGate.Enabled(f))
+			featureOverrides[f] = featureGate.Enabled(f)
 		}
 	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t.(featuregatetesting.TB), utilfeature.DefaultFeatureGate, featureOverrides)
+	}
 
 	if err := s.Complete(); err != nil {
 		return result, fmt.Errorf("failed to set default options: %v", err)
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/apiapproval/apiapproval_controller.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/apiapproval/apiapproval_controller.go
index ac1d46e4db85a..6ea0d74d0f83f 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/apiapproval/apiapproval_controller.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/apiapproval/apiapproval_controller.go
@@ -44,7 +44,7 @@ type KubernetesAPIApprovalPolicyConformantConditionController struct {
 	crdSynced cache.InformerSynced
 
 	// To allow injection for testing.
-	syncFn func(key string) error
+	syncFn func(ctx context.Context, key string) error
 
 	queue workqueue.TypedRateLimitingInterface[string]
 
@@ -127,7 +127,7 @@ func calculateCondition(crd *apiextensionsv1.CustomResourceDefinition) *apiexten
 	}
 }
 
-func (c *KubernetesAPIApprovalPolicyConformantConditionController) sync(key string) error {
+func (c *KubernetesAPIApprovalPolicyConformantConditionController) sync(ctx context.Context, key string) error {
 	inCustomResourceDefinition, err := c.crdLister.Get(key)
 	if apierrors.IsNotFound(err) {
 		return nil
@@ -163,7 +163,7 @@ func (c *KubernetesAPIApprovalPolicyConformantConditionController) sync(key stri
 	crd := inCustomResourceDefinition.DeepCopy()
 	apihelpers.SetCRDCondition(crd, *cond)
 
-	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
@@ -183,37 +183,44 @@ func (c *KubernetesAPIApprovalPolicyConformantConditionController) sync(key stri
 
 // Run starts the controller.
 func (c *KubernetesAPIApprovalPolicyConformantConditionController) Run(workers int, stopCh <-chan struct{}) {
+	c.RunWithContext(workers, wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext starts the controller with a context.
+//
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
+func (c *KubernetesAPIApprovalPolicyConformantConditionController) RunWithContext(workers int, ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
 	klog.Infof("Starting KubernetesAPIApprovalPolicyConformantConditionController")
 	defer klog.Infof("Shutting down KubernetesAPIApprovalPolicyConformantConditionController")
 
-	if !cache.WaitForCacheSync(stopCh, c.crdSynced) {
+	if !cache.WaitForCacheSync(ctx.Done(), c.crdSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.runWorker, time.Second, stopCh)
+		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 	}
 
-	<-stopCh
+	<-ctx.Done()
 }
 
-func (c *KubernetesAPIApprovalPolicyConformantConditionController) runWorker() {
-	for c.processNextWorkItem() {
+func (c *KubernetesAPIApprovalPolicyConformantConditionController) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
 	}
 }
 
 // processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
-func (c *KubernetesAPIApprovalPolicyConformantConditionController) processNextWorkItem() bool {
+func (c *KubernetesAPIApprovalPolicyConformantConditionController) processNextWorkItem(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 	defer c.queue.Done(key)
 
-	err := c.syncFn(key)
+	err := c.syncFn(ctx, key)
 	if err == nil {
 		c.queue.Forget(key)
 		return true
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/establish/establishing_controller.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/establish/establishing_controller.go
index 65eb247e5601d..917309b73c4a0 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/establish/establishing_controller.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/establish/establishing_controller.go
@@ -45,7 +45,7 @@ type EstablishingController struct {
 	crdSynced cache.InformerSynced
 
 	// To allow injection for testing.
-	syncFn func(key string) error
+	syncFn func(ctx context.Context, key string) error
 
 	queue workqueue.TypedRateLimitingInterface[string]
 }
@@ -73,39 +73,45 @@ func (ec *EstablishingController) QueueCRD(key string, timeout time.Duration) {
 	ec.queue.AddAfter(key, timeout)
 }
 
-// Run starts the EstablishingController.
-func (ec *EstablishingController) Run(stopCh <-chan struct{}) {
+// RunWithContext starts the EstablishingController.
+func (ec *EstablishingController) RunWithContext(ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer ec.queue.ShutDown()
 
-	klog.Info("Starting EstablishingController")
-	defer klog.Info("Shutting down EstablishingController")
+	logger := klog.FromContext(ctx)
+	logger.V(2).Info("Starting EstablishingController")
+	defer logger.V(2).Info("Shutting down EstablishingController")
 
-	if !cache.WaitForCacheSync(stopCh, ec.crdSynced) {
+	if !cache.WaitForCacheSync(ctx.Done(), ec.crdSynced) {
 		return
 	}
 
-	// only start one worker thread since its a slow moving API
-	go wait.Until(ec.runWorker, time.Second, stopCh)
+	// only start one worker thread since the EstablishingController is not a bottleneck
+	go wait.UntilWithContext(ctx, ec.runWorker, time.Second)
+
+	<-ctx.Done()
+}
 
-	<-stopCh
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
+func (ec *EstablishingController) Run(stopCh <-chan struct{}) {
+	ec.RunWithContext(wait.ContextForChannel(stopCh))
 }
 
-func (ec *EstablishingController) runWorker() {
-	for ec.processNextWorkItem() {
+func (ec *EstablishingController) runWorker(ctx context.Context) {
+	for ec.processNextWorkItem(ctx) {
 	}
 }
 
 // processNextWorkItem deals with one key off the queue.
 // It returns false when it's time to quit.
-func (ec *EstablishingController) processNextWorkItem() bool {
+func (ec *EstablishingController) processNextWorkItem(ctx context.Context) bool {
 	key, quit := ec.queue.Get()
 	if quit {
 		return false
 	}
 	defer ec.queue.Done(key)
 
-	err := ec.syncFn(key)
+	err := ec.syncFn(ctx, key)
 	if err == nil {
 		ec.queue.Forget(key)
 		return true
@@ -118,7 +124,7 @@ func (ec *EstablishingController) processNextWorkItem() bool {
 }
 
 // sync is used to turn CRDs into the Established state.
-func (ec *EstablishingController) sync(key string) error {
+func (ec *EstablishingController) sync(ctx context.Context, key string) error {
 	cachedCRD, err := ec.crdLister.Get(key)
 	if apierrors.IsNotFound(err) {
 		return nil
@@ -158,7 +164,7 @@ func (ec *EstablishingController) sync(key string) error {
 	}
 
 	// Update server with new CRD condition.
-	_, err = ec.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	_, err = ec.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/finalizer/crd_finalizer.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/finalizer/crd_finalizer.go
index c569642d95338..e3354f336a7c7 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/finalizer/crd_finalizer.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/finalizer/crd_finalizer.go
@@ -64,7 +64,7 @@ type CRDFinalizer struct {
 	crdSynced cache.InformerSynced
 
 	// To allow injection for testing.
-	syncFn func(key string) error
+	syncFn func(ctx context.Context, key string) error
 
 	queue workqueue.TypedRateLimitingInterface[string]
 }
@@ -109,7 +109,7 @@ func NewCRDFinalizer(
 	return c
 }
 
-func (c *CRDFinalizer) sync(key string) error {
+func (c *CRDFinalizer) sync(ctx context.Context, key string) error {
 	cachedCRD, err := c.crdLister.Get(key)
 	if apierrors.IsNotFound(err) {
 		return nil
@@ -132,7 +132,7 @@ func (c *CRDFinalizer) sync(key string) error {
 		Reason:  "InstanceDeletionInProgress",
 		Message: "CustomResource deletion is in progress",
 	})
-	crd, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	crd, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
@@ -152,10 +152,10 @@ func (c *CRDFinalizer) sync(key string) error {
 			Message: "instances overlap with built-in resources in storage",
 		})
 	} else if apiextensionshelpers.IsCRDConditionTrue(crd, apiextensionsv1.Established) {
-		cond, deleteErr := c.deleteInstances(crd)
+		cond, deleteErr := c.deleteInstances(ctx, crd)
 		apiextensionshelpers.SetCRDCondition(crd, cond)
 		if deleteErr != nil {
-			if _, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{}); err != nil {
+			if _, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{}); err != nil {
 				utilruntime.HandleError(err)
 			}
 			return deleteErr
@@ -170,7 +170,7 @@ func (c *CRDFinalizer) sync(key string) error {
 	}
 
 	apiextensionshelpers.CRDRemoveFinalizer(crd, apiextensionsv1.CustomResourceCleanupFinalizer)
-	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
@@ -178,7 +178,7 @@ func (c *CRDFinalizer) sync(key string) error {
 	return err
 }
 
-func (c *CRDFinalizer) deleteInstances(crd *apiextensionsv1.CustomResourceDefinition) (apiextensionsv1.CustomResourceDefinitionCondition, error) {
+func (c *CRDFinalizer) deleteInstances(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition) (apiextensionsv1.CustomResourceDefinitionCondition, error) {
 	// Now we can start deleting items. While it would be ideal to use a REST API client, doing so
 	// could incorrectly delete a ThirdPartyResource with the same URL as the CustomResource, so we go
 	// directly to the storage instead. Since we control the storage, we know that delete collection works.
@@ -193,7 +193,6 @@ func (c *CRDFinalizer) deleteInstances(crd *apiextensionsv1.CustomResourceDefini
 		}, err
 	}
 
-	ctx := genericapirequest.NewContext()
 	allResources, err := crClient.List(ctx, nil)
 	if err != nil {
 		return apiextensionsv1.CustomResourceDefinitionCondition{
@@ -263,37 +262,42 @@ func (c *CRDFinalizer) deleteInstances(crd *apiextensionsv1.CustomResourceDefini
 }
 
 func (c *CRDFinalizer) Run(workers int, stopCh <-chan struct{}) {
+	c.RunWithContext(workers, wait.ContextForChannel(stopCh))
+}
+
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
+func (c *CRDFinalizer) RunWithContext(workers int, ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
 	klog.Info("Starting CRDFinalizer")
 	defer klog.Info("Shutting down CRDFinalizer")
 
-	if !cache.WaitForCacheSync(stopCh, c.crdSynced) {
+	if !cache.WaitForCacheSync(ctx.Done(), c.crdSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.runWorker, time.Second, stopCh)
+		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 	}
 
-	<-stopCh
+	<-ctx.Done()
 }
 
-func (c *CRDFinalizer) runWorker() {
-	for c.processNextWorkItem() {
+func (c *CRDFinalizer) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
 	}
 }
 
 // processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
-func (c *CRDFinalizer) processNextWorkItem() bool {
+func (c *CRDFinalizer) processNextWorkItem(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 	defer c.queue.Done(key)
 
-	err := c.syncFn(key)
+	err := c.syncFn(ctx, key)
 	if err == nil {
 		c.queue.Forget(key)
 		return true
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go
index 55e467d9c0549..57eb1686a5d08 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/nonstructuralschema/nonstructuralschema_controller.go
@@ -48,7 +48,7 @@ type ConditionController struct {
 	crdSynced cache.InformerSynced
 
 	// To allow injection for testing.
-	syncFn func(key string) error
+	syncFn func(ctx context.Context, key string) error
 
 	queue workqueue.TypedRateLimitingInterface[string]
 
@@ -132,7 +132,7 @@ func calculateCondition(in *apiextensionsv1.CustomResourceDefinition) *apiextens
 	return cond
 }
 
-func (c *ConditionController) sync(key string) error {
+func (c *ConditionController) sync(ctx context.Context, key string) error {
 	inCustomResourceDefinition, err := c.crdLister.Get(key)
 	if apierrors.IsNotFound(err) {
 		return nil
@@ -169,7 +169,7 @@ func (c *ConditionController) sync(key string) error {
 		apiextensionshelpers.SetCRDCondition(crd, *cond)
 	}
 
-	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	_, err = c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
@@ -188,38 +188,45 @@ func (c *ConditionController) sync(key string) error {
 }
 
 // Run starts the controller.
+//
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
 func (c *ConditionController) Run(workers int, stopCh <-chan struct{}) {
+	c.RunWithContext(workers, wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext is a context-aware version of Run.
+func (c *ConditionController) RunWithContext(workers int, ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
 	klog.Infof("Starting NonStructuralSchemaConditionController")
 	defer klog.Infof("Shutting down NonStructuralSchemaConditionController")
 
-	if !cache.WaitForCacheSync(stopCh, c.crdSynced) {
+	if !cache.WaitForCacheSync(ctx.Done(), c.crdSynced) {
 		return
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.runWorker, time.Second, stopCh)
+		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 	}
 
-	<-stopCh
+	<-ctx.Done()
 }
 
-func (c *ConditionController) runWorker() {
-	for c.processNextWorkItem() {
+func (c *ConditionController) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
 	}
 }
 
 // processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
-func (c *ConditionController) processNextWorkItem() bool {
+func (c *ConditionController) processNextWorkItem(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 	defer c.queue.Done(key)
 
-	err := c.syncFn(key)
+	err := c.syncFn(ctx, key)
 	if err == nil {
 		c.queue.Forget(key)
 		return true
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder.go
index 51cde0cac154d..f598be356ba0f 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder.go
@@ -19,11 +19,15 @@ package builder
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"sync"
 
 	"github.com/emicklei/go-restful/v3"
 
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
+
 	v1 "k8s.io/api/autoscaling/v1"
 	apiextensionshelpers "k8s.io/apiextensions-apiserver/pkg/apihelpers"
 	apiextensionsinternal "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -55,8 +59,8 @@ const (
 	objectMetaSchemaRef = "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
 	listMetaSchemaRef   = "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
 
-	typeMetaType   = "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta"
-	objectMetaType = "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"
+	typeMetaType   = "io.k8s.apimachinery.pkg.apis.meta.v1.TypeMeta"
+	objectMetaType = "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
 
 	definitionPrefix   = "#/definitions/"
 	v3DefinitionPrefix = "#/components/schemas/"
@@ -223,7 +227,7 @@ type CRDCanonicalTypeNamer struct {
 
 // OpenAPICanonicalTypeName returns canonical type name for given CRD
 func (c *CRDCanonicalTypeNamer) OpenAPICanonicalTypeName() string {
-	return fmt.Sprintf("%s/%s.%s", c.group, c.version, c.kind)
+	return gvkToModelName(c.group, c.version, c.kind)
 }
 
 // builder contains validation schema and basic naming information for a CRD in
@@ -314,7 +318,7 @@ func (b *builder) buildRoute(root, path, httpMethod, actionVerb, operationVerb s
 		To(func(req *restful.Request, res *restful.Response) {}).
 		Doc(b.descriptionFor(path, operationVerb)).
 		Param(b.ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-		Operation(operationVerb+namespaced+b.kind+strings.Title(subresource(path))).
+		Operation(operationVerb+namespaced+b.kind+cases.Title(language.English).String(subresource(path))).
 		Metadata(endpoints.RouteMetaGVK, metav1.GroupVersionKind{
 			Group:   b.group,
 			Version: b.version,
@@ -381,7 +385,11 @@ func (b *builder) buildKubeNative(crd *apiextensionsv1.CustomResourceDefinition,
 	// and forbid anything outside of apiVersion, kind and metadata. We have to fix kubectl to stop doing this, e.g. by
 	// adding additionalProperties=true support to explicitly allow additional fields.
 	// TODO: fix kubectl to understand additionalProperties=true
-	if schema == nil || (opts.V2 && (schema.XPreserveUnknownFields || crdPreserveUnknownFields)) {
+	if schema == nil {
+		ret = &spec.Schema{
+			SchemaProps: spec.SchemaProps{Type: []string{"object"}},
+		}
+	} else if opts.V2 && (schema.XPreserveUnknownFields || crdPreserveUnknownFields) {
 		ret = &spec.Schema{
 			SchemaProps: spec.SchemaProps{Type: []string{"object"}},
 		}
@@ -495,7 +503,7 @@ func addTypeMetaProperties(s *spec.Schema, v2 bool) {
 
 // buildListSchema builds the list kind schema for the CRD
 func (b *builder) buildListSchema(crd *apiextensionsv1.CustomResourceDefinition, opts Options) *spec.Schema {
-	name := definitionPrefix + util.ToRESTFriendlyName(fmt.Sprintf("%s/%s/%s", b.group, b.version, b.kind))
+	name := definitionPrefix + gvkToModelName(b.group, b.version, b.kind)
 	doc := fmt.Sprintf("List of %s. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", b.plural)
 	s := new(spec.Schema).
 		Typed("object", "").
@@ -520,6 +528,13 @@ func (b *builder) buildListSchema(crd *apiextensionsv1.CustomResourceDefinition,
 	return s
 }
 
+func gvkToModelName(g, v, k string) string {
+	groupParts := strings.Split(g, ".")
+	slices.Reverse(groupParts)
+	g = strings.Join(groupParts, ".")
+	return fmt.Sprintf("%s.%s.%s", g, v, k)
+}
+
 // getOpenAPIConfig builds config which wires up generated definitions for kube-openapi to consume
 func (b *builder) getOpenAPIConfig() *common.Config {
 	return &common.Config{
@@ -544,11 +559,11 @@ func (b *builder) getOpenAPIConfig() *common.Config {
 		},
 		GetDefinitions: func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 			def := utilopenapi.GetOpenAPIDefinitionsWithoutDisabledFeatures(generatedopenapi.GetOpenAPIDefinitions)(ref)
-			def[fmt.Sprintf("%s/%s.%s", b.group, b.version, b.kind)] = common.OpenAPIDefinition{
+			def[gvkToModelName(b.group, b.version, b.kind)] = common.OpenAPIDefinition{
 				Schema:       *b.schema,
 				Dependencies: []string{objectMetaType},
 			}
-			def[fmt.Sprintf("%s/%s.%s", b.group, b.version, b.listKind)] = common.OpenAPIDefinition{
+			def[gvkToModelName(b.group, b.version, b.listKind)] = common.OpenAPIDefinition{
 				Schema: *b.listSchema,
 			}
 			return def
@@ -578,11 +593,11 @@ func (b *builder) getOpenAPIV3Config() *common.OpenAPIV3Config {
 		},
 		GetDefinitions: func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 			def := utilopenapi.GetOpenAPIDefinitionsWithoutDisabledFeatures(generatedopenapi.GetOpenAPIDefinitions)(ref)
-			def[fmt.Sprintf("%s/%s.%s", b.group, b.version, b.kind)] = common.OpenAPIDefinition{
+			def[gvkToModelName(b.group, b.version, b.kind)] = common.OpenAPIDefinition{
 				Schema:       *b.schema,
 				Dependencies: []string{objectMetaType},
 			}
-			def[fmt.Sprintf("%s/%s.%s", b.group, b.version, b.listKind)] = common.OpenAPIDefinition{
+			def[gvkToModelName(b.group, b.version, b.listKind)] = common.OpenAPIDefinition{
 				Schema: *b.listSchema,
 			}
 			return def
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go
index 5dbc35b0c6db6..d662600a5cd2f 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/builder/builder_test.go
@@ -656,7 +656,7 @@ func TestGetDefinitionRefPrefix(t *testing.T) {
 	// the first call to getDefinition
 
 	// ManagedFieldsEntry's Time field is known to use arefs
-	managedFieldsTypePath := "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"
+	managedFieldsTypePath := "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
 
 	v2Ref := getDefinition(managedFieldsTypePath, true).SchemaProps.Properties["time"].SchemaProps.Ref
 	v3Ref := getDefinition(managedFieldsTypePath, false).SchemaProps.Properties["time"].SchemaProps.Ref
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/controller_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/controller_test.go
index e3204c766977f..76f288ace8b15 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/controller_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/openapi/controller_test.go
@@ -414,12 +414,14 @@ func (t *testEnv) fetchOpenAPIOrDie() *spec.Swagger {
 }
 
 func (t *testEnv) expectPath(swagger *spec.Swagger, path string) {
+	t.t.Helper()
 	if _, ok := swagger.Paths.Paths[path]; !ok {
 		t.t.Errorf("Expected path %s to exist in OpenAPI", path)
 	}
 }
 
 func (t *testEnv) expectNoPath(swagger *spec.Swagger, path string) {
+	t.t.Helper()
 	if _, ok := swagger.Paths.Paths[path]; ok {
 		t.t.Errorf("Expected path %s to not exist in OpenAPI", path)
 	}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/status/naming_controller.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/status/naming_controller.go
index ba448a150cf73..518237c3ebb2d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/status/naming_controller.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/controller/status/naming_controller.go
@@ -56,7 +56,7 @@ type NamingConditionController struct {
 	crdMutationCache cache.MutationCache
 
 	// To allow injection for testing.
-	syncFn func(key string) error
+	syncFn func(ctx context.Context, key string) error
 
 	queue workqueue.TypedRateLimitingInterface[string]
 }
@@ -239,7 +239,7 @@ func equalToAcceptedOrFresh(requestedName, acceptedName string, usedNames sets.S
 	return fmt.Errorf("%q is already in use", requestedName)
 }
 
-func (c *NamingConditionController) sync(key string) error {
+func (c *NamingConditionController) sync(ctx context.Context, key string) error {
 	inCustomResourceDefinition, err := c.crdLister.Get(key)
 	if apierrors.IsNotFound(err) {
 		// CRD was deleted and has freed its names.
@@ -271,7 +271,7 @@ func (c *NamingConditionController) sync(key string) error {
 	apiextensionshelpers.SetCRDCondition(crd, namingCondition)
 	apiextensionshelpers.SetCRDCondition(crd, establishedCondition)
 
-	updatedObj, err := c.crdClient.CustomResourceDefinitions().UpdateStatus(context.TODO(), crd, metav1.UpdateOptions{})
+	updatedObj, err := c.crdClient.CustomResourceDefinitions().UpdateStatus(ctx, crd, metav1.UpdateOptions{})
 	if apierrors.IsNotFound(err) || apierrors.IsConflict(err) {
 		// deleted or changed in the meantime, we'll get called again
 		return nil
@@ -292,37 +292,43 @@ func (c *NamingConditionController) sync(key string) error {
 	return nil
 }
 
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
 func (c *NamingConditionController) Run(stopCh <-chan struct{}) {
+	c.RunWithContext(wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext is a context-aware version of Run.
+func (c *NamingConditionController) RunWithContext(ctx context.Context) {
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
 	klog.Info("Starting NamingConditionController")
 	defer klog.Info("Shutting down NamingConditionController")
 
-	if !cache.WaitForCacheSync(stopCh, c.crdSynced) {
+	if !cache.WaitForCacheSync(ctx.Done(), c.crdSynced) {
 		return
 	}
 
 	// only start one worker thread since its a slow moving API and the naming conflict resolution bits aren't thread-safe
-	go wait.Until(c.runWorker, time.Second, stopCh)
+	go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 
-	<-stopCh
+	<-ctx.Done()
 }
 
-func (c *NamingConditionController) runWorker() {
-	for c.processNextWorkItem() {
+func (c *NamingConditionController) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
 	}
 }
 
 // processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
-func (c *NamingConditionController) processNextWorkItem() bool {
+func (c *NamingConditionController) processNextWorkItem(ctx context.Context) bool {
 	key, quit := c.queue.Get()
 	if quit {
 		return false
 	}
 	defer c.queue.Done(key)
 
-	err := c.syncFn(key)
+	err := c.syncFn(ctx, key)
 	if err == nil {
 		c.queue.Forget(key)
 		return true
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/features/kube_features.go
index 5e20fc10c54f3..e59d6213f6199 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/features/kube_features.go
@@ -33,6 +33,12 @@ import (
 // of code conflicts because changes are more likely to be scattered
 // across the file.
 const (
+	// owner: @michaelasp
+	// kep: https://kep.k8s.io/4192
+	//
+	// Enables the tracking of observed generation in CRD status and conditions.
+	CRDObservedGenerationTracking featuregate.Feature = "CRDObservedGenerationTracking"
+
 	// owner: @alexzielenski
 	//
 	// Ignores errors raised on unchanged fields of Custom Resources
@@ -57,6 +63,9 @@ func init() {
 //
 // Entries are alphabetized.
 var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate.VersionedSpecs{
+	CRDObservedGenerationTracking: {
+		{Version: version.MustParse("1.35"), PreRelease: featuregate.Beta, Default: false},
+	},
 	CRDValidationRatcheting: {
 		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/generated/openapi/zz_generated.openapi.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/generated/openapi/zz_generated.openapi.go
index d6467e8229213..065019b5ebe11 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/generated/openapi/zz_generated.openapi.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/generated/openapi/zz_generated.openapi.go
@@ -22,142 +22,147 @@ limitations under the License.
 package openapi
 
 import (
-	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	v1 "k8s.io/api/autoscaling/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	resource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	version "k8s.io/apimachinery/pkg/version"
 	common "k8s.io/kube-openapi/pkg/common"
 	spec "k8s.io/kube-openapi/pkg/validation/spec"
 )
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"k8s.io/api/autoscaling/v1.ContainerResourceMetricSource":                                         schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus":                                         schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.CrossVersionObjectReference":                                           schema_k8sio_api_autoscaling_v1_CrossVersionObjectReference(ref),
-		"k8s.io/api/autoscaling/v1.ExternalMetricSource":                                                  schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ExternalMetricStatus":                                                  schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler":                                               schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerCondition":                                      schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerList":                                           schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec":                                           schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref),
-		"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus":                                         schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref),
-		"k8s.io/api/autoscaling/v1.MetricSpec":                                                            schema_k8sio_api_autoscaling_v1_MetricSpec(ref),
-		"k8s.io/api/autoscaling/v1.MetricStatus":                                                          schema_k8sio_api_autoscaling_v1_MetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.ObjectMetricSource":                                                    schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ObjectMetricStatus":                                                    schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.PodsMetricSource":                                                      schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.PodsMetricStatus":                                                      schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.ResourceMetricSource":                                                  schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref),
-		"k8s.io/api/autoscaling/v1.ResourceMetricStatus":                                                  schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref),
-		"k8s.io/api/autoscaling/v1.Scale":                                                                 schema_k8sio_api_autoscaling_v1_Scale(ref),
-		"k8s.io/api/autoscaling/v1.ScaleSpec":                                                             schema_k8sio_api_autoscaling_v1_ScaleSpec(ref),
-		"k8s.io/api/autoscaling/v1.ScaleStatus":                                                           schema_k8sio_api_autoscaling_v1_ScaleStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest":                      schema_pkg_apis_apiextensions_v1_ConversionRequest(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse":                     schema_pkg_apis_apiextensions_v1_ConversionResponse(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionReview":                       schema_pkg_apis_apiextensions_v1_ConversionReview(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition":         schema_pkg_apis_apiextensions_v1_CustomResourceColumnDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion":               schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition":               schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition":      schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionList":           schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames":          schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionNames(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec":           schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus":         schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion":        schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale":         schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceScale(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus":        schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources":             schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation":               schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation":                  schema_pkg_apis_apiextensions_v1_ExternalDocumentation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON":                                   schema_pkg_apis_apiextensions_v1_JSON(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps":                        schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray":                 schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool":                  schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrBool(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray":           schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrStringArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField":                        schema_pkg_apis_apiextensions_v1_SelectableField(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference":                       schema_pkg_apis_apiextensions_v1_ServiceReference(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule":                         schema_pkg_apis_apiextensions_v1_ValidationRule(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig":                    schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion":                      schema_pkg_apis_apiextensions_v1_WebhookConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest":                 schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse":                schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionReview":                  schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition":    schema_pkg_apis_apiextensions_v1beta1_CustomResourceColumnDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition": schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionList":      schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames":     schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionNames(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec":      schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus":    schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion":   schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale":    schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceScale(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus":   schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceStatus(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources":        schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation":          schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation":             schema_pkg_apis_apiextensions_v1beta1_ExternalDocumentation(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON":                              schema_pkg_apis_apiextensions_v1beta1_JSON(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps":                   schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray":            schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool":             schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrBool(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray":      schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrStringArray(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField":                   schema_pkg_apis_apiextensions_v1beta1_SelectableField(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference":                  schema_pkg_apis_apiextensions_v1beta1_ServiceReference(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule":                    schema_pkg_apis_apiextensions_v1beta1_ValidationRule(ref),
-		"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig":               schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                                                   schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                                               schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                                                schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                                            schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                                                schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                                               schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                                                  schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                                              schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                                              schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                                                   schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement":                                   schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                                                   schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                                                 schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                                                  schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                                              schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                                               schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":                                   schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                                           schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                                       schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                                              schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                                              schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":                                   schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                                       schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                                                   schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                                                schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                                         schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                                                  schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                                                 schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                                             schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                                      schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":                                  schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                                      schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                                               schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                                              schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                                                  schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":                                  schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                                     schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                                                schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                                              schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                                      schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                                      schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                                               schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                                                   schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                                          schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                                       schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                                                  schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                                                   schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                                              schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                                                 schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                                    schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                                        schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                                         schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                                            schema_k8sio_apimachinery_pkg_version_Info(ref),
+		v1.ContainerResourceMetricSource{}.OpenAPIModelName():                  schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref),
+		v1.ContainerResourceMetricStatus{}.OpenAPIModelName():                  schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref),
+		v1.CrossVersionObjectReference{}.OpenAPIModelName():                    schema_k8sio_api_autoscaling_v1_CrossVersionObjectReference(ref),
+		v1.ExternalMetricSource{}.OpenAPIModelName():                           schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref),
+		v1.ExternalMetricStatus{}.OpenAPIModelName():                           schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref),
+		v1.HorizontalPodAutoscaler{}.OpenAPIModelName():                        schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref),
+		v1.HorizontalPodAutoscalerCondition{}.OpenAPIModelName():               schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref),
+		v1.HorizontalPodAutoscalerList{}.OpenAPIModelName():                    schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref),
+		v1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName():                    schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref),
+		v1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName():                  schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref),
+		v1.MetricSpec{}.OpenAPIModelName():                                     schema_k8sio_api_autoscaling_v1_MetricSpec(ref),
+		v1.MetricStatus{}.OpenAPIModelName():                                   schema_k8sio_api_autoscaling_v1_MetricStatus(ref),
+		v1.ObjectMetricSource{}.OpenAPIModelName():                             schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref),
+		v1.ObjectMetricStatus{}.OpenAPIModelName():                             schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref),
+		v1.PodsMetricSource{}.OpenAPIModelName():                               schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref),
+		v1.PodsMetricStatus{}.OpenAPIModelName():                               schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref),
+		v1.ResourceMetricSource{}.OpenAPIModelName():                           schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref),
+		v1.ResourceMetricStatus{}.OpenAPIModelName():                           schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref),
+		v1.Scale{}.OpenAPIModelName():                                          schema_k8sio_api_autoscaling_v1_Scale(ref),
+		v1.ScaleSpec{}.OpenAPIModelName():                                      schema_k8sio_api_autoscaling_v1_ScaleSpec(ref),
+		v1.ScaleStatus{}.OpenAPIModelName():                                    schema_k8sio_api_autoscaling_v1_ScaleStatus(ref),
+		apiextensionsv1.ConversionRequest{}.OpenAPIModelName():                 schema_pkg_apis_apiextensions_v1_ConversionRequest(ref),
+		apiextensionsv1.ConversionResponse{}.OpenAPIModelName():                schema_pkg_apis_apiextensions_v1_ConversionResponse(ref),
+		apiextensionsv1.ConversionReview{}.OpenAPIModelName():                  schema_pkg_apis_apiextensions_v1_ConversionReview(ref),
+		apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName():    schema_pkg_apis_apiextensions_v1_CustomResourceColumnDefinition(ref),
+		apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName():          schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref),
+		apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName():          schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref),
+		apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName(): schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref),
+		apiextensionsv1.CustomResourceDefinitionList{}.OpenAPIModelName():      schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref),
+		apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName():     schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionNames(ref),
+		apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName():      schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref),
+		apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName():    schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref),
+		apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName():   schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref),
+		apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName():    schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceScale(ref),
+		apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName():   schema_pkg_apis_apiextensions_v1_CustomResourceSubresourceStatus(ref),
+		apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName():        schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref),
+		apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName():          schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref),
+		apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName():             schema_pkg_apis_apiextensions_v1_ExternalDocumentation(ref),
+		apiextensionsv1.JSON{}.OpenAPIModelName():                              schema_pkg_apis_apiextensions_v1_JSON(ref),
+		apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName():                   schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref),
+		apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName():            schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrArray(ref),
+		apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName():             schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrBool(ref),
+		apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName():      schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrStringArray(ref),
+		apiextensionsv1.SelectableField{}.OpenAPIModelName():                   schema_pkg_apis_apiextensions_v1_SelectableField(ref),
+		apiextensionsv1.ServiceReference{}.OpenAPIModelName():                  schema_pkg_apis_apiextensions_v1_ServiceReference(ref),
+		apiextensionsv1.ValidationRule{}.OpenAPIModelName():                    schema_pkg_apis_apiextensions_v1_ValidationRule(ref),
+		apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName():               schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref),
+		apiextensionsv1.WebhookConversion{}.OpenAPIModelName():                 schema_pkg_apis_apiextensions_v1_WebhookConversion(ref),
+		v1beta1.ConversionRequest{}.OpenAPIModelName():                         schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref),
+		v1beta1.ConversionResponse{}.OpenAPIModelName():                        schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref),
+		v1beta1.ConversionReview{}.OpenAPIModelName():                          schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref),
+		v1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName():            schema_pkg_apis_apiextensions_v1beta1_CustomResourceColumnDefinition(ref),
+		v1beta1.CustomResourceConversion{}.OpenAPIModelName():                  schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref),
+		v1beta1.CustomResourceDefinition{}.OpenAPIModelName():                  schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref),
+		v1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName():         schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref),
+		v1beta1.CustomResourceDefinitionList{}.OpenAPIModelName():              schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref),
+		v1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName():             schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionNames(ref),
+		v1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName():              schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref),
+		v1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName():            schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref),
+		v1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName():           schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref),
+		v1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName():            schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceScale(ref),
+		v1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName():           schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresourceStatus(ref),
+		v1beta1.CustomResourceSubresources{}.OpenAPIModelName():                schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref),
+		v1beta1.CustomResourceValidation{}.OpenAPIModelName():                  schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref),
+		v1beta1.ExternalDocumentation{}.OpenAPIModelName():                     schema_pkg_apis_apiextensions_v1beta1_ExternalDocumentation(ref),
+		v1beta1.JSON{}.OpenAPIModelName():                                      schema_pkg_apis_apiextensions_v1beta1_JSON(ref),
+		v1beta1.JSONSchemaProps{}.OpenAPIModelName():                           schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref),
+		v1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName():                    schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrArray(ref),
+		v1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName():                     schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrBool(ref),
+		v1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName():              schema_pkg_apis_apiextensions_v1beta1_JSONSchemaPropsOrStringArray(ref),
+		v1beta1.SelectableField{}.OpenAPIModelName():                           schema_pkg_apis_apiextensions_v1beta1_SelectableField(ref),
+		v1beta1.ServiceReference{}.OpenAPIModelName():                          schema_pkg_apis_apiextensions_v1beta1_ServiceReference(ref),
+		v1beta1.ValidationRule{}.OpenAPIModelName():                            schema_pkg_apis_apiextensions_v1beta1_ValidationRule(ref),
+		v1beta1.WebhookClientConfig{}.OpenAPIModelName():                       schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref),
+		resource.Quantity{}.OpenAPIModelName():                                 schema_apimachinery_pkg_api_resource_Quantity(ref),
+		metav1.APIGroup{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_APIGroup(ref),
+		metav1.APIGroupList{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_APIGroupList(ref),
+		metav1.APIResource{}.OpenAPIModelName():                                schema_pkg_apis_meta_v1_APIResource(ref),
+		metav1.APIResourceList{}.OpenAPIModelName():                            schema_pkg_apis_meta_v1_APIResourceList(ref),
+		metav1.APIVersions{}.OpenAPIModelName():                                schema_pkg_apis_meta_v1_APIVersions(ref),
+		metav1.ApplyOptions{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		metav1.Condition{}.OpenAPIModelName():                                  schema_pkg_apis_meta_v1_Condition(ref),
+		metav1.CreateOptions{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_CreateOptions(ref),
+		metav1.DeleteOptions{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		metav1.Duration{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_Duration(ref),
+		metav1.FieldSelectorRequirement{}.OpenAPIModelName():                   schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
+		metav1.FieldsV1{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_FieldsV1(ref),
+		metav1.GetOptions{}.OpenAPIModelName():                                 schema_pkg_apis_meta_v1_GetOptions(ref),
+		metav1.GroupKind{}.OpenAPIModelName():                                  schema_pkg_apis_meta_v1_GroupKind(ref),
+		metav1.GroupResource{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_GroupResource(ref),
+		metav1.GroupVersion{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_GroupVersion(ref),
+		metav1.GroupVersionForDiscovery{}.OpenAPIModelName():                   schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		metav1.GroupVersionKind{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		metav1.GroupVersionResource{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		metav1.InternalEvent{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_InternalEvent(ref),
+		metav1.LabelSelector{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_LabelSelector(ref),
+		metav1.LabelSelectorRequirement{}.OpenAPIModelName():                   schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		metav1.List{}.OpenAPIModelName():                                       schema_pkg_apis_meta_v1_List(ref),
+		metav1.ListMeta{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_ListMeta(ref),
+		metav1.ListOptions{}.OpenAPIModelName():                                schema_pkg_apis_meta_v1_ListOptions(ref),
+		metav1.ManagedFieldsEntry{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		metav1.MicroTime{}.OpenAPIModelName():                                  schema_pkg_apis_meta_v1_MicroTime(ref),
+		metav1.ObjectMeta{}.OpenAPIModelName():                                 schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		metav1.OwnerReference{}.OpenAPIModelName():                             schema_pkg_apis_meta_v1_OwnerReference(ref),
+		metav1.PartialObjectMetadata{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		metav1.PartialObjectMetadataList{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		metav1.Patch{}.OpenAPIModelName():                                      schema_pkg_apis_meta_v1_Patch(ref),
+		metav1.PatchOptions{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_PatchOptions(ref),
+		metav1.Preconditions{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_Preconditions(ref),
+		metav1.RootPaths{}.OpenAPIModelName():                                  schema_pkg_apis_meta_v1_RootPaths(ref),
+		metav1.ServerAddressByClientCIDR{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		metav1.Status{}.OpenAPIModelName():                                     schema_pkg_apis_meta_v1_Status(ref),
+		metav1.StatusCause{}.OpenAPIModelName():                                schema_pkg_apis_meta_v1_StatusCause(ref),
+		metav1.StatusDetails{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_StatusDetails(ref),
+		metav1.Table{}.OpenAPIModelName():                                      schema_pkg_apis_meta_v1_Table(ref),
+		metav1.TableColumnDefinition{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		metav1.TableOptions{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_TableOptions(ref),
+		metav1.TableRow{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_TableRow(ref),
+		metav1.TableRowCondition{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		metav1.Time{}.OpenAPIModelName():                                       schema_pkg_apis_meta_v1_Time(ref),
+		metav1.Timestamp{}.OpenAPIModelName():                                  schema_pkg_apis_meta_v1_Timestamp(ref),
+		metav1.TypeMeta{}.OpenAPIModelName():                                   schema_pkg_apis_meta_v1_TypeMeta(ref),
+		metav1.UpdateOptions{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		metav1.WatchEvent{}.OpenAPIModelName():                                 schema_pkg_apis_meta_v1_WatchEvent(ref),
+		runtime.RawExtension{}.OpenAPIModelName():                              schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		runtime.TypeMeta{}.OpenAPIModelName():                                  schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		runtime.Unknown{}.OpenAPIModelName():                                   schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		version.Info{}.OpenAPIModelName():                                      schema_k8sio_apimachinery_pkg_version_Info(ref),
 	}
 }
 
@@ -186,7 +191,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref common.Re
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -202,7 +207,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricSource(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -231,7 +236,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref common.Re
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"container": {
@@ -247,7 +252,7 @@ func schema_k8sio_api_autoscaling_v1_ContainerResourceMetricStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -311,19 +316,19 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref common.ReferenceCa
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -331,7 +336,7 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -353,19 +358,19 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref common.ReferenceCa
 					"metricSelector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "metricSelector is used to identify a specific time series within a given metric.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of metric averaged over autoscaled pods.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -373,7 +378,7 @@ func schema_k8sio_api_autoscaling_v1_ExternalMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -402,28 +407,28 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscaler(ref common.Referenc
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec"),
+							Ref:         ref(v1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current information about the autoscaler.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus"),
+							Ref:         ref(v1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerSpec", "k8s.io/api/autoscaling/v1.HorizontalPodAutoscalerStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.HorizontalPodAutoscalerSpec{}.OpenAPIModelName(), v1.HorizontalPodAutoscalerStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -453,7 +458,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref common
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -475,7 +480,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerCondition(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -504,7 +509,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -515,7 +520,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler"),
+										Ref:     ref(v1.HorizontalPodAutoscaler{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -526,7 +531,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerList(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.HorizontalPodAutoscaler", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1.HorizontalPodAutoscaler{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -541,7 +546,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref common.Refe
 						SchemaProps: spec.SchemaProps{
 							Description: "reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(v1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"minReplicas": {
@@ -571,7 +576,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerSpec(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference"},
+			v1.CrossVersionObjectReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -592,7 +597,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref common.Re
 					"lastScaleTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"currentReplicas": {
@@ -623,7 +628,7 @@ func schema_k8sio_api_autoscaling_v1_HorizontalPodAutoscalerStatus(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -646,31 +651,31 @@ func schema_k8sio_api_autoscaling_v1_MetricSpec(ref common.ReferenceCallback) co
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ObjectMetricSource"),
+							Ref:         ref(v1.ObjectMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.PodsMetricSource"),
+							Ref:         ref(v1.PodsMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ResourceMetricSource"),
+							Ref:         ref(v1.ResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ContainerResourceMetricSource"),
+							Ref:         ref(v1.ContainerResourceMetricSource{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ExternalMetricSource"),
+							Ref:         ref(v1.ExternalMetricSource{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -678,7 +683,7 @@ func schema_k8sio_api_autoscaling_v1_MetricSpec(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ContainerResourceMetricSource", "k8s.io/api/autoscaling/v1.ExternalMetricSource", "k8s.io/api/autoscaling/v1.ObjectMetricSource", "k8s.io/api/autoscaling/v1.PodsMetricSource", "k8s.io/api/autoscaling/v1.ResourceMetricSource"},
+			v1.ContainerResourceMetricSource{}.OpenAPIModelName(), v1.ExternalMetricSource{}.OpenAPIModelName(), v1.ObjectMetricSource{}.OpenAPIModelName(), v1.PodsMetricSource{}.OpenAPIModelName(), v1.ResourceMetricSource{}.OpenAPIModelName()},
 	}
 }
 
@@ -701,31 +706,31 @@ func schema_k8sio_api_autoscaling_v1_MetricStatus(ref common.ReferenceCallback)
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ObjectMetricStatus"),
+							Ref:         ref(v1.ObjectMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"pods": {
 						SchemaProps: spec.SchemaProps{
 							Description: "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.PodsMetricStatus"),
+							Ref:         ref(v1.PodsMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"resource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ResourceMetricStatus"),
+							Ref:         ref(v1.ResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"containerResource": {
 						SchemaProps: spec.SchemaProps{
 							Description: "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus"),
+							Ref:         ref(v1.ContainerResourceMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 					"external": {
 						SchemaProps: spec.SchemaProps{
 							Description: "external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).",
-							Ref:         ref("k8s.io/api/autoscaling/v1.ExternalMetricStatus"),
+							Ref:         ref(v1.ExternalMetricStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -733,7 +738,7 @@ func schema_k8sio_api_autoscaling_v1_MetricStatus(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ContainerResourceMetricStatus", "k8s.io/api/autoscaling/v1.ExternalMetricStatus", "k8s.io/api/autoscaling/v1.ObjectMetricStatus", "k8s.io/api/autoscaling/v1.PodsMetricStatus", "k8s.io/api/autoscaling/v1.ResourceMetricStatus"},
+			v1.ContainerResourceMetricStatus{}.OpenAPIModelName(), v1.ExternalMetricStatus{}.OpenAPIModelName(), v1.ObjectMetricStatus{}.OpenAPIModelName(), v1.PodsMetricStatus{}.OpenAPIModelName(), v1.ResourceMetricStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -748,7 +753,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(v1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -762,19 +767,19 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 					"targetValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetValue is the target value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric. When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -782,7 +787,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricSource(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -797,7 +802,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "target is the described Kubernetes object.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.CrossVersionObjectReference"),
+							Ref:         ref(v1.CrossVersionObjectReference{}.OpenAPIModelName()),
 						},
 					},
 					"metricName": {
@@ -811,19 +816,19 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 					"currentValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentValue is the current value of the metric (as a quantity).",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 					"averageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "averageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -831,7 +836,7 @@ func schema_k8sio_api_autoscaling_v1_ObjectMetricStatus(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.CrossVersionObjectReference", "k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			v1.CrossVersionObjectReference{}.OpenAPIModelName(), resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -853,13 +858,13 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref common.ReferenceCallba
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -867,7 +872,7 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricSource(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -889,13 +894,13 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref common.ReferenceCallba
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 					"selector": {
 						SchemaProps: spec.SchemaProps{
 							Description: "selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"),
+							Ref:         ref(metav1.LabelSelector{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -903,7 +908,7 @@ func schema_k8sio_api_autoscaling_v1_PodsMetricStatus(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity", "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector"},
+			resource.Quantity{}.OpenAPIModelName(), metav1.LabelSelector{}.OpenAPIModelName()},
 	}
 }
 
@@ -932,7 +937,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref common.ReferenceCa
 					"targetAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -940,7 +945,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricSource(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -969,7 +974,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref common.ReferenceCa
 					"currentAverageValue": {
 						SchemaProps: spec.SchemaProps{
 							Description: "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
-							Ref:         ref("k8s.io/apimachinery/pkg/api/resource.Quantity"),
+							Ref:         ref(resource.Quantity{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -977,7 +982,7 @@ func schema_k8sio_api_autoscaling_v1_ResourceMetricStatus(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			resource.Quantity{}.OpenAPIModelName()},
 	}
 }
 
@@ -1006,28 +1011,28 @@ func schema_k8sio_api_autoscaling_v1_Scale(ref common.ReferenceCallback) common.
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.ScaleSpec"),
+							Ref:         ref(v1.ScaleSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/api/autoscaling/v1.ScaleStatus"),
+							Ref:         ref(v1.ScaleStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/autoscaling/v1.ScaleSpec", "k8s.io/api/autoscaling/v1.ScaleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ScaleSpec{}.OpenAPIModelName(), v1.ScaleStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1116,7 +1121,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionRequest(ref common.ReferenceCall
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1127,7 +1132,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionRequest(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -1158,7 +1163,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1168,7 +1173,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 						SchemaProps: spec.SchemaProps{
 							Description: "result contains the result of conversion with extra details if the conversion failed. `result.status` determines if the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` will be used to construct an error message for the end user.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Status"),
+							Ref:         ref(metav1.Status{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -1176,7 +1181,7 @@ func schema_pkg_apis_apiextensions_v1_ConversionResponse(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Status", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.Status{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -1204,20 +1209,20 @@ func schema_pkg_apis_apiextensions_v1_ConversionReview(ref common.ReferenceCallb
 					"request": {
 						SchemaProps: spec.SchemaProps{
 							Description: "request describes the attributes for the conversion request.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest"),
+							Ref:         ref(apiextensionsv1.ConversionRequest{}.OpenAPIModelName()),
 						},
 					},
 					"response": {
 						SchemaProps: spec.SchemaProps{
 							Description: "response describes the attributes for the conversion response.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse"),
+							Ref:         ref(apiextensionsv1.ConversionResponse{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionRequest", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ConversionResponse"},
+			apiextensionsv1.ConversionRequest{}.OpenAPIModelName(), apiextensionsv1.ConversionResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -1298,7 +1303,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref common.Refere
 					"webhook": {
 						SchemaProps: spec.SchemaProps{
 							Description: "webhook describes how to call the conversion webhook. Required when `strategy` is set to `\"Webhook\"`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion"),
+							Ref:         ref(apiextensionsv1.WebhookConversion{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -1306,7 +1311,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceConversion(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookConversion"},
+			apiextensionsv1.WebhookConversion{}.OpenAPIModelName()},
 	}
 }
 
@@ -1335,21 +1340,21 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref common.Refere
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec describes how the user wants the resources to appear",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the actual state of the CustomResourceDefinition",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -1357,7 +1362,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinition(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionSpec", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			apiextensionsv1.CustomResourceDefinitionSpec{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1387,7 +1392,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref comm
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -1404,12 +1409,19 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionCondition(ref comm
 							Format:      "",
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 				Required: []string{"type", "status"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1438,7 +1450,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1449,7 +1461,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1460,7 +1472,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionList(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			apiextensionsv1.CustomResourceDefinition{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1567,7 +1579,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 						SchemaProps: spec.SchemaProps{
 							Description: "names specify the resource and kind names for the custom resource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -1591,7 +1603,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1600,7 +1612,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 					"conversion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "conversion defines conversion settings for the CRD.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion"),
+							Ref:         ref(apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName()),
 						},
 					},
 					"preserveUnknownFields": {
@@ -1615,7 +1627,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionSpec(ref common.Re
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceConversion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionVersion"},
+			apiextensionsv1.CustomResourceConversion{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionVersion{}.OpenAPIModelName()},
 	}
 }
 
@@ -1642,7 +1654,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition"),
+										Ref:     ref(apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1652,7 +1664,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 						SchemaProps: spec.SchemaProps{
 							Description: "acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"),
+							Ref:         ref(apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"storedVersions": {
@@ -1675,11 +1687,18 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionStatus(ref common.
 							},
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The generation observed by the CRD controller.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionCondition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceDefinitionNames"},
+			apiextensionsv1.CustomResourceDefinitionCondition{}.OpenAPIModelName(), apiextensionsv1.CustomResourceDefinitionNames{}.OpenAPIModelName()},
 	}
 }
 
@@ -1731,13 +1750,13 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 					"schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation"),
+							Ref:         ref(apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources this version of the defined custom resource have.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"additionalPrinterColumns": {
@@ -1753,7 +1772,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition"),
+										Ref:     ref(apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1772,7 +1791,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField"),
+										Ref:     ref(apiextensionsv1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1783,7 +1802,7 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceDefinitionVersion(ref common
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.SelectableField"},
+			apiextensionsv1.CustomResourceColumnDefinition{}.OpenAPIModelName(), apiextensionsv1.CustomResourceSubresources{}.OpenAPIModelName(), apiextensionsv1.CustomResourceValidation{}.OpenAPIModelName(), apiextensionsv1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -1845,20 +1864,20 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceSubresources(ref common.Refe
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName()),
 						},
 					},
 					"scale": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale"),
+							Ref:         ref(apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceScale", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.CustomResourceSubresourceStatus"},
+			apiextensionsv1.CustomResourceSubresourceScale{}.OpenAPIModelName(), apiextensionsv1.CustomResourceSubresourceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -1872,14 +1891,14 @@ func schema_pkg_apis_apiextensions_v1_CustomResourceValidation(ref common.Refere
 					"openAPIV3Schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+							Ref:         ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"},
+			apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()},
 	}
 }
 
@@ -1913,8 +1932,8 @@ func schema_pkg_apis_apiextensions_v1_JSON(ref common.ReferenceCallback) common.
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.",
-				Type:        v1.JSON{}.OpenAPISchemaType(),
-				Format:      v1.JSON{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1.JSON{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1.JSON{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -1973,7 +1992,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+							Ref:         ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"maximum": {
@@ -2053,7 +2072,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+										Ref: ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2092,7 +2111,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName()),
 						},
 					},
 					"allOf": {
@@ -2107,7 +2126,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2125,7 +2144,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2143,7 +2162,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2151,7 +2170,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"not": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+							Ref: ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -2162,7 +2181,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2170,7 +2189,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"additionalProperties": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"patternProperties": {
@@ -2181,7 +2200,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2194,7 +2213,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray"),
+										Ref: ref(apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2202,7 +2221,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"additionalItems": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool"),
+							Ref: ref(apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"definitions": {
@@ -2213,7 +2232,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps"),
+										Ref:     ref(apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2221,12 +2240,12 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 					},
 					"externalDocs": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation"),
+							Ref: ref(apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName()),
 						},
 					},
 					"example": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON"),
+							Ref: ref(apiextensionsv1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"nullable": {
@@ -2308,7 +2327,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule"),
+										Ref:     ref(apiextensionsv1.ValidationRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2318,7 +2337,7 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaProps(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ExternalDocumentation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaProps", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrBool", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSONSchemaPropsOrStringArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ValidationRule"},
+			apiextensionsv1.ExternalDocumentation{}.OpenAPIModelName(), apiextensionsv1.JSON{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaProps{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPIModelName(), apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName(), apiextensionsv1.ValidationRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -2327,8 +2346,8 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrArray(ref common.Referenc
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes.",
-				Type:        v1.JSONSchemaPropsOrArray{}.OpenAPISchemaType(),
-				Format:      v1.JSONSchemaPropsOrArray{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1.JSONSchemaPropsOrArray{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -2339,8 +2358,8 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrBool(ref common.Reference
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property.",
-				Type:        v1.JSONSchemaPropsOrBool{}.OpenAPISchemaType(),
-				Format:      v1.JSONSchemaPropsOrBool{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1.JSONSchemaPropsOrBool{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -2351,8 +2370,8 @@ func schema_pkg_apis_apiextensions_v1_JSONSchemaPropsOrStringArray(ref common.Re
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.",
-				Type:        v1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaType(),
-				Format:      v1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaFormat(),
+				Type:        apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaType(),
+				Format:      apiextensionsv1.JSONSchemaPropsOrStringArray{}.OpenAPISchemaFormat(),
 			},
 		},
 	}
@@ -2499,7 +2518,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref common.ReferenceCa
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference"),
+							Ref:         ref(apiextensionsv1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -2513,7 +2532,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookClientConfig(ref common.ReferenceCa
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.ServiceReference"},
+			apiextensionsv1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -2527,7 +2546,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookConversion(ref common.ReferenceCall
 					"clientConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig"),
+							Ref:         ref(apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"conversionReviewVersions": {
@@ -2555,7 +2574,7 @@ func schema_pkg_apis_apiextensions_v1_WebhookConversion(ref common.ReferenceCall
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.WebhookClientConfig"},
+			apiextensionsv1.WebhookClientConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -2594,7 +2613,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref common.Referenc
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2605,7 +2624,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionRequest(ref common.Referenc
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2636,7 +2655,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2646,7 +2665,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 						SchemaProps: spec.SchemaProps{
 							Description: "result contains the result of conversion with extra details if the conversion failed. `result.status` determines if the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message` will be used to construct an error message for the end user.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Status"),
+							Ref:         ref(metav1.Status{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2654,7 +2673,7 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionResponse(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Status", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.Status{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2682,20 +2701,20 @@ func schema_pkg_apis_apiextensions_v1beta1_ConversionReview(ref common.Reference
 					"request": {
 						SchemaProps: spec.SchemaProps{
 							Description: "request describes the attributes for the conversion request.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest"),
+							Ref:         ref(v1beta1.ConversionRequest{}.OpenAPIModelName()),
 						},
 					},
 					"response": {
 						SchemaProps: spec.SchemaProps{
 							Description: "response describes the attributes for the conversion response.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse"),
+							Ref:         ref(v1beta1.ConversionResponse{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionRequest", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ConversionResponse"},
+			v1beta1.ConversionRequest{}.OpenAPIModelName(), v1beta1.ConversionResponse{}.OpenAPIModelName()},
 	}
 }
 
@@ -2776,7 +2795,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref common.R
 					"webhookClientConfig": {
 						SchemaProps: spec.SchemaProps{
 							Description: "webhookClientConfig is the instructions for how to call the webhook if strategy is `Webhook`. Required when `strategy` is set to `Webhook`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig"),
+							Ref:         ref(v1beta1.WebhookClientConfig{}.OpenAPIModelName()),
 						},
 					},
 					"conversionReviewVersions": {
@@ -2804,7 +2823,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceConversion(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.WebhookClientConfig"},
+			v1beta1.WebhookClientConfig{}.OpenAPIModelName()},
 	}
 }
 
@@ -2833,21 +2852,21 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref common.R
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "spec describes how the user wants the resources to appear",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec"),
+							Ref:         ref(v1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the actual state of the CustomResourceDefinition",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus"),
+							Ref:         ref(v1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2855,7 +2874,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinition(ref common.R
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionSpec", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1beta1.CustomResourceDefinitionSpec{}.OpenAPIModelName(), v1beta1.CustomResourceDefinitionStatus{}.OpenAPIModelName(), metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2885,7 +2904,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -2902,12 +2921,19 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionCondition(ref
 							Format:      "",
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 				Required: []string{"type", "status"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -2936,7 +2962,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2947,7 +2973,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition"),
+										Ref:     ref(v1beta1.CustomResourceDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2958,7 +2984,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionList(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+			v1beta1.CustomResourceDefinition{}.OpenAPIModelName(), metav1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -3072,7 +3098,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 						SchemaProps: spec.SchemaProps{
 							Description: "names specify the resource and kind names for the custom resource.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"),
+							Ref:         ref(v1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"scope": {
@@ -3086,13 +3112,13 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 					"validation": {
 						SchemaProps: spec.SchemaProps{
 							Description: "validation describes the schema used for validation and pruning of the custom resource. If present, this validation schema is used to validate all versions. Top-level and per-version schemas are mutually exclusive.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation"),
+							Ref:         ref(v1beta1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources the defined custom resource has. If present, this field configures subresources for all versions. Top-level and per-version subresources are mutually exclusive.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources"),
+							Ref:         ref(v1beta1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"versions": {
@@ -3108,7 +3134,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion"),
+										Ref:     ref(v1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3127,7 +3153,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition"),
+										Ref:     ref(v1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3146,7 +3172,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"),
+										Ref:     ref(v1beta1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3155,7 +3181,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 					"conversion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "conversion defines conversion settings for the CRD.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion"),
+							Ref:         ref(v1beta1.CustomResourceConversion{}.OpenAPIModelName()),
 						},
 					},
 					"preserveUnknownFields": {
@@ -3170,7 +3196,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionSpec(ref comm
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceConversion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionVersion", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"},
+			v1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName(), v1beta1.CustomResourceConversion{}.OpenAPIModelName(), v1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName(), v1beta1.CustomResourceDefinitionVersion{}.OpenAPIModelName(), v1beta1.CustomResourceSubresources{}.OpenAPIModelName(), v1beta1.CustomResourceValidation{}.OpenAPIModelName(), v1beta1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -3197,7 +3223,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition"),
+										Ref:     ref(v1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3207,7 +3233,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 						SchemaProps: spec.SchemaProps{
 							Description: "acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"),
+							Ref:         ref(v1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()),
 						},
 					},
 					"storedVersions": {
@@ -3230,11 +3256,18 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionStatus(ref co
 							},
 						},
 					},
+					"observedGeneration": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The generation observed by the CRD controller.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionCondition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceDefinitionNames"},
+			v1beta1.CustomResourceDefinitionCondition{}.OpenAPIModelName(), v1beta1.CustomResourceDefinitionNames{}.OpenAPIModelName()},
 	}
 }
 
@@ -3286,13 +3319,13 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 					"schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "schema describes the schema used for validation and pruning of this version of the custom resource. Top-level and per-version schemas are mutually exclusive. Per-version schemas must not all be set to identical values (top-level validation schema should be used instead).",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation"),
+							Ref:         ref(v1beta1.CustomResourceValidation{}.OpenAPIModelName()),
 						},
 					},
 					"subresources": {
 						SchemaProps: spec.SchemaProps{
 							Description: "subresources specify what subresources this version of the defined custom resource have. Top-level and per-version subresources are mutually exclusive. Per-version subresources must not all be set to identical values (top-level subresources should be used instead).",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources"),
+							Ref:         ref(v1beta1.CustomResourceSubresources{}.OpenAPIModelName()),
 						},
 					},
 					"additionalPrinterColumns": {
@@ -3308,7 +3341,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition"),
+										Ref:     ref(v1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3327,7 +3360,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"),
+										Ref:     ref(v1beta1.SelectableField{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3338,7 +3371,7 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceDefinitionVersion(ref c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceColumnDefinition", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresources", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceValidation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.SelectableField"},
+			v1beta1.CustomResourceColumnDefinition{}.OpenAPIModelName(), v1beta1.CustomResourceSubresources{}.OpenAPIModelName(), v1beta1.CustomResourceValidation{}.OpenAPIModelName(), v1beta1.SelectableField{}.OpenAPIModelName()},
 	}
 }
 
@@ -3400,20 +3433,20 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceSubresources(ref common
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus"),
+							Ref:         ref(v1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName()),
 						},
 					},
 					"scale": {
 						SchemaProps: spec.SchemaProps{
 							Description: "scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale"),
+							Ref:         ref(v1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceScale", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.CustomResourceSubresourceStatus"},
+			v1beta1.CustomResourceSubresourceScale{}.OpenAPIModelName(), v1beta1.CustomResourceSubresourceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3427,14 +3460,14 @@ func schema_pkg_apis_apiextensions_v1beta1_CustomResourceValidation(ref common.R
 					"openAPIV3Schema": {
 						SchemaProps: spec.SchemaProps{
 							Description: "openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+							Ref:         ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"},
+			v1beta1.JSONSchemaProps{}.OpenAPIModelName()},
 	}
 }
 
@@ -3528,7 +3561,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					"default": {
 						SchemaProps: spec.SchemaProps{
 							Description: "default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. CustomResourceDefinitions with defaults must be created using the v1 (or newer) CustomResourceDefinition API.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+							Ref:         ref(v1beta1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"maximum": {
@@ -3608,7 +3641,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+										Ref: ref(v1beta1.JSON{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3647,7 +3680,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray"),
+							Ref: ref(v1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName()),
 						},
 					},
 					"allOf": {
@@ -3662,7 +3695,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3680,7 +3713,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3698,7 +3731,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3706,7 +3739,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"not": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+							Ref: ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -3717,7 +3750,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3725,7 +3758,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"additionalProperties": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool"),
+							Ref: ref(v1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"patternProperties": {
@@ -3736,7 +3769,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3749,7 +3782,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray"),
+										Ref: ref(v1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3757,7 +3790,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"additionalItems": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool"),
+							Ref: ref(v1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName()),
 						},
 					},
 					"definitions": {
@@ -3768,7 +3801,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps"),
+										Ref:     ref(v1beta1.JSONSchemaProps{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3776,12 +3809,12 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 					},
 					"externalDocs": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation"),
+							Ref: ref(v1beta1.ExternalDocumentation{}.OpenAPIModelName()),
 						},
 					},
 					"example": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON"),
+							Ref: ref(v1beta1.JSON{}.OpenAPIModelName()),
 						},
 					},
 					"nullable": {
@@ -3863,7 +3896,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule"),
+										Ref:     ref(v1beta1.ValidationRule{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3873,7 +3906,7 @@ func schema_pkg_apis_apiextensions_v1beta1_JSONSchemaProps(ref common.ReferenceC
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ExternalDocumentation", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaProps", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrBool", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSONSchemaPropsOrStringArray", "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ValidationRule"},
+			v1beta1.ExternalDocumentation{}.OpenAPIModelName(), v1beta1.JSON{}.OpenAPIModelName(), v1beta1.JSONSchemaProps{}.OpenAPIModelName(), v1beta1.JSONSchemaPropsOrArray{}.OpenAPIModelName(), v1beta1.JSONSchemaPropsOrBool{}.OpenAPIModelName(), v1beta1.JSONSchemaPropsOrStringArray{}.OpenAPIModelName(), v1beta1.ValidationRule{}.OpenAPIModelName()},
 	}
 }
 
@@ -4054,7 +4087,7 @@ func schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref common.Refere
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.",
-							Ref:         ref("k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference"),
+							Ref:         ref(v1beta1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"caBundle": {
@@ -4068,7 +4101,55 @@ func schema_pkg_apis_apiextensions_v1beta1_WebhookClientConfig(ref common.Refere
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.ServiceReference"},
+			v1beta1.ServiceReference{}.OpenAPIModelName()},
+	}
+}
+
+func schema_apimachinery_pkg_api_resource_Quantity(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.EmbedOpenAPIDefinitionIntoV2Extension(common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				OneOf:       common.GenerateOpenAPIV3OneOfSchema(resource.Quantity{}.OpenAPIV3OneOfTypes()),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	}, common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				Type:        resource.Quantity{}.OpenAPISchemaType(),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	})
+}
+
+func schema_apimachinery_pkg_api_resource_int64Amount(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "int64Amount represents a fixed precision numerator and arbitrary scale exponent. It is faster than operations on inf.Dec for values that can be represented as int64.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"scale": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int32",
+						},
+					},
+				},
+				Required: []string{"value", "scale"},
+			},
+		},
 	}
 }
 
@@ -4114,7 +4195,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+										Ref:     ref(metav1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4124,7 +4205,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "preferredVersion is the version preferred by the API server, which probably is the storage version.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+							Ref:         ref(metav1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 						},
 					},
 					"serverAddressByClientCIDRs": {
@@ -4140,7 +4221,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4151,7 +4232,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			metav1.GroupVersionForDiscovery{}.OpenAPIModelName(), metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -4189,7 +4270,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"),
+										Ref:     ref(metav1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4200,7 +4281,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"},
+			metav1.APIGroup{}.OpenAPIModelName()},
 	}
 }
 
@@ -4368,7 +4449,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"),
+										Ref:     ref(metav1.APIResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4379,7 +4460,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"},
+			metav1.APIResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -4437,7 +4518,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -4448,7 +4529,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			metav1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -4549,7 +4630,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -4573,7 +4654,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -4669,7 +4750,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 					"preconditions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"),
+							Ref:         ref(metav1.Preconditions{}.OpenAPIModelName()),
 						},
 					},
 					"orphanDependents": {
@@ -4717,7 +4798,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"},
+			metav1.Preconditions{}.OpenAPIModelName()},
 	}
 }
 
@@ -5029,15 +5110,12 @@ func schema_pkg_apis_meta_v1_InternalEvent(ref common.ReferenceCallback) common.
 					"Object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Bookmark: the object (instance of a type being watched) where\n   only ResourceVersion field is set. On successful restart of watch from a\n   bookmark resourceVersion, client is guaranteed to not get repeat event\n   nor miss any events.\n * If Type is Error: *api.Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Object"),
 						},
 					},
 				},
 				Required: []string{"Type", "Object"},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.Object"},
 	}
 }
 
@@ -5077,7 +5155,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(metav1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5092,7 +5170,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			metav1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -5171,7 +5249,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -5181,7 +5259,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5192,7 +5270,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -5365,7 +5443,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"fieldsType": {
@@ -5378,7 +5456,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"fieldsV1": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1"),
+							Ref:         ref(metav1.FieldsV1{}.OpenAPIModelName()),
 						},
 					},
 					"subresource": {
@@ -5392,7 +5470,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.FieldsV1{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -5467,13 +5545,13 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 					"creationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(metav1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionGracePeriodSeconds": {
@@ -5533,7 +5611,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+										Ref:     ref(metav1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5573,7 +5651,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"),
+										Ref:     ref(metav1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5583,7 +5661,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			metav1.ManagedFieldsEntry{}.OpenAPIModelName(), metav1.OwnerReference{}.OpenAPIModelName(), metav1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -5677,14 +5755,14 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadata(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(metav1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			metav1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -5713,7 +5791,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -5724,7 +5802,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(metav1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -5735,7 +5813,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -5934,7 +6012,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
@@ -5959,14 +6037,9 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						},
 					},
 					"details": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"),
+							Ref:         ref(metav1.StatusDetails{}.OpenAPIModelName()),
 						},
 					},
 					"code": {
@@ -5980,7 +6053,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.StatusDetails{}.OpenAPIModelName()},
 	}
 }
 
@@ -6066,7 +6139,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"),
+										Ref:     ref(metav1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6083,7 +6156,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"},
+			metav1.StatusCause{}.OpenAPIModelName()},
 	}
 }
 
@@ -6112,7 +6185,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(metav1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"columnDefinitions": {
@@ -6128,7 +6201,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition"),
+										Ref:     ref(metav1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6147,7 +6220,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"),
+										Ref:     ref(metav1.TableRow{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6158,7 +6231,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"},
+			metav1.ListMeta{}.OpenAPIModelName(), metav1.TableColumnDefinition{}.OpenAPIModelName(), metav1.TableRow{}.OpenAPIModelName()},
 	}
 }
 
@@ -6289,7 +6362,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition"),
+										Ref:     ref(metav1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -6298,7 +6371,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing. The media type of the object will always match the enclosing list - if this as a JSON table, these will be JSON encoded objects.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -6306,7 +6379,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			metav1.TableRowCondition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -6501,7 +6574,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -6509,7 +6582,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
index b51b94f7274c1..b89e42db167fb 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy.go
@@ -105,7 +105,9 @@ func (a statusStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Obj
 	var correlatedObject *common.CorrelatedObject
 	if utilfeature.DefaultFeatureGate.Enabled(apiextensionsfeatures.CRDValidationRatcheting) {
 		correlatedObject = common.NewCorrelatedObject(uNew.Object, uOld.Object, &model.Structural{Structural: a.structuralSchema})
-		options = append(options, validation.WithRatcheting(correlatedObject.Key("status")))
+		if a.structuralSchema != nil {
+			options = append(options, validation.WithRatcheting(correlatedObject.Key("status")))
+		}
 		celOptions = append(celOptions, cel.WithRatcheting(correlatedObject))
 	}
 
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy_test.go
index 97538054286cd..c0c521ccae604 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/status_strategy_test.go
@@ -23,6 +23,7 @@ import (
 
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -244,3 +245,142 @@ func TestStatusStrategyValidateUpdate(t *testing.T) {
 		}
 	}
 }
+
+const listTypeResourceSchemaForLegacyV1beta1 = `
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: foos.test
+spec:
+  group: test
+  names:
+    kind: Foo
+    listKind: FooList
+    plural: foos
+    singular: foo
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+  - name: v2
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v3
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              data:
+                type: string
+  - name: v4
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              data:
+                type: string
+    subresources:
+      status: {}
+`
+
+// TestStatusStrategyValidateUpdateForLegacyV1beta1 legacy test the crd with subresource and without .Schema.OpenAPIV3Schema,
+func TestStatusStrategyValidateUpdateForLegacyV1beta1(t *testing.T) {
+	crdV1beta1 := &apiextensionsv1beta1.CustomResourceDefinition{}
+	err := yaml.Unmarshal([]byte(listTypeResourceSchemaForLegacyV1beta1), &crdV1beta1)
+	if err != nil {
+		t.Fatalf("unexpected decoding error: %v", err)
+	}
+	t.Logf("crd details: %v", crdV1beta1)
+	crd := &apiextensions.CustomResourceDefinition{}
+	if err = apiextensionsv1beta1.Convert_v1beta1_CustomResourceDefinition_To_apiextensions_CustomResourceDefinition(crdV1beta1, crd, nil); err != nil {
+		t.Fatalf("unexpected convert error: %v", err)
+	}
+	t.Logf("crd details: %v", crd)
+
+	ctx := context.TODO()
+
+	tcs := []struct {
+		name                string
+		old                 *unstructured.Unstructured
+		obj                 *unstructured.Unstructured
+		version             int
+		hasStructuralSchema bool
+		isValid             bool
+	}{
+		{
+			name:                "the CRD does not have a schema at all",
+			old:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v1", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			obj:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v1", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{"phase": "ready"}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			version:             0,
+			hasStructuralSchema: false,
+			isValid:             true,
+		},
+		{
+			name:                "the CRD does not have a schema at all but declares the status property",
+			old:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v2", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			obj:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v2", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{"phase": "ready"}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			version:             1,
+			hasStructuralSchema: false,
+			isValid:             true,
+		},
+		{
+			name:                "the CRD has a schema",
+			old:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v3", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			obj:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v3", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{"phase": "ready"}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			version:             2,
+			hasStructuralSchema: true,
+			isValid:             true,
+		},
+		{
+			name:                "the CRD has a schema and has declares the status property",
+			old:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v4", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			obj:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v4", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{"phase": "ready"}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			version:             3,
+			hasStructuralSchema: true,
+			isValid:             true,
+		},
+		{
+			name:                "the CRD has a schema but it not being structural",
+			old:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v4", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			obj:                 &unstructured.Unstructured{Object: map[string]interface{}{"apiVersion": "test/v4", "kind": "Foo", "numArray": []interface{}{1, 2}, "status": map[string]interface{}{"phase": "ready"}, "metadata": map[string]interface{}{"resourceVersion": "1"}}},
+			version:             3,
+			hasStructuralSchema: false,
+			isValid:             true,
+		},
+	}
+
+	for _, tc := range tcs {
+		strategy := statusStrategy{}
+		kind := schema.GroupVersionKind{
+			Version: crd.Spec.Versions[tc.version].Name,
+			Kind:    crd.Spec.Names.Kind,
+			Group:   crd.Spec.Group,
+		}
+		strategy.customResourceStrategy.validator.kind = kind
+		if tc.hasStructuralSchema {
+			ss, _ := structuralschema.NewStructural(crd.Spec.Versions[tc.version].Schema.OpenAPIV3Schema)
+			strategy.structuralSchema = ss
+		}
+		t.Logf("case: %v", tc.name)
+		errs := strategy.ValidateUpdate(ctx, tc.obj, tc.old)
+		if tc.isValid && len(errs) > 0 {
+			t.Errorf("%v: unexpected error: %v", tc.name, errs)
+		}
+		if !tc.isValid && len(errs) == 0 {
+			t.Errorf("%v: unexpected non-error", tc.name)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy.go
index fba3c43311b1c..8713b8ec5b688 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy.go
@@ -334,6 +334,9 @@ func dropDisabledFields(newCRD *apiextensions.CustomResourceDefinition, oldCRD *
 	if !utilfeature.DefaultFeatureGate.Enabled(apiextensionsfeatures.CustomResourceFieldSelectors) && (oldCRD == nil || (oldCRD != nil && !specHasSelectableFields(&oldCRD.Spec))) {
 		dropSelectableFields(&newCRD.Spec)
 	}
+	if !utilfeature.DefaultFeatureGate.Enabled(apiextensionsfeatures.CRDObservedGenerationTracking) && (oldCRD == nil || !observedGenerationTrackingInUse(&oldCRD.Status)) {
+		dropObservedGeneration(&newCRD.Status)
+	}
 }
 
 // dropOptionalOldSelfField drops field optionalOldSelf from CRD schema
@@ -384,6 +387,25 @@ func dropSelectableFields(spec *apiextensions.CustomResourceDefinitionSpec) {
 	}
 }
 
+func dropObservedGeneration(status *apiextensions.CustomResourceDefinitionStatus) {
+	status.ObservedGeneration = 0
+	for i := range status.Conditions {
+		status.Conditions[i].ObservedGeneration = 0
+	}
+}
+
+func observedGenerationTrackingInUse(status *apiextensions.CustomResourceDefinitionStatus) bool {
+	if status.ObservedGeneration != 0 {
+		return true
+	}
+	for i := range status.Conditions {
+		if status.Conditions[i].ObservedGeneration != 0 {
+			return true
+		}
+	}
+	return false
+}
+
 func specHasSelectableFields(spec *apiextensions.CustomResourceDefinitionSpec) bool {
 	if spec.SelectableFields != nil {
 		return true
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy_test.go
index 17abd2374eb46..ce54bd7ef60c0 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresourcedefinition/strategy_test.go
@@ -212,12 +212,14 @@ func TestValidateAPIApproval(t *testing.T) {
 // TestDropDisabledFields tests if the drop functionality is working fine or not with feature gate switch
 func TestDropDisabledFields(t *testing.T) {
 	testCases := []struct {
-		name                   string
-		enableRatcheting       bool
-		enableSelectableFields bool
-		crd                    *apiextensions.CustomResourceDefinition
-		oldCRD                 *apiextensions.CustomResourceDefinition
-		expectedCRD            *apiextensions.CustomResourceDefinition
+		name                     string
+		overrideEmulatedVersion  string
+		enableRatcheting         bool
+		enableSelectableFields   bool
+		enableObservedGeneration bool
+		crd                      *apiextensions.CustomResourceDefinition
+		oldCRD                   *apiextensions.CustomResourceDefinition
+		expectedCRD              *apiextensions.CustomResourceDefinition
 	}{
 		{
 			name:             "Ratcheting, For creation, FG disabled, no OptionalOldSelf, no field drop",
@@ -1309,12 +1311,104 @@ func TestDropDisabledFields(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                     "Drop observed generation while feature gate is not set",
+			enableObservedGeneration: false,
+			enableSelectableFields:   true, // Features are enabled by default since we use 1.35
+			enableRatcheting:         true,
+			overrideEmulatedVersion:  "1.35", // Pre-alpha before 1.35
+			crd: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+			oldCRD: nil,
+			expectedCRD: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						Type: apiextensions.Established,
+					}},
+				},
+			},
+		},
+		{
+			name:                     "Keep observed generation while feature gate is not set",
+			enableObservedGeneration: true,
+			enableSelectableFields:   true, // Features are enabled by default since we use 1.35
+			enableRatcheting:         true,
+			overrideEmulatedVersion:  "1.35", // Pre-alpha before 1.35
+			crd: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+			oldCRD: nil,
+			expectedCRD: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+		},
+		{
+			name:                     "Persists generation if previously set while feature gate is not set",
+			enableObservedGeneration: false,
+			enableSelectableFields:   true, // Features are enabled by default since we use 1.35
+			enableRatcheting:         true,
+			overrideEmulatedVersion:  "1.35", // Pre-alpha before 1.35
+			crd: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+			oldCRD: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+			expectedCRD: &apiextensions.CustomResourceDefinition{
+				Status: apiextensions.CustomResourceDefinitionStatus{
+					ObservedGeneration: 123,
+					Conditions: []apiextensions.CustomResourceDefinitionCondition{{
+						ObservedGeneration: 123,
+						Type:               apiextensions.Established,
+					}},
+				},
+			},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, apiextensionsfeatures.CRDValidationRatcheting, tc.enableRatcheting)
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, apiextensionsfeatures.CustomResourceFieldSelectors, tc.enableSelectableFields)
+			fg := featuregatetesting.FeatureOverrides{
+				apiextensionsfeatures.CRDValidationRatcheting:      tc.enableRatcheting,
+				apiextensionsfeatures.CustomResourceFieldSelectors: tc.enableSelectableFields,
+			}
+			if tc.overrideEmulatedVersion == "" {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
+			} else {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse(tc.overrideEmulatedVersion))
+				fg[apiextensionsfeatures.CRDObservedGenerationTracking] = tc.enableObservedGeneration
+			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, fg)
 			old := tc.oldCRD.DeepCopy()
 
 			dropDisabledFields(tc.crd, tc.oldCRD)
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go
index 830ce6fb71236..3dc136071391c 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/test/example/apiexports_test.go
@@ -35,7 +35,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 			name:    "nothing is set",
 			current: map[string]interface{}{},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -67,7 +67,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -76,7 +76,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -85,7 +85,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": []interface{}{},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -103,7 +103,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -113,7 +113,7 @@ func TestAPIExportPermissionClaimCELValidation(t *testing.T) {
 				"resourceSelector": []interface{}{},
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: \"object\": either \"all\" or \"resourceSelector\" must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items: Invalid value: either \"all\" or \"resourceSelector\" must be set",
 			},
 		},
 		{
@@ -166,7 +166,7 @@ func TestResourceSelectorCELValidation(t *testing.T) {
 				"namespace": nil,
 			},
 			wantErrs: []string{
-				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.resourceSelector.items: Invalid value: \"object\": at least one field must be set",
+				"openAPIV3Schema.properties.spec.properties.permissionClaims.items.properties.resourceSelector.items: Invalid value: at least one field must be set",
 			},
 		},
 		{
diff --git a/staging/src/k8s.io/apiextensions-apiserver/test/integration/conversion/conversion_test.go b/staging/src/k8s.io/apiextensions-apiserver/test/integration/conversion/conversion_test.go
index e24b504f7283f..f2abe7bd30e8d 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/conversion/conversion_test.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/conversion/conversion_test.go
@@ -63,6 +63,112 @@ func TestWebhookConverterWithoutWatchCache(t *testing.T) {
 	testWebhookConverter(t, false)
 }
 
+// TestWebhookNotCalledForUnusedVersions tests scenario where conversion webhook could be called for
+// versions that are nor served or nor stored.
+// Described in detail in https://github.com/kubernetes/kubernetes/issues/129979
+func TestWebhookNotCalledForUnusedVersions(t *testing.T) {
+	ctx := context.Background()
+
+	etcd3watcher.TestOnlySetFatalOnDecodeError(false)
+	defer etcd3watcher.TestOnlySetFatalOnDecodeError(true)
+
+	tearDown, config, options, err := fixtures.StartDefaultServer(t, "--watch-cache=true")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	apiExtensionsClient, err := clientset.NewForConfig(config)
+	if err != nil {
+		tearDown()
+		t.Fatal(err)
+	}
+
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		tearDown()
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	crd := multiVersionFixture.DeepCopy()
+	crd.Spec.Versions[0].Storage = false
+	crd.Spec.Versions[3].Served = true
+	crd.Spec.Versions[3].Storage = true
+
+	RESTOptionsGetter := serveroptions.NewCRDRESTOptionsGetter(*options.RecommendedOptions.Etcd, nil, nil)
+	restOptions, err := RESTOptionsGetter.GetRESTOptions(schema.GroupResource{Group: crd.Spec.Group, Resource: crd.Spec.Names.Plural}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	etcdClient, _, err := storage.GetEtcdClients(restOptions.StorageConfig.Transport)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// nolint:errcheck
+	defer etcdClient.Close()
+
+	etcdObjectReader := storage.NewEtcdObjectReader(etcdClient, &restOptions, crd)
+	ctcTearDown, ctc := newConversionTestContext(t, apiExtensionsClient, dynamicClient, etcdObjectReader, crd)
+	defer ctcTearDown()
+
+	marker, err := ctc.versionedClient("marker", "v1alpha2").Create(ctx, newConversionMultiVersionFixture("marker", "marker", "v1alpha2"), metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Update CRD to stop serving v1alpha2 version
+	ctc.setStorageVersion(t, "v1beta1")
+	ctc.setServed(t, "v1alpha2", false)
+
+	// Clear managed fields to avoid known problem: https://github.com/kubernetes/kubernetes/issues/111937
+	v1alpha1marker := newConversionMultiVersionFixture("marker", "marker", "v1alpha1")
+	v1alpha1marker.SetResourceVersion(marker.GetResourceVersion())
+	v1alpha1marker.SetManagedFields([]metav1.ManagedFieldsEntry{{}})
+	marker, err = ctc.versionedClient(marker.GetNamespace(), "v1alpha1").Update(ctx, v1alpha1marker, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Setup webhook that checks that it's never called with v1alpha2 version
+	upCh, handler := closeOnCall(NewObjectConverterWebhookHandler(t, getUnexpectedVersionCheckConverter(t, "v1alpha2")))
+	tearDown, webhookClientConfig, err := StartConversionWebhookServer(handler)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tearDown()
+
+	ctc.setConversionWebhook(t, webhookClientConfig, []string{"v1alpha1", "v1beta1", "v1beta2"})
+	defer ctc.removeConversionWebhook(t)
+
+	// wait until new webhook is called the first time
+	if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*100, wait.ForeverTestTimeout, true, func(ctx context.Context) (done bool, err error) {
+		_, getErr := ctc.versionedClient(marker.GetNamespace(), "v1alpha1").Get(ctx, marker.GetName(), metav1.GetOptions{})
+		select {
+		case <-upCh:
+			return true, nil
+		default:
+			t.Logf("Waiting for webhook to become effective, getting marker object: %v", getErr)
+			return false, nil
+		}
+	}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Check that marker can be read in all served versions
+	for _, v := range servedVersions(ctc.crd.Spec.Versions) {
+		if _, err := ctc.versionedClient(marker.GetNamespace(), v.Name).Get(ctx, marker.GetName(), metav1.GetOptions{}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Check that it's possible to update marker via a different API versions using server-side apply
+	for _, v := range servedVersions(ctc.crd.Spec.Versions) {
+		if _, err := ctc.versionedClient(marker.GetNamespace(), v.Name).Apply(ctx, marker.GetName(), newConversionMultiVersionFixture("marker", "marker", v.Name), metav1.ApplyOptions{FieldManager: "application/apply-patch"}); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
 func testWebhookConverter(t *testing.T, watchCache bool) {
 	tests := []struct {
 		group          string
@@ -165,6 +271,28 @@ func testWebhookConverter(t *testing.T, watchCache bool) {
 	etcd3watcher.TestOnlySetFatalOnDecodeError(false)
 	defer etcd3watcher.TestOnlySetFatalOnDecodeError(true)
 
+	// To avoid the high cost of restarting the API server for every test case, we start
+	// the infrastructure (API Server + Webhook Server) ONCE at the beginning of the test.
+	//
+	// We use a 'dynamicWebhookHandler' to swap the conversion logic (the handler)
+	// for each test case without restarting the actual HTTP server.
+	//
+	// This allows us to start the webhook server ONCE at the beginning of the test.
+	// Crucially, this allows us to enforce teardown order: API Server stops -> Webhook Server stops.
+
+	// Create the mutable handler.
+	proxyHandler := &dynamicWebhookHandler{}
+
+	// Start Webhook Server FIRST.
+	// This ensures its deferred teardown runs LAST (after API server stop).
+	webhookTearDown, webhookClientConfig, err := StartConversionWebhookServer(proxyHandler)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer webhookTearDown()
+
+	// Start API Server SECOND.
+	// This ensures its deferred teardown runs FIRST.
 	tearDown, config, options, err := fixtures.StartDefaultServer(t, fmt.Sprintf("--watch-cache=%v", watchCache))
 	if err != nil {
 		t.Fatal(err)
@@ -209,12 +337,12 @@ func testWebhookConverter(t *testing.T, watchCache bool) {
 	for _, test := range tests {
 		t.Run(test.group, func(t *testing.T) {
 			upCh, handler := closeOnCall(test.handler)
-			tearDown, webhookClientConfig, err := StartConversionWebhookServer(handler)
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer tearDown()
 
+			// Inject the logic for this specific test case
+			proxyHandler.set(handler)
+			defer proxyHandler.set(nil)
+
+			// Configure the CRD to use the shared webhook server
 			ctc.setConversionWebhook(t, webhookClientConfig, test.reviewVersions)
 			defer ctc.removeConversionWebhook(t)
 
@@ -247,7 +375,7 @@ func testWebhookConverter(t *testing.T, watchCache bool) {
 func validateStorageVersion(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace
 
-	for _, version := range ctc.crd.Spec.Versions {
+	for _, version := range servedVersions(ctc.crd.Spec.Versions) {
 		t.Run(version.Name, func(t *testing.T) {
 			name := "storageversion-" + version.Name
 			client := ctc.versionedClient(ns, version.Name)
@@ -314,7 +442,7 @@ func validateMixedStorageVersions(versions ...string) func(t *testing.T, ctc *co
 func validateServed(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace
 
-	for _, version := range ctc.crd.Spec.Versions {
+	for _, version := range servedVersions(ctc.crd.Spec.Versions) {
 		t.Run(version.Name, func(t *testing.T) {
 			name := "served-" + version.Name
 			client := ctc.versionedClient(ns, version.Name)
@@ -333,7 +461,7 @@ func validateServed(t *testing.T, ctc *conversionTestContext) {
 func validateNonTrivialConverted(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace
 
-	for _, createVersion := range ctc.crd.Spec.Versions {
+	for _, createVersion := range servedVersions(ctc.crd.Spec.Versions) {
 		t.Run(fmt.Sprintf("getting objects created as %s", createVersion.Name), func(t *testing.T) {
 			name := "converted-" + createVersion.Name
 			client := ctc.versionedClient(ns, createVersion.Name)
@@ -353,7 +481,7 @@ func validateNonTrivialConverted(t *testing.T, ctc *conversionTestContext) {
 			}
 			verifyMultiVersionObject(t, "v1beta1", obj)
 
-			for _, getVersion := range ctc.crd.Spec.Versions {
+			for _, getVersion := range servedVersions(ctc.crd.Spec.Versions) {
 				client := ctc.versionedClient(ns, getVersion.Name)
 				obj, err := client.Get(context.TODO(), name, metav1.GetOptions{})
 				if err != nil {
@@ -391,7 +519,8 @@ func validateNonTrivialConvertedList(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace + "-list"
 
 	names := sets.String{}
-	for _, createVersion := range ctc.crd.Spec.Versions {
+	versions := servedVersions(ctc.crd.Spec.Versions)
+	for _, createVersion := range versions {
 		name := "converted-" + createVersion.Name
 		client := ctc.versionedClient(ns, createVersion.Name)
 		fixture := newConversionMultiVersionFixture(ns, name, createVersion.Name)
@@ -405,14 +534,14 @@ func validateNonTrivialConvertedList(t *testing.T, ctc *conversionTestContext) {
 		names.Insert(name)
 	}
 
-	for _, listVersion := range ctc.crd.Spec.Versions {
+	for _, listVersion := range versions {
 		t.Run(fmt.Sprintf("listing objects as %s", listVersion.Name), func(t *testing.T) {
 			client := ctc.versionedClient(ns, listVersion.Name)
 			obj, err := client.List(context.TODO(), metav1.ListOptions{})
 			if err != nil {
 				t.Fatal(err)
 			}
-			if len(obj.Items) != len(ctc.crd.Spec.Versions) {
+			if len(obj.Items) != len(versions) {
 				t.Fatal("unexpected number of items")
 			}
 			foundNames := sets.String{}
@@ -430,7 +559,7 @@ func validateNonTrivialConvertedList(t *testing.T, ctc *conversionTestContext) {
 func validateStoragePruning(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace
 
-	for _, createVersion := range ctc.crd.Spec.Versions {
+	for _, createVersion := range servedVersions(ctc.crd.Spec.Versions) {
 		t.Run(fmt.Sprintf("getting objects created as %s", createVersion.Name), func(t *testing.T) {
 			name := "storagepruning-" + createVersion.Name
 			client := ctc.versionedClient(ns, createVersion.Name)
@@ -465,7 +594,7 @@ func validateStoragePruning(t *testing.T, ctc *conversionTestContext) {
 				t.Fatal(err)
 			}
 
-			for _, getVersion := range ctc.crd.Spec.Versions {
+			for _, getVersion := range servedVersions(ctc.crd.Spec.Versions) {
 				client := ctc.versionedClient(ns, getVersion.Name)
 				obj, err := client.Get(context.TODO(), name, metav1.GetOptions{})
 				if err != nil {
@@ -594,7 +723,7 @@ func validateDefaulting(t *testing.T, ctc *conversionTestContext) {
 	ns := ctc.namespace
 	storageVersion := "v1beta1"
 
-	for _, createVersion := range ctc.crd.Spec.Versions {
+	for _, createVersion := range servedVersions(ctc.crd.Spec.Versions) {
 		t.Run(fmt.Sprintf("getting objects created as %s", createVersion.Name), func(t *testing.T) {
 			name := "defaulting-" + createVersion.Name
 			client := ctc.versionedClient(ns, createVersion.Name)
@@ -644,7 +773,7 @@ func validateDefaulting(t *testing.T, ctc *conversionTestContext) {
 			}
 
 			// check that when reading any other version, we do not default that version, but only the (non-persisted) storage version default
-			for _, v := range ctc.crd.Spec.Versions {
+			for _, v := range servedVersions(ctc.crd.Spec.Versions) {
 				if v.Name == createVersion.Name {
 					// create version is persisted anyway, nothing to verify
 					continue
@@ -921,6 +1050,16 @@ func uidMutatingConverter(desiredAPIVersion string, obj runtime.RawExtension) (r
 	return runtime.RawExtension{Raw: raw}, nil
 }
 
+func getUnexpectedVersionCheckConverter(t *testing.T, version string) ObjectConverterFunc {
+	return func(desiredAPIVersion string, obj runtime.RawExtension) (runtime.RawExtension, error) {
+		if desiredAPIVersion == "stable.example.com/"+version {
+			t.Fatalf("webhook received unexpected version: %s", version)
+		}
+
+		return nontrivialConverter(desiredAPIVersion, obj)
+	}
+}
+
 func newConversionTestContext(t *testing.T, apiExtensionsClient clientset.Interface, dynamicClient dynamic.Interface, etcdObjectReader *storage.EtcdObjectReader, v1CRD *apiextensionsv1.CustomResourceDefinition) (func(), *conversionTestContext) {
 	v1CRD, err := fixtures.CreateNewV1CustomResourceDefinition(v1CRD, apiExtensionsClient, dynamicClient)
 	if err != nil {
@@ -958,7 +1097,7 @@ func (c *conversionTestContext) versionedClient(ns string, version string) dynam
 
 func (c *conversionTestContext) versionedClients(ns string) map[string]dynamic.ResourceInterface {
 	ret := map[string]dynamic.ResourceInterface{}
-	for _, v := range c.crd.Spec.Versions {
+	for _, v := range servedVersions(c.crd.Spec.Versions) {
 		ret[v.Name] = c.versionedClient(ns, v.Name)
 	}
 	return ret
@@ -1129,6 +1268,7 @@ var multiVersionFixture = &apiextensionsv1.CustomResourceDefinition{
 								Type: "object",
 								Properties: map[string]apiextensionsv1.JSONSchemaProps{
 									"v1alpha1": {Type: "boolean"},
+									"v1alpha2": {Type: "boolean"},
 									"v1beta1":  {Type: "boolean", Default: jsonPtr(true)},
 									"v1beta2":  {Type: "boolean"},
 								},
@@ -1170,6 +1310,7 @@ var multiVersionFixture = &apiextensionsv1.CustomResourceDefinition{
 								Type: "object",
 								Properties: map[string]apiextensionsv1.JSONSchemaProps{
 									"v1alpha1": {Type: "boolean", Default: jsonPtr(true)},
+									"v1alpha2": {Type: "boolean"},
 									"v1beta1":  {Type: "boolean"},
 									"v1beta2":  {Type: "boolean"},
 								},
@@ -1211,6 +1352,7 @@ var multiVersionFixture = &apiextensionsv1.CustomResourceDefinition{
 								Type: "object",
 								Properties: map[string]apiextensionsv1.JSONSchemaProps{
 									"v1alpha1": {Type: "boolean"},
+									"v1alpha2": {Type: "boolean"},
 									"v1beta1":  {Type: "boolean"},
 									"v1beta2":  {Type: "boolean", Default: jsonPtr(true)},
 								},
@@ -1219,6 +1361,48 @@ var multiVersionFixture = &apiextensionsv1.CustomResourceDefinition{
 					},
 				},
 			},
+			{
+				// same schema as v1beta1, but not served
+				Name:    "v1alpha2",
+				Served:  false,
+				Storage: false,
+				Subresources: &apiextensionsv1.CustomResourceSubresources{
+					Status: &apiextensionsv1.CustomResourceSubresourceStatus{},
+					Scale: &apiextensionsv1.CustomResourceSubresourceScale{
+						SpecReplicasPath:   ".spec.num.num1",
+						StatusReplicasPath: ".status.num.num2",
+					},
+				},
+				Schema: &apiextensionsv1.CustomResourceValidation{
+					OpenAPIV3Schema: &apiextensionsv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]apiextensionsv1.JSONSchemaProps{
+							"content": {
+								Type: "object",
+								Properties: map[string]apiextensionsv1.JSONSchemaProps{
+									"key": {Type: "string"},
+								},
+							},
+							"num": {
+								Type: "object",
+								Properties: map[string]apiextensionsv1.JSONSchemaProps{
+									"num1": {Type: "integer"},
+									"num2": {Type: "integer"},
+								},
+							},
+							"defaults": {
+								Type: "object",
+								Properties: map[string]apiextensionsv1.JSONSchemaProps{
+									"v1alpha1": {Type: "boolean"},
+									"v1alpha2": {Type: "boolean", Default: jsonPtr(true)},
+									"v1beta1":  {Type: "boolean"},
+									"v1beta2":  {Type: "boolean"},
+								},
+							},
+						},
+					},
+				},
+			},
 		},
 	},
 }
@@ -1244,6 +1428,14 @@ func newConversionMultiVersionFixture(namespace, name, version string) *unstruct
 			"num1": int64(1),
 			"num2": int64(1000000),
 		}
+	case "v1alpha2":
+		u.Object["content"] = map[string]interface{}{
+			"key": "value",
+		}
+		u.Object["num"] = map[string]interface{}{
+			"num1": int64(1),
+			"num2": int64(1000000),
+		}
 	case "v1beta1":
 		u.Object["content"] = map[string]interface{}{
 			"key": "value",
@@ -1337,6 +1529,16 @@ func jsonPtr(x interface{}) *apiextensionsv1.JSON {
 	return &ret
 }
 
+func servedVersions(versions []apiextensionsv1.CustomResourceDefinitionVersion) (served []apiextensionsv1.CustomResourceDefinitionVersion) {
+	for _, v := range versions {
+		if v.Served {
+			served = append(served, v)
+		}
+	}
+
+	return served
+}
+
 func TestWebhookConversion_WhitespaceCABundleEtcdBypass(t *testing.T) {
 	// Setup server and clients
 	tearDown, config, options, err := fixtures.StartDefaultServer(t)
@@ -1435,3 +1637,30 @@ func TestWebhookConversion_WhitespaceCABundleEtcdBypass(t *testing.T) {
 	verifyMultiVersionObject(t, "v1beta1", obj)
 
 }
+
+// dynamicWebhookHandler is a thread-safe http. Handler that allows swapping
+// the underlying delegate handler at runtime. This is useful for sharing a single
+// server instance across multiple test cases that require different behaviors.
+type dynamicWebhookHandler struct {
+	mu       sync.RWMutex
+	delegate http.Handler
+}
+
+// ServeHTTP implements http.Handler. It delegates the request to the currently
+// configured handler. If no handler is set, it returns an internal server error.
+func (h *dynamicWebhookHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	if h.delegate != nil {
+		h.delegate.ServeHTTP(w, r)
+	} else {
+		http.Error(w, "unexpected call", http.StatusInternalServerError)
+	}
+}
+
+// set safely swaps the underlying delegate handler.
+func (h *dynamicWebhookHandler) set(delegate http.Handler) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	h.delegate = delegate
+}
diff --git a/staging/src/k8s.io/apimachinery/go.mod b/staging/src/k8s.io/apimachinery/go.mod
index 2fc7dbdc3d39c..cfdee0381b755 100644
--- a/staging/src/k8s.io/apimachinery/go.mod
+++ b/staging/src/k8s.io/apimachinery/go.mod
@@ -2,38 +2,37 @@
 
 module k8s.io/apimachinery
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/fxamacker/cbor/v2 v2.9.0
-	github.com/gogo/protobuf v1.3.2
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/moby/spdystream v0.5.0
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	golang.org/x/net v0.43.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/net v0.47.0
 	golang.org/x/time v0.9.0
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	gopkg.in/inf.v0 v0.9.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -42,17 +41,15 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
-	github.com/onsi/ginkgo/v2 v2.21.0 // indirect
-	github.com/onsi/gomega v1.35.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.25.1 // indirect
+	github.com/onsi/gomega v1.38.2 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
diff --git a/staging/src/k8s.io/apimachinery/go.sum b/staging/src/k8s.io/apimachinery/go.sum
index 56ccefd08139a..b096b58bf2d2e 100644
--- a/staging/src/k8s.io/apimachinery/go.sum
+++ b/staging/src/k8s.io/apimachinery/go.sum
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -9,8 +11,11 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -21,24 +26,22 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -48,6 +51,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
 github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -59,19 +64,17 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWu
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -80,62 +83,45 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -144,12 +130,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go b/staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go
index 2c101ab39e569..7b57a9eb6cabe 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go
@@ -258,7 +258,8 @@ func NewApplyConflict(causes []metav1.StatusCause, message string) *StatusError
 }
 
 // NewGone returns an error indicating the item no longer available at the server and no forwarding address is known.
-// DEPRECATED: Please use NewResourceExpired instead.
+//
+// Deprecated: Please use NewResourceExpired instead.
 func NewGone(message string) *StatusError {
 	return &StatusError{metav1.Status{
 		Status:  metav1.StatusFailure,
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
index c3a272168e861..9e1a5c0e1fe94 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
@@ -19,95 +19,6 @@ limitations under the License.
 
 package resource
 
-import (
-	fmt "fmt"
+func (m *Quantity) Reset() { *m = Quantity{} }
 
-	math "math"
-
-	proto "github.com/gogo/protobuf/proto"
-)
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *Quantity) Reset()      { *m = Quantity{} }
-func (*Quantity) ProtoMessage() {}
-func (*Quantity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7288c78ff45111e9, []int{0}
-}
-func (m *Quantity) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Quantity.Unmarshal(m, b)
-}
-func (m *Quantity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Quantity.Marshal(b, m, deterministic)
-}
-func (m *Quantity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Quantity.Merge(m, src)
-}
-func (m *Quantity) XXX_Size() int {
-	return xxx_messageInfo_Quantity.Size(m)
-}
-func (m *Quantity) XXX_DiscardUnknown() {
-	xxx_messageInfo_Quantity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Quantity proto.InternalMessageInfo
-
-func (m *QuantityValue) Reset()      { *m = QuantityValue{} }
-func (*QuantityValue) ProtoMessage() {}
-func (*QuantityValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_7288c78ff45111e9, []int{1}
-}
-func (m *QuantityValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_QuantityValue.Unmarshal(m, b)
-}
-func (m *QuantityValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_QuantityValue.Marshal(b, m, deterministic)
-}
-func (m *QuantityValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QuantityValue.Merge(m, src)
-}
-func (m *QuantityValue) XXX_Size() int {
-	return xxx_messageInfo_QuantityValue.Size(m)
-}
-func (m *QuantityValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_QuantityValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QuantityValue proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Quantity)(nil), "k8s.io.apimachinery.pkg.api.resource.Quantity")
-	proto.RegisterType((*QuantityValue)(nil), "k8s.io.apimachinery.pkg.api.resource.QuantityValue")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/api/resource/generated.proto", fileDescriptor_7288c78ff45111e9)
-}
-
-var fileDescriptor_7288c78ff45111e9 = []byte{
-	// 234 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x32, 0xc9, 0xb6, 0x28, 0xd6,
-	0xcb, 0xcc, 0xd7, 0x4f, 0x2c, 0xc8, 0xcc, 0x4d, 0x4c, 0xce, 0xc8, 0xcc, 0x4b, 0x2d, 0xaa, 0xd4,
-	0x2f, 0xc8, 0x4e, 0x07, 0x09, 0xe8, 0x17, 0xa5, 0x16, 0xe7, 0x97, 0x16, 0x25, 0xa7, 0xea, 0xa7,
-	0xa7, 0xe6, 0xa5, 0x16, 0x25, 0x96, 0xa4, 0xa6, 0xe8, 0x15, 0x14, 0xe5, 0x97, 0xe4, 0x0b, 0xa9,
-	0x40, 0x74, 0xe9, 0x21, 0xeb, 0xd2, 0x2b, 0xc8, 0x4e, 0x07, 0x09, 0xe8, 0xc1, 0x74, 0x49, 0xe9,
-	0xa6, 0x67, 0x96, 0x64, 0x94, 0x26, 0xe9, 0x25, 0xe7, 0xe7, 0xea, 0xa7, 0xe7, 0xa7, 0xe7, 0xeb,
-	0x83, 0x35, 0x27, 0x95, 0xa6, 0x81, 0x79, 0x60, 0x0e, 0x98, 0x05, 0x31, 0x54, 0xc9, 0x82, 0x8b,
-	0x23, 0xb0, 0x34, 0x31, 0xaf, 0x24, 0xb3, 0xa4, 0x52, 0x48, 0x8c, 0x8b, 0xad, 0xb8, 0xa4, 0x28,
-	0x33, 0x2f, 0x5d, 0x82, 0x51, 0x81, 0x51, 0x83, 0x33, 0x08, 0xca, 0xb3, 0x12, 0x99, 0xb1, 0x40,
-	0x9e, 0xa1, 0x63, 0xa1, 0x3c, 0xc3, 0x84, 0x85, 0xf2, 0x0c, 0x0b, 0x16, 0xca, 0x33, 0x34, 0xdc,
-	0x51, 0x60, 0x50, 0xb2, 0xe5, 0xe2, 0x85, 0xe9, 0x0c, 0x4b, 0xcc, 0x29, 0x4d, 0x25, 0x4d, 0xbb,
-	0x93, 0xd7, 0x89, 0x87, 0x72, 0x0c, 0x17, 0x1e, 0xca, 0x31, 0xdc, 0x78, 0x28, 0xc7, 0xd0, 0xf0,
-	0x48, 0x8e, 0xf1, 0xc4, 0x23, 0x39, 0xc6, 0x0b, 0x8f, 0xe4, 0x18, 0x6f, 0x3c, 0x92, 0x63, 0x7c,
-	0xf0, 0x48, 0x8e, 0x71, 0xc2, 0x63, 0x39, 0x86, 0x28, 0x15, 0x62, 0x42, 0x0a, 0x10, 0x00, 0x00,
-	0xff, 0xff, 0x50, 0x91, 0xd0, 0x9c, 0x50, 0x01, 0x00, 0x00,
-}
+func (m *QuantityValue) Reset() { *m = QuantityValue{} }
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.proto b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.proto
index ddd0db8fbd1be..875ad8577af0b 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.proto
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.proto
@@ -93,6 +93,7 @@ option go_package = "k8s.io/apimachinery/pkg/api/resource";
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.api.resource
 message Quantity {
   optional string string = 1;
 }
@@ -105,6 +106,7 @@ message Quantity {
 // +protobuf.options.marshal=false
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.api.resource
 message QuantityValue {
   optional string string = 1;
 }
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..712e155c3e5ed
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go
@@ -0,0 +1,26 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package resource
+
+func (*Quantity) ProtoMessage() {}
+
+func (*QuantityValue) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go b/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
index d0aada9dd753e..f3cd60060491d 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
@@ -99,6 +99,7 @@ import (
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.api.resource
 type Quantity struct {
 	// i is the quantity in int64 scaled form, if d.Dec == nil
 	i int64Amount
@@ -858,6 +859,7 @@ func (q *Quantity) SetScaled(value int64, scale Scale) {
 // +protobuf.options.marshal=false
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:deepcopy-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.api.resource
 type QuantityValue struct {
 	Quantity
 }
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go b/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
index 3e0cdb10d4090..364ec80da229b 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
@@ -20,12 +20,8 @@ import (
 	"fmt"
 	"io"
 	"math/bits"
-
-	"github.com/gogo/protobuf/proto"
 )
 
-var _ proto.Sizer = &Quantity{}
-
 func (m *Quantity) Marshal() (data []byte, err error) {
 	size := m.Size()
 	data = make([]byte, size)
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go
new file mode 100644
index 0000000000000..2575a2e8c88d6
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package resource
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Quantity) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.api.resource.Quantity"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in QuantityValue) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.api.resource.QuantityValue"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go
new file mode 100644
index 0000000000000..5622ca15a872f
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+const decimalIntegerErrMsg string = "must be a valid decimal integer in canonical form"
+
+// IsDecimalInteger validates that a string represents a decimal integer in strict canonical form.
+// This means the string must be formatted exactly as a human would naturally write an integer,
+// without any programming language conventions like leading zeros, plus signs, or alternate bases.
+//
+// valid values:"0" or Non-zero integers (i.e., "123", "-456") where the first digit is 1-9,
+// followed by any digits 0-9.
+//
+// This validator is stricter than strconv.ParseInt, which accepts leading zeros values (i.e, "0700")
+// and interprets them as decimal 700, potentially causing confusion with octal notation.
+func IsDecimalInteger(value string) []string {
+	n := len(value)
+	if n == 0 {
+		return []string{EmptyError()}
+	}
+
+	i := 0
+	if value[0] == '-' {
+		if n == 1 {
+			return []string{decimalIntegerErrMsg}
+		}
+		i = 1
+	}
+
+	if value[i] == '0' {
+		if n == 1 && i == 0 {
+			return nil
+		}
+		return []string{decimalIntegerErrMsg}
+	}
+
+	if value[i] < '1' || value[i] > '9' {
+		return []string{decimalIntegerErrMsg}
+	}
+
+	for i++; i < n; i++ {
+		if value[i] < '0' || value[i] > '9' {
+			return []string{decimalIntegerErrMsg}
+		}
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int_test.go
new file mode 100644
index 0000000000000..369417d26a81b
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/decimal_int_test.go
@@ -0,0 +1,234 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"strconv"
+	"strings"
+	"testing"
+)
+
+func TestIsDecimalInteger(t *testing.T) {
+	testCases := []struct {
+		name        string
+		input       string
+		shouldPass  bool
+		errContains string
+	}{
+		// valid
+		{name: "zero", input: "0", shouldPass: true},
+		{name: "positive single digit 1", input: "1", shouldPass: true},
+		{name: "positive single digit 2", input: "2", shouldPass: true},
+		{name: "positive single digit 5", input: "5", shouldPass: true},
+		{name: "positive single digit 9", input: "9", shouldPass: true},
+		{name: "negative single digit", input: "-5", shouldPass: true},
+		{name: "negative single digit 1", input: "-1", shouldPass: true},
+		{name: "negative single digit 9", input: "-9", shouldPass: true},
+
+		{name: "number starting with 1", input: "100", shouldPass: true},
+		{name: "number starting with 2", input: "234", shouldPass: true},
+		{name: "number starting with 3", input: "345", shouldPass: true},
+		{name: "number starting with 4", input: "456", shouldPass: true},
+		{name: "number starting with 5", input: "567", shouldPass: true},
+		{name: "number starting with 6", input: "678", shouldPass: true},
+		{name: "number starting with 7", input: "789", shouldPass: true},
+		{name: "number starting with 8", input: "890", shouldPass: true},
+		{name: "number starting with 9", input: "999", shouldPass: true},
+
+		{name: "positive multi-digit", input: "123", shouldPass: true},
+		{name: "negative multi-digit", input: "-456", shouldPass: true},
+		{name: "negative starting with 1", input: "-100", shouldPass: true},
+		{name: "negative starting with 9", input: "-987", shouldPass: true},
+		{name: "large positive number", input: "9223372036854775807", shouldPass: true},  // max int64
+		{name: "large negative number", input: "-9223372036854775808", shouldPass: true}, // min int64
+		{name: "very long valid number", input: "12345678901234567890", shouldPass: true},
+		{name: "all nines", input: "999999999999", shouldPass: true},
+
+		// invalid
+		{name: "negative zero", input: "-0", shouldPass: false},
+		{name: "double zero", input: "00", shouldPass: false},
+		{name: "triple zero", input: "000", shouldPass: false},
+		{name: "many zeros", input: "0000000", shouldPass: false},
+		{name: "leading zero single digit", input: "01", shouldPass: false},
+		{name: "leading zero digit 2", input: "02", shouldPass: false},
+		{name: "leading zero digit 9", input: "09", shouldPass: false},
+		{name: "leading zero multi-digit", input: "0123", shouldPass: false},
+		{name: "octal-like format", input: "0700", shouldPass: false},
+		{name: "octal-like format 2", input: "0950", shouldPass: false},
+		{name: "multiple leading zeros", input: "00123", shouldPass: false},
+		{name: "negative with leading zero", input: "-01", shouldPass: false},
+		{name: "negative with leading zeros", input: "-0123", shouldPass: false},
+		{name: "negative double zero", input: "-00", shouldPass: false},
+		{name: "plus sign", input: "+123", shouldPass: false},
+		{name: "positive plus sign", input: "+5", shouldPass: false},
+		{name: "plus zero", input: "+0", shouldPass: false},
+
+		// Invalid cases - empty and whitespace
+		{name: "empty string", input: "", shouldPass: false, errContains: "non-empty"},
+		{name: "just minus sign", input: "-", shouldPass: false},
+		{name: "just plus sign", input: "+", shouldPass: false},
+		{name: "single space", input: " ", shouldPass: false},
+		{name: "multiple spaces", input: "   ", shouldPass: false},
+		{name: "leading space", input: " 123", shouldPass: false},
+		{name: "trailing space", input: "123 ", shouldPass: false},
+		{name: "space in middle", input: "12 3", shouldPass: false},
+		{name: "spaces around", input: " 123 ", shouldPass: false},
+
+		{name: "decimal number", input: "12.3", shouldPass: false},
+		{name: "decimal zero", input: "0.0", shouldPass: false},
+		{name: "negative decimal", input: "-12.5", shouldPass: false},
+		{name: "trailing dot", input: "123.", shouldPass: false},
+		{name: "leading dot", input: ".123", shouldPass: false},
+
+		{name: "alphabetic", input: "abc", shouldPass: false},
+		{name: "alphanumeric", input: "12a3", shouldPass: false},
+		{name: "letter at start", input: "a123", shouldPass: false},
+		{name: "letter at end", input: "123a", shouldPass: false},
+		{name: "uppercase letters", input: "ABC", shouldPass: false},
+		{name: "mixed case", input: "12A3", shouldPass: false},
+
+		{name: "hexadecimal", input: "0x123", shouldPass: false},
+		{name: "hex uppercase", input: "0X123", shouldPass: false},
+		{name: "octal prefix", input: "0o777", shouldPass: false},
+		{name: "binary prefix", input: "0b101", shouldPass: false},
+		{name: "scientific notation", input: "1e5", shouldPass: false},
+		{name: "scientific negative exp", input: "1e-5", shouldPass: false},
+		{name: "scientific uppercase", input: "1E5", shouldPass: false},
+
+		{name: "underscore separator", input: "1_000", shouldPass: false},
+		{name: "comma separator", input: "1,000", shouldPass: false},
+		{name: "period separator", input: "1.000", shouldPass: false},
+		{name: "apostrophe separator", input: "1'000", shouldPass: false},
+
+		{name: "double minus", input: "--123", shouldPass: false},
+		{name: "double plus", input: "++123", shouldPass: false},
+		{name: "plus minus", input: "+-123", shouldPass: false},
+		{name: "minus plus", input: "-+123", shouldPass: false},
+		{name: "minus at end", input: "123-", shouldPass: false},
+		{name: "minus in middle", input: "12-3", shouldPass: false},
+		{name: "plus at end", input: "123+", shouldPass: false},
+		{name: "plus in middle", input: "12+3", shouldPass: false},
+
+		{name: "tab character at start", input: "\t123", shouldPass: false},
+		{name: "tab character at end", input: "123\t", shouldPass: false},
+		{name: "newline character", input: "123\n", shouldPass: false},
+		{name: "carriage return", input: "123\r", shouldPass: false},
+		{name: "null character", input: "123\x00", shouldPass: false},
+		{name: "vertical tab", input: "123\v", shouldPass: false},
+		{name: "form feed", input: "123\f", shouldPass: false},
+
+		{name: "parentheses", input: "(123)", shouldPass: false},
+		{name: "brackets", input: "[123]", shouldPass: false},
+		{name: "braces", input: "{123}", shouldPass: false},
+		{name: "dollar sign", input: "$123", shouldPass: false},
+		{name: "percent sign", input: "123%", shouldPass: false},
+		{name: "hash", input: "#123", shouldPass: false},
+		{name: "at sign", input: "@123", shouldPass: false},
+		{name: "ampersand", input: "&123", shouldPass: false},
+		{name: "asterisk", input: "*123", shouldPass: false},
+		{name: "slash", input: "12/3", shouldPass: false},
+		{name: "backslash", input: "12\\3", shouldPass: false},
+		{name: "pipe", input: "12|3", shouldPass: false},
+		{name: "semicolon", input: "12;3", shouldPass: false},
+		{name: "colon", input: "12:3", shouldPass: false},
+		{name: "question mark", input: "12?3", shouldPass: false},
+		{name: "exclamation", input: "12!3", shouldPass: false},
+		{name: "tilde", input: "~123", shouldPass: false},
+		{name: "backtick", input: "`123", shouldPass: false},
+		{name: "single quote", input: "'123'", shouldPass: false},
+		{name: "double quote", input: "\"123\"", shouldPass: false},
+
+		{name: "unicode minus", input: "−123", shouldPass: false}, // U+2212 minus sign
+		{name: "unicode digit", input: "１２３", shouldPass: false},  // fullwidth digits
+		{name: "arabic digits", input: "١٢٣", shouldPass: false},  // Arabic-Indic digits
+		{name: "chinese characters", input: "一二三", shouldPass: false},
+		{name: "superscript", input: "123⁴", shouldPass: false},
+		{name: "subscript", input: "123₄", shouldPass: false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := IsDecimalInteger(tc.input)
+			if tc.shouldPass {
+				if len(errs) != 0 {
+					t.Errorf("IsDecimalInteger(%q) = %v, want no errors", tc.input, errs)
+				}
+			} else {
+				if len(errs) == 0 {
+					t.Errorf("IsDecimalInteger(%q) = no errors, want errors", tc.input)
+				} else if tc.errContains != "" {
+					found := false
+					for _, err := range errs {
+						if strings.Contains(err, tc.errContains) {
+							found = true
+							break
+						}
+					}
+					if !found {
+						t.Errorf("IsDecimalInteger(%q) errors %v should contain %q", tc.input, errs, tc.errContains)
+					}
+				}
+			}
+		})
+	}
+
+	// Additional verification: valid strings should parse with strconv.ParseInt
+	validCases := []string{
+		"0", "1", "2", "5", "9",
+		"-1", "-5", "-9",
+		"123", "-456", "100", "999",
+		"9223372036854775807", "-9223372036854775808",
+		"12345678901234567890",
+	}
+	for _, validCase := range validCases {
+		if errs := IsDecimalInteger(validCase); len(errs) != 0 {
+			t.Errorf("Valid case %q should return no errors, got: %v", validCase, errs)
+		}
+		// Verify it can also be parsed by strconv.ParseInt (within range)
+		if len(validCase) <= 19 { // Only test cases that fit in int64
+			if _, err := strconv.ParseInt(validCase, 10, 64); err != nil {
+				t.Errorf("Valid case %q should be parseable by strconv.ParseInt: %v", validCase, err)
+			}
+		}
+	}
+
+	// Verify that our function rejects what we intend to reject (even if strconv.ParseInt accepts it)
+	rejectedCases := []string{
+		"0700", "0950", "01", "02", "09",
+		"+123", "+5", "+0",
+		"-0", "00", "000",
+		"-01", "-00",
+	}
+	for _, rejectedCase := range rejectedCases {
+		if errs := IsDecimalInteger(rejectedCase); len(errs) == 0 {
+			t.Errorf("Case %q should be rejected by strict validation", rejectedCase)
+		}
+	}
+
+	// Edge case: verify strconv.ParseInt accepts things we reject (proving we're stricter)
+	strconvAcceptsButWeReject := []string{"+123", "0700", "01"}
+	for _, case_ := range strconvAcceptsButWeReject {
+		// strconv.ParseInt should accept it
+		if _, err := strconv.ParseInt(case_, 10, 64); err != nil {
+			t.Errorf("strconv.ParseInt should accept %q but got error: %v", case_, err)
+		}
+		// But our function should reject it
+		if errs := IsDecimalInteger(case_); len(errs) == 0 {
+			t.Errorf("IsDecimalInteger should reject %q (stricter than strconv)", case_)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns.go
new file mode 100644
index 0000000000000..bd20720794c4c
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns.go
@@ -0,0 +1,101 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"regexp"
+)
+
+const dns1123LabelFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
+
+const dns1123LabelErrMsg string = "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character"
+
+// DNS1123LabelMaxLength is a label's max length in DNS (RFC 1123)
+const DNS1123LabelMaxLength int = 63
+
+var dns1123LabelRegexp = regexp.MustCompile("^" + dns1123LabelFmt + "$")
+
+// IsDNS1123Label tests for a string that conforms to the definition of a label in
+// DNS (RFC 1123).
+func IsDNS1123Label(value string) []string {
+	var errs []string
+	if len(value) > DNS1123LabelMaxLength {
+		errs = append(errs, MaxLenError(DNS1123LabelMaxLength))
+	}
+	if !dns1123LabelRegexp.MatchString(value) {
+		if dns1123SubdomainRegexp.MatchString(value) {
+			// It was a valid subdomain and not a valid label.  Since we
+			// already checked length, it must be dots.
+			errs = append(errs, "must not contain dots")
+		} else {
+			errs = append(errs, RegexError(dns1123LabelErrMsg, dns1123LabelFmt, "my-name", "123-abc"))
+		}
+	}
+	return errs
+}
+
+const dns1123SubdomainFmt string = dns1123LabelFmt + "(\\." + dns1123LabelFmt + ")*"
+const dns1123SubdomainFmtCaseless string = "(?i)" + dns1123SubdomainFmt
+const dns1123SubdomainErrorMsg string = "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+const dns1123SubdomainCaselessErrorMsg string = "an RFC 1123 subdomain must consist of alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+
+// DNS1123SubdomainMaxLength is a subdomain's max length in DNS (RFC 1123)
+const DNS1123SubdomainMaxLength int = 253
+
+var dns1123SubdomainRegexp = regexp.MustCompile("^" + dns1123SubdomainFmt + "$")
+var dns1123SubdomainCaselessRegexp = regexp.MustCompile("^" + dns1123SubdomainFmtCaseless + "$")
+
+// IsDNS1123Subdomain tests for a string that conforms to the definition of a
+// subdomain in DNS (RFC 1123) lowercase.
+func IsDNS1123Subdomain(value string) []string {
+	return isDNS1123Subdomain(value, false)
+}
+
+// IsDNS1123SubdomainCaseless tests for a string that conforms to the definition of a
+// subdomain in DNS (RFC 1123).
+//
+// Deprecated: API validation should never be caseless. Caseless validation is a vector
+// for bugs and failed uniqueness assumptions. For example, names like "foo.com" and
+// "FOO.COM" are both accepted as valid, but they are typically not treated as equal by
+// consumers (e.g. CSI and DRA driver names). This fails the "least surprise" principle and
+// can cause inconsistent behaviors.
+//
+// Note: This allows uppercase names but is not caseless — uppercase and lowercase are
+// treated as different values. Use IsDNS1123Subdomain for strict, lowercase validation
+// instead.
+func IsDNS1123SubdomainCaseless(value string) []string {
+	return isDNS1123Subdomain(value, true)
+}
+
+func isDNS1123Subdomain(value string, caseless bool) []string {
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	errorMsg := dns1123SubdomainErrorMsg
+	example := "example.com"
+	regexp := dns1123SubdomainRegexp
+	if caseless {
+		errorMsg = dns1123SubdomainCaselessErrorMsg
+		example = "Example.com"
+		regexp = dns1123SubdomainCaselessRegexp
+	}
+	if !regexp.MatchString(value) {
+		errs = append(errs, RegexError(errorMsg, dns1123SubdomainFmt, example))
+	}
+	return errs
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns_test.go
new file mode 100644
index 0000000000000..c241d722c1e7f
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/dns_test.go
@@ -0,0 +1,126 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestIsDNS1123Label(t *testing.T) {
+	goodValues := []string{
+		"a", "ab", "abc", "a1", "a-1", "a--1--2--b",
+		"0", "01", "012", "1a", "1-a", "1--a--b--2",
+		strings.Repeat("a", 63),
+	}
+	for _, val := range goodValues {
+		if msgs := IsDNS1123Label(val); len(msgs) != 0 {
+			t.Errorf("expected true for '%s': %v", val, msgs)
+		}
+	}
+
+	badValues := []string{
+		"", "A", "ABC", "aBc", "A1", "A-1", "1-A",
+		"-", "a-", "-a", "1-", "-1",
+		"_", "a_", "_a", "a_b", "1_", "_1", "1_2",
+		".", "a.", ".a", "a.b", "1.", ".1", "1.2",
+		" ", "a ", " a", "a b", "1 ", " 1", "1 2",
+		strings.Repeat("a", 64),
+	}
+	for _, val := range badValues {
+		if msgs := IsDNS1123Label(val); len(msgs) == 0 {
+			t.Errorf("expected false for '%s'", val)
+		}
+	}
+}
+
+func TestIsDNS1123Subdomain(t *testing.T) {
+	goodValues := []string{
+		"a", "ab", "abc", "a1", "a-1", "a--1--2--b",
+		"0", "01", "012", "1a", "1-a", "1--a--b--2",
+		"a.a", "ab.a", "abc.a", "a1.a", "a-1.a", "a--1--2--b.a",
+		"a.1", "ab.1", "abc.1", "a1.1", "a-1.1", "a--1--2--b.1",
+		"0.a", "01.a", "012.a", "1a.a", "1-a.a", "1--a--b--2",
+		"0.1", "01.1", "012.1", "1a.1", "1-a.1", "1--a--b--2.1",
+		"a.b.c.d.e", "aa.bb.cc.dd.ee", "1.2.3.4.5", "11.22.33.44.55",
+		strings.Repeat("a", 253),
+	}
+	for _, val := range goodValues {
+		if msgs := IsDNS1123Subdomain(val); len(msgs) != 0 {
+			t.Errorf("expected true for '%s': %v", val, msgs)
+		}
+	}
+
+	badValues := []string{
+		"", "A", "ABC", "aBc", "A1", "A-1", "1-A",
+		"-", "a-", "-a", "1-", "-1",
+		"_", "a_", "_a", "a_b", "1_", "_1", "1_2",
+		".", "a.", ".a", "a..b", "1.", ".1", "1..2",
+		" ", "a ", " a", "a b", "1 ", " 1", "1 2",
+		"A.a", "aB.a", "ab.A", "A1.a", "a1.A",
+		"A.1", "aB.1", "A1.1", "1A.1",
+		"0.A", "01.A", "012.A", "1A.a", "1a.A",
+		"A.B.C.D.E", "AA.BB.CC.DD.EE", "a.B.c.d.e", "aa.bB.cc.dd.ee",
+		"a@b", "a,b", "a_b", "a;b",
+		"a:b", "a%b", "a?b", "a$b",
+		strings.Repeat("a", 254),
+	}
+	for _, val := range badValues {
+		if msgs := IsDNS1123Subdomain(val); len(msgs) == 0 {
+			t.Errorf("expected false for '%s'", val)
+		}
+	}
+}
+
+func TestIsDNS1123SubdomainCaseless(t *testing.T) {
+	goodValues := []string{
+		"a", "ab", "abc", "a1", "a-1", "a--1--2--b",
+		"0", "01", "012", "1a", "1-a", "1--a--b--2",
+		"a.a", "ab.a", "abc.a", "a1.a", "a-1.a", "a--1--2--b.a",
+		"a.1", "ab.1", "abc.1", "a1.1", "a-1.1", "a--1--2--b.1",
+		"0.a", "01.a", "012.a", "1a.a", "1-a.a", "1--a--b--2",
+		"0.1", "01.1", "012.1", "1a.1", "1-a.1", "1--a--b--2.1",
+		"a.b.c.d.e", "aa.bb.cc.dd.ee", "1.2.3.4.5", "11.22.33.44.55",
+		"A", "AB", "ABC", "A1", "A-1",
+		"A.A", "AB.A", "ABC.A", "A1.A", "A-1.A",
+		"A.B.C.D.E", "AA.BB.CC.DD.EE",
+		"a.B.c.d.e", "aa.bB.cc.dd.ee",
+		strings.Repeat("a", 253),
+		strings.Repeat("A", 253),
+	}
+	for _, val := range goodValues {
+		if msgs := IsDNS1123SubdomainCaseless(val); len(msgs) != 0 {
+			t.Errorf("expected true for '%s': %v", val, msgs)
+		}
+	}
+
+	badValues := []string{
+		"",
+		"-", "a-", "-a", "1-", "-1",
+		"_", "a_", "_a", "a_b", "1_", "_1", "1_2",
+		".", "a.", ".a", "a..b", "1.", ".1", "1..2",
+		" ", "a ", " a", "a b", "1 ", " 1", "1 2",
+		"a@b", "a,b", "a_b", "a;b",
+		"a:b", "a%b", "a?b", "a$b",
+		strings.Repeat("a", 254),
+	}
+	for _, val := range badValues {
+		if msgs := IsDNS1123SubdomainCaseless(val); len(msgs) == 0 {
+			t.Errorf("expected false for '%s'", val)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/errors.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/errors.go
index 3370df48b9c13..a4a1b5574c6ef 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/errors.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/errors.go
@@ -29,6 +29,33 @@ func MinError[T constraints.Integer](min T) string {
 	return fmt.Sprintf("must be greater than or equal to %d", min)
 }
 
+// MaxLenError returns a string explanation of a "string too long" validation
+// failure.
+func MaxLenError(length int) string {
+	return fmt.Sprintf("must be no more than %d bytes", length)
+}
+
+// EmptyError returns a string explanation of an "empty string" validation.
+func EmptyError() string {
+	return "must be non-empty"
+}
+
+// RegexError returns a string explanation of a regex validation failure.
+func RegexError(msg string, re string, examples ...string) string {
+	if len(examples) == 0 {
+		return msg + " (regex used for validation is '" + re + "')"
+	}
+	msg += " (e.g. "
+	for i := range examples {
+		if i > 0 {
+			msg += " or "
+		}
+		msg += "'" + examples[i] + "', "
+	}
+	msg += "regex used for validation is '" + re + "')"
+	return msg
+}
+
 // NEQError returns a string explanation of a "must not be equal to" validation failure.
 func NEQError[T any](disallowed T) string {
 	format := "%v"
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier.go
new file mode 100644
index 0000000000000..3913ec99163ad
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"regexp"
+)
+
+const cIdentifierFmt string = "[A-Za-z_][A-Za-z0-9_]*"
+const identifierErrMsg string = "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'"
+
+var cIdentifierRegexp = regexp.MustCompile("^" + cIdentifierFmt + "$")
+
+// IsCIdentifier tests for a string that conforms the definition of an identifier
+// in C. This checks the format, but not the length.
+func IsCIdentifier(value string) []string {
+	if !cIdentifierRegexp.MatchString(value) {
+		return []string{RegexError(identifierErrMsg, cIdentifierFmt, "my_name", "MY_NAME", "MyName")}
+	}
+	return nil
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier_test.go
new file mode 100644
index 0000000000000..e5c1bf84ab224
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/identifier_test.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"testing"
+)
+
+func TestIsCIdentifier(t *testing.T) {
+	goodValues := []string{
+		"a", "ab", "abc", "a1", "_a", "a_", "a_b", "a_1", "a__1__2__b", "__abc_123",
+		"A", "AB", "AbC", "A1", "_A", "A_", "A_B", "A_1", "A__1__2__B", "__123_ABC",
+	}
+	for _, val := range goodValues {
+		if msgs := IsCIdentifier(val); len(msgs) != 0 {
+			t.Errorf("expected true for '%s': %v", val, msgs)
+		}
+	}
+
+	badValues := []string{
+		"", "1", "123", "1a",
+		"-", "a-", "-a", "1-", "-1", "1_", "1_2",
+		".", "a.", ".a", "a.b", "1.", ".1", "1.2",
+		" ", "a ", " a", "a b", "1 ", " 1", "1 2",
+		"#a#",
+	}
+	for _, val := range badValues {
+		if msgs := IsCIdentifier(val); len(msgs) == 0 {
+			t.Errorf("expected false for '%s'", val)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go
new file mode 100644
index 0000000000000..44e82eefd33ee
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube.go
@@ -0,0 +1,101 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"regexp"
+	"strings"
+)
+
+const labelKeyCharFmt string = "[A-Za-z0-9]"
+const labelKeyExtCharFmt string = "[-A-Za-z0-9_.]"
+const labelKeyFmt string = "(" + labelKeyCharFmt + labelKeyExtCharFmt + "*)?" + labelKeyCharFmt
+const labelKeyErrMsg string = "must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+const labelKeyMaxLength int = 63
+
+var labelKeyRegexp = regexp.MustCompile("^" + labelKeyFmt + "$")
+
+// IsQualifiedName tests whether the value passed is what Kubernetes calls a
+// "qualified name", which is the same as a label key.
+//
+// Deprecated: use IsLabelKey instead.
+var IsQualifiedName = IsLabelKey
+
+// IsLabelKey tests whether the value passed is a valid label key. This format
+// is used to validate many fields in the Kubernetes API.
+// Label keys consist of an optional prefix and a name, separated by a '/'.
+// If the value is not valid, a list of error strings is returned. Otherwise, an
+// empty list (or nil) is returned.
+func IsLabelKey(value string) []string {
+	var errs []string
+	parts := strings.Split(value, "/")
+	var name string
+	switch len(parts) {
+	case 1:
+		name = parts[0]
+	case 2:
+		var prefix string
+		prefix, name = parts[0], parts[1]
+		if len(prefix) == 0 {
+			errs = append(errs, "prefix part "+EmptyError())
+		} else if msgs := IsDNS1123Subdomain(prefix); len(msgs) != 0 {
+			errs = append(errs, prefixEach(msgs, "prefix part ")...)
+		}
+	default:
+		return append(errs, "a valid label key "+RegexError(labelKeyErrMsg, labelKeyFmt, "MyName", "my.name", "123-abc")+
+			" with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")
+	}
+
+	if len(name) == 0 {
+		errs = append(errs, "name part "+EmptyError())
+	} else if len(name) > labelKeyMaxLength {
+		errs = append(errs, "name part "+MaxLenError(labelKeyMaxLength))
+	}
+	if !labelKeyRegexp.MatchString(name) {
+		errs = append(errs, "name part "+RegexError(labelKeyErrMsg, labelKeyFmt, "MyName", "my.name", "123-abc"))
+	}
+	return errs
+}
+
+const labelValueFmt string = "(" + labelKeyFmt + ")?"
+const labelValueErrMsg string = "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+
+// LabelValueMaxLength is a label's max length
+const LabelValueMaxLength int = 63
+
+var labelValueRegexp = regexp.MustCompile("^" + labelValueFmt + "$")
+
+// IsLabelValue tests whether the value passed is a valid label value.  If
+// the value is not valid, a list of error strings is returned.  Otherwise an
+// empty list (or nil) is returned.
+func IsLabelValue(value string) []string {
+	var errs []string
+	if len(value) > LabelValueMaxLength {
+		errs = append(errs, MaxLenError(LabelValueMaxLength))
+	}
+	if !labelValueRegexp.MatchString(value) {
+		errs = append(errs, RegexError(labelValueErrMsg, labelValueFmt, "MyValue", "my_value", "12345"))
+	}
+	return errs
+}
+
+func prefixEach(msgs []string, prefix string) []string {
+	for i := range msgs {
+		msgs[i] = prefix + msgs[i]
+	}
+	return msgs
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube_test.go
new file mode 100644
index 0000000000000..efa08f41712e7
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/content/kube_test.go
@@ -0,0 +1,100 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package content
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestIsLabelKey(t *testing.T) {
+	successCases := []string{
+		"simple",
+		"now-with-dashes",
+		"1-starts-with-num",
+		"1234",
+		"simple/simple",
+		"now-with-dashes/simple",
+		"now-with-dashes/now-with-dashes",
+		"now.with.dots/simple",
+		"now-with.dashes-and.dots/simple",
+		"1-num.2-num/3-num",
+		"1234/5678",
+		"1.2.3.4/5678",
+		"Uppercase_Is_OK_123",
+		"example.com/Uppercase_Is_OK_123",
+		"requests.storage-foo",
+		strings.Repeat("a", 63),
+		strings.Repeat("a", 253) + "/" + strings.Repeat("b", 63),
+	}
+	for i := range successCases {
+		if errs := IsLabelKey(successCases[i]); len(errs) != 0 {
+			t.Errorf("case[%d]: %q: expected success: %v", i, successCases[i], errs)
+		}
+	}
+
+	errorCases := []string{
+		"nospecialchars%^=@",
+		"cantendwithadash-",
+		"-cantstartwithadash-",
+		"only/one/slash",
+		"Example.com/abc",
+		"example_com/abc",
+		"example.com/",
+		"/simple",
+		strings.Repeat("a", 64),
+		strings.Repeat("a", 254) + "/abc",
+	}
+	for i := range errorCases {
+		if errs := IsLabelKey(errorCases[i]); len(errs) == 0 {
+			t.Errorf("case[%d]: %q: expected failure", i, errorCases[i])
+		}
+	}
+}
+
+func TestIsLabelValue(t *testing.T) {
+	successCases := []string{
+		"simple",
+		"now-with-dashes",
+		"1-starts-with-num",
+		"end-with-num-1",
+		"1234",                  // only num
+		strings.Repeat("a", 63), // to the limit
+		"",                      // empty value
+	}
+	for i := range successCases {
+		if errs := IsLabelValue(successCases[i]); len(errs) != 0 {
+			t.Errorf("case %s expected success: %v", successCases[i], errs)
+		}
+	}
+
+	errorCases := []string{
+		"nospecialchars%^=@",
+		"Tama-nui-te-rā.is.Māori.sun",
+		"\\backslashes\\are\\bad",
+		"-starts-with-dash",
+		"ends-with-dash-",
+		".starts.with.dot",
+		"ends.with.dot.",
+		strings.Repeat("a", 64), // over the limit
+	}
+	for i := range errorCases {
+		if errs := IsLabelValue(errorCases[i]); len(errs) == 0 {
+			t.Errorf("case[%d] expected failure", i)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/each.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/each.go
index 3d5bd3c1e70af..c815d6d913720 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/each.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/each.go
@@ -169,3 +169,18 @@ func SemanticDeepEqual[T any](a, b T) bool {
 func DirectEqual[T comparable](a, b T) bool {
 	return a == b
 }
+
+// DirectEqualPtr is a MatchFunc that dereferences two pointers and uses the ==
+// operator to compare the values. If both pointers are nil, it returns true.
+// If one pointer is nil and the other is not, it returns false.
+// It can be used by any other function that needs to compare two pointees
+// directly.
+func DirectEqualPtr[T comparable](a, b *T) bool {
+	if a == b {
+		return true
+	}
+	if a == nil || b == nil {
+		return false
+	}
+	return *a == *b
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/enum.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/enum.go
index fc2167a410e06..6e5bcf373b8fc 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/enum.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/enum.go
@@ -25,16 +25,50 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-// Enum verifies that the specified value is one of the valid symbols.
-// This is for string enums only.
-func Enum[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T, symbols sets.Set[T]) field.ErrorList {
+// Enum verifies that a given value is a member of a set of enum values.
+// Exclude Rules that apply when options are enabled or disabled are also considered.
+// If ANY exclude rule matches for a value, that value is excluded from the enum when validating.
+func Enum[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T, validValues sets.Set[T], exclusions []EnumExclusion[T]) field.ErrorList {
 	if value == nil {
 		return nil
 	}
-	if !symbols.Has(*value) {
-		symbolList := symbols.UnsortedList()
-		slices.Sort(symbolList)
-		return field.ErrorList{field.NotSupported[T](fldPath, *value, symbolList)}
+	if !validValues.Has(*value) || isExcluded(op, exclusions, *value) {
+		return field.ErrorList{field.NotSupported[T](fldPath, *value, supportedValues(op, validValues, exclusions))}
 	}
 	return nil
 }
+
+// supportedValues returns a sorted list of supported values.
+// Excluded enum values are not included in the list.
+func supportedValues[T ~string](op operation.Operation, values sets.Set[T], exclusions []EnumExclusion[T]) []T {
+	res := make([]T, 0, len(values))
+	for key := range values {
+		if isExcluded(op, exclusions, key) {
+			continue
+		}
+		res = append(res, key)
+	}
+	slices.Sort(res)
+	return res
+}
+
+// EnumExclusion represents a single enum exclusion rule.
+type EnumExclusion[T ~string] struct {
+	// Value specifies the enum value to be conditionally excluded.
+	Value T
+	// ExcludeWhen determines the condition for exclusion.
+	// If true, the value is excluded if the option is present.
+	// If false, the value is excluded if the option is NOT present.
+	ExcludeWhen bool
+	// Option is the name of the feature option that controls the exclusion.
+	Option string
+}
+
+func isExcluded[T ~string](op operation.Operation, exclusions []EnumExclusion[T], value T) bool {
+	for _, rule := range exclusions {
+		if rule.Value == value && rule.ExcludeWhen == op.HasOption(rule.Option) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/enum_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/enum_test.go
index c392aac7cb67e..a42f00ce9201e 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/enum_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/enum_test.go
@@ -27,38 +27,43 @@ import (
 
 func TestEnum(t *testing.T) {
 	cases := []struct {
-		value string
-		valid sets.Set[string]
-		err   bool
+		name      string
+		value     string
+		valid     sets.Set[string]
+		expectErr string
 	}{{
-		value: "a",
-		valid: sets.New("a", "b", "c"),
-		err:   false,
+		name:      "valid value",
+		value:     "a",
+		valid:     sets.New("a", "b", "c"),
+		expectErr: "",
 	}, {
-		value: "x",
-		valid: sets.New("c", "a", "b"),
-		err:   true,
+		name:      "invalid value",
+		value:     "x",
+		valid:     sets.New("a", "b", "c"),
+		expectErr: `fldpath: Unsupported value: "x": supported values: "a", "b", "c"`,
 	}}
 
-	for i, tc := range cases {
-		result := Enum(context.Background(), operation.Operation{}, field.NewPath("fldpath"), &tc.value, nil, tc.valid)
-		if len(result) > 0 && !tc.err {
-			t.Errorf("case %d: unexpected failure: %v", i, fmtErrs(result))
-			continue
-		}
-		if len(result) == 0 && tc.err {
-			t.Errorf("case %d: unexpected success", i)
-			continue
-		}
-		if len(result) > 0 {
-			if len(result) > 1 {
-				t.Errorf("case %d: unexepected multi-error: %v", i, fmtErrs(result))
-				continue
-			}
-			if want, got := `supported values: "a", "b", "c"`, result[0].Detail; got != want {
-				t.Errorf("case %d: wrong error, expected: %q, got: %q", i, want, got)
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			op := operation.Operation{Type: operation.Create}
+			errs := Enum(context.Background(), op, field.NewPath("fldpath"), &tc.value, nil, tc.valid, nil)
+
+			if tc.expectErr == "" {
+				if len(errs) > 0 {
+					t.Fatalf("expected no error, but got: %v", errs)
+				}
+			} else {
+				if len(errs) == 0 {
+					t.Fatal("expected an error, but got none")
+				}
+				if len(errs) > 1 {
+					t.Fatalf("expected a single error, but got: %v", errs)
+				}
+				if errs[0].Error() != tc.expectErr {
+					t.Errorf("expected error %q, but got %q", tc.expectErr, errs[0].Error())
+				}
 			}
-		}
+		})
 	}
 }
 
@@ -71,37 +76,149 @@ func TestEnumTypedef(t *testing.T) {
 	)
 
 	cases := []struct {
-		value StringType
-		valid sets.Set[StringType]
-		err   bool
+		name      string
+		value     StringType
+		valid     sets.Set[StringType]
+		expectErr string
 	}{{
-		value: "foo",
-		valid: sets.New(NotStringFoo, NotStringBar, NotStringQux),
-		err:   false,
+		name:      "valid value",
+		value:     "foo",
+		valid:     sets.New(NotStringFoo, NotStringBar, NotStringQux),
+		expectErr: "",
 	}, {
-		value: "x",
-		valid: sets.New(NotStringFoo, NotStringBar, NotStringQux),
-		err:   true,
+		name:      "invalid value",
+		value:     "x",
+		valid:     sets.New(NotStringFoo, NotStringBar, NotStringQux),
+		expectErr: `fldpath: Unsupported value: "x": supported values: "bar", "foo", "qux"`,
 	}}
 
-	for i, tc := range cases {
-		result := Enum(context.Background(), operation.Operation{}, field.NewPath("fldpath"), &tc.value, nil, tc.valid)
-		if len(result) > 0 && !tc.err {
-			t.Errorf("case %d: unexpected failure: %v", i, fmtErrs(result))
-			continue
-		}
-		if len(result) == 0 && tc.err {
-			t.Errorf("case %d: unexpected success", i)
-			continue
-		}
-		if len(result) > 0 {
-			if len(result) > 1 {
-				t.Errorf("case %d: unexepected multi-error: %v", i, fmtErrs(result))
-				continue
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			op := operation.Operation{Type: operation.Create}
+			errs := Enum(context.Background(), op, field.NewPath("fldpath"), &tc.value, nil, tc.valid, nil)
+
+			if tc.expectErr == "" {
+				if len(errs) > 0 {
+					t.Fatalf("expected no error, but got: %v", errs)
+				}
+			} else {
+				if len(errs) == 0 {
+					t.Fatal("expected an error, but got none")
+				}
+				if len(errs) > 1 {
+					t.Fatalf("expected a single error, but got: %v", errs)
+				}
+				if errs[0].Error() != tc.expectErr {
+					t.Errorf("expected error %q, but got %q", tc.expectErr, errs[0].Error())
+				}
 			}
-			if want, got := `supported values: "bar", "foo", "qux"`, result[0].Detail; got != want {
-				t.Errorf("case %d: wrong error, expected: %q, got: %q", i, want, got)
+		})
+	}
+}
+
+func TestEnumExclude(t *testing.T) {
+	type TestEnum string
+	const (
+		ValueA TestEnum = "A"
+		ValueB TestEnum = "B"
+		ValueC TestEnum = "C"
+		ValueD TestEnum = "D"
+	)
+
+	const (
+		FeatureA = "FeatureA"
+		FeatureB = "FeatureB"
+	)
+
+	testEnumValues := sets.New(ValueA, ValueB, ValueC, ValueD)
+	testEnumExclusions := []EnumExclusion[TestEnum]{
+		{Value: ValueA, Option: FeatureA, ExcludeWhen: true},
+		{Value: ValueB, Option: FeatureB, ExcludeWhen: false},
+		{Value: ValueD, Option: FeatureA, ExcludeWhen: true},
+		{Value: ValueD, Option: FeatureB, ExcludeWhen: false},
+	}
+
+	testCases := []struct {
+		name      string
+		value     TestEnum
+		opts      []string
+		expectErr string
+	}{
+		{
+			name:  "no options, A is valid",
+			value: ValueA,
+		},
+		{
+			name:      "no options, B is invalid",
+			value:     ValueB,
+			expectErr: `fld: Unsupported value: "B": supported values: "A", "C"`,
+		},
+		{
+			name:      "no options, D is invalid",
+			value:     ValueD,
+			expectErr: `fld: Unsupported value: "D": supported values: "A", "C"`,
+		},
+		{
+			name:      "FeatureA enabled, A is invalid",
+			value:     ValueA,
+			opts:      []string{FeatureA},
+			expectErr: `fld: Unsupported value: "A": supported values: "C"`,
+		},
+		{
+			name:      "FeatureA enabled, B is invalid",
+			value:     ValueB,
+			opts:      []string{FeatureA},
+			expectErr: `fld: Unsupported value: "B": supported values: "C"`,
+		},
+		{
+			name:  "FeatureB enabled, A is valid",
+			value: ValueA,
+			opts:  []string{FeatureB},
+		},
+		{
+			name:  "FeatureB enabled, B is valid",
+			value: ValueB,
+			opts:  []string{FeatureB},
+		},
+		{
+			name:      "FeatureA and FeatureB enabled, A is invalid",
+			value:     ValueA,
+			opts:      []string{FeatureA, FeatureB},
+			expectErr: `fld: Unsupported value: "A": supported values: "B", "C"`,
+		},
+		{
+			name:  "FeatureA and FeatureB enabled, B is valid",
+			value: ValueB,
+			opts:  []string{FeatureA, FeatureB},
+		},
+		{
+			name:      "FeatureA and FeatureB enabled, D is invalid",
+			value:     ValueD,
+			opts:      []string{FeatureA, FeatureB},
+			expectErr: `fld: Unsupported value: "D": supported values: "B", "C"`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			op := operation.Operation{Type: operation.Create, Options: tc.opts}
+			errs := Enum(context.Background(), op, field.NewPath("fld"), &tc.value, nil, testEnumValues, testEnumExclusions)
+
+			if tc.expectErr == "" {
+				if len(errs) > 0 {
+					t.Fatalf("expected no error, but got: %v", errs)
+				}
+			} else {
+				if len(errs) == 0 {
+					t.Fatal("expected an error, but got none")
+				}
+				if len(errs) > 1 {
+					t.Fatalf("expected a single error, but got: %v", errs)
+				}
+				if errs[0].Error() != tc.expectErr {
+					t.Errorf("expected error %q, but got %q", tc.expectErr, errs[0].Error())
+				}
 			}
-		}
+		})
 	}
 }
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable.go
index 5a9d3da2ec240..01a879c98f630 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable.go
@@ -19,46 +19,22 @@ package validate
 import (
 	"context"
 
-	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/operation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-// ImmutableByCompare verifies that the specified value has not changed in the
-// course of an update operation.  It does nothing if the old value is not
-// provided. If the caller needs to compare types that are not trivially
-// comparable, they should use ImmutableByReflect instead.
+// Immutable verifies that the specified value has not changed in the course of
+// an update operation. It does nothing if the old value is not provided.
 //
-// Caution: structs with pointer fields satisfy comparable, but this function
-// will only compare pointer values.  It does not compare the pointed-to
-// values.
-func ImmutableByCompare[T comparable](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T) field.ErrorList {
+// This function unconditionally returns a validation error as it
+// relies on the default ratcheting mechanism to only be called when a
+// change to the field has already been detected.  This avoids a redundant
+// equivalence check across ratcheting and this function.
+func Immutable[T any](_ context.Context, op operation.Operation, fldPath *field.Path, _, _ T) field.ErrorList {
 	if op.Type != operation.Update {
 		return nil
 	}
-	if value == nil && oldValue == nil {
-		return nil
-	}
-	if value == nil || oldValue == nil || *value != *oldValue {
-		return field.ErrorList{
-			field.Forbidden(fldPath, "field is immutable"),
-		}
-	}
-	return nil
-}
-
-// ImmutableByReflect verifies that the specified value has not changed in
-// the course of an update operation.  It does nothing if the old value is not
-// provided. Unlike ImmutableByCompare, this function can be used with types that are
-// not directly comparable, at the cost of performance.
-func ImmutableByReflect[T any](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue T) field.ErrorList {
-	if op.Type != operation.Update {
-		return nil
-	}
-	if !equality.Semantic.DeepEqual(value, oldValue) {
-		return field.ErrorList{
-			field.Forbidden(fldPath, "field is immutable"),
-		}
+	return field.ErrorList{
+		field.Invalid(fldPath, nil, "field is immutable").WithOrigin("immutable"),
 	}
-	return nil
 }
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable_test.go
index c9edece284275..60396b0cc647d 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/immutable_test.go
@@ -25,225 +25,51 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-type StructComparable struct {
-	S string
-	I int
-	B bool
-}
-
-func TestImmutableByCompare(t *testing.T) {
-	structA := StructComparable{"abc", 123, true}
-	structA2 := structA
-	structB := StructComparable{"xyz", 456, false}
+func TestImmutable(t *testing.T) {
+	// The Immutable function relies on validation ratcheting to avoid being
+	// called when old and new values are equivalent. This unit test only needs
+	// to confirm two behaviors:
+	// 1. The function does nothing for non-update operations (e.g., create).
+	// 2. The function *always* returns an error for update operations, since
+	//    ratcheting should have prevented the call if the values were unchanged.
 
-	for _, tc := range []struct {
-		name string
-		fn   func(operation.Operation, *field.Path) field.ErrorList
-		fail bool
-	}{{
-		name: "nil both values",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare[int](context.Background(), op, fld, nil, nil)
-		},
-	}, {
-		name: "nil value",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, nil, ptr.To(123))
-		},
-		fail: true,
-	}, {
-		name: "nil oldValue",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(123), nil)
-		},
-		fail: true,
-	}, {
-		name: "int",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(123), ptr.To(123))
-		},
-	}, {
-		name: "int fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(123), ptr.To(456))
-		},
-		fail: true,
-	}, {
-		name: "string",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To("abc"), ptr.To("abc"))
-		},
-	}, {
-		name: "string fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To("abc"), ptr.To("xyz"))
-		},
-		fail: true,
-	}, {
-		name: "bool",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(true), ptr.To(true))
-		},
-	}, {
-		name: "bool fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(true), ptr.To(false))
-		},
-		fail: true,
-	}, {
-		name: "same struct",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(structA), ptr.To(structA))
-		},
-	}, {
-		name: "equal struct",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(structA), ptr.To(structA2))
-		},
-	}, {
-		name: "struct fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByCompare(context.Background(), op, fld, ptr.To(structA), ptr.To(structB))
-		},
-		fail: true,
-	}} {
-		t.Run(tc.name, func(t *testing.T) {
-			errs := tc.fn(operation.Operation{Type: operation.Create}, field.NewPath(""))
-			if len(errs) != 0 { // Create should always succeed
-				t.Errorf("case %q (create): expected success: %v", tc.name, errs)
-			}
-			errs = tc.fn(operation.Operation{Type: operation.Update}, field.NewPath(""))
-			if tc.fail && len(errs) == 0 {
-				t.Errorf("case %q (update): expected failure", tc.name)
-			} else if !tc.fail && len(errs) != 0 {
-				t.Errorf("case %q (update): expected success: %v", tc.name, errs)
-			}
-		})
-	}
-}
-
-type StructNonComparable struct {
-	S   string
-	SP  *string
-	I   int
-	IP  *int
-	B   bool
-	BP  *bool
-	SS  []string
-	MSS map[string]string
-}
-
-func TestImmutableByReflect(t *testing.T) {
-	structA := StructNonComparable{
-		S:   "abc",
-		SP:  ptr.To("abc"),
-		I:   123,
-		IP:  ptr.To(123),
-		B:   true,
-		BP:  ptr.To(true),
-		SS:  []string{"a", "b", "c"},
-		MSS: map[string]string{"a": "b", "c": "d"},
-	}
-
-	structA2 := structA
-	structA2.SP = ptr.To("abc")
-	structA2.IP = ptr.To(123)
-	structA2.BP = ptr.To(true)
-	structA2.SS = []string{"a", "b", "c"}
-	structA2.MSS = map[string]string{"a": "b", "c": "d"}
-
-	structB := StructNonComparable{
-		S:   "xyz",
-		SP:  ptr.To("xyz"),
-		I:   456,
-		IP:  ptr.To(456),
-		B:   false,
-		BP:  ptr.To(false),
-		SS:  []string{"x", "y", "z"},
-		MSS: map[string]string{"x": "X", "y": "Y"},
+	type simpleStruct struct {
+		S string
 	}
 
 	for _, tc := range []struct {
 		name string
-		fn   func(operation.Operation, *field.Path) field.ErrorList
-		fail bool
+		fn   func(op operation.Operation, fldPath *field.Path) field.ErrorList
 	}{{
-		name: "nil both values",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect[*int](context.Background(), op, fld, nil, nil)
-		},
-	}, {
-		name: "nil value",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, nil, ptr.To(123))
-		},
-		fail: true,
-	}, {
-		name: "nil oldValue",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(123), nil)
-		},
-		fail: true,
-	}, {
-		name: "int",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(123), ptr.To(123))
-		},
-	}, {
-		name: "int fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(123), ptr.To(456))
-		},
-		fail: true,
-	}, {
-		name: "string",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To("abc"), ptr.To("abc"))
-		},
-	}, {
-		name: "string fail",
+		name: "with primitive type",
 		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To("abc"), ptr.To("xyz"))
+			return Immutable(context.Background(), op, fld, ptr.To(123), ptr.To(456))
 		},
-		fail: true,
 	}, {
-		name: "bool",
+		name: "with struct type",
 		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(true), ptr.To(true))
+			return Immutable(context.Background(), op, fld, &simpleStruct{S: "a"}, &simpleStruct{S: "b"})
 		},
 	}, {
-		name: "bool fail",
+		name: "with nil values",
 		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(true), ptr.To(false))
+			// Explicitly type the nil to satisfy the generic function signature.
+			return Immutable[*int](context.Background(), op, fld, nil, nil)
 		},
-		fail: true,
-	}, {
-		name: "same struct",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(structA), ptr.To(structA))
-		},
-	}, {
-		name: "equal struct",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(structA), ptr.To(structA2))
-		},
-	}, {
-		name: "struct fail",
-		fn: func(op operation.Operation, fld *field.Path) field.ErrorList {
-			return ImmutableByReflect(context.Background(), op, fld, ptr.To(structA), ptr.To(structB))
-		},
-		fail: true,
 	}} {
 		t.Run(tc.name, func(t *testing.T) {
-			errs := tc.fn(operation.Operation{Type: operation.Create}, field.NewPath(""))
-			if len(errs) != 0 { // Create should always succeed
-				t.Errorf("case %q (create): expected success: %v", tc.name, errs)
+			// Create operations should never return an error.
+			errs := tc.fn(operation.Operation{Type: operation.Create}, field.NewPath("field"))
+			if len(errs) != 0 {
+				t.Errorf("expected success for create operation, but got errors: %v", errs)
 			}
-			errs = tc.fn(operation.Operation{Type: operation.Update}, field.NewPath(""))
-			if tc.fail && len(errs) == 0 {
-				t.Errorf("case %q (update): expected failure", tc.name)
-			} else if !tc.fail && len(errs) != 0 {
-				t.Errorf("case %q (update): expected success: %v", tc.name, errs)
+
+			// Update operations should always return exactly one error.
+			errs = tc.fn(operation.Operation{Type: operation.Update}, field.NewPath("field"))
+			if len(errs) == 0 {
+				t.Errorf("expected a failure for update operation, but got success")
+			} else if len(errs) > 1 {
+				t.Errorf("expected exactly one error for update operation, but got %d: %v", len(errs), errs)
 			}
 		})
 	}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/item.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/item.go
index 9cc61dd3de27b..aba417fa1d4c7 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/item.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/item.go
@@ -26,16 +26,21 @@ import (
 // MatchItemFn takes a pointer to an item and returns true if it matches the criteria.
 type MatchItemFn[T any] func(*T) bool
 
-// SliceItem finds the first item in newList that satisfies the 'matches' predicate,
-// and if found, also looks for a matching item in oldList. It then invokes
-// 'itemValidator' on these items.
-// The fldPath passed to itemValidator is indexed to the matched item's position in newList.
-// This function processes only the *first* matching item found in newList.
-// It assumes that the 'matches' predicate targets a unique identifier (primary key) and
-// will match at most one element per list.
-// If this assumption is violated, changes in list order can lead this function
-// to have inconsistent behavior.
-// This function does not validate items that were removed (present in oldList but not in newList).
+// SliceItem finds the first item in newList that satisfies the match function,
+// and if found, also looks for a matching item in oldList. If the value of the
+// item is the same as the previous value, as per the equiv function, then no
+// validation is performed. Otherwise, it invokes 'itemValidator' on these items.
+//
+// This function processes only the *first* matching item found in newList. It
+// assumes that the match functions targets a unique identifier (primary key)
+// and will match at most one element per list. If this assumption is violated,
+// changes in list order can lead this function to have inconsistent behavior.
+//
+// The fldPath passed to itemValidator is indexed to the matched item's
+// position in newList.
+//
+// This function does not validate items that were removed (present in oldList
+// but not in newList).
 func SliceItem[TList ~[]TItem, TItem any](
 	ctx context.Context, op operation.Operation, fldPath *field.Path,
 	newList, oldList TList,
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/limits.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/limits.go
index 5f5fe83a4dfea..b6db5e08cbe6a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/limits.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/limits.go
@@ -25,6 +25,26 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
+// MaxLength verifies that the specified value is not longer than max
+// characters.
+func MaxLength[T ~string](_ context.Context, _ operation.Operation, fldPath *field.Path, value, _ *T, max int) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	if len(*value) > max {
+		return field.ErrorList{field.TooLong(fldPath, *value, max).WithOrigin("maxLength")}
+	}
+	return nil
+}
+
+// MaxItems verifies that the specified slice is not longer than max items.
+func MaxItems[T any](_ context.Context, _ operation.Operation, fldPath *field.Path, value, _ []T, max int) field.ErrorList {
+	if len(value) > max {
+		return field.ErrorList{field.TooMany(fldPath, len(value), max).WithOrigin("maxItems")}
+	}
+	return nil
+}
+
 // Minimum verifies that the specified value is greater than or equal to min.
 func Minimum[T constraints.Integer](_ context.Context, _ operation.Operation, fldPath *field.Path, value, _ *T, min T) field.ErrorList {
 	if value == nil {
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/limits_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/limits_test.go
index 60b785b758d3e..f17937c691306 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/limits_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/limits_test.go
@@ -26,6 +26,110 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
+func TestMaxLength(t *testing.T) {
+	cases := []struct {
+		name     string
+		value    string
+		max      int
+		wantErrs field.ErrorList // regex
+	}{{
+		name:     "empty string",
+		value:    "",
+		max:      0,
+		wantErrs: nil,
+	}, {
+		name:  "zero length",
+		value: "0",
+		max:   0,
+		wantErrs: field.ErrorList{
+			field.TooLong(field.NewPath("fldpath"), nil, 0).WithOrigin("maxLength"),
+		},
+	}, {
+		name:     "one character",
+		value:    "0",
+		max:      1,
+		wantErrs: nil,
+	}, {
+		name:  "two characters",
+		value: "01",
+		max:   1,
+		wantErrs: field.ErrorList{
+			field.TooLong(field.NewPath("fldpath"), nil, 1).WithOrigin("maxLength"),
+		},
+	}, {
+		value: "",
+		max:   -1,
+		wantErrs: field.ErrorList{
+			field.TooLong(field.NewPath("fldpath"), nil, -1).WithOrigin("maxLength"),
+		},
+	}}
+
+	matcher := field.ErrorMatcher{}.ByOrigin().ByDetailSubstring().ByField().ByType()
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			v := tc.value
+			gotErrs := MaxLength(context.Background(), operation.Operation{}, field.NewPath("fldpath"), &v, nil, tc.max)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestMaxItems(t *testing.T) {
+	cases := []struct {
+		name  string
+		items int
+		max   int
+		err   string // regex
+	}{{
+		name:  "0 items, max 0",
+		items: 0,
+		max:   0,
+	}, {
+		name:  "1 item, max 0",
+		items: 1,
+		max:   0,
+		err:   "fldpath: Too many.*must have at most",
+	}, {
+		name:  "1 item, max 1",
+		items: 1,
+		max:   1,
+	}, {
+		name:  "2 items, max 1",
+		items: 2,
+		max:   1,
+		err:   "fldpath: Too many.*must have at most",
+	}, {
+		name:  "0 items, max -1",
+		items: 0,
+		max:   -1,
+		err:   "fldpath: Too many.*too many items",
+	}}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := make([]bool, tc.items)
+			result := MaxItems(context.Background(), operation.Operation{}, field.NewPath("fldpath"), value, nil, tc.max)
+			if len(result) > 0 && tc.err == "" {
+				t.Errorf("unexpected failure: %v", fmtErrs(result))
+				return
+			}
+			if len(result) == 0 && tc.err != "" {
+				t.Errorf("unexpected success: expected %q", tc.err)
+				return
+			}
+			if len(result) > 0 {
+				if len(result) > 1 {
+					t.Errorf("unexepected multi-error: %v", fmtErrs(result))
+					return
+				}
+				if re := regexp.MustCompile(tc.err); !re.MatchString(result[0].Error()) {
+					t.Errorf("wrong error\nexpected: %q\n     got: %v", tc.err, fmtErrs(result))
+				}
+			}
+		})
+	}
+}
+
 func TestMinimum(t *testing.T) {
 	testMinimumPositive[int](t)
 	testMinimumNegative[int](t)
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/options.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/options.go
new file mode 100644
index 0000000000000..44236550b71bb
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/options.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validate
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// IfOption conditionally evaluates a validation function. If the option and enabled are both true the validator
+// is called. If the option and enabled are both false the validator is called. Otherwise, the validator is not called.
+func IfOption[T any](ctx context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T,
+	optionName string, enabled bool, validator func(context.Context, operation.Operation, *field.Path, *T, *T) field.ErrorList,
+) field.ErrorList {
+	if op.HasOption(optionName) == enabled {
+		return validator(ctx, op, fldPath, value, oldValue)
+	}
+	return nil
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt.go
new file mode 100644
index 0000000000000..9a21473055fda
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt.go
@@ -0,0 +1,290 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validate
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apimachinery/pkg/api/validate/content"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+const (
+	uuidErrorMessage              = "must be a lowercase UUID in 8-4-4-4-12 format"
+	defaultResourceRequestsPrefix = "requests."
+	// Default namespace prefix.
+	resourceDefaultNamespacePrefix = "kubernetes.io/"
+	resourceDeviceMaxLength        = 32
+)
+
+// ShortName verifies that the specified value is a valid "short name"
+// (sometimes known as a "DNS label").
+//   - must not be empty
+//   - must be less than 64 characters long
+//   - must start and end with lower-case alphanumeric characters
+//   - must contain only lower-case alphanumeric characters or dashes
+//
+// All errors returned by this function will be "invalid" type errors. If the
+// caller wants better errors, it must take responsibility for checking things
+// like required/optional and max-length.
+func ShortName[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	for _, msg := range content.IsDNS1123Label((string)(*value)) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, msg).WithOrigin("format=k8s-short-name"))
+	}
+	return allErrs
+}
+
+// LongName verifies that the specified value is a valid "long name"
+// (sometimes known as a "DNS subdomain").
+//   - must not be empty
+//   - must be less than 254 characters long
+//   - each element must start and end with lower-case alphanumeric characters
+//   - each element must contain only lower-case alphanumeric characters or dashes
+//
+// All errors returned by this function will be "invalid" type errors. If the
+// caller wants better errors, it must take responsibility for checking things
+// like required/optional and max-length.
+func LongName[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	for _, msg := range content.IsDNS1123Subdomain((string)(*value)) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, msg).WithOrigin("format=k8s-long-name"))
+	}
+	return allErrs
+}
+
+// LabelKey verifies that the specified value is a valid label key.
+// A label key is composed of an optional prefix and a name, separated by a '/'.
+// The name part is required and must:
+//   - be 63 characters or less
+//   - begin and end with an alphanumeric character ([a-z0-9A-Z])
+//   - contain only alphanumeric characters, dashes (-), underscores (_), or dots (.)
+//
+// The prefix is optional and must:
+//   - be a DNS subdomain
+//   - be no more than 253 characters
+func LabelKey[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	for _, msg := range content.IsLabelKey((string)(*value)) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, msg).WithOrigin("format=k8s-label-key"))
+	}
+	return allErrs
+}
+
+// LongNameCaseless verifies that the specified value is a valid "long name"
+// (sometimes known as a "DNS subdomain"), but is case-insensitive.
+//   - must not be empty
+//   - must be less than 254 characters long
+//   - each element must start and end with alphanumeric characters
+//   - each element must contain only alphanumeric characters or dashes
+//
+// Deprecated: Case-insensitive names are not recommended as they can lead to ambiguity
+// (e.g., 'Foo', 'FOO', and 'foo' would be allowed names for foo). Use LongName for strict, lowercase validation.
+func LongNameCaseless[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	for _, msg := range content.IsDNS1123SubdomainCaseless((string)(*value)) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, msg).WithOrigin("format=k8s-long-name-caseless"))
+	}
+	return allErrs
+}
+
+// LabelValue verifies that the specified value is a valid label value.
+//   - can be empty
+//   - must be no more than 63 characters
+//   - must start and end with alphanumeric characters
+//   - must contain only alphanumeric characters, dashes, underscores, or dots
+func LabelValue[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	for _, msg := range content.IsLabelValue((string)(*value)) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, msg).WithOrigin("format=k8s-label-value"))
+	}
+	return allErrs
+}
+
+// UUID verifies that the specified value is a valid UUID (RFC 4122).
+//   - must be 36 characters long
+//   - must be in the normalized form `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
+//   - must use only lowercase hexadecimal characters
+func UUID[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	val := (string)(*value)
+	if len(val) != 36 {
+		return field.ErrorList{field.Invalid(fldPath, val, uuidErrorMessage).WithOrigin("format=k8s-uuid")}
+	}
+	for idx := 0; idx < len(val); idx++ {
+		character := val[idx]
+		switch idx {
+		case 8, 13, 18, 23:
+			if character != '-' {
+				return field.ErrorList{field.Invalid(fldPath, val, uuidErrorMessage).WithOrigin("format=k8s-uuid")}
+			}
+		default:
+			// should be lower case hexadecimal.
+			if (character < '0' || character > '9') && (character < 'a' || character > 'f') {
+				return field.ErrorList{field.Invalid(fldPath, val, uuidErrorMessage).WithOrigin("format=k8s-uuid")}
+			}
+		}
+	}
+	return nil
+}
+
+// ResourcePoolName verifies that the specified value is one or more valid "long name"
+// parts separated by a '/' and no longer than 253 characters.
+func ResourcePoolName[T ~string](ctx context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	val := (string)(*value)
+	var allErrs field.ErrorList
+	if len(val) > 253 {
+		allErrs = append(allErrs, field.TooLong(fldPath, val, 253))
+	}
+	parts := strings.Split(val, "/")
+	for i, part := range parts {
+		if len(part) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath, val, fmt.Sprintf("segment %d: must not be empty", i)))
+			continue
+		}
+		// Note that we are overwriting the origin from the underlying LongName validation.
+		allErrs = append(allErrs, LongName(ctx, op, fldPath, &part, nil).PrefixDetail(fmt.Sprintf("segment %d: ", i))...)
+	}
+	return allErrs.WithOrigin("format=k8s-resource-pool-name")
+}
+
+// ExtendedResourceName verifies that the specified value is a valid extended resource name.
+// An extended resource name is a domain-prefixed name that does not use the "kubernetes.io"
+// or "requests." prefixes. Must be a valid label key when appended to "requests.", as in quota.
+//
+//   - must have slash domain and name.
+//   - must not have the "kubernetes.io" domain
+//   - must not have the "requests." prefix
+//   - name must be 63 characters or less
+//   - must be a valid label key when appended to "requests.", as in quota
+//     -- must contain only alphanumeric characters, dashes, underscores, or dots
+//     -- must end with an alphanumeric character
+func ExtendedResourceName[T ~string](_ context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	val := string(*value)
+	allErrs := field.ErrorList{}
+	if !strings.Contains(val, "/") {
+		allErrs = append(allErrs, field.Invalid(fldPath, val, "a name must be a domain-prefixed path, such as 'example.com/my-prop'"))
+	} else if strings.Contains(val, resourceDefaultNamespacePrefix) {
+		allErrs = append(allErrs, field.Invalid(fldPath, val, fmt.Sprintf("must not have %q domain", resourceDefaultNamespacePrefix)))
+	}
+	// Ensure extended resource is not type of quota.
+	if strings.HasPrefix(val, defaultResourceRequestsPrefix) {
+		allErrs = append(allErrs, field.Invalid(fldPath, val, fmt.Sprintf("must not have %q prefix", defaultResourceRequestsPrefix)))
+	}
+
+	// Ensure it satisfies the rules in IsLabelKey() after converted into quota resource name
+	nameForQuota := fmt.Sprintf("%s%s", defaultResourceRequestsPrefix, val)
+	for _, msg := range content.IsLabelKey(nameForQuota) {
+		allErrs = append(allErrs, field.Invalid(fldPath, val, msg))
+	}
+	return allErrs.WithOrigin("format=k8s-extended-resource-name")
+}
+
+// resourcesQualifiedName verifies that the specified value is a valid Kubernetes resources
+// qualified name.
+//   - must not be empty
+//   - must be composed of an optional prefix and a name, separated by a slash (e.g., "prefix/name")
+//   - the prefix, if specified, must be a DNS subdomain
+//   - the name part must be a C identifier
+//   - the name part must be no more than 32 characters
+func resourcesQualifiedName[T ~string](ctx context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	s := string(*value)
+	parts := strings.Split(s, "/")
+	// TODO: This validation and the corresponding handwritten validation validateQualifiedName in
+	// pkg/apis/resource/validation/validation.go are not validating whether there are more than 1
+	// slash. This should be fixed in both places.
+	switch len(parts) {
+	case 1:
+		allErrs = append(allErrs, validateCIdentifier(parts[0], resourceDeviceMaxLength, fldPath)...)
+	case 2:
+		if len(parts[0]) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath, "", "prefix must not be empty"))
+		} else {
+			if len(parts[0]) > 63 {
+				allErrs = append(allErrs, field.TooLong(fldPath, parts[0], 63))
+			}
+			allErrs = append(allErrs, LongName(ctx, op, fldPath, &parts[0], nil).PrefixDetail("prefix: ")...)
+		}
+		if len(parts[1]) == 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath, "", "name must not be empty"))
+		} else {
+			allErrs = append(allErrs, validateCIdentifier(parts[1], resourceDeviceMaxLength, fldPath)...)
+		}
+	}
+	return allErrs
+}
+
+// ResourceFullyQualifiedName verifies that the specified value is a valid Kubernetes
+// fully qualified name.
+//   - must not be empty
+//   - must be composed of a prefix and a name, separated by a slash (e.g., "prefix/name")
+//   - the prefix must be a DNS subdomain
+//   - the name part must be a C identifier
+//   - the name part must be no more than 32 characters
+func ResourceFullyQualifiedName[T ~string](ctx context.Context, op operation.Operation, fldPath *field.Path, value, _ *T) field.ErrorList {
+	if value == nil {
+		return nil
+	}
+	var allErrs field.ErrorList
+	s := string(*value)
+	allErrs = append(allErrs, resourcesQualifiedName(ctx, op, fldPath, &s, nil)...)
+	if !strings.Contains(s, "/") {
+		allErrs = append(allErrs, field.Invalid(fldPath, s, "a fully qualified name must be a domain and a name separated by a slash"))
+	}
+	return allErrs.WithOrigin("format=k8s-resource-fully-qualified-name")
+}
+
+func validateCIdentifier(id string, length int, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if len(id) > length {
+		allErrs = append(allErrs, field.TooLong(fldPath, id, length))
+	}
+	for _, msg := range content.IsCIdentifier(id) {
+		allErrs = append(allErrs, field.Invalid(fldPath, id, msg))
+	}
+	return allErrs
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt_test.go
new file mode 100644
index 0000000000000..a3c209265304a
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/strfmt_test.go
@@ -0,0 +1,753 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validate
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func TestShortName(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid",
+		input:    "abc-123",
+		wantErrs: nil,
+	}, {
+		name:  "invalid: empty",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character").WithOrigin("format=k8s-short-name"),
+		},
+	}, {
+		name:  "invalid: too long",
+		input: "01234567890123456789012345678901234567890123456789012345678901234",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "01234567890123456789012345678901234567890123456789012345678901234", "must be no more than 63 bytes").WithOrigin("format=k8s-short-name"),
+		},
+	}, {
+		name:  "invalid: starts with dash",
+		input: "-abc-123",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "-abc-123", "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character").WithOrigin("format=k8s-short-name"),
+		},
+	}, {
+		name:  "invalid: ends with dash",
+		input: "abc-123-",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "abc-123-", "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character").WithOrigin("format=k8s-short-name"),
+		},
+	}, {
+		name:  "invalid: upper-case",
+		input: "ABC-123",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "ABC-123", "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character").WithOrigin("format=k8s-short-name"),
+		},
+	}, {
+		name:  "invalid: other chars",
+		input: "abc_123",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "abc_123", "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character").WithOrigin("format=k8s-short-name"),
+		},
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().ByDetailSubstring()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := ShortName(ctx, operation.Operation{}, fldPath, &value, nil)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestLongName(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid",
+		input:    "a.b.c",
+		wantErrs: nil,
+	}, {
+		name:  "invalid: empty",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name"),
+		},
+	}, {
+		name:  "invalid: too long",
+		input: strings.Repeat("a", 254),
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, strings.Repeat("a", 254), "must be no more than 253 bytes").WithOrigin("format=k8s-long-name"),
+		},
+	}, {
+		name:  "invalid: starts with dash",
+		input: "-a.b.c",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "-a.b.c", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name"),
+		},
+	}, {
+		name:  "invalid: ends with dash",
+		input: "a.b.c-",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "a.b.c-", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name"),
+		},
+	}, {
+		name:  "invalid: upper-case",
+		input: "A.b.c",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "A.b.c", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name"),
+		},
+	}, {
+		name:  "invalid: other chars",
+		input: "a_b.c",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "a_b.c", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name"),
+		},
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().ByDetailSubstring()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := LongName(ctx, operation.Operation{}, fldPath, &value, nil)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestLabelKey(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid key",
+		input:    "app",
+		wantErrs: nil,
+	}, {
+		name:     "valid key with dash",
+		input:    "app-name",
+		wantErrs: nil,
+	}, {
+		name:     "valid key with dot",
+		input:    "app.name",
+		wantErrs: nil,
+	}, {
+		name:     "valid key with underscore",
+		input:    "app_name",
+		wantErrs: nil,
+	}, {
+		name:     "valid key with prefix",
+		input:    "example.com/app",
+		wantErrs: nil,
+	}, {
+		name:     "valid key with long prefix",
+		input:    strings.Repeat("a", 63) + "." + strings.Repeat("b", 63) + "." + strings.Repeat("c", 63) + "." + strings.Repeat("d", 55) + "/app",
+		wantErrs: nil,
+	}, {
+		name:  "invalid: empty string",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: starts with dash",
+		input: "-app",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: ends with dash",
+		input: "app-",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: contains invalid characters",
+		input: "app^",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: name too long",
+		input: strings.Repeat("a", 64),
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: prefix too long",
+		input: strings.Repeat("a", 254) + "/app",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:  "invalid: prefix is not a DNS subdomain",
+		input: "example-.com/app",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-key"),
+		},
+	}, {
+		name:     "nil value",
+		input:    "", // This will be handled by setting value to nil in the test runner
+		wantErrs: nil,
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var value *string
+			if tc.name != "nil value" {
+				v := tc.input
+				value = &v
+			}
+			gotErrs := LabelKey(ctx, operation.Operation{}, fldPath, value, nil)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestK8sUUID(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid uuid with hyphens",
+		input:    "123e4567-e89b-12d3-a456-426614174000",
+		wantErrs: nil,
+	}, {
+		name:  "invalid uuid with hyphens uppercase",
+		input: "123E4567-E89B-12D3-A456-426614174000",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "123E4567-E89B-12D3-A456-426614174000", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "invalid uuid with urn prefix",
+		input: "urn:uuid:123e4567-e89b-12d3-a456-426614174000",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "urn:uuid:123e4567-e89b-12d3-a456-426614174000", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "invalid uuid without hyphens",
+		input: "123e4567e89b12d3a456426614174000",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "123e4567e89b12d3a456426614174000", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "invalid: wrong length",
+		input: "123e4567-e89b-12d3-a456-42661417400",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "123e4567-e89b-12d3-a456-42661417400", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "invalid: wrong characters",
+		input: "123e4567-e89b-12d3-a456-42661417400g",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "123e4567-e89b-12d3-a456-42661417400g", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "invalid: misplaced hyphens",
+		input: "123e4567-e89b-12d3-a4564-26614174000",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "123e4567-e89b-12d3-a4564-26614174000", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "empty string",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}, {
+		name:  "not a uuid",
+		input: "not-a-uuid",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "not-a-uuid", "must be a lowercase UUID in 8-4-4-4-12 format").WithOrigin("format=k8s-uuid"),
+		},
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().ByDetailExact()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := UUID(ctx, operation.Operation{}, fldPath, &value, nil)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestLabelValue(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid value",
+		input:    "valid-value",
+		wantErrs: nil,
+	}, {
+		name:     "valid value with dots",
+		input:    "valid.value",
+		wantErrs: nil,
+	}, {
+		name:     "valid value with underscores",
+		input:    "valid_value",
+		wantErrs: nil,
+	}, {
+		name:     "valid single character value",
+		input:    "a",
+		wantErrs: nil,
+	}, {
+		name:     "valid value with numbers",
+		input:    "123-abc",
+		wantErrs: nil,
+	}, {
+		name:     "valid uppercase characters",
+		input:    "Valid-Value",
+		wantErrs: nil,
+	}, {
+		name:  "invalid: starts with dash",
+		input: "-invalid-value",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: ends with dash",
+		input: "invalid-value-",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: starts with dot",
+		input: ".invalid.value",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: ends with dot",
+		input: "invalid.value.",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: starts with underscore",
+		input: "_invalid_value",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: ends with underscore",
+		input: "invalid_value_",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: contains special characters",
+		input: "invalid@value",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:  "invalid: too long",
+		input: "a" + strings.Repeat("b", 62) + "c", // 64 characters
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-label-value"),
+		},
+	}, {
+		name:     "valid: max length",
+		input:    "a" + strings.Repeat("b", 61) + "c", // 63 characters
+		wantErrs: nil,
+	}, {
+		name:     "valid: empty string",
+		input:    "",
+		wantErrs: nil,
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := LabelValue(ctx, operation.Operation{}, fldPath, &value, nil)
+
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestLongNameCaseless(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid",
+		input:    "A.b.C",
+		wantErrs: nil,
+	}, {
+		name:  "invalid: empty",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "an RFC 1123 subdomain must consist of alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name-caseless"),
+		},
+	}, {
+		name:  "invalid: too long",
+		input: strings.Repeat("a", 254),
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, strings.Repeat("a", 254), "must be no more than 253 bytes").WithOrigin("format=k8s-long-name-caseless"),
+		},
+	}, {
+		name:  "invalid: starts with dash",
+		input: "-A.b.C",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "-A.b.C", "an RFC 1123 subdomain must consist of alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name-caseless"),
+		},
+	},
+		{
+			name:  "invalid: ends with dash",
+			input: "A.b.C-",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "A.b.C-", "an RFC 1123 subdomain must consist of alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+		{
+			name:  "invalid: other chars",
+			input: "A_b.C",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "A_b.C", "an RFC 1123 subdomain must consist of alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character").WithOrigin("format=k8s-long-name-caseless"),
+			},
+		},
+	}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := LongNameCaseless(ctx, operation.Operation{}, fldPath, &value, nil)
+
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestResourcePoolName(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:  "valid: single segment",
+		input: "a.valid.long-name",
+	}, {
+		name:  "valid: two segments",
+		input: "a.valid.long-name/another.one",
+	}, {
+		name:  "valid: multiple segments",
+		input: "a/b/c.d.e",
+	}, {
+		name:  "valid: segments with numbers",
+		input: "1.2.3/4.5.6",
+	}, {
+		name:  "invalid: empty string",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "segment 0: must not be empty").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: leading slash",
+		input: "/a.b.c",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: trailing slash",
+		input: "a.b.c/",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: double slash",
+		input: "a.b.c//d.e.f",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: one segment has uppercase",
+		input: "a.valid.name/Not.Valid",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "segment 1: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: one segment starts with dash",
+		input: "a.valid.name/-not-valid",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "segment 1: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: one segment has special characters",
+		input: "a.valid.name/not_valid",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "segment 1: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: too long",
+		input: "a.valid.name/" + strings.Repeat("b", 253),
+		wantErrs: field.ErrorList{
+			field.TooLong(fldPath, nil, 253).WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: segment too long",
+		input: strings.Repeat("b", 254),
+		wantErrs: field.ErrorList{
+			field.TooLong(fldPath, nil, 253).WithOrigin("format=k8s-resource-pool-name"),
+			field.Invalid(fldPath, nil, "segment 0: must be no more than 253 bytes").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: multiple invalid segments",
+		input: "Not/Valid/Either",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "segment 0: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+			field.Invalid(fldPath, nil, "segment 1: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+			field.Invalid(fldPath, nil, "segment 2: a lowercase RFC 1123").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}, {
+		name:  "invalid: just a slash",
+		input: "/",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, nil, "segment 0: must not be empty").WithOrigin("format=k8s-resource-pool-name"),
+			field.Invalid(fldPath, nil, "segment 1: must not be empty").WithOrigin("format=k8s-resource-pool-name"),
+		},
+	}}
+
+	exactMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().ByDetailSubstring()
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := &tc.input
+			gotErrs := ResourcePoolName(ctx, operation.Operation{}, fldPath, value, nil)
+			exactMatcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestExtendedResourceName(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{
+		{
+			name:     "valid",
+			input:    "example-kub.io/foo",
+			wantErrs: nil,
+		},
+		{
+			name:  "invalid: name too long",
+			input: strings.Repeat("a", 64),
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, strings.Repeat("a", 64), "a name must be a domain-prefixed path, such as 'example.com/my-prop").WithOrigin("format=k8s-extended-resource-name"),
+				field.Invalid(fldPath, strings.Repeat("a", 64), "name part must be no more than 63 bytes").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: empty",
+			input: "",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "", "a name must be a domain-prefixed path, such as 'example.com/my-prop").WithOrigin("format=k8s-extended-resource-name"),
+				field.Invalid(fldPath, "", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: no domain",
+			input: "foo",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "foo", "a name must be a domain-prefixed path, such as 'example.com/my-prop'").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: no domain and no name",
+			input: "/",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "/", "name part must be non-empty").WithOrigin("format=k8s-extended-resource-name"),
+				field.Invalid(fldPath, "/", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')").WithOrigin("format=k8s-extended-resource-name"),
+				field.Invalid(fldPath, "/", "prefix part a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: something.kubernetes.io domain",
+			input: "something.kubernetes.io/foo",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "something.kubernetes.io/foo", "must not have \"kubernetes.io/\" domain").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: kubernetes.io domain",
+			input: "kubernetes.io/foo",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "kubernetes.io/foo", "must not have \"kubernetes.io/\" domain").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: requests prefix",
+			input: "requests.example.com/foo",
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "requests.example.com/foo", "must not have \"requests.\" prefix").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+		{
+			name:  "invalid: name too long",
+			input: "example.com/" + strings.Repeat("a", 64),
+			wantErrs: field.ErrorList{
+				field.Invalid(fldPath, "example.com/"+strings.Repeat("a", 64), "name part must be no more than 63 bytes").WithOrigin("format=k8s-extended-resource-name"),
+			},
+		},
+	}
+
+	exactMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().ByDetailSubstring()
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := &tc.input
+			gotErrs := ExtendedResourceName(ctx, operation.Operation{}, fldPath, value, nil)
+			exactMatcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
+
+func TestResourceFullyQualifiedName(t *testing.T) {
+	ctx := context.Background()
+	fldPath := field.NewPath("test")
+
+	testCases := []struct {
+		name     string
+		input    string
+		wantErrs field.ErrorList
+	}{{
+		name:     "valid name with prefix",
+		input:    "prefix.com/name",
+		wantErrs: nil,
+	}, {
+		name:     "valid name with complex prefix",
+		input:    "my-subdomain.example.com/name",
+		wantErrs: nil,
+	}, {
+		name:  "invalid name with dots",
+		input: "prefix.com/name.with.dots",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "name.with.dots", "a valid C identifier must start with alphabetic character").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid name with dashes",
+		input: "prefix.com/name-with-dashes",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "name-with-dashes", "a valid C identifier must start with alphabetic character").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: no prefix",
+		input: "name",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "name", "a fully qualified name must be a domain and a name separated by a slash").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: empty",
+		input: "",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "a fully qualified name must be a domain and a name separated by a slash").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			field.Invalid(fldPath, "", "a valid C identifier must start with alphabetic character").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: prefix too long",
+		input: strings.Repeat("a", 254) + "/name",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, strings.Repeat("a", 254), "prefix: must be no more than 253 bytes").WithOrigin("format=k8s-resource-fully-qualified-name"),
+			field.TooLong(fldPath, strings.Repeat("a", 254), 63).WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: name too long",
+		input: "prefix.com/" + strings.Repeat("a", 64),
+		wantErrs: field.ErrorList{
+			field.TooLong(fldPath, strings.Repeat("a", 64), 32).WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: prefix is not a valid DNS subdomain",
+		input: "Prefix.com/name",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "Prefix.com", "prefix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:     "invalid: name is not a valid RFC 1123 label",
+		input:    "prefix.com/Name",
+		wantErrs: nil, // no errors, C-identifiers can have uppercase letters
+	}, {
+		name:     "invalid: more than one slash",
+		input:    "prefix.com/name/extra",
+		wantErrs: nil, // This is not validated, yet.
+	}, {
+		name:  "invalid: empty name",
+		input: "prefix.com/",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "name must not be empty").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}, {
+		name:  "invalid: empty prefix",
+		input: "/name",
+		wantErrs: field.ErrorList{
+			field.Invalid(fldPath, "", "prefix must not be empty").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		},
+	}}
+
+	matcher := field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			value := tc.input
+			gotErrs := ResourceFullyQualifiedName(ctx, operation.Operation{}, fldPath, &value, nil)
+			matcher.Test(t, tc.wantErrs, gotErrs)
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/subfield.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/subfield.go
index 844a28901bcf3..896f3c3f36970 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/subfield.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/subfield.go
@@ -27,18 +27,25 @@ import (
 // nilable value.
 type GetFieldFunc[Tstruct any, Tfield any] func(*Tstruct) Tfield
 
-// Subfield validates a subfield of a struct against a validator function.
-func Subfield[Tstruct any, Tfield any](ctx context.Context, op operation.Operation, fldPath *field.Path, newStruct, oldStruct *Tstruct,
-	fldName string, getField GetFieldFunc[Tstruct, Tfield], validator ValidateFunc[Tfield]) field.ErrorList {
+// Subfield validates a subfield of a struct against a validator function. If
+// the value of the subfield is the same as the previous value, as per the
+// equiv function, then no validation is performed.
+//
+// The fldPath passed to the validator includes the subfield name.
+func Subfield[Tstruct any, Tfield any](
+	ctx context.Context, op operation.Operation, fldPath *field.Path,
+	newStruct, oldStruct *Tstruct,
+	fldName string, getField GetFieldFunc[Tstruct, Tfield],
+	equiv MatchFunc[Tfield],
+	validator ValidateFunc[Tfield],
+) field.ErrorList {
 	var errs field.ErrorList
 	newVal := getField(newStruct)
 	var oldVal Tfield
 	if oldStruct != nil {
 		oldVal = getField(oldStruct)
 	}
-	// TODO: passing an equiv function to Subfield for direct comparison instead of
-	// SemanticDeepEqual if fields can be compared directly, to improve performance.
-	if op.Type == operation.Update && SemanticDeepEqual(newVal, oldVal) {
+	if op.Type == operation.Update && oldStruct != nil && equiv(newVal, oldVal) {
 		return nil
 	}
 	errs = append(errs, validator(ctx, op, fldPath.Child(fldName), newVal, oldVal)...)
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/union.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/union.go
index af5e933e9d397..03f45f8661dea 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/union.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/union.go
@@ -47,11 +47,15 @@ type UnionValidationOptions struct {
 //
 // For example:
 //
-//	var UnionMembershipForABC := validate.NewUnionMembership([2]string{"a", "A"}, [2]string{"b", "B"}, [2]string{"c", "C"})
-//	func ValidateABC(ctx context.Context, op operation.Operation, fldPath *field.Path, in *ABC) (errs fields.ErrorList) {
+//	var UnionMembershipForABC := validate.NewUnionMembership(
+//	 	validate.NewUnionMember("a"),
+//	 	validate.NewUnionMember("b"),
+//	 	validate.NewUnionMember("c"),
+//	 )
+//	func ValidateABC(ctx context.Context, op operation.Operation, fldPath *field.Path, in *ABC) (errs field.ErrorList) {
 //		errs = append(errs, Union(ctx, op, fldPath, in, oldIn, UnionMembershipForABC,
 //			func(in *ABC) bool { return in.A != nil },
-//			func(in *ABC) bool { return in.B != ""},
+//			func(in *ABC) bool { return in.B != "" },
 //			func(in *ABC) bool { return in.C != 0 },
 //		)...)
 //		return errs
@@ -77,12 +81,16 @@ func Union[T any](_ context.Context, op operation.Operation, fldPath *field.Path
 //
 // For example:
 //
-//	var UnionMembershipForABC = validate.NewDiscriminatedUnionMembership("type", [2]string{"a", "A"}, [2]string{"b", "B"}, [2]string{"c", "C"})
+//	var UnionMembershipForABC = validate.NewDiscriminatedUnionMembership("type",
+//	 	validate.NewDiscriminatedUnionMember("a", "A"),
+//	 	validate.NewDiscriminatedUnionMember("b", "B"),
+//	 	validate.NewDiscriminatedUnionMember("c", "C"),
+//	)
 //	func ValidateABC(ctx context.Context, op operation.Operation, fldPath *field.Path, in *ABC) (errs field.ErrorList) {
 //		errs = append(errs, DiscriminatedUnion(ctx, op, fldPath, in, oldIn, UnionMembershipForABC,
 //			func(in *ABC) string { return string(in.Type) },
 //			func(in *ABC) bool { return in.A != nil },
-//			func(in *ABC) bool { return in.B != ""},
+//			func(in *ABC) bool { return in.B != "" },
 //			func(in *ABC) bool { return in.C != 0 },
 //		)...)
 //		return errs
@@ -129,35 +137,42 @@ func DiscriminatedUnion[T any, D ~string](_ context.Context, op operation.Operat
 	return errs
 }
 
-type member struct {
-	fieldName, discriminatorValue string
+// UnionMember represents a member of a union.
+type UnionMember struct {
+	fieldName          string
+	discriminatorValue string
+}
+
+// NewUnionMember returns a new UnionMember for the given field name.
+func NewUnionMember(fieldName string) UnionMember {
+	return UnionMember{fieldName: fieldName}
+}
+
+// NewDiscriminatedUnionMember returns a new UnionMember for the given field
+// name and discriminator value.
+func NewDiscriminatedUnionMember(fieldName, discriminatorValue string) UnionMember {
+	return UnionMember{fieldName: fieldName, discriminatorValue: discriminatorValue}
 }
 
 // UnionMembership represents an ordered list of field union memberships.
 type UnionMembership struct {
 	discriminatorName string
-	members           []member
+	members           []UnionMember
 }
 
 // NewUnionMembership returns a new UnionMembership for the given list of members.
-//
-// Each member is a [2]string to provide a fieldName and discriminatorValue pair, where
-// [0] identifies the field name and [1] identifies the union member Name.
-//
-// Field names must be unique.
-func NewUnionMembership(member ...[2]string) *UnionMembership {
+// Member names must be unique.
+func NewUnionMembership(member ...UnionMember) *UnionMembership {
 	return NewDiscriminatedUnionMembership("", member...)
 }
 
 // NewDiscriminatedUnionMembership returns a new UnionMembership for the given discriminator field and list of members.
 // members are provided in the same way as for NewUnionMembership.
-func NewDiscriminatedUnionMembership(discriminatorFieldName string, members ...[2]string) *UnionMembership {
-	u := &UnionMembership{}
-	u.discriminatorName = discriminatorFieldName
-	for _, fieldName := range members {
-		u.members = append(u.members, member{fieldName: fieldName[0], discriminatorValue: fieldName[1]})
+func NewDiscriminatedUnionMembership(discriminatorFieldName string, members ...UnionMember) *UnionMembership {
+	return &UnionMembership{
+		discriminatorName: discriminatorFieldName,
+		members:           members,
 	}
-	return u
 }
 
 // allFields returns a string listing all the field names of the member of a union for use in error reporting.
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/union_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/union_test.go
index ab374d885228c..db9fb7231e42b 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/union_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/union_test.go
@@ -30,31 +30,31 @@ type testMember struct{}
 func TestUnion(t *testing.T) {
 	testCases := []struct {
 		name        string
-		fields      [][2]string
+		fields      []string
 		fieldValues []bool
 		expected    field.ErrorList
 	}{
 		{
 			name:        "one member set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, false, false, true},
 			expected:    nil,
 		},
 		{
 			name:        "two members set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, true, false, true},
 			expected:    field.ErrorList{field.Invalid(nil, "{b, d}", "must specify exactly one of: `a`, `b`, `c`, `d`")},
 		},
 		{
 			name:        "all members set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{true, true, true, true},
 			expected:    field.ErrorList{field.Invalid(nil, "{a, b, c, d}", "must specify exactly one of: `a`, `b`, `c`, `d`")},
 		},
 		{
 			name:        "no member set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, false, false, false},
 			expected:    field.ErrorList{field.Invalid(nil, "", "must specify one of: `a`, `b`, `c`, `d`")},
 		},
@@ -62,6 +62,11 @@ func TestUnion(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			members := []UnionMember{}
+			for _, f := range tc.fields {
+				members = append(members, NewUnionMember(f))
+			}
+
 			// Create mock extractors that return predefined values instead of
 			// actually extracting from the object.
 			extractors := make([]ExtractorFn[*testMember, bool], len(tc.fieldValues))
@@ -69,7 +74,8 @@ func TestUnion(t *testing.T) {
 				extractors[i] = func(_ *testMember) bool { return val }
 			}
 
-			got := Union(context.Background(), operation.Operation{}, nil, &testMember{}, nil, NewUnionMembership(tc.fields...), extractors...)
+			got := Union(context.Background(), operation.Operation{}, nil, &testMember{}, nil,
+				NewUnionMembership(members...), extractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got, tc.expected)
 			}
@@ -126,6 +132,11 @@ func TestDiscriminatedUnion(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			members := []UnionMember{}
+			for _, f := range tc.fields {
+				members = append(members, NewDiscriminatedUnionMember(f[0], f[1]))
+			}
+
 			discriminatorExtractor := func(_ *testMember) string { return tc.discriminatorValue }
 
 			// Create mock extractors that return predefined values instead of
@@ -135,7 +146,8 @@ func TestDiscriminatedUnion(t *testing.T) {
 				extractors[i] = func(_ *testMember) bool { return val }
 			}
 
-			got := DiscriminatedUnion(context.Background(), operation.Operation{}, nil, &testMember{}, nil, NewDiscriminatedUnionMembership(tc.discriminatorField, tc.fields...), discriminatorExtractor, extractors...)
+			got := DiscriminatedUnion(context.Background(), operation.Operation{}, nil, &testMember{}, nil,
+				NewDiscriminatedUnionMembership(tc.discriminatorField, members...), discriminatorExtractor, extractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got.ToAggregate(), tc.expected.ToAggregate())
 			}
@@ -211,7 +223,9 @@ func TestUnionRatcheting(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got := Union(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct, NewUnionMembership([][2]string{{"m1", "m1"}, {"m2", "m2"}}...), extractors...)
+			members := []UnionMember{NewUnionMember("m1"), NewUnionMember("m2")}
+			got := Union(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct,
+				NewUnionMembership(members...), extractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got, tc.expected)
 			}
@@ -319,7 +333,9 @@ func TestDiscriminatedUnionRatcheting(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got := DiscriminatedUnion(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct, NewDiscriminatedUnionMembership("d", [][2]string{{"m1", "m1"}, {"m2", "m2"}}...), testDiscriminatorExtractor, testDiscriminatedExtractors...)
+			members := []UnionMember{NewDiscriminatedUnionMember("m1", "m1"), NewDiscriminatedUnionMember("m2", "m2")}
+			got := DiscriminatedUnion(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct,
+				NewDiscriminatedUnionMembership("d", members...), testDiscriminatorExtractor, testDiscriminatedExtractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got, tc.expected)
 			}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/update.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/update.go
new file mode 100644
index 0000000000000..e67ee28ded3d4
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/update.go
@@ -0,0 +1,160 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validate
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// UpdateConstraint represents a constraint on update operations
+type UpdateConstraint int
+
+const (
+	// NoSet prevents unset->set transitions
+	NoSet UpdateConstraint = iota
+	// NoUnset prevents set->unset transitions
+	NoUnset
+	// NoModify prevents value changes but allows set/unset transitions
+	NoModify
+)
+
+// UpdateValueByCompare verifies update constraints for comparable value types.
+func UpdateValueByCompare[T comparable](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T, constraints ...UpdateConstraint) field.ErrorList {
+	if op.Type != operation.Update {
+		return nil
+	}
+
+	var errs field.ErrorList
+	var zero T
+
+	for _, constraint := range constraints {
+		switch constraint {
+		case NoSet:
+			if *oldValue == zero && *value != zero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be set once created").WithOrigin("update"))
+			}
+		case NoUnset:
+			if *oldValue != zero && *value == zero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be cleared once set").WithOrigin("update"))
+			}
+		case NoModify:
+			// Rely on validation ratcheting to detect that the value has changed.
+			// This check only verifies that the field was set in both the old and
+			// new objects, confirming it was a modification, not a set/unset.
+			if *oldValue != zero && *value != zero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be modified once set").WithOrigin("update"))
+			}
+		}
+	}
+
+	return errs
+}
+
+// UpdatePointer verifies update constraints for pointer types.
+func UpdatePointer[T any](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T, constraints ...UpdateConstraint) field.ErrorList {
+	if op.Type != operation.Update {
+		return nil
+	}
+
+	var errs field.ErrorList
+
+	for _, constraint := range constraints {
+		switch constraint {
+		case NoSet:
+			if oldValue == nil && value != nil {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be set once created").WithOrigin("update"))
+			}
+		case NoUnset:
+			if oldValue != nil && value == nil {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be cleared once set").WithOrigin("update"))
+			}
+		case NoModify:
+			// Rely on validation ratcheting to detect that the value has changed.
+			// This check only verifies that the field was non-nil in both the old
+			// and new objects, confirming it was a modification, not a set/unset.
+			if oldValue != nil && value != nil {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be modified once set").WithOrigin("update"))
+			}
+		}
+	}
+
+	return errs
+}
+
+// UpdateValueByReflect verifies update constraints for non-comparable value types using reflection.
+func UpdateValueByReflect[T any](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T, constraints ...UpdateConstraint) field.ErrorList {
+	if op.Type != operation.Update {
+		return nil
+	}
+
+	var errs field.ErrorList
+	var zero T
+	valueIsZero := equality.Semantic.DeepEqual(*value, zero)
+	oldValueIsZero := equality.Semantic.DeepEqual(*oldValue, zero)
+
+	for _, constraint := range constraints {
+		switch constraint {
+		case NoSet:
+			if oldValueIsZero && !valueIsZero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be set once created").WithOrigin("update"))
+			}
+		case NoUnset:
+			if !oldValueIsZero && valueIsZero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be cleared once set").WithOrigin("update"))
+			}
+		case NoModify:
+			// Rely on validation ratcheting to detect that the value has changed.
+			// This check only verifies that the field was set in both the old and
+			// new objects, confirming it was a modification, not a set/unset.
+			if !oldValueIsZero && !valueIsZero {
+				errs = append(errs, field.Invalid(fldPath, nil, "field cannot be modified once set").WithOrigin("update"))
+			}
+		}
+	}
+
+	return errs
+}
+
+// UpdateStruct verifies update constraints for non-pointer struct types.
+// Non-pointer structs are always considered "set" and never "unset".
+func UpdateStruct[T any](_ context.Context, op operation.Operation, fldPath *field.Path, value, oldValue *T, constraints ...UpdateConstraint) field.ErrorList {
+	if op.Type != operation.Update {
+		return nil
+	}
+
+	var errs field.ErrorList
+
+	for _, constraint := range constraints {
+		switch constraint {
+		case NoSet, NoUnset:
+			// These constraints don't apply to non-pointer structs
+			// as they can't be unset. This should be caught at generation time.
+			continue
+		case NoModify:
+			// Non-pointer structs are always considered "set". Therefore, any
+			// change detected by validation ratcheting is a modification.
+			// The deep equality check is redundant and has been removed.
+			errs = append(errs, field.Invalid(fldPath, nil, "field cannot be modified once set").WithOrigin("update"))
+		}
+	}
+
+	return errs
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/update_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/update_test.go
new file mode 100644
index 0000000000000..369da702c8011
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/update_test.go
@@ -0,0 +1,430 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validate
+
+import (
+	"context"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/operation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func TestUpdateValue(t *testing.T) {
+	tests := []struct {
+		name        string
+		op          operation.Type
+		value       string
+		oldValue    string
+		constraints []UpdateConstraint
+		wantErrs    int
+		wantMsgs    []string
+	}{
+		{
+			name:        "create operation - no validation",
+			op:          operation.Create,
+			value:       "value",
+			oldValue:    "",
+			constraints: []UpdateConstraint{NoSet, NoUnset, NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoSet - unset to set transition (forbidden)",
+			op:          operation.Update,
+			value:       "value",
+			oldValue:    "",
+			constraints: []UpdateConstraint{NoSet},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be set once created"},
+		},
+		{
+			name:        "NoSet - set to set transition (allowed)",
+			op:          operation.Update,
+			value:       "value2",
+			oldValue:    "value1",
+			constraints: []UpdateConstraint{NoSet},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoUnset - set to unset transition (forbidden)",
+			op:          operation.Update,
+			value:       "",
+			oldValue:    "value",
+			constraints: []UpdateConstraint{NoUnset},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be cleared once set"},
+		},
+		{
+			name:        "NoUnset - unset to set transition (allowed)",
+			op:          operation.Update,
+			value:       "value",
+			oldValue:    "",
+			constraints: []UpdateConstraint{NoUnset},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - set to different value (forbidden)",
+			op:          operation.Update,
+			value:       "value2",
+			oldValue:    "value1",
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "NoModify - unset to set transition (allowed)",
+			op:          operation.Update,
+			value:       "value",
+			oldValue:    "",
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - set to unset transition (allowed)",
+			op:          operation.Update,
+			value:       "",
+			oldValue:    "value",
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "Multiple constraints - NoSet and NoUnset",
+			op:          operation.Update,
+			value:       "value",
+			oldValue:    "",
+			constraints: []UpdateConstraint{NoSet, NoUnset},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be set once created"},
+		},
+		{
+			name:        "Multiple constraints - NoUnset and NoModify",
+			op:          operation.Update,
+			value:       "",
+			oldValue:    "value",
+			constraints: []UpdateConstraint{NoUnset, NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be cleared once set"},
+		},
+		{
+			name:        "Multiple constraints - NoSet, NoUnset, NoModify - modify attempt",
+			op:          operation.Update,
+			value:       "value2",
+			oldValue:    "value1",
+			constraints: []UpdateConstraint{NoSet, NoUnset, NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "No constraints",
+			op:          operation.Update,
+			value:       "value2",
+			oldValue:    "value1",
+			constraints: []UpdateConstraint{},
+			wantErrs:    0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			op := operation.Operation{Type: tt.op}
+			errs := UpdateValueByCompare(context.TODO(), op, field.NewPath("test"), &tt.value, &tt.oldValue, tt.constraints...)
+			if len(errs) != tt.wantErrs {
+				t.Errorf("UpdateValue() returned %d errors, want %d: %v", len(errs), tt.wantErrs, errs)
+			}
+			for i, msg := range tt.wantMsgs {
+				if i >= len(errs) {
+					t.Errorf("Expected error message %q not found", msg)
+					continue
+				}
+				if errs[i].Detail != msg {
+					t.Errorf("UpdateValue() error message = %q, want %q", errs[i].Detail, msg)
+				}
+			}
+		})
+	}
+}
+
+func TestUpdatePointer(t *testing.T) {
+	stringPtr := func(s string) *string { return &s }
+
+	tests := []struct {
+		name        string
+		op          operation.Type
+		value       *string
+		oldValue    *string
+		constraints []UpdateConstraint
+		wantErrs    int
+		wantMsgs    []string
+	}{
+		{
+			name:        "create operation - no validation",
+			op:          operation.Create,
+			value:       stringPtr("value"),
+			oldValue:    nil,
+			constraints: []UpdateConstraint{NoSet, NoUnset, NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoSet - nil to non-nil transition (forbidden)",
+			op:          operation.Update,
+			value:       stringPtr("value"),
+			oldValue:    nil,
+			constraints: []UpdateConstraint{NoSet},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be set once created"},
+		},
+		{
+			name:        "NoSet - non-nil to non-nil transition (allowed)",
+			op:          operation.Update,
+			value:       stringPtr("value2"),
+			oldValue:    stringPtr("value1"),
+			constraints: []UpdateConstraint{NoSet},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoUnset - non-nil to nil transition (forbidden)",
+			op:          operation.Update,
+			value:       nil,
+			oldValue:    stringPtr("value"),
+			constraints: []UpdateConstraint{NoUnset},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be cleared once set"},
+		},
+		{
+			name:        "NoUnset - nil to non-nil transition (allowed)",
+			op:          operation.Update,
+			value:       stringPtr("value"),
+			oldValue:    nil,
+			constraints: []UpdateConstraint{NoUnset},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - different values (forbidden)",
+			op:          operation.Update,
+			value:       stringPtr("value2"),
+			oldValue:    stringPtr("value1"),
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "NoModify - nil to non-nil transition (allowed)",
+			op:          operation.Update,
+			value:       stringPtr("value"),
+			oldValue:    nil,
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - non-nil to nil transition (allowed)",
+			op:          operation.Update,
+			value:       nil,
+			oldValue:    stringPtr("value"),
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "Multiple constraints - all three",
+			op:          operation.Update,
+			value:       stringPtr("value2"),
+			oldValue:    stringPtr("value1"),
+			constraints: []UpdateConstraint{NoSet, NoUnset, NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			op := operation.Operation{Type: tt.op}
+			errs := UpdatePointer(context.TODO(), op, field.NewPath("test"), tt.value, tt.oldValue, tt.constraints...)
+			if len(errs) != tt.wantErrs {
+				t.Errorf("UpdatePointer() returned %d errors, want %d: %v", len(errs), tt.wantErrs, errs)
+			}
+			for i, msg := range tt.wantMsgs {
+				if i >= len(errs) {
+					t.Errorf("Expected error message %q not found", msg)
+					continue
+				}
+				if errs[i].Detail != msg {
+					t.Errorf("UpdatePointer() error message = %q, want %q", errs[i].Detail, msg)
+				}
+			}
+		})
+	}
+}
+
+func TestUpdateValueByReflect(t *testing.T) {
+	type CustomStruct struct {
+		Field1 string
+		Field2 int
+	}
+
+	tests := []struct {
+		name        string
+		op          operation.Type
+		value       CustomStruct
+		oldValue    CustomStruct
+		constraints []UpdateConstraint
+		wantErrs    int
+		wantMsgs    []string
+	}{
+		{
+			name:        "NoModify - zero to non-zero transition (allowed)",
+			op:          operation.Update,
+			value:       CustomStruct{Field1: "test", Field2: 42},
+			oldValue:    CustomStruct{},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - non-zero to zero transition (allowed)",
+			op:          operation.Update,
+			value:       CustomStruct{},
+			oldValue:    CustomStruct{Field1: "test", Field2: 42},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - different values (forbidden)",
+			op:          operation.Update,
+			value:       CustomStruct{Field1: "test2", Field2: 100},
+			oldValue:    CustomStruct{Field1: "test1", Field2: 42},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "NoSet - zero to non-zero (forbidden)",
+			op:          operation.Update,
+			value:       CustomStruct{Field1: "test", Field2: 42},
+			oldValue:    CustomStruct{},
+			constraints: []UpdateConstraint{NoSet},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be set once created"},
+		},
+		{
+			name:        "NoUnset - non-zero to zero (forbidden)",
+			op:          operation.Update,
+			value:       CustomStruct{},
+			oldValue:    CustomStruct{Field1: "test", Field2: 42},
+			constraints: []UpdateConstraint{NoUnset},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be cleared once set"},
+		},
+		{
+			name:        "Multiple constraints",
+			op:          operation.Update,
+			value:       CustomStruct{Field1: "test", Field2: 42},
+			oldValue:    CustomStruct{},
+			constraints: []UpdateConstraint{NoSet, NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be set once created"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			op := operation.Operation{Type: tt.op}
+			errs := UpdateValueByReflect(context.TODO(), op, field.NewPath("test"), &tt.value, &tt.oldValue, tt.constraints...)
+			if len(errs) != tt.wantErrs {
+				t.Errorf("UpdateValueByReflect() returned %d errors, want %d: %v", len(errs), tt.wantErrs, errs)
+			}
+			for i, msg := range tt.wantMsgs {
+				if i >= len(errs) {
+					t.Errorf("Expected error message %q not found", msg)
+					continue
+				}
+				if errs[i].Detail != msg {
+					t.Errorf("UpdateValueByReflect() error message = %q, want %q", errs[i].Detail, msg)
+				}
+			}
+		})
+	}
+}
+
+func TestUpdateStruct(t *testing.T) {
+	type TestStruct struct {
+		Field1 string
+		Field2 int
+	}
+
+	tests := []struct {
+		name        string
+		op          operation.Type
+		value       TestStruct
+		oldValue    TestStruct
+		constraints []UpdateConstraint
+		wantErrs    int
+		wantMsgs    []string
+	}{
+		{
+			name:        "create operation - no validation",
+			op:          operation.Create,
+			value:       TestStruct{Field1: "test", Field2: 42},
+			oldValue:    TestStruct{},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    0,
+		},
+		{
+			name:        "NoModify - different values (forbidden)",
+			op:          operation.Update,
+			value:       TestStruct{Field1: "test2", Field2: 100},
+			oldValue:    TestStruct{Field1: "test1", Field2: 42},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "NoModify - zero value to non-zero (forbidden)",
+			op:          operation.Update,
+			value:       TestStruct{Field1: "test", Field2: 42},
+			oldValue:    TestStruct{},
+			constraints: []UpdateConstraint{NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+		{
+			name:        "NoSet and NoUnset with modification - only NoModify triggers",
+			op:          operation.Update,
+			value:       TestStruct{Field1: "test2", Field2: 100},
+			oldValue:    TestStruct{Field1: "test1", Field2: 42},
+			constraints: []UpdateConstraint{NoSet, NoUnset, NoModify},
+			wantErrs:    1,
+			wantMsgs:    []string{"field cannot be modified once set"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			op := operation.Operation{Type: tt.op}
+			errs := UpdateStruct(context.TODO(), op, field.NewPath("test"), &tt.value, &tt.oldValue, tt.constraints...)
+			if len(errs) != tt.wantErrs {
+				t.Errorf("UpdateStruct() returned %d errors, want %d: %v", len(errs), tt.wantErrs, errs)
+			}
+			for i, msg := range tt.wantMsgs {
+				if i >= len(errs) {
+					t.Errorf("Expected error message %q not found", msg)
+					continue
+				}
+				if errs[i].Detail != msg {
+					t.Errorf("UpdateStruct() error message = %q, want %q", errs[i].Detail, msg)
+				}
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone.go
index 81cef54ab4755..6a5df4ca3422d 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone.go
@@ -31,9 +31,14 @@ import (
 //
 // For example:
 //
-//	var ZeroOrOneOfMembershipForABC = validate.NewUnionMembership([2]string{"a", "A"}, [2]string{"b", "B"}, [2]string{"c", "C"})
+//	var ZeroOrOneOfMembershipForABC = validate.NewUnionMembership(
+//		validate.NewUnionMember("a"),
+//		validate.NewUnionMember("b"),
+//		validate.NewUnionMember("c"),
+//	)
 //	func ValidateABC(ctx context.Context, op operation.Operation, fldPath *field.Path, in *ABC) (errs field.ErrorList) {
-//		errs = append(errs, ZeroOrOneOfUnion(ctx, op, fldPath, in, oldIn, UnionMembershipForABC,
+//		errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, in, oldIn,
+//			ZeroOrOneOfMembershipForABC,
 //			func(in *ABC) bool { return in.A != nil },
 //			func(in *ABC) bool { return in.B != ""},
 //			func(in *ABC) bool { return in.C != 0 },
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone_test.go
index b9264be050f89..7222c5cd7a2e4 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validate/zeroorone_test.go
@@ -28,31 +28,31 @@ import (
 func TestZeroOrOneOfUnion(t *testing.T) {
 	testCases := []struct {
 		name        string
-		fields      [][2]string
+		fields      []string
 		fieldValues []bool
 		expected    field.ErrorList
 	}{
 		{
 			name:        "one member set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, false, false, true},
 			expected:    nil,
 		},
 		{
 			name:        "two members set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, true, false, true},
 			expected:    field.ErrorList{field.Invalid(nil, "{b, d}", "must specify at most one of: `a`, `b`, `c`, `d`").WithOrigin("zeroOrOneOf")},
 		},
 		{
 			name:        "all members set",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{true, true, true, true},
 			expected:    field.ErrorList{field.Invalid(nil, "{a, b, c, d}", "must specify at most one of: `a`, `b`, `c`, `d`").WithOrigin("zeroOrOneOf")},
 		},
 		{
 			name:        "no member set - allowed for ZeroOrOneOf",
-			fields:      [][2]string{{"a", "A"}, {"b", "B"}, {"c", "C"}, {"d", "D"}},
+			fields:      []string{"a", "b", "c", "d"},
 			fieldValues: []bool{false, false, false, false},
 			expected:    nil, // This is the key difference from Union
 		},
@@ -60,6 +60,11 @@ func TestZeroOrOneOfUnion(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			members := []UnionMember{}
+			for _, f := range tc.fields {
+				members = append(members, NewUnionMember(f))
+			}
+
 			// Create mock extractors that return predefined values instead of
 			// actually extracting from the object.
 			extractors := make([]ExtractorFn[*testMember, bool], len(tc.fieldValues))
@@ -67,7 +72,8 @@ func TestZeroOrOneOfUnion(t *testing.T) {
 				extractors[i] = func(_ *testMember) bool { return val }
 			}
 
-			got := ZeroOrOneOfUnion(context.Background(), operation.Operation{}, nil, &testMember{}, nil, NewUnionMembership(tc.fields...), extractors...)
+			got := ZeroOrOneOfUnion(context.Background(), operation.Operation{}, nil, &testMember{}, nil,
+				NewUnionMembership(members...), extractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got, tc.expected)
 			}
@@ -136,7 +142,9 @@ func TestZeroOrOneOfUnionRatcheting(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			got := ZeroOrOneOfUnion(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct, NewUnionMembership([][2]string{{"m1", "m1"}, {"m2", "m2"}}...), extractors...)
+			members := []UnionMember{NewUnionMember("m1"), NewUnionMember("m2")}
+			got := ZeroOrOneOfUnion(context.Background(), operation.Operation{Type: operation.Update}, nil, tc.newStruct, tc.oldStruct,
+				NewUnionMembership(members...), extractors...)
 			if !reflect.DeepEqual(got, tc.expected) {
 				t.Errorf("got %v want %v", got, tc.expected)
 			}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validation/generic.go b/staging/src/k8s.io/apimachinery/pkg/api/validation/generic.go
index f9cada1f0f1bd..35ea723a0fd7a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validation/generic.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validation/generic.go
@@ -33,6 +33,12 @@ const IsNegativeErrorMsg string = `must be greater than or equal to 0`
 // value that were not valid.  Otherwise this returns an empty list or nil.
 type ValidateNameFunc func(name string, prefix bool) []string
 
+// ValidateNameFuncWithErrors validates that the provided name is valid for a
+// given resource type.
+//
+// This is similar to ValidateNameFunc, except that it produces an ErrorList.
+type ValidateNameFuncWithErrors func(fldPath *field.Path, name string) field.ErrorList
+
 // NameIsDNSSubdomain is a ValidateNameFunc for names that must be a DNS subdomain.
 func NameIsDNSSubdomain(name string, prefix bool) []string {
 	if prefix {
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta.go b/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta.go
index 7e891fdf3ebb2..839fcbc2c17b0 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta.go
@@ -46,7 +46,7 @@ func ValidateAnnotations(annotations map[string]string, fldPath *field.Path) fie
 	for k := range annotations {
 		// The rule is QualifiedName except that case doesn't matter, so convert to lowercase before checking.
 		for _, msg := range validation.IsQualifiedName(strings.ToLower(k)) {
-			allErrs = append(allErrs, field.Invalid(fldPath, k, msg))
+			allErrs = append(allErrs, field.Invalid(fldPath, k, msg)).WithOrigin("format=k8s-label-key")
 		}
 	}
 	if err := ValidateAnnotationsSize(annotations); err != nil {
@@ -138,7 +138,6 @@ func ValidateImmutableField(newVal, oldVal interface{}, fldPath *field.Path) fie
 
 // ValidateObjectMeta validates an object's metadata on creation. It expects that name generation has already
 // been performed.
-// It doesn't return an error for rootscoped resources with namespace, because namespace should already be cleared before.
 func ValidateObjectMeta(objMeta *metav1.ObjectMeta, requiresNamespace bool, nameFn ValidateNameFunc, fldPath *field.Path) field.ErrorList {
 	metadata, err := meta.Accessor(objMeta)
 	if err != nil {
@@ -149,9 +148,37 @@ func ValidateObjectMeta(objMeta *metav1.ObjectMeta, requiresNamespace bool, name
 	return ValidateObjectMetaAccessor(metadata, requiresNamespace, nameFn, fldPath)
 }
 
+// objectMetaValidationOptions defines behavioral modifications for validating
+// an ObjectMeta.
+type objectMetaValidationOptions struct {
+	/* nothing here yet */
+}
+
+// ObjectMetaValidationOption specifies a behavioral modifier for
+// ValidateObjectMetaWithOpts and ValidateObjectMetaAccessorWithOpts.
+type ObjectMetaValidationOption func(opts *objectMetaValidationOptions)
+
+// ValidateObjectMetaWithOpts validates an object's metadata on creation. It
+// expects that name generation has already been performed, so name validation
+// is always executed.
+//
+// This is similar to ValidateObjectMeta, but uses options to buy future-safety
+// and uses different signature for the name validation function.  It also does
+// not directly validate the generateName field, because name generation
+// should have already been performed and it is the result of that generastion
+// that must conform to the nameFn.
+func ValidateObjectMetaWithOpts(objMeta *metav1.ObjectMeta, isNamespaced bool, nameFn ValidateNameFuncWithErrors, fldPath *field.Path, options ...ObjectMetaValidationOption) field.ErrorList {
+	metadata, err := meta.Accessor(objMeta)
+	if err != nil {
+		var allErrs field.ErrorList
+		allErrs = append(allErrs, field.InternalError(fldPath, err))
+		return allErrs
+	}
+	return ValidateObjectMetaAccessorWithOpts(metadata, isNamespaced, nameFn, fldPath, options...)
+}
+
 // ValidateObjectMetaAccessor validates an object's metadata on creation. It expects that name generation has already
 // been performed.
-// It doesn't return an error for rootscoped resources with namespace, because namespace should already be cleared before.
 func ValidateObjectMetaAccessor(meta metav1.Object, requiresNamespace bool, nameFn ValidateNameFunc, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
@@ -170,7 +197,57 @@ func ValidateObjectMetaAccessor(meta metav1.Object, requiresNamespace bool, name
 			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), meta.GetName(), msg))
 		}
 	}
-	if requiresNamespace {
+
+	return append(allErrs, validateObjectMetaAccessorWithOptsCommon(meta, requiresNamespace, fldPath, nil)...)
+}
+
+// ValidateObjectMetaAccessorWithOpts validates an object's metadata on
+// creation. It expects that name generation has already been performed, so
+// name validation is always executed.
+//
+// This is similar to ValidateObjectMetaAccessor, but uses options to buy
+// future-safety and uses different signature for the name validation function.
+// It also does not directly validate the generateName field, because name
+// generation should have already been performed and it is the result of that
+// generastion that must conform to the nameFn.
+func ValidateObjectMetaAccessorWithOpts(meta metav1.Object, isNamespaced bool, nameFn ValidateNameFuncWithErrors, fldPath *field.Path, options ...ObjectMetaValidationOption) field.ErrorList {
+	opts := objectMetaValidationOptions{}
+	for _, opt := range options {
+		opt(&opts)
+	}
+
+	var allErrs field.ErrorList
+
+	// generateName is not directly validated here. Types can have
+	// different rules for name generation, and the nameFn is for validating
+	// the post-generation data, not the input. In the past we assumed that
+	// name generation was always "append 5 random characters", but that's not
+	// NECESSARILY true. Also, the nameFn should always be considering the max
+	// length of the name, and it doesn't know enough about the name generation
+	// to do that. Also, given a bad generateName, the user will get errors
+	// for both the generateName and name fields. We will focus validation on
+	// the name field, which should give a better UX overall.
+	// TODO(thockin): should we do a max-length check here? e.g. 1K or 4K?
+
+	if len(meta.GetGenerateName()) != 0 && len(meta.GetName()) == 0 {
+		allErrs = append(allErrs,
+			field.InternalError(fldPath.Child("name"), fmt.Errorf("generateName was specified (%q), but no name was generated", meta.GetGenerateName())))
+	}
+	if len(meta.GetName()) == 0 {
+		allErrs = append(allErrs, field.Required(fldPath.Child("name"), "name or generateName is required"))
+	} else {
+		allErrs = append(allErrs, nameFn(fldPath.Child("name"), meta.GetName())...)
+	}
+
+	return append(allErrs, validateObjectMetaAccessorWithOptsCommon(meta, isNamespaced, fldPath, &opts)...)
+}
+
+// validateObjectMetaAccessorWithOptsCommon is a shared function for validating
+// the parts of an ObjectMeta with are handled the same in both paths..
+func validateObjectMetaAccessorWithOptsCommon(meta metav1.Object, isNamespaced bool, fldPath *field.Path, _ *objectMetaValidationOptions) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if isNamespaced {
 		if len(meta.GetNamespace()) == 0 {
 			allErrs = append(allErrs, field.Required(fldPath.Child("namespace"), ""))
 		} else {
@@ -180,6 +257,7 @@ func ValidateObjectMetaAccessor(meta metav1.Object, requiresNamespace bool, name
 		}
 	} else {
 		if len(meta.GetNamespace()) != 0 {
+			// TODO(thockin): change to "may not be specified on this type" or something
 			allErrs = append(allErrs, field.Forbidden(fldPath.Child("namespace"), "not allowed on this type"))
 		}
 	}
diff --git a/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta_test.go b/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta_test.go
index e4d50f41e1241..2edeea8fc06d4 100644
--- a/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/api/validation/objectmeta_test.go
@@ -30,38 +30,129 @@ import (
 const (
 	maxLengthErrMsg = "must be no more than"
 	namePartErrMsg  = "name part must consist of"
-	nameErrMsg      = "a qualified name must consist of"
+	nameErrMsg      = "a valid label key must consist of"
 )
 
 // Ensure custom name functions are allowed
 func TestValidateObjectMetaCustomName(t *testing.T) {
-	errs := ValidateObjectMeta(
-		&metav1.ObjectMeta{Name: "test", GenerateName: "foo"},
-		false,
-		func(s string, prefix bool) []string {
-			if s == "test" {
-				return nil
+	testCases := []struct {
+		name   string
+		input  metav1.ObjectMeta
+		nErrs  int
+		errStr string
+	}{{
+		name:  "valid name, empty generateName",
+		input: metav1.ObjectMeta{Name: "test", GenerateName: ""},
+	}, {
+		name:  "valid name and generateName",
+		input: metav1.ObjectMeta{Name: "test", GenerateName: "test"},
+	}, {
+		name:   "invalid name, empty generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: ""},
+		nErrs:  1,
+		errStr: "wrong value",
+	}, {
+		name:   "invalid name, valid generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: "test"},
+		nErrs:  1,
+		errStr: "wrong value",
+	}, {
+		name:   "invalid name, invalid generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: "invalid"},
+		nErrs:  2,
+		errStr: "wrong value",
+	}}
+
+	fn := func(s string, prefix bool) []string {
+		// Note: this is called on both name and generateName
+		if s == "test" {
+			return nil
+		}
+		return []string{"wrong value"}
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := ValidateObjectMeta(&tc.input, false, fn, field.NewPath("field"))
+
+			if len(errs) == 0 {
+				if len(tc.errStr) != 0 {
+					t.Fatalf("expected 1 error, got none")
+				}
+			} else {
+				if len(tc.errStr) == 0 {
+					t.Fatalf("expected no errors, got: %v", errs)
+				}
+				if len(errs) != tc.nErrs {
+					t.Fatalf("expected %d errors, got %d: %q", tc.nErrs, len(errs), errs)
+				}
+				if !strings.Contains(errs[0].Error(), "wrong value") {
+					t.Errorf("unexpected error message: %v", errs[0].Error())
+				}
 			}
-			return []string{"name-gen"}
-		},
-		field.NewPath("field"))
-	if len(errs) != 1 {
-		t.Fatalf("unexpected errors: %v", errs)
+		})
 	}
-	if !strings.Contains(errs[0].Error(), "name-gen") {
-		t.Errorf("unexpected error message: %v", errs)
+}
+
+// Ensure custom name functions work
+func TestValidateObjectMetaWithOptsName(t *testing.T) {
+	testCases := []struct {
+		name   string
+		input  metav1.ObjectMeta
+		errStr string
+	}{{
+		name:  "valid name, empty generateName",
+		input: metav1.ObjectMeta{Name: "test", GenerateName: ""},
+	}, {
+		name:  "valid name and generateName",
+		input: metav1.ObjectMeta{Name: "test", GenerateName: "test"},
+	}, {
+		name:   "invalid name, empty generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: ""},
+		errStr: "wrong value",
+	}, {
+		name:   "invalid name, valid generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: "test"},
+		errStr: "wrong value",
+	}, {
+		name:   "invalid name, invalid generateName",
+		input:  metav1.ObjectMeta{Name: "invalid", GenerateName: "invalid"},
+		errStr: "wrong value",
+	}}
+
+	fn := func(fldPath *field.Path, s string) field.ErrorList {
+		if s == "test" {
+			return nil
+		}
+		return field.ErrorList{field.Invalid(fldPath, s, "wrong value")}
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			errs := ValidateObjectMetaWithOpts(&tc.input, false, fn, field.NewPath("field"))
+
+			if len(errs) == 0 {
+				if len(tc.errStr) != 0 {
+					t.Fatalf("expected 1 error, got none")
+				}
+			} else {
+				if len(tc.errStr) == 0 {
+					t.Fatalf("expected no errors, got: %v", errs)
+				}
+				if len(errs) != 1 {
+					t.Fatalf("expected 1 error, got %d: %q", len(errs), errs)
+				}
+				if !strings.Contains(errs[0].Error(), "wrong value") {
+					t.Errorf("unexpected error message: %v", errs[0].Error())
+				}
+			}
+		})
 	}
 }
 
 // Ensure namespace names follow dns label format
 func TestValidateObjectMetaNamespaces(t *testing.T) {
-	errs := ValidateObjectMeta(
+	errs := validateObjectMetaAccessorWithOptsCommon(
 		&metav1.ObjectMeta{Name: "test", Namespace: "foo.bar"},
-		true,
-		func(s string, prefix bool) []string {
-			return nil
-		},
-		field.NewPath("field"))
+		true, field.NewPath("field"), nil)
 	if len(errs) != 1 {
 		t.Fatalf("unexpected errors: %v", errs)
 	}
@@ -74,13 +165,9 @@ func TestValidateObjectMetaNamespaces(t *testing.T) {
 	for i := range b {
 		b[i] = letters[rand.Intn(len(letters))]
 	}
-	errs = ValidateObjectMeta(
+	errs = validateObjectMetaAccessorWithOptsCommon(
 		&metav1.ObjectMeta{Name: "test", Namespace: string(b)},
-		true,
-		func(s string, prefix bool) []string {
-			return nil
-		},
-		field.NewPath("field"))
+		true, field.NewPath("field"), nil)
 	if len(errs) != 2 {
 		t.Fatalf("unexpected errors: %v", errs)
 	}
@@ -195,13 +282,9 @@ func TestValidateObjectMetaOwnerReferences(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		errs := ValidateObjectMeta(
+		errs := validateObjectMetaAccessorWithOptsCommon(
 			&metav1.ObjectMeta{Name: "test", Namespace: "test", OwnerReferences: tc.ownerReferences},
-			true,
-			func(s string, prefix bool) []string {
-				return nil
-			},
-			field.NewPath("field"))
+			true, field.NewPath("field"), nil)
 		if len(errs) != 0 && !tc.expectError {
 			t.Errorf("unexpected error: %v in test case %v", errs, tc.description)
 		}
@@ -288,7 +371,7 @@ func TestValidateFinalizersPreventConflictingFinalizers(t *testing.T) {
 		},
 	}
 	for name, tc := range testcases {
-		errs := ValidateObjectMeta(&tc.ObjectMeta, false, NameIsDNSSubdomain, field.NewPath("field"))
+		errs := validateObjectMetaAccessorWithOptsCommon(&tc.ObjectMeta, false, field.NewPath("field"), nil)
 		if len(errs) == 0 {
 			if len(tc.ExpectedErr) != 0 {
 				t.Errorf("case: %q, expected error to contain %q", name, tc.ExpectedErr)
@@ -425,8 +508,8 @@ func TestObjectMetaGenerationUpdate(t *testing.T) {
 	}
 }
 
-// Ensure trailing slash is allowed in generate name
-func TestValidateObjectMetaTrimsTrailingSlash(t *testing.T) {
+// Ensure trailing dash is allowed in generate name
+func TestValidateObjectMetaTrimsTrailingDash(t *testing.T) {
 	errs := ValidateObjectMeta(
 		&metav1.ObjectMeta{Name: "test", GenerateName: "foo-"},
 		false,
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
index 617b9a5d30f5f..31c87361f63b4 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.apis.meta.v1
 
 // +groupName=meta.k8s.io
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
index 9ee6c05918537..f6b1a6a4e06bb 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
@@ -23,12 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -37,1509 +35,95 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-var _ = time.Kitchen
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *APIGroup) Reset()      { *m = APIGroup{} }
-func (*APIGroup) ProtoMessage() {}
-func (*APIGroup) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{0}
-}
-func (m *APIGroup) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroup) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroup) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroup.Merge(m, src)
-}
-func (m *APIGroup) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroup) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroup.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroup proto.InternalMessageInfo
-
-func (m *APIGroupList) Reset()      { *m = APIGroupList{} }
-func (*APIGroupList) ProtoMessage() {}
-func (*APIGroupList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{1}
-}
-func (m *APIGroupList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIGroupList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIGroupList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIGroupList.Merge(m, src)
-}
-func (m *APIGroupList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIGroupList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIGroupList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIGroupList proto.InternalMessageInfo
-
-func (m *APIResource) Reset()      { *m = APIResource{} }
-func (*APIResource) ProtoMessage() {}
-func (*APIResource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{2}
-}
-func (m *APIResource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIResource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIResource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIResource.Merge(m, src)
-}
-func (m *APIResource) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIResource) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIResource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIResource proto.InternalMessageInfo
-
-func (m *APIResourceList) Reset()      { *m = APIResourceList{} }
-func (*APIResourceList) ProtoMessage() {}
-func (*APIResourceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{3}
-}
-func (m *APIResourceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIResourceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIResourceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIResourceList.Merge(m, src)
-}
-func (m *APIResourceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIResourceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIResourceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIResourceList proto.InternalMessageInfo
-
-func (m *APIVersions) Reset()      { *m = APIVersions{} }
-func (*APIVersions) ProtoMessage() {}
-func (*APIVersions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{4}
-}
-func (m *APIVersions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIVersions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIVersions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIVersions.Merge(m, src)
-}
-func (m *APIVersions) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIVersions) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIVersions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIVersions proto.InternalMessageInfo
-
-func (m *ApplyOptions) Reset()      { *m = ApplyOptions{} }
-func (*ApplyOptions) ProtoMessage() {}
-func (*ApplyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{5}
-}
-func (m *ApplyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ApplyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ApplyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ApplyOptions.Merge(m, src)
-}
-func (m *ApplyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *ApplyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_ApplyOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ApplyOptions proto.InternalMessageInfo
-
-func (m *Condition) Reset()      { *m = Condition{} }
-func (*Condition) ProtoMessage() {}
-func (*Condition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{6}
-}
-func (m *Condition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Condition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Condition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Condition.Merge(m, src)
-}
-func (m *Condition) XXX_Size() int {
-	return m.Size()
-}
-func (m *Condition) XXX_DiscardUnknown() {
-	xxx_messageInfo_Condition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Condition proto.InternalMessageInfo
-
-func (m *CreateOptions) Reset()      { *m = CreateOptions{} }
-func (*CreateOptions) ProtoMessage() {}
-func (*CreateOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{7}
-}
-func (m *CreateOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CreateOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CreateOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CreateOptions.Merge(m, src)
-}
-func (m *CreateOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *CreateOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_CreateOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CreateOptions proto.InternalMessageInfo
-
-func (m *DeleteOptions) Reset()      { *m = DeleteOptions{} }
-func (*DeleteOptions) ProtoMessage() {}
-func (*DeleteOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{8}
-}
-func (m *DeleteOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeleteOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeleteOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeleteOptions.Merge(m, src)
-}
-func (m *DeleteOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeleteOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeleteOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeleteOptions proto.InternalMessageInfo
-
-func (m *Duration) Reset()      { *m = Duration{} }
-func (*Duration) ProtoMessage() {}
-func (*Duration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{9}
-}
-func (m *Duration) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Duration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Duration) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Duration.Merge(m, src)
-}
-func (m *Duration) XXX_Size() int {
-	return m.Size()
-}
-func (m *Duration) XXX_DiscardUnknown() {
-	xxx_messageInfo_Duration.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Duration proto.InternalMessageInfo
-
-func (m *FieldSelectorRequirement) Reset()      { *m = FieldSelectorRequirement{} }
-func (*FieldSelectorRequirement) ProtoMessage() {}
-func (*FieldSelectorRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{10}
-}
-func (m *FieldSelectorRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FieldSelectorRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FieldSelectorRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FieldSelectorRequirement.Merge(m, src)
-}
-func (m *FieldSelectorRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *FieldSelectorRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_FieldSelectorRequirement.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FieldSelectorRequirement proto.InternalMessageInfo
-
-func (m *FieldsV1) Reset()      { *m = FieldsV1{} }
-func (*FieldsV1) ProtoMessage() {}
-func (*FieldsV1) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{11}
-}
-func (m *FieldsV1) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FieldsV1) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FieldsV1) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FieldsV1.Merge(m, src)
-}
-func (m *FieldsV1) XXX_Size() int {
-	return m.Size()
-}
-func (m *FieldsV1) XXX_DiscardUnknown() {
-	xxx_messageInfo_FieldsV1.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FieldsV1 proto.InternalMessageInfo
-
-func (m *GetOptions) Reset()      { *m = GetOptions{} }
-func (*GetOptions) ProtoMessage() {}
-func (*GetOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{12}
-}
-func (m *GetOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GetOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GetOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GetOptions.Merge(m, src)
-}
-func (m *GetOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *GetOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_GetOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GetOptions proto.InternalMessageInfo
-
-func (m *GroupKind) Reset()      { *m = GroupKind{} }
-func (*GroupKind) ProtoMessage() {}
-func (*GroupKind) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{13}
-}
-func (m *GroupKind) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupKind) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupKind) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupKind.Merge(m, src)
-}
-func (m *GroupKind) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupKind) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupKind.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupKind proto.InternalMessageInfo
-
-func (m *GroupResource) Reset()      { *m = GroupResource{} }
-func (*GroupResource) ProtoMessage() {}
-func (*GroupResource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{14}
-}
-func (m *GroupResource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupResource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupResource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupResource.Merge(m, src)
-}
-func (m *GroupResource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupResource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupResource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupResource proto.InternalMessageInfo
-
-func (m *GroupVersion) Reset()      { *m = GroupVersion{} }
-func (*GroupVersion) ProtoMessage() {}
-func (*GroupVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{15}
-}
-func (m *GroupVersion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupVersion.Merge(m, src)
-}
-func (m *GroupVersion) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupVersion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupVersion proto.InternalMessageInfo
-
-func (m *GroupVersionForDiscovery) Reset()      { *m = GroupVersionForDiscovery{} }
-func (*GroupVersionForDiscovery) ProtoMessage() {}
-func (*GroupVersionForDiscovery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{16}
-}
-func (m *GroupVersionForDiscovery) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupVersionForDiscovery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupVersionForDiscovery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupVersionForDiscovery.Merge(m, src)
-}
-func (m *GroupVersionForDiscovery) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupVersionForDiscovery) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupVersionForDiscovery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupVersionForDiscovery proto.InternalMessageInfo
-
-func (m *GroupVersionKind) Reset()      { *m = GroupVersionKind{} }
-func (*GroupVersionKind) ProtoMessage() {}
-func (*GroupVersionKind) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{17}
-}
-func (m *GroupVersionKind) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupVersionKind) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupVersionKind) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupVersionKind.Merge(m, src)
-}
-func (m *GroupVersionKind) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupVersionKind) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupVersionKind.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupVersionKind proto.InternalMessageInfo
-
-func (m *GroupVersionResource) Reset()      { *m = GroupVersionResource{} }
-func (*GroupVersionResource) ProtoMessage() {}
-func (*GroupVersionResource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{18}
-}
-func (m *GroupVersionResource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupVersionResource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupVersionResource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupVersionResource.Merge(m, src)
-}
-func (m *GroupVersionResource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupVersionResource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupVersionResource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupVersionResource proto.InternalMessageInfo
-
-func (m *LabelSelector) Reset()      { *m = LabelSelector{} }
-func (*LabelSelector) ProtoMessage() {}
-func (*LabelSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{19}
-}
-func (m *LabelSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LabelSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LabelSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LabelSelector.Merge(m, src)
-}
-func (m *LabelSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *LabelSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_LabelSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LabelSelector proto.InternalMessageInfo
-
-func (m *LabelSelectorRequirement) Reset()      { *m = LabelSelectorRequirement{} }
-func (*LabelSelectorRequirement) ProtoMessage() {}
-func (*LabelSelectorRequirement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{20}
-}
-func (m *LabelSelectorRequirement) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LabelSelectorRequirement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LabelSelectorRequirement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LabelSelectorRequirement.Merge(m, src)
-}
-func (m *LabelSelectorRequirement) XXX_Size() int {
-	return m.Size()
-}
-func (m *LabelSelectorRequirement) XXX_DiscardUnknown() {
-	xxx_messageInfo_LabelSelectorRequirement.DiscardUnknown(m)
-}
+func (m *APIGroup) Reset() { *m = APIGroup{} }
 
-var xxx_messageInfo_LabelSelectorRequirement proto.InternalMessageInfo
+func (m *APIGroupList) Reset() { *m = APIGroupList{} }
 
-func (m *List) Reset()      { *m = List{} }
-func (*List) ProtoMessage() {}
-func (*List) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{21}
-}
-func (m *List) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *List) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *List) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_List.Merge(m, src)
-}
-func (m *List) XXX_Size() int {
-	return m.Size()
-}
-func (m *List) XXX_DiscardUnknown() {
-	xxx_messageInfo_List.DiscardUnknown(m)
-}
+func (m *APIResource) Reset() { *m = APIResource{} }
 
-var xxx_messageInfo_List proto.InternalMessageInfo
+func (m *APIResourceList) Reset() { *m = APIResourceList{} }
 
-func (m *ListMeta) Reset()      { *m = ListMeta{} }
-func (*ListMeta) ProtoMessage() {}
-func (*ListMeta) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{22}
-}
-func (m *ListMeta) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ListMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ListMeta) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ListMeta.Merge(m, src)
-}
-func (m *ListMeta) XXX_Size() int {
-	return m.Size()
-}
-func (m *ListMeta) XXX_DiscardUnknown() {
-	xxx_messageInfo_ListMeta.DiscardUnknown(m)
-}
+func (m *APIVersions) Reset() { *m = APIVersions{} }
 
-var xxx_messageInfo_ListMeta proto.InternalMessageInfo
+func (m *ApplyOptions) Reset() { *m = ApplyOptions{} }
 
-func (m *ListOptions) Reset()      { *m = ListOptions{} }
-func (*ListOptions) ProtoMessage() {}
-func (*ListOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{23}
-}
-func (m *ListOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ListOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ListOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ListOptions.Merge(m, src)
-}
-func (m *ListOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *ListOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_ListOptions.DiscardUnknown(m)
-}
+func (m *Condition) Reset() { *m = Condition{} }
 
-var xxx_messageInfo_ListOptions proto.InternalMessageInfo
+func (m *CreateOptions) Reset() { *m = CreateOptions{} }
 
-func (m *ManagedFieldsEntry) Reset()      { *m = ManagedFieldsEntry{} }
-func (*ManagedFieldsEntry) ProtoMessage() {}
-func (*ManagedFieldsEntry) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{24}
-}
-func (m *ManagedFieldsEntry) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ManagedFieldsEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ManagedFieldsEntry) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ManagedFieldsEntry.Merge(m, src)
-}
-func (m *ManagedFieldsEntry) XXX_Size() int {
-	return m.Size()
-}
-func (m *ManagedFieldsEntry) XXX_DiscardUnknown() {
-	xxx_messageInfo_ManagedFieldsEntry.DiscardUnknown(m)
-}
+func (m *DeleteOptions) Reset() { *m = DeleteOptions{} }
 
-var xxx_messageInfo_ManagedFieldsEntry proto.InternalMessageInfo
+func (m *Duration) Reset() { *m = Duration{} }
 
-func (m *MicroTime) Reset()      { *m = MicroTime{} }
-func (*MicroTime) ProtoMessage() {}
-func (*MicroTime) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{25}
-}
-func (m *MicroTime) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_MicroTime.Unmarshal(m, b)
-}
-func (m *MicroTime) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_MicroTime.Marshal(b, m, deterministic)
-}
-func (m *MicroTime) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MicroTime.Merge(m, src)
-}
-func (m *MicroTime) XXX_Size() int {
-	return xxx_messageInfo_MicroTime.Size(m)
-}
-func (m *MicroTime) XXX_DiscardUnknown() {
-	xxx_messageInfo_MicroTime.DiscardUnknown(m)
-}
+func (m *FieldSelectorRequirement) Reset() { *m = FieldSelectorRequirement{} }
 
-var xxx_messageInfo_MicroTime proto.InternalMessageInfo
+func (m *FieldsV1) Reset() { *m = FieldsV1{} }
 
-func (m *ObjectMeta) Reset()      { *m = ObjectMeta{} }
-func (*ObjectMeta) ProtoMessage() {}
-func (*ObjectMeta) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{26}
-}
-func (m *ObjectMeta) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectMeta) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectMeta.Merge(m, src)
-}
-func (m *ObjectMeta) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectMeta) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectMeta.DiscardUnknown(m)
-}
+func (m *GetOptions) Reset() { *m = GetOptions{} }
 
-var xxx_messageInfo_ObjectMeta proto.InternalMessageInfo
+func (m *GroupKind) Reset() { *m = GroupKind{} }
 
-func (m *OwnerReference) Reset()      { *m = OwnerReference{} }
-func (*OwnerReference) ProtoMessage() {}
-func (*OwnerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{27}
-}
-func (m *OwnerReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OwnerReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OwnerReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OwnerReference.Merge(m, src)
-}
-func (m *OwnerReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *OwnerReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_OwnerReference.DiscardUnknown(m)
-}
+func (m *GroupResource) Reset() { *m = GroupResource{} }
 
-var xxx_messageInfo_OwnerReference proto.InternalMessageInfo
+func (m *GroupVersion) Reset() { *m = GroupVersion{} }
 
-func (m *PartialObjectMetadata) Reset()      { *m = PartialObjectMetadata{} }
-func (*PartialObjectMetadata) ProtoMessage() {}
-func (*PartialObjectMetadata) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{28}
-}
-func (m *PartialObjectMetadata) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PartialObjectMetadata) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PartialObjectMetadata) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PartialObjectMetadata.Merge(m, src)
-}
-func (m *PartialObjectMetadata) XXX_Size() int {
-	return m.Size()
-}
-func (m *PartialObjectMetadata) XXX_DiscardUnknown() {
-	xxx_messageInfo_PartialObjectMetadata.DiscardUnknown(m)
-}
+func (m *GroupVersionForDiscovery) Reset() { *m = GroupVersionForDiscovery{} }
 
-var xxx_messageInfo_PartialObjectMetadata proto.InternalMessageInfo
+func (m *GroupVersionKind) Reset() { *m = GroupVersionKind{} }
 
-func (m *PartialObjectMetadataList) Reset()      { *m = PartialObjectMetadataList{} }
-func (*PartialObjectMetadataList) ProtoMessage() {}
-func (*PartialObjectMetadataList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{29}
-}
-func (m *PartialObjectMetadataList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PartialObjectMetadataList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PartialObjectMetadataList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PartialObjectMetadataList.Merge(m, src)
-}
-func (m *PartialObjectMetadataList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PartialObjectMetadataList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PartialObjectMetadataList.DiscardUnknown(m)
-}
+func (m *GroupVersionResource) Reset() { *m = GroupVersionResource{} }
 
-var xxx_messageInfo_PartialObjectMetadataList proto.InternalMessageInfo
+func (m *LabelSelector) Reset() { *m = LabelSelector{} }
 
-func (m *Patch) Reset()      { *m = Patch{} }
-func (*Patch) ProtoMessage() {}
-func (*Patch) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{30}
-}
-func (m *Patch) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Patch) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Patch) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Patch.Merge(m, src)
-}
-func (m *Patch) XXX_Size() int {
-	return m.Size()
-}
-func (m *Patch) XXX_DiscardUnknown() {
-	xxx_messageInfo_Patch.DiscardUnknown(m)
-}
+func (m *LabelSelectorRequirement) Reset() { *m = LabelSelectorRequirement{} }
 
-var xxx_messageInfo_Patch proto.InternalMessageInfo
+func (m *List) Reset() { *m = List{} }
 
-func (m *PatchOptions) Reset()      { *m = PatchOptions{} }
-func (*PatchOptions) ProtoMessage() {}
-func (*PatchOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{31}
-}
-func (m *PatchOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PatchOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PatchOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PatchOptions.Merge(m, src)
-}
-func (m *PatchOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *PatchOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_PatchOptions.DiscardUnknown(m)
-}
+func (m *ListMeta) Reset() { *m = ListMeta{} }
 
-var xxx_messageInfo_PatchOptions proto.InternalMessageInfo
+func (m *ListOptions) Reset() { *m = ListOptions{} }
 
-func (m *Preconditions) Reset()      { *m = Preconditions{} }
-func (*Preconditions) ProtoMessage() {}
-func (*Preconditions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{32}
-}
-func (m *Preconditions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Preconditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Preconditions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Preconditions.Merge(m, src)
-}
-func (m *Preconditions) XXX_Size() int {
-	return m.Size()
-}
-func (m *Preconditions) XXX_DiscardUnknown() {
-	xxx_messageInfo_Preconditions.DiscardUnknown(m)
-}
+func (m *ManagedFieldsEntry) Reset() { *m = ManagedFieldsEntry{} }
 
-var xxx_messageInfo_Preconditions proto.InternalMessageInfo
+func (m *MicroTime) Reset() { *m = MicroTime{} }
 
-func (m *RootPaths) Reset()      { *m = RootPaths{} }
-func (*RootPaths) ProtoMessage() {}
-func (*RootPaths) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{33}
-}
-func (m *RootPaths) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RootPaths) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RootPaths) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RootPaths.Merge(m, src)
-}
-func (m *RootPaths) XXX_Size() int {
-	return m.Size()
-}
-func (m *RootPaths) XXX_DiscardUnknown() {
-	xxx_messageInfo_RootPaths.DiscardUnknown(m)
-}
+func (m *ObjectMeta) Reset() { *m = ObjectMeta{} }
 
-var xxx_messageInfo_RootPaths proto.InternalMessageInfo
+func (m *OwnerReference) Reset() { *m = OwnerReference{} }
 
-func (m *ServerAddressByClientCIDR) Reset()      { *m = ServerAddressByClientCIDR{} }
-func (*ServerAddressByClientCIDR) ProtoMessage() {}
-func (*ServerAddressByClientCIDR) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{34}
-}
-func (m *ServerAddressByClientCIDR) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServerAddressByClientCIDR) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServerAddressByClientCIDR) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServerAddressByClientCIDR.Merge(m, src)
-}
-func (m *ServerAddressByClientCIDR) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServerAddressByClientCIDR) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServerAddressByClientCIDR.DiscardUnknown(m)
-}
+func (m *PartialObjectMetadata) Reset() { *m = PartialObjectMetadata{} }
 
-var xxx_messageInfo_ServerAddressByClientCIDR proto.InternalMessageInfo
+func (m *PartialObjectMetadataList) Reset() { *m = PartialObjectMetadataList{} }
 
-func (m *Status) Reset()      { *m = Status{} }
-func (*Status) ProtoMessage() {}
-func (*Status) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{35}
-}
-func (m *Status) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Status) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Status) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Status.Merge(m, src)
-}
-func (m *Status) XXX_Size() int {
-	return m.Size()
-}
-func (m *Status) XXX_DiscardUnknown() {
-	xxx_messageInfo_Status.DiscardUnknown(m)
-}
+func (m *Patch) Reset() { *m = Patch{} }
 
-var xxx_messageInfo_Status proto.InternalMessageInfo
+func (m *PatchOptions) Reset() { *m = PatchOptions{} }
 
-func (m *StatusCause) Reset()      { *m = StatusCause{} }
-func (*StatusCause) ProtoMessage() {}
-func (*StatusCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{36}
-}
-func (m *StatusCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatusCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatusCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatusCause.Merge(m, src)
-}
-func (m *StatusCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatusCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatusCause.DiscardUnknown(m)
-}
+func (m *Preconditions) Reset() { *m = Preconditions{} }
 
-var xxx_messageInfo_StatusCause proto.InternalMessageInfo
+func (m *RootPaths) Reset() { *m = RootPaths{} }
 
-func (m *StatusDetails) Reset()      { *m = StatusDetails{} }
-func (*StatusDetails) ProtoMessage() {}
-func (*StatusDetails) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{37}
-}
-func (m *StatusDetails) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StatusDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StatusDetails) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StatusDetails.Merge(m, src)
-}
-func (m *StatusDetails) XXX_Size() int {
-	return m.Size()
-}
-func (m *StatusDetails) XXX_DiscardUnknown() {
-	xxx_messageInfo_StatusDetails.DiscardUnknown(m)
-}
+func (m *ServerAddressByClientCIDR) Reset() { *m = ServerAddressByClientCIDR{} }
 
-var xxx_messageInfo_StatusDetails proto.InternalMessageInfo
+func (m *Status) Reset() { *m = Status{} }
 
-func (m *TableOptions) Reset()      { *m = TableOptions{} }
-func (*TableOptions) ProtoMessage() {}
-func (*TableOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{38}
-}
-func (m *TableOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TableOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TableOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TableOptions.Merge(m, src)
-}
-func (m *TableOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *TableOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_TableOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TableOptions proto.InternalMessageInfo
-
-func (m *Time) Reset()      { *m = Time{} }
-func (*Time) ProtoMessage() {}
-func (*Time) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{39}
-}
-func (m *Time) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Time.Unmarshal(m, b)
-}
-func (m *Time) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Time.Marshal(b, m, deterministic)
-}
-func (m *Time) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Time.Merge(m, src)
-}
-func (m *Time) XXX_Size() int {
-	return xxx_messageInfo_Time.Size(m)
-}
-func (m *Time) XXX_DiscardUnknown() {
-	xxx_messageInfo_Time.DiscardUnknown(m)
-}
+func (m *StatusCause) Reset() { *m = StatusCause{} }
 
-var xxx_messageInfo_Time proto.InternalMessageInfo
+func (m *StatusDetails) Reset() { *m = StatusDetails{} }
 
-func (m *Timestamp) Reset()      { *m = Timestamp{} }
-func (*Timestamp) ProtoMessage() {}
-func (*Timestamp) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{40}
-}
-func (m *Timestamp) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Timestamp) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Timestamp) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Timestamp.Merge(m, src)
-}
-func (m *Timestamp) XXX_Size() int {
-	return m.Size()
-}
-func (m *Timestamp) XXX_DiscardUnknown() {
-	xxx_messageInfo_Timestamp.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Timestamp proto.InternalMessageInfo
-
-func (m *TypeMeta) Reset()      { *m = TypeMeta{} }
-func (*TypeMeta) ProtoMessage() {}
-func (*TypeMeta) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{41}
-}
-func (m *TypeMeta) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypeMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypeMeta) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypeMeta.Merge(m, src)
-}
-func (m *TypeMeta) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypeMeta) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypeMeta.DiscardUnknown(m)
-}
+func (m *TableOptions) Reset() { *m = TableOptions{} }
 
-var xxx_messageInfo_TypeMeta proto.InternalMessageInfo
+func (m *Time) Reset() { *m = Time{} }
 
-func (m *UpdateOptions) Reset()      { *m = UpdateOptions{} }
-func (*UpdateOptions) ProtoMessage() {}
-func (*UpdateOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{42}
-}
-func (m *UpdateOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UpdateOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UpdateOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UpdateOptions.Merge(m, src)
-}
-func (m *UpdateOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *UpdateOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_UpdateOptions.DiscardUnknown(m)
-}
+func (m *Timestamp) Reset() { *m = Timestamp{} }
 
-var xxx_messageInfo_UpdateOptions proto.InternalMessageInfo
+func (m *TypeMeta) Reset() { *m = TypeMeta{} }
 
-func (m *Verbs) Reset()      { *m = Verbs{} }
-func (*Verbs) ProtoMessage() {}
-func (*Verbs) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{43}
-}
-func (m *Verbs) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Verbs) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Verbs) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Verbs.Merge(m, src)
-}
-func (m *Verbs) XXX_Size() int {
-	return m.Size()
-}
-func (m *Verbs) XXX_DiscardUnknown() {
-	xxx_messageInfo_Verbs.DiscardUnknown(m)
-}
+func (m *UpdateOptions) Reset() { *m = UpdateOptions{} }
 
-var xxx_messageInfo_Verbs proto.InternalMessageInfo
+func (m *Verbs) Reset() { *m = Verbs{} }
 
-func (m *WatchEvent) Reset()      { *m = WatchEvent{} }
-func (*WatchEvent) ProtoMessage() {}
-func (*WatchEvent) Descriptor() ([]byte, []int) {
-	return fileDescriptor_a8431b6e0aeeb761, []int{44}
-}
-func (m *WatchEvent) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WatchEvent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WatchEvent) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WatchEvent.Merge(m, src)
-}
-func (m *WatchEvent) XXX_Size() int {
-	return m.Size()
-}
-func (m *WatchEvent) XXX_DiscardUnknown() {
-	xxx_messageInfo_WatchEvent.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WatchEvent proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*APIGroup)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIGroup")
-	proto.RegisterType((*APIGroupList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIGroupList")
-	proto.RegisterType((*APIResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIResource")
-	proto.RegisterType((*APIResourceList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIResourceList")
-	proto.RegisterType((*APIVersions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIVersions")
-	proto.RegisterType((*ApplyOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ApplyOptions")
-	proto.RegisterType((*Condition)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Condition")
-	proto.RegisterType((*CreateOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.CreateOptions")
-	proto.RegisterType((*DeleteOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions")
-	proto.RegisterType((*Duration)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Duration")
-	proto.RegisterType((*FieldSelectorRequirement)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement")
-	proto.RegisterType((*FieldsV1)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1")
-	proto.RegisterType((*GetOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GetOptions")
-	proto.RegisterType((*GroupKind)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupKind")
-	proto.RegisterType((*GroupResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupResource")
-	proto.RegisterType((*GroupVersion)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersion")
-	proto.RegisterType((*GroupVersionForDiscovery)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery")
-	proto.RegisterType((*GroupVersionKind)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind")
-	proto.RegisterType((*GroupVersionResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource")
-	proto.RegisterType((*LabelSelector)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector.MatchLabelsEntry")
-	proto.RegisterType((*LabelSelectorRequirement)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement")
-	proto.RegisterType((*List)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.List")
-	proto.RegisterType((*ListMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta")
-	proto.RegisterType((*ListOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ListOptions")
-	proto.RegisterType((*ManagedFieldsEntry)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry")
-	proto.RegisterType((*MicroTime)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime")
-	proto.RegisterType((*ObjectMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.AnnotationsEntry")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.LabelsEntry")
-	proto.RegisterType((*OwnerReference)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference")
-	proto.RegisterType((*PartialObjectMetadata)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.PartialObjectMetadata")
-	proto.RegisterType((*PartialObjectMetadataList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.PartialObjectMetadataList")
-	proto.RegisterType((*Patch)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Patch")
-	proto.RegisterType((*PatchOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.PatchOptions")
-	proto.RegisterType((*Preconditions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Preconditions")
-	proto.RegisterType((*RootPaths)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.RootPaths")
-	proto.RegisterType((*ServerAddressByClientCIDR)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR")
-	proto.RegisterType((*Status)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Status")
-	proto.RegisterType((*StatusCause)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.StatusCause")
-	proto.RegisterType((*StatusDetails)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.StatusDetails")
-	proto.RegisterType((*TableOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.TableOptions")
-	proto.RegisterType((*Time)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Time")
-	proto.RegisterType((*Timestamp)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Timestamp")
-	proto.RegisterType((*TypeMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.TypeMeta")
-	proto.RegisterType((*UpdateOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.UpdateOptions")
-	proto.RegisterType((*Verbs)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Verbs")
-	proto.RegisterType((*WatchEvent)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.WatchEvent")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto", fileDescriptor_a8431b6e0aeeb761)
-}
-
-var fileDescriptor_a8431b6e0aeeb761 = []byte{
-	// 2928 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x3a, 0x4d, 0x6c, 0x24, 0x47,
-	0xd5, 0xee, 0xf9, 0xb1, 0x67, 0xde, 0x78, 0xfc, 0x53, 0xeb, 0xfd, 0xbe, 0x59, 0x23, 0x3c, 0x4e,
-	0x27, 0x8a, 0x36, 0x90, 0x8c, 0x77, 0x97, 0x25, 0xda, 0x6c, 0x48, 0xc0, 0xe3, 0x59, 0x6f, 0x9c,
-	0xac, 0x63, 0xab, 0xbc, 0xbb, 0x81, 0x10, 0xa1, 0x94, 0xa7, 0xcb, 0xe3, 0xc6, 0x3d, 0xdd, 0x93,
-	0xaa, 0x1e, 0x6f, 0x06, 0x0e, 0xe4, 0x00, 0x12, 0x48, 0x28, 0x0a, 0x37, 0x4e, 0x28, 0x11, 0x9c,
-	0x38, 0x21, 0x4e, 0xdc, 0x41, 0x22, 0xc7, 0x20, 0x2e, 0x91, 0x40, 0xa3, 0xac, 0x39, 0x70, 0x44,
-	0x5c, 0x2d, 0x24, 0x50, 0xfd, 0xf4, 0xdf, 0xfc, 0xac, 0x7b, 0x76, 0x97, 0x88, 0xdb, 0xf4, 0xfb,
-	0xaf, 0xaa, 0xf7, 0x5e, 0xbd, 0xf7, 0x6a, 0xe0, 0xea, 0xd1, 0x35, 0x5e, 0xb3, 0xbd, 0x35, 0xd2,
-	0xb1, 0xdb, 0xa4, 0x79, 0x68, 0xbb, 0x94, 0xf5, 0xd6, 0x3a, 0x47, 0x2d, 0x01, 0xe0, 0x6b, 0x6d,
-	0xea, 0x93, 0xb5, 0xe3, 0xcb, 0x6b, 0x2d, 0xea, 0x52, 0x46, 0x7c, 0x6a, 0xd5, 0x3a, 0xcc, 0xf3,
-	0x3d, 0xf4, 0x94, 0xe2, 0xaa, 0xc5, 0xb9, 0x6a, 0x9d, 0xa3, 0x96, 0x00, 0xf0, 0x9a, 0xe0, 0xaa,
-	0x1d, 0x5f, 0x5e, 0x7e, 0xae, 0x65, 0xfb, 0x87, 0xdd, 0xfd, 0x5a, 0xd3, 0x6b, 0xaf, 0xb5, 0xbc,
-	0x96, 0xb7, 0x26, 0x99, 0xf7, 0xbb, 0x07, 0xf2, 0x4b, 0x7e, 0xc8, 0x5f, 0x4a, 0xe8, 0xf2, 0xda,
-	0x38, 0x53, 0x58, 0xd7, 0xf5, 0xed, 0x36, 0x1d, 0xb4, 0x62, 0xf9, 0xf9, 0xb3, 0x18, 0x78, 0xf3,
-	0x90, 0xb6, 0xc9, 0x20, 0x9f, 0xf9, 0xc7, 0x2c, 0x14, 0xd6, 0x77, 0xb7, 0x6e, 0x32, 0xaf, 0xdb,
-	0x41, 0xab, 0x90, 0x73, 0x49, 0x9b, 0x56, 0x8c, 0x55, 0xe3, 0x62, 0xb1, 0x3e, 0xfb, 0x71, 0xbf,
-	0x3a, 0x75, 0xd2, 0xaf, 0xe6, 0x5e, 0x27, 0x6d, 0x8a, 0x25, 0x06, 0x39, 0x50, 0x38, 0xa6, 0x8c,
-	0xdb, 0x9e, 0xcb, 0x2b, 0x99, 0xd5, 0xec, 0xc5, 0xd2, 0x95, 0x97, 0x6b, 0x69, 0xd6, 0x5f, 0x93,
-	0x0a, 0xee, 0x2a, 0xd6, 0x4d, 0x8f, 0x35, 0x6c, 0xde, 0xf4, 0x8e, 0x29, 0xeb, 0xd5, 0x17, 0xb4,
-	0x96, 0x82, 0x46, 0x72, 0x1c, 0x6a, 0x40, 0x3f, 0x34, 0x60, 0xa1, 0xc3, 0xe8, 0x01, 0x65, 0x8c,
-	0x5a, 0x1a, 0x5f, 0xc9, 0xae, 0x1a, 0x8f, 0x41, 0x6d, 0x45, 0xab, 0x5d, 0xd8, 0x1d, 0x90, 0x8f,
-	0x87, 0x34, 0xa2, 0x5f, 0x1a, 0xb0, 0xcc, 0x29, 0x3b, 0xa6, 0x6c, 0xdd, 0xb2, 0x18, 0xe5, 0xbc,
-	0xde, 0xdb, 0x70, 0x6c, 0xea, 0xfa, 0x1b, 0x5b, 0x0d, 0xcc, 0x2b, 0x39, 0xb9, 0x0f, 0x5f, 0x4f,
-	0x67, 0xd0, 0xde, 0x38, 0x39, 0x75, 0x53, 0x5b, 0xb4, 0x3c, 0x96, 0x84, 0xe3, 0x07, 0x98, 0x61,
-	0x1e, 0xc0, 0x6c, 0x70, 0x90, 0xb7, 0x6c, 0xee, 0xa3, 0xbb, 0x30, 0xdd, 0x12, 0x1f, 0xbc, 0x62,
-	0x48, 0x03, 0x6b, 0xe9, 0x0c, 0x0c, 0x64, 0xd4, 0xe7, 0xb4, 0x3d, 0xd3, 0xf2, 0x93, 0x63, 0x2d,
-	0xcd, 0xfc, 0x49, 0x0e, 0x4a, 0xeb, 0xbb, 0x5b, 0x98, 0x72, 0xaf, 0xcb, 0x9a, 0x34, 0x85, 0xd3,
-	0x5c, 0x83, 0x59, 0x6e, 0xbb, 0xad, 0xae, 0x43, 0x98, 0x80, 0x56, 0xa6, 0x25, 0xe5, 0x92, 0xa6,
-	0x9c, 0xdd, 0x8b, 0xe1, 0x70, 0x82, 0x12, 0x5d, 0x01, 0x10, 0x12, 0x78, 0x87, 0x34, 0xa9, 0x55,
-	0xc9, 0xac, 0x1a, 0x17, 0x0b, 0x75, 0xa4, 0xf9, 0xe0, 0xf5, 0x10, 0x83, 0x63, 0x54, 0xe8, 0x49,
-	0xc8, 0x4b, 0x4b, 0x2b, 0x05, 0xa9, 0xa6, 0xac, 0xc9, 0xf3, 0x72, 0x19, 0x58, 0xe1, 0xd0, 0x33,
-	0x30, 0xa3, 0xbd, 0xac, 0x52, 0x94, 0x64, 0xf3, 0x9a, 0x6c, 0x26, 0x70, 0x83, 0x00, 0x2f, 0xd6,
-	0x77, 0x64, 0xbb, 0x96, 0xf4, 0xbb, 0xd8, 0xfa, 0x5e, 0xb3, 0x5d, 0x0b, 0x4b, 0x0c, 0xba, 0x05,
-	0xf9, 0x63, 0xca, 0xf6, 0x85, 0x27, 0x08, 0xd7, 0xfc, 0x72, 0xba, 0x8d, 0xbe, 0x2b, 0x58, 0xea,
-	0x45, 0x61, 0x9a, 0xfc, 0x89, 0x95, 0x10, 0x54, 0x03, 0xe0, 0x87, 0x1e, 0xf3, 0xe5, 0xf2, 0x2a,
-	0xf9, 0xd5, 0xec, 0xc5, 0x62, 0x7d, 0x4e, 0xac, 0x77, 0x2f, 0x84, 0xe2, 0x18, 0x85, 0xa0, 0x6f,
-	0x12, 0x9f, 0xb6, 0x3c, 0x66, 0x53, 0x5e, 0x99, 0x89, 0xe8, 0x37, 0x42, 0x28, 0x8e, 0x51, 0xa0,
-	0x57, 0x01, 0x71, 0xdf, 0x63, 0xa4, 0x45, 0xf5, 0x52, 0x5f, 0x21, 0xfc, 0xb0, 0x02, 0x72, 0x75,
-	0xcb, 0x7a, 0x75, 0x68, 0x6f, 0x88, 0x02, 0x8f, 0xe0, 0x32, 0x7f, 0x6b, 0xc0, 0x7c, 0xcc, 0x17,
-	0xa4, 0xdf, 0x5d, 0x83, 0xd9, 0x56, 0x2c, 0xea, 0xb4, 0x5f, 0x84, 0xa7, 0x1d, 0x8f, 0x48, 0x9c,
-	0xa0, 0x44, 0x14, 0x8a, 0x4c, 0x4b, 0x0a, 0xb2, 0xcb, 0xe5, 0xd4, 0x4e, 0x1b, 0xd8, 0x10, 0x69,
-	0x8a, 0x01, 0x39, 0x8e, 0x24, 0x9b, 0x7f, 0x37, 0xa4, 0x03, 0x07, 0xf9, 0x06, 0x5d, 0x8c, 0xe5,
-	0x34, 0x43, 0x6e, 0xdf, 0xec, 0x98, 0x7c, 0x74, 0x46, 0x22, 0xc8, 0xfc, 0x4f, 0x24, 0x82, 0xeb,
-	0x85, 0x9f, 0x7f, 0x58, 0x9d, 0x7a, 0xef, 0xaf, 0xab, 0x53, 0xe6, 0xcf, 0x0c, 0x98, 0x5d, 0xef,
-	0x74, 0x9c, 0xde, 0x4e, 0xc7, 0x97, 0x0b, 0x30, 0x61, 0xda, 0x62, 0x3d, 0xdc, 0x75, 0xf5, 0x42,
-	0x41, 0xc4, 0x77, 0x43, 0x42, 0xb0, 0xc6, 0x88, 0xf8, 0x39, 0xf0, 0x58, 0x93, 0xea, 0x70, 0x0b,
-	0xe3, 0x67, 0x53, 0x00, 0xb1, 0xc2, 0x89, 0x43, 0x3e, 0xb0, 0xa9, 0x63, 0x6d, 0x13, 0x97, 0xb4,
-	0x28, 0xd3, 0xc1, 0x11, 0x6e, 0xfd, 0x66, 0x0c, 0x87, 0x13, 0x94, 0xe6, 0xbf, 0x33, 0x50, 0xdc,
-	0xf0, 0x5c, 0xcb, 0xf6, 0x75, 0x70, 0xf9, 0xbd, 0xce, 0x50, 0xf2, 0xb8, 0xdd, 0xeb, 0x50, 0x2c,
-	0x31, 0xe8, 0x05, 0x98, 0xe6, 0x3e, 0xf1, 0xbb, 0x5c, 0xda, 0x53, 0xac, 0x3f, 0x11, 0xa4, 0xa5,
-	0x3d, 0x09, 0x3d, 0xed, 0x57, 0xe7, 0x43, 0x71, 0x0a, 0x84, 0x35, 0x83, 0xf0, 0x74, 0x6f, 0x5f,
-	0x6e, 0x94, 0x75, 0x53, 0x5d, 0x7b, 0xc1, 0xfd, 0x91, 0x8d, 0x3c, 0x7d, 0x67, 0x88, 0x02, 0x8f,
-	0xe0, 0x42, 0xc7, 0x80, 0x1c, 0xc2, 0xfd, 0xdb, 0x8c, 0xb8, 0x5c, 0xea, 0xba, 0x6d, 0xb7, 0xa9,
-	0x0e, 0xf8, 0x2f, 0xa5, 0x3b, 0x71, 0xc1, 0x11, 0xe9, 0xbd, 0x35, 0x24, 0x0d, 0x8f, 0xd0, 0x80,
-	0x9e, 0x86, 0x69, 0x46, 0x09, 0xf7, 0xdc, 0x4a, 0x5e, 0x2e, 0x3f, 0xcc, 0xca, 0x58, 0x42, 0xb1,
-	0xc6, 0x8a, 0x84, 0xd6, 0xa6, 0x9c, 0x93, 0x56, 0x90, 0x5e, 0xc3, 0x84, 0xb6, 0xad, 0xc0, 0x38,
-	0xc0, 0x9b, 0xbf, 0x31, 0xa0, 0xbc, 0xc1, 0x28, 0xf1, 0xe9, 0x24, 0x6e, 0xf1, 0xd0, 0x27, 0x8e,
-	0xd6, 0x61, 0x5e, 0x7e, 0xdf, 0x25, 0x8e, 0x6d, 0xa9, 0x33, 0xc8, 0x49, 0xe6, 0xff, 0xd7, 0xcc,
-	0xf3, 0x9b, 0x49, 0x34, 0x1e, 0xa4, 0x37, 0x7f, 0x9d, 0x83, 0x72, 0x83, 0x3a, 0x34, 0x32, 0x79,
-	0x13, 0x50, 0x8b, 0x91, 0x26, 0xdd, 0xa5, 0xcc, 0xf6, 0xac, 0x3d, 0xda, 0xf4, 0x5c, 0x8b, 0x4b,
-	0x37, 0xca, 0xd6, 0xff, 0x4f, 0xec, 0xef, 0xcd, 0x21, 0x2c, 0x1e, 0xc1, 0x81, 0x1c, 0x28, 0x77,
-	0x98, 0xfc, 0x2d, 0xf7, 0x5c, 0x79, 0x59, 0xe9, 0xca, 0x57, 0xd2, 0x1d, 0xe9, 0x6e, 0x9c, 0xb5,
-	0xbe, 0x78, 0xd2, 0xaf, 0x96, 0x13, 0x20, 0x9c, 0x14, 0x8e, 0xbe, 0x01, 0x0b, 0x1e, 0xeb, 0x1c,
-	0x12, 0xb7, 0x41, 0x3b, 0xd4, 0xb5, 0xa8, 0xeb, 0x73, 0xb9, 0x91, 0x85, 0xfa, 0x92, 0xa8, 0x45,
-	0x76, 0x06, 0x70, 0x78, 0x88, 0x1a, 0xbd, 0x09, 0x8b, 0x1d, 0xe6, 0x75, 0x48, 0x4b, 0x6e, 0xcc,
-	0xae, 0xe7, 0xd8, 0xcd, 0x9e, 0xde, 0xce, 0x67, 0x4f, 0xfa, 0xd5, 0xc5, 0xdd, 0x41, 0xe4, 0x69,
-	0xbf, 0x7a, 0x4e, 0x6e, 0x9d, 0x80, 0x44, 0x48, 0x3c, 0x2c, 0x26, 0xe6, 0x06, 0xf9, 0xb1, 0x6e,
-	0xf0, 0xa1, 0x01, 0x97, 0xec, 0x96, 0xeb, 0x31, 0x2a, 0xae, 0x08, 0x8a, 0x29, 0xb1, 0x6e, 0x30,
-	0xe6, 0xb1, 0x37, 0x6c, 0xff, 0x70, 0xc3, 0xe9, 0x72, 0x9f, 0xb2, 0x3a, 0xa3, 0xe4, 0xc8, 0x76,
-	0x5b, 0xbb, 0x9e, 0x4f, 0x5d, 0xdf, 0x26, 0x8e, 0xf4, 0xc8, 0x42, 0xfd, 0xea, 0x49, 0xbf, 0x7a,
-	0x69, 0x6b, 0x42, 0x5e, 0x3c, 0xb1, 0x36, 0x73, 0x0b, 0x0a, 0x8d, 0xae, 0x0e, 0xdb, 0x97, 0xa0,
-	0x60, 0xe9, 0xdf, 0xda, 0x39, 0x82, 0xfc, 0x11, 0xd2, 0x9c, 0xf6, 0xab, 0x65, 0x51, 0x21, 0xd7,
-	0x02, 0x00, 0x0e, 0x59, 0xcc, 0x5f, 0x19, 0x50, 0x91, 0xce, 0xb9, 0x47, 0x1d, 0xda, 0xf4, 0x3d,
-	0x86, 0xe9, 0x3b, 0x5d, 0x9b, 0xd1, 0x36, 0x75, 0x7d, 0xf4, 0x45, 0xc8, 0x1e, 0xd1, 0x9e, 0x4e,
-	0x5d, 0x25, 0x2d, 0x36, 0xfb, 0x1a, 0xed, 0x61, 0x01, 0x47, 0x37, 0xa0, 0xe0, 0x75, 0x44, 0xfa,
-	0xf0, 0x98, 0x4e, 0x5d, 0xcf, 0x04, 0xaa, 0x77, 0x34, 0xfc, 0xb4, 0x5f, 0x3d, 0x9f, 0x10, 0x1f,
-	0x20, 0x70, 0xc8, 0x2a, 0x0e, 0xe5, 0x98, 0x38, 0x5d, 0x2a, 0x1c, 0x25, 0x3c, 0x94, 0xbb, 0x12,
-	0x82, 0x35, 0xc6, 0x7c, 0x1a, 0x0a, 0x52, 0x0c, 0xbf, 0x7b, 0x19, 0x2d, 0x40, 0x16, 0x93, 0x7b,
-	0xd2, 0xaa, 0x59, 0x2c, 0x7e, 0xc6, 0xee, 0x83, 0x1d, 0x80, 0x9b, 0xd4, 0x0f, 0x42, 0x68, 0x1d,
-	0xe6, 0x83, 0x4b, 0x31, 0x79, 0x57, 0x87, 0x71, 0x89, 0x93, 0x68, 0x3c, 0x48, 0x6f, 0xbe, 0x05,
-	0x45, 0x79, 0x9f, 0x8b, 0x62, 0x28, 0x2a, 0xbc, 0x8c, 0x07, 0x14, 0x5e, 0x41, 0x35, 0x95, 0x19,
-	0x57, 0x4d, 0xc5, 0xcc, 0x75, 0xa0, 0xac, 0x78, 0x83, 0x52, 0x33, 0x95, 0x86, 0x67, 0xa1, 0x10,
-	0x98, 0xa9, 0xb5, 0x84, 0x2d, 0x46, 0x20, 0x08, 0x87, 0x14, 0x31, 0x6d, 0x87, 0x90, 0xa8, 0x4d,
-	0xd2, 0x29, 0x8b, 0xd5, 0x91, 0x99, 0x07, 0xd7, 0x91, 0x31, 0x4d, 0x3f, 0x80, 0xca, 0xb8, 0xbe,
-	0xe4, 0x11, 0xaa, 0xa7, 0xf4, 0xa6, 0x98, 0xef, 0x1b, 0xb0, 0x10, 0x97, 0x94, 0xfe, 0xf8, 0xd2,
-	0x2b, 0x39, 0xbb, 0x6e, 0x8e, 0xed, 0xc8, 0x2f, 0x0c, 0x58, 0x4a, 0x2c, 0x6d, 0xa2, 0x13, 0x9f,
-	0xc0, 0xa8, 0xb8, 0x73, 0x64, 0x27, 0x70, 0x8e, 0x3f, 0x67, 0xa0, 0x7c, 0x8b, 0xec, 0x53, 0x27,
-	0x88, 0x54, 0xf4, 0x7d, 0x28, 0xb5, 0x89, 0xdf, 0x3c, 0x94, 0xd0, 0xa0, 0xc7, 0x6a, 0xa4, 0xbb,
-	0x36, 0x12, 0x92, 0x6a, 0xdb, 0x91, 0x98, 0x1b, 0xae, 0xcf, 0x7a, 0xf5, 0x73, 0xda, 0xa4, 0x52,
-	0x0c, 0x83, 0xe3, 0xda, 0x64, 0x63, 0x2c, 0xbf, 0x6f, 0xbc, 0xdb, 0x11, 0x05, 0xe0, 0xe4, 0xfd,
-	0x78, 0xc2, 0x84, 0x58, 0x56, 0x8b, 0x1a, 0xe3, 0xed, 0x01, 0xf9, 0x78, 0x48, 0xe3, 0xf2, 0xcb,
-	0xb0, 0x30, 0x68, 0xbc, 0xc8, 0x3f, 0x61, 0x56, 0x54, 0x89, 0x70, 0x09, 0xf2, 0x32, 0x4f, 0xa9,
-	0xc3, 0xc1, 0xea, 0xe3, 0x7a, 0xe6, 0x9a, 0x21, 0xd3, 0xeb, 0x38, 0x43, 0x1e, 0x53, 0x7a, 0x4d,
-	0x88, 0x7f, 0xc8, 0xf4, 0xfa, 0x3b, 0x03, 0x72, 0xb2, 0xb5, 0x79, 0x0b, 0x0a, 0x62, 0xff, 0x2c,
-	0xe2, 0x13, 0x69, 0x57, 0xea, 0xa6, 0x5a, 0x70, 0x6f, 0x53, 0x9f, 0x44, 0xde, 0x16, 0x40, 0x70,
-	0x28, 0x11, 0x61, 0xc8, 0xdb, 0x3e, 0x6d, 0x07, 0x07, 0xf9, 0xdc, 0x58, 0xd1, 0x7a, 0xa4, 0x53,
-	0xc3, 0xe4, 0xde, 0x8d, 0x77, 0x7d, 0xea, 0x8a, 0xc3, 0x88, 0x42, 0x63, 0x4b, 0xc8, 0xc0, 0x4a,
-	0x94, 0xf9, 0x4f, 0x03, 0x42, 0x55, 0xc2, 0xf9, 0x39, 0x75, 0x0e, 0x6e, 0xd9, 0xee, 0x91, 0xde,
-	0xd6, 0xd0, 0x9c, 0x3d, 0x0d, 0xc7, 0x21, 0xc5, 0xa8, 0xeb, 0x21, 0x33, 0xd9, 0xf5, 0x20, 0x14,
-	0x36, 0x3d, 0xd7, 0xb7, 0xdd, 0xee, 0x50, 0xb4, 0x6d, 0x68, 0x38, 0x0e, 0x29, 0x44, 0x49, 0xc7,
-	0x68, 0x9b, 0xd8, 0xae, 0xed, 0xb6, 0xc4, 0x22, 0x36, 0xbc, 0xae, 0xeb, 0xcb, 0xda, 0x46, 0x97,
-	0x74, 0x78, 0x08, 0x8b, 0x47, 0x70, 0x98, 0xff, 0xca, 0x41, 0x49, 0xac, 0x39, 0xb8, 0xe7, 0x5e,
-	0x84, 0xb2, 0x13, 0xf7, 0x02, 0xbd, 0xf6, 0xf3, 0xda, 0x94, 0x64, 0x5c, 0xe3, 0x24, 0xad, 0x60,
-	0x3e, 0x88, 0xdf, 0xd0, 0x7a, 0x0f, 0x42, 0xe6, 0x64, 0x75, 0x90, 0xa4, 0x15, 0xd9, 0xeb, 0x9e,
-	0x88, 0x0f, 0x5d, 0xe3, 0x85, 0x47, 0xf4, 0x86, 0x00, 0x62, 0x85, 0x43, 0xdb, 0x70, 0x8e, 0x38,
-	0x8e, 0x77, 0x4f, 0x02, 0xeb, 0x9e, 0x77, 0xd4, 0x26, 0xec, 0x88, 0xcb, 0xb1, 0x44, 0xa1, 0xfe,
-	0x05, 0xcd, 0x72, 0x6e, 0x7d, 0x98, 0x04, 0x8f, 0xe2, 0x1b, 0x75, 0x6c, 0xb9, 0x09, 0x8f, 0xed,
-	0x10, 0x96, 0x06, 0x40, 0x32, 0xca, 0xf5, 0x8c, 0xe0, 0xaa, 0x96, 0xb3, 0x84, 0x47, 0xd0, 0x9c,
-	0x8e, 0x81, 0xe3, 0x91, 0x12, 0xd1, 0x75, 0x98, 0x13, 0x9e, 0xec, 0x75, 0xfd, 0xa0, 0x82, 0xcf,
-	0xcb, 0xe3, 0x46, 0x27, 0xfd, 0xea, 0xdc, 0xed, 0x04, 0x06, 0x0f, 0x50, 0x8a, 0xcd, 0x75, 0xec,
-	0xb6, 0xed, 0x57, 0x66, 0x24, 0x4b, 0xb8, 0xb9, 0xb7, 0x04, 0x10, 0x2b, 0x5c, 0xc2, 0x03, 0x0b,
-	0x67, 0x7a, 0xe0, 0x06, 0x2c, 0x72, 0xea, 0x5a, 0x5b, 0xae, 0x2d, 0x0a, 0xc9, 0x1b, 0xc7, 0xb2,
-	0x3e, 0x2f, 0xc9, 0x83, 0x38, 0x2f, 0x8a, 0xeb, 0xbd, 0x41, 0x24, 0x1e, 0xa6, 0x37, 0xff, 0x94,
-	0x05, 0xa4, 0x5a, 0x1f, 0x4b, 0x15, 0x65, 0x2a, 0x2f, 0x8a, 0x06, 0x4d, 0xb7, 0x4e, 0xc6, 0x40,
-	0x83, 0xa6, 0xbb, 0xa6, 0x00, 0x8f, 0xb6, 0xa1, 0xa8, 0xf2, 0x53, 0x14, 0x73, 0x6b, 0x9a, 0xb8,
-	0xb8, 0x13, 0x20, 0x4e, 0xfb, 0xd5, 0xe5, 0x84, 0x9a, 0x10, 0x23, 0x9b, 0xe7, 0x48, 0x02, 0xba,
-	0x02, 0x40, 0x3a, 0x76, 0x7c, 0x7c, 0x5a, 0x8c, 0x86, 0x68, 0xd1, 0x20, 0x04, 0xc7, 0xa8, 0xd0,
-	0x2b, 0x90, 0xf3, 0x1f, 0xae, 0xc1, 0x2d, 0xc8, 0xfe, 0x5d, 0xb4, 0xb3, 0x52, 0x82, 0xd0, 0x2e,
-	0x83, 0x82, 0x0b, 0xb3, 0x74, 0x6f, 0x1a, 0x6a, 0xdf, 0x0c, 0x31, 0x38, 0x46, 0x85, 0xbe, 0x09,
-	0x85, 0x03, 0x5d, 0xcf, 0xca, 0xd3, 0x4d, 0x9d, 0x67, 0x83, 0x2a, 0x58, 0x4d, 0x70, 0x82, 0x2f,
-	0x1c, 0x4a, 0x43, 0x5f, 0x85, 0x12, 0xef, 0xee, 0x87, 0x25, 0x80, 0x72, 0x89, 0xf0, 0xbe, 0xdd,
-	0x8b, 0x50, 0x38, 0x4e, 0x67, 0xbe, 0x03, 0xc5, 0x6d, 0xbb, 0xc9, 0x3c, 0xd9, 0x92, 0x3f, 0x03,
-	0x33, 0x3c, 0xd1, 0x6f, 0x86, 0x27, 0x19, 0xb8, 0x6a, 0x80, 0x17, 0x3e, 0xea, 0x12, 0xd7, 0x53,
-	0x5d, 0x65, 0x3e, 0xf2, 0xd1, 0xd7, 0x05, 0x10, 0x2b, 0xdc, 0xf5, 0x25, 0x51, 0x65, 0xfc, 0xf8,
-	0xa3, 0xea, 0xd4, 0x07, 0x1f, 0x55, 0xa7, 0x3e, 0xfc, 0x48, 0x57, 0x1c, 0xbf, 0x07, 0x80, 0x9d,
-	0xfd, 0xef, 0xd2, 0xa6, 0xca, 0xdd, 0xa9, 0xa6, 0xac, 0xc1, 0x70, 0x5f, 0x4e, 0x59, 0x33, 0x03,
-	0x95, 0x63, 0x0c, 0x87, 0x13, 0x94, 0x68, 0x0d, 0x8a, 0xe1, 0xfc, 0x54, 0xfb, 0xc7, 0x62, 0xe0,
-	0x6f, 0xe1, 0x90, 0x15, 0x47, 0x34, 0x89, 0x8b, 0x24, 0x77, 0xe6, 0x45, 0x52, 0x87, 0x6c, 0xd7,
-	0xb6, 0xf4, 0xfc, 0xe2, 0x52, 0x70, 0x91, 0xdf, 0xd9, 0x6a, 0x9c, 0xf6, 0xab, 0x4f, 0x8c, 0x7b,
-	0xb6, 0xf0, 0x7b, 0x1d, 0xca, 0x6b, 0x77, 0xb6, 0x1a, 0x58, 0x30, 0x8f, 0xca, 0x6a, 0xd3, 0x13,
-	0x66, 0xb5, 0x2b, 0x00, 0xad, 0x68, 0x0a, 0xa4, 0x92, 0x46, 0xe8, 0x88, 0xb1, 0xe9, 0x4f, 0x8c,
-	0x0a, 0x71, 0x58, 0x6c, 0x32, 0x4a, 0x82, 0x69, 0x0c, 0xf7, 0x49, 0x5b, 0xcd, 0x95, 0x27, 0x8b,
-	0x89, 0x0b, 0x5a, 0xcd, 0xe2, 0xc6, 0xa0, 0x30, 0x3c, 0x2c, 0x1f, 0x79, 0xb0, 0x68, 0xe9, 0x86,
-	0x3d, 0x52, 0x5a, 0x9c, 0x58, 0xa9, 0xcc, 0x58, 0x8d, 0x41, 0x41, 0x78, 0x58, 0x36, 0xfa, 0x0e,
-	0x2c, 0x07, 0xc0, 0xe1, 0xa9, 0x89, 0xcc, 0xfa, 0xd9, 0xfa, 0xca, 0x49, 0xbf, 0xba, 0xdc, 0x18,
-	0x4b, 0x85, 0x1f, 0x20, 0x01, 0x59, 0x30, 0xed, 0xa8, 0x2a, 0xb9, 0x24, 0x2b, 0x9b, 0xaf, 0xa5,
-	0x5b, 0x45, 0xe4, 0xfd, 0xb5, 0x78, 0x75, 0x1c, 0x4e, 0xc0, 0x74, 0x61, 0xac, 0x65, 0xa3, 0x77,
-	0xa1, 0x44, 0x5c, 0xd7, 0xf3, 0x89, 0x9a, 0xe3, 0xcc, 0x4a, 0x55, 0xeb, 0x13, 0xab, 0x5a, 0x8f,
-	0x64, 0x0c, 0x54, 0xe3, 0x31, 0x0c, 0x8e, 0xab, 0x42, 0xf7, 0x60, 0xde, 0xbb, 0xe7, 0x52, 0x86,
-	0xe9, 0x01, 0x65, 0xd4, 0x6d, 0x52, 0x5e, 0x29, 0x4b, 0xed, 0x57, 0x53, 0x6a, 0x4f, 0x30, 0x47,
-	0x2e, 0x9d, 0x84, 0x73, 0x3c, 0xa8, 0x05, 0xd5, 0x44, 0x6e, 0x75, 0x89, 0x63, 0x7f, 0x8f, 0x32,
-	0x5e, 0x99, 0x8b, 0x46, 0xff, 0x9b, 0x21, 0x14, 0xc7, 0x28, 0x50, 0x17, 0xca, 0xed, 0xf8, 0x95,
-	0x51, 0x59, 0x94, 0x66, 0x5e, 0x4b, 0x67, 0xe6, 0xf0, 0xa5, 0x16, 0x95, 0x41, 0x09, 0x1c, 0x4e,
-	0x6a, 0x59, 0x7e, 0x01, 0x4a, 0x0f, 0xd9, 0x21, 0x88, 0x0e, 0x63, 0xf0, 0x40, 0x26, 0xea, 0x30,
-	0xfe, 0x90, 0x81, 0xb9, 0xe4, 0x36, 0x0e, 0x5c, 0x87, 0xf9, 0x54, 0xd7, 0x61, 0xd0, 0xcb, 0x1a,
-	0x63, 0xdf, 0x80, 0x82, 0xfc, 0x9c, 0x1d, 0x9b, 0x9f, 0x75, 0x1a, 0xcc, 0x3d, 0x4a, 0x1a, 0xac,
-	0x01, 0x88, 0x62, 0x85, 0x79, 0x8e, 0x43, 0x99, 0x1e, 0xab, 0xa9, 0xb7, 0x9e, 0x10, 0x8a, 0x63,
-	0x14, 0xa2, 0xa4, 0xde, 0x77, 0xbc, 0xe6, 0x91, 0xdc, 0x82, 0x20, 0x7a, 0x65, 0xee, 0x2b, 0xa8,
-	0x92, 0xba, 0x3e, 0x84, 0xc5, 0x23, 0x38, 0xcc, 0x1e, 0x9c, 0xdf, 0x25, 0x4c, 0x14, 0x39, 0x51,
-	0xa4, 0xc8, 0x9e, 0xe5, 0xed, 0xa1, 0x8e, 0xe8, 0xd2, 0xa4, 0x11, 0x17, 0x6d, 0x7e, 0x04, 0x8b,
-	0xba, 0x22, 0xf3, 0x2f, 0x06, 0x5c, 0x18, 0xa9, 0xfb, 0x73, 0xe8, 0xc8, 0xde, 0x4e, 0x76, 0x64,
-	0x2f, 0xa6, 0x1c, 0x0a, 0x8f, 0xb2, 0x76, 0x4c, 0x7f, 0x36, 0x03, 0xf9, 0x5d, 0x51, 0x09, 0x9b,
-	0x9f, 0x18, 0x30, 0x2b, 0x7f, 0x4d, 0x32, 0x93, 0xaf, 0x26, 0x9f, 0x6a, 0x8a, 0x8f, 0xef, 0x99,
-	0xe6, 0x71, 0x0c, 0xed, 0xdf, 0x37, 0x20, 0x39, 0x0d, 0x47, 0x2f, 0xab, 0x10, 0x30, 0xc2, 0x71,
-	0xf5, 0x84, 0xee, 0xff, 0xd2, 0xb8, 0x96, 0xf4, 0x5c, 0xaa, 0x69, 0xe5, 0xb3, 0x50, 0xc4, 0x9e,
-	0xe7, 0xef, 0x12, 0xff, 0x90, 0x8b, 0xbd, 0xeb, 0x88, 0x1f, 0x7a, 0x7b, 0xe5, 0xde, 0x49, 0x0c,
-	0x56, 0x70, 0xf3, 0xa7, 0x06, 0x5c, 0x18, 0xfb, 0x02, 0x27, 0xb2, 0x48, 0x33, 0xfc, 0xd2, 0x2b,
-	0x0a, 0x1d, 0x39, 0xa2, 0xc3, 0x31, 0x2a, 0xd1, 0x4b, 0x26, 0x9e, 0xed, 0x06, 0x7b, 0xc9, 0x84,
-	0x36, 0x9c, 0xa4, 0x35, 0xff, 0x91, 0x01, 0xfd, 0xe4, 0xf5, 0x5f, 0x76, 0xfa, 0xa7, 0x07, 0x1e,
-	0xdc, 0xe6, 0x92, 0x0f, 0x6e, 0xe1, 0xeb, 0x5a, 0xec, 0xc5, 0x29, 0xfb, 0xe0, 0x17, 0x27, 0xf4,
-	0x7c, 0xf8, 0x88, 0xa5, 0x7c, 0x68, 0x25, 0xf9, 0x88, 0x75, 0xda, 0xaf, 0xce, 0x6a, 0xe1, 0xc9,
-	0x47, 0xad, 0x37, 0x61, 0xc6, 0xa2, 0x3e, 0xb1, 0x1d, 0xd5, 0x17, 0xa6, 0x7e, 0x96, 0x51, 0xc2,
-	0x1a, 0x8a, 0xb5, 0x5e, 0x12, 0x36, 0xe9, 0x0f, 0x1c, 0x08, 0x14, 0x09, 0xbb, 0xe9, 0x59, 0xaa,
-	0x23, 0xc9, 0x47, 0x09, 0x7b, 0xc3, 0xb3, 0x28, 0x96, 0x18, 0xf3, 0x03, 0x03, 0x4a, 0x4a, 0xd2,
-	0x06, 0xe9, 0x72, 0x8a, 0x2e, 0x87, 0xab, 0x50, 0xc7, 0x7d, 0x21, 0xfe, 0x5a, 0x79, 0xda, 0xaf,
-	0x16, 0x25, 0x99, 0x6c, 0x66, 0x46, 0xbc, 0xca, 0x65, 0xce, 0xd8, 0xa3, 0x27, 0x21, 0x2f, 0x03,
-	0x48, 0x6f, 0x66, 0xf4, 0xec, 0x2a, 0x80, 0x58, 0xe1, 0xcc, 0xcf, 0x32, 0x50, 0x4e, 0x2c, 0x2e,
-	0x45, 0x5f, 0x10, 0x8e, 0x50, 0x33, 0x29, 0xc6, 0xf2, 0xe3, 0xff, 0xe4, 0xa0, 0xaf, 0xaf, 0xe9,
-	0x47, 0xb9, 0xbe, 0xbe, 0x05, 0xd3, 0x4d, 0xb1, 0x47, 0xc1, 0x7f, 0x66, 0x2e, 0x4f, 0x72, 0x9c,
-	0x72, 0x77, 0x23, 0x6f, 0x94, 0x9f, 0x1c, 0x6b, 0x81, 0xe8, 0x26, 0x2c, 0x32, 0xea, 0xb3, 0xde,
-	0xfa, 0x81, 0x4f, 0x59, 0x7c, 0x98, 0x90, 0x8f, 0xaa, 0x6f, 0x3c, 0x48, 0x80, 0x87, 0x79, 0xcc,
-	0x7d, 0x98, 0xbd, 0x4d, 0xf6, 0x9d, 0xf0, 0xa1, 0x11, 0x43, 0xd9, 0x76, 0x9b, 0x4e, 0xd7, 0xa2,
-	0x2a, 0xa1, 0x07, 0xd9, 0x2b, 0x08, 0xda, 0xad, 0x38, 0xf2, 0xb4, 0x5f, 0x3d, 0x97, 0x00, 0xa8,
-	0x97, 0x35, 0x9c, 0x14, 0x61, 0x3a, 0x90, 0xfb, 0x1c, 0x3b, 0xc9, 0x6f, 0x43, 0x31, 0xaa, 0xf5,
-	0x1f, 0xb3, 0x4a, 0xf3, 0x6d, 0x28, 0x08, 0x8f, 0x0f, 0x7a, 0xd4, 0x33, 0xaa, 0xa4, 0x64, 0xed,
-	0x95, 0x49, 0x53, 0x7b, 0xc9, 0xe7, 0xea, 0x3b, 0x1d, 0xeb, 0x11, 0x9f, 0xab, 0x33, 0x8f, 0x72,
-	0xf3, 0x65, 0x27, 0xbc, 0xf9, 0xae, 0x80, 0xfa, 0x4b, 0x8f, 0xb8, 0x64, 0x54, 0x01, 0x11, 0xbb,
-	0x64, 0xe2, 0xf7, 0x7f, 0xec, 0x85, 0xe1, 0x47, 0x06, 0x80, 0x1c, 0xe5, 0xc9, 0x31, 0x52, 0x8a,
-	0x3f, 0x46, 0xdc, 0x81, 0x69, 0x4f, 0x79, 0xa4, 0x7a, 0xb2, 0x9e, 0x70, 0x5e, 0x1c, 0x06, 0x92,
-	0xf2, 0x49, 0xac, 0x85, 0xd5, 0x5f, 0xfd, 0xf8, 0xfe, 0xca, 0xd4, 0x27, 0xf7, 0x57, 0xa6, 0x3e,
-	0xbd, 0xbf, 0x32, 0xf5, 0xde, 0xc9, 0x8a, 0xf1, 0xf1, 0xc9, 0x8a, 0xf1, 0xc9, 0xc9, 0x8a, 0xf1,
-	0xe9, 0xc9, 0x8a, 0xf1, 0xd9, 0xc9, 0x8a, 0xf1, 0xc1, 0xdf, 0x56, 0xa6, 0xde, 0x7c, 0x2a, 0xcd,
-	0x5f, 0x25, 0xff, 0x13, 0x00, 0x00, 0xff, 0xff, 0xf8, 0xda, 0x63, 0x4c, 0x51, 0x29, 0x00, 0x00,
-}
+func (m *WatchEvent) Reset() { *m = WatchEvent{} }
 
 func (m *APIGroup) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -2415,7 +999,7 @@ func (m *LabelSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.MatchLabels {
 			keysForMatchLabels = append(keysForMatchLabels, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForMatchLabels)
+		sort.Strings(keysForMatchLabels)
 		for iNdEx := len(keysForMatchLabels) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.MatchLabels[string(keysForMatchLabels[iNdEx])]
 			baseI := i
@@ -2787,7 +1371,7 @@ func (m *ObjectMeta) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Annotations {
 			keysForAnnotations = append(keysForAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		sort.Strings(keysForAnnotations)
 		for iNdEx := len(keysForAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Annotations[string(keysForAnnotations[iNdEx])]
 			baseI := i
@@ -2811,7 +1395,7 @@ func (m *ObjectMeta) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Labels {
 			keysForLabels = append(keysForLabels, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+		sort.Strings(keysForLabels)
 		for iNdEx := len(keysForLabels) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Labels[string(keysForLabels[iNdEx])]
 			baseI := i
@@ -4583,7 +3167,7 @@ func (this *LabelSelector) String() string {
 	for k := range this.MatchLabels {
 		keysForMatchLabels = append(keysForMatchLabels, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForMatchLabels)
+	sort.Strings(keysForMatchLabels)
 	mapStringForMatchLabels := "map[string]string{"
 	for _, k := range keysForMatchLabels {
 		mapStringForMatchLabels += fmt.Sprintf("%v: %v,", k, this.MatchLabels[k])
@@ -4690,7 +3274,7 @@ func (this *ObjectMeta) String() string {
 	for k := range this.Labels {
 		keysForLabels = append(keysForLabels, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+	sort.Strings(keysForLabels)
 	mapStringForLabels := "map[string]string{"
 	for _, k := range keysForLabels {
 		mapStringForLabels += fmt.Sprintf("%v: %v,", k, this.Labels[k])
@@ -4700,7 +3284,7 @@ func (this *ObjectMeta) String() string {
 	for k := range this.Annotations {
 		keysForAnnotations = append(keysForAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	sort.Strings(keysForAnnotations)
 	mapStringForAnnotations := "map[string]string{"
 	for _, k := range keysForAnnotations {
 		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
index 865d3e7caacbd..fb21b72368683 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
@@ -1038,7 +1038,6 @@ message Status {
   // is not guaranteed to conform to any schema except that defined by
   // the reason type.
   // +optional
-  // +listType=atomic
   optional StatusDetails details = 5;
 
   // Suggested HTTP return code for this status, 0 if not set.
@@ -1114,6 +1113,7 @@ message StatusDetails {
 }
 
 // TableOptions are used when a Table is requested by the caller.
+// +k8s:conversion-gen:explicit-from=net/url.Values
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 message TableOptions {
   // includeObject decides whether to include each object along with its columnar information.
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..459ae1ad873d3
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go
@@ -0,0 +1,112 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*APIGroup) ProtoMessage() {}
+
+func (*APIGroupList) ProtoMessage() {}
+
+func (*APIResource) ProtoMessage() {}
+
+func (*APIResourceList) ProtoMessage() {}
+
+func (*APIVersions) ProtoMessage() {}
+
+func (*ApplyOptions) ProtoMessage() {}
+
+func (*Condition) ProtoMessage() {}
+
+func (*CreateOptions) ProtoMessage() {}
+
+func (*DeleteOptions) ProtoMessage() {}
+
+func (*Duration) ProtoMessage() {}
+
+func (*FieldSelectorRequirement) ProtoMessage() {}
+
+func (*FieldsV1) ProtoMessage() {}
+
+func (*GetOptions) ProtoMessage() {}
+
+func (*GroupKind) ProtoMessage() {}
+
+func (*GroupResource) ProtoMessage() {}
+
+func (*GroupVersion) ProtoMessage() {}
+
+func (*GroupVersionForDiscovery) ProtoMessage() {}
+
+func (*GroupVersionKind) ProtoMessage() {}
+
+func (*GroupVersionResource) ProtoMessage() {}
+
+func (*LabelSelector) ProtoMessage() {}
+
+func (*LabelSelectorRequirement) ProtoMessage() {}
+
+func (*List) ProtoMessage() {}
+
+func (*ListMeta) ProtoMessage() {}
+
+func (*ListOptions) ProtoMessage() {}
+
+func (*ManagedFieldsEntry) ProtoMessage() {}
+
+func (*MicroTime) ProtoMessage() {}
+
+func (*ObjectMeta) ProtoMessage() {}
+
+func (*OwnerReference) ProtoMessage() {}
+
+func (*PartialObjectMetadata) ProtoMessage() {}
+
+func (*PartialObjectMetadataList) ProtoMessage() {}
+
+func (*Patch) ProtoMessage() {}
+
+func (*PatchOptions) ProtoMessage() {}
+
+func (*Preconditions) ProtoMessage() {}
+
+func (*RootPaths) ProtoMessage() {}
+
+func (*ServerAddressByClientCIDR) ProtoMessage() {}
+
+func (*Status) ProtoMessage() {}
+
+func (*StatusCause) ProtoMessage() {}
+
+func (*StatusDetails) ProtoMessage() {}
+
+func (*TableOptions) ProtoMessage() {}
+
+func (*Time) ProtoMessage() {}
+
+func (*Timestamp) ProtoMessage() {}
+
+func (*TypeMeta) ProtoMessage() {}
+
+func (*UpdateOptions) ProtoMessage() {}
+
+func (*Verbs) ProtoMessage() {}
+
+func (*WatchEvent) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
index 2a669062cabea..9970e877d096d 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
@@ -784,7 +784,6 @@ type Status struct {
 	// is not guaranteed to conform to any schema except that defined by
 	// the reason type.
 	// +optional
-	// +listType=atomic
 	Details *StatusDetails `json:"details,omitempty" protobuf:"bytes,5,opt,name=details"`
 	// Suggested HTTP return code for this status, 0 if not set.
 	// +optional
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation.go
index 4dedec4b3fce5..d0ca20013adf4 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation.go
@@ -104,7 +104,7 @@ func ValidateLabelSelectorRequirement(sr metav1.LabelSelectorRequirement, opts L
 func ValidateLabelName(labelName string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, msg := range validation.IsQualifiedName(labelName) {
-		allErrs = append(allErrs, field.Invalid(fldPath, labelName, msg).WithOrigin("labelKey"))
+		allErrs = append(allErrs, field.Invalid(fldPath, labelName, msg).WithOrigin("format=k8s-label-key"))
 	}
 	return allErrs
 }
@@ -115,7 +115,7 @@ func ValidateLabels(labels map[string]string, fldPath *field.Path) field.ErrorLi
 	for k, v := range labels {
 		allErrs = append(allErrs, ValidateLabelName(k, fldPath)...)
 		for _, msg := range validation.IsValidLabelValue(v) {
-			allErrs = append(allErrs, field.Invalid(fldPath, v, msg))
+			allErrs = append(allErrs, field.Invalid(fldPath, v, msg).WithOrigin("format=k8s-label-value"))
 		}
 	}
 	return allErrs
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation_test.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation_test.go
index 5bb363d3a68d9..c1e4371a3382a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation/validation_test.go
@@ -55,7 +55,7 @@ func TestValidateLabels(t *testing.T) {
 	}
 
 	namePartErrMsg := "name part must consist of"
-	nameErrMsg := "a qualified name must consist of"
+	nameErrMsg := "a valid label key must consist of"
 	labelErrMsg := "a valid label must be an empty string or consist of"
 	maxLengthErrMsg := "must be no more than"
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..fd6e876ece286
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go
@@ -0,0 +1,267 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroup) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIGroupList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIResource) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIResourceList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIVersions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ApplyOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ApplyOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Condition) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CreateOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.CreateOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeleteOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Duration) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Duration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FieldSelectorRequirement) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.FieldSelectorRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FieldsV1) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GetOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GetOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupKind) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupKind"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupResource) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupVersion) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupVersionForDiscovery) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupVersionKind) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionKind"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupVersionResource) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionResource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in InternalEvent) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.InternalEvent"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LabelSelector) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LabelSelectorRequirement) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in List) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.List"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ListMeta) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ListOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ListOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ManagedFieldsEntry) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MicroTime) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectMeta) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in OwnerReference) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PartialObjectMetadata) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.PartialObjectMetadata"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PartialObjectMetadataList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.PartialObjectMetadataList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Patch) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PatchOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.PatchOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Preconditions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RootPaths) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.RootPaths"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServerAddressByClientCIDR) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Status) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatusCause) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatusDetails) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Table) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Table"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TableColumnDefinition) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.TableColumnDefinition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TableOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.TableOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TableRow) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.TableRow"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TableRowCondition) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.TableRowCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Time) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Timestamp) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.Timestamp"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypeMeta) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.TypeMeta"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UpdateOptions) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.UpdateOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WatchEvent) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/doc.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/doc.go
index 46b0e133c37c2..159ca0573fb32 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/doc.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/doc.go
@@ -17,6 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.apis.meta.v1beta1
 
 // +groupName=meta.k8s.io
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.pb.go
index 819d936fe5bc2..3c763898e76f1 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.pb.go
@@ -24,84 +24,14 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *PartialObjectMetadataList) Reset()      { *m = PartialObjectMetadataList{} }
-func (*PartialObjectMetadataList) ProtoMessage() {}
-func (*PartialObjectMetadataList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39237a8d8061b52f, []int{0}
-}
-func (m *PartialObjectMetadataList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PartialObjectMetadataList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PartialObjectMetadataList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PartialObjectMetadataList.Merge(m, src)
-}
-func (m *PartialObjectMetadataList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PartialObjectMetadataList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PartialObjectMetadataList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PartialObjectMetadataList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*PartialObjectMetadataList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1beta1.PartialObjectMetadataList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.proto", fileDescriptor_39237a8d8061b52f)
-}
-
-var fileDescriptor_39237a8d8061b52f = []byte{
-	// 303 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x41, 0x4b, 0xf3, 0x30,
-	0x1c, 0xc6, 0x9b, 0xf7, 0x65, 0x30, 0x3a, 0x04, 0xd9, 0x69, 0xee, 0x90, 0x0d, 0x4f, 0xdb, 0xc1,
-	0x84, 0x0d, 0x11, 0xc5, 0xdb, 0x6e, 0x82, 0x32, 0xd9, 0x51, 0x3c, 0x98, 0x76, 0x31, 0x8b, 0x35,
-	0x4d, 0x69, 0xfe, 0x15, 0xbc, 0xf9, 0x11, 0xfc, 0x58, 0x3d, 0xee, 0x38, 0x10, 0x86, 0x8d, 0x5f,
-	0x44, 0xd2, 0x56, 0x91, 0xa1, 0xd0, 0x5b, 0x9e, 0x07, 0x7e, 0xbf, 0x3c, 0x81, 0xf8, 0x67, 0xd1,
-	0xa9, 0x21, 0x52, 0x53, 0x96, 0x48, 0xc5, 0xc2, 0x95, 0x8c, 0x79, 0xfa, 0x4c, 0x93, 0x48, 0xb8,
-	0xc2, 0x50, 0xc5, 0x81, 0xd1, 0xa7, 0x49, 0xc0, 0x81, 0x4d, 0xa8, 0xe0, 0x31, 0x4f, 0x19, 0xf0,
-	0x25, 0x49, 0x52, 0x0d, 0xba, 0x3b, 0xae, 0x50, 0xf2, 0x13, 0x25, 0x49, 0x24, 0x5c, 0x61, 0x88,
-	0x43, 0x49, 0x8d, 0xf6, 0x8f, 0x84, 0x84, 0x55, 0x16, 0x90, 0x50, 0x2b, 0x2a, 0xb4, 0xd0, 0xb4,
-	0x34, 0x04, 0xd9, 0x7d, 0x99, 0xca, 0x50, 0x9e, 0x2a, 0x73, 0xff, 0xb8, 0xc9, 0xa8, 0xdd, 0x3d,
-	0xfd, 0x93, 0xbf, 0xa8, 0x34, 0x8b, 0x41, 0x2a, 0x4e, 0x4d, 0xb8, 0xe2, 0x8a, 0xed, 0x72, 0x87,
-	0x6f, 0xc8, 0x3f, 0xb8, 0x66, 0x29, 0x48, 0xf6, 0x38, 0x0f, 0x1e, 0x78, 0x08, 0x57, 0x1c, 0xd8,
-	0x92, 0x01, 0xbb, 0x94, 0x06, 0xba, 0xb7, 0x7e, 0x5b, 0xd5, 0xb9, 0xf7, 0x6f, 0x88, 0x46, 0x9d,
-	0x29, 0x21, 0x4d, 0x1e, 0x4e, 0x1c, 0xed, 0x4c, 0xb3, 0xfd, 0x7c, 0x3b, 0xf0, 0xec, 0x76, 0xd0,
-	0xfe, 0x6a, 0x16, 0xdf, 0xc6, 0xee, 0x9d, 0xdf, 0x92, 0xc0, 0x95, 0xe9, 0xa1, 0xe1, 0xff, 0x51,
-	0x67, 0x7a, 0xde, 0x4c, 0xfd, 0xeb, 0xda, 0xd9, 0x5e, 0x7d, 0x4f, 0xeb, 0xc2, 0x19, 0x17, 0x95,
-	0x78, 0x36, 0xcf, 0x0b, 0xec, 0xad, 0x0b, 0xec, 0x6d, 0x0a, 0xec, 0xbd, 0x58, 0x8c, 0x72, 0x8b,
-	0xd1, 0xda, 0x62, 0xb4, 0xb1, 0x18, 0xbd, 0x5b, 0x8c, 0x5e, 0x3f, 0xb0, 0x77, 0x33, 0x6e, 0xfc,
-	0x0d, 0x3e, 0x03, 0x00, 0x00, 0xff, 0xff, 0xfe, 0x0f, 0xd7, 0x36, 0x32, 0x02, 0x00, 0x00,
-}
+func (m *PartialObjectMetadataList) Reset() { *m = PartialObjectMetadataList{} }
 
 func (m *PartialObjectMetadataList) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..a782b1d8f05c8
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,24 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*PartialObjectMetadataList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/types.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/types.go
index f16170a37b2e7..68f261cc14eac 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/types.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/types.go
@@ -46,6 +46,7 @@ type ConditionStatus = v1.ConditionStatus
 type IncludeObjectPolicy = v1.IncludeObjectPolicy
 
 // TableOptions are used when a Table is requested by the caller.
+// +k8s:conversion-gen:explicit-from=net/url.Values
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type TableOptions = v1.TableOptions
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..9c3600119a533
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PartialObjectMetadataList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.meta.v1beta1.PartialObjectMetadataList"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/doc.go b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/doc.go
index c76c2b994d160..35bdf7c7cfdbe 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/doc.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/doc.go
@@ -19,6 +19,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/apimachinery/pkg/apis/testapigroup
 // +k8s:openapi-gen=false
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.apis.testapigroup.v1
 
 // +k8s:prerelease-lifecycle-gen=true
 // +groupName=testapigroup.apimachinery.k8s.io
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.pb.go
index a8b7d2643fa3c..b1af782b02d8a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.pb.go
@@ -23,283 +23,26 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Carp) Reset() { *m = Carp{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *CarpCondition) Reset() { *m = CarpCondition{} }
 
-func (m *Carp) Reset()      { *m = Carp{} }
-func (*Carp) ProtoMessage() {}
-func (*Carp) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{0}
-}
-func (m *Carp) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Carp) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Carp) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Carp.Merge(m, src)
-}
-func (m *Carp) XXX_Size() int {
-	return m.Size()
-}
-func (m *Carp) XXX_DiscardUnknown() {
-	xxx_messageInfo_Carp.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Carp proto.InternalMessageInfo
-
-func (m *CarpCondition) Reset()      { *m = CarpCondition{} }
-func (*CarpCondition) ProtoMessage() {}
-func (*CarpCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{1}
-}
-func (m *CarpCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CarpCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CarpCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CarpCondition.Merge(m, src)
-}
-func (m *CarpCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *CarpCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_CarpCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CarpCondition proto.InternalMessageInfo
-
-func (m *CarpInfo) Reset()      { *m = CarpInfo{} }
-func (*CarpInfo) ProtoMessage() {}
-func (*CarpInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{2}
-}
-func (m *CarpInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CarpInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CarpInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CarpInfo.Merge(m, src)
-}
-func (m *CarpInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *CarpInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_CarpInfo.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CarpInfo proto.InternalMessageInfo
-
-func (m *CarpList) Reset()      { *m = CarpList{} }
-func (*CarpList) ProtoMessage() {}
-func (*CarpList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{3}
-}
-func (m *CarpList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CarpList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CarpList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CarpList.Merge(m, src)
-}
-func (m *CarpList) XXX_Size() int {
-	return m.Size()
-}
-func (m *CarpList) XXX_DiscardUnknown() {
-	xxx_messageInfo_CarpList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CarpList proto.InternalMessageInfo
-
-func (m *CarpSpec) Reset()      { *m = CarpSpec{} }
-func (*CarpSpec) ProtoMessage() {}
-func (*CarpSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{4}
-}
-func (m *CarpSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CarpSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CarpSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CarpSpec.Merge(m, src)
-}
-func (m *CarpSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CarpSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CarpSpec.DiscardUnknown(m)
-}
+func (m *CarpInfo) Reset() { *m = CarpInfo{} }
 
-var xxx_messageInfo_CarpSpec proto.InternalMessageInfo
+func (m *CarpList) Reset() { *m = CarpList{} }
 
-func (m *CarpStatus) Reset()      { *m = CarpStatus{} }
-func (*CarpStatus) ProtoMessage() {}
-func (*CarpStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_83e19b543dd132db, []int{5}
-}
-func (m *CarpStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CarpStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CarpStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CarpStatus.Merge(m, src)
-}
-func (m *CarpStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *CarpStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_CarpStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CarpStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Carp)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.Carp")
-	proto.RegisterType((*CarpCondition)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpCondition")
-	proto.RegisterType((*CarpInfo)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpInfo")
-	proto.RegisterType((*CarpList)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpList")
-	proto.RegisterType((*CarpSpec)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpSpec.NodeSelectorEntry")
-	proto.RegisterType((*CarpStatus)(nil), "k8s.io.apimachinery.pkg.apis.testapigroup.v1.CarpStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.proto", fileDescriptor_83e19b543dd132db)
-}
+func (m *CarpSpec) Reset() { *m = CarpSpec{} }
 
-var fileDescriptor_83e19b543dd132db = []byte{
-	// 1115 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x56, 0x41, 0x4f, 0x1b, 0x47,
-	0x14, 0x66, 0xb1, 0x0d, 0xf6, 0x80, 0x1b, 0x18, 0x82, 0xba, 0x45, 0x8a, 0x4d, 0x7c, 0x40, 0xb4,
-	0xa2, 0xeb, 0x80, 0x9a, 0x88, 0x36, 0x95, 0x2a, 0x16, 0xaa, 0x42, 0x45, 0x88, 0x35, 0x46, 0x4a,
-	0xd5, 0xe6, 0x90, 0xf1, 0xee, 0xb0, 0x6c, 0xf1, 0xee, 0xac, 0x66, 0xc6, 0xae, 0x7c, 0xab, 0x7a,
-	0xea, 0xb1, 0x3f, 0xa2, 0x7f, 0xa1, 0x3f, 0xa0, 0x37, 0x8e, 0x39, 0xa6, 0x17, 0xab, 0xb8, 0xff,
-	0x82, 0x53, 0x35, 0xb3, 0xb3, 0xeb, 0x35, 0x06, 0x27, 0xe6, 0xe6, 0x79, 0xef, 0xfb, 0xbe, 0xf7,
-	0xf6, 0xcd, 0x9b, 0xf7, 0x0c, 0xbe, 0xbe, 0xd8, 0xe5, 0x96, 0x4f, 0xeb, 0x38, 0xf2, 0x03, 0xec,
-	0x9c, 0xfb, 0x21, 0x61, 0xbd, 0x7a, 0x74, 0xe1, 0x49, 0x03, 0xaf, 0x0b, 0xc2, 0x05, 0x8e, 0x7c,
-	0x8f, 0xd1, 0x4e, 0x54, 0xef, 0x6e, 0xd7, 0x3d, 0x12, 0x12, 0x86, 0x05, 0x71, 0xad, 0x88, 0x51,
-	0x41, 0xe1, 0x56, 0xcc, 0xb6, 0xb2, 0x6c, 0x2b, 0xba, 0xf0, 0xa4, 0x81, 0x5b, 0x59, 0xb6, 0xd5,
-	0xdd, 0x5e, 0xfb, 0xdc, 0xf3, 0xc5, 0x79, 0xa7, 0x65, 0x39, 0x34, 0xa8, 0x7b, 0xd4, 0xa3, 0x75,
-	0x25, 0xd2, 0xea, 0x9c, 0xa9, 0x93, 0x3a, 0xa8, 0x5f, 0xb1, 0xf8, 0xda, 0x17, 0x13, 0x53, 0x0b,
-	0x88, 0xc0, 0xb7, 0xa4, 0xb4, 0x56, 0xbf, 0x8b, 0xc5, 0x3a, 0xa1, 0xf0, 0x03, 0x32, 0x46, 0x78,
-	0xf6, 0x3e, 0x02, 0x77, 0xce, 0x49, 0x80, 0x6f, 0xf2, 0x6a, 0x7f, 0xce, 0x82, 0xfc, 0x3e, 0x66,
-	0x11, 0x7c, 0x03, 0x8a, 0x32, 0x19, 0x17, 0x0b, 0x6c, 0x1a, 0xeb, 0xc6, 0xe6, 0xc2, 0xce, 0x13,
-	0x6b, 0x62, 0x5d, 0x24, 0xda, 0xea, 0x6e, 0x5b, 0x2f, 0x5b, 0x3f, 0x13, 0x47, 0xbc, 0x20, 0x02,
-	0xdb, 0xf0, 0xb2, 0x5f, 0x9d, 0x19, 0xf4, 0xab, 0x60, 0x68, 0x43, 0xa9, 0x2a, 0xfc, 0x01, 0xe4,
-	0x79, 0x44, 0x1c, 0x73, 0x56, 0xa9, 0x3f, 0xb3, 0xa6, 0xa9, 0xba, 0x25, 0x73, 0x6c, 0x46, 0xc4,
-	0xb1, 0x17, 0x75, 0x8c, 0xbc, 0x3c, 0x21, 0xa5, 0x08, 0xdf, 0x80, 0x39, 0x2e, 0xb0, 0xe8, 0x70,
-	0x33, 0xa7, 0xb4, 0x77, 0xef, 0xa1, 0xad, 0xf8, 0xf6, 0x47, 0x5a, 0x7d, 0x2e, 0x3e, 0x23, 0xad,
-	0x5b, 0xfb, 0x2b, 0x07, 0xca, 0x12, 0xb6, 0x4f, 0x43, 0xd7, 0x17, 0x3e, 0x0d, 0xe1, 0x53, 0x90,
-	0x17, 0xbd, 0x88, 0xa8, 0x5a, 0x95, 0xec, 0xc7, 0x49, 0x56, 0xa7, 0xbd, 0x88, 0x5c, 0xf7, 0xab,
-	0xcb, 0x23, 0x60, 0x69, 0x44, 0x0a, 0x0e, 0xbf, 0x4c, 0x53, 0x9d, 0x1d, 0x21, 0xea, 0x80, 0xd7,
-	0xfd, 0xea, 0x83, 0x94, 0x36, 0x9a, 0x03, 0xf4, 0x40, 0xb9, 0x8d, 0xb9, 0x68, 0x30, 0xda, 0x22,
-	0xa7, 0x7e, 0x40, 0xf4, 0xc7, 0x7e, 0xf6, 0x61, 0xd7, 0x24, 0x19, 0xf6, 0xaa, 0x8e, 0x56, 0x3e,
-	0xce, 0x0a, 0xa1, 0x51, 0x5d, 0xd8, 0x05, 0x50, 0x1a, 0x4e, 0x19, 0x0e, 0x79, 0x9c, 0xbf, 0x8c,
-	0x96, 0x9f, 0x3a, 0xda, 0x9a, 0x8e, 0x06, 0x8f, 0xc7, 0xd4, 0xd0, 0x2d, 0x11, 0xe0, 0x06, 0x98,
-	0x63, 0x04, 0x73, 0x1a, 0x9a, 0x05, 0x55, 0x9b, 0xf4, 0x32, 0x90, 0xb2, 0x22, 0xed, 0x85, 0x9f,
-	0x82, 0xf9, 0x80, 0x70, 0x8e, 0x3d, 0x62, 0xce, 0x29, 0xe0, 0x03, 0x0d, 0x9c, 0x7f, 0x11, 0x9b,
-	0x51, 0xe2, 0xaf, 0x71, 0x50, 0x94, 0x37, 0x71, 0x14, 0x9e, 0x51, 0xf8, 0x31, 0x30, 0xe2, 0xd6,
-	0xce, 0xd9, 0x25, 0x4d, 0x30, 0xf6, 0x90, 0x81, 0xa5, 0xa3, 0xa5, 0xaf, 0x23, 0x75, 0xd8, 0xc8,
-	0x68, 0xc1, 0x15, 0x60, 0x38, 0xea, 0xbb, 0x4b, 0x76, 0x41, 0x1a, 0xf7, 0x91, 0xe1, 0xc0, 0x75,
-	0x90, 0x57, 0x8f, 0x24, 0xa7, 0xec, 0x69, 0x3b, 0x1e, 0x60, 0x81, 0x91, 0xf2, 0xd4, 0xfe, 0x36,
-	0xe2, 0xa8, 0xc7, 0x3e, 0x17, 0xf0, 0xf5, 0xd8, 0xbb, 0xb2, 0x3e, 0xac, 0x84, 0x92, 0xad, 0x5e,
-	0xd5, 0x92, 0x0e, 0x51, 0x4c, 0x2c, 0x99, 0x37, 0xf5, 0x0a, 0x14, 0x7c, 0x41, 0x02, 0xd9, 0x4d,
-	0xb9, 0xcd, 0x85, 0x9d, 0x9d, 0xe9, 0x1b, 0xdf, 0x2e, 0x6b, 0xf9, 0xc2, 0x91, 0x14, 0x42, 0xb1,
-	0x5e, 0xed, 0x9f, 0xf9, 0xf8, 0x1b, 0xe4, 0x2b, 0x83, 0xc7, 0xa0, 0xcc, 0x24, 0x95, 0x89, 0x06,
-	0x6d, 0xfb, 0x4e, 0x4f, 0x7f, 0xfb, 0x46, 0xd2, 0x4d, 0x28, 0xeb, 0xbc, 0xbe, 0x69, 0x40, 0xa3,
-	0x64, 0xe8, 0x81, 0x47, 0x82, 0xb0, 0xc0, 0x0f, 0xb1, 0xbc, 0xf9, 0xef, 0x18, 0x76, 0x48, 0x83,
-	0x30, 0x9f, 0xba, 0x4d, 0xe2, 0xd0, 0xd0, 0xe5, 0xaa, 0xe2, 0x39, 0xfb, 0xf1, 0xa0, 0x5f, 0x7d,
-	0x74, 0x3a, 0x09, 0x88, 0x26, 0xeb, 0xc0, 0x97, 0x60, 0x15, 0x3b, 0xc2, 0xef, 0x92, 0x03, 0x82,
-	0xdd, 0xb6, 0x1f, 0x92, 0x24, 0x40, 0x41, 0x05, 0xf8, 0x64, 0xd0, 0xaf, 0xae, 0xee, 0xdd, 0x06,
-	0x40, 0xb7, 0xf3, 0xe0, 0x6f, 0x06, 0x58, 0x0c, 0xa9, 0x4b, 0x9a, 0xa4, 0x4d, 0x1c, 0x41, 0x99,
-	0x39, 0xaf, 0xaa, 0x7e, 0x78, 0xbf, 0x51, 0x66, 0x9d, 0x64, 0xa4, 0xbe, 0x0d, 0x05, 0xeb, 0xd9,
-	0x0f, 0x75, 0x45, 0x17, 0xb3, 0x2e, 0x34, 0x12, 0x13, 0x7e, 0x0f, 0x20, 0x27, 0xac, 0xeb, 0x3b,
-	0x64, 0xcf, 0x71, 0x68, 0x27, 0x14, 0x27, 0x38, 0x20, 0x66, 0x51, 0xdd, 0x48, 0xfa, 0xe2, 0x9a,
-	0x63, 0x08, 0x74, 0x0b, 0x0b, 0xbe, 0x06, 0xa6, 0x4b, 0x22, 0x46, 0x1c, 0xb9, 0x11, 0x46, 0x39,
-	0x66, 0x49, 0x29, 0xae, 0x6b, 0x45, 0xf3, 0xe0, 0x0e, 0x1c, 0xba, 0x53, 0x01, 0x6e, 0x81, 0xa2,
-	0xcc, 0x5c, 0xe5, 0x07, 0x94, 0x5a, 0xda, 0xca, 0x27, 0xda, 0x8e, 0x52, 0x04, 0x7c, 0x0a, 0x16,
-	0xce, 0x29, 0x17, 0x27, 0x44, 0xfc, 0x42, 0xd9, 0x85, 0xb9, 0xb0, 0x6e, 0x6c, 0x16, 0xed, 0x15,
-	0x4d, 0x58, 0x38, 0x1c, 0xba, 0x50, 0x16, 0x27, 0x87, 0x81, 0x3c, 0x36, 0x8e, 0x0e, 0xcc, 0x45,
-	0x45, 0x49, 0x87, 0xc1, 0x61, 0x6c, 0x46, 0x89, 0x3f, 0x81, 0x1e, 0x35, 0xf6, 0xcd, 0xf2, 0x38,
-	0xf4, 0xa8, 0xb1, 0x8f, 0x12, 0xbf, 0x4c, 0x5d, 0xfe, 0x0c, 0x65, 0xea, 0x4b, 0xa3, 0xa9, 0x1f,
-	0x6a, 0x3b, 0x4a, 0x11, 0xb0, 0x0e, 0x4a, 0xbc, 0xd3, 0x72, 0x69, 0x80, 0xfd, 0xd0, 0x5c, 0x56,
-	0xf0, 0x65, 0x0d, 0x2f, 0x35, 0x13, 0x07, 0x1a, 0x62, 0xe0, 0x73, 0x50, 0x96, 0xfb, 0xd8, 0xed,
-	0xb4, 0x09, 0x53, 0xe5, 0x59, 0x51, 0xa4, 0x74, 0x3c, 0x37, 0xb3, 0x4e, 0x34, 0x8a, 0x5d, 0xfb,
-	0x06, 0x2c, 0x8f, 0x75, 0x0e, 0x5c, 0x02, 0xb9, 0x0b, 0xd2, 0x8b, 0xb7, 0x11, 0x92, 0x3f, 0xe1,
-	0x43, 0x50, 0xe8, 0xe2, 0x76, 0x87, 0xc4, 0x93, 0x0d, 0xc5, 0x87, 0xaf, 0x66, 0x77, 0x8d, 0xda,
-	0xef, 0x79, 0x00, 0x86, 0x3b, 0x0f, 0x3e, 0x01, 0x85, 0xe8, 0x1c, 0xf3, 0x64, 0x95, 0x25, 0x3d,
-	0x54, 0x68, 0x48, 0xe3, 0x75, 0xbf, 0x5a, 0x92, 0x58, 0x75, 0x40, 0x31, 0x10, 0x52, 0x00, 0x9c,
-	0x64, 0x49, 0x25, 0xa3, 0xe7, 0xf9, 0xf4, 0x8f, 0x20, 0x5d, 0x74, 0xc3, 0x3f, 0x0e, 0xa9, 0x89,
-	0xa3, 0x4c, 0x88, 0xec, 0xc4, 0xcf, 0x4d, 0x9e, 0xf8, 0x99, 0x25, 0x92, 0x9f, 0xb8, 0x44, 0x36,
-	0xc0, 0x5c, 0x7c, 0xd9, 0x37, 0x97, 0x4d, 0xdc, 0x0b, 0x48, 0x7b, 0x25, 0xce, 0x91, 0x1b, 0xa4,
-	0xa1, 0x77, 0x4d, 0x8a, 0x53, 0x7b, 0xa5, 0x81, 0xb4, 0x17, 0xbe, 0x02, 0x25, 0x35, 0xe4, 0xd4,
-	0xae, 0x9c, 0x9f, 0x7a, 0x57, 0x96, 0x55, 0xaf, 0x24, 0x02, 0x68, 0xa8, 0x05, 0x7f, 0x02, 0x05,
-	0x3f, 0x3c, 0xa3, 0xdc, 0x2c, 0xaa, 0x3a, 0xdf, 0xe3, 0x7f, 0x93, 0xdc, 0x7e, 0x99, 0x31, 0x2f,
-	0xc5, 0x50, 0xac, 0x69, 0xa3, 0xcb, 0xab, 0xca, 0xcc, 0xdb, 0xab, 0xca, 0xcc, 0xbb, 0xab, 0xca,
-	0xcc, 0xaf, 0x83, 0x8a, 0x71, 0x39, 0xa8, 0x18, 0x6f, 0x07, 0x15, 0xe3, 0xdd, 0xa0, 0x62, 0xfc,
-	0x3b, 0xa8, 0x18, 0x7f, 0xfc, 0x57, 0x99, 0xf9, 0x71, 0x6b, 0x9a, 0xbf, 0xd7, 0xff, 0x07, 0x00,
-	0x00, 0xff, 0xff, 0xa8, 0x1e, 0x19, 0x20, 0x8d, 0x0b, 0x00, 0x00,
-}
+func (m *CarpStatus) Reset() { *m = CarpStatus{} }
 
 func (m *Carp) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -592,7 +335,7 @@ func (m *CarpSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -944,7 +687,7 @@ func (this *CarpSpec) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..2c3fcb5e9555d
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Carp) ProtoMessage() {}
+
+func (*CarpCondition) ProtoMessage() {}
+
+func (*CarpInfo) ProtoMessage() {}
+
+func (*CarpList) ProtoMessage() {}
+
+func (*CarpSpec) ProtoMessage() {}
+
+func (*CarpStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..38ee899cb9326
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/apis/testapigroup/v1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Carp) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.Carp"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CarpCondition) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.CarpCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CarpInfo) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.CarpInfo"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CarpList) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.CarpList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CarpSpec) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.CarpSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CarpStatus) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.apis.testapigroup.v1.CarpStatus"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/labels/selector.go b/staging/src/k8s.io/apimachinery/pkg/labels/selector.go
index 067bcac0a0db7..031dcd21be465 100644
--- a/staging/src/k8s.io/apimachinery/pkg/labels/selector.go
+++ b/staging/src/k8s.io/apimachinery/pkg/labels/selector.go
@@ -25,6 +25,7 @@ import (
 
 	"k8s.io/klog/v2"
 
+	"k8s.io/apimachinery/pkg/api/validate/content"
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -848,7 +849,6 @@ func (p *Parser) parseIdentifiersList() (sets.String, error) {
 				return s, nil
 			}
 			if tok2 == CommaToken {
-				p.consume(Values)
 				s.Insert("") // to handle ,, Double "" removed by StringSet
 			}
 		default: // it can be operator
@@ -927,7 +927,7 @@ func parse(selector string, path *field.Path) (internalSelector, error) {
 }
 
 func validateLabelKey(k string, path *field.Path) *field.Error {
-	if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+	if errs := content.IsLabelKey(k); len(errs) != 0 {
 		return field.Invalid(path, k, strings.Join(errs, "; "))
 	}
 	return nil
diff --git a/staging/src/k8s.io/apimachinery/pkg/labels/selector_test.go b/staging/src/k8s.io/apimachinery/pkg/labels/selector_test.go
index 91dfd51d56ca5..abe066154d17f 100644
--- a/staging/src/k8s.io/apimachinery/pkg/labels/selector_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/labels/selector_test.go
@@ -636,9 +636,24 @@ func TestSetSelectorParser(t *testing.T) {
 		{"x in (abc,)", internalSelector{
 			getRequirement("x", selection.In, sets.NewString("abc", ""), t),
 		}, true, true},
+		{"x in (abc,abc)", internalSelector{
+			getRequirement("x", selection.In, sets.NewString("abc"), t),
+		}, true, true},
 		{"x in ()", internalSelector{
 			getRequirement("x", selection.In, sets.NewString(""), t),
 		}, true, true},
+		{"x in (a,,)", internalSelector{
+			getRequirement("x", selection.In, sets.NewString("a", ""), t),
+		}, true, true},
+		{"x in (a,,,)", internalSelector{
+			getRequirement("x", selection.In, sets.NewString("a", ""), t),
+		}, true, true},
+		{"x in (a,,,,,,)", internalSelector{
+			getRequirement("x", selection.In, sets.NewString("a", ""), t),
+		}, true, true},
+		{"x in (a,,a,,a,,a,,)", internalSelector{
+			getRequirement("x", selection.In, sets.NewString("a", ""), t),
+		}, true, true},
 		{"x notin (abc,,def),bar,z in (),w", internalSelector{
 			getRequirement("bar", selection.Exists, nil, t),
 			getRequirement("w", selection.Exists, nil, t),
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/doc.go b/staging/src/k8s.io/apimachinery/pkg/runtime/doc.go
index b54429bd89c14..fd012dbc7973a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/doc.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/doc.go
@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.runtime
+
 // Package runtime includes helper functions for working with API objects
 // that follow the kubernetes API object conventions, which are:
 //
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/runtime/generated.pb.go
index 2e40e140aec4b..f5e78d4b36261 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/generated.pb.go
@@ -23,145 +23,16 @@ import (
 	fmt "fmt"
 
 	io "io"
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
-
-	proto "github.com/gogo/protobuf/proto"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *RawExtension) Reset()      { *m = RawExtension{} }
-func (*RawExtension) ProtoMessage() {}
-func (*RawExtension) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e0e4b920403a48c, []int{0}
-}
-func (m *RawExtension) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RawExtension) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RawExtension) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RawExtension.Merge(m, src)
-}
-func (m *RawExtension) XXX_Size() int {
-	return m.Size()
-}
-func (m *RawExtension) XXX_DiscardUnknown() {
-	xxx_messageInfo_RawExtension.DiscardUnknown(m)
-}
+func (m *RawExtension) Reset() { *m = RawExtension{} }
 
-var xxx_messageInfo_RawExtension proto.InternalMessageInfo
+func (m *TypeMeta) Reset() { *m = TypeMeta{} }
 
-func (m *TypeMeta) Reset()      { *m = TypeMeta{} }
-func (*TypeMeta) ProtoMessage() {}
-func (*TypeMeta) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e0e4b920403a48c, []int{1}
-}
-func (m *TypeMeta) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TypeMeta) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TypeMeta) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TypeMeta.Merge(m, src)
-}
-func (m *TypeMeta) XXX_Size() int {
-	return m.Size()
-}
-func (m *TypeMeta) XXX_DiscardUnknown() {
-	xxx_messageInfo_TypeMeta.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TypeMeta proto.InternalMessageInfo
-
-func (m *Unknown) Reset()      { *m = Unknown{} }
-func (*Unknown) ProtoMessage() {}
-func (*Unknown) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2e0e4b920403a48c, []int{2}
-}
-func (m *Unknown) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Unknown) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Unknown) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Unknown.Merge(m, src)
-}
-func (m *Unknown) XXX_Size() int {
-	return m.Size()
-}
-func (m *Unknown) XXX_DiscardUnknown() {
-	xxx_messageInfo_Unknown.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Unknown proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*RawExtension)(nil), "k8s.io.apimachinery.pkg.runtime.RawExtension")
-	proto.RegisterType((*TypeMeta)(nil), "k8s.io.apimachinery.pkg.runtime.TypeMeta")
-	proto.RegisterType((*Unknown)(nil), "k8s.io.apimachinery.pkg.runtime.Unknown")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/runtime/generated.proto", fileDescriptor_2e0e4b920403a48c)
-}
-
-var fileDescriptor_2e0e4b920403a48c = []byte{
-	// 365 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x92, 0x4f, 0x6b, 0x22, 0x31,
-	0x18, 0xc6, 0x27, 0x2a, 0xe8, 0x46, 0xc1, 0x25, 0x7b, 0xd8, 0xd9, 0x3d, 0x64, 0xc4, 0xd3, 0x7a,
-	0xd8, 0x0c, 0x08, 0x85, 0x5e, 0x1d, 0xf1, 0x50, 0x4a, 0xa1, 0x84, 0xfe, 0x81, 0x9e, 0x1a, 0x67,
-	0xd2, 0x31, 0x0c, 0x26, 0xc3, 0x18, 0x99, 0x7a, 0xeb, 0x47, 0xe8, 0xc7, 0xf2, 0xe8, 0xd1, 0x93,
-	0xd4, 0xe9, 0x87, 0xe8, 0xb5, 0x18, 0xa3, 0xb5, 0xed, 0xc1, 0x5b, 0xde, 0xf7, 0x79, 0x7e, 0xcf,
-	0xfb, 0xbe, 0x10, 0xe8, 0x27, 0xa7, 0x13, 0x22, 0x94, 0xcf, 0x52, 0x31, 0x66, 0xe1, 0x48, 0x48,
-	0x9e, 0xcd, 0xfc, 0x34, 0x89, 0xfd, 0x6c, 0x2a, 0xb5, 0x18, 0x73, 0x3f, 0xe6, 0x92, 0x67, 0x4c,
-	0xf3, 0x88, 0xa4, 0x99, 0xd2, 0x0a, 0x79, 0x5b, 0x80, 0x1c, 0x02, 0x24, 0x4d, 0x62, 0x62, 0x81,
-	0xbf, 0xff, 0x63, 0xa1, 0x47, 0xd3, 0x21, 0x09, 0xd5, 0xd8, 0x8f, 0x55, 0xac, 0x7c, 0xc3, 0x0d,
-	0xa7, 0x0f, 0xa6, 0x32, 0x85, 0x79, 0x6d, 0xf3, 0xda, 0x1d, 0xd8, 0xa0, 0x2c, 0x1f, 0x3c, 0x6a,
-	0x2e, 0x27, 0x42, 0x49, 0xf4, 0x07, 0x96, 0x33, 0x96, 0xbb, 0xa0, 0x05, 0xfe, 0x35, 0x82, 0x6a,
-	0xb1, 0xf2, 0xca, 0x94, 0xe5, 0x74, 0xd3, 0x6b, 0xdf, 0xc3, 0xda, 0xd5, 0x2c, 0xe5, 0x17, 0x5c,
-	0x33, 0xd4, 0x85, 0x90, 0xa5, 0xe2, 0x86, 0x67, 0x1b, 0xc8, 0xb8, 0x7f, 0x04, 0x68, 0xbe, 0xf2,
-	0x9c, 0x62, 0xe5, 0xc1, 0xde, 0xe5, 0x99, 0x55, 0xe8, 0x81, 0x0b, 0xb5, 0x60, 0x25, 0x11, 0x32,
-	0x72, 0x4b, 0xc6, 0xdd, 0xb0, 0xee, 0xca, 0xb9, 0x90, 0x11, 0x35, 0x4a, 0xfb, 0x0d, 0xc0, 0xea,
-	0xb5, 0x4c, 0xa4, 0xca, 0x25, 0xba, 0x85, 0x35, 0x6d, 0xa7, 0x99, 0xfc, 0x7a, 0xb7, 0x43, 0x8e,
-	0xdc, 0x4e, 0x76, 0xeb, 0x05, 0x3f, 0x6d, 0xf8, 0x7e, 0x61, 0xba, 0x0f, 0xdb, 0x5d, 0x58, 0xfa,
-	0x7e, 0x21, 0xea, 0xc1, 0x66, 0xa8, 0xa4, 0xe6, 0x52, 0x0f, 0x64, 0xa8, 0x22, 0x21, 0x63, 0xb7,
-	0x6c, 0x96, 0xfd, 0x6d, 0xf3, 0x9a, 0xfd, 0xcf, 0x32, 0xfd, 0xea, 0x47, 0x27, 0xb0, 0x6e, 0x5b,
-	0x9b, 0xd1, 0x6e, 0xc5, 0xe0, 0xbf, 0x2c, 0x5e, 0xef, 0x7f, 0x48, 0xf4, 0xd0, 0x17, 0x0c, 0xe6,
-	0x6b, 0xec, 0x2c, 0xd6, 0xd8, 0x59, 0xae, 0xb1, 0xf3, 0x54, 0x60, 0x30, 0x2f, 0x30, 0x58, 0x14,
-	0x18, 0x2c, 0x0b, 0x0c, 0x5e, 0x0a, 0x0c, 0x9e, 0x5f, 0xb1, 0x73, 0xe7, 0x1d, 0xf9, 0x2d, 0xef,
-	0x01, 0x00, 0x00, 0xff, 0xff, 0x2a, 0x9b, 0x09, 0xb3, 0x4f, 0x02, 0x00, 0x00,
-}
+func (m *Unknown) Reset() { *m = Unknown{} }
 
 func (m *RawExtension) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..1716853ff17cb
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package runtime
+
+func (*RawExtension) ProtoMessage() {}
+
+func (*TypeMeta) ProtoMessage() {}
+
+func (*Unknown) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
index 7a26d2798ed7a..ed57e08afe92a 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
@@ -18,41 +18,3 @@ limitations under the License.
 // source: k8s.io/apimachinery/pkg/runtime/schema/generated.proto
 
 package schema
-
-import (
-	fmt "fmt"
-
-	math "math"
-
-	proto "github.com/gogo/protobuf/proto"
-)
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/runtime/schema/generated.proto", fileDescriptor_25f8f0eed21c6089)
-}
-
-var fileDescriptor_25f8f0eed21c6089 = []byte{
-	// 170 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0xce, 0xa1, 0x0e, 0xc2, 0x30,
-	0x10, 0xc6, 0xf1, 0xd6, 0x22, 0x91, 0x88, 0x93, 0x73, 0xdc, 0x39, 0x82, 0x46, 0xf3, 0x04, 0xb8,
-	0x6e, 0x94, 0xae, 0x59, 0xba, 0x6b, 0xba, 0x4e, 0xe0, 0x78, 0x04, 0x1e, 0x6b, 0x72, 0x72, 0x92,
-	0x95, 0x17, 0x21, 0x69, 0x11, 0x48, 0xdc, 0xfd, 0xc5, 0xef, 0xf2, 0x6d, 0x0e, 0xdd, 0x71, 0x40,
-	0xcb, 0xa4, 0xbc, 0x75, 0xaa, 0x69, 0x6d, 0xaf, 0xc3, 0x9d, 0x7c, 0x67, 0x28, 0x8c, 0x7d, 0xb4,
-	0x4e, 0xd3, 0xd0, 0xb4, 0xda, 0x29, 0x32, 0xba, 0xd7, 0x41, 0x45, 0x7d, 0x45, 0x1f, 0x38, 0xf2,
-	0xb6, 0x2a, 0x0e, 0x7f, 0x1d, 0xfa, 0xce, 0xe0, 0xd7, 0x61, 0x71, 0xbb, 0xbd, 0xb1, 0xb1, 0x1d,
-	0x6b, 0x6c, 0xd8, 0x91, 0x61, 0xc3, 0x94, 0x79, 0x3d, 0xde, 0x72, 0xe5, 0xc8, 0x57, 0x79, 0x7b,
-	0x3a, 0x4f, 0x2b, 0x88, 0x79, 0x05, 0xb1, 0xac, 0x20, 0x1e, 0x09, 0xe4, 0x94, 0x40, 0xce, 0x09,
-	0xe4, 0x92, 0x40, 0xbe, 0x12, 0xc8, 0xe7, 0x1b, 0xc4, 0xa5, 0xfa, 0x6f, 0xf4, 0x27, 0x00, 0x00,
-	0xff, 0xff, 0x97, 0xb8, 0x4d, 0x1f, 0xdd, 0x00, 0x00, 0x00,
-}
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..047437377fb33
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go
@@ -0,0 +1,22 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package schema
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/scheme.go b/staging/src/k8s.io/apimachinery/pkg/runtime/scheme.go
index b0e22c5e30c0d..e2fbeabdd0dd7 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/scheme.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/scheme.go
@@ -29,6 +29,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/kube-openapi/pkg/util"
 )
 
 // Scheme defines methods for serializing and deserializing API objects, a type
@@ -752,6 +753,9 @@ var internalPackages = []string{"k8s.io/apimachinery/pkg/runtime/scheme.go"}
 // The OpenAPI definition name is the canonical name of the type, with the group and version removed.
 // For example, the OpenAPI definition name of Pod is `io.k8s.api.core.v1.Pod`.
 //
+// This respects the util.OpenAPIModelNamer interface and will return the name returned by
+// OpenAPIModelName() if it is defined on the type.
+//
 // A known type that is registered as an unstructured.Unstructured type is treated as a custom resource and
 // which has an OpenAPI definition name of the form `<reversed-group>.<version.<kind>`.
 // For example, the OpenAPI definition name of `group: stable.example.com, version: v1, kind: Pod` is
@@ -764,6 +768,12 @@ func (s *Scheme) ToOpenAPIDefinitionName(groupVersionKind schema.GroupVersionKin
 	if err != nil {
 		return "", err
 	}
+
+	// Use a namer if provided
+	if namer, ok := example.(util.OpenAPIModelNamer); ok {
+		return namer.OpenAPIModelName(), nil
+	}
+
 	if _, ok := example.(Unstructured); ok {
 		if groupVersionKind.Group == "" || groupVersionKind.Kind == "" {
 			return "", fmt.Errorf("unable to convert GroupVersionKind with empty fields to unstructured type to an OpenAPI definition name: %v", groupVersionKind)
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections.go b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections.go
index 754a80820b06c..afac03e9da4e6 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections.go
@@ -21,8 +21,6 @@ import (
 	"io"
 	"math/bits"
 
-	"github.com/gogo/protobuf/proto"
-
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/conversion"
@@ -98,6 +96,10 @@ type streamingListData struct {
 	items      []runtime.Object
 }
 
+type sizer interface {
+	Size() int
+}
+
 // listSize return size of ListMeta and items to be later used for preallocations.
 // listMetaSize and itemSizes do not include header bytes (field identifier, size).
 func listSize(listMeta metav1.ListMeta, items []runtime.Object) (totalSize, listMetaSize int, itemSizes []int, err error) {
@@ -107,7 +109,7 @@ func listSize(listMeta metav1.ListMeta, items []runtime.Object) (totalSize, list
 	// Items
 	itemSizes = make([]int, len(items))
 	for i, item := range items {
-		sizer, ok := item.(proto.Sizer)
+		sizer, ok := item.(sizer)
 		if !ok {
 			return totalSize, listMetaSize, nil, errItemsSizer
 		}
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections_test.go b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections_test.go
index c48d416b5dc53..2ff5b5ca38718 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/collections_test.go
@@ -23,7 +23,6 @@ import (
 	"os/exec"
 	"testing"
 
-	"github.com/gogo/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 	"sigs.k8s.io/randfill"
 
@@ -313,7 +312,6 @@ type countingSizer struct {
 	count int
 }
 
-var _ proto.Sizer = (*countingSizer)(nil)
 var _ runtime.ProtobufMarshaller = (*countingSizer)(nil)
 
 func (s *countingSizer) MarshalTo(data []byte) (int, error) {
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
index c66c49ac4c2d2..67a2d124745fd 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
@@ -23,8 +23,6 @@ import (
 	"net/http"
 	"reflect"
 
-	"github.com/gogo/protobuf/proto"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -148,11 +146,13 @@ func (s *Serializer) Decode(originalData []byte, gvk *schema.GroupVersionKind, i
 		types, _, err := s.typer.ObjectKinds(into)
 		switch {
 		case runtime.IsNotRegisteredError(err):
-			pb, ok := into.(proto.Message)
+			unmarshaler, ok := into.(unmarshaler)
 			if !ok {
 				return nil, &actual, errNotMarshalable{reflect.TypeOf(into)}
 			}
-			if err := proto.Unmarshal(unk.Raw, pb); err != nil {
+			// top-level unmarshal resets before delegating unmarshaling to the object
+			unmarshaler.Reset()
+			if err := unmarshaler.Unmarshal(unk.Raw); err != nil {
 				return nil, &actual, err
 			}
 			return into, &actual, nil
@@ -251,7 +251,7 @@ func (s *Serializer) doEncode(obj runtime.Object, w io.Writer, memAlloc runtime.
 		_, err = w.Write(data[:prefixSize+uint64(i)])
 		return err
 
-	case proto.Marshaler:
+	case unbufferedMarshaller:
 		// this path performs extra allocations
 		data, err := t.Marshal()
 		if err != nil {
@@ -306,16 +306,27 @@ func copyKindDefaults(dst, src *schema.GroupVersionKind) {
 // bufferedMarshaller describes a more efficient marshalling interface that can avoid allocating multiple
 // byte buffers by pre-calculating the size of the final buffer needed.
 type bufferedMarshaller interface {
-	proto.Sizer
 	runtime.ProtobufMarshaller
 }
 
 // Like bufferedMarshaller, but is able to marshal backwards, which is more efficient since it doesn't call Size() as frequently.
 type bufferedReverseMarshaller interface {
-	proto.Sizer
 	runtime.ProtobufReverseMarshaller
 }
 
+type unbufferedMarshaller interface {
+	Marshal() ([]byte, error)
+}
+
+// unmarshaler is the subset of gogo Message and Unmarshaler used by unmarshal
+type unmarshaler interface {
+	// Reset() is called on the top-level message before unmarshaling,
+	// and clears all existing data from the message instance.
+	Reset()
+	// Unmarshal decodes from the start of the data into the message.
+	Unmarshal([]byte) error
+}
+
 // estimateUnknownSize returns the expected bytes consumed by a given runtime.Unknown
 // object with a nil RawJSON struct and the expected size of the provided buffer. The
 // returned size will not be correct if RawJSOn is set on unk.
@@ -381,11 +392,13 @@ func (s *RawSerializer) Decode(originalData []byte, gvk *schema.GroupVersionKind
 	types, _, err := s.typer.ObjectKinds(into)
 	switch {
 	case runtime.IsNotRegisteredError(err):
-		pb, ok := into.(proto.Message)
+		unmarshaler, ok := into.(unmarshaler)
 		if !ok {
 			return nil, actual, errNotMarshalable{reflect.TypeOf(into)}
 		}
-		if err := proto.Unmarshal(data, pb); err != nil {
+		// top-level unmarshal resets before delegating unmarshaling to the object
+		unmarshaler.Reset()
+		if err := unmarshaler.Unmarshal(data); err != nil {
 			return nil, actual, err
 		}
 		return into, actual, nil
@@ -419,11 +432,13 @@ func unmarshalToObject(typer runtime.ObjectTyper, creater runtime.ObjectCreater,
 		return nil, actual, err
 	}
 
-	pb, ok := obj.(proto.Message)
+	unmarshaler, ok := obj.(unmarshaler)
 	if !ok {
 		return nil, actual, errNotMarshalable{reflect.TypeOf(obj)}
 	}
-	if err := proto.Unmarshal(data, pb); err != nil {
+	// top-level unmarshal resets before delegating unmarshaling to the object
+	unmarshaler.Reset()
+	if err := unmarshaler.Unmarshal(data); err != nil {
 		return nil, actual, err
 	}
 	if actual != nil {
@@ -519,7 +534,7 @@ func doEncode(obj any, w io.Writer, precomputedObjSize *int, memAlloc runtime.Me
 		}
 		return w.Write(data[:n])
 
-	case proto.Marshaler:
+	case unbufferedMarshaller:
 		// this path performs extra allocations
 		data, err := t.Marshal()
 		if err != nil {
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto.go b/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto.go
index 27a2064c4163e..70c4ea8c56d1c 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto.go
@@ -21,11 +21,21 @@ import (
 	"io"
 )
 
+// ProtobufReverseMarshaller can precompute size, and marshals to the start of the provided data buffer.
 type ProtobufMarshaller interface {
+	// Size returns the number of bytes a call to MarshalTo would consume.
+	Size() int
+	// MarshalTo marshals to the start of the data buffer, which must be at least as big as Size(),
+	// and returns the number of bytes written, which must be identical to the return value of Size().
 	MarshalTo(data []byte) (int, error)
 }
 
+// ProtobufReverseMarshaller can precompute size, and marshals to the end of the provided data buffer.
 type ProtobufReverseMarshaller interface {
+	// Size returns the number of bytes a call to MarshalToSizedBuffer would consume.
+	Size() int
+	// MarshalToSizedBuffer marshals to the end of the data buffer, which must be at least as big as Size(),
+	// and returns the number of bytes written, which must be identical to the return value of Size().
 	MarshalToSizedBuffer(data []byte) (int, error)
 }
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto_test.go b/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto_test.go
index 39fb709426dcc..50535f041769c 100644
--- a/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/types_proto_test.go
@@ -101,6 +101,10 @@ func TestNestedMarshalToWriter(t *testing.T) {
 
 type copyMarshaler []byte
 
+func (c copyMarshaler) Size() int {
+	return len(c)
+}
+
 func (c copyMarshaler) MarshalTo(dest []byte) (int, error) {
 	n := copy(dest, []byte(c))
 	return n, nil
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go
new file mode 100644
index 0000000000000..cf3ec4dcebba6
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go
@@ -0,0 +1,92 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package runtime
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Allocator) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.Allocator"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NegotiateError) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.NegotiateError"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NoopDecoder) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.NoopDecoder"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NoopEncoder) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.NoopEncoder"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Pair) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.Pair"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RawExtension) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.RawExtension"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Scheme) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.Scheme"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SerializerInfo) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.SerializerInfo"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SimpleAllocator) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.SimpleAllocator"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StreamSerializerInfo) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.StreamSerializerInfo"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TypeMeta) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.TypeMeta"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Unknown) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.Unknown"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WithVersionEncoder) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.WithVersionEncoder"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WithoutVersionDecoder) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.runtime.WithoutVersionDecoder"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go b/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go
index 8054b98676b82..a7c8d897dc81d 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream.go
@@ -160,19 +160,31 @@ func commaSeparatedHeaderValues(header []string) []string {
 
 // Handshake performs a subprotocol negotiation. If the client did request a
 // subprotocol, Handshake will select the first common value found in
-// serverProtocols. If a match is found, Handshake adds a response header
-// indicating the chosen subprotocol. If no match is found, HTTP forbidden is
-// returned, along with a response header containing the list of protocols the
-// server can accept.
+// serverProtocols, otherwise it will return an error and write an HTTP BadRequest to the response.
+// If a match is found, Handshake adds a response header indicating the chosen subprotocol.
+// If no match is found, HTTP forbidden is returned, along with a response header containing
+// the list of protocols the server can accept.
 func Handshake(req *http.Request, w http.ResponseWriter, serverProtocols []string) (string, error) {
-	clientProtocols := commaSeparatedHeaderValues(req.Header[http.CanonicalHeaderKey(HeaderProtocolVersion)])
-	if len(clientProtocols) == 0 {
-		return "", fmt.Errorf("unable to upgrade: %s is required", HeaderProtocolVersion)
-	}
-
 	if len(serverProtocols) == 0 {
 		panic(fmt.Errorf("unable to upgrade: serverProtocols is required"))
 	}
+	values, ok := req.Header[http.CanonicalHeaderKey(HeaderProtocolVersion)]
+	if !ok {
+		err := fmt.Errorf("unable to upgrade: header %s does not exist in request with %d headers", HeaderProtocolVersion, len(req.Header))
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return "", err
+	}
+	if len(values) == 0 {
+		err := fmt.Errorf("unable to upgrade: header %s is empty", HeaderProtocolVersion)
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return "", err
+	}
+	clientProtocols := commaSeparatedHeaderValues(values)
+	if len(clientProtocols) == 0 {
+		err := fmt.Errorf("unable to upgrade: header %s contains %s, but no valid protocols", HeaderProtocolVersion, values)
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return "", err
+	}
 
 	negotiatedProtocol := negotiateProtocol(clientProtocols, serverProtocols)
 	if len(negotiatedProtocol) == 0 {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream_test.go b/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream_test.go
index f81e12b9cda5c..04cf200d57a31 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/httpstream/httpstream_test.go
@@ -49,22 +49,39 @@ func (r *responseWriter) Write([]byte) (int, error) {
 
 func TestHandshake(t *testing.T) {
 	tests := map[string]struct {
-		clientProtocols  []string
-		serverProtocols  []string
-		expectedProtocol string
-		expectError      bool
+		clientProtocols    []string
+		serverProtocols    []string
+		expectedProtocol   string
+		expectError        bool
+		expectedStatusCode int
 	}{
+		"no protocol": {
+			clientProtocols:    []string{},
+			serverProtocols:    []string{"a", "b"},
+			expectedProtocol:   "",
+			expectError:        true,
+			expectedStatusCode: http.StatusBadRequest,
+		},
+		"empty client protocol header": {
+			clientProtocols:    []string{",, "},
+			serverProtocols:    []string{"a", "b"},
+			expectedProtocol:   "",
+			expectError:        true,
+			expectedStatusCode: http.StatusBadRequest,
+		},
 		"no common protocol": {
-			clientProtocols:  []string{"c"},
-			serverProtocols:  []string{"a", "b"},
-			expectedProtocol: "",
-			expectError:      true,
+			clientProtocols:    []string{"c"},
+			serverProtocols:    []string{"a", "b"},
+			expectedProtocol:   "",
+			expectError:        true,
+			expectedStatusCode: http.StatusForbidden,
 		},
 		"no common protocol with comma separated list": {
-			clientProtocols:  []string{"c, d"},
-			serverProtocols:  []string{"a", "b"},
-			expectedProtocol: "",
-			expectError:      true,
+			clientProtocols:    []string{"c, d"},
+			serverProtocols:    []string{"a", "b"},
+			expectedProtocol:   "",
+			expectError:        true,
+			expectedStatusCode: http.StatusForbidden,
 		},
 		"common protocol": {
 			clientProtocols:  []string{"b"},
@@ -79,57 +96,72 @@ func TestHandshake(t *testing.T) {
 	}
 
 	for name, test := range tests {
-		req, err := http.NewRequest(http.MethodGet, "http://www.example.com/", nil)
-		if err != nil {
-			t.Fatalf("%s: error creating request: %v", name, err)
-		}
+		t.Run(name, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, "http://www.example.com/", nil)
+			if err != nil {
+				t.Fatalf("%s: error creating request: %v", name, err)
+			}
 
-		for _, p := range test.clientProtocols {
-			req.Header.Add(HeaderProtocolVersion, p)
-		}
+			for _, p := range test.clientProtocols {
+				req.Header.Add(HeaderProtocolVersion, p)
+			}
 
-		w := newResponseWriter()
-		negotiated, err := Handshake(req, w, test.serverProtocols)
+			w := newResponseWriter()
+			negotiated, err := Handshake(req, w, test.serverProtocols)
 
-		// verify negotiated protocol
-		if e, a := test.expectedProtocol, negotiated; e != a {
-			t.Errorf("%s: protocol: expected %q, got %q", name, e, a)
-		}
+			// verify negotiated protocol
+			if e, a := test.expectedProtocol, negotiated; e != a {
+				t.Fatalf("%s: protocol: expected %q, got %q", name, e, a)
+			}
 
-		if test.expectError {
-			if err == nil {
-				t.Errorf("%s: expected error but did not get one", name)
+			if test.expectError {
+				if err == nil {
+					t.Fatalf("%s: expected error but did not get one", name)
+				}
+				if w.statusCode == nil {
+					t.Fatalf("%s: expected w.statusCode to be set", name)
+				} else if e, a := test.expectedStatusCode, *w.statusCode; e != a {
+					t.Fatalf("%s: w.statusCode: expected %d, got %d", name, e, a)
+				}
+				if test.expectedStatusCode == http.StatusForbidden {
+					if e, a := test.serverProtocols, w.Header()[HeaderAcceptedProtocolVersions]; !reflect.DeepEqual(e, a) {
+						t.Fatalf("%s: accepted server protocols: expected %v, got %v", name, e, a)
+					}
+				}
+				return
 			}
-			if w.statusCode == nil {
-				t.Errorf("%s: expected w.statusCode to be set", name)
-			} else if e, a := http.StatusForbidden, *w.statusCode; e != a {
-				t.Errorf("%s: w.statusCode: expected %d, got %d", name, e, a)
+			if !test.expectError && err != nil {
+				t.Fatalf("%s: unexpected error: %v", name, err)
 			}
-			if e, a := test.serverProtocols, w.Header()[HeaderAcceptedProtocolVersions]; !reflect.DeepEqual(e, a) {
-				t.Errorf("%s: accepted server protocols: expected %v, got %v", name, e, a)
+			if w.statusCode != nil {
+				t.Fatalf("%s: unexpected non-nil w.statusCode: %d", name, w.statusCode)
 			}
-			continue
-		}
-		if !test.expectError && err != nil {
-			t.Errorf("%s: unexpected error: %v", name, err)
-			continue
-		}
-		if w.statusCode != nil {
-			t.Errorf("%s: unexpected non-nil w.statusCode: %d", name, w.statusCode)
-		}
-
-		if len(test.expectedProtocol) == 0 {
-			if len(w.Header()[HeaderProtocolVersion]) > 0 {
-				t.Errorf("%s: unexpected protocol version response header: %s", name, w.Header()[HeaderProtocolVersion])
+
+			if len(test.expectedProtocol) == 0 {
+				if len(w.Header()[HeaderProtocolVersion]) > 0 {
+					t.Fatalf("%s: unexpected protocol version response header: %s", name, w.Header()[HeaderProtocolVersion])
+				}
+				return
 			}
-			continue
-		}
 
-		// verify response headers
-		if e, a := []string{test.expectedProtocol}, w.Header()[HeaderProtocolVersion]; !reflect.DeepEqual(e, a) {
-			t.Errorf("%s: protocol response header: expected %v, got %v", name, e, a)
-		}
+			// verify response headers
+			if e, a := []string{test.expectedProtocol}, w.Header()[HeaderProtocolVersion]; !reflect.DeepEqual(e, a) {
+				t.Fatalf("%s: protocol response header: expected %v, got %v", name, e, a)
+			}
+		})
 	}
+
+	t.Run("empty server protocols should panic", func(t *testing.T) {
+		defer func() {
+			if r := recover(); r == nil {
+				t.Errorf("The code did not panic")
+			}
+		}()
+		req, _ := http.NewRequest(http.MethodGet, "http://www.example.com/", nil)
+		req.Header.Add(HeaderProtocolVersion, "a")
+		w := newResponseWriter()
+		_, _ = Handshake(req, w, []string{})
+	})
 }
 
 func TestIsUpgradeFailureError(t *testing.T) {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
index 1f2877399fc1b..5be552e1eb6c4 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
@@ -23,80 +23,10 @@ import (
 	fmt "fmt"
 
 	io "io"
-	math "math"
 	math_bits "math/bits"
-
-	proto "github.com/gogo/protobuf/proto"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *IntOrString) Reset()      { *m = IntOrString{} }
-func (*IntOrString) ProtoMessage() {}
-func (*IntOrString) Descriptor() ([]byte, []int) {
-	return fileDescriptor_771bacc35a5ec189, []int{0}
-}
-func (m *IntOrString) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IntOrString) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IntOrString) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IntOrString.Merge(m, src)
-}
-func (m *IntOrString) XXX_Size() int {
-	return m.Size()
-}
-func (m *IntOrString) XXX_DiscardUnknown() {
-	xxx_messageInfo_IntOrString.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IntOrString proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*IntOrString)(nil), "k8s.io.apimachinery.pkg.util.intstr.IntOrString")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apimachinery/pkg/util/intstr/generated.proto", fileDescriptor_771bacc35a5ec189)
-}
-
-var fileDescriptor_771bacc35a5ec189 = []byte{
-	// 277 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x32, 0xce, 0xb6, 0x28, 0xd6,
-	0xcb, 0xcc, 0xd7, 0x4f, 0x2c, 0xc8, 0xcc, 0x4d, 0x4c, 0xce, 0xc8, 0xcc, 0x4b, 0x2d, 0xaa, 0xd4,
-	0x2f, 0xc8, 0x4e, 0xd7, 0x2f, 0x2d, 0xc9, 0xcc, 0xd1, 0xcf, 0xcc, 0x2b, 0x29, 0x2e, 0x29, 0xd2,
-	0x4f, 0x4f, 0xcd, 0x4b, 0x2d, 0x4a, 0x2c, 0x49, 0x4d, 0xd1, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17,
-	0x52, 0x86, 0x68, 0xd2, 0x43, 0xd6, 0xa4, 0x57, 0x90, 0x9d, 0xae, 0x07, 0xd2, 0xa4, 0x07, 0xd1,
-	0x24, 0xa5, 0x9b, 0x9e, 0x59, 0x92, 0x51, 0x9a, 0xa4, 0x97, 0x9c, 0x9f, 0xab, 0x9f, 0x9e, 0x9f,
-	0x9e, 0xaf, 0x0f, 0xd6, 0x9b, 0x54, 0x9a, 0x06, 0xe6, 0x81, 0x39, 0x60, 0x16, 0xc4, 0x4c, 0xa5,
-	0x89, 0x8c, 0x5c, 0xdc, 0x9e, 0x79, 0x25, 0xfe, 0x45, 0xc1, 0x25, 0x45, 0x99, 0x79, 0xe9, 0x42,
-	0x1a, 0x5c, 0x2c, 0x25, 0x95, 0x05, 0xa9, 0x12, 0x8c, 0x0a, 0x8c, 0x1a, 0xcc, 0x4e, 0x22, 0x27,
-	0xee, 0xc9, 0x33, 0x3c, 0xba, 0x27, 0xcf, 0x12, 0x52, 0x59, 0x90, 0xfa, 0x0b, 0x4a, 0x07, 0x81,
-	0x55, 0x08, 0xa9, 0x71, 0xb1, 0x65, 0xe6, 0x95, 0x84, 0x25, 0xe6, 0x48, 0x30, 0x29, 0x30, 0x6a,
-	0xb0, 0x3a, 0xf1, 0x41, 0xd5, 0xb2, 0x79, 0x82, 0x45, 0x83, 0xa0, 0xb2, 0x20, 0x75, 0xc5, 0x25,
-	0x45, 0x20, 0x75, 0xcc, 0x0a, 0x8c, 0x1a, 0x9c, 0x08, 0x75, 0xc1, 0x60, 0xd1, 0x20, 0xa8, 0xac,
-	0x15, 0xc7, 0x8c, 0x05, 0xf2, 0x0c, 0x0d, 0x77, 0x14, 0x18, 0x9c, 0x3c, 0x4f, 0x3c, 0x94, 0x63,
-	0xb8, 0xf0, 0x50, 0x8e, 0xe1, 0xc6, 0x43, 0x39, 0x86, 0x86, 0x47, 0x72, 0x8c, 0x27, 0x1e, 0xc9,
-	0x31, 0x5e, 0x78, 0x24, 0xc7, 0x78, 0xe3, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x13, 0x1e,
-	0xcb, 0x31, 0x44, 0x29, 0x13, 0x11, 0x84, 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0x63, 0xa1, 0x0b,
-	0x1e, 0x68, 0x01, 0x00, 0x00,
-}
+func (m *IntOrString) Reset() { *m = IntOrString{} }
 
 func (m *IntOrString) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.proto b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.proto
index 7c63c5e45af5f..e3d26a59a589e 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.proto
+++ b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.proto
@@ -33,6 +33,7 @@ option go_package = "k8s.io/apimachinery/pkg/util/intstr";
 // +protobuf=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.util.intstr
 message IntOrString {
   optional int64 type = 1;
 
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..2853a01830047
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go
@@ -0,0 +1,24 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package intstr
+
+func (*IntOrString) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/intstr/intstr.go b/staging/src/k8s.io/apimachinery/pkg/util/intstr/intstr.go
index 5fd2e16c842f6..f372ae589c0f0 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/intstr/intstr.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/intstr/intstr.go
@@ -38,6 +38,7 @@ import (
 // +protobuf=true
 // +protobuf.options.(gogoproto.goproto_stringer)=false
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.util.intstr
 type IntOrString struct {
 	Type   Type   `protobuf:"varint,1,opt,name=type,casttype=Type"`
 	IntVal int32  `protobuf:"varint,2,opt,name=intVal"`
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b2d6e0ae3c877
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package intstr
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in IntOrString) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.util.intstr.IntOrString"
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/net/util_test.go b/staging/src/k8s.io/apimachinery/pkg/util/net/util_test.go
index 561fe4eebe7e4..90b14a864c0a8 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/net/util_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/net/util_test.go
@@ -24,7 +24,6 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"os"
-	"sync/atomic"
 	"syscall"
 	"testing"
 	"time"
@@ -109,7 +108,6 @@ type tcpLB struct {
 	t         *testing.T
 	ln        net.Listener
 	serverURL string
-	dials     int32
 }
 
 func (lb *tcpLB) handleConnection(in net.Conn, stopCh chan struct{}) {
@@ -131,8 +129,7 @@ func (lb *tcpLB) serve(stopCh chan struct{}) {
 	if err != nil {
 		lb.t.Fatalf("failed to accept: %v", err)
 	}
-	atomic.AddInt32(&lb.dials, 1)
-	go lb.handleConnection(conn, stopCh)
+	lb.handleConnection(conn, stopCh)
 }
 
 func newLB(t *testing.T, serverURL string) *tcpLB {
@@ -162,8 +159,11 @@ func TestIsConnectionReset(t *testing.T) {
 	}
 	lb := newLB(t, u.Host)
 	defer lb.ln.Close()
-	stopCh := make(chan struct{})
-	go lb.serve(stopCh)
+	stopCh, stoppedCh := make(chan struct{}), make(chan struct{})
+	go func() {
+		defer close(stoppedCh)
+		lb.serve(stopCh)
+	}()
 
 	c := ts.Client()
 	transport, ok := ts.Client().Transport.(*http.Transport)
@@ -176,7 +176,6 @@ func TestIsConnectionReset(t *testing.T) {
 	}
 	t2.ReadIdleTimeout = time.Second
 	t2.PingTimeout = time.Second
-	// Create an HTTP2 connection to reuse later
 	resp, err := c.Get("https://" + lb.ln.Addr().String())
 	if err != nil {
 		t.Fatalf("unexpected error: %+v", err)
@@ -194,6 +193,7 @@ func TestIsConnectionReset(t *testing.T) {
 	// connection. This mimics a broken TCP connection that's not properly
 	// closed.
 	close(stopCh)
+	<-stoppedCh
 	_, err = c.Get("https://" + lb.ln.Addr().String())
 	if !IsHTTP2ConnectionLost(err) {
 		t.Fatalf("expected HTTP2ConnectionLost error, got %v", err)
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion.go b/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion.go
new file mode 100644
index 0000000000000..6f672c4b46041
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion.go
@@ -0,0 +1,85 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceversion
+
+import (
+	"fmt"
+	"strings"
+)
+
+type InvalidResourceVersion struct {
+	rv string
+}
+
+func (i InvalidResourceVersion) Error() string {
+	return fmt.Sprintf("resource version is not well formed: %s", i.rv)
+}
+
+// CompareResourceVersion runs a comparison between two ResourceVersions. This
+// only has semantic meaning when the comparison is done on two objects of the
+// same resource. The return values are:
+//
+//	-1: If RV a < RV b
+//	 0: If RV a == RV b
+//	+1: If RV a > RV b
+//
+// The function will return an error if the resource version is not a properly
+// formatted positive integer, but has no restriction on length. A properly
+// formatted integer will not contain leading zeros or non integer characters.
+// Zero is also considered an invalid value as it is used as a special value in
+// list/watch events and will never be a live resource version.
+func CompareResourceVersion(a, b string) (int, error) {
+	if !isWellFormed(a) {
+		return 0, InvalidResourceVersion{rv: a}
+	}
+	if !isWellFormed(b) {
+		return 0, InvalidResourceVersion{rv: b}
+	}
+	// both are well-formed integer strings with no leading zeros
+	aLen := len(a)
+	bLen := len(b)
+	switch {
+	case aLen < bLen:
+		// shorter is less
+		return -1, nil
+	case aLen > bLen:
+		// longer is greater
+		return 1, nil
+	default:
+		// equal-length compares lexically
+		return strings.Compare(a, b), nil
+	}
+}
+
+func isWellFormed(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	if s[0] == '0' {
+		return false
+	}
+	for i := range s {
+		if !isDigit(s[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+func isDigit(b byte) bool {
+	return b >= '0' && b <= '9'
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion_test.go b/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion_test.go
new file mode 100644
index 0000000000000..dd3785e9ac980
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/resourceversion/resourceversion_test.go
@@ -0,0 +1,162 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceversion
+
+import (
+	"testing"
+)
+
+func TestCompareResourceVersion(t *testing.T) {
+	testCases := []struct {
+		name     string
+		a        string
+		b        string
+		expected int
+		err      bool
+	}{
+		{
+			name:     "a less than b",
+			a:        "100",
+			b:        "200",
+			expected: -1,
+		},
+		{
+			name: "a is zero, invalid",
+			a:    "0",
+			b:    "1",
+			err:  true,
+		},
+		{
+			name: "both zero",
+			a:    "0",
+			b:    "0",
+			err:  true,
+		},
+		{
+			name:     "a greater than b",
+			a:        "200",
+			b:        "100",
+			expected: 1,
+		},
+		{
+			name: "b is 0, invalid",
+			a:    "1",
+			b:    "0",
+			err:  true,
+		},
+		{
+			name:     "a equal to b small",
+			a:        "1",
+			b:        "1",
+			expected: 0,
+		},
+		{
+			name:     "a equal to b",
+			a:        "100",
+			b:        "100",
+			expected: 0,
+		},
+		{
+			name:     "a shorter than b",
+			a:        "99",
+			b:        "100",
+			expected: -1,
+		},
+		{
+			name:     "a longer than b",
+			a:        "100",
+			b:        "99",
+			expected: 1,
+		},
+		{
+			name:     "a with leading zero",
+			a:        "0100",
+			b:        "100",
+			expected: 0,
+			err:      true,
+		},
+		{
+			name:     "b with leading zero",
+			a:        "100",
+			b:        "0100",
+			expected: 0,
+			err:      true,
+		},
+		{
+			name:     "a empty",
+			a:        "",
+			b:        "100",
+			expected: 0,
+			err:      true,
+		},
+		{
+			name:     "b empty",
+			a:        "100",
+			b:        "",
+			expected: 0,
+			err:      true,
+		},
+		{
+			name: "a non-digit",
+			a:    "100a",
+			b:    "100",
+			err:  true,
+		},
+		{
+			name: "b non-digit",
+			a:    "100",
+			b:    "100a",
+			err:  true,
+		},
+		{
+			name:     "large int a less than b",
+			a:        "99999999999999999999999999999999999999999999999999",
+			b:        "100000000000000000000000000000000000000000000000000",
+			expected: -1,
+		},
+		{
+			name:     "large int a greater than b",
+			a:        "100000000000000000000000000000000000000000000000000",
+			b:        "99999999999999999999999999999999999999999999999999",
+			expected: 1,
+		},
+		{
+			name:     "large int a equal to b",
+			a:        "12345678901234567890123456789012345678901234567890",
+			b:        "12345678901234567890123456789012345678901234567890",
+			expected: 0,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actual, err := CompareResourceVersion(tc.a, tc.b)
+			if tc.err {
+				if err == nil {
+					t.Fatalf("expected error, but got none")
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if actual != tc.expected {
+				t.Errorf("expected %d, got %d", tc.expected, actual)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/sets/set.go b/staging/src/k8s.io/apimachinery/pkg/util/sets/set.go
index cd961c8c5939c..ae3d15eb25f12 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/sets/set.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/sets/set.go
@@ -18,7 +18,7 @@ package sets
 
 import (
 	"cmp"
-	"sort"
+	"slices"
 )
 
 // Set is a set of the same type elements, implemented via map[comparable]struct{} for minimal memory consumption.
@@ -188,22 +188,13 @@ func (s1 Set[T]) Equal(s2 Set[T]) bool {
 	return len(s1) == len(s2) && s1.IsSuperset(s2)
 }
 
-type sortableSliceOfGeneric[T cmp.Ordered] []T
-
-func (g sortableSliceOfGeneric[T]) Len() int           { return len(g) }
-func (g sortableSliceOfGeneric[T]) Less(i, j int) bool { return less[T](g[i], g[j]) }
-func (g sortableSliceOfGeneric[T]) Swap(i, j int)      { g[i], g[j] = g[j], g[i] }
-
 // List returns the contents as a sorted T slice.
 //
 // This is a separate function and not a method because not all types supported
 // by Generic are ordered and only those can be sorted.
 func List[T cmp.Ordered](s Set[T]) []T {
-	res := make(sortableSliceOfGeneric[T], 0, len(s))
-	for key := range s {
-		res = append(res, key)
-	}
-	sort.Sort(res)
+	res := s.UnsortedList()
+	slices.Sort(res)
 	return res
 }
 
@@ -230,7 +221,3 @@ func (s Set[T]) PopAny() (T, bool) {
 func (s Set[T]) Len() int {
 	return len(s)
 }
-
-func less[T cmp.Ordered](lhs, rhs T) bool {
-	return lhs < rhs
-}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/sets/set_generic_test.go b/staging/src/k8s.io/apimachinery/pkg/util/sets/set_generic_test.go
index 53f3383def764..e439a553d0433 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/sets/set_generic_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/sets/set_generic_test.go
@@ -356,3 +356,20 @@ func TestIntersection(t *testing.T) {
 		}
 	}
 }
+
+func BenchmarkListSmall(b *testing.B) {
+	s := sets.New("a", "b", "c", "d", "e", "f", "g", "h", "i", "j")
+	for b.Loop() {
+		sets.List(s)
+	}
+}
+
+func BenchmarkListLarge(b *testing.B) {
+	s := make(sets.Set[int], 12345)
+	for i := range 12345 {
+		s.Insert(i * 7)
+	}
+	for b.Loop() {
+		sets.List(s)
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/sort/sort.go b/staging/src/k8s.io/apimachinery/pkg/util/sort/sort.go
new file mode 100644
index 0000000000000..6c2e0eb7a5a17
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/sort/sort.go
@@ -0,0 +1,191 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sort
+
+import (
+	"container/heap"
+	"fmt"
+	"sort"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// MergePreservingRelativeOrder performs a topological consensus sort of items from multiple sources.
+// It merges multiple lists of strings into a single list, preserving the relative order of
+// elements within each source list.
+//
+// For any two items, if one appears before the other in any of the input lists,
+// that relative order will be preserved in the output. If no relative ordering is
+// defined between two items, they are sorted lexicographically.
+//
+// The function uses Kahn's algorithm for topological sorting with a min-heap to ensure
+// deterministic output. Items with no dependencies are processed in lexicographic order,
+// guaranteeing consistent results across multiple invocations with the same input.
+//
+// This function contains a shortcut optimization that returns an input list directly
+// if it already contains all unique items. This provides O(n) performance in the best case.
+//
+// Example:
+//   - Input: {{"a", "b", "c"}, {"b", "c"}} returns {"a", "b", "c"}
+//   - Input: {{"a", "c"}, {"b", "c"}} returns {"a", "b", "c"} (lexicographic tie-breaking)
+//   - Input: {{"a", "b"}, {"b", "a"}} returns error (cycle detected)
+//
+// Complexity: O(L*n + V*log(V) + E) where L is the number of lists, n is the average
+// list size, V is the number of unique items, and E is the number of precedence edges.
+//
+// This is useful for creating a stable, consistent ordering when merging data from
+// multiple sources that may have partial but not conflicting orderings.
+func MergePreservingRelativeOrder(inputLists [][]string) []string {
+	if len(inputLists) == 0 {
+		return nil
+	}
+
+	// Build a directed graph of precedence relationships
+	graph := make(map[string]*graphNode)
+	for _, list := range inputLists {
+		for i, item := range list {
+			node := getOrCreateNode(graph, item)
+
+			// Add edge from current item to next item in list
+			if i < len(list)-1 {
+				nextItem := list[i+1]
+				nextNode := getOrCreateNode(graph, nextItem)
+
+				// Only add edge if not already present (avoid incrementing in-degree multiple times)
+				if !node.outEdges.Has(nextItem) {
+					node.outEdges.Insert(nextItem)
+					nextNode.inDegree++
+				}
+			}
+		}
+	}
+
+	// Shortcut: if any input list contains all items (no duplicates), use it
+	allItems := sets.New[string]()
+	for name := range graph {
+		allItems.Insert(name)
+	}
+	for _, list := range inputLists {
+		if len(list) == allItems.Len() && isUnique(list) {
+			return list
+		}
+	}
+
+	// Perform topological sort using Kahn's algorithm with min-heap for determinism
+	result, err := topologicalSort(graph)
+	if err != nil {
+		// This should not happen with valid input, but if it does,
+		// fall back to lexicographic sort to provide some result
+		items := make([]string, 0, len(graph))
+		for name := range graph {
+			items = append(items, name)
+		}
+		sort.Strings(items)
+		return items
+	}
+
+	return result
+}
+
+// getOrCreateNode retrieves or creates a graph node for the given name
+func getOrCreateNode(graph map[string]*graphNode, name string) *graphNode {
+	if graph[name] == nil {
+		graph[name] = &graphNode{
+			outEdges: sets.New[string](),
+			inDegree: 0,
+		}
+	}
+	return graph[name]
+}
+
+// isUnique checks if a list contains no duplicate items
+func isUnique(list []string) bool {
+	seen := make(map[string]bool, len(list))
+	for _, item := range list {
+		if seen[item] {
+			return false
+		}
+		seen[item] = true
+	}
+	return true
+}
+
+// topologicalSort performs Kahn's algorithm with a min-heap for deterministic ordering
+func topologicalSort(graph map[string]*graphNode) ([]string, error) {
+	// Initialize min-heap with all nodes that have no incoming edges
+	pq := &stringMinHeap{}
+	heap.Init(pq)
+
+	for name, node := range graph {
+		if node.inDegree == 0 {
+			heap.Push(pq, name)
+		}
+	}
+
+	result := make([]string, 0, len(graph))
+
+	for pq.Len() > 0 {
+		// Pop item with lowest lexicographic value
+		current := heap.Pop(pq).(string)
+		result = append(result, current)
+
+		currentNode := graph[current]
+
+		// Reduce in-degree for all neighbors
+		for neighbor := range currentNode.outEdges {
+			neighborNode := graph[neighbor]
+			neighborNode.inDegree--
+
+			// If in-degree becomes 0, add to heap
+			if neighborNode.inDegree == 0 {
+				heap.Push(pq, neighbor)
+			}
+		}
+	}
+
+	// Check for cycles
+	if len(result) != len(graph) {
+		return nil, fmt.Errorf("cycle detected in precedence graph: sorted %d items but graph has %d items", len(result), len(graph))
+	}
+
+	return result, nil
+}
+
+// graphNode represents a node in the precedence graph
+type graphNode struct {
+	// Items that should come after this item
+	outEdges sets.Set[string]
+	// Number of items that should come before this item
+	inDegree int
+}
+
+// stringMinHeap implements heap.Interface for strings (min-heap with lexicographic ordering)
+type stringMinHeap []string
+
+func (h stringMinHeap) Len() int           { return len(h) }
+func (h stringMinHeap) Less(i, j int) bool { return h[i] < h[j] }
+func (h stringMinHeap) Swap(i, j int)      { h[i], h[j] = h[j], h[i] }
+func (h *stringMinHeap) Push(x interface{}) {
+	*h = append(*h, x.(string))
+}
+func (h *stringMinHeap) Pop() interface{} {
+	old := *h
+	n := len(old)
+	x := old[n-1]
+	*h = old[0 : n-1]
+	return x
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/sort/sort_test.go b/staging/src/k8s.io/apimachinery/pkg/util/sort/sort_test.go
new file mode 100644
index 0000000000000..a21b97b5abd6e
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/util/sort/sort_test.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sort
+
+import (
+	"testing"
+)
+
+func TestSortDiscoveryGroupsTopo(t *testing.T) {
+	cases := []struct {
+		name  string
+		input [][]string
+		want  []string
+	}{
+		{
+			name: "consensus ordering",
+			input: [][]string{
+				{"A", "B", "C", "D"},
+				{"A", "B", "C", "D"},
+				{"A", "X", "Z", "D"},
+				{"Z", "Y"},
+				{"Q"},
+			},
+			want: []string{"A", "B", "C", "Q", "X", "Z", "D", "Y"},
+		},
+		{
+			name:  "empty input",
+			input: [][]string{},
+			want:  []string{},
+		},
+		{
+			name:  "single peer",
+			input: [][]string{{"foo", "bar", "baz"}},
+			want:  []string{"foo", "bar", "baz"},
+		},
+		{
+			name:  "conflicting orderings",
+			input: [][]string{{"A", "B"}, {"B", "A"}},
+			want:  []string{"A", "B"},
+		},
+		{
+			name:  "empty list merged with non-empty list",
+			input: [][]string{{}, {"A", "B", "C"}},
+			want:  []string{"A", "B", "C"},
+		},
+		{
+			name:  "multiple empty lists merged",
+			input: [][]string{{}, {}, {}},
+			want:  []string{},
+		},
+		{
+			name: "lexical tiebreak at beginning",
+			input: [][]string{
+				{"C", "D", "E"},
+				{"B", "D", "E"},
+				{"A", "D", "E"},
+			},
+			// A, B, C have no precedence constraints, so lexical order
+			want: []string{"A", "B", "C", "D", "E"},
+		},
+		{
+			name: "lexical tiebreak in middle",
+			input: [][]string{
+				{"A", "D", "E"},
+				{"A", "C", "E"},
+				{"A", "B", "E"},
+			},
+			// A comes first (consensus), then B, C, D (lexical), then E (consensus)
+			want: []string{"A", "B", "C", "D", "E"},
+		},
+		{
+			name: "conflicting orderings of 3 lists",
+			input: [][]string{
+				{"A", "B", "C"},
+				{"B", "C", "A"},
+				{"C", "A", "B"},
+			},
+			// Creates cycle: A->B, B->C, C->A
+			// Fallback to lexicographic sort
+			want: []string{"A", "B", "C"},
+		},
+		{
+			name: "conflicting ordering with different list lengths",
+			input: [][]string{
+				{"A", "B", "C", "D"},
+				{"B", "A"},
+				{"C", "D"},
+			},
+			// A->B->C->D from first list, but B->A from second
+			// Creates cycle between A and B
+			// Fallback to lexicographic sort
+			want: []string{"A", "B", "C", "D"},
+		},
+		{
+			name: "conflicting partial lists",
+			input: [][]string{
+				{"A", "B"},
+				{"C", "D"},
+				{"B", "A"},
+			},
+			// A->B from first, B->A from third (cycle)
+			// C->D is independent
+			// Fallback to lexicographic sort
+			want: []string{"A", "B", "C", "D"},
+		},
+		{
+			name: "cycle",
+			input: [][]string{
+				{"A", "B"},
+				{"B", "C"},
+				{"C", "A"},
+			},
+			// Creates cycle: A->B->C->A
+			// Fallback to lexicographic sort
+			want: []string{"A", "B", "C"},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := MergePreservingRelativeOrder(tc.input)
+			if len(got) != len(tc.want) {
+				t.Errorf("length mismatch:\n  got: %d\n  want: %d", len(got), len(tc.want))
+				return
+			}
+			for i := range got {
+				if got[i] != tc.want[i] {
+					t.Errorf("mismatch got: %v\n  want: %v", got, tc.want)
+					return
+				}
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/meta.go b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/meta.go
index 85b0cfc0728f1..1bfed1c2ec7ac 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/meta.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/meta.go
@@ -249,7 +249,7 @@ var _ LookupPatchMeta = PatchMetaFromOpenAPI{}
 
 func (s PatchMetaFromOpenAPI) LookupPatchMetadataForStruct(key string) (LookupPatchMeta, PatchMeta, error) {
 	if s.Schema == nil {
-		return nil, PatchMeta{}, nil
+		return &PatchMetaFromOpenAPI{}, PatchMeta{}, nil
 	}
 	kindItem := NewKindItem(key, s.Schema.GetPath())
 	s.Schema.Accept(kindItem)
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/patch_test.go b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/patch_test.go
index 0192a2e934e5c..d18217fcafc05 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/patch_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/patch_test.go
@@ -107,6 +107,7 @@ type MergeItem struct {
 	MergeItemPtr          *MergeItem           `json:"mergeItemPtr,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 	SimpleMap             map[string]string    `json:"simpleMap,omitempty"`
 	ReplacingItem         runtime.RawExtension `json:"replacingItem,omitempty" patchStrategy:"replace"`
+	JSONItem              struct{ Raw []byte } `json:"jsonItem,omitempty"`
 	RetainKeysMap         RetainKeysMergeItem  `json:"retainKeysMap,omitempty" patchStrategy:"retainKeys"`
 	RetainKeysMergingList []MergeItem          `json:"retainKeysMergingList,omitempty" patchStrategy:"merge,retainKeys" patchMergeKey:"name"`
 }
@@ -6969,6 +6970,19 @@ func TestUnknownField(t *testing.T) {
 			ExpectedTwoWayErr:   `unable to find api field`,
 			ExpectedThreeWayErr: `unable to find api field`,
 		},
+
+		"json": {
+			Original: `{"name":"foo","jsonItem":{"nested":{"nested2":{"nested3":{}}}}}`,
+			Current:  `{"name":"foo","jsonItem":{"nested":{"nested2":{"nested3":{}}}}}`,
+			Modified: `{"name":"foo","jsonItem":{"nested":{"nested2":{"nested3":{"a":"b"}}}}}`,
+
+			ExpectedTwoWay:         `{"jsonItem":{"nested":{"nested2":{"nested3":{"a":"b"}}}}}`,
+			ExpectedTwoWayResult:   `{"jsonItem":{"nested":{"nested2":{"nested3":{"a":"b"}}}},"name":"foo"}`,
+			ExpectedThreeWay:       `{"jsonItem":{"nested":{"nested2":{"nested3":{"a":"b"}}}}}`,
+			ExpectedThreeWayResult: `{"jsonItem":{"nested":{"nested2":{"nested3":{"a":"b"}}}},"name":"foo"}`,
+			ExpectedTwoWayErr:      `unable to find api field`,
+			ExpectedThreeWayErr:    `unable to find api field`,
+		},
 	}
 
 	mergeItemOpenapiSchema := PatchMetaFromOpenAPI{
@@ -7032,7 +7046,7 @@ func TestUnknownField(t *testing.T) {
 						return
 					}
 
-					threeWayResult, err := StrategicMergePatch([]byte(tc.Current), threeWay, schema)
+					threeWayResult, err := StrategicMergePatchUsingLookupPatchMeta([]byte(tc.Current), threeWay, schema)
 					if err != nil {
 						t.Errorf("using %s in testcase %s: error applying three-way patch: %v", getSchemaType(schema), k, err)
 						return
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item-v3.json b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item-v3.json
index 7c66ba8131d02..f5178156e2719 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item-v3.json
+++ b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item-v3.json
@@ -96,6 +96,9 @@
             },
             "x-kubernetes-patch-merge-key": "name",
             "x-kubernetes-patch-strategy": "merge,retainKeys"
+          },
+          "jsonItem": {
+            "description": "Values are the chart values."
           }
         },
         "x-kubernetes-group-version-kind": [
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item.json b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item.json
index 1d06b699c4310..c5abe757ec889 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item.json
+++ b/staging/src/k8s.io/apimachinery/pkg/util/strategicpatch/testdata/swagger-merge-item.json
@@ -86,6 +86,9 @@
           },
           "x-kubernetes-patch-merge-key": "name",
           "x-kubernetes-patch-strategy": "merge,retainKeys"
+        },
+        "jsonItem": {
+          "description": "JSON field",
         }
       },
       "x-kubernetes-group-version-kind": [
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go
index afb5f1b07b309..f0264e50c7dff 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go
@@ -23,6 +23,13 @@ import (
 	"strings"
 )
 
+// NormalizationRule holds a pre-compiled regular expression and its replacement string
+// for normalizing field paths.
+type NormalizationRule struct {
+	Regexp      *regexp.Regexp
+	Replacement string
+}
+
 // ErrorMatcher is a helper for comparing Error objects.
 type ErrorMatcher struct {
 	// TODO(thockin): consider whether type is ever NOT required, maybe just
@@ -32,22 +39,37 @@ type ErrorMatcher struct {
 	// "want" error has a nil field, don't match on field.
 	matchField bool
 	// TODO(thockin): consider whether value could be assumed - if the
-	// "want" error has a nil value, don't match on field.
+	// "want" error has a nil value, don't match on value.
 	matchValue               bool
 	matchOrigin              bool
 	matchDetail              func(want, got string) bool
 	requireOriginWhenInvalid bool
+	// normalizationRules holds the pre-compiled regex patterns for path normalization.
+	normalizationRules []NormalizationRule
 }
 
 // Matches returns true if the two Error objects match according to the
-// configured criteria.
+// configured criteria. When field normalization is configured, only the
+// "got" error's field path is normalized (to bring older API versions up
+// to the internal/latest format), while "want" is assumed to already be
+// in the canonical internal API format.
 func (m ErrorMatcher) Matches(want, got *Error) bool {
 	if m.matchType && want.Type != got.Type {
 		return false
 	}
-	if m.matchField && want.Field != got.Field {
-		return false
+	if m.matchField {
+		// Try direct match first (common case)
+		if want.Field != got.Field {
+			// Fields don't match, try normalization if rules are configured.
+			// Only normalize "got" - it may be from an older API version that
+			// needs to be brought up to the internal/latest format that "want"
+			// is already in.
+			if want.Field != m.normalizePath(got.Field) {
+				return false
+			}
+		}
 	}
+
 	if m.matchValue && !reflect.DeepEqual(want.BadValue, got.BadValue) {
 		return false
 	}
@@ -67,6 +89,18 @@ func (m ErrorMatcher) Matches(want, got *Error) bool {
 	return true
 }
 
+// normalizePath applies configured path normalization rules.
+func (m ErrorMatcher) normalizePath(path string) string {
+	for _, rule := range m.normalizationRules {
+		normalized := rule.Regexp.ReplaceAllString(path, rule.Replacement)
+		if normalized != path {
+			// Only apply the first matching rule.
+			return normalized
+		}
+	}
+	return path
+}
+
 // Render returns a string representation of the specified Error object,
 // according to the criteria configured in the ErrorMatcher.
 func (m ErrorMatcher) Render(e *Error) string {
@@ -84,7 +118,11 @@ func (m ErrorMatcher) Render(e *Error) string {
 	}
 	if m.matchField {
 		comma()
-		buf.WriteString(fmt.Sprintf("Field=%q", e.Field))
+		if normalized := m.normalizePath(e.Field); normalized != e.Field {
+			buf.WriteString(fmt.Sprintf("Field=%q (aka %q)", normalized, e.Field))
+		} else {
+			buf.WriteString(fmt.Sprintf("Field=%q", e.Field))
+		}
 	}
 	if m.matchValue {
 		comma()
@@ -125,11 +163,39 @@ func (m ErrorMatcher) ByType() ErrorMatcher {
 }
 
 // ByField returns a derived ErrorMatcher which also matches by field path.
+// If you need to mutate the field path (e.g. to normalize across versions),
+// see ByFieldNormalized.
 func (m ErrorMatcher) ByField() ErrorMatcher {
 	m.matchField = true
 	return m
 }
 
+// ByFieldNormalized returns a derived ErrorMatcher which also matches by field path
+// after applying normalization rules to the actual (got) error's field path.
+// This allows matching field paths from older API versions against the canonical
+// internal API format.
+//
+// The normalization rules are applied ONLY to the "got" error's field path, bringing
+// older API version field paths up to the latest/internal format. The "want" error
+// is assumed to always be in the internal API format (latest).
+//
+// The rules slice holds pre-compiled regular expressions and their replacement strings.
+//
+// Example:
+//
+//	rules := []NormalizationRule{
+//	  {
+//	    Regexp:      regexp.MustCompile(`spec\.devices\.requests\[(\d+)\]\.allocationMode`),
+//	    Replacement: "spec.devices.requests[$1].exactly.allocationMode",
+//	  },
+//	}
+//	matcher := ErrorMatcher{}.ByFieldNormalized(rules)
+func (m ErrorMatcher) ByFieldNormalized(rules []NormalizationRule) ErrorMatcher {
+	m.matchField = true
+	m.normalizationRules = rules
+	return m
+}
+
 // ByValue returns a derived ErrorMatcher which also matches by the errant
 // value.
 func (m ErrorMatcher) ByValue() ErrorMatcher {
@@ -138,6 +204,13 @@ func (m ErrorMatcher) ByValue() ErrorMatcher {
 }
 
 // ByOrigin returns a derived ErrorMatcher which also matches by the origin.
+// When this is used and an origin is set in the error, the matcher will
+// consider all expected errors with the same origin to be a match. The only
+// expception to this is when it finds two errors which are exactly identical,
+// which is too suspicious to ignore. This multi-matching allows tests to
+// express a single expectation ("I set the X field to an invalid value, and I
+// expect an error from origin Y") without having to know exactly how many
+// errors might be returned, or in what order, or with what wording.
 func (m ErrorMatcher) ByOrigin() ErrorMatcher {
 	m.matchOrigin = true
 	return m
@@ -184,40 +257,64 @@ func (m ErrorMatcher) ByDetailRegexp() ErrorMatcher {
 type TestIntf interface {
 	Helper()
 	Errorf(format string, args ...any)
-	Logf(format string, args ...any)
 }
 
 // Test compares two ErrorLists by the criteria configured in this matcher, and
-// fails the test if they don't match. If a given "want" error matches multiple
-// "got" errors, they will all be consumed. This might be OK (e.g. if there are
-// multiple errors on the same field from the same origin) or it might be an
-// insufficiently specific matcher, so these will be logged.
+// fails the test if they don't match. The "want" errors are expected to be in
+// the internal API format (latest), while "got" errors may be from any API version
+// and will be normalized if field normalization rules are configured.
+//
+// If matching by origin is enabled and the error has a non-empty origin, a given
+// "want" error can match multiple "got" errors, and they will all be consumed.
+// The only exception to this is if the matcher got multiple identical (in every way,
+// even those not being matched on) errors, which is likely to indicate a bug.
 func (m ErrorMatcher) Test(tb TestIntf, want, got ErrorList) {
 	tb.Helper()
 
+	exactly := m.Exactly() // makes a copy
+
+	// If we ever find an EXACT duplicate error, it's almost certainly a bug
+	// worth reporting. If we ever find a use-case where this is not a bug, we
+	// can revisit this assumption.
+	seen := map[string]bool{}
+	for _, g := range got {
+		key := exactly.Render(g)
+		if seen[key] {
+			tb.Errorf("exact duplicate error:\n%s", key)
+		}
+		seen[key] = true
+	}
+
 	remaining := got
 	for _, w := range want {
 		tmp := make(ErrorList, 0, len(remaining))
-		n := 0
-		for _, g := range remaining {
+		matched := false
+		for i, g := range remaining {
 			if m.Matches(w, g) {
-				n++
+				matched = true
+				if m.matchOrigin && w.Origin != "" {
+					// When origin is included in the match, we allow multiple
+					// matches against the same wanted error, so that tests
+					// can be insulated from the exact number, order, and
+					// wording of cases that might return more than one error.
+					continue
+				} else {
+					// Single-match, save the rest of the "got" errors and move
+					// on to the next "want" error.
+					tmp = append(tmp, remaining[i+1:]...)
+					break
+				}
 			} else {
 				tmp = append(tmp, g)
 			}
 		}
-		if n == 0 {
+		if !matched {
 			tb.Errorf("expected an error matching:\n%s", m.Render(w))
-		} else if n > 1 {
-			// This is not necessarily and error, but it's worth logging in
-			// case it's not what the test author intended.
-			tb.Logf("multiple errors matched:\n%s", m.Render(w))
 		}
 		remaining = tmp
 	}
 	if len(remaining) > 0 {
 		for _, e := range remaining {
-			exactly := m.Exactly() // makes a copy
 			tb.Errorf("unmatched error:\n%s", exactly.Render(e))
 		}
 	}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher_test.go b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher_test.go
index 4271cd6337382..45a477ce2a24b 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/error_matcher_test.go
@@ -17,11 +17,456 @@ limitations under the License.
 package field
 
 import (
+	"fmt"
+	"regexp"
+	"strings"
 	"testing"
 )
 
-func TestErrorMatcherRender(t *testing.T) {
-	tests := []struct {
+func TestErrorMatcher_Matches(t *testing.T) {
+	baseErr := func() *Error {
+		return &Error{
+			Type:     ErrorTypeInvalid,
+			Field:    "field",
+			BadValue: "value",
+			Detail:   "detail",
+			Origin:   "origin",
+		}
+	}
+
+	testCases := []struct {
+		name      string
+		matcher   ErrorMatcher
+		wantedErr func() *Error
+		actualErr *Error
+		matches   bool
+	}{{
+		name:      "ByType: match",
+		matcher:   ErrorMatcher{}.ByType(),
+		wantedErr: baseErr,
+		actualErr: &Error{Type: ErrorTypeInvalid},
+		matches:   true,
+	}, {
+		name:      "ByType: no match",
+		matcher:   ErrorMatcher{}.ByType(),
+		wantedErr: baseErr,
+		actualErr: &Error{Type: ErrorTypeRequired},
+		matches:   false,
+	}, {
+		name:      "ByField: match",
+		matcher:   ErrorMatcher{}.ByField(),
+		wantedErr: baseErr,
+		actualErr: &Error{Field: "field"},
+		matches:   true,
+	}, {
+		name:      "ByField: no match",
+		matcher:   ErrorMatcher{}.ByField(),
+		wantedErr: baseErr,
+		actualErr: &Error{Field: "other"},
+		matches:   false,
+	}, {
+		name: "ByFieldNormalized: older API to latest",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Field = "f[0].x.a"
+			return e
+		},
+		actualErr: &Error{Field: "f[0].a"},
+		matches:   true,
+	}, {
+		name: "ByFieldNormalized: both latest format",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Field = "f[0].x.a"
+			return e
+		},
+		actualErr: &Error{Field: "f[0].x.a"},
+		matches:   true,
+	}, {
+		name: "ByFieldNormalized: different index",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Field = "f[0].x.a"
+			return e
+		},
+		actualErr: &Error{Field: "f[1].a"},
+		matches:   false,
+	}, {
+		name: "ByFieldNormalized: multiple patterns",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.b`), Replacement: "f[$1].x.b"},
+		}),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Field = "f[2].x.b"
+			return e
+		},
+		actualErr: &Error{Field: "f[2].b"},
+		matches:   true,
+	}, {
+		name: "ByFieldNormalized: no normalization needed",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Field = "other.field"
+			return e
+		},
+		actualErr: &Error{Field: "other.field"},
+		matches:   true,
+	}, {
+		name:      "ByValue: match",
+		matcher:   ErrorMatcher{}.ByValue(),
+		wantedErr: baseErr,
+		actualErr: &Error{BadValue: "value"},
+		matches:   true,
+	}, {
+		name:      "ByValue: no match",
+		matcher:   ErrorMatcher{}.ByValue(),
+		wantedErr: baseErr,
+		actualErr: &Error{BadValue: "other"},
+		matches:   false,
+	}, {
+		name:      "ByOrigin: match",
+		matcher:   ErrorMatcher{}.ByOrigin(),
+		wantedErr: baseErr,
+		actualErr: &Error{Origin: "origin"},
+		matches:   true,
+	}, {
+		name:      "ByOrigin: no match",
+		matcher:   ErrorMatcher{}.ByOrigin(),
+		wantedErr: baseErr,
+		actualErr: &Error{Origin: "other"},
+		matches:   false,
+	}, {
+		name:      "ByDetailExact: match",
+		matcher:   ErrorMatcher{}.ByDetailExact(),
+		wantedErr: baseErr,
+		actualErr: &Error{Detail: "detail"},
+		matches:   true,
+	}, {
+		name:      "ByDetailExact: no match",
+		matcher:   ErrorMatcher{}.ByDetailExact(),
+		wantedErr: baseErr,
+		actualErr: &Error{Detail: "other"},
+		matches:   false,
+	}, {
+		name:    "ByDetailSubstring: match empty",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = ""
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailSubstring: match full",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "is the"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailSubstring: match start",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "this is"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailSubstring: match middle",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "is the"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailSubstring: match end",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "the detail"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailSubstring: no match",
+		matcher: ErrorMatcher{}.ByDetailSubstring(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "is not the"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   false,
+	}, {
+		name:    "ByDetailRegexp: match empty",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = ".*"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: match full",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "^this is the detail$"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: match start",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "^this is"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: match middle",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "is the"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: match end",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "the detail$"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: match parts",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "^this .* .* detail$"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   true,
+	}, {
+		name:    "ByDetailRegexp: no match",
+		matcher: ErrorMatcher{}.ByDetailRegexp(),
+		wantedErr: func() *Error {
+			e := baseErr()
+			e.Detail = "is not the"
+			return e
+		},
+		actualErr: &Error{Detail: "this is the detail"},
+		matches:   false,
+	}, {
+		name:      "Exactly: match",
+		matcher:   ErrorMatcher{}.Exactly(),
+		wantedErr: baseErr,
+		actualErr: baseErr(),
+		matches:   true,
+	}, {
+		name:      "Exactly: no match (type)",
+		matcher:   ErrorMatcher{}.Exactly(),
+		wantedErr: baseErr,
+		actualErr: &Error{Type: ErrorTypeRequired, Field: "field", BadValue: "value", Detail: "detail", Origin: "origin"},
+		matches:   false,
+	}, {
+		name:      "RequireOriginWhenInvalid: match",
+		matcher:   ErrorMatcher{}.ByOrigin().RequireOriginWhenInvalid(),
+		wantedErr: baseErr,
+		actualErr: &Error{Type: ErrorTypeInvalid, Origin: "origin"},
+		matches:   true,
+	}, {
+		name:      "RequireOriginWhenInvalid: no match (missing origin)",
+		matcher:   ErrorMatcher{}.ByOrigin().RequireOriginWhenInvalid(),
+		wantedErr: baseErr,
+		actualErr: &Error{Type: ErrorTypeInvalid},
+		matches:   false,
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.matcher.Matches(tc.wantedErr(), tc.actualErr) != tc.matches {
+				t.Errorf("Matches() = %v, want %v", !tc.matches, tc.matches)
+			}
+		})
+	}
+}
+
+// fakeTestIntf is used to test the testing support.
+type fakeTestIntf struct {
+	errs []string
+}
+
+var _ TestIntf = &fakeTestIntf{}
+
+func (*fakeTestIntf) Helper() {}
+
+func (ft *fakeTestIntf) Errorf(format string, args ...any) {
+	ft.errs = append(ft.errs, fmt.Sprintf(format, args...))
+}
+
+func TestErrorMatcher_Test(t *testing.T) {
+	testCases := []struct {
+		name           string
+		matcher        ErrorMatcher
+		want           ErrorList
+		got            ErrorList
+		expectedErrors []string
+		expectedLogs   []string
+	}{{
+		name:    "no origin: perfect match",
+		matcher: ErrorMatcher{}.ByField(),
+		want:    ErrorList{Invalid(NewPath("f"), nil, "")},
+		got:     ErrorList{Invalid(NewPath("f"), "v", "d")},
+	}, {
+		name:           "no origin: got too few errors",
+		matcher:        ErrorMatcher{}.ByField(),
+		want:           ErrorList{Invalid(NewPath("f"), nil, "")},
+		got:            ErrorList{},
+		expectedErrors: []string{"expected an error matching:"},
+	}, {
+		name:           "no origin: got too many errors",
+		matcher:        ErrorMatcher{}.ByField(),
+		want:           ErrorList{},
+		got:            ErrorList{Invalid(NewPath("f"), "v", "d")},
+		expectedErrors: []string{"unmatched error:"},
+	}, {
+		name:           "no origin: got wrong errors",
+		matcher:        ErrorMatcher{}.ByField(),
+		want:           ErrorList{Invalid(NewPath("f1"), nil, "")},
+		got:            ErrorList{Invalid(NewPath("f2"), "v", "d")},
+		expectedErrors: []string{"expected an error matching:", "unmatched error:"},
+	}, {
+		name: "with normalization: older API to latest",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		want: ErrorList{Invalid(NewPath("f").Index(0).Child("x", "a"), nil, "")},
+		got:  ErrorList{Invalid(NewPath("f").Index(0).Child("a"), "v", "d")},
+	}, {
+		name: "with normalization: both latest",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		want: ErrorList{Invalid(NewPath("f").Index(0).Child("x", "a"), nil, "")},
+		got:  ErrorList{Invalid(NewPath("f").Index(0).Child("x", "a"), "v", "d")},
+	}, {
+		name: "with normalization: multiple",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.b`), Replacement: "f[$1].x.b"},
+		}),
+		want: ErrorList{
+			Invalid(NewPath("f").Index(0).Child("x", "a"), nil, ""),
+			Invalid(NewPath("f").Index(1).Child("x", "b"), nil, ""),
+		},
+		got: ErrorList{
+			Invalid(NewPath("f").Index(0).Child("a"), "v1", "d1"),
+			Invalid(NewPath("f").Index(1).Child("b"), "v2", "d2"),
+		},
+	}, {
+		name: "with normalization: no match",
+		matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+			{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+		}),
+		want:           ErrorList{Invalid(NewPath("f").Index(0).Child("x", "a"), nil, "")},
+		got:            ErrorList{Invalid(NewPath("f").Index(1).Child("a"), "v", "d")},
+		expectedErrors: []string{"expected an error matching:", "unmatched error:"},
+	}, {
+		name:    "with origin: single match",
+		matcher: ErrorMatcher{}.ByField().ByOrigin(),
+		want:    ErrorList{Invalid(NewPath("f"), nil, "").WithOrigin("o")},
+		got:     ErrorList{Invalid(NewPath("f"), "v", "d").WithOrigin("o")},
+	}, {
+		name:    "with origin: multiple matches, different details",
+		matcher: ErrorMatcher{}.ByField().ByOrigin(),
+		want: ErrorList{
+			Invalid(NewPath("f1"), nil, "").WithOrigin("o"),
+			Invalid(NewPath("f2"), nil, "").WithOrigin("o"),
+		},
+		got: ErrorList{
+			Invalid(NewPath("f1"), "v", "d1").WithOrigin("o"),
+			Invalid(NewPath("f2"), "v", "d1").WithOrigin("o"),
+			Invalid(NewPath("f1"), "v", "d2").WithOrigin("o"),
+			Invalid(NewPath("f2"), "v", "d2").WithOrigin("o"),
+		},
+	}, {
+		name:    "with origin: multiple matches, same exact error",
+		matcher: ErrorMatcher{}.ByField().ByOrigin(),
+		want: ErrorList{
+			Invalid(NewPath("f1"), nil, "").WithOrigin("o"),
+			Invalid(NewPath("f2"), nil, "").WithOrigin("o"),
+		},
+		got: ErrorList{
+			Invalid(NewPath("f1"), "v", "d").WithOrigin("o"),
+			Invalid(NewPath("f1"), "v", "d").WithOrigin("o"),
+			Invalid(NewPath("f2"), "v", "d").WithOrigin("o"),
+			Invalid(NewPath("f2"), "v", "d").WithOrigin("o"),
+		},
+		expectedErrors: []string{"exact duplicate error:", "exact duplicate error:"},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fakeT := &fakeTestIntf{}
+			tc.matcher.Test(fakeT, tc.want, tc.got)
+			if want, got := len(tc.expectedErrors), len(fakeT.errs); got != want {
+				if got == 0 {
+					t.Errorf("expected %d errors, got %d", want, got)
+				} else {
+					q := make([]string, len(fakeT.errs))
+					for i, err := range fakeT.errs {
+						q[i] = fmt.Sprintf("%q", err)
+					}
+					t.Errorf("expected %d errors, got %d:\n%s", want, got, strings.Join(q, "\n"))
+				}
+			} else {
+				for i := range tc.expectedErrors {
+					if !strings.HasPrefix(fakeT.errs[i], tc.expectedErrors[i]) {
+						t.Errorf("error %d: expected prefix %q, got %q", i, tc.expectedErrors[i], fakeT.errs[i])
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestErrorMatcher_Render(t *testing.T) {
+	testCases := []struct {
 		name     string
 		matcher  ErrorMatcher
 		err      *Error
@@ -63,6 +508,30 @@ func TestErrorMatcherRender(t *testing.T) {
 			err:      Invalid(NewPath("field"), "value", "detail").WithOrigin("origin"),
 			expected: `{Type="Invalid value", Field="field", Value="value", Origin="origin", Detail="detail"}`,
 		},
+		{
+			name: "with normalization: normalized",
+			matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+				{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+			}),
+			err:      Invalid(NewPath("f").Index(0).Child("a"), "value", "detail"),
+			expected: `{Field="f[0].x.a" (aka "f[0].a")}`,
+		},
+		{
+			name: "with normalization: no normalization",
+			matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+				{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+			}),
+			err:      Invalid(NewPath("other", "field"), "value", "detail"),
+			expected: `{Field="other.field"}`,
+		},
+		{
+			name: "with normalization: already normalized",
+			matcher: ErrorMatcher{}.ByFieldNormalized([]NormalizationRule{
+				{Regexp: regexp.MustCompile(`f\[(\d+)\]\.a`), Replacement: "f[$1].x.a"},
+			}),
+			err:      Invalid(NewPath("f").Index(0).Child("x", "a"), "value", "detail"),
+			expected: `{Field="f[0].x.a"}`,
+		},
 		{
 			name:     "requireOriginWhenInvalid with origin",
 			matcher:  ErrorMatcher{}.ByOrigin().RequireOriginWhenInvalid(),
@@ -77,11 +546,11 @@ func TestErrorMatcherRender(t *testing.T) {
 		},
 	}
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := tt.matcher.Render(tt.err)
-			if result != tt.expected {
-				t.Errorf("Render() = %v, want %v", result, tt.expected)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := tc.matcher.Render(tc.err)
+			if result != tc.expected {
+				t.Errorf("Render() = %v, want %v", result, tc.expected)
 			}
 		})
 	}
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/errors.go b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/errors.go
index f2a983aebf669..950d838682346 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/field/errors.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/field/errors.go
@@ -341,6 +341,14 @@ func (list ErrorList) MarkCoveredByDeclarative() ErrorList {
 	return list
 }
 
+// PrefixDetail adds a prefix to the Detail for all errors in the list and returns the updated list.
+func (list ErrorList) PrefixDetail(prefix string) ErrorList {
+	for _, err := range list {
+		err.Detail = prefix + err.Detail
+	}
+	return list
+}
+
 // ToAggregate converts the ErrorList into an errors.Aggregate.
 func (list ErrorList) ToAggregate() utilerrors.Aggregate {
 	if len(list) == 0 {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
index bc4521c392bf7..352ff19ae5c20 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go
@@ -23,51 +23,17 @@ import (
 	"strings"
 	"unicode"
 
+	"k8s.io/apimachinery/pkg/api/validate/content"
+
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-const qnameCharFmt string = "[A-Za-z0-9]"
-const qnameExtCharFmt string = "[-A-Za-z0-9_.]"
-const qualifiedNameFmt string = "(" + qnameCharFmt + qnameExtCharFmt + "*)?" + qnameCharFmt
-const qualifiedNameErrMsg string = "must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
-const qualifiedNameMaxLength int = 63
-
-var qualifiedNameRegexp = regexp.MustCompile("^" + qualifiedNameFmt + "$")
-
 // IsQualifiedName tests whether the value passed is what Kubernetes calls a
 // "qualified name".  This is a format used in various places throughout the
 // system.  If the value is not valid, a list of error strings is returned.
 // Otherwise an empty list (or nil) is returned.
-func IsQualifiedName(value string) []string {
-	var errs []string
-	parts := strings.Split(value, "/")
-	var name string
-	switch len(parts) {
-	case 1:
-		name = parts[0]
-	case 2:
-		var prefix string
-		prefix, name = parts[0], parts[1]
-		if len(prefix) == 0 {
-			errs = append(errs, "prefix part "+EmptyError())
-		} else if msgs := IsDNS1123Subdomain(prefix); len(msgs) != 0 {
-			errs = append(errs, prefixEach(msgs, "prefix part ")...)
-		}
-	default:
-		return append(errs, "a qualified name "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc")+
-			" with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")
-	}
-
-	if len(name) == 0 {
-		errs = append(errs, "name part "+EmptyError())
-	} else if len(name) > qualifiedNameMaxLength {
-		errs = append(errs, "name part "+MaxLenError(qualifiedNameMaxLength))
-	}
-	if !qualifiedNameRegexp.MatchString(name) {
-		errs = append(errs, "name part "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc"))
-	}
-	return errs
-}
+// Deprecated: Use k8s.io/apimachinery/pkg/api/validate/content.IsQualifiedName instead.
+var IsQualifiedName = content.IsLabelKey
 
 // IsFullyQualifiedName checks if the name is fully qualified. This is similar
 // to IsFullyQualifiedDomainName but requires a minimum of 3 segments instead of
@@ -151,27 +117,40 @@ func IsDomainPrefixedPath(fldPath *field.Path, dpPath string) field.ErrorList {
 	return allErrs
 }
 
-const labelValueFmt string = "(" + qualifiedNameFmt + ")?"
-const labelValueErrMsg string = "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+// IsDomainPrefixedKey checks if the given key string is a domain-prefixed key
+// (e.g. acme.io/foo). All characters before the first "/" must be a valid
+// subdomain as defined by RFC 1123. All characters trailing the first "/" must
+// be non-empty and match the regex ^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$.
+func IsDomainPrefixedKey(fldPath *field.Path, key string) field.ErrorList {
+	var allErrs field.ErrorList
+	if len(key) == 0 {
+		return append(allErrs, field.Required(fldPath, ""))
+	}
+	for _, errMessages := range content.IsLabelKey(key) {
+		allErrs = append(allErrs, field.Invalid(fldPath, key, errMessages))
+	}
 
-// LabelValueMaxLength is a label's max length
-const LabelValueMaxLength int = 63
+	if len(allErrs) > 0 {
+		return allErrs
+	}
 
-var labelValueRegexp = regexp.MustCompile("^" + labelValueFmt + "$")
+	segments := strings.Split(key, "/")
+	if len(segments) != 2 {
+		return append(allErrs, field.Invalid(fldPath, key, "must be a domain-prefixed key (such as \"acme.io/foo\")"))
+	}
+
+	return allErrs
+}
+
+// LabelValueMaxLength is a label's max length
+// Deprecated: Use k8s.io/apimachinery/pkg/api/validate/content.LabelValueMaxLength instead.
+const LabelValueMaxLength int = content.LabelValueMaxLength
 
 // IsValidLabelValue tests whether the value passed is a valid label value.  If
 // the value is not valid, a list of error strings is returned.  Otherwise an
 // empty list (or nil) is returned.
-func IsValidLabelValue(value string) []string {
-	var errs []string
-	if len(value) > LabelValueMaxLength {
-		errs = append(errs, MaxLenError(LabelValueMaxLength))
-	}
-	if !labelValueRegexp.MatchString(value) {
-		errs = append(errs, RegexError(labelValueErrMsg, labelValueFmt, "MyValue", "my_value", "12345"))
-	}
-	return errs
-}
+// Deprecated: Use k8s.io/apimachinery/pkg/api/validate/content.IsLabelValue instead.
+var IsValidLabelValue = content.IsLabelValue
 
 const dns1123LabelFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
 const dns1123LabelFmtWithUnderscore string = "_?[a-z0-9]([-_a-z0-9]*[a-z0-9])?"
@@ -283,19 +262,10 @@ func IsWildcardDNS1123Subdomain(value string) []string {
 	return errs
 }
 
-const cIdentifierFmt string = "[A-Za-z_][A-Za-z0-9_]*"
-const identifierErrMsg string = "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'"
-
-var cIdentifierRegexp = regexp.MustCompile("^" + cIdentifierFmt + "$")
-
 // IsCIdentifier tests for a string that conforms the definition of an identifier
 // in C. This checks the format, but not the length.
-func IsCIdentifier(value string) []string {
-	if !cIdentifierRegexp.MatchString(value) {
-		return []string{RegexError(identifierErrMsg, cIdentifierFmt, "my_name", "MY_NAME", "MyName")}
-	}
-	return nil
-}
+// Deprecated: Use k8s.io/apimachinery/pkg/api/validate/content.IsCIdentifier instead.
+var IsCIdentifier = content.IsCIdentifier
 
 // IsValidPortNum tests that the argument is a valid, non-zero port number.
 func IsValidPortNum(port int) []string {
@@ -478,13 +448,6 @@ func EmptyError() string {
 	return "must be non-empty"
 }
 
-func prefixEach(msgs []string, prefix string) []string {
-	for i := range msgs {
-		msgs[i] = prefix + msgs[i]
-	}
-	return msgs
-}
-
 // InclusiveRangeError returns a string explanation of a numeric "must be
 // between" validation failure.
 func InclusiveRangeError(lo, hi int) string {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
index acfe2cb768709..7affccfb29998 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/validation/validation_test.go
@@ -116,31 +116,6 @@ func TestIsDNS1035Label(t *testing.T) {
 	}
 }
 
-func TestIsCIdentifier(t *testing.T) {
-	goodValues := []string{
-		"a", "ab", "abc", "a1", "_a", "a_", "a_b", "a_1", "a__1__2__b", "__abc_123",
-		"A", "AB", "AbC", "A1", "_A", "A_", "A_B", "A_1", "A__1__2__B", "__123_ABC",
-	}
-	for _, val := range goodValues {
-		if msgs := IsCIdentifier(val); len(msgs) != 0 {
-			t.Errorf("expected true for '%s': %v", val, msgs)
-		}
-	}
-
-	badValues := []string{
-		"", "1", "123", "1a",
-		"-", "a-", "-a", "1-", "-1", "1_", "1_2",
-		".", "a.", ".a", "a.b", "1.", ".1", "1.2",
-		" ", "a ", " a", "a b", "1 ", " 1", "1 2",
-		"#a#",
-	}
-	for _, val := range badValues {
-		if msgs := IsCIdentifier(val); len(msgs) == 0 {
-			t.Errorf("expected false for '%s'", val)
-		}
-	}
-}
-
 func TestIsValidPortNum(t *testing.T) {
 	goodValues := []int{1, 2, 1000, 16384, 32768, 65535}
 	for _, val := range goodValues {
@@ -719,3 +694,71 @@ func TestIsDNS1123SubdomainWithUnderscore(t *testing.T) {
 		})
 	}
 }
+
+func TestIsDomainPrefixedKey(t *testing.T) {
+	tests := []struct {
+		name     string
+		value    string
+		expected field.ErrorList
+	}{
+		{
+			name:     "valid domain-prefixed key 1",
+			value:    "example.com/foo",
+			expected: nil,
+		},
+		{
+			name:     "valid domain-prefixed key  2",
+			value:    "example/com",
+			expected: nil,
+		},
+		{
+			name:     "invalid key 1",
+			value:    "example",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example", "must be a domain-prefixed key (such as \"acme.io/foo\")")},
+		},
+		{
+			name:     "invalid key 2",
+			value:    "example/foo/bar",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example/foo/bar", "a valid label key must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")},
+		},
+		{
+			name:     "invalid key 3",
+			value:    "/example/foo",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "/example/foo", "a valid label key must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")},
+		},
+		{
+			name:     "invalid key 4",
+			value:    "",
+			expected: field.ErrorList{field.Required(field.NewPath("test"), "")},
+		},
+		{
+			name:     "invalid key 5",
+			value:    "example.com/_e",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example.com/_e", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+		},
+		{
+			name:     "invalid key 6",
+			value:    "example.com/e_",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example.com/e_", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+		},
+		{
+			name:     "invalid key 7",
+			value:    "example.com/e?",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example.com/e?", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+		},
+		{
+			name:     "invalid key 8",
+			value:    "example.com/e_$",
+			expected: field.ErrorList{field.Invalid(field.NewPath("test"), "example.com/e_$", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsDomainPrefixedKey(field.NewPath("test"), tt.value)
+			if !reflect.DeepEqual(result, tt.expected) {
+				t.Errorf("IsDomainPrefixedKey(%q) = %v; want %v", tt.value, result, tt.expected)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apimachinery/pkg/version/doc.go b/staging/src/k8s.io/apimachinery/pkg/version/doc.go
index 5f446a4f4af52..70e3f76b23e11 100644
--- a/staging/src/k8s.io/apimachinery/pkg/version/doc.go
+++ b/staging/src/k8s.io/apimachinery/pkg/version/doc.go
@@ -15,6 +15,8 @@ limitations under the License.
 */
 
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apimachinery.pkg.version
+//
 
 // Package version supplies the type for version information.
 package version
diff --git a/staging/src/k8s.io/apimachinery/pkg/version/zz_generated.model_name.go b/staging/src/k8s.io/apimachinery/pkg/version/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e5a6d395ad543
--- /dev/null
+++ b/staging/src/k8s.io/apimachinery/pkg/version/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package version
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Info) OpenAPIModelName() string {
+	return "io.k8s.apimachinery.pkg.version.Info"
+}
diff --git a/staging/src/k8s.io/apiserver/ARCHITECTURE.md b/staging/src/k8s.io/apiserver/ARCHITECTURE.md
new file mode 100644
index 0000000000000..e9b8af6834eb4
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/ARCHITECTURE.md
@@ -0,0 +1,259 @@
+# apiserver Architecture
+
+## 1. Server Composition
+
+The `kube-apiserver` binary is not one server, but a **server chain** of three distinct
+`GenericAPIServer` instances: the core Kubernetes API, API extensions (CRDs), and the aggregation
+layer.
+
+This composition is managed by a layered configuration system, starting with command-line
+flags parsed by `options` structs (e.g., `RecommendedOptions` in `pkg/server/options`), which
+populate a `Config` object that is then used to instantiate the `GenericAPIServer`
+instances. The construction of this delegation chain can be found in the `CreateServerChain`
+function in `cmd/kube-apiserver/app/server.go`.
+
+```mermaid
+graph TD
+    subgraph Incoming Request
+        direction LR
+        A[User/Client] --> B{/apis/apps/v1/deployments};
+    end
+
+    subgraph kube-apiserver process
+        direction LR
+        B --> C[Aggregator Server];
+        C -- Not an APIService --> D[Kube API Server];
+        D -- Handles Request --> E[REST Storage];
+        C -- Is an APIService --> F[Proxy to Extension API Server];
+        D -- Not a Core API --> G[API Extensions Server];
+        G -- Handles CRD --> E;
+    end
+```
+
+1.  **Aggregator Server (`kube-aggregator`):**
+    *   **Purpose:** Handles the `apiregistration.k8s.io` API and acts as a reverse proxy for
+        extension API servers. This functionality was designed to allow third-party APIs to be
+        "aggregated" into the main Kubernetes API server seamlessly.
+    *   **Mechanism:** It watches `APIService` objects. When a request arrives (e.g., for
+        `/apis/mycompany.com/v1/myresources`), it checks if an `APIService` has "claimed"
+        that path. If so, it uses a `ServiceResolver` to find the IP of the backing
+        `Service` and proxies the request.
+    *   **Use Case:** This pattern is for programmatic, high-control extensions that require
+        custom business logic (e.g., non-CRUD subresources like `/logs`) or alternative
+        storage backends.
+    *   **Delegation:** If no `APIService` matches, it delegates the request to the next
+        server in the chain.
+
+2.  **Kube API Server (Core):**
+    *   **Purpose:** Serves all the built-in Kubernetes APIs (`core/v1`, `apps/v1`, etc.).
+    *   **Mechanism:** This is the main server, configured with all the core REST storage
+        strategies.
+    *   **Delegation:** If a request is for a path that is not a core API (e.g., for a CRD),
+        it delegates the request to the next server in the chain.
+
+3.  **API Extensions Server (`apiextensions-apiserver`):**
+    *   **Purpose:** Handles the `apiextensions.k8s.io` API, which manages
+        `CustomResourceDefinition` objects (CRDs). The evolution of CRDs from a simple extension
+        mechanism to a feature-rich system with validation, versioning, and defaulting is
+        documented in a series of KEPs, starting with the graduation to GA in Kubernetes v1.16.
+    *   **Mechanism:** When a CRD is created, this server dynamically creates and installs a
+        new REST storage handler for the new resource, making it immediately available.
+    *   **Use Case:** CRDs are the most common extension pattern, offering a declarative,
+        schema-based way to define new resource types that are stored in etcd and require no
+        custom API server code.
+    *   **Delegation:** It is the end of the chain. If it cannot handle a request, a `404 Not
+        Found` is returned.
+
+## 2. Handler Chain
+
+Every request flows through a standard chain of HTTP handlers (filters). The request body
+is not deserialized until it has passed authentication and authorization. The default handler
+chain is constructed by the `DefaultBuildHandlerChain` function in
+`staging/src/k8s.io/apiserver/pkg/server/config.go`.
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant Handler Chain
+    participant Authentication
+    participant Authorization
+    participant Priority and Fairness
+    participant Admission Control
+    participant REST Endpoint
+
+    Client->>Handler Chain: Request
+    Handler Chain->>Authentication: Authenticate
+    Authentication-->>Handler Chain: User Info
+    Handler Chain->>Authorization: Authorize
+    Authorization-->>Handler Chain: Allowed/Denied
+    Handler Chain->>Priority and Fairness: Classify & Queue
+    Priority and Fairness-->>Handler Chain: Proceed
+    Handler Chain->>Admission Control: Mutate & Validate
+    Admission Control-->>Handler Chain: Object OK
+    Handler Chain->>REST Endpoint: Handle
+    REST Endpoint-->>Handler Chain: Response
+    Handler Chain-->>Client: Response
+```
+
+The handler chain consists of the following stages:
+
+1.  **Authentication (`pkg/authentication`):** This filter identifies the user. The system is
+    pluggable and composed of multiple authenticators (e.g., client certs, bearer tokens, OIDC).
+    The identity of the user is determined by the first authenticator in the chain that successfully
+    identifies the user.
+2.  **Authorization (`pkg/authorization`):** This filter checks if the user is permitted to
+    perform the action. This system is also pluggable and composed of multiple authorizers
+    (e.g., RBAC, Node, Webhook). Each authorizer may respond with either allow, deny, or no opinion.
+    If the response is no opinion, the request is passed to the next authorizer in the chain.
+3.  **Priority and Fairness (`pkg/util/flowcontrol`):** This subsystem manages request
+    concurrency, classifying requests into `FlowSchema`s and `PriorityLevel`s to prevent
+    overload. This feature was introduced to prevent high traffic from overwhelming the API
+    server and to ensure that critical cluster operations are not starved.
+4.  **Admission Control (`pkg/admission`):** This is the primary mechanism for policy
+    enforcement. It is only at this stage that the request body is deserialized into an
+    object. It is a chain of plugins that can mutate or validate an object. The built-in Pod
+    Security admission controller is a key example of this, enforcing Pod Security Standards
+    at the namespace level.
+5.  **REST Endpoint Handling (`pkg/endpoints`):** The request is finally dispatched to the
+    appropriate REST handler, which is installed by the `APIInstaller`.
+
+## 3. API Group Registration
+
+The high-level steps for introducing an API are:
+
+1.  **Define Types:** Create or modify the Go structs in the `types.go` file for the API group.
+2.  **Generate Code:** Use the code generators provided by the Kubernetes project to create the required
+    boilerplate methods for deep-copy, conversion, and defaulting.
+3.  **Implement the `Strategy`:** Write the custom business logic and validation for the
+    resource in its `Strategy` object.
+4.  **Register and Install:** Create the `APIGroupInfo` struct, bundling the `Scheme` and the
+    `Strategy`-configured storage, and pass it to the `GenericAPIServer`'s `InstallAPIGroup`
+    method.
+
+### The API Group Registry
+
+The `runtime.Scheme` acts as a central registry for an API group's type information. A single
+`Scheme` object is created for each API group and is responsible for the following key
+capabilities:
+
+*   **Type Registration and Mapping:** The `Scheme`'s primary role is to map a GroupVersionKind
+    (GVK) to its corresponding Go type and back. This process also relies on the `deepcopy-gen`
+    tool to create `DeepCopy()` methods for each type, which is critical for ensuring that
+    objects returned from caches are never modified directly.
+
+*   **API Conversion:** The `Scheme` stores the conversion functions that translate objects
+    between different API versions. These functions are typically generated by the
+    `conversion-gen` tool and enable the **hub-and-spoke** model.
+
+*   **Defaulting:** The `Scheme` registers defaulting functions that populate optional fields in
+    an object. These are usually generated by the `defaulter-gen` tool.
+
+*   **Declarative Validation:** The `Scheme` can store and execute code-generated validation
+    functions, providing a baseline level of validation. This is distinct from the primary,
+    handwritten business logic validation, which is handled by the `Strategy` object.
+
+### The `APIGroupInfo` Struct and `Strategy` Object
+
+With a populated `Scheme`, the API group is registered with the `GenericAPIServer` by bundling
+the `Scheme` with the storage backend and versioning information into an `APIGroupInfo` struct.
+
+```mermaid
+graph TD
+    subgraph Server Configuration
+        A[APIGroupInfo for apps v1];
+        A --> B{Scheme: Knows Deployment v1};
+        A --> C{Storage: deployments RESTStorage};
+        A --> D{Version Priority: v1, v1beta1};
+    end
+
+    subgraph RESTStorage Implementation
+        C --> E[genericregistry.Store];
+        E --> F[etcd client];
+        E --> G[Deployment Strategy];
+    end
+
+    subgraph Server Runtime
+        H[GenericAPIServer] -- InstallAPIGroup --> I[APIInstaller];
+        I -- Uses --> A;
+        I --> J{Register /apis/apps/v1/deployments};
+        J --> K[HTTP Handler];
+        K -- On Request --> C;
+    end
+```
+
+The registration process follows these steps:
+
+1.  **`APIGroupInfo` Construction:** For each API group, an `APIGroupInfo` struct is created,
+    which contains the populated `Scheme`, a map of resources to their storage
+    implementations, and an ordered list of **Version Priority**.
+
+2.  **REST Storage Instantiation:** For each resource, a `genericregistry.Store` is created. It
+    is configured with a resource-specific `Strategy` object that contains the core business
+    logic (e.g., handwritten validation).
+
+3.  **API Group Installation:** The `GenericAPIServer`'s `InstallAPIGroup` method takes the
+    `APIGroupInfo` and uses an `APIInstaller` to expose the resources as HTTP endpoints.
+
+## 4. Watch Cache
+
+To handle the high volume of watch requests from controllers without overwhelming etcd, the
+apiserver uses a **watch cache**. The implementation can be found in
+`staging/src/k8s.io/apiserver/pkg/storage/cacher/`.
+
+*   **Initialization:** The cacher first performs a `LIST` to get the current state of all
+    objects and a `ResourceVersion` for that point-in-time. It then starts a `WATCH` from
+    that version to ensure a consistent stream of events.
+*   **Serving from Cache:** Most list and watch requests are served from this in-memory cache, which
+    dramatically reduces the load on etcd. Consistent reads are also served from the
+    cache. This is achieved by first fetching the revision number of the latest write from
+    etcd. The server then ensures the cache is at least that recent—waiting for it to
+    refresh if necessary—before serving the request.
+*   **Fallback to Storage:** If a client request cannot be served from the
+    cache's buffer, the request "falls through" to the underlying etcd storage.
+*   **Bookmarks:** The cacher uses bookmark events to track the latest `ResourceVersion` for
+    unchanged objects. This prevents the cache's `ResourceVersion` from becoming too old,
+    which avoids the need for expensive relist operations from etcd when the objects have
+    not been modified.
+
+## 5. Conflict Resolution
+
+*   **Optimistic Concurrency via `resourceVersion`:** Clients are expected to perform updates using a
+    read-modify-write workflow. The apiserver uses the `resourceVersion` field of every
+    object to enforce optimistic concurrency. This `resourceVersion` is not an arbitrary number;
+    it maps directly to etcd's globally consistent `mod_revision`. When a client submits an
+    update (`PUT` or `PATCH`), it must provide the `resourceVersion` of the object it based its
+    modifications on. If the `resourceVersion` on the server does not match the current
+    `mod_revision` in etcd, the server rejects the request with a `409 Conflict` error. This
+    forces the client to re-read the object, resolve the conflict, and resubmit with the new
+    `resourceVersion`.
+*   **Server-Side Apply:** A declarative, "intent-based" patch. The server maintains a
+    `managedFields` section in the object's metadata to track which "manager" (e.g., a
+    controller) owns each field. This allows multiple actors to manage different parts of the
+    same object without overwriting each other's changes.
+
+## 6. Discovery and OpenAPI
+
+Apiservers serve the `/apis` discovery endpoints and the `/openapi/v2` and `/openapi/v3`
+specifications. The generation of the OpenAPI specification is a multi-stage process.
+
+*   **`openapi-gen`**: This tool reflects on Go structs, reads godoc comments, and looks at
+    validation struct tags to generate a map of all API definitions.
+*   **`zz_generated.openapi.go`**: The output is a large Go file containing a
+    `GetOpenAPIDefinitions` function.
+*   **Runtime**: The `GenericAPIServer` calls this generated function to build the final OpenAPI
+    JSON spec that it serves to clients.
+
+## 7. Security & Observability
+
+*   **Audit (`pkg/audit`):** The apiserver has a policy-driven event logging pipeline. The audit
+    policy controls what is logged and at which stage of a request.
+*   **Security:**
+    *   **mTLS:** The primary authentication mechanism for system components.
+    *   **Service Account Token Issuance:** The `kube-apiserver` acts as an OIDC provider,
+        issuing and validating JWTs for `ServiceAccount`s.
+
+## 8. Streaming Protocols
+
+*   **Websockets:** The apiserver uses websockets to upgrade HTTP
+    connections for interactive, streaming protocols like `exec`, `attach`, and
+    `port-forward`. The `UpgradeAwareProxyHandler` manages this process.
diff --git a/staging/src/k8s.io/apiserver/doc.go b/staging/src/k8s.io/apiserver/doc.go
index 573d9e39b7cd5..78b4becd734e7 100644
--- a/staging/src/k8s.io/apiserver/doc.go
+++ b/staging/src/k8s.io/apiserver/doc.go
@@ -14,4 +14,61 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package apiserver provides the machinery for building Kubernetes-style API servers.
+//
+// This library is the foundation for the Kubernetes API server (`kube-apiserver`),
+// and is also the primary framework for developers building custom API servers to extend
+// the Kubernetes API.
+//
+// An extension API server is a user-provided, standalone web server that registers itself
+// with the main kube-apiserver to handle specific API groups. This allows developers to
+// extend Kubernetes with their own APIs that behave like core Kubernetes APIs, complete
+// with typed clients, authentication, authorization, and discovery.
+//
+// # Key Packages
+//
+// The `apiserver` library is composed of several key packages:
+//
+//   - `pkg/server`: This is the core of the library, providing the `GenericAPIServer`
+//     and the main machinery for building the server.
+//   - `pkg/admission`: This package contains the admission control framework. Developers
+//     can use this to build custom admission plugins that can validate or mutate
+//     requests to enforce custom policies. This is a common way to extend Kubernetes
+//     behavior without adding a full API server.
+//   - `pkg/authentication`: This package provides the framework for authenticating
+//     requests.
+//   - `pkg/authorization`: This package provides the framework for authorizing
+//     requests.
+//   - `pkg/endpoints`: This package contains the machinery for building the REST
+//     endpoints for the API server.
+//   - `pkg/registry`: This package provides the storage interface for the API server.
+//
+// # Instantiating a GenericAPIServer
+//
+// The `GenericAPIServer` struct is the heart of any extension server. It is responsible
+// for assembling and running the HTTP serving stack. See the runnable example for a
+// demonstration of how to instantiate a `GenericAPIServer`.
+//
+// # Building an Extension API Server (API Aggregation)
+//
+// The mechanism that enables extension API servers is API aggregation. The
+// primary apiserver (typically the kube-apiserver) acts as a proxy, forwarding
+// requests for a specific API group (e.g., /apis/myextension.io/v1) to a
+// registered extension server. The apiserver is configured using
+// APIService objects.
+//
+// For most use cases, custom resources (CustomResourceDefinitions) are the
+// preferred way to extend the Kubernetes API.
+//
+// # Building an Admission Plugin
+//
+// The `pkg/admission` package provides a way to add admission policies directly
+// into an apiserver. Admission plugins can be used to validate or mutate objects
+// during write operations. The kube-apiserver uses admission plugins to provide
+// a variety of core system capabilities.
+//
+// For most extension use cases dynamic admission control using policies
+// (ValidatingAdmissionPolicies or MutatingAdmissionPolicies) or
+// webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration) are the
+// preferred way to extend admission control.
 package apiserver
diff --git a/staging/src/k8s.io/apiserver/go.mod b/staging/src/k8s.io/apiserver/go.mod
index 7485165d2730c..97f853715dddb 100644
--- a/staging/src/k8s.io/apiserver/go.mod
+++ b/staging/src/k8s.io/apiserver/go.mod
@@ -2,9 +2,9 @@
 
 module k8s.io/apiserver
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/blang/semver/v4 v4.0.0
@@ -12,8 +12,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/emicklei/go-restful/v3 v3.12.2
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/go-logr/logr v1.4.2
-	github.com/gogo/protobuf v1.3.2
+	github.com/go-logr/logr v1.4.3
 	github.com/google/btree v1.1.3
 	github.com/google/cel-go v0.26.0
 	github.com/google/gnostic-models v0.7.0
@@ -23,43 +22,44 @@ require (
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.etcd.io/etcd/api/v3 v3.6.4
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4
-	go.etcd.io/etcd/client/v3 v3.6.4
-	go.etcd.io/etcd/server/v3 v3.6.4
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.etcd.io/etcd/api/v3 v3.6.5
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5
+	go.etcd.io/etcd/client/v3 v3.6.5
+	go.etcd.io/etcd/server/v3 v3.6.5
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
+	go.opentelemetry.io/otel v1.36.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
-	go.opentelemetry.io/otel/metric v1.35.0
-	go.opentelemetry.io/otel/sdk v1.34.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/metric v1.36.0
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
 	go.uber.org/atomic v1.11.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.42.0
-	golang.org/x/net v0.43.0
-	golang.org/x/sync v0.17.0
-	golang.org/x/sys v0.36.0
+	golang.org/x/crypto v0.45.0
+	golang.org/x/net v0.47.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/sys v0.38.0
+	golang.org/x/text v0.31.0
 	golang.org/x/time v0.9.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	gopkg.in/go-jose/go-jose.v2 v2.6.3
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.34.1
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kms v0.34.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/kms v0.35.1
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 	sigs.k8s.io/yaml v1.6.0
@@ -81,6 +81,7 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 // indirect
@@ -95,40 +96,41 @@ require (
 	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pquerna/cachecontrol v0.1.0 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
-	go.etcd.io/bbolt v1.4.2 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.6.4 // indirect
+	go.etcd.io/bbolt v1.4.3 // indirect
+	go.etcd.io/etcd/pkg/v3 v3.6.5 // indirect
 	go.etcd.io/raft/v3 v3.6.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apiextensions-apiserver => ../apiextensions-apiserver
 	k8s.io/apimachinery => ../apimachinery
diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum
index 9a6f36e337317..02ffdba056edc 100644
--- a/staging/src/k8s.io/apiserver/go.sum
+++ b/staging/src/k8s.io/apiserver/go.sum
@@ -2,9 +2,12 @@ buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-2025013020111
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -36,6 +39,7 @@ github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -63,8 +67,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -103,8 +107,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -125,6 +129,10 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -164,20 +172,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -187,28 +190,29 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -224,8 +228,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -236,18 +240,18 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/gofail v0.2.0/go.mod h1:nL3ILMGfkXTekKI3clMBNazKnjUZjYLKmBHzsVAnC1o=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
@@ -256,22 +260,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -282,35 +286,36 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -319,62 +324,63 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go
index 21ee8c801219b..b7880296896f2 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/featuregate"
 )
 
@@ -32,6 +33,7 @@ type pluginInitializer struct {
 	externalInformers informers.SharedInformerFactory
 	authorizer        authorizer.Authorizer
 	featureGates      featuregate.FeatureGate
+	effectiveVersion  compatibility.EffectiveVersion
 	stopCh            <-chan struct{}
 	restMapper        meta.RESTMapper
 }
@@ -45,6 +47,7 @@ func New(
 	extInformers informers.SharedInformerFactory,
 	authz authorizer.Authorizer,
 	featureGates featuregate.FeatureGate,
+	effectiveVersion compatibility.EffectiveVersion,
 	stopCh <-chan struct{},
 	restMapper meta.RESTMapper,
 ) pluginInitializer {
@@ -54,6 +57,7 @@ func New(
 		externalInformers: extInformers,
 		authorizer:        authz,
 		featureGates:      featureGates,
+		effectiveVersion:  effectiveVersion,
 		stopCh:            stopCh,
 		restMapper:        restMapper,
 	}
@@ -68,6 +72,9 @@ func (i pluginInitializer) Initialize(plugin admission.Interface) {
 	}
 
 	// Second tell the plugin about enabled features, so it can decide whether to start informers or not
+	if wants, ok := plugin.(WantsEffectiveVersion); ok {
+		wants.InspectEffectiveVersion(i.effectiveVersion)
+	}
 	if wants, ok := plugin.(WantsFeatures); ok {
 		wants.InspectFeatureGates(i.featureGates)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go
index d80ce6dd431f5..d503001d650b6 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go
@@ -34,7 +34,7 @@ import (
 // TestWantsAuthorizer ensures that the authorizer is injected
 // when the WantsAuthorizer interface is implemented by a plugin.
 func TestWantsAuthorizer(t *testing.T) {
-	target := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, nil, nil)
+	target := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, nil, nil, nil)
 	wantAuthorizerAdmission := &WantAuthorizerAdmission{}
 	target.Initialize(wantAuthorizerAdmission)
 	if wantAuthorizerAdmission.auth == nil {
@@ -46,7 +46,7 @@ func TestWantsAuthorizer(t *testing.T) {
 // when the WantsExternalKubeClientSet interface is implemented by a plugin.
 func TestWantsExternalKubeClientSet(t *testing.T) {
 	cs := &fake.Clientset{}
-	target := initializer.New(cs, nil, nil, &TestAuthorizer{}, nil, nil, nil)
+	target := initializer.New(cs, nil, nil, &TestAuthorizer{}, nil, nil, nil, nil)
 	wantExternalKubeClientSet := &WantExternalKubeClientSet{}
 	target.Initialize(wantExternalKubeClientSet)
 	if wantExternalKubeClientSet.cs != cs {
@@ -59,7 +59,7 @@ func TestWantsExternalKubeClientSet(t *testing.T) {
 func TestWantsExternalKubeInformerFactory(t *testing.T) {
 	cs := &fake.Clientset{}
 	sf := informers.NewSharedInformerFactory(cs, time.Duration(1)*time.Second)
-	target := initializer.New(cs, nil, sf, &TestAuthorizer{}, nil, nil, nil)
+	target := initializer.New(cs, nil, sf, &TestAuthorizer{}, nil, nil, nil, nil)
 	wantExternalKubeInformerFactory := &WantExternalKubeInformerFactory{}
 	target.Initialize(wantExternalKubeInformerFactory)
 	if wantExternalKubeInformerFactory.sf != sf {
@@ -71,7 +71,7 @@ func TestWantsExternalKubeInformerFactory(t *testing.T) {
 // when the WantsShutdownSignal interface is implemented by a plugin.
 func TestWantsShutdownNotification(t *testing.T) {
 	stopCh := make(chan struct{})
-	target := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, stopCh, nil)
+	target := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, nil, stopCh, nil)
 	wantDrainedNotification := &WantDrainedNotification{}
 	target.Initialize(wantDrainedNotification)
 	if wantDrainedNotification.stopCh == nil {
@@ -153,7 +153,7 @@ func (t *TestAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes)
 }
 
 func TestRESTMapperAdmissionPlugin(t *testing.T) {
-	initializer := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, nil, &doNothingRESTMapper{})
+	initializer := initializer.New(nil, nil, nil, &TestAuthorizer{}, nil, nil, nil, &doNothingRESTMapper{})
 	wantsRESTMapperAdmission := &WantsRESTMapperAdmissionPlugin{}
 	initializer.Initialize(wantsRESTMapperAdmission)
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go
index 21202bd7920d4..a66d62dff06ba 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/featuregate"
 )
 
@@ -73,6 +74,12 @@ type WantsFeatures interface {
 	admission.InitializationValidator
 }
 
+// WantsEffectiveVersion defines a function which passes the effective version for inspection by an admission plugin.
+type WantsEffectiveVersion interface {
+	InspectEffectiveVersion(compatibility.EffectiveVersion)
+	admission.InitializationValidator
+}
+
 type WantsDynamicClient interface {
 	SetDynamicClient(dynamic.Interface)
 	admission.InitializationValidator
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go
index f0fff13046b31..fb5dd825227e3 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go
@@ -229,18 +229,19 @@ func mustBuildEnvs(baseEnv *environment.EnvSet) variableDeclEnvs {
 	for _, hasParams := range []bool{false, true} {
 		for _, hasAuthorizer := range []bool{false, true} {
 			var err error
-			for _, strictCost := range []bool{false, true} {
-				decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: strictCost}
+			{
+				decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer}
 				envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
 				if err != nil {
 					panic(err)
 				}
 			}
-			// We only need this ObjectTypes where strict cost is true
-			decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, StrictCost: true, HasPatchTypes: true}
-			envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
-			if err != nil {
-				panic(err)
+			{
+				decl := OptionalVariableDeclarations{HasParams: hasParams, HasAuthorizer: hasAuthorizer, HasPatchTypes: true}
+				envs[decl], err = createEnvForOpts(baseEnv, namespaceType, requestType, decl)
+				if err != nil {
+					panic(err)
+				}
 			}
 		}
 	}
@@ -274,16 +275,11 @@ func createEnvForOpts(baseEnv *environment.EnvSet, namespaceType *apiservercel.D
 				requestType,
 			},
 		},
+		environment.StrictCostOpt,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("environment misconfigured: %w", err)
 	}
-	if opts.StrictCost {
-		extended, err = extended.Extend(environment.StrictCostOpt)
-		if err != nil {
-			return nil, fmt.Errorf("environment misconfigured: %w", err)
-		}
-	}
 
 	if opts.HasPatchTypes {
 		extended, err = extended.Extend(hasPatchTypes)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile_test.go
index 2059cc5248611..5caf82858a493 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile_test.go
@@ -178,7 +178,7 @@ func TestCompileValidatingPolicyExpression(t *testing.T) {
 	}
 
 	// Include the test library, which includes the test() function in the storage environment during test
-	base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true)
+	base := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	extended, err := base.Extend(environment.VersionedOptions{
 		IntroducedVersion: version.MajorMinor(1, 999),
 		EnvOptions:        []celgo.EnvOption{library.Test()},
@@ -254,7 +254,7 @@ func TestCompileValidatingPolicyExpression(t *testing.T) {
 }
 
 func BenchmarkCompile(b *testing.B) {
-	compiler := NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	compiler := NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		options := OptionalVariableDeclarations{HasParams: rand.Int()%2 == 0, HasAuthorizer: rand.Int()%2 == 0}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition_test.go
index 13a373faabf8c..fb46f218503cb 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition_test.go
@@ -48,15 +48,14 @@ func (t *testVariable) GetName() string {
 
 func TestCompositedPolicies(t *testing.T) {
 	cases := []struct {
-		name                  string
-		variables             []NamedExpressionAccessor
-		expression            string
-		attributes            admission.Attributes
-		expectedResult        any
-		expectErr             bool
-		expectedErrorMessage  string
-		runtimeCostBudget     int64
-		strictCostEnforcement bool
+		name                 string
+		variables            []NamedExpressionAccessor
+		expression           string
+		attributes           admission.Attributes
+		expectedResult       any
+		expectErr            bool
+		expectedErrorMessage string
+		runtimeCostBudget    int64
 	}{
 		{
 			name: "simple",
@@ -187,44 +186,29 @@ func TestCompositedPolicies(t *testing.T) {
 			expectedErrorMessage: "found no matching overload for '_==_' applied to '(string, int)'",
 		},
 		{
-			name: "with strictCostEnforcement on: exceeds cost budget",
+			name: "exceeds cost budget",
 			variables: []NamedExpressionAccessor{
 				&testVariable{
 					name:       "dict",
 					expression: "'abc 123 def 123'.split(' ')",
 				},
 			},
-			attributes:            endpointCreateAttributes(),
-			expression:            "size(variables.dict) > 0",
-			expectErr:             true,
-			expectedErrorMessage:  "validation failed due to running out of cost budget, no further validation rules will be run",
-			runtimeCostBudget:     5,
-			strictCostEnforcement: true,
-		},
-		{
-			name: "with strictCostEnforcement off: not exceed cost budget",
-			variables: []NamedExpressionAccessor{
-				&testVariable{
-					name:       "dict",
-					expression: "'abc 123 def 123'.split(' ')",
-				},
-			},
-			attributes:            endpointCreateAttributes(),
-			expression:            "size(variables.dict) > 0",
-			expectedResult:        true,
-			runtimeCostBudget:     5,
-			strictCostEnforcement: false,
+			attributes:           endpointCreateAttributes(),
+			expression:           "size(variables.dict) > 0",
+			expectErr:            true,
+			expectedErrorMessage: "validation failed due to running out of cost budget, no further validation rules will be run",
+			runtimeCostBudget:    5,
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			compiler, err := NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), tc.strictCostEnforcement))
+			compiler, err := NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 			if err != nil {
 				t.Fatal(err)
 			}
-			compiler.CompileAndStoreVariables(tc.variables, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false, StrictCost: tc.strictCostEnforcement}, environment.NewExpressions)
+			compiler.CompileAndStoreVariables(tc.variables, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.NewExpressions)
 			validations := []ExpressionAccessor{&testCondition{Expression: tc.expression}}
-			f := compiler.CompileCondition(validations, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false, StrictCost: tc.strictCostEnforcement}, environment.NewExpressions)
+			f := compiler.CompileCondition(validations, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.NewExpressions)
 			versionedAttr, err := admission.NewVersionedAttributes(tc.attributes, tc.attributes.GetKind(), newObjectInterfacesForTest())
 			if err != nil {
 				t.Fatal(err)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
index 046a0db38061d..e9a851ad9e493 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
@@ -99,8 +99,8 @@ func TestCompile(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			c := conditionCompiler{compiler: NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))}
-			e := c.CompileCondition(tc.validation, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false, StrictCost: true}, environment.NewExpressions)
+			c := conditionCompiler{compiler: NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))}
+			e := c.CompileCondition(tc.validation, OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.NewExpressions)
 			if e == nil {
 				t.Fatalf("unexpected nil validator")
 			}
@@ -197,7 +197,6 @@ func TestCondition(t *testing.T) {
 		authorizer       authorizer.Authorizer
 		testPerCallLimit uint64
 		namespaceObject  *corev1.Namespace
-		strictCost       bool
 		enableSelectors  bool
 
 		compatibilityVersion *version.Version
@@ -932,7 +931,7 @@ func TestCondition(t *testing.T) {
 			if compatibilityVersion == nil {
 				compatibilityVersion = environment.DefaultCompatibilityVersion()
 			}
-			env, err := environment.MustBaseEnvSet(compatibilityVersion, tc.strictCost).Extend(
+			env, err := environment.MustBaseEnvSet(compatibilityVersion).Extend(
 				environment.VersionedOptions{
 					IntroducedVersion: compatibilityVersion,
 					ProgramOptions:    []celgo.ProgramOption{celgo.CostLimit(tc.testPerCallLimit)},
@@ -946,7 +945,7 @@ func TestCondition(t *testing.T) {
 			if envType == "" {
 				envType = environment.NewExpressions
 			}
-			f := c.CompileCondition(tc.validations, OptionalVariableDeclarations{HasParams: tc.hasParamKind, HasAuthorizer: tc.authorizer != nil, StrictCost: tc.strictCost}, envType)
+			f := c.CompileCondition(tc.validations, OptionalVariableDeclarations{HasParams: tc.hasParamKind, HasAuthorizer: tc.authorizer != nil}, envType)
 			if f == nil {
 				t.Fatalf("unexpected nil validator")
 			}
@@ -989,6 +988,8 @@ func TestCondition(t *testing.T) {
 }
 
 func TestRuntimeCELCostBudget(t *testing.T) {
+	checkCost := int64(350000)
+
 	configMapParams := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo",
@@ -999,17 +1000,16 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 	}
 
 	cases := []struct {
-		name                        string
-		attributes                  admission.Attributes
-		params                      runtime.Object
-		validations                 []ExpressionAccessor
-		hasParamKind                bool
-		authorizer                  authorizer.Authorizer
-		testRuntimeCELCostBudget    int64
-		exceedBudget                bool
-		expectRemainingBudget       *int64
-		enableStrictCostEnforcement bool
-		exceedPerCallLimit          bool
+		name                     string
+		attributes               admission.Attributes
+		params                   runtime.Object
+		validations              []ExpressionAccessor
+		hasParamKind             bool
+		authorizer               authorizer.Authorizer
+		testRuntimeCELCostBudget int64
+		exceedBudget             bool
+		expectRemainingBudget    *int64
+		exceedPerCallLimit       bool
 	}{
 		{
 			name: "expression exceed RuntimeCELCostBudget at fist expression",
@@ -1106,7 +1106,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 6,
+			testRuntimeCELCostBudget: checkCost + 5,
 			expectRemainingBudget:    pointer.To(int64(0)),
 			authorizer:               denyAll,
 		},
@@ -1120,7 +1120,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 1,
+			testRuntimeCELCostBudget: 4,
 			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
@@ -1133,7 +1133,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 2,
+			testRuntimeCELCostBudget: 4,
 			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
@@ -1146,7 +1146,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 3,
+			testRuntimeCELCostBudget: 5,
 			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
@@ -1159,7 +1159,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 3,
+			testRuntimeCELCostBudget: 7,
 			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
@@ -1172,7 +1172,7 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 			attributes:               newValidAttribute(nil, false),
 			hasParamKind:             false,
 			exceedBudget:             false,
-			testRuntimeCELCostBudget: 3,
+			testRuntimeCELCostBudget: 4,
 			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
@@ -1198,12 +1198,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "has(object.subsets)",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			testRuntimeCELCostBudget:    35000,
-			exceedBudget:                true,
-			authorizer:                  denyAll,
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			testRuntimeCELCostBudget: 35000,
+			exceedBudget:             true,
+			authorizer:               denyAll,
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: expression exceed RuntimeCELCostBudget at last expression",
@@ -1215,12 +1214,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "!authorizer.group('').resource('endpoints').check('create').allowed()",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			testRuntimeCELCostBudget:    700000,
-			exceedBudget:                true,
-			authorizer:                  denyAll,
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			testRuntimeCELCostBudget: 700000,
+			exceedBudget:             true,
+			authorizer:               denyAll,
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: test RuntimeCELCostBudge is not exceed",
@@ -1232,14 +1230,13 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "!authorizer.group('').resource('endpoints').check('create').allowed()",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                true,
-			params:                      configMapParams,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    700011,
-			expectRemainingBudget:       pointer.To(int64(1)), // 700011 - 700010
-			authorizer:                  denyAll,
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             true,
+			params:                   configMapParams,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 700011,
+			expectRemainingBudget:    pointer.To(int64(1)), // 700011 - 700010
+			authorizer:               denyAll,
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: test RuntimeCELCostBudge exactly covers",
@@ -1251,14 +1248,13 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "!authorizer.group('').resource('endpoints').check('create').allowed()",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                true,
-			params:                      configMapParams,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    700010,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			authorizer:                  denyAll,
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             true,
+			params:                   configMapParams,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 700010,
+			expectRemainingBudget:    pointer.To(int64(0)),
+			authorizer:               denyAll,
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: per call limit exceeds",
@@ -1267,13 +1263,12 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "!authorizer.group('').resource('endpoints').check('create').allowed() && !authorizer.group('').resource('endpoints').check('create').allowed() && !authorizer.group('').resource('endpoints').check('create').allowed()",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                true,
-			params:                      configMapParams,
-			authorizer:                  denyAll,
-			exceedPerCallLimit:          true,
-			testRuntimeCELCostBudget:    -1,
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             true,
+			params:                   configMapParams,
+			authorizer:               denyAll,
+			exceedPerCallLimit:       true,
+			testRuntimeCELCostBudget: -1,
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: isSorted()",
@@ -1282,12 +1277,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "[1,2,3,4].isSorted()",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    4,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 4,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: url",
@@ -1296,12 +1290,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "url('https:://kubernetes.io/').getHostname() == 'kubernetes.io'",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    4,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 4,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: split",
@@ -1310,12 +1303,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "size('abc 123 def 123'.split(' ')) > 0",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    5,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 5,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: join",
@@ -1324,12 +1316,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "size(['aa', 'bb', 'cc', 'd', 'e', 'f', 'g', 'h', 'i', 'j'].join(' ')) > 0",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    7,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 7,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: find",
@@ -1338,12 +1329,11 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "size('abc 123 def 123'.find('123')) > 0",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    4,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 4,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 		{
 			name: "With StrictCostEnforcementForVAP enabled: Extended library cost: quantity",
@@ -1352,19 +1342,18 @@ func TestRuntimeCELCostBudget(t *testing.T) {
 					Expression: "quantity(\"200M\") == quantity(\"0.2G\") && quantity(\"0.2G\") == quantity(\"200M\")",
 				},
 			},
-			attributes:                  newValidAttribute(nil, false),
-			hasParamKind:                false,
-			exceedBudget:                false,
-			testRuntimeCELCostBudget:    6,
-			expectRemainingBudget:       pointer.To(int64(0)),
-			enableStrictCostEnforcement: true,
+			attributes:               newValidAttribute(nil, false),
+			hasParamKind:             false,
+			exceedBudget:             false,
+			testRuntimeCELCostBudget: 6,
+			expectRemainingBudget:    pointer.To(int64(0)),
 		},
 	}
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			c := conditionCompiler{compiler: NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), tc.enableStrictCostEnforcement))}
-			f := c.CompileCondition(tc.validations, OptionalVariableDeclarations{HasParams: tc.hasParamKind, HasAuthorizer: true, StrictCost: tc.enableStrictCostEnforcement}, environment.NewExpressions)
+			c := conditionCompiler{compiler: NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))}
+			f := c.CompileCondition(tc.validations, OptionalVariableDeclarations{HasParams: tc.hasParamKind, HasAuthorizer: true}, environment.NewExpressions)
 			if f == nil {
 				t.Fatalf("unexpected nil validator")
 			}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go
index a9e35a226f18f..55faa34ec619c 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/interface.go
@@ -61,8 +61,6 @@ type OptionalVariableDeclarations struct {
 	// variables are declared. When declared, the authorizer variables are
 	// expected to be non-null.
 	HasAuthorizer bool
-	// StrictCost specifies if the CEL cost limitation is strict for extended libraries as well as native libraries.
-	StrictCost bool
 	// HasPatchTypes specifies if JSONPatch, Object, Object.metadata and similar types are available in CEL. These can be used
 	// to initialize the typed objects in CEL required to create patches.
 	HasPatchTypes bool
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go
index 22c693d2dd133..ea6a10218d64d 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -53,7 +54,7 @@ func newHandlerForTestWithClock(c clientset.Interface, cacheClock clock.Clock) (
 	if err != nil {
 		return nil, f, err
 	}
-	pluginInitializer := kubeadmission.New(c, nil, f, nil, nil, nil, nil)
+	pluginInitializer := kubeadmission.New(c, nil, f, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	err = admission.ValidateInitialization(handler)
 	return handler, f, err
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go
index d243b0710bc95..782b6f1f483bf 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go
@@ -17,6 +17,7 @@ limitations under the License.
 package generic
 
 import (
+	"context"
 	"fmt"
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -41,10 +42,12 @@ type PolicyMatcher interface {
 	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error)
 
 	// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
-	// GetNamespace must return nil, nil
-	GetNamespace(name string) (*corev1.Namespace, error)
+	// GetNamespace must return nil, NotFound
+	GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
 }
 
+var errNilSelector = "a nil %s selector was passed, please ensure selectors are initialized properly"
+
 type matcher struct {
 	Matcher *matching.Matcher
 }
@@ -66,6 +69,13 @@ func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectIn
 	if constraints == nil {
 		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf("policy contained no match constraints, a required field")
 	}
+	if constraints.NamespaceSelector == nil {
+		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "namespace")
+	}
+	if constraints.ObjectSelector == nil {
+		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "object")
+	}
+
 	criteria := matchCriteria{constraints: constraints}
 	return c.Matcher.Matches(a, o, &criteria)
 }
@@ -76,14 +86,20 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter
 	if matchResources == nil {
 		return true, nil
 	}
+	if matchResources.NamespaceSelector == nil {
+		return false, fmt.Errorf(errNilSelector, "namespace")
+	}
+	if matchResources.ObjectSelector == nil {
+		return false, fmt.Errorf(errNilSelector, "object")
+	}
 
 	criteria := matchCriteria{constraints: matchResources}
 	isMatch, _, _, err := c.Matcher.Matches(a, o, &criteria)
 	return isMatch, err
 }
 
-func (c *matcher) GetNamespace(name string) (*corev1.Namespace, error) {
-	return c.Matcher.GetNamespace(name)
+func (c *matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) {
+	return c.Matcher.GetNamespace(ctx, name)
 }
 
 var _ matching.MatchCriteria = &matchCriteria{}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
index ca6cdc884fc77..09e4895e93385 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_source.go
@@ -47,6 +47,7 @@ import (
 const policyRefreshIntervalDefault = 1 * time.Second
 
 var policyRefreshInterval = policyRefreshIntervalDefault
+var policyRefreshIntervalLock sync.Mutex
 
 type policySource[P runtime.Object, B runtime.Object, E Evaluator] struct {
 	ctx                context.Context
@@ -132,8 +133,12 @@ func NewPolicySource[P runtime.Object, B runtime.Object, E Evaluator](
 // SetPolicyRefreshIntervalForTests allows the refresh interval to be overridden during tests.
 // This should only be called from tests.
 func SetPolicyRefreshIntervalForTests(interval time.Duration) func() {
+	policyRefreshIntervalLock.Lock()
+	defer policyRefreshIntervalLock.Unlock()
 	policyRefreshInterval = interval
 	return func() {
+		policyRefreshIntervalLock.Lock()
+		defer policyRefreshIntervalLock.Unlock()
 		policyRefreshInterval = policyRefreshIntervalDefault
 	}
 }
@@ -145,7 +150,7 @@ func (s *policySource[P, B, E]) Run(ctx context.Context) error {
 
 	// Wait for initial cache sync of policies and informers before reconciling
 	// any
-	if !cache.WaitForNamedCacheSync(fmt.Sprintf("%T", s), ctx.Done(), s.UpstreamHasSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, s.UpstreamHasSynced) {
 		err := ctx.Err()
 		if err == nil {
 			err = fmt.Errorf("initial cache sync for %T failed", s)
@@ -194,7 +199,10 @@ func (s *policySource[P, B, E]) Run(ctx context.Context) error {
 	// and needs to be recompiled
 	go func() {
 		// Loop every 1 second until context is cancelled, refreshing policies
-		wait.Until(s.refreshPolicies, policyRefreshInterval, ctx.Done())
+		policyRefreshIntervalLock.Lock()
+		interval := policyRefreshInterval
+		policyRefreshIntervalLock.Unlock()
+		wait.Until(s.refreshPolicies, interval, ctx.Done())
 	}()
 
 	<-ctx.Done()
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go
index d9a737a60ae70..b98c10e705036 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_test_context.go
@@ -45,6 +45,7 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/util/compatibility"
 )
 
 // Logger allows t.Testing and b.Testing to be passed to PolicyTestContext
@@ -158,27 +159,27 @@ func NewPolicyTestContext[P, B runtime.Object, E Evaluator](
 	// Make an informer for our policies and bindings
 
 	policyInformer := cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				return policiesAndBindingsTracker.List(fakePolicyGVR, fakePolicyGVK, "")
 			},
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 				return policiesAndBindingsTracker.Watch(fakePolicyGVR, "")
 			},
-		},
+		}, policiesAndBindingsTracker),
 		Pexample,
 		30*time.Second,
 		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
 	)
 	bindingInformer := cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				return policiesAndBindingsTracker.List(fakeBindingGVR, fakeBindingGVK, "")
 			},
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 				return policiesAndBindingsTracker.Watch(fakeBindingGVR, "")
 			},
-		},
+		}, policiesAndBindingsTracker),
 		Bexample,
 		30*time.Second,
 		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
@@ -203,6 +204,7 @@ func NewPolicyTestContext[P, B runtime.Object, E Evaluator](
 	plugin.SetEnabled(true)
 
 	featureGate := featuregate.NewFeatureGate()
+	effectiveVersion := compatibility.DefaultBuildEffectiveVersion()
 	testContext, testCancel := context.WithCancel(context.Background())
 	genericInitializer := initializer.New(
 		nativeClient,
@@ -210,6 +212,7 @@ func NewPolicyTestContext[P, B runtime.Object, E Evaluator](
 		fakeInformerFactory,
 		fakeAuthorizer{},
 		featureGate,
+		effectiveVersion,
 		testContext.Done(),
 		fakeRestMapper,
 	)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller.go
index f08e1cc559837..a94004c272dff 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller.go
@@ -174,7 +174,7 @@ func (c *controller[T]) Run(ctx context.Context) error {
 
 	// Wait for initial cache list to complete before beginning to reconcile
 	// objects.
-	if !cache.WaitForNamedCacheSync(c.options.Name, ctx.Done(), c.informer.HasSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.informer.HasSynced) {
 		// ctx cancelled during cache sync. return early
 		err := ctx.Err()
 		if err == nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller_test.go
index 9942391047a9b..9ccaffad25d25 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller_test.go
@@ -38,7 +38,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
-
 	"k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic"
 
 	clienttesting "k8s.io/client-go/testing"
@@ -113,14 +112,14 @@ func setupTest(ctx context.Context, customReconciler func(string, string, runtim
 
 	// Set up fake informers that return instances of mock Policy definitoins
 	// and mock policy bindings
-	informer = &testInformer{SharedIndexInformer: cache.NewSharedIndexInformer(&cache.ListWatch{
+	informer = &testInformer{SharedIndexInformer: cache.NewSharedIndexInformer(cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			return tracker.List(fakeGVR, fakeGVK, "")
 		},
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			return tracker.Watch(fakeGVR, "")
 		},
-	}, &unstructured.Unstructured{}, 30*time.Second, nil)}
+	}, tracker), &unstructured.Unstructured{}, 30*time.Second, nil)}
 
 	reconciler := func(namespace, name string, newObj *unstructured.Unstructured) error {
 		var err error
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go
index eebe7694340d4..30a6cbebe9793 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/matching/matching.go
@@ -17,6 +17,7 @@ limitations under the License.
 package matching
 
 import (
+	"context"
 	"fmt"
 
 	v1 "k8s.io/api/admissionregistration/v1"
@@ -44,8 +45,8 @@ type Matcher struct {
 	objectMatcher    *object.Matcher
 }
 
-func (m *Matcher) GetNamespace(name string) (*corev1.Namespace, error) {
-	return m.namespaceMatcher.GetNamespace(name)
+func (m *Matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) {
+	return m.namespaceMatcher.GetNamespace(ctx, name)
 }
 
 // NewMatcher initialize the matcher with dependencies requires
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/compilation.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/compilation.go
index d8b5c11a57636..121c3b4004f7e 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/compilation.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/compilation.go
@@ -33,8 +33,8 @@ import (
 // Each individual mutation is compiled into MutationEvaluationFunc and
 // returned is a PolicyEvaluator in the same order as the mutations appeared in the policy.
 func compilePolicy(policy *Policy) PolicyEvaluator {
-	opts := plugincel.OptionalVariableDeclarations{HasParams: policy.Spec.ParamKind != nil, StrictCost: true, HasAuthorizer: true}
-	compiler, err := plugincel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	opts := plugincel.OptionalVariableDeclarations{HasParams: policy.Spec.ParamKind != nil, HasAuthorizer: true}
+	compiler, err := plugincel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	if err != nil {
 		return PolicyEvaluator{Error: &apiservercel.Error{
 			Type:   apiservercel.ErrorTypeInternal,
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go
index 153b268d6718b..53dbd6486f08a 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/dispatcher.go
@@ -122,8 +122,12 @@ func (d *dispatcher) dispatchInvocations(
 	// if it is cluster scoped, namespaceName will be empty
 	// Otherwise, get the Namespace resource.
 	if namespaceName != "" {
-		namespace, err = d.matcher.GetNamespace(namespaceName)
+		namespace, err = d.matcher.GetNamespace(ctx, namespaceName)
 		if err != nil {
+			var statusError *k8serrors.StatusError
+			if errors.As(err, &statusError) {
+				return nil, statusError
+			}
 			return nil, k8serrors.NewNotFound(schema.GroupResource{Group: "", Resource: "namespaces"}, namespaceName)
 		}
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/json_patch_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/json_patch_test.go
index 121ff4bba6d23..15171998093b8 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/json_patch_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/json_patch_test.go
@@ -18,10 +18,11 @@ package patch
 
 import (
 	"context"
-	"github.com/google/go-cmp/cmp"
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -403,7 +404,7 @@ func TestJSONPatch(t *testing.T) {
 		},
 	}
 
-	compiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	compiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 
 	if err != nil {
 		t.Fatal(err)
@@ -411,7 +412,7 @@ func TestJSONPatch(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			accessor := &JSONPatchCondition{Expression: tc.expression}
-			compileResult := compiler.CompileMutatingEvaluator(accessor, cel.OptionalVariableDeclarations{StrictCost: true, HasPatchTypes: true}, environment.StoredExpressions)
+			compileResult := compiler.CompileMutatingEvaluator(accessor, cel.OptionalVariableDeclarations{HasPatchTypes: true}, environment.StoredExpressions)
 
 			patcher := jsonPatcher{PatchEvaluator: compileResult}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd.go
index 3be79df54ea17..7135aca3a254a 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd.go
@@ -138,7 +138,7 @@ func ApplyStructuredMergeDiff(
 		return nil, fmt.Errorf("invalid ApplyConfiguration: %w", err)
 	}
 
-	liveObjTyped, err := typeConverter.ObjectToTyped(originalObject)
+	liveObjTyped, err := typeConverter.ObjectToTyped(originalObject, typed.AllowDuplicates)
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert original object to typed object: %w", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd_test.go
index 9ad483b3c695a..3f0b87233dcfd 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch/smd_test.go
@@ -18,11 +18,12 @@ package patch
 
 import (
 	"context"
-	"github.com/google/go-cmp/cmp"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
+
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -232,9 +233,110 @@ func TestApplyConfiguration(t *testing.T) {
 			object:      &appsv1.Deployment{Spec: appsv1.DeploymentSpec{Replicas: ptr.To[int32](1)}},
 			expectedErr: "must evaluate to Object but got Object.spec.metadata",
 		},
+		{
+			name: "apply configuration with duplicate env vars in original object",
+			expression: `Object{
+					spec: Object.spec{
+						replicas: 3
+					}
+				}`,
+			gvr: deploymentGVR,
+			object: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Replicas: ptr.To[int32](1),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{
+								Name: "nginx",
+								Env: []corev1.EnvVar{
+									{Name: "test", Value: "a"},
+									{Name: "test", Value: "b"},
+								},
+							}},
+						},
+					},
+				},
+			},
+			expectedResult: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Replicas: ptr.To[int32](3),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{
+								Name: "nginx",
+								Env: []corev1.EnvVar{
+									{Name: "test", Value: "a"},
+									{Name: "test", Value: "b"},
+								},
+							}},
+						},
+					},
+				},
+			},
+		},
+		// This test verifies that modifying an existing environment variable works correctly,
+		// even if the original object contains duplicates.
+		// Because 'env' is defined with `listType=map` and `listMapKey=name` in the schema,
+		// Structured Merge Diff (SMD) treats 'name' as the unique key.
+		// When the patch updates the entry with name="test", SMD merges the changes.
+		// As a side effect of the merge process on a map-type list, duplicate entries for the
+		// same key in the original object are consolidated into a single entry in the result.
+		// This matches the behavior of Server-Side Apply (SSA) and kubectl apply.
+		{
+			name: "apply configuration modify existing env variable",
+			expression: `Object{
+					spec: Object.spec{
+						template: Object.spec.template{
+							spec: Object.spec.template.spec{
+								containers: [Object.spec.template.spec.containers{
+									name: "nginx",
+									env: [Object.spec.template.spec.containers.env{
+										name: "test",
+										value: "c"
+									}]
+								}]
+							}
+						}
+					}
+				}`,
+			gvr: deploymentGVR,
+			object: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Replicas: ptr.To[int32](1),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{
+								Name: "nginx",
+								Env: []corev1.EnvVar{
+									{Name: "test", Value: "a"},
+									{Name: "test", Value: "b"},
+									{Name: "foo", Value: "bar"},
+								},
+							}},
+						},
+					},
+				},
+			},
+			expectedResult: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Replicas: ptr.To[int32](1),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{
+								Name: "nginx",
+								Env: []corev1.EnvVar{
+									{Name: "test", Value: "c"},
+									{Name: "foo", Value: "bar"},
+								},
+							}},
+						},
+					},
+				},
+			},
+		},
 	}
 
-	compiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	compiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -255,7 +357,7 @@ func TestApplyConfiguration(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			accessor := &ApplyConfigurationCondition{Expression: tc.expression}
-			compileResult := compiler.CompileMutatingEvaluator(accessor, cel.OptionalVariableDeclarations{StrictCost: true, HasPatchTypes: true}, environment.StoredExpressions)
+			compileResult := compiler.CompileMutatingEvaluator(accessor, cel.OptionalVariableDeclarations{HasPatchTypes: true}, environment.StoredExpressions)
 
 			patcher := applyConfigPatcher{expressionEvaluator: compileResult}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go
index 04ade16d145b4..baad6a9d9f204 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go
@@ -269,7 +269,7 @@ func (f *fakeMatcher) ValidateInitialization() error {
 	return nil
 }
 
-func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) {
+func (f *fakeMatcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) {
 	return nil, nil
 }
 
@@ -360,6 +360,7 @@ func setupTestCommon(
 	matcher generic.PolicyMatcher,
 	shouldStartInformers bool,
 ) *generic.PolicyTestContext[*validating.Policy, *validating.PolicyBinding, validating.Validator] {
+	t.Cleanup(generic.SetPolicyRefreshIntervalForTests(10 * time.Millisecond))
 	testContext, testContextCancel, err := generic.NewPolicyTestContext(
 		t,
 		validating.NewValidatingAdmissionPolicyAccessor,
@@ -1508,7 +1509,6 @@ func TestParamRef(t *testing.T) {
 						}
 
 						t.Run(name, func(t *testing.T) {
-							t.Parallel()
 							// Test creating a policy with a cluster or namesapce-scoped param
 							// and binding with the provided configuration. Test will ensure
 							// that the provided configuration is capable of matching
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go
index 8f3e22f64dc28..0b5474b756422 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go
@@ -189,7 +189,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 			// if it is cluster scoped, namespaceName will be empty
 			// Otherwise, get the Namespace resource.
 			if namespaceName != "" {
-				namespace, err = c.matcher.GetNamespace(namespaceName)
+				namespace, err = c.matcher.GetNamespace(ctx, namespaceName)
 				if err != nil {
 					return err
 				}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go
index 85db23cd8a67c..bdca01e691a73 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go
@@ -31,8 +31,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/cel/environment"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
@@ -46,14 +44,11 @@ const (
 var (
 	lazyCompositionEnvTemplateWithStrictCostInit sync.Once
 	lazyCompositionEnvTemplateWithStrictCost     *cel.CompositionEnv
-
-	lazyCompositionEnvTemplateWithoutStrictCostInit sync.Once
-	lazyCompositionEnvTemplateWithoutStrictCost     *cel.CompositionEnv
 )
 
 func getCompositionEnvTemplateWithStrictCost() *cel.CompositionEnv {
 	lazyCompositionEnvTemplateWithStrictCostInit.Do(func() {
-		env, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+		env, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 		if err != nil {
 			panic(err)
 		}
@@ -62,17 +57,6 @@ func getCompositionEnvTemplateWithStrictCost() *cel.CompositionEnv {
 	return lazyCompositionEnvTemplateWithStrictCost
 }
 
-func getCompositionEnvTemplateWithoutStrictCost() *cel.CompositionEnv {
-	lazyCompositionEnvTemplateWithoutStrictCostInit.Do(func() {
-		env, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
-		if err != nil {
-			panic(err)
-		}
-		lazyCompositionEnvTemplateWithoutStrictCost = env
-	})
-	return lazyCompositionEnvTemplateWithoutStrictCost
-}
-
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
@@ -131,18 +115,13 @@ func compilePolicy(policy *Policy) Validator {
 	if policy.Spec.ParamKind != nil {
 		hasParam = true
 	}
-	strictCost := utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP)
-	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true, StrictCost: strictCost}
-	expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false, StrictCost: strictCost}
+	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
+	expressionOptionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
 	failurePolicy := policy.Spec.FailurePolicy
 	var matcher matchconditions.Matcher = nil
 	matchConditions := policy.Spec.MatchConditions
 	var compositionEnvTemplate *cel.CompositionEnv
-	if strictCost {
-		compositionEnvTemplate = getCompositionEnvTemplateWithStrictCost()
-	} else {
-		compositionEnvTemplate = getCompositionEnvTemplateWithoutStrictCost()
-	}
+	compositionEnvTemplate = getCompositionEnvTemplateWithStrictCost()
 	filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate)
 	filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go
index 192be9621bde8..6a284e6de950c 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking.go
@@ -25,7 +25,7 @@ import (
 
 	"github.com/google/cel-go/cel"
 
-	"k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -39,8 +39,6 @@ import (
 	"k8s.io/apiserver/pkg/cel/library"
 	"k8s.io/apiserver/pkg/cel/openapi"
 	"k8s.io/apiserver/pkg/cel/openapi/resolver"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 )
 
@@ -212,7 +210,6 @@ func (c *TypeChecker) CheckExpression(ctx *TypeCheckingContext, expression strin
 		options := plugincel.OptionalVariableDeclarations{
 			HasParams:     ctx.paramDeclType != nil,
 			HasAuthorizer: true,
-			StrictCost:    utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP),
 		}
 		compiler.CompileAndStoreVariables(convertv1beta1Variables(ctx.variables), options, environment.StoredExpressions)
 		result := compiler.CompileCELExpression(celExpression(expression), options, environment.StoredExpressions)
@@ -394,7 +391,7 @@ func (c *TypeChecker) tryRefreshRESTMapper() {
 }
 
 func buildEnvSet(hasParams bool, hasAuthorizer bool, types typeOverwrite) (*environment.EnvSet, error) {
-	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForVAP))
+	baseEnv := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	requestType := plugincel.BuildRequestType()
 	namespaceType := plugincel.BuildNamespaceType()
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking_test.go
index 4da14b9291253..2a78ac6284790 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/typechecking_test.go
@@ -297,6 +297,26 @@ func TestTypeCheck(t *testing.T) {
 			},
 		}},
 	}}
+
+	reproducerPolicy := &v1.ValidatingAdmissionPolicy{Spec: v1.ValidatingAdmissionPolicySpec{
+		Validations: []v1.Validation{
+			{
+				Expression: "has(object.spec.text)",
+			},
+		},
+		MatchConstraints: &v1.MatchResources{ResourceRules: []v1.NamedRuleWithOperations{
+			{
+				RuleWithOperations: v1.RuleWithOperations{
+					Rule: v1.Rule{
+						APIGroups:   []string{"example.com"},
+						APIVersions: []string{"v1alpha1"},
+						Resources:   []string{"reproducers"},
+					},
+				},
+			},
+		}},
+	}}
+
 	for _, tc := range []struct {
 		name           string
 		schemaToReturn *spec.Schema
@@ -437,6 +457,39 @@ func TestTypeCheck(t *testing.T) {
 				toContain("found no matching overload for 'allowed' applied to 'kubernetes.authorization.Authorizer"),
 			},
 		},
+		{
+			name:   "additionalProperties: true",
+			policy: reproducerPolicy,
+			schemaToReturn: &spec.Schema{
+				SchemaProps: spec.SchemaProps{
+					Type: []string{"object"},
+					Properties: map[string]spec.Schema{
+						"spec": {
+							SchemaProps: spec.SchemaProps{
+								Type: []string{"object"},
+								Properties: map[string]spec.Schema{
+									"text": *spec.StringProperty(),
+								},
+							},
+						},
+						"status": {
+							SchemaProps: spec.SchemaProps{
+								Type: []string{"object"},
+								Properties: map[string]spec.Schema{
+									"problematicProperty": {
+										SchemaProps: spec.SchemaProps{
+											Type:                 []string{"object"},
+											AdditionalProperties: &spec.SchemaOrBool{Allows: true},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			assertions: []assertionFunc{toBeEmpty},
+		},
 		{
 			name: "variables valid",
 			policy: &v1.ValidatingAdmissionPolicy{Spec: v1.ValidatingAdmissionPolicySpec{
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator_test.go
index db75afd71ed31..5100d00777975 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator_test.go
@@ -1035,7 +1035,7 @@ func TestContextCanceled(t *testing.T) {
 
 	fakeAttr := admission.NewAttributesRecord(nil, nil, schema.GroupVersionKind{}, "default", "foo", schema.GroupVersionResource{}, "", admission.Create, nil, false, nil)
 	fakeVersionedAttr, _ := admission.NewVersionedAttributes(fakeAttr, schema.GroupVersionKind{}, nil)
-	fc := cel.NewConditionCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	fc := cel.NewConditionCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 	f := fc.CompileCondition([]cel.ExpressionAccessor{&ValidationCondition{Expression: "[1,2,3,4,5,6,7,8,9,10].map(x, [1,2,3,4,5,6,7,8,9,10].map(y, x*y)) == []"}}, cel.OptionalVariableDeclarations{HasParams: false, HasAuthorizer: false}, environment.StoredExpressions)
 	v := validator{
 		failPolicy:       &fail,
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go
index 7ae29d5bb4418..f4e33730273de 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/accessors.go
@@ -27,8 +27,6 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/object"
 	"k8s.io/apiserver/pkg/cel/environment"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/client-go/rest"
 )
@@ -141,16 +139,11 @@ func (m *mutatingWebhookAccessor) GetCompiledMatcher(compiler cel.ConditionCompi
 				Expression: matchCondition.Expression,
 			}
 		}
-		strictCost := false
-		if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) {
-			strictCost = true
-		}
 		m.compiledMatcher = matchconditions.NewMatcher(compiler.CompileCondition(
 			expressions,
 			cel.OptionalVariableDeclarations{
 				HasParams:     false,
 				HasAuthorizer: true,
-				StrictCost:    strictCost,
 			},
 			environment.StoredExpressions,
 		), m.FailurePolicy, "webhook", "admit", m.Name)
@@ -274,16 +267,11 @@ func (v *validatingWebhookAccessor) GetCompiledMatcher(compiler cel.ConditionCom
 				Expression: matchCondition.Expression,
 			}
 		}
-		strictCost := false
-		if utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks) {
-			strictCost = true
-		}
 		v.compiledMatcher = matchconditions.NewMatcher(compiler.CompileCondition(
 			expressions,
 			cel.OptionalVariableDeclarations{
 				HasParams:     false,
 				HasAuthorizer: true,
-				StrictCost:    strictCost,
 			},
 			environment.StoredExpressions,
 		), v.FailurePolicy, "webhook", "validating", v.Name)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
index 8db7d3ced94bf..bf646d0080198 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/generic/webhook.go
@@ -22,8 +22,6 @@ import (
 	"io"
 
 	"k8s.io/apiserver/pkg/cel/environment"
-	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 
 	admissionv1 "k8s.io/api/admission/v1"
@@ -102,7 +100,7 @@ func NewWebhook(handler *admission.Handler, configFile io.Reader, sourceFactory
 		namespaceMatcher: &namespace.Matcher{},
 		objectMatcher:    &object.Matcher{},
 		dispatcher:       dispatcherFactory(&cm),
-		filterCompiler:   cel.NewConditionCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), utilfeature.DefaultFeatureGate.Enabled(features.StrictCostEnforcementForWebhooks))),
+		filterCompiler:   cel.NewConditionCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())),
 	}, nil
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go
index 7817cb17725c2..d73c69bbab150 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace/matcher.go
@@ -44,8 +44,13 @@ type Matcher struct {
 	Client          clientset.Interface
 }
 
-func (m *Matcher) GetNamespace(name string) (*v1.Namespace, error) {
-	return m.NamespaceLister.Get(name)
+func (m *Matcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) {
+	ns, err := m.NamespaceLister.Get(name)
+	if apierrors.IsNotFound(err) && len(name) > 0 {
+		// in case of latency in our caches, make a call direct to storage to verify that it truly exists or not
+		ns, err = m.Client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
+	}
+	return ns, err
 }
 
 // Validate checks if the Matcher has a NamespaceLister and Client.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
index c81faca78ce65..be85d4f3d714d 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
@@ -79,7 +79,7 @@ func ValidateAuthenticationConfiguration(compiler authenticationcel.Compiler, c
 
 	if c.Anonymous != nil {
 		if !utilfeature.DefaultFeatureGate.Enabled(features.AnonymousAuthConfigurableEndpoints) {
-			allErrs = append(allErrs, field.Forbidden(field.NewPath("anonymous"), "anonymous is not supported when AnonymousAuthConfigurableEnpoints feature gate is disabled"))
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("anonymous"), "anonymous is not supported when AnonymousAuthConfigurableEndpoints feature gate is disabled"))
 		}
 		if !c.Anonymous.Enabled && len(c.Anonymous.Conditions) > 0 {
 			allErrs = append(allErrs, field.Invalid(field.NewPath("anonymous", "conditions"), c.Anonymous.Conditions, "enabled should be set to true when conditions are defined"))
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
index 70b22998f0620..e0ad15521bf38 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
@@ -828,8 +828,10 @@ func TestValidateAuthenticationConfiguration(t *testing.T) {
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StructuredAuthenticationConfigurationEgressSelector, *tt.structuredAuthnEgressSelectorFeatureOverride)
 			}
 			if tt.gaOnly {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", false)
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", false)
+				featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+					"AllAlpha": false,
+					"AllBeta":  false,
+				})
 			}
 			got := ValidateAuthenticationConfiguration(authenticationcel.NewDefaultCompiler(), tt.in, tt.disallowedIssuers).ToAggregate()
 			if d := cmp.Diff(tt.want, errString(got)); d != "" {
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
index 17a398ed8a40d..dfc9c4fd23c71 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/types.go
@@ -97,6 +97,10 @@ type Event struct {
 	// Impersonated user information.
 	// +optional
 	ImpersonatedUser *authnv1.UserInfo
+	// AuthenticationMetadata contains details about how the request was authenticated.
+	// +optional
+	AuthenticationMetadata *AuthenticationMetadata
+
 	// Source IPs, from where the request originated and intermediate proxies.
 	// The source IPs are listed from (in order):
 	// 1. X-Forwarded-For request header IPs
@@ -147,6 +151,13 @@ type Event struct {
 	Annotations map[string]string
 }
 
+type AuthenticationMetadata struct {
+	// ImpersonationConstraint is the verb associated with the constrained impersonation mode that was used to authorize
+	// the ImpersonatedUser associated with this audit event.  It is only set when constrained impersonation was used.
+	// +optional
+	ImpersonationConstraint string
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // EventList is a list of audit Events.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/doc.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/doc.go
index 6c719b8472948..7e4e08af12466 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/doc.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/doc.go
@@ -19,6 +19,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/apiserver/pkg/apis/audit
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.apiserver.pkg.apis.audit.v1
 
 // +groupName=audit.k8s.io
 
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go
index 27dab8c09ba1b..9b6bb0a26309e 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.pb.go
@@ -23,14 +23,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/api/authentication/v1"
 	v11 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -38,310 +36,48 @@ import (
 	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AuthenticationMetadata) Reset() { *m = AuthenticationMetadata{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *Event) Reset() { *m = Event{} }
 
-func (m *Event) Reset()      { *m = Event{} }
-func (*Event) ProtoMessage() {}
-func (*Event) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{0}
-}
-func (m *Event) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Event) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Event) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Event.Merge(m, src)
-}
-func (m *Event) XXX_Size() int {
-	return m.Size()
-}
-func (m *Event) XXX_DiscardUnknown() {
-	xxx_messageInfo_Event.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Event proto.InternalMessageInfo
-
-func (m *EventList) Reset()      { *m = EventList{} }
-func (*EventList) ProtoMessage() {}
-func (*EventList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{1}
-}
-func (m *EventList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EventList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EventList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EventList.Merge(m, src)
-}
-func (m *EventList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EventList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EventList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EventList proto.InternalMessageInfo
-
-func (m *GroupResources) Reset()      { *m = GroupResources{} }
-func (*GroupResources) ProtoMessage() {}
-func (*GroupResources) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{2}
-}
-func (m *GroupResources) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupResources) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupResources) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupResources.Merge(m, src)
-}
-func (m *GroupResources) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupResources) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupResources.DiscardUnknown(m)
-}
+func (m *EventList) Reset() { *m = EventList{} }
 
-var xxx_messageInfo_GroupResources proto.InternalMessageInfo
+func (m *GroupResources) Reset() { *m = GroupResources{} }
 
-func (m *ObjectReference) Reset()      { *m = ObjectReference{} }
-func (*ObjectReference) ProtoMessage() {}
-func (*ObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{3}
-}
-func (m *ObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ObjectReference.Merge(m, src)
-}
-func (m *ObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ObjectReference.DiscardUnknown(m)
-}
+func (m *ObjectReference) Reset() { *m = ObjectReference{} }
 
-var xxx_messageInfo_ObjectReference proto.InternalMessageInfo
+func (m *Policy) Reset() { *m = Policy{} }
 
-func (m *Policy) Reset()      { *m = Policy{} }
-func (*Policy) ProtoMessage() {}
-func (*Policy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{4}
-}
-func (m *Policy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Policy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Policy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Policy.Merge(m, src)
-}
-func (m *Policy) XXX_Size() int {
-	return m.Size()
-}
-func (m *Policy) XXX_DiscardUnknown() {
-	xxx_messageInfo_Policy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Policy proto.InternalMessageInfo
-
-func (m *PolicyList) Reset()      { *m = PolicyList{} }
-func (*PolicyList) ProtoMessage() {}
-func (*PolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{5}
-}
-func (m *PolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyList.Merge(m, src)
-}
-func (m *PolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyList.DiscardUnknown(m)
-}
+func (m *PolicyList) Reset() { *m = PolicyList{} }
 
-var xxx_messageInfo_PolicyList proto.InternalMessageInfo
+func (m *PolicyRule) Reset() { *m = PolicyRule{} }
 
-func (m *PolicyRule) Reset()      { *m = PolicyRule{} }
-func (*PolicyRule) ProtoMessage() {}
-func (*PolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_62937bb89ca7b6dd, []int{6}
-}
-func (m *PolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
+func (m *AuthenticationMetadata) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
 	if err != nil {
 		return nil, err
 	}
-	return b[:n], nil
-}
-func (m *PolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRule.Merge(m, src)
-}
-func (m *PolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PolicyRule proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Event)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.Event")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.Event.AnnotationsEntry")
-	proto.RegisterType((*EventList)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.EventList")
-	proto.RegisterType((*GroupResources)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.GroupResources")
-	proto.RegisterType((*ObjectReference)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.ObjectReference")
-	proto.RegisterType((*Policy)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.Policy")
-	proto.RegisterType((*PolicyList)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.PolicyList")
-	proto.RegisterType((*PolicyRule)(nil), "k8s.io.apiserver.pkg.apis.audit.v1.PolicyRule")
+	return dAtA[:n], nil
 }
 
-func init() {
-	proto.RegisterFile("k8s.io/apiserver/pkg/apis/audit/v1/generated.proto", fileDescriptor_62937bb89ca7b6dd)
+func (m *AuthenticationMetadata) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
 }
 
-var fileDescriptor_62937bb89ca7b6dd = []byte{
-	// 1275 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x57, 0xcf, 0x6f, 0x1b, 0xd5,
-	0x13, 0xcf, 0xc6, 0x71, 0x63, 0x8f, 0x1b, 0xc7, 0x79, 0xed, 0xf7, 0xdb, 0x25, 0x07, 0xdb, 0x18,
-	0x09, 0x05, 0x08, 0xeb, 0xd6, 0x14, 0x5a, 0x55, 0x02, 0xc9, 0xa6, 0xa5, 0xb5, 0xd4, 0xa6, 0xd1,
-	0x33, 0xee, 0x01, 0x71, 0xe8, 0x7a, 0x3d, 0xb5, 0x97, 0xd8, 0xbb, 0xdb, 0x7d, 0x6f, 0x8d, 0x72,
-	0xe3, 0x1f, 0x40, 0xe2, 0xce, 0x7f, 0xc1, 0x0d, 0x71, 0xe2, 0x96, 0x63, 0x8f, 0x3d, 0x59, 0xc4,
-	0xf0, 0x57, 0xe4, 0x80, 0xd0, 0x7b, 0xfb, 0xf6, 0x87, 0x9d, 0x58, 0x71, 0x38, 0x70, 0xf3, 0x9b,
-	0xf9, 0x7c, 0x3e, 0x33, 0x3b, 0x3b, 0x33, 0x6f, 0x0d, 0x8d, 0xa3, 0xfb, 0xcc, 0xb0, 0xdd, 0xba,
-	0xe9, 0xd9, 0x0c, 0xfd, 0x09, 0xfa, 0x75, 0xef, 0x68, 0x20, 0x4f, 0x75, 0x33, 0xe8, 0xdb, 0xbc,
-	0x3e, 0xb9, 0x53, 0x1f, 0xa0, 0x83, 0xbe, 0xc9, 0xb1, 0x6f, 0x78, 0xbe, 0xcb, 0x5d, 0x52, 0x0b,
-	0x39, 0x46, 0xcc, 0x31, 0xbc, 0xa3, 0x81, 0x3c, 0x19, 0x92, 0x63, 0x4c, 0xee, 0xec, 0x7e, 0x3c,
-	0xb0, 0xf9, 0x30, 0xe8, 0x19, 0x96, 0x3b, 0xae, 0x0f, 0xdc, 0x81, 0x5b, 0x97, 0xd4, 0x5e, 0xf0,
-	0x4a, 0x9e, 0xe4, 0x41, 0xfe, 0x0a, 0x25, 0x77, 0xf7, 0x93, 0x34, 0xea, 0x66, 0xc0, 0x87, 0xe8,
-	0x70, 0xdb, 0x32, 0xb9, 0xed, 0x3a, 0x17, 0x24, 0xb0, 0x7b, 0x37, 0x41, 0x8f, 0x4d, 0x6b, 0x68,
-	0x3b, 0xe8, 0x1f, 0x27, 0x79, 0x8f, 0x91, 0x9b, 0x17, 0xb1, 0xea, 0xcb, 0x58, 0x7e, 0xe0, 0x70,
-	0x7b, 0x8c, 0xe7, 0x08, 0x9f, 0x5d, 0x46, 0x60, 0xd6, 0x10, 0xc7, 0xe6, 0x22, 0xaf, 0xf6, 0x17,
-	0x40, 0xf6, 0xd1, 0x04, 0x1d, 0x4e, 0xf6, 0x21, 0x3b, 0xc2, 0x09, 0x8e, 0x74, 0xad, 0xaa, 0xed,
-	0xe5, 0x5b, 0xff, 0x3f, 0x99, 0x56, 0xd6, 0x66, 0xd3, 0x4a, 0xf6, 0xa9, 0x30, 0x9e, 0x45, 0x3f,
-	0x68, 0x08, 0x22, 0x07, 0xb0, 0x29, 0xeb, 0xd7, 0x7e, 0xa8, 0xaf, 0x4b, 0xfc, 0x5d, 0x85, 0xdf,
-	0x6c, 0x86, 0xe6, 0xb3, 0x69, 0xe5, 0xdd, 0x65, 0x39, 0xf1, 0x63, 0x0f, 0x99, 0xd1, 0x6d, 0x3f,
-	0xa4, 0x91, 0x88, 0x88, 0xce, 0xb8, 0x39, 0x40, 0x3d, 0x33, 0x1f, 0xbd, 0x23, 0x8c, 0x67, 0xd1,
-	0x0f, 0x1a, 0x82, 0x48, 0x03, 0xc0, 0xc7, 0xd7, 0x01, 0x32, 0xde, 0xa5, 0x6d, 0x7d, 0x43, 0x52,
-	0x88, 0xa2, 0x00, 0x8d, 0x3d, 0x34, 0x85, 0x22, 0x55, 0xd8, 0x98, 0xa0, 0xdf, 0xd3, 0xb3, 0x12,
-	0x7d, 0x5d, 0xa1, 0x37, 0x5e, 0xa0, 0xdf, 0xa3, 0xd2, 0x43, 0x9e, 0xc0, 0x46, 0xc0, 0xd0, 0xd7,
-	0xaf, 0x55, 0xb5, 0xbd, 0x42, 0xe3, 0x7d, 0x23, 0x69, 0x1d, 0x63, 0xfe, 0x3d, 0x1b, 0x93, 0x3b,
-	0x46, 0x97, 0xa1, 0xdf, 0x76, 0x5e, 0xb9, 0x89, 0x92, 0xb0, 0x50, 0xa9, 0x40, 0x86, 0x50, 0xb2,
-	0xc7, 0x1e, 0xfa, 0xcc, 0x75, 0x44, 0xad, 0x85, 0x47, 0xdf, 0xbc, 0x92, 0xea, 0xcd, 0xd9, 0xb4,
-	0x52, 0x6a, 0x2f, 0x68, 0xd0, 0x73, 0xaa, 0xe4, 0x23, 0xc8, 0x33, 0x37, 0xf0, 0x2d, 0x6c, 0x1f,
-	0x32, 0x3d, 0x57, 0xcd, 0xec, 0xe5, 0x5b, 0x5b, 0xb3, 0x69, 0x25, 0xdf, 0x89, 0x8c, 0x34, 0xf1,
-	0x93, 0x3a, 0xe4, 0x45, 0x7a, 0xcd, 0x01, 0x3a, 0x5c, 0x2f, 0xc9, 0x3a, 0xec, 0xa8, 0xec, 0xf3,
-	0xdd, 0xc8, 0x41, 0x13, 0x0c, 0x79, 0x09, 0x79, 0xb7, 0xf7, 0x1d, 0x5a, 0x9c, 0xe2, 0x2b, 0x3d,
-	0x2f, 0x1f, 0xe0, 0x13, 0xe3, 0xf2, 0x89, 0x32, 0x9e, 0x47, 0x24, 0xf4, 0xd1, 0xb1, 0x30, 0x4c,
-	0x29, 0x36, 0xd2, 0x44, 0x94, 0x0c, 0xa1, 0xe8, 0x23, 0xf3, 0x5c, 0x87, 0x61, 0x87, 0x9b, 0x3c,
-	0x60, 0x3a, 0xc8, 0x30, 0xfb, 0xa9, 0x30, 0x71, 0xf3, 0x24, 0x91, 0xc4, 0xdc, 0x88, 0x40, 0x21,
-	0xa7, 0x45, 0x66, 0xd3, 0x4a, 0x91, 0xce, 0xe9, 0xd0, 0x05, 0x5d, 0x62, 0xc2, 0x96, 0xea, 0x86,
-	0x30, 0x11, 0xbd, 0x20, 0x03, 0xed, 0x2d, 0x0d, 0xa4, 0x26, 0xc7, 0xe8, 0x3a, 0x47, 0x8e, 0xfb,
-	0xbd, 0xd3, 0xda, 0x99, 0x4d, 0x2b, 0x5b, 0x34, 0x2d, 0x41, 0xe7, 0x15, 0x49, 0x3f, 0x79, 0x18,
-	0x15, 0xe3, 0xfa, 0x15, 0x63, 0xcc, 0x3d, 0x88, 0x0a, 0xb2, 0xa0, 0x49, 0x7e, 0xd4, 0x40, 0x57,
-	0x71, 0x29, 0x5a, 0x68, 0x4f, 0xb0, 0xff, 0xb5, 0x3d, 0x46, 0xc6, 0xcd, 0xb1, 0xa7, 0x6f, 0xc9,
-	0x80, 0xf5, 0xd5, 0xaa, 0xf7, 0xcc, 0xb6, 0x7c, 0x57, 0x70, 0x5b, 0x55, 0xd5, 0x06, 0x3a, 0x5d,
-	0x22, 0x4c, 0x97, 0x86, 0x24, 0x2e, 0x14, 0xe5, 0x54, 0x26, 0x49, 0x14, 0xff, 0x5d, 0x12, 0xd1,
-	0xd0, 0x17, 0x3b, 0x73, 0x72, 0x74, 0x41, 0x9e, 0xbc, 0x86, 0x82, 0xe9, 0x38, 0x2e, 0x97, 0x53,
-	0xc3, 0xf4, 0xed, 0x6a, 0x66, 0xaf, 0xd0, 0x78, 0xb0, 0x4a, 0x5f, 0xca, 0x4d, 0x67, 0x34, 0x13,
-	0xf2, 0x23, 0x87, 0xfb, 0xc7, 0xad, 0x1b, 0x2a, 0x70, 0x21, 0xe5, 0xa1, 0xe9, 0x18, 0xbb, 0x5f,
-	0x40, 0x69, 0x91, 0x45, 0x4a, 0x90, 0x39, 0xc2, 0xe3, 0x70, 0x5d, 0x52, 0xf1, 0x93, 0xdc, 0x84,
-	0xec, 0xc4, 0x1c, 0x05, 0x18, 0xae, 0x44, 0x1a, 0x1e, 0x1e, 0xac, 0xdf, 0xd7, 0x6a, 0xbf, 0x6a,
-	0x90, 0x97, 0xc1, 0x9f, 0xda, 0x8c, 0x93, 0x6f, 0x21, 0x27, 0x9e, 0xbe, 0x6f, 0x72, 0x53, 0xd2,
-	0x0b, 0x0d, 0x63, 0xb5, 0x5a, 0x09, 0xf6, 0x33, 0xe4, 0x66, 0xab, 0xa4, 0x32, 0xce, 0x45, 0x16,
-	0x1a, 0x2b, 0x92, 0x03, 0xc8, 0xda, 0x1c, 0xc7, 0x4c, 0x5f, 0x97, 0x85, 0xf9, 0x60, 0xe5, 0xc2,
-	0xb4, 0xb6, 0xa2, 0xad, 0xdb, 0x16, 0x7c, 0x1a, 0xca, 0xd4, 0x7e, 0xd6, 0xa0, 0xf8, 0xd8, 0x77,
-	0x03, 0x8f, 0x62, 0xb8, 0x4a, 0x18, 0x79, 0x0f, 0xb2, 0x03, 0x61, 0x51, 0x77, 0x45, 0xcc, 0x0b,
-	0x61, 0xa1, 0x4f, 0xac, 0x26, 0x3f, 0x62, 0xc8, 0x5c, 0xd4, 0x6a, 0x8a, 0x65, 0x68, 0xe2, 0x27,
-	0xf7, 0xc4, 0x74, 0x86, 0x87, 0x03, 0x73, 0x8c, 0x4c, 0xcf, 0x48, 0x82, 0x9a, 0xb9, 0x94, 0x83,
-	0xce, 0xe3, 0x6a, 0xbf, 0x64, 0x60, 0x7b, 0x61, 0xdd, 0x90, 0x7d, 0xc8, 0x45, 0x20, 0x95, 0x61,
-	0x5c, 0xaf, 0x48, 0x8b, 0xc6, 0x08, 0xb1, 0x15, 0x1d, 0x21, 0xe5, 0x99, 0x96, 0x7a, 0x73, 0xc9,
-	0x56, 0x3c, 0x88, 0x1c, 0x34, 0xc1, 0x88, 0x9b, 0x44, 0x1c, 0xd4, 0x55, 0x15, 0xef, 0x7f, 0x81,
-	0xa5, 0xd2, 0x43, 0x5a, 0x90, 0x09, 0xec, 0xbe, 0xba, 0x98, 0x6e, 0x2b, 0x40, 0xa6, 0xbb, 0xea,
-	0xad, 0x28, 0xc8, 0xe2, 0x21, 0x4c, 0xcf, 0x96, 0x15, 0x55, 0x77, 0x56, 0xfc, 0x10, 0xcd, 0xc3,
-	0x76, 0x58, 0xe9, 0x18, 0x21, 0x6e, 0x44, 0xd3, 0xb3, 0x5f, 0xa0, 0xcf, 0x6c, 0xd7, 0x91, 0x37,
-	0x58, 0xea, 0x46, 0x6c, 0x1e, 0xb6, 0x95, 0x87, 0xa6, 0x50, 0xa4, 0x09, 0xdb, 0x51, 0x11, 0x22,
-	0xe2, 0xa6, 0x24, 0xde, 0x52, 0xc4, 0x6d, 0x3a, 0xef, 0xa6, 0x8b, 0x78, 0xf2, 0x29, 0x14, 0x58,
-	0xd0, 0x8b, 0x8b, 0x9d, 0x93, 0xf4, 0x78, 0x9c, 0x3a, 0x89, 0x8b, 0xa6, 0x71, 0xb5, 0xdf, 0xd7,
-	0xe1, 0xda, 0xa1, 0x3b, 0xb2, 0xad, 0x63, 0xf2, 0xf2, 0xdc, 0x2c, 0xdc, 0x5e, 0x6d, 0x16, 0xc2,
-	0x97, 0x2e, 0xa7, 0x21, 0x7e, 0xd0, 0xc4, 0x96, 0x9a, 0x87, 0x0e, 0x64, 0xfd, 0x60, 0x84, 0xd1,
-	0x3c, 0x18, 0xab, 0xcc, 0x43, 0x98, 0x1c, 0x0d, 0x46, 0x98, 0x34, 0xb7, 0x38, 0x31, 0x1a, 0x6a,
-	0x91, 0x7b, 0x00, 0xee, 0xd8, 0xe6, 0x72, 0x53, 0x45, 0xcd, 0x7a, 0x4b, 0xa6, 0x10, 0x5b, 0x93,
-	0xaf, 0x96, 0x14, 0x94, 0x3c, 0x86, 0x1d, 0x71, 0x7a, 0x66, 0x3a, 0xe6, 0x00, 0xfb, 0x5f, 0xd9,
-	0x38, 0xea, 0x33, 0xd9, 0x28, 0xb9, 0xd6, 0x3b, 0x2a, 0xd2, 0xce, 0xf3, 0x45, 0x00, 0x3d, 0xcf,
-	0xa9, 0xfd, 0xa6, 0x01, 0x84, 0x69, 0xfe, 0x07, 0x3b, 0xe5, 0xf9, 0xfc, 0x4e, 0xf9, 0x70, 0xf5,
-	0x1a, 0x2e, 0x59, 0x2a, 0x7f, 0x67, 0xa2, 0xec, 0x45, 0x59, 0xaf, 0xf8, 0xf1, 0x59, 0x81, 0xac,
-	0xf8, 0x46, 0x89, 0xb6, 0x4a, 0x5e, 0x20, 0xc5, 0xf7, 0x0b, 0xa3, 0xa1, 0x9d, 0x18, 0x00, 0xe2,
-	0x87, 0x1c, 0x8d, 0xe8, 0xed, 0x14, 0xc5, 0xdb, 0xe9, 0xc6, 0x56, 0x9a, 0x42, 0x08, 0x41, 0xf1,
-	0x05, 0x28, 0x5e, 0x44, 0x2c, 0x28, 0x3e, 0x0c, 0x19, 0x0d, 0xed, 0xc4, 0x4a, 0xef, 0xb2, 0xac,
-	0xac, 0x41, 0x63, 0x95, 0x1a, 0xcc, 0xef, 0xcd, 0x64, 0xaf, 0x5c, 0xb8, 0x03, 0x0d, 0x80, 0x78,
-	0xc9, 0x30, 0xfd, 0x5a, 0x92, 0x75, 0xbc, 0x85, 0x18, 0x4d, 0x21, 0xc8, 0xe7, 0xb0, 0xed, 0xb8,
-	0x4e, 0x24, 0xd5, 0xa5, 0x4f, 0x99, 0xbe, 0x29, 0x49, 0x37, 0xc4, 0xec, 0x1e, 0xcc, 0xbb, 0xe8,
-	0x22, 0x76, 0xa1, 0x85, 0x73, 0xab, 0xb7, 0xf0, 0x97, 0x17, 0xb5, 0x70, 0x5e, 0xb6, 0xf0, 0xff,
-	0x56, 0x6d, 0xdf, 0xd6, 0x93, 0x93, 0xd3, 0xf2, 0xda, 0x9b, 0xd3, 0xf2, 0xda, 0xdb, 0xd3, 0xf2,
-	0xda, 0x0f, 0xb3, 0xb2, 0x76, 0x32, 0x2b, 0x6b, 0x6f, 0x66, 0x65, 0xed, 0xed, 0xac, 0xac, 0xfd,
-	0x31, 0x2b, 0x6b, 0x3f, 0xfd, 0x59, 0x5e, 0xfb, 0xa6, 0x76, 0xf9, 0x5f, 0xbe, 0x7f, 0x02, 0x00,
-	0x00, 0xff, 0xff, 0x81, 0x06, 0x4f, 0x58, 0x17, 0x0e, 0x00, 0x00,
+func (m *AuthenticationMetadata) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i -= len(m.ImpersonationConstraint)
+	copy(dAtA[i:], m.ImpersonationConstraint)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ImpersonationConstraint)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
 }
 
 func (m *Event) Marshal() (dAtA []byte, err error) {
@@ -364,6 +100,20 @@ func (m *Event) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.AuthenticationMetadata != nil {
+		{
+			size, err := m.AuthenticationMetadata.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x8a
+	}
 	i -= len(m.UserAgent)
 	copy(dAtA[i:], m.UserAgent)
 	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UserAgent)))
@@ -376,7 +126,7 @@ func (m *Event) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Annotations {
 			keysForAnnotations = append(keysForAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		sort.Strings(keysForAnnotations)
 		for iNdEx := len(keysForAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Annotations[string(keysForAnnotations[iNdEx])]
 			baseI := i
@@ -906,6 +656,17 @@ func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
 	dAtA[offset] = uint8(v)
 	return base
 }
+func (m *AuthenticationMetadata) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.ImpersonationConstraint)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
 func (m *Event) Size() (n int) {
 	if m == nil {
 		return 0
@@ -964,6 +725,10 @@ func (m *Event) Size() (n int) {
 	}
 	l = len(m.UserAgent)
 	n += 2 + l + sovGenerated(uint64(l))
+	if m.AuthenticationMetadata != nil {
+		l = m.AuthenticationMetadata.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -1135,6 +900,16 @@ func sovGenerated(x uint64) (n int) {
 func sozGenerated(x uint64) (n int) {
 	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
 }
+func (this *AuthenticationMetadata) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AuthenticationMetadata{`,
+		`ImpersonationConstraint:` + fmt.Sprintf("%v", this.ImpersonationConstraint) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *Event) String() string {
 	if this == nil {
 		return "nil"
@@ -1143,7 +918,7 @@ func (this *Event) String() string {
 	for k := range this.Annotations {
 		keysForAnnotations = append(keysForAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	sort.Strings(keysForAnnotations)
 	mapStringForAnnotations := "map[string]string{"
 	for _, k := range keysForAnnotations {
 		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
@@ -1166,6 +941,7 @@ func (this *Event) String() string {
 		`StageTimestamp:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.StageTimestamp), "MicroTime", "v11.MicroTime", 1), `&`, ``, 1) + `,`,
 		`Annotations:` + mapStringForAnnotations + `,`,
 		`UserAgent:` + fmt.Sprintf("%v", this.UserAgent) + `,`,
+		`AuthenticationMetadata:` + strings.Replace(this.AuthenticationMetadata.String(), "AuthenticationMetadata", "AuthenticationMetadata", 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -1280,6 +1056,88 @@ func valueToStringGenerated(v interface{}) string {
 	pv := reflect.Indirect(rv).Interface()
 	return fmt.Sprintf("*%v", pv)
 }
+func (m *AuthenticationMetadata) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AuthenticationMetadata: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AuthenticationMetadata: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImpersonationConstraint", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImpersonationConstraint = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *Event) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -1939,6 +1797,42 @@ func (m *Event) Unmarshal(dAtA []byte) error {
 			}
 			m.UserAgent = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AuthenticationMetadata", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AuthenticationMetadata == nil {
+				m.AuthenticationMetadata = &AuthenticationMetadata{}
+			}
+			if err := m.AuthenticationMetadata.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
index 032c5869139a1..632db99862e81 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
@@ -29,6 +29,13 @@ import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "k8s.io/apiserver/pkg/apis/audit/v1";
 
+message AuthenticationMetadata {
+  // ImpersonationConstraint is the verb associated with the constrained impersonation mode that was used to authorize
+  // the ImpersonatedUser associated with this audit event.  It is only set when constrained impersonation was used.
+  // +optional
+  optional string impersonationConstraint = 1;
+}
+
 // Event captures all the information that can be included in an API audit log.
 message Event {
   // AuditLevel at which event was generated
@@ -54,6 +61,10 @@ message Event {
   // +optional
   optional .k8s.io.api.authentication.v1.UserInfo impersonatedUser = 7;
 
+  // AuthenticationMetadata contains details about how the request was authenticated.
+  // +optional
+  optional AuthenticationMetadata authenticationMetadata = 17;
+
   // Source IPs, from where the request originated and intermediate proxies.
   // The source IPs are listed from (in order):
   // 1. X-Forwarded-For request header IPs
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..93920227e1f25
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.protomessage.pb.go
@@ -0,0 +1,38 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AuthenticationMetadata) ProtoMessage() {}
+
+func (*Event) ProtoMessage() {}
+
+func (*EventList) ProtoMessage() {}
+
+func (*GroupResources) ProtoMessage() {}
+
+func (*ObjectReference) ProtoMessage() {}
+
+func (*Policy) ProtoMessage() {}
+
+func (*PolicyList) ProtoMessage() {}
+
+func (*PolicyRule) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
index ae122d6c4db29..28d3f2ace370d 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
@@ -90,6 +90,9 @@ type Event struct {
 	// Impersonated user information.
 	// +optional
 	ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,7,opt,name=impersonatedUser"`
+	// AuthenticationMetadata contains details about how the request was authenticated.
+	// +optional
+	AuthenticationMetadata *AuthenticationMetadata `json:"authenticationMetadata,omitempty" protobuf:"bytes,17,opt,name=authenticationMetadata"`
 	// Source IPs, from where the request originated and intermediate proxies.
 	// The source IPs are listed from (in order):
 	// 1. X-Forwarded-For request header IPs
@@ -142,6 +145,13 @@ type Event struct {
 	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,15,rep,name=annotations"`
 }
 
+type AuthenticationMetadata struct {
+	// ImpersonationConstraint is the verb associated with the constrained impersonation mode that was used to authorize
+	// the ImpersonatedUser associated with this audit event.  It is only set when constrained impersonation was used.
+	// +optional
+	ImpersonationConstraint string `json:"impersonationConstraint,omitempty" protobuf:"bytes,1,opt,name=impersonationConstraint"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // EventList is a list of audit Events.
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go
index 53cbb02084efe..904d9c12bc420 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.conversion.go
@@ -39,6 +39,16 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
+	if err := s.AddGeneratedConversionFunc((*AuthenticationMetadata)(nil), (*audit.AuthenticationMetadata)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_AuthenticationMetadata_To_audit_AuthenticationMetadata(a.(*AuthenticationMetadata), b.(*audit.AuthenticationMetadata), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*audit.AuthenticationMetadata)(nil), (*AuthenticationMetadata)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_audit_AuthenticationMetadata_To_v1_AuthenticationMetadata(a.(*audit.AuthenticationMetadata), b.(*AuthenticationMetadata), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*Event)(nil), (*audit.Event)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1_Event_To_audit_Event(a.(*Event), b.(*audit.Event), scope)
 	}); err != nil {
@@ -112,6 +122,26 @@ func RegisterConversions(s *runtime.Scheme) error {
 	return nil
 }
 
+func autoConvert_v1_AuthenticationMetadata_To_audit_AuthenticationMetadata(in *AuthenticationMetadata, out *audit.AuthenticationMetadata, s conversion.Scope) error {
+	out.ImpersonationConstraint = in.ImpersonationConstraint
+	return nil
+}
+
+// Convert_v1_AuthenticationMetadata_To_audit_AuthenticationMetadata is an autogenerated conversion function.
+func Convert_v1_AuthenticationMetadata_To_audit_AuthenticationMetadata(in *AuthenticationMetadata, out *audit.AuthenticationMetadata, s conversion.Scope) error {
+	return autoConvert_v1_AuthenticationMetadata_To_audit_AuthenticationMetadata(in, out, s)
+}
+
+func autoConvert_audit_AuthenticationMetadata_To_v1_AuthenticationMetadata(in *audit.AuthenticationMetadata, out *AuthenticationMetadata, s conversion.Scope) error {
+	out.ImpersonationConstraint = in.ImpersonationConstraint
+	return nil
+}
+
+// Convert_audit_AuthenticationMetadata_To_v1_AuthenticationMetadata is an autogenerated conversion function.
+func Convert_audit_AuthenticationMetadata_To_v1_AuthenticationMetadata(in *audit.AuthenticationMetadata, out *AuthenticationMetadata, s conversion.Scope) error {
+	return autoConvert_audit_AuthenticationMetadata_To_v1_AuthenticationMetadata(in, out, s)
+}
+
 func autoConvert_v1_Event_To_audit_Event(in *Event, out *audit.Event, s conversion.Scope) error {
 	out.Level = audit.Level(in.Level)
 	out.AuditID = types.UID(in.AuditID)
@@ -120,6 +150,7 @@ func autoConvert_v1_Event_To_audit_Event(in *Event, out *audit.Event, s conversi
 	out.Verb = in.Verb
 	out.User = in.User
 	out.ImpersonatedUser = (*authenticationv1.UserInfo)(unsafe.Pointer(in.ImpersonatedUser))
+	out.AuthenticationMetadata = (*audit.AuthenticationMetadata)(unsafe.Pointer(in.AuthenticationMetadata))
 	out.SourceIPs = *(*[]string)(unsafe.Pointer(&in.SourceIPs))
 	out.UserAgent = in.UserAgent
 	out.ObjectRef = (*audit.ObjectReference)(unsafe.Pointer(in.ObjectRef))
@@ -145,6 +176,7 @@ func autoConvert_audit_Event_To_v1_Event(in *audit.Event, out *Event, s conversi
 	out.Verb = in.Verb
 	out.User = in.User
 	out.ImpersonatedUser = (*authenticationv1.UserInfo)(unsafe.Pointer(in.ImpersonatedUser))
+	out.AuthenticationMetadata = (*AuthenticationMetadata)(unsafe.Pointer(in.AuthenticationMetadata))
 	out.SourceIPs = *(*[]string)(unsafe.Pointer(&in.SourceIPs))
 	out.UserAgent = in.UserAgent
 	out.ObjectRef = (*ObjectReference)(unsafe.Pointer(in.ObjectRef))
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go
index 0b1b0052d5872..5b0c1fe1a9051 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.deepcopy.go
@@ -27,6 +27,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationMetadata) DeepCopyInto(out *AuthenticationMetadata) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationMetadata.
+func (in *AuthenticationMetadata) DeepCopy() *AuthenticationMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Event) DeepCopyInto(out *Event) {
 	*out = *in
@@ -37,6 +53,11 @@ func (in *Event) DeepCopyInto(out *Event) {
 		*out = new(authenticationv1.UserInfo)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.AuthenticationMetadata != nil {
+		in, out := &in.AuthenticationMetadata, &out.AuthenticationMetadata
+		*out = new(AuthenticationMetadata)
+		**out = **in
+	}
 	if in.SourceIPs != nil {
 		in, out := &in.SourceIPs, &out.SourceIPs
 		*out = make([]string, len(*in))
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.model_name.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b4f3d3823363a
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/v1/zz_generated.model_name.go
@@ -0,0 +1,62 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AuthenticationMetadata) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.AuthenticationMetadata"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Event) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.Event"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EventList) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.EventList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupResources) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.GroupResources"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ObjectReference) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.ObjectReference"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Policy) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.Policy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyList) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.PolicyList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PolicyRule) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.apis.audit.v1.PolicyRule"
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go
index 81d5add47d71e..f8edfca4912c2 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/audit/zz_generated.deepcopy.go
@@ -27,6 +27,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthenticationMetadata) DeepCopyInto(out *AuthenticationMetadata) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationMetadata.
+func (in *AuthenticationMetadata) DeepCopy() *AuthenticationMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthenticationMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Event) DeepCopyInto(out *Event) {
 	*out = *in
@@ -37,6 +53,11 @@ func (in *Event) DeepCopyInto(out *Event) {
 		*out = new(v1.UserInfo)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.AuthenticationMetadata != nil {
+		in, out := &in.AuthenticationMetadata, &out.AuthenticationMetadata
+		*out = new(AuthenticationMetadata)
+		**out = **in
+	}
 	if in.SourceIPs != nil {
 		in, out := &in.SourceIPs, &out.SourceIPs
 		*out = make([]string, len(*in))
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.pb.go
index 494413a146b4c..15e75a3921936 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.pb.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.pb.go
@@ -23,249 +23,24 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Pod) Reset() { *m = Pod{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *PodCondition) Reset() { *m = PodCondition{} }
 
-func (m *Pod) Reset()      { *m = Pod{} }
-func (*Pod) ProtoMessage() {}
-func (*Pod) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0604dbfc428ecfb, []int{0}
-}
-func (m *Pod) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Pod) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Pod) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Pod.Merge(m, src)
-}
-func (m *Pod) XXX_Size() int {
-	return m.Size()
-}
-func (m *Pod) XXX_DiscardUnknown() {
-	xxx_messageInfo_Pod.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Pod proto.InternalMessageInfo
-
-func (m *PodCondition) Reset()      { *m = PodCondition{} }
-func (*PodCondition) ProtoMessage() {}
-func (*PodCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0604dbfc428ecfb, []int{1}
-}
-func (m *PodCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodCondition.Merge(m, src)
-}
-func (m *PodCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodCondition proto.InternalMessageInfo
-
-func (m *PodList) Reset()      { *m = PodList{} }
-func (*PodList) ProtoMessage() {}
-func (*PodList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0604dbfc428ecfb, []int{2}
-}
-func (m *PodList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodList.Merge(m, src)
-}
-func (m *PodList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodList.DiscardUnknown(m)
-}
+func (m *PodList) Reset() { *m = PodList{} }
 
-var xxx_messageInfo_PodList proto.InternalMessageInfo
+func (m *PodSpec) Reset() { *m = PodSpec{} }
 
-func (m *PodSpec) Reset()      { *m = PodSpec{} }
-func (*PodSpec) ProtoMessage() {}
-func (*PodSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0604dbfc428ecfb, []int{3}
-}
-func (m *PodSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSpec.Merge(m, src)
-}
-func (m *PodSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSpec proto.InternalMessageInfo
-
-func (m *PodStatus) Reset()      { *m = PodStatus{} }
-func (*PodStatus) ProtoMessage() {}
-func (*PodStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0604dbfc428ecfb, []int{4}
-}
-func (m *PodStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodStatus.Merge(m, src)
-}
-func (m *PodStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Pod)(nil), "k8s.io.apiserver.pkg.apis.example.v1.Pod")
-	proto.RegisterType((*PodCondition)(nil), "k8s.io.apiserver.pkg.apis.example.v1.PodCondition")
-	proto.RegisterType((*PodList)(nil), "k8s.io.apiserver.pkg.apis.example.v1.PodList")
-	proto.RegisterType((*PodSpec)(nil), "k8s.io.apiserver.pkg.apis.example.v1.PodSpec")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.apiserver.pkg.apis.example.v1.PodSpec.NodeSelectorEntry")
-	proto.RegisterType((*PodStatus)(nil), "k8s.io.apiserver.pkg.apis.example.v1.PodStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apiserver/pkg/apis/example/v1/generated.proto", fileDescriptor_c0604dbfc428ecfb)
-}
-
-var fileDescriptor_c0604dbfc428ecfb = []byte{
-	// 1039 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0xcf, 0x6e, 0xdb, 0xc6,
-	0x13, 0x36, 0x2d, 0xcb, 0x92, 0xd6, 0x56, 0x62, 0x6f, 0x62, 0x80, 0x31, 0x10, 0xc9, 0xd1, 0x2f,
-	0x30, 0x9c, 0x1f, 0x1a, 0xb2, 0x36, 0xd2, 0x22, 0x6d, 0x0f, 0x41, 0x68, 0x17, 0xb5, 0x02, 0x47,
-	0x26, 0x56, 0x06, 0x02, 0x14, 0x3d, 0x74, 0x45, 0x4e, 0x24, 0x56, 0x22, 0x97, 0x20, 0x57, 0x6a,
-	0x75, 0xeb, 0x23, 0xb4, 0x0f, 0xd0, 0xa7, 0xe8, 0xa1, 0x40, 0x9f, 0xc0, 0xc7, 0x1c, 0x73, 0x12,
-	0x6a, 0xf5, 0x2d, 0x7c, 0x2a, 0x76, 0xf9, 0x47, 0xa4, 0xa5, 0xba, 0xf2, 0x6d, 0x77, 0xe6, 0xfb,
-	0xbe, 0x19, 0xcd, 0x0e, 0x67, 0x84, 0x5e, 0xf4, 0x5f, 0x86, 0x9a, 0xc3, 0x74, 0xea, 0x3b, 0x21,
-	0x04, 0x23, 0x08, 0x74, 0xbf, 0xdf, 0x95, 0x37, 0x1d, 0x7e, 0xa2, 0xae, 0x3f, 0x00, 0x7d, 0x74,
-	0xa8, 0x77, 0xc1, 0x83, 0x80, 0x72, 0xb0, 0x35, 0x3f, 0x60, 0x9c, 0xe1, 0xa7, 0x11, 0x4b, 0x4b,
-	0x59, 0x9a, 0xdf, 0xef, 0xca, 0x9b, 0x16, 0xb3, 0xb4, 0xd1, 0xe1, 0xee, 0xf3, 0xae, 0xc3, 0x7b,
-	0xc3, 0x8e, 0x66, 0x31, 0x57, 0xef, 0xb2, 0x2e, 0xd3, 0x25, 0xb9, 0x33, 0x7c, 0x2f, 0x6f, 0xf2,
-	0x22, 0x4f, 0x91, 0xe8, 0x6e, 0x26, 0x15, 0x97, 0x5a, 0x3d, 0xc7, 0x83, 0x60, 0x3c, 0xcb, 0xc6,
-	0x05, 0x4e, 0x17, 0xa4, 0xb2, 0xab, 0xff, 0x1b, 0x2b, 0x18, 0x7a, 0xdc, 0x71, 0x61, 0x8e, 0xf0,
-	0xf9, 0x7f, 0x11, 0x42, 0xab, 0x07, 0x2e, 0xbd, 0xc9, 0x6b, 0xfc, 0xba, 0x8a, 0x0a, 0x26, 0xb3,
-	0xf1, 0xf7, 0xa8, 0x2c, 0x72, 0xb1, 0x29, 0xa7, 0xaa, 0xb2, 0xa7, 0x1c, 0x6c, 0x1c, 0x7d, 0xaa,
-	0xcd, 0xca, 0x91, 0x4a, 0xce, 0x2a, 0x22, 0xd0, 0xda, 0xe8, 0x50, 0x3b, 0xef, 0xfc, 0x00, 0x16,
-	0x7f, 0x0b, 0x9c, 0x1a, 0xf8, 0x72, 0x52, 0x5f, 0x99, 0x4e, 0xea, 0x68, 0x66, 0x23, 0xa9, 0x2a,
-	0x3e, 0x47, 0x6b, 0xa1, 0x0f, 0x96, 0xba, 0x2a, 0xd5, 0x9f, 0x6b, 0xcb, 0x14, 0x5b, 0x33, 0x99,
-	0xdd, 0xf6, 0xc1, 0x32, 0x36, 0x63, 0xe9, 0x35, 0x71, 0x23, 0x52, 0x08, 0xbf, 0x43, 0xeb, 0x21,
-	0xa7, 0x7c, 0x18, 0xaa, 0x05, 0x29, 0xa9, 0x2f, 0x2f, 0x29, 0x69, 0xc6, 0xbd, 0x58, 0x74, 0x3d,
-	0xba, 0x93, 0x58, 0xae, 0xf1, 0x7b, 0x01, 0x6d, 0x9a, 0xcc, 0x3e, 0x66, 0x9e, 0xed, 0x70, 0x87,
-	0x79, 0xf8, 0x05, 0x5a, 0xe3, 0x63, 0x1f, 0x64, 0x61, 0x2a, 0xc6, 0x5e, 0x92, 0xcb, 0xc5, 0xd8,
-	0x87, 0xeb, 0x49, 0x7d, 0x2b, 0x8b, 0x15, 0x36, 0x22, 0xd1, 0xf8, 0x8b, 0x34, 0xbf, 0x55, 0xc9,
-	0x7b, 0x92, 0x0f, 0x77, 0x3d, 0xa9, 0xdf, 0x4f, 0x69, 0xf9, 0x0c, 0x70, 0x17, 0x55, 0x07, 0x34,
-	0xe4, 0x66, 0xc0, 0x3a, 0x70, 0xe1, 0xb8, 0x10, 0xff, 0xc2, 0xff, 0x2f, 0xf7, 0x24, 0x82, 0x61,
-	0xec, 0xc4, 0xd1, 0xaa, 0x67, 0x59, 0x21, 0x92, 0xd7, 0xc5, 0x23, 0x84, 0x85, 0xe1, 0x22, 0xa0,
-	0x5e, 0x18, 0xe5, 0x2f, 0xa2, 0xad, 0xdd, 0x39, 0xda, 0x6e, 0x1c, 0x0d, 0x9f, 0xcd, 0xa9, 0x91,
-	0x05, 0x11, 0xf0, 0x3e, 0x5a, 0x0f, 0x80, 0x86, 0xcc, 0x53, 0x8b, 0xb2, 0x36, 0xe9, 0x53, 0x10,
-	0x69, 0x25, 0xb1, 0x17, 0x3f, 0x43, 0x25, 0x17, 0xc2, 0x90, 0x76, 0x41, 0x5d, 0x97, 0xc0, 0xfb,
-	0x31, 0xb0, 0xf4, 0x36, 0x32, 0x93, 0xc4, 0xdf, 0xf8, 0x43, 0x41, 0x25, 0x93, 0xd9, 0x67, 0x4e,
-	0xc8, 0xf1, 0x77, 0x73, 0xdd, 0xac, 0x2d, 0xf7, 0x63, 0x04, 0x5b, 0xf6, 0xf2, 0x56, 0x1c, 0xa7,
-	0x9c, 0x58, 0x32, 0x9d, 0xdc, 0x42, 0x45, 0x87, 0x83, 0x2b, 0xde, 0xb5, 0x70, 0xb0, 0x71, 0xf4,
-	0x6c, 0xe9, 0xbe, 0x33, 0xaa, 0xb1, 0x6a, 0xb1, 0x29, 0xf8, 0x24, 0x92, 0x69, 0xfc, 0x59, 0x92,
-	0x99, 0x8b, 0xd6, 0xc6, 0x67, 0xa8, 0x1a, 0x40, 0xc8, 0x69, 0xc0, 0x4d, 0x36, 0x70, 0xac, 0xb1,
-	0x7c, 0xf9, 0x8a, 0xb1, 0x9f, 0xbc, 0x26, 0xc9, 0x3a, 0xaf, 0x6f, 0x1a, 0x48, 0x9e, 0x8c, 0xbb,
-	0xe8, 0x31, 0x87, 0xc0, 0x75, 0x3c, 0x2a, 0x2a, 0xff, 0x4d, 0x40, 0x2d, 0x30, 0x21, 0x70, 0x98,
-	0xdd, 0x06, 0x8b, 0x79, 0x76, 0x28, 0x5f, 0xba, 0x60, 0x3c, 0x99, 0x4e, 0xea, 0x8f, 0x2f, 0x6e,
-	0x03, 0x92, 0xdb, 0x75, 0xf0, 0x39, 0xda, 0xa1, 0x16, 0x77, 0x46, 0x70, 0x02, 0xd4, 0x1e, 0x38,
-	0x1e, 0x24, 0x01, 0x8a, 0x32, 0xc0, 0xa3, 0xe9, 0xa4, 0xbe, 0xf3, 0x7a, 0x11, 0x80, 0x2c, 0xe6,
-	0xe1, 0x31, 0xda, 0xf4, 0x98, 0x0d, 0x6d, 0x18, 0x80, 0xc5, 0x59, 0xa0, 0x96, 0x64, 0xa9, 0x5f,
-	0xdd, 0x69, 0x6a, 0x68, 0xad, 0x8c, 0xc2, 0xd7, 0x1e, 0x0f, 0xc6, 0xc6, 0xc3, 0xb8, 0x8e, 0x9b,
-	0x59, 0x17, 0xc9, 0x85, 0xc2, 0x6f, 0x10, 0x16, 0xda, 0x8e, 0x05, 0xaf, 0x2d, 0x8b, 0x0d, 0x3d,
-	0xde, 0xa2, 0x2e, 0xa8, 0x65, 0xf9, 0x0e, 0x69, 0x9f, 0xb7, 0xe7, 0x10, 0x64, 0x01, 0x0b, 0x9f,
-	0xa2, 0x7b, 0x79, 0xab, 0x5a, 0xc9, 0xcd, 0x10, 0xf5, 0x04, 0xfc, 0x00, 0x2c, 0x31, 0x90, 0xf3,
-	0x8a, 0xe4, 0x06, 0x0f, 0x7f, 0x82, 0xca, 0x22, 0x4b, 0x99, 0x0b, 0x92, 0x1a, 0x69, 0x8b, 0xb6,
-	0x62, 0x3b, 0x49, 0x11, 0xf8, 0x33, 0xb4, 0xd1, 0x63, 0x21, 0x6f, 0x01, 0xff, 0x91, 0x05, 0x7d,
-	0x75, 0x63, 0x4f, 0x39, 0x28, 0x1b, 0x0f, 0x62, 0xc2, 0xc6, 0xe9, 0xcc, 0x45, 0xb2, 0x38, 0xf1,
-	0xb9, 0x89, 0xab, 0xd9, 0x3c, 0x51, 0x37, 0x25, 0x25, 0xfd, 0xdc, 0x4e, 0x23, 0x33, 0x49, 0xfc,
-	0x09, 0xb4, 0x69, 0x1e, 0xab, 0xd5, 0x79, 0x68, 0xd3, 0x3c, 0x26, 0x89, 0x5f, 0xa4, 0x2e, 0x8e,
-	0x9e, 0x48, 0x7d, 0x2b, 0x9f, 0xfa, 0x69, 0x6c, 0x27, 0x29, 0x02, 0xeb, 0xa8, 0x12, 0x0e, 0x3b,
-	0x36, 0x73, 0xa9, 0xe3, 0xa9, 0xdb, 0x12, 0xbe, 0x1d, 0xc3, 0x2b, 0xed, 0xc4, 0x41, 0x66, 0x18,
-	0xfc, 0x15, 0xaa, 0x8a, 0xe5, 0x66, 0x0f, 0x07, 0x10, 0xc8, 0x18, 0x0f, 0x24, 0x29, 0x1d, 0x80,
-	0xed, 0xc4, 0x29, 0x6b, 0x94, 0xc7, 0xee, 0xbe, 0x42, 0xdb, 0x73, 0x5d, 0x82, 0xb7, 0x50, 0xa1,
-	0x0f, 0xe3, 0x68, 0xdc, 0x13, 0x71, 0xc4, 0x0f, 0x51, 0x71, 0x44, 0x07, 0x43, 0x88, 0x46, 0x39,
-	0x89, 0x2e, 0x5f, 0xae, 0xbe, 0x54, 0x1a, 0xbf, 0x15, 0x50, 0x25, 0x5d, 0x29, 0x58, 0x47, 0x45,
-	0xbf, 0x47, 0xc3, 0x64, 0x55, 0x3c, 0x4a, 0xbe, 0x77, 0x53, 0x18, 0xaf, 0x27, 0xf5, 0xb2, 0xc9,
-	0x6c, 0x79, 0x26, 0x11, 0x0e, 0xbf, 0x47, 0xc8, 0x4a, 0x96, 0x40, 0x32, 0x50, 0x8e, 0x96, 0xee,
-	0xf2, 0x74, 0x7f, 0xcc, 0x76, 0x6f, 0x6a, 0x0a, 0x49, 0x46, 0x39, 0x3b, 0x48, 0x0b, 0xb7, 0x0f,
-	0xd2, 0xcc, 0x6c, 0x5e, 0xbb, 0x75, 0x36, 0xef, 0xa3, 0xf5, 0xe8, 0x85, 0x6f, 0xce, 0xf0, 0xa8,
-	0x01, 0x48, 0xec, 0xc5, 0xff, 0x43, 0x45, 0x9f, 0xd9, 0x4d, 0x33, 0x9e, 0xe0, 0xe9, 0x0c, 0x34,
-	0x85, 0x91, 0x44, 0x3e, 0xfc, 0x0e, 0x55, 0xe4, 0xe0, 0x92, 0xfb, 0xa7, 0x74, 0xe7, 0xfd, 0x53,
-	0x95, 0xdd, 0x91, 0x08, 0x90, 0x99, 0x96, 0xf1, 0xe6, 0xf2, 0xaa, 0xb6, 0xf2, 0xe1, 0xaa, 0xb6,
-	0xf2, 0xf1, 0xaa, 0xb6, 0xf2, 0xf3, 0xb4, 0xa6, 0x5c, 0x4e, 0x6b, 0xca, 0x87, 0x69, 0x4d, 0xf9,
-	0x38, 0xad, 0x29, 0x7f, 0x4d, 0x6b, 0xca, 0x2f, 0x7f, 0xd7, 0x56, 0xbe, 0x7d, 0xba, 0xcc, 0x1f,
-	0xc6, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xfb, 0x77, 0xce, 0x8b, 0x57, 0x0a, 0x00, 0x00,
-}
+func (m *PodStatus) Reset() { *m = PodStatus{} }
 
 func (m *Pod) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -515,7 +290,7 @@ func (m *PodSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.NodeSelector {
 			keysForNodeSelector = append(keysForNodeSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		sort.Strings(keysForNodeSelector)
 		for iNdEx := len(keysForNodeSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.NodeSelector[string(keysForNodeSelector[iNdEx])]
 			baseI := i
@@ -816,7 +591,7 @@ func (this *PodSpec) String() string {
 	for k := range this.NodeSelector {
 		keysForNodeSelector = append(keysForNodeSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	sort.Strings(keysForNodeSelector)
 	mapStringForNodeSelector := "map[string]string{"
 	for _, k := range keysForNodeSelector {
 		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..199fc9b637a74
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/example/v1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Pod) ProtoMessage() {}
+
+func (*PodCondition) ProtoMessage() {}
+
+func (*PodList) ProtoMessage() {}
+
+func (*PodSpec) ProtoMessage() {}
+
+func (*PodStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.pb.go
index 69e0826a7d809..1c3fa6b21a690 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.pb.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.pb.go
@@ -24,147 +24,16 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *ReplicaSet) Reset()      { *m = ReplicaSet{} }
-func (*ReplicaSet) ProtoMessage() {}
-func (*ReplicaSet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0d8f6d73eb5bf83, []int{0}
-}
-func (m *ReplicaSet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSet.Merge(m, src)
-}
-func (m *ReplicaSet) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSet) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSet.DiscardUnknown(m)
-}
+func (m *ReplicaSet) Reset() { *m = ReplicaSet{} }
 
-var xxx_messageInfo_ReplicaSet proto.InternalMessageInfo
+func (m *ReplicaSetSpec) Reset() { *m = ReplicaSetSpec{} }
 
-func (m *ReplicaSetSpec) Reset()      { *m = ReplicaSetSpec{} }
-func (*ReplicaSetSpec) ProtoMessage() {}
-func (*ReplicaSetSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0d8f6d73eb5bf83, []int{1}
-}
-func (m *ReplicaSetSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetSpec.Merge(m, src)
-}
-func (m *ReplicaSetSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ReplicaSetSpec proto.InternalMessageInfo
-
-func (m *ReplicaSetStatus) Reset()      { *m = ReplicaSetStatus{} }
-func (*ReplicaSetStatus) ProtoMessage() {}
-func (*ReplicaSetStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_c0d8f6d73eb5bf83, []int{2}
-}
-func (m *ReplicaSetStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ReplicaSetStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ReplicaSetStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ReplicaSetStatus.Merge(m, src)
-}
-func (m *ReplicaSetStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ReplicaSetStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ReplicaSetStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ReplicaSetStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.apiserver.pkg.apis.example2.v1.ReplicaSet")
-	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.apiserver.pkg.apis.example2.v1.ReplicaSetSpec")
-	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.apiserver.pkg.apis.example2.v1.ReplicaSetStatus")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/apiserver/pkg/apis/example2/v1/generated.proto", fileDescriptor_c0d8f6d73eb5bf83)
-}
-
-var fileDescriptor_c0d8f6d73eb5bf83 = []byte{
-	// 388 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x92, 0xc1, 0x6a, 0xe2, 0x40,
-	0x18, 0xc7, 0x13, 0xd7, 0x15, 0x99, 0x15, 0x91, 0x9c, 0xc4, 0xc3, 0xb8, 0x08, 0x82, 0x87, 0xdd,
-	0x99, 0x55, 0xd6, 0xdd, 0xd2, 0x53, 0xc9, 0xb5, 0x94, 0x42, 0x3c, 0x14, 0x7a, 0x69, 0xc7, 0xf8,
-	0x35, 0xa6, 0x1a, 0x33, 0x64, 0x26, 0xa1, 0xbd, 0xf5, 0x11, 0xfa, 0x18, 0x7d, 0x14, 0x8f, 0x1e,
-	0x3d, 0x49, 0x4d, 0x5f, 0xa4, 0x38, 0x49, 0x13, 0xaa, 0x96, 0xda, 0x5b, 0xfe, 0x93, 0xf9, 0xfd,
-	0xbe, 0x3f, 0x1f, 0x83, 0xfa, 0x93, 0x23, 0x41, 0x5c, 0x9f, 0x32, 0xee, 0x0a, 0x08, 0x22, 0x08,
-	0x28, 0x9f, 0x38, 0x2a, 0x51, 0xb8, 0x63, 0x1e, 0x9f, 0x42, 0x8f, 0x46, 0x5d, 0xea, 0xc0, 0x0c,
-	0x02, 0x26, 0x61, 0x44, 0x78, 0xe0, 0x4b, 0xdf, 0x68, 0x27, 0x18, 0xc9, 0x30, 0xc2, 0x27, 0x8e,
-	0x4a, 0xe4, 0x0d, 0x23, 0x51, 0xb7, 0xf1, 0xdb, 0x71, 0xe5, 0x38, 0x1c, 0x12, 0xdb, 0xf7, 0xa8,
-	0xe3, 0x3b, 0x3e, 0x55, 0xf4, 0x30, 0xbc, 0x51, 0x49, 0x05, 0xf5, 0x95, 0x58, 0x1b, 0x7f, 0xf3,
-	0x32, 0x1e, 0xb3, 0xc7, 0xee, 0x0c, 0x82, 0xfb, 0xbc, 0x8f, 0x07, 0x92, 0xed, 0xe9, 0xd2, 0xa0,
-	0x1f, 0x51, 0x41, 0x38, 0x93, 0xae, 0x07, 0x3b, 0xc0, 0xbf, 0xcf, 0x00, 0x61, 0x8f, 0xc1, 0x63,
-	0xdb, 0x5c, 0xeb, 0xa9, 0x80, 0x90, 0x05, 0x7c, 0xea, 0xda, 0x6c, 0x00, 0xd2, 0xb8, 0x46, 0xe5,
-	0x4d, 0xa5, 0x11, 0x93, 0xac, 0xae, 0xff, 0xd4, 0x3b, 0x3f, 0x7a, 0x7f, 0x48, 0xbe, 0x96, 0xcc,
-	0x9c, 0x6f, 0x66, 0x73, 0x9b, 0x44, 0x5d, 0x72, 0x3e, 0xbc, 0x05, 0x5b, 0x9e, 0x81, 0x64, 0xa6,
-	0x31, 0x5f, 0x35, 0xb5, 0x78, 0xd5, 0x44, 0xf9, 0x99, 0x95, 0x59, 0x8d, 0x0b, 0x54, 0x14, 0x1c,
-	0xec, 0x7a, 0x41, 0xd9, 0xfb, 0xe4, 0xa0, 0xa5, 0x93, 0xbc, 0xe2, 0x80, 0x83, 0x6d, 0x56, 0xd2,
-	0x11, 0xc5, 0x4d, 0xb2, 0x94, 0xd0, 0xb8, 0x42, 0x25, 0x21, 0x99, 0x0c, 0x45, 0xfd, 0x9b, 0x52,
-	0xff, 0xff, 0xba, 0x5a, 0xe1, 0x66, 0x35, 0x95, 0x97, 0x92, 0x6c, 0xa5, 0xda, 0xd6, 0x31, 0xaa,
-	0xbe, 0xaf, 0x61, 0x74, 0x50, 0x39, 0x48, 0x4e, 0x84, 0xda, 0xd6, 0x77, 0xb3, 0x12, 0xaf, 0x9a,
-	0xe5, 0xf4, 0x96, 0xb0, 0xb2, 0xbf, 0xad, 0x13, 0x54, 0xdb, 0x9e, 0x63, 0xfc, 0xda, 0xa1, 0x6b,
-	0xe9, 0xe4, 0x3d, 0x06, 0xf3, 0x74, 0xbe, 0xc6, 0xda, 0x62, 0x8d, 0xb5, 0xe5, 0x1a, 0x6b, 0x0f,
-	0x31, 0xd6, 0xe7, 0x31, 0xd6, 0x17, 0x31, 0xd6, 0x97, 0x31, 0xd6, 0x9f, 0x63, 0xac, 0x3f, 0xbe,
-	0x60, 0xed, 0xb2, 0x7d, 0xd0, 0xd3, 0x7f, 0x0d, 0x00, 0x00, 0xff, 0xff, 0xf4, 0xd7, 0x7c, 0xa3,
-	0x22, 0x03, 0x00, 0x00,
-}
+func (m *ReplicaSetStatus) Reset() { *m = ReplicaSetStatus{} }
 
 func (m *ReplicaSet) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.protomessage.pb.go b/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..95b07e12c76db
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/example2/v1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ReplicaSet) ProtoMessage() {}
+
+func (*ReplicaSetSpec) ProtoMessage() {}
+
+func (*ReplicaSetStatus) ProtoMessage() {}
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/context.go b/staging/src/k8s.io/apiserver/pkg/audit/context.go
index 5b93d594bffa8..61d6ff5ef93f0 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/context.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/context.go
@@ -132,7 +132,7 @@ func (ac *AuditContext) ProcessEventStage(ctx context.Context, stage auditintern
 	return processed
 }
 
-func (ac *AuditContext) LogImpersonatedUser(user user.Info) {
+func (ac *AuditContext) LogImpersonatedUser(user user.Info, constraint string) {
 	ac.visitEvent(func(ev *auditinternal.Event) {
 		if ev == nil || ev.Level.Less(auditinternal.LevelMetadata) {
 			return
@@ -146,6 +146,12 @@ func (ac *AuditContext) LogImpersonatedUser(user user.Info) {
 		for k, v := range user.GetExtra() {
 			ev.ImpersonatedUser.Extra[k] = authnv1.ExtraValue(v)
 		}
+		if len(constraint) > 0 {
+			if ev.AuthenticationMetadata == nil {
+				ev.AuthenticationMetadata = &auditinternal.AuthenticationMetadata{}
+			}
+			ev.AuthenticationMetadata.ImpersonationConstraint = constraint
+		}
 	})
 }
 
@@ -178,6 +184,25 @@ func (ac *AuditContext) LogRequestPatch(patch []byte) {
 	})
 }
 
+// GetEventUser returns a copy of the User associated with the audit Event.
+func (ac *AuditContext) GetEventUser() authnv1.UserInfo {
+	var val *authnv1.UserInfo
+	ac.visitEvent(func(ev *auditinternal.Event) {
+		val = ev.User.DeepCopy()
+	})
+	return *val
+}
+
+// GetEventImpersonatedUser returns a copy of the ImpersonatedUser associated with the audit Event,
+// or returns nil when there is no ImpersonatedUser.
+func (ac *AuditContext) GetEventImpersonatedUser() *authnv1.UserInfo {
+	var val *authnv1.UserInfo
+	ac.visitEvent(func(ev *auditinternal.Event) {
+		val = ev.ImpersonatedUser.DeepCopy()
+	})
+	return val
+}
+
 func (ac *AuditContext) GetEventAnnotation(key string) (string, bool) {
 	var val string
 	var ok bool
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/context_test.go b/staging/src/k8s.io/apiserver/pkg/audit/context_test.go
index 9606d395cdbf4..83753ade17f01 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/context_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/context_test.go
@@ -22,9 +22,11 @@ import (
 	"sync"
 	"testing"
 
+	authnv1 "k8s.io/api/authentication/v1"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestEnabled(t *testing.T) {
@@ -175,6 +177,159 @@ func TestAuditAnnotationsWithAuditLoggingSetup(t *testing.T) {
 	assert.Equal(t, expected, actual)
 }
 
+func TestGetEventUser(t *testing.T) {
+	tests := []struct {
+		name           string
+		auditEventUser authnv1.UserInfo
+		wantUser       authnv1.UserInfo
+	}{
+		{
+			name:           "fields with zero values are returned as fields with zero values",
+			auditEventUser: authnv1.UserInfo{},
+			wantUser:       authnv1.UserInfo{},
+		},
+		{
+			name: "fields with non-zero values are returned as copies",
+			auditEventUser: authnv1.UserInfo{
+				Username: "test-user",
+				UID:      "test-uid",
+				Groups:   []string{"test-group1", "test-group2"},
+				Extra: map[string]authnv1.ExtraValue{
+					"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+					"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+				},
+			},
+			wantUser: authnv1.UserInfo{
+				Username: "test-user",
+				UID:      "test-uid",
+				Groups:   []string{"test-group1", "test-group2"},
+				Extra: map[string]authnv1.ExtraValue{
+					"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+					"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+				},
+			},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ac := AuditContext{event: auditinternal.Event{User: test.auditEventUser}}
+			got := ac.GetEventUser()
+			require.Equal(t, test.wantUser, got)
+		})
+	}
+
+	t.Run("mutating the returned groups does not change the audit event's User's groups", func(t *testing.T) {
+		ac := AuditContext{
+			event: auditinternal.Event{
+				User: authnv1.UserInfo{
+					Groups: []string{"test-group1", "test-group2"},
+				},
+			},
+		}
+		got := ac.GetEventUser()
+		require.Equal(t, []string{"test-group1", "test-group2"}, got.Groups)
+		got.Groups[0] = "mutated group"
+		require.Equal(t, []string{"mutated group", "test-group2"}, got.Groups)
+		// The event's groups are not changed.
+		require.Equal(t, []string{"test-group1", "test-group2"}, ac.event.User.Groups)
+	})
+
+	t.Run("mutating the returned extras does not change the audit event's User's extras", func(t *testing.T) {
+		ac := AuditContext{
+			event: auditinternal.Event{
+				User: authnv1.UserInfo{
+					Extra: map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}},
+				},
+			},
+		}
+		got := ac.GetEventUser()
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, got.Extra)
+		got.Extra["test-extra"] = authnv1.ExtraValue{"mutated value"}
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"mutated value"}}, got.Extra)
+		// The event's extras are not changed.
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, ac.event.User.Extra)
+	})
+}
+
+func TestGetEventImpersonatedUser(t *testing.T) {
+	tests := []struct {
+		name                       string
+		auditEventImpersonatedUser *authnv1.UserInfo
+		wantUser                   *authnv1.UserInfo
+	}{
+		{
+			name:                       "nil ImpersonatedUser returns nil",
+			auditEventImpersonatedUser: nil,
+			wantUser:                   nil,
+		},
+		{
+			name:                       "fields with zero values are returned as fields with zero values",
+			auditEventImpersonatedUser: &authnv1.UserInfo{},
+			wantUser:                   &authnv1.UserInfo{},
+		},
+		{
+			name: "fields with non-zero values are returned as copies",
+			auditEventImpersonatedUser: &authnv1.UserInfo{
+				Username: "test-user",
+				UID:      "test-uid",
+				Groups:   []string{"test-group1", "test-group2"},
+				Extra: map[string]authnv1.ExtraValue{
+					"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+					"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+				},
+			},
+			wantUser: &authnv1.UserInfo{
+				Username: "test-user",
+				UID:      "test-uid",
+				Groups:   []string{"test-group1", "test-group2"},
+				Extra: map[string]authnv1.ExtraValue{
+					"test-extra1": {"test-extra1-val1", "test-extra1-val2"},
+					"test-extra2": {"test-extra2-val1", "test-extra2-val2"},
+				},
+			},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ac := AuditContext{event: auditinternal.Event{ImpersonatedUser: test.auditEventImpersonatedUser}}
+			got := ac.GetEventImpersonatedUser()
+			require.Equal(t, test.wantUser, got)
+		})
+	}
+
+	t.Run("mutating the returned groups does not change the audit event's ImpersonatedUser's groups", func(t *testing.T) {
+		ac := AuditContext{
+			event: auditinternal.Event{
+				ImpersonatedUser: &authnv1.UserInfo{
+					Groups: []string{"test-group1", "test-group2"},
+				},
+			},
+		}
+		got := ac.GetEventImpersonatedUser()
+		require.Equal(t, []string{"test-group1", "test-group2"}, got.Groups)
+		got.Groups[0] = "mutated group"
+		require.Equal(t, []string{"mutated group", "test-group2"}, got.Groups)
+		// The event's groups are not changed.
+		require.Equal(t, []string{"test-group1", "test-group2"}, ac.event.ImpersonatedUser.Groups)
+	})
+
+	t.Run("mutating the returned extras does not change the audit event's ImpersonatedUser's extras", func(t *testing.T) {
+		ac := AuditContext{
+			event: auditinternal.Event{
+				ImpersonatedUser: &authnv1.UserInfo{
+					Extra: map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}},
+				},
+			},
+		}
+		got := ac.GetEventImpersonatedUser()
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, got.Extra)
+		got.Extra["test-extra"] = authnv1.ExtraValue{"mutated value"}
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"mutated value"}}, got.Extra)
+		// The event's extras are not changed.
+		require.Equal(t, map[string]authnv1.ExtraValue{"test-extra": {"test-extra-val"}}, ac.event.ImpersonatedUser.Extra)
+	})
+}
+
 func withAuditContextAndLevel(ctx context.Context, t *testing.T, l auditinternal.Level) context.Context {
 	ctx = WithAuditContext(ctx)
 	if err := AuditContextFrom(ctx).Init(RequestAuditConfig{Level: l}, nil); err != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/audit/request.go b/staging/src/k8s.io/apiserver/pkg/audit/request.go
index d5f9c730f518e..4b076b0906755 100644
--- a/staging/src/k8s.io/apiserver/pkg/audit/request.go
+++ b/staging/src/k8s.io/apiserver/pkg/audit/request.go
@@ -82,12 +82,12 @@ func LogRequestMetadata(ctx context.Context, req *http.Request, requestReceivedT
 }
 
 // LogImpersonatedUser fills in the impersonated user attributes into an audit event.
-func LogImpersonatedUser(ctx context.Context, user user.Info) {
+func LogImpersonatedUser(ctx context.Context, user user.Info, constraint string) {
 	ac := AuditContextFrom(ctx)
 	if !ac.Enabled() {
 		return
 	}
-	ac.LogImpersonatedUser(user)
+	ac.LogImpersonatedUser(user, constraint)
 }
 
 // LogRequestObject fills in the request object into an audit event. The passed runtime.Object
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/cel/compile.go b/staging/src/k8s.io/apiserver/pkg/authentication/cel/compile.go
index 8c74e7ad4de86..6f25353cc9820 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/cel/compile.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/cel/compile.go
@@ -42,7 +42,7 @@ type compiler struct {
 // NewDefaultCompiler returns a new Compiler following the default compatibility version.
 // Note: the compiler construction depends on feature gates and the compatibility version to be initialized.
 func NewDefaultCompiler() Compiler {
-	return NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	return NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 }
 
 // NewCompiler returns a new Compiler.
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go
index 38d6cbe71a1a8..a9e76fe011896 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go
@@ -183,7 +183,7 @@ func (c *RequestHeaderAuthRequestController) Run(ctx context.Context, workers in
 	go c.configmapInformer.Run(ctx.Done())
 
 	// wait for caches to fill before starting your work
-	if !cache.WaitForNamedCacheSync(c.name, ctx.Done(), c.configmapInformerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.configmapInformerSynced) {
 		return
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
index 2f5f65e228839..09000a1a59199 100644
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
@@ -18,6 +18,7 @@ package authorizer
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"k8s.io/apimachinery/pkg/fields"
@@ -182,3 +183,16 @@ const (
 	// to allow or deny an action.
 	DecisionNoOpinion
 )
+
+func (d Decision) String() string {
+	switch d {
+	case DecisionDeny:
+		return "Deny"
+	case DecisionAllow:
+		return "Allow"
+	case DecisionNoOpinion:
+		return "NoOpinion"
+	default:
+		return fmt.Sprintf("Unknown (%d)", int(d))
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile.go b/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile.go
index 765864846c1a6..04acda157b79f 100644
--- a/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile.go
@@ -68,7 +68,7 @@ type compiler struct {
 // NewDefaultCompiler returns a new Compiler following the default compatibility version.
 // Note: the compiler construction depends on feature gates and the compatibility version to be initialized.
 func NewDefaultCompiler() Compiler {
-	return NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+	return NewCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
 }
 
 // NewCompiler returns a new Compiler.
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/common/typeprovider_test.go b/staging/src/k8s.io/apiserver/pkg/cel/common/typeprovider_test.go
index 8e3d6e937f723..932b469b12be1 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/common/typeprovider_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/common/typeprovider_test.go
@@ -17,13 +17,14 @@ limitations under the License.
 package common
 
 import (
-	"github.com/google/cel-go/cel"
-	"github.com/google/cel-go/common/types"
-	"github.com/google/cel-go/common/types/ref"
 	"reflect"
 	"strings"
 	"testing"
 
+	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/common/types/ref"
+
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apiserver/pkg/cel/environment"
 	"k8s.io/apiserver/pkg/cel/mutation/dynamic"
@@ -154,7 +155,7 @@ func (m *mockResolvedType) Val(fields map[string]ref.Val) ref.Val {
 // mustCreateEnv creates the default env for testing, with given option.
 // it fatally fails the test if the env fails to set up.
 func mustCreateEnv(t testing.TB, envOptions ...cel.EnvOption) *cel.Env {
-	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).
+	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).
 		Extend(environment.VersionedOptions{
 			IntroducedVersion: version.MajorMinor(1, 30),
 			EnvOptions:        envOptions,
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go b/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
index 4b0e7265ff603..91bdc6cb10868 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/environment/base.go
@@ -57,9 +57,7 @@ func DefaultCompatibilityVersion() *version.Version {
 	return effectiveVer.MinCompatibilityVersion()
 }
 
-var baseOpts = append(baseOptsWithoutStrictCost, StrictCostOpt)
-
-var baseOptsWithoutStrictCost = []VersionedOptions{
+var baseOpts = []VersionedOptions{
 	{
 		// CEL epoch was actually 1.23, but we artificially set it to 1.0 because these
 		// options should always be present.
@@ -190,6 +188,7 @@ var baseOptsWithoutStrictCost = []VersionedOptions{
 			ext.Lists(ext.ListsVersion(3)),
 		},
 	},
+	StrictCostOpt,
 }
 
 var (
@@ -223,7 +222,6 @@ var cacheBaseEnvs = true
 func DisableBaseEnvSetCachingForTests() {
 	cacheBaseEnvs = false
 	baseEnvs.Clear()
-	baseEnvsWithOption.Clear()
 }
 
 // MustBaseEnvSet returns the common CEL base environments for Kubernetes for Version, or panics
@@ -235,8 +233,7 @@ func DisableBaseEnvSetCachingForTests() {
 // The returned environment contains no CEL variable definitions or custom type declarations and
 // should be extended to construct environments with the appropriate variable definitions,
 // type declarations and any other needed configuration.
-// strictCost is used to determine whether to enforce strict cost calculation for CEL expressions.
-func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
+func MustBaseEnvSet(ver *version.Version) *EnvSet {
 	if ver == nil {
 		panic("version must be non-nil")
 	}
@@ -245,38 +242,23 @@ func MustBaseEnvSet(ver *version.Version, strictCost bool) *EnvSet {
 	}
 	key := strconv.FormatUint(uint64(ver.Major()), 10) + "." + strconv.FormatUint(uint64(ver.Minor()), 10)
 	var entry interface{}
-	if strictCost {
-		if entry, ok := baseEnvs.Load(key); ok {
-			return entry.(*EnvSet)
-		}
-		entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
-			entry := mustNewEnvSet(ver, baseOpts)
-			if cacheBaseEnvs {
-				baseEnvs.Store(key, entry)
-			}
-			return entry, nil
-		})
-	} else {
-		if entry, ok := baseEnvsWithOption.Load(key); ok {
-			return entry.(*EnvSet)
-		}
-		entry, _, _ = baseEnvsWithOptionSingleflight.Do(key, func() (interface{}, error) {
-			entry := mustNewEnvSet(ver, baseOptsWithoutStrictCost)
-			if cacheBaseEnvs {
-				baseEnvsWithOption.Store(key, entry)
-			}
-			return entry, nil
-		})
+	if entry, ok := baseEnvs.Load(key); ok {
+		return entry.(*EnvSet)
 	}
+	entry, _, _ = baseEnvsSingleflight.Do(key, func() (interface{}, error) {
+		entry := mustNewEnvSet(ver, baseOpts)
+		if cacheBaseEnvs {
+			baseEnvs.Store(key, entry)
+		}
+		return entry, nil
+	})
 
 	return entry.(*EnvSet)
 }
 
 var (
-	baseEnvs                       = sync.Map{}
-	baseEnvsWithOption             = sync.Map{}
-	baseEnvsSingleflight           = &singleflight.Group{}
-	baseEnvsWithOptionSingleflight = &singleflight.Group{}
+	baseEnvs             = sync.Map{}
+	baseEnvsSingleflight = &singleflight.Group{}
 )
 
 // UnversionedLib wraps library initialization calls like ext.Sets() or library.IP()
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/environment/base_test.go b/staging/src/k8s.io/apiserver/pkg/cel/environment/base_test.go
index 2b68f6b26176a..a0644454aa83f 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/environment/base_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/environment/base_test.go
@@ -32,10 +32,10 @@ import (
 // a cached environment is loaded for each MustBaseEnvSet call.
 func BenchmarkLoadBaseEnv(b *testing.B) {
 	ver := DefaultCompatibilityVersion()
-	MustBaseEnvSet(ver, true)
+	MustBaseEnvSet(ver)
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		MustBaseEnvSet(ver, true)
+		MustBaseEnvSet(ver)
 	}
 }
 
@@ -44,7 +44,7 @@ func BenchmarkLoadBaseEnv(b *testing.B) {
 func BenchmarkLoadBaseEnvDifferentVersions(b *testing.B) {
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		MustBaseEnvSet(version.MajorMinor(1, uint(i)), true)
+		MustBaseEnvSet(version.MajorMinor(1, uint(i)))
 	}
 }
 
@@ -124,7 +124,7 @@ func TestKnownLibraries(t *testing.T) {
 	for _, lib := range library.KnownLibraries() {
 		known.Insert(lib.LibraryName())
 	}
-	for _, libName := range MustBaseEnvSet(version.MajorMinor(1, 0), true).storedExpressions.Libraries() {
+	for _, libName := range MustBaseEnvSet(version.MajorMinor(1, 0)).storedExpressions.Libraries() {
 		if strings.HasPrefix(libName, "cel.lib") { // ignore core libs
 			continue
 		}
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/environment/environment_test.go b/staging/src/k8s.io/apiserver/pkg/cel/environment/environment_test.go
index 6a1f917d32c45..db351850c12f2 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/environment/environment_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/environment/environment_test.go
@@ -307,7 +307,7 @@ func TestBaseEnvironment(t *testing.T) {
 			for _, tv := range tc.typeVersionCombinations {
 				t.Run(fmt.Sprintf("version=%s,envType=%s", tv.version.String(), tv.envType), func(t *testing.T) {
 
-					envSet := MustBaseEnvSet(tv.version, true)
+					envSet := MustBaseEnvSet(tv.version)
 					if tc.opts != nil {
 						var err error
 						envSet, err = envSet.Extend(tc.opts...)
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/lazy/lazy_test.go b/staging/src/k8s.io/apiserver/pkg/cel/lazy/lazy_test.go
index dffbb393dbc1a..01fc725e7e90e 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/lazy/lazy_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/lazy/lazy_test.go
@@ -129,7 +129,7 @@ func compileAndRun(env *cel.Env, activation *testActivation, exp string) (ref.Va
 func buildTestEnv() (*cel.Env, *apiservercel.DeclType, error) {
 	variablesType := apiservercel.NewMapType(apiservercel.StringType, apiservercel.AnyType, 0)
 	variablesType.Fields = make(map[string]*apiservercel.DeclField)
-	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).Extend(
+	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).Extend(
 		environment.VersionedOptions{
 			IntroducedVersion: version.MajorMinor(1, 28),
 			EnvOptions: []cel.EnvOption{
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/library/quantity.go b/staging/src/k8s.io/apiserver/pkg/cel/library/quantity.go
index 236b366b465b3..f9036a47c7990 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/library/quantity.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/library/quantity.go
@@ -70,7 +70,7 @@ import (
 //
 //   - asInteger: returns a representation of the current value as an int64 if
 //     possible or results in an error if conversion would result in overflow
-//	   or loss of precision.
+//     or loss of precision.
 //
 //   - asApproximateFloat: returns a float64 representation of the quantity which may
 //     lose precision. If the value of the quantity is outside the range of a float64
@@ -119,7 +119,6 @@ import (
 //
 //   - compareTo: Compares receiver to operand and returns 0 if they are equal, 1 if the receiver is greater, or -1 if the receiver is less than the operand
 //
-//
 //     <Quantity>.isLessThan(<quantity>) <bool>
 //     <Quantity>.isGreaterThan(<quantity>) <bool>
 //     <Quantity>.compareTo(<quantity>) <int>
@@ -133,7 +132,6 @@ import (
 // quantity("50Mi").isGreaterThan(quantity("100Mi")) // returns false
 // quantity("50M").isLessThan(quantity("100M")) // returns true
 // quantity("100M").isLessThan(quantity("50M")) // returns false
-
 func Quantity() cel.EnvOption {
 	return cel.Lib(quantityLib)
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/library/semverlib.go b/staging/src/k8s.io/apiserver/pkg/cel/library/semverlib.go
index 93614f849a333..e7193c2a707ee 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/library/semverlib.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/library/semverlib.go
@@ -37,6 +37,7 @@ import (
 // to semver.org documentation for information on accepted patterns.
 // An optional "normalize" argument can be passed to enable normalization. Normalization removes any "v" prefix, adds a
 // 0 minor and patch numbers to versions with only major or major.minor components specified, and removes any leading 0s.
+//
 //	semver(<string>) <Semver>
 //	semver(<string>, <bool>) <Semver>
 //
@@ -65,7 +66,7 @@ import (
 //
 //	isSemver('1.0.0') // returns true
 //	isSemver('hello') // returns false
-//  isSemver('v1.0')  // returns false (leading "v" is not allowed unless normalization is enabled)
+//	isSemver('v1.0')  // returns false (leading "v" is not allowed unless normalization is enabled)
 //	isSemver('v1.0', true) // Applies normalization to remove leading "v". returns true
 //	semver('1.0', true) // Applies normalization to add the missing patch version. Returns true
 //	semver('01.01.01', true) // Applies normalization to remove leading zeros. Returns true
@@ -88,7 +89,6 @@ import (
 //
 //   - compareTo: Compares receiver to operand and returns 0 if they are equal, 1 if the receiver is greater, or -1 if the receiver is less than the operand
 //
-//
 //     <Semver>.isLessThan(<semver>) <bool>
 //     <Semver>.isGreaterThan(<semver>) <bool>
 //     <Semver>.compareTo(<semver>) <int>
@@ -98,7 +98,6 @@ import (
 // semver("1.2.3").compareTo(semver("1.2.3")) // returns 0
 // semver("1.2.3").compareTo(semver("2.0.0")) // returns -1
 // semver("1.2.3").compareTo(semver("0.1.2")) // returns 1
-
 func SemverLib(options ...SemverOption) cel.EnvOption {
 	semverLib := &semverLibType{}
 	for _, o := range options {
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/mutation/typeresolver_test.go b/staging/src/k8s.io/apiserver/pkg/cel/mutation/typeresolver_test.go
index 0338fb10fa82f..f871e18a43a38 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/mutation/typeresolver_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/mutation/typeresolver_test.go
@@ -340,7 +340,7 @@ func TestCELOptional(t *testing.T) {
 // mustCreateEnv creates the default env for testing, with given option.
 // it fatally fails the test if the env fails to set up.
 func mustCreateEnv(t testing.TB, envOptions ...cel.EnvOption) *cel.Env {
-	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).
+	envSet, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).
 		Extend(environment.VersionedOptions{
 			IntroducedVersion: version.MajorMinor(1, 0), // Always enabled. This is just for test.
 			EnvOptions:        envOptions,
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/openapi/adaptor.go b/staging/src/k8s.io/apiserver/pkg/cel/openapi/adaptor.go
index bc7b0d8c9590b..f95ec2a372234 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/openapi/adaptor.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/openapi/adaptor.go
@@ -36,6 +36,9 @@ type SchemaOrBool struct {
 }
 
 func (sb *SchemaOrBool) Schema() common.Schema {
+	if sb.SchemaOrBool.Schema == nil {
+		return nil
+	}
 	return &Schema{Schema: sb.SchemaOrBool.Schema}
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/openapi/compiling_test.go b/staging/src/k8s.io/apiserver/pkg/cel/openapi/compiling_test.go
index ca6db71a4276a..1799c2b0da744 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/openapi/compiling_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/openapi/compiling_test.go
@@ -106,7 +106,7 @@ func buildTestEnv() (*cel.Env, error) {
 	fooType := common.SchemaDeclType(simpleMapSchema("foo", spec.StringProperty()), true).MaybeAssignTypeName("fooType")
 	barType := common.SchemaDeclType(simpleMapSchema("bar", spec.Int64Property()), true).MaybeAssignTypeName("barType")
 
-	env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).Extend(
+	env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).Extend(
 		environment.VersionedOptions{
 			IntroducedVersion: version.MajorMinor(1, 26),
 			EnvOptions: []cel.EnvOption{
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go b/staging/src/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go
index 12b353b0bcc51..10b28a58b8075 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/openapi/resolver/definitions.go
@@ -40,9 +40,7 @@ type DefinitionsSchemaResolver struct {
 func NewDefinitionsSchemaResolver(getDefinitions common.GetOpenAPIDefinitions, schemes ...*runtime.Scheme) *DefinitionsSchemaResolver {
 	gvkToRef := make(map[schema.GroupVersionKind]string)
 	namer := openapi.NewDefinitionNamer(schemes...)
-	defs := getDefinitions(func(path string) spec.Ref {
-		return spec.MustCreateRef(path)
-	})
+	defs := getDefinitions(spec.MustCreateRef)
 	for name := range defs {
 		_, e := namer.GetDefinitionName(name)
 		gvks := extensionsToGVKs(e)
diff --git a/staging/src/k8s.io/apiserver/pkg/cel/openapi/schemas_test.go b/staging/src/k8s.io/apiserver/pkg/cel/openapi/schemas_test.go
index 5851a65f7f764..80499c54b57a1 100644
--- a/staging/src/k8s.io/apiserver/pkg/cel/openapi/schemas_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/cel/openapi/schemas_test.go
@@ -30,6 +30,33 @@ import (
 )
 
 func TestSchemaDeclType(t *testing.T) {
+	t.Run("a schema with additionalProperties: true should be an valid object type", func(t *testing.T) {
+		schema := &spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"foo": {
+						SchemaProps: spec.SchemaProps{
+							Type:                 []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{Allows: true},
+						},
+					},
+				},
+			},
+		}
+		declType := SchemaDeclType(schema, false)
+		if declType == nil {
+			t.Fatal("SchemaDeclType returned nil")
+		}
+		fooField, found := declType.FindField("foo")
+		if !found {
+			t.Fatal("field 'foo' not found")
+		}
+		fooType := fooField.Type
+		if fooType.TypeName() != "object" {
+			t.Fatalf("expected foo to be a object, but got %s", fooType.TypeName())
+		}
+	})
 	ts := testSchema()
 	cust := SchemaDeclType(ts, false)
 	if cust.TypeName() != "object" {
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/fake.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/fake.go
index 8cf0bb0b0ef2c..0cded481d415a 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/fake.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/fake.go
@@ -122,6 +122,18 @@ func (f *recorderResourceManager) SetGroupVersionPriority(gv metav1.GroupVersion
 	})
 }
 
+func (f *recorderResourceManager) SetPeerDiscoveryProvider(provider PeerDiscoveryProvider) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	f.Actions = append(f.Actions, recorderResourceManagerAction{
+		Type:    "SetPeerDiscoveryProvider",
+		Group:   "",
+		Version: "",
+		Value:   provider,
+	})
+}
+
 func (f *recorderResourceManager) AddGroupVersion(groupName string, value apidiscoveryv2.APIVersionDiscovery) {
 	f.lock.Lock()
 	defer f.lock.Unlock()
@@ -173,3 +185,7 @@ func (f *recorderResourceManager) ServeHTTP(http.ResponseWriter, *http.Request)
 func (f *recorderResourceManager) WithSource(source Source) ResourceManager {
 	panic("unimplemented")
 }
+
+func (f *recorderResourceManager) AddInvalidationCallback(callback func()) {
+	panic("unimplemented")
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler.go
index 8b2d37d97b267..5e325ba447d1f 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler.go
@@ -85,6 +85,9 @@ type ResourceManager interface {
 	// The group from the least-numbered source is used
 	WithSource(source Source) ResourceManager
 
+	// AddInvalidationCallback adds a callback to be called when the discovery cache is invalidated.
+	AddInvalidationCallback(callback func())
+
 	http.Handler
 }
 
@@ -116,6 +119,10 @@ func (rm resourceManager) WithSource(source Source) ResourceManager {
 	}
 }
 
+func (rm resourceManager) AddInvalidationCallback(callback func()) {
+	rm.resourceDiscoveryManager.AddInvalidationCallback(callback)
+}
+
 type groupKey struct {
 	name string
 
@@ -138,9 +145,10 @@ type resourceDiscoveryManager struct {
 
 	// Writes protected by the lock.
 	// List of all apigroups & resources indexed by the resource manager
-	lock              sync.RWMutex
-	apiGroups         map[groupKey]*apidiscoveryv2.APIGroupDiscovery
-	versionPriorities map[groupVersionKey]priorityInfo
+	lock                 sync.RWMutex
+	apiGroups            map[groupKey]*apidiscoveryv2.APIGroupDiscovery
+	versionPriorities    map[groupVersionKey]priorityInfo
+	invalidationCallback atomic.Pointer[func()]
 }
 
 type priorityInfo struct {
@@ -148,6 +156,17 @@ type priorityInfo struct {
 	VersionPriority      int
 }
 
+func (rdm *resourceDiscoveryManager) AddInvalidationCallback(callback func()) {
+	rdm.invalidationCallback.Store(&callback)
+}
+
+func (rdm *resourceDiscoveryManager) invalidateCacheLocked() {
+	rdm.cache.Store(nil)
+	if callback := rdm.invalidationCallback.Load(); callback != nil {
+		(*callback)()
+	}
+}
+
 func NewResourceManager(path string) ResourceManager {
 	scheme := runtime.NewScheme()
 	utilruntime.Must(apidiscoveryv2.AddToScheme(scheme))
@@ -188,7 +207,7 @@ func (rdm *resourceDiscoveryManager) SetGroupVersionPriority(source Source, gv m
 		GroupPriorityMinimum: groupPriorityMinimum,
 		VersionPriority:      versionPriority,
 	}
-	rdm.cache.Store(nil)
+	rdm.invalidateCacheLocked()
 }
 
 func (rdm *resourceDiscoveryManager) SetGroups(source Source, groups []apidiscoveryv2.APIGroupDiscovery) {
@@ -196,7 +215,7 @@ func (rdm *resourceDiscoveryManager) SetGroups(source Source, groups []apidiscov
 	defer rdm.lock.Unlock()
 
 	rdm.apiGroups = nil
-	rdm.cache.Store(nil)
+	rdm.invalidateCacheLocked()
 
 	for _, group := range groups {
 		for _, version := range group.Versions {
@@ -297,7 +316,7 @@ func (rdm *resourceDiscoveryManager) addGroupVersionLocked(source Source, groupN
 	}
 
 	// Reset response document so it is recreated lazily
-	rdm.cache.Store(nil)
+	rdm.invalidateCacheLocked()
 }
 
 func (rdm *resourceDiscoveryManager) RemoveGroupVersion(source Source, apiGroup metav1.GroupVersion) {
@@ -338,7 +357,7 @@ func (rdm *resourceDiscoveryManager) RemoveGroupVersion(source Source, apiGroup
 	}
 
 	// Reset response document so it is recreated lazily
-	rdm.cache.Store(nil)
+	rdm.invalidateCacheLocked()
 }
 
 func (rdm *resourceDiscoveryManager) RemoveGroup(source Source, groupName string) {
@@ -490,7 +509,7 @@ func (rdm *resourceDiscoveryManager) fetchFromCache() *cachedGroupList {
 	}
 	etag, err := calculateETag(response)
 	if err != nil {
-		klog.Errorf("failed to calculate etag for discovery document: %s", etag)
+		klog.Errorf("failed to calculate etag for discovery document: %v", err)
 		etag = ""
 	}
 	cached := &cachedGroupList{
@@ -521,12 +540,22 @@ func (rdm *resourceDiscoveryManager) serveHTTP(resp http.ResponseWriter, req *ht
 	response := cache.cachedResponse
 	etag := cache.cachedResponseETag
 
-	mediaType, _, err := negotiation.NegotiateOutputMediaType(req, rdm.serializer, DiscoveryEndpointRestrictions)
+	writeDiscoveryResponse(&response, etag, rdm.serializer, resp, req)
+}
+
+func writeDiscoveryResponse(
+	resp *apidiscoveryv2.APIGroupDiscoveryList,
+	etag string,
+	serializer runtime.NegotiatedSerializer,
+	w http.ResponseWriter,
+	req *http.Request,
+) {
+	mediaType, _, err := negotiation.NegotiateOutputMediaType(req, serializer, DiscoveryEndpointRestrictions)
 	if err != nil {
 		// Should never happen. wrapper.go will only proxy requests to this
 		// handler if the media type passes DiscoveryEndpointRestrictions
 		utilruntime.HandleError(err)
-		resp.WriteHeader(http.StatusInternalServerError)
+		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 	var targetGV schema.GroupVersion
@@ -534,40 +563,39 @@ func (rdm *resourceDiscoveryManager) serveHTTP(resp http.ResponseWriter, req *ht
 		(mediaType.Convert.GroupVersion() != apidiscoveryv2.SchemeGroupVersion &&
 			mediaType.Convert.GroupVersion() != apidiscoveryv2beta1.SchemeGroupVersion) {
 		utilruntime.HandleError(fmt.Errorf("expected aggregated discovery group version, got group: %s, version %s", mediaType.Convert.Group, mediaType.Convert.Version))
-		resp.WriteHeader(http.StatusInternalServerError)
+		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
 	if mediaType.Convert.GroupVersion() == apidiscoveryv2beta1.SchemeGroupVersion &&
 		utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AggregatedDiscoveryRemoveBetaType) {
 		klog.Errorf("aggregated discovery version v2beta1 is removed. Please update to use v2")
-		resp.WriteHeader(http.StatusNotFound)
+		w.WriteHeader(http.StatusNotFound)
 		return
 	}
-
 	targetGV = mediaType.Convert.GroupVersion()
 
 	if len(etag) > 0 {
 		// Use proper e-tag headers if one is available
 		ServeHTTPWithETag(
-			&response,
+			resp,
 			etag,
 			targetGV,
-			rdm.serializer,
-			resp,
+			serializer,
+			w,
 			req,
 		)
 	} else {
 		// Default to normal response in rare case etag is
 		// not cached with the object for some reason.
 		responsewriters.WriteObjectNegotiated(
-			rdm.serializer,
+			serializer,
 			DiscoveryEndpointRestrictions,
 			targetGV,
-			resp,
+			w,
 			req,
 			http.StatusOK,
-			&response,
+			resp,
 			true,
 		)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler_test.go
index 4eb8e123b47ad..f707808f156cc 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/handler_test.go
@@ -39,6 +39,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	utilversion "k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/version"
 	apidiscoveryv2conversion "k8s.io/apiserver/pkg/apis/apidiscovery/v2"
 	discoveryendpoint "k8s.io/apiserver/pkg/endpoints/discovery/aggregated"
@@ -133,7 +134,7 @@ func fetchPath(handler http.Handler, acceptPrefix string, path string, etag stri
 func fetchPathHelper(handler http.Handler, accept string, path string, etag string) (*http.Response, []byte) {
 	// Expect json-formatted apis group list
 	w := httptest.NewRecorder()
-	req := httptest.NewRequest(request.MethodGet, discoveryPath, nil)
+	req := httptest.NewRequest(request.MethodGet, path, nil)
 
 	// Ask for JSON response
 	req.Header.Set("Accept", accept)
@@ -190,6 +191,7 @@ func TestBasicResponseProtobuf(t *testing.T) {
 
 // V2Beta1 should still be served
 func TestV2Beta1SkewSupport(t *testing.T) {
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AggregatedDiscoveryRemoveBetaType, false)
 	manager := discoveryendpoint.NewResourceManager("apis")
 
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics.go
index 816cf177ff6c8..a94cd588b2047 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics.go
@@ -17,20 +17,57 @@ limitations under the License.
 package aggregated
 
 import (
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/legacyregistry"
 )
 
+const subsystem = "aggregator_discovery"
+
 var (
 	regenerationCounter = metrics.NewCounter(
 		&metrics.CounterOpts{
-			Name:           "aggregator_discovery_aggregation_count_total",
+			Name:           "aggregation_count_total",
+			Subsystem:      subsystem,
 			Help:           "Counter of number of times discovery was aggregated",
 			StabilityLevel: metrics.ALPHA,
 		},
 	)
+
+	PeerAggregatedCacheHitsCounter = metrics.NewCounter(
+		&metrics.CounterOpts{
+			Name:           "peer_aggregated_cache_hits_total",
+			Subsystem:      subsystem,
+			Help:           "Counter of number of times discovery was served from peer-aggregated cache",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+
+	PeerAggregatedCacheMissesCounter = metrics.NewCounter(
+		&metrics.CounterOpts{
+			Name:           "peer_aggregated_cache_misses_total",
+			Subsystem:      subsystem,
+			Help:           "Counter of number of times discovery was aggregated across all API servers",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+
+	NoPeerDiscoveryRequestCounter = metrics.NewCounter(
+		&metrics.CounterOpts{
+			Name:           "nopeer_requests_total",
+			Subsystem:      subsystem,
+			Help:           "Counter of number of times no-peer (non peer-aggregated) discovery was requested",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
 )
 
 func init() {
 	legacyregistry.MustRegister(regenerationCounter)
+	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnknownVersionInteroperabilityProxy) {
+		legacyregistry.MustRegister(PeerAggregatedCacheHitsCounter)
+		legacyregistry.MustRegister(PeerAggregatedCacheMissesCounter)
+		legacyregistry.MustRegister(NoPeerDiscoveryRequestCounter)
+	}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics_test.go
index 0fb69f5351953..e5a420b51d092 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/metrics_test.go
@@ -25,7 +25,11 @@ import (
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
 
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
 	discoveryendpoint "k8s.io/apiserver/pkg/endpoints/discovery/aggregated"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 )
 
 func formatExpectedMetrics(aggregationCount int) io.Reader {
@@ -87,3 +91,64 @@ func TestMetricsModified(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestPeerAggregatedDiscoveryMetrics(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
+	manager := discoveryendpoint.NewResourceManager("apis")
+	localGroup := newAPIGroup("local.example.com", "v1", "local-resource")
+	manager.AddGroupVersion(localGroup.Name, localGroup.Versions[0])
+	peerProvider := &mockPeerDiscoveryProvider{
+		resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+			"peer-server-1": {
+				newAPIGroup("peer.example.com", "v2", "peer-resource"),
+			},
+		},
+	}
+	peerAggregatedDiscoveryManager := discoveryendpoint.NewPeerAggregatedDiscoveryHandler("test-server", manager, peerProvider, "apis")
+	wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(manager, manager, peerAggregatedDiscoveryManager)
+
+	legacyregistry.MustRegister(discoveryendpoint.PeerAggregatedCacheHitsCounter)
+	legacyregistry.MustRegister(discoveryendpoint.PeerAggregatedCacheMissesCounter)
+	legacyregistry.MustRegister(discoveryendpoint.NoPeerDiscoveryRequestCounter)
+
+	// Make 3 peer-aggregated requests.
+	fetchPath(wrapped, "application/json", "/apis", "")
+	fetchPath(wrapped, "application/json;profile=foo", "/apis", "")
+	fetchPath(wrapped, "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList", "/apis", "")
+
+	// Make 2 no-peer discovery requests.
+	fetchPath(wrapped, "application/json;profile=nopeer", "/apis", "")
+	peerAggregatedDiscoveryManager.InvalidateCache()
+	fetchPath(wrapped, "application/json;profile=nopeer", "/apis", "")
+	peerAggregatedDiscoveryManager.InvalidateCache()
+
+	cacheHitsTotalMetric := `
+# HELP aggregator_discovery_peer_aggregated_cache_hits_total [ALPHA] Counter of number of times discovery was served from peer-aggregated cache
+# TYPE aggregator_discovery_peer_aggregated_cache_hits_total counter
+aggregator_discovery_peer_aggregated_cache_hits_total 2
+`
+
+	cacheMissesTotalMetric := `
+# HELP aggregator_discovery_peer_aggregated_cache_misses_total [ALPHA] Counter of number of times discovery was aggregated across all API servers
+# TYPE aggregator_discovery_peer_aggregated_cache_misses_total counter
+aggregator_discovery_peer_aggregated_cache_misses_total 1
+`
+
+	noPeerDiscoveryTotalMetric := `
+# HELP aggregator_discovery_nopeer_requests_total [ALPHA] Counter of number of times no-peer (non peer-aggregated) discovery was requested
+# TYPE aggregator_discovery_nopeer_requests_total counter
+aggregator_discovery_nopeer_requests_total 2
+`
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(cacheHitsTotalMetric), "aggregator_discovery_peer_aggregated_cache_hits_total"); err != nil {
+		t.Errorf("unexpected metrics output: %v", err)
+	}
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(cacheMissesTotalMetric), "aggregator_discovery_peer_aggregated_cache_misses_total"); err != nil {
+		t.Errorf("unexpected metrics output: %v", err)
+	}
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(noPeerDiscoveryTotalMetric), "aggregator_discovery_nopeer_requests_total"); err != nil {
+		t.Errorf("unexpected metrics output: %v", err)
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler.go
new file mode 100644
index 0000000000000..c7f54376c1e15
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler.go
@@ -0,0 +1,495 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aggregated
+
+import (
+	"net/http"
+	"reflect"
+	"sort"
+	"sync/atomic"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apiserver/pkg/endpoints/metrics"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/klog/v2"
+
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	utilsort "k8s.io/apimachinery/pkg/util/sort"
+)
+
+// PeerDiscoveryProvider defines an interface to get peer resources for peer-aggregated discovery.
+type PeerDiscoveryProvider interface {
+	GetPeerResources() map[string][]apidiscoveryv2.APIGroupDiscovery
+}
+
+// PeerAggregatedResourceManager defines the interface for managing peer-aggregated discovery resources
+// that combines both local and peer server resources.
+type PeerAggregatedResourceManager interface {
+	// InvalidateCache invalidates the peer-aggregated discovery caches
+	// This should be called when peer discovery data changes.
+	InvalidateCache()
+
+	// ServeHTTP handles peer-aggregated discovery HTTP requests.
+	http.Handler
+}
+
+type peerAggregatedDiscoveryHandler struct {
+	serverID              string
+	localResourceManager  ResourceManager
+	peerDiscoveryProvider PeerDiscoveryProvider
+	serializer            runtime.NegotiatedSerializer
+	cache                 atomic.Pointer[cachedGroupList]
+	serveHTTPFunc         func(http.ResponseWriter, *http.Request)
+}
+
+// NewPeerAggregatedDiscoveryHandler creates a new handler for peer-aggregated discovery.
+func NewPeerAggregatedDiscoveryHandler(serverID string, localDiscoveryProvider ResourceManager, peerDiscoveryProvider PeerDiscoveryProvider, path string) PeerAggregatedResourceManager {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(apidiscoveryv2.AddToScheme(scheme))
+	codecs := serializer.NewCodecFactory(scheme)
+
+	h := &peerAggregatedDiscoveryHandler{
+		serverID:              serverID,
+		localResourceManager:  localDiscoveryProvider,
+		peerDiscoveryProvider: peerDiscoveryProvider,
+		serializer:            codecs,
+	}
+
+	h.localResourceManager.AddInvalidationCallback(func() {
+		h.InvalidateCache()
+	})
+
+	// Instrumentation wrapper for serveHTTP
+	h.serveHTTPFunc = metrics.InstrumentHandlerFunc(request.MethodGet,
+		"", "", "", path, "", metrics.APIServerComponent, false, "",
+		h.serveHTTP)
+
+	return h
+}
+
+// InvalidateCache invalidates the peer-aggregated discovery caches.
+// This should be called when peer discovery data changes.
+func (h *peerAggregatedDiscoveryHandler) InvalidateCache() {
+	h.cache.Store(nil)
+	klog.V(4).Info("Invalidated peer-aggregated discovery caches")
+}
+
+func (h *peerAggregatedDiscoveryHandler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
+	h.serveHTTPFunc(resp, req)
+}
+
+func (h *peerAggregatedDiscoveryHandler) serveHTTP(resp http.ResponseWriter, req *http.Request) {
+	cache := h.fetchFromCache()
+	response := cache.cachedResponse
+	etag := cache.cachedResponseETag
+
+	writeDiscoveryResponse(&response, etag, h.serializer, resp, req)
+}
+
+func (h *peerAggregatedDiscoveryHandler) fetchFromCache() *cachedGroupList {
+	cacheLoad := h.cache.Load()
+	if cacheLoad != nil {
+		PeerAggregatedCacheHitsCounter.Inc()
+		return cacheLoad
+	}
+
+	PeerAggregatedCacheMissesCounter.Inc()
+
+	// Get local groups
+	var localGroups []apidiscoveryv2.APIGroupDiscovery
+	if rdm, ok := h.localResourceManager.(resourceManager); ok {
+		localCache := rdm.fetchFromCache()
+		if localCache != nil {
+			localGroups = localCache.cachedResponse.Items
+		}
+	}
+
+	// Get peer resources if provider is set
+	var mergedGroups []apidiscoveryv2.APIGroupDiscovery
+	if h.peerDiscoveryProvider != nil {
+		peerResources := h.peerDiscoveryProvider.GetPeerResources()
+		mergedGroups = h.mergeResources(localGroups, peerResources)
+	} else {
+		mergedGroups = localGroups
+	}
+
+	response := apidiscoveryv2.APIGroupDiscoveryList{
+		Items: mergedGroups,
+	}
+	etag, err := calculateETag(response)
+	if err != nil {
+		klog.Errorf("failed to calculate etag for discovery document: %v", err)
+		etag = ""
+	}
+
+	cached := &cachedGroupList{
+		cachedResponse:     response,
+		cachedResponseETag: etag,
+	}
+	h.cache.Store(cached)
+	return cached
+}
+
+// mergeResources merges local and peer APIGroupDiscovery lists, preserving relative order as much as possible.
+// localGroups is a list of APIGroupDiscovery objects from the local server.
+// peerGroupDiscovery is a map of peer server IDs to their APIGroupDiscovery lists.
+func (h *peerAggregatedDiscoveryHandler) mergeResources(
+	localGroups []apidiscoveryv2.APIGroupDiscovery,
+	peerGroupDiscovery map[string][]apidiscoveryv2.APIGroupDiscovery,
+) []apidiscoveryv2.APIGroupDiscovery {
+	discoveryByServerID := h.combineServerDiscoveryLists(localGroups, peerGroupDiscovery)
+	if len(discoveryByServerID) <= 1 {
+		// No merging or sorting needed.
+		return localGroups
+	}
+
+	mergedGroupMap := make(map[string]apidiscoveryv2.APIGroupDiscovery)
+	allGroupNames := make([][]string, 0, len(discoveryByServerID))
+	sortedServerIDs := sortServerIDs(discoveryByServerID)
+
+	// contentChanged tracks if any new groups/versions/resources were added in a peer.
+	contentChanged := false
+	// groupNameListsAreIdentical tracks if all peers have the exact same group names as local.
+	groupNameListsAreIdentical := true
+	localGroupNames := localGroupNames(localGroups)
+	for _, serverID := range sortedServerIDs {
+		discoveryGroups := discoveryByServerID[serverID]
+		groupNames, didThisServerMerge := h.processServerGroups(discoveryGroups, mergedGroupMap)
+		if didThisServerMerge {
+			contentChanged = true
+		}
+		allGroupNames = append(allGroupNames, groupNames)
+		// Check if this server's group order differs from local.
+		// 1. It catches simple re-orderings (e.g., ["g1", "g2"] vs ["g2", "g1"]).
+		// 2. It catches new or removed groups (e.g., ["g1"] vs ["g1", "g2"]).
+		// In either case, the list is not identical, and we must fall through
+		// to the full merge to ensure a deterministic result.
+		if !reflect.DeepEqual(localGroupNames, groupNames) {
+			groupNameListsAreIdentical = false
+		}
+	}
+
+	// Case 1: Total short-circuit.
+	// Nothing changed (no new content AND no order change).
+	if !contentChanged && groupNameListsAreIdentical {
+		return localGroups
+	}
+
+	var finalGroupOrder []string
+	// Case 2: Content changed, but group order didn't.
+	// We must return the new content, but we can skip the expensive sort.
+	if contentChanged && groupNameListsAreIdentical {
+		finalGroupOrder = localGroupNames
+	} else {
+		// Case 3: Group lists were different (new groups, different order, or both).
+		// We have no choice but to run the full topological sort.
+		finalGroupOrder = utilsort.MergePreservingRelativeOrder(allGroupNames)
+	}
+
+	return assembleGroups(mergedGroupMap, finalGroupOrder)
+}
+
+func (h *peerAggregatedDiscoveryHandler) processServerGroups(
+	discoveryGroups []apidiscoveryv2.APIGroupDiscovery,
+	mergedGroupMap map[string]apidiscoveryv2.APIGroupDiscovery,
+) (groupNames []string, contentMerged bool) {
+	groupNames = make([]string, 0, len(discoveryGroups))
+	contentMerged = false
+
+	for _, group := range discoveryGroups {
+		if existing, ok := mergedGroupMap[group.Name]; ok {
+			// Merge versions and resources.
+			mergedG, didMerge := mergeVersionsAcrossGroup(existing, group)
+			mergedGroupMap[group.Name] = mergedG
+			if didMerge {
+				contentMerged = true
+			}
+		} else {
+			mergedGroupMap[group.Name] = group
+		}
+		groupNames = append(groupNames, group.Name)
+	}
+
+	return groupNames, contentMerged
+}
+
+// mergeVersionsAcrossGroup merges two APIGroupDiscovery objects.
+// It returns a new merged object and a boolean indicating if the result differs from a.
+// The result may differ if any new versions/resources were added or if the order was different.
+func mergeVersionsAcrossGroup(a, b apidiscoveryv2.APIGroupDiscovery) (apidiscoveryv2.APIGroupDiscovery, bool) {
+	versionOrder := [][]string{}
+	mergedVersionMap := make(map[string]apidiscoveryv2.APIVersionDiscovery)
+
+	aVersionNames := make([]string, 0, len(a.Versions))
+	bVersionNames := make([]string, 0, len(b.Versions))
+	// This flag tracks if 'b' modified existing versions.
+	contentMerged := false
+
+	for _, v := range a.Versions {
+		aVersionNames = append(aVersionNames, v.Version)
+		mergedVersionMap[v.Version] = v
+	}
+	versionOrder = append(versionOrder, aVersionNames)
+
+	for _, v := range b.Versions {
+		bVersionNames = append(bVersionNames, v.Version)
+		if existing, ok := mergedVersionMap[v.Version]; !ok {
+			mergedVersionMap[v.Version] = v
+		} else {
+			// Version exists in both, must merge their resources
+			mergedV, didMerge := mergeResourcesAcrossVersion(existing, v)
+			mergedVersionMap[v.Version] = mergedV
+			if didMerge {
+				contentMerged = true
+			}
+		}
+	}
+	versionOrder = append(versionOrder, bVersionNames)
+
+	// Case 1: Total short-circuit.
+	// No new versions/resources were added and order is the same.
+	versionNamesAreIdentical := reflect.DeepEqual(aVersionNames, bVersionNames)
+	if !contentMerged && versionNamesAreIdentical {
+		return a, false
+	}
+
+	var finalVersionOrder []string
+	if versionNamesAreIdentical {
+		// Case 2: Content changed, but version order didn't.
+		// We can skip the expensive sort and just use the known order.
+		finalVersionOrder = aVersionNames
+	} else {
+		// Case 3: Version lists were different (new versions, different order, or both).
+		// Must perform topological sort.
+		finalVersionOrder = utilsort.MergePreservingRelativeOrder(versionOrder)
+	}
+
+	mergedVersions := orderedAPIVersionList(mergedVersionMap, finalVersionOrder)
+	return apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: *a.ObjectMeta.DeepCopy(),
+		TypeMeta:   a.TypeMeta,
+		Versions:   mergedVersions,
+	}, true
+}
+
+// mergeResourcesAcrossVersion merges two APIVersionDiscovery objects.
+// It returns a new merged object and a boolean indicating if the result differs from a.
+// The result may differ if any new resources were added or if the order was different.
+func mergeResourcesAcrossVersion(a, b apidiscoveryv2.APIVersionDiscovery) (apidiscoveryv2.APIVersionDiscovery, bool) {
+	resourceOrder := [][]string{}
+	mergedResourceMap := make(map[string]apidiscoveryv2.APIResourceDiscovery)
+
+	aResourceNames := make([]string, 0, len(a.Resources))
+	bResourceNames := make([]string, 0, len(b.Resources))
+	// This flag tracks if 'b' modified existing resources.
+	contentChanged := false
+
+	for _, r := range a.Resources {
+		aResourceNames = append(aResourceNames, r.Resource)
+		mergedResourceMap[r.Resource] = r
+	}
+	resourceOrder = append(resourceOrder, aResourceNames)
+
+	for _, r := range b.Resources {
+		bResourceNames = append(bResourceNames, r.Resource)
+		if existing, ok := mergedResourceMap[r.Resource]; !ok {
+			mergedResourceMap[r.Resource] = r
+		} else {
+			if reflect.DeepEqual(existing, r) {
+				continue
+			}
+			contentChanged = true
+			mergedR := mergeResourceCapabilities(existing, r)
+			mergedResourceMap[r.Resource] = mergedR
+		}
+	}
+	resourceOrder = append(resourceOrder, bResourceNames)
+
+	// Case 1: Total short-circuit.
+	// 'b' didn't add any new resources AND the resource order is the same.
+	resourceNameListIsIdentical := reflect.DeepEqual(aResourceNames, bResourceNames)
+	if !contentChanged && resourceNameListIsIdentical {
+		return a, false
+	}
+
+	var finalResourceOrder []string
+	if resourceNameListIsIdentical {
+		// Case 2: Content changed, but resource order didn't.
+		// We can skip the expensive sort and just use the known order.
+		finalResourceOrder = aResourceNames
+	} else {
+		// Case 3: Resource lists were different (new resources, different order, or both).
+		// Must perform topological sort.
+		finalResourceOrder = utilsort.MergePreservingRelativeOrder(resourceOrder)
+	}
+
+	mergedResources := orderedAPIResourceList(mergedResourceMap, finalResourceOrder)
+	return apidiscoveryv2.APIVersionDiscovery{
+		Version:   a.Version,
+		Resources: mergedResources,
+		Freshness: a.Freshness,
+	}, true
+}
+
+// mergeResourceCapabilities takes two resources and returns a new one
+// containing the union of their verbs and subresources.
+// The resulting slices are sorted to ensure the merge is deterministic.
+func mergeResourceCapabilities(a, b apidiscoveryv2.APIResourceDiscovery) apidiscoveryv2.APIResourceDiscovery {
+	// 1. Merge Verbs
+	verbSet := make(map[string]struct{})
+	for _, v := range a.Verbs {
+		verbSet[v] = struct{}{}
+	}
+	for _, v := range b.Verbs {
+		verbSet[v] = struct{}{}
+	}
+
+	var newVerbs []string
+	if len(verbSet) > 0 {
+		newVerbs = make([]string, 0, len(verbSet))
+		for v := range verbSet {
+			newVerbs = append(newVerbs, v)
+		}
+		// Sort for deterministic ETag
+		sort.Strings(newVerbs)
+	}
+
+	// 2. Merge Subresources
+	subresourceSet := make(map[string]apidiscoveryv2.APISubresourceDiscovery)
+	for _, s := range a.Subresources {
+		subresourceSet[s.Subresource] = s
+	}
+	for _, s := range b.Subresources {
+		subresourceSet[s.Subresource] = s
+	}
+
+	var newSubresources []apidiscoveryv2.APISubresourceDiscovery
+	if len(subresourceSet) > 0 {
+		newSubresources = make([]apidiscoveryv2.APISubresourceDiscovery, 0, len(subresourceSet))
+		for _, s := range subresourceSet {
+			newSubresources = append(newSubresources, s)
+		}
+		// Sort for deterministic ETag
+		sort.Slice(newSubresources, func(i, j int) bool {
+			return newSubresources[i].Subresource < newSubresources[j].Subresource
+		})
+	}
+
+	// 3. Return the new, merged object
+	// We prefer 'a's metadata (like ResponseKind) but 'b's could be used if 'a' is empty.
+	mergedResource := a
+	if len(mergedResource.Resource) == 0 {
+		mergedResource = b
+	}
+	mergedResource.Verbs = newVerbs
+	mergedResource.Subresources = newSubresources
+
+	return mergedResource
+}
+
+// assembleGroups builds the final slice from the merged map and ordered list.
+func assembleGroups(
+	groupMap map[string]apidiscoveryv2.APIGroupDiscovery,
+	orderedGroups []string,
+) []apidiscoveryv2.APIGroupDiscovery {
+	result := make([]apidiscoveryv2.APIGroupDiscovery, 0, len(orderedGroups))
+	for _, groupName := range orderedGroups {
+		if group, ok := groupMap[groupName]; ok {
+			result = append(result, group)
+		}
+	}
+	return result
+}
+
+// orderedAPIVersionList builds the final APIGroupDiscovery struct.
+func orderedAPIVersionList(
+	versionMap map[string]apidiscoveryv2.APIVersionDiscovery,
+	orderedVersions []string,
+) []apidiscoveryv2.APIVersionDiscovery {
+	mergedVersions := make([]apidiscoveryv2.APIVersionDiscovery, 0, len(orderedVersions))
+	for _, vName := range orderedVersions {
+		if v, ok := versionMap[vName]; ok {
+			mergedVersions = append(mergedVersions, v)
+			delete(versionMap, vName) // Avoid duplicates
+		}
+	}
+
+	return mergedVersions
+}
+
+// orderedAPIResourceList builds the final APIVersionDiscovery struct.
+func orderedAPIResourceList(
+	resourceMap map[string]apidiscoveryv2.APIResourceDiscovery,
+	orderedResources []string,
+) []apidiscoveryv2.APIResourceDiscovery {
+	mergedResources := make([]apidiscoveryv2.APIResourceDiscovery, 0, len(orderedResources))
+	for _, rName := range orderedResources {
+		if r, ok := resourceMap[rName]; ok {
+			mergedResources = append(mergedResources, r)
+			delete(resourceMap, rName)
+		}
+	}
+
+	return mergedResources
+}
+
+func (h *peerAggregatedDiscoveryHandler) combineServerDiscoveryLists(localGroups []apidiscoveryv2.APIGroupDiscovery, peerGroupDiscovery map[string][]apidiscoveryv2.APIGroupDiscovery,
+) map[string][]apidiscoveryv2.APIGroupDiscovery {
+	allServerLists := make(map[string][]apidiscoveryv2.APIGroupDiscovery, len(peerGroupDiscovery)+1)
+	allServerLists[h.serverID] = localGroups
+	for peerID, peerList := range peerGroupDiscovery {
+		allServerLists[peerID] = peerList
+	}
+	return allServerLists
+}
+
+func sortServerIDs(allServerLists map[string][]apidiscoveryv2.APIGroupDiscovery) []string {
+	allServerIDs := make([]string, 0, len(allServerLists))
+	for serverID := range allServerLists {
+		allServerIDs = append(allServerIDs, serverID)
+	}
+	sort.Strings(allServerIDs)
+	return allServerIDs
+}
+
+func localGroupNames(localGroups []apidiscoveryv2.APIGroupDiscovery) []string {
+	localGroupNames := make([]string, 0, len(localGroups))
+	for _, g := range localGroups {
+		localGroupNames = append(localGroupNames, g.Name)
+	}
+	return localGroupNames
+}
+
+// TestMergeResources is for testing only. It allows tests to call MergeResources without exporting peerAggregatedDiscoveryHandler.
+func TestMergeResources(serverID string, localGroups []apidiscoveryv2.APIGroupDiscovery, peerGroupDiscovery map[string][]apidiscoveryv2.APIGroupDiscovery) []apidiscoveryv2.APIGroupDiscovery {
+	h := &peerAggregatedDiscoveryHandler{serverID: serverID}
+	return h.mergeResources(localGroups, peerGroupDiscovery)
+}
+
+// TestFetchFromCache is for testing only. It allows tests to call fetchFromCache without exporting peerAggregatedDiscoveryHandler.
+// Returns the cached response and ETag.
+func TestFetchFromCache(serverID string, localResourceManager ResourceManager, peerDiscoveryProvider PeerDiscoveryProvider) (apidiscoveryv2.APIGroupDiscoveryList, string) {
+	h := &peerAggregatedDiscoveryHandler{
+		serverID:              serverID,
+		localResourceManager:  localResourceManager,
+		peerDiscoveryProvider: peerDiscoveryProvider,
+	}
+	cached := h.fetchFromCache()
+	return cached.cachedResponse, cached.cachedResponseETag
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler_test.go
new file mode 100644
index 0000000000000..9dcf34e37719d
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/peer_aggregated_handler_test.go
@@ -0,0 +1,490 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aggregated_test
+
+import (
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	discoveryendpoint "k8s.io/apiserver/pkg/endpoints/discovery/aggregated"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+)
+
+func TestPeerAggregatedDiscovery(t *testing.T) {
+	manager := discoveryendpoint.NewResourceManager("apis")
+	localGroup := newAPIGroup("local.example.com", "v1", "local-resource")
+	manager.AddGroupVersion(localGroup.Name, localGroup.Versions[0])
+
+	peerProvider := &mockPeerDiscoveryProvider{
+		resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+			"peer-server-1": {
+				newAPIGroup("peer.example.com", "v2", "peer-resource"),
+			},
+		},
+	}
+
+	testCases := []struct {
+		name                          string
+		enablePeerAggregatedDiscovery bool
+		acceptHeader                  string
+		peerProvider                  discoveryendpoint.PeerDiscoveryProvider
+		wantGroupNames                []string
+	}{
+		{
+			name:                          "Peer aggregated discovery disabled (should get local discovery)",
+			enablePeerAggregatedDiscovery: false,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer",
+			wantGroupNames:                []string{"local.example.com"},
+		},
+		{
+			name:                          "Request without profile (should default to peer-aggregated)",
+			enablePeerAggregatedDiscovery: true,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList",
+			peerProvider:                  peerProvider,
+			wantGroupNames:                []string{"local.example.com", "peer.example.com"},
+		},
+		{
+			name:                          "Request with unknown profile (should default to peer-aggregated)",
+			enablePeerAggregatedDiscovery: true,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=foo",
+			peerProvider:                  peerProvider,
+			wantGroupNames:                []string{"local.example.com", "peer.example.com"},
+		},
+		{
+			name:                          "Request with profile=nopeer (should get no-peer discovery)",
+			enablePeerAggregatedDiscovery: true,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer",
+			peerProvider:                  peerProvider,
+			wantGroupNames:                []string{"local.example.com"},
+		},
+		{
+			name:                          "Peer provider nil (should get local discovery)",
+			enablePeerAggregatedDiscovery: true,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList",
+			peerProvider:                  nil,
+			wantGroupNames:                []string{"local.example.com"},
+		},
+		{
+			name:                          "Multiple peer resources (should return all)",
+			enablePeerAggregatedDiscovery: true,
+			acceptHeader:                  "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList",
+			peerProvider: &mockPeerDiscoveryProvider{
+				resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+					"peer-server-1": {
+						newAPIGroup("peer.example.com", "v2", "peer-resource"),
+					},
+					"peer-server-2": {
+						newAPIGroup("peer2.example.com", "v1", "peer2-resource"),
+					},
+				},
+			},
+			wantGroupNames: []string{
+				"local.example.com", "peer.example.com", "peer2.example.com",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, tc.enablePeerAggregatedDiscovery)
+
+			peerAggregatedDiscoveryManager := discoveryendpoint.NewPeerAggregatedDiscoveryHandler("test-server", manager, tc.peerProvider, "apis")
+			wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(manager, manager, peerAggregatedDiscoveryManager)
+
+			resp, _, decoded := fetchPath(wrapped, tc.acceptHeader, "/apis", "")
+			require.Equal(t, http.StatusOK, resp.StatusCode)
+			require.NotNil(t, decoded)
+			gotGroupNames := make([]string, 0, len(decoded.Items))
+			for _, group := range decoded.Items {
+				gotGroupNames = append(gotGroupNames, group.Name)
+			}
+			assert.ElementsMatch(t, tc.wantGroupNames, gotGroupNames, "group names mismatch")
+		})
+	}
+}
+
+func TestPeerAggregatedDiscovery_ETagHandling(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
+	manager := discoveryendpoint.NewResourceManager("apis")
+	localGroup := newAPIGroup("local.example.com", "v1", "local-resource")
+	manager.AddGroupVersion(localGroup.Name, localGroup.Versions[0])
+	peerProvider := &mockPeerDiscoveryProvider{
+		resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+			"peer-server-1": {
+				newAPIGroup("peer.example.com", "v2", "peer-resource"),
+			},
+		},
+	}
+
+	peerAggregatedDiscoveryManager := discoveryendpoint.NewPeerAggregatedDiscoveryHandler("test-server", manager, peerProvider, "apis")
+	wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(manager, manager, peerAggregatedDiscoveryManager)
+
+	// First request, get ETag
+	rr1 := &responseRecorder{header: make(http.Header)}
+	req1, _ := http.NewRequest(http.MethodGet, "/apis", nil)
+	req1.Header.Set("Accept", "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList")
+	wrapped.ServeHTTP(rr1, req1)
+	etag1 := rr1.header.Get("ETag")
+	assert.NotEmpty(t, etag1, "ETag should be set on first response")
+
+	// Second request, ETag should be the same (cache hit)
+	rr2 := &responseRecorder{header: make(http.Header)}
+	req2, _ := http.NewRequest(http.MethodGet, "/apis", nil)
+	req2.Header.Set("Accept", "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList")
+	wrapped.ServeHTTP(rr2, req2)
+	etag2 := rr2.header.Get("ETag")
+	assert.Equal(t, etag1, etag2, "ETag should be the same for cached response")
+
+	// Invalidate cache and add a new peer resource
+	peerAggregatedDiscoveryManager.InvalidateCache()
+	gvr := schema.GroupVersionResource{Group: "peer.example.com", Version: "v2", Resource: "peer-resource2"}
+	peerProvider.addResource("peer-server-3", gvr, newAPIGroup(gvr.Group, gvr.Version, "peer-resource2"))
+
+	// Third request, ETag should change
+	rr3 := &responseRecorder{header: make(http.Header)}
+	req3, _ := http.NewRequest(http.MethodGet, "/apis", nil)
+	req3.Header.Set("Accept", "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList")
+	wrapped.ServeHTTP(rr3, req3)
+	etag3 := rr3.header.Get("ETag")
+	assert.NotEmpty(t, etag3, "ETag should be set after resource change")
+	assert.NotEqual(t, etag1, etag3, "ETag should change when resources change")
+}
+
+func TestFetchFromCache(t *testing.T) {
+	testCases := []struct {
+		name         string
+		localGroups  []apidiscoveryv2.APIGroupDiscovery
+		peerProvider discoveryendpoint.PeerDiscoveryProvider
+		wantGroups   []string
+	}{
+		{
+			name: "local only - no peer provider",
+			localGroups: []apidiscoveryv2.APIGroupDiscovery{
+				newAPIGroup("local.example.com", "v1", "local-resource"),
+			},
+			peerProvider: nil,
+			wantGroups:   []string{"local.example.com"},
+		},
+		{
+			name: "local and peer resources",
+			localGroups: []apidiscoveryv2.APIGroupDiscovery{
+				newAPIGroup("local.example.com", "v1", "local-resource"),
+			},
+			peerProvider: &mockPeerDiscoveryProvider{
+				resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+					"peer-server-1": {
+						newAPIGroup("peer1.example.com", "v1", "peer1-resource"),
+					},
+					"peer-server-2": {
+						newAPIGroup("peer2.example.com", "v1", "peer2-resource"),
+					},
+				},
+			},
+			wantGroups: []string{"local.example.com", "peer1.example.com", "peer2.example.com"},
+		},
+		{
+			name:        "no local resources, only peer",
+			localGroups: []apidiscoveryv2.APIGroupDiscovery{},
+			peerProvider: &mockPeerDiscoveryProvider{
+				resources: map[string][]apidiscoveryv2.APIGroupDiscovery{
+					"peer-server-1": {
+						newAPIGroup("peer.example.com", "v1", "peer-resource"),
+					},
+				},
+			},
+			wantGroups: []string{"peer.example.com"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			manager := discoveryendpoint.NewResourceManager("apis")
+			for _, group := range tc.localGroups {
+				for _, version := range group.Versions {
+					manager.AddGroupVersion(group.Name, version)
+				}
+			}
+
+			response, etag := discoveryendpoint.TestFetchFromCache("test-server", manager, tc.peerProvider)
+			gotGroupNames := make([]string, 0, len(response.Items))
+			for _, group := range response.Items {
+				gotGroupNames = append(gotGroupNames, group.Name)
+			}
+
+			assert.ElementsMatch(t, tc.wantGroups, gotGroupNames, "group names mismatch")
+			assert.NotEmpty(t, etag, "ETag should be set")
+		})
+	}
+}
+
+func TestMergeResources(t *testing.T) {
+	r1 := apidiscoveryv2.APIResourceDiscovery{Resource: "r1"}
+	r2 := apidiscoveryv2.APIResourceDiscovery{Resource: "r2"}
+
+	v1r1 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{r1}}
+	v1r2 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{r2}}
+	v2r1 := apidiscoveryv2.APIVersionDiscovery{Version: "v2", Resources: []apidiscoveryv2.APIResourceDiscovery{r1}}
+
+	serverA := "serverA"
+	serverB := "serverB"
+
+	// Local versions/resources
+	g1v1r1 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{v1r1},
+	}
+	g2v1r1 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g2", UID: "g2-uid"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{v1r1},
+	}
+
+	// Peer versions/resources
+	g1v1r2 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-peer-uid"}, // Different UID
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{v1r2},
+	}
+	g1v2r1 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-peer-uid"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{v2r1},
+	}
+
+	// g1v1r1 + g1v1r2 = g1v1(r1,r2)
+	g1v1r1r2Merged := apidiscoveryv2.APIGroupDiscovery{
+		// Meta is copied from first server in the sorted list of serverIDs
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid"}, // Meta from g1v1r1
+		Versions: []apidiscoveryv2.APIVersionDiscovery{
+			{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{r1, r2}},
+		},
+	}
+
+	// g1v1r1 + g1v2r1 = g1(v1r1, v2r1)
+	g1v1r1v2r1Merged := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid"}, // Meta from g1v1r1
+		Versions: []apidiscoveryv2.APIVersionDiscovery{
+			{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{r1}},
+			{Version: "v2", Resources: []apidiscoveryv2.APIResourceDiscovery{r1}},
+		},
+	}
+
+	// verbs test data
+	rVerbs1 := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Verbs: []string{"get", "list"}}
+	rVerbs2 := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Verbs: []string{"get", "watch"}}
+	rVerbsMerged := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Verbs: []string{"get", "list", "watch"}} // Verbs are sorted by helper
+
+	vVerbs1 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rVerbs1}}
+	vVerbs2 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rVerbs2}}
+	vVerbsMerged := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rVerbsMerged}}
+
+	gVerbs1 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-a"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vVerbs1},
+	}
+	gVerbs2 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-b"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vVerbs2},
+	}
+	gVerbsMerged := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-a"}, // Metadata from serverA (alphabetical first)
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vVerbsMerged},
+	}
+
+	// subresource test data
+	rSub1 := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Subresources: []apidiscoveryv2.APISubresourceDiscovery{{Subresource: "status"}}}
+	rSub2 := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Subresources: []apidiscoveryv2.APISubresourceDiscovery{{Subresource: "log"}}}
+	rSubMerged := apidiscoveryv2.APIResourceDiscovery{Resource: "pods", Subresources: []apidiscoveryv2.APISubresourceDiscovery{{Subresource: "log"}, {Subresource: "status"}}} // Sorted by helper
+
+	vSub1 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rSub1}}
+	vSub2 := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rSub2}}
+	vSubMerged := apidiscoveryv2.APIVersionDiscovery{Version: "v1", Resources: []apidiscoveryv2.APIResourceDiscovery{rSubMerged}}
+
+	gSub1 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-a"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vSub1},
+	}
+	gSub2 := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-b"},
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vSub2},
+	}
+	gSubMerged := apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: "g1", UID: "g1-uid-a"}, // Metadata from serverA
+		Versions:   []apidiscoveryv2.APIVersionDiscovery{vSubMerged},
+	}
+
+	tests := []struct {
+		name                 string
+		localServerID        string
+		localGroups          []apidiscoveryv2.APIGroupDiscovery
+		peerGroupDiscovery   map[string][]apidiscoveryv2.APIGroupDiscovery
+		wantResult           []apidiscoveryv2.APIGroupDiscovery
+		validateShortCircuit bool
+	}{
+		{
+			name:                 "no peers, just local resources",
+			localServerID:        serverA,
+			localGroups:          []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},
+			peerGroupDiscovery:   map[string][]apidiscoveryv2.APIGroupDiscovery{},
+			wantResult:           []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},
+			validateShortCircuit: true,
+		},
+		{
+			name:                 "peer adds no new g/v/r",
+			localServerID:        serverA,
+			localGroups:          []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},
+			peerGroupDiscovery:   map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g1v1r1, g2v1r1}},
+			wantResult:           []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},
+			validateShortCircuit: true,
+		},
+		{
+			name:               "peer adds a new resource to existing g/v",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g1v1r1},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g1v1r2}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1r2Merged},
+		},
+		{
+			name:               "peer adds a new version to existing group",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g1v1r1},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g1v2r1}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1v2r1Merged},
+		},
+		{
+			name:               "peer adds a completely new group",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g1v1r1},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g2v1r1}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},
+		},
+		{
+			name:               "peer has same data but different group order",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},                         // g1, g2
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g2v1r1, g1v1r1}}, // g2, g1
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},                         // Final order is [g1, g2] due to topo-sort
+		},
+		{
+			name:               "deterministic merge (Server A's view)",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g1v1r1},                         // A has g1
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverB": {g2v1r1}}, // B has g2
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},                 // Sorted order is [g1, g2]
+		},
+		{
+			name:               "deterministic merge (Server B's view)",
+			localServerID:      serverB,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{g2v1r1},                         // B has g2
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{"serverA": {g1v1r1}}, // A has g1
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1, g2v1r1},                 // Sorted order is [g1, g2]
+		},
+		{
+			name:               "peer adds a new verb to existing resource (triggers Case 2)",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{gVerbs1},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{serverB: {gVerbs2}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{gVerbsMerged},
+		},
+		{
+			name:               "peer adds a new subresource to existing resource (triggers Case 2)",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{gSub1},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{serverB: {gSub2}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{gSubMerged},
+		},
+		{
+			name:               "empty local, non-empty peer (triggers Case 3)",
+			localServerID:      serverA,
+			localGroups:        []apidiscoveryv2.APIGroupDiscovery{},
+			peerGroupDiscovery: map[string][]apidiscoveryv2.APIGroupDiscovery{serverB: {g1v1r1}},
+			wantResult:         []apidiscoveryv2.APIGroupDiscovery{g1v1r1},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := discoveryendpoint.TestMergeResources(tt.localServerID, tt.localGroups, tt.peerGroupDiscovery)
+			if !reflect.DeepEqual(result, tt.wantResult) {
+				t.Errorf("mergeResources() mismatch (-want +got):\n%s", cmp.Diff(tt.wantResult, result))
+			}
+
+			// Test the short-circuit case specifically if requested
+			if tt.validateShortCircuit {
+				// reflect.ValueOf(slice).Pointer() gives the address of the underlying array.
+				// If the short-circuit worked, the result slice should be the *exact same*
+				// slice (same pointer) as localGroups, not just DeepEqual.
+				if reflect.ValueOf(result).Pointer() != reflect.ValueOf(tt.localGroups).Pointer() {
+					t.Errorf("Short-circuit failed: function returned a new slice instead of the original localGroups")
+				}
+			}
+		})
+	}
+}
+
+type mockPeerDiscoveryProvider struct {
+	resources map[string][]apidiscoveryv2.APIGroupDiscovery
+}
+
+// responseRecorder is a minimal http.ResponseWriter for testing status codes and headers
+type responseRecorder struct {
+	header     http.Header
+	statusCode int
+	body       strings.Builder
+}
+
+func (r *responseRecorder) Header() http.Header         { return r.header }
+func (r *responseRecorder) Write(b []byte) (int, error) { return r.body.Write(b) }
+func (r *responseRecorder) WriteHeader(statusCode int)  { r.statusCode = statusCode }
+
+func (m *mockPeerDiscoveryProvider) GetPeerResources() map[string][]apidiscoveryv2.APIGroupDiscovery {
+	return m.resources
+}
+
+func (m *mockPeerDiscoveryProvider) addResource(serverID string, gvr schema.GroupVersionResource, groupDiscovery apidiscoveryv2.APIGroupDiscovery) {
+	if m.resources == nil {
+		m.resources = make(map[string][]apidiscoveryv2.APIGroupDiscovery)
+	}
+
+	if _, exists := m.resources[serverID]; !exists {
+		m.resources[serverID] = []apidiscoveryv2.APIGroupDiscovery{}
+	}
+	m.resources[serverID] = append(m.resources[serverID], groupDiscovery)
+}
+
+func newAPIGroup(groupName, versionName, resourceName string) apidiscoveryv2.APIGroupDiscovery {
+	return apidiscoveryv2.APIGroupDiscovery{
+		ObjectMeta: metav1.ObjectMeta{Name: groupName},
+		Versions: []apidiscoveryv2.APIVersionDiscovery{
+			{
+				Version: versionName,
+				Resources: []apidiscoveryv2.APIResourceDiscovery{
+					{Resource: resourceName},
+				},
+			},
+		},
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper.go
index c9f0907e7d186..dc098c81bf4e6 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper.go
@@ -28,18 +28,33 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 )
 
 type WrappedHandler struct {
-	s          runtime.NegotiatedSerializer
-	handler    http.Handler
-	aggHandler http.Handler
+	s                     runtime.NegotiatedSerializer
+	handler               http.Handler
+	aggHandler            http.Handler
+	peerAggregatedHandler http.Handler
 }
 
 func (wrapped *WrappedHandler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
-	mediaType, _ := negotiation.NegotiateMediaTypeOptions(req.Header.Get("Accept"), wrapped.s.SupportedMediaTypes(), DiscoveryEndpointRestrictions)
 	// mediaType.Convert looks at the request accept headers and is used to control whether the discovery document will be aggregated.
+	mediaType, _ := negotiation.NegotiateMediaTypeOptions(req.Header.Get("Accept"), wrapped.s.SupportedMediaTypes(), DiscoveryEndpointRestrictions)
 	if IsAggregatedDiscoveryGVK(mediaType.Convert) {
+		if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnknownVersionInteroperabilityProxy) && mediaType.Convert.Version == "v2" {
+			if mediaType.Profile == "nopeer" {
+				NoPeerDiscoveryRequestCounter.Inc()
+				wrapped.aggHandler.ServeHTTP(resp, req)
+				return
+			}
+			if wrapped.peerAggregatedHandler != nil {
+				// Serve peer-aggregated discovery by default if provided.
+				wrapped.peerAggregatedHandler.ServeHTTP(resp, req)
+				return
+			}
+		}
 		wrapped.aggHandler.ServeHTTP(resp, req)
 		return
 	}
@@ -68,10 +83,15 @@ func (wrapped *WrappedHandler) GenerateWebService(prefix string, returnType inte
 // emit the aggregated discovery by passing in the aggregated
 // discovery type in content negotiation headers: eg: (Accept:
 // application/json;v=v2;g=apidiscovery.k8s.io;as=APIGroupDiscoveryList)
-func WrapAggregatedDiscoveryToHandler(handler http.Handler, aggHandler http.Handler) *WrappedHandler {
+//
+// If peerAggregatedHandler is non-nil, it will be used to serve peer-aggregated
+// discovery requests which aggregate discovery information from peer API servers.
+// To request a no-peer aggregation, the client must include the "profile=nopeer" parameter in the
+// Accept header eg: (Accept: application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer).
+func WrapAggregatedDiscoveryToHandler(handler, aggHandler, peerAggregatedHandler http.Handler) *WrappedHandler {
 	scheme := runtime.NewScheme()
 	utilruntime.Must(apidiscoveryv2.AddToScheme(scheme))
 	utilruntime.Must(apidiscoveryv2beta1.AddToScheme(scheme))
 	codecs := serializer.NewCodecFactory(scheme)
-	return &WrappedHandler{codecs, handler, aggHandler}
+	return &WrappedHandler{codecs, handler, aggHandler, peerAggregatedHandler}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper_test.go
index 5e25438c29e40..871ba565a0cc9 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/discovery/aggregated/wrapper_test.go
@@ -24,6 +24,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -40,6 +41,8 @@ const aggregatedV2Beta1JSONAccept = jsonAccept + aggregatedV2Beta1AcceptSuffix
 const aggregatedV2Beta1ProtoAccept = protobufAccept + aggregatedV2Beta1AcceptSuffix
 const aggregatedJSONAccept = jsonAccept + aggregatedAcceptSuffix
 const aggregatedProtoAccept = protobufAccept + aggregatedAcceptSuffix
+const aggregatedNoPeerJSONAccept = jsonAccept + aggregatedAcceptSuffix + ";profile=nopeer"
+const aggregatedNoPeerProtoAccept = protobufAccept + aggregatedAcceptSuffix + ";profile=nopeer"
 
 func fetchPath(handler http.Handler, path, accept string) string {
 	w := httptest.NewRecorder()
@@ -49,7 +52,7 @@ func fetchPath(handler http.Handler, path, accept string) string {
 	req.Header.Set("Accept", accept)
 
 	handler.ServeHTTP(w, req)
-	return string(w.Body.Bytes())
+	return w.Body.String()
 }
 
 type fakeHTTPHandler struct {
@@ -61,13 +64,16 @@ func (f fakeHTTPHandler) ServeHTTP(resp http.ResponseWriter, req *http.Request)
 }
 
 func TestAggregationEnabled(t *testing.T) {
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 	unaggregated := fakeHTTPHandler{data: "unaggregated"}
-	aggregated := fakeHTTPHandler{data: "aggregated"}
-	wrapped := WrapAggregatedDiscoveryToHandler(unaggregated, aggregated)
+	aggregated := fakeHTTPHandler{data: "nopeer-aggregated"}
+	peerAggregated := fakeHTTPHandler{data: "peer-aggregated"}
+	wrapped := WrapAggregatedDiscoveryToHandler(unaggregated, aggregated, peerAggregated)
 
 	testCases := []struct {
-		accept   string
-		expected string
+		accept               string
+		expected             string
+		enablePeerAggregated bool
 	}{
 		{
 			// Misconstructed/incorrect accept headers should be passed to the unaggregated handler to return an error
@@ -79,16 +85,16 @@ func TestAggregationEnabled(t *testing.T) {
 			expected: "unaggregated",
 		}, {
 			accept:   aggregatedV2Beta1JSONAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
 		}, {
 			accept:   aggregatedV2Beta1ProtoAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
 		}, {
 			accept:   aggregatedJSONAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
 		}, {
 			accept:   aggregatedProtoAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
 		}, {
 			accept:   jsonAccept,
 			expected: "unaggregated",
@@ -98,11 +104,38 @@ func TestAggregationEnabled(t *testing.T) {
 		}, {
 			// Server should return the first accepted type
 			accept:   aggregatedJSONAccept + "," + jsonAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
 		}, {
 			// Server should return the first accepted type
 			accept:   aggregatedProtoAccept + "," + protobufAccept,
-			expected: "aggregated",
+			expected: "nopeer-aggregated",
+		},
+		// Peer Agg discovery cases.
+		// profile is not set (should default to peer-aggregated)
+		{
+			accept:               aggregatedJSONAccept,
+			expected:             "peer-aggregated",
+			enablePeerAggregated: true,
+		}, {
+			accept:               aggregatedProtoAccept,
+			expected:             "peer-aggregated",
+			enablePeerAggregated: true,
+		},
+		// profile=nopeer (should return no-peer)
+		{
+			accept:               aggregatedNoPeerJSONAccept,
+			expected:             "nopeer-aggregated",
+			enablePeerAggregated: true,
+		}, {
+			accept:               aggregatedNoPeerProtoAccept,
+			expected:             "nopeer-aggregated",
+			enablePeerAggregated: true,
+		},
+		// profile is set to something other than no-peer (should default to peer-aggregated)
+		{
+			accept:               aggregatedJSONAccept + ";profile=foo",
+			expected:             "peer-aggregated",
+			enablePeerAggregated: true,
 		},
 	}
 
@@ -110,6 +143,9 @@ func TestAggregationEnabled(t *testing.T) {
 		if tc.accept == aggregatedV2Beta1JSONAccept || tc.accept == aggregatedV2Beta1ProtoAccept {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AggregatedDiscoveryRemoveBetaType, false)
 		}
+		if tc.enablePeerAggregated {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
+		}
 		body := fetchPath(wrapped, discoveryPath, tc.accept)
 		assert.Equal(t, tc.expected, body)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go
index 6c6c94ba718bb..439696d07abd6 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go
@@ -94,7 +94,7 @@ func withAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.
 		audit.AddAuditAnnotations(ctx,
 			decisionAnnotationKey, decisionForbid,
 			reasonAnnotationKey, reason)
-		responsewriters.Forbidden(ctx, attributes, w, req, reason, s)
+		responsewriters.Forbidden(attributes, w, req, reason, s)
 	})
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/OWNERS b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/OWNERS
new file mode 100644
index 0000000000000..c4ea6463df4d0
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - sig-auth-authenticators-approvers
+reviewers:
+  - sig-auth-authenticators-reviewers
+labels:
+  - sig/auth
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/cache.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/cache.go
new file mode 100644
index 0000000000000..cf73107896a87
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/cache.go
@@ -0,0 +1,320 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package impersonation
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"hash/fnv"
+	"time"
+
+	"golang.org/x/crypto/cryptobyte"
+
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/cache"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/utils/lru"
+)
+
+// modeIndexCache is a simple username -> impersonation mode cache that is based on the assumption
+// that a particular user is likely to use a single mode of impersonation for all impersonated requests
+// that they make.  it remembers which impersonation mode was last successful for a username, and tries
+// that mode first for future impersonation checks.  this makes it so that the amortized cost of legacy
+// impersonation remains the same, and the cost of constrained impersonation is one extra authorization
+// check in additional to the existing checks of regular impersonation.
+type modeIndexCache struct {
+	cache *lru.Cache
+}
+
+func (c *modeIndexCache) get(attributes authorizer.Attributes) (int, bool) {
+	idx, ok := c.cache.Get(modeIndexCacheKey(attributes))
+	if !ok {
+		return 0, false
+	}
+	return idx.(int), true
+}
+
+func (c *modeIndexCache) set(attributes authorizer.Attributes, idx int) {
+	c.cache.Add(modeIndexCacheKey(attributes), idx)
+}
+
+func modeIndexCacheKey(attributes authorizer.Attributes) string {
+	key := attributes.GetUser().GetName()
+	// hash the name so our cache size is predicable regardless of the size of usernames
+	// collisions do not matter for this logic as it simply changes the ordering of the modes used
+	hash := fnvSum128a([]byte(key))
+	return fmt.Sprintf("%x", hash)
+}
+
+func fnvSum128a(data []byte) []byte {
+	h := fnv.New128a()
+	h.Write(data)
+	var sum [16]byte
+	return h.Sum(sum[:0])
+}
+
+func newModeIndexCache() *modeIndexCache {
+	return &modeIndexCache{
+		// each entry is roughly ~24 bytes (16 bytes for the hashed key, 8 bytes for value)
+		// thus at even 10k entries, we should use less than 1 MB memory
+		// this hardcoded size allows us to remember many users without leaking memory
+		cache: lru.New(10_000),
+	}
+}
+
+// impersonationCache tracks successful impersonation attempts for a given mode with a short TTL.
+//
+// when skipAttributes is false, it maps [wantedUser, attributes] -> impersonatedUserInfo
+// when skipAttributes is true, it maps [wantedUser, requestor] -> impersonatedUserInfo
+//
+// thus each constrained impersonation mode needs two of these caches:
+// the outer cache sets skipAttributes to false and thus covers the overall impersonation attempt, see constrainedImpersonationModeState.check.
+// the inner cache sets skipAttributes to true and only covers the authorization checks that
+// are not dependent on the specific request being made, see impersonationModeState.check.
+type impersonationCache struct {
+	cache          *cache.Expiring
+	skipAttributes bool
+}
+
+func (c *impersonationCache) get(k *impersonationCacheKey) *impersonatedUserInfo {
+	key, err := k.key(c.skipAttributes)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("failed to build impersonation cache key: %w", err))
+		return nil
+	}
+	impersonatedUser, ok := c.cache.Get(key)
+	if !ok {
+		return nil
+	}
+	return impersonatedUser.(*impersonatedUserInfo)
+}
+
+func (c *impersonationCache) set(k *impersonationCacheKey, impersonatedUser *impersonatedUserInfo) {
+	key, err := k.key(c.skipAttributes)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("failed to build impersonation cache key: %w", err))
+		return
+	}
+	c.cache.Set(key, impersonatedUser, 10*time.Second) // hardcode the same short TTL as used by TokenSuccessCacheTTL
+}
+
+func newImpersonationCache(skipAttributes bool) *impersonationCache {
+	return &impersonationCache{
+		cache:          cache.NewExpiring(),
+		skipAttributes: skipAttributes,
+	}
+}
+
+// The attribute accessors known to cache key construction. If this fails to compile, the cache
+// implementation may need to be updated.
+var _ authorizer.Attributes = (interface {
+	GetUser() user.Info
+	GetVerb() string
+	IsReadOnly() bool
+	GetNamespace() string
+	GetResource() string
+	GetSubresource() string
+	GetName() string
+	GetAPIGroup() string
+	GetAPIVersion() string
+	IsResourceRequest() bool
+	GetPath() string
+	GetFieldSelector() (fields.Requirements, error)
+	GetLabelSelector() (labels.Requirements, error)
+})(nil)
+
+// The user info accessors known to cache key construction. If this fails to compile, the cache
+// implementation may need to be updated.
+var _ user.Info = (interface {
+	GetName() string
+	GetUID() string
+	GetGroups() []string
+	GetExtra() map[string][]string
+})(nil)
+
+// impersonationCacheKey allows for lazy building of string cache keys based on the inputs.
+// See impersonationCache details above for the semantics around skipAttributes.
+// Note that the same impersonationCacheKey can be used with any value for skipAttributes.
+type impersonationCacheKey struct {
+	wantedUser *user.DefaultInfo
+	attributes authorizer.Attributes
+
+	// lazily calculated values at point of use
+	keyAttr string
+	errAttr error
+	keyUser string
+	errUser error
+}
+
+func (k *impersonationCacheKey) key(skipAttributes bool) (string, error) {
+	if skipAttributes {
+		return k.keyWithoutAttributes()
+	}
+	return k.keyWithAttributes()
+}
+
+func (k *impersonationCacheKey) keyWithAttributes() (string, error) {
+	if len(k.keyAttr) != 0 || k.errAttr != nil {
+		return k.keyAttr, k.errAttr
+	}
+
+	k.keyAttr, k.errAttr = buildKey(k.wantedUser, k.attributes)
+	return k.keyAttr, k.errAttr
+}
+
+func (k *impersonationCacheKey) keyWithoutAttributes() (string, error) {
+	if len(k.keyUser) != 0 || k.errUser != nil {
+		return k.keyUser, k.errUser
+	}
+
+	// fake attributes that just contain the requestor to allow us to reuse buildKey
+	requestor := k.attributes.GetUser()
+	attributes := authorizer.AttributesRecord{User: requestor}
+
+	k.keyUser, k.errUser = buildKey(k.wantedUser, attributes)
+	return k.keyUser, k.errUser
+}
+
+// buildKey creates a hashed string key based on the inputs that is namespaced to the requestor.
+// A cryptographically secure hash is used to minimize the chance of collisions.
+func buildKey(wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (string, error) {
+	fieldSelector, err := attributes.GetFieldSelector()
+	if err != nil {
+		return "", err // if we do not fully understand the attributes, just skip caching altogether
+	}
+
+	labelSelector, err := attributes.GetLabelSelector()
+	if err != nil {
+		return "", err // if we do not fully understand the attributes, just skip caching altogether
+	}
+
+	requestor := attributes.GetUser()
+
+	// the chance of a hash collision is impractically small, but the only way that would lead to a
+	// privilege escalation is if you could get the cache key of a different user.  if you somehow
+	// get a collision with your own username, you already have that permission since we only set
+	// values in the cache after a successful impersonation.  Thus, we include the requestor
+	// username in the cache key.  It is safe to assume that a user has no control over their own
+	// username since that is controlled by the authenticator.  Even though many of the other inputs
+	// are under the control of the requestor, they cannot explode the cache due to the hashing.
+	b := newCacheKeyBuilder(requestor.GetName())
+
+	addUser(b, wantedUser)
+	addUser(b, requestor)
+
+	b.addLengthPrefixed(func(b *cacheKeyBuilder) {
+		b.
+			addString(attributes.GetVerb()).
+			addBool(attributes.IsReadOnly()).
+			addString(attributes.GetNamespace()).
+			addString(attributes.GetResource()).
+			addString(attributes.GetSubresource()).
+			addString(attributes.GetName()).
+			addString(attributes.GetAPIGroup()).
+			addString(attributes.GetAPIVersion()).
+			addBool(attributes.IsResourceRequest()).
+			addString(attributes.GetPath())
+	})
+
+	b.addLengthPrefixed(func(b *cacheKeyBuilder) {
+		for _, req := range fieldSelector {
+			b.addStringSlice([]string{req.Field, string(req.Operator), req.Value})
+		}
+	})
+
+	b.addLengthPrefixed(func(b *cacheKeyBuilder) {
+		for _, req := range labelSelector {
+			b.addString(req.String())
+		}
+	})
+
+	return b.build()
+}
+
+func addUser(b *cacheKeyBuilder, u user.Info) {
+	b.addLengthPrefixed(func(b *cacheKeyBuilder) {
+		b.
+			addString(u.GetName()).
+			addString(u.GetUID()).
+			addStringSlice(u.GetGroups()).
+			addLengthPrefixed(func(b *cacheKeyBuilder) {
+				extra := u.GetExtra()
+				for _, key := range sets.StringKeySet(extra).List() {
+					b.addString(key)
+					b.addStringSlice(extra[key])
+				}
+			})
+	})
+}
+
+// cacheKeyBuilder adds syntactic sugar on top of cryptobyte.Builder to make it easier to use for complex inputs.
+type cacheKeyBuilder struct {
+	namespace string // in the programming sense, not the Kubernetes concept
+	builder   *cryptobyte.Builder
+}
+
+func newCacheKeyBuilder(namespace string) *cacheKeyBuilder {
+	// start with a reasonable size to avoid too many allocations
+	return &cacheKeyBuilder{namespace: namespace, builder: cryptobyte.NewBuilder(make([]byte, 0, 384))}
+}
+
+func (c *cacheKeyBuilder) addString(value string) *cacheKeyBuilder {
+	c.addLengthPrefixed(func(c *cacheKeyBuilder) {
+		c.builder.AddBytes([]byte(value))
+	})
+	return c
+}
+
+func (c *cacheKeyBuilder) addStringSlice(values []string) *cacheKeyBuilder {
+	c.addLengthPrefixed(func(c *cacheKeyBuilder) {
+		for _, v := range values {
+			c.addString(v)
+		}
+	})
+	return c
+}
+
+func (c *cacheKeyBuilder) addBool(value bool) *cacheKeyBuilder {
+	var b byte
+	if value {
+		b = 1
+	}
+	c.builder.AddUint8(b)
+	return c
+}
+
+type builderContinuation func(child *cacheKeyBuilder)
+
+func (c *cacheKeyBuilder) addLengthPrefixed(f builderContinuation) {
+	c.builder.AddUint32LengthPrefixed(func(b *cryptobyte.Builder) {
+		c := &cacheKeyBuilder{namespace: c.namespace, builder: b}
+		f(c)
+	})
+}
+
+func (c *cacheKeyBuilder) build() (string, error) {
+	key, err := c.builder.Bytes()
+	if err != nil {
+		return "", err
+	}
+	hash := sha256.Sum256(key) // reduce the size of the cache key to keep the overall cache size small
+	return fmt.Sprintf("%x/%s", hash[:], c.namespace), nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation.go
new file mode 100644
index 0000000000000..861e6d69904d3
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation.go
@@ -0,0 +1,251 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package impersonation
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/audit"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/filters"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/server/httplog"
+	"k8s.io/klog/v2"
+)
+
+// WithConstrainedImpersonation implements constrained impersonation as described in https://kep.k8s.io/5284
+// It also includes a complete reimplementation of legacy impersonation for backwards compatibility.
+// At a high level, constrained impersonation uses multiple authorization checks to allow for the granular
+// expression of impersonation access.  For example, a service account may be authorized to impersonate the
+// node that it is associated with but only when listing pods.  See the linked KEP for further details.
+func WithConstrainedImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler {
+	return &constrainedImpersonationHandler{
+		handler: handler,
+		tracker: newImpersonationModesTracker(a),
+		s:       s,
+	}
+}
+
+type constrainedImpersonationHandler struct {
+	handler http.Handler
+	tracker *impersonationModesTracker
+	s       runtime.NegotiatedSerializer
+}
+
+func (c *constrainedImpersonationHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	ctx := req.Context()
+
+	wantedUser, err := processImpersonationHeaders(req.Header)
+	if err != nil {
+		responsewriters.RespondWithError(w, req, err, c.s)
+		return
+	}
+	if wantedUser == nil { // impersonation was not attempted so skip to the next handler
+		c.handler.ServeHTTP(w, req)
+		return
+	}
+	attributes, err := filters.GetAuthorizerAttributes(ctx)
+	if err != nil {
+		responsewriters.InternalError(w, req, err)
+		return
+	}
+	requestor := attributes.GetUser()
+	if requestor == nil {
+		responsewriters.InternalError(w, req, errors.New("no User found in the context"))
+		return
+	}
+
+	impersonatedUser, err := c.tracker.getImpersonatedUser(ctx, wantedUser, attributes)
+	if err != nil {
+		klog.V(4).InfoS("Forbidden", "URI", req.RequestURI, "err", err)
+		responsewriters.RespondWithError(w, req, err, c.s)
+		return
+	}
+
+	req = req.WithContext(request.WithUser(ctx, impersonatedUser.user))
+	httplog.LogOf(req, w).Addf("%v is impersonating %v", userString(requestor), userString(impersonatedUser.user))
+	audit.LogImpersonatedUser(ctx, impersonatedUser.user, impersonatedUser.constraint)
+
+	c.handler.ServeHTTP(w, req)
+}
+
+// processImpersonationHeaders converts the impersonation headers in the given input headers
+// into the equivalent user.DefaultInfo.  The resulting user is a raw representation of the
+// input headers, that is, no defaulting or other mutations have been applied to it.
+func processImpersonationHeaders(headers http.Header) (*user.DefaultInfo, error) {
+	wantedUser := &user.DefaultInfo{}
+
+	wantedUser.Name = headers.Get(authenticationv1.ImpersonateUserHeader)
+	hasUser := len(wantedUser.Name) > 0
+
+	wantedUser.UID = headers.Get(authenticationv1.ImpersonateUIDHeader)
+	hasUID := len(wantedUser.UID) > 0
+
+	hasGroups := false
+	for _, group := range headers[authenticationv1.ImpersonateGroupHeader] {
+		hasGroups = true
+		wantedUser.Groups = append(wantedUser.Groups, group)
+	}
+
+	hasUserExtra := false
+	for headerName, values := range headers {
+		if !strings.HasPrefix(headerName, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
+			continue
+		}
+
+		hasUserExtra = true
+
+		if len(values) == 0 {
+			// this looks a little strange but matches the behavior of buildImpersonationRequests from legacy impersonation
+			// http1 uses textproto.Reader#ReadMIMEHeader which does seem to allow an empty slice for values
+			// http2 uses http.Header#Add which will cause the values slice to always be non-empty
+			continue
+		}
+
+		extraKey := unescapeExtraKey(strings.ToLower(headerName[len(authenticationv1.ImpersonateUserExtraHeaderPrefix):]))
+
+		if wantedUser.Extra == nil {
+			wantedUser.Extra = map[string][]string{}
+		}
+		wantedUser.Extra[extraKey] = append(wantedUser.Extra[extraKey], values...)
+	}
+
+	if !hasUser && (hasUID || hasGroups || hasUserExtra) {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("requested %#v without impersonating a user name", wantedUser))
+	}
+
+	if !hasUser {
+		return nil, nil
+	}
+
+	// clear all the impersonation headers from the request to prevent downstream layers from knowing that impersonation was used
+	// we do not want anything outside of this package trying to behave differently based on if impersonation was used
+	headers.Del(authenticationv1.ImpersonateUserHeader)
+	headers.Del(authenticationv1.ImpersonateUIDHeader)
+	headers.Del(authenticationv1.ImpersonateGroupHeader)
+	for headerName := range headers {
+		if strings.HasPrefix(headerName, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
+			headers.Del(headerName)
+		}
+	}
+
+	return wantedUser, nil
+}
+
+// impersonationModesTracker records which impersonation mode was last successful for a given requestor user.
+// this allows us to check for the more secure constrained impersonation modes first while keeping the overall
+// cost of legacy impersonation unchanged (as we will support legacy impersonation forever).
+type impersonationModesTracker struct {
+	modes    []impersonationMode
+	idxCache *modeIndexCache
+}
+
+func newImpersonationModesTracker(a authorizer.Authorizer) *impersonationModesTracker {
+	loggingAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attributes authorizer.Attributes) (authorizer.Decision, string, error) {
+		decision, reason, err := a.Authorize(ctx, attributes)
+		// build a detailed log of the authorization
+		// make the whole block conditional so we do not do a lot of string-building we will not use
+		if klogV := klog.V(5); klogV.Enabled() { // same log level that the RBAC authorizer uses for verbose logging
+			u := attributes.GetUser()
+			fieldSelector, _ := attributes.GetFieldSelector()
+			labelSelector, _ := attributes.GetLabelSelector()
+			klogV.InfoSDepth(3, "Impersonation authorization check",
+				// we cannot just pass attributes to the logger as that will not capture the actual result of calling these methods
+				// impersonation makes heavy use of wrapping these methods to add extra logic
+				"username", u.GetName(),
+				"uid", u.GetUID(),
+				"groups", u.GetGroups(),
+				"extra", u.GetExtra(),
+
+				"isResourceRequest", attributes.IsResourceRequest(),
+
+				"namespace", attributes.GetNamespace(),
+				"verb", attributes.GetVerb(),
+				"group", attributes.GetAPIGroup(),
+				"version", attributes.GetAPIVersion(),
+				"resource", attributes.GetResource(),
+				"subresource", attributes.GetSubresource(),
+				"name", attributes.GetName(),
+				"fieldSelector", fieldSelector,
+				"labelSelector", labelSelector,
+
+				"path", attributes.GetPath(),
+
+				"decision", decision,
+				"reason", reason,
+				"err", err,
+			)
+		}
+		return decision, reason, err
+	})
+	return &impersonationModesTracker{
+		modes:    allImpersonationModes(loggingAuthorizer),
+		idxCache: newModeIndexCache(),
+	}
+}
+
+func (t *impersonationModesTracker) getImpersonatedUser(ctx context.Context, wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (*impersonatedUserInfo, error) {
+	// share a single cache key across all modes so that we only lazily build it once
+	key := &impersonationCacheKey{wantedUser: wantedUser, attributes: attributes}
+	var firstErr error
+
+	// try the last successful mode first to reduce the amortized cost of impersonation
+	// we attempt all modes unless we short-circuit due to a successful impersonation
+	modeIdx, modeIdxOk := t.idxCache.get(attributes)
+	if modeIdxOk {
+		impersonatedUser, err := t.modes[modeIdx].check(ctx, key, wantedUser, attributes)
+		if err == nil && impersonatedUser != nil {
+			return impersonatedUser, nil
+		}
+		firstErr = err
+	}
+
+	for i, mode := range t.modes {
+		if modeIdxOk && i == modeIdx {
+			continue // skip already attempted mode
+		}
+
+		impersonatedUser, err := mode.check(ctx, key, wantedUser, attributes)
+		if err != nil {
+			if firstErr == nil {
+				firstErr = err
+			}
+			continue
+		}
+		if impersonatedUser == nil {
+			continue
+		}
+		t.idxCache.set(attributes, i)
+		return impersonatedUser, nil
+	}
+
+	if firstErr != nil {
+		return nil, firstErr
+	}
+
+	// this should not happen, but make sure we fail closed when no impersonation mode succeeded
+	return nil, errors.New("all impersonation modes failed")
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation_test.go
new file mode 100644
index 0000000000000..361e662f67f41
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/constrained_impersonation_test.go
@@ -0,0 +1,1088 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package impersonation
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/filters"
+	"k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/client-go/transport"
+)
+
+type constrainedImpersonationTest struct {
+	t *testing.T
+
+	constrainedImpersonationHandler *constrainedImpersonationHandler
+	checkedAttrs                    []authorizer.Attributes
+	echoCalled                      bool
+}
+
+func (c *constrainedImpersonationTest) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+	c.checkedAttrs = append(c.checkedAttrs, a)
+
+	u := a.GetUser()
+
+	if u.GetName() == "sa-impersonater" && a.GetVerb() == "impersonate:serviceaccount" && a.GetResource() == "serviceaccounts" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if u.GetName() == "system:serviceaccount:default:node" && a.GetVerb() == "impersonate:arbitrary-node" && a.GetResource() == "nodes" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if u.GetName() == "node-impersonater" && a.GetVerb() == "impersonate:arbitrary-node" && a.GetResource() == "nodes" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if len(u.GetGroups()) > 0 && u.GetGroups()[0] == "associate-node-impersonater" && a.GetVerb() == "impersonate:associated-node" && a.GetResource() == "nodes" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if u.GetName() == "user-impersonater" && a.GetVerb() == "impersonate:user-info" && a.GetResource() == "users" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if len(u.GetGroups()) > 0 && u.GetGroups()[0] == "group-impersonater" && a.GetVerb() == "impersonate:user-info" && a.GetResource() == "groups" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if len(u.GetGroups()) > 0 && u.GetGroups()[0] == "extra-setter-scopes" && a.GetVerb() == "impersonate:user-info" && a.GetResource() == "userextras" && a.GetSubresource() == "pandas.io/scopes" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if u.GetName() == "legacy-impersonater" && a.GetVerb() == "impersonate" {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	if u.GetName() != "legacy-impersonator" &&
+		strings.HasPrefix(a.GetVerb(), "impersonate-on:") &&
+		(strings.HasSuffix(a.GetVerb(), "list") || strings.HasSuffix(a.GetVerb(), "get")) {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	return authorizer.DecisionNoOpinion, "deny by default", nil
+}
+
+func (c *constrainedImpersonationTest) echoUserInfoHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, req *http.Request) {
+		c.echoCalled = true
+
+		u, ok := request.UserFrom(req.Context())
+		if !ok {
+			c.t.Fatal("user not found in request")
+		}
+
+		_ = json.NewEncoder(w).Encode(comparableUser(u))
+
+		if _, ok := req.Header[authenticationv1.ImpersonateUserHeader]; ok {
+			c.t.Fatal("user header still present")
+		}
+		if _, ok := req.Header[authenticationv1.ImpersonateUIDHeader]; ok {
+			c.t.Fatal("uid header still present")
+		}
+		if _, ok := req.Header[authenticationv1.ImpersonateGroupHeader]; ok {
+			c.t.Fatal("group header still present")
+		}
+		for key := range req.Header {
+			if strings.HasPrefix(key, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
+				c.t.Fatalf("extra header still present: %v", key)
+			}
+		}
+	}
+}
+
+func (c *constrainedImpersonationTest) authenticationHandler(handler http.Handler) http.Handler {
+	return filters.WithAuthentication(handler, authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+		userData := req.Header.Get(testUserHeader)
+		if len(userData) == 0 {
+			c.t.Fatal("missing user header")
+		}
+		var u user.DefaultInfo
+		if err := json.Unmarshal([]byte(userData), &u); err != nil {
+			c.t.Fatal(err)
+		}
+		return &authenticator.Response{User: &u}, true, nil
+	}), nil, nil, nil)
+}
+
+func (c *constrainedImpersonationTest) requestInfoHandler(handler http.Handler) http.Handler {
+	return filters.WithRequestInfo(handler, requestInfoFunc(func(req *http.Request) (*request.RequestInfo, error) {
+		requestInfoData := req.Header.Get(testRequestInfoHeader)
+		if len(requestInfoData) == 0 {
+			c.t.Fatal("missing request info header")
+		}
+		var r request.RequestInfo
+		if err := json.Unmarshal([]byte(requestInfoData), &r); err != nil {
+			c.t.Fatal(err)
+		}
+		return &r, nil
+	}))
+}
+
+type requestInfoFunc func(*http.Request) (*request.RequestInfo, error)
+
+func (f requestInfoFunc) NewRequestInfo(req *http.Request) (*request.RequestInfo, error) {
+	return f(req)
+}
+
+const (
+	testUserHeader        = "insecure-test-user-json"
+	testRequestInfoHeader = "insecure-test-request-info-json"
+)
+
+func (c *constrainedImpersonationTest) handler() http.Handler {
+	s := runtime.NewScheme()
+	metav1.AddToGroupVersion(s, metav1.SchemeGroupVersion)
+	addImpersonation := WithConstrainedImpersonation(c.echoUserInfoHandler(), c, serializer.NewCodecFactory(s))
+	c.constrainedImpersonationHandler = addImpersonation.(*constrainedImpersonationHandler)
+
+	addAuthentication := c.authenticationHandler(addImpersonation)
+	addRequestInfo := c.requestInfoHandler(addAuthentication)
+	return addRequestInfo
+}
+
+type testRoundTripper struct {
+	user        *user.DefaultInfo
+	requestInfo *request.RequestInfo
+	delegate    http.RoundTripper
+}
+
+func (t *testRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
+	userData, err := json.Marshal(t.user)
+	if err != nil {
+		return nil, err
+	}
+	requestInfoData, err := json.Marshal(t.requestInfo)
+	if err != nil {
+		return nil, err
+	}
+	r.Header.Set(testUserHeader, string(userData))
+	r.Header.Set(testRequestInfoHeader, string(requestInfoData))
+	return t.delegate.RoundTrip(r)
+}
+
+func (c *constrainedImpersonationTest) assertAttributes(r testRequest) {
+	checkedAttrs := c.checkedAttrs
+	c.checkedAttrs = nil
+
+	require.Equal(c.t, len(r.expectedAttributes), len(checkedAttrs))
+
+	// normally all authorization checks are done against the requestor
+	// but in some cases such as associated-node, we check against a slightly different user
+	expectedAttributesUser := r.expectedAttributesUser
+	if expectedAttributesUser == nil {
+		expectedAttributesUser = r.requestor
+	}
+
+	for i := range len(r.expectedAttributes) {
+		expectedAttributes := withUser(r.expectedAttributes[i], expectedAttributesUser)
+		require.Equal(c.t, expectedAttributes, comparableAttributes(checkedAttrs[i]))
+	}
+}
+
+func comparableAttributes(attributes authorizer.Attributes) authorizer.AttributesRecord {
+	fs, errFS := attributes.GetFieldSelector()
+	ls, errLS := attributes.GetLabelSelector()
+	return authorizer.AttributesRecord{
+		User:                      comparableUser(attributes.GetUser()),
+		Verb:                      attributes.GetVerb(),
+		Namespace:                 attributes.GetNamespace(),
+		APIGroup:                  attributes.GetAPIGroup(),
+		APIVersion:                attributes.GetAPIVersion(),
+		Resource:                  attributes.GetResource(),
+		Subresource:               attributes.GetSubresource(),
+		Name:                      attributes.GetName(),
+		ResourceRequest:           attributes.IsResourceRequest(),
+		Path:                      attributes.GetPath(),
+		FieldSelectorRequirements: fs,
+		FieldSelectorParsingErr:   errFS,
+		LabelSelectorRequirements: ls,
+		LabelSelectorParsingErr:   errLS,
+	}
+}
+
+func comparableUser(u user.Info) *user.DefaultInfo {
+	return &user.DefaultInfo{
+		Name:   u.GetName(),
+		UID:    u.GetUID(),
+		Groups: u.GetGroups(),
+		Extra:  u.GetExtra(),
+	}
+}
+
+func (c *constrainedImpersonationTest) assertEchoCalled(expectedCalled bool) {
+	called := c.echoCalled
+	c.echoCalled = false
+	require.Equal(c.t, expectedCalled, called)
+}
+
+func (c *constrainedImpersonationTest) assertCache(r testRequest) {
+	rr := require.New(c.t)
+
+	tracker := c.constrainedImpersonationHandler.tracker
+	idxCacheInternals := tracker.idxCache.cache
+
+	if r.expectedCache == nil {
+		rr.Zero(idxCacheInternals.Len())
+		for _, mode := range tracker.modes {
+			outer, inner := mode.cachesForTests()
+			rr.Zero(outer.cache.Len())
+			rr.Zero(inner.cache.Len())
+		}
+		return
+	}
+
+	rr.Equal(len(r.expectedCache.modeIdx), idxCacheInternals.Len())
+	for username, expectedVerb := range r.expectedCache.modeIdx {
+		modeIdx, ok := idxCacheInternals.Get(usernameHash(username))
+		rr.True(ok)
+		actualVerb := tracker.modes[modeIdx.(int)].verbForTests()
+		rr.Equal(expectedVerb, actualVerb)
+	}
+
+	for _, mode := range tracker.modes {
+		verb := mode.verbForTests()
+		outer, inner := mode.cachesForTests()
+		expectedMode, ok := r.expectedCache.modes[verb]
+		if !ok {
+			rr.Zero(outer.cache.Len())
+			rr.Zero(inner.cache.Len())
+			continue
+		}
+		rr.Equal(len(expectedMode.outer), outer.cache.Len())
+		for expectedKey, expectedUser := range expectedMode.outer {
+			c.checkCacheEntry(outer, expectedKey.wantedUser, expectedKey.attributes, expectedUser, verb)
+		}
+
+		rr.Equal(len(expectedMode.inner), inner.cache.Len())
+		for expectedKey, expectedUser := range expectedMode.inner {
+			c.checkCacheEntry(inner, expectedKey.wantedUser, authorizer.AttributesRecord{User: expectedKey.requestor}, expectedUser, verb)
+		}
+	}
+}
+
+func usernameHash(username string) string {
+	hash := fnvSum128a([]byte(username))
+	return fmt.Sprintf("%x", hash)
+}
+
+func (c *constrainedImpersonationTest) checkCacheEntry(cache *impersonationCache, wantedUser *user.DefaultInfo, attributes authorizer.Attributes, expectedUser *user.DefaultInfo, expectedVerb string) {
+	rr := require.New(c.t)
+	keyString, err := buildKey(wantedUser, attributes)
+	rr.NoError(err)
+	val, ok := cache.cache.Get(keyString)
+	rr.True(ok)
+	impersonatedUser := val.(*impersonatedUserInfo)
+	rr.Equal(expectedVerb, impersonatedUser.constraint)
+	rr.Equal(expectedUser, impersonatedUser.user)
+	rr.True(strings.HasSuffix(keyString, "/"+attributes.GetUser().GetName()))
+}
+
+func withConstrainedImpersonationAttributes(a authorizer.AttributesRecord, mode string) authorizer.AttributesRecord {
+	a.Verb = "impersonate:" + mode
+	a.APIGroup = "authentication.k8s.io"
+	a.APIVersion = "v1"
+	a.ResourceRequest = true
+	return a
+}
+
+func withImpersonateOnAttributes(requestInfo *request.RequestInfo, mode string) authorizer.AttributesRecord {
+	a := requestInfoToAttributes(requestInfo)
+	a.Verb = "impersonate-on:" + mode + ":" + a.Verb
+	return a
+}
+
+func requestInfoToAttributes(requestInfo *request.RequestInfo) authorizer.AttributesRecord {
+	requestCtx := request.WithRequestInfo(context.Background(), requestInfo)
+	attrs, err := filters.GetAuthorizerAttributes(requestCtx)
+	if err != nil {
+		panic(err)
+	}
+	return *(attrs.(*authorizer.AttributesRecord))
+}
+
+func withLegacyImpersonateAttributes(a authorizer.AttributesRecord) authorizer.AttributesRecord {
+	a.Verb = "impersonate"
+	a.APIVersion = "v1"
+	a.ResourceRequest = true
+	return a
+}
+
+func withUser(a authorizer.AttributesRecord, u *user.DefaultInfo) authorizer.AttributesRecord {
+	a.User = u
+	return a
+}
+
+func outerCacheKey(wantedUser, requestor *user.DefaultInfo, req *request.RequestInfo) impersonationCacheKey {
+	attributes := withUser(requestInfoToAttributes(req), requestor)
+	return impersonationCacheKey{
+		wantedUser: wantedUser,
+		attributes: &attributes, // use a *authorizer.AttributesRecord so that it can be used in a map key
+	}
+}
+
+type expectedCache struct {
+	modeIdx map[string]string            // username -> mode verb
+	modes   map[string]expectedModeCache // mode verb -> cache
+}
+
+type expectedModeCache struct {
+	outer map[impersonationCacheKey]*user.DefaultInfo
+	inner map[innerKey]*user.DefaultInfo
+}
+
+type innerKey struct {
+	wantedUser, requestor *user.DefaultInfo
+}
+
+type testRequest struct {
+	request          *request.RequestInfo
+	requestor        *user.DefaultInfo
+	impersonatedUser *user.DefaultInfo
+
+	expectedImpersonatedUser *user.DefaultInfo
+	expectedMessage          string
+
+	expectedAttributesUser *user.DefaultInfo // nil means use requestor
+	expectedAttributes     []authorizer.AttributesRecord
+	expectedCache          *expectedCache
+	expectedCode           int
+}
+
+func associatedNodeTestCase() []testRequest {
+	getSecretRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "get",
+		APIVersion:        "v1",
+		Resource:          "secrets",
+		Name:              "foo",
+		Namespace:         "bar",
+	}
+	getPodRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "get",
+		APIVersion:        "v1",
+		Resource:          "pods",
+		Name:              "foo",
+		Namespace:         "bar",
+	}
+	saDefaultOnNode1 := &user.DefaultInfo{
+		Name:   "system:serviceaccount:default:default",
+		Groups: []string{"associate-node-impersonater"},
+		Extra: map[string][]string{
+			serviceaccount.NodeNameKey: {"node1"},
+		},
+	}
+	saDefaultOnNode2 := &user.DefaultInfo{
+		Name:   "system:serviceaccount:default:default",
+		Groups: []string{"associate-node-impersonater"},
+		Extra: map[string][]string{
+			serviceaccount.NodeNameKey: {"node2"},
+		},
+	}
+	saDefaultOnAnyNode := &user.DefaultInfo{
+		Name:   "system:serviceaccount:default:default",
+		Groups: []string{"associate-node-impersonater"},
+		Extra: map[string][]string{
+			"authentication.kubernetes.io/associated-node-keys": {"authentication.kubernetes.io/node-name"},
+		},
+	}
+	node1FullUserInfo := &user.DefaultInfo{
+		Name:   "system:node:node1",
+		Groups: []string{user.NodesGroup, "system:authenticated"},
+	}
+	node2FullUserInfo := &user.DefaultInfo{
+		Name:   "system:node:node2",
+		Groups: []string{user.NodesGroup, "system:authenticated"},
+	}
+	cacheWithOnlyNode1Data := &expectedCache{
+		modeIdx: map[string]string{
+			"system:serviceaccount:default:default": "impersonate:associated-node",
+		},
+		modes: map[string]expectedModeCache{
+			"impersonate:associated-node": {
+				outer: map[impersonationCacheKey]*user.DefaultInfo{
+					outerCacheKey(&user.DefaultInfo{Name: "system:node:*"}, saDefaultOnAnyNode, getSecretRequest): node1FullUserInfo,
+				},
+				inner: map[innerKey]*user.DefaultInfo{
+					{
+						wantedUser: &user.DefaultInfo{Name: "system:node:*"},
+						requestor:  saDefaultOnAnyNode,
+					}: node1FullUserInfo,
+				},
+			},
+		},
+	}
+	cacheWithMultipleRequests := &expectedCache{
+		modeIdx: cacheWithOnlyNode1Data.modeIdx,
+		modes: map[string]expectedModeCache{
+			"impersonate:associated-node": {
+				outer: map[impersonationCacheKey]*user.DefaultInfo{
+					outerCacheKey(&user.DefaultInfo{Name: "system:node:*"}, saDefaultOnAnyNode, getSecretRequest): node1FullUserInfo,
+					// even though this request was made on node2, since the inner cache matched it returned a value for node1
+					outerCacheKey(&user.DefaultInfo{Name: "system:node:*"}, saDefaultOnAnyNode, getPodRequest): node1FullUserInfo,
+				},
+				inner: cacheWithOnlyNode1Data.modes["impersonate:associated-node"].inner,
+			},
+		},
+	}
+	return []testRequest{
+		{
+			request:                  getSecretRequest,
+			requestor:                saDefaultOnNode1,
+			impersonatedUser:         &user.DefaultInfo{Name: "system:node:node1"}, // node matches
+			expectedImpersonatedUser: node1FullUserInfo,
+			expectedAttributesUser:   saDefaultOnAnyNode,
+			expectedAttributes: []authorizer.AttributesRecord{
+				withImpersonateOnAttributes(getSecretRequest, "associated-node"),
+				withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "nodes", Name: "*"}, "associated-node"),
+			},
+			expectedCache: cacheWithOnlyNode1Data,
+			expectedCode:  http.StatusOK,
+		},
+		{
+			request:                  getSecretRequest,
+			requestor:                saDefaultOnNode2,
+			impersonatedUser:         &user.DefaultInfo{Name: "system:node:node2"}, // node matches
+			expectedImpersonatedUser: node2FullUserInfo,
+			expectedAttributesUser:   saDefaultOnAnyNode,
+			expectedAttributes:       nil, // no authz checks for the second request
+			expectedCache:            cacheWithOnlyNode1Data,
+			expectedCode:             http.StatusOK,
+		},
+		{
+			request:                getSecretRequest,
+			requestor:              saDefaultOnNode2,
+			impersonatedUser:       &user.DefaultInfo{Name: "system:node:node1"}, // node does not match
+			expectedMessage:        `nodes.authentication.k8s.io "node1" is forbidden: User "system:serviceaccount:default:default" cannot impersonate:arbitrary-node resource "nodes" in API group "authentication.k8s.io" at the cluster scope: deny by default`,
+			expectedAttributesUser: nil,
+			expectedAttributes: []authorizer.AttributesRecord{
+				withImpersonateOnAttributes(getSecretRequest, "arbitrary-node"),
+				withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "nodes", Name: "node1"}, "arbitrary-node"),
+				withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:node:node1"}),
+			},
+			expectedCache: cacheWithOnlyNode1Data,
+			expectedCode:  http.StatusForbidden,
+		},
+		{
+			request:                  getPodRequest,
+			requestor:                saDefaultOnNode2,
+			impersonatedUser:         &user.DefaultInfo{Name: "system:node:node2"}, // node matches
+			expectedImpersonatedUser: node2FullUserInfo,
+			expectedAttributesUser:   saDefaultOnAnyNode,
+			expectedAttributes: []authorizer.AttributesRecord{
+				withImpersonateOnAttributes(getPodRequest, "associated-node"), // one authz check because different request info
+			},
+			expectedCache: cacheWithMultipleRequests,
+			expectedCode:  http.StatusOK,
+		},
+		{
+			request:                  getPodRequest,
+			requestor:                saDefaultOnNode1,
+			impersonatedUser:         &user.DefaultInfo{Name: "system:node:node1"}, // node matches
+			expectedImpersonatedUser: node1FullUserInfo,
+			expectedAttributesUser:   nil,
+			expectedAttributes:       nil, // no authz checks for pod request via node1
+			expectedCache:            cacheWithMultipleRequests,
+			expectedCode:             http.StatusOK,
+		},
+	}
+}
+
+func TestConstrainedImpersonationFilter(t *testing.T) {
+	getPodRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "get",
+		APIVersion:        "v1",
+		Resource:          "pods",
+		Name:              "foo",
+		Namespace:         "bar",
+	}
+
+	getAnotherPodRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "get",
+		APIVersion:        "v1",
+		Resource:          "pods",
+		Name:              "foo1",
+		Namespace:         "bar1",
+	}
+
+	createPodRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "create",
+		APIVersion:        "v1",
+		Resource:          "pods",
+		Name:              "foo",
+		Namespace:         "bar",
+	}
+
+	getDeploymentRequest := &request.RequestInfo{
+		IsResourceRequest: true,
+		Verb:              "get",
+		APIVersion:        "v1",
+		APIGroup:          "apps",
+		Resource:          "deployments",
+		Name:              "foo",
+		Namespace:         "bar",
+	}
+
+	anyone := &user.DefaultInfo{Name: "anyone"}
+	anyoneAuthenticated := &user.DefaultInfo{Name: "anyone", Groups: []string{"system:authenticated"}}
+	saUser := &user.DefaultInfo{Name: "system:serviceaccount:default:default"}
+	saUserAuthenticated := &user.DefaultInfo{
+		Name:   "system:serviceaccount:default:default",
+		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}}
+	nodeUser := &user.DefaultInfo{Name: "system:node:node1"}
+	nodeUserAuthenticated := &user.DefaultInfo{
+		Name:   "system:node:node1",
+		Groups: []string{user.NodesGroup, "system:authenticated"},
+	}
+
+	userImpersonator := &user.DefaultInfo{Name: "user-impersonater"}
+	saImpersonator := &user.DefaultInfo{Name: "sa-impersonater"}
+	nodeImpersonator := &user.DefaultInfo{Name: "node-impersonater"}
+
+	testCases := []struct {
+		name     string
+		requests []testRequest
+	}{
+		{
+			name: "impersonating-error",
+			requests: []testRequest{
+				{
+					request:          getPodRequest,
+					requestor:        &user.DefaultInfo{Name: "tester"},
+					impersonatedUser: anyone,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "anyone"}, "user-info"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "anyone"}),
+					},
+					expectedCache:   nil,
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `users.authentication.k8s.io "anyone" is forbidden: User "tester" cannot impersonate:user-info resource "users" in API group "authentication.k8s.io" at the cluster scope: deny by default`,
+				},
+			},
+		},
+		{
+			name: "impersonating-user-get-allowed-create-disallowed",
+			requests: []testRequest{
+				{
+					request:                  getPodRequest,
+					requestor:                userImpersonator,
+					impersonatedUser:         anyone,
+					expectedImpersonatedUser: anyoneAuthenticated,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "anyone"}, "user-info"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(anyone, userImpersonator, getPodRequest): anyoneAuthenticated,
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: anyone, requestor: userImpersonator}: anyoneAuthenticated,
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+				{
+					request:                  getAnotherPodRequest,
+					requestor:                userImpersonator,
+					impersonatedUser:         anyone,
+					expectedImpersonatedUser: anyoneAuthenticated,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getAnotherPodRequest, "user-info"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(anyone, userImpersonator, getPodRequest):        anyoneAuthenticated,
+									outerCacheKey(anyone, userImpersonator, getAnotherPodRequest): anyoneAuthenticated,
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: anyone, requestor: userImpersonator}: anyoneAuthenticated,
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+				{
+					request:          createPodRequest,
+					requestor:        userImpersonator,
+					impersonatedUser: anyone,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(createPodRequest, "user-info"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "anyone"}),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(anyone, userImpersonator, getPodRequest):        anyoneAuthenticated,
+									outerCacheKey(anyone, userImpersonator, getAnotherPodRequest): anyoneAuthenticated,
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: anyone, requestor: userImpersonator}: anyoneAuthenticated,
+								},
+							},
+						},
+					},
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `pods "foo" is forbidden: User "user-impersonater" cannot impersonate-on:user-info:create resource "pods" in API group "" in the namespace "bar": deny by default`,
+				},
+			},
+		},
+		{
+			name: "impersonating-sa-allowed",
+			requests: []testRequest{
+				{
+					request:                  getPodRequest,
+					requestor:                saImpersonator,
+					impersonatedUser:         saUser,
+					expectedImpersonatedUser: saUserAuthenticated,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "serviceaccount"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "serviceaccounts", Namespace: "default", Name: "default"}, "serviceaccount"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							saImpersonator.Name: "impersonate:serviceaccount",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:serviceaccount": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(saUser, saImpersonator, getPodRequest): saUserAuthenticated,
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{
+										wantedUser: saUser,
+										requestor:  saImpersonator,
+									}: saUserAuthenticated,
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+			},
+		},
+		{
+			name: "impersonating-node-not-allowed",
+			requests: []testRequest{
+				{
+					request:          getPodRequest,
+					requestor:        saImpersonator,
+					impersonatedUser: nodeUser,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "arbitrary-node"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "nodes", Name: "node1"}, "arbitrary-node"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:node:node1"}),
+					},
+					expectedCache:   nil,
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `nodes.authentication.k8s.io "node1" is forbidden: User "sa-impersonater" cannot impersonate:arbitrary-node resource "nodes" in API group "authentication.k8s.io" at the cluster scope: deny by default`,
+				},
+			},
+		},
+		{
+			name: "impersonating-node-not-allowed-action",
+			requests: []testRequest{
+				{
+					request:          createPodRequest,
+					requestor:        nodeImpersonator,
+					impersonatedUser: nodeUser,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(createPodRequest, "arbitrary-node"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:node:node1"}),
+					},
+					expectedCache:   nil,
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `pods "foo" is forbidden: User "node-impersonater" cannot impersonate-on:arbitrary-node:create resource "pods" in API group "" in the namespace "bar": deny by default`,
+				},
+			},
+		},
+		{
+			name: "impersonating-node-allowed",
+			requests: []testRequest{
+				{
+					request:                  getPodRequest,
+					requestor:                nodeImpersonator,
+					impersonatedUser:         nodeUser,
+					expectedImpersonatedUser: nodeUserAuthenticated,
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "arbitrary-node"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "nodes", Name: "node1"}, "arbitrary-node"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							nodeImpersonator.Name: "impersonate:arbitrary-node",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:arbitrary-node": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(nodeUser, nodeImpersonator, getPodRequest): nodeUserAuthenticated,
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: nodeUser, requestor: nodeImpersonator}: nodeUserAuthenticated,
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+			},
+		},
+		{
+			name: "disallowed-userextra-3",
+			requests: []testRequest{
+				{
+					request: getPodRequest,
+					requestor: &user.DefaultInfo{
+						Name:   "user-impersonater",
+						Groups: []string{"group-impersonater"},
+					},
+					impersonatedUser: &user.DefaultInfo{
+						Name:   "system:admin",
+						Groups: []string{"extra-setter-scopes"},
+						Extra:  map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b"}},
+					},
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:admin"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "groups", Name: "extra-setter-scopes"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "scope-a"}, "user-info"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:admin"}),
+					},
+					expectedCache:   nil,
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `userextras.authentication.k8s.io "scope-a" is forbidden: User "user-impersonater" cannot impersonate:user-info resource "userextras/pandas.io/scopes" in API group "authentication.k8s.io" at the cluster scope: deny by default`,
+				},
+			},
+		},
+		{
+			name: "allowed-userextras",
+			requests: []testRequest{
+				{
+					request: getPodRequest,
+					requestor: &user.DefaultInfo{
+						Name:   "user-impersonater",
+						Groups: []string{"extra-setter-scopes"},
+					},
+					impersonatedUser: &user.DefaultInfo{
+						Name:  "system:admin",
+						Extra: map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+					},
+					expectedImpersonatedUser: &user.DefaultInfo{
+						Name:   "system:admin",
+						Groups: []string{"system:authenticated"},
+						Extra:  map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+					},
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:admin"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "*", Name: "*"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "scope-a"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "scope-b"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "5"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "4"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "3"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "2"}, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "userextras", Subresource: "pandas.io/scopes", Name: "1"}, "user-info"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(
+										&user.DefaultInfo{
+											Name:  "system:admin",
+											Extra: map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+										},
+										&user.DefaultInfo{
+											Name:   "user-impersonater",
+											Groups: []string{"extra-setter-scopes"},
+										},
+										getPodRequest): {
+										Name:   "system:admin",
+										Groups: []string{"system:authenticated"},
+										Extra:  map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+									},
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{
+										wantedUser: &user.DefaultInfo{
+											Name:  "system:admin",
+											Extra: map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+										},
+										requestor: &user.DefaultInfo{
+											Name:   "user-impersonater",
+											Groups: []string{"extra-setter-scopes"},
+										},
+									}: {
+										Name:   "system:admin",
+										Groups: []string{"system:authenticated"},
+										Extra:  map[string][]string{"pandas.io/scopes": {"scope-a", "scope-b", "5", "4", "3", "2", "1"}},
+									},
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+			},
+		},
+		{
+			name:     "allowed-associate-node",
+			requests: associatedNodeTestCase(),
+		},
+		{
+			name: "disallowed-associate-node-without-sa",
+			requests: []testRequest{
+				{
+					request: getPodRequest,
+					requestor: &user.DefaultInfo{
+						Name:   "user-impersonater",
+						Groups: []string{"associate-node-impersonater"},
+						Extra: map[string][]string{
+							serviceaccount.NodeNameKey: {"node1"},
+						},
+					},
+					impersonatedUser: &user.DefaultInfo{Name: "system:node:node1"},
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "arbitrary-node"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "nodes", Name: "node1"}, "arbitrary-node"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:node:node1"}),
+					},
+					expectedCache:   nil,
+					expectedCode:    http.StatusForbidden,
+					expectedMessage: `nodes.authentication.k8s.io "node1" is forbidden: User "user-impersonater" cannot impersonate:arbitrary-node resource "nodes" in API group "authentication.k8s.io" at the cluster scope: deny by default`,
+				},
+			},
+		},
+		{
+			name: "allowed-legacy-impersonator",
+			requests: []testRequest{
+				{
+					request:          getPodRequest,
+					requestor:        &user.DefaultInfo{Name: "legacy-impersonater"},
+					impersonatedUser: &user.DefaultInfo{Name: "system:admin"},
+					expectedImpersonatedUser: &user.DefaultInfo{
+						Name:   "system:admin",
+						Groups: []string{"system:authenticated"},
+					},
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getPodRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:admin"}, "user-info"),
+						withLegacyImpersonateAttributes(authorizer.AttributesRecord{Resource: "users", Name: "system:admin"}),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							"legacy-impersonater": "impersonate",
+						},
+						modes: nil, // legacy impersonation does not cache
+					},
+					expectedCode: http.StatusOK,
+				},
+			},
+		},
+		{
+			name: "continuous-same-allowed-user-requests",
+			requests: []testRequest{
+				{
+					request:          getDeploymentRequest,
+					requestor:        userImpersonator,
+					impersonatedUser: &user.DefaultInfo{Name: "bob"},
+					expectedImpersonatedUser: &user.DefaultInfo{
+						Name:   "bob",
+						Groups: []string{"system:authenticated"},
+					},
+					expectedAttributes: []authorizer.AttributesRecord{
+						withImpersonateOnAttributes(getDeploymentRequest, "user-info"),
+						withConstrainedImpersonationAttributes(authorizer.AttributesRecord{Resource: "users", Name: "bob"}, "user-info"),
+					},
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(&user.DefaultInfo{Name: "bob"}, userImpersonator, getDeploymentRequest): {
+										Name:   "bob",
+										Groups: []string{"system:authenticated"},
+									},
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: &user.DefaultInfo{Name: "bob"}, requestor: userImpersonator}: {
+										Name:   "bob",
+										Groups: []string{"system:authenticated"},
+									},
+								},
+							},
+						},
+					},
+					expectedCode: http.StatusOK,
+				},
+				{
+					request:          getDeploymentRequest,
+					requestor:        userImpersonator,
+					impersonatedUser: &user.DefaultInfo{Name: "bob"},
+					expectedImpersonatedUser: &user.DefaultInfo{
+						Name:   "bob",
+						Groups: []string{"system:authenticated"},
+					},
+					expectedCode: http.StatusOK,
+					expectedCache: &expectedCache{
+						modeIdx: map[string]string{
+							userImpersonator.Name: "impersonate:user-info",
+						},
+						modes: map[string]expectedModeCache{
+							"impersonate:user-info": {
+								outer: map[impersonationCacheKey]*user.DefaultInfo{
+									outerCacheKey(&user.DefaultInfo{Name: "bob"}, userImpersonator, getDeploymentRequest): {
+										Name:   "bob",
+										Groups: []string{"system:authenticated"},
+									},
+								},
+								inner: map[innerKey]*user.DefaultInfo{
+									{wantedUser: &user.DefaultInfo{Name: "bob"}, requestor: userImpersonator}: {
+										Name:   "bob",
+										Groups: []string{"system:authenticated"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	var mux http.ServeMux
+	tests := make([]*constrainedImpersonationTest, len(testCases))
+	handlers := make([]http.Handler, len(testCases))
+	for i := range len(testCases) {
+		mux.Handle("/"+strconv.Itoa(i), http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			handlers[i].ServeHTTP(w, req)
+		}))
+	}
+
+	server := httptest.NewServer(&mux)
+	t.Cleanup(server.Close)
+
+	for i, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			test := &constrainedImpersonationTest{t: t}
+			tests[i] = test
+			handlers[i] = test.handler()
+
+			for _, r := range tc.requests {
+				client := &http.Client{
+					Transport: &testRoundTripper{
+						user:        r.requestor,
+						requestInfo: r.request,
+						delegate: transport.NewImpersonatingRoundTripper(
+							transport.ImpersonationConfig{
+								UserName: r.impersonatedUser.Name,
+								UID:      r.impersonatedUser.UID,
+								Groups:   r.impersonatedUser.Groups,
+								Extra:    r.impersonatedUser.Extra,
+							},
+							http.DefaultTransport,
+						),
+					},
+				}
+
+				req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, server.URL+"/"+strconv.Itoa(i), nil)
+				require.NoError(t, err)
+
+				resp, err := client.Do(req)
+				require.NoError(t, err)
+				require.Equal(t, r.expectedCode, resp.StatusCode)
+
+				body, err := io.ReadAll(resp.Body)
+				require.NoError(t, err)
+				_ = resp.Body.Close()
+
+				if r.expectedCode == http.StatusOK {
+					var actualUser user.DefaultInfo
+					if err := json.Unmarshal(body, &actualUser); err != nil {
+						t.Errorf("unexpected error: %v, body=\n%s", err, string(body))
+					}
+
+					require.Equal(t, r.expectedImpersonatedUser, &actualUser)
+					test.assertEchoCalled(true)
+					require.NotNil(t, r.expectedImpersonatedUser) // sanity check test data
+					require.Empty(t, r.expectedMessage)           // sanity check test data
+				} else {
+					var status metav1.Status
+					if err := json.Unmarshal(body, &status); err != nil {
+						t.Errorf("unexpected error: %v, body=\n%s", err, string(body))
+					}
+					require.Equal(t, r.expectedMessage, status.Message)
+					test.assertEchoCalled(false)
+					require.NotEmpty(t, r.expectedMessage)     // sanity check test data
+					require.Nil(t, r.expectedImpersonatedUser) // sanity check test data
+				}
+
+				test.assertAttributes(r)
+				test.assertCache(r)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation.go
similarity index 95%
rename from staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
rename to staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation.go
index aa47a7536d016..f0f7512c72581 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package filters
+package impersonation
 
 import (
 	"errors"
@@ -27,6 +27,7 @@ import (
 
 	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
@@ -43,7 +44,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
 		impersonationRequests, err := buildImpersonationRequests(req.Header)
 		if err != nil {
 			klog.V(4).Infof("%v", err)
-			responsewriters.InternalError(w, req, err)
+			responsewriters.RespondWithError(w, req, err, s)
 			return
 		}
 		if len(impersonationRequests) == 0 {
@@ -110,14 +111,14 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
 
 			default:
 				klog.V(4).InfoS("unknown impersonation request type", "request", impersonationRequest)
-				responsewriters.Forbidden(ctx, actingAsAttributes, w, req, fmt.Sprintf("unknown impersonation request type: %v", impersonationRequest), s)
+				responsewriters.Forbidden(actingAsAttributes, w, req, fmt.Sprintf("unknown impersonation request type: %v", impersonationRequest), s)
 				return
 			}
 
 			decision, reason, err := a.Authorize(ctx, actingAsAttributes)
 			if err != nil || decision != authorizer.DecisionAllow {
 				klog.V(4).InfoS("Forbidden", "URI", req.RequestURI, "reason", reason, "err", err)
-				responsewriters.Forbidden(ctx, actingAsAttributes, w, req, reason, s)
+				responsewriters.Forbidden(actingAsAttributes, w, req, reason, s)
 				return
 			}
 		}
@@ -166,7 +167,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
 		oldUser, _ := request.UserFrom(ctx)
 		httplog.LogOf(req, w).Addf("%v is impersonating %v", userString(oldUser), userString(newUser))
 
-		audit.LogImpersonatedUser(audit.WithAuditContext(ctx), newUser)
+		audit.LogImpersonatedUser(audit.WithAuditContext(ctx), newUser, "")
 
 		// clear all the impersonation headers from the request
 		req.Header.Del(authenticationv1.ImpersonateUserHeader)
@@ -266,7 +267,7 @@ func buildImpersonationRequests(headers http.Header) ([]v1.ObjectReference, erro
 	}
 
 	if (hasGroups || hasUserExtra || hasUID) && !hasUser {
-		return nil, fmt.Errorf("requested %v without impersonating a user", impersonationRequests)
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("requested %v without impersonating a user", impersonationRequests))
 	}
 
 	return impersonationRequests, nil
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation_test.go
similarity index 87%
rename from staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
rename to staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation_test.go
index 24148692660c7..1d586d64eae71 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/impersonation_test.go
@@ -14,19 +14,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package filters
+package impersonation
 
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"reflect"
 	"strings"
 	"sync"
 	"testing"
 
 	authenticationapi "k8s.io/api/authentication/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/runtime"
 	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -143,7 +143,7 @@ func TestImpersonationFilter(t *testing.T) {
 			expectedUser: &user.DefaultInfo{
 				Name: "tester",
 			},
-			expectedCode: http.StatusInternalServerError,
+			expectedCode: http.StatusBadRequest,
 		},
 		{
 			name: "impersonating-extra-without-user",
@@ -154,7 +154,7 @@ func TestImpersonationFilter(t *testing.T) {
 			expectedUser: &user.DefaultInfo{
 				Name: "tester",
 			},
-			expectedCode: http.StatusInternalServerError,
+			expectedCode: http.StatusBadRequest,
 		},
 		{
 			name: "impersonating-uid-without-user",
@@ -165,7 +165,7 @@ func TestImpersonationFilter(t *testing.T) {
 			expectedUser: &user.DefaultInfo{
 				Name: "tester",
 			},
-			expectedCode: http.StatusInternalServerError,
+			expectedCode: http.StatusBadRequest,
 		},
 		{
 			name: "disallowed-group",
@@ -497,7 +497,7 @@ func TestImpersonationFilter(t *testing.T) {
 		}
 
 	})
-	handler := func(delegate http.Handler) http.Handler {
+	delegateHandler := func(delegate http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			defer func() {
 				if r := recover(); r != nil {
@@ -519,53 +519,66 @@ func TestImpersonationFilter(t *testing.T) {
 
 			delegate.ServeHTTP(w, req)
 		})
-	}(WithImpersonation(doNothingHandler, impersonateAuthorizer{}, serializer.NewCodecFactory(runtime.NewScheme())))
-
-	server := httptest.NewServer(handler)
-	defer server.Close()
+	}
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			func() {
-				lock.Lock()
-				defer lock.Unlock()
-				ctx = request.WithUser(request.NewContext(), tc.user)
-			}()
+	handlersToTest := map[string]http.Handler{
+		"impersonation":            delegateHandler(WithImpersonation(doNothingHandler, impersonateAuthorizer{}, serializer.NewCodecFactory(runtime.NewScheme()))),
+		"constrainedImpersonation": delegateHandler(WithConstrainedImpersonation(doNothingHandler, impersonateAuthorizer{}, serializer.NewCodecFactory(runtime.NewScheme()))),
+	}
 
-			req, err := http.NewRequestWithContext(ctx, http.MethodGet, server.URL, nil)
-			if err != nil {
-				t.Errorf("%s: unexpected error: %v", tc.name, err)
-				return
-			}
-			if len(tc.impersonationUser) > 0 {
-				req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
-			}
-			for _, group := range tc.impersonationGroups {
-				req.Header.Add(authenticationapi.ImpersonateGroupHeader, group)
-			}
-			for extraKey, values := range tc.impersonationUserExtras {
-				for _, value := range values {
-					req.Header.Add(authenticationapi.ImpersonateUserExtraHeaderPrefix+extraKey, value)
+	for name, handler := range handlersToTest {
+		server := httptest.NewServer(handler)
+
+		for _, tc := range testCases {
+			t.Run(name+"/"+tc.name, func(t *testing.T) {
+				func() {
+					lock.Lock()
+					defer lock.Unlock()
+					ctx = request.WithUser(request.NewContext(), tc.user)
+					ctx = request.WithRequestInfo(ctx, &request.RequestInfo{
+						IsResourceRequest: true,
+						Verb:              "get",
+						APIVersion:        "v1",
+						Resource:          "pods",
+					})
+				}()
+
+				req, err := http.NewRequestWithContext(ctx, http.MethodGet, server.URL, nil)
+				if err != nil {
+					t.Errorf("%s: unexpected error: %v", tc.name, err)
+					return
+				}
+				if len(tc.impersonationUser) > 0 {
+					req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
+				}
+				for _, group := range tc.impersonationGroups {
+					req.Header.Add(authenticationapi.ImpersonateGroupHeader, group)
+				}
+				for extraKey, values := range tc.impersonationUserExtras {
+					for _, value := range values {
+						req.Header.Add(authenticationapi.ImpersonateUserExtraHeaderPrefix+extraKey, value)
+					}
+				}
+				if len(tc.impersonationUid) > 0 {
+					req.Header.Add(authenticationapi.ImpersonateUIDHeader, tc.impersonationUid)
 				}
-			}
-			if len(tc.impersonationUid) > 0 {
-				req.Header.Add(authenticationapi.ImpersonateUIDHeader, tc.impersonationUid)
-			}
 
-			resp, err := http.DefaultClient.Do(req)
-			if err != nil {
-				t.Errorf("%s: unexpected error: %v", tc.name, err)
-				return
-			}
-			if resp.StatusCode != tc.expectedCode {
-				t.Errorf("%s: expected %v, actual %v", tc.name, tc.expectedCode, resp.StatusCode)
-				return
-			}
+				resp, err := http.DefaultClient.Do(req)
+				if err != nil {
+					t.Errorf("%s: unexpected error: %v", tc.name, err)
+					return
+				}
+				if resp.StatusCode != tc.expectedCode {
+					t.Errorf("%s: expected %v, actual %v", tc.name, tc.expectedCode, resp.StatusCode)
+					return
+				}
 
-			if !reflect.DeepEqual(actualUser, tc.expectedUser) {
-				t.Errorf("%s: expected %#v, actual %#v", tc.name, tc.expectedUser, actualUser)
-				return
-			}
-		})
+				if !apiequality.Semantic.DeepEqual(actualUser, tc.expectedUser) {
+					t.Errorf("%s: expected %#v, actual %#v", tc.name, tc.expectedUser, actualUser)
+					return
+				}
+			})
+		}
+		server.Close()
 	}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/mode.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/mode.go
new file mode 100644
index 0000000000000..cdcb02ada7669
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation/mode.go
@@ -0,0 +1,637 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package impersonation
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/validation"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+)
+
+type impersonatedUserInfo struct {
+	user       user.Info
+	constraint string // the verb used in impersonationModeState.check that allowed this user to be impersonated
+}
+
+// impersonationMode is a type that represents a specific impersonation mode
+// it checks if a requester is allowed to make an API request (the attributes) while impersonating a user (the wantedUser)
+// a mode may return a cached result if it supports caching (using the input cache key if appropriate)
+// a nil impersonatedUserInfo is returned if the mode does not support impersonating the wantedUser
+type impersonationMode interface {
+	check(ctx context.Context, key *impersonationCacheKey, wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (*impersonatedUserInfo, error)
+
+	// all methods below are only used in unit tests
+	verbForTests() string
+	cachesForTests() (outer, inner *impersonationCache)
+}
+
+// constrainedImpersonationModeFilter is a function that defines if a specific constrained impersonation mode
+// supports the requestor impersonating the wantedUser.  It serves as a sudo authorization check for the mode.
+type constrainedImpersonationModeFilter func(wantedUser *user.DefaultInfo, requestor user.Info) bool
+
+func allImpersonationModes(a authorizer.Authorizer) []impersonationMode {
+	return []impersonationMode{
+		associatedNodeImpersonationMode(a),
+		arbitraryNodeImpersonationMode(a),
+		serviceAccountImpersonationMode(a),
+		userInfoImpersonationMode(a),
+		legacyImpersonationMode(a),
+	}
+}
+
+// associatedNodeImpersonationMode allows a requestor service account to impersonate the node that it is
+// associated with.  this is by far the most complex impersonation mode because it caches successful
+// impersonation attempts in a way that results in a high cache hit ratio even when the same service account
+// is used across different pods running on different nodes (i.e. a node agent running as a daemonset).
+// only the username can be specified by the requester.  all other fields in user.Info are controlled by the API server.
+func associatedNodeImpersonationMode(a authorizer.Authorizer) impersonationMode {
+	// we wrap the authorizer so that we can override the requestor service account's extra values
+	// and the node name used in the authorization check.  this makes our authorization checks match
+	// the exact semantics of our cache key which prevents unexpected privilege escalation on a cache
+	// hit.  see the comment below for the cache key details.
+	wrappedAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attributes authorizer.Attributes) (authorizer.Decision, string, error) {
+		// we use checkAuthorization instead of directly calling the authorizer so we can
+		// make the error message line up with the actual attributes authorized against
+		if err := checkAuthorization(ctx, a, &associatedNodeImpersonationAttributes{Attributes: attributes}); err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		return authorizer.DecisionAllow, "", nil
+	})
+	mode := newConstrainedImpersonationMode(wrappedAuthorizer, "associated-node",
+		func(wantedUser *user.DefaultInfo, requestor user.Info) bool {
+			wantedNodeName := wantedUser.Name
+			return onlyUsernameSet(wantedUser) && requesterAssociatedWithRequestedNodeUsername(requestor, wantedNodeName)
+		},
+	)
+	return &associatedNodeImpersonationCheck{mode: mode}
+}
+
+type associatedNodeImpersonationCheck struct {
+	mode impersonationMode
+}
+
+func (a *associatedNodeImpersonationCheck) check(ctx context.Context, _ *impersonationCacheKey, wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (*impersonatedUserInfo, error) {
+	wantedNodeName := wantedUser.Name
+	// ignore the input cache key because the cache semantics for associated-node require custom logic.
+	// we know that by the time this key is used, the filter has already verified that the requestor is
+	// a service account with a node ref that matches the node it is trying to impersonate.
+	// the actual node being impersonated is not relevant to the cache key, so we just use a static wantedUser.
+	// we wrap the attributes so that we can drop the requestor service account's extra values.
+	// this results in the cache key being the same for the same service account across all nodes.
+	// this is only safe because of the aforementioned filter running before the cache lookup happens.
+	key := &impersonationCacheKey{wantedUser: &user.DefaultInfo{Name: "system:node:*"}, attributes: &associatedNodeImpersonationAttributes{Attributes: attributes}}
+	impersonatedNodeWithMaybeIncorrectUsername, err := a.mode.check(ctx, key, wantedUser, attributes)
+	if err != nil || impersonatedNodeWithMaybeIncorrectUsername == nil {
+		return nil, err
+	}
+	// at this point, we know that we have a successful associated-node impersonation.
+	// the value could have come from the cache and thus could be for any node, so we wrap the result
+	// here so that the username matches the node associated with the requestor service account.
+	return &impersonatedUserInfo{
+		user: &associatedNodeImpersonationWantedUserInfo{
+			Info: impersonatedNodeWithMaybeIncorrectUsername.user,
+			name: wantedNodeName,
+		},
+		constraint: impersonatedNodeWithMaybeIncorrectUsername.constraint,
+	}, nil
+}
+
+func (a *associatedNodeImpersonationCheck) verbForTests() string {
+	return a.mode.verbForTests()
+}
+
+func (a *associatedNodeImpersonationCheck) cachesForTests() (*impersonationCache, *impersonationCache) {
+	return a.mode.cachesForTests()
+}
+
+type associatedNodeImpersonationAttributes struct {
+	authorizer.Attributes
+}
+
+func (a *associatedNodeImpersonationAttributes) GetUser() user.Info {
+	return &associatedNodeImpersonationRequestorUserInfo{Info: a.Attributes.GetUser()}
+}
+
+func (a *associatedNodeImpersonationAttributes) GetName() string {
+	if a.GetVerb() == "impersonate:associated-node" {
+		return "*" // our cache key ignores the node name, so our authorization check needs to be valid for all node names
+	}
+	return a.Attributes.GetName()
+}
+
+type associatedNodeImpersonationRequestorUserInfo struct {
+	user.Info
+}
+
+func (a *associatedNodeImpersonationRequestorUserInfo) GetExtra() map[string][]string {
+	return map[string][]string{
+		// we know the requestor is a service account with a node ref that matches the node it is trying to impersonate
+		// basically all the extra values would cause cache misses (for example, the node name itself)
+		// so we drop all the extra values but keep the associated key names
+		// the authorizer can trust that we have performed the node association check correctly
+		// the audit log will still contain the full requestor extra fields
+		// different bound object ref types can result in different extra keys, and thus a different cache key
+		"authentication.kubernetes.io/associated-node-keys": sets.StringKeySet(a.Info.GetExtra()).List(),
+	}
+}
+
+type associatedNodeImpersonationWantedUserInfo struct {
+	user.Info
+	name string
+}
+
+func (a *associatedNodeImpersonationWantedUserInfo) GetName() string {
+	return a.name
+}
+
+// arbitraryNodeImpersonationMode implements constrained impersonation for nodes.
+// Only the username can be specified by the requester.  All other fields in user.Info are controlled by the API server.
+func arbitraryNodeImpersonationMode(a authorizer.Authorizer) impersonationMode {
+	return newConstrainedImpersonationMode(a, "arbitrary-node",
+		func(wantedUser *user.DefaultInfo, _ user.Info) bool {
+			if !onlyUsernameSet(wantedUser) {
+				return false
+			}
+			_, ok := isNodeUsername(wantedUser.Name)
+			return ok
+		},
+	)
+}
+
+// serviceAccountImpersonationMode implements constrained impersonation for service accounts.
+// Only the username can be specified by the requester.  All other fields in user.Info are controlled by the API server.
+func serviceAccountImpersonationMode(a authorizer.Authorizer) impersonationMode {
+	return newConstrainedImpersonationMode(a, "serviceaccount",
+		func(wantedUser *user.DefaultInfo, _ user.Info) bool {
+			if !onlyUsernameSet(wantedUser) {
+				return false
+			}
+			_, _, ok := isServiceAccountUsername(wantedUser.Name)
+			return ok
+		},
+	)
+}
+
+// userInfoImpersonationMode implements constrained impersonation for non-node and non-service account users.
+// Unlike the other constrained impersonation modes, it supports impersonating all fields of user.Info.
+func userInfoImpersonationMode(a authorizer.Authorizer) impersonationMode {
+	return newConstrainedImpersonationMode(a, "user-info",
+		func(wantedUser *user.DefaultInfo, _ user.Info) bool {
+			// nodes and service accounts cannot be impersonated in this mode.
+			// the user-info bucket is reserved for the "other" users, that is,
+			// users that do not have an explicit schema defined by Kube.
+			if _, ok := isNodeUsername(wantedUser.Name); ok {
+				return false
+			}
+			if _, _, ok := isServiceAccountUsername(wantedUser.Name); ok {
+				return false
+			}
+			return true
+		},
+	)
+}
+
+// legacyImpersonationMode is a complete reimplementation of the original impersonation mode that has
+// existed in kube since v1.3.  The behavior is expected to be identical to the original implementation.
+func legacyImpersonationMode(a authorizer.Authorizer) impersonationMode {
+	return &legacyImpersonationCheck{m: newImpersonationModeState(a, "impersonate", false)}
+}
+
+type legacyImpersonationCheck struct {
+	m *impersonationModeState
+}
+
+func (l *legacyImpersonationCheck) check(ctx context.Context, key *impersonationCacheKey, wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (*impersonatedUserInfo, error) {
+	requestor := attributes.GetUser()
+	return l.m.check(ctx, key, wantedUser, requestor)
+}
+
+func (l *legacyImpersonationCheck) verbForTests() string {
+	return l.m.verb
+}
+
+func (l *legacyImpersonationCheck) cachesForTests() (*impersonationCache, *impersonationCache) {
+	// legacy impersonation has no outer layer so just return an empty cache
+	// though an inner cache is present, it is unused
+	return newImpersonationCache(false), l.m.cache
+}
+
+func newConstrainedImpersonationMode(a authorizer.Authorizer, mode string, filter constrainedImpersonationModeFilter) impersonationMode {
+	return &constrainedImpersonationModeState{
+		state:      newImpersonationModeState(a, "impersonate:"+mode, true),
+		cache:      newImpersonationCache(false),
+		authorizer: a,
+		mode:       mode,
+		filter:     filter,
+	}
+}
+
+// constrainedImpersonationModeState implements the secondary authorization check via impersonate-on:<mode>:<verb> to
+// determine if the requestor is authorized to perform the specific verb when impersonating the wantedUser via mode.
+// if this check succeeds, the primary authorization checks are run, see impersonationModeState for details.
+// if the mode's filter does not match the inputs, the impersonation automatically fails and returns a nil impersonatedUserInfo.
+type constrainedImpersonationModeState struct {
+	state *impersonationModeState
+	// this outer cache covers the overall impersonation for this mode, i.e. a cache hit here short-circuits all checks
+	// skipAttributes is false, i.e. this cache depends on the request being made, not just the user being impersonated by the requestor
+	// it is expected to have a low hit ratio because the requestor is unlikely to make the same request multiple times in a short period
+	cache      *impersonationCache
+	authorizer authorizer.Authorizer
+	mode       string
+	filter     constrainedImpersonationModeFilter
+}
+
+func (c *constrainedImpersonationModeState) check(ctx context.Context, key *impersonationCacheKey, wantedUser *user.DefaultInfo, attributes authorizer.Attributes) (*impersonatedUserInfo, error) {
+	requestor := attributes.GetUser()
+	// we must call the filter before doing anything because this serves as a sudo authorization check to say "does this mode even apply?"
+	// also the cache key is not always a direct match with wantedUser+attributes, so again, we must call the filter first
+	if !c.filter(wantedUser, requestor) {
+		return nil, nil
+	}
+
+	if impersonatedUser := c.cache.get(key); impersonatedUser != nil {
+		return impersonatedUser, nil
+	}
+
+	if err := checkAuthorization(ctx, c.authorizer, &impersonateOnAttributes{mode: c.mode, Attributes: attributes}); err != nil {
+		return nil, err
+	}
+
+	impersonatedUser, err := c.state.check(ctx, key, wantedUser, requestor)
+	if err != nil || impersonatedUser == nil {
+		return nil, err
+	}
+	c.cache.set(key, impersonatedUser)
+	return impersonatedUser, nil
+}
+
+func (c *constrainedImpersonationModeState) verbForTests() string {
+	return c.state.verb
+}
+
+func (c *constrainedImpersonationModeState) cachesForTests() (*impersonationCache, *impersonationCache) {
+	return c.cache, c.state.cache
+}
+
+// impersonationModeState implements the primary authorization checks via the impersonate:<mode> verb for constrained
+// impersonation and the impersonate verb for legacy impersonation.  each field that is set in the wantedUser
+// results in one or more authorization checks to determine if the requestor has access to impersonate that value.
+type impersonationModeState struct {
+	authorizer                 authorizer.Authorizer
+	verb                       string
+	isConstrainedImpersonation bool
+
+	usernameAndGroupGV schema.GroupVersion
+	constraint         string
+
+	// this inner cache covers the checks related to the specific fields set in wantedUser
+	// skipAttributes is true, i.e. this cache only depends on the user being impersonated by the requestor
+	// it is expected to have a high hit ratio because the requestor may impersonate the same user for many different requests
+	cache *impersonationCache
+}
+
+func newImpersonationModeState(a authorizer.Authorizer, verb string, isConstrainedImpersonation bool) *impersonationModeState {
+	usernameAndGroupGV := authenticationv1.SchemeGroupVersion
+	constraint := verb
+	if !isConstrainedImpersonation {
+		usernameAndGroupGV = corev1.SchemeGroupVersion
+		constraint = ""
+	}
+	return &impersonationModeState{
+		authorizer:                 a,
+		verb:                       verb,
+		isConstrainedImpersonation: isConstrainedImpersonation,
+
+		usernameAndGroupGV: usernameAndGroupGV,
+		constraint:         constraint,
+		cache:              newImpersonationCache(true),
+	}
+}
+
+func (m *impersonationModeState) check(ctx context.Context, key *impersonationCacheKey, wantedUser *user.DefaultInfo, requestor user.Info) (*impersonatedUserInfo, error) {
+	// we only use caching in constrained impersonation mode to avoid any behavioral changes with legacy impersonation
+	if m.isConstrainedImpersonation {
+		if impersonatedUser := m.cache.get(key); impersonatedUser != nil {
+			return impersonatedUser, nil
+		}
+	}
+
+	actualUser := *wantedUser
+
+	if err := m.authorizeUsername(ctx, requestor, wantedUser.Name, wantedUser.Groups, &actualUser); err != nil {
+		return nil, err
+	}
+
+	if err := m.authorizeUID(ctx, requestor, wantedUser.UID); err != nil {
+		return nil, err
+	}
+
+	if err := m.authorizeGroups(ctx, requestor, wantedUser.Groups); err != nil {
+		return nil, err
+	}
+
+	if err := m.authorizeExtra(ctx, requestor, wantedUser.Extra); err != nil {
+		return nil, err
+	}
+
+	if actualUser.Name == user.Anonymous {
+		ensureGroup(&actualUser, user.AllUnauthenticated)
+	} else if !slices.Contains(actualUser.Groups, user.AllUnauthenticated) {
+		ensureGroup(&actualUser, user.AllAuthenticated)
+	}
+
+	impersonatedUser := &impersonatedUserInfo{user: &actualUser, constraint: m.constraint}
+	if m.isConstrainedImpersonation {
+		m.cache.set(key, impersonatedUser)
+	}
+	return impersonatedUser, nil
+}
+
+func (m *impersonationModeState) authorizeUsername(ctx context.Context, requestor user.Info, username string, wantedUserGroups []string, actualUser *user.DefaultInfo) error {
+	usernameAttributes := impersonationAttributes(requestor, m.usernameAndGroupGV, m.verb, "users", username)
+
+	if m.isConstrainedImpersonation {
+		if name, ok := isNodeUsername(username); ok {
+			usernameAttributes.Resource = "nodes"
+			usernameAttributes.Name = name
+
+			// this should be impossible to reach but check just in case
+			if len(wantedUserGroups) != 0 {
+				return responsewriters.ForbiddenStatusError(usernameAttributes, fmt.Sprintf("when impersonating a node, cannot impersonate groups %q", wantedUserGroups))
+			}
+
+			actualUser.Groups = []string{user.NodesGroup} // all nodes have a fixed group list in constrained impersonation
+		}
+	}
+
+	if namespace, name, ok := isServiceAccountUsername(username); ok {
+		usernameAttributes.Resource = "serviceaccounts"
+		usernameAttributes.Namespace = namespace
+		usernameAttributes.Name = name
+
+		// this should be impossible to reach but check just in case
+		if m.isConstrainedImpersonation && len(wantedUserGroups) != 0 {
+			return responsewriters.ForbiddenStatusError(usernameAttributes, fmt.Sprintf("when impersonating a service account, cannot impersonate groups %q", wantedUserGroups))
+		}
+
+		if len(wantedUserGroups) == 0 {
+			// if groups are not specified for a service account, we know the groups because it is a fixed mapping.  Add them
+			actualUser.Groups = serviceaccount.MakeGroupNames(namespace)
+		}
+	}
+
+	return checkAuthorization(ctx, m.authorizer, usernameAttributes)
+}
+
+func (m *impersonationModeState) authorizeUID(ctx context.Context, requestor user.Info, uid string) error {
+	if len(uid) == 0 {
+		return nil
+	}
+	uidAttributes := impersonationAttributes(requestor, authenticationv1.SchemeGroupVersion, m.verb, "uids", uid)
+	return checkAuthorization(ctx, m.authorizer, uidAttributes)
+}
+
+// manyAuthorizationChecksInLoop is an arbitrary value used in constrained impersonation modes to decide if they
+// should try to perform a single wildcard authorization check before making many individual checks in a loop.
+const manyAuthorizationChecksInLoop = 4
+
+func (m *impersonationModeState) authorizeGroups(ctx context.Context, requestor user.Info, groups []string) error {
+	if len(groups) == 0 {
+		return nil
+	}
+
+	groupAttributes := impersonationAttributes(requestor, m.usernameAndGroupGV, m.verb, "groups", "")
+
+	// perform extra sanity checks that would be backwards incompatible with legacy impersonation
+	if m.isConstrainedImpersonation {
+		if slices.Contains(groups, "") {
+			return responsewriters.ForbiddenStatusError(groupAttributes, "impersonating the empty string group is not allowed")
+		}
+		if slices.Contains(groups, user.SystemPrivilegedGroup) {
+			groupAttributes.Name = user.SystemPrivilegedGroup
+			return responsewriters.ForbiddenStatusError(groupAttributes, "impersonating the system:masters group is not allowed")
+		}
+	}
+
+	// if the requestor is trying to impersonate many groups at once, see if they are authorized to impersonate all groups
+	// we only do this in constrained impersonation mode to avoid any behavioral changes with legacy impersonation
+	if m.isConstrainedImpersonation && len(groups) >= manyAuthorizationChecksInLoop {
+		groupAttributes.Name = "*"
+		if err := checkAuthorization(ctx, m.authorizer, groupAttributes); err == nil {
+			return nil
+		}
+	}
+
+	for _, group := range groups {
+		groupAttributes.Name = group
+		if err := checkAuthorization(ctx, m.authorizer, groupAttributes); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *impersonationModeState) authorizeExtra(ctx context.Context, requestor user.Info, extra map[string][]string) error {
+	if len(extra) == 0 {
+		return nil
+	}
+
+	extraAttributes := impersonationAttributes(requestor, authenticationv1.SchemeGroupVersion, m.verb, "userextras", "")
+
+	// perform extra sanity checks that would be backwards incompatible with legacy impersonation
+	if m.isConstrainedImpersonation {
+		if err := validateExtra(extra); err != nil {
+			return responsewriters.ForbiddenStatusError(extraAttributes, err.Error())
+		}
+	}
+
+	// if the requestor is trying to impersonate many extras at once, see if they are authorized to impersonate all extras
+	// we only do this in constrained impersonation mode to avoid any behavioral changes with legacy impersonation
+	if m.isConstrainedImpersonation && isLargeExtra(extra) {
+		extraAttributes.Subresource = "*"
+		extraAttributes.Name = "*"
+		if err := checkAuthorization(ctx, m.authorizer, extraAttributes); err == nil {
+			return nil
+		}
+	}
+
+	for key, values := range extra {
+		extraAttributes.Subresource = key
+		for _, value := range values {
+			extraAttributes.Name = value
+			if err := checkAuthorization(ctx, m.authorizer, extraAttributes); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func validateExtra(extra map[string][]string) error {
+	fp := field.NewPath("extra", "key")
+	for key, values := range extra {
+		if len(key) == 0 {
+			return fmt.Errorf("impersonating the empty string key in extra is not allowed")
+		}
+		if err := utilvalidation.IsDomainPrefixedPath(fp, key).ToAggregate(); err != nil {
+			return fmt.Errorf("impersonating an invalid key in extra is not allowed: %w", err)
+		}
+		if key != strings.ToLower(key) {
+			return fmt.Errorf("impersonating a non-lowercase key in extra is not allowed: %q", key)
+		}
+		if len(values) == 0 {
+			return fmt.Errorf("impersonating empty values in extra is not allowed")
+		}
+		if slices.Contains(values, "") {
+			return fmt.Errorf("impersonating the empty string value in extra is not allowed")
+		}
+	}
+	return nil
+}
+
+func isLargeExtra(extra map[string][]string) bool {
+	if len(extra) >= manyAuthorizationChecksInLoop {
+		return true
+	}
+	var count int
+	for _, values := range extra {
+		count += len(values)
+		if count >= manyAuthorizationChecksInLoop {
+			return true
+		}
+	}
+	return false
+}
+
+func impersonationAttributes(requestor user.Info, gv schema.GroupVersion, verb, resource, name string) authorizer.AttributesRecord {
+	return authorizer.AttributesRecord{
+		User:            requestor,
+		Verb:            verb,
+		APIGroup:        gv.Group,
+		APIVersion:      gv.Version,
+		Resource:        resource,
+		Name:            name,
+		ResourceRequest: true,
+	}
+}
+
+// impersonateOnAttributes is a simple wrapper that updates the verb of the attributes to impersonate-on:<mode>:<verb>
+// This allows the expression of "a subject can perform this verb while using this impersonation mode"
+type impersonateOnAttributes struct {
+	mode string
+	authorizer.Attributes
+}
+
+func (i *impersonateOnAttributes) GetVerb() string {
+	return "impersonate-on:" + i.mode + ":" + i.Attributes.GetVerb()
+}
+
+func checkAuthorization(ctx context.Context, a authorizer.Authorizer, attributes authorizer.Attributes) error {
+	authorized, reason, err := a.Authorize(ctx, attributes)
+
+	// an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
+	if authorized == authorizer.DecisionAllow {
+		return nil
+	}
+
+	// if the authorizer gave us a forbidden error, do not wrap it again
+	if errors.IsForbidden(err) {
+		return err
+	}
+
+	msg := reason
+	switch {
+	case err != nil && len(reason) > 0:
+		msg = fmt.Sprintf("%v: %s", err, reason)
+	case err != nil:
+		msg = err.Error()
+	}
+
+	return responsewriters.ForbiddenStatusError(attributes, msg)
+}
+
+func ensureGroup(u *user.DefaultInfo, group string) {
+	if slices.Contains(u.Groups, group) {
+		return
+	}
+
+	// do not mutate a slice that we did not create
+	groups := make([]string, 0, len(u.Groups)+1)
+	groups = append(groups, u.Groups...)
+	groups = append(groups, group)
+	u.Groups = groups
+}
+
+func isServiceAccountUsername(username string) (namespace, name string, ok bool) {
+	namespace, name, err := serviceaccount.SplitUsername(username)
+	return namespace, name, err == nil
+}
+
+// matches the real ValidateNodeName from k8s.io/kubernetes/pkg/apis/core/validation
+// which we are not allowed to import here
+var validateNodeName = validation.NameIsDNSSubdomain
+
+func isNodeUsername(username string) (string, bool) {
+	const nodeUsernamePrefix = "system:node:"
+	if !strings.HasPrefix(username, nodeUsernamePrefix) {
+		return "", false
+	}
+	name := strings.TrimPrefix(username, nodeUsernamePrefix)
+	if len(validateNodeName(name, false)) != 0 {
+		return "", false
+	}
+	return name, true
+}
+
+func requesterAssociatedWithRequestedNodeUsername(requestor user.Info, username string) bool {
+	nodeName, ok := isNodeUsername(username)
+	if !ok {
+		return false
+	}
+	if _, _, ok := isServiceAccountUsername(requestor.GetName()); !ok {
+		return false
+	}
+	return getExtraValue(requestor, serviceaccount.NodeNameKey) == nodeName
+}
+
+func getExtraValue(u user.Info, key string) string {
+	values := u.GetExtra()[key]
+	if len(values) != 1 {
+		return ""
+	}
+	return values[0]
+}
+
+func onlyUsernameSet(u user.Info) bool {
+	return len(u.GetUID()) == 0 && len(u.GetGroups()) == 0 && len(u.GetExtra()) == 0
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
index e8b74c8a913e8..2efd08d25a8ef 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete.go
@@ -103,11 +103,13 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
 				defaultGVK := scope.MetaGroupVersion.WithKind("DeleteOptions")
 				obj, gvk, err := apihelpers.GetMetaInternalVersionCodecs().DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
 				if err != nil {
+					err = errors.NewBadRequest(err.Error())
 					scope.err(err, w, req)
 					return
 				}
 				if obj != options {
-					scope.err(fmt.Errorf("decoded object cannot be converted to DeleteOptions"), w, req)
+					err = errors.NewBadRequest("decoded object cannot be converted to DeleteOptions")
+					scope.err(err, w, req)
 					return
 				}
 				span.AddEvent("Decoded delete options")
@@ -278,11 +280,13 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc
 				defaultGVK := scope.MetaGroupVersion.WithKind("DeleteOptions")
 				obj, gvk, err := apihelpers.GetMetaInternalVersionCodecs().DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
 				if err != nil {
+					err = errors.NewBadRequest(err.Error())
 					scope.err(err, w, req)
 					return
 				}
 				if obj != options {
-					scope.err(fmt.Errorf("decoded object cannot be converted to DeleteOptions"), w, req)
+					err = errors.NewBadRequest("decoded object cannot be converted to DeleteOptions")
+					scope.err(err, w, req)
 					return
 				}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete_test.go
index c0396ee4aecf6..3fbeef7f63e59 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/delete_test.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+	jsonserializer "k8s.io/apimachinery/pkg/runtime/serializer/json"
 	"k8s.io/apiserver/pkg/admission"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
@@ -147,6 +148,73 @@ func TestDeleteResourceAuditLogRequestObject(t *testing.T) {
 	}
 }
 
+// For issue https://github.com/kubernetes/kubernetes/issues/132359
+func TestDeleteResourceDeleteOptions(t *testing.T) {
+	ctx := t.Context()
+	fakeDeleterFn := func(ctx context.Context, _ rest.ValidateObjectFunc, _ *metav1.DeleteOptions) (runtime.Object, bool, error) {
+		return nil, false, nil
+	}
+	js := jsonserializer.NewSerializerWithOptions(jsonserializer.DefaultMetaFactory, nil, nil, jsonserializer.SerializerOptions{})
+	scope := &RequestScope{
+		Namer: &mockNamer{},
+		Serializer: &fakeSerializer{
+			serializer: runtime.NewCodec(js, js),
+		},
+	}
+	handler := DeleteResource(fakeDeleterFunc(fakeDeleterFn), true, scope, nil)
+
+	tests := []struct {
+		name       string
+		body       string
+		expectCode int
+	}{
+		{
+			name:       "valid delete options",
+			body:       "{}",
+			expectCode: 200,
+		},
+		{
+			name:       "orphanDependents invalid Go type",
+			body:       `{"orphanDependents": "randomString"}`,
+			expectCode: 400,
+		},
+		{
+			name:       "apiVersion/kind mismatch",
+			body:       `{ "apiVersion": "v1", "kind": "APIResourceList" }`,
+			expectCode: 400,
+		},
+		{
+			name:       "apiVersion invalid type",
+			body:       `{ "apiVersion": false, "kind": "DeleteOptions" }`,
+			expectCode: 400,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			req, err := http.NewRequestWithContext(ctx, request.MethodDelete, "/api/v1/namespaces/default/pods/testpod", strings.NewReader(test.body))
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			req.Header.Set("Content-Type", "application/json")
+			req.Header.Set("Accept", "*/*")
+
+			recorder := httptest.NewRecorder()
+			handler.ServeHTTP(recorder, req)
+			gotCode := recorder.Code
+			if gotCode != test.expectCode {
+				t.Fatalf("expected status %v but got %v", test.expectCode, gotCode)
+			}
+		})
+	}
+}
+
+type fakeDeleterFunc func(ctx context.Context, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions) (runtime.Object, bool, error)
+
+func (f fakeDeleterFunc) Delete(ctx context.Context, name string, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
+	return f(ctx, deleteValidation, options)
+}
+
 func TestDeleteCollection(t *testing.T) {
 	req := &http.Request{
 		Header: http.Header{},
@@ -216,6 +284,67 @@ func TestDeleteCollection(t *testing.T) {
 	}
 }
 
+// For issue https://github.com/kubernetes/kubernetes/issues/132359
+func TestDeleteCollectionDeleteOptions(t *testing.T) {
+	ctx := t.Context()
+	fakeDeleterFn := func(ctx context.Context, _ rest.ValidateObjectFunc, _ *metav1.DeleteOptions, _ *metainternalversion.ListOptions) (runtime.Object, error) {
+		return nil, nil
+	}
+	js := jsonserializer.NewSerializerWithOptions(jsonserializer.DefaultMetaFactory, nil, nil, jsonserializer.SerializerOptions{})
+	scope := &RequestScope{
+		Namer: &mockNamer{},
+		Serializer: &fakeSerializer{
+			serializer: runtime.NewCodec(js, js),
+		},
+	}
+	handler := DeleteCollection(fakeCollectionDeleterFunc(fakeDeleterFn), true, scope, nil)
+
+	tests := []struct {
+		name       string
+		body       string
+		expectCode int
+	}{
+		{
+			name:       "valid delete options",
+			body:       "{}",
+			expectCode: 200,
+		},
+		{
+			name:       "orphanDependents invalid Go type",
+			body:       `{"orphanDependents": "randomString"}`,
+			expectCode: 400,
+		},
+		{
+			name:       "apiVersion/kind mismatch",
+			body:       `{ "apiVersion": "v1", "kind": "APIResourceList" }`,
+			expectCode: 400,
+		},
+		{
+			name:       "apiVersion invalid type",
+			body:       `{ "apiVersion": false, "kind": "DeleteOptions" }`,
+			expectCode: 400,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			req, err := http.NewRequestWithContext(ctx, request.MethodDelete, "/api/v1/namespaces/default/pods/testpod", strings.NewReader(test.body))
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			req.Header.Set("Content-Type", "application/json")
+			req.Header.Set("Accept", "*/*")
+
+			recorder := httptest.NewRecorder()
+			handler.ServeHTTP(recorder, req)
+			gotCode := recorder.Code
+			if gotCode != test.expectCode {
+				t.Fatalf("expected status %v but got %v", test.expectCode, gotCode)
+			}
+		})
+	}
+}
+
 func TestDeleteCollectionWithNoContextDeadlineEnforced(t *testing.T) {
 	ctx := t.Context()
 	var invokedGot, hasDeadlineGot int32
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go
index 7667e6639c236..d97dda575cdeb 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/negotiation/negotiate.go
@@ -168,6 +168,9 @@ type MediaTypeOptions struct {
 	// has set
 	Export bool
 
+	// profile controls the discovery profile (e.g., "local" for local (non peer-aggregated) discovery)
+	Profile string
+
 	// unrecognized is a list of all unrecognized keys
 	Unrecognized []string
 
@@ -227,6 +230,10 @@ func acceptMediaTypeOptions(params map[string]string, accepts *runtime.Serialize
 		case "pretty":
 			options.Pretty = v == "1"
 
+		// controls the discovery profile (eg local vs peer-aggregated)
+		case "profile":
+			options.Profile = v
+
 		default:
 			options.Unrecognized = append(options.Unrecognized, k)
 		}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/response.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/response.go
index c34c6edd53509..f36bb403909d1 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/response.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/response.go
@@ -36,7 +36,6 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
-	"k8s.io/apiserver/pkg/endpoints/metrics"
 	endpointsrequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/util/apihelpers"
@@ -193,7 +192,6 @@ func (e *watchEncoder) doEncode(obj runtime.Object, event watch.Event, w io.Writ
 		Type:   string(event.Type),
 		Object: runtime.RawExtension{Raw: e.buffer.Bytes()},
 	}
-	metrics.WatchEventsSizes.WithContext(e.ctx).WithLabelValues(e.groupVersionResource.Group, e.groupVersionResource.Version, e.groupVersionResource.Resource).Observe(float64(len(outEvent.Object.Raw)))
 
 	defer e.eventBuffer.Reset()
 	if err := e.encoder.Encode(outEvent, e.eventBuffer); err != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors.go
index 07316e802a950..cdf77ef63afd8 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors.go
@@ -17,12 +17,12 @@ limitations under the License.
 package responsewriters
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"strings"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -33,10 +33,13 @@ import (
 var sanitizer = strings.NewReplacer(`&`, "&amp;", `<`, "&lt;", `>`, "&gt;")
 
 // Forbidden renders a simple forbidden error
-func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
+func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
+	RespondWithError(w, req, ForbiddenStatusError(attributes, reason), s)
+}
+
+func RespondWithError(w http.ResponseWriter, req *http.Request, err error, s runtime.NegotiatedSerializer) {
 	w.Header().Set("X-Content-Type-Options", "nosniff")
-	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
-	ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+	ErrorNegotiated(err, s, metav1.Unversioned, w, req)
 }
 
 func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors_test.go
index f21582ae18849..ff87308608775 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors_test.go
@@ -78,7 +78,7 @@ func TestForbidden(t *testing.T) {
 		observer := httptest.NewRecorder()
 		scheme := runtime.NewScheme()
 		negotiatedSerializer := serializer.NewCodecFactory(scheme).WithoutConversion()
-		Forbidden(request.NewDefaultContext(), test.attributes, observer, &http.Request{URL: &url.URL{Path: "/path"}}, test.reason, negotiatedSerializer)
+		Forbidden(test.attributes, observer, &http.Request{URL: &url.URL{Path: "/path"}}, test.reason, negotiatedSerializer)
 		result := observer.Body.String()
 		if result != test.expected {
 			t.Errorf("Forbidden response body(%#v...)\n expected: %v\ngot:       %v", test.attributes, test.expected, result)
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers_test.go
index 555478a615d77..10bd42fcd9347 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/writers_test.go
@@ -709,16 +709,16 @@ func toJSON(b *testing.B, list *v1.PodList) []byte {
 	return out
 }
 
-func benchmarkSerializeObject(b *testing.B, payload []byte) {
-	input, output := len(payload), len(gzipContent(payload, defaultGzipContentEncodingLevel))
-	b.Logf("Payload size: %d, expected output size: %d, ratio: %.2f", input, output, float64(output)/float64(input))
-
+func benchmarkSerializeObject(b *testing.B, payload []byte, gzip bool) {
 	req := &http.Request{
-		Header: http.Header{
-			"Accept-Encoding": []string{"gzip"},
-		},
 		URL: &url.URL{Path: "/path"},
 	}
+	if gzip {
+		req.Header = http.Header{
+			"Accept-Encoding": []string{"gzip"},
+		}
+	}
+
 	featuregatetesting.SetFeatureGateDuringTest(b, utilfeature.DefaultFeatureGate, features.APIResponseCompression, true)
 
 	encoder := &fakeEncoder{
@@ -726,34 +726,42 @@ func benchmarkSerializeObject(b *testing.B, payload []byte) {
 	}
 
 	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
+	responseBytesTotal := 0
+	for b.Loop() {
 		recorder := httptest.NewRecorder()
 		SerializeObject("application/json", encoder, recorder, req, http.StatusOK, nil /* object */)
 		result := recorder.Result()
 		if result.StatusCode != http.StatusOK {
 			b.Fatalf("incorrect status code: got %v;  want: %v", result.StatusCode, http.StatusOK)
 		}
+		responseBytesTotal += recorder.Body.Len()
 	}
+	b.ReportMetric(float64(responseBytesTotal/b.N), "writtenBytes/op")
 }
 
-func BenchmarkSerializeObject1000PodsPB(b *testing.B) {
-	benchmarkSerializeObject(b, toProtoBuf(b, benchmarkItems(b, "testdata/pod.json", 1000)))
-}
-func BenchmarkSerializeObject10000PodsPB(b *testing.B) {
-	benchmarkSerializeObject(b, toProtoBuf(b, benchmarkItems(b, "testdata/pod.json", 10000)))
-}
-func BenchmarkSerializeObject100000PodsPB(b *testing.B) {
-	benchmarkSerializeObject(b, toProtoBuf(b, benchmarkItems(b, "testdata/pod.json", 100000)))
-}
-
-func BenchmarkSerializeObject1000PodsJSON(b *testing.B) {
-	benchmarkSerializeObject(b, toJSON(b, benchmarkItems(b, "testdata/pod.json", 1000)))
-}
-func BenchmarkSerializeObject10000PodsJSON(b *testing.B) {
-	benchmarkSerializeObject(b, toJSON(b, benchmarkItems(b, "testdata/pod.json", 10000)))
-}
-func BenchmarkSerializeObject100000PodsJSON(b *testing.B) {
-	benchmarkSerializeObject(b, toJSON(b, benchmarkItems(b, "testdata/pod.json", 100000)))
+func BenchmarkSerializeObject(b *testing.B) {
+	for _, count := range []int{1_000, 10_000, 100_000} {
+		b.Run(fmt.Sprintf("Count=%d", count), func(b *testing.B) {
+			medias := []struct {
+				name    string
+				convert func(*testing.B, *v1.PodList) []byte
+			}{
+				{"Json", toJSON},
+				{"Protobuf", toProtoBuf},
+			}
+			podList := benchmarkItems(b, "testdata/pod.json", count)
+			for _, media := range medias {
+				b.Run(fmt.Sprintf("MediaType=%s", media.name), func(b *testing.B) {
+					payload := media.convert(b, podList)
+					for _, gzip := range []bool{true, false} {
+						b.Run(fmt.Sprintf("Compression=%v", gzip), func(b *testing.B) {
+							benchmarkSerializeObject(b, payload, gzip)
+						})
+					}
+				})
+			}
+		})
+	}
 }
 
 type fakeResponseRecorder struct {
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch.go
index 7bf702c6188ec..822e56288940e 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"sync/atomic"
 	"time"
 
 	"golang.org/x/net/websocket"
@@ -37,11 +38,9 @@ import (
 	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	compbasemetrics "k8s.io/component-base/metrics"
 )
 
-// nothing will ever be sent down this channel
-var neverExitWatch <-chan time.Time = make(chan time.Time)
-
 // timeoutFactory abstracts watch timeout logic for testing
 type TimeoutFactory interface {
 	TimeoutCh() (<-chan time.Time, func() bool)
@@ -56,7 +55,8 @@ type realTimeoutFactory struct {
 // and a cleanup function to call when this happens.
 func (w *realTimeoutFactory) TimeoutCh() (<-chan time.Time, func() bool) {
 	if w.timeout == 0 {
-		return neverExitWatch, func() bool { return false }
+		// nothing will ever be sent down this channel
+		return nil, func() bool { return false }
 	}
 	t := time.NewTimer(w.timeout)
 	return t.C, t.Stop
@@ -204,6 +204,29 @@ type WatchServer struct {
 	metricsScope string
 }
 
+// watchEventMetricsRecorder allows the caller to count bytes written and report the size of the event.
+// It is thread-safe, as long as underlying io.Writer is thread-safe.
+// Once all Write calls for a given watch event have finished, RecordEvent must be called.
+type watchEventMetricsRecorder struct {
+	writer      io.Writer
+	countMetric compbasemetrics.CounterMetric
+	sizeMetric  compbasemetrics.ObserverMetric
+	byteCount   atomic.Int64
+}
+
+// Write implements io.Writer.
+func (c *watchEventMetricsRecorder) Write(p []byte) (n int, err error) {
+	n, err = c.writer.Write(p)
+	c.byteCount.Add(int64(n))
+	return
+}
+
+// Record reports the metrics and resets the byte count.
+func (c *watchEventMetricsRecorder) RecordEvent() {
+	c.countMetric.Inc()
+	c.sizeMetric.Observe(float64(c.byteCount.Swap(0)))
+}
+
 // HandleHTTP serves a series of encoded events via HTTP with Transfer-Encoding: chunked.
 // or over a websocket connection.
 func (s *WatchServer) HandleHTTP(w http.ResponseWriter, req *http.Request) {
@@ -241,7 +264,14 @@ func (s *WatchServer) HandleHTTP(w http.ResponseWriter, req *http.Request) {
 	flusher.Flush()
 
 	gvr := s.Scope.Resource
-	watchEncoder := newWatchEncoder(req.Context(), gvr, s.EmbeddedEncoder, s.Encoder, framer)
+
+	recorder := &watchEventMetricsRecorder{
+		writer:      framer,
+		countMetric: metrics.WatchEvents.WithContext(req.Context()).WithLabelValues(gvr.Group, gvr.Version, gvr.Resource),
+		sizeMetric:  metrics.WatchEventsSizes.WithContext(req.Context()).WithLabelValues(gvr.Group, gvr.Version, gvr.Resource),
+	}
+
+	watchEncoder := newWatchEncoder(req.Context(), gvr, s.EmbeddedEncoder, s.Encoder, recorder)
 	ch := s.Watching.ResultChan()
 	done := req.Context().Done()
 
@@ -265,7 +295,6 @@ func (s *WatchServer) HandleHTTP(w http.ResponseWriter, req *http.Request) {
 				// End of results.
 				return
 			}
-			metrics.WatchEvents.WithContext(req.Context()).WithLabelValues(gvr.Group, gvr.Version, gvr.Resource).Inc()
 			isWatchListLatencyRecordingRequired := shouldRecordWatchListLatency(event)
 
 			if err := watchEncoder.Encode(event); err != nil {
@@ -273,6 +302,7 @@ func (s *WatchServer) HandleHTTP(w http.ResponseWriter, req *http.Request) {
 				// client disconnect.
 				return
 			}
+			recorder.RecordEvent()
 
 			if len(ch) == 0 {
 				flusher.Flush()
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch_test.go
index e9277c250c7d7..1e5784e322c58 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/handlers/watch_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package handlers
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -24,6 +25,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -36,9 +39,12 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	"k8s.io/apiserver/pkg/endpoints/metrics"
 	endpointstesting "k8s.io/apiserver/pkg/endpoints/testing"
 	"k8s.io/client-go/dynamic"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/component-base/metrics/legacyregistry"
+	metricstestutil "k8s.io/component-base/metrics/testutil"
 )
 
 // Fake API versions, similar to api/latest.go
@@ -341,3 +347,143 @@ func serveWatch(watcher watch.Interface, watchServer *WatchServer, preServeErr e
 		watchServer.HandleHTTP(w, req)
 	}
 }
+
+type fakeCachingObject struct {
+	obj runtime.Object
+
+	once sync.Once
+	raw  []byte
+	err  error
+}
+
+func (f *fakeCachingObject) CacheEncode(_ runtime.Identifier, encode func(runtime.Object, io.Writer) error, w io.Writer) error {
+	f.once.Do(func() {
+		buffer := bytes.NewBuffer(nil)
+		f.err = encode(f.obj, buffer)
+		f.raw = buffer.Bytes()
+	})
+
+	if f.err != nil {
+		return f.err
+	}
+
+	_, err := w.Write(f.raw)
+	return err
+}
+
+func (f *fakeCachingObject) GetObject() runtime.Object {
+	return f.obj
+}
+
+func (f *fakeCachingObject) GetObjectKind() schema.ObjectKind {
+	return f.obj.GetObjectKind()
+}
+
+func (f *fakeCachingObject) DeepCopyObject() runtime.Object {
+	return &fakeCachingObject{obj: f.obj.DeepCopyObject()}
+}
+
+var _ runtime.CacheableObject = &fakeCachingObject{}
+var _ runtime.Object = &fakeCachingObject{}
+
+func TestWatchEventSizes(t *testing.T) {
+	metrics.Register()
+	gvr := schema.GroupVersionResource{Group: "group", Version: "version", Resource: "resource"}
+	testCases := []struct {
+		name     string
+		event    watch.Event
+		wantSize int64
+	}{
+		{
+			name: "regular object",
+			event: watch.Event{
+				Type:   watch.Added,
+				Object: &endpointstesting.Simple{ObjectMeta: metav1.ObjectMeta{Name: "foo"}},
+			},
+			wantSize: 2 * 98,
+		},
+		{
+			name: "cached object",
+			event: watch.Event{
+				Type: watch.Added,
+				Object: &fakeCachingObject{obj: &runtime.Unknown{
+					Raw:         []byte(`{"kind":"Simple","apiVersion":"v1","metadata":{"name":"foo"}}`),
+					ContentType: runtime.ContentTypeJSON,
+				}},
+			},
+			wantSize: 2 * 88,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := t.Context()
+
+			metrics.WatchEventsSizes.Reset()
+			metrics.WatchEvents.Reset()
+
+			watcher := watch.NewFake()
+			timeoutCh := make(chan time.Time)
+			doneCh := make(chan struct{})
+
+			info, ok := runtime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)
+			require.True(t, ok)
+			require.NotNil(t, info.StreamSerializer)
+			serializer := info.StreamSerializer
+
+			watchServer := &WatchServer{
+				Scope: &RequestScope{
+					Resource: gvr,
+				},
+				Watching:        watcher,
+				MediaType:       "application/json",
+				Framer:          serializer.Framer,
+				Encoder:         testCodecV2,
+				EmbeddedEncoder: testCodecV2,
+				TimeoutFactory:  &fakeTimeoutFactory{timeoutCh: timeoutCh, done: doneCh},
+			}
+
+			s := httptest.NewServer(serveWatch(watcher, watchServer, nil))
+			defer s.Close()
+
+			// Setup a client
+			dest, _ := url.Parse(s.URL)
+			dest.Path = "/" + namedGroupPrefix + "/" + testGroupV2.Group + "/" + testGroupV2.Version + "/simple"
+			dest.RawQuery = "watch=true"
+
+			req, _ := http.NewRequestWithContext(ctx, http.MethodGet, dest.String(), nil)
+			client := http.Client{}
+			resp, err := client.Do(req)
+			require.NoError(t, err)
+			defer apitesting.Close(t, resp.Body)
+
+			// Send object twice so that in case of caching the cached version is used.
+			watcher.Action(tc.event.Type, tc.event.Object)
+			watcher.Action(tc.event.Type, tc.event.Object)
+
+			close(timeoutCh)
+			<-doneCh
+
+			expected := fmt.Sprintf(`# HELP apiserver_watch_events_sizes [ALPHA] Watch event size distribution in bytes
+# TYPE apiserver_watch_events_sizes histogram
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="1024"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="2048"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="4096"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="8192"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="16384"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="32768"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="65536"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="131072"} 2
+apiserver_watch_events_sizes_bucket{group="group",resource="resource",version="version",le="+Inf"} 2
+apiserver_watch_events_sizes_sum{group="group",resource="resource",version="version"} %d
+apiserver_watch_events_sizes_count{group="group",resource="resource",version="version"} 2
+
+# HELP apiserver_watch_events_total [ALPHA] Number of events sent in watch clients
+# TYPE apiserver_watch_events_total counter
+apiserver_watch_events_total{group="group",resource="resource",version="version"} 2
+`, tc.wantSize)
+
+			err = metricstestutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_watch_events_sizes", "apiserver_watch_events_total")
+			require.NoError(t, err)
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/installer.go b/staging/src/k8s.io/apiserver/pkg/endpoints/installer.go
index 2a5900a8341fe..56c392fd057b6 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/installer.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/installer.go
@@ -28,6 +28,8 @@ import (
 	restful "github.com/emicklei/go-restful/v3"
 	"sigs.k8s.io/structured-merge-diff/v6/fieldpath"
 
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/conversion"
@@ -818,7 +820,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.GET(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("read"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("read"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Returns(http.StatusOK, "OK", producedObject).
 				Writes(producedObject)
@@ -839,7 +841,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.GET(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("list"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("list"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), allMediaTypes...)...).
 				Returns(http.StatusOK, "OK", versionedList).
 				Writes(versionedList)
@@ -872,7 +874,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.PUT(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("replace"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("replace"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Returns(http.StatusOK, "OK", producedObject).
 				// TODO: in some cases, the API may return a v1.Status instead of the versioned object
@@ -905,7 +907,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
 				Consumes(supportedTypes...).
-				Operation("patch"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("patch"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Returns(http.StatusOK, "OK", producedObject).
 				// Patch can return 201 when a server side apply is requested
@@ -934,7 +936,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.POST(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("create"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("create"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Returns(http.StatusOK, "OK", producedObject).
 				// TODO: in some cases, the API may return a v1.Status instead of the versioned object
@@ -963,7 +965,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.DELETE(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("delete"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("delete"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Writes(deleteReturnType).
 				Returns(http.StatusOK, "OK", deleteReturnType).
@@ -987,7 +989,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.DELETE(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("deletecollection"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("deletecollection"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).
 				Writes(versionedStatus).
 				Returns(http.StatusOK, "OK", versionedStatus)
@@ -1015,7 +1017,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.GET(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("watch"+namespaced+kind+strings.Title(subresource)+operationSuffix).
+				Operation("watch"+namespaced+kind+cases.Title(language.English).String(subresource)+operationSuffix).
 				Produces(allMediaTypes...).
 				Returns(http.StatusOK, "OK", versionedWatchEvent).
 				Writes(versionedWatchEvent)
@@ -1036,7 +1038,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 			route := ws.GET(action.Path).To(handler).
 				Doc(doc).
 				Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).")).
-				Operation("watch"+namespaced+kind+strings.Title(subresource)+"List"+operationSuffix).
+				Operation("watch"+namespaced+kind+cases.Title(language.English).String(subresource)+"List"+operationSuffix).
 				Produces(allMediaTypes...).
 				Returns(http.StatusOK, "OK", versionedWatchEvent).
 				Writes(versionedWatchEvent)
@@ -1060,7 +1062,7 @@ func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storag
 				route := ws.Method(method).Path(action.Path).
 					To(handler).
 					Doc(doc).
-					Operation("connect" + strings.Title(strings.ToLower(method)) + namespaced + kind + strings.Title(subresource) + operationSuffix).
+					Operation("connect" + cases.Title(language.English).String(strings.ToLower(method)) + namespaced + kind + cases.Title(language.English).String(subresource) + operationSuffix).
 					Produces("*/*").
 					Consumes("*/*").
 					Writes(connectProducedObject)
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go b/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
index 2d7ea57ee6ba5..c0fe2bd411dfe 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
@@ -623,7 +623,7 @@ func MonitorRequest(req *http.Request, verb, group, version, resource, subresour
 	fieldValidation := cleanFieldValidation(req.URL)
 	fieldValidationRequestLatencies.WithContext(req.Context()).WithLabelValues(fieldValidation)
 
-	if wd, ok := request.LatencyTrackersFrom(req.Context()); ok {
+	if wd, ok := request.LatencyTrackersFrom(req.Context()); ok && dryRun == "" {
 		sliLatency := elapsedSeconds - (wd.MutatingWebhookTracker.GetLatency() + wd.ValidatingWebhookTracker.GetLatency() + wd.APFQueueWaitTracker.GetLatency()).Seconds()
 		requestSloLatencies.WithContext(req.Context()).WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(sliLatency)
 		requestSliLatencies.WithContext(req.Context()).WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(sliLatency)
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go b/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go
index 0da1ab05cda4e..75fbc6abc9137 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go
@@ -19,7 +19,6 @@ package openapi
 import (
 	"bytes"
 	"fmt"
-	"reflect"
 	"sort"
 	"strings"
 	"unicode"
@@ -29,6 +28,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
 	"k8s.io/kube-openapi/pkg/util"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 )
@@ -133,31 +133,28 @@ func gvkConvert(gvk schema.GroupVersionKind) v1.GroupVersionKind {
 	}
 }
 
-func typeName(t reflect.Type) string {
-	path := t.PkgPath()
-	if strings.Contains(path, "/vendor/") {
-		path = path[strings.Index(path, "/vendor/")+len("/vendor/"):]
-	}
-	return fmt.Sprintf("%s.%s", path, t.Name())
-}
-
 // NewDefinitionNamer constructs a new DefinitionNamer to be used to customize OpenAPI spec.
 func NewDefinitionNamer(schemes ...*runtime.Scheme) *DefinitionNamer {
 	ret := &DefinitionNamer{
 		typeGroupVersionKinds: map[string]groupVersionKinds{},
 	}
 	for _, s := range schemes {
-		for gvk, rtype := range s.AllKnownTypes() {
+		for gvk := range s.AllKnownTypes() {
 			newGVK := gvkConvert(gvk)
 			exists := false
-			for _, existingGVK := range ret.typeGroupVersionKinds[typeName(rtype)] {
+			name, err := s.ToOpenAPIDefinitionName(gvk)
+			if err != nil {
+				klog.Fatalf("failed to get OpenAPI definition name for %v: %v", gvk, err)
+				continue
+			}
+			for _, existingGVK := range ret.typeGroupVersionKinds[name] {
 				if newGVK == existingGVK {
 					exists = true
 					break
 				}
 			}
 			if !exists {
-				ret.typeGroupVersionKinds[typeName(rtype)] = append(ret.typeGroupVersionKinds[typeName(rtype)], newGVK)
+				ret.typeGroupVersionKinds[name] = append(ret.typeGroupVersionKinds[name], newGVK)
 			}
 		}
 	}
@@ -170,9 +167,9 @@ func NewDefinitionNamer(schemes ...*runtime.Scheme) *DefinitionNamer {
 // GetDefinitionName returns the name and tags for a given definition
 func (d *DefinitionNamer) GetDefinitionName(name string) (string, spec.Extensions) {
 	if groupVersionKinds, ok := d.typeGroupVersionKinds[name]; ok {
-		return util.ToRESTFriendlyName(name), spec.Extensions{
+		return name, spec.Extensions{
 			extensionGVK: groupVersionKinds.JSON(),
 		}
 	}
-	return util.ToRESTFriendlyName(name), nil
+	return name, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi_test.go
index 6e6c4387cbe9e..ca9a6a4c2cd73 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/openapi/openapi_test.go
@@ -42,12 +42,11 @@ func TestGetDefinitionName(t *testing.T) {
 	// in production, the name is stripped of ".*vendor/" prefix before passed
 	// to GetDefinitionName, so here typePkgName does not have the
 	// "k8s.io/kubernetes/vendor" prefix.
-	typePkgName := "k8s.io/apiserver/pkg/endpoints/openapi/testing.TestType"
 	typeFriendlyName := "io.k8s.apiserver.pkg.endpoints.openapi.testing.TestType"
 	s := runtime.NewScheme()
 	s.AddKnownTypeWithName(testType.GroupVersionKind(), &testType)
 	namer := NewDefinitionNamer(s)
-	n, e := namer.GetDefinitionName(typePkgName)
+	n, e := namer.GetDefinitionName(typeFriendlyName)
 	assertEqual(t, typeFriendlyName, n)
 	assertEqual(t, []interface{}{
 		map[string]interface{}{
@@ -56,7 +55,7 @@ func TestGetDefinitionName(t *testing.T) {
 			"kind":    "TestType",
 		},
 	}, e["x-kubernetes-group-version-kind"])
-	n, e2 := namer.GetDefinitionName("test.com/another.Type")
+	n, e2 := namer.GetDefinitionName("com.test.another.Type")
 	assertEqual(t, "com.test.another.Type", n)
 	assertEqual(t, e2, spec.Extensions(nil))
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
index e04f1d4681948..3c9a799a58706 100644
--- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
@@ -109,12 +109,40 @@ const (
 	// Allow the API server to serve consistent lists from cache
 	ConsistentListFromCache featuregate.Feature = "ConsistentListFromCache"
 
+	// owner: @enj @qiujian16
+	// kep: https://kep.k8s.io/5284
+	//
+	// Enables impersonation that is constrained to specific requests instead of being all or nothing.
+	ConstrainedImpersonation featuregate.Feature = "ConstrainedImpersonation"
+
 	// owner: @jefftree
 	// kep: https://kep.k8s.io/4355
 	//
 	// Enables coordinated leader election in the API server
 	CoordinatedLeaderElection featuregate.Feature = "CoordinatedLeaderElection"
 
+	// owner: @jpbetz @aaron-prindle @yongruilin
+	// kep: http://kep.k8s.io/5073
+	// beta: v1.33
+	//
+	// Enables running declarative validation of APIs, where declared. When enabled, APIs with
+	// declarative validation rules will validate objects using the generated
+	// declarative validation code and compare the results to the regular imperative validation.
+	// See DeclarativeValidationTakeover for more.
+	DeclarativeValidation featuregate.Feature = "DeclarativeValidation"
+
+	// owner: @jpbetz @aaron-prindle @yongruilin
+	// kep: http://kep.k8s.io/5073
+	// beta: v1.33
+	//
+	// When enabled, declarative validation errors are returned directly to the caller,
+	// replacing hand-written validation errors for rules that have declarative implementations.
+	// When disabled, hand-written validation errors are always returned, effectively putting
+	// declarative validation in a "shadow mode" that monitors but does not affect API responses.
+	// Note: Although declarative validation aims for functional equivalence with hand-written validation,
+	// the exact number, format, and content of error messages may differ between the two approaches.
+	DeclarativeValidationTakeover featuregate.Feature = "DeclarativeValidationTakeover"
+
 	// owner: @serathius
 	// kep: https://kep.k8s.io/4988
 	//
@@ -195,22 +223,6 @@ const (
 	// Allow API server Protobuf encoder to encode collections item by item, instead of all at once.
 	StreamingCollectionEncodingToProtobuf featuregate.Feature = "StreamingCollectionEncodingToProtobuf"
 
-	// owner: @cici37
-	//
-	// StrictCostEnforcementForVAP is used to apply strict CEL cost validation for ValidatingAdmissionPolicy.
-	// It will be set to off by default for certain time of period to prevent the impact on the existing users.
-	// It is strongly recommended to enable this feature gate as early as possible.
-	// The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library.
-	StrictCostEnforcementForVAP featuregate.Feature = "StrictCostEnforcementForVAP"
-
-	// owner: @cici37
-	//
-	// StrictCostEnforcementForWebhooks is used to apply strict CEL cost validation for matchConditions in Webhooks.
-	// It will be set to off by default for certain time of period to prevent the impact on the existing users.
-	// It is strongly recommended to enable this feature gate as early as possible.
-	// The strict cost is specific for the extended libraries whose cost defined under k8s/apiserver/pkg/cel/library.
-	StrictCostEnforcementForWebhooks featuregate.Feature = "StrictCostEnforcementForWebhooks"
-
 	// owner: @aramase, @enj, @nabokihms
 	// kep: https://kep.k8s.io/3331
 	//
@@ -223,6 +235,12 @@ const (
 	// Enables Egress Selector in Structured Authentication Configuration
 	StructuredAuthenticationConfigurationEgressSelector featuregate.Feature = "StructuredAuthenticationConfigurationEgressSelector"
 
+	// owner: @aramase, @enj, @nabokihms
+	// kep: https://kep.k8s.io/3331
+	//
+	// Enables JWKs metrics for Structured Authentication Configuration
+	StructuredAuthenticationConfigurationJWKSMetrics featuregate.Feature = "StructuredAuthenticationConfigurationJWKSMetrics"
+
 	// owner: @palnabarun
 	// kep: https://kep.k8s.io/3221
 	//
@@ -256,6 +274,11 @@ const (
 	// clients.
 	UnauthenticatedHTTP2DOSMitigation featuregate.Feature = "UnauthenticatedHTTP2DOSMitigation"
 
+	// owner: @richabanker
+	//
+	// Proxies client to an apiserver capable of serving the request in the event of version skew.
+	UnknownVersionInteroperabilityProxy featuregate.Feature = "UnknownVersionInteroperabilityProxy"
+
 	// owner: @wojtek-t
 	//
 	// Enables post-start-hook for storage readiness
@@ -307,6 +330,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	AggregatedDiscoveryRemoveBetaType: {
 		{Version: version.MustParse("1.0"), Default: false, PreRelease: featuregate.GA},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Deprecated},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Deprecated, LockToDefault: true},
 	},
 
 	AllowParsingUserUIDFromCertAuth: {
@@ -348,11 +372,23 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
+	ConstrainedImpersonation: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	CoordinatedLeaderElection: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
 	},
 
+	DeclarativeValidation: {
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
+	},
+
+	DeclarativeValidationTakeover: {
+		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta},
+	},
+
 	DetectCacheInconsistency: {
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
@@ -422,16 +458,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
-	StrictCostEnforcementForVAP: {
-		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
-	StrictCostEnforcementForWebhooks: {
-		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
 	StructuredAuthenticationConfiguration: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
@@ -442,6 +468,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	StructuredAuthenticationConfigurationJWKSMetrics: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	StructuredAuthorizationConfiguration: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
@@ -457,6 +487,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.29"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	UnknownVersionInteroperabilityProxy: {
+		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
+	},
+
 	WatchCacheInitializationPostStartHook: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
 	},
diff --git a/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease.go b/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease.go
index 5d2e73b5467c0..450a6e5ec4241 100644
--- a/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease.go
+++ b/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease.go
@@ -78,9 +78,9 @@ type peerEndpointLeaseReconciler struct {
 
 // NewPeerEndpointLeaseReconciler creates a new peer endpoint lease reconciler
 func NewPeerEndpointLeaseReconciler(config *storagebackend.ConfigForResource, baseKey string, leaseTime time.Duration) (PeerEndpointLeaseReconciler, error) {
-	// note that newFunc, newListFunc and resourcePrefix
+	// note that newFunc, newListFunc
 	// can be left blank unless the storage.Watch method is used
-	leaseStorage, destroyFn, err := storagefactory.Create(*config, nil, nil, "")
+	leaseStorage, destroyFn, err := storagefactory.Create(*config, nil, nil, baseKey)
 	if err != nil {
 		return nil, fmt.Errorf("error creating storage factory: %v", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease_test.go b/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease_test.go
index 242cadb603641..c4ac0bad30e89 100644
--- a/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/reconcilers/peer_endpoint_lease_test.go
@@ -59,14 +59,11 @@ type serverInfo struct {
 	expectEndpoint string
 }
 
-func NewFakePeerEndpointReconciler(t *testing.T, s storage.Interface) peerEndpointLeaseReconciler {
-	// use the same base key used by the controlplane, but add a random
-	// prefix so we can reuse the etcd instance for subtests independently.
-	base := "/" + uuid.New().String() + "/peerserverleases/"
+func NewFakePeerEndpointReconciler(t *testing.T, baseKey string, s storage.Interface) peerEndpointLeaseReconciler {
 	return peerEndpointLeaseReconciler{serverLeases: &peerEndpointLeases{
 		storage:   s,
 		destroyFn: func() {},
-		baseKey:   base,
+		baseKey:   baseKey,
 		leaseTime: 1 * time.Minute, // avoid the lease to timeout on tests
 	}}
 }
@@ -82,8 +79,10 @@ func (f *peerEndpointLeaseReconciler) SetKeys(servers []serverInfo) error {
 
 func TestPeerEndpointLeaseReconciler(t *testing.T) {
 	// enable feature flags
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionAPI, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.APIServerIdentity: true,
+		features.StorageVersionAPI: true,
+	})
 
 	server, sc := etcd3testing.NewUnsecuredEtcd3TestClientServer(t)
 	t.Cleanup(func() { server.Terminate(t) })
@@ -92,12 +91,6 @@ func TestPeerEndpointLeaseReconciler(t *testing.T) {
 	newListFunc := func() runtime.Object { return &corev1.EndpointsList{} }
 	sc.Codec = apitesting.TestStorageCodec(codecs, corev1.SchemeGroupVersion)
 
-	s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, "")
-	if err != nil {
-		t.Fatalf("Error creating storage: %v", err)
-	}
-	t.Cleanup(dFunc)
-
 	tests := []struct {
 		testName     string
 		servers      []serverInfo
@@ -148,8 +141,17 @@ func TestPeerEndpointLeaseReconciler(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeReconciler := NewFakePeerEndpointReconciler(t, s)
-			err := fakeReconciler.SetKeys(test.servers)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			baseKey := "/" + uuid.New().String() + "/peerserverleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "endpoints"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+
+			fakeReconciler := NewFakePeerEndpointReconciler(t, baseKey, s)
+			err = fakeReconciler.SetKeys(test.servers)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
@@ -189,8 +191,10 @@ func TestPeerEndpointLeaseReconciler(t *testing.T) {
 
 func TestPeerLeaseRemoveEndpoints(t *testing.T) {
 	// enable feature flags
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionAPI, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.APIServerIdentity: true,
+		features.StorageVersionAPI: true,
+	})
 
 	server, sc := etcd3testing.NewUnsecuredEtcd3TestClientServer(t)
 	t.Cleanup(func() { server.Terminate(t) })
@@ -199,12 +203,6 @@ func TestPeerLeaseRemoveEndpoints(t *testing.T) {
 	newListFunc := func() runtime.Object { return &corev1.EndpointsList{} }
 	sc.Codec = apitesting.TestStorageCodec(codecs, corev1.SchemeGroupVersion)
 
-	s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), newFunc, newListFunc, "")
-	if err != nil {
-		t.Fatalf("Error creating storage: %v", err)
-	}
-	t.Cleanup(dFunc)
-
 	stopTests := []struct {
 		testName         string
 		servers          []serverInfo
@@ -247,8 +245,17 @@ func TestPeerLeaseRemoveEndpoints(t *testing.T) {
 	}
 	for _, test := range stopTests {
 		t.Run(test.testName, func(t *testing.T) {
-			fakeReconciler := NewFakePeerEndpointReconciler(t, s)
-			err := fakeReconciler.SetKeys(test.servers)
+			// use the same base key used by the controlplane, but add a random
+			// prefix so we can reuse the etcd instance for subtests independently.
+			baseKey := "/" + uuid.New().String() + "/peerserverleases/"
+			s, dFunc, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), newFunc, newListFunc, baseKey)
+			if err != nil {
+				t.Fatalf("Error creating storage: %v", err)
+			}
+			t.Cleanup(dFunc)
+
+			fakeReconciler := NewFakePeerEndpointReconciler(t, baseKey, s)
+			err = fakeReconciler.SetKeys(test.servers)
 			if err != nil {
 				t.Errorf("unexpected error creating keys: %v", err)
 			}
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/dryrun_test.go b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/dryrun_test.go
index ba0dcaaf10cd7..7692add2fca64 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/dryrun_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/dryrun_test.go
@@ -39,7 +39,7 @@ import (
 func NewDryRunnableTestStorage(t *testing.T) (DryRunnableStorage, func()) {
 	server, sc := etcd3testing.NewUnsecuredEtcd3TestClientServer(t)
 	sc.Codec = apitesting.TestStorageCodec(codecs, examplev1.SchemeGroupVersion)
-	s, destroy, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), nil, nil, "")
+	s, destroy, err := factory.Create(*sc.ForResource(schema.GroupResource{Resource: "pods"}), nil, nil, "/pods")
 	if err != nil {
 		t.Fatalf("Error creating storage: %v", err)
 	}
@@ -65,12 +65,12 @@ func TestDryRunCreateDoesntCreate(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, true)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, true)
 	if err != nil {
 		t.Fatalf("Failed to create new dry-run object: %v", err)
 	}
 
-	err = s.Get(context.Background(), "key", storage.GetOptions{}, out)
+	err = s.Get(context.Background(), "/pods/key", storage.GetOptions{}, out)
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeKeyNotFound {
 		t.Errorf("Expected key to be not found, error: %v", err)
 	}
@@ -83,7 +83,7 @@ func TestDryRunCreateReturnsObject(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, true)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, true)
 	if err != nil {
 		t.Fatalf("Failed to create new dry-run object: %v", err)
 	}
@@ -100,12 +100,12 @@ func TestDryRunCreateExistingObjectFails(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
 
-	err = s.Create(context.Background(), "key", obj, out, 0, true)
+	err = s.Create(context.Background(), "/pods/key", obj, out, 0, true)
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeKeyExists {
 		t.Errorf("Expected KeyExists error: %v", err)
 	}
@@ -122,7 +122,7 @@ func TestDryRunUpdateMissingObjectFails(t *testing.T) {
 		return input, nil, errors.New("UpdateFunction shouldn't be called")
 	}
 
-	err := s.GuaranteedUpdate(context.Background(), "key", obj, false, nil, updateFunc, true, nil)
+	err := s.GuaranteedUpdate(context.Background(), "/pods/key", obj, false, nil, updateFunc, true, nil)
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeKeyNotFound {
 		t.Errorf("Expected key to be not found, error: %v", err)
 	}
@@ -134,7 +134,7 @@ func TestDryRunUpdatePreconditions(t *testing.T) {
 
 	obj := UnstructuredOrDie(`{"kind": "Pod", "metadata": {"uid": "my-uid"}}`)
 	out := UnstructuredOrDie(`{}`)
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
@@ -149,12 +149,12 @@ func TestDryRunUpdatePreconditions(t *testing.T) {
 	}
 	wrongID := types.UID("wrong-uid")
 	myID := types.UID("my-uid")
-	err = s.GuaranteedUpdate(context.Background(), "key", obj, false, &storage.Preconditions{UID: &wrongID}, updateFunc, true, nil)
+	err = s.GuaranteedUpdate(context.Background(), "/pods/key", obj, false, &storage.Preconditions{UID: &wrongID}, updateFunc, true, nil)
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeInvalidObj {
 		t.Errorf("Expected invalid object, error: %v", err)
 	}
 
-	err = s.GuaranteedUpdate(context.Background(), "key", obj, false, &storage.Preconditions{UID: &myID}, updateFunc, true, nil)
+	err = s.GuaranteedUpdate(context.Background(), "/pods/key", obj, false, &storage.Preconditions{UID: &myID}, updateFunc, true, nil)
 	if err != nil {
 		t.Fatalf("Failed to update with valid precondition: %v", err)
 	}
@@ -167,7 +167,7 @@ func TestDryRunUpdateDoesntUpdate(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	created := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, created, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, created, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
@@ -181,12 +181,12 @@ func TestDryRunUpdateDoesntUpdate(t *testing.T) {
 		return u, nil, nil
 	}
 
-	err = s.GuaranteedUpdate(context.Background(), "key", obj, false, nil, updateFunc, true, nil)
+	err = s.GuaranteedUpdate(context.Background(), "/pods/key", obj, false, nil, updateFunc, true, nil)
 	if err != nil {
 		t.Fatalf("Failed to dry-run update: %v", err)
 	}
 	out := UnstructuredOrDie(`{}`)
-	err = s.Get(context.Background(), "key", storage.GetOptions{}, out)
+	err = s.Get(context.Background(), "/pods/key", storage.GetOptions{}, out)
 	if err != nil {
 		t.Fatalf("Failed to get storage: %v", err)
 	}
@@ -202,7 +202,7 @@ func TestDryRunUpdateReturnsObject(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
@@ -216,7 +216,7 @@ func TestDryRunUpdateReturnsObject(t *testing.T) {
 		return u, nil, nil
 	}
 
-	err = s.GuaranteedUpdate(context.Background(), "key", obj, false, nil, updateFunc, true, nil)
+	err = s.GuaranteedUpdate(context.Background(), "/pods/key", obj, false, nil, updateFunc, true, nil)
 	if err != nil {
 		t.Fatalf("Failed to dry-run update: %v", err)
 	}
@@ -233,17 +233,17 @@ func TestDryRunDeleteDoesntDelete(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
 
-	err = s.Delete(context.Background(), "key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
+	err = s.Delete(context.Background(), "/pods/key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
 	if err != nil {
 		t.Fatalf("Failed to dry-run delete the object: %v", err)
 	}
 
-	err = s.Get(context.Background(), "key", storage.GetOptions{}, out)
+	err = s.Get(context.Background(), "/pods/key", storage.GetOptions{}, out)
 	if err != nil {
 		t.Fatalf("Failed to retrieve dry-run deleted object: %v", err)
 	}
@@ -254,7 +254,7 @@ func TestDryRunDeleteMissingObjectFails(t *testing.T) {
 	defer destroy()
 
 	out := UnstructuredOrDie(`{}`)
-	err := s.Delete(context.Background(), "key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
+	err := s.Delete(context.Background(), "/pods/key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeKeyNotFound {
 		t.Errorf("Expected key to be not found, error: %v", err)
 	}
@@ -267,14 +267,14 @@ func TestDryRunDeleteReturnsObject(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod"}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
 
 	out = UnstructuredOrDie(`{}`)
 	expected := UnstructuredOrDie(`{"kind": "Pod", "metadata": {"resourceVersion": "2"}}`)
-	err = s.Delete(context.Background(), "key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
+	err = s.Delete(context.Background(), "/pods/key", out, nil, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
 	if err != nil {
 		t.Fatalf("Failed to delete with valid precondition: %v", err)
 	}
@@ -290,19 +290,19 @@ func TestDryRunDeletePreconditions(t *testing.T) {
 	obj := UnstructuredOrDie(`{"kind": "Pod", "metadata": {"uid": "my-uid"}}`)
 	out := UnstructuredOrDie(`{}`)
 
-	err := s.Create(context.Background(), "key", obj, out, 0, false)
+	err := s.Create(context.Background(), "/pods/key", obj, out, 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create new object: %v", err)
 	}
 
 	wrongID := types.UID("wrong-uid")
 	myID := types.UID("my-uid")
-	err = s.Delete(context.Background(), "key", out, &storage.Preconditions{UID: &wrongID}, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
+	err = s.Delete(context.Background(), "/pods/key", out, &storage.Preconditions{UID: &wrongID}, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
 	if e, ok := err.(*storage.StorageError); !ok || e.Code != storage.ErrCodeInvalidObj {
 		t.Errorf("Expected invalid object, error: %v", err)
 	}
 
-	err = s.Delete(context.Background(), "key", out, &storage.Preconditions{UID: &myID}, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
+	err = s.Delete(context.Background(), "/pods/key", out, &storage.Preconditions{UID: &myID}, rest.ValidateAllObjectFunc, true, nil, storage.DeleteOptions{})
 	if err != nil {
 		t.Fatalf("Failed to delete with valid precondition: %v", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go
index cc50afede2aba..bb90542a4f360 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store_test.go
@@ -2427,7 +2427,7 @@ func TestStoreWatch(t *testing.T) {
 }
 
 func newTestGenericStoreRegistry(t *testing.T, scheme *runtime.Scheme, hasCacheEnabled bool) (factory.DestroyFunc, *Store) {
-	podPrefix := "/pods"
+	podPrefix := "/pods/"
 	server, sc := etcd3testing.NewUnsecuredEtcd3TestClientServer(t)
 	strategy := &testRESTStrategy{scheme, names.SimpleNameGenerator, true, false, true}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/rest/meta.go b/staging/src/k8s.io/apiserver/pkg/registry/rest/meta.go
index fc4fc81e13845..47f7f83b7b436 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/rest/meta.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/rest/meta.go
@@ -24,7 +24,7 @@ import (
 )
 
 // metav1Now returns metav1.Now(), but allows override for unit testing
-var metav1Now = func() metav1.Time { return metav1.Now() }
+var metav1Now = metav1.Now
 
 // WipeObjectMetaSystemFields erases fields that are managed by the system on ObjectMeta.
 func WipeObjectMetaSystemFields(meta metav1.Object) {
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/rest/update.go b/staging/src/k8s.io/apiserver/pkg/registry/rest/update.go
index dc63caf0b5cbc..00f42cfe7c7a2 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/rest/update.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/rest/update.go
@@ -153,6 +153,7 @@ func BeforeUpdate(strategy RESTUpdateStrategy, ctx context.Context, obj, old run
 
 	errs = append(errs, strategy.ValidateUpdate(ctx, obj, old)...)
 	if len(errs) > 0 {
+		RecordDuplicateValidationErrors(ctx, kind.GroupKind(), errs)
 		return errors.NewInvalid(kind.GroupKind(), objectMeta.GetName(), errs)
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/rest/validate.go b/staging/src/k8s.io/apiserver/pkg/registry/rest/validate.go
index 2235a47601192..65ffdd4f16df6 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/rest/validate.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/rest/validate.go
@@ -18,15 +18,18 @@ package rest
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/api/operation"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	validationmetrics "k8s.io/apiserver/pkg/validation"
 	"k8s.io/klog/v2"
 )
@@ -43,13 +46,6 @@ func WithOptions(options []string) ValidationConfig {
 	}
 }
 
-// WithTakeover sets the takeover flag for validation.
-func WithTakeover(takeover bool) ValidationConfig {
-	return func(config *validationConfigOption) {
-		config.takeover = takeover
-	}
-}
-
 // WithSubresourceMapper sets the subresource mapper for validation.
 // This should be used when registering validation for polymorphic subresources like /scale.
 //
@@ -73,35 +69,23 @@ func WithSubresourceMapper(subresourceMapper GroupVersionKindProvider) Validatio
 	}
 }
 
+// WithNormalizationRules sets the normalization rules for validation.
+func WithNormalizationRules(rules []field.NormalizationRule) ValidationConfig {
+	return func(config *validationConfigOption) {
+		config.normalizationRules = rules
+	}
+}
+
 type validationConfigOption struct {
 	opType               operation.Type
 	options              []string
 	takeover             bool
 	subresourceGVKMapper GroupVersionKindProvider
+	validationIdentifier string
+	normalizationRules   []field.NormalizationRule
 }
 
-// ValidateDeclaratively validates obj against declarative validation tags
-// defined in its Go type. It uses the API version extracted from ctx and the
-// provided scheme for validation.
-//
-// The ctx MUST contain requestInfo, which determines the target API for
-// validation. The obj is converted to the API version using the provided scheme
-// before validation occurs. The scheme MUST have the declarative validation
-// registered for the requested resource/subresource.
-//
-// Returns a field.ErrorList containing any validation errors. An internal error
-// is included if requestInfo is missing from the context or if version
-// conversion fails.
-func ValidateDeclaratively(ctx context.Context, scheme *runtime.Scheme, obj runtime.Object, configOpts ...ValidationConfig) field.ErrorList {
-	cfg := &validationConfigOption{opType: operation.Create}
-	for _, o := range configOpts {
-		o(cfg)
-	}
-
-	return panicSafeValidateFunc(validateDeclaratively, cfg.takeover)(ctx, scheme, obj, nil, cfg)
-}
-
-// ValidateUpdateDeclaratively validates obj and oldObj against declarative
+// validateDeclaratively validates obj and oldObj against declarative
 // validation tags defined in its Go type. It uses the API version extracted from
 // ctx and the provided scheme for validation.
 //
@@ -113,14 +97,6 @@ func ValidateDeclaratively(ctx context.Context, scheme *runtime.Scheme, obj runt
 // Returns a field.ErrorList containing any validation errors. An internal error
 // is included if requestInfo is missing from the context or if version
 // conversion fails.
-func ValidateUpdateDeclaratively(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, configOpts ...ValidationConfig) field.ErrorList {
-	cfg := &validationConfigOption{opType: operation.Update}
-	for _, o := range configOpts {
-		o(cfg)
-	}
-	return panicSafeValidateFunc(validateDeclaratively, cfg.takeover)(ctx, scheme, obj, oldObj, cfg)
-}
-
 func validateDeclaratively(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, o *validationConfigOption) field.ErrorList {
 	// Find versionedGroupVersion, which identifies the API version to use for declarative validation.
 	versionedGroupVersion, subresources, err := requestInfo(ctx, o.subresourceGVKMapper)
@@ -177,23 +153,23 @@ func parseSubresourcePath(subresourcePath string) ([]string, error) {
 	return parts, nil
 }
 
-// CompareDeclarativeErrorsAndEmitMismatches checks for mismatches between imperative and declarative validation
+// compareDeclarativeErrorsAndEmitMismatches checks for mismatches between imperative and declarative validation
 // and logs + emits metrics when inconsistencies are found
-func CompareDeclarativeErrorsAndEmitMismatches(ctx context.Context, imperativeErrs, declarativeErrs field.ErrorList, takeover bool) {
+func compareDeclarativeErrorsAndEmitMismatches(ctx context.Context, imperativeErrs, declarativeErrs field.ErrorList, takeover bool, validationIdentifier string, normalizationRules []field.NormalizationRule) {
 	logger := klog.FromContext(ctx)
-	mismatchDetails := gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs, takeover)
+	mismatchDetails := gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs, takeover, normalizationRules)
 	for _, detail := range mismatchDetails {
 		// Log information about the mismatch using contextual logger
 		logger.Error(nil, detail)
 
 		// Increment the metric for the mismatch
-		validationmetrics.Metrics.IncDeclarativeValidationMismatchMetric()
+		validationmetrics.Metrics.IncDeclarativeValidationMismatchMetric(validationIdentifier)
 	}
 }
 
 // gatherDeclarativeValidationMismatches compares imperative and declarative validation errors
 // and returns detailed information about any mismatches found. Errors are compared via type, field, and origin
-func gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs field.ErrorList, takeover bool) []string {
+func gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs field.ErrorList, takeover bool, normalizationRules []field.NormalizationRule) []string {
 	var mismatchDetails []string
 	// short circuit here to minimize allocs for usual case of 0 validation errors
 	if len(imperativeErrs) == 0 && len(declarativeErrs) == 0 {
@@ -204,7 +180,7 @@ func gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs field
 	if takeover {
 		recommendation = "Consider disabling the DeclarativeValidationTakeover feature gate to keep data persisted in etcd consistent with prior versions of Kubernetes."
 	}
-	fuzzyMatcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin().RequireOriginWhenInvalid()
+	fuzzyMatcher := field.ErrorMatcher{}.ByType().ByOrigin().RequireOriginWhenInvalid().ByFieldNormalized(normalizationRules)
 	exactMatcher := field.ErrorMatcher{}.Exactly()
 
 	// Dedupe imperative errors of exact error matches as they are
@@ -287,12 +263,12 @@ func gatherDeclarativeValidationMismatches(imperativeErrs, declarativeErrs field
 
 // createDeclarativeValidationPanicHandler returns a function with panic recovery logic
 // that will increment the panic metric and either log or append errors based on the takeover parameter.
-func createDeclarativeValidationPanicHandler(ctx context.Context, errs *field.ErrorList, takeover bool) func() {
+func createDeclarativeValidationPanicHandler(ctx context.Context, errs *field.ErrorList, takeover bool, validationIdentifier string) func() {
 	logger := klog.FromContext(ctx)
 	return func() {
 		if r := recover(); r != nil {
 			// Increment the panic metric counter
-			validationmetrics.Metrics.IncDeclarativeValidationPanicMetric()
+			validationmetrics.Metrics.IncDeclarativeValidationPanicMetric(validationIdentifier)
 
 			const errorFmt = "panic during declarative validation: %v"
 			if takeover {
@@ -312,11 +288,102 @@ func createDeclarativeValidationPanicHandler(ctx context.Context, errs *field.Er
 // if takeover=false, and adding a validation error if takeover=true.
 func panicSafeValidateFunc(
 	validateUpdateFunc func(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, o *validationConfigOption) field.ErrorList,
-	takeover bool,
+	takeover bool, validationIdentifier string,
 ) func(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, o *validationConfigOption) field.ErrorList {
 	return func(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, o *validationConfigOption) (errs field.ErrorList) {
-		defer createDeclarativeValidationPanicHandler(ctx, &errs, takeover)()
+		defer createDeclarativeValidationPanicHandler(ctx, &errs, takeover, validationIdentifier)()
 
 		return validateUpdateFunc(ctx, scheme, obj, oldObj, o)
 	}
 }
+
+func metricIdentifier(ctx context.Context, scheme *runtime.Scheme, obj runtime.Object, opType operation.Type) (string, error) {
+	var errs error
+	var identifier string
+
+	identifier = "unknown_resource"
+	// Use kind for identifier.
+	if obj != nil && scheme != nil {
+		gvks, _, err := scheme.ObjectKinds(obj)
+		if err != nil {
+			errs = errors.Join(errs, err)
+		}
+		if len(gvks) > 0 {
+			identifier = strings.ToLower(gvks[0].Kind)
+		}
+	}
+
+	// Use requestInfo for subresource.
+	requestInfo, found := genericapirequest.RequestInfoFrom(ctx)
+	if !found {
+		errs = errors.Join(errs, fmt.Errorf("could not find requestInfo in context"))
+	} else if len(requestInfo.Subresource) > 0 {
+		// subresource can be a path, so replace '/' with '_'
+		identifier += "_" + strings.ReplaceAll(requestInfo.Subresource, "/", "_")
+	}
+
+	switch opType {
+	case operation.Create:
+		identifier += "_create"
+	case operation.Update:
+		identifier += "_update"
+	default:
+		errs = errors.Join(errs, fmt.Errorf("unknown operation type: %v", opType))
+		identifier += "_unknown_op"
+	}
+	return identifier, errs
+}
+
+// ValidateDeclarativelyWithMigrationChecks is a helper function that encapsulates the logic for running declarative validation.
+// It checks if the DeclarativeValidation feature gate is enabled, generates a validation identifier,
+// runs declarative validation, compares the results with imperative validation, and merges the errors if takeover is enabled.
+func ValidateDeclarativelyWithMigrationChecks(ctx context.Context, scheme *runtime.Scheme, obj, oldObj runtime.Object, errs field.ErrorList, opType operation.Type, configOpts ...ValidationConfig) field.ErrorList {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidation) {
+		return errs
+	}
+
+	takeover := utilfeature.DefaultFeatureGate.Enabled(features.DeclarativeValidationTakeover)
+
+	validationIdentifier, err := metricIdentifier(ctx, scheme, obj, opType)
+	if err != nil {
+		// Log the error, but continue with the best-effort identifier.
+		klog.FromContext(ctx).Error(err, "failed to generate complete validation identifier for declarative validation")
+	}
+
+	// Directly create the config and call the core validation logic.
+	cfg := &validationConfigOption{
+		opType:               opType,
+		takeover:             takeover,
+		validationIdentifier: validationIdentifier,
+	}
+	for _, opt := range configOpts {
+		opt(cfg)
+	}
+
+	// Call the panic-safe wrapper with the real validation function.
+	declarativeErrs := panicSafeValidateFunc(validateDeclaratively, cfg.takeover, cfg.validationIdentifier)(ctx, scheme, obj, oldObj, cfg)
+
+	compareDeclarativeErrorsAndEmitMismatches(ctx, errs, declarativeErrs, takeover, validationIdentifier, cfg.normalizationRules)
+	if takeover {
+		errs = append(errs.RemoveCoveredByDeclarative(), declarativeErrs...)
+	}
+
+	return errs
+}
+
+// RecordDuplicateValidationErrors increments a metric and log the error when duplicate validation errors are found.
+func RecordDuplicateValidationErrors(ctx context.Context, qualifiedKind schema.GroupKind, errs field.ErrorList) {
+	logger := klog.FromContext(ctx)
+	seenErrs := make([]string, 0, len(errs))
+
+	for _, err := range errs {
+		errStr := fmt.Sprintf("%v", err)
+
+		if slices.Contains(seenErrs, errStr) {
+			logger.Info("Found duplicate validation error", "kind", qualifiedKind.String(), "error", errStr)
+			validationmetrics.Metrics.IncDuplicateValidationErrorMetric()
+		} else {
+			seenErrs = append(seenErrs, errStr)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/registry/rest/validate_test.go b/staging/src/k8s.io/apiserver/pkg/registry/rest/validate_test.go
index 194471929638e..b1218e0191879 100644
--- a/staging/src/k8s.io/apiserver/pkg/registry/rest/validate_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/rest/validate_test.go
@@ -34,6 +34,9 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/validation"
+	"k8s.io/component-base/metrics/legacyregistry"
+	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 )
 
@@ -122,7 +125,7 @@ func TestValidateDeclaratively(t *testing.T) {
 	scheme.AddKnownTypes(internalGV, &Pod{})
 	scheme.AddKnownTypes(v1GV, &v1.Pod{})
 
-	scheme.AddValidationFunc(&v1.Pod{}, func(ctx context.Context, op operation.Operation, object, oldObject interface{}) field.ErrorList {
+	scheme.AddValidationFunc(&v1.Pod{}, func(ctx context.Context, op operation.Operation, object, oldObject any) field.ErrorList {
 		results := field.ErrorList{}
 		if op.HasOption("option1") {
 			results = append(results, invalidIfOptionErr)
@@ -159,12 +162,16 @@ func TestValidateDeclaratively(t *testing.T) {
 			Subresource: tc.subresource,
 		})
 		t.Run(tc.name, func(t *testing.T) {
-			var results field.ErrorList
+
+			cfg := &validationConfigOption{
+				options: tc.options,
+			}
 			if tc.oldObject == nil {
-				results = ValidateDeclaratively(ctx, scheme, tc.object, WithOptions(tc.options))
+				cfg.opType = operation.Create
 			} else {
-				results = ValidateUpdateDeclaratively(ctx, scheme, tc.object, tc.oldObject, WithOptions(tc.options))
+				cfg.opType = operation.Update
 			}
+			results := panicSafeValidateFunc(validateDeclaratively, cfg.takeover, cfg.validationIdentifier)(ctx, scheme, tc.object, tc.oldObject, cfg)
 			matcher := field.ErrorMatcher{}.ByType().ByField().ByOrigin()
 			matcher.Test(t, tc.expected, results)
 		})
@@ -206,6 +213,7 @@ func TestGatherDeclarativeValidationMismatches(t *testing.T) {
 	errB := field.Invalid(minReadySecondsPath, -1, "covered error B").WithOrigin("minimum")
 	coveredErrB := field.Invalid(minReadySecondsPath, -1, "covered error B").WithOrigin("minimum")
 	errBWithDiffDetail := field.Invalid(minReadySecondsPath, -1, "covered error B - different detail").WithOrigin("minimum")
+	errBWithDiffPath := field.Invalid(field.NewPath("spec").Child("fakeminReadySeconds"), -1, "covered error B").WithOrigin("minimum")
 	coveredErrB.CoveredByDeclarative = true
 	errC := field.Invalid(replicasPath, nil, "covered error C").WithOrigin("minimum")
 	coveredErrC := field.Invalid(replicasPath, nil, "covered error C").WithOrigin("minimum")
@@ -220,6 +228,7 @@ func TestGatherDeclarativeValidationMismatches(t *testing.T) {
 		takeover                bool
 		expectMismatches        bool
 		expectDetailsContaining []string
+		normalizedRules         []field.NormalizationRule
 	}{
 		{
 			name:                    "Declarative and imperative return 0 errors - no mismatch",
@@ -351,11 +360,29 @@ func TestGatherDeclarativeValidationMismatches(t *testing.T) {
 			expectMismatches:        false,
 			expectDetailsContaining: []string{},
 		},
+		{
+			name: "Field normalization, errors don't match - mismatch",
+			imperativeErrors: field.ErrorList{
+				coveredErrB,
+			},
+			declarativeErrors: field.ErrorList{
+				errBWithDiffPath,
+			},
+			normalizedRules: []field.NormalizationRule{
+				{
+					Regexp:      regexp.MustCompile(`spec.fakeminReadySeconds`),
+					Replacement: "spec.minReadySeconds",
+				},
+			},
+			takeover:                false,
+			expectMismatches:        false,
+			expectDetailsContaining: []string{},
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			details := gatherDeclarativeValidationMismatches(tc.imperativeErrors, tc.declarativeErrors, tc.takeover)
+			details := gatherDeclarativeValidationMismatches(tc.imperativeErrors, tc.declarativeErrors, tc.takeover, tc.normalizedRules)
 			// Check if mismatches were found if expected
 			if tc.expectMismatches && len(details) == 0 {
 				t.Errorf("Expected mismatches but got none")
@@ -422,7 +449,7 @@ func TestCompareDeclarativeErrorsAndEmitMismatches(t *testing.T) {
 			defer klog.LogToStderr(true)
 			ctx := context.Background()
 
-			CompareDeclarativeErrorsAndEmitMismatches(ctx, tc.imperativeErrs, tc.declarativeErrs, tc.takeover)
+			compareDeclarativeErrorsAndEmitMismatches(ctx, tc.imperativeErrs, tc.declarativeErrs, tc.takeover, "test_validationIdentifier", nil)
 
 			klog.Flush()
 			logOutput := buf.String()
@@ -508,7 +535,7 @@ func TestWithRecover(t *testing.T) {
 			defer klog.LogToStderr(true)
 
 			// Pass the takeover flag to panicSafeValidateFunc instead of relying on the feature gate
-			wrapped := panicSafeValidateFunc(tc.validateFn, tc.takeoverEnabled)
+			wrapped := panicSafeValidateFunc(tc.validateFn, tc.takeoverEnabled, "test_validationIdentifier")
 			gotErrs := wrapped(ctx, scheme, obj, nil, &validationConfigOption{opType: operation.Create, options: options, takeover: tc.takeoverEnabled})
 
 			klog.Flush()
@@ -602,7 +629,7 @@ func TestWithRecoverUpdate(t *testing.T) {
 			defer klog.LogToStderr(true)
 
 			// Pass the takeover flag to panicSafeValidateUpdateFunc instead of relying on the feature gate
-			wrapped := panicSafeValidateFunc(tc.validateFn, tc.takeoverEnabled)
+			wrapped := panicSafeValidateFunc(tc.validateFn, tc.takeoverEnabled, "test_validationIdentifier")
 			gotErrs := wrapped(ctx, scheme, obj, oldObj, &validationConfigOption{opType: operation.Update, options: options, takeover: tc.takeoverEnabled})
 
 			klog.Flush()
@@ -629,53 +656,69 @@ func TestWithRecoverUpdate(t *testing.T) {
 	}
 }
 
-func TestValidateDeclarativelyWithRecovery(t *testing.T) {
+func TestRecordDuplicateValidationErrors(t *testing.T) {
 	ctx := context.Background()
-	scheme := runtime.NewScheme()
-	var options []string
-	obj := &runtime.Unknown{}
-
-	// Simple test for the ValidateDeclarativelyWithRecovery function
-	t.Run("with takeover disabled", func(t *testing.T) {
-		errs := ValidateDeclaratively(ctx, scheme, obj, WithOptions(options), WithTakeover(false))
-		if errs == nil {
-			// This is expected to error since the request info is missing
-			t.Errorf("Expected errors but got nil")
-		}
-	})
-
-	t.Run("with takeover enabled", func(t *testing.T) {
-		errs := ValidateDeclaratively(ctx, scheme, obj, WithOptions(options), WithTakeover(true))
-		if errs == nil {
-			// This is expected to error since the request info is missioptionsng
-			t.Errorf("Expected errors but got nil")
-		}
-	})
-}
 
-func TestValidateUpdateDeclarativelyWithRecovery(t *testing.T) {
-	ctx := context.Background()
-	scheme := runtime.NewScheme()
-	var options []string
-	obj := &runtime.Unknown{}
-	oldObj := &runtime.Unknown{}
+	testCases := []struct {
+		name           string
+		qualifiedKind  schema.GroupKind
+		errs           field.ErrorList
+		expectedMetric string
+	}{
+		{
+			name:          "detect duplicates and increment metric",
+			qualifiedKind: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
+			errs: field.ErrorList{
+				field.Invalid(field.NewPath("spec").Child("replicas"), -1, "must be greater than or equal to 0").WithOrigin("minimum"),
+				field.Invalid(field.NewPath("spec").Child("replicas"), -1, "must be greater than or equal to 0").WithOrigin("minimum"),
+				field.Invalid(field.NewPath("spec").Child("selector"), &metav1.LabelSelector{MatchLabels: map[string]string{}, MatchExpressions: []metav1.LabelSelectorRequirement{}}, "empty selector is invalid for deployment"),
+				field.Invalid(field.NewPath("spec").Child("selector"), &metav1.LabelSelector{MatchLabels: map[string]string{}, MatchExpressions: []metav1.LabelSelectorRequirement{}}, "empty selector is invalid for deployment"),
+			},
+			expectedMetric: `
+			# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+			# TYPE apiserver_validation_duplicate_validation_error_total counter
+			apiserver_validation_duplicate_validation_error_total 2
+			`,
+		},
+		{
+			name:          "detect duplicates with all fields but origin being equal",
+			qualifiedKind: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
+			errs: field.ErrorList{
+				field.Invalid(field.NewPath("spec").Child("replicas"), -1, "must be greater than or equal to 0").WithOrigin("minimum"),
+				field.Invalid(field.NewPath("spec").Child("replicas"), -1, "must be greater than or equal to 0").WithOrigin("min"),
+			},
+			expectedMetric: `
+			# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+			# TYPE apiserver_validation_duplicate_validation_error_total counter
+			apiserver_validation_duplicate_validation_error_total 1
+			`,
+		},
+		{
+			name:          "no duplicates",
+			qualifiedKind: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
+			errs: field.ErrorList{
+				field.Invalid(field.NewPath("spec").Child("replicas"), -1, "must be greater than or equal to 0").WithOrigin("minimum"),
+				field.Invalid(field.NewPath("spec").Child("selector"), &metav1.LabelSelector{MatchLabels: map[string]string{}, MatchExpressions: []metav1.LabelSelectorRequirement{}}, "empty selector is invalid for deployment"),
+			},
+			expectedMetric: `
+			# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+			# TYPE apiserver_validation_duplicate_validation_error_total counter
+			apiserver_validation_duplicate_validation_error_total 0
+			`,
+		},
+	}
 
-	// Simple test for the ValidateUpdateDeclarativelyWithRecovery function
-	t.Run("with takeover disabled", func(t *testing.T) {
-		errs := ValidateUpdateDeclaratively(ctx, scheme, obj, oldObj, WithOptions(options), WithTakeover(false))
-		if errs == nil {
-			// This is expected to error since the request info is missing
-			t.Errorf("Expected errors but got nil")
-		}
-	})
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			defer legacyregistry.Reset()
+			defer validation.ResetValidationMetricsInstance()
+			RecordDuplicateValidationErrors(ctx, tc.qualifiedKind, tc.errs)
 
-	t.Run("with takeover enabled", func(t *testing.T) {
-		errs := ValidateUpdateDeclaratively(ctx, scheme, obj, oldObj, WithOptions(options), WithTakeover(true))
-		if errs == nil {
-			// This is expected to error since the request info is missing
-			t.Errorf("Expected errors but got nil")
-		}
-	})
+			if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(tc.expectedMetric), "apiserver_validation_duplicate_validation_error_total"); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
 }
 
 func equalErrorLists(a, b field.ErrorList) bool {
@@ -690,3 +733,93 @@ func equalErrorLists(a, b field.ErrorList) bool {
 	// Both non-nil: do a normal DeepEqual
 	return reflect.DeepEqual(a, b)
 }
+
+func TestMetricIdentifier(t *testing.T) {
+	scheme := runtime.NewScheme()
+	scheme.AddKnownTypes(schema.GroupVersion{Version: "v1"}, &v1.Pod{})
+
+	testCases := []struct {
+		name        string
+		opType      operation.Type
+		obj         runtime.Object
+		scheme      *runtime.Scheme
+		subresource string
+		expected    string
+		expectErr   bool
+	}{
+		{
+			name:        "with subresource",
+			opType:      operation.Create,
+			obj:         &v1.Pod{TypeMeta: metav1.TypeMeta{Kind: "Pod"}},
+			scheme:      scheme,
+			subresource: "status",
+			expected:    "pod_status_create",
+			expectErr:   false,
+		},
+		{
+			name:      "without subresource",
+			opType:    operation.Update,
+			obj:       &v1.Pod{TypeMeta: metav1.TypeMeta{Kind: "Pod"}},
+			scheme:    scheme,
+			expected:  "pod_update",
+			expectErr: false,
+		},
+		{
+			name:      "unknown operation",
+			opType:    3, // not a valid operation.Type
+			obj:       &v1.Pod{TypeMeta: metav1.TypeMeta{Kind: "Pod"}},
+			scheme:    scheme,
+			expected:  "pod_unknown_op",
+			expectErr: true,
+		},
+		{
+			name:      "no request info and no kind",
+			opType:    operation.Create,
+			obj:       nil,
+			expected:  "unknown_resource_create",
+			expectErr: true,
+		},
+		{
+			name:      "known type without kind",
+			opType:    operation.Update,
+			obj:       &v1.Pod{},
+			scheme:    scheme,
+			expected:  "pod_update",
+			expectErr: false,
+		},
+		{
+			name:      "unknown type with scheme",
+			opType:    operation.Create,
+			obj:       &runtime.Unknown{}, // Not registered in the scheme
+			scheme:    scheme,
+			expected:  "unknown_resource_create",
+			expectErr: true,
+		},
+		{
+			name:      "unknown type without scheme",
+			opType:    operation.Type(4),
+			obj:       &runtime.Unknown{}, // Not registered in the scheme
+			expected:  "unknown_resource_unknown_op",
+			expectErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := context.Background()
+			if tc.obj != nil {
+				ctx = genericapirequest.WithRequestInfo(ctx, &genericapirequest.RequestInfo{
+					Subresource: tc.subresource,
+				})
+			}
+
+			result, err := metricIdentifier(ctx, tc.scheme, tc.obj, tc.opType)
+			if (err != nil) != tc.expectErr {
+				t.Errorf("expected error: %v, got: %v", tc.expectErr, err)
+			}
+			if result != tc.expected {
+				t.Errorf("expected: %s, got: %s", tc.expected, result)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go
index a13e1384c5c91..efe10e81a696f 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config.go
@@ -55,6 +55,7 @@ import (
 	discoveryendpoint "k8s.io/apiserver/pkg/endpoints/discovery/aggregated"
 	"k8s.io/apiserver/pkg/endpoints/filterlatency"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+	"k8s.io/apiserver/pkg/endpoints/filters/impersonation"
 	apiopenapi "k8s.io/apiserver/pkg/endpoints/openapi"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	genericfeatures "k8s.io/apiserver/pkg/features"
@@ -62,6 +63,7 @@ import (
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	"k8s.io/apiserver/pkg/server/egressselector"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
+	"k8s.io/apiserver/pkg/server/flagz"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/routes"
 	"k8s.io/apiserver/pkg/server/routine"
@@ -81,7 +83,6 @@ import (
 	"k8s.io/component-base/metrics/features"
 	"k8s.io/component-base/metrics/prometheus/slis"
 	"k8s.io/component-base/tracing"
-	"k8s.io/component-base/zpages/flagz"
 	"k8s.io/klog/v2"
 	openapicommon "k8s.io/kube-openapi/pkg/common"
 	"k8s.io/kube-openapi/pkg/spec3"
@@ -1102,8 +1103,13 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
 	}
 
 	handler = filterlatency.TrackCompleted(handler)
-	handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
-	handler = filterlatency.TrackStarted(handler, c.TracerProvider, "impersonation")
+	if c.FeatureGate.Enabled(genericfeatures.ConstrainedImpersonation) {
+		handler = impersonation.WithConstrainedImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
+		handler = filterlatency.TrackStarted(handler, c.TracerProvider, "constrainedimpersonation")
+	} else {
+		handler = impersonation.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
+		handler = filterlatency.TrackStarted(handler, c.TracerProvider, "impersonation")
+	}
 
 	handler = filterlatency.TrackCompleted(handler)
 	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyRuleEvaluator, c.LongRunningFunc)
@@ -1201,7 +1207,7 @@ func installAPI(name string, s *GenericAPIServer, c *Config) {
 	routes.Version{Version: c.EffectiveVersion.Info()}.Install(s.Handler.GoRestfulContainer)
 
 	if c.EnableDiscovery {
-		wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(s.DiscoveryGroupManager, s.AggregatedDiscoveryGroupManager)
+		wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(s.DiscoveryGroupManager, s.AggregatedDiscoveryGroupManager, s.PeerAggregatedDiscoveryManager)
 		s.Handler.GoRestfulContainer.Add(wrapped.GenerateWebService("/apis", metav1.APIGroupList{}))
 	}
 	if c.FlowControl != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go b/staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go
index 845a45fab312a..dbe9e375f26c8 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/configmap_cafile_content.go
@@ -209,7 +209,7 @@ func (c *ConfigMapCAController) Run(ctx context.Context, workers int) {
 	go c.configMapInformer.Run(ctx.Done())
 
 	// wait for your secondary caches to fill before starting your work
-	if !cache.WaitForNamedCacheSync(c.name, ctx.Done(), c.preRunCaches...) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.preRunCaches...) {
 		return
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go b/staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go
index a38ef64649822..27408fe15825d 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go
@@ -22,6 +22,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -110,7 +111,14 @@ func lookupServiceName(name string) (EgressType, error) {
 
 func tunnelHTTPConnect(proxyConn net.Conn, proxyAddress, addr string) (net.Conn, error) {
 	fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", addr, "127.0.0.1")
-	br := bufio.NewReader(proxyConn)
+
+	// As described in https://go.dev/issue/74633 a misbehaving proxy server
+	// can cause memory exhaustion in the client. The fix in https://go.dev/cl/698915
+	// only covers http.Transport users. Apply the same limit here.
+	//
+	// Limit the size of the response headers the proxy server can send us.
+	br := bufio.NewReader(io.LimitReader(proxyConn, http.DefaultMaxHeaderBytes))
+
 	res, err := http.ReadResponse(br, nil)
 	if err != nil {
 		proxyConn.Close()
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/OWNERS b/staging/src/k8s.io/apiserver/pkg/server/flagz/OWNERS
new file mode 100644
index 0000000000000..01225cdf85dda
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/OWNERS
@@ -0,0 +1,7 @@
+approvers:
+  - sig-instrumentation-approvers
+  - sig-api-machinery-approvers
+reviewers:
+  - sig-instrumentation-reviewers
+labels:
+  - sig/instrumentation
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/OWNERS b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/OWNERS
new file mode 100644
index 0000000000000..0cd610188ae4f
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/OWNERS
@@ -0,0 +1,11 @@
+# Disable inheritance as this is an api owners file
+options:
+  no_parent_owners: true
+approvers:
+  - api-approvers
+reviewers:
+  - api-reviewers
+  - sig-instrumentation-reviewers
+labels:
+  - kind/api-change
+  - sig/instrumentation
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/doc.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/doc.go
new file mode 100644
index 0000000000000..ab7a48c210653
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apiserver.pkg.server.flagz.api.v1alpha1
+
+// Package v1alpha1 contains API Schema definitions for the zpages v1alpha1 API group
+package v1alpha1
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/register.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/register.go
new file mode 100644
index 0000000000000..d2a1f08bce991
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/register.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	GroupName = "config.k8s.io"
+	Version   = "v1alpha1"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
+
+var (
+	// SchemeBuilder initializes a scheme builder
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// AddToScheme is a global function that adds this group's types to a scheme
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Flagz{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/types.go
new file mode 100644
index 0000000000000..c0ce9736994a9
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/types.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// Flagz is the structured response for the /flagz endpoint.
+type Flagz struct {
+	// TypeMeta is the type metadata for the object.
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Flags contains the command-line flags and their values.
+	// The keys are the flag names and the values are the flag values,
+	// possibly with confidential values redacted.
+	// +optional
+	Flags map[string]string `json:"flags,omitempty"`
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000000..b32aabef6ae9f
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,59 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Flagz) DeepCopyInto(out *Flagz) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Flags != nil {
+		in, out := &in.Flags, &out.Flags
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Flagz.
+func (in *Flagz) DeepCopy() *Flagz {
+	if in == nil {
+		return nil
+	}
+	out := new(Flagz)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Flagz) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..d953fff3cbcbe
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/api/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Flagz) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.server.flagz.api.v1alpha1.Flagz"
+}
diff --git a/staging/src/k8s.io/component-base/zpages/flagz/flagreader.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagreader.go
similarity index 100%
rename from staging/src/k8s.io/component-base/zpages/flagz/flagreader.go
rename to staging/src/k8s.io/apiserver/pkg/server/flagz/flagreader.go
diff --git a/staging/src/k8s.io/component-base/zpages/flagz/flagreader_test.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagreader_test.go
similarity index 100%
rename from staging/src/k8s.io/component-base/zpages/flagz/flagreader_test.go
rename to staging/src/k8s.io/apiserver/pkg/server/flagz/flagreader_test.go
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz.go
new file mode 100644
index 0000000000000..de5dfe79fee56
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz.go
@@ -0,0 +1,198 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flagz
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	v1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	"k8s.io/apiserver/pkg/server/flagz/negotiate"
+)
+
+const (
+	DefaultFlagzPath = "/flagz"
+	Kind             = "Flagz"
+	GroupName        = "config.k8s.io"
+	Version          = "v1alpha1"
+)
+
+type mux interface {
+	Handle(path string, handler http.Handler)
+}
+
+// Install installs the flagz endpoint to the given mux.
+func Install(m mux, componentName string, flagReader Reader, opts ...Option) {
+	reg := &registry{
+		reader:                flagReader,
+		deprecatedVersionsMap: map[string]bool{},
+	}
+	for _, opt := range opts {
+		opt(reg)
+	}
+
+	scheme := runtime.NewScheme()
+	utilruntime.Must(v1alpha1.AddToScheme(scheme))
+	codecFactory := serializer.NewCodecFactory(
+		scheme,
+		serializer.WithSerializer(func(_ runtime.ObjectCreater, _ runtime.ObjectTyper) runtime.SerializerInfo {
+			textSerializer := flagzTextSerializer{componentName, reg.reader}
+			return runtime.SerializerInfo{
+				MediaType:        "text/plain",
+				MediaTypeType:    "text",
+				MediaTypeSubType: "plain",
+				EncodesAsText:    true,
+				Serializer:       textSerializer,
+				PrettySerializer: textSerializer,
+			}
+		}),
+	)
+	m.Handle(DefaultFlagzPath, handleFlagz(componentName, reg, codecFactory, negotiate.FlagzEndpointRestrictions{}))
+}
+
+func handleFlagz(componentName string, reg *registry, serializer runtime.NegotiatedSerializer, restrictions negotiate.FlagzEndpointRestrictions) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		obj := flagz(componentName, reg.reader)
+		acceptHeader := r.Header.Get("Accept")
+		if strings.TrimSpace(acceptHeader) == "" {
+			writePlainTextResponse(obj, serializer, w, reg)
+			return
+		}
+
+		mediaType, serializerInfo, err := negotiation.NegotiateOutputMediaType(r, serializer, restrictions)
+		if err != nil {
+			utilruntime.HandleError(err)
+			responsewriters.ErrorNegotiated(
+				err,
+				serializer,
+				schema.GroupVersion{},
+				w,
+				r,
+			)
+			return
+		}
+
+		var targetGV schema.GroupVersion
+		switch serializerInfo.MediaType {
+		case "application/json":
+			if mediaType.Convert == nil {
+				err := fmt.Errorf("content negotiation failed: mediaType.Convert is nil for application/json")
+				utilruntime.HandleError(err)
+				responsewriters.ErrorNegotiated(
+					err,
+					serializer,
+					schema.GroupVersion{},
+					w,
+					r,
+				)
+				return
+			}
+			targetGV = mediaType.Convert.GroupVersion()
+			if reg.deprecatedVersions()[targetGV.Version] {
+				w.Header().Set("Warning", `299 - "This version of the flagz endpoint is deprecated. Please use a newer version."`)
+			}
+		case "text/plain":
+			writePlainTextResponse(obj, serializer, w, reg)
+			return
+		default:
+			err = fmt.Errorf("content negotiation failed: unsupported media type '%s'", serializerInfo.MediaType)
+			utilruntime.HandleError(err)
+			responsewriters.ErrorNegotiated(
+				err,
+				serializer,
+				schema.GroupVersion{},
+				w,
+				r,
+			)
+			return
+		}
+
+		writeResponse(obj, serializer, targetGV, restrictions, w, r)
+	}
+}
+
+func writePlainTextResponse(obj runtime.Object, serializer runtime.NegotiatedSerializer, w http.ResponseWriter, reg *registry) {
+	reg.cachedPlainTextResponseLock.Lock()
+	defer reg.cachedPlainTextResponseLock.Unlock()
+	if reg.cachedPlainTextResponse != nil {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		if _, err := w.Write(reg.cachedPlainTextResponse); err != nil {
+			utilruntime.HandleError(fmt.Errorf("error writing cached flagz as text/plain: %w", err))
+		}
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	var textSerializer runtime.Serializer
+	for _, info := range serializer.SupportedMediaTypes() {
+		if info.MediaType == "text/plain" {
+			textSerializer = info.Serializer
+			break
+		}
+	}
+	if textSerializer == nil {
+		utilruntime.HandleError(fmt.Errorf("text/plain serializer not available"))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	var buf strings.Builder
+	if err := textSerializer.Encode(obj, &buf); err != nil {
+		utilruntime.HandleError(fmt.Errorf("error encoding flagz as text/plain: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	reg.cachedPlainTextResponse = []byte(buf.String())
+	if _, err := w.Write(reg.cachedPlainTextResponse); err != nil {
+		utilruntime.HandleError(fmt.Errorf("error writing flagz as text/plain: %w", err))
+	}
+}
+
+func writeResponse(obj runtime.Object, serializer runtime.NegotiatedSerializer, targetGV schema.GroupVersion, restrictions negotiate.FlagzEndpointRestrictions, w http.ResponseWriter, r *http.Request) {
+	responsewriters.WriteObjectNegotiated(
+		serializer,
+		restrictions,
+		targetGV,
+		w,
+		r,
+		http.StatusOK,
+		obj,
+		true,
+	)
+}
+
+func flagz(componentName string, flagReader Reader) *v1alpha1.Flagz {
+	flags := flagReader.GetFlagz()
+	return &v1alpha1.Flagz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       Kind,
+			APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: componentName,
+		},
+		Flags: flags,
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz_test.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz_test.go
new file mode 100644
index 0000000000000..4f6e61484921c
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/flagz_test.go
@@ -0,0 +1,293 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flagz
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/spf13/pflag"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	cliflag "k8s.io/component-base/cli/flag"
+)
+
+const wantTmpl = `
+%s flagz
+Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
+`
+
+func TestHandleFlagz(t *testing.T) {
+	fakeFlagName := "test-flag"
+	fakeFlagValue := "test-value"
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	fs.String(fakeFlagName, fakeFlagValue, "usage")
+	fakeReader := NamedFlagSetsReader{
+		FlagSets: cliflag.NamedFlagSets{
+			FlagSets: map[string]*pflag.FlagSet{
+				"test": fs,
+			},
+		},
+	}
+
+	tests := []struct {
+		name           string
+		acceptHeader   string
+		componentName  string
+		registry       *registry
+		wantStatusCode int
+		wantBody       string
+		wantJSONBody   *v1alpha1.Flagz
+		wantWarning    bool
+	}{
+		{
+			name:          "valid request for text/plain",
+			acceptHeader:  "text/plain",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+			),
+		},
+		{
+			name:          "valid request for v1alpha1",
+			acceptHeader:  "application/json;v=v1alpha1;g=config.k8s.io;as=Flagz",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantJSONBody: &v1alpha1.Flagz{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       Kind,
+					APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-server",
+				},
+				Flags: map[string]string{
+					fakeFlagName: fakeFlagValue,
+				},
+			},
+		},
+		{
+			name:          "deprecated version request",
+			acceptHeader:  "application/json;v=v1alpha1;g=config.k8s.io;as=Flagz",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{"v1alpha1": true},
+			},
+			wantStatusCode: http.StatusOK,
+			wantJSONBody: &v1alpha1.Flagz{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       Kind,
+					APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-server",
+				},
+				Flags: map[string]string{
+					fakeFlagName: fakeFlagValue,
+				},
+			},
+			wantWarning: true,
+		},
+		{
+			name:          "no accept header falls back to text/plain",
+			acceptHeader:  "",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+			),
+		},
+		{
+			name:          "wildcard accept header falls back to text/plain",
+			acceptHeader:  "*/*",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+			),
+		},
+		{
+			name:          "bad json header falls back to text/plain with wildcard",
+			acceptHeader:  "application/json;v=foo;g=config.k8s.io;as=Flagz,*/*",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+			),
+		},
+		{
+			name:          "unsupported accept header",
+			acceptHeader:  "application/xml",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+		{
+			name:          "unsupported application/json without params",
+			acceptHeader:  "application/json",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+		{
+			name:          "unsupported application/json with missing params",
+			acceptHeader:  "application/json;v=v1alpha1;g=config.k8s.io",
+			componentName: "test-server",
+			registry: &registry{
+				reader:                fakeReader,
+				deprecatedVersionsMap: map[string]bool{},
+			},
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mux := http.NewServeMux()
+			var opts []Option
+			var capturedReg *registry
+			opts = append(opts, func(reg *registry) {
+				capturedReg = reg
+				if tt.registry != nil {
+					reg.deprecatedVersionsMap = tt.registry.deprecatedVersionsMap
+				}
+			})
+			Install(mux, tt.componentName, fakeReader, opts...)
+			// Assign the captured registry to tt.registry for consistency with existing test logic
+			tt.registry = capturedReg
+
+			path := "/flagz"
+			req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://example.com%s", path), nil)
+			if err != nil {
+				t.Fatalf("unexpected error while creating request: %v", err)
+			}
+			if tt.acceptHeader != "" {
+				req.Header.Set("Accept", tt.acceptHeader)
+			}
+
+			w := httptest.NewRecorder()
+			mux.ServeHTTP(w, req)
+
+			if w.Code != tt.wantStatusCode {
+				t.Fatalf("want status code: %v, got: %v", tt.wantStatusCode, w.Code)
+			}
+
+			if tt.wantStatusCode == http.StatusOK {
+				if tt.wantJSONBody != nil {
+					var got v1alpha1.Flagz
+					if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
+						t.Fatalf("unexpected error while unmarshalling response: %v", err)
+					}
+					if diff := cmp.Diff(*tt.wantJSONBody, got); diff != "" {
+						t.Errorf("Unexpected diff on response (-want,+got):\n%s", diff)
+					}
+					if tt.wantWarning {
+						if !strings.Contains(w.Header().Get("Warning"), "deprecated") {
+							t.Errorf("expected deprecation warning in header, but got: %s", w.Header().Get("Warning"))
+						}
+					}
+				} else if !strings.Contains(string(w.Body.String()), tt.wantBody) {
+					t.Errorf("Unexpected response body:\n- want: %s\n- got:  %s", tt.wantBody, string(w.Body.String()))
+				}
+			}
+		})
+	}
+}
+
+func TestCache(t *testing.T) {
+	fakeFlagName := "test-flag"
+	fakeFlagValue := "test-value"
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	fs.String(fakeFlagName, fakeFlagValue, "usage")
+	fakeReader := NamedFlagSetsReader{
+		FlagSets: cliflag.NamedFlagSets{
+			FlagSets: map[string]*pflag.FlagSet{
+				"test": fs,
+			},
+		},
+	}
+	mux := http.NewServeMux()
+	var capturedReg *registry
+	Install(mux, "test-server", fakeReader, func(reg *registry) {
+		capturedReg = reg
+	})
+
+	path := "/flagz"
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://example.com%s", path), nil)
+	if err != nil {
+		t.Fatalf("unexpected error while creating request: %v", err)
+	}
+	req.Header.Set("Accept", "text/plain")
+
+	w := httptest.NewRecorder()
+	mux.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("want status code: %v, got: %v", http.StatusOK, w.Code)
+	}
+	if capturedReg.cachedPlainTextResponse == nil {
+		t.Fatalf("cached response should not be nil")
+	}
+	cached := capturedReg.cachedPlainTextResponse
+	fs.String("new-flag", "new-value", "usage")
+
+	w = httptest.NewRecorder()
+	mux.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("want status code: %v, got: %v", http.StatusOK, w.Code)
+	}
+	if diff := cmp.Diff(cached, capturedReg.cachedPlainTextResponse); diff != "" {
+		t.Errorf("Unexpected diff on cached response (-want,+got):\n%s", diff)
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/negotiate/negotiation.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/negotiate/negotiation.go
new file mode 100644
index 0000000000000..f3edc8f3c1ada
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/negotiate/negotiation.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package negotiate
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// FlagzEndpointRestrictions implements content negotiation restrictions for the z-pages.
+// It is used to validate and restrict which GroupVersionKinds are allowed for structured responses.
+type FlagzEndpointRestrictions struct{}
+
+// AllowsMediaTypeTransform checks if the provided GVK is supported for structured z-page responses.
+func (FlagzEndpointRestrictions) AllowsMediaTypeTransform(mimeType string, mimeSubType string, gvk *schema.GroupVersionKind) bool {
+	if mimeType == "text" && mimeSubType == "plain" {
+		return gvk == nil
+	}
+	return isStructured(gvk)
+}
+
+func (FlagzEndpointRestrictions) AllowsServerVersion(string) bool {
+	return false
+}
+
+func (FlagzEndpointRestrictions) AllowsStreamSchema(s string) bool {
+	return false
+}
+
+func isStructured(gvk *schema.GroupVersionKind) bool {
+	if gvk != nil {
+		if gvk.Group == "config.k8s.io" && gvk.Version == "v1alpha1" {
+			if gvk.Kind == "Flagz" {
+				return true
+			}
+		}
+	}
+
+	return false
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/registry.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/registry.go
new file mode 100644
index 0000000000000..7fe489a183e02
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/registry.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flagz
+
+import (
+	"sync"
+)
+
+type registry struct {
+	// reader is a Reader where we can get the flags.
+	reader Reader
+	// deprecatedVersionsMap is a map of deprecated flagz versions.
+	deprecatedVersionsMap map[string]bool
+	// cachedPlainTextResponse is a cached response of the flagz endpoint.
+	cachedPlainTextResponse []byte
+	// cachedPlainTextResponseLock is a lock for the cachedPlainTextResponse.
+	cachedPlainTextResponseLock sync.Mutex
+}
+
+// Option is a function to configure registry.
+type Option func(reg *registry)
+
+func (r *registry) deprecatedVersions() map[string]bool {
+	return r.deprecatedVersionsMap
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/flagz/textserializer.go b/staging/src/k8s.io/apiserver/pkg/server/flagz/textserializer.go
new file mode 100644
index 0000000000000..ee9f72edd6352
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/flagz/textserializer.go
@@ -0,0 +1,77 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flagz
+
+import (
+	"fmt"
+	"io"
+	"math/rand"
+	"sort"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+	delimiters = []string{":", ": ", "=", " "}
+)
+
+const headerFmt = `
+%s flagz
+Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
+`
+
+// flagzTextSerializer implements runtime.Serializer for text/plain output.
+type flagzTextSerializer struct {
+	componentName string
+	flagReader    Reader
+}
+
+// Encode writes the flagz information in plain text format to the given writer, using the provided obj.
+func (s flagzTextSerializer) Encode(obj runtime.Object, w io.Writer) error {
+	if _, err := fmt.Fprintf(w, headerFmt, s.componentName); err != nil {
+		return err
+	}
+
+	randomIndex := rand.Intn(len(delimiters))
+	separator := delimiters[randomIndex]
+
+	flags := s.flagReader.GetFlagz()
+	var sortedKeys []string
+	for key := range flags {
+		sortedKeys = append(sortedKeys, key)
+	}
+
+	sort.Strings(sortedKeys)
+	for _, key := range sortedKeys {
+		if _, err := fmt.Fprintf(w, "%s%s%s\n", key, separator, flags[key]); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Decode is not supported for text/plain serialization.
+func (s flagzTextSerializer) Decode(data []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	return nil, nil, fmt.Errorf("decode not supported for text/plain")
+}
+
+// Identifier returns a unique identifier for this serializer.
+func (s flagzTextSerializer) Identifier() runtime.Identifier {
+	return runtime.Identifier("flagzTextSerializer")
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
index 4d5967b0f1b1c..0cb1007495741 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
@@ -52,13 +52,13 @@ import (
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/apiserver/pkg/server/routes"
+	"k8s.io/apiserver/pkg/server/statusz"
 	"k8s.io/apiserver/pkg/storageversion"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	restclient "k8s.io/client-go/rest"
 	basecompatibility "k8s.io/component-base/compatibility"
 	"k8s.io/component-base/featuregate"
 	zpagesfeatures "k8s.io/component-base/zpages/features"
-	"k8s.io/component-base/zpages/statusz"
 	"k8s.io/klog/v2"
 	openapibuilder3 "k8s.io/kube-openapi/pkg/builder3"
 	openapicommon "k8s.io/kube-openapi/pkg/common"
@@ -156,6 +156,9 @@ type GenericAPIServer struct {
 	// AggregatedDiscoveryGroupManager serves /apis in an aggregated form.
 	AggregatedDiscoveryGroupManager discoveryendpoint.ResourceManager
 
+	// PeerAggregatedDiscoveryManager serves /apis aggregated from all peer apiservers.
+	PeerAggregatedDiscoveryManager discoveryendpoint.PeerAggregatedResourceManager
+
 	// AggregatedLegacyDiscoveryGroupManager serves /api in an aggregated form.
 	AggregatedLegacyDiscoveryGroupManager discoveryendpoint.ResourceManager
 
@@ -535,7 +538,7 @@ func (s preparedGenericAPIServer) RunWithContext(ctx context.Context) error {
 	if s.UnprotectedDebugSocket != nil {
 		go func() {
 			defer utilruntime.HandleCrash()
-			klog.Error(s.UnprotectedDebugSocket.Run(stopCh))
+			klog.Error(s.UnprotectedDebugSocket.RunWithContext(ctx))
 		}()
 	}
 
@@ -891,7 +894,8 @@ func (s *GenericAPIServer) InstallLegacyAPIGroup(apiPrefix string, apiGroupInfo
 	// Install the version handler.
 	// Add a handler at /<apiPrefix> to enumerate the supported api versions.
 	legacyRootAPIHandler := discovery.NewLegacyRootAPIHandler(s.discoveryAddresses, s.Serializer, apiPrefix)
-	wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(legacyRootAPIHandler, s.AggregatedLegacyDiscoveryGroupManager)
+	// No peer-to-peer discovery for legacy API group.
+	wrapped := discoveryendpoint.WrapAggregatedDiscoveryToHandler(legacyRootAPIHandler, s.AggregatedLegacyDiscoveryGroupManager, s.AggregatedLegacyDiscoveryGroupManager)
 	s.Handler.GoRestfulContainer.Add(wrapped.GenerateWebService("/api", metav1.APIVersions{}))
 	s.registerStorageReadinessCheck("", apiGroupInfo)
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go
index 39079c616a64e..24d918ebf97f6 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_graceful_termination_test.go
@@ -39,10 +39,13 @@ import (
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/endpoints/openapi"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
+	clientscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
+	kubeopenapi "k8s.io/kube-openapi/pkg/common"
 
 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/net/http2"
@@ -1024,6 +1027,12 @@ func newClient(useNewConnection bool) *http.Client {
 	}
 }
 
+func getOpenAPIDefinitionsForTest(_ kubeopenapi.ReferenceCallback) map[string]kubeopenapi.OpenAPIDefinition {
+	return map[string]kubeopenapi.OpenAPIDefinition{
+		"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList": {},
+	}
+}
+
 func newGenericAPIServer(t *testing.T, fAudit *fakeAudit, keepListening bool) *GenericAPIServer {
 	config, _ := setUp(t)
 	config.ShutdownDelayDuration = 100 * time.Millisecond
@@ -1032,6 +1041,9 @@ func newGenericAPIServer(t *testing.T, fAudit *fakeAudit, keepListening bool) *G
 	config.ShutdownWatchTerminationGracePeriod = 2 * time.Second
 	config.AuditPolicyRuleEvaluator = fAudit
 	config.AuditBackend = fAudit
+	namer := openapi.NewDefinitionNamer(clientscheme.Scheme)
+	config.OpenAPIConfig = DefaultOpenAPIConfig(getOpenAPIDefinitionsForTest, namer)
+	config.OpenAPIV3Config = DefaultOpenAPIV3Config(getOpenAPIDefinitionsForTest, namer)
 
 	s, err := config.Complete(nil).New("test", NewEmptyDelegate())
 	if err != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
index d3457cf34a112..7c60c7d8b186c 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
@@ -119,11 +119,11 @@ func buildTestOpenAPIDefinition() kubeopenapi.OpenAPIDefinition {
 
 func testGetOpenAPIDefinitions(_ kubeopenapi.ReferenceCallback) map[string]kubeopenapi.OpenAPIDefinition {
 	return map[string]kubeopenapi.OpenAPIDefinition{
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":          {},
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":     {},
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":    {},
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":        buildTestOpenAPIDefinition(),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": {},
+		"io.k8s.apimachinery.pkg.apis.meta.v1.Status":          {},
+		"io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions":     {},
+		"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList":    {},
+		"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup":        buildTestOpenAPIDefinition(),
+		"io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": {},
 	}
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
index f10e5ed5f380a..b41f97ec968ab 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go
@@ -44,6 +44,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/restmapper"
+	"k8s.io/component-base/compatibility"
 	"k8s.io/component-base/featuregate"
 )
 
@@ -130,6 +131,7 @@ func (a *AdmissionOptions) ApplyTo(
 	kubeClient kubernetes.Interface,
 	dynamicClient dynamic.Interface,
 	features featuregate.FeatureGate,
+	effectiveVersion compatibility.EffectiveVersion,
 	pluginInitializers ...admission.PluginInitializer,
 ) error {
 	if a == nil {
@@ -154,7 +156,7 @@ func (a *AdmissionOptions) ApplyTo(
 	discoveryClient := cacheddiscovery.NewMemCacheClient(kubeClient.Discovery())
 	discoveryRESTMapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient)
 	genericInitializer := initializer.New(kubeClient, dynamicClient, informers, c.Authorization.Authorizer, features,
-		c.DrainedNotify(), NewAdmissionRESTMapper(discoveryRESTMapper))
+		effectiveVersion, c.DrainedNotify(), NewAdmissionRESTMapper(discoveryRESTMapper))
 	initializersChain := admission.PluginInitializers{genericInitializer}
 	initializersChain = append(initializersChain, pluginInitializers...)
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement.go b/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement.go
index 44a5ddcc5e417..81e4899f0850d 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement.go
@@ -106,10 +106,22 @@ func (s *APIEnablementOptions) ApplyTo(c *server.Config, defaultResourceConfig *
 
 	c.MergedResourceConfig = mergedResourceConfig
 
-	if binVersion, emulatedVersion := c.EffectiveVersion.BinaryVersion(), c.EffectiveVersion.EmulationVersion(); !binVersion.EqualTo(emulatedVersion) {
+	binVersion, emulatedVersion := c.EffectiveVersion.BinaryVersion(), c.EffectiveVersion.EmulationVersion()
+	if binVersion != nil && emulatedVersion != nil && (binVersion.Major() != emulatedVersion.Major() || binVersion.Minor() != emulatedVersion.Minor()) {
 		for _, version := range registry.PrioritizedVersionsAllGroups() {
 			if strings.Contains(version.Version, "alpha") {
-				klog.Warningf("alpha api enabled with emulated version %s instead of the binary's version %s, this is unsupported, proceed at your own risk: api=%s", emulatedVersion, binVersion, version.String())
+				// Check if this alpha API is actually enabled before warning
+				entireVersionEnabled := c.MergedResourceConfig.ExplicitGroupVersionConfigs[version]
+				individualResourceEnabled := false
+				for resource, enabled := range c.MergedResourceConfig.ExplicitResourceConfigs {
+					if enabled && resource.Group == version.Group && resource.Version == version.Version {
+						individualResourceEnabled = true
+						break
+					}
+				}
+				if entireVersionEnabled || individualResourceEnabled {
+					klog.Warningf("alpha api enabled with emulated version %s instead of the binary's version %s, this is unsupported, proceed at your own risk: api=%s", emulatedVersion, binVersion, version.String())
+				}
 			}
 		}
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement_test.go
index a14319e537358..b93771633f1ae 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/api_enablement_test.go
@@ -17,11 +17,19 @@ limitations under the License.
 package options
 
 import (
+	"bytes"
 	"strings"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/version"
+	apimachineryversion "k8s.io/apimachinery/pkg/version"
+	"k8s.io/apiserver/pkg/server"
+	serverstore "k8s.io/apiserver/pkg/server/storage"
 	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/component-base/compatibility"
+	"k8s.io/klog/v2"
 )
 
 type fakeGroupRegistry struct{}
@@ -77,3 +85,292 @@ func TestAPIEnablementOptionsValidate(t *testing.T) {
 		})
 	}
 }
+
+type fakeGroupVersionRegistry struct {
+	versions []schema.GroupVersion
+}
+
+func (f fakeGroupVersionRegistry) PrioritizedVersionsAllGroups() []schema.GroupVersion {
+	return f.versions
+}
+
+func (f fakeGroupVersionRegistry) PrioritizedVersionsForGroup(group string) []schema.GroupVersion {
+	var result []schema.GroupVersion
+	for _, gv := range f.versions {
+		if gv.Group == group {
+			result = append(result, gv)
+		}
+	}
+	return result
+}
+
+func (f fakeGroupVersionRegistry) IsGroupRegistered(group string) bool {
+	for _, gv := range f.versions {
+		if gv.Group == group {
+			return true
+		}
+	}
+	return false
+}
+
+func (f fakeGroupVersionRegistry) IsVersionRegistered(gv schema.GroupVersion) bool {
+	for _, version := range f.versions {
+		if version == gv {
+			return true
+		}
+	}
+	return false
+}
+
+func (f fakeGroupVersionRegistry) GroupVersions() []schema.GroupVersion {
+	return f.versions
+}
+
+type fakeEffectiveVersion struct {
+	binaryVersion    *version.Version
+	emulationVersion *version.Version
+}
+
+func (f fakeEffectiveVersion) BinaryVersion() *version.Version {
+	return f.binaryVersion
+}
+
+func (f fakeEffectiveVersion) EmulationVersion() *version.Version {
+	return f.emulationVersion
+}
+
+func (f fakeEffectiveVersion) MinCompatibilityVersion() *version.Version {
+	return nil
+}
+
+func (f fakeEffectiveVersion) EqualTo(other compatibility.EffectiveVersion) bool {
+	return f.binaryVersion.EqualTo(other.BinaryVersion()) && f.emulationVersion.EqualTo(other.EmulationVersion())
+}
+
+func (f fakeEffectiveVersion) String() string {
+	return "fake"
+}
+
+func (f fakeEffectiveVersion) Info() *apimachineryversion.Info {
+	return nil
+}
+
+func (f fakeEffectiveVersion) AllowedEmulationVersionRange() string {
+	return "fake range"
+}
+
+func (f fakeEffectiveVersion) AllowedMinCompatibilityVersionRange() string {
+	return "fake range"
+}
+
+func (f fakeEffectiveVersion) Validate() []error {
+	return nil
+}
+
+func TestAPIEnablementOptionsApplyToVersionComparison(t *testing.T) {
+	// Helper function to capture klog output
+	captureKlogOutput := func(fn func()) string {
+		var buf bytes.Buffer
+		klog.SetOutput(&buf)
+		klog.LogToStderr(false)
+		defer func() {
+			klog.SetOutput(nil)
+			klog.LogToStderr(true)
+		}()
+
+		fn()
+		klog.Flush()
+		return buf.String()
+	}
+
+	testCases := []struct {
+		name                 string
+		binaryVersion        string
+		emulationVersion     string
+		alphaAPIsPresent     bool
+		versionEnabled       bool
+		expectWarning        bool
+		expectWarningContent string
+	}{
+		{
+			name:             "same major.minor versions, different patch - no warning",
+			binaryVersion:    "1.34.1",
+			emulationVersion: "1.34.0",
+			alphaAPIsPresent: true,
+			versionEnabled:   true,
+			expectWarning:    false,
+		},
+		{
+			name:             "same major.minor versions, no patch in emulation - no warning",
+			binaryVersion:    "1.34.1",
+			emulationVersion: "1.34",
+			alphaAPIsPresent: true,
+			versionEnabled:   true,
+			expectWarning:    false,
+		},
+		{
+			name:             "identical versions - no warning",
+			binaryVersion:    "1.34.1",
+			emulationVersion: "1.34.1",
+			alphaAPIsPresent: true,
+			versionEnabled:   true,
+			expectWarning:    false,
+		},
+		{
+			name:             "different major versions but not enabled - should not warn",
+			binaryVersion:    "1.34.1",
+			emulationVersion: "1.33.0",
+			alphaAPIsPresent: true,
+			expectWarning:    false,
+		},
+		{
+			name:                 "different major versions - should warn",
+			binaryVersion:        "1.34.1",
+			emulationVersion:     "1.33.0",
+			alphaAPIsPresent:     true,
+			expectWarning:        true,
+			versionEnabled:       true,
+			expectWarningContent: "alpha api enabled with emulated version",
+		},
+		{
+			name:                 "different minor versions - should warn",
+			binaryVersion:        "1.34.1",
+			emulationVersion:     "1.33.5",
+			alphaAPIsPresent:     true,
+			expectWarning:        true,
+			versionEnabled:       true,
+			expectWarningContent: "alpha api enabled with emulated version",
+		},
+		{
+			name:             "different major.minor but no alpha APIs - no warning",
+			binaryVersion:    "1.34.1",
+			emulationVersion: "1.33.0",
+			alphaAPIsPresent: false,
+			expectWarning:    false,
+			versionEnabled:   true,
+		},
+		{
+			name:             "same major.minor with alpha APIs - no warning",
+			binaryVersion:    "1.34.5",
+			emulationVersion: "1.34.0",
+			alphaAPIsPresent: true,
+			expectWarning:    false,
+			versionEnabled:   true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			binaryVer := version.MustParse(tc.binaryVersion)
+			emulationVer := version.MustParse(tc.emulationVersion)
+
+			effectiveVersion := fakeEffectiveVersion{
+				binaryVersion:    binaryVer,
+				emulationVersion: emulationVer,
+			}
+
+			var versions []schema.GroupVersion
+			if tc.alphaAPIsPresent {
+				versions = []schema.GroupVersion{
+					{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"},
+					{Group: "storage.k8s.io", Version: "v1alpha1"},
+				}
+			} else {
+				versions = []schema.GroupVersion{
+					{Group: "rbac.authorization.k8s.io", Version: "v1"},
+					{Group: "storage.k8s.io", Version: "v1beta1"},
+				}
+			}
+
+			registry := fakeGroupVersionRegistry{versions: versions}
+			config := &server.Config{EffectiveVersion: effectiveVersion}
+			options := &APIEnablementOptions{RuntimeConfig: make(cliflag.ConfigurationMap)}
+
+			// Enable the API
+			resourceConfig := serverstore.NewResourceConfig()
+			if tc.versionEnabled {
+				resourceConfig.ExplicitGroupVersionConfigs[schema.GroupVersion{Group: "rbac.authorization.k8s.io", Version: "v1alpha1"}] = true
+			}
+
+			// Capture log output during ApplyTo execution
+			logOutput := captureKlogOutput(func() {
+				err := options.ApplyTo(config, resourceConfig, registry)
+				if err != nil {
+					t.Errorf("ApplyTo failed: %v", err)
+				}
+			})
+
+			// Verify warning expectations
+			if tc.expectWarning {
+				if !strings.Contains(logOutput, tc.expectWarningContent) {
+					t.Errorf("Expected warning containing '%s', but got log output: %s", tc.expectWarningContent, logOutput)
+				}
+				if !strings.Contains(logOutput, "W") { // klog warning prefix
+					t.Errorf("Expected warning log level, but got log output: %s", logOutput)
+				}
+			} else if strings.Contains(logOutput, "alpha api enabled") {
+				t.Errorf("Expected no warning, but got log output: %s", logOutput)
+			}
+		})
+	}
+}
+
+func TestAPIEnablementOptionsApplyToErrorCases(t *testing.T) {
+	// Create a default effective version for test configs
+	defaultEffectiveVersion := fakeEffectiveVersion{
+		binaryVersion:    version.MustParse("1.34.0"),
+		emulationVersion: version.MustParse("1.34.0"),
+	}
+
+	testCases := []struct {
+		name          string
+		options       *APIEnablementOptions
+		config        *server.Config
+		expectError   bool
+		errorContains string
+	}{
+		{
+			name:    "nil options should not error",
+			options: nil,
+			config: &server.Config{
+				EffectiveVersion: defaultEffectiveVersion,
+			},
+			expectError: false,
+		},
+		{
+			name: "invalid runtime config value should error",
+			options: &APIEnablementOptions{
+				RuntimeConfig: cliflag.ConfigurationMap{
+					"api/all": "invalid-value", // Must be "true" or "false"
+				},
+			},
+			config: &server.Config{
+				EffectiveVersion: defaultEffectiveVersion,
+			},
+			expectError:   true,
+			errorContains: "invalid value",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			registry := fakeGroupVersionRegistry{versions: []schema.GroupVersion{
+				{Group: "rbac.authorization.k8s.io", Version: "v1"},
+			}}
+
+			err := tc.options.ApplyTo(tc.config, serverstore.NewResourceConfig(), registry)
+
+			if tc.expectError {
+				if err == nil {
+					t.Errorf("Expected error but got none")
+				} else if tc.errorContains != "" && !strings.Contains(err.Error(), tc.errorContains) {
+					t.Errorf("Expected error containing '%s', but got: %v", tc.errorContains, err)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Expected no error but got: %v", err)
+				}
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
index 6d0e28428e705..e340c9d2ce562 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@@ -395,7 +395,7 @@ func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKey
 	// allow writes indefinitely as long as there is no error
 	// allow writes for only up to kmsv2PluginWriteDEKSourceMaxTTL from now when there are errors
 	// we start the timer before we make the network call because kmsv2PluginWriteDEKSourceMaxTTL is meant to be the upper bound
-	expirationTimestamp := envelopekmsv2.NowFunc().Add(kmsv2PluginWriteDEKSourceMaxTTL)
+	expirationTimestamp := envelopekmsv2.GetNowFunc(h.name)().Add(kmsv2PluginWriteDEKSourceMaxTTL)
 
 	// dynamically check if we want to use KDF seed to derive DEKs or just a single DEK
 	// this gate can only change during tests, but the check is cheap enough to always make
@@ -431,6 +431,7 @@ func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKey
 			UID:                                   uid,
 			ExpirationTimestamp:                   expirationTimestamp,
 			CacheKey:                              cacheKey,
+			KMSProviderName:                       h.name,
 		})
 
 		// it should be logically impossible for the new state to be invalid but check just in case
@@ -792,7 +793,9 @@ func kmsPrefixTransformer(ctx context.Context, config *apiserver.KMSConfiguratio
 			apiServerID:  apiServerID,
 		}
 		// initialize state so that Load always works
-		probe.state.Store(&envelopekmsv2.State{})
+		probe.state.Store(&envelopekmsv2.State{
+			KMSProviderName: kmsName,
+		})
 
 		primeAndProbeKMSv2(ctx, probe, kmsName)
 		transformer := storagevalue.PrefixTransformer{
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
index 125d43ef93e10..f509b989660c9 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
@@ -1853,10 +1853,8 @@ func TestComputeEncryptionConfigHash(t *testing.T) {
 func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
 	defaultUseSeed := GetKDF("")
 
-	origNowFunc := envelopekmsv2.NowFunc
+	origNowFunc := envelopekmsv2.GetNowFunc("")
 	now := origNowFunc() // freeze time
-	t.Cleanup(func() { envelopekmsv2.NowFunc = origNowFunc })
-	envelopekmsv2.NowFunc = func() time.Time { return now }
 
 	klog.LogToStderr(false)
 	var level klog.Level
@@ -2083,6 +2081,9 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
 			kmsName := fmt.Sprintf("panda-%d", i)
 			defer SetKDFForTests(kmsName, tt.useSeed)()
 
+			resetNowFunc := envelopekmsv2.SetNowFuncForTests(kmsName, func() time.Time { return now })
+			t.Cleanup(resetNowFunc)
+
 			var buf bytes.Buffer
 			klog.SetOutput(&buf)
 
@@ -2092,6 +2093,7 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
 				name:    kmsName,
 				service: tt.service,
 			}
+			tt.state.KMSProviderName = kmsName
 			h.state.Store(&tt.state)
 
 			err := h.rotateDEKOnKeyIDChange(ctx, tt.statusKeyID, "panda")
@@ -2106,6 +2108,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
 			ignoredFields := sets.NewString("Transformer", "EncryptedObjectEncryptedDEKSource", "UID", "CacheKey")
 
 			gotState := *h.state.Load()
+			gotState.KMSProviderName = kmsName
+			tt.wantState.KMSProviderName = kmsName
 
 			if diff := cmp.Diff(tt.wantState, gotState,
 				cmp.FilterPath(func(path cmp.Path) bool { return ignoredFields.Has(path.String()) }, cmp.Ignore()),
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
index 2ead600f83c19..a80c3f9ed42f9 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
@@ -141,6 +141,7 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig) error {
 		return err
 	}
 	if err := o.Admission.ApplyTo(&config.Config, config.SharedInformerFactory, kubeClient, dynamicClient, o.FeatureGate,
+		config.EffectiveVersion,
 		initializers...); err != nil {
 		return err
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/routes/debugsocket.go b/staging/src/k8s.io/apiserver/pkg/server/routes/debugsocket.go
index e7297b35f33f2..4deed5a5c23c9 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/routes/debugsocket.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/routes/debugsocket.go
@@ -17,12 +17,15 @@ limitations under the License.
 package routes
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/http"
 	"net/http/pprof"
 	"os"
 	"path"
+
+	"k8s.io/apimachinery/pkg/util/wait"
 )
 
 // DebugSocket installs profiling and debugflag as a Unix-Domain socket.
@@ -62,7 +65,14 @@ func (s *DebugSocket) InstallDebugFlag(flag string, handler func(http.ResponseWr
 }
 
 // Run starts the server and waits for stopCh to be closed to close the server.
+//
+//logcheck:context // RunWithContext should be used instead of Run in code which supports contextual logging.
 func (s *DebugSocket) Run(stopCh <-chan struct{}) error {
+	return s.RunWithContext(wait.ContextForChannel(stopCh))
+}
+
+// RunWithContext starts the server and waits for the context to be cancelled to close the server.
+func (s *DebugSocket) RunWithContext(ctx context.Context) error {
 	if err := os.Remove(s.path); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("failed to remove (%v): %v", s.path, err)
 	}
@@ -75,7 +85,7 @@ func (s *DebugSocket) Run(stopCh <-chan struct{}) error {
 
 	srv := http.Server{Handler: s.mux}
 	go func() {
-		<-stopCh
+		<-ctx.Done()
 		srv.Close()
 	}()
 	return srv.Serve(l)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/OWNERS b/staging/src/k8s.io/apiserver/pkg/server/statusz/OWNERS
new file mode 100644
index 0000000000000..01225cdf85dda
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/OWNERS
@@ -0,0 +1,7 @@
+approvers:
+  - sig-instrumentation-approvers
+  - sig-api-machinery-approvers
+reviewers:
+  - sig-instrumentation-reviewers
+labels:
+  - sig/instrumentation
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/OWNERS b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/OWNERS
new file mode 100644
index 0000000000000..0cd610188ae4f
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/OWNERS
@@ -0,0 +1,11 @@
+# Disable inheritance as this is an api owners file
+options:
+  no_parent_owners: true
+approvers:
+  - api-approvers
+reviewers:
+  - api-reviewers
+  - sig-instrumentation-reviewers
+labels:
+  - kind/api-change
+  - sig/instrumentation
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/doc.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/doc.go
new file mode 100644
index 0000000000000..aa0fdaed0b622
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.apiserver.pkg.server.statusz.api.v1alpha1
+
+// Package v1alpha1 contains API Schema definitions for the zpages v1alpha1 API group
+package v1alpha1
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/register.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/register.go
new file mode 100644
index 0000000000000..6a64dc21b44ca
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/register.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	GroupName = "config.k8s.io"
+	Version   = "v1alpha1"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
+
+var (
+	// SchemeBuilder initializes a scheme builder
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// AddToScheme is a global function that adds this group's types to a scheme
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Statusz{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/types.go
new file mode 100644
index 0000000000000..ccbe05cb8f429
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/types.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// Statusz is a struct used for versioned statusz endpoint.
+type Statusz struct {
+	// TypeMeta is the type metadata for the object.
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// StartTime is the time the component process was initiated.
+	StartTime metav1.Time `json:"startTime"`
+	// UptimeSeconds is the duration in seconds for which the component has been running continuously.
+	UptimeSeconds int64 `json:"uptimeSeconds"`
+	// GoVersion is the version of the Go programming language used to build the binary.
+	// The format is not guaranteed to be consistent across different Go builds.
+	// +optional
+	GoVersion string `json:"goVersion"`
+	// BinaryVersion is the version of the component's binary.
+	// The format is not guaranteed to be semantic versioning and may be an arbitrary string.
+	BinaryVersion string `json:"binaryVersion"`
+	// EmulationVersion is the Kubernetes API version which this component is emulating.
+	// if present, formatted as "<major>.<minor>"
+	// +optional
+	EmulationVersion string `json:"emulationVersion,omitempty"`
+	// Paths contains relative URLs to other essential read-only endpoints for debugging and troubleshooting.
+	// +optional
+	// +listType=set
+	Paths []string `json:"paths"`
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000000000..e36206ae44171
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,58 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Statusz) DeepCopyInto(out *Statusz) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.StartTime.DeepCopyInto(&out.StartTime)
+	if in.Paths != nil {
+		in, out := &in.Paths, &out.Paths
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Statusz.
+func (in *Statusz) DeepCopy() *Statusz {
+	if in == nil {
+		return nil
+	}
+	out := new(Statusz)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Statusz) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..8f2bca4ce3ce0
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/api/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Statusz) OpenAPIModelName() string {
+	return "io.k8s.apiserver.pkg.server.statusz.api.v1alpha1.Statusz"
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/negotiate/negotiation.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/negotiate/negotiation.go
new file mode 100644
index 0000000000000..04c6943774faa
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/negotiate/negotiation.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package negotiate
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// StatuszEndpointRestrictions implements content negotiation restrictions for the z-pages.
+// It is used to validate and restrict which GroupVersionKinds are allowed for structured responses.
+type StatuszEndpointRestrictions struct{}
+
+// AllowsMediaTypeTransform checks if the provided GVK is supported for structured z-page responses.
+func (StatuszEndpointRestrictions) AllowsMediaTypeTransform(mimeType string, mimeSubType string, gvk *schema.GroupVersionKind) bool {
+	if mimeType == "text" && mimeSubType == "plain" {
+		return gvk == nil
+	}
+	return isStructured(gvk)
+}
+
+func (StatuszEndpointRestrictions) AllowsServerVersion(string) bool {
+	return false
+}
+
+func (StatuszEndpointRestrictions) AllowsStreamSchema(s string) bool {
+	return false
+}
+
+func isStructured(gvk *schema.GroupVersionKind) bool {
+	if gvk != nil {
+		if gvk.Group == "config.k8s.io" && gvk.Version == "v1alpha1" {
+			if gvk.Kind == "Statusz" {
+				return true
+			}
+		}
+	}
+
+	return false
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/registry.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/registry.go
new file mode 100644
index 0000000000000..d27cb9400d27e
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/registry.go
@@ -0,0 +1,97 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package statusz
+
+import (
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-base/compatibility"
+	"k8s.io/klog/v2"
+
+	compbasemetrics "k8s.io/component-base/metrics"
+	utilversion "k8s.io/component-base/version"
+)
+
+type statuszRegistry interface {
+	processStartTime() time.Time
+	goVersion() string
+	binaryVersion() *version.Version
+	emulationVersion() *version.Version
+	paths() []string
+	deprecatedVersions() map[string]bool
+}
+
+type registry struct {
+	// componentGlobalsRegistry compatibility.ComponentGlobalsRegistry
+	effectiveVersion compatibility.EffectiveVersion
+	// listedPaths is an alphabetically sorted list of paths to be reported at /.
+	listedPaths []string
+	// deprecatedVersionsMap is a map of deprecated statusz versions.
+	deprecatedVersionsMap map[string]bool
+}
+
+// Option is a function to configure registry.
+type Option func(reg *registry)
+
+// WithListedPaths returns an Option to configure the ListedPaths.
+func WithListedPaths(listedPaths []string) Option {
+	cpyListedPaths := make([]string, len(listedPaths))
+	copy(cpyListedPaths, listedPaths)
+
+	return func(reg *registry) { reg.listedPaths = cpyListedPaths }
+}
+
+func (*registry) processStartTime() time.Time {
+	start, err := compbasemetrics.GetProcessStart()
+	if err != nil {
+		klog.Errorf("Could not get process start time, %v", err)
+	}
+
+	return time.Unix(int64(start), 0)
+}
+
+func (*registry) goVersion() string {
+	return utilversion.Get().GoVersion
+}
+
+func (r *registry) binaryVersion() *version.Version {
+	if r.effectiveVersion != nil {
+		return r.effectiveVersion.BinaryVersion()
+	}
+	return version.MustParse(utilversion.Get().String())
+}
+
+func (r *registry) emulationVersion() *version.Version {
+	if r.effectiveVersion != nil {
+		return r.effectiveVersion.EmulationVersion()
+	}
+
+	return nil
+}
+
+func (r *registry) paths() []string {
+	if r.listedPaths != nil {
+		return r.listedPaths
+	}
+
+	return nil
+}
+
+func (r *registry) deprecatedVersions() map[string]bool {
+	return r.deprecatedVersionsMap
+}
diff --git a/staging/src/k8s.io/component-base/zpages/statusz/registry_test.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/registry_test.go
similarity index 100%
rename from staging/src/k8s.io/component-base/zpages/statusz/registry_test.go
rename to staging/src/k8s.io/apiserver/pkg/server/statusz/registry_test.go
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz.go
new file mode 100644
index 0000000000000..f9f24dfbd7f8e
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz.go
@@ -0,0 +1,257 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package statusz
+
+import (
+	"fmt"
+	"net/http"
+	"sort"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/component-base/compatibility"
+
+	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	"k8s.io/apiserver/pkg/server/statusz/negotiate"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	v1alpha1 "k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
+)
+
+var (
+	delimiters            = []string{":", ": ", "=", " "}
+	nonDebuggingEndpoints = map[string]bool{
+		"/apis":        true,
+		"/api":         true,
+		"/openid":      true,
+		"/openapi":     true,
+		"/.well-known": true,
+	}
+)
+
+const (
+	DefaultStatuszPath = "/statusz"
+	Kind               = "Statusz"
+	GroupName          = "config.k8s.io"
+	Version            = "v1alpha1"
+)
+
+const headerFmt = `
+%s statusz
+Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
+`
+
+var schemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: Version}
+
+type mux interface {
+	Handle(path string, handler http.Handler)
+}
+
+type ListedPathsOption []string
+
+func NewRegistry(effectiveVersion compatibility.EffectiveVersion, opts ...Option) statuszRegistry {
+	r := &registry{
+		effectiveVersion: effectiveVersion,
+	}
+	for _, opt := range opts {
+		opt(r)
+	}
+
+	return r
+}
+
+func Install(m mux, componentName string, reg statuszRegistry) {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(v1alpha1.AddToScheme(scheme))
+	codecFactory := serializer.NewCodecFactory(
+		scheme,
+		serializer.WithSerializer(func(_ runtime.ObjectCreater, _ runtime.ObjectTyper) runtime.SerializerInfo {
+			textSerializer := statuszTextSerializer{componentName, reg}
+			return runtime.SerializerInfo{
+				MediaType:        "text/plain",
+				MediaTypeType:    "text",
+				MediaTypeSubType: "plain",
+				EncodesAsText:    true,
+				Serializer:       textSerializer,
+				PrettySerializer: textSerializer,
+			}
+		}),
+	)
+	m.Handle(DefaultStatuszPath, handleStatusz(componentName, reg, codecFactory, negotiate.StatuszEndpointRestrictions{}))
+}
+
+func handleStatusz(componentName string, reg statuszRegistry, serializer runtime.NegotiatedSerializer, restrictions negotiate.StatuszEndpointRestrictions) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		obj := statusz(componentName, reg)
+		acceptHeader := r.Header.Get("Accept")
+		if strings.TrimSpace(acceptHeader) == "" {
+			writePlainTextResponse(obj, serializer, w)
+			return
+		}
+
+		mediaType, serializerInfo, err := negotiation.NegotiateOutputMediaType(r, serializer, restrictions)
+		if err != nil {
+			utilruntime.HandleError(err)
+			responsewriters.ErrorNegotiated(
+				err,
+				serializer,
+				schema.GroupVersion{},
+				w,
+				r,
+			)
+			return
+		}
+
+		var targetGV schema.GroupVersion
+		switch serializerInfo.MediaType {
+		case "application/json":
+			if mediaType.Convert == nil {
+				err := fmt.Errorf("content negotiation failed: mediaType.Convert is nil for application/json")
+				utilruntime.HandleError(err)
+				responsewriters.ErrorNegotiated(
+					err,
+					serializer,
+					schema.GroupVersion{},
+					w,
+					r,
+				)
+				return
+			}
+			targetGV = mediaType.Convert.GroupVersion()
+			deprecated := reg.deprecatedVersions()[targetGV.Version]
+			if deprecated {
+				w.Header().Set("Warning", `299 - "This version of the statusz endpoint is deprecated. Please use a newer version."`)
+			}
+		case "text/plain":
+			// Even though text/plain serialization does not use the group/version,
+			// the serialization machinery expects a non-zero schema.GroupVersion to be passed.
+			// Passing the zero value can cause errors or unexpected behavior in the negotiation logic.
+			targetGV = schemeGroupVersion
+		default:
+			err = fmt.Errorf("content negotiation failed: unsupported media type '%s'", serializerInfo.MediaType)
+			utilruntime.HandleError(err)
+			responsewriters.ErrorNegotiated(
+				err,
+				serializer,
+				schema.GroupVersion{},
+				w,
+				r,
+			)
+			return
+		}
+
+		writeResponse(obj, serializer, targetGV, restrictions, w, r)
+	}
+}
+
+// writePlainTextResponse writes the statusz response as text/plain using the registered serializer.
+func writePlainTextResponse(obj runtime.Object, serializer runtime.NegotiatedSerializer, w http.ResponseWriter) {
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	// Find the text/plain serializer
+	var textSerializer runtime.Serializer
+	for _, info := range serializer.SupportedMediaTypes() {
+		if info.MediaType == "text/plain" {
+			textSerializer = info.Serializer
+			break
+		}
+	}
+	if textSerializer == nil {
+		utilruntime.HandleError(fmt.Errorf("text/plain serializer not available"))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	if err := textSerializer.Encode(obj, w); err != nil {
+		utilruntime.HandleError(fmt.Errorf("error encoding statusz as text/plain: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+func writeResponse(obj runtime.Object, serializer runtime.NegotiatedSerializer, targetGV schema.GroupVersion, restrictions negotiate.StatuszEndpointRestrictions, w http.ResponseWriter, r *http.Request) {
+	responsewriters.WriteObjectNegotiated(
+		serializer,
+		restrictions,
+		targetGV,
+		w,
+		r,
+		http.StatusOK,
+		obj,
+		true,
+	)
+}
+
+func statusz(componentName string, reg statuszRegistry) *v1alpha1.Statusz {
+	startTime := reg.processStartTime()
+	upTimeSeconds := max(0, int64(time.Since(startTime).Seconds()))
+	goVersion := reg.goVersion()
+	binaryVersion := reg.binaryVersion().String()
+	var emulationVersion string
+	if reg.emulationVersion() != nil {
+		emulationVersion = reg.emulationVersion().String()
+	}
+
+	paths := aggregatePaths(reg.paths())
+	data := &v1alpha1.Statusz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       Kind,
+			APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: componentName,
+		},
+		StartTime:        metav1.Time{Time: startTime},
+		UptimeSeconds:    upTimeSeconds,
+		GoVersion:        goVersion,
+		BinaryVersion:    binaryVersion,
+		EmulationVersion: emulationVersion,
+		Paths:            paths,
+	}
+
+	return data
+}
+
+func uptime(t time.Time) string {
+	upSince := int64(time.Since(t).Seconds())
+	return fmt.Sprintf("%d hr %02d min %02d sec",
+		upSince/3600, (upSince/60)%60, upSince%60)
+}
+
+func aggregatePaths(listedPaths []string) []string {
+	paths := make(map[string]bool)
+	for _, listedPath := range listedPaths {
+		parts := strings.Split(listedPath, "/")
+		if len(parts) < 2 || parts[1] == "" {
+			continue
+		}
+		folder := "/" + parts[1]
+		if !paths[folder] && !nonDebuggingEndpoints[folder] {
+			paths[folder] = true
+		}
+	}
+
+	var sortedPaths []string
+	for p := range paths {
+		sortedPaths = append(sortedPaths, p)
+	}
+	sort.Strings(sortedPaths)
+
+	return sortedPaths
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz_test.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz_test.go
new file mode 100644
index 0000000000000..cd0b2a17d458c
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/statusz_test.go
@@ -0,0 +1,361 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package statusz
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+
+	"k8s.io/apimachinery/pkg/util/version"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1alpha1 "k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
+)
+
+const wantTmpl = `
+%s statusz
+Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
+
+Started: %v
+Up: %s
+Go version: %s
+Binary version: %v
+Emulation version: %v
+Paths: /livez /readyz
+`
+
+const wantTmplWithoutEmulation = `
+%s statusz
+Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
+
+Started: %v
+Up: %s
+Go version: %s
+Binary version: %v
+
+Paths: /livez /readyz
+`
+
+func TestHandleStatusz(t *testing.T) {
+	delimiters = []string{":"}
+	fakeStartTime := time.Now()
+	fakeUptime := uptime(fakeStartTime)
+	fakeGoVersion := "1.21"
+	fakeBvStr := "1.31"
+	fakeEvStr := "1.30"
+	fakeBinaryVersion := parseVersion(t, fakeBvStr)
+	fakeEmulationVersion := parseVersion(t, fakeEvStr)
+	fakeListedPaths := []string{"/livez/poststarthook/peer-discovery-cache-sync", "/livez/post", "/readyz/informer-sync", "/readyz/log", "/readyz/ping"}
+	tests := []struct {
+		name           string
+		acceptHeader   string
+		componentName  string
+		registry       fakeRegistry
+		wantStatusCode int
+		wantBody       string
+		wantJSONBody   *v1alpha1.Statusz
+		wantWarning    bool
+	}{
+		{
+			name:          "valid request for text/plain",
+			acceptHeader:  "text/plain",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+				fakeStartTime.Format(time.UnixDate),
+				fakeUptime,
+				fakeGoVersion,
+				fakeBinaryVersion,
+				fakeEmulationVersion,
+			),
+		},
+		{
+			name:          "valid request for v1alpha1",
+			acceptHeader:  "application/json;v=v1alpha1;g=config.k8s.io;as=Statusz",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+				deprecated:   map[string]bool{},
+			},
+			wantStatusCode: http.StatusOK,
+			wantJSONBody: &v1alpha1.Statusz{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       Kind,
+					APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-server",
+				},
+				StartTime:        metav1.Time{Time: fakeStartTime},
+				UptimeSeconds:    int64(time.Since(fakeStartTime).Seconds()),
+				GoVersion:        fakeGoVersion,
+				BinaryVersion:    fakeBvStr,
+				EmulationVersion: fakeEvStr,
+				Paths:            []string{"/livez", "/readyz"},
+			},
+		},
+		{
+			name:          "no accept header",
+			acceptHeader:  "",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+				fakeStartTime.Format(time.UnixDate),
+				fakeUptime,
+				fakeGoVersion,
+				fakeBinaryVersion,
+				fakeEmulationVersion,
+			),
+		},
+		{
+			name:           "invalid accept header",
+			acceptHeader:   "application/xml",
+			componentName:  "test-server",
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+		{
+			name:          "missing emulation version",
+			acceptHeader:  "text/plain",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: nil,
+				listedPaths:  fakeListedPaths,
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmplWithoutEmulation,
+				"test-server",
+				fakeStartTime.Format(time.UnixDate),
+				fakeUptime,
+				fakeGoVersion,
+				fakeBinaryVersion,
+			),
+		},
+		{
+			name:           "application/json without params",
+			acceptHeader:   "application/json",
+			componentName:  "test-server",
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+		{
+			name:           "application/json with missing as",
+			acceptHeader:   "application/json;v=v1alpha1;g=config.k8s.io",
+			componentName:  "test-server",
+			wantStatusCode: http.StatusNotAcceptable,
+		},
+		{
+			name:          "wildcard accept header",
+			acceptHeader:  "*/*",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+				fakeStartTime.Format(time.UnixDate),
+				fakeUptime,
+				fakeGoVersion,
+				fakeBinaryVersion,
+				fakeEmulationVersion,
+			),
+		},
+		{
+			name:          "bad json header fall back wildcard",
+			acceptHeader:  "application/json;v=foo;g=config.k8s.io;as=Statusz,*/*",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+			},
+			wantStatusCode: http.StatusOK,
+			wantBody: fmt.Sprintf(
+				wantTmpl,
+				"test-server",
+				fakeStartTime.Format(time.UnixDate),
+				fakeUptime,
+				fakeGoVersion,
+				fakeBinaryVersion,
+				fakeEmulationVersion,
+			),
+		},
+		{
+			name:          "deprecated version request",
+			acceptHeader:  "application/json;v=v1alpha1;g=config.k8s.io;as=Statusz",
+			componentName: "test-server",
+			registry: fakeRegistry{
+				startTime:    fakeStartTime,
+				goVer:        fakeGoVersion,
+				binaryVer:    fakeBinaryVersion,
+				emulationVer: fakeEmulationVersion,
+				listedPaths:  fakeListedPaths,
+				deprecated: map[string]bool{
+					"v1alpha1": true,
+				},
+			},
+			wantStatusCode: http.StatusOK,
+			wantJSONBody: &v1alpha1.Statusz{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       Kind,
+					APIVersion: fmt.Sprintf("%s/%s", GroupName, Version),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-server",
+				},
+				StartTime:        metav1.Time{Time: fakeStartTime},
+				UptimeSeconds:    int64(time.Since(fakeStartTime).Seconds()),
+				GoVersion:        fakeGoVersion,
+				BinaryVersion:    fakeBvStr,
+				EmulationVersion: fakeEvStr,
+				Paths:            []string{"/livez", "/readyz"},
+			},
+			wantWarning: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mux := http.NewServeMux()
+			Install(mux, tt.componentName, tt.registry)
+
+			path := "/statusz"
+			req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://example.com%s", path), nil)
+			if err != nil {
+				t.Fatalf("unexpected error while creating request: %v", err)
+			}
+			if tt.acceptHeader != "" {
+				req.Header.Set("Accept", tt.acceptHeader)
+			}
+
+			w := httptest.NewRecorder()
+			mux.ServeHTTP(w, req)
+
+			if w.Code != tt.wantStatusCode {
+				t.Fatalf("want status code: %v, got: %v", tt.wantStatusCode, w.Code)
+			}
+
+			if tt.wantStatusCode == http.StatusOK {
+				if tt.wantJSONBody != nil {
+					var got v1alpha1.Statusz
+					if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
+						t.Fatalf("unexpected error while unmarshalling response: %v", err)
+					}
+					if diff := cmp.Diff(*tt.wantJSONBody, got, timeEqual()); diff != "" {
+						t.Errorf("Unexpected diff on response (-want,+got):\n%s", diff)
+					}
+					if tt.wantWarning {
+						if !strings.Contains(w.Header().Get("Warning"), "deprecated") {
+							t.Errorf("expected deprecation warning in header, but got: %s", w.Header().Get("Warning"))
+						}
+					}
+				} else {
+					if diff := cmp.Diff(tt.wantBody, string(w.Body.String())); diff != "" {
+						t.Errorf("Unexpected diff on response (-want,+got):\n%s", diff)
+					}
+				}
+			}
+		})
+	}
+}
+
+func parseVersion(t *testing.T, v string) *version.Version {
+	parsed, err := version.ParseMajorMinor(v)
+	if err != nil {
+		t.Fatalf("error parsing binary version: %s", v)
+	}
+
+	return parsed
+}
+
+type fakeRegistry struct {
+	startTime    time.Time
+	goVer        string
+	binaryVer    *version.Version
+	emulationVer *version.Version
+	listedPaths  []string
+	deprecated   map[string]bool
+}
+
+func (f fakeRegistry) deprecatedVersions() map[string]bool {
+	return f.deprecated
+}
+
+func (f fakeRegistry) processStartTime() time.Time {
+	return f.startTime
+}
+
+func (f fakeRegistry) goVersion() string {
+	return f.goVer
+}
+
+func (f fakeRegistry) binaryVersion() *version.Version {
+	return f.binaryVer
+}
+
+func (f fakeRegistry) emulationVersion() *version.Version {
+	return f.emulationVer
+}
+
+func (f fakeRegistry) paths() []string {
+	return f.listedPaths
+}
+
+func timeEqual() cmp.Option {
+	return cmp.Comparer(func(expectedTime, actualTime metav1.Time) bool {
+		return expectedTime.Truncate(time.Second).Equal(actualTime.Truncate(time.Second))
+	})
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/statusz/textserializer.go b/staging/src/k8s.io/apiserver/pkg/server/statusz/textserializer.go
new file mode 100644
index 0000000000000..c8bdc2c72a135
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/statusz/textserializer.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package statusz
+
+import (
+	"fmt"
+	"html"
+	"io"
+	"math/rand"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	v1alpha1 "k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
+)
+
+// statuszTextSerializer implements runtime.Serializer for text/plain output.
+type statuszTextSerializer struct {
+	componentName string
+	reg           statuszRegistry
+}
+
+// Encode writes the statusz information in plain text format to the given writer, using the provided obj.
+func (s statuszTextSerializer) Encode(obj runtime.Object, w io.Writer) error {
+	if _, err := fmt.Fprintf(w, headerFmt, s.componentName); err != nil {
+		return err
+	}
+
+	randomIndex := rand.Intn(len(delimiters))
+	delim := html.EscapeString(delimiters[randomIndex])
+
+	statuszObj, ok := obj.(*v1alpha1.Statusz)
+	if !ok {
+		return fmt.Errorf("expected *v1alpha1.Statusz, got %T", obj)
+	}
+
+	startTime := html.EscapeString(statuszObj.StartTime.Time.Format(time.UnixDate))
+	uptimeStr := html.EscapeString(uptime(statuszObj.StartTime.Time))
+	goVersion := html.EscapeString(statuszObj.GoVersion)
+	binaryVersion := html.EscapeString(statuszObj.BinaryVersion)
+
+	var emulationVersion string
+	if statuszObj.EmulationVersion != "" {
+		emulationVersion = fmt.Sprintf(`Emulation version%s %s`, delim, html.EscapeString(statuszObj.EmulationVersion))
+	}
+
+	paths := strings.Join(statuszObj.Paths, " ")
+	if paths != "" {
+		paths = fmt.Sprintf(`Paths%s %s`, delim, html.EscapeString(paths))
+	}
+
+	status := fmt.Sprintf(`
+Started%[1]s %[2]s
+Up%[1]s %[3]s
+Go version%[1]s %[4]s
+Binary version%[1]s %[5]s
+%[6]s
+%[7]s
+`, delim, startTime, uptimeStr, goVersion, binaryVersion, emulationVersion, paths)
+	_, err := fmt.Fprint(w, status)
+	return err
+}
+
+// Decode is not supported for text/plain serialization.
+func (s statuszTextSerializer) Decode(data []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	return nil, nil, fmt.Errorf("decode not supported for text/plain")
+}
+
+// Identifier returns a unique identifier for this serializer.
+func (s statuszTextSerializer) Identifier() runtime.Identifier {
+	return runtime.Identifier("statuszTextSerializer")
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config.go b/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config.go
index 142240b8a3728..981326666215a 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config.go
@@ -122,10 +122,6 @@ type introducedInterface interface {
 	APILifecycleIntroduced() (major, minor int)
 }
 
-type replacementInterface interface {
-	APILifecycleReplacement() schema.GroupVersionKind
-}
-
 func emulatedStorageVersion(binaryVersionOfResource schema.GroupVersion, example runtime.Object, effectiveVersion basecompatibility.EffectiveVersion, scheme *runtime.Scheme) (schema.GroupVersion, error) {
 	if example == nil || effectiveVersion == nil {
 		return binaryVersionOfResource, nil
@@ -179,14 +175,6 @@ func emulatedStorageVersion(binaryVersionOfResource schema.GroupVersion, example
 		// If it was introduced after current compatibility version, don't use it
 		// skip the introduced check for test when current compatibility version is 0.0 to test all apis
 		if introduced, hasIntroduced := exampleOfGVK.(introducedInterface); hasIntroduced && (compatibilityVersion.Major() > 0 || compatibilityVersion.Minor() > 0) {
-
-			// Skip versions that have a replacement.
-			// This can be used to override this storage version selection by
-			// marking a storage version has having a replacement and preventing a
-			// that storage version from being selected.
-			if _, hasReplacement := exampleOfGVK.(replacementInterface); hasReplacement {
-				continue
-			}
 			// API resource lifecycles should be relative to k8s api version
 			majorIntroduced, minorIntroduced := introduced.APILifecycleIntroduced()
 			introducedVer := apimachineryversion.MajorMinor(uint(majorIntroduced), uint(minorIntroduced))
diff --git a/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config_test.go b/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config_test.go
deleted file mode 100644
index a6984deed2645..0000000000000
--- a/staging/src/k8s.io/apiserver/pkg/server/storage/resource_encoding_config_test.go
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package storage
-
-import (
-	"testing"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	runtimetesting "k8s.io/apimachinery/pkg/runtime/testing"
-	"k8s.io/apimachinery/pkg/test"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	utilversion "k8s.io/apimachinery/pkg/util/version"
-	basecompatibility "k8s.io/component-base/compatibility"
-)
-
-func TestEmulatedStorageVersion(t *testing.T) {
-	cases := []struct {
-		name             string
-		scheme           *runtime.Scheme
-		binaryVersion    schema.GroupVersion
-		effectiveVersion basecompatibility.EffectiveVersion
-		want             schema.GroupVersion
-	}{
-		{
-			name:             "pick compatible",
-			scheme:           AlphaBetaScheme(utilversion.MustParse("1.31"), utilversion.MustParse("1.32")),
-			binaryVersion:    v1beta1,
-			effectiveVersion: basecompatibility.NewEffectiveVersionFromString("1.32", "", ""),
-			want:             v1alpha1,
-		},
-		{
-			name:             "alpha has been replaced, pick binary version",
-			scheme:           AlphaReplacedBetaScheme(utilversion.MustParse("1.31"), utilversion.MustParse("1.32")),
-			binaryVersion:    v1beta1,
-			effectiveVersion: basecompatibility.NewEffectiveVersionFromString("1.32", "", ""),
-			want:             v1beta1,
-		},
-	}
-
-	for _, tc := range cases {
-		test.TestScheme()
-		t.Run(tc.name, func(t *testing.T) {
-			found, err := emulatedStorageVersion(tc.binaryVersion, &CronJob{}, tc.effectiveVersion, tc.scheme)
-			if err != nil {
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if found != tc.want {
-				t.Errorf("got %v; want %v", found, tc.want)
-			}
-		})
-	}
-}
-
-var internalGV = schema.GroupVersion{Group: "workload.example.com", Version: runtime.APIVersionInternal}
-var v1alpha1 = schema.GroupVersion{Group: "workload.example.com", Version: "v1alpha1"}
-var v1beta1 = schema.GroupVersion{Group: "workload.example.com", Version: "v1beta1"}
-
-type CronJobWithReplacement struct {
-	introduced *utilversion.Version
-	A          string `json:"A,omitempty"`
-	B          int    `json:"B,omitempty"`
-}
-
-func (*CronJobWithReplacement) GetObjectKind() schema.ObjectKind { panic("not implemented") }
-func (*CronJobWithReplacement) DeepCopyObject() runtime.Object {
-	panic("not implemented")
-}
-
-func (in *CronJobWithReplacement) APILifecycleIntroduced() (major, minor int) {
-	if in.introduced == nil {
-		return 0, 0
-	}
-	return int(in.introduced.Major()), int(in.introduced.Minor())
-}
-
-func (in *CronJobWithReplacement) APILifecycleReplacement() schema.GroupVersionKind {
-	return schema.GroupVersionKind{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRole"}
-}
-
-type CronJob struct {
-	introduced *utilversion.Version
-	A          string `json:"A,omitempty"`
-	B          int    `json:"B,omitempty"`
-}
-
-func (*CronJob) GetObjectKind() schema.ObjectKind { panic("not implemented") }
-func (*CronJob) DeepCopyObject() runtime.Object {
-	panic("not implemented")
-}
-
-func (in *CronJob) APILifecycleIntroduced() (major, minor int) {
-	if in.introduced == nil {
-		return 0, 0
-	}
-	return int(in.introduced.Major()), int(in.introduced.Minor())
-}
-
-func AlphaBetaScheme(alphaVersion, betaVersion *utilversion.Version) *runtime.Scheme {
-	s := runtime.NewScheme()
-	s.AddKnownTypes(internalGV, &CronJob{})
-	s.AddKnownTypes(v1alpha1, &CronJob{introduced: alphaVersion})
-	s.AddKnownTypes(v1beta1, &CronJob{introduced: betaVersion})
-	s.AddKnownTypeWithName(internalGV.WithKind("CronJob"), &CronJob{})
-	s.AddKnownTypeWithName(v1alpha1.WithKind("CronJob"), &CronJob{introduced: alphaVersion})
-	s.AddKnownTypeWithName(v1beta1.WithKind("CronJob"), &CronJob{introduced: betaVersion})
-	utilruntime.Must(runtimetesting.RegisterConversions(s))
-	return s
-}
-
-func AlphaReplacedBetaScheme(alphaVersion, betaVersion *utilversion.Version) *runtime.Scheme {
-	s := runtime.NewScheme()
-	s.AddKnownTypes(internalGV, &CronJob{})
-	s.AddKnownTypes(v1alpha1, &CronJobWithReplacement{introduced: alphaVersion})
-	s.AddKnownTypes(v1beta1, &CronJob{introduced: betaVersion})
-	s.AddKnownTypeWithName(internalGV.WithKind("CronJob"), &CronJob{})
-	s.AddKnownTypeWithName(v1alpha1.WithKind("CronJob"), &CronJobWithReplacement{introduced: alphaVersion})
-	s.AddKnownTypeWithName(v1beta1.WithKind("CronJob"), &CronJob{introduced: betaVersion})
-	utilruntime.Must(runtimetesting.RegisterConversions(s))
-	return s
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cache_watcher_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cache_watcher_test.go
index 85d44df528e83..80d1b59657edc 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cache_watcher_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cache_watcher_test.go
@@ -258,7 +258,7 @@ func TestCacheWatcherStoppedOnDestroy(t *testing.T) {
 		t.Fatalf("unexpected error waiting for the cache to be ready")
 	}
 
-	w, err := cacher.Watch(context.Background(), "pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
+	w, err := cacher.Watch(context.Background(), "/pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher.go
index 3770bc8370333..a5f7ab6d692ad 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher.go
@@ -374,8 +374,18 @@ func NewCacherFromConfig(config Config) (*Cacher, error) {
 		config.Clock = clock.RealClock{}
 	}
 	objType := reflect.TypeOf(obj)
+	resourcePrefix := config.ResourcePrefix
+	if resourcePrefix == "" {
+		return nil, fmt.Errorf("resourcePrefix cannot be empty")
+	}
+	if resourcePrefix == "/" {
+		return nil, fmt.Errorf("resourcePrefix cannot be /")
+	}
+	if !strings.HasPrefix(resourcePrefix, "/") {
+		return nil, fmt.Errorf("resourcePrefix needs to start from /")
+	}
 	cacher := &Cacher{
-		resourcePrefix: config.ResourcePrefix,
+		resourcePrefix: resourcePrefix,
 		ready:          newReady(config.Clock),
 		storage:        config.Storage,
 		objectType:     objType,
@@ -426,8 +436,8 @@ func NewCacherFromConfig(config Config) (*Cacher, error) {
 	watchCache := newWatchCache(
 		config.KeyFunc, cacher.processEvent, config.GetAttrsFunc, config.Versioner, config.Indexers,
 		config.Clock, eventFreshDuration, config.GroupResource, progressRequester, config.Storage.GetCurrentResourceVersion)
-	listerWatcher := NewListerWatcher(config.Storage, config.ResourcePrefix, config.NewListFunc, contextMetadata)
-	reflectorName := "storage/cacher.go:" + config.ResourcePrefix
+	listerWatcher := NewListerWatcher(config.Storage, resourcePrefix, config.NewListFunc, contextMetadata)
+	reflectorName := "storage/cacher.go:" + resourcePrefix
 
 	reflector := cache.NewNamedReflector(reflectorName, listerWatcher, obj, watchCache, 0)
 	// Configure reflector's pager to for an appropriate pagination chunk size for fetching data from
@@ -441,6 +451,13 @@ func NewCacherFromConfig(config Config) (*Cacher, error) {
 	cacher.watchCache = watchCache
 	cacher.reflector = reflector
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.SizeBasedListCostEstimate) {
+		err := config.Storage.EnableResourceSizeEstimation(cacher.getKeys)
+		if err != nil {
+			return nil, fmt.Errorf("failed to enable resource size estimation: %w", err)
+		}
+	}
+
 	if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
 		cacher.compactor = newCompactor(config.Storage, watchCache, config.Clock)
 		go cacher.compactor.Run(stopCh)
@@ -461,7 +478,6 @@ func NewCacherFromConfig(config Config) (*Cacher, error) {
 			}, time.Second, stopCh,
 		)
 	}()
-	config.Storage.SetKeysFunc(cacher.getKeys)
 	return cacher, nil
 }
 
@@ -489,6 +505,10 @@ type namespacedName struct {
 }
 
 func (c *Cacher) Watch(ctx context.Context, key string, opts storage.ListOptions) (watch.Interface, error) {
+	key, err := c.prepareKey(key, opts.Recursive)
+	if err != nil {
+		return nil, err
+	}
 	pred := opts.Predicate
 	requestedWatchRV, err := c.versioner.ParseResourceVersion(opts.ResourceVersion)
 	if err != nil {
@@ -656,6 +676,10 @@ func (c *Cacher) Watch(ctx context.Context, key string, opts storage.ListOptions
 }
 
 func (c *Cacher) Get(ctx context.Context, key string, opts storage.GetOptions, objPtr runtime.Object) error {
+	key, err := c.prepareKey(key, false)
+	if err != nil {
+		return err
+	}
 	getRV, err := c.versioner.ParseResourceVersion(opts.ResourceVersion)
 	if err != nil {
 		return err
@@ -707,15 +731,11 @@ type listResp struct {
 
 // GetList implements storage.Interface
 func (c *Cacher) GetList(ctx context.Context, key string, opts storage.ListOptions, listObj runtime.Object) error {
-	// For recursive lists, we need to make sure the key ended with "/" so that we only
-	// get children "directories". e.g. if we have key "/a", "/a/b", "/ab", getting keys
-	// with prefix "/a" will return all three, while with prefix "/a/" will return only
-	// "/a/b" which is the correct answer.
-	preparedKey := key
-	if opts.Recursive && !strings.HasSuffix(key, "/") {
-		preparedKey += "/"
-	}
-	_, err := c.versioner.ParseResourceVersion(opts.ResourceVersion)
+	preparedKey, err := c.prepareKey(key, opts.Recursive)
+	if err != nil {
+		return err
+	}
+	_, err = c.versioner.ParseResourceVersion(opts.ResourceVersion)
 	if err != nil {
 		return err
 	}
@@ -1159,6 +1179,10 @@ func (c *Cacher) Stop() {
 	c.stopWg.Wait()
 }
 
+func (c *Cacher) prepareKey(key string, recursive bool) (string, error) {
+	return storage.PrepareKey(c.resourcePrefix, key, recursive)
+}
+
 func forgetWatcher(c *Cacher, w *cacheWatcher, index int, scope namespacedName, triggerValue string, triggerSupported bool) func(bool) {
 	return func(drainWatcher bool) {
 		c.Lock()
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_test.go
index 309851f5c7e70..52d079fc8558a 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_test.go
@@ -42,6 +42,7 @@ import (
 	storagetesting "k8s.io/apiserver/pkg/storage/testing"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/identity"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	clientfeatures "k8s.io/client-go/features"
 	"k8s.io/client-go/tools/cache"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/klog/v2"
@@ -199,14 +200,14 @@ func TestLists(t *testing.T) {
 					t.Parallel()
 					ctx, cacher, server, terminate := testSetupWithEtcdServer(t)
 					t.Cleanup(terminate)
-					storagetesting.RunTestConsistentList(ctx, t, cacher, increaseRV(server.V3Client.Client), true, consistentRead, listFromCacheSnapshot)
+					storagetesting.RunTestConsistentList(ctx, t, cacher, increaseRVFunc(server.V3Client.Client), true, consistentRead, listFromCacheSnapshot)
 				})
 
 				t.Run("GetListNonRecursive", func(t *testing.T) {
 					t.Parallel()
 					ctx, cacher, server, terminate := testSetupWithEtcdServer(t)
 					t.Cleanup(terminate)
-					storagetesting.RunTestGetListNonRecursive(ctx, t, increaseRV(server.V3Client.Client), cacher)
+					storagetesting.RunTestGetListNonRecursive(ctx, t, increaseRVFunc(server.V3Client.Client), cacher)
 				})
 			})
 		}
@@ -218,7 +219,7 @@ func TestCompactRevision(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ListFromCacheSnapshot, true)
 	ctx, cacher, server, terminate := testSetupWithEtcdServer(t)
 	t.Cleanup(terminate)
-	storagetesting.RunTestCompactRevision(ctx, t, cacher, increaseRV(server.V3Client.Client), compactStore(cacher, server.V3Client.Client))
+	storagetesting.RunTestCompactRevision(ctx, t, cacher, increaseRVFunc(server.V3Client.Client), compactStore(cacher, server.V3Client.Client))
 }
 
 func TestMarkConsistent(t *testing.T) {
@@ -303,7 +304,7 @@ func etcdListRequests(t *testing.T, ctx context.Context, store storage.Interface
 	key := rand.String(10)
 	listCtx := context.WithValue(ctx, storagetesting.RecorderContextKey, key)
 	listOut := &example.PodList{}
-	if err := store.GetList(listCtx, "/pods", opts, listOut); err != nil {
+	if err := store.GetList(listCtx, "/pods/", opts, listOut); err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 	return recorder.ListRequestForKey(key)
@@ -391,6 +392,11 @@ func TestStats(t *testing.T) {
 		})
 	}
 }
+func TestKeySchema(t *testing.T) {
+	ctx, cacher, terminate := testSetup(t)
+	t.Cleanup(terminate)
+	storagetesting.RunTestKeySchema(ctx, t, cacher)
+}
 
 func TestWatch(t *testing.T) {
 	ctx, cacher, terminate := testSetup(t)
@@ -513,7 +519,7 @@ type setupOptions struct {
 type setupOption func(*setupOptions)
 
 func withDefaults(options *setupOptions) {
-	prefix := "/pods"
+	prefix := "/pods/"
 
 	options.resourcePrefix = prefix
 	options.keyFunc = func(obj runtime.Object) (string, error) { return storage.NamespaceKeyFunc(prefix, obj) }
@@ -563,9 +569,15 @@ func testSetupWithEtcdServer(t testing.TB, opts ...setupOption) (context.Context
 
 	server, etcdStorage := newEtcdTestStorage(t, etcd3testing.PathPrefix())
 	// Inject one list error to make sure we test the relist case.
+	listErrors := 1
+	if clientfeatures.FeatureGates().Enabled(clientfeatures.WatchListClient) {
+		// The WatchListClient feature changes the reflector to use WATCH
+		// instead of LIST, therefore we don't expect any errors
+		listErrors = 0
+	}
 	wrappedStorage := &storagetesting.StorageInjectingListErrors{
 		Interface: etcdStorage,
-		Errors:    1,
+		Errors:    listErrors,
 	}
 
 	config := Config{
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_testing_utils_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_testing_utils_test.go
index 8c08f777d5f9e..245e9a0b99f30 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_testing_utils_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_testing_utils_test.go
@@ -63,19 +63,22 @@ func newEtcdTestStorage(t testing.TB, prefix string) (*etcd3testing.EtcdTestServ
 	codec := apitesting.TestCodec(codecs, examplev1.SchemeGroupVersion)
 	compactor := etcd3.NewCompactor(server.V3Client.Client, 0, clock.RealClock{}, nil)
 	t.Cleanup(compactor.Stop)
-	storage := etcd3.New(
+	storage, err := etcd3.New(
 		server.V3Client,
 		compactor,
 		codec,
 		newPod,
 		newPodList,
 		prefix,
-		"/pods",
+		"/pods/",
 		schema.GroupResource{Resource: "pods"},
 		identity.NewEncryptCheckTransformer(),
 		etcd3.NewDefaultLeaseManagerConfig(),
 		etcd3.NewDefaultDecoder(codec, versioner),
 		versioner)
+	if err != nil {
+		t.Fatal(err)
+	}
 	t.Cleanup(storage.Close)
 	return server, storage
 }
@@ -162,10 +165,12 @@ func compactStore(c *CacheDelegator, client *clientv3.Client) storagetesting.Com
 	}
 }
 
-func increaseRV(client *clientv3.Client) storagetesting.IncreaseRVFunc {
-	return func(ctx context.Context, t *testing.T) {
-		if _, err := client.KV.Put(ctx, "increaseRV", "ok"); err != nil {
+func increaseRVFunc(client *clientv3.Client) storagetesting.IncreaseRVFunc {
+	return func(ctx context.Context, t *testing.T) int64 {
+		resp, err := client.KV.Put(ctx, "increaseRV", "ok")
+		if err != nil {
 			t.Fatalf("Could not update increaseRV: %v", err)
 		}
+		return resp.Header.Revision
 	}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_whitebox_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_whitebox_test.go
index bd3ce3237e4f2..215fc13ac6038 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_whitebox_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/cacher_whitebox_test.go
@@ -30,13 +30,12 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/metadata"
-	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
-	"k8s.io/apimachinery/pkg/apis/meta/internalversion/validation"
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
@@ -55,6 +54,8 @@ import (
 	etcdfeature "k8s.io/apiserver/pkg/storage/feature"
 	storagetesting "k8s.io/apiserver/pkg/storage/testing"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	k8smetrics "k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/testutil"
@@ -64,7 +65,7 @@ import (
 )
 
 func newTestCacherWithoutSyncing(s storage.Interface, c clock.WithTicker) (*Cacher, storage.Versioner, error) {
-	prefix := "pods"
+	prefix := "/pods/"
 	config := Config{
 		Storage:             s,
 		Versioner:           storage.APIObjectVersioner{},
@@ -141,6 +142,10 @@ func (d *dummyStorage) CompactRevision() int64 {
 	return 0
 }
 
+func (d *dummyStorage) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 type dummyWatch struct {
 	ch chan watch.Event
 }
@@ -196,7 +201,8 @@ func (d *dummyStorage) GuaranteedUpdate(_ context.Context, _ string, _ runtime.O
 func (d *dummyStorage) Stats(_ context.Context) (storage.Stats, error) {
 	return storage.Stats{}, fmt.Errorf("unimplemented")
 }
-func (d *dummyStorage) SetKeysFunc(storage.KeysFunc) {
+func (d *dummyStorage) EnableResourceSizeEstimation(storage.KeysFunc) error {
+	return nil
 }
 func (d *dummyStorage) ReadinessCheck() error {
 	return nil
@@ -625,7 +631,7 @@ apiserver_watch_cache_consistent_read_total{fallback="true", group="", resource=
 			}
 
 			start := cacher.clock.Now()
-			err = delegator.GetList(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "", Recursive: true}, result)
+			err = delegator.GetList(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "", Recursive: true}, result)
 			clockStepCancelFn()
 			duration := cacher.clock.Since(start)
 			if (err != nil) != tc.expectError {
@@ -717,7 +723,7 @@ func TestMatchExactResourceVersionFallback(t *testing.T) {
 			delegator := NewCacheDelegator(cacher, backingStorage)
 
 			result := &example.PodList{}
-			err = delegator.GetList(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "20", ResourceVersionMatch: metav1.ResourceVersionMatchExact, Recursive: true}, result)
+			err = delegator.GetList(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "20", ResourceVersionMatch: metav1.ResourceVersionMatchExact, Recursive: true}, result)
 			if err != nil {
 				t.Fatalf("Unexpected error: %v", err)
 			}
@@ -760,7 +766,7 @@ func TestGetListNonRecursiveCacheBypass(t *testing.T) {
 
 	// Inject error to underlying layer and check if cacher is not bypassed.
 	backingStorage.injectGetListError(errDummy)
-	err = delegator.GetList(context.TODO(), "pods/ns", storage.ListOptions{
+	err = delegator.GetList(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "0",
 		Predicate:       pred,
 	}, result)
@@ -768,7 +774,7 @@ func TestGetListNonRecursiveCacheBypass(t *testing.T) {
 		t.Errorf("GetList with Limit and RV=0 should be served from cache: %v", err)
 	}
 
-	err = delegator.GetList(context.TODO(), "pods/ns", storage.ListOptions{
+	err = delegator.GetList(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "",
 		Predicate:       pred,
 	}, result)
@@ -779,8 +785,10 @@ func TestGetListNonRecursiveCacheBypass(t *testing.T) {
 
 func TestGetListNonRecursiveCacheWithConsistentListFromCache(t *testing.T) {
 	// Set feature gates once at the beginning since we only care about ConsistentListFromCache=true and ListFromCacheSnapshot=false
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ConsistentListFromCache, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ListFromCacheSnapshot, false)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ConsistentListFromCache: true,
+		features.ListFromCacheSnapshot:   false,
+	})
 	forceRequestWatchProgressSupport(t)
 
 	tests := []struct {
@@ -841,7 +849,7 @@ func TestGetListNonRecursiveCacheWithConsistentListFromCache(t *testing.T) {
 			defer delegator.Stop()
 
 			// Setup test object
-			key := "pods/ns"
+			key := "/pods/ns"
 			input := &example.Pod{ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "ns"}}
 			if err := v.UpdateObject(input, 100); err != nil {
 				t.Fatalf("Unexpected error: %v", err)
@@ -916,7 +924,7 @@ func TestGetCacheBypass(t *testing.T) {
 
 	// Inject error to underlying layer and check if cacher is not bypassed.
 	backingStorage.injectGetListError(errDummy)
-	err = delegator.Get(context.TODO(), "pods/ns/pod-0", storage.GetOptions{
+	err = delegator.Get(context.TODO(), "/pods/ns/pod-0", storage.GetOptions{
 		IgnoreNotFound:  true,
 		ResourceVersion: "0",
 	}, result)
@@ -924,7 +932,7 @@ func TestGetCacheBypass(t *testing.T) {
 		t.Errorf("Get with RV=0 should be served from cache: %v", err)
 	}
 
-	err = delegator.Get(context.TODO(), "pods/ns/pod-0", storage.GetOptions{
+	err = delegator.Get(context.TODO(), "/pods/ns/pod-0", storage.GetOptions{
 		IgnoreNotFound:  true,
 		ResourceVersion: "",
 	}, result)
@@ -949,7 +957,7 @@ func TestWatchCacheBypass(t *testing.T) {
 		}
 	}
 
-	_, err = delegator.Watch(context.TODO(), "pod/ns", storage.ListOptions{
+	_, err = delegator.Watch(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "0",
 		Predicate:       storage.Everything,
 	})
@@ -957,7 +965,7 @@ func TestWatchCacheBypass(t *testing.T) {
 		t.Errorf("Watch with RV=0 should be served from cache: %v", err)
 	}
 
-	_, err = delegator.Watch(context.TODO(), "pod/ns", storage.ListOptions{
+	_, err = delegator.Watch(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "",
 		Predicate:       storage.Everything,
 	})
@@ -1119,7 +1127,7 @@ func TestWatchNotHangingOnStartupFailure(t *testing.T) {
 	// Watch hangs waiting on watchcache being initialized.
 	// Ensure that it terminates when its context is cancelled
 	// (e.g. the request is terminated for whatever reason).
-	_, err = cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "0"})
+	_, err = cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "0"})
 	if !utilfeature.DefaultFeatureGate.Enabled(features.ResilientWatchCacheInitialization) {
 		if err == nil || err.Error() != apierrors.NewServiceUnavailable(context.Canceled.Error()).Error() {
 			t.Errorf("Unexpected error: %#v", err)
@@ -1164,7 +1172,7 @@ func TestWatcherNotGoingBackInTime(t *testing.T) {
 	totalPods := 100
 
 	// Create watcher that will be slowing down reading.
-	w1, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{
+	w1, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "999",
 		Predicate:       storage.Everything,
 	})
@@ -1189,7 +1197,7 @@ func TestWatcherNotGoingBackInTime(t *testing.T) {
 	}
 
 	// Create fast watcher and ensure it will get each object exactly once.
-	w2, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
+	w2, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
@@ -1234,7 +1242,7 @@ func TestCacherDontAcceptRequestsStopped(t *testing.T) {
 		}
 	}
 
-	w, err := delegator.Watch(context.Background(), "pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
+	w, err := delegator.Watch(context.Background(), "/pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
@@ -1254,13 +1262,13 @@ func TestCacherDontAcceptRequestsStopped(t *testing.T) {
 
 	cacher.Stop()
 
-	_, err = delegator.Watch(context.Background(), "pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
+	_, err = delegator.Watch(context.Background(), "/pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: storage.Everything})
 	if err == nil {
 		t.Fatalf("Success to create Watch: %v", err)
 	}
 
 	result := &example.Pod{}
-	err = delegator.Get(context.TODO(), "pods/ns/pod-0", storage.GetOptions{
+	err = delegator.Get(context.TODO(), "/pods/ns/pod-0", storage.GetOptions{
 		IgnoreNotFound:  true,
 		ResourceVersion: "1",
 	}, result)
@@ -1275,7 +1283,7 @@ func TestCacherDontAcceptRequestsStopped(t *testing.T) {
 	}
 
 	listResult := &example.PodList{}
-	err = delegator.GetList(context.TODO(), "pods/ns", storage.ListOptions{
+	err = delegator.GetList(context.TODO(), "/pods/ns", storage.ListOptions{
 		ResourceVersion: "1",
 		Recursive:       true,
 		Predicate: storage.SelectionPredicate{
@@ -1373,7 +1381,7 @@ func TestCacherDontMissEventsOnReinitialization(t *testing.T) {
 	for i := 0; i < concurrency; i++ {
 		go func() {
 			defer wg.Done()
-			w, err := cacher.Watch(ctx, "pods", storage.ListOptions{ResourceVersion: "1", Predicate: storage.Everything})
+			w, err := cacher.Watch(ctx, "/pods/", storage.ListOptions{ResourceVersion: "1", Predicate: storage.Everything})
 			if err != nil {
 				// Watch failed to initialize (this most probably means that cacher
 				// already moved back to Pending state before watch initialized.
@@ -1442,7 +1450,7 @@ func TestCacherNoLeakWithMultipleWatchers(t *testing.T) {
 			default:
 				ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 				defer cancel()
-				w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: pred})
+				w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: pred})
 				if err != nil {
 					watchErr = fmt.Errorf("Failed to create watch: %v", err)
 					return
@@ -1507,7 +1515,7 @@ func testCacherSendBookmarkEvents(t *testing.T, allowWatchBookmarks, expectedBoo
 
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
-	w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: pred})
+	w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "0", Predicate: pred})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
@@ -1676,7 +1684,7 @@ func TestInitialEventsEndBookmark(t *testing.T) {
 			pred.AllowWatchBookmarks = scenario.allowWatchBookmarks
 			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 			defer cancel()
-			w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "100", SendInitialEvents: scenario.sendInitialEvents, Predicate: pred})
+			w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "100", SendInitialEvents: scenario.sendInitialEvents, Predicate: pred})
 			if err != nil {
 				t.Fatalf("Failed to create watch: %v", err)
 			}
@@ -1723,7 +1731,7 @@ func TestCacherSendsMultipleWatchBookmarks(t *testing.T) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "100", Predicate: pred})
+	w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "100", Predicate: pred})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
@@ -1794,7 +1802,7 @@ func TestDispatchingBookmarkEventsWithConcurrentStop(t *testing.T) {
 		pred.AllowWatchBookmarks = true
 		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 		defer cancel()
-		w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: pred})
+		w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: pred})
 		if err != nil {
 			t.Fatalf("Failed to create watch: %v", err)
 		}
@@ -1968,7 +1976,7 @@ func TestStartingResourceVersion(t *testing.T) {
 	// Advance RV by 10.
 	startVersion := uint64(1010)
 
-	watcher, err := cacher.Watch(context.TODO(), "pods/ns/foo", storage.ListOptions{ResourceVersion: strconv.FormatUint(startVersion, 10), Predicate: storage.Everything})
+	watcher, err := cacher.Watch(context.TODO(), "/pods/ns/foo", storage.ListOptions{ResourceVersion: strconv.FormatUint(startVersion, 10), Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
@@ -2045,14 +2053,14 @@ func TestDispatchEventWillNotBeBlockedByTimedOutWatcher(t *testing.T) {
 	totalPods := 50
 
 	// Create watcher that will be blocked.
-	w1, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
+	w1, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
 	defer w1.Stop()
 
 	// Create fast watcher and ensure it will get all objects.
-	w2, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
+	w2, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("Failed to create watch: %v", err)
 	}
@@ -2167,7 +2175,7 @@ func TestCachingDeleteEvents(t *testing.T) {
 	}
 
 	createWatch := func(pred storage.SelectionPredicate) watch.Interface {
-		w, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: pred})
+		w, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "999", Predicate: pred})
 		if err != nil {
 			t.Fatalf("Failed to create watch: %v", err)
 		}
@@ -2248,7 +2256,7 @@ func testCachingObjects(t *testing.T, watchersCount int) {
 
 	watchers := make([]watch.Interface, 0, watchersCount)
 	for i := 0; i < watchersCount; i++ {
-		w, err := cacher.Watch(context.TODO(), "pods/ns", storage.ListOptions{ResourceVersion: "1000", Predicate: storage.Everything})
+		w, err := cacher.Watch(context.TODO(), "/pods/ns", storage.ListOptions{ResourceVersion: "1000", Predicate: storage.Everything})
 		if err != nil {
 			t.Fatalf("Failed to create watch: %v", err)
 		}
@@ -2384,7 +2392,7 @@ func TestCacheIntervalInvalidationStopsWatch(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	w, err := cacher.Watch(ctx, "pods/ns", storage.ListOptions{
+	w, err := cacher.Watch(ctx, "/pods/ns", storage.ListOptions{
 		ResourceVersion: "999",
 		Predicate:       storage.Everything,
 	})
@@ -2410,8 +2418,10 @@ func TestCacheIntervalInvalidationStopsWatch(t *testing.T) {
 }
 
 func TestWaitUntilWatchCacheFreshAndForceAllEvents(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WatchList, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ConsistentListFromCache, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.WatchList:               true,
+		features.ConsistentListFromCache: true,
+	})
 	forceRequestWatchProgressSupport(t)
 
 	scenarios := []struct {
@@ -2546,7 +2556,7 @@ func TestWaitUntilWatchCacheFreshAndForceAllEvents(t *testing.T) {
 				}
 			}
 
-			w, err := cacher.Watch(context.Background(), "pods/ns", scenario.opts)
+			w, err := cacher.Watch(context.Background(), "/pods/ns", scenario.opts)
 			require.NoError(t, err, "failed to create watch: %v")
 			defer w.Stop()
 			var expectedErr *apierrors.StatusError
@@ -2572,7 +2582,7 @@ func TestWaitUntilWatchCacheFreshAndForceAllEvents(t *testing.T) {
 					t.Errorf("failed adding a pod to the watchCache %v", err)
 				}
 			}(t)
-			w, err = cacher.Watch(context.Background(), "pods/ns", scenario.opts)
+			w, err = cacher.Watch(context.Background(), "/pods/ns", scenario.opts)
 			require.NoError(t, err, "failed to create watch: %v")
 			defer w.Stop()
 			verifyEvents(t, w, []watch.Event{
@@ -2679,7 +2689,7 @@ func BenchmarkCacher_GetList(b *testing.B) {
 				b.ResetTimer()
 				for i := 0; i < b.N; i++ {
 					result := &example.PodList{}
-					err = delegator.GetList(context.TODO(), "pods", storage.ListOptions{
+					err = delegator.GetList(context.TODO(), "/pods/", storage.ListOptions{
 						Predicate:       pred,
 						Recursive:       true,
 						ResourceVersion: "12345",
@@ -2716,7 +2726,7 @@ func TestWatchListIsSynchronisedWhenNoEventsFromStoreReceived(t *testing.T) {
 		Predicate:         pred,
 		SendInitialEvents: ptr.To(true),
 	}
-	w, err := cacher.Watch(context.Background(), "pods/ns", opts)
+	w, err := cacher.Watch(context.Background(), "/pods/ns", opts)
 	require.NoError(t, err, "failed to create watch: %v")
 	defer w.Stop()
 
@@ -3153,122 +3163,6 @@ func TestGetBookmarkAfterResourceVersionLockedFunc(t *testing.T) {
 	}
 }
 
-func TestWatchStreamSeparation(t *testing.T) {
-	server, etcdStorage := newEtcdTestStorage(t, etcd3testing.PathPrefix())
-	t.Cleanup(func() {
-		server.Terminate(t)
-	})
-	setupOpts := &setupOptions{}
-	withDefaults(setupOpts)
-	config := Config{
-		Storage:             etcdStorage,
-		Versioner:           storage.APIObjectVersioner{},
-		GroupResource:       schema.GroupResource{Resource: "pods"},
-		EventsHistoryWindow: DefaultEventFreshDuration,
-		ResourcePrefix:      setupOpts.resourcePrefix,
-		KeyFunc:             setupOpts.keyFunc,
-		GetAttrsFunc:        GetPodAttrs,
-		NewFunc:             newPod,
-		NewListFunc:         newPodList,
-		IndexerFuncs:        setupOpts.indexerFuncs,
-		Codec:               codecs.LegacyCodec(examplev1.SchemeGroupVersion),
-		Clock:               setupOpts.clock,
-	}
-	tcs := []struct {
-		name                         string
-		separateCacheWatchRPC        bool
-		useWatchCacheContextMetadata bool
-		expectBookmarkOnWatchCache   bool
-		expectBookmarkOnEtcd         bool
-	}{
-		{
-			name:                       "common RPC > both get bookmarks",
-			separateCacheWatchRPC:      false,
-			expectBookmarkOnEtcd:       true,
-			expectBookmarkOnWatchCache: true,
-		},
-		{
-			name:                       "separate RPC > only etcd gets bookmarks",
-			separateCacheWatchRPC:      true,
-			expectBookmarkOnEtcd:       true,
-			expectBookmarkOnWatchCache: false,
-		},
-		{
-			name:                         "separate RPC & watch cache context > only watch cache gets bookmarks",
-			separateCacheWatchRPC:        true,
-			useWatchCacheContextMetadata: true,
-			expectBookmarkOnEtcd:         false,
-			expectBookmarkOnWatchCache:   true,
-		},
-	}
-	for _, tc := range tcs {
-		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SeparateCacheWatchRPC, tc.separateCacheWatchRPC)
-			cacher, err := NewCacherFromConfig(config)
-			if err != nil {
-				t.Fatalf("Failed to initialize cacher: %v", err)
-			}
-			defer cacher.Stop()
-
-			if !utilfeature.DefaultFeatureGate.Enabled(features.ResilientWatchCacheInitialization) {
-				if err := cacher.ready.wait(context.TODO()); err != nil {
-					t.Fatalf("unexpected error waiting for the cache to be ready")
-				}
-			}
-
-			getCacherRV := func() uint64 {
-				cacher.watchCache.RLock()
-				defer cacher.watchCache.RUnlock()
-				return cacher.watchCache.resourceVersion
-			}
-			waitContext, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-			defer cancel()
-			waitForEtcdBookmark := watchAndWaitForBookmark(t, waitContext, cacher.storage)
-
-			var out example.Pod
-			err = cacher.storage.Create(context.Background(), "foo", &example.Pod{}, &out, 0)
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = cacher.storage.Delete(context.Background(), "foo", &out, nil, storage.ValidateAllObjectFunc, &example.Pod{}, storage.DeleteOptions{})
-			if err != nil {
-				t.Fatal(err)
-			}
-			versioner := storage.APIObjectVersioner{}
-			var lastResourceVersion uint64
-			lastResourceVersion, err = versioner.ObjectResourceVersion(&out)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			var contextMetadata metadata.MD
-			if tc.useWatchCacheContextMetadata {
-				contextMetadata = metadata.New(map[string]string{"source": "cache"})
-			}
-			// For the first 100ms from watch creation, watch progress requests are ignored.
-			time.Sleep(200 * time.Millisecond)
-			err = cacher.storage.RequestWatchProgress(metadata.NewOutgoingContext(context.Background(), contextMetadata))
-			if err != nil {
-				t.Fatal(err)
-			}
-			// Give time for bookmark to arrive
-			time.Sleep(time.Second)
-
-			etcdWatchResourceVersion := waitForEtcdBookmark()
-			gotEtcdWatchBookmark := etcdWatchResourceVersion == lastResourceVersion
-			if gotEtcdWatchBookmark != tc.expectBookmarkOnEtcd {
-				t.Errorf("Unexpected etcd bookmark check result, rv: %d, lastRV: %d, wantMatching: %v", etcdWatchResourceVersion, lastResourceVersion, tc.expectBookmarkOnEtcd)
-			}
-
-			watchCacheResourceVersion := getCacherRV()
-			cacherGotBookmark := watchCacheResourceVersion == lastResourceVersion
-			if cacherGotBookmark != tc.expectBookmarkOnWatchCache {
-				t.Errorf("Unexpected watch cache bookmark check result, rv: %d, lastRV: %d, wantMatching: %v", watchCacheResourceVersion, lastResourceVersion, tc.expectBookmarkOnWatchCache)
-			}
-		})
-	}
-}
-
 func TestComputeListLimit(t *testing.T) {
 	scenarios := []struct {
 		name          string
@@ -3326,37 +3220,6 @@ func TestComputeListLimit(t *testing.T) {
 	}
 }
 
-func watchAndWaitForBookmark(t *testing.T, ctx context.Context, etcdStorage storage.Interface) func() (resourceVersion uint64) {
-	opts := storage.ListOptions{ResourceVersion: "", Predicate: storage.Everything, Recursive: true}
-	opts.Predicate.AllowWatchBookmarks = true
-	w, err := etcdStorage.Watch(ctx, "/pods/", opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	versioner := storage.APIObjectVersioner{}
-	var rv uint64
-	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		for event := range w.ResultChan() {
-			if event.Type == watch.Bookmark {
-				rv, err = versioner.ObjectResourceVersion(event.Object)
-				break
-			}
-		}
-	}()
-	return func() (resourceVersion uint64) {
-		defer w.Stop()
-		wg.Wait()
-		if err != nil {
-			t.Fatal(err)
-		}
-		return rv
-	}
-}
-
 // TODO(p0lyn0mial): forceRequestWatchProgressSupport inits the storage layer
 // so that tests that require storage.RequestWatchProgress pass
 //
@@ -3563,3 +3426,23 @@ func TestRetryAfterForUnreadyCache(t *testing.T) {
 		t.Fatalf("Unexpected retry after: %v", statusError.Status().Details.RetryAfterSeconds)
 	}
 }
+
+func TestWatchListSemanticsSimple(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WatchList, true)
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	// The dummyStore doesn’t support WatchList semantics,
+	// so we don’t need to prepare a response.
+	backingStorage := &dummyStorage{}
+	clock := testingclock.NewFakeClock(time.Now())
+	cacher, _, err := newTestCacherWithoutSyncing(backingStorage, clock)
+	if err != nil {
+		t.Fatalf("couldn't create cacher: %v", err)
+	}
+	defer cacher.Stop()
+	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
+	defer cancel()
+	if err = cacher.ready.wait(ctx); err != nil {
+		t.Fatalf("error waiting for the cache to be ready, err: %v", err)
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator.go
index 68d269ca35e9c..b08c1fd5a4edd 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator.go
@@ -99,8 +99,8 @@ func (c *CacheDelegator) GetCurrentResourceVersion(ctx context.Context) (uint64,
 	return c.storage.GetCurrentResourceVersion(ctx)
 }
 
-func (c *CacheDelegator) SetKeysFunc(keys storage.KeysFunc) {
-	c.storage.SetKeysFunc(keys)
+func (c *CacheDelegator) EnableResourceSizeEstimation(keys storage.KeysFunc) error {
+	return c.storage.EnableResourceSizeEstimation(keys)
 }
 
 func (c *CacheDelegator) Delete(ctx context.Context, key string, out runtime.Object, preconditions *storage.Preconditions, validateDeletion storage.ValidateObjectFunc, cachedExistingObject runtime.Object, opts storage.DeleteOptions) error {
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator_test.go
index 8fd01d6f1deb7..b10aab4ddeaaa 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/delegator_test.go
@@ -287,7 +287,7 @@ func TestConsistencyCheckerDigestMatches(t *testing.T) {
 
 	t.Log("Execute list to ensure cache is up to date")
 	outList := &example.PodList{}
-	err := store.cacher.GetList(ctx, "/pods", storage.ListOptions{ResourceVersion: resourceVersion, Recursive: true, Predicate: storage.Everything, ResourceVersionMatch: metav1.ResourceVersionMatchNotOlderThan}, outList)
+	err := store.cacher.GetList(ctx, "/pods/", storage.ListOptions{ResourceVersion: resourceVersion, Recursive: true, Predicate: storage.Everything, ResourceVersionMatch: metav1.ResourceVersionMatchNotOlderThan}, outList)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -295,7 +295,7 @@ func TestConsistencyCheckerDigestMatches(t *testing.T) {
 		t.Errorf("Expect to get %d pods, got %d", storageWatchListPageSize+1, len(outList.Items))
 	}
 
-	checker := newConsistencyChecker("/pods", schema.GroupResource{}, store.cacher.newListFunc, store.cacher, store.storage)
+	checker := newConsistencyChecker("/pods/", schema.GroupResource{}, store.cacher.newListFunc, store.cacher, store.storage)
 	digest, err := checker.calculateDigests(ctx)
 	if err != nil {
 		t.Fatal(err)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher.go
index d5ac30152b6ac..e037ed4ab8df2 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher.go
@@ -31,6 +31,8 @@ import (
 	"k8s.io/apiserver/pkg/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/consistencydetector"
+	"k8s.io/client-go/util/watchlist"
 )
 
 // listerWatcher opaques storage.Interface to expose cache.ListerWatcher.
@@ -39,15 +41,20 @@ type listerWatcher struct {
 	resourcePrefix  string
 	newListFunc     func() runtime.Object
 	contextMetadata metadata.MD
+
+	unsupportedWatchListSemantics    bool
+	watchListConsistencyCheckEnabled bool
 }
 
 // NewListerWatcher returns a storage.Interface backed ListerWatcher.
 func NewListerWatcher(storage storage.Interface, resourcePrefix string, newListFunc func() runtime.Object, contextMetadata metadata.MD) cache.ListerWatcher {
 	return &listerWatcher{
-		storage:         storage,
-		resourcePrefix:  resourcePrefix,
-		newListFunc:     newListFunc,
-		contextMetadata: contextMetadata,
+		storage:                          storage,
+		resourcePrefix:                   resourcePrefix,
+		newListFunc:                      newListFunc,
+		contextMetadata:                  contextMetadata,
+		unsupportedWatchListSemantics:    watchlist.DoesClientNotSupportWatchListSemantics(storage),
+		watchListConsistencyCheckEnabled: consistencydetector.IsDataConsistencyDetectionForWatchListEnabled(),
 	}
 }
 
@@ -66,6 +73,27 @@ func (lw *listerWatcher) List(options metav1.ListOptions) (runtime.Object, error
 		Predicate:            pred,
 		Recursive:            true,
 	}
+
+	// The ConsistencyChecker built into reflectors for the WatchList feature is responsible
+	// for verifying that the data received from the server (potentially from the watch cache)
+	// is consistent with the data stored in etcd.
+	//
+	// To perform this verification, the checker uses the ResourceVersion obtained from the initial request
+	// and sets the ResourceVersionMatch so that it retrieves exactly the same data directly from etcd.
+	// This allows comparing both data sources and confirming their consistency.
+	//
+	// The code below checks whether the incoming request originates from the ConsistencyChecker.
+	// If so, it allows explicitly setting the ResourceVersion.
+	//
+	// As of Oct 2025, reflector on its own is not setting RVM=Exact.
+	// However, even if that changes in the meantime, we would have to propagate that
+	// down to storage to ensure the correct semantics of the request.
+	watchListEnabled := utilfeature.DefaultFeatureGate.Enabled(features.WatchList)
+	supportedRVM := options.ResourceVersionMatch == metav1.ResourceVersionMatchExact
+	if watchListEnabled && lw.watchListConsistencyCheckEnabled && supportedRVM {
+		storageOpts.ResourceVersion = options.ResourceVersion
+	}
+
 	ctx := context.Background()
 	if lw.contextMetadata != nil {
 		ctx = metadata.NewOutgoingContext(ctx, lw.contextMetadata)
@@ -105,3 +133,7 @@ func (lw *listerWatcher) Watch(options metav1.ListOptions) (watch.Interface, err
 
 	return lw.storage.Watch(ctx, lw.resourcePrefix, opts)
 }
+
+func (lw *listerWatcher) IsWatchListSemanticsUnSupported() bool {
+	return lw.unsupportedWatchListSemantics
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher_test.go
index 247fd85cc4d3f..ec4317a254771 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/lister_watcher_test.go
@@ -25,15 +25,31 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/apis/example"
 	"k8s.io/apiserver/pkg/features"
+	"k8s.io/apiserver/pkg/storage"
 	storagetesting "k8s.io/apiserver/pkg/storage/testing"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/watchlist"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 )
 
+func TestDoesClientSupportWatchListSemanticsForKubeClient(t *testing.T) {
+	target1 := &dummyStorage{}
+	if !watchlist.DoesClientNotSupportWatchListSemantics(target1) {
+		t.Fatalf("dummyStorage should NOT support WatchList semantics")
+	}
+
+	server, target2 := newEtcdTestStorage(t, "/pods/")
+	defer server.Terminate(t)
+
+	if watchlist.DoesClientNotSupportWatchListSemantics(target2) {
+		t.Fatalf("etcd should support WatchList semantics")
+	}
+}
+
 func TestCacherListerWatcher(t *testing.T) {
-	prefix := "pods"
+	prefix := "/pods/"
 	fn := func() runtime.Object { return &example.PodList{} }
 	server, store := newEtcdTestStorage(t, prefix)
 	defer server.Terminate(t)
@@ -67,7 +83,7 @@ func TestCacherListerWatcher(t *testing.T) {
 }
 
 func TestCacherListerWatcherPagination(t *testing.T) {
-	prefix := "pods"
+	prefix := "/pods/"
 	fn := func() runtime.Object { return &example.PodList{} }
 	server, store := newEtcdTestStorage(t, prefix)
 	defer server.Terminate(t)
@@ -130,7 +146,7 @@ func TestCacherListerWatcherPagination(t *testing.T) {
 func TestCacherListerWatcherListWatch(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WatchList, true)
 
-	prefix := "pods"
+	prefix := "/pods/"
 	fn := func() runtime.Object { return &example.PodList{} }
 	server, store := newEtcdTestStorage(t, prefix)
 	defer server.Terminate(t)
@@ -181,7 +197,7 @@ func TestCacherListerWatcherListWatch(t *testing.T) {
 func TestCacherListerWatcherWhenListWatchDisabled(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WatchList, false)
 
-	prefix := "pods"
+	prefix := "/pods/"
 	fn := func() runtime.Object { return &example.PodList{} }
 	server, store := newEtcdTestStorage(t, prefix)
 	defer server.Terminate(t)
@@ -203,3 +219,79 @@ func TestCacherListerWatcherWhenListWatchDisabled(t *testing.T) {
 		t.Fatalf("Expected error %q, but got %q", expectedErrMsg, err.Error())
 	}
 }
+
+func TestListerWatcherListResourceVersionPropagation(t *testing.T) {
+	scenarios := []struct {
+		name                             string
+		options                          metav1.ListOptions
+		watchListEnabled                 bool
+		watchListConsistencyCheckEnabled bool
+		expectedStorageResourceVer       string
+	}{
+		{
+			name: "WatchList FG disabled - RV not propagated",
+			options: metav1.ListOptions{
+				ResourceVersion:      "123",
+				ResourceVersionMatch: metav1.ResourceVersionMatchExact,
+			},
+			watchListEnabled:                 false,
+			watchListConsistencyCheckEnabled: true,
+			expectedStorageResourceVer:       "",
+		},
+		{
+			name: "WatchList consistency check disabled - RV not propagated",
+			options: metav1.ListOptions{
+				ResourceVersion:      "123",
+				ResourceVersionMatch: metav1.ResourceVersionMatchExact,
+			},
+			watchListEnabled:                 true,
+			watchListConsistencyCheckEnabled: false,
+			expectedStorageResourceVer:       "",
+		},
+		{
+			name: "Unsupported RVM - RV not propagated",
+			options: metav1.ListOptions{
+				ResourceVersion:      "123",
+				ResourceVersionMatch: metav1.ResourceVersionMatchNotOlderThan,
+			},
+			watchListEnabled:                 true,
+			watchListConsistencyCheckEnabled: true,
+			expectedStorageResourceVer:       "",
+		},
+		{
+			name: "all conditions satisfied - RV propagated",
+			options: metav1.ListOptions{
+				ResourceVersion:      "123",
+				ResourceVersionMatch: metav1.ResourceVersionMatchExact,
+			},
+			watchListEnabled:                 true,
+			watchListConsistencyCheckEnabled: true,
+			expectedStorageResourceVer:       "123",
+		},
+	}
+
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WatchList, scenario.watchListEnabled)
+
+			backingStorage := &dummyStorage{}
+			var capturedOpts storage.ListOptions
+			backingStorage.getListFn = func(ctx context.Context, resPrefix string, opts storage.ListOptions, listObj runtime.Object) error {
+				capturedOpts = opts
+				return nil
+			}
+
+			targetInterface := NewListerWatcher(backingStorage, "/pods/", func() runtime.Object { return &example.PodList{} }, nil)
+			target := targetInterface.(*listerWatcher)
+			target.watchListConsistencyCheckEnabled = scenario.watchListConsistencyCheckEnabled
+
+			if _, err := target.List(scenario.options); err != nil {
+				t.Fatalf("List returned error: %v", err)
+			}
+
+			if capturedOpts.ResourceVersion != scenario.expectedStorageResourceVer {
+				t.Fatalf("expected storage ResourceVersion %q, got %q", scenario.expectedStorageResourceVer, capturedOpts.ResourceVersion)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/cacher/watch_cache_test.go b/staging/src/k8s.io/apiserver/pkg/storage/cacher/watch_cache_test.go
index 520bdcdfd3d2d..1c090269c55af 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/cacher/watch_cache_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/cacher/watch_cache_test.go
@@ -71,7 +71,7 @@ func makeTestPodDetails(name string, resourceVersion uint64, nodeName string, la
 
 func makeTestStoreElement(pod *v1.Pod) *storeElement {
 	return &storeElement{
-		Key:    "prefix/ns/" + pod.Name,
+		Key:    "/prefix/ns/" + pod.Name,
 		Object: pod,
 		Labels: labels.Set(pod.Labels),
 		Fields: fields.Set{"spec.nodeName": pod.Spec.NodeName},
@@ -116,7 +116,7 @@ func (w *testWatchCache) getCacheIntervalForEvents(resourceVersion uint64, opts
 // newTestWatchCache just adds a fake clock.
 func newTestWatchCache(capacity int, eventFreshDuration time.Duration, indexers *cache.Indexers) *testWatchCache {
 	keyFunc := func(obj runtime.Object) (string, error) {
-		return storage.NamespaceKeyFunc("prefix", obj)
+		return storage.NamespaceKeyFunc("/prefix/", obj)
 	}
 	getAttrsFunc := func(obj runtime.Object) (labels.Set, fields.Set, error) {
 		pod, ok := obj.(*v1.Pod)
@@ -244,9 +244,9 @@ func TestWatchCacheBasic(t *testing.T) {
 	store.Add(makeTestPod("pod3", 6))
 	{
 		expected := map[string]storeElement{
-			"prefix/ns/pod1": *makeTestStoreElement(makeTestPod("pod1", 4)),
-			"prefix/ns/pod2": *makeTestStoreElement(makeTestPod("pod2", 5)),
-			"prefix/ns/pod3": *makeTestStoreElement(makeTestPod("pod3", 6)),
+			"/prefix/ns/pod1": *makeTestStoreElement(makeTestPod("pod1", 4)),
+			"/prefix/ns/pod2": *makeTestStoreElement(makeTestPod("pod2", 5)),
+			"/prefix/ns/pod3": *makeTestStoreElement(makeTestPod("pod3", 6)),
 		}
 		items := make(map[string]storeElement)
 		for _, item := range store.List() {
@@ -265,8 +265,8 @@ func TestWatchCacheBasic(t *testing.T) {
 	}, "8")
 	{
 		expected := map[string]storeElement{
-			"prefix/ns/pod4": *makeTestStoreElement(makeTestPod("pod4", 7)),
-			"prefix/ns/pod5": *makeTestStoreElement(makeTestPod("pod5", 8)),
+			"/prefix/ns/pod4": *makeTestStoreElement(makeTestPod("pod4", 7)),
+			"/prefix/ns/pod5": *makeTestStoreElement(makeTestPod("pod5", 8)),
 		}
 		items := make(map[string]storeElement)
 		for _, item := range store.List() {
@@ -470,7 +470,7 @@ func TestWaitUntilFreshAndGetList(t *testing.T) {
 	}()
 
 	// list by empty MatchValues.
-	resp, indexUsed, err := store.WaitUntilFreshAndGetList(ctx, "prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.Everything})
+	resp, indexUsed, err := store.WaitUntilFreshAndGetList(ctx, "/prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -485,7 +485,7 @@ func TestWaitUntilFreshAndGetList(t *testing.T) {
 	}
 
 	// list by label index.
-	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
+	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "/prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
 		Label: labels.SelectorFromSet(map[string]string{
 			"label": "value1",
 		}),
@@ -508,7 +508,7 @@ func TestWaitUntilFreshAndGetList(t *testing.T) {
 	}
 
 	// list with spec.nodeName index.
-	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
+	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "/prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
 		Label: labels.SelectorFromSet(map[string]string{
 			"not-exist-label": "whatever",
 		}),
@@ -531,7 +531,7 @@ func TestWaitUntilFreshAndGetList(t *testing.T) {
 	}
 
 	// list with index not exists.
-	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
+	resp, indexUsed, err = store.WaitUntilFreshAndGetList(ctx, "/prefix/", storage.ListOptions{ResourceVersion: "5", Recursive: true, Predicate: storage.SelectionPredicate{
 		Label: labels.SelectorFromSet(map[string]string{
 			"not-exist-label": "whatever",
 		}),
@@ -565,7 +565,7 @@ func TestWaitUntilFreshAndListFromCache(t *testing.T) {
 	}()
 
 	// list from future revision. Requires watch cache to request bookmark to get it.
-	resp, indexUsed, err := store.WaitUntilFreshAndGetList(ctx, "prefix/", storage.ListOptions{ResourceVersion: "3", Recursive: true, Predicate: storage.Everything})
+	resp, indexUsed, err := store.WaitUntilFreshAndGetList(ctx, "/prefix/", storage.ListOptions{ResourceVersion: "3", Recursive: true, Predicate: storage.Everything})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -591,7 +591,7 @@ func TestWaitUntilFreshAndGet(t *testing.T) {
 		store.Add(makeTestPod("bar", 5))
 	}()
 
-	obj, exists, resourceVersion, err := store.WaitUntilFreshAndGet(ctx, 5, "prefix/ns/bar")
+	obj, exists, resourceVersion, err := store.WaitUntilFreshAndGet(ctx, 5, "/prefix/ns/bar")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/etcd3retry/retry_etcdclient.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/etcd3retry/retry_etcdclient.go
index cee4009c14090..36d28bbf422b7 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/etcd3retry/retry_etcdclient.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/etcd3retry/retry_etcdclient.go
@@ -37,8 +37,8 @@ func (c *retryClient) Stats(ctx context.Context) (storage.Stats, error) {
 	return c.delegate.Stats(ctx)
 }
 
-func (c *retryClient) SetKeysFunc(f storage.KeysFunc) {
-	c.delegate.SetKeysFunc(f)
+func (c *retryClient) EnableResourceSizeEstimation(f storage.KeysFunc) error {
+	return c.delegate.EnableResourceSizeEstimation(f)
 }
 
 func (c *retryClient) CompactRevision() int64 {
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/linearized_read_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/linearized_read_test.go
index 7331c8245ad68..879647977ff98 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/linearized_read_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/linearized_read_test.go
@@ -37,7 +37,7 @@ func TestLinearizedReadRevisionInvariant(t *testing.T) {
 	// [1] https://etcd.io/docs/v3.5/learning/api_guarantees/#isolation-level-and-consistency-of-replicas
 	ctx, store, etcdClient := testSetup(t)
 
-	dir := "/testing"
+	dir := "/pods/"
 	key := dir + "/testkey"
 	out := &example.Pod{}
 	obj := &example.Pod{ObjectMeta: metav1.ObjectMeta{Name: "foo", SelfLink: "testlink"}}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/OWNERS b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/OWNERS
index 433e84aa3e43e..3578939e02960 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/OWNERS
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/OWNERS
@@ -1,4 +1,9 @@
 # See the OWNERS docs at https://go.k8s.io/owners
 
 approvers:
-  - logicalhan
+  - sig-instrumentation-approvers
+reviewers:
+  - sig-instrumentation-reviewers
+labels:
+  - sig/etcd
+  - sig/instrumentation
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
index 7219aba3d65ca..263c04ec02e21 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go
@@ -72,9 +72,10 @@ var (
 	)
 	objectCounts = compbasemetrics.NewGaugeVec(
 		&compbasemetrics.GaugeOpts{
-			Name:           "apiserver_storage_objects",
-			Help:           "[DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.",
-			StabilityLevel: compbasemetrics.STABLE,
+			Name:              "apiserver_storage_objects",
+			Help:              "[DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.",
+			StabilityLevel:    compbasemetrics.STABLE,
+			DeprecatedVersion: "1.34.0",
 		},
 		[]string{"resource"},
 	)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics_test.go
index 200739b1bd779..3c8a33d49c58a 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics_test.go
@@ -316,6 +316,7 @@ apiserver_resource_size_estimate_bytes{group="foo",resource="bar"} -1
 func TestDeleteStoreStats(t *testing.T) {
 	registry := metrics.NewKubeRegistry()
 	registry.MustRegister(objectCounts)
+	registry.MustRegister(newObjectCounts)
 	registry.MustRegister(resourceSizeEstimate)
 
 	UpdateStoreStats(schema.GroupResource{Group: "foo1", Resource: "bar1"}, storage.Stats{ObjectCount: 10}, nil)
@@ -325,12 +326,16 @@ func TestDeleteStoreStats(t *testing.T) {
 # TYPE apiserver_resource_size_estimate_bytes gauge
 apiserver_resource_size_estimate_bytes{group="foo1",resource="bar1"} -1
 apiserver_resource_size_estimate_bytes{group="foo2",resource="bar2"} 200
+# HELP apiserver_resource_objects [ALPHA] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.
+# TYPE apiserver_resource_objects gauge
+apiserver_resource_objects{group="foo1",resource="bar1"} 10
+apiserver_resource_objects{group="foo2",resource="bar2"} 20
 # HELP apiserver_storage_objects [STABLE] [DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.
 # TYPE apiserver_storage_objects gauge
 apiserver_storage_objects{resource="bar1.foo1"} 10
 apiserver_storage_objects{resource="bar2.foo2"} 20
 `
-	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
+	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
 		t.Fatal(err)
 	}
 
@@ -339,19 +344,24 @@ apiserver_storage_objects{resource="bar2.foo2"} 20
 	expectedMetrics = `# HELP apiserver_resource_size_estimate_bytes [ALPHA] Estimated size of stored objects in database. Estimate is based on sum of last observed sizes of serialized objects. In case of a fetching error, the value will be -1.
 # TYPE apiserver_resource_size_estimate_bytes gauge
 apiserver_resource_size_estimate_bytes{group="foo2",resource="bar2"} 200
+# HELP apiserver_resource_objects [ALPHA] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.
+# TYPE apiserver_resource_objects gauge
+apiserver_resource_objects{group="foo2",resource="bar2"} 20
 # HELP apiserver_storage_objects [STABLE] [DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.
 # TYPE apiserver_storage_objects gauge
 apiserver_storage_objects{resource="bar2.foo2"} 20
 `
-	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
+	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
 		t.Fatal(err)
 	}
 
 	DeleteStoreStats(schema.GroupResource{Group: "foo2", Resource: "bar2"})
 	expectedMetrics = `# HELP apiserver_storage_objects [STABLE] [DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.
 # TYPE apiserver_storage_objects gauge
+# HELP apiserver_resource_size_estimate_bytes [ALPHA] Estimated size of stored objects in database. Estimate is based on sum of last observed sizes of serialized objects. In case of a fetching error, the value will be -1.
+# TYPE apiserver_resource_size_estimate_bytes gauge
 `
-	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
+	if err := testutil.GatherAndCompare(registry, strings.NewReader(expectedMetrics), "apiserver_storage_objects", "apiserver_resource_objects", "apiserver_resource_size_estimate_bytes"); err != nil {
 		t.Fatal(err)
 	}
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats.go
index 9f0b3f78e45a9..dcddab373b736 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats.go
@@ -18,7 +18,6 @@ package etcd3
 
 import (
 	"context"
-	"errors"
 	"strings"
 	"sync"
 
@@ -34,11 +33,11 @@ import (
 
 const sizerRefreshInterval = time.Minute
 
-func newStatsCache(prefix string, getKeys storage.KeysFunc) *statsCache {
+func newResourceSizeEstimator(prefix string, getKeys storage.KeysFunc) *resourceSizeEstimator {
 	if prefix[len(prefix)-1] != '/' {
 		prefix += "/"
 	}
-	sc := &statsCache{
+	sc := &resourceSizeEstimator{
 		prefix:  prefix,
 		getKeys: getKeys,
 		stop:    make(chan struct{}),
@@ -52,23 +51,21 @@ func newStatsCache(prefix string, getKeys storage.KeysFunc) *statsCache {
 	return sc
 }
 
-// statsCache efficiently estimates the average object size
+// resourceSizeEstimator efficiently estimates the average object size
 // based on the last observed state of individual keys.
-// By plugging statsCache into GetList and Watch functions,
+// By plugging resourceSizeEstimator into GetList and Watch functions,
 // a fairly accurate estimate of object sizes can be maintained
 // without additional requests to the underlying storage.
 // To handle potential out-of-order or incomplete data,
 // it uses a per-key revision to identify the newer state.
 // This approach may leak keys if delete events are not observed,
 // thus we run a background goroutine to periodically cleanup keys if needed.
-type statsCache struct {
+type resourceSizeEstimator struct {
 	prefix         string
 	stop           chan struct{}
 	wg             sync.WaitGroup
 	lastKeyCleanup atomic.Pointer[time.Time]
-
-	getKeysLock sync.Mutex
-	getKeys     storage.KeysFunc
+	getKeys        storage.KeysFunc
 
 	keysLock sync.Mutex
 	keys     map[string]sizeRevision
@@ -79,10 +76,8 @@ type sizeRevision struct {
 	revision  int64
 }
 
-var errStatsDisabled = errors.New("key size stats disabled")
-
-func (sc *statsCache) Stats(ctx context.Context) (storage.Stats, error) {
-	keys, err := sc.GetKeys(ctx)
+func (sc *resourceSizeEstimator) Stats(ctx context.Context) (storage.Stats, error) {
+	keys, err := sc.getKeys(ctx)
 	if err != nil {
 		return storage.Stats{}, err
 	}
@@ -98,30 +93,12 @@ func (sc *statsCache) Stats(ctx context.Context) (storage.Stats, error) {
 	return stats, nil
 }
 
-func (sc *statsCache) GetKeys(ctx context.Context) ([]string, error) {
-	sc.getKeysLock.Lock()
-	getKeys := sc.getKeys
-	sc.getKeysLock.Unlock()
-
-	if getKeys == nil {
-		return nil, errStatsDisabled
-	}
-	// Don't execute getKeys under lock.
-	return getKeys(ctx)
-}
-
-func (sc *statsCache) SetKeysFunc(keys storage.KeysFunc) {
-	sc.getKeysLock.Lock()
-	defer sc.getKeysLock.Unlock()
-	sc.getKeys = keys
-}
-
-func (sc *statsCache) Close() {
+func (sc *resourceSizeEstimator) Close() {
 	close(sc.stop)
 	sc.wg.Wait()
 }
 
-func (sc *statsCache) run() {
+func (sc *resourceSizeEstimator) run() {
 	jitter := 0.5 // Period between [interval, interval * (1.0 + jitter)]
 	sliding := true
 	// wait.JitterUntilWithContext starts work immediately, so wait first.
@@ -132,16 +109,14 @@ func (sc *statsCache) run() {
 	wait.JitterUntilWithContext(wait.ContextForChannel(sc.stop), sc.cleanKeysIfNeeded, sizerRefreshInterval, jitter, sliding)
 }
 
-func (sc *statsCache) cleanKeysIfNeeded(ctx context.Context) {
+func (sc *resourceSizeEstimator) cleanKeysIfNeeded(ctx context.Context) {
 	lastKeyCleanup := sc.lastKeyCleanup.Load()
 	if lastKeyCleanup != nil && time.Since(*lastKeyCleanup) < sizerRefreshInterval {
 		return
 	}
-	keys, err := sc.GetKeys(ctx)
+	keys, err := sc.getKeys(ctx)
 	if err != nil {
-		if !errors.Is(err, errStatsDisabled) {
-			klog.InfoS("Error getting keys", "err", err)
-		}
+		klog.InfoS("Error getting keys", "err", err)
 		return
 	}
 	sc.keysLock.Lock()
@@ -149,7 +124,7 @@ func (sc *statsCache) cleanKeysIfNeeded(ctx context.Context) {
 	sc.cleanKeys(keys)
 }
 
-func (sc *statsCache) cleanKeys(keepKeys []string) {
+func (sc *resourceSizeEstimator) cleanKeys(keepKeys []string) {
 	newKeys := make(map[string]sizeRevision, len(keepKeys))
 	for _, key := range keepKeys {
 		// Handle cacher keys not having prefix.
@@ -171,14 +146,14 @@ func (sc *statsCache) cleanKeys(keepKeys []string) {
 	sc.lastKeyCleanup.Store(&now)
 }
 
-func (sc *statsCache) keySizes() (totalSize int64) {
+func (sc *resourceSizeEstimator) keySizes() (totalSize int64) {
 	for _, sizeRevision := range sc.keys {
 		totalSize += sizeRevision.sizeBytes
 	}
 	return totalSize
 }
 
-func (sc *statsCache) Update(kvs []*mvccpb.KeyValue) {
+func (sc *resourceSizeEstimator) Update(kvs []*mvccpb.KeyValue) {
 	sc.keysLock.Lock()
 	defer sc.keysLock.Unlock()
 	for _, kv := range kvs {
@@ -186,14 +161,14 @@ func (sc *statsCache) Update(kvs []*mvccpb.KeyValue) {
 	}
 }
 
-func (sc *statsCache) UpdateKey(kv *mvccpb.KeyValue) {
+func (sc *resourceSizeEstimator) UpdateKey(kv *mvccpb.KeyValue) {
 	sc.keysLock.Lock()
 	defer sc.keysLock.Unlock()
 
 	sc.updateKey(kv)
 }
 
-func (sc *statsCache) updateKey(kv *mvccpb.KeyValue) {
+func (sc *resourceSizeEstimator) updateKey(kv *mvccpb.KeyValue) {
 	key := string(kv.Key)
 	keySizeRevision := sc.keys[key]
 	if keySizeRevision.revision >= kv.ModRevision {
@@ -206,7 +181,7 @@ func (sc *statsCache) updateKey(kv *mvccpb.KeyValue) {
 	}
 }
 
-func (sc *statsCache) DeleteKey(kv *mvccpb.KeyValue) {
+func (sc *resourceSizeEstimator) DeleteKey(kv *mvccpb.KeyValue) {
 	sc.keysLock.Lock()
 	defer sc.keysLock.Unlock()
 
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats_test.go
index e67436f83262c..dabd141fa041b 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/stats_test.go
@@ -27,7 +27,7 @@ import (
 
 func TestStatsCache(t *testing.T) {
 	ctx := t.Context()
-	store := newStatsCache("/prefix", func(ctx context.Context) ([]string, error) { return []string{}, nil })
+	store := newResourceSizeEstimator("/prefix", func(ctx context.Context) ([]string, error) { return []string{}, nil })
 	defer store.Close()
 
 	stats, err := store.Stats(ctx)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
index d8b7a00a2b9fe..798567d1cd16c 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
@@ -25,6 +25,7 @@ import (
 	"reflect"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"go.etcd.io/etcd/api/v3/mvccpb"
@@ -90,8 +91,10 @@ type store struct {
 
 	resourcePrefix string
 	newListFunc    func() runtime.Object
-	stats          *statsCache
 	compactor      Compactor
+
+	collectorMux          sync.RWMutex
+	resourceSizeEstimator *resourceSizeEstimator
 }
 
 var _ storage.Interface = (*store)(nil)
@@ -142,7 +145,7 @@ func (a *abortOnFirstError) Aggregate(key string, err error) bool {
 func (a *abortOnFirstError) Err() error { return a.err }
 
 // New returns an etcd3 implementation of storage.Interface.
-func New(c *kubernetes.Client, compactor Compactor, codec runtime.Codec, newFunc, newListFunc func() runtime.Object, prefix, resourcePrefix string, groupResource schema.GroupResource, transformer value.Transformer, leaseManagerConfig LeaseManagerConfig, decoder Decoder, versioner storage.Versioner) *store {
+func New(c *kubernetes.Client, compactor Compactor, codec runtime.Codec, newFunc, newListFunc func() runtime.Object, prefix, resourcePrefix string, groupResource schema.GroupResource, transformer value.Transformer, leaseManagerConfig LeaseManagerConfig, decoder Decoder, versioner storage.Versioner) (*store, error) {
 	// for compatibility with etcd2 impl.
 	// no-op for default prefix of '/registry'.
 	// keeps compatibility with etcd2 impl for custom prefixes that don't start with '/'
@@ -151,6 +154,15 @@ func New(c *kubernetes.Client, compactor Compactor, codec runtime.Codec, newFunc
 		// Ensure the pathPrefix ends in "/" here to simplify key concatenation later.
 		pathPrefix += "/"
 	}
+	if resourcePrefix == "" {
+		return nil, fmt.Errorf("resourcePrefix cannot be empty")
+	}
+	if resourcePrefix == "/" {
+		return nil, fmt.Errorf("resourcePrefix cannot be /")
+	}
+	if !strings.HasPrefix(resourcePrefix, "/") {
+		return nil, fmt.Errorf("resourcePrefix needs to start from /")
+	}
 
 	listErrAggrFactory := defaultListErrorAggregatorFactory
 	if utilfeature.DefaultFeatureGate.Enabled(features.AllowUnsafeMalformedObjectDeletion) {
@@ -186,20 +198,15 @@ func New(c *kubernetes.Client, compactor Compactor, codec runtime.Codec, newFunc
 		newListFunc:    newListFunc,
 		compactor:      compactor,
 	}
-	// Collecting stats requires properly set resourcePrefix to call getKeys.
-	if resourcePrefix != "" && utilfeature.DefaultFeatureGate.Enabled(features.SizeBasedListCostEstimate) {
-		stats := newStatsCache(pathPrefix, nil)
-		s.stats = stats
-		w.stats = stats
-	}
 
+	w.getResourceSizeEstimator = s.getResourceSizeEstimator
 	w.getCurrentStorageRV = func(ctx context.Context) (uint64, error) {
 		return s.GetCurrentResourceVersion(ctx)
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) || utilfeature.DefaultFeatureGate.Enabled(features.WatchList) {
 		etcdfeature.DefaultFeatureSupportChecker.CheckClient(c.Ctx(), c, storage.RequestWatchProgress)
 	}
-	return s
+	return s, nil
 }
 
 func (s *store) CompactRevision() int64 {
@@ -215,14 +222,21 @@ func (s *store) Versioner() storage.Versioner {
 }
 
 func (s *store) Close() {
-	if s.stats != nil {
-		s.stats.Close()
+	stats := s.getResourceSizeEstimator()
+	if stats != nil {
+		stats.Close()
 	}
 }
 
+func (s *store) getResourceSizeEstimator() *resourceSizeEstimator {
+	s.collectorMux.RLock()
+	defer s.collectorMux.RUnlock()
+	return s.resourceSizeEstimator
+}
+
 // Get implements storage.Interface.Get.
 func (s *store) Get(ctx context.Context, key string, opts storage.GetOptions, out runtime.Object) error {
-	preparedKey, err := s.prepareKey(key)
+	preparedKey, err := s.prepareKey(key, false)
 	if err != nil {
 		return err
 	}
@@ -258,7 +272,7 @@ func (s *store) Get(ctx context.Context, key string, opts storage.GetOptions, ou
 
 // Create implements storage.Interface.Create.
 func (s *store) Create(ctx context.Context, key string, obj, out runtime.Object, ttl uint64) error {
-	preparedKey, err := s.prepareKey(key)
+	preparedKey, err := s.prepareKey(key, false)
 	if err != nil {
 		return err
 	}
@@ -328,7 +342,7 @@ func (s *store) Create(ctx context.Context, key string, obj, out runtime.Object,
 func (s *store) Delete(
 	ctx context.Context, key string, out runtime.Object, preconditions *storage.Preconditions,
 	validateDeletion storage.ValidateObjectFunc, cachedExistingObject runtime.Object, opts storage.DeleteOptions) error {
-	preparedKey, err := s.prepareKey(key)
+	preparedKey, err := s.prepareKey(key, false)
 	if err != nil {
 		return err
 	}
@@ -449,7 +463,7 @@ func (s *store) conditionalDelete(
 func (s *store) GuaranteedUpdate(
 	ctx context.Context, key string, destination runtime.Object, ignoreNotFound bool,
 	preconditions *storage.Preconditions, tryUpdate storage.UpdateFunc, cachedExistingObject runtime.Object) error {
-	preparedKey, err := s.prepareKey(key)
+	preparedKey, err := s.prepareKey(key, false)
 	if err != nil {
 		return err
 	}
@@ -630,21 +644,17 @@ func getNewItemFunc(listObj runtime.Object, v reflect.Value) func() runtime.Obje
 	}
 }
 
-func (s *store) Stats(ctx context.Context) (stats storage.Stats, err error) {
-	if s.stats != nil {
-		stats, err := s.stats.Stats(ctx)
-		if !errors.Is(err, errStatsDisabled) {
-			return stats, err
-		}
+func (s *store) Stats(ctx context.Context) (storage.Stats, error) {
+	if collector := s.getResourceSizeEstimator(); collector != nil {
+		return collector.Stats(ctx)
 	}
+	// returning stats without resource size
+
 	startTime := time.Now()
-	prefix, err := s.prepareKey(s.resourcePrefix)
+	prefix, err := s.prepareKey(s.resourcePrefix, true)
 	if err != nil {
 		return storage.Stats{}, err
 	}
-	if !strings.HasSuffix(prefix, "/") {
-		prefix += "/"
-	}
 	count, err := s.client.Kubernetes.Count(ctx, prefix, kubernetes.CountOptions{})
 	metrics.RecordEtcdRequest("listWithCount", s.groupResource, err, startTime)
 	if err != nil {
@@ -655,21 +665,25 @@ func (s *store) Stats(ctx context.Context) (stats storage.Stats, err error) {
 	}, nil
 }
 
-func (s *store) SetKeysFunc(keys storage.KeysFunc) {
-	if s.stats != nil {
-		s.stats.SetKeysFunc(keys)
+func (s *store) EnableResourceSizeEstimation(getKeys storage.KeysFunc) error {
+	if getKeys == nil {
+		return errors.New("KeysFunc cannot be nil")
+	}
+	s.collectorMux.Lock()
+	defer s.collectorMux.Unlock()
+	if s.resourceSizeEstimator != nil {
+		return errors.New("resourceSizeEstimator already enabled")
 	}
+	s.resourceSizeEstimator = newResourceSizeEstimator(s.pathPrefix, getKeys)
+	return nil
 }
 
 func (s *store) getKeys(ctx context.Context) ([]string, error) {
 	startTime := time.Now()
-	prefix, err := s.prepareKey(s.resourcePrefix)
+	prefix, err := s.prepareKey(s.resourcePrefix, true)
 	if err != nil {
 		return nil, err
 	}
-	if !strings.HasSuffix(prefix, "/") {
-		prefix += "/"
-	}
 	resp, err := s.client.KV.Get(ctx, prefix, clientv3.WithPrefix(), clientv3.WithKeysOnly())
 	metrics.RecordEtcdRequest("listOnlyKeys", s.groupResource, err, startTime)
 	if err != nil {
@@ -720,7 +734,7 @@ func (s *store) GetCurrentResourceVersion(ctx context.Context) (uint64, error) {
 
 // GetList implements storage.Interface.
 func (s *store) GetList(ctx context.Context, key string, opts storage.ListOptions, listObj runtime.Object) error {
-	keyPrefix, err := s.prepareKey(key)
+	keyPrefix, err := s.prepareKey(key, opts.Recursive)
 	if err != nil {
 		return err
 	}
@@ -741,14 +755,6 @@ func (s *store) GetList(ctx context.Context, key string, opts storage.ListOption
 		return fmt.Errorf("need ptr to slice: %v", err)
 	}
 
-	// For recursive lists, we need to make sure the key ended with "/" so that we only
-	// get children "directories". e.g. if we have key "/a", "/a/b", "/ab", getting keys
-	// with prefix "/a" will return all three, while with prefix "/a/" will return only
-	// "/a/b" which is the correct answer.
-	if opts.Recursive && !strings.HasSuffix(keyPrefix, "/") {
-		keyPrefix += "/"
-	}
-
 	// set the appropriate clientv3 options to filter the returned data set
 	limit := opts.Predicate.Limit
 	paging := opts.Predicate.Limit > 0
@@ -772,20 +778,13 @@ func (s *store) GetList(ctx context.Context, key string, opts storage.ListOption
 		metrics.RecordStorageListMetrics(s.groupResource, numFetched, numEvald, numReturn)
 	}()
 
-	metricsOp := "get"
-	if opts.Recursive {
-		metricsOp = "list"
-	}
-
 	aggregator := s.listErrAggrFactory()
 	for {
-		startTime := time.Now()
 		getResp, err = s.getList(ctx, keyPrefix, opts.Recursive, kubernetes.ListOptions{
 			Revision: withRev,
 			Limit:    limit,
 			Continue: continueKey,
 		})
-		metrics.RecordEtcdRequest(metricsOp, s.groupResource, err, startTime)
 		if err != nil {
 			if errors.Is(err, etcdrpc.ErrFutureRev) {
 				currentRV, getRVErr := s.GetCurrentResourceVersion(ctx)
@@ -818,9 +817,6 @@ func (s *store) GetList(ctx context.Context, key string, opts storage.ListOption
 		} else {
 			growSlice(v, 2048, len(getResp.Kvs))
 		}
-		if s.stats != nil {
-			s.stats.Update(getResp.Kvs)
-		}
 
 		// take items from the response until the bucket is full, filtering as we go
 		for i, kv := range getResp.Kvs {
@@ -902,22 +898,31 @@ func (s *store) GetList(ctx context.Context, key string, opts storage.ListOption
 	return s.versioner.UpdateList(listObj, uint64(withRev), continueValue, remainingItemCount)
 }
 
-func (s *store) getList(ctx context.Context, keyPrefix string, recursive bool, options kubernetes.ListOptions) (kubernetes.ListResponse, error) {
+func (s *store) getList(ctx context.Context, keyPrefix string, recursive bool, options kubernetes.ListOptions) (resp kubernetes.ListResponse, err error) {
+	startTime := time.Now()
 	if recursive {
-		return s.client.Kubernetes.List(ctx, keyPrefix, options)
-	}
-	getResp, err := s.client.Kubernetes.Get(ctx, keyPrefix, kubernetes.GetOptions{
-		Revision: options.Revision,
-	})
-	var resp kubernetes.ListResponse
-	if getResp.KV != nil {
-		resp.Kvs = []*mvccpb.KeyValue{getResp.KV}
-		resp.Count = 1
-		resp.Revision = getResp.Revision
+		resp, err = s.client.Kubernetes.List(ctx, keyPrefix, options)
+		metrics.RecordEtcdRequest("list", s.groupResource, err, startTime)
 	} else {
-		resp.Kvs = []*mvccpb.KeyValue{}
-		resp.Count = 0
-		resp.Revision = getResp.Revision
+		var getResp kubernetes.GetResponse
+		getResp, err = s.client.Kubernetes.Get(ctx, keyPrefix, kubernetes.GetOptions{
+			Revision: options.Revision,
+		})
+		metrics.RecordEtcdRequest("get", s.groupResource, err, startTime)
+		if getResp.KV != nil {
+			resp.Kvs = []*mvccpb.KeyValue{getResp.KV}
+			resp.Count = 1
+			resp.Revision = getResp.Revision
+		} else {
+			resp.Kvs = []*mvccpb.KeyValue{}
+			resp.Count = 0
+			resp.Revision = getResp.Revision
+		}
+	}
+
+	stats := s.getResourceSizeEstimator()
+	if len(resp.Kvs) > 0 && stats != nil {
+		stats.Update(resp.Kvs)
 	}
 	return resp, err
 }
@@ -955,7 +960,7 @@ func growSlice(v reflect.Value, maxCapacity int, sizes ...int) {
 
 // Watch implements storage.Interface.Watch.
 func (s *store) Watch(ctx context.Context, key string, opts storage.ListOptions) (watch.Interface, error) {
-	preparedKey, err := s.prepareKey(key)
+	preparedKey, err := s.prepareKey(key, opts.Recursive)
 	if err != nil {
 		return nil, err
 	}
@@ -1102,21 +1107,10 @@ func (s *store) validateMinimumResourceVersion(minimumResourceVersion string, ac
 	return nil
 }
 
-func (s *store) prepareKey(key string) (string, error) {
-	if key == ".." ||
-		strings.HasPrefix(key, "../") ||
-		strings.HasSuffix(key, "/..") ||
-		strings.Contains(key, "/../") {
-		return "", fmt.Errorf("invalid key: %q", key)
-	}
-	if key == "." ||
-		strings.HasPrefix(key, "./") ||
-		strings.HasSuffix(key, "/.") ||
-		strings.Contains(key, "/./") {
-		return "", fmt.Errorf("invalid key: %q", key)
-	}
-	if key == "" || key == "/" {
-		return "", fmt.Errorf("empty key: %q", key)
+func (s *store) prepareKey(key string, recursive bool) (string, error) {
+	key, err := storage.PrepareKey(s.resourcePrefix, key, recursive)
+	if err != nil {
+		return "", err
 	}
 	// We ensured that pathPrefix ends in '/' in construction, so skip any leading '/' in the key now.
 	startIndex := 0
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
index 3c01fd158832f..04e9f64df4b8e 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
@@ -177,7 +177,7 @@ func TestListPaging(t *testing.T) {
 
 func TestGetListNonRecursive(t *testing.T) {
 	ctx, store, client := testSetup(t)
-	storagetesting.RunTestGetListNonRecursive(ctx, t, increaseRV(client.Client), store)
+	storagetesting.RunTestGetListNonRecursive(ctx, t, increaseRVFunc(client.Client), store)
 }
 
 func TestGetListRecursivePrefix(t *testing.T) {
@@ -185,6 +185,11 @@ func TestGetListRecursivePrefix(t *testing.T) {
 	storagetesting.RunTestGetListRecursivePrefix(ctx, t, store)
 }
 
+func TestKeySchema(t *testing.T) {
+	ctx, store, _ := testSetup(t)
+	storagetesting.RunTestKeySchema(ctx, t, store)
+}
+
 type storeWithPrefixTransformer struct {
 	*store
 }
@@ -259,14 +264,14 @@ func TestList(t *testing.T) {
 
 func TestConsistentList(t *testing.T) {
 	ctx, store, client := testSetup(t)
-	storagetesting.RunTestConsistentList(ctx, t, store, increaseRV(client.Client), false, true, false)
+	storagetesting.RunTestConsistentList(ctx, t, store, increaseRVFunc(client.Client), false, true, false)
 }
 
 func TestCompactRevision(t *testing.T) {
 	// Test requires store to observe extenal changes to compaction revision, requiring dedicated watch on compact key which is enabled by ListFromCacheSnapshot.
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ListFromCacheSnapshot, true)
 	ctx, store, client := testSetup(t)
-	storagetesting.RunTestCompactRevision(ctx, t, store, increaseRV(client.Client), compactStorage(store, client.Client))
+	storagetesting.RunTestCompactRevision(ctx, t, store, increaseRVFunc(client.Client), compactStorage(store, client.Client))
 }
 
 func checkStorageCallsInvariants(transformer *storagetesting.PrefixTransformer, recorder *storagetesting.KVRecorder) storagetesting.CallsValidation {
@@ -360,11 +365,13 @@ func compactStorage(s *store, client *clientv3.Client) storagetesting.Compaction
 	}
 }
 
-func increaseRV(client *clientv3.Client) storagetesting.IncreaseRVFunc {
-	return func(ctx context.Context, t *testing.T) {
-		if _, err := client.KV.Put(ctx, "increaseRV", "ok"); err != nil {
+func increaseRVFunc(client *clientv3.Client) storagetesting.IncreaseRVFunc {
+	return func(ctx context.Context, t *testing.T) int64 {
+		resp, err := client.KV.Put(ctx, "increaseRV", "ok")
+		if err != nil {
 			t.Fatalf("Could not update increaseRV: %v", err)
 		}
+		return resp.Header.Revision
 	}
 }
 
@@ -381,10 +388,13 @@ func TestListResourceVersionMatch(t *testing.T) {
 func TestStats(t *testing.T) {
 	for _, sizeBasedListCostEstimate := range []bool{true, false} {
 		t.Run(fmt.Sprintf("SizeBasedListCostEstimate=%v", sizeBasedListCostEstimate), func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SizeBasedListCostEstimate, sizeBasedListCostEstimate)
-			// Match transformer with cacher tests.
 			ctx, store, _ := testSetup(t)
-			store.SetKeysFunc(store.getKeys)
+			if sizeBasedListCostEstimate {
+				err := store.EnableResourceSizeEstimation(store.getKeys)
+				if err != nil {
+					t.Fatal(err)
+				}
+			}
 			storagetesting.RunTestStats(ctx, t, store, store.codec, store.transformer, sizeBasedListCostEstimate)
 		})
 	}
@@ -519,15 +529,15 @@ func TestLeaseMaxObjectCount(t *testing.T) {
 		expectAttachedCount int64
 	}{
 		{
-			key:                 "testkey1",
+			key:                 "/pods/testkey1",
 			expectAttachedCount: 1,
 		},
 		{
-			key:                 "testkey2",
+			key:                 "/pods/testkey2",
 			expectAttachedCount: 2,
 		},
 		{
-			key: "testkey3",
+			key: "/pods/testkey3",
 			// We assume each time has 1 object attached to the lease
 			// so after granting a new lease, the recorded count is set to 1
 			expectAttachedCount: 1,
@@ -610,7 +620,7 @@ func withDefaults(options *setupOptions) {
 	options.newFunc = newPod
 	options.newListFunc = newPodList
 	options.prefix = ""
-	options.resourcePrefix = "/pods"
+	options.resourcePrefix = "/pods/"
 	options.groupResource = schema.GroupResource{Resource: "pods"}
 	options.transformer = newTestTransformer()
 	options.leaseConfig = newTestLeaseManagerConfig()
@@ -628,7 +638,7 @@ func testSetup(t testing.TB, opts ...setupOption) (context.Context, *store, *kub
 	versioner := storage.APIObjectVersioner{}
 	compactor := NewCompactor(client.Client, 0, clock.RealClock{}, nil)
 	t.Cleanup(compactor.Stop)
-	store := New(
+	store, err := New(
 		client,
 		compactor,
 		setupOpts.codec,
@@ -642,23 +652,40 @@ func testSetup(t testing.TB, opts ...setupOption) (context.Context, *store, *kub
 		NewDefaultDecoder(setupOpts.codec, versioner),
 		versioner,
 	)
+	if err != nil {
+		t.Fatal(err)
+	}
 	t.Cleanup(store.Close)
 	ctx := context.Background()
 	return ctx, store, client
 }
 
-func TestValidateKey(t *testing.T) {
+func TestPrepareKey(t *testing.T) {
 	validKeys := []string{
-		"/foo/bar/baz/a.b.c/",
-		"/foo",
-		"foo/bar/baz",
-		"/foo/bar..baz/",
-		"/foo/bar..",
-		"foo",
-		"foo/bar",
-		"/foo/bar/",
+		"/pods/foo/bar/baz/a.b.c/",
+		"/pods/foo",
+		"/pods/foo/bar/baz",
+		"/pods/foo/bar..baz/",
+		"/pods/foo/bar..",
+		"/pods/foo",
+		"/pods/foo/bar",
+		"/pods/foo/bar/",
+		"/pods/",
 	}
 	invalidKeys := []string{
+		"/pods",
+		"/pods/foo/bar/../a.b.c/",
+		"/pods/..",
+		"/pods/../",
+		"/pods/foo/bar/..",
+		"/pods/../foo/bar",
+		"/pods/../foo",
+		"/pods/foo/bar/../",
+		"/pods/.",
+		"/pods/./",
+		"/pods/foo/.",
+		"/pods/./bar",
+		"/pods/foo/./bar/",
 		"/foo/bar/../a.b.c/",
 		"..",
 		"/..",
@@ -681,21 +708,46 @@ func TestValidateKey(t *testing.T) {
 	)
 	_, store, _ := testSetup(t, withPrefix(pathPrefix))
 
-	for _, key := range validKeys {
-		k, err := store.prepareKey(key)
-		if err != nil {
-			t.Errorf("key %q should be valid; unexpected error: %v", key, err)
-		} else if !strings.HasPrefix(k, expectPrefix) {
-			t.Errorf("key %q should have prefix %q", k, expectPrefix)
+	t.Run("Non-recursive", func(t *testing.T) {
+		for _, key := range validKeys {
+			preparedKey, err := store.prepareKey(key, false)
+			if err != nil {
+				t.Errorf("preparing key %q should be valid; unexpected error: %v", key, err)
+				continue
+			}
+			if !strings.HasPrefix(preparedKey, expectPrefix) {
+				t.Errorf("prepared key %q should have prefix %q", preparedKey, expectPrefix)
+			}
+			if !strings.HasSuffix(preparedKey, key) {
+				t.Errorf("Prepared non-recursive key %q should have suffix %q", preparedKey, key)
+			}
 		}
-	}
+	})
 
-	for _, key := range invalidKeys {
-		_, err := store.prepareKey(key)
-		if err == nil {
-			t.Errorf("key %q should be invalid", key)
+	t.Run("Recursive", func(t *testing.T) {
+		for _, key := range validKeys {
+			preparedKey, err := store.prepareKey(key, true)
+			if err != nil {
+				t.Errorf("preparing key %q should be valid; unexpected error: %v", key, err)
+				continue
+			}
+			if !strings.HasPrefix(preparedKey, expectPrefix) {
+				t.Errorf("prepared key %q should have prefix %q", preparedKey, expectPrefix)
+			}
+			if !strings.HasSuffix(preparedKey, "/") {
+				t.Errorf("Prepared non-recursive key %q should have suffix '/'", preparedKey)
+			}
 		}
-	}
+	})
+
+	t.Run("Invalid", func(t *testing.T) {
+		for _, key := range invalidKeys {
+			_, err := store.prepareKey(key, false)
+			if err == nil {
+				t.Errorf("key %q should be invalid", key)
+			}
+		}
+	})
 }
 
 func TestInvalidKeys(t *testing.T) {
@@ -917,14 +969,14 @@ func TestGetCurrentResourceVersion(t *testing.T) {
 		}
 	}
 	createPod := func(obj *example.Pod) *example.Pod {
-		key := "pods/" + obj.Namespace + "/" + obj.Name
+		key := "/pods/" + obj.Namespace + "/" + obj.Name
 		out := &example.Pod{}
 		err := store.Create(context.TODO(), key, obj, out, 0)
 		require.NoError(t, err)
 		return out
 	}
 	getPod := func(name, ns string) *example.Pod {
-		key := "pods/" + ns + "/" + name
+		key := "/pods/" + ns + "/" + name
 		out := &example.Pod{}
 		err := store.Get(context.TODO(), key, storage.GetOptions{}, out)
 		require.NoError(t, err)
@@ -988,8 +1040,8 @@ func BenchmarkStatsCacheCleanKeys(b *testing.B) {
 	if err != nil {
 		b.Fatal(err)
 	}
-	if len(store.stats.keys) < namespaceCount*podPerNamespaceCount {
-		b.Fatalf("Unexpected number of keys in stats, want: %d, got: %d", namespaceCount*podPerNamespaceCount, len(store.stats.keys))
+	if len(store.resourceSizeEstimator.keys) < namespaceCount*podPerNamespaceCount {
+		b.Fatalf("Unexpected number of keys in stats, want: %d, got: %d", namespaceCount*podPerNamespaceCount, len(store.resourceSizeEstimator.keys))
 	}
 	// Get keys to measure only cleanupKeys time
 	keys, err := store.getKeys(ctx)
@@ -998,15 +1050,15 @@ func BenchmarkStatsCacheCleanKeys(b *testing.B) {
 	}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		store.stats.cleanKeys(keys)
+		store.resourceSizeEstimator.cleanKeys(keys)
 	}
-	if len(store.stats.keys) < namespaceCount*podPerNamespaceCount {
-		b.Fatalf("Unexpected number of keys in stats, want: %d, got: %d", namespaceCount*podPerNamespaceCount, len(store.stats.keys))
+	if len(store.resourceSizeEstimator.keys) < namespaceCount*podPerNamespaceCount {
+		b.Fatalf("Unexpected number of keys in stats, want: %d, got: %d", namespaceCount*podPerNamespaceCount, len(store.resourceSizeEstimator.keys))
 	}
 }
 
 func TestPrefixGetKeys(t *testing.T) {
-	ctx, store, c := testSetup(t, withPrefix("/registry"), withResourcePrefix("pods"))
+	ctx, store, c := testSetup(t, withPrefix("/registry"), withResourcePrefix("/pods"))
 	_, err := c.KV.Put(ctx, "key", "a")
 	if err != nil {
 		t.Fatal(err)
@@ -1042,40 +1094,27 @@ func TestPrefixStats(t *testing.T) {
 	tcs := []struct {
 		name        string
 		estimate    bool
-		setKeys     bool
 		expectStats storage.Stats
 	}{
 		{
-			name:        "SizeBasedListCostEstimate=false,SetKeys=false",
-			setKeys:     false,
+			name:        "Estimate=false",
 			estimate:    false,
 			expectStats: storage.Stats{ObjectCount: 1},
 		},
 		{
-			name:        "SizeBasedListCostEstimate=false,SetKeys=true",
-			setKeys:     true,
-			estimate:    false,
-			expectStats: storage.Stats{ObjectCount: 1},
-		},
-		{
-			name:        "SizeBasedListCostEstimate=true,SetKeys=false",
-			setKeys:     false,
-			estimate:    true,
-			expectStats: storage.Stats{ObjectCount: 1},
-		},
-		{
-			name:        "SizeBasedListCostEstimate=true,SetKeys=true",
-			setKeys:     true,
+			name:        "Estimate=true",
 			estimate:    true,
 			expectStats: storage.Stats{ObjectCount: 1, EstimatedAverageObjectSizeBytes: 3},
 		},
 	}
 	for _, tc := range tcs {
 		t.Run(tc.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SizeBasedListCostEstimate, tc.estimate)
-			ctx, store, c := testSetup(t, withPrefix("/registry"), withResourcePrefix("pods"))
-			if tc.setKeys {
-				store.SetKeysFunc(store.getKeys)
+			ctx, store, c := testSetup(t, withPrefix("/registry"), withResourcePrefix("/pods/"))
+			if tc.estimate {
+				err := store.EnableResourceSizeEstimation(store.getKeys)
+				if err != nil {
+					t.Fatal(err)
+				}
 			}
 			_, err := c.KV.Put(ctx, "key", "a")
 			if err != nil {
@@ -1099,7 +1138,7 @@ func TestPrefixStats(t *testing.T) {
 
 			listOut := &example.PodList{}
 			// Ignore error as decode is expected to fail
-			_ = store.GetList(ctx, "pods", storage.ListOptions{Predicate: storage.Everything, Recursive: true}, listOut)
+			_ = store.GetList(ctx, "/pods/", storage.ListOptions{Predicate: storage.Everything, Recursive: true}, listOut)
 
 			gotStats, err := store.Stats(ctx)
 			if err != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go
index 76f65f160eb04..cf16606bc512a 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher.go
@@ -69,30 +69,30 @@ func TestOnlySetFatalOnDecodeError(b bool) {
 }
 
 type watcher struct {
-	client              *clientv3.Client
-	codec               runtime.Codec
-	newFunc             func() runtime.Object
-	objectType          string
-	groupResource       schema.GroupResource
-	versioner           storage.Versioner
-	transformer         value.Transformer
-	getCurrentStorageRV func(context.Context) (uint64, error)
-	stats               *statsCache
+	client                   *clientv3.Client
+	codec                    runtime.Codec
+	newFunc                  func() runtime.Object
+	objectType               string
+	groupResource            schema.GroupResource
+	versioner                storage.Versioner
+	transformer              value.Transformer
+	getCurrentStorageRV      func(context.Context) (uint64, error)
+	getResourceSizeEstimator func() *resourceSizeEstimator
 }
 
 // watchChan implements watch.Interface.
 type watchChan struct {
-	watcher           *watcher
-	key               string
-	initialRev        int64
-	recursive         bool
-	progressNotify    bool
-	internalPred      storage.SelectionPredicate
-	ctx               context.Context
-	cancel            context.CancelFunc
-	incomingEventChan chan *event
-	resultChan        chan watch.Event
-	stats             *statsCache
+	watcher                  *watcher
+	key                      string
+	initialRev               int64
+	recursive                bool
+	progressNotify           bool
+	internalPred             storage.SelectionPredicate
+	ctx                      context.Context
+	cancel                   context.CancelFunc
+	incomingEventChan        chan *event
+	resultChan               chan watch.Event
+	getResourceSizeEstimator func() *resourceSizeEstimator
 }
 
 // Watch watches on a key and returns a watch.Interface that transfers relevant notifications.
@@ -104,7 +104,7 @@ type watchChan struct {
 // pred must be non-nil. Only if opts.Predicate matches the change, it will be returned.
 func (w *watcher) Watch(ctx context.Context, key string, rev int64, opts storage.ListOptions) (watch.Interface, error) {
 	if opts.Recursive && !strings.HasSuffix(key, "/") {
-		key += "/"
+		return nil, fmt.Errorf(`recursive key needs to end with "/"`)
 	}
 	if opts.ProgressNotify && w.newFunc == nil {
 		return nil, apierrors.NewInternalError(errors.New("progressNotify for watch is unsupported by the etcd storage because no newFunc was provided"))
@@ -128,15 +128,15 @@ func (w *watcher) Watch(ctx context.Context, key string, rev int64, opts storage
 
 func (w *watcher) createWatchChan(ctx context.Context, key string, rev int64, recursive, progressNotify bool, pred storage.SelectionPredicate) *watchChan {
 	wc := &watchChan{
-		watcher:           w,
-		key:               key,
-		initialRev:        rev,
-		recursive:         recursive,
-		progressNotify:    progressNotify,
-		internalPred:      pred,
-		incomingEventChan: make(chan *event, incomingBufSize),
-		resultChan:        make(chan watch.Event, outgoingBufSize),
-		stats:             w.stats,
+		watcher:                  w,
+		key:                      key,
+		initialRev:               rev,
+		recursive:                recursive,
+		progressNotify:           progressNotify,
+		internalPred:             pred,
+		incomingEventChan:        make(chan *event, incomingBufSize),
+		resultChan:               make(chan watch.Event, outgoingBufSize),
+		getResourceSizeEstimator: w.getResourceSizeEstimator,
 	}
 	if pred.Empty() {
 		// The filter doesn't filter out any object.
@@ -385,6 +385,7 @@ func (wc *watchChan) startWatching(watchClosedCh chan struct{}, initialEventsEnd
 		opts = append(opts, clientv3.WithProgressNotify())
 	}
 	wch := wc.watcher.client.Watch(wc.ctx, wc.key, opts...)
+	estimator := wc.getResourceSizeEstimator()
 	for wres := range wch {
 		if wres.Err() != nil {
 			err := wres.Err()
@@ -405,12 +406,12 @@ func (wc *watchChan) startWatching(watchClosedCh chan struct{}, initialEventsEnd
 		}
 
 		for _, e := range wres.Events {
-			if wc.stats != nil {
+			if estimator != nil {
 				switch e.Type {
 				case clientv3.EventTypePut:
-					wc.stats.UpdateKey(e.Kv)
+					estimator.UpdateKey(e.Kv)
 				case clientv3.EventTypeDelete:
-					wc.stats.DeleteKey(e.Kv)
+					estimator.DeleteKey(e.Kv)
 				}
 			}
 			metrics.RecordEtcdEvent(wc.watcher.groupResource)
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher_test.go
index 88fcd656cd299..8321867217a26 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/watcher_test.go
@@ -108,7 +108,7 @@ func TestProgressNotify(t *testing.T) {
 	clusterConfig.WatchProgressNotifyInterval = time.Second
 	ctx, store, client := testSetup(t, withClientConfig(clusterConfig))
 
-	storagetesting.RunOptionalTestProgressNotify(ctx, t, store, increaseRV(client.Client))
+	storagetesting.RunOptionalTestProgressNotify(ctx, t, store, increaseRVFunc(client.Client))
 }
 
 func TestWatchWithUnsafeDelete(t *testing.T) {
@@ -227,7 +227,7 @@ func TestTooLargeResourceVersionErrorForWatchList(t *testing.T) {
 		t.Fatalf("Unable to convert NewTooLargeResourceVersionError to apierrors.StatusError")
 	}
 
-	w, err := store.watcher.Watch(ctx, "/abc", int64(102), requestOpts)
+	w, err := store.watcher.Watch(ctx, "/abc/", int64(102), requestOpts)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/interfaces.go b/staging/src/k8s.io/apiserver/pkg/storage/interfaces.go
index a07dda56208c0..be9980cfc7cff 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/interfaces.go
@@ -19,6 +19,7 @@ package storage
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -268,9 +269,8 @@ type Interface interface {
 	// This method issues an empty list request and reads only the ResourceVersion from the object metadata
 	GetCurrentResourceVersion(ctx context.Context) (uint64, error)
 
-	// SetKeysFunc allows to override the function used to get keys from storage.
-	// This allows to replace default function that fetches keys from storage with one using cache.
-	SetKeysFunc(KeysFunc)
+	// EnableResourceSizeEstimation enables estimating resource size by providing function get keys from storage.
+	EnableResourceSizeEstimation(KeysFunc) error
 
 	// CompactRevision returns latest observed revision that was compacted.
 	// Without ListFromCacheSnapshot enabled only locally executed compaction will be observed.
@@ -391,3 +391,32 @@ type Stats struct {
 	// Value is an estimate, meaning it doesn't need to provide accurate nor consistent.
 	EstimatedAverageObjectSizeBytes int64
 }
+
+func PrepareKey(resourcePrefix, key string, recursive bool) (string, error) {
+	if key == ".." ||
+		strings.HasPrefix(key, "../") ||
+		strings.HasSuffix(key, "/..") ||
+		strings.Contains(key, "/../") {
+		return "", fmt.Errorf("invalid key: %q", key)
+	}
+	if key == "." ||
+		strings.HasPrefix(key, "./") ||
+		strings.HasSuffix(key, "/.") ||
+		strings.Contains(key, "/./") {
+		return "", fmt.Errorf("invalid key: %q", key)
+	}
+	if key == "" || key == "/" {
+		return "", fmt.Errorf("empty key: %q", key)
+	}
+	// For recursive requests, we need to make sure the key ended with "/" so that we only
+	// get children "directories". e.g. if we have key "/a", "/a/b", "/ab", getting keys
+	// with prefix "/a" will return all three, while with prefix "/a/" will return only
+	// "/a/b" which is the correct answer.
+	if recursive && !strings.HasSuffix(key, "/") {
+		key += "/"
+	}
+	if !strings.HasPrefix(key, resourcePrefix) {
+		return "", fmt.Errorf("invalid key: %q lacks resource prefix: %q", key, resourcePrefix)
+	}
+	return key, nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go
index a97e8a537fe81..c6598d7cf237e 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go
@@ -441,6 +441,8 @@ func newETCD3Storage(c storagebackend.ConfigForResource, newFunc, newListFunc fu
 
 	stopDBSizeMonitor, err := startDBSizeMonitorPerEndpoint(client.Client, c.DBMetricPollInterval)
 	if err != nil {
+		stopCompactor()
+		_ = client.Close()
 		return nil, nil, err
 	}
 
@@ -456,7 +458,13 @@ func newETCD3Storage(c storagebackend.ConfigForResource, newFunc, newListFunc fu
 		transformer = etcd3.WithCorruptObjErrorHandlingTransformer(transformer)
 		decoder = etcd3.WithCorruptObjErrorHandlingDecoder(decoder)
 	}
-	etcd3StorageInterface := etcd3.New(client, compactor, c.Codec, newFunc, newListFunc, c.Prefix, resourcePrefix, c.GroupResource, transformer, c.LeaseManagerConfig, decoder, versioner)
+	etcd3StorageInterface, err := etcd3.New(client, compactor, c.Codec, newFunc, newListFunc, c.Prefix, resourcePrefix, c.GroupResource, transformer, c.LeaseManagerConfig, decoder, versioner)
+	if err != nil {
+		stopCompactor()
+		stopDBSizeMonitor()
+		_ = client.Close()
+		return nil, nil, err
+	}
 	store := etcd3retry.NewRetryingEtcdStorage(etcd3StorageInterface)
 	var once sync.Once
 	destroyFunc := func() {
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go
index 2a93747f41410..a095edf650576 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/storagebackend/factory/tls_test.go
@@ -80,12 +80,12 @@ func TestTLSConnection(t *testing.T) {
 		},
 		Codec: codec,
 	}
-	storage, destroyFunc, err := newETCD3Storage(*cfg.ForResource(schema.GroupResource{Resource: "pods"}), nil, nil, "")
+	storage, destroyFunc, err := newETCD3Storage(*cfg.ForResource(schema.GroupResource{Resource: "pods"}), nil, nil, "/pods")
 	defer destroyFunc()
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = storage.Create(context.TODO(), "/abc", &example.Pod{}, nil, 0)
+	err = storage.Create(context.TODO(), "/pods/abc", &example.Pod{}, nil, 0)
 	if err != nil {
 		t.Fatalf("Create failed: %v", err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/testing/store_benchmarks.go b/staging/src/k8s.io/apiserver/pkg/storage/testing/store_benchmarks.go
index 6bb4acdee38f3..a919546fe071e 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/testing/store_benchmarks.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/testing/store_benchmarks.go
@@ -57,7 +57,7 @@ func RunBenchmarkStoreListCreate(ctx context.Context, b *testing.B, store storag
 			panic(fmt.Sprintf("Unexpected error %s", err))
 		}
 		listOut := &example.PodList{}
-		err = store.GetList(ctx, "/pods", storage.ListOptions{
+		err = store.GetList(ctx, "/pods/", storage.ListOptions{
 			Recursive:            true,
 			ResourceVersion:      podOut.ResourceVersion,
 			ResourceVersionMatch: match,
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/testing/store_tests.go b/staging/src/k8s.io/apiserver/pkg/storage/testing/store_tests.go
index 196b637f91f3e..23e30eb45d491 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/testing/store_tests.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/testing/store_tests.go
@@ -193,12 +193,12 @@ func RunTestGet(ctx context.Context, t *testing.T, store storage.Interface) {
 		rv:               strconv.FormatInt(math.MaxInt64, 10),
 	}, {
 		name:              "get non-existing",
-		key:               "/non-existing",
+		key:               "/pods/non-existing",
 		ignoreNotFound:    false,
 		expectNotFoundErr: true,
 	}, {
 		name:              "get non-existing, ignore not found",
-		key:               "/non-existing",
+		key:               "/pods/non-existing",
 		ignoreNotFound:    true,
 		expectNotFoundErr: false,
 		expectedOut:       &example.Pod{},
@@ -258,7 +258,7 @@ func RunTestUnconditionalDelete(ctx context.Context, t *testing.T, store storage
 		expectNotFoundErr: false,
 	}, {
 		name:              "non-existing key",
-		key:               "/non-existing",
+		key:               "/pods/non-existing",
 		expectedObj:       nil,
 		expectNotFoundErr: true,
 	}}
@@ -640,17 +640,15 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		Predicate:       storage.Everything,
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/second", storageOpts, list); err != nil {
+	if err := store.GetList(ctx, "/pods/second", storageOpts, list); err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
-	continueRV, _ := strconv.Atoi(list.ResourceVersion)
-	secondContinuation, err := storage.EncodeContinue("/second/foo", "/second/", int64(continueRV))
+	continueRV := mustParseResourceVersion(t, list.ResourceVersion)
+	secondContinuation, err := storage.EncodeContinue("/pods/second/foo", "/pods/second/", int64(continueRV))
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	initialRV2, _ := strconv.Atoi(initialRV)
-
 	getAttrs := func(obj runtime.Object) (labels.Set, fields.Set, error) {
 		pod := obj.(*example.Pod)
 		return nil, fields.Set{"metadata.name": pod.Name, "spec.nodeName": pod.Spec.NodeName}, nil
@@ -677,18 +675,18 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		expectContinueTooOld       bool
 		expectRV                   string
 		expectRVFunc               func(string) error
-		expectEtcdRequest          func() []RecordedList
+		expectCacherRequestsToEtcd func() []RecordedList
 	}{
 		{
 			name:        "rejects invalid resource version",
-			prefix:      "/pods",
+			prefix:      "/pods/",
 			pred:        storage.Everything,
 			rv:          "abc",
 			expectError: true,
 		},
 		{
 			name:   "rejects resource version and continue token",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Label:    labels.Everything(),
 				Field:    fields.Everything(),
@@ -700,7 +698,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:             "rejects resource version set too high",
-			prefix:           "/pods",
+			prefix:           "/pods/",
 			pred:             storage.Everything,
 			rv:               strconv.FormatInt(math.MaxInt64, 10),
 			expectRVTooLarge: true,
@@ -710,6 +708,16 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			prefix:      "/pods/first/",
 			pred:        storage.Everything,
 			expectedOut: []example.Pod{*updatedPod},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/first/",
+					},
+				}
+			},
 		},
 		{
 			name:                 "test List on existing key with resource version set to 0",
@@ -726,6 +734,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[0].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[0].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/first/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[0].ResourceVersion)},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List on existing key with resource version set before creation, match=Exact",
@@ -735,6 +754,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[0].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[0].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[0].ResourceVersion)},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List on existing key with resource version set after creation, match=Exact",
@@ -744,6 +774,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[1].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[1].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[1].ResourceVersion)},
+					},
+				}
+			},
 		},
 		{
 			name:           "test List on existing key with resource version set before first write, match=Exact",
@@ -752,6 +793,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:             initialRV,
 			rvMatch:        metav1.ResourceVersionMatchExact,
 			expectRVTooOld: true,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/first/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, initialRV)},
+					},
+				}
+			},
 		},
 		{
 			name:                 "test List on existing key with resource version set to 0, match=NotOlderThan",
@@ -800,6 +852,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          list.ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    list.ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/first/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV)},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List on existing key with resource version set to current resource version, match=NotOlderThan",
@@ -814,6 +877,16 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			prefix:      "/pods/non-existing/",
 			pred:        storage.Everything,
 			expectedOut: []example.Pod{},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/non-existing/",
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with pod name matching",
@@ -823,6 +896,16 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Field: fields.ParseSelectorOrDie("metadata.name!=bar"),
 			},
 			expectedOut: []example.Pod{},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/first/",
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with pod name matching with resource version set to current resource version, match=NotOlderThan",
@@ -848,7 +931,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[1].Name+"\x00", int64(mustAtoi(currentRV))),
 			expectedRemainingItemCount: ptr.To[int64](1),
-			expectEtcdRequest: func() []RecordedList {
+			expectCacherRequestsToEtcd: func() []RecordedList {
 				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
 					return nil
 				}
@@ -874,6 +957,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectedRemainingItemCount: ptr.To[int64](1),
 			rv:                         list.ResourceVersion,
 			expectRV:                   list.ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit at current resource version and match=Exact",
@@ -890,6 +984,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:                         list.ResourceVersion,
 			rvMatch:                    metav1.ResourceVersionMatchExact,
 			expectRV:                   list.ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit at current resource version and match=NotOlderThan",
@@ -958,6 +1063,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:             createdPods[0].ResourceVersion,
 			rvMatch:        metav1.ResourceVersionMatchExact,
 			expectRV:       createdPods[0].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[0].ResourceVersion), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit at resource version after created and match=Exact",
@@ -972,6 +1088,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:             createdPods[1].ResourceVersion,
 			rvMatch:        metav1.ResourceVersionMatchExact,
 			expectRV:       createdPods[1].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[1].ResourceVersion), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with pregenerated continue token",
@@ -983,6 +1110,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Continue: secondContinuation,
 			},
 			expectedOut: []example.Pod{*createdPods[2]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 1, Continue: "/registry/pods/second/foo"},
+					},
+				}
+			},
 		},
 		{
 			name:   "ignores resource version 0 for List with pregenerated continue token",
@@ -995,12 +1133,33 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			rv:          "0",
 			expectedOut: []example.Pod{*createdPods[2]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/second/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 1, Continue: "/registry/pods/second/foo"},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with multiple levels of directories and expect flattened result",
 			prefix:      "/pods/second/",
 			pred:        storage.Everything,
 			expectedOut: []example.Pod{*createdPods[1], *createdPods[2]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/second/",
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with multiple levels of directories and expect flattened result with current resource version and match=NotOlderThan",
@@ -1012,7 +1171,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "test List with filter returning only one item, ensure only a single page returned",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1020,10 +1179,29 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut:    []example.Pod{*createdPods[3]},
 			expectContinue: true,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Limit: 1},
+					},
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 2, Continue: "/registry/pods/first/bar\x00"},
+					},
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 4, Continue: "/registry/pods/second/foo\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with filter returning only one item, ensure only a single page returned with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1037,7 +1215,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "test List with filter returning only one item, covers the entire list",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1045,10 +1223,25 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut:    []example.Pod{*createdPods[3]},
 			expectContinue: false,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 0, Limit: 2},
+					},
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 4, Continue: "/registry/pods/second/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with filter returning only one item, covers the entire list with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1062,7 +1255,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "test List with filter returning only one item, covers the entire list, with resource version 0",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1074,7 +1267,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "test List with filter returning two items, more pages possible",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "bar"),
 				Label: labels.Everything(),
@@ -1082,10 +1275,21 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectContinue: true,
 			expectedOut:    []example.Pod{*updatedPod, *createdPods[1]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 0, Limit: 2},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with filter returning two items, more pages possible with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "bar"),
 				Label: labels.Everything(),
@@ -1098,17 +1302,32 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "filter returns two items split across multiple pages",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label: labels.Everything(),
 				Limit: 2,
 			},
 			expectedOut: []example.Pod{*createdPods[2], *createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 0, Limit: 2},
+					},
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 4, Continue: "/registry/pods/second/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns two items split across multiple pages with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label: labels.Everything(),
@@ -1120,7 +1339,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "filter returns one item for last page, ends on last item, not full",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field:    fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label:    labels.Everything(),
@@ -1128,10 +1347,21 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Continue: encodeContinueOrDie("third/barfoo", int64(continueRV)),
 			},
 			expectedOut: []example.Pod{*createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 2, Continue: "/registry/pods/third/barfoo"},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns one item for last page, starts on last item, full",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field:    fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label:    labels.Everything(),
@@ -1139,10 +1369,25 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Continue: encodeContinueOrDie("third/barfoo", int64(continueRV)),
 			},
 			expectedOut: []example.Pod{*createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 1, Continue: "/registry/pods/third/barfoo"},
+					},
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 2, Continue: "/registry/pods/third/barfoo\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns one item for last page, starts on last item, partial page",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field:    fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label:    labels.Everything(),
@@ -1150,20 +1395,42 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Continue: encodeContinueOrDie("third/barfoo", int64(continueRV)),
 			},
 			expectedOut: []example.Pod{*createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 2, Continue: "/registry/pods/third/barfoo"},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns two items, page size equal to total list size",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label: labels.Everything(),
 				Limit: 5,
 			},
 			expectedOut: []example.Pod{*createdPods[2], *createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 0, Limit: 5},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns two items, page size equal to total list size with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "foo"),
 				Label: labels.Everything(),
@@ -1175,17 +1442,28 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "filter returns one item, page size equal to total list size",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
 				Limit: 5,
 			},
 			expectedOut: []example.Pod{*createdPods[3]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 0, Limit: 5},
+					},
+				}
+			},
 		},
 		{
 			name:   "filter returns one item, page size equal to total list size with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "barfoo"),
 				Label: labels.Everything(),
@@ -1197,13 +1475,23 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:        "list all items",
-			prefix:      "/pods",
+			prefix:      "/pods/",
 			pred:        storage.Everything,
 			expectedOut: []example.Pod{*updatedPod, *createdPods[1], *createdPods[2], *createdPods[3], *createdPods[4]},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/",
+					},
+				}
+			},
 		},
 		{
 			name:        "list all items with current resource version and match=NotOlderThan",
-			prefix:      "/pods",
+			prefix:      "/pods/",
 			pred:        storage.Everything,
 			rv:          list.ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchNotOlderThan,
@@ -1211,7 +1499,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "verify list returns updated version of object; filter returns one item, page size equal to total list size with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("spec.nodeName", "fakeNode"),
 				Label: labels.Everything(),
@@ -1223,7 +1511,7 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 		},
 		{
 			name:   "verify list does not return deleted object; filter for deleted object, page size equal to total list size with current resource version and match=NotOlderThan",
-			prefix: "/pods",
+			prefix: "/pods/",
 			pred: storage.SelectionPredicate{
 				Field: fields.OneTermEqualSelector("metadata.name", "baz"),
 				Label: labels.Everything(),
@@ -1240,6 +1528,16 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          "",
 			expectRV:    currentRV,
 			expectedOut: []example.Pod{},
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key: "/registry/pods/empty/",
+					},
+				}
+			},
 		},
 		{
 			name:         "test non-consistent List",
@@ -1266,6 +1564,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[0].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[0].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 2},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of second write, match=Exact",
@@ -1275,6 +1584,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[1].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[1].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 3},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of third write, match=Exact",
@@ -1284,6 +1604,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[2].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[2].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 4},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of fourth write, match=Exact",
@@ -1293,6 +1624,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[3].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[3].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 5},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of fifth write, match=Exact",
@@ -1302,6 +1644,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[4].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[4].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 6},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of six write, match=Exact",
@@ -1311,6 +1664,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          createdPods[5].ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    createdPods[5].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 7},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of seventh write, match=Exact",
@@ -1320,6 +1684,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          updatedPod.ResourceVersion,
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    updatedPod.ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: 8},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version of eight write, match=Exact",
@@ -1329,6 +1704,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          fmt.Sprint(continueRV),
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    fmt.Sprint(continueRV),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV)},
+					},
+				}
+			},
 		},
 		{
 			name:        "test List with resource version after writes, match=Exact",
@@ -1338,6 +1724,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          fmt.Sprint(continueRV + 1),
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    fmt.Sprint(continueRV + 1),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1},
+					},
+				}
+			},
 		},
 		{
 			name:             "test List with future resource version, match=Exact",
@@ -1346,6 +1743,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:               fmt.Sprint(continueRV + 2),
 			rvMatch:          metav1.ResourceVersionMatchExact,
 			expectRVTooLarge: true,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 2},
+					},
+				}
+			},
 		},
 		// limit, match=Exact
 		{
@@ -1363,6 +1771,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rvMatch:                    metav1.ResourceVersionMatchExact,
 			expectRV:                   createdPods[1].ResourceVersion,
 			expectedRemainingItemCount: ptr.To[int64](1),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[1].ResourceVersion), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of third write, match=Exact",
@@ -1379,6 +1798,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinueExact:        encodeContinueOrDie(createdPods[1].Namespace+"/"+createdPods[1].Name+"\x00", int64(mustAtoi(createdPods[2].ResourceVersion))),
 			expectRV:                   createdPods[2].ResourceVersion,
 			expectedRemainingItemCount: ptr.To[int64](1),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[2].ResourceVersion), Limit: 2},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of fourth write, match=Exact",
@@ -1392,6 +1822,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectedOut: []example.Pod{*createdPods[0], *createdPods[1], *createdPods[2], *createdPods[3]},
 			expectRV:    createdPods[3].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[3].ResourceVersion), Limit: 4},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of fifth write, match=Exact",
@@ -1408,6 +1849,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[0].Namespace+"/"+createdPods[0].Name+"\x00", int64(mustAtoi(createdPods[4].ResourceVersion))),
 			expectedRemainingItemCount: ptr.To[int64](4),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[4].ResourceVersion), Limit: 1},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of six write, match=Exact",
@@ -1424,6 +1876,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[1].Namespace+"/"+createdPods[1].Name+"\x00", int64(mustAtoi(createdPods[5].ResourceVersion))),
 			expectedRemainingItemCount: ptr.To[int64](4),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[5].ResourceVersion), Limit: 2},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of seventh write, match=Exact",
@@ -1440,6 +1903,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[2].Namespace+"/"+createdPods[2].Name+"\x00", int64(mustAtoi(updatedPod.ResourceVersion))),
 			expectedRemainingItemCount: ptr.To[int64](2),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, updatedPod.ResourceVersion), Limit: 4},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version of eight write, match=Exact",
@@ -1453,6 +1927,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			rv:          fmt.Sprint(continueRV),
 			rvMatch:     metav1.ResourceVersionMatchExact,
 			expectRV:    fmt.Sprint(continueRV),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV), Limit: 8},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with limit, resource version after writes, match=Exact",
@@ -1469,6 +1954,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(updatedPod.Namespace+"/"+updatedPod.Name+"\x00", int64(continueRV+1)),
 			expectedRemainingItemCount: ptr.To[int64](4),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 1},
+					},
+				}
+			},
 		},
 		// Continue
 		{
@@ -1478,9 +1974,20 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 				Label:    labels.Everything(),
 				Field:    fields.Everything(),
 				Limit:    1,
-				Continue: encodeContinueOrDie(createdPods[0].Namespace+"/"+createdPods[0].Name+"\x00", int64(initialRV2)),
+				Continue: encodeContinueOrDie(createdPods[0].Namespace+"/"+createdPods[0].Name+"\x00", mustParseResourceVersion(t, initialRV)),
 			},
 			expectContinueTooOld: true,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, initialRV), Limit: 4},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of first write",
@@ -1493,6 +2000,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{},
 			expectRV:    createdPods[0].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[0].ResourceVersion), Limit: 1, Continue: "/registry/pods/first/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of second write",
@@ -1505,6 +2023,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{*createdPods[1]},
 			expectRV:    createdPods[1].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[1].ResourceVersion), Limit: 1, Continue: "/registry/pods/first/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of third write",
@@ -1517,6 +2046,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{*createdPods[2]},
 			expectRV:    createdPods[2].ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[2].ResourceVersion), Limit: 2, Continue: "/registry/pods/second/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of fifth write",
@@ -1532,6 +2072,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[1].Namespace+"/"+createdPods[1].Name+"\x00", int64(mustAtoi(createdPods[4].ResourceVersion))),
 			expectedRemainingItemCount: ptr.To[int64](3),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[4].ResourceVersion), Limit: 1, Continue: "/registry/pods/first/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of six write",
@@ -1547,6 +2098,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[2].Namespace+"/"+createdPods[2].Name+"\x00", int64(mustAtoi(createdPods[5].ResourceVersion))),
 			expectedRemainingItemCount: ptr.To[int64](2),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, createdPods[5].ResourceVersion), Limit: 2, Continue: "/registry/pods/second/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version of seventh write",
@@ -1559,6 +2121,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{*createdPods[3], *createdPods[4]},
 			expectRV:    updatedPod.ResourceVersion,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: mustParseResourceVersion(t, updatedPod.ResourceVersion), Limit: 4, Continue: "/registry/pods/second/foo\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue, resource version after writes",
@@ -1574,6 +2147,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinue:             true,
 			expectContinueExact:        encodeContinueOrDie(createdPods[1].Namespace+"/"+createdPods[1].Name+"\x00", int64(continueRV+1)),
 			expectedRemainingItemCount: ptr.To[int64](3),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Revision: int64(continueRV) + 1, Limit: 1, Continue: "/registry/pods/first/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue from second pod, negative resource version gives consistent read",
@@ -1585,6 +2169,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{*createdPods[1], *createdPods[2], *createdPods[3], *createdPods[4]},
 			expectRV:    currentRV,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Continue: "/registry/pods/first/bar\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue from second pod and limit, negative resource version gives consistent read",
@@ -1600,6 +2195,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			expectContinueExact:        encodeContinueOrDie(createdPods[2].Namespace+"/"+createdPods[2].Name+"\x00", int64(continueRV+1)),
 			expectRV:                   currentRV,
 			expectedRemainingItemCount: ptr.To[int64](2),
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Continue: "/registry/pods/first/bar\x00", Limit: 2},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue from third pod, negative resource version gives consistent read",
@@ -1611,6 +2217,17 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			},
 			expectedOut: []example.Pod{*createdPods[3], *createdPods[4]},
 			expectRV:    currentRV,
+			expectCacherRequestsToEtcd: func() []RecordedList {
+				if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && utilfeature.DefaultFeatureGate.Enabled(features.ListFromCacheSnapshot) {
+					return nil
+				}
+				return []RecordedList{
+					{
+						Key:         "/registry/pods/",
+						ListOptions: kubernetes.ListOptions{Continue: "/registry/pods/second/foo\x00"},
+					},
+				}
+			},
 		},
 		{
 			name:   "test List with continue from empty fails",
@@ -1731,11 +2348,14 @@ func RunTestList(ctx context.Context, t *testing.T, store storage.Interface, com
 			if !cmp.Equal(tt.expectedRemainingItemCount, out.RemainingItemCount) {
 				t.Fatalf("unexpected remainingItemCount, diff: %s", cmp.Diff(tt.expectedRemainingItemCount, out.RemainingItemCount))
 			}
-			if watchCacheEnabled && tt.expectEtcdRequest != nil {
-				expectEtcdLists := tt.expectEtcdRequest()
-				etcdLists := recorder.ListRequestForKey(recorderKey)
-				if !cmp.Equal(expectEtcdLists, etcdLists) {
-					t.Fatalf("unexpected etcd requests, diff: %s", cmp.Diff(expectEtcdLists, etcdLists))
+			if watchCacheEnabled {
+				var expectedListRequests []RecordedList
+				if tt.expectCacherRequestsToEtcd != nil {
+					expectedListRequests = tt.expectCacherRequestsToEtcd()
+				}
+				gotListRequests := recorder.ListRequestForKey(recorderKey)
+				if !cmp.Equal(expectedListRequests, gotListRequests) {
+					t.Fatalf("unexpected etcd list requests, diff: %s", cmp.Diff(expectedListRequests, gotListRequests))
 				}
 			}
 		})
@@ -1909,7 +2529,7 @@ func seedMultiLevelData(ctx context.Context, store storage.Interface) (initialRV
 
 	// we want to figure out the resourceVersion before we create anything
 	initialList := &example.PodList{}
-	if err := store.GetList(ctx, "/pods", storage.ListOptions{Predicate: storage.Everything, Recursive: true}, initialList); err != nil {
+	if err := store.GetList(ctx, "/pods/", storage.ListOptions{Predicate: storage.Everything, Recursive: true}, initialList); err != nil {
 		return "", nil, nil, fmt.Errorf("failed to determine starting resourceVersion: %w", err)
 	}
 	initialRV = initialList.ResourceVersion
@@ -2037,12 +2657,12 @@ func RunTestGetListNonRecursive(ctx context.Context, t *testing.T, increaseRV In
 		expectRVTooLarge: true,
 	}, {
 		name:        "non-existing key",
-		key:         "/non-existing",
+		key:         "/pods/non-existing",
 		pred:        storage.Everything,
 		expectedOut: []example.Pod{},
 	}, {
 		name: "with matching pod name",
-		key:  "/non-existing",
+		key:  "/pods/non-existing",
 		pred: storage.SelectionPredicate{
 			Label: labels.Everything(),
 			Field: fields.ParseSelectorOrDie("metadata.name!=" + storedObj.Name),
@@ -2283,7 +2903,7 @@ func RunTestListContinuation(ctx context.Context, t *testing.T, store storage.In
 		Predicate:       pred(1, ""),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get initial list: %v", err)
 	}
 	if len(out.Continue) == 0 {
@@ -2307,13 +2927,13 @@ func RunTestListContinuation(ctx context.Context, t *testing.T, store storage.In
 		Predicate:       pred(0, continueFromSecondItem),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) != 0 {
 		t.Fatalf("Unexpected continuation token set")
 	}
-	key, rv, err := storage.DecodeContinue(continueFromSecondItem, "/pods")
+	key, rv, err := storage.DecodeContinue(continueFromSecondItem, "/pods/")
 	t.Logf("continue token was %d %s %v", rv, key, err)
 	expectNoDiff(t, "incorrect second page", []example.Pod{*preset[1].storedObj, *preset[2].storedObj}, out.Items)
 	if out.ResourceVersion != currentRV {
@@ -2331,7 +2951,7 @@ func RunTestListContinuation(ctx context.Context, t *testing.T, store storage.In
 		Predicate:       pred(1, continueFromSecondItem),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) == 0 {
@@ -2354,7 +2974,7 @@ func RunTestListContinuation(ctx context.Context, t *testing.T, store storage.In
 		Predicate:       pred(1, continueFromThirdItem),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) != 0 {
@@ -2396,7 +3016,7 @@ func RunTestListPaginationRareObject(ctx context.Context, t *testing.T, store st
 		},
 		Recursive: true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get initial list: %v", err)
 	}
 	if len(out.Continue) != 0 {
@@ -2472,7 +3092,7 @@ func RunTestListContinuationWithFilter(ctx context.Context, t *testing.T, store
 		Predicate:       pred(2, ""),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Errorf("Unable to get initial list: %v", err)
 	}
 	if len(out.Continue) == 0 {
@@ -2503,7 +3123,7 @@ func RunTestListContinuationWithFilter(ctx context.Context, t *testing.T, store
 		Predicate:       pred(2, cont),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Errorf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) != 0 {
@@ -2519,7 +3139,7 @@ func RunTestListContinuationWithFilter(ctx context.Context, t *testing.T, store
 }
 
 type Compaction func(ctx context.Context, t *testing.T, resourceVersion string)
-type IncreaseRVFunc func(ctx context.Context, t *testing.T)
+type IncreaseRVFunc func(ctx context.Context, t *testing.T) (revision int64)
 
 func RunTestListInconsistentContinuation(ctx context.Context, t *testing.T, store storage.Interface, compaction Compaction) {
 	// Setup storage with the following structure:
@@ -2578,7 +3198,7 @@ func RunTestListInconsistentContinuation(ctx context.Context, t *testing.T, stor
 		Predicate:       pred(1, ""),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get initial list: %v", err)
 	}
 	if len(out.Continue) == 0 {
@@ -2615,7 +3235,7 @@ func RunTestListInconsistentContinuation(ctx context.Context, t *testing.T, stor
 		Predicate:       pred(0, continueFromSecondItem),
 		Recursive:       true,
 	}
-	err := store.GetList(ctx, "/pods", options, out)
+	err := store.GetList(ctx, "/pods/", options, out)
 	if err == nil {
 		t.Fatalf("unexpected no error")
 	}
@@ -2637,7 +3257,7 @@ func RunTestListInconsistentContinuation(ctx context.Context, t *testing.T, stor
 		Predicate:       pred(1, inconsistentContinueFromSecondItem),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) == 0 {
@@ -2656,7 +3276,7 @@ func RunTestListInconsistentContinuation(ctx context.Context, t *testing.T, stor
 		Predicate:       pred(1, continueFromThirdItem),
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", options, out); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, out); err != nil {
 		t.Fatalf("Unable to get second page: %v", err)
 	}
 	if len(out.Continue) != 0 {
@@ -2730,7 +3350,7 @@ func RunTestListResourceVersionMatch(ctx context.Context, t *testing.T, store In
 		Predicate: predicate,
 		Recursive: true,
 	}
-	if err := store.GetList(ctx, "/pods", options, &result1); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, &result1); err != nil {
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
@@ -2743,7 +3363,7 @@ func RunTestListResourceVersionMatch(ctx context.Context, t *testing.T, store In
 	}
 
 	result2 := example.PodList{}
-	if err := store.GetList(ctx, "/pods", options, &result2); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, &result2); err != nil {
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
@@ -2753,7 +3373,7 @@ func RunTestListResourceVersionMatch(ctx context.Context, t *testing.T, store In
 	options.ResourceVersionMatch = metav1.ResourceVersionMatchNotOlderThan
 
 	result3 := example.PodList{}
-	if err := store.GetList(ctx, "/pods", options, &result3); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, &result3); err != nil {
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
@@ -2761,7 +3381,7 @@ func RunTestListResourceVersionMatch(ctx context.Context, t *testing.T, store In
 	options.ResourceVersionMatch = metav1.ResourceVersionMatchExact
 
 	result4 := example.PodList{}
-	if err := store.GetList(ctx, "/pods", options, &result4); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, &result4); err != nil {
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
@@ -2784,7 +3404,7 @@ func RunTestGuaranteedUpdate(ctx context.Context, t *testing.T, store InterfaceW
 		hasSelfLink         bool
 	}{{
 		name:                "non-existing key, ignoreNotFound=false",
-		key:                 "/non-existing",
+		key:                 "/pods/non-existing",
 		ignoreNotFound:      false,
 		precondition:        nil,
 		expectNotFoundErr:   true,
@@ -2792,7 +3412,7 @@ func RunTestGuaranteedUpdate(ctx context.Context, t *testing.T, store InterfaceW
 		expectNoUpdate:      false,
 	}, {
 		name:                "non-existing key, ignoreNotFound=true",
-		key:                 "/non-existing",
+		key:                 "/pods/non-existing",
 		ignoreNotFound:      true,
 		precondition:        nil,
 		expectNotFoundErr:   false,
@@ -3175,7 +3795,7 @@ func RunTestTransformationFailure(ctx context.Context, t *testing.T, store Inter
 		Predicate: storage.Everything,
 		Recursive: true,
 	}
-	if err := store.GetList(ctx, "/pods", storageOpts, &got); !storage.IsInternalError(err) {
+	if err := store.GetList(ctx, "/pods/", storageOpts, &got); !storage.IsInternalError(err) {
 		t.Errorf("Unexpected error %v", err)
 	}
 
@@ -3256,7 +3876,7 @@ func RunTestStats(ctx context.Context, t *testing.T, store storage.Interface, co
 func assertStats(t *testing.T, store storage.Interface, sizeEnabled bool, expectStats storage.Stats) {
 	t.Helper()
 	// Execute consistent LIST to refresh state of cache.
-	err := store.GetList(t.Context(), "/pods", storage.ListOptions{Recursive: true, Predicate: storage.Everything}, &example.PodList{})
+	err := store.GetList(t.Context(), "/pods/", storage.ListOptions{Recursive: true, Predicate: storage.Everything}, &example.PodList{})
 	if err != nil {
 		t.Fatalf("GetList failed: %v", err)
 	}
@@ -3309,7 +3929,7 @@ func RunTestListPaging(ctx context.Context, t *testing.T, store storage.Interfac
 	for {
 		calls++
 		listOut := &example.PodList{}
-		err := store.GetList(ctx, "/pods", opts, listOut)
+		err := store.GetList(ctx, "/pods/", opts, listOut)
 		if err != nil {
 			t.Fatalf("Unexpected error %s", err)
 		}
@@ -3739,7 +4359,7 @@ func RunTestNamespaceScopedList(ctx context.Context, t *testing.T, store storage
 
 func RunTestCompactRevision(ctx context.Context, t *testing.T, store storage.Interface, increaseRV IncreaseRVFunc, compact Compaction) {
 	listOut := &example.PodList{}
-	if err := store.GetList(ctx, "/pods", storage.ListOptions{
+	if err := store.GetList(ctx, "/pods/", storage.ListOptions{
 		Predicate: storage.Everything,
 		Recursive: true,
 	}, listOut); err != nil {
@@ -3753,7 +4373,7 @@ func RunTestCompactRevision(ctx context.Context, t *testing.T, store storage.Int
 	if compactedRV >= int64(currentRV) {
 		t.Fatalf("Expected current RV not be compacted, current: %d, compacted: %d", currentRV, compactedRV)
 	}
-	if err := store.GetList(ctx, "/pods", storage.ListOptions{
+	if err := store.GetList(ctx, "/pods/", storage.ListOptions{
 		Predicate:            storage.Everything,
 		Recursive:            true,
 		ResourceVersion:      listOut.ResourceVersion,
@@ -3764,7 +4384,7 @@ func RunTestCompactRevision(ctx context.Context, t *testing.T, store storage.Int
 	increaseRV(ctx, t)
 	expectCompactedRV := currentRV + 1
 	compact(ctx, t, fmt.Sprintf("%d", expectCompactedRV))
-	if err := store.GetList(ctx, "/pods", storage.ListOptions{
+	if err := store.GetList(ctx, "/pods/", storage.ListOptions{
 		Predicate:            storage.Everything,
 		Recursive:            true,
 		ResourceVersion:      listOut.ResourceVersion,
@@ -3777,3 +4397,122 @@ func RunTestCompactRevision(ctx context.Context, t *testing.T, store storage.Int
 		t.Errorf("CompactRevision()=%d, expected: %d", store.CompactRevision(), expectCompactedRV)
 	}
 }
+
+func RunTestKeySchema(ctx context.Context, t *testing.T, store storage.Interface) {
+	createObj := &example.Pod{}
+	createOut := &example.Pod{}
+	require.ErrorContains(t, store.Create(ctx, "", createObj, createOut, 0), "empty key")
+	require.ErrorContains(t, store.Create(ctx, "/", createObj, createOut, 0), "empty key")
+	require.ErrorContains(t, store.Create(ctx, ".", createObj, createOut, 0), "invalid key")
+	require.ErrorContains(t, store.Create(ctx, "..", createObj, createOut, 0), "invalid key")
+	require.ErrorContains(t, store.Create(ctx, "pods", createObj, createOut, 0), "lacks resource prefix")
+	require.ErrorContains(t, store.Create(ctx, "/pods", createObj, createOut, 0), "lacks resource prefix")
+	require.ErrorContains(t, store.Create(ctx, "/pods.apps", createObj, createOut, 0), "lacks resource prefix")
+	require.ErrorContains(t, store.Create(ctx, "/foo/", createObj, createOut, 0), "lacks resource prefix")
+	require.NoError(t, store.Create(ctx, "/pods/", createObj, createOut, 0))
+	require.NoError(t, store.Create(ctx, "/pods/name", createObj, createOut, 0))
+	require.NoError(t, store.Create(ctx, "/pods/namespace", createObj, createOut, 0))
+	require.NoError(t, store.Create(ctx, "/pods/namespace/name", createObj, createOut, 0))
+
+	listOut := &example.PodList{}
+	recursiveListOpts := storage.ListOptions{Predicate: storage.Everything, Recursive: true}
+	nonRecursiveListOpts := storage.ListOptions{Predicate: storage.Everything, Recursive: false}
+	require.ErrorContains(t, store.GetList(ctx, "", recursiveListOpts, listOut), "empty key")
+	require.ErrorContains(t, store.GetList(ctx, "/", recursiveListOpts, listOut), "empty key")
+	require.ErrorContains(t, store.GetList(ctx, ".", recursiveListOpts, listOut), "invalid key")
+	require.ErrorContains(t, store.GetList(ctx, "..", recursiveListOpts, listOut), "invalid key")
+	require.ErrorContains(t, store.GetList(ctx, "pods", recursiveListOpts, listOut), "lacks resource prefix")
+	require.ErrorContains(t, store.GetList(ctx, "/pods.apps", recursiveListOpts, listOut), "lacks resource prefix")
+	require.ErrorContains(t, store.GetList(ctx, "/foo/", recursiveListOpts, listOut), "lacks resource prefix")
+	require.ErrorContains(t, store.GetList(ctx, "/pods", nonRecursiveListOpts, listOut), "lacks resource prefix")
+	require.NoError(t, store.GetList(ctx, "/pods", recursiveListOpts, listOut))
+	require.NoError(t, store.GetList(ctx, "/pods/", recursiveListOpts, listOut))
+	require.NoError(t, store.GetList(ctx, "/pods/namespace", recursiveListOpts, listOut))
+	require.NoError(t, store.GetList(ctx, "/pods/namespace/name", recursiveListOpts, listOut))
+
+	getOut := &example.Pod{}
+	getOpts := storage.GetOptions{}
+	require.ErrorContains(t, store.Get(ctx, "", getOpts, getOut), "empty key")
+	require.ErrorContains(t, store.Get(ctx, "/", getOpts, getOut), "empty key")
+	require.ErrorContains(t, store.Get(ctx, ".", getOpts, getOut), "invalid key")
+	require.ErrorContains(t, store.Get(ctx, "..", getOpts, getOut), "invalid key")
+	require.ErrorContains(t, store.Get(ctx, "pods", getOpts, getOut), "lacks resource prefix")
+	require.ErrorContains(t, store.Get(ctx, "/pods", getOpts, getOut), "lacks resource prefix")
+	require.ErrorContains(t, store.Get(ctx, "/pods.apps", getOpts, getOut), "lacks resource prefix")
+	require.ErrorContains(t, store.Get(ctx, "/foo/", getOpts, getOut), "lacks resource prefix")
+	require.NoError(t, store.Get(ctx, "/pods/", getOpts, getOut))
+	require.NoError(t, store.Get(ctx, "/pods/namespace", getOpts, getOut))
+	require.NoError(t, store.Get(ctx, "/pods/namespace/name", getOpts, getOut))
+
+	_, err := store.Watch(ctx, "", recursiveListOpts)
+	require.ErrorContains(t, err, "empty key")
+	_, err = store.Watch(ctx, "/", recursiveListOpts)
+	require.ErrorContains(t, err, "empty key")
+	_, err = store.Watch(ctx, ".", recursiveListOpts)
+	require.ErrorContains(t, err, "invalid key")
+	_, err = store.Watch(ctx, "..", recursiveListOpts)
+	require.ErrorContains(t, err, "invalid key")
+	_, err = store.Watch(ctx, "pods", recursiveListOpts)
+	require.ErrorContains(t, err, "lacks resource prefix")
+	_, err = store.Watch(ctx, "/pods.apps", recursiveListOpts)
+	require.ErrorContains(t, err, "lacks resource prefix")
+	_, err = store.Watch(ctx, "/foo/", recursiveListOpts)
+	require.ErrorContains(t, err, "lacks resource prefix")
+	_, err = store.Watch(ctx, "/pods", nonRecursiveListOpts)
+	require.ErrorContains(t, err, "lacks resource prefix")
+	w, err := store.Watch(ctx, "/pods", recursiveListOpts)
+	require.NoError(t, err)
+	w.Stop()
+	require.NoError(t, err)
+	w.Stop()
+	w, err = store.Watch(ctx, "/pods/namespace", recursiveListOpts)
+	require.NoError(t, err)
+	w.Stop()
+	w, err = store.Watch(ctx, "/pods/namespace/name", recursiveListOpts)
+	require.NoError(t, err)
+	w.Stop()
+
+	updateIn := &example.Pod{}
+	updateOut := &example.Pod{}
+	updateFunc := func(input runtime.Object, res storage.ResponseMeta) (output runtime.Object, ttl *uint64, err error) {
+		return updateIn, nil, nil
+	}
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "", updateOut, false, nil, updateFunc, nil), "empty key")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "/", updateOut, false, nil, updateFunc, nil), "empty key")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, ".", updateOut, false, nil, updateFunc, nil), "invalid key")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "..", updateOut, false, nil, updateFunc, nil), "invalid key")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "pods", updateOut, false, nil, updateFunc, nil), "lacks resource prefix")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "/pods", updateOut, false, nil, updateFunc, nil), "lacks resource prefix")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "/pods.apps", updateOut, false, nil, updateFunc, nil), "lacks resource prefix")
+	require.ErrorContains(t, store.GuaranteedUpdate(ctx, "/foo/", updateOut, false, nil, updateFunc, nil), "lacks resource prefix")
+	require.NoError(t, store.GuaranteedUpdate(ctx, "/pods/", updateOut, false, nil, updateFunc, nil))
+	require.NoError(t, store.GuaranteedUpdate(ctx, "/pods/namespace", updateOut, false, nil, updateFunc, nil))
+	require.NoError(t, store.GuaranteedUpdate(ctx, "/pods/namespace/name", updateOut, false, nil, updateFunc, nil))
+
+	deleteOut := &example.Pod{}
+	deleteFunc := func(ctx context.Context, obj runtime.Object) error {
+		return nil
+	}
+	deleteOpts := storage.DeleteOptions{}
+	require.ErrorContains(t, store.Delete(ctx, "", deleteOut, nil, deleteFunc, nil, deleteOpts), "empty key")
+	require.ErrorContains(t, store.Delete(ctx, "/", deleteOut, nil, deleteFunc, nil, deleteOpts), "empty key")
+	require.ErrorContains(t, store.Delete(ctx, ".", deleteOut, nil, deleteFunc, nil, deleteOpts), "invalid key")
+	require.ErrorContains(t, store.Delete(ctx, "..", deleteOut, nil, deleteFunc, nil, deleteOpts), "invalid key")
+	require.ErrorContains(t, store.Delete(ctx, "pods", deleteOut, nil, deleteFunc, nil, deleteOpts), "lacks resource prefix")
+	require.ErrorContains(t, store.Delete(ctx, "/pods", deleteOut, nil, deleteFunc, nil, deleteOpts), "lacks resource prefix")
+	require.ErrorContains(t, store.Delete(ctx, "/pods.apps", deleteOut, nil, deleteFunc, nil, deleteOpts), "lacks resource prefix")
+	require.ErrorContains(t, store.Delete(ctx, "/foo", deleteOut, nil, deleteFunc, nil, deleteOpts), "lacks resource prefix")
+	require.NoError(t, store.Delete(ctx, "/pods/", deleteOut, nil, deleteFunc, nil, deleteOpts))
+	require.NoError(t, store.Delete(ctx, "/pods/namespace", deleteOut, nil, deleteFunc, nil, deleteOpts))
+	require.NoError(t, store.Delete(ctx, "/pods/namespace/name", deleteOut, nil, deleteFunc, nil, deleteOpts))
+}
+
+func mustParseResourceVersion(t *testing.T, resourceVersion string) int64 {
+	t.Helper()
+	versioner := storage.APIObjectVersioner{}
+	rv, err := versioner.ParseResourceVersion(resourceVersion)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return int64(rv)
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/testing/watcher_tests.go b/staging/src/k8s.io/apiserver/pkg/storage/testing/watcher_tests.go
index 567e247557164..e57a99d3dd072 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/testing/watcher_tests.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/testing/watcher_tests.go
@@ -347,9 +347,6 @@ func RunTestDelayedWatchDelivery(ctx context.Context, t *testing.T, store storag
 		}
 	}
 
-	// Now stop the watcher and check if the consecutive events are being delivered.
-	watcher.Stop()
-
 	watched := 0
 	for {
 		event, ok := <-watcher.ResultChan()
@@ -364,11 +361,19 @@ func RunTestDelayedWatchDelivery(ctx context.Context, t *testing.T, store storag
 			t.Errorf("Unexpected object watched: %s, expected %s", a, e)
 		}
 		watched++
+		// Before stopping watcher wait for an event to arrive and give them some time to fill the queue.
+		if watched == 1 {
+			time.Sleep(time.Second)
+			// Stop the watcher to check if the consecutive events will be delivered.
+			watcher.Stop()
+		}
 	}
 	// We expect at least N events to be delivered, depending on the implementation.
 	// For now, this number is smallest for Cacher and it equals 10 (size of the out buffer).
-	if watched < 10 {
-		t.Errorf("Unexpected number of events: %v, expected: %v", watched, totalPods)
+	outBufferSize := 10
+	expectWatched := outBufferSize + 1 // initial event
+	if watched < expectWatched {
+		t.Errorf("Unexpected number of events: %v, expected at least: %v", watched, expectWatched)
 	}
 }
 
@@ -383,7 +388,7 @@ func RunTestWatchError(ctx context.Context, t *testing.T, store InterfaceWithPre
 		Predicate:       storage.Everything,
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", storageOpts, list); err != nil {
+	if err := store.GetList(ctx, "/pods/", storageOpts, list); err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
 
@@ -424,7 +429,7 @@ func RunTestWatchWithUnsafeDelete(ctx context.Context, t *testing.T, store Inter
 		Predicate:       storage.Everything,
 		Recursive:       true,
 	}
-	if err := store.GetList(ctx, "/pods", storageOpts, list); err != nil {
+	if err := store.GetList(ctx, "/pods/", storageOpts, list); err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
 
@@ -493,7 +498,7 @@ func RunTestWatcherTimeout(ctx context.Context, t *testing.T, store storage.Inte
 		Predicate: storage.Everything,
 		Recursive: true,
 	}
-	if err := store.GetList(ctx, "/pods", options, &podList); err != nil {
+	if err := store.GetList(ctx, "/pods/", options, &podList); err != nil {
 		t.Fatalf("Failed to list pods: %v", err)
 	}
 	initialRV := podList.ResourceVersion
@@ -734,9 +739,9 @@ func RunTestClusterScopedWatch(ctx context.Context, t *testing.T, store storage.
 			ctx = genericapirequest.WithRequestInfo(ctx, requestInfo)
 			ctx = genericapirequest.WithNamespace(ctx, "")
 
-			watchKey := "/pods"
+			watchKey := "/pods/"
 			if tt.requestedName != "" {
-				watchKey += "/" + tt.requestedName
+				watchKey += tt.requestedName
 			}
 
 			predicate := CreatePodPredicate(tt.fieldSelector, false, tt.indexFields)
@@ -747,7 +752,7 @@ func RunTestClusterScopedWatch(ctx context.Context, t *testing.T, store storage.
 				Predicate:       predicate,
 				Recursive:       true,
 			}
-			if err := store.GetList(ctx, "/pods", opts, list); err != nil {
+			if err := store.GetList(ctx, "/pods/", opts, list); err != nil {
 				t.Errorf("Unexpected error: %v", err)
 			}
 
@@ -762,7 +767,7 @@ func RunTestClusterScopedWatch(ctx context.Context, t *testing.T, store storage.
 			currentObjs := map[string]*example.Pod{}
 			for _, watchTest := range tt.watchTests {
 				out := &example.Pod{}
-				key := "pods/" + watchTest.obj.Name
+				key := "/pods/" + watchTest.obj.Name
 				err := store.GuaranteedUpdate(ctx, key, out, true, nil, storage.SimpleUpdate(
 					func(runtime.Object) (runtime.Object, error) {
 						obj := watchTest.obj.DeepCopy()
@@ -1045,11 +1050,11 @@ func RunTestNamespaceScopedWatch(ctx context.Context, t *testing.T, store storag
 			ctx = genericapirequest.WithRequestInfo(ctx, requestInfo)
 			ctx = genericapirequest.WithNamespace(ctx, tt.requestedNamespace)
 
-			watchKey := "/pods"
+			watchKey := "/pods/"
 			if tt.requestedNamespace != "" {
-				watchKey += "/" + tt.requestedNamespace
+				watchKey += tt.requestedNamespace + "/"
 				if tt.requestedName != "" {
-					watchKey += "/" + tt.requestedName
+					watchKey += tt.requestedName
 				}
 			}
 
@@ -1061,7 +1066,7 @@ func RunTestNamespaceScopedWatch(ctx context.Context, t *testing.T, store storag
 				Predicate:       predicate,
 				Recursive:       true,
 			}
-			if err := store.GetList(ctx, "/pods", opts, list); err != nil {
+			if err := store.GetList(ctx, "/pods/", opts, list); err != nil {
 				t.Errorf("Unexpected error: %v", err)
 			}
 
@@ -1076,7 +1081,7 @@ func RunTestNamespaceScopedWatch(ctx context.Context, t *testing.T, store storag
 			currentObjs := map[string]*example.Pod{}
 			for _, watchTest := range tt.watchTests {
 				out := &example.Pod{}
-				key := "pods/" + watchTest.obj.Namespace + "/" + watchTest.obj.Name
+				key := "/pods/" + watchTest.obj.Namespace + "/" + watchTest.obj.Name
 				err := store.GuaranteedUpdate(ctx, key, out, true, nil, storage.SimpleUpdate(
 					func(runtime.Object) (runtime.Object, error) {
 						obj := watchTest.obj.DeepCopy()
@@ -1189,7 +1194,7 @@ func RunTestOptionalWatchBookmarksWithCorrectResourceVersion(ctx context.Context
 		Predicate: storage.Everything,
 		Recursive: true,
 	}
-	if err := store.GetList(ctx, "/pods", storageOpts, list); err != nil {
+	if err := store.GetList(ctx, "/pods/", storageOpts, list); err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
 	startRV := list.ResourceVersion
@@ -1283,7 +1288,7 @@ func RunTestOptionalWatchBookmarksWithCorrectResourceVersion(ctx context.Context
 func RunSendInitialEventsBackwardCompatibility(ctx context.Context, t *testing.T, store storage.Interface) {
 	opts := storage.ListOptions{Predicate: storage.Everything}
 	opts.SendInitialEvents = ptr.To(true)
-	w, err := store.Watch(ctx, "/pods", opts)
+	w, err := store.Watch(ctx, "/pods/", opts)
 	require.NoError(t, err)
 	w.Stop()
 }
@@ -1697,7 +1702,7 @@ func RunWatchListMatchSingle(ctx context.Context, t *testing.T, store storage.In
 	opts.SendInitialEvents = &trueVal
 	opts.Predicate.AllowWatchBookmarks = true
 
-	w, err := store.Watch(context.Background(), "/pods", opts)
+	w, err := store.Watch(context.Background(), "/pods/", opts)
 	require.NoError(t, err, "failed to create watch: %v")
 	defer w.Stop()
 
@@ -1750,7 +1755,7 @@ func RunWatchErrorIsBlockingFurtherEvents(ctx context.Context, t *testing.T, sto
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			w, err := store.Watch(ctx, "/pods", opts)
+			w, err := store.Watch(ctx, "/pods/", opts)
 			if err != nil {
 				t.Errorf("failed to create watch: %v", err)
 				return
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/util.go b/staging/src/k8s.io/apiserver/pkg/storage/util.go
index bb231df30380a..3ca9acf3bd235 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/util.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/util.go
@@ -18,6 +18,7 @@ package storage
 
 import (
 	"fmt"
+	"strings"
 	"sync/atomic"
 
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -37,6 +38,9 @@ func SimpleUpdate(fn SimpleUpdateFunc) UpdateFunc {
 }
 
 func NamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) {
+	if !strings.HasSuffix(prefix, "/") {
+		return "", fmt.Errorf("prefix should have '/' suffix")
+	}
 	meta, err := meta.Accessor(obj)
 	if err != nil {
 		return "", err
@@ -45,10 +49,13 @@ func NamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) {
 	if msgs := path.IsValidPathSegmentName(name); len(msgs) != 0 {
 		return "", fmt.Errorf("invalid name: %v", msgs)
 	}
-	return prefix + "/" + meta.GetNamespace() + "/" + name, nil
+	return prefix + meta.GetNamespace() + "/" + name, nil
 }
 
 func NoNamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) {
+	if !strings.HasSuffix(prefix, "/") {
+		return "", fmt.Errorf("prefix should have '/' suffix")
+	}
 	meta, err := meta.Accessor(obj)
 	if err != nil {
 		return "", err
@@ -57,7 +64,7 @@ func NoNamespaceKeyFunc(prefix string, obj runtime.Object) (string, error) {
 	if msgs := path.IsValidPathSegmentName(name); len(msgs) != 0 {
 		return "", fmt.Errorf("invalid name: %v", msgs)
 	}
-	return prefix + "/" + name, nil
+	return prefix + name, nil
 }
 
 // HighWaterMark is a thread-safe object for tracking the maximum value seen
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
index b12f8a3d2726d..4549257a0340f 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
@@ -24,6 +24,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"sort"
+	"sync"
 	"time"
 	"unsafe"
 
@@ -51,6 +52,29 @@ func init() {
 	metrics.RegisterMetrics()
 }
 
+// nowFuncPerKMS allows us to swap the NowFunc for KMS providers in tests
+// Note: it cannot be set by an end user
+var nowFuncPerKMS sync.Map // map[string]func() time.Time, KMS name -> NowFunc
+
+// SetNowFuncForTests should only be called in tests to swap the NowFunc for KMS providers
+// Caller must guarantee that all KMS providers have distinct names across all tests.
+func SetNowFuncForTests(kmsName string, fn func() time.Time) func() {
+	if len(kmsName) == 0 { // guarantee that GetNowFunc("") returns the default value
+		panic("empty KMS name used in test")
+	}
+	nowFuncPerKMS.Store(kmsName, fn)
+	return func() { nowFuncPerKMS.Delete(kmsName) }
+}
+
+// GetNowFunc returns the time function for the given KMS provider name
+func GetNowFunc(kmsName string) func() time.Time {
+	nowFunc, ok := nowFuncPerKMS.Load(kmsName)
+	if !ok {
+		return time.Now
+	}
+	return nowFunc.(func() time.Time)
+}
+
 const (
 	// KMSAPIVersionv2 is a version of the KMS API.
 	KMSAPIVersionv2 = "v2"
@@ -81,9 +105,6 @@ const (
 	errKeyIDTooLongCode ErrCodeKeyID = "too_long"
 )
 
-// NowFunc is exported so tests can override it.
-var NowFunc = time.Now
-
 type StateFunc func() (State, error)
 type ErrCodeKeyID string
 
@@ -101,10 +122,14 @@ type State struct {
 
 	// CacheKey is the key used to cache the DEK/seed in envelopeTransformer.cache.
 	CacheKey []byte
+
+	// KMSProviderName is used to dynamically look up the time function for tests
+	KMSProviderName string
 }
 
 func (s *State) ValidateEncryptCapability() error {
-	if now := NowFunc(); now.After(s.ExpirationTimestamp) {
+	nowFunc := GetNowFunc(s.KMSProviderName)
+	if now := nowFunc(); now.After(s.ExpirationTimestamp) {
 		return fmt.Errorf("encryptedDEKSource with keyID hash %q expired at %s (current time is %s)",
 			GetHashIfNotEmpty(s.EncryptedObjectKeyID), s.ExpirationTimestamp.Format(time.RFC3339), now.Format(time.RFC3339))
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
index 09a2a76df50e3..78cc02e57a6c6 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go
@@ -145,9 +145,10 @@ func (g *gRPCService) Status(ctx context.Context) (*kmsservice.StatusResponse, e
 
 func recordMetricsInterceptor(providerName string) grpc.UnaryClientInterceptor {
 	return func(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
-		start := NowFunc()
+		nowFunc := GetNowFunc(providerName)
+		start := nowFunc()
 		respErr := invoker(ctx, method, req, reply, cc, opts...)
-		elapsed := NowFunc().Sub(start)
+		elapsed := nowFunc().Sub(start)
 		metrics.RecordKMSOperationLatency(providerName, method, elapsed, respErr)
 		return respErr
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/list_work_estimator.go b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/list_work_estimator.go
index 8c84f20c82502..c78a50cdd7af7 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/list_work_estimator.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/list_work_estimator.go
@@ -86,10 +86,12 @@ func (e *listWorkEstimator) estimate(r *http.Request, flowSchemaName, priorityLe
 		return WorkEstimate{InitialSeats: maxSeats}
 	}
 
-	// For watch requests, we want to adjust the cost only if they explicitly request
-	// sending initial events.
+	// For watch requests we want to set the cost low if they aren't requesting for init events,
+	// either via the explicit SendInitialEvents param or via legacy watches that have RV=0 or unset.
 	if requestInfo.Verb == "watch" {
-		if listOptions.SendInitialEvents == nil || !*listOptions.SendInitialEvents {
+		sendInitEvents := listOptions.SendInitialEvents != nil && *listOptions.SendInitialEvents
+		legacyWatch := listOptions.ResourceVersion == "" || listOptions.ResourceVersion == "0"
+		if !sendInitEvents && !legacyWatch {
 			return WorkEstimate{InitialSeats: e.config.MinimumSeats}
 		}
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/width_test.go b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/width_test.go
index 01dadab76ac32..8c51aea802335 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/width_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/request/width_test.go
@@ -598,30 +598,79 @@ func TestWorkEstimator(t *testing.T) {
 			initialSeatsExpected: 3,
 		},
 		{
-			name:       "request verb is watch, sendInitialEvents is nil",
+			name:       "request verb is watch, sendInitialEvents is nil and RV unset (legacy watch with init events)",
 			requestURI: "http://server/apis/foo.bar/v1/events?watch=true",
 			requestInfo: &apirequest.RequestInfo{
 				Verb:     "watch",
 				APIGroup: "foo.bar",
 				Resource: "events",
 			},
-			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 10_000},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
+		{
+			name:       "request verb is watch, sendInitialEvents is nil and RV set to 0 (legacy watch with init events)",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&resourceVersion=0",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
+		{
+			name:       "request verb is watch, sendInitialEvents is nil and RV set to non-zero (legacy watch without init events)",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&resourceVersion=1",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
 			initialSeatsExpected: 1,
 		},
 		{
-			name:       "request verb is watch, sendInitialEvents is false",
+			name:       "request verb is watch, sendInitialEvents is false and RV unset (legacy watch with init events)",
 			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=false",
 			requestInfo: &apirequest.RequestInfo{
 				Verb:     "watch",
 				APIGroup: "foo.bar",
 				Resource: "events",
 			},
-			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 10_000},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
+		{
+			name:       "request verb is watch, sendInitialEvents is false and RV set to 0 (legacy watch with init events)",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=false&resourceVersion=0",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
+		{
+			name:       "request verb is watch, sendInitialEvents is false and RV set to non-zero (legacy watch without init events))",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=false&resourceVersion=1",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
 			maxSeats:             100,
 			initialSeatsExpected: 1,
 		},
 		{
-			name:       "request verb is watch, sendInitialEvents is true",
+			name:       "request verb is watch, sendInitialEvents is true and RV unset (streaming list with init events)",
 			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=true",
 			requestInfo: &apirequest.RequestInfo{
 				Verb:     "watch",
@@ -632,6 +681,30 @@ func TestWorkEstimator(t *testing.T) {
 			maxSeats:             100,
 			initialSeatsExpected: 8,
 		},
+		{
+			name:       "request verb is watch, sendInitialEvents is true and RV set to 0 (streaming list with init events)",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=true&resourceVersion=0",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
+		{
+			name:       "request verb is watch, sendInitialEvents is true and RV set to non-zero (streaming list with init events)",
+			requestURI: "http://server/apis/foo.bar/v1/events?watch=true&sendInitialEvents=true&resourceVersion=0",
+			requestInfo: &apirequest.RequestInfo{
+				Verb:     "watch",
+				APIGroup: "foo.bar",
+				Resource: "events",
+			},
+			stats:                storage.Stats{ObjectCount: 799, EstimatedAverageObjectSizeBytes: 1_000},
+			maxSeats:             100,
+			initialSeatsExpected: 8,
+		},
 		{
 			name:       "request verb is create, no watches",
 			requestURI: "http://server/apis/foo.bar/v1/foos",
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter.go
new file mode 100644
index 0000000000000..a808d06157a04
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter.go
@@ -0,0 +1,368 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package peerproxy
+
+import (
+	"context"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
+)
+
+// GVExtractor is a function that extracts group-versions from an object.
+// It returns a slice of GroupVersions belonging to CRDs or aggregated APIs that
+// should be excluded from peer-discovery to avoid advertising stale CRDs/aggregated APIs
+// in peer-aggregated discovery that were deleted but still appear in a peer's discovery.
+type GVExtractor func(obj interface{}) []schema.GroupVersion
+
+// RegisterCRDInformerHandlers registers event handlers for CRD informer using a custom extractor.
+// The extractor function is responsible for extracting GroupVersions from CRD objects.
+func (h *peerProxyHandler) RegisterCRDInformerHandlers(crdInformer cache.SharedIndexInformer, extractor GVExtractor) error {
+	h.crdInformer = crdInformer
+	h.crdExtractor = extractor
+	_, err := h.crdInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			gvs := extractor(obj)
+			if gvs == nil {
+				return
+			}
+			h.addExcludedGVs(gvs)
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			gvs := extractor(newObj)
+			if gvs == nil {
+				return
+			}
+			h.addExcludedGVs(gvs)
+		},
+		DeleteFunc: func(obj interface{}) {
+			// Handle tombstone objects
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			gvs := extractor(obj)
+			if gvs == nil {
+				return
+			}
+			for _, gv := range gvs {
+				h.gvDeletionQueue.Add(gv.String())
+			}
+		},
+	})
+	return err
+}
+
+// RegisterAPIServiceInformerHandlers registers event handlers for APIService informer using a custom extractor.
+// The extractor function is responsible for extracting GroupVersions from APIService objects
+// and determining if they represent aggregated APIs.
+func (h *peerProxyHandler) RegisterAPIServiceInformerHandlers(apiServiceInformer cache.SharedIndexInformer, extractor GVExtractor) error {
+	h.apiServiceInformer = apiServiceInformer
+	h.apiServiceExtractor = extractor
+	_, err := h.apiServiceInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			gvs := extractor(obj)
+			if gvs == nil {
+				return
+			}
+			h.addExcludedGVs(gvs)
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			gvs := extractor(newObj)
+			if gvs == nil {
+				return
+			}
+			h.addExcludedGVs(gvs)
+		},
+		DeleteFunc: func(obj interface{}) {
+			// Handle tombstone objects
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+
+			gvs := extractor(obj)
+			if gvs == nil {
+				return
+			}
+			for _, gv := range gvs {
+				h.gvDeletionQueue.Add(gv.String())
+			}
+		},
+	})
+	return err
+}
+
+// addExcludedGVs adds group-versions to the exclusion set, filters them from the peer discovery cache,
+// and triggers invalidation callbacks if the cache changed.
+func (h *peerProxyHandler) addExcludedGVs(gvs []schema.GroupVersion) {
+	if len(gvs) == 0 {
+		return
+	}
+
+	h.excludedGVsMu.Lock()
+	for _, gv := range gvs {
+		h.excludedGVs[gv] = nil
+	}
+	h.excludedGVsMu.Unlock()
+
+	// Load current peer cache and filter it
+	cache := h.peerDiscoveryInfoCache.Load()
+	if cache == nil {
+		return
+	}
+
+	cacheMap, ok := cache.(map[string]PeerDiscoveryCacheEntry)
+	if !ok {
+		klog.Warning("Invalid cache type in peerDiscoveryInfoCache")
+		return
+	}
+
+	// Always trigger filter and callbacks, to ensure late-appearing GVs are filtered.
+	if peerDiscovery, peerDiscoveryChanged := h.filterPeerDiscoveryCache(cacheMap); peerDiscoveryChanged {
+		h.storePeerDiscoveryCacheAndInvalidate(peerDiscovery)
+	}
+}
+
+// filterPeerDiscoveryCache filters the provided peer discovery cache,
+// excluding GVs in h.excludedGVs.
+func (h *peerProxyHandler) filterPeerDiscoveryCache(cacheMap map[string]PeerDiscoveryCacheEntry) (map[string]PeerDiscoveryCacheEntry, bool) {
+	h.excludedGVsMu.RLock()
+	if len(h.excludedGVs) == 0 {
+		// No exclusions, no filtering needed.
+		h.excludedGVsMu.RUnlock()
+		return cacheMap, false
+	}
+
+	excludedCloned := make(map[schema.GroupVersion]struct{}, len(h.excludedGVs))
+	for gv := range h.excludedGVs {
+		excludedCloned[gv] = struct{}{}
+	}
+	h.excludedGVsMu.RUnlock()
+
+	filtered := make(map[string]PeerDiscoveryCacheEntry, len(cacheMap))
+	peerDiscoveryChanged := false
+	for peerID, entry := range cacheMap {
+		newEntry, peerChanged := h.filterPeerCacheEntry(entry, excludedCloned)
+		filtered[peerID] = newEntry
+		if peerChanged {
+			peerDiscoveryChanged = true
+		}
+	}
+
+	return filtered, peerDiscoveryChanged
+}
+
+// filterPeerCacheEntry filters a single peer's cache entry for excluded groups.
+// Returns the filtered entry and whether any excluded group was present.
+func (h *peerProxyHandler) filterPeerCacheEntry(entry PeerDiscoveryCacheEntry, excluded map[schema.GroupVersion]struct{}) (PeerDiscoveryCacheEntry, bool) {
+	filteredGVRs := make(map[schema.GroupVersionResource]bool, len(entry.GVRs))
+	peerDiscoveryChanged := false
+
+	for existingGVR, v := range entry.GVRs {
+		gv := schema.GroupVersion{Group: existingGVR.Group, Version: existingGVR.Version}
+		if _, skip := excluded[gv]; skip {
+			peerDiscoveryChanged = true
+			continue
+		}
+		filteredGVRs[existingGVR] = v
+	}
+
+	if !peerDiscoveryChanged {
+		return entry, false
+	}
+
+	// Filter the group discovery list
+	filteredGroups := h.filterGroupDiscovery(entry.GroupDiscovery, excluded)
+	return PeerDiscoveryCacheEntry{
+		GVRs:           filteredGVRs,
+		GroupDiscovery: filteredGroups,
+	}, true
+}
+
+func (h *peerProxyHandler) filterGroupDiscovery(groupDiscoveries []apidiscoveryv2.APIGroupDiscovery, excluded map[schema.GroupVersion]struct{}) []apidiscoveryv2.APIGroupDiscovery {
+	var filteredDiscovery []apidiscoveryv2.APIGroupDiscovery
+	for _, groupDiscovery := range groupDiscoveries {
+		filteredGroup := apidiscoveryv2.APIGroupDiscovery{
+			ObjectMeta: groupDiscovery.ObjectMeta,
+		}
+
+		for _, version := range groupDiscovery.Versions {
+			gv := schema.GroupVersion{Group: groupDiscovery.Name, Version: version.Version}
+			if _, found := excluded[gv]; found {
+				// This version is excluded, skip it
+				continue
+			}
+			filteredGroup.Versions = append(filteredGroup.Versions, version)
+		}
+
+		// Only add the group to the final list if it still has any versions left
+		if len(filteredGroup.Versions) > 0 {
+			filteredDiscovery = append(filteredDiscovery, filteredGroup)
+		}
+	}
+	return filteredDiscovery
+}
+
+// RunGVDeletionWorkers starts workers to process GroupVersions from deleted CRDs and APIServices.
+// When a GV is processed, it is checked for usage by other resources. If no longer in use,
+// it is marked with a deletion timestamp, initiating a grace period. After this period,
+// the RunExcludedGVsReaper is responsible for removing the GV from the exclusion set.
+func (h *peerProxyHandler) RunGVDeletionWorkers(ctx context.Context, workers int) {
+	defer func() {
+		klog.Info("Shutting down GV deletion workers")
+		h.gvDeletionQueue.ShutDown()
+	}()
+	klog.Infof("Starting %d GV deletion worker(s)", workers)
+	for i := 0; i < workers; i++ {
+		go func(workerID int) {
+			for h.processNextGVDeletion() {
+				select {
+				case <-ctx.Done():
+					klog.Infof("GV deletion worker %d shutting down", workerID)
+					return
+				default:
+				}
+			}
+		}(i)
+	}
+
+	<-ctx.Done() // Wait till context is done to call deferred shutdown function
+}
+
+// processNextGVDeletion processes a single item from the GV deletion queue.
+func (h *peerProxyHandler) processNextGVDeletion() bool {
+	gvString, shutdown := h.gvDeletionQueue.Get()
+	if shutdown {
+		return false
+	}
+	defer h.gvDeletionQueue.Done(gvString)
+
+	gv, err := schema.ParseGroupVersion(gvString)
+	if err != nil {
+		klog.Errorf("Failed to parse GroupVersion %q: %v", gvString, err)
+		return true
+	}
+
+	h.markGVForDeletionIfUnused(gv)
+	return true
+}
+
+// markGVForDeletionIfUnused checks if a group-version is still in use.
+// If not, it marks it for deletion by setting a timestamp.
+func (h *peerProxyHandler) markGVForDeletionIfUnused(gv schema.GroupVersion) {
+	// Best-effort check if GV is still in use. This is racy - a new CRD/APIService could be
+	// created after this check completes and returns false.
+	if h.isGVUsed(gv) {
+		return
+	}
+
+	h.excludedGVsMu.Lock()
+	defer h.excludedGVsMu.Unlock()
+
+	// Only mark if it's currently active (nil timestamp)
+	if ts, exists := h.excludedGVs[gv]; exists && ts == nil {
+		now := time.Now()
+		h.excludedGVs[gv] = &now
+		klog.V(4).Infof("Marking group-version %q for deletion, grace period started", gv)
+	}
+}
+
+// isGVUsed checks the informer stores to see if any CRD or APIService
+// is still using the given group-version.
+//
+// This is necessary because multiple CRDs or aggregated APIs can share the same group-version,
+// but define different resources (kinds) or versions. Deleting one CRD or APIService
+// for a group-version does not mean the group-version is entirely gone—other CRDs or APIs in that group-version
+// may still exist. We must only remove a group-version from the exclusion set when there are
+// no remaining CRDs or APIService objects for that group-version, to ensure we do not prematurely
+// allow peer-aggregated discovery or proxying for APIs that are still served locally.
+func (h *peerProxyHandler) isGVUsed(gv schema.GroupVersion) bool {
+	// Check CRD informer store for the specific group-version
+	if h.crdInformer != nil && h.crdExtractor != nil {
+		crdList := h.crdInformer.GetStore().List()
+		for _, item := range crdList {
+			gvs := h.crdExtractor(item)
+			if gvs == nil {
+				continue
+			}
+			for _, extractedGV := range gvs {
+				if extractedGV == gv {
+					return true
+				}
+			}
+		}
+	}
+
+	// Check APIService informer store for the specific group-version
+	if h.apiServiceInformer != nil && h.apiServiceExtractor != nil {
+		apiSvcList := h.apiServiceInformer.GetStore().List()
+		for _, item := range apiSvcList {
+			gvs := h.apiServiceExtractor(item)
+			if gvs == nil {
+				continue
+			}
+			for _, extractedGV := range gvs {
+				if extractedGV == gv {
+					return true
+				}
+			}
+		}
+	}
+
+	return false
+}
+
+// RunExcludedGVsReaper starts a goroutine that periodically cleans up
+// excluded group-versions that have passed their grace period.
+func (h *peerProxyHandler) RunExcludedGVsReaper(stopCh <-chan struct{}) {
+	klog.Infof("Starting excluded group-versions reaper with %s interval", h.reaperCheckInterval)
+	ticker := time.NewTicker(h.reaperCheckInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			h.reapExcludedGVs()
+		case <-stopCh:
+			klog.Info("Shutting down excluded group-versions reaper")
+			return
+		}
+	}
+}
+
+// reapExcludedGVs is the garbage collector function.
+// It removes group-versions from excludedGVs if their grace period has expired.
+func (h *peerProxyHandler) reapExcludedGVs() {
+	h.excludedGVsMu.Lock()
+	defer h.excludedGVsMu.Unlock()
+
+	now := time.Now()
+	for gv, deletionTime := range h.excludedGVs {
+		if deletionTime == nil {
+			// Still actively excluded
+			continue
+		}
+
+		if now.Sub(*deletionTime) > h.exclusionGracePeriod {
+			klog.V(4).Infof("Reaping excluded group-version %q (grace period expired)", gv)
+			delete(h.excludedGVs, gv)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter_test.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter_test.go
new file mode 100644
index 0000000000000..bafa19341bad7
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/exclusion_filter_test.go
@@ -0,0 +1,132 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package peerproxy
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestFilteringLogic(t *testing.T) {
+	gvr := func(g, v, r string) schema.GroupVersionResource {
+		return schema.GroupVersionResource{Group: g, Version: v, Resource: r}
+	}
+	gv := func(g, v string) schema.GroupVersion {
+		return schema.GroupVersion{Group: g, Version: v}
+	}
+
+	testCases := []struct {
+		name               string
+		initialPeerCache   PeerDiscoveryCacheEntry
+		excludedGVs        map[schema.GroupVersion]struct{}
+		wantFilteredGVRs   map[schema.GroupVersionResource]bool
+		wantFilteredGroups []apidiscoveryv2.APIGroupDiscovery
+		wantChange         bool
+	}{
+		{
+			name: "no exclusions",
+			initialPeerCache: PeerDiscoveryCacheEntry{
+				GVRs: map[schema.GroupVersionResource]bool{gvr("apps", "v1", "deployments"): true},
+				GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{{
+					ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+					Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+				}},
+			},
+			excludedGVs:      map[schema.GroupVersion]struct{}{},
+			wantFilteredGVRs: map[schema.GroupVersionResource]bool{gvr("apps", "v1", "deployments"): true},
+			wantFilteredGroups: []apidiscoveryv2.APIGroupDiscovery{{
+				ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+				Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+			}},
+			wantChange: false,
+		},
+		{
+			name: "exclude one GV that exists",
+			initialPeerCache: PeerDiscoveryCacheEntry{
+				GVRs: map[schema.GroupVersionResource]bool{
+					gvr("apps", "v1", "deployments"):  true,
+					gvr("apps", "v1", "statefulsets"): true,
+					gvr("batch", "v1", "jobs"):        true,
+				},
+				GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+						Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "batch"},
+						Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+					},
+				},
+			},
+			excludedGVs: map[schema.GroupVersion]struct{}{
+				gv("apps", "v1"): {},
+			},
+			wantFilteredGVRs: map[schema.GroupVersionResource]bool{gvr("batch", "v1", "jobs"): true},
+			wantFilteredGroups: []apidiscoveryv2.APIGroupDiscovery{
+				{
+					ObjectMeta: metav1.ObjectMeta{Name: "batch"},
+					Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+				},
+			},
+			wantChange: true,
+		},
+		{
+			name: "exclude a GV that does not exist",
+			initialPeerCache: PeerDiscoveryCacheEntry{
+				GVRs: map[schema.GroupVersionResource]bool{gvr("apps", "v1", "deployments"): true},
+				GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{{
+					ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+					Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+				}},
+			},
+			excludedGVs: map[schema.GroupVersion]struct{}{
+				gv("foo", "v1"): {},
+			},
+			wantFilteredGVRs: map[schema.GroupVersionResource]bool{gvr("apps", "v1", "deployments"): true},
+			wantFilteredGroups: []apidiscoveryv2.APIGroupDiscovery{{
+				ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+				Versions:   []apidiscoveryv2.APIVersionDiscovery{{Version: "v1"}},
+			}},
+			wantChange: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			h := &peerProxyHandler{}
+			filteredEntry, changed := h.filterPeerCacheEntry(tc.initialPeerCache, tc.excludedGVs)
+
+			if changed != tc.wantChange {
+				t.Errorf("want change to be %v, got %v", tc.wantChange, changed)
+			}
+
+			if !reflect.DeepEqual(filteredEntry.GVRs, tc.wantFilteredGVRs) {
+				t.Errorf("filtered GVRs mismatch: got %v, want %v", filteredEntry.GVRs, tc.wantFilteredGVRs)
+			}
+
+			if !reflect.DeepEqual(filteredEntry.GroupDiscovery, tc.wantFilteredGroups) {
+				t.Errorf("filtered GroupDiscovery mismatch: got %v, want %v", filteredEntry.GroupDiscovery, tc.wantFilteredGroups)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery.go
new file mode 100644
index 0000000000000..51ca2c6d171b0
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery.go
@@ -0,0 +1,100 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package peerproxy
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/klog/v2"
+)
+
+// RunLocalDiscoveryCacheSync populated the localDiscoveryInfoCache and
+// starts a goroutine to periodically refresh the local discovery cache.
+func (h *peerProxyHandler) RunLocalDiscoveryCacheSync(stopCh <-chan struct{}) error {
+	klog.Info("localDiscoveryCacheInvalidation goroutine started")
+	// Populate the cache initially.
+	if err := h.populateLocalDiscoveryCache(); err != nil {
+		return fmt.Errorf("failed to populate initial local discovery cache: %w", err)
+	}
+
+	go func() {
+		for {
+			select {
+			case <-h.localDiscoveryCacheTicker.C:
+				klog.V(4).Infof("Invalidating local discovery cache")
+				if err := h.populateLocalDiscoveryCache(); err != nil {
+					klog.Errorf("Failed to repopulate local discovery cache: %v", err)
+				}
+			case <-stopCh:
+				klog.Info("localDiscoveryCacheInvalidation goroutine received stop signal")
+				if h.localDiscoveryCacheTicker != nil {
+					h.localDiscoveryCacheTicker.Stop()
+					klog.Info("localDiscoveryCacheTicker stopped")
+				}
+				klog.Info("localDiscoveryCacheInvalidation goroutine exiting")
+				return
+			}
+		}
+	}()
+	return nil
+}
+
+func (h *peerProxyHandler) populateLocalDiscoveryCache() error {
+	_, resourcesByGV, _, err := h.discoveryClient.GroupsAndMaybeResources()
+	if err != nil {
+		return fmt.Errorf("error getting API group resources from discovery: %w", err)
+	}
+
+	freshLocalDiscoveryResponse := map[schema.GroupVersionResource]bool{}
+	for gv, resources := range resourcesByGV {
+		for _, resource := range resources.APIResources {
+			gvr := gv.WithResource(resource.Name)
+			freshLocalDiscoveryResponse[gvr] = true
+		}
+	}
+
+	h.localDiscoveryInfoCache.Store(freshLocalDiscoveryResponse)
+	// Signal that the cache has been populated.
+	h.localDiscoveryInfoCachePopulatedOnce.Do(func() {
+		close(h.localDiscoveryInfoCachePopulated)
+	})
+	return nil
+}
+
+// shouldServeLocally checks if the requested resource is present in the local
+// discovery cache indicating the request can be served by this server.
+func (h *peerProxyHandler) shouldServeLocally(gvr schema.GroupVersionResource) bool {
+	cacheValue := h.localDiscoveryInfoCache.Load()
+	if cacheValue == nil {
+		return false
+	}
+
+	cache, ok := cacheValue.(map[schema.GroupVersionResource]bool)
+	if !ok {
+		klog.Warning("Invalid cache type in localDiscoveryInfoCache")
+		return false
+	}
+
+	exists, ok := cache[gvr]
+	if !ok {
+		klog.V(4).Infof("resource not found for %v in local discovery cache\n", gvr.GroupVersion())
+		return false
+	}
+
+	return exists
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery_test.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery_test.go
new file mode 100644
index 0000000000000..273b757785bee
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/local_discovery_test.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package peerproxy
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func TestShouldServeLocally_Table(t *testing.T) {
+	testCases := []struct {
+		name  string
+		cache map[schema.GroupVersionResource]bool
+		gvr   schema.GroupVersionResource
+		want  bool
+	}{
+		{
+			name:  "resource present and true",
+			cache: map[schema.GroupVersionResource]bool{{Group: "foo", Version: "v1", Resource: "bars"}: true},
+			gvr:   schema.GroupVersionResource{Group: "foo", Version: "v1", Resource: "bars"},
+			want:  true,
+		},
+		{
+			name:  "resource present and false",
+			cache: map[schema.GroupVersionResource]bool{{Group: "foo", Version: "v1", Resource: "bars"}: false},
+			gvr:   schema.GroupVersionResource{Group: "foo", Version: "v1", Resource: "bars"},
+			want:  false,
+		},
+		{
+			name:  "resource not present",
+			cache: map[schema.GroupVersionResource]bool{{Group: "foo", Version: "v1", Resource: "bars"}: true},
+			gvr:   schema.GroupVersionResource{Group: "foo", Version: "v1", Resource: "baz"},
+			want:  false,
+		},
+		{
+			name:  "empty cache",
+			cache: map[schema.GroupVersionResource]bool{},
+			gvr:   schema.GroupVersionResource{Group: "foo", Version: "v1", Resource: "bars"},
+			want:  false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			h := &peerProxyHandler{}
+			h.localDiscoveryInfoCache.Store(tc.cache)
+			got := h.shouldServeLocally(tc.gvr)
+			if got != tc.want {
+				t.Errorf("shouldServeLocally(%v) = %v, want %v", tc.gvr, got, tc.want)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery.go
index 8ceef28bb0f40..ae55f90a147ed 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2025 The Kubernetes Authors.
+Copyright 2023 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,25 +20,34 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 
 	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
 	v1 "k8s.io/api/coordination/v1"
-	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	responsewriterutil "k8s.io/apiserver/pkg/util/responsewriter"
 )
 
 const (
-	controllerName = "peer-discovery-cache-sync"
-	maxRetries     = 5
+	peerDiscoveryControllerName = "peer-discovery-cache-sync"
+	// maxRetries is the maximum number of retry attempts per lease, set to 20 to handle
+	// the race condition during API server startup where identity leases are created before
+	// endpoint leases. During initialization, peer discovery sync may attempt to fetch discovery
+	// from a peer before that peer has created its endpoint lease, resulting in "missing port in
+	// address" errors. With the default rate limiting (exponential backoff starting at 5ms),
+	// 20 retries per lease provides approximately 60-90 seconds of retry window, which is
+	// sufficient for both identity and endpoint leases to be established during normal startup.
+	maxRetries = 20
 )
 
 func (h *peerProxyHandler) RunPeerDiscoveryCacheSync(ctx context.Context, workers int) {
@@ -76,7 +85,7 @@ func (h *peerProxyHandler) processNextElectionItem(ctx context.Context) bool {
 	defer h.peerLeaseQueue.Done(key)
 
 	err := h.syncPeerDiscoveryCache(ctx)
-	h.handleErr(err, key)
+	h.handleSyncPeerDiscoveryCacheErr(err, key)
 	return true
 }
 
@@ -89,63 +98,95 @@ func (h *peerProxyHandler) syncPeerDiscoveryCache(ctx context.Context) error {
 		return err
 	}
 
-	newCache := map[string]map[schema.GroupVersionResource]bool{}
+	newCache := map[string]PeerDiscoveryCacheEntry{}
 	for _, l := range leases {
 		_, ok := h.isValidPeerIdentityLease(l)
 		if !ok {
 			continue
 		}
 
-		discoveryInfo, err := h.fetchNewDiscoveryFor(ctx, l.Name, *l.Spec.HolderIdentity)
+		discoveryEntry, err := h.fetchNewDiscoveryFor(ctx, l.Name)
 		if err != nil {
 			fetchDiscoveryErr = err
 		}
+		// Only add if there is at least one GVR or group
+		if len(discoveryEntry.GVRs) > 0 || len(discoveryEntry.GroupDiscovery) > 0 {
+			newCache[l.Name] = discoveryEntry
+		}
+	}
 
-		if discoveryInfo != nil {
-			newCache[l.Name] = discoveryInfo
+	// Apply exclusion filter to the cache.
+	if len(newCache) != 0 {
+		if filteredCache, peerDiscoveryChanged := h.filterPeerDiscoveryCache(newCache); peerDiscoveryChanged {
+			newCache = filteredCache
 		}
 	}
 
-	// Overwrite cache with new contents.
-	h.peerDiscoveryInfoCache.Store(newCache)
+	h.storePeerDiscoveryCacheAndInvalidate(newCache)
 	return fetchDiscoveryErr
 }
 
-func (h *peerProxyHandler) fetchNewDiscoveryFor(ctx context.Context, serverID string, holderIdentity string) (map[schema.GroupVersionResource]bool, error) {
+// storePeerDiscoveryCacheAndInvalidate stores the new peer discovery cache and always calls the invalidation callback if set.
+func (h *peerProxyHandler) storePeerDiscoveryCacheAndInvalidate(newCache map[string]PeerDiscoveryCacheEntry) {
+	h.peerDiscoveryInfoCache.Store(newCache)
+	if callback := h.cacheInvalidationCallback.Load(); callback != nil {
+		(*callback)()
+	}
+}
+
+func (h *peerProxyHandler) fetchNewDiscoveryFor(ctx context.Context, serverID string) (PeerDiscoveryCacheEntry, error) {
 	hostport, err := h.hostportInfo(serverID)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get host port info from identity lease for server %s: %w", serverID, err)
+		return PeerDiscoveryCacheEntry{}, fmt.Errorf("failed to get host port info from identity lease for server %s: %w", serverID, err)
 	}
 
 	klog.V(4).Infof("Proxying an agg-discovery call from %s to %s", h.serverID, serverID)
-	servedResources := make(map[schema.GroupVersionResource]bool)
+	gvrMap := make(map[schema.GroupVersionResource]bool)
 	var discoveryErr error
 	var discoveryResponse *apidiscoveryv2.APIGroupDiscoveryList
 	discoveryPaths := []string{"/api", "/apis"}
+
+	// Use a slice to preserve order from the peer.
+	// Use a map to track seen groups to avoid duplicates.
+	groupList := make([]apidiscoveryv2.APIGroupDiscovery, 0)
+	seenGroups := make(map[string]struct{})
+
 	for _, path := range discoveryPaths {
 		discoveryResponse, discoveryErr = h.aggregateDiscovery(ctx, path, hostport)
-		if err != nil {
-			klog.ErrorS(err, "error querying discovery endpoint for serverID", "path", path, "serverID", serverID)
+		if discoveryErr != nil {
+			klog.ErrorS(discoveryErr, "error querying discovery endpoint for serverID", "path", path, "serverID", serverID)
 			continue
 		}
 
 		for _, groupDiscovery := range discoveryResponse.Items {
-			groupName := groupDiscovery.Name
-			if groupName == "" {
-				groupName = "core"
-			}
-
 			for _, version := range groupDiscovery.Versions {
 				for _, resource := range version.Resources {
-					gvr := schema.GroupVersionResource{Group: groupName, Version: version.Version, Resource: resource.Resource}
-					servedResources[gvr] = true
+					gvr := schema.GroupVersionResource{
+						Group:    groupDiscovery.Name,
+						Version:  version.Version,
+						Resource: resource.Resource,
+					}
+					gvrMap[gvr] = true
 				}
 			}
+			// Skip core/v1 group from peer-aggregated discovery since its not served from /apis.
+			// We still want to re-route core/v1 requests to the peer, but we don't want it
+			// to appear in the peer-aggregated discovery document.
+			if groupDiscovery.Name == "" {
+				continue
+			}
+			if _, ok := seenGroups[groupDiscovery.Name]; !ok {
+				groupList = append(groupList, groupDiscovery)
+				seenGroups[groupDiscovery.Name] = struct{}{}
+			}
 		}
 	}
 
 	klog.V(4).Infof("Agg discovery done successfully by %s for %s", h.serverID, serverID)
-	return servedResources, discoveryErr
+	return PeerDiscoveryCacheEntry{
+		GVRs:           gvrMap,
+		GroupDiscovery: groupList,
+	}, discoveryErr
 }
 
 func (h *peerProxyHandler) aggregateDiscovery(ctx context.Context, path string, hostport string) (*apidiscoveryv2.APIGroupDiscoveryList, error) {
@@ -163,7 +204,8 @@ func (h *peerProxyHandler) aggregateDiscovery(ctx context.Context, path string,
 	ctx = apirequest.WithUser(ctx, apiServerUser)
 	req = req.WithContext(ctx)
 
-	req.Header.Add("Accept", discovery.AcceptV2)
+	// Fallback to V2 and V1 in that order if V2Local is not recognized.
+	req.Header.Add("Accept", discovery.AcceptV2NoPeer+","+discovery.AcceptV2+","+discovery.AcceptV1)
 
 	writer := responsewriterutil.NewInMemoryResponseWriter()
 	h.proxyRequestToDestinationAPIServer(req, writer, hostport)
@@ -179,8 +221,8 @@ func (h *peerProxyHandler) aggregateDiscovery(ctx context.Context, path string,
 	return parsed, nil
 }
 
-// handleErr checks if an error happened and makes sure we will retry later.
-func (h *peerProxyHandler) handleErr(err error, key string) {
+// handleSyncPeerDiscoveryCacheErr checks if an error happened during peer discovery sync and makes sure we will retry later.
+func (h *peerProxyHandler) handleSyncPeerDiscoveryCacheErr(err error, key string) {
 	if err == nil {
 		h.peerLeaseQueue.Forget(key)
 		return
@@ -196,3 +238,74 @@ func (h *peerProxyHandler) handleErr(err error, key string) {
 	utilruntime.HandleError(err)
 	klog.Infof("Dropping lease %s out of the queue: %v", key, err)
 }
+
+func (h *peerProxyHandler) isValidPeerIdentityLease(obj interface{}) (*v1.Lease, bool) {
+	lease, ok := obj.(*v1.Lease)
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			utilruntime.HandleError(fmt.Errorf("unexpected object type: %T", obj))
+			return nil, false
+		}
+		if lease, ok = tombstone.Obj.(*v1.Lease); !ok {
+			utilruntime.HandleError(fmt.Errorf("unexpected object type: %T", obj))
+			return nil, false
+		}
+	}
+
+	if lease == nil {
+		klog.Error(fmt.Errorf("nil lease object provided"))
+		return nil, false
+	}
+
+	if h.identityLeaseLabelSelector != nil && h.identityLeaseLabelSelector.String() != "" {
+		identityLeaseLabel := strings.Split(h.identityLeaseLabelSelector.String(), "=")
+		if len(identityLeaseLabel) != 2 {
+			klog.Errorf("invalid identityLeaseLabelSelector format: %s", h.identityLeaseLabelSelector.String())
+			return nil, false
+		}
+
+		if lease.Labels == nil || lease.Labels[identityLeaseLabel[0]] != identityLeaseLabel[1] {
+			klog.V(4).Infof("lease %s/%s does not match label selector: %s=%s", lease.Namespace, lease.Name, identityLeaseLabel[0], identityLeaseLabel[1])
+			return nil, false
+		}
+
+	}
+
+	// Ignore self.
+	if lease.Name == h.serverID {
+		return nil, false
+	}
+
+	if lease.Spec.HolderIdentity == nil {
+		klog.Error(fmt.Errorf("invalid lease object provided, missing holderIdentity in lease obj"))
+		return nil, false
+	}
+
+	return lease, true
+}
+
+func (h *peerProxyHandler) findServiceableByPeerFromPeerDiscoveryCache(gvr schema.GroupVersionResource) []string {
+	var serviceableByIDs []string
+	cache := h.peerDiscoveryInfoCache.Load()
+	if cache == nil {
+		return serviceableByIDs
+	}
+
+	cacheMap, ok := cache.(map[string]PeerDiscoveryCacheEntry)
+	if !ok {
+		klog.Warning("Invalid cache type in peerDiscoveryInfoCache")
+		return serviceableByIDs
+	}
+
+	for peerID, peerData := range cacheMap {
+		// Ignore local apiserver.
+		if peerID == h.serverID {
+			continue
+		}
+		if _, exists := peerData.GVRs[gvr]; exists {
+			serviceableByIDs = append(serviceableByIDs, peerID)
+		}
+	}
+	return serviceableByIDs
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery_test.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery_test.go
index 94cefd6df08b9..e15e4c314b992 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peer_discovery_test.go
@@ -52,7 +52,7 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 		labelSelectorString string
 		updatedLease        *v1.Lease
 		deletedLeaseNames   []string
-		wantCache           map[string]map[schema.GroupVersionResource]bool
+		wantCache           map[string]PeerDiscoveryCacheEntry
 	}{
 		{
 			desc:                "single remote server",
@@ -66,10 +66,8 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 					Spec: v1.LeaseSpec{HolderIdentity: proto.String("holder-1")},
 				},
 			},
-			wantCache: map[string]map[schema.GroupVersionResource]bool{
-				"remote-1": {
-					{Group: "testgroup", Version: "v1", Resource: "testresources"}: true,
-				},
+			wantCache: map[string]PeerDiscoveryCacheEntry{
+				"remote-1": makePeerDiscoveryCacheEntry("testgroup", "v1", "testresources"),
 			},
 		},
 		{
@@ -91,13 +89,9 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 					Spec: v1.LeaseSpec{HolderIdentity: proto.String("holder-2")},
 				},
 			},
-			wantCache: map[string]map[schema.GroupVersionResource]bool{
-				"remote-1": {
-					{Group: "testgroup", Version: "v1", Resource: "testresources"}: true,
-				},
-				"remote-2": {
-					{Group: "testgroup", Version: "v1", Resource: "testresources"}: true,
-				},
+			wantCache: map[string]PeerDiscoveryCacheEntry{
+				"remote-1": makePeerDiscoveryCacheEntry("testgroup", "v1", "testresources"),
+				"remote-2": makePeerDiscoveryCacheEntry("testgroup", "v1", "testresources"),
 			},
 		},
 		{
@@ -119,10 +113,8 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 				},
 				Spec: v1.LeaseSpec{HolderIdentity: proto.String("holder-2")},
 			},
-			wantCache: map[string]map[schema.GroupVersionResource]bool{
-				"remote-1": {
-					{Group: "testgroup", Version: "v1", Resource: "testresources"}: true,
-				},
+			wantCache: map[string]PeerDiscoveryCacheEntry{
+				"remote-1": makePeerDiscoveryCacheEntry("testgroup", "v1", "testresources"),
 			},
 		},
 		{
@@ -138,7 +130,7 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 				},
 			},
 			deletedLeaseNames: []string{"remote-1"},
-			wantCache:         map[string]map[schema.GroupVersionResource]bool{},
+			wantCache:         map[string]PeerDiscoveryCacheEntry{},
 		},
 	}
 
@@ -202,11 +194,9 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 			go h.RunPeerDiscoveryCacheSync(ctx, 1)
 
 			// Wait for initial cache update.
-			initialCache := map[string]map[schema.GroupVersionResource]bool{}
+			initialCache := map[string]PeerDiscoveryCacheEntry{}
 			for _, lease := range tt.leases {
-				initialCache[lease.Name] = map[schema.GroupVersionResource]bool{
-					{Group: "testgroup", Version: "v1", Resource: "testresources"}: true,
-				}
+				initialCache[lease.Name] = makePeerDiscoveryCacheEntry("testgroup", "v1", "testresources")
 			}
 			err = wait.PollUntilContextTimeout(ctx, 100*time.Millisecond, 5*time.Second, false, func(ctx context.Context) (bool, error) {
 				select {
@@ -262,7 +252,8 @@ func TestRunPeerDiscoveryCacheSync(t *testing.T) {
 				default:
 				}
 				gotCache := h.peerDiscoveryInfoCache.Load()
-				return assert.ObjectsAreEqual(tt.wantCache, gotCache), nil
+				r := assert.ObjectsAreEqual(tt.wantCache, gotCache)
+				return r, nil
 			})
 			if err != nil {
 				t.Errorf("cache doesnt match expectation: %v", err)
@@ -342,3 +333,26 @@ func (f *fakeReconciler) StopReconciling() {
 func (f *fakeReconciler) setEndpoint(serverID, endpoint string) {
 	f.endpoints[serverID] = endpoint
 }
+
+func makePeerDiscoveryCacheEntry(group, version, resource string) PeerDiscoveryCacheEntry {
+	return PeerDiscoveryCacheEntry{
+		GVRs: map[schema.GroupVersionResource]bool{
+			{Group: group, Version: version, Resource: resource}: true,
+		},
+		GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: group,
+				},
+				Versions: []apidiscoveryv2.APIVersionDiscovery{
+					{
+						Version: version,
+						Resources: []apidiscoveryv2.APIResourceDiscovery{
+							{Resource: resource},
+						},
+					},
+				},
+			},
+		},
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy.go
index f682a6c6574ba..e89eea6ad3565 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy.go
@@ -33,19 +33,32 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/transport"
 	"k8s.io/client-go/util/workqueue"
-	"k8s.io/klog/v2"
 
 	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
-	v1 "k8s.io/api/coordination/v1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	coordinationv1informers "k8s.io/client-go/informers/coordination/v1"
 )
 
-// Local discovery cache needs to be refreshed periodically to store
-// updates made to custom resources or aggregated resource that can
-// change dynamically.
-const localDiscoveryRefreshInterval = 30 * time.Minute
+const (
+	// localDiscoveryRefreshInterval is the interval at which the local discovery cache is refreshed.
+	// This cache is only used for mixed version proxy routing decisions (shouldServeLocally), not for serving discovery responses.
+	// Periodic refreshes ensure that we prefer serving requests locally when possible. Without this refresh,
+	// a stale cache could cause us to proxy a request to a peer even when we can serve it locally, resulting
+	// in unnecessary network hops. This is particularly important during upgrades when new built-in APIs become
+	// available on this server.
+	localDiscoveryRefreshInterval = 30 * time.Minute
+	// defaultExclusionGracePeriod is the default duration to wait before
+	// removing a group from the exclusion set after it is deleted from
+	// CRDs and aggregated APIs.
+	// This is to allow time for all peer API servers to also observe
+	// the deleted CRD or aggregated API before this server stops excluding it
+	// in peer-aggregated discovery and while proxying requests to peers.
+	defaultExclusionGracePeriod = 5 * time.Minute
+	// defaultExclusionReaperInterval is the interval at which the we
+	// clean up deleted groups from the exclusion list.
+	defaultExclusionReaperInterval = 1 * time.Minute
+)
 
 // Interface defines how the Mixed Version Proxy filter interacts with the underlying system.
 type Interface interface {
@@ -54,6 +67,12 @@ type Interface interface {
 	HasFinishedSync() bool
 	RunLocalDiscoveryCacheSync(stopCh <-chan struct{}) error
 	RunPeerDiscoveryCacheSync(ctx context.Context, workers int)
+	RunExcludedGVsReaper(stopCh <-chan struct{})
+	RunGVDeletionWorkers(ctx context.Context, workers int)
+	GetPeerResources() map[string][]apidiscoveryv2.APIGroupDiscovery
+	RegisterCacheInvalidationCallback(cb func())
+	RegisterCRDInformerHandlers(crdInformer cache.SharedIndexInformer, extractor GVExtractor) error
+	RegisterAPIServiceInformerHandlers(apiServiceInformer cache.SharedIndexInformer, extractor GVExtractor) error
 }
 
 // New creates a new instance to implement unknown version proxy
@@ -80,9 +99,17 @@ func NewPeerProxyHandler(
 		peerLeaseQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
 			workqueue.DefaultTypedControllerRateLimiter[string](),
 			workqueue.TypedRateLimitingQueueConfig[string]{
-				Name: controllerName,
+				Name: peerDiscoveryControllerName,
 			}),
 		apiserverIdentityInformer: leaseInformer,
+		excludedGVs:               make(map[schema.GroupVersion]*time.Time),
+		exclusionGracePeriod:      defaultExclusionGracePeriod,
+		reaperCheckInterval:       defaultExclusionReaperInterval,
+		gvDeletionQueue: workqueue.NewTypedRateLimitingQueueWithConfig(
+			workqueue.DefaultTypedControllerRateLimiter[string](),
+			workqueue.TypedRateLimitingQueueConfig[string]{
+				Name: "gv-deletion",
+			}),
 	}
 
 	if parts := strings.Split(identityLeaseLabelSelector, "="); len(parts) != 2 {
@@ -102,9 +129,12 @@ func NewPeerProxyHandler(
 	if err != nil {
 		return nil, fmt.Errorf("error creating discovery client: %w", err)
 	}
+
+	// Always use local discovery to get local view of resources.
+	discoveryClient.NoPeerDiscovery = true
 	h.discoveryClient = discoveryClient
 	h.localDiscoveryInfoCache.Store(map[schema.GroupVersionResource]bool{})
-	h.peerDiscoveryInfoCache.Store(map[string]map[schema.GroupVersionResource]bool{})
+	h.peerDiscoveryInfoCache.Store(map[string]PeerDiscoveryCacheEntry{})
 
 	proxyTransport, err := transport.New(proxyClientConfig)
 	if err != nil {
@@ -139,49 +169,3 @@ func NewPeerProxyHandler(
 	h.leaseRegistration = peerDiscoveryRegistration
 	return h, nil
 }
-
-func (h *peerProxyHandler) isValidPeerIdentityLease(obj interface{}) (*v1.Lease, bool) {
-	lease, ok := obj.(*v1.Lease)
-	if !ok {
-		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
-		if !ok {
-			utilruntime.HandleError(fmt.Errorf("unexpected object type: %T", obj))
-			return nil, false
-		}
-		if lease, ok = tombstone.Obj.(*v1.Lease); !ok {
-			utilruntime.HandleError(fmt.Errorf("unexpected object type: %T", obj))
-			return nil, false
-		}
-	}
-
-	if lease == nil {
-		klog.Error(fmt.Errorf("nil lease object provided"))
-		return nil, false
-	}
-
-	if h.identityLeaseLabelSelector != nil && h.identityLeaseLabelSelector.String() != "" {
-		identityLeaseLabel := strings.Split(h.identityLeaseLabelSelector.String(), "=")
-		if len(identityLeaseLabel) != 2 {
-			klog.Errorf("invalid identityLeaseLabelSelector format: %s", h.identityLeaseLabelSelector.String())
-			return nil, false
-		}
-
-		if lease.Labels == nil || lease.Labels[identityLeaseLabel[0]] != identityLeaseLabel[1] {
-			klog.V(4).Infof("lease %s/%s does not match label selector: %s=%s", lease.Namespace, lease.Name, identityLeaseLabel[0], identityLeaseLabel[1])
-			return nil, false
-		}
-
-	}
-
-	// Ignore self.
-	if lease.Name == h.serverID {
-		return nil, false
-	}
-
-	if lease.Spec.HolderIdentity == nil {
-		klog.Error(fmt.Errorf("invalid lease object provided, missing holderIdentity in lease obj"))
-		return nil, false
-	}
-
-	return lease, true
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler.go
index 2894271346f9f..7d12ee8488951 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler.go
@@ -31,6 +31,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/proxy"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/responsewriter"
@@ -42,9 +43,9 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/runtime/serializer"
 	epmetrics "k8s.io/apiserver/pkg/endpoints/metrics"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	apiserverproxyutil "k8s.io/apiserver/pkg/util/proxy"
@@ -60,6 +61,7 @@ type peerProxyHandler struct {
 	// Identity for this server.
 	serverID     string
 	finishedSync atomic.Bool
+
 	// Label to check against in identity leases to make sure
 	// we are working with apiserver identity leases only.
 	identityLeaseLabelSelector labels.Selector
@@ -77,14 +79,42 @@ type peerProxyHandler struct {
 	localDiscoveryCacheTicker            *time.Ticker
 	localDiscoveryInfoCachePopulated     chan struct{}
 	localDiscoveryInfoCachePopulatedOnce sync.Once
-	// Cache that stores resources served by peer apiservers.
+	// Cache that stores resources and groups served by peer apiservers.
+	// The map is from string to PeerDiscoveryCacheEntry where the string
+	// is the serverID of the peer apiserver.
 	// Refreshed if a new apiserver identity lease is added, deleted or
 	// holderIndentity change is observed in the lease.
-	peerDiscoveryInfoCache atomic.Value
+	peerDiscoveryInfoCache atomic.Value // map[string]struct{GVRs map[schema.GroupVersionResource]bool; Groups []apidiscoveryv2.APIGroupDiscovery}
 	proxyTransport         http.RoundTripper
 	// Worker queue that keeps the peerDiscoveryInfoCache up-to-date.
-	peerLeaseQueue workqueue.TypedRateLimitingInterface[string]
-	serializer     runtime.NegotiatedSerializer
+	peerLeaseQueue            workqueue.TypedRateLimitingInterface[string]
+	serializer                runtime.NegotiatedSerializer
+	cacheInvalidationCallback atomic.Pointer[func()]
+	// Exclusion set for groups that should not be included in peer proxying
+	// or peer-aggregated discovery (e.g., CRDs/APIServices)
+	//
+	// This map has three states for a group:
+	// - Not in map: Group is not excluded.
+	// - In map, value is nil: Group is actively excluded.
+	// - In map, value is non-nil: Group is pending deletion (grace period).
+	excludedGVs         map[schema.GroupVersion]*time.Time
+	excludedGVsMu       sync.RWMutex
+	crdInformer         cache.SharedIndexInformer
+	crdExtractor        GVExtractor
+	apiServiceInformer  cache.SharedIndexInformer
+	apiServiceExtractor GVExtractor
+
+	exclusionGracePeriod time.Duration
+	reaperCheckInterval  time.Duration
+
+	// Worker queue for processing GV deletions asynchronously
+	gvDeletionQueue workqueue.TypedRateLimitingInterface[string]
+}
+
+// PeerDiscoveryCacheEntry holds the GVRs and group-level discovery info for a peer.
+type PeerDiscoveryCacheEntry struct {
+	GVRs           map[schema.GroupVersionResource]bool
+	GroupDiscovery []apidiscoveryv2.APIGroupDiscovery
 }
 
 // responder implements rest.Responder for assisting a connector in writing objects or errors.
@@ -93,6 +123,10 @@ type responder struct {
 	ctx context.Context
 }
 
+func (h *peerProxyHandler) RegisterCacheInvalidationCallback(cb func()) {
+	h.cacheInvalidationCallback.Store(&cb)
+}
+
 func (h *peerProxyHandler) HasFinishedSync() bool {
 	return h.finishedSync.Load()
 }
@@ -103,10 +137,18 @@ func (h *peerProxyHandler) WaitForCacheSync(stopCh <-chan struct{}) error {
 		return fmt.Errorf("error while waiting for initial cache sync")
 	}
 
-	if !cache.WaitForNamedCacheSync(controllerName, stopCh, h.leaseRegistration.HasSynced) {
+	if !cache.WaitForNamedCacheSync(peerDiscoveryControllerName, stopCh, h.leaseRegistration.HasSynced) {
 		return fmt.Errorf("error while waiting for peer-identity-lease event handler registration sync")
 	}
 
+	if h.crdInformer != nil && !cache.WaitForNamedCacheSync("peer-discovery-crd-informer", stopCh, h.crdInformer.HasSynced) {
+		return fmt.Errorf("error while waiting for crd informer sync")
+	}
+
+	if h.apiServiceInformer != nil && !cache.WaitForNamedCacheSync("peer-discovery-api-service-informer", stopCh, h.apiServiceInformer.HasSynced) {
+		return fmt.Errorf("error while waiting for apiservice informer sync")
+	}
+
 	// Wait for localDiscoveryInfoCache to be populated.
 	select {
 	case <-h.localDiscoveryInfoCachePopulated:
@@ -152,9 +194,6 @@ func (h *peerProxyHandler) WrapHandler(handler http.Handler) http.Handler {
 		}
 
 		gvr := schema.GroupVersionResource{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion, Resource: requestInfo.Resource}
-		if requestInfo.APIGroup == "" {
-			gvr.Group = "core"
-		}
 
 		if h.shouldServeLocally(gvr) {
 			handler.ServeHTTP(w, r)
@@ -183,101 +222,6 @@ func (h *peerProxyHandler) WrapHandler(handler http.Handler) http.Handler {
 	})
 }
 
-// RunLocalDiscoveryCacheSync populated the localDiscoveryInfoCache and
-// starts a goroutine to periodically refresh the local discovery cache.
-func (h *peerProxyHandler) RunLocalDiscoveryCacheSync(stopCh <-chan struct{}) error {
-	klog.Info("localDiscoveryCacheInvalidation goroutine started")
-	// Populate the cache initially.
-	if err := h.populateLocalDiscoveryCache(); err != nil {
-		return fmt.Errorf("failed to populate initial local discovery cache: %w", err)
-	}
-
-	go func() {
-		for {
-			select {
-			case <-h.localDiscoveryCacheTicker.C:
-				klog.V(4).Infof("Invalidating local discovery cache")
-				if err := h.populateLocalDiscoveryCache(); err != nil {
-					klog.Errorf("Failed to repopulate local discovery cache: %v", err)
-				}
-			case <-stopCh:
-				klog.Info("localDiscoveryCacheInvalidation goroutine received stop signal")
-				if h.localDiscoveryCacheTicker != nil {
-					h.localDiscoveryCacheTicker.Stop()
-					klog.Info("localDiscoveryCacheTicker stopped")
-				}
-				klog.Info("localDiscoveryCacheInvalidation goroutine exiting")
-				return
-			}
-		}
-	}()
-	return nil
-}
-
-func (h *peerProxyHandler) populateLocalDiscoveryCache() error {
-	_, resourcesByGV, _, err := h.discoveryClient.GroupsAndMaybeResources()
-	if err != nil {
-		return fmt.Errorf("error getting API group resources from discovery: %w", err)
-	}
-
-	freshLocalDiscoveryResponse := map[schema.GroupVersionResource]bool{}
-	for gv, resources := range resourcesByGV {
-		if gv.Group == "" {
-			gv.Group = "core"
-		}
-		for _, resource := range resources.APIResources {
-			gvr := gv.WithResource(resource.Name)
-			freshLocalDiscoveryResponse[gvr] = true
-		}
-	}
-
-	h.localDiscoveryInfoCache.Store(freshLocalDiscoveryResponse)
-	// Signal that the cache has been populated.
-	h.localDiscoveryInfoCachePopulatedOnce.Do(func() {
-		close(h.localDiscoveryInfoCachePopulated)
-	})
-	return nil
-}
-
-// shouldServeLocally checks if the requested resource is present in the local
-// discovery cache indicating the request can be served by this server.
-func (h *peerProxyHandler) shouldServeLocally(gvr schema.GroupVersionResource) bool {
-	cache := h.localDiscoveryInfoCache.Load().(map[schema.GroupVersionResource]bool)
-	exists, ok := cache[gvr]
-	if !ok {
-		klog.V(4).Infof("resource not found for %v in local discovery cache\n", gvr.GroupVersion())
-		return false
-	}
-
-	if exists {
-		return true
-	}
-
-	return false
-}
-
-func (h *peerProxyHandler) findServiceableByPeerFromPeerDiscoveryCache(gvr schema.GroupVersionResource) []string {
-	var serviceableByIDs []string
-	cache := h.peerDiscoveryInfoCache.Load().(map[string]map[schema.GroupVersionResource]bool)
-	for peerID, servedResources := range cache {
-		// Ignore local apiserver.
-		if peerID == h.serverID {
-			continue
-		}
-
-		exists, ok := servedResources[gvr]
-		if !ok {
-			continue
-		}
-
-		if exists {
-			serviceableByIDs = append(serviceableByIDs, peerID)
-		}
-	}
-
-	return serviceableByIDs
-}
-
 // resolveServingLocation resolves the host:port addresses for the given peer IDs.
 func (h *peerProxyHandler) resolveServingLocation(peerIDs []string) ([]string, error) {
 	var peerServerEndpoints []string
@@ -336,6 +280,7 @@ func (h *peerProxyHandler) proxyRequestToDestinationAPIServer(req *http.Request,
 	delegate := &epmetrics.ResponseWriterDelegator{ResponseWriter: rw}
 	w := responsewriter.WrapForHTTP1Or2(delegate)
 	handler := proxy.NewUpgradeAwareHandler(location, proxyRoundTripper, true, false, &responder{w: w, ctx: req.Context()})
+	klog.Infof("Proxying request for %s from %s to %s", req.URL.Path, req.Host, location.Host)
 	handler.ServeHTTP(w, newReq)
 	metrics.IncPeerProxiedRequest(req.Context(), strconv.Itoa(delegate.Status()))
 }
@@ -353,3 +298,31 @@ func (r *responder) Error(w http.ResponseWriter, req *http.Request, err error) {
 	klog.ErrorS(err, "Error while proxying request to destination apiserver")
 	http.Error(w, err.Error(), http.StatusServiceUnavailable)
 }
+
+// GetPeerResources implements PeerDiscoveryProvider interface
+// Returns a map of serverID -> []apidiscoveryv2.APIGroupDiscovery served by peer servers
+func (h *peerProxyHandler) GetPeerResources() map[string][]apidiscoveryv2.APIGroupDiscovery {
+	result := make(map[string][]apidiscoveryv2.APIGroupDiscovery)
+
+	peerCache := h.peerDiscoveryInfoCache.Load()
+	if peerCache == nil {
+		klog.V(4).Infof("GetPeerResources: peer cache is nil")
+		return result
+	}
+
+	cacheMap, ok := peerCache.(map[string]PeerDiscoveryCacheEntry)
+	if !ok {
+		klog.Warning("Invalid cache type in peerDiscoveryGVRCache")
+		return result
+	}
+
+	for serverID, peerData := range cacheMap {
+		if serverID == h.serverID {
+			klog.V(4).Infof("GetPeerResources: skipping local server %s", serverID)
+			continue // Skip local server
+		}
+		result[serverID] = peerData.GroupDiscovery
+	}
+
+	return result
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler_test.go b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler_test.go
index f313678d49d3f..9598370114221 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/peerproxy/peerproxy_handler_test.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
 
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -77,7 +78,7 @@ func TestPeerProxy(t *testing.T) {
 		peerproxiedHeader    string
 		reconcilerConfig     reconciler
 		localCache           map[schema.GroupVersionResource]bool
-		peerCache            map[string]map[schema.GroupVersionResource]bool
+		peerCache            map[string]PeerDiscoveryCacheEntry
 		wantStatus           int
 		wantMetricsData      string
 	}{
@@ -102,7 +103,7 @@ func TestPeerProxy(t *testing.T) {
 			desc:        "Serve locally if serviceable",
 			requestPath: "/api/foo/bar",
 			localCache: map[schema.GroupVersionResource]bool{
-				{Group: "core", Version: "foo", Resource: "bar"}: true,
+				{Group: "", Version: "foo", Resource: "bar"}: true,
 			},
 			wantStatus: http.StatusOK,
 		},
@@ -116,9 +117,11 @@ func TestPeerProxy(t *testing.T) {
 			desc:                 "503 if no endpoint fetched from lease",
 			requestPath:          "/api/foo/bar",
 			informerFinishedSync: true,
-			peerCache: map[string]map[schema.GroupVersionResource]bool{
+			peerCache: map[string]PeerDiscoveryCacheEntry{
 				remoteServerID1: {
-					{Group: "core", Version: "foo", Resource: "bar"}: true,
+					GVRs: map[schema.GroupVersionResource]bool{
+						{Group: "", Version: "foo", Resource: "bar"}: true,
+					},
 				},
 			},
 			wantStatus: http.StatusServiceUnavailable,
@@ -127,9 +130,11 @@ func TestPeerProxy(t *testing.T) {
 			desc:                 "503 unreachable peer bind address",
 			requestPath:          "/api/foo/bar",
 			informerFinishedSync: true,
-			peerCache: map[string]map[schema.GroupVersionResource]bool{
+			peerCache: map[string]PeerDiscoveryCacheEntry{
 				remoteServerID1: {
-					{Group: "core", Version: "foo", Resource: "bar"}: true,
+					GVRs: map[schema.GroupVersionResource]bool{
+						{Group: "", Version: "foo", Resource: "bar"}: true,
+					},
 				},
 			},
 			reconcilerConfig: reconciler{
@@ -152,12 +157,16 @@ func TestPeerProxy(t *testing.T) {
 			desc:                 "503 if one apiserver's endpoint lease wasnt found but another valid (unreachable) apiserver was found",
 			requestPath:          "/api/foo/bar",
 			informerFinishedSync: true,
-			peerCache: map[string]map[schema.GroupVersionResource]bool{
+			peerCache: map[string]PeerDiscoveryCacheEntry{
 				remoteServerID1: {
-					{Group: "core", Version: "foo", Resource: "bar"}: true,
+					GVRs: map[schema.GroupVersionResource]bool{
+						{Group: "", Version: "foo", Resource: "bar"}: true,
+					},
 				},
 				remoteServerID2: {
-					{Group: "core", Version: "foo", Resource: "bar"}: true,
+					GVRs: map[schema.GroupVersionResource]bool{
+						{Group: "", Version: "foo", Resource: "bar"}: true,
+					},
 				},
 			},
 			reconcilerConfig: reconciler{
@@ -230,12 +239,101 @@ func TestPeerProxy(t *testing.T) {
 
 }
 
+func TestGetPeerResources(t *testing.T) {
+	testCases := []struct {
+		name      string
+		peerCache map[string]PeerDiscoveryCacheEntry
+		want      map[string][]apidiscoveryv2.APIGroupDiscovery
+	}{
+		{
+			name:      "empty peer cache",
+			peerCache: nil,
+			want:      map[string][]apidiscoveryv2.APIGroupDiscovery{},
+		},
+		{
+			name: "peer cache with local server, should be skipped",
+			peerCache: map[string]PeerDiscoveryCacheEntry{
+				localServerID: {
+					GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+						{
+							ObjectMeta: metav1.ObjectMeta{Name: "core"},
+						},
+					},
+				},
+				remoteServerID1: {
+					GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+						{
+							ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+						},
+					},
+				},
+			},
+			want: map[string][]apidiscoveryv2.APIGroupDiscovery{
+				remoteServerID1: {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+					},
+				},
+			},
+		},
+		{
+			name: "peer cache with multiple peers",
+			peerCache: map[string]PeerDiscoveryCacheEntry{
+				remoteServerID1: {
+					GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+						{
+							ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+						},
+						{
+							ObjectMeta: metav1.ObjectMeta{Name: "foo"},
+						},
+					},
+				},
+				remoteServerID2: {
+					GroupDiscovery: []apidiscoveryv2.APIGroupDiscovery{
+						{
+							ObjectMeta: metav1.ObjectMeta{Name: "batch"},
+						},
+					},
+				},
+			},
+			want: map[string][]apidiscoveryv2.APIGroupDiscovery{
+				remoteServerID1: {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "apps"},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "foo"},
+					},
+				},
+				remoteServerID2: {
+					{
+						ObjectMeta: metav1.ObjectMeta{Name: "batch"},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			s := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()
+			handler, err := newFakePeerProxyHandler(true, nil, localServerID, s, nil, tt.peerCache)
+			if err != nil {
+				t.Fatalf("Error creating peer proxy handler: %v", err)
+			}
+
+			got := handler.GetPeerResources()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
 func newFakePeerEndpointReconciler(t *testing.T) reconcilers.PeerEndpointLeaseReconciler {
 	server, sc := etcd3testing.NewUnsecuredEtcd3TestClientServer(t)
 	t.Cleanup(func() { server.Terminate(t) })
 	scheme := runtime.NewScheme()
 	metav1.AddToGroupVersion(scheme, metav1.SchemeGroupVersion)
-	//utilruntime.Must(core.AddToScheme(scheme))
 	utilruntime.Must(corev1.AddToScheme(scheme))
 	utilruntime.Must(scheme.SetVersionPriority(corev1.SchemeGroupVersion))
 	codecs := serializer.NewCodecFactory(scheme)
@@ -252,7 +350,7 @@ func newFakePeerEndpointReconciler(t *testing.T) reconcilers.PeerEndpointLeaseRe
 
 func newHandlerChain(t *testing.T, informerFinishedSync bool, handler http.Handler,
 	reconciler reconcilers.PeerEndpointLeaseReconciler,
-	localCache map[schema.GroupVersionResource]bool, peerCache map[string]map[schema.GroupVersionResource]bool) http.Handler {
+	localCache map[schema.GroupVersionResource]bool, peerCache map[string]PeerDiscoveryCacheEntry) http.Handler {
 	// Add peerproxy handler
 	s := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()
 	peerProxyHandler, err := newFakePeerProxyHandler(informerFinishedSync, reconciler, localServerID, s, localCache, peerCache)
@@ -273,7 +371,7 @@ func newHandlerChain(t *testing.T, informerFinishedSync bool, handler http.Handl
 
 func newFakePeerProxyHandler(informerFinishedSync bool,
 	reconciler reconcilers.PeerEndpointLeaseReconciler, id string, s runtime.NegotiatedSerializer,
-	localCache map[schema.GroupVersionResource]bool, peerCache map[string]map[schema.GroupVersionResource]bool) (*peerProxyHandler, error) {
+	localCache map[schema.GroupVersionResource]bool, peerCache map[string]PeerDiscoveryCacheEntry) (*peerProxyHandler, error) {
 	clientset := fake.NewSimpleClientset()
 	informerFactory := informers.NewSharedInformerFactory(clientset, 0)
 	leaseInformer := informerFactory.Coordination().V1().Leases()
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/webhook_test.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/webhook_test.go
index dba0e3ed6e499..cfa09aa7045c2 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/webhook/webhook_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/webhook_test.go
@@ -872,7 +872,7 @@ func TestWithExponentialBackoffParametersNotSet(t *testing.T) {
 
 	err := WithExponentialBackoff(context.TODO(), wait.Backoff{}, webhookFunc, alwaysRetry)
 
-	errExpected := fmt.Errorf("webhook call failed: %s", wait.ErrWaitTimeout)
+	errExpected := fmt.Errorf("webhook call failed: %s", wait.ErrorInterrupted(nil).Error())
 	if errExpected.Error() != err.Error() {
 		t.Errorf("expected error: %v, but got: %v", errExpected, err)
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/validation/metrics.go b/staging/src/k8s.io/apiserver/pkg/validation/metrics.go
index 256c23c4b1ead..4d06bc96d6776 100644
--- a/staging/src/k8s.io/apiserver/pkg/validation/metrics.go
+++ b/staging/src/k8s.io/apiserver/pkg/validation/metrics.go
@@ -28,8 +28,9 @@ const (
 
 // ValidationMetrics is the interface for validation metrics.
 type ValidationMetrics interface {
-	IncDeclarativeValidationMismatchMetric()
-	IncDeclarativeValidationPanicMetric()
+	IncDeclarativeValidationMismatchMetric(validationIdentifier string)
+	IncDeclarativeValidationPanicMetric(validationIdentifier string)
+	IncDuplicateValidationErrorMetric()
 	Reset()
 }
 
@@ -43,6 +44,16 @@ var validationMetricsInstance = &validationMetrics{
 			StabilityLevel: metrics.BETA,
 		},
 	),
+	DeclarativeValidationMismatchCounterVector: metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Namespace:      namespace,
+			Subsystem:      subsystem,
+			Name:           "declarative_validation_parity_discrepancies_total",
+			Help:           "Number of discrepancies between declarative and handwritten validation, broken down by validation identifier.",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"validation_identifier"},
+	),
 	DeclarativeValidationPanicCounter: metrics.NewCounter(
 		&metrics.CounterOpts{
 			Namespace:      namespace,
@@ -52,6 +63,25 @@ var validationMetricsInstance = &validationMetrics{
 			StabilityLevel: metrics.BETA,
 		},
 	),
+	DeclarativeValidationPanicCounterVector: metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Namespace:      namespace,
+			Subsystem:      subsystem,
+			Name:           "declarative_validation_panics_total",
+			Help:           "Number of panics in declarative validation, broken down by validation identifier.",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"validation_identifier"},
+	),
+	DuplicateValidationErrorCounter: metrics.NewCounter(
+		&metrics.CounterOpts{
+			Namespace:      namespace,
+			Subsystem:      subsystem,
+			Name:           "duplicate_validation_error_total",
+			Help:           "Number of duplicate validation errors during validation.",
+			StabilityLevel: metrics.INTERNAL,
+		},
+	),
 }
 
 // Metrics provides access to validation metrics.
@@ -59,28 +89,44 @@ var Metrics ValidationMetrics = validationMetricsInstance
 
 func init() {
 	legacyregistry.MustRegister(validationMetricsInstance.DeclarativeValidationMismatchCounter)
+	legacyregistry.MustRegister(validationMetricsInstance.DeclarativeValidationMismatchCounterVector)
 	legacyregistry.MustRegister(validationMetricsInstance.DeclarativeValidationPanicCounter)
+	legacyregistry.MustRegister(validationMetricsInstance.DeclarativeValidationPanicCounterVector)
+	legacyregistry.MustRegister(validationMetricsInstance.DuplicateValidationErrorCounter)
 }
 
 type validationMetrics struct {
-	DeclarativeValidationMismatchCounter *metrics.Counter
-	DeclarativeValidationPanicCounter    *metrics.Counter
+	DeclarativeValidationMismatchCounter       *metrics.Counter
+	DeclarativeValidationMismatchCounterVector *metrics.CounterVec
+	DeclarativeValidationPanicCounter          *metrics.Counter
+	DeclarativeValidationPanicCounterVector    *metrics.CounterVec
+	DuplicateValidationErrorCounter            *metrics.Counter
 }
 
 // Reset resets the validation metrics.
 func (m *validationMetrics) Reset() {
 	m.DeclarativeValidationMismatchCounter.Reset()
+	m.DeclarativeValidationMismatchCounterVector.Reset()
 	m.DeclarativeValidationPanicCounter.Reset()
+	m.DeclarativeValidationPanicCounterVector.Reset()
+	m.DuplicateValidationErrorCounter.Reset()
 }
 
 // IncDeclarativeValidationMismatchMetric increments the counter for the declarative_validation_mismatch_total metric.
-func (m *validationMetrics) IncDeclarativeValidationMismatchMetric() {
+func (m *validationMetrics) IncDeclarativeValidationMismatchMetric(validationIdentifier string) {
 	m.DeclarativeValidationMismatchCounter.Inc()
+	m.DeclarativeValidationMismatchCounterVector.WithLabelValues(validationIdentifier).Inc()
 }
 
 // IncDeclarativeValidationPanicMetric increments the counter for the declarative_validation_panic_total metric.
-func (m *validationMetrics) IncDeclarativeValidationPanicMetric() {
+func (m *validationMetrics) IncDeclarativeValidationPanicMetric(validationIdentifier string) {
 	m.DeclarativeValidationPanicCounter.Inc()
+	m.DeclarativeValidationPanicCounterVector.WithLabelValues(validationIdentifier).Inc()
+}
+
+// IncDuplicateValidationErrorMetric increments the counter for the duplicate_validation_error_total metric.
+func (m *validationMetrics) IncDuplicateValidationErrorMetric() {
+	m.DuplicateValidationErrorCounter.Inc()
 }
 
 func ResetValidationMetricsInstance() {
diff --git a/staging/src/k8s.io/apiserver/pkg/validation/metrics_test.go b/staging/src/k8s.io/apiserver/pkg/validation/metrics_test.go
index e93118a00b74a..016a6956eeae5 100644
--- a/staging/src/k8s.io/apiserver/pkg/validation/metrics_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/validation/metrics_test.go
@@ -24,21 +24,28 @@ import (
 	"k8s.io/component-base/metrics/testutil"
 )
 
+const testIdentifier = "test_validation_identifier"
+const anotherTestIdentifier = "another_test_validation_identifier"
+
 // TestDeclarativeValidationMismatchMetric tests that the mismatch metric correctly increments once
 func TestDeclarativeValidationMismatchMetric(t *testing.T) {
 	defer legacyregistry.Reset()
 	defer ResetValidationMetricsInstance()
 
 	// Increment the metric once
-	Metrics.IncDeclarativeValidationMismatchMetric()
+	Metrics.IncDeclarativeValidationMismatchMetric(testIdentifier)
 
 	expected := `
+	# HELP apiserver_validation_declarative_validation_parity_discrepancies_total [ALPHA] Number of discrepancies between declarative and handwritten validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_parity_discrepancies_total counter
+	apiserver_validation_declarative_validation_parity_discrepancies_total{validation_identifier="test_validation_identifier"} 1
 	# HELP apiserver_validation_declarative_validation_mismatch_total [BETA] Number of times declarative validation results differed from handwritten validation results for core types.
 	# TYPE apiserver_validation_declarative_validation_mismatch_total counter
 	apiserver_validation_declarative_validation_mismatch_total 1
+	
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_mismatch_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_validation_declarative_validation_parity_discrepancies_total", "apiserver_validation_declarative_validation_mismatch_total"); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -49,15 +56,38 @@ func TestDeclarativeValidationPanicMetric(t *testing.T) {
 	defer ResetValidationMetricsInstance()
 
 	// Increment the metric once
-	Metrics.IncDeclarativeValidationPanicMetric()
+	Metrics.IncDeclarativeValidationPanicMetric(testIdentifier)
 
 	expected := `
+	# HELP apiserver_validation_declarative_validation_panics_total [ALPHA] Number of panics in declarative validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_panics_total counter
+	apiserver_validation_declarative_validation_panics_total{validation_identifier="test_validation_identifier"} 1
 	# HELP apiserver_validation_declarative_validation_panic_total [BETA] Number of times declarative validation has panicked during validation.
 	# TYPE apiserver_validation_declarative_validation_panic_total counter
 	apiserver_validation_declarative_validation_panic_total 1
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_panic_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected),
+		"apiserver_validation_declarative_validation_panic_total", "apiserver_validation_declarative_validation_panics_total"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestDuplicateValidationErrorMetric tests that the duplicate error metric correctly increments once
+func TestDuplicateValidationErrorMetric(t *testing.T) {
+	defer legacyregistry.Reset()
+	defer ResetValidationMetricsInstance()
+
+	// Increment the metric once
+	Metrics.IncDuplicateValidationErrorMetric()
+
+	expected := `
+	# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+	# TYPE apiserver_validation_duplicate_validation_error_total counter
+	apiserver_validation_duplicate_validation_error_total 1
+	`
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_validation_duplicate_validation_error_total"); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -68,17 +98,21 @@ func TestDeclarativeValidationMismatchMetricMultiple(t *testing.T) {
 	defer ResetValidationMetricsInstance()
 
 	// Increment the metric three times
-	Metrics.IncDeclarativeValidationMismatchMetric()
-	Metrics.IncDeclarativeValidationMismatchMetric()
-	Metrics.IncDeclarativeValidationMismatchMetric()
+	Metrics.IncDeclarativeValidationMismatchMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationMismatchMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationMismatchMetric(anotherTestIdentifier)
 
 	expected := `
+	# HELP apiserver_validation_declarative_validation_parity_discrepancies_total [ALPHA] Number of discrepancies between declarative and handwritten validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_parity_discrepancies_total counter
+	apiserver_validation_declarative_validation_parity_discrepancies_total{validation_identifier="test_validation_identifier"} 2
+	apiserver_validation_declarative_validation_parity_discrepancies_total{validation_identifier="another_test_validation_identifier"} 1
 	# HELP apiserver_validation_declarative_validation_mismatch_total [BETA] Number of times declarative validation results differed from handwritten validation results for core types.
 	# TYPE apiserver_validation_declarative_validation_mismatch_total counter
 	apiserver_validation_declarative_validation_mismatch_total 3
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_mismatch_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_validation_declarative_validation_parity_discrepancies_total", "apiserver_validation_declarative_validation_mismatch_total"); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -89,17 +123,42 @@ func TestDeclarativeValidationPanicMetricMultiple(t *testing.T) {
 	defer ResetValidationMetricsInstance()
 
 	// Increment the metric three times
-	Metrics.IncDeclarativeValidationPanicMetric()
-	Metrics.IncDeclarativeValidationPanicMetric()
-	Metrics.IncDeclarativeValidationPanicMetric()
+	Metrics.IncDeclarativeValidationPanicMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationPanicMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationPanicMetric(anotherTestIdentifier)
 
 	expected := `
+	# HELP apiserver_validation_declarative_validation_panics_total [ALPHA] Number of panics in declarative validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_panics_total counter
+	apiserver_validation_declarative_validation_panics_total{validation_identifier="test_validation_identifier"} 2
+	apiserver_validation_declarative_validation_panics_total{validation_identifier="another_test_validation_identifier"} 1
 	# HELP apiserver_validation_declarative_validation_panic_total [BETA] Number of times declarative validation has panicked during validation.
 	# TYPE apiserver_validation_declarative_validation_panic_total counter
 	apiserver_validation_declarative_validation_panic_total 3
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_panic_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_validation_declarative_validation_panic_total", "apiserver_validation_declarative_validation_panics_total"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestDuplicateValidationErrorMetricMultiple tests that the duplicate error metric correctly increments multiple times
+func TestDuplicateValidationErrorMetricMultiple(t *testing.T) {
+	defer legacyregistry.Reset()
+	defer ResetValidationMetricsInstance()
+
+	// Increment the metric three times
+	Metrics.IncDuplicateValidationErrorMetric()
+	Metrics.IncDuplicateValidationErrorMetric()
+	Metrics.IncDuplicateValidationErrorMetric()
+
+	expected := `
+	# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+	# TYPE apiserver_validation_duplicate_validation_error_total counter
+	apiserver_validation_duplicate_validation_error_total 3
+	`
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "apiserver_validation_duplicate_validation_error_total"); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -110,8 +169,9 @@ func TestDeclarativeValidationMetricsReset(t *testing.T) {
 	defer ResetValidationMetricsInstance()
 
 	// Increment both metrics
-	Metrics.IncDeclarativeValidationMismatchMetric()
-	Metrics.IncDeclarativeValidationPanicMetric()
+	Metrics.IncDeclarativeValidationMismatchMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationPanicMetric(testIdentifier)
+	Metrics.IncDuplicateValidationErrorMetric()
 
 	// Reset the metrics
 	Metrics.Reset()
@@ -124,15 +184,22 @@ func TestDeclarativeValidationMetricsReset(t *testing.T) {
 	# HELP apiserver_validation_declarative_validation_panic_total [BETA] Number of times declarative validation has panicked during validation.
 	# TYPE apiserver_validation_declarative_validation_panic_total counter
 	apiserver_validation_declarative_validation_panic_total 0
+	# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+	# TYPE apiserver_validation_duplicate_validation_error_total counter
+	apiserver_validation_duplicate_validation_error_total 0
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_mismatch_total", "declarative_validation_panic_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected),
+		"apiserver_validation_declarative_validation_mismatch_total",
+		"apiserver_validation_declarative_validation_panic_total",
+		"apiserver_validation_duplicate_validation_error_total"); err != nil {
 		t.Fatal(err)
 	}
 
 	// Increment the metrics again to ensure they're still functional
-	Metrics.IncDeclarativeValidationMismatchMetric()
-	Metrics.IncDeclarativeValidationPanicMetric()
+	Metrics.IncDeclarativeValidationMismatchMetric(testIdentifier)
+	Metrics.IncDeclarativeValidationPanicMetric(testIdentifier)
+	Metrics.IncDuplicateValidationErrorMetric()
 
 	// Verify they've been incremented correctly
 	expected = `
@@ -142,9 +209,23 @@ func TestDeclarativeValidationMetricsReset(t *testing.T) {
 	# HELP apiserver_validation_declarative_validation_panic_total [BETA] Number of times declarative validation has panicked during validation.
 	# TYPE apiserver_validation_declarative_validation_panic_total counter
 	apiserver_validation_declarative_validation_panic_total 1
+	# HELP apiserver_validation_duplicate_validation_error_total [INTERNAL] Number of duplicate validation errors during validation.
+	# TYPE apiserver_validation_duplicate_validation_error_total counter
+	apiserver_validation_duplicate_validation_error_total 1
+	# HELP apiserver_validation_declarative_validation_parity_discrepancies_total [ALPHA] Number of discrepancies between declarative and handwritten validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_parity_discrepancies_total counter
+	apiserver_validation_declarative_validation_parity_discrepancies_total{validation_identifier="test_validation_identifier"} 1
+	# HELP apiserver_validation_declarative_validation_panics_total [ALPHA] Number of panics in declarative validation, broken down by validation identifier.
+	# TYPE apiserver_validation_declarative_validation_panics_total counter
+	apiserver_validation_declarative_validation_panics_total{validation_identifier="test_validation_identifier"} 1
 	`
 
-	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected), "declarative_validation_mismatch_total", "declarative_validation_panic_total"); err != nil {
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expected),
+		"apiserver_validation_declarative_validation_mismatch_total",
+		"apiserver_validation_declarative_validation_parity_discrepancies_total",
+		"apiserver_validation_declarative_validation_panic_total",
+		"apiserver_validation_declarative_validation_panics_total",
+		"apiserver_validation_duplicate_validation_error_total"); err != nil {
 		t.Fatal(err)
 	}
 }
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
index 109cde254edb1..8c72ac6810c8d 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics.go
@@ -47,13 +47,117 @@ var (
 		},
 		[]string{"result", "jwt_issuer_hash"},
 	)
+
+	jwksFetchLastTimestampSeconds = metrics.NewGaugeVec(
+		&metrics.GaugeOpts{
+			Namespace: namespace,
+			Subsystem: subsystem,
+			Name:      "jwt_authenticator_jwks_fetch_last_timestamp_seconds",
+			Help: "Timestamp of the last successful or failed JWKS fetch split by result, api server identity " +
+				"and jwt issuer for the JWT authenticator.",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"result", "jwt_issuer_hash", "apiserver_id_hash"},
+	)
+
+	jwksFetchLastKeySetInfo = metrics.NewDesc(
+		metrics.BuildFQName(namespace, subsystem, "jwt_authenticator_jwks_fetch_last_key_set_info"),
+		"Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.",
+		[]string{"jwt_issuer_hash", "apiserver_id_hash", "hash"},
+		nil,
+		metrics.ALPHA,
+		"",
+	)
 )
 
+// jwksHashKey uniquely identifies a JWKS by issuer and API server ID
+type jwksHashKey struct {
+	jwtIssuerHash   string
+	apiServerIDHash string
+}
+
+// jwksHashProvider manages JWKS hashes for all authenticators
+type jwksHashProvider struct {
+	hashes sync.Map // map[jwksHashKey]string
+}
+
+func newJWKSHashProvider() *jwksHashProvider {
+	return &jwksHashProvider{}
+}
+
+func (p *jwksHashProvider) setHash(jwtIssuer, apiServerID, keySet string) {
+	key := jwksHashKey{
+		jwtIssuerHash:   getHash(jwtIssuer),
+		apiServerIDHash: getHash(apiServerID),
+	}
+	jwksHash := getHash(keySet)
+	p.hashes.Store(key, jwksHash)
+}
+
+func (p *jwksHashProvider) getHashes() map[jwksHashKey]string {
+	result := make(map[jwksHashKey]string)
+	p.hashes.Range(func(k, v interface{}) bool {
+		result[k.(jwksHashKey)] = v.(string)
+		return true
+	})
+	return result
+}
+
+func (p *jwksHashProvider) reset() {
+	p.hashes.Range(func(k, v interface{}) bool {
+		p.hashes.Delete(k)
+		return true
+	})
+}
+
+func (p *jwksHashProvider) deleteHash(jwtIssuer, apiServerID string) {
+	key := jwksHashKey{
+		jwtIssuerHash:   getHash(jwtIssuer),
+		apiServerIDHash: getHash(apiServerID),
+	}
+	p.hashes.Delete(key)
+}
+
+// jwksHashCollector is a custom collector that emits JWKS hash metrics
+type jwksHashCollector struct {
+	metrics.BaseStableCollector
+	desc         *metrics.Desc
+	hashProvider *jwksHashProvider
+}
+
+func newJWKSHashCollector(desc *metrics.Desc, hashProvider *jwksHashProvider) metrics.StableCollector {
+	return &jwksHashCollector{
+		desc:         desc,
+		hashProvider: hashProvider,
+	}
+}
+
+func (c *jwksHashCollector) DescribeWithStability(ch chan<- *metrics.Desc) {
+	ch <- c.desc
+}
+
+func (c *jwksHashCollector) CollectWithStability(ch chan<- metrics.Metric) {
+	hashes := c.hashProvider.getHashes()
+	for key, hash := range hashes {
+		ch <- metrics.NewLazyConstMetric(
+			c.desc,
+			metrics.GaugeValue,
+			1,
+			key.jwtIssuerHash,
+			key.apiServerIDHash,
+			hash,
+		)
+	}
+}
+
 var registerMetrics sync.Once
+var hashProvider = newJWKSHashProvider()
 
 func RegisterMetrics() {
 	registerMetrics.Do(func() {
 		legacyregistry.MustRegister(jwtAuthenticatorLatencyMetric)
+		legacyregistry.MustRegister(jwksFetchLastTimestampSeconds)
+		legacyregistry.CustomMustRegister(newJWKSHashCollector(jwksFetchLastKeySetInfo, hashProvider))
 	})
 }
 
@@ -61,6 +165,42 @@ func recordAuthenticationLatency(result, jwtIssuerHash string, duration time.Dur
 	jwtAuthenticatorLatencyMetric.WithLabelValues(result, jwtIssuerHash).Observe(duration.Seconds())
 }
 
+func recordJWKSFetchTimestamp(result, jwtIssuer, apiServerID string) {
+	jwksFetchLastTimestampSeconds.WithLabelValues(result, getHash(jwtIssuer), getHash(apiServerID)).SetToCurrentTime()
+}
+
+func recordJWKSFetchKeySetSuccess(jwtIssuer, apiServerID, keySet string) {
+	recordJWKSFetchKeySetHash(jwtIssuer, apiServerID, keySet)
+	recordJWKSFetchTimestamp("success", jwtIssuer, apiServerID)
+}
+
+func recordJWKSFetchKeySetFailure(jwtIssuer, apiServerID string) {
+	recordJWKSFetchTimestamp("failure", jwtIssuer, apiServerID)
+}
+
+func recordJWKSFetchKeySetHash(jwtIssuer, apiServerID, keySet string) {
+	hashProvider.setHash(jwtIssuer, apiServerID, keySet)
+}
+
+// DeleteJWKSFetchMetrics deletes all JWKS-related metrics for a specific issuer and API server.
+// This includes the hash metric and timestamp metrics (both success and failure).
+// This should be called when an issuer is removed from the configuration to clean up stale metrics.
+func DeleteJWKSFetchMetrics(jwtIssuer, apiServerID string) {
+	jwtIssuerHash := getHash(jwtIssuer)
+	apiServerIDHash := getHash(apiServerID)
+
+	hashProvider.deleteHash(jwtIssuer, apiServerID)
+
+	jwksFetchLastTimestampSeconds.DeleteLabelValues("success", jwtIssuerHash, apiServerIDHash)
+	jwksFetchLastTimestampSeconds.DeleteLabelValues("failure", jwtIssuerHash, apiServerIDHash)
+}
+
+func ResetMetrics() {
+	jwtAuthenticatorLatencyMetric.Reset()
+	jwksFetchLastTimestampSeconds.Reset()
+	hashProvider.reset()
+}
+
 func getHash(data string) string {
 	if len(data) > 0 {
 		return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(data)))
@@ -73,7 +213,6 @@ func newInstrumentedAuthenticator(jwtIssuer string, delegate AuthenticatorTokenW
 }
 
 func newInstrumentedAuthenticatorWithClock(jwtIssuer string, delegate AuthenticatorTokenWithHealthCheck, clock clock.PassiveClock) *instrumentedAuthenticator {
-	RegisterMetrics()
 	return &instrumentedAuthenticator{
 		jwtIssuerHash: getHash(jwtIssuer),
 		delegate:      delegate,
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics_test.go
index cdcad1d05ef26..0628a3dee7947 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/metrics_test.go
@@ -29,7 +29,9 @@ import (
 )
 
 const (
-	testIssuer = "testIssuer"
+	testIssuer      = "testIssuer"
+	testAPIServerID = "testAPIServerID"
+	testKeySet      = `{"keys":[{"kty":"RSA","use":"sig","kid":"test"}]}`
 )
 
 func TestRecordAuthenticationLatency(t *testing.T) {
@@ -131,3 +133,125 @@ func (d dummyClock) Now() time.Time {
 func (d dummyClock) Since(t time.Time) time.Duration {
 	return time.Duration(1)
 }
+
+func TestRecordJWKSFetchKeySetSuccess(t *testing.T) {
+	expectedValue := `
+	# HELP apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info [ALPHA] Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.
+	# TYPE apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info gauge
+	apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="sha256:d132d414ef2da3d863abd7bf0165c00403ef1d3510faf8fdf1d7cf335c888e53",jwt_issuer_hash="sha256:29b34beedc55b972f2428f21bc588f9d38e5e8f7a7af825486e7bb4fd9caa2ad"} 1
+	`
+
+	metrics := []string{
+		namespace + "_" + subsystem + "_jwt_authenticator_jwks_fetch_last_key_set_info",
+	}
+
+	ResetMetrics()
+	RegisterMetrics()
+
+	recordJWKSFetchKeySetSuccess(testIssuer, testAPIServerID, testKeySet)
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedValue), metrics...); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestRecordJWKSFetchKeySetFailure(t *testing.T) {
+	ResetMetrics()
+	RegisterMetrics()
+
+	recordJWKSFetchKeySetFailure(testIssuer, testAPIServerID)
+
+	metrics, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	found := false
+	for _, m := range metrics {
+		if m.GetName() == namespace+"_"+subsystem+"_jwt_authenticator_jwks_fetch_last_timestamp_seconds" {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatal("Expected jwt_authenticator_jwks_fetch_last_timestamp_seconds metric to be present")
+	}
+}
+
+func TestJWKSHashCollector_MultipleAuthenticators(t *testing.T) {
+	expectedValue := `
+	# HELP apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info [ALPHA] Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.
+	# TYPE apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info gauge
+	apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="sha256:d132d414ef2da3d863abd7bf0165c00403ef1d3510faf8fdf1d7cf335c888e53",jwt_issuer_hash="sha256:29b34beedc55b972f2428f21bc588f9d38e5e8f7a7af825486e7bb4fd9caa2ad"} 1
+	apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="sha256:1b5293c65ffc96e13f2d6fefae782190aec8cfb89957a3109419d4f47b80e3e8",jwt_issuer_hash="sha256:f10ab1bafaa1a8628d0fae41ee554948912b01957e4a2db1698fc1c3e4451682"} 1
+	`
+
+	metrics := []string{
+		namespace + "_" + subsystem + "_jwt_authenticator_jwks_fetch_last_key_set_info",
+	}
+
+	ResetMetrics()
+	RegisterMetrics()
+
+	recordJWKSFetchKeySetSuccess(testIssuer, testAPIServerID, testKeySet)
+
+	secondIssuer := "https://another-issuer.example.com"
+	secondKeySet := `{"keys":[{"kty":"EC","use":"sig","kid":"test2"}]}`
+	recordJWKSFetchKeySetSuccess(secondIssuer, testAPIServerID, secondKeySet)
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedValue), metrics...); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestJWKSHashCollector_UpdateExistingHash(t *testing.T) {
+	expectedValue := `
+	# HELP apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info [ALPHA] Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.
+	# TYPE apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info gauge
+	apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="sha256:1b5293c65ffc96e13f2d6fefae782190aec8cfb89957a3109419d4f47b80e3e8",jwt_issuer_hash="sha256:29b34beedc55b972f2428f21bc588f9d38e5e8f7a7af825486e7bb4fd9caa2ad"} 1
+	`
+
+	metrics := []string{
+		namespace + "_" + subsystem + "_jwt_authenticator_jwks_fetch_last_key_set_info",
+	}
+
+	ResetMetrics()
+	RegisterMetrics()
+
+	recordJWKSFetchKeySetSuccess(testIssuer, testAPIServerID, testKeySet)
+
+	// Update with new JWKS - should replace old hash with new one
+	updatedKeySet := `{"keys":[{"kty":"EC","use":"sig","kid":"test2"}]}`
+	recordJWKSFetchKeySetSuccess(testIssuer, testAPIServerID, updatedKeySet)
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedValue), metrics...); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestJWKSHashCollector_DeleteHash(t *testing.T) {
+	ResetMetrics()
+	RegisterMetrics()
+
+	recordJWKSFetchKeySetSuccess(testIssuer, testAPIServerID, testKeySet)
+	secondIssuer := "https://another-issuer.example.com"
+	secondKeySet := `{"keys":[{"kty":"EC","use":"sig","kid":"test2"}]}`
+	recordJWKSFetchKeySetSuccess(secondIssuer, testAPIServerID, secondKeySet)
+
+	// Delete first authenticator's metrics and verify only second authenticator's hash remains
+	DeleteJWKSFetchMetrics(testIssuer, testAPIServerID)
+
+	expectedValue := `
+	# HELP apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info [ALPHA] Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.
+	# TYPE apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info gauge
+	apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="sha256:1b5293c65ffc96e13f2d6fefae782190aec8cfb89957a3109419d4f47b80e3e8",jwt_issuer_hash="sha256:f10ab1bafaa1a8628d0fae41ee554948912b01957e4a2db1698fc1c3e4451682"} 1
+	`
+
+	metrics := []string{
+		namespace + "_" + subsystem + "_jwt_authenticator_jwks_fetch_last_key_set_info",
+	}
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedValue), metrics...); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
index d9063fcd160c8..688f7f6eebd47 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
@@ -27,6 +27,7 @@ oidc implements the authenticator.Token interface using the OpenID Connect proto
 package oidc
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -34,6 +35,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"mime"
 	"net/http"
 	"net/url"
 	"strings"
@@ -46,6 +48,7 @@ import (
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/common/types/traits"
+	jose "gopkg.in/go-jose/go-jose.v2"
 
 	"k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -58,7 +61,9 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/cel"
 	"k8s.io/apiserver/pkg/cel/lazy"
+	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/server/egressselector"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/klog/v2"
 )
@@ -79,6 +84,10 @@ type Options struct {
 
 	// Optional KeySet to allow for synchronous initialization instead of fetching from the remote issuer.
 	// Mutually exclusive with JWTAuthenticator.Issuer.DiscoveryURL.
+	//
+	// The following API server metrics for fetching JWKS and provider status will not be recorded if this is set.
+	//  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds
+	//  - apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info
 	KeySet oidc.KeySet
 
 	// PEM encoded root certificate contents of the provider.  Mutually exclusive with Client.
@@ -109,6 +118,10 @@ type Options struct {
 
 	DisallowedIssuers []string
 
+	// APIServerID is the ID of the API server
+	// This is used in metrics to identify the API server
+	APIServerID string
+
 	// now is used for testing. It defaults to time.Now.
 	now func() time.Time
 }
@@ -264,6 +277,7 @@ func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHeal
 		return nil, err
 	}
 
+	RegisterMetrics()
 	supportedSigningAlgs := opts.SupportedSigningAlgs
 	if len(supportedSigningAlgs) == 0 {
 		// RS256 is the default recommended by OpenID Connect and an 'alg' value
@@ -421,6 +435,31 @@ func New(lifecycleCtx context.Context, opts Options) (AuthenticatorTokenWithHeal
 					return false, nil
 				}
 
+				if utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthenticationConfigurationJWKSMetrics) {
+					providerJSON := &struct {
+						JWKSURL string `json:"jwks_uri"`
+					}{}
+
+					if err := provider.Claims(providerJSON); err != nil {
+						klog.Errorf("oidc authenticator: error getting JWKS URL: %v", err)
+						authn.healthCheck.Store(&errorHolder{err: err})
+						return false, nil
+					}
+					if len(providerJSON.JWKSURL) == 0 {
+						klog.Errorf("provider did not return JWKS URL")
+						authn.healthCheck.Store(&errorHolder{err: fmt.Errorf("provider did not return JWKS URL")})
+						return false, nil
+					}
+
+					clientWithJWKSMetrics := *client
+					clientWithJWKSMetrics.Transport = withMetricsRoundTripper(client.Transport, providerJSON.JWKSURL, issuerURL, opts.APIServerID, lifecycleCtx)
+					client = &clientWithJWKSMetrics
+
+					remoteKeySet := oidc.NewRemoteKeySet(oidc.ClientContext(lifecycleCtx, client), providerJSON.JWKSURL)
+					authn.setVerifier(&idTokenVerifier{oidc.NewVerifier(issuerURL, remoteKeySet, verifierConfig), audiences})
+					return true, nil
+				}
+
 				verifier := provider.Verifier(verifierConfig)
 				authn.setVerifier(&idTokenVerifier{verifier, audiences})
 				return true, nil
@@ -451,6 +490,100 @@ type errorHolder struct {
 	err error
 }
 
+// metricsRoundTripper is a http.RoundTripper that records metrics for JWKS fetches.
+type metricsRoundTripper struct {
+	base    http.RoundTripper
+	jwksURL string
+
+	jwtIssuer        string
+	apiServerID      string
+	shouldRecordFunc func() bool
+}
+
+// shouldRecordMetrics returns true if metrics should be recorded.
+// This is used to avoid recording metrics after the lifecycle context is done.
+func (m *metricsRoundTripper) shouldRecordMetrics() bool {
+	return m.shouldRecordFunc()
+}
+
+func (m *metricsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if req.URL.String() != m.jwksURL || !m.shouldRecordMetrics() {
+		return m.base.RoundTrip(req)
+	}
+
+	resp, err := m.base.RoundTrip(req)
+	if err != nil || resp.StatusCode != http.StatusOK || resp.Body == nil {
+		if m.shouldRecordMetrics() {
+			recordJWKSFetchKeySetFailure(m.jwtIssuer, m.apiServerID)
+		}
+		return resp, err
+	}
+
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		if m.shouldRecordMetrics() {
+			recordJWKSFetchKeySetFailure(m.jwtIssuer, m.apiServerID)
+		}
+		return resp, fmt.Errorf("error reading JWKS response: %w", err)
+	}
+
+	// This check has been copied from https://github.com/coreos/go-oidc/blob/0fe98873951208147e6d412602432038c91cda54/oidc/jwks.go#L263-L267
+	// to validate the key set before setting the metrics to avoid recording invalid key sets.
+	var keySet jose.JSONWebKeySet
+	if m.shouldRecordMetrics() {
+		if unmarshalErr := unmarshalResp(resp, body, &keySet); unmarshalErr != nil {
+			recordJWKSFetchKeySetFailure(m.jwtIssuer, m.apiServerID)
+		} else {
+			recordJWKSFetchKeySetSuccess(m.jwtIssuer, m.apiServerID, string(body))
+		}
+	}
+
+	newResp := &http.Response{}
+	*newResp = *resp
+	newResp.Body = io.NopCloser(bytes.NewBuffer(body))
+
+	return newResp, nil
+}
+
+// This function is copied from https://github.com/coreos/go-oidc/blob/0fe98873951208147e6d412602432038c91cda54/oidc/oidc.go#L543-L554
+// to validate the key set before setting the metrics to avoid recording invalid key sets.
+func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
+	err := json.Unmarshal(body, &v)
+	if err == nil {
+		return nil
+	}
+	ct := r.Header.Get("Content-Type")
+	mediaType, _, parseErr := mime.ParseMediaType(ct)
+	if parseErr == nil && mediaType == "application/json" {
+		return fmt.Errorf("got Content-Type = application/json, but could not unmarshal as JSON: %w", err)
+	}
+	return fmt.Errorf("expected Content-Type = application/json, got %q: %w", ct, err)
+}
+
+// withMetricsRoundTripper returns a new http.RoundTripper that records metrics for JWKS fetches.
+func withMetricsRoundTripper(base http.RoundTripper, jwksURL, jwtIssuer, apiServerID string, lifecycleCtx context.Context) http.RoundTripper {
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	return &metricsRoundTripper{
+		base:        base,
+		jwksURL:     jwksURL,
+		jwtIssuer:   jwtIssuer,
+		apiServerID: apiServerID,
+		shouldRecordFunc: func() bool {
+			select {
+			case <-lifecycleCtx.Done():
+				return false
+			default:
+				return true
+			}
+		},
+	}
+}
+
 // discoveryURLRoundTripper is a http.RoundTripper that rewrites the
 // {url}/.well-known/openid-configuration to the discovery URL.
 type discoveryURLRoundTripper struct {
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
index 36bba4d1a619a..08cd28463aac4 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
@@ -31,6 +31,7 @@ import (
 	"os"
 	"reflect"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"testing"
 	"text/template"
@@ -42,8 +43,12 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	"k8s.io/apiserver/pkg/server/egressselector"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
@@ -152,6 +157,25 @@ type claimsTest struct {
 	fetchKeysFromRemote bool
 }
 
+type testClaimsServer struct {
+	*httptest.Server
+
+	keys jose.JSONWebKeySet
+	mu   sync.RWMutex
+}
+
+func (c *testClaimsServer) setKeys(keys jose.JSONWebKeySet) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.keys = keys
+}
+
+func (c *testClaimsServer) getKeys() jose.JSONWebKeySet {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.keys
+}
+
 // Replace formats the contents of v into the provided template.
 func replace(tmpl string, v interface{}) string {
 	t := template.Must(template.New("test").Parse(tmpl))
@@ -166,19 +190,29 @@ func replace(tmpl string, v interface{}) string {
 // OIDC responses to requests that resolve distributed claims. signer is the
 // signer used for the served JWT tokens.  claimToResponseMap is a map of
 // responses that the server will return for each claim it is given.
-func newClaimServer(t *testing.T, keys jose.JSONWebKeySet, signer jose.Signer, claimToResponseMap map[string]string, openIDConfig *string) *httptest.Server {
-	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+func newClaimServer(t *testing.T, keys jose.JSONWebKeySet, signer jose.Signer, claimToResponseMap map[string]string, openIDConfig *string) *testClaimsServer {
+	cs := &testClaimsServer{
+		keys: keys,
+		mu:   sync.RWMutex{},
+	}
+
+	cs.Server = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		klog.V(5).Infof("request: %+v", *r)
 		switch r.URL.Path {
 		case "/.testing/keys":
 			w.Header().Set("Content-Type", "application/json")
-			keyBytes, err := json.Marshal(keys)
+			keyBytes, err := json.Marshal(cs.getKeys())
 			if err != nil {
 				t.Fatalf("unexpected error while marshaling keys: %v", err)
 			}
 			klog.V(5).Infof("%v: returning: %+v", r.URL, string(keyBytes))
 			w.Write(keyBytes)
 
+		case "/.testing/invalidkeys":
+			w.Header().Set("Content-Type", "application/json")
+		case "/.testing/keys/badstatus":
+			w.WriteHeader(http.StatusInternalServerError)
+
 		// /c/d/bar/.well-known/openid-configuration is used to test issuer url and discovery url with a path
 		case "/.well-known/openid-configuration", "/c/d/bar/.well-known/openid-configuration":
 			w.Header().Set("Content-Type", "application/json")
@@ -211,8 +245,8 @@ func newClaimServer(t *testing.T, keys jose.JSONWebKeySet, signer jose.Signer, c
 			fmt.Fprintf(w, "unexpected URL: %v", r.URL)
 		}
 	}))
-	klog.V(4).Infof("Serving OIDC at: %v", ts.URL)
-	return ts
+	klog.V(4).Infof("Serving OIDC at: %v", cs.Server.URL)
+	return cs
 }
 
 func toKeySet(keys []*jose.JSONWebKey) jose.JSONWebKeySet {
@@ -4611,6 +4645,417 @@ func TestUnmarshalClaim(t *testing.T) {
 	}
 }
 
+func TestJWKSMetricsKeySetError(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StructuredAuthenticationConfigurationJWKSMetrics, true)
+
+	synchronizeTokenIDVerifierForTest = true
+	signingKey := loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256)
+	pubKeys := []*jose.JSONWebKey{
+		loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+	}
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(signingKey.Algorithm),
+		Key:       signingKey,
+	}, nil)
+	if err != nil {
+		t.Fatalf("initialize signer: %v", err)
+	}
+
+	tests := []struct {
+		name         string
+		openIDConfig string
+	}{
+		{
+			name: "invalid keyset",
+			openIDConfig: `{
+				"issuer": "{{.URL}}",
+				"jwks_uri": "{{.URL}}/.testing/invalidkeys"
+			}`,
+		},
+		{
+			name: "bad status code",
+			openIDConfig: `{
+				"issuer": "{{.URL}}",
+				"jwks_uri": "{{.URL}}/.testing/keys/badstatus"
+			}`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ResetMetrics()
+
+			ts := newClaimServer(t, toKeySet(pubKeys), signer, nil, &test.openIDConfig)
+			defer ts.Close()
+
+			v := struct {
+				URL string
+			}{
+				URL: ts.URL,
+			}
+			test.openIDConfig = replace(test.openIDConfig, &v)
+
+			opts := Options{
+				JWTAuthenticator: apiserver.JWTAuthenticator{
+					Issuer: apiserver.Issuer{
+						URL:       ts.URL,
+						Audiences: []string{"my-client"},
+					},
+					ClaimMappings: apiserver.ClaimMappings{
+						Username: apiserver.PrefixedClaimOrExpression{
+							Claim:  "username",
+							Prefix: ptr.To(""),
+						},
+					},
+				},
+				now:         func() time.Time { return now },
+				APIServerID: "testAPIServerID",
+			}
+
+			// Make the certificate of the helper server available to the authenticator
+			caBundle := pem.EncodeToMemory(&pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: ts.Certificate().Raw,
+			})
+			caContent, err := dynamiccertificates.NewStaticCAContent("oidc-authenticator", caBundle)
+			if err != nil {
+				t.Fatalf("initialize ca: %v", err)
+			}
+			opts.CAContentProvider = caContent
+
+			ctx := testContext(t)
+			// Initialize the authenticator.
+			a, err := New(ctx, opts)
+			if err != nil {
+				t.Fatalf("initialize authenticator: %v", err)
+			}
+
+			claims := fmt.Sprintf(`{
+"iss": "%s",
+"aud": "my-client",
+"username": "jane",
+"exp": %d
+}`, ts.URL, valid.Unix())
+
+			jws, err := signer.Sign([]byte(claims))
+			if err != nil {
+				t.Fatalf("sign claims: %v", err)
+			}
+			token, err := jws.CompactSerialize()
+			if err != nil {
+				t.Fatalf("serialize token: %v", err)
+			}
+
+			ia, ok := a.(*instrumentedAuthenticator)
+			if !ok {
+				t.Fatalf("expected authenticator to be instrumented")
+			}
+			authenticator, ok := ia.delegate.(*jwtAuthenticator)
+			if !ok {
+				t.Fatalf("expected delegate to be Authenticator")
+			}
+			// wait for the authenticator to be initialized
+			err = wait.PollUntilContextCancel(ctx, time.Millisecond, true, func(context.Context) (bool, error) {
+				if v, _ := authenticator.idTokenVerifier(); v == nil {
+					return false, nil
+				}
+				return true, nil
+			})
+			if err != nil {
+				t.Fatalf("failed to initialize the authenticator: %v", err)
+			}
+
+			if _, _, err = a.AuthenticateToken(ctx, token); err == nil {
+				t.Fatalf("expected error but got nil")
+			}
+
+			metricFamilies, err := legacyregistry.DefaultGatherer.Gather()
+			if err != nil {
+				t.Fatalf("failed to gather metrics: %v", err)
+			}
+
+			jwtIssuerHash := getHash(ts.URL)
+			var timestamp float64
+			for _, family := range metricFamilies {
+				if family.GetName() != "apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds" {
+					continue
+				}
+
+				labelFilter := map[string]string{
+					"apiserver_id_hash": "sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",
+					"jwt_issuer_hash":   jwtIssuerHash,
+					"result":            "failure",
+				}
+				if !testutil.LabelsMatch(family.Metric[0], labelFilter) {
+					t.Fatalf("unexpected metric: %v", family.Metric[0])
+				}
+
+				timestamp = *family.Metric[0].Gauge.Value
+				break
+			}
+			if timestamp == 0 {
+				t.Fatalf("failed to get the timestamp")
+			}
+		})
+	}
+}
+
+func TestJWKSMetrics(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StructuredAuthenticationConfigurationJWKSMetrics, true)
+	ResetMetrics()
+
+	synchronizeTokenIDVerifierForTest = true
+	signingKey := loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256)
+	pubKeys := []*jose.JSONWebKey{
+		loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+	}
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(signingKey.Algorithm),
+		Key:       signingKey,
+	}, nil)
+	if err != nil {
+		t.Fatalf("initialize signer: %v", err)
+	}
+	openIDConfig := `{
+		"issuer": "{{.URL}}",
+		"jwks_uri": "{{.URL}}/.testing/keys"
+	}`
+
+	ts := newClaimServer(t, toKeySet(pubKeys), signer, nil, &openIDConfig)
+	defer ts.Close()
+
+	v := struct {
+		URL string
+	}{
+		URL: ts.URL,
+	}
+	openIDConfig = replace(openIDConfig, &v)
+
+	opts := Options{
+		JWTAuthenticator: apiserver.JWTAuthenticator{
+			Issuer: apiserver.Issuer{
+				URL:       ts.URL,
+				Audiences: []string{"my-client"},
+			},
+			ClaimMappings: apiserver.ClaimMappings{
+				Username: apiserver.PrefixedClaimOrExpression{
+					Claim:  "username",
+					Prefix: ptr.To(""),
+				},
+			},
+		},
+		now:         func() time.Time { return now },
+		APIServerID: "testAPIServerID",
+	}
+
+	// Make the certificate of the helper server available to the authenticator
+	caBundle := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: ts.Certificate().Raw,
+	})
+	caContent, err := dynamiccertificates.NewStaticCAContent("oidc-authenticator", caBundle)
+	if err != nil {
+		t.Fatalf("initialize ca: %v", err)
+	}
+	opts.CAContentProvider = caContent
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Initialize the authenticator.
+	a, err := New(ctx, opts)
+	if err != nil {
+		t.Fatalf("initialize authenticator: %v", err)
+	}
+
+	claims := fmt.Sprintf(`{
+"iss": "%s",
+"aud": "my-client",
+"username": "jane",
+"exp": %d
+}`, ts.URL, valid.Unix())
+
+	jws, err := signer.Sign([]byte(claims))
+	if err != nil {
+		t.Fatalf("sign claims: %v", err)
+	}
+	token, err := jws.CompactSerialize()
+	if err != nil {
+		t.Fatalf("serialize token: %v", err)
+	}
+
+	ia, ok := a.(*instrumentedAuthenticator)
+	if !ok {
+		t.Fatalf("expected authenticator to be instrumented")
+	}
+	authenticator, ok := ia.delegate.(*jwtAuthenticator)
+	if !ok {
+		t.Fatalf("expected delegate to be Authenticator")
+	}
+	// wait for the authenticator to be initialized
+	err = wait.PollUntilContextCancel(ctx, time.Millisecond, true, func(context.Context) (bool, error) {
+		if v, _ := authenticator.idTokenVerifier(); v == nil {
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		t.Fatalf("failed to initialize the authenticator: %v", err)
+	}
+
+	jwtIssuerHash := getHash(ts.URL)
+	// 1. Remote JWKS fetch success the first time we fetch the keys.
+	if _, _, err = a.AuthenticateToken(ctx, token); err != nil {
+		t.Fatalf("authenticate token: %v", err)
+	}
+	checkJWKSMetrics(t, jwtIssuerHash, "sha256:6c22a3ad4bfe350786cb03d06c6e6d40a6d642d168935b88f1e72c407d969c83")
+
+	// 2. Rotate the keys and update the server.
+	signingKey = loadRSAPrivKey(t, "testdata/rsa_2.pem", jose.RS256)
+	pubKeys = []*jose.JSONWebKey{
+		loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+		loadRSAKey(t, "testdata/rsa_2.pem", jose.RS256),
+	}
+	signer, err = jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(signingKey.Algorithm),
+		Key:       signingKey,
+	}, nil)
+	if err != nil {
+		t.Fatalf("initialize signer: %v", err)
+	}
+	ts.setKeys(toKeySet(pubKeys))
+	// Sign and serialize the claims in a JWT with the new key.
+	// This should trigger a new JWKS fetch as kid not found in the cache.
+	jws, err = signer.Sign([]byte(claims))
+	if err != nil {
+		t.Fatalf("sign claims: %v", err)
+	}
+	token, err = jws.CompactSerialize()
+	if err != nil {
+		t.Fatalf("serialize token: %v", err)
+	}
+	if _, _, err = a.AuthenticateToken(ctx, token); err != nil {
+		t.Fatalf("authenticate token: %v", err)
+	}
+	checkJWKSMetrics(t, jwtIssuerHash, "sha256:42444728eaa3a55f7a0192d60cfea88ff5a69ecb7bf9ef0d2ffa3f9db9ceff41")
+
+	// 3. Cancel the context and verify metrics are NOT updated after cancellation.
+	// Capture current metrics before cancellation.
+	metricsBeforeCancel := captureTimestampMetric(t, jwtIssuerHash, "sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37")
+
+	// Cancel the authenticator's lifecycle context
+	cancel()
+
+	// Rotate keys again to trigger another JWKS fetch attempt.
+	// This should fail because the context is cancelled, but more importantly,
+	// even if the RoundTrip happens, metrics should NOT be recorded.
+	signingKey = loadRSAPrivKey(t, "testdata/rsa_3.pem", jose.RS256)
+	pubKeys = []*jose.JSONWebKey{
+		loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
+		loadRSAKey(t, "testdata/rsa_2.pem", jose.RS256),
+		loadRSAKey(t, "testdata/rsa_3.pem", jose.RS256),
+	}
+	signer, err = jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(signingKey.Algorithm),
+		Key:       signingKey,
+	}, nil)
+	if err != nil {
+		t.Fatalf("initialize signer: %v", err)
+	}
+	ts.setKeys(toKeySet(pubKeys))
+
+	// Try to authenticate with a new token (this will likely fail due to cancelled context,
+	// but we're testing that even if any HTTP request happens, metrics won't be updated)
+	jws, err = signer.Sign([]byte(claims))
+	if err != nil {
+		t.Fatalf("sign claims: %v", err)
+	}
+	token, err = jws.CompactSerialize()
+	if err != nil {
+		t.Fatalf("serialize token: %v", err)
+	}
+	// Authentication will likely fail with cancelled context, which is expected
+	_, _, err = a.AuthenticateToken(context.Background(), token)
+	if err == nil || !strings.Contains(err.Error(), "context canceled") {
+		t.Fatalf("expected context canceled error, got: %v", err)
+	}
+
+	// Verify metrics did NOT change after context cancellation
+	metricsAfterCancel := captureTimestampMetric(t, jwtIssuerHash, "sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37")
+	if metricsAfterCancel != metricsBeforeCancel {
+		t.Errorf("metrics changed after context cancellation: before=%v, after=%v (should remain unchanged)", metricsBeforeCancel, metricsAfterCancel)
+	}
+}
+
+func captureTimestampMetric(t *testing.T, jwtIssuerHash, apiServerIDHash string) float64 {
+	t.Helper()
+
+	metricFamilies, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	for _, family := range metricFamilies {
+		if family.GetName() != "apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds" {
+			continue
+		}
+
+		for _, metric := range family.Metric {
+			labelFilter := map[string]string{
+				"apiserver_id_hash": apiServerIDHash,
+				"jwt_issuer_hash":   jwtIssuerHash,
+				"result":            "success",
+			}
+			if testutil.LabelsMatch(metric, labelFilter) {
+				return *metric.Gauge.Value
+			}
+		}
+	}
+
+	return 0
+}
+
+func checkJWKSMetrics(t *testing.T, jwtIssuerHash string, expectedJWKSHash string) {
+	t.Helper()
+
+	expectedMetricValue := fmt.Sprintf(`
+       # HELP apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info [ALPHA] Information about the last JWKS fetched by the JWT authenticator with hash as label, split by api server identity and jwt issuer.
+	   # TYPE apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info gauge
+	   apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",hash="%s",jwt_issuer_hash="%s"} 1
+	`, expectedJWKSHash, jwtIssuerHash)
+
+	if err := testutil.GatherAndCompare(legacyregistry.DefaultGatherer, strings.NewReader(expectedMetricValue), "apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info"); err != nil {
+		t.Fatalf("unexpected metrics:\n%s", err)
+	}
+
+	metricFamilies, err := legacyregistry.DefaultGatherer.Gather()
+	if err != nil {
+		t.Fatalf("failed to gather metrics: %v", err)
+	}
+
+	var ts float64
+	for _, family := range metricFamilies {
+		if family.GetName() != "apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds" {
+			continue
+		}
+
+		labelFilter := map[string]string{
+			"apiserver_id_hash": "sha256:14f9d63e669337ac6bfda2e2162915ee6a6067743eddd4e5c374b572f951ff37",
+			"jwt_issuer_hash":   jwtIssuerHash,
+			"result":            "success",
+		}
+		if !testutil.LabelsMatch(family.Metric[0], labelFilter) {
+			t.Fatalf("unexpected metric: %v", family.Metric[0])
+		}
+
+		ts = *family.Metric[0].Gauge.Value
+		break
+	}
+	if ts == 0 {
+		t.Fatalf("failed to get the timestamp")
+	}
+}
+
 type errTransport string
 
 func (e errTransport) RoundTrip(_ *http.Request) (*http.Response, error) {
diff --git a/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json b/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json
index 10fea5c6f45db..5efba3a4f660f 100644
--- a/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json
+++ b/staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json
@@ -14256,7 +14256,7 @@
       "description": "CSIDriverSpec is the specification of a CSIDriver.",
       "properties": {
         "attachRequired": {
-          "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.",
+          "description": "attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.",
           "type": "boolean"
         },
         "fsGroupPolicy": {
diff --git a/staging/src/k8s.io/cli-runtime/go.mod b/staging/src/k8s.io/cli-runtime/go.mod
index b79886b8eb015..fa6887f0ab457 100644
--- a/staging/src/k8s.io/cli-runtime/go.mod
+++ b/staging/src/k8s.io/cli-runtime/go.mod
@@ -2,9 +2,9 @@
 
 module k8s.io/cli-runtime
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/google/gnostic-models v0.7.0
@@ -12,19 +12,19 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
 	github.com/moby/term v0.5.0
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/sync v0.17.0
-	golang.org/x/text v0.29.0
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/sync v0.18.0
+	golang.org/x/text v0.31.0
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/kustomize/api v0.20.1
 	sigs.k8s.io/kustomize/kyaml v0.20.1
 	sigs.k8s.io/yaml v1.6.0
@@ -37,11 +37,10 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -53,26 +52,25 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/cli-runtime/go.sum b/staging/src/k8s.io/cli-runtime/go.sum
index f3e91c49b7d5e..b53889afc8eec 100644
--- a/staging/src/k8s.io/cli-runtime/go.sum
+++ b/staging/src/k8s.io/cli-runtime/go.sum
@@ -1,6 +1,8 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -19,8 +21,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -31,8 +33,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -41,8 +41,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -54,8 +54,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -81,26 +79,26 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -111,71 +109,48 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -184,12 +159,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
 sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
 sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
diff --git a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go
index ed47e99942f4d..04712fb497be5 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/command_headers.go
@@ -19,6 +19,7 @@ package genericclioptions
 import (
 	"net/http"
 	"strings"
+	"sync/atomic"
 
 	"github.com/google/uuid"
 	"github.com/spf13/cobra"
@@ -33,8 +34,9 @@ const (
 // round tripper to add Request headers before delegation. Implements
 // the go standard library "http.RoundTripper" interface.
 type CommandHeaderRoundTripper struct {
-	Delegate http.RoundTripper
-	Headers  map[string]string
+	Delegate    http.RoundTripper
+	Headers     map[string]string
+	SkipHeaders *atomic.Bool
 }
 
 // CommandHeaderRoundTripper adds Request headers before delegating to standard
@@ -43,9 +45,14 @@ type CommandHeaderRoundTripper struct {
 //
 //	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
 func (c *CommandHeaderRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if c.shouldSkipHeaders() {
+		return c.Delegate.RoundTrip(req)
+	}
+
 	for header, value := range c.Headers {
 		req.Header.Set(header, value)
 	}
+
 	return c.Delegate.RoundTrip(req)
 }
 
@@ -92,3 +99,11 @@ func (c *CommandHeaderRoundTripper) CancelRequest(req *http.Request) {
 		cr.CancelRequest(req)
 	}
 }
+
+func (c *CommandHeaderRoundTripper) shouldSkipHeaders() bool {
+	if c.SkipHeaders == nil {
+		return false
+	}
+
+	return c.SkipHeaders.Load()
+}
diff --git a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go
index 8dba84e34206f..350c7beedc5d2 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/config_flags.go
@@ -39,25 +39,26 @@ import (
 )
 
 const (
-	flagClusterName        = "cluster"
-	flagAuthInfoName       = "user"
-	flagContext            = "context"
-	flagNamespace          = "namespace"
-	flagAPIServer          = "server"
-	flagTLSServerName      = "tls-server-name"
-	flagInsecure           = "insecure-skip-tls-verify"
-	flagCertFile           = "client-certificate"
-	flagKeyFile            = "client-key"
-	flagCAFile             = "certificate-authority"
-	flagBearerToken        = "token"
-	flagImpersonate        = "as"
-	flagImpersonateUID     = "as-uid"
-	flagImpersonateGroup   = "as-group"
-	flagUsername           = "username"
-	flagPassword           = "password"
-	flagTimeout            = "request-timeout"
-	flagCacheDir           = "cache-dir"
-	flagDisableCompression = "disable-compression"
+	flagClusterName          = "cluster"
+	flagAuthInfoName         = "user"
+	flagContext              = "context"
+	flagNamespace            = "namespace"
+	flagAPIServer            = "server"
+	flagTLSServerName        = "tls-server-name"
+	flagInsecure             = "insecure-skip-tls-verify"
+	flagCertFile             = "client-certificate"
+	flagKeyFile              = "client-key"
+	flagCAFile               = "certificate-authority"
+	flagBearerToken          = "token"
+	flagImpersonate          = "as"
+	flagImpersonateUID       = "as-uid"
+	flagImpersonateGroup     = "as-group"
+	flagImpersonateUserExtra = "as-user-extra"
+	flagUsername             = "username"
+	flagPassword             = "password"
+	flagTimeout              = "request-timeout"
+	flagCacheDir             = "cache-dir"
+	flagDisableCompression   = "disable-compression"
 )
 
 // RESTClientGetter is an interface that the ConfigFlags describe to provide an easier way to mock for commands
@@ -83,24 +84,25 @@ type ConfigFlags struct {
 	KubeConfig *string
 
 	// config flags
-	ClusterName        *string
-	AuthInfoName       *string
-	Context            *string
-	Namespace          *string
-	APIServer          *string
-	TLSServerName      *string
-	Insecure           *bool
-	CertFile           *string
-	KeyFile            *string
-	CAFile             *string
-	BearerToken        *string
-	Impersonate        *string
-	ImpersonateUID     *string
-	ImpersonateGroup   *[]string
-	Username           *string
-	Password           *string
-	Timeout            *string
-	DisableCompression *bool
+	ClusterName          *string
+	AuthInfoName         *string
+	Context              *string
+	Namespace            *string
+	APIServer            *string
+	TLSServerName        *string
+	Insecure             *bool
+	CertFile             *string
+	KeyFile              *string
+	CAFile               *string
+	BearerToken          *string
+	Impersonate          *string
+	ImpersonateUID       *string
+	ImpersonateGroup     *[]string
+	ImpersonateUserExtra *[]string
+	Username             *string
+	Password             *string
+	Timeout              *string
+	DisableCompression   *bool
 	// If non-nil, wrap config function can transform the Config
 	// before it is returned in ToRESTConfig function.
 	WrapConfigFn func(*rest.Config) *rest.Config
@@ -170,16 +172,32 @@ func (f *ConfigFlags) toRawKubeConfigLoader() clientcmd.ClientConfig {
 	// bind auth info flag values to overrides
 	if f.CertFile != nil {
 		overrides.AuthInfo.ClientCertificate = *f.CertFile
+		overrides.AuthInfo.ClientCertificateData = nil
 	}
 	if f.KeyFile != nil {
 		overrides.AuthInfo.ClientKey = *f.KeyFile
+		overrides.AuthInfo.ClientKeyData = nil
 	}
 	if f.BearerToken != nil {
 		overrides.AuthInfo.Token = *f.BearerToken
+		overrides.AuthInfo.TokenFile = ""
 	}
 	if f.Impersonate != nil {
 		overrides.AuthInfo.Impersonate = *f.Impersonate
 	}
+	if f.ImpersonateUserExtra != nil && len(*f.ImpersonateUserExtra) > 0 {
+		userExtras := make(map[string][]string)
+		for _, extra := range *f.ImpersonateUserExtra {
+			parts := strings.SplitN(extra, "=", 2)
+			if len(parts) != 2 {
+				continue
+			}
+			key := parts[0]
+			value := parts[1]
+			userExtras[key] = append(userExtras[key], value)
+		}
+		overrides.AuthInfo.ImpersonateUserExtra = userExtras
+	}
 	if f.ImpersonateUID != nil {
 		overrides.AuthInfo.ImpersonateUID = *f.ImpersonateUID
 	}
@@ -373,6 +391,9 @@ func (f *ConfigFlags) AddFlags(flags *pflag.FlagSet) {
 	if f.ImpersonateGroup != nil {
 		flags.StringArrayVar(f.ImpersonateGroup, flagImpersonateGroup, *f.ImpersonateGroup, "Group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
 	}
+	if f.ImpersonateUserExtra != nil {
+		flags.StringArrayVar(f.ImpersonateUserExtra, flagImpersonateUserExtra, *f.ImpersonateUserExtra, "User extras to impersonate for the operation, this flag can be repeated to specify multiple values for the same key.")
+	}
 	if f.Username != nil {
 		flags.StringVar(f.Username, flagUsername, *f.Username, "Username for basic authentication to the API server")
 	}
@@ -446,6 +467,7 @@ func (f *ConfigFlags) WithWarningPrinter(ioStreams genericiooptions.IOStreams) *
 // NewConfigFlags returns ConfigFlags with default values set
 func NewConfigFlags(usePersistentConfig bool) *ConfigFlags {
 	impersonateGroup := []string{}
+	impersonateUserExtra := []string{}
 	insecure := false
 	disableCompression := false
 
@@ -454,21 +476,22 @@ func NewConfigFlags(usePersistentConfig bool) *ConfigFlags {
 		Timeout:    ptr.To("0"),
 		KubeConfig: ptr.To(""),
 
-		CacheDir:           ptr.To(getDefaultCacheDir()),
-		ClusterName:        ptr.To(""),
-		AuthInfoName:       ptr.To(""),
-		Context:            ptr.To(""),
-		Namespace:          ptr.To(""),
-		APIServer:          ptr.To(""),
-		TLSServerName:      ptr.To(""),
-		CertFile:           ptr.To(""),
-		KeyFile:            ptr.To(""),
-		CAFile:             ptr.To(""),
-		BearerToken:        ptr.To(""),
-		Impersonate:        ptr.To(""),
-		ImpersonateUID:     ptr.To(""),
-		ImpersonateGroup:   &impersonateGroup,
-		DisableCompression: &disableCompression,
+		CacheDir:             ptr.To(getDefaultCacheDir()),
+		ClusterName:          ptr.To(""),
+		AuthInfoName:         ptr.To(""),
+		Context:              ptr.To(""),
+		Namespace:            ptr.To(""),
+		APIServer:            ptr.To(""),
+		TLSServerName:        ptr.To(""),
+		CertFile:             ptr.To(""),
+		KeyFile:              ptr.To(""),
+		CAFile:               ptr.To(""),
+		BearerToken:          ptr.To(""),
+		Impersonate:          ptr.To(""),
+		ImpersonateUID:       ptr.To(""),
+		ImpersonateGroup:     &impersonateGroup,
+		ImpersonateUserExtra: &impersonateUserExtra,
+		DisableCompression:   &disableCompression,
 
 		usePersistentConfig: usePersistentConfig,
 		// The more groups you have, the more discovery requests you need to make.
diff --git a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go
index a2eeb1e2c6c78..9828450967d07 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/genericclioptions/json_yaml_flags.go
@@ -33,7 +33,7 @@ func (f *JSONYamlPrintFlags) AllowedFormats() []string {
 	}
 	formats := []string{"json", "yaml"}
 	// We can't use the cmdutil pkg directly because of import cycle.
-	if strings.ToLower(os.Getenv("KUBECTL_KYAML")) == "true" {
+	if strings.ToLower(os.Getenv("KUBECTL_KYAML")) != "false" {
 		formats = append(formats, "kyaml")
 	}
 	return formats
diff --git a/staging/src/k8s.io/cli-runtime/pkg/resource/builder.go b/staging/src/k8s.io/cli-runtime/pkg/resource/builder.go
index 00bd3701a0e87..37e830852c9a2 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/resource/builder.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/resource/builder.go
@@ -129,6 +129,10 @@ Example resource specifications include:
 
 var StdinMultiUseError = errors.New("standard input cannot be used for multiple arguments")
 
+// ErrMultipleResourceTypes is returned when Builder.SingleResourceType() was called,
+// but multiple resource types were specified.
+var ErrMultipleResourceTypes = errors.New("you may only specify a single resource type")
+
 // TODO: expand this to include other errors.
 func IsUsageError(err error) bool {
 	if err == nil {
@@ -813,7 +817,7 @@ func (b *Builder) mappingFor(resourceOrKindArg string) (*meta.RESTMapping, error
 
 func (b *Builder) resourceMappings() ([]*meta.RESTMapping, error) {
 	if len(b.resources) > 1 && b.singleResourceType {
-		return nil, fmt.Errorf("you may only specify a single resource type")
+		return nil, ErrMultipleResourceTypes
 	}
 	mappings := []*meta.RESTMapping{}
 	seen := map[schema.GroupVersionKind]bool{}
@@ -849,7 +853,7 @@ func (b *Builder) resourceTupleMappings() (map[string]*meta.RESTMapping, error)
 		canonical[mapping.Resource] = struct{}{}
 	}
 	if len(canonical) > 1 && b.singleResourceType {
-		return nil, fmt.Errorf("you may only specify a single resource type")
+		return nil, ErrMultipleResourceTypes
 	}
 	return mappings, nil
 }
diff --git a/staging/src/k8s.io/cli-runtime/pkg/resource/builder_test.go b/staging/src/k8s.io/cli-runtime/pkg/resource/builder_test.go
index 41149b43feb2e..e556e462da590 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/resource/builder_test.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/resource/builder_test.go
@@ -1367,8 +1367,8 @@ func TestSingleResourceType(t *testing.T) {
 		SingleResourceType().
 		ResourceTypeOrNameArgs(true, "pods,services")
 
-	if b.Do().Err() == nil {
-		t.Errorf("unexpected non-error")
+	if err := b.Do().Err(); !errors.Is(err, ErrMultipleResourceTypes) {
+		t.Errorf("unexpected error: %s", err)
 	}
 }
 
diff --git a/staging/src/k8s.io/client-go/ARCHITECTURE.md b/staging/src/k8s.io/client-go/ARCHITECTURE.md
new file mode 100644
index 0000000000000..20759b2661923
--- /dev/null
+++ b/staging/src/k8s.io/client-go/ARCHITECTURE.md
@@ -0,0 +1,162 @@
+# `client-go` Architecture
+
+This document explains the internal architecture of `client-go` for contributors. It describes the
+major components, how they interact, and the key design decisions that shape the library.
+
+## Client Configuration
+
+There is an architectural separation between loading client configuration and using it. The
+`rest.Config` object is the in-memory representation of this configuration. The
+`tools/clientcmd` package is the standard factory for producing it. `clientcmd` handles the
+complex logic of parsing `kubeconfig` files, merging contexts, and handling external
+authentication providers (e.g., OIDC).
+
+## REST Client
+
+The `rest.Client` is the foundational HTTP client that underpins all other clients. It separates
+the low-level concerns of HTTP transport, serialization, and error handling from higher-level,
+Kubernetes-specific object logic.
+
+The `rest.Config` object is used to build the underlying HTTP transport, which is typically a
+chain of `http.RoundTripper` objects. Each element in the chain is responsible for a specific
+task, such as adding an `Authorization` header. This is the mechanism by which all authentication
+is injected into requests.
+
+The client uses a builder pattern for requests (e.g., `.Verb()`, `.Resource()`), deferring
+response processing until a method like `.Into(&pod)` is called. This separation is key to
+supporting different client models from a common base.
+
+### Endpoint Interactions
+
+*   **Content Negotiation:** The client uses HTTP `Accept` headers to negotiate the wire format
+    (JSON or Protobuf). A key performance optimization using this mechanism is the ability to
+    request metadata-only objects via the `as=PartialObjectMetadata;g=meta.k8s.io;v=v1` Accept custom parameter.
+    Also the `as=Table;g=meta.k8s.io;v=v1` Accept custom parameters may be used to request lists as tables. 
+*   **Subresources:** The client can target standard subresources like `/status` or `/scale` for
+    object mutations, and it can also handle action-oriented subresources like `/logs` or
+    `/exec`, which often involve streaming data.
+*   **List Pagination:** For `LIST` requests, the client can specify a `limit`. The server will
+    return up to that many items and, if more exist, a `continue` token. The client is
+    responsible for passing this token in a subsequent request to retrieve the next page.
+    Higher-level tools like the `Reflector`'s `ListerWatcher` handle this logic automatically.
+*   **Streaming Watches:** A `WATCH` request returns a `watch.Interface` (from
+    `k8s.io/apimachinery/pkg/watch`), which provides a channel of structured `watch.Event`
+    objects (`ADDED`, `MODIFIED`, `DELETED`, `BOOKMARK`). This decouples the watch consumer from
+    the underlying streaming protocol.
+
+### Errors, Warnings, and Rate Limiting
+
+*   **Structured Errors:** The client deserializes non-2xx responses into a structured
+    `errors.StatusError`, enabling programmatic error handling (e.g., `errors.IsNotFound(err)`).
+*   **Warnings:** It processes non-fatal `Warning` headers from the API server via a
+    `WarningHandler`.
+*   **Client-Side Rate Limiting:** The `QPS` and `Burst` settings in `rest.Config` are the
+    client's half of the contract with the server's API Priority and Fairness system.
+*   **Server-Side Throttling:** The client's default transport automatically handles HTTP `429`
+    responses by reading the `Retry-After` header, waiting, and retrying the request.
+
+## Typed and Dynamic Clients
+
+To handle the extensible nature of the Kubernetes API, `client-go` provides two primary client
+models.
+
+The **`kubernetes.Clientset`** provides compile-time, type-safe access to core, built-in APIs.
+
+The **`dynamic.DynamicClient`** represents all objects as `unstructured.Unstructured`, allowing it
+to interact with any API resource, including CRDs. It relies on two discovery mechanisms:
+1.  The **`discovery.DiscoveryClient`** determines *what* resources exist. The
+    **`CachedDiscoveryClient`** is an optimization that caches this data on disk to solve.
+2.  The **OpenAPI schema** (fetched from `/openapi/v3`) describes the *structure* of those
+    resources, providing the schema awareness needed by the dynamic client.
+
+## Code Generation
+
+A core architectural principle of `client-go` is the use of code generation to provide a
+strongly-typed, compile-time-safe interface for specific API GroupVersions. This makes
+controller code more robust and easier to maintain. The tools in `k8s.io/code-generator` produce
+several key components:
+
+*   **Typed Clientsets:** The primary interface for interacting with a specific GroupVersion.
+*   **Typed Listers:** The read-only, cached accessors used by controllers.
+*   **Typed Informers:** The machinery for populating the cache for a specific type.
+*   **Apply Configurations:** The type-safe builders for Server-Side Apply.
+
+A contributor modifying a built-in API type **must** run the code generation scripts to update all
+of these dependent components. For the Kubernetes project, `hack/update-codegen.sh` runs code generation.
+
+`sample-controller` shows how code generate can be configured to build custom controllers.
+
+## Controller Infrastructure
+
+The `tools/cache` package provides the core infrastructure for controllers, replacing a high-load,
+request-based pattern with a low-load, event-driven, cached model.
+
+The data flow is as follows:
+
+```mermaid
+graph TD
+    subgraph "Kubernetes API"
+        API_Server[API Server]
+    end
+
+    subgraph "client-go: Informer Mechanism"
+        Reflector("1. Reflector")
+        DeltaFIFO("2. DeltaFIFO")
+        Indexer["3. Indexer (Cache)"]
+        EventHandlers("4. Event Handlers")
+    end
+
+    subgraph "User Code"
+        WorkQueue["5. Work Queue"]
+        Controller("6. Controller")
+    end
+
+    API_Server -- LIST/WATCH --> Reflector
+    Reflector -- Puts changes into --> DeltaFIFO
+    DeltaFIFO -- Is popped by internal loop, which updates --> Indexer
+    Indexer -- Update triggers --> EventHandlers
+    EventHandlers -- Adds key to --> WorkQueue
+    WorkQueue -- Is processed by --> Controller
+    Controller -- Reads from cache via Lister --> Indexer
+```
+
+A **`Reflector`** performs a `LIST` to get a consistent snapshot of a resource, identified by a
+`resourceVersion`. It then starts a `WATCH` from that `resourceVersion` to receive a continuous
+stream of subsequent changes. The `Reflector`'s relist/rewatch loop is designed to solve the
+**"too old" `resourceVersion` error** by re-listing. To make this recovery more efficient, the
+`Reflector` consumes **watch bookmarks** from the server, which provide a more recent
+`resourceVersion` to restart from.
+
+The **`Lister`** is the primary, read-only, thread-safe interface for a controller's business
+logic to access the `Indexer`'s cache.
+
+## Controller Patterns
+
+The controller infrastructure is architecturally decoupled from the controller's business logic to
+ensure resiliency.
+
+The **`util/workqueue`** creates a critical boundary between event detection (the informer's job)
+and reconciliation (the controller's job). Informer event handlers only add an object's key to the
+work queue. This allows the controller to retry failed operations with exponential backoff without
+blocking the informer's watch stream.
+
+For high availability, the **`tools/leaderelection`** package provides the standard architectural
+solution to ensure single-writer semantics by having replicas compete to acquire a lock on a
+shared `Lease` object.
+
+## Server-Side Apply
+
+`client-go` provides a distinct architectural pattern for object mutation that aligns with the
+server's declarative model. This is a separate workflow from the traditional `get-modify-update`
+model that allows multiple controllers to safely co-manage the same object. The
+**`applyconfigurations`** package provides the generated, type-safe builder API used to
+construct the declarative patch.
+
+## Versioning and Compatibility
+
+`client-go` has a strict versioning relationship with the main Kubernetes repository. A `client-go`
+version `v0.X.Y` corresponds to the Kubernetes version `v1.X.Y`.
+
+The Kubernetes API has strong backward compatibility guarantees: a client built with an older
+version of `client-go` will work with a newer API server. However, the reverse is not guaranteed.
+A contributor must not break compatibility with supported versions of the Kubernetes API server.
diff --git a/staging/src/k8s.io/client-go/OWNERS b/staging/src/k8s.io/client-go/OWNERS
index 1e07f885438a5..b0ddb05929373 100644
--- a/staging/src/k8s.io/client-go/OWNERS
+++ b/staging/src/k8s.io/client-go/OWNERS
@@ -21,6 +21,7 @@ reviewers:
   - sttts
   - yliaog
   - jpbetz
+  - jefftree
 labels:
   - sig/api-machinery
 emeritus_approvers:
diff --git a/staging/src/k8s.io/client-go/README.md b/staging/src/k8s.io/client-go/README.md
index aed9d29141bca..25d581a8e12c3 100644
--- a/staging/src/k8s.io/client-go/README.md
+++ b/staging/src/k8s.io/client-go/README.md
@@ -80,14 +80,14 @@ We will backport bugfixes--but not new features--into older versions of
 
 #### Compatibility matrix
 
-|                               | Kubernetes 1.27 | Kubernetes 1.28 | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 |
+|                               | Kubernetes 1.29 | Kubernetes 1.30 | Kubernetes 1.31 | Kubernetes 1.32 | Kubernetes 1.33 | Kubernetes 1.34 |
 | ----------------------------- | --------------- | --------------- | --------------- | --------------- | --------------- | --------------- |
-| `kubernetes-1.27.0`/`v0.27.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
-| `kubernetes-1.28.0`/`v0.28.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
-| `kubernetes-1.29.0`/`v0.29.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
-| `kubernetes-1.30.0`/`v0.30.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
-| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
-| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
+| `kubernetes-1.29.0`/`v0.29.0` | ✓               | +-              | +-              | +-              | +-              | +-              |
+| `kubernetes-1.30.0`/`v0.30.0` | +-              | ✓               | +-              | +-              | +-              | +-              |
+| `kubernetes-1.31.0`/`v0.31.0` | +-              | +-              | ✓               | +-              | +-              | +-              |
+| `kubernetes-1.32.0`/`v0.32.0` | +-              | +-              | +-              | ✓               | +-              | +-              |
+| `kubernetes-1.33.0`/`v0.33.0` | +-              | +-              | +-              | +-              | ✓               | +-              |
+| `kubernetes-1.34.0`/`v0.34.0` | +-              | +-              | +-              | +-              | +-              | ✓               |
 | `HEAD`                        | +-              | +-              | +-              | +-              | +-              | +-              |
 
 Key:
@@ -109,16 +109,16 @@ between client-go versions.
 
 | Branch         | Canonical source code location      | Maintenance status |
 | -------------- | ----------------------------------- | ------------------ |
-| `release-1.23` | Kubernetes main repo, 1.23 branch   | =-                 |
-| `release-1.24` | Kubernetes main repo, 1.24 branch   | =-                 |
 | `release-1.25` | Kubernetes main repo, 1.25 branch   | =-                 |
 | `release-1.26` | Kubernetes main repo, 1.26 branch   | =-                 |
 | `release-1.27` | Kubernetes main repo, 1.27 branch   | =-                 |
 | `release-1.28` | Kubernetes main repo, 1.28 branch   | =-                 |
-| `release-1.29` | Kubernetes main repo, 1.29 branch   | ✓                  |
-| `release-1.30` | Kubernetes main repo, 1.30 branch   | ✓                  |
-| `release-1.31` | Kubernetes main repo, 1.31 branch   | ✓                  |
+| `release-1.29` | Kubernetes main repo, 1.29 branch   | =-                 |
+| `release-1.30` | Kubernetes main repo, 1.30 branch   | =-                 |
+| `release-1.31` | Kubernetes main repo, 1.31 branch   | =                  |
 | `release-1.32` | Kubernetes main repo, 1.32 branch   | ✓                  |
+| `release-1.33` | Kubernetes main repo, 1.33 branch   | ✓                  |
+| `release-1.34` | Kubernetes main repo, 1.34 branch   | ✓                  |
 | client-go HEAD | Kubernetes main repo, master branch | ✓                  |
 
 Key:
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/auditannotation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/auditannotation.go
index 0d50d44ac2ce7..34f9e83008e40 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/auditannotation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/auditannotation.go
@@ -20,8 +20,40 @@ package v1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/expressionwarning.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/expressionwarning.go
index 1f890bcfcb68d..31219c7e80895 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/expressionwarning.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchcondition.go
index d8a816f1e2fac..1e149da4ec4d8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchcondition.go
@@ -20,8 +20,32 @@ package v1
 
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchresources.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchresources.go
index e840fe9ebb1f8..cd1a3d5fcf4eb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchresources.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/matchresources.go
@@ -25,12 +25,88 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *metav1.LabelSelectorApplyConfiguration     `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *metav1.LabelSelectorApplyConfiguration     `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1.MatchPolicyType    `json:"matchPolicy,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhook.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhook.go
index cd8096f9020c3..498611b5dd96c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhook.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhook.go
@@ -25,19 +25,148 @@ import (
 
 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration          `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType      `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType        `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass        `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go
index 9a12eba075fec..87909f254bba4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/mutatingwebhookconfiguration.go
@@ -29,10 +29,14 @@ import (
 
 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }
 
-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go
index dd31981ad5e4b..fe7a6b8c0cd1e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/namedrulewithoperations.go
@@ -24,8 +24,12 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                        []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	RuleWithOperationsApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramkind.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramkind.go
index 07577929ab314..5c6729fc6379c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramkind.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramkind.go
@@ -20,9 +20,16 @@ package v1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramref.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramref.go
index 140233f6ba572..eb9f6c47aaa9a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/paramref.go
@@ -25,10 +25,53 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                              `json:"name,omitempty"`
-	Namespace               *string                                              `json:"namespace,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration              `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rule.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rule.go
index a8c68136bd9d7..056e944fec741 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rule.go
@@ -24,11 +24,43 @@ import (
 
 // RuleApplyConfiguration represents a declarative configuration of the Rule type for use
 // with apply.
+//
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
 type RuleApplyConfiguration struct {
-	APIGroups   []string                           `json:"apiGroups,omitempty"`
-	APIVersions []string                           `json:"apiVersions,omitempty"`
-	Resources   []string                           `json:"resources,omitempty"`
-	Scope       *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIVersions []string `json:"apiVersions,omitempty"`
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	Scope *admissionregistrationv1.ScopeType `json:"scope,omitempty"`
 }
 
 // RuleApplyConfiguration constructs a declarative configuration of the Rule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rulewithoperations.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rulewithoperations.go
index 55a985f9983f1..a4a1643fec50a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rulewithoperations.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/rulewithoperations.go
@@ -24,8 +24,17 @@ import (
 
 // RuleWithOperationsApplyConfiguration represents a declarative configuration of the RuleWithOperations type for use
 // with apply.
+//
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
 type RuleWithOperationsApplyConfiguration struct {
-	Operations             []admissionregistrationv1.OperationType `json:"operations,omitempty"`
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	Operations []admissionregistrationv1.OperationType `json:"operations,omitempty"`
+	// Rule is embedded, it describes other criteria of the rule, like
+	// APIGroups, APIVersions, Resources, etc.
 	RuleApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/servicereference.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/servicereference.go
index 239780664df53..c93b61150faf7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/servicereference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/servicereference.go
@@ -20,11 +20,22 @@ package v1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// `namespace` is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// `name` is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/typechecking.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/typechecking.go
index 723d10ecf5eaa..f6077ee39e47b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/typechecking.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/typechecking.go
@@ -20,7 +20,11 @@ package v1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go
index bbfc66a6f6d78..22d965fa8132d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,6 +54,26 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	b := &ValidatingAdmissionPolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(validatingAdmissionPolicy.Name)
+
+	b.WithKind("ValidatingAdmissionPolicy")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
 // validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
 // ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 // ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
 }
 
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
 func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
 }
 
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	b := &ValidatingAdmissionPolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(validatingAdmissionPolicy.Name)
-
-	b.WithKind("ValidatingAdmissionPolicy")
-	b.WithAPIVersion("admissionregistration.k8s.io/v1")
-	return b, nil
-}
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go
index 416d26cbf8bdc..5a083a0568c02 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go
index eb426af42ad9e..31d98bb9470bb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                    `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration          `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go
index 1635b30a61a5d..b3f6989a72bbe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration               `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration          `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration             `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration        `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration               `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go
index e6f4e845915e7..0b3ea76124539 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                               `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration      `json:"typeChecking,omitempty"`
-	Conditions         []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhook.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhook.go
index a2c705eb5c4c7..02298017cb7d1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhook.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhook.go
@@ -25,18 +25,132 @@ import (
 
 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                    `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration     `json:"clientConfig,omitempty"`
-	Rules                   []RuleWithOperationsApplyConfiguration     `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration    `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration    `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                     `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                   `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration         `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go
index cfe2e328f8f66..fdf7923e9687f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validatingwebhookconfiguration.go
@@ -29,10 +29,14 @@ import (
 
 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                             []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +49,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }
 
-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validation.go
index 9966a7a2860c0..2ad6756d019e8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/validation.go
@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string              `json:"expression,omitempty"`
-	Message           *string              `json:"message,omitempty"`
-	Reason            *metav1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string              `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *metav1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/variable.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/variable.go
index 9dd20afa72090..a99f837944dc2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/variable.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/variable.go
@@ -20,8 +20,15 @@ package v1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/webhookclientconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/webhookclientconfig.go
index 77f2227b95ce0..10f3d48de40a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/webhookclientconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1/webhookclientconfig.go
@@ -20,10 +20,44 @@ package v1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go
index b08ac72241014..cf0d177c4a55a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/applyconfiguration.go
@@ -20,7 +20,49 @@ package v1alpha1
 
 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go
index 958a53740630a..62f2912601441 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/auditannotation.go
@@ -20,8 +20,40 @@ package v1alpha1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go
index f36c2f0f5ce32..220c5d2c935a5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1alpha1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go
index 418d86a2b5ffb..c3ad775d2aa7b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/jsonpatch.go
@@ -20,7 +20,73 @@ package v1alpha1
 
 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
index 7f983dcb22aea..7b758dbf4bd40 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchcondition.go
@@ -21,7 +21,29 @@ package v1alpha1
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchresources.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchresources.go
index e443535b6a619..5bdeab094b327 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchresources.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/matchresources.go
@@ -25,12 +25,89 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration            `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration            `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration    `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration    `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the policy based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the policy's expression (CEL), and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the admission policy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the policy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy does not consider requests to apps/v1beta1 or extensions/v1beta1 API groups.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// the admission policy **does** consider requests made to apps/v1beta1 or extensions/v1beta1
+	// API groups. The API server translates the request to a matched resource API if necessary.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1alpha1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
index 041bec5e5c620..be5b79124736d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
@@ -29,10 +29,14 @@ import (
 
 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }
 
-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
index be0690a158be1..4964a3106d8c6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (
 
 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }
 
-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go
index 04729f42b1f0b..b4f5570c6289d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicybindingspec.go
@@ -20,9 +20,27 @@ package v1alpha1
 
 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go
index 334056a372434..0c67fd750a6e1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutatingadmissionpolicyspec.go
@@ -25,14 +25,74 @@ import (
 
 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                     `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                     `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                       `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }
 
 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutation.go
index 4ed9d93fdbb7a..001565dbd74f9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/mutation.go
@@ -24,10 +24,21 @@ import (
 
 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration    `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration             `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1alpha1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }
 
 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go
index f630224ac476a..b9e309edc2bc2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/namedrulewithoperations.go
@@ -25,8 +25,12 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramkind.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramkind.go
index daf17fb2494e5..7e008e329c4e0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramkind.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramkind.go
@@ -20,9 +20,16 @@ package v1alpha1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramref.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramref.go
index 669fadbd40a60..6b77cd0eae30d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/paramref.go
@@ -25,10 +25,48 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                    `json:"name,omitempty"`
-	Namespace               *string                                                    `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                        `json:"selector,omitempty"`
+	// `name` is the name of the resource being referenced.
+	//
+	// `name` and `selector` are mutually exclusive properties. If one is set,
+	// the other must be unset.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	// Default to `Deny`
 	ParameterNotFoundAction *admissionregistrationv1alpha1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/typechecking.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/typechecking.go
index d1a7fff50eed5..3b5bff0f3c7b8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/typechecking.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/typechecking.go
@@ -20,7 +20,11 @@ package v1alpha1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go
index a8efff6b3e2cb..7f85ed8e2fe1c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,6 +54,26 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	b := &ValidatingAdmissionPolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(validatingAdmissionPolicy.Name)
+
+	b.WithKind("ValidatingAdmissionPolicy")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
 // validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
 // ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 // ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
 }
 
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
 func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
 }
 
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	b := &ValidatingAdmissionPolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(validatingAdmissionPolicy.Name)
-
-	b.WithKind("ValidatingAdmissionPolicy")
-	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
-	return b, nil
-}
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
index 5bcefba675007..0760e92744979 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go
index 0f8e4e4357029..bbbd59c97a702 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                          `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                      `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration                `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1alpha1.ValidationAction `json:"validationActions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
index d5d3529949e37..ba20af8851c5a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                     `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration                `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                   `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration              `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration               `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                     `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1alpha1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go
index 2fec5ba477c9e..bd33b855649cc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validation.go
index 5f7304373458a..24416b210ec37 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/validation.go
@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/variable.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/variable.go
index 0459dae655c75..df7e1c9db6685 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/variable.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1/variable.go
@@ -20,8 +20,15 @@ package v1alpha1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go
index af604a61f4007..c245dd9af2f15 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/applyconfiguration.go
@@ -20,7 +20,49 @@ package v1beta1
 
 // ApplyConfigurationApplyConfiguration represents a declarative configuration of the ApplyConfiguration type for use
 // with apply.
+//
+// ApplyConfiguration defines the desired configuration values of an object.
 type ApplyConfigurationApplyConfiguration struct {
+	// expression will be evaluated by CEL to create an apply configuration.
+	// ref: https://github.com/google/cel-spec
+	//
+	// Apply configurations are declared in CEL using object initialization. For example, this CEL expression
+	// returns an apply configuration to set a single field:
+	//
+	// Object{
+	// spec: Object.spec{
+	// serviceAccountName: "example"
+	// }
+	// }
+	//
+	// Apply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of
+	// values not included in the apply configuration.
+	//
+	// CEL expressions have access to the object types needed to create apply configurations:
+	//
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/auditannotation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/auditannotation.go
index 8718db944755e..31cc4220dfe60 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/auditannotation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/auditannotation.go
@@ -20,8 +20,40 @@ package v1beta1
 
 // AuditAnnotationApplyConfiguration represents a declarative configuration of the AuditAnnotation type for use
 // with apply.
+//
+// AuditAnnotation describes how to produce an audit annotation for an API request.
 type AuditAnnotationApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key specifies the audit annotation key. The audit annotation keys of
+	// a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+	// name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+	//
+	// The key is combined with the resource name of the
+	// ValidatingAdmissionPolicy to construct an audit annotation key:
+	// "{ValidatingAdmissionPolicy name}/{key}".
+	//
+	// If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+	// and the same audit annotation key, the annotation key will be identical.
+	// In this case, the first annotation written with the key will be included
+	// in the audit event and all subsequent annotations with the same key
+	// will be discarded.
+	//
+	// Required.
+	Key *string `json:"key,omitempty"`
+	// valueExpression represents the expression which is evaluated by CEL to
+	// produce an audit annotation value. The expression must evaluate to either
+	// a string or null value. If the expression evaluates to a string, the
+	// audit annotation is included with the string value. If the expression
+	// evaluates to null or empty string the audit annotation will be omitted.
+	// The valueExpression may be no longer than 5kb in length.
+	// If the result of the valueExpression is more than 10kb in length, it
+	// will be truncated to 10kb.
+	//
+	// If multiple ValidatingAdmissionPolicyBinding resources match an
+	// API request, then the valueExpression will be evaluated for
+	// each binding. All unique values produced by the valueExpressions
+	// will be joined together in a comma-separated list.
+	//
+	// Required.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go
index 66cfc8cdc7574..0b0235f6f0e0c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/expressionwarning.go
@@ -20,9 +20,17 @@ package v1beta1
 
 // ExpressionWarningApplyConfiguration represents a declarative configuration of the ExpressionWarning type for use
 // with apply.
+//
+// ExpressionWarning is a warning information that targets a specific expression.
 type ExpressionWarningApplyConfiguration struct {
+	// The path to the field that refers the expression.
+	// For example, the reference to the expression of the first item of
+	// validations is "spec.validations[0].expression"
 	FieldRef *string `json:"fieldRef,omitempty"`
-	Warning  *string `json:"warning,omitempty"`
+	// The content of type checking information in a human-readable form.
+	// Each line of the warning contains the type that the expression is checked
+	// against, followed by the type check error from the compiler.
+	Warning *string `json:"warning,omitempty"`
 }
 
 // ExpressionWarningApplyConfiguration constructs a declarative configuration of the ExpressionWarning type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go
index ea6e644c99311..729279aad083b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/jsonpatch.go
@@ -20,7 +20,73 @@ package v1beta1
 
 // JSONPatchApplyConfiguration represents a declarative configuration of the JSONPatch type for use
 // with apply.
+//
+// JSONPatch defines a JSON Patch.
 type JSONPatchApplyConfiguration struct {
+	// expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/).
+	// ref: https://github.com/google/cel-spec
+	//
+	// expression must return an array of JSONPatch values.
+	//
+	// For example, this CEL expression returns a JSON patch to conditionally modify a value:
+	//
+	// [
+	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
+	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
+	// ]
+	//
+	// To define an object for the patch value, use Object types. For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/spec/selector",
+	// value: Object.spec.selector{matchLabels: {"environment": "test"}}
+	// }
+	// ]
+	//
+	// To use strings containing '/' and '~' as JSONPatch path keys, use "jsonpatch.escapeKey". For example:
+	//
+	// [
+	// JSONPatch{
+	// op: "add",
+	// path: "/metadata/labels/" + jsonpatch.escapeKey("example.com/environment"),
+	// value: "test"
+	// },
+	// ]
+	//
+	// CEL expressions have access to the types needed to create JSON patches and objects:
+	//
+	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.
+	// See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,
+	// integer, array, map or object.  If set, the 'path' and 'from' fields must be set to a
+	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL
+	// function may be used to escape path keys containing '/' and '~'.
+	// - 'Object' - CEL type of the resource object.
+	// - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec')
+	// - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')
+	//
+	// CEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// CEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
+	// as well as:
+	//
+	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and  '/' are escaped as '~0' and `~1' respectively).
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchcondition.go
index 63db7fc801e37..a5c4b433ed18e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchcondition.go
@@ -20,8 +20,32 @@ package v1beta1
 
 // MatchConditionApplyConfiguration represents a declarative configuration of the MatchCondition type for use
 // with apply.
+//
+// MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.
 type MatchConditionApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchresources.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchresources.go
index 4005e55a333f8..a74a65fd64ef9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchresources.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/matchresources.go
@@ -25,12 +25,88 @@ import (
 
 // MatchResourcesApplyConfiguration represents a declarative configuration of the MatchResources type for use
 // with apply.
+//
+// MatchResources decides whether to run the admission control policy on an object based
+// on whether it meets the match criteria.
+// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
 type MatchResourcesApplyConfiguration struct {
-	NamespaceSelector    *v1.LabelSelectorApplyConfiguration           `json:"namespaceSelector,omitempty"`
-	ObjectSelector       *v1.LabelSelectorApplyConfiguration           `json:"objectSelector,omitempty"`
-	ResourceRules        []NamedRuleWithOperationsApplyConfiguration   `json:"resourceRules,omitempty"`
-	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration   `json:"excludeResourceRules,omitempty"`
-	MatchPolicy          *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the admission control policy on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the policy.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the policy on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the validation based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the cel validation, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *v1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+	// The policy cares about an operation if it matches _any_ Rule.
+	ResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"resourceRules,omitempty"`
+	// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+	// The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+	ExcludeResourceRules []NamedRuleWithOperationsApplyConfiguration `json:"excludeResourceRules,omitempty"`
+	// matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+	//
+	// Defaults to "Equivalent"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
 }
 
 // MatchResourcesApplyConfiguration constructs a declarative configuration of the MatchResources type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go
index 41d30201f9caa..8812dee13070a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicy.go
@@ -29,10 +29,14 @@ import (
 
 // MutatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicy type for use
 // with apply.
+//
+// MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.
 type MutatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicy.
+	Spec *MutatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicy constructs a declarative configuration of the MutatingAdmissionPolicy type for use with
@@ -45,29 +49,14 @@ func MutatingAdmissionPolicy(name string) *MutatingAdmissionPolicyApplyConfigura
 	return b
 }
 
-// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
-// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyStatus is the same as ExtractMutatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyStatus(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicy(mutatingAdmissionPolicy, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string, subresource string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +68,21 @@ func extractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrati
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicy. If no managedFields are found in mutatingAdmissionPolicy for fieldManager, a
+// MutatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicy must be a unmodified MutatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicy(mutatingAdmissionPolicy *admissionregistrationv1beta1.MutatingAdmissionPolicy, fieldManager string) (*MutatingAdmissionPolicyApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyFrom(mutatingAdmissionPolicy, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
index 05ab5f6e4a06c..7ee4a731e13f8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (
 
 // MutatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources.
+// MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators
+// configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+// Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
+//
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type MutatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the MutatingAdmissionPolicyBinding.
+	Spec *MutatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // MutatingAdmissionPolicyBinding constructs a declarative configuration of the MutatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func MutatingAdmissionPolicyBinding(name string) *MutatingAdmissionPolicyBinding
 	return b
 }
 
-// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
-// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractMutatingAdmissionPolicyBindingStatus is the same as ExtractMutatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingAdmissionPolicyBindingStatus(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string, subresource string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &MutatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// mutatingAdmissionPolicyBinding. If no managedFields are found in mutatingAdmissionPolicyBinding for fieldManager, a
+// MutatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingAdmissionPolicyBinding must be a unmodified MutatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractMutatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingAdmissionPolicyBinding(mutatingAdmissionPolicyBinding *admissionregistrationv1beta1.MutatingAdmissionPolicyBinding, fieldManager string) (*MutatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractMutatingAdmissionPolicyBindingFrom(mutatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b MutatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go
index 6dead7ccc2eb5..57932b927777e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicybindingspec.go
@@ -20,9 +20,27 @@ package v1beta1
 
 // MutatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.
 type MutatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName     *string                           `json:"policyName,omitempty"`
-	ParamRef       *ParamRefApplyConfiguration       `json:"paramRef,omitempty"`
+	// policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// matchResources limits what resources match this binding and may be mutated by it.
+	// Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and
+	// matchConditions before the resource may be mutated.
+	// When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints
+	// and matchConditions must match for the resource to be mutated.
+	// Additionally, matchResources.resourceRules are optional and do not constraint matching when unset.
+	// Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
 	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go
index 629d4e3632c69..6de745a4ea50d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingadmissionpolicyspec.go
@@ -25,14 +25,74 @@ import (
 
 // MutatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the MutatingAdmissionPolicySpec type for use
 // with apply.
+//
+// MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.
 type MutatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind          *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints   *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Variables          []VariableApplyConfiguration                    `json:"variables,omitempty"`
-	Mutations          []MutationApplyConfiguration                    `json:"mutations,omitempty"`
-	FailurePolicy      *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchConditions    []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	ReinvocationPolicy *v1.ReinvocationPolicyType                      `json:"reinvocationPolicy,omitempty"`
+	// paramKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// matchConstraints specifies what resources this policy is designed to validate.
+	// The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding.
+	// The CREATE, UPDATE and CONNECT operations are allowed.  The DELETE operation may not be matched.
+	// '*' matches CREATE, UPDATE and CONNECT.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except matchConditions because matchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
+	// mutations contain operations to perform on matching objects.
+	// mutations may not be empty; a minimum of one mutation is required.
+	// mutations are evaluated in order, and are reinvoked according to
+	// the reinvocationPolicy.
+	// The mutations of a policy are invoked for each binding of this policy
+	// and reinvocation of mutations occurs on a per binding basis.
+	Mutations []MutationApplyConfiguration `json:"mutations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if paramKind refers to a non-existent Kind.
+	// A binding is invalid if paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the matchConstraints.
+	// An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding
+	// as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: These mutations will not be called more than once per binding in a single admission evaluation.
+	//
+	// IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of
+	// order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies.  Mutations are only
+	// reinvoked when mutations change the object after this mutation is invoked.
+	// Required.
+	ReinvocationPolicy *v1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
 }
 
 // MutatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the MutatingAdmissionPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go
index f7eae58a535ad..af93de8a951e3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhook.go
@@ -27,19 +27,149 @@ import (
 
 // MutatingWebhookApplyConfiguration represents a declarative configuration of the MutatingWebhook type for use
 // with apply.
+//
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
 type MutatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	ReinvocationPolicy      *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	ReinvocationPolicy *admissionregistrationv1.ReinvocationPolicyType `json:"reinvocationPolicy,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // MutatingWebhookApplyConfiguration constructs a declarative configuration of the MutatingWebhook type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
index 2e70502a38405..d51d71a328ff6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
@@ -29,10 +29,15 @@ import (
 
 // MutatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the MutatingWebhookConfiguration type for use
 // with apply.
+//
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.
 type MutatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []MutatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // MutatingWebhookConfiguration constructs a declarative configuration of the MutatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func MutatingWebhookConfiguration(name string) *MutatingWebhookConfigurationAppl
 	return b
 }
 
-// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
-// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractMutatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractMutatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractMutatingWebhookConfigurationStatus is the same as ExtractMutatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractMutatingWebhookConfigurationStatus(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
-	return extractMutatingWebhookConfiguration(mutatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string, subresource string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
 	b := &MutatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(mutatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admission
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractMutatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// mutatingWebhookConfiguration. If no managedFields are found in mutatingWebhookConfiguration for fieldManager, a
+// MutatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// mutatingWebhookConfiguration must be a unmodified MutatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractMutatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractMutatingWebhookConfiguration(mutatingWebhookConfiguration *admissionregistrationv1beta1.MutatingWebhookConfiguration, fieldManager string) (*MutatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractMutatingWebhookConfigurationFrom(mutatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b MutatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutation.go
index ab50af6d795f5..b4caf4c41efd7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/mutation.go
@@ -24,10 +24,21 @@ import (
 
 // MutationApplyConfiguration represents a declarative configuration of the Mutation type for use
 // with apply.
+//
+// Mutation specifies the CEL expression which is used to apply the Mutation.
 type MutationApplyConfiguration struct {
-	PatchType          *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
-	ApplyConfiguration *ApplyConfigurationApplyConfiguration   `json:"applyConfiguration,omitempty"`
-	JSONPatch          *JSONPatchApplyConfiguration            `json:"jsonPatch,omitempty"`
+	// patchType indicates the patch strategy used.
+	// Allowed values are "ApplyConfiguration" and "JSONPatch".
+	// Required.
+	PatchType *admissionregistrationv1beta1.PatchType `json:"patchType,omitempty"`
+	// applyConfiguration defines the desired configuration values of an object.
+	// The configuration is applied to the admission object using
+	// [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff).
+	// A CEL expression is used to create apply configuration.
+	ApplyConfiguration *ApplyConfigurationApplyConfiguration `json:"applyConfiguration,omitempty"`
+	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object.
+	// A CEL expression is used to create the JSON patch.
+	JSONPatch *JSONPatchApplyConfiguration `json:"jsonPatch,omitempty"`
 }
 
 // MutationApplyConfiguration constructs a declarative configuration of the Mutation type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go
index 62c617d2fa056..8b189dbb891ed 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/namedrulewithoperations.go
@@ -25,8 +25,12 @@ import (
 
 // NamedRuleWithOperationsApplyConfiguration represents a declarative configuration of the NamedRuleWithOperations type for use
 // with apply.
+//
+// NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.
 type NamedRuleWithOperationsApplyConfiguration struct {
-	ResourceNames                           []string `json:"resourceNames,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// RuleWithOperations is a tuple of Operations and Resources.
 	v1.RuleWithOperationsApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramkind.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramkind.go
index 39831252818da..dbbef1b6e0bea 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramkind.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramkind.go
@@ -20,9 +20,16 @@ package v1beta1
 
 // ParamKindApplyConfiguration represents a declarative configuration of the ParamKind type for use
 // with apply.
+//
+// ParamKind is a tuple of Group Kind and Version.
 type ParamKindApplyConfiguration struct {
+	// APIVersion is the API group version the resources belong to.
+	// In format of "group/version".
+	// Required.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is the API kind the resources belong to.
+	// Required.
+	Kind *string `json:"kind,omitempty"`
 }
 
 // ParamKindApplyConfiguration constructs a declarative configuration of the ParamKind type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramref.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramref.go
index 5143b0cb90e9f..724cd1a0de548 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/paramref.go
@@ -25,10 +25,53 @@ import (
 
 // ParamRefApplyConfiguration represents a declarative configuration of the ParamRef type for use
 // with apply.
+//
+// ParamRef describes how to locate the params to be used as input to
+// expressions of rules applied by a policy binding.
 type ParamRefApplyConfiguration struct {
-	Name                    *string                                                   `json:"name,omitempty"`
-	Namespace               *string                                                   `json:"namespace,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration                       `json:"selector,omitempty"`
+	// name is the name of the resource being referenced.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	//
+	// A single parameter used for all admission requests can be configured
+	// by setting the `name` field, leaving `selector` blank, and setting namespace
+	// if `paramKind` is namespace-scoped.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the referenced resource. Allows limiting
+	// the search for params to a specific namespace. Applies to both `name` and
+	// `selector` fields.
+	//
+	// A per-namespace parameter may be used by specifying a namespace-scoped
+	// `paramKind` in the policy and leaving this field empty.
+	//
+	// - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this
+	// field results in a configuration error.
+	//
+	// - If `paramKind` is namespace-scoped, the namespace of the object being
+	// evaluated for admission will be used when this field is left unset. Take
+	// care that if this is left empty the binding must not match any cluster-scoped
+	// resources, which will result in an error.
+	Namespace *string `json:"namespace,omitempty"`
+	// selector can be used to match multiple param objects based on their labels.
+	// Supply selector: {} to match all resources of the ParamKind.
+	//
+	// If multiple params are found, they are all evaluated with the policy expressions
+	// and the results are ANDed together.
+	//
+	// One of `name` or `selector` must be set, but `name` and `selector` are
+	// mutually exclusive properties. If one is set, the other must be unset.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// `parameterNotFoundAction` controls the behavior of the binding when the resource
+	// exists, and name or selector is valid, but there are no parameters
+	// matched by the binding. If the value is set to `Allow`, then no
+	// matched parameters will be treated as successful validation by the binding.
+	// If set to `Deny`, then no matched parameters will be subject to the
+	// `failurePolicy` of the policy.
+	//
+	// Allowed values are `Allow` or `Deny`
+	//
+	// Required
 	ParameterNotFoundAction *admissionregistrationv1beta1.ParameterNotFoundActionType `json:"parameterNotFoundAction,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/servicereference.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/servicereference.go
index 70cc6b5b27198..9591d48a873d5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/servicereference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/servicereference.go
@@ -20,11 +20,22 @@ package v1beta1
 
 // ServiceReferenceApplyConfiguration represents a declarative configuration of the ServiceReference type for use
 // with apply.
+//
+// ServiceReference holds a reference to Service.legacy.k8s.io
 type ServiceReferenceApplyConfiguration struct {
+	// `namespace` is the namespace of the service.
+	// Required
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Path      *string `json:"path,omitempty"`
-	Port      *int32  `json:"port,omitempty"`
+	// `name` is the name of the service.
+	// Required
+	Name *string `json:"name,omitempty"`
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	Path *string `json:"path,omitempty"`
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	Port *int32 `json:"port,omitempty"`
 }
 
 // ServiceReferenceApplyConfiguration constructs a declarative configuration of the ServiceReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/typechecking.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/typechecking.go
index cea6e11deed3b..b3b26edb83276 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/typechecking.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/typechecking.go
@@ -20,7 +20,11 @@ package v1beta1
 
 // TypeCheckingApplyConfiguration represents a declarative configuration of the TypeChecking type for use
 // with apply.
+//
+// TypeChecking contains results of type checking the expressions in the
+// ValidatingAdmissionPolicy
 type TypeCheckingApplyConfiguration struct {
+	// The type checking warnings for each expression.
 	ExpressionWarnings []ExpressionWarningApplyConfiguration `json:"expressionWarnings,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go
index 84f9dea53a9a7..b8eba927d3a5d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicy.go
@@ -29,11 +29,19 @@ import (
 
 // ValidatingAdmissionPolicyApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicy type for use
 // with apply.
+//
+// ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.
 type ValidatingAdmissionPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicy.
+	Spec *ValidatingAdmissionPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy
+	// behaves in the expected way.
+	// Populated by the system.
+	// Read-only.
+	Status *ValidatingAdmissionPolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ValidatingAdmissionPolicy constructs a declarative configuration of the ValidatingAdmissionPolicy type for use with
@@ -46,6 +54,26 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 	return b
 }
 
+// ExtractValidatingAdmissionPolicyFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// validatingAdmissionPolicy must be a unmodified ValidatingAdmissionPolicy API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
+	b := &ValidatingAdmissionPolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(validatingAdmissionPolicy.Name)
+
+	b.WithKind("ValidatingAdmissionPolicy")
+	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractValidatingAdmissionPolicy extracts the applied configuration owned by fieldManager from
 // validatingAdmissionPolicy. If no managedFields are found in validatingAdmissionPolicy for fieldManager, a
 // ValidatingAdmissionPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func ValidatingAdmissionPolicy(name string) *ValidatingAdmissionPolicyApplyConfi
 // ExtractValidatingAdmissionPolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "")
 }
 
-// ExtractValidatingAdmissionPolicyStatus is the same as ExtractValidatingAdmissionPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractValidatingAdmissionPolicyStatus extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicy for the status subresource.
 func ExtractValidatingAdmissionPolicyStatus(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicy(validatingAdmissionPolicy, fieldManager, "status")
+	return ExtractValidatingAdmissionPolicyFrom(validatingAdmissionPolicy, fieldManager, "status")
 }
 
-func extractValidatingAdmissionPolicy(validatingAdmissionPolicy *admissionregistrationv1beta1.ValidatingAdmissionPolicy, fieldManager string, subresource string) (*ValidatingAdmissionPolicyApplyConfiguration, error) {
-	b := &ValidatingAdmissionPolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(validatingAdmissionPolicy, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(validatingAdmissionPolicy.Name)
-
-	b.WithKind("ValidatingAdmissionPolicy")
-	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
-	return b, nil
-}
 func (b ValidatingAdmissionPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
index c0cdef9918cb6..db33d910c234e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
@@ -29,10 +29,24 @@ import (
 
 // ValidatingAdmissionPolicyBindingApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBinding type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.
+// ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.
+//
+// For a given admission request, each binding will cause its policy to be
+// evaluated N times, where N is 1 for policies/bindings that don't use
+// params, otherwise N is the number of parameters selected by the binding.
+//
+// The CEL expressions of a policy must have a computed CEL cost below the maximum
+// CEL budget. Each evaluation of the policy is given an independent CEL cost budget.
+// Adding/removing policies, bindings, or params can not affect whether a
+// given (policy, binding, param) combination is within its own CEL budget.
 type ValidatingAdmissionPolicyBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.
+	Spec *ValidatingAdmissionPolicyBindingSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ValidatingAdmissionPolicyBinding constructs a declarative configuration of the ValidatingAdmissionPolicyBinding type for use with
@@ -45,29 +59,14 @@ func ValidatingAdmissionPolicyBinding(name string) *ValidatingAdmissionPolicyBin
 	return b
 }
 
-// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
-// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
-// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingAdmissionPolicyBindingFrom extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
-// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingAdmissionPolicyBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "")
-}
-
-// ExtractValidatingAdmissionPolicyBindingStatus is the same as ExtractValidatingAdmissionPolicyBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingAdmissionPolicyBindingStatus(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
-	return extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding, fieldManager, "status")
-}
-
-func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+func ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string, subresource string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
 	b := &ValidatingAdmissionPolicyBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingAdmissionPolicyBinding, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *a
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingAdmissionPolicyBinding extracts the applied configuration owned by fieldManager from
+// validatingAdmissionPolicyBinding. If no managedFields are found in validatingAdmissionPolicyBinding for fieldManager, a
+// ValidatingAdmissionPolicyBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingAdmissionPolicyBinding must be a unmodified ValidatingAdmissionPolicyBinding API object that was retrieved from the Kubernetes API.
+// ExtractValidatingAdmissionPolicyBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingAdmissionPolicyBinding(validatingAdmissionPolicyBinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, fieldManager string) (*ValidatingAdmissionPolicyBindingApplyConfiguration, error) {
+	return ExtractValidatingAdmissionPolicyBindingFrom(validatingAdmissionPolicyBinding, fieldManager, "")
+}
+
 func (b ValidatingAdmissionPolicyBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go
index bddc3a40c77d7..7b1c0af26ba88 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicybindingspec.go
@@ -24,10 +24,63 @@ import (
 
 // ValidatingAdmissionPolicyBindingSpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyBindingSpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.
 type ValidatingAdmissionPolicyBindingSpecApplyConfiguration struct {
-	PolicyName        *string                                         `json:"policyName,omitempty"`
-	ParamRef          *ParamRefApplyConfiguration                     `json:"paramRef,omitempty"`
-	MatchResources    *MatchResourcesApplyConfiguration               `json:"matchResources,omitempty"`
+	// PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to.
+	// If the referenced resource does not exist, this binding is considered invalid and will be ignored
+	// Required.
+	PolicyName *string `json:"policyName,omitempty"`
+	// paramRef specifies the parameter resource used to configure the admission control policy.
+	// It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy.
+	// If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied.
+	// If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.
+	ParamRef *ParamRefApplyConfiguration `json:"paramRef,omitempty"`
+	// MatchResources declares what resources match this binding and will be validated by it.
+	// Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this.
+	// If this is unset, all resources matched by the policy are validated by this binding
+	// When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated.
+	// Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.
+	MatchResources *MatchResourcesApplyConfiguration `json:"matchResources,omitempty"`
+	// validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced.
+	// If a validation evaluates to false it is always enforced according to these actions.
+	//
+	// Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according
+	// to these actions only if the FailurePolicy is set to Fail, otherwise the failures are
+	// ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.
+	//
+	// validationActions is declared as a set of action values. Order does
+	// not matter. validationActions may not contain duplicates of the same action.
+	//
+	// The supported actions values are:
+	//
+	// "Deny" specifies that a validation failure results in a denied request.
+	//
+	// "Warn" specifies that a validation failure is reported to the request client
+	// in HTTP Warning headers, with a warning code of 299. Warnings can be sent
+	// both for allowed or denied admission responses.
+	//
+	// "Audit" specifies that a validation failure is included in the published
+	// audit event for the request. The audit event will contain a
+	// `validation.policy.admission.k8s.io/validation_failure` audit annotation
+	// with a value containing the details of the validation failures, formatted as
+	// a JSON list of objects, each with the following fields:
+	// - message: The validation failure message string
+	// - policy: The resource name of the ValidatingAdmissionPolicy
+	// - binding: The resource name of the ValidatingAdmissionPolicyBinding
+	// - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy
+	// - validationActions: The enforcement actions enacted for the validation failure
+	// Example audit annotation:
+	// `"validation.policy.admission.k8s.io/validation_failure": "[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]"`
+	//
+	// Clients should expect to handle additional values by ignoring
+	// any values not recognized.
+	//
+	// "Deny" and "Warn" may not be used together since this combination
+	// needlessly duplicates the validation failure both in the
+	// API response body and the HTTP warning headers.
+	//
+	// Required.
 	ValidationActions []admissionregistrationv1beta1.ValidationAction `json:"validationActions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go
index 8b235337d7056..4600fb9da4ab2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicyspec.go
@@ -24,14 +24,66 @@ import (
 
 // ValidatingAdmissionPolicySpecApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicySpec type for use
 // with apply.
+//
+// ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.
 type ValidatingAdmissionPolicySpecApplyConfiguration struct {
-	ParamKind        *ParamKindApplyConfiguration                    `json:"paramKind,omitempty"`
-	MatchConstraints *MatchResourcesApplyConfiguration               `json:"matchConstraints,omitempty"`
-	Validations      []ValidationApplyConfiguration                  `json:"validations,omitempty"`
-	FailurePolicy    *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	AuditAnnotations []AuditAnnotationApplyConfiguration             `json:"auditAnnotations,omitempty"`
-	MatchConditions  []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
-	Variables        []VariableApplyConfiguration                    `json:"variables,omitempty"`
+	// ParamKind specifies the kind of resources used to parameterize this policy.
+	// If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+	// If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+	// If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+	ParamKind *ParamKindApplyConfiguration `json:"paramKind,omitempty"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *MatchResourcesApplyConfiguration `json:"matchConstraints,omitempty"`
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	Validations []ValidationApplyConfiguration `json:"validations,omitempty"`
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	AuditAnnotations []AuditAnnotationApplyConfiguration `json:"auditAnnotations,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the policy is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	Variables []VariableApplyConfiguration `json:"variables,omitempty"`
 }
 
 // ValidatingAdmissionPolicySpecApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go
index 4612af0cffa03..9e05da1395f36 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingadmissionpolicystatus.go
@@ -24,10 +24,16 @@ import (
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration represents a declarative configuration of the ValidatingAdmissionPolicyStatus type for use
 // with apply.
+//
+// ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.
 type ValidatingAdmissionPolicyStatusApplyConfiguration struct {
-	ObservedGeneration *int64                           `json:"observedGeneration,omitempty"`
-	TypeChecking       *TypeCheckingApplyConfiguration  `json:"typeChecking,omitempty"`
-	Conditions         []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The generation observed by the controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The results of type checking for each expression.
+	// Presence of this field indicates the completion of the type checking.
+	TypeChecking *TypeCheckingApplyConfiguration `json:"typeChecking,omitempty"`
+	// The conditions represent the latest available observations of a policy's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ValidatingAdmissionPolicyStatusApplyConfiguration constructs a declarative configuration of the ValidatingAdmissionPolicyStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go
index 1e107d68f7bcd..c3df12b87b5fa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhook.go
@@ -26,18 +26,133 @@ import (
 
 // ValidatingWebhookApplyConfiguration represents a declarative configuration of the ValidatingWebhook type for use
 // with apply.
+//
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 type ValidatingWebhookApplyConfiguration struct {
-	Name                    *string                                         `json:"name,omitempty"`
-	ClientConfig            *WebhookClientConfigApplyConfiguration          `json:"clientConfig,omitempty"`
-	Rules                   []v1.RuleWithOperationsApplyConfiguration       `json:"rules,omitempty"`
-	FailurePolicy           *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
-	MatchPolicy             *admissionregistrationv1beta1.MatchPolicyType   `json:"matchPolicy,omitempty"`
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration         `json:"namespaceSelector,omitempty"`
-	ObjectSelector          *metav1.LabelSelectorApplyConfiguration         `json:"objectSelector,omitempty"`
-	SideEffects             *admissionregistrationv1beta1.SideEffectClass   `json:"sideEffects,omitempty"`
-	TimeoutSeconds          *int32                                          `json:"timeoutSeconds,omitempty"`
-	AdmissionReviewVersions []string                                        `json:"admissionReviewVersions,omitempty"`
-	MatchConditions         []MatchConditionApplyConfiguration              `json:"matchConditions,omitempty"`
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig *WebhookClientConfigApplyConfiguration `json:"clientConfig,omitempty"`
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	Rules []v1.RuleWithOperationsApplyConfiguration `json:"rules,omitempty"`
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	FailurePolicy *admissionregistrationv1beta1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Exact"
+	MatchPolicy *admissionregistrationv1beta1.MatchPolicyType `json:"matchPolicy,omitempty"`
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "runlevel",
+	// "operator": "NotIn",
+	// "values": [
+	// "0",
+	// "1"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	// "matchExpressions": [
+	// {
+	// "key": "environment",
+	// "operator": "In",
+	// "values": [
+	// "prod",
+	// "staging"
+	// ]
+	// }
+	// ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	ObjectSelector *metav1.LabelSelectorApplyConfiguration `json:"objectSelector,omitempty"`
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: Unknown, None, Some, NoneOnDryRun
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some. Defaults to Unknown.
+	SideEffects *admissionregistrationv1beta1.SideEffectClass `json:"sideEffects,omitempty"`
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	// Default to `['v1beta1']`.
+	AdmissionReviewVersions []string `json:"admissionReviewVersions,omitempty"`
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	// 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	// 2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	// 3. If any matchCondition evaluates to an error (but none are FALSE):
+	// - If failurePolicy=Fail, reject the request
+	// - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	MatchConditions []MatchConditionApplyConfiguration `json:"matchConditions,omitempty"`
 }
 
 // ValidatingWebhookApplyConfiguration constructs a declarative configuration of the ValidatingWebhook type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go
index 2ad1fb8cf6929..66b74b31d8b00 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validatingwebhookconfiguration.go
@@ -29,10 +29,15 @@ import (
 
 // ValidatingWebhookConfigurationApplyConfiguration represents a declarative configuration of the ValidatingWebhookConfiguration type for use
 // with apply.
+//
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.
 type ValidatingWebhookConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Webhooks                         []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	Webhooks []ValidatingWebhookApplyConfiguration `json:"webhooks,omitempty"`
 }
 
 // ValidatingWebhookConfiguration constructs a declarative configuration of the ValidatingWebhookConfiguration type for use with
@@ -45,29 +50,14 @@ func ValidatingWebhookConfiguration(name string) *ValidatingWebhookConfiguration
 	return b
 }
 
-// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
-// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
-// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractValidatingWebhookConfigurationFrom extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
-// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractValidatingWebhookConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "")
-}
-
-// ExtractValidatingWebhookConfigurationStatus is the same as ExtractValidatingWebhookConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractValidatingWebhookConfigurationStatus(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
-	return extractValidatingWebhookConfiguration(validatingWebhookConfiguration, fieldManager, "status")
-}
-
-func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+func ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string, subresource string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
 	b := &ValidatingWebhookConfigurationApplyConfiguration{}
 	err := managedfields.ExtractInto(validatingWebhookConfiguration, internal.Parser().Type("io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +69,21 @@ func extractValidatingWebhookConfiguration(validatingWebhookConfiguration *admis
 	b.WithAPIVersion("admissionregistration.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractValidatingWebhookConfiguration extracts the applied configuration owned by fieldManager from
+// validatingWebhookConfiguration. If no managedFields are found in validatingWebhookConfiguration for fieldManager, a
+// ValidatingWebhookConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// validatingWebhookConfiguration must be a unmodified ValidatingWebhookConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractValidatingWebhookConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractValidatingWebhookConfiguration(validatingWebhookConfiguration *admissionregistrationv1beta1.ValidatingWebhookConfiguration, fieldManager string) (*ValidatingWebhookConfigurationApplyConfiguration, error) {
+	return ExtractValidatingWebhookConfigurationFrom(validatingWebhookConfiguration, fieldManager, "")
+}
+
 func (b ValidatingWebhookConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validation.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validation.go
index 019e8e7aa968c..6505b8b498349 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validation.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/validation.go
@@ -24,11 +24,77 @@ import (
 
 // ValidationApplyConfiguration represents a declarative configuration of the Validation type for use
 // with apply.
+//
+// Validation specifies the CEL expression which is used to apply the validation.
 type ValidationApplyConfiguration struct {
-	Expression        *string          `json:"expression,omitempty"`
-	Message           *string          `json:"message,omitempty"`
-	Reason            *v1.StatusReason `json:"reason,omitempty"`
-	MessageExpression *string          `json:"messageExpression,omitempty"`
+	// Expression represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:
+	//
+	// - 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// - 'oldObject' - The existing object. The value is null for CREATE requests.
+	// - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
+	// - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.
+	// - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.
+	// - 'variables' - Map of composited variables, from its name to its lazily evaluated value.
+	// For example, a variable named 'foo' can be accessed as 'variables.foo'.
+	// - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	// request resource.
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object. No other metadata properties are accessible.
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	// "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	// "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	// - Expression accessing a property named "namespace": {"Expression": "object.__namespace__ > 0"}
+	// - Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
+	// - Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	// - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	// non-intersecting elements in `Y` are appended, retaining their partial order.
+	// - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	// are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	// non-intersecting keys are appended, retaining their partial order.
+	// Required.
+	Expression *string `json:"expression,omitempty"`
+	// Message represents the message displayed when validation fails. The message is required if the Expression contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	// If the Expression contains line breaks. Message is required.
+	// The message must not contain line breaks.
+	// If unset, the message is "failed Expression: {Expression}".
+	Message *string `json:"message,omitempty"`
+	// Reason represents a machine-readable description of why this validation failed.
+	// If this is the first validation in the list to fail, this reason, as well as the
+	// corresponding HTTP response code, are used in the
+	// HTTP response to the client.
+	// The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+	// If not set, StatusReasonInvalid is used in the response to the client.
+	Reason *v1.StatusReason `json:"reason,omitempty"`
+	// messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+	// If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+	// Example:
+	// "object.x must be less than max ("+string(params.max)+")"
+	MessageExpression *string `json:"messageExpression,omitempty"`
 }
 
 // ValidationApplyConfiguration constructs a declarative configuration of the Validation type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/variable.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/variable.go
index 0ece197db2a1b..db334f2265712 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/variable.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/variable.go
@@ -20,8 +20,15 @@ package v1beta1
 
 // VariableApplyConfiguration represents a declarative configuration of the Variable type for use
 // with apply.
+//
+// Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.
 type VariableApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+	// The variable can be accessed in other expressions through `variables`
+	// For example, if name is "foo", the variable will be available as `variables.foo`
+	Name *string `json:"name,omitempty"`
+	// Expression is the expression that will be evaluated as the value of the variable.
+	// The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go
index 76ff71b4aec3f..593ff43ebfe6e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1/webhookclientconfig.go
@@ -20,10 +20,44 @@ package v1beta1
 
 // WebhookClientConfigApplyConfiguration represents a declarative configuration of the WebhookClientConfig type for use
 // with apply.
+//
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
 type WebhookClientConfigApplyConfiguration struct {
-	URL      *string                             `json:"url,omitempty"`
-	Service  *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
-	CABundle []byte                              `json:"caBundle,omitempty"`
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	URL *string `json:"url,omitempty"`
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	Service *ServiceReferenceApplyConfiguration `json:"service,omitempty"`
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	CABundle []byte `json:"caBundle,omitempty"`
 }
 
 // WebhookClientConfigApplyConfiguration constructs a declarative configuration of the WebhookClientConfig type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go
index 8394298b93ed2..94379ddc5af46 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/serverstorageversion.go
@@ -20,11 +20,21 @@ package v1alpha1
 
 // ServerStorageVersionApplyConfiguration represents a declarative configuration of the ServerStorageVersion type for use
 // with apply.
+//
+// An API server instance reports the version it can decode and the version it
+// encodes objects to when persisting objects in the backend.
 type ServerStorageVersionApplyConfiguration struct {
-	APIServerID       *string  `json:"apiServerID,omitempty"`
-	EncodingVersion   *string  `json:"encodingVersion,omitempty"`
+	// The ID of the reporting API server.
+	APIServerID *string `json:"apiServerID,omitempty"`
+	// The API server encodes the object to this version when persisting it in
+	// the backend (e.g., etcd).
+	EncodingVersion *string `json:"encodingVersion,omitempty"`
+	// The API server can decode objects encoded in these versions.
+	// The encodingVersion must be included in the decodableVersions.
 	DecodableVersions []string `json:"decodableVersions,omitempty"`
-	ServedVersions    []string `json:"servedVersions,omitempty"`
+	// The API server can serve these versions.
+	// DecodableVersions must include all ServedVersions.
+	ServedVersions []string `json:"servedVersions,omitempty"`
 }
 
 // ServerStorageVersionApplyConfiguration constructs a declarative configuration of the ServerStorageVersion type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go
index 9838e3c9c2f46..e9f41cc2773b5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversion.go
@@ -29,11 +29,17 @@ import (
 
 // StorageVersionApplyConfiguration represents a declarative configuration of the StorageVersion type for use
 // with apply.
+//
+// Storage version of a specific resource.
 type StorageVersionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// The name is <group>.<resource>.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
-	Status                           *StorageVersionStatusApplyConfiguration       `json:"status,omitempty"`
+	// Spec is an empty spec. It is here to comply with Kubernetes API style.
+	Spec *apiserverinternalv1alpha1.StorageVersionSpec `json:"spec,omitempty"`
+	// API server instances report the version they can decode and the version they
+	// encode objects to when persisting objects in the backend.
+	Status *StorageVersionStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // StorageVersion constructs a declarative configuration of the StorageVersion type for use with
@@ -46,6 +52,26 @@ func StorageVersion(name string) *StorageVersionApplyConfiguration {
 	return b
 }
 
+// ExtractStorageVersionFrom extracts the applied configuration owned by fieldManager from
+// storageVersion for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// storageVersion must be a unmodified StorageVersion API object that was retrieved from the Kubernetes API.
+// ExtractStorageVersionFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageVersionFrom(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
+	b := &StorageVersionApplyConfiguration{}
+	err := managedfields.ExtractInto(storageVersion, internal.Parser().Type("io.k8s.api.apiserverinternal.v1alpha1.StorageVersion"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(storageVersion.Name)
+
+	b.WithKind("StorageVersion")
+	b.WithAPIVersion("internal.apiserver.k8s.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractStorageVersion extracts the applied configuration owned by fieldManager from
 // storageVersion. If no managedFields are found in storageVersion for fieldManager, a
 // StorageVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +82,16 @@ func StorageVersion(name string) *StorageVersionApplyConfiguration {
 // ExtractStorageVersion provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "")
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "")
 }
 
-// ExtractStorageVersionStatus is the same as ExtractStorageVersion except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractStorageVersionStatus extracts the applied configuration owned by fieldManager from
+// storageVersion for the status subresource.
 func ExtractStorageVersionStatus(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string) (*StorageVersionApplyConfiguration, error) {
-	return extractStorageVersion(storageVersion, fieldManager, "status")
+	return ExtractStorageVersionFrom(storageVersion, fieldManager, "status")
 }
 
-func extractStorageVersion(storageVersion *apiserverinternalv1alpha1.StorageVersion, fieldManager string, subresource string) (*StorageVersionApplyConfiguration, error) {
-	b := &StorageVersionApplyConfiguration{}
-	err := managedfields.ExtractInto(storageVersion, internal.Parser().Type("io.k8s.api.apiserverinternal.v1alpha1.StorageVersion"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(storageVersion.Name)
-
-	b.WithKind("StorageVersion")
-	b.WithAPIVersion("internal.apiserver.k8s.io/v1alpha1")
-	return b, nil
-}
 func (b StorageVersionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go
index 1ed71cf8e938e..84752a459969e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversioncondition.go
@@ -25,13 +25,21 @@ import (
 
 // StorageVersionConditionApplyConfiguration represents a declarative configuration of the StorageVersionCondition type for use
 // with apply.
+//
+// Describes the state of the storageVersion at a certain point.
 type StorageVersionConditionApplyConfiguration struct {
-	Type               *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
-	Status             *apiserverinternalv1alpha1.ConditionStatus             `json:"status,omitempty"`
-	ObservedGeneration *int64                                                 `json:"observedGeneration,omitempty"`
-	LastTransitionTime *v1.Time                                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                `json:"reason,omitempty"`
-	Message            *string                                                `json:"message,omitempty"`
+	// Type of the condition.
+	Type *apiserverinternalv1alpha1.StorageVersionConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *apiserverinternalv1alpha1.ConditionStatus `json:"status,omitempty"`
+	// If set, this represents the .metadata.generation that the condition was set based upon.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // StorageVersionConditionApplyConfiguration constructs a declarative configuration of the StorageVersionCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go
index 2e25d675241b5..00a71ad5a21f4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1/storageversionstatus.go
@@ -20,10 +20,19 @@ package v1alpha1
 
 // StorageVersionStatusApplyConfiguration represents a declarative configuration of the StorageVersionStatus type for use
 // with apply.
+//
+// API server instances report the versions they can decode and the version they
+// encode objects to when persisting objects in the backend.
 type StorageVersionStatusApplyConfiguration struct {
-	StorageVersions       []ServerStorageVersionApplyConfiguration    `json:"storageVersions,omitempty"`
-	CommonEncodingVersion *string                                     `json:"commonEncodingVersion,omitempty"`
-	Conditions            []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The reported versions per API server instance.
+	StorageVersions []ServerStorageVersionApplyConfiguration `json:"storageVersions,omitempty"`
+	// If all API server instances agree on the same encoding storage version,
+	// then this field is set to that version. Otherwise this field is left empty.
+	// API servers should finish updating its storageVersionStatus entry before
+	// serving write operations, so that this field will be in sync with the reality.
+	CommonEncodingVersion *string `json:"commonEncodingVersion,omitempty"`
+	// The latest available observations of the storageVersion's state.
+	Conditions []StorageVersionConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // StorageVersionStatusApplyConfiguration constructs a declarative configuration of the StorageVersionStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/controllerrevision.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/controllerrevision.go
index 1c97bcc598343..8a01c0d75492f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/controllerrevision.go
@@ -30,11 +30,25 @@ import (
 
 // ControllerRevisionApplyConfiguration represents a declarative configuration of the ControllerRevision type for use
 // with apply.
+//
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
 type ControllerRevisionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Data                                 *runtime.RawExtension `json:"data,omitempty"`
-	Revision                             *int64                `json:"revision,omitempty"`
+	// Data is the serialized representation of the state.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// Revision indicates the revision of the state represented by Data.
+	Revision *int64 `json:"revision,omitempty"`
 }
 
 // ControllerRevision constructs a declarative configuration of the ControllerRevision type for use with
@@ -48,29 +62,14 @@ func ControllerRevision(name, namespace string) *ControllerRevisionApplyConfigur
 	return b
 }
 
-// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
-// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
-// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractControllerRevisionFrom extracts the applied configuration owned by fieldManager from
+// controllerRevision for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
-// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractControllerRevisionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "")
-}
-
-// ExtractControllerRevisionStatus is the same as ExtractControllerRevision except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractControllerRevisionStatus(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "status")
-}
-
-func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
+func ExtractControllerRevisionFrom(controllerRevision *appsv1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
 	b := &ControllerRevisionApplyConfiguration{}
 	err := managedfields.ExtractInto(controllerRevision, internal.Parser().Type("io.k8s.api.apps.v1.ControllerRevision"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +82,21 @@ func extractControllerRevision(controllerRevision *appsv1.ControllerRevision, fi
 	b.WithAPIVersion("apps/v1")
 	return b, nil
 }
+
+// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
+// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
+// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
+// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractControllerRevision(controllerRevision *appsv1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
+	return ExtractControllerRevisionFrom(controllerRevision, fieldManager, "")
+}
+
 func (b ControllerRevisionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonset.go
index 14b4a88c6fc21..cc8f33f2907a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonset.go
@@ -29,11 +29,22 @@ import (
 
 // DaemonSetApplyConfiguration represents a declarative configuration of the DaemonSet type for use
 // with apply.
+//
+// DaemonSet represents the configuration of a daemon set.
 type DaemonSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DaemonSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *DaemonSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DaemonSet constructs a declarative configuration of the DaemonSet type for use with
@@ -47,6 +58,27 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 	return b
 }
 
+// ExtractDaemonSetFrom extracts the applied configuration owned by fieldManager from
+// daemonSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
+// ExtractDaemonSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDaemonSetFrom(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
+	b := &DaemonSetApplyConfiguration{}
+	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1.DaemonSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(daemonSet.Name)
+	b.WithNamespace(daemonSet.Namespace)
+
+	b.WithKind("DaemonSet")
+	b.WithAPIVersion("apps/v1")
+	return b, nil
+}
+
 // ExtractDaemonSet extracts the applied configuration owned by fieldManager from
 // daemonSet. If no managedFields are found in daemonSet for fieldManager, a
 // DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +89,16 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 // ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "")
 }
 
-// ExtractDaemonSetStatus is the same as ExtractDaemonSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDaemonSetStatus extracts the applied configuration owned by fieldManager from
+// daemonSet for the status subresource.
 func ExtractDaemonSetStatus(daemonSet *appsv1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "status")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "status")
 }
 
-func extractDaemonSet(daemonSet *appsv1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
-	b := &DaemonSetApplyConfiguration{}
-	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1.DaemonSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(daemonSet.Name)
-	b.WithNamespace(daemonSet.Namespace)
-
-	b.WithKind("DaemonSet")
-	b.WithAPIVersion("apps/v1")
-	return b, nil
-}
 func (b DaemonSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetcondition.go
index 8c56e4994bd84..c2ba0bf879b18 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetcondition.go
@@ -26,12 +26,20 @@ import (
 
 // DaemonSetConditionApplyConfiguration represents a declarative configuration of the DaemonSetCondition type for use
 // with apply.
+//
+// TODO: Add valid condition types of a DaemonSet.
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
 type DaemonSetConditionApplyConfiguration struct {
-	Type               *appsv1.DaemonSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                   `json:"lastTransitionTime,omitempty"`
-	Reason             *string                        `json:"reason,omitempty"`
-	Message            *string                        `json:"message,omitempty"`
+	// Type of DaemonSet condition.
+	Type *appsv1.DaemonSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DaemonSetConditionApplyConfiguration constructs a declarative configuration of the DaemonSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetspec.go
index d2382b80e0f9b..7b7a922db4a91 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetspec.go
@@ -25,12 +25,32 @@ import (
 
 // DaemonSetSpecApplyConfiguration represents a declarative configuration of the DaemonSetSpec type for use
 // with apply.
+//
+// DaemonSetSpec is the specification of a daemon set.
 type DaemonSetSpecApplyConfiguration struct {
-	Selector             *metav1.LabelSelectorApplyConfiguration    `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpecApplyConfiguration  `json:"template,omitempty"`
-	UpdateStrategy       *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
-	MinReadySeconds      *int32                                     `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit *int32                                     `json:"revisionHistoryLimit,omitempty"`
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	UpdateStrategy *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
 }
 
 // DaemonSetSpecApplyConfiguration constructs a declarative configuration of the DaemonSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetstatus.go
index a40dc16512e3f..c8d76571e0243 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetstatus.go
@@ -20,17 +20,42 @@ package v1
 
 // DaemonSetStatusApplyConfiguration represents a declarative configuration of the DaemonSetStatus type for use
 // with apply.
+//
+// DaemonSetStatus represents the current status of a daemon set.
 type DaemonSetStatusApplyConfiguration struct {
-	CurrentNumberScheduled *int32                                 `json:"currentNumberScheduled,omitempty"`
-	NumberMisscheduled     *int32                                 `json:"numberMisscheduled,omitempty"`
-	DesiredNumberScheduled *int32                                 `json:"desiredNumberScheduled,omitempty"`
-	NumberReady            *int32                                 `json:"numberReady,omitempty"`
-	ObservedGeneration     *int64                                 `json:"observedGeneration,omitempty"`
-	UpdatedNumberScheduled *int32                                 `json:"updatedNumberScheduled,omitempty"`
-	NumberAvailable        *int32                                 `json:"numberAvailable,omitempty"`
-	NumberUnavailable      *int32                                 `json:"numberUnavailable,omitempty"`
-	CollisionCount         *int32                                 `json:"collisionCount,omitempty"`
-	Conditions             []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled *int32 `json:"currentNumberScheduled,omitempty"`
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled *int32 `json:"numberMisscheduled,omitempty"`
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled *int32 `json:"desiredNumberScheduled,omitempty"`
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	NumberReady *int32 `json:"numberReady,omitempty"`
+	// The most recent generation observed by the daemon set controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The total number of nodes that are running updated daemon pod
+	UpdatedNumberScheduled *int32 `json:"updatedNumberScheduled,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	NumberAvailable *int32 `json:"numberAvailable,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	NumberUnavailable *int32 `json:"numberUnavailable,omitempty"`
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a DaemonSet's current state.
+	Conditions []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // DaemonSetStatusApplyConfiguration constructs a declarative configuration of the DaemonSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetupdatestrategy.go
index 993e1bd5721ec..3e3168dca6512 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/daemonsetupdatestrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DaemonSetUpdateStrategyApplyConfiguration represents a declarative configuration of the DaemonSetUpdateStrategy type for use
 // with apply.
+//
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
 type DaemonSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1.DaemonSetUpdateStrategyType       `json:"type,omitempty"`
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	Type *appsv1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
 	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deployment.go
index 9678c87b23e9d..771ca0a75ba49 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deployment.go
@@ -29,11 +29,17 @@ import (
 
 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,6 +53,27 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }
 
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeploymentFrom(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+	b := &DeploymentApplyConfiguration{}
+	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1.Deployment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deployment.Name)
+	b.WithNamespace(deployment.Namespace)
+
+	b.WithKind("Deployment")
+	b.WithAPIVersion("apps/v1")
+	return b, nil
+}
+
 // ExtractDeployment extracts the applied configuration owned by fieldManager from
 // deployment. If no managedFields are found in deployment for fieldManager, a
 // DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +84,22 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 // ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeployment(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
 }
 
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
+// ExtractDeploymentScale extracts the applied configuration owned by fieldManager from
+// deployment for the scale subresource.
+func ExtractDeploymentScale(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "scale")
 }
 
-func extractDeployment(deployment *appsv1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
-	b := &DeploymentApplyConfiguration{}
-	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1.Deployment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deployment.Name)
-	b.WithNamespace(deployment.Namespace)
-
-	b.WithKind("Deployment")
-	b.WithAPIVersion("apps/v1")
-	return b, nil
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
+func ExtractDeploymentStatus(deployment *appsv1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
 }
+
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentcondition.go
index 3a669363703bc..a7f5b5060c6fc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentcondition.go
@@ -26,13 +26,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                    `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *appsv1.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentspec.go
index 5f34b0582ca60..50a45b3e2bc95 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentspec.go
@@ -25,15 +25,37 @@ import (
 
 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Indicates that the deployment is paused.
+	Paused *bool `json:"paused,omitempty"`
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }
 
 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstatus.go
index 8d9e6cca288ae..d932a5b1b4dc6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstatus.go
@@ -20,16 +20,34 @@ package v1
 
 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }
 
 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstrategy.go
index 7bf8a15954d39..eb2737d9260a7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/deploymentstrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *appsv1.DeploymentStrategyType             `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *appsv1.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicaset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicaset.go
index aee110a21f758..63f11a2183c8c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicaset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicaset.go
@@ -29,11 +29,24 @@ import (
 
 // ReplicaSetApplyConfiguration represents a declarative configuration of the ReplicaSet type for use
 // with apply.
+//
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 type ReplicaSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ReplicaSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicaSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ReplicaSet constructs a declarative configuration of the ReplicaSet type for use with
@@ -47,6 +60,27 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 	return b
 }
 
+// ExtractReplicaSetFrom extracts the applied configuration owned by fieldManager from
+// replicaSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
+// ExtractReplicaSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicaSetFrom(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
+	b := &ReplicaSetApplyConfiguration{}
+	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1.ReplicaSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(replicaSet.Name)
+	b.WithNamespace(replicaSet.Namespace)
+
+	b.WithKind("ReplicaSet")
+	b.WithAPIVersion("apps/v1")
+	return b, nil
+}
+
 // ExtractReplicaSet extracts the applied configuration owned by fieldManager from
 // replicaSet. If no managedFields are found in replicaSet for fieldManager, a
 // ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,22 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 // ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "")
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "")
 }
 
-// ExtractReplicaSetStatus is the same as ExtractReplicaSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "status")
+// ExtractReplicaSetScale extracts the applied configuration owned by fieldManager from
+// replicaSet for the scale subresource.
+func ExtractReplicaSetScale(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "scale")
 }
 
-func extractReplicaSet(replicaSet *appsv1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
-	b := &ReplicaSetApplyConfiguration{}
-	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1.ReplicaSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(replicaSet.Name)
-	b.WithNamespace(replicaSet.Namespace)
-
-	b.WithKind("ReplicaSet")
-	b.WithAPIVersion("apps/v1")
-	return b, nil
+// ExtractReplicaSetStatus extracts the applied configuration owned by fieldManager from
+// replicaSet for the status subresource.
+func ExtractReplicaSetStatus(replicaSet *appsv1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "status")
 }
+
 func (b ReplicaSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetcondition.go
index 0325ce0583913..12077083f1267 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // ReplicaSetConditionApplyConfiguration represents a declarative configuration of the ReplicaSetCondition type for use
 // with apply.
+//
+// ReplicaSetCondition describes the state of a replica set at a certain point.
 type ReplicaSetConditionApplyConfiguration struct {
-	Type               *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// Type of replica set condition.
+	Type *appsv1.ReplicaSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // ReplicaSetConditionApplyConfiguration constructs a declarative configuration of the ReplicaSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetspec.go
index 714ddcfe3df44..01a0c32186a1f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetspec.go
@@ -25,11 +25,27 @@ import (
 
 // ReplicaSetSpecApplyConfiguration represents a declarative configuration of the ReplicaSetSpec type for use
 // with apply.
+//
+// ReplicaSetSpec is the specification of a ReplicaSet.
 type ReplicaSetSpecApplyConfiguration struct {
-	Replicas        *int32                                    `json:"replicas,omitempty"`
-	MinReadySeconds *int32                                    `json:"minReadySeconds,omitempty"`
-	Selector        *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	Template        *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Replicas is the number of desired pods.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }
 
 // ReplicaSetSpecApplyConfiguration constructs a declarative configuration of the ReplicaSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetstatus.go
index d11526d60a997..b3560959fa279 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/replicasetstatus.go
@@ -20,14 +20,27 @@ package v1
 
 // ReplicaSetStatusApplyConfiguration represents a declarative configuration of the ReplicaSetStatus type for use
 // with apply.
+//
+// ReplicaSetStatus represents the current status of a ReplicaSet.
 type ReplicaSetStatusApplyConfiguration struct {
-	Replicas             *int32                                  `json:"replicas,omitempty"`
-	FullyLabeledReplicas *int32                                  `json:"fullyLabeledReplicas,omitempty"`
-	ReadyReplicas        *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas    *int32                                  `json:"availableReplicas,omitempty"`
-	TerminatingReplicas  *int32                                  `json:"terminatingReplicas,omitempty"`
-	ObservedGeneration   *int64                                  `json:"observedGeneration,omitempty"`
-	Conditions           []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Replicas is the most recently observed number of non-terminating pods.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.
+	FullyLabeledReplicas *int32 `json:"fullyLabeledReplicas,omitempty"`
+	// The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
+	// and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Represents the latest available observations of a replica set's current state.
+	Conditions []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ReplicaSetStatusApplyConfiguration constructs a declarative configuration of the ReplicaSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedaemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedaemonset.go
index e898f5081c8c4..7fbc3e3b8625d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedaemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedaemonset.go
@@ -24,9 +24,43 @@ import (
 
 // RollingUpdateDaemonSetApplyConfiguration represents a declarative configuration of the RollingUpdateDaemonSet type for use
 // with apply.
+//
+// Spec to control the desired behavior of daemon set rolling update.
 type RollingUpdateDaemonSetApplyConfiguration struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediately created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDaemonSetApplyConfiguration constructs a declarative configuration of the RollingUpdateDaemonSet type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedeployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedeployment.go
index 2bc2937241f1e..20b52d1e947f1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedeployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatedeployment.go
@@ -24,9 +24,32 @@ import (
 
 // RollingUpdateDeploymentApplyConfiguration represents a declarative configuration of the RollingUpdateDeployment type for use
 // with apply.
+//
+// Spec to control the desired behavior of rolling update.
 type RollingUpdateDeploymentApplyConfiguration struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDeploymentApplyConfiguration constructs a declarative configuration of the RollingUpdateDeployment type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go
index dd0de81a6cb17..d73e1f98e14a0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/rollingupdatestatefulsetstrategy.go
@@ -24,8 +24,21 @@ import (
 
 // RollingUpdateStatefulSetStrategyApplyConfiguration represents a declarative configuration of the RollingUpdateStatefulSetStrategy type for use
 // with apply.
+//
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
 type RollingUpdateStatefulSetStrategyApplyConfiguration struct {
-	Partition      *int32              `json:"partition,omitempty"`
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	Partition *int32 `json:"partition,omitempty"`
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulset.go
index fc682f68f9f4c..e3dc20463796a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulset.go
@@ -29,11 +29,24 @@ import (
 
 // StatefulSetApplyConfiguration represents a declarative configuration of the StatefulSet type for use
 // with apply.
+//
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+// - Network: A single stable DNS and hostname.
+// - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
 type StatefulSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *StatefulSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the desired identities of pods in this set.
+	Spec *StatefulSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	Status *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // StatefulSet constructs a declarative configuration of the StatefulSet type for use with
@@ -47,6 +60,27 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 	return b
 }
 
+// ExtractStatefulSetFrom extracts the applied configuration owned by fieldManager from
+// statefulSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// statefulSet must be a unmodified StatefulSet API object that was retrieved from the Kubernetes API.
+// ExtractStatefulSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStatefulSetFrom(statefulSet *appsv1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
+	b := &StatefulSetApplyConfiguration{}
+	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1.StatefulSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(statefulSet.Name)
+	b.WithNamespace(statefulSet.Namespace)
+
+	b.WithKind("StatefulSet")
+	b.WithAPIVersion("apps/v1")
+	return b, nil
+}
+
 // ExtractStatefulSet extracts the applied configuration owned by fieldManager from
 // statefulSet. If no managedFields are found in statefulSet for fieldManager, a
 // StatefulSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,22 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 // ExtractStatefulSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "")
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "")
 }
 
-// ExtractStatefulSetStatus is the same as ExtractStatefulSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStatefulSetStatus(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "status")
+// ExtractStatefulSetScale extracts the applied configuration owned by fieldManager from
+// statefulSet for the scale subresource.
+func ExtractStatefulSetScale(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "scale")
 }
 
-func extractStatefulSet(statefulSet *appsv1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
-	b := &StatefulSetApplyConfiguration{}
-	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1.StatefulSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(statefulSet.Name)
-	b.WithNamespace(statefulSet.Namespace)
-
-	b.WithKind("StatefulSet")
-	b.WithAPIVersion("apps/v1")
-	return b, nil
+// ExtractStatefulSetStatus extracts the applied configuration owned by fieldManager from
+// statefulSet for the status subresource.
+func ExtractStatefulSetStatus(statefulSet *appsv1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "status")
 }
+
 func (b StatefulSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetcondition.go
index 45b2ad81f1d01..2d230fa83c66d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // StatefulSetConditionApplyConfiguration represents a declarative configuration of the StatefulSetCondition type for use
 // with apply.
+//
+// StatefulSetCondition describes the state of a statefulset at a certain point.
 type StatefulSetConditionApplyConfiguration struct {
-	Type               *appsv1.StatefulSetConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus          `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                     `json:"lastTransitionTime,omitempty"`
-	Reason             *string                          `json:"reason,omitempty"`
-	Message            *string                          `json:"message,omitempty"`
+	// Type of statefulset condition.
+	Type *appsv1.StatefulSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // StatefulSetConditionApplyConfiguration constructs a declarative configuration of the StatefulSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetordinals.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetordinals.go
index 86f39e16c1612..94492ac3d884f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetordinals.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetordinals.go
@@ -20,7 +20,18 @@ package v1
 
 // StatefulSetOrdinalsApplyConfiguration represents a declarative configuration of the StatefulSetOrdinals type for use
 // with apply.
+//
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
 type StatefulSetOrdinalsApplyConfiguration struct {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	// [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	// [0, .spec.replicas).
 	Start *int32 `json:"start,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetpersistentvolumeclaimretentionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetpersistentvolumeclaimretentionpolicy.go
index dff3e2a76bfad..5a4148470d4c2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetpersistentvolumeclaimretentionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetpersistentvolumeclaimretentionpolicy.go
@@ -24,9 +24,21 @@ import (
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration represents a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use
 // with apply.
+//
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
 type StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration struct {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
 	WhenDeleted *appsv1.PersistentVolumeClaimRetentionPolicyType `json:"whenDeleted,omitempty"`
-	WhenScaled  *appsv1.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	WhenScaled *appsv1.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
 }
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration constructs a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetspec.go
index c48b64fe39b2c..ac6114a9b535f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetspec.go
@@ -26,18 +26,74 @@ import (
 
 // StatefulSetSpecApplyConfiguration represents a declarative configuration of the StatefulSetSpec type for use
 // with apply.
+//
+// A StatefulSetSpec is the specification of a StatefulSet.
 type StatefulSetSpecApplyConfiguration struct {
-	Replicas                             *int32                                                             `json:"replicas,omitempty"`
-	Selector                             *metav1.LabelSelectorApplyConfiguration                            `json:"selector,omitempty"`
-	Template                             *corev1.PodTemplateSpecApplyConfiguration                          `json:"template,omitempty"`
-	VolumeClaimTemplates                 []corev1.PersistentVolumeClaimApplyConfiguration                   `json:"volumeClaimTemplates,omitempty"`
-	ServiceName                          *string                                                            `json:"serviceName,omitempty"`
-	PodManagementPolicy                  *appsv1.PodManagementPolicyType                                    `json:"podManagementPolicy,omitempty"`
-	UpdateStrategy                       *StatefulSetUpdateStrategyApplyConfiguration                       `json:"updateStrategy,omitempty"`
-	RevisionHistoryLimit                 *int32                                                             `json:"revisionHistoryLimit,omitempty"`
-	MinReadySeconds                      *int32                                                             `json:"minReadySeconds,omitempty"`
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	VolumeClaimTemplates []corev1.PersistentVolumeClaimApplyConfiguration `json:"volumeClaimTemplates,omitempty"`
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	ServiceName *string `json:"serviceName,omitempty"`
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	PodManagementPolicy *appsv1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	UpdateStrategy *StatefulSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration `json:"persistentVolumeClaimRetentionPolicy,omitempty"`
-	Ordinals                             *StatefulSetOrdinalsApplyConfiguration                             `json:"ordinals,omitempty"`
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested.
+	Ordinals *StatefulSetOrdinalsApplyConfiguration `json:"ordinals,omitempty"`
 }
 
 // StatefulSetSpecApplyConfiguration constructs a declarative configuration of the StatefulSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetstatus.go
index 637a1c649d25f..f60786d4c1f2b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetstatus.go
@@ -20,17 +20,36 @@ package v1
 
 // StatefulSetStatusApplyConfiguration represents a declarative configuration of the StatefulSetStatus type for use
 // with apply.
+//
+// StatefulSetStatus represents the current state of a StatefulSet.
 type StatefulSetStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                   `json:"observedGeneration,omitempty"`
-	Replicas           *int32                                   `json:"replicas,omitempty"`
-	ReadyReplicas      *int32                                   `json:"readyReplicas,omitempty"`
-	CurrentReplicas    *int32                                   `json:"currentReplicas,omitempty"`
-	UpdatedReplicas    *int32                                   `json:"updatedReplicas,omitempty"`
-	CurrentRevision    *string                                  `json:"currentRevision,omitempty"`
-	UpdateRevision     *string                                  `json:"updateRevision,omitempty"`
-	CollisionCount     *int32                                   `json:"collisionCount,omitempty"`
-	Conditions         []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
-	AvailableReplicas  *int32                                   `json:"availableReplicas,omitempty"`
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// replicas is the number of Pods created by the StatefulSet controller.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	CurrentRevision *string `json:"currentRevision,omitempty"`
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	UpdateRevision *string `json:"updateRevision,omitempty"`
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a statefulset's current state.
+	Conditions []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
 }
 
 // StatefulSetStatusApplyConfiguration constructs a declarative configuration of the StatefulSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetupdatestrategy.go
index ae135d34d3b6b..7f27338399b12 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1/statefulsetupdatestrategy.go
@@ -24,8 +24,15 @@ import (
 
 // StatefulSetUpdateStrategyApplyConfiguration represents a declarative configuration of the StatefulSetUpdateStrategy type for use
 // with apply.
+//
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
 type StatefulSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1.StatefulSetUpdateStrategyType               `json:"type,omitempty"`
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	Type *appsv1.StatefulSetUpdateStrategyType `json:"type,omitempty"`
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
 	RollingUpdate *RollingUpdateStatefulSetStrategyApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/controllerrevision.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/controllerrevision.go
index f8406d26ae1f5..6d2fdbefc84e8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/controllerrevision.go
@@ -30,11 +30,27 @@ import (
 
 // ControllerRevisionApplyConfiguration represents a declarative configuration of the ControllerRevision type for use
 // with apply.
+//
+// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1beta2/ControllerRevision. See the
+// release notes for more information.
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
 type ControllerRevisionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Data                             *runtime.RawExtension `json:"data,omitempty"`
-	Revision                         *int64                `json:"revision,omitempty"`
+	// data is the serialized representation of the state.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// revision indicates the revision of the state represented by Data.
+	Revision *int64 `json:"revision,omitempty"`
 }
 
 // ControllerRevision constructs a declarative configuration of the ControllerRevision type for use with
@@ -48,29 +64,14 @@ func ControllerRevision(name, namespace string) *ControllerRevisionApplyConfigur
 	return b
 }
 
-// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
-// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
-// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractControllerRevisionFrom extracts the applied configuration owned by fieldManager from
+// controllerRevision for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
-// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractControllerRevisionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractControllerRevision(controllerRevision *appsv1beta1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "")
-}
-
-// ExtractControllerRevisionStatus is the same as ExtractControllerRevision except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractControllerRevisionStatus(controllerRevision *appsv1beta1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "status")
-}
-
-func extractControllerRevision(controllerRevision *appsv1beta1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
+func ExtractControllerRevisionFrom(controllerRevision *appsv1beta1.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
 	b := &ControllerRevisionApplyConfiguration{}
 	err := managedfields.ExtractInto(controllerRevision, internal.Parser().Type("io.k8s.api.apps.v1beta1.ControllerRevision"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +84,21 @@ func extractControllerRevision(controllerRevision *appsv1beta1.ControllerRevisio
 	b.WithAPIVersion("apps/v1beta1")
 	return b, nil
 }
+
+// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
+// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
+// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
+// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractControllerRevision(controllerRevision *appsv1beta1.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
+	return ExtractControllerRevisionFrom(controllerRevision, fieldManager, "")
+}
+
 func (b ControllerRevisionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deployment.go
index eae1504079ce2..e8195218cee24 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deployment.go
@@ -29,11 +29,18 @@ import (
 
 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,6 +54,27 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }
 
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeploymentFrom(deployment *appsv1beta1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+	b := &DeploymentApplyConfiguration{}
+	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1beta1.Deployment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deployment.Name)
+	b.WithNamespace(deployment.Namespace)
+
+	b.WithKind("Deployment")
+	b.WithAPIVersion("apps/v1beta1")
+	return b, nil
+}
+
 // ExtractDeployment extracts the applied configuration owned by fieldManager from
 // deployment. If no managedFields are found in deployment for fieldManager, a
 // DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +85,16 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 // ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeployment(deployment *appsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
 }
 
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
 func ExtractDeploymentStatus(deployment *appsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
 }
 
-func extractDeployment(deployment *appsv1beta1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
-	b := &DeploymentApplyConfiguration{}
-	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1beta1.Deployment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deployment.Name)
-	b.WithNamespace(deployment.Namespace)
-
-	b.WithKind("Deployment")
-	b.WithAPIVersion("apps/v1beta1")
-	return b, nil
-}
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentcondition.go
index b0a45b1a6e43e..a146cbac1ebb0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentcondition.go
@@ -26,13 +26,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1beta1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                  `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                         `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                         `json:"lastTransitionTime,omitempty"`
-	Reason             *string                              `json:"reason,omitempty"`
-	Message            *string                              `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *appsv1beta1.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentspec.go
index 5531c756f9de8..a286c17b83e85 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentspec.go
@@ -25,16 +25,39 @@ import (
 
 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	RollbackTo              *RollbackConfigApplyConfiguration         `json:"rollbackTo,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// replicas is the number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// selector is the label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// minReadySeconds is the minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// revisionHistoryLimit is the number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 2.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// paused indicates that the deployment is paused.
+	Paused *bool `json:"paused,omitempty"`
+	// DEPRECATED.
+	// rollbackTo is the config this deployment is rolling back to. Will be cleared after rollback is done.
+	RollbackTo *RollbackConfigApplyConfiguration `json:"rollbackTo,omitempty"`
+	// progressDeadlineSeconds is the maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }
 
 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstatus.go
index 36b4fd42b6e2b..d508accbcf3cf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstatus.go
@@ -20,16 +20,34 @@ package v1beta1
 
 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// collisionCount is the count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }
 
 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstrategy.go
index 03e66555af10b..c033daeb9227d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/deploymentstrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *appsv1beta1.DeploymentStrategyType        `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *appsv1beta1.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollbackconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollbackconfig.go
index 775f82eef8019..f73b9e670eafe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollbackconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollbackconfig.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // RollbackConfigApplyConfiguration represents a declarative configuration of the RollbackConfig type for use
 // with apply.
+//
+// DEPRECATED.
 type RollbackConfigApplyConfiguration struct {
+	// The revision to rollback to. If set to 0, rollback to the last revision.
 	Revision *int64 `json:"revision,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatedeployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatedeployment.go
index 244701a5e0158..31f0479999bf8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatedeployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatedeployment.go
@@ -24,9 +24,32 @@ import (
 
 // RollingUpdateDeploymentApplyConfiguration represents a declarative configuration of the RollingUpdateDeployment type for use
 // with apply.
+//
+// Spec to control the desired behavior of rolling update.
 type RollingUpdateDeploymentApplyConfiguration struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDeploymentApplyConfiguration constructs a declarative configuration of the RollingUpdateDeployment type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatestatefulsetstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatestatefulsetstrategy.go
index 94c2971343e77..38c6b755bd238 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatestatefulsetstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/rollingupdatestatefulsetstrategy.go
@@ -24,8 +24,21 @@ import (
 
 // RollingUpdateStatefulSetStrategyApplyConfiguration represents a declarative configuration of the RollingUpdateStatefulSetStrategy type for use
 // with apply.
+//
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
 type RollingUpdateStatefulSetStrategyApplyConfiguration struct {
-	Partition      *int32              `json:"partition,omitempty"`
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	Partition *int32 `json:"partition,omitempty"`
+	// maxUnavailable is the maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulset.go
index d9b3af8ef2043..361ed68a9096f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulset.go
@@ -29,11 +29,24 @@ import (
 
 // StatefulSetApplyConfiguration represents a declarative configuration of the StatefulSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1beta2/StatefulSet. See the release notes for
+// more information.
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+// - Network: A single stable DNS and hostname.
+// - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
 type StatefulSetApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *StatefulSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the desired identities of pods in this set.
+	Spec *StatefulSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	Status *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // StatefulSet constructs a declarative configuration of the StatefulSet type for use with
@@ -47,6 +60,27 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 	return b
 }
 
+// ExtractStatefulSetFrom extracts the applied configuration owned by fieldManager from
+// statefulSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// statefulSet must be a unmodified StatefulSet API object that was retrieved from the Kubernetes API.
+// ExtractStatefulSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStatefulSetFrom(statefulSet *appsv1beta1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
+	b := &StatefulSetApplyConfiguration{}
+	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1beta1.StatefulSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(statefulSet.Name)
+	b.WithNamespace(statefulSet.Namespace)
+
+	b.WithKind("StatefulSet")
+	b.WithAPIVersion("apps/v1beta1")
+	return b, nil
+}
+
 // ExtractStatefulSet extracts the applied configuration owned by fieldManager from
 // statefulSet. If no managedFields are found in statefulSet for fieldManager, a
 // StatefulSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 // ExtractStatefulSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractStatefulSet(statefulSet *appsv1beta1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "")
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "")
 }
 
-// ExtractStatefulSetStatus is the same as ExtractStatefulSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractStatefulSetStatus extracts the applied configuration owned by fieldManager from
+// statefulSet for the status subresource.
 func ExtractStatefulSetStatus(statefulSet *appsv1beta1.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "status")
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "status")
 }
 
-func extractStatefulSet(statefulSet *appsv1beta1.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
-	b := &StatefulSetApplyConfiguration{}
-	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1beta1.StatefulSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(statefulSet.Name)
-	b.WithNamespace(statefulSet.Namespace)
-
-	b.WithKind("StatefulSet")
-	b.WithAPIVersion("apps/v1beta1")
-	return b, nil
-}
 func (b StatefulSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetcondition.go
index 5a13584bc0862..6811ce55f4fbb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // StatefulSetConditionApplyConfiguration represents a declarative configuration of the StatefulSetCondition type for use
 // with apply.
+//
+// StatefulSetCondition describes the state of a statefulset at a certain point.
 type StatefulSetConditionApplyConfiguration struct {
-	Type               *appsv1beta1.StatefulSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                   `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                          `json:"lastTransitionTime,omitempty"`
-	Reason             *string                               `json:"reason,omitempty"`
-	Message            *string                               `json:"message,omitempty"`
+	// Type of statefulset condition.
+	Type *appsv1beta1.StatefulSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // StatefulSetConditionApplyConfiguration constructs a declarative configuration of the StatefulSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetordinals.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetordinals.go
index 2e3049e5e2210..a2b1bd09f1a47 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetordinals.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetordinals.go
@@ -20,7 +20,18 @@ package v1beta1
 
 // StatefulSetOrdinalsApplyConfiguration represents a declarative configuration of the StatefulSetOrdinals type for use
 // with apply.
+//
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
 type StatefulSetOrdinalsApplyConfiguration struct {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	// [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	// [0, .spec.replicas).
 	Start *int32 `json:"start,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetpersistentvolumeclaimretentionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetpersistentvolumeclaimretentionpolicy.go
index f9b6fbd881685..b2d69b662e5e6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetpersistentvolumeclaimretentionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetpersistentvolumeclaimretentionpolicy.go
@@ -24,9 +24,21 @@ import (
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration represents a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use
 // with apply.
+//
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
 type StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration struct {
+	// whenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
 	WhenDeleted *appsv1beta1.PersistentVolumeClaimRetentionPolicyType `json:"whenDeleted,omitempty"`
-	WhenScaled  *appsv1beta1.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
+	// whenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	WhenScaled *appsv1beta1.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
 }
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration constructs a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetspec.go
index 137c7243b8d38..3047440cac98d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetspec.go
@@ -26,18 +26,73 @@ import (
 
 // StatefulSetSpecApplyConfiguration represents a declarative configuration of the StatefulSetSpec type for use
 // with apply.
+//
+// A StatefulSetSpec is the specification of a StatefulSet.
 type StatefulSetSpecApplyConfiguration struct {
-	Replicas                             *int32                                                             `json:"replicas,omitempty"`
-	Selector                             *v1.LabelSelectorApplyConfiguration                                `json:"selector,omitempty"`
-	Template                             *corev1.PodTemplateSpecApplyConfiguration                          `json:"template,omitempty"`
-	VolumeClaimTemplates                 []corev1.PersistentVolumeClaimApplyConfiguration                   `json:"volumeClaimTemplates,omitempty"`
-	ServiceName                          *string                                                            `json:"serviceName,omitempty"`
-	PodManagementPolicy                  *appsv1beta1.PodManagementPolicyType                               `json:"podManagementPolicy,omitempty"`
-	UpdateStrategy                       *StatefulSetUpdateStrategyApplyConfiguration                       `json:"updateStrategy,omitempty"`
-	RevisionHistoryLimit                 *int32                                                             `json:"revisionHistoryLimit,omitempty"`
-	MinReadySeconds                      *int32                                                             `json:"minReadySeconds,omitempty"`
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// selector is a label query over pods that should match the replica count.
+	// If empty, defaulted to labels on the pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	VolumeClaimTemplates []corev1.PersistentVolumeClaimApplyConfiguration `json:"volumeClaimTemplates,omitempty"`
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	ServiceName *string `json:"serviceName,omitempty"`
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	PodManagementPolicy *appsv1beta1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	UpdateStrategy *StatefulSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// minReadySeconds is the minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration `json:"persistentVolumeClaimRetentionPolicy,omitempty"`
-	Ordinals                             *StatefulSetOrdinalsApplyConfiguration                             `json:"ordinals,omitempty"`
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested.
+	Ordinals *StatefulSetOrdinalsApplyConfiguration `json:"ordinals,omitempty"`
 }
 
 // StatefulSetSpecApplyConfiguration constructs a declarative configuration of the StatefulSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetstatus.go
index 27ae7540fd245..9ffc085a8ac3a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetstatus.go
@@ -20,17 +20,36 @@ package v1beta1
 
 // StatefulSetStatusApplyConfiguration represents a declarative configuration of the StatefulSetStatus type for use
 // with apply.
+//
+// StatefulSetStatus represents the current state of a StatefulSet.
 type StatefulSetStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                   `json:"observedGeneration,omitempty"`
-	Replicas           *int32                                   `json:"replicas,omitempty"`
-	ReadyReplicas      *int32                                   `json:"readyReplicas,omitempty"`
-	CurrentReplicas    *int32                                   `json:"currentReplicas,omitempty"`
-	UpdatedReplicas    *int32                                   `json:"updatedReplicas,omitempty"`
-	CurrentRevision    *string                                  `json:"currentRevision,omitempty"`
-	UpdateRevision     *string                                  `json:"updateRevision,omitempty"`
-	CollisionCount     *int32                                   `json:"collisionCount,omitempty"`
-	Conditions         []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
-	AvailableReplicas  *int32                                   `json:"availableReplicas,omitempty"`
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// replicas is the number of Pods created by the StatefulSet controller.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// readyReplicas is the number of pods created by this StatefulSet controller with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	CurrentRevision *string `json:"currentRevision,omitempty"`
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	UpdateRevision *string `json:"updateRevision,omitempty"`
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// conditions represent the latest available observations of a statefulset's current state.
+	Conditions []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// availableReplicas is the total number of available pods (ready for at least minReadySeconds) targeted by this StatefulSet.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
 }
 
 // StatefulSetStatusApplyConfiguration constructs a declarative configuration of the StatefulSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetupdatestrategy.go
index 24154f7af1151..48d62bf5d9ccb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta1/statefulsetupdatestrategy.go
@@ -24,8 +24,14 @@ import (
 
 // StatefulSetUpdateStrategyApplyConfiguration represents a declarative configuration of the StatefulSetUpdateStrategy type for use
 // with apply.
+//
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
 type StatefulSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1beta1.StatefulSetUpdateStrategyType          `json:"type,omitempty"`
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	Type *appsv1beta1.StatefulSetUpdateStrategyType `json:"type,omitempty"`
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
 	RollingUpdate *RollingUpdateStatefulSetStrategyApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/controllerrevision.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/controllerrevision.go
index 4c08b852f8372..8ffacf61c2d99 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/controllerrevision.go
@@ -30,11 +30,27 @@ import (
 
 // ControllerRevisionApplyConfiguration represents a declarative configuration of the ControllerRevision type for use
 // with apply.
+//
+// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1/ControllerRevision. See the
+// release notes for more information.
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
 type ControllerRevisionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Data                             *runtime.RawExtension `json:"data,omitempty"`
-	Revision                         *int64                `json:"revision,omitempty"`
+	// Data is the serialized representation of the state.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// Revision indicates the revision of the state represented by Data.
+	Revision *int64 `json:"revision,omitempty"`
 }
 
 // ControllerRevision constructs a declarative configuration of the ControllerRevision type for use with
@@ -48,29 +64,14 @@ func ControllerRevision(name, namespace string) *ControllerRevisionApplyConfigur
 	return b
 }
 
-// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
-// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
-// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractControllerRevisionFrom extracts the applied configuration owned by fieldManager from
+// controllerRevision for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
-// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractControllerRevisionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractControllerRevision(controllerRevision *appsv1beta2.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "")
-}
-
-// ExtractControllerRevisionStatus is the same as ExtractControllerRevision except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractControllerRevisionStatus(controllerRevision *appsv1beta2.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
-	return extractControllerRevision(controllerRevision, fieldManager, "status")
-}
-
-func extractControllerRevision(controllerRevision *appsv1beta2.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
+func ExtractControllerRevisionFrom(controllerRevision *appsv1beta2.ControllerRevision, fieldManager string, subresource string) (*ControllerRevisionApplyConfiguration, error) {
 	b := &ControllerRevisionApplyConfiguration{}
 	err := managedfields.ExtractInto(controllerRevision, internal.Parser().Type("io.k8s.api.apps.v1beta2.ControllerRevision"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +84,21 @@ func extractControllerRevision(controllerRevision *appsv1beta2.ControllerRevisio
 	b.WithAPIVersion("apps/v1beta2")
 	return b, nil
 }
+
+// ExtractControllerRevision extracts the applied configuration owned by fieldManager from
+// controllerRevision. If no managedFields are found in controllerRevision for fieldManager, a
+// ControllerRevisionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// controllerRevision must be a unmodified ControllerRevision API object that was retrieved from the Kubernetes API.
+// ExtractControllerRevision provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractControllerRevision(controllerRevision *appsv1beta2.ControllerRevision, fieldManager string) (*ControllerRevisionApplyConfiguration, error) {
+	return ExtractControllerRevisionFrom(controllerRevision, fieldManager, "")
+}
+
 func (b ControllerRevisionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonset.go
index b7599b3c48b1e..12b6150a3a01c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonset.go
@@ -29,11 +29,24 @@ import (
 
 // DaemonSetApplyConfiguration represents a declarative configuration of the DaemonSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1/DaemonSet. See the release notes for
+// more information.
+// DaemonSet represents the configuration of a daemon set.
 type DaemonSetApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DaemonSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *DaemonSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DaemonSet constructs a declarative configuration of the DaemonSet type for use with
@@ -47,6 +60,27 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 	return b
 }
 
+// ExtractDaemonSetFrom extracts the applied configuration owned by fieldManager from
+// daemonSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
+// ExtractDaemonSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDaemonSetFrom(daemonSet *appsv1beta2.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
+	b := &DaemonSetApplyConfiguration{}
+	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.DaemonSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(daemonSet.Name)
+	b.WithNamespace(daemonSet.Namespace)
+
+	b.WithKind("DaemonSet")
+	b.WithAPIVersion("apps/v1beta2")
+	return b, nil
+}
+
 // ExtractDaemonSet extracts the applied configuration owned by fieldManager from
 // daemonSet. If no managedFields are found in daemonSet for fieldManager, a
 // DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 // ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDaemonSet(daemonSet *appsv1beta2.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "")
 }
 
-// ExtractDaemonSetStatus is the same as ExtractDaemonSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDaemonSetStatus extracts the applied configuration owned by fieldManager from
+// daemonSet for the status subresource.
 func ExtractDaemonSetStatus(daemonSet *appsv1beta2.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "status")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "status")
 }
 
-func extractDaemonSet(daemonSet *appsv1beta2.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
-	b := &DaemonSetApplyConfiguration{}
-	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.DaemonSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(daemonSet.Name)
-	b.WithNamespace(daemonSet.Namespace)
-
-	b.WithKind("DaemonSet")
-	b.WithAPIVersion("apps/v1beta2")
-	return b, nil
-}
 func (b DaemonSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetcondition.go
index 0aa47cf0afaca..5c25b8158a18e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetcondition.go
@@ -26,12 +26,20 @@ import (
 
 // DaemonSetConditionApplyConfiguration represents a declarative configuration of the DaemonSetCondition type for use
 // with apply.
+//
+// TODO: Add valid condition types of a DaemonSet.
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
 type DaemonSetConditionApplyConfiguration struct {
-	Type               *appsv1beta2.DaemonSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                 `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                        `json:"lastTransitionTime,omitempty"`
-	Reason             *string                             `json:"reason,omitempty"`
-	Message            *string                             `json:"message,omitempty"`
+	// Type of DaemonSet condition.
+	Type *appsv1beta2.DaemonSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DaemonSetConditionApplyConfiguration constructs a declarative configuration of the DaemonSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetspec.go
index 74d8bf51c6276..a2808eb73ab2a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetspec.go
@@ -25,12 +25,32 @@ import (
 
 // DaemonSetSpecApplyConfiguration represents a declarative configuration of the DaemonSetSpec type for use
 // with apply.
+//
+// DaemonSetSpec is the specification of a daemon set.
 type DaemonSetSpecApplyConfiguration struct {
-	Selector             *v1.LabelSelectorApplyConfiguration        `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpecApplyConfiguration  `json:"template,omitempty"`
-	UpdateStrategy       *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
-	MinReadySeconds      *int32                                     `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit *int32                                     `json:"revisionHistoryLimit,omitempty"`
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	UpdateStrategy *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
 }
 
 // DaemonSetSpecApplyConfiguration constructs a declarative configuration of the DaemonSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetstatus.go
index 6b0fda89530b1..c42eb276dd64d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetstatus.go
@@ -20,17 +20,42 @@ package v1beta2
 
 // DaemonSetStatusApplyConfiguration represents a declarative configuration of the DaemonSetStatus type for use
 // with apply.
+//
+// DaemonSetStatus represents the current status of a daemon set.
 type DaemonSetStatusApplyConfiguration struct {
-	CurrentNumberScheduled *int32                                 `json:"currentNumberScheduled,omitempty"`
-	NumberMisscheduled     *int32                                 `json:"numberMisscheduled,omitempty"`
-	DesiredNumberScheduled *int32                                 `json:"desiredNumberScheduled,omitempty"`
-	NumberReady            *int32                                 `json:"numberReady,omitempty"`
-	ObservedGeneration     *int64                                 `json:"observedGeneration,omitempty"`
-	UpdatedNumberScheduled *int32                                 `json:"updatedNumberScheduled,omitempty"`
-	NumberAvailable        *int32                                 `json:"numberAvailable,omitempty"`
-	NumberUnavailable      *int32                                 `json:"numberUnavailable,omitempty"`
-	CollisionCount         *int32                                 `json:"collisionCount,omitempty"`
-	Conditions             []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled *int32 `json:"currentNumberScheduled,omitempty"`
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled *int32 `json:"numberMisscheduled,omitempty"`
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled *int32 `json:"desiredNumberScheduled,omitempty"`
+	// Total number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition by passing the readinessProbe.
+	NumberReady *int32 `json:"numberReady,omitempty"`
+	// The most recent generation observed by the daemon set controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The total number of nodes that are running updated daemon pod
+	UpdatedNumberScheduled *int32 `json:"updatedNumberScheduled,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	NumberAvailable *int32 `json:"numberAvailable,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	NumberUnavailable *int32 `json:"numberUnavailable,omitempty"`
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a DaemonSet's current state.
+	Conditions []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // DaemonSetStatusApplyConfiguration constructs a declarative configuration of the DaemonSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetupdatestrategy.go
index 2cee58cf3e682..2d8f2b6ecef7e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/daemonsetupdatestrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DaemonSetUpdateStrategyApplyConfiguration represents a declarative configuration of the DaemonSetUpdateStrategy type for use
 // with apply.
+//
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
 type DaemonSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1beta2.DaemonSetUpdateStrategyType  `json:"type,omitempty"`
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	Type *appsv1beta2.DaemonSetUpdateStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
 	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deployment.go
index bb6b67914dfb1..4add5ae25710f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deployment.go
@@ -29,11 +29,18 @@ import (
 
 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,6 +54,27 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }
 
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeploymentFrom(deployment *appsv1beta2.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+	b := &DeploymentApplyConfiguration{}
+	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1beta2.Deployment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deployment.Name)
+	b.WithNamespace(deployment.Namespace)
+
+	b.WithKind("Deployment")
+	b.WithAPIVersion("apps/v1beta2")
+	return b, nil
+}
+
 // ExtractDeployment extracts the applied configuration owned by fieldManager from
 // deployment. If no managedFields are found in deployment for fieldManager, a
 // DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +85,16 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 // ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeployment(deployment *appsv1beta2.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
 }
 
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
 func ExtractDeploymentStatus(deployment *appsv1beta2.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
 }
 
-func extractDeployment(deployment *appsv1beta2.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
-	b := &DeploymentApplyConfiguration{}
-	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.apps.v1beta2.Deployment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deployment.Name)
-	b.WithNamespace(deployment.Namespace)
-
-	b.WithKind("Deployment")
-	b.WithAPIVersion("apps/v1beta2")
-	return b, nil
-}
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentcondition.go
index f404dd9df5d86..5abb05d4f2db7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentcondition.go
@@ -26,13 +26,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1beta2.DeploymentConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                  `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                         `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                         `json:"lastTransitionTime,omitempty"`
-	Reason             *string                              `json:"reason,omitempty"`
-	Message            *string                              `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *appsv1beta2.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentspec.go
index 1b55130c6b662..91e37ebc9df7c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentspec.go
@@ -25,15 +25,37 @@ import (
 
 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Indicates that the deployment is paused.
+	Paused *bool `json:"paused,omitempty"`
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }
 
 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstatus.go
index 554be024d987f..139fe4cf2a3f0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstatus.go
@@ -20,16 +20,34 @@ package v1beta2
 
 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }
 
 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstrategy.go
index 6347a3a39e759..554f3cdecd2c0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/deploymentstrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *appsv1beta2.DeploymentStrategyType        `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *appsv1beta2.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicaset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicaset.go
index b289fdd4fb083..ea35da04ceaac 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicaset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicaset.go
@@ -29,11 +29,25 @@ import (
 
 // ReplicaSetApplyConfiguration represents a declarative configuration of the ReplicaSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1/ReplicaSet. See the release notes for
+// more information.
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 type ReplicaSetApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ReplicaSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicaSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ReplicaSet constructs a declarative configuration of the ReplicaSet type for use with
@@ -47,6 +61,27 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 	return b
 }
 
+// ExtractReplicaSetFrom extracts the applied configuration owned by fieldManager from
+// replicaSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
+// ExtractReplicaSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicaSetFrom(replicaSet *appsv1beta2.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
+	b := &ReplicaSetApplyConfiguration{}
+	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.ReplicaSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(replicaSet.Name)
+	b.WithNamespace(replicaSet.Namespace)
+
+	b.WithKind("ReplicaSet")
+	b.WithAPIVersion("apps/v1beta2")
+	return b, nil
+}
+
 // ExtractReplicaSet extracts the applied configuration owned by fieldManager from
 // replicaSet. If no managedFields are found in replicaSet for fieldManager, a
 // ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +92,16 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 // ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractReplicaSet(replicaSet *appsv1beta2.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "")
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "")
 }
 
-// ExtractReplicaSetStatus is the same as ExtractReplicaSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractReplicaSetStatus extracts the applied configuration owned by fieldManager from
+// replicaSet for the status subresource.
 func ExtractReplicaSetStatus(replicaSet *appsv1beta2.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "status")
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "status")
 }
 
-func extractReplicaSet(replicaSet *appsv1beta2.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
-	b := &ReplicaSetApplyConfiguration{}
-	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.ReplicaSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(replicaSet.Name)
-	b.WithNamespace(replicaSet.Namespace)
-
-	b.WithKind("ReplicaSet")
-	b.WithAPIVersion("apps/v1beta2")
-	return b, nil
-}
 func (b ReplicaSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetcondition.go
index 3d8cd36326178..72bc1a652a44d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // ReplicaSetConditionApplyConfiguration represents a declarative configuration of the ReplicaSetCondition type for use
 // with apply.
+//
+// ReplicaSetCondition describes the state of a replica set at a certain point.
 type ReplicaSetConditionApplyConfiguration struct {
-	Type               *appsv1beta2.ReplicaSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                  `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                         `json:"lastTransitionTime,omitempty"`
-	Reason             *string                              `json:"reason,omitempty"`
-	Message            *string                              `json:"message,omitempty"`
+	// Type of replica set condition.
+	Type *appsv1beta2.ReplicaSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // ReplicaSetConditionApplyConfiguration constructs a declarative configuration of the ReplicaSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetspec.go
index 1d77b9e0fd6b0..a88612636c4f9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetspec.go
@@ -25,11 +25,27 @@ import (
 
 // ReplicaSetSpecApplyConfiguration represents a declarative configuration of the ReplicaSetSpec type for use
 // with apply.
+//
+// ReplicaSetSpec is the specification of a ReplicaSet.
 type ReplicaSetSpecApplyConfiguration struct {
-	Replicas        *int32                                    `json:"replicas,omitempty"`
-	MinReadySeconds *int32                                    `json:"minReadySeconds,omitempty"`
-	Selector        *v1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Template        *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Replicas is the number of desired pods.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }
 
 // ReplicaSetSpecApplyConfiguration constructs a declarative configuration of the ReplicaSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetstatus.go
index 13004fde38927..5d0caaebd526e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/replicasetstatus.go
@@ -20,14 +20,27 @@ package v1beta2
 
 // ReplicaSetStatusApplyConfiguration represents a declarative configuration of the ReplicaSetStatus type for use
 // with apply.
+//
+// ReplicaSetStatus represents the current status of a ReplicaSet.
 type ReplicaSetStatusApplyConfiguration struct {
-	Replicas             *int32                                  `json:"replicas,omitempty"`
-	FullyLabeledReplicas *int32                                  `json:"fullyLabeledReplicas,omitempty"`
-	ReadyReplicas        *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas    *int32                                  `json:"availableReplicas,omitempty"`
-	TerminatingReplicas  *int32                                  `json:"terminatingReplicas,omitempty"`
-	ObservedGeneration   *int64                                  `json:"observedGeneration,omitempty"`
-	Conditions           []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Replicas is the most recently observed number of non-terminating pods.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.
+	FullyLabeledReplicas *int32 `json:"fullyLabeledReplicas,omitempty"`
+	// The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
+	// and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Represents the latest available observations of a replica set's current state.
+	Conditions []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ReplicaSetStatusApplyConfiguration constructs a declarative configuration of the ReplicaSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedaemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedaemonset.go
index ad6021d37a69a..5a4d3df413982 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedaemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedaemonset.go
@@ -24,9 +24,43 @@ import (
 
 // RollingUpdateDaemonSetApplyConfiguration represents a declarative configuration of the RollingUpdateDaemonSet type for use
 // with apply.
+//
+// Spec to control the desired behavior of daemon set rolling update.
 type RollingUpdateDaemonSetApplyConfiguration struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediately created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDaemonSetApplyConfiguration constructs a declarative configuration of the RollingUpdateDaemonSet type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedeployment.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedeployment.go
index b0cc3a4ee40f1..c87938a3d6d5e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedeployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatedeployment.go
@@ -24,9 +24,32 @@ import (
 
 // RollingUpdateDeploymentApplyConfiguration represents a declarative configuration of the RollingUpdateDeployment type for use
 // with apply.
+//
+// Spec to control the desired behavior of rolling update.
 type RollingUpdateDeploymentApplyConfiguration struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDeploymentApplyConfiguration constructs a declarative configuration of the RollingUpdateDeployment type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatestatefulsetstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatestatefulsetstrategy.go
index 0046c264bbc58..8140b7cab0871 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatestatefulsetstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/rollingupdatestatefulsetstrategy.go
@@ -24,8 +24,21 @@ import (
 
 // RollingUpdateStatefulSetStrategyApplyConfiguration represents a declarative configuration of the RollingUpdateStatefulSetStrategy type for use
 // with apply.
+//
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
 type RollingUpdateStatefulSetStrategyApplyConfiguration struct {
-	Partition      *int32              `json:"partition,omitempty"`
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	Partition *int32 `json:"partition,omitempty"`
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is beta-level and is enabled by default. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// This setting might not be effective for the OrderedReady podManagementPolicy. That policy ensures pods are created and become ready one at a time.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/scale.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/scale.go
index 3942ed4b956ad..ca62809fcd765 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/scale.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/scale.go
@@ -27,11 +27,16 @@ import (
 
 // ScaleApplyConfiguration represents a declarative configuration of the Scale type for use
 // with apply.
+//
+// Scale represents a scaling request for a resource.
 type ScaleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *appsv1beta2.ScaleSpec   `json:"spec,omitempty"`
-	Status                           *appsv1beta2.ScaleStatus `json:"status,omitempty"`
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *appsv1beta2.ScaleSpec `json:"spec,omitempty"`
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+	Status *appsv1beta2.ScaleStatus `json:"status,omitempty"`
 }
 
 // ScaleApplyConfiguration constructs a declarative configuration of the Scale type for use with
@@ -42,6 +47,7 @@ func Scale() *ScaleApplyConfiguration {
 	b.WithAPIVersion("apps/v1beta2")
 	return b
 }
+
 func (b ScaleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulset.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulset.go
index d2d4e9cdbda1e..5649c11849ec5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulset.go
@@ -29,11 +29,24 @@ import (
 
 // StatefulSetApplyConfiguration represents a declarative configuration of the StatefulSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1/StatefulSet. See the release notes for
+// more information.
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+// - Network: A single stable DNS and hostname.
+// - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
 type StatefulSetApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *StatefulSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the desired identities of pods in this set.
+	Spec *StatefulSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	Status *StatefulSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // StatefulSet constructs a declarative configuration of the StatefulSet type for use with
@@ -47,6 +60,27 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 	return b
 }
 
+// ExtractStatefulSetFrom extracts the applied configuration owned by fieldManager from
+// statefulSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// statefulSet must be a unmodified StatefulSet API object that was retrieved from the Kubernetes API.
+// ExtractStatefulSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStatefulSetFrom(statefulSet *appsv1beta2.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
+	b := &StatefulSetApplyConfiguration{}
+	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.StatefulSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(statefulSet.Name)
+	b.WithNamespace(statefulSet.Namespace)
+
+	b.WithKind("StatefulSet")
+	b.WithAPIVersion("apps/v1beta2")
+	return b, nil
+}
+
 // ExtractStatefulSet extracts the applied configuration owned by fieldManager from
 // statefulSet. If no managedFields are found in statefulSet for fieldManager, a
 // StatefulSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,22 @@ func StatefulSet(name, namespace string) *StatefulSetApplyConfiguration {
 // ExtractStatefulSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractStatefulSet(statefulSet *appsv1beta2.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "")
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "")
 }
 
-// ExtractStatefulSetStatus is the same as ExtractStatefulSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStatefulSetStatus(statefulSet *appsv1beta2.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
-	return extractStatefulSet(statefulSet, fieldManager, "status")
+// ExtractStatefulSetScale extracts the applied configuration owned by fieldManager from
+// statefulSet for the scale subresource.
+func ExtractStatefulSetScale(statefulSet *appsv1beta2.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "scale")
 }
 
-func extractStatefulSet(statefulSet *appsv1beta2.StatefulSet, fieldManager string, subresource string) (*StatefulSetApplyConfiguration, error) {
-	b := &StatefulSetApplyConfiguration{}
-	err := managedfields.ExtractInto(statefulSet, internal.Parser().Type("io.k8s.api.apps.v1beta2.StatefulSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(statefulSet.Name)
-	b.WithNamespace(statefulSet.Namespace)
-
-	b.WithKind("StatefulSet")
-	b.WithAPIVersion("apps/v1beta2")
-	return b, nil
+// ExtractStatefulSetStatus extracts the applied configuration owned by fieldManager from
+// statefulSet for the status subresource.
+func ExtractStatefulSetStatus(statefulSet *appsv1beta2.StatefulSet, fieldManager string) (*StatefulSetApplyConfiguration, error) {
+	return ExtractStatefulSetFrom(statefulSet, fieldManager, "status")
 }
+
 func (b StatefulSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetcondition.go
index 50bef2003424d..50a3c63de6043 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // StatefulSetConditionApplyConfiguration represents a declarative configuration of the StatefulSetCondition type for use
 // with apply.
+//
+// StatefulSetCondition describes the state of a statefulset at a certain point.
 type StatefulSetConditionApplyConfiguration struct {
-	Type               *appsv1beta2.StatefulSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                   `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                          `json:"lastTransitionTime,omitempty"`
-	Reason             *string                               `json:"reason,omitempty"`
-	Message            *string                               `json:"message,omitempty"`
+	// Type of statefulset condition.
+	Type *appsv1beta2.StatefulSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // StatefulSetConditionApplyConfiguration constructs a declarative configuration of the StatefulSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetordinals.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetordinals.go
index a899243a5a493..ce0db0f0f5284 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetordinals.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetordinals.go
@@ -20,7 +20,18 @@ package v1beta2
 
 // StatefulSetOrdinalsApplyConfiguration represents a declarative configuration of the StatefulSetOrdinals type for use
 // with apply.
+//
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
 type StatefulSetOrdinalsApplyConfiguration struct {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	// [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	// [0, .spec.replicas).
 	Start *int32 `json:"start,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetpersistentvolumeclaimretentionpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetpersistentvolumeclaimretentionpolicy.go
index d4d139ae3d8fd..8db02c32d0a21 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetpersistentvolumeclaimretentionpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetpersistentvolumeclaimretentionpolicy.go
@@ -24,9 +24,21 @@ import (
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration represents a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use
 // with apply.
+//
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
 type StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration struct {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
 	WhenDeleted *appsv1beta2.PersistentVolumeClaimRetentionPolicyType `json:"whenDeleted,omitempty"`
-	WhenScaled  *appsv1beta2.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	WhenScaled *appsv1beta2.PersistentVolumeClaimRetentionPolicyType `json:"whenScaled,omitempty"`
 }
 
 // StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration constructs a declarative configuration of the StatefulSetPersistentVolumeClaimRetentionPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetspec.go
index 952ca0a814c81..ee24f132e4028 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetspec.go
@@ -26,18 +26,74 @@ import (
 
 // StatefulSetSpecApplyConfiguration represents a declarative configuration of the StatefulSetSpec type for use
 // with apply.
+//
+// A StatefulSetSpec is the specification of a StatefulSet.
 type StatefulSetSpecApplyConfiguration struct {
-	Replicas                             *int32                                                             `json:"replicas,omitempty"`
-	Selector                             *v1.LabelSelectorApplyConfiguration                                `json:"selector,omitempty"`
-	Template                             *corev1.PodTemplateSpecApplyConfiguration                          `json:"template,omitempty"`
-	VolumeClaimTemplates                 []corev1.PersistentVolumeClaimApplyConfiguration                   `json:"volumeClaimTemplates,omitempty"`
-	ServiceName                          *string                                                            `json:"serviceName,omitempty"`
-	PodManagementPolicy                  *appsv1beta2.PodManagementPolicyType                               `json:"podManagementPolicy,omitempty"`
-	UpdateStrategy                       *StatefulSetUpdateStrategyApplyConfiguration                       `json:"updateStrategy,omitempty"`
-	RevisionHistoryLimit                 *int32                                                             `json:"revisionHistoryLimit,omitempty"`
-	MinReadySeconds                      *int32                                                             `json:"minReadySeconds,omitempty"`
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	VolumeClaimTemplates []corev1.PersistentVolumeClaimApplyConfiguration `json:"volumeClaimTemplates,omitempty"`
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	ServiceName *string `json:"serviceName,omitempty"`
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	PodManagementPolicy *appsv1beta2.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	UpdateStrategy *StatefulSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down.
 	PersistentVolumeClaimRetentionPolicy *StatefulSetPersistentVolumeClaimRetentionPolicyApplyConfiguration `json:"persistentVolumeClaimRetentionPolicy,omitempty"`
-	Ordinals                             *StatefulSetOrdinalsApplyConfiguration                             `json:"ordinals,omitempty"`
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested.
+	Ordinals *StatefulSetOrdinalsApplyConfiguration `json:"ordinals,omitempty"`
 }
 
 // StatefulSetSpecApplyConfiguration constructs a declarative configuration of the StatefulSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetstatus.go
index a647cd7d26591..4f40460dbaf02 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetstatus.go
@@ -20,17 +20,36 @@ package v1beta2
 
 // StatefulSetStatusApplyConfiguration represents a declarative configuration of the StatefulSetStatus type for use
 // with apply.
+//
+// StatefulSetStatus represents the current state of a StatefulSet.
 type StatefulSetStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                   `json:"observedGeneration,omitempty"`
-	Replicas           *int32                                   `json:"replicas,omitempty"`
-	ReadyReplicas      *int32                                   `json:"readyReplicas,omitempty"`
-	CurrentReplicas    *int32                                   `json:"currentReplicas,omitempty"`
-	UpdatedReplicas    *int32                                   `json:"updatedReplicas,omitempty"`
-	CurrentRevision    *string                                  `json:"currentRevision,omitempty"`
-	UpdateRevision     *string                                  `json:"updateRevision,omitempty"`
-	CollisionCount     *int32                                   `json:"collisionCount,omitempty"`
-	Conditions         []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
-	AvailableReplicas  *int32                                   `json:"availableReplicas,omitempty"`
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// replicas is the number of Pods created by the StatefulSet controller.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// readyReplicas is the number of pods created by this StatefulSet controller with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	CurrentRevision *string `json:"currentRevision,omitempty"`
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	UpdateRevision *string `json:"updateRevision,omitempty"`
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a statefulset's current state.
+	Conditions []StatefulSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this StatefulSet.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
 }
 
 // StatefulSetStatusApplyConfiguration constructs a declarative configuration of the StatefulSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetupdatestrategy.go
index f93db4f7985da..421c9a3d2dbd0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/apps/v1beta2/statefulsetupdatestrategy.go
@@ -24,8 +24,15 @@ import (
 
 // StatefulSetUpdateStrategyApplyConfiguration represents a declarative configuration of the StatefulSetUpdateStrategy type for use
 // with apply.
+//
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
 type StatefulSetUpdateStrategyApplyConfiguration struct {
-	Type          *appsv1beta2.StatefulSetUpdateStrategyType          `json:"type,omitempty"`
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	Type *appsv1beta2.StatefulSetUpdateStrategyType `json:"type,omitempty"`
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
 	RollingUpdate *RollingUpdateStatefulSetStrategyApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/crossversionobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/crossversionobjectreference.go
index 51ec665012660..ed688f0a02e9f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/crossversionobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/crossversionobjectreference.go
@@ -20,9 +20,14 @@ package v1
 
 // CrossVersionObjectReferenceApplyConfiguration represents a declarative configuration of the CrossVersionObjectReference type for use
 // with apply.
+//
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
 type CrossVersionObjectReferenceApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
-	Name       *string `json:"name,omitempty"`
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// apiVersion is the API version of the referent
 	APIVersion *string `json:"apiVersion,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscaler.go
index cbcbfb5798a4b..f3bd143807262 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscaler.go
@@ -29,11 +29,16 @@ import (
 
 // HorizontalPodAutoscalerApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscaler type for use
 // with apply.
+//
+// configuration of a horizontal pod autoscaler.
 type HorizontalPodAutoscalerApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *HorizontalPodAutoscalerSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *HorizontalPodAutoscalerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current information about the autoscaler.
+	Status *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // HorizontalPodAutoscaler constructs a declarative configuration of the HorizontalPodAutoscaler type for use with
@@ -47,6 +52,27 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 	return b
 }
 
+// ExtractHorizontalPodAutoscalerFrom extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// horizontalPodAutoscaler must be a unmodified HorizontalPodAutoscaler API object that was retrieved from the Kubernetes API.
+// ExtractHorizontalPodAutoscalerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler *autoscalingv1.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
+	b := &HorizontalPodAutoscalerApplyConfiguration{}
+	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(horizontalPodAutoscaler.Name)
+	b.WithNamespace(horizontalPodAutoscaler.Namespace)
+
+	b.WithKind("HorizontalPodAutoscaler")
+	b.WithAPIVersion("autoscaling/v1")
+	return b, nil
+}
+
 // ExtractHorizontalPodAutoscaler extracts the applied configuration owned by fieldManager from
 // horizontalPodAutoscaler. If no managedFields are found in horizontalPodAutoscaler for fieldManager, a
 // HorizontalPodAutoscalerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +83,16 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 // ExtractHorizontalPodAutoscaler provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv1.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "")
 }
 
-// ExtractHorizontalPodAutoscalerStatus is the same as ExtractHorizontalPodAutoscaler except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractHorizontalPodAutoscalerStatus extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the status subresource.
 func ExtractHorizontalPodAutoscalerStatus(horizontalPodAutoscaler *autoscalingv1.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "status")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "status")
 }
 
-func extractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv1.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	b := &HorizontalPodAutoscalerApplyConfiguration{}
-	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(horizontalPodAutoscaler.Name)
-	b.WithNamespace(horizontalPodAutoscaler.Namespace)
-
-	b.WithKind("HorizontalPodAutoscaler")
-	b.WithAPIVersion("autoscaling/v1")
-	return b, nil
-}
 func (b HorizontalPodAutoscalerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerspec.go
index 0ca2f84ea9154..bf58371a9f362 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerspec.go
@@ -20,11 +20,23 @@ package v1
 
 // HorizontalPodAutoscalerSpecApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerSpec type for use
 // with apply.
+//
+// specification of a horizontal pod autoscaler.
 type HorizontalPodAutoscalerSpecApplyConfiguration struct {
-	ScaleTargetRef                 *CrossVersionObjectReferenceApplyConfiguration `json:"scaleTargetRef,omitempty"`
-	MinReplicas                    *int32                                         `json:"minReplicas,omitempty"`
-	MaxReplicas                    *int32                                         `json:"maxReplicas,omitempty"`
-	TargetCPUUtilizationPercentage *int32                                         `json:"targetCPUUtilizationPercentage,omitempty"`
+	// reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
+	// and will set the desired number of pods by using its Scale subresource.
+	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration `json:"scaleTargetRef,omitempty"`
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+	// maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+	MaxReplicas *int32 `json:"maxReplicas,omitempty"`
+	// targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
+	// if not specified the default autoscaling policy will be used.
+	TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage,omitempty"`
 }
 
 // HorizontalPodAutoscalerSpecApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerstatus.go
index 8575214e1e9a1..0a0d8be736b47 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/horizontalpodautoscalerstatus.go
@@ -24,12 +24,21 @@ import (
 
 // HorizontalPodAutoscalerStatusApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerStatus type for use
 // with apply.
+//
+// current status of a horizontal pod autoscaler
 type HorizontalPodAutoscalerStatusApplyConfiguration struct {
-	ObservedGeneration              *int64       `json:"observedGeneration,omitempty"`
-	LastScaleTime                   *metav1.Time `json:"lastScaleTime,omitempty"`
-	CurrentReplicas                 *int32       `json:"currentReplicas,omitempty"`
-	DesiredReplicas                 *int32       `json:"desiredReplicas,omitempty"`
-	CurrentCPUUtilizationPercentage *int32       `json:"currentCPUUtilizationPercentage,omitempty"`
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods;
+	// used by the autoscaler to control how often the number of pods is changed.
+	LastScaleTime *metav1.Time `json:"lastScaleTime,omitempty"`
+	// currentReplicas is the current number of replicas of pods managed by this autoscaler.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.
+	DesiredReplicas *int32 `json:"desiredReplicas,omitempty"`
+	// currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU,
+	// e.g. 70 means that an average pod is using now 70% of its requested CPU.
+	CurrentCPUUtilizationPercentage *int32 `json:"currentCPUUtilizationPercentage,omitempty"`
 }
 
 // HorizontalPodAutoscalerStatusApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scale.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scale.go
index d5f9d72921ea0..a491c5ac84e0d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scale.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scale.go
@@ -26,11 +26,16 @@ import (
 
 // ScaleApplyConfiguration represents a declarative configuration of the Scale type for use
 // with apply.
+//
+// Scale represents a scaling request for a resource.
 type ScaleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ScaleSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ScaleStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *ScaleSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+	Status *ScaleStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ScaleApplyConfiguration constructs a declarative configuration of the Scale type for use with
@@ -41,6 +46,7 @@ func Scale() *ScaleApplyConfiguration {
 	b.WithAPIVersion("autoscaling/v1")
 	return b
 }
+
 func (b ScaleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalespec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalespec.go
index 025004ba5fed8..e21d4dbaf7a81 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalespec.go
@@ -20,7 +20,10 @@ package v1
 
 // ScaleSpecApplyConfiguration represents a declarative configuration of the ScaleSpec type for use
 // with apply.
+//
+// ScaleSpec describes the attributes of a scale subresource.
 type ScaleSpecApplyConfiguration struct {
+	// replicas is the desired number of instances for the scaled object.
 	Replicas *int32 `json:"replicas,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalestatus.go
index 51f96d2357b26..fb5a5668bc87c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v1/scalestatus.go
@@ -20,8 +20,15 @@ package v1
 
 // ScaleStatusApplyConfiguration represents a declarative configuration of the ScaleStatus type for use
 // with apply.
+//
+// ScaleStatus represents the current status of a scale subresource.
 type ScaleStatusApplyConfiguration struct {
-	Replicas *int32  `json:"replicas,omitempty"`
+	// replicas is the actual number of observed instances of the scaled object.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// selector is the label query over pods that should match the replicas count. This is same
+	// as the label selector but in the string format to avoid introspection
+	// by clients. The string will be in the same format as the query-param syntax.
+	// More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 	Selector *string `json:"selector,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricsource.go
index b6e071e8486e9..6f3eecbed1483 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricsource.go
@@ -24,10 +24,21 @@ import (
 
 // ContainerResourceMetricSourceApplyConfiguration represents a declarative configuration of the ContainerResourceMetricSource type for use
 // with apply.
+//
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ContainerResourceMetricSourceApplyConfiguration struct {
-	Name      *v1.ResourceName                `json:"name,omitempty"`
-	Target    *MetricTargetApplyConfiguration `json:"target,omitempty"`
-	Container *string                         `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricSourceApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricstatus.go
index 46bd2bac20020..1c9648515306f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/containerresourcemetricstatus.go
@@ -24,10 +24,19 @@ import (
 
 // ContainerResourceMetricStatusApplyConfiguration represents a declarative configuration of the ContainerResourceMetricStatus type for use
 // with apply.
+//
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ContainerResourceMetricStatusApplyConfiguration struct {
-	Name      *v1.ResourceName                     `json:"name,omitempty"`
-	Current   *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
-	Container *string                              `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// current contains the current value for the given metric
+	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricStatusApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/crossversionobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/crossversionobjectreference.go
index 645f098577e7f..062065b97d532 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/crossversionobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/crossversionobjectreference.go
@@ -20,9 +20,14 @@ package v2
 
 // CrossVersionObjectReferenceApplyConfiguration represents a declarative configuration of the CrossVersionObjectReference type for use
 // with apply.
+//
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
 type CrossVersionObjectReferenceApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
-	Name       *string `json:"name,omitempty"`
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// apiVersion is the API version of the referent
 	APIVersion *string `json:"apiVersion,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricsource.go
index a9c45b31a0432..be289fd280146 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricsource.go
@@ -20,9 +20,15 @@ package v2
 
 // ExternalMetricSourceApplyConfiguration represents a declarative configuration of the ExternalMetricSource type for use
 // with apply.
+//
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
 type ExternalMetricSourceApplyConfiguration struct {
+	// metric identifies the target metric by name and selector
 	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
-	Target *MetricTargetApplyConfiguration     `json:"target,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
 // ExternalMetricSourceApplyConfiguration constructs a declarative configuration of the ExternalMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricstatus.go
index 4280086f5e74b..000b052182786 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/externalmetricstatus.go
@@ -20,8 +20,13 @@ package v2
 
 // ExternalMetricStatusApplyConfiguration represents a declarative configuration of the ExternalMetricStatus type for use
 // with apply.
+//
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
 type ExternalMetricStatusApplyConfiguration struct {
-	Metric  *MetricIdentifierApplyConfiguration  `json:"metric,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscaler.go
index a2a3a5a785ff5..e001653fc2316 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscaler.go
@@ -29,11 +29,20 @@ import (
 
 // HorizontalPodAutoscalerApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscaler type for use
 // with apply.
+//
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
 type HorizontalPodAutoscalerApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *HorizontalPodAutoscalerSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *HorizontalPodAutoscalerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current information about the autoscaler.
+	Status *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // HorizontalPodAutoscaler constructs a declarative configuration of the HorizontalPodAutoscaler type for use with
@@ -47,6 +56,27 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 	return b
 }
 
+// ExtractHorizontalPodAutoscalerFrom extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// horizontalPodAutoscaler must be a unmodified HorizontalPodAutoscaler API object that was retrieved from the Kubernetes API.
+// ExtractHorizontalPodAutoscalerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
+	b := &HorizontalPodAutoscalerApplyConfiguration{}
+	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(horizontalPodAutoscaler.Name)
+	b.WithNamespace(horizontalPodAutoscaler.Namespace)
+
+	b.WithKind("HorizontalPodAutoscaler")
+	b.WithAPIVersion("autoscaling/v2")
+	return b, nil
+}
+
 // ExtractHorizontalPodAutoscaler extracts the applied configuration owned by fieldManager from
 // horizontalPodAutoscaler. If no managedFields are found in horizontalPodAutoscaler for fieldManager, a
 // HorizontalPodAutoscalerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +87,16 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 // ExtractHorizontalPodAutoscaler provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "")
 }
 
-// ExtractHorizontalPodAutoscalerStatus is the same as ExtractHorizontalPodAutoscaler except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractHorizontalPodAutoscalerStatus extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the status subresource.
 func ExtractHorizontalPodAutoscalerStatus(horizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "status")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "status")
 }
 
-func extractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	b := &HorizontalPodAutoscalerApplyConfiguration{}
-	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(horizontalPodAutoscaler.Name)
-	b.WithNamespace(horizontalPodAutoscaler.Namespace)
-
-	b.WithKind("HorizontalPodAutoscaler")
-	b.WithAPIVersion("autoscaling/v2")
-	return b, nil
-}
 func (b HorizontalPodAutoscalerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerbehavior.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerbehavior.go
index 05750cc21dae6..faf700214e0b6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerbehavior.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerbehavior.go
@@ -20,8 +20,20 @@ package v2
 
 // HorizontalPodAutoscalerBehaviorApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerBehavior type for use
 // with apply.
+//
+// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
+// in both Up and Down directions (scaleUp and scaleDown fields respectively).
 type HorizontalPodAutoscalerBehaviorApplyConfiguration struct {
-	ScaleUp   *HPAScalingRulesApplyConfiguration `json:"scaleUp,omitempty"`
+	// scaleUp is scaling policy for scaling Up.
+	// If not set, the default value is the higher of:
+	// * increase no more than 4 pods per 60 seconds
+	// * double the number of pods per 60 seconds
+	// No stabilization is used.
+	ScaleUp *HPAScalingRulesApplyConfiguration `json:"scaleUp,omitempty"`
+	// scaleDown is scaling policy for scaling Down.
+	// If not set, the default value is to allow to scale down to minReplicas pods, with a
+	// 300 second stabilization window (i.e., the highest recommendation for
+	// the last 300sec is used).
 	ScaleDown *HPAScalingRulesApplyConfiguration `json:"scaleDown,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalercondition.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalercondition.go
index 25ea39039a1b0..75bb498524633 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalercondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalercondition.go
@@ -26,12 +26,22 @@ import (
 
 // HorizontalPodAutoscalerConditionApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerCondition type for use
 // with apply.
+//
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
 type HorizontalPodAutoscalerConditionApplyConfiguration struct {
-	Type               *autoscalingv2.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                                 `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                                        `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                             `json:"reason,omitempty"`
-	Message            *string                                             `json:"message,omitempty"`
+	// type describes the current condition
+	Type *autoscalingv2.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
+	// status is the status of the condition (True, False, Unknown)
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is the reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human-readable explanation containing details about
+	// the transition
+	Message *string `json:"message,omitempty"`
 }
 
 // HorizontalPodAutoscalerConditionApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerspec.go
index e34ababc5835a..5b95ec54828e7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerspec.go
@@ -20,12 +20,34 @@ package v2
 
 // HorizontalPodAutoscalerSpecApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerSpec type for use
 // with apply.
+//
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
 type HorizontalPodAutoscalerSpecApplyConfiguration struct {
-	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration     `json:"scaleTargetRef,omitempty"`
-	MinReplicas    *int32                                             `json:"minReplicas,omitempty"`
-	MaxReplicas    *int32                                             `json:"maxReplicas,omitempty"`
-	Metrics        []MetricSpecApplyConfiguration                     `json:"metrics,omitempty"`
-	Behavior       *HorizontalPodAutoscalerBehaviorApplyConfiguration `json:"behavior,omitempty"`
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration `json:"scaleTargetRef,omitempty"`
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	MaxReplicas *int32 `json:"maxReplicas,omitempty"`
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// If not set, the default metric will be set to 80% average CPU utilization.
+	Metrics []MetricSpecApplyConfiguration `json:"metrics,omitempty"`
+	// behavior configures the scaling behavior of the target
+	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+	// If not set, the default HPAScalingRules for scale up and scale down are used.
+	Behavior *HorizontalPodAutoscalerBehaviorApplyConfiguration `json:"behavior,omitempty"`
 }
 
 // HorizontalPodAutoscalerSpecApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerstatus.go
index f1a2c3f4e931c..c65115bc50be7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/horizontalpodautoscalerstatus.go
@@ -24,13 +24,25 @@ import (
 
 // HorizontalPodAutoscalerStatusApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerStatus type for use
 // with apply.
+//
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
 type HorizontalPodAutoscalerStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                               `json:"observedGeneration,omitempty"`
-	LastScaleTime      *v1.Time                                             `json:"lastScaleTime,omitempty"`
-	CurrentReplicas    *int32                                               `json:"currentReplicas,omitempty"`
-	DesiredReplicas    *int32                                               `json:"desiredReplicas,omitempty"`
-	CurrentMetrics     []MetricStatusApplyConfiguration                     `json:"currentMetrics,omitempty"`
-	Conditions         []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	LastScaleTime *v1.Time `json:"lastScaleTime,omitempty"`
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	DesiredReplicas *int32 `json:"desiredReplicas,omitempty"`
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	CurrentMetrics []MetricStatusApplyConfiguration `json:"currentMetrics,omitempty"`
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	Conditions []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // HorizontalPodAutoscalerStatusApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingpolicy.go
index f89185c575c6b..49a22db7f5afd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingpolicy.go
@@ -24,10 +24,17 @@ import (
 
 // HPAScalingPolicyApplyConfiguration represents a declarative configuration of the HPAScalingPolicy type for use
 // with apply.
+//
+// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
 type HPAScalingPolicyApplyConfiguration struct {
-	Type          *autoscalingv2.HPAScalingPolicyType `json:"type,omitempty"`
-	Value         *int32                              `json:"value,omitempty"`
-	PeriodSeconds *int32                              `json:"periodSeconds,omitempty"`
+	// type is used to specify the scaling policy.
+	Type *autoscalingv2.HPAScalingPolicyType `json:"type,omitempty"`
+	// value contains the amount of change which is permitted by the policy.
+	// It must be greater than zero
+	Value *int32 `json:"value,omitempty"`
+	// periodSeconds specifies the window of time for which the policy should hold true.
+	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+	PeriodSeconds *int32 `json:"periodSeconds,omitempty"`
 }
 
 // HPAScalingPolicyApplyConfiguration constructs a declarative configuration of the HPAScalingPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingrules.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingrules.go
index 6fd0f25cc1dfc..cebb11aa6aaa1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingrules.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/hpascalingrules.go
@@ -25,11 +25,47 @@ import (
 
 // HPAScalingRulesApplyConfiguration represents a declarative configuration of the HPAScalingRules type for use
 // with apply.
+//
+// HPAScalingRules configures the scaling behavior for one direction via
+// scaling Policy Rules and a configurable metric tolerance.
+//
+// Scaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA.
+// They can limit the scaling velocity by specifying scaling policies.
+// They can prevent flapping by specifying the stabilization window, so that the
+// number of replicas is not set instantly, instead, the safest value from the stabilization
+// window is chosen.
+//
+// The tolerance is applied to the metric values and prevents scaling too
+// eagerly for small metric variations. (Note that setting a tolerance requires
+// the beta HPAConfigurableTolerance feature gate to be enabled.)
 type HPAScalingRulesApplyConfiguration struct {
-	StabilizationWindowSeconds *int32                               `json:"stabilizationWindowSeconds,omitempty"`
-	SelectPolicy               *autoscalingv2.ScalingPolicySelect   `json:"selectPolicy,omitempty"`
-	Policies                   []HPAScalingPolicyApplyConfiguration `json:"policies,omitempty"`
-	Tolerance                  *resource.Quantity                   `json:"tolerance,omitempty"`
+	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+	// considered while scaling up or scaling down.
+	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+	// If not set, use the default values:
+	// - For scale up: 0 (i.e. no stabilization is done).
+	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+	StabilizationWindowSeconds *int32 `json:"stabilizationWindowSeconds,omitempty"`
+	// selectPolicy is used to specify which policy should be used.
+	// If not set, the default value Max is used.
+	SelectPolicy *autoscalingv2.ScalingPolicySelect `json:"selectPolicy,omitempty"`
+	// policies is a list of potential scaling polices which can be used during scaling.
+	// If not set, use the default values:
+	// - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+	// - For scale down: allow all pods to be removed in a 15s window.
+	Policies []HPAScalingPolicyApplyConfiguration `json:"policies,omitempty"`
+	// tolerance is the tolerance on the ratio between the current and desired
+	// metric value under which no updates are made to the desired number of
+	// replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+	// set, the default cluster-wide tolerance is applied (by default 10%).
+	//
+	// For example, if autoscaling is configured with a memory consumption target of 100Mi,
+	// and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+	// triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+	//
+	// This is an beta field and requires the HPAConfigurableTolerance feature
+	// gate to be enabled.
+	Tolerance *resource.Quantity `json:"tolerance,omitempty"`
 }
 
 // HPAScalingRulesApplyConfiguration constructs a declarative configuration of the HPAScalingRules type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricidentifier.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricidentifier.go
index 2f99f7d0b496b..caa7d594331a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricidentifier.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricidentifier.go
@@ -24,8 +24,14 @@ import (
 
 // MetricIdentifierApplyConfiguration represents a declarative configuration of the MetricIdentifier type for use
 // with apply.
+//
+// MetricIdentifier defines the name and optionally selector for a metric
 type MetricIdentifierApplyConfiguration struct {
-	Name     *string                             `json:"name,omitempty"`
+	// name is the name of the given metric
+	Name *string `json:"name,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
 	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricspec.go
index 282b84a44f8b3..5e26d8d593b23 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricspec.go
@@ -24,13 +24,38 @@ import (
 
 // MetricSpecApplyConfiguration represents a declarative configuration of the MetricSpec type for use
 // with apply.
+//
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
 type MetricSpecApplyConfiguration struct {
-	Type              *autoscalingv2.MetricSourceType                  `json:"type,omitempty"`
-	Object            *ObjectMetricSourceApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricSourceApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricSourceApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It should be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	Type *autoscalingv2.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricSourceApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricSourceApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricSourceApplyConfiguration `json:"resource,omitempty"`
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricSourceApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricSourceApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricSourceApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricSpecApplyConfiguration constructs a declarative configuration of the MetricSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricstatus.go
index f1204824e55b5..7c1a2cb0d6c1e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricstatus.go
@@ -24,13 +24,37 @@ import (
 
 // MetricStatusApplyConfiguration represents a declarative configuration of the MetricStatus type for use
 // with apply.
+//
+// MetricStatus describes the last-read state of a single metric.
 type MetricStatusApplyConfiguration struct {
-	Type              *autoscalingv2.MetricSourceType                  `json:"type,omitempty"`
-	Object            *ObjectMetricStatusApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricStatusApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricStatusApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It will be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	Type *autoscalingv2.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricStatusApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricStatusApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricStatusApplyConfiguration `json:"resource,omitempty"`
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricStatusApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricStatusApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricStatusApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricStatusApplyConfiguration constructs a declarative configuration of the MetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metrictarget.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metrictarget.go
index 13d2e9365dd69..cf1304a55df0f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metrictarget.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metrictarget.go
@@ -25,11 +25,21 @@ import (
 
 // MetricTargetApplyConfiguration represents a declarative configuration of the MetricTarget type for use
 // with apply.
+//
+// MetricTarget defines the target value, average value, or average utilization of a specific metric
 type MetricTargetApplyConfiguration struct {
-	Type               *autoscalingv2.MetricTargetType `json:"type,omitempty"`
-	Value              *resource.Quantity              `json:"value,omitempty"`
-	AverageValue       *resource.Quantity              `json:"averageValue,omitempty"`
-	AverageUtilization *int32                          `json:"averageUtilization,omitempty"`
+	// type represents whether the metric type is Utilization, Value, or AverageValue
+	Type *autoscalingv2.MetricTargetType `json:"type,omitempty"`
+	// value is the target value of the metric (as a quantity).
+	Value *resource.Quantity `json:"value,omitempty"`
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
+	// averageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// Currently only valid for Resource metric source type
+	AverageUtilization *int32 `json:"averageUtilization,omitempty"`
 }
 
 // MetricTargetApplyConfiguration constructs a declarative configuration of the MetricTarget type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricvaluestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricvaluestatus.go
index 59732548b8f74..9cd743d3e8d6b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricvaluestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/metricvaluestatus.go
@@ -24,10 +24,18 @@ import (
 
 // MetricValueStatusApplyConfiguration represents a declarative configuration of the MetricValueStatus type for use
 // with apply.
+//
+// MetricValueStatus holds the current value for a metric
 type MetricValueStatusApplyConfiguration struct {
-	Value              *resource.Quantity `json:"value,omitempty"`
-	AverageValue       *resource.Quantity `json:"averageValue,omitempty"`
-	AverageUtilization *int32             `json:"averageUtilization,omitempty"`
+	// value is the current value of the metric (as a quantity).
+	Value *resource.Quantity `json:"value,omitempty"`
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	AverageUtilization *int32 `json:"averageUtilization,omitempty"`
 }
 
 // MetricValueStatusApplyConfiguration constructs a declarative configuration of the MetricValueStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricsource.go
index 2391fa5c22c33..f2004b1471516 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricsource.go
@@ -20,10 +20,16 @@ package v2
 
 // ObjectMetricSourceApplyConfiguration represents a declarative configuration of the ObjectMetricSource type for use
 // with apply.
+//
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricSourceApplyConfiguration struct {
+	// describedObject specifies the descriptions of a object,such as kind,name apiVersion
 	DescribedObject *CrossVersionObjectReferenceApplyConfiguration `json:"describedObject,omitempty"`
-	Target          *MetricTargetApplyConfiguration                `json:"target,omitempty"`
-	Metric          *MetricIdentifierApplyConfiguration            `json:"metric,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
 }
 
 // ObjectMetricSourceApplyConfiguration constructs a declarative configuration of the ObjectMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricstatus.go
index 9ffd0c180d15c..ec5da782a422a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/objectmetricstatus.go
@@ -20,9 +20,15 @@ package v2
 
 // ObjectMetricStatusApplyConfiguration represents a declarative configuration of the ObjectMetricStatus type for use
 // with apply.
+//
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricStatusApplyConfiguration struct {
-	Metric          *MetricIdentifierApplyConfiguration            `json:"metric,omitempty"`
-	Current         *MetricValueStatusApplyConfiguration           `json:"current,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
+	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
+	// DescribedObject specifies the descriptions of a object,such as kind,name apiVersion
 	DescribedObject *CrossVersionObjectReferenceApplyConfiguration `json:"describedObject,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricsource.go
index 28a35a2ae181c..2dd3de71c9943 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricsource.go
@@ -20,9 +20,16 @@ package v2
 
 // PodsMetricSourceApplyConfiguration represents a declarative configuration of the PodsMetricSource type for use
 // with apply.
+//
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
 type PodsMetricSourceApplyConfiguration struct {
+	// metric identifies the target metric by name and selector
 	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
-	Target *MetricTargetApplyConfiguration     `json:"target,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
 // PodsMetricSourceApplyConfiguration constructs a declarative configuration of the PodsMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricstatus.go
index 4614282ce1991..fcd623b7e368b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/podsmetricstatus.go
@@ -20,8 +20,13 @@ package v2
 
 // PodsMetricStatusApplyConfiguration represents a declarative configuration of the PodsMetricStatus type for use
 // with apply.
+//
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
 type PodsMetricStatusApplyConfiguration struct {
-	Metric  *MetricIdentifierApplyConfiguration  `json:"metric,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricsource.go
index ffc9042b9f7a6..cfa2ec538daf6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricsource.go
@@ -24,8 +24,18 @@ import (
 
 // ResourceMetricSourceApplyConfiguration represents a declarative configuration of the ResourceMetricSource type for use
 // with apply.
+//
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ResourceMetricSourceApplyConfiguration struct {
-	Name   *v1.ResourceName                `json:"name,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// target specifies the target value for the given metric
 	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricstatus.go
index 0fdbfcb5553e6..bbff32f89a140 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2/resourcemetricstatus.go
@@ -24,8 +24,16 @@ import (
 
 // ResourceMetricStatusApplyConfiguration represents a declarative configuration of the ResourceMetricStatus type for use
 // with apply.
+//
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ResourceMetricStatusApplyConfiguration struct {
-	Name    *v1.ResourceName                     `json:"name,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricsource.go
index f41c5af10f9df..392e491cf9cba 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricsource.go
@@ -25,11 +25,27 @@ import (
 
 // ContainerResourceMetricSourceApplyConfiguration represents a declarative configuration of the ContainerResourceMetricSource type for use
 // with apply.
+//
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ContainerResourceMetricSourceApplyConfiguration struct {
-	Name                     *v1.ResourceName   `json:"name,omitempty"`
-	TargetAverageUtilization *int32             `json:"targetAverageUtilization,omitempty"`
-	TargetAverageValue       *resource.Quantity `json:"targetAverageValue,omitempty"`
-	Container                *string            `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricSourceApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricstatus.go
index 4cd56eea371cb..e69d2bad8ac47 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/containerresourcemetricstatus.go
@@ -25,11 +25,28 @@ import (
 
 // ContainerResourceMetricStatusApplyConfiguration represents a declarative configuration of the ContainerResourceMetricStatus type for use
 // with apply.
+//
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ContainerResourceMetricStatusApplyConfiguration struct {
-	Name                      *v1.ResourceName   `json:"name,omitempty"`
-	CurrentAverageUtilization *int32             `json:"currentAverageUtilization,omitempty"`
-	CurrentAverageValue       *resource.Quantity `json:"currentAverageValue,omitempty"`
-	Container                 *string            `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	CurrentAverageUtilization *int32 `json:"currentAverageUtilization,omitempty"`
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	CurrentAverageValue *resource.Quantity `json:"currentAverageValue,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricStatusApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/crossversionobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/crossversionobjectreference.go
index f03261612e3c0..40c8e450f58f1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/crossversionobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/crossversionobjectreference.go
@@ -20,9 +20,14 @@ package v2beta1
 
 // CrossVersionObjectReferenceApplyConfiguration represents a declarative configuration of the CrossVersionObjectReference type for use
 // with apply.
+//
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
 type CrossVersionObjectReferenceApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
-	Name       *string `json:"name,omitempty"`
+	// Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// Name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// API version of the referent
 	APIVersion *string `json:"apiVersion,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricsource.go
index 8dce4529dd2d4..3b072172574e5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricsource.go
@@ -25,11 +25,23 @@ import (
 
 // ExternalMetricSourceApplyConfiguration represents a declarative configuration of the ExternalMetricSource type for use
 // with apply.
+//
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+// Exactly one "target" type should be set.
 type ExternalMetricSourceApplyConfiguration struct {
-	MetricName         *string                             `json:"metricName,omitempty"`
-	MetricSelector     *v1.LabelSelectorApplyConfiguration `json:"metricSelector,omitempty"`
-	TargetValue        *resource.Quantity                  `json:"targetValue,omitempty"`
-	TargetAverageValue *resource.Quantity                  `json:"targetAverageValue,omitempty"`
+	// metricName is the name of the metric in question.
+	MetricName *string `json:"metricName,omitempty"`
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	MetricSelector *v1.LabelSelectorApplyConfiguration `json:"metricSelector,omitempty"`
+	// targetValue is the target value of the metric (as a quantity).
+	// Mutually exclusive with TargetAverageValue.
+	TargetValue *resource.Quantity `json:"targetValue,omitempty"`
+	// targetAverageValue is the target per-pod value of global metric (as a quantity).
+	// Mutually exclusive with TargetValue.
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty"`
 }
 
 // ExternalMetricSourceApplyConfiguration constructs a declarative configuration of the ExternalMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricstatus.go
index 4034d7e55c8e8..c7e3629a9addf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/externalmetricstatus.go
@@ -25,11 +25,20 @@ import (
 
 // ExternalMetricStatusApplyConfiguration represents a declarative configuration of the ExternalMetricStatus type for use
 // with apply.
+//
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
 type ExternalMetricStatusApplyConfiguration struct {
-	MetricName          *string                             `json:"metricName,omitempty"`
-	MetricSelector      *v1.LabelSelectorApplyConfiguration `json:"metricSelector,omitempty"`
-	CurrentValue        *resource.Quantity                  `json:"currentValue,omitempty"`
-	CurrentAverageValue *resource.Quantity                  `json:"currentAverageValue,omitempty"`
+	// metricName is the name of a metric used for autoscaling in
+	// metric system.
+	MetricName *string `json:"metricName,omitempty"`
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	MetricSelector *v1.LabelSelectorApplyConfiguration `json:"metricSelector,omitempty"`
+	// currentValue is the current value of the metric (as a quantity)
+	CurrentValue *resource.Quantity `json:"currentValue,omitempty"`
+	// currentAverageValue is the current value of metric averaged over autoscaled pods.
+	CurrentAverageValue *resource.Quantity `json:"currentAverageValue,omitempty"`
 }
 
 // ExternalMetricStatusApplyConfiguration constructs a declarative configuration of the ExternalMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscaler.go
index e6ac8c950fb01..8a89398f9cb11 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscaler.go
@@ -29,11 +29,20 @@ import (
 
 // HorizontalPodAutoscalerApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscaler type for use
 // with apply.
+//
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
 type HorizontalPodAutoscalerApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *HorizontalPodAutoscalerSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *HorizontalPodAutoscalerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current information about the autoscaler.
+	Status *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // HorizontalPodAutoscaler constructs a declarative configuration of the HorizontalPodAutoscaler type for use with
@@ -47,6 +56,27 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 	return b
 }
 
+// ExtractHorizontalPodAutoscalerFrom extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// horizontalPodAutoscaler must be a unmodified HorizontalPodAutoscaler API object that was retrieved from the Kubernetes API.
+// ExtractHorizontalPodAutoscalerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler *autoscalingv2beta1.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
+	b := &HorizontalPodAutoscalerApplyConfiguration{}
+	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(horizontalPodAutoscaler.Name)
+	b.WithNamespace(horizontalPodAutoscaler.Namespace)
+
+	b.WithKind("HorizontalPodAutoscaler")
+	b.WithAPIVersion("autoscaling/v2beta1")
+	return b, nil
+}
+
 // ExtractHorizontalPodAutoscaler extracts the applied configuration owned by fieldManager from
 // horizontalPodAutoscaler. If no managedFields are found in horizontalPodAutoscaler for fieldManager, a
 // HorizontalPodAutoscalerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +87,16 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 // ExtractHorizontalPodAutoscaler provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2beta1.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "")
 }
 
-// ExtractHorizontalPodAutoscalerStatus is the same as ExtractHorizontalPodAutoscaler except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractHorizontalPodAutoscalerStatus extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the status subresource.
 func ExtractHorizontalPodAutoscalerStatus(horizontalPodAutoscaler *autoscalingv2beta1.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "status")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "status")
 }
 
-func extractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2beta1.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	b := &HorizontalPodAutoscalerApplyConfiguration{}
-	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(horizontalPodAutoscaler.Name)
-	b.WithNamespace(horizontalPodAutoscaler.Namespace)
-
-	b.WithKind("HorizontalPodAutoscaler")
-	b.WithAPIVersion("autoscaling/v2beta1")
-	return b, nil
-}
 func (b HorizontalPodAutoscalerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalercondition.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalercondition.go
index 445cd55ae683e..302df35a73439 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalercondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalercondition.go
@@ -26,12 +26,22 @@ import (
 
 // HorizontalPodAutoscalerConditionApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerCondition type for use
 // with apply.
+//
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
 type HorizontalPodAutoscalerConditionApplyConfiguration struct {
-	Type               *autoscalingv2beta1.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                                      `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                                             `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                  `json:"reason,omitempty"`
-	Message            *string                                                  `json:"message,omitempty"`
+	// type describes the current condition
+	Type *autoscalingv2beta1.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
+	// status is the status of the condition (True, False, Unknown)
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is the reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human-readable explanation containing details about
+	// the transition
+	Message *string `json:"message,omitempty"`
 }
 
 // HorizontalPodAutoscalerConditionApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerspec.go
index 6f111ceafd865..bbe6a8febff5a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerspec.go
@@ -20,11 +20,29 @@ package v2beta1
 
 // HorizontalPodAutoscalerSpecApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerSpec type for use
 // with apply.
+//
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
 type HorizontalPodAutoscalerSpecApplyConfiguration struct {
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
 	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration `json:"scaleTargetRef,omitempty"`
-	MinReplicas    *int32                                         `json:"minReplicas,omitempty"`
-	MaxReplicas    *int32                                         `json:"maxReplicas,omitempty"`
-	Metrics        []MetricSpecApplyConfiguration                 `json:"metrics,omitempty"`
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	MaxReplicas *int32 `json:"maxReplicas,omitempty"`
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	Metrics []MetricSpecApplyConfiguration `json:"metrics,omitempty"`
 }
 
 // HorizontalPodAutoscalerSpecApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerstatus.go
index 391b577258f0f..831ad5cf6f695 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/horizontalpodautoscalerstatus.go
@@ -24,13 +24,25 @@ import (
 
 // HorizontalPodAutoscalerStatusApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerStatus type for use
 // with apply.
+//
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
 type HorizontalPodAutoscalerStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                               `json:"observedGeneration,omitempty"`
-	LastScaleTime      *v1.Time                                             `json:"lastScaleTime,omitempty"`
-	CurrentReplicas    *int32                                               `json:"currentReplicas,omitempty"`
-	DesiredReplicas    *int32                                               `json:"desiredReplicas,omitempty"`
-	CurrentMetrics     []MetricStatusApplyConfiguration                     `json:"currentMetrics,omitempty"`
-	Conditions         []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	LastScaleTime *v1.Time `json:"lastScaleTime,omitempty"`
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	DesiredReplicas *int32 `json:"desiredReplicas,omitempty"`
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	CurrentMetrics []MetricStatusApplyConfiguration `json:"currentMetrics,omitempty"`
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	Conditions []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // HorizontalPodAutoscalerStatusApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricspec.go
index 3a5faa3b2e47e..d48043c32234b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricspec.go
@@ -24,13 +24,38 @@ import (
 
 // MetricSpecApplyConfiguration represents a declarative configuration of the MetricSpec type for use
 // with apply.
+//
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
 type MetricSpecApplyConfiguration struct {
-	Type              *autoscalingv2beta1.MetricSourceType             `json:"type,omitempty"`
-	Object            *ObjectMetricSourceApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricSourceApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricSourceApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It should be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	Type *autoscalingv2beta1.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricSourceApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricSourceApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricSourceApplyConfiguration `json:"resource,omitempty"`
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricSourceApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricSourceApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricSourceApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricSpecApplyConfiguration constructs a declarative configuration of the MetricSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricstatus.go
index f281e182d10b6..7ec38582de84b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/metricstatus.go
@@ -24,13 +24,37 @@ import (
 
 // MetricStatusApplyConfiguration represents a declarative configuration of the MetricStatus type for use
 // with apply.
+//
+// MetricStatus describes the last-read state of a single metric.
 type MetricStatusApplyConfiguration struct {
-	Type              *autoscalingv2beta1.MetricSourceType             `json:"type,omitempty"`
-	Object            *ObjectMetricStatusApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricStatusApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricStatusApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It will be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	Type *autoscalingv2beta1.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricStatusApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricStatusApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricStatusApplyConfiguration `json:"resource,omitempty"`
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricStatusApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricStatusApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricStatusApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricStatusApplyConfiguration constructs a declarative configuration of the MetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricsource.go
index a9e2eead4d3db..103280e26839c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricsource.go
@@ -25,12 +25,23 @@ import (
 
 // ObjectMetricSourceApplyConfiguration represents a declarative configuration of the ObjectMetricSource type for use
 // with apply.
+//
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricSourceApplyConfiguration struct {
-	Target       *CrossVersionObjectReferenceApplyConfiguration `json:"target,omitempty"`
-	MetricName   *string                                        `json:"metricName,omitempty"`
-	TargetValue  *resource.Quantity                             `json:"targetValue,omitempty"`
-	Selector     *v1.LabelSelectorApplyConfiguration            `json:"selector,omitempty"`
-	AverageValue *resource.Quantity                             `json:"averageValue,omitempty"`
+	// target is the described Kubernetes object.
+	Target *CrossVersionObjectReferenceApplyConfiguration `json:"target,omitempty"`
+	// metricName is the name of the metric in question.
+	MetricName *string `json:"metricName,omitempty"`
+	// targetValue is the target value of the metric (as a quantity).
+	TargetValue *resource.Quantity `json:"targetValue,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
 }
 
 // ObjectMetricSourceApplyConfiguration constructs a declarative configuration of the ObjectMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricstatus.go
index 4d3be8df6cb50..b58d0e28dbc19 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/objectmetricstatus.go
@@ -25,12 +25,23 @@ import (
 
 // ObjectMetricStatusApplyConfiguration represents a declarative configuration of the ObjectMetricStatus type for use
 // with apply.
+//
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricStatusApplyConfiguration struct {
-	Target       *CrossVersionObjectReferenceApplyConfiguration `json:"target,omitempty"`
-	MetricName   *string                                        `json:"metricName,omitempty"`
-	CurrentValue *resource.Quantity                             `json:"currentValue,omitempty"`
-	Selector     *v1.LabelSelectorApplyConfiguration            `json:"selector,omitempty"`
-	AverageValue *resource.Quantity                             `json:"averageValue,omitempty"`
+	// target is the described Kubernetes object.
+	Target *CrossVersionObjectReferenceApplyConfiguration `json:"target,omitempty"`
+	// metricName is the name of the metric in question.
+	MetricName *string `json:"metricName,omitempty"`
+	// currentValue is the current value of the metric (as a quantity).
+	CurrentValue *resource.Quantity `json:"currentValue,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
 }
 
 // ObjectMetricStatusApplyConfiguration constructs a declarative configuration of the ObjectMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricsource.go
index cfcd752e24322..47ceaee50b6a3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricsource.go
@@ -25,10 +25,21 @@ import (
 
 // PodsMetricSourceApplyConfiguration represents a declarative configuration of the PodsMetricSource type for use
 // with apply.
+//
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
 type PodsMetricSourceApplyConfiguration struct {
-	MetricName         *string                             `json:"metricName,omitempty"`
-	TargetAverageValue *resource.Quantity                  `json:"targetAverageValue,omitempty"`
-	Selector           *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// metricName is the name of the metric in question
+	MetricName *string `json:"metricName,omitempty"`
+	// targetAverageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
 }
 
 // PodsMetricSourceApplyConfiguration constructs a declarative configuration of the PodsMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricstatus.go
index f7a7777fd4f10..140f0a22925bd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/podsmetricstatus.go
@@ -25,10 +25,19 @@ import (
 
 // PodsMetricStatusApplyConfiguration represents a declarative configuration of the PodsMetricStatus type for use
 // with apply.
+//
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
 type PodsMetricStatusApplyConfiguration struct {
-	MetricName          *string                             `json:"metricName,omitempty"`
-	CurrentAverageValue *resource.Quantity                  `json:"currentAverageValue,omitempty"`
-	Selector            *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// metricName is the name of the metric in question
+	MetricName *string `json:"metricName,omitempty"`
+	// currentAverageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	CurrentAverageValue *resource.Quantity `json:"currentAverageValue,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
 }
 
 // PodsMetricStatusApplyConfiguration constructs a declarative configuration of the PodsMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricsource.go
index ad97d83c3cccc..0c3c849e3c81d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricsource.go
@@ -25,10 +25,25 @@ import (
 
 // ResourceMetricSourceApplyConfiguration represents a declarative configuration of the ResourceMetricSource type for use
 // with apply.
+//
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ResourceMetricSourceApplyConfiguration struct {
-	Name                     *v1.ResourceName   `json:"name,omitempty"`
-	TargetAverageUtilization *int32             `json:"targetAverageUtilization,omitempty"`
-	TargetAverageValue       *resource.Quantity `json:"targetAverageValue,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty"`
 }
 
 // ResourceMetricSourceApplyConfiguration constructs a declarative configuration of the ResourceMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricstatus.go
index 78fbeaad0648b..61db2eae0dd87 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta1/resourcemetricstatus.go
@@ -25,10 +25,26 @@ import (
 
 // ResourceMetricStatusApplyConfiguration represents a declarative configuration of the ResourceMetricStatus type for use
 // with apply.
+//
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ResourceMetricStatusApplyConfiguration struct {
-	Name                      *v1.ResourceName   `json:"name,omitempty"`
-	CurrentAverageUtilization *int32             `json:"currentAverageUtilization,omitempty"`
-	CurrentAverageValue       *resource.Quantity `json:"currentAverageValue,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	CurrentAverageUtilization *int32 `json:"currentAverageUtilization,omitempty"`
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	CurrentAverageValue *resource.Quantity `json:"currentAverageValue,omitempty"`
 }
 
 // ResourceMetricStatusApplyConfiguration constructs a declarative configuration of the ResourceMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricsource.go
index 1050165ea36d2..babb8e8bb0ab0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricsource.go
@@ -24,10 +24,21 @@ import (
 
 // ContainerResourceMetricSourceApplyConfiguration represents a declarative configuration of the ContainerResourceMetricSource type for use
 // with apply.
+//
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ContainerResourceMetricSourceApplyConfiguration struct {
-	Name      *v1.ResourceName                `json:"name,omitempty"`
-	Target    *MetricTargetApplyConfiguration `json:"target,omitempty"`
-	Container *string                         `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricSourceApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricstatus.go
index 708f68bc6bff4..771e9fdfcf3f3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/containerresourcemetricstatus.go
@@ -24,10 +24,19 @@ import (
 
 // ContainerResourceMetricStatusApplyConfiguration represents a declarative configuration of the ContainerResourceMetricStatus type for use
 // with apply.
+//
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ContainerResourceMetricStatusApplyConfiguration struct {
-	Name      *v1.ResourceName                     `json:"name,omitempty"`
-	Current   *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
-	Container *string                              `json:"container,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// current contains the current value for the given metric
+	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
+	// container is the name of the container in the pods of the scaling target
+	Container *string `json:"container,omitempty"`
 }
 
 // ContainerResourceMetricStatusApplyConfiguration constructs a declarative configuration of the ContainerResourceMetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/crossversionobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/crossversionobjectreference.go
index c281084b16588..df6708a19d416 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/crossversionobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/crossversionobjectreference.go
@@ -20,9 +20,14 @@ package v2beta2
 
 // CrossVersionObjectReferenceApplyConfiguration represents a declarative configuration of the CrossVersionObjectReference type for use
 // with apply.
+//
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
 type CrossVersionObjectReferenceApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
-	Name       *string `json:"name,omitempty"`
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// apiVersion is the API version of the referent
 	APIVersion *string `json:"apiVersion,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricsource.go
index d34ca114940cf..6baca7f05d75b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricsource.go
@@ -20,9 +20,15 @@ package v2beta2
 
 // ExternalMetricSourceApplyConfiguration represents a declarative configuration of the ExternalMetricSource type for use
 // with apply.
+//
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
 type ExternalMetricSourceApplyConfiguration struct {
+	// metric identifies the target metric by name and selector
 	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
-	Target *MetricTargetApplyConfiguration     `json:"target,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
 // ExternalMetricSourceApplyConfiguration constructs a declarative configuration of the ExternalMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricstatus.go
index be29e607fa4b7..725f56354479b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/externalmetricstatus.go
@@ -20,8 +20,13 @@ package v2beta2
 
 // ExternalMetricStatusApplyConfiguration represents a declarative configuration of the ExternalMetricStatus type for use
 // with apply.
+//
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
 type ExternalMetricStatusApplyConfiguration struct {
-	Metric  *MetricIdentifierApplyConfiguration  `json:"metric,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscaler.go
index 93cdd7897710b..9a4588bc8c8b6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscaler.go
@@ -29,11 +29,20 @@ import (
 
 // HorizontalPodAutoscalerApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscaler type for use
 // with apply.
+//
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
 type HorizontalPodAutoscalerApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *HorizontalPodAutoscalerSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *HorizontalPodAutoscalerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current information about the autoscaler.
+	Status *HorizontalPodAutoscalerStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // HorizontalPodAutoscaler constructs a declarative configuration of the HorizontalPodAutoscaler type for use with
@@ -47,6 +56,27 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 	return b
 }
 
+// ExtractHorizontalPodAutoscalerFrom extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// horizontalPodAutoscaler must be a unmodified HorizontalPodAutoscaler API object that was retrieved from the Kubernetes API.
+// ExtractHorizontalPodAutoscalerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler *autoscalingv2beta2.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
+	b := &HorizontalPodAutoscalerApplyConfiguration{}
+	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(horizontalPodAutoscaler.Name)
+	b.WithNamespace(horizontalPodAutoscaler.Namespace)
+
+	b.WithKind("HorizontalPodAutoscaler")
+	b.WithAPIVersion("autoscaling/v2beta2")
+	return b, nil
+}
+
 // ExtractHorizontalPodAutoscaler extracts the applied configuration owned by fieldManager from
 // horizontalPodAutoscaler. If no managedFields are found in horizontalPodAutoscaler for fieldManager, a
 // HorizontalPodAutoscalerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +87,16 @@ func HorizontalPodAutoscaler(name, namespace string) *HorizontalPodAutoscalerApp
 // ExtractHorizontalPodAutoscaler provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2beta2.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "")
 }
 
-// ExtractHorizontalPodAutoscalerStatus is the same as ExtractHorizontalPodAutoscaler except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractHorizontalPodAutoscalerStatus extracts the applied configuration owned by fieldManager from
+// horizontalPodAutoscaler for the status subresource.
 func ExtractHorizontalPodAutoscalerStatus(horizontalPodAutoscaler *autoscalingv2beta2.HorizontalPodAutoscaler, fieldManager string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	return extractHorizontalPodAutoscaler(horizontalPodAutoscaler, fieldManager, "status")
+	return ExtractHorizontalPodAutoscalerFrom(horizontalPodAutoscaler, fieldManager, "status")
 }
 
-func extractHorizontalPodAutoscaler(horizontalPodAutoscaler *autoscalingv2beta2.HorizontalPodAutoscaler, fieldManager string, subresource string) (*HorizontalPodAutoscalerApplyConfiguration, error) {
-	b := &HorizontalPodAutoscalerApplyConfiguration{}
-	err := managedfields.ExtractInto(horizontalPodAutoscaler, internal.Parser().Type("io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(horizontalPodAutoscaler.Name)
-	b.WithNamespace(horizontalPodAutoscaler.Namespace)
-
-	b.WithKind("HorizontalPodAutoscaler")
-	b.WithAPIVersion("autoscaling/v2beta2")
-	return b, nil
-}
 func (b HorizontalPodAutoscalerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerbehavior.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerbehavior.go
index e9b1a9fb9e229..355e15ff52e6b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerbehavior.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerbehavior.go
@@ -20,8 +20,20 @@ package v2beta2
 
 // HorizontalPodAutoscalerBehaviorApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerBehavior type for use
 // with apply.
+//
+// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
+// in both Up and Down directions (scaleUp and scaleDown fields respectively).
 type HorizontalPodAutoscalerBehaviorApplyConfiguration struct {
-	ScaleUp   *HPAScalingRulesApplyConfiguration `json:"scaleUp,omitempty"`
+	// scaleUp is scaling policy for scaling Up.
+	// If not set, the default value is the higher of:
+	// * increase no more than 4 pods per 60 seconds
+	// * double the number of pods per 60 seconds
+	// No stabilization is used.
+	ScaleUp *HPAScalingRulesApplyConfiguration `json:"scaleUp,omitempty"`
+	// scaleDown is scaling policy for scaling Down.
+	// If not set, the default value is to allow to scale down to minReplicas pods, with a
+	// 300 second stabilization window (i.e., the highest recommendation for
+	// the last 300sec is used).
 	ScaleDown *HPAScalingRulesApplyConfiguration `json:"scaleDown,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalercondition.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalercondition.go
index f888691249f5b..a23e18b158efd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalercondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalercondition.go
@@ -26,12 +26,22 @@ import (
 
 // HorizontalPodAutoscalerConditionApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerCondition type for use
 // with apply.
+//
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
 type HorizontalPodAutoscalerConditionApplyConfiguration struct {
-	Type               *autoscalingv2beta2.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                                      `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                                             `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                  `json:"reason,omitempty"`
-	Message            *string                                                  `json:"message,omitempty"`
+	// type describes the current condition
+	Type *autoscalingv2beta2.HorizontalPodAutoscalerConditionType `json:"type,omitempty"`
+	// status is the status of the condition (True, False, Unknown)
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is the reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human-readable explanation containing details about
+	// the transition
+	Message *string `json:"message,omitempty"`
 }
 
 // HorizontalPodAutoscalerConditionApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerspec.go
index 9629e4bd59868..50ee3fae7b10f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerspec.go
@@ -20,12 +20,34 @@ package v2beta2
 
 // HorizontalPodAutoscalerSpecApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerSpec type for use
 // with apply.
+//
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
 type HorizontalPodAutoscalerSpecApplyConfiguration struct {
-	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration     `json:"scaleTargetRef,omitempty"`
-	MinReplicas    *int32                                             `json:"minReplicas,omitempty"`
-	MaxReplicas    *int32                                             `json:"maxReplicas,omitempty"`
-	Metrics        []MetricSpecApplyConfiguration                     `json:"metrics,omitempty"`
-	Behavior       *HorizontalPodAutoscalerBehaviorApplyConfiguration `json:"behavior,omitempty"`
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	ScaleTargetRef *CrossVersionObjectReferenceApplyConfiguration `json:"scaleTargetRef,omitempty"`
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	MinReplicas *int32 `json:"minReplicas,omitempty"`
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	MaxReplicas *int32 `json:"maxReplicas,omitempty"`
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// If not set, the default metric will be set to 80% average CPU utilization.
+	Metrics []MetricSpecApplyConfiguration `json:"metrics,omitempty"`
+	// behavior configures the scaling behavior of the target
+	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+	// If not set, the default HPAScalingRules for scale up and scale down are used.
+	Behavior *HorizontalPodAutoscalerBehaviorApplyConfiguration `json:"behavior,omitempty"`
 }
 
 // HorizontalPodAutoscalerSpecApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerstatus.go
index 1eee645050d73..ffbdc1c32f34c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/horizontalpodautoscalerstatus.go
@@ -24,13 +24,25 @@ import (
 
 // HorizontalPodAutoscalerStatusApplyConfiguration represents a declarative configuration of the HorizontalPodAutoscalerStatus type for use
 // with apply.
+//
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
 type HorizontalPodAutoscalerStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                               `json:"observedGeneration,omitempty"`
-	LastScaleTime      *v1.Time                                             `json:"lastScaleTime,omitempty"`
-	CurrentReplicas    *int32                                               `json:"currentReplicas,omitempty"`
-	DesiredReplicas    *int32                                               `json:"desiredReplicas,omitempty"`
-	CurrentMetrics     []MetricStatusApplyConfiguration                     `json:"currentMetrics,omitempty"`
-	Conditions         []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	LastScaleTime *v1.Time `json:"lastScaleTime,omitempty"`
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	CurrentReplicas *int32 `json:"currentReplicas,omitempty"`
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	DesiredReplicas *int32 `json:"desiredReplicas,omitempty"`
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	CurrentMetrics []MetricStatusApplyConfiguration `json:"currentMetrics,omitempty"`
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	Conditions []HorizontalPodAutoscalerConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // HorizontalPodAutoscalerStatusApplyConfiguration constructs a declarative configuration of the HorizontalPodAutoscalerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingpolicy.go
index 2bbbbddec4bba..ca07910b907ff 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingpolicy.go
@@ -24,10 +24,17 @@ import (
 
 // HPAScalingPolicyApplyConfiguration represents a declarative configuration of the HPAScalingPolicy type for use
 // with apply.
+//
+// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
 type HPAScalingPolicyApplyConfiguration struct {
-	Type          *autoscalingv2beta2.HPAScalingPolicyType `json:"type,omitempty"`
-	Value         *int32                                   `json:"value,omitempty"`
-	PeriodSeconds *int32                                   `json:"periodSeconds,omitempty"`
+	// type is used to specify the scaling policy.
+	Type *autoscalingv2beta2.HPAScalingPolicyType `json:"type,omitempty"`
+	// value contains the amount of change which is permitted by the policy.
+	// It must be greater than zero
+	Value *int32 `json:"value,omitempty"`
+	// periodSeconds specifies the window of time for which the policy should hold true.
+	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+	PeriodSeconds *int32 `json:"periodSeconds,omitempty"`
 }
 
 // HPAScalingPolicyApplyConfiguration constructs a declarative configuration of the HPAScalingPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingrules.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingrules.go
index 92aa449aa47af..a87dc3d3c95e2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingrules.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/hpascalingrules.go
@@ -24,10 +24,27 @@ import (
 
 // HPAScalingRulesApplyConfiguration represents a declarative configuration of the HPAScalingRules type for use
 // with apply.
+//
+// HPAScalingRules configures the scaling behavior for one direction.
+// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
+// They can limit the scaling velocity by specifying scaling policies.
+// They can prevent flapping by specifying the stabilization window, so that the
+// number of replicas is not set instantly, instead, the safest value from the stabilization
+// window is chosen.
 type HPAScalingRulesApplyConfiguration struct {
-	StabilizationWindowSeconds *int32                                  `json:"stabilizationWindowSeconds,omitempty"`
-	SelectPolicy               *autoscalingv2beta2.ScalingPolicySelect `json:"selectPolicy,omitempty"`
-	Policies                   []HPAScalingPolicyApplyConfiguration    `json:"policies,omitempty"`
+	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+	// considered while scaling up or scaling down.
+	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+	// If not set, use the default values:
+	// - For scale up: 0 (i.e. no stabilization is done).
+	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+	StabilizationWindowSeconds *int32 `json:"stabilizationWindowSeconds,omitempty"`
+	// selectPolicy is used to specify which policy should be used.
+	// If not set, the default value MaxPolicySelect is used.
+	SelectPolicy *autoscalingv2beta2.ScalingPolicySelect `json:"selectPolicy,omitempty"`
+	// policies is a list of potential scaling polices which can be used during scaling.
+	// At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+	Policies []HPAScalingPolicyApplyConfiguration `json:"policies,omitempty"`
 }
 
 // HPAScalingRulesApplyConfiguration constructs a declarative configuration of the HPAScalingRules type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricidentifier.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricidentifier.go
index e8b2abb0e6182..9fd064cb9cee7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricidentifier.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricidentifier.go
@@ -24,8 +24,14 @@ import (
 
 // MetricIdentifierApplyConfiguration represents a declarative configuration of the MetricIdentifier type for use
 // with apply.
+//
+// MetricIdentifier defines the name and optionally selector for a metric
 type MetricIdentifierApplyConfiguration struct {
-	Name     *string                             `json:"name,omitempty"`
+	// name is the name of the given metric
+	Name *string `json:"name,omitempty"`
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
 	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricspec.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricspec.go
index 3da1617cfb483..92eb2fa644923 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricspec.go
@@ -24,13 +24,38 @@ import (
 
 // MetricSpecApplyConfiguration represents a declarative configuration of the MetricSpec type for use
 // with apply.
+//
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
 type MetricSpecApplyConfiguration struct {
-	Type              *autoscalingv2beta2.MetricSourceType             `json:"type,omitempty"`
-	Object            *ObjectMetricSourceApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricSourceApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricSourceApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It should be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	Type *autoscalingv2beta2.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricSourceApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricSourceApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricSourceApplyConfiguration `json:"resource,omitempty"`
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricSourceApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricSourceApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricSourceApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricSpecApplyConfiguration constructs a declarative configuration of the MetricSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricstatus.go
index b528bd76059f4..16dc67814f787 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricstatus.go
@@ -24,13 +24,37 @@ import (
 
 // MetricStatusApplyConfiguration represents a declarative configuration of the MetricStatus type for use
 // with apply.
+//
+// MetricStatus describes the last-read state of a single metric.
 type MetricStatusApplyConfiguration struct {
-	Type              *autoscalingv2beta2.MetricSourceType             `json:"type,omitempty"`
-	Object            *ObjectMetricStatusApplyConfiguration            `json:"object,omitempty"`
-	Pods              *PodsMetricStatusApplyConfiguration              `json:"pods,omitempty"`
-	Resource          *ResourceMetricStatusApplyConfiguration          `json:"resource,omitempty"`
+	// type is the type of metric source.  It will be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	Type *autoscalingv2beta2.MetricSourceType `json:"type,omitempty"`
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	Object *ObjectMetricStatusApplyConfiguration `json:"object,omitempty"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	Pods *PodsMetricStatusApplyConfiguration `json:"pods,omitempty"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	Resource *ResourceMetricStatusApplyConfiguration `json:"resource,omitempty"`
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
 	ContainerResource *ContainerResourceMetricStatusApplyConfiguration `json:"containerResource,omitempty"`
-	External          *ExternalMetricStatusApplyConfiguration          `json:"external,omitempty"`
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	External *ExternalMetricStatusApplyConfiguration `json:"external,omitempty"`
 }
 
 // MetricStatusApplyConfiguration constructs a declarative configuration of the MetricStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metrictarget.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metrictarget.go
index 286856d823389..eedcd59d105fd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metrictarget.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metrictarget.go
@@ -25,11 +25,21 @@ import (
 
 // MetricTargetApplyConfiguration represents a declarative configuration of the MetricTarget type for use
 // with apply.
+//
+// MetricTarget defines the target value, average value, or average utilization of a specific metric
 type MetricTargetApplyConfiguration struct {
-	Type               *autoscalingv2beta2.MetricTargetType `json:"type,omitempty"`
-	Value              *resource.Quantity                   `json:"value,omitempty"`
-	AverageValue       *resource.Quantity                   `json:"averageValue,omitempty"`
-	AverageUtilization *int32                               `json:"averageUtilization,omitempty"`
+	// type represents whether the metric type is Utilization, Value, or AverageValue
+	Type *autoscalingv2beta2.MetricTargetType `json:"type,omitempty"`
+	// value is the target value of the metric (as a quantity).
+	Value *resource.Quantity `json:"value,omitempty"`
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
+	// averageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// Currently only valid for Resource metric source type
+	AverageUtilization *int32 `json:"averageUtilization,omitempty"`
 }
 
 // MetricTargetApplyConfiguration constructs a declarative configuration of the MetricTarget type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricvaluestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricvaluestatus.go
index cc409fc283b95..49141abcc63d7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricvaluestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/metricvaluestatus.go
@@ -24,10 +24,18 @@ import (
 
 // MetricValueStatusApplyConfiguration represents a declarative configuration of the MetricValueStatus type for use
 // with apply.
+//
+// MetricValueStatus holds the current value for a metric
 type MetricValueStatusApplyConfiguration struct {
-	Value              *resource.Quantity `json:"value,omitempty"`
-	AverageValue       *resource.Quantity `json:"averageValue,omitempty"`
-	AverageUtilization *int32             `json:"averageUtilization,omitempty"`
+	// value is the current value of the metric (as a quantity).
+	Value *resource.Quantity `json:"value,omitempty"`
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	AverageValue *resource.Quantity `json:"averageValue,omitempty"`
+	// averageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	AverageUtilization *int32 `json:"averageUtilization,omitempty"`
 }
 
 // MetricValueStatusApplyConfiguration constructs a declarative configuration of the MetricValueStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricsource.go
index 17b492fa06acf..e99e081cea42f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricsource.go
@@ -20,10 +20,15 @@ package v2beta2
 
 // ObjectMetricSourceApplyConfiguration represents a declarative configuration of the ObjectMetricSource type for use
 // with apply.
+//
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricSourceApplyConfiguration struct {
 	DescribedObject *CrossVersionObjectReferenceApplyConfiguration `json:"describedObject,omitempty"`
-	Target          *MetricTargetApplyConfiguration                `json:"target,omitempty"`
-	Metric          *MetricIdentifierApplyConfiguration            `json:"metric,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
 }
 
 // ObjectMetricSourceApplyConfiguration constructs a declarative configuration of the ObjectMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricstatus.go
index e87417f2e7e45..4d5d016791d7a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/objectmetricstatus.go
@@ -20,8 +20,13 @@ package v2beta2
 
 // ObjectMetricStatusApplyConfiguration represents a declarative configuration of the ObjectMetricStatus type for use
 // with apply.
+//
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
 type ObjectMetricStatusApplyConfiguration struct {
-	Metric          *MetricIdentifierApplyConfiguration            `json:"metric,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
 	Current         *MetricValueStatusApplyConfiguration           `json:"current,omitempty"`
 	DescribedObject *CrossVersionObjectReferenceApplyConfiguration `json:"describedObject,omitempty"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricsource.go
index 6ecbb1807198e..11dd2f6e9b736 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricsource.go
@@ -20,9 +20,16 @@ package v2beta2
 
 // PodsMetricSourceApplyConfiguration represents a declarative configuration of the PodsMetricSource type for use
 // with apply.
+//
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
 type PodsMetricSourceApplyConfiguration struct {
+	// metric identifies the target metric by name and selector
 	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
-	Target *MetricTargetApplyConfiguration     `json:"target,omitempty"`
+	// target specifies the target value for the given metric
+	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
 // PodsMetricSourceApplyConfiguration constructs a declarative configuration of the PodsMetricSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricstatus.go
index cd1029726118b..929c02d4a41d1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/podsmetricstatus.go
@@ -20,8 +20,13 @@ package v2beta2
 
 // PodsMetricStatusApplyConfiguration represents a declarative configuration of the PodsMetricStatus type for use
 // with apply.
+//
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
 type PodsMetricStatusApplyConfiguration struct {
-	Metric  *MetricIdentifierApplyConfiguration  `json:"metric,omitempty"`
+	// metric identifies the target metric by name and selector
+	Metric *MetricIdentifierApplyConfiguration `json:"metric,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricsource.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricsource.go
index c482d75f4b829..ce7e7e5fe27d3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricsource.go
@@ -24,8 +24,18 @@ import (
 
 // ResourceMetricSourceApplyConfiguration represents a declarative configuration of the ResourceMetricSource type for use
 // with apply.
+//
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
 type ResourceMetricSourceApplyConfiguration struct {
-	Name   *v1.ResourceName                `json:"name,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// target specifies the target value for the given metric
 	Target *MetricTargetApplyConfiguration `json:"target,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricstatus.go
index eb13e90b7d3f2..9a6f3919001db 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/autoscaling/v2beta2/resourcemetricstatus.go
@@ -24,8 +24,16 @@ import (
 
 // ResourceMetricStatusApplyConfiguration represents a declarative configuration of the ResourceMetricStatus type for use
 // with apply.
+//
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
 type ResourceMetricStatusApplyConfiguration struct {
-	Name    *v1.ResourceName                     `json:"name,omitempty"`
+	// name is the name of the resource in question.
+	Name *v1.ResourceName `json:"name,omitempty"`
+	// current contains the current value for the given metric
 	Current *MetricValueStatusApplyConfiguration `json:"current,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjob.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjob.go
index 623b183cf76e4..2fbd4896330cb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjob.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjob.go
@@ -29,11 +29,19 @@ import (
 
 // CronJobApplyConfiguration represents a declarative configuration of the CronJob type for use
 // with apply.
+//
+// CronJob represents the configuration of a single cron job.
 type CronJobApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *CronJobSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *CronJobStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *CronJobSpecApplyConfiguration `json:"spec,omitempty"`
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *CronJobStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CronJob constructs a declarative configuration of the CronJob type for use with
@@ -47,6 +55,27 @@ func CronJob(name, namespace string) *CronJobApplyConfiguration {
 	return b
 }
 
+// ExtractCronJobFrom extracts the applied configuration owned by fieldManager from
+// cronJob for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// cronJob must be a unmodified CronJob API object that was retrieved from the Kubernetes API.
+// ExtractCronJobFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCronJobFrom(cronJob *batchv1.CronJob, fieldManager string, subresource string) (*CronJobApplyConfiguration, error) {
+	b := &CronJobApplyConfiguration{}
+	err := managedfields.ExtractInto(cronJob, internal.Parser().Type("io.k8s.api.batch.v1.CronJob"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(cronJob.Name)
+	b.WithNamespace(cronJob.Namespace)
+
+	b.WithKind("CronJob")
+	b.WithAPIVersion("batch/v1")
+	return b, nil
+}
+
 // ExtractCronJob extracts the applied configuration owned by fieldManager from
 // cronJob. If no managedFields are found in cronJob for fieldManager, a
 // CronJobApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +86,16 @@ func CronJob(name, namespace string) *CronJobApplyConfiguration {
 // ExtractCronJob provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractCronJob(cronJob *batchv1.CronJob, fieldManager string) (*CronJobApplyConfiguration, error) {
-	return extractCronJob(cronJob, fieldManager, "")
+	return ExtractCronJobFrom(cronJob, fieldManager, "")
 }
 
-// ExtractCronJobStatus is the same as ExtractCronJob except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractCronJobStatus extracts the applied configuration owned by fieldManager from
+// cronJob for the status subresource.
 func ExtractCronJobStatus(cronJob *batchv1.CronJob, fieldManager string) (*CronJobApplyConfiguration, error) {
-	return extractCronJob(cronJob, fieldManager, "status")
+	return ExtractCronJobFrom(cronJob, fieldManager, "status")
 }
 
-func extractCronJob(cronJob *batchv1.CronJob, fieldManager string, subresource string) (*CronJobApplyConfiguration, error) {
-	b := &CronJobApplyConfiguration{}
-	err := managedfields.ExtractInto(cronJob, internal.Parser().Type("io.k8s.api.batch.v1.CronJob"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(cronJob.Name)
-	b.WithNamespace(cronJob.Namespace)
-
-	b.WithKind("CronJob")
-	b.WithAPIVersion("batch/v1")
-	return b, nil
-}
 func (b CronJobApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobspec.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobspec.go
index f53d140d3bdb8..f76d58ba72ab7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobspec.go
@@ -24,15 +24,42 @@ import (
 
 // CronJobSpecApplyConfiguration represents a declarative configuration of the CronJobSpec type for use
 // with apply.
+//
+// CronJobSpec describes how the job execution will look like and when it will actually run.
 type CronJobSpecApplyConfiguration struct {
-	Schedule                   *string                            `json:"schedule,omitempty"`
-	TimeZone                   *string                            `json:"timeZone,omitempty"`
-	StartingDeadlineSeconds    *int64                             `json:"startingDeadlineSeconds,omitempty"`
-	ConcurrencyPolicy          *batchv1.ConcurrencyPolicy         `json:"concurrencyPolicy,omitempty"`
-	Suspend                    *bool                              `json:"suspend,omitempty"`
-	JobTemplate                *JobTemplateSpecApplyConfiguration `json:"jobTemplate,omitempty"`
-	SuccessfulJobsHistoryLimit *int32                             `json:"successfulJobsHistoryLimit,omitempty"`
-	FailedJobsHistoryLimit     *int32                             `json:"failedJobsHistoryLimit,omitempty"`
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	Schedule *string `json:"schedule,omitempty"`
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
+	// database by the API server during CronJob validation and the controller manager during execution.
+	// If no system-wide time zone database can be found a bundled version of the database is used instead.
+	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
+	// configuration, the controller will stop creating new new Jobs and will create a system event with the
+	// reason UnknownTimeZone.
+	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	TimeZone *string `json:"timeZone,omitempty"`
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	StartingDeadlineSeconds *int64 `json:"startingDeadlineSeconds,omitempty"`
+	// Specifies how to treat concurrent executions of a Job.
+	// Valid values are:
+	//
+	// - "Allow" (default): allows CronJobs to run concurrently;
+	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
+	// - "Replace": cancels currently running job and replaces it with a new one
+	ConcurrencyPolicy *batchv1.ConcurrencyPolicy `json:"concurrencyPolicy,omitempty"`
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	Suspend *bool `json:"suspend,omitempty"`
+	// Specifies the job that will be created when executing a CronJob.
+	JobTemplate *JobTemplateSpecApplyConfiguration `json:"jobTemplate,omitempty"`
+	// The number of successful finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 3.
+	SuccessfulJobsHistoryLimit *int32 `json:"successfulJobsHistoryLimit,omitempty"`
+	// The number of failed finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 1.
+	FailedJobsHistoryLimit *int32 `json:"failedJobsHistoryLimit,omitempty"`
 }
 
 // CronJobSpecApplyConfiguration constructs a declarative configuration of the CronJobSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobstatus.go
index d29d9e8922fa3..664b104a9423c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/cronjobstatus.go
@@ -25,10 +25,15 @@ import (
 
 // CronJobStatusApplyConfiguration represents a declarative configuration of the CronJobStatus type for use
 // with apply.
+//
+// CronJobStatus represents the current state of a cron job.
 type CronJobStatusApplyConfiguration struct {
-	Active             []corev1.ObjectReferenceApplyConfiguration `json:"active,omitempty"`
-	LastScheduleTime   *metav1.Time                               `json:"lastScheduleTime,omitempty"`
-	LastSuccessfulTime *metav1.Time                               `json:"lastSuccessfulTime,omitempty"`
+	// A list of pointers to currently running jobs.
+	Active []corev1.ObjectReferenceApplyConfiguration `json:"active,omitempty"`
+	// Information when was the last time the job was successfully scheduled.
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty"`
+	// Information when was the last time the job successfully completed.
+	LastSuccessfulTime *metav1.Time `json:"lastSuccessfulTime,omitempty"`
 }
 
 // CronJobStatusApplyConfiguration constructs a declarative configuration of the CronJobStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/job.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/job.go
index 8aeec8f3d85e9..02d59f0ec4e71 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/job.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/job.go
@@ -29,11 +29,19 @@ import (
 
 // JobApplyConfiguration represents a declarative configuration of the Job type for use
 // with apply.
+//
+// Job represents the configuration of a single job.
 type JobApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *JobSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *JobStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *JobSpecApplyConfiguration `json:"spec,omitempty"`
+	// Current status of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *JobStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Job constructs a declarative configuration of the Job type for use with
@@ -47,6 +55,27 @@ func Job(name, namespace string) *JobApplyConfiguration {
 	return b
 }
 
+// ExtractJobFrom extracts the applied configuration owned by fieldManager from
+// job for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// job must be a unmodified Job API object that was retrieved from the Kubernetes API.
+// ExtractJobFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractJobFrom(job *batchv1.Job, fieldManager string, subresource string) (*JobApplyConfiguration, error) {
+	b := &JobApplyConfiguration{}
+	err := managedfields.ExtractInto(job, internal.Parser().Type("io.k8s.api.batch.v1.Job"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(job.Name)
+	b.WithNamespace(job.Namespace)
+
+	b.WithKind("Job")
+	b.WithAPIVersion("batch/v1")
+	return b, nil
+}
+
 // ExtractJob extracts the applied configuration owned by fieldManager from
 // job. If no managedFields are found in job for fieldManager, a
 // JobApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +86,16 @@ func Job(name, namespace string) *JobApplyConfiguration {
 // ExtractJob provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractJob(job *batchv1.Job, fieldManager string) (*JobApplyConfiguration, error) {
-	return extractJob(job, fieldManager, "")
+	return ExtractJobFrom(job, fieldManager, "")
 }
 
-// ExtractJobStatus is the same as ExtractJob except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractJobStatus extracts the applied configuration owned by fieldManager from
+// job for the status subresource.
 func ExtractJobStatus(job *batchv1.Job, fieldManager string) (*JobApplyConfiguration, error) {
-	return extractJob(job, fieldManager, "status")
+	return ExtractJobFrom(job, fieldManager, "status")
 }
 
-func extractJob(job *batchv1.Job, fieldManager string, subresource string) (*JobApplyConfiguration, error) {
-	b := &JobApplyConfiguration{}
-	err := managedfields.ExtractInto(job, internal.Parser().Type("io.k8s.api.batch.v1.Job"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(job.Name)
-	b.WithNamespace(job.Namespace)
-
-	b.WithKind("Job")
-	b.WithAPIVersion("batch/v1")
-	return b, nil
-}
 func (b JobApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobcondition.go
index fb3c65aba611a..66487972125f0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobcondition.go
@@ -26,13 +26,21 @@ import (
 
 // JobConditionApplyConfiguration represents a declarative configuration of the JobCondition type for use
 // with apply.
+//
+// JobCondition describes current state of a job.
 type JobConditionApplyConfiguration struct {
-	Type               *batchv1.JobConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus   `json:"status,omitempty"`
-	LastProbeTime      *metav1.Time              `json:"lastProbeTime,omitempty"`
-	LastTransitionTime *metav1.Time              `json:"lastTransitionTime,omitempty"`
-	Reason             *string                   `json:"reason,omitempty"`
-	Message            *string                   `json:"message,omitempty"`
+	// Type of job condition, Complete or Failed.
+	Type *batchv1.JobConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition was checked.
+	LastProbeTime *metav1.Time `json:"lastProbeTime,omitempty"`
+	// Last time the condition transit from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// (brief) reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // JobConditionApplyConfiguration constructs a declarative configuration of the JobCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobspec.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobspec.go
index 2104fe113d345..81064df751ad8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobspec.go
@@ -26,23 +26,140 @@ import (
 
 // JobSpecApplyConfiguration represents a declarative configuration of the JobSpec type for use
 // with apply.
+//
+// JobSpec describes how the job execution will look like.
 type JobSpecApplyConfiguration struct {
-	Parallelism             *int32                                    `json:"parallelism,omitempty"`
-	Completions             *int32                                    `json:"completions,omitempty"`
-	ActiveDeadlineSeconds   *int64                                    `json:"activeDeadlineSeconds,omitempty"`
-	PodFailurePolicy        *PodFailurePolicyApplyConfiguration       `json:"podFailurePolicy,omitempty"`
-	SuccessPolicy           *SuccessPolicyApplyConfiguration          `json:"successPolicy,omitempty"`
-	BackoffLimit            *int32                                    `json:"backoffLimit,omitempty"`
-	BackoffLimitPerIndex    *int32                                    `json:"backoffLimitPerIndex,omitempty"`
-	MaxFailedIndexes        *int32                                    `json:"maxFailedIndexes,omitempty"`
-	Selector                *metav1.LabelSelectorApplyConfiguration   `json:"selector,omitempty"`
-	ManualSelector          *bool                                     `json:"manualSelector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	TTLSecondsAfterFinished *int32                                    `json:"ttlSecondsAfterFinished,omitempty"`
-	CompletionMode          *batchv1.CompletionMode                   `json:"completionMode,omitempty"`
-	Suspend                 *bool                                     `json:"suspend,omitempty"`
-	PodReplacementPolicy    *batchv1.PodReplacementPolicy             `json:"podReplacementPolicy,omitempty"`
-	ManagedBy               *string                                   `json:"managedBy,omitempty"`
+	// Specifies the maximum desired number of pods the job should
+	// run at any given time. The actual number of pods running in steady state will
+	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+	// i.e. when the work left to do is less than max parallelism.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	Parallelism *int32 `json:"parallelism,omitempty"`
+	// Specifies the desired number of successfully finished pods the
+	// job should be run with.  Setting to null means that the success of any
+	// pod signals the success of all pods, and allows parallelism to have any positive
+	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+	// pod signals the success of the job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	Completions *int32 `json:"completions,omitempty"`
+	// Specifies the duration in seconds relative to the startTime that the job
+	// may be continuously active before the system tries to terminate it; value
+	// must be positive integer. If a Job is suspended (at creation or through an
+	// update), this timer will effectively be stopped and reset when the Job is
+	// resumed again.
+	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty"`
+	// Specifies the policy of handling failed pods. In particular, it allows to
+	// specify the set of actions and conditions which need to be
+	// satisfied to take the associated action.
+	// If empty, the default behaviour applies - the counter of failed pods,
+	// represented by the jobs's .status.failed field, is incremented and it is
+	// checked against the backoffLimit. This field cannot be used in combination
+	// with restartPolicy=OnFailure.
+	PodFailurePolicy *PodFailurePolicyApplyConfiguration `json:"podFailurePolicy,omitempty"`
+	// successPolicy specifies the policy when the Job can be declared as succeeded.
+	// If empty, the default behavior applies - the Job is declared as succeeded
+	// only when the number of succeeded pods equals to the completions.
+	// When the field is specified, it must be immutable and works only for the Indexed Jobs.
+	// Once the Job meets the SuccessPolicy, the lingering pods are terminated.
+	SuccessPolicy *SuccessPolicyApplyConfiguration `json:"successPolicy,omitempty"`
+	// Specifies the number of retries before marking this job failed.
+	// Defaults to 6, unless backoffLimitPerIndex (only Indexed Job) is specified.
+	// When backoffLimitPerIndex is specified, backoffLimit defaults to 2147483647.
+	BackoffLimit *int32 `json:"backoffLimit,omitempty"`
+	// Specifies the limit for the number of retries within an
+	// index before marking this index as failed. When enabled the number of
+	// failures per index is kept in the pod's
+	// batch.kubernetes.io/job-index-failure-count annotation. It can only
+	// be set when Job's completionMode=Indexed, and the Pod's restart
+	// policy is Never. The field is immutable.
+	BackoffLimitPerIndex *int32 `json:"backoffLimitPerIndex,omitempty"`
+	// Specifies the maximal number of failed indexes before marking the Job as
+	// failed, when backoffLimitPerIndex is set. Once the number of failed
+	// indexes exceeds this number the entire Job is marked as Failed and its
+	// execution is terminated. When left as null the job continues execution of
+	// all of its indexes and is marked with the `Complete` Job condition.
+	// It can only be specified when backoffLimitPerIndex is set.
+	// It can be null or up to completions. It is required and must be
+	// less than or equal to 10^4 when is completions greater than 10^5.
+	MaxFailedIndexes *int32 `json:"maxFailedIndexes,omitempty"`
+	// A label query over pods that should match the pod count.
+	// Normally, the system sets this field for you.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// manualSelector controls generation of pod labels and pod selectors.
+	// Leave `manualSelector` unset unless you are certain what you are doing.
+	// When false or unset, the system pick labels unique to this job
+	// and appends those labels to the pod template.  When true,
+	// the user is responsible for picking unique labels and specifying
+	// the selector.  Failure to pick a unique label may cause this
+	// and other jobs to not function correctly.  However, You may see
+	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+	// API.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
+	ManualSelector *bool `json:"manualSelector,omitempty"`
+	// Describes the pod that will be created when executing a job.
+	// The only allowed template.spec.restartPolicy values are "Never" or "OnFailure".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// ttlSecondsAfterFinished limits the lifetime of a Job that has finished
+	// execution (either Complete or Failed). If this field is set,
+	// ttlSecondsAfterFinished after the Job finishes, it is eligible to be
+	// automatically deleted. When the Job is being deleted, its lifecycle
+	// guarantees (e.g. finalizers) will be honored. If this field is unset,
+	// the Job won't be automatically deleted. If this field is set to zero,
+	// the Job becomes eligible to be deleted immediately after it finishes.
+	TTLSecondsAfterFinished *int32 `json:"ttlSecondsAfterFinished,omitempty"`
+	// completionMode specifies how Pod completions are tracked. It can be
+	// `NonIndexed` (default) or `Indexed`.
+	//
+	// `NonIndexed` means that the Job is considered complete when there have
+	// been .spec.completions successfully completed Pods. Each Pod completion is
+	// homologous to each other.
+	//
+	// `Indexed` means that the Pods of a
+	// Job get an associated completion index from 0 to (.spec.completions - 1),
+	// available in the annotation batch.kubernetes.io/job-completion-index.
+	// The Job is considered complete when there is one successfully completed Pod
+	// for each index.
+	// When value is `Indexed`, .spec.completions must be specified and
+	// `.spec.parallelism` must be less than or equal to 10^5.
+	// In addition, The Pod name takes the form
+	// `$(job-name)-$(index)-$(random-string)`,
+	// the Pod hostname takes the form `$(job-name)-$(index)`.
+	//
+	// More completion modes can be added in the future.
+	// If the Job controller observes a mode that it doesn't recognize, which
+	// is possible during upgrades due to version skew, the controller
+	// skips updates for the Job.
+	CompletionMode *batchv1.CompletionMode `json:"completionMode,omitempty"`
+	// suspend specifies whether the Job controller should create Pods or not. If
+	// a Job is created with suspend set to true, no Pods are created by the Job
+	// controller. If a Job is suspended after creation (i.e. the flag goes from
+	// false to true), the Job controller will delete all active Pods associated
+	// with this Job. Users must design their workload to gracefully handle this.
+	// Suspending a Job will reset the StartTime field of the Job, effectively
+	// resetting the ActiveDeadlineSeconds timer too. Defaults to false.
+	Suspend *bool `json:"suspend,omitempty"`
+	// podReplacementPolicy specifies when to create replacement Pods.
+	// Possible values are:
+	// - TerminatingOrFailed means that we recreate pods
+	// when they are terminating (has a metadata.deletionTimestamp) or failed.
+	// - Failed means to wait until a previously created Pod is fully terminated (has phase
+	// Failed or Succeeded) before creating a replacement Pod.
+	//
+	// When using podFailurePolicy, Failed is the the only allowed value.
+	// TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
+	PodReplacementPolicy *batchv1.PodReplacementPolicy `json:"podReplacementPolicy,omitempty"`
+	// ManagedBy field indicates the controller that manages a Job. The k8s Job
+	// controller reconciles jobs which don't have this field at all or the field
+	// value is the reserved string `kubernetes.io/job-controller`, but skips
+	// reconciling Jobs with a custom value for this field.
+	// The value must be a valid domain-prefixed path (e.g. acme.io/foo) -
+	// all characters before the first "/" must be a valid subdomain as defined
+	// by RFC 1123. All characters trailing the first "/" must be valid HTTP Path
+	// characters as defined by RFC 3986. The value cannot exceed 63 characters.
+	// This field is immutable.
+	ManagedBy *string `json:"managedBy,omitempty"`
 }
 
 // JobSpecApplyConfiguration constructs a declarative configuration of the JobSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobstatus.go
index 071a0153f54e0..0e11fd9beb8ce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobstatus.go
@@ -24,18 +24,92 @@ import (
 
 // JobStatusApplyConfiguration represents a declarative configuration of the JobStatus type for use
 // with apply.
+//
+// JobStatus represents the current state of a Job.
 type JobStatusApplyConfiguration struct {
-	Conditions              []JobConditionApplyConfiguration           `json:"conditions,omitempty"`
-	StartTime               *metav1.Time                               `json:"startTime,omitempty"`
-	CompletionTime          *metav1.Time                               `json:"completionTime,omitempty"`
-	Active                  *int32                                     `json:"active,omitempty"`
-	Succeeded               *int32                                     `json:"succeeded,omitempty"`
-	Failed                  *int32                                     `json:"failed,omitempty"`
-	Terminating             *int32                                     `json:"terminating,omitempty"`
-	CompletedIndexes        *string                                    `json:"completedIndexes,omitempty"`
-	FailedIndexes           *string                                    `json:"failedIndexes,omitempty"`
+	// The latest available observations of an object's current state. When a Job
+	// fails, one of the conditions will have type "Failed" and status true. When
+	// a Job is suspended, one of the conditions will have type "Suspended" and
+	// status true; when the Job is resumed, the status of this condition will
+	// become false. When a Job is completed, one of the conditions will have
+	// type "Complete" and status true.
+	//
+	// A job is considered finished when it is in a terminal condition, either
+	// "Complete" or "Failed". A Job cannot have both the "Complete" and "Failed" conditions.
+	// Additionally, it cannot be in the "Complete" and "FailureTarget" conditions.
+	// The "Complete", "Failed" and "FailureTarget" conditions cannot be disabled.
+	//
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	Conditions []JobConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Represents time when the job controller started processing a job. When a
+	// Job is created in the suspended state, this field is not set until the
+	// first time it is resumed. This field is reset every time a Job is resumed
+	// from suspension. It is represented in RFC3339 form and is in UTC.
+	//
+	// Once set, the field can only be removed when the job is suspended.
+	// The field cannot be modified while the job is unsuspended or finished.
+	StartTime *metav1.Time `json:"startTime,omitempty"`
+	// Represents time when the job was completed. It is not guaranteed to
+	// be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// The completion time is set when the job finishes successfully, and only then.
+	// The value cannot be updated or removed. The value indicates the same or
+	// later point in time as the startTime field.
+	CompletionTime *metav1.Time `json:"completionTime,omitempty"`
+	// The number of pending and running pods which are not terminating (without
+	// a deletionTimestamp).
+	// The value is zero for finished jobs.
+	Active *int32 `json:"active,omitempty"`
+	// The number of pods which reached phase Succeeded.
+	// The value increases monotonically for a given spec. However, it may
+	// decrease in reaction to scale down of elastic indexed jobs.
+	Succeeded *int32 `json:"succeeded,omitempty"`
+	// The number of pods which reached phase Failed.
+	// The value increases monotonically.
+	Failed *int32 `json:"failed,omitempty"`
+	// The number of pods which are terminating (in phase Pending or Running
+	// and have a deletionTimestamp).
+	//
+	// This field is beta-level. The job controller populates the field when
+	// the feature gate JobPodReplacementPolicy is enabled (enabled by default).
+	Terminating *int32 `json:"terminating,omitempty"`
+	// completedIndexes holds the completed indexes when .spec.completionMode =
+	// "Indexed" in a text format. The indexes are represented as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	CompletedIndexes *string `json:"completedIndexes,omitempty"`
+	// FailedIndexes holds the failed indexes when spec.backoffLimitPerIndex is set.
+	// The indexes are represented in the text format analogous as for the
+	// `completedIndexes` field, ie. they are kept as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the failed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// The set of failed indexes cannot overlap with the set of completed indexes.
+	FailedIndexes *string `json:"failedIndexes,omitempty"`
+	// uncountedTerminatedPods holds the UIDs of Pods that have terminated but
+	// the job controller hasn't yet accounted for in the status counters.
+	//
+	// The job controller creates pods with a finalizer. When a pod terminates
+	// (succeeded or failed), the controller does three steps to account for it
+	// in the job status:
+	//
+	// 1. Add the pod UID to the arrays in this field.
+	// 2. Remove the pod finalizer.
+	// 3. Remove the pod UID from the arrays while increasing the corresponding
+	// counter.
+	//
+	// Old jobs might not be tracked using this field, in which case the field
+	// remains null.
+	// The structure is empty for finished jobs.
 	UncountedTerminatedPods *UncountedTerminatedPodsApplyConfiguration `json:"uncountedTerminatedPods,omitempty"`
-	Ready                   *int32                                     `json:"ready,omitempty"`
+	// The number of active pods which have a Ready condition and are not
+	// terminating (without a deletionTimestamp).
+	Ready *int32 `json:"ready,omitempty"`
 }
 
 // JobStatusApplyConfiguration constructs a declarative configuration of the JobStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobtemplatespec.go
index 149c5e8f5efd1..7fb67d2d497fb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/jobtemplatespec.go
@@ -26,9 +26,15 @@ import (
 
 // JobTemplateSpecApplyConfiguration represents a declarative configuration of the JobTemplateSpec type for use
 // with apply.
+//
+// JobTemplateSpec describes the data a Job should have when created from a template
 type JobTemplateSpecApplyConfiguration struct {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *JobSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *JobSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // JobTemplateSpecApplyConfiguration constructs a declarative configuration of the JobTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicy.go
index 05a68b3c94b68..27b3e0a1146b3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicy.go
@@ -20,7 +20,14 @@ package v1
 
 // PodFailurePolicyApplyConfiguration represents a declarative configuration of the PodFailurePolicy type for use
 // with apply.
+//
+// PodFailurePolicy describes how failed pods influence the backoffLimit.
 type PodFailurePolicyApplyConfiguration struct {
+	// A list of pod failure policy rules. The rules are evaluated in order.
+	// Once a rule matches a Pod failure, the remaining of the rules are ignored.
+	// When no rule matches the Pod failure, the default handling applies - the
+	// counter of pod failures is incremented and it is checked against
+	// the backoffLimit. At most 20 elements are allowed.
 	Rules []PodFailurePolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonexitcodesrequirement.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonexitcodesrequirement.go
index aa4dfc4c14233..b72cf68421122 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonexitcodesrequirement.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonexitcodesrequirement.go
@@ -24,10 +24,38 @@ import (
 
 // PodFailurePolicyOnExitCodesRequirementApplyConfiguration represents a declarative configuration of the PodFailurePolicyOnExitCodesRequirement type for use
 // with apply.
+//
+// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling
+// a failed pod based on its container exit codes. In particular, it lookups the
+// .state.terminated.exitCode for each app container and init container status,
+// represented by the .status.containerStatuses and .status.initContainerStatuses
+// fields in the Pod status, respectively. Containers completed with success
+// (exit code 0) are excluded from the requirement check.
 type PodFailurePolicyOnExitCodesRequirementApplyConfiguration struct {
-	ContainerName *string                                      `json:"containerName,omitempty"`
-	Operator      *batchv1.PodFailurePolicyOnExitCodesOperator `json:"operator,omitempty"`
-	Values        []int32                                      `json:"values,omitempty"`
+	// Restricts the check for exit codes to the container with the
+	// specified name. When null, the rule applies to all containers.
+	// When specified, it should match one the container or initContainer
+	// names in the pod template.
+	ContainerName *string `json:"containerName,omitempty"`
+	// Represents the relationship between the container exit code(s) and the
+	// specified values. Containers completed with success (exit code 0) are
+	// excluded from the requirement check. Possible values are:
+	//
+	// - In: the requirement is satisfied if at least one container exit code
+	// (might be multiple if there are multiple containers not restricted
+	// by the 'containerName' field) is in the set of specified values.
+	// - NotIn: the requirement is satisfied if at least one container exit code
+	// (might be multiple if there are multiple containers not restricted
+	// by the 'containerName' field) is not in the set of specified values.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown operator by assuming the requirement is not satisfied.
+	Operator *batchv1.PodFailurePolicyOnExitCodesOperator `json:"operator,omitempty"`
+	// Specifies the set of values. Each returned container exit code (might be
+	// multiple in case of multiple containers) is checked against this set of
+	// values with respect to the operator. The list of values must be ordered
+	// and must not contain duplicates. Value '0' cannot be used for the In operator.
+	// At least one element is required. At most 255 elements are allowed.
+	Values []int32 `json:"values,omitempty"`
 }
 
 // PodFailurePolicyOnExitCodesRequirementApplyConfiguration constructs a declarative configuration of the PodFailurePolicyOnExitCodesRequirement type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonpodconditionspattern.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonpodconditionspattern.go
index 6459a6e594335..34f1a09245c1e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonpodconditionspattern.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyonpodconditionspattern.go
@@ -24,9 +24,17 @@ import (
 
 // PodFailurePolicyOnPodConditionsPatternApplyConfiguration represents a declarative configuration of the PodFailurePolicyOnPodConditionsPattern type for use
 // with apply.
+//
+// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching
+// an actual pod condition type.
 type PodFailurePolicyOnPodConditionsPatternApplyConfiguration struct {
-	Type   *corev1.PodConditionType `json:"type,omitempty"`
-	Status *corev1.ConditionStatus  `json:"status,omitempty"`
+	// Specifies the required Pod condition type. To match a pod condition
+	// it is required that specified type equals the pod condition type.
+	Type *corev1.PodConditionType `json:"type,omitempty"`
+	// Specifies the required Pod condition status. To match a pod condition
+	// it is required that the specified status equals the pod condition status.
+	// Defaults to True.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
 }
 
 // PodFailurePolicyOnPodConditionsPatternApplyConfiguration constructs a declarative configuration of the PodFailurePolicyOnPodConditionsPattern type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyrule.go
index 847ec7c9548be..d3a2e69f53ae6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/podfailurepolicyrule.go
@@ -24,9 +24,29 @@ import (
 
 // PodFailurePolicyRuleApplyConfiguration represents a declarative configuration of the PodFailurePolicyRule type for use
 // with apply.
+//
+// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met.
+// One of onExitCodes and onPodConditions, but not both, can be used in each rule.
 type PodFailurePolicyRuleApplyConfiguration struct {
-	Action          *batchv1.PodFailurePolicyAction                            `json:"action,omitempty"`
-	OnExitCodes     *PodFailurePolicyOnExitCodesRequirementApplyConfiguration  `json:"onExitCodes,omitempty"`
+	// Specifies the action taken on a pod failure when the requirements are satisfied.
+	// Possible values are:
+	//
+	// - FailJob: indicates that the pod's job is marked as Failed and all
+	// running pods are terminated.
+	// - FailIndex: indicates that the pod's index is marked as Failed and will
+	// not be restarted.
+	// - Ignore: indicates that the counter towards the .backoffLimit is not
+	// incremented and a replacement pod is created.
+	// - Count: indicates that the pod is handled in the default way - the
+	// counter towards the .backoffLimit is incremented.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown action by skipping the rule.
+	Action *batchv1.PodFailurePolicyAction `json:"action,omitempty"`
+	// Represents the requirement on the container exit codes.
+	OnExitCodes *PodFailurePolicyOnExitCodesRequirementApplyConfiguration `json:"onExitCodes,omitempty"`
+	// Represents the requirement on the pod conditions. The requirement is represented
+	// as a list of pod condition patterns. The requirement is satisfied if at
+	// least one pattern matches an actual pod condition. At most 20 elements are allowed.
 	OnPodConditions []PodFailurePolicyOnPodConditionsPatternApplyConfiguration `json:"onPodConditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicy.go
index a3f4f39e2eae8..53ecd3ebc085c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicy.go
@@ -20,7 +20,15 @@ package v1
 
 // SuccessPolicyApplyConfiguration represents a declarative configuration of the SuccessPolicy type for use
 // with apply.
+//
+// SuccessPolicy describes when a Job can be declared as succeeded based on the success of some indexes.
 type SuccessPolicyApplyConfiguration struct {
+	// rules represents the list of alternative rules for the declaring the Jobs
+	// as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met,
+	// the "SuccessCriteriaMet" condition is added, and the lingering pods are removed.
+	// The terminal state for such a Job has the "Complete" condition.
+	// Additionally, these rules are evaluated in order; Once the Job meets one of the rules,
+	// other rules are ignored. At most 20 elements are allowed.
 	Rules []SuccessPolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicyrule.go
index 2b5e3d91fe628..430054ac66029 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/successpolicyrule.go
@@ -20,9 +20,33 @@ package v1
 
 // SuccessPolicyRuleApplyConfiguration represents a declarative configuration of the SuccessPolicyRule type for use
 // with apply.
+//
+// SuccessPolicyRule describes rule for declaring a Job as succeeded.
+// Each rule must have at least one of the "succeededIndexes" or "succeededCount" specified.
 type SuccessPolicyRuleApplyConfiguration struct {
+	// succeededIndexes specifies the set of indexes
+	// which need to be contained in the actual set of the succeeded indexes for the Job.
+	// The list of indexes must be within 0 to ".spec.completions-1" and
+	// must not contain duplicates. At least one element is required.
+	// The indexes are represented as intervals separated by commas.
+	// The intervals can be a decimal integer or a pair of decimal integers separated by a hyphen.
+	// The number are listed in represented by the first and last element of the series,
+	// separated by a hyphen.
+	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// When this field is null, this field doesn't default to any value
+	// and is never evaluated at any time.
 	SucceededIndexes *string `json:"succeededIndexes,omitempty"`
-	SucceededCount   *int32  `json:"succeededCount,omitempty"`
+	// succeededCount specifies the minimal required size of the actual set of the succeeded indexes
+	// for the Job. When succeededCount is used along with succeededIndexes, the check is
+	// constrained only to the set of indexes specified by succeededIndexes.
+	// For example, given that succeededIndexes is "1-4", succeededCount is "3",
+	// and completed indexes are "1", "3", and "5", the Job isn't declared as succeeded
+	// because only "1" and "3" indexes are considered in that rules.
+	// When this field is null, this doesn't default to any value and
+	// is never evaluated at any time.
+	// When specified it needs to be a positive integer.
+	SucceededCount *int32 `json:"succeededCount,omitempty"`
 }
 
 // SuccessPolicyRuleApplyConfiguration constructs a declarative configuration of the SuccessPolicyRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/uncountedterminatedpods.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/uncountedterminatedpods.go
index ff6b57b86cbb8..0b9199d2de5d6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/uncountedterminatedpods.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1/uncountedterminatedpods.go
@@ -24,9 +24,14 @@ import (
 
 // UncountedTerminatedPodsApplyConfiguration represents a declarative configuration of the UncountedTerminatedPods type for use
 // with apply.
+//
+// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
+// been accounted in Job status counters.
 type UncountedTerminatedPodsApplyConfiguration struct {
+	// succeeded holds UIDs of succeeded Pods.
 	Succeeded []types.UID `json:"succeeded,omitempty"`
-	Failed    []types.UID `json:"failed,omitempty"`
+	// failed holds UIDs of failed Pods.
+	Failed []types.UID `json:"failed,omitempty"`
 }
 
 // UncountedTerminatedPodsApplyConfiguration constructs a declarative configuration of the UncountedTerminatedPods type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjob.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjob.go
index 89b181cd867d6..f0ab32de4d1fd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjob.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjob.go
@@ -29,11 +29,19 @@ import (
 
 // CronJobApplyConfiguration represents a declarative configuration of the CronJob type for use
 // with apply.
+//
+// CronJob represents the configuration of a single cron job.
 type CronJobApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *CronJobSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *CronJobStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *CronJobSpecApplyConfiguration `json:"spec,omitempty"`
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *CronJobStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CronJob constructs a declarative configuration of the CronJob type for use with
@@ -47,6 +55,27 @@ func CronJob(name, namespace string) *CronJobApplyConfiguration {
 	return b
 }
 
+// ExtractCronJobFrom extracts the applied configuration owned by fieldManager from
+// cronJob for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// cronJob must be a unmodified CronJob API object that was retrieved from the Kubernetes API.
+// ExtractCronJobFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCronJobFrom(cronJob *batchv1beta1.CronJob, fieldManager string, subresource string) (*CronJobApplyConfiguration, error) {
+	b := &CronJobApplyConfiguration{}
+	err := managedfields.ExtractInto(cronJob, internal.Parser().Type("io.k8s.api.batch.v1beta1.CronJob"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(cronJob.Name)
+	b.WithNamespace(cronJob.Namespace)
+
+	b.WithKind("CronJob")
+	b.WithAPIVersion("batch/v1beta1")
+	return b, nil
+}
+
 // ExtractCronJob extracts the applied configuration owned by fieldManager from
 // cronJob. If no managedFields are found in cronJob for fieldManager, a
 // CronJobApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +86,16 @@ func CronJob(name, namespace string) *CronJobApplyConfiguration {
 // ExtractCronJob provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractCronJob(cronJob *batchv1beta1.CronJob, fieldManager string) (*CronJobApplyConfiguration, error) {
-	return extractCronJob(cronJob, fieldManager, "")
+	return ExtractCronJobFrom(cronJob, fieldManager, "")
 }
 
-// ExtractCronJobStatus is the same as ExtractCronJob except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractCronJobStatus extracts the applied configuration owned by fieldManager from
+// cronJob for the status subresource.
 func ExtractCronJobStatus(cronJob *batchv1beta1.CronJob, fieldManager string) (*CronJobApplyConfiguration, error) {
-	return extractCronJob(cronJob, fieldManager, "status")
+	return ExtractCronJobFrom(cronJob, fieldManager, "status")
 }
 
-func extractCronJob(cronJob *batchv1beta1.CronJob, fieldManager string, subresource string) (*CronJobApplyConfiguration, error) {
-	b := &CronJobApplyConfiguration{}
-	err := managedfields.ExtractInto(cronJob, internal.Parser().Type("io.k8s.api.batch.v1beta1.CronJob"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(cronJob.Name)
-	b.WithNamespace(cronJob.Namespace)
-
-	b.WithKind("CronJob")
-	b.WithAPIVersion("batch/v1beta1")
-	return b, nil
-}
 func (b CronJobApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobspec.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobspec.go
index 30604ac7edb8a..0a15bc89c1efe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobspec.go
@@ -24,15 +24,44 @@ import (
 
 // CronJobSpecApplyConfiguration represents a declarative configuration of the CronJobSpec type for use
 // with apply.
+//
+// CronJobSpec describes how the job execution will look like and when it will actually run.
 type CronJobSpecApplyConfiguration struct {
-	Schedule                   *string                            `json:"schedule,omitempty"`
-	TimeZone                   *string                            `json:"timeZone,omitempty"`
-	StartingDeadlineSeconds    *int64                             `json:"startingDeadlineSeconds,omitempty"`
-	ConcurrencyPolicy          *batchv1beta1.ConcurrencyPolicy    `json:"concurrencyPolicy,omitempty"`
-	Suspend                    *bool                              `json:"suspend,omitempty"`
-	JobTemplate                *JobTemplateSpecApplyConfiguration `json:"jobTemplate,omitempty"`
-	SuccessfulJobsHistoryLimit *int32                             `json:"successfulJobsHistoryLimit,omitempty"`
-	FailedJobsHistoryLimit     *int32                             `json:"failedJobsHistoryLimit,omitempty"`
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	Schedule *string `json:"schedule,omitempty"`
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
+	// database by the API server during CronJob validation and the controller manager during execution.
+	// If no system-wide time zone database can be found a bundled version of the database is used instead.
+	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
+	// configuration, the controller will stop creating new new Jobs and will create a system event with the
+	// reason UnknownTimeZone.
+	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	TimeZone *string `json:"timeZone,omitempty"`
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	StartingDeadlineSeconds *int64 `json:"startingDeadlineSeconds,omitempty"`
+	// Specifies how to treat concurrent executions of a Job.
+	// Valid values are:
+	//
+	// - "Allow" (default): allows CronJobs to run concurrently;
+	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
+	// - "Replace": cancels currently running job and replaces it with a new one
+	ConcurrencyPolicy *batchv1beta1.ConcurrencyPolicy `json:"concurrencyPolicy,omitempty"`
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	Suspend *bool `json:"suspend,omitempty"`
+	// Specifies the job that will be created when executing a CronJob.
+	JobTemplate *JobTemplateSpecApplyConfiguration `json:"jobTemplate,omitempty"`
+	// The number of successful finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 3.
+	SuccessfulJobsHistoryLimit *int32 `json:"successfulJobsHistoryLimit,omitempty"`
+	// The number of failed finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 1.
+	FailedJobsHistoryLimit *int32 `json:"failedJobsHistoryLimit,omitempty"`
 }
 
 // CronJobSpecApplyConfiguration constructs a declarative configuration of the CronJobSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobstatus.go
index 335f9e0dce834..caf58aa65f87d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/cronjobstatus.go
@@ -25,10 +25,15 @@ import (
 
 // CronJobStatusApplyConfiguration represents a declarative configuration of the CronJobStatus type for use
 // with apply.
+//
+// CronJobStatus represents the current state of a cron job.
 type CronJobStatusApplyConfiguration struct {
-	Active             []v1.ObjectReferenceApplyConfiguration `json:"active,omitempty"`
-	LastScheduleTime   *metav1.Time                           `json:"lastScheduleTime,omitempty"`
-	LastSuccessfulTime *metav1.Time                           `json:"lastSuccessfulTime,omitempty"`
+	// A list of pointers to currently running jobs.
+	Active []v1.ObjectReferenceApplyConfiguration `json:"active,omitempty"`
+	// Information when was the last time the job was successfully scheduled.
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty"`
+	// Information when was the last time the job successfully completed.
+	LastSuccessfulTime *metav1.Time `json:"lastSuccessfulTime,omitempty"`
 }
 
 // CronJobStatusApplyConfiguration constructs a declarative configuration of the CronJobStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/jobtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/jobtemplatespec.go
index 5f0fc4925adbd..3f6347ace9bf4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/jobtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/batch/v1beta1/jobtemplatespec.go
@@ -27,9 +27,15 @@ import (
 
 // JobTemplateSpecApplyConfiguration represents a declarative configuration of the JobTemplateSpec type for use
 // with apply.
+//
+// JobTemplateSpec describes the data a Job should have when created from a template
 type JobTemplateSpecApplyConfiguration struct {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *batchv1.JobSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *batchv1.JobSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // JobTemplateSpecApplyConfiguration constructs a declarative configuration of the JobTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequest.go
index e78702cb35b97..0769c9f2c776f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequest.go
@@ -29,11 +29,27 @@ import (
 
 // CertificateSigningRequestApplyConfiguration represents a declarative configuration of the CertificateSigningRequest type for use
 // with apply.
+//
+// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
+// by submitting a certificate signing request, and having it asynchronously approved and issued.
+//
+// Kubelets use this API to obtain:
+// 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
+// 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
+//
+// This API can be used to request client certificates to authenticate to kube-apiserver
+// (with the "kubernetes.io/kube-apiserver-client" signerName),
+// or to obtain certificates from custom non-Kubernetes signers.
 type CertificateSigningRequestApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *CertificateSigningRequestSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *CertificateSigningRequestStatusApplyConfiguration `json:"status,omitempty"`
+	// spec contains the certificate request, and is immutable after creation.
+	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
+	// Other fields are derived by Kubernetes and cannot be modified by users.
+	Spec *CertificateSigningRequestSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains information about whether the request is approved or denied,
+	// and the certificate issued by the signer, or the failure condition indicating signer failure.
+	Status *CertificateSigningRequestStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CertificateSigningRequest constructs a declarative configuration of the CertificateSigningRequest type for use with
@@ -46,6 +62,26 @@ func CertificateSigningRequest(name string) *CertificateSigningRequestApplyConfi
 	return b
 }
 
+// ExtractCertificateSigningRequestFrom extracts the applied configuration owned by fieldManager from
+// certificateSigningRequest for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// certificateSigningRequest must be a unmodified CertificateSigningRequest API object that was retrieved from the Kubernetes API.
+// ExtractCertificateSigningRequestFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCertificateSigningRequestFrom(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string, subresource string) (*CertificateSigningRequestApplyConfiguration, error) {
+	b := &CertificateSigningRequestApplyConfiguration{}
+	err := managedfields.ExtractInto(certificateSigningRequest, internal.Parser().Type("io.k8s.api.certificates.v1.CertificateSigningRequest"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(certificateSigningRequest.Name)
+
+	b.WithKind("CertificateSigningRequest")
+	b.WithAPIVersion("certificates.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractCertificateSigningRequest extracts the applied configuration owned by fieldManager from
 // certificateSigningRequest. If no managedFields are found in certificateSigningRequest for fieldManager, a
 // CertificateSigningRequestApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +92,22 @@ func CertificateSigningRequest(name string) *CertificateSigningRequestApplyConfi
 // ExtractCertificateSigningRequest provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractCertificateSigningRequest(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
-	return extractCertificateSigningRequest(certificateSigningRequest, fieldManager, "")
+	return ExtractCertificateSigningRequestFrom(certificateSigningRequest, fieldManager, "")
 }
 
-// ExtractCertificateSigningRequestStatus is the same as ExtractCertificateSigningRequest except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCertificateSigningRequestStatus(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
-	return extractCertificateSigningRequest(certificateSigningRequest, fieldManager, "status")
+// ExtractCertificateSigningRequestApproval extracts the applied configuration owned by fieldManager from
+// certificateSigningRequest for the approval subresource.
+func ExtractCertificateSigningRequestApproval(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
+	return ExtractCertificateSigningRequestFrom(certificateSigningRequest, fieldManager, "approval")
 }
 
-func extractCertificateSigningRequest(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string, subresource string) (*CertificateSigningRequestApplyConfiguration, error) {
-	b := &CertificateSigningRequestApplyConfiguration{}
-	err := managedfields.ExtractInto(certificateSigningRequest, internal.Parser().Type("io.k8s.api.certificates.v1.CertificateSigningRequest"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(certificateSigningRequest.Name)
-
-	b.WithKind("CertificateSigningRequest")
-	b.WithAPIVersion("certificates.k8s.io/v1")
-	return b, nil
+// ExtractCertificateSigningRequestStatus extracts the applied configuration owned by fieldManager from
+// certificateSigningRequest for the status subresource.
+func ExtractCertificateSigningRequestStatus(certificateSigningRequest *certificatesv1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
+	return ExtractCertificateSigningRequestFrom(certificateSigningRequest, fieldManager, "status")
 }
+
 func (b CertificateSigningRequestApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestcondition.go
index a6dedcb595e31..f4f23f055bab2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestcondition.go
@@ -26,13 +26,38 @@ import (
 
 // CertificateSigningRequestConditionApplyConfiguration represents a declarative configuration of the CertificateSigningRequestCondition type for use
 // with apply.
+//
+// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
 type CertificateSigningRequestConditionApplyConfiguration struct {
-	Type               *certificatesv1.RequestConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus              `json:"status,omitempty"`
-	Reason             *string                              `json:"reason,omitempty"`
-	Message            *string                              `json:"message,omitempty"`
-	LastUpdateTime     *metav1.Time                         `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                         `json:"lastTransitionTime,omitempty"`
+	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
+	//
+	// An "Approved" condition is added via the /approval subresource,
+	// indicating the request was approved and should be issued by the signer.
+	//
+	// A "Denied" condition is added via the /approval subresource,
+	// indicating the request was denied and should not be issued by the signer.
+	//
+	// A "Failed" condition is added via the /status subresource,
+	// indicating the signer failed to issue the certificate.
+	//
+	// Approved and Denied conditions are mutually exclusive.
+	// Approved, Denied, and Failed conditions cannot be removed once added.
+	//
+	// Only one condition of a given type is allowed.
+	Type *certificatesv1.RequestConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// reason indicates a brief reason for the request state
+	Reason *string `json:"reason,omitempty"`
+	// message contains a human readable message with details about the request state
+	Message *string `json:"message,omitempty"`
+	// lastUpdateTime is the time of the last update to this condition
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// lastTransitionTime is the time the condition last transitioned from one status to another.
+	// If unset, when a new condition type is added or an existing condition's status is changed,
+	// the server defaults this to the current time.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
 }
 
 // CertificateSigningRequestConditionApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestspec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestspec.go
index 82da53c9e195a..983ee001b7d3b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequestspec.go
@@ -24,15 +24,80 @@ import (
 
 // CertificateSigningRequestSpecApplyConfiguration represents a declarative configuration of the CertificateSigningRequestSpec type for use
 // with apply.
+//
+// CertificateSigningRequestSpec contains the certificate request.
 type CertificateSigningRequestSpecApplyConfiguration struct {
-	Request           []byte                               `json:"request,omitempty"`
-	SignerName        *string                              `json:"signerName,omitempty"`
-	ExpirationSeconds *int32                               `json:"expirationSeconds,omitempty"`
-	Usages            []certificatesv1.KeyUsage            `json:"usages,omitempty"`
-	Username          *string                              `json:"username,omitempty"`
-	UID               *string                              `json:"uid,omitempty"`
-	Groups            []string                             `json:"groups,omitempty"`
-	Extra             map[string]certificatesv1.ExtraValue `json:"extra,omitempty"`
+	// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
+	// When serialized as JSON or YAML, the data is additionally base64-encoded.
+	Request []byte `json:"request,omitempty"`
+	// signerName indicates the requested signer, and is a qualified name.
+	//
+	// List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
+	//
+	// Well-known Kubernetes signers are:
+	// 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
+	// Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
+	// 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
+	// Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	// 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
+	// Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	//
+	// More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
+	//
+	// Custom signerNames can also be specified. The signer defines:
+	// 1. Trust distribution: how trust (CA bundles) are distributed.
+	// 2. Permitted subjects: and behavior when a disallowed subject is requested.
+	// 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
+	// 4. Required, permitted, or forbidden key usages / extended key usages.
+	// 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
+	// 6. Whether or not requests for CA certificates are allowed.
+	SignerName *string `json:"signerName,omitempty"`
+	// expirationSeconds is the requested duration of validity of the issued
+	// certificate. The certificate signer may issue a certificate with a different
+	// validity duration so a client must check the delta between the notBefore and
+	// and notAfter fields in the issued certificate to determine the actual duration.
+	//
+	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
+	// honor this field as long as the requested duration is not greater than the
+	// maximum duration they will honor per the --cluster-signing-duration CLI
+	// flag to the Kubernetes controller manager.
+	//
+	// Certificate signers may not honor this field for various reasons:
+	//
+	// 1. Old signer that is unaware of the field (such as the in-tree
+	// implementations prior to v1.22)
+	// 2. Signer whose configured maximum is shorter than the requested duration
+	// 3. Signer whose configured minimum is longer than the requested duration
+	//
+	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+	ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"`
+	// usages specifies a set of key usages requested in the issued certificate.
+	//
+	// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
+	//
+	// Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
+	//
+	// Valid values are:
+	// "signing", "digital signature", "content commitment",
+	// "key encipherment", "key agreement", "data encipherment",
+	// "cert sign", "crl sign", "encipher only", "decipher only", "any",
+	// "server auth", "client auth",
+	// "code signing", "email protection", "s/mime",
+	// "ipsec end system", "ipsec tunnel", "ipsec user",
+	// "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
+	Usages []certificatesv1.KeyUsage `json:"usages,omitempty"`
+	// username contains the name of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	Username *string `json:"username,omitempty"`
+	// uid contains the uid of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	UID *string `json:"uid,omitempty"`
+	// groups contains group membership of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	Groups []string `json:"groups,omitempty"`
+	// extra contains extra attributes of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	Extra map[string]certificatesv1.ExtraValue `json:"extra,omitempty"`
 }
 
 // CertificateSigningRequestSpecApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequeststatus.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequeststatus.go
index 897f6d1e982c3..1eb79965ca900 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequeststatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1/certificatesigningrequeststatus.go
@@ -20,9 +20,39 @@ package v1
 
 // CertificateSigningRequestStatusApplyConfiguration represents a declarative configuration of the CertificateSigningRequestStatus type for use
 // with apply.
+//
+// CertificateSigningRequestStatus contains conditions used to indicate
+// approved/denied/failed status of the request, and the issued certificate.
 type CertificateSigningRequestStatusApplyConfiguration struct {
-	Conditions  []CertificateSigningRequestConditionApplyConfiguration `json:"conditions,omitempty"`
-	Certificate []byte                                                 `json:"certificate,omitempty"`
+	// conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
+	Conditions []CertificateSigningRequestConditionApplyConfiguration `json:"conditions,omitempty"`
+	// certificate is populated with an issued certificate by the signer after an Approved condition is present.
+	// This field is set via the /status subresource. Once populated, this field is immutable.
+	//
+	// If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
+	// If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
+	//
+	// Validation requirements:
+	// 1. certificate must contain one or more PEM blocks.
+	// 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
+	// must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
+	// 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
+	// to allow for explanatory text as described in section 5.2 of RFC7468.
+	//
+	// If more than one PEM block is present, and the definition of the requested spec.signerName
+	// does not indicate otherwise, the first block is the issued certificate,
+	// and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
+	//
+	// The certificate is encoded in PEM format.
+	//
+	// When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
+	//
+	// base64(
+	// -----BEGIN CERTIFICATE-----
+	// ...
+	// -----END CERTIFICATE-----
+	// )
+	Certificate []byte `json:"certificate,omitempty"`
 }
 
 // CertificateSigningRequestStatusApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundle.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundle.go
index 82c2efc2f0311..9c26cdb9155b3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundle.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundle.go
@@ -29,10 +29,28 @@ import (
 
 // ClusterTrustBundleApplyConfiguration represents a declarative configuration of the ClusterTrustBundle type for use
 // with apply.
+//
+// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
+// (root certificates).
+//
+// ClusterTrustBundle objects are considered to be readable by any authenticated
+// user in the cluster, because they can be mounted by pods using the
+// `clusterTrustBundle` projection.  All service accounts have read access to
+// ClusterTrustBundles by default.  Users who only have namespace-level access
+// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
+// that they have access to.
+//
+// It can be optionally associated with a particular assigner, in which case it
+// contains one valid set of trust anchors for that signer. Signers may have
+// multiple associated ClusterTrustBundles; each is an independent set of trust
+// anchors for that signer. Admission control is used to enforce that only users
+// with permissions on the signer can create or modify the corresponding bundle.
 type ClusterTrustBundleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata contains the object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ClusterTrustBundleSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the signer (if any) and trust anchors.
+	Spec *ClusterTrustBundleSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ClusterTrustBundle constructs a declarative configuration of the ClusterTrustBundle type for use with
@@ -45,29 +63,14 @@ func ClusterTrustBundle(name string) *ClusterTrustBundleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterTrustBundle extracts the applied configuration owned by fieldManager from
-// clusterTrustBundle. If no managedFields are found in clusterTrustBundle for fieldManager, a
-// ClusterTrustBundleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterTrustBundleFrom extracts the applied configuration owned by fieldManager from
+// clusterTrustBundle for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterTrustBundle must be a unmodified ClusterTrustBundle API object that was retrieved from the Kubernetes API.
-// ExtractClusterTrustBundle provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterTrustBundleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
-	return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "")
-}
-
-// ExtractClusterTrustBundleStatus is the same as ExtractClusterTrustBundle except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterTrustBundleStatus(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
-	return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "status")
-}
-
-func extractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string, subresource string) (*ClusterTrustBundleApplyConfiguration, error) {
+func ExtractClusterTrustBundleFrom(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string, subresource string) (*ClusterTrustBundleApplyConfiguration, error) {
 	b := &ClusterTrustBundleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterTrustBundle, internal.Parser().Type("io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +82,21 @@ func extractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterT
 	b.WithAPIVersion("certificates.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractClusterTrustBundle extracts the applied configuration owned by fieldManager from
+// clusterTrustBundle. If no managedFields are found in clusterTrustBundle for fieldManager, a
+// ClusterTrustBundleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterTrustBundle must be a unmodified ClusterTrustBundle API object that was retrieved from the Kubernetes API.
+// ExtractClusterTrustBundle provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterTrustBundle(clusterTrustBundle *certificatesv1alpha1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
+	return ExtractClusterTrustBundleFrom(clusterTrustBundle, fieldManager, "")
+}
+
 func (b ClusterTrustBundleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundlespec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundlespec.go
index 7bb36f7084df4..14ba99c6f875f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundlespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/clustertrustbundlespec.go
@@ -20,8 +20,39 @@ package v1alpha1
 
 // ClusterTrustBundleSpecApplyConfiguration represents a declarative configuration of the ClusterTrustBundleSpec type for use
 // with apply.
+//
+// ClusterTrustBundleSpec contains the signer and trust anchors.
 type ClusterTrustBundleSpecApplyConfiguration struct {
-	SignerName  *string `json:"signerName,omitempty"`
+	// signerName indicates the associated signer, if any.
+	//
+	// In order to create or update a ClusterTrustBundle that sets signerName,
+	// you must have the following cluster-scoped permission:
+	// group=certificates.k8s.io resource=signers resourceName=<the signer name>
+	// verb=attest.
+	//
+	// If signerName is not empty, then the ClusterTrustBundle object must be
+	// named with the signer name as a prefix (translating slashes to colons).
+	// For example, for the signer name `example.com/foo`, valid
+	// ClusterTrustBundle object names include `example.com:foo:abc` and
+	// `example.com:foo:v1`.
+	//
+	// If signerName is empty, then the ClusterTrustBundle object's name must
+	// not have such a prefix.
+	//
+	// List/watch requests for ClusterTrustBundles can filter on this field
+	// using a `spec.signerName=NAME` field selector.
+	SignerName *string `json:"signerName,omitempty"`
+	// trustBundle contains the individual X.509 trust anchors for this
+	// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
+	//
+	// The data must consist only of PEM certificate blocks that parse as valid
+	// X.509 certificates.  Each certificate must include a basic constraints
+	// extension with the CA bit set.  The API server will reject objects that
+	// contain duplicate certificates, or that use PEM block headers.
+	//
+	// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
+	// deduplicate certificate blocks in this file according to their own logic,
+	// as well as to drop PEM block headers and inter-block data.
 	TrustBundle *string `json:"trustBundle,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequest.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequest.go
deleted file mode 100644
index df6d15bf71326..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequest.go
+++ /dev/null
@@ -1,281 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
-	internal "k8s.io/client-go/applyconfigurations/internal"
-	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
-)
-
-// PodCertificateRequestApplyConfiguration represents a declarative configuration of the PodCertificateRequest type for use
-// with apply.
-type PodCertificateRequestApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
-	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *PodCertificateRequestSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *PodCertificateRequestStatusApplyConfiguration `json:"status,omitempty"`
-}
-
-// PodCertificateRequest constructs a declarative configuration of the PodCertificateRequest type for use with
-// apply.
-func PodCertificateRequest(name, namespace string) *PodCertificateRequestApplyConfiguration {
-	b := &PodCertificateRequestApplyConfiguration{}
-	b.WithName(name)
-	b.WithNamespace(namespace)
-	b.WithKind("PodCertificateRequest")
-	b.WithAPIVersion("certificates.k8s.io/v1alpha1")
-	return b
-}
-
-// ExtractPodCertificateRequest extracts the applied configuration owned by fieldManager from
-// podCertificateRequest. If no managedFields are found in podCertificateRequest for fieldManager, a
-// PodCertificateRequestApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
-// podCertificateRequest must be a unmodified PodCertificateRequest API object that was retrieved from the Kubernetes API.
-// ExtractPodCertificateRequest provides a way to perform a extract/modify-in-place/apply workflow.
-// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
-// applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractPodCertificateRequest(podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, fieldManager string) (*PodCertificateRequestApplyConfiguration, error) {
-	return extractPodCertificateRequest(podCertificateRequest, fieldManager, "")
-}
-
-// ExtractPodCertificateRequestStatus is the same as ExtractPodCertificateRequest except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPodCertificateRequestStatus(podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, fieldManager string) (*PodCertificateRequestApplyConfiguration, error) {
-	return extractPodCertificateRequest(podCertificateRequest, fieldManager, "status")
-}
-
-func extractPodCertificateRequest(podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, fieldManager string, subresource string) (*PodCertificateRequestApplyConfiguration, error) {
-	b := &PodCertificateRequestApplyConfiguration{}
-	err := managedfields.ExtractInto(podCertificateRequest, internal.Parser().Type("io.k8s.api.certificates.v1alpha1.PodCertificateRequest"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(podCertificateRequest.Name)
-	b.WithNamespace(podCertificateRequest.Namespace)
-
-	b.WithKind("PodCertificateRequest")
-	b.WithAPIVersion("certificates.k8s.io/v1alpha1")
-	return b, nil
-}
-func (b PodCertificateRequestApplyConfiguration) IsApplyConfiguration() {}
-
-// WithKind sets the Kind field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Kind field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithKind(value string) *PodCertificateRequestApplyConfiguration {
-	b.TypeMetaApplyConfiguration.Kind = &value
-	return b
-}
-
-// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the APIVersion field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithAPIVersion(value string) *PodCertificateRequestApplyConfiguration {
-	b.TypeMetaApplyConfiguration.APIVersion = &value
-	return b
-}
-
-// WithName sets the Name field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Name field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithName(value string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Name = &value
-	return b
-}
-
-// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the GenerateName field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithGenerateName(value string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.GenerateName = &value
-	return b
-}
-
-// WithNamespace sets the Namespace field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Namespace field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithNamespace(value string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Namespace = &value
-	return b
-}
-
-// WithUID sets the UID field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the UID field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithUID(value types.UID) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.UID = &value
-	return b
-}
-
-// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the ResourceVersion field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithResourceVersion(value string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
-	return b
-}
-
-// WithGeneration sets the Generation field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Generation field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithGeneration(value int64) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Generation = &value
-	return b
-}
-
-// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the CreationTimestamp field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithCreationTimestamp(value metav1.Time) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
-	return b
-}
-
-// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
-	return b
-}
-
-// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
-	return b
-}
-
-// WithLabels puts the entries into the Labels field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, the entries provided by each call will be put on the Labels field,
-// overwriting an existing map entries in Labels field with the same key.
-func (b *PodCertificateRequestApplyConfiguration) WithLabels(entries map[string]string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
-		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
-	}
-	for k, v := range entries {
-		b.ObjectMetaApplyConfiguration.Labels[k] = v
-	}
-	return b
-}
-
-// WithAnnotations puts the entries into the Annotations field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, the entries provided by each call will be put on the Annotations field,
-// overwriting an existing map entries in Annotations field with the same key.
-func (b *PodCertificateRequestApplyConfiguration) WithAnnotations(entries map[string]string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
-		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
-	}
-	for k, v := range entries {
-		b.ObjectMetaApplyConfiguration.Annotations[k] = v
-	}
-	return b
-}
-
-// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
-func (b *PodCertificateRequestApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	for i := range values {
-		if values[i] == nil {
-			panic("nil value passed to WithOwnerReferences")
-		}
-		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
-	}
-	return b
-}
-
-// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the Finalizers field.
-func (b *PodCertificateRequestApplyConfiguration) WithFinalizers(values ...string) *PodCertificateRequestApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	for i := range values {
-		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
-	}
-	return b
-}
-
-func (b *PodCertificateRequestApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
-	if b.ObjectMetaApplyConfiguration == nil {
-		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
-	}
-}
-
-// WithSpec sets the Spec field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Spec field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithSpec(value *PodCertificateRequestSpecApplyConfiguration) *PodCertificateRequestApplyConfiguration {
-	b.Spec = value
-	return b
-}
-
-// WithStatus sets the Status field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Status field is set to the value of the last call.
-func (b *PodCertificateRequestApplyConfiguration) WithStatus(value *PodCertificateRequestStatusApplyConfiguration) *PodCertificateRequestApplyConfiguration {
-	b.Status = value
-	return b
-}
-
-// GetKind retrieves the value of the Kind field in the declarative configuration.
-func (b *PodCertificateRequestApplyConfiguration) GetKind() *string {
-	return b.TypeMetaApplyConfiguration.Kind
-}
-
-// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
-func (b *PodCertificateRequestApplyConfiguration) GetAPIVersion() *string {
-	return b.TypeMetaApplyConfiguration.APIVersion
-}
-
-// GetName retrieves the value of the Name field in the declarative configuration.
-func (b *PodCertificateRequestApplyConfiguration) GetName() *string {
-	b.ensureObjectMetaApplyConfigurationExists()
-	return b.ObjectMetaApplyConfiguration.Name
-}
-
-// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
-func (b *PodCertificateRequestApplyConfiguration) GetNamespace() *string {
-	b.ensureObjectMetaApplyConfigurationExists()
-	return b.ObjectMetaApplyConfiguration.Namespace
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequestspec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequestspec.go
deleted file mode 100644
index 2ceb9bb2e8802..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequestspec.go
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	types "k8s.io/apimachinery/pkg/types"
-)
-
-// PodCertificateRequestSpecApplyConfiguration represents a declarative configuration of the PodCertificateRequestSpec type for use
-// with apply.
-type PodCertificateRequestSpecApplyConfiguration struct {
-	SignerName           *string         `json:"signerName,omitempty"`
-	PodName              *string         `json:"podName,omitempty"`
-	PodUID               *types.UID      `json:"podUID,omitempty"`
-	ServiceAccountName   *string         `json:"serviceAccountName,omitempty"`
-	ServiceAccountUID    *types.UID      `json:"serviceAccountUID,omitempty"`
-	NodeName             *types.NodeName `json:"nodeName,omitempty"`
-	NodeUID              *types.UID      `json:"nodeUID,omitempty"`
-	MaxExpirationSeconds *int32          `json:"maxExpirationSeconds,omitempty"`
-	PKIXPublicKey        []byte          `json:"pkixPublicKey,omitempty"`
-	ProofOfPossession    []byte          `json:"proofOfPossession,omitempty"`
-}
-
-// PodCertificateRequestSpecApplyConfiguration constructs a declarative configuration of the PodCertificateRequestSpec type for use with
-// apply.
-func PodCertificateRequestSpec() *PodCertificateRequestSpecApplyConfiguration {
-	return &PodCertificateRequestSpecApplyConfiguration{}
-}
-
-// WithSignerName sets the SignerName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the SignerName field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithSignerName(value string) *PodCertificateRequestSpecApplyConfiguration {
-	b.SignerName = &value
-	return b
-}
-
-// WithPodName sets the PodName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the PodName field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithPodName(value string) *PodCertificateRequestSpecApplyConfiguration {
-	b.PodName = &value
-	return b
-}
-
-// WithPodUID sets the PodUID field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the PodUID field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithPodUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
-	b.PodUID = &value
-	return b
-}
-
-// WithServiceAccountName sets the ServiceAccountName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the ServiceAccountName field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithServiceAccountName(value string) *PodCertificateRequestSpecApplyConfiguration {
-	b.ServiceAccountName = &value
-	return b
-}
-
-// WithServiceAccountUID sets the ServiceAccountUID field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the ServiceAccountUID field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithServiceAccountUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
-	b.ServiceAccountUID = &value
-	return b
-}
-
-// WithNodeName sets the NodeName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the NodeName field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithNodeName(value types.NodeName) *PodCertificateRequestSpecApplyConfiguration {
-	b.NodeName = &value
-	return b
-}
-
-// WithNodeUID sets the NodeUID field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the NodeUID field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithNodeUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
-	b.NodeUID = &value
-	return b
-}
-
-// WithMaxExpirationSeconds sets the MaxExpirationSeconds field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the MaxExpirationSeconds field is set to the value of the last call.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithMaxExpirationSeconds(value int32) *PodCertificateRequestSpecApplyConfiguration {
-	b.MaxExpirationSeconds = &value
-	return b
-}
-
-// WithPKIXPublicKey adds the given value to the PKIXPublicKey field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the PKIXPublicKey field.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithPKIXPublicKey(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
-	for i := range values {
-		b.PKIXPublicKey = append(b.PKIXPublicKey, values[i])
-	}
-	return b
-}
-
-// WithProofOfPossession adds the given value to the ProofOfPossession field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the ProofOfPossession field.
-func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
-	for i := range values {
-		b.ProofOfPossession = append(b.ProofOfPossession, values[i])
-	}
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequeststatus.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequeststatus.go
deleted file mode 100644
index ed5f52e73a1b1..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1alpha1/podcertificaterequeststatus.go
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
-)
-
-// PodCertificateRequestStatusApplyConfiguration represents a declarative configuration of the PodCertificateRequestStatus type for use
-// with apply.
-type PodCertificateRequestStatusApplyConfiguration struct {
-	Conditions       []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
-	CertificateChain *string                          `json:"certificateChain,omitempty"`
-	NotBefore        *metav1.Time                     `json:"notBefore,omitempty"`
-	BeginRefreshAt   *metav1.Time                     `json:"beginRefreshAt,omitempty"`
-	NotAfter         *metav1.Time                     `json:"notAfter,omitempty"`
-}
-
-// PodCertificateRequestStatusApplyConfiguration constructs a declarative configuration of the PodCertificateRequestStatus type for use with
-// apply.
-func PodCertificateRequestStatus() *PodCertificateRequestStatusApplyConfiguration {
-	return &PodCertificateRequestStatusApplyConfiguration{}
-}
-
-// WithConditions adds the given value to the Conditions field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the Conditions field.
-func (b *PodCertificateRequestStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *PodCertificateRequestStatusApplyConfiguration {
-	for i := range values {
-		if values[i] == nil {
-			panic("nil value passed to WithConditions")
-		}
-		b.Conditions = append(b.Conditions, *values[i])
-	}
-	return b
-}
-
-// WithCertificateChain sets the CertificateChain field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the CertificateChain field is set to the value of the last call.
-func (b *PodCertificateRequestStatusApplyConfiguration) WithCertificateChain(value string) *PodCertificateRequestStatusApplyConfiguration {
-	b.CertificateChain = &value
-	return b
-}
-
-// WithNotBefore sets the NotBefore field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the NotBefore field is set to the value of the last call.
-func (b *PodCertificateRequestStatusApplyConfiguration) WithNotBefore(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
-	b.NotBefore = &value
-	return b
-}
-
-// WithBeginRefreshAt sets the BeginRefreshAt field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the BeginRefreshAt field is set to the value of the last call.
-func (b *PodCertificateRequestStatusApplyConfiguration) WithBeginRefreshAt(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
-	b.BeginRefreshAt = &value
-	return b
-}
-
-// WithNotAfter sets the NotAfter field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the NotAfter field is set to the value of the last call.
-func (b *PodCertificateRequestStatusApplyConfiguration) WithNotAfter(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
-	b.NotAfter = &value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequest.go
index 49009d3b0d725..05e16d20545ea 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequest.go
@@ -29,11 +29,17 @@ import (
 
 // CertificateSigningRequestApplyConfiguration represents a declarative configuration of the CertificateSigningRequest type for use
 // with apply.
+//
+// Describes a certificate signing request
 type CertificateSigningRequestApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *CertificateSigningRequestSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *CertificateSigningRequestStatusApplyConfiguration `json:"status,omitempty"`
+	// spec contains the certificate request, and is immutable after creation.
+	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
+	// Other fields are derived by Kubernetes and cannot be modified by users.
+	Spec *CertificateSigningRequestSpecApplyConfiguration `json:"spec,omitempty"`
+	// Derived information about the request.
+	Status *CertificateSigningRequestStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // CertificateSigningRequest constructs a declarative configuration of the CertificateSigningRequest type for use with
@@ -46,6 +52,26 @@ func CertificateSigningRequest(name string) *CertificateSigningRequestApplyConfi
 	return b
 }
 
+// ExtractCertificateSigningRequestFrom extracts the applied configuration owned by fieldManager from
+// certificateSigningRequest for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// certificateSigningRequest must be a unmodified CertificateSigningRequest API object that was retrieved from the Kubernetes API.
+// ExtractCertificateSigningRequestFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCertificateSigningRequestFrom(certificateSigningRequest *certificatesv1beta1.CertificateSigningRequest, fieldManager string, subresource string) (*CertificateSigningRequestApplyConfiguration, error) {
+	b := &CertificateSigningRequestApplyConfiguration{}
+	err := managedfields.ExtractInto(certificateSigningRequest, internal.Parser().Type("io.k8s.api.certificates.v1beta1.CertificateSigningRequest"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(certificateSigningRequest.Name)
+
+	b.WithKind("CertificateSigningRequest")
+	b.WithAPIVersion("certificates.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractCertificateSigningRequest extracts the applied configuration owned by fieldManager from
 // certificateSigningRequest. If no managedFields are found in certificateSigningRequest for fieldManager, a
 // CertificateSigningRequestApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +82,16 @@ func CertificateSigningRequest(name string) *CertificateSigningRequestApplyConfi
 // ExtractCertificateSigningRequest provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractCertificateSigningRequest(certificateSigningRequest *certificatesv1beta1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
-	return extractCertificateSigningRequest(certificateSigningRequest, fieldManager, "")
+	return ExtractCertificateSigningRequestFrom(certificateSigningRequest, fieldManager, "")
 }
 
-// ExtractCertificateSigningRequestStatus is the same as ExtractCertificateSigningRequest except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractCertificateSigningRequestStatus extracts the applied configuration owned by fieldManager from
+// certificateSigningRequest for the status subresource.
 func ExtractCertificateSigningRequestStatus(certificateSigningRequest *certificatesv1beta1.CertificateSigningRequest, fieldManager string) (*CertificateSigningRequestApplyConfiguration, error) {
-	return extractCertificateSigningRequest(certificateSigningRequest, fieldManager, "status")
+	return ExtractCertificateSigningRequestFrom(certificateSigningRequest, fieldManager, "status")
 }
 
-func extractCertificateSigningRequest(certificateSigningRequest *certificatesv1beta1.CertificateSigningRequest, fieldManager string, subresource string) (*CertificateSigningRequestApplyConfiguration, error) {
-	b := &CertificateSigningRequestApplyConfiguration{}
-	err := managedfields.ExtractInto(certificateSigningRequest, internal.Parser().Type("io.k8s.api.certificates.v1beta1.CertificateSigningRequest"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(certificateSigningRequest.Name)
-
-	b.WithKind("CertificateSigningRequest")
-	b.WithAPIVersion("certificates.k8s.io/v1beta1")
-	return b, nil
-}
 func (b CertificateSigningRequestApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestcondition.go
index a845ec4047964..f88fc10c167c9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestcondition.go
@@ -27,12 +27,23 @@ import (
 // CertificateSigningRequestConditionApplyConfiguration represents a declarative configuration of the CertificateSigningRequestCondition type for use
 // with apply.
 type CertificateSigningRequestConditionApplyConfiguration struct {
-	Type               *certificatesv1beta1.RequestConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                       `json:"status,omitempty"`
-	Reason             *string                                   `json:"reason,omitempty"`
-	Message            *string                                   `json:"message,omitempty"`
-	LastUpdateTime     *metav1.Time                              `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                              `json:"lastTransitionTime,omitempty"`
+	// type of the condition. Known conditions include "Approved", "Denied", and "Failed".
+	Type *certificatesv1beta1.RequestConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+	// Defaults to "True".
+	// If unset, should be treated as "True".
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// brief reason for the request state
+	Reason *string `json:"reason,omitempty"`
+	// human readable message with details about the request state
+	Message *string `json:"message,omitempty"`
+	// timestamp for the last update to this condition
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// lastTransitionTime is the time the condition last transitioned from one status to another.
+	// If unset, when a new condition type is added or an existing condition's status is changed,
+	// the server defaults this to the current time.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
 }
 
 // CertificateSigningRequestConditionApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go
index ee4016c76d94f..f5186620b0480 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go
@@ -24,15 +24,84 @@ import (
 
 // CertificateSigningRequestSpecApplyConfiguration represents a declarative configuration of the CertificateSigningRequestSpec type for use
 // with apply.
+//
+// CertificateSigningRequestSpec contains the certificate request.
 type CertificateSigningRequestSpecApplyConfiguration struct {
-	Request           []byte                                    `json:"request,omitempty"`
-	SignerName        *string                                   `json:"signerName,omitempty"`
-	ExpirationSeconds *int32                                    `json:"expirationSeconds,omitempty"`
-	Usages            []certificatesv1beta1.KeyUsage            `json:"usages,omitempty"`
-	Username          *string                                   `json:"username,omitempty"`
-	UID               *string                                   `json:"uid,omitempty"`
-	Groups            []string                                  `json:"groups,omitempty"`
-	Extra             map[string]certificatesv1beta1.ExtraValue `json:"extra,omitempty"`
+	// Base64-encoded PKCS#10 CSR data
+	Request []byte `json:"request,omitempty"`
+	// Requested signer for the request. It is a qualified name in the form:
+	// `scope-hostname.io/name`.
+	// If empty, it will be defaulted:
+	// 1. If it's a kubelet client certificate, it is assigned
+	// "kubernetes.io/kube-apiserver-client-kubelet".
+	// 2. If it's a kubelet serving certificate, it is assigned
+	// "kubernetes.io/kubelet-serving".
+	// 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
+	// Distribution of trust for signers happens out of band.
+	// You can select on this field using `spec.signerName`.
+	SignerName *string `json:"signerName,omitempty"`
+	// expirationSeconds is the requested duration of validity of the issued
+	// certificate. The certificate signer may issue a certificate with a different
+	// validity duration so a client must check the delta between the notBefore and
+	// and notAfter fields in the issued certificate to determine the actual duration.
+	//
+	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
+	// honor this field as long as the requested duration is not greater than the
+	// maximum duration they will honor per the --cluster-signing-duration CLI
+	// flag to the Kubernetes controller manager.
+	//
+	// Certificate signers may not honor this field for various reasons:
+	//
+	// 1. Old signer that is unaware of the field (such as the in-tree
+	// implementations prior to v1.22)
+	// 2. Signer whose configured maximum is shorter than the requested duration
+	// 3. Signer whose configured minimum is longer than the requested duration
+	//
+	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+	ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"`
+	// allowedUsages specifies a set of usage contexts the key will be
+	// valid for.
+	// See:
+	// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+	// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+	//
+	// Valid values are:
+	// "signing",
+	// "digital signature",
+	// "content commitment",
+	// "key encipherment",
+	// "key agreement",
+	// "data encipherment",
+	// "cert sign",
+	// "crl sign",
+	// "encipher only",
+	// "decipher only",
+	// "any",
+	// "server auth",
+	// "client auth",
+	// "code signing",
+	// "email protection",
+	// "s/mime",
+	// "ipsec end system",
+	// "ipsec tunnel",
+	// "ipsec user",
+	// "timestamping",
+	// "ocsp signing",
+	// "microsoft sgc",
+	// "netscape sgc"
+	Usages []certificatesv1beta1.KeyUsage `json:"usages,omitempty"`
+	// Information about the requesting user.
+	// See user.Info interface for details.
+	Username *string `json:"username,omitempty"`
+	// UID information about the requesting user.
+	// See user.Info interface for details.
+	UID *string `json:"uid,omitempty"`
+	// Group information about the requesting user.
+	// See user.Info interface for details.
+	Groups []string `json:"groups,omitempty"`
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	Extra map[string]certificatesv1beta1.ExtraValue `json:"extra,omitempty"`
 }
 
 // CertificateSigningRequestSpecApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequeststatus.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequeststatus.go
index f82e8aed3bca9..f2de25704f3b0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequeststatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/certificatesigningrequeststatus.go
@@ -21,8 +21,10 @@ package v1beta1
 // CertificateSigningRequestStatusApplyConfiguration represents a declarative configuration of the CertificateSigningRequestStatus type for use
 // with apply.
 type CertificateSigningRequestStatusApplyConfiguration struct {
-	Conditions  []CertificateSigningRequestConditionApplyConfiguration `json:"conditions,omitempty"`
-	Certificate []byte                                                 `json:"certificate,omitempty"`
+	// Conditions applied to the request, such as approval or denial.
+	Conditions []CertificateSigningRequestConditionApplyConfiguration `json:"conditions,omitempty"`
+	// If request was approved, the controller will place the issued certificate here.
+	Certificate []byte `json:"certificate,omitempty"`
 }
 
 // CertificateSigningRequestStatusApplyConfiguration constructs a declarative configuration of the CertificateSigningRequestStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundle.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundle.go
index dc0dab1ae9e36..7f8be00ce4362 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundle.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundle.go
@@ -29,10 +29,28 @@ import (
 
 // ClusterTrustBundleApplyConfiguration represents a declarative configuration of the ClusterTrustBundle type for use
 // with apply.
+//
+// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
+// (root certificates).
+//
+// ClusterTrustBundle objects are considered to be readable by any authenticated
+// user in the cluster, because they can be mounted by pods using the
+// `clusterTrustBundle` projection.  All service accounts have read access to
+// ClusterTrustBundles by default.  Users who only have namespace-level access
+// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
+// that they have access to.
+//
+// It can be optionally associated with a particular assigner, in which case it
+// contains one valid set of trust anchors for that signer. Signers may have
+// multiple associated ClusterTrustBundles; each is an independent set of trust
+// anchors for that signer. Admission control is used to enforce that only users
+// with permissions on the signer can create or modify the corresponding bundle.
 type ClusterTrustBundleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata contains the object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ClusterTrustBundleSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the signer (if any) and trust anchors.
+	Spec *ClusterTrustBundleSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ClusterTrustBundle constructs a declarative configuration of the ClusterTrustBundle type for use with
@@ -45,29 +63,14 @@ func ClusterTrustBundle(name string) *ClusterTrustBundleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterTrustBundle extracts the applied configuration owned by fieldManager from
-// clusterTrustBundle. If no managedFields are found in clusterTrustBundle for fieldManager, a
-// ClusterTrustBundleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterTrustBundleFrom extracts the applied configuration owned by fieldManager from
+// clusterTrustBundle for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterTrustBundle must be a unmodified ClusterTrustBundle API object that was retrieved from the Kubernetes API.
-// ExtractClusterTrustBundle provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterTrustBundleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterTrustBundle(clusterTrustBundle *certificatesv1beta1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
-	return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "")
-}
-
-// ExtractClusterTrustBundleStatus is the same as ExtractClusterTrustBundle except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterTrustBundleStatus(clusterTrustBundle *certificatesv1beta1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
-	return extractClusterTrustBundle(clusterTrustBundle, fieldManager, "status")
-}
-
-func extractClusterTrustBundle(clusterTrustBundle *certificatesv1beta1.ClusterTrustBundle, fieldManager string, subresource string) (*ClusterTrustBundleApplyConfiguration, error) {
+func ExtractClusterTrustBundleFrom(clusterTrustBundle *certificatesv1beta1.ClusterTrustBundle, fieldManager string, subresource string) (*ClusterTrustBundleApplyConfiguration, error) {
 	b := &ClusterTrustBundleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterTrustBundle, internal.Parser().Type("io.k8s.api.certificates.v1beta1.ClusterTrustBundle"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +82,21 @@ func extractClusterTrustBundle(clusterTrustBundle *certificatesv1beta1.ClusterTr
 	b.WithAPIVersion("certificates.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractClusterTrustBundle extracts the applied configuration owned by fieldManager from
+// clusterTrustBundle. If no managedFields are found in clusterTrustBundle for fieldManager, a
+// ClusterTrustBundleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterTrustBundle must be a unmodified ClusterTrustBundle API object that was retrieved from the Kubernetes API.
+// ExtractClusterTrustBundle provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterTrustBundle(clusterTrustBundle *certificatesv1beta1.ClusterTrustBundle, fieldManager string) (*ClusterTrustBundleApplyConfiguration, error) {
+	return ExtractClusterTrustBundleFrom(clusterTrustBundle, fieldManager, "")
+}
+
 func (b ClusterTrustBundleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundlespec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundlespec.go
index 157a9efa840e9..a130051bb362b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundlespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/clustertrustbundlespec.go
@@ -20,8 +20,39 @@ package v1beta1
 
 // ClusterTrustBundleSpecApplyConfiguration represents a declarative configuration of the ClusterTrustBundleSpec type for use
 // with apply.
+//
+// ClusterTrustBundleSpec contains the signer and trust anchors.
 type ClusterTrustBundleSpecApplyConfiguration struct {
-	SignerName  *string `json:"signerName,omitempty"`
+	// signerName indicates the associated signer, if any.
+	//
+	// In order to create or update a ClusterTrustBundle that sets signerName,
+	// you must have the following cluster-scoped permission:
+	// group=certificates.k8s.io resource=signers resourceName=<the signer name>
+	// verb=attest.
+	//
+	// If signerName is not empty, then the ClusterTrustBundle object must be
+	// named with the signer name as a prefix (translating slashes to colons).
+	// For example, for the signer name `example.com/foo`, valid
+	// ClusterTrustBundle object names include `example.com:foo:abc` and
+	// `example.com:foo:v1`.
+	//
+	// If signerName is empty, then the ClusterTrustBundle object's name must
+	// not have such a prefix.
+	//
+	// List/watch requests for ClusterTrustBundles can filter on this field
+	// using a `spec.signerName=NAME` field selector.
+	SignerName *string `json:"signerName,omitempty"`
+	// trustBundle contains the individual X.509 trust anchors for this
+	// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
+	//
+	// The data must consist only of PEM certificate blocks that parse as valid
+	// X.509 certificates.  Each certificate must include a basic constraints
+	// extension with the CA bit set.  The API server will reject objects that
+	// contain duplicate certificates, or that use PEM block headers.
+	//
+	// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
+	// deduplicate certificate blocks in this file according to their own logic,
+	// as well as to drop PEM block headers and inter-block data.
 	TrustBundle *string `json:"trustBundle,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequest.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequest.go
new file mode 100644
index 0000000000000..447172552c165
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequest.go
@@ -0,0 +1,295 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// PodCertificateRequestApplyConfiguration represents a declarative configuration of the PodCertificateRequest type for use
+// with apply.
+//
+// PodCertificateRequest encodes a pod requesting a certificate from a given
+// signer.
+//
+// Kubelets use this API to implement podCertificate projected volumes
+type PodCertificateRequestApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata contains the object metadata.
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// spec contains the details about the certificate being requested.
+	Spec *PodCertificateRequestSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the issued certificate, and a standard set of conditions.
+	Status *PodCertificateRequestStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// PodCertificateRequest constructs a declarative configuration of the PodCertificateRequest type for use with
+// apply.
+func PodCertificateRequest(name, namespace string) *PodCertificateRequestApplyConfiguration {
+	b := &PodCertificateRequestApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("PodCertificateRequest")
+	b.WithAPIVersion("certificates.k8s.io/v1beta1")
+	return b
+}
+
+// ExtractPodCertificateRequestFrom extracts the applied configuration owned by fieldManager from
+// podCertificateRequest for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// podCertificateRequest must be a unmodified PodCertificateRequest API object that was retrieved from the Kubernetes API.
+// ExtractPodCertificateRequestFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodCertificateRequestFrom(podCertificateRequest *certificatesv1beta1.PodCertificateRequest, fieldManager string, subresource string) (*PodCertificateRequestApplyConfiguration, error) {
+	b := &PodCertificateRequestApplyConfiguration{}
+	err := managedfields.ExtractInto(podCertificateRequest, internal.Parser().Type("io.k8s.api.certificates.v1beta1.PodCertificateRequest"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(podCertificateRequest.Name)
+	b.WithNamespace(podCertificateRequest.Namespace)
+
+	b.WithKind("PodCertificateRequest")
+	b.WithAPIVersion("certificates.k8s.io/v1beta1")
+	return b, nil
+}
+
+// ExtractPodCertificateRequest extracts the applied configuration owned by fieldManager from
+// podCertificateRequest. If no managedFields are found in podCertificateRequest for fieldManager, a
+// PodCertificateRequestApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// podCertificateRequest must be a unmodified PodCertificateRequest API object that was retrieved from the Kubernetes API.
+// ExtractPodCertificateRequest provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodCertificateRequest(podCertificateRequest *certificatesv1beta1.PodCertificateRequest, fieldManager string) (*PodCertificateRequestApplyConfiguration, error) {
+	return ExtractPodCertificateRequestFrom(podCertificateRequest, fieldManager, "")
+}
+
+// ExtractPodCertificateRequestStatus extracts the applied configuration owned by fieldManager from
+// podCertificateRequest for the status subresource.
+func ExtractPodCertificateRequestStatus(podCertificateRequest *certificatesv1beta1.PodCertificateRequest, fieldManager string) (*PodCertificateRequestApplyConfiguration, error) {
+	return ExtractPodCertificateRequestFrom(podCertificateRequest, fieldManager, "status")
+}
+
+func (b PodCertificateRequestApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithKind(value string) *PodCertificateRequestApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithAPIVersion(value string) *PodCertificateRequestApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithName(value string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithGenerateName(value string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithNamespace(value string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithUID(value types.UID) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithResourceVersion(value string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithGeneration(value int64) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithCreationTimestamp(value metav1.Time) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *PodCertificateRequestApplyConfiguration) WithLabels(entries map[string]string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *PodCertificateRequestApplyConfiguration) WithAnnotations(entries map[string]string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *PodCertificateRequestApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *PodCertificateRequestApplyConfiguration) WithFinalizers(values ...string) *PodCertificateRequestApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *PodCertificateRequestApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithSpec(value *PodCertificateRequestSpecApplyConfiguration) *PodCertificateRequestApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *PodCertificateRequestApplyConfiguration) WithStatus(value *PodCertificateRequestStatusApplyConfiguration) *PodCertificateRequestApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *PodCertificateRequestApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *PodCertificateRequestApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *PodCertificateRequestApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *PodCertificateRequestApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
new file mode 100644
index 0000000000000..234420c40ab8d
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequestspec.go
@@ -0,0 +1,214 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	types "k8s.io/apimachinery/pkg/types"
+)
+
+// PodCertificateRequestSpecApplyConfiguration represents a declarative configuration of the PodCertificateRequestSpec type for use
+// with apply.
+//
+// PodCertificateRequestSpec describes the certificate request.  All fields are
+// immutable after creation.
+type PodCertificateRequestSpecApplyConfiguration struct {
+	// signerName indicates the requested signer.
+	//
+	// All signer names beginning with `kubernetes.io` are reserved for use by
+	// the Kubernetes project.  There is currently one well-known signer
+	// documented by the Kubernetes project,
+	// `kubernetes.io/kube-apiserver-client-pod`, which will issue client
+	// certificates understood by kube-apiserver.  It is currently
+	// unimplemented.
+	SignerName *string `json:"signerName,omitempty"`
+	// podName is the name of the pod into which the certificate will be mounted.
+	PodName *string `json:"podName,omitempty"`
+	// podUID is the UID of the pod into which the certificate will be mounted.
+	PodUID *types.UID `json:"podUID,omitempty"`
+	// serviceAccountName is the name of the service account the pod is running as.
+	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
+	// serviceAccountUID is the UID of the service account the pod is running as.
+	ServiceAccountUID *types.UID `json:"serviceAccountUID,omitempty"`
+	// nodeName is the name of the node the pod is assigned to.
+	NodeName *types.NodeName `json:"nodeName,omitempty"`
+	// nodeUID is the UID of the node the pod is assigned to.
+	NodeUID *types.UID `json:"nodeUID,omitempty"`
+	// maxExpirationSeconds is the maximum lifetime permitted for the
+	// certificate.
+	//
+	// If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+	// will reject values shorter than 3600 (1 hour).  The maximum allowable
+	// value is 7862400 (91 days).
+	//
+	// The signer implementation is then free to issue a certificate with any
+	// lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+	// seconds (1 hour).  This constraint is enforced by kube-apiserver.
+	// `kubernetes.io` signers will never issue certificates with a lifetime
+	// longer than 24 hours.
+	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"`
+	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
+	// certificate to.
+	//
+	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
+	// or ED25519. Note that this list may be expanded in the future.
+	//
+	// Signer implementations do not need to support all key types supported by
+	// kube-apiserver and kubelet.  If a signer does not support the key type
+	// used for a given PodCertificateRequest, it must deny the request by
+	// setting a status.conditions entry with a type of "Denied" and a reason of
+	// "UnsupportedKeyType". It may also suggest a key type that it does support
+	// in the message field.
+	PKIXPublicKey []byte `json:"pkixPublicKey,omitempty"`
+	// proofOfPossession proves that the requesting kubelet holds the private
+	// key corresponding to pkixPublicKey.
+	//
+	// It is contructed by signing the ASCII bytes of the pod's UID using
+	// `pkixPublicKey`.
+	//
+	// kube-apiserver validates the proof of possession during creation of the
+	// PodCertificateRequest.
+	//
+	// If the key is an RSA key, then the signature is over the ASCII bytes of
+	// the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
+	// function crypto/rsa.SignPSS with nil options).
+	//
+	// If the key is an ECDSA key, then the signature is as described by [SEC 1,
+	// Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
+	// golang library function crypto/ecdsa.SignASN1)
+	//
+	// If the key is an ED25519 key, the the signature is as described by the
+	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
+	// the golang library crypto/ed25519.Sign).
+	ProofOfPossession []byte `json:"proofOfPossession,omitempty"`
+	// unverifiedUserAnnotations allow pod authors to pass additional information to
+	// the signer implementation.  Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support.  Signers should
+	// deny requests that contain keys they do not recognize.
+	UnverifiedUserAnnotations map[string]string `json:"unverifiedUserAnnotations,omitempty"`
+}
+
+// PodCertificateRequestSpecApplyConfiguration constructs a declarative configuration of the PodCertificateRequestSpec type for use with
+// apply.
+func PodCertificateRequestSpec() *PodCertificateRequestSpecApplyConfiguration {
+	return &PodCertificateRequestSpecApplyConfiguration{}
+}
+
+// WithSignerName sets the SignerName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SignerName field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithSignerName(value string) *PodCertificateRequestSpecApplyConfiguration {
+	b.SignerName = &value
+	return b
+}
+
+// WithPodName sets the PodName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodName field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithPodName(value string) *PodCertificateRequestSpecApplyConfiguration {
+	b.PodName = &value
+	return b
+}
+
+// WithPodUID sets the PodUID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodUID field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithPodUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
+	b.PodUID = &value
+	return b
+}
+
+// WithServiceAccountName sets the ServiceAccountName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountName field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithServiceAccountName(value string) *PodCertificateRequestSpecApplyConfiguration {
+	b.ServiceAccountName = &value
+	return b
+}
+
+// WithServiceAccountUID sets the ServiceAccountUID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountUID field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithServiceAccountUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
+	b.ServiceAccountUID = &value
+	return b
+}
+
+// WithNodeName sets the NodeName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NodeName field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithNodeName(value types.NodeName) *PodCertificateRequestSpecApplyConfiguration {
+	b.NodeName = &value
+	return b
+}
+
+// WithNodeUID sets the NodeUID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NodeUID field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithNodeUID(value types.UID) *PodCertificateRequestSpecApplyConfiguration {
+	b.NodeUID = &value
+	return b
+}
+
+// WithMaxExpirationSeconds sets the MaxExpirationSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MaxExpirationSeconds field is set to the value of the last call.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithMaxExpirationSeconds(value int32) *PodCertificateRequestSpecApplyConfiguration {
+	b.MaxExpirationSeconds = &value
+	return b
+}
+
+// WithPKIXPublicKey adds the given value to the PKIXPublicKey field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the PKIXPublicKey field.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithPKIXPublicKey(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
+	for i := range values {
+		b.PKIXPublicKey = append(b.PKIXPublicKey, values[i])
+	}
+	return b
+}
+
+// WithProofOfPossession adds the given value to the ProofOfPossession field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ProofOfPossession field.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithProofOfPossession(values ...byte) *PodCertificateRequestSpecApplyConfiguration {
+	for i := range values {
+		b.ProofOfPossession = append(b.ProofOfPossession, values[i])
+	}
+	return b
+}
+
+// WithUnverifiedUserAnnotations puts the entries into the UnverifiedUserAnnotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the UnverifiedUserAnnotations field,
+// overwriting an existing map entries in UnverifiedUserAnnotations field with the same key.
+func (b *PodCertificateRequestSpecApplyConfiguration) WithUnverifiedUserAnnotations(entries map[string]string) *PodCertificateRequestSpecApplyConfiguration {
+	if b.UnverifiedUserAnnotations == nil && len(entries) > 0 {
+		b.UnverifiedUserAnnotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.UnverifiedUserAnnotations[k] = v
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequeststatus.go b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequeststatus.go
new file mode 100644
index 0000000000000..ae3e956904d84
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/certificates/v1beta1/podcertificaterequeststatus.go
@@ -0,0 +1,133 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// PodCertificateRequestStatusApplyConfiguration represents a declarative configuration of the PodCertificateRequestStatus type for use
+// with apply.
+//
+// PodCertificateRequestStatus describes the status of the request, and holds
+// the certificate data if the request is issued.
+type PodCertificateRequestStatusApplyConfiguration struct {
+	// conditions applied to the request.
+	//
+	// The types "Issued", "Denied", and "Failed" have special handling.  At
+	// most one of these conditions may be present, and they must have status
+	// "True".
+	//
+	// If the request is denied with `Reason=UnsupportedKeyType`, the signer may
+	// suggest a key type that will work in the message field.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// certificateChain is populated with an issued certificate by the signer.
+	// This field is set via the /status subresource. Once populated, this field
+	// is immutable.
+	//
+	// If the certificate signing request is denied, a condition of type
+	// "Denied" is added and this field remains empty. If the signer cannot
+	// issue the certificate, a condition of type "Failed" is added and this
+	// field remains empty.
+	//
+	// Validation requirements:
+	// 1. certificateChain must consist of one or more PEM-formatted certificates.
+	// 2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
+	// described in section 4 of RFC5280.
+	//
+	// If more than one block is present, and the definition of the requested
+	// spec.signerName does not indicate otherwise, the first block is the
+	// issued certificate, and subsequent blocks should be treated as
+	// intermediate certificates and presented in TLS handshakes.  When
+	// projecting the chain into a pod volume, kubelet will drop any data
+	// in-between the PEM blocks, as well as any PEM block headers.
+	CertificateChain *string `json:"certificateChain,omitempty"`
+	// notBefore is the time at which the certificate becomes valid.  The value
+	// must be the same as the notBefore value in the leaf certificate in
+	// certificateChain.  This field is set via the /status subresource.  Once
+	// populated, it is immutable. The signer must set this field at the same
+	// time it sets certificateChain.
+	NotBefore *metav1.Time `json:"notBefore,omitempty"`
+	// beginRefreshAt is the time at which the kubelet should begin trying to
+	// refresh the certificate.  This field is set via the /status subresource,
+	// and must be set at the same time as certificateChain.  Once populated,
+	// this field is immutable.
+	//
+	// This field is only a hint.  Kubelet may start refreshing before or after
+	// this time if necessary.
+	BeginRefreshAt *metav1.Time `json:"beginRefreshAt,omitempty"`
+	// notAfter is the time at which the certificate expires.  The value must be
+	// the same as the notAfter value in the leaf certificate in
+	// certificateChain.  This field is set via the /status subresource.  Once
+	// populated, it is immutable.  The signer must set this field at the same
+	// time it sets certificateChain.
+	NotAfter *metav1.Time `json:"notAfter,omitempty"`
+}
+
+// PodCertificateRequestStatusApplyConfiguration constructs a declarative configuration of the PodCertificateRequestStatus type for use with
+// apply.
+func PodCertificateRequestStatus() *PodCertificateRequestStatusApplyConfiguration {
+	return &PodCertificateRequestStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *PodCertificateRequestStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *PodCertificateRequestStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
+
+// WithCertificateChain sets the CertificateChain field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CertificateChain field is set to the value of the last call.
+func (b *PodCertificateRequestStatusApplyConfiguration) WithCertificateChain(value string) *PodCertificateRequestStatusApplyConfiguration {
+	b.CertificateChain = &value
+	return b
+}
+
+// WithNotBefore sets the NotBefore field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NotBefore field is set to the value of the last call.
+func (b *PodCertificateRequestStatusApplyConfiguration) WithNotBefore(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
+	b.NotBefore = &value
+	return b
+}
+
+// WithBeginRefreshAt sets the BeginRefreshAt field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BeginRefreshAt field is set to the value of the last call.
+func (b *PodCertificateRequestStatusApplyConfiguration) WithBeginRefreshAt(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
+	b.BeginRefreshAt = &value
+	return b
+}
+
+// WithNotAfter sets the NotAfter field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NotAfter field is set to the value of the last call.
+func (b *PodCertificateRequestStatusApplyConfiguration) WithNotAfter(value metav1.Time) *PodCertificateRequestStatusApplyConfiguration {
+	b.NotAfter = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/lease.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/lease.go
index 1918345671cf2..de18339754e9b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/lease.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/lease.go
@@ -29,10 +29,15 @@ import (
 
 // LeaseApplyConfiguration represents a declarative configuration of the Lease type for use
 // with apply.
+//
+// Lease defines a lease concept.
 type LeaseApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *LeaseSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *LeaseSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // Lease constructs a declarative configuration of the Lease type for use with
@@ -46,29 +51,14 @@ func Lease(name, namespace string) *LeaseApplyConfiguration {
 	return b
 }
 
-// ExtractLease extracts the applied configuration owned by fieldManager from
-// lease. If no managedFields are found in lease for fieldManager, a
-// LeaseApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractLeaseFrom extracts the applied configuration owned by fieldManager from
+// lease for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // lease must be a unmodified Lease API object that was retrieved from the Kubernetes API.
-// ExtractLease provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractLeaseFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractLease(lease *coordinationv1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
-	return extractLease(lease, fieldManager, "")
-}
-
-// ExtractLeaseStatus is the same as ExtractLease except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractLeaseStatus(lease *coordinationv1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
-	return extractLease(lease, fieldManager, "status")
-}
-
-func extractLease(lease *coordinationv1.Lease, fieldManager string, subresource string) (*LeaseApplyConfiguration, error) {
+func ExtractLeaseFrom(lease *coordinationv1.Lease, fieldManager string, subresource string) (*LeaseApplyConfiguration, error) {
 	b := &LeaseApplyConfiguration{}
 	err := managedfields.ExtractInto(lease, internal.Parser().Type("io.k8s.api.coordination.v1.Lease"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +71,21 @@ func extractLease(lease *coordinationv1.Lease, fieldManager string, subresource
 	b.WithAPIVersion("coordination.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractLease extracts the applied configuration owned by fieldManager from
+// lease. If no managedFields are found in lease for fieldManager, a
+// LeaseApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// lease must be a unmodified Lease API object that was retrieved from the Kubernetes API.
+// ExtractLease provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractLease(lease *coordinationv1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
+	return ExtractLeaseFrom(lease, fieldManager, "")
+}
+
 func (b LeaseApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/leasespec.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/leasespec.go
index d0099872c89bc..4dca58e2e5720 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/leasespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1/leasespec.go
@@ -25,14 +25,33 @@ import (
 
 // LeaseSpecApplyConfiguration represents a declarative configuration of the LeaseSpec type for use
 // with apply.
+//
+// LeaseSpec is a specification of a Lease.
 type LeaseSpecApplyConfiguration struct {
-	HolderIdentity       *string                                  `json:"holderIdentity,omitempty"`
-	LeaseDurationSeconds *int32                                   `json:"leaseDurationSeconds,omitempty"`
-	AcquireTime          *metav1.MicroTime                        `json:"acquireTime,omitempty"`
-	RenewTime            *metav1.MicroTime                        `json:"renewTime,omitempty"`
-	LeaseTransitions     *int32                                   `json:"leaseTransitions,omitempty"`
-	Strategy             *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
-	PreferredHolder      *string                                  `json:"preferredHolder,omitempty"`
+	// holderIdentity contains the identity of the holder of a current lease.
+	// If Coordinated Leader Election is used, the holder identity must be
+	// equal to the elected LeaseCandidate.metadata.name field.
+	HolderIdentity *string `json:"holderIdentity,omitempty"`
+	// leaseDurationSeconds is a duration that candidates for a lease need
+	// to wait to force acquire it. This is measured against the time of last
+	// observed renewTime.
+	LeaseDurationSeconds *int32 `json:"leaseDurationSeconds,omitempty"`
+	// acquireTime is a time when the current lease was acquired.
+	AcquireTime *metav1.MicroTime `json:"acquireTime,omitempty"`
+	// renewTime is a time when the current holder of a lease has last
+	// updated the lease.
+	RenewTime *metav1.MicroTime `json:"renewTime,omitempty"`
+	// leaseTransitions is the number of transitions of a lease between
+	// holders.
+	LeaseTransitions *int32 `json:"leaseTransitions,omitempty"`
+	// Strategy indicates the strategy for picking the leader for coordinated leader election.
+	// If the field is not specified, there is no active coordination for this lease.
+	// (Alpha) Using this field requires the CoordinatedLeaderElection feature gate to be enabled.
+	Strategy *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
+	// PreferredHolder signals to a lease holder that the lease has a
+	// more optimal holder and should be given up.
+	// This field can only be set if Strategy is also set.
+	PreferredHolder *string `json:"preferredHolder,omitempty"`
 }
 
 // LeaseSpecApplyConfiguration constructs a declarative configuration of the LeaseSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidate.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidate.go
index e3d9b5ab68378..73150cb43a445 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidate.go
@@ -29,10 +29,16 @@ import (
 
 // LeaseCandidateApplyConfiguration represents a declarative configuration of the LeaseCandidate type for use
 // with apply.
+//
+// LeaseCandidate defines a candidate for a Lease object.
+// Candidates are created such that coordinated leader election will pick the best leader from the list of candidates.
 type LeaseCandidateApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *LeaseCandidateSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *LeaseCandidateSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // LeaseCandidate constructs a declarative configuration of the LeaseCandidate type for use with
@@ -46,29 +52,14 @@ func LeaseCandidate(name, namespace string) *LeaseCandidateApplyConfiguration {
 	return b
 }
 
-// ExtractLeaseCandidate extracts the applied configuration owned by fieldManager from
-// leaseCandidate. If no managedFields are found in leaseCandidate for fieldManager, a
-// LeaseCandidateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractLeaseCandidateFrom extracts the applied configuration owned by fieldManager from
+// leaseCandidate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // leaseCandidate must be a unmodified LeaseCandidate API object that was retrieved from the Kubernetes API.
-// ExtractLeaseCandidate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractLeaseCandidateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractLeaseCandidate(leaseCandidate *coordinationv1alpha2.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
-	return extractLeaseCandidate(leaseCandidate, fieldManager, "")
-}
-
-// ExtractLeaseCandidateStatus is the same as ExtractLeaseCandidate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractLeaseCandidateStatus(leaseCandidate *coordinationv1alpha2.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
-	return extractLeaseCandidate(leaseCandidate, fieldManager, "status")
-}
-
-func extractLeaseCandidate(leaseCandidate *coordinationv1alpha2.LeaseCandidate, fieldManager string, subresource string) (*LeaseCandidateApplyConfiguration, error) {
+func ExtractLeaseCandidateFrom(leaseCandidate *coordinationv1alpha2.LeaseCandidate, fieldManager string, subresource string) (*LeaseCandidateApplyConfiguration, error) {
 	b := &LeaseCandidateApplyConfiguration{}
 	err := managedfields.ExtractInto(leaseCandidate, internal.Parser().Type("io.k8s.api.coordination.v1alpha2.LeaseCandidate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractLeaseCandidate(leaseCandidate *coordinationv1alpha2.LeaseCandidate,
 	b.WithAPIVersion("coordination.k8s.io/v1alpha2")
 	return b, nil
 }
+
+// ExtractLeaseCandidate extracts the applied configuration owned by fieldManager from
+// leaseCandidate. If no managedFields are found in leaseCandidate for fieldManager, a
+// LeaseCandidateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// leaseCandidate must be a unmodified LeaseCandidate API object that was retrieved from the Kubernetes API.
+// ExtractLeaseCandidate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractLeaseCandidate(leaseCandidate *coordinationv1alpha2.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
+	return ExtractLeaseCandidateFrom(leaseCandidate, fieldManager, "")
+}
+
 func (b LeaseCandidateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidatespec.go
index f52aaab24beb9..44a2db06ffa0c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1alpha2/leasecandidatespec.go
@@ -25,13 +25,37 @@ import (
 
 // LeaseCandidateSpecApplyConfiguration represents a declarative configuration of the LeaseCandidateSpec type for use
 // with apply.
+//
+// LeaseCandidateSpec is a specification of a Lease.
 type LeaseCandidateSpecApplyConfiguration struct {
-	LeaseName        *string                                  `json:"leaseName,omitempty"`
-	PingTime         *v1.MicroTime                            `json:"pingTime,omitempty"`
-	RenewTime        *v1.MicroTime                            `json:"renewTime,omitempty"`
-	BinaryVersion    *string                                  `json:"binaryVersion,omitempty"`
-	EmulationVersion *string                                  `json:"emulationVersion,omitempty"`
-	Strategy         *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
+	// LeaseName is the name of the lease for which this candidate is contending.
+	// This field is immutable.
+	LeaseName *string `json:"leaseName,omitempty"`
+	// PingTime is the last time that the server has requested the LeaseCandidate
+	// to renew. It is only done during leader election to check if any
+	// LeaseCandidates have become ineligible. When PingTime is updated, the
+	// LeaseCandidate will respond by updating RenewTime.
+	PingTime *v1.MicroTime `json:"pingTime,omitempty"`
+	// RenewTime is the time that the LeaseCandidate was last updated.
+	// Any time a Lease needs to do leader election, the PingTime field
+	// is updated to signal to the LeaseCandidate that they should update
+	// the RenewTime.
+	// Old LeaseCandidate objects are also garbage collected if it has been hours
+	// since the last renew. The PingTime field is updated regularly to prevent
+	// garbage collection for still active LeaseCandidates.
+	RenewTime *v1.MicroTime `json:"renewTime,omitempty"`
+	// BinaryVersion is the binary version. It must be in a semver format without leading `v`.
+	// This field is required.
+	BinaryVersion *string `json:"binaryVersion,omitempty"`
+	// EmulationVersion is the emulation version. It must be in a semver format without leading `v`.
+	// EmulationVersion must be less than or equal to BinaryVersion.
+	// This field is required when strategy is "OldestEmulationVersion"
+	EmulationVersion *string `json:"emulationVersion,omitempty"`
+	// Strategy is the strategy that coordinated leader election will use for picking the leader.
+	// If multiple candidates for the same Lease return different strategies, the strategy provided
+	// by the candidate with the latest BinaryVersion will be used. If there is still conflict,
+	// this is a user error and coordinated leader election will not operate the Lease until resolved.
+	Strategy *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
 }
 
 // LeaseCandidateSpecApplyConfiguration constructs a declarative configuration of the LeaseCandidateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/lease.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/lease.go
index 377d8f493a1b9..38263059a88d1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/lease.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/lease.go
@@ -29,10 +29,15 @@ import (
 
 // LeaseApplyConfiguration represents a declarative configuration of the Lease type for use
 // with apply.
+//
+// Lease defines a lease concept.
 type LeaseApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *LeaseSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *LeaseSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // Lease constructs a declarative configuration of the Lease type for use with
@@ -46,29 +51,14 @@ func Lease(name, namespace string) *LeaseApplyConfiguration {
 	return b
 }
 
-// ExtractLease extracts the applied configuration owned by fieldManager from
-// lease. If no managedFields are found in lease for fieldManager, a
-// LeaseApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractLeaseFrom extracts the applied configuration owned by fieldManager from
+// lease for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // lease must be a unmodified Lease API object that was retrieved from the Kubernetes API.
-// ExtractLease provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractLeaseFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractLease(lease *coordinationv1beta1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
-	return extractLease(lease, fieldManager, "")
-}
-
-// ExtractLeaseStatus is the same as ExtractLease except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractLeaseStatus(lease *coordinationv1beta1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
-	return extractLease(lease, fieldManager, "status")
-}
-
-func extractLease(lease *coordinationv1beta1.Lease, fieldManager string, subresource string) (*LeaseApplyConfiguration, error) {
+func ExtractLeaseFrom(lease *coordinationv1beta1.Lease, fieldManager string, subresource string) (*LeaseApplyConfiguration, error) {
 	b := &LeaseApplyConfiguration{}
 	err := managedfields.ExtractInto(lease, internal.Parser().Type("io.k8s.api.coordination.v1beta1.Lease"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +71,21 @@ func extractLease(lease *coordinationv1beta1.Lease, fieldManager string, subreso
 	b.WithAPIVersion("coordination.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractLease extracts the applied configuration owned by fieldManager from
+// lease. If no managedFields are found in lease for fieldManager, a
+// LeaseApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// lease must be a unmodified Lease API object that was retrieved from the Kubernetes API.
+// ExtractLease provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractLease(lease *coordinationv1beta1.Lease, fieldManager string) (*LeaseApplyConfiguration, error) {
+	return ExtractLeaseFrom(lease, fieldManager, "")
+}
+
 func (b LeaseApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidate.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidate.go
index 57c0c85911643..4670d9d2b9335 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidate.go
@@ -29,10 +29,16 @@ import (
 
 // LeaseCandidateApplyConfiguration represents a declarative configuration of the LeaseCandidate type for use
 // with apply.
+//
+// LeaseCandidate defines a candidate for a Lease object.
+// Candidates are created such that coordinated leader election will pick the best leader from the list of candidates.
 type LeaseCandidateApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *LeaseCandidateSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *LeaseCandidateSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // LeaseCandidate constructs a declarative configuration of the LeaseCandidate type for use with
@@ -46,29 +52,14 @@ func LeaseCandidate(name, namespace string) *LeaseCandidateApplyConfiguration {
 	return b
 }
 
-// ExtractLeaseCandidate extracts the applied configuration owned by fieldManager from
-// leaseCandidate. If no managedFields are found in leaseCandidate for fieldManager, a
-// LeaseCandidateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractLeaseCandidateFrom extracts the applied configuration owned by fieldManager from
+// leaseCandidate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // leaseCandidate must be a unmodified LeaseCandidate API object that was retrieved from the Kubernetes API.
-// ExtractLeaseCandidate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractLeaseCandidateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractLeaseCandidate(leaseCandidate *coordinationv1beta1.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
-	return extractLeaseCandidate(leaseCandidate, fieldManager, "")
-}
-
-// ExtractLeaseCandidateStatus is the same as ExtractLeaseCandidate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractLeaseCandidateStatus(leaseCandidate *coordinationv1beta1.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
-	return extractLeaseCandidate(leaseCandidate, fieldManager, "status")
-}
-
-func extractLeaseCandidate(leaseCandidate *coordinationv1beta1.LeaseCandidate, fieldManager string, subresource string) (*LeaseCandidateApplyConfiguration, error) {
+func ExtractLeaseCandidateFrom(leaseCandidate *coordinationv1beta1.LeaseCandidate, fieldManager string, subresource string) (*LeaseCandidateApplyConfiguration, error) {
 	b := &LeaseCandidateApplyConfiguration{}
 	err := managedfields.ExtractInto(leaseCandidate, internal.Parser().Type("io.k8s.api.coordination.v1beta1.LeaseCandidate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractLeaseCandidate(leaseCandidate *coordinationv1beta1.LeaseCandidate, f
 	b.WithAPIVersion("coordination.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractLeaseCandidate extracts the applied configuration owned by fieldManager from
+// leaseCandidate. If no managedFields are found in leaseCandidate for fieldManager, a
+// LeaseCandidateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// leaseCandidate must be a unmodified LeaseCandidate API object that was retrieved from the Kubernetes API.
+// ExtractLeaseCandidate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractLeaseCandidate(leaseCandidate *coordinationv1beta1.LeaseCandidate, fieldManager string) (*LeaseCandidateApplyConfiguration, error) {
+	return ExtractLeaseCandidateFrom(leaseCandidate, fieldManager, "")
+}
+
 func (b LeaseCandidateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidatespec.go
index c3ea12c813c5b..6b146dc494936 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasecandidatespec.go
@@ -25,13 +25,39 @@ import (
 
 // LeaseCandidateSpecApplyConfiguration represents a declarative configuration of the LeaseCandidateSpec type for use
 // with apply.
+//
+// LeaseCandidateSpec is a specification of a Lease.
 type LeaseCandidateSpecApplyConfiguration struct {
-	LeaseName        *string                                  `json:"leaseName,omitempty"`
-	PingTime         *v1.MicroTime                            `json:"pingTime,omitempty"`
-	RenewTime        *v1.MicroTime                            `json:"renewTime,omitempty"`
-	BinaryVersion    *string                                  `json:"binaryVersion,omitempty"`
-	EmulationVersion *string                                  `json:"emulationVersion,omitempty"`
-	Strategy         *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
+	// LeaseName is the name of the lease for which this candidate is contending.
+	// The limits on this field are the same as on Lease.name. Multiple lease candidates
+	// may reference the same Lease.name.
+	// This field is immutable.
+	LeaseName *string `json:"leaseName,omitempty"`
+	// PingTime is the last time that the server has requested the LeaseCandidate
+	// to renew. It is only done during leader election to check if any
+	// LeaseCandidates have become ineligible. When PingTime is updated, the
+	// LeaseCandidate will respond by updating RenewTime.
+	PingTime *v1.MicroTime `json:"pingTime,omitempty"`
+	// RenewTime is the time that the LeaseCandidate was last updated.
+	// Any time a Lease needs to do leader election, the PingTime field
+	// is updated to signal to the LeaseCandidate that they should update
+	// the RenewTime.
+	// Old LeaseCandidate objects are also garbage collected if it has been hours
+	// since the last renew. The PingTime field is updated regularly to prevent
+	// garbage collection for still active LeaseCandidates.
+	RenewTime *v1.MicroTime `json:"renewTime,omitempty"`
+	// BinaryVersion is the binary version. It must be in a semver format without leading `v`.
+	// This field is required.
+	BinaryVersion *string `json:"binaryVersion,omitempty"`
+	// EmulationVersion is the emulation version. It must be in a semver format without leading `v`.
+	// EmulationVersion must be less than or equal to BinaryVersion.
+	// This field is required when strategy is "OldestEmulationVersion"
+	EmulationVersion *string `json:"emulationVersion,omitempty"`
+	// Strategy is the strategy that coordinated leader election will use for picking the leader.
+	// If multiple candidates for the same Lease return different strategies, the strategy provided
+	// by the candidate with the latest BinaryVersion will be used. If there is still conflict,
+	// this is a user error and coordinated leader election will not operate the Lease until resolved.
+	Strategy *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
 }
 
 // LeaseCandidateSpecApplyConfiguration constructs a declarative configuration of the LeaseCandidateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasespec.go b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasespec.go
index 8c7fddfc614b5..db40b83592b9b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/coordination/v1beta1/leasespec.go
@@ -25,14 +25,31 @@ import (
 
 // LeaseSpecApplyConfiguration represents a declarative configuration of the LeaseSpec type for use
 // with apply.
+//
+// LeaseSpec is a specification of a Lease.
 type LeaseSpecApplyConfiguration struct {
-	HolderIdentity       *string                                  `json:"holderIdentity,omitempty"`
-	LeaseDurationSeconds *int32                                   `json:"leaseDurationSeconds,omitempty"`
-	AcquireTime          *v1.MicroTime                            `json:"acquireTime,omitempty"`
-	RenewTime            *v1.MicroTime                            `json:"renewTime,omitempty"`
-	LeaseTransitions     *int32                                   `json:"leaseTransitions,omitempty"`
-	Strategy             *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
-	PreferredHolder      *string                                  `json:"preferredHolder,omitempty"`
+	// holderIdentity contains the identity of the holder of a current lease.
+	// If Coordinated Leader Election is used, the holder identity must be
+	// equal to the elected LeaseCandidate.metadata.name field.
+	HolderIdentity *string `json:"holderIdentity,omitempty"`
+	// leaseDurationSeconds is a duration that candidates for a lease need
+	// to wait to force acquire it. This is measure against time of last
+	// observed renewTime.
+	LeaseDurationSeconds *int32 `json:"leaseDurationSeconds,omitempty"`
+	// acquireTime is a time when the current lease was acquired.
+	AcquireTime *v1.MicroTime `json:"acquireTime,omitempty"`
+	// renewTime is a time when the current holder of a lease has last
+	// updated the lease.
+	RenewTime *v1.MicroTime `json:"renewTime,omitempty"`
+	// leaseTransitions is the number of transitions of a lease between
+	// holders.
+	LeaseTransitions *int32 `json:"leaseTransitions,omitempty"`
+	// Strategy indicates the strategy for picking the leader for coordinated leader election
+	// (Alpha) Using this field requires the CoordinatedLeaderElection feature gate to be enabled.
+	Strategy *coordinationv1.CoordinatedLeaseStrategy `json:"strategy,omitempty"`
+	// PreferredHolder signals to a lease holder that the lease has a
+	// more optimal holder and should be given up.
+	PreferredHolder *string `json:"preferredHolder,omitempty"`
 }
 
 // LeaseSpecApplyConfiguration constructs a declarative configuration of the LeaseSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/affinity.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/affinity.go
index 45484f140dc15..6ee627b8a1856 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/affinity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/affinity.go
@@ -20,9 +20,14 @@ package v1
 
 // AffinityApplyConfiguration represents a declarative configuration of the Affinity type for use
 // with apply.
+//
+// Affinity is a group of affinity scheduling rules.
 type AffinityApplyConfiguration struct {
-	NodeAffinity    *NodeAffinityApplyConfiguration    `json:"nodeAffinity,omitempty"`
-	PodAffinity     *PodAffinityApplyConfiguration     `json:"podAffinity,omitempty"`
+	// Describes node affinity scheduling rules for the pod.
+	NodeAffinity *NodeAffinityApplyConfiguration `json:"nodeAffinity,omitempty"`
+	// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+	PodAffinity *PodAffinityApplyConfiguration `json:"podAffinity,omitempty"`
+	// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
 	PodAntiAffinity *PodAntiAffinityApplyConfiguration `json:"podAntiAffinity,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/apparmorprofile.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/apparmorprofile.go
index 3f7de21b390e5..27a4289a7478e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/apparmorprofile.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/apparmorprofile.go
@@ -24,9 +24,20 @@ import (
 
 // AppArmorProfileApplyConfiguration represents a declarative configuration of the AppArmorProfile type for use
 // with apply.
+//
+// AppArmorProfile defines a pod or container's AppArmor settings.
 type AppArmorProfileApplyConfiguration struct {
-	Type             *corev1.AppArmorProfileType `json:"type,omitempty"`
-	LocalhostProfile *string                     `json:"localhostProfile,omitempty"`
+	// type indicates which kind of AppArmor profile will be applied.
+	// Valid options are:
+	// Localhost - a profile pre-loaded on the node.
+	// RuntimeDefault - the container runtime's default profile.
+	// Unconfined - no AppArmor enforcement.
+	Type *corev1.AppArmorProfileType `json:"type,omitempty"`
+	// localhostProfile indicates a profile loaded on the node that should be used.
+	// The profile must be preconfigured on the node to work.
+	// Must match the loaded name of the profile.
+	// Must be set if and only if type is "Localhost".
+	LocalhostProfile *string `json:"localhostProfile,omitempty"`
 }
 
 // AppArmorProfileApplyConfiguration constructs a declarative configuration of the AppArmorProfile type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/attachedvolume.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/attachedvolume.go
index 2c76161a10309..a3e956290511d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/attachedvolume.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/attachedvolume.go
@@ -24,9 +24,13 @@ import (
 
 // AttachedVolumeApplyConfiguration represents a declarative configuration of the AttachedVolume type for use
 // with apply.
+//
+// AttachedVolume describes a volume attached to a node
 type AttachedVolumeApplyConfiguration struct {
-	Name       *corev1.UniqueVolumeName `json:"name,omitempty"`
-	DevicePath *string                  `json:"devicePath,omitempty"`
+	// Name of the attached volume
+	Name *corev1.UniqueVolumeName `json:"name,omitempty"`
+	// DevicePath represents the device path where the volume should be available
+	DevicePath *string `json:"devicePath,omitempty"`
 }
 
 // AttachedVolumeApplyConfiguration constructs a declarative configuration of the AttachedVolume type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/awselasticblockstorevolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/awselasticblockstorevolumesource.go
index d08786965e900..04f206f872298 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/awselasticblockstorevolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/awselasticblockstorevolumesource.go
@@ -20,11 +20,31 @@ package v1
 
 // AWSElasticBlockStoreVolumeSourceApplyConfiguration represents a declarative configuration of the AWSElasticBlockStoreVolumeSource type for use
 // with apply.
+//
+// Represents a Persistent Disk resource in AWS.
+//
+// An AWS EBS disk must exist before mounting to a container. The disk
+// must also be in the same AWS zone as the kubelet. An AWS EBS disk
+// can only be mounted as read/write once. AWS EBS volumes support
+// ownership management and SELinux relabeling.
 type AWSElasticBlockStoreVolumeSourceApplyConfiguration struct {
-	VolumeID  *string `json:"volumeID,omitempty"`
-	FSType    *string `json:"fsType,omitempty"`
-	Partition *int32  `json:"partition,omitempty"`
-	ReadOnly  *bool   `json:"readOnly,omitempty"`
+	// volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	VolumeID *string `json:"volumeID,omitempty"`
+	// fsType is the filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// partition is the partition in the volume that you want to mount.
+	// If omitted, the default is to mount by volume name.
+	// Examples: For volume /dev/sda1, you specify the partition as "1".
+	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+	Partition *int32 `json:"partition,omitempty"`
+	// readOnly value true will force the readOnly setting in VolumeMounts.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // AWSElasticBlockStoreVolumeSourceApplyConfiguration constructs a declarative configuration of the AWSElasticBlockStoreVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurediskvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurediskvolumesource.go
index d4d20dfa91b7d..bb0464262ae9f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurediskvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurediskvolumesource.go
@@ -24,13 +24,24 @@ import (
 
 // AzureDiskVolumeSourceApplyConfiguration represents a declarative configuration of the AzureDiskVolumeSource type for use
 // with apply.
+//
+// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
 type AzureDiskVolumeSourceApplyConfiguration struct {
-	DiskName    *string                          `json:"diskName,omitempty"`
-	DataDiskURI *string                          `json:"diskURI,omitempty"`
+	// diskName is the Name of the data disk in the blob storage
+	DiskName *string `json:"diskName,omitempty"`
+	// diskURI is the URI of data disk in the blob storage
+	DataDiskURI *string `json:"diskURI,omitempty"`
+	// cachingMode is the Host Caching mode: None, Read Only, Read Write.
 	CachingMode *corev1.AzureDataDiskCachingMode `json:"cachingMode,omitempty"`
-	FSType      *string                          `json:"fsType,omitempty"`
-	ReadOnly    *bool                            `json:"readOnly,omitempty"`
-	Kind        *corev1.AzureDataDiskKind        `json:"kind,omitempty"`
+	// fsType is Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// kind expected values are Shared: multiple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
+	Kind *corev1.AzureDataDiskKind `json:"kind,omitempty"`
 }
 
 // AzureDiskVolumeSourceApplyConfiguration constructs a declarative configuration of the AzureDiskVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilepersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilepersistentvolumesource.go
index 70a6b17be8831..db55eb1e6285c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilepersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilepersistentvolumesource.go
@@ -20,10 +20,18 @@ package v1
 
 // AzureFilePersistentVolumeSourceApplyConfiguration represents a declarative configuration of the AzureFilePersistentVolumeSource type for use
 // with apply.
+//
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
 type AzureFilePersistentVolumeSourceApplyConfiguration struct {
-	SecretName      *string `json:"secretName,omitempty"`
-	ShareName       *string `json:"shareName,omitempty"`
-	ReadOnly        *bool   `json:"readOnly,omitempty"`
+	// secretName is the name of secret that contains Azure Storage Account Name and Key
+	SecretName *string `json:"secretName,omitempty"`
+	// shareName is the azure Share Name
+	ShareName *string `json:"shareName,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key
+	// default is the same as the Pod
 	SecretNamespace *string `json:"secretNamespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilevolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilevolumesource.go
index ff0c867919ec2..af5c62363cb86 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilevolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/azurefilevolumesource.go
@@ -20,10 +20,16 @@ package v1
 
 // AzureFileVolumeSourceApplyConfiguration represents a declarative configuration of the AzureFileVolumeSource type for use
 // with apply.
+//
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
 type AzureFileVolumeSourceApplyConfiguration struct {
+	// secretName is the  name of secret that contains Azure Storage Account Name and Key
 	SecretName *string `json:"secretName,omitempty"`
-	ShareName  *string `json:"shareName,omitempty"`
-	ReadOnly   *bool   `json:"readOnly,omitempty"`
+	// shareName is the azure share Name
+	ShareName *string `json:"shareName,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // AzureFileVolumeSourceApplyConfiguration constructs a declarative configuration of the AzureFileVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/capabilities.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/capabilities.go
index e5c52b3c13724..f9f6b0e01b6e3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/capabilities.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/capabilities.go
@@ -24,8 +24,12 @@ import (
 
 // CapabilitiesApplyConfiguration represents a declarative configuration of the Capabilities type for use
 // with apply.
+//
+// Adds and removes POSIX capabilities from running containers.
 type CapabilitiesApplyConfiguration struct {
-	Add  []corev1.Capability `json:"add,omitempty"`
+	// Added capabilities
+	Add []corev1.Capability `json:"add,omitempty"`
+	// Removed capabilities
 	Drop []corev1.Capability `json:"drop,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfspersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfspersistentvolumesource.go
index f3ee2d03e9f0f..c2ce40a806a33 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfspersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfspersistentvolumesource.go
@@ -20,13 +20,28 @@ package v1
 
 // CephFSPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the CephFSPersistentVolumeSource type for use
 // with apply.
+//
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
 type CephFSPersistentVolumeSourceApplyConfiguration struct {
-	Monitors   []string                           `json:"monitors,omitempty"`
-	Path       *string                            `json:"path,omitempty"`
-	User       *string                            `json:"user,omitempty"`
-	SecretFile *string                            `json:"secretFile,omitempty"`
-	SecretRef  *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly   *bool                              `json:"readOnly,omitempty"`
+	// monitors is Required: Monitors is a collection of Ceph monitors
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	Monitors []string `json:"monitors,omitempty"`
+	// path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+	Path *string `json:"path,omitempty"`
+	// user is Optional: User is the rados user name, default is admin
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	User *string `json:"user,omitempty"`
+	// secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	SecretFile *string `json:"secretFile,omitempty"`
+	// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // CephFSPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the CephFSPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfsvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfsvolumesource.go
index 77d53d6eb0447..0ce5126ec2e09 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfsvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cephfsvolumesource.go
@@ -20,13 +20,28 @@ package v1
 
 // CephFSVolumeSourceApplyConfiguration represents a declarative configuration of the CephFSVolumeSource type for use
 // with apply.
+//
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
 type CephFSVolumeSourceApplyConfiguration struct {
-	Monitors   []string                                `json:"monitors,omitempty"`
-	Path       *string                                 `json:"path,omitempty"`
-	User       *string                                 `json:"user,omitempty"`
-	SecretFile *string                                 `json:"secretFile,omitempty"`
-	SecretRef  *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly   *bool                                   `json:"readOnly,omitempty"`
+	// monitors is Required: Monitors is a collection of Ceph monitors
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	Monitors []string `json:"monitors,omitempty"`
+	// path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+	Path *string `json:"path,omitempty"`
+	// user is optional: User is the rados user name, default is admin
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	User *string `json:"user,omitempty"`
+	// secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	SecretFile *string `json:"secretFile,omitempty"`
+	// secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // CephFSVolumeSourceApplyConfiguration constructs a declarative configuration of the CephFSVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cinderpersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cinderpersistentvolumesource.go
index b26573488291f..6771d87492218 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cinderpersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cinderpersistentvolumesource.go
@@ -20,10 +20,26 @@ package v1
 
 // CinderPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the CinderPersistentVolumeSource type for use
 // with apply.
+//
+// Represents a cinder volume resource in Openstack.
+// A Cinder volume must exist before mounting to a container.
+// The volume must also be in the same region as the kubelet.
+// Cinder volumes support ownership management and SELinux relabeling.
 type CinderPersistentVolumeSourceApplyConfiguration struct {
-	VolumeID  *string                            `json:"volumeID,omitempty"`
-	FSType    *string                            `json:"fsType,omitempty"`
-	ReadOnly  *bool                              `json:"readOnly,omitempty"`
+	// volumeID used to identify the volume in cinder.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	VolumeID *string `json:"volumeID,omitempty"`
+	// fsType Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// secretRef is Optional: points to a secret object containing parameters used to connect
+	// to OpenStack.
 	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cindervolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cindervolumesource.go
index 131cbf219c6d7..b19fcee385c46 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cindervolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/cindervolumesource.go
@@ -20,10 +20,26 @@ package v1
 
 // CinderVolumeSourceApplyConfiguration represents a declarative configuration of the CinderVolumeSource type for use
 // with apply.
+//
+// Represents a cinder volume resource in Openstack.
+// A Cinder volume must exist before mounting to a container.
+// The volume must also be in the same region as the kubelet.
+// Cinder volumes support ownership management and SELinux relabeling.
 type CinderVolumeSourceApplyConfiguration struct {
-	VolumeID  *string                                 `json:"volumeID,omitempty"`
-	FSType    *string                                 `json:"fsType,omitempty"`
-	ReadOnly  *bool                                   `json:"readOnly,omitempty"`
+	// volumeID used to identify the volume in cinder.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	VolumeID *string `json:"volumeID,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// secretRef is optional: points to a secret object containing parameters used to connect
+	// to OpenStack.
 	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clientipconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clientipconfig.go
index 02c4e55e1383d..3fed4e3520627 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clientipconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clientipconfig.go
@@ -20,7 +20,12 @@ package v1
 
 // ClientIPConfigApplyConfiguration represents a declarative configuration of the ClientIPConfig type for use
 // with apply.
+//
+// ClientIPConfig represents the configurations of Client IP based session affinity.
 type ClientIPConfigApplyConfiguration struct {
+	// timeoutSeconds specifies the seconds of ClientIP type session sticky time.
+	// The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
+	// Default value is 10800(for 3 hours).
 	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clustertrustbundleprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clustertrustbundleprojection.go
index ab1c578c85863..00eec6b377bcf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clustertrustbundleprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/clustertrustbundleprojection.go
@@ -24,12 +24,31 @@ import (
 
 // ClusterTrustBundleProjectionApplyConfiguration represents a declarative configuration of the ClusterTrustBundleProjection type for use
 // with apply.
+//
+// ClusterTrustBundleProjection describes how to select a set of
+// ClusterTrustBundle objects and project their contents into the pod
+// filesystem.
 type ClusterTrustBundleProjectionApplyConfiguration struct {
-	Name          *string                                 `json:"name,omitempty"`
-	SignerName    *string                                 `json:"signerName,omitempty"`
+	// Select a single ClusterTrustBundle by object name.  Mutually-exclusive
+	// with signerName and labelSelector.
+	Name *string `json:"name,omitempty"`
+	// Select all ClusterTrustBundles that match this signer name.
+	// Mutually-exclusive with name.  The contents of all selected
+	// ClusterTrustBundles will be unified and deduplicated.
+	SignerName *string `json:"signerName,omitempty"`
+	// Select all ClusterTrustBundles that match this label selector.  Only has
+	// effect if signerName is set.  Mutually-exclusive with name.  If unset,
+	// interpreted as "match nothing".  If set but empty, interpreted as "match
+	// everything".
 	LabelSelector *metav1.LabelSelectorApplyConfiguration `json:"labelSelector,omitempty"`
-	Optional      *bool                                   `json:"optional,omitempty"`
-	Path          *string                                 `json:"path,omitempty"`
+	// If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+	// aren't available.  If using name, then the named ClusterTrustBundle is
+	// allowed not to exist.  If using signerName, then the combination of
+	// signerName and labelSelector is allowed to match zero
+	// ClusterTrustBundles.
+	Optional *bool `json:"optional,omitempty"`
+	// Relative path from the volume root to write the bundle.
+	Path *string `json:"path,omitempty"`
 }
 
 // ClusterTrustBundleProjectionApplyConfiguration constructs a declarative configuration of the ClusterTrustBundleProjection type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentcondition.go
index 60be6fe801173..954a7e4c75331 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentcondition.go
@@ -24,11 +24,21 @@ import (
 
 // ComponentConditionApplyConfiguration represents a declarative configuration of the ComponentCondition type for use
 // with apply.
+//
+// Information about the condition of a component.
 type ComponentConditionApplyConfiguration struct {
-	Type    *corev1.ComponentConditionType `json:"type,omitempty"`
-	Status  *corev1.ConditionStatus        `json:"status,omitempty"`
-	Message *string                        `json:"message,omitempty"`
-	Error   *string                        `json:"error,omitempty"`
+	// Type of condition for a component.
+	// Valid value: "Healthy"
+	Type *corev1.ComponentConditionType `json:"type,omitempty"`
+	// Status of the condition for a component.
+	// Valid values for "Healthy": "True", "False", or "Unknown".
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Message about the condition for a component.
+	// For example, information about a health check.
+	Message *string `json:"message,omitempty"`
+	// Condition error code for a component.
+	// For example, a health check error code.
+	Error *string `json:"error,omitempty"`
 }
 
 // ComponentConditionApplyConfiguration constructs a declarative configuration of the ComponentCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentstatus.go
index 567446df87098..5b9b7f32cebd8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/componentstatus.go
@@ -29,10 +29,16 @@ import (
 
 // ComponentStatusApplyConfiguration represents a declarative configuration of the ComponentStatus type for use
 // with apply.
+//
+// ComponentStatus (and ComponentStatusList) holds the cluster validation info.
+// Deprecated: This API is deprecated in v1.19+
 type ComponentStatusApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Conditions                           []ComponentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// List of component conditions observed
+	Conditions []ComponentConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ComponentStatus constructs a declarative configuration of the ComponentStatus type for use with
@@ -45,29 +51,14 @@ func ComponentStatus(name string) *ComponentStatusApplyConfiguration {
 	return b
 }
 
-// ExtractComponentStatus extracts the applied configuration owned by fieldManager from
-// componentStatus. If no managedFields are found in componentStatus for fieldManager, a
-// ComponentStatusApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractComponentStatusFrom extracts the applied configuration owned by fieldManager from
+// componentStatus for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // componentStatus must be a unmodified ComponentStatus API object that was retrieved from the Kubernetes API.
-// ExtractComponentStatus provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractComponentStatusFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractComponentStatus(componentStatus *corev1.ComponentStatus, fieldManager string) (*ComponentStatusApplyConfiguration, error) {
-	return extractComponentStatus(componentStatus, fieldManager, "")
-}
-
-// ExtractComponentStatusStatus is the same as ExtractComponentStatus except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractComponentStatusStatus(componentStatus *corev1.ComponentStatus, fieldManager string) (*ComponentStatusApplyConfiguration, error) {
-	return extractComponentStatus(componentStatus, fieldManager, "status")
-}
-
-func extractComponentStatus(componentStatus *corev1.ComponentStatus, fieldManager string, subresource string) (*ComponentStatusApplyConfiguration, error) {
+func ExtractComponentStatusFrom(componentStatus *corev1.ComponentStatus, fieldManager string, subresource string) (*ComponentStatusApplyConfiguration, error) {
 	b := &ComponentStatusApplyConfiguration{}
 	err := managedfields.ExtractInto(componentStatus, internal.Parser().Type("io.k8s.api.core.v1.ComponentStatus"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +70,21 @@ func extractComponentStatus(componentStatus *corev1.ComponentStatus, fieldManage
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractComponentStatus extracts the applied configuration owned by fieldManager from
+// componentStatus. If no managedFields are found in componentStatus for fieldManager, a
+// ComponentStatusApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// componentStatus must be a unmodified ComponentStatus API object that was retrieved from the Kubernetes API.
+// ExtractComponentStatus provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractComponentStatus(componentStatus *corev1.ComponentStatus, fieldManager string) (*ComponentStatusApplyConfiguration, error) {
+	return ExtractComponentStatusFrom(componentStatus, fieldManager, "")
+}
+
 func (b ComponentStatusApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmap.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmap.go
index 496f7cadbeee6..d638482048a06 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmap.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmap.go
@@ -29,12 +29,32 @@ import (
 
 // ConfigMapApplyConfiguration represents a declarative configuration of the ConfigMap type for use
 // with apply.
+//
+// ConfigMap holds configuration data for pods to consume.
 type ConfigMapApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Immutable                            *bool             `json:"immutable,omitempty"`
-	Data                                 map[string]string `json:"data,omitempty"`
-	BinaryData                           map[string][]byte `json:"binaryData,omitempty"`
+	// Immutable, if set to true, ensures that data stored in the ConfigMap cannot
+	// be updated (only object metadata can be modified).
+	// If not set to true, the field can be modified at any time.
+	// Defaulted to nil.
+	Immutable *bool `json:"immutable,omitempty"`
+	// Data contains the configuration data.
+	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
+	// Values with non-UTF-8 byte sequences must use the BinaryData field.
+	// The keys stored in Data must not overlap with the keys in
+	// the BinaryData field, this is enforced during validation process.
+	Data map[string]string `json:"data,omitempty"`
+	// BinaryData contains the binary data.
+	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
+	// BinaryData can contain byte sequences that are not in the UTF-8 range.
+	// The keys stored in BinaryData must not overlap with the ones in
+	// the Data field, this is enforced during validation process.
+	// Using this field will require 1.10+ apiserver and
+	// kubelet.
+	BinaryData map[string][]byte `json:"binaryData,omitempty"`
 }
 
 // ConfigMap constructs a declarative configuration of the ConfigMap type for use with
@@ -48,29 +68,14 @@ func ConfigMap(name, namespace string) *ConfigMapApplyConfiguration {
 	return b
 }
 
-// ExtractConfigMap extracts the applied configuration owned by fieldManager from
-// configMap. If no managedFields are found in configMap for fieldManager, a
-// ConfigMapApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractConfigMapFrom extracts the applied configuration owned by fieldManager from
+// configMap for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // configMap must be a unmodified ConfigMap API object that was retrieved from the Kubernetes API.
-// ExtractConfigMap provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractConfigMapFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractConfigMap(configMap *corev1.ConfigMap, fieldManager string) (*ConfigMapApplyConfiguration, error) {
-	return extractConfigMap(configMap, fieldManager, "")
-}
-
-// ExtractConfigMapStatus is the same as ExtractConfigMap except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractConfigMapStatus(configMap *corev1.ConfigMap, fieldManager string) (*ConfigMapApplyConfiguration, error) {
-	return extractConfigMap(configMap, fieldManager, "status")
-}
-
-func extractConfigMap(configMap *corev1.ConfigMap, fieldManager string, subresource string) (*ConfigMapApplyConfiguration, error) {
+func ExtractConfigMapFrom(configMap *corev1.ConfigMap, fieldManager string, subresource string) (*ConfigMapApplyConfiguration, error) {
 	b := &ConfigMapApplyConfiguration{}
 	err := managedfields.ExtractInto(configMap, internal.Parser().Type("io.k8s.api.core.v1.ConfigMap"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +88,21 @@ func extractConfigMap(configMap *corev1.ConfigMap, fieldManager string, subresou
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractConfigMap extracts the applied configuration owned by fieldManager from
+// configMap. If no managedFields are found in configMap for fieldManager, a
+// ConfigMapApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// configMap must be a unmodified ConfigMap API object that was retrieved from the Kubernetes API.
+// ExtractConfigMap provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractConfigMap(configMap *corev1.ConfigMap, fieldManager string) (*ConfigMapApplyConfiguration, error) {
+	return ExtractConfigMapFrom(configMap, fieldManager, "")
+}
+
 func (b ConfigMapApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapenvsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapenvsource.go
index 4c0d2cbdd9df7..c2c067b2c416d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapenvsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapenvsource.go
@@ -20,9 +20,17 @@ package v1
 
 // ConfigMapEnvSourceApplyConfiguration represents a declarative configuration of the ConfigMapEnvSource type for use
 // with apply.
+//
+// ConfigMapEnvSource selects a ConfigMap to populate the environment
+// variables with.
+//
+// The contents of the target ConfigMap's Data field will represent the
+// key-value pairs as environment variables.
 type ConfigMapEnvSourceApplyConfiguration struct {
+	// The ConfigMap to select from.
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Optional                               *bool `json:"optional,omitempty"`
+	// Specify whether the ConfigMap must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // ConfigMapEnvSourceApplyConfiguration constructs a declarative configuration of the ConfigMapEnvSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapkeyselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapkeyselector.go
index 97c0e7210aa53..415edded52864 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapkeyselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapkeyselector.go
@@ -20,10 +20,15 @@ package v1
 
 // ConfigMapKeySelectorApplyConfiguration represents a declarative configuration of the ConfigMapKeySelector type for use
 // with apply.
+//
+// Selects a key from a ConfigMap.
 type ConfigMapKeySelectorApplyConfiguration struct {
+	// The ConfigMap to select from.
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Key                                    *string `json:"key,omitempty"`
-	Optional                               *bool   `json:"optional,omitempty"`
+	// The key to select.
+	Key *string `json:"key,omitempty"`
+	// Specify whether the ConfigMap or its key must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // ConfigMapKeySelectorApplyConfiguration constructs a declarative configuration of the ConfigMapKeySelector type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapnodeconfigsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapnodeconfigsource.go
index 135bb7d427eae..4e1e227ed0528 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapnodeconfigsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapnodeconfigsource.go
@@ -24,12 +24,25 @@ import (
 
 // ConfigMapNodeConfigSourceApplyConfiguration represents a declarative configuration of the ConfigMapNodeConfigSource type for use
 // with apply.
+//
+// ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node.
+// This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration
 type ConfigMapNodeConfigSourceApplyConfiguration struct {
-	Namespace        *string    `json:"namespace,omitempty"`
-	Name             *string    `json:"name,omitempty"`
-	UID              *types.UID `json:"uid,omitempty"`
-	ResourceVersion  *string    `json:"resourceVersion,omitempty"`
-	KubeletConfigKey *string    `json:"kubeletConfigKey,omitempty"`
+	// Namespace is the metadata.namespace of the referenced ConfigMap.
+	// This field is required in all cases.
+	Namespace *string `json:"namespace,omitempty"`
+	// Name is the metadata.name of the referenced ConfigMap.
+	// This field is required in all cases.
+	Name *string `json:"name,omitempty"`
+	// UID is the metadata.UID of the referenced ConfigMap.
+	// This field is forbidden in Node.Spec, and required in Node.Status.
+	UID *types.UID `json:"uid,omitempty"`
+	// ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap.
+	// This field is forbidden in Node.Spec, and required in Node.Status.
+	ResourceVersion *string `json:"resourceVersion,omitempty"`
+	// KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure
+	// This field is required in all cases.
+	KubeletConfigKey *string `json:"kubeletConfigKey,omitempty"`
 }
 
 // ConfigMapNodeConfigSourceApplyConfiguration constructs a declarative configuration of the ConfigMapNodeConfigSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapprojection.go
index d8c5e21d3a5d8..0357ca99832f6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapprojection.go
@@ -20,10 +20,26 @@ package v1
 
 // ConfigMapProjectionApplyConfiguration represents a declarative configuration of the ConfigMapProjection type for use
 // with apply.
+//
+// Adapts a ConfigMap into a projected volume.
+//
+// The contents of the target ConfigMap's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names,
+// unless the items element is populated with specific mappings of keys to paths.
+// Note that this is identical to a configmap volume source without the default
+// mode.
 type ConfigMapProjectionApplyConfiguration struct {
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Items                                  []KeyToPathApplyConfiguration `json:"items,omitempty"`
-	Optional                               *bool                         `json:"optional,omitempty"`
+	// items if unspecified, each key-value pair in the Data field of the referenced
+	// ConfigMap will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the ConfigMap,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	Items []KeyToPathApplyConfiguration `json:"items,omitempty"`
+	// optional specify whether the ConfigMap or its keys must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // ConfigMapProjectionApplyConfiguration constructs a declarative configuration of the ConfigMapProjection type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapvolumesource.go
index b5f410397757f..b8a6a333f6097 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/configmapvolumesource.go
@@ -20,11 +20,33 @@ package v1
 
 // ConfigMapVolumeSourceApplyConfiguration represents a declarative configuration of the ConfigMapVolumeSource type for use
 // with apply.
+//
+// Adapts a ConfigMap into a volume.
+//
+// The contents of the target ConfigMap's Data field will be presented in a
+// volume as files using the keys in the Data field as the file names, unless
+// the items element is populated with specific mappings of keys to paths.
+// ConfigMap volumes support ownership management and SELinux relabeling.
 type ConfigMapVolumeSourceApplyConfiguration struct {
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Items                                  []KeyToPathApplyConfiguration `json:"items,omitempty"`
-	DefaultMode                            *int32                        `json:"defaultMode,omitempty"`
-	Optional                               *bool                         `json:"optional,omitempty"`
+	// items if unspecified, each key-value pair in the Data field of the referenced
+	// ConfigMap will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the ConfigMap,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	Items []KeyToPathApplyConfiguration `json:"items,omitempty"`
+	// defaultMode is optional: mode bits used to set permissions on created files by default.
+	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+	// Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	DefaultMode *int32 `json:"defaultMode,omitempty"`
+	// optional specify whether the ConfigMap or its keys must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // ConfigMapVolumeSourceApplyConfiguration constructs a declarative configuration of the ConfigMapVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/container.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/container.go
index 4694b12fa28b1..262ee48c07558 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/container.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/container.go
@@ -24,32 +24,161 @@ import (
 
 // ContainerApplyConfiguration represents a declarative configuration of the Container type for use
 // with apply.
+//
+// A single application container that you want to run within a pod.
 type ContainerApplyConfiguration struct {
-	Name                     *string                                   `json:"name,omitempty"`
-	Image                    *string                                   `json:"image,omitempty"`
-	Command                  []string                                  `json:"command,omitempty"`
-	Args                     []string                                  `json:"args,omitempty"`
-	WorkingDir               *string                                   `json:"workingDir,omitempty"`
-	Ports                    []ContainerPortApplyConfiguration         `json:"ports,omitempty"`
-	EnvFrom                  []EnvFromSourceApplyConfiguration         `json:"envFrom,omitempty"`
-	Env                      []EnvVarApplyConfiguration                `json:"env,omitempty"`
-	Resources                *ResourceRequirementsApplyConfiguration   `json:"resources,omitempty"`
-	ResizePolicy             []ContainerResizePolicyApplyConfiguration `json:"resizePolicy,omitempty"`
-	RestartPolicy            *corev1.ContainerRestartPolicy            `json:"restartPolicy,omitempty"`
-	RestartPolicyRules       []ContainerRestartRuleApplyConfiguration  `json:"restartPolicyRules,omitempty"`
-	VolumeMounts             []VolumeMountApplyConfiguration           `json:"volumeMounts,omitempty"`
-	VolumeDevices            []VolumeDeviceApplyConfiguration          `json:"volumeDevices,omitempty"`
-	LivenessProbe            *ProbeApplyConfiguration                  `json:"livenessProbe,omitempty"`
-	ReadinessProbe           *ProbeApplyConfiguration                  `json:"readinessProbe,omitempty"`
-	StartupProbe             *ProbeApplyConfiguration                  `json:"startupProbe,omitempty"`
-	Lifecycle                *LifecycleApplyConfiguration              `json:"lifecycle,omitempty"`
-	TerminationMessagePath   *string                                   `json:"terminationMessagePath,omitempty"`
-	TerminationMessagePolicy *corev1.TerminationMessagePolicy          `json:"terminationMessagePolicy,omitempty"`
-	ImagePullPolicy          *corev1.PullPolicy                        `json:"imagePullPolicy,omitempty"`
-	SecurityContext          *SecurityContextApplyConfiguration        `json:"securityContext,omitempty"`
-	Stdin                    *bool                                     `json:"stdin,omitempty"`
-	StdinOnce                *bool                                     `json:"stdinOnce,omitempty"`
-	TTY                      *bool                                     `json:"tty,omitempty"`
+	// Name of the container specified as a DNS_LABEL.
+	// Each container in a pod must have a unique name (DNS_LABEL).
+	// Cannot be updated.
+	Name *string `json:"name,omitempty"`
+	// Container image name.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	// This field is optional to allow higher level config management to default or override
+	// container images in workload controllers like Deployments and StatefulSets.
+	Image *string `json:"image,omitempty"`
+	// Entrypoint array. Not executed within a shell.
+	// The container image's ENTRYPOINT is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+	// of whether the variable exists or not. Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	Command []string `json:"command,omitempty"`
+	// Arguments to the entrypoint.
+	// The container image's CMD is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+	// of whether the variable exists or not. Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	Args []string `json:"args,omitempty"`
+	// Container's working directory.
+	// If not specified, the container runtime's default will be used, which
+	// might be configured in the container image.
+	// Cannot be updated.
+	WorkingDir *string `json:"workingDir,omitempty"`
+	// List of ports to expose from the container. Not specifying a port here
+	// DOES NOT prevent that port from being exposed. Any port which is
+	// listening on the default "0.0.0.0" address inside a container will be
+	// accessible from the network.
+	// Modifying this array with strategic merge patch may corrupt the data.
+	// For more information See https://github.com/kubernetes/kubernetes/issues/108255.
+	// Cannot be updated.
+	Ports []ContainerPortApplyConfiguration `json:"ports,omitempty"`
+	// List of sources to populate environment variables in the container.
+	// The keys defined within a source may consist of any printable ASCII characters except '='.
+	// When a key exists in multiple
+	// sources, the value associated with the last source will take precedence.
+	// Values defined by an Env with a duplicate key will take precedence.
+	// Cannot be updated.
+	EnvFrom []EnvFromSourceApplyConfiguration `json:"envFrom,omitempty"`
+	// List of environment variables to set in the container.
+	// Cannot be updated.
+	Env []EnvVarApplyConfiguration `json:"env,omitempty"`
+	// Compute Resources required by this container.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	Resources *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
+	// Resources resize policy for the container.
+	// This field cannot be set on ephemeral containers.
+	ResizePolicy []ContainerResizePolicyApplyConfiguration `json:"resizePolicy,omitempty"`
+	// RestartPolicy defines the restart behavior of individual containers in a pod.
+	// This overrides the pod-level restart policy. When this field is not specified,
+	// the restart behavior is defined by the Pod's restart policy and the container type.
+	// Additionally, setting the RestartPolicy as "Always" for the init container will
+	// have the following effect:
+	// this init container will be continually restarted on
+	// exit until all regular containers have terminated. Once all regular
+	// containers have completed, all init containers with restartPolicy "Always"
+	// will be shut down. This lifecycle differs from normal init containers and
+	// is often referred to as a "sidecar" container. Although this init
+	// container still starts in the init container sequence, it does not wait
+	// for the container to complete before proceeding to the next init
+	// container. Instead, the next init container starts immediately after this
+	// init container is started, or after any startupProbe has successfully
+	// completed.
+	RestartPolicy *corev1.ContainerRestartPolicy `json:"restartPolicy,omitempty"`
+	// Represents a list of rules to be checked to determine if the
+	// container should be restarted on exit. The rules are evaluated in
+	// order. Once a rule matches a container exit condition, the remaining
+	// rules are ignored. If no rule matches the container exit condition,
+	// the Container-level restart policy determines the whether the container
+	// is restarted or not. Constraints on the rules:
+	// - At most 20 rules are allowed.
+	// - Rules can have the same action.
+	// - Identical rules are not forbidden in validations.
+	// When rules are specified, container MUST set RestartPolicy explicitly
+	// even it if matches the Pod's RestartPolicy.
+	RestartPolicyRules []ContainerRestartRuleApplyConfiguration `json:"restartPolicyRules,omitempty"`
+	// Pod volumes to mount into the container's filesystem.
+	// Cannot be updated.
+	VolumeMounts []VolumeMountApplyConfiguration `json:"volumeMounts,omitempty"`
+	// volumeDevices is the list of block devices to be used by the container.
+	VolumeDevices []VolumeDeviceApplyConfiguration `json:"volumeDevices,omitempty"`
+	// Periodic probe of container liveness.
+	// Container will be restarted if the probe fails.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	LivenessProbe *ProbeApplyConfiguration `json:"livenessProbe,omitempty"`
+	// Periodic probe of container service readiness.
+	// Container will be removed from service endpoints if the probe fails.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	ReadinessProbe *ProbeApplyConfiguration `json:"readinessProbe,omitempty"`
+	// StartupProbe indicates that the Pod has successfully initialized.
+	// If specified, no other probes are executed until this completes successfully.
+	// If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
+	// This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
+	// when it might take a long time to load data or warm a cache, than during steady-state operation.
+	// This cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	StartupProbe *ProbeApplyConfiguration `json:"startupProbe,omitempty"`
+	// Actions that the management system should take in response to container lifecycle events.
+	// Cannot be updated.
+	Lifecycle *LifecycleApplyConfiguration `json:"lifecycle,omitempty"`
+	// Optional: Path at which the file to which the container's termination message
+	// will be written is mounted into the container's filesystem.
+	// Message written is intended to be brief final status, such as an assertion failure message.
+	// Will be truncated by the node if greater than 4096 bytes. The total message length across
+	// all containers will be limited to 12kb.
+	// Defaults to /dev/termination-log.
+	// Cannot be updated.
+	TerminationMessagePath *string `json:"terminationMessagePath,omitempty"`
+	// Indicate how the termination message should be populated. File will use the contents of
+	// terminationMessagePath to populate the container status message on both success and failure.
+	// FallbackToLogsOnError will use the last chunk of container log output if the termination
+	// message file is empty and the container exited with an error.
+	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+	// Defaults to File.
+	// Cannot be updated.
+	TerminationMessagePolicy *corev1.TerminationMessagePolicy `json:"terminationMessagePolicy,omitempty"`
+	// Image pull policy.
+	// One of Always, Never, IfNotPresent.
+	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+	ImagePullPolicy *corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
+	// SecurityContext defines the security options the container should be run with.
+	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+	SecurityContext *SecurityContextApplyConfiguration `json:"securityContext,omitempty"`
+	// Whether this container should allocate a buffer for stdin in the container runtime. If this
+	// is not set, reads from stdin in the container will always result in EOF.
+	// Default is false.
+	Stdin *bool `json:"stdin,omitempty"`
+	// Whether the container runtime should close the stdin channel after it has been opened by
+	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
+	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+	// at which time stdin is closed and remains closed until the container is restarted. If this
+	// flag is false, a container processes that reads from stdin will never receive an EOF.
+	// Default is false
+	StdinOnce *bool `json:"stdinOnce,omitempty"`
+	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+	// Default is false.
+	TTY *bool `json:"tty,omitempty"`
 }
 
 // ContainerApplyConfiguration constructs a declarative configuration of the Container type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerextendedresourcerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerextendedresourcerequest.go
index 0b83b3824512f..9131bba6a74b2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerextendedresourcerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerextendedresourcerequest.go
@@ -20,10 +20,16 @@ package v1
 
 // ContainerExtendedResourceRequestApplyConfiguration represents a declarative configuration of the ContainerExtendedResourceRequest type for use
 // with apply.
+//
+// ContainerExtendedResourceRequest has the mapping of container name,
+// extended resource name to the device request name.
 type ContainerExtendedResourceRequestApplyConfiguration struct {
+	// The name of the container requesting resources.
 	ContainerName *string `json:"containerName,omitempty"`
-	ResourceName  *string `json:"resourceName,omitempty"`
-	RequestName   *string `json:"requestName,omitempty"`
+	// The name of the extended resource in that container which gets backed by DRA.
+	ResourceName *string `json:"resourceName,omitempty"`
+	// The name of the request in the special ResourceClaim which corresponds to the extended resource.
+	RequestName *string `json:"requestName,omitempty"`
 }
 
 // ContainerExtendedResourceRequestApplyConfiguration constructs a declarative configuration of the ContainerExtendedResourceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerimage.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerimage.go
index bc9428fd10ed2..1c42e73cbd988 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerimage.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerimage.go
@@ -20,9 +20,14 @@ package v1
 
 // ContainerImageApplyConfiguration represents a declarative configuration of the ContainerImage type for use
 // with apply.
+//
+// Describe a container image
 type ContainerImageApplyConfiguration struct {
-	Names     []string `json:"names,omitempty"`
-	SizeBytes *int64   `json:"sizeBytes,omitempty"`
+	// Names by which this image is known.
+	// e.g. ["kubernetes.example/hyperkube:v1.0.7", "cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7"]
+	Names []string `json:"names,omitempty"`
+	// The size of the image in bytes.
+	SizeBytes *int64 `json:"sizeBytes,omitempty"`
 }
 
 // ContainerImageApplyConfiguration constructs a declarative configuration of the ContainerImage type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerport.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerport.go
index 2ad47b3a9610a..2fdabaab169c6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerport.go
@@ -24,12 +24,26 @@ import (
 
 // ContainerPortApplyConfiguration represents a declarative configuration of the ContainerPort type for use
 // with apply.
+//
+// ContainerPort represents a network port in a single container.
 type ContainerPortApplyConfiguration struct {
-	Name          *string          `json:"name,omitempty"`
-	HostPort      *int32           `json:"hostPort,omitempty"`
-	ContainerPort *int32           `json:"containerPort,omitempty"`
-	Protocol      *corev1.Protocol `json:"protocol,omitempty"`
-	HostIP        *string          `json:"hostIP,omitempty"`
+	// If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+	// named port in a pod must have a unique name. Name for the port that can be
+	// referred to by services.
+	Name *string `json:"name,omitempty"`
+	// Number of port to expose on the host.
+	// If specified, this must be a valid port number, 0 < x < 65536.
+	// If HostNetwork is specified, this must match ContainerPort.
+	// Most containers do not need this.
+	HostPort *int32 `json:"hostPort,omitempty"`
+	// Number of port to expose on the pod's IP address.
+	// This must be a valid port number, 0 < x < 65536.
+	ContainerPort *int32 `json:"containerPort,omitempty"`
+	// Protocol for port. Must be UDP, TCP, or SCTP.
+	// Defaults to "TCP".
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// What host IP to bind the external port to.
+	HostIP *string `json:"hostIP,omitempty"`
 }
 
 // ContainerPortApplyConfiguration constructs a declarative configuration of the ContainerPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerresizepolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerresizepolicy.go
index d45dbceaf9f07..4066727fc82a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerresizepolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerresizepolicy.go
@@ -24,8 +24,14 @@ import (
 
 // ContainerResizePolicyApplyConfiguration represents a declarative configuration of the ContainerResizePolicy type for use
 // with apply.
+//
+// ContainerResizePolicy represents resource resize policy for the container.
 type ContainerResizePolicyApplyConfiguration struct {
-	ResourceName  *corev1.ResourceName                `json:"resourceName,omitempty"`
+	// Name of the resource to which this resource resize policy applies.
+	// Supported values: cpu, memory.
+	ResourceName *corev1.ResourceName `json:"resourceName,omitempty"`
+	// Restart policy to apply when specified resource is resized.
+	// If not specified, it defaults to NotRequired.
 	RestartPolicy *corev1.ResourceResizeRestartPolicy `json:"restartPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartrule.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartrule.go
index 6ec09000f97f6..f44278e80dbb4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartrule.go
@@ -24,8 +24,14 @@ import (
 
 // ContainerRestartRuleApplyConfiguration represents a declarative configuration of the ContainerRestartRule type for use
 // with apply.
+//
+// ContainerRestartRule describes how a container exit is handled.
 type ContainerRestartRuleApplyConfiguration struct {
-	Action    *corev1.ContainerRestartRuleAction                 `json:"action,omitempty"`
+	// Specifies the action taken on a container exit if the requirements
+	// are satisfied. The only possible value is "Restart" to restart the
+	// container.
+	Action *corev1.ContainerRestartRuleAction `json:"action,omitempty"`
+	// Represents the exit codes to check on container exits.
 	ExitCodes *ContainerRestartRuleOnExitCodesApplyConfiguration `json:"exitCodes,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartruleonexitcodes.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartruleonexitcodes.go
index 6bfd9619dfae0..f0cfbaf42c535 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartruleonexitcodes.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerrestartruleonexitcodes.go
@@ -24,9 +24,20 @@ import (
 
 // ContainerRestartRuleOnExitCodesApplyConfiguration represents a declarative configuration of the ContainerRestartRuleOnExitCodes type for use
 // with apply.
+//
+// ContainerRestartRuleOnExitCodes describes the condition
+// for handling an exited container based on its exit codes.
 type ContainerRestartRuleOnExitCodesApplyConfiguration struct {
+	// Represents the relationship between the container exit code(s) and the
+	// specified values. Possible values are:
+	// - In: the requirement is satisfied if the container exit code is in the
+	// set of specified values.
+	// - NotIn: the requirement is satisfied if the container exit code is
+	// not in the set of specified values.
 	Operator *corev1.ContainerRestartRuleOnExitCodesOperator `json:"operator,omitempty"`
-	Values   []int32                                         `json:"values,omitempty"`
+	// Specifies the set of values to check for container exit codes.
+	// At most 255 elements are allowed.
+	Values []int32 `json:"values,omitempty"`
 }
 
 // ContainerRestartRuleOnExitCodesApplyConfiguration constructs a declarative configuration of the ContainerRestartRuleOnExitCodes type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstate.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstate.go
index b958e0177421f..5b6cd96c6626e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstate.go
@@ -20,9 +20,16 @@ package v1
 
 // ContainerStateApplyConfiguration represents a declarative configuration of the ContainerState type for use
 // with apply.
+//
+// ContainerState holds a possible state of container.
+// Only one of its members may be specified.
+// If none of them is specified, the default one is ContainerStateWaiting.
 type ContainerStateApplyConfiguration struct {
-	Waiting    *ContainerStateWaitingApplyConfiguration    `json:"waiting,omitempty"`
-	Running    *ContainerStateRunningApplyConfiguration    `json:"running,omitempty"`
+	// Details about a waiting container
+	Waiting *ContainerStateWaitingApplyConfiguration `json:"waiting,omitempty"`
+	// Details about a running container
+	Running *ContainerStateRunningApplyConfiguration `json:"running,omitempty"`
+	// Details about a terminated container
 	Terminated *ContainerStateTerminatedApplyConfiguration `json:"terminated,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstaterunning.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstaterunning.go
index 0ed59c177450d..1a9d6ac07e083 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstaterunning.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstaterunning.go
@@ -24,7 +24,10 @@ import (
 
 // ContainerStateRunningApplyConfiguration represents a declarative configuration of the ContainerStateRunning type for use
 // with apply.
+//
+// ContainerStateRunning is a running state of a container.
 type ContainerStateRunningApplyConfiguration struct {
+	// Time at which the container was last (re-)started
 	StartedAt *metav1.Time `json:"startedAt,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstateterminated.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstateterminated.go
index cfadd93c99f76..63217e052b035 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstateterminated.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstateterminated.go
@@ -24,14 +24,23 @@ import (
 
 // ContainerStateTerminatedApplyConfiguration represents a declarative configuration of the ContainerStateTerminated type for use
 // with apply.
+//
+// ContainerStateTerminated is a terminated state of a container.
 type ContainerStateTerminatedApplyConfiguration struct {
-	ExitCode    *int32       `json:"exitCode,omitempty"`
-	Signal      *int32       `json:"signal,omitempty"`
-	Reason      *string      `json:"reason,omitempty"`
-	Message     *string      `json:"message,omitempty"`
-	StartedAt   *metav1.Time `json:"startedAt,omitempty"`
-	FinishedAt  *metav1.Time `json:"finishedAt,omitempty"`
-	ContainerID *string      `json:"containerID,omitempty"`
+	// Exit status from the last termination of the container
+	ExitCode *int32 `json:"exitCode,omitempty"`
+	// Signal from the last termination of the container
+	Signal *int32 `json:"signal,omitempty"`
+	// (brief) reason from the last termination of the container
+	Reason *string `json:"reason,omitempty"`
+	// Message regarding the last termination of the container
+	Message *string `json:"message,omitempty"`
+	// Time at which previous execution of the container started
+	StartedAt *metav1.Time `json:"startedAt,omitempty"`
+	// Time at which the container last terminated
+	FinishedAt *metav1.Time `json:"finishedAt,omitempty"`
+	// Container's ID in the format '<type>://<container_id>'
+	ContainerID *string `json:"containerID,omitempty"`
 }
 
 // ContainerStateTerminatedApplyConfiguration constructs a declarative configuration of the ContainerStateTerminated type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatewaiting.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatewaiting.go
index 7756c7da03ae4..8c99c00cf3d28 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatewaiting.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatewaiting.go
@@ -20,8 +20,12 @@ package v1
 
 // ContainerStateWaitingApplyConfiguration represents a declarative configuration of the ContainerStateWaiting type for use
 // with apply.
+//
+// ContainerStateWaiting is a waiting state of a container.
 type ContainerStateWaitingApplyConfiguration struct {
-	Reason  *string `json:"reason,omitempty"`
+	// (brief) reason the container is not yet running.
+	Reason *string `json:"reason,omitempty"`
+	// Message regarding why the container is not yet running.
 	Message *string `json:"message,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatus.go
index 8f64501bb1b8e..a2e4a3172f890 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containerstatus.go
@@ -24,22 +24,70 @@ import (
 
 // ContainerStatusApplyConfiguration represents a declarative configuration of the ContainerStatus type for use
 // with apply.
+//
+// ContainerStatus contains details for the current status of this container.
 type ContainerStatusApplyConfiguration struct {
-	Name                     *string                                 `json:"name,omitempty"`
-	State                    *ContainerStateApplyConfiguration       `json:"state,omitempty"`
-	LastTerminationState     *ContainerStateApplyConfiguration       `json:"lastState,omitempty"`
-	Ready                    *bool                                   `json:"ready,omitempty"`
-	RestartCount             *int32                                  `json:"restartCount,omitempty"`
-	Image                    *string                                 `json:"image,omitempty"`
-	ImageID                  *string                                 `json:"imageID,omitempty"`
-	ContainerID              *string                                 `json:"containerID,omitempty"`
-	Started                  *bool                                   `json:"started,omitempty"`
-	AllocatedResources       *corev1.ResourceList                    `json:"allocatedResources,omitempty"`
-	Resources                *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
-	VolumeMounts             []VolumeMountStatusApplyConfiguration   `json:"volumeMounts,omitempty"`
-	User                     *ContainerUserApplyConfiguration        `json:"user,omitempty"`
-	AllocatedResourcesStatus []ResourceStatusApplyConfiguration      `json:"allocatedResourcesStatus,omitempty"`
-	StopSignal               *corev1.Signal                          `json:"stopSignal,omitempty"`
+	// Name is a DNS_LABEL representing the unique name of the container.
+	// Each container in a pod must have a unique name across all container types.
+	// Cannot be updated.
+	Name *string `json:"name,omitempty"`
+	// State holds details about the container's current condition.
+	State *ContainerStateApplyConfiguration `json:"state,omitempty"`
+	// LastTerminationState holds the last termination state of the container to
+	// help debug container crashes and restarts. This field is not
+	// populated if the container is still running and RestartCount is 0.
+	LastTerminationState *ContainerStateApplyConfiguration `json:"lastState,omitempty"`
+	// Ready specifies whether the container is currently passing its readiness check.
+	// The value will change as readiness probes keep executing. If no readiness
+	// probes are specified, this field defaults to true once the container is
+	// fully started (see Started field).
+	//
+	// The value is typically used to determine whether a container is ready to
+	// accept traffic.
+	Ready *bool `json:"ready,omitempty"`
+	// RestartCount holds the number of times the container has been restarted.
+	// Kubelet makes an effort to always increment the value, but there
+	// are cases when the state may be lost due to node restarts and then the value
+	// may be reset to 0. The value is never negative.
+	RestartCount *int32 `json:"restartCount,omitempty"`
+	// Image is the name of container image that the container is running.
+	// The container image may not match the image used in the PodSpec,
+	// as it may have been resolved by the runtime.
+	// More info: https://kubernetes.io/docs/concepts/containers/images.
+	Image *string `json:"image,omitempty"`
+	// ImageID is the image ID of the container's image. The image ID may not
+	// match the image ID of the image used in the PodSpec, as it may have been
+	// resolved by the runtime.
+	ImageID *string `json:"imageID,omitempty"`
+	// ContainerID is the ID of the container in the format '<type>://<container_id>'.
+	// Where type is a container runtime identifier, returned from Version call of CRI API
+	// (for example "containerd").
+	ContainerID *string `json:"containerID,omitempty"`
+	// Started indicates whether the container has finished its postStart lifecycle hook
+	// and passed its startup probe.
+	// Initialized as false, becomes true after startupProbe is considered
+	// successful. Resets to false when the container is restarted, or if kubelet
+	// loses state temporarily. In both cases, startup probes will run again.
+	// Is always true when no startupProbe is defined and container is running and
+	// has passed the postStart lifecycle hook. The null value must be treated the
+	// same as false.
+	Started *bool `json:"started,omitempty"`
+	// AllocatedResources represents the compute resources allocated for this container by the
+	// node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission
+	// and after successfully admitting desired pod resize.
+	AllocatedResources *corev1.ResourceList `json:"allocatedResources,omitempty"`
+	// Resources represents the compute resource requests and limits that have been successfully
+	// enacted on the running container after it has been started or has been successfully resized.
+	Resources *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
+	// Status of volume mounts.
+	VolumeMounts []VolumeMountStatusApplyConfiguration `json:"volumeMounts,omitempty"`
+	// User represents user identity information initially attached to the first process of the container
+	User *ContainerUserApplyConfiguration `json:"user,omitempty"`
+	// AllocatedResourcesStatus represents the status of various resources
+	// allocated for this Pod.
+	AllocatedResourcesStatus []ResourceStatusApplyConfiguration `json:"allocatedResourcesStatus,omitempty"`
+	// StopSignal reports the effective stop signal for this container
+	StopSignal *corev1.Signal `json:"stopSignal,omitempty"`
 }
 
 // ContainerStatusApplyConfiguration constructs a declarative configuration of the ContainerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containeruser.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containeruser.go
index 34ec8e4146523..b8dcdb1115e6f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containeruser.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/containeruser.go
@@ -20,7 +20,11 @@ package v1
 
 // ContainerUserApplyConfiguration represents a declarative configuration of the ContainerUser type for use
 // with apply.
+//
+// ContainerUser represents user identity information
 type ContainerUserApplyConfiguration struct {
+	// Linux holds user identity information initially attached to the first process of the containers in Linux.
+	// Note that the actual running identity can be changed if the process has enough privilege to do so.
 	Linux *LinuxContainerUserApplyConfiguration `json:"linux,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csipersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csipersistentvolumesource.go
index a614d10805b67..c71d5b3d93e9c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csipersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csipersistentvolumesource.go
@@ -20,17 +20,54 @@ package v1
 
 // CSIPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the CSIPersistentVolumeSource type for use
 // with apply.
+//
+// Represents storage that is managed by an external CSI volume driver
 type CSIPersistentVolumeSourceApplyConfiguration struct {
-	Driver                     *string                            `json:"driver,omitempty"`
-	VolumeHandle               *string                            `json:"volumeHandle,omitempty"`
-	ReadOnly                   *bool                              `json:"readOnly,omitempty"`
-	FSType                     *string                            `json:"fsType,omitempty"`
-	VolumeAttributes           map[string]string                  `json:"volumeAttributes,omitempty"`
+	// driver is the name of the driver to use for this volume.
+	// Required.
+	Driver *string `json:"driver,omitempty"`
+	// volumeHandle is the unique volume name returned by the CSI volume
+	// plugin’s CreateVolume to refer to the volume on all subsequent calls.
+	// Required.
+	VolumeHandle *string `json:"volumeHandle,omitempty"`
+	// readOnly value to pass to ControllerPublishVolumeRequest.
+	// Defaults to false (read/write).
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// fsType to mount. Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs".
+	FSType *string `json:"fsType,omitempty"`
+	// volumeAttributes of the volume to publish.
+	VolumeAttributes map[string]string `json:"volumeAttributes,omitempty"`
+	// controllerPublishSecretRef is a reference to the secret object containing
+	// sensitive information to pass to the CSI driver to complete the CSI
+	// ControllerPublishVolume and ControllerUnpublishVolume calls.
+	// This field is optional, and may be empty if no secret is required. If the
+	// secret object contains more than one secret, all secrets are passed.
 	ControllerPublishSecretRef *SecretReferenceApplyConfiguration `json:"controllerPublishSecretRef,omitempty"`
-	NodeStageSecretRef         *SecretReferenceApplyConfiguration `json:"nodeStageSecretRef,omitempty"`
-	NodePublishSecretRef       *SecretReferenceApplyConfiguration `json:"nodePublishSecretRef,omitempty"`
-	ControllerExpandSecretRef  *SecretReferenceApplyConfiguration `json:"controllerExpandSecretRef,omitempty"`
-	NodeExpandSecretRef        *SecretReferenceApplyConfiguration `json:"nodeExpandSecretRef,omitempty"`
+	// nodeStageSecretRef is a reference to the secret object containing sensitive
+	// information to pass to the CSI driver to complete the CSI NodeStageVolume
+	// and NodeStageVolume and NodeUnstageVolume calls.
+	// This field is optional, and may be empty if no secret is required. If the
+	// secret object contains more than one secret, all secrets are passed.
+	NodeStageSecretRef *SecretReferenceApplyConfiguration `json:"nodeStageSecretRef,omitempty"`
+	// nodePublishSecretRef is a reference to the secret object containing
+	// sensitive information to pass to the CSI driver to complete the CSI
+	// NodePublishVolume and NodeUnpublishVolume calls.
+	// This field is optional, and may be empty if no secret is required. If the
+	// secret object contains more than one secret, all secrets are passed.
+	NodePublishSecretRef *SecretReferenceApplyConfiguration `json:"nodePublishSecretRef,omitempty"`
+	// controllerExpandSecretRef is a reference to the secret object containing
+	// sensitive information to pass to the CSI driver to complete the CSI
+	// ControllerExpandVolume call.
+	// This field is optional, and may be empty if no secret is required. If the
+	// secret object contains more than one secret, all secrets are passed.
+	ControllerExpandSecretRef *SecretReferenceApplyConfiguration `json:"controllerExpandSecretRef,omitempty"`
+	// nodeExpandSecretRef is a reference to the secret object containing
+	// sensitive information to pass to the CSI driver to complete the CSI
+	// NodeExpandVolume call.
+	// This field is optional, may be omitted if no secret is required. If the
+	// secret object contains more than one secret, all secrets are passed.
+	NodeExpandSecretRef *SecretReferenceApplyConfiguration `json:"nodeExpandSecretRef,omitempty"`
 }
 
 // CSIPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the CSIPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csivolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csivolumesource.go
index b58d9bbb4b592..f50ac94e5bbca 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csivolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/csivolumesource.go
@@ -20,11 +20,27 @@ package v1
 
 // CSIVolumeSourceApplyConfiguration represents a declarative configuration of the CSIVolumeSource type for use
 // with apply.
+//
+// Represents a source location of a volume to mount, managed by an external CSI driver
 type CSIVolumeSourceApplyConfiguration struct {
-	Driver               *string                                 `json:"driver,omitempty"`
-	ReadOnly             *bool                                   `json:"readOnly,omitempty"`
-	FSType               *string                                 `json:"fsType,omitempty"`
-	VolumeAttributes     map[string]string                       `json:"volumeAttributes,omitempty"`
+	// driver is the name of the CSI driver that handles this volume.
+	// Consult with your admin for the correct name as registered in the cluster.
+	Driver *string `json:"driver,omitempty"`
+	// readOnly specifies a read-only configuration for the volume.
+	// Defaults to false (read/write).
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// fsType to mount. Ex. "ext4", "xfs", "ntfs".
+	// If not provided, the empty value is passed to the associated CSI driver
+	// which will determine the default filesystem to apply.
+	FSType *string `json:"fsType,omitempty"`
+	// volumeAttributes stores driver-specific properties that are passed to the CSI
+	// driver. Consult your driver's documentation for supported values.
+	VolumeAttributes map[string]string `json:"volumeAttributes,omitempty"`
+	// nodePublishSecretRef is a reference to the secret object containing
+	// sensitive information to pass to the CSI driver to complete the CSI
+	// NodePublishVolume and NodeUnpublishVolume calls.
+	// This field is optional, and  may be empty if no secret is required. If the
+	// secret object contains more than one secret, all secret references are passed.
 	NodePublishSecretRef *LocalObjectReferenceApplyConfiguration `json:"nodePublishSecretRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/daemonendpoint.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/daemonendpoint.go
index 5be27ec0c572e..4eba20326780a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/daemonendpoint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/daemonendpoint.go
@@ -20,7 +20,10 @@ package v1
 
 // DaemonEndpointApplyConfiguration represents a declarative configuration of the DaemonEndpoint type for use
 // with apply.
+//
+// DaemonEndpoint contains information about a single Daemon endpoint.
 type DaemonEndpointApplyConfiguration struct {
+	// Port number of the given endpoint.
 	Port *int32 `json:"Port,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapiprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapiprojection.go
index ed6b8b1bbe409..c5aed20a3c751 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapiprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapiprojection.go
@@ -20,7 +20,12 @@ package v1
 
 // DownwardAPIProjectionApplyConfiguration represents a declarative configuration of the DownwardAPIProjection type for use
 // with apply.
+//
+// Represents downward API info for projecting into a projected volume.
+// Note that this is identical to a downwardAPI volume source without the default
+// mode.
 type DownwardAPIProjectionApplyConfiguration struct {
+	// Items is a list of DownwardAPIVolume file
 	Items []DownwardAPIVolumeFileApplyConfiguration `json:"items,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumefile.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumefile.go
index ec9d013dd9481..9028f3133cd8e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumefile.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumefile.go
@@ -20,11 +20,23 @@ package v1
 
 // DownwardAPIVolumeFileApplyConfiguration represents a declarative configuration of the DownwardAPIVolumeFile type for use
 // with apply.
+//
+// DownwardAPIVolumeFile represents information to create the file containing the pod field
 type DownwardAPIVolumeFileApplyConfiguration struct {
-	Path             *string                                  `json:"path,omitempty"`
-	FieldRef         *ObjectFieldSelectorApplyConfiguration   `json:"fieldRef,omitempty"`
+	// Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+	Path *string `json:"path,omitempty"`
+	// Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.
+	FieldRef *ObjectFieldSelectorApplyConfiguration `json:"fieldRef,omitempty"`
+	// Selects a resource of the container: only resources limits and requests
+	// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
 	ResourceFieldRef *ResourceFieldSelectorApplyConfiguration `json:"resourceFieldRef,omitempty"`
-	Mode             *int32                                   `json:"mode,omitempty"`
+	// Optional: mode bits used to set permissions on this file, must be an octal value
+	// between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+	// If not specified, the volume defaultMode will be used.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	Mode *int32 `json:"mode,omitempty"`
 }
 
 // DownwardAPIVolumeFileApplyConfiguration constructs a declarative configuration of the DownwardAPIVolumeFile type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumesource.go
index eef9d7ef8d5c1..42e726689db95 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/downwardapivolumesource.go
@@ -20,9 +20,21 @@ package v1
 
 // DownwardAPIVolumeSourceApplyConfiguration represents a declarative configuration of the DownwardAPIVolumeSource type for use
 // with apply.
+//
+// DownwardAPIVolumeSource represents a volume containing downward API info.
+// Downward API volumes support ownership management and SELinux relabeling.
 type DownwardAPIVolumeSourceApplyConfiguration struct {
-	Items       []DownwardAPIVolumeFileApplyConfiguration `json:"items,omitempty"`
-	DefaultMode *int32                                    `json:"defaultMode,omitempty"`
+	// Items is a list of downward API volume file
+	Items []DownwardAPIVolumeFileApplyConfiguration `json:"items,omitempty"`
+	// Optional: mode bits to use on created files by default. Must be a
+	// Optional: mode bits used to set permissions on created files by default.
+	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+	// Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	DefaultMode *int32 `json:"defaultMode,omitempty"`
 }
 
 // DownwardAPIVolumeSourceApplyConfiguration constructs a declarative configuration of the DownwardAPIVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/emptydirvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/emptydirvolumesource.go
index 63e9f56ab712c..97f71e8d218b5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/emptydirvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/emptydirvolumesource.go
@@ -25,9 +25,22 @@ import (
 
 // EmptyDirVolumeSourceApplyConfiguration represents a declarative configuration of the EmptyDirVolumeSource type for use
 // with apply.
+//
+// Represents an empty directory for a pod.
+// Empty directory volumes support ownership management and SELinux relabeling.
 type EmptyDirVolumeSourceApplyConfiguration struct {
-	Medium    *corev1.StorageMedium `json:"medium,omitempty"`
-	SizeLimit *resource.Quantity    `json:"sizeLimit,omitempty"`
+	// medium represents what type of storage medium should back this directory.
+	// The default is "" which means to use the node's default medium.
+	// Must be an empty string (default) or Memory.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+	Medium *corev1.StorageMedium `json:"medium,omitempty"`
+	// sizeLimit is the total amount of local storage required for this EmptyDir volume.
+	// The size limit is also applicable for memory medium.
+	// The maximum usage on memory medium EmptyDir would be the minimum value between
+	// the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+	// The default is nil which means that the limit is undefined.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+	SizeLimit *resource.Quantity `json:"sizeLimit,omitempty"`
 }
 
 // EmptyDirVolumeSourceApplyConfiguration constructs a declarative configuration of the EmptyDirVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointaddress.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointaddress.go
index 536e697a9a64a..b45448c92d450 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointaddress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointaddress.go
@@ -20,10 +20,19 @@ package v1
 
 // EndpointAddressApplyConfiguration represents a declarative configuration of the EndpointAddress type for use
 // with apply.
+//
+// EndpointAddress is a tuple that describes single IP address.
+// Deprecated: This API is deprecated in v1.33+.
 type EndpointAddressApplyConfiguration struct {
-	IP        *string                            `json:"ip,omitempty"`
-	Hostname  *string                            `json:"hostname,omitempty"`
-	NodeName  *string                            `json:"nodeName,omitempty"`
+	// The IP of this endpoint.
+	// May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10),
+	// or link-local multicast (224.0.0.0/24 or ff02::/16).
+	IP *string `json:"ip,omitempty"`
+	// The Hostname of this endpoint
+	Hostname *string `json:"hostname,omitempty"`
+	// Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.
+	NodeName *string `json:"nodeName,omitempty"`
+	// Reference to object providing the endpoint.
 	TargetRef *ObjectReferenceApplyConfiguration `json:"targetRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointport.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointport.go
index 05ee64ddca47b..8ebfdc7c8327d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointport.go
@@ -24,11 +24,37 @@ import (
 
 // EndpointPortApplyConfiguration represents a declarative configuration of the EndpointPort type for use
 // with apply.
+//
+// EndpointPort is a tuple that describes a single port.
+// Deprecated: This API is deprecated in v1.33+.
 type EndpointPortApplyConfiguration struct {
-	Name        *string          `json:"name,omitempty"`
-	Port        *int32           `json:"port,omitempty"`
-	Protocol    *corev1.Protocol `json:"protocol,omitempty"`
-	AppProtocol *string          `json:"appProtocol,omitempty"`
+	// The name of this port.  This must match the 'name' field in the
+	// corresponding ServicePort.
+	// Must be a DNS_LABEL.
+	// Optional only if one port is defined.
+	Name *string `json:"name,omitempty"`
+	// The port number of the endpoint.
+	Port *int32 `json:"port,omitempty"`
+	// The IP protocol for this port.
+	// Must be UDP, TCP, or SCTP.
+	// Default is TCP.
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// The application protocol for this port.
+	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
+	// This field follows standard Kubernetes label syntax.
+	// Valid values are either:
+	//
+	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
+	// RFC-6335 and https://www.iana.org/assignments/service-names).
+	//
+	// * Kubernetes-defined prefixed names:
+	// * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
+	// * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
+	// * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
+	//
+	// * Other protocols should use implementation-defined prefixed names such as
+	// mycompany.com/my-custom-protocol.
+	AppProtocol *string `json:"appProtocol,omitempty"`
 }
 
 // EndpointPortApplyConfiguration constructs a declarative configuration of the EndpointPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpoints.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpoints.go
index 1cb1d40aed6b8..a13cd30e8930a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpoints.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpoints.go
@@ -29,10 +29,38 @@ import (
 
 // EndpointsApplyConfiguration represents a declarative configuration of the Endpoints type for use
 // with apply.
+//
+// Endpoints is a collection of endpoints that implement the actual service. Example:
+//
+// Name: "mysvc",
+// Subsets: [
+// {
+// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+// Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+// },
+// {
+// Addresses: [{"ip": "10.10.3.3"}],
+// Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
+// },
+// ]
+//
+// Endpoints is a legacy API and does not contain information about all Service features.
+// Use discoveryv1.EndpointSlice for complete information about Service endpoints.
+//
+// Deprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice.
 type EndpointsApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subsets                              []EndpointSubsetApplyConfiguration `json:"subsets,omitempty"`
+	// The set of all endpoints is the union of all subsets. Addresses are placed into
+	// subsets according to the IPs they share. A single address with multiple ports,
+	// some of which are ready and some of which are not (because they come from
+	// different containers) will result in the address being displayed in different
+	// subsets for the different ports. No address will appear in both Addresses and
+	// NotReadyAddresses in the same subset.
+	// Sets of addresses and ports that comprise a service.
+	Subsets []EndpointSubsetApplyConfiguration `json:"subsets,omitempty"`
 }
 
 // Endpoints constructs a declarative configuration of the Endpoints type for use with
@@ -46,29 +74,14 @@ func Endpoints(name, namespace string) *EndpointsApplyConfiguration {
 	return b
 }
 
-// ExtractEndpoints extracts the applied configuration owned by fieldManager from
-// endpoints. If no managedFields are found in endpoints for fieldManager, a
-// EndpointsApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEndpointsFrom extracts the applied configuration owned by fieldManager from
+// endpoints for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // endpoints must be a unmodified Endpoints API object that was retrieved from the Kubernetes API.
-// ExtractEndpoints provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEndpointsFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEndpoints(endpoints *corev1.Endpoints, fieldManager string) (*EndpointsApplyConfiguration, error) {
-	return extractEndpoints(endpoints, fieldManager, "")
-}
-
-// ExtractEndpointsStatus is the same as ExtractEndpoints except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEndpointsStatus(endpoints *corev1.Endpoints, fieldManager string) (*EndpointsApplyConfiguration, error) {
-	return extractEndpoints(endpoints, fieldManager, "status")
-}
-
-func extractEndpoints(endpoints *corev1.Endpoints, fieldManager string, subresource string) (*EndpointsApplyConfiguration, error) {
+func ExtractEndpointsFrom(endpoints *corev1.Endpoints, fieldManager string, subresource string) (*EndpointsApplyConfiguration, error) {
 	b := &EndpointsApplyConfiguration{}
 	err := managedfields.ExtractInto(endpoints, internal.Parser().Type("io.k8s.api.core.v1.Endpoints"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +94,21 @@ func extractEndpoints(endpoints *corev1.Endpoints, fieldManager string, subresou
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractEndpoints extracts the applied configuration owned by fieldManager from
+// endpoints. If no managedFields are found in endpoints for fieldManager, a
+// EndpointsApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// endpoints must be a unmodified Endpoints API object that was retrieved from the Kubernetes API.
+// ExtractEndpoints provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEndpoints(endpoints *corev1.Endpoints, fieldManager string) (*EndpointsApplyConfiguration, error) {
+	return ExtractEndpointsFrom(endpoints, fieldManager, "")
+}
+
 func (b EndpointsApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointsubset.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointsubset.go
index 33cd8496a7337..de1cbafa528fe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointsubset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/endpointsubset.go
@@ -20,10 +20,32 @@ package v1
 
 // EndpointSubsetApplyConfiguration represents a declarative configuration of the EndpointSubset type for use
 // with apply.
+//
+// EndpointSubset is a group of addresses with a common set of ports. The
+// expanded set of endpoints is the Cartesian product of Addresses x Ports.
+// For example, given:
+//
+// {
+// Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+// Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+// }
+//
+// The resulting set of endpoints can be viewed as:
+//
+// a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
+// b: [ 10.10.1.1:309, 10.10.2.2:309 ]
+//
+// Deprecated: This API is deprecated in v1.33+.
 type EndpointSubsetApplyConfiguration struct {
-	Addresses         []EndpointAddressApplyConfiguration `json:"addresses,omitempty"`
+	// IP addresses which offer the related ports that are marked as ready. These endpoints
+	// should be considered safe for load balancers and clients to utilize.
+	Addresses []EndpointAddressApplyConfiguration `json:"addresses,omitempty"`
+	// IP addresses which offer the related ports but are not currently marked as ready
+	// because they have not yet finished starting, have recently failed a readiness check,
+	// or have recently failed a liveness check.
 	NotReadyAddresses []EndpointAddressApplyConfiguration `json:"notReadyAddresses,omitempty"`
-	Ports             []EndpointPortApplyConfiguration    `json:"ports,omitempty"`
+	// Port numbers available on the related IP addresses.
+	Ports []EndpointPortApplyConfiguration `json:"ports,omitempty"`
 }
 
 // EndpointSubsetApplyConfiguration constructs a declarative configuration of the EndpointSubset type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envfromsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envfromsource.go
index 7aa181cf1a075..05e18bed4a12e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envfromsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envfromsource.go
@@ -20,10 +20,16 @@ package v1
 
 // EnvFromSourceApplyConfiguration represents a declarative configuration of the EnvFromSource type for use
 // with apply.
+//
+// EnvFromSource represents the source of a set of ConfigMaps or Secrets
 type EnvFromSourceApplyConfiguration struct {
-	Prefix       *string                               `json:"prefix,omitempty"`
+	// Optional text to prepend to the name of each environment variable.
+	// May consist of any printable ASCII characters except '='.
+	Prefix *string `json:"prefix,omitempty"`
+	// The ConfigMap to select from
 	ConfigMapRef *ConfigMapEnvSourceApplyConfiguration `json:"configMapRef,omitempty"`
-	SecretRef    *SecretEnvSourceApplyConfiguration    `json:"secretRef,omitempty"`
+	// The Secret to select from
+	SecretRef *SecretEnvSourceApplyConfiguration `json:"secretRef,omitempty"`
 }
 
 // EnvFromSourceApplyConfiguration constructs a declarative configuration of the EnvFromSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvar.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvar.go
index 5894166ca4b39..dfde1cb6a57be 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvar.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvar.go
@@ -20,9 +20,23 @@ package v1
 
 // EnvVarApplyConfiguration represents a declarative configuration of the EnvVar type for use
 // with apply.
+//
+// EnvVar represents an environment variable present in a Container.
 type EnvVarApplyConfiguration struct {
-	Name      *string                         `json:"name,omitempty"`
-	Value     *string                         `json:"value,omitempty"`
+	// Name of the environment variable.
+	// May consist of any printable ASCII characters except '='.
+	Name *string `json:"name,omitempty"`
+	// Variable references $(VAR_NAME) are expanded
+	// using the previously defined environment variables in the container and
+	// any service environment variables. If a variable cannot be resolved,
+	// the reference in the input string will be unchanged. Double $$ are reduced
+	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+	// "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+	// Escaped references will never be expanded, regardless of whether the variable
+	// exists or not.
+	// Defaults to "".
+	Value *string `json:"value,omitempty"`
+	// Source for the environment variable's value. Cannot be used if value is not empty.
 	ValueFrom *EnvVarSourceApplyConfiguration `json:"valueFrom,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvarsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvarsource.go
index 8705a2b642da7..84e2a661783d5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvarsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/envvarsource.go
@@ -20,12 +20,22 @@ package v1
 
 // EnvVarSourceApplyConfiguration represents a declarative configuration of the EnvVarSource type for use
 // with apply.
+//
+// EnvVarSource represents a source for the value of an EnvVar.
 type EnvVarSourceApplyConfiguration struct {
-	FieldRef         *ObjectFieldSelectorApplyConfiguration   `json:"fieldRef,omitempty"`
+	// Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
+	// spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+	FieldRef *ObjectFieldSelectorApplyConfiguration `json:"fieldRef,omitempty"`
+	// Selects a resource of the container: only resources limits and requests
+	// (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
 	ResourceFieldRef *ResourceFieldSelectorApplyConfiguration `json:"resourceFieldRef,omitempty"`
-	ConfigMapKeyRef  *ConfigMapKeySelectorApplyConfiguration  `json:"configMapKeyRef,omitempty"`
-	SecretKeyRef     *SecretKeySelectorApplyConfiguration     `json:"secretKeyRef,omitempty"`
-	FileKeyRef       *FileKeySelectorApplyConfiguration       `json:"fileKeyRef,omitempty"`
+	// Selects a key of a ConfigMap.
+	ConfigMapKeyRef *ConfigMapKeySelectorApplyConfiguration `json:"configMapKeyRef,omitempty"`
+	// Selects a key of a secret in the pod's namespace
+	SecretKeyRef *SecretKeySelectorApplyConfiguration `json:"secretKeyRef,omitempty"`
+	// FileKeyRef selects a key of the env file.
+	// Requires the EnvFiles feature gate to be enabled.
+	FileKeyRef *FileKeySelectorApplyConfiguration `json:"fileKeyRef,omitempty"`
 }
 
 // EnvVarSourceApplyConfiguration constructs a declarative configuration of the EnvVarSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainer.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainer.go
index d41c985366cdd..43d97a6eff6dd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainer.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainer.go
@@ -24,9 +24,28 @@ import (
 
 // EphemeralContainerApplyConfiguration represents a declarative configuration of the EphemeralContainer type for use
 // with apply.
+//
+// An EphemeralContainer is a temporary container that you may add to an existing Pod for
+// user-initiated activities such as debugging. Ephemeral containers have no resource or
+// scheduling guarantees, and they will not be restarted when they exit or when a Pod is
+// removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the
+// Pod to exceed its resource allocation.
+//
+// To add an ephemeral container, use the ephemeralcontainers subresource of an existing
+// Pod. Ephemeral containers may not be removed or restarted.
 type EphemeralContainerApplyConfiguration struct {
+	// Ephemeral containers have all of the fields of Container, plus additional fields
+	// specific to ephemeral containers. Fields in common with Container are in the
+	// following inlined struct so than an EphemeralContainer may easily be converted
+	// to a Container.
 	EphemeralContainerCommonApplyConfiguration `json:",inline"`
-	TargetContainerName                        *string `json:"targetContainerName,omitempty"`
+	// If set, the name of the container from PodSpec that this ephemeral container targets.
+	// The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container.
+	// If not set then the ephemeral container uses the namespaces configured in the Pod spec.
+	//
+	// The container runtime must implement support for this feature. If the runtime does not
+	// support namespace targeting then the result of setting this field is undefined.
+	TargetContainerName *string `json:"targetContainerName,omitempty"`
 }
 
 // EphemeralContainerApplyConfiguration constructs a declarative configuration of the EphemeralContainer type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainercommon.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainercommon.go
index cd9bf08fa698e..23ac3f08572ff 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainercommon.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralcontainercommon.go
@@ -24,32 +24,119 @@ import (
 
 // EphemeralContainerCommonApplyConfiguration represents a declarative configuration of the EphemeralContainerCommon type for use
 // with apply.
+//
+// EphemeralContainerCommon is a copy of all fields in Container to be inlined in
+// EphemeralContainer. This separate type allows easy conversion from EphemeralContainer
+// to Container and allows separate documentation for the fields of EphemeralContainer.
+// When a new field is added to Container it must be added here as well.
 type EphemeralContainerCommonApplyConfiguration struct {
-	Name                     *string                                   `json:"name,omitempty"`
-	Image                    *string                                   `json:"image,omitempty"`
-	Command                  []string                                  `json:"command,omitempty"`
-	Args                     []string                                  `json:"args,omitempty"`
-	WorkingDir               *string                                   `json:"workingDir,omitempty"`
-	Ports                    []ContainerPortApplyConfiguration         `json:"ports,omitempty"`
-	EnvFrom                  []EnvFromSourceApplyConfiguration         `json:"envFrom,omitempty"`
-	Env                      []EnvVarApplyConfiguration                `json:"env,omitempty"`
-	Resources                *ResourceRequirementsApplyConfiguration   `json:"resources,omitempty"`
-	ResizePolicy             []ContainerResizePolicyApplyConfiguration `json:"resizePolicy,omitempty"`
-	RestartPolicy            *corev1.ContainerRestartPolicy            `json:"restartPolicy,omitempty"`
-	RestartPolicyRules       []ContainerRestartRuleApplyConfiguration  `json:"restartPolicyRules,omitempty"`
-	VolumeMounts             []VolumeMountApplyConfiguration           `json:"volumeMounts,omitempty"`
-	VolumeDevices            []VolumeDeviceApplyConfiguration          `json:"volumeDevices,omitempty"`
-	LivenessProbe            *ProbeApplyConfiguration                  `json:"livenessProbe,omitempty"`
-	ReadinessProbe           *ProbeApplyConfiguration                  `json:"readinessProbe,omitempty"`
-	StartupProbe             *ProbeApplyConfiguration                  `json:"startupProbe,omitempty"`
-	Lifecycle                *LifecycleApplyConfiguration              `json:"lifecycle,omitempty"`
-	TerminationMessagePath   *string                                   `json:"terminationMessagePath,omitempty"`
-	TerminationMessagePolicy *corev1.TerminationMessagePolicy          `json:"terminationMessagePolicy,omitempty"`
-	ImagePullPolicy          *corev1.PullPolicy                        `json:"imagePullPolicy,omitempty"`
-	SecurityContext          *SecurityContextApplyConfiguration        `json:"securityContext,omitempty"`
-	Stdin                    *bool                                     `json:"stdin,omitempty"`
-	StdinOnce                *bool                                     `json:"stdinOnce,omitempty"`
-	TTY                      *bool                                     `json:"tty,omitempty"`
+	// Name of the ephemeral container specified as a DNS_LABEL.
+	// This name must be unique among all containers, init containers and ephemeral containers.
+	Name *string `json:"name,omitempty"`
+	// Container image name.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	Image *string `json:"image,omitempty"`
+	// Entrypoint array. Not executed within a shell.
+	// The image's ENTRYPOINT is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+	// of whether the variable exists or not. Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	Command []string `json:"command,omitempty"`
+	// Arguments to the entrypoint.
+	// The image's CMD is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+	// to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+	// produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+	// of whether the variable exists or not. Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	Args []string `json:"args,omitempty"`
+	// Container's working directory.
+	// If not specified, the container runtime's default will be used, which
+	// might be configured in the container image.
+	// Cannot be updated.
+	WorkingDir *string `json:"workingDir,omitempty"`
+	// Ports are not allowed for ephemeral containers.
+	Ports []ContainerPortApplyConfiguration `json:"ports,omitempty"`
+	// List of sources to populate environment variables in the container.
+	// The keys defined within a source may consist of any printable ASCII characters except '='.
+	// When a key exists in multiple
+	// sources, the value associated with the last source will take precedence.
+	// Values defined by an Env with a duplicate key will take precedence.
+	// Cannot be updated.
+	EnvFrom []EnvFromSourceApplyConfiguration `json:"envFrom,omitempty"`
+	// List of environment variables to set in the container.
+	// Cannot be updated.
+	Env []EnvVarApplyConfiguration `json:"env,omitempty"`
+	// Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources
+	// already allocated to the pod.
+	Resources *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
+	// Resources resize policy for the container.
+	ResizePolicy []ContainerResizePolicyApplyConfiguration `json:"resizePolicy,omitempty"`
+	// Restart policy for the container to manage the restart behavior of each
+	// container within a pod.
+	// You cannot set this field on ephemeral containers.
+	RestartPolicy *corev1.ContainerRestartPolicy `json:"restartPolicy,omitempty"`
+	// Represents a list of rules to be checked to determine if the
+	// container should be restarted on exit. You cannot set this field on
+	// ephemeral containers.
+	RestartPolicyRules []ContainerRestartRuleApplyConfiguration `json:"restartPolicyRules,omitempty"`
+	// Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers.
+	// Cannot be updated.
+	VolumeMounts []VolumeMountApplyConfiguration `json:"volumeMounts,omitempty"`
+	// volumeDevices is the list of block devices to be used by the container.
+	VolumeDevices []VolumeDeviceApplyConfiguration `json:"volumeDevices,omitempty"`
+	// Probes are not allowed for ephemeral containers.
+	LivenessProbe *ProbeApplyConfiguration `json:"livenessProbe,omitempty"`
+	// Probes are not allowed for ephemeral containers.
+	ReadinessProbe *ProbeApplyConfiguration `json:"readinessProbe,omitempty"`
+	// Probes are not allowed for ephemeral containers.
+	StartupProbe *ProbeApplyConfiguration `json:"startupProbe,omitempty"`
+	// Lifecycle is not allowed for ephemeral containers.
+	Lifecycle *LifecycleApplyConfiguration `json:"lifecycle,omitempty"`
+	// Optional: Path at which the file to which the container's termination message
+	// will be written is mounted into the container's filesystem.
+	// Message written is intended to be brief final status, such as an assertion failure message.
+	// Will be truncated by the node if greater than 4096 bytes. The total message length across
+	// all containers will be limited to 12kb.
+	// Defaults to /dev/termination-log.
+	// Cannot be updated.
+	TerminationMessagePath *string `json:"terminationMessagePath,omitempty"`
+	// Indicate how the termination message should be populated. File will use the contents of
+	// terminationMessagePath to populate the container status message on both success and failure.
+	// FallbackToLogsOnError will use the last chunk of container log output if the termination
+	// message file is empty and the container exited with an error.
+	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+	// Defaults to File.
+	// Cannot be updated.
+	TerminationMessagePolicy *corev1.TerminationMessagePolicy `json:"terminationMessagePolicy,omitempty"`
+	// Image pull policy.
+	// One of Always, Never, IfNotPresent.
+	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+	ImagePullPolicy *corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
+	// Optional: SecurityContext defines the security options the ephemeral container should be run with.
+	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+	SecurityContext *SecurityContextApplyConfiguration `json:"securityContext,omitempty"`
+	// Whether this container should allocate a buffer for stdin in the container runtime. If this
+	// is not set, reads from stdin in the container will always result in EOF.
+	// Default is false.
+	Stdin *bool `json:"stdin,omitempty"`
+	// Whether the container runtime should close the stdin channel after it has been opened by
+	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
+	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+	// at which time stdin is closed and remains closed until the container is restarted. If this
+	// flag is false, a container processes that reads from stdin will never receive an EOF.
+	// Default is false
+	StdinOnce *bool `json:"stdinOnce,omitempty"`
+	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+	// Default is false.
+	TTY *bool `json:"tty,omitempty"`
 }
 
 // EphemeralContainerCommonApplyConfiguration constructs a declarative configuration of the EphemeralContainerCommon type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralvolumesource.go
index d2c8c6722e8a3..030107b409cb4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/ephemeralvolumesource.go
@@ -20,7 +20,30 @@ package v1
 
 // EphemeralVolumeSourceApplyConfiguration represents a declarative configuration of the EphemeralVolumeSource type for use
 // with apply.
+//
+// Represents an ephemeral volume that is handled by a normal storage driver.
 type EphemeralVolumeSourceApplyConfiguration struct {
+	// Will be used to create a stand-alone PVC to provision the volume.
+	// The pod in which this EphemeralVolumeSource is embedded will be the
+	// owner of the PVC, i.e. the PVC will be deleted together with the
+	// pod.  The name of the PVC will be `<pod name>-<volume name>` where
+	// `<volume name>` is the name from the `PodSpec.Volumes` array
+	// entry. Pod validation will reject the pod if the concatenated name
+	// is not valid for a PVC (for example, too long).
+	//
+	// An existing PVC with that name that is not owned by the pod
+	// will *not* be used for the pod to avoid using an unrelated
+	// volume by mistake. Starting the pod is then blocked until
+	// the unrelated PVC is removed. If such a pre-created PVC is
+	// meant to be used by the pod, the PVC has to updated with an
+	// owner reference to the pod once the pod exists. Normally
+	// this should not be necessary, but it may be useful when
+	// manually reconstructing a broken cluster.
+	//
+	// This field is read-only and no changes will be made by Kubernetes
+	// to the PVC after it has been created.
+	//
+	// Required, must not be nil.
 	VolumeClaimTemplate *PersistentVolumeClaimTemplateApplyConfiguration `json:"volumeClaimTemplate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/event.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/event.go
index a4f1905090e6c..676a719b2fa95 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/event.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/event.go
@@ -29,23 +29,49 @@ import (
 
 // EventApplyConfiguration represents a declarative configuration of the Event type for use
 // with apply.
+//
+// Event is a report of an event somewhere in the cluster.  Events
+// have a limited retention time and triggers and messages may evolve
+// with time.  Event consumers should not rely on the timing of an event
+// with a given Reason reflecting a consistent underlying trigger, or the
+// continued existence of events with that Reason.  Events should be
+// treated as informative, best-effort, supplemental data.
 type EventApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	InvolvedObject                       *ObjectReferenceApplyConfiguration `json:"involvedObject,omitempty"`
-	Reason                               *string                            `json:"reason,omitempty"`
-	Message                              *string                            `json:"message,omitempty"`
-	Source                               *EventSourceApplyConfiguration     `json:"source,omitempty"`
-	FirstTimestamp                       *apismetav1.Time                   `json:"firstTimestamp,omitempty"`
-	LastTimestamp                        *apismetav1.Time                   `json:"lastTimestamp,omitempty"`
-	Count                                *int32                             `json:"count,omitempty"`
-	Type                                 *string                            `json:"type,omitempty"`
-	EventTime                            *apismetav1.MicroTime              `json:"eventTime,omitempty"`
-	Series                               *EventSeriesApplyConfiguration     `json:"series,omitempty"`
-	Action                               *string                            `json:"action,omitempty"`
-	Related                              *ObjectReferenceApplyConfiguration `json:"related,omitempty"`
-	ReportingController                  *string                            `json:"reportingComponent,omitempty"`
-	ReportingInstance                    *string                            `json:"reportingInstance,omitempty"`
+	// The object that this event is about.
+	InvolvedObject *ObjectReferenceApplyConfiguration `json:"involvedObject,omitempty"`
+	// This should be a short, machine understandable string that gives the reason
+	// for the transition into the object's current status.
+	// TODO: provide exact specification for format.
+	Reason *string `json:"reason,omitempty"`
+	// A human-readable description of the status of this operation.
+	// TODO: decide on maximum length.
+	Message *string `json:"message,omitempty"`
+	// The component reporting this event. Should be a short machine understandable string.
+	Source *EventSourceApplyConfiguration `json:"source,omitempty"`
+	// The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)
+	FirstTimestamp *apismetav1.Time `json:"firstTimestamp,omitempty"`
+	// The time at which the most recent occurrence of this event was recorded.
+	LastTimestamp *apismetav1.Time `json:"lastTimestamp,omitempty"`
+	// The number of times this event has occurred.
+	Count *int32 `json:"count,omitempty"`
+	// Type of this event (Normal, Warning), new types could be added in the future
+	Type *string `json:"type,omitempty"`
+	// Time when this Event was first observed.
+	EventTime *apismetav1.MicroTime `json:"eventTime,omitempty"`
+	// Data about the Event series this event represents or nil if it's a singleton Event.
+	Series *EventSeriesApplyConfiguration `json:"series,omitempty"`
+	// What action was taken/failed regarding to the Regarding object.
+	Action *string `json:"action,omitempty"`
+	// Optional secondary object for more complex actions.
+	Related *ObjectReferenceApplyConfiguration `json:"related,omitempty"`
+	// Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
+	ReportingController *string `json:"reportingComponent,omitempty"`
+	// ID of the controller instance, e.g. `kubelet-xyzf`.
+	ReportingInstance *string `json:"reportingInstance,omitempty"`
 }
 
 // Event constructs a declarative configuration of the Event type for use with
@@ -59,29 +85,14 @@ func Event(name, namespace string) *EventApplyConfiguration {
 	return b
 }
 
-// ExtractEvent extracts the applied configuration owned by fieldManager from
-// event. If no managedFields are found in event for fieldManager, a
-// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEventFrom extracts the applied configuration owned by fieldManager from
+// event for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // event must be a unmodified Event API object that was retrieved from the Kubernetes API.
-// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEventFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEvent(event *corev1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "")
-}
-
-// ExtractEventStatus is the same as ExtractEvent except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEventStatus(event *corev1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "status")
-}
-
-func extractEvent(event *corev1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
+func ExtractEventFrom(event *corev1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
 	b := &EventApplyConfiguration{}
 	err := managedfields.ExtractInto(event, internal.Parser().Type("io.k8s.api.core.v1.Event"), fieldManager, b, subresource)
 	if err != nil {
@@ -94,6 +105,21 @@ func extractEvent(event *corev1.Event, fieldManager string, subresource string)
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractEvent extracts the applied configuration owned by fieldManager from
+// event. If no managedFields are found in event for fieldManager, a
+// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// event must be a unmodified Event API object that was retrieved from the Kubernetes API.
+// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEvent(event *corev1.Event, fieldManager string) (*EventApplyConfiguration, error) {
+	return ExtractEventFrom(event, fieldManager, "")
+}
+
 func (b EventApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventseries.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventseries.go
index c90954bccbd8b..fdaa06b655e51 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventseries.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventseries.go
@@ -24,8 +24,13 @@ import (
 
 // EventSeriesApplyConfiguration represents a declarative configuration of the EventSeries type for use
 // with apply.
+//
+// EventSeries contain information on series of events, i.e. thing that was/is happening
+// continuously for some time.
 type EventSeriesApplyConfiguration struct {
-	Count            *int32            `json:"count,omitempty"`
+	// Number of occurrences in this series up to the last heartbeat time
+	Count *int32 `json:"count,omitempty"`
+	// Time of the last occurrence observed
 	LastObservedTime *metav1.MicroTime `json:"lastObservedTime,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventsource.go
index 97edb049310a2..10ca1db8df589 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/eventsource.go
@@ -20,9 +20,13 @@ package v1
 
 // EventSourceApplyConfiguration represents a declarative configuration of the EventSource type for use
 // with apply.
+//
+// EventSource contains information for an event.
 type EventSourceApplyConfiguration struct {
+	// Component from which the event is generated.
 	Component *string `json:"component,omitempty"`
-	Host      *string `json:"host,omitempty"`
+	// Node name on which the event is generated.
+	Host *string `json:"host,omitempty"`
 }
 
 // EventSourceApplyConfiguration constructs a declarative configuration of the EventSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/execaction.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/execaction.go
index b7208a91cfe87..de3e85900f65d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/execaction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/execaction.go
@@ -20,7 +20,14 @@ package v1
 
 // ExecActionApplyConfiguration represents a declarative configuration of the ExecAction type for use
 // with apply.
+//
+// ExecAction describes a "run in container" action.
 type ExecActionApplyConfiguration struct {
+	// Command is the command line to execute inside the container, the working directory for the
+	// command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+	// not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+	// a shell, you need to explicitly call out to that shell.
+	// Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
 	Command []string `json:"command,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/fcvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/fcvolumesource.go
index 000ff2cc62d81..f77f82f990610 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/fcvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/fcvolumesource.go
@@ -20,12 +20,26 @@ package v1
 
 // FCVolumeSourceApplyConfiguration represents a declarative configuration of the FCVolumeSource type for use
 // with apply.
+//
+// Represents a Fibre Channel volume.
+// Fibre Channel volumes can only be mounted as read/write once.
+// Fibre Channel volumes support ownership management and SELinux relabeling.
 type FCVolumeSourceApplyConfiguration struct {
+	// targetWWNs is Optional: FC target worldwide names (WWNs)
 	TargetWWNs []string `json:"targetWWNs,omitempty"`
-	Lun        *int32   `json:"lun,omitempty"`
-	FSType     *string  `json:"fsType,omitempty"`
-	ReadOnly   *bool    `json:"readOnly,omitempty"`
-	WWIDs      []string `json:"wwids,omitempty"`
+	// lun is Optional: FC target lun number
+	Lun *int32 `json:"lun,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// wwids Optional: FC volume world wide identifiers (wwids)
+	// Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+	WWIDs []string `json:"wwids,omitempty"`
 }
 
 // FCVolumeSourceApplyConfiguration constructs a declarative configuration of the FCVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/filekeyselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/filekeyselector.go
index d543e12001d6c..7c1f21282146b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/filekeyselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/filekeyselector.go
@@ -20,11 +20,26 @@ package v1
 
 // FileKeySelectorApplyConfiguration represents a declarative configuration of the FileKeySelector type for use
 // with apply.
+//
+// FileKeySelector selects a key of the env file.
 type FileKeySelectorApplyConfiguration struct {
+	// The name of the volume mount containing the env file.
 	VolumeName *string `json:"volumeName,omitempty"`
-	Path       *string `json:"path,omitempty"`
-	Key        *string `json:"key,omitempty"`
-	Optional   *bool   `json:"optional,omitempty"`
+	// The path within the volume from which to select the file.
+	// Must be relative and may not contain the '..' path or start with '..'.
+	Path *string `json:"path,omitempty"`
+	// The key within the env file. An invalid key will prevent the pod from starting.
+	// The keys defined within a source may consist of any printable ASCII characters except '='.
+	// During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+	Key *string `json:"key,omitempty"`
+	// Specify whether the file or its key must be defined. If the file or key
+	// does not exist, then the env var is not published.
+	// If optional is set to true and the specified key does not exist,
+	// the environment variable will not be set in the Pod's containers.
+	//
+	// If optional is set to false and the specified key does not exist,
+	// an error will be returned during Pod creation.
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // FileKeySelectorApplyConfiguration constructs a declarative configuration of the FileKeySelector type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexpersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexpersistentvolumesource.go
index 355c2c82d0739..a1a57bb7adffb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexpersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexpersistentvolumesource.go
@@ -20,12 +20,27 @@ package v1
 
 // FlexPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the FlexPersistentVolumeSource type for use
 // with apply.
+//
+// FlexPersistentVolumeSource represents a generic persistent volume resource that is
+// provisioned/attached using an exec based plugin.
 type FlexPersistentVolumeSourceApplyConfiguration struct {
-	Driver    *string                            `json:"driver,omitempty"`
-	FSType    *string                            `json:"fsType,omitempty"`
+	// driver is the name of the driver to use for this volume.
+	Driver *string `json:"driver,omitempty"`
+	// fsType is the Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+	FSType *string `json:"fsType,omitempty"`
+	// secretRef is Optional: SecretRef is reference to the secret object containing
+	// sensitive information to pass to the plugin scripts. This may be
+	// empty if no secret object is specified. If the secret object
+	// contains more than one secret, all secrets are passed to the plugin
+	// scripts.
 	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly  *bool                              `json:"readOnly,omitempty"`
-	Options   map[string]string                  `json:"options,omitempty"`
+	// readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// options is Optional: this field holds extra command options if any.
+	Options map[string]string `json:"options,omitempty"`
 }
 
 // FlexPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the FlexPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexvolumesource.go
index 08ae9e1bead04..e9fc295034327 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flexvolumesource.go
@@ -20,12 +20,27 @@ package v1
 
 // FlexVolumeSourceApplyConfiguration represents a declarative configuration of the FlexVolumeSource type for use
 // with apply.
+//
+// FlexVolume represents a generic volume resource that is
+// provisioned/attached using an exec based plugin.
 type FlexVolumeSourceApplyConfiguration struct {
-	Driver    *string                                 `json:"driver,omitempty"`
-	FSType    *string                                 `json:"fsType,omitempty"`
+	// driver is the name of the driver to use for this volume.
+	Driver *string `json:"driver,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+	FSType *string `json:"fsType,omitempty"`
+	// secretRef is Optional: secretRef is reference to the secret object containing
+	// sensitive information to pass to the plugin scripts. This may be
+	// empty if no secret object is specified. If the secret object
+	// contains more than one secret, all secrets are passed to the plugin
+	// scripts.
 	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly  *bool                                   `json:"readOnly,omitempty"`
-	Options   map[string]string                       `json:"options,omitempty"`
+	// readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// options is Optional: this field holds extra command options if any.
+	Options map[string]string `json:"options,omitempty"`
 }
 
 // FlexVolumeSourceApplyConfiguration constructs a declarative configuration of the FlexVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flockervolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flockervolumesource.go
index e4ecbba0e48c3..452105d987250 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flockervolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/flockervolumesource.go
@@ -20,8 +20,15 @@ package v1
 
 // FlockerVolumeSourceApplyConfiguration represents a declarative configuration of the FlockerVolumeSource type for use
 // with apply.
+//
+// Represents a Flocker volume mounted by the Flocker agent.
+// One and only one of datasetName and datasetUUID should be set.
+// Flocker volumes do not support ownership management or SELinux relabeling.
 type FlockerVolumeSourceApplyConfiguration struct {
+	// datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+	// should be considered as deprecated
 	DatasetName *string `json:"datasetName,omitempty"`
+	// datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset
 	DatasetUUID *string `json:"datasetUUID,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gcepersistentdiskvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gcepersistentdiskvolumesource.go
index 56c4d03fa2147..5283c30a2f5d3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gcepersistentdiskvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gcepersistentdiskvolumesource.go
@@ -20,11 +20,33 @@ package v1
 
 // GCEPersistentDiskVolumeSourceApplyConfiguration represents a declarative configuration of the GCEPersistentDiskVolumeSource type for use
 // with apply.
+//
+// Represents a Persistent Disk resource in Google Compute Engine.
+//
+// A GCE PD must exist before mounting to a container. The disk must
+// also be in the same GCE project and zone as the kubelet. A GCE PD
+// can only be mounted as read/write once or read-only many times. GCE
+// PDs support ownership management and SELinux relabeling.
 type GCEPersistentDiskVolumeSourceApplyConfiguration struct {
-	PDName    *string `json:"pdName,omitempty"`
-	FSType    *string `json:"fsType,omitempty"`
-	Partition *int32  `json:"partition,omitempty"`
-	ReadOnly  *bool   `json:"readOnly,omitempty"`
+	// pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	PDName *string `json:"pdName,omitempty"`
+	// fsType is filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// partition is the partition in the volume that you want to mount.
+	// If omitted, the default is to mount by volume name.
+	// Examples: For volume /dev/sda1, you specify the partition as "1".
+	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	Partition *int32 `json:"partition,omitempty"`
+	// readOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // GCEPersistentDiskVolumeSourceApplyConfiguration constructs a declarative configuration of the GCEPersistentDiskVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gitrepovolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gitrepovolumesource.go
index 4ed92317c871b..37977d0f51b6b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gitrepovolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/gitrepovolumesource.go
@@ -20,10 +20,24 @@ package v1
 
 // GitRepoVolumeSourceApplyConfiguration represents a declarative configuration of the GitRepoVolumeSource type for use
 // with apply.
+//
+// Represents a volume that is populated with the contents of a git repository.
+// Git repo volumes do not support ownership management.
+// Git repo volumes support SELinux relabeling.
+//
+// DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+// into the Pod's container.
 type GitRepoVolumeSourceApplyConfiguration struct {
+	// repository is the URL
 	Repository *string `json:"repository,omitempty"`
-	Revision   *string `json:"revision,omitempty"`
-	Directory  *string `json:"directory,omitempty"`
+	// revision is the commit hash for the specified revision.
+	Revision *string `json:"revision,omitempty"`
+	// directory is the target directory name.
+	// Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+	// git repository.  Otherwise, if specified, the volume will contain the git repository in
+	// the subdirectory with the given name.
+	Directory *string `json:"directory,omitempty"`
 }
 
 // GitRepoVolumeSourceApplyConfiguration constructs a declarative configuration of the GitRepoVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfspersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfspersistentvolumesource.go
index c9a23ca5d7405..bd53ab409a767 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfspersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfspersistentvolumesource.go
@@ -20,10 +20,23 @@ package v1
 
 // GlusterfsPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the GlusterfsPersistentVolumeSource type for use
 // with apply.
+//
+// Represents a Glusterfs mount that lasts the lifetime of a pod.
+// Glusterfs volumes do not support ownership management or SELinux relabeling.
 type GlusterfsPersistentVolumeSourceApplyConfiguration struct {
-	EndpointsName      *string `json:"endpoints,omitempty"`
-	Path               *string `json:"path,omitempty"`
-	ReadOnly           *bool   `json:"readOnly,omitempty"`
+	// endpoints is the endpoint name that details Glusterfs topology.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+	EndpointsName *string `json:"endpoints,omitempty"`
+	// path is the Glusterfs volume path.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+	Path *string `json:"path,omitempty"`
+	// readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+	// Defaults to false.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// endpointsNamespace is the namespace that contains Glusterfs endpoint.
+	// If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
 	EndpointsNamespace *string `json:"endpointsNamespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfsvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfsvolumesource.go
index 8c27f8c70d1c8..f558c152b73a7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfsvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/glusterfsvolumesource.go
@@ -20,10 +20,19 @@ package v1
 
 // GlusterfsVolumeSourceApplyConfiguration represents a declarative configuration of the GlusterfsVolumeSource type for use
 // with apply.
+//
+// Represents a Glusterfs mount that lasts the lifetime of a pod.
+// Glusterfs volumes do not support ownership management or SELinux relabeling.
 type GlusterfsVolumeSourceApplyConfiguration struct {
+	// endpoints is the endpoint name that details Glusterfs topology.
 	EndpointsName *string `json:"endpoints,omitempty"`
-	Path          *string `json:"path,omitempty"`
-	ReadOnly      *bool   `json:"readOnly,omitempty"`
+	// path is the Glusterfs volume path.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+	Path *string `json:"path,omitempty"`
+	// readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+	// Defaults to false.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // GlusterfsVolumeSourceApplyConfiguration constructs a declarative configuration of the GlusterfsVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/grpcaction.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/grpcaction.go
index 0f3a886714db6..40f5f9ecfd02c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/grpcaction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/grpcaction.go
@@ -20,8 +20,15 @@ package v1
 
 // GRPCActionApplyConfiguration represents a declarative configuration of the GRPCAction type for use
 // with apply.
+//
+// GRPCAction specifies an action involving a GRPC service.
 type GRPCActionApplyConfiguration struct {
-	Port    *int32  `json:"port,omitempty"`
+	// Port number of the gRPC service. Number must be in the range 1 to 65535.
+	Port *int32 `json:"port,omitempty"`
+	// Service is the name of the service to place in the gRPC HealthCheckRequest
+	// (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+	//
+	// If this is not specified, the default behavior is defined by gRPC.
 	Service *string `json:"service,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostalias.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostalias.go
index ec9ea1741376b..687c1eb92f261 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostalias.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostalias.go
@@ -20,8 +20,13 @@ package v1
 
 // HostAliasApplyConfiguration represents a declarative configuration of the HostAlias type for use
 // with apply.
+//
+// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
+// pod's hosts file.
 type HostAliasApplyConfiguration struct {
-	IP        *string  `json:"ip,omitempty"`
+	// IP address of the host file entry.
+	IP *string `json:"ip,omitempty"`
+	// Hostnames for the above IP address.
 	Hostnames []string `json:"hostnames,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostip.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostip.go
index 439b5ce2d6b07..eeb30f9e984c2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostip.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostip.go
@@ -20,7 +20,10 @@ package v1
 
 // HostIPApplyConfiguration represents a declarative configuration of the HostIP type for use
 // with apply.
+//
+// HostIP represents a single IP address allocated to the host.
 type HostIPApplyConfiguration struct {
+	// IP is the IP address assigned to the host
 	IP *string `json:"ip,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostpathvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostpathvolumesource.go
index 6a41d67cd06fd..a69e71e1e3bb2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostpathvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/hostpathvolumesource.go
@@ -24,8 +24,17 @@ import (
 
 // HostPathVolumeSourceApplyConfiguration represents a declarative configuration of the HostPathVolumeSource type for use
 // with apply.
+//
+// Represents a host path mapped into a pod.
+// Host path volumes do not support ownership management or SELinux relabeling.
 type HostPathVolumeSourceApplyConfiguration struct {
-	Path *string              `json:"path,omitempty"`
+	// path of the directory on the host.
+	// If the path is a symlink, it will follow the link to the real path.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	Path *string `json:"path,omitempty"`
+	// type for HostPath Volume
+	// Defaults to ""
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
 	Type *corev1.HostPathType `json:"type,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpgetaction.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpgetaction.go
index ca61c5ae244ad..3f892c752d323 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpgetaction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpgetaction.go
@@ -25,11 +25,22 @@ import (
 
 // HTTPGetActionApplyConfiguration represents a declarative configuration of the HTTPGetAction type for use
 // with apply.
+//
+// HTTPGetAction describes an action based on HTTP Get requests.
 type HTTPGetActionApplyConfiguration struct {
-	Path        *string                        `json:"path,omitempty"`
-	Port        *intstr.IntOrString            `json:"port,omitempty"`
-	Host        *string                        `json:"host,omitempty"`
-	Scheme      *corev1.URIScheme              `json:"scheme,omitempty"`
+	// Path to access on the HTTP server.
+	Path *string `json:"path,omitempty"`
+	// Name or number of the port to access on the container.
+	// Number must be in the range 1 to 65535.
+	// Name must be an IANA_SVC_NAME.
+	Port *intstr.IntOrString `json:"port,omitempty"`
+	// Host name to connect to, defaults to the pod IP. You probably want to set
+	// "Host" in httpHeaders instead.
+	Host *string `json:"host,omitempty"`
+	// Scheme to use for connecting to the host.
+	// Defaults to HTTP.
+	Scheme *corev1.URIScheme `json:"scheme,omitempty"`
+	// Custom headers to set in the request. HTTP allows repeated headers.
 	HTTPHeaders []HTTPHeaderApplyConfiguration `json:"httpHeaders,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpheader.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpheader.go
index 2526371669941..c62c85bad3921 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpheader.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/httpheader.go
@@ -20,8 +20,13 @@ package v1
 
 // HTTPHeaderApplyConfiguration represents a declarative configuration of the HTTPHeader type for use
 // with apply.
+//
+// HTTPHeader describes a custom header to be used in HTTP probes
 type HTTPHeaderApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// The header field name.
+	// This will be canonicalized upon output, so case-variant names will be understood as the same header.
+	Name *string `json:"name,omitempty"`
+	// The header field value
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/imagevolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/imagevolumesource.go
index 9a146e68526f0..90109d49b06f0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/imagevolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/imagevolumesource.go
@@ -24,8 +24,21 @@ import (
 
 // ImageVolumeSourceApplyConfiguration represents a declarative configuration of the ImageVolumeSource type for use
 // with apply.
+//
+// ImageVolumeSource represents a image volume resource.
 type ImageVolumeSourceApplyConfiguration struct {
-	Reference  *string            `json:"reference,omitempty"`
+	// Required: Image or artifact reference to be used.
+	// Behaves in the same way as pod.spec.containers[*].image.
+	// Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	// This field is optional to allow higher level config management to default or override
+	// container images in workload controllers like Deployments and StatefulSets.
+	Reference *string `json:"reference,omitempty"`
+	// Policy for pulling OCI objects. Possible values are:
+	// Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+	// Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+	// IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
 	PullPolicy *corev1.PullPolicy `json:"pullPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsipersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsipersistentvolumesource.go
index 42f420c56867c..02900a4d279ab 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsipersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsipersistentvolumesource.go
@@ -20,18 +20,43 @@ package v1
 
 // ISCSIPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the ISCSIPersistentVolumeSource type for use
 // with apply.
+//
+// ISCSIPersistentVolumeSource represents an ISCSI disk.
+// ISCSI volumes can only be mounted as read/write once.
+// ISCSI volumes support ownership management and SELinux relabeling.
 type ISCSIPersistentVolumeSourceApplyConfiguration struct {
-	TargetPortal      *string                            `json:"targetPortal,omitempty"`
-	IQN               *string                            `json:"iqn,omitempty"`
-	Lun               *int32                             `json:"lun,omitempty"`
-	ISCSIInterface    *string                            `json:"iscsiInterface,omitempty"`
-	FSType            *string                            `json:"fsType,omitempty"`
-	ReadOnly          *bool                              `json:"readOnly,omitempty"`
-	Portals           []string                           `json:"portals,omitempty"`
-	DiscoveryCHAPAuth *bool                              `json:"chapAuthDiscovery,omitempty"`
-	SessionCHAPAuth   *bool                              `json:"chapAuthSession,omitempty"`
-	SecretRef         *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	InitiatorName     *string                            `json:"initiatorName,omitempty"`
+	// targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	TargetPortal *string `json:"targetPortal,omitempty"`
+	// iqn is Target iSCSI Qualified Name.
+	IQN *string `json:"iqn,omitempty"`
+	// lun is iSCSI Target Lun number.
+	Lun *int32 `json:"lun,omitempty"`
+	// iscsiInterface is the interface Name that uses an iSCSI transport.
+	// Defaults to 'default' (tcp).
+	ISCSIInterface *string `json:"iscsiInterface,omitempty"`
+	// fsType is the filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	Portals []string `json:"portals,omitempty"`
+	// chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+	DiscoveryCHAPAuth *bool `json:"chapAuthDiscovery,omitempty"`
+	// chapAuthSession defines whether support iSCSI Session CHAP authentication
+	SessionCHAPAuth *bool `json:"chapAuthSession,omitempty"`
+	// secretRef is the CHAP Secret for iSCSI target and initiator authentication
+	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// initiatorName is the custom iSCSI Initiator Name.
+	// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+	// <target portal>:<volume name> will be created for the connection.
+	InitiatorName *string `json:"initiatorName,omitempty"`
 }
 
 // ISCSIPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the ISCSIPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsivolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsivolumesource.go
index 61055434bce63..12fe844fc0edf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsivolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/iscsivolumesource.go
@@ -20,18 +20,43 @@ package v1
 
 // ISCSIVolumeSourceApplyConfiguration represents a declarative configuration of the ISCSIVolumeSource type for use
 // with apply.
+//
+// Represents an ISCSI disk.
+// ISCSI volumes can only be mounted as read/write once.
+// ISCSI volumes support ownership management and SELinux relabeling.
 type ISCSIVolumeSourceApplyConfiguration struct {
-	TargetPortal      *string                                 `json:"targetPortal,omitempty"`
-	IQN               *string                                 `json:"iqn,omitempty"`
-	Lun               *int32                                  `json:"lun,omitempty"`
-	ISCSIInterface    *string                                 `json:"iscsiInterface,omitempty"`
-	FSType            *string                                 `json:"fsType,omitempty"`
-	ReadOnly          *bool                                   `json:"readOnly,omitempty"`
-	Portals           []string                                `json:"portals,omitempty"`
-	DiscoveryCHAPAuth *bool                                   `json:"chapAuthDiscovery,omitempty"`
-	SessionCHAPAuth   *bool                                   `json:"chapAuthSession,omitempty"`
-	SecretRef         *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	InitiatorName     *string                                 `json:"initiatorName,omitempty"`
+	// targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	TargetPortal *string `json:"targetPortal,omitempty"`
+	// iqn is the target iSCSI Qualified Name.
+	IQN *string `json:"iqn,omitempty"`
+	// lun represents iSCSI Target Lun number.
+	Lun *int32 `json:"lun,omitempty"`
+	// iscsiInterface is the interface Name that uses an iSCSI transport.
+	// Defaults to 'default' (tcp).
+	ISCSIInterface *string `json:"iscsiInterface,omitempty"`
+	// fsType is the filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	Portals []string `json:"portals,omitempty"`
+	// chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication
+	DiscoveryCHAPAuth *bool `json:"chapAuthDiscovery,omitempty"`
+	// chapAuthSession defines whether support iSCSI Session CHAP authentication
+	SessionCHAPAuth *bool `json:"chapAuthSession,omitempty"`
+	// secretRef is the CHAP Secret for iSCSI target and initiator authentication
+	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// initiatorName is the custom iSCSI Initiator Name.
+	// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+	// <target portal>:<volume name> will be created for the connection.
+	InitiatorName *string `json:"initiatorName,omitempty"`
 }
 
 // ISCSIVolumeSourceApplyConfiguration constructs a declarative configuration of the ISCSIVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/keytopath.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/keytopath.go
index c961b07955b0b..75ce1130a68c5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/keytopath.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/keytopath.go
@@ -20,10 +20,23 @@ package v1
 
 // KeyToPathApplyConfiguration represents a declarative configuration of the KeyToPath type for use
 // with apply.
+//
+// Maps a string key to a path within a volume.
 type KeyToPathApplyConfiguration struct {
-	Key  *string `json:"key,omitempty"`
+	// key is the key to project.
+	Key *string `json:"key,omitempty"`
+	// path is the relative path of the file to map the key to.
+	// May not be an absolute path.
+	// May not contain the path element '..'.
+	// May not start with the string '..'.
 	Path *string `json:"path,omitempty"`
-	Mode *int32  `json:"mode,omitempty"`
+	// mode is Optional: mode bits used to set permissions on this file.
+	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+	// If not specified, the volume defaultMode will be used.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	Mode *int32 `json:"mode,omitempty"`
 }
 
 // KeyToPathApplyConfiguration constructs a declarative configuration of the KeyToPath type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecycle.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecycle.go
index f8c18a7502c10..8880934a6857a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecycle.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecycle.go
@@ -24,10 +24,30 @@ import (
 
 // LifecycleApplyConfiguration represents a declarative configuration of the Lifecycle type for use
 // with apply.
+//
+// Lifecycle describes actions that the management system should take in response to container lifecycle
+// events. For the PostStart and PreStop lifecycle handlers, management of the container blocks
+// until the action is complete, unless the container process fails, in which case the handler is aborted.
 type LifecycleApplyConfiguration struct {
-	PostStart  *LifecycleHandlerApplyConfiguration `json:"postStart,omitempty"`
-	PreStop    *LifecycleHandlerApplyConfiguration `json:"preStop,omitempty"`
-	StopSignal *corev1.Signal                      `json:"stopSignal,omitempty"`
+	// PostStart is called immediately after a container is created. If the handler fails,
+	// the container is terminated and restarted according to its restart policy.
+	// Other management of the container blocks until the hook completes.
+	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+	PostStart *LifecycleHandlerApplyConfiguration `json:"postStart,omitempty"`
+	// PreStop is called immediately before a container is terminated due to an
+	// API request or management event such as liveness/startup probe failure,
+	// preemption, resource contention, etc. The handler is not called if the
+	// container crashes or exits. The Pod's termination grace period countdown begins before the
+	// PreStop hook is executed. Regardless of the outcome of the handler, the
+	// container will eventually terminate within the Pod's termination grace
+	// period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+	// or until the termination grace period is reached.
+	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+	PreStop *LifecycleHandlerApplyConfiguration `json:"preStop,omitempty"`
+	// StopSignal defines which signal will be sent to a container when it is being stopped.
+	// If not specified, the default is defined by the container runtime in use.
+	// StopSignal can only be set for Pods with a non-empty .spec.os.name
+	StopSignal *corev1.Signal `json:"stopSignal,omitempty"`
 }
 
 // LifecycleApplyConfiguration constructs a declarative configuration of the Lifecycle type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecyclehandler.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecyclehandler.go
index b7c706d58dd28..d01d39648eb3c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecyclehandler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/lifecyclehandler.go
@@ -20,11 +20,20 @@ package v1
 
 // LifecycleHandlerApplyConfiguration represents a declarative configuration of the LifecycleHandler type for use
 // with apply.
+//
+// LifecycleHandler defines a specific action that should be taken in a lifecycle
+// hook. One and only one of the fields, except TCPSocket must be specified.
 type LifecycleHandlerApplyConfiguration struct {
-	Exec      *ExecActionApplyConfiguration      `json:"exec,omitempty"`
-	HTTPGet   *HTTPGetActionApplyConfiguration   `json:"httpGet,omitempty"`
+	// Exec specifies a command to execute in the container.
+	Exec *ExecActionApplyConfiguration `json:"exec,omitempty"`
+	// HTTPGet specifies an HTTP GET request to perform.
+	HTTPGet *HTTPGetActionApplyConfiguration `json:"httpGet,omitempty"`
+	// Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+	// for backward compatibility. There is no validation of this field and
+	// lifecycle hooks will fail at runtime when it is specified.
 	TCPSocket *TCPSocketActionApplyConfiguration `json:"tcpSocket,omitempty"`
-	Sleep     *SleepActionApplyConfiguration     `json:"sleep,omitempty"`
+	// Sleep represents a duration that the container should sleep.
+	Sleep *SleepActionApplyConfiguration `json:"sleep,omitempty"`
 }
 
 // LifecycleHandlerApplyConfiguration constructs a declarative configuration of the LifecycleHandler type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrange.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrange.go
index 349a212d5697d..84a9fca312a55 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrange.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrange.go
@@ -29,10 +29,16 @@ import (
 
 // LimitRangeApplyConfiguration represents a declarative configuration of the LimitRange type for use
 // with apply.
+//
+// LimitRange sets resource usage limits for each kind of resource in a Namespace.
 type LimitRangeApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *LimitRangeSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec defines the limits enforced.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *LimitRangeSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // LimitRange constructs a declarative configuration of the LimitRange type for use with
@@ -46,29 +52,14 @@ func LimitRange(name, namespace string) *LimitRangeApplyConfiguration {
 	return b
 }
 
-// ExtractLimitRange extracts the applied configuration owned by fieldManager from
-// limitRange. If no managedFields are found in limitRange for fieldManager, a
-// LimitRangeApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractLimitRangeFrom extracts the applied configuration owned by fieldManager from
+// limitRange for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // limitRange must be a unmodified LimitRange API object that was retrieved from the Kubernetes API.
-// ExtractLimitRange provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractLimitRangeFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractLimitRange(limitRange *corev1.LimitRange, fieldManager string) (*LimitRangeApplyConfiguration, error) {
-	return extractLimitRange(limitRange, fieldManager, "")
-}
-
-// ExtractLimitRangeStatus is the same as ExtractLimitRange except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractLimitRangeStatus(limitRange *corev1.LimitRange, fieldManager string) (*LimitRangeApplyConfiguration, error) {
-	return extractLimitRange(limitRange, fieldManager, "status")
-}
-
-func extractLimitRange(limitRange *corev1.LimitRange, fieldManager string, subresource string) (*LimitRangeApplyConfiguration, error) {
+func ExtractLimitRangeFrom(limitRange *corev1.LimitRange, fieldManager string, subresource string) (*LimitRangeApplyConfiguration, error) {
 	b := &LimitRangeApplyConfiguration{}
 	err := managedfields.ExtractInto(limitRange, internal.Parser().Type("io.k8s.api.core.v1.LimitRange"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractLimitRange(limitRange *corev1.LimitRange, fieldManager string, subre
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractLimitRange extracts the applied configuration owned by fieldManager from
+// limitRange. If no managedFields are found in limitRange for fieldManager, a
+// LimitRangeApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// limitRange must be a unmodified LimitRange API object that was retrieved from the Kubernetes API.
+// ExtractLimitRange provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractLimitRange(limitRange *corev1.LimitRange, fieldManager string) (*LimitRangeApplyConfiguration, error) {
+	return ExtractLimitRangeFrom(limitRange, fieldManager, "")
+}
+
 func (b LimitRangeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangeitem.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangeitem.go
index 5ad8ac0e6e226..af3d912d3d622 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangeitem.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangeitem.go
@@ -24,12 +24,20 @@ import (
 
 // LimitRangeItemApplyConfiguration represents a declarative configuration of the LimitRangeItem type for use
 // with apply.
+//
+// LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
 type LimitRangeItemApplyConfiguration struct {
-	Type                 *corev1.LimitType    `json:"type,omitempty"`
-	Max                  *corev1.ResourceList `json:"max,omitempty"`
-	Min                  *corev1.ResourceList `json:"min,omitempty"`
-	Default              *corev1.ResourceList `json:"default,omitempty"`
-	DefaultRequest       *corev1.ResourceList `json:"defaultRequest,omitempty"`
+	// Type of resource that this limit applies to.
+	Type *corev1.LimitType `json:"type,omitempty"`
+	// Max usage constraints on this kind by resource name.
+	Max *corev1.ResourceList `json:"max,omitempty"`
+	// Min usage constraints on this kind by resource name.
+	Min *corev1.ResourceList `json:"min,omitempty"`
+	// Default resource requirement limit value by resource name if resource limit is omitted.
+	Default *corev1.ResourceList `json:"default,omitempty"`
+	// DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
+	DefaultRequest *corev1.ResourceList `json:"defaultRequest,omitempty"`
+	// MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
 	MaxLimitRequestRatio *corev1.ResourceList `json:"maxLimitRequestRatio,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangespec.go
index 8d69c1c0cd7e0..198e1178f6176 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/limitrangespec.go
@@ -20,7 +20,10 @@ package v1
 
 // LimitRangeSpecApplyConfiguration represents a declarative configuration of the LimitRangeSpec type for use
 // with apply.
+//
+// LimitRangeSpec defines a min/max usage limit for resources that match on kind.
 type LimitRangeSpecApplyConfiguration struct {
+	// Limits is the list of LimitRangeItem objects that are enforced.
 	Limits []LimitRangeItemApplyConfiguration `json:"limits,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/linuxcontaineruser.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/linuxcontaineruser.go
index fbab4815ab893..1dc8fc70a3374 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/linuxcontaineruser.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/linuxcontaineruser.go
@@ -20,9 +20,14 @@ package v1
 
 // LinuxContainerUserApplyConfiguration represents a declarative configuration of the LinuxContainerUser type for use
 // with apply.
+//
+// LinuxContainerUser represents user identity information in Linux containers
 type LinuxContainerUserApplyConfiguration struct {
-	UID                *int64  `json:"uid,omitempty"`
-	GID                *int64  `json:"gid,omitempty"`
+	// UID is the primary uid initially attached to the first process in the container
+	UID *int64 `json:"uid,omitempty"`
+	// GID is the primary gid initially attached to the first process in the container
+	GID *int64 `json:"gid,omitempty"`
+	// SupplementalGroups are the supplemental groups initially attached to the first process in the container
 	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalanceringress.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalanceringress.go
index ae5c410a2439b..91c3225ecf03a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalanceringress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalanceringress.go
@@ -24,11 +24,26 @@ import (
 
 // LoadBalancerIngressApplyConfiguration represents a declarative configuration of the LoadBalancerIngress type for use
 // with apply.
+//
+// LoadBalancerIngress represents the status of a load-balancer ingress point:
+// traffic intended for the service should be sent to an ingress point.
 type LoadBalancerIngressApplyConfiguration struct {
-	IP       *string                        `json:"ip,omitempty"`
-	Hostname *string                        `json:"hostname,omitempty"`
-	IPMode   *corev1.LoadBalancerIPMode     `json:"ipMode,omitempty"`
-	Ports    []PortStatusApplyConfiguration `json:"ports,omitempty"`
+	// IP is set for load-balancer ingress points that are IP based
+	// (typically GCE or OpenStack load-balancers)
+	IP *string `json:"ip,omitempty"`
+	// Hostname is set for load-balancer ingress points that are DNS based
+	// (typically AWS load-balancers)
+	Hostname *string `json:"hostname,omitempty"`
+	// IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
+	// Setting this to "VIP" indicates that traffic is delivered to the node with
+	// the destination set to the load-balancer's IP and port.
+	// Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
+	// the destination set to the node's IP and node port or the pod's IP and port.
+	// Service implementations may use this information to adjust traffic routing.
+	IPMode *corev1.LoadBalancerIPMode `json:"ipMode,omitempty"`
+	// Ports is a list of records of service ports
+	// If used, every port defined in the service should have an entry in it
+	Ports []PortStatusApplyConfiguration `json:"ports,omitempty"`
 }
 
 // LoadBalancerIngressApplyConfiguration constructs a declarative configuration of the LoadBalancerIngress type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalancerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalancerstatus.go
index bb3d616c15f71..dd22551480120 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalancerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/loadbalancerstatus.go
@@ -20,7 +20,11 @@ package v1
 
 // LoadBalancerStatusApplyConfiguration represents a declarative configuration of the LoadBalancerStatus type for use
 // with apply.
+//
+// LoadBalancerStatus represents the status of a load-balancer.
 type LoadBalancerStatusApplyConfiguration struct {
+	// Ingress is a list containing ingress points for the load-balancer.
+	// Traffic intended for the service should be sent to these ingress points.
 	Ingress []LoadBalancerIngressApplyConfiguration `json:"ingress,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localobjectreference.go
index c55d6803dc8e5..2841adb672b1b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localobjectreference.go
@@ -20,7 +20,27 @@ package v1
 
 // LocalObjectReferenceApplyConfiguration represents a declarative configuration of the LocalObjectReference type for use
 // with apply.
+//
+// LocalObjectReference contains enough information to let you locate the
+// referenced object inside the same namespace.
+// ---
+// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+// 1. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+// Those cannot be well described when embedded.
+// 2. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+// 3. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+// will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+//
+// Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
 type LocalObjectReferenceApplyConfiguration struct {
+	// Name of the referent.
+	// This field is effectively required, but due to backwards compatibility is
+	// allowed to be empty. Instances of this type with an empty value here are
+	// almost certainly wrong.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localvolumesource.go
index db711d99349c8..27827ed1ba682 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/localvolumesource.go
@@ -20,8 +20,16 @@ package v1
 
 // LocalVolumeSourceApplyConfiguration represents a declarative configuration of the LocalVolumeSource type for use
 // with apply.
+//
+// Local represents directly-attached storage with node affinity
 type LocalVolumeSourceApplyConfiguration struct {
-	Path   *string `json:"path,omitempty"`
+	// path of the full path to the volume on the node.
+	// It can be either a directory or block device (disk, partition, ...).
+	Path *string `json:"path,omitempty"`
+	// fsType is the filesystem type to mount.
+	// It applies only when the Path is a block device.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a filesystem if unspecified.
 	FSType *string `json:"fsType,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/modifyvolumestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/modifyvolumestatus.go
index 9a1a6af2a6e08..4fa86ce042579 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/modifyvolumestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/modifyvolumestatus.go
@@ -24,9 +24,22 @@ import (
 
 // ModifyVolumeStatusApplyConfiguration represents a declarative configuration of the ModifyVolumeStatus type for use
 // with apply.
+//
+// ModifyVolumeStatus represents the status object of ControllerModifyVolume operation
 type ModifyVolumeStatusApplyConfiguration struct {
-	TargetVolumeAttributesClassName *string                                         `json:"targetVolumeAttributesClassName,omitempty"`
-	Status                          *corev1.PersistentVolumeClaimModifyVolumeStatus `json:"status,omitempty"`
+	// targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled
+	TargetVolumeAttributesClassName *string `json:"targetVolumeAttributesClassName,omitempty"`
+	// status is the status of the ControllerModifyVolume operation. It can be in any of following states:
+	// - Pending
+	// Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as
+	// the specified VolumeAttributesClass not existing.
+	// - InProgress
+	// InProgress indicates that the volume is being modified.
+	// - Infeasible
+	// Infeasible indicates that the request has been rejected as invalid by the CSI driver. To
+	// resolve the error, a valid VolumeAttributesClass needs to be specified.
+	// Note: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately.
+	Status *corev1.PersistentVolumeClaimModifyVolumeStatus `json:"status,omitempty"`
 }
 
 // ModifyVolumeStatusApplyConfiguration constructs a declarative configuration of the ModifyVolumeStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespace.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespace.go
index 671a3cbccb83b..a5bf0f9468e36 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespace.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespace.go
@@ -29,11 +29,20 @@ import (
 
 // NamespaceApplyConfiguration represents a declarative configuration of the Namespace type for use
 // with apply.
+//
+// Namespace provides a scope for Names.
+// Use of multiple namespaces is optional.
 type NamespaceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *NamespaceSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *NamespaceStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the behavior of the Namespace.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *NamespaceSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status describes the current status of a Namespace.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *NamespaceStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Namespace constructs a declarative configuration of the Namespace type for use with
@@ -46,6 +55,26 @@ func Namespace(name string) *NamespaceApplyConfiguration {
 	return b
 }
 
+// ExtractNamespaceFrom extracts the applied configuration owned by fieldManager from
+// namespace for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// namespace must be a unmodified Namespace API object that was retrieved from the Kubernetes API.
+// ExtractNamespaceFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNamespaceFrom(namespace *corev1.Namespace, fieldManager string, subresource string) (*NamespaceApplyConfiguration, error) {
+	b := &NamespaceApplyConfiguration{}
+	err := managedfields.ExtractInto(namespace, internal.Parser().Type("io.k8s.api.core.v1.Namespace"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(namespace.Name)
+
+	b.WithKind("Namespace")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractNamespace extracts the applied configuration owned by fieldManager from
 // namespace. If no managedFields are found in namespace for fieldManager, a
 // NamespaceApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func Namespace(name string) *NamespaceApplyConfiguration {
 // ExtractNamespace provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractNamespace(namespace *corev1.Namespace, fieldManager string) (*NamespaceApplyConfiguration, error) {
-	return extractNamespace(namespace, fieldManager, "")
+	return ExtractNamespaceFrom(namespace, fieldManager, "")
 }
 
-// ExtractNamespaceStatus is the same as ExtractNamespace except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractNamespaceStatus extracts the applied configuration owned by fieldManager from
+// namespace for the status subresource.
 func ExtractNamespaceStatus(namespace *corev1.Namespace, fieldManager string) (*NamespaceApplyConfiguration, error) {
-	return extractNamespace(namespace, fieldManager, "status")
+	return ExtractNamespaceFrom(namespace, fieldManager, "status")
 }
 
-func extractNamespace(namespace *corev1.Namespace, fieldManager string, subresource string) (*NamespaceApplyConfiguration, error) {
-	b := &NamespaceApplyConfiguration{}
-	err := managedfields.ExtractInto(namespace, internal.Parser().Type("io.k8s.api.core.v1.Namespace"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(namespace.Name)
-
-	b.WithKind("Namespace")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b NamespaceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacecondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacecondition.go
index 82b4cc1ca3b0a..df2bfd2fb48be 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacecondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacecondition.go
@@ -25,12 +25,19 @@ import (
 
 // NamespaceConditionApplyConfiguration represents a declarative configuration of the NamespaceCondition type for use
 // with apply.
+//
+// NamespaceCondition contains details about state of namespace.
 type NamespaceConditionApplyConfiguration struct {
-	Type               *corev1.NamespaceConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                   `json:"lastTransitionTime,omitempty"`
-	Reason             *string                        `json:"reason,omitempty"`
-	Message            *string                        `json:"message,omitempty"`
+	// Type of namespace controller condition.
+	Type *corev1.NamespaceConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// Unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// Human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // NamespaceConditionApplyConfiguration constructs a declarative configuration of the NamespaceCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacespec.go
index 1f8fcaf9a1262..48813e2bb78d7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacespec.go
@@ -24,7 +24,11 @@ import (
 
 // NamespaceSpecApplyConfiguration represents a declarative configuration of the NamespaceSpec type for use
 // with apply.
+//
+// NamespaceSpec describes the attributes on a Namespace.
 type NamespaceSpecApplyConfiguration struct {
+	// Finalizers is an opaque list of values that must be empty to permanently remove object from storage.
+	// More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
 	Finalizers []corev1.FinalizerName `json:"finalizers,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacestatus.go
index 1484be684292e..cde2cd1a5a8a6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/namespacestatus.go
@@ -24,8 +24,13 @@ import (
 
 // NamespaceStatusApplyConfiguration represents a declarative configuration of the NamespaceStatus type for use
 // with apply.
+//
+// NamespaceStatus is information about the current status of a Namespace.
 type NamespaceStatusApplyConfiguration struct {
-	Phase      *corev1.NamespacePhase                 `json:"phase,omitempty"`
+	// Phase is the current lifecycle phase of the namespace.
+	// More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/
+	Phase *corev1.NamespacePhase `json:"phase,omitempty"`
+	// Represents the latest available observations of a namespace's current state.
 	Conditions []NamespaceConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nfsvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nfsvolumesource.go
index ed49a87a9eb4c..a539c4076983d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nfsvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nfsvolumesource.go
@@ -20,10 +20,20 @@ package v1
 
 // NFSVolumeSourceApplyConfiguration represents a declarative configuration of the NFSVolumeSource type for use
 // with apply.
+//
+// Represents an NFS mount that lasts the lifetime of a pod.
+// NFS volumes do not support ownership management or SELinux relabeling.
 type NFSVolumeSourceApplyConfiguration struct {
-	Server   *string `json:"server,omitempty"`
-	Path     *string `json:"path,omitempty"`
-	ReadOnly *bool   `json:"readOnly,omitempty"`
+	// server is the hostname or IP address of the NFS server.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	Server *string `json:"server,omitempty"`
+	// path that is exported by the NFS server.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	Path *string `json:"path,omitempty"`
+	// readOnly here will force the NFS export to be mounted with read-only permissions.
+	// Defaults to false.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // NFSVolumeSourceApplyConfiguration constructs a declarative configuration of the NFSVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/node.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/node.go
index 3682e62e2178b..ff45b89945c2d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/node.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/node.go
@@ -29,11 +29,22 @@ import (
 
 // NodeApplyConfiguration represents a declarative configuration of the Node type for use
 // with apply.
+//
+// Node is a worker node in Kubernetes.
+// Each node will have a unique identifier in the cache (i.e. in etcd).
 type NodeApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *NodeSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *NodeStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the behavior of a node.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *NodeSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the node.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *NodeStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Node constructs a declarative configuration of the Node type for use with
@@ -46,6 +57,26 @@ func Node(name string) *NodeApplyConfiguration {
 	return b
 }
 
+// ExtractNodeFrom extracts the applied configuration owned by fieldManager from
+// node for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// node must be a unmodified Node API object that was retrieved from the Kubernetes API.
+// ExtractNodeFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNodeFrom(node *corev1.Node, fieldManager string, subresource string) (*NodeApplyConfiguration, error) {
+	b := &NodeApplyConfiguration{}
+	err := managedfields.ExtractInto(node, internal.Parser().Type("io.k8s.api.core.v1.Node"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(node.Name)
+
+	b.WithKind("Node")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractNode extracts the applied configuration owned by fieldManager from
 // node. If no managedFields are found in node for fieldManager, a
 // NodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +87,16 @@ func Node(name string) *NodeApplyConfiguration {
 // ExtractNode provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractNode(node *corev1.Node, fieldManager string) (*NodeApplyConfiguration, error) {
-	return extractNode(node, fieldManager, "")
+	return ExtractNodeFrom(node, fieldManager, "")
 }
 
-// ExtractNodeStatus is the same as ExtractNode except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractNodeStatus extracts the applied configuration owned by fieldManager from
+// node for the status subresource.
 func ExtractNodeStatus(node *corev1.Node, fieldManager string) (*NodeApplyConfiguration, error) {
-	return extractNode(node, fieldManager, "status")
+	return ExtractNodeFrom(node, fieldManager, "status")
 }
 
-func extractNode(node *corev1.Node, fieldManager string, subresource string) (*NodeApplyConfiguration, error) {
-	b := &NodeApplyConfiguration{}
-	err := managedfields.ExtractInto(node, internal.Parser().Type("io.k8s.api.core.v1.Node"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(node.Name)
-
-	b.WithKind("Node")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b NodeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaddress.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaddress.go
index 779fe0e2fdc8b..0eb14a5941df1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaddress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaddress.go
@@ -24,9 +24,13 @@ import (
 
 // NodeAddressApplyConfiguration represents a declarative configuration of the NodeAddress type for use
 // with apply.
+//
+// NodeAddress contains information for the node's address.
 type NodeAddressApplyConfiguration struct {
-	Type    *corev1.NodeAddressType `json:"type,omitempty"`
-	Address *string                 `json:"address,omitempty"`
+	// Node address type, one of Hostname, ExternalIP or InternalIP.
+	Type *corev1.NodeAddressType `json:"type,omitempty"`
+	// The node address.
+	Address *string `json:"address,omitempty"`
 }
 
 // NodeAddressApplyConfiguration constructs a declarative configuration of the NodeAddress type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaffinity.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaffinity.go
index 5d11d746dcddc..099cd0aaf52e1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaffinity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeaffinity.go
@@ -20,8 +20,24 @@ package v1
 
 // NodeAffinityApplyConfiguration represents a declarative configuration of the NodeAffinity type for use
 // with apply.
+//
+// Node affinity is a group of node affinity scheduling rules.
 type NodeAffinityApplyConfiguration struct {
-	RequiredDuringSchedulingIgnoredDuringExecution  *NodeSelectorApplyConfiguration             `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to an update), the system
+	// may or may not try to eventually evict the pod from its node.
+	RequiredDuringSchedulingIgnoredDuringExecution *NodeSelectorApplyConfiguration `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and adding
+	// "weight" to the sum if the node matches the corresponding matchExpressions; the
+	// node(s) with the highest sum are the most preferred.
 	PreferredDuringSchedulingIgnoredDuringExecution []PreferredSchedulingTermApplyConfiguration `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodecondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodecondition.go
index e3a2d3bb0634b..0362ec20de7d4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodecondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodecondition.go
@@ -25,13 +25,21 @@ import (
 
 // NodeConditionApplyConfiguration represents a declarative configuration of the NodeCondition type for use
 // with apply.
+//
+// NodeCondition contains condition information for a node.
 type NodeConditionApplyConfiguration struct {
-	Type               *corev1.NodeConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus   `json:"status,omitempty"`
-	LastHeartbeatTime  *metav1.Time              `json:"lastHeartbeatTime,omitempty"`
-	LastTransitionTime *metav1.Time              `json:"lastTransitionTime,omitempty"`
-	Reason             *string                   `json:"reason,omitempty"`
-	Message            *string                   `json:"message,omitempty"`
+	// Type of node condition.
+	Type *corev1.NodeConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time we got an update on a given condition.
+	LastHeartbeatTime *metav1.Time `json:"lastHeartbeatTime,omitempty"`
+	// Last time the condition transit from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// (brief) reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // NodeConditionApplyConfiguration constructs a declarative configuration of the NodeCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigsource.go
index 00a671fc0c717..ae63ae36f3bfe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigsource.go
@@ -20,7 +20,11 @@ package v1
 
 // NodeConfigSourceApplyConfiguration represents a declarative configuration of the NodeConfigSource type for use
 // with apply.
+//
+// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.
+// This API is deprecated since 1.22
 type NodeConfigSourceApplyConfiguration struct {
+	// ConfigMap is a reference to a Node's ConfigMap
 	ConfigMap *ConfigMapNodeConfigSourceApplyConfiguration `json:"configMap,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigstatus.go
index d5ccc45c6a8b6..88c0b3c31fdb3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeconfigstatus.go
@@ -20,11 +20,48 @@ package v1
 
 // NodeConfigStatusApplyConfiguration represents a declarative configuration of the NodeConfigStatus type for use
 // with apply.
+//
+// NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.
 type NodeConfigStatusApplyConfiguration struct {
-	Assigned      *NodeConfigSourceApplyConfiguration `json:"assigned,omitempty"`
-	Active        *NodeConfigSourceApplyConfiguration `json:"active,omitempty"`
+	// Assigned reports the checkpointed config the node will try to use.
+	// When Node.Spec.ConfigSource is updated, the node checkpoints the associated
+	// config payload to local disk, along with a record indicating intended
+	// config. The node refers to this record to choose its config checkpoint, and
+	// reports this record in Assigned. Assigned only updates in the status after
+	// the record has been checkpointed to disk. When the Kubelet is restarted,
+	// it tries to make the Assigned config the Active config by loading and
+	// validating the checkpointed payload identified by Assigned.
+	Assigned *NodeConfigSourceApplyConfiguration `json:"assigned,omitempty"`
+	// Active reports the checkpointed config the node is actively using.
+	// Active will represent either the current version of the Assigned config,
+	// or the current LastKnownGood config, depending on whether attempting to use the
+	// Assigned config results in an error.
+	Active *NodeConfigSourceApplyConfiguration `json:"active,omitempty"`
+	// LastKnownGood reports the checkpointed config the node will fall back to
+	// when it encounters an error attempting to use the Assigned config.
+	// The Assigned config becomes the LastKnownGood config when the node determines
+	// that the Assigned config is stable and correct.
+	// This is currently implemented as a 10-minute soak period starting when the local
+	// record of Assigned config is updated. If the Assigned config is Active at the end
+	// of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is
+	// reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil,
+	// because the local default config is always assumed good.
+	// You should not make assumptions about the node's method of determining config stability
+	// and correctness, as this may change or become configurable in the future.
 	LastKnownGood *NodeConfigSourceApplyConfiguration `json:"lastKnownGood,omitempty"`
-	Error         *string                             `json:"error,omitempty"`
+	// Error describes any problems reconciling the Spec.ConfigSource to the Active config.
+	// Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned
+	// record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting
+	// to load or validate the Assigned config, etc.
+	// Errors may occur at different points while syncing config. Earlier errors (e.g. download or
+	// checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across
+	// Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in
+	// a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error
+	// by fixing the config assigned in Spec.ConfigSource.
+	// You can find additional information for debugging by searching the error message in the Kubelet log.
+	// Error is a human-readable description of the error state; machines can check whether or not Error
+	// is empty, but should not rely on the stability of the Error text across Kubelet versions.
+	Error *string `json:"error,omitempty"`
 }
 
 // NodeConfigStatusApplyConfiguration constructs a declarative configuration of the NodeConfigStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodedaemonendpoints.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodedaemonendpoints.go
index 11228b36913fd..b36d2ec33d209 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodedaemonendpoints.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodedaemonendpoints.go
@@ -20,7 +20,10 @@ package v1
 
 // NodeDaemonEndpointsApplyConfiguration represents a declarative configuration of the NodeDaemonEndpoints type for use
 // with apply.
+//
+// NodeDaemonEndpoints lists ports opened by daemons running on the Node.
 type NodeDaemonEndpointsApplyConfiguration struct {
+	// Endpoint on which Kubelet is listening.
 	KubeletEndpoint *DaemonEndpointApplyConfiguration `json:"kubeletEndpoint,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodefeatures.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodefeatures.go
index 678b0e36d6e37..c3b467193cb1d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodefeatures.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodefeatures.go
@@ -20,7 +20,12 @@ package v1
 
 // NodeFeaturesApplyConfiguration represents a declarative configuration of the NodeFeatures type for use
 // with apply.
+//
+// NodeFeatures describes the set of features implemented by the CRI implementation.
+// The features contained in the NodeFeatures should depend only on the cri implementation
+// independent of runtime handlers.
 type NodeFeaturesApplyConfiguration struct {
+	// SupplementalGroupsPolicy is set to true if the runtime supports SupplementalGroupsPolicy and ContainerUser.
 	SupplementalGroupsPolicy *bool `json:"supplementalGroupsPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandler.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandler.go
index c7c664974e09e..afebc7fc159f3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandler.go
@@ -20,8 +20,13 @@ package v1
 
 // NodeRuntimeHandlerApplyConfiguration represents a declarative configuration of the NodeRuntimeHandler type for use
 // with apply.
+//
+// NodeRuntimeHandler is a set of runtime handler information.
 type NodeRuntimeHandlerApplyConfiguration struct {
-	Name     *string                                       `json:"name,omitempty"`
+	// Runtime handler name.
+	// Empty for the default runtime handler.
+	Name *string `json:"name,omitempty"`
+	// Supported features.
 	Features *NodeRuntimeHandlerFeaturesApplyConfiguration `json:"features,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandlerfeatures.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandlerfeatures.go
index a295b609690b2..47866f8cdb62f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandlerfeatures.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/noderuntimehandlerfeatures.go
@@ -20,9 +20,13 @@ package v1
 
 // NodeRuntimeHandlerFeaturesApplyConfiguration represents a declarative configuration of the NodeRuntimeHandlerFeatures type for use
 // with apply.
+//
+// NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler.
 type NodeRuntimeHandlerFeaturesApplyConfiguration struct {
+	// RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.
 	RecursiveReadOnlyMounts *bool `json:"recursiveReadOnlyMounts,omitempty"`
-	UserNamespaces          *bool `json:"userNamespaces,omitempty"`
+	// UserNamespaces is set to true if the runtime handler supports UserNamespaces, including for volumes.
+	UserNamespaces *bool `json:"userNamespaces,omitempty"`
 }
 
 // NodeRuntimeHandlerFeaturesApplyConfiguration constructs a declarative configuration of the NodeRuntimeHandlerFeatures type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselector.go
index 6eab109795e21..3809873c1a47d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselector.go
@@ -20,7 +20,12 @@ package v1
 
 // NodeSelectorApplyConfiguration represents a declarative configuration of the NodeSelector type for use
 // with apply.
+//
+// A node selector represents the union of the results of one or more label queries
+// over a set of nodes; that is, it represents the OR of the selectors represented
+// by the node selector terms.
 type NodeSelectorApplyConfiguration struct {
+	// Required. A list of node selector terms. The terms are ORed.
 	NodeSelectorTerms []NodeSelectorTermApplyConfiguration `json:"nodeSelectorTerms,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorrequirement.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorrequirement.go
index 4dcbc9a2e775d..4428d85c7c792 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorrequirement.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorrequirement.go
@@ -24,10 +24,21 @@ import (
 
 // NodeSelectorRequirementApplyConfiguration represents a declarative configuration of the NodeSelectorRequirement type for use
 // with apply.
+//
+// A node selector requirement is a selector that contains values, a key, and an operator
+// that relates the key and values.
 type NodeSelectorRequirementApplyConfiguration struct {
-	Key      *string                      `json:"key,omitempty"`
+	// The label key that the selector applies to.
+	Key *string `json:"key,omitempty"`
+	// Represents a key's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
 	Operator *corev1.NodeSelectorOperator `json:"operator,omitempty"`
-	Values   []string                     `json:"values,omitempty"`
+	// An array of string values. If the operator is In or NotIn,
+	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
+	// the values array must be empty. If the operator is Gt or Lt, the values
+	// array must have a single element, which will be interpreted as an integer.
+	// This array is replaced during a strategic merge patch.
+	Values []string `json:"values,omitempty"`
 }
 
 // NodeSelectorRequirementApplyConfiguration constructs a declarative configuration of the NodeSelectorRequirement type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorterm.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorterm.go
index 9d0d780f3e047..98c1739bbb954 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorterm.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeselectorterm.go
@@ -20,9 +20,15 @@ package v1
 
 // NodeSelectorTermApplyConfiguration represents a declarative configuration of the NodeSelectorTerm type for use
 // with apply.
+//
+// A null or empty node selector term matches no objects. The requirements of
+// them are ANDed.
+// The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
 type NodeSelectorTermApplyConfiguration struct {
+	// A list of node selector requirements by node's labels.
 	MatchExpressions []NodeSelectorRequirementApplyConfiguration `json:"matchExpressions,omitempty"`
-	MatchFields      []NodeSelectorRequirementApplyConfiguration `json:"matchFields,omitempty"`
+	// A list of node selector requirements by node's fields.
+	MatchFields []NodeSelectorRequirementApplyConfiguration `json:"matchFields,omitempty"`
 }
 
 // NodeSelectorTermApplyConfiguration constructs a declarative configuration of the NodeSelectorTerm type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodespec.go
index 8ac3497127b2b..b53ed21d79a17 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodespec.go
@@ -20,14 +20,27 @@ package v1
 
 // NodeSpecApplyConfiguration represents a declarative configuration of the NodeSpec type for use
 // with apply.
+//
+// NodeSpec describes the attributes that a node is created with.
 type NodeSpecApplyConfiguration struct {
-	PodCIDR            *string                             `json:"podCIDR,omitempty"`
-	PodCIDRs           []string                            `json:"podCIDRs,omitempty"`
-	ProviderID         *string                             `json:"providerID,omitempty"`
-	Unschedulable      *bool                               `json:"unschedulable,omitempty"`
-	Taints             []TaintApplyConfiguration           `json:"taints,omitempty"`
-	ConfigSource       *NodeConfigSourceApplyConfiguration `json:"configSource,omitempty"`
-	DoNotUseExternalID *string                             `json:"externalID,omitempty"`
+	// PodCIDR represents the pod IP range assigned to the node.
+	PodCIDR *string `json:"podCIDR,omitempty"`
+	// podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this
+	// field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for
+	// each of IPv4 and IPv6.
+	PodCIDRs []string `json:"podCIDRs,omitempty"`
+	// ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
+	ProviderID *string `json:"providerID,omitempty"`
+	// Unschedulable controls node schedulability of new pods. By default, node is schedulable.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration
+	Unschedulable *bool `json:"unschedulable,omitempty"`
+	// If specified, the node's taints.
+	Taints []TaintApplyConfiguration `json:"taints,omitempty"`
+	// Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.
+	ConfigSource *NodeConfigSourceApplyConfiguration `json:"configSource,omitempty"`
+	// Deprecated. Not all kubelets will set this field. Remove field after 1.13.
+	// see: https://issues.k8s.io/61966
+	DoNotUseExternalID *string `json:"externalID,omitempty"`
 }
 
 // NodeSpecApplyConfiguration constructs a declarative configuration of the NodeSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodestatus.go
index 3859ccd503e8f..1eec7057b1aab 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodestatus.go
@@ -24,20 +24,52 @@ import (
 
 // NodeStatusApplyConfiguration represents a declarative configuration of the NodeStatus type for use
 // with apply.
+//
+// NodeStatus is information about the current status of a node.
 type NodeStatusApplyConfiguration struct {
-	Capacity        *corev1.ResourceList                   `json:"capacity,omitempty"`
-	Allocatable     *corev1.ResourceList                   `json:"allocatable,omitempty"`
-	Phase           *corev1.NodePhase                      `json:"phase,omitempty"`
-	Conditions      []NodeConditionApplyConfiguration      `json:"conditions,omitempty"`
-	Addresses       []NodeAddressApplyConfiguration        `json:"addresses,omitempty"`
+	// Capacity represents the total resources of a node.
+	// More info: https://kubernetes.io/docs/reference/node/node-status/#capacity
+	Capacity *corev1.ResourceList `json:"capacity,omitempty"`
+	// Allocatable represents the resources of a node that are available for scheduling.
+	// Defaults to Capacity.
+	Allocatable *corev1.ResourceList `json:"allocatable,omitempty"`
+	// NodePhase is the recently observed lifecycle phase of the node.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#phase
+	// The field is never populated, and now is deprecated.
+	Phase *corev1.NodePhase `json:"phase,omitempty"`
+	// Conditions is an array of current observed node conditions.
+	// More info: https://kubernetes.io/docs/reference/node/node-status/#condition
+	Conditions []NodeConditionApplyConfiguration `json:"conditions,omitempty"`
+	// List of addresses reachable to the node.
+	// Queried from cloud provider, if available.
+	// More info: https://kubernetes.io/docs/reference/node/node-status/#addresses
+	// Note: This field is declared as mergeable, but the merge key is not sufficiently
+	// unique, which can cause data corruption when it is merged. Callers should instead
+	// use a full-replacement patch. See https://pr.k8s.io/79391 for an example.
+	// Consumers should assume that addresses can change during the
+	// lifetime of a Node. However, there are some exceptions where this may not
+	// be possible, such as Pods that inherit a Node's address in its own status or
+	// consumers of the downward API (status.hostIP).
+	Addresses []NodeAddressApplyConfiguration `json:"addresses,omitempty"`
+	// Endpoints of daemons running on the Node.
 	DaemonEndpoints *NodeDaemonEndpointsApplyConfiguration `json:"daemonEndpoints,omitempty"`
-	NodeInfo        *NodeSystemInfoApplyConfiguration      `json:"nodeInfo,omitempty"`
-	Images          []ContainerImageApplyConfiguration     `json:"images,omitempty"`
-	VolumesInUse    []corev1.UniqueVolumeName              `json:"volumesInUse,omitempty"`
-	VolumesAttached []AttachedVolumeApplyConfiguration     `json:"volumesAttached,omitempty"`
-	Config          *NodeConfigStatusApplyConfiguration    `json:"config,omitempty"`
+	// Set of ids/uuids to uniquely identify the node.
+	// More info: https://kubernetes.io/docs/reference/node/node-status/#info
+	NodeInfo *NodeSystemInfoApplyConfiguration `json:"nodeInfo,omitempty"`
+	// List of container images on this node
+	Images []ContainerImageApplyConfiguration `json:"images,omitempty"`
+	// List of attachable volumes in use (mounted) by the node.
+	VolumesInUse []corev1.UniqueVolumeName `json:"volumesInUse,omitempty"`
+	// List of volumes that are attached to the node.
+	VolumesAttached []AttachedVolumeApplyConfiguration `json:"volumesAttached,omitempty"`
+	// Status of the config assigned to the node via the dynamic Kubelet config feature.
+	Config *NodeConfigStatusApplyConfiguration `json:"config,omitempty"`
+	// The available runtime handlers.
 	RuntimeHandlers []NodeRuntimeHandlerApplyConfiguration `json:"runtimeHandlers,omitempty"`
-	Features        *NodeFeaturesApplyConfiguration        `json:"features,omitempty"`
+	// Features describes the set of features implemented by the CRI implementation.
+	Features *NodeFeaturesApplyConfiguration `json:"features,omitempty"`
+	// DeclaredFeatures represents the features related to feature gates that are declared by the node.
+	DeclaredFeatures []string `json:"declaredFeatures,omitempty"`
 }
 
 // NodeStatusApplyConfiguration constructs a declarative configuration of the NodeStatus type for use with
@@ -176,3 +208,13 @@ func (b *NodeStatusApplyConfiguration) WithFeatures(value *NodeFeaturesApplyConf
 	b.Features = value
 	return b
 }
+
+// WithDeclaredFeatures adds the given value to the DeclaredFeatures field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the DeclaredFeatures field.
+func (b *NodeStatusApplyConfiguration) WithDeclaredFeatures(values ...string) *NodeStatusApplyConfiguration {
+	for i := range values {
+		b.DeclaredFeatures = append(b.DeclaredFeatures, values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeswapstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeswapstatus.go
index 2a7a2e685dba1..d9548e6b01d38 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeswapstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodeswapstatus.go
@@ -20,7 +20,10 @@ package v1
 
 // NodeSwapStatusApplyConfiguration represents a declarative configuration of the NodeSwapStatus type for use
 // with apply.
+//
+// NodeSwapStatus represents swap memory information.
 type NodeSwapStatusApplyConfiguration struct {
+	// Total amount of swap memory in bytes.
 	Capacity *int64 `json:"capacity,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodesysteminfo.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodesysteminfo.go
index 55effd717187e..70b8a7819d9e5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodesysteminfo.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/nodesysteminfo.go
@@ -20,18 +20,35 @@ package v1
 
 // NodeSystemInfoApplyConfiguration represents a declarative configuration of the NodeSystemInfo type for use
 // with apply.
+//
+// NodeSystemInfo is a set of ids/uuids to uniquely identify the node.
 type NodeSystemInfoApplyConfiguration struct {
-	MachineID               *string                           `json:"machineID,omitempty"`
-	SystemUUID              *string                           `json:"systemUUID,omitempty"`
-	BootID                  *string                           `json:"bootID,omitempty"`
-	KernelVersion           *string                           `json:"kernelVersion,omitempty"`
-	OSImage                 *string                           `json:"osImage,omitempty"`
-	ContainerRuntimeVersion *string                           `json:"containerRuntimeVersion,omitempty"`
-	KubeletVersion          *string                           `json:"kubeletVersion,omitempty"`
-	KubeProxyVersion        *string                           `json:"kubeProxyVersion,omitempty"`
-	OperatingSystem         *string                           `json:"operatingSystem,omitempty"`
-	Architecture            *string                           `json:"architecture,omitempty"`
-	Swap                    *NodeSwapStatusApplyConfiguration `json:"swap,omitempty"`
+	// MachineID reported by the node. For unique machine identification
+	// in the cluster this field is preferred. Learn more from man(5)
+	// machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html
+	MachineID *string `json:"machineID,omitempty"`
+	// SystemUUID reported by the node. For unique machine identification
+	// MachineID is preferred. This field is specific to Red Hat hosts
+	// https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid
+	SystemUUID *string `json:"systemUUID,omitempty"`
+	// Boot ID reported by the node.
+	BootID *string `json:"bootID,omitempty"`
+	// Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).
+	KernelVersion *string `json:"kernelVersion,omitempty"`
+	// OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).
+	OSImage *string `json:"osImage,omitempty"`
+	// ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2).
+	ContainerRuntimeVersion *string `json:"containerRuntimeVersion,omitempty"`
+	// Kubelet Version reported by the node.
+	KubeletVersion *string `json:"kubeletVersion,omitempty"`
+	// Deprecated: KubeProxy Version reported by the node.
+	KubeProxyVersion *string `json:"kubeProxyVersion,omitempty"`
+	// The Operating System reported by the node
+	OperatingSystem *string `json:"operatingSystem,omitempty"`
+	// The Architecture reported by the node
+	Architecture *string `json:"architecture,omitempty"`
+	// Swap Info reported by the node.
+	Swap *NodeSwapStatusApplyConfiguration `json:"swap,omitempty"`
 }
 
 // NodeSystemInfoApplyConfiguration constructs a declarative configuration of the NodeSystemInfo type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectfieldselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectfieldselector.go
index c129c998b1687..e941ac9942a10 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectfieldselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectfieldselector.go
@@ -20,9 +20,13 @@ package v1
 
 // ObjectFieldSelectorApplyConfiguration represents a declarative configuration of the ObjectFieldSelector type for use
 // with apply.
+//
+// ObjectFieldSelector selects an APIVersioned field of an object.
 type ObjectFieldSelectorApplyConfiguration struct {
+	// Version of the schema the FieldPath is written in terms of, defaults to "v1".
 	APIVersion *string `json:"apiVersion,omitempty"`
-	FieldPath  *string `json:"fieldPath,omitempty"`
+	// Path of the field to select in the specified API version.
+	FieldPath *string `json:"fieldPath,omitempty"`
 }
 
 // ObjectFieldSelectorApplyConfiguration constructs a declarative configuration of the ObjectFieldSelector type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectreference.go
index 4cd3f226ef315..1de02cd16787c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/objectreference.go
@@ -24,14 +24,50 @@ import (
 
 // ObjectReferenceApplyConfiguration represents a declarative configuration of the ObjectReference type for use
 // with apply.
+//
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+// ---
+// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+// 1. Ignored fields.  It includes many fields which are not generally honored.  For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
+// 2. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+// Those cannot be well described when embedded.
+// 3. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+// 4. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
+// during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
+// and the version of the actual struct is irrelevant.
+// 5. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+// will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+//
+// Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
 type ObjectReferenceApplyConfiguration struct {
-	Kind            *string    `json:"kind,omitempty"`
-	Namespace       *string    `json:"namespace,omitempty"`
-	Name            *string    `json:"name,omitempty"`
-	UID             *types.UID `json:"uid,omitempty"`
-	APIVersion      *string    `json:"apiVersion,omitempty"`
-	ResourceVersion *string    `json:"resourceVersion,omitempty"`
-	FieldPath       *string    `json:"fieldPath,omitempty"`
+	// Kind of the referent.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// Namespace of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	Namespace *string `json:"namespace,omitempty"`
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// UID of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+	UID *types.UID `json:"uid,omitempty"`
+	// API version of the referent.
+	APIVersion *string `json:"apiVersion,omitempty"`
+	// Specific resourceVersion to which this reference is made, if any.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+	ResourceVersion *string `json:"resourceVersion,omitempty"`
+	// If referring to a piece of an object instead of an entire object, this string
+	// should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+	// For example, if the object reference is to a container within a pod, this would take on a value like:
+	// "spec.containers{name}" (where "name" refers to the name of the container that triggered
+	// the event) or if no container name is specified "spec.containers[2]" (container with
+	// index 2 in this pod). This syntax is chosen only to have some well-defined way of
+	// referencing a part of an object.
+	// TODO: this design is not final and this field is subject to change in the future.
+	FieldPath *string `json:"fieldPath,omitempty"`
 }
 
 // ObjectReferenceApplyConfiguration constructs a declarative configuration of the ObjectReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolume.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolume.go
index 25a0c69df1eef..4ef8ed4b5f3d4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolume.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolume.go
@@ -29,11 +29,24 @@ import (
 
 // PersistentVolumeApplyConfiguration represents a declarative configuration of the PersistentVolume type for use
 // with apply.
+//
+// PersistentVolume (PV) is a storage resource provisioned by an administrator.
+// It is analogous to a node.
+// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
 type PersistentVolumeApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PersistentVolumeSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *PersistentVolumeStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines a specification of a persistent volume owned by the cluster.
+	// Provisioned by an administrator.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+	Spec *PersistentVolumeSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current information/status for the persistent volume.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+	Status *PersistentVolumeStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PersistentVolume constructs a declarative configuration of the PersistentVolume type for use with
@@ -46,6 +59,26 @@ func PersistentVolume(name string) *PersistentVolumeApplyConfiguration {
 	return b
 }
 
+// ExtractPersistentVolumeFrom extracts the applied configuration owned by fieldManager from
+// persistentVolume for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// persistentVolume must be a unmodified PersistentVolume API object that was retrieved from the Kubernetes API.
+// ExtractPersistentVolumeFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPersistentVolumeFrom(persistentVolume *corev1.PersistentVolume, fieldManager string, subresource string) (*PersistentVolumeApplyConfiguration, error) {
+	b := &PersistentVolumeApplyConfiguration{}
+	err := managedfields.ExtractInto(persistentVolume, internal.Parser().Type("io.k8s.api.core.v1.PersistentVolume"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(persistentVolume.Name)
+
+	b.WithKind("PersistentVolume")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractPersistentVolume extracts the applied configuration owned by fieldManager from
 // persistentVolume. If no managedFields are found in persistentVolume for fieldManager, a
 // PersistentVolumeApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +89,16 @@ func PersistentVolume(name string) *PersistentVolumeApplyConfiguration {
 // ExtractPersistentVolume provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPersistentVolume(persistentVolume *corev1.PersistentVolume, fieldManager string) (*PersistentVolumeApplyConfiguration, error) {
-	return extractPersistentVolume(persistentVolume, fieldManager, "")
+	return ExtractPersistentVolumeFrom(persistentVolume, fieldManager, "")
 }
 
-// ExtractPersistentVolumeStatus is the same as ExtractPersistentVolume except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPersistentVolumeStatus extracts the applied configuration owned by fieldManager from
+// persistentVolume for the status subresource.
 func ExtractPersistentVolumeStatus(persistentVolume *corev1.PersistentVolume, fieldManager string) (*PersistentVolumeApplyConfiguration, error) {
-	return extractPersistentVolume(persistentVolume, fieldManager, "status")
+	return ExtractPersistentVolumeFrom(persistentVolume, fieldManager, "status")
 }
 
-func extractPersistentVolume(persistentVolume *corev1.PersistentVolume, fieldManager string, subresource string) (*PersistentVolumeApplyConfiguration, error) {
-	b := &PersistentVolumeApplyConfiguration{}
-	err := managedfields.ExtractInto(persistentVolume, internal.Parser().Type("io.k8s.api.core.v1.PersistentVolume"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(persistentVolume.Name)
-
-	b.WithKind("PersistentVolume")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b PersistentVolumeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaim.go
index e42d443b44aa7..d77417f359d7b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaim.go
@@ -29,11 +29,20 @@ import (
 
 // PersistentVolumeClaimApplyConfiguration represents a declarative configuration of the PersistentVolumeClaim type for use
 // with apply.
+//
+// PersistentVolumeClaim is a user's request for and claim to a persistent volume
 type PersistentVolumeClaimApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PersistentVolumeClaimSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *PersistentVolumeClaimStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the desired characteristics of a volume requested by a pod author.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	Spec *PersistentVolumeClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current information/status of a persistent volume claim.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	Status *PersistentVolumeClaimStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PersistentVolumeClaim constructs a declarative configuration of the PersistentVolumeClaim type for use with
@@ -47,6 +56,27 @@ func PersistentVolumeClaim(name, namespace string) *PersistentVolumeClaimApplyCo
 	return b
 }
 
+// ExtractPersistentVolumeClaimFrom extracts the applied configuration owned by fieldManager from
+// persistentVolumeClaim for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// persistentVolumeClaim must be a unmodified PersistentVolumeClaim API object that was retrieved from the Kubernetes API.
+// ExtractPersistentVolumeClaimFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPersistentVolumeClaimFrom(persistentVolumeClaim *corev1.PersistentVolumeClaim, fieldManager string, subresource string) (*PersistentVolumeClaimApplyConfiguration, error) {
+	b := &PersistentVolumeClaimApplyConfiguration{}
+	err := managedfields.ExtractInto(persistentVolumeClaim, internal.Parser().Type("io.k8s.api.core.v1.PersistentVolumeClaim"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(persistentVolumeClaim.Name)
+	b.WithNamespace(persistentVolumeClaim.Namespace)
+
+	b.WithKind("PersistentVolumeClaim")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractPersistentVolumeClaim extracts the applied configuration owned by fieldManager from
 // persistentVolumeClaim. If no managedFields are found in persistentVolumeClaim for fieldManager, a
 // PersistentVolumeClaimApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +87,16 @@ func PersistentVolumeClaim(name, namespace string) *PersistentVolumeClaimApplyCo
 // ExtractPersistentVolumeClaim provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPersistentVolumeClaim(persistentVolumeClaim *corev1.PersistentVolumeClaim, fieldManager string) (*PersistentVolumeClaimApplyConfiguration, error) {
-	return extractPersistentVolumeClaim(persistentVolumeClaim, fieldManager, "")
+	return ExtractPersistentVolumeClaimFrom(persistentVolumeClaim, fieldManager, "")
 }
 
-// ExtractPersistentVolumeClaimStatus is the same as ExtractPersistentVolumeClaim except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPersistentVolumeClaimStatus extracts the applied configuration owned by fieldManager from
+// persistentVolumeClaim for the status subresource.
 func ExtractPersistentVolumeClaimStatus(persistentVolumeClaim *corev1.PersistentVolumeClaim, fieldManager string) (*PersistentVolumeClaimApplyConfiguration, error) {
-	return extractPersistentVolumeClaim(persistentVolumeClaim, fieldManager, "status")
+	return ExtractPersistentVolumeClaimFrom(persistentVolumeClaim, fieldManager, "status")
 }
 
-func extractPersistentVolumeClaim(persistentVolumeClaim *corev1.PersistentVolumeClaim, fieldManager string, subresource string) (*PersistentVolumeClaimApplyConfiguration, error) {
-	b := &PersistentVolumeClaimApplyConfiguration{}
-	err := managedfields.ExtractInto(persistentVolumeClaim, internal.Parser().Type("io.k8s.api.core.v1.PersistentVolumeClaim"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(persistentVolumeClaim.Name)
-	b.WithNamespace(persistentVolumeClaim.Namespace)
-
-	b.WithKind("PersistentVolumeClaim")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b PersistentVolumeClaimApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimcondition.go
index 40025d533b232..03b32abcc8945 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimcondition.go
@@ -25,13 +25,26 @@ import (
 
 // PersistentVolumeClaimConditionApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimCondition type for use
 // with apply.
+//
+// PersistentVolumeClaimCondition contains details about state of pvc
 type PersistentVolumeClaimConditionApplyConfiguration struct {
-	Type               *corev1.PersistentVolumeClaimConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus                    `json:"status,omitempty"`
-	LastProbeTime      *metav1.Time                               `json:"lastProbeTime,omitempty"`
-	LastTransitionTime *metav1.Time                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                    `json:"reason,omitempty"`
-	Message            *string                                    `json:"message,omitempty"`
+	// Type is the type of the condition.
+	// More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=set%20to%20%27ResizeStarted%27.-,PersistentVolumeClaimCondition,-contains%20details%20about
+	Type *corev1.PersistentVolumeClaimConditionType `json:"type,omitempty"`
+	// Status is the status of the condition.
+	// Can be True, False, Unknown.
+	// More info: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#:~:text=state%20of%20pvc-,conditions.status,-(string)%2C%20required
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// lastProbeTime is the time we probed the condition.
+	LastProbeTime *metav1.Time `json:"lastProbeTime,omitempty"`
+	// lastTransitionTime is the time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is a unique, this should be a short, machine understandable string that gives the reason
+	// for condition's last transition. If it reports "Resizing" that means the underlying
+	// persistent volume is being resized.
+	Reason *string `json:"reason,omitempty"`
+	// message is the human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PersistentVolumeClaimConditionApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimspec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimspec.go
index 2c2be16b37d47..8710769b771ab 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimspec.go
@@ -25,16 +25,73 @@ import (
 
 // PersistentVolumeClaimSpecApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimSpec type for use
 // with apply.
+//
+// PersistentVolumeClaimSpec describes the common attributes of storage devices
+// and allows a Source for provider-specific attributes
 type PersistentVolumeClaimSpecApplyConfiguration struct {
-	AccessModes               []corev1.PersistentVolumeAccessMode           `json:"accessModes,omitempty"`
-	Selector                  *metav1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Resources                 *VolumeResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
-	VolumeName                *string                                       `json:"volumeName,omitempty"`
-	StorageClassName          *string                                       `json:"storageClassName,omitempty"`
-	VolumeMode                *corev1.PersistentVolumeMode                  `json:"volumeMode,omitempty"`
-	DataSource                *TypedLocalObjectReferenceApplyConfiguration  `json:"dataSource,omitempty"`
-	DataSourceRef             *TypedObjectReferenceApplyConfiguration       `json:"dataSourceRef,omitempty"`
-	VolumeAttributesClassName *string                                       `json:"volumeAttributesClassName,omitempty"`
+	// accessModes contains the desired access modes the volume should have.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+	AccessModes []corev1.PersistentVolumeAccessMode `json:"accessModes,omitempty"`
+	// selector is a label query over volumes to consider for binding.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// resources represents the minimum resources the volume should have.
+	// Users are allowed to specify resource requirements
+	// that are lower than previous value but must still be higher than capacity recorded in the
+	// status field of the claim.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+	Resources *VolumeResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
+	// volumeName is the binding reference to the PersistentVolume backing this claim.
+	VolumeName *string `json:"volumeName,omitempty"`
+	// storageClassName is the name of the StorageClass required by the claim.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// volumeMode defines what type of volume is required by the claim.
+	// Value of Filesystem is implied when not included in claim spec.
+	VolumeMode *corev1.PersistentVolumeMode `json:"volumeMode,omitempty"`
+	// dataSource field can be used to specify either:
+	// * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+	// * An existing PVC (PersistentVolumeClaim)
+	// If the provisioner or an external controller can support the specified data source,
+	// it will create a new volume based on the contents of the specified data source.
+	// When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+	// and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+	// If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+	DataSource *TypedLocalObjectReferenceApplyConfiguration `json:"dataSource,omitempty"`
+	// dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+	// volume is desired. This may be any object from a non-empty API group (non
+	// core object) or a PersistentVolumeClaim object.
+	// When this field is specified, volume binding will only succeed if the type of
+	// the specified object matches some installed volume populator or dynamic
+	// provisioner.
+	// This field will replace the functionality of the dataSource field and as such
+	// if both fields are non-empty, they must have the same value. For backwards
+	// compatibility, when namespace isn't specified in dataSourceRef,
+	// both fields (dataSource and dataSourceRef) will be set to the same
+	// value automatically if one of them is empty and the other is non-empty.
+	// When namespace is specified in dataSourceRef,
+	// dataSource isn't set to the same value and must be empty.
+	// There are three important differences between dataSource and dataSourceRef:
+	// * While dataSource only allows two specific types of objects, dataSourceRef
+	// allows any non-core object, as well as PersistentVolumeClaim objects.
+	// * While dataSource ignores disallowed values (dropping them), dataSourceRef
+	// preserves all values, and generates an error if a disallowed value is
+	// specified.
+	// * While dataSource only allows local objects, dataSourceRef allows objects
+	// in any namespaces.
+	// (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+	// (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+	DataSourceRef *TypedObjectReferenceApplyConfiguration `json:"dataSourceRef,omitempty"`
+	// volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+	// If specified, the CSI driver will create or update the volume with the attributes defined
+	// in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+	// it can be changed after the claim is created. An empty string or nil value indicates that no
+	// VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+	// this field can be reset to its previous value (including nil) to cancel the modification.
+	// If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+	// set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+	// exists.
+	// More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+	VolumeAttributesClassName *string `json:"volumeAttributesClassName,omitempty"`
 }
 
 // PersistentVolumeClaimSpecApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimstatus.go
index 6cea23a2ce132..ee2d5adbd38a6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimstatus.go
@@ -24,15 +24,80 @@ import (
 
 // PersistentVolumeClaimStatusApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimStatus type for use
 // with apply.
+//
+// PersistentVolumeClaimStatus is the current status of a persistent volume claim.
 type PersistentVolumeClaimStatusApplyConfiguration struct {
-	Phase                            *corev1.PersistentVolumeClaimPhase                 `json:"phase,omitempty"`
-	AccessModes                      []corev1.PersistentVolumeAccessMode                `json:"accessModes,omitempty"`
-	Capacity                         *corev1.ResourceList                               `json:"capacity,omitempty"`
-	Conditions                       []PersistentVolumeClaimConditionApplyConfiguration `json:"conditions,omitempty"`
-	AllocatedResources               *corev1.ResourceList                               `json:"allocatedResources,omitempty"`
-	AllocatedResourceStatuses        map[corev1.ResourceName]corev1.ClaimResourceStatus `json:"allocatedResourceStatuses,omitempty"`
-	CurrentVolumeAttributesClassName *string                                            `json:"currentVolumeAttributesClassName,omitempty"`
-	ModifyVolumeStatus               *ModifyVolumeStatusApplyConfiguration              `json:"modifyVolumeStatus,omitempty"`
+	// phase represents the current phase of PersistentVolumeClaim.
+	Phase *corev1.PersistentVolumeClaimPhase `json:"phase,omitempty"`
+	// accessModes contains the actual access modes the volume backing the PVC has.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+	AccessModes []corev1.PersistentVolumeAccessMode `json:"accessModes,omitempty"`
+	// capacity represents the actual resources of the underlying volume.
+	Capacity *corev1.ResourceList `json:"capacity,omitempty"`
+	// conditions is the current Condition of persistent volume claim. If underlying persistent volume is being
+	// resized then the Condition will be set to 'Resizing'.
+	Conditions []PersistentVolumeClaimConditionApplyConfiguration `json:"conditions,omitempty"`
+	// allocatedResources tracks the resources allocated to a PVC including its capacity.
+	// Key names follow standard Kubernetes label syntax. Valid values are either:
+	// * Un-prefixed keys:
+	// - storage - the capacity of the volume.
+	// * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource"
+	// Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered
+	// reserved and hence may not be used.
+	//
+	// Capacity reported here may be larger than the actual capacity when a volume expansion operation
+	// is requested.
+	// For storage quota, the larger value from allocatedResources and PVC.spec.resources is used.
+	// If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.
+	// If a volume expansion capacity request is lowered, allocatedResources is only
+	// lowered if there are no expansion operations in progress and if the actual volume capacity
+	// is equal or lower than the requested capacity.
+	//
+	// A controller that receives PVC update with previously unknown resourceName
+	// should ignore the update for the purpose it was designed. For example - a controller that
+	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
+	// resources associated with PVC.
+	AllocatedResources *corev1.ResourceList `json:"allocatedResources,omitempty"`
+	// allocatedResourceStatuses stores status of resource being resized for the given PVC.
+	// Key names follow standard Kubernetes label syntax. Valid values are either:
+	// * Un-prefixed keys:
+	// - storage - the capacity of the volume.
+	// * Custom resources must use implementation-defined prefixed names such as "example.com/my-custom-resource"
+	// Apart from above values - keys that are unprefixed or have kubernetes.io prefix are considered
+	// reserved and hence may not be used.
+	//
+	// ClaimResourceStatus can be in any of following states:
+	// - ControllerResizeInProgress:
+	// State set when resize controller starts resizing the volume in control-plane.
+	// - ControllerResizeFailed:
+	// State set when resize has failed in resize controller with a terminal error.
+	// - NodeResizePending:
+	// State set when resize controller has finished resizing the volume but further resizing of
+	// volume is needed on the node.
+	// - NodeResizeInProgress:
+	// State set when kubelet starts resizing the volume.
+	// - NodeResizeFailed:
+	// State set when resizing has failed in kubelet with a terminal error. Transient errors don't set
+	// NodeResizeFailed.
+	// For example: if expanding a PVC for more capacity - this field can be one of the following states:
+	// - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeInProgress"
+	// - pvc.status.allocatedResourceStatus['storage'] = "ControllerResizeFailed"
+	// - pvc.status.allocatedResourceStatus['storage'] = "NodeResizePending"
+	// - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeInProgress"
+	// - pvc.status.allocatedResourceStatus['storage'] = "NodeResizeFailed"
+	// When this field is not set, it means that no resize operation is in progress for the given PVC.
+	//
+	// A controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus
+	// should ignore the update for the purpose it was designed. For example - a controller that
+	// only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid
+	// resources associated with PVC.
+	AllocatedResourceStatuses map[corev1.ResourceName]corev1.ClaimResourceStatus `json:"allocatedResourceStatuses,omitempty"`
+	// currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using.
+	// When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim
+	CurrentVolumeAttributesClassName *string `json:"currentVolumeAttributesClassName,omitempty"`
+	// ModifyVolumeStatus represents the status object of ControllerModifyVolume operation.
+	// When this is unset, there is no ModifyVolume operation being attempted.
+	ModifyVolumeStatus *ModifyVolumeStatusApplyConfiguration `json:"modifyVolumeStatus,omitempty"`
 }
 
 // PersistentVolumeClaimStatusApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimtemplate.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimtemplate.go
index 8d031c9e8e292..db5ce71a725eb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimtemplate.go
@@ -26,9 +26,19 @@ import (
 
 // PersistentVolumeClaimTemplateApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimTemplate type for use
 // with apply.
+//
+// PersistentVolumeClaimTemplate is used to produce
+// PersistentVolumeClaim objects as part of an EphemeralVolumeSource.
 type PersistentVolumeClaimTemplateApplyConfiguration struct {
+	// May contain labels and annotations that will be copied into the PVC
+	// when creating it. No other fields are allowed and will be rejected during
+	// validation.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PersistentVolumeClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// The specification for the PersistentVolumeClaim. The entire content is
+	// copied unchanged into the PVC that gets created from this
+	// template. The same fields as in a PersistentVolumeClaim
+	// are also valid here.
+	Spec *PersistentVolumeClaimSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // PersistentVolumeClaimTemplateApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimTemplate type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimvolumesource.go
index ccccdfb49306c..a171ebc1779e2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumeclaimvolumesource.go
@@ -20,9 +20,18 @@ package v1
 
 // PersistentVolumeClaimVolumeSourceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimVolumeSource type for use
 // with apply.
+//
+// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
+// This volume finds the bound PV and mounts that volume for the pod. A
+// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another
+// type of volume that is owned by someone else (the system).
 type PersistentVolumeClaimVolumeSourceApplyConfiguration struct {
+	// claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	ClaimName *string `json:"claimName,omitempty"`
-	ReadOnly  *bool   `json:"readOnly,omitempty"`
+	// readOnly Will force the ReadOnly setting in VolumeMounts.
+	// Default false.
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // PersistentVolumeClaimVolumeSourceApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumesource.go
index aba01246224e6..8627148bfc00b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumesource.go
@@ -20,29 +20,94 @@ package v1
 
 // PersistentVolumeSourceApplyConfiguration represents a declarative configuration of the PersistentVolumeSource type for use
 // with apply.
+//
+// PersistentVolumeSource is similar to VolumeSource but meant for the
+// administrator who creates PVs. Exactly one of its members must be set.
 type PersistentVolumeSourceApplyConfiguration struct {
-	GCEPersistentDisk    *GCEPersistentDiskVolumeSourceApplyConfiguration    `json:"gcePersistentDisk,omitempty"`
+	// gcePersistentDisk represents a GCE Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+	// Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+	// gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	GCEPersistentDisk *GCEPersistentDiskVolumeSourceApplyConfiguration `json:"gcePersistentDisk,omitempty"`
+	// awsElasticBlockStore represents an AWS Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+	// awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
 	AWSElasticBlockStore *AWSElasticBlockStoreVolumeSourceApplyConfiguration `json:"awsElasticBlockStore,omitempty"`
-	HostPath             *HostPathVolumeSourceApplyConfiguration             `json:"hostPath,omitempty"`
-	Glusterfs            *GlusterfsPersistentVolumeSourceApplyConfiguration  `json:"glusterfs,omitempty"`
-	NFS                  *NFSVolumeSourceApplyConfiguration                  `json:"nfs,omitempty"`
-	RBD                  *RBDPersistentVolumeSourceApplyConfiguration        `json:"rbd,omitempty"`
-	ISCSI                *ISCSIPersistentVolumeSourceApplyConfiguration      `json:"iscsi,omitempty"`
-	Cinder               *CinderPersistentVolumeSourceApplyConfiguration     `json:"cinder,omitempty"`
-	CephFS               *CephFSPersistentVolumeSourceApplyConfiguration     `json:"cephfs,omitempty"`
-	FC                   *FCVolumeSourceApplyConfiguration                   `json:"fc,omitempty"`
-	Flocker              *FlockerVolumeSourceApplyConfiguration              `json:"flocker,omitempty"`
-	FlexVolume           *FlexPersistentVolumeSourceApplyConfiguration       `json:"flexVolume,omitempty"`
-	AzureFile            *AzureFilePersistentVolumeSourceApplyConfiguration  `json:"azureFile,omitempty"`
-	VsphereVolume        *VsphereVirtualDiskVolumeSourceApplyConfiguration   `json:"vsphereVolume,omitempty"`
-	Quobyte              *QuobyteVolumeSourceApplyConfiguration              `json:"quobyte,omitempty"`
-	AzureDisk            *AzureDiskVolumeSourceApplyConfiguration            `json:"azureDisk,omitempty"`
+	// hostPath represents a directory on the host.
+	// Provisioned by a developer or tester.
+	// This is useful for single-node development and testing only!
+	// On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	HostPath *HostPathVolumeSourceApplyConfiguration `json:"hostPath,omitempty"`
+	// glusterfs represents a Glusterfs volume that is attached to a host and
+	// exposed to the pod. Provisioned by an admin.
+	// Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+	// More info: https://examples.k8s.io/volumes/glusterfs/README.md
+	Glusterfs *GlusterfsPersistentVolumeSourceApplyConfiguration `json:"glusterfs,omitempty"`
+	// nfs represents an NFS mount on the host. Provisioned by an admin.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	NFS *NFSVolumeSourceApplyConfiguration `json:"nfs,omitempty"`
+	// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+	// Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md
+	RBD *RBDPersistentVolumeSourceApplyConfiguration `json:"rbd,omitempty"`
+	// iscsi represents an ISCSI Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+	ISCSI *ISCSIPersistentVolumeSourceApplyConfiguration `json:"iscsi,omitempty"`
+	// cinder represents a cinder volume attached and mounted on kubelets host machine.
+	// Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+	// are redirected to the cinder.csi.openstack.org CSI driver.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	Cinder *CinderPersistentVolumeSourceApplyConfiguration `json:"cinder,omitempty"`
+	// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+	// Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+	CephFS *CephFSPersistentVolumeSourceApplyConfiguration `json:"cephfs,omitempty"`
+	// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+	FC *FCVolumeSourceApplyConfiguration `json:"fc,omitempty"`
+	// flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running.
+	// Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+	Flocker *FlockerVolumeSourceApplyConfiguration `json:"flocker,omitempty"`
+	// flexVolume represents a generic volume resource that is
+	// provisioned/attached using an exec based plugin.
+	// Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+	FlexVolume *FlexPersistentVolumeSourceApplyConfiguration `json:"flexVolume,omitempty"`
+	// azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+	// Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+	// are redirected to the file.csi.azure.com CSI driver.
+	AzureFile *AzureFilePersistentVolumeSourceApplyConfiguration `json:"azureFile,omitempty"`
+	// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+	// Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+	// are redirected to the csi.vsphere.vmware.com CSI driver.
+	VsphereVolume *VsphereVirtualDiskVolumeSourceApplyConfiguration `json:"vsphereVolume,omitempty"`
+	// quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+	// Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+	Quobyte *QuobyteVolumeSourceApplyConfiguration `json:"quobyte,omitempty"`
+	// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+	// Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+	// are redirected to the disk.csi.azure.com CSI driver.
+	AzureDisk *AzureDiskVolumeSourceApplyConfiguration `json:"azureDisk,omitempty"`
+	// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+	// Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
 	PhotonPersistentDisk *PhotonPersistentDiskVolumeSourceApplyConfiguration `json:"photonPersistentDisk,omitempty"`
-	PortworxVolume       *PortworxVolumeSourceApplyConfiguration             `json:"portworxVolume,omitempty"`
-	ScaleIO              *ScaleIOPersistentVolumeSourceApplyConfiguration    `json:"scaleIO,omitempty"`
-	Local                *LocalVolumeSourceApplyConfiguration                `json:"local,omitempty"`
-	StorageOS            *StorageOSPersistentVolumeSourceApplyConfiguration  `json:"storageos,omitempty"`
-	CSI                  *CSIPersistentVolumeSourceApplyConfiguration        `json:"csi,omitempty"`
+	// portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+	// Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+	// are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+	// is on.
+	PortworxVolume *PortworxVolumeSourceApplyConfiguration `json:"portworxVolume,omitempty"`
+	// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+	// Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+	ScaleIO *ScaleIOPersistentVolumeSourceApplyConfiguration `json:"scaleIO,omitempty"`
+	// local represents directly-attached storage with node affinity
+	Local *LocalVolumeSourceApplyConfiguration `json:"local,omitempty"`
+	// storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod.
+	// Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+	// More info: https://examples.k8s.io/volumes/storageos/README.md
+	StorageOS *StorageOSPersistentVolumeSourceApplyConfiguration `json:"storageos,omitempty"`
+	// csi represents storage that is handled by an external CSI driver.
+	CSI *CSIPersistentVolumeSourceApplyConfiguration `json:"csi,omitempty"`
 }
 
 // PersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the PersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumespec.go
index 792e3b94401fe..8c16610222884 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumespec.go
@@ -24,17 +24,49 @@ import (
 
 // PersistentVolumeSpecApplyConfiguration represents a declarative configuration of the PersistentVolumeSpec type for use
 // with apply.
+//
+// PersistentVolumeSpec is the specification of a persistent volume.
 type PersistentVolumeSpecApplyConfiguration struct {
-	Capacity                                 *corev1.ResourceList `json:"capacity,omitempty"`
+	// capacity is the description of the persistent volume's resources and capacity.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+	Capacity *corev1.ResourceList `json:"capacity,omitempty"`
+	// persistentVolumeSource is the actual volume backing the persistent volume.
 	PersistentVolumeSourceApplyConfiguration `json:",inline"`
-	AccessModes                              []corev1.PersistentVolumeAccessMode   `json:"accessModes,omitempty"`
-	ClaimRef                                 *ObjectReferenceApplyConfiguration    `json:"claimRef,omitempty"`
-	PersistentVolumeReclaimPolicy            *corev1.PersistentVolumeReclaimPolicy `json:"persistentVolumeReclaimPolicy,omitempty"`
-	StorageClassName                         *string                               `json:"storageClassName,omitempty"`
-	MountOptions                             []string                              `json:"mountOptions,omitempty"`
-	VolumeMode                               *corev1.PersistentVolumeMode          `json:"volumeMode,omitempty"`
-	NodeAffinity                             *VolumeNodeAffinityApplyConfiguration `json:"nodeAffinity,omitempty"`
-	VolumeAttributesClassName                *string                               `json:"volumeAttributesClassName,omitempty"`
+	// accessModes contains all ways the volume can be mounted.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
+	AccessModes []corev1.PersistentVolumeAccessMode `json:"accessModes,omitempty"`
+	// claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim.
+	// Expected to be non-nil when bound.
+	// claim.VolumeName is the authoritative bind between PV and PVC.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
+	ClaimRef *ObjectReferenceApplyConfiguration `json:"claimRef,omitempty"`
+	// persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim.
+	// Valid options are Retain (default for manually created PersistentVolumes), Delete (default
+	// for dynamically provisioned PersistentVolumes), and Recycle (deprecated).
+	// Recycle must be supported by the volume plugin underlying this PersistentVolume.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
+	PersistentVolumeReclaimPolicy *corev1.PersistentVolumeReclaimPolicy `json:"persistentVolumeReclaimPolicy,omitempty"`
+	// storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value
+	// means that this volume does not belong to any StorageClass.
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// mountOptions is the list of mount options, e.g. ["ro", "soft"]. Not validated - mount will
+	// simply fail if one is invalid.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options
+	MountOptions []string `json:"mountOptions,omitempty"`
+	// volumeMode defines if a volume is intended to be used with a formatted filesystem
+	// or to remain in raw block state. Value of Filesystem is implied when not included in spec.
+	VolumeMode *corev1.PersistentVolumeMode `json:"volumeMode,omitempty"`
+	// nodeAffinity defines constraints that limit what nodes this volume can be accessed from.
+	// This field influences the scheduling of pods that use this volume.
+	// This field is mutable if MutablePVNodeAffinity feature gate is enabled.
+	NodeAffinity *VolumeNodeAffinityApplyConfiguration `json:"nodeAffinity,omitempty"`
+	// Name of VolumeAttributesClass to which this persistent volume belongs. Empty value
+	// is not allowed. When this field is not set, it indicates that this volume does not belong to any
+	// VolumeAttributesClass. This field is mutable and can be changed by the CSI driver
+	// after a volume has been updated successfully to a new class.
+	// For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound
+	// PersistentVolumeClaims during the binding process.
+	VolumeAttributesClassName *string `json:"volumeAttributesClassName,omitempty"`
 }
 
 // PersistentVolumeSpecApplyConfiguration constructs a declarative configuration of the PersistentVolumeSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumestatus.go
index 0bb077ae09764..9d6e5340fe7fe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/persistentvolumestatus.go
@@ -25,11 +25,20 @@ import (
 
 // PersistentVolumeStatusApplyConfiguration represents a declarative configuration of the PersistentVolumeStatus type for use
 // with apply.
+//
+// PersistentVolumeStatus is the current status of a persistent volume.
 type PersistentVolumeStatusApplyConfiguration struct {
-	Phase                   *corev1.PersistentVolumePhase `json:"phase,omitempty"`
-	Message                 *string                       `json:"message,omitempty"`
-	Reason                  *string                       `json:"reason,omitempty"`
-	LastPhaseTransitionTime *metav1.Time                  `json:"lastPhaseTransitionTime,omitempty"`
+	// phase indicates if a volume is available, bound to a claim, or released by a claim.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
+	Phase *corev1.PersistentVolumePhase `json:"phase,omitempty"`
+	// message is a human-readable message indicating details about why the volume is in this state.
+	Message *string `json:"message,omitempty"`
+	// reason is a brief CamelCase string that describes any failure and is meant
+	// for machine parsing and tidy display in the CLI.
+	Reason *string `json:"reason,omitempty"`
+	// lastPhaseTransitionTime is the time the phase transitioned from one to another
+	// and automatically resets to current time everytime a volume phase transitions.
+	LastPhaseTransitionTime *metav1.Time `json:"lastPhaseTransitionTime,omitempty"`
 }
 
 // PersistentVolumeStatusApplyConfiguration constructs a declarative configuration of the PersistentVolumeStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/photonpersistentdiskvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/photonpersistentdiskvolumesource.go
index d8dc103e2af14..585e50ea4af4f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/photonpersistentdiskvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/photonpersistentdiskvolumesource.go
@@ -20,8 +20,14 @@ package v1
 
 // PhotonPersistentDiskVolumeSourceApplyConfiguration represents a declarative configuration of the PhotonPersistentDiskVolumeSource type for use
 // with apply.
+//
+// Represents a Photon Controller persistent disk resource.
 type PhotonPersistentDiskVolumeSourceApplyConfiguration struct {
-	PdID   *string `json:"pdID,omitempty"`
+	// pdID is the ID that identifies Photon Controller persistent disk
+	PdID *string `json:"pdID,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
 	FSType *string `json:"fsType,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/pod.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/pod.go
index df4e99b32f097..d10d38de19e35 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/pod.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/pod.go
@@ -29,11 +29,23 @@ import (
 
 // PodApplyConfiguration represents a declarative configuration of the Pod type for use
 // with apply.
+//
+// Pod is a collection of containers that can run on a host. This resource is created
+// by clients and scheduled onto hosts.
 type PodApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PodSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *PodStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the pod.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PodSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the pod.
+	// This data may not be up to date.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *PodStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Pod constructs a declarative configuration of the Pod type for use with
@@ -47,6 +59,27 @@ func Pod(name, namespace string) *PodApplyConfiguration {
 	return b
 }
 
+// ExtractPodFrom extracts the applied configuration owned by fieldManager from
+// pod for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// pod must be a unmodified Pod API object that was retrieved from the Kubernetes API.
+// ExtractPodFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodFrom(pod *corev1.Pod, fieldManager string, subresource string) (*PodApplyConfiguration, error) {
+	b := &PodApplyConfiguration{}
+	err := managedfields.ExtractInto(pod, internal.Parser().Type("io.k8s.api.core.v1.Pod"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(pod.Name)
+	b.WithNamespace(pod.Namespace)
+
+	b.WithKind("Pod")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractPod extracts the applied configuration owned by fieldManager from
 // pod. If no managedFields are found in pod for fieldManager, a
 // PodApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +90,28 @@ func Pod(name, namespace string) *PodApplyConfiguration {
 // ExtractPod provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPod(pod *corev1.Pod, fieldManager string) (*PodApplyConfiguration, error) {
-	return extractPod(pod, fieldManager, "")
+	return ExtractPodFrom(pod, fieldManager, "")
 }
 
-// ExtractPodStatus is the same as ExtractPod except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPodStatus(pod *corev1.Pod, fieldManager string) (*PodApplyConfiguration, error) {
-	return extractPod(pod, fieldManager, "status")
+// ExtractPodEphemeralcontainers extracts the applied configuration owned by fieldManager from
+// pod for the ephemeralcontainers subresource.
+func ExtractPodEphemeralcontainers(pod *corev1.Pod, fieldManager string) (*PodApplyConfiguration, error) {
+	return ExtractPodFrom(pod, fieldManager, "ephemeralcontainers")
 }
 
-func extractPod(pod *corev1.Pod, fieldManager string, subresource string) (*PodApplyConfiguration, error) {
-	b := &PodApplyConfiguration{}
-	err := managedfields.ExtractInto(pod, internal.Parser().Type("io.k8s.api.core.v1.Pod"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(pod.Name)
-	b.WithNamespace(pod.Namespace)
+// ExtractPodResize extracts the applied configuration owned by fieldManager from
+// pod for the resize subresource.
+func ExtractPodResize(pod *corev1.Pod, fieldManager string) (*PodApplyConfiguration, error) {
+	return ExtractPodFrom(pod, fieldManager, "resize")
+}
 
-	b.WithKind("Pod")
-	b.WithAPIVersion("v1")
-	return b, nil
+// ExtractPodStatus extracts the applied configuration owned by fieldManager from
+// pod for the status subresource.
+func ExtractPodStatus(pod *corev1.Pod, fieldManager string) (*PodApplyConfiguration, error) {
+	return ExtractPodFrom(pod, fieldManager, "status")
 }
+
 func (b PodApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinity.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinity.go
index 23fed95464691..dda9727a69004 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinity.go
@@ -20,8 +20,26 @@ package v1
 
 // PodAffinityApplyConfiguration represents a declarative configuration of the PodAffinity type for use
 // with apply.
+//
+// Pod affinity is a group of inter pod affinity scheduling rules.
 type PodAffinityApplyConfiguration struct {
-	RequiredDuringSchedulingIgnoredDuringExecution  []PodAffinityTermApplyConfiguration         `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system may or may not try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	RequiredDuringSchedulingIgnoredDuringExecution []PodAffinityTermApplyConfiguration `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and adding
+	// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+	// node(s) with the highest sum are the most preferred.
 	PreferredDuringSchedulingIgnoredDuringExecution []WeightedPodAffinityTermApplyConfiguration `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinityterm.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinityterm.go
index 1cc1ca0d06322..8dbf0c66a7ebb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinityterm.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podaffinityterm.go
@@ -24,13 +24,52 @@ import (
 
 // PodAffinityTermApplyConfiguration represents a declarative configuration of the PodAffinityTerm type for use
 // with apply.
+//
+// Defines a set of pods (namely those matching the labelSelector
+// relative to the given namespace(s)) that this pod should be
+// co-located (affinity) or not co-located (anti-affinity) with,
+// where co-located is defined as running on a node whose value of
+// the label with key <topologyKey> matches that of any node on which
+// a pod of the set of pods is running
 type PodAffinityTermApplyConfiguration struct {
-	LabelSelector     *metav1.LabelSelectorApplyConfiguration `json:"labelSelector,omitempty"`
-	Namespaces        []string                                `json:"namespaces,omitempty"`
-	TopologyKey       *string                                 `json:"topologyKey,omitempty"`
+	// A label query over a set of resources, in this case pods.
+	// If it's null, this PodAffinityTerm matches with no Pods.
+	LabelSelector *metav1.LabelSelectorApplyConfiguration `json:"labelSelector,omitempty"`
+	// namespaces specifies a static list of namespace names that the term applies to.
+	// The term is applied to the union of the namespaces listed in this field
+	// and the ones selected by namespaceSelector.
+	// null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+	Namespaces []string `json:"namespaces,omitempty"`
+	// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+	// the labelSelector in the specified namespaces, where co-located is defined as running on a node
+	// whose value of the label with key topologyKey matches that of any node on which any of the
+	// selected pods is running.
+	// Empty topologyKey is not allowed.
+	TopologyKey *string `json:"topologyKey,omitempty"`
+	// A label query over the set of namespaces that the term applies to.
+	// The term is applied to the union of the namespaces selected by this field
+	// and the ones listed in the namespaces field.
+	// null selector and null or empty namespaces list means "this pod's namespace".
+	// An empty selector ({}) matches all namespaces.
 	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
-	MatchLabelKeys    []string                                `json:"matchLabelKeys,omitempty"`
-	MismatchLabelKeys []string                                `json:"mismatchLabelKeys,omitempty"`
+	// MatchLabelKeys is a set of pod label keys to select which pods will
+	// be taken into consideration. The keys are used to lookup values from the
+	// incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+	// to select the group of existing pods which pods will be taken into consideration
+	// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+	// pod labels will be ignored. The default value is empty.
+	// The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+	// Also, matchLabelKeys cannot be set when labelSelector isn't set.
+	MatchLabelKeys []string `json:"matchLabelKeys,omitempty"`
+	// MismatchLabelKeys is a set of pod label keys to select which pods will
+	// be taken into consideration. The keys are used to lookup values from the
+	// incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+	// to select the group of existing pods which pods will be taken into consideration
+	// for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+	// pod labels will be ignored. The default value is empty.
+	// The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+	// Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+	MismatchLabelKeys []string `json:"mismatchLabelKeys,omitempty"`
 }
 
 // PodAffinityTermApplyConfiguration constructs a declarative configuration of the PodAffinityTerm type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podantiaffinity.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podantiaffinity.go
index ae9848963df10..5e1ece1984b26 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podantiaffinity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podantiaffinity.go
@@ -20,8 +20,26 @@ package v1
 
 // PodAntiAffinityApplyConfiguration represents a declarative configuration of the PodAntiAffinity type for use
 // with apply.
+//
+// Pod anti affinity is a group of inter pod anti affinity scheduling rules.
 type PodAntiAffinityApplyConfiguration struct {
-	RequiredDuringSchedulingIgnoredDuringExecution  []PodAffinityTermApplyConfiguration         `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// If the anti-affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the anti-affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system may or may not try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	RequiredDuringSchedulingIgnoredDuringExecution []PodAffinityTermApplyConfiguration `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the anti-affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling anti-affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and subtracting
+	// "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+	// node(s) with the highest sum are the most preferred.
 	PreferredDuringSchedulingIgnoredDuringExecution []WeightedPodAffinityTermApplyConfiguration `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcertificateprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcertificateprojection.go
index 1b6ffffba765e..0d951a89488b5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcertificateprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcertificateprojection.go
@@ -20,13 +20,75 @@ package v1
 
 // PodCertificateProjectionApplyConfiguration represents a declarative configuration of the PodCertificateProjection type for use
 // with apply.
+//
+// PodCertificateProjection provides a private key and X.509 certificate in the
+// pod filesystem.
 type PodCertificateProjectionApplyConfiguration struct {
-	SignerName           *string `json:"signerName,omitempty"`
-	KeyType              *string `json:"keyType,omitempty"`
-	MaxExpirationSeconds *int32  `json:"maxExpirationSeconds,omitempty"`
+	// Kubelet's generated CSRs will be addressed to this signer.
+	SignerName *string `json:"signerName,omitempty"`
+	// The type of keypair Kubelet will generate for the pod.
+	//
+	// Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+	// "ECDSAP521", and "ED25519".
+	KeyType *string `json:"keyType,omitempty"`
+	// maxExpirationSeconds is the maximum lifetime permitted for the
+	// certificate.
+	//
+	// Kubelet copies this value verbatim into the PodCertificateRequests it
+	// generates for this projection.
+	//
+	// If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+	// will reject values shorter than 3600 (1 hour).  The maximum allowable
+	// value is 7862400 (91 days).
+	//
+	// The signer implementation is then free to issue a certificate with any
+	// lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+	// seconds (1 hour).  This constraint is enforced by kube-apiserver.
+	// `kubernetes.io` signers will never issue certificates with a lifetime
+	// longer than 24 hours.
+	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty"`
+	// Write the credential bundle at this path in the projected volume.
+	//
+	// The credential bundle is a single file that contains multiple PEM blocks.
+	// The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+	// key.
+	//
+	// The remaining blocks are CERTIFICATE blocks, containing the issued
+	// certificate chain from the signer (leaf and any intermediates).
+	//
+	// Using credentialBundlePath lets your Pod's application code make a single
+	// atomic read that retrieves a consistent key and certificate chain.  If you
+	// project them to separate files, your application code will need to
+	// additionally check that the leaf certificate was issued to the key.
 	CredentialBundlePath *string `json:"credentialBundlePath,omitempty"`
-	KeyPath              *string `json:"keyPath,omitempty"`
+	// Write the key at this path in the projected volume.
+	//
+	// Most applications should use credentialBundlePath.  When using keyPath
+	// and certificateChainPath, your application needs to check that the key
+	// and leaf certificate are consistent, because it is possible to read the
+	// files mid-rotation.
+	KeyPath *string `json:"keyPath,omitempty"`
+	// Write the certificate chain at this path in the projected volume.
+	//
+	// Most applications should use credentialBundlePath.  When using keyPath
+	// and certificateChainPath, your application needs to check that the key
+	// and leaf certificate are consistent, because it is possible to read the
+	// files mid-rotation.
 	CertificateChainPath *string `json:"certificateChainPath,omitempty"`
+	// userAnnotations allow pod authors to pass additional information to
+	// the signer implementation.  Kubernetes does not restrict or validate this
+	// metadata in any way.
+	//
+	// These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+	// the PodCertificateRequest objects that Kubelet creates.
+	//
+	// Entries are subject to the same validation as object metadata annotations,
+	// with the addition that all keys must be domain-prefixed. No restrictions
+	// are placed on values, except an overall size limitation on the entire field.
+	//
+	// Signers should document the keys and values they support. Signers should
+	// deny requests that contain keys they do not recognize.
+	UserAnnotations map[string]string `json:"userAnnotations,omitempty"`
 }
 
 // PodCertificateProjectionApplyConfiguration constructs a declarative configuration of the PodCertificateProjection type for use with
@@ -82,3 +144,17 @@ func (b *PodCertificateProjectionApplyConfiguration) WithCertificateChainPath(va
 	b.CertificateChainPath = &value
 	return b
 }
+
+// WithUserAnnotations puts the entries into the UserAnnotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the UserAnnotations field,
+// overwriting an existing map entries in UserAnnotations field with the same key.
+func (b *PodCertificateProjectionApplyConfiguration) WithUserAnnotations(entries map[string]string) *PodCertificateProjectionApplyConfiguration {
+	if b.UserAnnotations == nil && len(entries) > 0 {
+		b.UserAnnotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.UserAnnotations[k] = v
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcondition.go
index 90bb8711b18aa..55e55dd0f2bce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podcondition.go
@@ -25,14 +25,27 @@ import (
 
 // PodConditionApplyConfiguration represents a declarative configuration of the PodCondition type for use
 // with apply.
+//
+// PodCondition contains details for the current condition of this pod.
 type PodConditionApplyConfiguration struct {
-	Type               *corev1.PodConditionType `json:"type,omitempty"`
-	ObservedGeneration *int64                   `json:"observedGeneration,omitempty"`
-	Status             *corev1.ConditionStatus  `json:"status,omitempty"`
-	LastProbeTime      *metav1.Time             `json:"lastProbeTime,omitempty"`
-	LastTransitionTime *metav1.Time             `json:"lastTransitionTime,omitempty"`
-	Reason             *string                  `json:"reason,omitempty"`
-	Message            *string                  `json:"message,omitempty"`
+	// Type is the type of the condition.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	Type *corev1.PodConditionType `json:"type,omitempty"`
+	// If set, this represents the .metadata.generation that the pod condition was set based upon.
+	// The PodObservedGenerationTracking feature gate must be enabled to use this field.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Status is the status of the condition.
+	// Can be True, False, Unknown.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time we probed the condition.
+	LastProbeTime *metav1.Time `json:"lastProbeTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// Unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// Human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PodConditionApplyConfiguration constructs a declarative configuration of the PodCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfig.go
index 2e0ce9a91e68e..a725e3a91028f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfig.go
@@ -20,10 +20,23 @@ package v1
 
 // PodDNSConfigApplyConfiguration represents a declarative configuration of the PodDNSConfig type for use
 // with apply.
+//
+// PodDNSConfig defines the DNS parameters of a pod in addition to
+// those generated from DNSPolicy.
 type PodDNSConfigApplyConfiguration struct {
-	Nameservers []string                               `json:"nameservers,omitempty"`
-	Searches    []string                               `json:"searches,omitempty"`
-	Options     []PodDNSConfigOptionApplyConfiguration `json:"options,omitempty"`
+	// A list of DNS name server IP addresses.
+	// This will be appended to the base nameservers generated from DNSPolicy.
+	// Duplicated nameservers will be removed.
+	Nameservers []string `json:"nameservers,omitempty"`
+	// A list of DNS search domains for host-name lookup.
+	// This will be appended to the base search paths generated from DNSPolicy.
+	// Duplicated search paths will be removed.
+	Searches []string `json:"searches,omitempty"`
+	// A list of DNS resolver options.
+	// This will be merged with the base options generated from DNSPolicy.
+	// Duplicated entries will be removed. Resolution options given in Options
+	// will override those that appear in the base DNSPolicy.
+	Options []PodDNSConfigOptionApplyConfiguration `json:"options,omitempty"`
 }
 
 // PodDNSConfigApplyConfiguration constructs a declarative configuration of the PodDNSConfig type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfigoption.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfigoption.go
index 458b333bf23c0..3b9a868e4e039 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfigoption.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/poddnsconfigoption.go
@@ -20,8 +20,13 @@ package v1
 
 // PodDNSConfigOptionApplyConfiguration represents a declarative configuration of the PodDNSConfigOption type for use
 // with apply.
+//
+// PodDNSConfigOption defines DNS resolver options of a pod.
 type PodDNSConfigOptionApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// Name is this DNS resolver option's name.
+	// Required.
+	Name *string `json:"name,omitempty"`
+	// Value is this DNS resolver option's value.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podextendedresourceclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podextendedresourceclaimstatus.go
index d437886305a50..460936eea29cc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podextendedresourceclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podextendedresourceclaimstatus.go
@@ -20,9 +20,17 @@ package v1
 
 // PodExtendedResourceClaimStatusApplyConfiguration represents a declarative configuration of the PodExtendedResourceClaimStatus type for use
 // with apply.
+//
+// PodExtendedResourceClaimStatus is stored in the PodStatus for the extended
+// resource requests backed by DRA. It stores the generated name for
+// the corresponding special ResourceClaim created by the scheduler.
 type PodExtendedResourceClaimStatusApplyConfiguration struct {
-	RequestMappings   []ContainerExtendedResourceRequestApplyConfiguration `json:"requestMappings,omitempty"`
-	ResourceClaimName *string                                              `json:"resourceClaimName,omitempty"`
+	// RequestMappings identifies the mapping of <container, extended resource backed by DRA> to  device request
+	// in the generated ResourceClaim.
+	RequestMappings []ContainerExtendedResourceRequestApplyConfiguration `json:"requestMappings,omitempty"`
+	// ResourceClaimName is the name of the ResourceClaim that was
+	// generated for the Pod in the namespace of the Pod.
+	ResourceClaimName *string `json:"resourceClaimName,omitempty"`
 }
 
 // PodExtendedResourceClaimStatusApplyConfiguration constructs a declarative configuration of the PodExtendedResourceClaimStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podip.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podip.go
index 73f089856f702..42412090b7552 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podip.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podip.go
@@ -20,7 +20,10 @@ package v1
 
 // PodIPApplyConfiguration represents a declarative configuration of the PodIP type for use
 // with apply.
+//
+// PodIP represents a single IP address allocated to the pod.
 type PodIPApplyConfiguration struct {
+	// IP is the IP address assigned to the pod
 	IP *string `json:"ip,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podos.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podos.go
index 22a74560115e6..8c0010b6a5cdc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podos.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podos.go
@@ -24,7 +24,13 @@ import (
 
 // PodOSApplyConfiguration represents a declarative configuration of the PodOS type for use
 // with apply.
+//
+// PodOS defines the OS parameters of a pod.
 type PodOSApplyConfiguration struct {
+	// Name is the name of the operating system. The currently supported values are linux and windows.
+	// Additional value may be defined in future and can be one of:
+	// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
+	// Clients should expect to handle additional values and treat unrecognized values in this field as os: null
 	Name *corev1.OSName `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podreadinessgate.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podreadinessgate.go
index 4298b1ca62a2f..b86f48378c66e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podreadinessgate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podreadinessgate.go
@@ -24,7 +24,10 @@ import (
 
 // PodReadinessGateApplyConfiguration represents a declarative configuration of the PodReadinessGate type for use
 // with apply.
+//
+// PodReadinessGate contains the reference to a pod condition
 type PodReadinessGateApplyConfiguration struct {
+	// ConditionType refers to a condition in the pod's condition list with matching type.
 	ConditionType *corev1.PodConditionType `json:"conditionType,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaim.go
index b0bd67fa11372..93d2280f0dfa6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaim.go
@@ -20,9 +20,38 @@ package v1
 
 // PodResourceClaimApplyConfiguration represents a declarative configuration of the PodResourceClaim type for use
 // with apply.
+//
+// PodResourceClaim references exactly one ResourceClaim, either directly
+// or by naming a ResourceClaimTemplate which is then turned into a ResourceClaim
+// for the pod.
+//
+// It adds a name to it that uniquely identifies the ResourceClaim inside the Pod.
+// Containers that need access to the ResourceClaim reference it with this name.
 type PodResourceClaimApplyConfiguration struct {
-	Name                      *string `json:"name,omitempty"`
-	ResourceClaimName         *string `json:"resourceClaimName,omitempty"`
+	// Name uniquely identifies this resource claim inside the pod.
+	// This must be a DNS_LABEL.
+	Name *string `json:"name,omitempty"`
+	// ResourceClaimName is the name of a ResourceClaim object in the same
+	// namespace as this pod.
+	//
+	// Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+	// be set.
+	ResourceClaimName *string `json:"resourceClaimName,omitempty"`
+	// ResourceClaimTemplateName is the name of a ResourceClaimTemplate
+	// object in the same namespace as this pod.
+	//
+	// The template will be used to create a new ResourceClaim, which will
+	// be bound to this pod. When this pod is deleted, the ResourceClaim
+	// will also be deleted. The pod name and resource name, along with a
+	// generated component, will be used to form a unique name for the
+	// ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.
+	//
+	// This field is immutable and no changes will be made to the
+	// corresponding ResourceClaim by the control plane after creating the
+	// ResourceClaim.
+	//
+	// Exactly one of ResourceClaimName and ResourceClaimTemplateName must
+	// be set.
 	ResourceClaimTemplateName *string `json:"resourceClaimTemplateName,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaimstatus.go
index f60ad4b052950..f0673fa0f118c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podresourceclaimstatus.go
@@ -20,8 +20,19 @@ package v1
 
 // PodResourceClaimStatusApplyConfiguration represents a declarative configuration of the PodResourceClaimStatus type for use
 // with apply.
+//
+// PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim
+// which references a ResourceClaimTemplate. It stores the generated name for
+// the corresponding ResourceClaim.
 type PodResourceClaimStatusApplyConfiguration struct {
-	Name              *string `json:"name,omitempty"`
+	// Name uniquely identifies this resource claim inside the pod.
+	// This must match the name of an entry in pod.spec.resourceClaims,
+	// which implies that the string must be a DNS_LABEL.
+	Name *string `json:"name,omitempty"`
+	// ResourceClaimName is the name of the ResourceClaim that was
+	// generated for the Pod in the namespace of the Pod. If this is
+	// unset, then generating a ResourceClaim was not necessary. The
+	// pod.spec.resourceClaims entry can be ignored in this case.
 	ResourceClaimName *string `json:"resourceClaimName,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podschedulinggate.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podschedulinggate.go
index 3d910927765e9..bf9d551e8f9fe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podschedulinggate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podschedulinggate.go
@@ -20,7 +20,11 @@ package v1
 
 // PodSchedulingGateApplyConfiguration represents a declarative configuration of the PodSchedulingGate type for use
 // with apply.
+//
+// PodSchedulingGate is associated to a Pod to guard its scheduling.
 type PodSchedulingGateApplyConfiguration struct {
+	// Name of the scheduling gate.
+	// Each scheduling gate must have a unique name field.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podsecuritycontext.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podsecuritycontext.go
index f0a3e662c834b..a6f1629ed76e0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podsecuritycontext.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podsecuritycontext.go
@@ -24,20 +24,114 @@ import (
 
 // PodSecurityContextApplyConfiguration represents a declarative configuration of the PodSecurityContext type for use
 // with apply.
+//
+// PodSecurityContext holds pod-level security attributes and common container settings.
+// Some fields are also present in container.securityContext.  Field values of
+// container.securityContext take precedence over field values of PodSecurityContext.
 type PodSecurityContextApplyConfiguration struct {
-	SELinuxOptions           *SELinuxOptionsApplyConfiguration                `json:"seLinuxOptions,omitempty"`
-	WindowsOptions           *WindowsSecurityContextOptionsApplyConfiguration `json:"windowsOptions,omitempty"`
-	RunAsUser                *int64                                           `json:"runAsUser,omitempty"`
-	RunAsGroup               *int64                                           `json:"runAsGroup,omitempty"`
-	RunAsNonRoot             *bool                                            `json:"runAsNonRoot,omitempty"`
-	SupplementalGroups       []int64                                          `json:"supplementalGroups,omitempty"`
-	SupplementalGroupsPolicy *corev1.SupplementalGroupsPolicy                 `json:"supplementalGroupsPolicy,omitempty"`
-	FSGroup                  *int64                                           `json:"fsGroup,omitempty"`
-	Sysctls                  []SysctlApplyConfiguration                       `json:"sysctls,omitempty"`
-	FSGroupChangePolicy      *corev1.PodFSGroupChangePolicy                   `json:"fsGroupChangePolicy,omitempty"`
-	SeccompProfile           *SeccompProfileApplyConfiguration                `json:"seccompProfile,omitempty"`
-	AppArmorProfile          *AppArmorProfileApplyConfiguration               `json:"appArmorProfile,omitempty"`
-	SELinuxChangePolicy      *corev1.PodSELinuxChangePolicy                   `json:"seLinuxChangePolicy,omitempty"`
+	// The SELinux context to be applied to all containers.
+	// If unspecified, the container runtime will allocate a random SELinux context for each
+	// container.  May also be set in SecurityContext.  If set in
+	// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+	// takes precedence for that container.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SELinuxOptions *SELinuxOptionsApplyConfiguration `json:"seLinuxOptions,omitempty"`
+	// The Windows specific settings applied to all containers.
+	// If unspecified, the options within a container's SecurityContext will be used.
+	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// Note that this field cannot be set when spec.os.name is linux.
+	WindowsOptions *WindowsSecurityContextOptionsApplyConfiguration `json:"windowsOptions,omitempty"`
+	// The UID to run the entrypoint of the container process.
+	// Defaults to user specified in image metadata if unspecified.
+	// May also be set in SecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence
+	// for that container.
+	// Note that this field cannot be set when spec.os.name is windows.
+	RunAsUser *int64 `json:"runAsUser,omitempty"`
+	// The GID to run the entrypoint of the container process.
+	// Uses runtime default if unset.
+	// May also be set in SecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence
+	// for that container.
+	// Note that this field cannot be set when spec.os.name is windows.
+	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+	// Indicates that the container must run as a non-root user.
+	// If true, the Kubelet will validate the image at runtime to ensure that it
+	// does not run as UID 0 (root) and fail to start the container if it does.
+	// If unset or false, no such validation will be performed.
+	// May also be set in SecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+	// A list of groups applied to the first process run in each container, in
+	// addition to the container's primary GID and fsGroup (if specified).  If
+	// the SupplementalGroupsPolicy feature is enabled, the
+	// supplementalGroupsPolicy field determines whether these are in addition
+	// to or instead of any group memberships defined in the container image.
+	// If unspecified, no additional groups are added, though group memberships
+	// defined in the container image may still be used, depending on the
+	// supplementalGroupsPolicy field.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
+	// Defines how supplemental groups of the first container processes are calculated.
+	// Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+	// (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+	// and the container runtime must implement support for this feature.
+	// Note that this field cannot be set when spec.os.name is windows.
+	// TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34
+	SupplementalGroupsPolicy *corev1.SupplementalGroupsPolicy `json:"supplementalGroupsPolicy,omitempty"`
+	// A special supplemental group that applies to all containers in a pod.
+	// Some volume types allow the Kubelet to change the ownership of that volume
+	// to be owned by the pod:
+	//
+	// 1. The owning GID will be the FSGroup
+	// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+	// 3. The permission bits are OR'd with rw-rw----
+	//
+	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
+	// Note that this field cannot be set when spec.os.name is windows.
+	FSGroup *int64 `json:"fsGroup,omitempty"`
+	// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+	// sysctls (by the container runtime) might fail to launch.
+	// Note that this field cannot be set when spec.os.name is windows.
+	Sysctls []SysctlApplyConfiguration `json:"sysctls,omitempty"`
+	// fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+	// before being exposed inside Pod. This field will only apply to
+	// volume types which support fsGroup based ownership(and permissions).
+	// It will have no effect on ephemeral volume types such as: secret, configmaps
+	// and emptydir.
+	// Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+	// Note that this field cannot be set when spec.os.name is windows.
+	FSGroupChangePolicy *corev1.PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty"`
+	// The seccomp options to use by the containers in this pod.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SeccompProfile *SeccompProfileApplyConfiguration `json:"seccompProfile,omitempty"`
+	// appArmorProfile is the AppArmor options to use by the containers in this pod.
+	// Note that this field cannot be set when spec.os.name is windows.
+	AppArmorProfile *AppArmorProfileApplyConfiguration `json:"appArmorProfile,omitempty"`
+	// seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+	// It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+	// Valid values are "MountOption" and "Recursive".
+	//
+	// "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+	// This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+	//
+	// "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+	// This requires all Pods that share the same volume to use the same SELinux label.
+	// It is not possible to share the same volume among privileged and unprivileged Pods.
+	// Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+	// whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+	// CSIDriver instance. Other volumes are always re-labelled recursively.
+	// "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+	//
+	// If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+	// If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+	// and "Recursive" for all other volumes.
+	//
+	// This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+	//
+	// All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SELinuxChangePolicy *corev1.PodSELinuxChangePolicy `json:"seLinuxChangePolicy,omitempty"`
 }
 
 // PodSecurityContextApplyConfiguration constructs a declarative configuration of the PodSecurityContext type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podspec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podspec.go
index 82a1afa61c569..1948c7131f9c8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podspec.go
@@ -24,48 +24,263 @@ import (
 
 // PodSpecApplyConfiguration represents a declarative configuration of the PodSpec type for use
 // with apply.
+//
+// PodSpec is a description of a pod.
 type PodSpecApplyConfiguration struct {
-	Volumes                       []VolumeApplyConfiguration                   `json:"volumes,omitempty"`
-	InitContainers                []ContainerApplyConfiguration                `json:"initContainers,omitempty"`
-	Containers                    []ContainerApplyConfiguration                `json:"containers,omitempty"`
-	EphemeralContainers           []EphemeralContainerApplyConfiguration       `json:"ephemeralContainers,omitempty"`
-	RestartPolicy                 *corev1.RestartPolicy                        `json:"restartPolicy,omitempty"`
-	TerminationGracePeriodSeconds *int64                                       `json:"terminationGracePeriodSeconds,omitempty"`
-	ActiveDeadlineSeconds         *int64                                       `json:"activeDeadlineSeconds,omitempty"`
-	DNSPolicy                     *corev1.DNSPolicy                            `json:"dnsPolicy,omitempty"`
-	NodeSelector                  map[string]string                            `json:"nodeSelector,omitempty"`
-	ServiceAccountName            *string                                      `json:"serviceAccountName,omitempty"`
-	DeprecatedServiceAccount      *string                                      `json:"serviceAccount,omitempty"`
-	AutomountServiceAccountToken  *bool                                        `json:"automountServiceAccountToken,omitempty"`
-	NodeName                      *string                                      `json:"nodeName,omitempty"`
-	HostNetwork                   *bool                                        `json:"hostNetwork,omitempty"`
-	HostPID                       *bool                                        `json:"hostPID,omitempty"`
-	HostIPC                       *bool                                        `json:"hostIPC,omitempty"`
-	ShareProcessNamespace         *bool                                        `json:"shareProcessNamespace,omitempty"`
-	SecurityContext               *PodSecurityContextApplyConfiguration        `json:"securityContext,omitempty"`
-	ImagePullSecrets              []LocalObjectReferenceApplyConfiguration     `json:"imagePullSecrets,omitempty"`
-	Hostname                      *string                                      `json:"hostname,omitempty"`
-	Subdomain                     *string                                      `json:"subdomain,omitempty"`
-	Affinity                      *AffinityApplyConfiguration                  `json:"affinity,omitempty"`
-	SchedulerName                 *string                                      `json:"schedulerName,omitempty"`
-	Tolerations                   []TolerationApplyConfiguration               `json:"tolerations,omitempty"`
-	HostAliases                   []HostAliasApplyConfiguration                `json:"hostAliases,omitempty"`
-	PriorityClassName             *string                                      `json:"priorityClassName,omitempty"`
-	Priority                      *int32                                       `json:"priority,omitempty"`
-	DNSConfig                     *PodDNSConfigApplyConfiguration              `json:"dnsConfig,omitempty"`
-	ReadinessGates                []PodReadinessGateApplyConfiguration         `json:"readinessGates,omitempty"`
-	RuntimeClassName              *string                                      `json:"runtimeClassName,omitempty"`
-	EnableServiceLinks            *bool                                        `json:"enableServiceLinks,omitempty"`
-	PreemptionPolicy              *corev1.PreemptionPolicy                     `json:"preemptionPolicy,omitempty"`
-	Overhead                      *corev1.ResourceList                         `json:"overhead,omitempty"`
-	TopologySpreadConstraints     []TopologySpreadConstraintApplyConfiguration `json:"topologySpreadConstraints,omitempty"`
-	SetHostnameAsFQDN             *bool                                        `json:"setHostnameAsFQDN,omitempty"`
-	OS                            *PodOSApplyConfiguration                     `json:"os,omitempty"`
-	HostUsers                     *bool                                        `json:"hostUsers,omitempty"`
-	SchedulingGates               []PodSchedulingGateApplyConfiguration        `json:"schedulingGates,omitempty"`
-	ResourceClaims                []PodResourceClaimApplyConfiguration         `json:"resourceClaims,omitempty"`
-	Resources                     *ResourceRequirementsApplyConfiguration      `json:"resources,omitempty"`
-	HostnameOverride              *string                                      `json:"hostnameOverride,omitempty"`
+	// List of volumes that can be mounted by containers belonging to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes
+	Volumes []VolumeApplyConfiguration `json:"volumes,omitempty"`
+	// List of initialization containers belonging to the pod.
+	// Init containers are executed in order prior to containers being started. If any
+	// init container fails, the pod is considered to have failed and is handled according
+	// to its restartPolicy. The name for an init container or normal container must be
+	// unique among all containers.
+	// Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes.
+	// The resourceRequirements of an init container are taken into account during scheduling
+	// by finding the highest request/limit for each resource type, and then using the max of
+	// that value or the sum of the normal containers. Limits are applied to init containers
+	// in a similar fashion.
+	// Init containers cannot currently be added or removed.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+	InitContainers []ContainerApplyConfiguration `json:"initContainers,omitempty"`
+	// List of containers belonging to the pod.
+	// Containers cannot currently be added or removed.
+	// There must be at least one container in a Pod.
+	// Cannot be updated.
+	Containers []ContainerApplyConfiguration `json:"containers,omitempty"`
+	// List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing
+	// pod to perform user-initiated actions such as debugging. This list cannot be specified when
+	// creating a pod, and it cannot be modified by updating the pod spec. In order to add an
+	// ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.
+	EphemeralContainers []EphemeralContainerApplyConfiguration `json:"ephemeralContainers,omitempty"`
+	// Restart policy for all containers within the pod.
+	// One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted.
+	// Default to Always.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
+	RestartPolicy *corev1.RestartPolicy `json:"restartPolicy,omitempty"`
+	// Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
+	// Value must be non-negative integer. The value zero indicates stop immediately via
+	// the kill signal (no opportunity to shut down).
+	// If this value is nil, the default grace period will be used instead.
+	// The grace period is the duration in seconds after the processes running in the pod are sent
+	// a termination signal and the time when the processes are forcibly halted with a kill signal.
+	// Set this value longer than the expected cleanup time for your process.
+	// Defaults to 30 seconds.
+	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
+	// Optional duration in seconds the pod may be active on the node relative to
+	// StartTime before the system will actively try to mark it failed and kill associated containers.
+	// Value must be a positive integer.
+	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty"`
+	// Set DNS policy for the pod.
+	// Defaults to "ClusterFirst".
+	// Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'.
+	// DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy.
+	// To have DNS options set along with hostNetwork, you have to specify DNS policy
+	// explicitly to 'ClusterFirstWithHostNet'.
+	DNSPolicy *corev1.DNSPolicy `json:"dnsPolicy,omitempty"`
+	// NodeSelector is a selector which must be true for the pod to fit on a node.
+	// Selector which must match a node's labels for the pod to be scheduled on that node.
+	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// ServiceAccountName is the name of the ServiceAccount to use to run this pod.
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
+	// DeprecatedServiceAccount is a deprecated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	DeprecatedServiceAccount *string `json:"serviceAccount,omitempty"`
+	// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
+	// NodeName indicates in which node this pod is scheduled.
+	// If empty, this pod is a candidate for scheduling by the scheduler defined in schedulerName.
+	// Once this field is set, the kubelet for this node becomes responsible for the lifecycle of this pod.
+	// This field should not be used to express a desire for the pod to be scheduled on a specific node.
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename
+	NodeName *string `json:"nodeName,omitempty"`
+	// Host networking requested for this pod. Use the host's network namespace.
+	// When using HostNetwork you should specify ports so the scheduler is aware.
+	// When `hostNetwork` is true, specified `hostPort` fields in port definitions must match `containerPort`,
+	// and unspecified `hostPort` fields in port definitions are defaulted to match `containerPort`.
+	// Default to false.
+	HostNetwork *bool `json:"hostNetwork,omitempty"`
+	// Use the host's pid namespace.
+	// Optional: Default to false.
+	HostPID *bool `json:"hostPID,omitempty"`
+	// Use the host's ipc namespace.
+	// Optional: Default to false.
+	HostIPC *bool `json:"hostIPC,omitempty"`
+	// Share a single process namespace between all of the containers in a pod.
+	// When this is set containers will be able to view and signal processes from other containers
+	// in the same pod, and the first process in each container will not be assigned PID 1.
+	// HostPID and ShareProcessNamespace cannot both be set.
+	// Optional: Default to false.
+	ShareProcessNamespace *bool `json:"shareProcessNamespace,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	SecurityContext *PodSecurityContextApplyConfiguration `json:"securityContext,omitempty"`
+	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
+	// If specified, these secrets will be passed to individual puller implementations for them to use.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+	ImagePullSecrets []LocalObjectReferenceApplyConfiguration `json:"imagePullSecrets,omitempty"`
+	// Specifies the hostname of the Pod
+	// If not specified, the pod's hostname will be set to a system-defined value.
+	Hostname *string `json:"hostname,omitempty"`
+	// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
+	// If not specified, the pod will not have a domainname at all.
+	Subdomain *string `json:"subdomain,omitempty"`
+	// If specified, the pod's scheduling constraints
+	Affinity *AffinityApplyConfiguration `json:"affinity,omitempty"`
+	// If specified, the pod will be dispatched by specified scheduler.
+	// If not specified, the pod will be dispatched by default scheduler.
+	SchedulerName *string `json:"schedulerName,omitempty"`
+	// If specified, the pod's tolerations.
+	Tolerations []TolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
+	// file if specified.
+	HostAliases []HostAliasApplyConfiguration `json:"hostAliases,omitempty"`
+	// If specified, indicates the pod's priority. "system-node-critical" and
+	// "system-cluster-critical" are two special keywords which indicate the
+	// highest priorities with the former being the highest priority. Any other
+	// name must be defined by creating a PriorityClass object with that name.
+	// If not specified, the pod priority will be default or zero if there is no
+	// default.
+	PriorityClassName *string `json:"priorityClassName,omitempty"`
+	// The priority value. Various system components use this field to find the
+	// priority of the pod. When Priority Admission Controller is enabled, it
+	// prevents users from setting this field. The admission controller populates
+	// this field from PriorityClassName.
+	// The higher the value, the higher the priority.
+	Priority *int32 `json:"priority,omitempty"`
+	// Specifies the DNS parameters of a pod.
+	// Parameters specified here will be merged to the generated DNS
+	// configuration based on DNSPolicy.
+	DNSConfig *PodDNSConfigApplyConfiguration `json:"dnsConfig,omitempty"`
+	// If specified, all readiness gates will be evaluated for pod readiness.
+	// A pod is ready when all its containers are ready AND
+	// all conditions specified in the readiness gates have status equal to "True"
+	// More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates
+	ReadinessGates []PodReadinessGateApplyConfiguration `json:"readinessGates,omitempty"`
+	// RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used
+	// to run this pod.  If no RuntimeClass resource matches the named class, the pod will not be run.
+	// If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an
+	// empty definition that uses the default runtime handler.
+	// More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
+	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
+	// EnableServiceLinks indicates whether information about services should be injected into pod's
+	// environment variables, matching the syntax of Docker links.
+	// Optional: Defaults to true.
+	EnableServiceLinks *bool `json:"enableServiceLinks,omitempty"`
+	// PreemptionPolicy is the Policy for preempting pods with lower priority.
+	// One of Never, PreemptLowerPriority.
+	// Defaults to PreemptLowerPriority if unset.
+	PreemptionPolicy *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
+	// Overhead represents the resource overhead associated with running a pod for a given RuntimeClass.
+	// This field will be autopopulated at admission time by the RuntimeClass admission controller. If
+	// the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests.
+	// The RuntimeClass admission controller will reject Pod create requests which have the overhead already
+	// set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value
+	// defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero.
+	// More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
+	Overhead *corev1.ResourceList `json:"overhead,omitempty"`
+	// TopologySpreadConstraints describes how a group of pods ought to spread across topology
+	// domains. Scheduler will schedule pods in a way which abides by the constraints.
+	// All topologySpreadConstraints are ANDed.
+	TopologySpreadConstraints []TopologySpreadConstraintApplyConfiguration `json:"topologySpreadConstraints,omitempty"`
+	// If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default).
+	// In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname).
+	// In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN.
+	// If a pod does not have FQDN, this has no effect.
+	// Default to false.
+	SetHostnameAsFQDN *bool `json:"setHostnameAsFQDN,omitempty"`
+	// Specifies the OS of the containers in the pod.
+	// Some pod and container fields are restricted if this is set.
+	//
+	// If the OS field is set to linux, the following fields must be unset:
+	// -securityContext.windowsOptions
+	//
+	// If the OS field is set to windows, following fields must be unset:
+	// - spec.hostPID
+	// - spec.hostIPC
+	// - spec.hostUsers
+	// - spec.resources
+	// - spec.securityContext.appArmorProfile
+	// - spec.securityContext.seLinuxOptions
+	// - spec.securityContext.seccompProfile
+	// - spec.securityContext.fsGroup
+	// - spec.securityContext.fsGroupChangePolicy
+	// - spec.securityContext.sysctls
+	// - spec.shareProcessNamespace
+	// - spec.securityContext.runAsUser
+	// - spec.securityContext.runAsGroup
+	// - spec.securityContext.supplementalGroups
+	// - spec.securityContext.supplementalGroupsPolicy
+	// - spec.containers[*].securityContext.appArmorProfile
+	// - spec.containers[*].securityContext.seLinuxOptions
+	// - spec.containers[*].securityContext.seccompProfile
+	// - spec.containers[*].securityContext.capabilities
+	// - spec.containers[*].securityContext.readOnlyRootFilesystem
+	// - spec.containers[*].securityContext.privileged
+	// - spec.containers[*].securityContext.allowPrivilegeEscalation
+	// - spec.containers[*].securityContext.procMount
+	// - spec.containers[*].securityContext.runAsUser
+	// - spec.containers[*].securityContext.runAsGroup
+	OS *PodOSApplyConfiguration `json:"os,omitempty"`
+	// Use the host's user namespace.
+	// Optional: Default to true.
+	// If set to true or not present, the pod will be run in the host user namespace, useful
+	// for when the pod needs a feature only available to the host user namespace, such as
+	// loading a kernel module with CAP_SYS_MODULE.
+	// When set to false, a new userns is created for the pod. Setting false is useful for
+	// mitigating container breakout vulnerabilities even allowing users to run their
+	// containers as root without actually having root privileges on the host.
+	// This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.
+	HostUsers *bool `json:"hostUsers,omitempty"`
+	// SchedulingGates is an opaque list of values that if specified will block scheduling the pod.
+	// If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the
+	// scheduler will not attempt to schedule the pod.
+	//
+	// SchedulingGates can only be set at pod creation time, and be removed only afterwards.
+	SchedulingGates []PodSchedulingGateApplyConfiguration `json:"schedulingGates,omitempty"`
+	// ResourceClaims defines which ResourceClaims must be allocated
+	// and reserved before the Pod is allowed to start. The resources
+	// will be made available to those containers which consume them
+	// by name.
+	//
+	// This is a stable field but requires that the
+	// DynamicResourceAllocation feature gate is enabled.
+	//
+	// This field is immutable.
+	ResourceClaims []PodResourceClaimApplyConfiguration `json:"resourceClaims,omitempty"`
+	// Resources is the total amount of CPU and Memory resources required by all
+	// containers in the pod. It supports specifying Requests and Limits for
+	// "cpu", "memory" and "hugepages-" resource names only. ResourceClaims are not supported.
+	//
+	// This field enables fine-grained control over resource allocation for the
+	// entire pod, allowing resource sharing among containers in a pod.
+	// TODO: For beta graduation, expand this comment with a detailed explanation.
+	//
+	// This is an alpha field and requires enabling the PodLevelResources feature
+	// gate.
+	Resources *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
+	// HostnameOverride specifies an explicit override for the pod's hostname as perceived by the pod.
+	// This field only specifies the pod's hostname and does not affect its DNS records.
+	// When this field is set to a non-empty string:
+	// - It takes precedence over the values set in `hostname` and `subdomain`.
+	// - The Pod's hostname will be set to this value.
+	// - `setHostnameAsFQDN` must be nil or set to false.
+	// - `hostNetwork` must be set to false.
+	//
+	// This field must be a valid DNS subdomain as defined in RFC 1123 and contain at most 64 characters.
+	// Requires the HostnameOverride feature gate to be enabled.
+	HostnameOverride *string `json:"hostnameOverride,omitempty"`
+	// WorkloadRef provides a reference to the Workload object that this Pod belongs to.
+	// This field is used by the scheduler to identify the PodGroup and apply the
+	// correct group scheduling policies. The Workload object referenced
+	// by this field may not exist at the time the Pod is created.
+	// This field is immutable, but a Workload object with the same name
+	// may be recreated with different policies. Doing this during pod scheduling
+	// may result in the placement not conforming to the expected policies.
+	WorkloadRef *WorkloadReferenceApplyConfiguration `json:"workloadRef,omitempty"`
 }
 
 // PodSpecApplyConfiguration constructs a declarative configuration of the PodSpec type for use with
@@ -462,3 +677,11 @@ func (b *PodSpecApplyConfiguration) WithHostnameOverride(value string) *PodSpecA
 	b.HostnameOverride = &value
 	return b
 }
+
+// WithWorkloadRef sets the WorkloadRef field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the WorkloadRef field is set to the value of the last call.
+func (b *PodSpecApplyConfiguration) WithWorkloadRef(value *WorkloadReferenceApplyConfiguration) *PodSpecApplyConfiguration {
+	b.WorkloadRef = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podstatus.go
index 4e64342027f5e..e50ca9335e880 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podstatus.go
@@ -25,25 +25,120 @@ import (
 
 // PodStatusApplyConfiguration represents a declarative configuration of the PodStatus type for use
 // with apply.
+//
+// PodStatus represents information about the status of a pod. Status may trail the actual
+// state of a system, especially if the node that hosts the pod cannot contact the control
+// plane.
 type PodStatusApplyConfiguration struct {
-	ObservedGeneration          *int64                                            `json:"observedGeneration,omitempty"`
-	Phase                       *corev1.PodPhase                                  `json:"phase,omitempty"`
-	Conditions                  []PodConditionApplyConfiguration                  `json:"conditions,omitempty"`
-	Message                     *string                                           `json:"message,omitempty"`
-	Reason                      *string                                           `json:"reason,omitempty"`
-	NominatedNodeName           *string                                           `json:"nominatedNodeName,omitempty"`
-	HostIP                      *string                                           `json:"hostIP,omitempty"`
-	HostIPs                     []HostIPApplyConfiguration                        `json:"hostIPs,omitempty"`
-	PodIP                       *string                                           `json:"podIP,omitempty"`
-	PodIPs                      []PodIPApplyConfiguration                         `json:"podIPs,omitempty"`
-	StartTime                   *metav1.Time                                      `json:"startTime,omitempty"`
-	InitContainerStatuses       []ContainerStatusApplyConfiguration               `json:"initContainerStatuses,omitempty"`
-	ContainerStatuses           []ContainerStatusApplyConfiguration               `json:"containerStatuses,omitempty"`
-	QOSClass                    *corev1.PodQOSClass                               `json:"qosClass,omitempty"`
-	EphemeralContainerStatuses  []ContainerStatusApplyConfiguration               `json:"ephemeralContainerStatuses,omitempty"`
-	Resize                      *corev1.PodResizeStatus                           `json:"resize,omitempty"`
-	ResourceClaimStatuses       []PodResourceClaimStatusApplyConfiguration        `json:"resourceClaimStatuses,omitempty"`
+	// If set, this represents the .metadata.generation that the pod status was set based upon.
+	// The PodObservedGenerationTracking feature gate must be enabled to use this field.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle.
+	// The conditions array, the reason and message fields, and the individual container status
+	// arrays contain more detail about the pod's status.
+	// There are five possible phase values:
+	//
+	// Pending: The pod has been accepted by the Kubernetes system, but one or more of the
+	// container images has not been created. This includes time before being scheduled as
+	// well as time spent downloading images over the network, which could take a while.
+	// Running: The pod has been bound to a node, and all of the containers have been created.
+	// At least one container is still running, or is in the process of starting or restarting.
+	// Succeeded: All containers in the pod have terminated in success, and will not be restarted.
+	// Failed: All containers in the pod have terminated, and at least one container has
+	// terminated in failure. The container either exited with non-zero status or was terminated
+	// by the system.
+	// Unknown: For some reason the state of the pod could not be obtained, typically due to an
+	// error in communicating with the host of the pod.
+	//
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase
+	Phase *corev1.PodPhase `json:"phase,omitempty"`
+	// Current service state of pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	Conditions []PodConditionApplyConfiguration `json:"conditions,omitempty"`
+	// A human readable message indicating details about why the pod is in this condition.
+	Message *string `json:"message,omitempty"`
+	// A brief CamelCase message indicating details about why the pod is in this state.
+	// e.g. 'Evicted'
+	Reason *string `json:"reason,omitempty"`
+	// nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be
+	// scheduled right away as preemption victims receive their graceful termination periods.
+	// This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide
+	// to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to
+	// give the resources on this node to a higher priority pod that is created after preemption.
+	// As a result, this field may be different than PodSpec.nodeName when the pod is
+	// scheduled.
+	NominatedNodeName *string `json:"nominatedNodeName,omitempty"`
+	// hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet.
+	// A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will
+	// not be updated even if there is a node is assigned to pod
+	HostIP *string `json:"hostIP,omitempty"`
+	// hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must
+	// match the hostIP field. This list is empty if the pod has not started yet.
+	// A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will
+	// not be updated even if there is a node is assigned to this pod.
+	HostIPs []HostIPApplyConfiguration `json:"hostIPs,omitempty"`
+	// podIP address allocated to the pod. Routable at least within the cluster.
+	// Empty if not yet allocated.
+	PodIP *string `json:"podIP,omitempty"`
+	// podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must
+	// match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list
+	// is empty if no IPs have been allocated yet.
+	PodIPs []PodIPApplyConfiguration `json:"podIPs,omitempty"`
+	// RFC 3339 date and time at which the object was acknowledged by the Kubelet.
+	// This is before the Kubelet pulled the container image(s) for the pod.
+	StartTime *metav1.Time `json:"startTime,omitempty"`
+	// Statuses of init containers in this pod. The most recent successful non-restartable
+	// init container will have ready = true, the most recently started container will have
+	// startTime set.
+	// Each init container in the pod should have at most one status in this list,
+	// and all statuses should be for containers in the pod.
+	// However this is not enforced.
+	// If a status for a non-existent container is present in the list, or the list has duplicate names,
+	// the behavior of various Kubernetes components is not defined and those statuses might be
+	// ignored.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status
+	InitContainerStatuses []ContainerStatusApplyConfiguration `json:"initContainerStatuses,omitempty"`
+	// Statuses of containers in this pod.
+	// Each container in the pod should have at most one status in this list,
+	// and all statuses should be for containers in the pod.
+	// However this is not enforced.
+	// If a status for a non-existent container is present in the list, or the list has duplicate names,
+	// the behavior of various Kubernetes components is not defined and those statuses might be
+	// ignored.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+	ContainerStatuses []ContainerStatusApplyConfiguration `json:"containerStatuses,omitempty"`
+	// The Quality of Service (QOS) classification assigned to the pod based on resource requirements
+	// See PodQOSClass type for available QOS classes
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes
+	QOSClass *corev1.PodQOSClass `json:"qosClass,omitempty"`
+	// Statuses for any ephemeral containers that have run in this pod.
+	// Each ephemeral container in the pod should have at most one status in this list,
+	// and all statuses should be for containers in the pod.
+	// However this is not enforced.
+	// If a status for a non-existent container is present in the list, or the list has duplicate names,
+	// the behavior of various Kubernetes components is not defined and those statuses might be
+	// ignored.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+	EphemeralContainerStatuses []ContainerStatusApplyConfiguration `json:"ephemeralContainerStatuses,omitempty"`
+	// Status of resources resize desired for pod's containers.
+	// It is empty if no resources resize is pending.
+	// Any changes to container resources will automatically set this to "Proposed"
+	// Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress.
+	// PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources.
+	// PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.
+	Resize *corev1.PodResizeStatus `json:"resize,omitempty"`
+	// Status of resource claims.
+	ResourceClaimStatuses []PodResourceClaimStatusApplyConfiguration `json:"resourceClaimStatuses,omitempty"`
+	// Status of extended resource claim backed by DRA.
 	ExtendedResourceClaimStatus *PodExtendedResourceClaimStatusApplyConfiguration `json:"extendedResourceClaimStatus,omitempty"`
+	// AllocatedResources is the total requests allocated for this pod by the node.
+	// If pod-level requests are not set, this will be the total requests aggregated
+	// across containers in the pod.
+	AllocatedResources *corev1.ResourceList `json:"allocatedResources,omitempty"`
+	// Resources represents the compute resource requests and limits that have been
+	// applied at the pod level if pod-level requests or limits are set in
+	// PodSpec.Resources
+	Resources *ResourceRequirementsApplyConfiguration `json:"resources,omitempty"`
 }
 
 // PodStatusApplyConfiguration constructs a declarative configuration of the PodStatus type for use with
@@ -230,3 +325,19 @@ func (b *PodStatusApplyConfiguration) WithExtendedResourceClaimStatus(value *Pod
 	b.ExtendedResourceClaimStatus = value
 	return b
 }
+
+// WithAllocatedResources sets the AllocatedResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the AllocatedResources field is set to the value of the last call.
+func (b *PodStatusApplyConfiguration) WithAllocatedResources(value corev1.ResourceList) *PodStatusApplyConfiguration {
+	b.AllocatedResources = &value
+	return b
+}
+
+// WithResources sets the Resources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resources field is set to the value of the last call.
+func (b *PodStatusApplyConfiguration) WithResources(value *ResourceRequirementsApplyConfiguration) *PodStatusApplyConfiguration {
+	b.Resources = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplate.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplate.go
index e723125f2e357..a4a2e300e472c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplate.go
@@ -29,10 +29,16 @@ import (
 
 // PodTemplateApplyConfiguration represents a declarative configuration of the PodTemplate type for use
 // with apply.
+//
+// PodTemplate describes a template for creating copies of a predefined pod.
 type PodTemplateApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Template                             *PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Template defines the pods that will be created from this pod template.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Template *PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }
 
 // PodTemplate constructs a declarative configuration of the PodTemplate type for use with
@@ -46,29 +52,14 @@ func PodTemplate(name, namespace string) *PodTemplateApplyConfiguration {
 	return b
 }
 
-// ExtractPodTemplate extracts the applied configuration owned by fieldManager from
-// podTemplate. If no managedFields are found in podTemplate for fieldManager, a
-// PodTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractPodTemplateFrom extracts the applied configuration owned by fieldManager from
+// podTemplate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // podTemplate must be a unmodified PodTemplate API object that was retrieved from the Kubernetes API.
-// ExtractPodTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractPodTemplateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractPodTemplate(podTemplate *corev1.PodTemplate, fieldManager string) (*PodTemplateApplyConfiguration, error) {
-	return extractPodTemplate(podTemplate, fieldManager, "")
-}
-
-// ExtractPodTemplateStatus is the same as ExtractPodTemplate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPodTemplateStatus(podTemplate *corev1.PodTemplate, fieldManager string) (*PodTemplateApplyConfiguration, error) {
-	return extractPodTemplate(podTemplate, fieldManager, "status")
-}
-
-func extractPodTemplate(podTemplate *corev1.PodTemplate, fieldManager string, subresource string) (*PodTemplateApplyConfiguration, error) {
+func ExtractPodTemplateFrom(podTemplate *corev1.PodTemplate, fieldManager string, subresource string) (*PodTemplateApplyConfiguration, error) {
 	b := &PodTemplateApplyConfiguration{}
 	err := managedfields.ExtractInto(podTemplate, internal.Parser().Type("io.k8s.api.core.v1.PodTemplate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractPodTemplate(podTemplate *corev1.PodTemplate, fieldManager string, su
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractPodTemplate extracts the applied configuration owned by fieldManager from
+// podTemplate. If no managedFields are found in podTemplate for fieldManager, a
+// PodTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// podTemplate must be a unmodified PodTemplate API object that was retrieved from the Kubernetes API.
+// ExtractPodTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodTemplate(podTemplate *corev1.PodTemplate, fieldManager string) (*PodTemplateApplyConfiguration, error) {
+	return ExtractPodTemplateFrom(podTemplate, fieldManager, "")
+}
+
 func (b PodTemplateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplatespec.go
index 9aa83092334f9..6e87db6279b9b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/podtemplatespec.go
@@ -26,9 +26,15 @@ import (
 
 // PodTemplateSpecApplyConfiguration represents a declarative configuration of the PodTemplateSpec type for use
 // with apply.
+//
+// PodTemplateSpec describes the data a pod should have when created from a template
 type PodTemplateSpecApplyConfiguration struct {
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PodSpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior of the pod.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PodSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // PodTemplateSpecApplyConfiguration constructs a declarative configuration of the PodTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portstatus.go
index eff8fc2acb089..8eb3634156e50 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portstatus.go
@@ -24,10 +24,23 @@ import (
 
 // PortStatusApplyConfiguration represents a declarative configuration of the PortStatus type for use
 // with apply.
+//
+// PortStatus represents the error condition of a service port
 type PortStatusApplyConfiguration struct {
-	Port     *int32           `json:"port,omitempty"`
+	// Port is the port number of the service port of which status is recorded here
+	Port *int32 `json:"port,omitempty"`
+	// Protocol is the protocol of the service port of which status is recorded here
+	// The supported values are: "TCP", "UDP", "SCTP"
 	Protocol *corev1.Protocol `json:"protocol,omitempty"`
-	Error    *string          `json:"error,omitempty"`
+	// Error is to record the problem with the service port
+	// The format of the error shall comply with the following rules:
+	// - built-in error values shall be specified in this file and those shall use
+	// CamelCase names
+	// - cloud provider specific error values must have names that comply with the
+	// format foo.example.com/CamelCase.
+	// ---
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	Error *string `json:"error,omitempty"`
 }
 
 // PortStatusApplyConfiguration constructs a declarative configuration of the PortStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portworxvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portworxvolumesource.go
index 29715e0219223..56948168de92e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portworxvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/portworxvolumesource.go
@@ -20,10 +20,18 @@ package v1
 
 // PortworxVolumeSourceApplyConfiguration represents a declarative configuration of the PortworxVolumeSource type for use
 // with apply.
+//
+// PortworxVolumeSource represents a Portworx volume resource.
 type PortworxVolumeSourceApplyConfiguration struct {
+	// volumeID uniquely identifies a Portworx volume
 	VolumeID *string `json:"volumeID,omitempty"`
-	FSType   *string `json:"fsType,omitempty"`
-	ReadOnly *bool   `json:"readOnly,omitempty"`
+	// fSType represents the filesystem type to mount
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // PortworxVolumeSourceApplyConfiguration constructs a declarative configuration of the PortworxVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/preferredschedulingterm.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/preferredschedulingterm.go
index b88a3646fc5fb..db8d15123791b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/preferredschedulingterm.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/preferredschedulingterm.go
@@ -20,8 +20,13 @@ package v1
 
 // PreferredSchedulingTermApplyConfiguration represents a declarative configuration of the PreferredSchedulingTerm type for use
 // with apply.
+//
+// An empty preferred scheduling term matches all objects with implicit weight 0
+// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
 type PreferredSchedulingTermApplyConfiguration struct {
-	Weight     *int32                              `json:"weight,omitempty"`
+	// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+	Weight *int32 `json:"weight,omitempty"`
+	// A node selector term, associated with the corresponding weight.
 	Preference *NodeSelectorTermApplyConfiguration `json:"preference,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probe.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probe.go
index d6c654689b920..e6b3ddd7c5faa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probe.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probe.go
@@ -20,14 +20,39 @@ package v1
 
 // ProbeApplyConfiguration represents a declarative configuration of the Probe type for use
 // with apply.
+//
+// Probe describes a health check to be performed against a container to determine whether it is
+// alive or ready to receive traffic.
 type ProbeApplyConfiguration struct {
+	// The action taken to determine the health of a container
 	ProbeHandlerApplyConfiguration `json:",inline"`
-	InitialDelaySeconds            *int32 `json:"initialDelaySeconds,omitempty"`
-	TimeoutSeconds                 *int32 `json:"timeoutSeconds,omitempty"`
-	PeriodSeconds                  *int32 `json:"periodSeconds,omitempty"`
-	SuccessThreshold               *int32 `json:"successThreshold,omitempty"`
-	FailureThreshold               *int32 `json:"failureThreshold,omitempty"`
-	TerminationGracePeriodSeconds  *int64 `json:"terminationGracePeriodSeconds,omitempty"`
+	// Number of seconds after the container has started before liveness probes are initiated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	InitialDelaySeconds *int32 `json:"initialDelaySeconds,omitempty"`
+	// Number of seconds after which the probe times out.
+	// Defaults to 1 second. Minimum value is 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
+	// How often (in seconds) to perform the probe.
+	// Default to 10 seconds. Minimum value is 1.
+	PeriodSeconds *int32 `json:"periodSeconds,omitempty"`
+	// Minimum consecutive successes for the probe to be considered successful after having failed.
+	// Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+	SuccessThreshold *int32 `json:"successThreshold,omitempty"`
+	// Minimum consecutive failures for the probe to be considered failed after having succeeded.
+	// Defaults to 3. Minimum value is 1.
+	FailureThreshold *int32 `json:"failureThreshold,omitempty"`
+	// Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+	// The grace period is the duration in seconds after the processes running in the pod are sent
+	// a termination signal and the time when the processes are forcibly halted with a kill signal.
+	// Set this value longer than the expected cleanup time for your process.
+	// If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+	// value overrides the value provided by the pod spec.
+	// Value must be non-negative integer. The value zero indicates stop immediately via
+	// the kill signal (no opportunity to shut down).
+	// This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+	// Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 }
 
 // ProbeApplyConfiguration constructs a declarative configuration of the Probe type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probehandler.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probehandler.go
index 1f88745eabfd2..58fce86075564 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probehandler.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/probehandler.go
@@ -20,11 +20,18 @@ package v1
 
 // ProbeHandlerApplyConfiguration represents a declarative configuration of the ProbeHandler type for use
 // with apply.
+//
+// ProbeHandler defines a specific action that should be taken in a probe.
+// One and only one of the fields must be specified.
 type ProbeHandlerApplyConfiguration struct {
-	Exec      *ExecActionApplyConfiguration      `json:"exec,omitempty"`
-	HTTPGet   *HTTPGetActionApplyConfiguration   `json:"httpGet,omitempty"`
+	// Exec specifies a command to execute in the container.
+	Exec *ExecActionApplyConfiguration `json:"exec,omitempty"`
+	// HTTPGet specifies an HTTP GET request to perform.
+	HTTPGet *HTTPGetActionApplyConfiguration `json:"httpGet,omitempty"`
+	// TCPSocket specifies a connection to a TCP port.
 	TCPSocket *TCPSocketActionApplyConfiguration `json:"tcpSocket,omitempty"`
-	GRPC      *GRPCActionApplyConfiguration      `json:"grpc,omitempty"`
+	// GRPC specifies a GRPC HealthCheckRequest.
+	GRPC *GRPCActionApplyConfiguration `json:"grpc,omitempty"`
 }
 
 // ProbeHandlerApplyConfiguration constructs a declarative configuration of the ProbeHandler type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/projectedvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/projectedvolumesource.go
index c922ec8cc2820..a17e4d1dfc056 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/projectedvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/projectedvolumesource.go
@@ -20,9 +20,19 @@ package v1
 
 // ProjectedVolumeSourceApplyConfiguration represents a declarative configuration of the ProjectedVolumeSource type for use
 // with apply.
+//
+// Represents a projected volume source
 type ProjectedVolumeSourceApplyConfiguration struct {
-	Sources     []VolumeProjectionApplyConfiguration `json:"sources,omitempty"`
-	DefaultMode *int32                               `json:"defaultMode,omitempty"`
+	// sources is the list of volume projections. Each entry in this list
+	// handles one source.
+	Sources []VolumeProjectionApplyConfiguration `json:"sources,omitempty"`
+	// defaultMode are the mode bits used to set permissions on created files by default.
+	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	DefaultMode *int32 `json:"defaultMode,omitempty"`
 }
 
 // ProjectedVolumeSourceApplyConfiguration constructs a declarative configuration of the ProjectedVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/quobytevolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/quobytevolumesource.go
index 9a042a0a12dd1..b9ac1ba0d0fcd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/quobytevolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/quobytevolumesource.go
@@ -20,13 +20,28 @@ package v1
 
 // QuobyteVolumeSourceApplyConfiguration represents a declarative configuration of the QuobyteVolumeSource type for use
 // with apply.
+//
+// Represents a Quobyte mount that lasts the lifetime of a pod.
+// Quobyte volumes do not support ownership management or SELinux relabeling.
 type QuobyteVolumeSourceApplyConfiguration struct {
+	// registry represents a single or multiple Quobyte Registry services
+	// specified as a string as host:port pair (multiple entries are separated with commas)
+	// which acts as the central registry for volumes
 	Registry *string `json:"registry,omitempty"`
-	Volume   *string `json:"volume,omitempty"`
-	ReadOnly *bool   `json:"readOnly,omitempty"`
-	User     *string `json:"user,omitempty"`
-	Group    *string `json:"group,omitempty"`
-	Tenant   *string `json:"tenant,omitempty"`
+	// volume is a string that references an already created Quobyte volume by name.
+	Volume *string `json:"volume,omitempty"`
+	// readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+	// Defaults to false.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// user to map volume access to
+	// Defaults to serivceaccount user
+	User *string `json:"user,omitempty"`
+	// group to map volume access to
+	// Default is no group
+	Group *string `json:"group,omitempty"`
+	// tenant owning the given Quobyte volume in the Backend
+	// Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+	Tenant *string `json:"tenant,omitempty"`
 }
 
 // QuobyteVolumeSourceApplyConfiguration constructs a declarative configuration of the QuobyteVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdpersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdpersistentvolumesource.go
index 64f25724a36e4..e1f0960e50e34 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdpersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdpersistentvolumesource.go
@@ -20,15 +20,43 @@ package v1
 
 // RBDPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the RBDPersistentVolumeSource type for use
 // with apply.
+//
+// Represents a Rados Block Device mount that lasts the lifetime of a pod.
+// RBD volumes support ownership management and SELinux relabeling.
 type RBDPersistentVolumeSourceApplyConfiguration struct {
-	CephMonitors []string                           `json:"monitors,omitempty"`
-	RBDImage     *string                            `json:"image,omitempty"`
-	FSType       *string                            `json:"fsType,omitempty"`
-	RBDPool      *string                            `json:"pool,omitempty"`
-	RadosUser    *string                            `json:"user,omitempty"`
-	Keyring      *string                            `json:"keyring,omitempty"`
-	SecretRef    *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly     *bool                              `json:"readOnly,omitempty"`
+	// monitors is a collection of Ceph monitors.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	CephMonitors []string `json:"monitors,omitempty"`
+	// image is the rados image name.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RBDImage *string `json:"image,omitempty"`
+	// fsType is the filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// pool is the rados pool name.
+	// Default is rbd.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RBDPool *string `json:"pool,omitempty"`
+	// user is the rados user name.
+	// Default is admin.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RadosUser *string `json:"user,omitempty"`
+	// keyring is the path to key ring for RBDUser.
+	// Default is /etc/ceph/keyring.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	Keyring *string `json:"keyring,omitempty"`
+	// secretRef is name of the authentication secret for RBDUser. If provided
+	// overrides keyring.
+	// Default is nil.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// readOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // RBDPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the RBDPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdvolumesource.go
index 8dae198c09c41..907bcedb0c36c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/rbdvolumesource.go
@@ -20,15 +20,43 @@ package v1
 
 // RBDVolumeSourceApplyConfiguration represents a declarative configuration of the RBDVolumeSource type for use
 // with apply.
+//
+// Represents a Rados Block Device mount that lasts the lifetime of a pod.
+// RBD volumes support ownership management and SELinux relabeling.
 type RBDVolumeSourceApplyConfiguration struct {
-	CephMonitors []string                                `json:"monitors,omitempty"`
-	RBDImage     *string                                 `json:"image,omitempty"`
-	FSType       *string                                 `json:"fsType,omitempty"`
-	RBDPool      *string                                 `json:"pool,omitempty"`
-	RadosUser    *string                                 `json:"user,omitempty"`
-	Keyring      *string                                 `json:"keyring,omitempty"`
-	SecretRef    *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	ReadOnly     *bool                                   `json:"readOnly,omitempty"`
+	// monitors is a collection of Ceph monitors.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	CephMonitors []string `json:"monitors,omitempty"`
+	// image is the rados image name.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RBDImage *string `json:"image,omitempty"`
+	// fsType is the filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	FSType *string `json:"fsType,omitempty"`
+	// pool is the rados pool name.
+	// Default is rbd.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RBDPool *string `json:"pool,omitempty"`
+	// user is the rados user name.
+	// Default is admin.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	RadosUser *string `json:"user,omitempty"`
+	// keyring is the path to key ring for RBDUser.
+	// Default is /etc/ceph/keyring.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	Keyring *string `json:"keyring,omitempty"`
+	// secretRef is name of the authentication secret for RBDUser. If provided
+	// overrides keyring.
+	// Default is nil.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// readOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // RBDVolumeSourceApplyConfiguration constructs a declarative configuration of the RBDVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontroller.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontroller.go
index 6b06c2907c079..a6416c4b77c19 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontroller.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontroller.go
@@ -29,11 +29,23 @@ import (
 
 // ReplicationControllerApplyConfiguration represents a declarative configuration of the ReplicationController type for use
 // with apply.
+//
+// ReplicationController represents the configuration of a replication controller.
 type ReplicationControllerApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// If the Labels of a ReplicationController are empty, they are defaulted to
+	// be the same as the Pod(s) that the replication controller manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ReplicationControllerSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ReplicationControllerStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the replication controller.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicationControllerSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the replication controller.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicationControllerStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ReplicationController constructs a declarative configuration of the ReplicationController type for use with
@@ -47,6 +59,27 @@ func ReplicationController(name, namespace string) *ReplicationControllerApplyCo
 	return b
 }
 
+// ExtractReplicationControllerFrom extracts the applied configuration owned by fieldManager from
+// replicationController for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// replicationController must be a unmodified ReplicationController API object that was retrieved from the Kubernetes API.
+// ExtractReplicationControllerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicationControllerFrom(replicationController *corev1.ReplicationController, fieldManager string, subresource string) (*ReplicationControllerApplyConfiguration, error) {
+	b := &ReplicationControllerApplyConfiguration{}
+	err := managedfields.ExtractInto(replicationController, internal.Parser().Type("io.k8s.api.core.v1.ReplicationController"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(replicationController.Name)
+	b.WithNamespace(replicationController.Namespace)
+
+	b.WithKind("ReplicationController")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractReplicationController extracts the applied configuration owned by fieldManager from
 // replicationController. If no managedFields are found in replicationController for fieldManager, a
 // ReplicationControllerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +90,22 @@ func ReplicationController(name, namespace string) *ReplicationControllerApplyCo
 // ExtractReplicationController provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractReplicationController(replicationController *corev1.ReplicationController, fieldManager string) (*ReplicationControllerApplyConfiguration, error) {
-	return extractReplicationController(replicationController, fieldManager, "")
+	return ExtractReplicationControllerFrom(replicationController, fieldManager, "")
 }
 
-// ExtractReplicationControllerStatus is the same as ExtractReplicationController except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractReplicationControllerStatus(replicationController *corev1.ReplicationController, fieldManager string) (*ReplicationControllerApplyConfiguration, error) {
-	return extractReplicationController(replicationController, fieldManager, "status")
+// ExtractReplicationControllerScale extracts the applied configuration owned by fieldManager from
+// replicationController for the scale subresource.
+func ExtractReplicationControllerScale(replicationController *corev1.ReplicationController, fieldManager string) (*ReplicationControllerApplyConfiguration, error) {
+	return ExtractReplicationControllerFrom(replicationController, fieldManager, "scale")
 }
 
-func extractReplicationController(replicationController *corev1.ReplicationController, fieldManager string, subresource string) (*ReplicationControllerApplyConfiguration, error) {
-	b := &ReplicationControllerApplyConfiguration{}
-	err := managedfields.ExtractInto(replicationController, internal.Parser().Type("io.k8s.api.core.v1.ReplicationController"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(replicationController.Name)
-	b.WithNamespace(replicationController.Namespace)
-
-	b.WithKind("ReplicationController")
-	b.WithAPIVersion("v1")
-	return b, nil
+// ExtractReplicationControllerStatus extracts the applied configuration owned by fieldManager from
+// replicationController for the status subresource.
+func ExtractReplicationControllerStatus(replicationController *corev1.ReplicationController, fieldManager string) (*ReplicationControllerApplyConfiguration, error) {
+	return ExtractReplicationControllerFrom(replicationController, fieldManager, "status")
 }
+
 func (b ReplicationControllerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollercondition.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollercondition.go
index dfcecc0532134..728086853163f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollercondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollercondition.go
@@ -25,12 +25,19 @@ import (
 
 // ReplicationControllerConditionApplyConfiguration represents a declarative configuration of the ReplicationControllerCondition type for use
 // with apply.
+//
+// ReplicationControllerCondition describes the state of a replication controller at a certain point.
 type ReplicationControllerConditionApplyConfiguration struct {
-	Type               *corev1.ReplicationControllerConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus                    `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                    `json:"reason,omitempty"`
-	Message            *string                                    `json:"message,omitempty"`
+	// Type of replication controller condition.
+	Type *corev1.ReplicationControllerConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // ReplicationControllerConditionApplyConfiguration constructs a declarative configuration of the ReplicationControllerCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerspec.go
index 07bac9f4c92de..e556b8295c314 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerspec.go
@@ -20,11 +20,29 @@ package v1
 
 // ReplicationControllerSpecApplyConfiguration represents a declarative configuration of the ReplicationControllerSpec type for use
 // with apply.
+//
+// ReplicationControllerSpec is the specification of a replication controller.
 type ReplicationControllerSpecApplyConfiguration struct {
-	Replicas        *int32                             `json:"replicas,omitempty"`
-	MinReadySeconds *int32                             `json:"minReadySeconds,omitempty"`
-	Selector        map[string]string                  `json:"selector,omitempty"`
-	Template        *PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// Selector is a label query over pods that should match the Replicas count.
+	// If Selector is empty, it is defaulted to the labels present on the Pod template.
+	// Label keys and values that must match in order to be controlled by this replication
+	// controller, if empty defaulted to labels on Pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector map[string]string `json:"selector,omitempty"`
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. This takes precedence over a TemplateRef.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }
 
 // ReplicationControllerSpecApplyConfiguration constructs a declarative configuration of the ReplicationControllerSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerstatus.go
index c8046aa5a47d5..607d543fa0a64 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/replicationcontrollerstatus.go
@@ -20,13 +20,23 @@ package v1
 
 // ReplicationControllerStatusApplyConfiguration represents a declarative configuration of the ReplicationControllerStatus type for use
 // with apply.
+//
+// ReplicationControllerStatus represents the current status of a replication
+// controller.
 type ReplicationControllerStatusApplyConfiguration struct {
-	Replicas             *int32                                             `json:"replicas,omitempty"`
-	FullyLabeledReplicas *int32                                             `json:"fullyLabeledReplicas,omitempty"`
-	ReadyReplicas        *int32                                             `json:"readyReplicas,omitempty"`
-	AvailableReplicas    *int32                                             `json:"availableReplicas,omitempty"`
-	ObservedGeneration   *int64                                             `json:"observedGeneration,omitempty"`
-	Conditions           []ReplicationControllerConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+	Replicas *int32 `json:"replicas,omitempty"`
+	// The number of pods that have labels matching the labels of the pod template of the replication controller.
+	FullyLabeledReplicas *int32 `json:"fullyLabeledReplicas,omitempty"`
+	// The number of ready replicas for this replication controller.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// The number of available replicas (ready for at least minReadySeconds) for this replication controller.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// ObservedGeneration reflects the generation of the most recently observed replication controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Represents the latest available observations of a replication controller's current state.
+	Conditions []ReplicationControllerConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ReplicationControllerStatusApplyConfiguration constructs a declarative configuration of the ReplicationControllerStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourceclaim.go
index b00c692485785..1c283d013ca1f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourceclaim.go
@@ -20,8 +20,16 @@ package v1
 
 // ResourceClaimApplyConfiguration represents a declarative configuration of the ResourceClaim type for use
 // with apply.
+//
+// ResourceClaim references one entry in PodSpec.ResourceClaims.
 type ResourceClaimApplyConfiguration struct {
-	Name    *string `json:"name,omitempty"`
+	// Name must match the name of one entry in pod.spec.resourceClaims of
+	// the Pod where this field is used. It makes that resource available
+	// inside a container.
+	Name *string `json:"name,omitempty"`
+	// Request is the name chosen for a request in the referenced claim.
+	// If empty, everything from the claim is made available, otherwise
+	// only the result of this request.
 	Request *string `json:"request,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcefieldselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcefieldselector.go
index 1b4918a633f8e..ebff4d2b1829a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcefieldselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcefieldselector.go
@@ -24,10 +24,15 @@ import (
 
 // ResourceFieldSelectorApplyConfiguration represents a declarative configuration of the ResourceFieldSelector type for use
 // with apply.
+//
+// ResourceFieldSelector represents container resources (cpu, memory) and their output format
 type ResourceFieldSelectorApplyConfiguration struct {
-	ContainerName *string            `json:"containerName,omitempty"`
-	Resource      *string            `json:"resource,omitempty"`
-	Divisor       *resource.Quantity `json:"divisor,omitempty"`
+	// Container name: required for volumes, optional for env vars
+	ContainerName *string `json:"containerName,omitempty"`
+	// Required: resource to select
+	Resource *string `json:"resource,omitempty"`
+	// Specifies the output format of the exposed resources, defaults to "1"
+	Divisor *resource.Quantity `json:"divisor,omitempty"`
 }
 
 // ResourceFieldSelectorApplyConfiguration constructs a declarative configuration of the ResourceFieldSelector type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcehealth.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcehealth.go
index 0338780b3e72d..684153c49b464 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcehealth.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcehealth.go
@@ -24,9 +24,23 @@ import (
 
 // ResourceHealthApplyConfiguration represents a declarative configuration of the ResourceHealth type for use
 // with apply.
+//
+// ResourceHealth represents the health of a resource. It has the latest device health information.
+// This is a part of KEP https://kep.k8s.io/4680.
 type ResourceHealthApplyConfiguration struct {
-	ResourceID *corev1.ResourceID           `json:"resourceID,omitempty"`
-	Health     *corev1.ResourceHealthStatus `json:"health,omitempty"`
+	// ResourceID is the unique identifier of the resource. See the ResourceID type for more information.
+	ResourceID *corev1.ResourceID `json:"resourceID,omitempty"`
+	// Health of the resource.
+	// can be one of:
+	// - Healthy: operates as normal
+	// - Unhealthy: reported unhealthy. We consider this a temporary health issue
+	// since we do not have a mechanism today to distinguish
+	// temporary and permanent issues.
+	// - Unknown: The status cannot be determined.
+	// For example, Device Plugin got unregistered and hasn't been re-registered since.
+	//
+	// In future we may want to introduce the PermanentlyUnhealthy Status.
+	Health *corev1.ResourceHealthStatus `json:"health,omitempty"`
 }
 
 // ResourceHealthApplyConfiguration constructs a declarative configuration of the ResourceHealth type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequota.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequota.go
index 7abe77b29ec03..6489d2928d65d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequota.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequota.go
@@ -29,11 +29,19 @@ import (
 
 // ResourceQuotaApplyConfiguration represents a declarative configuration of the ResourceQuota type for use
 // with apply.
+//
+// ResourceQuota sets aggregate quota restrictions enforced per namespace
 type ResourceQuotaApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ResourceQuotaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ResourceQuotaStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the desired quota.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ResourceQuotaSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status defines the actual enforced quota and its current usage.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ResourceQuotaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ResourceQuota constructs a declarative configuration of the ResourceQuota type for use with
@@ -47,6 +55,27 @@ func ResourceQuota(name, namespace string) *ResourceQuotaApplyConfiguration {
 	return b
 }
 
+// ExtractResourceQuotaFrom extracts the applied configuration owned by fieldManager from
+// resourceQuota for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// resourceQuota must be a unmodified ResourceQuota API object that was retrieved from the Kubernetes API.
+// ExtractResourceQuotaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceQuotaFrom(resourceQuota *corev1.ResourceQuota, fieldManager string, subresource string) (*ResourceQuotaApplyConfiguration, error) {
+	b := &ResourceQuotaApplyConfiguration{}
+	err := managedfields.ExtractInto(resourceQuota, internal.Parser().Type("io.k8s.api.core.v1.ResourceQuota"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(resourceQuota.Name)
+	b.WithNamespace(resourceQuota.Namespace)
+
+	b.WithKind("ResourceQuota")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractResourceQuota extracts the applied configuration owned by fieldManager from
 // resourceQuota. If no managedFields are found in resourceQuota for fieldManager, a
 // ResourceQuotaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +86,16 @@ func ResourceQuota(name, namespace string) *ResourceQuotaApplyConfiguration {
 // ExtractResourceQuota provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractResourceQuota(resourceQuota *corev1.ResourceQuota, fieldManager string) (*ResourceQuotaApplyConfiguration, error) {
-	return extractResourceQuota(resourceQuota, fieldManager, "")
+	return ExtractResourceQuotaFrom(resourceQuota, fieldManager, "")
 }
 
-// ExtractResourceQuotaStatus is the same as ExtractResourceQuota except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractResourceQuotaStatus extracts the applied configuration owned by fieldManager from
+// resourceQuota for the status subresource.
 func ExtractResourceQuotaStatus(resourceQuota *corev1.ResourceQuota, fieldManager string) (*ResourceQuotaApplyConfiguration, error) {
-	return extractResourceQuota(resourceQuota, fieldManager, "status")
+	return ExtractResourceQuotaFrom(resourceQuota, fieldManager, "status")
 }
 
-func extractResourceQuota(resourceQuota *corev1.ResourceQuota, fieldManager string, subresource string) (*ResourceQuotaApplyConfiguration, error) {
-	b := &ResourceQuotaApplyConfiguration{}
-	err := managedfields.ExtractInto(resourceQuota, internal.Parser().Type("io.k8s.api.core.v1.ResourceQuota"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(resourceQuota.Name)
-	b.WithNamespace(resourceQuota.Namespace)
-
-	b.WithKind("ResourceQuota")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b ResourceQuotaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotaspec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotaspec.go
index 36d342fcdd469..a08e4b73f2286 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotaspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotaspec.go
@@ -24,9 +24,18 @@ import (
 
 // ResourceQuotaSpecApplyConfiguration represents a declarative configuration of the ResourceQuotaSpec type for use
 // with apply.
+//
+// ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
 type ResourceQuotaSpecApplyConfiguration struct {
-	Hard          *corev1.ResourceList             `json:"hard,omitempty"`
-	Scopes        []corev1.ResourceQuotaScope      `json:"scopes,omitempty"`
+	// hard is the set of desired hard limits for each named resource.
+	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
+	Hard *corev1.ResourceList `json:"hard,omitempty"`
+	// A collection of filters that must match each object tracked by a quota.
+	// If not specified, the quota matches all objects.
+	Scopes []corev1.ResourceQuotaScope `json:"scopes,omitempty"`
+	// scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota
+	// but expressed using ScopeSelectorOperator in combination with possible values.
+	// For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
 	ScopeSelector *ScopeSelectorApplyConfiguration `json:"scopeSelector,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotastatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotastatus.go
index 6338a130829a8..4d7faf84cd048 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotastatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcequotastatus.go
@@ -24,8 +24,13 @@ import (
 
 // ResourceQuotaStatusApplyConfiguration represents a declarative configuration of the ResourceQuotaStatus type for use
 // with apply.
+//
+// ResourceQuotaStatus defines the enforced hard limits and observed use.
 type ResourceQuotaStatusApplyConfiguration struct {
+	// Hard is the set of enforced hard limits for each named resource.
+	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
 	Hard *corev1.ResourceList `json:"hard,omitempty"`
+	// Used is the current observed total usage of the resource in the namespace.
 	Used *corev1.ResourceList `json:"used,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcerequirements.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcerequirements.go
index ea77647a91bca..4ba93df18337b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcerequirements.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcerequirements.go
@@ -24,10 +24,25 @@ import (
 
 // ResourceRequirementsApplyConfiguration represents a declarative configuration of the ResourceRequirements type for use
 // with apply.
+//
+// ResourceRequirements describes the compute resource requirements.
 type ResourceRequirementsApplyConfiguration struct {
-	Limits   *corev1.ResourceList              `json:"limits,omitempty"`
-	Requests *corev1.ResourceList              `json:"requests,omitempty"`
-	Claims   []ResourceClaimApplyConfiguration `json:"claims,omitempty"`
+	// Limits describes the maximum amount of compute resources allowed.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	Limits *corev1.ResourceList `json:"limits,omitempty"`
+	// Requests describes the minimum amount of compute resources required.
+	// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+	// otherwise to an implementation-defined value. Requests cannot exceed Limits.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	Requests *corev1.ResourceList `json:"requests,omitempty"`
+	// Claims lists the names of resources, defined in spec.resourceClaims,
+	// that are used by this container.
+	//
+	// This field depends on the
+	// DynamicResourceAllocation feature gate.
+	//
+	// This field is immutable. It can only be set for containers.
+	Claims []ResourceClaimApplyConfiguration `json:"claims,omitempty"`
 }
 
 // ResourceRequirementsApplyConfiguration constructs a declarative configuration of the ResourceRequirements type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcestatus.go
index e99586659899e..511164e7cfd6e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/resourcestatus.go
@@ -24,8 +24,17 @@ import (
 
 // ResourceStatusApplyConfiguration represents a declarative configuration of the ResourceStatus type for use
 // with apply.
+//
+// ResourceStatus represents the status of a single resource allocated to a Pod.
 type ResourceStatusApplyConfiguration struct {
-	Name      *corev1.ResourceName               `json:"name,omitempty"`
+	// Name of the resource. Must be unique within the pod and in case of non-DRA resource, match one of the resources from the pod spec.
+	// For DRA resources, the value must be "claim:<claim_name>/<request>".
+	// When this status is reported about a container, the "claim_name" and "request" must match one of the claims of this container.
+	Name *corev1.ResourceName `json:"name,omitempty"`
+	// List of unique resources health. Each element in the list contains an unique resource ID and its health.
+	// At a minimum, for the lifetime of a Pod, resource ID must uniquely identify the resource allocated to the Pod on the Node.
+	// If other Pod on the same Node reports the status with the same resource ID, it must be the same resource they share.
+	// See ResourceID type definition for a specific format it has in various use cases.
 	Resources []ResourceHealthApplyConfiguration `json:"resources,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiopersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiopersistentvolumesource.go
index b07f46de918f1..4fcb35ed938ef 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiopersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiopersistentvolumesource.go
@@ -20,17 +20,36 @@ package v1
 
 // ScaleIOPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the ScaleIOPersistentVolumeSource type for use
 // with apply.
+//
+// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume
 type ScaleIOPersistentVolumeSourceApplyConfiguration struct {
-	Gateway          *string                            `json:"gateway,omitempty"`
-	System           *string                            `json:"system,omitempty"`
-	SecretRef        *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	SSLEnabled       *bool                              `json:"sslEnabled,omitempty"`
-	ProtectionDomain *string                            `json:"protectionDomain,omitempty"`
-	StoragePool      *string                            `json:"storagePool,omitempty"`
-	StorageMode      *string                            `json:"storageMode,omitempty"`
-	VolumeName       *string                            `json:"volumeName,omitempty"`
-	FSType           *string                            `json:"fsType,omitempty"`
-	ReadOnly         *bool                              `json:"readOnly,omitempty"`
+	// gateway is the host address of the ScaleIO API Gateway.
+	Gateway *string `json:"gateway,omitempty"`
+	// system is the name of the storage system as configured in ScaleIO.
+	System *string `json:"system,omitempty"`
+	// secretRef references to the secret for ScaleIO user and other
+	// sensitive information. If this is not provided, Login operation will fail.
+	SecretRef *SecretReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// sslEnabled is the flag to enable/disable SSL communication with Gateway, default false
+	SSLEnabled *bool `json:"sslEnabled,omitempty"`
+	// protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+	ProtectionDomain *string `json:"protectionDomain,omitempty"`
+	// storagePool is the ScaleIO Storage Pool associated with the protection domain.
+	StoragePool *string `json:"storagePool,omitempty"`
+	// storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+	// Default is ThinProvisioned.
+	StorageMode *string `json:"storageMode,omitempty"`
+	// volumeName is the name of a volume already created in the ScaleIO system
+	// that is associated with this volume source.
+	VolumeName *string `json:"volumeName,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs".
+	// Default is "xfs"
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // ScaleIOPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the ScaleIOPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiovolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiovolumesource.go
index 740c05ebb7d46..2a484851bd080 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiovolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scaleiovolumesource.go
@@ -20,17 +20,36 @@ package v1
 
 // ScaleIOVolumeSourceApplyConfiguration represents a declarative configuration of the ScaleIOVolumeSource type for use
 // with apply.
+//
+// ScaleIOVolumeSource represents a persistent ScaleIO volume
 type ScaleIOVolumeSourceApplyConfiguration struct {
-	Gateway          *string                                 `json:"gateway,omitempty"`
-	System           *string                                 `json:"system,omitempty"`
-	SecretRef        *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
-	SSLEnabled       *bool                                   `json:"sslEnabled,omitempty"`
-	ProtectionDomain *string                                 `json:"protectionDomain,omitempty"`
-	StoragePool      *string                                 `json:"storagePool,omitempty"`
-	StorageMode      *string                                 `json:"storageMode,omitempty"`
-	VolumeName       *string                                 `json:"volumeName,omitempty"`
-	FSType           *string                                 `json:"fsType,omitempty"`
-	ReadOnly         *bool                                   `json:"readOnly,omitempty"`
+	// gateway is the host address of the ScaleIO API Gateway.
+	Gateway *string `json:"gateway,omitempty"`
+	// system is the name of the storage system as configured in ScaleIO.
+	System *string `json:"system,omitempty"`
+	// secretRef references to the secret for ScaleIO user and other
+	// sensitive information. If this is not provided, Login operation will fail.
+	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// sslEnabled Flag enable/disable SSL communication with Gateway, default false
+	SSLEnabled *bool `json:"sslEnabled,omitempty"`
+	// protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.
+	ProtectionDomain *string `json:"protectionDomain,omitempty"`
+	// storagePool is the ScaleIO Storage Pool associated with the protection domain.
+	StoragePool *string `json:"storagePool,omitempty"`
+	// storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+	// Default is ThinProvisioned.
+	StorageMode *string `json:"storageMode,omitempty"`
+	// volumeName is the name of a volume already created in the ScaleIO system
+	// that is associated with this volume source.
+	VolumeName *string `json:"volumeName,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs".
+	// Default is "xfs".
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
 }
 
 // ScaleIOVolumeSourceApplyConfiguration constructs a declarative configuration of the ScaleIOVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopedresourceselectorrequirement.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopedresourceselectorrequirement.go
index c2481f490637b..cae949e81abbc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopedresourceselectorrequirement.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopedresourceselectorrequirement.go
@@ -24,10 +24,20 @@ import (
 
 // ScopedResourceSelectorRequirementApplyConfiguration represents a declarative configuration of the ScopedResourceSelectorRequirement type for use
 // with apply.
+//
+// A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator
+// that relates the scope name and values.
 type ScopedResourceSelectorRequirementApplyConfiguration struct {
-	ScopeName *corev1.ResourceQuotaScope    `json:"scopeName,omitempty"`
-	Operator  *corev1.ScopeSelectorOperator `json:"operator,omitempty"`
-	Values    []string                      `json:"values,omitempty"`
+	// The name of the scope that the selector applies to.
+	ScopeName *corev1.ResourceQuotaScope `json:"scopeName,omitempty"`
+	// Represents a scope's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists, DoesNotExist.
+	Operator *corev1.ScopeSelectorOperator `json:"operator,omitempty"`
+	// An array of string values. If the operator is In or NotIn,
+	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
+	// the values array must be empty.
+	// This array is replaced during a strategic merge patch.
+	Values []string `json:"values,omitempty"`
 }
 
 // ScopedResourceSelectorRequirementApplyConfiguration constructs a declarative configuration of the ScopedResourceSelectorRequirement type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopeselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopeselector.go
index a9fb9a1b19710..26c1eabf4de60 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopeselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/scopeselector.go
@@ -20,7 +20,11 @@ package v1
 
 // ScopeSelectorApplyConfiguration represents a declarative configuration of the ScopeSelector type for use
 // with apply.
+//
+// A scope selector represents the AND of the selectors represented
+// by the scoped-resource selector requirements.
 type ScopeSelectorApplyConfiguration struct {
+	// A list of scope selector requirements by scope of the resources.
 	MatchExpressions []ScopedResourceSelectorRequirementApplyConfiguration `json:"matchExpressions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/seccompprofile.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/seccompprofile.go
index 754bfd1b3e8ad..858ac80faae6e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/seccompprofile.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/seccompprofile.go
@@ -24,9 +24,22 @@ import (
 
 // SeccompProfileApplyConfiguration represents a declarative configuration of the SeccompProfile type for use
 // with apply.
+//
+// SeccompProfile defines a pod/container's seccomp profile settings.
+// Only one profile source may be set.
 type SeccompProfileApplyConfiguration struct {
-	Type             *corev1.SeccompProfileType `json:"type,omitempty"`
-	LocalhostProfile *string                    `json:"localhostProfile,omitempty"`
+	// type indicates which kind of seccomp profile will be applied.
+	// Valid options are:
+	//
+	// Localhost - a profile defined in a file on the node should be used.
+	// RuntimeDefault - the container runtime default profile should be used.
+	// Unconfined - no profile should be applied.
+	Type *corev1.SeccompProfileType `json:"type,omitempty"`
+	// localhostProfile indicates a profile defined in a file on the node should be used.
+	// The profile must be preconfigured on the node to work.
+	// Must be a descending path, relative to the kubelet's configured seccomp profile location.
+	// Must be set if type is "Localhost". Must NOT be set for any other type.
+	LocalhostProfile *string `json:"localhostProfile,omitempty"`
 }
 
 // SeccompProfileApplyConfiguration constructs a declarative configuration of the SeccompProfile type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secret.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secret.go
index ff859d86bc95b..42be77931158b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secret.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secret.go
@@ -29,13 +29,32 @@ import (
 
 // SecretApplyConfiguration represents a declarative configuration of the Secret type for use
 // with apply.
+//
+// Secret holds secret data of a certain type. The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
 type SecretApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Immutable                            *bool              `json:"immutable,omitempty"`
-	Data                                 map[string][]byte  `json:"data,omitempty"`
-	StringData                           map[string]string  `json:"stringData,omitempty"`
-	Type                                 *corev1.SecretType `json:"type,omitempty"`
+	// Immutable, if set to true, ensures that data stored in the Secret cannot
+	// be updated (only object metadata can be modified).
+	// If not set to true, the field can be modified at any time.
+	// Defaulted to nil.
+	Immutable *bool `json:"immutable,omitempty"`
+	// Data contains the secret data. Each key must consist of alphanumeric
+	// characters, '-', '_' or '.'. The serialized form of the secret data is a
+	// base64 encoded string, representing the arbitrary (possibly non-string)
+	// data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
+	Data map[string][]byte `json:"data,omitempty"`
+	// stringData allows specifying non-binary secret data in string form.
+	// It is provided as a write-only input field for convenience.
+	// All keys and values are merged into the data field on write, overwriting any existing values.
+	// The stringData field is never output when reading from the API.
+	StringData map[string]string `json:"stringData,omitempty"`
+	// Used to facilitate programmatic handling of secret data.
+	// More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
+	Type *corev1.SecretType `json:"type,omitempty"`
 }
 
 // Secret constructs a declarative configuration of the Secret type for use with
@@ -49,29 +68,14 @@ func Secret(name, namespace string) *SecretApplyConfiguration {
 	return b
 }
 
-// ExtractSecret extracts the applied configuration owned by fieldManager from
-// secret. If no managedFields are found in secret for fieldManager, a
-// SecretApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractSecretFrom extracts the applied configuration owned by fieldManager from
+// secret for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // secret must be a unmodified Secret API object that was retrieved from the Kubernetes API.
-// ExtractSecret provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractSecretFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractSecret(secret *corev1.Secret, fieldManager string) (*SecretApplyConfiguration, error) {
-	return extractSecret(secret, fieldManager, "")
-}
-
-// ExtractSecretStatus is the same as ExtractSecret except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractSecretStatus(secret *corev1.Secret, fieldManager string) (*SecretApplyConfiguration, error) {
-	return extractSecret(secret, fieldManager, "status")
-}
-
-func extractSecret(secret *corev1.Secret, fieldManager string, subresource string) (*SecretApplyConfiguration, error) {
+func ExtractSecretFrom(secret *corev1.Secret, fieldManager string, subresource string) (*SecretApplyConfiguration, error) {
 	b := &SecretApplyConfiguration{}
 	err := managedfields.ExtractInto(secret, internal.Parser().Type("io.k8s.api.core.v1.Secret"), fieldManager, b, subresource)
 	if err != nil {
@@ -84,6 +88,21 @@ func extractSecret(secret *corev1.Secret, fieldManager string, subresource strin
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractSecret extracts the applied configuration owned by fieldManager from
+// secret. If no managedFields are found in secret for fieldManager, a
+// SecretApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// secret must be a unmodified Secret API object that was retrieved from the Kubernetes API.
+// ExtractSecret provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractSecret(secret *corev1.Secret, fieldManager string) (*SecretApplyConfiguration, error) {
+	return ExtractSecretFrom(secret, fieldManager, "")
+}
+
 func (b SecretApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretenvsource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretenvsource.go
index d3cc9f6a625d0..21a6b75248948 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretenvsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretenvsource.go
@@ -20,9 +20,17 @@ package v1
 
 // SecretEnvSourceApplyConfiguration represents a declarative configuration of the SecretEnvSource type for use
 // with apply.
+//
+// SecretEnvSource selects a Secret to populate the environment
+// variables with.
+//
+// The contents of the target Secret's Data field will represent the
+// key-value pairs as environment variables.
 type SecretEnvSourceApplyConfiguration struct {
+	// The Secret to select from.
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Optional                               *bool `json:"optional,omitempty"`
+	// Specify whether the Secret must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // SecretEnvSourceApplyConfiguration constructs a declarative configuration of the SecretEnvSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretkeyselector.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretkeyselector.go
index f1cd8b2d31eb4..8e83bc813c37f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretkeyselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretkeyselector.go
@@ -20,10 +20,15 @@ package v1
 
 // SecretKeySelectorApplyConfiguration represents a declarative configuration of the SecretKeySelector type for use
 // with apply.
+//
+// SecretKeySelector selects a key of a Secret.
 type SecretKeySelectorApplyConfiguration struct {
+	// The name of the secret in the pod's namespace to select from.
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Key                                    *string `json:"key,omitempty"`
-	Optional                               *bool   `json:"optional,omitempty"`
+	// The key of the secret to select from.  Must be a valid secret key.
+	Key *string `json:"key,omitempty"`
+	// Specify whether the Secret or its key must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // SecretKeySelectorApplyConfiguration constructs a declarative configuration of the SecretKeySelector type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretprojection.go
index 99fa36ecc0ec0..87016d9fa379c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretprojection.go
@@ -20,10 +20,25 @@ package v1
 
 // SecretProjectionApplyConfiguration represents a declarative configuration of the SecretProjection type for use
 // with apply.
+//
+// Adapts a secret into a projected volume.
+//
+// The contents of the target Secret's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names.
+// Note that this is identical to a secret volume source without the default
+// mode.
 type SecretProjectionApplyConfiguration struct {
 	LocalObjectReferenceApplyConfiguration `json:",inline"`
-	Items                                  []KeyToPathApplyConfiguration `json:"items,omitempty"`
-	Optional                               *bool                         `json:"optional,omitempty"`
+	// items if unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the Secret,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	Items []KeyToPathApplyConfiguration `json:"items,omitempty"`
+	// optional field specify whether the Secret or its key must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // SecretProjectionApplyConfiguration constructs a declarative configuration of the SecretProjection type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretreference.go
index f5e0de23aa6d3..607f825062157 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretreference.go
@@ -20,8 +20,13 @@ package v1
 
 // SecretReferenceApplyConfiguration represents a declarative configuration of the SecretReference type for use
 // with apply.
+//
+// SecretReference represents a Secret Reference. It has enough information to retrieve secret
+// in any namespace
 type SecretReferenceApplyConfiguration struct {
-	Name      *string `json:"name,omitempty"`
+	// name is unique within a namespace to reference a secret resource.
+	Name *string `json:"name,omitempty"`
+	// namespace defines the space within which the secret name must be unique.
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretvolumesource.go
index 9f765d354da7e..bdc098535e1a7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/secretvolumesource.go
@@ -20,11 +20,34 @@ package v1
 
 // SecretVolumeSourceApplyConfiguration represents a declarative configuration of the SecretVolumeSource type for use
 // with apply.
+//
+// Adapts a Secret into a volume.
+//
+// The contents of the target Secret's Data field will be presented in a volume
+// as files using the keys in the Data field as the file names.
+// Secret volumes support ownership management and SELinux relabeling.
 type SecretVolumeSourceApplyConfiguration struct {
-	SecretName  *string                       `json:"secretName,omitempty"`
-	Items       []KeyToPathApplyConfiguration `json:"items,omitempty"`
-	DefaultMode *int32                        `json:"defaultMode,omitempty"`
-	Optional    *bool                         `json:"optional,omitempty"`
+	// secretName is the name of the secret in the pod's namespace to use.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	SecretName *string `json:"secretName,omitempty"`
+	// items If unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the Secret,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	Items []KeyToPathApplyConfiguration `json:"items,omitempty"`
+	// defaultMode is Optional: mode bits used to set permissions on created files by default.
+	// Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+	// YAML accepts both octal and decimal values, JSON requires decimal values
+	// for mode bits. Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	DefaultMode *int32 `json:"defaultMode,omitempty"`
+	// optional field specify whether the Secret or its keys must be defined
+	Optional *bool `json:"optional,omitempty"`
 }
 
 // SecretVolumeSourceApplyConfiguration constructs a declarative configuration of the SecretVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/securitycontext.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/securitycontext.go
index 99faab72da035..aee2635238f11 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/securitycontext.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/securitycontext.go
@@ -24,19 +24,77 @@ import (
 
 // SecurityContextApplyConfiguration represents a declarative configuration of the SecurityContext type for use
 // with apply.
+//
+// SecurityContext holds security configuration that will be applied to a container.
+// Some fields are present in both SecurityContext and PodSecurityContext.  When both
+// are set, the values in SecurityContext take precedence.
 type SecurityContextApplyConfiguration struct {
-	Capabilities             *CapabilitiesApplyConfiguration                  `json:"capabilities,omitempty"`
-	Privileged               *bool                                            `json:"privileged,omitempty"`
-	SELinuxOptions           *SELinuxOptionsApplyConfiguration                `json:"seLinuxOptions,omitempty"`
-	WindowsOptions           *WindowsSecurityContextOptionsApplyConfiguration `json:"windowsOptions,omitempty"`
-	RunAsUser                *int64                                           `json:"runAsUser,omitempty"`
-	RunAsGroup               *int64                                           `json:"runAsGroup,omitempty"`
-	RunAsNonRoot             *bool                                            `json:"runAsNonRoot,omitempty"`
-	ReadOnlyRootFilesystem   *bool                                            `json:"readOnlyRootFilesystem,omitempty"`
-	AllowPrivilegeEscalation *bool                                            `json:"allowPrivilegeEscalation,omitempty"`
-	ProcMount                *corev1.ProcMountType                            `json:"procMount,omitempty"`
-	SeccompProfile           *SeccompProfileApplyConfiguration                `json:"seccompProfile,omitempty"`
-	AppArmorProfile          *AppArmorProfileApplyConfiguration               `json:"appArmorProfile,omitempty"`
+	// The capabilities to add/drop when running containers.
+	// Defaults to the default set of capabilities granted by the container runtime.
+	// Note that this field cannot be set when spec.os.name is windows.
+	Capabilities *CapabilitiesApplyConfiguration `json:"capabilities,omitempty"`
+	// Run container in privileged mode.
+	// Processes in privileged containers are essentially equivalent to root on the host.
+	// Defaults to false.
+	// Note that this field cannot be set when spec.os.name is windows.
+	Privileged *bool `json:"privileged,omitempty"`
+	// The SELinux context to be applied to the container.
+	// If unspecified, the container runtime will allocate a random SELinux context for each
+	// container.  May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SELinuxOptions *SELinuxOptionsApplyConfiguration `json:"seLinuxOptions,omitempty"`
+	// The Windows specific settings applied to all containers.
+	// If unspecified, the options from the PodSecurityContext will be used.
+	// If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// Note that this field cannot be set when spec.os.name is linux.
+	WindowsOptions *WindowsSecurityContextOptionsApplyConfiguration `json:"windowsOptions,omitempty"`
+	// The UID to run the entrypoint of the container process.
+	// Defaults to user specified in image metadata if unspecified.
+	// May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// Note that this field cannot be set when spec.os.name is windows.
+	RunAsUser *int64 `json:"runAsUser,omitempty"`
+	// The GID to run the entrypoint of the container process.
+	// Uses runtime default if unset.
+	// May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// Note that this field cannot be set when spec.os.name is windows.
+	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
+	// Indicates that the container must run as a non-root user.
+	// If true, the Kubelet will validate the image at runtime to ensure that it
+	// does not run as UID 0 (root) and fail to start the container if it does.
+	// If unset or false, no such validation will be performed.
+	// May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty"`
+	// Whether this container has a read-only root filesystem.
+	// Default is false.
+	// Note that this field cannot be set when spec.os.name is windows.
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
+	// AllowPrivilegeEscalation controls whether a process can gain more
+	// privileges than its parent process. This bool directly controls if
+	// the no_new_privs flag will be set on the container process.
+	// AllowPrivilegeEscalation is true always when the container is:
+	// 1) run as Privileged
+	// 2) has CAP_SYS_ADMIN
+	// Note that this field cannot be set when spec.os.name is windows.
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
+	// procMount denotes the type of proc mount to use for the containers.
+	// The default value is Default which uses the container runtime defaults for
+	// readonly paths and masked paths.
+	// This requires the ProcMountType feature flag to be enabled.
+	// Note that this field cannot be set when spec.os.name is windows.
+	ProcMount *corev1.ProcMountType `json:"procMount,omitempty"`
+	// The seccomp options to use by this container. If seccomp options are
+	// provided at both the pod & container level, the container options
+	// override the pod options.
+	// Note that this field cannot be set when spec.os.name is windows.
+	SeccompProfile *SeccompProfileApplyConfiguration `json:"seccompProfile,omitempty"`
+	// appArmorProfile is the AppArmor options to use by this container. If set, this profile
+	// overrides the pod's appArmorProfile.
+	// Note that this field cannot be set when spec.os.name is windows.
+	AppArmorProfile *AppArmorProfileApplyConfiguration `json:"appArmorProfile,omitempty"`
 }
 
 // SecurityContextApplyConfiguration constructs a declarative configuration of the SecurityContext type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/selinuxoptions.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/selinuxoptions.go
index bad01300f04d3..d03e63e27b658 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/selinuxoptions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/selinuxoptions.go
@@ -20,10 +20,16 @@ package v1
 
 // SELinuxOptionsApplyConfiguration represents a declarative configuration of the SELinuxOptions type for use
 // with apply.
+//
+// SELinuxOptions are the labels to be applied to the container
 type SELinuxOptionsApplyConfiguration struct {
-	User  *string `json:"user,omitempty"`
-	Role  *string `json:"role,omitempty"`
-	Type  *string `json:"type,omitempty"`
+	// User is a SELinux user label that applies to the container.
+	User *string `json:"user,omitempty"`
+	// Role is a SELinux role label that applies to the container.
+	Role *string `json:"role,omitempty"`
+	// Type is a SELinux type label that applies to the container.
+	Type *string `json:"type,omitempty"`
+	// Level is SELinux level label that applies to the container.
 	Level *string `json:"level,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/service.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/service.go
index 90d2ca0f8d3f0..b0e667824bcc5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/service.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/service.go
@@ -29,11 +29,23 @@ import (
 
 // ServiceApplyConfiguration represents a declarative configuration of the Service type for use
 // with apply.
+//
+// Service is a named abstraction of software service (for example, mysql) consisting of local port
+// (for example 3306) that the proxy listens on, and the selector that determines which pods
+// will answer requests sent through the proxy.
 type ServiceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ServiceSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ServiceStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the behavior of a service.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ServiceSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the service.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ServiceStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Service constructs a declarative configuration of the Service type for use with
@@ -47,6 +59,27 @@ func Service(name, namespace string) *ServiceApplyConfiguration {
 	return b
 }
 
+// ExtractServiceFrom extracts the applied configuration owned by fieldManager from
+// service for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// service must be a unmodified Service API object that was retrieved from the Kubernetes API.
+// ExtractServiceFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractServiceFrom(service *corev1.Service, fieldManager string, subresource string) (*ServiceApplyConfiguration, error) {
+	b := &ServiceApplyConfiguration{}
+	err := managedfields.ExtractInto(service, internal.Parser().Type("io.k8s.api.core.v1.Service"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(service.Name)
+	b.WithNamespace(service.Namespace)
+
+	b.WithKind("Service")
+	b.WithAPIVersion("v1")
+	return b, nil
+}
+
 // ExtractService extracts the applied configuration owned by fieldManager from
 // service. If no managedFields are found in service for fieldManager, a
 // ServiceApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +90,16 @@ func Service(name, namespace string) *ServiceApplyConfiguration {
 // ExtractService provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractService(service *corev1.Service, fieldManager string) (*ServiceApplyConfiguration, error) {
-	return extractService(service, fieldManager, "")
+	return ExtractServiceFrom(service, fieldManager, "")
 }
 
-// ExtractServiceStatus is the same as ExtractService except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractServiceStatus extracts the applied configuration owned by fieldManager from
+// service for the status subresource.
 func ExtractServiceStatus(service *corev1.Service, fieldManager string) (*ServiceApplyConfiguration, error) {
-	return extractService(service, fieldManager, "status")
+	return ExtractServiceFrom(service, fieldManager, "status")
 }
 
-func extractService(service *corev1.Service, fieldManager string, subresource string) (*ServiceApplyConfiguration, error) {
-	b := &ServiceApplyConfiguration{}
-	err := managedfields.ExtractInto(service, internal.Parser().Type("io.k8s.api.core.v1.Service"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(service.Name)
-	b.WithNamespace(service.Namespace)
-
-	b.WithKind("Service")
-	b.WithAPIVersion("v1")
-	return b, nil
-}
 func (b ServiceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccount.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccount.go
index 768acb2eb6ca0..d43934777813b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccount.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccount.go
@@ -29,12 +29,32 @@ import (
 
 // ServiceAccountApplyConfiguration represents a declarative configuration of the ServiceAccount type for use
 // with apply.
+//
+// ServiceAccount binds together:
+// * a name, understood by users, and perhaps by peripheral systems, for an identity
+// * a principal that can be authenticated and authorized
+// * a set of secrets
 type ServiceAccountApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Secrets                              []ObjectReferenceApplyConfiguration      `json:"secrets,omitempty"`
-	ImagePullSecrets                     []LocalObjectReferenceApplyConfiguration `json:"imagePullSecrets,omitempty"`
-	AutomountServiceAccountToken         *bool                                    `json:"automountServiceAccountToken,omitempty"`
+	// Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use.
+	// Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true".
+	// The "kubernetes.io/enforce-mountable-secrets" annotation is deprecated since v1.32.
+	// Prefer separate namespaces to isolate access to mounted secrets.
+	// This field should not be used to find auto-generated service account token secrets for use outside of pods.
+	// Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created.
+	// More info: https://kubernetes.io/docs/concepts/configuration/secret
+	Secrets []ObjectReferenceApplyConfiguration `json:"secrets,omitempty"`
+	// ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images
+	// in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets
+	// can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet.
+	// More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+	ImagePullSecrets []LocalObjectReferenceApplyConfiguration `json:"imagePullSecrets,omitempty"`
+	// AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted.
+	// Can be overridden at the pod level.
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
 }
 
 // ServiceAccount constructs a declarative configuration of the ServiceAccount type for use with
@@ -48,29 +68,14 @@ func ServiceAccount(name, namespace string) *ServiceAccountApplyConfiguration {
 	return b
 }
 
-// ExtractServiceAccount extracts the applied configuration owned by fieldManager from
-// serviceAccount. If no managedFields are found in serviceAccount for fieldManager, a
-// ServiceAccountApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractServiceAccountFrom extracts the applied configuration owned by fieldManager from
+// serviceAccount for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // serviceAccount must be a unmodified ServiceAccount API object that was retrieved from the Kubernetes API.
-// ExtractServiceAccount provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractServiceAccountFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractServiceAccount(serviceAccount *corev1.ServiceAccount, fieldManager string) (*ServiceAccountApplyConfiguration, error) {
-	return extractServiceAccount(serviceAccount, fieldManager, "")
-}
-
-// ExtractServiceAccountStatus is the same as ExtractServiceAccount except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractServiceAccountStatus(serviceAccount *corev1.ServiceAccount, fieldManager string) (*ServiceAccountApplyConfiguration, error) {
-	return extractServiceAccount(serviceAccount, fieldManager, "status")
-}
-
-func extractServiceAccount(serviceAccount *corev1.ServiceAccount, fieldManager string, subresource string) (*ServiceAccountApplyConfiguration, error) {
+func ExtractServiceAccountFrom(serviceAccount *corev1.ServiceAccount, fieldManager string, subresource string) (*ServiceAccountApplyConfiguration, error) {
 	b := &ServiceAccountApplyConfiguration{}
 	err := managedfields.ExtractInto(serviceAccount, internal.Parser().Type("io.k8s.api.core.v1.ServiceAccount"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +88,27 @@ func extractServiceAccount(serviceAccount *corev1.ServiceAccount, fieldManager s
 	b.WithAPIVersion("v1")
 	return b, nil
 }
+
+// ExtractServiceAccount extracts the applied configuration owned by fieldManager from
+// serviceAccount. If no managedFields are found in serviceAccount for fieldManager, a
+// ServiceAccountApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// serviceAccount must be a unmodified ServiceAccount API object that was retrieved from the Kubernetes API.
+// ExtractServiceAccount provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractServiceAccount(serviceAccount *corev1.ServiceAccount, fieldManager string) (*ServiceAccountApplyConfiguration, error) {
+	return ExtractServiceAccountFrom(serviceAccount, fieldManager, "")
+}
+
+// ExtractServiceAccountToken extracts the applied configuration owned by fieldManager from
+// serviceAccount for the token subresource.
+func ExtractServiceAccountToken(serviceAccount *corev1.ServiceAccount, fieldManager string) (*ServiceAccountApplyConfiguration, error) {
+	return ExtractServiceAccountFrom(serviceAccount, fieldManager, "token")
+}
+
 func (b ServiceAccountApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccounttokenprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccounttokenprojection.go
index fab81bf8a2f89..e2bf69bc4456e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccounttokenprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceaccounttokenprojection.go
@@ -20,10 +20,27 @@ package v1
 
 // ServiceAccountTokenProjectionApplyConfiguration represents a declarative configuration of the ServiceAccountTokenProjection type for use
 // with apply.
+//
+// ServiceAccountTokenProjection represents a projected service account token
+// volume. This projection can be used to insert a service account token into
+// the pods runtime filesystem for use against APIs (Kubernetes API Server or
+// otherwise).
 type ServiceAccountTokenProjectionApplyConfiguration struct {
-	Audience          *string `json:"audience,omitempty"`
-	ExpirationSeconds *int64  `json:"expirationSeconds,omitempty"`
-	Path              *string `json:"path,omitempty"`
+	// audience is the intended audience of the token. A recipient of a token
+	// must identify itself with an identifier specified in the audience of the
+	// token, and otherwise should reject the token. The audience defaults to the
+	// identifier of the apiserver.
+	Audience *string `json:"audience,omitempty"`
+	// expirationSeconds is the requested duration of validity of the service
+	// account token. As the token approaches expiration, the kubelet volume
+	// plugin will proactively rotate the service account token. The kubelet will
+	// start trying to rotate the token if the token is older than 80 percent of
+	// its time to live or if the token is older than 24 hours.Defaults to 1 hour
+	// and must be at least 10 minutes.
+	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
+	// path is the path relative to the mount point of the file to project the
+	// token into.
+	Path *string `json:"path,omitempty"`
 }
 
 // ServiceAccountTokenProjectionApplyConfiguration constructs a declarative configuration of the ServiceAccountTokenProjection type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceport.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceport.go
index 4d5774d8d4475..44353149228b3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/serviceport.go
@@ -25,13 +25,55 @@ import (
 
 // ServicePortApplyConfiguration represents a declarative configuration of the ServicePort type for use
 // with apply.
+//
+// ServicePort contains information on service's port.
 type ServicePortApplyConfiguration struct {
-	Name        *string             `json:"name,omitempty"`
-	Protocol    *corev1.Protocol    `json:"protocol,omitempty"`
-	AppProtocol *string             `json:"appProtocol,omitempty"`
-	Port        *int32              `json:"port,omitempty"`
-	TargetPort  *intstr.IntOrString `json:"targetPort,omitempty"`
-	NodePort    *int32              `json:"nodePort,omitempty"`
+	// The name of this port within the service. This must be a DNS_LABEL.
+	// All ports within a ServiceSpec must have unique names. When considering
+	// the endpoints for a Service, this must match the 'name' field in the
+	// EndpointPort.
+	// Optional if only one ServicePort is defined on this service.
+	Name *string `json:"name,omitempty"`
+	// The IP protocol for this port. Supports "TCP", "UDP", and "SCTP".
+	// Default is TCP.
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// The application protocol for this port.
+	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
+	// This field follows standard Kubernetes label syntax.
+	// Valid values are either:
+	//
+	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
+	// RFC-6335 and https://www.iana.org/assignments/service-names).
+	//
+	// * Kubernetes-defined prefixed names:
+	// * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
+	// * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
+	// * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
+	//
+	// * Other protocols should use implementation-defined prefixed names such as
+	// mycompany.com/my-custom-protocol.
+	AppProtocol *string `json:"appProtocol,omitempty"`
+	// The port that will be exposed by this service.
+	Port *int32 `json:"port,omitempty"`
+	// Number or name of the port to access on the pods targeted by the service.
+	// Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
+	// If this is a string, it will be looked up as a named port in the
+	// target Pod's container ports. If this is not specified, the value
+	// of the 'port' field is used (an identity map).
+	// This field is ignored for services with clusterIP=None, and should be
+	// omitted or set equal to the 'port' field.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+	TargetPort *intstr.IntOrString `json:"targetPort,omitempty"`
+	// The port on each node on which this service is exposed when type is
+	// NodePort or LoadBalancer.  Usually assigned by the system. If a value is
+	// specified, in-range, and not in use it will be used, otherwise the
+	// operation will fail.  If not specified, a port will be allocated if this
+	// Service requires one.  If this field is specified when creating a
+	// Service which does not need it, creation will fail. This field will be
+	// wiped when updating a Service to no longer need it (e.g. changing type
+	// from NodePort to ClusterIP).
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+	NodePort *int32 `json:"nodePort,omitempty"`
 }
 
 // ServicePortApplyConfiguration constructs a declarative configuration of the ServicePort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go
index 41367dce4f092..c6a09d26fac9b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicespec.go
@@ -24,27 +24,201 @@ import (
 
 // ServiceSpecApplyConfiguration represents a declarative configuration of the ServiceSpec type for use
 // with apply.
+//
+// ServiceSpec describes the attributes that a user creates on a service.
 type ServiceSpecApplyConfiguration struct {
-	Ports                         []ServicePortApplyConfiguration          `json:"ports,omitempty"`
-	Selector                      map[string]string                        `json:"selector,omitempty"`
-	ClusterIP                     *string                                  `json:"clusterIP,omitempty"`
-	ClusterIPs                    []string                                 `json:"clusterIPs,omitempty"`
-	Type                          *corev1.ServiceType                      `json:"type,omitempty"`
-	ExternalIPs                   []string                                 `json:"externalIPs,omitempty"`
-	SessionAffinity               *corev1.ServiceAffinity                  `json:"sessionAffinity,omitempty"`
-	LoadBalancerIP                *string                                  `json:"loadBalancerIP,omitempty"`
-	LoadBalancerSourceRanges      []string                                 `json:"loadBalancerSourceRanges,omitempty"`
-	ExternalName                  *string                                  `json:"externalName,omitempty"`
-	ExternalTrafficPolicy         *corev1.ServiceExternalTrafficPolicy     `json:"externalTrafficPolicy,omitempty"`
-	HealthCheckNodePort           *int32                                   `json:"healthCheckNodePort,omitempty"`
-	PublishNotReadyAddresses      *bool                                    `json:"publishNotReadyAddresses,omitempty"`
-	SessionAffinityConfig         *SessionAffinityConfigApplyConfiguration `json:"sessionAffinityConfig,omitempty"`
-	IPFamilies                    []corev1.IPFamily                        `json:"ipFamilies,omitempty"`
-	IPFamilyPolicy                *corev1.IPFamilyPolicy                   `json:"ipFamilyPolicy,omitempty"`
-	AllocateLoadBalancerNodePorts *bool                                    `json:"allocateLoadBalancerNodePorts,omitempty"`
-	LoadBalancerClass             *string                                  `json:"loadBalancerClass,omitempty"`
-	InternalTrafficPolicy         *corev1.ServiceInternalTrafficPolicy     `json:"internalTrafficPolicy,omitempty"`
-	TrafficDistribution           *string                                  `json:"trafficDistribution,omitempty"`
+	// The list of ports that are exposed by this service.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	Ports []ServicePortApplyConfiguration `json:"ports,omitempty"`
+	// Route service traffic to pods with label keys and values matching this
+	// selector. If empty or not present, the service is assumed to have an
+	// external process managing its endpoints, which Kubernetes will not
+	// modify. Only applies to types ClusterIP, NodePort, and LoadBalancer.
+	// Ignored if type is ExternalName.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/
+	Selector map[string]string `json:"selector,omitempty"`
+	// clusterIP is the IP address of the service and is usually assigned
+	// randomly. If an address is specified manually, is in-range (as per
+	// system configuration), and is not in use, it will be allocated to the
+	// service; otherwise creation of the service will fail. This field may not
+	// be changed through updates unless the type field is also being changed
+	// to ExternalName (which requires this field to be blank) or the type
+	// field is being changed from ExternalName (in which case this field may
+	// optionally be specified, as describe above).  Valid values are "None",
+	// empty string (""), or a valid IP address. Setting this to "None" makes a
+	// "headless service" (no virtual IP), which is useful when direct endpoint
+	// connections are preferred and proxying is not required.  Only applies to
+	// types ClusterIP, NodePort, and LoadBalancer. If this field is specified
+	// when creating a Service of type ExternalName, creation will fail. This
+	// field will be wiped when updating a Service to type ExternalName.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	ClusterIP *string `json:"clusterIP,omitempty"`
+	// ClusterIPs is a list of IP addresses assigned to this service, and are
+	// usually assigned randomly.  If an address is specified manually, is
+	// in-range (as per system configuration), and is not in use, it will be
+	// allocated to the service; otherwise creation of the service will fail.
+	// This field may not be changed through updates unless the type field is
+	// also being changed to ExternalName (which requires this field to be
+	// empty) or the type field is being changed from ExternalName (in which
+	// case this field may optionally be specified, as describe above).  Valid
+	// values are "None", empty string (""), or a valid IP address.  Setting
+	// this to "None" makes a "headless service" (no virtual IP), which is
+	// useful when direct endpoint connections are preferred and proxying is
+	// not required.  Only applies to types ClusterIP, NodePort, and
+	// LoadBalancer. If this field is specified when creating a Service of type
+	// ExternalName, creation will fail. This field will be wiped when updating
+	// a Service to type ExternalName.  If this field is not specified, it will
+	// be initialized from the clusterIP field.  If this field is specified,
+	// clients must ensure that clusterIPs[0] and clusterIP have the same
+	// value.
+	//
+	// This field may hold a maximum of two entries (dual-stack IPs, in either order).
+	// These IPs must correspond to the values of the ipFamilies field. Both
+	// clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	ClusterIPs []string `json:"clusterIPs,omitempty"`
+	// type determines how the Service is exposed. Defaults to ClusterIP. Valid
+	// options are ExternalName, ClusterIP, NodePort, and LoadBalancer.
+	// "ClusterIP" allocates a cluster-internal IP address for load-balancing
+	// to endpoints. Endpoints are determined by the selector or if that is not
+	// specified, by manual construction of an Endpoints object or
+	// EndpointSlice objects. If clusterIP is "None", no virtual IP is
+	// allocated and the endpoints are published as a set of endpoints rather
+	// than a virtual IP.
+	// "NodePort" builds on ClusterIP and allocates a port on every node which
+	// routes to the same endpoints as the clusterIP.
+	// "LoadBalancer" builds on NodePort and creates an external load-balancer
+	// (if supported in the current cloud) which routes to the same endpoints
+	// as the clusterIP.
+	// "ExternalName" aliases this service to the specified externalName.
+	// Several other fields do not apply to ExternalName services.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+	Type *corev1.ServiceType `json:"type,omitempty"`
+	// externalIPs is a list of IP addresses for which nodes in the cluster
+	// will also accept traffic for this service.  These IPs are not managed by
+	// Kubernetes.  The user is responsible for ensuring that traffic arrives
+	// at a node with this IP.  A common example is external load-balancers
+	// that are not part of the Kubernetes system.
+	ExternalIPs []string `json:"externalIPs,omitempty"`
+	// Supports "ClientIP" and "None". Used to maintain session affinity.
+	// Enable client IP based session affinity.
+	// Must be ClientIP or None.
+	// Defaults to None.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	SessionAffinity *corev1.ServiceAffinity `json:"sessionAffinity,omitempty"`
+	// Only applies to Service Type: LoadBalancer.
+	// This feature depends on whether the underlying cloud-provider supports specifying
+	// the loadBalancerIP when a load balancer is created.
+	// This field will be ignored if the cloud-provider does not support the feature.
+	// Deprecated: This field was under-specified and its meaning varies across implementations.
+	// Using it is non-portable and it may not support dual-stack.
+	// Users are encouraged to use implementation-specific annotations when available.
+	LoadBalancerIP *string `json:"loadBalancerIP,omitempty"`
+	// If specified and supported by the platform, this will restrict traffic through the cloud-provider
+	// load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+	// cloud-provider does not support the feature."
+	// More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
+	LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
+	// externalName is the external reference that discovery mechanisms will
+	// return as an alias for this service (e.g. a DNS CNAME record). No
+	// proxying will be involved.  Must be a lowercase RFC-1123 hostname
+	// (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName".
+	ExternalName *string `json:"externalName,omitempty"`
+	// externalTrafficPolicy describes how nodes distribute service traffic they
+	// receive on one of the Service's "externally-facing" addresses (NodePorts,
+	// ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure
+	// the service in a way that assumes that external load balancers will take care
+	// of balancing the service traffic between nodes, and so each node will deliver
+	// traffic only to the node-local endpoints of the service, without masquerading
+	// the client source IP. (Traffic mistakenly sent to a node with no endpoints will
+	// be dropped.) The default value, "Cluster", uses the standard behavior of
+	// routing to all endpoints evenly (possibly modified by topology and other
+	// features). Note that traffic sent to an External IP or LoadBalancer IP from
+	// within the cluster will always get "Cluster" semantics, but clients sending to
+	// a NodePort from within the cluster may need to take traffic policy into account
+	// when picking a node.
+	ExternalTrafficPolicy *corev1.ServiceExternalTrafficPolicy `json:"externalTrafficPolicy,omitempty"`
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// This only applies when type is set to LoadBalancer and
+	// externalTrafficPolicy is set to Local. If a value is specified, is
+	// in-range, and is not in use, it will be used.  If not specified, a value
+	// will be automatically allocated.  External systems (e.g. load-balancers)
+	// can use this port to determine if a given node holds endpoints for this
+	// service or not.  If this field is specified when creating a Service
+	// which does not need it, creation will fail. This field will be wiped
+	// when updating a Service to no longer need it (e.g. changing type).
+	// This field cannot be updated once set.
+	HealthCheckNodePort *int32 `json:"healthCheckNodePort,omitempty"`
+	// publishNotReadyAddresses indicates that any agent which deals with endpoints for this
+	// Service should disregard any indications of ready/not-ready.
+	// The primary use case for setting this field is for a StatefulSet's Headless Service to
+	// propagate SRV DNS records for its Pods for the purpose of peer discovery.
+	// The Kubernetes controllers that generate Endpoints and EndpointSlice resources for
+	// Services interpret this to mean that all endpoints are considered "ready" even if the
+	// Pods themselves are not. Agents which consume only Kubernetes generated endpoints
+	// through the Endpoints or EndpointSlice resources can safely assume this behavior.
+	PublishNotReadyAddresses *bool `json:"publishNotReadyAddresses,omitempty"`
+	// sessionAffinityConfig contains the configurations of session affinity.
+	SessionAffinityConfig *SessionAffinityConfigApplyConfiguration `json:"sessionAffinityConfig,omitempty"`
+	// IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this
+	// service. This field is usually assigned automatically based on cluster
+	// configuration and the ipFamilyPolicy field. If this field is specified
+	// manually, the requested family is available in the cluster,
+	// and ipFamilyPolicy allows it, it will be used; otherwise creation of
+	// the service will fail. This field is conditionally mutable: it allows
+	// for adding or removing a secondary IP family, but it does not allow
+	// changing the primary IP family of the Service. Valid values are "IPv4"
+	// and "IPv6".  This field only applies to Services of types ClusterIP,
+	// NodePort, and LoadBalancer, and does apply to "headless" services.
+	// This field will be wiped when updating a Service to type ExternalName.
+	//
+	// This field may hold a maximum of two entries (dual-stack families, in
+	// either order).  These families must correspond to the values of the
+	// clusterIPs field, if specified. Both clusterIPs and ipFamilies are
+	// governed by the ipFamilyPolicy field.
+	IPFamilies []corev1.IPFamily `json:"ipFamilies,omitempty"`
+	// IPFamilyPolicy represents the dual-stack-ness requested or required by
+	// this Service. If there is no value provided, then this field will be set
+	// to SingleStack. Services can be "SingleStack" (a single IP family),
+	// "PreferDualStack" (two IP families on dual-stack configured clusters or
+	// a single IP family on single-stack clusters), or "RequireDualStack"
+	// (two IP families on dual-stack configured clusters, otherwise fail). The
+	// ipFamilies and clusterIPs fields depend on the value of this field. This
+	// field will be wiped when updating a service to type ExternalName.
+	IPFamilyPolicy *corev1.IPFamilyPolicy `json:"ipFamilyPolicy,omitempty"`
+	// allocateLoadBalancerNodePorts defines if NodePorts will be automatically
+	// allocated for services with type LoadBalancer.  Default is "true". It
+	// may be set to "false" if the cluster load-balancer does not rely on
+	// NodePorts.  If the caller requests specific NodePorts (by specifying a
+	// value), those requests will be respected, regardless of this field.
+	// This field may only be set for services with type LoadBalancer and will
+	// be cleared if the type is changed to any other type.
+	AllocateLoadBalancerNodePorts *bool `json:"allocateLoadBalancerNodePorts,omitempty"`
+	// loadBalancerClass is the class of the load balancer implementation this Service belongs to.
+	// If specified, the value of this field must be a label-style identifier, with an optional prefix,
+	// e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users.
+	// This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load
+	// balancer implementation is used, today this is typically done through the cloud provider integration,
+	// but should apply for any default implementation. If set, it is assumed that a load balancer
+	// implementation is watching for Services with a matching class. Any default load balancer
+	// implementation (e.g. cloud providers) should ignore Services that set this field.
+	// This field can only be set when creating or updating a Service to type 'LoadBalancer'.
+	// Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
+	LoadBalancerClass *string `json:"loadBalancerClass,omitempty"`
+	// InternalTrafficPolicy describes how nodes distribute service traffic they
+	// receive on the ClusterIP. If set to "Local", the proxy will assume that pods
+	// only want to talk to endpoints of the service on the same node as the pod,
+	// dropping the traffic if there are no local endpoints. The default value,
+	// "Cluster", uses the standard behavior of routing to all endpoints evenly
+	// (possibly modified by topology and other features).
+	InternalTrafficPolicy *corev1.ServiceInternalTrafficPolicy `json:"internalTrafficPolicy,omitempty"`
+	// TrafficDistribution offers a way to express preferences for how traffic
+	// is distributed to Service endpoints. Implementations can use this field
+	// as a hint, but are not required to guarantee strict adherence. If the
+	// field is not set, the implementation will apply its default routing
+	// strategy. If set to "PreferClose", implementations should prioritize
+	// endpoints that are in the same zone.
+	TrafficDistribution *string `json:"trafficDistribution,omitempty"`
 }
 
 // ServiceSpecApplyConfiguration constructs a declarative configuration of the ServiceSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicestatus.go
index 11c3f8a80a82e..6b0d450d68ff8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/servicestatus.go
@@ -24,9 +24,14 @@ import (
 
 // ServiceStatusApplyConfiguration represents a declarative configuration of the ServiceStatus type for use
 // with apply.
+//
+// ServiceStatus represents the current status of a service.
 type ServiceStatusApplyConfiguration struct {
+	// LoadBalancer contains the current status of the load-balancer,
+	// if one is present.
 	LoadBalancer *LoadBalancerStatusApplyConfiguration `json:"loadBalancer,omitempty"`
-	Conditions   []metav1.ConditionApplyConfiguration  `json:"conditions,omitempty"`
+	// Current service state
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ServiceStatusApplyConfiguration constructs a declarative configuration of the ServiceStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sessionaffinityconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sessionaffinityconfig.go
index 13b045fffc829..18b7410f031af 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sessionaffinityconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sessionaffinityconfig.go
@@ -20,7 +20,10 @@ package v1
 
 // SessionAffinityConfigApplyConfiguration represents a declarative configuration of the SessionAffinityConfig type for use
 // with apply.
+//
+// SessionAffinityConfig represents the configurations of session affinity.
 type SessionAffinityConfigApplyConfiguration struct {
+	// clientIP contains the configurations of Client IP based session affinity.
 	ClientIP *ClientIPConfigApplyConfiguration `json:"clientIP,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sleepaction.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sleepaction.go
index b4115609b1a14..a74fec68c1366 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sleepaction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sleepaction.go
@@ -20,7 +20,10 @@ package v1
 
 // SleepActionApplyConfiguration represents a declarative configuration of the SleepAction type for use
 // with apply.
+//
+// SleepAction describes a "sleep" action.
 type SleepActionApplyConfiguration struct {
+	// Seconds is the number of seconds to sleep.
 	Seconds *int64 `json:"seconds,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageospersistentvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageospersistentvolumesource.go
index 7381a498e1f14..8aa7ea7ab39b7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageospersistentvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageospersistentvolumesource.go
@@ -20,12 +20,29 @@ package v1
 
 // StorageOSPersistentVolumeSourceApplyConfiguration represents a declarative configuration of the StorageOSPersistentVolumeSource type for use
 // with apply.
+//
+// Represents a StorageOS persistent volume resource.
 type StorageOSPersistentVolumeSourceApplyConfiguration struct {
-	VolumeName      *string                            `json:"volumeName,omitempty"`
-	VolumeNamespace *string                            `json:"volumeNamespace,omitempty"`
-	FSType          *string                            `json:"fsType,omitempty"`
-	ReadOnly        *bool                              `json:"readOnly,omitempty"`
-	SecretRef       *ObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// volumeName is the human-readable name of the StorageOS volume.  Volume
+	// names are only unique within a namespace.
+	VolumeName *string `json:"volumeName,omitempty"`
+	// volumeNamespace specifies the scope of the volume within StorageOS.  If no
+	// namespace is specified then the Pod's namespace will be used.  This allows the
+	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+	// Set VolumeName to any name to override the default behaviour.
+	// Set to "default" if you are not using namespaces within StorageOS.
+	// Namespaces that do not pre-exist within StorageOS will be created.
+	VolumeNamespace *string `json:"volumeNamespace,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// secretRef specifies the secret to use for obtaining the StorageOS API
+	// credentials.  If not specified, default values will be attempted.
+	SecretRef *ObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
 }
 
 // StorageOSPersistentVolumeSourceApplyConfiguration constructs a declarative configuration of the StorageOSPersistentVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageosvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageosvolumesource.go
index 81d9373c196f7..2419121e1a8a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageosvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/storageosvolumesource.go
@@ -20,12 +20,29 @@ package v1
 
 // StorageOSVolumeSourceApplyConfiguration represents a declarative configuration of the StorageOSVolumeSource type for use
 // with apply.
+//
+// Represents a StorageOS persistent volume resource.
 type StorageOSVolumeSourceApplyConfiguration struct {
-	VolumeName      *string                                 `json:"volumeName,omitempty"`
-	VolumeNamespace *string                                 `json:"volumeNamespace,omitempty"`
-	FSType          *string                                 `json:"fsType,omitempty"`
-	ReadOnly        *bool                                   `json:"readOnly,omitempty"`
-	SecretRef       *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
+	// volumeName is the human-readable name of the StorageOS volume.  Volume
+	// names are only unique within a namespace.
+	VolumeName *string `json:"volumeName,omitempty"`
+	// volumeNamespace specifies the scope of the volume within StorageOS.  If no
+	// namespace is specified then the Pod's namespace will be used.  This allows the
+	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+	// Set VolumeName to any name to override the default behaviour.
+	// Set to "default" if you are not using namespaces within StorageOS.
+	// Namespaces that do not pre-exist within StorageOS will be created.
+	VolumeNamespace *string `json:"volumeNamespace,omitempty"`
+	// fsType is the filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType *string `json:"fsType,omitempty"`
+	// readOnly defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// secretRef specifies the secret to use for obtaining the StorageOS API
+	// credentials.  If not specified, default values will be attempted.
+	SecretRef *LocalObjectReferenceApplyConfiguration `json:"secretRef,omitempty"`
 }
 
 // StorageOSVolumeSourceApplyConfiguration constructs a declarative configuration of the StorageOSVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sysctl.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sysctl.go
index 7719eb7d60628..5bb09a3a2cd9c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sysctl.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/sysctl.go
@@ -20,8 +20,12 @@ package v1
 
 // SysctlApplyConfiguration represents a declarative configuration of the Sysctl type for use
 // with apply.
+//
+// Sysctl defines a kernel parameter to be set
 type SysctlApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// Name of a property to set
+	Name *string `json:"name,omitempty"`
+	// Value of a property to set
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/taint.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/taint.go
index 4b9e43051fc19..6c4879806b7d1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/taint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/taint.go
@@ -25,11 +25,20 @@ import (
 
 // TaintApplyConfiguration represents a declarative configuration of the Taint type for use
 // with apply.
+//
+// The node this Taint is attached to has the "effect" on
+// any pod that does not tolerate the Taint.
 type TaintApplyConfiguration struct {
-	Key       *string             `json:"key,omitempty"`
-	Value     *string             `json:"value,omitempty"`
-	Effect    *corev1.TaintEffect `json:"effect,omitempty"`
-	TimeAdded *metav1.Time        `json:"timeAdded,omitempty"`
+	// Required. The taint key to be applied to a node.
+	Key *string `json:"key,omitempty"`
+	// The taint value corresponding to the taint key.
+	Value *string `json:"value,omitempty"`
+	// Required. The effect of the taint on pods
+	// that do not tolerate the taint.
+	// Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+	Effect *corev1.TaintEffect `json:"effect,omitempty"`
+	// TimeAdded represents the time at which the taint was added.
+	TimeAdded *metav1.Time `json:"timeAdded,omitempty"`
 }
 
 // TaintApplyConfiguration constructs a declarative configuration of the Taint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/tcpsocketaction.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/tcpsocketaction.go
index cba1a7d081610..ede78a3f6df79 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/tcpsocketaction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/tcpsocketaction.go
@@ -24,9 +24,15 @@ import (
 
 // TCPSocketActionApplyConfiguration represents a declarative configuration of the TCPSocketAction type for use
 // with apply.
+//
+// TCPSocketAction describes an action based on opening a socket
 type TCPSocketActionApplyConfiguration struct {
+	// Number or name of the port to access on the container.
+	// Number must be in the range 1 to 65535.
+	// Name must be an IANA_SVC_NAME.
 	Port *intstr.IntOrString `json:"port,omitempty"`
-	Host *string             `json:"host,omitempty"`
+	// Optional: Host name to connect to, defaults to the pod IP.
+	Host *string `json:"host,omitempty"`
 }
 
 // TCPSocketActionApplyConfiguration constructs a declarative configuration of the TCPSocketAction type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/toleration.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/toleration.go
index a0a0aac0032cd..1870cbf1865ae 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/toleration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/toleration.go
@@ -24,12 +24,30 @@ import (
 
 // TolerationApplyConfiguration represents a declarative configuration of the Toleration type for use
 // with apply.
+//
+// The pod this Toleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
 type TolerationApplyConfiguration struct {
-	Key               *string                    `json:"key,omitempty"`
-	Operator          *corev1.TolerationOperator `json:"operator,omitempty"`
-	Value             *string                    `json:"value,omitempty"`
-	Effect            *corev1.TaintEffect        `json:"effect,omitempty"`
-	TolerationSeconds *int64                     `json:"tolerationSeconds,omitempty"`
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	Key *string `json:"key,omitempty"`
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a pod can
+	// tolerate all taints of a particular category.
+	// Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+	Operator *corev1.TolerationOperator `json:"operator,omitempty"`
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value should be empty, otherwise just a regular string.
+	Value *string `json:"value,omitempty"`
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+	Effect *corev1.TaintEffect `json:"effect,omitempty"`
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty"`
 }
 
 // TolerationApplyConfiguration constructs a declarative configuration of the Toleration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorlabelrequirement.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorlabelrequirement.go
index 674ddec93ce7b..4f1a875f64cb4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorlabelrequirement.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorlabelrequirement.go
@@ -20,8 +20,14 @@ package v1
 
 // TopologySelectorLabelRequirementApplyConfiguration represents a declarative configuration of the TopologySelectorLabelRequirement type for use
 // with apply.
+//
+// A topology selector requirement is a selector that matches given label.
+// This is an alpha feature and may change in the future.
 type TopologySelectorLabelRequirementApplyConfiguration struct {
-	Key    *string  `json:"key,omitempty"`
+	// The label key that the selector applies to.
+	Key *string `json:"key,omitempty"`
+	// An array of string values. One value must match the label to be selected.
+	// Each entry in Values is ORed.
 	Values []string `json:"values,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorterm.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorterm.go
index 7812ae5204d76..2aaddefddef41 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorterm.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyselectorterm.go
@@ -20,7 +20,14 @@ package v1
 
 // TopologySelectorTermApplyConfiguration represents a declarative configuration of the TopologySelectorTerm type for use
 // with apply.
+//
+// A topology selector term represents the result of label queries.
+// A null or empty topology selector term matches no objects.
+// The requirements of them are ANDed.
+// It provides a subset of functionality as NodeSelectorTerm.
+// This is an alpha feature and may change in the future.
 type TopologySelectorTermApplyConfiguration struct {
+	// A list of topology selector requirements by labels.
 	MatchLabelExpressions []TopologySelectorLabelRequirementApplyConfiguration `json:"matchLabelExpressions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyspreadconstraint.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyspreadconstraint.go
index ab814e8e0908c..6bd28b1147a4b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyspreadconstraint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/topologyspreadconstraint.go
@@ -25,15 +25,107 @@ import (
 
 // TopologySpreadConstraintApplyConfiguration represents a declarative configuration of the TopologySpreadConstraint type for use
 // with apply.
+//
+// TopologySpreadConstraint specifies how to spread matching pods among the given topology.
 type TopologySpreadConstraintApplyConfiguration struct {
-	MaxSkew            *int32                                  `json:"maxSkew,omitempty"`
-	TopologyKey        *string                                 `json:"topologyKey,omitempty"`
-	WhenUnsatisfiable  *corev1.UnsatisfiableConstraintAction   `json:"whenUnsatisfiable,omitempty"`
-	LabelSelector      *metav1.LabelSelectorApplyConfiguration `json:"labelSelector,omitempty"`
-	MinDomains         *int32                                  `json:"minDomains,omitempty"`
-	NodeAffinityPolicy *corev1.NodeInclusionPolicy             `json:"nodeAffinityPolicy,omitempty"`
-	NodeTaintsPolicy   *corev1.NodeInclusionPolicy             `json:"nodeTaintsPolicy,omitempty"`
-	MatchLabelKeys     []string                                `json:"matchLabelKeys,omitempty"`
+	// MaxSkew describes the degree to which pods may be unevenly distributed.
+	// When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+	// between the number of matching pods in the target topology and the global minimum.
+	// The global minimum is the minimum number of matching pods in an eligible domain
+	// or zero if the number of eligible domains is less than MinDomains.
+	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+	// labelSelector spread as 2/2/1:
+	// In this case, the global minimum is 1.
+	// | zone1 | zone2 | zone3 |
+	// |  P P  |  P P  |   P   |
+	// - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+	// scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+	// violate MaxSkew(1).
+	// - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+	// When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+	// to topologies that satisfy it.
+	// It's a required field. Default value is 1 and 0 is not allowed.
+	MaxSkew *int32 `json:"maxSkew,omitempty"`
+	// TopologyKey is the key of node labels. Nodes that have a label with this key
+	// and identical values are considered to be in the same topology.
+	// We consider each <key, value> as a "bucket", and try to put balanced number
+	// of pods into each bucket.
+	// We define a domain as a particular instance of a topology.
+	// Also, we define an eligible domain as a domain whose nodes meet the requirements of
+	// nodeAffinityPolicy and nodeTaintsPolicy.
+	// e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+	// And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+	// It's a required field.
+	TopologyKey *string `json:"topologyKey,omitempty"`
+	// WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+	// the spread constraint.
+	// - DoNotSchedule (default) tells the scheduler not to schedule it.
+	// - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+	// but giving higher precedence to topologies that would help reduce the
+	// skew.
+	// A constraint is considered "Unsatisfiable" for an incoming pod
+	// if and only if every possible node assignment for that pod would violate
+	// "MaxSkew" on some topology.
+	// For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+	// labelSelector spread as 3/1/1:
+	// | zone1 | zone2 | zone3 |
+	// | P P P |   P   |   P   |
+	// If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+	// to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+	// MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+	// won't make it *more* imbalanced.
+	// It's a required field.
+	WhenUnsatisfiable *corev1.UnsatisfiableConstraintAction `json:"whenUnsatisfiable,omitempty"`
+	// LabelSelector is used to find matching pods.
+	// Pods that match this label selector are counted to determine the number of pods
+	// in their corresponding topology domain.
+	LabelSelector *metav1.LabelSelectorApplyConfiguration `json:"labelSelector,omitempty"`
+	// MinDomains indicates a minimum number of eligible domains.
+	// When the number of eligible domains with matching topology keys is less than minDomains,
+	// Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+	// And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+	// this value has no effect on scheduling.
+	// As a result, when the number of eligible domains is less than minDomains,
+	// scheduler won't schedule more than maxSkew Pods to those domains.
+	// If value is nil, the constraint behaves as if MinDomains is equal to 1.
+	// Valid values are integers greater than 0.
+	// When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+	//
+	// For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+	// labelSelector spread as 2/2/2:
+	// | zone1 | zone2 | zone3 |
+	// |  P P  |  P P  |  P P  |
+	// The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+	// In this situation, new pod with the same labelSelector cannot be scheduled,
+	// because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+	// it will violate MaxSkew.
+	MinDomains *int32 `json:"minDomains,omitempty"`
+	// NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+	// when calculating pod topology spread skew. Options are:
+	// - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+	// - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+	//
+	// If this value is nil, the behavior is equivalent to the Honor policy.
+	NodeAffinityPolicy *corev1.NodeInclusionPolicy `json:"nodeAffinityPolicy,omitempty"`
+	// NodeTaintsPolicy indicates how we will treat node taints when calculating
+	// pod topology spread skew. Options are:
+	// - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+	// has a toleration, are included.
+	// - Ignore: node taints are ignored. All nodes are included.
+	//
+	// If this value is nil, the behavior is equivalent to the Ignore policy.
+	NodeTaintsPolicy *corev1.NodeInclusionPolicy `json:"nodeTaintsPolicy,omitempty"`
+	// MatchLabelKeys is a set of pod label keys to select the pods over which
+	// spreading will be calculated. The keys are used to lookup values from the
+	// incoming pod labels, those key-value labels are ANDed with labelSelector
+	// to select the group of existing pods over which spreading will be calculated
+	// for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+	// MatchLabelKeys cannot be set when LabelSelector isn't set.
+	// Keys that don't exist in the incoming pod labels will
+	// be ignored. A null or empty list means only match against labelSelector.
+	//
+	// This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+	MatchLabelKeys []string `json:"matchLabelKeys,omitempty"`
 }
 
 // TopologySpreadConstraintApplyConfiguration constructs a declarative configuration of the TopologySpreadConstraint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedlocalobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedlocalobjectreference.go
index 1e63b79889e5b..5864532adb3f5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedlocalobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedlocalobjectreference.go
@@ -20,10 +20,32 @@ package v1
 
 // TypedLocalObjectReferenceApplyConfiguration represents a declarative configuration of the TypedLocalObjectReference type for use
 // with apply.
+//
+// TypedLocalObjectReference contains enough information to let you locate the
+// typed referenced object inside the same namespace.
+// ---
+// New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
+// 1. Invalid usage help.  It is impossible to add specific help for individual usage.  In most embedded usages, there are particular
+// restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
+// Those cannot be well described when embedded.
+// 2. Inconsistent validation.  Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
+// 3. The fields are both imprecise and overly precise.  Kind is not a precise mapping to a URL. This can produce ambiguity
+// during interpretation and require a REST mapping.  In most cases, the dependency is on the group,resource tuple
+// and the version of the actual struct is irrelevant.
+// 4. We cannot easily change it.  Because this type is embedded in many locations, updates to this type
+// will affect numerous schemas.  Don't make new APIs embed an underspecified API type they do not control.
+//
+// Instead of using this type, create a locally provided and used type that is well-focused on your reference.
+// For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
 type TypedLocalObjectReferenceApplyConfiguration struct {
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is not specified, the specified Kind must be in the core API group.
+	// For any other third-party types, APIGroup is required.
 	APIGroup *string `json:"apiGroup,omitempty"`
-	Kind     *string `json:"kind,omitempty"`
-	Name     *string `json:"name,omitempty"`
+	// Kind is the type of resource being referenced
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced
+	Name *string `json:"name,omitempty"`
 }
 
 // TypedLocalObjectReferenceApplyConfiguration constructs a declarative configuration of the TypedLocalObjectReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedobjectreference.go
index f07de8902e602..f2eab829e28cb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedobjectreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/typedobjectreference.go
@@ -20,10 +20,20 @@ package v1
 
 // TypedObjectReferenceApplyConfiguration represents a declarative configuration of the TypedObjectReference type for use
 // with apply.
+//
+// TypedObjectReference contains enough information to let you locate the typed referenced object
 type TypedObjectReferenceApplyConfiguration struct {
-	APIGroup  *string `json:"apiGroup,omitempty"`
-	Kind      *string `json:"kind,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is not specified, the specified Kind must be in the core API group.
+	// For any other third-party types, APIGroup is required.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Kind is the type of resource being referenced
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced
+	Name *string `json:"name,omitempty"`
+	// Namespace is the namespace of resource being referenced
+	// Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+	// (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volume.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volume.go
index e47cd031dd3de..2e4c0e6ad65a2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volume.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volume.go
@@ -20,8 +20,16 @@ package v1
 
 // VolumeApplyConfiguration represents a declarative configuration of the Volume type for use
 // with apply.
+//
+// Volume represents a named volume in a pod that may be accessed by any container in the pod.
 type VolumeApplyConfiguration struct {
-	Name                           *string `json:"name,omitempty"`
+	// name of the volume.
+	// Must be a DNS_LABEL and unique within the pod.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// volumeSource represents the location and type of the mounted volume.
+	// If not specified, the Volume is implied to be an EmptyDir.
+	// This implied behavior is deprecated and will be removed in a future version.
 	VolumeSourceApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumedevice.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumedevice.go
index 0bc52aad2a1e4..ce4f766c77524 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumedevice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumedevice.go
@@ -20,8 +20,12 @@ package v1
 
 // VolumeDeviceApplyConfiguration represents a declarative configuration of the VolumeDevice type for use
 // with apply.
+//
+// volumeDevice describes a mapping of a raw block device within a container.
 type VolumeDeviceApplyConfiguration struct {
-	Name       *string `json:"name,omitempty"`
+	// name must match the name of a persistentVolumeClaim in the pod
+	Name *string `json:"name,omitempty"`
+	// devicePath is the path inside of the container that the device will be mapped to.
 	DevicePath *string `json:"devicePath,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemount.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemount.go
index ccd426a0cff9e..83b71eb659015 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemount.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemount.go
@@ -24,14 +24,49 @@ import (
 
 // VolumeMountApplyConfiguration represents a declarative configuration of the VolumeMount type for use
 // with apply.
+//
+// VolumeMount describes a mounting of a Volume within a container.
 type VolumeMountApplyConfiguration struct {
-	Name              *string                       `json:"name,omitempty"`
-	ReadOnly          *bool                         `json:"readOnly,omitempty"`
+	// This must match the Name of a Volume.
+	Name *string `json:"name,omitempty"`
+	// Mounted read-only if true, read-write otherwise (false or unspecified).
+	// Defaults to false.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// RecursiveReadOnly specifies whether read-only mounts should be handled
+	// recursively.
+	//
+	// If ReadOnly is false, this field has no meaning and must be unspecified.
+	//
+	// If ReadOnly is true, and this field is set to Disabled, the mount is not made
+	// recursively read-only.  If this field is set to IfPossible, the mount is made
+	// recursively read-only, if it is supported by the container runtime.  If this
+	// field is set to Enabled, the mount is made recursively read-only if it is
+	// supported by the container runtime, otherwise the pod will not be started and
+	// an error will be generated to indicate the reason.
+	//
+	// If this field is set to IfPossible or Enabled, MountPropagation must be set to
+	// None (or be unspecified, which defaults to None).
+	//
+	// If this field is not specified, it is treated as an equivalent of Disabled.
 	RecursiveReadOnly *corev1.RecursiveReadOnlyMode `json:"recursiveReadOnly,omitempty"`
-	MountPath         *string                       `json:"mountPath,omitempty"`
-	SubPath           *string                       `json:"subPath,omitempty"`
-	MountPropagation  *corev1.MountPropagationMode  `json:"mountPropagation,omitempty"`
-	SubPathExpr       *string                       `json:"subPathExpr,omitempty"`
+	// Path within the container at which the volume should be mounted.  Must
+	// not contain ':'.
+	MountPath *string `json:"mountPath,omitempty"`
+	// Path within the volume from which the container's volume should be mounted.
+	// Defaults to "" (volume's root).
+	SubPath *string `json:"subPath,omitempty"`
+	// mountPropagation determines how mounts are propagated from the host
+	// to container and the other way around.
+	// When not set, MountPropagationNone is used.
+	// This field is beta in 1.10.
+	// When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+	// (which defaults to None).
+	MountPropagation *corev1.MountPropagationMode `json:"mountPropagation,omitempty"`
+	// Expanded path within the volume from which the container's volume should be mounted.
+	// Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+	// Defaults to "" (volume's root).
+	// SubPathExpr and SubPath are mutually exclusive.
+	SubPathExpr *string `json:"subPathExpr,omitempty"`
 }
 
 // VolumeMountApplyConfiguration constructs a declarative configuration of the VolumeMount type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemountstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemountstatus.go
index f55c407235e4c..ad4965a17d23b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemountstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumemountstatus.go
@@ -24,10 +24,18 @@ import (
 
 // VolumeMountStatusApplyConfiguration represents a declarative configuration of the VolumeMountStatus type for use
 // with apply.
+//
+// VolumeMountStatus shows status of volume mounts.
 type VolumeMountStatusApplyConfiguration struct {
-	Name              *string                       `json:"name,omitempty"`
-	MountPath         *string                       `json:"mountPath,omitempty"`
-	ReadOnly          *bool                         `json:"readOnly,omitempty"`
+	// Name corresponds to the name of the original VolumeMount.
+	Name *string `json:"name,omitempty"`
+	// MountPath corresponds to the original VolumeMount.
+	MountPath *string `json:"mountPath,omitempty"`
+	// ReadOnly corresponds to the original VolumeMount.
+	ReadOnly *bool `json:"readOnly,omitempty"`
+	// RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts).
+	// An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled,
+	// depending on the mount result.
 	RecursiveReadOnly *corev1.RecursiveReadOnlyMode `json:"recursiveReadOnly,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumenodeaffinity.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumenodeaffinity.go
index 9198c25dc8893..3719b829f9fd2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumenodeaffinity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumenodeaffinity.go
@@ -20,7 +20,10 @@ package v1
 
 // VolumeNodeAffinityApplyConfiguration represents a declarative configuration of the VolumeNodeAffinity type for use
 // with apply.
+//
+// VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.
 type VolumeNodeAffinityApplyConfiguration struct {
+	// required specifies hard node constraints that must be met.
 	Required *NodeSelectorApplyConfiguration `json:"required,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeprojection.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeprojection.go
index 28d9e5679b342..b6f493d075928 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeprojection.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeprojection.go
@@ -20,13 +20,67 @@ package v1
 
 // VolumeProjectionApplyConfiguration represents a declarative configuration of the VolumeProjection type for use
 // with apply.
+//
+// Projection that may be projected along with other supported volume types.
+// Exactly one of these fields must be set.
 type VolumeProjectionApplyConfiguration struct {
-	Secret              *SecretProjectionApplyConfiguration              `json:"secret,omitempty"`
-	DownwardAPI         *DownwardAPIProjectionApplyConfiguration         `json:"downwardAPI,omitempty"`
-	ConfigMap           *ConfigMapProjectionApplyConfiguration           `json:"configMap,omitempty"`
+	// secret information about the secret data to project
+	Secret *SecretProjectionApplyConfiguration `json:"secret,omitempty"`
+	// downwardAPI information about the downwardAPI data to project
+	DownwardAPI *DownwardAPIProjectionApplyConfiguration `json:"downwardAPI,omitempty"`
+	// configMap information about the configMap data to project
+	ConfigMap *ConfigMapProjectionApplyConfiguration `json:"configMap,omitempty"`
+	// serviceAccountToken is information about the serviceAccountToken data to project
 	ServiceAccountToken *ServiceAccountTokenProjectionApplyConfiguration `json:"serviceAccountToken,omitempty"`
-	ClusterTrustBundle  *ClusterTrustBundleProjectionApplyConfiguration  `json:"clusterTrustBundle,omitempty"`
-	PodCertificate      *PodCertificateProjectionApplyConfiguration      `json:"podCertificate,omitempty"`
+	// ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+	// of ClusterTrustBundle objects in an auto-updating file.
+	//
+	// Alpha, gated by the ClusterTrustBundleProjection feature gate.
+	//
+	// ClusterTrustBundle objects can either be selected by name, or by the
+	// combination of signer name and a label selector.
+	//
+	// Kubelet performs aggressive normalization of the PEM contents written
+	// into the pod filesystem.  Esoteric PEM features such as inter-block
+	// comments and block headers are stripped.  Certificates are deduplicated.
+	// The ordering of certificates within the file is arbitrary, and Kubelet
+	// may change the order over time.
+	ClusterTrustBundle *ClusterTrustBundleProjectionApplyConfiguration `json:"clusterTrustBundle,omitempty"`
+	// Projects an auto-rotating credential bundle (private key and certificate
+	// chain) that the pod can use either as a TLS client or server.
+	//
+	// Kubelet generates a private key and uses it to send a
+	// PodCertificateRequest to the named signer.  Once the signer approves the
+	// request and issues a certificate chain, Kubelet writes the key and
+	// certificate chain to the pod filesystem.  The pod does not start until
+	// certificates have been issued for each podCertificate projected volume
+	// source in its spec.
+	//
+	// Kubelet will begin trying to rotate the certificate at the time indicated
+	// by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+	// timestamp.
+	//
+	// Kubelet can write a single file, indicated by the credentialBundlePath
+	// field, or separate files, indicated by the keyPath and
+	// certificateChainPath fields.
+	//
+	// The credential bundle is a single file in PEM format.  The first PEM
+	// entry is the private key (in PKCS#8 format), and the remaining PEM
+	// entries are the certificate chain issued by the signer (typically,
+	// signers will return their certificate chain in leaf-to-root order).
+	//
+	// Prefer using the credential bundle format, since your application code
+	// can read it atomically.  If you use keyPath and certificateChainPath,
+	// your application must make two separate file reads. If these coincide
+	// with a certificate rotation, it is possible that the private key and leaf
+	// certificate you read may not correspond to each other.  Your application
+	// will need to check for this condition, and re-read until they are
+	// consistent.
+	//
+	// The named signer controls chooses the format of the certificate it
+	// issues; consult the signer implementation's documentation to learn how to
+	// use the certificates it issues.
+	PodCertificate *PodCertificateProjectionApplyConfiguration `json:"podCertificate,omitempty"`
 }
 
 // VolumeProjectionApplyConfiguration constructs a declarative configuration of the VolumeProjection type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeresourcerequirements.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeresourcerequirements.go
index 5c83ae6d45e59..64f52bed557db 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeresourcerequirements.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumeresourcerequirements.go
@@ -24,8 +24,16 @@ import (
 
 // VolumeResourceRequirementsApplyConfiguration represents a declarative configuration of the VolumeResourceRequirements type for use
 // with apply.
+//
+// VolumeResourceRequirements describes the storage resource requirements for a volume.
 type VolumeResourceRequirementsApplyConfiguration struct {
-	Limits   *corev1.ResourceList `json:"limits,omitempty"`
+	// Limits describes the maximum amount of compute resources allowed.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	Limits *corev1.ResourceList `json:"limits,omitempty"`
+	// Requests describes the minimum amount of compute resources required.
+	// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+	// otherwise to an implementation-defined value. Requests cannot exceed Limits.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	Requests *corev1.ResourceList `json:"requests,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumesource.go
index aeead953cf596..5d9a6b0f6d3ac 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/volumesource.go
@@ -20,37 +20,153 @@ package v1
 
 // VolumeSourceApplyConfiguration represents a declarative configuration of the VolumeSource type for use
 // with apply.
+//
+// Represents the source of a volume to mount.
+// Only one of its members may be specified.
 type VolumeSourceApplyConfiguration struct {
-	HostPath              *HostPathVolumeSourceApplyConfiguration              `json:"hostPath,omitempty"`
-	EmptyDir              *EmptyDirVolumeSourceApplyConfiguration              `json:"emptyDir,omitempty"`
-	GCEPersistentDisk     *GCEPersistentDiskVolumeSourceApplyConfiguration     `json:"gcePersistentDisk,omitempty"`
-	AWSElasticBlockStore  *AWSElasticBlockStoreVolumeSourceApplyConfiguration  `json:"awsElasticBlockStore,omitempty"`
-	GitRepo               *GitRepoVolumeSourceApplyConfiguration               `json:"gitRepo,omitempty"`
-	Secret                *SecretVolumeSourceApplyConfiguration                `json:"secret,omitempty"`
-	NFS                   *NFSVolumeSourceApplyConfiguration                   `json:"nfs,omitempty"`
-	ISCSI                 *ISCSIVolumeSourceApplyConfiguration                 `json:"iscsi,omitempty"`
-	Glusterfs             *GlusterfsVolumeSourceApplyConfiguration             `json:"glusterfs,omitempty"`
+	// hostPath represents a pre-existing file or directory on the host
+	// machine that is directly exposed to the container. This is generally
+	// used for system agents or other privileged things that are allowed
+	// to see the host machine. Most containers will NOT need this.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	// ---
+	// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
+	// mount host directories as read/write.
+	HostPath *HostPathVolumeSourceApplyConfiguration `json:"hostPath,omitempty"`
+	// emptyDir represents a temporary directory that shares a pod's lifetime.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+	EmptyDir *EmptyDirVolumeSourceApplyConfiguration `json:"emptyDir,omitempty"`
+	// gcePersistentDisk represents a GCE Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+	// gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	GCEPersistentDisk *GCEPersistentDiskVolumeSourceApplyConfiguration `json:"gcePersistentDisk,omitempty"`
+	// awsElasticBlockStore represents an AWS Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+	// awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	AWSElasticBlockStore *AWSElasticBlockStoreVolumeSourceApplyConfiguration `json:"awsElasticBlockStore,omitempty"`
+	// gitRepo represents a git repository at a particular revision.
+	// Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+	// EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+	// into the Pod's container.
+	GitRepo *GitRepoVolumeSourceApplyConfiguration `json:"gitRepo,omitempty"`
+	// secret represents a secret that should populate this volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	Secret *SecretVolumeSourceApplyConfiguration `json:"secret,omitempty"`
+	// nfs represents an NFS mount on the host that shares a pod's lifetime
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	NFS *NFSVolumeSourceApplyConfiguration `json:"nfs,omitempty"`
+	// iscsi represents an ISCSI Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+	ISCSI *ISCSIVolumeSourceApplyConfiguration `json:"iscsi,omitempty"`
+	// glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+	// Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+	Glusterfs *GlusterfsVolumeSourceApplyConfiguration `json:"glusterfs,omitempty"`
+	// persistentVolumeClaimVolumeSource represents a reference to a
+	// PersistentVolumeClaim in the same namespace.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
 	PersistentVolumeClaim *PersistentVolumeClaimVolumeSourceApplyConfiguration `json:"persistentVolumeClaim,omitempty"`
-	RBD                   *RBDVolumeSourceApplyConfiguration                   `json:"rbd,omitempty"`
-	FlexVolume            *FlexVolumeSourceApplyConfiguration                  `json:"flexVolume,omitempty"`
-	Cinder                *CinderVolumeSourceApplyConfiguration                `json:"cinder,omitempty"`
-	CephFS                *CephFSVolumeSourceApplyConfiguration                `json:"cephfs,omitempty"`
-	Flocker               *FlockerVolumeSourceApplyConfiguration               `json:"flocker,omitempty"`
-	DownwardAPI           *DownwardAPIVolumeSourceApplyConfiguration           `json:"downwardAPI,omitempty"`
-	FC                    *FCVolumeSourceApplyConfiguration                    `json:"fc,omitempty"`
-	AzureFile             *AzureFileVolumeSourceApplyConfiguration             `json:"azureFile,omitempty"`
-	ConfigMap             *ConfigMapVolumeSourceApplyConfiguration             `json:"configMap,omitempty"`
-	VsphereVolume         *VsphereVirtualDiskVolumeSourceApplyConfiguration    `json:"vsphereVolume,omitempty"`
-	Quobyte               *QuobyteVolumeSourceApplyConfiguration               `json:"quobyte,omitempty"`
-	AzureDisk             *AzureDiskVolumeSourceApplyConfiguration             `json:"azureDisk,omitempty"`
-	PhotonPersistentDisk  *PhotonPersistentDiskVolumeSourceApplyConfiguration  `json:"photonPersistentDisk,omitempty"`
-	Projected             *ProjectedVolumeSourceApplyConfiguration             `json:"projected,omitempty"`
-	PortworxVolume        *PortworxVolumeSourceApplyConfiguration              `json:"portworxVolume,omitempty"`
-	ScaleIO               *ScaleIOVolumeSourceApplyConfiguration               `json:"scaleIO,omitempty"`
-	StorageOS             *StorageOSVolumeSourceApplyConfiguration             `json:"storageos,omitempty"`
-	CSI                   *CSIVolumeSourceApplyConfiguration                   `json:"csi,omitempty"`
-	Ephemeral             *EphemeralVolumeSourceApplyConfiguration             `json:"ephemeral,omitempty"`
-	Image                 *ImageVolumeSourceApplyConfiguration                 `json:"image,omitempty"`
+	// rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+	// Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+	RBD *RBDVolumeSourceApplyConfiguration `json:"rbd,omitempty"`
+	// flexVolume represents a generic volume resource that is
+	// provisioned/attached using an exec based plugin.
+	// Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+	FlexVolume *FlexVolumeSourceApplyConfiguration `json:"flexVolume,omitempty"`
+	// cinder represents a cinder volume attached and mounted on kubelets host machine.
+	// Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+	// are redirected to the cinder.csi.openstack.org CSI driver.
+	// More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+	Cinder *CinderVolumeSourceApplyConfiguration `json:"cinder,omitempty"`
+	// cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+	// Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+	CephFS *CephFSVolumeSourceApplyConfiguration `json:"cephfs,omitempty"`
+	// flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+	// Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+	Flocker *FlockerVolumeSourceApplyConfiguration `json:"flocker,omitempty"`
+	// downwardAPI represents downward API about the pod that should populate this volume
+	DownwardAPI *DownwardAPIVolumeSourceApplyConfiguration `json:"downwardAPI,omitempty"`
+	// fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+	FC *FCVolumeSourceApplyConfiguration `json:"fc,omitempty"`
+	// azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+	// Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+	// are redirected to the file.csi.azure.com CSI driver.
+	AzureFile *AzureFileVolumeSourceApplyConfiguration `json:"azureFile,omitempty"`
+	// configMap represents a configMap that should populate this volume
+	ConfigMap *ConfigMapVolumeSourceApplyConfiguration `json:"configMap,omitempty"`
+	// vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+	// Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+	// are redirected to the csi.vsphere.vmware.com CSI driver.
+	VsphereVolume *VsphereVirtualDiskVolumeSourceApplyConfiguration `json:"vsphereVolume,omitempty"`
+	// quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+	// Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+	Quobyte *QuobyteVolumeSourceApplyConfiguration `json:"quobyte,omitempty"`
+	// azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+	// Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+	// are redirected to the disk.csi.azure.com CSI driver.
+	AzureDisk *AzureDiskVolumeSourceApplyConfiguration `json:"azureDisk,omitempty"`
+	// photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+	// Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+	PhotonPersistentDisk *PhotonPersistentDiskVolumeSourceApplyConfiguration `json:"photonPersistentDisk,omitempty"`
+	// projected items for all in one resources secrets, configmaps, and downward API
+	Projected *ProjectedVolumeSourceApplyConfiguration `json:"projected,omitempty"`
+	// portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+	// Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+	// are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+	// is on.
+	PortworxVolume *PortworxVolumeSourceApplyConfiguration `json:"portworxVolume,omitempty"`
+	// scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+	// Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+	ScaleIO *ScaleIOVolumeSourceApplyConfiguration `json:"scaleIO,omitempty"`
+	// storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+	// Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+	StorageOS *StorageOSVolumeSourceApplyConfiguration `json:"storageos,omitempty"`
+	// csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers.
+	CSI *CSIVolumeSourceApplyConfiguration `json:"csi,omitempty"`
+	// ephemeral represents a volume that is handled by a cluster storage driver.
+	// The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+	// and deleted when the pod is removed.
+	//
+	// Use this if:
+	// a) the volume is only needed while the pod runs,
+	// b) features of normal volumes like restoring from snapshot or capacity
+	// tracking are needed,
+	// c) the storage driver is specified through a storage class, and
+	// d) the storage driver supports dynamic volume provisioning through
+	// a PersistentVolumeClaim (see EphemeralVolumeSource for more
+	// information on the connection between this volume type
+	// and PersistentVolumeClaim).
+	//
+	// Use PersistentVolumeClaim or one of the vendor-specific
+	// APIs for volumes that persist for longer than the lifecycle
+	// of an individual pod.
+	//
+	// Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+	// be used that way - see the documentation of the driver for
+	// more information.
+	//
+	// A pod can use both types of ephemeral volumes and
+	// persistent volumes at the same time.
+	Ephemeral *EphemeralVolumeSourceApplyConfiguration `json:"ephemeral,omitempty"`
+	// image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+	// The volume is resolved at pod startup depending on which PullPolicy value is provided:
+	//
+	// - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+	// - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+	// - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+	//
+	// The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+	// A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+	// The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+	// The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+	// The volume will be mounted read-only (ro) and non-executable files (noexec).
+	// Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+	// The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+	Image *ImageVolumeSourceApplyConfiguration `json:"image,omitempty"`
 }
 
 // VolumeSourceApplyConfiguration constructs a declarative configuration of the VolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/vspherevirtualdiskvolumesource.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/vspherevirtualdiskvolumesource.go
index ea8fd8d62e374..f32a4211f45fd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/vspherevirtualdiskvolumesource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/vspherevirtualdiskvolumesource.go
@@ -20,11 +20,19 @@ package v1
 
 // VsphereVirtualDiskVolumeSourceApplyConfiguration represents a declarative configuration of the VsphereVirtualDiskVolumeSource type for use
 // with apply.
+//
+// Represents a vSphere volume resource.
 type VsphereVirtualDiskVolumeSourceApplyConfiguration struct {
-	VolumePath        *string `json:"volumePath,omitempty"`
-	FSType            *string `json:"fsType,omitempty"`
+	// volumePath is the path that identifies vSphere volume vmdk
+	VolumePath *string `json:"volumePath,omitempty"`
+	// fsType is filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType *string `json:"fsType,omitempty"`
+	// storagePolicyName is the storage Policy Based Management (SPBM) profile name.
 	StoragePolicyName *string `json:"storagePolicyName,omitempty"`
-	StoragePolicyID   *string `json:"storagePolicyID,omitempty"`
+	// storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+	StoragePolicyID *string `json:"storagePolicyID,omitempty"`
 }
 
 // VsphereVirtualDiskVolumeSourceApplyConfiguration constructs a declarative configuration of the VsphereVirtualDiskVolumeSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/weightedpodaffinityterm.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/weightedpodaffinityterm.go
index c49ef93eb4b72..dea0cbb791f41 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/weightedpodaffinityterm.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/weightedpodaffinityterm.go
@@ -20,8 +20,13 @@ package v1
 
 // WeightedPodAffinityTermApplyConfiguration represents a declarative configuration of the WeightedPodAffinityTerm type for use
 // with apply.
+//
+// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
 type WeightedPodAffinityTermApplyConfiguration struct {
-	Weight          *int32                             `json:"weight,omitempty"`
+	// weight associated with matching the corresponding podAffinityTerm,
+	// in the range 1-100.
+	Weight *int32 `json:"weight,omitempty"`
+	// Required. A pod affinity term, associated with the corresponding weight.
 	PodAffinityTerm *PodAffinityTermApplyConfiguration `json:"podAffinityTerm,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/windowssecuritycontextoptions.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/windowssecuritycontextoptions.go
index bb37a500b48eb..8ad2ce999af3c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/windowssecuritycontextoptions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/windowssecuritycontextoptions.go
@@ -20,11 +20,25 @@ package v1
 
 // WindowsSecurityContextOptionsApplyConfiguration represents a declarative configuration of the WindowsSecurityContextOptions type for use
 // with apply.
+//
+// WindowsSecurityContextOptions contain Windows-specific options and credentials.
 type WindowsSecurityContextOptionsApplyConfiguration struct {
+	// GMSACredentialSpecName is the name of the GMSA credential spec to use.
 	GMSACredentialSpecName *string `json:"gmsaCredentialSpecName,omitempty"`
-	GMSACredentialSpec     *string `json:"gmsaCredentialSpec,omitempty"`
-	RunAsUserName          *string `json:"runAsUserName,omitempty"`
-	HostProcess            *bool   `json:"hostProcess,omitempty"`
+	// GMSACredentialSpec is where the GMSA admission webhook
+	// (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+	// GMSA credential spec named by the GMSACredentialSpecName field.
+	GMSACredentialSpec *string `json:"gmsaCredentialSpec,omitempty"`
+	// The UserName in Windows to run the entrypoint of the container process.
+	// Defaults to the user specified in image metadata if unspecified.
+	// May also be set in PodSecurityContext. If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	RunAsUserName *string `json:"runAsUserName,omitempty"`
+	// HostProcess determines if a container should be run as a 'Host Process' container.
+	// All of a Pod's containers must have the same effective HostProcess value
+	// (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+	// In addition, if HostProcess is true then HostNetwork must also be set to true.
+	HostProcess *bool `json:"hostProcess,omitempty"`
 }
 
 // WindowsSecurityContextOptionsApplyConfiguration constructs a declarative configuration of the WindowsSecurityContextOptions type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/core/v1/workloadreference.go b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/workloadreference.go
new file mode 100644
index 0000000000000..758c4517dfd67
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/core/v1/workloadreference.go
@@ -0,0 +1,74 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// WorkloadReferenceApplyConfiguration represents a declarative configuration of the WorkloadReference type for use
+// with apply.
+//
+// WorkloadReference identifies the Workload object and PodGroup membership
+// that a Pod belongs to. The scheduler uses this information to apply
+// workload-aware scheduling semantics.
+type WorkloadReferenceApplyConfiguration struct {
+	// Name defines the name of the Workload object this Pod belongs to.
+	// Workload must be in the same namespace as the Pod.
+	// If it doesn't match any existing Workload, the Pod will remain unschedulable
+	// until a Workload object is created and observed by the kube-scheduler.
+	// It must be a DNS subdomain.
+	Name *string `json:"name,omitempty"`
+	// PodGroup is the name of the PodGroup within the Workload that this Pod
+	// belongs to. If it doesn't match any existing PodGroup within the Workload,
+	// the Pod will remain unschedulable until the Workload object is recreated
+	// and observed by the kube-scheduler. It must be a DNS label.
+	PodGroup *string `json:"podGroup,omitempty"`
+	// PodGroupReplicaKey specifies the replica key of the PodGroup to which this
+	// Pod belongs. It is used to distinguish pods belonging to different replicas
+	// of the same pod group. The pod group policy is applied separately to each replica.
+	// When set, it must be a DNS label.
+	PodGroupReplicaKey *string `json:"podGroupReplicaKey,omitempty"`
+}
+
+// WorkloadReferenceApplyConfiguration constructs a declarative configuration of the WorkloadReference type for use with
+// apply.
+func WorkloadReference() *WorkloadReferenceApplyConfiguration {
+	return &WorkloadReferenceApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *WorkloadReferenceApplyConfiguration) WithName(value string) *WorkloadReferenceApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithPodGroup sets the PodGroup field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodGroup field is set to the value of the last call.
+func (b *WorkloadReferenceApplyConfiguration) WithPodGroup(value string) *WorkloadReferenceApplyConfiguration {
+	b.PodGroup = &value
+	return b
+}
+
+// WithPodGroupReplicaKey sets the PodGroupReplicaKey field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodGroupReplicaKey field is set to the value of the last call.
+func (b *WorkloadReferenceApplyConfiguration) WithPodGroupReplicaKey(value string) *WorkloadReferenceApplyConfiguration {
+	b.PodGroupReplicaKey = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpoint.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpoint.go
index df45a6fb8aa3a..950dc52e93b95 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpoint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpoint.go
@@ -24,15 +24,42 @@ import (
 
 // EndpointApplyConfiguration represents a declarative configuration of the Endpoint type for use
 // with apply.
+//
+// Endpoint represents a single logical "backend" implementing a service.
 type EndpointApplyConfiguration struct {
-	Addresses          []string                                  `json:"addresses,omitempty"`
-	Conditions         *EndpointConditionsApplyConfiguration     `json:"conditions,omitempty"`
-	Hostname           *string                                   `json:"hostname,omitempty"`
-	TargetRef          *corev1.ObjectReferenceApplyConfiguration `json:"targetRef,omitempty"`
-	DeprecatedTopology map[string]string                         `json:"deprecatedTopology,omitempty"`
-	NodeName           *string                                   `json:"nodeName,omitempty"`
-	Zone               *string                                   `json:"zone,omitempty"`
-	Hints              *EndpointHintsApplyConfiguration          `json:"hints,omitempty"`
+	// addresses of this endpoint. For EndpointSlices of addressType "IPv4" or "IPv6",
+	// the values are IP addresses in canonical form. The syntax and semantics of
+	// other addressType values are not defined. This must contain at least one
+	// address but no more than 100. EndpointSlices generated by the EndpointSlice
+	// controller will always have exactly 1 address. No semantics are defined for
+	// additional addresses beyond the first, and kube-proxy does not look at them.
+	Addresses []string `json:"addresses,omitempty"`
+	// conditions contains information about the current status of the endpoint.
+	Conditions *EndpointConditionsApplyConfiguration `json:"conditions,omitempty"`
+	// hostname of this endpoint. This field may be used by consumers of
+	// endpoints to distinguish endpoints from each other (e.g. in DNS names).
+	// Multiple endpoints which use the same hostname should be considered
+	// fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
+	// Label (RFC 1123) validation.
+	Hostname *string `json:"hostname,omitempty"`
+	// targetRef is a reference to a Kubernetes object that represents this
+	// endpoint.
+	TargetRef *corev1.ObjectReferenceApplyConfiguration `json:"targetRef,omitempty"`
+	// deprecatedTopology contains topology information part of the v1beta1
+	// API. This field is deprecated, and will be removed when the v1beta1
+	// API is removed (no sooner than kubernetes v1.24).  While this field can
+	// hold values, it is not writable through the v1 API, and any attempts to
+	// write to it will be silently ignored. Topology information can be found
+	// in the zone and nodeName fields instead.
+	DeprecatedTopology map[string]string `json:"deprecatedTopology,omitempty"`
+	// nodeName represents the name of the Node hosting this endpoint. This can
+	// be used to determine endpoints local to a Node.
+	NodeName *string `json:"nodeName,omitempty"`
+	// zone is the name of the Zone this endpoint exists in.
+	Zone *string `json:"zone,omitempty"`
+	// hints contains information associated with how an endpoint should be
+	// consumed.
+	Hints *EndpointHintsApplyConfiguration `json:"hints,omitempty"`
 }
 
 // EndpointApplyConfiguration constructs a declarative configuration of the Endpoint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointconditions.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointconditions.go
index 20f0b97124af2..abd46414b5d5e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointconditions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointconditions.go
@@ -20,9 +20,24 @@ package v1
 
 // EndpointConditionsApplyConfiguration represents a declarative configuration of the EndpointConditions type for use
 // with apply.
+//
+// EndpointConditions represents the current condition of an endpoint.
 type EndpointConditionsApplyConfiguration struct {
-	Ready       *bool `json:"ready,omitempty"`
-	Serving     *bool `json:"serving,omitempty"`
+	// ready indicates that this endpoint is ready to receive traffic,
+	// according to whatever system is managing the endpoint. A nil value
+	// should be interpreted as "true". In general, an endpoint should be
+	// marked ready if it is serving and not terminating, though this can
+	// be overridden in some cases, such as when the associated Service has
+	// set the publishNotReadyAddresses flag.
+	Ready *bool `json:"ready,omitempty"`
+	// serving indicates that this endpoint is able to receive traffic,
+	// according to whatever system is managing the endpoint. For endpoints
+	// backed by pods, the EndpointSlice controller will mark the endpoint
+	// as serving if the pod's Ready condition is True. A nil value should be
+	// interpreted as "true".
+	Serving *bool `json:"serving,omitempty"`
+	// terminating indicates that this endpoint is terminating. A nil value
+	// should be interpreted as "false".
 	Terminating *bool `json:"terminating,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointhints.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointhints.go
index 7afda39b6baf3..7b9e5be752e9e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointhints.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointhints.go
@@ -20,8 +20,14 @@ package v1
 
 // EndpointHintsApplyConfiguration represents a declarative configuration of the EndpointHints type for use
 // with apply.
+//
+// EndpointHints provides hints describing how an endpoint should be consumed.
 type EndpointHintsApplyConfiguration struct {
+	// forZones indicates the zone(s) this endpoint should be consumed by when
+	// using topology aware routing. May contain a maximum of 8 entries.
 	ForZones []ForZoneApplyConfiguration `json:"forZones,omitempty"`
+	// forNodes indicates the node(s) this endpoint should be consumed by when
+	// using topology aware routing. May contain a maximum of 8 entries.
 	ForNodes []ForNodeApplyConfiguration `json:"forNodes,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointport.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointport.go
index b55c868cb1ab6..7a55f60bd8efd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointport.go
@@ -24,11 +24,42 @@ import (
 
 // EndpointPortApplyConfiguration represents a declarative configuration of the EndpointPort type for use
 // with apply.
+//
+// EndpointPort represents a Port used by an EndpointSlice
 type EndpointPortApplyConfiguration struct {
-	Name        *string          `json:"name,omitempty"`
-	Protocol    *corev1.Protocol `json:"protocol,omitempty"`
-	Port        *int32           `json:"port,omitempty"`
-	AppProtocol *string          `json:"appProtocol,omitempty"`
+	// name represents the name of this port. All ports in an EndpointSlice must have a unique name.
+	// If the EndpointSlice is derived from a Kubernetes service, this corresponds to the Service.ports[].name.
+	// Name must either be an empty string or pass DNS_LABEL validation:
+	// * must be no more than 63 characters long.
+	// * must consist of lower case alphanumeric characters or '-'.
+	// * must start and end with an alphanumeric character.
+	// Default is empty string.
+	Name *string `json:"name,omitempty"`
+	// protocol represents the IP protocol for this port.
+	// Must be UDP, TCP, or SCTP.
+	// Default is TCP.
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// port represents the port number of the endpoint.
+	// If the EndpointSlice is derived from a Kubernetes service, this must be set
+	// to the service's target port. EndpointSlices used for other purposes may have
+	// a nil port.
+	Port *int32 `json:"port,omitempty"`
+	// The application protocol for this port.
+	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
+	// This field follows standard Kubernetes label syntax.
+	// Valid values are either:
+	//
+	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
+	// RFC-6335 and https://www.iana.org/assignments/service-names).
+	//
+	// * Kubernetes-defined prefixed names:
+	// * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
+	// * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
+	// * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
+	//
+	// * Other protocols should use implementation-defined prefixed names such as
+	// mycompany.com/my-custom-protocol.
+	AppProtocol *string `json:"appProtocol,omitempty"`
 }
 
 // EndpointPortApplyConfiguration constructs a declarative configuration of the EndpointPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointslice.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointslice.go
index d976ca8229ba3..cba77dd57132f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointslice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/endpointslice.go
@@ -29,12 +29,38 @@ import (
 
 // EndpointSliceApplyConfiguration represents a declarative configuration of the EndpointSlice type for use
 // with apply.
+//
+// EndpointSlice represents a set of service endpoints. Most EndpointSlices are created by
+// the EndpointSlice controller to represent the Pods selected by Service objects. For a
+// given service there may be multiple EndpointSlice objects which must be joined to
+// produce the full set of endpoints; you can find all of the slices for a given service
+// by listing EndpointSlices in the service's namespace whose `kubernetes.io/service-name`
+// label contains the service's name.
 type EndpointSliceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	AddressType                          *discoveryv1.AddressType         `json:"addressType,omitempty"`
-	Endpoints                            []EndpointApplyConfiguration     `json:"endpoints,omitempty"`
-	Ports                                []EndpointPortApplyConfiguration `json:"ports,omitempty"`
+	// addressType specifies the type of address carried by this EndpointSlice.
+	// All addresses in this slice must be the same type. This field is
+	// immutable after creation. The following address types are currently
+	// supported:
+	// * IPv4: Represents an IPv4 Address.
+	// * IPv6: Represents an IPv6 Address.
+	// * FQDN: Represents a Fully Qualified Domain Name. (Deprecated)
+	// The EndpointSlice controller only generates, and kube-proxy only processes,
+	// slices of addressType "IPv4" and "IPv6". No semantics are defined for
+	// the "FQDN" type.
+	AddressType *discoveryv1.AddressType `json:"addressType,omitempty"`
+	// endpoints is a list of unique endpoints in this slice. Each slice may
+	// include a maximum of 1000 endpoints.
+	Endpoints []EndpointApplyConfiguration `json:"endpoints,omitempty"`
+	// ports specifies the list of network ports exposed by each endpoint in
+	// this slice. Each port must have a unique name. Each slice may include a
+	// maximum of 100 ports.
+	// Services always have at least 1 port, so EndpointSlices generated by the
+	// EndpointSlice controller will likewise always have at least 1 port.
+	// EndpointSlices used for other purposes may have an empty ports list.
+	Ports []EndpointPortApplyConfiguration `json:"ports,omitempty"`
 }
 
 // EndpointSlice constructs a declarative configuration of the EndpointSlice type for use with
@@ -48,29 +74,14 @@ func EndpointSlice(name, namespace string) *EndpointSliceApplyConfiguration {
 	return b
 }
 
-// ExtractEndpointSlice extracts the applied configuration owned by fieldManager from
-// endpointSlice. If no managedFields are found in endpointSlice for fieldManager, a
-// EndpointSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEndpointSliceFrom extracts the applied configuration owned by fieldManager from
+// endpointSlice for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // endpointSlice must be a unmodified EndpointSlice API object that was retrieved from the Kubernetes API.
-// ExtractEndpointSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEndpointSliceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
-	return extractEndpointSlice(endpointSlice, fieldManager, "")
-}
-
-// ExtractEndpointSliceStatus is the same as ExtractEndpointSlice except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEndpointSliceStatus(endpointSlice *discoveryv1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
-	return extractEndpointSlice(endpointSlice, fieldManager, "status")
-}
-
-func extractEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, fieldManager string, subresource string) (*EndpointSliceApplyConfiguration, error) {
+func ExtractEndpointSliceFrom(endpointSlice *discoveryv1.EndpointSlice, fieldManager string, subresource string) (*EndpointSliceApplyConfiguration, error) {
 	b := &EndpointSliceApplyConfiguration{}
 	err := managedfields.ExtractInto(endpointSlice, internal.Parser().Type("io.k8s.api.discovery.v1.EndpointSlice"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +94,21 @@ func extractEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, fieldManager
 	b.WithAPIVersion("discovery.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractEndpointSlice extracts the applied configuration owned by fieldManager from
+// endpointSlice. If no managedFields are found in endpointSlice for fieldManager, a
+// EndpointSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// endpointSlice must be a unmodified EndpointSlice API object that was retrieved from the Kubernetes API.
+// ExtractEndpointSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEndpointSlice(endpointSlice *discoveryv1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
+	return ExtractEndpointSliceFrom(endpointSlice, fieldManager, "")
+}
+
 func (b EndpointSliceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/fornode.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/fornode.go
index 3b2304d307908..5818f70b3fbce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/fornode.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/fornode.go
@@ -20,7 +20,10 @@ package v1
 
 // ForNodeApplyConfiguration represents a declarative configuration of the ForNode type for use
 // with apply.
+//
+// ForNode provides information about which nodes should consume this endpoint.
 type ForNodeApplyConfiguration struct {
+	// name represents the name of the node.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/forzone.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/forzone.go
index 505d11ae2f13d..1d06e1ad83665 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/forzone.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1/forzone.go
@@ -20,7 +20,10 @@ package v1
 
 // ForZoneApplyConfiguration represents a declarative configuration of the ForZone type for use
 // with apply.
+//
+// ForZone provides information about which zones should consume this endpoint.
 type ForZoneApplyConfiguration struct {
+	// name represents the name of the zone.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpoint.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpoint.go
index 5d87dae72ef2f..4d7b39979d630 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpoint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpoint.go
@@ -24,14 +24,47 @@ import (
 
 // EndpointApplyConfiguration represents a declarative configuration of the Endpoint type for use
 // with apply.
+//
+// Endpoint represents a single logical "backend" implementing a service.
 type EndpointApplyConfiguration struct {
-	Addresses  []string                              `json:"addresses,omitempty"`
+	// addresses of this endpoint. The contents of this field are interpreted
+	// according to the corresponding EndpointSlice addressType field. Consumers
+	// must handle different types of addresses in the context of their own
+	// capabilities. This must contain at least one address but no more than
+	// 100. These are all assumed to be fungible and clients may choose to only
+	// use the first element. Refer to: https://issue.k8s.io/106267
+	Addresses []string `json:"addresses,omitempty"`
+	// conditions contains information about the current status of the endpoint.
 	Conditions *EndpointConditionsApplyConfiguration `json:"conditions,omitempty"`
-	Hostname   *string                               `json:"hostname,omitempty"`
-	TargetRef  *v1.ObjectReferenceApplyConfiguration `json:"targetRef,omitempty"`
-	Topology   map[string]string                     `json:"topology,omitempty"`
-	NodeName   *string                               `json:"nodeName,omitempty"`
-	Hints      *EndpointHintsApplyConfiguration      `json:"hints,omitempty"`
+	// hostname of this endpoint. This field may be used by consumers of
+	// endpoints to distinguish endpoints from each other (e.g. in DNS names).
+	// Multiple endpoints which use the same hostname should be considered
+	// fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
+	// Label (RFC 1123) validation.
+	Hostname *string `json:"hostname,omitempty"`
+	// targetRef is a reference to a Kubernetes object that represents this
+	// endpoint.
+	TargetRef *v1.ObjectReferenceApplyConfiguration `json:"targetRef,omitempty"`
+	// topology contains arbitrary topology information associated with the
+	// endpoint. These key/value pairs must conform with the label format.
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// Topology may include a maximum of 16 key/value pairs. This includes, but
+	// is not limited to the following well known keys:
+	// * kubernetes.io/hostname: the value indicates the hostname of the node
+	// where the endpoint is located. This should match the corresponding
+	// node label.
+	// * topology.kubernetes.io/zone: the value indicates the zone where the
+	// endpoint is located. This should match the corresponding node label.
+	// * topology.kubernetes.io/region: the value indicates the region where the
+	// endpoint is located. This should match the corresponding node label.
+	// This field is deprecated and will be removed in future api versions.
+	Topology map[string]string `json:"topology,omitempty"`
+	// nodeName represents the name of the Node hosting this endpoint. This can
+	// be used to determine endpoints local to a Node.
+	NodeName *string `json:"nodeName,omitempty"`
+	// hints contains information associated with how an endpoint should be
+	// consumed.
+	Hints *EndpointHintsApplyConfiguration `json:"hints,omitempty"`
 }
 
 // EndpointApplyConfiguration constructs a declarative configuration of the Endpoint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointconditions.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointconditions.go
index 13f5fa5575537..e94b988782ea8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointconditions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointconditions.go
@@ -20,9 +20,23 @@ package v1beta1
 
 // EndpointConditionsApplyConfiguration represents a declarative configuration of the EndpointConditions type for use
 // with apply.
+//
+// EndpointConditions represents the current condition of an endpoint.
 type EndpointConditionsApplyConfiguration struct {
-	Ready       *bool `json:"ready,omitempty"`
-	Serving     *bool `json:"serving,omitempty"`
+	// ready indicates that this endpoint is prepared to receive traffic,
+	// according to whatever system is managing the endpoint. A nil value
+	// indicates an unknown state. In most cases consumers should interpret this
+	// unknown state as ready. For compatibility reasons, ready should never be
+	// "true" for terminating endpoints.
+	Ready *bool `json:"ready,omitempty"`
+	// serving is identical to ready except that it is set regardless of the
+	// terminating state of endpoints. This condition should be set to true for
+	// a ready endpoint that is terminating. If nil, consumers should defer to
+	// the ready condition.
+	Serving *bool `json:"serving,omitempty"`
+	// terminating indicates that this endpoint is terminating. A nil value
+	// indicates an unknown state. Consumers should interpret this unknown state
+	// to mean that the endpoint is not terminating.
 	Terminating *bool `json:"terminating,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointhints.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointhints.go
index 9637f9940faf9..0e36451a7f777 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointhints.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointhints.go
@@ -20,8 +20,14 @@ package v1beta1
 
 // EndpointHintsApplyConfiguration represents a declarative configuration of the EndpointHints type for use
 // with apply.
+//
+// EndpointHints provides hints describing how an endpoint should be consumed.
 type EndpointHintsApplyConfiguration struct {
+	// forZones indicates the zone(s) this endpoint should be consumed by to
+	// enable topology aware routing. May contain a maximum of 8 entries.
 	ForZones []ForZoneApplyConfiguration `json:"forZones,omitempty"`
+	// forNodes indicates the node(s) this endpoint should be consumed by when
+	// using topology aware routing. May contain a maximum of 8 entries.
 	ForNodes []ForNodeApplyConfiguration `json:"forNodes,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointport.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointport.go
index 07cfc684b25e1..224295293aa41 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointport.go
@@ -24,11 +24,32 @@ import (
 
 // EndpointPortApplyConfiguration represents a declarative configuration of the EndpointPort type for use
 // with apply.
+//
+// EndpointPort represents a Port used by an EndpointSlice
 type EndpointPortApplyConfiguration struct {
-	Name        *string      `json:"name,omitempty"`
-	Protocol    *v1.Protocol `json:"protocol,omitempty"`
-	Port        *int32       `json:"port,omitempty"`
-	AppProtocol *string      `json:"appProtocol,omitempty"`
+	// name represents the name of this port. All ports in an EndpointSlice must have a unique name.
+	// If the EndpointSlice is derived from a Kubernetes service, this corresponds to the Service.ports[].name.
+	// Name must either be an empty string or pass DNS_LABEL validation:
+	// * must be no more than 63 characters long.
+	// * must consist of lower case alphanumeric characters or '-'.
+	// * must start and end with an alphanumeric character.
+	// Default is empty string.
+	Name *string `json:"name,omitempty"`
+	// protocol represents the IP protocol for this port.
+	// Must be UDP, TCP, or SCTP.
+	// Default is TCP.
+	Protocol *v1.Protocol `json:"protocol,omitempty"`
+	// port represents the port number of the endpoint.
+	// If this is not specified, ports are not restricted and must be
+	// interpreted in the context of the specific consumer.
+	Port *int32 `json:"port,omitempty"`
+	// appProtocol represents the application protocol for this port.
+	// This field follows standard Kubernetes label syntax.
+	// Un-prefixed names are reserved for IANA standard service names (as per
+	// RFC-6335 and https://www.iana.org/assignments/service-names).
+	// Non-standard protocols should use prefixed names such as
+	// mycompany.com/my-custom-protocol.
+	AppProtocol *string `json:"appProtocol,omitempty"`
 }
 
 // EndpointPortApplyConfiguration constructs a declarative configuration of the EndpointPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointslice.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointslice.go
index 437cef59cfe72..4d40de54a627e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointslice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/endpointslice.go
@@ -29,12 +29,31 @@ import (
 
 // EndpointSliceApplyConfiguration represents a declarative configuration of the EndpointSlice type for use
 // with apply.
+//
+// EndpointSlice represents a subset of the endpoints that implement a service.
+// For a given service there may be multiple EndpointSlice objects, selected by
+// labels, which must be joined to produce the full set of endpoints.
 type EndpointSliceApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	AddressType                      *discoveryv1beta1.AddressType    `json:"addressType,omitempty"`
-	Endpoints                        []EndpointApplyConfiguration     `json:"endpoints,omitempty"`
-	Ports                            []EndpointPortApplyConfiguration `json:"ports,omitempty"`
+	// addressType specifies the type of address carried by this EndpointSlice.
+	// All addresses in this slice must be the same type. This field is
+	// immutable after creation. The following address types are currently
+	// supported:
+	// * IPv4: Represents an IPv4 Address.
+	// * IPv6: Represents an IPv6 Address.
+	// * FQDN: Represents a Fully Qualified Domain Name.
+	AddressType *discoveryv1beta1.AddressType `json:"addressType,omitempty"`
+	// endpoints is a list of unique endpoints in this slice. Each slice may
+	// include a maximum of 1000 endpoints.
+	Endpoints []EndpointApplyConfiguration `json:"endpoints,omitempty"`
+	// ports specifies the list of network ports exposed by each endpoint in
+	// this slice. Each port must have a unique name. When ports is empty, it
+	// indicates that there are no defined ports. When a port is defined with a
+	// nil port value, it indicates "all ports". Each slice may include a
+	// maximum of 100 ports.
+	Ports []EndpointPortApplyConfiguration `json:"ports,omitempty"`
 }
 
 // EndpointSlice constructs a declarative configuration of the EndpointSlice type for use with
@@ -48,29 +67,14 @@ func EndpointSlice(name, namespace string) *EndpointSliceApplyConfiguration {
 	return b
 }
 
-// ExtractEndpointSlice extracts the applied configuration owned by fieldManager from
-// endpointSlice. If no managedFields are found in endpointSlice for fieldManager, a
-// EndpointSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEndpointSliceFrom extracts the applied configuration owned by fieldManager from
+// endpointSlice for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // endpointSlice must be a unmodified EndpointSlice API object that was retrieved from the Kubernetes API.
-// ExtractEndpointSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEndpointSliceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEndpointSlice(endpointSlice *discoveryv1beta1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
-	return extractEndpointSlice(endpointSlice, fieldManager, "")
-}
-
-// ExtractEndpointSliceStatus is the same as ExtractEndpointSlice except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEndpointSliceStatus(endpointSlice *discoveryv1beta1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
-	return extractEndpointSlice(endpointSlice, fieldManager, "status")
-}
-
-func extractEndpointSlice(endpointSlice *discoveryv1beta1.EndpointSlice, fieldManager string, subresource string) (*EndpointSliceApplyConfiguration, error) {
+func ExtractEndpointSliceFrom(endpointSlice *discoveryv1beta1.EndpointSlice, fieldManager string, subresource string) (*EndpointSliceApplyConfiguration, error) {
 	b := &EndpointSliceApplyConfiguration{}
 	err := managedfields.ExtractInto(endpointSlice, internal.Parser().Type("io.k8s.api.discovery.v1beta1.EndpointSlice"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +87,21 @@ func extractEndpointSlice(endpointSlice *discoveryv1beta1.EndpointSlice, fieldMa
 	b.WithAPIVersion("discovery.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractEndpointSlice extracts the applied configuration owned by fieldManager from
+// endpointSlice. If no managedFields are found in endpointSlice for fieldManager, a
+// EndpointSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// endpointSlice must be a unmodified EndpointSlice API object that was retrieved from the Kubernetes API.
+// ExtractEndpointSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEndpointSlice(endpointSlice *discoveryv1beta1.EndpointSlice, fieldManager string) (*EndpointSliceApplyConfiguration, error) {
+	return ExtractEndpointSliceFrom(endpointSlice, fieldManager, "")
+}
+
 func (b EndpointSliceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/fornode.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/fornode.go
index 79aff881d2d38..bb976f2f73662 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/fornode.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/fornode.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // ForNodeApplyConfiguration represents a declarative configuration of the ForNode type for use
 // with apply.
+//
+// ForNode provides information about which nodes should consume this endpoint.
 type ForNodeApplyConfiguration struct {
+	// name represents the name of the node.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/forzone.go b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/forzone.go
index 4af09cc49bbfd..6308861c9aff5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/forzone.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/discovery/v1beta1/forzone.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // ForZoneApplyConfiguration represents a declarative configuration of the ForZone type for use
 // with apply.
+//
+// ForZone provides information about which zones should consume this endpoint.
 type ForZoneApplyConfiguration struct {
+	// name represents the name of the zone.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/events/v1/event.go b/staging/src/k8s.io/client-go/applyconfigurations/events/v1/event.go
index 391dfc96a5825..122cccad7e377 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/events/v1/event.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/events/v1/event.go
@@ -30,23 +30,57 @@ import (
 
 // EventApplyConfiguration represents a declarative configuration of the Event type for use
 // with apply.
+//
+// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
+// Events have a limited retention time and triggers and messages may evolve
+// with time.  Event consumers should not rely on the timing of an event
+// with a given Reason reflecting a consistent underlying trigger, or the
+// continued existence of events with that Reason.  Events should be
+// treated as informative, best-effort, supplemental data.
 type EventApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	EventTime                            *apismetav1.MicroTime                     `json:"eventTime,omitempty"`
-	Series                               *EventSeriesApplyConfiguration            `json:"series,omitempty"`
-	ReportingController                  *string                                   `json:"reportingController,omitempty"`
-	ReportingInstance                    *string                                   `json:"reportingInstance,omitempty"`
-	Action                               *string                                   `json:"action,omitempty"`
-	Reason                               *string                                   `json:"reason,omitempty"`
-	Regarding                            *corev1.ObjectReferenceApplyConfiguration `json:"regarding,omitempty"`
-	Related                              *corev1.ObjectReferenceApplyConfiguration `json:"related,omitempty"`
-	Note                                 *string                                   `json:"note,omitempty"`
-	Type                                 *string                                   `json:"type,omitempty"`
-	DeprecatedSource                     *corev1.EventSourceApplyConfiguration     `json:"deprecatedSource,omitempty"`
-	DeprecatedFirstTimestamp             *apismetav1.Time                          `json:"deprecatedFirstTimestamp,omitempty"`
-	DeprecatedLastTimestamp              *apismetav1.Time                          `json:"deprecatedLastTimestamp,omitempty"`
-	DeprecatedCount                      *int32                                    `json:"deprecatedCount,omitempty"`
+	// eventTime is the time when this Event was first observed. It is required.
+	EventTime *apismetav1.MicroTime `json:"eventTime,omitempty"`
+	// series is data about the Event series this event represents or nil if it's a singleton Event.
+	Series *EventSeriesApplyConfiguration `json:"series,omitempty"`
+	// reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
+	// This field cannot be empty for new Events.
+	ReportingController *string `json:"reportingController,omitempty"`
+	// reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	ReportingInstance *string `json:"reportingInstance,omitempty"`
+	// action is what action was taken/failed regarding to the regarding object. It is machine-readable.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	Action *string `json:"action,omitempty"`
+	// reason is why the action was taken. It is human-readable.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	Reason *string `json:"reason,omitempty"`
+	// regarding contains the object this Event is about. In most cases it's an Object reporting controller
+	// implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
+	// it acts on some changes in a ReplicaSet object.
+	Regarding *corev1.ObjectReferenceApplyConfiguration `json:"regarding,omitempty"`
+	// related is the optional secondary object for more complex actions. E.g. when regarding object triggers
+	// a creation or deletion of related object.
+	Related *corev1.ObjectReferenceApplyConfiguration `json:"related,omitempty"`
+	// note is a human-readable description of the status of this operation.
+	// Maximal length of the note is 1kB, but libraries should be prepared to
+	// handle values up to 64kB.
+	Note *string `json:"note,omitempty"`
+	// type is the type of this event (Normal, Warning), new types could be added in the future.
+	// It is machine-readable.
+	// This field cannot be empty for new Events.
+	Type *string `json:"type,omitempty"`
+	// deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedSource *corev1.EventSourceApplyConfiguration `json:"deprecatedSource,omitempty"`
+	// deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedFirstTimestamp *apismetav1.Time `json:"deprecatedFirstTimestamp,omitempty"`
+	// deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedLastTimestamp *apismetav1.Time `json:"deprecatedLastTimestamp,omitempty"`
+	// deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedCount *int32 `json:"deprecatedCount,omitempty"`
 }
 
 // Event constructs a declarative configuration of the Event type for use with
@@ -60,29 +94,14 @@ func Event(name, namespace string) *EventApplyConfiguration {
 	return b
 }
 
-// ExtractEvent extracts the applied configuration owned by fieldManager from
-// event. If no managedFields are found in event for fieldManager, a
-// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEventFrom extracts the applied configuration owned by fieldManager from
+// event for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // event must be a unmodified Event API object that was retrieved from the Kubernetes API.
-// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEventFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEvent(event *eventsv1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "")
-}
-
-// ExtractEventStatus is the same as ExtractEvent except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEventStatus(event *eventsv1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "status")
-}
-
-func extractEvent(event *eventsv1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
+func ExtractEventFrom(event *eventsv1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
 	b := &EventApplyConfiguration{}
 	err := managedfields.ExtractInto(event, internal.Parser().Type("io.k8s.api.events.v1.Event"), fieldManager, b, subresource)
 	if err != nil {
@@ -95,6 +114,21 @@ func extractEvent(event *eventsv1.Event, fieldManager string, subresource string
 	b.WithAPIVersion("events.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractEvent extracts the applied configuration owned by fieldManager from
+// event. If no managedFields are found in event for fieldManager, a
+// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// event must be a unmodified Event API object that was retrieved from the Kubernetes API.
+// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEvent(event *eventsv1.Event, fieldManager string) (*EventApplyConfiguration, error) {
+	return ExtractEventFrom(event, fieldManager, "")
+}
+
 func (b EventApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/events/v1/eventseries.go b/staging/src/k8s.io/client-go/applyconfigurations/events/v1/eventseries.go
index c90954bccbd8b..ddacc01e1d441 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/events/v1/eventseries.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/events/v1/eventseries.go
@@ -24,8 +24,15 @@ import (
 
 // EventSeriesApplyConfiguration represents a declarative configuration of the EventSeries type for use
 // with apply.
+//
+// EventSeries contain information on series of events, i.e. thing that was/is happening
+// continuously for some time. How often to update the EventSeries is up to the event reporters.
+// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows
+// how this struct is updated on heartbeats and can guide customized reporter implementations.
 type EventSeriesApplyConfiguration struct {
-	Count            *int32            `json:"count,omitempty"`
+	// count is the number of occurrences in this series up to the last heartbeat time.
+	Count *int32 `json:"count,omitempty"`
+	// lastObservedTime is the time when last Event from the series was seen before last heartbeat.
 	LastObservedTime *metav1.MicroTime `json:"lastObservedTime,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/event.go b/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/event.go
index c57af55b5d8a4..cf6068f470b1b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/event.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/event.go
@@ -30,23 +30,56 @@ import (
 
 // EventApplyConfiguration represents a declarative configuration of the Event type for use
 // with apply.
+//
+// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
+// Events have a limited retention time and triggers and messages may evolve
+// with time.  Event consumers should not rely on the timing of an event
+// with a given Reason reflecting a consistent underlying trigger, or the
+// continued existence of events with that Reason.  Events should be
+// treated as informative, best-effort, supplemental data.
 type EventApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	EventTime                        *metav1.MicroTime                         `json:"eventTime,omitempty"`
-	Series                           *EventSeriesApplyConfiguration            `json:"series,omitempty"`
-	ReportingController              *string                                   `json:"reportingController,omitempty"`
-	ReportingInstance                *string                                   `json:"reportingInstance,omitempty"`
-	Action                           *string                                   `json:"action,omitempty"`
-	Reason                           *string                                   `json:"reason,omitempty"`
-	Regarding                        *corev1.ObjectReferenceApplyConfiguration `json:"regarding,omitempty"`
-	Related                          *corev1.ObjectReferenceApplyConfiguration `json:"related,omitempty"`
-	Note                             *string                                   `json:"note,omitempty"`
-	Type                             *string                                   `json:"type,omitempty"`
-	DeprecatedSource                 *corev1.EventSourceApplyConfiguration     `json:"deprecatedSource,omitempty"`
-	DeprecatedFirstTimestamp         *metav1.Time                              `json:"deprecatedFirstTimestamp,omitempty"`
-	DeprecatedLastTimestamp          *metav1.Time                              `json:"deprecatedLastTimestamp,omitempty"`
-	DeprecatedCount                  *int32                                    `json:"deprecatedCount,omitempty"`
+	// eventTime is the time when this Event was first observed. It is required.
+	EventTime *metav1.MicroTime `json:"eventTime,omitempty"`
+	// series is data about the Event series this event represents or nil if it's a singleton Event.
+	Series *EventSeriesApplyConfiguration `json:"series,omitempty"`
+	// reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
+	// This field cannot be empty for new Events.
+	ReportingController *string `json:"reportingController,omitempty"`
+	// reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	ReportingInstance *string `json:"reportingInstance,omitempty"`
+	// action is what action was taken/failed regarding to the regarding object. It is machine-readable.
+	// This field can have at most 128 characters.
+	Action *string `json:"action,omitempty"`
+	// reason is why the action was taken. It is human-readable.
+	// This field can have at most 128 characters.
+	Reason *string `json:"reason,omitempty"`
+	// regarding contains the object this Event is about. In most cases it's an Object reporting controller
+	// implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
+	// it acts on some changes in a ReplicaSet object.
+	Regarding *corev1.ObjectReferenceApplyConfiguration `json:"regarding,omitempty"`
+	// related is the optional secondary object for more complex actions. E.g. when regarding object triggers
+	// a creation or deletion of related object.
+	Related *corev1.ObjectReferenceApplyConfiguration `json:"related,omitempty"`
+	// note is a human-readable description of the status of this operation.
+	// Maximal length of the note is 1kB, but libraries should be prepared to
+	// handle values up to 64kB.
+	Note *string `json:"note,omitempty"`
+	// type is the type of this event (Normal, Warning), new types could be added in the future.
+	// It is machine-readable.
+	Type *string `json:"type,omitempty"`
+	// deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedSource *corev1.EventSourceApplyConfiguration `json:"deprecatedSource,omitempty"`
+	// deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedFirstTimestamp *metav1.Time `json:"deprecatedFirstTimestamp,omitempty"`
+	// deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedLastTimestamp *metav1.Time `json:"deprecatedLastTimestamp,omitempty"`
+	// deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
+	DeprecatedCount *int32 `json:"deprecatedCount,omitempty"`
 }
 
 // Event constructs a declarative configuration of the Event type for use with
@@ -60,29 +93,14 @@ func Event(name, namespace string) *EventApplyConfiguration {
 	return b
 }
 
-// ExtractEvent extracts the applied configuration owned by fieldManager from
-// event. If no managedFields are found in event for fieldManager, a
-// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEventFrom extracts the applied configuration owned by fieldManager from
+// event for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // event must be a unmodified Event API object that was retrieved from the Kubernetes API.
-// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEventFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEvent(event *eventsv1beta1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "")
-}
-
-// ExtractEventStatus is the same as ExtractEvent except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEventStatus(event *eventsv1beta1.Event, fieldManager string) (*EventApplyConfiguration, error) {
-	return extractEvent(event, fieldManager, "status")
-}
-
-func extractEvent(event *eventsv1beta1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
+func ExtractEventFrom(event *eventsv1beta1.Event, fieldManager string, subresource string) (*EventApplyConfiguration, error) {
 	b := &EventApplyConfiguration{}
 	err := managedfields.ExtractInto(event, internal.Parser().Type("io.k8s.api.events.v1beta1.Event"), fieldManager, b, subresource)
 	if err != nil {
@@ -95,6 +113,21 @@ func extractEvent(event *eventsv1beta1.Event, fieldManager string, subresource s
 	b.WithAPIVersion("events.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractEvent extracts the applied configuration owned by fieldManager from
+// event. If no managedFields are found in event for fieldManager, a
+// EventApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// event must be a unmodified Event API object that was retrieved from the Kubernetes API.
+// ExtractEvent provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEvent(event *eventsv1beta1.Event, fieldManager string) (*EventApplyConfiguration, error) {
+	return ExtractEventFrom(event, fieldManager, "")
+}
+
 func (b EventApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/eventseries.go b/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/eventseries.go
index 75d936e8be851..fa1edd563cc76 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/eventseries.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/events/v1beta1/eventseries.go
@@ -24,8 +24,13 @@ import (
 
 // EventSeriesApplyConfiguration represents a declarative configuration of the EventSeries type for use
 // with apply.
+//
+// EventSeries contain information on series of events, i.e. thing that was/is happening
+// continuously for some time.
 type EventSeriesApplyConfiguration struct {
-	Count            *int32        `json:"count,omitempty"`
+	// count is the number of occurrences in this series up to the last heartbeat time.
+	Count *int32 `json:"count,omitempty"`
+	// lastObservedTime is the time when last Event from the series was seen before last heartbeat.
 	LastObservedTime *v1.MicroTime `json:"lastObservedTime,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonset.go
index 081b00d06c7b1..452f9b1c2dba3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonset.go
@@ -29,11 +29,24 @@ import (
 
 // DaemonSetApplyConfiguration represents a declarative configuration of the DaemonSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1beta2/DaemonSet. See the release notes for
+// more information.
+// DaemonSet represents the configuration of a daemon set.
 type DaemonSetApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DaemonSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *DaemonSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *DaemonSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DaemonSet constructs a declarative configuration of the DaemonSet type for use with
@@ -47,6 +60,27 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 	return b
 }
 
+// ExtractDaemonSetFrom extracts the applied configuration owned by fieldManager from
+// daemonSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// daemonSet must be a unmodified DaemonSet API object that was retrieved from the Kubernetes API.
+// ExtractDaemonSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDaemonSetFrom(daemonSet *extensionsv1beta1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
+	b := &DaemonSetApplyConfiguration{}
+	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.extensions.v1beta1.DaemonSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(daemonSet.Name)
+	b.WithNamespace(daemonSet.Namespace)
+
+	b.WithKind("DaemonSet")
+	b.WithAPIVersion("extensions/v1beta1")
+	return b, nil
+}
+
 // ExtractDaemonSet extracts the applied configuration owned by fieldManager from
 // daemonSet. If no managedFields are found in daemonSet for fieldManager, a
 // DaemonSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func DaemonSet(name, namespace string) *DaemonSetApplyConfiguration {
 // ExtractDaemonSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDaemonSet(daemonSet *extensionsv1beta1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "")
 }
 
-// ExtractDaemonSetStatus is the same as ExtractDaemonSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDaemonSetStatus extracts the applied configuration owned by fieldManager from
+// daemonSet for the status subresource.
 func ExtractDaemonSetStatus(daemonSet *extensionsv1beta1.DaemonSet, fieldManager string) (*DaemonSetApplyConfiguration, error) {
-	return extractDaemonSet(daemonSet, fieldManager, "status")
+	return ExtractDaemonSetFrom(daemonSet, fieldManager, "status")
 }
 
-func extractDaemonSet(daemonSet *extensionsv1beta1.DaemonSet, fieldManager string, subresource string) (*DaemonSetApplyConfiguration, error) {
-	b := &DaemonSetApplyConfiguration{}
-	err := managedfields.ExtractInto(daemonSet, internal.Parser().Type("io.k8s.api.extensions.v1beta1.DaemonSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(daemonSet.Name)
-	b.WithNamespace(daemonSet.Namespace)
-
-	b.WithKind("DaemonSet")
-	b.WithAPIVersion("extensions/v1beta1")
-	return b, nil
-}
 func (b DaemonSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetcondition.go
index 0312a3099427e..971c68474d81e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetcondition.go
@@ -26,12 +26,20 @@ import (
 
 // DaemonSetConditionApplyConfiguration represents a declarative configuration of the DaemonSetCondition type for use
 // with apply.
+//
+// TODO: Add valid condition types of a DaemonSet.
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
 type DaemonSetConditionApplyConfiguration struct {
-	Type               *extensionsv1beta1.DaemonSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                       `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                              `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                   `json:"reason,omitempty"`
-	Message            *string                                   `json:"message,omitempty"`
+	// Type of DaemonSet condition.
+	Type *extensionsv1beta1.DaemonSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DaemonSetConditionApplyConfiguration constructs a declarative configuration of the DaemonSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetspec.go
index d628969187a93..eddbbe41d38bd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetspec.go
@@ -25,13 +25,35 @@ import (
 
 // DaemonSetSpecApplyConfiguration represents a declarative configuration of the DaemonSetSpec type for use
 // with apply.
+//
+// DaemonSetSpec is the specification of a daemon set.
 type DaemonSetSpecApplyConfiguration struct {
-	Selector             *v1.LabelSelectorApplyConfiguration        `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpecApplyConfiguration  `json:"template,omitempty"`
-	UpdateStrategy       *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
-	MinReadySeconds      *int32                                     `json:"minReadySeconds,omitempty"`
-	TemplateGeneration   *int64                                     `json:"templateGeneration,omitempty"`
-	RevisionHistoryLimit *int32                                     `json:"revisionHistoryLimit,omitempty"`
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// If empty, defaulted to labels on Pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	UpdateStrategy *DaemonSetUpdateStrategyApplyConfiguration `json:"updateStrategy,omitempty"`
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// DEPRECATED.
+	// A sequence number representing a specific generation of the template.
+	// Populated by the system. It can be set only during the creation.
+	TemplateGeneration *int64 `json:"templateGeneration,omitempty"`
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
 }
 
 // DaemonSetSpecApplyConfiguration constructs a declarative configuration of the DaemonSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetstatus.go
index 373f9ef97a76f..1803d3b74a280 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetstatus.go
@@ -20,17 +20,42 @@ package v1beta1
 
 // DaemonSetStatusApplyConfiguration represents a declarative configuration of the DaemonSetStatus type for use
 // with apply.
+//
+// DaemonSetStatus represents the current status of a daemon set.
 type DaemonSetStatusApplyConfiguration struct {
-	CurrentNumberScheduled *int32                                 `json:"currentNumberScheduled,omitempty"`
-	NumberMisscheduled     *int32                                 `json:"numberMisscheduled,omitempty"`
-	DesiredNumberScheduled *int32                                 `json:"desiredNumberScheduled,omitempty"`
-	NumberReady            *int32                                 `json:"numberReady,omitempty"`
-	ObservedGeneration     *int64                                 `json:"observedGeneration,omitempty"`
-	UpdatedNumberScheduled *int32                                 `json:"updatedNumberScheduled,omitempty"`
-	NumberAvailable        *int32                                 `json:"numberAvailable,omitempty"`
-	NumberUnavailable      *int32                                 `json:"numberUnavailable,omitempty"`
-	CollisionCount         *int32                                 `json:"collisionCount,omitempty"`
-	Conditions             []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled *int32 `json:"currentNumberScheduled,omitempty"`
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled *int32 `json:"numberMisscheduled,omitempty"`
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled *int32 `json:"desiredNumberScheduled,omitempty"`
+	// The number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running and ready.
+	NumberReady *int32 `json:"numberReady,omitempty"`
+	// The most recent generation observed by the daemon set controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// The total number of nodes that are running updated daemon pod
+	UpdatedNumberScheduled *int32 `json:"updatedNumberScheduled,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	NumberAvailable *int32 `json:"numberAvailable,omitempty"`
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	NumberUnavailable *int32 `json:"numberUnavailable,omitempty"`
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
+	// Represents the latest available observations of a DaemonSet's current state.
+	Conditions []DaemonSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // DaemonSetStatusApplyConfiguration constructs a declarative configuration of the DaemonSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetupdatestrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetupdatestrategy.go
index d3403605f8472..4dec8afef6290 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetupdatestrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/daemonsetupdatestrategy.go
@@ -24,9 +24,20 @@ import (
 
 // DaemonSetUpdateStrategyApplyConfiguration represents a declarative configuration of the DaemonSetUpdateStrategy type for use
 // with apply.
+//
+// DaemonSetUpdateStrategy indicates the strategy that the DaemonSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
 type DaemonSetUpdateStrategyApplyConfiguration struct {
-	Type          *extensionsv1beta1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
-	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration      `json:"rollingUpdate,omitempty"`
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete".
+	// Default is OnDelete.
+	Type *extensionsv1beta1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	RollingUpdate *RollingUpdateDaemonSetApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
 // DaemonSetUpdateStrategyApplyConfiguration constructs a declarative configuration of the DaemonSetUpdateStrategy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deployment.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deployment.go
index d9351479cbded..6d0e5f89cf21f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deployment.go
@@ -29,11 +29,18 @@ import (
 
 // DeploymentApplyConfiguration represents a declarative configuration of the Deployment type for use
 // with apply.
+//
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
 type DeploymentApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeploymentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the Deployment.
+	Spec *DeploymentSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the Deployment.
+	Status *DeploymentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Deployment constructs a declarative configuration of the Deployment type for use with
@@ -47,6 +54,27 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 	return b
 }
 
+// ExtractDeploymentFrom extracts the applied configuration owned by fieldManager from
+// deployment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deployment must be a unmodified Deployment API object that was retrieved from the Kubernetes API.
+// ExtractDeploymentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeploymentFrom(deployment *extensionsv1beta1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
+	b := &DeploymentApplyConfiguration{}
+	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.extensions.v1beta1.Deployment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deployment.Name)
+	b.WithNamespace(deployment.Namespace)
+
+	b.WithKind("Deployment")
+	b.WithAPIVersion("extensions/v1beta1")
+	return b, nil
+}
+
 // ExtractDeployment extracts the applied configuration owned by fieldManager from
 // deployment. If no managedFields are found in deployment for fieldManager, a
 // DeploymentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +85,22 @@ func Deployment(name, namespace string) *DeploymentApplyConfiguration {
 // ExtractDeployment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeployment(deployment *extensionsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "")
+	return ExtractDeploymentFrom(deployment, fieldManager, "")
 }
 
-// ExtractDeploymentStatus is the same as ExtractDeployment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeploymentStatus(deployment *extensionsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
-	return extractDeployment(deployment, fieldManager, "status")
+// ExtractDeploymentScale extracts the applied configuration owned by fieldManager from
+// deployment for the scale subresource.
+func ExtractDeploymentScale(deployment *extensionsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "scale")
 }
 
-func extractDeployment(deployment *extensionsv1beta1.Deployment, fieldManager string, subresource string) (*DeploymentApplyConfiguration, error) {
-	b := &DeploymentApplyConfiguration{}
-	err := managedfields.ExtractInto(deployment, internal.Parser().Type("io.k8s.api.extensions.v1beta1.Deployment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deployment.Name)
-	b.WithNamespace(deployment.Namespace)
-
-	b.WithKind("Deployment")
-	b.WithAPIVersion("extensions/v1beta1")
-	return b, nil
+// ExtractDeploymentStatus extracts the applied configuration owned by fieldManager from
+// deployment for the status subresource.
+func ExtractDeploymentStatus(deployment *extensionsv1beta1.Deployment, fieldManager string) (*DeploymentApplyConfiguration, error) {
+	return ExtractDeploymentFrom(deployment, fieldManager, "status")
 }
+
 func (b DeploymentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentcondition.go
index 2b64508d9d25a..c423e756e0984 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentcondition.go
@@ -26,13 +26,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *extensionsv1beta1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                        `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                               `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                    `json:"reason,omitempty"`
-	Message            *string                                    `json:"message,omitempty"`
+	// Type of deployment condition.
+	Type *extensionsv1beta1.DeploymentConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentspec.go
index 5531c756f9de8..12f3e2c71614d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentspec.go
@@ -25,16 +25,41 @@ import (
 
 // DeploymentSpecApplyConfiguration represents a declarative configuration of the DeploymentSpec type for use
 // with apply.
+//
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
 type DeploymentSpecApplyConfiguration struct {
-	Replicas                *int32                                    `json:"replicas,omitempty"`
-	Selector                *v1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Template                *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
-	Strategy                *DeploymentStrategyApplyConfiguration     `json:"strategy,omitempty"`
-	MinReadySeconds         *int32                                    `json:"minReadySeconds,omitempty"`
-	RevisionHistoryLimit    *int32                                    `json:"revisionHistoryLimit,omitempty"`
-	Paused                  *bool                                     `json:"paused,omitempty"`
-	RollbackTo              *RollbackConfigApplyConfiguration         `json:"rollbackTo,omitempty"`
-	ProgressDeadlineSeconds *int32                                    `json:"progressDeadlineSeconds,omitempty"`
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template describes the pods that will be created.
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// The deployment strategy to use to replace existing pods with new ones.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// This is set to the max value of int32 (i.e. 2147483647) by default, which
+	// means "retaining all old ReplicaSets".
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// Indicates that the deployment is paused and will not be processed by the
+	// deployment controller.
+	Paused *bool `json:"paused,omitempty"`
+	// DEPRECATED.
+	// The config this deployment is rolling back to. Will be cleared after rollback is done.
+	RollbackTo *RollbackConfigApplyConfiguration `json:"rollbackTo,omitempty"`
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. This is set to
+	// the max value of int32 (i.e. 2147483647) by default, which means "no deadline".
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty"`
 }
 
 // DeploymentSpecApplyConfiguration constructs a declarative configuration of the DeploymentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstatus.go
index 36b4fd42b6e2b..e58b08ed29e62 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstatus.go
@@ -20,16 +20,34 @@ package v1beta1
 
 // DeploymentStatusApplyConfiguration represents a declarative configuration of the DeploymentStatus type for use
 // with apply.
+//
+// DeploymentStatus is the most recently observed status of the Deployment.
 type DeploymentStatusApplyConfiguration struct {
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	TerminatingReplicas *int32                                  `json:"terminatingReplicas,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	CollisionCount      *int32                                  `json:"collisionCount,omitempty"`
+	// The generation observed by the deployment controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment (their labels match the selector).
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Total number of non-terminating pods targeted by this deployment that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// Total number of non-terminating pods targeted by this Deployment with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// Total number of available non-terminating pods (ready for at least minReadySeconds) targeted by this deployment.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// Total number of terminating pods targeted by this deployment. Terminating pods have a non-null
+	// .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// Represents the latest available observations of a deployment's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	CollisionCount *int32 `json:"collisionCount,omitempty"`
 }
 
 // DeploymentStatusApplyConfiguration constructs a declarative configuration of the DeploymentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstrategy.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstrategy.go
index b142b0deb07b9..4c368f33fcdde 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstrategy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/deploymentstrategy.go
@@ -24,8 +24,16 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to replace existing pods with new ones.
 type DeploymentStrategyApplyConfiguration struct {
-	Type          *extensionsv1beta1.DeploymentStrategyType  `json:"type,omitempty"`
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	Type *extensionsv1beta1.DeploymentStrategyType `json:"type,omitempty"`
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	// ---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
 	RollingUpdate *RollingUpdateDeploymentApplyConfiguration `json:"rollingUpdate,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingresspath.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingresspath.go
index 32e0c8b1d2114..1a84aebc19e3c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingresspath.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingresspath.go
@@ -24,10 +24,34 @@ import (
 
 // HTTPIngressPathApplyConfiguration represents a declarative configuration of the HTTPIngressPath type for use
 // with apply.
+//
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
 type HTTPIngressPathApplyConfiguration struct {
-	Path     *string                           `json:"path,omitempty"`
-	PathType *extensionsv1beta1.PathType       `json:"pathType,omitempty"`
-	Backend  *IngressBackendApplyConfiguration `json:"backend,omitempty"`
+	// Path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/'. When unspecified,
+	// all paths from incoming requests are matched.
+	Path *string `json:"path,omitempty"`
+	// PathType determines the interpretation of the Path matching. PathType can
+	// be one of the following values:
+	// * Exact: Matches the URL path exactly.
+	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+	// done on a path element by element basis. A path element refers is the
+	// list of labels in the path split by the '/' separator. A request is a
+	// match for path p if every p is an element-wise prefix of p of the
+	// request path. Note that if the last element of the path is a substring
+	// of the last element in request path, it is not a match (e.g. /foo/bar
+	// matches /foo/bar/baz, but does not match /foo/barbaz).
+	// * ImplementationSpecific: Interpretation of the Path matching is up to
+	// the IngressClass. Implementations can treat this as a separate PathType
+	// or treat it identically to Prefix or Exact path types.
+	// Implementations are required to support all path types.
+	// Defaults to ImplementationSpecific.
+	PathType *extensionsv1beta1.PathType `json:"pathType,omitempty"`
+	// Backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	Backend *IngressBackendApplyConfiguration `json:"backend,omitempty"`
 }
 
 // HTTPIngressPathApplyConfiguration constructs a declarative configuration of the HTTPIngressPath type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingressrulevalue.go
index 12454522374fb..8c8db0c3bed80 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/httpingressrulevalue.go
@@ -20,7 +20,14 @@ package v1beta1
 
 // HTTPIngressRuleValueApplyConfiguration represents a declarative configuration of the HTTPIngressRuleValue type for use
 // with apply.
+//
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
 type HTTPIngressRuleValueApplyConfiguration struct {
+	// A collection of paths that map requests to backends.
 	Paths []HTTPIngressPathApplyConfiguration `json:"paths,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingress.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingress.go
index 6c7925317db50..ba82ba9be4233 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingress.go
@@ -29,11 +29,23 @@ import (
 
 // IngressApplyConfiguration represents a declarative configuration of the Ingress type for use
 // with apply.
+//
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+// DEPRECATED - This group version of Ingress is deprecated by networking.k8s.io/v1beta1 Ingress. See the release notes for more information.
 type IngressApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *IngressSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *IngressStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IngressSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *IngressStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Ingress constructs a declarative configuration of the Ingress type for use with
@@ -47,6 +59,27 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 	return b
 }
 
+// ExtractIngressFrom extracts the applied configuration owned by fieldManager from
+// ingress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// ingress must be a unmodified Ingress API object that was retrieved from the Kubernetes API.
+// ExtractIngressFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressFrom(ingress *extensionsv1beta1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
+	b := &IngressApplyConfiguration{}
+	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.extensions.v1beta1.Ingress"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(ingress.Name)
+	b.WithNamespace(ingress.Namespace)
+
+	b.WithKind("Ingress")
+	b.WithAPIVersion("extensions/v1beta1")
+	return b, nil
+}
+
 // ExtractIngress extracts the applied configuration owned by fieldManager from
 // ingress. If no managedFields are found in ingress for fieldManager, a
 // IngressApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +90,16 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 // ExtractIngress provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractIngress(ingress *extensionsv1beta1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "")
+	return ExtractIngressFrom(ingress, fieldManager, "")
 }
 
-// ExtractIngressStatus is the same as ExtractIngress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractIngressStatus extracts the applied configuration owned by fieldManager from
+// ingress for the status subresource.
 func ExtractIngressStatus(ingress *extensionsv1beta1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "status")
+	return ExtractIngressFrom(ingress, fieldManager, "status")
 }
 
-func extractIngress(ingress *extensionsv1beta1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
-	b := &IngressApplyConfiguration{}
-	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.extensions.v1beta1.Ingress"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(ingress.Name)
-	b.WithNamespace(ingress.Namespace)
-
-	b.WithKind("Ingress")
-	b.WithAPIVersion("extensions/v1beta1")
-	return b, nil
-}
 func (b IngressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressbackend.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressbackend.go
index 9d386f160861a..7c84833a5b44a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressbackend.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressbackend.go
@@ -25,10 +25,17 @@ import (
 
 // IngressBackendApplyConfiguration represents a declarative configuration of the IngressBackend type for use
 // with apply.
+//
+// IngressBackend describes all endpoints for a given service and port.
 type IngressBackendApplyConfiguration struct {
-	ServiceName *string                                         `json:"serviceName,omitempty"`
-	ServicePort *intstr.IntOrString                             `json:"servicePort,omitempty"`
-	Resource    *v1.TypedLocalObjectReferenceApplyConfiguration `json:"resource,omitempty"`
+	// Specifies the name of the referenced service.
+	ServiceName *string `json:"serviceName,omitempty"`
+	// Specifies the port of the referenced service.
+	ServicePort *intstr.IntOrString `json:"servicePort,omitempty"`
+	// Resource is an ObjectRef to another Kubernetes resource in the namespace
+	// of the Ingress object. If resource is specified, serviceName and servicePort
+	// must not be specified.
+	Resource *v1.TypedLocalObjectReferenceApplyConfiguration `json:"resource,omitempty"`
 }
 
 // IngressBackendApplyConfiguration constructs a declarative configuration of the IngressBackend type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalanceringress.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalanceringress.go
index 12dbc35969b05..6b1d3cd80c24c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalanceringress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalanceringress.go
@@ -20,10 +20,15 @@ package v1beta1
 
 // IngressLoadBalancerIngressApplyConfiguration represents a declarative configuration of the IngressLoadBalancerIngress type for use
 // with apply.
+//
+// IngressLoadBalancerIngress represents the status of a load-balancer ingress point.
 type IngressLoadBalancerIngressApplyConfiguration struct {
-	IP       *string                               `json:"ip,omitempty"`
-	Hostname *string                               `json:"hostname,omitempty"`
-	Ports    []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
+	// IP is set for load-balancer ingress points that are IP based.
+	IP *string `json:"ip,omitempty"`
+	// Hostname is set for load-balancer ingress points that are DNS based.
+	Hostname *string `json:"hostname,omitempty"`
+	// Ports provides information about the ports exposed by this LoadBalancer.
+	Ports []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
 }
 
 // IngressLoadBalancerIngressApplyConfiguration constructs a declarative configuration of the IngressLoadBalancerIngress type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalancerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalancerstatus.go
index e896ab3415596..a71887ad46cc6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalancerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressloadbalancerstatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // IngressLoadBalancerStatusApplyConfiguration represents a declarative configuration of the IngressLoadBalancerStatus type for use
 // with apply.
+//
+// LoadBalancerStatus represents the status of a load-balancer.
 type IngressLoadBalancerStatusApplyConfiguration struct {
+	// Ingress is a list containing ingress points for the load-balancer.
 	Ingress []IngressLoadBalancerIngressApplyConfiguration `json:"ingress,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressportstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressportstatus.go
index 4ee3f01617f9c..019c29bc9e3c4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressportstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressportstatus.go
@@ -24,10 +24,23 @@ import (
 
 // IngressPortStatusApplyConfiguration represents a declarative configuration of the IngressPortStatus type for use
 // with apply.
+//
+// IngressPortStatus represents the error condition of a service port
 type IngressPortStatusApplyConfiguration struct {
-	Port     *int32       `json:"port,omitempty"`
+	// Port is the port number of the ingress port.
+	Port *int32 `json:"port,omitempty"`
+	// Protocol is the protocol of the ingress port.
+	// The supported values are: "TCP", "UDP", "SCTP"
 	Protocol *v1.Protocol `json:"protocol,omitempty"`
-	Error    *string      `json:"error,omitempty"`
+	// Error is to record the problem with the service port
+	// The format of the error shall comply with the following rules:
+	// - built-in error values shall be specified in this file and those shall use
+	// CamelCase names
+	// - cloud provider specific error values must have names that comply with the
+	// format foo.example.com/CamelCase.
+	// ---
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	Error *string `json:"error,omitempty"`
 }
 
 // IngressPortStatusApplyConfiguration constructs a declarative configuration of the IngressPortStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrule.go
index 809fada928eac..91ebcf89f0452 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrule.go
@@ -20,8 +20,39 @@ package v1beta1
 
 // IngressRuleApplyConfiguration represents a declarative configuration of the IngressRule type for use
 // with apply.
+//
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
 type IngressRuleApplyConfiguration struct {
-	Host                               *string `json:"host,omitempty"`
+	// Host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	// the IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	// Currently the port of an Ingress is implicitly :80 for http and
+	// :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// Host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If Host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
+	Host *string `json:"host,omitempty"`
+	// IngressRuleValue represents a rule to route requests for this IngressRule.
+	// If unspecified, the rule defaults to a http catch-all. Whether that sends
+	// just traffic matching the host to the default backend or all traffic to the
+	// default backend, is left to the controller fulfilling the Ingress. Http is
+	// currently the only supported IngressRuleValue.
 	IngressRuleValueApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrulevalue.go
index 4a64124755608..1ace13224fd89 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressrulevalue.go
@@ -20,7 +20,18 @@ package v1beta1
 
 // IngressRuleValueApplyConfiguration represents a declarative configuration of the IngressRuleValue type for use
 // with apply.
+//
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
 type IngressRuleValueApplyConfiguration struct {
+	// http is a list of http selectors pointing to backends.
+	// A path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/'.
+	// A backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
 	HTTP *HTTPIngressRuleValueApplyConfiguration `json:"http,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressspec.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressspec.go
index 58fbde8b35251..1b01da93feb2e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressspec.go
@@ -20,11 +20,34 @@ package v1beta1
 
 // IngressSpecApplyConfiguration represents a declarative configuration of the IngressSpec type for use
 // with apply.
+//
+// IngressSpec describes the Ingress the user wishes to exist.
 type IngressSpecApplyConfiguration struct {
-	IngressClassName *string                           `json:"ingressClassName,omitempty"`
-	Backend          *IngressBackendApplyConfiguration `json:"backend,omitempty"`
-	TLS              []IngressTLSApplyConfiguration    `json:"tls,omitempty"`
-	Rules            []IngressRuleApplyConfiguration   `json:"rules,omitempty"`
+	// IngressClassName is the name of the IngressClass cluster resource. The
+	// associated IngressClass defines which controller will implement the
+	// resource. This replaces the deprecated `kubernetes.io/ingress.class`
+	// annotation. For backwards compatibility, when that annotation is set, it
+	// must be given precedence over this field. The controller may emit a
+	// warning if the field and annotation have different values.
+	// Implementations of this API should ignore Ingresses without a class
+	// specified. An IngressClass resource may be marked as default, which can
+	// be used to set a default value for this field. For more information,
+	// refer to the IngressClass documentation.
+	IngressClassName *string `json:"ingressClassName,omitempty"`
+	// A default backend capable of servicing requests that don't match any
+	// rule. At least one of 'backend' or 'rules' must be specified. This field
+	// is optional to allow the loadbalancer controller or defaulting logic to
+	// specify a global default.
+	Backend *IngressBackendApplyConfiguration `json:"backend,omitempty"`
+	// TLS configuration. Currently the Ingress only supports a single TLS
+	// port, 443. If multiple members of this list specify different hosts, they
+	// will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	TLS []IngressTLSApplyConfiguration `json:"tls,omitempty"`
+	// A list of host rules used to configure the Ingress. If unspecified, or
+	// no rule matches, all traffic is sent to the default backend.
+	Rules []IngressRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // IngressSpecApplyConfiguration constructs a declarative configuration of the IngressSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressstatus.go
index 3aed616889c0f..1374e0161d427 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingressstatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // IngressStatusApplyConfiguration represents a declarative configuration of the IngressStatus type for use
 // with apply.
+//
+// IngressStatus describe the current state of the Ingress.
 type IngressStatusApplyConfiguration struct {
+	// LoadBalancer contains the current status of the load-balancer.
 	LoadBalancer *IngressLoadBalancerStatusApplyConfiguration `json:"loadBalancer,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingresstls.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingresstls.go
index 63648cd464952..87e6315b9a3ca 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingresstls.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ingresstls.go
@@ -20,9 +20,20 @@ package v1beta1
 
 // IngressTLSApplyConfiguration represents a declarative configuration of the IngressTLS type for use
 // with apply.
+//
+// IngressTLS describes the transport layer security associated with an Ingress.
 type IngressTLSApplyConfiguration struct {
-	Hosts      []string `json:"hosts,omitempty"`
-	SecretName *string  `json:"secretName,omitempty"`
+	// Hosts are a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	Hosts []string `json:"hosts,omitempty"`
+	// SecretName is the name of the secret used to terminate SSL traffic on 443.
+	// Field is left optional to allow SSL routing based on SNI hostname alone.
+	// If the SNI host in a listener conflicts with the "Host" header field used
+	// by an IngressRule, the SNI host is used for termination and value of the
+	// Host header is used for routing.
+	SecretName *string `json:"secretName,omitempty"`
 }
 
 // IngressTLSApplyConfiguration constructs a declarative configuration of the IngressTLS type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ipblock.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ipblock.go
index 4a671130b8592..903a870d152a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ipblock.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/ipblock.go
@@ -20,8 +20,18 @@ package v1beta1
 
 // IPBlockApplyConfiguration represents a declarative configuration of the IPBlock type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of IPBlock is deprecated by networking/v1/IPBlock.
+// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
+// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
+// that should not be included within this rule.
 type IPBlockApplyConfiguration struct {
-	CIDR   *string  `json:"cidr,omitempty"`
+	// CIDR is a string representing the IP Block
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	CIDR *string `json:"cidr,omitempty"`
+	// Except is a slice of CIDRs that should not be included within an IP Block
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	// Except values will be rejected if they are outside the CIDR range
 	Except []string `json:"except,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicy.go
index e1f0aad86f5be..64d95e49251b6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicy.go
@@ -29,10 +29,16 @@ import (
 
 // NetworkPolicyApplyConfiguration represents a declarative configuration of the NetworkPolicy type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicy is deprecated by networking/v1/NetworkPolicy.
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
 type NetworkPolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *NetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// Specification of the desired behavior for this NetworkPolicy.
+	Spec *NetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // NetworkPolicy constructs a declarative configuration of the NetworkPolicy type for use with
@@ -46,29 +52,14 @@ func NetworkPolicy(name, namespace string) *NetworkPolicyApplyConfiguration {
 	return b
 }
 
-// ExtractNetworkPolicy extracts the applied configuration owned by fieldManager from
-// networkPolicy. If no managedFields are found in networkPolicy for fieldManager, a
-// NetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractNetworkPolicyFrom extracts the applied configuration owned by fieldManager from
+// networkPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // networkPolicy must be a unmodified NetworkPolicy API object that was retrieved from the Kubernetes API.
-// ExtractNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractNetworkPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractNetworkPolicy(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
-	return extractNetworkPolicy(networkPolicy, fieldManager, "")
-}
-
-// ExtractNetworkPolicyStatus is the same as ExtractNetworkPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractNetworkPolicyStatus(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
-	return extractNetworkPolicy(networkPolicy, fieldManager, "status")
-}
-
-func extractNetworkPolicy(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldManager string, subresource string) (*NetworkPolicyApplyConfiguration, error) {
+func ExtractNetworkPolicyFrom(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldManager string, subresource string) (*NetworkPolicyApplyConfiguration, error) {
 	b := &NetworkPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(networkPolicy, internal.Parser().Type("io.k8s.api.extensions.v1beta1.NetworkPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractNetworkPolicy(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldM
 	b.WithAPIVersion("extensions/v1beta1")
 	return b, nil
 }
+
+// ExtractNetworkPolicy extracts the applied configuration owned by fieldManager from
+// networkPolicy. If no managedFields are found in networkPolicy for fieldManager, a
+// NetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// networkPolicy must be a unmodified NetworkPolicy API object that was retrieved from the Kubernetes API.
+// ExtractNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNetworkPolicy(networkPolicy *extensionsv1beta1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
+	return ExtractNetworkPolicyFrom(networkPolicy, fieldManager, "")
+}
+
 func (b NetworkPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyegressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyegressrule.go
index ca3e174f93c8a..d9812fc22a19b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyegressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyegressrule.go
@@ -20,9 +20,24 @@ package v1beta1
 
 // NetworkPolicyEgressRuleApplyConfiguration represents a declarative configuration of the NetworkPolicyEgressRule type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicyEgressRule is deprecated by networking/v1/NetworkPolicyEgressRule.
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
 type NetworkPolicyEgressRuleApplyConfiguration struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
 	Ports []NetworkPolicyPortApplyConfiguration `json:"ports,omitempty"`
-	To    []NetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	To []NetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
 }
 
 // NetworkPolicyEgressRuleApplyConfiguration constructs a declarative configuration of the NetworkPolicyEgressRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyingressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyingressrule.go
index 16071372047a9..c52d5116a4252 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyingressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyingressrule.go
@@ -20,9 +20,22 @@ package v1beta1
 
 // NetworkPolicyIngressRuleApplyConfiguration represents a declarative configuration of the NetworkPolicyIngressRule type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicyIngressRule is deprecated by networking/v1/NetworkPolicyIngressRule.
+// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
 type NetworkPolicyIngressRuleApplyConfiguration struct {
+	// List of ports which should be made accessible on the pods selected for this rule.
+	// Each item in this list is combined using a logical OR.
+	// If this field is empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows traffic
+	// only if the traffic matches at least one port in the list.
 	Ports []NetworkPolicyPortApplyConfiguration `json:"ports,omitempty"`
-	From  []NetworkPolicyPeerApplyConfiguration `json:"from,omitempty"`
+	// List of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation.
+	// If this field is empty or missing, this rule matches all sources (traffic not restricted by source).
+	// If this field is present and contains at least one item, this rule allows traffic only if the
+	// traffic matches at least one item in the from list.
+	From []NetworkPolicyPeerApplyConfiguration `json:"from,omitempty"`
 }
 
 // NetworkPolicyIngressRuleApplyConfiguration constructs a declarative configuration of the NetworkPolicyIngressRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicypeer.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicypeer.go
index 8a0fa57415242..153095e85d337 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicypeer.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicypeer.go
@@ -24,10 +24,26 @@ import (
 
 // NetworkPolicyPeerApplyConfiguration represents a declarative configuration of the NetworkPolicyPeer type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicyPeer is deprecated by networking/v1/NetworkPolicyPeer.
 type NetworkPolicyPeerApplyConfiguration struct {
-	PodSelector       *v1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// This is a label selector which selects Pods. This field follows standard label
+	// selector semantics; if present but empty, it selects all pods.
+	//
+	// If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
+	PodSelector *v1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// Selects Namespaces using cluster-scoped labels. This field follows standard label
+	// selector semantics; if present but empty, it selects all namespaces.
+	//
+	// If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
 	NamespaceSelector *v1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
-	IPBlock           *IPBlockApplyConfiguration          `json:"ipBlock,omitempty"`
+	// IPBlock defines policy on a particular IPBlock. If this field is set then
+	// neither of the other fields can be.
+	IPBlock *IPBlockApplyConfiguration `json:"ipBlock,omitempty"`
 }
 
 // NetworkPolicyPeerApplyConfiguration constructs a declarative configuration of the NetworkPolicyPeer type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyport.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyport.go
index 6bc1c1977b615..94ea3bdd1f5eb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyport.go
@@ -25,10 +25,22 @@ import (
 
 // NetworkPolicyPortApplyConfiguration represents a declarative configuration of the NetworkPolicyPort type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicyPort is deprecated by networking/v1/NetworkPolicyPort.
 type NetworkPolicyPortApplyConfiguration struct {
-	Protocol *v1.Protocol        `json:"protocol,omitempty"`
-	Port     *intstr.IntOrString `json:"port,omitempty"`
-	EndPort  *int32              `json:"endPort,omitempty"`
+	// Optional.  The protocol (TCP, UDP, or SCTP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	Protocol *v1.Protocol `json:"protocol,omitempty"`
+	// The port on the given protocol. This can either be a numerical or named
+	// port on a pod. If this field is not provided, this matches all port names and
+	// numbers.
+	// If present, only traffic on the specified protocol AND port will be matched.
+	Port *intstr.IntOrString `json:"port,omitempty"`
+	// If set, indicates that the range of ports from port to endPort, inclusive,
+	// should be allowed by the policy. This field cannot be defined if the port field
+	// is not defined or if the port field is defined as a named (string) port.
+	// The endPort must be equal or greater than port.
+	EndPort *int32 `json:"endPort,omitempty"`
 }
 
 // NetworkPolicyPortApplyConfiguration constructs a declarative configuration of the NetworkPolicyPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyspec.go
index 4454329c5b5b2..5785b82e40772 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/networkpolicyspec.go
@@ -25,11 +25,42 @@ import (
 
 // NetworkPolicySpecApplyConfiguration represents a declarative configuration of the NetworkPolicySpec type for use
 // with apply.
+//
+// DEPRECATED 1.9 - This group version of NetworkPolicySpec is deprecated by networking/v1/NetworkPolicySpec.
 type NetworkPolicySpecApplyConfiguration struct {
-	PodSelector *v1.LabelSelectorApplyConfiguration          `json:"podSelector,omitempty"`
-	Ingress     []NetworkPolicyIngressRuleApplyConfiguration `json:"ingress,omitempty"`
-	Egress      []NetworkPolicyEgressRuleApplyConfiguration  `json:"egress,omitempty"`
-	PolicyTypes []extensionsv1beta1.PolicyType               `json:"policyTypes,omitempty"`
+	// Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
+	// is applied to any pods selected by this field. Multiple network policies can select the
+	// same set of pods.  In this case, the ingress rules for each are combined additively.
+	// This field is NOT optional and follows standard label selector semantics.
+	// An empty podSelector matches all pods in this namespace.
+	PodSelector *v1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// List of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
+	// OR if the traffic source is the pod's local node,
+	// OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
+	// objects whose podSelector matches the pod.
+	// If this field is empty then this NetworkPolicy does not allow any traffic
+	// (and serves solely to ensure that the pods it selects are isolated by default).
+	Ingress []NetworkPolicyIngressRuleApplyConfiguration `json:"ingress,omitempty"`
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	Egress []NetworkPolicyEgressRuleApplyConfiguration `json:"egress,omitempty"`
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	PolicyTypes []extensionsv1beta1.PolicyType `json:"policyTypes,omitempty"`
 }
 
 // NetworkPolicySpecApplyConfiguration constructs a declarative configuration of the NetworkPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicaset.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicaset.go
index dbe787b5bfd20..02d6cbffe403f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicaset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicaset.go
@@ -29,11 +29,25 @@ import (
 
 // ReplicaSetApplyConfiguration represents a declarative configuration of the ReplicaSet type for use
 // with apply.
+//
+// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for
+// more information.
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
 type ReplicaSetApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ReplicaSetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ReplicaSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ReplicaSetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ReplicaSet constructs a declarative configuration of the ReplicaSet type for use with
@@ -47,6 +61,27 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 	return b
 }
 
+// ExtractReplicaSetFrom extracts the applied configuration owned by fieldManager from
+// replicaSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// replicaSet must be a unmodified ReplicaSet API object that was retrieved from the Kubernetes API.
+// ExtractReplicaSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractReplicaSetFrom(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
+	b := &ReplicaSetApplyConfiguration{}
+	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.extensions.v1beta1.ReplicaSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(replicaSet.Name)
+	b.WithNamespace(replicaSet.Namespace)
+
+	b.WithKind("ReplicaSet")
+	b.WithAPIVersion("extensions/v1beta1")
+	return b, nil
+}
+
 // ExtractReplicaSet extracts the applied configuration owned by fieldManager from
 // replicaSet. If no managedFields are found in replicaSet for fieldManager, a
 // ReplicaSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +92,22 @@ func ReplicaSet(name, namespace string) *ReplicaSetApplyConfiguration {
 // ExtractReplicaSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractReplicaSet(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "")
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "")
 }
 
-// ExtractReplicaSetStatus is the same as ExtractReplicaSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractReplicaSetStatus(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
-	return extractReplicaSet(replicaSet, fieldManager, "status")
+// ExtractReplicaSetScale extracts the applied configuration owned by fieldManager from
+// replicaSet for the scale subresource.
+func ExtractReplicaSetScale(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "scale")
 }
 
-func extractReplicaSet(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string, subresource string) (*ReplicaSetApplyConfiguration, error) {
-	b := &ReplicaSetApplyConfiguration{}
-	err := managedfields.ExtractInto(replicaSet, internal.Parser().Type("io.k8s.api.extensions.v1beta1.ReplicaSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(replicaSet.Name)
-	b.WithNamespace(replicaSet.Namespace)
-
-	b.WithKind("ReplicaSet")
-	b.WithAPIVersion("extensions/v1beta1")
-	return b, nil
+// ExtractReplicaSetStatus extracts the applied configuration owned by fieldManager from
+// replicaSet for the status subresource.
+func ExtractReplicaSetStatus(replicaSet *extensionsv1beta1.ReplicaSet, fieldManager string) (*ReplicaSetApplyConfiguration, error) {
+	return ExtractReplicaSetFrom(replicaSet, fieldManager, "status")
 }
+
 func (b ReplicaSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetcondition.go
index 540079fe53da2..e8100ce0594bb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetcondition.go
@@ -26,12 +26,19 @@ import (
 
 // ReplicaSetConditionApplyConfiguration represents a declarative configuration of the ReplicaSetCondition type for use
 // with apply.
+//
+// ReplicaSetCondition describes the state of a replica set at a certain point.
 type ReplicaSetConditionApplyConfiguration struct {
-	Type               *extensionsv1beta1.ReplicaSetConditionType `json:"type,omitempty"`
-	Status             *v1.ConditionStatus                        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                               `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                    `json:"reason,omitempty"`
-	Message            *string                                    `json:"message,omitempty"`
+	// Type of replica set condition.
+	Type *extensionsv1beta1.ReplicaSetConditionType `json:"type,omitempty"`
+	// Status of the condition, one of True, False, Unknown.
+	Status *v1.ConditionStatus `json:"status,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // ReplicaSetConditionApplyConfiguration constructs a declarative configuration of the ReplicaSetCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetspec.go
index 27653dd1af834..233c622e03cf2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetspec.go
@@ -25,11 +25,27 @@ import (
 
 // ReplicaSetSpecApplyConfiguration represents a declarative configuration of the ReplicaSetSpec type for use
 // with apply.
+//
+// ReplicaSetSpec is the specification of a ReplicaSet.
 type ReplicaSetSpecApplyConfiguration struct {
-	Replicas        *int32                                    `json:"replicas,omitempty"`
-	MinReadySeconds *int32                                    `json:"minReadySeconds,omitempty"`
-	Selector        *v1.LabelSelectorApplyConfiguration       `json:"selector,omitempty"`
-	Template        *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
+	// Replicas is the number of desired pods.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// Selector is a label query over pods that should match the replica count.
+	// If the selector is empty, it is defaulted to the labels present on the pod template.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/#pod-template
+	Template *corev1.PodTemplateSpecApplyConfiguration `json:"template,omitempty"`
 }
 
 // ReplicaSetSpecApplyConfiguration constructs a declarative configuration of the ReplicaSetSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetstatus.go
index 46abc94322b6f..6882bc6660007 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/replicasetstatus.go
@@ -20,14 +20,27 @@ package v1beta1
 
 // ReplicaSetStatusApplyConfiguration represents a declarative configuration of the ReplicaSetStatus type for use
 // with apply.
+//
+// ReplicaSetStatus represents the current status of a ReplicaSet.
 type ReplicaSetStatusApplyConfiguration struct {
-	Replicas             *int32                                  `json:"replicas,omitempty"`
-	FullyLabeledReplicas *int32                                  `json:"fullyLabeledReplicas,omitempty"`
-	ReadyReplicas        *int32                                  `json:"readyReplicas,omitempty"`
-	AvailableReplicas    *int32                                  `json:"availableReplicas,omitempty"`
-	TerminatingReplicas  *int32                                  `json:"terminatingReplicas,omitempty"`
-	ObservedGeneration   *int64                                  `json:"observedGeneration,omitempty"`
-	Conditions           []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Replicas is the most recently observed number of non-terminating pods.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset
+	Replicas *int32 `json:"replicas,omitempty"`
+	// The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset.
+	FullyLabeledReplicas *int32 `json:"fullyLabeledReplicas,omitempty"`
+	// The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
+	// The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp
+	// and have not yet reached the Failed or Succeeded .status.phase.
+	//
+	// This is a beta field and requires enabling DeploymentReplicaSetTerminatingReplicas feature (enabled by default).
+	TerminatingReplicas *int32 `json:"terminatingReplicas,omitempty"`
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// Represents the latest available observations of a replica set's current state.
+	Conditions []ReplicaSetConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ReplicaSetStatusApplyConfiguration constructs a declarative configuration of the ReplicaSetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollbackconfig.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollbackconfig.go
index 775f82eef8019..f73b9e670eafe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollbackconfig.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollbackconfig.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // RollbackConfigApplyConfiguration represents a declarative configuration of the RollbackConfig type for use
 // with apply.
+//
+// DEPRECATED.
 type RollbackConfigApplyConfiguration struct {
+	// The revision to rollback to. If set to 0, rollback to the last revision.
 	Revision *int64 `json:"revision,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedaemonset.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedaemonset.go
index 4352f7fac7f28..0ce80e98820e2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedaemonset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedaemonset.go
@@ -24,9 +24,44 @@ import (
 
 // RollingUpdateDaemonSetApplyConfiguration represents a declarative configuration of the RollingUpdateDaemonSet type for use
 // with apply.
+//
+// Spec to control the desired behavior of daemon set rolling update.
 type RollingUpdateDaemonSetApplyConfiguration struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediately created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// This is an alpha field and requires enabling DaemonSetUpdateSurge feature gate.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDaemonSetApplyConfiguration constructs a declarative configuration of the RollingUpdateDaemonSet type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedeployment.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedeployment.go
index 244701a5e0158..34461b6539827 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedeployment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/rollingupdatedeployment.go
@@ -24,9 +24,32 @@ import (
 
 // RollingUpdateDeploymentApplyConfiguration represents a declarative configuration of the RollingUpdateDeployment type for use
 // with apply.
+//
+// Spec to control the desired behavior of rolling update.
 type RollingUpdateDeploymentApplyConfiguration struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// By default, a fixed value of 1 is used.
+	// Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old RC
+	// can be scaled down further, followed by scaling up the new RC, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
 	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
-	MaxSurge       *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// By default, a value of 1 is used.
+	// Example: when this is set to 30%, the new RC can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new RC can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
 }
 
 // RollingUpdateDeploymentApplyConfiguration constructs a declarative configuration of the RollingUpdateDeployment type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/scale.go b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/scale.go
index 84dcc97c401f7..9637d58c8433e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/scale.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/extensions/v1beta1/scale.go
@@ -27,11 +27,16 @@ import (
 
 // ScaleApplyConfiguration represents a declarative configuration of the Scale type for use
 // with apply.
+//
+// represents a scaling request for a resource.
 type ScaleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *extensionsv1beta1.ScaleSpec   `json:"spec,omitempty"`
-	Status                           *extensionsv1beta1.ScaleStatus `json:"status,omitempty"`
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	Spec *extensionsv1beta1.ScaleSpec `json:"spec,omitempty"`
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+	Status *extensionsv1beta1.ScaleStatus `json:"status,omitempty"`
 }
 
 // ScaleApplyConfiguration constructs a declarative configuration of the Scale type for use with
@@ -42,6 +47,7 @@ func Scale() *ScaleApplyConfiguration {
 	b.WithAPIVersion("extensions/v1beta1")
 	return b
 }
+
 func (b ScaleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/exemptprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/exemptprioritylevelconfiguration.go
index 4e5805f394548..e95d6a62850a7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/exemptprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/exemptprioritylevelconfiguration.go
@@ -20,9 +20,35 @@ package v1
 
 // ExemptPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the ExemptPriorityLevelConfiguration type for use
 // with apply.
+//
+// ExemptPriorityLevelConfiguration describes the configurable aspects
+// of the handling of exempt requests.
+// In the mandatory exempt configuration object the values in the fields
+// here can be modified by authorized users, unlike the rest of the `spec`.
 type ExemptPriorityLevelConfigurationApplyConfiguration struct {
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats nominally reserved for this priority level.
+	// This DOES NOT limit the dispatching from this priority level
+	// but affects the other priority levels through the borrowing mechanism.
+	// The server's concurrency limit (ServerCL) is divided among all the
+	// priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	// This field has a default value of zero.
 	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
-	LendablePercent          *int32 `json:"lendablePercent,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels.  This value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
 }
 
 // ExemptPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the ExemptPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowdistinguishermethod.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowdistinguishermethod.go
index f8923ae7b35e3..ef941c1e1506f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowdistinguishermethod.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowdistinguishermethod.go
@@ -24,7 +24,12 @@ import (
 
 // FlowDistinguisherMethodApplyConfiguration represents a declarative configuration of the FlowDistinguisherMethod type for use
 // with apply.
+//
+// FlowDistinguisherMethod specifies the method of a flow distinguisher.
 type FlowDistinguisherMethodApplyConfiguration struct {
+	// `type` is the type of flow distinguisher method
+	// The supported types are "ByUser" and "ByNamespace".
+	// Required.
 	Type *flowcontrolv1.FlowDistinguisherMethodType `json:"type,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschema.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschema.go
index 5ffebfd322019..1bfc945a3f56e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschema.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschema.go
@@ -29,11 +29,20 @@ import (
 
 // FlowSchemaApplyConfiguration represents a declarative configuration of the FlowSchema type for use
 // with apply.
+//
+// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
+// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
 type FlowSchemaApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *FlowSchemaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *FlowSchemaSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // FlowSchema constructs a declarative configuration of the FlowSchema type for use with
@@ -46,6 +55,26 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 	return b
 }
 
+// ExtractFlowSchemaFrom extracts the applied configuration owned by fieldManager from
+// flowSchema for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// flowSchema must be a unmodified FlowSchema API object that was retrieved from the Kubernetes API.
+// ExtractFlowSchemaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractFlowSchemaFrom(flowSchema *flowcontrolv1.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
+	b := &FlowSchemaApplyConfiguration{}
+	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1.FlowSchema"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(flowSchema.Name)
+
+	b.WithKind("FlowSchema")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractFlowSchema extracts the applied configuration owned by fieldManager from
 // flowSchema. If no managedFields are found in flowSchema for fieldManager, a
 // FlowSchemaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 // ExtractFlowSchema provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractFlowSchema(flowSchema *flowcontrolv1.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "")
 }
 
-// ExtractFlowSchemaStatus is the same as ExtractFlowSchema except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractFlowSchemaStatus extracts the applied configuration owned by fieldManager from
+// flowSchema for the status subresource.
 func ExtractFlowSchemaStatus(flowSchema *flowcontrolv1.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "status")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "status")
 }
 
-func extractFlowSchema(flowSchema *flowcontrolv1.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
-	b := &FlowSchemaApplyConfiguration{}
-	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1.FlowSchema"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(flowSchema.Name)
-
-	b.WithKind("FlowSchema")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1")
-	return b, nil
-}
 func (b FlowSchemaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemacondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemacondition.go
index d1c3dfbc67290..a9023615de17e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemacondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemacondition.go
@@ -25,12 +25,22 @@ import (
 
 // FlowSchemaConditionApplyConfiguration represents a declarative configuration of the FlowSchemaCondition type for use
 // with apply.
+//
+// FlowSchemaCondition describes conditions for a FlowSchema.
 type FlowSchemaConditionApplyConfiguration struct {
-	Type               *flowcontrolv1.FlowSchemaConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                           `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                `json:"reason,omitempty"`
-	Message            *string                                `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1.FlowSchemaConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // FlowSchemaConditionApplyConfiguration constructs a declarative configuration of the FlowSchemaCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemaspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemaspec.go
index 4efd5d2875fff..dc3476557f636 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemaspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemaspec.go
@@ -20,11 +20,25 @@ package v1
 
 // FlowSchemaSpecApplyConfiguration represents a declarative configuration of the FlowSchemaSpec type for use
 // with apply.
+//
+// FlowSchemaSpec describes how the FlowSchema's specification looks like.
 type FlowSchemaSpecApplyConfiguration struct {
+	// `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
+	// be resolved, the FlowSchema will be ignored and marked as invalid in its status.
+	// Required.
 	PriorityLevelConfiguration *PriorityLevelConfigurationReferenceApplyConfiguration `json:"priorityLevelConfiguration,omitempty"`
-	MatchingPrecedence         *int32                                                 `json:"matchingPrecedence,omitempty"`
-	DistinguisherMethod        *FlowDistinguisherMethodApplyConfiguration             `json:"distinguisherMethod,omitempty"`
-	Rules                      []PolicyRulesWithSubjectsApplyConfiguration            `json:"rules,omitempty"`
+	// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
+	// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
+	// MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
+	// Note that if the precedence is not specified, it will be set to 1000 as default.
+	MatchingPrecedence *int32 `json:"matchingPrecedence,omitempty"`
+	// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
+	// `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
+	DistinguisherMethod *FlowDistinguisherMethodApplyConfiguration `json:"distinguisherMethod,omitempty"`
+	// `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
+	// at least one member of rules matches the request.
+	// if it is an empty slice, there will be no requests matching the FlowSchema.
+	Rules []PolicyRulesWithSubjectsApplyConfiguration `json:"rules,omitempty"`
 }
 
 // FlowSchemaSpecApplyConfiguration constructs a declarative configuration of the FlowSchemaSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemastatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemastatus.go
index 6f951967e8897..c9bd727576247 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemastatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/flowschemastatus.go
@@ -20,7 +20,10 @@ package v1
 
 // FlowSchemaStatusApplyConfiguration represents a declarative configuration of the FlowSchemaStatus type for use
 // with apply.
+//
+// FlowSchemaStatus represents the current state of a FlowSchema.
 type FlowSchemaStatusApplyConfiguration struct {
+	// `conditions` is a list of the current states of FlowSchema.
 	Conditions []FlowSchemaConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/groupsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/groupsubject.go
index 0be9eddfd6f20..50a4c9a05e3fa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/groupsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/groupsubject.go
@@ -20,7 +20,13 @@ package v1
 
 // GroupSubjectApplyConfiguration represents a declarative configuration of the GroupSubject type for use
 // with apply.
+//
+// GroupSubject holds detailed information for group-kind subject.
 type GroupSubjectApplyConfiguration struct {
+	// name is the user group that matches, or "*" to match all user groups.
+	// See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
+	// well-known group names.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitedprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitedprioritylevelconfiguration.go
index 8e27642985039..cd93e92651811 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitedprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitedprioritylevelconfiguration.go
@@ -20,11 +20,58 @@ package v1
 
 // LimitedPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the LimitedPriorityLevelConfiguration type for use
 // with apply.
+//
+// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
+// It addresses two issues:
+// - How are requests for this priority level limited?
+// - What should be done with requests that exceed the limit?
 type LimitedPriorityLevelConfigurationApplyConfiguration struct {
-	NominalConcurrencyShares *int32                           `json:"nominalConcurrencyShares,omitempty"`
-	LimitResponse            *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
-	LendablePercent          *int32                           `json:"lendablePercent,omitempty"`
-	BorrowingLimitPercent    *int32                           `json:"borrowingLimitPercent,omitempty"`
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats available at this priority level.
+	// This is used both for requests dispatched from this priority level
+	// as well as requests dispatched from other priority levels
+	// borrowing seats from this level.
+	// The server's concurrency limit (ServerCL) is divided among the
+	// Limited priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	//
+	// If not specified, this field defaults to a value of 30.
+	//
+	// Setting this field to zero supports the construction of a
+	// "jail" for this priority level that is used to hold some request(s)
+	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
+	// `limitResponse` indicates what to do with requests that can not be executed right now
+	LimitResponse *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels. The value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
+	// `borrowingLimitPercent`, if present, configures a limit on how many
+	// seats this priority level can borrow from other priority levels.
+	// The limit is known as this level's BorrowingConcurrencyLimit
+	// (BorrowingCL) and is a limit on the total number of seats that this
+	// level may borrow at any one time.
+	// This field holds the ratio of that limit to the level's nominal
+	// concurrency limit. When this field is non-nil, it must hold a
+	// non-negative integer and the limit is calculated as follows.
+	//
+	// BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
+	//
+	// The value of this field can be more than 100, implying that this
+	// priority level can borrow a number of seats that is greater than
+	// its own nominal concurrency limit (NominalCL).
+	// When this field is left `nil`, the limit is effectively infinite.
+	BorrowingLimitPercent *int32 `json:"borrowingLimitPercent,omitempty"`
 }
 
 // LimitedPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the LimitedPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitresponse.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitresponse.go
index dc2e919d7f446..9ba5d18876a1c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitresponse.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/limitresponse.go
@@ -24,8 +24,19 @@ import (
 
 // LimitResponseApplyConfiguration represents a declarative configuration of the LimitResponse type for use
 // with apply.
+//
+// LimitResponse defines how to handle requests that can not be executed right now.
 type LimitResponseApplyConfiguration struct {
-	Type    *flowcontrolv1.LimitResponseType        `json:"type,omitempty"`
+	// `type` is "Queue" or "Reject".
+	// "Queue" means that requests that can not be executed upon arrival
+	// are held in a queue until they can be executed or a queuing limit
+	// is reached.
+	// "Reject" means that requests that can not be executed upon arrival
+	// are rejected.
+	// Required.
+	Type *flowcontrolv1.LimitResponseType `json:"type,omitempty"`
+	// `queuing` holds the configuration parameters for queuing.
+	// This field may be non-empty only if `type` is `"Queue"`.
 	Queuing *QueuingConfigurationApplyConfiguration `json:"queuing,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/nonresourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/nonresourcepolicyrule.go
index 29c26b3406e70..5aeaa9de61333 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/nonresourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/nonresourcepolicyrule.go
@@ -20,8 +20,24 @@ package v1
 
 // NonResourcePolicyRuleApplyConfiguration represents a declarative configuration of the NonResourcePolicyRule type for use
 // with apply.
+//
+// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
+// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
+// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
 type NonResourcePolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs. If it is present, it must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
+	// For example:
+	// - "/healthz" is legal
+	// - "/hea*" is illegal
+	// - "/hea" is legal but matches nothing
+	// - "/hea/*" also matches nothing
+	// - "/healthz/*" matches all per-component health checks.
+	// "*" matches all non-resource urls. if it is present, it must be the only entry.
+	// Required.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/policyruleswithsubjects.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/policyruleswithsubjects.go
index 088afdc584b5b..7e17164813cef 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/policyruleswithsubjects.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/policyruleswithsubjects.go
@@ -20,9 +20,23 @@ package v1
 
 // PolicyRulesWithSubjectsApplyConfiguration represents a declarative configuration of the PolicyRulesWithSubjects type for use
 // with apply.
+//
+// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
+// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
+// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
+// of resourceRules or nonResourceRules matches the request.
 type PolicyRulesWithSubjectsApplyConfiguration struct {
-	Subjects         []SubjectApplyConfiguration               `json:"subjects,omitempty"`
-	ResourceRules    []ResourcePolicyRuleApplyConfiguration    `json:"resourceRules,omitempty"`
+	// subjects is the list of normal user, serviceaccount, or group that this rule cares about.
+	// There must be at least one member in this slice.
+	// A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
+	// Required.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
+	// target resource.
+	// At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
+	ResourceRules []ResourcePolicyRuleApplyConfiguration `json:"resourceRules,omitempty"`
+	// `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
+	// and the target non-resource URL.
 	NonResourceRules []NonResourcePolicyRuleApplyConfiguration `json:"nonResourceRules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfiguration.go
index 8fb6a66454dc8..d64c3acb62067 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfiguration.go
@@ -29,11 +29,19 @@ import (
 
 // PriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the PriorityLevelConfiguration type for use
 // with apply.
+//
+// PriorityLevelConfiguration represents the configuration of a priority level.
 type PriorityLevelConfigurationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PriorityLevelConfigurationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PriorityLevelConfigurationSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PriorityLevelConfiguration constructs a declarative configuration of the PriorityLevelConfiguration type for use with
@@ -46,6 +54,26 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 	return b
 }
 
+// ExtractPriorityLevelConfigurationFrom extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// priorityLevelConfiguration must be a unmodified PriorityLevelConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractPriorityLevelConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration *flowcontrolv1.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
+	b := &PriorityLevelConfigurationApplyConfiguration{}
+	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(priorityLevelConfiguration.Name)
+
+	b.WithKind("PriorityLevelConfiguration")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractPriorityLevelConfiguration extracts the applied configuration owned by fieldManager from
 // priorityLevelConfiguration. If no managedFields are found in priorityLevelConfiguration for fieldManager, a
 // PriorityLevelConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 // ExtractPriorityLevelConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "")
 }
 
-// ExtractPriorityLevelConfigurationStatus is the same as ExtractPriorityLevelConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPriorityLevelConfigurationStatus extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the status subresource.
 func ExtractPriorityLevelConfigurationStatus(priorityLevelConfiguration *flowcontrolv1.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "status")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "status")
 }
 
-func extractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	b := &PriorityLevelConfigurationApplyConfiguration{}
-	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(priorityLevelConfiguration.Name)
-
-	b.WithKind("PriorityLevelConfiguration")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1")
-	return b, nil
-}
 func (b PriorityLevelConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationcondition.go
index a7810adfbfafc..82b9547d576be 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationcondition.go
@@ -25,12 +25,22 @@ import (
 
 // PriorityLevelConfigurationConditionApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationCondition type for use
 // with apply.
+//
+// PriorityLevelConfigurationCondition defines the condition of priority level.
 type PriorityLevelConfigurationConditionApplyConfiguration struct {
-	Type               *flowcontrolv1.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1.ConditionStatus                         `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                                           `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                `json:"reason,omitempty"`
-	Message            *string                                                `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PriorityLevelConfigurationConditionApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationreference.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationreference.go
index f445713f0ccae..aec06f307f0a7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationreference.go
@@ -20,7 +20,11 @@ package v1
 
 // PriorityLevelConfigurationReferenceApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationReference type for use
 // with apply.
+//
+// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
 type PriorityLevelConfigurationReferenceApplyConfiguration struct {
+	// `name` is the name of the priority level configuration being referenced
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationspec.go
index 45e4cdcd8ad01..820b0bb61b866 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationspec.go
@@ -24,10 +24,28 @@ import (
 
 // PriorityLevelConfigurationSpecApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationSpec type for use
 // with apply.
+//
+// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
 type PriorityLevelConfigurationSpecApplyConfiguration struct {
-	Type    *flowcontrolv1.PriorityLevelEnablement               `json:"type,omitempty"`
+	// `type` indicates whether this priority level is subject to
+	// limitation on request execution.  A value of `"Exempt"` means
+	// that requests of this priority level are not subject to a limit
+	// (and thus are never queued) and do not detract from the
+	// capacity made available to other priority levels.  A value of
+	// `"Limited"` means that (a) requests of this priority level
+	// _are_ subject to limits and (b) some of the server's limited
+	// capacity is made available exclusively to this priority level.
+	// Required.
+	Type *flowcontrolv1.PriorityLevelEnablement `json:"type,omitempty"`
+	// `limited` specifies how requests are handled for a Limited priority level.
+	// This field must be non-empty if and only if `type` is `"Limited"`.
 	Limited *LimitedPriorityLevelConfigurationApplyConfiguration `json:"limited,omitempty"`
-	Exempt  *ExemptPriorityLevelConfigurationApplyConfiguration  `json:"exempt,omitempty"`
+	// `exempt` specifies how requests are handled for an exempt priority level.
+	// This field MUST be empty if `type` is `"Limited"`.
+	// This field MAY be non-empty if `type` is `"Exempt"`.
+	// If empty and `type` is `"Exempt"` then the default values
+	// for `ExemptPriorityLevelConfiguration` apply.
+	Exempt *ExemptPriorityLevelConfigurationApplyConfiguration `json:"exempt,omitempty"`
 }
 
 // PriorityLevelConfigurationSpecApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationstatus.go
index ff650bc3d58b1..3633154883a22 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/prioritylevelconfigurationstatus.go
@@ -20,7 +20,10 @@ package v1
 
 // PriorityLevelConfigurationStatusApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationStatus type for use
 // with apply.
+//
+// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
 type PriorityLevelConfigurationStatusApplyConfiguration struct {
+	// `conditions` is the current state of "request-priority".
 	Conditions []PriorityLevelConfigurationConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/queuingconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/queuingconfiguration.go
index 7488f9bbe2de4..04bc6dfeda6f2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/queuingconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/queuingconfiguration.go
@@ -20,9 +20,32 @@ package v1
 
 // QueuingConfigurationApplyConfiguration represents a declarative configuration of the QueuingConfiguration type for use
 // with apply.
+//
+// QueuingConfiguration holds the configuration parameters for queuing
 type QueuingConfigurationApplyConfiguration struct {
-	Queues           *int32 `json:"queues,omitempty"`
-	HandSize         *int32 `json:"handSize,omitempty"`
+	// `queues` is the number of queues for this priority level. The
+	// queues exist independently at each apiserver. The value must be
+	// positive.  Setting it to 1 effectively precludes
+	// shufflesharding and thus makes the distinguisher method of
+	// associated flow schemas irrelevant.  This field has a default
+	// value of 64.
+	Queues *int32 `json:"queues,omitempty"`
+	// `handSize` is a small positive number that configures the
+	// shuffle sharding of requests into queues.  When enqueuing a request
+	// at this priority level the request's flow identifier (a string
+	// pair) is hashed and the hash value is used to shuffle the list
+	// of queues and deal a hand of the size specified here.  The
+	// request is put into one of the shortest queues in that hand.
+	// `handSize` must be no larger than `queues`, and should be
+	// significantly smaller (so that a few heavy flows do not
+	// saturate most of the queues).  See the user-facing
+	// documentation for more extensive guidance on setting this
+	// field.  This field has a default value of 8.
+	HandSize *int32 `json:"handSize,omitempty"`
+	// `queueLengthLimit` is the maximum number of requests allowed to
+	// be waiting in a given queue of this priority level at a time;
+	// excess requests are rejected.  This value must be positive.  If
+	// not specified, it will be defaulted to 50.
 	QueueLengthLimit *int32 `json:"queueLengthLimit,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/resourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/resourcepolicyrule.go
index 7428582a82eb6..5ff4588a9c36d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/resourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/resourcepolicyrule.go
@@ -20,12 +20,46 @@ package v1
 
 // ResourcePolicyRuleApplyConfiguration represents a declarative configuration of the ResourcePolicyRule type for use
 // with apply.
+//
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) either (d1) the request does
+// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
+// true or (d2) the request specifies a namespace and least one member
+// of namespaces matches the request's namespace.
 type ResourcePolicyRuleApplyConfiguration struct {
-	Verbs        []string `json:"verbs,omitempty"`
-	APIGroups    []string `json:"apiGroups,omitempty"`
-	Resources    []string `json:"resources,omitempty"`
-	ClusterScope *bool    `json:"clusterScope,omitempty"`
-	Namespaces   []string `json:"namespaces,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs and, if present, must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `apiGroups` is a list of matching API groups and may not be empty.
+	// "*" matches all API groups and, if present, must be the only entry.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	ClusterScope *bool `json:"clusterScope,omitempty"`
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
 
 // ResourcePolicyRuleApplyConfiguration constructs a declarative configuration of the ResourcePolicyRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/serviceaccountsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/serviceaccountsubject.go
index 58ad10764b3d0..2267a8365f146 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/serviceaccountsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/serviceaccountsubject.go
@@ -20,9 +20,15 @@ package v1
 
 // ServiceAccountSubjectApplyConfiguration represents a declarative configuration of the ServiceAccountSubject type for use
 // with apply.
+//
+// ServiceAccountSubject holds detailed information for service-account-kind subject.
 type ServiceAccountSubjectApplyConfiguration struct {
+	// `namespace` is the namespace of matching ServiceAccount objects.
+	// Required.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
+	// Required.
+	Name *string `json:"name,omitempty"`
 }
 
 // ServiceAccountSubjectApplyConfiguration constructs a declarative configuration of the ServiceAccountSubject type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/subject.go
index e2f6f3849b777..12317c587dab5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/subject.go
@@ -24,10 +24,18 @@ import (
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject matches the originator of a request, as identified by the request authentication system. There are three
+// ways of matching an originator; by user, group, or service account.
 type SubjectApplyConfiguration struct {
-	Kind           *flowcontrolv1.SubjectKind               `json:"kind,omitempty"`
-	User           *UserSubjectApplyConfiguration           `json:"user,omitempty"`
-	Group          *GroupSubjectApplyConfiguration          `json:"group,omitempty"`
+	// `kind` indicates which one of the other fields is non-empty.
+	// Required
+	Kind *flowcontrolv1.SubjectKind `json:"kind,omitempty"`
+	// `user` matches based on username.
+	User *UserSubjectApplyConfiguration `json:"user,omitempty"`
+	// `group` matches based on user group name.
+	Group *GroupSubjectApplyConfiguration `json:"group,omitempty"`
+	// `serviceAccount` matches ServiceAccounts.
 	ServiceAccount *ServiceAccountSubjectApplyConfiguration `json:"serviceAccount,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/usersubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/usersubject.go
index fd90067d4dac8..438df0303373e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/usersubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1/usersubject.go
@@ -20,7 +20,11 @@ package v1
 
 // UserSubjectApplyConfiguration represents a declarative configuration of the UserSubject type for use
 // with apply.
+//
+// UserSubject holds detailed information for user-kind subject.
 type UserSubjectApplyConfiguration struct {
+	// `name` is the username that matches, or "*" to match all usernames.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/exemptprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/exemptprioritylevelconfiguration.go
index 45ccc5cb75934..2d2504f815911 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/exemptprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/exemptprioritylevelconfiguration.go
@@ -20,9 +20,35 @@ package v1beta1
 
 // ExemptPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the ExemptPriorityLevelConfiguration type for use
 // with apply.
+//
+// ExemptPriorityLevelConfiguration describes the configurable aspects
+// of the handling of exempt requests.
+// In the mandatory exempt configuration object the values in the fields
+// here can be modified by authorized users, unlike the rest of the `spec`.
 type ExemptPriorityLevelConfigurationApplyConfiguration struct {
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats nominally reserved for this priority level.
+	// This DOES NOT limit the dispatching from this priority level
+	// but affects the other priority levels through the borrowing mechanism.
+	// The server's concurrency limit (ServerCL) is divided among all the
+	// priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	// This field has a default value of zero.
 	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
-	LendablePercent          *int32 `json:"lendablePercent,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels.  This value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
 }
 
 // ExemptPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the ExemptPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowdistinguishermethod.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowdistinguishermethod.go
index 11aa62bba2000..80cb05ac2119e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowdistinguishermethod.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowdistinguishermethod.go
@@ -24,7 +24,12 @@ import (
 
 // FlowDistinguisherMethodApplyConfiguration represents a declarative configuration of the FlowDistinguisherMethod type for use
 // with apply.
+//
+// FlowDistinguisherMethod specifies the method of a flow distinguisher.
 type FlowDistinguisherMethodApplyConfiguration struct {
+	// `type` is the type of flow distinguisher method
+	// The supported types are "ByUser" and "ByNamespace".
+	// Required.
 	Type *flowcontrolv1beta1.FlowDistinguisherMethodType `json:"type,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschema.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschema.go
index 09c40405ff35a..80a1f720fa596 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschema.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschema.go
@@ -29,11 +29,20 @@ import (
 
 // FlowSchemaApplyConfiguration represents a declarative configuration of the FlowSchema type for use
 // with apply.
+//
+// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
+// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
 type FlowSchemaApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *FlowSchemaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *FlowSchemaSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // FlowSchema constructs a declarative configuration of the FlowSchema type for use with
@@ -46,6 +55,26 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 	return b
 }
 
+// ExtractFlowSchemaFrom extracts the applied configuration owned by fieldManager from
+// flowSchema for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// flowSchema must be a unmodified FlowSchema API object that was retrieved from the Kubernetes API.
+// ExtractFlowSchemaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractFlowSchemaFrom(flowSchema *flowcontrolv1beta1.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
+	b := &FlowSchemaApplyConfiguration{}
+	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta1.FlowSchema"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(flowSchema.Name)
+
+	b.WithKind("FlowSchema")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractFlowSchema extracts the applied configuration owned by fieldManager from
 // flowSchema. If no managedFields are found in flowSchema for fieldManager, a
 // FlowSchemaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 // ExtractFlowSchema provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractFlowSchema(flowSchema *flowcontrolv1beta1.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "")
 }
 
-// ExtractFlowSchemaStatus is the same as ExtractFlowSchema except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractFlowSchemaStatus extracts the applied configuration owned by fieldManager from
+// flowSchema for the status subresource.
 func ExtractFlowSchemaStatus(flowSchema *flowcontrolv1beta1.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "status")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "status")
 }
 
-func extractFlowSchema(flowSchema *flowcontrolv1beta1.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
-	b := &FlowSchemaApplyConfiguration{}
-	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta1.FlowSchema"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(flowSchema.Name)
-
-	b.WithKind("FlowSchema")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta1")
-	return b, nil
-}
 func (b FlowSchemaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemacondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemacondition.go
index e7dcb4366ac3b..9462bbd02ec5c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemacondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemacondition.go
@@ -25,12 +25,22 @@ import (
 
 // FlowSchemaConditionApplyConfiguration represents a declarative configuration of the FlowSchemaCondition type for use
 // with apply.
+//
+// FlowSchemaCondition describes conditions for a FlowSchema.
 type FlowSchemaConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta1.FlowSchemaConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta1.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                     `json:"reason,omitempty"`
-	Message            *string                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta1.FlowSchemaConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta1.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // FlowSchemaConditionApplyConfiguration constructs a declarative configuration of the FlowSchemaCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemaspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemaspec.go
index 1d6e8fc58e76b..470708eb36a6b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemaspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemaspec.go
@@ -20,11 +20,25 @@ package v1beta1
 
 // FlowSchemaSpecApplyConfiguration represents a declarative configuration of the FlowSchemaSpec type for use
 // with apply.
+//
+// FlowSchemaSpec describes how the FlowSchema's specification looks like.
 type FlowSchemaSpecApplyConfiguration struct {
+	// `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
+	// be resolved, the FlowSchema will be ignored and marked as invalid in its status.
+	// Required.
 	PriorityLevelConfiguration *PriorityLevelConfigurationReferenceApplyConfiguration `json:"priorityLevelConfiguration,omitempty"`
-	MatchingPrecedence         *int32                                                 `json:"matchingPrecedence,omitempty"`
-	DistinguisherMethod        *FlowDistinguisherMethodApplyConfiguration             `json:"distinguisherMethod,omitempty"`
-	Rules                      []PolicyRulesWithSubjectsApplyConfiguration            `json:"rules,omitempty"`
+	// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
+	// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
+	// MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
+	// Note that if the precedence is not specified, it will be set to 1000 as default.
+	MatchingPrecedence *int32 `json:"matchingPrecedence,omitempty"`
+	// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
+	// `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
+	DistinguisherMethod *FlowDistinguisherMethodApplyConfiguration `json:"distinguisherMethod,omitempty"`
+	// `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
+	// at least one member of rules matches the request.
+	// if it is an empty slice, there will be no requests matching the FlowSchema.
+	Rules []PolicyRulesWithSubjectsApplyConfiguration `json:"rules,omitempty"`
 }
 
 // FlowSchemaSpecApplyConfiguration constructs a declarative configuration of the FlowSchemaSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemastatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemastatus.go
index 5ad8a432b2855..8403a3d8f3f16 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemastatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/flowschemastatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // FlowSchemaStatusApplyConfiguration represents a declarative configuration of the FlowSchemaStatus type for use
 // with apply.
+//
+// FlowSchemaStatus represents the current state of a FlowSchema.
 type FlowSchemaStatusApplyConfiguration struct {
+	// `conditions` is a list of the current states of FlowSchema.
 	Conditions []FlowSchemaConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/groupsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/groupsubject.go
index cc274fe2f3b84..48d255c4963f5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/groupsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/groupsubject.go
@@ -20,7 +20,13 @@ package v1beta1
 
 // GroupSubjectApplyConfiguration represents a declarative configuration of the GroupSubject type for use
 // with apply.
+//
+// GroupSubject holds detailed information for group-kind subject.
 type GroupSubjectApplyConfiguration struct {
+	// name is the user group that matches, or "*" to match all user groups.
+	// See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
+	// well-known group names.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitedprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitedprioritylevelconfiguration.go
index 0fe5feca12fa5..b1b3fcd5b59e6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitedprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitedprioritylevelconfiguration.go
@@ -20,11 +20,54 @@ package v1beta1
 
 // LimitedPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the LimitedPriorityLevelConfiguration type for use
 // with apply.
+//
+// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
+// It addresses two issues:
+// - How are requests for this priority level limited?
+// - What should be done with requests that exceed the limit?
 type LimitedPriorityLevelConfigurationApplyConfiguration struct {
-	AssuredConcurrencyShares *int32                           `json:"assuredConcurrencyShares,omitempty"`
-	LimitResponse            *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
-	LendablePercent          *int32                           `json:"lendablePercent,omitempty"`
-	BorrowingLimitPercent    *int32                           `json:"borrowingLimitPercent,omitempty"`
+	// `assuredConcurrencyShares` (ACS) configures the execution
+	// limit, which is a limit on the number of requests of this
+	// priority level that may be executing at a given time.  ACS must
+	// be a positive number. The server's concurrency limit (SCL) is
+	// divided among the concurrency-controlled priority levels in
+	// proportion to their assured concurrency shares. This produces
+	// the assured concurrency value (ACV) --- the number of requests
+	// that may be executing at a time --- for each such priority
+	// level:
+	//
+	// ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
+	//
+	// bigger numbers of ACS mean more reserved concurrent requests (at the
+	// expense of every other PL).
+	// This field has a default value of 30.
+	AssuredConcurrencyShares *int32 `json:"assuredConcurrencyShares,omitempty"`
+	// `limitResponse` indicates what to do with requests that can not be executed right now
+	LimitResponse *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels. The value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
+	// `borrowingLimitPercent`, if present, configures a limit on how many
+	// seats this priority level can borrow from other priority levels.
+	// The limit is known as this level's BorrowingConcurrencyLimit
+	// (BorrowingCL) and is a limit on the total number of seats that this
+	// level may borrow at any one time.
+	// This field holds the ratio of that limit to the level's nominal
+	// concurrency limit. When this field is non-nil, it must hold a
+	// non-negative integer and the limit is calculated as follows.
+	//
+	// BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
+	//
+	// The value of this field can be more than 100, implying that this
+	// priority level can borrow a number of seats that is greater than
+	// its own nominal concurrency limit (NominalCL).
+	// When this field is left `nil`, the limit is effectively infinite.
+	BorrowingLimitPercent *int32 `json:"borrowingLimitPercent,omitempty"`
 }
 
 // LimitedPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the LimitedPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitresponse.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitresponse.go
index 20e1b17bd39ab..a684a3f2038eb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitresponse.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/limitresponse.go
@@ -24,8 +24,19 @@ import (
 
 // LimitResponseApplyConfiguration represents a declarative configuration of the LimitResponse type for use
 // with apply.
+//
+// LimitResponse defines how to handle requests that can not be executed right now.
 type LimitResponseApplyConfiguration struct {
-	Type    *flowcontrolv1beta1.LimitResponseType   `json:"type,omitempty"`
+	// `type` is "Queue" or "Reject".
+	// "Queue" means that requests that can not be executed upon arrival
+	// are held in a queue until they can be executed or a queuing limit
+	// is reached.
+	// "Reject" means that requests that can not be executed upon arrival
+	// are rejected.
+	// Required.
+	Type *flowcontrolv1beta1.LimitResponseType `json:"type,omitempty"`
+	// `queuing` holds the configuration parameters for queuing.
+	// This field may be non-empty only if `type` is `"Queue"`.
 	Queuing *QueuingConfigurationApplyConfiguration `json:"queuing,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/nonresourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/nonresourcepolicyrule.go
index 3c571ccb062c0..4090136cb0320 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/nonresourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/nonresourcepolicyrule.go
@@ -20,8 +20,24 @@ package v1beta1
 
 // NonResourcePolicyRuleApplyConfiguration represents a declarative configuration of the NonResourcePolicyRule type for use
 // with apply.
+//
+// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
+// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
+// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
 type NonResourcePolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs. If it is present, it must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
+	// For example:
+	// - "/healthz" is legal
+	// - "/hea*" is illegal
+	// - "/hea" is legal but matches nothing
+	// - "/hea/*" also matches nothing
+	// - "/healthz/*" matches all per-component health checks.
+	// "*" matches all non-resource urls. if it is present, it must be the only entry.
+	// Required.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/policyruleswithsubjects.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/policyruleswithsubjects.go
index 32a082dc76da5..e77d0a7fce954 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/policyruleswithsubjects.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/policyruleswithsubjects.go
@@ -20,9 +20,23 @@ package v1beta1
 
 // PolicyRulesWithSubjectsApplyConfiguration represents a declarative configuration of the PolicyRulesWithSubjects type for use
 // with apply.
+//
+// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
+// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
+// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
+// of resourceRules or nonResourceRules matches the request.
 type PolicyRulesWithSubjectsApplyConfiguration struct {
-	Subjects         []SubjectApplyConfiguration               `json:"subjects,omitempty"`
-	ResourceRules    []ResourcePolicyRuleApplyConfiguration    `json:"resourceRules,omitempty"`
+	// subjects is the list of normal user, serviceaccount, or group that this rule cares about.
+	// There must be at least one member in this slice.
+	// A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
+	// Required.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
+	// target resource.
+	// At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
+	ResourceRules []ResourcePolicyRuleApplyConfiguration `json:"resourceRules,omitempty"`
+	// `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
+	// and the target non-resource URL.
 	NonResourceRules []NonResourcePolicyRuleApplyConfiguration `json:"nonResourceRules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfiguration.go
index a67079097dff8..8fecf8688c841 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfiguration.go
@@ -29,11 +29,19 @@ import (
 
 // PriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the PriorityLevelConfiguration type for use
 // with apply.
+//
+// PriorityLevelConfiguration represents the configuration of a priority level.
 type PriorityLevelConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *PriorityLevelConfigurationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PriorityLevelConfigurationSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PriorityLevelConfiguration constructs a declarative configuration of the PriorityLevelConfiguration type for use with
@@ -46,6 +54,26 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 	return b
 }
 
+// ExtractPriorityLevelConfigurationFrom extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// priorityLevelConfiguration must be a unmodified PriorityLevelConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractPriorityLevelConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration *flowcontrolv1beta1.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
+	b := &PriorityLevelConfigurationApplyConfiguration{}
+	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(priorityLevelConfiguration.Name)
+
+	b.WithKind("PriorityLevelConfiguration")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractPriorityLevelConfiguration extracts the applied configuration owned by fieldManager from
 // priorityLevelConfiguration. If no managedFields are found in priorityLevelConfiguration for fieldManager, a
 // PriorityLevelConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 // ExtractPriorityLevelConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta1.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "")
 }
 
-// ExtractPriorityLevelConfigurationStatus is the same as ExtractPriorityLevelConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPriorityLevelConfigurationStatus extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the status subresource.
 func ExtractPriorityLevelConfigurationStatus(priorityLevelConfiguration *flowcontrolv1beta1.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "status")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "status")
 }
 
-func extractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta1.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	b := &PriorityLevelConfigurationApplyConfiguration{}
-	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(priorityLevelConfiguration.Name)
-
-	b.WithKind("PriorityLevelConfiguration")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta1")
-	return b, nil
-}
 func (b PriorityLevelConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationcondition.go
index 74eda91700afa..a2ebf71fc54d2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationcondition.go
@@ -25,12 +25,22 @@ import (
 
 // PriorityLevelConfigurationConditionApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationCondition type for use
 // with apply.
+//
+// PriorityLevelConfigurationCondition defines the condition of priority level.
 type PriorityLevelConfigurationConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta1.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta1.ConditionStatus                         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                     `json:"reason,omitempty"`
-	Message            *string                                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta1.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta1.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PriorityLevelConfigurationConditionApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationreference.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationreference.go
index b5e773e82ac18..f83ebcac3b8f4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationreference.go
@@ -20,7 +20,11 @@ package v1beta1
 
 // PriorityLevelConfigurationReferenceApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationReference type for use
 // with apply.
+//
+// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
 type PriorityLevelConfigurationReferenceApplyConfiguration struct {
+	// `name` is the name of the priority level configuration being referenced
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationspec.go
index 775f476ddd60a..6f5ccc077ba52 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationspec.go
@@ -24,10 +24,28 @@ import (
 
 // PriorityLevelConfigurationSpecApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationSpec type for use
 // with apply.
+//
+// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
 type PriorityLevelConfigurationSpecApplyConfiguration struct {
-	Type    *flowcontrolv1beta1.PriorityLevelEnablement          `json:"type,omitempty"`
+	// `type` indicates whether this priority level is subject to
+	// limitation on request execution.  A value of `"Exempt"` means
+	// that requests of this priority level are not subject to a limit
+	// (and thus are never queued) and do not detract from the
+	// capacity made available to other priority levels.  A value of
+	// `"Limited"` means that (a) requests of this priority level
+	// _are_ subject to limits and (b) some of the server's limited
+	// capacity is made available exclusively to this priority level.
+	// Required.
+	Type *flowcontrolv1beta1.PriorityLevelEnablement `json:"type,omitempty"`
+	// `limited` specifies how requests are handled for a Limited priority level.
+	// This field must be non-empty if and only if `type` is `"Limited"`.
 	Limited *LimitedPriorityLevelConfigurationApplyConfiguration `json:"limited,omitempty"`
-	Exempt  *ExemptPriorityLevelConfigurationApplyConfiguration  `json:"exempt,omitempty"`
+	// `exempt` specifies how requests are handled for an exempt priority level.
+	// This field MUST be empty if `type` is `"Limited"`.
+	// This field MAY be non-empty if `type` is `"Exempt"`.
+	// If empty and `type` is `"Exempt"` then the default values
+	// for `ExemptPriorityLevelConfiguration` apply.
+	Exempt *ExemptPriorityLevelConfigurationApplyConfiguration `json:"exempt,omitempty"`
 }
 
 // PriorityLevelConfigurationSpecApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationstatus.go
index 875b01efec9d5..ef9af41b958d8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/prioritylevelconfigurationstatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // PriorityLevelConfigurationStatusApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationStatus type for use
 // with apply.
+//
+// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
 type PriorityLevelConfigurationStatusApplyConfiguration struct {
+	// `conditions` is the current state of "request-priority".
 	Conditions []PriorityLevelConfigurationConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/queuingconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/queuingconfiguration.go
index 85a8b88630f6b..fc15548d4a93c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/queuingconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/queuingconfiguration.go
@@ -20,9 +20,32 @@ package v1beta1
 
 // QueuingConfigurationApplyConfiguration represents a declarative configuration of the QueuingConfiguration type for use
 // with apply.
+//
+// QueuingConfiguration holds the configuration parameters for queuing
 type QueuingConfigurationApplyConfiguration struct {
-	Queues           *int32 `json:"queues,omitempty"`
-	HandSize         *int32 `json:"handSize,omitempty"`
+	// `queues` is the number of queues for this priority level. The
+	// queues exist independently at each apiserver. The value must be
+	// positive.  Setting it to 1 effectively precludes
+	// shufflesharding and thus makes the distinguisher method of
+	// associated flow schemas irrelevant.  This field has a default
+	// value of 64.
+	Queues *int32 `json:"queues,omitempty"`
+	// `handSize` is a small positive number that configures the
+	// shuffle sharding of requests into queues.  When enqueuing a request
+	// at this priority level the request's flow identifier (a string
+	// pair) is hashed and the hash value is used to shuffle the list
+	// of queues and deal a hand of the size specified here.  The
+	// request is put into one of the shortest queues in that hand.
+	// `handSize` must be no larger than `queues`, and should be
+	// significantly smaller (so that a few heavy flows do not
+	// saturate most of the queues).  See the user-facing
+	// documentation for more extensive guidance on setting this
+	// field.  This field has a default value of 8.
+	HandSize *int32 `json:"handSize,omitempty"`
+	// `queueLengthLimit` is the maximum number of requests allowed to
+	// be waiting in a given queue of this priority level at a time;
+	// excess requests are rejected.  This value must be positive.  If
+	// not specified, it will be defaulted to 50.
 	QueueLengthLimit *int32 `json:"queueLengthLimit,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/resourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/resourcepolicyrule.go
index 5c67dad75925a..4322432ed3d11 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/resourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/resourcepolicyrule.go
@@ -20,12 +20,46 @@ package v1beta1
 
 // ResourcePolicyRuleApplyConfiguration represents a declarative configuration of the ResourcePolicyRule type for use
 // with apply.
+//
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) either (d1) the request does
+// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
+// true or (d2) the request specifies a namespace and least one member
+// of namespaces matches the request's namespace.
 type ResourcePolicyRuleApplyConfiguration struct {
-	Verbs        []string `json:"verbs,omitempty"`
-	APIGroups    []string `json:"apiGroups,omitempty"`
-	Resources    []string `json:"resources,omitempty"`
-	ClusterScope *bool    `json:"clusterScope,omitempty"`
-	Namespaces   []string `json:"namespaces,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs and, if present, must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `apiGroups` is a list of matching API groups and may not be empty.
+	// "*" matches all API groups and, if present, must be the only entry.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	ClusterScope *bool `json:"clusterScope,omitempty"`
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
 
 // ResourcePolicyRuleApplyConfiguration constructs a declarative configuration of the ResourcePolicyRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/serviceaccountsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/serviceaccountsubject.go
index 439e5ff753082..aa176c99e7fed 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/serviceaccountsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/serviceaccountsubject.go
@@ -20,9 +20,15 @@ package v1beta1
 
 // ServiceAccountSubjectApplyConfiguration represents a declarative configuration of the ServiceAccountSubject type for use
 // with apply.
+//
+// ServiceAccountSubject holds detailed information for service-account-kind subject.
 type ServiceAccountSubjectApplyConfiguration struct {
+	// `namespace` is the namespace of matching ServiceAccount objects.
+	// Required.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
+	// Required.
+	Name *string `json:"name,omitempty"`
 }
 
 // ServiceAccountSubjectApplyConfiguration constructs a declarative configuration of the ServiceAccountSubject type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/subject.go
index 000508065dac0..d3d48f2b1bb29 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/subject.go
@@ -24,10 +24,18 @@ import (
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject matches the originator of a request, as identified by the request authentication system. There are three
+// ways of matching an originator; by user, group, or service account.
 type SubjectApplyConfiguration struct {
-	Kind           *flowcontrolv1beta1.SubjectKind          `json:"kind,omitempty"`
-	User           *UserSubjectApplyConfiguration           `json:"user,omitempty"`
-	Group          *GroupSubjectApplyConfiguration          `json:"group,omitempty"`
+	// `kind` indicates which one of the other fields is non-empty.
+	// Required
+	Kind *flowcontrolv1beta1.SubjectKind `json:"kind,omitempty"`
+	// `user` matches based on username.
+	User *UserSubjectApplyConfiguration `json:"user,omitempty"`
+	// `group` matches based on user group name.
+	Group *GroupSubjectApplyConfiguration `json:"group,omitempty"`
+	// `serviceAccount` matches ServiceAccounts.
 	ServiceAccount *ServiceAccountSubjectApplyConfiguration `json:"serviceAccount,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/usersubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/usersubject.go
index bc2deae4c2c33..82775c304bc22 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/usersubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1/usersubject.go
@@ -20,7 +20,11 @@ package v1beta1
 
 // UserSubjectApplyConfiguration represents a declarative configuration of the UserSubject type for use
 // with apply.
+//
+// UserSubject holds detailed information for user-kind subject.
 type UserSubjectApplyConfiguration struct {
+	// `name` is the username that matches, or "*" to match all usernames.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/exemptprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/exemptprioritylevelconfiguration.go
index 0c02d9b3892fd..52d22909ca28a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/exemptprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/exemptprioritylevelconfiguration.go
@@ -20,9 +20,35 @@ package v1beta2
 
 // ExemptPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the ExemptPriorityLevelConfiguration type for use
 // with apply.
+//
+// ExemptPriorityLevelConfiguration describes the configurable aspects
+// of the handling of exempt requests.
+// In the mandatory exempt configuration object the values in the fields
+// here can be modified by authorized users, unlike the rest of the `spec`.
 type ExemptPriorityLevelConfigurationApplyConfiguration struct {
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats nominally reserved for this priority level.
+	// This DOES NOT limit the dispatching from this priority level
+	// but affects the other priority levels through the borrowing mechanism.
+	// The server's concurrency limit (ServerCL) is divided among all the
+	// priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	// This field has a default value of zero.
 	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
-	LendablePercent          *int32 `json:"lendablePercent,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels.  This value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
 }
 
 // ExemptPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the ExemptPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowdistinguishermethod.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowdistinguishermethod.go
index 3922c47296010..cbd6e4dda0339 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowdistinguishermethod.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowdistinguishermethod.go
@@ -24,7 +24,12 @@ import (
 
 // FlowDistinguisherMethodApplyConfiguration represents a declarative configuration of the FlowDistinguisherMethod type for use
 // with apply.
+//
+// FlowDistinguisherMethod specifies the method of a flow distinguisher.
 type FlowDistinguisherMethodApplyConfiguration struct {
+	// `type` is the type of flow distinguisher method
+	// The supported types are "ByUser" and "ByNamespace".
+	// Required.
 	Type *flowcontrolv1beta2.FlowDistinguisherMethodType `json:"type,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschema.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschema.go
index db8cb397a807c..394f24b9936fe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschema.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschema.go
@@ -29,11 +29,20 @@ import (
 
 // FlowSchemaApplyConfiguration represents a declarative configuration of the FlowSchema type for use
 // with apply.
+//
+// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
+// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
 type FlowSchemaApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *FlowSchemaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *FlowSchemaSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // FlowSchema constructs a declarative configuration of the FlowSchema type for use with
@@ -46,6 +55,26 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 	return b
 }
 
+// ExtractFlowSchemaFrom extracts the applied configuration owned by fieldManager from
+// flowSchema for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// flowSchema must be a unmodified FlowSchema API object that was retrieved from the Kubernetes API.
+// ExtractFlowSchemaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractFlowSchemaFrom(flowSchema *flowcontrolv1beta2.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
+	b := &FlowSchemaApplyConfiguration{}
+	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta2.FlowSchema"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(flowSchema.Name)
+
+	b.WithKind("FlowSchema")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta2")
+	return b, nil
+}
+
 // ExtractFlowSchema extracts the applied configuration owned by fieldManager from
 // flowSchema. If no managedFields are found in flowSchema for fieldManager, a
 // FlowSchemaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 // ExtractFlowSchema provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractFlowSchema(flowSchema *flowcontrolv1beta2.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "")
 }
 
-// ExtractFlowSchemaStatus is the same as ExtractFlowSchema except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractFlowSchemaStatus extracts the applied configuration owned by fieldManager from
+// flowSchema for the status subresource.
 func ExtractFlowSchemaStatus(flowSchema *flowcontrolv1beta2.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "status")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "status")
 }
 
-func extractFlowSchema(flowSchema *flowcontrolv1beta2.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
-	b := &FlowSchemaApplyConfiguration{}
-	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta2.FlowSchema"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(flowSchema.Name)
-
-	b.WithKind("FlowSchema")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta2")
-	return b, nil
-}
 func (b FlowSchemaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemacondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemacondition.go
index f47130eeb0730..6bebc912c6d20 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemacondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemacondition.go
@@ -25,12 +25,22 @@ import (
 
 // FlowSchemaConditionApplyConfiguration represents a declarative configuration of the FlowSchemaCondition type for use
 // with apply.
+//
+// FlowSchemaCondition describes conditions for a FlowSchema.
 type FlowSchemaConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta2.FlowSchemaConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta2.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                     `json:"reason,omitempty"`
-	Message            *string                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta2.FlowSchemaConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta2.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // FlowSchemaConditionApplyConfiguration constructs a declarative configuration of the FlowSchemaCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemaspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemaspec.go
index 6eab63bfa9f60..9e8e23984a83f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemaspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemaspec.go
@@ -20,11 +20,25 @@ package v1beta2
 
 // FlowSchemaSpecApplyConfiguration represents a declarative configuration of the FlowSchemaSpec type for use
 // with apply.
+//
+// FlowSchemaSpec describes how the FlowSchema's specification looks like.
 type FlowSchemaSpecApplyConfiguration struct {
+	// `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
+	// be resolved, the FlowSchema will be ignored and marked as invalid in its status.
+	// Required.
 	PriorityLevelConfiguration *PriorityLevelConfigurationReferenceApplyConfiguration `json:"priorityLevelConfiguration,omitempty"`
-	MatchingPrecedence         *int32                                                 `json:"matchingPrecedence,omitempty"`
-	DistinguisherMethod        *FlowDistinguisherMethodApplyConfiguration             `json:"distinguisherMethod,omitempty"`
-	Rules                      []PolicyRulesWithSubjectsApplyConfiguration            `json:"rules,omitempty"`
+	// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
+	// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
+	// MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
+	// Note that if the precedence is not specified, it will be set to 1000 as default.
+	MatchingPrecedence *int32 `json:"matchingPrecedence,omitempty"`
+	// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
+	// `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
+	DistinguisherMethod *FlowDistinguisherMethodApplyConfiguration `json:"distinguisherMethod,omitempty"`
+	// `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
+	// at least one member of rules matches the request.
+	// if it is an empty slice, there will be no requests matching the FlowSchema.
+	Rules []PolicyRulesWithSubjectsApplyConfiguration `json:"rules,omitempty"`
 }
 
 // FlowSchemaSpecApplyConfiguration constructs a declarative configuration of the FlowSchemaSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemastatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemastatus.go
index 70ac997e45219..8e2e8f2aa6296 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemastatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/flowschemastatus.go
@@ -20,7 +20,10 @@ package v1beta2
 
 // FlowSchemaStatusApplyConfiguration represents a declarative configuration of the FlowSchemaStatus type for use
 // with apply.
+//
+// FlowSchemaStatus represents the current state of a FlowSchema.
 type FlowSchemaStatusApplyConfiguration struct {
+	// `conditions` is a list of the current states of FlowSchema.
 	Conditions []FlowSchemaConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/groupsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/groupsubject.go
index 25207d7c1a23f..0b2bc7afec514 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/groupsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/groupsubject.go
@@ -20,7 +20,13 @@ package v1beta2
 
 // GroupSubjectApplyConfiguration represents a declarative configuration of the GroupSubject type for use
 // with apply.
+//
+// GroupSubject holds detailed information for group-kind subject.
 type GroupSubjectApplyConfiguration struct {
+	// name is the user group that matches, or "*" to match all user groups.
+	// See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
+	// well-known group names.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitedprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitedprioritylevelconfiguration.go
index 298dd46370668..2eca0e5c6e971 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitedprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitedprioritylevelconfiguration.go
@@ -20,11 +20,54 @@ package v1beta2
 
 // LimitedPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the LimitedPriorityLevelConfiguration type for use
 // with apply.
+//
+// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
+// It addresses two issues:
+// - How are requests for this priority level limited?
+// - What should be done with requests that exceed the limit?
 type LimitedPriorityLevelConfigurationApplyConfiguration struct {
-	AssuredConcurrencyShares *int32                           `json:"assuredConcurrencyShares,omitempty"`
-	LimitResponse            *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
-	LendablePercent          *int32                           `json:"lendablePercent,omitempty"`
-	BorrowingLimitPercent    *int32                           `json:"borrowingLimitPercent,omitempty"`
+	// `assuredConcurrencyShares` (ACS) configures the execution
+	// limit, which is a limit on the number of requests of this
+	// priority level that may be executing at a given time.  ACS must
+	// be a positive number. The server's concurrency limit (SCL) is
+	// divided among the concurrency-controlled priority levels in
+	// proportion to their assured concurrency shares. This produces
+	// the assured concurrency value (ACV) --- the number of requests
+	// that may be executing at a time --- for each such priority
+	// level:
+	//
+	// ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
+	//
+	// bigger numbers of ACS mean more reserved concurrent requests (at the
+	// expense of every other PL).
+	// This field has a default value of 30.
+	AssuredConcurrencyShares *int32 `json:"assuredConcurrencyShares,omitempty"`
+	// `limitResponse` indicates what to do with requests that can not be executed right now
+	LimitResponse *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels. The value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
+	// `borrowingLimitPercent`, if present, configures a limit on how many
+	// seats this priority level can borrow from other priority levels.
+	// The limit is known as this level's BorrowingConcurrencyLimit
+	// (BorrowingCL) and is a limit on the total number of seats that this
+	// level may borrow at any one time.
+	// This field holds the ratio of that limit to the level's nominal
+	// concurrency limit. When this field is non-nil, it must hold a
+	// non-negative integer and the limit is calculated as follows.
+	//
+	// BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
+	//
+	// The value of this field can be more than 100, implying that this
+	// priority level can borrow a number of seats that is greater than
+	// its own nominal concurrency limit (NominalCL).
+	// When this field is left `nil`, the limit is effectively infinite.
+	BorrowingLimitPercent *int32 `json:"borrowingLimitPercent,omitempty"`
 }
 
 // LimitedPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the LimitedPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitresponse.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitresponse.go
index 58cd78006bcc0..6b4ea88140903 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitresponse.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/limitresponse.go
@@ -24,8 +24,19 @@ import (
 
 // LimitResponseApplyConfiguration represents a declarative configuration of the LimitResponse type for use
 // with apply.
+//
+// LimitResponse defines how to handle requests that can not be executed right now.
 type LimitResponseApplyConfiguration struct {
-	Type    *flowcontrolv1beta2.LimitResponseType   `json:"type,omitempty"`
+	// `type` is "Queue" or "Reject".
+	// "Queue" means that requests that can not be executed upon arrival
+	// are held in a queue until they can be executed or a queuing limit
+	// is reached.
+	// "Reject" means that requests that can not be executed upon arrival
+	// are rejected.
+	// Required.
+	Type *flowcontrolv1beta2.LimitResponseType `json:"type,omitempty"`
+	// `queuing` holds the configuration parameters for queuing.
+	// This field may be non-empty only if `type` is `"Queue"`.
 	Queuing *QueuingConfigurationApplyConfiguration `json:"queuing,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/nonresourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/nonresourcepolicyrule.go
index 5032ee4898bdf..8bfd336374cef 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/nonresourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/nonresourcepolicyrule.go
@@ -20,8 +20,24 @@ package v1beta2
 
 // NonResourcePolicyRuleApplyConfiguration represents a declarative configuration of the NonResourcePolicyRule type for use
 // with apply.
+//
+// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
+// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
+// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
 type NonResourcePolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs. If it is present, it must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
+	// For example:
+	// - "/healthz" is legal
+	// - "/hea*" is illegal
+	// - "/hea" is legal but matches nothing
+	// - "/hea/*" also matches nothing
+	// - "/healthz/*" matches all per-component health checks.
+	// "*" matches all non-resource urls. if it is present, it must be the only entry.
+	// Required.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/policyruleswithsubjects.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/policyruleswithsubjects.go
index 2bb8c871828a2..6a42bdf850c4d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/policyruleswithsubjects.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/policyruleswithsubjects.go
@@ -20,9 +20,23 @@ package v1beta2
 
 // PolicyRulesWithSubjectsApplyConfiguration represents a declarative configuration of the PolicyRulesWithSubjects type for use
 // with apply.
+//
+// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
+// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
+// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
+// of resourceRules or nonResourceRules matches the request.
 type PolicyRulesWithSubjectsApplyConfiguration struct {
-	Subjects         []SubjectApplyConfiguration               `json:"subjects,omitempty"`
-	ResourceRules    []ResourcePolicyRuleApplyConfiguration    `json:"resourceRules,omitempty"`
+	// subjects is the list of normal user, serviceaccount, or group that this rule cares about.
+	// There must be at least one member in this slice.
+	// A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
+	// Required.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
+	// target resource.
+	// At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
+	ResourceRules []ResourcePolicyRuleApplyConfiguration `json:"resourceRules,omitempty"`
+	// `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
+	// and the target non-resource URL.
 	NonResourceRules []NonResourcePolicyRuleApplyConfiguration `json:"nonResourceRules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfiguration.go
index 7cb04bb758d9d..a60827b6365ee 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfiguration.go
@@ -29,11 +29,19 @@ import (
 
 // PriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the PriorityLevelConfiguration type for use
 // with apply.
+//
+// PriorityLevelConfiguration represents the configuration of a priority level.
 type PriorityLevelConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *PriorityLevelConfigurationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PriorityLevelConfigurationSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PriorityLevelConfiguration constructs a declarative configuration of the PriorityLevelConfiguration type for use with
@@ -46,6 +54,26 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 	return b
 }
 
+// ExtractPriorityLevelConfigurationFrom extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// priorityLevelConfiguration must be a unmodified PriorityLevelConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractPriorityLevelConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration *flowcontrolv1beta2.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
+	b := &PriorityLevelConfigurationApplyConfiguration{}
+	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfiguration"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(priorityLevelConfiguration.Name)
+
+	b.WithKind("PriorityLevelConfiguration")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta2")
+	return b, nil
+}
+
 // ExtractPriorityLevelConfiguration extracts the applied configuration owned by fieldManager from
 // priorityLevelConfiguration. If no managedFields are found in priorityLevelConfiguration for fieldManager, a
 // PriorityLevelConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 // ExtractPriorityLevelConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta2.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "")
 }
 
-// ExtractPriorityLevelConfigurationStatus is the same as ExtractPriorityLevelConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPriorityLevelConfigurationStatus extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the status subresource.
 func ExtractPriorityLevelConfigurationStatus(priorityLevelConfiguration *flowcontrolv1beta2.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "status")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "status")
 }
 
-func extractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta2.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	b := &PriorityLevelConfigurationApplyConfiguration{}
-	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta2.PriorityLevelConfiguration"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(priorityLevelConfiguration.Name)
-
-	b.WithKind("PriorityLevelConfiguration")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta2")
-	return b, nil
-}
 func (b PriorityLevelConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationcondition.go
index caf517be3b37e..26a8b66243b92 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationcondition.go
@@ -25,12 +25,22 @@ import (
 
 // PriorityLevelConfigurationConditionApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationCondition type for use
 // with apply.
+//
+// PriorityLevelConfigurationCondition defines the condition of priority level.
 type PriorityLevelConfigurationConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta2.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta2.ConditionStatus                         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                     `json:"reason,omitempty"`
-	Message            *string                                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta2.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta2.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PriorityLevelConfigurationConditionApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationreference.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationreference.go
index bbf718b60f9c7..67c6b63a45e4a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationreference.go
@@ -20,7 +20,11 @@ package v1beta2
 
 // PriorityLevelConfigurationReferenceApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationReference type for use
 // with apply.
+//
+// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
 type PriorityLevelConfigurationReferenceApplyConfiguration struct {
+	// `name` is the name of the priority level configuration being referenced
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationspec.go
index c680ea1ef37ec..4c4b743cde183 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationspec.go
@@ -24,10 +24,28 @@ import (
 
 // PriorityLevelConfigurationSpecApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationSpec type for use
 // with apply.
+//
+// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
 type PriorityLevelConfigurationSpecApplyConfiguration struct {
-	Type    *flowcontrolv1beta2.PriorityLevelEnablement          `json:"type,omitempty"`
+	// `type` indicates whether this priority level is subject to
+	// limitation on request execution.  A value of `"Exempt"` means
+	// that requests of this priority level are not subject to a limit
+	// (and thus are never queued) and do not detract from the
+	// capacity made available to other priority levels.  A value of
+	// `"Limited"` means that (a) requests of this priority level
+	// _are_ subject to limits and (b) some of the server's limited
+	// capacity is made available exclusively to this priority level.
+	// Required.
+	Type *flowcontrolv1beta2.PriorityLevelEnablement `json:"type,omitempty"`
+	// `limited` specifies how requests are handled for a Limited priority level.
+	// This field must be non-empty if and only if `type` is `"Limited"`.
 	Limited *LimitedPriorityLevelConfigurationApplyConfiguration `json:"limited,omitempty"`
-	Exempt  *ExemptPriorityLevelConfigurationApplyConfiguration  `json:"exempt,omitempty"`
+	// `exempt` specifies how requests are handled for an exempt priority level.
+	// This field MUST be empty if `type` is `"Limited"`.
+	// This field MAY be non-empty if `type` is `"Exempt"`.
+	// If empty and `type` is `"Exempt"` then the default values
+	// for `ExemptPriorityLevelConfiguration` apply.
+	Exempt *ExemptPriorityLevelConfigurationApplyConfiguration `json:"exempt,omitempty"`
 }
 
 // PriorityLevelConfigurationSpecApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationstatus.go
index 7a1f8790b93c3..da9990cf97603 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/prioritylevelconfigurationstatus.go
@@ -20,7 +20,10 @@ package v1beta2
 
 // PriorityLevelConfigurationStatusApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationStatus type for use
 // with apply.
+//
+// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
 type PriorityLevelConfigurationStatusApplyConfiguration struct {
+	// `conditions` is the current state of "request-priority".
 	Conditions []PriorityLevelConfigurationConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/queuingconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/queuingconfiguration.go
index 19c34c5f8317a..e145ab83b7e4f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/queuingconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/queuingconfiguration.go
@@ -20,9 +20,32 @@ package v1beta2
 
 // QueuingConfigurationApplyConfiguration represents a declarative configuration of the QueuingConfiguration type for use
 // with apply.
+//
+// QueuingConfiguration holds the configuration parameters for queuing
 type QueuingConfigurationApplyConfiguration struct {
-	Queues           *int32 `json:"queues,omitempty"`
-	HandSize         *int32 `json:"handSize,omitempty"`
+	// `queues` is the number of queues for this priority level. The
+	// queues exist independently at each apiserver. The value must be
+	// positive.  Setting it to 1 effectively precludes
+	// shufflesharding and thus makes the distinguisher method of
+	// associated flow schemas irrelevant.  This field has a default
+	// value of 64.
+	Queues *int32 `json:"queues,omitempty"`
+	// `handSize` is a small positive number that configures the
+	// shuffle sharding of requests into queues.  When enqueuing a request
+	// at this priority level the request's flow identifier (a string
+	// pair) is hashed and the hash value is used to shuffle the list
+	// of queues and deal a hand of the size specified here.  The
+	// request is put into one of the shortest queues in that hand.
+	// `handSize` must be no larger than `queues`, and should be
+	// significantly smaller (so that a few heavy flows do not
+	// saturate most of the queues).  See the user-facing
+	// documentation for more extensive guidance on setting this
+	// field.  This field has a default value of 8.
+	HandSize *int32 `json:"handSize,omitempty"`
+	// `queueLengthLimit` is the maximum number of requests allowed to
+	// be waiting in a given queue of this priority level at a time;
+	// excess requests are rejected.  This value must be positive.  If
+	// not specified, it will be defaulted to 50.
 	QueueLengthLimit *int32 `json:"queueLengthLimit,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/resourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/resourcepolicyrule.go
index 070d2ed46514d..97b1012a77fb8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/resourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/resourcepolicyrule.go
@@ -20,12 +20,46 @@ package v1beta2
 
 // ResourcePolicyRuleApplyConfiguration represents a declarative configuration of the ResourcePolicyRule type for use
 // with apply.
+//
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) either (d1) the request does
+// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
+// true or (d2) the request specifies a namespace and least one member
+// of namespaces matches the request's namespace.
 type ResourcePolicyRuleApplyConfiguration struct {
-	Verbs        []string `json:"verbs,omitempty"`
-	APIGroups    []string `json:"apiGroups,omitempty"`
-	Resources    []string `json:"resources,omitempty"`
-	ClusterScope *bool    `json:"clusterScope,omitempty"`
-	Namespaces   []string `json:"namespaces,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs and, if present, must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `apiGroups` is a list of matching API groups and may not be empty.
+	// "*" matches all API groups and, if present, must be the only entry.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	ClusterScope *bool `json:"clusterScope,omitempty"`
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
 
 // ResourcePolicyRuleApplyConfiguration constructs a declarative configuration of the ResourcePolicyRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/serviceaccountsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/serviceaccountsubject.go
index c0d44721cccc5..0e41716d149b3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/serviceaccountsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/serviceaccountsubject.go
@@ -20,9 +20,15 @@ package v1beta2
 
 // ServiceAccountSubjectApplyConfiguration represents a declarative configuration of the ServiceAccountSubject type for use
 // with apply.
+//
+// ServiceAccountSubject holds detailed information for service-account-kind subject.
 type ServiceAccountSubjectApplyConfiguration struct {
+	// `namespace` is the namespace of matching ServiceAccount objects.
+	// Required.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
+	// Required.
+	Name *string `json:"name,omitempty"`
 }
 
 // ServiceAccountSubjectApplyConfiguration constructs a declarative configuration of the ServiceAccountSubject type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/subject.go
index 2b569a628105b..d275444e1e62f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/subject.go
@@ -24,10 +24,18 @@ import (
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject matches the originator of a request, as identified by the request authentication system. There are three
+// ways of matching an originator; by user, group, or service account.
 type SubjectApplyConfiguration struct {
-	Kind           *flowcontrolv1beta2.SubjectKind          `json:"kind,omitempty"`
-	User           *UserSubjectApplyConfiguration           `json:"user,omitempty"`
-	Group          *GroupSubjectApplyConfiguration          `json:"group,omitempty"`
+	// `kind` indicates which one of the other fields is non-empty.
+	// Required
+	Kind *flowcontrolv1beta2.SubjectKind `json:"kind,omitempty"`
+	// `user` matches based on username.
+	User *UserSubjectApplyConfiguration `json:"user,omitempty"`
+	// `group` matches based on user group name.
+	Group *GroupSubjectApplyConfiguration `json:"group,omitempty"`
+	// `serviceAccount` matches ServiceAccounts.
 	ServiceAccount *ServiceAccountSubjectApplyConfiguration `json:"serviceAccount,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/usersubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/usersubject.go
index c249f042dae14..4de656a9d9d15 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/usersubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2/usersubject.go
@@ -20,7 +20,11 @@ package v1beta2
 
 // UserSubjectApplyConfiguration represents a declarative configuration of the UserSubject type for use
 // with apply.
+//
+// UserSubject holds detailed information for user-kind subject.
 type UserSubjectApplyConfiguration struct {
+	// `name` is the username that matches, or "*" to match all usernames.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/exemptprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/exemptprioritylevelconfiguration.go
index b9bf6993af38d..410a79b79a86f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/exemptprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/exemptprioritylevelconfiguration.go
@@ -20,9 +20,35 @@ package v1beta3
 
 // ExemptPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the ExemptPriorityLevelConfiguration type for use
 // with apply.
+//
+// ExemptPriorityLevelConfiguration describes the configurable aspects
+// of the handling of exempt requests.
+// In the mandatory exempt configuration object the values in the fields
+// here can be modified by authorized users, unlike the rest of the `spec`.
 type ExemptPriorityLevelConfigurationApplyConfiguration struct {
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats nominally reserved for this priority level.
+	// This DOES NOT limit the dispatching from this priority level
+	// but affects the other priority levels through the borrowing mechanism.
+	// The server's concurrency limit (ServerCL) is divided among all the
+	// priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	// This field has a default value of zero.
 	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
-	LendablePercent          *int32 `json:"lendablePercent,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels.  This value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
 }
 
 // ExemptPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the ExemptPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowdistinguishermethod.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowdistinguishermethod.go
index cc32fa1005537..de0f049198050 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowdistinguishermethod.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowdistinguishermethod.go
@@ -24,7 +24,12 @@ import (
 
 // FlowDistinguisherMethodApplyConfiguration represents a declarative configuration of the FlowDistinguisherMethod type for use
 // with apply.
+//
+// FlowDistinguisherMethod specifies the method of a flow distinguisher.
 type FlowDistinguisherMethodApplyConfiguration struct {
+	// `type` is the type of flow distinguisher method
+	// The supported types are "ByUser" and "ByNamespace".
+	// Required.
 	Type *flowcontrolv1beta3.FlowDistinguisherMethodType `json:"type,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschema.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschema.go
index b20c8ce69b96e..0079748b668c6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschema.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschema.go
@@ -29,11 +29,20 @@ import (
 
 // FlowSchemaApplyConfiguration represents a declarative configuration of the FlowSchema type for use
 // with apply.
+//
+// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
+// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
 type FlowSchemaApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *FlowSchemaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *FlowSchemaSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a FlowSchema.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *FlowSchemaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // FlowSchema constructs a declarative configuration of the FlowSchema type for use with
@@ -46,6 +55,26 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 	return b
 }
 
+// ExtractFlowSchemaFrom extracts the applied configuration owned by fieldManager from
+// flowSchema for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// flowSchema must be a unmodified FlowSchema API object that was retrieved from the Kubernetes API.
+// ExtractFlowSchemaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractFlowSchemaFrom(flowSchema *flowcontrolv1beta3.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
+	b := &FlowSchemaApplyConfiguration{}
+	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta3.FlowSchema"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(flowSchema.Name)
+
+	b.WithKind("FlowSchema")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta3")
+	return b, nil
+}
+
 // ExtractFlowSchema extracts the applied configuration owned by fieldManager from
 // flowSchema. If no managedFields are found in flowSchema for fieldManager, a
 // FlowSchemaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func FlowSchema(name string) *FlowSchemaApplyConfiguration {
 // ExtractFlowSchema provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractFlowSchema(flowSchema *flowcontrolv1beta3.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "")
 }
 
-// ExtractFlowSchemaStatus is the same as ExtractFlowSchema except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractFlowSchemaStatus extracts the applied configuration owned by fieldManager from
+// flowSchema for the status subresource.
 func ExtractFlowSchemaStatus(flowSchema *flowcontrolv1beta3.FlowSchema, fieldManager string) (*FlowSchemaApplyConfiguration, error) {
-	return extractFlowSchema(flowSchema, fieldManager, "status")
+	return ExtractFlowSchemaFrom(flowSchema, fieldManager, "status")
 }
 
-func extractFlowSchema(flowSchema *flowcontrolv1beta3.FlowSchema, fieldManager string, subresource string) (*FlowSchemaApplyConfiguration, error) {
-	b := &FlowSchemaApplyConfiguration{}
-	err := managedfields.ExtractInto(flowSchema, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta3.FlowSchema"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(flowSchema.Name)
-
-	b.WithKind("FlowSchema")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta3")
-	return b, nil
-}
 func (b FlowSchemaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemacondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemacondition.go
index d5ba21f71b0b6..de2aff568236b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemacondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemacondition.go
@@ -25,12 +25,22 @@ import (
 
 // FlowSchemaConditionApplyConfiguration represents a declarative configuration of the FlowSchemaCondition type for use
 // with apply.
+//
+// FlowSchemaCondition describes conditions for a FlowSchema.
 type FlowSchemaConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta3.FlowSchemaConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta3.ConditionStatus         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                     `json:"reason,omitempty"`
-	Message            *string                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta3.FlowSchemaConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta3.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // FlowSchemaConditionApplyConfiguration constructs a declarative configuration of the FlowSchemaCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemaspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemaspec.go
index 7141f6a6a11b7..6d30db1270842 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemaspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemaspec.go
@@ -20,11 +20,25 @@ package v1beta3
 
 // FlowSchemaSpecApplyConfiguration represents a declarative configuration of the FlowSchemaSpec type for use
 // with apply.
+//
+// FlowSchemaSpec describes how the FlowSchema's specification looks like.
 type FlowSchemaSpecApplyConfiguration struct {
+	// `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
+	// be resolved, the FlowSchema will be ignored and marked as invalid in its status.
+	// Required.
 	PriorityLevelConfiguration *PriorityLevelConfigurationReferenceApplyConfiguration `json:"priorityLevelConfiguration,omitempty"`
-	MatchingPrecedence         *int32                                                 `json:"matchingPrecedence,omitempty"`
-	DistinguisherMethod        *FlowDistinguisherMethodApplyConfiguration             `json:"distinguisherMethod,omitempty"`
-	Rules                      []PolicyRulesWithSubjectsApplyConfiguration            `json:"rules,omitempty"`
+	// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
+	// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
+	// MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
+	// Note that if the precedence is not specified, it will be set to 1000 as default.
+	MatchingPrecedence *int32 `json:"matchingPrecedence,omitempty"`
+	// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
+	// `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
+	DistinguisherMethod *FlowDistinguisherMethodApplyConfiguration `json:"distinguisherMethod,omitempty"`
+	// `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
+	// at least one member of rules matches the request.
+	// if it is an empty slice, there will be no requests matching the FlowSchema.
+	Rules []PolicyRulesWithSubjectsApplyConfiguration `json:"rules,omitempty"`
 }
 
 // FlowSchemaSpecApplyConfiguration constructs a declarative configuration of the FlowSchemaSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemastatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemastatus.go
index 294ddc9098c60..0405b071b580f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemastatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/flowschemastatus.go
@@ -20,7 +20,10 @@ package v1beta3
 
 // FlowSchemaStatusApplyConfiguration represents a declarative configuration of the FlowSchemaStatus type for use
 // with apply.
+//
+// FlowSchemaStatus represents the current state of a FlowSchema.
 type FlowSchemaStatusApplyConfiguration struct {
+	// `conditions` is a list of the current states of FlowSchema.
 	Conditions []FlowSchemaConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/groupsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/groupsubject.go
index 6576e716eff95..2c5abe56cef23 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/groupsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/groupsubject.go
@@ -20,7 +20,13 @@ package v1beta3
 
 // GroupSubjectApplyConfiguration represents a declarative configuration of the GroupSubject type for use
 // with apply.
+//
+// GroupSubject holds detailed information for group-kind subject.
 type GroupSubjectApplyConfiguration struct {
+	// name is the user group that matches, or "*" to match all user groups.
+	// See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
+	// well-known group names.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitedprioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitedprioritylevelconfiguration.go
index bd98dd683c53e..12173e83bfd1a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitedprioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitedprioritylevelconfiguration.go
@@ -20,11 +20,54 @@ package v1beta3
 
 // LimitedPriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the LimitedPriorityLevelConfiguration type for use
 // with apply.
+//
+// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
+// It addresses two issues:
+// - How are requests for this priority level limited?
+// - What should be done with requests that exceed the limit?
 type LimitedPriorityLevelConfigurationApplyConfiguration struct {
-	NominalConcurrencyShares *int32                           `json:"nominalConcurrencyShares,omitempty"`
-	LimitResponse            *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
-	LendablePercent          *int32                           `json:"lendablePercent,omitempty"`
-	BorrowingLimitPercent    *int32                           `json:"borrowingLimitPercent,omitempty"`
+	// `nominalConcurrencyShares` (NCS) contributes to the computation of the
+	// NominalConcurrencyLimit (NominalCL) of this level.
+	// This is the number of execution seats available at this priority level.
+	// This is used both for requests dispatched from this priority level
+	// as well as requests dispatched from other priority levels
+	// borrowing seats from this level.
+	// The server's concurrency limit (ServerCL) is divided among the
+	// Limited priority levels in proportion to their NCS values:
+	//
+	// NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
+	// sum_ncs = sum[priority level k] NCS(k)
+	//
+	// Bigger numbers mean a larger nominal concurrency limit,
+	// at the expense of every other priority level.
+	// This field has a default value of 30.
+	NominalConcurrencyShares *int32 `json:"nominalConcurrencyShares,omitempty"`
+	// `limitResponse` indicates what to do with requests that can not be executed right now
+	LimitResponse *LimitResponseApplyConfiguration `json:"limitResponse,omitempty"`
+	// `lendablePercent` prescribes the fraction of the level's NominalCL that
+	// can be borrowed by other priority levels. The value of this
+	// field must be between 0 and 100, inclusive, and it defaults to 0.
+	// The number of seats that other levels can borrow from this level, known
+	// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
+	//
+	// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
+	LendablePercent *int32 `json:"lendablePercent,omitempty"`
+	// `borrowingLimitPercent`, if present, configures a limit on how many
+	// seats this priority level can borrow from other priority levels.
+	// The limit is known as this level's BorrowingConcurrencyLimit
+	// (BorrowingCL) and is a limit on the total number of seats that this
+	// level may borrow at any one time.
+	// This field holds the ratio of that limit to the level's nominal
+	// concurrency limit. When this field is non-nil, it must hold a
+	// non-negative integer and the limit is calculated as follows.
+	//
+	// BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
+	//
+	// The value of this field can be more than 100, implying that this
+	// priority level can borrow a number of seats that is greater than
+	// its own nominal concurrency limit (NominalCL).
+	// When this field is left `nil`, the limit is effectively infinite.
+	BorrowingLimitPercent *int32 `json:"borrowingLimitPercent,omitempty"`
 }
 
 // LimitedPriorityLevelConfigurationApplyConfiguration constructs a declarative configuration of the LimitedPriorityLevelConfiguration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitresponse.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitresponse.go
index 2c289c7775c89..6f253a2a48385 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitresponse.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/limitresponse.go
@@ -24,8 +24,19 @@ import (
 
 // LimitResponseApplyConfiguration represents a declarative configuration of the LimitResponse type for use
 // with apply.
+//
+// LimitResponse defines how to handle requests that can not be executed right now.
 type LimitResponseApplyConfiguration struct {
-	Type    *flowcontrolv1beta3.LimitResponseType   `json:"type,omitempty"`
+	// `type` is "Queue" or "Reject".
+	// "Queue" means that requests that can not be executed upon arrival
+	// are held in a queue until they can be executed or a queuing limit
+	// is reached.
+	// "Reject" means that requests that can not be executed upon arrival
+	// are rejected.
+	// Required.
+	Type *flowcontrolv1beta3.LimitResponseType `json:"type,omitempty"`
+	// `queuing` holds the configuration parameters for queuing.
+	// This field may be non-empty only if `type` is `"Queue"`.
 	Queuing *QueuingConfigurationApplyConfiguration `json:"queuing,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/nonresourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/nonresourcepolicyrule.go
index 2dd0d2b0680b2..6e350a17bd2e5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/nonresourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/nonresourcepolicyrule.go
@@ -20,8 +20,24 @@ package v1beta3
 
 // NonResourcePolicyRuleApplyConfiguration represents a declarative configuration of the NonResourcePolicyRule type for use
 // with apply.
+//
+// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
+// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
+// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
 type NonResourcePolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs. If it is present, it must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
+	// For example:
+	// - "/healthz" is legal
+	// - "/hea*" is illegal
+	// - "/hea" is legal but matches nothing
+	// - "/hea/*" also matches nothing
+	// - "/healthz/*" matches all per-component health checks.
+	// "*" matches all non-resource urls. if it is present, it must be the only entry.
+	// Required.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/policyruleswithsubjects.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/policyruleswithsubjects.go
index cc64dc585ba84..2588bf9938c83 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/policyruleswithsubjects.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/policyruleswithsubjects.go
@@ -20,9 +20,23 @@ package v1beta3
 
 // PolicyRulesWithSubjectsApplyConfiguration represents a declarative configuration of the PolicyRulesWithSubjects type for use
 // with apply.
+//
+// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
+// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
+// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
+// of resourceRules or nonResourceRules matches the request.
 type PolicyRulesWithSubjectsApplyConfiguration struct {
-	Subjects         []SubjectApplyConfiguration               `json:"subjects,omitempty"`
-	ResourceRules    []ResourcePolicyRuleApplyConfiguration    `json:"resourceRules,omitempty"`
+	// subjects is the list of normal user, serviceaccount, or group that this rule cares about.
+	// There must be at least one member in this slice.
+	// A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
+	// Required.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
+	// target resource.
+	// At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
+	ResourceRules []ResourcePolicyRuleApplyConfiguration `json:"resourceRules,omitempty"`
+	// `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
+	// and the target non-resource URL.
 	NonResourceRules []NonResourcePolicyRuleApplyConfiguration `json:"nonResourceRules,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfiguration.go
index 9a0dad0234ea6..910cb4c25cd37 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfiguration.go
@@ -29,11 +29,19 @@ import (
 
 // PriorityLevelConfigurationApplyConfiguration represents a declarative configuration of the PriorityLevelConfiguration type for use
 // with apply.
+//
+// PriorityLevelConfiguration represents the configuration of a priority level.
 type PriorityLevelConfigurationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// `metadata` is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *PriorityLevelConfigurationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
+	// `spec` is the specification of the desired behavior of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *PriorityLevelConfigurationSpecApplyConfiguration `json:"spec,omitempty"`
+	// `status` is the current status of a "request-priority".
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *PriorityLevelConfigurationStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PriorityLevelConfiguration constructs a declarative configuration of the PriorityLevelConfiguration type for use with
@@ -46,6 +54,26 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 	return b
 }
 
+// ExtractPriorityLevelConfigurationFrom extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// priorityLevelConfiguration must be a unmodified PriorityLevelConfiguration API object that was retrieved from the Kubernetes API.
+// ExtractPriorityLevelConfigurationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration *flowcontrolv1beta3.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
+	b := &PriorityLevelConfigurationApplyConfiguration{}
+	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(priorityLevelConfiguration.Name)
+
+	b.WithKind("PriorityLevelConfiguration")
+	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta3")
+	return b, nil
+}
+
 // ExtractPriorityLevelConfiguration extracts the applied configuration owned by fieldManager from
 // priorityLevelConfiguration. If no managedFields are found in priorityLevelConfiguration for fieldManager, a
 // PriorityLevelConfigurationApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +84,16 @@ func PriorityLevelConfiguration(name string) *PriorityLevelConfigurationApplyCon
 // ExtractPriorityLevelConfiguration provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta3.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "")
 }
 
-// ExtractPriorityLevelConfigurationStatus is the same as ExtractPriorityLevelConfiguration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPriorityLevelConfigurationStatus extracts the applied configuration owned by fieldManager from
+// priorityLevelConfiguration for the status subresource.
 func ExtractPriorityLevelConfigurationStatus(priorityLevelConfiguration *flowcontrolv1beta3.PriorityLevelConfiguration, fieldManager string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	return extractPriorityLevelConfiguration(priorityLevelConfiguration, fieldManager, "status")
+	return ExtractPriorityLevelConfigurationFrom(priorityLevelConfiguration, fieldManager, "status")
 }
 
-func extractPriorityLevelConfiguration(priorityLevelConfiguration *flowcontrolv1beta3.PriorityLevelConfiguration, fieldManager string, subresource string) (*PriorityLevelConfigurationApplyConfiguration, error) {
-	b := &PriorityLevelConfigurationApplyConfiguration{}
-	err := managedfields.ExtractInto(priorityLevelConfiguration, internal.Parser().Type("io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(priorityLevelConfiguration.Name)
-
-	b.WithKind("PriorityLevelConfiguration")
-	b.WithAPIVersion("flowcontrol.apiserver.k8s.io/v1beta3")
-	return b, nil
-}
 func (b PriorityLevelConfigurationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationcondition.go
index 01695f14481b8..bd14650a93b7a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationcondition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationcondition.go
@@ -25,12 +25,22 @@ import (
 
 // PriorityLevelConfigurationConditionApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationCondition type for use
 // with apply.
+//
+// PriorityLevelConfigurationCondition defines the condition of priority level.
 type PriorityLevelConfigurationConditionApplyConfiguration struct {
-	Type               *flowcontrolv1beta3.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
-	Status             *flowcontrolv1beta3.ConditionStatus                         `json:"status,omitempty"`
-	LastTransitionTime *v1.Time                                                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                                     `json:"reason,omitempty"`
-	Message            *string                                                     `json:"message,omitempty"`
+	// `type` is the type of the condition.
+	// Required.
+	Type *flowcontrolv1beta3.PriorityLevelConfigurationConditionType `json:"type,omitempty"`
+	// `status` is the status of the condition.
+	// Can be True, False, Unknown.
+	// Required.
+	Status *flowcontrolv1beta3.ConditionStatus `json:"status,omitempty"`
+	// `lastTransitionTime` is the last time the condition transitioned from one status to another.
+	LastTransitionTime *v1.Time `json:"lastTransitionTime,omitempty"`
+	// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// `message` is a human-readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // PriorityLevelConfigurationConditionApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationCondition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationreference.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationreference.go
index 566aaa916b1e9..7221983d7d5a2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationreference.go
@@ -20,7 +20,11 @@ package v1beta3
 
 // PriorityLevelConfigurationReferenceApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationReference type for use
 // with apply.
+//
+// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
 type PriorityLevelConfigurationReferenceApplyConfiguration struct {
+	// `name` is the name of the priority level configuration being referenced
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationspec.go
index c9508547876a0..3e3f107e011e5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationspec.go
@@ -24,10 +24,28 @@ import (
 
 // PriorityLevelConfigurationSpecApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationSpec type for use
 // with apply.
+//
+// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
 type PriorityLevelConfigurationSpecApplyConfiguration struct {
-	Type    *flowcontrolv1beta3.PriorityLevelEnablement          `json:"type,omitempty"`
+	// `type` indicates whether this priority level is subject to
+	// limitation on request execution.  A value of `"Exempt"` means
+	// that requests of this priority level are not subject to a limit
+	// (and thus are never queued) and do not detract from the
+	// capacity made available to other priority levels.  A value of
+	// `"Limited"` means that (a) requests of this priority level
+	// _are_ subject to limits and (b) some of the server's limited
+	// capacity is made available exclusively to this priority level.
+	// Required.
+	Type *flowcontrolv1beta3.PriorityLevelEnablement `json:"type,omitempty"`
+	// `limited` specifies how requests are handled for a Limited priority level.
+	// This field must be non-empty if and only if `type` is `"Limited"`.
 	Limited *LimitedPriorityLevelConfigurationApplyConfiguration `json:"limited,omitempty"`
-	Exempt  *ExemptPriorityLevelConfigurationApplyConfiguration  `json:"exempt,omitempty"`
+	// `exempt` specifies how requests are handled for an exempt priority level.
+	// This field MUST be empty if `type` is `"Limited"`.
+	// This field MAY be non-empty if `type` is `"Exempt"`.
+	// If empty and `type` is `"Exempt"` then the default values
+	// for `ExemptPriorityLevelConfiguration` apply.
+	Exempt *ExemptPriorityLevelConfigurationApplyConfiguration `json:"exempt,omitempty"`
 }
 
 // PriorityLevelConfigurationSpecApplyConfiguration constructs a declarative configuration of the PriorityLevelConfigurationSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationstatus.go
index be2436457eeec..1d5e87a093ef2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/prioritylevelconfigurationstatus.go
@@ -20,7 +20,10 @@ package v1beta3
 
 // PriorityLevelConfigurationStatusApplyConfiguration represents a declarative configuration of the PriorityLevelConfigurationStatus type for use
 // with apply.
+//
+// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
 type PriorityLevelConfigurationStatusApplyConfiguration struct {
+	// `conditions` is the current state of "request-priority".
 	Conditions []PriorityLevelConfigurationConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/queuingconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/queuingconfiguration.go
index f9a3c6d1a6e39..b73113b631022 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/queuingconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/queuingconfiguration.go
@@ -20,9 +20,32 @@ package v1beta3
 
 // QueuingConfigurationApplyConfiguration represents a declarative configuration of the QueuingConfiguration type for use
 // with apply.
+//
+// QueuingConfiguration holds the configuration parameters for queuing
 type QueuingConfigurationApplyConfiguration struct {
-	Queues           *int32 `json:"queues,omitempty"`
-	HandSize         *int32 `json:"handSize,omitempty"`
+	// `queues` is the number of queues for this priority level. The
+	// queues exist independently at each apiserver. The value must be
+	// positive.  Setting it to 1 effectively precludes
+	// shufflesharding and thus makes the distinguisher method of
+	// associated flow schemas irrelevant.  This field has a default
+	// value of 64.
+	Queues *int32 `json:"queues,omitempty"`
+	// `handSize` is a small positive number that configures the
+	// shuffle sharding of requests into queues.  When enqueuing a request
+	// at this priority level the request's flow identifier (a string
+	// pair) is hashed and the hash value is used to shuffle the list
+	// of queues and deal a hand of the size specified here.  The
+	// request is put into one of the shortest queues in that hand.
+	// `handSize` must be no larger than `queues`, and should be
+	// significantly smaller (so that a few heavy flows do not
+	// saturate most of the queues).  See the user-facing
+	// documentation for more extensive guidance on setting this
+	// field.  This field has a default value of 8.
+	HandSize *int32 `json:"handSize,omitempty"`
+	// `queueLengthLimit` is the maximum number of requests allowed to
+	// be waiting in a given queue of this priority level at a time;
+	// excess requests are rejected.  This value must be positive.  If
+	// not specified, it will be defaulted to 50.
 	QueueLengthLimit *int32 `json:"queueLengthLimit,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/resourcepolicyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/resourcepolicyrule.go
index e38f711db0a60..572c56e8e0c30 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/resourcepolicyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/resourcepolicyrule.go
@@ -20,12 +20,46 @@ package v1beta3
 
 // ResourcePolicyRuleApplyConfiguration represents a declarative configuration of the ResourcePolicyRule type for use
 // with apply.
+//
+// ResourcePolicyRule is a predicate that matches some resource
+// requests, testing the request's verb and the target resource. A
+// ResourcePolicyRule matches a resource request if and only if: (a)
+// at least one member of verbs matches the request, (b) at least one
+// member of apiGroups matches the request, (c) at least one member of
+// resources matches the request, and (d) either (d1) the request does
+// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
+// true or (d2) the request specifies a namespace and least one member
+// of namespaces matches the request's namespace.
 type ResourcePolicyRuleApplyConfiguration struct {
-	Verbs        []string `json:"verbs,omitempty"`
-	APIGroups    []string `json:"apiGroups,omitempty"`
-	Resources    []string `json:"resources,omitempty"`
-	ClusterScope *bool    `json:"clusterScope,omitempty"`
-	Namespaces   []string `json:"namespaces,omitempty"`
+	// `verbs` is a list of matching verbs and may not be empty.
+	// "*" matches all verbs and, if present, must be the only entry.
+	// Required.
+	Verbs []string `json:"verbs,omitempty"`
+	// `apiGroups` is a list of matching API groups and may not be empty.
+	// "*" matches all API groups and, if present, must be the only entry.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// `resources` is a list of matching resources (i.e., lowercase
+	// and plural) with, if desired, subresource.  For example, [
+	// "services", "nodes/status" ].  This list may not be empty.
+	// "*" matches all resources and, if present, must be the only entry.
+	// Required.
+	Resources []string `json:"resources,omitempty"`
+	// `clusterScope` indicates whether to match requests that do not
+	// specify a namespace (which happens either because the resource
+	// is not namespaced or the request targets all namespaces).
+	// If this field is omitted or false then the `namespaces` field
+	// must contain a non-empty list.
+	ClusterScope *bool `json:"clusterScope,omitempty"`
+	// `namespaces` is a list of target namespaces that restricts
+	// matches.  A request that specifies a target namespace matches
+	// only if either (a) this list contains that target namespace or
+	// (b) this list contains "*".  Note that "*" matches any
+	// specified namespace but does not match a request that _does
+	// not specify_ a namespace (see the `clusterScope` field for
+	// that).
+	// This list may be empty, but only if `clusterScope` is true.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
 
 // ResourcePolicyRuleApplyConfiguration constructs a declarative configuration of the ResourcePolicyRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/serviceaccountsubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/serviceaccountsubject.go
index a5ed40c2ae631..a298d9d019600 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/serviceaccountsubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/serviceaccountsubject.go
@@ -20,9 +20,15 @@ package v1beta3
 
 // ServiceAccountSubjectApplyConfiguration represents a declarative configuration of the ServiceAccountSubject type for use
 // with apply.
+//
+// ServiceAccountSubject holds detailed information for service-account-kind subject.
 type ServiceAccountSubjectApplyConfiguration struct {
+	// `namespace` is the namespace of matching ServiceAccount objects.
+	// Required.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
+	// Required.
+	Name *string `json:"name,omitempty"`
 }
 
 // ServiceAccountSubjectApplyConfiguration constructs a declarative configuration of the ServiceAccountSubject type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/subject.go
index 46499f5418cfd..426c65e6bb16d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/subject.go
@@ -24,10 +24,18 @@ import (
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject matches the originator of a request, as identified by the request authentication system. There are three
+// ways of matching an originator; by user, group, or service account.
 type SubjectApplyConfiguration struct {
-	Kind           *flowcontrolv1beta3.SubjectKind          `json:"kind,omitempty"`
-	User           *UserSubjectApplyConfiguration           `json:"user,omitempty"`
-	Group          *GroupSubjectApplyConfiguration          `json:"group,omitempty"`
+	// `kind` indicates which one of the other fields is non-empty.
+	// Required
+	Kind *flowcontrolv1beta3.SubjectKind `json:"kind,omitempty"`
+	// `user` matches based on username.
+	User *UserSubjectApplyConfiguration `json:"user,omitempty"`
+	// `group` matches based on user group name.
+	Group *GroupSubjectApplyConfiguration `json:"group,omitempty"`
+	// `serviceAccount` matches ServiceAccounts.
 	ServiceAccount *ServiceAccountSubjectApplyConfiguration `json:"serviceAccount,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/usersubject.go b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/usersubject.go
index 7b3ec2ba82473..f17a99cf4f827 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/usersubject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3/usersubject.go
@@ -20,7 +20,11 @@ package v1beta3
 
 // UserSubjectApplyConfiguration represents a declarative configuration of the UserSubject type for use
 // with apply.
+//
+// UserSubject holds detailed information for user-kind subject.
 type UserSubjectApplyConfiguration struct {
+	// `name` is the username that matches, or "*" to match all usernames.
+	// Required.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereview.go b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereview.go
index 0d428e06bc0a2..f63c86ceb2079 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereview.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereview.go
@@ -29,11 +29,17 @@ import (
 
 // ImageReviewApplyConfiguration represents a declarative configuration of the ImageReview type for use
 // with apply.
+//
+// ImageReview checks if the set of images in a pod are allowed.
 type ImageReviewApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ImageReviewSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ImageReviewStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec holds information about the pod being evaluated
+	Spec *ImageReviewSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status is filled in by the backend and indicates whether the pod should be allowed.
+	Status *ImageReviewStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ImageReview constructs a declarative configuration of the ImageReview type for use with
@@ -46,6 +52,26 @@ func ImageReview(name string) *ImageReviewApplyConfiguration {
 	return b
 }
 
+// ExtractImageReviewFrom extracts the applied configuration owned by fieldManager from
+// imageReview for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imageReview must be a unmodified ImageReview API object that was retrieved from the Kubernetes API.
+// ExtractImageReviewFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageReviewFrom(imageReview *imagepolicyv1alpha1.ImageReview, fieldManager string, subresource string) (*ImageReviewApplyConfiguration, error) {
+	b := &ImageReviewApplyConfiguration{}
+	err := managedfields.ExtractInto(imageReview, internal.Parser().Type("io.k8s.api.imagepolicy.v1alpha1.ImageReview"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imageReview.Name)
+
+	b.WithKind("ImageReview")
+	b.WithAPIVersion("imagepolicy.k8s.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractImageReview extracts the applied configuration owned by fieldManager from
 // imageReview. If no managedFields are found in imageReview for fieldManager, a
 // ImageReviewApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +82,16 @@ func ImageReview(name string) *ImageReviewApplyConfiguration {
 // ExtractImageReview provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImageReview(imageReview *imagepolicyv1alpha1.ImageReview, fieldManager string) (*ImageReviewApplyConfiguration, error) {
-	return extractImageReview(imageReview, fieldManager, "")
+	return ExtractImageReviewFrom(imageReview, fieldManager, "")
 }
 
-// ExtractImageReviewStatus is the same as ExtractImageReview except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImageReviewStatus extracts the applied configuration owned by fieldManager from
+// imageReview for the status subresource.
 func ExtractImageReviewStatus(imageReview *imagepolicyv1alpha1.ImageReview, fieldManager string) (*ImageReviewApplyConfiguration, error) {
-	return extractImageReview(imageReview, fieldManager, "status")
+	return ExtractImageReviewFrom(imageReview, fieldManager, "status")
 }
 
-func extractImageReview(imageReview *imagepolicyv1alpha1.ImageReview, fieldManager string, subresource string) (*ImageReviewApplyConfiguration, error) {
-	b := &ImageReviewApplyConfiguration{}
-	err := managedfields.ExtractInto(imageReview, internal.Parser().Type("io.k8s.api.imagepolicy.v1alpha1.ImageReview"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imageReview.Name)
-
-	b.WithKind("ImageReview")
-	b.WithAPIVersion("imagepolicy.k8s.io/v1alpha1")
-	return b, nil
-}
 func (b ImageReviewApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewcontainerspec.go b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewcontainerspec.go
index adfdb3258421a..1f0193f031a66 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewcontainerspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewcontainerspec.go
@@ -20,7 +20,10 @@ package v1alpha1
 
 // ImageReviewContainerSpecApplyConfiguration represents a declarative configuration of the ImageReviewContainerSpec type for use
 // with apply.
+//
+// ImageReviewContainerSpec is a description of a container within the pod creation request.
 type ImageReviewContainerSpecApplyConfiguration struct {
+	// This can be in the form image:tag or image@SHA:012345679abcdef.
 	Image *string `json:"image,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewspec.go b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewspec.go
index 7efc36a321495..14c6603f5e64e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewspec.go
@@ -20,10 +20,17 @@ package v1alpha1
 
 // ImageReviewSpecApplyConfiguration represents a declarative configuration of the ImageReviewSpec type for use
 // with apply.
+//
+// ImageReviewSpec is a description of the pod creation request.
 type ImageReviewSpecApplyConfiguration struct {
-	Containers  []ImageReviewContainerSpecApplyConfiguration `json:"containers,omitempty"`
-	Annotations map[string]string                            `json:"annotations,omitempty"`
-	Namespace   *string                                      `json:"namespace,omitempty"`
+	// Containers is a list of a subset of the information in each container of the Pod being created.
+	Containers []ImageReviewContainerSpecApplyConfiguration `json:"containers,omitempty"`
+	// Annotations is a list of key-value pairs extracted from the Pod's annotations.
+	// It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
+	// It is up to each webhook backend to determine how to interpret these annotations, if at all.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// Namespace is the namespace the pod is being created in.
+	Namespace *string `json:"namespace,omitempty"`
 }
 
 // ImageReviewSpecApplyConfiguration constructs a declarative configuration of the ImageReviewSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewstatus.go
index e26a427e69eab..52828a29c1eda 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/imagepolicy/v1alpha1/imagereviewstatus.go
@@ -20,9 +20,19 @@ package v1alpha1
 
 // ImageReviewStatusApplyConfiguration represents a declarative configuration of the ImageReviewStatus type for use
 // with apply.
+//
+// ImageReviewStatus is the result of the review for the pod creation request.
 type ImageReviewStatusApplyConfiguration struct {
-	Allowed          *bool             `json:"allowed,omitempty"`
-	Reason           *string           `json:"reason,omitempty"`
+	// Allowed indicates that all images were allowed to be run.
+	Allowed *bool `json:"allowed,omitempty"`
+	// Reason should be empty unless Allowed is false in which case it
+	// may contain a short description of what is wrong.  Kubernetes
+	// may truncate excessively long errors when displaying to the user.
+	Reason *string `json:"reason,omitempty"`
+	// AuditAnnotations will be added to the attributes object of the
+	// admission controller request using 'AddAnnotation'.  The keys should
+	// be prefix-less (i.e., the admission controller will add an
+	// appropriate prefix).
 	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go b/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
index ed8b7a18eea17..2d66c9ba08bf1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
@@ -4458,91 +4458,6 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
-- name: io.k8s.api.certificates.v1alpha1.PodCertificateRequest
-  map:
-    fields:
-    - name: apiVersion
-      type:
-        scalar: string
-    - name: kind
-      type:
-        scalar: string
-    - name: metadata
-      type:
-        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
-      default: {}
-    - name: spec
-      type:
-        namedType: io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec
-      default: {}
-    - name: status
-      type:
-        namedType: io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus
-      default: {}
-- name: io.k8s.api.certificates.v1alpha1.PodCertificateRequestSpec
-  map:
-    fields:
-    - name: maxExpirationSeconds
-      type:
-        scalar: numeric
-      default: 86400
-    - name: nodeName
-      type:
-        scalar: string
-      default: ""
-    - name: nodeUID
-      type:
-        scalar: string
-      default: ""
-    - name: pkixPublicKey
-      type:
-        scalar: string
-    - name: podName
-      type:
-        scalar: string
-      default: ""
-    - name: podUID
-      type:
-        scalar: string
-      default: ""
-    - name: proofOfPossession
-      type:
-        scalar: string
-    - name: serviceAccountName
-      type:
-        scalar: string
-      default: ""
-    - name: serviceAccountUID
-      type:
-        scalar: string
-      default: ""
-    - name: signerName
-      type:
-        scalar: string
-      default: ""
-- name: io.k8s.api.certificates.v1alpha1.PodCertificateRequestStatus
-  map:
-    fields:
-    - name: beginRefreshAt
-      type:
-        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
-    - name: certificateChain
-      type:
-        scalar: string
-    - name: conditions
-      type:
-        list:
-          elementType:
-            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
-          elementRelationship: associative
-          keys:
-          - type
-    - name: notAfter
-      type:
-        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
-    - name: notBefore
-      type:
-        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
 - name: io.k8s.api.certificates.v1beta1.CertificateSigningRequest
   map:
     fields:
@@ -4666,6 +4581,96 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: io.k8s.api.certificates.v1beta1.PodCertificateRequest
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec
+      default: {}
+    - name: status
+      type:
+        namedType: io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus
+      default: {}
+- name: io.k8s.api.certificates.v1beta1.PodCertificateRequestSpec
+  map:
+    fields:
+    - name: maxExpirationSeconds
+      type:
+        scalar: numeric
+      default: 86400
+    - name: nodeName
+      type:
+        scalar: string
+      default: ""
+    - name: nodeUID
+      type:
+        scalar: string
+      default: ""
+    - name: pkixPublicKey
+      type:
+        scalar: string
+    - name: podName
+      type:
+        scalar: string
+      default: ""
+    - name: podUID
+      type:
+        scalar: string
+      default: ""
+    - name: proofOfPossession
+      type:
+        scalar: string
+    - name: serviceAccountName
+      type:
+        scalar: string
+      default: ""
+    - name: serviceAccountUID
+      type:
+        scalar: string
+      default: ""
+    - name: signerName
+      type:
+        scalar: string
+      default: ""
+    - name: unverifiedUserAnnotations
+      type:
+        map:
+          elementType:
+            scalar: string
+- name: io.k8s.api.certificates.v1beta1.PodCertificateRequestStatus
+  map:
+    fields:
+    - name: beginRefreshAt
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: certificateChain
+      type:
+        scalar: string
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
+    - name: notAfter
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: notBefore
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
 - name: io.k8s.api.coordination.v1.Lease
   map:
     fields:
@@ -6765,6 +6770,12 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: io.k8s.api.core.v1.NodeDaemonEndpoints
       default: {}
+    - name: declaredFeatures
+      type:
+        list:
+          elementType:
+            scalar: string
+          elementRelationship: atomic
     - name: features
       type:
         namedType: io.k8s.api.core.v1.NodeFeatures
@@ -7282,6 +7293,11 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: signerName
       type:
         scalar: string
+    - name: userAnnotations
+      type:
+        map:
+          elementType:
+            scalar: string
 - name: io.k8s.api.core.v1.PodCondition
   map:
     fields:
@@ -7633,9 +7649,17 @@ var schemaYAML = typed.YAMLObject(`types:
           elementRelationship: associative
           keys:
           - name
+    - name: workloadRef
+      type:
+        namedType: io.k8s.api.core.v1.WorkloadReference
 - name: io.k8s.api.core.v1.PodStatus
   map:
     fields:
+    - name: allocatedResources
+      type:
+        map:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.api.resource.Quantity
     - name: conditions
       type:
         list:
@@ -7714,6 +7738,9 @@ var schemaYAML = typed.YAMLObject(`types:
           elementRelationship: associative
           keys:
           - name
+    - name: resources
+      type:
+        namedType: io.k8s.api.core.v1.ResourceRequirements
     - name: startTime
       type:
         namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
@@ -9007,6 +9034,20 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: runAsUserName
       type:
         scalar: string
+- name: io.k8s.api.core.v1.WorkloadReference
+  map:
+    fields:
+    - name: name
+      type:
+        scalar: string
+      default: ""
+    - name: podGroup
+      type:
+        scalar: string
+      default: ""
+    - name: podGroupReplicaKey
+      type:
+        scalar: string
 - name: io.k8s.api.discovery.v1.Endpoint
   map:
     fields:
@@ -13476,19 +13517,6 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             namedType: io.k8s.api.resource.v1.CounterSet
           elementRelationship: atomic
-- name: io.k8s.api.resource.v1alpha3.CELDeviceSelector
-  map:
-    fields:
-    - name: expression
-      type:
-        scalar: string
-      default: ""
-- name: io.k8s.api.resource.v1alpha3.DeviceSelector
-  map:
-    fields:
-    - name: cel
-      type:
-        namedType: io.k8s.api.resource.v1alpha3.CELDeviceSelector
 - name: io.k8s.api.resource.v1alpha3.DeviceTaint
   map:
     fields:
@@ -13523,6 +13551,10 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec
       default: {}
+    - name: status
+      type:
+        namedType: io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus
+      default: {}
 - name: io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec
   map:
     fields:
@@ -13533,27 +13565,29 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: io.k8s.api.resource.v1alpha3.DeviceTaint
       default: {}
+- name: io.k8s.api.resource.v1alpha3.DeviceTaintRuleStatus
+  map:
+    fields:
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
 - name: io.k8s.api.resource.v1alpha3.DeviceTaintSelector
   map:
     fields:
     - name: device
       type:
         scalar: string
-    - name: deviceClassName
-      type:
-        scalar: string
     - name: driver
       type:
         scalar: string
     - name: pool
       type:
         scalar: string
-    - name: selectors
-      type:
-        list:
-          elementType:
-            namedType: io.k8s.api.resource.v1alpha3.DeviceSelector
-          elementRelationship: atomic
 - name: io.k8s.api.resource.v1beta1.AllocatedDeviceStatus
   map:
     fields:
@@ -14934,6 +14968,45 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: numeric
       default: 0
+- name: io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy
+  map:
+    elementType:
+      scalar: untyped
+      list:
+        elementType:
+          namedType: __untyped_atomic_
+        elementRelationship: atomic
+      map:
+        elementType:
+          namedType: __untyped_deduced_
+        elementRelationship: separable
+- name: io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy
+  map:
+    fields:
+    - name: minCount
+      type:
+        scalar: numeric
+      default: 0
+- name: io.k8s.api.scheduling.v1alpha1.PodGroup
+  map:
+    fields:
+    - name: name
+      type:
+        scalar: string
+      default: ""
+    - name: policy
+      type:
+        namedType: io.k8s.api.scheduling.v1alpha1.PodGroupPolicy
+      default: {}
+- name: io.k8s.api.scheduling.v1alpha1.PodGroupPolicy
+  map:
+    fields:
+    - name: basic
+      type:
+        namedType: io.k8s.api.scheduling.v1alpha1.BasicSchedulingPolicy
+    - name: gang
+      type:
+        namedType: io.k8s.api.scheduling.v1alpha1.GangSchedulingPolicy
 - name: io.k8s.api.scheduling.v1alpha1.PriorityClass
   map:
     fields:
@@ -14960,6 +15033,51 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: numeric
       default: 0
+- name: io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference
+  map:
+    fields:
+    - name: apiGroup
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+      default: ""
+    - name: name
+      type:
+        scalar: string
+      default: ""
+- name: io.k8s.api.scheduling.v1alpha1.Workload
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: io.k8s.api.scheduling.v1alpha1.WorkloadSpec
+      default: {}
+- name: io.k8s.api.scheduling.v1alpha1.WorkloadSpec
+  map:
+    fields:
+    - name: controllerRef
+      type:
+        namedType: io.k8s.api.scheduling.v1alpha1.TypedLocalObjectReference
+    - name: podGroups
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.scheduling.v1alpha1.PodGroup
+          elementRelationship: associative
+          keys:
+          - name
 - name: io.k8s.api.scheduling.v1beta1.PriorityClass
   map:
     fields:
@@ -15024,6 +15142,9 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: seLinuxMount
       type:
         scalar: boolean
+    - name: serviceAccountTokenInSecrets
+      type:
+        scalar: boolean
     - name: storageCapacity
       type:
         scalar: boolean
@@ -15430,6 +15551,9 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: seLinuxMount
       type:
         scalar: boolean
+    - name: serviceAccountTokenInSecrets
+      type:
+        scalar: boolean
     - name: storageCapacity
       type:
         scalar: boolean
@@ -15675,39 +15799,7 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: count
       type:
         scalar: numeric
-- name: io.k8s.api.storagemigration.v1alpha1.GroupVersionResource
-  map:
-    fields:
-    - name: group
-      type:
-        scalar: string
-    - name: resource
-      type:
-        scalar: string
-    - name: version
-      type:
-        scalar: string
-- name: io.k8s.api.storagemigration.v1alpha1.MigrationCondition
-  map:
-    fields:
-    - name: lastUpdateTime
-      type:
-        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
-    - name: message
-      type:
-        scalar: string
-    - name: reason
-      type:
-        scalar: string
-    - name: status
-      type:
-        scalar: string
-      default: ""
-    - name: type
-      type:
-        scalar: string
-      default: ""
-- name: io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration
+- name: io.k8s.api.storagemigration.v1beta1.StorageVersionMigration
   map:
     fields:
     - name: apiVersion
@@ -15722,30 +15814,27 @@ var schemaYAML = typed.YAMLObject(`types:
       default: {}
     - name: spec
       type:
-        namedType: io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec
+        namedType: io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec
       default: {}
     - name: status
       type:
-        namedType: io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus
+        namedType: io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus
       default: {}
-- name: io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec
+- name: io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationSpec
   map:
     fields:
-    - name: continueToken
-      type:
-        scalar: string
     - name: resource
       type:
-        namedType: io.k8s.api.storagemigration.v1alpha1.GroupVersionResource
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource
       default: {}
-- name: io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationStatus
+- name: io.k8s.api.storagemigration.v1beta1.StorageVersionMigrationStatus
   map:
     fields:
     - name: conditions
       type:
         list:
           elementType:
-            namedType: io.k8s.api.storagemigration.v1alpha1.MigrationCondition
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
           elementRelationship: associative
           keys:
           - type
@@ -15821,6 +15910,17 @@ var schemaYAML = typed.YAMLObject(`types:
         elementType:
           namedType: __untyped_deduced_
         elementRelationship: separable
+- name: io.k8s.apimachinery.pkg.apis.meta.v1.GroupResource
+  map:
+    fields:
+    - name: group
+      type:
+        scalar: string
+      default: ""
+    - name: resource
+      type:
+        scalar: string
+      default: ""
 - name: io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
   map:
     fields:
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/condition.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/condition.go
index 69063df65b62a..6b0a44312b788 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/condition.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/condition.go
@@ -24,13 +24,47 @@ import (
 
 // ConditionApplyConfiguration represents a declarative configuration of the Condition type for use
 // with apply.
+//
+// Condition contains details for one aspect of the current state of this API Resource.
+// ---
+// This struct is intended for direct use as an array at the field path .status.conditions.  For example,
+//
+// type FooStatus struct{
+// // Represents the observations of a foo's current state.
+// // Known .status.conditions.type are: "Available", "Progressing", and "Degraded"
+// // +patchMergeKey=type
+// // +patchStrategy=merge
+// // +listType=map
+// // +listMapKey=type
+// Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+//
+// // other fields
+// }
 type ConditionApplyConfiguration struct {
-	Type               *string                 `json:"type,omitempty"`
-	Status             *metav1.ConditionStatus `json:"status,omitempty"`
-	ObservedGeneration *int64                  `json:"observedGeneration,omitempty"`
-	LastTransitionTime *metav1.Time            `json:"lastTransitionTime,omitempty"`
-	Reason             *string                 `json:"reason,omitempty"`
-	Message            *string                 `json:"message,omitempty"`
+	// type of condition in CamelCase or in foo.example.com/CamelCase.
+	// ---
+	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+	// useful (see .node.status.conditions), the ability to deconflict is important.
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	Type *string `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *metav1.ConditionStatus `json:"status,omitempty"`
+	// observedGeneration represents the .metadata.generation that the condition was set based upon.
+	// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the instance.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// lastTransitionTime is the last time the condition transitioned from one status to another.
+	// This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason contains a programmatic identifier indicating the reason for the condition's last transition.
+	// Producers of specific condition types may define expected values and meanings for this field,
+	// and whether the values are considered a guaranteed API.
+	// The value should be a CamelCase string.
+	// This field may not be empty.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human readable message indicating details about the transition.
+	// This may be an empty string.
+	Message *string `json:"message,omitempty"`
 }
 
 // ConditionApplyConfiguration constructs a declarative configuration of the Condition type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/deleteoptions.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/deleteoptions.go
index a872d19cafb8f..ed4c4bfa5075e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/deleteoptions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/deleteoptions.go
@@ -24,14 +24,51 @@ import (
 
 // DeleteOptionsApplyConfiguration represents a declarative configuration of the DeleteOptions type for use
 // with apply.
+//
+// DeleteOptions may be provided when deleting an API object.
 type DeleteOptionsApplyConfiguration struct {
-	TypeMetaApplyConfiguration                       `json:",inline"`
-	GracePeriodSeconds                               *int64                           `json:"gracePeriodSeconds,omitempty"`
-	Preconditions                                    *PreconditionsApplyConfiguration `json:"preconditions,omitempty"`
-	OrphanDependents                                 *bool                            `json:"orphanDependents,omitempty"`
-	PropagationPolicy                                *metav1.DeletionPropagation      `json:"propagationPolicy,omitempty"`
-	DryRun                                           []string                         `json:"dryRun,omitempty"`
-	IgnoreStoreReadErrorWithClusterBreakingPotential *bool                            `json:"ignoreStoreReadErrorWithClusterBreakingPotential,omitempty"`
+	TypeMetaApplyConfiguration `json:",inline"`
+	// The duration in seconds before the object should be deleted. Value must be non-negative integer.
+	// The value zero indicates delete immediately. If this value is nil, the default grace period for the
+	// specified type will be used.
+	// Defaults to a per object value if not specified. zero means delete immediately.
+	GracePeriodSeconds *int64 `json:"gracePeriodSeconds,omitempty"`
+	// Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
+	// returned.
+	Preconditions *PreconditionsApplyConfiguration `json:"preconditions,omitempty"`
+	// Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
+	// Should the dependent objects be orphaned. If true/false, the "orphan"
+	// finalizer will be added to/removed from the object's finalizers list.
+	// Either this field or PropagationPolicy may be set, but not both.
+	OrphanDependents *bool `json:"orphanDependents,omitempty"`
+	// Whether and how garbage collection will be performed.
+	// Either this field or OrphanDependents may be set, but not both.
+	// The default policy is decided by the existing finalizer set in the
+	// metadata.finalizers and the resource-specific default policy.
+	// Acceptable values are: 'Orphan' - orphan the dependents; 'Background' -
+	// allow the garbage collector to delete the dependents in the background;
+	// 'Foreground' - a cascading policy that deletes all dependents in the
+	// foreground.
+	PropagationPolicy *metav1.DeletionPropagation `json:"propagationPolicy,omitempty"`
+	// When present, indicates that modifications should not be
+	// persisted. An invalid or unrecognized dryRun directive will
+	// result in an error response and no further processing of the
+	// request. Valid values are:
+	// - All: all dry run stages will be processed
+	DryRun []string `json:"dryRun,omitempty"`
+	// if set to true, it will trigger an unsafe deletion of the resource in
+	// case the normal deletion flow fails with a corrupt object error.
+	// A resource is considered corrupt if it can not be retrieved from
+	// the underlying storage successfully because of a) its data can
+	// not be transformed e.g. decryption failure, or b) it fails
+	// to decode into an object.
+	// NOTE: unsafe deletion ignores finalizer constraints, skips
+	// precondition checks, and removes the object from the storage.
+	// WARNING: This may potentially break the cluster if the workload
+	// associated with the resource being unsafe-deleted relies on normal
+	// deletion flow. Use only if you REALLY know what you are doing.
+	// The default value is false, and the user must opt in to enable it
+	IgnoreStoreReadErrorWithClusterBreakingPotential *bool `json:"ignoreStoreReadErrorWithClusterBreakingPotential,omitempty"`
 }
 
 // DeleteOptionsApplyConfiguration constructs a declarative configuration of the DeleteOptions type for use with
@@ -42,6 +79,7 @@ func DeleteOptions() *DeleteOptionsApplyConfiguration {
 	b.WithAPIVersion("meta.k8s.io/v1")
 	return b
 }
+
 func (b DeleteOptionsApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/groupresource.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/groupresource.go
new file mode 100644
index 0000000000000..d2e56d637caae
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/groupresource.go
@@ -0,0 +1,51 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// GroupResourceApplyConfiguration represents a declarative configuration of the GroupResource type for use
+// with apply.
+//
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+type GroupResourceApplyConfiguration struct {
+	Group    *string `json:"group,omitempty"`
+	Resource *string `json:"resource,omitempty"`
+}
+
+// GroupResourceApplyConfiguration constructs a declarative configuration of the GroupResource type for use with
+// apply.
+func GroupResource() *GroupResourceApplyConfiguration {
+	return &GroupResourceApplyConfiguration{}
+}
+
+// WithGroup sets the Group field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Group field is set to the value of the last call.
+func (b *GroupResourceApplyConfiguration) WithGroup(value string) *GroupResourceApplyConfiguration {
+	b.Group = &value
+	return b
+}
+
+// WithResource sets the Resource field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resource field is set to the value of the last call.
+func (b *GroupResourceApplyConfiguration) WithResource(value string) *GroupResourceApplyConfiguration {
+	b.Resource = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselector.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselector.go
index 1f33c94e0c71f..7342725e54cf1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselector.go
@@ -20,8 +20,21 @@ package v1
 
 // LabelSelectorApplyConfiguration represents a declarative configuration of the LabelSelector type for use
 // with apply.
+//
+// Note:
+// There are two different styles of label selectors used in versioned types:
+// an older style which is represented as just a string in versioned types, and a
+// newer style that is structured.  LabelSelector is an internal representation for the
+// latter style.
+// A label selector is a label query over a set of resources. The result of matchLabels and
+// matchExpressions are ANDed. An empty label selector matches all objects. A null
+// label selector matches no objects.
 type LabelSelectorApplyConfiguration struct {
-	MatchLabels      map[string]string                            `json:"matchLabels,omitempty"`
+	// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+	// map is equivalent to an element of matchExpressions, whose key field is "key", the
+	// operator is "In", and the values array contains only "value". The requirements are ANDed.
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+	// matchExpressions is a list of label selector requirements. The requirements are ANDed.
 	MatchExpressions []LabelSelectorRequirementApplyConfiguration `json:"matchExpressions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselectorrequirement.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselectorrequirement.go
index c8b015c985272..1403135754274 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselectorrequirement.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/labelselectorrequirement.go
@@ -24,10 +24,20 @@ import (
 
 // LabelSelectorRequirementApplyConfiguration represents a declarative configuration of the LabelSelectorRequirement type for use
 // with apply.
+//
+// A label selector requirement is a selector that contains values, a key, and an operator that
+// relates the key and values.
 type LabelSelectorRequirementApplyConfiguration struct {
-	Key      *string                       `json:"key,omitempty"`
+	// key is the label key that the selector applies to.
+	Key *string `json:"key,omitempty"`
+	// operator represents a key's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists and DoesNotExist.
 	Operator *metav1.LabelSelectorOperator `json:"operator,omitempty"`
-	Values   []string                      `json:"values,omitempty"`
+	// values is an array of string values. If the operator is In or NotIn,
+	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
+	// the values array must be empty. This array is replaced during a strategic
+	// merge patch.
+	Values []string `json:"values,omitempty"`
 }
 
 // LabelSelectorRequirementApplyConfiguration constructs a declarative configuration of the LabelSelectorRequirement type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/managedfieldsentry.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/managedfieldsentry.go
index 7175537c3e6bc..beb9d5e5b7f2b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/managedfieldsentry.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/managedfieldsentry.go
@@ -24,14 +24,39 @@ import (
 
 // ManagedFieldsEntryApplyConfiguration represents a declarative configuration of the ManagedFieldsEntry type for use
 // with apply.
+//
+// ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource
+// that the fieldset applies to.
 type ManagedFieldsEntryApplyConfiguration struct {
-	Manager     *string                            `json:"manager,omitempty"`
-	Operation   *metav1.ManagedFieldsOperationType `json:"operation,omitempty"`
-	APIVersion  *string                            `json:"apiVersion,omitempty"`
-	Time        *metav1.Time                       `json:"time,omitempty"`
-	FieldsType  *string                            `json:"fieldsType,omitempty"`
-	FieldsV1    *metav1.FieldsV1                   `json:"fieldsV1,omitempty"`
-	Subresource *string                            `json:"subresource,omitempty"`
+	// Manager is an identifier of the workflow managing these fields.
+	Manager *string `json:"manager,omitempty"`
+	// Operation is the type of operation which lead to this ManagedFieldsEntry being created.
+	// The only valid values for this field are 'Apply' and 'Update'.
+	Operation *metav1.ManagedFieldsOperationType `json:"operation,omitempty"`
+	// APIVersion defines the version of this resource that this field set
+	// applies to. The format is "group/version" just like the top-level
+	// APIVersion field. It is necessary to track the version of a field
+	// set because it cannot be automatically converted.
+	APIVersion *string `json:"apiVersion,omitempty"`
+	// Time is the timestamp of when the ManagedFields entry was added. The
+	// timestamp will also be updated if a field is added, the manager
+	// changes any of the owned fields value or removes a field. The
+	// timestamp does not update when a field is removed from the entry
+	// because another manager took it over.
+	Time *metav1.Time `json:"time,omitempty"`
+	// FieldsType is the discriminator for the different fields format and version.
+	// There is currently only one possible value: "FieldsV1"
+	FieldsType *string `json:"fieldsType,omitempty"`
+	// FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+	FieldsV1 *metav1.FieldsV1 `json:"fieldsV1,omitempty"`
+	// Subresource is the name of the subresource used to update that object, or
+	// empty string if the object was updated through the main resource. The
+	// value of this field is used to distinguish between managers, even if they
+	// share the same name. For example, a status update will be distinct from a
+	// regular update using the same manager name.
+	// Note that the APIVersion field is not related to the Subresource field and
+	// it always corresponds to the version of the main resource.
+	Subresource *string `json:"subresource,omitempty"`
 }
 
 // ManagedFieldsEntryApplyConfiguration constructs a declarative configuration of the ManagedFieldsEntry type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/objectmeta.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/objectmeta.go
index 13e1366d78640..fae9d6202bb85 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/objectmeta.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/objectmeta.go
@@ -25,20 +25,123 @@ import (
 
 // ObjectMetaApplyConfiguration represents a declarative configuration of the ObjectMeta type for use
 // with apply.
+//
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
 type ObjectMetaApplyConfiguration struct {
-	Name                       *string                            `json:"name,omitempty"`
-	GenerateName               *string                            `json:"generateName,omitempty"`
-	Namespace                  *string                            `json:"namespace,omitempty"`
-	UID                        *types.UID                         `json:"uid,omitempty"`
-	ResourceVersion            *string                            `json:"resourceVersion,omitempty"`
-	Generation                 *int64                             `json:"generation,omitempty"`
-	CreationTimestamp          *metav1.Time                       `json:"creationTimestamp,omitempty"`
-	DeletionTimestamp          *metav1.Time                       `json:"deletionTimestamp,omitempty"`
-	DeletionGracePeriodSeconds *int64                             `json:"deletionGracePeriodSeconds,omitempty"`
-	Labels                     map[string]string                  `json:"labels,omitempty"`
-	Annotations                map[string]string                  `json:"annotations,omitempty"`
-	OwnerReferences            []OwnerReferenceApplyConfiguration `json:"ownerReferences,omitempty"`
-	Finalizers                 []string                           `json:"finalizers,omitempty"`
+	// Name must be unique within a namespace. Is required when creating resources, although
+	// some resources may allow a client to request the generation of an appropriate name
+	// automatically. Name is primarily intended for creation idempotence and configuration
+	// definition.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+	Name *string `json:"name,omitempty"`
+	// GenerateName is an optional prefix, used by the server, to generate a unique
+	// name ONLY IF the Name field has not been provided.
+	// If this field is used, the name returned to the client will be different
+	// than the name passed. This value will also be combined with a unique suffix.
+	// The provided value has the same validation rules as the Name field,
+	// and may be truncated by the length of the suffix required to make the value
+	// unique on the server.
+	//
+	// If this field is specified and the generated name exists, the server will return a 409.
+	//
+	// Applied only if Name is not specified.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+	GenerateName *string `json:"generateName,omitempty"`
+	// Namespace defines the space within which each name must be unique. An empty namespace is
+	// equivalent to the "default" namespace, but "default" is the canonical representation.
+	// Not all objects are required to be scoped to a namespace - the value of this field for
+	// those objects will be empty.
+	//
+	// Must be a DNS_LABEL.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+	Namespace *string `json:"namespace,omitempty"`
+	// UID is the unique in time and space value for this object. It is typically generated by
+	// the server on successful creation of a resource and is not allowed to change on PUT
+	// operations.
+	//
+	// Populated by the system.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+	UID *types.UID `json:"uid,omitempty"`
+	// An opaque value that represents the internal version of this object that can
+	// be used by clients to determine when objects have changed. May be used for optimistic
+	// concurrency, change detection, and the watch operation on a resource or set of resources.
+	// Clients must treat these values as opaque and passed unmodified back to the server.
+	// They may only be valid for a particular resource or set of resources.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Value must be treated as opaque by clients and .
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+	ResourceVersion *string `json:"resourceVersion,omitempty"`
+	// A sequence number representing a specific generation of the desired state.
+	// Populated by the system. Read-only.
+	Generation *int64 `json:"generation,omitempty"`
+	// CreationTimestamp is a timestamp representing the server time when this object was
+	// created. It is not guaranteed to be set in happens-before order across separate operations.
+	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Null for lists.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	CreationTimestamp *metav1.Time `json:"creationTimestamp,omitempty"`
+	// DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
+	// field is set by the server when a graceful deletion is requested by the user, and is not
+	// directly settable by a client. The resource is expected to be deleted (no longer visible
+	// from resource lists, and not reachable by name) after the time in this field, once the
+	// finalizers list is empty. As long as the finalizers list contains items, deletion is blocked.
+	// Once the deletionTimestamp is set, this value may not be unset or be set further into the
+	// future, although it may be shortened or the resource may be deleted prior to this time.
+	// For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react
+	// by sending a graceful termination signal to the containers in the pod. After that 30 seconds,
+	// the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup,
+	// remove the pod from the API. In the presence of network partitions, this object may still
+	// exist after this timestamp, until an administrator or automated process can determine the
+	// resource is fully terminated.
+	// If not set, graceful deletion of the object has not been requested.
+	//
+	// Populated by the system when a graceful deletion is requested.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	DeletionTimestamp *metav1.Time `json:"deletionTimestamp,omitempty"`
+	// Number of seconds allowed for this object to gracefully terminate before
+	// it will be removed from the system. Only set when deletionTimestamp is also set.
+	// May only be shortened.
+	// Read-only.
+	DeletionGracePeriodSeconds *int64 `json:"deletionGracePeriodSeconds,omitempty"`
+	// Map of string keys and values that can be used to organize and categorize
+	// (scope and select) objects. May match selectors of replication controllers
+	// and services.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations is an unstructured key value map stored with a resource that may be
+	// set by external tools to store and retrieve arbitrary metadata. They are not
+	// queryable and should be preserved when modifying objects.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// List of objects depended by this object. If ALL objects in the list have
+	// been deleted, this object will be garbage collected. If this object is managed by a controller,
+	// then an entry in this list will point to this controller, with the controller field set to true.
+	// There cannot be more than one managing controller.
+	OwnerReferences []OwnerReferenceApplyConfiguration `json:"ownerReferences,omitempty"`
+	// Must be empty before the object is deleted from the registry. Each entry
+	// is an identifier for the responsible component that will remove the entry
+	// from the list. If the deletionTimestamp of the object is non-nil, entries
+	// in this list can only be removed.
+	// Finalizers may be processed and removed in any order.  Order is NOT enforced
+	// because it introduces significant risk of stuck finalizers.
+	// finalizers is a shared field, any actor with permission can reorder it.
+	// If the finalizer list is processed in order, then this can lead to a situation
+	// in which the component responsible for the first finalizer in the list is
+	// waiting for a signal (field value, external system, or other) produced by a
+	// component responsible for a finalizer later in the list, resulting in a deadlock.
+	// Without enforced ordering finalizers are free to order amongst themselves and
+	// are not vulnerable to ordering changes in the list.
+	Finalizers []string `json:"finalizers,omitempty"`
 }
 
 // ObjectMetaApplyConfiguration constructs a declarative configuration of the ObjectMeta type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/ownerreference.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/ownerreference.go
index 2776152322e4c..35501b163166f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/ownerreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/ownerreference.go
@@ -24,13 +24,33 @@ import (
 
 // OwnerReferenceApplyConfiguration represents a declarative configuration of the OwnerReference type for use
 // with apply.
+//
+// OwnerReference contains enough information to let you identify an owning
+// object. An owning object must be in the same namespace as the dependent, or
+// be cluster-scoped, so there is no namespace field.
 type OwnerReferenceApplyConfiguration struct {
-	APIVersion         *string    `json:"apiVersion,omitempty"`
-	Kind               *string    `json:"kind,omitempty"`
-	Name               *string    `json:"name,omitempty"`
-	UID                *types.UID `json:"uid,omitempty"`
-	Controller         *bool      `json:"controller,omitempty"`
-	BlockOwnerDeletion *bool      `json:"blockOwnerDeletion,omitempty"`
+	// API version of the referent.
+	APIVersion *string `json:"apiVersion,omitempty"`
+	// Kind of the referent.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+	Name *string `json:"name,omitempty"`
+	// UID of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+	UID *types.UID `json:"uid,omitempty"`
+	// If true, this reference points to the managing controller.
+	Controller *bool `json:"controller,omitempty"`
+	// If true, AND if the owner has the "foregroundDeletion" finalizer, then
+	// the owner cannot be deleted from the key-value store until this
+	// reference is removed.
+	// See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
+	// for how the garbage collector interacts with this field and enforces the foreground deletion.
+	// Defaults to false.
+	// To set this field, a user needs "delete" permission of the owner,
+	// otherwise 422 (Unprocessable Entity) will be returned.
+	BlockOwnerDeletion *bool `json:"blockOwnerDeletion,omitempty"`
 }
 
 // OwnerReferenceApplyConfiguration constructs a declarative configuration of the OwnerReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/preconditions.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/preconditions.go
index 8f8b6c6b3a001..cc4e472682813 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/preconditions.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/preconditions.go
@@ -24,9 +24,13 @@ import (
 
 // PreconditionsApplyConfiguration represents a declarative configuration of the Preconditions type for use
 // with apply.
+//
+// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
 type PreconditionsApplyConfiguration struct {
-	UID             *types.UID `json:"uid,omitempty"`
-	ResourceVersion *string    `json:"resourceVersion,omitempty"`
+	// Specifies the target UID.
+	UID *types.UID `json:"uid,omitempty"`
+	// Specifies the target ResourceVersion
+	ResourceVersion *string `json:"resourceVersion,omitempty"`
 }
 
 // PreconditionsApplyConfiguration constructs a declarative configuration of the Preconditions type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/typemeta.go b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/typemeta.go
index 29a47e44c3e39..feb29e1b98860 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/typemeta.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/meta/v1/typemeta.go
@@ -20,8 +20,21 @@ package v1
 
 // TypeMetaApplyConfiguration represents a declarative configuration of the TypeMeta type for use
 // with apply.
+//
+// TypeMeta describes an individual object in an API response or request
+// with strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
 type TypeMetaApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
+	// Kind is a string value representing the REST resource this object represents.
+	// Servers may infer this from the endpoint the client submits requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	Kind *string `json:"kind,omitempty"`
+	// APIVersion defines the versioned schema of this representation of an object.
+	// Servers should convert recognized schemas to the latest internal value, and
+	// may reject unrecognized values.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 	APIVersion *string `json:"apiVersion,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingresspath.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingresspath.go
index 96f9b1f567cc2..e6a0116c76527 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingresspath.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingresspath.go
@@ -24,10 +24,33 @@ import (
 
 // HTTPIngressPathApplyConfiguration represents a declarative configuration of the HTTPIngressPath type for use
 // with apply.
+//
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
 type HTTPIngressPathApplyConfiguration struct {
-	Path     *string                           `json:"path,omitempty"`
-	PathType *networkingv1.PathType            `json:"pathType,omitempty"`
-	Backend  *IngressBackendApplyConfiguration `json:"backend,omitempty"`
+	// path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/' and must be present
+	// when using PathType with value "Exact" or "Prefix".
+	Path *string `json:"path,omitempty"`
+	// pathType determines the interpretation of the path matching. PathType can
+	// be one of the following values:
+	// * Exact: Matches the URL path exactly.
+	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+	// done on a path element by element basis. A path element refers is the
+	// list of labels in the path split by the '/' separator. A request is a
+	// match for path p if every p is an element-wise prefix of p of the
+	// request path. Note that if the last element of the path is a substring
+	// of the last element in request path, it is not a match (e.g. /foo/bar
+	// matches /foo/bar/baz, but does not match /foo/barbaz).
+	// * ImplementationSpecific: Interpretation of the Path matching is up to
+	// the IngressClass. Implementations can treat this as a separate PathType
+	// or treat it identically to Prefix or Exact path types.
+	// Implementations are required to support all path types.
+	PathType *networkingv1.PathType `json:"pathType,omitempty"`
+	// backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	Backend *IngressBackendApplyConfiguration `json:"backend,omitempty"`
 }
 
 // HTTPIngressPathApplyConfiguration constructs a declarative configuration of the HTTPIngressPath type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingressrulevalue.go
index ad9a7a6771600..ff3a476a91f2b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/httpingressrulevalue.go
@@ -20,7 +20,14 @@ package v1
 
 // HTTPIngressRuleValueApplyConfiguration represents a declarative configuration of the HTTPIngressRuleValue type for use
 // with apply.
+//
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
 type HTTPIngressRuleValueApplyConfiguration struct {
+	// paths is a collection of paths that map requests to backends.
 	Paths []HTTPIngressPathApplyConfiguration `json:"paths,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingress.go
index 3085e4cf5dfec..e6bb92050b2fb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingress.go
@@ -29,11 +29,22 @@ import (
 
 // IngressApplyConfiguration represents a declarative configuration of the Ingress type for use
 // with apply.
+//
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
 type IngressApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *IngressSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *IngressStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IngressSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *IngressStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Ingress constructs a declarative configuration of the Ingress type for use with
@@ -47,6 +58,27 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 	return b
 }
 
+// ExtractIngressFrom extracts the applied configuration owned by fieldManager from
+// ingress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// ingress must be a unmodified Ingress API object that was retrieved from the Kubernetes API.
+// ExtractIngressFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressFrom(ingress *networkingv1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
+	b := &IngressApplyConfiguration{}
+	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.networking.v1.Ingress"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(ingress.Name)
+	b.WithNamespace(ingress.Namespace)
+
+	b.WithKind("Ingress")
+	b.WithAPIVersion("networking.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractIngress extracts the applied configuration owned by fieldManager from
 // ingress. If no managedFields are found in ingress for fieldManager, a
 // IngressApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +89,16 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 // ExtractIngress provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractIngress(ingress *networkingv1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "")
+	return ExtractIngressFrom(ingress, fieldManager, "")
 }
 
-// ExtractIngressStatus is the same as ExtractIngress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractIngressStatus extracts the applied configuration owned by fieldManager from
+// ingress for the status subresource.
 func ExtractIngressStatus(ingress *networkingv1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "status")
+	return ExtractIngressFrom(ingress, fieldManager, "status")
 }
 
-func extractIngress(ingress *networkingv1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
-	b := &IngressApplyConfiguration{}
-	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.networking.v1.Ingress"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(ingress.Name)
-	b.WithNamespace(ingress.Namespace)
-
-	b.WithKind("Ingress")
-	b.WithAPIVersion("networking.k8s.io/v1")
-	return b, nil
-}
 func (b IngressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressbackend.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressbackend.go
index b014b7beefa95..4c7f6bfe368fb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressbackend.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressbackend.go
@@ -24,8 +24,16 @@ import (
 
 // IngressBackendApplyConfiguration represents a declarative configuration of the IngressBackend type for use
 // with apply.
+//
+// IngressBackend describes all endpoints for a given service and port.
 type IngressBackendApplyConfiguration struct {
-	Service  *IngressServiceBackendApplyConfiguration            `json:"service,omitempty"`
+	// service references a service as a backend.
+	// This is a mutually exclusive setting with "Resource".
+	Service *IngressServiceBackendApplyConfiguration `json:"service,omitempty"`
+	// resource is an ObjectRef to another Kubernetes resource in the namespace
+	// of the Ingress object. If resource is specified, a service.Name and
+	// service.Port must not be specified.
+	// This is a mutually exclusive setting with "Service".
 	Resource *corev1.TypedLocalObjectReferenceApplyConfiguration `json:"resource,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclass.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclass.go
index a03b9127189d0..387e45728bd7f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclass.go
@@ -29,10 +29,20 @@ import (
 
 // IngressClassApplyConfiguration represents a declarative configuration of the IngressClass type for use
 // with apply.
+//
+// IngressClass represents the class of the Ingress, referenced by the Ingress
+// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
+// used to indicate that an IngressClass should be considered default. When a
+// single IngressClass resource has this annotation set to true, new Ingress
+// resources without a class specified will be assigned this default class.
 type IngressClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *IngressClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the desired state of the IngressClass.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IngressClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // IngressClass constructs a declarative configuration of the IngressClass type for use with
@@ -45,29 +55,14 @@ func IngressClass(name string) *IngressClassApplyConfiguration {
 	return b
 }
 
-// ExtractIngressClass extracts the applied configuration owned by fieldManager from
-// ingressClass. If no managedFields are found in ingressClass for fieldManager, a
-// IngressClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractIngressClassFrom extracts the applied configuration owned by fieldManager from
+// ingressClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // ingressClass must be a unmodified IngressClass API object that was retrieved from the Kubernetes API.
-// ExtractIngressClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractIngressClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractIngressClass(ingressClass *networkingv1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
-	return extractIngressClass(ingressClass, fieldManager, "")
-}
-
-// ExtractIngressClassStatus is the same as ExtractIngressClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractIngressClassStatus(ingressClass *networkingv1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
-	return extractIngressClass(ingressClass, fieldManager, "status")
-}
-
-func extractIngressClass(ingressClass *networkingv1.IngressClass, fieldManager string, subresource string) (*IngressClassApplyConfiguration, error) {
+func ExtractIngressClassFrom(ingressClass *networkingv1.IngressClass, fieldManager string, subresource string) (*IngressClassApplyConfiguration, error) {
 	b := &IngressClassApplyConfiguration{}
 	err := managedfields.ExtractInto(ingressClass, internal.Parser().Type("io.k8s.api.networking.v1.IngressClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +74,21 @@ func extractIngressClass(ingressClass *networkingv1.IngressClass, fieldManager s
 	b.WithAPIVersion("networking.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractIngressClass extracts the applied configuration owned by fieldManager from
+// ingressClass. If no managedFields are found in ingressClass for fieldManager, a
+// IngressClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// ingressClass must be a unmodified IngressClass API object that was retrieved from the Kubernetes API.
+// ExtractIngressClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressClass(ingressClass *networkingv1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
+	return ExtractIngressClassFrom(ingressClass, fieldManager, "")
+}
+
 func (b IngressClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassparametersreference.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassparametersreference.go
index 0dba1ebc5dd04..6be74dfb48bb2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassparametersreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassparametersreference.go
@@ -20,11 +20,24 @@ package v1
 
 // IngressClassParametersReferenceApplyConfiguration represents a declarative configuration of the IngressClassParametersReference type for use
 // with apply.
+//
+// IngressClassParametersReference identifies an API object. This can be used
+// to specify a cluster or namespace-scoped resource.
 type IngressClassParametersReferenceApplyConfiguration struct {
-	APIGroup  *string `json:"apiGroup,omitempty"`
-	Kind      *string `json:"kind,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Scope     *string `json:"scope,omitempty"`
+	// apiGroup is the group for the resource being referenced. If APIGroup is
+	// not specified, the specified Kind must be in the core API group. For any
+	// other third-party types, APIGroup is required.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// kind is the type of resource being referenced.
+	Kind *string `json:"kind,omitempty"`
+	// name is the name of resource being referenced.
+	Name *string `json:"name,omitempty"`
+	// scope represents if this refers to a cluster or namespace scoped resource.
+	// This may be set to "Cluster" (default) or "Namespace".
+	Scope *string `json:"scope,omitempty"`
+	// namespace is the namespace of the resource being referenced. This field is
+	// required when scope is set to "Namespace" and must be unset when scope is set to
+	// "Cluster".
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassspec.go
index 23e8484344915..9dda6ae6e01c8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressclassspec.go
@@ -20,8 +20,19 @@ package v1
 
 // IngressClassSpecApplyConfiguration represents a declarative configuration of the IngressClassSpec type for use
 // with apply.
+//
+// IngressClassSpec provides information about the class of an Ingress.
 type IngressClassSpecApplyConfiguration struct {
-	Controller *string                                            `json:"controller,omitempty"`
+	// controller refers to the name of the controller that should handle this
+	// class. This allows for different "flavors" that are controlled by the
+	// same controller. For example, you may have different parameters for the
+	// same implementing controller. This should be specified as a
+	// domain-prefixed path no more than 250 characters in length, e.g.
+	// "acme.io/ingress-controller". This field is immutable.
+	Controller *string `json:"controller,omitempty"`
+	// parameters is a link to a custom resource containing additional
+	// configuration for the controller. This is optional if the controller does
+	// not require extra parameters.
 	Parameters *IngressClassParametersReferenceApplyConfiguration `json:"parameters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalanceringress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalanceringress.go
index d0feb44da45ad..2ebbad3623545 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalanceringress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalanceringress.go
@@ -20,10 +20,15 @@ package v1
 
 // IngressLoadBalancerIngressApplyConfiguration represents a declarative configuration of the IngressLoadBalancerIngress type for use
 // with apply.
+//
+// IngressLoadBalancerIngress represents the status of a load-balancer ingress point.
 type IngressLoadBalancerIngressApplyConfiguration struct {
-	IP       *string                               `json:"ip,omitempty"`
-	Hostname *string                               `json:"hostname,omitempty"`
-	Ports    []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
+	// ip is set for load-balancer ingress points that are IP based.
+	IP *string `json:"ip,omitempty"`
+	// hostname is set for load-balancer ingress points that are DNS based.
+	Hostname *string `json:"hostname,omitempty"`
+	// ports provides information about the ports exposed by this LoadBalancer.
+	Ports []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
 }
 
 // IngressLoadBalancerIngressApplyConfiguration constructs a declarative configuration of the IngressLoadBalancerIngress type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalancerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalancerstatus.go
index 08c841f06bc97..393daf1f4d298 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalancerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressloadbalancerstatus.go
@@ -20,7 +20,10 @@ package v1
 
 // IngressLoadBalancerStatusApplyConfiguration represents a declarative configuration of the IngressLoadBalancerStatus type for use
 // with apply.
+//
+// IngressLoadBalancerStatus represents the status of a load-balancer.
 type IngressLoadBalancerStatusApplyConfiguration struct {
+	// ingress is a list containing ingress points for the load-balancer.
 	Ingress []IngressLoadBalancerIngressApplyConfiguration `json:"ingress,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressportstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressportstatus.go
index 84ba243ab97c4..ad9e977ad5d8b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressportstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressportstatus.go
@@ -24,10 +24,23 @@ import (
 
 // IngressPortStatusApplyConfiguration represents a declarative configuration of the IngressPortStatus type for use
 // with apply.
+//
+// IngressPortStatus represents the error condition of a service port
 type IngressPortStatusApplyConfiguration struct {
-	Port     *int32           `json:"port,omitempty"`
+	// port is the port number of the ingress port.
+	Port *int32 `json:"port,omitempty"`
+	// protocol is the protocol of the ingress port.
+	// The supported values are: "TCP", "UDP", "SCTP"
 	Protocol *corev1.Protocol `json:"protocol,omitempty"`
-	Error    *string          `json:"error,omitempty"`
+	// error is to record the problem with the service port
+	// The format of the error shall comply with the following rules:
+	// - built-in error values shall be specified in this file and those shall use
+	// CamelCase names
+	// - cloud provider specific error values must have names that comply with the
+	// format foo.example.com/CamelCase.
+	// ---
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	Error *string `json:"error,omitempty"`
 }
 
 // IngressPortStatusApplyConfiguration constructs a declarative configuration of the IngressPortStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrule.go
index 20a1816bf1300..e77494d8699ed 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrule.go
@@ -20,8 +20,39 @@ package v1
 
 // IngressRuleApplyConfiguration represents a declarative configuration of the IngressRule type for use
 // with apply.
+//
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
 type IngressRuleApplyConfiguration struct {
-	Host                               *string `json:"host,omitempty"`
+	// host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	// the IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	// Currently the port of an Ingress is implicitly :80 for http and
+	// :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
+	Host *string `json:"host,omitempty"`
+	// IngressRuleValue represents a rule to route requests for this IngressRule.
+	// If unspecified, the rule defaults to a http catch-all. Whether that sends
+	// just traffic matching the host to the default backend or all traffic to the
+	// default backend, is left to the controller fulfilling the Ingress. Http is
+	// currently the only supported IngressRuleValue.
 	IngressRuleValueApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrulevalue.go
index 1e13e378be9a9..c1ca4853e2d87 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressrulevalue.go
@@ -20,6 +20,11 @@ package v1
 
 // IngressRuleValueApplyConfiguration represents a declarative configuration of the IngressRuleValue type for use
 // with apply.
+//
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
 type IngressRuleValueApplyConfiguration struct {
 	HTTP *HTTPIngressRuleValueApplyConfiguration `json:"http,omitempty"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressservicebackend.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressservicebackend.go
index 07876afd17ed7..bc48a6e02443e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressservicebackend.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressservicebackend.go
@@ -20,8 +20,14 @@ package v1
 
 // IngressServiceBackendApplyConfiguration represents a declarative configuration of the IngressServiceBackend type for use
 // with apply.
+//
+// IngressServiceBackend references a Kubernetes Service as a Backend.
 type IngressServiceBackendApplyConfiguration struct {
-	Name *string                               `json:"name,omitempty"`
+	// name is the referenced service. The service must exist in
+	// the same namespace as the Ingress object.
+	Name *string `json:"name,omitempty"`
+	// port of the referenced service. A port name or port number
+	// is required for a IngressServiceBackend.
 	Port *ServiceBackendPortApplyConfiguration `json:"port,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressspec.go
index 0572153aa1b1b..67b1ac4d9eaf4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressspec.go
@@ -20,11 +20,34 @@ package v1
 
 // IngressSpecApplyConfiguration represents a declarative configuration of the IngressSpec type for use
 // with apply.
+//
+// IngressSpec describes the Ingress the user wishes to exist.
 type IngressSpecApplyConfiguration struct {
-	IngressClassName *string                           `json:"ingressClassName,omitempty"`
-	DefaultBackend   *IngressBackendApplyConfiguration `json:"defaultBackend,omitempty"`
-	TLS              []IngressTLSApplyConfiguration    `json:"tls,omitempty"`
-	Rules            []IngressRuleApplyConfiguration   `json:"rules,omitempty"`
+	// ingressClassName is the name of an IngressClass cluster resource. Ingress
+	// controller implementations use this field to know whether they should be
+	// serving this Ingress resource, by a transitive connection
+	// (controller -> IngressClass -> Ingress resource). Although the
+	// `kubernetes.io/ingress.class` annotation (simple constant name) was never
+	// formally defined, it was widely supported by Ingress controllers to create
+	// a direct binding between Ingress controller and Ingress resources. Newly
+	// created Ingress resources should prefer using the field. However, even
+	// though the annotation is officially deprecated, for backwards compatibility
+	// reasons, ingress controllers should still honor that annotation if present.
+	IngressClassName *string `json:"ingressClassName,omitempty"`
+	// defaultBackend is the backend that should handle requests that don't
+	// match any rule. If Rules are not specified, DefaultBackend must be specified.
+	// If DefaultBackend is not set, the handling of requests that do not match any
+	// of the rules will be up to the Ingress controller.
+	DefaultBackend *IngressBackendApplyConfiguration `json:"defaultBackend,omitempty"`
+	// tls represents the TLS configuration. Currently the Ingress only supports a
+	// single TLS port, 443. If multiple members of this list specify different hosts,
+	// they will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	TLS []IngressTLSApplyConfiguration `json:"tls,omitempty"`
+	// rules is a list of host rules used to configure the Ingress. If unspecified,
+	// or no rule matches, all traffic is sent to the default backend.
+	Rules []IngressRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // IngressSpecApplyConfiguration constructs a declarative configuration of the IngressSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressstatus.go
index bd1327c93f12e..1df2804bf2801 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingressstatus.go
@@ -20,7 +20,10 @@ package v1
 
 // IngressStatusApplyConfiguration represents a declarative configuration of the IngressStatus type for use
 // with apply.
+//
+// IngressStatus describe the current state of the Ingress.
 type IngressStatusApplyConfiguration struct {
+	// loadBalancer contains the current status of the load-balancer.
 	LoadBalancer *IngressLoadBalancerStatusApplyConfiguration `json:"loadBalancer,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingresstls.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingresstls.go
index 44092503f92b8..07b403b706138 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingresstls.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ingresstls.go
@@ -20,9 +20,20 @@ package v1
 
 // IngressTLSApplyConfiguration represents a declarative configuration of the IngressTLS type for use
 // with apply.
+//
+// IngressTLS describes the transport layer security associated with an ingress.
 type IngressTLSApplyConfiguration struct {
-	Hosts      []string `json:"hosts,omitempty"`
-	SecretName *string  `json:"secretName,omitempty"`
+	// hosts is a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	Hosts []string `json:"hosts,omitempty"`
+	// secretName is the name of the secret used to terminate TLS traffic on
+	// port 443. Field is left optional to allow TLS routing based on SNI
+	// hostname alone. If the SNI host in a listener conflicts with the "Host"
+	// header field used by an IngressRule, the SNI host is used for termination
+	// and value of the "Host" header is used for routing.
+	SecretName *string `json:"secretName,omitempty"`
 }
 
 // IngressTLSApplyConfiguration constructs a declarative configuration of the IngressTLS type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddress.go
index a5407dbc73cae..c0e4298aa35e9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddress.go
@@ -29,10 +29,22 @@ import (
 
 // IPAddressApplyConfiguration represents a declarative configuration of the IPAddress type for use
 // with apply.
+//
+// IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs
+// that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses.
+// An IP address can be represented in different formats, to guarantee the uniqueness of the IP,
+// the name of the object is the IP address in canonical format, four decimal digits separated
+// by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6.
+// Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1
+// Invalid: 10.01.2.3 or 2001:db8:0:0:0::1
 type IPAddressApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *IPAddressSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the desired state of the IPAddress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IPAddressSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // IPAddress constructs a declarative configuration of the IPAddress type for use with
@@ -45,29 +57,14 @@ func IPAddress(name string) *IPAddressApplyConfiguration {
 	return b
 }
 
-// ExtractIPAddress extracts the applied configuration owned by fieldManager from
-// iPAddress. If no managedFields are found in iPAddress for fieldManager, a
-// IPAddressApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractIPAddressFrom extracts the applied configuration owned by fieldManager from
+// iPAddress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // iPAddress must be a unmodified IPAddress API object that was retrieved from the Kubernetes API.
-// ExtractIPAddress provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractIPAddressFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractIPAddress(iPAddress *networkingv1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
-	return extractIPAddress(iPAddress, fieldManager, "")
-}
-
-// ExtractIPAddressStatus is the same as ExtractIPAddress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractIPAddressStatus(iPAddress *networkingv1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
-	return extractIPAddress(iPAddress, fieldManager, "status")
-}
-
-func extractIPAddress(iPAddress *networkingv1.IPAddress, fieldManager string, subresource string) (*IPAddressApplyConfiguration, error) {
+func ExtractIPAddressFrom(iPAddress *networkingv1.IPAddress, fieldManager string, subresource string) (*IPAddressApplyConfiguration, error) {
 	b := &IPAddressApplyConfiguration{}
 	err := managedfields.ExtractInto(iPAddress, internal.Parser().Type("io.k8s.api.networking.v1.IPAddress"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +76,21 @@ func extractIPAddress(iPAddress *networkingv1.IPAddress, fieldManager string, su
 	b.WithAPIVersion("networking.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractIPAddress extracts the applied configuration owned by fieldManager from
+// iPAddress. If no managedFields are found in iPAddress for fieldManager, a
+// IPAddressApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// iPAddress must be a unmodified IPAddress API object that was retrieved from the Kubernetes API.
+// ExtractIPAddress provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIPAddress(iPAddress *networkingv1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
+	return ExtractIPAddressFrom(iPAddress, fieldManager, "")
+}
+
 func (b IPAddressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddressspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddressspec.go
index bac6e7912f73f..e9dce93b64383 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddressspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipaddressspec.go
@@ -20,7 +20,11 @@ package v1
 
 // IPAddressSpecApplyConfiguration represents a declarative configuration of the IPAddressSpec type for use
 // with apply.
+//
+// IPAddressSpec describe the attributes in an IP Address.
 type IPAddressSpecApplyConfiguration struct {
+	// ParentRef references the resource that an IPAddress is attached to.
+	// An IPAddress must reference a parent object.
 	ParentRef *ParentReferenceApplyConfiguration `json:"parentRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipblock.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipblock.go
index f3447a8f10b33..95bc99f0ce58b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipblock.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/ipblock.go
@@ -20,8 +20,17 @@ package v1
 
 // IPBlockApplyConfiguration represents a declarative configuration of the IPBlock type for use
 // with apply.
+//
+// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
+// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
+// that should not be included within this rule.
 type IPBlockApplyConfiguration struct {
-	CIDR   *string  `json:"cidr,omitempty"`
+	// cidr is a string representing the IPBlock
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	CIDR *string `json:"cidr,omitempty"`
+	// except is a slice of CIDRs that should not be included within an IPBlock
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	// Except values will be rejected if they are outside the cidr range
 	Except []string `json:"except,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicy.go
index 6c6a76e8bfb6b..f3e1e1e5ed77a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicy.go
@@ -29,10 +29,15 @@ import (
 
 // NetworkPolicyApplyConfiguration represents a declarative configuration of the NetworkPolicy type for use
 // with apply.
+//
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
 type NetworkPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *NetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// spec represents the specification of the desired behavior for this NetworkPolicy.
+	Spec *NetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // NetworkPolicy constructs a declarative configuration of the NetworkPolicy type for use with
@@ -46,29 +51,14 @@ func NetworkPolicy(name, namespace string) *NetworkPolicyApplyConfiguration {
 	return b
 }
 
-// ExtractNetworkPolicy extracts the applied configuration owned by fieldManager from
-// networkPolicy. If no managedFields are found in networkPolicy for fieldManager, a
-// NetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractNetworkPolicyFrom extracts the applied configuration owned by fieldManager from
+// networkPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // networkPolicy must be a unmodified NetworkPolicy API object that was retrieved from the Kubernetes API.
-// ExtractNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractNetworkPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
-	return extractNetworkPolicy(networkPolicy, fieldManager, "")
-}
-
-// ExtractNetworkPolicyStatus is the same as ExtractNetworkPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractNetworkPolicyStatus(networkPolicy *networkingv1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
-	return extractNetworkPolicy(networkPolicy, fieldManager, "status")
-}
-
-func extractNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, fieldManager string, subresource string) (*NetworkPolicyApplyConfiguration, error) {
+func ExtractNetworkPolicyFrom(networkPolicy *networkingv1.NetworkPolicy, fieldManager string, subresource string) (*NetworkPolicyApplyConfiguration, error) {
 	b := &NetworkPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(networkPolicy, internal.Parser().Type("io.k8s.api.networking.v1.NetworkPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +71,21 @@ func extractNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, fieldManage
 	b.WithAPIVersion("networking.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractNetworkPolicy extracts the applied configuration owned by fieldManager from
+// networkPolicy. If no managedFields are found in networkPolicy for fieldManager, a
+// NetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// networkPolicy must be a unmodified NetworkPolicy API object that was retrieved from the Kubernetes API.
+// ExtractNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNetworkPolicy(networkPolicy *networkingv1.NetworkPolicy, fieldManager string) (*NetworkPolicyApplyConfiguration, error) {
+	return ExtractNetworkPolicyFrom(networkPolicy, fieldManager, "")
+}
+
 func (b NetworkPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyegressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyegressrule.go
index 46e2706eceb40..694c148cd99a4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyegressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyegressrule.go
@@ -20,9 +20,23 @@ package v1
 
 // NetworkPolicyEgressRuleApplyConfiguration represents a declarative configuration of the NetworkPolicyEgressRule type for use
 // with apply.
+//
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
 type NetworkPolicyEgressRuleApplyConfiguration struct {
+	// ports is a list of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
 	Ports []NetworkPolicyPortApplyConfiguration `json:"ports,omitempty"`
-	To    []NetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
+	// to is a list of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	To []NetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
 }
 
 // NetworkPolicyEgressRuleApplyConfiguration constructs a declarative configuration of the NetworkPolicyEgressRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyingressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyingressrule.go
index 6e9875978690f..a597f92eeffa9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyingressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyingressrule.go
@@ -20,9 +20,22 @@ package v1
 
 // NetworkPolicyIngressRuleApplyConfiguration represents a declarative configuration of the NetworkPolicyIngressRule type for use
 // with apply.
+//
+// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
 type NetworkPolicyIngressRuleApplyConfiguration struct {
+	// ports is a list of ports which should be made accessible on the pods selected for
+	// this rule. Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
 	Ports []NetworkPolicyPortApplyConfiguration `json:"ports,omitempty"`
-	From  []NetworkPolicyPeerApplyConfiguration `json:"from,omitempty"`
+	// from is a list of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all sources (traffic not restricted by
+	// source). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the from list.
+	From []NetworkPolicyPeerApplyConfiguration `json:"from,omitempty"`
 }
 
 // NetworkPolicyIngressRuleApplyConfiguration constructs a declarative configuration of the NetworkPolicyIngressRule type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicypeer.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicypeer.go
index 716ceeeefb729..c16fbf07afa90 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicypeer.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicypeer.go
@@ -24,10 +24,27 @@ import (
 
 // NetworkPolicyPeerApplyConfiguration represents a declarative configuration of the NetworkPolicyPeer type for use
 // with apply.
+//
+// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+// fields are allowed
 type NetworkPolicyPeerApplyConfiguration struct {
-	PodSelector       *metav1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// podSelector is a label selector which selects pods. This field follows standard label
+	// selector semantics; if present but empty, it selects all pods.
+	//
+	// If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects the pods matching podSelector in the policy's own namespace.
+	PodSelector *metav1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+	// standard label selector semantics; if present but empty, it selects all namespaces.
+	//
+	// If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the namespaces selected by namespaceSelector.
+	// Otherwise it selects all pods in the namespaces selected by namespaceSelector.
 	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
-	IPBlock           *IPBlockApplyConfiguration              `json:"ipBlock,omitempty"`
+	// ipBlock defines policy on a particular IPBlock. If this field is set then
+	// neither of the other fields can be.
+	IPBlock *IPBlockApplyConfiguration `json:"ipBlock,omitempty"`
 }
 
 // NetworkPolicyPeerApplyConfiguration constructs a declarative configuration of the NetworkPolicyPeer type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyport.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyport.go
index 2ded0aecf69d4..483a0f95b781d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyport.go
@@ -25,10 +25,22 @@ import (
 
 // NetworkPolicyPortApplyConfiguration represents a declarative configuration of the NetworkPolicyPort type for use
 // with apply.
+//
+// NetworkPolicyPort describes a port to allow traffic on
 type NetworkPolicyPortApplyConfiguration struct {
-	Protocol *corev1.Protocol    `json:"protocol,omitempty"`
-	Port     *intstr.IntOrString `json:"port,omitempty"`
-	EndPort  *int32              `json:"endPort,omitempty"`
+	// protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	Protocol *corev1.Protocol `json:"protocol,omitempty"`
+	// port represents the port on the given protocol. This can either be a numerical or named
+	// port on a pod. If this field is not provided, this matches all port names and
+	// numbers.
+	// If present, only traffic on the specified protocol AND port will be matched.
+	Port *intstr.IntOrString `json:"port,omitempty"`
+	// endPort indicates that the range of ports from port to endPort if set, inclusive,
+	// should be allowed by the policy. This field cannot be defined if the port field
+	// is not defined or if the port field is defined as a named (string) port.
+	// The endPort must be equal or greater than port.
+	EndPort *int32 `json:"endPort,omitempty"`
 }
 
 // NetworkPolicyPortApplyConfiguration constructs a declarative configuration of the NetworkPolicyPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyspec.go
index 48369b921ca93..734c238e4b0a3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/networkpolicyspec.go
@@ -25,11 +25,43 @@ import (
 
 // NetworkPolicySpecApplyConfiguration represents a declarative configuration of the NetworkPolicySpec type for use
 // with apply.
+//
+// NetworkPolicySpec provides the specification of a NetworkPolicy
 type NetworkPolicySpecApplyConfiguration struct {
-	PodSelector *metav1.LabelSelectorApplyConfiguration      `json:"podSelector,omitempty"`
-	Ingress     []NetworkPolicyIngressRuleApplyConfiguration `json:"ingress,omitempty"`
-	Egress      []NetworkPolicyEgressRuleApplyConfiguration  `json:"egress,omitempty"`
-	PolicyTypes []networkingv1.PolicyType                    `json:"policyTypes,omitempty"`
+	// podSelector selects the pods to which this NetworkPolicy object applies.
+	// The array of rules is applied to any pods selected by this field. An empty
+	// selector matches all pods in the policy's namespace.
+	// Multiple network policies can select the same set of pods. In this case,
+	// the ingress rules for each are combined additively.
+	// This field is optional. If it is not specified, it defaults to an empty selector.
+	PodSelector *metav1.LabelSelectorApplyConfiguration `json:"podSelector,omitempty"`
+	// ingress is a list of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
+	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
+	// the pod's local node, OR if the traffic matches at least one ingress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default)
+	Ingress []NetworkPolicyIngressRuleApplyConfiguration `json:"ingress,omitempty"`
+	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
+	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	Egress []NetworkPolicyEgressRuleApplyConfiguration `json:"egress,omitempty"`
+	// policyTypes is a list of rule types that the NetworkPolicy relates to.
+	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
+	// If this field is not specified, it will default based on the existence of ingress or egress rules;
+	// policies that contain an egress section are assumed to affect egress, and all policies
+	// (whether or not they contain an ingress section) are assumed to affect ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	PolicyTypes []networkingv1.PolicyType `json:"policyTypes,omitempty"`
 }
 
 // NetworkPolicySpecApplyConfiguration constructs a declarative configuration of the NetworkPolicySpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/parentreference.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/parentreference.go
index 896c0f8a6dcf0..c725e697b0e0d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/parentreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/parentreference.go
@@ -20,11 +20,17 @@ package v1
 
 // ParentReferenceApplyConfiguration represents a declarative configuration of the ParentReference type for use
 // with apply.
+//
+// ParentReference describes a reference to a parent object.
 type ParentReferenceApplyConfiguration struct {
-	Group     *string `json:"group,omitempty"`
-	Resource  *string `json:"resource,omitempty"`
+	// Group is the group of the object being referenced.
+	Group *string `json:"group,omitempty"`
+	// Resource is the resource of the object being referenced.
+	Resource *string `json:"resource,omitempty"`
+	// Namespace is the namespace of the object being referenced.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// Name is the name of the object being referenced.
+	Name *string `json:"name,omitempty"`
 }
 
 // ParentReferenceApplyConfiguration constructs a declarative configuration of the ParentReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicebackendport.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicebackendport.go
index 517f974838031..aa38123722267 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicebackendport.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicebackendport.go
@@ -20,9 +20,15 @@ package v1
 
 // ServiceBackendPortApplyConfiguration represents a declarative configuration of the ServiceBackendPort type for use
 // with apply.
+//
+// ServiceBackendPort is the service port being referenced.
 type ServiceBackendPortApplyConfiguration struct {
-	Name   *string `json:"name,omitempty"`
-	Number *int32  `json:"number,omitempty"`
+	// name is the name of the port on the Service.
+	// This is a mutually exclusive setting with "Number".
+	Name *string `json:"name,omitempty"`
+	// number is the numerical port number (e.g. 80) on the Service.
+	// This is a mutually exclusive setting with "Name".
+	Number *int32 `json:"number,omitempty"`
 }
 
 // ServiceBackendPortApplyConfiguration constructs a declarative configuration of the ServiceBackendPort type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidr.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidr.go
index fc06d85ed9257..8eede13e36a4f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidr.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidr.go
@@ -29,11 +29,20 @@ import (
 
 // ServiceCIDRApplyConfiguration represents a declarative configuration of the ServiceCIDR type for use
 // with apply.
+//
+// ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64).
+// This range is used to allocate ClusterIPs to Service objects.
 type ServiceCIDRApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ServiceCIDRSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ServiceCIDRStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the ServiceCIDR.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ServiceCIDRSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current state of the ServiceCIDR.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ServiceCIDRStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ServiceCIDR constructs a declarative configuration of the ServiceCIDR type for use with
@@ -46,6 +55,26 @@ func ServiceCIDR(name string) *ServiceCIDRApplyConfiguration {
 	return b
 }
 
+// ExtractServiceCIDRFrom extracts the applied configuration owned by fieldManager from
+// serviceCIDR for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// serviceCIDR must be a unmodified ServiceCIDR API object that was retrieved from the Kubernetes API.
+// ExtractServiceCIDRFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractServiceCIDRFrom(serviceCIDR *networkingv1.ServiceCIDR, fieldManager string, subresource string) (*ServiceCIDRApplyConfiguration, error) {
+	b := &ServiceCIDRApplyConfiguration{}
+	err := managedfields.ExtractInto(serviceCIDR, internal.Parser().Type("io.k8s.api.networking.v1.ServiceCIDR"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(serviceCIDR.Name)
+
+	b.WithKind("ServiceCIDR")
+	b.WithAPIVersion("networking.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractServiceCIDR extracts the applied configuration owned by fieldManager from
 // serviceCIDR. If no managedFields are found in serviceCIDR for fieldManager, a
 // ServiceCIDRApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func ServiceCIDR(name string) *ServiceCIDRApplyConfiguration {
 // ExtractServiceCIDR provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractServiceCIDR(serviceCIDR *networkingv1.ServiceCIDR, fieldManager string) (*ServiceCIDRApplyConfiguration, error) {
-	return extractServiceCIDR(serviceCIDR, fieldManager, "")
+	return ExtractServiceCIDRFrom(serviceCIDR, fieldManager, "")
 }
 
-// ExtractServiceCIDRStatus is the same as ExtractServiceCIDR except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractServiceCIDRStatus extracts the applied configuration owned by fieldManager from
+// serviceCIDR for the status subresource.
 func ExtractServiceCIDRStatus(serviceCIDR *networkingv1.ServiceCIDR, fieldManager string) (*ServiceCIDRApplyConfiguration, error) {
-	return extractServiceCIDR(serviceCIDR, fieldManager, "status")
+	return ExtractServiceCIDRFrom(serviceCIDR, fieldManager, "status")
 }
 
-func extractServiceCIDR(serviceCIDR *networkingv1.ServiceCIDR, fieldManager string, subresource string) (*ServiceCIDRApplyConfiguration, error) {
-	b := &ServiceCIDRApplyConfiguration{}
-	err := managedfields.ExtractInto(serviceCIDR, internal.Parser().Type("io.k8s.api.networking.v1.ServiceCIDR"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(serviceCIDR.Name)
-
-	b.WithKind("ServiceCIDR")
-	b.WithAPIVersion("networking.k8s.io/v1")
-	return b, nil
-}
 func (b ServiceCIDRApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrspec.go
index f84b7ba1e0bef..9372a162bd4ff 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrspec.go
@@ -20,7 +20,12 @@ package v1
 
 // ServiceCIDRSpecApplyConfiguration represents a declarative configuration of the ServiceCIDRSpec type for use
 // with apply.
+//
+// ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.
 type ServiceCIDRSpecApplyConfiguration struct {
+	// CIDRs defines the IP blocks in CIDR notation (e.g. "192.168.0.0/24" or "2001:db8::/64")
+	// from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family.
+	// This field is immutable.
 	CIDRs []string `json:"cidrs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrstatus.go
index 9e3d52ae8b338..d7135dc130a8f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1/servicecidrstatus.go
@@ -24,7 +24,11 @@ import (
 
 // ServiceCIDRStatusApplyConfiguration represents a declarative configuration of the ServiceCIDRStatus type for use
 // with apply.
+//
+// ServiceCIDRStatus describes the current state of the ServiceCIDR.
 type ServiceCIDRStatusApplyConfiguration struct {
+	// conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR.
+	// Current service state
 	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingresspath.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingresspath.go
index c7301c6a32d56..c8e51bfdd5c22 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingresspath.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingresspath.go
@@ -24,10 +24,34 @@ import (
 
 // HTTPIngressPathApplyConfiguration represents a declarative configuration of the HTTPIngressPath type for use
 // with apply.
+//
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
 type HTTPIngressPathApplyConfiguration struct {
-	Path     *string                           `json:"path,omitempty"`
-	PathType *networkingv1beta1.PathType       `json:"pathType,omitempty"`
-	Backend  *IngressBackendApplyConfiguration `json:"backend,omitempty"`
+	// path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/' and must be present
+	// when using PathType with value "Exact" or "Prefix".
+	Path *string `json:"path,omitempty"`
+	// pathType determines the interpretation of the path matching. PathType can
+	// be one of the following values:
+	// * Exact: Matches the URL path exactly.
+	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+	// done on a path element by element basis. A path element refers is the
+	// list of labels in the path split by the '/' separator. A request is a
+	// match for path p if every p is an element-wise prefix of p of the
+	// request path. Note that if the last element of the path is a substring
+	// of the last element in request path, it is not a match (e.g. /foo/bar
+	// matches /foo/bar/baz, but does not match /foo/barbaz).
+	// * ImplementationSpecific: Interpretation of the Path matching is up to
+	// the IngressClass. Implementations can treat this as a separate PathType
+	// or treat it identically to Prefix or Exact path types.
+	// Implementations are required to support all path types.
+	// Defaults to ImplementationSpecific.
+	PathType *networkingv1beta1.PathType `json:"pathType,omitempty"`
+	// backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	Backend *IngressBackendApplyConfiguration `json:"backend,omitempty"`
 }
 
 // HTTPIngressPathApplyConfiguration constructs a declarative configuration of the HTTPIngressPath type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingressrulevalue.go
index 12454522374fb..865697512ef35 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/httpingressrulevalue.go
@@ -20,7 +20,14 @@ package v1beta1
 
 // HTTPIngressRuleValueApplyConfiguration represents a declarative configuration of the HTTPIngressRuleValue type for use
 // with apply.
+//
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
 type HTTPIngressRuleValueApplyConfiguration struct {
+	// paths is a collection of paths that map requests to backends.
 	Paths []HTTPIngressPathApplyConfiguration `json:"paths,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingress.go
index 9ef43b1429de8..061c29c992e37 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingress.go
@@ -29,11 +29,22 @@ import (
 
 // IngressApplyConfiguration represents a declarative configuration of the Ingress type for use
 // with apply.
+//
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
 type IngressApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *IngressSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *IngressStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IngressSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *IngressStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Ingress constructs a declarative configuration of the Ingress type for use with
@@ -47,6 +58,27 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 	return b
 }
 
+// ExtractIngressFrom extracts the applied configuration owned by fieldManager from
+// ingress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// ingress must be a unmodified Ingress API object that was retrieved from the Kubernetes API.
+// ExtractIngressFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressFrom(ingress *networkingv1beta1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
+	b := &IngressApplyConfiguration{}
+	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.networking.v1beta1.Ingress"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(ingress.Name)
+	b.WithNamespace(ingress.Namespace)
+
+	b.WithKind("Ingress")
+	b.WithAPIVersion("networking.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractIngress extracts the applied configuration owned by fieldManager from
 // ingress. If no managedFields are found in ingress for fieldManager, a
 // IngressApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +89,16 @@ func Ingress(name, namespace string) *IngressApplyConfiguration {
 // ExtractIngress provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractIngress(ingress *networkingv1beta1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "")
+	return ExtractIngressFrom(ingress, fieldManager, "")
 }
 
-// ExtractIngressStatus is the same as ExtractIngress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractIngressStatus extracts the applied configuration owned by fieldManager from
+// ingress for the status subresource.
 func ExtractIngressStatus(ingress *networkingv1beta1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "status")
+	return ExtractIngressFrom(ingress, fieldManager, "status")
 }
 
-func extractIngress(ingress *networkingv1beta1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
-	b := &IngressApplyConfiguration{}
-	err := managedfields.ExtractInto(ingress, internal.Parser().Type("io.k8s.api.networking.v1beta1.Ingress"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(ingress.Name)
-	b.WithNamespace(ingress.Namespace)
-
-	b.WithKind("Ingress")
-	b.WithAPIVersion("networking.k8s.io/v1beta1")
-	return b, nil
-}
 func (b IngressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressbackend.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressbackend.go
index 9d386f160861a..9d85f45acf94a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressbackend.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressbackend.go
@@ -25,10 +25,17 @@ import (
 
 // IngressBackendApplyConfiguration represents a declarative configuration of the IngressBackend type for use
 // with apply.
+//
+// IngressBackend describes all endpoints for a given service and port.
 type IngressBackendApplyConfiguration struct {
-	ServiceName *string                                         `json:"serviceName,omitempty"`
-	ServicePort *intstr.IntOrString                             `json:"servicePort,omitempty"`
-	Resource    *v1.TypedLocalObjectReferenceApplyConfiguration `json:"resource,omitempty"`
+	// serviceName specifies the name of the referenced service.
+	ServiceName *string `json:"serviceName,omitempty"`
+	// servicePort Specifies the port of the referenced service.
+	ServicePort *intstr.IntOrString `json:"servicePort,omitempty"`
+	// resource is an ObjectRef to another Kubernetes resource in the namespace
+	// of the Ingress object. If resource is specified, serviceName and servicePort
+	// must not be specified.
+	Resource *v1.TypedLocalObjectReferenceApplyConfiguration `json:"resource,omitempty"`
 }
 
 // IngressBackendApplyConfiguration constructs a declarative configuration of the IngressBackend type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclass.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclass.go
index ec8062c50e2b2..c4d6df50b493e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclass.go
@@ -29,10 +29,20 @@ import (
 
 // IngressClassApplyConfiguration represents a declarative configuration of the IngressClass type for use
 // with apply.
+//
+// IngressClass represents the class of the Ingress, referenced by the Ingress
+// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
+// used to indicate that an IngressClass should be considered default. When a
+// single IngressClass resource has this annotation set to true, new Ingress
+// resources without a class specified will be assigned this default class.
 type IngressClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *IngressClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the desired state of the IngressClass.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IngressClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // IngressClass constructs a declarative configuration of the IngressClass type for use with
@@ -45,29 +55,14 @@ func IngressClass(name string) *IngressClassApplyConfiguration {
 	return b
 }
 
-// ExtractIngressClass extracts the applied configuration owned by fieldManager from
-// ingressClass. If no managedFields are found in ingressClass for fieldManager, a
-// IngressClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractIngressClassFrom extracts the applied configuration owned by fieldManager from
+// ingressClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // ingressClass must be a unmodified IngressClass API object that was retrieved from the Kubernetes API.
-// ExtractIngressClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractIngressClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractIngressClass(ingressClass *networkingv1beta1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
-	return extractIngressClass(ingressClass, fieldManager, "")
-}
-
-// ExtractIngressClassStatus is the same as ExtractIngressClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractIngressClassStatus(ingressClass *networkingv1beta1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
-	return extractIngressClass(ingressClass, fieldManager, "status")
-}
-
-func extractIngressClass(ingressClass *networkingv1beta1.IngressClass, fieldManager string, subresource string) (*IngressClassApplyConfiguration, error) {
+func ExtractIngressClassFrom(ingressClass *networkingv1beta1.IngressClass, fieldManager string, subresource string) (*IngressClassApplyConfiguration, error) {
 	b := &IngressClassApplyConfiguration{}
 	err := managedfields.ExtractInto(ingressClass, internal.Parser().Type("io.k8s.api.networking.v1beta1.IngressClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +74,21 @@ func extractIngressClass(ingressClass *networkingv1beta1.IngressClass, fieldMana
 	b.WithAPIVersion("networking.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractIngressClass extracts the applied configuration owned by fieldManager from
+// ingressClass. If no managedFields are found in ingressClass for fieldManager, a
+// IngressClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// ingressClass must be a unmodified IngressClass API object that was retrieved from the Kubernetes API.
+// ExtractIngressClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressClass(ingressClass *networkingv1beta1.IngressClass, fieldManager string) (*IngressClassApplyConfiguration, error) {
+	return ExtractIngressClassFrom(ingressClass, fieldManager, "")
+}
+
 func (b IngressClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassparametersreference.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassparametersreference.go
index 2a307a676030d..a5ca2ed3f4dbf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassparametersreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassparametersreference.go
@@ -20,11 +20,24 @@ package v1beta1
 
 // IngressClassParametersReferenceApplyConfiguration represents a declarative configuration of the IngressClassParametersReference type for use
 // with apply.
+//
+// IngressClassParametersReference identifies an API object. This can be used
+// to specify a cluster or namespace-scoped resource.
 type IngressClassParametersReferenceApplyConfiguration struct {
-	APIGroup  *string `json:"apiGroup,omitempty"`
-	Kind      *string `json:"kind,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Scope     *string `json:"scope,omitempty"`
+	// apiGroup is the group for the resource being referenced. If APIGroup is
+	// not specified, the specified Kind must be in the core API group. For any
+	// other third-party types, APIGroup is required.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// kind is the type of resource being referenced.
+	Kind *string `json:"kind,omitempty"`
+	// name is the name of resource being referenced.
+	Name *string `json:"name,omitempty"`
+	// scope represents if this refers to a cluster or namespace scoped resource.
+	// This may be set to "Cluster" (default) or "Namespace".
+	Scope *string `json:"scope,omitempty"`
+	// namespace is the namespace of the resource being referenced. This field is
+	// required when scope is set to "Namespace" and must be unset when scope is set to
+	// "Cluster".
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassspec.go
index eefbf62b87ace..b17f3e10f05e1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressclassspec.go
@@ -20,8 +20,19 @@ package v1beta1
 
 // IngressClassSpecApplyConfiguration represents a declarative configuration of the IngressClassSpec type for use
 // with apply.
+//
+// IngressClassSpec provides information about the class of an Ingress.
 type IngressClassSpecApplyConfiguration struct {
-	Controller *string                                            `json:"controller,omitempty"`
+	// controller refers to the name of the controller that should handle this
+	// class. This allows for different "flavors" that are controlled by the
+	// same controller. For example, you may have different parameters for the
+	// same implementing controller. This should be specified as a
+	// domain-prefixed path no more than 250 characters in length, e.g.
+	// "acme.io/ingress-controller". This field is immutable.
+	Controller *string `json:"controller,omitempty"`
+	// parameters is a link to a custom resource containing additional
+	// configuration for the controller. This is optional if the controller does
+	// not require extra parameters.
 	Parameters *IngressClassParametersReferenceApplyConfiguration `json:"parameters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalanceringress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalanceringress.go
index 12dbc35969b05..b831be67d96db 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalanceringress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalanceringress.go
@@ -20,10 +20,15 @@ package v1beta1
 
 // IngressLoadBalancerIngressApplyConfiguration represents a declarative configuration of the IngressLoadBalancerIngress type for use
 // with apply.
+//
+// IngressLoadBalancerIngress represents the status of a load-balancer ingress point.
 type IngressLoadBalancerIngressApplyConfiguration struct {
-	IP       *string                               `json:"ip,omitempty"`
-	Hostname *string                               `json:"hostname,omitempty"`
-	Ports    []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
+	// ip is set for load-balancer ingress points that are IP based.
+	IP *string `json:"ip,omitempty"`
+	// hostname is set for load-balancer ingress points that are DNS based.
+	Hostname *string `json:"hostname,omitempty"`
+	// ports provides information about the ports exposed by this LoadBalancer.
+	Ports []IngressPortStatusApplyConfiguration `json:"ports,omitempty"`
 }
 
 // IngressLoadBalancerIngressApplyConfiguration constructs a declarative configuration of the IngressLoadBalancerIngress type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalancerstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalancerstatus.go
index e896ab3415596..322935e3637f5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalancerstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressloadbalancerstatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // IngressLoadBalancerStatusApplyConfiguration represents a declarative configuration of the IngressLoadBalancerStatus type for use
 // with apply.
+//
+// LoadBalancerStatus represents the status of a load-balancer.
 type IngressLoadBalancerStatusApplyConfiguration struct {
+	// ingress is a list containing ingress points for the load-balancer.
 	Ingress []IngressLoadBalancerIngressApplyConfiguration `json:"ingress,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressportstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressportstatus.go
index 4ee3f01617f9c..5de062db30aba 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressportstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressportstatus.go
@@ -24,10 +24,23 @@ import (
 
 // IngressPortStatusApplyConfiguration represents a declarative configuration of the IngressPortStatus type for use
 // with apply.
+//
+// IngressPortStatus represents the error condition of a service port
 type IngressPortStatusApplyConfiguration struct {
-	Port     *int32       `json:"port,omitempty"`
+	// port is the port number of the ingress port.
+	Port *int32 `json:"port,omitempty"`
+	// protocol is the protocol of the ingress port.
+	// The supported values are: "TCP", "UDP", "SCTP"
 	Protocol *v1.Protocol `json:"protocol,omitempty"`
-	Error    *string      `json:"error,omitempty"`
+	// error is to record the problem with the service port
+	// The format of the error shall comply with the following rules:
+	// - built-in error values shall be specified in this file and those shall use
+	// CamelCase names
+	// - cloud provider specific error values must have names that comply with the
+	// format foo.example.com/CamelCase.
+	// ---
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	Error *string `json:"error,omitempty"`
 }
 
 // IngressPortStatusApplyConfiguration constructs a declarative configuration of the IngressPortStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrule.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrule.go
index 809fada928eac..6c8b973ed0ab1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrule.go
@@ -20,8 +20,39 @@ package v1beta1
 
 // IngressRuleApplyConfiguration represents a declarative configuration of the IngressRule type for use
 // with apply.
+//
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
 type IngressRuleApplyConfiguration struct {
-	Host                               *string `json:"host,omitempty"`
+	// host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	// the IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	// Currently the port of an Ingress is implicitly :80 for http and
+	// :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If Host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
+	Host *string `json:"host,omitempty"`
+	// IngressRuleValue represents a rule to route requests for this IngressRule.
+	// If unspecified, the rule defaults to a http catch-all. Whether that sends
+	// just traffic matching the host to the default backend or all traffic to the
+	// default backend, is left to the controller fulfilling the Ingress. Http is
+	// currently the only supported IngressRuleValue.
 	IngressRuleValueApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrulevalue.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrulevalue.go
index 4a64124755608..502384fa3dd70 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrulevalue.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressrulevalue.go
@@ -20,6 +20,11 @@ package v1beta1
 
 // IngressRuleValueApplyConfiguration represents a declarative configuration of the IngressRuleValue type for use
 // with apply.
+//
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
 type IngressRuleValueApplyConfiguration struct {
 	HTTP *HTTPIngressRuleValueApplyConfiguration `json:"http,omitempty"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressspec.go
index 58fbde8b35251..fd616d6881d53 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressspec.go
@@ -20,11 +20,34 @@ package v1beta1
 
 // IngressSpecApplyConfiguration represents a declarative configuration of the IngressSpec type for use
 // with apply.
+//
+// IngressSpec describes the Ingress the user wishes to exist.
 type IngressSpecApplyConfiguration struct {
-	IngressClassName *string                           `json:"ingressClassName,omitempty"`
-	Backend          *IngressBackendApplyConfiguration `json:"backend,omitempty"`
-	TLS              []IngressTLSApplyConfiguration    `json:"tls,omitempty"`
-	Rules            []IngressRuleApplyConfiguration   `json:"rules,omitempty"`
+	// ingressClassName is the name of the IngressClass cluster resource. The
+	// associated IngressClass defines which controller will implement the
+	// resource. This replaces the deprecated `kubernetes.io/ingress.class`
+	// annotation. For backwards compatibility, when that annotation is set, it
+	// must be given precedence over this field. The controller may emit a
+	// warning if the field and annotation have different values.
+	// Implementations of this API should ignore Ingresses without a class
+	// specified. An IngressClass resource may be marked as default, which can
+	// be used to set a default value for this field. For more information,
+	// refer to the IngressClass documentation.
+	IngressClassName *string `json:"ingressClassName,omitempty"`
+	// backend is the default backend capable of servicing requests that don't match any
+	// rule. At least one of 'backend' or 'rules' must be specified. This field
+	// is optional to allow the loadbalancer controller or defaulting logic to
+	// specify a global default.
+	Backend *IngressBackendApplyConfiguration `json:"backend,omitempty"`
+	// tls represents the TLS configuration. Currently the Ingress only supports a
+	// single TLS port, 443. If multiple members of this list specify different hosts,
+	// they will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	TLS []IngressTLSApplyConfiguration `json:"tls,omitempty"`
+	// rules is a list of host rules used to configure the Ingress. If unspecified, or
+	// no rule matches, all traffic is sent to the default backend.
+	Rules []IngressRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // IngressSpecApplyConfiguration constructs a declarative configuration of the IngressSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressstatus.go
index 3aed616889c0f..2c7d01c93af3b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingressstatus.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // IngressStatusApplyConfiguration represents a declarative configuration of the IngressStatus type for use
 // with apply.
+//
+// IngressStatus describes the current state of the Ingress.
 type IngressStatusApplyConfiguration struct {
+	// loadBalancer contains the current status of the load-balancer.
 	LoadBalancer *IngressLoadBalancerStatusApplyConfiguration `json:"loadBalancer,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingresstls.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingresstls.go
index 63648cd464952..cad7f0ed3212f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingresstls.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ingresstls.go
@@ -20,9 +20,20 @@ package v1beta1
 
 // IngressTLSApplyConfiguration represents a declarative configuration of the IngressTLS type for use
 // with apply.
+//
+// IngressTLS describes the transport layer security associated with an Ingress.
 type IngressTLSApplyConfiguration struct {
-	Hosts      []string `json:"hosts,omitempty"`
-	SecretName *string  `json:"secretName,omitempty"`
+	// hosts is a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	Hosts []string `json:"hosts,omitempty"`
+	// secretName is the name of the secret used to terminate TLS traffic on
+	// port 443. Field is left optional to allow TLS routing based on SNI
+	// hostname alone. If the SNI host in a listener conflicts with the "Host"
+	// header field used by an IngressRule, the SNI host is used for termination
+	// and value of the Host header is used for routing.
+	SecretName *string `json:"secretName,omitempty"`
 }
 
 // IngressTLSApplyConfiguration constructs a declarative configuration of the IngressTLS type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddress.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddress.go
index f1f9680da044d..28167f1f4c553 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddress.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddress.go
@@ -29,10 +29,22 @@ import (
 
 // IPAddressApplyConfiguration represents a declarative configuration of the IPAddress type for use
 // with apply.
+//
+// IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs
+// that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses.
+// An IP address can be represented in different formats, to guarantee the uniqueness of the IP,
+// the name of the object is the IP address in canonical format, four decimal digits separated
+// by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6.
+// Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1
+// Invalid: 10.01.2.3 or 2001:db8:0:0:0::1
 type IPAddressApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *IPAddressSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the desired state of the IPAddress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *IPAddressSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // IPAddress constructs a declarative configuration of the IPAddress type for use with
@@ -45,29 +57,14 @@ func IPAddress(name string) *IPAddressApplyConfiguration {
 	return b
 }
 
-// ExtractIPAddress extracts the applied configuration owned by fieldManager from
-// iPAddress. If no managedFields are found in iPAddress for fieldManager, a
-// IPAddressApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractIPAddressFrom extracts the applied configuration owned by fieldManager from
+// iPAddress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // iPAddress must be a unmodified IPAddress API object that was retrieved from the Kubernetes API.
-// ExtractIPAddress provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractIPAddressFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractIPAddress(iPAddress *networkingv1beta1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
-	return extractIPAddress(iPAddress, fieldManager, "")
-}
-
-// ExtractIPAddressStatus is the same as ExtractIPAddress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractIPAddressStatus(iPAddress *networkingv1beta1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
-	return extractIPAddress(iPAddress, fieldManager, "status")
-}
-
-func extractIPAddress(iPAddress *networkingv1beta1.IPAddress, fieldManager string, subresource string) (*IPAddressApplyConfiguration, error) {
+func ExtractIPAddressFrom(iPAddress *networkingv1beta1.IPAddress, fieldManager string, subresource string) (*IPAddressApplyConfiguration, error) {
 	b := &IPAddressApplyConfiguration{}
 	err := managedfields.ExtractInto(iPAddress, internal.Parser().Type("io.k8s.api.networking.v1beta1.IPAddress"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +76,21 @@ func extractIPAddress(iPAddress *networkingv1beta1.IPAddress, fieldManager strin
 	b.WithAPIVersion("networking.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractIPAddress extracts the applied configuration owned by fieldManager from
+// iPAddress. If no managedFields are found in iPAddress for fieldManager, a
+// IPAddressApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// iPAddress must be a unmodified IPAddress API object that was retrieved from the Kubernetes API.
+// ExtractIPAddress provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIPAddress(iPAddress *networkingv1beta1.IPAddress, fieldManager string) (*IPAddressApplyConfiguration, error) {
+	return ExtractIPAddressFrom(iPAddress, fieldManager, "")
+}
+
 func (b IPAddressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddressspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddressspec.go
index 76b02137d2367..c0c012aaa6eee 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddressspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/ipaddressspec.go
@@ -20,7 +20,11 @@ package v1beta1
 
 // IPAddressSpecApplyConfiguration represents a declarative configuration of the IPAddressSpec type for use
 // with apply.
+//
+// IPAddressSpec describe the attributes in an IP Address.
 type IPAddressSpecApplyConfiguration struct {
+	// ParentRef references the resource that an IPAddress is attached to.
+	// An IPAddress must reference a parent object.
 	ParentRef *ParentReferenceApplyConfiguration `json:"parentRef,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/parentreference.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/parentreference.go
index 1863938f16cc9..edcc3b95d368b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/parentreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/parentreference.go
@@ -20,11 +20,17 @@ package v1beta1
 
 // ParentReferenceApplyConfiguration represents a declarative configuration of the ParentReference type for use
 // with apply.
+//
+// ParentReference describes a reference to a parent object.
 type ParentReferenceApplyConfiguration struct {
-	Group     *string `json:"group,omitempty"`
-	Resource  *string `json:"resource,omitempty"`
+	// Group is the group of the object being referenced.
+	Group *string `json:"group,omitempty"`
+	// Resource is the resource of the object being referenced.
+	Resource *string `json:"resource,omitempty"`
+	// Namespace is the namespace of the object being referenced.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// Name is the name of the object being referenced.
+	Name *string `json:"name,omitempty"`
 }
 
 // ParentReferenceApplyConfiguration constructs a declarative configuration of the ParentReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidr.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidr.go
index 37a6ee6f487af..07281de61618f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidr.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidr.go
@@ -29,11 +29,20 @@ import (
 
 // ServiceCIDRApplyConfiguration represents a declarative configuration of the ServiceCIDR type for use
 // with apply.
+//
+// ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64).
+// This range is used to allocate ClusterIPs to Service objects.
 type ServiceCIDRApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ServiceCIDRSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ServiceCIDRStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the ServiceCIDR.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *ServiceCIDRSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current state of the ServiceCIDR.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Status *ServiceCIDRStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ServiceCIDR constructs a declarative configuration of the ServiceCIDR type for use with
@@ -46,6 +55,26 @@ func ServiceCIDR(name string) *ServiceCIDRApplyConfiguration {
 	return b
 }
 
+// ExtractServiceCIDRFrom extracts the applied configuration owned by fieldManager from
+// serviceCIDR for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// serviceCIDR must be a unmodified ServiceCIDR API object that was retrieved from the Kubernetes API.
+// ExtractServiceCIDRFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractServiceCIDRFrom(serviceCIDR *networkingv1beta1.ServiceCIDR, fieldManager string, subresource string) (*ServiceCIDRApplyConfiguration, error) {
+	b := &ServiceCIDRApplyConfiguration{}
+	err := managedfields.ExtractInto(serviceCIDR, internal.Parser().Type("io.k8s.api.networking.v1beta1.ServiceCIDR"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(serviceCIDR.Name)
+
+	b.WithKind("ServiceCIDR")
+	b.WithAPIVersion("networking.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractServiceCIDR extracts the applied configuration owned by fieldManager from
 // serviceCIDR. If no managedFields are found in serviceCIDR for fieldManager, a
 // ServiceCIDRApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +85,16 @@ func ServiceCIDR(name string) *ServiceCIDRApplyConfiguration {
 // ExtractServiceCIDR provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractServiceCIDR(serviceCIDR *networkingv1beta1.ServiceCIDR, fieldManager string) (*ServiceCIDRApplyConfiguration, error) {
-	return extractServiceCIDR(serviceCIDR, fieldManager, "")
+	return ExtractServiceCIDRFrom(serviceCIDR, fieldManager, "")
 }
 
-// ExtractServiceCIDRStatus is the same as ExtractServiceCIDR except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractServiceCIDRStatus extracts the applied configuration owned by fieldManager from
+// serviceCIDR for the status subresource.
 func ExtractServiceCIDRStatus(serviceCIDR *networkingv1beta1.ServiceCIDR, fieldManager string) (*ServiceCIDRApplyConfiguration, error) {
-	return extractServiceCIDR(serviceCIDR, fieldManager, "status")
+	return ExtractServiceCIDRFrom(serviceCIDR, fieldManager, "status")
 }
 
-func extractServiceCIDR(serviceCIDR *networkingv1beta1.ServiceCIDR, fieldManager string, subresource string) (*ServiceCIDRApplyConfiguration, error) {
-	b := &ServiceCIDRApplyConfiguration{}
-	err := managedfields.ExtractInto(serviceCIDR, internal.Parser().Type("io.k8s.api.networking.v1beta1.ServiceCIDR"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(serviceCIDR.Name)
-
-	b.WithKind("ServiceCIDR")
-	b.WithAPIVersion("networking.k8s.io/v1beta1")
-	return b, nil
-}
 func (b ServiceCIDRApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrspec.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrspec.go
index 1f283532d31cc..7652700e2af29 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrspec.go
@@ -20,7 +20,12 @@ package v1beta1
 
 // ServiceCIDRSpecApplyConfiguration represents a declarative configuration of the ServiceCIDRSpec type for use
 // with apply.
+//
+// ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.
 type ServiceCIDRSpecApplyConfiguration struct {
+	// CIDRs defines the IP blocks in CIDR notation (e.g. "192.168.0.0/24" or "2001:db8::/64")
+	// from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family.
+	// This field is immutable.
 	CIDRs []string `json:"cidrs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrstatus.go
index f2dd92404dde8..307043d989301 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/networking/v1beta1/servicecidrstatus.go
@@ -24,7 +24,11 @@ import (
 
 // ServiceCIDRStatusApplyConfiguration represents a declarative configuration of the ServiceCIDRStatus type for use
 // with apply.
+//
+// ServiceCIDRStatus describes the current state of the ServiceCIDR.
 type ServiceCIDRStatusApplyConfiguration struct {
+	// conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR.
+	// Current service state
 	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/overhead.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/overhead.go
index 30ce9fb42e00c..5584ddfd97c17 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/overhead.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/overhead.go
@@ -24,7 +24,10 @@ import (
 
 // OverheadApplyConfiguration represents a declarative configuration of the Overhead type for use
 // with apply.
+//
+// Overhead structure represents the resource overhead associated with running a pod.
 type OverheadApplyConfiguration struct {
+	// podFixed represents the fixed resource overhead associated with running a pod.
 	PodFixed *corev1.ResourceList `json:"podFixed,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/runtimeclass.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/runtimeclass.go
index 0c855cfdcb7c0..6b33701cabe23 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/runtimeclass.go
@@ -29,12 +29,38 @@ import (
 
 // RuntimeClassApplyConfiguration represents a declarative configuration of the RuntimeClass type for use
 // with apply.
+//
+// RuntimeClass defines a class of container runtime supported in the cluster.
+// The RuntimeClass is used to determine which container runtime is used to run
+// all containers in a pod. RuntimeClasses are manually defined by a
+// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
+// responsible for resolving the RuntimeClassName reference before running the
+// pod.  For more details, see
+// https://kubernetes.io/docs/concepts/containers/runtime-class/
 type RuntimeClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Handler                              *string                       `json:"handler,omitempty"`
-	Overhead                             *OverheadApplyConfiguration   `json:"overhead,omitempty"`
-	Scheduling                           *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
+	// handler specifies the underlying runtime and configuration that the CRI
+	// implementation will use to handle pods of this class. The possible values
+	// are specific to the node & CRI configuration.  It is assumed that all
+	// handlers are available on every node, and handlers of the same name are
+	// equivalent on every node.
+	// For example, a handler called "runc" might specify that the runc OCI
+	// runtime (using native Linux containers) will be used to run the containers
+	// in a pod.
+	// The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
+	// and is immutable.
+	Handler *string `json:"handler,omitempty"`
+	// overhead represents the resource overhead associated with running a pod for a
+	// given RuntimeClass. For more details, see
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
+	Overhead *OverheadApplyConfiguration `json:"overhead,omitempty"`
+	// scheduling holds the scheduling constraints to ensure that pods running
+	// with this RuntimeClass are scheduled to nodes that support it.
+	// If scheduling is nil, this RuntimeClass is assumed to be supported by all
+	// nodes.
+	Scheduling *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
 }
 
 // RuntimeClass constructs a declarative configuration of the RuntimeClass type for use with
@@ -47,29 +73,14 @@ func RuntimeClass(name string) *RuntimeClassApplyConfiguration {
 	return b
 }
 
-// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
-// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
-// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRuntimeClassFrom extracts the applied configuration owned by fieldManager from
+// runtimeClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
-// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRuntimeClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRuntimeClass(runtimeClass *nodev1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "")
-}
-
-// ExtractRuntimeClassStatus is the same as ExtractRuntimeClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRuntimeClassStatus(runtimeClass *nodev1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "status")
-}
-
-func extractRuntimeClass(runtimeClass *nodev1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
+func ExtractRuntimeClassFrom(runtimeClass *nodev1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
 	b := &RuntimeClassApplyConfiguration{}
 	err := managedfields.ExtractInto(runtimeClass, internal.Parser().Type("io.k8s.api.node.v1.RuntimeClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +92,21 @@ func extractRuntimeClass(runtimeClass *nodev1.RuntimeClass, fieldManager string,
 	b.WithAPIVersion("node.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
+// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
+// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
+// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRuntimeClass(runtimeClass *nodev1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
+	return ExtractRuntimeClassFrom(runtimeClass, fieldManager, "")
+}
+
 func (b RuntimeClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/scheduling.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/scheduling.go
index b45400fbcd768..849a9a4e5c454 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1/scheduling.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1/scheduling.go
@@ -24,9 +24,20 @@ import (
 
 // SchedulingApplyConfiguration represents a declarative configuration of the Scheduling type for use
 // with apply.
+//
+// Scheduling specifies the scheduling constraints for nodes supporting a
+// RuntimeClass.
 type SchedulingApplyConfiguration struct {
-	NodeSelector map[string]string                     `json:"nodeSelector,omitempty"`
-	Tolerations  []corev1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// nodeSelector lists labels that must be present on nodes that support this
+	// RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
+	// node matched by this selector. The RuntimeClass nodeSelector is merged
+	// with a pod's existing nodeSelector. Any conflicts will cause the pod to
+	// be rejected in admission.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations are appended (excluding duplicates) to pods running with this
+	// RuntimeClass during admission, effectively unioning the set of nodes
+	// tolerated by the pod and the RuntimeClass.
+	Tolerations []corev1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
 }
 
 // SchedulingApplyConfiguration constructs a declarative configuration of the Scheduling type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/overhead.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/overhead.go
index 84770a09205fe..ce66afc6d4c54 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/overhead.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/overhead.go
@@ -24,7 +24,10 @@ import (
 
 // OverheadApplyConfiguration represents a declarative configuration of the Overhead type for use
 // with apply.
+//
+// Overhead structure represents the resource overhead associated with running a pod.
 type OverheadApplyConfiguration struct {
+	// podFixed represents the fixed resource overhead associated with running a pod.
 	PodFixed *v1.ResourceList `json:"podFixed,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclass.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclass.go
index f185c31669b8e..5fbf9a649acfb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclass.go
@@ -29,10 +29,21 @@ import (
 
 // RuntimeClassApplyConfiguration represents a declarative configuration of the RuntimeClass type for use
 // with apply.
+//
+// RuntimeClass defines a class of container runtime supported in the cluster.
+// The RuntimeClass is used to determine which container runtime is used to run
+// all containers in a pod. RuntimeClasses are (currently) manually defined by a
+// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
+// responsible for resolving the RuntimeClassName reference before running the
+// pod.  For more details, see
+// https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
 type RuntimeClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *RuntimeClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec represents specification of the RuntimeClass
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	Spec *RuntimeClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // RuntimeClass constructs a declarative configuration of the RuntimeClass type for use with
@@ -45,29 +56,14 @@ func RuntimeClass(name string) *RuntimeClassApplyConfiguration {
 	return b
 }
 
-// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
-// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
-// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRuntimeClassFrom extracts the applied configuration owned by fieldManager from
+// runtimeClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
-// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRuntimeClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRuntimeClass(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "")
-}
-
-// ExtractRuntimeClassStatus is the same as ExtractRuntimeClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRuntimeClassStatus(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "status")
-}
-
-func extractRuntimeClass(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
+func ExtractRuntimeClassFrom(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
 	b := &RuntimeClassApplyConfiguration{}
 	err := managedfields.ExtractInto(runtimeClass, internal.Parser().Type("io.k8s.api.node.v1alpha1.RuntimeClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +75,21 @@ func extractRuntimeClass(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager s
 	b.WithAPIVersion("node.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
+// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
+// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
+// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRuntimeClass(runtimeClass *nodev1alpha1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
+	return ExtractRuntimeClassFrom(runtimeClass, fieldManager, "")
+}
+
 func (b RuntimeClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclassspec.go
index 1aa43eb13203e..0ad3269bedcea 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/runtimeclassspec.go
@@ -20,10 +20,32 @@ package v1alpha1
 
 // RuntimeClassSpecApplyConfiguration represents a declarative configuration of the RuntimeClassSpec type for use
 // with apply.
+//
+// RuntimeClassSpec is a specification of a RuntimeClass. It contains parameters
+// that are required to describe the RuntimeClass to the Container Runtime
+// Interface (CRI) implementation, as well as any other components that need to
+// understand how the pod will be run. The RuntimeClassSpec is immutable.
 type RuntimeClassSpecApplyConfiguration struct {
-	RuntimeHandler *string                       `json:"runtimeHandler,omitempty"`
-	Overhead       *OverheadApplyConfiguration   `json:"overhead,omitempty"`
-	Scheduling     *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
+	// runtimeHandler specifies the underlying runtime and configuration that the
+	// CRI implementation will use to handle pods of this class. The possible
+	// values are specific to the node & CRI configuration.  It is assumed that
+	// all handlers are available on every node, and handlers of the same name are
+	// equivalent on every node.
+	// For example, a handler called "runc" might specify that the runc OCI
+	// runtime (using native Linux containers) will be used to run the containers
+	// in a pod.
+	// The runtimeHandler must be lowercase, conform to the DNS Label (RFC 1123)
+	// requirements, and is immutable.
+	RuntimeHandler *string `json:"runtimeHandler,omitempty"`
+	// overhead represents the resource overhead associated with running a pod for a
+	// given RuntimeClass. For more details, see
+	// https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
+	Overhead *OverheadApplyConfiguration `json:"overhead,omitempty"`
+	// scheduling holds the scheduling constraints to ensure that pods running
+	// with this RuntimeClass are scheduled to nodes that support it.
+	// If scheduling is nil, this RuntimeClass is assumed to be supported by all
+	// nodes.
+	Scheduling *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
 }
 
 // RuntimeClassSpecApplyConfiguration constructs a declarative configuration of the RuntimeClassSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/scheduling.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/scheduling.go
index 6ce49ad8664f9..b79301de87113 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/scheduling.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1alpha1/scheduling.go
@@ -24,9 +24,20 @@ import (
 
 // SchedulingApplyConfiguration represents a declarative configuration of the Scheduling type for use
 // with apply.
+//
+// Scheduling specifies the scheduling constraints for nodes supporting a
+// RuntimeClass.
 type SchedulingApplyConfiguration struct {
-	NodeSelector map[string]string                 `json:"nodeSelector,omitempty"`
-	Tolerations  []v1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// nodeSelector lists labels that must be present on nodes that support this
+	// RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
+	// node matched by this selector. The RuntimeClass nodeSelector is merged
+	// with a pod's existing nodeSelector. Any conflicts will cause the pod to
+	// be rejected in admission.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations are appended (excluding duplicates) to pods running with this
+	// RuntimeClass during admission, effectively unioning the set of nodes
+	// tolerated by the pod and the RuntimeClass.
+	Tolerations []v1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
 }
 
 // SchedulingApplyConfiguration constructs a declarative configuration of the Scheduling type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/overhead.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/overhead.go
index cf767e702eeeb..2c3d34250cadd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/overhead.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/overhead.go
@@ -24,7 +24,10 @@ import (
 
 // OverheadApplyConfiguration represents a declarative configuration of the Overhead type for use
 // with apply.
+//
+// Overhead structure represents the resource overhead associated with running a pod.
 type OverheadApplyConfiguration struct {
+	// podFixed represents the fixed resource overhead associated with running a pod.
 	PodFixed *v1.ResourceList `json:"podFixed,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/runtimeclass.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/runtimeclass.go
index f6cbcf8fd3a41..fc75967fc0b96 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/runtimeclass.go
@@ -29,12 +29,38 @@ import (
 
 // RuntimeClassApplyConfiguration represents a declarative configuration of the RuntimeClass type for use
 // with apply.
+//
+// RuntimeClass defines a class of container runtime supported in the cluster.
+// The RuntimeClass is used to determine which container runtime is used to run
+// all containers in a pod. RuntimeClasses are (currently) manually defined by a
+// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
+// responsible for resolving the RuntimeClassName reference before running the
+// pod.  For more details, see
+// https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
 type RuntimeClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Handler                          *string                       `json:"handler,omitempty"`
-	Overhead                         *OverheadApplyConfiguration   `json:"overhead,omitempty"`
-	Scheduling                       *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
+	// handler specifies the underlying runtime and configuration that the CRI
+	// implementation will use to handle pods of this class. The possible values
+	// are specific to the node & CRI configuration.  It is assumed that all
+	// handlers are available on every node, and handlers of the same name are
+	// equivalent on every node.
+	// For example, a handler called "runc" might specify that the runc OCI
+	// runtime (using native Linux containers) will be used to run the containers
+	// in a pod.
+	// The handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
+	// and is immutable.
+	Handler *string `json:"handler,omitempty"`
+	// overhead represents the resource overhead associated with running a pod for a
+	// given RuntimeClass. For more details, see
+	// https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
+	Overhead *OverheadApplyConfiguration `json:"overhead,omitempty"`
+	// scheduling holds the scheduling constraints to ensure that pods running
+	// with this RuntimeClass are scheduled to nodes that support it.
+	// If scheduling is nil, this RuntimeClass is assumed to be supported by all
+	// nodes.
+	Scheduling *SchedulingApplyConfiguration `json:"scheduling,omitempty"`
 }
 
 // RuntimeClass constructs a declarative configuration of the RuntimeClass type for use with
@@ -47,29 +73,14 @@ func RuntimeClass(name string) *RuntimeClassApplyConfiguration {
 	return b
 }
 
-// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
-// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
-// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRuntimeClassFrom extracts the applied configuration owned by fieldManager from
+// runtimeClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
-// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRuntimeClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRuntimeClass(runtimeClass *nodev1beta1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "")
-}
-
-// ExtractRuntimeClassStatus is the same as ExtractRuntimeClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRuntimeClassStatus(runtimeClass *nodev1beta1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
-	return extractRuntimeClass(runtimeClass, fieldManager, "status")
-}
-
-func extractRuntimeClass(runtimeClass *nodev1beta1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
+func ExtractRuntimeClassFrom(runtimeClass *nodev1beta1.RuntimeClass, fieldManager string, subresource string) (*RuntimeClassApplyConfiguration, error) {
 	b := &RuntimeClassApplyConfiguration{}
 	err := managedfields.ExtractInto(runtimeClass, internal.Parser().Type("io.k8s.api.node.v1beta1.RuntimeClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +92,21 @@ func extractRuntimeClass(runtimeClass *nodev1beta1.RuntimeClass, fieldManager st
 	b.WithAPIVersion("node.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractRuntimeClass extracts the applied configuration owned by fieldManager from
+// runtimeClass. If no managedFields are found in runtimeClass for fieldManager, a
+// RuntimeClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// runtimeClass must be a unmodified RuntimeClass API object that was retrieved from the Kubernetes API.
+// ExtractRuntimeClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRuntimeClass(runtimeClass *nodev1beta1.RuntimeClass, fieldManager string) (*RuntimeClassApplyConfiguration, error) {
+	return ExtractRuntimeClassFrom(runtimeClass, fieldManager, "")
+}
+
 func (b RuntimeClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/scheduling.go b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/scheduling.go
index 23d0b97527dc0..9eab351b80ebf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/scheduling.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/node/v1beta1/scheduling.go
@@ -24,9 +24,20 @@ import (
 
 // SchedulingApplyConfiguration represents a declarative configuration of the Scheduling type for use
 // with apply.
+//
+// Scheduling specifies the scheduling constraints for nodes supporting a
+// RuntimeClass.
 type SchedulingApplyConfiguration struct {
-	NodeSelector map[string]string                 `json:"nodeSelector,omitempty"`
-	Tolerations  []v1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// nodeSelector lists labels that must be present on nodes that support this
+	// RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
+	// node matched by this selector. The RuntimeClass nodeSelector is merged
+	// with a pod's existing nodeSelector. Any conflicts will cause the pod to
+	// be rejected in admission.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations are appended (excluding duplicates) to pods running with this
+	// RuntimeClass during admission, effectively unioning the set of nodes
+	// tolerated by the pod and the RuntimeClass.
+	Tolerations []v1.TolerationApplyConfiguration `json:"tolerations,omitempty"`
 }
 
 // SchedulingApplyConfiguration constructs a declarative configuration of the Scheduling type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/eviction.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/eviction.go
index da18b73a22689..bd944a5e8b948 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/eviction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/eviction.go
@@ -29,10 +29,16 @@ import (
 
 // EvictionApplyConfiguration represents a declarative configuration of the Eviction type for use
 // with apply.
+//
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod.  A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
 type EvictionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// ObjectMeta describes the pod that is being evicted.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DeleteOptions                        *metav1.DeleteOptionsApplyConfiguration `json:"deleteOptions,omitempty"`
+	// DeleteOptions may be provided
+	DeleteOptions *metav1.DeleteOptionsApplyConfiguration `json:"deleteOptions,omitempty"`
 }
 
 // Eviction constructs a declarative configuration of the Eviction type for use with
@@ -46,29 +52,14 @@ func Eviction(name, namespace string) *EvictionApplyConfiguration {
 	return b
 }
 
-// ExtractEviction extracts the applied configuration owned by fieldManager from
-// eviction. If no managedFields are found in eviction for fieldManager, a
-// EvictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEvictionFrom extracts the applied configuration owned by fieldManager from
+// eviction for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // eviction must be a unmodified Eviction API object that was retrieved from the Kubernetes API.
-// ExtractEviction provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEvictionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEviction(eviction *policyv1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
-	return extractEviction(eviction, fieldManager, "")
-}
-
-// ExtractEvictionStatus is the same as ExtractEviction except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEvictionStatus(eviction *policyv1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
-	return extractEviction(eviction, fieldManager, "status")
-}
-
-func extractEviction(eviction *policyv1.Eviction, fieldManager string, subresource string) (*EvictionApplyConfiguration, error) {
+func ExtractEvictionFrom(eviction *policyv1.Eviction, fieldManager string, subresource string) (*EvictionApplyConfiguration, error) {
 	b := &EvictionApplyConfiguration{}
 	err := managedfields.ExtractInto(eviction, internal.Parser().Type("io.k8s.api.policy.v1.Eviction"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractEviction(eviction *policyv1.Eviction, fieldManager string, subresour
 	b.WithAPIVersion("policy/v1")
 	return b, nil
 }
+
+// ExtractEviction extracts the applied configuration owned by fieldManager from
+// eviction. If no managedFields are found in eviction for fieldManager, a
+// EvictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// eviction must be a unmodified Eviction API object that was retrieved from the Kubernetes API.
+// ExtractEviction provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEviction(eviction *policyv1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
+	return ExtractEvictionFrom(eviction, fieldManager, "")
+}
+
 func (b EvictionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudget.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudget.go
index 995a4f661b9ff..c9d4fd1a605f5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudget.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudget.go
@@ -29,11 +29,17 @@ import (
 
 // PodDisruptionBudgetApplyConfiguration represents a declarative configuration of the PodDisruptionBudget type for use
 // with apply.
+//
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
 type PodDisruptionBudgetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *PodDisruptionBudgetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *PodDisruptionBudgetStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the PodDisruptionBudget.
+	Spec *PodDisruptionBudgetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the PodDisruptionBudget.
+	Status *PodDisruptionBudgetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PodDisruptionBudget constructs a declarative configuration of the PodDisruptionBudget type for use with
@@ -47,6 +53,27 @@ func PodDisruptionBudget(name, namespace string) *PodDisruptionBudgetApplyConfig
 	return b
 }
 
+// ExtractPodDisruptionBudgetFrom extracts the applied configuration owned by fieldManager from
+// podDisruptionBudget for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// podDisruptionBudget must be a unmodified PodDisruptionBudget API object that was retrieved from the Kubernetes API.
+// ExtractPodDisruptionBudgetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodDisruptionBudgetFrom(podDisruptionBudget *policyv1.PodDisruptionBudget, fieldManager string, subresource string) (*PodDisruptionBudgetApplyConfiguration, error) {
+	b := &PodDisruptionBudgetApplyConfiguration{}
+	err := managedfields.ExtractInto(podDisruptionBudget, internal.Parser().Type("io.k8s.api.policy.v1.PodDisruptionBudget"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(podDisruptionBudget.Name)
+	b.WithNamespace(podDisruptionBudget.Namespace)
+
+	b.WithKind("PodDisruptionBudget")
+	b.WithAPIVersion("policy/v1")
+	return b, nil
+}
+
 // ExtractPodDisruptionBudget extracts the applied configuration owned by fieldManager from
 // podDisruptionBudget. If no managedFields are found in podDisruptionBudget for fieldManager, a
 // PodDisruptionBudgetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +84,16 @@ func PodDisruptionBudget(name, namespace string) *PodDisruptionBudgetApplyConfig
 // ExtractPodDisruptionBudget provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPodDisruptionBudget(podDisruptionBudget *policyv1.PodDisruptionBudget, fieldManager string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	return extractPodDisruptionBudget(podDisruptionBudget, fieldManager, "")
+	return ExtractPodDisruptionBudgetFrom(podDisruptionBudget, fieldManager, "")
 }
 
-// ExtractPodDisruptionBudgetStatus is the same as ExtractPodDisruptionBudget except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPodDisruptionBudgetStatus extracts the applied configuration owned by fieldManager from
+// podDisruptionBudget for the status subresource.
 func ExtractPodDisruptionBudgetStatus(podDisruptionBudget *policyv1.PodDisruptionBudget, fieldManager string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	return extractPodDisruptionBudget(podDisruptionBudget, fieldManager, "status")
+	return ExtractPodDisruptionBudgetFrom(podDisruptionBudget, fieldManager, "status")
 }
 
-func extractPodDisruptionBudget(podDisruptionBudget *policyv1.PodDisruptionBudget, fieldManager string, subresource string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	b := &PodDisruptionBudgetApplyConfiguration{}
-	err := managedfields.ExtractInto(podDisruptionBudget, internal.Parser().Type("io.k8s.api.policy.v1.PodDisruptionBudget"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(podDisruptionBudget.Name)
-	b.WithNamespace(podDisruptionBudget.Namespace)
-
-	b.WithKind("PodDisruptionBudget")
-	b.WithAPIVersion("policy/v1")
-	return b, nil
-}
 func (b PodDisruptionBudgetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetspec.go
index 3c66739bd5c38..0d2307332b68b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetspec.go
@@ -26,10 +26,46 @@ import (
 
 // PodDisruptionBudgetSpecApplyConfiguration represents a declarative configuration of the PodDisruptionBudgetSpec type for use
 // with apply.
+//
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
 type PodDisruptionBudgetSpecApplyConfiguration struct {
-	MinAvailable               *intstr.IntOrString                      `json:"minAvailable,omitempty"`
-	Selector                   *metav1.LabelSelectorApplyConfiguration  `json:"selector,omitempty"`
-	MaxUnavailable             *intstr.IntOrString                      `json:"maxUnavailable,omitempty"`
+	// An eviction is allowed if at least "minAvailable" pods selected by
+	// "selector" will still be available after the eviction, i.e. even in the
+	// absence of the evicted pod.  So for example you can prevent all voluntary
+	// evictions by specifying "100%".
+	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty"`
+	// Label query over pods whose evictions are managed by the disruption
+	// budget.
+	// A null selector will match no pods, while an empty ({}) selector will select
+	// all pods within the namespace.
+	Selector *metav1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An eviction is allowed if at most "maxUnavailable" pods selected by
+	// "selector" are unavailable after the eviction, i.e. even in absence of
+	// the evicted pod. For example, one can prevent all voluntary evictions
+	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
+	// UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods
+	// should be considered for eviction. Current implementation considers healthy pods,
+	// as pods that have status.conditions item with type="Ready",status="True".
+	//
+	// Valid policies are IfHealthyBudget and AlwaysAllow.
+	// If no policy is specified, the default behavior will be used,
+	// which corresponds to the IfHealthyBudget policy.
+	//
+	// IfHealthyBudget policy means that running pods (status.phase="Running"),
+	// but not yet healthy can be evicted only if the guarded application is not
+	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// AlwaysAllow policy means that all running pods (status.phase="Running"),
+	// but not yet healthy are considered disrupted and can be evicted regardless
+	// of whether the criteria in a PDB is met. This means perspective running
+	// pods of a disrupted application might not get a chance to become healthy.
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// Additional policies may be added in the future.
+	// Clients making eviction decisions should disallow eviction of unhealthy pods
+	// if they encounter an unrecognized policy in this field.
 	UnhealthyPodEvictionPolicy *policyv1.UnhealthyPodEvictionPolicyType `json:"unhealthyPodEvictionPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetstatus.go
index d3c44d90ab115..7e05f15076789 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1/poddisruptionbudgetstatus.go
@@ -25,14 +25,46 @@ import (
 
 // PodDisruptionBudgetStatusApplyConfiguration represents a declarative configuration of the PodDisruptionBudgetStatus type for use
 // with apply.
+//
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
 type PodDisruptionBudgetStatusApplyConfiguration struct {
-	ObservedGeneration *int64                                                  `json:"observedGeneration,omitempty"`
-	DisruptedPods      map[string]metav1.Time                                  `json:"disruptedPods,omitempty"`
-	DisruptionsAllowed *int32                                                  `json:"disruptionsAllowed,omitempty"`
-	CurrentHealthy     *int32                                                  `json:"currentHealthy,omitempty"`
-	DesiredHealthy     *int32                                                  `json:"desiredHealthy,omitempty"`
-	ExpectedPods       *int32                                                  `json:"expectedPods,omitempty"`
-	Conditions         []applyconfigurationsmetav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
+	// status information is valid only if observedGeneration equals to PDB's object generation.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// DisruptedPods contains information about pods whose eviction was
+	// processed by the API server eviction subresource handler but has not
+	// yet been observed by the PodDisruptionBudget controller.
+	// A pod will be in this map from the time when the API server processed the
+	// eviction request to the time when the pod is seen by PDB controller
+	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+	// and the value is the time when the API server processed the eviction request. If
+	// the deletion didn't occur and a pod is still there it will be removed from
+	// the list automatically by PodDisruptionBudget controller after some time.
+	// If everything goes smooth this map should be empty for the most of the time.
+	// Large number of entries in the map may indicate problems with pod deletions.
+	DisruptedPods map[string]metav1.Time `json:"disruptedPods,omitempty"`
+	// Number of pod disruptions that are currently allowed.
+	DisruptionsAllowed *int32 `json:"disruptionsAllowed,omitempty"`
+	// current number of healthy pods
+	CurrentHealthy *int32 `json:"currentHealthy,omitempty"`
+	// minimum desired number of healthy pods
+	DesiredHealthy *int32 `json:"desiredHealthy,omitempty"`
+	// total number of pods counted by this disruption budget
+	ExpectedPods *int32 `json:"expectedPods,omitempty"`
+	// Conditions contain conditions for PDB. The disruption controller sets the
+	// DisruptionAllowed condition. The following are known values for the reason field
+	// (additional reasons could be added in the future):
+	// - SyncFailed: The controller encountered an error and wasn't able to compute
+	// the number of allowed disruptions. Therefore no disruptions are
+	// allowed and the status of the condition will be False.
+	// - InsufficientPods: The number of pods are either at or below the number
+	// required by the PodDisruptionBudget. No disruptions are
+	// allowed and the status of the condition will be False.
+	// - SufficientPods: There are more pods than required by the PodDisruptionBudget.
+	// The condition will be True, and the number of allowed
+	// disruptions are provided by the disruptionsAllowed property.
+	Conditions []applyconfigurationsmetav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // PodDisruptionBudgetStatusApplyConfiguration constructs a declarative configuration of the PodDisruptionBudgetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/eviction.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/eviction.go
index be0f1c1c1b10b..eeadbbcb7d7b9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/eviction.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/eviction.go
@@ -29,10 +29,16 @@ import (
 
 // EvictionApplyConfiguration represents a declarative configuration of the Eviction type for use
 // with apply.
+//
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod.  A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
 type EvictionApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// ObjectMeta describes the pod that is being evicted.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DeleteOptions                    *v1.DeleteOptionsApplyConfiguration `json:"deleteOptions,omitempty"`
+	// DeleteOptions may be provided
+	DeleteOptions *v1.DeleteOptionsApplyConfiguration `json:"deleteOptions,omitempty"`
 }
 
 // Eviction constructs a declarative configuration of the Eviction type for use with
@@ -46,29 +52,14 @@ func Eviction(name, namespace string) *EvictionApplyConfiguration {
 	return b
 }
 
-// ExtractEviction extracts the applied configuration owned by fieldManager from
-// eviction. If no managedFields are found in eviction for fieldManager, a
-// EvictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEvictionFrom extracts the applied configuration owned by fieldManager from
+// eviction for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // eviction must be a unmodified Eviction API object that was retrieved from the Kubernetes API.
-// ExtractEviction provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEvictionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEviction(eviction *policyv1beta1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
-	return extractEviction(eviction, fieldManager, "")
-}
-
-// ExtractEvictionStatus is the same as ExtractEviction except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEvictionStatus(eviction *policyv1beta1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
-	return extractEviction(eviction, fieldManager, "status")
-}
-
-func extractEviction(eviction *policyv1beta1.Eviction, fieldManager string, subresource string) (*EvictionApplyConfiguration, error) {
+func ExtractEvictionFrom(eviction *policyv1beta1.Eviction, fieldManager string, subresource string) (*EvictionApplyConfiguration, error) {
 	b := &EvictionApplyConfiguration{}
 	err := managedfields.ExtractInto(eviction, internal.Parser().Type("io.k8s.api.policy.v1beta1.Eviction"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +72,21 @@ func extractEviction(eviction *policyv1beta1.Eviction, fieldManager string, subr
 	b.WithAPIVersion("policy/v1beta1")
 	return b, nil
 }
+
+// ExtractEviction extracts the applied configuration owned by fieldManager from
+// eviction. If no managedFields are found in eviction for fieldManager, a
+// EvictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// eviction must be a unmodified Eviction API object that was retrieved from the Kubernetes API.
+// ExtractEviction provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEviction(eviction *policyv1beta1.Eviction, fieldManager string) (*EvictionApplyConfiguration, error) {
+	return ExtractEvictionFrom(eviction, fieldManager, "")
+}
+
 func (b EvictionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudget.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudget.go
index 159f19eae9f2e..ca2d839daa86c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudget.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudget.go
@@ -29,11 +29,17 @@ import (
 
 // PodDisruptionBudgetApplyConfiguration represents a declarative configuration of the PodDisruptionBudget type for use
 // with apply.
+//
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
 type PodDisruptionBudgetApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *PodDisruptionBudgetSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *PodDisruptionBudgetStatusApplyConfiguration `json:"status,omitempty"`
+	// Specification of the desired behavior of the PodDisruptionBudget.
+	Spec *PodDisruptionBudgetSpecApplyConfiguration `json:"spec,omitempty"`
+	// Most recently observed status of the PodDisruptionBudget.
+	Status *PodDisruptionBudgetStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // PodDisruptionBudget constructs a declarative configuration of the PodDisruptionBudget type for use with
@@ -47,6 +53,27 @@ func PodDisruptionBudget(name, namespace string) *PodDisruptionBudgetApplyConfig
 	return b
 }
 
+// ExtractPodDisruptionBudgetFrom extracts the applied configuration owned by fieldManager from
+// podDisruptionBudget for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// podDisruptionBudget must be a unmodified PodDisruptionBudget API object that was retrieved from the Kubernetes API.
+// ExtractPodDisruptionBudgetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPodDisruptionBudgetFrom(podDisruptionBudget *policyv1beta1.PodDisruptionBudget, fieldManager string, subresource string) (*PodDisruptionBudgetApplyConfiguration, error) {
+	b := &PodDisruptionBudgetApplyConfiguration{}
+	err := managedfields.ExtractInto(podDisruptionBudget, internal.Parser().Type("io.k8s.api.policy.v1beta1.PodDisruptionBudget"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(podDisruptionBudget.Name)
+	b.WithNamespace(podDisruptionBudget.Namespace)
+
+	b.WithKind("PodDisruptionBudget")
+	b.WithAPIVersion("policy/v1beta1")
+	return b, nil
+}
+
 // ExtractPodDisruptionBudget extracts the applied configuration owned by fieldManager from
 // podDisruptionBudget. If no managedFields are found in podDisruptionBudget for fieldManager, a
 // PodDisruptionBudgetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +84,16 @@ func PodDisruptionBudget(name, namespace string) *PodDisruptionBudgetApplyConfig
 // ExtractPodDisruptionBudget provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractPodDisruptionBudget(podDisruptionBudget *policyv1beta1.PodDisruptionBudget, fieldManager string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	return extractPodDisruptionBudget(podDisruptionBudget, fieldManager, "")
+	return ExtractPodDisruptionBudgetFrom(podDisruptionBudget, fieldManager, "")
 }
 
-// ExtractPodDisruptionBudgetStatus is the same as ExtractPodDisruptionBudget except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractPodDisruptionBudgetStatus extracts the applied configuration owned by fieldManager from
+// podDisruptionBudget for the status subresource.
 func ExtractPodDisruptionBudgetStatus(podDisruptionBudget *policyv1beta1.PodDisruptionBudget, fieldManager string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	return extractPodDisruptionBudget(podDisruptionBudget, fieldManager, "status")
+	return ExtractPodDisruptionBudgetFrom(podDisruptionBudget, fieldManager, "status")
 }
 
-func extractPodDisruptionBudget(podDisruptionBudget *policyv1beta1.PodDisruptionBudget, fieldManager string, subresource string) (*PodDisruptionBudgetApplyConfiguration, error) {
-	b := &PodDisruptionBudgetApplyConfiguration{}
-	err := managedfields.ExtractInto(podDisruptionBudget, internal.Parser().Type("io.k8s.api.policy.v1beta1.PodDisruptionBudget"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(podDisruptionBudget.Name)
-	b.WithNamespace(podDisruptionBudget.Namespace)
-
-	b.WithKind("PodDisruptionBudget")
-	b.WithAPIVersion("policy/v1beta1")
-	return b, nil
-}
 func (b PodDisruptionBudgetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetspec.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetspec.go
index d8fecf7a36ead..1fe247b48905e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetspec.go
@@ -26,10 +26,47 @@ import (
 
 // PodDisruptionBudgetSpecApplyConfiguration represents a declarative configuration of the PodDisruptionBudgetSpec type for use
 // with apply.
+//
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
 type PodDisruptionBudgetSpecApplyConfiguration struct {
-	MinAvailable               *intstr.IntOrString                           `json:"minAvailable,omitempty"`
-	Selector                   *v1.LabelSelectorApplyConfiguration           `json:"selector,omitempty"`
-	MaxUnavailable             *intstr.IntOrString                           `json:"maxUnavailable,omitempty"`
+	// An eviction is allowed if at least "minAvailable" pods selected by
+	// "selector" will still be available after the eviction, i.e. even in the
+	// absence of the evicted pod.  So for example you can prevent all voluntary
+	// evictions by specifying "100%".
+	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty"`
+	// Label query over pods whose evictions are managed by the disruption
+	// budget.
+	// A null selector selects no pods.
+	// An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods.
+	// In policy/v1, an empty selector will select all pods in the namespace.
+	Selector *v1.LabelSelectorApplyConfiguration `json:"selector,omitempty"`
+	// An eviction is allowed if at most "maxUnavailable" pods selected by
+	// "selector" are unavailable after the eviction, i.e. even in absence of
+	// the evicted pod. For example, one can prevent all voluntary evictions
+	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
+	// UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods
+	// should be considered for eviction. Current implementation considers healthy pods,
+	// as pods that have status.conditions item with type="Ready",status="True".
+	//
+	// Valid policies are IfHealthyBudget and AlwaysAllow.
+	// If no policy is specified, the default behavior will be used,
+	// which corresponds to the IfHealthyBudget policy.
+	//
+	// IfHealthyBudget policy means that running pods (status.phase="Running"),
+	// but not yet healthy can be evicted only if the guarded application is not
+	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// AlwaysAllow policy means that all running pods (status.phase="Running"),
+	// but not yet healthy are considered disrupted and can be evicted regardless
+	// of whether the criteria in a PDB is met. This means perspective running
+	// pods of a disrupted application might not get a chance to become healthy.
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// Additional policies may be added in the future.
+	// Clients making eviction decisions should disallow eviction of unhealthy pods
+	// if they encounter an unrecognized policy in this field.
 	UnhealthyPodEvictionPolicy *policyv1beta1.UnhealthyPodEvictionPolicyType `json:"unhealthyPodEvictionPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetstatus.go
index e66a7fb3861c6..e7faa861d4453 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/policy/v1beta1/poddisruptionbudgetstatus.go
@@ -25,14 +25,46 @@ import (
 
 // PodDisruptionBudgetStatusApplyConfiguration represents a declarative configuration of the PodDisruptionBudgetStatus type for use
 // with apply.
+//
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
 type PodDisruptionBudgetStatusApplyConfiguration struct {
-	ObservedGeneration *int64                               `json:"observedGeneration,omitempty"`
-	DisruptedPods      map[string]v1.Time                   `json:"disruptedPods,omitempty"`
-	DisruptionsAllowed *int32                               `json:"disruptionsAllowed,omitempty"`
-	CurrentHealthy     *int32                               `json:"currentHealthy,omitempty"`
-	DesiredHealthy     *int32                               `json:"desiredHealthy,omitempty"`
-	ExpectedPods       *int32                               `json:"expectedPods,omitempty"`
-	Conditions         []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
+	// status information is valid only if observedGeneration equals to PDB's object generation.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// DisruptedPods contains information about pods whose eviction was
+	// processed by the API server eviction subresource handler but has not
+	// yet been observed by the PodDisruptionBudget controller.
+	// A pod will be in this map from the time when the API server processed the
+	// eviction request to the time when the pod is seen by PDB controller
+	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+	// and the value is the time when the API server processed the eviction request. If
+	// the deletion didn't occur and a pod is still there it will be removed from
+	// the list automatically by PodDisruptionBudget controller after some time.
+	// If everything goes smooth this map should be empty for the most of the time.
+	// Large number of entries in the map may indicate problems with pod deletions.
+	DisruptedPods map[string]v1.Time `json:"disruptedPods,omitempty"`
+	// Number of pod disruptions that are currently allowed.
+	DisruptionsAllowed *int32 `json:"disruptionsAllowed,omitempty"`
+	// current number of healthy pods
+	CurrentHealthy *int32 `json:"currentHealthy,omitempty"`
+	// minimum desired number of healthy pods
+	DesiredHealthy *int32 `json:"desiredHealthy,omitempty"`
+	// total number of pods counted by this disruption budget
+	ExpectedPods *int32 `json:"expectedPods,omitempty"`
+	// Conditions contain conditions for PDB. The disruption controller sets the
+	// DisruptionAllowed condition. The following are known values for the reason field
+	// (additional reasons could be added in the future):
+	// - SyncFailed: The controller encountered an error and wasn't able to compute
+	// the number of allowed disruptions. Therefore no disruptions are
+	// allowed and the status of the condition will be False.
+	// - InsufficientPods: The number of pods are either at or below the number
+	// required by the PodDisruptionBudget. No disruptions are
+	// allowed and the status of the condition will be False.
+	// - SufficientPods: There are more pods than required by the PodDisruptionBudget.
+	// The condition will be True, and the number of allowed
+	// disruptions are provided by the disruptionsAllowed property.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // PodDisruptionBudgetStatusApplyConfiguration constructs a declarative configuration of the PodDisruptionBudgetStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/aggregationrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/aggregationrule.go
index b7049a8efae19..6f44e79795382 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/aggregationrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/aggregationrule.go
@@ -24,7 +24,11 @@ import (
 
 // AggregationRuleApplyConfiguration represents a declarative configuration of the AggregationRule type for use
 // with apply.
+//
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
 type AggregationRuleApplyConfiguration struct {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
 	ClusterRoleSelectors []metav1.LabelSelectorApplyConfiguration `json:"clusterRoleSelectors,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrole.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrole.go
index b8634870ea09e..d65387e24953d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrole.go
@@ -29,11 +29,18 @@ import (
 
 // ClusterRoleApplyConfiguration represents a declarative configuration of the ClusterRole type for use
 // with apply.
+//
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
 type ClusterRoleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                                []PolicyRuleApplyConfiguration     `json:"rules,omitempty"`
-	AggregationRule                      *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	AggregationRule *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
 }
 
 // ClusterRole constructs a declarative configuration of the ClusterRole type for use with
@@ -46,29 +53,14 @@ func ClusterRole(name string) *ClusterRoleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRole extracts the applied configuration owned by fieldManager from
-// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
-// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleFrom extracts the applied configuration owned by fieldManager from
+// clusterRole for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
-// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRole(clusterRole *rbacv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "")
-}
-
-// ExtractClusterRoleStatus is the same as ExtractClusterRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleStatus(clusterRole *rbacv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "status")
-}
-
-func extractClusterRole(clusterRole *rbacv1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
+func ExtractClusterRoleFrom(clusterRole *rbacv1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
 	b := &ClusterRoleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRole, internal.Parser().Type("io.k8s.api.rbac.v1.ClusterRole"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +72,21 @@ func extractClusterRole(clusterRole *rbacv1.ClusterRole, fieldManager string, su
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractClusterRole extracts the applied configuration owned by fieldManager from
+// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
+// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
+// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRole(clusterRole *rbacv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
+	return ExtractClusterRoleFrom(clusterRole, fieldManager, "")
+}
+
 func (b ClusterRoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrolebinding.go
index 0fd5a9514aa96..13d3d0201fc7f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/clusterrolebinding.go
@@ -29,11 +29,19 @@ import (
 
 // ClusterRoleBindingApplyConfiguration represents a declarative configuration of the ClusterRoleBinding type for use
 // with apply.
+//
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
 type ClusterRoleBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                             []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                              *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // ClusterRoleBinding constructs a declarative configuration of the ClusterRoleBinding type for use with
@@ -46,29 +54,14 @@ func ClusterRoleBinding(name string) *ClusterRoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
-// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
-// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "")
-}
-
-// ExtractClusterRoleBindingStatus is the same as ExtractClusterRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleBindingStatus(clusterRoleBinding *rbacv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "status")
-}
-
-func extractClusterRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
+func ExtractClusterRoleBindingFrom(clusterRoleBinding *rbacv1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
 	b := &ClusterRoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRoleBinding, internal.Parser().Type("io.k8s.api.rbac.v1.ClusterRoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,21 @@ func extractClusterRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding, fi
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
+// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
+	return ExtractClusterRoleBindingFrom(clusterRoleBinding, fieldManager, "")
+}
+
 func (b ClusterRoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/policyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/policyrule.go
index a2e66d1096a95..03556b01c4cfe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/policyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/policyrule.go
@@ -20,11 +20,26 @@ package v1
 
 // PolicyRuleApplyConfiguration represents a declarative configuration of the PolicyRule type for use
 // with apply.
+//
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
 type PolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
-	APIGroups       []string `json:"apiGroups,omitempty"`
-	Resources       []string `json:"resources,omitempty"`
-	ResourceNames   []string `json:"resourceNames,omitempty"`
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	Verbs []string `json:"verbs,omitempty"`
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// Resources is a list of resources this rule applies to. '*' represents all resources.
+	Resources []string `json:"resources,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/role.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/role.go
index 1a363eebb93f0..9e2895b1a8f71 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/role.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/role.go
@@ -29,10 +29,14 @@ import (
 
 // RoleApplyConfiguration represents a declarative configuration of the Role type for use
 // with apply.
+//
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
 type RoleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                                []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // Role constructs a declarative configuration of the Role type for use with
@@ -46,29 +50,14 @@ func Role(name, namespace string) *RoleApplyConfiguration {
 	return b
 }
 
-// ExtractRole extracts the applied configuration owned by fieldManager from
-// role. If no managedFields are found in role for fieldManager, a
-// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleFrom extracts the applied configuration owned by fieldManager from
+// role for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // role must be a unmodified Role API object that was retrieved from the Kubernetes API.
-// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRole(role *rbacv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "")
-}
-
-// ExtractRoleStatus is the same as ExtractRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleStatus(role *rbacv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "status")
-}
-
-func extractRole(role *rbacv1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
+func ExtractRoleFrom(role *rbacv1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
 	b := &RoleApplyConfiguration{}
 	err := managedfields.ExtractInto(role, internal.Parser().Type("io.k8s.api.rbac.v1.Role"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +70,21 @@ func extractRole(role *rbacv1.Role, fieldManager string, subresource string) (*R
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractRole extracts the applied configuration owned by fieldManager from
+// role. If no managedFields are found in role for fieldManager, a
+// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// role must be a unmodified Role API object that was retrieved from the Kubernetes API.
+// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRole(role *rbacv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
+	return ExtractRoleFrom(role, fieldManager, "")
+}
+
 func (b RoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/rolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/rolebinding.go
index fcda064c0ba1d..776fb3ed300f8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/rolebinding.go
@@ -29,11 +29,20 @@ import (
 
 // RoleBindingApplyConfiguration represents a declarative configuration of the RoleBinding type for use
 // with apply.
+//
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
 type RoleBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                             []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                              *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // RoleBinding constructs a declarative configuration of the RoleBinding type for use with
@@ -47,29 +56,14 @@ func RoleBinding(name, namespace string) *RoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
-// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
-// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// roleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRoleBinding(roleBinding *rbacv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "")
-}
-
-// ExtractRoleBindingStatus is the same as ExtractRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleBindingStatus(roleBinding *rbacv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "status")
-}
-
-func extractRoleBinding(roleBinding *rbacv1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
+func ExtractRoleBindingFrom(roleBinding *rbacv1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
 	b := &RoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(roleBinding, internal.Parser().Type("io.k8s.api.rbac.v1.RoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +76,21 @@ func extractRoleBinding(roleBinding *rbacv1.RoleBinding, fieldManager string, su
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
+// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
+// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRoleBinding(roleBinding *rbacv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
+	return ExtractRoleBindingFrom(roleBinding, fieldManager, "")
+}
+
 func (b RoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/roleref.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/roleref.go
index 646a3bb194d8e..231fe0dd49279 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/roleref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/roleref.go
@@ -20,10 +20,15 @@ package v1
 
 // RoleRefApplyConfiguration represents a declarative configuration of the RoleRef type for use
 // with apply.
+//
+// RoleRef contains information that points to the role being used
 type RoleRefApplyConfiguration struct {
+	// APIGroup is the group for the resource being referenced
 	APIGroup *string `json:"apiGroup,omitempty"`
-	Kind     *string `json:"kind,omitempty"`
-	Name     *string `json:"name,omitempty"`
+	// Kind is the type of resource being referenced
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced
+	Name *string `json:"name,omitempty"`
 }
 
 // RoleRefApplyConfiguration constructs a declarative configuration of the RoleRef type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/subject.go
index e1d9c5cfb8142..1914086c0fc3f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1/subject.go
@@ -20,10 +20,21 @@ package v1
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
 type SubjectApplyConfiguration struct {
-	Kind      *string `json:"kind,omitempty"`
-	APIGroup  *string `json:"apiGroup,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind *string `json:"kind,omitempty"`
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Name of the object being referenced.
+	Name *string `json:"name,omitempty"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/aggregationrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/aggregationrule.go
index ff4aeb59e5e10..397d14a1acde6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/aggregationrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/aggregationrule.go
@@ -24,7 +24,11 @@ import (
 
 // AggregationRuleApplyConfiguration represents a declarative configuration of the AggregationRule type for use
 // with apply.
+//
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
 type AggregationRuleApplyConfiguration struct {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
 	ClusterRoleSelectors []v1.LabelSelectorApplyConfiguration `json:"clusterRoleSelectors,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrole.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrole.go
index e0ccc04be4d5f..678761e6a03ea 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrole.go
@@ -29,11 +29,19 @@ import (
 
 // ClusterRoleApplyConfiguration represents a declarative configuration of the ClusterRole type for use
 // with apply.
+//
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
 type ClusterRoleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                            []PolicyRuleApplyConfiguration     `json:"rules,omitempty"`
-	AggregationRule                  *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	AggregationRule *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
 }
 
 // ClusterRole constructs a declarative configuration of the ClusterRole type for use with
@@ -46,29 +54,14 @@ func ClusterRole(name string) *ClusterRoleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRole extracts the applied configuration owned by fieldManager from
-// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
-// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleFrom extracts the applied configuration owned by fieldManager from
+// clusterRole for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
-// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRole(clusterRole *rbacv1alpha1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "")
-}
-
-// ExtractClusterRoleStatus is the same as ExtractClusterRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleStatus(clusterRole *rbacv1alpha1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "status")
-}
-
-func extractClusterRole(clusterRole *rbacv1alpha1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
+func ExtractClusterRoleFrom(clusterRole *rbacv1alpha1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
 	b := &ClusterRoleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRole, internal.Parser().Type("io.k8s.api.rbac.v1alpha1.ClusterRole"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,21 @@ func extractClusterRole(clusterRole *rbacv1alpha1.ClusterRole, fieldManager stri
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractClusterRole extracts the applied configuration owned by fieldManager from
+// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
+// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
+// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRole(clusterRole *rbacv1alpha1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
+	return ExtractClusterRoleFrom(clusterRole, fieldManager, "")
+}
+
 func (b ClusterRoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrolebinding.go
index d7085ae9c60f8..f4ee74f18f3bb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/clusterrolebinding.go
@@ -29,11 +29,19 @@ import (
 
 // ClusterRoleBindingApplyConfiguration represents a declarative configuration of the ClusterRoleBinding type for use
 // with apply.
+//
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
 type ClusterRoleBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                         []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                          *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // ClusterRoleBinding constructs a declarative configuration of the ClusterRoleBinding type for use with
@@ -46,29 +54,14 @@ func ClusterRoleBinding(name string) *ClusterRoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
-// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
-// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1alpha1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "")
-}
-
-// ExtractClusterRoleBindingStatus is the same as ExtractClusterRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleBindingStatus(clusterRoleBinding *rbacv1alpha1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "status")
-}
-
-func extractClusterRoleBinding(clusterRoleBinding *rbacv1alpha1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
+func ExtractClusterRoleBindingFrom(clusterRoleBinding *rbacv1alpha1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
 	b := &ClusterRoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRoleBinding, internal.Parser().Type("io.k8s.api.rbac.v1alpha1.ClusterRoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,21 @@ func extractClusterRoleBinding(clusterRoleBinding *rbacv1alpha1.ClusterRoleBindi
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
+// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1alpha1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
+	return ExtractClusterRoleBindingFrom(clusterRoleBinding, fieldManager, "")
+}
+
 func (b ClusterRoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/policyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/policyrule.go
index 89d7a2914f784..f4a6d3fff7ddd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/policyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/policyrule.go
@@ -20,11 +20,26 @@ package v1alpha1
 
 // PolicyRuleApplyConfiguration represents a declarative configuration of the PolicyRule type for use
 // with apply.
+//
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
 type PolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
-	APIGroups       []string `json:"apiGroups,omitempty"`
-	Resources       []string `json:"resources,omitempty"`
-	ResourceNames   []string `json:"resourceNames,omitempty"`
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	Verbs []string `json:"verbs,omitempty"`
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// Resources is a list of resources this rule applies to. '*' represents all resources.
+	Resources []string `json:"resources,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/role.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/role.go
index 0cefea4f09212..19b123b2d20a6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/role.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/role.go
@@ -29,10 +29,15 @@ import (
 
 // RoleApplyConfiguration represents a declarative configuration of the Role type for use
 // with apply.
+//
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
 type RoleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                            []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // Role constructs a declarative configuration of the Role type for use with
@@ -46,29 +51,14 @@ func Role(name, namespace string) *RoleApplyConfiguration {
 	return b
 }
 
-// ExtractRole extracts the applied configuration owned by fieldManager from
-// role. If no managedFields are found in role for fieldManager, a
-// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleFrom extracts the applied configuration owned by fieldManager from
+// role for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // role must be a unmodified Role API object that was retrieved from the Kubernetes API.
-// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRole(role *rbacv1alpha1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "")
-}
-
-// ExtractRoleStatus is the same as ExtractRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleStatus(role *rbacv1alpha1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "status")
-}
-
-func extractRole(role *rbacv1alpha1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
+func ExtractRoleFrom(role *rbacv1alpha1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
 	b := &RoleApplyConfiguration{}
 	err := managedfields.ExtractInto(role, internal.Parser().Type("io.k8s.api.rbac.v1alpha1.Role"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +71,21 @@ func extractRole(role *rbacv1alpha1.Role, fieldManager string, subresource strin
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractRole extracts the applied configuration owned by fieldManager from
+// role. If no managedFields are found in role for fieldManager, a
+// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// role must be a unmodified Role API object that was retrieved from the Kubernetes API.
+// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRole(role *rbacv1alpha1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
+	return ExtractRoleFrom(role, fieldManager, "")
+}
+
 func (b RoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/rolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/rolebinding.go
index d40781804c4b9..116f293765cd3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/rolebinding.go
@@ -29,11 +29,20 @@ import (
 
 // RoleBindingApplyConfiguration represents a declarative configuration of the RoleBinding type for use
 // with apply.
+//
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
 type RoleBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                         []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                          *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // RoleBinding constructs a declarative configuration of the RoleBinding type for use with
@@ -47,29 +56,14 @@ func RoleBinding(name, namespace string) *RoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
-// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
-// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// roleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRoleBinding(roleBinding *rbacv1alpha1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "")
-}
-
-// ExtractRoleBindingStatus is the same as ExtractRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleBindingStatus(roleBinding *rbacv1alpha1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "status")
-}
-
-func extractRoleBinding(roleBinding *rbacv1alpha1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
+func ExtractRoleBindingFrom(roleBinding *rbacv1alpha1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
 	b := &RoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(roleBinding, internal.Parser().Type("io.k8s.api.rbac.v1alpha1.RoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +76,21 @@ func extractRoleBinding(roleBinding *rbacv1alpha1.RoleBinding, fieldManager stri
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
+// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
+// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRoleBinding(roleBinding *rbacv1alpha1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
+	return ExtractRoleBindingFrom(roleBinding, fieldManager, "")
+}
+
 func (b RoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/roleref.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/roleref.go
index 4b2553117df4b..a02a36be897e2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/roleref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/roleref.go
@@ -20,10 +20,15 @@ package v1alpha1
 
 // RoleRefApplyConfiguration represents a declarative configuration of the RoleRef type for use
 // with apply.
+//
+// RoleRef contains information that points to the role being used
 type RoleRefApplyConfiguration struct {
+	// APIGroup is the group for the resource being referenced
 	APIGroup *string `json:"apiGroup,omitempty"`
-	Kind     *string `json:"kind,omitempty"`
-	Name     *string `json:"name,omitempty"`
+	// Kind is the type of resource being referenced
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced
+	Name *string `json:"name,omitempty"`
 }
 
 // RoleRefApplyConfiguration constructs a declarative configuration of the RoleRef type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/subject.go
index 665b42af50f41..d24f865d4ee43 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1alpha1/subject.go
@@ -20,11 +20,22 @@ package v1alpha1
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
 type SubjectApplyConfiguration struct {
-	Kind       *string `json:"kind,omitempty"`
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind *string `json:"kind,omitempty"`
+	// APIVersion holds the API group and version of the referenced subject.
+	// Defaults to "v1" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
 	APIVersion *string `json:"apiVersion,omitempty"`
-	Name       *string `json:"name,omitempty"`
-	Namespace  *string `json:"namespace,omitempty"`
+	// Name of the object being referenced.
+	Name *string `json:"name,omitempty"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	Namespace *string `json:"namespace,omitempty"`
 }
 
 // SubjectApplyConfiguration constructs a declarative configuration of the Subject type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/aggregationrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/aggregationrule.go
index e9bb68dcb6858..b4c6bd5aed955 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/aggregationrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/aggregationrule.go
@@ -24,7 +24,11 @@ import (
 
 // AggregationRuleApplyConfiguration represents a declarative configuration of the AggregationRule type for use
 // with apply.
+//
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
 type AggregationRuleApplyConfiguration struct {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
 	ClusterRoleSelectors []v1.LabelSelectorApplyConfiguration `json:"clusterRoleSelectors,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrole.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrole.go
index 6fe51e22447c9..a105df5f0d597 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrole.go
@@ -29,11 +29,19 @@ import (
 
 // ClusterRoleApplyConfiguration represents a declarative configuration of the ClusterRole type for use
 // with apply.
+//
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
 type ClusterRoleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                            []PolicyRuleApplyConfiguration     `json:"rules,omitempty"`
-	AggregationRule                  *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	AggregationRule *AggregationRuleApplyConfiguration `json:"aggregationRule,omitempty"`
 }
 
 // ClusterRole constructs a declarative configuration of the ClusterRole type for use with
@@ -46,29 +54,14 @@ func ClusterRole(name string) *ClusterRoleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRole extracts the applied configuration owned by fieldManager from
-// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
-// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleFrom extracts the applied configuration owned by fieldManager from
+// clusterRole for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
-// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRole(clusterRole *rbacv1beta1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "")
-}
-
-// ExtractClusterRoleStatus is the same as ExtractClusterRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleStatus(clusterRole *rbacv1beta1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "status")
-}
-
-func extractClusterRole(clusterRole *rbacv1beta1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
+func ExtractClusterRoleFrom(clusterRole *rbacv1beta1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
 	b := &ClusterRoleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRole, internal.Parser().Type("io.k8s.api.rbac.v1beta1.ClusterRole"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,21 @@ func extractClusterRole(clusterRole *rbacv1beta1.ClusterRole, fieldManager strin
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractClusterRole extracts the applied configuration owned by fieldManager from
+// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
+// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
+// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRole(clusterRole *rbacv1beta1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
+	return ExtractClusterRoleFrom(clusterRole, fieldManager, "")
+}
+
 func (b ClusterRoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrolebinding.go
index e75ab7a883b90..c519c6e078423 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/clusterrolebinding.go
@@ -29,11 +29,19 @@ import (
 
 // ClusterRoleBindingApplyConfiguration represents a declarative configuration of the ClusterRoleBinding type for use
 // with apply.
+//
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
 type ClusterRoleBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                         []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                          *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // ClusterRoleBinding constructs a declarative configuration of the ClusterRoleBinding type for use with
@@ -46,29 +54,14 @@ func ClusterRoleBinding(name string) *ClusterRoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
-// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
-// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1beta1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "")
-}
-
-// ExtractClusterRoleBindingStatus is the same as ExtractClusterRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleBindingStatus(clusterRoleBinding *rbacv1beta1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "status")
-}
-
-func extractClusterRoleBinding(clusterRoleBinding *rbacv1beta1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
+func ExtractClusterRoleBindingFrom(clusterRoleBinding *rbacv1beta1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
 	b := &ClusterRoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRoleBinding, internal.Parser().Type("io.k8s.api.rbac.v1beta1.ClusterRoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +73,21 @@ func extractClusterRoleBinding(clusterRoleBinding *rbacv1beta1.ClusterRoleBindin
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
+// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRoleBinding(clusterRoleBinding *rbacv1beta1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
+	return ExtractClusterRoleBindingFrom(clusterRoleBinding, fieldManager, "")
+}
+
 func (b ClusterRoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/policyrule.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/policyrule.go
index dc630df206a99..bf3a5a50867e5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/policyrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/policyrule.go
@@ -20,11 +20,27 @@ package v1beta1
 
 // PolicyRuleApplyConfiguration represents a declarative configuration of the PolicyRule type for use
 // with apply.
+//
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
 type PolicyRuleApplyConfiguration struct {
-	Verbs           []string `json:"verbs,omitempty"`
-	APIGroups       []string `json:"apiGroups,omitempty"`
-	Resources       []string `json:"resources,omitempty"`
-	ResourceNames   []string `json:"resourceNames,omitempty"`
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	Verbs []string `json:"verbs,omitempty"`
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// Resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups.
+	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
+	Resources []string `json:"resources,omitempty"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
 	NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/role.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/role.go
index 7a628b9545292..d0a4c20c68c70 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/role.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/role.go
@@ -29,10 +29,15 @@ import (
 
 // RoleApplyConfiguration represents a declarative configuration of the Role type for use
 // with apply.
+//
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
 type RoleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                            []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // Role constructs a declarative configuration of the Role type for use with
@@ -46,29 +51,14 @@ func Role(name, namespace string) *RoleApplyConfiguration {
 	return b
 }
 
-// ExtractRole extracts the applied configuration owned by fieldManager from
-// role. If no managedFields are found in role for fieldManager, a
-// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleFrom extracts the applied configuration owned by fieldManager from
+// role for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // role must be a unmodified Role API object that was retrieved from the Kubernetes API.
-// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRole(role *rbacv1beta1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "")
-}
-
-// ExtractRoleStatus is the same as ExtractRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleStatus(role *rbacv1beta1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "status")
-}
-
-func extractRole(role *rbacv1beta1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
+func ExtractRoleFrom(role *rbacv1beta1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
 	b := &RoleApplyConfiguration{}
 	err := managedfields.ExtractInto(role, internal.Parser().Type("io.k8s.api.rbac.v1beta1.Role"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +71,21 @@ func extractRole(role *rbacv1beta1.Role, fieldManager string, subresource string
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractRole extracts the applied configuration owned by fieldManager from
+// role. If no managedFields are found in role for fieldManager, a
+// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// role must be a unmodified Role API object that was retrieved from the Kubernetes API.
+// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRole(role *rbacv1beta1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
+	return ExtractRoleFrom(role, fieldManager, "")
+}
+
 func (b RoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/rolebinding.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/rolebinding.go
index be180c3f5182b..64669c1033bce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/rolebinding.go
@@ -29,11 +29,20 @@ import (
 
 // RoleBindingApplyConfiguration represents a declarative configuration of the RoleBinding type for use
 // with apply.
+//
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
 type RoleBindingApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Subjects                         []SubjectApplyConfiguration `json:"subjects,omitempty"`
-	RoleRef                          *RoleRefApplyConfiguration  `json:"roleRef,omitempty"`
+	// Subjects holds references to the objects the role applies to.
+	Subjects []SubjectApplyConfiguration `json:"subjects,omitempty"`
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef *RoleRefApplyConfiguration `json:"roleRef,omitempty"`
 }
 
 // RoleBinding constructs a declarative configuration of the RoleBinding type for use with
@@ -47,29 +56,14 @@ func RoleBinding(name, namespace string) *RoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
-// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
-// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// roleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRoleBinding(roleBinding *rbacv1beta1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "")
-}
-
-// ExtractRoleBindingStatus is the same as ExtractRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleBindingStatus(roleBinding *rbacv1beta1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "status")
-}
-
-func extractRoleBinding(roleBinding *rbacv1beta1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
+func ExtractRoleBindingFrom(roleBinding *rbacv1beta1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
 	b := &RoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(roleBinding, internal.Parser().Type("io.k8s.api.rbac.v1beta1.RoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -82,6 +76,21 @@ func extractRoleBinding(roleBinding *rbacv1beta1.RoleBinding, fieldManager strin
 	b.WithAPIVersion("rbac.authorization.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
+// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
+// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRoleBinding(roleBinding *rbacv1beta1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
+	return ExtractRoleBindingFrom(roleBinding, fieldManager, "")
+}
+
 func (b RoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/roleref.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/roleref.go
index 19d0420a816ff..350930af7a0cc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/roleref.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/roleref.go
@@ -20,10 +20,15 @@ package v1beta1
 
 // RoleRefApplyConfiguration represents a declarative configuration of the RoleRef type for use
 // with apply.
+//
+// RoleRef contains information that points to the role being used
 type RoleRefApplyConfiguration struct {
+	// APIGroup is the group for the resource being referenced
 	APIGroup *string `json:"apiGroup,omitempty"`
-	Kind     *string `json:"kind,omitempty"`
-	Name     *string `json:"name,omitempty"`
+	// Kind is the type of resource being referenced
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced
+	Name *string `json:"name,omitempty"`
 }
 
 // RoleRefApplyConfiguration constructs a declarative configuration of the RoleRef type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/subject.go b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/subject.go
index f7c1a21a9ccfe..8abbaa9fb364d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/subject.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/rbac/v1beta1/subject.go
@@ -20,10 +20,21 @@ package v1beta1
 
 // SubjectApplyConfiguration represents a declarative configuration of the Subject type for use
 // with apply.
+//
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
 type SubjectApplyConfiguration struct {
-	Kind      *string `json:"kind,omitempty"`
-	APIGroup  *string `json:"apiGroup,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind *string `json:"kind,omitempty"`
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Name of the object being referenced.
+	Name *string `json:"name,omitempty"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocateddevicestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocateddevicestatus.go
index 2c2c415655410..3b04727e3457e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocateddevicestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocateddevicestatus.go
@@ -25,13 +25,42 @@ import (
 
 // AllocatedDeviceStatusApplyConfiguration represents a declarative configuration of the AllocatedDeviceStatus type for use
 // with apply.
+//
+// AllocatedDeviceStatus contains the status of an allocated device, if the
+// driver chooses to report it. This may include driver-specific information.
+//
+// The combination of Driver, Pool, Device, and ShareID must match the corresponding key
+// in Status.Allocation.Devices.
 type AllocatedDeviceStatusApplyConfiguration struct {
-	Driver      *string                              `json:"driver,omitempty"`
-	Pool        *string                              `json:"pool,omitempty"`
-	Device      *string                              `json:"device,omitempty"`
-	ShareID     *string                              `json:"shareID,omitempty"`
-	Conditions  []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
-	Data        *runtime.RawExtension                `json:"data,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device.
+	ShareID *string `json:"shareID,omitempty"`
+	// Conditions contains the latest observation of the device's state.
+	// If the device has been configured according to the class and claim
+	// config references, the `Ready` condition should be True.
+	//
+	// Must not contain more than 8 entries.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Data contains arbitrary driver-specific data.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// NetworkData contains network-related information specific to the device.
 	NetworkData *NetworkDeviceDataApplyConfiguration `json:"networkData,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocationresult.go
index b536e49d2a535..83f0b96895659 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/allocationresult.go
@@ -25,10 +25,20 @@ import (
 
 // AllocationResultApplyConfiguration represents a declarative configuration of the AllocationResult type for use
 // with apply.
+//
+// AllocationResult contains attributes of an allocated resource.
 type AllocationResultApplyConfiguration struct {
-	Devices             *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
-	NodeSelector        *corev1.NodeSelectorApplyConfiguration    `json:"nodeSelector,omitempty"`
-	AllocationTimestamp *metav1.Time                              `json:"allocationTimestamp,omitempty"`
+	// Devices is the result of allocating devices.
+	Devices *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
+	// NodeSelector defines where the allocated resources are available. If
+	// unset, they are available everywhere.
+	NodeSelector *corev1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllocationTimestamp stores the time when the resources were allocated.
+	// This field is not guaranteed to be set, in which case that time is unknown.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gate.
+	AllocationTimestamp *metav1.Time `json:"allocationTimestamp,omitempty"`
 }
 
 // AllocationResultApplyConfiguration constructs a declarative configuration of the AllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicy.go
index 2c016efa21530..43bd7e0142a5d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicy.go
@@ -24,10 +24,39 @@ import (
 
 // CapacityRequestPolicyApplyConfiguration represents a declarative configuration of the CapacityRequestPolicy type for use
 // with apply.
+//
+// CapacityRequestPolicy defines how requests consume device capacity.
+//
+// Must not set more than one ValidRequestValues.
 type CapacityRequestPolicyApplyConfiguration struct {
-	Default     *resource.Quantity                            `json:"default,omitempty"`
-	ValidValues []resource.Quantity                           `json:"validValues,omitempty"`
-	ValidRange  *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
+	// Default specifies how much of this capacity is consumed by a request
+	// that does not contain an entry for it in DeviceRequest's Capacity.
+	Default *resource.Quantity `json:"default,omitempty"`
+	// ValidValues defines a set of acceptable quantity values in consuming requests.
+	//
+	// Must not contain more than 10 entries.
+	// Must be sorted in ascending order.
+	//
+	// If this field is set,
+	// Default must be defined and it must be included in ValidValues list.
+	//
+	// If the requested amount does not match any valid value but smaller than some valid values,
+	// the scheduler calculates the smallest valid value that is greater than or equal to the request.
+	// That is: min(ceil(requestedValue) ∈ validValues), where requestedValue ≤ max(validValues).
+	//
+	// If the requested amount exceeds all valid values, the request violates the policy,
+	// and this device cannot be allocated.
+	ValidValues []resource.Quantity `json:"validValues,omitempty"`
+	// ValidRange defines an acceptable quantity value range in consuming requests.
+	//
+	// If this field is set,
+	// Default must be defined and it must fall within the defined ValidRange.
+	//
+	// If the requested amount does not fall within the defined range, the request violates the policy,
+	// and this device cannot be allocated.
+	//
+	// If the request doesn't contain this capacity entry, Default value is used.
+	ValidRange *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
 }
 
 // CapacityRequestPolicyApplyConfiguration constructs a declarative configuration of the CapacityRequestPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicyrange.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicyrange.go
index 6f486b48fae50..b3bade6113d1e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicyrange.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequestpolicyrange.go
@@ -24,9 +24,31 @@ import (
 
 // CapacityRequestPolicyRangeApplyConfiguration represents a declarative configuration of the CapacityRequestPolicyRange type for use
 // with apply.
+//
+// CapacityRequestPolicyRange defines a valid range for consumable capacity values.
+//
+// - If the requested amount is less than Min, it is rounded up to the Min value.
+// - If Step is set and the requested amount is between Min and Max but not aligned with Step,
+// it will be rounded up to the next value equal to Min + (n * Step).
+// - If Step is not set, the requested amount is used as-is if it falls within the range Min to Max (if set).
+// - If the requested or rounded amount exceeds Max (if set), the request does not satisfy the policy,
+// and the device cannot be allocated.
 type CapacityRequestPolicyRangeApplyConfiguration struct {
-	Min  *resource.Quantity `json:"min,omitempty"`
-	Max  *resource.Quantity `json:"max,omitempty"`
+	// Min specifies the minimum capacity allowed for a consumption request.
+	//
+	// Min must be greater than or equal to zero,
+	// and less than or equal to the capacity value.
+	// requestPolicy.default must be more than or equal to the minimum.
+	Min *resource.Quantity `json:"min,omitempty"`
+	// Max defines the upper limit for capacity that can be requested.
+	//
+	// Max must be less than or equal to the capacity value.
+	// Min and requestPolicy.default must be less than or equal to the maximum.
+	Max *resource.Quantity `json:"max,omitempty"`
+	// Step defines the step size between valid capacity amounts within the range.
+	//
+	// Max (if set) and requestPolicy.default must be a multiple of Step.
+	// Min + Step must be less than or equal to the capacity value.
 	Step *resource.Quantity `json:"step,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequirements.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequirements.go
index b6143efaaf247..83d321cd772d6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequirements.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/capacityrequirements.go
@@ -25,7 +25,31 @@ import (
 
 // CapacityRequirementsApplyConfiguration represents a declarative configuration of the CapacityRequirements type for use
 // with apply.
+//
+// CapacityRequirements defines the capacity requirements for a specific device request.
 type CapacityRequirementsApplyConfiguration struct {
+	// Requests represent individual device resource requests for distinct resources,
+	// all of which must be provided by the device.
+	//
+	// This value is used as an additional filtering condition against the available capacity on the device.
+	// This is semantically equivalent to a CEL selector with
+	// `device.capacity[<domain>].<name>.compareTo(quantity(<request quantity>)) >= 0`.
+	// For example, device.capacity['test-driver.cdi.k8s.io'].counters.compareTo(quantity('2')) >= 0.
+	//
+	// When a requestPolicy is defined, the requested amount is adjusted upward
+	// to the nearest valid value based on the policy.
+	// If the requested amount cannot be adjusted to a valid value—because it exceeds what the requestPolicy allows—
+	// the device is considered ineligible for allocation.
+	//
+	// For any capacity that is not explicitly requested:
+	// - If no requestPolicy is set, the default consumed capacity is equal to the full device capacity
+	// (i.e., the whole device is claimed).
+	// - If a requestPolicy is set, the default consumed capacity is determined according to that policy.
+	//
+	// If the device allows multiple allocation,
+	// the aggregated amount across all requests must not exceed the capacity value.
+	// The consumed capacity, which may be adjusted based on the requestPolicy if defined,
+	// is recorded in the resource claim’s status.devices[*].consumedCapacity field.
 	Requests map[resourcev1.QualifiedName]resource.Quantity `json:"requests,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/celdeviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/celdeviceselector.go
index 4d1e8ecb7c255..5a77aac95fad7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/celdeviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/celdeviceselector.go
@@ -20,7 +20,61 @@ package v1
 
 // CELDeviceSelectorApplyConfiguration represents a declarative configuration of the CELDeviceSelector type for use
 // with apply.
+//
+// CELDeviceSelector contains a CEL expression for selecting a device.
 type CELDeviceSelectorApplyConfiguration struct {
+	// Expression is a CEL expression which evaluates a single device. It
+	// must evaluate to true when the device under consideration satisfies
+	// the desired criteria, and false when it does not. Any other result
+	// is an error and causes allocation of devices to abort.
+	//
+	// The expression's input is an object named "device", which carries
+	// the following properties:
+	// - driver (string): the name of the driver which defines this device.
+	// - attributes (map[string]object): the device's attributes, grouped by prefix
+	// (e.g. device.attributes["dra.example.com"] evaluates to an object with all
+	// of the attributes which were prefixed by "dra.example.com".
+	// - capacity (map[string]object): the device's capacities, grouped by prefix.
+	// - allowMultipleAllocations (bool): the allowMultipleAllocations property of the device
+	// (v1.34+ with the DRAConsumableCapacity feature enabled).
+	//
+	// Example: Consider a device with driver="dra.example.com", which exposes
+	// two attributes named "model" and "ext.example.com/family" and which
+	// exposes one capacity named "modules". This input to this expression
+	// would have the following fields:
+	//
+	// device.driver
+	// device.attributes["dra.example.com"].model
+	// device.attributes["ext.example.com"].family
+	// device.capacity["dra.example.com"].modules
+	//
+	// The device.driver field can be used to check for a specific driver,
+	// either as a high-level precondition (i.e. you only want to consider
+	// devices from this driver) or as part of a multi-clause expression
+	// that is meant to consider devices from different drivers.
+	//
+	// The value type of each attribute is defined by the device
+	// definition, and users who write these expressions must consult the
+	// documentation for their specific drivers. The value type of each
+	// capacity is Quantity.
+	//
+	// If an unknown prefix is used as a lookup in either device.attributes
+	// or device.capacity, an empty map will be returned. Any reference to
+	// an unknown field will cause an evaluation error and allocation to
+	// abort.
+	//
+	// A robust expression should check for the existence of attributes
+	// before referencing them.
+	//
+	// For ease of use, the cel.bind() function is enabled, and can be used
+	// to simplify expressions that access multiple attributes with the
+	// same domain. For example:
+	//
+	// cel.bind(dra, device.attributes["dra.example.com"], dra.someBool && dra.anotherBool)
+	//
+	// The length of the expression must be smaller or equal to 10 Ki. The
+	// cost of evaluating it is also limited based on the estimated number
+	// of logical steps.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counter.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counter.go
index 92ec63bb4ed81..161b8e161f612 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counter.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counter.go
@@ -24,7 +24,10 @@ import (
 
 // CounterApplyConfiguration represents a declarative configuration of the Counter type for use
 // with apply.
+//
+// Counter describes a quantity associated with a device.
 type CounterApplyConfiguration struct {
+	// Value defines how much of a certain device counter is available.
 	Value *resource.Quantity `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counterset.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counterset.go
index 3a5d2863d0b6b..0874899095964 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counterset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/counterset.go
@@ -20,8 +20,23 @@ package v1
 
 // CounterSetApplyConfiguration represents a declarative configuration of the CounterSet type for use
 // with apply.
+//
+// CounterSet defines a named set of counters
+// that are available to be used by devices defined in the
+// ResourcePool.
+//
+// The counters are not allocatable by themselves, but
+// can be referenced by devices. When a device is allocated,
+// the portion of counters it uses will no longer be available for use
+// by other devices.
 type CounterSetApplyConfiguration struct {
-	Name     *string                              `json:"name,omitempty"`
+	// Name defines the name of the counter set.
+	// It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Counters defines the set of counters for this CounterSet
+	// The name of each counter must be unique in that set and must be a DNS label.
+	//
+	// The maximum number of counters is 32.
 	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/device.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/device.go
index 2b6b5bfe913bd..ca50f6024acb0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/device.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/device.go
@@ -25,19 +25,94 @@ import (
 
 // DeviceApplyConfiguration represents a declarative configuration of the Device type for use
 // with apply.
+//
+// Device represents one individual hardware instance that can be selected based
+// on its attributes. Besides the name, exactly one field must be set.
 type DeviceApplyConfiguration struct {
-	Name                     *string                                                        `json:"name,omitempty"`
-	Attributes               map[resourcev1.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
-	Capacity                 map[resourcev1.QualifiedName]DeviceCapacityApplyConfiguration  `json:"capacity,omitempty"`
-	ConsumesCounters         []DeviceCounterConsumptionApplyConfiguration                   `json:"consumesCounters,omitempty"`
-	NodeName                 *string                                                        `json:"nodeName,omitempty"`
-	NodeSelector             *corev1.NodeSelectorApplyConfiguration                         `json:"nodeSelector,omitempty"`
-	AllNodes                 *bool                                                          `json:"allNodes,omitempty"`
-	Taints                   []DeviceTaintApplyConfiguration                                `json:"taints,omitempty"`
-	BindsToNode              *bool                                                          `json:"bindsToNode,omitempty"`
-	BindingConditions        []string                                                       `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                                       `json:"bindingFailureConditions,omitempty"`
-	AllowMultipleAllocations *bool                                                          `json:"allowMultipleAllocations,omitempty"`
+	// Name is unique identifier among all devices managed by
+	// the driver in the pool. It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Attributes defines the set of attributes for this device.
+	// The name of each attribute must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Attributes map[resourcev1.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
+	// Capacity defines the set of capacities for this device.
+	// The name of each capacity must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Capacity map[resourcev1.QualifiedName]DeviceCapacityApplyConfiguration `json:"capacity,omitempty"`
+	// ConsumesCounters defines a list of references to sharedCounters
+	// and the set of counters that the device will
+	// consume from those counter sets.
+	//
+	// There can only be a single entry per counterSet.
+	//
+	// The maximum number of device counter consumptions per
+	// device is 2.
+	ConsumesCounters []DeviceCounterConsumptionApplyConfiguration `json:"consumesCounters,omitempty"`
+	// NodeName identifies the node where the device is available.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines the nodes where the device is available.
+	//
+	// Must use exactly one term.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeSelector *corev1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the device.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Taints []DeviceTaintApplyConfiguration `json:"taints,omitempty"`
+	// BindsToNode indicates if the usage of an allocation involving this device
+	// has to be limited to exactly the node that was chosen when allocating the claim.
+	// If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector
+	// to match the node where the allocation was made.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindsToNode *bool `json:"bindsToNode,omitempty"`
+	// BindingConditions defines the conditions for proceeding with binding.
+	// All of these conditions must be set in the per-device status
+	// conditions with a value of True to proceed with binding the pod to the node
+	// while scheduling the pod.
+	//
+	// The maximum number of binding conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions defines the conditions for binding failure.
+	// They may be set in the per-device status conditions.
+	// If any is set to "True", a binding failure occurred.
+	//
+	// The maximum number of binding failure conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
+	//
+	// If AllowMultipleAllocations is set to true, the device can be allocated more than once,
+	// and all of its capacity is consumable, regardless of whether the requestPolicy is defined or not.
+	AllowMultipleAllocations *bool `json:"allowMultipleAllocations,omitempty"`
 }
 
 // DeviceApplyConfiguration constructs a declarative configuration of the Device type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationconfiguration.go
index f1d009cc484b6..29e1ba427a959 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationconfiguration.go
@@ -24,9 +24,20 @@ import (
 
 // DeviceAllocationConfigurationApplyConfiguration represents a declarative configuration of the DeviceAllocationConfiguration type for use
 // with apply.
+//
+// DeviceAllocationConfiguration gets embedded in an AllocationResult.
 type DeviceAllocationConfigurationApplyConfiguration struct {
-	Source                                *resourcev1.AllocationConfigSource `json:"source,omitempty"`
-	Requests                              []string                           `json:"requests,omitempty"`
+	// Source records whether the configuration comes from a class and thus
+	// is not something that a normal user would have been able to set
+	// or from a claim.
+	Source *resourcev1.AllocationConfigSource `json:"source,omitempty"`
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, its applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
+	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationresult.go
index e95e45f283f4f..911f3a634dcf0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceallocationresult.go
@@ -20,9 +20,19 @@ package v1
 
 // DeviceAllocationResultApplyConfiguration represents a declarative configuration of the DeviceAllocationResult type for use
 // with apply.
+//
+// DeviceAllocationResult is the result of allocating devices.
 type DeviceAllocationResultApplyConfiguration struct {
+	// Results lists all allocated devices.
 	Results []DeviceRequestAllocationResultApplyConfiguration `json:"results,omitempty"`
-	Config  []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
+	// This field is a combination of all the claim and class configuration parameters.
+	// Drivers can distinguish between those based on a flag.
+	//
+	// This includes configuration parameters for drivers which have no allocated
+	// devices in the result because it is up to the drivers which configuration
+	// parameters they support. They can silently ignore unknown configuration
+	// parameters.
+	Config []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceattribute.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceattribute.go
index c2e5829a9c4a6..e41696ab8822a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceattribute.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceattribute.go
@@ -20,10 +20,17 @@ package v1
 
 // DeviceAttributeApplyConfiguration represents a declarative configuration of the DeviceAttribute type for use
 // with apply.
+//
+// DeviceAttribute must have exactly one field set.
 type DeviceAttributeApplyConfiguration struct {
-	IntValue     *int64  `json:"int,omitempty"`
-	BoolValue    *bool   `json:"bool,omitempty"`
-	StringValue  *string `json:"string,omitempty"`
+	// IntValue is a number.
+	IntValue *int64 `json:"int,omitempty"`
+	// BoolValue is a true/false value.
+	BoolValue *bool `json:"bool,omitempty"`
+	// StringValue is a string. Must not be longer than 64 characters.
+	StringValue *string `json:"string,omitempty"`
+	// VersionValue is a semantic version according to semver.org spec 2.0.0.
+	// Must not be longer than 64 characters.
 	VersionValue *string `json:"version,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecapacity.go
index 769b9cbcee3a0..322ca55a5f34c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecapacity.go
@@ -24,8 +24,24 @@ import (
 
 // DeviceCapacityApplyConfiguration represents a declarative configuration of the DeviceCapacity type for use
 // with apply.
+//
+// DeviceCapacity describes a quantity associated with a device.
 type DeviceCapacityApplyConfiguration struct {
-	Value         *resource.Quantity                       `json:"value,omitempty"`
+	// Value defines how much of a certain capacity that device has.
+	//
+	// This field reflects the fixed total capacity and does not change.
+	// The consumed amount is tracked separately by scheduler
+	// and does not affect this value.
+	Value *resource.Quantity `json:"value,omitempty"`
+	// RequestPolicy defines how this DeviceCapacity must be consumed
+	// when the device is allowed to be shared by multiple allocations.
+	//
+	// The Device must have allowMultipleAllocations set to true in order to set a requestPolicy.
+	//
+	// If unset, capacity requests are unconstrained:
+	// requests can consume any amount of capacity, as long as the total consumed
+	// across all allocations does not exceed the device's defined capacity.
+	// If request is also unset, default is the full capacity value.
 	RequestPolicy *CapacityRequestPolicyApplyConfiguration `json:"requestPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaim.go
index 8297805f2d0e3..1b85b4fa84366 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaim.go
@@ -20,10 +20,19 @@ package v1
 
 // DeviceClaimApplyConfiguration represents a declarative configuration of the DeviceClaim type for use
 // with apply.
+//
+// DeviceClaim defines how to request devices with a ResourceClaim.
 type DeviceClaimApplyConfiguration struct {
-	Requests    []DeviceRequestApplyConfiguration            `json:"requests,omitempty"`
-	Constraints []DeviceConstraintApplyConfiguration         `json:"constraints,omitempty"`
-	Config      []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
+	// Requests represent individual requests for distinct devices which
+	// must all be satisfied. If empty, nothing needs to be allocated.
+	Requests []DeviceRequestApplyConfiguration `json:"requests,omitempty"`
+	// These constraints must be satisfied by the set of devices that get
+	// allocated for the claim.
+	Constraints []DeviceConstraintApplyConfiguration `json:"constraints,omitempty"`
+	// This field holds configuration for multiple potential drivers which
+	// could satisfy requests in this claim. It is ignored while allocating
+	// the claim.
+	Config []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceClaimApplyConfiguration constructs a declarative configuration of the DeviceClaim type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaimconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaimconfiguration.go
index a5bae3bf91f6e..402cd877c9c72 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaimconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclaimconfiguration.go
@@ -20,7 +20,15 @@ package v1
 
 // DeviceClaimConfigurationApplyConfiguration represents a declarative configuration of the DeviceClaimConfiguration type for use
 // with apply.
+//
+// DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.
 type DeviceClaimConfigurationApplyConfiguration struct {
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, it applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
 	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclass.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclass.go
index 2c9ed5bb397fe..6d3bc7e76d75b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclass.go
@@ -29,10 +29,27 @@ import (
 
 // DeviceClassApplyConfiguration represents a declarative configuration of the DeviceClass type for use
 // with apply.
+//
+// DeviceClass is a vendor- or admin-provided resource that contains
+// device configuration and selectors. It can be referenced in
+// the device requests of a claim to apply these presets.
+// Cluster scoped.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type DeviceClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec defines what can be allocated and how to configure it.
+	//
+	// This is mutable. Consumers have to be prepared for classes changing
+	// at any time, either because they get updated or replaced. Claim
+	// allocations are done once based on whatever was set in classes at
+	// the time of allocation.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // DeviceClass constructs a declarative configuration of the DeviceClass type for use with
@@ -45,29 +62,14 @@ func DeviceClass(name string) *DeviceClassApplyConfiguration {
 	return b
 }
 
-// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
-// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
-// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDeviceClassFrom extracts the applied configuration owned by fieldManager from
+// deviceClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
-// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDeviceClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDeviceClass(deviceClass *resourcev1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "")
-}
-
-// ExtractDeviceClassStatus is the same as ExtractDeviceClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeviceClassStatus(deviceClass *resourcev1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "status")
-}
-
-func extractDeviceClass(deviceClass *resourcev1.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
+func ExtractDeviceClassFrom(deviceClass *resourcev1.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
 	b := &DeviceClassApplyConfiguration{}
 	err := managedfields.ExtractInto(deviceClass, internal.Parser().Type("io.k8s.api.resource.v1.DeviceClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +81,21 @@ func extractDeviceClass(deviceClass *resourcev1.DeviceClass, fieldManager string
 	b.WithAPIVersion("resource.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
+// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
+// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
+// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeviceClass(deviceClass *resourcev1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
+	return ExtractDeviceClassFrom(deviceClass, fieldManager, "")
+}
+
 func (b DeviceClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassconfiguration.go
index 73d7e15a7f464..c47fd9f85c755 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassconfiguration.go
@@ -20,6 +20,8 @@ package v1
 
 // DeviceClassConfigurationApplyConfiguration represents a declarative configuration of the DeviceClassConfiguration type for use
 // with apply.
+//
+// DeviceClassConfiguration is used in DeviceClass.
 type DeviceClassConfigurationApplyConfiguration struct {
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassspec.go
index 09500361e4cd8..a304c7d8d2b69 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceclassspec.go
@@ -20,10 +20,29 @@ package v1
 
 // DeviceClassSpecApplyConfiguration represents a declarative configuration of the DeviceClassSpec type for use
 // with apply.
+//
+// DeviceClassSpec is used in a [DeviceClass] to define what can be allocated
+// and how to configure it.
 type DeviceClassSpecApplyConfiguration struct {
-	Selectors            []DeviceSelectorApplyConfiguration           `json:"selectors,omitempty"`
-	Config               []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
-	ExtendedResourceName *string                                      `json:"extendedResourceName,omitempty"`
+	// Each selector must be satisfied by a device which is claimed via this class.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// Config defines configuration parameters that apply to each device that is claimed via this class.
+	// Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor
+	// configuration applies to exactly one driver.
+	//
+	// They are passed to the driver, but are not considered while allocating the claim.
+	Config []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
+	// ExtendedResourceName is the extended resource name for the devices of this class.
+	// The devices of this class can be used to satisfy a pod's extended resource requests.
+	// It has the same format as the name of a pod's extended resource.
+	// It should be unique among all the device classes in a cluster.
+	// If two device classes have the same name, then the class created later
+	// is picked to satisfy a pod's extended resource requests.
+	// If two classes are created at the same time, then the name of the class
+	// lexicographically sorted first is picked.
+	//
+	// This is an alpha field.
+	ExtendedResourceName *string `json:"extendedResourceName,omitempty"`
 }
 
 // DeviceClassSpecApplyConfiguration constructs a declarative configuration of the DeviceClassSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconfiguration.go
index 7f4b88a3d6971..c96749b0577b0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconfiguration.go
@@ -20,7 +20,12 @@ package v1
 
 // DeviceConfigurationApplyConfiguration represents a declarative configuration of the DeviceConfiguration type for use
 // with apply.
+//
+// DeviceConfiguration must have exactly one field set. It gets embedded
+// inline in some other structs which have other fields, so field names must
+// not conflict with those.
 type DeviceConfigurationApplyConfiguration struct {
+	// Opaque provides driver-specific configuration parameters.
 	Opaque *OpaqueDeviceConfigurationApplyConfiguration `json:"opaque,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconstraint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconstraint.go
index 1942f03f05bad..cd2467e694510 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconstraint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceconstraint.go
@@ -24,9 +24,42 @@ import (
 
 // DeviceConstraintApplyConfiguration represents a declarative configuration of the DeviceConstraint type for use
 // with apply.
+//
+// DeviceConstraint must have exactly one field set besides Requests.
 type DeviceConstraintApplyConfiguration struct {
-	Requests          []string                       `json:"requests,omitempty"`
-	MatchAttribute    *resourcev1.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// Requests is a list of the one or more requests in this claim which
+	// must co-satisfy this constraint. If a request is fulfilled by
+	// multiple devices, then all of the devices must satisfy the
+	// constraint. If this is not specified, this constraint applies to all
+	// requests in this claim.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the constraint applies to all subrequests.
+	Requests []string `json:"requests,omitempty"`
+	// MatchAttribute requires that all devices in question have this
+	// attribute and that its type and value are the same across those
+	// devices.
+	//
+	// For example, if you specified "dra.example.com/numa" (a hypothetical example!),
+	// then only devices in the same NUMA node will be chosen. A device which
+	// does not have that attribute will not be chosen. All devices should
+	// use a value of the same type for this attribute because that is part of
+	// its specification, but if one device doesn't, then it also will not be
+	// chosen.
+	//
+	// Must include the domain qualifier.
+	MatchAttribute *resourcev1.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// DistinctAttribute requires that all devices in question have this
+	// attribute and that its type and value are unique across those devices.
+	//
+	// This acts as the inverse of MatchAttribute.
+	//
+	// This constraint is used to avoid allocating multiple requests to the same device
+	// by ensuring attribute-level differentiation.
+	//
+	// This is useful for scenarios where resource requests must be fulfilled by separate physical devices.
+	// For example, a container requests two network interfaces that must be allocated from two different physical NICs.
 	DistinctAttribute *resourcev1.FullyQualifiedName `json:"distinctAttribute,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecounterconsumption.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecounterconsumption.go
index 6377d0041f14a..9bcd936db2934 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecounterconsumption.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicecounterconsumption.go
@@ -20,9 +20,17 @@ package v1
 
 // DeviceCounterConsumptionApplyConfiguration represents a declarative configuration of the DeviceCounterConsumption type for use
 // with apply.
+//
+// DeviceCounterConsumption defines a set of counters that
+// a device will consume from a CounterSet.
 type DeviceCounterConsumptionApplyConfiguration struct {
-	CounterSet *string                              `json:"counterSet,omitempty"`
-	Counters   map[string]CounterApplyConfiguration `json:"counters,omitempty"`
+	// CounterSet is the name of the set from which the
+	// counters defined will be consumed.
+	CounterSet *string `json:"counterSet,omitempty"`
+	// Counters defines the counters that will be consumed by the device.
+	//
+	// The maximum number of counters is 32.
+	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
 // DeviceCounterConsumptionApplyConfiguration constructs a declarative configuration of the DeviceCounterConsumption type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequest.go
index a17ecfc69dea0..57836ef30fe92 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequest.go
@@ -20,10 +20,42 @@ package v1
 
 // DeviceRequestApplyConfiguration represents a declarative configuration of the DeviceRequest type for use
 // with apply.
+//
+// DeviceRequest is a request for devices required for a claim.
+// This is typically a request for a single resource like a device, but can
+// also ask for several identical devices. With FirstAvailable it is also
+// possible to provide a prioritized list of requests.
 type DeviceRequestApplyConfiguration struct {
-	Name           *string                               `json:"name,omitempty"`
-	Exactly        *ExactDeviceRequestApplyConfiguration `json:"exactly,omitempty"`
-	FirstAvailable []DeviceSubRequestApplyConfiguration  `json:"firstAvailable,omitempty"`
+	// Name can be used to reference this request in a pod.spec.containers[].resources.claims
+	// entry and in a constraint of the claim.
+	//
+	// References using the name in the DeviceRequest will uniquely
+	// identify a request when the Exactly field is set. When the
+	// FirstAvailable field is set, a reference to the name of the
+	// DeviceRequest will match whatever subrequest is chosen by the
+	// scheduler.
+	//
+	// Must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Exactly specifies the details for a single request that must
+	// be met exactly for the request to be satisfied.
+	//
+	// One of Exactly or FirstAvailable must be set.
+	Exactly *ExactDeviceRequestApplyConfiguration `json:"exactly,omitempty"`
+	// FirstAvailable contains subrequests, of which exactly one will be
+	// selected by the scheduler. It tries to
+	// satisfy them in the order in which they are listed here. So if
+	// there are two entries in the list, the scheduler will only check
+	// the second one if it determines that the first one can not be used.
+	//
+	// DRA does not yet implement scoring, so the scheduler will
+	// select the first set of devices that satisfies all the
+	// requests in the claim. And if the requirements can
+	// be satisfied on more than one node, other scheduling features
+	// will determine which node is chosen. This means that the set of
+	// devices allocated to a claim might not be the optimal set
+	// available to the cluster. Scoring will be implemented later.
+	FirstAvailable []DeviceSubRequestApplyConfiguration `json:"firstAvailable,omitempty"`
 }
 
 // DeviceRequestApplyConfiguration constructs a declarative configuration of the DeviceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequestallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequestallocationresult.go
index e9f49aa7f80d1..8b38fd2887535 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequestallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicerequestallocationresult.go
@@ -26,17 +26,75 @@ import (
 
 // DeviceRequestAllocationResultApplyConfiguration represents a declarative configuration of the DeviceRequestAllocationResult type for use
 // with apply.
+//
+// DeviceRequestAllocationResult contains the allocation result for one request.
 type DeviceRequestAllocationResultApplyConfiguration struct {
-	Request                  *string                                        `json:"request,omitempty"`
-	Driver                   *string                                        `json:"driver,omitempty"`
-	Pool                     *string                                        `json:"pool,omitempty"`
-	Device                   *string                                        `json:"device,omitempty"`
-	AdminAccess              *bool                                          `json:"adminAccess,omitempty"`
-	Tolerations              []DeviceTolerationApplyConfiguration           `json:"tolerations,omitempty"`
-	BindingConditions        []string                                       `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                       `json:"bindingFailureConditions,omitempty"`
-	ShareID                  *types.UID                                     `json:"shareID,omitempty"`
-	ConsumedCapacity         map[resourcev1.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
+	// Request is the name of the request in the claim which caused this
+	// device to be allocated. If it references a subrequest in the
+	// firstAvailable list on a DeviceRequest, this field must
+	// include both the name of the main request and the subrequest
+	// using the format <main request>/<subrequest>.
+	//
+	// Multiple devices may have been allocated per request.
+	Request *string `json:"request,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// AdminAccess indicates that this device was allocated for
+	// administrative access. See the corresponding request field
+	// for a definition of mode.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// BindingConditions contains a copy of the BindingConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions contains a copy of the BindingFailureConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device,
+	// used when the device supports multiple simultaneous allocations.
+	// It serves as an additional map key to differentiate concurrent shares
+	// of the same device.
+	ShareID *types.UID `json:"shareID,omitempty"`
+	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
+	// The consumed amount may differ from the requested amount: it is rounded up to the nearest valid
+	// value based on the device’s requestPolicy if applicable (i.e., may not be less than the requested amount).
+	//
+	// The total consumed capacity for each device must not exceed the DeviceCapacity's Value.
+	//
+	// This field is populated only for devices that allow multiple allocations.
+	// All capacity entries are included, even if the consumed amount is zero.
+	ConsumedCapacity map[resourcev1.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
 }
 
 // DeviceRequestAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceRequestAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceselector.go
index 0426206a8f2f0..ba43ea2295574 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/deviceselector.go
@@ -20,7 +20,10 @@ package v1
 
 // DeviceSelectorApplyConfiguration represents a declarative configuration of the DeviceSelector type for use
 // with apply.
+//
+// DeviceSelector must have exactly one field set.
 type DeviceSelectorApplyConfiguration struct {
+	// CEL contains a CEL expression for selecting a device.
 	CEL *CELDeviceSelectorApplyConfiguration `json:"cel,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicesubrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicesubrequest.go
index 4d5df3122be15..f3ee27af3c48c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicesubrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicesubrequest.go
@@ -24,14 +24,91 @@ import (
 
 // DeviceSubRequestApplyConfiguration represents a declarative configuration of the DeviceSubRequest type for use
 // with apply.
+//
+// DeviceSubRequest describes a request for device provided in the
+// claim.spec.devices.requests[].firstAvailable array. Each
+// is typically a request for a single resource like a device, but can
+// also ask for several identical devices.
+//
+// DeviceSubRequest is similar to ExactDeviceRequest, but doesn't expose the
+// AdminAccess field as that one is only supported when requesting a
+// specific device.
 type DeviceSubRequestApplyConfiguration struct {
-	Name            *string                                 `json:"name,omitempty"`
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1.DeviceAllocationMode        `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// Name can be used to reference this subrequest in the list of constraints
+	// or the list of configurations for the claim. References must use the
+	// format <main request>/<subrequest>.
+	//
+	// Must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// subrequest.
+	//
+	// A class is required. Which classes are available depends on the cluster.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// subrequest. All selectors must be satisfied for a device to be
+	// considered.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this subrequest. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This subrequest is for all of the matching devices in a pool.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other subrequests must specify this field.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	Count *int64 `json:"count,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // DeviceSubRequestApplyConfiguration constructs a declarative configuration of the DeviceSubRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetaint.go
index c4e7a22172f11..db98da8b87967 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetaint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetaint.go
@@ -25,11 +25,27 @@ import (
 
 // DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
 // with apply.
+//
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
 type DeviceTaintApplyConfiguration struct {
-	Key       *string                       `json:"key,omitempty"`
-	Value     *string                       `json:"value,omitempty"`
-	Effect    *resourcev1.DeviceTaintEffect `json:"effect,omitempty"`
-	TimeAdded *metav1.Time                  `json:"timeAdded,omitempty"`
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
+	Effect *resourcev1.DeviceTaintEffect `json:"effect,omitempty"`
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	TimeAdded *metav1.Time `json:"timeAdded,omitempty"`
 }
 
 // DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetoleration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetoleration.go
index de995b25a44a0..6e6df9e705232 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetoleration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/devicetoleration.go
@@ -24,12 +24,33 @@ import (
 
 // DeviceTolerationApplyConfiguration represents a declarative configuration of the DeviceToleration type for use
 // with apply.
+//
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
 type DeviceTolerationApplyConfiguration struct {
-	Key               *string                              `json:"key,omitempty"`
-	Operator          *resourcev1.DeviceTolerationOperator `json:"operator,omitempty"`
-	Value             *string                              `json:"value,omitempty"`
-	Effect            *resourcev1.DeviceTaintEffect        `json:"effect,omitempty"`
-	TolerationSeconds *int64                               `json:"tolerationSeconds,omitempty"`
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	Operator *resourcev1.DeviceTolerationOperator `json:"operator,omitempty"`
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	Effect *resourcev1.DeviceTaintEffect `json:"effect,omitempty"`
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty"`
 }
 
 // DeviceTolerationApplyConfiguration constructs a declarative configuration of the DeviceToleration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/exactdevicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/exactdevicerequest.go
index 64d4f8d641ee5..130893c6d6841 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/exactdevicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/exactdevicerequest.go
@@ -24,14 +24,89 @@ import (
 
 // ExactDeviceRequestApplyConfiguration represents a declarative configuration of the ExactDeviceRequest type for use
 // with apply.
+//
+// ExactDeviceRequest is a request for one or more identical devices.
 type ExactDeviceRequestApplyConfiguration struct {
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1.DeviceAllocationMode        `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	AdminAccess     *bool                                   `json:"adminAccess,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// request.
+	//
+	// A DeviceClassName is required.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// request. All selectors must be satisfied for a device to be
+	// considered.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this request. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This request is for all of the matching devices in a pool.
+	// At least one device must exist on the node for the allocation to succeed.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other requests must specify this field.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	Count *int64 `json:"count,omitempty"`
+	// AdminAccess indicates that this is a claim for administrative access
+	// to the device(s). Claims with AdminAccess are expected to be used for
+	// monitoring or other management services for a device.  They ignore
+	// all ordinary claims to the device with respect to access modes and
+	// any resource allocations.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // ExactDeviceRequestApplyConfiguration constructs a declarative configuration of the ExactDeviceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/networkdevicedata.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/networkdevicedata.go
index 37bf604aadd71..5d0ee8fc50168 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/networkdevicedata.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/networkdevicedata.go
@@ -20,10 +20,27 @@ package v1
 
 // NetworkDeviceDataApplyConfiguration represents a declarative configuration of the NetworkDeviceData type for use
 // with apply.
+//
+// NetworkDeviceData provides network-related details for the allocated device.
+// This information may be filled by drivers or other components to configure
+// or identify the device within a network context.
 type NetworkDeviceDataApplyConfiguration struct {
-	InterfaceName   *string  `json:"interfaceName,omitempty"`
-	IPs             []string `json:"ips,omitempty"`
-	HardwareAddress *string  `json:"hardwareAddress,omitempty"`
+	// InterfaceName specifies the name of the network interface associated with
+	// the allocated device. This might be the name of a physical or virtual
+	// network interface being configured in the pod.
+	//
+	// Must not be longer than 256 characters.
+	InterfaceName *string `json:"interfaceName,omitempty"`
+	// IPs lists the network addresses assigned to the device's network interface.
+	// This can include both IPv4 and IPv6 addresses.
+	// The IPs are in the CIDR notation, which includes both the address and the
+	// associated subnet mask.
+	// e.g.: "192.0.2.5/24" for IPv4 and "2001:db8::5/64" for IPv6.
+	IPs []string `json:"ips,omitempty"`
+	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
+	//
+	// Must not be longer than 128 characters.
+	HardwareAddress *string `json:"hardwareAddress,omitempty"`
 }
 
 // NetworkDeviceDataApplyConfiguration constructs a declarative configuration of the NetworkDeviceData type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/opaquedeviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/opaquedeviceconfiguration.go
index 5df44a9c7ddd8..4e2210d72f63f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/opaquedeviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/opaquedeviceconfiguration.go
@@ -24,8 +24,25 @@ import (
 
 // OpaqueDeviceConfigurationApplyConfiguration represents a declarative configuration of the OpaqueDeviceConfiguration type for use
 // with apply.
+//
+// OpaqueDeviceConfiguration contains configuration parameters for a driver
+// in a format defined by the driver vendor.
 type OpaqueDeviceConfigurationApplyConfiguration struct {
-	Driver     *string               `json:"driver,omitempty"`
+	// Driver is used to determine which kubelet plugin needs
+	// to be passed these configuration parameters.
+	//
+	// An admission policy provided by the driver developer could use this
+	// to decide whether it needs to validate them.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// Parameters can contain arbitrary data. It is the responsibility of
+	// the driver developer to handle validation and versioning. Typically this
+	// includes self-identification and a version ("kind" + "apiVersion" for
+	// Kubernetes types), with conversion between different versions.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
 	Parameters *runtime.RawExtension `json:"parameters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaim.go
index dada5ca3c7181..240e181846495 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaim.go
@@ -29,11 +29,24 @@ import (
 
 // ResourceClaimApplyConfiguration represents a declarative configuration of the ResourceClaim type for use
 // with apply.
+//
+// ResourceClaim describes a request for access to resources in the cluster,
+// for use by workloads. For example, if a workload needs an accelerator device
+// with specific properties, this is how that request is expressed. The status
+// stanza tracks whether this claim has been satisfied and what specific
+// resources have been allocated.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ResourceClaimSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec describes what is being requested and how to configure it.
+	// The spec is immutable.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status describes whether the claim is ready to use and what has been allocated.
+	Status *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ResourceClaim constructs a declarative configuration of the ResourceClaim type for use with
@@ -47,6 +60,27 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 	return b
 }
 
+// ExtractResourceClaimFrom extracts the applied configuration owned by fieldManager from
+// resourceClaim for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// resourceClaim must be a unmodified ResourceClaim API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimFrom(resourceClaim *resourcev1.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
+	b := &ResourceClaimApplyConfiguration{}
+	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1.ResourceClaim"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(resourceClaim.Name)
+	b.WithNamespace(resourceClaim.Namespace)
+
+	b.WithKind("ResourceClaim")
+	b.WithAPIVersion("resource.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractResourceClaim extracts the applied configuration owned by fieldManager from
 // resourceClaim. If no managedFields are found in resourceClaim for fieldManager, a
 // ResourceClaimApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 // ExtractResourceClaim provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractResourceClaim(resourceClaim *resourcev1.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "")
 }
 
-// ExtractResourceClaimStatus is the same as ExtractResourceClaim except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractResourceClaimStatus extracts the applied configuration owned by fieldManager from
+// resourceClaim for the status subresource.
 func ExtractResourceClaimStatus(resourceClaim *resourcev1.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "status")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "status")
 }
 
-func extractResourceClaim(resourceClaim *resourcev1.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
-	b := &ResourceClaimApplyConfiguration{}
-	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1.ResourceClaim"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(resourceClaim.Name)
-	b.WithNamespace(resourceClaim.Namespace)
-
-	b.WithKind("ResourceClaim")
-	b.WithAPIVersion("resource.k8s.io/v1")
-	return b, nil
-}
 func (b ResourceClaimApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimconsumerreference.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimconsumerreference.go
index 7c761a44487a8..c0cf7d87fec20 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimconsumerreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimconsumerreference.go
@@ -24,11 +24,21 @@ import (
 
 // ResourceClaimConsumerReferenceApplyConfiguration represents a declarative configuration of the ResourceClaimConsumerReference type for use
 // with apply.
+//
+// ResourceClaimConsumerReference contains enough information to let you
+// locate the consumer of a ResourceClaim. The user must be a resource in the same
+// namespace as the ResourceClaim.
 type ResourceClaimConsumerReferenceApplyConfiguration struct {
-	APIGroup *string    `json:"apiGroup,omitempty"`
-	Resource *string    `json:"resource,omitempty"`
-	Name     *string    `json:"name,omitempty"`
-	UID      *types.UID `json:"uid,omitempty"`
+	// APIGroup is the group for the resource being referenced. It is
+	// empty for the core API. This matches the group in the APIVersion
+	// that is used when creating the resources.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Resource is the type of resource being referenced, for example "pods".
+	Resource *string `json:"resource,omitempty"`
+	// Name is the name of resource being referenced.
+	Name *string `json:"name,omitempty"`
+	// UID identifies exactly one incarnation of the resource.
+	UID *types.UID `json:"uid,omitempty"`
 }
 
 // ResourceClaimConsumerReferenceApplyConfiguration constructs a declarative configuration of the ResourceClaimConsumerReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimspec.go
index 7f05f4f99b1d4..7585c00c9dc05 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimspec.go
@@ -20,7 +20,10 @@ package v1
 
 // ResourceClaimSpecApplyConfiguration represents a declarative configuration of the ResourceClaimSpec type for use
 // with apply.
+//
+// ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.
 type ResourceClaimSpecApplyConfiguration struct {
+	// Devices defines how to request devices.
 	Devices *DeviceClaimApplyConfiguration `json:"devices,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimstatus.go
index 75865ba496173..15b05a56366da 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimstatus.go
@@ -20,10 +20,36 @@ package v1
 
 // ResourceClaimStatusApplyConfiguration represents a declarative configuration of the ResourceClaimStatus type for use
 // with apply.
+//
+// ResourceClaimStatus tracks whether the resource has been allocated and what
+// the result of that was.
 type ResourceClaimStatusApplyConfiguration struct {
-	Allocation  *AllocationResultApplyConfiguration                `json:"allocation,omitempty"`
+	// Allocation is set once the claim has been allocated successfully.
+	Allocation *AllocationResultApplyConfiguration `json:"allocation,omitempty"`
+	// ReservedFor indicates which entities are currently allowed to use
+	// the claim. A Pod which references a ResourceClaim which is not
+	// reserved for that Pod will not be started. A claim that is in
+	// use or might be in use because it has been reserved must not get
+	// deallocated.
+	//
+	// In a cluster with multiple scheduler instances, two pods might get
+	// scheduled concurrently by different schedulers. When they reference
+	// the same ResourceClaim which already has reached its maximum number
+	// of consumers, only one pod can be scheduled.
+	//
+	// Both schedulers try to add their pod to the claim.status.reservedFor
+	// field, but only the update that reaches the API server first gets
+	// stored. The other one fails with an error and the scheduler
+	// which issued it knows that it must put the pod back into the queue,
+	// waiting for the ResourceClaim to become usable again.
+	//
+	// There can be at most 256 such reservations. This may get increased in
+	// the future, but not reduced.
 	ReservedFor []ResourceClaimConsumerReferenceApplyConfiguration `json:"reservedFor,omitempty"`
-	Devices     []AllocatedDeviceStatusApplyConfiguration          `json:"devices,omitempty"`
+	// Devices contains the status of each device allocated for this
+	// claim, as reported by the driver. This can include driver-specific
+	// information. Entries are owned by their respective drivers.
+	Devices []AllocatedDeviceStatusApplyConfiguration `json:"devices,omitempty"`
 }
 
 // ResourceClaimStatusApplyConfiguration constructs a declarative configuration of the ResourceClaimStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplate.go
index 694246618415d..7bbadb7009512 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplate.go
@@ -29,10 +29,21 @@ import (
 
 // ResourceClaimTemplateApplyConfiguration represents a declarative configuration of the ResourceClaimTemplate type for use
 // with apply.
+//
+// ResourceClaimTemplate is used to produce ResourceClaim objects.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimTemplateApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
+	// Describes the ResourceClaim that is to be generated.
+	//
+	// This field is immutable. A ResourceClaim will get created by the
+	// control plane for a Pod when needed and then not get updated
+	// anymore.
+	Spec *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplate constructs a declarative configuration of the ResourceClaimTemplate type for use with
@@ -46,29 +57,14 @@ func ResourceClaimTemplate(name, namespace string) *ResourceClaimTemplateApplyCo
 	return b
 }
 
-// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
-// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
-// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceClaimTemplateFrom extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
-// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceClaimTemplateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "")
-}
-
-// ExtractResourceClaimTemplateStatus is the same as ExtractResourceClaimTemplate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceClaimTemplateStatus(resourceClaimTemplate *resourcev1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "status")
-}
-
-func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
+func ExtractResourceClaimTemplateFrom(resourceClaimTemplate *resourcev1.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
 	b := &ResourceClaimTemplateApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceClaimTemplate, internal.Parser().Type("io.k8s.api.resource.v1.ResourceClaimTemplate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +77,21 @@ func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1.ResourceClai
 	b.WithAPIVersion("resource.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
+// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
+	return ExtractResourceClaimTemplateFrom(resourceClaimTemplate, fieldManager, "")
+}
+
 func (b ResourceClaimTemplateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplatespec.go
index af7d877269ffa..0d2a2135afbdc 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceclaimtemplatespec.go
@@ -26,9 +26,17 @@ import (
 
 // ResourceClaimTemplateSpecApplyConfiguration represents a declarative configuration of the ResourceClaimTemplateSpec type for use
 // with apply.
+//
+// ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.
 type ResourceClaimTemplateSpecApplyConfiguration struct {
+	// ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim
+	// when creating it. No other fields are allowed and will be rejected during
+	// validation.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec for the ResourceClaim. The entire content is copied unchanged
+	// into the ResourceClaim that gets created from this template. The
+	// same fields as in a ResourceClaim are also valid here.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplateSpecApplyConfiguration constructs a declarative configuration of the ResourceClaimTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourcepool.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourcepool.go
index 22e06076dc623..2c779f3cad700 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourcepool.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourcepool.go
@@ -20,10 +20,34 @@ package v1
 
 // ResourcePoolApplyConfiguration represents a declarative configuration of the ResourcePool type for use
 // with apply.
+//
+// ResourcePool describes the pool that ResourceSlices belong to.
 type ResourcePoolApplyConfiguration struct {
-	Name               *string `json:"name,omitempty"`
-	Generation         *int64  `json:"generation,omitempty"`
-	ResourceSliceCount *int64  `json:"resourceSliceCount,omitempty"`
+	// Name is used to identify the pool. For node-local devices, this
+	// is often the node name, but this is not required.
+	//
+	// It must not be longer than 253 characters and must consist of one or more DNS sub-domains
+	// separated by slashes. This field is immutable.
+	Name *string `json:"name,omitempty"`
+	// Generation tracks the change in a pool over time. Whenever a driver
+	// changes something about one or more of the resources in a pool, it
+	// must change the generation in all ResourceSlices which are part of
+	// that pool. Consumers of ResourceSlices should only consider
+	// resources from the pool with the highest generation number. The
+	// generation may be reset by drivers, which should be fine for
+	// consumers, assuming that all ResourceSlices in a pool are updated to
+	// match or deleted.
+	//
+	// Combined with ResourceSliceCount, this mechanism enables consumers to
+	// detect pools which are comprised of multiple ResourceSlices and are
+	// in an incomplete state.
+	Generation *int64 `json:"generation,omitempty"`
+	// ResourceSliceCount is the total number of ResourceSlices in the pool at this
+	// generation number. Must be greater than zero.
+	//
+	// Consumers can use this to check whether they have seen all ResourceSlices
+	// belonging to the same pool.
+	ResourceSliceCount *int64 `json:"resourceSliceCount,omitempty"`
 }
 
 // ResourcePoolApplyConfiguration constructs a declarative configuration of the ResourcePool type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslice.go
index 6f9b202154f31..6c7ddf41e3f75 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslice.go
@@ -29,10 +29,39 @@ import (
 
 // ResourceSliceApplyConfiguration represents a declarative configuration of the ResourceSlice type for use
 // with apply.
+//
+// ResourceSlice represents one or more resources in a pool of similar resources,
+// managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many
+// ResourceSlices comprise a pool is determined by the driver.
+//
+// At the moment, the only supported resources are devices with attributes and capacities.
+// Each device in a given pool, regardless of how many ResourceSlices, must have a unique name.
+// The ResourceSlice in which a device gets published may change over time. The unique identifier
+// for a device is the tuple <driver name>, <pool name>, <device name>.
+//
+// Whenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number
+// and updates all ResourceSlices with that new number and new resource definitions. A consumer
+// must only use ResourceSlices with the highest generation number and ignore all others.
+//
+// When allocating all resources in a pool matching certain criteria or when
+// looking for the best solution among several different alternatives, a
+// consumer should check the number of ResourceSlices in a pool (included in
+// each ResourceSlice) to determine whether its view of a pool is complete and
+// if not, should wait until the driver has completed updating the pool.
+//
+// For resources that are not local to a node, the node name is not set. Instead,
+// the driver may use a node selector to specify where the devices are available.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceSliceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
+	// Contains the information published by the driver.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceSlice constructs a declarative configuration of the ResourceSlice type for use with
@@ -45,29 +74,14 @@ func ResourceSlice(name string) *ResourceSliceApplyConfiguration {
 	return b
 }
 
-// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
-// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
-// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceSliceFrom extracts the applied configuration owned by fieldManager from
+// resourceSlice for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
-// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceSliceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceSlice(resourceSlice *resourcev1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "")
-}
-
-// ExtractResourceSliceStatus is the same as ExtractResourceSlice except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceSliceStatus(resourceSlice *resourcev1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "status")
-}
-
-func extractResourceSlice(resourceSlice *resourcev1.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
+func ExtractResourceSliceFrom(resourceSlice *resourcev1.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
 	b := &ResourceSliceApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceSlice, internal.Parser().Type("io.k8s.api.resource.v1.ResourceSlice"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +93,21 @@ func extractResourceSlice(resourceSlice *resourcev1.ResourceSlice, fieldManager
 	b.WithAPIVersion("resource.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
+// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
+// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
+// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceSlice(resourceSlice *resourcev1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
+	return ExtractResourceSliceFrom(resourceSlice, fieldManager, "")
+}
+
 func (b ResourceSliceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslicespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslicespec.go
index c629a0923d1c6..b268fc8d7c65b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslicespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1/resourceslicespec.go
@@ -24,15 +24,64 @@ import (
 
 // ResourceSliceSpecApplyConfiguration represents a declarative configuration of the ResourceSliceSpec type for use
 // with apply.
+//
+// ResourceSliceSpec contains the information published by the driver in one ResourceSlice.
 type ResourceSliceSpecApplyConfiguration struct {
-	Driver                 *string                                `json:"driver,omitempty"`
-	Pool                   *ResourcePoolApplyConfiguration        `json:"pool,omitempty"`
-	NodeName               *string                                `json:"nodeName,omitempty"`
-	NodeSelector           *corev1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
-	AllNodes               *bool                                  `json:"allNodes,omitempty"`
-	Devices                []DeviceApplyConfiguration             `json:"devices,omitempty"`
-	PerDeviceNodeSelection *bool                                  `json:"perDeviceNodeSelection,omitempty"`
-	SharedCounters         []CounterSetApplyConfiguration         `json:"sharedCounters,omitempty"`
+	// Driver identifies the DRA driver providing the capacity information.
+	// A field selector can be used to list only ResourceSlice
+	// objects with a certain driver name.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
+	Driver *string `json:"driver,omitempty"`
+	// Pool describes the pool that this ResourceSlice belongs to.
+	Pool *ResourcePoolApplyConfiguration `json:"pool,omitempty"`
+	// NodeName identifies the node which provides the resources in this pool.
+	// A field selector can be used to list only ResourceSlice
+	// objects belonging to a certain node.
+	//
+	// This field can be used to limit access from nodes to ResourceSlices with
+	// the same node name. It also indicates to autoscalers that adding
+	// new nodes of the same type as some old node might also make new
+	// resources available.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	// This field is immutable.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines which nodes have access to the resources in the pool,
+	// when that pool is not limited to a single node.
+	//
+	// Must use exactly one term.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	NodeSelector *corev1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the resources in the pool.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// Devices lists some or all of the devices in this pool.
+	//
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	Devices []DeviceApplyConfiguration `json:"devices,omitempty"`
+	// PerDeviceNodeSelection defines whether the access from nodes to
+	// resources in the pool is set on the ResourceSlice level or on each
+	// device. If it is set to true, every device defined the ResourceSlice
+	// must specify this individually.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	PerDeviceNodeSelection *bool `json:"perDeviceNodeSelection,omitempty"`
+	// SharedCounters defines a list of counter sets, each of which
+	// has a name and a list of counters available.
+	//
+	// The names of the counter sets must be unique in the ResourcePool.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
+	SharedCounters []CounterSetApplyConfiguration `json:"sharedCounters,omitempty"`
 }
 
 // ResourceSliceSpecApplyConfiguration constructs a declarative configuration of the ResourceSliceSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/celdeviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/celdeviceselector.go
deleted file mode 100644
index c59b6a2e37039..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/celdeviceselector.go
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha3
-
-// CELDeviceSelectorApplyConfiguration represents a declarative configuration of the CELDeviceSelector type for use
-// with apply.
-type CELDeviceSelectorApplyConfiguration struct {
-	Expression *string `json:"expression,omitempty"`
-}
-
-// CELDeviceSelectorApplyConfiguration constructs a declarative configuration of the CELDeviceSelector type for use with
-// apply.
-func CELDeviceSelector() *CELDeviceSelectorApplyConfiguration {
-	return &CELDeviceSelectorApplyConfiguration{}
-}
-
-// WithExpression sets the Expression field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Expression field is set to the value of the last call.
-func (b *CELDeviceSelectorApplyConfiguration) WithExpression(value string) *CELDeviceSelectorApplyConfiguration {
-	b.Expression = &value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/deviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/deviceselector.go
deleted file mode 100644
index 574299d15e4e0..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/deviceselector.go
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha3
-
-// DeviceSelectorApplyConfiguration represents a declarative configuration of the DeviceSelector type for use
-// with apply.
-type DeviceSelectorApplyConfiguration struct {
-	CEL *CELDeviceSelectorApplyConfiguration `json:"cel,omitempty"`
-}
-
-// DeviceSelectorApplyConfiguration constructs a declarative configuration of the DeviceSelector type for use with
-// apply.
-func DeviceSelector() *DeviceSelectorApplyConfiguration {
-	return &DeviceSelectorApplyConfiguration{}
-}
-
-// WithCEL sets the CEL field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the CEL field is set to the value of the last call.
-func (b *DeviceSelectorApplyConfiguration) WithCEL(value *CELDeviceSelectorApplyConfiguration) *DeviceSelectorApplyConfiguration {
-	b.CEL = value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
index 0dcd9a58c3690..d9c2c6f48d9a0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
@@ -25,11 +25,27 @@ import (
 
 // DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
 // with apply.
+//
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
 type DeviceTaintApplyConfiguration struct {
-	Key       *string                             `json:"key,omitempty"`
-	Value     *string                             `json:"value,omitempty"`
-	Effect    *resourcev1alpha3.DeviceTaintEffect `json:"effect,omitempty"`
-	TimeAdded *v1.Time                            `json:"timeAdded,omitempty"`
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
+	Effect *resourcev1alpha3.DeviceTaintEffect `json:"effect,omitempty"`
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	TimeAdded *v1.Time `json:"timeAdded,omitempty"`
 }
 
 // DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
index f3327cf7585a9..b28d015de3d7a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
@@ -29,10 +29,20 @@ import (
 
 // DeviceTaintRuleApplyConfiguration represents a declarative configuration of the DeviceTaintRule type for use
 // with apply.
+//
+// DeviceTaintRule adds one taint to all devices which match the selector.
+// This has the same effect as if the taint was specified directly
+// in the ResourceSlice by the DRA driver.
 type DeviceTaintRuleApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeviceTaintRuleSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec specifies the selector and one taint.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *DeviceTaintRuleSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status provides information about what was requested in the spec.
+	Status *DeviceTaintRuleStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DeviceTaintRule constructs a declarative configuration of the DeviceTaintRule type for use with
@@ -45,6 +55,26 @@ func DeviceTaintRule(name string) *DeviceTaintRuleApplyConfiguration {
 	return b
 }
 
+// ExtractDeviceTaintRuleFrom extracts the applied configuration owned by fieldManager from
+// deviceTaintRule for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deviceTaintRule must be a unmodified DeviceTaintRule API object that was retrieved from the Kubernetes API.
+// ExtractDeviceTaintRuleFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeviceTaintRuleFrom(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string, subresource string) (*DeviceTaintRuleApplyConfiguration, error) {
+	b := &DeviceTaintRuleApplyConfiguration{}
+	err := managedfields.ExtractInto(deviceTaintRule, internal.Parser().Type("io.k8s.api.resource.v1alpha3.DeviceTaintRule"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deviceTaintRule.Name)
+
+	b.WithKind("DeviceTaintRule")
+	b.WithAPIVersion("resource.k8s.io/v1alpha3")
+	return b, nil
+}
+
 // ExtractDeviceTaintRule extracts the applied configuration owned by fieldManager from
 // deviceTaintRule. If no managedFields are found in deviceTaintRule for fieldManager, a
 // DeviceTaintRuleApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -55,30 +85,16 @@ func DeviceTaintRule(name string) *DeviceTaintRuleApplyConfiguration {
 // ExtractDeviceTaintRule provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeviceTaintRule(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string) (*DeviceTaintRuleApplyConfiguration, error) {
-	return extractDeviceTaintRule(deviceTaintRule, fieldManager, "")
+	return ExtractDeviceTaintRuleFrom(deviceTaintRule, fieldManager, "")
 }
 
-// ExtractDeviceTaintRuleStatus is the same as ExtractDeviceTaintRule except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDeviceTaintRuleStatus extracts the applied configuration owned by fieldManager from
+// deviceTaintRule for the status subresource.
 func ExtractDeviceTaintRuleStatus(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string) (*DeviceTaintRuleApplyConfiguration, error) {
-	return extractDeviceTaintRule(deviceTaintRule, fieldManager, "status")
+	return ExtractDeviceTaintRuleFrom(deviceTaintRule, fieldManager, "status")
 }
 
-func extractDeviceTaintRule(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string, subresource string) (*DeviceTaintRuleApplyConfiguration, error) {
-	b := &DeviceTaintRuleApplyConfiguration{}
-	err := managedfields.ExtractInto(deviceTaintRule, internal.Parser().Type("io.k8s.api.resource.v1alpha3.DeviceTaintRule"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deviceTaintRule.Name)
-
-	b.WithKind("DeviceTaintRule")
-	b.WithAPIVersion("resource.k8s.io/v1alpha3")
-	return b, nil
-}
 func (b DeviceTaintRuleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
@@ -247,6 +263,14 @@ func (b *DeviceTaintRuleApplyConfiguration) WithSpec(value *DeviceTaintRuleSpecA
 	return b
 }
 
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithStatus(value *DeviceTaintRuleStatusApplyConfiguration) *DeviceTaintRuleApplyConfiguration {
+	b.Status = value
+	return b
+}
+
 // GetKind retrieves the value of the Kind field in the declarative configuration.
 func (b *DeviceTaintRuleApplyConfiguration) GetKind() *string {
 	return b.TypeMetaApplyConfiguration.Kind
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
index a14ada3d45075..bbdee4ee260ce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
@@ -20,9 +20,16 @@ package v1alpha3
 
 // DeviceTaintRuleSpecApplyConfiguration represents a declarative configuration of the DeviceTaintRuleSpec type for use
 // with apply.
+//
+// DeviceTaintRuleSpec specifies the selector and one taint.
 type DeviceTaintRuleSpecApplyConfiguration struct {
+	// DeviceSelector defines which device(s) the taint is applied to.
+	// All selector criteria must be satisfied for a device to
+	// match. The empty selector matches all devices. Without
+	// a selector, no devices are matches.
 	DeviceSelector *DeviceTaintSelectorApplyConfiguration `json:"deviceSelector,omitempty"`
-	Taint          *DeviceTaintApplyConfiguration         `json:"taint,omitempty"`
+	// The taint that gets applied to matching devices.
+	Taint *DeviceTaintApplyConfiguration `json:"taint,omitempty"`
 }
 
 // DeviceTaintRuleSpecApplyConfiguration constructs a declarative configuration of the DeviceTaintRuleSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulestatus.go
new file mode 100644
index 0000000000000..1cbc143348d59
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulestatus.go
@@ -0,0 +1,70 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// DeviceTaintRuleStatusApplyConfiguration represents a declarative configuration of the DeviceTaintRuleStatus type for use
+// with apply.
+//
+// DeviceTaintRuleStatus provides information about an on-going pod eviction.
+type DeviceTaintRuleStatusApplyConfiguration struct {
+	// Conditions provide information about the state of the DeviceTaintRule
+	// and the cluster at some point in time,
+	// in a machine-readable and human-readable format.
+	//
+	// The following condition is currently defined as part of this API, more may
+	// get added:
+	// - Type: EvictionInProgress
+	// - Status: True if there are currently pods which need to be evicted, False otherwise
+	// (includes the effects which don't cause eviction).
+	// - Reason: not specified, may change
+	// - Message: includes information about number of pending pods and already evicted pods
+	// in a human-readable format, updated periodically, may change
+	//
+	// For `effect: None`, the condition above gets set once for each change to
+	// the spec, with the message containing information about what would happen
+	// if the effect was `NoExecute`. This feedback can be used to decide whether
+	// changing the effect to `NoExecute` will work as intended. It only gets
+	// set once to avoid having to constantly update the status.
+	//
+	// Must have 8 or fewer entries.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// DeviceTaintRuleStatusApplyConfiguration constructs a declarative configuration of the DeviceTaintRuleStatus type for use with
+// apply.
+func DeviceTaintRuleStatus() *DeviceTaintRuleStatusApplyConfiguration {
+	return &DeviceTaintRuleStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *DeviceTaintRuleStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *DeviceTaintRuleStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
index aecb2aa2458db..a1a06fd34347b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
@@ -20,12 +20,29 @@ package v1alpha3
 
 // DeviceTaintSelectorApplyConfiguration represents a declarative configuration of the DeviceTaintSelector type for use
 // with apply.
+//
+// DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to.
+// The empty selector matches all devices. Without a selector, no devices
+// are matched.
 type DeviceTaintSelectorApplyConfiguration struct {
-	DeviceClassName *string                            `json:"deviceClassName,omitempty"`
-	Driver          *string                            `json:"driver,omitempty"`
-	Pool            *string                            `json:"pool,omitempty"`
-	Device          *string                            `json:"device,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// If driver is set, only devices from that driver are selected.
+	// This fields corresponds to slice.spec.driver.
+	Driver *string `json:"driver,omitempty"`
+	// If pool is set, only devices in that pool are selected.
+	//
+	// Also setting the driver name may be useful to avoid
+	// ambiguity when different drivers use the same pool name,
+	// but this is not required because selecting pools from
+	// different drivers may also be useful, for example when
+	// drivers with node-local devices use the node name as
+	// their pool name.
+	Pool *string `json:"pool,omitempty"`
+	// If device is set, only devices with that name are selected.
+	// This field corresponds to slice.spec.devices[].name.
+	//
+	// Setting also driver and pool may be required to avoid ambiguity,
+	// but is not required.
+	Device *string `json:"device,omitempty"`
 }
 
 // DeviceTaintSelectorApplyConfiguration constructs a declarative configuration of the DeviceTaintSelector type for use with
@@ -34,14 +51,6 @@ func DeviceTaintSelector() *DeviceTaintSelectorApplyConfiguration {
 	return &DeviceTaintSelectorApplyConfiguration{}
 }
 
-// WithDeviceClassName sets the DeviceClassName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the DeviceClassName field is set to the value of the last call.
-func (b *DeviceTaintSelectorApplyConfiguration) WithDeviceClassName(value string) *DeviceTaintSelectorApplyConfiguration {
-	b.DeviceClassName = &value
-	return b
-}
-
 // WithDriver sets the Driver field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Driver field is set to the value of the last call.
@@ -65,16 +74,3 @@ func (b *DeviceTaintSelectorApplyConfiguration) WithDevice(value string) *Device
 	b.Device = &value
 	return b
 }
-
-// WithSelectors adds the given value to the Selectors field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the Selectors field.
-func (b *DeviceTaintSelectorApplyConfiguration) WithSelectors(values ...*DeviceSelectorApplyConfiguration) *DeviceTaintSelectorApplyConfiguration {
-	for i := range values {
-		if values[i] == nil {
-			panic("nil value passed to WithSelectors")
-		}
-		b.Selectors = append(b.Selectors, *values[i])
-	}
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocateddevicestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocateddevicestatus.go
index 3fe28a394f038..45b08dfe6787d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocateddevicestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocateddevicestatus.go
@@ -25,13 +25,42 @@ import (
 
 // AllocatedDeviceStatusApplyConfiguration represents a declarative configuration of the AllocatedDeviceStatus type for use
 // with apply.
+//
+// AllocatedDeviceStatus contains the status of an allocated device, if the
+// driver chooses to report it. This may include driver-specific information.
+//
+// The combination of Driver, Pool, Device, and ShareID must match the corresponding key
+// in Status.Allocation.Devices.
 type AllocatedDeviceStatusApplyConfiguration struct {
-	Driver      *string                              `json:"driver,omitempty"`
-	Pool        *string                              `json:"pool,omitempty"`
-	Device      *string                              `json:"device,omitempty"`
-	ShareID     *string                              `json:"shareID,omitempty"`
-	Conditions  []v1.ConditionApplyConfiguration     `json:"conditions,omitempty"`
-	Data        *runtime.RawExtension                `json:"data,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device.
+	ShareID *string `json:"shareID,omitempty"`
+	// Conditions contains the latest observation of the device's state.
+	// If the device has been configured according to the class and claim
+	// config references, the `Ready` condition should be True.
+	//
+	// Must not contain more than 8 entries.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Data contains arbitrary driver-specific data.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// NetworkData contains network-related information specific to the device.
 	NetworkData *NetworkDeviceDataApplyConfiguration `json:"networkData,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocationresult.go
index f031f97433a0f..f6fd7e2034fd5 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/allocationresult.go
@@ -25,10 +25,20 @@ import (
 
 // AllocationResultApplyConfiguration represents a declarative configuration of the AllocationResult type for use
 // with apply.
+//
+// AllocationResult contains attributes of an allocated resource.
 type AllocationResultApplyConfiguration struct {
-	Devices             *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
-	NodeSelector        *v1.NodeSelectorApplyConfiguration        `json:"nodeSelector,omitempty"`
-	AllocationTimestamp *metav1.Time                              `json:"allocationTimestamp,omitempty"`
+	// Devices is the result of allocating devices.
+	Devices *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
+	// NodeSelector defines where the allocated resources are available. If
+	// unset, they are available everywhere.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllocationTimestamp stores the time when the resources were allocated.
+	// This field is not guaranteed to be set, in which case that time is unknown.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gate.
+	AllocationTimestamp *metav1.Time `json:"allocationTimestamp,omitempty"`
 }
 
 // AllocationResultApplyConfiguration constructs a declarative configuration of the AllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
index e792ca24d4b3f..8a0241a2f3ae6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
@@ -25,18 +25,90 @@ import (
 
 // BasicDeviceApplyConfiguration represents a declarative configuration of the BasicDevice type for use
 // with apply.
+//
+// BasicDevice defines one device instance.
 type BasicDeviceApplyConfiguration struct {
-	Attributes               map[resourcev1beta1.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
-	Capacity                 map[resourcev1beta1.QualifiedName]DeviceCapacityApplyConfiguration  `json:"capacity,omitempty"`
-	ConsumesCounters         []DeviceCounterConsumptionApplyConfiguration                        `json:"consumesCounters,omitempty"`
-	NodeName                 *string                                                             `json:"nodeName,omitempty"`
-	NodeSelector             *v1.NodeSelectorApplyConfiguration                                  `json:"nodeSelector,omitempty"`
-	AllNodes                 *bool                                                               `json:"allNodes,omitempty"`
-	Taints                   []DeviceTaintApplyConfiguration                                     `json:"taints,omitempty"`
-	BindsToNode              *bool                                                               `json:"bindsToNode,omitempty"`
-	BindingConditions        []string                                                            `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                                            `json:"bindingFailureConditions,omitempty"`
-	AllowMultipleAllocations *bool                                                               `json:"allowMultipleAllocations,omitempty"`
+	// Attributes defines the set of attributes for this device.
+	// The name of each attribute must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Attributes map[resourcev1beta1.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
+	// Capacity defines the set of capacities for this device.
+	// The name of each capacity must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Capacity map[resourcev1beta1.QualifiedName]DeviceCapacityApplyConfiguration `json:"capacity,omitempty"`
+	// ConsumesCounters defines a list of references to sharedCounters
+	// and the set of counters that the device will
+	// consume from those counter sets.
+	//
+	// There can only be a single entry per counterSet.
+	//
+	// The maximum number of device counter consumptions per
+	// device is 2.
+	ConsumesCounters []DeviceCounterConsumptionApplyConfiguration `json:"consumesCounters,omitempty"`
+	// NodeName identifies the node where the device is available.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines the nodes where the device is available.
+	//
+	// Must use exactly one term.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the device.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Taints []DeviceTaintApplyConfiguration `json:"taints,omitempty"`
+	// BindsToNode indicates if the usage of an allocation involving this device
+	// has to be limited to exactly the node that was chosen when allocating the claim.
+	// If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector
+	// to match the node where the allocation was made.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindsToNode *bool `json:"bindsToNode,omitempty"`
+	// BindingConditions defines the conditions for proceeding with binding.
+	// All of these conditions must be set in the per-device status
+	// conditions with a value of True to proceed with binding the pod to the node
+	// while scheduling the pod.
+	//
+	// The maximum number of binding conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions defines the conditions for binding failure.
+	// They may be set in the per-device status conditions.
+	// If any is true, a binding failure occurred.
+	//
+	// The maximum number of binding failure conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
+	//
+	// If AllowMultipleAllocations is set to true, the device can be allocated more than once,
+	// and all of its capacity is consumable, regardless of whether the requestPolicy is defined or not.
+	AllowMultipleAllocations *bool `json:"allowMultipleAllocations,omitempty"`
 }
 
 // BasicDeviceApplyConfiguration constructs a declarative configuration of the BasicDevice type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicy.go
index 2f76a55dbeaf7..6c6aa2b8a2604 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicy.go
@@ -24,10 +24,39 @@ import (
 
 // CapacityRequestPolicyApplyConfiguration represents a declarative configuration of the CapacityRequestPolicy type for use
 // with apply.
+//
+// CapacityRequestPolicy defines how requests consume device capacity.
+//
+// Must not set more than one ValidRequestValues.
 type CapacityRequestPolicyApplyConfiguration struct {
-	Default     *resource.Quantity                            `json:"default,omitempty"`
-	ValidValues []resource.Quantity                           `json:"validValues,omitempty"`
-	ValidRange  *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
+	// Default specifies how much of this capacity is consumed by a request
+	// that does not contain an entry for it in DeviceRequest's Capacity.
+	Default *resource.Quantity `json:"default,omitempty"`
+	// ValidValues defines a set of acceptable quantity values in consuming requests.
+	//
+	// Must not contain more than 10 entries.
+	// Must be sorted in ascending order.
+	//
+	// If this field is set,
+	// Default must be defined and it must be included in ValidValues list.
+	//
+	// If the requested amount does not match any valid value but smaller than some valid values,
+	// the scheduler calculates the smallest valid value that is greater than or equal to the request.
+	// That is: min(ceil(requestedValue) ∈ validValues), where requestedValue ≤ max(validValues).
+	//
+	// If the requested amount exceeds all valid values, the request violates the policy,
+	// and this device cannot be allocated.
+	ValidValues []resource.Quantity `json:"validValues,omitempty"`
+	// ValidRange defines an acceptable quantity value range in consuming requests.
+	//
+	// If this field is set,
+	// Default must be defined and it must fall within the defined ValidRange.
+	//
+	// If the requested amount does not fall within the defined range, the request violates the policy,
+	// and this device cannot be allocated.
+	//
+	// If the request doesn't contain this capacity entry, Default value is used.
+	ValidRange *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
 }
 
 // CapacityRequestPolicyApplyConfiguration constructs a declarative configuration of the CapacityRequestPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicyrange.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicyrange.go
index ec67e8dfe5c14..cddfe6daf9af6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicyrange.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequestpolicyrange.go
@@ -24,9 +24,31 @@ import (
 
 // CapacityRequestPolicyRangeApplyConfiguration represents a declarative configuration of the CapacityRequestPolicyRange type for use
 // with apply.
+//
+// CapacityRequestPolicyRange defines a valid range for consumable capacity values.
+//
+// - If the requested amount is less than Min, it is rounded up to the Min value.
+// - If Step is set and the requested amount is between Min and Max but not aligned with Step,
+// it will be rounded up to the next value equal to Min + (n * Step).
+// - If Step is not set, the requested amount is used as-is if it falls within the range Min to Max (if set).
+// - If the requested or rounded amount exceeds Max (if set), the request does not satisfy the policy,
+// and the device cannot be allocated.
 type CapacityRequestPolicyRangeApplyConfiguration struct {
-	Min  *resource.Quantity `json:"min,omitempty"`
-	Max  *resource.Quantity `json:"max,omitempty"`
+	// Min specifies the minimum capacity allowed for a consumption request.
+	//
+	// Min must be greater than or equal to zero,
+	// and less than or equal to the capacity value.
+	// requestPolicy.default must be more than or equal to the minimum.
+	Min *resource.Quantity `json:"min,omitempty"`
+	// Max defines the upper limit for capacity that can be requested.
+	//
+	// Max must be less than or equal to the capacity value.
+	// Min and requestPolicy.default must be less than or equal to the maximum.
+	Max *resource.Quantity `json:"max,omitempty"`
+	// Step defines the step size between valid capacity amounts within the range.
+	//
+	// Max (if set) and requestPolicy.default must be a multiple of Step.
+	// Min + Step must be less than or equal to the capacity value.
 	Step *resource.Quantity `json:"step,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequirements.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequirements.go
index c78618f4e66bd..03662a8c7a864 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequirements.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/capacityrequirements.go
@@ -25,7 +25,31 @@ import (
 
 // CapacityRequirementsApplyConfiguration represents a declarative configuration of the CapacityRequirements type for use
 // with apply.
+//
+// CapacityRequirements defines the capacity requirements for a specific device request.
 type CapacityRequirementsApplyConfiguration struct {
+	// Requests represent individual device resource requests for distinct resources,
+	// all of which must be provided by the device.
+	//
+	// This value is used as an additional filtering condition against the available capacity on the device.
+	// This is semantically equivalent to a CEL selector with
+	// `device.capacity[<domain>].<name>.compareTo(quantity(<request quantity>)) >= 0`.
+	// For example, device.capacity['test-driver.cdi.k8s.io'].counters.compareTo(quantity('2')) >= 0.
+	//
+	// When a requestPolicy is defined, the requested amount is adjusted upward
+	// to the nearest valid value based on the policy.
+	// If the requested amount cannot be adjusted to a valid value—because it exceeds what the requestPolicy allows—
+	// the device is considered ineligible for allocation.
+	//
+	// For any capacity that is not explicitly requested:
+	// - If no requestPolicy is set, the default consumed capacity is equal to the full device capacity
+	// (i.e., the whole device is claimed).
+	// - If a requestPolicy is set, the default consumed capacity is determined according to that policy.
+	//
+	// If the device allows multiple allocation,
+	// the aggregated amount across all requests must not exceed the capacity value.
+	// The consumed capacity, which may be adjusted based on the requestPolicy if defined,
+	// is recorded in the resource claim’s status.devices[*].consumedCapacity field.
 	Requests map[resourcev1beta1.QualifiedName]resource.Quantity `json:"requests,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/celdeviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/celdeviceselector.go
index c4a28bbf8ab7b..42708c5c9f830 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/celdeviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/celdeviceselector.go
@@ -20,7 +20,61 @@ package v1beta1
 
 // CELDeviceSelectorApplyConfiguration represents a declarative configuration of the CELDeviceSelector type for use
 // with apply.
+//
+// CELDeviceSelector contains a CEL expression for selecting a device.
 type CELDeviceSelectorApplyConfiguration struct {
+	// Expression is a CEL expression which evaluates a single device. It
+	// must evaluate to true when the device under consideration satisfies
+	// the desired criteria, and false when it does not. Any other result
+	// is an error and causes allocation of devices to abort.
+	//
+	// The expression's input is an object named "device", which carries
+	// the following properties:
+	// - driver (string): the name of the driver which defines this device.
+	// - attributes (map[string]object): the device's attributes, grouped by prefix
+	// (e.g. device.attributes["dra.example.com"] evaluates to an object with all
+	// of the attributes which were prefixed by "dra.example.com".
+	// - capacity (map[string]object): the device's capacities, grouped by prefix.
+	// - allowMultipleAllocations (bool): the allowMultipleAllocations property of the device
+	// (v1.34+ with the DRAConsumableCapacity feature enabled).
+	//
+	// Example: Consider a device with driver="dra.example.com", which exposes
+	// two attributes named "model" and "ext.example.com/family" and which
+	// exposes one capacity named "modules". This input to this expression
+	// would have the following fields:
+	//
+	// device.driver
+	// device.attributes["dra.example.com"].model
+	// device.attributes["ext.example.com"].family
+	// device.capacity["dra.example.com"].modules
+	//
+	// The device.driver field can be used to check for a specific driver,
+	// either as a high-level precondition (i.e. you only want to consider
+	// devices from this driver) or as part of a multi-clause expression
+	// that is meant to consider devices from different drivers.
+	//
+	// The value type of each attribute is defined by the device
+	// definition, and users who write these expressions must consult the
+	// documentation for their specific drivers. The value type of each
+	// capacity is Quantity.
+	//
+	// If an unknown prefix is used as a lookup in either device.attributes
+	// or device.capacity, an empty map will be returned. Any reference to
+	// an unknown field will cause an evaluation error and allocation to
+	// abort.
+	//
+	// A robust expression should check for the existence of attributes
+	// before referencing them.
+	//
+	// For ease of use, the cel.bind() function is enabled, and can be used
+	// to simplify expressions that access multiple attributes with the
+	// same domain. For example:
+	//
+	// cel.bind(dra, device.attributes["dra.example.com"], dra.someBool && dra.anotherBool)
+	//
+	// The length of the expression must be smaller or equal to 10 Ki. The
+	// cost of evaluating it is also limited based on the estimated number
+	// of logical steps.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counter.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counter.go
index b33ed99a59270..951f3859f10c1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counter.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counter.go
@@ -24,7 +24,10 @@ import (
 
 // CounterApplyConfiguration represents a declarative configuration of the Counter type for use
 // with apply.
+//
+// Counter describes a quantity associated with a device.
 type CounterApplyConfiguration struct {
+	// Value defines how much of a certain device counter is available.
 	Value *resource.Quantity `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counterset.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counterset.go
index 7592fa4d5bf2b..d5fad0dd67a54 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counterset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/counterset.go
@@ -20,8 +20,23 @@ package v1beta1
 
 // CounterSetApplyConfiguration represents a declarative configuration of the CounterSet type for use
 // with apply.
+//
+// CounterSet defines a named set of counters
+// that are available to be used by devices defined in the
+// ResourcePool.
+//
+// The counters are not allocatable by themselves, but
+// can be referenced by devices. When a device is allocated,
+// the portion of counters it uses will no longer be available for use
+// by other devices.
 type CounterSetApplyConfiguration struct {
-	Name     *string                              `json:"name,omitempty"`
+	// Name defines the name of the counter set.
+	// It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Counters defines the set of counters for this CounterSet
+	// The name of each counter must be unique in that set and must be a DNS label.
+	//
+	// The maximum number of counters is 32.
 	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/device.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/device.go
index f635267e21580..7695698937173 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/device.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/device.go
@@ -20,8 +20,14 @@ package v1beta1
 
 // DeviceApplyConfiguration represents a declarative configuration of the Device type for use
 // with apply.
+//
+// Device represents one individual hardware instance that can be selected based
+// on its attributes. Besides the name, exactly one field must be set.
 type DeviceApplyConfiguration struct {
-	Name  *string                        `json:"name,omitempty"`
+	// Name is unique identifier among all devices managed by
+	// the driver in the pool. It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Basic defines one device instance.
 	Basic *BasicDeviceApplyConfiguration `json:"basic,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationconfiguration.go
index b5218ba4a3b97..314ff5fa718fe 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationconfiguration.go
@@ -24,9 +24,20 @@ import (
 
 // DeviceAllocationConfigurationApplyConfiguration represents a declarative configuration of the DeviceAllocationConfiguration type for use
 // with apply.
+//
+// DeviceAllocationConfiguration gets embedded in an AllocationResult.
 type DeviceAllocationConfigurationApplyConfiguration struct {
-	Source                                *resourcev1beta1.AllocationConfigSource `json:"source,omitempty"`
-	Requests                              []string                                `json:"requests,omitempty"`
+	// Source records whether the configuration comes from a class and thus
+	// is not something that a normal user would have been able to set
+	// or from a claim.
+	Source *resourcev1beta1.AllocationConfigSource `json:"source,omitempty"`
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, its applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
+	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationresult.go
index bf309cf2380b0..ee17ee194135e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceallocationresult.go
@@ -20,9 +20,19 @@ package v1beta1
 
 // DeviceAllocationResultApplyConfiguration represents a declarative configuration of the DeviceAllocationResult type for use
 // with apply.
+//
+// DeviceAllocationResult is the result of allocating devices.
 type DeviceAllocationResultApplyConfiguration struct {
+	// Results lists all allocated devices.
 	Results []DeviceRequestAllocationResultApplyConfiguration `json:"results,omitempty"`
-	Config  []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
+	// This field is a combination of all the claim and class configuration parameters.
+	// Drivers can distinguish between those based on a flag.
+	//
+	// This includes configuration parameters for drivers which have no allocated
+	// devices in the result because it is up to the drivers which configuration
+	// parameters they support. They can silently ignore unknown configuration
+	// parameters.
+	Config []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceattribute.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceattribute.go
index 6e88ae38a11dc..a4e9fe8504c6e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceattribute.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceattribute.go
@@ -20,10 +20,17 @@ package v1beta1
 
 // DeviceAttributeApplyConfiguration represents a declarative configuration of the DeviceAttribute type for use
 // with apply.
+//
+// DeviceAttribute must have exactly one field set.
 type DeviceAttributeApplyConfiguration struct {
-	IntValue     *int64  `json:"int,omitempty"`
-	BoolValue    *bool   `json:"bool,omitempty"`
-	StringValue  *string `json:"string,omitempty"`
+	// IntValue is a number.
+	IntValue *int64 `json:"int,omitempty"`
+	// BoolValue is a true/false value.
+	BoolValue *bool `json:"bool,omitempty"`
+	// StringValue is a string. Must not be longer than 64 characters.
+	StringValue *string `json:"string,omitempty"`
+	// VersionValue is a semantic version according to semver.org spec 2.0.0.
+	// Must not be longer than 64 characters.
 	VersionValue *string `json:"version,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecapacity.go
index 43a112b252043..4e4a5b66296a4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecapacity.go
@@ -24,8 +24,24 @@ import (
 
 // DeviceCapacityApplyConfiguration represents a declarative configuration of the DeviceCapacity type for use
 // with apply.
+//
+// DeviceCapacity describes a quantity associated with a device.
 type DeviceCapacityApplyConfiguration struct {
-	Value         *resource.Quantity                       `json:"value,omitempty"`
+	// Value defines how much of a certain capacity that device has.
+	//
+	// This field reflects the fixed total capacity and does not change.
+	// The consumed amount is tracked separately by scheduler
+	// and does not affect this value.
+	Value *resource.Quantity `json:"value,omitempty"`
+	// RequestPolicy defines how this DeviceCapacity must be consumed
+	// when the device is allowed to be shared by multiple allocations.
+	//
+	// The Device must have allowMultipleAllocations set to true in order to set a requestPolicy.
+	//
+	// If unset, capacity requests are unconstrained:
+	// requests can consume any amount of capacity, as long as the total consumed
+	// across all allocations does not exceed the device's defined capacity.
+	// If request is also unset, default is the full capacity value.
 	RequestPolicy *CapacityRequestPolicyApplyConfiguration `json:"requestPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaim.go
index 95c1c2e6e923f..b5176ba034541 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaim.go
@@ -20,10 +20,19 @@ package v1beta1
 
 // DeviceClaimApplyConfiguration represents a declarative configuration of the DeviceClaim type for use
 // with apply.
+//
+// DeviceClaim defines how to request devices with a ResourceClaim.
 type DeviceClaimApplyConfiguration struct {
-	Requests    []DeviceRequestApplyConfiguration            `json:"requests,omitempty"`
-	Constraints []DeviceConstraintApplyConfiguration         `json:"constraints,omitempty"`
-	Config      []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
+	// Requests represent individual requests for distinct devices which
+	// must all be satisfied. If empty, nothing needs to be allocated.
+	Requests []DeviceRequestApplyConfiguration `json:"requests,omitempty"`
+	// These constraints must be satisfied by the set of devices that get
+	// allocated for the claim.
+	Constraints []DeviceConstraintApplyConfiguration `json:"constraints,omitempty"`
+	// This field holds configuration for multiple potential drivers which
+	// could satisfy requests in this claim. It is ignored while allocating
+	// the claim.
+	Config []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceClaimApplyConfiguration constructs a declarative configuration of the DeviceClaim type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaimconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaimconfiguration.go
index beac5e9d95602..2c7faab5b9b90 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaimconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclaimconfiguration.go
@@ -20,7 +20,15 @@ package v1beta1
 
 // DeviceClaimConfigurationApplyConfiguration represents a declarative configuration of the DeviceClaimConfiguration type for use
 // with apply.
+//
+// DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.
 type DeviceClaimConfigurationApplyConfiguration struct {
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, it applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
 	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclass.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclass.go
index 894580cd0b1c2..b0fcbac6fb6a6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclass.go
@@ -29,10 +29,27 @@ import (
 
 // DeviceClassApplyConfiguration represents a declarative configuration of the DeviceClass type for use
 // with apply.
+//
+// DeviceClass is a vendor- or admin-provided resource that contains
+// device configuration and selectors. It can be referenced in
+// the device requests of a claim to apply these presets.
+// Cluster scoped.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type DeviceClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec defines what can be allocated and how to configure it.
+	//
+	// This is mutable. Consumers have to be prepared for classes changing
+	// at any time, either because they get updated or replaced. Claim
+	// allocations are done once based on whatever was set in classes at
+	// the time of allocation.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // DeviceClass constructs a declarative configuration of the DeviceClass type for use with
@@ -45,29 +62,14 @@ func DeviceClass(name string) *DeviceClassApplyConfiguration {
 	return b
 }
 
-// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
-// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
-// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDeviceClassFrom extracts the applied configuration owned by fieldManager from
+// deviceClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
-// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDeviceClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDeviceClass(deviceClass *resourcev1beta1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "")
-}
-
-// ExtractDeviceClassStatus is the same as ExtractDeviceClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeviceClassStatus(deviceClass *resourcev1beta1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "status")
-}
-
-func extractDeviceClass(deviceClass *resourcev1beta1.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
+func ExtractDeviceClassFrom(deviceClass *resourcev1beta1.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
 	b := &DeviceClassApplyConfiguration{}
 	err := managedfields.ExtractInto(deviceClass, internal.Parser().Type("io.k8s.api.resource.v1beta1.DeviceClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +81,21 @@ func extractDeviceClass(deviceClass *resourcev1beta1.DeviceClass, fieldManager s
 	b.WithAPIVersion("resource.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
+// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
+// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
+// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeviceClass(deviceClass *resourcev1beta1.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
+	return ExtractDeviceClassFrom(deviceClass, fieldManager, "")
+}
+
 func (b DeviceClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassconfiguration.go
index 3ce90eab56788..d521f01e12fa2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassconfiguration.go
@@ -20,6 +20,8 @@ package v1beta1
 
 // DeviceClassConfigurationApplyConfiguration represents a declarative configuration of the DeviceClassConfiguration type for use
 // with apply.
+//
+// DeviceClassConfiguration is used in DeviceClass.
 type DeviceClassConfigurationApplyConfiguration struct {
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassspec.go
index 171149eba68f1..942da3efed838 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceclassspec.go
@@ -20,10 +20,29 @@ package v1beta1
 
 // DeviceClassSpecApplyConfiguration represents a declarative configuration of the DeviceClassSpec type for use
 // with apply.
+//
+// DeviceClassSpec is used in a [DeviceClass] to define what can be allocated
+// and how to configure it.
 type DeviceClassSpecApplyConfiguration struct {
-	Selectors            []DeviceSelectorApplyConfiguration           `json:"selectors,omitempty"`
-	Config               []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
-	ExtendedResourceName *string                                      `json:"extendedResourceName,omitempty"`
+	// Each selector must be satisfied by a device which is claimed via this class.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// Config defines configuration parameters that apply to each device that is claimed via this class.
+	// Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor
+	// configuration applies to exactly one driver.
+	//
+	// They are passed to the driver, but are not considered while allocating the claim.
+	Config []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
+	// ExtendedResourceName is the extended resource name for the devices of this class.
+	// The devices of this class can be used to satisfy a pod's extended resource requests.
+	// It has the same format as the name of a pod's extended resource.
+	// It should be unique among all the device classes in a cluster.
+	// If two device classes have the same name, then the class created later
+	// is picked to satisfy a pod's extended resource requests.
+	// If two classes are created at the same time, then the name of the class
+	// lexicographically sorted first is picked.
+	//
+	// This is an alpha field.
+	ExtendedResourceName *string `json:"extendedResourceName,omitempty"`
 }
 
 // DeviceClassSpecApplyConfiguration constructs a declarative configuration of the DeviceClassSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconfiguration.go
index b0f41f5a195ab..98861a3b872de 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconfiguration.go
@@ -20,7 +20,12 @@ package v1beta1
 
 // DeviceConfigurationApplyConfiguration represents a declarative configuration of the DeviceConfiguration type for use
 // with apply.
+//
+// DeviceConfiguration must have exactly one field set. It gets embedded
+// inline in some other structs which have other fields, so field names must
+// not conflict with those.
 type DeviceConfigurationApplyConfiguration struct {
+	// Opaque provides driver-specific configuration parameters.
 	Opaque *OpaqueDeviceConfigurationApplyConfiguration `json:"opaque,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconstraint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconstraint.go
index 624d9885ce04c..1716c9233109a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconstraint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceconstraint.go
@@ -24,9 +24,42 @@ import (
 
 // DeviceConstraintApplyConfiguration represents a declarative configuration of the DeviceConstraint type for use
 // with apply.
+//
+// DeviceConstraint must have exactly one field set besides Requests.
 type DeviceConstraintApplyConfiguration struct {
-	Requests          []string                            `json:"requests,omitempty"`
-	MatchAttribute    *resourcev1beta1.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// Requests is a list of the one or more requests in this claim which
+	// must co-satisfy this constraint. If a request is fulfilled by
+	// multiple devices, then all of the devices must satisfy the
+	// constraint. If this is not specified, this constraint applies to all
+	// requests in this claim.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the constraint applies to all subrequests.
+	Requests []string `json:"requests,omitempty"`
+	// MatchAttribute requires that all devices in question have this
+	// attribute and that its type and value are the same across those
+	// devices.
+	//
+	// For example, if you specified "dra.example.com/numa" (a hypothetical example!),
+	// then only devices in the same NUMA node will be chosen. A device which
+	// does not have that attribute will not be chosen. All devices should
+	// use a value of the same type for this attribute because that is part of
+	// its specification, but if one device doesn't, then it also will not be
+	// chosen.
+	//
+	// Must include the domain qualifier.
+	MatchAttribute *resourcev1beta1.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// DistinctAttribute requires that all devices in question have this
+	// attribute and that its type and value are unique across those devices.
+	//
+	// This acts as the inverse of MatchAttribute.
+	//
+	// This constraint is used to avoid allocating multiple requests to the same device
+	// by ensuring attribute-level differentiation.
+	//
+	// This is useful for scenarios where resource requests must be fulfilled by separate physical devices.
+	// For example, a container requests two network interfaces that must be allocated from two different physical NICs.
 	DistinctAttribute *resourcev1beta1.FullyQualifiedName `json:"distinctAttribute,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecounterconsumption.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecounterconsumption.go
index a8a8a5f58129a..1b1956c5cf094 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecounterconsumption.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicecounterconsumption.go
@@ -20,9 +20,17 @@ package v1beta1
 
 // DeviceCounterConsumptionApplyConfiguration represents a declarative configuration of the DeviceCounterConsumption type for use
 // with apply.
+//
+// DeviceCounterConsumption defines a set of counters that
+// a device will consume from a CounterSet.
 type DeviceCounterConsumptionApplyConfiguration struct {
-	CounterSet *string                              `json:"counterSet,omitempty"`
-	Counters   map[string]CounterApplyConfiguration `json:"counters,omitempty"`
+	// CounterSet is the name of the set from which the
+	// counters defined will be consumed.
+	CounterSet *string `json:"counterSet,omitempty"`
+	// Counters defines the counters that will be consumed by the device.
+	//
+	// The maximum number of counters is 32.
+	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
 // DeviceCounterConsumptionApplyConfiguration constructs a declarative configuration of the DeviceCounterConsumption type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
index 1d3f604e91525..eab54ba01c1fb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
@@ -24,16 +24,131 @@ import (
 
 // DeviceRequestApplyConfiguration represents a declarative configuration of the DeviceRequest type for use
 // with apply.
+//
+// DeviceRequest is a request for devices required for a claim.
+// This is typically a request for a single resource like a device, but can
+// also ask for several identical devices.
 type DeviceRequestApplyConfiguration struct {
-	Name            *string                                 `json:"name,omitempty"`
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1beta1.DeviceAllocationMode   `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	AdminAccess     *bool                                   `json:"adminAccess,omitempty"`
-	FirstAvailable  []DeviceSubRequestApplyConfiguration    `json:"firstAvailable,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// Name can be used to reference this request in a pod.spec.containers[].resources.claims
+	// entry and in a constraint of the claim.
+	//
+	// Must be a DNS label and unique among all DeviceRequests in a
+	// ResourceClaim.
+	Name *string `json:"name,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// request.
+	//
+	// A class is required if no subrequests are specified in the
+	// firstAvailable list and no class can be set if subrequests
+	// are specified in the firstAvailable list.
+	// Which classes are available depends on the cluster.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// request. All selectors must be satisfied for a device to be
+	// considered.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this request. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This request is for all of the matching devices in a pool.
+	// At least one device must exist on the node for the allocation to succeed.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other requests must specify this field.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1beta1.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	Count *int64 `json:"count,omitempty"`
+	// AdminAccess indicates that this is a claim for administrative access
+	// to the device(s). Claims with AdminAccess are expected to be used for
+	// monitoring or other management services for a device.  They ignore
+	// all ordinary claims to the device with respect to access modes and
+	// any resource allocations.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// FirstAvailable contains subrequests, of which exactly one will be
+	// satisfied by the scheduler to satisfy this request. It tries to
+	// satisfy them in the order in which they are listed here. So if
+	// there are two entries in the list, the scheduler will only check
+	// the second one if it determines that the first one cannot be used.
+	//
+	// This field may only be set in the entries of DeviceClaim.Requests.
+	//
+	// DRA does not yet implement scoring, so the scheduler will
+	// select the first set of devices that satisfies all the
+	// requests in the claim. And if the requirements can
+	// be satisfied on more than one node, other scheduling features
+	// will determine which node is chosen. This means that the set of
+	// devices allocated to a claim might not be the optimal set
+	// available to the cluster. Scoring will be implemented later.
+	FirstAvailable []DeviceSubRequestApplyConfiguration `json:"firstAvailable,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // DeviceRequestApplyConfiguration constructs a declarative configuration of the DeviceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
index b61c42520158a..2171522a35f02 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
@@ -26,17 +26,75 @@ import (
 
 // DeviceRequestAllocationResultApplyConfiguration represents a declarative configuration of the DeviceRequestAllocationResult type for use
 // with apply.
+//
+// DeviceRequestAllocationResult contains the allocation result for one request.
 type DeviceRequestAllocationResultApplyConfiguration struct {
-	Request                  *string                                             `json:"request,omitempty"`
-	Driver                   *string                                             `json:"driver,omitempty"`
-	Pool                     *string                                             `json:"pool,omitempty"`
-	Device                   *string                                             `json:"device,omitempty"`
-	AdminAccess              *bool                                               `json:"adminAccess,omitempty"`
-	Tolerations              []DeviceTolerationApplyConfiguration                `json:"tolerations,omitempty"`
-	BindingConditions        []string                                            `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                            `json:"bindingFailureConditions,omitempty"`
-	ShareID                  *types.UID                                          `json:"shareID,omitempty"`
-	ConsumedCapacity         map[resourcev1beta1.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
+	// Request is the name of the request in the claim which caused this
+	// device to be allocated. If it references a subrequest in the
+	// firstAvailable list on a DeviceRequest, this field must
+	// include both the name of the main request and the subrequest
+	// using the format <main request>/<subrequest>.
+	//
+	// Multiple devices may have been allocated per request.
+	Request *string `json:"request,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// AdminAccess indicates that this device was allocated for
+	// administrative access. See the corresponding request field
+	// for a definition of mode.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// BindingConditions contains a copy of the BindingConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions contains a copy of the BindingFailureConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device,
+	// used when the device supports multiple simultaneous allocations.
+	// It serves as an additional map key to differentiate concurrent shares
+	// of the same device.
+	ShareID *types.UID `json:"shareID,omitempty"`
+	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
+	// The consumed amount may differ from the requested amount: it is rounded up to the nearest valid
+	// value based on the device’s requestPolicy if applicable (i.e., may not be less than the requested amount).
+	//
+	// The total consumed capacity for each device must not exceed the DeviceCapacity's Value.
+	//
+	// This field is populated only for devices that allow multiple allocations.
+	// All capacity entries are included, even if the consumed amount is zero.
+	ConsumedCapacity map[resourcev1beta1.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
 }
 
 // DeviceRequestAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceRequestAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceselector.go
index bf60bf4345d55..2a40d6e1e1b37 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/deviceselector.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // DeviceSelectorApplyConfiguration represents a declarative configuration of the DeviceSelector type for use
 // with apply.
+//
+// DeviceSelector must have exactly one field set.
 type DeviceSelectorApplyConfiguration struct {
+	// CEL contains a CEL expression for selecting a device.
 	CEL *CELDeviceSelectorApplyConfiguration `json:"cel,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
index ef2079252aa4f..2701074e90559 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
@@ -24,14 +24,92 @@ import (
 
 // DeviceSubRequestApplyConfiguration represents a declarative configuration of the DeviceSubRequest type for use
 // with apply.
+//
+// DeviceSubRequest describes a request for device provided in the
+// claim.spec.devices.requests[].firstAvailable array. Each
+// is typically a request for a single resource like a device, but can
+// also ask for several identical devices.
+//
+// DeviceSubRequest is similar to Request, but doesn't expose the AdminAccess
+// or FirstAvailable fields, as those can only be set on the top-level request.
+// AdminAccess is not supported for requests with a prioritized list, and
+// recursive FirstAvailable fields are not supported.
 type DeviceSubRequestApplyConfiguration struct {
-	Name            *string                                 `json:"name,omitempty"`
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1beta1.DeviceAllocationMode   `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// Name can be used to reference this subrequest in the list of constraints
+	// or the list of configurations for the claim. References must use the
+	// format <main request>/<subrequest>.
+	//
+	// Must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// subrequest.
+	//
+	// A class is required. Which classes are available depends on the cluster.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// subrequest. All selectors must be satisfied for a device to be
+	// considered.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this subrequest. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This subrequest is for all of the matching devices in a pool.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other subrequests must specify this field.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1beta1.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	Count *int64 `json:"count,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // DeviceSubRequestApplyConfiguration constructs a declarative configuration of the DeviceSubRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
index bfa826f063fa6..55c7d58a681a1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
@@ -25,11 +25,27 @@ import (
 
 // DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
 // with apply.
+//
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
 type DeviceTaintApplyConfiguration struct {
-	Key       *string                            `json:"key,omitempty"`
-	Value     *string                            `json:"value,omitempty"`
-	Effect    *resourcev1beta1.DeviceTaintEffect `json:"effect,omitempty"`
-	TimeAdded *v1.Time                           `json:"timeAdded,omitempty"`
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
+	Effect *resourcev1beta1.DeviceTaintEffect `json:"effect,omitempty"`
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	TimeAdded *v1.Time `json:"timeAdded,omitempty"`
 }
 
 // DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
index 977af67043c82..26a7445291d7c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
@@ -24,12 +24,33 @@ import (
 
 // DeviceTolerationApplyConfiguration represents a declarative configuration of the DeviceToleration type for use
 // with apply.
+//
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
 type DeviceTolerationApplyConfiguration struct {
-	Key               *string                                   `json:"key,omitempty"`
-	Operator          *resourcev1beta1.DeviceTolerationOperator `json:"operator,omitempty"`
-	Value             *string                                   `json:"value,omitempty"`
-	Effect            *resourcev1beta1.DeviceTaintEffect        `json:"effect,omitempty"`
-	TolerationSeconds *int64                                    `json:"tolerationSeconds,omitempty"`
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	Operator *resourcev1beta1.DeviceTolerationOperator `json:"operator,omitempty"`
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	Effect *resourcev1beta1.DeviceTaintEffect `json:"effect,omitempty"`
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty"`
 }
 
 // DeviceTolerationApplyConfiguration constructs a declarative configuration of the DeviceToleration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/networkdevicedata.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/networkdevicedata.go
index c9d4880193344..5c3edcfe8863e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/networkdevicedata.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/networkdevicedata.go
@@ -20,10 +20,29 @@ package v1beta1
 
 // NetworkDeviceDataApplyConfiguration represents a declarative configuration of the NetworkDeviceData type for use
 // with apply.
+//
+// NetworkDeviceData provides network-related details for the allocated device.
+// This information may be filled by drivers or other components to configure
+// or identify the device within a network context.
 type NetworkDeviceDataApplyConfiguration struct {
-	InterfaceName   *string  `json:"interfaceName,omitempty"`
-	IPs             []string `json:"ips,omitempty"`
-	HardwareAddress *string  `json:"hardwareAddress,omitempty"`
+	// InterfaceName specifies the name of the network interface associated with
+	// the allocated device. This might be the name of a physical or virtual
+	// network interface being configured in the pod.
+	//
+	// Must not be longer than 256 characters.
+	InterfaceName *string `json:"interfaceName,omitempty"`
+	// IPs lists the network addresses assigned to the device's network interface.
+	// This can include both IPv4 and IPv6 addresses.
+	// The IPs are in the CIDR notation, which includes both the address and the
+	// associated subnet mask.
+	// e.g.: "192.0.2.5/24" for IPv4 and "2001:db8::5/64" for IPv6.
+	//
+	// Must not contain more than 16 entries.
+	IPs []string `json:"ips,omitempty"`
+	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
+	//
+	// Must not be longer than 128 characters.
+	HardwareAddress *string `json:"hardwareAddress,omitempty"`
 }
 
 // NetworkDeviceDataApplyConfiguration constructs a declarative configuration of the NetworkDeviceData type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/opaquedeviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/opaquedeviceconfiguration.go
index 0b52fa93a8fe1..ae8231f0b4f57 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/opaquedeviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/opaquedeviceconfiguration.go
@@ -24,8 +24,25 @@ import (
 
 // OpaqueDeviceConfigurationApplyConfiguration represents a declarative configuration of the OpaqueDeviceConfiguration type for use
 // with apply.
+//
+// OpaqueDeviceConfiguration contains configuration parameters for a driver
+// in a format defined by the driver vendor.
 type OpaqueDeviceConfigurationApplyConfiguration struct {
-	Driver     *string               `json:"driver,omitempty"`
+	// Driver is used to determine which kubelet plugin needs
+	// to be passed these configuration parameters.
+	//
+	// An admission policy provided by the driver developer could use this
+	// to decide whether it needs to validate them.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// Parameters can contain arbitrary data. It is the responsibility of
+	// the driver developer to handle validation and versioning. Typically this
+	// includes self-identification and a version ("kind" + "apiVersion" for
+	// Kubernetes types), with conversion between different versions.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
 	Parameters *runtime.RawExtension `json:"parameters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaim.go
index 82055340f3bf2..aaeaf687d6843 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaim.go
@@ -29,11 +29,24 @@ import (
 
 // ResourceClaimApplyConfiguration represents a declarative configuration of the ResourceClaim type for use
 // with apply.
+//
+// ResourceClaim describes a request for access to resources in the cluster,
+// for use by workloads. For example, if a workload needs an accelerator device
+// with specific properties, this is how that request is expressed. The status
+// stanza tracks whether this claim has been satisfied and what specific
+// resources have been allocated.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec describes what is being requested and how to configure it.
+	// The spec is immutable.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status describes whether the claim is ready to use and what has been allocated.
+	Status *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ResourceClaim constructs a declarative configuration of the ResourceClaim type for use with
@@ -47,6 +60,27 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 	return b
 }
 
+// ExtractResourceClaimFrom extracts the applied configuration owned by fieldManager from
+// resourceClaim for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// resourceClaim must be a unmodified ResourceClaim API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimFrom(resourceClaim *resourcev1beta1.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
+	b := &ResourceClaimApplyConfiguration{}
+	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1beta1.ResourceClaim"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(resourceClaim.Name)
+	b.WithNamespace(resourceClaim.Namespace)
+
+	b.WithKind("ResourceClaim")
+	b.WithAPIVersion("resource.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractResourceClaim extracts the applied configuration owned by fieldManager from
 // resourceClaim. If no managedFields are found in resourceClaim for fieldManager, a
 // ResourceClaimApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 // ExtractResourceClaim provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractResourceClaim(resourceClaim *resourcev1beta1.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "")
 }
 
-// ExtractResourceClaimStatus is the same as ExtractResourceClaim except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractResourceClaimStatus extracts the applied configuration owned by fieldManager from
+// resourceClaim for the status subresource.
 func ExtractResourceClaimStatus(resourceClaim *resourcev1beta1.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "status")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "status")
 }
 
-func extractResourceClaim(resourceClaim *resourcev1beta1.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
-	b := &ResourceClaimApplyConfiguration{}
-	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1beta1.ResourceClaim"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(resourceClaim.Name)
-	b.WithNamespace(resourceClaim.Namespace)
-
-	b.WithKind("ResourceClaim")
-	b.WithAPIVersion("resource.k8s.io/v1beta1")
-	return b, nil
-}
 func (b ResourceClaimApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimconsumerreference.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimconsumerreference.go
index f6eefdda533b7..4891123b31a76 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimconsumerreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimconsumerreference.go
@@ -24,11 +24,21 @@ import (
 
 // ResourceClaimConsumerReferenceApplyConfiguration represents a declarative configuration of the ResourceClaimConsumerReference type for use
 // with apply.
+//
+// ResourceClaimConsumerReference contains enough information to let you
+// locate the consumer of a ResourceClaim. The user must be a resource in the same
+// namespace as the ResourceClaim.
 type ResourceClaimConsumerReferenceApplyConfiguration struct {
-	APIGroup *string    `json:"apiGroup,omitempty"`
-	Resource *string    `json:"resource,omitempty"`
-	Name     *string    `json:"name,omitempty"`
-	UID      *types.UID `json:"uid,omitempty"`
+	// APIGroup is the group for the resource being referenced. It is
+	// empty for the core API. This matches the group in the APIVersion
+	// that is used when creating the resources.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Resource is the type of resource being referenced, for example "pods".
+	Resource *string `json:"resource,omitempty"`
+	// Name is the name of resource being referenced.
+	Name *string `json:"name,omitempty"`
+	// UID identifies exactly one incarnation of the resource.
+	UID *types.UID `json:"uid,omitempty"`
 }
 
 // ResourceClaimConsumerReferenceApplyConfiguration constructs a declarative configuration of the ResourceClaimConsumerReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimspec.go
index c6b1b0b4be049..2e3a41f0deb82 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimspec.go
@@ -20,7 +20,10 @@ package v1beta1
 
 // ResourceClaimSpecApplyConfiguration represents a declarative configuration of the ResourceClaimSpec type for use
 // with apply.
+//
+// ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.
 type ResourceClaimSpecApplyConfiguration struct {
+	// Devices defines how to request devices.
 	Devices *DeviceClaimApplyConfiguration `json:"devices,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimstatus.go
index bb3db18bebf6c..899660dc9e311 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimstatus.go
@@ -20,10 +20,36 @@ package v1beta1
 
 // ResourceClaimStatusApplyConfiguration represents a declarative configuration of the ResourceClaimStatus type for use
 // with apply.
+//
+// ResourceClaimStatus tracks whether the resource has been allocated and what
+// the result of that was.
 type ResourceClaimStatusApplyConfiguration struct {
-	Allocation  *AllocationResultApplyConfiguration                `json:"allocation,omitempty"`
+	// Allocation is set once the claim has been allocated successfully.
+	Allocation *AllocationResultApplyConfiguration `json:"allocation,omitempty"`
+	// ReservedFor indicates which entities are currently allowed to use
+	// the claim. A Pod which references a ResourceClaim which is not
+	// reserved for that Pod will not be started. A claim that is in
+	// use or might be in use because it has been reserved must not get
+	// deallocated.
+	//
+	// In a cluster with multiple scheduler instances, two pods might get
+	// scheduled concurrently by different schedulers. When they reference
+	// the same ResourceClaim which already has reached its maximum number
+	// of consumers, only one pod can be scheduled.
+	//
+	// Both schedulers try to add their pod to the claim.status.reservedFor
+	// field, but only the update that reaches the API server first gets
+	// stored. The other one fails with an error and the scheduler
+	// which issued it knows that it must put the pod back into the queue,
+	// waiting for the ResourceClaim to become usable again.
+	//
+	// There can be at most 256 such reservations. This may get increased in
+	// the future, but not reduced.
 	ReservedFor []ResourceClaimConsumerReferenceApplyConfiguration `json:"reservedFor,omitempty"`
-	Devices     []AllocatedDeviceStatusApplyConfiguration          `json:"devices,omitempty"`
+	// Devices contains the status of each device allocated for this
+	// claim, as reported by the driver. This can include driver-specific
+	// information. Entries are owned by their respective drivers.
+	Devices []AllocatedDeviceStatusApplyConfiguration `json:"devices,omitempty"`
 }
 
 // ResourceClaimStatusApplyConfiguration constructs a declarative configuration of the ResourceClaimStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplate.go
index deb46a25285dd..fe42003266e72 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplate.go
@@ -29,10 +29,21 @@ import (
 
 // ResourceClaimTemplateApplyConfiguration represents a declarative configuration of the ResourceClaimTemplate type for use
 // with apply.
+//
+// ResourceClaimTemplate is used to produce ResourceClaim objects.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimTemplateApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
+	// Describes the ResourceClaim that is to be generated.
+	//
+	// This field is immutable. A ResourceClaim will get created by the
+	// control plane for a Pod when needed and then not get updated
+	// anymore.
+	Spec *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplate constructs a declarative configuration of the ResourceClaimTemplate type for use with
@@ -46,29 +57,14 @@ func ResourceClaimTemplate(name, namespace string) *ResourceClaimTemplateApplyCo
 	return b
 }
 
-// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
-// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
-// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceClaimTemplateFrom extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
-// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceClaimTemplateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "")
-}
-
-// ExtractResourceClaimTemplateStatus is the same as ExtractResourceClaimTemplate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceClaimTemplateStatus(resourceClaimTemplate *resourcev1beta1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "status")
-}
-
-func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta1.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
+func ExtractResourceClaimTemplateFrom(resourceClaimTemplate *resourcev1beta1.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
 	b := &ResourceClaimTemplateApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceClaimTemplate, internal.Parser().Type("io.k8s.api.resource.v1beta1.ResourceClaimTemplate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +77,21 @@ func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta1.Resourc
 	b.WithAPIVersion("resource.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
+// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta1.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
+	return ExtractResourceClaimTemplateFrom(resourceClaimTemplate, fieldManager, "")
+}
+
 func (b ResourceClaimTemplateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplatespec.go
index 4c17b756401d6..765dcc52bc726 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceclaimtemplatespec.go
@@ -26,9 +26,17 @@ import (
 
 // ResourceClaimTemplateSpecApplyConfiguration represents a declarative configuration of the ResourceClaimTemplateSpec type for use
 // with apply.
+//
+// ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.
 type ResourceClaimTemplateSpecApplyConfiguration struct {
+	// ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim
+	// when creating it. No other fields are allowed and will be rejected during
+	// validation.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec for the ResourceClaim. The entire content is copied unchanged
+	// into the ResourceClaim that gets created from this template. The
+	// same fields as in a ResourceClaim are also valid here.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplateSpecApplyConfiguration constructs a declarative configuration of the ResourceClaimTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourcepool.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourcepool.go
index 33c155b5280bd..eff9e042c8a77 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourcepool.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourcepool.go
@@ -20,10 +20,34 @@ package v1beta1
 
 // ResourcePoolApplyConfiguration represents a declarative configuration of the ResourcePool type for use
 // with apply.
+//
+// ResourcePool describes the pool that ResourceSlices belong to.
 type ResourcePoolApplyConfiguration struct {
-	Name               *string `json:"name,omitempty"`
-	Generation         *int64  `json:"generation,omitempty"`
-	ResourceSliceCount *int64  `json:"resourceSliceCount,omitempty"`
+	// Name is used to identify the pool. For node-local devices, this
+	// is often the node name, but this is not required.
+	//
+	// It must not be longer than 253 characters and must consist of one or more DNS sub-domains
+	// separated by slashes. This field is immutable.
+	Name *string `json:"name,omitempty"`
+	// Generation tracks the change in a pool over time. Whenever a driver
+	// changes something about one or more of the resources in a pool, it
+	// must change the generation in all ResourceSlices which are part of
+	// that pool. Consumers of ResourceSlices should only consider
+	// resources from the pool with the highest generation number. The
+	// generation may be reset by drivers, which should be fine for
+	// consumers, assuming that all ResourceSlices in a pool are updated to
+	// match or deleted.
+	//
+	// Combined with ResourceSliceCount, this mechanism enables consumers to
+	// detect pools which are comprised of multiple ResourceSlices and are
+	// in an incomplete state.
+	Generation *int64 `json:"generation,omitempty"`
+	// ResourceSliceCount is the total number of ResourceSlices in the pool at this
+	// generation number. Must be greater than zero.
+	//
+	// Consumers can use this to check whether they have seen all ResourceSlices
+	// belonging to the same pool.
+	ResourceSliceCount *int64 `json:"resourceSliceCount,omitempty"`
 }
 
 // ResourcePoolApplyConfiguration constructs a declarative configuration of the ResourcePool type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslice.go
index d4d78a71ab93f..c9ec6a7b742fb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslice.go
@@ -29,10 +29,39 @@ import (
 
 // ResourceSliceApplyConfiguration represents a declarative configuration of the ResourceSlice type for use
 // with apply.
+//
+// ResourceSlice represents one or more resources in a pool of similar resources,
+// managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many
+// ResourceSlices comprise a pool is determined by the driver.
+//
+// At the moment, the only supported resources are devices with attributes and capacities.
+// Each device in a given pool, regardless of how many ResourceSlices, must have a unique name.
+// The ResourceSlice in which a device gets published may change over time. The unique identifier
+// for a device is the tuple <driver name>, <pool name>, <device name>.
+//
+// Whenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number
+// and updates all ResourceSlices with that new number and new resource definitions. A consumer
+// must only use ResourceSlices with the highest generation number and ignore all others.
+//
+// When allocating all resources in a pool matching certain criteria or when
+// looking for the best solution among several different alternatives, a
+// consumer should check the number of ResourceSlices in a pool (included in
+// each ResourceSlice) to determine whether its view of a pool is complete and
+// if not, should wait until the driver has completed updating the pool.
+//
+// For resources that are not local to a node, the node name is not set. Instead,
+// the driver may use a node selector to specify where the devices are available.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceSliceApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
+	// Contains the information published by the driver.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceSlice constructs a declarative configuration of the ResourceSlice type for use with
@@ -45,29 +74,14 @@ func ResourceSlice(name string) *ResourceSliceApplyConfiguration {
 	return b
 }
 
-// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
-// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
-// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceSliceFrom extracts the applied configuration owned by fieldManager from
+// resourceSlice for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
-// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceSliceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceSlice(resourceSlice *resourcev1beta1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "")
-}
-
-// ExtractResourceSliceStatus is the same as ExtractResourceSlice except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceSliceStatus(resourceSlice *resourcev1beta1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "status")
-}
-
-func extractResourceSlice(resourceSlice *resourcev1beta1.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
+func ExtractResourceSliceFrom(resourceSlice *resourcev1beta1.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
 	b := &ResourceSliceApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceSlice, internal.Parser().Type("io.k8s.api.resource.v1beta1.ResourceSlice"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +93,21 @@ func extractResourceSlice(resourceSlice *resourcev1beta1.ResourceSlice, fieldMan
 	b.WithAPIVersion("resource.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
+// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
+// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
+// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceSlice(resourceSlice *resourcev1beta1.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
+	return ExtractResourceSliceFrom(resourceSlice, fieldManager, "")
+}
+
 func (b ResourceSliceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslicespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslicespec.go
index 6eaae7da85eaa..23024864335ee 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslicespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/resourceslicespec.go
@@ -24,15 +24,64 @@ import (
 
 // ResourceSliceSpecApplyConfiguration represents a declarative configuration of the ResourceSliceSpec type for use
 // with apply.
+//
+// ResourceSliceSpec contains the information published by the driver in one ResourceSlice.
 type ResourceSliceSpecApplyConfiguration struct {
-	Driver                 *string                            `json:"driver,omitempty"`
-	Pool                   *ResourcePoolApplyConfiguration    `json:"pool,omitempty"`
-	NodeName               *string                            `json:"nodeName,omitempty"`
-	NodeSelector           *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
-	AllNodes               *bool                              `json:"allNodes,omitempty"`
-	Devices                []DeviceApplyConfiguration         `json:"devices,omitempty"`
-	PerDeviceNodeSelection *bool                              `json:"perDeviceNodeSelection,omitempty"`
-	SharedCounters         []CounterSetApplyConfiguration     `json:"sharedCounters,omitempty"`
+	// Driver identifies the DRA driver providing the capacity information.
+	// A field selector can be used to list only ResourceSlice
+	// objects with a certain driver name.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
+	Driver *string `json:"driver,omitempty"`
+	// Pool describes the pool that this ResourceSlice belongs to.
+	Pool *ResourcePoolApplyConfiguration `json:"pool,omitempty"`
+	// NodeName identifies the node which provides the resources in this pool.
+	// A field selector can be used to list only ResourceSlice
+	// objects belonging to a certain node.
+	//
+	// This field can be used to limit access from nodes to ResourceSlices with
+	// the same node name. It also indicates to autoscalers that adding
+	// new nodes of the same type as some old node might also make new
+	// resources available.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	// This field is immutable.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines which nodes have access to the resources in the pool,
+	// when that pool is not limited to a single node.
+	//
+	// Must use exactly one term.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the resources in the pool.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// Devices lists some or all of the devices in this pool.
+	//
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	Devices []DeviceApplyConfiguration `json:"devices,omitempty"`
+	// PerDeviceNodeSelection defines whether the access from nodes to
+	// resources in the pool is set on the ResourceSlice level or on each
+	// device. If it is set to true, every device defined the ResourceSlice
+	// must specify this individually.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	PerDeviceNodeSelection *bool `json:"perDeviceNodeSelection,omitempty"`
+	// SharedCounters defines a list of counter sets, each of which
+	// has a name and a list of counters available.
+	//
+	// The names of the counter sets must be unique in the ResourcePool.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
+	SharedCounters []CounterSetApplyConfiguration `json:"sharedCounters,omitempty"`
 }
 
 // ResourceSliceSpecApplyConfiguration constructs a declarative configuration of the ResourceSliceSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocateddevicestatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocateddevicestatus.go
index 5e408c9ca7bae..4d7ba35c855f7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocateddevicestatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocateddevicestatus.go
@@ -25,13 +25,42 @@ import (
 
 // AllocatedDeviceStatusApplyConfiguration represents a declarative configuration of the AllocatedDeviceStatus type for use
 // with apply.
+//
+// AllocatedDeviceStatus contains the status of an allocated device, if the
+// driver chooses to report it. This may include driver-specific information.
+//
+// The combination of Driver, Pool, Device, and ShareID must match the corresponding key
+// in Status.Allocation.Devices.
 type AllocatedDeviceStatusApplyConfiguration struct {
-	Driver      *string                              `json:"driver,omitempty"`
-	Pool        *string                              `json:"pool,omitempty"`
-	Device      *string                              `json:"device,omitempty"`
-	ShareID     *string                              `json:"shareID,omitempty"`
-	Conditions  []v1.ConditionApplyConfiguration     `json:"conditions,omitempty"`
-	Data        *runtime.RawExtension                `json:"data,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device.
+	ShareID *string `json:"shareID,omitempty"`
+	// Conditions contains the latest observation of the device's state.
+	// If the device has been configured according to the class and claim
+	// config references, the `Ready` condition should be True.
+	//
+	// Must not contain more than 8 entries.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Data contains arbitrary driver-specific data.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
+	Data *runtime.RawExtension `json:"data,omitempty"`
+	// NetworkData contains network-related information specific to the device.
 	NetworkData *NetworkDeviceDataApplyConfiguration `json:"networkData,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocationresult.go
index fb2a78ec8a38c..91db54f92e512 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/allocationresult.go
@@ -25,10 +25,20 @@ import (
 
 // AllocationResultApplyConfiguration represents a declarative configuration of the AllocationResult type for use
 // with apply.
+//
+// AllocationResult contains attributes of an allocated resource.
 type AllocationResultApplyConfiguration struct {
-	Devices             *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
-	NodeSelector        *v1.NodeSelectorApplyConfiguration        `json:"nodeSelector,omitempty"`
-	AllocationTimestamp *metav1.Time                              `json:"allocationTimestamp,omitempty"`
+	// Devices is the result of allocating devices.
+	Devices *DeviceAllocationResultApplyConfiguration `json:"devices,omitempty"`
+	// NodeSelector defines where the allocated resources are available. If
+	// unset, they are available everywhere.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllocationTimestamp stores the time when the resources were allocated.
+	// This field is not guaranteed to be set, in which case that time is unknown.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gate.
+	AllocationTimestamp *metav1.Time `json:"allocationTimestamp,omitempty"`
 }
 
 // AllocationResultApplyConfiguration constructs a declarative configuration of the AllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicy.go
index 6d0ed27db5618..2f83af4af1787 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicy.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicy.go
@@ -24,10 +24,39 @@ import (
 
 // CapacityRequestPolicyApplyConfiguration represents a declarative configuration of the CapacityRequestPolicy type for use
 // with apply.
+//
+// CapacityRequestPolicy defines how requests consume device capacity.
+//
+// Must not set more than one ValidRequestValues.
 type CapacityRequestPolicyApplyConfiguration struct {
-	Default     *resource.Quantity                            `json:"default,omitempty"`
-	ValidValues []resource.Quantity                           `json:"validValues,omitempty"`
-	ValidRange  *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
+	// Default specifies how much of this capacity is consumed by a request
+	// that does not contain an entry for it in DeviceRequest's Capacity.
+	Default *resource.Quantity `json:"default,omitempty"`
+	// ValidValues defines a set of acceptable quantity values in consuming requests.
+	//
+	// Must not contain more than 10 entries.
+	// Must be sorted in ascending order.
+	//
+	// If this field is set,
+	// Default must be defined and it must be included in ValidValues list.
+	//
+	// If the requested amount does not match any valid value but smaller than some valid values,
+	// the scheduler calculates the smallest valid value that is greater than or equal to the request.
+	// That is: min(ceil(requestedValue) ∈ validValues), where requestedValue ≤ max(validValues).
+	//
+	// If the requested amount exceeds all valid values, the request violates the policy,
+	// and this device cannot be allocated.
+	ValidValues []resource.Quantity `json:"validValues,omitempty"`
+	// ValidRange defines an acceptable quantity value range in consuming requests.
+	//
+	// If this field is set,
+	// Default must be defined and it must fall within the defined ValidRange.
+	//
+	// If the requested amount does not fall within the defined range, the request violates the policy,
+	// and this device cannot be allocated.
+	//
+	// If the request doesn't contain this capacity entry, Default value is used.
+	ValidRange *CapacityRequestPolicyRangeApplyConfiguration `json:"validRange,omitempty"`
 }
 
 // CapacityRequestPolicyApplyConfiguration constructs a declarative configuration of the CapacityRequestPolicy type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicyrange.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicyrange.go
index c3728db1fb6c7..bd9a734221562 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicyrange.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequestpolicyrange.go
@@ -24,9 +24,31 @@ import (
 
 // CapacityRequestPolicyRangeApplyConfiguration represents a declarative configuration of the CapacityRequestPolicyRange type for use
 // with apply.
+//
+// CapacityRequestPolicyRange defines a valid range for consumable capacity values.
+//
+// - If the requested amount is less than Min, it is rounded up to the Min value.
+// - If Step is set and the requested amount is between Min and Max but not aligned with Step,
+// it will be rounded up to the next value equal to Min + (n * Step).
+// - If Step is not set, the requested amount is used as-is if it falls within the range Min to Max (if set).
+// - If the requested or rounded amount exceeds Max (if set), the request does not satisfy the policy,
+// and the device cannot be allocated.
 type CapacityRequestPolicyRangeApplyConfiguration struct {
-	Min  *resource.Quantity `json:"min,omitempty"`
-	Max  *resource.Quantity `json:"max,omitempty"`
+	// Min specifies the minimum capacity allowed for a consumption request.
+	//
+	// Min must be greater than or equal to zero,
+	// and less than or equal to the capacity value.
+	// requestPolicy.default must be more than or equal to the minimum.
+	Min *resource.Quantity `json:"min,omitempty"`
+	// Max defines the upper limit for capacity that can be requested.
+	//
+	// Max must be less than or equal to the capacity value.
+	// Min and requestPolicy.default must be less than or equal to the maximum.
+	Max *resource.Quantity `json:"max,omitempty"`
+	// Step defines the step size between valid capacity amounts within the range.
+	//
+	// Max (if set) and requestPolicy.default must be a multiple of Step.
+	// Min + Step must be less than or equal to the capacity value.
 	Step *resource.Quantity `json:"step,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequirements.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequirements.go
index 57b6f1e274d6f..4b36a08dcdf00 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequirements.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/capacityrequirements.go
@@ -25,7 +25,31 @@ import (
 
 // CapacityRequirementsApplyConfiguration represents a declarative configuration of the CapacityRequirements type for use
 // with apply.
+//
+// CapacityRequirements defines the capacity requirements for a specific device request.
 type CapacityRequirementsApplyConfiguration struct {
+	// Requests represent individual device resource requests for distinct resources,
+	// all of which must be provided by the device.
+	//
+	// This value is used as an additional filtering condition against the available capacity on the device.
+	// This is semantically equivalent to a CEL selector with
+	// `device.capacity[<domain>].<name>.compareTo(quantity(<request quantity>)) >= 0`.
+	// For example, device.capacity['test-driver.cdi.k8s.io'].counters.compareTo(quantity('2')) >= 0.
+	//
+	// When a requestPolicy is defined, the requested amount is adjusted upward
+	// to the nearest valid value based on the policy.
+	// If the requested amount cannot be adjusted to a valid value—because it exceeds what the requestPolicy allows—
+	// the device is considered ineligible for allocation.
+	//
+	// For any capacity that is not explicitly requested:
+	// - If no requestPolicy is set, the default consumed capacity is equal to the full device capacity
+	// (i.e., the whole device is claimed).
+	// - If a requestPolicy is set, the default consumed capacity is determined according to that policy.
+	//
+	// If the device allows multiple allocation,
+	// the aggregated amount across all requests must not exceed the capacity value.
+	// The consumed capacity, which may be adjusted based on the requestPolicy if defined,
+	// is recorded in the resource claim’s status.devices[*].consumedCapacity field.
 	Requests map[resourcev1beta2.QualifiedName]resource.Quantity `json:"requests,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/celdeviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/celdeviceselector.go
index c2c3e52f0ea09..861168b9e705b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/celdeviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/celdeviceselector.go
@@ -20,7 +20,61 @@ package v1beta2
 
 // CELDeviceSelectorApplyConfiguration represents a declarative configuration of the CELDeviceSelector type for use
 // with apply.
+//
+// CELDeviceSelector contains a CEL expression for selecting a device.
 type CELDeviceSelectorApplyConfiguration struct {
+	// Expression is a CEL expression which evaluates a single device. It
+	// must evaluate to true when the device under consideration satisfies
+	// the desired criteria, and false when it does not. Any other result
+	// is an error and causes allocation of devices to abort.
+	//
+	// The expression's input is an object named "device", which carries
+	// the following properties:
+	// - driver (string): the name of the driver which defines this device.
+	// - attributes (map[string]object): the device's attributes, grouped by prefix
+	// (e.g. device.attributes["dra.example.com"] evaluates to an object with all
+	// of the attributes which were prefixed by "dra.example.com".
+	// - capacity (map[string]object): the device's capacities, grouped by prefix.
+	// - allowMultipleAllocations (bool): the allowMultipleAllocations property of the device
+	// (v1.34+ with the DRAConsumableCapacity feature enabled).
+	//
+	// Example: Consider a device with driver="dra.example.com", which exposes
+	// two attributes named "model" and "ext.example.com/family" and which
+	// exposes one capacity named "modules". This input to this expression
+	// would have the following fields:
+	//
+	// device.driver
+	// device.attributes["dra.example.com"].model
+	// device.attributes["ext.example.com"].family
+	// device.capacity["dra.example.com"].modules
+	//
+	// The device.driver field can be used to check for a specific driver,
+	// either as a high-level precondition (i.e. you only want to consider
+	// devices from this driver) or as part of a multi-clause expression
+	// that is meant to consider devices from different drivers.
+	//
+	// The value type of each attribute is defined by the device
+	// definition, and users who write these expressions must consult the
+	// documentation for their specific drivers. The value type of each
+	// capacity is Quantity.
+	//
+	// If an unknown prefix is used as a lookup in either device.attributes
+	// or device.capacity, an empty map will be returned. Any reference to
+	// an unknown field will cause an evaluation error and allocation to
+	// abort.
+	//
+	// A robust expression should check for the existence of attributes
+	// before referencing them.
+	//
+	// For ease of use, the cel.bind() function is enabled, and can be used
+	// to simplify expressions that access multiple attributes with the
+	// same domain. For example:
+	//
+	// cel.bind(dra, device.attributes["dra.example.com"], dra.someBool && dra.anotherBool)
+	//
+	// The length of the expression must be smaller or equal to 10 Ki. The
+	// cost of evaluating it is also limited based on the estimated number
+	// of logical steps.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counter.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counter.go
index 4afdb9a3a5dd4..0157816491910 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counter.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counter.go
@@ -24,7 +24,10 @@ import (
 
 // CounterApplyConfiguration represents a declarative configuration of the Counter type for use
 // with apply.
+//
+// Counter describes a quantity associated with a device.
 type CounterApplyConfiguration struct {
+	// Value defines how much of a certain device counter is available.
 	Value *resource.Quantity `json:"value,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counterset.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counterset.go
index 2882b4ef25a40..dfee5b721e865 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counterset.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/counterset.go
@@ -20,8 +20,23 @@ package v1beta2
 
 // CounterSetApplyConfiguration represents a declarative configuration of the CounterSet type for use
 // with apply.
+//
+// CounterSet defines a named set of counters
+// that are available to be used by devices defined in the
+// ResourcePool.
+//
+// The counters are not allocatable by themselves, but
+// can be referenced by devices. When a device is allocated,
+// the portion of counters it uses will no longer be available for use
+// by other devices.
 type CounterSetApplyConfiguration struct {
-	Name     *string                              `json:"name,omitempty"`
+	// Name defines the name of the counter set.
+	// It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Counters defines the set of counters for this CounterSet
+	// The name of each counter must be unique in that set and must be a DNS label.
+	//
+	// The maximum number of counters is 32.
 	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/device.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/device.go
index 7896a3838c726..607c9f5eb7950 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/device.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/device.go
@@ -25,19 +25,94 @@ import (
 
 // DeviceApplyConfiguration represents a declarative configuration of the Device type for use
 // with apply.
+//
+// Device represents one individual hardware instance that can be selected based
+// on its attributes. Besides the name, exactly one field must be set.
 type DeviceApplyConfiguration struct {
-	Name                     *string                                                             `json:"name,omitempty"`
-	Attributes               map[resourcev1beta2.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
-	Capacity                 map[resourcev1beta2.QualifiedName]DeviceCapacityApplyConfiguration  `json:"capacity,omitempty"`
-	ConsumesCounters         []DeviceCounterConsumptionApplyConfiguration                        `json:"consumesCounters,omitempty"`
-	NodeName                 *string                                                             `json:"nodeName,omitempty"`
-	NodeSelector             *v1.NodeSelectorApplyConfiguration                                  `json:"nodeSelector,omitempty"`
-	AllNodes                 *bool                                                               `json:"allNodes,omitempty"`
-	Taints                   []DeviceTaintApplyConfiguration                                     `json:"taints,omitempty"`
-	BindsToNode              *bool                                                               `json:"bindsToNode,omitempty"`
-	BindingConditions        []string                                                            `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                                            `json:"bindingFailureConditions,omitempty"`
-	AllowMultipleAllocations *bool                                                               `json:"allowMultipleAllocations,omitempty"`
+	// Name is unique identifier among all devices managed by
+	// the driver in the pool. It must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Attributes defines the set of attributes for this device.
+	// The name of each attribute must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Attributes map[resourcev1beta2.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
+	// Capacity defines the set of capacities for this device.
+	// The name of each capacity must be unique in that set.
+	//
+	// The maximum number of attributes and capacities combined is 32.
+	Capacity map[resourcev1beta2.QualifiedName]DeviceCapacityApplyConfiguration `json:"capacity,omitempty"`
+	// ConsumesCounters defines a list of references to sharedCounters
+	// and the set of counters that the device will
+	// consume from those counter sets.
+	//
+	// There can only be a single entry per counterSet.
+	//
+	// The maximum number of device counter consumptions per
+	// device is 2.
+	ConsumesCounters []DeviceCounterConsumptionApplyConfiguration `json:"consumesCounters,omitempty"`
+	// NodeName identifies the node where the device is available.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines the nodes where the device is available.
+	//
+	// Must use exactly one term.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the device.
+	//
+	// Must only be set if Spec.PerDeviceNodeSelection is set to true.
+	// At most one of NodeName, NodeSelector and AllNodes can be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 16. If taints are set for
+	// any device in a ResourceSlice, then the maximum number of
+	// allowed devices per ResourceSlice is 64 instead of 128.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Taints []DeviceTaintApplyConfiguration `json:"taints,omitempty"`
+	// BindsToNode indicates if the usage of an allocation involving this device
+	// has to be limited to exactly the node that was chosen when allocating the claim.
+	// If set to true, the scheduler will set the ResourceClaim.Status.Allocation.NodeSelector
+	// to match the node where the allocation was made.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindsToNode *bool `json:"bindsToNode,omitempty"`
+	// BindingConditions defines the conditions for proceeding with binding.
+	// All of these conditions must be set in the per-device status
+	// conditions with a value of True to proceed with binding the pod to the node
+	// while scheduling the pod.
+	//
+	// The maximum number of binding conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions defines the conditions for binding failure.
+	// They may be set in the per-device status conditions.
+	// If any is set to "True", a binding failure occurred.
+	//
+	// The maximum number of binding failure conditions is 4.
+	//
+	// The conditions must be a valid condition type string.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// AllowMultipleAllocations marks whether the device is allowed to be allocated to multiple DeviceRequests.
+	//
+	// If AllowMultipleAllocations is set to true, the device can be allocated more than once,
+	// and all of its capacity is consumable, regardless of whether the requestPolicy is defined or not.
+	AllowMultipleAllocations *bool `json:"allowMultipleAllocations,omitempty"`
 }
 
 // DeviceApplyConfiguration constructs a declarative configuration of the Device type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationconfiguration.go
index 971fe807c8d97..cbfb0c1f26e49 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationconfiguration.go
@@ -24,9 +24,20 @@ import (
 
 // DeviceAllocationConfigurationApplyConfiguration represents a declarative configuration of the DeviceAllocationConfiguration type for use
 // with apply.
+//
+// DeviceAllocationConfiguration gets embedded in an AllocationResult.
 type DeviceAllocationConfigurationApplyConfiguration struct {
-	Source                                *resourcev1beta2.AllocationConfigSource `json:"source,omitempty"`
-	Requests                              []string                                `json:"requests,omitempty"`
+	// Source records whether the configuration comes from a class and thus
+	// is not something that a normal user would have been able to set
+	// or from a claim.
+	Source *resourcev1beta2.AllocationConfigSource `json:"source,omitempty"`
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, its applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
+	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationresult.go
index 5d9f0130732e8..8907ac8dcc5ac 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceallocationresult.go
@@ -20,9 +20,19 @@ package v1beta2
 
 // DeviceAllocationResultApplyConfiguration represents a declarative configuration of the DeviceAllocationResult type for use
 // with apply.
+//
+// DeviceAllocationResult is the result of allocating devices.
 type DeviceAllocationResultApplyConfiguration struct {
+	// Results lists all allocated devices.
 	Results []DeviceRequestAllocationResultApplyConfiguration `json:"results,omitempty"`
-	Config  []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
+	// This field is a combination of all the claim and class configuration parameters.
+	// Drivers can distinguish between those based on a flag.
+	//
+	// This includes configuration parameters for drivers which have no allocated
+	// devices in the result because it is up to the drivers which configuration
+	// parameters they support. They can silently ignore unknown configuration
+	// parameters.
+	Config []DeviceAllocationConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceattribute.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceattribute.go
index c5f88c3f78148..63c7f2051059f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceattribute.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceattribute.go
@@ -20,10 +20,17 @@ package v1beta2
 
 // DeviceAttributeApplyConfiguration represents a declarative configuration of the DeviceAttribute type for use
 // with apply.
+//
+// DeviceAttribute must have exactly one field set.
 type DeviceAttributeApplyConfiguration struct {
-	IntValue     *int64  `json:"int,omitempty"`
-	BoolValue    *bool   `json:"bool,omitempty"`
-	StringValue  *string `json:"string,omitempty"`
+	// IntValue is a number.
+	IntValue *int64 `json:"int,omitempty"`
+	// BoolValue is a true/false value.
+	BoolValue *bool `json:"bool,omitempty"`
+	// StringValue is a string. Must not be longer than 64 characters.
+	StringValue *string `json:"string,omitempty"`
+	// VersionValue is a semantic version according to semver.org spec 2.0.0.
+	// Must not be longer than 64 characters.
 	VersionValue *string `json:"version,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecapacity.go
index 79a4e12507799..4e41c8e66b964 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecapacity.go
@@ -24,8 +24,24 @@ import (
 
 // DeviceCapacityApplyConfiguration represents a declarative configuration of the DeviceCapacity type for use
 // with apply.
+//
+// DeviceCapacity describes a quantity associated with a device.
 type DeviceCapacityApplyConfiguration struct {
-	Value         *resource.Quantity                       `json:"value,omitempty"`
+	// Value defines how much of a certain capacity that device has.
+	//
+	// This field reflects the fixed total capacity and does not change.
+	// The consumed amount is tracked separately by scheduler
+	// and does not affect this value.
+	Value *resource.Quantity `json:"value,omitempty"`
+	// RequestPolicy defines how this DeviceCapacity must be consumed
+	// when the device is allowed to be shared by multiple allocations.
+	//
+	// The Device must have allowMultipleAllocations set to true in order to set a requestPolicy.
+	//
+	// If unset, capacity requests are unconstrained:
+	// requests can consume any amount of capacity, as long as the total consumed
+	// across all allocations does not exceed the device's defined capacity.
+	// If request is also unset, default is the full capacity value.
 	RequestPolicy *CapacityRequestPolicyApplyConfiguration `json:"requestPolicy,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaim.go
index 33af599ac810f..f142c13eeaef2 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaim.go
@@ -20,10 +20,19 @@ package v1beta2
 
 // DeviceClaimApplyConfiguration represents a declarative configuration of the DeviceClaim type for use
 // with apply.
+//
+// DeviceClaim defines how to request devices with a ResourceClaim.
 type DeviceClaimApplyConfiguration struct {
-	Requests    []DeviceRequestApplyConfiguration            `json:"requests,omitempty"`
-	Constraints []DeviceConstraintApplyConfiguration         `json:"constraints,omitempty"`
-	Config      []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
+	// Requests represent individual requests for distinct devices which
+	// must all be satisfied. If empty, nothing needs to be allocated.
+	Requests []DeviceRequestApplyConfiguration `json:"requests,omitempty"`
+	// These constraints must be satisfied by the set of devices that get
+	// allocated for the claim.
+	Constraints []DeviceConstraintApplyConfiguration `json:"constraints,omitempty"`
+	// This field holds configuration for multiple potential drivers which
+	// could satisfy requests in this claim. It is ignored while allocating
+	// the claim.
+	Config []DeviceClaimConfigurationApplyConfiguration `json:"config,omitempty"`
 }
 
 // DeviceClaimApplyConfiguration constructs a declarative configuration of the DeviceClaim type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaimconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaimconfiguration.go
index 08464b399a793..59a4f50f6b587 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaimconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclaimconfiguration.go
@@ -20,7 +20,15 @@ package v1beta2
 
 // DeviceClaimConfigurationApplyConfiguration represents a declarative configuration of the DeviceClaimConfiguration type for use
 // with apply.
+//
+// DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.
 type DeviceClaimConfigurationApplyConfiguration struct {
+	// Requests lists the names of requests where the configuration applies.
+	// If empty, it applies to all requests.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the configuration applies to all subrequests.
 	Requests                              []string `json:"requests,omitempty"`
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclass.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclass.go
index 39cac1154abc0..439e03c6d08b1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclass.go
@@ -29,10 +29,27 @@ import (
 
 // DeviceClassApplyConfiguration represents a declarative configuration of the DeviceClass type for use
 // with apply.
+//
+// DeviceClass is a vendor- or admin-provided resource that contains
+// device configuration and selectors. It can be referenced in
+// the device requests of a claim to apply these presets.
+// Cluster scoped.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type DeviceClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec defines what can be allocated and how to configure it.
+	//
+	// This is mutable. Consumers have to be prepared for classes changing
+	// at any time, either because they get updated or replaced. Claim
+	// allocations are done once based on whatever was set in classes at
+	// the time of allocation.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *DeviceClassSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // DeviceClass constructs a declarative configuration of the DeviceClass type for use with
@@ -45,29 +62,14 @@ func DeviceClass(name string) *DeviceClassApplyConfiguration {
 	return b
 }
 
-// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
-// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
-// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractDeviceClassFrom extracts the applied configuration owned by fieldManager from
+// deviceClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
-// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractDeviceClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractDeviceClass(deviceClass *resourcev1beta2.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "")
-}
-
-// ExtractDeviceClassStatus is the same as ExtractDeviceClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeviceClassStatus(deviceClass *resourcev1beta2.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
-	return extractDeviceClass(deviceClass, fieldManager, "status")
-}
-
-func extractDeviceClass(deviceClass *resourcev1beta2.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
+func ExtractDeviceClassFrom(deviceClass *resourcev1beta2.DeviceClass, fieldManager string, subresource string) (*DeviceClassApplyConfiguration, error) {
 	b := &DeviceClassApplyConfiguration{}
 	err := managedfields.ExtractInto(deviceClass, internal.Parser().Type("io.k8s.api.resource.v1beta2.DeviceClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +81,21 @@ func extractDeviceClass(deviceClass *resourcev1beta2.DeviceClass, fieldManager s
 	b.WithAPIVersion("resource.k8s.io/v1beta2")
 	return b, nil
 }
+
+// ExtractDeviceClass extracts the applied configuration owned by fieldManager from
+// deviceClass. If no managedFields are found in deviceClass for fieldManager, a
+// DeviceClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deviceClass must be a unmodified DeviceClass API object that was retrieved from the Kubernetes API.
+// ExtractDeviceClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeviceClass(deviceClass *resourcev1beta2.DeviceClass, fieldManager string) (*DeviceClassApplyConfiguration, error) {
+	return ExtractDeviceClassFrom(deviceClass, fieldManager, "")
+}
+
 func (b DeviceClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassconfiguration.go
index 904410280294f..f668fcf865236 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassconfiguration.go
@@ -20,6 +20,8 @@ package v1beta2
 
 // DeviceClassConfigurationApplyConfiguration represents a declarative configuration of the DeviceClassConfiguration type for use
 // with apply.
+//
+// DeviceClassConfiguration is used in DeviceClass.
 type DeviceClassConfigurationApplyConfiguration struct {
 	DeviceConfigurationApplyConfiguration `json:",inline"`
 }
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassspec.go
index b181fd68414eb..e270c5908b90f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceclassspec.go
@@ -20,10 +20,29 @@ package v1beta2
 
 // DeviceClassSpecApplyConfiguration represents a declarative configuration of the DeviceClassSpec type for use
 // with apply.
+//
+// DeviceClassSpec is used in a [DeviceClass] to define what can be allocated
+// and how to configure it.
 type DeviceClassSpecApplyConfiguration struct {
-	Selectors            []DeviceSelectorApplyConfiguration           `json:"selectors,omitempty"`
-	Config               []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
-	ExtendedResourceName *string                                      `json:"extendedResourceName,omitempty"`
+	// Each selector must be satisfied by a device which is claimed via this class.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// Config defines configuration parameters that apply to each device that is claimed via this class.
+	// Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor
+	// configuration applies to exactly one driver.
+	//
+	// They are passed to the driver, but are not considered while allocating the claim.
+	Config []DeviceClassConfigurationApplyConfiguration `json:"config,omitempty"`
+	// ExtendedResourceName is the extended resource name for the devices of this class.
+	// The devices of this class can be used to satisfy a pod's extended resource requests.
+	// It has the same format as the name of a pod's extended resource.
+	// It should be unique among all the device classes in a cluster.
+	// If two device classes have the same name, then the class created later
+	// is picked to satisfy a pod's extended resource requests.
+	// If two classes are created at the same time, then the name of the class
+	// lexicographically sorted first is picked.
+	//
+	// This is an alpha field.
+	ExtendedResourceName *string `json:"extendedResourceName,omitempty"`
 }
 
 // DeviceClassSpecApplyConfiguration constructs a declarative configuration of the DeviceClassSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconfiguration.go
index 2032433f3477b..9d79fe23533c7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconfiguration.go
@@ -20,7 +20,12 @@ package v1beta2
 
 // DeviceConfigurationApplyConfiguration represents a declarative configuration of the DeviceConfiguration type for use
 // with apply.
+//
+// DeviceConfiguration must have exactly one field set. It gets embedded
+// inline in some other structs which have other fields, so field names must
+// not conflict with those.
 type DeviceConfigurationApplyConfiguration struct {
+	// Opaque provides driver-specific configuration parameters.
 	Opaque *OpaqueDeviceConfigurationApplyConfiguration `json:"opaque,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconstraint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconstraint.go
index dd23cd22fda5e..81a682c82b816 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconstraint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceconstraint.go
@@ -24,9 +24,42 @@ import (
 
 // DeviceConstraintApplyConfiguration represents a declarative configuration of the DeviceConstraint type for use
 // with apply.
+//
+// DeviceConstraint must have exactly one field set besides Requests.
 type DeviceConstraintApplyConfiguration struct {
-	Requests          []string                            `json:"requests,omitempty"`
-	MatchAttribute    *resourcev1beta2.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// Requests is a list of the one or more requests in this claim which
+	// must co-satisfy this constraint. If a request is fulfilled by
+	// multiple devices, then all of the devices must satisfy the
+	// constraint. If this is not specified, this constraint applies to all
+	// requests in this claim.
+	//
+	// References to subrequests must include the name of the main request
+	// and may include the subrequest using the format <main request>[/<subrequest>]. If just
+	// the main request is given, the constraint applies to all subrequests.
+	Requests []string `json:"requests,omitempty"`
+	// MatchAttribute requires that all devices in question have this
+	// attribute and that its type and value are the same across those
+	// devices.
+	//
+	// For example, if you specified "dra.example.com/numa" (a hypothetical example!),
+	// then only devices in the same NUMA node will be chosen. A device which
+	// does not have that attribute will not be chosen. All devices should
+	// use a value of the same type for this attribute because that is part of
+	// its specification, but if one device doesn't, then it also will not be
+	// chosen.
+	//
+	// Must include the domain qualifier.
+	MatchAttribute *resourcev1beta2.FullyQualifiedName `json:"matchAttribute,omitempty"`
+	// DistinctAttribute requires that all devices in question have this
+	// attribute and that its type and value are unique across those devices.
+	//
+	// This acts as the inverse of MatchAttribute.
+	//
+	// This constraint is used to avoid allocating multiple requests to the same device
+	// by ensuring attribute-level differentiation.
+	//
+	// This is useful for scenarios where resource requests must be fulfilled by separate physical devices.
+	// For example, a container requests two network interfaces that must be allocated from two different physical NICs.
 	DistinctAttribute *resourcev1beta2.FullyQualifiedName `json:"distinctAttribute,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecounterconsumption.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecounterconsumption.go
index 9d6d0a87384b9..f636ccdbd8480 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecounterconsumption.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicecounterconsumption.go
@@ -20,9 +20,17 @@ package v1beta2
 
 // DeviceCounterConsumptionApplyConfiguration represents a declarative configuration of the DeviceCounterConsumption type for use
 // with apply.
+//
+// DeviceCounterConsumption defines a set of counters that
+// a device will consume from a CounterSet.
 type DeviceCounterConsumptionApplyConfiguration struct {
-	CounterSet *string                              `json:"counterSet,omitempty"`
-	Counters   map[string]CounterApplyConfiguration `json:"counters,omitempty"`
+	// CounterSet is the name of the set from which the
+	// counters defined will be consumed.
+	CounterSet *string `json:"counterSet,omitempty"`
+	// Counters defines the counters that will be consumed by the device.
+	//
+	// The maximum number of counters is 32.
+	Counters map[string]CounterApplyConfiguration `json:"counters,omitempty"`
 }
 
 // DeviceCounterConsumptionApplyConfiguration constructs a declarative configuration of the DeviceCounterConsumption type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequest.go
index 426c974876790..c2e9ef20c4774 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequest.go
@@ -20,10 +20,42 @@ package v1beta2
 
 // DeviceRequestApplyConfiguration represents a declarative configuration of the DeviceRequest type for use
 // with apply.
+//
+// DeviceRequest is a request for devices required for a claim.
+// This is typically a request for a single resource like a device, but can
+// also ask for several identical devices. With FirstAvailable it is also
+// possible to provide a prioritized list of requests.
 type DeviceRequestApplyConfiguration struct {
-	Name           *string                               `json:"name,omitempty"`
-	Exactly        *ExactDeviceRequestApplyConfiguration `json:"exactly,omitempty"`
-	FirstAvailable []DeviceSubRequestApplyConfiguration  `json:"firstAvailable,omitempty"`
+	// Name can be used to reference this request in a pod.spec.containers[].resources.claims
+	// entry and in a constraint of the claim.
+	//
+	// References using the name in the DeviceRequest will uniquely
+	// identify a request when the Exactly field is set. When the
+	// FirstAvailable field is set, a reference to the name of the
+	// DeviceRequest will match whatever subrequest is chosen by the
+	// scheduler.
+	//
+	// Must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// Exactly specifies the details for a single request that must
+	// be met exactly for the request to be satisfied.
+	//
+	// One of Exactly or FirstAvailable must be set.
+	Exactly *ExactDeviceRequestApplyConfiguration `json:"exactly,omitempty"`
+	// FirstAvailable contains subrequests, of which exactly one will be
+	// selected by the scheduler. It tries to
+	// satisfy them in the order in which they are listed here. So if
+	// there are two entries in the list, the scheduler will only check
+	// the second one if it determines that the first one can not be used.
+	//
+	// DRA does not yet implement scoring, so the scheduler will
+	// select the first set of devices that satisfies all the
+	// requests in the claim. And if the requirements can
+	// be satisfied on more than one node, other scheduling features
+	// will determine which node is chosen. This means that the set of
+	// devices allocated to a claim might not be the optimal set
+	// available to the cluster. Scoring will be implemented later.
+	FirstAvailable []DeviceSubRequestApplyConfiguration `json:"firstAvailable,omitempty"`
 }
 
 // DeviceRequestApplyConfiguration constructs a declarative configuration of the DeviceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequestallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequestallocationresult.go
index 202fca5dfbb61..c1fd0266f5980 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequestallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicerequestallocationresult.go
@@ -26,17 +26,75 @@ import (
 
 // DeviceRequestAllocationResultApplyConfiguration represents a declarative configuration of the DeviceRequestAllocationResult type for use
 // with apply.
+//
+// DeviceRequestAllocationResult contains the allocation result for one request.
 type DeviceRequestAllocationResultApplyConfiguration struct {
-	Request                  *string                                             `json:"request,omitempty"`
-	Driver                   *string                                             `json:"driver,omitempty"`
-	Pool                     *string                                             `json:"pool,omitempty"`
-	Device                   *string                                             `json:"device,omitempty"`
-	AdminAccess              *bool                                               `json:"adminAccess,omitempty"`
-	Tolerations              []DeviceTolerationApplyConfiguration                `json:"tolerations,omitempty"`
-	BindingConditions        []string                                            `json:"bindingConditions,omitempty"`
-	BindingFailureConditions []string                                            `json:"bindingFailureConditions,omitempty"`
-	ShareID                  *types.UID                                          `json:"shareID,omitempty"`
-	ConsumedCapacity         map[resourcev1beta2.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
+	// Request is the name of the request in the claim which caused this
+	// device to be allocated. If it references a subrequest in the
+	// firstAvailable list on a DeviceRequest, this field must
+	// include both the name of the main request and the subrequest
+	// using the format <main request>/<subrequest>.
+	//
+	// Multiple devices may have been allocated per request.
+	Request *string `json:"request,omitempty"`
+	// Driver specifies the name of the DRA driver whose kubelet
+	// plugin should be invoked to process the allocation once the claim is
+	// needed on a node.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// This name together with the driver name and the device name field
+	// identify which device was allocated (`<driver name>/<pool name>/<device name>`).
+	//
+	// Must not be longer than 253 characters and may contain one or more
+	// DNS sub-domains separated by slashes.
+	Pool *string `json:"pool,omitempty"`
+	// Device references one device instance via its name in the driver's
+	// resource pool. It must be a DNS label.
+	Device *string `json:"device,omitempty"`
+	// AdminAccess indicates that this device was allocated for
+	// administrative access. See the corresponding request field
+	// for a definition of mode.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// BindingConditions contains a copy of the BindingConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingConditions []string `json:"bindingConditions,omitempty"`
+	// BindingFailureConditions contains a copy of the BindingFailureConditions
+	// from the corresponding ResourceSlice at the time of allocation.
+	//
+	// This is an alpha field and requires enabling the DRADeviceBindingConditions and DRAResourceClaimDeviceStatus
+	// feature gates.
+	BindingFailureConditions []string `json:"bindingFailureConditions,omitempty"`
+	// ShareID uniquely identifies an individual allocation share of the device,
+	// used when the device supports multiple simultaneous allocations.
+	// It serves as an additional map key to differentiate concurrent shares
+	// of the same device.
+	ShareID *types.UID `json:"shareID,omitempty"`
+	// ConsumedCapacity tracks the amount of capacity consumed per device as part of the claim request.
+	// The consumed amount may differ from the requested amount: it is rounded up to the nearest valid
+	// value based on the device’s requestPolicy if applicable (i.e., may not be less than the requested amount).
+	//
+	// The total consumed capacity for each device must not exceed the DeviceCapacity's Value.
+	//
+	// This field is populated only for devices that allow multiple allocations.
+	// All capacity entries are included, even if the consumed amount is zero.
+	ConsumedCapacity map[resourcev1beta2.QualifiedName]resource.Quantity `json:"consumedCapacity,omitempty"`
 }
 
 // DeviceRequestAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceRequestAllocationResult type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceselector.go
index fd064e5f6cbae..aa4b931211130 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceselector.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/deviceselector.go
@@ -20,7 +20,10 @@ package v1beta2
 
 // DeviceSelectorApplyConfiguration represents a declarative configuration of the DeviceSelector type for use
 // with apply.
+//
+// DeviceSelector must have exactly one field set.
 type DeviceSelectorApplyConfiguration struct {
+	// CEL contains a CEL expression for selecting a device.
 	CEL *CELDeviceSelectorApplyConfiguration `json:"cel,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicesubrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicesubrequest.go
index 1ebd716d3ec85..79345cf6c53cb 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicesubrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicesubrequest.go
@@ -24,14 +24,91 @@ import (
 
 // DeviceSubRequestApplyConfiguration represents a declarative configuration of the DeviceSubRequest type for use
 // with apply.
+//
+// DeviceSubRequest describes a request for device provided in the
+// claim.spec.devices.requests[].firstAvailable array. Each
+// is typically a request for a single resource like a device, but can
+// also ask for several identical devices.
+//
+// DeviceSubRequest is similar to ExactDeviceRequest, but doesn't expose the
+// AdminAccess field as that one is only supported when requesting a
+// specific device.
 type DeviceSubRequestApplyConfiguration struct {
-	Name            *string                                 `json:"name,omitempty"`
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1beta2.DeviceAllocationMode   `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// Name can be used to reference this subrequest in the list of constraints
+	// or the list of configurations for the claim. References must use the
+	// format <main request>/<subrequest>.
+	//
+	// Must be a DNS label.
+	Name *string `json:"name,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// subrequest.
+	//
+	// A class is required. Which classes are available depends on the cluster.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// subrequest. All selectors must be satisfied for a device to be
+	// considered.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this subrequest. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This subrequest is for all of the matching devices in a pool.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other subrequests must specify this field.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1beta2.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	Count *int64 `json:"count,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // DeviceSubRequestApplyConfiguration constructs a declarative configuration of the DeviceSubRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetaint.go
index b21f98a15282e..8049f52cc0cd1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetaint.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetaint.go
@@ -25,11 +25,27 @@ import (
 
 // DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
 // with apply.
+//
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
 type DeviceTaintApplyConfiguration struct {
-	Key       *string                            `json:"key,omitempty"`
-	Value     *string                            `json:"value,omitempty"`
-	Effect    *resourcev1beta2.DeviceTaintEffect `json:"effect,omitempty"`
-	TimeAdded *v1.Time                           `json:"timeAdded,omitempty"`
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	//
+	// Valid effects are None, NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here. More effects may get added in the future.
+	// Consumers must treat unknown effects like None.
+	Effect *resourcev1beta2.DeviceTaintEffect `json:"effect,omitempty"`
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	TimeAdded *v1.Time `json:"timeAdded,omitempty"`
 }
 
 // DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetoleration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetoleration.go
index ae471233f4de8..988d7f89092f9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetoleration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/devicetoleration.go
@@ -24,12 +24,33 @@ import (
 
 // DeviceTolerationApplyConfiguration represents a declarative configuration of the DeviceToleration type for use
 // with apply.
+//
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
 type DeviceTolerationApplyConfiguration struct {
-	Key               *string                                   `json:"key,omitempty"`
-	Operator          *resourcev1beta2.DeviceTolerationOperator `json:"operator,omitempty"`
-	Value             *string                                   `json:"value,omitempty"`
-	Effect            *resourcev1beta2.DeviceTaintEffect        `json:"effect,omitempty"`
-	TolerationSeconds *int64                                    `json:"tolerationSeconds,omitempty"`
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	Key *string `json:"key,omitempty"`
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	Operator *resourcev1beta2.DeviceTolerationOperator `json:"operator,omitempty"`
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	Value *string `json:"value,omitempty"`
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	Effect *resourcev1beta2.DeviceTaintEffect `json:"effect,omitempty"`
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty"`
 }
 
 // DeviceTolerationApplyConfiguration constructs a declarative configuration of the DeviceToleration type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/exactdevicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/exactdevicerequest.go
index 1f0d6b4106210..e4c5d599633fa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/exactdevicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/exactdevicerequest.go
@@ -24,14 +24,89 @@ import (
 
 // ExactDeviceRequestApplyConfiguration represents a declarative configuration of the ExactDeviceRequest type for use
 // with apply.
+//
+// ExactDeviceRequest is a request for one or more identical devices.
 type ExactDeviceRequestApplyConfiguration struct {
-	DeviceClassName *string                                 `json:"deviceClassName,omitempty"`
-	Selectors       []DeviceSelectorApplyConfiguration      `json:"selectors,omitempty"`
-	AllocationMode  *resourcev1beta2.DeviceAllocationMode   `json:"allocationMode,omitempty"`
-	Count           *int64                                  `json:"count,omitempty"`
-	AdminAccess     *bool                                   `json:"adminAccess,omitempty"`
-	Tolerations     []DeviceTolerationApplyConfiguration    `json:"tolerations,omitempty"`
-	Capacity        *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
+	// DeviceClassName references a specific DeviceClass, which can define
+	// additional configuration and selectors to be inherited by this
+	// request.
+	//
+	// A DeviceClassName is required.
+	//
+	// Administrators may use this to restrict which devices may get
+	// requested by only installing classes with selectors for permitted
+	// devices. If users are free to request anything without restrictions,
+	// then administrators can create an empty DeviceClass for users
+	// to reference.
+	DeviceClassName *string `json:"deviceClassName,omitempty"`
+	// Selectors define criteria which must be satisfied by a specific
+	// device in order for that device to be considered for this
+	// request. All selectors must be satisfied for a device to be
+	// considered.
+	Selectors []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+	// AllocationMode and its related fields define how devices are allocated
+	// to satisfy this request. Supported values are:
+	//
+	// - ExactCount: This request is for a specific number of devices.
+	// This is the default. The exact number is provided in the
+	// count field.
+	//
+	// - All: This request is for all of the matching devices in a pool.
+	// At least one device must exist on the node for the allocation to succeed.
+	// Allocation will fail if some devices are already allocated,
+	// unless adminAccess is requested.
+	//
+	// If AllocationMode is not specified, the default mode is ExactCount. If
+	// the mode is ExactCount and count is not specified, the default count is
+	// one. Any other requests must specify this field.
+	//
+	// More modes may get added in the future. Clients must refuse to handle
+	// requests with unknown modes.
+	AllocationMode *resourcev1beta2.DeviceAllocationMode `json:"allocationMode,omitempty"`
+	// Count is used only when the count mode is "ExactCount". Must be greater than zero.
+	// If AllocationMode is ExactCount and this field is not specified, the default is one.
+	Count *int64 `json:"count,omitempty"`
+	// AdminAccess indicates that this is a claim for administrative access
+	// to the device(s). Claims with AdminAccess are expected to be used for
+	// monitoring or other management services for a device.  They ignore
+	// all ordinary claims to the device with respect to access modes and
+	// any resource allocations.
+	//
+	// This is an alpha field and requires enabling the DRAAdminAccess
+	// feature gate. Admin access is disabled if this field is unset or
+	// set to false, otherwise it is enabled.
+	AdminAccess *bool `json:"adminAccess,omitempty"`
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
+	// Capacity define resource requirements against each capacity.
+	//
+	// If this field is unset and the device supports multiple allocations,
+	// the default value will be applied to each capacity according to requestPolicy.
+	// For the capacity that has no requestPolicy, default is the full capacity value.
+	//
+	// Applies to each device allocation.
+	// If Count > 1,
+	// the request fails if there aren't enough devices that meet the requirements.
+	// If AllocationMode is set to All,
+	// the request fails if there are devices that otherwise match the request,
+	// and have this capacity, with a value >= the requested amount, but which cannot be allocated to this request.
+	Capacity *CapacityRequirementsApplyConfiguration `json:"capacity,omitempty"`
 }
 
 // ExactDeviceRequestApplyConfiguration constructs a declarative configuration of the ExactDeviceRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/networkdevicedata.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/networkdevicedata.go
index 9b0944f8f2148..9621703268fe8 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/networkdevicedata.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/networkdevicedata.go
@@ -20,10 +20,27 @@ package v1beta2
 
 // NetworkDeviceDataApplyConfiguration represents a declarative configuration of the NetworkDeviceData type for use
 // with apply.
+//
+// NetworkDeviceData provides network-related details for the allocated device.
+// This information may be filled by drivers or other components to configure
+// or identify the device within a network context.
 type NetworkDeviceDataApplyConfiguration struct {
-	InterfaceName   *string  `json:"interfaceName,omitempty"`
-	IPs             []string `json:"ips,omitempty"`
-	HardwareAddress *string  `json:"hardwareAddress,omitempty"`
+	// InterfaceName specifies the name of the network interface associated with
+	// the allocated device. This might be the name of a physical or virtual
+	// network interface being configured in the pod.
+	//
+	// Must not be longer than 256 characters.
+	InterfaceName *string `json:"interfaceName,omitempty"`
+	// IPs lists the network addresses assigned to the device's network interface.
+	// This can include both IPv4 and IPv6 addresses.
+	// The IPs are in the CIDR notation, which includes both the address and the
+	// associated subnet mask.
+	// e.g.: "192.0.2.5/24" for IPv4 and "2001:db8::5/64" for IPv6.
+	IPs []string `json:"ips,omitempty"`
+	// HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.
+	//
+	// Must not be longer than 128 characters.
+	HardwareAddress *string `json:"hardwareAddress,omitempty"`
 }
 
 // NetworkDeviceDataApplyConfiguration constructs a declarative configuration of the NetworkDeviceData type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/opaquedeviceconfiguration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/opaquedeviceconfiguration.go
index aa8fe43f3e472..d4ac456795d03 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/opaquedeviceconfiguration.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/opaquedeviceconfiguration.go
@@ -24,8 +24,25 @@ import (
 
 // OpaqueDeviceConfigurationApplyConfiguration represents a declarative configuration of the OpaqueDeviceConfiguration type for use
 // with apply.
+//
+// OpaqueDeviceConfiguration contains configuration parameters for a driver
+// in a format defined by the driver vendor.
 type OpaqueDeviceConfigurationApplyConfiguration struct {
-	Driver     *string               `json:"driver,omitempty"`
+	// Driver is used to determine which kubelet plugin needs
+	// to be passed these configuration parameters.
+	//
+	// An admission policy provided by the driver developer could use this
+	// to decide whether it needs to validate them.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	Driver *string `json:"driver,omitempty"`
+	// Parameters can contain arbitrary data. It is the responsibility of
+	// the driver developer to handle validation and versioning. Typically this
+	// includes self-identification and a version ("kind" + "apiVersion" for
+	// Kubernetes types), with conversion between different versions.
+	//
+	// The length of the raw data must be smaller or equal to 10 Ki.
 	Parameters *runtime.RawExtension `json:"parameters,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaim.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaim.go
index 0d8d59db991c6..e35d087cd67d6 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaim.go
@@ -29,11 +29,24 @@ import (
 
 // ResourceClaimApplyConfiguration represents a declarative configuration of the ResourceClaim type for use
 // with apply.
+//
+// ResourceClaim describes a request for access to resources in the cluster,
+// for use by workloads. For example, if a workload needs an accelerator device
+// with specific properties, this is how that request is expressed. The status
+// stanza tracks whether this claim has been satisfied and what specific
+// resources have been allocated.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
+	// Spec describes what is being requested and how to configure it.
+	// The spec is immutable.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status describes whether the claim is ready to use and what has been allocated.
+	Status *ResourceClaimStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ResourceClaim constructs a declarative configuration of the ResourceClaim type for use with
@@ -47,6 +60,27 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 	return b
 }
 
+// ExtractResourceClaimFrom extracts the applied configuration owned by fieldManager from
+// resourceClaim for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// resourceClaim must be a unmodified ResourceClaim API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimFrom(resourceClaim *resourcev1beta2.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
+	b := &ResourceClaimApplyConfiguration{}
+	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1beta2.ResourceClaim"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(resourceClaim.Name)
+	b.WithNamespace(resourceClaim.Namespace)
+
+	b.WithKind("ResourceClaim")
+	b.WithAPIVersion("resource.k8s.io/v1beta2")
+	return b, nil
+}
+
 // ExtractResourceClaim extracts the applied configuration owned by fieldManager from
 // resourceClaim. If no managedFields are found in resourceClaim for fieldManager, a
 // ResourceClaimApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -57,31 +91,16 @@ func ResourceClaim(name, namespace string) *ResourceClaimApplyConfiguration {
 // ExtractResourceClaim provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractResourceClaim(resourceClaim *resourcev1beta2.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "")
 }
 
-// ExtractResourceClaimStatus is the same as ExtractResourceClaim except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractResourceClaimStatus extracts the applied configuration owned by fieldManager from
+// resourceClaim for the status subresource.
 func ExtractResourceClaimStatus(resourceClaim *resourcev1beta2.ResourceClaim, fieldManager string) (*ResourceClaimApplyConfiguration, error) {
-	return extractResourceClaim(resourceClaim, fieldManager, "status")
+	return ExtractResourceClaimFrom(resourceClaim, fieldManager, "status")
 }
 
-func extractResourceClaim(resourceClaim *resourcev1beta2.ResourceClaim, fieldManager string, subresource string) (*ResourceClaimApplyConfiguration, error) {
-	b := &ResourceClaimApplyConfiguration{}
-	err := managedfields.ExtractInto(resourceClaim, internal.Parser().Type("io.k8s.api.resource.v1beta2.ResourceClaim"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(resourceClaim.Name)
-	b.WithNamespace(resourceClaim.Namespace)
-
-	b.WithKind("ResourceClaim")
-	b.WithAPIVersion("resource.k8s.io/v1beta2")
-	return b, nil
-}
 func (b ResourceClaimApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimconsumerreference.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimconsumerreference.go
index b7824e8599a45..08d973e2398aa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimconsumerreference.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimconsumerreference.go
@@ -24,11 +24,21 @@ import (
 
 // ResourceClaimConsumerReferenceApplyConfiguration represents a declarative configuration of the ResourceClaimConsumerReference type for use
 // with apply.
+//
+// ResourceClaimConsumerReference contains enough information to let you
+// locate the consumer of a ResourceClaim. The user must be a resource in the same
+// namespace as the ResourceClaim.
 type ResourceClaimConsumerReferenceApplyConfiguration struct {
-	APIGroup *string    `json:"apiGroup,omitempty"`
-	Resource *string    `json:"resource,omitempty"`
-	Name     *string    `json:"name,omitempty"`
-	UID      *types.UID `json:"uid,omitempty"`
+	// APIGroup is the group for the resource being referenced. It is
+	// empty for the core API. This matches the group in the APIVersion
+	// that is used when creating the resources.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Resource is the type of resource being referenced, for example "pods".
+	Resource *string `json:"resource,omitempty"`
+	// Name is the name of resource being referenced.
+	Name *string `json:"name,omitempty"`
+	// UID identifies exactly one incarnation of the resource.
+	UID *types.UID `json:"uid,omitempty"`
 }
 
 // ResourceClaimConsumerReferenceApplyConfiguration constructs a declarative configuration of the ResourceClaimConsumerReference type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimspec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimspec.go
index e1fce17157287..7057dd71c8eee 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimspec.go
@@ -20,7 +20,10 @@ package v1beta2
 
 // ResourceClaimSpecApplyConfiguration represents a declarative configuration of the ResourceClaimSpec type for use
 // with apply.
+//
+// ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.
 type ResourceClaimSpecApplyConfiguration struct {
+	// Devices defines how to request devices.
 	Devices *DeviceClaimApplyConfiguration `json:"devices,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimstatus.go
index a3e7ae258fdec..87d76e0974030 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimstatus.go
@@ -20,10 +20,36 @@ package v1beta2
 
 // ResourceClaimStatusApplyConfiguration represents a declarative configuration of the ResourceClaimStatus type for use
 // with apply.
+//
+// ResourceClaimStatus tracks whether the resource has been allocated and what
+// the result of that was.
 type ResourceClaimStatusApplyConfiguration struct {
-	Allocation  *AllocationResultApplyConfiguration                `json:"allocation,omitempty"`
+	// Allocation is set once the claim has been allocated successfully.
+	Allocation *AllocationResultApplyConfiguration `json:"allocation,omitempty"`
+	// ReservedFor indicates which entities are currently allowed to use
+	// the claim. A Pod which references a ResourceClaim which is not
+	// reserved for that Pod will not be started. A claim that is in
+	// use or might be in use because it has been reserved must not get
+	// deallocated.
+	//
+	// In a cluster with multiple scheduler instances, two pods might get
+	// scheduled concurrently by different schedulers. When they reference
+	// the same ResourceClaim which already has reached its maximum number
+	// of consumers, only one pod can be scheduled.
+	//
+	// Both schedulers try to add their pod to the claim.status.reservedFor
+	// field, but only the update that reaches the API server first gets
+	// stored. The other one fails with an error and the scheduler
+	// which issued it knows that it must put the pod back into the queue,
+	// waiting for the ResourceClaim to become usable again.
+	//
+	// There can be at most 256 such reservations. This may get increased in
+	// the future, but not reduced.
 	ReservedFor []ResourceClaimConsumerReferenceApplyConfiguration `json:"reservedFor,omitempty"`
-	Devices     []AllocatedDeviceStatusApplyConfiguration          `json:"devices,omitempty"`
+	// Devices contains the status of each device allocated for this
+	// claim, as reported by the driver. This can include driver-specific
+	// information. Entries are owned by their respective drivers.
+	Devices []AllocatedDeviceStatusApplyConfiguration `json:"devices,omitempty"`
 }
 
 // ResourceClaimStatusApplyConfiguration constructs a declarative configuration of the ResourceClaimStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplate.go
index 2e79c66405b92..999521cee2381 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplate.go
@@ -29,10 +29,21 @@ import (
 
 // ResourceClaimTemplateApplyConfiguration represents a declarative configuration of the ResourceClaimTemplate type for use
 // with apply.
+//
+// ResourceClaimTemplate is used to produce ResourceClaim objects.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceClaimTemplateApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
+	// Describes the ResourceClaim that is to be generated.
+	//
+	// This field is immutable. A ResourceClaim will get created by the
+	// control plane for a Pod when needed and then not get updated
+	// anymore.
+	Spec *ResourceClaimTemplateSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplate constructs a declarative configuration of the ResourceClaimTemplate type for use with
@@ -46,29 +57,14 @@ func ResourceClaimTemplate(name, namespace string) *ResourceClaimTemplateApplyCo
 	return b
 }
 
-// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
-// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
-// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceClaimTemplateFrom extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
-// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceClaimTemplateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta2.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "")
-}
-
-// ExtractResourceClaimTemplateStatus is the same as ExtractResourceClaimTemplate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceClaimTemplateStatus(resourceClaimTemplate *resourcev1beta2.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
-	return extractResourceClaimTemplate(resourceClaimTemplate, fieldManager, "status")
-}
-
-func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta2.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
+func ExtractResourceClaimTemplateFrom(resourceClaimTemplate *resourcev1beta2.ResourceClaimTemplate, fieldManager string, subresource string) (*ResourceClaimTemplateApplyConfiguration, error) {
 	b := &ResourceClaimTemplateApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceClaimTemplate, internal.Parser().Type("io.k8s.api.resource.v1beta2.ResourceClaimTemplate"), fieldManager, b, subresource)
 	if err != nil {
@@ -81,6 +77,21 @@ func extractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta2.Resourc
 	b.WithAPIVersion("resource.k8s.io/v1beta2")
 	return b, nil
 }
+
+// ExtractResourceClaimTemplate extracts the applied configuration owned by fieldManager from
+// resourceClaimTemplate. If no managedFields are found in resourceClaimTemplate for fieldManager, a
+// ResourceClaimTemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceClaimTemplate must be a unmodified ResourceClaimTemplate API object that was retrieved from the Kubernetes API.
+// ExtractResourceClaimTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceClaimTemplate(resourceClaimTemplate *resourcev1beta2.ResourceClaimTemplate, fieldManager string) (*ResourceClaimTemplateApplyConfiguration, error) {
+	return ExtractResourceClaimTemplateFrom(resourceClaimTemplate, fieldManager, "")
+}
+
 func (b ResourceClaimTemplateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplatespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplatespec.go
index 7868d1dd94c95..da19bf364cc11 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplatespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceclaimtemplatespec.go
@@ -26,9 +26,17 @@ import (
 
 // ResourceClaimTemplateSpecApplyConfiguration represents a declarative configuration of the ResourceClaimTemplateSpec type for use
 // with apply.
+//
+// ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.
 type ResourceClaimTemplateSpecApplyConfiguration struct {
+	// ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim
+	// when creating it. No other fields are allowed and will be rejected during
+	// validation.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
+	// Spec for the ResourceClaim. The entire content is copied unchanged
+	// into the ResourceClaim that gets created from this template. The
+	// same fields as in a ResourceClaim are also valid here.
+	Spec *ResourceClaimSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceClaimTemplateSpecApplyConfiguration constructs a declarative configuration of the ResourceClaimTemplateSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourcepool.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourcepool.go
index 6923085d6b8f5..f5b0c9b618d32 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourcepool.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourcepool.go
@@ -20,10 +20,34 @@ package v1beta2
 
 // ResourcePoolApplyConfiguration represents a declarative configuration of the ResourcePool type for use
 // with apply.
+//
+// ResourcePool describes the pool that ResourceSlices belong to.
 type ResourcePoolApplyConfiguration struct {
-	Name               *string `json:"name,omitempty"`
-	Generation         *int64  `json:"generation,omitempty"`
-	ResourceSliceCount *int64  `json:"resourceSliceCount,omitempty"`
+	// Name is used to identify the pool. For node-local devices, this
+	// is often the node name, but this is not required.
+	//
+	// It must not be longer than 253 characters and must consist of one or more DNS sub-domains
+	// separated by slashes. This field is immutable.
+	Name *string `json:"name,omitempty"`
+	// Generation tracks the change in a pool over time. Whenever a driver
+	// changes something about one or more of the resources in a pool, it
+	// must change the generation in all ResourceSlices which are part of
+	// that pool. Consumers of ResourceSlices should only consider
+	// resources from the pool with the highest generation number. The
+	// generation may be reset by drivers, which should be fine for
+	// consumers, assuming that all ResourceSlices in a pool are updated to
+	// match or deleted.
+	//
+	// Combined with ResourceSliceCount, this mechanism enables consumers to
+	// detect pools which are comprised of multiple ResourceSlices and are
+	// in an incomplete state.
+	Generation *int64 `json:"generation,omitempty"`
+	// ResourceSliceCount is the total number of ResourceSlices in the pool at this
+	// generation number. Must be greater than zero.
+	//
+	// Consumers can use this to check whether they have seen all ResourceSlices
+	// belonging to the same pool.
+	ResourceSliceCount *int64 `json:"resourceSliceCount,omitempty"`
 }
 
 // ResourcePoolApplyConfiguration constructs a declarative configuration of the ResourcePool type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslice.go
index d62ff1e13fcb6..dbbe7b2ea2c5f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslice.go
@@ -29,10 +29,39 @@ import (
 
 // ResourceSliceApplyConfiguration represents a declarative configuration of the ResourceSlice type for use
 // with apply.
+//
+// ResourceSlice represents one or more resources in a pool of similar resources,
+// managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many
+// ResourceSlices comprise a pool is determined by the driver.
+//
+// At the moment, the only supported resources are devices with attributes and capacities.
+// Each device in a given pool, regardless of how many ResourceSlices, must have a unique name.
+// The ResourceSlice in which a device gets published may change over time. The unique identifier
+// for a device is the tuple <driver name>, <pool name>, <device name>.
+//
+// Whenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number
+// and updates all ResourceSlices with that new number and new resource definitions. A consumer
+// must only use ResourceSlices with the highest generation number and ignore all others.
+//
+// When allocating all resources in a pool matching certain criteria or when
+// looking for the best solution among several different alternatives, a
+// consumer should check the number of ResourceSlices in a pool (included in
+// each ResourceSlice) to determine whether its view of a pool is complete and
+// if not, should wait until the driver has completed updating the pool.
+//
+// For resources that are not local to a node, the node name is not set. Instead,
+// the driver may use a node selector to specify where the devices are available.
+//
+// This is an alpha type and requires enabling the DynamicResourceAllocation
+// feature gate.
 type ResourceSliceApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
+	// Contains the information published by the driver.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec *ResourceSliceSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ResourceSlice constructs a declarative configuration of the ResourceSlice type for use with
@@ -45,29 +74,14 @@ func ResourceSlice(name string) *ResourceSliceApplyConfiguration {
 	return b
 }
 
-// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
-// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
-// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractResourceSliceFrom extracts the applied configuration owned by fieldManager from
+// resourceSlice for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
-// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractResourceSliceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractResourceSlice(resourceSlice *resourcev1beta2.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "")
-}
-
-// ExtractResourceSliceStatus is the same as ExtractResourceSlice except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractResourceSliceStatus(resourceSlice *resourcev1beta2.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
-	return extractResourceSlice(resourceSlice, fieldManager, "status")
-}
-
-func extractResourceSlice(resourceSlice *resourcev1beta2.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
+func ExtractResourceSliceFrom(resourceSlice *resourcev1beta2.ResourceSlice, fieldManager string, subresource string) (*ResourceSliceApplyConfiguration, error) {
 	b := &ResourceSliceApplyConfiguration{}
 	err := managedfields.ExtractInto(resourceSlice, internal.Parser().Type("io.k8s.api.resource.v1beta2.ResourceSlice"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +93,21 @@ func extractResourceSlice(resourceSlice *resourcev1beta2.ResourceSlice, fieldMan
 	b.WithAPIVersion("resource.k8s.io/v1beta2")
 	return b, nil
 }
+
+// ExtractResourceSlice extracts the applied configuration owned by fieldManager from
+// resourceSlice. If no managedFields are found in resourceSlice for fieldManager, a
+// ResourceSliceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// resourceSlice must be a unmodified ResourceSlice API object that was retrieved from the Kubernetes API.
+// ExtractResourceSlice provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractResourceSlice(resourceSlice *resourcev1beta2.ResourceSlice, fieldManager string) (*ResourceSliceApplyConfiguration, error) {
+	return ExtractResourceSliceFrom(resourceSlice, fieldManager, "")
+}
+
 func (b ResourceSliceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslicespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslicespec.go
index 5a000829f986f..2efc7d07509bf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslicespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta2/resourceslicespec.go
@@ -24,15 +24,64 @@ import (
 
 // ResourceSliceSpecApplyConfiguration represents a declarative configuration of the ResourceSliceSpec type for use
 // with apply.
+//
+// ResourceSliceSpec contains the information published by the driver in one ResourceSlice.
 type ResourceSliceSpecApplyConfiguration struct {
-	Driver                 *string                            `json:"driver,omitempty"`
-	Pool                   *ResourcePoolApplyConfiguration    `json:"pool,omitempty"`
-	NodeName               *string                            `json:"nodeName,omitempty"`
-	NodeSelector           *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
-	AllNodes               *bool                              `json:"allNodes,omitempty"`
-	Devices                []DeviceApplyConfiguration         `json:"devices,omitempty"`
-	PerDeviceNodeSelection *bool                              `json:"perDeviceNodeSelection,omitempty"`
-	SharedCounters         []CounterSetApplyConfiguration     `json:"sharedCounters,omitempty"`
+	// Driver identifies the DRA driver providing the capacity information.
+	// A field selector can be used to list only ResourceSlice
+	// objects with a certain driver name.
+	//
+	// Must be a DNS subdomain and should end with a DNS domain owned by the
+	// vendor of the driver. It should use only lower case characters.
+	// This field is immutable.
+	Driver *string `json:"driver,omitempty"`
+	// Pool describes the pool that this ResourceSlice belongs to.
+	Pool *ResourcePoolApplyConfiguration `json:"pool,omitempty"`
+	// NodeName identifies the node which provides the resources in this pool.
+	// A field selector can be used to list only ResourceSlice
+	// objects belonging to a certain node.
+	//
+	// This field can be used to limit access from nodes to ResourceSlices with
+	// the same node name. It also indicates to autoscalers that adding
+	// new nodes of the same type as some old node might also make new
+	// resources available.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	// This field is immutable.
+	NodeName *string `json:"nodeName,omitempty"`
+	// NodeSelector defines which nodes have access to the resources in the pool,
+	// when that pool is not limited to a single node.
+	//
+	// Must use exactly one term.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	NodeSelector *v1.NodeSelectorApplyConfiguration `json:"nodeSelector,omitempty"`
+	// AllNodes indicates that all nodes have access to the resources in the pool.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	AllNodes *bool `json:"allNodes,omitempty"`
+	// Devices lists some or all of the devices in this pool.
+	//
+	// Must not have more than 128 entries. If any device uses taints or consumes counters the limit is 64.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	Devices []DeviceApplyConfiguration `json:"devices,omitempty"`
+	// PerDeviceNodeSelection defines whether the access from nodes to
+	// resources in the pool is set on the ResourceSlice level or on each
+	// device. If it is set to true, every device defined the ResourceSlice
+	// must specify this individually.
+	//
+	// Exactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.
+	PerDeviceNodeSelection *bool `json:"perDeviceNodeSelection,omitempty"`
+	// SharedCounters defines a list of counter sets, each of which
+	// has a name and a list of counters available.
+	//
+	// The names of the counter sets must be unique in the ResourcePool.
+	//
+	// Only one of Devices and SharedCounters can be set in a ResourceSlice.
+	//
+	// The maximum number of counter sets is 8.
+	SharedCounters []CounterSetApplyConfiguration `json:"sharedCounters,omitempty"`
 }
 
 // ResourceSliceSpecApplyConfiguration constructs a declarative configuration of the ResourceSliceSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1/priorityclass.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1/priorityclass.go
index 907a15014231c..4056dcdd2fcbd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1/priorityclass.go
@@ -30,13 +30,30 @@ import (
 
 // PriorityClassApplyConfiguration represents a declarative configuration of the PriorityClass type for use
 // with apply.
+//
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
 type PriorityClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Value                                *int32                   `json:"value,omitempty"`
-	GlobalDefault                        *bool                    `json:"globalDefault,omitempty"`
-	Description                          *string                  `json:"description,omitempty"`
-	PreemptionPolicy                     *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
+	// value represents the integer value of this priority class. This is the actual priority that pods
+	// receive when they have the name of this class in their pod spec.
+	Value *int32 `json:"value,omitempty"`
+	// globalDefault specifies whether this PriorityClass should be considered as
+	// the default priority for pods that do not have any priority class.
+	// Only one PriorityClass can be marked as `globalDefault`. However, if more than
+	// one PriorityClasses exists with their `globalDefault` field set to true,
+	// the smallest value of such global default PriorityClasses will be used as the default priority.
+	GlobalDefault *bool `json:"globalDefault,omitempty"`
+	// description is an arbitrary string that usually provides guidelines on
+	// when this priority class should be used.
+	Description *string `json:"description,omitempty"`
+	// preemptionPolicy is the Policy for preempting pods with lower priority.
+	// One of Never, PreemptLowerPriority.
+	// Defaults to PreemptLowerPriority if unset.
+	PreemptionPolicy *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
 }
 
 // PriorityClass constructs a declarative configuration of the PriorityClass type for use with
@@ -49,29 +66,14 @@ func PriorityClass(name string) *PriorityClassApplyConfiguration {
 	return b
 }
 
-// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
-// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
-// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractPriorityClassFrom extracts the applied configuration owned by fieldManager from
+// priorityClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
-// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractPriorityClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractPriorityClass(priorityClass *schedulingv1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "")
-}
-
-// ExtractPriorityClassStatus is the same as ExtractPriorityClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPriorityClassStatus(priorityClass *schedulingv1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "status")
-}
-
-func extractPriorityClass(priorityClass *schedulingv1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
+func ExtractPriorityClassFrom(priorityClass *schedulingv1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
 	b := &PriorityClassApplyConfiguration{}
 	err := managedfields.ExtractInto(priorityClass, internal.Parser().Type("io.k8s.api.scheduling.v1.PriorityClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +85,21 @@ func extractPriorityClass(priorityClass *schedulingv1.PriorityClass, fieldManage
 	b.WithAPIVersion("scheduling.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
+// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
+// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
+// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityClass(priorityClass *schedulingv1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
+	return ExtractPriorityClassFrom(priorityClass, fieldManager, "")
+}
+
 func (b PriorityClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/gangschedulingpolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/gangschedulingpolicy.go
new file mode 100644
index 0000000000000..6bf41585cfb0e
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/gangschedulingpolicy.go
@@ -0,0 +1,44 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// GangSchedulingPolicyApplyConfiguration represents a declarative configuration of the GangSchedulingPolicy type for use
+// with apply.
+//
+// GangSchedulingPolicy defines the parameters for gang scheduling.
+type GangSchedulingPolicyApplyConfiguration struct {
+	// MinCount is the minimum number of pods that must be schedulable or scheduled
+	// at the same time for the scheduler to admit the entire group.
+	// It must be a positive integer.
+	MinCount *int32 `json:"minCount,omitempty"`
+}
+
+// GangSchedulingPolicyApplyConfiguration constructs a declarative configuration of the GangSchedulingPolicy type for use with
+// apply.
+func GangSchedulingPolicy() *GangSchedulingPolicyApplyConfiguration {
+	return &GangSchedulingPolicyApplyConfiguration{}
+}
+
+// WithMinCount sets the MinCount field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MinCount field is set to the value of the last call.
+func (b *GangSchedulingPolicyApplyConfiguration) WithMinCount(value int32) *GangSchedulingPolicyApplyConfiguration {
+	b.MinCount = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgroup.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgroup.go
new file mode 100644
index 0000000000000..b1ce26179a872
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgroup.go
@@ -0,0 +1,53 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// PodGroupApplyConfiguration represents a declarative configuration of the PodGroup type for use
+// with apply.
+//
+// PodGroup represents a set of pods with a common scheduling policy.
+type PodGroupApplyConfiguration struct {
+	// Name is a unique identifier for the PodGroup within the Workload.
+	// It must be a DNS label. This field is immutable.
+	Name *string `json:"name,omitempty"`
+	// Policy defines the scheduling policy for this PodGroup.
+	Policy *PodGroupPolicyApplyConfiguration `json:"policy,omitempty"`
+}
+
+// PodGroupApplyConfiguration constructs a declarative configuration of the PodGroup type for use with
+// apply.
+func PodGroup() *PodGroupApplyConfiguration {
+	return &PodGroupApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PodGroupApplyConfiguration) WithName(value string) *PodGroupApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithPolicy sets the Policy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Policy field is set to the value of the last call.
+func (b *PodGroupApplyConfiguration) WithPolicy(value *PodGroupPolicyApplyConfiguration) *PodGroupApplyConfiguration {
+	b.Policy = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgrouppolicy.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgrouppolicy.go
new file mode 100644
index 0000000000000..d73c5e44095c3
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/podgrouppolicy.go
@@ -0,0 +1,58 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+)
+
+// PodGroupPolicyApplyConfiguration represents a declarative configuration of the PodGroupPolicy type for use
+// with apply.
+//
+// PodGroupPolicy defines the scheduling configuration for a PodGroup.
+type PodGroupPolicyApplyConfiguration struct {
+	// Basic specifies that the pods in this group should be scheduled using
+	// standard Kubernetes scheduling behavior.
+	Basic *schedulingv1alpha1.BasicSchedulingPolicy `json:"basic,omitempty"`
+	// Gang specifies that the pods in this group should be scheduled using
+	// all-or-nothing semantics.
+	Gang *GangSchedulingPolicyApplyConfiguration `json:"gang,omitempty"`
+}
+
+// PodGroupPolicyApplyConfiguration constructs a declarative configuration of the PodGroupPolicy type for use with
+// apply.
+func PodGroupPolicy() *PodGroupPolicyApplyConfiguration {
+	return &PodGroupPolicyApplyConfiguration{}
+}
+
+// WithBasic sets the Basic field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Basic field is set to the value of the last call.
+func (b *PodGroupPolicyApplyConfiguration) WithBasic(value schedulingv1alpha1.BasicSchedulingPolicy) *PodGroupPolicyApplyConfiguration {
+	b.Basic = &value
+	return b
+}
+
+// WithGang sets the Gang field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Gang field is set to the value of the last call.
+func (b *PodGroupPolicyApplyConfiguration) WithGang(value *GangSchedulingPolicyApplyConfiguration) *PodGroupPolicyApplyConfiguration {
+	b.Gang = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/priorityclass.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/priorityclass.go
index e658b1195db58..1735a6deae51e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/priorityclass.go
@@ -30,13 +30,31 @@ import (
 
 // PriorityClassApplyConfiguration represents a declarative configuration of the PriorityClass type for use
 // with apply.
+//
+// DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass.
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
 type PriorityClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Value                            *int32                   `json:"value,omitempty"`
-	GlobalDefault                    *bool                    `json:"globalDefault,omitempty"`
-	Description                      *string                  `json:"description,omitempty"`
-	PreemptionPolicy                 *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
+	// value represents the integer value of this priority class. This is the actual priority that pods
+	// receive when they have the name of this class in their pod spec.
+	Value *int32 `json:"value,omitempty"`
+	// globalDefault specifies whether this PriorityClass should be considered as
+	// the default priority for pods that do not have any priority class.
+	// Only one PriorityClass can be marked as `globalDefault`. However, if more than
+	// one PriorityClasses exists with their `globalDefault` field set to true,
+	// the smallest value of such global default PriorityClasses will be used as the default priority.
+	GlobalDefault *bool `json:"globalDefault,omitempty"`
+	// description is an arbitrary string that usually provides guidelines on
+	// when this priority class should be used.
+	Description *string `json:"description,omitempty"`
+	// preemptionPolicy is the Policy for preempting pods with lower priority.
+	// One of Never, PreemptLowerPriority.
+	// Defaults to PreemptLowerPriority if unset.
+	PreemptionPolicy *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
 }
 
 // PriorityClass constructs a declarative configuration of the PriorityClass type for use with
@@ -49,29 +67,14 @@ func PriorityClass(name string) *PriorityClassApplyConfiguration {
 	return b
 }
 
-// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
-// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
-// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractPriorityClassFrom extracts the applied configuration owned by fieldManager from
+// priorityClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
-// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractPriorityClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractPriorityClass(priorityClass *schedulingv1alpha1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "")
-}
-
-// ExtractPriorityClassStatus is the same as ExtractPriorityClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPriorityClassStatus(priorityClass *schedulingv1alpha1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "status")
-}
-
-func extractPriorityClass(priorityClass *schedulingv1alpha1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
+func ExtractPriorityClassFrom(priorityClass *schedulingv1alpha1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
 	b := &PriorityClassApplyConfiguration{}
 	err := managedfields.ExtractInto(priorityClass, internal.Parser().Type("io.k8s.api.scheduling.v1alpha1.PriorityClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +86,21 @@ func extractPriorityClass(priorityClass *schedulingv1alpha1.PriorityClass, field
 	b.WithAPIVersion("scheduling.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
+// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
+// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
+// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityClass(priorityClass *schedulingv1alpha1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
+	return ExtractPriorityClassFrom(priorityClass, fieldManager, "")
+}
+
 func (b PriorityClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/typedlocalobjectreference.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/typedlocalobjectreference.go
new file mode 100644
index 0000000000000..73c11c884e86a
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/typedlocalobjectreference.go
@@ -0,0 +1,67 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// TypedLocalObjectReferenceApplyConfiguration represents a declarative configuration of the TypedLocalObjectReference type for use
+// with apply.
+//
+// TypedLocalObjectReference allows to reference typed object inside the same namespace.
+type TypedLocalObjectReferenceApplyConfiguration struct {
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is empty, the specified Kind must be in the core API group.
+	// For any other third-party types, setting APIGroup is required.
+	// It must be a DNS subdomain.
+	APIGroup *string `json:"apiGroup,omitempty"`
+	// Kind is the type of resource being referenced.
+	// It must be a path segment name.
+	Kind *string `json:"kind,omitempty"`
+	// Name is the name of resource being referenced.
+	// It must be a path segment name.
+	Name *string `json:"name,omitempty"`
+}
+
+// TypedLocalObjectReferenceApplyConfiguration constructs a declarative configuration of the TypedLocalObjectReference type for use with
+// apply.
+func TypedLocalObjectReference() *TypedLocalObjectReferenceApplyConfiguration {
+	return &TypedLocalObjectReferenceApplyConfiguration{}
+}
+
+// WithAPIGroup sets the APIGroup field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIGroup field is set to the value of the last call.
+func (b *TypedLocalObjectReferenceApplyConfiguration) WithAPIGroup(value string) *TypedLocalObjectReferenceApplyConfiguration {
+	b.APIGroup = &value
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *TypedLocalObjectReferenceApplyConfiguration) WithKind(value string) *TypedLocalObjectReferenceApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *TypedLocalObjectReferenceApplyConfiguration) WithName(value string) *TypedLocalObjectReferenceApplyConfiguration {
+	b.Name = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workload.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workload.go
new file mode 100644
index 0000000000000..6530899aee330
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workload.go
@@ -0,0 +1,279 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// WorkloadApplyConfiguration represents a declarative configuration of the Workload type for use
+// with apply.
+//
+// Workload allows for expressing scheduling constraints that should be used
+// when managing lifecycle of workloads from scheduling perspective,
+// including scheduling, preemption, eviction and other phases.
+type WorkloadApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// Name must be a DNS subdomain.
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// Spec defines the desired behavior of a Workload.
+	Spec *WorkloadSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// Workload constructs a declarative configuration of the Workload type for use with
+// apply.
+func Workload(name, namespace string) *WorkloadApplyConfiguration {
+	b := &WorkloadApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("Workload")
+	b.WithAPIVersion("scheduling.k8s.io/v1alpha1")
+	return b
+}
+
+// ExtractWorkloadFrom extracts the applied configuration owned by fieldManager from
+// workload for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// workload must be a unmodified Workload API object that was retrieved from the Kubernetes API.
+// ExtractWorkloadFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractWorkloadFrom(workload *schedulingv1alpha1.Workload, fieldManager string, subresource string) (*WorkloadApplyConfiguration, error) {
+	b := &WorkloadApplyConfiguration{}
+	err := managedfields.ExtractInto(workload, internal.Parser().Type("io.k8s.api.scheduling.v1alpha1.Workload"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(workload.Name)
+	b.WithNamespace(workload.Namespace)
+
+	b.WithKind("Workload")
+	b.WithAPIVersion("scheduling.k8s.io/v1alpha1")
+	return b, nil
+}
+
+// ExtractWorkload extracts the applied configuration owned by fieldManager from
+// workload. If no managedFields are found in workload for fieldManager, a
+// WorkloadApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// workload must be a unmodified Workload API object that was retrieved from the Kubernetes API.
+// ExtractWorkload provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractWorkload(workload *schedulingv1alpha1.Workload, fieldManager string) (*WorkloadApplyConfiguration, error) {
+	return ExtractWorkloadFrom(workload, fieldManager, "")
+}
+
+func (b WorkloadApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithKind(value string) *WorkloadApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithAPIVersion(value string) *WorkloadApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithName(value string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithGenerateName(value string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithNamespace(value string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithUID(value types.UID) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithResourceVersion(value string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithGeneration(value int64) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithCreationTimestamp(value metav1.Time) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *WorkloadApplyConfiguration) WithLabels(entries map[string]string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *WorkloadApplyConfiguration) WithAnnotations(entries map[string]string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *WorkloadApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *WorkloadApplyConfiguration) WithFinalizers(values ...string) *WorkloadApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *WorkloadApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *WorkloadApplyConfiguration) WithSpec(value *WorkloadSpecApplyConfiguration) *WorkloadApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *WorkloadApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *WorkloadApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *WorkloadApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *WorkloadApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workloadspec.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workloadspec.go
new file mode 100644
index 0000000000000..1ceb9210db1ce
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1alpha1/workloadspec.go
@@ -0,0 +1,61 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// WorkloadSpecApplyConfiguration represents a declarative configuration of the WorkloadSpec type for use
+// with apply.
+//
+// WorkloadSpec defines the desired state of a Workload.
+type WorkloadSpecApplyConfiguration struct {
+	// ControllerRef is an optional reference to the controlling object, such as a
+	// Deployment or Job. This field is intended for use by tools like CLIs
+	// to provide a link back to the original workload definition.
+	// When set, it cannot be changed.
+	ControllerRef *TypedLocalObjectReferenceApplyConfiguration `json:"controllerRef,omitempty"`
+	// PodGroups is the list of pod groups that make up the Workload.
+	// The maximum number of pod groups is 8. This field is immutable.
+	PodGroups []PodGroupApplyConfiguration `json:"podGroups,omitempty"`
+}
+
+// WorkloadSpecApplyConfiguration constructs a declarative configuration of the WorkloadSpec type for use with
+// apply.
+func WorkloadSpec() *WorkloadSpecApplyConfiguration {
+	return &WorkloadSpecApplyConfiguration{}
+}
+
+// WithControllerRef sets the ControllerRef field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ControllerRef field is set to the value of the last call.
+func (b *WorkloadSpecApplyConfiguration) WithControllerRef(value *TypedLocalObjectReferenceApplyConfiguration) *WorkloadSpecApplyConfiguration {
+	b.ControllerRef = value
+	return b
+}
+
+// WithPodGroups adds the given value to the PodGroups field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the PodGroups field.
+func (b *WorkloadSpecApplyConfiguration) WithPodGroups(values ...*PodGroupApplyConfiguration) *WorkloadSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithPodGroups")
+		}
+		b.PodGroups = append(b.PodGroups, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1beta1/priorityclass.go b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1beta1/priorityclass.go
index 3b5ad5f911f33..5fab5624ec67f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1beta1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/scheduling/v1beta1/priorityclass.go
@@ -30,13 +30,31 @@ import (
 
 // PriorityClassApplyConfiguration represents a declarative configuration of the PriorityClass type for use
 // with apply.
+//
+// DEPRECATED - This group version of PriorityClass is deprecated by scheduling.k8s.io/v1/PriorityClass.
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
 type PriorityClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Value                            *int32                   `json:"value,omitempty"`
-	GlobalDefault                    *bool                    `json:"globalDefault,omitempty"`
-	Description                      *string                  `json:"description,omitempty"`
-	PreemptionPolicy                 *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
+	// value represents the integer value of this priority class. This is the actual priority that pods
+	// receive when they have the name of this class in their pod spec.
+	Value *int32 `json:"value,omitempty"`
+	// globalDefault specifies whether this PriorityClass should be considered as
+	// the default priority for pods that do not have any priority class.
+	// Only one PriorityClass can be marked as `globalDefault`. However, if more than
+	// one PriorityClasses exists with their `globalDefault` field set to true,
+	// the smallest value of such global default PriorityClasses will be used as the default priority.
+	GlobalDefault *bool `json:"globalDefault,omitempty"`
+	// description is an arbitrary string that usually provides guidelines on
+	// when this priority class should be used.
+	Description *string `json:"description,omitempty"`
+	// preemptionPolicy is the Policy for preempting pods with lower priority.
+	// One of Never, PreemptLowerPriority.
+	// Defaults to PreemptLowerPriority if unset.
+	PreemptionPolicy *corev1.PreemptionPolicy `json:"preemptionPolicy,omitempty"`
 }
 
 // PriorityClass constructs a declarative configuration of the PriorityClass type for use with
@@ -49,29 +67,14 @@ func PriorityClass(name string) *PriorityClassApplyConfiguration {
 	return b
 }
 
-// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
-// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
-// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractPriorityClassFrom extracts the applied configuration owned by fieldManager from
+// priorityClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
-// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractPriorityClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractPriorityClass(priorityClass *schedulingv1beta1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "")
-}
-
-// ExtractPriorityClassStatus is the same as ExtractPriorityClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractPriorityClassStatus(priorityClass *schedulingv1beta1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
-	return extractPriorityClass(priorityClass, fieldManager, "status")
-}
-
-func extractPriorityClass(priorityClass *schedulingv1beta1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
+func ExtractPriorityClassFrom(priorityClass *schedulingv1beta1.PriorityClass, fieldManager string, subresource string) (*PriorityClassApplyConfiguration, error) {
 	b := &PriorityClassApplyConfiguration{}
 	err := managedfields.ExtractInto(priorityClass, internal.Parser().Type("io.k8s.api.scheduling.v1beta1.PriorityClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -83,6 +86,21 @@ func extractPriorityClass(priorityClass *schedulingv1beta1.PriorityClass, fieldM
 	b.WithAPIVersion("scheduling.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractPriorityClass extracts the applied configuration owned by fieldManager from
+// priorityClass. If no managedFields are found in priorityClass for fieldManager, a
+// PriorityClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// priorityClass must be a unmodified PriorityClass API object that was retrieved from the Kubernetes API.
+// ExtractPriorityClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractPriorityClass(priorityClass *schedulingv1beta1.PriorityClass, fieldManager string) (*PriorityClassApplyConfiguration, error) {
+	return ExtractPriorityClassFrom(priorityClass, fieldManager, "")
+}
+
 func (b PriorityClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriver.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriver.go
index 99a8bf393331d..39ce1eb045732 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriver.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriver.go
@@ -29,10 +29,25 @@ import (
 
 // CSIDriverApplyConfiguration represents a declarative configuration of the CSIDriver type for use
 // with apply.
+//
+// CSIDriver captures information about a Container Storage Interface (CSI)
+// volume driver deployed on the cluster.
+// Kubernetes attach detach controller uses this object to determine whether attach is required.
+// Kubelet uses this object to determine whether pod information needs to be passed on mount.
+// CSIDriver objects are non-namespaced.
 type CSIDriverApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// metadata.Name indicates the name of the CSI driver that this object
+	// refers to; it MUST be the same name returned by the CSI GetPluginName()
+	// call for that driver.
+	// The driver name must be 63 characters or less, beginning and ending with
+	// an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
+	// alphanumerics between.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *CSIDriverSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec represents the specification of the CSI Driver.
+	Spec *CSIDriverSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // CSIDriver constructs a declarative configuration of the CSIDriver type for use with
@@ -45,29 +60,14 @@ func CSIDriver(name string) *CSIDriverApplyConfiguration {
 	return b
 }
 
-// ExtractCSIDriver extracts the applied configuration owned by fieldManager from
-// cSIDriver. If no managedFields are found in cSIDriver for fieldManager, a
-// CSIDriverApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSIDriverFrom extracts the applied configuration owned by fieldManager from
+// cSIDriver for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSIDriver must be a unmodified CSIDriver API object that was retrieved from the Kubernetes API.
-// ExtractCSIDriver provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSIDriverFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSIDriver(cSIDriver *storagev1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
-	return extractCSIDriver(cSIDriver, fieldManager, "")
-}
-
-// ExtractCSIDriverStatus is the same as ExtractCSIDriver except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSIDriverStatus(cSIDriver *storagev1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
-	return extractCSIDriver(cSIDriver, fieldManager, "status")
-}
-
-func extractCSIDriver(cSIDriver *storagev1.CSIDriver, fieldManager string, subresource string) (*CSIDriverApplyConfiguration, error) {
+func ExtractCSIDriverFrom(cSIDriver *storagev1.CSIDriver, fieldManager string, subresource string) (*CSIDriverApplyConfiguration, error) {
 	b := &CSIDriverApplyConfiguration{}
 	err := managedfields.ExtractInto(cSIDriver, internal.Parser().Type("io.k8s.api.storage.v1.CSIDriver"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +79,21 @@ func extractCSIDriver(cSIDriver *storagev1.CSIDriver, fieldManager string, subre
 	b.WithAPIVersion("storage.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractCSIDriver extracts the applied configuration owned by fieldManager from
+// cSIDriver. If no managedFields are found in cSIDriver for fieldManager, a
+// CSIDriverApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSIDriver must be a unmodified CSIDriver API object that was retrieved from the Kubernetes API.
+// ExtractCSIDriver provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSIDriver(cSIDriver *storagev1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
+	return ExtractCSIDriverFrom(cSIDriver, fieldManager, "")
+}
+
 func (b CSIDriverApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go
index fc6f2fbf9479e..653329ececb02 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csidriverspec.go
@@ -24,16 +24,160 @@ import (
 
 // CSIDriverSpecApplyConfiguration represents a declarative configuration of the CSIDriverSpec type for use
 // with apply.
+//
+// CSIDriverSpec is the specification of a CSIDriver.
 type CSIDriverSpecApplyConfiguration struct {
-	AttachRequired                     *bool                            `json:"attachRequired,omitempty"`
-	PodInfoOnMount                     *bool                            `json:"podInfoOnMount,omitempty"`
-	VolumeLifecycleModes               []storagev1.VolumeLifecycleMode  `json:"volumeLifecycleModes,omitempty"`
-	StorageCapacity                    *bool                            `json:"storageCapacity,omitempty"`
-	FSGroupPolicy                      *storagev1.FSGroupPolicy         `json:"fsGroupPolicy,omitempty"`
-	TokenRequests                      []TokenRequestApplyConfiguration `json:"tokenRequests,omitempty"`
-	RequiresRepublish                  *bool                            `json:"requiresRepublish,omitempty"`
-	SELinuxMount                       *bool                            `json:"seLinuxMount,omitempty"`
-	NodeAllocatableUpdatePeriodSeconds *int64                           `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+	// attachRequired indicates this CSI volume driver requires an attach
+	// operation (because it implements the CSI ControllerPublishVolume()
+	// method), and that the Kubernetes attach detach controller should call
+	// the attach volume interface which checks the volumeattachment status
+	// and waits until the volume is attached before proceeding to mounting.
+	// The CSI external-attacher coordinates with CSI volume driver and updates
+	// the volumeattachment status when the attach operation is complete.
+	// If the value is specified to false, the attach operation will be skipped.
+	// Otherwise the attach operation will be called.
+	//
+	// This field is immutable.
+	AttachRequired *bool `json:"attachRequired,omitempty"`
+	// podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.)
+	// during mount operations, if set to true.
+	// If set to false, pod information will not be passed on mount.
+	// Default is false.
+	//
+	// The CSI driver specifies podInfoOnMount as part of driver deployment.
+	// If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls.
+	// The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.
+	//
+	// The following VolumeContext will be passed if podInfoOnMount is set to true.
+	// This list might grow, but the prefix will be used.
+	// "csi.storage.k8s.io/pod.name": pod.Name
+	// "csi.storage.k8s.io/pod.namespace": pod.Namespace
+	// "csi.storage.k8s.io/pod.uid": string(pod.UID)
+	// "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+	// defined by a CSIVolumeSource, otherwise "false"
+	//
+	// "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
+	// required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
+	// Other drivers can leave pod info disabled and/or ignore this field.
+	// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
+	// deployed on such a cluster and the deployment determines which mode that is, for example
+	// via a command line parameter of the driver.
+	//
+	// This field was immutable in Kubernetes < 1.29 and now is mutable.
+	PodInfoOnMount *bool `json:"podInfoOnMount,omitempty"`
+	// volumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
+	// The default if the list is empty is "Persistent", which is the usage defined by the
+	// CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
+	//
+	// The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec
+	// with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod.
+	// A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.
+	//
+	// For more information about implementing this mode, see
+	// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
+	// A driver can support one or more of these modes and more modes may be added in the future.
+	//
+	// This field is beta.
+	// This field is immutable.
+	VolumeLifecycleModes []storagev1.VolumeLifecycleMode `json:"volumeLifecycleModes,omitempty"`
+	// storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage
+	// capacity that the driver deployment will report by creating
+	// CSIStorageCapacity objects with capacity information, if set to true.
+	//
+	// The check can be enabled immediately when deploying a driver.
+	// In that case, provisioning new volumes with late binding
+	// will pause until the driver deployment has published
+	// some suitable CSIStorageCapacity object.
+	//
+	// Alternatively, the driver can be deployed with the field
+	// unset or false and it can be flipped later when storage
+	// capacity information has been published.
+	//
+	// This field was immutable in Kubernetes <= 1.22 and now is mutable.
+	StorageCapacity *bool `json:"storageCapacity,omitempty"`
+	// fsGroupPolicy defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	//
+	// This field was immutable in Kubernetes < 1.29 and now is mutable.
+	//
+	// Defaults to ReadWriteOnceWithFSType, which will examine each volume
+	// to determine if Kubernetes should modify ownership and permissions of the volume.
+	// With the default policy the defined fsGroup will only be applied
+	// if a fstype is defined and the volume's access mode contains ReadWriteOnce.
+	FSGroupPolicy *storagev1.FSGroupPolicy `json:"fsGroupPolicy,omitempty"`
+	// tokenRequests indicates the CSI driver needs pods' service account
+	// tokens it is mounting volume for to do necessary authentication. Kubelet
+	// will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
+	// The CSI driver should parse and validate the following VolumeContext:
+	// "csi.storage.k8s.io/serviceAccount.tokens": {
+	// "<audience>": {
+	// "token": <token>,
+	// "expirationTimestamp": <expiration timestamp in RFC3339>,
+	// },
+	// ...
+	// }
+	//
+	// Note: Audience in each TokenRequest should be different and at
+	// most one token is empty string. To receive a new token after expiry,
+	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
+	TokenRequests []TokenRequestApplyConfiguration `json:"tokenRequests,omitempty"`
+	// requiresRepublish indicates the CSI driver wants `NodePublishVolume`
+	// being periodically called to reflect any possible change in the mounted
+	// volume. This field defaults to false.
+	//
+	// Note: After a successful initial NodePublishVolume call, subsequent calls
+	// to NodePublishVolume should only update the contents of the volume. New
+	// mount points will not be seen by a running container.
+	RequiresRepublish *bool `json:"requiresRepublish,omitempty"`
+	// seLinuxMount specifies if the CSI driver supports "-o context"
+	// mount option.
+	//
+	// When "true", the CSI driver must ensure that all volumes provided by this CSI
+	// driver can be mounted separately with different `-o context` options. This is
+	// typical for storage backends that provide volumes as filesystems on block
+	// devices or as independent shared volumes.
+	// Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount
+	// option when mounting a ReadWriteOncePod volume used in Pod that has
+	// explicitly set SELinux context. In the future, it may be expanded to other
+	// volume AccessModes. In any case, Kubernetes will ensure that the volume is
+	// mounted only with a single SELinux context.
+	//
+	// When "false", Kubernetes won't pass any special SELinux mount options to the driver.
+	// This is typical for volumes that represent subdirectories of a bigger shared filesystem.
+	//
+	// Default is "false".
+	SELinuxMount *bool `json:"seLinuxMount,omitempty"`
+	// nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of
+	// the CSINode allocatable capacity for this driver. When set, both periodic updates and
+	// updates triggered by capacity-related failures are enabled. If not set, no updates
+	// occur (neither periodic nor upon detecting capacity-related failures), and the
+	// allocatable.count remains static. The minimum allowed value for this field is 10 seconds.
+	//
+	// This is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.
+	//
+	// This field is mutable.
+	NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+	// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+	// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+	// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+	// field for sensitive information like tokens, which is the appropriate mechanism for
+	// handling credentials. This addresses security concerns where sensitive tokens were being
+	// logged as part of volume context.
+	//
+	// When "true", kubelet will pass the tokens only in the Secrets field with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+	// tokens from the Secrets field instead of VolumeContext.
+	//
+	// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+	// compatibility with existing CSI drivers.
+	//
+	// This field can only be set when TokenRequests is configured. The API server will reject
+	// CSIDriver specs that set this field without TokenRequests.
+	//
+	// Default behavior if unset is to pass tokens in the VolumeContext field.
+	ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
 }
 
 // CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
@@ -120,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
 	b.NodeAllocatableUpdatePeriodSeconds = &value
 	return b
 }
+
+// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
+func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
+	b.ServiceAccountTokenInSecrets = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinode.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinode.go
index 8d141a5250111..e0b7f349e2721 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinode.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinode.go
@@ -29,10 +29,23 @@ import (
 
 // CSINodeApplyConfiguration represents a declarative configuration of the CSINode type for use
 // with apply.
+//
+// CSINode holds information about all CSI drivers installed on a node.
+// CSI drivers do not need to create the CSINode object directly. As long as
+// they use the node-driver-registrar sidecar container, the kubelet will
+// automatically populate the CSINode object for the CSI driver as part of
+// kubelet plugin registration.
+// CSINode has the same name as a node. If the object is missing, it means either
+// there are no CSI Drivers available on the node, or the Kubelet version is low
+// enough that it doesn't create this object.
+// CSINode has an OwnerReference that points to the corresponding node object.
 type CSINodeApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// metadata.name must be the Kubernetes node name.
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *CSINodeSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the specification of CSINode
+	Spec *CSINodeSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // CSINode constructs a declarative configuration of the CSINode type for use with
@@ -45,29 +58,14 @@ func CSINode(name string) *CSINodeApplyConfiguration {
 	return b
 }
 
-// ExtractCSINode extracts the applied configuration owned by fieldManager from
-// cSINode. If no managedFields are found in cSINode for fieldManager, a
-// CSINodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSINodeFrom extracts the applied configuration owned by fieldManager from
+// cSINode for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSINode must be a unmodified CSINode API object that was retrieved from the Kubernetes API.
-// ExtractCSINode provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSINodeFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSINode(cSINode *storagev1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
-	return extractCSINode(cSINode, fieldManager, "")
-}
-
-// ExtractCSINodeStatus is the same as ExtractCSINode except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSINodeStatus(cSINode *storagev1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
-	return extractCSINode(cSINode, fieldManager, "status")
-}
-
-func extractCSINode(cSINode *storagev1.CSINode, fieldManager string, subresource string) (*CSINodeApplyConfiguration, error) {
+func ExtractCSINodeFrom(cSINode *storagev1.CSINode, fieldManager string, subresource string) (*CSINodeApplyConfiguration, error) {
 	b := &CSINodeApplyConfiguration{}
 	err := managedfields.ExtractInto(cSINode, internal.Parser().Type("io.k8s.api.storage.v1.CSINode"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +77,21 @@ func extractCSINode(cSINode *storagev1.CSINode, fieldManager string, subresource
 	b.WithAPIVersion("storage.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractCSINode extracts the applied configuration owned by fieldManager from
+// cSINode. If no managedFields are found in cSINode for fieldManager, a
+// CSINodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSINode must be a unmodified CSINode API object that was retrieved from the Kubernetes API.
+// ExtractCSINode provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSINode(cSINode *storagev1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
+	return ExtractCSINodeFrom(cSINode, fieldManager, "")
+}
+
 func (b CSINodeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodedriver.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodedriver.go
index 8c69e435e7ef7..22492d7ff2491 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodedriver.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodedriver.go
@@ -20,11 +20,37 @@ package v1
 
 // CSINodeDriverApplyConfiguration represents a declarative configuration of the CSINodeDriver type for use
 // with apply.
+//
+// CSINodeDriver holds information about the specification of one CSI driver installed on a node
 type CSINodeDriverApplyConfiguration struct {
-	Name         *string                                `json:"name,omitempty"`
-	NodeID       *string                                `json:"nodeID,omitempty"`
-	TopologyKeys []string                               `json:"topologyKeys,omitempty"`
-	Allocatable  *VolumeNodeResourcesApplyConfiguration `json:"allocatable,omitempty"`
+	// name represents the name of the CSI driver that this object refers to.
+	// This MUST be the same name returned by the CSI GetPluginName() call for
+	// that driver.
+	Name *string `json:"name,omitempty"`
+	// nodeID of the node from the driver point of view.
+	// This field enables Kubernetes to communicate with storage systems that do
+	// not share the same nomenclature for nodes. For example, Kubernetes may
+	// refer to a given node as "node1", but the storage system may refer to
+	// the same node as "nodeA". When Kubernetes issues a command to the storage
+	// system to attach a volume to a specific node, it can use this field to
+	// refer to the node name using the ID that the storage system will
+	// understand, e.g. "nodeA" instead of "node1". This field is required.
+	NodeID *string `json:"nodeID,omitempty"`
+	// topologyKeys is the list of keys supported by the driver.
+	// When a driver is initialized on a cluster, it provides a set of topology
+	// keys that it understands (e.g. "company.com/zone", "company.com/region").
+	// When a driver is initialized on a node, it provides the same topology keys
+	// along with values. Kubelet will expose these topology keys as labels
+	// on its own node object.
+	// When Kubernetes does topology aware provisioning, it can use this list to
+	// determine which labels it should retrieve from the node object and pass
+	// back to the driver.
+	// It is possible for different nodes to use different topology keys.
+	// This can be empty if driver does not support topology.
+	TopologyKeys []string `json:"topologyKeys,omitempty"`
+	// allocatable represents the volume resources of a node that are available for scheduling.
+	// This field is beta.
+	Allocatable *VolumeNodeResourcesApplyConfiguration `json:"allocatable,omitempty"`
 }
 
 // CSINodeDriverApplyConfiguration constructs a declarative configuration of the CSINodeDriver type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodespec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodespec.go
index 21d3ba7cccf8c..2b1753d7981b7 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csinodespec.go
@@ -20,7 +20,11 @@ package v1
 
 // CSINodeSpecApplyConfiguration represents a declarative configuration of the CSINodeSpec type for use
 // with apply.
+//
+// CSINodeSpec holds information about the specification of all CSI drivers installed on a node
 type CSINodeSpecApplyConfiguration struct {
+	// drivers is a list of information of all CSI Drivers existing on a node.
+	// If all drivers in the list are uninstalled, this can become empty.
 	Drivers []CSINodeDriverApplyConfiguration `json:"drivers,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csistoragecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csistoragecapacity.go
index 9a5c41c601e85..8682c4349ffdd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/csistoragecapacity.go
@@ -30,13 +30,76 @@ import (
 
 // CSIStorageCapacityApplyConfiguration represents a declarative configuration of the CSIStorageCapacity type for use
 // with apply.
+//
+// CSIStorageCapacity stores the result of one CSI GetCapacity call.
+// For a given StorageClass, this describes the available capacity in a
+// particular topology segment.  This can be used when considering where to
+// instantiate new PersistentVolumes.
+//
+// For example this can express things like:
+// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
+// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+//
+// The following three cases all imply that no capacity is available for
+// a certain combination:
+// - no object exists with suitable topology and storage class name
+// - such an object exists, but the capacity is unset
+// - such an object exists, but the capacity is zero
+//
+// The producer of these objects can decide which approach is more suitable.
+//
+// They are consumed by the kube-scheduler when a CSI driver opts into
+// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler
+// compares the MaximumVolumeSize against the requested size of pending volumes
+// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back
+// to a comparison against the less precise Capacity. If that is also unset,
+// the scheduler assumes that capacity is insufficient and tries some other
+// node.
 type CSIStorageCapacityApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters).
+	// To ensure that there are no conflicts with other CSI drivers on the cluster,
+	// the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name
+	// which ends with the unique CSI driver name.
+	//
+	// Objects are namespaced.
+	//
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	NodeTopology                         *metav1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
-	StorageClassName                     *string                                 `json:"storageClassName,omitempty"`
-	Capacity                             *resource.Quantity                      `json:"capacity,omitempty"`
-	MaximumVolumeSize                    *resource.Quantity                      `json:"maximumVolumeSize,omitempty"`
+	// nodeTopology defines which nodes have access to the storage
+	// for which capacity was reported. If not set, the storage is
+	// not accessible from any node in the cluster. If empty, the
+	// storage is accessible from all nodes. This field is
+	// immutable.
+	NodeTopology *metav1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
+	// storageClassName represents the name of the StorageClass that the reported capacity applies to.
+	// It must meet the same requirements as the name of a StorageClass
+	// object (non-empty, DNS subdomain). If that object no longer exists,
+	// the CSIStorageCapacity object is obsolete and should be removed by its
+	// creator.
+	// This field is immutable.
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// capacity is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// The semantic is currently (CSI spec 1.2) defined as:
+	// The available capacity, in bytes, of the storage that can be used
+	// to provision volumes. If not set, that information is currently
+	// unavailable.
+	Capacity *resource.Quantity `json:"capacity,omitempty"`
+	// maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// This is defined since CSI spec 1.4.0 as the largest size
+	// that may be used in a
+	// CreateVolumeRequest.capacity_range.required_bytes field to
+	// create a volume with the same parameters as those in
+	// GetCapacityRequest. The corresponding value in the Kubernetes
+	// API is ResourceRequirements.Requests in a volume claim.
+	MaximumVolumeSize *resource.Quantity `json:"maximumVolumeSize,omitempty"`
 }
 
 // CSIStorageCapacity constructs a declarative configuration of the CSIStorageCapacity type for use with
@@ -50,29 +113,14 @@ func CSIStorageCapacity(name, namespace string) *CSIStorageCapacityApplyConfigur
 	return b
 }
 
-// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
-// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
-// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSIStorageCapacityFrom extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
-// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSIStorageCapacityFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "")
-}
-
-// ExtractCSIStorageCapacityStatus is the same as ExtractCSIStorageCapacity except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSIStorageCapacityStatus(cSIStorageCapacity *storagev1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "status")
-}
-
-func extractCSIStorageCapacity(cSIStorageCapacity *storagev1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
+func ExtractCSIStorageCapacityFrom(cSIStorageCapacity *storagev1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
 	b := &CSIStorageCapacityApplyConfiguration{}
 	err := managedfields.ExtractInto(cSIStorageCapacity, internal.Parser().Type("io.k8s.api.storage.v1.CSIStorageCapacity"), fieldManager, b, subresource)
 	if err != nil {
@@ -85,6 +133,21 @@ func extractCSIStorageCapacity(cSIStorageCapacity *storagev1.CSIStorageCapacity,
 	b.WithAPIVersion("storage.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
+// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
+// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
+	return ExtractCSIStorageCapacityFrom(cSIStorageCapacity, fieldManager, "")
+}
+
 func (b CSIStorageCapacityApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/storageclass.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/storageclass.go
index 0e6c9fbed3f27..766b795c47896 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/storageclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/storageclass.go
@@ -31,16 +31,40 @@ import (
 
 // StorageClassApplyConfiguration represents a declarative configuration of the StorageClass type for use
 // with apply.
+//
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+//
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
 type StorageClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Provisioner                          *string                                                            `json:"provisioner,omitempty"`
-	Parameters                           map[string]string                                                  `json:"parameters,omitempty"`
-	ReclaimPolicy                        *corev1.PersistentVolumeReclaimPolicy                              `json:"reclaimPolicy,omitempty"`
-	MountOptions                         []string                                                           `json:"mountOptions,omitempty"`
-	AllowVolumeExpansion                 *bool                                                              `json:"allowVolumeExpansion,omitempty"`
-	VolumeBindingMode                    *storagev1.VolumeBindingMode                                       `json:"volumeBindingMode,omitempty"`
-	AllowedTopologies                    []applyconfigurationscorev1.TopologySelectorTermApplyConfiguration `json:"allowedTopologies,omitempty"`
+	// provisioner indicates the type of the provisioner.
+	Provisioner *string `json:"provisioner,omitempty"`
+	// parameters holds the parameters for the provisioner that should
+	// create volumes of this storage class.
+	Parameters map[string]string `json:"parameters,omitempty"`
+	// reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class.
+	// Defaults to Delete.
+	ReclaimPolicy *corev1.PersistentVolumeReclaimPolicy `json:"reclaimPolicy,omitempty"`
+	// mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class.
+	// e.g. ["ro", "soft"]. Not validated -
+	// mount of the PVs will simply fail if one is invalid.
+	MountOptions []string `json:"mountOptions,omitempty"`
+	// allowVolumeExpansion shows whether the storage class allow volume expand.
+	AllowVolumeExpansion *bool `json:"allowVolumeExpansion,omitempty"`
+	// volumeBindingMode indicates how PersistentVolumeClaims should be
+	// provisioned and bound.  When unset, VolumeBindingImmediate is used.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	VolumeBindingMode *storagev1.VolumeBindingMode `json:"volumeBindingMode,omitempty"`
+	// allowedTopologies restrict the node topologies where volumes can be dynamically provisioned.
+	// Each volume plugin defines its own supported topology specifications.
+	// An empty TopologySelectorTerm list means there is no topology restriction.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	AllowedTopologies []applyconfigurationscorev1.TopologySelectorTermApplyConfiguration `json:"allowedTopologies,omitempty"`
 }
 
 // StorageClass constructs a declarative configuration of the StorageClass type for use with
@@ -53,29 +77,14 @@ func StorageClass(name string) *StorageClassApplyConfiguration {
 	return b
 }
 
-// ExtractStorageClass extracts the applied configuration owned by fieldManager from
-// storageClass. If no managedFields are found in storageClass for fieldManager, a
-// StorageClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractStorageClassFrom extracts the applied configuration owned by fieldManager from
+// storageClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // storageClass must be a unmodified StorageClass API object that was retrieved from the Kubernetes API.
-// ExtractStorageClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractStorageClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStorageClass(storageClass *storagev1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
-	return extractStorageClass(storageClass, fieldManager, "")
-}
-
-// ExtractStorageClassStatus is the same as ExtractStorageClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStorageClassStatus(storageClass *storagev1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
-	return extractStorageClass(storageClass, fieldManager, "status")
-}
-
-func extractStorageClass(storageClass *storagev1.StorageClass, fieldManager string, subresource string) (*StorageClassApplyConfiguration, error) {
+func ExtractStorageClassFrom(storageClass *storagev1.StorageClass, fieldManager string, subresource string) (*StorageClassApplyConfiguration, error) {
 	b := &StorageClassApplyConfiguration{}
 	err := managedfields.ExtractInto(storageClass, internal.Parser().Type("io.k8s.api.storage.v1.StorageClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -87,6 +96,21 @@ func extractStorageClass(storageClass *storagev1.StorageClass, fieldManager stri
 	b.WithAPIVersion("storage.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractStorageClass extracts the applied configuration owned by fieldManager from
+// storageClass. If no managedFields are found in storageClass for fieldManager, a
+// StorageClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// storageClass must be a unmodified StorageClass API object that was retrieved from the Kubernetes API.
+// ExtractStorageClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageClass(storageClass *storagev1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
+	return ExtractStorageClassFrom(storageClass, fieldManager, "")
+}
+
 func (b StorageClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/tokenrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/tokenrequest.go
index 77b96db2f05ab..a4558aa4a4f8f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/tokenrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/tokenrequest.go
@@ -20,9 +20,15 @@ package v1
 
 // TokenRequestApplyConfiguration represents a declarative configuration of the TokenRequest type for use
 // with apply.
+//
+// TokenRequest contains parameters of a service account token.
 type TokenRequestApplyConfiguration struct {
-	Audience          *string `json:"audience,omitempty"`
-	ExpirationSeconds *int64  `json:"expirationSeconds,omitempty"`
+	// audience is the intended audience of the token in "TokenRequestSpec".
+	// It will default to the audiences of kube apiserver.
+	Audience *string `json:"audience,omitempty"`
+	// expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
+	// It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
+	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
 }
 
 // TokenRequestApplyConfiguration constructs a declarative configuration of the TokenRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachment.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachment.go
index a7c0a24f84a3e..6240421803a53 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachment.go
@@ -29,11 +29,23 @@ import (
 
 // VolumeAttachmentApplyConfiguration represents a declarative configuration of the VolumeAttachment type for use
 // with apply.
+//
+// VolumeAttachment captures the intent to attach or detach the specified volume
+// to/from the specified node.
+//
+// VolumeAttachment objects are non-namespaced.
 type VolumeAttachmentApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *VolumeAttachmentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
+	// spec represents specification of the desired attach/detach volume behavior.
+	// Populated by the Kubernetes system.
+	Spec *VolumeAttachmentSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents status of the VolumeAttachment request.
+	// Populated by the entity completing the attach or detach
+	// operation, i.e. the external-attacher.
+	Status *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // VolumeAttachment constructs a declarative configuration of the VolumeAttachment type for use with
@@ -46,6 +58,26 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 	return b
 }
 
+// ExtractVolumeAttachmentFrom extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// volumeAttachment must be a unmodified VolumeAttachment API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttachmentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttachmentFrom(volumeAttachment *storagev1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
+	b := &VolumeAttachmentApplyConfiguration{}
+	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1.VolumeAttachment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(volumeAttachment.Name)
+
+	b.WithKind("VolumeAttachment")
+	b.WithAPIVersion("storage.k8s.io/v1")
+	return b, nil
+}
+
 // ExtractVolumeAttachment extracts the applied configuration owned by fieldManager from
 // volumeAttachment. If no managedFields are found in volumeAttachment for fieldManager, a
 // VolumeAttachmentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +88,16 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 // ExtractVolumeAttachment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractVolumeAttachment(volumeAttachment *storagev1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "")
 }
 
-// ExtractVolumeAttachmentStatus is the same as ExtractVolumeAttachment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractVolumeAttachmentStatus extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the status subresource.
 func ExtractVolumeAttachmentStatus(volumeAttachment *storagev1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "status")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "status")
 }
 
-func extractVolumeAttachment(volumeAttachment *storagev1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
-	b := &VolumeAttachmentApplyConfiguration{}
-	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1.VolumeAttachment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(volumeAttachment.Name)
-
-	b.WithKind("VolumeAttachment")
-	b.WithAPIVersion("storage.k8s.io/v1")
-	return b, nil
-}
 func (b VolumeAttachmentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentsource.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentsource.go
index 1c865c001f339..328312615614a 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentsource.go
@@ -24,9 +24,21 @@ import (
 
 // VolumeAttachmentSourceApplyConfiguration represents a declarative configuration of the VolumeAttachmentSource type for use
 // with apply.
+//
+// VolumeAttachmentSource represents a volume that should be attached.
+// Right now only PersistentVolumes can be attached via external attacher,
+// in the future we may allow also inline volumes in pods.
+// Exactly one member can be set.
 type VolumeAttachmentSourceApplyConfiguration struct {
-	PersistentVolumeName *string                                        `json:"persistentVolumeName,omitempty"`
-	InlineVolumeSpec     *corev1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
+	// persistentVolumeName represents the name of the persistent volume to attach.
+	PersistentVolumeName *string `json:"persistentVolumeName,omitempty"`
+	// inlineVolumeSpec contains all the information necessary to attach
+	// a persistent volume defined by a pod's inline VolumeSource. This field
+	// is populated only for the CSIMigration feature. It contains
+	// translated fields from a pod's inline VolumeSource to a
+	// PersistentVolumeSpec. This field is beta-level and is only
+	// honored by servers that enabled the CSIMigration feature.
+	InlineVolumeSpec *corev1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
 }
 
 // VolumeAttachmentSourceApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentspec.go
index 8965392352ea8..e707834d00f3c 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentspec.go
@@ -20,10 +20,16 @@ package v1
 
 // VolumeAttachmentSpecApplyConfiguration represents a declarative configuration of the VolumeAttachmentSpec type for use
 // with apply.
+//
+// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 type VolumeAttachmentSpecApplyConfiguration struct {
-	Attacher *string                                   `json:"attacher,omitempty"`
-	Source   *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
-	NodeName *string                                   `json:"nodeName,omitempty"`
+	// attacher indicates the name of the volume driver that MUST handle this
+	// request. This is the name returned by GetPluginName().
+	Attacher *string `json:"attacher,omitempty"`
+	// source represents the volume that should be attached.
+	Source *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
+	// nodeName represents the node that the volume should be attached to.
+	NodeName *string `json:"nodeName,omitempty"`
 }
 
 // VolumeAttachmentSpecApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentstatus.go
index 14293376d0933..e41c36e5aa643 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattachmentstatus.go
@@ -20,11 +20,27 @@ package v1
 
 // VolumeAttachmentStatusApplyConfiguration represents a declarative configuration of the VolumeAttachmentStatus type for use
 // with apply.
+//
+// VolumeAttachmentStatus is the status of a VolumeAttachment request.
 type VolumeAttachmentStatusApplyConfiguration struct {
-	Attached           *bool                          `json:"attached,omitempty"`
-	AttachmentMetadata map[string]string              `json:"attachmentMetadata,omitempty"`
-	AttachError        *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
-	DetachError        *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
+	// attached indicates the volume is successfully attached.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	Attached *bool `json:"attached,omitempty"`
+	// attachmentMetadata is populated with any
+	// information returned by the attach operation, upon successful attach, that must be passed
+	// into subsequent WaitForAttach or Mount calls.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachmentMetadata map[string]string `json:"attachmentMetadata,omitempty"`
+	// attachError represents the last error encountered during attach operation, if any.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachError *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
+	// detachError represents the last error encountered during detach operation, if any.
+	// This field must only be set by the entity completing the detach
+	// operation, i.e. the external-attacher.
+	DetachError *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
 }
 
 // VolumeAttachmentStatusApplyConfiguration constructs a declarative configuration of the VolumeAttachmentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattributesclass.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattributesclass.go
index 25774aeefb485..aee276c3d7546 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeattributesclass.go
@@ -29,11 +29,32 @@ import (
 
 // VolumeAttributesClassApplyConfiguration represents a declarative configuration of the VolumeAttributesClass type for use
 // with apply.
+//
+// VolumeAttributesClass represents a specification of mutable volume attributes
+// defined by the CSI driver. The class can be specified during dynamic provisioning
+// of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.
 type VolumeAttributesClassApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DriverName                           *string           `json:"driverName,omitempty"`
-	Parameters                           map[string]string `json:"parameters,omitempty"`
+	// Name of the CSI driver
+	// This field is immutable.
+	DriverName *string `json:"driverName,omitempty"`
+	// parameters hold volume attributes defined by the CSI driver. These values
+	// are opaque to the Kubernetes and are passed directly to the CSI driver.
+	// The underlying storage provider supports changing these attributes on an
+	// existing volume, however the parameters field itself is immutable. To
+	// invoke a volume update, a new VolumeAttributesClass should be created with
+	// new parameters, and the PersistentVolumeClaim should be updated to reference
+	// the new VolumeAttributesClass.
+	//
+	// This field is required and must contain at least one key/value pair.
+	// The keys cannot be empty, and the maximum number of parameters is 512, with
+	// a cumulative max size of 256K. If the CSI driver rejects invalid parameters,
+	// the target PersistentVolumeClaim will be set to an "Infeasible" state in the
+	// modifyVolumeStatus field.
+	Parameters map[string]string `json:"parameters,omitempty"`
 }
 
 // VolumeAttributesClass constructs a declarative configuration of the VolumeAttributesClass type for use with
@@ -46,29 +67,14 @@ func VolumeAttributesClass(name string) *VolumeAttributesClassApplyConfiguration
 	return b
 }
 
-// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
-// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
-// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractVolumeAttributesClassFrom extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
-// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractVolumeAttributesClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "")
-}
-
-// ExtractVolumeAttributesClassStatus is the same as ExtractVolumeAttributesClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractVolumeAttributesClassStatus(volumeAttributesClass *storagev1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "status")
-}
-
-func extractVolumeAttributesClass(volumeAttributesClass *storagev1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
+func ExtractVolumeAttributesClassFrom(volumeAttributesClass *storagev1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
 	b := &VolumeAttributesClassApplyConfiguration{}
 	err := managedfields.ExtractInto(volumeAttributesClass, internal.Parser().Type("io.k8s.api.storage.v1.VolumeAttributesClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +86,21 @@ func extractVolumeAttributesClass(volumeAttributesClass *storagev1.VolumeAttribu
 	b.WithAPIVersion("storage.k8s.io/v1")
 	return b, nil
 }
+
+// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
+// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
+	return ExtractVolumeAttributesClassFrom(volumeAttributesClass, fieldManager, "")
+}
+
 func (b VolumeAttributesClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeerror.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeerror.go
index 9becf77268ca9..b1a572f4eb3b3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeerror.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumeerror.go
@@ -24,10 +24,19 @@ import (
 
 // VolumeErrorApplyConfiguration represents a declarative configuration of the VolumeError type for use
 // with apply.
+//
+// VolumeError captures an error encountered during a volume operation.
 type VolumeErrorApplyConfiguration struct {
-	Time      *metav1.Time `json:"time,omitempty"`
-	Message   *string      `json:"message,omitempty"`
-	ErrorCode *int32       `json:"errorCode,omitempty"`
+	// time represents the time the error was encountered.
+	Time *metav1.Time `json:"time,omitempty"`
+	// message represents the error encountered during Attach or Detach operation.
+	// This string may be logged, so it should not contain sensitive
+	// information.
+	Message *string `json:"message,omitempty"`
+	// errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.
+	//
+	// This is an optional, beta field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
+	ErrorCode *int32 `json:"errorCode,omitempty"`
 }
 
 // VolumeErrorApplyConfiguration constructs a declarative configuration of the VolumeError type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumenoderesources.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumenoderesources.go
index 735853c48b8f3..6648d59fca4c3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumenoderesources.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1/volumenoderesources.go
@@ -20,7 +20,13 @@ package v1
 
 // VolumeNodeResourcesApplyConfiguration represents a declarative configuration of the VolumeNodeResources type for use
 // with apply.
+//
+// VolumeNodeResources is a set of resource limits for scheduling of volumes.
 type VolumeNodeResourcesApplyConfiguration struct {
+	// count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node.
+	// A volume that is both attached and mounted on a node is considered to be used once, not twice.
+	// The same rule applies for a unique volume that is shared among multiple pods on the same node.
+	// If this field is not specified, then the supported number of volumes on this node is unbounded.
 	Count *int32 `json:"count,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/csistoragecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/csistoragecapacity.go
index 92e70f10094a0..e52c1adf4f101 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/csistoragecapacity.go
@@ -30,13 +30,76 @@ import (
 
 // CSIStorageCapacityApplyConfiguration represents a declarative configuration of the CSIStorageCapacity type for use
 // with apply.
+//
+// CSIStorageCapacity stores the result of one CSI GetCapacity call.
+// For a given StorageClass, this describes the available capacity in a
+// particular topology segment.  This can be used when considering where to
+// instantiate new PersistentVolumes.
+//
+// For example this can express things like:
+// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
+// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+//
+// The following three cases all imply that no capacity is available for
+// a certain combination:
+// - no object exists with suitable topology and storage class name
+// - such an object exists, but the capacity is unset
+// - such an object exists, but the capacity is zero
+//
+// The producer of these objects can decide which approach is more suitable.
+//
+// They are consumed by the kube-scheduler when a CSI driver opts into
+// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler
+// compares the MaximumVolumeSize against the requested size of pending volumes
+// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back
+// to a comparison against the less precise Capacity. If that is also unset,
+// the scheduler assumes that capacity is insufficient and tries some other
+// node.
 type CSIStorageCapacityApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata. The name has no particular meaning. It must be
+	// be a DNS subdomain (dots allowed, 253 characters). To ensure that
+	// there are no conflicts with other CSI drivers on the cluster, the recommendation
+	// is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends
+	// with the unique CSI driver name.
+	//
+	// Objects are namespaced.
+	//
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	NodeTopology                     *v1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
-	StorageClassName                 *string                             `json:"storageClassName,omitempty"`
-	Capacity                         *resource.Quantity                  `json:"capacity,omitempty"`
-	MaximumVolumeSize                *resource.Quantity                  `json:"maximumVolumeSize,omitempty"`
+	// nodeTopology defines which nodes have access to the storage
+	// for which capacity was reported. If not set, the storage is
+	// not accessible from any node in the cluster. If empty, the
+	// storage is accessible from all nodes. This field is
+	// immutable.
+	NodeTopology *v1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
+	// storageClassName represents the name of the StorageClass that the reported capacity applies to.
+	// It must meet the same requirements as the name of a StorageClass
+	// object (non-empty, DNS subdomain). If that object no longer exists,
+	// the CSIStorageCapacity object is obsolete and should be removed by its
+	// creator.
+	// This field is immutable.
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// capacity is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// The semantic is currently (CSI spec 1.2) defined as:
+	// The available capacity, in bytes, of the storage that can be used
+	// to provision volumes. If not set, that information is currently
+	// unavailable.
+	Capacity *resource.Quantity `json:"capacity,omitempty"`
+	// maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// This is defined since CSI spec 1.4.0 as the largest size
+	// that may be used in a
+	// CreateVolumeRequest.capacity_range.required_bytes field to
+	// create a volume with the same parameters as those in
+	// GetCapacityRequest. The corresponding value in the Kubernetes
+	// API is ResourceRequirements.Requests in a volume claim.
+	MaximumVolumeSize *resource.Quantity `json:"maximumVolumeSize,omitempty"`
 }
 
 // CSIStorageCapacity constructs a declarative configuration of the CSIStorageCapacity type for use with
@@ -50,29 +113,14 @@ func CSIStorageCapacity(name, namespace string) *CSIStorageCapacityApplyConfigur
 	return b
 }
 
-// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
-// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
-// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSIStorageCapacityFrom extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
-// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSIStorageCapacityFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1alpha1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "")
-}
-
-// ExtractCSIStorageCapacityStatus is the same as ExtractCSIStorageCapacity except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSIStorageCapacityStatus(cSIStorageCapacity *storagev1alpha1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "status")
-}
-
-func extractCSIStorageCapacity(cSIStorageCapacity *storagev1alpha1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
+func ExtractCSIStorageCapacityFrom(cSIStorageCapacity *storagev1alpha1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
 	b := &CSIStorageCapacityApplyConfiguration{}
 	err := managedfields.ExtractInto(cSIStorageCapacity, internal.Parser().Type("io.k8s.api.storage.v1alpha1.CSIStorageCapacity"), fieldManager, b, subresource)
 	if err != nil {
@@ -85,6 +133,21 @@ func extractCSIStorageCapacity(cSIStorageCapacity *storagev1alpha1.CSIStorageCap
 	b.WithAPIVersion("storage.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
+// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
+// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1alpha1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
+	return ExtractCSIStorageCapacityFrom(cSIStorageCapacity, fieldManager, "")
+}
+
 func (b CSIStorageCapacityApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachment.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachment.go
index ae8ab651ae31a..bd214650ba020 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachment.go
@@ -29,11 +29,23 @@ import (
 
 // VolumeAttachmentApplyConfiguration represents a declarative configuration of the VolumeAttachment type for use
 // with apply.
+//
+// VolumeAttachment captures the intent to attach or detach the specified volume
+// to/from the specified node.
+//
+// VolumeAttachment objects are non-namespaced.
 type VolumeAttachmentApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *VolumeAttachmentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
+	// spec represents specification of the desired attach/detach volume behavior.
+	// Populated by the Kubernetes system.
+	Spec *VolumeAttachmentSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents status of the VolumeAttachment request.
+	// Populated by the entity completing the attach or detach
+	// operation, i.e. the external-attacher.
+	Status *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // VolumeAttachment constructs a declarative configuration of the VolumeAttachment type for use with
@@ -46,6 +58,26 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 	return b
 }
 
+// ExtractVolumeAttachmentFrom extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// volumeAttachment must be a unmodified VolumeAttachment API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttachmentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttachmentFrom(volumeAttachment *storagev1alpha1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
+	b := &VolumeAttachmentApplyConfiguration{}
+	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1alpha1.VolumeAttachment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(volumeAttachment.Name)
+
+	b.WithKind("VolumeAttachment")
+	b.WithAPIVersion("storage.k8s.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractVolumeAttachment extracts the applied configuration owned by fieldManager from
 // volumeAttachment. If no managedFields are found in volumeAttachment for fieldManager, a
 // VolumeAttachmentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +88,16 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 // ExtractVolumeAttachment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractVolumeAttachment(volumeAttachment *storagev1alpha1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "")
 }
 
-// ExtractVolumeAttachmentStatus is the same as ExtractVolumeAttachment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractVolumeAttachmentStatus extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the status subresource.
 func ExtractVolumeAttachmentStatus(volumeAttachment *storagev1alpha1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "status")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "status")
 }
 
-func extractVolumeAttachment(volumeAttachment *storagev1alpha1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
-	b := &VolumeAttachmentApplyConfiguration{}
-	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1alpha1.VolumeAttachment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(volumeAttachment.Name)
-
-	b.WithKind("VolumeAttachment")
-	b.WithAPIVersion("storage.k8s.io/v1alpha1")
-	return b, nil
-}
 func (b VolumeAttachmentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentsource.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentsource.go
index be7da5dd15066..a7753ff85a0c9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentsource.go
@@ -24,9 +24,21 @@ import (
 
 // VolumeAttachmentSourceApplyConfiguration represents a declarative configuration of the VolumeAttachmentSource type for use
 // with apply.
+//
+// VolumeAttachmentSource represents a volume that should be attached.
+// Right now only PersistentVolumes can be attached via external attacher,
+// in the future we may allow also inline volumes in pods.
+// Exactly one member can be set.
 type VolumeAttachmentSourceApplyConfiguration struct {
-	PersistentVolumeName *string                                    `json:"persistentVolumeName,omitempty"`
-	InlineVolumeSpec     *v1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
+	// persistentVolumeName represents the name of the persistent volume to attach.
+	PersistentVolumeName *string `json:"persistentVolumeName,omitempty"`
+	// inlineVolumeSpec contains all the information necessary to attach
+	// a persistent volume defined by a pod's inline VolumeSource. This field
+	// is populated only for the CSIMigration feature. It contains
+	// translated fields from a pod's inline VolumeSource to a
+	// PersistentVolumeSpec. This field is alpha-level and is only
+	// honored by servers that enabled the CSIMigration feature.
+	InlineVolumeSpec *v1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
 }
 
 // VolumeAttachmentSourceApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentspec.go
index e97487a645dda..d6f6a7511fb14 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentspec.go
@@ -20,10 +20,16 @@ package v1alpha1
 
 // VolumeAttachmentSpecApplyConfiguration represents a declarative configuration of the VolumeAttachmentSpec type for use
 // with apply.
+//
+// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 type VolumeAttachmentSpecApplyConfiguration struct {
-	Attacher *string                                   `json:"attacher,omitempty"`
-	Source   *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
-	NodeName *string                                   `json:"nodeName,omitempty"`
+	// attacher indicates the name of the volume driver that MUST handle this
+	// request. This is the name returned by GetPluginName().
+	Attacher *string `json:"attacher,omitempty"`
+	// source represents the volume that should be attached.
+	Source *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
+	// nodeName represents the node that the volume should be attached to.
+	NodeName *string `json:"nodeName,omitempty"`
 }
 
 // VolumeAttachmentSpecApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentstatus.go
index a287fc6b28c7e..a4681f03edc11 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattachmentstatus.go
@@ -20,11 +20,27 @@ package v1alpha1
 
 // VolumeAttachmentStatusApplyConfiguration represents a declarative configuration of the VolumeAttachmentStatus type for use
 // with apply.
+//
+// VolumeAttachmentStatus is the status of a VolumeAttachment request.
 type VolumeAttachmentStatusApplyConfiguration struct {
-	Attached           *bool                          `json:"attached,omitempty"`
-	AttachmentMetadata map[string]string              `json:"attachmentMetadata,omitempty"`
-	AttachError        *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
-	DetachError        *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
+	// attached indicates the volume is successfully attached.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	Attached *bool `json:"attached,omitempty"`
+	// attachmentMetadata is populated with any
+	// information returned by the attach operation, upon successful attach, that must be passed
+	// into subsequent WaitForAttach or Mount calls.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachmentMetadata map[string]string `json:"attachmentMetadata,omitempty"`
+	// attachError represents the last error encountered during attach operation, if any.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachError *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
+	// detachError represents the last error encountered during detach operation, if any.
+	// This field must only be set by the entity completing the detach
+	// operation, i.e. the external-attacher.
+	DetachError *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
 }
 
 // VolumeAttachmentStatusApplyConfiguration constructs a declarative configuration of the VolumeAttachmentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattributesclass.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattributesclass.go
index 9982cd6b7f842..62ff6dcbf93ce 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeattributesclass.go
@@ -29,11 +29,32 @@ import (
 
 // VolumeAttributesClassApplyConfiguration represents a declarative configuration of the VolumeAttributesClass type for use
 // with apply.
+//
+// VolumeAttributesClass represents a specification of mutable volume attributes
+// defined by the CSI driver. The class can be specified during dynamic provisioning
+// of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.
 type VolumeAttributesClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DriverName                       *string           `json:"driverName,omitempty"`
-	Parameters                       map[string]string `json:"parameters,omitempty"`
+	// Name of the CSI driver
+	// This field is immutable.
+	DriverName *string `json:"driverName,omitempty"`
+	// parameters hold volume attributes defined by the CSI driver. These values
+	// are opaque to the Kubernetes and are passed directly to the CSI driver.
+	// The underlying storage provider supports changing these attributes on an
+	// existing volume, however the parameters field itself is immutable. To
+	// invoke a volume update, a new VolumeAttributesClass should be created with
+	// new parameters, and the PersistentVolumeClaim should be updated to reference
+	// the new VolumeAttributesClass.
+	//
+	// This field is required and must contain at least one key/value pair.
+	// The keys cannot be empty, and the maximum number of parameters is 512, with
+	// a cumulative max size of 256K. If the CSI driver rejects invalid parameters,
+	// the target PersistentVolumeClaim will be set to an "Infeasible" state in the
+	// modifyVolumeStatus field.
+	Parameters map[string]string `json:"parameters,omitempty"`
 }
 
 // VolumeAttributesClass constructs a declarative configuration of the VolumeAttributesClass type for use with
@@ -46,29 +67,14 @@ func VolumeAttributesClass(name string) *VolumeAttributesClassApplyConfiguration
 	return b
 }
 
-// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
-// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
-// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractVolumeAttributesClassFrom extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
-// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractVolumeAttributesClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1alpha1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "")
-}
-
-// ExtractVolumeAttributesClassStatus is the same as ExtractVolumeAttributesClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractVolumeAttributesClassStatus(volumeAttributesClass *storagev1alpha1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "status")
-}
-
-func extractVolumeAttributesClass(volumeAttributesClass *storagev1alpha1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
+func ExtractVolumeAttributesClassFrom(volumeAttributesClass *storagev1alpha1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
 	b := &VolumeAttributesClassApplyConfiguration{}
 	err := managedfields.ExtractInto(volumeAttributesClass, internal.Parser().Type("io.k8s.api.storage.v1alpha1.VolumeAttributesClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +86,21 @@ func extractVolumeAttributesClass(volumeAttributesClass *storagev1alpha1.VolumeA
 	b.WithAPIVersion("storage.k8s.io/v1alpha1")
 	return b, nil
 }
+
+// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
+// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1alpha1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
+	return ExtractVolumeAttributesClassFrom(volumeAttributesClass, fieldManager, "")
+}
+
 func (b VolumeAttributesClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeerror.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeerror.go
index 19e5275105d5f..d9106e361ce38 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeerror.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1alpha1/volumeerror.go
@@ -24,10 +24,19 @@ import (
 
 // VolumeErrorApplyConfiguration represents a declarative configuration of the VolumeError type for use
 // with apply.
+//
+// VolumeError captures an error encountered during a volume operation.
 type VolumeErrorApplyConfiguration struct {
-	Time      *v1.Time `json:"time,omitempty"`
-	Message   *string  `json:"message,omitempty"`
-	ErrorCode *int32   `json:"errorCode,omitempty"`
+	// time represents the time the error was encountered.
+	Time *v1.Time `json:"time,omitempty"`
+	// message represents the error encountered during Attach or Detach operation.
+	// This string maybe logged, so it should not contain sensitive
+	// information.
+	Message *string `json:"message,omitempty"`
+	// errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.
+	//
+	// This is an optional, alpha field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
+	ErrorCode *int32 `json:"errorCode,omitempty"`
 }
 
 // VolumeErrorApplyConfiguration constructs a declarative configuration of the VolumeError type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriver.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriver.go
index f741821521364..bace6d42b6aec 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriver.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriver.go
@@ -29,10 +29,28 @@ import (
 
 // CSIDriverApplyConfiguration represents a declarative configuration of the CSIDriver type for use
 // with apply.
+//
+// CSIDriver captures information about a Container Storage Interface (CSI)
+// volume driver deployed on the cluster.
+// CSI drivers do not need to create the CSIDriver object directly. Instead they may use the
+// cluster-driver-registrar sidecar container. When deployed with a CSI driver it automatically
+// creates a CSIDriver object representing the driver.
+// Kubernetes attach detach controller uses this object to determine whether attach is required.
+// Kubelet uses this object to determine whether pod information needs to be passed on mount.
+// CSIDriver objects are non-namespaced.
 type CSIDriverApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// metadata.Name indicates the name of the CSI driver that this object
+	// refers to; it MUST be the same name returned by the CSI GetPluginName()
+	// call for that driver.
+	// The driver name must be 63 characters or less, beginning and ending with
+	// an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
+	// alphanumerics between.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *CSIDriverSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec represents the specification of the CSI Driver.
+	Spec *CSIDriverSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // CSIDriver constructs a declarative configuration of the CSIDriver type for use with
@@ -45,29 +63,14 @@ func CSIDriver(name string) *CSIDriverApplyConfiguration {
 	return b
 }
 
-// ExtractCSIDriver extracts the applied configuration owned by fieldManager from
-// cSIDriver. If no managedFields are found in cSIDriver for fieldManager, a
-// CSIDriverApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSIDriverFrom extracts the applied configuration owned by fieldManager from
+// cSIDriver for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSIDriver must be a unmodified CSIDriver API object that was retrieved from the Kubernetes API.
-// ExtractCSIDriver provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSIDriverFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSIDriver(cSIDriver *storagev1beta1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
-	return extractCSIDriver(cSIDriver, fieldManager, "")
-}
-
-// ExtractCSIDriverStatus is the same as ExtractCSIDriver except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSIDriverStatus(cSIDriver *storagev1beta1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
-	return extractCSIDriver(cSIDriver, fieldManager, "status")
-}
-
-func extractCSIDriver(cSIDriver *storagev1beta1.CSIDriver, fieldManager string, subresource string) (*CSIDriverApplyConfiguration, error) {
+func ExtractCSIDriverFrom(cSIDriver *storagev1beta1.CSIDriver, fieldManager string, subresource string) (*CSIDriverApplyConfiguration, error) {
 	b := &CSIDriverApplyConfiguration{}
 	err := managedfields.ExtractInto(cSIDriver, internal.Parser().Type("io.k8s.api.storage.v1beta1.CSIDriver"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +82,21 @@ func extractCSIDriver(cSIDriver *storagev1beta1.CSIDriver, fieldManager string,
 	b.WithAPIVersion("storage.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractCSIDriver extracts the applied configuration owned by fieldManager from
+// cSIDriver. If no managedFields are found in cSIDriver for fieldManager, a
+// CSIDriverApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSIDriver must be a unmodified CSIDriver API object that was retrieved from the Kubernetes API.
+// ExtractCSIDriver provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSIDriver(cSIDriver *storagev1beta1.CSIDriver, fieldManager string) (*CSIDriverApplyConfiguration, error) {
+	return ExtractCSIDriverFrom(cSIDriver, fieldManager, "")
+}
+
 func (b CSIDriverApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go
index b1c9ec6d12edd..323065d2a415e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csidriverspec.go
@@ -24,16 +24,160 @@ import (
 
 // CSIDriverSpecApplyConfiguration represents a declarative configuration of the CSIDriverSpec type for use
 // with apply.
+//
+// CSIDriverSpec is the specification of a CSIDriver.
 type CSIDriverSpecApplyConfiguration struct {
-	AttachRequired                     *bool                                `json:"attachRequired,omitempty"`
-	PodInfoOnMount                     *bool                                `json:"podInfoOnMount,omitempty"`
-	VolumeLifecycleModes               []storagev1beta1.VolumeLifecycleMode `json:"volumeLifecycleModes,omitempty"`
-	StorageCapacity                    *bool                                `json:"storageCapacity,omitempty"`
-	FSGroupPolicy                      *storagev1beta1.FSGroupPolicy        `json:"fsGroupPolicy,omitempty"`
-	TokenRequests                      []TokenRequestApplyConfiguration     `json:"tokenRequests,omitempty"`
-	RequiresRepublish                  *bool                                `json:"requiresRepublish,omitempty"`
-	SELinuxMount                       *bool                                `json:"seLinuxMount,omitempty"`
-	NodeAllocatableUpdatePeriodSeconds *int64                               `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+	// attachRequired indicates this CSI volume driver requires an attach
+	// operation (because it implements the CSI ControllerPublishVolume()
+	// method), and that the Kubernetes attach detach controller should call
+	// the attach volume interface which checks the volumeattachment status
+	// and waits until the volume is attached before proceeding to mounting.
+	// The CSI external-attacher coordinates with CSI volume driver and updates
+	// the volumeattachment status when the attach operation is complete.
+	// If the value is specified to false, the attach operation will be skipped.
+	// Otherwise the attach operation will be called.
+	//
+	// This field is immutable.
+	AttachRequired *bool `json:"attachRequired,omitempty"`
+	// podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.)
+	// during mount operations, if set to true.
+	// If set to false, pod information will not be passed on mount.
+	// Default is false.
+	//
+	// The CSI driver specifies podInfoOnMount as part of driver deployment.
+	// If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls.
+	// The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.
+	//
+	// The following VolumeContext will be passed if podInfoOnMount is set to true.
+	// This list might grow, but the prefix will be used.
+	// "csi.storage.k8s.io/pod.name": pod.Name
+	// "csi.storage.k8s.io/pod.namespace": pod.Namespace
+	// "csi.storage.k8s.io/pod.uid": string(pod.UID)
+	// "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+	// defined by a CSIVolumeSource, otherwise "false"
+	//
+	// "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
+	// required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
+	// Other drivers can leave pod info disabled and/or ignore this field.
+	// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
+	// deployed on such a cluster and the deployment determines which mode that is, for example
+	// via a command line parameter of the driver.
+	//
+	// This field is immutable.
+	PodInfoOnMount *bool `json:"podInfoOnMount,omitempty"`
+	// volumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
+	// The default if the list is empty is "Persistent", which is the usage defined by the
+	// CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
+	//
+	// The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec
+	// with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod.
+	// A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.
+	//
+	// For more information about implementing this mode, see
+	// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
+	// A driver can support one or more of these modes and
+	// more modes may be added in the future.
+	//
+	// This field is immutable.
+	VolumeLifecycleModes []storagev1beta1.VolumeLifecycleMode `json:"volumeLifecycleModes,omitempty"`
+	// storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage
+	// capacity that the driver deployment will report by creating
+	// CSIStorageCapacity objects with capacity information, if set to true.
+	//
+	// The check can be enabled immediately when deploying a driver.
+	// In that case, provisioning new volumes with late binding
+	// will pause until the driver deployment has published
+	// some suitable CSIStorageCapacity object.
+	//
+	// Alternatively, the driver can be deployed with the field
+	// unset or false and it can be flipped later when storage
+	// capacity information has been published.
+	//
+	// This field was immutable in Kubernetes <= 1.22 and now is mutable.
+	StorageCapacity *bool `json:"storageCapacity,omitempty"`
+	// fsGroupPolicy defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	//
+	// This field is immutable.
+	//
+	// Defaults to ReadWriteOnceWithFSType, which will examine each volume
+	// to determine if Kubernetes should modify ownership and permissions of the volume.
+	// With the default policy the defined fsGroup will only be applied
+	// if a fstype is defined and the volume's access mode contains ReadWriteOnce.
+	FSGroupPolicy *storagev1beta1.FSGroupPolicy `json:"fsGroupPolicy,omitempty"`
+	// tokenRequests indicates the CSI driver needs pods' service account
+	// tokens it is mounting volume for to do necessary authentication. Kubelet
+	// will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
+	// The CSI driver should parse and validate the following VolumeContext:
+	// "csi.storage.k8s.io/serviceAccount.tokens": {
+	// "<audience>": {
+	// "token": <token>,
+	// "expirationTimestamp": <expiration timestamp in RFC3339>,
+	// },
+	// ...
+	// }
+	//
+	// Note: Audience in each TokenRequest should be different and at
+	// most one token is empty string. To receive a new token after expiry,
+	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
+	TokenRequests []TokenRequestApplyConfiguration `json:"tokenRequests,omitempty"`
+	// requiresRepublish indicates the CSI driver wants `NodePublishVolume`
+	// being periodically called to reflect any possible change in the mounted
+	// volume. This field defaults to false.
+	//
+	// Note: After a successful initial NodePublishVolume call, subsequent calls
+	// to NodePublishVolume should only update the contents of the volume. New
+	// mount points will not be seen by a running container.
+	RequiresRepublish *bool `json:"requiresRepublish,omitempty"`
+	// seLinuxMount specifies if the CSI driver supports "-o context"
+	// mount option.
+	//
+	// When "true", the CSI driver must ensure that all volumes provided by this CSI
+	// driver can be mounted separately with different `-o context` options. This is
+	// typical for storage backends that provide volumes as filesystems on block
+	// devices or as independent shared volumes.
+	// Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount
+	// option when mounting a ReadWriteOncePod volume used in Pod that has
+	// explicitly set SELinux context. In the future, it may be expanded to other
+	// volume AccessModes. In any case, Kubernetes will ensure that the volume is
+	// mounted only with a single SELinux context.
+	//
+	// When "false", Kubernetes won't pass any special SELinux mount options to the driver.
+	// This is typical for volumes that represent subdirectories of a bigger shared filesystem.
+	//
+	// Default is "false".
+	SELinuxMount *bool `json:"seLinuxMount,omitempty"`
+	// nodeAllocatableUpdatePeriodSeconds specifies the interval between periodic updates of
+	// the CSINode allocatable capacity for this driver. When set, both periodic updates and
+	// updates triggered by capacity-related failures are enabled. If not set, no updates
+	// occur (neither periodic nor upon detecting capacity-related failures), and the
+	// allocatable.count remains static. The minimum allowed value for this field is 10 seconds.
+	//
+	// This is a beta feature and requires the MutableCSINodeAllocatableCount feature gate to be enabled.
+	//
+	// This field is mutable.
+	NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+	// serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+	// service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+	// instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+	// field for sensitive information like tokens, which is the appropriate mechanism for
+	// handling credentials. This addresses security concerns where sensitive tokens were being
+	// logged as part of volume context.
+	//
+	// When "true", kubelet will pass the tokens only in the Secrets field with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+	// tokens from the Secrets field instead of VolumeContext.
+	//
+	// When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+	// "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+	// compatibility with existing CSI drivers.
+	//
+	// This field can only be set when TokenRequests is configured. The API server will reject
+	// CSIDriver specs that set this field without TokenRequests.
+	//
+	// Default behavior if unset is to pass tokens in the VolumeContext field.
+	ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
 }
 
 // CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
@@ -120,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
 	b.NodeAllocatableUpdatePeriodSeconds = &value
 	return b
 }
+
+// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
+func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
+	b.ServiceAccountTokenInSecrets = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinode.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinode.go
index 85e70903505f2..7f6907275edc3 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinode.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinode.go
@@ -29,10 +29,24 @@ import (
 
 // CSINodeApplyConfiguration represents a declarative configuration of the CSINode type for use
 // with apply.
+//
+// DEPRECATED - This group version of CSINode is deprecated by storage/v1/CSINode.
+// See the release notes for more information.
+// CSINode holds information about all CSI drivers installed on a node.
+// CSI drivers do not need to create the CSINode object directly. As long as
+// they use the node-driver-registrar sidecar container, the kubelet will
+// automatically populate the CSINode object for the CSI driver as part of
+// kubelet plugin registration.
+// CSINode has the same name as a node. If the object is missing, it means either
+// there are no CSI Drivers available on the node, or the Kubelet version is low
+// enough that it doesn't create this object.
+// CSINode has an OwnerReference that points to the corresponding node object.
 type CSINodeApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata.name must be the Kubernetes node name.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *CSINodeSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the specification of CSINode
+	Spec *CSINodeSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // CSINode constructs a declarative configuration of the CSINode type for use with
@@ -45,29 +59,14 @@ func CSINode(name string) *CSINodeApplyConfiguration {
 	return b
 }
 
-// ExtractCSINode extracts the applied configuration owned by fieldManager from
-// cSINode. If no managedFields are found in cSINode for fieldManager, a
-// CSINodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSINodeFrom extracts the applied configuration owned by fieldManager from
+// cSINode for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSINode must be a unmodified CSINode API object that was retrieved from the Kubernetes API.
-// ExtractCSINode provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSINodeFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSINode(cSINode *storagev1beta1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
-	return extractCSINode(cSINode, fieldManager, "")
-}
-
-// ExtractCSINodeStatus is the same as ExtractCSINode except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSINodeStatus(cSINode *storagev1beta1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
-	return extractCSINode(cSINode, fieldManager, "status")
-}
-
-func extractCSINode(cSINode *storagev1beta1.CSINode, fieldManager string, subresource string) (*CSINodeApplyConfiguration, error) {
+func ExtractCSINodeFrom(cSINode *storagev1beta1.CSINode, fieldManager string, subresource string) (*CSINodeApplyConfiguration, error) {
 	b := &CSINodeApplyConfiguration{}
 	err := managedfields.ExtractInto(cSINode, internal.Parser().Type("io.k8s.api.storage.v1beta1.CSINode"), fieldManager, b, subresource)
 	if err != nil {
@@ -79,6 +78,21 @@ func extractCSINode(cSINode *storagev1beta1.CSINode, fieldManager string, subres
 	b.WithAPIVersion("storage.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractCSINode extracts the applied configuration owned by fieldManager from
+// cSINode. If no managedFields are found in cSINode for fieldManager, a
+// CSINodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSINode must be a unmodified CSINode API object that was retrieved from the Kubernetes API.
+// ExtractCSINode provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSINode(cSINode *storagev1beta1.CSINode, fieldManager string) (*CSINodeApplyConfiguration, error) {
+	return ExtractCSINodeFrom(cSINode, fieldManager, "")
+}
+
 func (b CSINodeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodedriver.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodedriver.go
index 65ad771bb24b9..7e16fbdcffe1f 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodedriver.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodedriver.go
@@ -20,11 +20,36 @@ package v1beta1
 
 // CSINodeDriverApplyConfiguration represents a declarative configuration of the CSINodeDriver type for use
 // with apply.
+//
+// CSINodeDriver holds information about the specification of one CSI driver installed on a node
 type CSINodeDriverApplyConfiguration struct {
-	Name         *string                                `json:"name,omitempty"`
-	NodeID       *string                                `json:"nodeID,omitempty"`
-	TopologyKeys []string                               `json:"topologyKeys,omitempty"`
-	Allocatable  *VolumeNodeResourcesApplyConfiguration `json:"allocatable,omitempty"`
+	// name represents the name of the CSI driver that this object refers to.
+	// This MUST be the same name returned by the CSI GetPluginName() call for
+	// that driver.
+	Name *string `json:"name,omitempty"`
+	// nodeID of the node from the driver point of view.
+	// This field enables Kubernetes to communicate with storage systems that do
+	// not share the same nomenclature for nodes. For example, Kubernetes may
+	// refer to a given node as "node1", but the storage system may refer to
+	// the same node as "nodeA". When Kubernetes issues a command to the storage
+	// system to attach a volume to a specific node, it can use this field to
+	// refer to the node name using the ID that the storage system will
+	// understand, e.g. "nodeA" instead of "node1". This field is required.
+	NodeID *string `json:"nodeID,omitempty"`
+	// topologyKeys is the list of keys supported by the driver.
+	// When a driver is initialized on a cluster, it provides a set of topology
+	// keys that it understands (e.g. "company.com/zone", "company.com/region").
+	// When a driver is initialized on a node, it provides the same topology keys
+	// along with values. Kubelet will expose these topology keys as labels
+	// on its own node object.
+	// When Kubernetes does topology aware provisioning, it can use this list to
+	// determine which labels it should retrieve from the node object and pass
+	// back to the driver.
+	// It is possible for different nodes to use different topology keys.
+	// This can be empty if driver does not support topology.
+	TopologyKeys []string `json:"topologyKeys,omitempty"`
+	// allocatable represents the volume resources of a node that are available for scheduling.
+	Allocatable *VolumeNodeResourcesApplyConfiguration `json:"allocatable,omitempty"`
 }
 
 // CSINodeDriverApplyConfiguration constructs a declarative configuration of the CSINodeDriver type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodespec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodespec.go
index c9cbea1d9c2fa..71fc06a70d438 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodespec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csinodespec.go
@@ -20,7 +20,11 @@ package v1beta1
 
 // CSINodeSpecApplyConfiguration represents a declarative configuration of the CSINodeSpec type for use
 // with apply.
+//
+// CSINodeSpec holds information about the specification of all CSI drivers installed on a node
 type CSINodeSpecApplyConfiguration struct {
+	// drivers is a list of information of all CSI Drivers existing on a node.
+	// If all drivers in the list are uninstalled, this can become empty.
 	Drivers []CSINodeDriverApplyConfiguration `json:"drivers,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csistoragecapacity.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csistoragecapacity.go
index d0da232dbd2dc..e27221e82c2f0 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/csistoragecapacity.go
@@ -30,13 +30,76 @@ import (
 
 // CSIStorageCapacityApplyConfiguration represents a declarative configuration of the CSIStorageCapacity type for use
 // with apply.
+//
+// CSIStorageCapacity stores the result of one CSI GetCapacity call.
+// For a given StorageClass, this describes the available capacity in a
+// particular topology segment.  This can be used when considering where to
+// instantiate new PersistentVolumes.
+//
+// For example this can express things like:
+// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
+// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+//
+// The following three cases all imply that no capacity is available for
+// a certain combination:
+// - no object exists with suitable topology and storage class name
+// - such an object exists, but the capacity is unset
+// - such an object exists, but the capacity is zero
+//
+// The producer of these objects can decide which approach is more suitable.
+//
+// They are consumed by the kube-scheduler when a CSI driver opts into
+// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler
+// compares the MaximumVolumeSize against the requested size of pending volumes
+// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back
+// to a comparison against the less precise Capacity. If that is also unset,
+// the scheduler assumes that capacity is insufficient and tries some other
+// node.
 type CSIStorageCapacityApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata. The name has no particular meaning. It must be
+	// be a DNS subdomain (dots allowed, 253 characters). To ensure that
+	// there are no conflicts with other CSI drivers on the cluster, the recommendation
+	// is to use csisc-<uuid>, a generated name, or a reverse-domain name which ends
+	// with the unique CSI driver name.
+	//
+	// Objects are namespaced.
+	//
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	NodeTopology                     *v1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
-	StorageClassName                 *string                             `json:"storageClassName,omitempty"`
-	Capacity                         *resource.Quantity                  `json:"capacity,omitempty"`
-	MaximumVolumeSize                *resource.Quantity                  `json:"maximumVolumeSize,omitempty"`
+	// nodeTopology defines which nodes have access to the storage
+	// for which capacity was reported. If not set, the storage is
+	// not accessible from any node in the cluster. If empty, the
+	// storage is accessible from all nodes. This field is
+	// immutable.
+	NodeTopology *v1.LabelSelectorApplyConfiguration `json:"nodeTopology,omitempty"`
+	// storageClassName represents the name of the StorageClass that the reported capacity applies to.
+	// It must meet the same requirements as the name of a StorageClass
+	// object (non-empty, DNS subdomain). If that object no longer exists,
+	// the CSIStorageCapacity object is obsolete and should be removed by its
+	// creator.
+	// This field is immutable.
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// capacity is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// The semantic is currently (CSI spec 1.2) defined as:
+	// The available capacity, in bytes, of the storage that can be used
+	// to provision volumes. If not set, that information is currently
+	// unavailable.
+	Capacity *resource.Quantity `json:"capacity,omitempty"`
+	// maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// This is defined since CSI spec 1.4.0 as the largest size
+	// that may be used in a
+	// CreateVolumeRequest.capacity_range.required_bytes field to
+	// create a volume with the same parameters as those in
+	// GetCapacityRequest. The corresponding value in the Kubernetes
+	// API is ResourceRequirements.Requests in a volume claim.
+	MaximumVolumeSize *resource.Quantity `json:"maximumVolumeSize,omitempty"`
 }
 
 // CSIStorageCapacity constructs a declarative configuration of the CSIStorageCapacity type for use with
@@ -50,29 +113,14 @@ func CSIStorageCapacity(name, namespace string) *CSIStorageCapacityApplyConfigur
 	return b
 }
 
-// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
-// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
-// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractCSIStorageCapacityFrom extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
-// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractCSIStorageCapacityFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1beta1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "")
-}
-
-// ExtractCSIStorageCapacityStatus is the same as ExtractCSIStorageCapacity except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractCSIStorageCapacityStatus(cSIStorageCapacity *storagev1beta1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
-	return extractCSIStorageCapacity(cSIStorageCapacity, fieldManager, "status")
-}
-
-func extractCSIStorageCapacity(cSIStorageCapacity *storagev1beta1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
+func ExtractCSIStorageCapacityFrom(cSIStorageCapacity *storagev1beta1.CSIStorageCapacity, fieldManager string, subresource string) (*CSIStorageCapacityApplyConfiguration, error) {
 	b := &CSIStorageCapacityApplyConfiguration{}
 	err := managedfields.ExtractInto(cSIStorageCapacity, internal.Parser().Type("io.k8s.api.storage.v1beta1.CSIStorageCapacity"), fieldManager, b, subresource)
 	if err != nil {
@@ -85,6 +133,21 @@ func extractCSIStorageCapacity(cSIStorageCapacity *storagev1beta1.CSIStorageCapa
 	b.WithAPIVersion("storage.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractCSIStorageCapacity extracts the applied configuration owned by fieldManager from
+// cSIStorageCapacity. If no managedFields are found in cSIStorageCapacity for fieldManager, a
+// CSIStorageCapacityApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cSIStorageCapacity must be a unmodified CSIStorageCapacity API object that was retrieved from the Kubernetes API.
+// ExtractCSIStorageCapacity provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCSIStorageCapacity(cSIStorageCapacity *storagev1beta1.CSIStorageCapacity, fieldManager string) (*CSIStorageCapacityApplyConfiguration, error) {
+	return ExtractCSIStorageCapacityFrom(cSIStorageCapacity, fieldManager, "")
+}
+
 func (b CSIStorageCapacityApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/storageclass.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/storageclass.go
index 3eccf819d34a8..49bf87ac590ee 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/storageclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/storageclass.go
@@ -31,16 +31,40 @@ import (
 
 // StorageClassApplyConfiguration represents a declarative configuration of the StorageClass type for use
 // with apply.
+//
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+//
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
 type StorageClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Provisioner                      *string                                                            `json:"provisioner,omitempty"`
-	Parameters                       map[string]string                                                  `json:"parameters,omitempty"`
-	ReclaimPolicy                    *corev1.PersistentVolumeReclaimPolicy                              `json:"reclaimPolicy,omitempty"`
-	MountOptions                     []string                                                           `json:"mountOptions,omitempty"`
-	AllowVolumeExpansion             *bool                                                              `json:"allowVolumeExpansion,omitempty"`
-	VolumeBindingMode                *storagev1beta1.VolumeBindingMode                                  `json:"volumeBindingMode,omitempty"`
-	AllowedTopologies                []applyconfigurationscorev1.TopologySelectorTermApplyConfiguration `json:"allowedTopologies,omitempty"`
+	// provisioner indicates the type of the provisioner.
+	Provisioner *string `json:"provisioner,omitempty"`
+	// parameters holds the parameters for the provisioner that should
+	// create volumes of this storage class.
+	Parameters map[string]string `json:"parameters,omitempty"`
+	// reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class.
+	// Defaults to Delete.
+	ReclaimPolicy *corev1.PersistentVolumeReclaimPolicy `json:"reclaimPolicy,omitempty"`
+	// mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class.
+	// e.g. ["ro", "soft"]. Not validated -
+	// mount of the PVs will simply fail if one is invalid.
+	MountOptions []string `json:"mountOptions,omitempty"`
+	// allowVolumeExpansion shows whether the storage class allow volume expand
+	AllowVolumeExpansion *bool `json:"allowVolumeExpansion,omitempty"`
+	// volumeBindingMode indicates how PersistentVolumeClaims should be
+	// provisioned and bound.  When unset, VolumeBindingImmediate is used.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	VolumeBindingMode *storagev1beta1.VolumeBindingMode `json:"volumeBindingMode,omitempty"`
+	// allowedTopologies restrict the node topologies where volumes can be dynamically provisioned.
+	// Each volume plugin defines its own supported topology specifications.
+	// An empty TopologySelectorTerm list means there is no topology restriction.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	AllowedTopologies []applyconfigurationscorev1.TopologySelectorTermApplyConfiguration `json:"allowedTopologies,omitempty"`
 }
 
 // StorageClass constructs a declarative configuration of the StorageClass type for use with
@@ -53,29 +77,14 @@ func StorageClass(name string) *StorageClassApplyConfiguration {
 	return b
 }
 
-// ExtractStorageClass extracts the applied configuration owned by fieldManager from
-// storageClass. If no managedFields are found in storageClass for fieldManager, a
-// StorageClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractStorageClassFrom extracts the applied configuration owned by fieldManager from
+// storageClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // storageClass must be a unmodified StorageClass API object that was retrieved from the Kubernetes API.
-// ExtractStorageClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractStorageClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStorageClass(storageClass *storagev1beta1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
-	return extractStorageClass(storageClass, fieldManager, "")
-}
-
-// ExtractStorageClassStatus is the same as ExtractStorageClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStorageClassStatus(storageClass *storagev1beta1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
-	return extractStorageClass(storageClass, fieldManager, "status")
-}
-
-func extractStorageClass(storageClass *storagev1beta1.StorageClass, fieldManager string, subresource string) (*StorageClassApplyConfiguration, error) {
+func ExtractStorageClassFrom(storageClass *storagev1beta1.StorageClass, fieldManager string, subresource string) (*StorageClassApplyConfiguration, error) {
 	b := &StorageClassApplyConfiguration{}
 	err := managedfields.ExtractInto(storageClass, internal.Parser().Type("io.k8s.api.storage.v1beta1.StorageClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -87,6 +96,21 @@ func extractStorageClass(storageClass *storagev1beta1.StorageClass, fieldManager
 	b.WithAPIVersion("storage.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractStorageClass extracts the applied configuration owned by fieldManager from
+// storageClass. If no managedFields are found in storageClass for fieldManager, a
+// StorageClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// storageClass must be a unmodified StorageClass API object that was retrieved from the Kubernetes API.
+// ExtractStorageClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageClass(storageClass *storagev1beta1.StorageClass, fieldManager string) (*StorageClassApplyConfiguration, error) {
+	return ExtractStorageClassFrom(storageClass, fieldManager, "")
+}
+
 func (b StorageClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/tokenrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/tokenrequest.go
index e0f2df28e03a8..6a8946e1bcd41 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/tokenrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/tokenrequest.go
@@ -20,9 +20,15 @@ package v1beta1
 
 // TokenRequestApplyConfiguration represents a declarative configuration of the TokenRequest type for use
 // with apply.
+//
+// TokenRequest contains parameters of a service account token.
 type TokenRequestApplyConfiguration struct {
-	Audience          *string `json:"audience,omitempty"`
-	ExpirationSeconds *int64  `json:"expirationSeconds,omitempty"`
+	// audience is the intended audience of the token in "TokenRequestSpec".
+	// It will default to the audiences of kube apiserver.
+	Audience *string `json:"audience,omitempty"`
+	// expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
+	// It has the same default value of "ExpirationSeconds" in "TokenRequestSpec"
+	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
 }
 
 // TokenRequestApplyConfiguration constructs a declarative configuration of the TokenRequest type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachment.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachment.go
index 9e7fce4c4b208..da938bd301e61 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachment.go
@@ -29,11 +29,23 @@ import (
 
 // VolumeAttachmentApplyConfiguration represents a declarative configuration of the VolumeAttachment type for use
 // with apply.
+//
+// VolumeAttachment captures the intent to attach or detach the specified volume
+// to/from the specified node.
+//
+// VolumeAttachment objects are non-namespaced.
 type VolumeAttachmentApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *VolumeAttachmentSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
+	// spec represents specification of the desired attach/detach volume behavior.
+	// Populated by the Kubernetes system.
+	Spec *VolumeAttachmentSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents status of the VolumeAttachment request.
+	// Populated by the entity completing the attach or detach
+	// operation, i.e. the external-attacher.
+	Status *VolumeAttachmentStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // VolumeAttachment constructs a declarative configuration of the VolumeAttachment type for use with
@@ -46,6 +58,26 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 	return b
 }
 
+// ExtractVolumeAttachmentFrom extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// volumeAttachment must be a unmodified VolumeAttachment API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttachmentFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttachmentFrom(volumeAttachment *storagev1beta1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
+	b := &VolumeAttachmentApplyConfiguration{}
+	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1beta1.VolumeAttachment"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(volumeAttachment.Name)
+
+	b.WithKind("VolumeAttachment")
+	b.WithAPIVersion("storage.k8s.io/v1beta1")
+	return b, nil
+}
+
 // ExtractVolumeAttachment extracts the applied configuration owned by fieldManager from
 // volumeAttachment. If no managedFields are found in volumeAttachment for fieldManager, a
 // VolumeAttachmentApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -56,30 +88,16 @@ func VolumeAttachment(name string) *VolumeAttachmentApplyConfiguration {
 // ExtractVolumeAttachment provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractVolumeAttachment(volumeAttachment *storagev1beta1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "")
 }
 
-// ExtractVolumeAttachmentStatus is the same as ExtractVolumeAttachment except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractVolumeAttachmentStatus extracts the applied configuration owned by fieldManager from
+// volumeAttachment for the status subresource.
 func ExtractVolumeAttachmentStatus(volumeAttachment *storagev1beta1.VolumeAttachment, fieldManager string) (*VolumeAttachmentApplyConfiguration, error) {
-	return extractVolumeAttachment(volumeAttachment, fieldManager, "status")
+	return ExtractVolumeAttachmentFrom(volumeAttachment, fieldManager, "status")
 }
 
-func extractVolumeAttachment(volumeAttachment *storagev1beta1.VolumeAttachment, fieldManager string, subresource string) (*VolumeAttachmentApplyConfiguration, error) {
-	b := &VolumeAttachmentApplyConfiguration{}
-	err := managedfields.ExtractInto(volumeAttachment, internal.Parser().Type("io.k8s.api.storage.v1beta1.VolumeAttachment"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(volumeAttachment.Name)
-
-	b.WithKind("VolumeAttachment")
-	b.WithAPIVersion("storage.k8s.io/v1beta1")
-	return b, nil
-}
 func (b VolumeAttachmentApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentsource.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentsource.go
index b08dd3148b8b0..5fcf33c85613d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentsource.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentsource.go
@@ -24,9 +24,21 @@ import (
 
 // VolumeAttachmentSourceApplyConfiguration represents a declarative configuration of the VolumeAttachmentSource type for use
 // with apply.
+//
+// VolumeAttachmentSource represents a volume that should be attached.
+// Right now only PersistentVolumes can be attached via external attacher,
+// in the future we may allow also inline volumes in pods.
+// Exactly one member can be set.
 type VolumeAttachmentSourceApplyConfiguration struct {
-	PersistentVolumeName *string                                    `json:"persistentVolumeName,omitempty"`
-	InlineVolumeSpec     *v1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
+	// persistentVolumeName represents the name of the persistent volume to attach.
+	PersistentVolumeName *string `json:"persistentVolumeName,omitempty"`
+	// inlineVolumeSpec contains all the information necessary to attach
+	// a persistent volume defined by a pod's inline VolumeSource. This field
+	// is populated only for the CSIMigration feature. It contains
+	// translated fields from a pod's inline VolumeSource to a
+	// PersistentVolumeSpec. This field is beta-level and is only
+	// honored by servers that enabled the CSIMigration feature.
+	InlineVolumeSpec *v1.PersistentVolumeSpecApplyConfiguration `json:"inlineVolumeSpec,omitempty"`
 }
 
 // VolumeAttachmentSourceApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSource type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentspec.go
index 3bdaeb45d72b4..f018c2a758039 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentspec.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentspec.go
@@ -20,10 +20,16 @@ package v1beta1
 
 // VolumeAttachmentSpecApplyConfiguration represents a declarative configuration of the VolumeAttachmentSpec type for use
 // with apply.
+//
+// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
 type VolumeAttachmentSpecApplyConfiguration struct {
-	Attacher *string                                   `json:"attacher,omitempty"`
-	Source   *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
-	NodeName *string                                   `json:"nodeName,omitempty"`
+	// attacher indicates the name of the volume driver that MUST handle this
+	// request. This is the name returned by GetPluginName().
+	Attacher *string `json:"attacher,omitempty"`
+	// source represents the volume that should be attached.
+	Source *VolumeAttachmentSourceApplyConfiguration `json:"source,omitempty"`
+	// nodeName represents the node that the volume should be attached to.
+	NodeName *string `json:"nodeName,omitempty"`
 }
 
 // VolumeAttachmentSpecApplyConfiguration constructs a declarative configuration of the VolumeAttachmentSpec type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentstatus.go
index f7046cdb35fd0..a8ef137e5ea5d 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattachmentstatus.go
@@ -20,11 +20,27 @@ package v1beta1
 
 // VolumeAttachmentStatusApplyConfiguration represents a declarative configuration of the VolumeAttachmentStatus type for use
 // with apply.
+//
+// VolumeAttachmentStatus is the status of a VolumeAttachment request.
 type VolumeAttachmentStatusApplyConfiguration struct {
-	Attached           *bool                          `json:"attached,omitempty"`
-	AttachmentMetadata map[string]string              `json:"attachmentMetadata,omitempty"`
-	AttachError        *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
-	DetachError        *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
+	// attached indicates the volume is successfully attached.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	Attached *bool `json:"attached,omitempty"`
+	// attachmentMetadata is populated with any
+	// information returned by the attach operation, upon successful attach, that must be passed
+	// into subsequent WaitForAttach or Mount calls.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachmentMetadata map[string]string `json:"attachmentMetadata,omitempty"`
+	// attachError represents the last error encountered during attach operation, if any.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	AttachError *VolumeErrorApplyConfiguration `json:"attachError,omitempty"`
+	// detachError represents the last error encountered during detach operation, if any.
+	// This field must only be set by the entity completing the detach
+	// operation, i.e. the external-attacher.
+	DetachError *VolumeErrorApplyConfiguration `json:"detachError,omitempty"`
 }
 
 // VolumeAttachmentStatusApplyConfiguration constructs a declarative configuration of the VolumeAttachmentStatus type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattributesclass.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattributesclass.go
index 7def1435ee8b6..7d04a86c84da4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeattributesclass.go
@@ -29,11 +29,32 @@ import (
 
 // VolumeAttributesClassApplyConfiguration represents a declarative configuration of the VolumeAttributesClass type for use
 // with apply.
+//
+// VolumeAttributesClass represents a specification of mutable volume attributes
+// defined by the CSI driver. The class can be specified during dynamic provisioning
+// of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning.
 type VolumeAttributesClassApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DriverName                       *string           `json:"driverName,omitempty"`
-	Parameters                       map[string]string `json:"parameters,omitempty"`
+	// Name of the CSI driver
+	// This field is immutable.
+	DriverName *string `json:"driverName,omitempty"`
+	// parameters hold volume attributes defined by the CSI driver. These values
+	// are opaque to the Kubernetes and are passed directly to the CSI driver.
+	// The underlying storage provider supports changing these attributes on an
+	// existing volume, however the parameters field itself is immutable. To
+	// invoke a volume update, a new VolumeAttributesClass should be created with
+	// new parameters, and the PersistentVolumeClaim should be updated to reference
+	// the new VolumeAttributesClass.
+	//
+	// This field is required and must contain at least one key/value pair.
+	// The keys cannot be empty, and the maximum number of parameters is 512, with
+	// a cumulative max size of 256K. If the CSI driver rejects invalid parameters,
+	// the target PersistentVolumeClaim will be set to an "Infeasible" state in the
+	// modifyVolumeStatus field.
+	Parameters map[string]string `json:"parameters,omitempty"`
 }
 
 // VolumeAttributesClass constructs a declarative configuration of the VolumeAttributesClass type for use with
@@ -46,29 +67,14 @@ func VolumeAttributesClass(name string) *VolumeAttributesClassApplyConfiguration
 	return b
 }
 
-// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
-// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
-// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractVolumeAttributesClassFrom extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
-// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractVolumeAttributesClassFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1beta1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "")
-}
-
-// ExtractVolumeAttributesClassStatus is the same as ExtractVolumeAttributesClass except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractVolumeAttributesClassStatus(volumeAttributesClass *storagev1beta1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
-	return extractVolumeAttributesClass(volumeAttributesClass, fieldManager, "status")
-}
-
-func extractVolumeAttributesClass(volumeAttributesClass *storagev1beta1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
+func ExtractVolumeAttributesClassFrom(volumeAttributesClass *storagev1beta1.VolumeAttributesClass, fieldManager string, subresource string) (*VolumeAttributesClassApplyConfiguration, error) {
 	b := &VolumeAttributesClassApplyConfiguration{}
 	err := managedfields.ExtractInto(volumeAttributesClass, internal.Parser().Type("io.k8s.api.storage.v1beta1.VolumeAttributesClass"), fieldManager, b, subresource)
 	if err != nil {
@@ -80,6 +86,21 @@ func extractVolumeAttributesClass(volumeAttributesClass *storagev1beta1.VolumeAt
 	b.WithAPIVersion("storage.k8s.io/v1beta1")
 	return b, nil
 }
+
+// ExtractVolumeAttributesClass extracts the applied configuration owned by fieldManager from
+// volumeAttributesClass. If no managedFields are found in volumeAttributesClass for fieldManager, a
+// VolumeAttributesClassApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// volumeAttributesClass must be a unmodified VolumeAttributesClass API object that was retrieved from the Kubernetes API.
+// ExtractVolumeAttributesClass provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractVolumeAttributesClass(volumeAttributesClass *storagev1beta1.VolumeAttributesClass, fieldManager string) (*VolumeAttributesClassApplyConfiguration, error) {
+	return ExtractVolumeAttributesClassFrom(volumeAttributesClass, fieldManager, "")
+}
+
 func (b VolumeAttributesClassApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeerror.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeerror.go
index 015bcd86d503d..e3dca51b0bcef 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeerror.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumeerror.go
@@ -24,10 +24,19 @@ import (
 
 // VolumeErrorApplyConfiguration represents a declarative configuration of the VolumeError type for use
 // with apply.
+//
+// VolumeError captures an error encountered during a volume operation.
 type VolumeErrorApplyConfiguration struct {
-	Time      *v1.Time `json:"time,omitempty"`
-	Message   *string  `json:"message,omitempty"`
-	ErrorCode *int32   `json:"errorCode,omitempty"`
+	// time represents the time the error was encountered.
+	Time *v1.Time `json:"time,omitempty"`
+	// message represents the error encountered during Attach or Detach operation.
+	// This string may be logged, so it should not contain sensitive
+	// information.
+	Message *string `json:"message,omitempty"`
+	// errorCode is a numeric gRPC code representing the error encountered during Attach or Detach operations.
+	//
+	// This is an optional, beta field that requires the MutableCSINodeAllocatableCount feature gate being enabled to be set.
+	ErrorCode *int32 `json:"errorCode,omitempty"`
 }
 
 // VolumeErrorApplyConfiguration constructs a declarative configuration of the VolumeError type for use with
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumenoderesources.go b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumenoderesources.go
index b42c9decc0283..92522236f901e 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumenoderesources.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storage/v1beta1/volumenoderesources.go
@@ -20,7 +20,13 @@ package v1beta1
 
 // VolumeNodeResourcesApplyConfiguration represents a declarative configuration of the VolumeNodeResources type for use
 // with apply.
+//
+// VolumeNodeResources is a set of resource limits for scheduling of volumes.
 type VolumeNodeResourcesApplyConfiguration struct {
+	// count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node.
+	// A volume that is both attached and mounted on a node is considered to be used once, not twice.
+	// The same rule applies for a unique volume that is shared among multiple pods on the same node.
+	// If this field is nil, then the supported number of volumes on this node is unbounded.
 	Count *int32 `json:"count,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/groupversionresource.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/groupversionresource.go
deleted file mode 100644
index c8f9f009a50c4..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/groupversionresource.go
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// GroupVersionResourceApplyConfiguration represents a declarative configuration of the GroupVersionResource type for use
-// with apply.
-type GroupVersionResourceApplyConfiguration struct {
-	Group    *string `json:"group,omitempty"`
-	Version  *string `json:"version,omitempty"`
-	Resource *string `json:"resource,omitempty"`
-}
-
-// GroupVersionResourceApplyConfiguration constructs a declarative configuration of the GroupVersionResource type for use with
-// apply.
-func GroupVersionResource() *GroupVersionResourceApplyConfiguration {
-	return &GroupVersionResourceApplyConfiguration{}
-}
-
-// WithGroup sets the Group field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Group field is set to the value of the last call.
-func (b *GroupVersionResourceApplyConfiguration) WithGroup(value string) *GroupVersionResourceApplyConfiguration {
-	b.Group = &value
-	return b
-}
-
-// WithVersion sets the Version field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Version field is set to the value of the last call.
-func (b *GroupVersionResourceApplyConfiguration) WithVersion(value string) *GroupVersionResourceApplyConfiguration {
-	b.Version = &value
-	return b
-}
-
-// WithResource sets the Resource field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Resource field is set to the value of the last call.
-func (b *GroupVersionResourceApplyConfiguration) WithResource(value string) *GroupVersionResourceApplyConfiguration {
-	b.Resource = &value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/migrationcondition.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/migrationcondition.go
deleted file mode 100644
index 5ffd572eedc12..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/migrationcondition.go
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	v1 "k8s.io/api/core/v1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// MigrationConditionApplyConfiguration represents a declarative configuration of the MigrationCondition type for use
-// with apply.
-type MigrationConditionApplyConfiguration struct {
-	Type           *storagemigrationv1alpha1.MigrationConditionType `json:"type,omitempty"`
-	Status         *v1.ConditionStatus                              `json:"status,omitempty"`
-	LastUpdateTime *metav1.Time                                     `json:"lastUpdateTime,omitempty"`
-	Reason         *string                                          `json:"reason,omitempty"`
-	Message        *string                                          `json:"message,omitempty"`
-}
-
-// MigrationConditionApplyConfiguration constructs a declarative configuration of the MigrationCondition type for use with
-// apply.
-func MigrationCondition() *MigrationConditionApplyConfiguration {
-	return &MigrationConditionApplyConfiguration{}
-}
-
-// WithType sets the Type field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Type field is set to the value of the last call.
-func (b *MigrationConditionApplyConfiguration) WithType(value storagemigrationv1alpha1.MigrationConditionType) *MigrationConditionApplyConfiguration {
-	b.Type = &value
-	return b
-}
-
-// WithStatus sets the Status field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Status field is set to the value of the last call.
-func (b *MigrationConditionApplyConfiguration) WithStatus(value v1.ConditionStatus) *MigrationConditionApplyConfiguration {
-	b.Status = &value
-	return b
-}
-
-// WithLastUpdateTime sets the LastUpdateTime field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the LastUpdateTime field is set to the value of the last call.
-func (b *MigrationConditionApplyConfiguration) WithLastUpdateTime(value metav1.Time) *MigrationConditionApplyConfiguration {
-	b.LastUpdateTime = &value
-	return b
-}
-
-// WithReason sets the Reason field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Reason field is set to the value of the last call.
-func (b *MigrationConditionApplyConfiguration) WithReason(value string) *MigrationConditionApplyConfiguration {
-	b.Reason = &value
-	return b
-}
-
-// WithMessage sets the Message field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Message field is set to the value of the last call.
-func (b *MigrationConditionApplyConfiguration) WithMessage(value string) *MigrationConditionApplyConfiguration {
-	b.Message = &value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigration.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigration.go
deleted file mode 100644
index e7963d5591f7f..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigration.go
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
-	internal "k8s.io/client-go/applyconfigurations/internal"
-	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
-)
-
-// StorageVersionMigrationApplyConfiguration represents a declarative configuration of the StorageVersionMigration type for use
-// with apply.
-type StorageVersionMigrationApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
-	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *StorageVersionMigrationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *StorageVersionMigrationStatusApplyConfiguration `json:"status,omitempty"`
-}
-
-// StorageVersionMigration constructs a declarative configuration of the StorageVersionMigration type for use with
-// apply.
-func StorageVersionMigration(name string) *StorageVersionMigrationApplyConfiguration {
-	b := &StorageVersionMigrationApplyConfiguration{}
-	b.WithName(name)
-	b.WithKind("StorageVersionMigration")
-	b.WithAPIVersion("storagemigration.k8s.io/v1alpha1")
-	return b
-}
-
-// ExtractStorageVersionMigration extracts the applied configuration owned by fieldManager from
-// storageVersionMigration. If no managedFields are found in storageVersionMigration for fieldManager, a
-// StorageVersionMigrationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
-// storageVersionMigration must be a unmodified StorageVersionMigration API object that was retrieved from the Kubernetes API.
-// ExtractStorageVersionMigration provides a way to perform a extract/modify-in-place/apply workflow.
-// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
-// applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractStorageVersionMigration(storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, fieldManager string) (*StorageVersionMigrationApplyConfiguration, error) {
-	return extractStorageVersionMigration(storageVersionMigration, fieldManager, "")
-}
-
-// ExtractStorageVersionMigrationStatus is the same as ExtractStorageVersionMigration except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractStorageVersionMigrationStatus(storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, fieldManager string) (*StorageVersionMigrationApplyConfiguration, error) {
-	return extractStorageVersionMigration(storageVersionMigration, fieldManager, "status")
-}
-
-func extractStorageVersionMigration(storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, fieldManager string, subresource string) (*StorageVersionMigrationApplyConfiguration, error) {
-	b := &StorageVersionMigrationApplyConfiguration{}
-	err := managedfields.ExtractInto(storageVersionMigration, internal.Parser().Type("io.k8s.api.storagemigration.v1alpha1.StorageVersionMigration"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(storageVersionMigration.Name)
-
-	b.WithKind("StorageVersionMigration")
-	b.WithAPIVersion("storagemigration.k8s.io/v1alpha1")
-	return b, nil
-}
-func (b StorageVersionMigrationApplyConfiguration) IsApplyConfiguration() {}
-
-// WithKind sets the Kind field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Kind field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithKind(value string) *StorageVersionMigrationApplyConfiguration {
-	b.TypeMetaApplyConfiguration.Kind = &value
-	return b
-}
-
-// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the APIVersion field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithAPIVersion(value string) *StorageVersionMigrationApplyConfiguration {
-	b.TypeMetaApplyConfiguration.APIVersion = &value
-	return b
-}
-
-// WithName sets the Name field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Name field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithName(value string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Name = &value
-	return b
-}
-
-// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the GenerateName field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithGenerateName(value string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.GenerateName = &value
-	return b
-}
-
-// WithNamespace sets the Namespace field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Namespace field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithNamespace(value string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Namespace = &value
-	return b
-}
-
-// WithUID sets the UID field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the UID field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithUID(value types.UID) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.UID = &value
-	return b
-}
-
-// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the ResourceVersion field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithResourceVersion(value string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
-	return b
-}
-
-// WithGeneration sets the Generation field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Generation field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithGeneration(value int64) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.Generation = &value
-	return b
-}
-
-// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the CreationTimestamp field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithCreationTimestamp(value metav1.Time) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
-	return b
-}
-
-// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
-	return b
-}
-
-// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
-	return b
-}
-
-// WithLabels puts the entries into the Labels field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, the entries provided by each call will be put on the Labels field,
-// overwriting an existing map entries in Labels field with the same key.
-func (b *StorageVersionMigrationApplyConfiguration) WithLabels(entries map[string]string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
-		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
-	}
-	for k, v := range entries {
-		b.ObjectMetaApplyConfiguration.Labels[k] = v
-	}
-	return b
-}
-
-// WithAnnotations puts the entries into the Annotations field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, the entries provided by each call will be put on the Annotations field,
-// overwriting an existing map entries in Annotations field with the same key.
-func (b *StorageVersionMigrationApplyConfiguration) WithAnnotations(entries map[string]string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
-		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
-	}
-	for k, v := range entries {
-		b.ObjectMetaApplyConfiguration.Annotations[k] = v
-	}
-	return b
-}
-
-// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
-func (b *StorageVersionMigrationApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	for i := range values {
-		if values[i] == nil {
-			panic("nil value passed to WithOwnerReferences")
-		}
-		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
-	}
-	return b
-}
-
-// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the Finalizers field.
-func (b *StorageVersionMigrationApplyConfiguration) WithFinalizers(values ...string) *StorageVersionMigrationApplyConfiguration {
-	b.ensureObjectMetaApplyConfigurationExists()
-	for i := range values {
-		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
-	}
-	return b
-}
-
-func (b *StorageVersionMigrationApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
-	if b.ObjectMetaApplyConfiguration == nil {
-		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
-	}
-}
-
-// WithSpec sets the Spec field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Spec field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithSpec(value *StorageVersionMigrationSpecApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
-	b.Spec = value
-	return b
-}
-
-// WithStatus sets the Status field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Status field is set to the value of the last call.
-func (b *StorageVersionMigrationApplyConfiguration) WithStatus(value *StorageVersionMigrationStatusApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
-	b.Status = value
-	return b
-}
-
-// GetKind retrieves the value of the Kind field in the declarative configuration.
-func (b *StorageVersionMigrationApplyConfiguration) GetKind() *string {
-	return b.TypeMetaApplyConfiguration.Kind
-}
-
-// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
-func (b *StorageVersionMigrationApplyConfiguration) GetAPIVersion() *string {
-	return b.TypeMetaApplyConfiguration.APIVersion
-}
-
-// GetName retrieves the value of the Name field in the declarative configuration.
-func (b *StorageVersionMigrationApplyConfiguration) GetName() *string {
-	b.ensureObjectMetaApplyConfigurationExists()
-	return b.ObjectMetaApplyConfiguration.Name
-}
-
-// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
-func (b *StorageVersionMigrationApplyConfiguration) GetNamespace() *string {
-	b.ensureObjectMetaApplyConfigurationExists()
-	return b.ObjectMetaApplyConfiguration.Namespace
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationspec.go
deleted file mode 100644
index 02ddb540f87a0..0000000000000
--- a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationspec.go
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// StorageVersionMigrationSpecApplyConfiguration represents a declarative configuration of the StorageVersionMigrationSpec type for use
-// with apply.
-type StorageVersionMigrationSpecApplyConfiguration struct {
-	Resource      *GroupVersionResourceApplyConfiguration `json:"resource,omitempty"`
-	ContinueToken *string                                 `json:"continueToken,omitempty"`
-}
-
-// StorageVersionMigrationSpecApplyConfiguration constructs a declarative configuration of the StorageVersionMigrationSpec type for use with
-// apply.
-func StorageVersionMigrationSpec() *StorageVersionMigrationSpecApplyConfiguration {
-	return &StorageVersionMigrationSpecApplyConfiguration{}
-}
-
-// WithResource sets the Resource field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the Resource field is set to the value of the last call.
-func (b *StorageVersionMigrationSpecApplyConfiguration) WithResource(value *GroupVersionResourceApplyConfiguration) *StorageVersionMigrationSpecApplyConfiguration {
-	b.Resource = value
-	return b
-}
-
-// WithContinueToken sets the ContinueToken field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the ContinueToken field is set to the value of the last call.
-func (b *StorageVersionMigrationSpecApplyConfiguration) WithContinueToken(value string) *StorageVersionMigrationSpecApplyConfiguration {
-	b.ContinueToken = &value
-	return b
-}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigration.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigration.go
new file mode 100644
index 0000000000000..e52fa5d813335
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigration.go
@@ -0,0 +1,292 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// StorageVersionMigrationApplyConfiguration represents a declarative configuration of the StorageVersionMigration type for use
+// with apply.
+//
+// StorageVersionMigration represents a migration of stored data to the latest
+// storage version.
+type StorageVersionMigrationApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// Specification of the migration.
+	Spec *StorageVersionMigrationSpecApplyConfiguration `json:"spec,omitempty"`
+	// Status of the migration.
+	Status *StorageVersionMigrationStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// StorageVersionMigration constructs a declarative configuration of the StorageVersionMigration type for use with
+// apply.
+func StorageVersionMigration(name string) *StorageVersionMigrationApplyConfiguration {
+	b := &StorageVersionMigrationApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("StorageVersionMigration")
+	b.WithAPIVersion("storagemigration.k8s.io/v1beta1")
+	return b
+}
+
+// ExtractStorageVersionMigrationFrom extracts the applied configuration owned by fieldManager from
+// storageVersionMigration for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// storageVersionMigration must be a unmodified StorageVersionMigration API object that was retrieved from the Kubernetes API.
+// ExtractStorageVersionMigrationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageVersionMigrationFrom(storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, fieldManager string, subresource string) (*StorageVersionMigrationApplyConfiguration, error) {
+	b := &StorageVersionMigrationApplyConfiguration{}
+	err := managedfields.ExtractInto(storageVersionMigration, internal.Parser().Type("io.k8s.api.storagemigration.v1beta1.StorageVersionMigration"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(storageVersionMigration.Name)
+
+	b.WithKind("StorageVersionMigration")
+	b.WithAPIVersion("storagemigration.k8s.io/v1beta1")
+	return b, nil
+}
+
+// ExtractStorageVersionMigration extracts the applied configuration owned by fieldManager from
+// storageVersionMigration. If no managedFields are found in storageVersionMigration for fieldManager, a
+// StorageVersionMigrationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// storageVersionMigration must be a unmodified StorageVersionMigration API object that was retrieved from the Kubernetes API.
+// ExtractStorageVersionMigration provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractStorageVersionMigration(storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, fieldManager string) (*StorageVersionMigrationApplyConfiguration, error) {
+	return ExtractStorageVersionMigrationFrom(storageVersionMigration, fieldManager, "")
+}
+
+// ExtractStorageVersionMigrationStatus extracts the applied configuration owned by fieldManager from
+// storageVersionMigration for the status subresource.
+func ExtractStorageVersionMigrationStatus(storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, fieldManager string) (*StorageVersionMigrationApplyConfiguration, error) {
+	return ExtractStorageVersionMigrationFrom(storageVersionMigration, fieldManager, "status")
+}
+
+func (b StorageVersionMigrationApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithKind(value string) *StorageVersionMigrationApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithAPIVersion(value string) *StorageVersionMigrationApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithName(value string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithGenerateName(value string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithNamespace(value string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithUID(value types.UID) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithResourceVersion(value string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithGeneration(value int64) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithCreationTimestamp(value metav1.Time) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *StorageVersionMigrationApplyConfiguration) WithLabels(entries map[string]string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *StorageVersionMigrationApplyConfiguration) WithAnnotations(entries map[string]string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *StorageVersionMigrationApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *StorageVersionMigrationApplyConfiguration) WithFinalizers(values ...string) *StorageVersionMigrationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *StorageVersionMigrationApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithSpec(value *StorageVersionMigrationSpecApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *StorageVersionMigrationApplyConfiguration) WithStatus(value *StorageVersionMigrationStatusApplyConfiguration) *StorageVersionMigrationApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *StorageVersionMigrationApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *StorageVersionMigrationApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *StorageVersionMigrationApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *StorageVersionMigrationApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationspec.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationspec.go
new file mode 100644
index 0000000000000..57e013d643a70
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationspec.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// StorageVersionMigrationSpecApplyConfiguration represents a declarative configuration of the StorageVersionMigrationSpec type for use
+// with apply.
+//
+// Spec of the storage version migration.
+type StorageVersionMigrationSpecApplyConfiguration struct {
+	// The resource that is being migrated. The migrator sends requests to
+	// the endpoint serving the resource.
+	// Immutable.
+	Resource *v1.GroupResourceApplyConfiguration `json:"resource,omitempty"`
+}
+
+// StorageVersionMigrationSpecApplyConfiguration constructs a declarative configuration of the StorageVersionMigrationSpec type for use with
+// apply.
+func StorageVersionMigrationSpec() *StorageVersionMigrationSpecApplyConfiguration {
+	return &StorageVersionMigrationSpecApplyConfiguration{}
+}
+
+// WithResource sets the Resource field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resource field is set to the value of the last call.
+func (b *StorageVersionMigrationSpecApplyConfiguration) WithResource(value *v1.GroupResourceApplyConfiguration) *StorageVersionMigrationSpecApplyConfiguration {
+	b.Resource = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationstatus.go b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationstatus.go
similarity index 76%
rename from staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationstatus.go
rename to staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationstatus.go
index fc957cb15cc44..65f4ca7228198 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1/storageversionmigrationstatus.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/storagemigration/v1beta1/storageversionmigrationstatus.go
@@ -16,13 +16,23 @@ limitations under the License.
 
 // Code generated by applyconfiguration-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
 
 // StorageVersionMigrationStatusApplyConfiguration represents a declarative configuration of the StorageVersionMigrationStatus type for use
 // with apply.
+//
+// Status of the storage version migration.
 type StorageVersionMigrationStatusApplyConfiguration struct {
-	Conditions      []MigrationConditionApplyConfiguration `json:"conditions,omitempty"`
-	ResourceVersion *string                                `json:"resourceVersion,omitempty"`
+	// The latest available observations of the migration's current state.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// ResourceVersion to compare with the GC cache for performing the migration.
+	// This is the current resource version of given group, version and resource when
+	// kube-controller-manager first observes this StorageVersionMigration resource.
+	ResourceVersion *string `json:"resourceVersion,omitempty"`
 }
 
 // StorageVersionMigrationStatusApplyConfiguration constructs a declarative configuration of the StorageVersionMigrationStatus type for use with
@@ -34,7 +44,7 @@ func StorageVersionMigrationStatus() *StorageVersionMigrationStatusApplyConfigur
 // WithConditions adds the given value to the Conditions field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the Conditions field.
-func (b *StorageVersionMigrationStatusApplyConfiguration) WithConditions(values ...*MigrationConditionApplyConfiguration) *StorageVersionMigrationStatusApplyConfiguration {
+func (b *StorageVersionMigrationStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *StorageVersionMigrationStatusApplyConfiguration {
 	for i := range values {
 		if values[i] == nil {
 			panic("nil value passed to WithConditions")
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/utils.go b/staging/src/k8s.io/client-go/applyconfigurations/utils.go
index af4346689fc52..ef6f16e83b998 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/utils.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/utils.go
@@ -69,7 +69,7 @@ import (
 	storagev1 "k8s.io/api/storage/v1"
 	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -126,7 +126,7 @@ import (
 	applyconfigurationsstoragev1 "k8s.io/client-go/applyconfigurations/storage/v1"
 	applyconfigurationsstoragev1alpha1 "k8s.io/client-go/applyconfigurations/storage/v1alpha1"
 	applyconfigurationsstoragev1beta1 "k8s.io/client-go/applyconfigurations/storage/v1beta1"
-	applyconfigurationsstoragemigrationv1alpha1 "k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1"
+	applyconfigurationsstoragemigrationv1beta1 "k8s.io/client-go/applyconfigurations/storagemigration/v1beta1"
 )
 
 // ForKind returns an apply configuration type for the given GroupVersionKind, or nil if no
@@ -630,12 +630,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationscertificatesv1alpha1.ClusterTrustBundleApplyConfiguration{}
 	case certificatesv1alpha1.SchemeGroupVersion.WithKind("ClusterTrustBundleSpec"):
 		return &applyconfigurationscertificatesv1alpha1.ClusterTrustBundleSpecApplyConfiguration{}
-	case certificatesv1alpha1.SchemeGroupVersion.WithKind("PodCertificateRequest"):
-		return &applyconfigurationscertificatesv1alpha1.PodCertificateRequestApplyConfiguration{}
-	case certificatesv1alpha1.SchemeGroupVersion.WithKind("PodCertificateRequestSpec"):
-		return &applyconfigurationscertificatesv1alpha1.PodCertificateRequestSpecApplyConfiguration{}
-	case certificatesv1alpha1.SchemeGroupVersion.WithKind("PodCertificateRequestStatus"):
-		return &applyconfigurationscertificatesv1alpha1.PodCertificateRequestStatusApplyConfiguration{}
 
 		// Group=certificates.k8s.io, Version=v1beta1
 	case certificatesv1beta1.SchemeGroupVersion.WithKind("CertificateSigningRequest"):
@@ -650,6 +644,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationscertificatesv1beta1.ClusterTrustBundleApplyConfiguration{}
 	case certificatesv1beta1.SchemeGroupVersion.WithKind("ClusterTrustBundleSpec"):
 		return &applyconfigurationscertificatesv1beta1.ClusterTrustBundleSpecApplyConfiguration{}
+	case certificatesv1beta1.SchemeGroupVersion.WithKind("PodCertificateRequest"):
+		return &applyconfigurationscertificatesv1beta1.PodCertificateRequestApplyConfiguration{}
+	case certificatesv1beta1.SchemeGroupVersion.WithKind("PodCertificateRequestSpec"):
+		return &applyconfigurationscertificatesv1beta1.PodCertificateRequestSpecApplyConfiguration{}
+	case certificatesv1beta1.SchemeGroupVersion.WithKind("PodCertificateRequestStatus"):
+		return &applyconfigurationscertificatesv1beta1.PodCertificateRequestStatusApplyConfiguration{}
 
 		// Group=coordination.k8s.io, Version=v1
 	case coordinationv1.SchemeGroupVersion.WithKind("Lease"):
@@ -1084,6 +1084,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationscorev1.WeightedPodAffinityTermApplyConfiguration{}
 	case corev1.SchemeGroupVersion.WithKind("WindowsSecurityContextOptions"):
 		return &applyconfigurationscorev1.WindowsSecurityContextOptionsApplyConfiguration{}
+	case corev1.SchemeGroupVersion.WithKind("WorkloadReference"):
+		return &applyconfigurationscorev1.WorkloadReferenceApplyConfiguration{}
 
 		// Group=discovery.k8s.io, Version=v1
 	case discoveryv1.SchemeGroupVersion.WithKind("Endpoint"):
@@ -1406,6 +1408,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationsmetav1.ConditionApplyConfiguration{}
 	case metav1.SchemeGroupVersion.WithKind("DeleteOptions"):
 		return &applyconfigurationsmetav1.DeleteOptionsApplyConfiguration{}
+	case metav1.SchemeGroupVersion.WithKind("GroupResource"):
+		return &applyconfigurationsmetav1.GroupResourceApplyConfiguration{}
 	case metav1.SchemeGroupVersion.WithKind("LabelSelector"):
 		return &applyconfigurationsmetav1.LabelSelectorApplyConfiguration{}
 	case metav1.SchemeGroupVersion.WithKind("LabelSelectorRequirement"):
@@ -1708,16 +1712,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationsresourcev1.ResourceSliceSpecApplyConfiguration{}
 
 		// Group=resource.k8s.io, Version=v1alpha3
-	case v1alpha3.SchemeGroupVersion.WithKind("CELDeviceSelector"):
-		return &resourcev1alpha3.CELDeviceSelectorApplyConfiguration{}
-	case v1alpha3.SchemeGroupVersion.WithKind("DeviceSelector"):
-		return &resourcev1alpha3.DeviceSelectorApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaint"):
 		return &resourcev1alpha3.DeviceTaintApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRule"):
 		return &resourcev1alpha3.DeviceTaintRuleApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRuleSpec"):
 		return &resourcev1alpha3.DeviceTaintRuleSpecApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRuleStatus"):
+		return &resourcev1alpha3.DeviceTaintRuleStatusApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintSelector"):
 		return &resourcev1alpha3.DeviceTaintSelectorApplyConfiguration{}
 
@@ -1886,8 +1888,20 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationsschedulingv1.PriorityClassApplyConfiguration{}
 
 		// Group=scheduling.k8s.io, Version=v1alpha1
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("GangSchedulingPolicy"):
+		return &applyconfigurationsschedulingv1alpha1.GangSchedulingPolicyApplyConfiguration{}
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("PodGroup"):
+		return &applyconfigurationsschedulingv1alpha1.PodGroupApplyConfiguration{}
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("PodGroupPolicy"):
+		return &applyconfigurationsschedulingv1alpha1.PodGroupPolicyApplyConfiguration{}
 	case schedulingv1alpha1.SchemeGroupVersion.WithKind("PriorityClass"):
 		return &applyconfigurationsschedulingv1alpha1.PriorityClassApplyConfiguration{}
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("TypedLocalObjectReference"):
+		return &applyconfigurationsschedulingv1alpha1.TypedLocalObjectReferenceApplyConfiguration{}
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("Workload"):
+		return &applyconfigurationsschedulingv1alpha1.WorkloadApplyConfiguration{}
+	case schedulingv1alpha1.SchemeGroupVersion.WithKind("WorkloadSpec"):
+		return &applyconfigurationsschedulingv1alpha1.WorkloadSpecApplyConfiguration{}
 
 		// Group=scheduling.k8s.io, Version=v1beta1
 	case schedulingv1beta1.SchemeGroupVersion.WithKind("PriorityClass"):
@@ -1973,17 +1987,13 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 	case storagev1beta1.SchemeGroupVersion.WithKind("VolumeNodeResources"):
 		return &applyconfigurationsstoragev1beta1.VolumeNodeResourcesApplyConfiguration{}
 
-		// Group=storagemigration.k8s.io, Version=v1alpha1
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithKind("GroupVersionResource"):
-		return &applyconfigurationsstoragemigrationv1alpha1.GroupVersionResourceApplyConfiguration{}
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithKind("MigrationCondition"):
-		return &applyconfigurationsstoragemigrationv1alpha1.MigrationConditionApplyConfiguration{}
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithKind("StorageVersionMigration"):
-		return &applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationApplyConfiguration{}
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithKind("StorageVersionMigrationSpec"):
-		return &applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationSpecApplyConfiguration{}
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithKind("StorageVersionMigrationStatus"):
-		return &applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationStatusApplyConfiguration{}
+		// Group=storagemigration.k8s.io, Version=v1beta1
+	case storagemigrationv1beta1.SchemeGroupVersion.WithKind("StorageVersionMigration"):
+		return &applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationApplyConfiguration{}
+	case storagemigrationv1beta1.SchemeGroupVersion.WithKind("StorageVersionMigrationSpec"):
+		return &applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationSpecApplyConfiguration{}
+	case storagemigrationv1beta1.SchemeGroupVersion.WithKind("StorageVersionMigrationStatus"):
+		return &applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationStatusApplyConfiguration{}
 
 	}
 	return nil
diff --git a/staging/src/k8s.io/client-go/discovery/discovery_client.go b/staging/src/k8s.io/client-go/discovery/discovery_client.go
index 646820cbc2ef3..aae94f9b8a2cc 100644
--- a/staging/src/k8s.io/client-go/discovery/discovery_client.go
+++ b/staging/src/k8s.io/client-go/discovery/discovery_client.go
@@ -63,8 +63,9 @@ const (
 	// Aggregated discovery content-type (v2beta1). NOTE: content-type parameters
 	// MUST be ordered (g, v, as) for server in "Accept" header (BUT we are resilient
 	// to ordering when comparing returned values in "Content-Type" header).
-	AcceptV2Beta1 = runtime.ContentTypeJSON + ";" + "g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList"
-	AcceptV2      = runtime.ContentTypeJSON + ";" + "g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList"
+	AcceptV2Beta1  = runtime.ContentTypeJSON + ";" + "g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList"
+	AcceptV2       = runtime.ContentTypeJSON + ";" + "g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList"
+	AcceptV2NoPeer = runtime.ContentTypeJSON + ";" + "g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer"
 	// Prioritize aggregated discovery by placing first in the order of discovery accept types.
 	acceptDiscoveryFormats = AcceptV2 + "," + AcceptV2Beta1 + "," + AcceptV1
 )
@@ -168,6 +169,11 @@ type DiscoveryClient struct {
 	LegacyPrefix string
 	// Forces the client to request only "unaggregated" (legacy) discovery.
 	UseLegacyDiscovery bool
+	// NoPeerDiscovery will request the "nopeer" profile of aggregated discovery.
+	// This allows a client to get just the discovery documents served by the single apiserver
+	// that it is talking to. This is useful for clients that need to understand the state
+	// of a single apiserver, for example, to validate that the apiserver is ready to serve traffic.
+	NoPeerDiscovery bool
 }
 
 var _ AggregatedDiscoveryInterface = &DiscoveryClient{}
@@ -241,10 +247,7 @@ func (d *DiscoveryClient) downloadLegacy() (
 	map[schema.GroupVersion]*metav1.APIResourceList,
 	map[schema.GroupVersion]error,
 	error) {
-	accept := acceptDiscoveryFormats
-	if d.UseLegacyDiscovery {
-		accept = AcceptV1
-	}
+	accept := selectDiscoveryAcceptHeader(d.UseLegacyDiscovery, d.NoPeerDiscovery)
 	var responseContentType string
 	body, err := d.restClient.Get().
 		AbsPath("/api").
@@ -307,10 +310,7 @@ func (d *DiscoveryClient) downloadAPIs() (
 	map[schema.GroupVersion]*metav1.APIResourceList,
 	map[schema.GroupVersion]error,
 	error) {
-	accept := acceptDiscoveryFormats
-	if d.UseLegacyDiscovery {
-		accept = AcceptV1
-	}
+	accept := selectDiscoveryAcceptHeader(d.UseLegacyDiscovery, d.NoPeerDiscovery)
 	var responseContentType string
 	body, err := d.restClient.Get().
 		AbsPath("/apis").
@@ -351,6 +351,16 @@ func (d *DiscoveryClient) downloadAPIs() (
 	return apiGroupList, resourcesByGV, failedGVs, nil
 }
 
+func selectDiscoveryAcceptHeader(useLegacy, nopeer bool) string {
+	if useLegacy {
+		return AcceptV1
+	}
+	if nopeer {
+		return AcceptV2NoPeer + "," + acceptDiscoveryFormats
+	}
+	return acceptDiscoveryFormats
+}
+
 // ContentTypeIsGVK checks of the content-type string is both
 // "application/json" and matches the provided GVK. An error
 // is returned if the content type string is malformed.
diff --git a/staging/src/k8s.io/client-go/discovery/discovery_client_test.go b/staging/src/k8s.io/client-go/discovery/discovery_client_test.go
index 7f36980690a78..6b94edf6dc472 100644
--- a/staging/src/k8s.io/client-go/discovery/discovery_client_test.go
+++ b/staging/src/k8s.io/client-go/discovery/discovery_client_test.go
@@ -25,13 +25,13 @@ import (
 	"testing"
 	"time"
 
-	"github.com/gogo/protobuf/proto"
 	openapi_v2 "github.com/google/gnostic-models/openapiv2"
 	openapi_v3 "github.com/google/gnostic-models/openapiv3"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	golangproto "google.golang.org/protobuf/proto"
+
 	apidiscovery "k8s.io/api/apidiscovery/v2"
 	apidiscoveryv2beta1 "k8s.io/api/apidiscovery/v2beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -533,7 +533,7 @@ func openapiSchemaFakeServer(t *testing.T) (*httptest.Server, error) {
 			return
 		}
 
-		output, err := proto.Marshal(returnedOpenAPI())
+		output, err := golangproto.Marshal(returnedOpenAPI())
 		if err != nil {
 			errMsg := fmt.Sprintf("Unexpected marshal error: %v", err)
 			w.WriteHeader(http.StatusInternalServerError)
diff --git a/staging/src/k8s.io/client-go/doc.go b/staging/src/k8s.io/client-go/doc.go
index d0f766a7ed5d5..27e92a2652f6b 100644
--- a/staging/src/k8s.io/client-go/doc.go
+++ b/staging/src/k8s.io/client-go/doc.go
@@ -14,4 +14,97 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package clientgo is the official Go client for the Kubernetes API. It provides
+// a standard set of clients and tools for building applications, controllers,
+// and operators that communicate with a Kubernetes cluster.
+//
+// # Key Packages
+//
+//   - kubernetes: Contains the typed Clientset for interacting with built-in,
+//     versioned API objects (e.g., Pods, Deployments). This is the most common
+//     starting point.
+//
+//   - dynamic: Provides a dynamic client that can perform operations on any
+//     Kubernetes object, including Custom Resources (CRs). It is essential for
+//     building controllers that work with CRDs.
+//
+//   - discovery: Used to discover the API groups, versions, and resources
+//     supported by a Kubernetes cluster.
+//
+//   - tools/cache: The foundation of the controller pattern. This package provides
+//     efficient caching and synchronization mechanisms (Informers and Listers)
+//     for building controllers.
+//
+//   - tools/clientcmd: Provides methods for loading client configuration from
+//     kubeconfig files. This is essential for out-of-cluster applications and CLI tools.
+//
+//   - rest: Provides a lower-level RESTClient that manages the details of
+//     communicating with the Kubernetes API server. It is useful for advanced
+//     use cases that require fine-grained control over requests, such as working
+//     with non-standard REST verbs.
+//
+// # Connecting to the API
+//
+// There are two primary ways to configure a client to connect to the API server:
+//
+//  1. In-Cluster Configuration: For applications running inside a Kubernetes pod,
+//     the `rest.InClusterConfig()` function provides a straightforward way to
+//     configure the client. It automatically uses the pod's service account for
+//     authentication and is the recommended approach for controllers and operators.
+//
+//  2. Out-of-Cluster Configuration: For local development or command-line tools,
+//     the `clientcmd` package is used to load configuration from a
+//     kubeconfig file.
+//
+// The `rest.Config` object allows for fine-grained control over client-side
+// performance and reliability. Key settings include:
+//
+//   - QPS: The maximum number of queries per second to the API server.
+//   - Burst: The maximum number of queries that can be issued in a single burst.
+//   - Timeout: The timeout for individual requests.
+//
+// # Interacting with API Objects
+//
+// Once configured, a client can be used to interact with objects in the cluster.
+//
+//   - The Typed Clientset (`kubernetes` package) provides a strongly typed
+//     interface for working with built-in Kubernetes objects.
+//
+//   - The Dynamic Client (`dynamic` package) can work with any object, including
+//     Custom Resources, using `unstructured.Unstructured` types.
+//
+//   - For Custom Resources (CRDs), the `k8s.io/code-generator` repository
+//     contains the tools to generate typed clients, informers, and listers. The
+//     `sample-controller` is the canonical example of this pattern.
+//
+//   - Server-Side Apply is a patching strategy that allows multiple actors to
+//     share management of an object by tracking field ownership. This prevents
+//     actors from inadvertently overwriting each other's changes and provides
+//     a mechanism for resolving conflicts. The `applyconfigurations` package
+//     provides the necessary tools for this declarative approach.
+//
+// # Handling API Errors
+//
+// Robust error handling is essential when interacting with the API. The
+// `k8s.io/apimachinery/pkg/api/errors` package provides functions to inspect
+// errors and check for common conditions, such as whether a resource was not
+// found or already exists. This allows controllers to implement robust,
+// idempotent reconciliation logic.
+//
+// # Building Controllers
+//
+// The controller pattern is central to Kubernetes. A controller observes the
+// state of the cluster and works to bring it to the desired state.
+//
+//   - The `tools/cache` package provides the building blocks for this pattern.
+//     Informers watch the API server and maintain a local cache, Listers provide
+//     read-only access to the cache, and Workqueues decouple event detection
+//     from processing.
+//
+//   - In a high-availability deployment where multiple instances of a controller
+//     are running, leader election (`tools/leaderelection`) is used to ensure
+//     that only one instance is active at a time.
+//
+//   - Client-side feature gates allow for enabling or disabling experimental
+//     features in `client-go`. They can be configured via the `rest.Config` object.
 package clientgo
diff --git a/staging/src/k8s.io/client-go/dynamic/client_test.go b/staging/src/k8s.io/client-go/dynamic/client_test.go
index 85bb052aaddad..057b277b081f9 100644
--- a/staging/src/k8s.io/client-go/dynamic/client_test.go
+++ b/staging/src/k8s.io/client-go/dynamic/client_test.go
@@ -36,6 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	restclient "k8s.io/client-go/rest"
 	restclientwatch "k8s.io/client-go/rest/watch"
+	"k8s.io/client-go/util/watchlist"
 )
 
 func getJSON(version, kind, name string) []byte {
@@ -78,6 +79,16 @@ func getClientServer(h func(http.ResponseWriter, *http.Request)) (Interface, *ht
 	return cl, srv, nil
 }
 
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	target, err := NewForConfig(&restclient.Config{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("Dynamic client should support WatchList semantics")
+	}
+}
+
 func TestList(t *testing.T) {
 	tcs := []struct {
 		name      string
diff --git a/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer.go b/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer.go
index d1381823d6cf6..b933c13798b07 100644
--- a/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer.go
+++ b/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer.go
@@ -148,7 +148,7 @@ func NewFilteredDynamicInformer(client dynamic.Interface, gvr schema.GroupVersio
 	return &dynamicInformer{
 		gvr: gvr,
 		informer: cache.NewSharedIndexInformerWithOptions(
-			&cache.ListWatch{
+			cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					if tweakListOptions != nil {
 						tweakListOptions(&options)
@@ -173,7 +173,7 @@ func NewFilteredDynamicInformer(client dynamic.Interface, gvr schema.GroupVersio
 					}
 					return client.Resource(gvr).Namespace(namespace).Watch(ctx, options)
 				},
-			},
+			}, client),
 			&unstructured.Unstructured{},
 			cache.SharedIndexInformerOptions{
 				ResyncPeriod:      resyncPeriod,
diff --git a/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer_test.go b/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer_test.go
index 3ea31b6249b24..6c779f89074cf 100644
--- a/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer_test.go
+++ b/staging/src/k8s.io/client-go/dynamic/dynamicinformer/informer_test.go
@@ -18,19 +18,29 @@ package dynamicinformer_test
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
 
+	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/dynamic/dynamicinformer"
 	"k8s.io/client-go/dynamic/fake"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
+	"net/http"
+	"net/http/httptest"
 )
 
 type triggerFunc func(gvr schema.GroupVersionResource, ns string, fakeClient *fake.FakeDynamicClient, testObject *unstructured.Unstructured) *unstructured.Unstructured
@@ -55,6 +65,91 @@ func handler(rcvCh chan<- *unstructured.Unstructured) *cache.ResourceEventHandle
 	}
 }
 
+func TestWatchListSemanticsSimple(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if _, ok := req.URL.Query()["watch"]; !ok {
+			t.Errorf("expected a watch request, params: %v", req.URL.Query())
+			http.Error(w, fmt.Errorf("unexpected request").Error(), http.StatusInternalServerError)
+			return
+		}
+
+		obj := &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "apps/v1",
+				Kind:       "Deployment",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					metav1.InitialEventsAnnotationKey: "true",
+				},
+			},
+		}
+		rawObj, err := json.Marshal(obj)
+		if err != nil {
+			t.Errorf("failed to marshal rawObj: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		watchEvent := &metav1.WatchEvent{
+			Type:   string(watch.Bookmark),
+			Object: runtime.RawExtension{Raw: rawObj},
+		}
+		rawRsp, err := json.Marshal(watchEvent)
+		if err != nil {
+			t.Errorf("failed to marshal watchEvent: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write(rawRsp)
+		if err != nil {
+			t.Fatalf("failed to write response: %v", err)
+		}
+	}))
+	defer server.Close()
+
+	cfg := &rest.Config{Host: server.URL}
+	client, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	factory := dynamicinformer.NewFilteredDynamicSharedInformerFactory(client, 0, "ns", nil)
+	target := factory.ForResource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.Informer().HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
+func TestUnSupportWatchListSemantics(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+	scheme := runtime.NewScheme()
+	if err := appsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add corev1 to scheme: %v", err)
+	}
+	// The fake client doesn’t support WatchList semantics,
+	// so we don’t need to prepare a response.
+	fakeClient := fake.NewSimpleDynamicClient(scheme)
+	factory := dynamicinformer.NewFilteredDynamicSharedInformerFactory(fakeClient, 0, "ns", nil)
+	target := factory.ForResource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.Informer().HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
 func TestFilteredDynamicSharedInformerFactory(t *testing.T) {
 	scenarios := []struct {
 		name             string
diff --git a/staging/src/k8s.io/client-go/dynamic/fake/simple.go b/staging/src/k8s.io/client-go/dynamic/fake/simple.go
index 43d908051c7bf..06ef859425f1e 100644
--- a/staging/src/k8s.io/client-go/dynamic/fake/simple.go
+++ b/staging/src/k8s.io/client-go/dynamic/fake/simple.go
@@ -156,6 +156,10 @@ func (c *FakeDynamicClient) Resource(resource schema.GroupVersionResource) dynam
 	return &dynamicResourceClient{client: c, resource: resource, listKind: c.gvrToListKind[resource]}
 }
 
+func (c *FakeDynamicClient) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 func (c *dynamicResourceClient) Namespace(ns string) dynamic.ResourceInterface {
 	ret := *c
 	ret.namespace = ns
@@ -168,7 +172,7 @@ func (c *dynamicResourceClient) Create(ctx context.Context, obj *unstructured.Un
 	switch {
 	case len(c.namespace) == 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootCreateAction(c.resource, obj), obj)
+			Invokes(testing.NewRootCreateActionWithOptions(c.resource, obj, opts), obj)
 
 	case len(c.namespace) == 0 && len(subresources) > 0:
 		var accessor metav1.Object // avoid shadowing err
@@ -178,11 +182,11 @@ func (c *dynamicResourceClient) Create(ctx context.Context, obj *unstructured.Un
 		}
 		name := accessor.GetName()
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootCreateSubresourceAction(c.resource, name, strings.Join(subresources, "/"), obj), obj)
+			Invokes(testing.NewRootCreateSubresourceActionWithOptions(c.resource, name, strings.Join(subresources, "/"), obj, opts), obj)
 
 	case len(c.namespace) > 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewCreateAction(c.resource, c.namespace, obj), obj)
+			Invokes(testing.NewCreateActionWithOptions(c.resource, c.namespace, obj, opts), obj)
 
 	case len(c.namespace) > 0 && len(subresources) > 0:
 		var accessor metav1.Object // avoid shadowing err
@@ -192,7 +196,7 @@ func (c *dynamicResourceClient) Create(ctx context.Context, obj *unstructured.Un
 		}
 		name := accessor.GetName()
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewCreateSubresourceAction(c.resource, name, strings.Join(subresources, "/"), c.namespace, obj), obj)
+			Invokes(testing.NewCreateSubresourceActionWithOptions(c.resource, name, strings.Join(subresources, "/"), c.namespace, obj, opts), obj)
 
 	}
 
@@ -216,19 +220,19 @@ func (c *dynamicResourceClient) Update(ctx context.Context, obj *unstructured.Un
 	switch {
 	case len(c.namespace) == 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootUpdateAction(c.resource, obj), obj)
+			Invokes(testing.NewRootUpdateActionWithOptions(c.resource, obj, opts), obj)
 
 	case len(c.namespace) == 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootUpdateSubresourceAction(c.resource, strings.Join(subresources, "/"), obj), obj)
+			Invokes(testing.NewRootUpdateSubresourceActionWithOptions(c.resource, strings.Join(subresources, "/"), obj, opts), obj)
 
 	case len(c.namespace) > 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewUpdateAction(c.resource, c.namespace, obj), obj)
+			Invokes(testing.NewUpdateActionWithOptions(c.resource, c.namespace, obj, opts), obj)
 
 	case len(c.namespace) > 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewUpdateSubresourceAction(c.resource, strings.Join(subresources, "/"), c.namespace, obj), obj)
+			Invokes(testing.NewUpdateSubresourceActionWithOptions(c.resource, strings.Join(subresources, "/"), c.namespace, obj, opts), obj)
 
 	}
 
@@ -252,11 +256,11 @@ func (c *dynamicResourceClient) UpdateStatus(ctx context.Context, obj *unstructu
 	switch {
 	case len(c.namespace) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootUpdateSubresourceAction(c.resource, "status", obj), obj)
+			Invokes(testing.NewRootUpdateSubresourceActionWithOptions(c.resource, "status", obj, opts), obj)
 
 	case len(c.namespace) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewUpdateSubresourceAction(c.resource, "status", c.namespace, obj), obj)
+			Invokes(testing.NewUpdateSubresourceActionWithOptions(c.resource, "status", c.namespace, obj, opts), obj)
 
 	}
 
@@ -301,11 +305,11 @@ func (c *dynamicResourceClient) DeleteCollection(ctx context.Context, opts metav
 	var err error
 	switch {
 	case len(c.namespace) == 0:
-		action := testing.NewRootDeleteCollectionAction(c.resource, listOptions)
+		action := testing.NewRootDeleteCollectionActionWithOptions(c.resource, opts, listOptions)
 		_, err = c.client.Fake.Invokes(action, &metav1.Status{Status: "dynamic deletecollection fail"})
 
 	case len(c.namespace) > 0:
-		action := testing.NewDeleteCollectionAction(c.resource, c.namespace, listOptions)
+		action := testing.NewDeleteCollectionActionWithOptions(c.resource, c.namespace, opts, listOptions)
 		_, err = c.client.Fake.Invokes(action, &metav1.Status{Status: "dynamic deletecollection fail"})
 
 	}
@@ -319,19 +323,19 @@ func (c *dynamicResourceClient) Get(ctx context.Context, name string, opts metav
 	switch {
 	case len(c.namespace) == 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootGetAction(c.resource, name), &metav1.Status{Status: "dynamic get fail"})
+			Invokes(testing.NewRootGetActionWithOptions(c.resource, name, opts), &metav1.Status{Status: "dynamic get fail"})
 
 	case len(c.namespace) == 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootGetSubresourceAction(c.resource, strings.Join(subresources, "/"), name), &metav1.Status{Status: "dynamic get fail"})
+			Invokes(testing.NewRootGetSubresourceActionWithOptions(c.resource, strings.Join(subresources, "/"), name, opts), &metav1.Status{Status: "dynamic get fail"})
 
 	case len(c.namespace) > 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewGetAction(c.resource, c.namespace, name), &metav1.Status{Status: "dynamic get fail"})
+			Invokes(testing.NewGetActionWithOptions(c.resource, c.namespace, name, opts), &metav1.Status{Status: "dynamic get fail"})
 
 	case len(c.namespace) > 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewGetSubresourceAction(c.resource, c.namespace, strings.Join(subresources, "/"), name), &metav1.Status{Status: "dynamic get fail"})
+			Invokes(testing.NewGetSubresourceActionWithOptions(c.resource, c.namespace, strings.Join(subresources, "/"), name, opts), &metav1.Status{Status: "dynamic get fail"})
 	}
 
 	if err != nil {
@@ -360,11 +364,11 @@ func (c *dynamicResourceClient) List(ctx context.Context, opts metav1.ListOption
 	switch {
 	case len(c.namespace) == 0:
 		obj, err = c.client.Fake.
-			Invokes(testing.NewRootListAction(c.resource, listForFakeClientGVK, opts), &metav1.Status{Status: "dynamic list fail"})
+			Invokes(testing.NewRootListActionWithOptions(c.resource, listForFakeClientGVK, opts), &metav1.Status{Status: "dynamic list fail"})
 
 	case len(c.namespace) > 0:
 		obj, err = c.client.Fake.
-			Invokes(testing.NewListAction(c.resource, listForFakeClientGVK, c.namespace, opts), &metav1.Status{Status: "dynamic list fail"})
+			Invokes(testing.NewListActionWithOptions(c.resource, listForFakeClientGVK, c.namespace, opts), &metav1.Status{Status: "dynamic list fail"})
 
 	}
 
@@ -409,11 +413,11 @@ func (c *dynamicResourceClient) Watch(ctx context.Context, opts metav1.ListOptio
 	switch {
 	case len(c.namespace) == 0:
 		return c.client.Fake.
-			InvokesWatch(testing.NewRootWatchAction(c.resource, opts))
+			InvokesWatch(testing.NewRootWatchActionWithOptions(c.resource, opts))
 
 	case len(c.namespace) > 0:
 		return c.client.Fake.
-			InvokesWatch(testing.NewWatchAction(c.resource, c.namespace, opts))
+			InvokesWatch(testing.NewWatchActionWithOptions(c.resource, c.namespace, opts))
 	}
 
 	panic("math broke")
@@ -426,19 +430,19 @@ func (c *dynamicResourceClient) Patch(ctx context.Context, name string, pt types
 	switch {
 	case len(c.namespace) == 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootPatchAction(c.resource, name, pt, data), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewRootPatchActionWithOptions(c.resource, name, pt, data, opts), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) == 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootPatchSubresourceAction(c.resource, name, pt, data, subresources...), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewRootPatchSubresourceActionWithOptions(c.resource, name, pt, data, opts, subresources...), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) > 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewPatchAction(c.resource, c.namespace, name, pt, data), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewPatchActionWithOptions(c.resource, c.namespace, name, pt, data, opts), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) > 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewPatchSubresourceAction(c.resource, c.namespace, name, pt, data, subresources...), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewPatchSubresourceActionWithOptions(c.resource, c.namespace, name, pt, data, opts, subresources...), &metav1.Status{Status: "dynamic patch fail"})
 
 	}
 
@@ -462,23 +466,28 @@ func (c *dynamicResourceClient) Apply(ctx context.Context, name string, obj *uns
 	if err != nil {
 		return nil, err
 	}
+	patchOptions := metav1.PatchOptions{
+		Force:        &options.Force,
+		DryRun:       options.DryRun,
+		FieldManager: options.FieldManager,
+	}
 	var uncastRet runtime.Object
 	switch {
 	case len(c.namespace) == 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootPatchAction(c.resource, name, types.ApplyPatchType, outBytes), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewRootPatchActionWithOptions(c.resource, name, types.ApplyPatchType, outBytes, patchOptions), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) == 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewRootPatchSubresourceAction(c.resource, name, types.ApplyPatchType, outBytes, subresources...), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewRootPatchSubresourceActionWithOptions(c.resource, name, types.ApplyPatchType, outBytes, patchOptions, subresources...), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) > 0 && len(subresources) == 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewPatchAction(c.resource, c.namespace, name, types.ApplyPatchType, outBytes), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewPatchActionWithOptions(c.resource, c.namespace, name, types.ApplyPatchType, outBytes, patchOptions), &metav1.Status{Status: "dynamic patch fail"})
 
 	case len(c.namespace) > 0 && len(subresources) > 0:
 		uncastRet, err = c.client.Fake.
-			Invokes(testing.NewPatchSubresourceAction(c.resource, c.namespace, name, types.ApplyPatchType, outBytes, subresources...), &metav1.Status{Status: "dynamic patch fail"})
+			Invokes(testing.NewPatchSubresourceActionWithOptions(c.resource, c.namespace, name, types.ApplyPatchType, outBytes, patchOptions, subresources...), &metav1.Status{Status: "dynamic patch fail"})
 
 	}
 
diff --git a/staging/src/k8s.io/client-go/dynamic/fake/simple_test.go b/staging/src/k8s.io/client-go/dynamic/fake/simple_test.go
index 10dc3a2d576a4..50f22c49b9e46 100644
--- a/staging/src/k8s.io/client-go/dynamic/fake/simple_test.go
+++ b/staging/src/k8s.io/client-go/dynamic/fake/simple_test.go
@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/watchlist"
 )
 
 const (
@@ -60,6 +61,12 @@ func newUnstructuredWithSpec(spec map[string]interface{}) *unstructured.Unstruct
 	return u
 }
 
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	target := &FakeDynamicClient{}
+	if !watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("FakeDynamicClient should NOT support WatchList semantics")
+	}
+}
 func TestGet(t *testing.T) {
 	scheme := runtime.NewScheme()
 
diff --git a/staging/src/k8s.io/client-go/example_test.go b/staging/src/k8s.io/client-go/example_test.go
new file mode 100644
index 0000000000000..57633f42578ae
--- /dev/null
+++ b/staging/src/k8s.io/client-go/example_test.go
@@ -0,0 +1,431 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientgo_test
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	appsv1ac "k8s.io/client-go/applyconfigurations/apps/v1"
+	corev1ac "k8s.io/client-go/applyconfigurations/core/v1"
+	metav1ac "k8s.io/client-go/applyconfigurations/meta/v1"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/leaderelection"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
+)
+
+func Example_inClusterConfiguration() {
+	// This example demonstrates how to create a clientset for an application
+	// running inside a Kubernetes cluster. It uses the pod's service account
+	// for authentication.
+
+	// rest.InClusterConfig() returns a configuration object that can be used to
+	// create a clientset. It is the recommended way to configure a client for
+	// in-cluster applications.
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Create the clientset.
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Use the clientset to interact with the API.
+
+	pods, err := clientset.CoreV1().Pods("default").List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	fmt.Printf("There are %d pods in the default namespace\n", len(pods.Items))
+}
+
+func Example_outOfClusterConfiguration() {
+	// This example demonstrates how to create a clientset for an application
+	// running outside of a Kubernetes cluster, using a kubeconfig file. This is
+	// the standard approach for local development and command-line tools.
+
+	// The default location for the kubeconfig file is in the user's home directory.
+	var kubeconfig string
+	if home := os.Getenv("HOME"); home != "" {
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+
+	// Create the client configuration from the kubeconfig file.
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Configure client-side rate limiting.
+	config.QPS = 50
+	config.Burst = 100
+
+	// A clientset contains clients for all the API groups and versions supported
+	// by the cluster.
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Use the clientset to interact with the API.
+
+	pods, err := clientset.CoreV1().Pods("default").List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	fmt.Printf("There are %d pods in the default namespace\n", len(pods.Items))
+}
+
+func Example_handlingAPIErrors() {
+	// This example demonstrates how to handle common API errors.
+	// Create a NotFound error to simulate a failed API request.
+	err := errors.NewNotFound(schema.GroupResource{Group: "v1", Resource: "pods"}, "my-pod")
+
+	// The errors.IsNotFound() function checks if an error is a NotFound error.
+	if errors.IsNotFound(err) {
+		fmt.Println("Pod not found")
+	}
+
+	// The errors package provides functions for other common API errors, such as:
+	// - errors.IsAlreadyExists(err)
+	// - errors.IsConflict(err)
+	// - errors.IsServerTimeout(err)
+
+	// Output:
+	// Pod not found
+}
+
+func Example_usingDynamicClient() {
+	// This example demonstrates how to create and use a dynamic client to work
+	// with Custom Resources or other objects without needing their Go type
+	// definitions.
+
+	// Configure the client (out-of-cluster for this example).
+	var kubeconfig string
+	if home := os.Getenv("HOME"); home != "" {
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Create a dynamic client.
+	dynamicClient, err := dynamic.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Define the GroupVersionResource for the object you want to access.
+	// For Pods, this is {Group: "", Version: "v1", Resource: "pods"}.
+	gvr := schema.GroupVersionResource{Version: "v1", Resource: "pods"}
+
+	// Use the dynamic client to list all pods in the "default" namespace.
+	// The result is an UnstructuredList.
+	list, err := dynamicClient.Resource(gvr).Namespace("default").List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Iterate over the list and print the name of each pod.
+	for _, item := range list.Items {
+		name, found, err := unstructured.NestedString(item.Object, "metadata", "name")
+		if err != nil || !found {
+			fmt.Printf("Could not find name for pod: %v\n", err)
+			continue
+		}
+		fmt.Printf("Pod Name: %s\n", name)
+	}
+}
+
+func Example_usingInformers() {
+	// This example demonstrates the basic pattern for using an informer to watch
+	// for changes to Pods. This is a conceptual example; a real controller would
+	// have more robust logic and a workqueue.
+
+	// Configure the client (out-of-cluster for this example).
+	var kubeconfig string
+	if home := os.Getenv("HOME"); home != "" {
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// A SharedInformerFactory provides a shared cache for multiple informers,
+	// which reduces memory and network overhead.
+	factory := informers.NewSharedInformerFactory(clientset, 10*time.Minute)
+	podInformer := factory.Core().V1().Pods().Informer()
+
+	_, err = podInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			key, err := cache.MetaNamespaceKeyFunc(obj)
+			if err == nil {
+				log.Printf("Pod ADDED: %s", key)
+			}
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			key, err := cache.MetaNamespaceKeyFunc(newObj)
+			if err == nil {
+				log.Printf("Pod UPDATED: %s", key)
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(obj)
+			if err == nil {
+				log.Printf("Pod DELETED: %s", key)
+			}
+		},
+	})
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Graceful shutdown requires a two-channel pattern.
+	//
+	// The first channel, `sigCh`, is used by the `signal` package to send us
+	// OS signals (e.g., Ctrl+C). This channel must be of type `chan os.Signal`.
+	//
+	// The second channel, `stopCh`, is used to tell the informer factory to
+	// stop. The informer factory's `Start` method expects a channel of type
+	// `<-chan struct{}`. It will stop when this channel is closed.
+	//
+	// The goroutine below is the "translator" that connects these two channels.
+	// It waits for a signal on `sigCh`, and when it receives one, it closes
+	// `stopCh`, which in turn tells the informer factory to shut down.
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	stopCh := make(chan struct{})
+	go func() {
+		<-sigCh
+		close(stopCh)
+	}()
+
+	// Start the informer.
+	factory.Start(stopCh)
+
+	// Wait for the initial cache sync.
+	if !cache.WaitForCacheSync(stopCh, podInformer.HasSynced) {
+		log.Println("Timed out waiting for caches to sync")
+		return
+	}
+
+	log.Println("Informer has synced. Watching for Pod events...")
+
+	// Wait for the stop signal.
+	<-stopCh
+	log.Println("Shutting down...")
+}
+
+func Example_serverSideApply() {
+	// This example demonstrates how to use Server-Side Apply to declaratively
+	// manage a Deployment object. Server-Side Apply is the recommended approach
+	// for controllers and operators to manage objects.
+
+	// Configure the client (out-of-cluster for this example).
+	var kubeconfig string
+	if home := os.Getenv("HOME"); home != "" {
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	// Define the desired state of the Deployment using the applyconfigurations package.
+	// This provides a typed, structured way to build the patch.
+	deploymentName := "my-app"
+	replicas := int32(2)
+	image := "nginx:1.14.2"
+
+	// The FieldManager is a required field that identifies the controller managing
+	// this object's state.
+	fieldManager := "my-controller"
+
+	// Build the apply configuration.
+	deploymentApplyConfig := appsv1ac.Deployment(deploymentName, "default").
+		WithSpec(appsv1ac.DeploymentSpec().
+			WithReplicas(replicas).
+			WithSelector(metav1ac.LabelSelector().WithMatchLabels(map[string]string{"app": "my-app"})).
+			WithTemplate(corev1ac.PodTemplateSpec().
+				WithLabels(map[string]string{"app": "my-app"}).
+				WithSpec(corev1ac.PodSpec().
+					WithContainers(corev1ac.Container().
+						WithName("nginx").
+						WithImage(image),
+					),
+				),
+			),
+		)
+
+	// Perform the Server-Side Apply patch. The PatchType must be types.ApplyPatchType.
+	// The context, name, apply configuration, and patch options are required.
+	result, err := clientset.AppsV1().Deployments("default").Apply(
+		context.TODO(),
+		deploymentApplyConfig,
+		metav1.ApplyOptions{FieldManager: fieldManager},
+	)
+
+	if err != nil {
+		fmt.Printf("Error encountered: %v\n", err)
+		return
+	}
+
+	fmt.Printf("Deployment %q applied successfully.\n", result.Name)
+}
+
+func Example_leaderElection() {
+	// This example demonstrates the leader election pattern. A controller running
+	// multiple replicas uses leader election to ensure that only one replica is
+	// active at a time.
+
+	// Configure the client (out-of-cluster for this example).
+	var kubeconfig string
+	if home := os.Getenv("HOME"); home != "" {
+		kubeconfig = filepath.Join(home, ".kube", "config")
+	}
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		fmt.Printf("Error building kubeconfig: %s\n", err.Error())
+		return
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		fmt.Printf("Error building clientset: %s\n", err.Error())
+		return
+	}
+
+	// The unique name of the controller writing to the Lease object.
+	id := "my-controller"
+
+	// The namespace and name of the Lease object.
+	leaseNamespace := "default"
+	leaseName := "my-controller-lease"
+
+	// Create a context that can be cancelled to stop the leader election.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Set up a signal handler to cancel the context on termination.
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigCh
+		log.Println("Received termination signal, shutting down...")
+		cancel()
+	}()
+
+	// Create the lock object.
+	lock, err := resourcelock.New(resourcelock.LeasesResourceLock,
+		leaseNamespace,
+		leaseName,
+		clientset.CoreV1(),
+		clientset.CoordinationV1(),
+		resourcelock.ResourceLockConfig{
+			Identity: id,
+		})
+	if err != nil {
+		fmt.Printf("Error creating lock: %v\n", err)
+		return
+	}
+
+	// Create the leader elector.
+	elector, err := leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{
+		Lock:          lock,
+		LeaseDuration: 15 * time.Second,
+		RenewDeadline: 10 * time.Second,
+		RetryPeriod:   2 * time.Second,
+		Callbacks: leaderelection.LeaderCallbacks{
+			OnStartedLeading: func(ctx context.Context) {
+				// This function is called when the controller becomes the leader.
+				// You would start your controller's main logic here.
+				log.Println("Became leader, starting controller.")
+				// This is a simple placeholder for the controller's work.
+				for {
+					select {
+					case <-time.After(5 * time.Second):
+						log.Println("Doing controller work...")
+					case <-ctx.Done():
+						log.Println("Controller stopped.")
+						return
+					}
+				}
+			},
+			OnStoppedLeading: func() {
+				// This function is called when the controller loses leadership.
+				// You should stop any active work and gracefully shut down.
+				log.Printf("Lost leadership, shutting down.")
+			},
+			OnNewLeader: func(identity string) {
+				// This function is called when a new leader is elected.
+				if identity != id {
+					log.Printf("New leader elected: %s", identity)
+				}
+			},
+		},
+	})
+	if err != nil {
+		fmt.Printf("Error creating leader elector: %v\n", err)
+		return
+	}
+
+	// Start the leader election loop.
+	elector.Run(ctx)
+}
diff --git a/staging/src/k8s.io/client-go/features/features.go b/staging/src/k8s.io/client-go/features/features.go
index 5ccdcc55f6c8c..cabb7468d6137 100644
--- a/staging/src/k8s.io/client-go/features/features.go
+++ b/staging/src/k8s.io/client-go/features/features.go
@@ -21,6 +21,7 @@ import (
 	"sync/atomic"
 
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/version"
 )
 
 // NOTE: types Feature, FeatureSpec, prerelease (and its values)
@@ -49,8 +50,14 @@ type FeatureSpec struct {
 	LockToDefault bool
 	// PreRelease indicates the maturity level of the feature
 	PreRelease prerelease
+	// Version indicates the earliest version from which this FeatureSpec is valid.
+	// If multiple FeatureSpecs exist for a Feature, the one with the highest version that is less
+	// than or equal to the effective version of the component is used.
+	Version *version.Version
 }
 
+type VersionedSpecs []FeatureSpec
+
 // Gates indicates whether a given feature is enabled or not.
 type Gates interface {
 	// Enabled returns true if the key is enabled.
@@ -66,6 +73,15 @@ type Registry interface {
 	Add(map[Feature]FeatureSpec) error
 }
 
+// VersionedRegistry represents an external versioned feature gates registry.
+type VersionedRegistry interface {
+	// AddVersioned adds existing versioned feature gates to the provided registry.
+	//
+	// As of today, this method is used by AddVersionedFeaturesToExistingFeatureGates and
+	// ReplaceFeatureGates to take control of the features exposed by this library.
+	AddVersioned(in map[Feature]VersionedSpecs) error
+}
+
 // FeatureGates returns the feature gates exposed by this library.
 //
 // By default, only the default features gates will be returned.
@@ -85,7 +101,15 @@ func FeatureGates() Gates {
 // Usually this function is combined with ReplaceFeatureGates to take control of the
 // features exposed by this library.
 func AddFeaturesToExistingFeatureGates(registry Registry) error {
-	return registry.Add(defaultKubernetesFeatureGates)
+	return registry.Add(unversionedFeatureGates(defaultVersionedKubernetesFeatureGates))
+}
+
+// AddFeaturesToExistingFeatureGates adds the default versioned feature gates to the provided registry.
+// Usually this function is combined with ReplaceFeatureGates to take control of the
+// features exposed by this library.
+// Generally only used by k/k.
+func AddVersionedFeaturesToExistingFeatureGates(registry VersionedRegistry) error {
+	return registry.AddVersioned(defaultVersionedKubernetesFeatureGates)
 }
 
 // ReplaceFeatureGates overwrites the default implementation of the feature gates
@@ -121,8 +145,23 @@ func replaceFeatureGatesWithWarningIndicator(newFeatureGates Gates) bool {
 	return shouldProduceWarning
 }
 
+// unversionedFeatureGates takes the latest entry from the VersionedSpecs of each feature, and clears out the version information,
+// so that the result can be used with an unversioned feature gate.
+func unversionedFeatureGates(featureGates map[Feature]VersionedSpecs) map[Feature]FeatureSpec {
+	unversioned := map[Feature]FeatureSpec{}
+	for feature, specs := range featureGates {
+		if len(specs) == 0 {
+			continue
+		}
+		latestSpec := specs[len(specs)-1]
+		latestSpec.Version = nil // Clear version information.
+		unversioned[feature] = latestSpec
+	}
+	return unversioned
+}
+
 func init() {
-	envVarGates := newEnvVarFeatureGates(defaultKubernetesFeatureGates)
+	envVarGates := newEnvVarFeatureGates(unversionedFeatureGates(defaultVersionedKubernetesFeatureGates))
 
 	wrappedFeatureGates := &featureGatesWrapper{envVarGates}
 	featureGates.Store(wrappedFeatureGates)
diff --git a/staging/src/k8s.io/client-go/features/features_test.go b/staging/src/k8s.io/client-go/features/features_test.go
index 5a68303768a9c..4d4b7fe65da6d 100644
--- a/staging/src/k8s.io/client-go/features/features_test.go
+++ b/staging/src/k8s.io/client-go/features/features_test.go
@@ -17,17 +17,67 @@ limitations under the License.
 package features
 
 import (
+	"reflect"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/util/version"
 )
 
 // TestAddFeaturesToExistingFeatureGates ensures that
-// the defaultKubernetesFeatureGates are added to a test feature gates registry.
+// the defaultVersionedKubernetesFeatureGates are added to a test feature gates registry.
 func TestAddFeaturesToExistingFeatureGates(t *testing.T) {
 	fakeFeatureGates := &fakeRegistry{}
 	require.NoError(t, AddFeaturesToExistingFeatureGates(fakeFeatureGates))
-	require.Equal(t, defaultKubernetesFeatureGates, fakeFeatureGates.specs)
+	require.Equal(t, unversionedFeatureGates(defaultVersionedKubernetesFeatureGates), fakeFeatureGates.specs)
+}
+
+// TestAddVersionedFeaturesToExistingFeatureGates ensures that
+// the defaultVersionedKubernetesFeatureGates are added to a versioned test feature gates registry.
+func TestAddVersionedFeaturesToExistingFeatureGates(t *testing.T) {
+	fakeFeatureGates := &fakeVersionedRegistry{}
+	require.NoError(t, AddVersionedFeaturesToExistingFeatureGates(fakeFeatureGates))
+	require.Equal(t, defaultVersionedKubernetesFeatureGates, fakeFeatureGates.specs)
+}
+
+func TestUnversionedFeatureGates(t *testing.T) {
+	testCases := []struct {
+		name         string
+		featureGates map[Feature]VersionedSpecs
+		expected     map[Feature]FeatureSpec
+	}{
+		{
+			name: "multiple features",
+			featureGates: map[Feature]VersionedSpecs{
+				"AlphaFeature": {
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Alpha},
+				},
+				"BetaFeature": {
+					{Version: version.MustParse("1.28"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: Beta},
+				},
+				"GAFeature": {
+					{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.27"), Default: true, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, LockToDefault: true},
+				},
+			},
+			expected: map[Feature]FeatureSpec{
+				"AlphaFeature": {Default: false, PreRelease: Alpha},
+				"BetaFeature":  {Default: true, PreRelease: Beta},
+				"GAFeature":    {Default: true, PreRelease: GA, LockToDefault: true},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actual := unversionedFeatureGates(tc.featureGates)
+			if !reflect.DeepEqual(actual, tc.expected) {
+				t.Errorf("unversionedFeatureGates() = %v, want %v", actual, tc.expected)
+			}
+		})
+	}
 }
 
 func TestReplaceFeatureGatesWithWarningIndicator(t *testing.T) {
@@ -47,3 +97,12 @@ func (f *fakeRegistry) Add(specs map[Feature]FeatureSpec) error {
 	f.specs = specs
 	return nil
 }
+
+type fakeVersionedRegistry struct {
+	specs map[Feature]VersionedSpecs
+}
+
+func (f *fakeVersionedRegistry) AddVersioned(specs map[Feature]VersionedSpecs) error {
+	f.specs = specs
+	return nil
+}
diff --git a/staging/src/k8s.io/client-go/features/known_features.go b/staging/src/k8s.io/client-go/features/known_features.go
index 4aa8e40cbcd46..4b022c4b4f9c1 100644
--- a/staging/src/k8s.io/client-go/features/known_features.go
+++ b/staging/src/k8s.io/client-go/features/known_features.go
@@ -16,6 +16,10 @@ limitations under the License.
 
 package features
 
+import (
+	"k8s.io/apimachinery/pkg/util/version"
+)
+
 // Every feature gate should have an entry here following this template:
 //
 // // owner: @username
@@ -54,30 +58,48 @@ const (
 	// Refactor informers to deliver watch stream events in order instead of out of order.
 	InOrderInformers Feature = "InOrderInformers"
 
-	// owner: @nilekhc
+	// owner: @yue9944882
+	// beta: v1.35
+	//
+	// Allow InOrderInformer to process incoming events in batches to expedite the process rate.
+	InOrderInformersBatchProcess Feature = "InOrderInformersBatchProcess"
+
+	// owner: @enj, @michaelasp
 	// alpha: v1.30
+	// GA: v1.35
 	InformerResourceVersion Feature = "InformerResourceVersion"
 
 	// owner: @p0lyn0mial
 	// beta: v1.30
 	//
 	// Allow the client to get a stream of individual items instead of chunking from the server.
-	//
-	// NOTE:
-	//  The feature is disabled in Beta by default because
-	//  it will only be turned on for selected control plane component(s).
 	WatchListClient Feature = "WatchListClient"
 )
 
-// defaultKubernetesFeatureGates consists of all known Kubernetes-specific feature keys.
+// defaultVersionedKubernetesFeatureGates consists of all known Kubernetes-specific feature keys.
 //
 // To add a new feature, define a key for it above and add it here.
 // After registering with the binary, the features are, by default, controllable using environment variables.
 // For more details, please see envVarFeatureGates implementation.
-var defaultKubernetesFeatureGates = map[Feature]FeatureSpec{
-	ClientsAllowCBOR:        {Default: false, PreRelease: Alpha},
-	ClientsPreferCBOR:       {Default: false, PreRelease: Alpha},
-	InOrderInformers:        {Default: true, PreRelease: Beta},
-	InformerResourceVersion: {Default: false, PreRelease: Alpha},
-	WatchListClient:         {Default: false, PreRelease: Beta},
+var defaultVersionedKubernetesFeatureGates = map[Feature]VersionedSpecs{
+	ClientsAllowCBOR: {
+		{Version: version.MustParse("1.32"), Default: false, PreRelease: Alpha},
+	},
+	ClientsPreferCBOR: {
+		{Version: version.MustParse("1.32"), Default: false, PreRelease: Alpha},
+	},
+	InOrderInformers: {
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: Beta},
+	},
+	InOrderInformersBatchProcess: {
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: Beta},
+	},
+	InformerResourceVersion: {
+		{Version: version.MustParse("1.30"), Default: false, PreRelease: Alpha},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: GA},
+	},
+	WatchListClient: {
+		{Version: version.MustParse("1.30"), Default: false, PreRelease: Beta},
+		{Version: version.MustParse("1.35"), Default: true, PreRelease: Beta},
+	},
 }
diff --git a/staging/src/k8s.io/client-go/features/testing/features.go b/staging/src/k8s.io/client-go/features/testing/features.go
index 4f4c3ed4de975..b5555ff800b9b 100644
--- a/staging/src/k8s.io/client-go/features/testing/features.go
+++ b/staging/src/k8s.io/client-go/features/testing/features.go
@@ -77,6 +77,7 @@ func setFeatureDuringTestInternal(tb testing.TB, feature clientfeatures.Feature,
 		overriddenFeaturesLock.Lock()
 		defer overriddenFeaturesLock.Unlock()
 		delete(overriddenFeatures, feature)
+		// if default is not set
 		if err := featureGates.Set(feature, originalFeatureValue); err != nil {
 			tb.Errorf("failed restoring client-go feature: %v to its original value: %v, err: %v", feature, originalFeatureValue, err)
 		}
diff --git a/staging/src/k8s.io/client-go/gentype/type.go b/staging/src/k8s.io/client-go/gentype/type.go
index e9f42e14e3e6b..e91941d4a5b3c 100644
--- a/staging/src/k8s.io/client-go/gentype/type.go
+++ b/staging/src/k8s.io/client-go/gentype/type.go
@@ -23,9 +23,9 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	rest "k8s.io/client-go/rest"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/apply"
 )
 
@@ -318,7 +318,7 @@ func (a *alsoApplier[T, C]) Apply(ctx context.Context, obj C, opts metav1.ApplyO
 	return result, err
 }
 
-// Apply takes the given apply declarative configuration, applies it to the status subresource and returns the applied resource.
+// ApplyStatus takes the given apply declarative configuration, applies it to the status subresource and returns the applied resource.
 func (a *alsoApplier[T, C]) ApplyStatus(ctx context.Context, obj C, opts metav1.ApplyOptions) (T, error) {
 	if obj == *new(C) {
 		return *new(T), fmt.Errorf("object provided to Apply must not be nil")
diff --git a/staging/src/k8s.io/client-go/go.mod b/staging/src/k8s.io/client-go/go.mod
index 3d36952ed6875..88358c0ffe119 100644
--- a/staging/src/k8s.io/client-go/go.mod
+++ b/staging/src/k8s.io/client-go/go.mod
@@ -2,13 +2,12 @@
 
 module k8s.io/client-go
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/go-logr/logr v1.4.2
-	github.com/gogo/protobuf v1.3.2
+	github.com/go-logr/logr v1.4.3
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
@@ -16,27 +15,28 @@ require (
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 	github.com/peterbourgon/diskv v2.0.1+incompatible
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
 	go.uber.org/goleak v1.3.0
-	golang.org/x/net v0.43.0
-	golang.org/x/oauth2 v0.27.0
-	golang.org/x/term v0.35.0
+	golang.org/x/net v0.47.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/term v0.37.0
 	golang.org/x/time v0.9.0
-	google.golang.org/protobuf v1.36.5
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	google.golang.org/protobuf v1.36.8
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -44,7 +44,7 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -52,20 +52,19 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 )
diff --git a/staging/src/k8s.io/client-go/go.sum b/staging/src/k8s.io/client-go/go.sum
index 0074e6e933446..334359afd18fa 100644
--- a/staging/src/k8s.io/client-go/go.sum
+++ b/staging/src/k8s.io/client-go/go.sum
@@ -1,4 +1,6 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -12,8 +14,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -24,8 +26,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -34,8 +34,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -47,8 +47,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -70,21 +68,19 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -94,67 +90,45 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -163,12 +137,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/mutatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/mutatingwebhookconfiguration.go
index 7adafde23e210..77439c4bc70c5 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/mutatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/mutatingwebhookconfiguration.go
@@ -56,7 +56,7 @@ func NewMutatingWebhookConfigurationInformer(client kubernetes.Interface, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingWebhookConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingWebhookConfigurationInformer(client kubernetes.Interface
 				}
 				return client.AdmissionregistrationV1().MutatingWebhookConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1.MutatingWebhookConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicy.go
index 92cfa1fa4f312..89b86c09e1550 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicy.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, r
 				}
 				return client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1.ValidatingAdmissionPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicybinding.go
index e0c35ec5e37d7..b318ed445bc67 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingadmissionpolicybinding.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Inter
 				}
 				return client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1.ValidatingAdmissionPolicyBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingwebhookconfiguration.go
index 8ddeb0492d94d..d1d38407951c2 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1/validatingwebhookconfiguration.go
@@ -56,7 +56,7 @@ func NewValidatingWebhookConfigurationInformer(client kubernetes.Interface, resy
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingWebhookConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingWebhookConfigurationInformer(client kubernetes.Interfa
 				}
 				return client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1.ValidatingWebhookConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicy.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
index 939eff98353f6..2a0cb2cfde590 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicy.go
@@ -56,7 +56,7 @@ func NewMutatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingAdmissionPolicyInformer(client kubernetes.Interface, res
 				}
 				return client.AdmissionregistrationV1alpha1().MutatingAdmissionPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1alpha1.MutatingAdmissionPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
index a94f6d27bdffb..23ef580fefe7b 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/mutatingadmissionpolicybinding.go
@@ -56,7 +56,7 @@ func NewMutatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resy
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingAdmissionPolicyBindingInformer(client kubernetes.Interfa
 				}
 				return client.AdmissionregistrationV1alpha1().MutatingAdmissionPolicyBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1alpha1.MutatingAdmissionPolicyBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicy.go
index 1a6f7d56defb4..9a896b70dd0be 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicy.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, r
 				}
 				return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1alpha1.ValidatingAdmissionPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
index 3afaa3beca3ac..630471e9e22aa 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1alpha1/validatingadmissionpolicybinding.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Inter
 				}
 				return client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicy.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicy.go
index c2df805f08617..bfd1e4245df4e 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicy.go
@@ -56,7 +56,7 @@ func NewMutatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingAdmissionPolicyInformer(client kubernetes.Interface, res
 				}
 				return client.AdmissionregistrationV1beta1().MutatingAdmissionPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.MutatingAdmissionPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
index 0adc02f7e7eef..416590c0b7de7 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingadmissionpolicybinding.go
@@ -56,7 +56,7 @@ func NewMutatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resy
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingAdmissionPolicyBindingInformer(client kubernetes.Interfa
 				}
 				return client.AdmissionregistrationV1beta1().MutatingAdmissionPolicyBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.MutatingAdmissionPolicyBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
index 697dae852a831..2f086798e290e 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/mutatingwebhookconfiguration.go
@@ -56,7 +56,7 @@ func NewMutatingWebhookConfigurationInformer(client kubernetes.Interface, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredMutatingWebhookConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredMutatingWebhookConfigurationInformer(client kubernetes.Interface
 				}
 				return client.AdmissionregistrationV1beta1().MutatingWebhookConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.MutatingWebhookConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicy.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicy.go
index 31c3569d94d4b..18960ff9f8003 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicy.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyInformer(client kubernetes.Interface, r
 				}
 				return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.ValidatingAdmissionPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicybinding.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
index fb2c10e3e7050..ab3febb15a6e8 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingadmissionpolicybinding.go
@@ -56,7 +56,7 @@ func NewValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingAdmissionPolicyBindingInformer(client kubernetes.Inter
 				}
 				return client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingwebhookconfiguration.go b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingwebhookconfiguration.go
index 2eb6991cb5bdc..ae88860543b7e 100644
--- a/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingwebhookconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/admissionregistration/v1beta1/validatingwebhookconfiguration.go
@@ -56,7 +56,7 @@ func NewValidatingWebhookConfigurationInformer(client kubernetes.Interface, resy
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredValidatingWebhookConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredValidatingWebhookConfigurationInformer(client kubernetes.Interfa
 				}
 				return client.AdmissionregistrationV1beta1().ValidatingWebhookConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiadmissionregistrationv1beta1.ValidatingWebhookConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apiserverinternal/v1alpha1/storageversion.go b/staging/src/k8s.io/client-go/informers/apiserverinternal/v1alpha1/storageversion.go
index e8e1669d12243..1f1cfd503f69a 100644
--- a/staging/src/k8s.io/client-go/informers/apiserverinternal/v1alpha1/storageversion.go
+++ b/staging/src/k8s.io/client-go/informers/apiserverinternal/v1alpha1/storageversion.go
@@ -56,7 +56,7 @@ func NewStorageVersionInformer(client kubernetes.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStorageVersionInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredStorageVersionInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.InternalV1alpha1().StorageVersions().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiapiserverinternalv1alpha1.StorageVersion{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1/controllerrevision.go b/staging/src/k8s.io/client-go/informers/apps/v1/controllerrevision.go
index 64eeddec0e897..1d306123ca2a2 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1/controllerrevision.go
@@ -57,7 +57,7 @@ func NewControllerRevisionInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespac
 				}
 				return client.AppsV1().ControllerRevisions(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.ControllerRevision{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1/daemonset.go b/staging/src/k8s.io/client-go/informers/apps/v1/daemonset.go
index 4a3e95e1f109a..658d6b9ae0dcb 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1/daemonset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1/daemonset.go
@@ -57,7 +57,7 @@ func NewDaemonSetInformer(client kubernetes.Interface, namespace string, resyncP
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string,
 				}
 				return client.AppsV1().DaemonSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.DaemonSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1/deployment.go b/staging/src/k8s.io/client-go/informers/apps/v1/deployment.go
index 9c0c20c5366d4..4a8a29c246445 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1/deployment.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1/deployment.go
@@ -57,7 +57,7 @@ func NewDeploymentInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string
 				}
 				return client.AppsV1().Deployments(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.Deployment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1/replicaset.go b/staging/src/k8s.io/client-go/informers/apps/v1/replicaset.go
index 75c7a79e82005..d37292cb6def3 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1/replicaset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1/replicaset.go
@@ -57,7 +57,7 @@ func NewReplicaSetInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string
 				}
 				return client.AppsV1().ReplicaSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.ReplicaSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1/statefulset.go b/staging/src/k8s.io/client-go/informers/apps/v1/statefulset.go
index f759e0464f4f1..70a5f9c0ba528 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1/statefulset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1/statefulset.go
@@ -57,7 +57,7 @@ func NewStatefulSetInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.AppsV1().StatefulSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.StatefulSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta1/controllerrevision.go b/staging/src/k8s.io/client-go/informers/apps/v1beta1/controllerrevision.go
index 79b2fb907e24d..deaaa24c6bcd3 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta1/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta1/controllerrevision.go
@@ -57,7 +57,7 @@ func NewControllerRevisionInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespac
 				}
 				return client.AppsV1beta1().ControllerRevisions(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta1.ControllerRevision{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta1/deployment.go b/staging/src/k8s.io/client-go/informers/apps/v1beta1/deployment.go
index 1334c03a97006..4dbad1e983751 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta1/deployment.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta1/deployment.go
@@ -57,7 +57,7 @@ func NewDeploymentInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string
 				}
 				return client.AppsV1beta1().Deployments(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta1.Deployment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta1/statefulset.go b/staging/src/k8s.io/client-go/informers/apps/v1beta1/statefulset.go
index 2d52ae02da630..2c5aa846ece57 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta1/statefulset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta1/statefulset.go
@@ -57,7 +57,7 @@ func NewStatefulSetInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.AppsV1beta1().StatefulSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta1.StatefulSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta2/controllerrevision.go b/staging/src/k8s.io/client-go/informers/apps/v1beta2/controllerrevision.go
index 0936ef7b962c6..f6cca7d57493c 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta2/controllerrevision.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta2/controllerrevision.go
@@ -57,7 +57,7 @@ func NewControllerRevisionInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredControllerRevisionInformer(client kubernetes.Interface, namespac
 				}
 				return client.AppsV1beta2().ControllerRevisions(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta2.ControllerRevision{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta2/daemonset.go b/staging/src/k8s.io/client-go/informers/apps/v1beta2/daemonset.go
index d5c49d77f2640..aaec4988c2652 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta2/daemonset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta2/daemonset.go
@@ -57,7 +57,7 @@ func NewDaemonSetInformer(client kubernetes.Interface, namespace string, resyncP
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string,
 				}
 				return client.AppsV1beta2().DaemonSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta2.DaemonSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta2/deployment.go b/staging/src/k8s.io/client-go/informers/apps/v1beta2/deployment.go
index 575ddbfca872d..69f6e3fb8ed86 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta2/deployment.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta2/deployment.go
@@ -57,7 +57,7 @@ func NewDeploymentInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string
 				}
 				return client.AppsV1beta2().Deployments(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta2.Deployment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta2/replicaset.go b/staging/src/k8s.io/client-go/informers/apps/v1beta2/replicaset.go
index cfc4b3289f644..a65d451616e1a 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta2/replicaset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta2/replicaset.go
@@ -57,7 +57,7 @@ func NewReplicaSetInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string
 				}
 				return client.AppsV1beta2().ReplicaSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta2.ReplicaSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/apps/v1beta2/statefulset.go b/staging/src/k8s.io/client-go/informers/apps/v1beta2/statefulset.go
index a514c5bbb57bf..5e90c39c7b169 100644
--- a/staging/src/k8s.io/client-go/informers/apps/v1beta2/statefulset.go
+++ b/staging/src/k8s.io/client-go/informers/apps/v1beta2/statefulset.go
@@ -57,7 +57,7 @@ func NewStatefulSetInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredStatefulSetInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.AppsV1beta2().StatefulSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1beta2.StatefulSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/autoscaling/v1/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/informers/autoscaling/v1/horizontalpodautoscaler.go
index e92f756394215..98aacb1e3c35f 100644
--- a/staging/src/k8s.io/client-go/informers/autoscaling/v1/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/informers/autoscaling/v1/horizontalpodautoscaler.go
@@ -57,7 +57,7 @@ func NewHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace s
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, nam
 				}
 				return client.AutoscalingV1().HorizontalPodAutoscalers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiautoscalingv1.HorizontalPodAutoscaler{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/autoscaling/v2/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/informers/autoscaling/v2/horizontalpodautoscaler.go
index b5d4123e52e25..ce86ea8778485 100644
--- a/staging/src/k8s.io/client-go/informers/autoscaling/v2/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/informers/autoscaling/v2/horizontalpodautoscaler.go
@@ -57,7 +57,7 @@ func NewHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace s
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, nam
 				}
 				return client.AutoscalingV2().HorizontalPodAutoscalers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiautoscalingv2.HorizontalPodAutoscaler{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/autoscaling/v2beta1/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/informers/autoscaling/v2beta1/horizontalpodautoscaler.go
index 5a64e7ef9e7a3..71368420063b2 100644
--- a/staging/src/k8s.io/client-go/informers/autoscaling/v2beta1/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/informers/autoscaling/v2beta1/horizontalpodautoscaler.go
@@ -57,7 +57,7 @@ func NewHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace s
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, nam
 				}
 				return client.AutoscalingV2beta1().HorizontalPodAutoscalers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiautoscalingv2beta1.HorizontalPodAutoscaler{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/autoscaling/v2beta2/horizontalpodautoscaler.go b/staging/src/k8s.io/client-go/informers/autoscaling/v2beta2/horizontalpodautoscaler.go
index 2d4c3f1de6875..4ff8b103313af 100644
--- a/staging/src/k8s.io/client-go/informers/autoscaling/v2beta2/horizontalpodautoscaler.go
+++ b/staging/src/k8s.io/client-go/informers/autoscaling/v2beta2/horizontalpodautoscaler.go
@@ -57,7 +57,7 @@ func NewHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace s
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredHorizontalPodAutoscalerInformer(client kubernetes.Interface, nam
 				}
 				return client.AutoscalingV2beta2().HorizontalPodAutoscalers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiautoscalingv2beta2.HorizontalPodAutoscaler{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/batch/v1/cronjob.go b/staging/src/k8s.io/client-go/informers/batch/v1/cronjob.go
index ee4f8808a8643..9875a88b5b9db 100644
--- a/staging/src/k8s.io/client-go/informers/batch/v1/cronjob.go
+++ b/staging/src/k8s.io/client-go/informers/batch/v1/cronjob.go
@@ -57,7 +57,7 @@ func NewCronJobInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCronJobInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredCronJobInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.BatchV1().CronJobs(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apibatchv1.CronJob{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/batch/v1/job.go b/staging/src/k8s.io/client-go/informers/batch/v1/job.go
index d3965f53e91b9..a68178d639a5e 100644
--- a/staging/src/k8s.io/client-go/informers/batch/v1/job.go
+++ b/staging/src/k8s.io/client-go/informers/batch/v1/job.go
@@ -57,7 +57,7 @@ func NewJobInformer(client kubernetes.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredJobInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredJobInformer(client kubernetes.Interface, namespace string, resyn
 				}
 				return client.BatchV1().Jobs(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apibatchv1.Job{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/batch/v1beta1/cronjob.go b/staging/src/k8s.io/client-go/informers/batch/v1beta1/cronjob.go
index 1cf169d92e718..16644920c7b6d 100644
--- a/staging/src/k8s.io/client-go/informers/batch/v1beta1/cronjob.go
+++ b/staging/src/k8s.io/client-go/informers/batch/v1beta1/cronjob.go
@@ -57,7 +57,7 @@ func NewCronJobInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCronJobInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredCronJobInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.BatchV1beta1().CronJobs(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apibatchv1beta1.CronJob{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1/certificatesigningrequest.go b/staging/src/k8s.io/client-go/informers/certificates/v1/certificatesigningrequest.go
index 076da13627ae5..a16eb3f3b0ffc 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1/certificatesigningrequest.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1/certificatesigningrequest.go
@@ -56,7 +56,7 @@ func NewCertificateSigningRequestInformer(client kubernetes.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCertificateSigningRequestInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCertificateSigningRequestInformer(client kubernetes.Interface, r
 				}
 				return client.CertificatesV1().CertificateSigningRequests().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicertificatesv1.CertificateSigningRequest{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/clustertrustbundle.go b/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/clustertrustbundle.go
index ca5ee2c979bff..02d8800fb3d14 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/clustertrustbundle.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/clustertrustbundle.go
@@ -56,7 +56,7 @@ func NewClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTrustBundleInformer(client kubernetes.Interface, resyncPe
 				}
 				return client.CertificatesV1alpha1().ClusterTrustBundles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicertificatesv1alpha1.ClusterTrustBundle{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/interface.go b/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/interface.go
index 870fa0cf39f39..40ce8f42dbb49 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/interface.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/interface.go
@@ -26,8 +26,6 @@ import (
 type Interface interface {
 	// ClusterTrustBundles returns a ClusterTrustBundleInformer.
 	ClusterTrustBundles() ClusterTrustBundleInformer
-	// PodCertificateRequests returns a PodCertificateRequestInformer.
-	PodCertificateRequests() PodCertificateRequestInformer
 }
 
 type version struct {
@@ -45,8 +43,3 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) ClusterTrustBundles() ClusterTrustBundleInformer {
 	return &clusterTrustBundleInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
-
-// PodCertificateRequests returns a PodCertificateRequestInformer.
-func (v *version) PodCertificateRequests() PodCertificateRequestInformer {
-	return &podCertificateRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
-}
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/podcertificaterequest.go b/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/podcertificaterequest.go
deleted file mode 100644
index 71382e24abdc6..0000000000000
--- a/staging/src/k8s.io/client-go/informers/certificates/v1alpha1/podcertificaterequest.go
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	context "context"
-	time "time"
-
-	apicertificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
-	kubernetes "k8s.io/client-go/kubernetes"
-	certificatesv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// PodCertificateRequestInformer provides access to a shared informer and lister for
-// PodCertificateRequests.
-type PodCertificateRequestInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() certificatesv1alpha1.PodCertificateRequestLister
-}
-
-type podCertificateRequestInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-	namespace        string
-}
-
-// NewPodCertificateRequestInformer constructs a new informer for PodCertificateRequest type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewPodCertificateRequestInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredPodCertificateRequestInformer(client, namespace, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredPodCertificateRequestInformer constructs a new informer for PodCertificateRequest type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredPodCertificateRequestInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.CertificatesV1alpha1().PodCertificateRequests(namespace).List(context.Background(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.CertificatesV1alpha1().PodCertificateRequests(namespace).Watch(context.Background(), options)
-			},
-			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.CertificatesV1alpha1().PodCertificateRequests(namespace).List(ctx, options)
-			},
-			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.CertificatesV1alpha1().PodCertificateRequests(namespace).Watch(ctx, options)
-			},
-		},
-		&apicertificatesv1alpha1.PodCertificateRequest{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *podCertificateRequestInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredPodCertificateRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *podCertificateRequestInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&apicertificatesv1alpha1.PodCertificateRequest{}, f.defaultInformer)
-}
-
-func (f *podCertificateRequestInformer) Lister() certificatesv1alpha1.PodCertificateRequestLister {
-	return certificatesv1alpha1.NewPodCertificateRequestLister(f.Informer().GetIndexer())
-}
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/certificatesigningrequest.go b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/certificatesigningrequest.go
index f93d435a060d6..57097b7a9b2a7 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/certificatesigningrequest.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/certificatesigningrequest.go
@@ -56,7 +56,7 @@ func NewCertificateSigningRequestInformer(client kubernetes.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCertificateSigningRequestInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCertificateSigningRequestInformer(client kubernetes.Interface, r
 				}
 				return client.CertificatesV1beta1().CertificateSigningRequests().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicertificatesv1beta1.CertificateSigningRequest{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/clustertrustbundle.go b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/clustertrustbundle.go
index c4a69b22ef572..93b5d631db14e 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/clustertrustbundle.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/clustertrustbundle.go
@@ -56,7 +56,7 @@ func NewClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTrustBundleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTrustBundleInformer(client kubernetes.Interface, resyncPe
 				}
 				return client.CertificatesV1beta1().ClusterTrustBundles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicertificatesv1beta1.ClusterTrustBundle{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/interface.go b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/interface.go
index f13d5e6633444..b2d39e2068cfe 100644
--- a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/interface.go
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/interface.go
@@ -28,6 +28,8 @@ type Interface interface {
 	CertificateSigningRequests() CertificateSigningRequestInformer
 	// ClusterTrustBundles returns a ClusterTrustBundleInformer.
 	ClusterTrustBundles() ClusterTrustBundleInformer
+	// PodCertificateRequests returns a PodCertificateRequestInformer.
+	PodCertificateRequests() PodCertificateRequestInformer
 }
 
 type version struct {
@@ -50,3 +52,8 @@ func (v *version) CertificateSigningRequests() CertificateSigningRequestInformer
 func (v *version) ClusterTrustBundles() ClusterTrustBundleInformer {
 	return &clusterTrustBundleInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
+
+// PodCertificateRequests returns a PodCertificateRequestInformer.
+func (v *version) PodCertificateRequests() PodCertificateRequestInformer {
+	return &podCertificateRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/staging/src/k8s.io/client-go/informers/certificates/v1beta1/podcertificaterequest.go b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/podcertificaterequest.go
new file mode 100644
index 0000000000000..2d41c76e92074
--- /dev/null
+++ b/staging/src/k8s.io/client-go/informers/certificates/v1beta1/podcertificaterequest.go
@@ -0,0 +1,102 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+	time "time"
+
+	apicertificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
+	kubernetes "k8s.io/client-go/kubernetes"
+	certificatesv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// PodCertificateRequestInformer provides access to a shared informer and lister for
+// PodCertificateRequests.
+type PodCertificateRequestInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() certificatesv1beta1.PodCertificateRequestLister
+}
+
+type podCertificateRequestInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewPodCertificateRequestInformer constructs a new informer for PodCertificateRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewPodCertificateRequestInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredPodCertificateRequestInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredPodCertificateRequestInformer constructs a new informer for PodCertificateRequest type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredPodCertificateRequestInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.CertificatesV1beta1().PodCertificateRequests(namespace).List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.CertificatesV1beta1().PodCertificateRequests(namespace).Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.CertificatesV1beta1().PodCertificateRequests(namespace).List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.CertificatesV1beta1().PodCertificateRequests(namespace).Watch(ctx, options)
+			},
+		}, client),
+		&apicertificatesv1beta1.PodCertificateRequest{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *podCertificateRequestInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredPodCertificateRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *podCertificateRequestInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apicertificatesv1beta1.PodCertificateRequest{}, f.defaultInformer)
+}
+
+func (f *podCertificateRequestInformer) Lister() certificatesv1beta1.PodCertificateRequestLister {
+	return certificatesv1beta1.NewPodCertificateRequestLister(f.Informer().GetIndexer())
+}
diff --git a/staging/src/k8s.io/client-go/informers/coordination/v1/lease.go b/staging/src/k8s.io/client-go/informers/coordination/v1/lease.go
index 2d0c812d6bcca..1a34bf73f30c8 100644
--- a/staging/src/k8s.io/client-go/informers/coordination/v1/lease.go
+++ b/staging/src/k8s.io/client-go/informers/coordination/v1/lease.go
@@ -57,7 +57,7 @@ func NewLeaseInformer(client kubernetes.Interface, namespace string, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredLeaseInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredLeaseInformer(client kubernetes.Interface, namespace string, res
 				}
 				return client.CoordinationV1().Leases(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicoordinationv1.Lease{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/coordination/v1alpha2/leasecandidate.go b/staging/src/k8s.io/client-go/informers/coordination/v1alpha2/leasecandidate.go
index c220a9b20c458..f029be068a45c 100644
--- a/staging/src/k8s.io/client-go/informers/coordination/v1alpha2/leasecandidate.go
+++ b/staging/src/k8s.io/client-go/informers/coordination/v1alpha2/leasecandidate.go
@@ -57,7 +57,7 @@ func NewLeaseCandidateInformer(client kubernetes.Interface, namespace string, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredLeaseCandidateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredLeaseCandidateInformer(client kubernetes.Interface, namespace st
 				}
 				return client.CoordinationV1alpha2().LeaseCandidates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicoordinationv1alpha2.LeaseCandidate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/coordination/v1beta1/lease.go b/staging/src/k8s.io/client-go/informers/coordination/v1beta1/lease.go
index ef91381c1d9dd..f254e30da304c 100644
--- a/staging/src/k8s.io/client-go/informers/coordination/v1beta1/lease.go
+++ b/staging/src/k8s.io/client-go/informers/coordination/v1beta1/lease.go
@@ -57,7 +57,7 @@ func NewLeaseInformer(client kubernetes.Interface, namespace string, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredLeaseInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredLeaseInformer(client kubernetes.Interface, namespace string, res
 				}
 				return client.CoordinationV1beta1().Leases(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicoordinationv1beta1.Lease{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/coordination/v1beta1/leasecandidate.go b/staging/src/k8s.io/client-go/informers/coordination/v1beta1/leasecandidate.go
index 4315e50c321d4..bdb3e1be13df9 100644
--- a/staging/src/k8s.io/client-go/informers/coordination/v1beta1/leasecandidate.go
+++ b/staging/src/k8s.io/client-go/informers/coordination/v1beta1/leasecandidate.go
@@ -57,7 +57,7 @@ func NewLeaseCandidateInformer(client kubernetes.Interface, namespace string, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredLeaseCandidateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredLeaseCandidateInformer(client kubernetes.Interface, namespace st
 				}
 				return client.CoordinationV1beta1().LeaseCandidates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicoordinationv1beta1.LeaseCandidate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/componentstatus.go b/staging/src/k8s.io/client-go/informers/core/v1/componentstatus.go
index a7992bfdff0e7..9cf1a062aa374 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/componentstatus.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/componentstatus.go
@@ -56,7 +56,7 @@ func NewComponentStatusInformer(client kubernetes.Interface, resyncPeriod time.D
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredComponentStatusInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredComponentStatusInformer(client kubernetes.Interface, resyncPerio
 				}
 				return client.CoreV1().ComponentStatuses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.ComponentStatus{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/configmap.go b/staging/src/k8s.io/client-go/informers/core/v1/configmap.go
index 014e55afe41a2..5772678bfa1f4 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/configmap.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/configmap.go
@@ -57,7 +57,7 @@ func NewConfigMapInformer(client kubernetes.Interface, namespace string, resyncP
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredConfigMapInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredConfigMapInformer(client kubernetes.Interface, namespace string,
 				}
 				return client.CoreV1().ConfigMaps(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.ConfigMap{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/endpoints.go b/staging/src/k8s.io/client-go/informers/core/v1/endpoints.go
index 2d4412ad00156..6c55df988724b 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/endpoints.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/endpoints.go
@@ -57,7 +57,7 @@ func NewEndpointsInformer(client kubernetes.Interface, namespace string, resyncP
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEndpointsInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEndpointsInformer(client kubernetes.Interface, namespace string,
 				}
 				return client.CoreV1().Endpoints(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Endpoints{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/event.go b/staging/src/k8s.io/client-go/informers/core/v1/event.go
index 80a5cad84393e..63df621b664e5 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/event.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/event.go
@@ -57,7 +57,7 @@ func NewEventInformer(client kubernetes.Interface, namespace string, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEventInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEventInformer(client kubernetes.Interface, namespace string, res
 				}
 				return client.CoreV1().Events(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Event{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/limitrange.go b/staging/src/k8s.io/client-go/informers/core/v1/limitrange.go
index cf8e1eb4223f4..229adb2b8f3b3 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/limitrange.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/limitrange.go
@@ -57,7 +57,7 @@ func NewLimitRangeInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredLimitRangeInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredLimitRangeInformer(client kubernetes.Interface, namespace string
 				}
 				return client.CoreV1().LimitRanges(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.LimitRange{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/namespace.go b/staging/src/k8s.io/client-go/informers/core/v1/namespace.go
index ae09888b9b952..d45d2eee62a1f 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/namespace.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/namespace.go
@@ -56,7 +56,7 @@ func NewNamespaceInformer(client kubernetes.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNamespaceInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredNamespaceInformer(client kubernetes.Interface, resyncPeriod time
 				}
 				return client.CoreV1().Namespaces().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Namespace{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/node.go b/staging/src/k8s.io/client-go/informers/core/v1/node.go
index a036db034bae3..a5224761f9422 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/node.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/node.go
@@ -56,7 +56,7 @@ func NewNodeInformer(client kubernetes.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNodeInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredNodeInformer(client kubernetes.Interface, resyncPeriod time.Dura
 				}
 				return client.CoreV1().Nodes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Node{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/persistentvolume.go b/staging/src/k8s.io/client-go/informers/core/v1/persistentvolume.go
index 4d1d63eadc047..0458fc1956e82 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/persistentvolume.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/persistentvolume.go
@@ -56,7 +56,7 @@ func NewPersistentVolumeInformer(client kubernetes.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPersistentVolumeInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPersistentVolumeInformer(client kubernetes.Interface, resyncPeri
 				}
 				return client.CoreV1().PersistentVolumes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.PersistentVolume{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/persistentvolumeclaim.go b/staging/src/k8s.io/client-go/informers/core/v1/persistentvolumeclaim.go
index 87a4cc037c8af..dd75924def727 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/persistentvolumeclaim.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/persistentvolumeclaim.go
@@ -57,7 +57,7 @@ func NewPersistentVolumeClaimInformer(client kubernetes.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPersistentVolumeClaimInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredPersistentVolumeClaimInformer(client kubernetes.Interface, names
 				}
 				return client.CoreV1().PersistentVolumeClaims(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.PersistentVolumeClaim{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/pod.go b/staging/src/k8s.io/client-go/informers/core/v1/pod.go
index e3a40729f1052..b68ebc1dd5c47 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/pod.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/pod.go
@@ -57,7 +57,7 @@ func NewPodInformer(client kubernetes.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPodInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredPodInformer(client kubernetes.Interface, namespace string, resyn
 				}
 				return client.CoreV1().Pods(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Pod{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/podtemplate.go b/staging/src/k8s.io/client-go/informers/core/v1/podtemplate.go
index 9d6e7048e62fb..c4b4cd12be86e 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/podtemplate.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/podtemplate.go
@@ -57,7 +57,7 @@ func NewPodTemplateInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPodTemplateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredPodTemplateInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.CoreV1().PodTemplates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.PodTemplate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/replicationcontroller.go b/staging/src/k8s.io/client-go/informers/core/v1/replicationcontroller.go
index 89c216e82197d..58b66c2bd5dba 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/replicationcontroller.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/replicationcontroller.go
@@ -57,7 +57,7 @@ func NewReplicationControllerInformer(client kubernetes.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredReplicationControllerInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredReplicationControllerInformer(client kubernetes.Interface, names
 				}
 				return client.CoreV1().ReplicationControllers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.ReplicationController{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/resourcequota.go b/staging/src/k8s.io/client-go/informers/core/v1/resourcequota.go
index aa77e05702e79..408c024581060 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/resourcequota.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/resourcequota.go
@@ -57,7 +57,7 @@ func NewResourceQuotaInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceQuotaInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceQuotaInformer(client kubernetes.Interface, namespace str
 				}
 				return client.CoreV1().ResourceQuotas(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.ResourceQuota{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/secret.go b/staging/src/k8s.io/client-go/informers/core/v1/secret.go
index be5a80a96983b..7f7338d063041 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/secret.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/secret.go
@@ -57,7 +57,7 @@ func NewSecretInformer(client kubernetes.Interface, namespace string, resyncPeri
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredSecretInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredSecretInformer(client kubernetes.Interface, namespace string, re
 				}
 				return client.CoreV1().Secrets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Secret{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/service.go b/staging/src/k8s.io/client-go/informers/core/v1/service.go
index 10b0587579c97..b4dcb75d79440 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/service.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/service.go
@@ -57,7 +57,7 @@ func NewServiceInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredServiceInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredServiceInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.CoreV1().Services(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.Service{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/core/v1/serviceaccount.go b/staging/src/k8s.io/client-go/informers/core/v1/serviceaccount.go
index 594439618f4cf..5ddc98b24e716 100644
--- a/staging/src/k8s.io/client-go/informers/core/v1/serviceaccount.go
+++ b/staging/src/k8s.io/client-go/informers/core/v1/serviceaccount.go
@@ -57,7 +57,7 @@ func NewServiceAccountInformer(client kubernetes.Interface, namespace string, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredServiceAccountInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredServiceAccountInformer(client kubernetes.Interface, namespace st
 				}
 				return client.CoreV1().ServiceAccounts(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apicorev1.ServiceAccount{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/discovery/v1/endpointslice.go b/staging/src/k8s.io/client-go/informers/discovery/v1/endpointslice.go
index 38f09183cdc88..1291912816f3e 100644
--- a/staging/src/k8s.io/client-go/informers/discovery/v1/endpointslice.go
+++ b/staging/src/k8s.io/client-go/informers/discovery/v1/endpointslice.go
@@ -57,7 +57,7 @@ func NewEndpointSliceInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEndpointSliceInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEndpointSliceInformer(client kubernetes.Interface, namespace str
 				}
 				return client.DiscoveryV1().EndpointSlices(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apidiscoveryv1.EndpointSlice{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/discovery/v1beta1/endpointslice.go b/staging/src/k8s.io/client-go/informers/discovery/v1beta1/endpointslice.go
index 23c51eb7b22bd..80147e2438cdc 100644
--- a/staging/src/k8s.io/client-go/informers/discovery/v1beta1/endpointslice.go
+++ b/staging/src/k8s.io/client-go/informers/discovery/v1beta1/endpointslice.go
@@ -57,7 +57,7 @@ func NewEndpointSliceInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEndpointSliceInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEndpointSliceInformer(client kubernetes.Interface, namespace str
 				}
 				return client.DiscoveryV1beta1().EndpointSlices(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apidiscoveryv1beta1.EndpointSlice{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/events/v1/event.go b/staging/src/k8s.io/client-go/informers/events/v1/event.go
index 139cc155ab086..68eafe312ce27 100644
--- a/staging/src/k8s.io/client-go/informers/events/v1/event.go
+++ b/staging/src/k8s.io/client-go/informers/events/v1/event.go
@@ -57,7 +57,7 @@ func NewEventInformer(client kubernetes.Interface, namespace string, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEventInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEventInformer(client kubernetes.Interface, namespace string, res
 				}
 				return client.EventsV1().Events(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apieventsv1.Event{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/events/v1beta1/event.go b/staging/src/k8s.io/client-go/informers/events/v1beta1/event.go
index 75818c0efbf39..b26c208938f42 100644
--- a/staging/src/k8s.io/client-go/informers/events/v1beta1/event.go
+++ b/staging/src/k8s.io/client-go/informers/events/v1beta1/event.go
@@ -57,7 +57,7 @@ func NewEventInformer(client kubernetes.Interface, namespace string, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEventInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredEventInformer(client kubernetes.Interface, namespace string, res
 				}
 				return client.EventsV1beta1().Events(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apieventsv1beta1.Event{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/daemonset.go b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/daemonset.go
index ce8612c1c24eb..fdfbb02306028 100644
--- a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/daemonset.go
+++ b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/daemonset.go
@@ -57,7 +57,7 @@ func NewDaemonSetInformer(client kubernetes.Interface, namespace string, resyncP
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDaemonSetInformer(client kubernetes.Interface, namespace string,
 				}
 				return client.ExtensionsV1beta1().DaemonSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiextensionsv1beta1.DaemonSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/deployment.go b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/deployment.go
index 5dd957baa400c..6442266250946 100644
--- a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/deployment.go
+++ b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/deployment.go
@@ -57,7 +57,7 @@ func NewDeploymentInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredDeploymentInformer(client kubernetes.Interface, namespace string
 				}
 				return client.ExtensionsV1beta1().Deployments(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiextensionsv1beta1.Deployment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/ingress.go b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/ingress.go
index 935f6868c2515..bbd7286843be8 100644
--- a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/ingress.go
+++ b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/ingress.go
@@ -57,7 +57,7 @@ func NewIngressInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.ExtensionsV1beta1().Ingresses(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiextensionsv1beta1.Ingress{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/networkpolicy.go b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/networkpolicy.go
index f485f3149c374..45eb5e95bb9d9 100644
--- a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/networkpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/networkpolicy.go
@@ -57,7 +57,7 @@ func NewNetworkPolicyInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNetworkPolicyInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredNetworkPolicyInformer(client kubernetes.Interface, namespace str
 				}
 				return client.ExtensionsV1beta1().NetworkPolicies(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiextensionsv1beta1.NetworkPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/replicaset.go b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/replicaset.go
index 4b1be5421cc36..82a183b3c7d6e 100644
--- a/staging/src/k8s.io/client-go/informers/extensions/v1beta1/replicaset.go
+++ b/staging/src/k8s.io/client-go/informers/extensions/v1beta1/replicaset.go
@@ -57,7 +57,7 @@ func NewReplicaSetInformer(client kubernetes.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredReplicaSetInformer(client kubernetes.Interface, namespace string
 				}
 				return client.ExtensionsV1beta1().ReplicaSets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiextensionsv1beta1.ReplicaSet{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/factory.go b/staging/src/k8s.io/client-go/informers/factory.go
index 86c24551ef98d..bd3d16c0108b2 100644
--- a/staging/src/k8s.io/client-go/informers/factory.go
+++ b/staging/src/k8s.io/client-go/informers/factory.go
@@ -116,6 +116,7 @@ func NewSharedInformerFactory(client kubernetes.Interface, defaultResync time.Du
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client kubernetes.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -223,7 +224,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1/flowschema.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1/flowschema.go
index f8918dcf7231e..734ee0ebf4ee2 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1/flowschema.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1/flowschema.go
@@ -56,7 +56,7 @@ func NewFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod tim
 				}
 				return client.FlowcontrolV1().FlowSchemas().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1.FlowSchema{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1/prioritylevelconfiguration.go
index 2ec4f39887c80..a5f23218efc5b 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1/prioritylevelconfiguration.go
@@ -56,7 +56,7 @@ func NewPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPe
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface,
 				}
 				return client.FlowcontrolV1().PriorityLevelConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1.PriorityLevelConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/flowschema.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/flowschema.go
index 322fa318137b4..5e88fe8cb9c03 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/flowschema.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/flowschema.go
@@ -56,7 +56,7 @@ func NewFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod tim
 				}
 				return client.FlowcontrolV1beta1().FlowSchemas().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta1.FlowSchema{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/prioritylevelconfiguration.go
index aebc788f7e163..f86a96e38cffe 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta1/prioritylevelconfiguration.go
@@ -56,7 +56,7 @@ func NewPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPe
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface,
 				}
 				return client.FlowcontrolV1beta1().PriorityLevelConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta1.PriorityLevelConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/flowschema.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/flowschema.go
index 522e24b7b51a1..e17e4c9fa23c0 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/flowschema.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/flowschema.go
@@ -56,7 +56,7 @@ func NewFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod tim
 				}
 				return client.FlowcontrolV1beta2().FlowSchemas().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta2.FlowSchema{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/prioritylevelconfiguration.go
index 0ee0506e253d3..1db6efa6fe92d 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta2/prioritylevelconfiguration.go
@@ -56,7 +56,7 @@ func NewPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPe
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface,
 				}
 				return client.FlowcontrolV1beta2().PriorityLevelConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta2.PriorityLevelConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/flowschema.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/flowschema.go
index 3b0dca3cc22e6..626a20d6201ca 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/flowschema.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/flowschema.go
@@ -56,7 +56,7 @@ func NewFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredFlowSchemaInformer(client kubernetes.Interface, resyncPeriod tim
 				}
 				return client.FlowcontrolV1beta3().FlowSchemas().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta3.FlowSchema{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/prioritylevelconfiguration.go b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/prioritylevelconfiguration.go
index 77ff4e4e7c6ef..43f697423487c 100644
--- a/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/prioritylevelconfiguration.go
+++ b/staging/src/k8s.io/client-go/informers/flowcontrol/v1beta3/prioritylevelconfiguration.go
@@ -56,7 +56,7 @@ func NewPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPe
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityLevelConfigurationInformer(client kubernetes.Interface,
 				}
 				return client.FlowcontrolV1beta3().PriorityLevelConfigurations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiflowcontrolv1beta3.PriorityLevelConfiguration{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/generic.go b/staging/src/k8s.io/client-go/informers/generic.go
index 980c991696633..2b7efe7f4a45e 100644
--- a/staging/src/k8s.io/client-go/informers/generic.go
+++ b/staging/src/k8s.io/client-go/informers/generic.go
@@ -70,7 +70,7 @@ import (
 	storagev1 "k8s.io/api/storage/v1"
 	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -200,14 +200,14 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		// Group=certificates.k8s.io, Version=v1alpha1
 	case certificatesv1alpha1.SchemeGroupVersion.WithResource("clustertrustbundles"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1alpha1().ClusterTrustBundles().Informer()}, nil
-	case certificatesv1alpha1.SchemeGroupVersion.WithResource("podcertificaterequests"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1alpha1().PodCertificateRequests().Informer()}, nil
 
 		// Group=certificates.k8s.io, Version=v1beta1
 	case certificatesv1beta1.SchemeGroupVersion.WithResource("certificatesigningrequests"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1beta1().CertificateSigningRequests().Informer()}, nil
 	case certificatesv1beta1.SchemeGroupVersion.WithResource("clustertrustbundles"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1beta1().ClusterTrustBundles().Informer()}, nil
+	case certificatesv1beta1.SchemeGroupVersion.WithResource("podcertificaterequests"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Certificates().V1beta1().PodCertificateRequests().Informer()}, nil
 
 		// Group=coordination.k8s.io, Version=v1
 	case coordinationv1.SchemeGroupVersion.WithResource("leases"):
@@ -426,6 +426,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		// Group=scheduling.k8s.io, Version=v1alpha1
 	case schedulingv1alpha1.SchemeGroupVersion.WithResource("priorityclasses"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Scheduling().V1alpha1().PriorityClasses().Informer()}, nil
+	case schedulingv1alpha1.SchemeGroupVersion.WithResource("workloads"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Scheduling().V1alpha1().Workloads().Informer()}, nil
 
 		// Group=scheduling.k8s.io, Version=v1beta1
 	case schedulingv1beta1.SchemeGroupVersion.WithResource("priorityclasses"):
@@ -467,9 +469,9 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 	case storagev1beta1.SchemeGroupVersion.WithResource("volumeattributesclasses"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Storage().V1beta1().VolumeAttributesClasses().Informer()}, nil
 
-		// Group=storagemigration.k8s.io, Version=v1alpha1
-	case storagemigrationv1alpha1.SchemeGroupVersion.WithResource("storageversionmigrations"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Storagemigration().V1alpha1().StorageVersionMigrations().Informer()}, nil
+		// Group=storagemigration.k8s.io, Version=v1beta1
+	case storagemigrationv1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Storagemigration().V1beta1().StorageVersionMigrations().Informer()}, nil
 
 	}
 
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1/ingress.go b/staging/src/k8s.io/client-go/informers/networking/v1/ingress.go
index 6f1b0b7816203..fa7252dfa777a 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1/ingress.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1/ingress.go
@@ -57,7 +57,7 @@ func NewIngressInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.NetworkingV1().Ingresses(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1.Ingress{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1/ingressclass.go b/staging/src/k8s.io/client-go/informers/networking/v1/ingressclass.go
index b0d4803d89589..bd6696a37f9bc 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1/ingressclass.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1/ingressclass.go
@@ -56,7 +56,7 @@ func NewIngressClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredIngressClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.NetworkingV1().IngressClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1.IngressClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1/ipaddress.go b/staging/src/k8s.io/client-go/informers/networking/v1/ipaddress.go
index e3459e72ba800..8ab3ac5d63b99 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1/ipaddress.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1/ipaddress.go
@@ -56,7 +56,7 @@ func NewIPAddressInformer(client kubernetes.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIPAddressInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredIPAddressInformer(client kubernetes.Interface, resyncPeriod time
 				}
 				return client.NetworkingV1().IPAddresses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1.IPAddress{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1/networkpolicy.go b/staging/src/k8s.io/client-go/informers/networking/v1/networkpolicy.go
index 0dba59c5ef52d..1b39b0e6cf863 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1/networkpolicy.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1/networkpolicy.go
@@ -57,7 +57,7 @@ func NewNetworkPolicyInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNetworkPolicyInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredNetworkPolicyInformer(client kubernetes.Interface, namespace str
 				}
 				return client.NetworkingV1().NetworkPolicies(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1.NetworkPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1/servicecidr.go b/staging/src/k8s.io/client-go/informers/networking/v1/servicecidr.go
index 039cdc7539acd..299e40611eb4e 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1/servicecidr.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1/servicecidr.go
@@ -56,7 +56,7 @@ func NewServiceCIDRInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredServiceCIDRInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredServiceCIDRInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.NetworkingV1().ServiceCIDRs().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1.ServiceCIDR{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingress.go b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingress.go
index 6c616b902bea4..3e279cb544401 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingress.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingress.go
@@ -57,7 +57,7 @@ func NewIngressInformer(client kubernetes.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredIngressInformer(client kubernetes.Interface, namespace string, r
 				}
 				return client.NetworkingV1beta1().Ingresses(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1beta1.Ingress{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingressclass.go b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingressclass.go
index dd3a9aa7c5581..296abfa8c4c9f 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingressclass.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ingressclass.go
@@ -56,7 +56,7 @@ func NewIngressClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredIngressClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.NetworkingV1beta1().IngressClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1beta1.IngressClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ipaddress.go b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ipaddress.go
index 32ce3c4a8af3a..94f785f10dd45 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1beta1/ipaddress.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1beta1/ipaddress.go
@@ -56,7 +56,7 @@ func NewIPAddressInformer(client kubernetes.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIPAddressInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredIPAddressInformer(client kubernetes.Interface, resyncPeriod time
 				}
 				return client.NetworkingV1beta1().IPAddresses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1beta1.IPAddress{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/networking/v1beta1/servicecidr.go b/staging/src/k8s.io/client-go/informers/networking/v1beta1/servicecidr.go
index 25843d2fef536..67776463965ab 100644
--- a/staging/src/k8s.io/client-go/informers/networking/v1beta1/servicecidr.go
+++ b/staging/src/k8s.io/client-go/informers/networking/v1beta1/servicecidr.go
@@ -56,7 +56,7 @@ func NewServiceCIDRInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredServiceCIDRInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredServiceCIDRInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.NetworkingV1beta1().ServiceCIDRs().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkingv1beta1.ServiceCIDR{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/node/v1/runtimeclass.go b/staging/src/k8s.io/client-go/informers/node/v1/runtimeclass.go
index 85625e3e0189e..d794c569517ec 100644
--- a/staging/src/k8s.io/client-go/informers/node/v1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/informers/node/v1/runtimeclass.go
@@ -56,7 +56,7 @@ func NewRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.NodeV1().RuntimeClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinodev1.RuntimeClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/node/v1alpha1/runtimeclass.go b/staging/src/k8s.io/client-go/informers/node/v1alpha1/runtimeclass.go
index b3ac2e2a22949..01718ac102f35 100644
--- a/staging/src/k8s.io/client-go/informers/node/v1alpha1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/informers/node/v1alpha1/runtimeclass.go
@@ -56,7 +56,7 @@ func NewRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.NodeV1alpha1().RuntimeClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinodev1alpha1.RuntimeClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/node/v1beta1/runtimeclass.go b/staging/src/k8s.io/client-go/informers/node/v1beta1/runtimeclass.go
index b562476d48342..09390f58b45f5 100644
--- a/staging/src/k8s.io/client-go/informers/node/v1beta1/runtimeclass.go
+++ b/staging/src/k8s.io/client-go/informers/node/v1beta1/runtimeclass.go
@@ -56,7 +56,7 @@ func NewRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredRuntimeClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.NodeV1beta1().RuntimeClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinodev1beta1.RuntimeClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/policy/v1/poddisruptionbudget.go b/staging/src/k8s.io/client-go/informers/policy/v1/poddisruptionbudget.go
index f80d7dd9140e8..10e45d851e56f 100644
--- a/staging/src/k8s.io/client-go/informers/policy/v1/poddisruptionbudget.go
+++ b/staging/src/k8s.io/client-go/informers/policy/v1/poddisruptionbudget.go
@@ -57,7 +57,7 @@ func NewPodDisruptionBudgetInformer(client kubernetes.Interface, namespace strin
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPodDisruptionBudgetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredPodDisruptionBudgetInformer(client kubernetes.Interface, namespa
 				}
 				return client.PolicyV1().PodDisruptionBudgets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apipolicyv1.PodDisruptionBudget{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/policy/v1beta1/poddisruptionbudget.go b/staging/src/k8s.io/client-go/informers/policy/v1beta1/poddisruptionbudget.go
index 92e37d0eb7d30..a45d753eb6704 100644
--- a/staging/src/k8s.io/client-go/informers/policy/v1beta1/poddisruptionbudget.go
+++ b/staging/src/k8s.io/client-go/informers/policy/v1beta1/poddisruptionbudget.go
@@ -57,7 +57,7 @@ func NewPodDisruptionBudgetInformer(client kubernetes.Interface, namespace strin
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPodDisruptionBudgetInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredPodDisruptionBudgetInformer(client kubernetes.Interface, namespa
 				}
 				return client.PolicyV1beta1().PodDisruptionBudgets(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apipolicyv1beta1.PodDisruptionBudget{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrole.go b/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrole.go
index 4118bffff6986..02dab4f9a6c71 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrole.go
@@ -56,7 +56,7 @@ func NewClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.RbacV1().ClusterRoles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1.ClusterRole{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrolebinding.go
index 67c06d601270f..182009da85451 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1/clusterrolebinding.go
@@ -56,7 +56,7 @@ func NewClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPe
 				}
 				return client.RbacV1().ClusterRoleBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1.ClusterRoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1/role.go b/staging/src/k8s.io/client-go/informers/rbac/v1/role.go
index e931d2396276a..5a0a1f8003559 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1/role.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1/role.go
@@ -57,7 +57,7 @@ func NewRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resy
 				}
 				return client.RbacV1().Roles(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1.Role{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1/rolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1/rolebinding.go
index 89b11efff248f..0f0eec60f84a9 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1/rolebinding.go
@@ -57,7 +57,7 @@ func NewRoleBindingInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.RbacV1().RoleBindings(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1.RoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrole.go b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrole.go
index ff95f62ff9047..e1b25180b9579 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrole.go
@@ -56,7 +56,7 @@ func NewClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.RbacV1alpha1().ClusterRoles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1alpha1.ClusterRole{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrolebinding.go
index 1002f16300b62..d61e8b2930cf7 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/clusterrolebinding.go
@@ -56,7 +56,7 @@ func NewClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPe
 				}
 				return client.RbacV1alpha1().ClusterRoleBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1alpha1.ClusterRoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/role.go b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/role.go
index ad7b1c0b8b905..497bccbba1a67 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/role.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/role.go
@@ -57,7 +57,7 @@ func NewRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resy
 				}
 				return client.RbacV1alpha1().Roles(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1alpha1.Role{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/rolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/rolebinding.go
index c5d915d23aa50..0d8b390b30bbc 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1alpha1/rolebinding.go
@@ -57,7 +57,7 @@ func NewRoleBindingInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.RbacV1alpha1().RoleBindings(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1alpha1.RoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrole.go b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrole.go
index 24aad0b826391..1cc1a0dd0017b 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrole.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrole.go
@@ -56,7 +56,7 @@ func NewClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.RbacV1beta1().ClusterRoles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1beta1.ClusterRole{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrolebinding.go
index 3506b79722e16..a96ed0889a16e 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/clusterrolebinding.go
@@ -56,7 +56,7 @@ func NewClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterRoleBindingInformer(client kubernetes.Interface, resyncPe
 				}
 				return client.RbacV1beta1().ClusterRoleBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1beta1.ClusterRoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/role.go b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/role.go
index 119a601f09bed..922ac5dc5cf4d 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/role.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/role.go
@@ -57,7 +57,7 @@ func NewRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleInformer(client kubernetes.Interface, namespace string, resy
 				}
 				return client.RbacV1beta1().Roles(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1beta1.Role{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/rolebinding.go b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/rolebinding.go
index c36c295c0c75e..5fcd488493730 100644
--- a/staging/src/k8s.io/client-go/informers/rbac/v1beta1/rolebinding.go
+++ b/staging/src/k8s.io/client-go/informers/rbac/v1beta1/rolebinding.go
@@ -57,7 +57,7 @@ func NewRoleBindingInformer(client kubernetes.Interface, namespace string, resyn
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredRoleBindingInformer(client kubernetes.Interface, namespace strin
 				}
 				return client.RbacV1beta1().RoleBindings(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apirbacv1beta1.RoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1/deviceclass.go b/staging/src/k8s.io/client-go/informers/resource/v1/deviceclass.go
index 2b7e6b54ea4f4..867bb7b35e87b 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1/deviceclass.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1/deviceclass.go
@@ -56,7 +56,7 @@ func NewDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.ResourceV1().DeviceClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1.DeviceClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaim.go b/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaim.go
index 19100c4d14612..64deaed694e94 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaim.go
@@ -57,7 +57,7 @@ func NewResourceClaimInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace str
 				}
 				return client.ResourceV1().ResourceClaims(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1.ResourceClaim{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaimtemplate.go
index 999785261ebb7..131e159ef9a3c 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1/resourceclaimtemplate.go
@@ -57,7 +57,7 @@ func NewResourceClaimTemplateInformer(client kubernetes.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, names
 				}
 				return client.ResourceV1().ResourceClaimTemplates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1.ResourceClaimTemplate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1/resourceslice.go b/staging/src/k8s.io/client-go/informers/resource/v1/resourceslice.go
index ec2099c73c4de..a01abf0739603 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1/resourceslice.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1/resourceslice.go
@@ -56,7 +56,7 @@ func NewResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.ResourceV1().ResourceSlices().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1.ResourceSlice{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
index 9a07c8f4e53dc..0fdc88ac59650 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
@@ -56,7 +56,7 @@ func NewDeviceTaintRuleInformer(client kubernetes.Interface, resyncPeriod time.D
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeviceTaintRuleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredDeviceTaintRuleInformer(client kubernetes.Interface, resyncPerio
 				}
 				return client.ResourceV1alpha3().DeviceTaintRules().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1alpha3.DeviceTaintRule{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta1/deviceclass.go b/staging/src/k8s.io/client-go/informers/resource/v1beta1/deviceclass.go
index bb0b28245bea8..cb15fbc08ff9c 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta1/deviceclass.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta1/deviceclass.go
@@ -56,7 +56,7 @@ func NewDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.ResourceV1beta1().DeviceClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta1.DeviceClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaim.go b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaim.go
index 5e13b79732791..982c598515a15 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaim.go
@@ -57,7 +57,7 @@ func NewResourceClaimInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace str
 				}
 				return client.ResourceV1beta1().ResourceClaims(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta1.ResourceClaim{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaimtemplate.go
index 86c13a8f21588..51a6381af63a8 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceclaimtemplate.go
@@ -57,7 +57,7 @@ func NewResourceClaimTemplateInformer(client kubernetes.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, names
 				}
 				return client.ResourceV1beta1().ResourceClaimTemplates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta1.ResourceClaimTemplate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceslice.go b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceslice.go
index 6cc3c65fdf6e1..b6b1cc1fdc536 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceslice.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta1/resourceslice.go
@@ -56,7 +56,7 @@ func NewResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.ResourceV1beta1().ResourceSlices().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta1.ResourceSlice{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta2/deviceclass.go b/staging/src/k8s.io/client-go/informers/resource/v1beta2/deviceclass.go
index 372d35d8aab36..a940a214f4794 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta2/deviceclass.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta2/deviceclass.go
@@ -56,7 +56,7 @@ func NewDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredDeviceClassInformer(client kubernetes.Interface, resyncPeriod ti
 				}
 				return client.ResourceV1beta2().DeviceClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta2.DeviceClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaim.go b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaim.go
index e245d998c11aa..a5c085c2f0ccd 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaim.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaim.go
@@ -57,7 +57,7 @@ func NewResourceClaimInformer(client kubernetes.Interface, namespace string, res
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimInformer(client kubernetes.Interface, namespace str
 				}
 				return client.ResourceV1beta2().ResourceClaims(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta2.ResourceClaim{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaimtemplate.go b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaimtemplate.go
index 4b973bd969c52..7df9f74dd516d 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaimtemplate.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceclaimtemplate.go
@@ -57,7 +57,7 @@ func NewResourceClaimTemplateInformer(client kubernetes.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredResourceClaimTemplateInformer(client kubernetes.Interface, names
 				}
 				return client.ResourceV1beta2().ResourceClaimTemplates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta2.ResourceClaimTemplate{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceslice.go b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceslice.go
index c0cdc67a83d14..83e6cc037aa22 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceslice.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1beta2/resourceslice.go
@@ -56,7 +56,7 @@ func NewResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredResourceSliceInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.ResourceV1beta2().ResourceSlices().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiresourcev1beta2.ResourceSlice{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/scheduling/v1/priorityclass.go b/staging/src/k8s.io/client-go/informers/scheduling/v1/priorityclass.go
index df426366321cb..8cce79ce2387c 100644
--- a/staging/src/k8s.io/client-go/informers/scheduling/v1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/informers/scheduling/v1/priorityclass.go
@@ -56,7 +56,7 @@ func NewPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.SchedulingV1().PriorityClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apischedulingv1.PriorityClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/interface.go b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/interface.go
index cd908d14e6f88..fdfc4e6af476b 100644
--- a/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/interface.go
+++ b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/interface.go
@@ -26,6 +26,8 @@ import (
 type Interface interface {
 	// PriorityClasses returns a PriorityClassInformer.
 	PriorityClasses() PriorityClassInformer
+	// Workloads returns a WorkloadInformer.
+	Workloads() WorkloadInformer
 }
 
 type version struct {
@@ -43,3 +45,8 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 func (v *version) PriorityClasses() PriorityClassInformer {
 	return &priorityClassInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
+
+// Workloads returns a WorkloadInformer.
+func (v *version) Workloads() WorkloadInformer {
+	return &workloadInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/priorityclass.go b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/priorityclass.go
index 228240af12e88..88f99a7d005a9 100644
--- a/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/priorityclass.go
@@ -56,7 +56,7 @@ func NewPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.SchedulingV1alpha1().PriorityClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apischedulingv1alpha1.PriorityClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/workload.go b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/workload.go
new file mode 100644
index 0000000000000..c58e788946ce9
--- /dev/null
+++ b/staging/src/k8s.io/client-go/informers/scheduling/v1alpha1/workload.go
@@ -0,0 +1,102 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+	time "time"
+
+	apischedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
+	kubernetes "k8s.io/client-go/kubernetes"
+	schedulingv1alpha1 "k8s.io/client-go/listers/scheduling/v1alpha1"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WorkloadInformer provides access to a shared informer and lister for
+// Workloads.
+type WorkloadInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() schedulingv1alpha1.WorkloadLister
+}
+
+type workloadInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewWorkloadInformer constructs a new informer for Workload type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewWorkloadInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredWorkloadInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredWorkloadInformer constructs a new informer for Workload type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredWorkloadInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SchedulingV1alpha1().Workloads(namespace).List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SchedulingV1alpha1().Workloads(namespace).Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SchedulingV1alpha1().Workloads(namespace).List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SchedulingV1alpha1().Workloads(namespace).Watch(ctx, options)
+			},
+		}, client),
+		&apischedulingv1alpha1.Workload{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *workloadInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredWorkloadInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *workloadInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apischedulingv1alpha1.Workload{}, f.defaultInformer)
+}
+
+func (f *workloadInformer) Lister() schedulingv1alpha1.WorkloadLister {
+	return schedulingv1alpha1.NewWorkloadLister(f.Informer().GetIndexer())
+}
diff --git a/staging/src/k8s.io/client-go/informers/scheduling/v1beta1/priorityclass.go b/staging/src/k8s.io/client-go/informers/scheduling/v1beta1/priorityclass.go
index fd40bd0860f57..e8057f921a21b 100644
--- a/staging/src/k8s.io/client-go/informers/scheduling/v1beta1/priorityclass.go
+++ b/staging/src/k8s.io/client-go/informers/scheduling/v1beta1/priorityclass.go
@@ -56,7 +56,7 @@ func NewPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredPriorityClassInformer(client kubernetes.Interface, resyncPeriod
 				}
 				return client.SchedulingV1beta1().PriorityClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apischedulingv1beta1.PriorityClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/csidriver.go b/staging/src/k8s.io/client-go/informers/storage/v1/csidriver.go
index b79a51ca00116..3a1922edaa3a8 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/csidriver.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/csidriver.go
@@ -56,7 +56,7 @@ func NewCSIDriverInformer(client kubernetes.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSIDriverInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCSIDriverInformer(client kubernetes.Interface, resyncPeriod time
 				}
 				return client.StorageV1().CSIDrivers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.CSIDriver{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/csinode.go b/staging/src/k8s.io/client-go/informers/storage/v1/csinode.go
index 7a6040795e3c7..350ab61e57d46 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/csinode.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/csinode.go
@@ -56,7 +56,7 @@ func NewCSINodeInformer(client kubernetes.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSINodeInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCSINodeInformer(client kubernetes.Interface, resyncPeriod time.D
 				}
 				return client.StorageV1().CSINodes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.CSINode{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/csistoragecapacity.go b/staging/src/k8s.io/client-go/informers/storage/v1/csistoragecapacity.go
index 84ef70f2e7f45..7c88e6e07b454 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/csistoragecapacity.go
@@ -57,7 +57,7 @@ func NewCSIStorageCapacityInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespac
 				}
 				return client.StorageV1().CSIStorageCapacities(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.CSIStorageCapacity{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/storageclass.go b/staging/src/k8s.io/client-go/informers/storage/v1/storageclass.go
index 7f17ecf8c78c9..620c1d3489c8f 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/storageclass.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/storageclass.go
@@ -56,7 +56,7 @@ func NewStorageClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStorageClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredStorageClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.StorageV1().StorageClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.StorageClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/volumeattachment.go b/staging/src/k8s.io/client-go/informers/storage/v1/volumeattachment.go
index 3dee340d52ab3..3b7c4611448c7 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/volumeattachment.go
@@ -56,7 +56,7 @@ func NewVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeri
 				}
 				return client.StorageV1().VolumeAttachments().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.VolumeAttachment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1/volumeattributesclass.go b/staging/src/k8s.io/client-go/informers/storage/v1/volumeattributesclass.go
index a230ba563f182..34dc8b48d89eb 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1/volumeattributesclass.go
@@ -56,7 +56,7 @@ func NewVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyn
 				}
 				return client.StorageV1().VolumeAttributesClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1.VolumeAttributesClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/csistoragecapacity.go b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/csistoragecapacity.go
index 794de10db170f..3b2753200c5bb 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/csistoragecapacity.go
@@ -57,7 +57,7 @@ func NewCSIStorageCapacityInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespac
 				}
 				return client.StorageV1alpha1().CSIStorageCapacities(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1alpha1.CSIStorageCapacity{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattachment.go b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattachment.go
index dc68be234499a..10ac7e55ed4f7 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattachment.go
@@ -56,7 +56,7 @@ func NewVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeri
 				}
 				return client.StorageV1alpha1().VolumeAttachments().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1alpha1.VolumeAttachment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattributesclass.go b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattributesclass.go
index 5210ea79a9199..312a443e34676 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1alpha1/volumeattributesclass.go
@@ -56,7 +56,7 @@ func NewVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyn
 				}
 				return client.StorageV1alpha1().VolumeAttributesClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1alpha1.VolumeAttributesClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csidriver.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csidriver.go
index a21dc94ff8902..007caaab5421c 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csidriver.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csidriver.go
@@ -56,7 +56,7 @@ func NewCSIDriverInformer(client kubernetes.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSIDriverInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCSIDriverInformer(client kubernetes.Interface, resyncPeriod time
 				}
 				return client.StorageV1beta1().CSIDrivers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.CSIDriver{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csinode.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csinode.go
index e789fe30964db..ce518f0b2e32c 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csinode.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csinode.go
@@ -56,7 +56,7 @@ func NewCSINodeInformer(client kubernetes.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSINodeInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredCSINodeInformer(client kubernetes.Interface, resyncPeriod time.D
 				}
 				return client.StorageV1beta1().CSINodes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.CSINode{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csistoragecapacity.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csistoragecapacity.go
index fa75b0b4f9a2c..88446b7695ebe 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/csistoragecapacity.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/csistoragecapacity.go
@@ -57,7 +57,7 @@ func NewCSIStorageCapacityInformer(client kubernetes.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredCSIStorageCapacityInformer(client kubernetes.Interface, namespac
 				}
 				return client.StorageV1beta1().CSIStorageCapacities(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.CSIStorageCapacity{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/storageclass.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/storageclass.go
index 23d7ca4fc7e2c..786d46d3a4943 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/storageclass.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/storageclass.go
@@ -56,7 +56,7 @@ func NewStorageClassInformer(client kubernetes.Interface, resyncPeriod time.Dura
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredStorageClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredStorageClassInformer(client kubernetes.Interface, resyncPeriod t
 				}
 				return client.StorageV1beta1().StorageClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.StorageClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattachment.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattachment.go
index 691b2c6d12793..0f1bf216138ed 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattachment.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattachment.go
@@ -56,7 +56,7 @@ func NewVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttachmentInformer(client kubernetes.Interface, resyncPeri
 				}
 				return client.StorageV1beta1().VolumeAttachments().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.VolumeAttachment{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattributesclass.go b/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattributesclass.go
index 7d66c581565ac..90e79cc710561 100644
--- a/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattributesclass.go
+++ b/staging/src/k8s.io/client-go/informers/storage/v1beta1/volumeattributesclass.go
@@ -56,7 +56,7 @@ func NewVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredVolumeAttributesClassInformer(client kubernetes.Interface, resyn
 				}
 				return client.StorageV1beta1().VolumeAttributesClasses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apistoragev1beta1.VolumeAttributesClass{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/client-go/informers/storagemigration/interface.go b/staging/src/k8s.io/client-go/informers/storagemigration/interface.go
index 1f7030fea8db4..426e50fd579d5 100644
--- a/staging/src/k8s.io/client-go/informers/storagemigration/interface.go
+++ b/staging/src/k8s.io/client-go/informers/storagemigration/interface.go
@@ -20,13 +20,13 @@ package storagemigration
 
 import (
 	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
-	v1alpha1 "k8s.io/client-go/informers/storagemigration/v1alpha1"
+	v1beta1 "k8s.io/client-go/informers/storagemigration/v1beta1"
 )
 
 // Interface provides access to each of this group's versions.
 type Interface interface {
-	// V1alpha1 provides access to shared informers for resources in V1alpha1.
-	V1alpha1() v1alpha1.Interface
+	// V1beta1 provides access to shared informers for resources in V1beta1.
+	V1beta1() v1beta1.Interface
 }
 
 type group struct {
@@ -40,7 +40,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
-// V1alpha1 returns a new v1alpha1.Interface.
-func (g *group) V1alpha1() v1alpha1.Interface {
-	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+// V1beta1 returns a new v1beta1.Interface.
+func (g *group) V1beta1() v1beta1.Interface {
+	return v1beta1.New(g.factory, g.namespace, g.tweakListOptions)
 }
diff --git a/staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/storageversionmigration.go b/staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/storageversionmigration.go
deleted file mode 100644
index 4debb5eef9fa8..0000000000000
--- a/staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/storageversionmigration.go
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by informer-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	context "context"
-	time "time"
-
-	apistoragemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtime "k8s.io/apimachinery/pkg/runtime"
-	watch "k8s.io/apimachinery/pkg/watch"
-	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
-	kubernetes "k8s.io/client-go/kubernetes"
-	storagemigrationv1alpha1 "k8s.io/client-go/listers/storagemigration/v1alpha1"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// StorageVersionMigrationInformer provides access to a shared informer and lister for
-// StorageVersionMigrations.
-type StorageVersionMigrationInformer interface {
-	Informer() cache.SharedIndexInformer
-	Lister() storagemigrationv1alpha1.StorageVersionMigrationLister
-}
-
-type storageVersionMigrationInformer struct {
-	factory          internalinterfaces.SharedInformerFactory
-	tweakListOptions internalinterfaces.TweakListOptionsFunc
-}
-
-// NewStorageVersionMigrationInformer constructs a new informer for StorageVersionMigration type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewStorageVersionMigrationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
-	return NewFilteredStorageVersionMigrationInformer(client, resyncPeriod, indexers, nil)
-}
-
-// NewFilteredStorageVersionMigrationInformer constructs a new informer for StorageVersionMigration type.
-// Always prefer using an informer factory to get a shared informer instead of getting an independent
-// one. This reduces memory footprint and number of connections to the server.
-func NewFilteredStorageVersionMigrationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
-	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.StoragemigrationV1alpha1().StorageVersionMigrations().List(context.Background(), options)
-			},
-			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.StoragemigrationV1alpha1().StorageVersionMigrations().Watch(context.Background(), options)
-			},
-			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.StoragemigrationV1alpha1().StorageVersionMigrations().List(ctx, options)
-			},
-			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
-				if tweakListOptions != nil {
-					tweakListOptions(&options)
-				}
-				return client.StoragemigrationV1alpha1().StorageVersionMigrations().Watch(ctx, options)
-			},
-		},
-		&apistoragemigrationv1alpha1.StorageVersionMigration{},
-		resyncPeriod,
-		indexers,
-	)
-}
-
-func (f *storageVersionMigrationInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
-	return NewFilteredStorageVersionMigrationInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
-}
-
-func (f *storageVersionMigrationInformer) Informer() cache.SharedIndexInformer {
-	return f.factory.InformerFor(&apistoragemigrationv1alpha1.StorageVersionMigration{}, f.defaultInformer)
-}
-
-func (f *storageVersionMigrationInformer) Lister() storagemigrationv1alpha1.StorageVersionMigrationLister {
-	return storagemigrationv1alpha1.NewStorageVersionMigrationLister(f.Informer().GetIndexer())
-}
diff --git a/staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/interface.go b/staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/interface.go
similarity index 98%
rename from staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/interface.go
rename to staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/interface.go
index 60724e7a287a9..220e1f5c8ce70 100644
--- a/staging/src/k8s.io/client-go/informers/storagemigration/v1alpha1/interface.go
+++ b/staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/interface.go
@@ -16,7 +16,7 @@ limitations under the License.
 
 // Code generated by informer-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
 
 import (
 	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
diff --git a/staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/storageversionmigration.go b/staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/storageversionmigration.go
new file mode 100644
index 0000000000000..370d88f242eba
--- /dev/null
+++ b/staging/src/k8s.io/client-go/informers/storagemigration/v1beta1/storageversionmigration.go
@@ -0,0 +1,101 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+	time "time"
+
+	apistoragemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
+	kubernetes "k8s.io/client-go/kubernetes"
+	storagemigrationv1beta1 "k8s.io/client-go/listers/storagemigration/v1beta1"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// StorageVersionMigrationInformer provides access to a shared informer and lister for
+// StorageVersionMigrations.
+type StorageVersionMigrationInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() storagemigrationv1beta1.StorageVersionMigrationLister
+}
+
+type storageVersionMigrationInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewStorageVersionMigrationInformer constructs a new informer for StorageVersionMigration type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewStorageVersionMigrationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredStorageVersionMigrationInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredStorageVersionMigrationInformer constructs a new informer for StorageVersionMigration type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredStorageVersionMigrationInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.StoragemigrationV1beta1().StorageVersionMigrations().List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.StoragemigrationV1beta1().StorageVersionMigrations().Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.StoragemigrationV1beta1().StorageVersionMigrations().List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.StoragemigrationV1beta1().StorageVersionMigrations().Watch(ctx, options)
+			},
+		}, client),
+		&apistoragemigrationv1beta1.StorageVersionMigration{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *storageVersionMigrationInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredStorageVersionMigrationInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *storageVersionMigrationInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apistoragemigrationv1beta1.StorageVersionMigration{}, f.defaultInformer)
+}
+
+func (f *storageVersionMigrationInformer) Lister() storagemigrationv1beta1.StorageVersionMigrationLister {
+	return storagemigrationv1beta1.NewStorageVersionMigrationLister(f.Informer().GetIndexer())
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/clientset.go b/staging/src/k8s.io/client-go/kubernetes/clientset.go
index 9a8b6f2acfd45..1ef0ff4b2cbea 100644
--- a/staging/src/k8s.io/client-go/kubernetes/clientset.go
+++ b/staging/src/k8s.io/client-go/kubernetes/clientset.go
@@ -77,7 +77,7 @@ import (
 	storagev1 "k8s.io/client-go/kubernetes/typed/storage/v1"
 	storagev1alpha1 "k8s.io/client-go/kubernetes/typed/storage/v1alpha1"
 	storagev1beta1 "k8s.io/client-go/kubernetes/typed/storage/v1beta1"
-	storagemigrationv1alpha1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1"
+	storagemigrationv1beta1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1"
 	rest "k8s.io/client-go/rest"
 	flowcontrol "k8s.io/client-go/util/flowcontrol"
 )
@@ -138,7 +138,7 @@ type Interface interface {
 	StorageV1beta1() storagev1beta1.StorageV1beta1Interface
 	StorageV1() storagev1.StorageV1Interface
 	StorageV1alpha1() storagev1alpha1.StorageV1alpha1Interface
-	StoragemigrationV1alpha1() storagemigrationv1alpha1.StoragemigrationV1alpha1Interface
+	StoragemigrationV1beta1() storagemigrationv1beta1.StoragemigrationV1beta1Interface
 }
 
 // Clientset contains the clients for groups.
@@ -198,7 +198,7 @@ type Clientset struct {
 	storageV1beta1                *storagev1beta1.StorageV1beta1Client
 	storageV1                     *storagev1.StorageV1Client
 	storageV1alpha1               *storagev1alpha1.StorageV1alpha1Client
-	storagemigrationV1alpha1      *storagemigrationv1alpha1.StoragemigrationV1alpha1Client
+	storagemigrationV1beta1       *storagemigrationv1beta1.StoragemigrationV1beta1Client
 }
 
 // AdmissionregistrationV1 retrieves the AdmissionregistrationV1Client
@@ -471,9 +471,9 @@ func (c *Clientset) StorageV1alpha1() storagev1alpha1.StorageV1alpha1Interface {
 	return c.storageV1alpha1
 }
 
-// StoragemigrationV1alpha1 retrieves the StoragemigrationV1alpha1Client
-func (c *Clientset) StoragemigrationV1alpha1() storagemigrationv1alpha1.StoragemigrationV1alpha1Interface {
-	return c.storagemigrationV1alpha1
+// StoragemigrationV1beta1 retrieves the StoragemigrationV1beta1Client
+func (c *Clientset) StoragemigrationV1beta1() storagemigrationv1beta1.StoragemigrationV1beta1Interface {
+	return c.storagemigrationV1beta1
 }
 
 // Discovery retrieves the DiscoveryClient
@@ -736,7 +736,7 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
 	if err != nil {
 		return nil, err
 	}
-	cs.storagemigrationV1alpha1, err = storagemigrationv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	cs.storagemigrationV1beta1, err = storagemigrationv1beta1.NewForConfigAndClient(&configShallowCopy, httpClient)
 	if err != nil {
 		return nil, err
 	}
@@ -815,7 +815,7 @@ func New(c rest.Interface) *Clientset {
 	cs.storageV1beta1 = storagev1beta1.New(c)
 	cs.storageV1 = storagev1.New(c)
 	cs.storageV1alpha1 = storagev1alpha1.New(c)
-	cs.storagemigrationV1alpha1 = storagemigrationv1alpha1.New(c)
+	cs.storagemigrationV1beta1 = storagemigrationv1beta1.New(c)
 
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 	return &cs
diff --git a/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go b/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
index 973b8a7159a0c..f729718bfb727 100644
--- a/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
+++ b/staging/src/k8s.io/client-go/kubernetes/fake/clientset_generated.go
@@ -134,8 +134,8 @@ import (
 	fakestoragev1alpha1 "k8s.io/client-go/kubernetes/typed/storage/v1alpha1/fake"
 	storagev1beta1 "k8s.io/client-go/kubernetes/typed/storage/v1beta1"
 	fakestoragev1beta1 "k8s.io/client-go/kubernetes/typed/storage/v1beta1/fake"
-	storagemigrationv1alpha1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1"
-	fakestoragemigrationv1alpha1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake"
+	storagemigrationv1beta1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1"
+	fakestoragemigrationv1beta1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake"
 	"k8s.io/client-go/testing"
 )
 
@@ -144,7 +144,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -160,8 +160,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -192,6 +192,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
@@ -503,7 +514,7 @@ func (c *Clientset) StorageV1alpha1() storagev1alpha1.StorageV1alpha1Interface {
 	return &fakestoragev1alpha1.FakeStorageV1alpha1{Fake: &c.Fake}
 }
 
-// StoragemigrationV1alpha1 retrieves the StoragemigrationV1alpha1Client
-func (c *Clientset) StoragemigrationV1alpha1() storagemigrationv1alpha1.StoragemigrationV1alpha1Interface {
-	return &fakestoragemigrationv1alpha1.FakeStoragemigrationV1alpha1{Fake: &c.Fake}
+// StoragemigrationV1beta1 retrieves the StoragemigrationV1beta1Client
+func (c *Clientset) StoragemigrationV1beta1() storagemigrationv1beta1.StoragemigrationV1beta1Interface {
+	return &fakestoragemigrationv1beta1.FakeStoragemigrationV1beta1{Fake: &c.Fake}
 }
diff --git a/staging/src/k8s.io/client-go/kubernetes/fake/register.go b/staging/src/k8s.io/client-go/kubernetes/fake/register.go
index 3be5276fbec4f..7a2bacfb573d3 100644
--- a/staging/src/k8s.io/client-go/kubernetes/fake/register.go
+++ b/staging/src/k8s.io/client-go/kubernetes/fake/register.go
@@ -73,7 +73,7 @@ import (
 	storagev1 "k8s.io/api/storage/v1"
 	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -139,7 +139,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
 	storagev1beta1.AddToScheme,
 	storagev1.AddToScheme,
 	storagev1alpha1.AddToScheme,
-	storagemigrationv1alpha1.AddToScheme,
+	storagemigrationv1beta1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/staging/src/k8s.io/client-go/kubernetes/scheme/register.go b/staging/src/k8s.io/client-go/kubernetes/scheme/register.go
index b96612ee5507c..9557cba2b4436 100644
--- a/staging/src/k8s.io/client-go/kubernetes/scheme/register.go
+++ b/staging/src/k8s.io/client-go/kubernetes/scheme/register.go
@@ -73,7 +73,7 @@ import (
 	storagev1 "k8s.io/api/storage/v1"
 	storagev1alpha1 "k8s.io/api/storage/v1alpha1"
 	storagev1beta1 "k8s.io/api/storage/v1beta1"
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -139,7 +139,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
 	storagev1beta1.AddToScheme,
 	storagev1.AddToScheme,
 	storagev1alpha1.AddToScheme,
-	storagemigrationv1alpha1.AddToScheme,
+	storagemigrationv1beta1.AddToScheme,
 }
 
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/certificates_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/certificates_client.go
index 06d3ce56a1c6f..163ddad017f71 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/certificates_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/certificates_client.go
@@ -29,7 +29,6 @@ import (
 type CertificatesV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	ClusterTrustBundlesGetter
-	PodCertificateRequestsGetter
 }
 
 // CertificatesV1alpha1Client is used to interact with features provided by the certificates.k8s.io group.
@@ -41,10 +40,6 @@ func (c *CertificatesV1alpha1Client) ClusterTrustBundles() ClusterTrustBundleInt
 	return newClusterTrustBundles(c)
 }
 
-func (c *CertificatesV1alpha1Client) PodCertificateRequests(namespace string) PodCertificateRequestInterface {
-	return newPodCertificateRequests(c, namespace)
-}
-
 // NewForConfig creates a new CertificatesV1alpha1Client for the given config.
 // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
 // where httpClient was generated with rest.HTTPClientFor(c).
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_certificates_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_certificates_client.go
index 7202eedd934cc..491e381005ff2 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_certificates_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_certificates_client.go
@@ -32,10 +32,6 @@ func (c *FakeCertificatesV1alpha1) ClusterTrustBundles() v1alpha1.ClusterTrustBu
 	return newFakeClusterTrustBundles(c)
 }
 
-func (c *FakeCertificatesV1alpha1) PodCertificateRequests(namespace string) v1alpha1.PodCertificateRequestInterface {
-	return newFakePodCertificateRequests(c, namespace)
-}
-
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeCertificatesV1alpha1) RESTClient() rest.Interface {
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_podcertificaterequest.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_podcertificaterequest.go
deleted file mode 100644
index d41e7718eacd3..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/fake/fake_podcertificaterequest.go
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	v1alpha1 "k8s.io/api/certificates/v1alpha1"
-	certificatesv1alpha1 "k8s.io/client-go/applyconfigurations/certificates/v1alpha1"
-	gentype "k8s.io/client-go/gentype"
-	typedcertificatesv1alpha1 "k8s.io/client-go/kubernetes/typed/certificates/v1alpha1"
-)
-
-// fakePodCertificateRequests implements PodCertificateRequestInterface
-type fakePodCertificateRequests struct {
-	*gentype.FakeClientWithListAndApply[*v1alpha1.PodCertificateRequest, *v1alpha1.PodCertificateRequestList, *certificatesv1alpha1.PodCertificateRequestApplyConfiguration]
-	Fake *FakeCertificatesV1alpha1
-}
-
-func newFakePodCertificateRequests(fake *FakeCertificatesV1alpha1, namespace string) typedcertificatesv1alpha1.PodCertificateRequestInterface {
-	return &fakePodCertificateRequests{
-		gentype.NewFakeClientWithListAndApply[*v1alpha1.PodCertificateRequest, *v1alpha1.PodCertificateRequestList, *certificatesv1alpha1.PodCertificateRequestApplyConfiguration](
-			fake.Fake,
-			namespace,
-			v1alpha1.SchemeGroupVersion.WithResource("podcertificaterequests"),
-			v1alpha1.SchemeGroupVersion.WithKind("PodCertificateRequest"),
-			func() *v1alpha1.PodCertificateRequest { return &v1alpha1.PodCertificateRequest{} },
-			func() *v1alpha1.PodCertificateRequestList { return &v1alpha1.PodCertificateRequestList{} },
-			func(dst, src *v1alpha1.PodCertificateRequestList) { dst.ListMeta = src.ListMeta },
-			func(list *v1alpha1.PodCertificateRequestList) []*v1alpha1.PodCertificateRequest {
-				return gentype.ToPointerSlice(list.Items)
-			},
-			func(list *v1alpha1.PodCertificateRequestList, items []*v1alpha1.PodCertificateRequest) {
-				list.Items = gentype.FromPointerSlice(items)
-			},
-		),
-		fake,
-	}
-}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/generated_expansion.go
index 9e7382eb11123..43cc534b375a7 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/generated_expansion.go
@@ -19,5 +19,3 @@ limitations under the License.
 package v1alpha1
 
 type ClusterTrustBundleExpansion interface{}
-
-type PodCertificateRequestExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/podcertificaterequest.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/podcertificaterequest.go
deleted file mode 100644
index cc908efe7e6a0..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1alpha1/podcertificaterequest.go
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	context "context"
-
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	applyconfigurationscertificatesv1alpha1 "k8s.io/client-go/applyconfigurations/certificates/v1alpha1"
-	gentype "k8s.io/client-go/gentype"
-	scheme "k8s.io/client-go/kubernetes/scheme"
-)
-
-// PodCertificateRequestsGetter has a method to return a PodCertificateRequestInterface.
-// A group's client should implement this interface.
-type PodCertificateRequestsGetter interface {
-	PodCertificateRequests(namespace string) PodCertificateRequestInterface
-}
-
-// PodCertificateRequestInterface has methods to work with PodCertificateRequest resources.
-type PodCertificateRequestInterface interface {
-	Create(ctx context.Context, podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, opts v1.CreateOptions) (*certificatesv1alpha1.PodCertificateRequest, error)
-	Update(ctx context.Context, podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, opts v1.UpdateOptions) (*certificatesv1alpha1.PodCertificateRequest, error)
-	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-	UpdateStatus(ctx context.Context, podCertificateRequest *certificatesv1alpha1.PodCertificateRequest, opts v1.UpdateOptions) (*certificatesv1alpha1.PodCertificateRequest, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*certificatesv1alpha1.PodCertificateRequest, error)
-	List(ctx context.Context, opts v1.ListOptions) (*certificatesv1alpha1.PodCertificateRequestList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *certificatesv1alpha1.PodCertificateRequest, err error)
-	Apply(ctx context.Context, podCertificateRequest *applyconfigurationscertificatesv1alpha1.PodCertificateRequestApplyConfiguration, opts v1.ApplyOptions) (result *certificatesv1alpha1.PodCertificateRequest, err error)
-	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
-	ApplyStatus(ctx context.Context, podCertificateRequest *applyconfigurationscertificatesv1alpha1.PodCertificateRequestApplyConfiguration, opts v1.ApplyOptions) (result *certificatesv1alpha1.PodCertificateRequest, err error)
-	PodCertificateRequestExpansion
-}
-
-// podCertificateRequests implements PodCertificateRequestInterface
-type podCertificateRequests struct {
-	*gentype.ClientWithListAndApply[*certificatesv1alpha1.PodCertificateRequest, *certificatesv1alpha1.PodCertificateRequestList, *applyconfigurationscertificatesv1alpha1.PodCertificateRequestApplyConfiguration]
-}
-
-// newPodCertificateRequests returns a PodCertificateRequests
-func newPodCertificateRequests(c *CertificatesV1alpha1Client, namespace string) *podCertificateRequests {
-	return &podCertificateRequests{
-		gentype.NewClientWithListAndApply[*certificatesv1alpha1.PodCertificateRequest, *certificatesv1alpha1.PodCertificateRequestList, *applyconfigurationscertificatesv1alpha1.PodCertificateRequestApplyConfiguration](
-			"podcertificaterequests",
-			c.RESTClient(),
-			scheme.ParameterCodec,
-			namespace,
-			func() *certificatesv1alpha1.PodCertificateRequest {
-				return &certificatesv1alpha1.PodCertificateRequest{}
-			},
-			func() *certificatesv1alpha1.PodCertificateRequestList {
-				return &certificatesv1alpha1.PodCertificateRequestList{}
-			},
-			gentype.PrefersProtobuf[*certificatesv1alpha1.PodCertificateRequest](),
-		),
-	}
-}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
index 8de95609f5c47..680630706f368 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
@@ -30,6 +30,7 @@ type CertificatesV1beta1Interface interface {
 	RESTClient() rest.Interface
 	CertificateSigningRequestsGetter
 	ClusterTrustBundlesGetter
+	PodCertificateRequestsGetter
 }
 
 // CertificatesV1beta1Client is used to interact with features provided by the certificates.k8s.io group.
@@ -45,6 +46,10 @@ func (c *CertificatesV1beta1Client) ClusterTrustBundles() ClusterTrustBundleInte
 	return newClusterTrustBundles(c)
 }
 
+func (c *CertificatesV1beta1Client) PodCertificateRequests(namespace string) PodCertificateRequestInterface {
+	return newPodCertificateRequests(c, namespace)
+}
+
 // NewForConfig creates a new CertificatesV1beta1Client for the given config.
 // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
 // where httpClient was generated with rest.HTTPClientFor(c).
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_certificates_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_certificates_client.go
index fba168ea18bf4..b6cef6de71b69 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_certificates_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_certificates_client.go
@@ -36,6 +36,10 @@ func (c *FakeCertificatesV1beta1) ClusterTrustBundles() v1beta1.ClusterTrustBund
 	return newFakeClusterTrustBundles(c)
 }
 
+func (c *FakeCertificatesV1beta1) PodCertificateRequests(namespace string) v1beta1.PodCertificateRequestInterface {
+	return newFakePodCertificateRequests(c, namespace)
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeCertificatesV1beta1) RESTClient() rest.Interface {
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_podcertificaterequest.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_podcertificaterequest.go
new file mode 100644
index 0000000000000..23c56d9b6fa8f
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake/fake_podcertificaterequest.go
@@ -0,0 +1,53 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1beta1 "k8s.io/api/certificates/v1beta1"
+	certificatesv1beta1 "k8s.io/client-go/applyconfigurations/certificates/v1beta1"
+	gentype "k8s.io/client-go/gentype"
+	typedcertificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
+)
+
+// fakePodCertificateRequests implements PodCertificateRequestInterface
+type fakePodCertificateRequests struct {
+	*gentype.FakeClientWithListAndApply[*v1beta1.PodCertificateRequest, *v1beta1.PodCertificateRequestList, *certificatesv1beta1.PodCertificateRequestApplyConfiguration]
+	Fake *FakeCertificatesV1beta1
+}
+
+func newFakePodCertificateRequests(fake *FakeCertificatesV1beta1, namespace string) typedcertificatesv1beta1.PodCertificateRequestInterface {
+	return &fakePodCertificateRequests{
+		gentype.NewFakeClientWithListAndApply[*v1beta1.PodCertificateRequest, *v1beta1.PodCertificateRequestList, *certificatesv1beta1.PodCertificateRequestApplyConfiguration](
+			fake.Fake,
+			namespace,
+			v1beta1.SchemeGroupVersion.WithResource("podcertificaterequests"),
+			v1beta1.SchemeGroupVersion.WithKind("PodCertificateRequest"),
+			func() *v1beta1.PodCertificateRequest { return &v1beta1.PodCertificateRequest{} },
+			func() *v1beta1.PodCertificateRequestList { return &v1beta1.PodCertificateRequestList{} },
+			func(dst, src *v1beta1.PodCertificateRequestList) { dst.ListMeta = src.ListMeta },
+			func(list *v1beta1.PodCertificateRequestList) []*v1beta1.PodCertificateRequest {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1beta1.PodCertificateRequestList, items []*v1beta1.PodCertificateRequest) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
index 408936e06baf2..3db796959d948 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
@@ -19,3 +19,5 @@ limitations under the License.
 package v1beta1
 
 type ClusterTrustBundleExpansion interface{}
+
+type PodCertificateRequestExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/podcertificaterequest.go b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/podcertificaterequest.go
new file mode 100644
index 0000000000000..4ef7d33968d8e
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/podcertificaterequest.go
@@ -0,0 +1,77 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	applyconfigurationscertificatesv1beta1 "k8s.io/client-go/applyconfigurations/certificates/v1beta1"
+	gentype "k8s.io/client-go/gentype"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+)
+
+// PodCertificateRequestsGetter has a method to return a PodCertificateRequestInterface.
+// A group's client should implement this interface.
+type PodCertificateRequestsGetter interface {
+	PodCertificateRequests(namespace string) PodCertificateRequestInterface
+}
+
+// PodCertificateRequestInterface has methods to work with PodCertificateRequest resources.
+type PodCertificateRequestInterface interface {
+	Create(ctx context.Context, podCertificateRequest *certificatesv1beta1.PodCertificateRequest, opts v1.CreateOptions) (*certificatesv1beta1.PodCertificateRequest, error)
+	Update(ctx context.Context, podCertificateRequest *certificatesv1beta1.PodCertificateRequest, opts v1.UpdateOptions) (*certificatesv1beta1.PodCertificateRequest, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, podCertificateRequest *certificatesv1beta1.PodCertificateRequest, opts v1.UpdateOptions) (*certificatesv1beta1.PodCertificateRequest, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*certificatesv1beta1.PodCertificateRequest, error)
+	List(ctx context.Context, opts v1.ListOptions) (*certificatesv1beta1.PodCertificateRequestList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *certificatesv1beta1.PodCertificateRequest, err error)
+	Apply(ctx context.Context, podCertificateRequest *applyconfigurationscertificatesv1beta1.PodCertificateRequestApplyConfiguration, opts v1.ApplyOptions) (result *certificatesv1beta1.PodCertificateRequest, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, podCertificateRequest *applyconfigurationscertificatesv1beta1.PodCertificateRequestApplyConfiguration, opts v1.ApplyOptions) (result *certificatesv1beta1.PodCertificateRequest, err error)
+	PodCertificateRequestExpansion
+}
+
+// podCertificateRequests implements PodCertificateRequestInterface
+type podCertificateRequests struct {
+	*gentype.ClientWithListAndApply[*certificatesv1beta1.PodCertificateRequest, *certificatesv1beta1.PodCertificateRequestList, *applyconfigurationscertificatesv1beta1.PodCertificateRequestApplyConfiguration]
+}
+
+// newPodCertificateRequests returns a PodCertificateRequests
+func newPodCertificateRequests(c *CertificatesV1beta1Client, namespace string) *podCertificateRequests {
+	return &podCertificateRequests{
+		gentype.NewClientWithListAndApply[*certificatesv1beta1.PodCertificateRequest, *certificatesv1beta1.PodCertificateRequestList, *applyconfigurationscertificatesv1beta1.PodCertificateRequestApplyConfiguration](
+			"podcertificaterequests",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			namespace,
+			func() *certificatesv1beta1.PodCertificateRequest { return &certificatesv1beta1.PodCertificateRequest{} },
+			func() *certificatesv1beta1.PodCertificateRequestList {
+				return &certificatesv1beta1.PodCertificateRequestList{}
+			},
+			gentype.PrefersProtobuf[*certificatesv1beta1.PodCertificateRequest](),
+		),
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
index 77e26b6e3a531..dd2512c97ab05 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
@@ -40,6 +40,8 @@ type DeviceTaintRulesGetter interface {
 type DeviceTaintRuleInterface interface {
 	Create(ctx context.Context, deviceTaintRule *resourcev1alpha3.DeviceTaintRule, opts v1.CreateOptions) (*resourcev1alpha3.DeviceTaintRule, error)
 	Update(ctx context.Context, deviceTaintRule *resourcev1alpha3.DeviceTaintRule, opts v1.UpdateOptions) (*resourcev1alpha3.DeviceTaintRule, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, deviceTaintRule *resourcev1alpha3.DeviceTaintRule, opts v1.UpdateOptions) (*resourcev1alpha3.DeviceTaintRule, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*resourcev1alpha3.DeviceTaintRule, error)
@@ -47,6 +49,8 @@ type DeviceTaintRuleInterface interface {
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *resourcev1alpha3.DeviceTaintRule, err error)
 	Apply(ctx context.Context, deviceTaintRule *applyconfigurationsresourcev1alpha3.DeviceTaintRuleApplyConfiguration, opts v1.ApplyOptions) (result *resourcev1alpha3.DeviceTaintRule, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, deviceTaintRule *applyconfigurationsresourcev1alpha3.DeviceTaintRuleApplyConfiguration, opts v1.ApplyOptions) (result *resourcev1alpha3.DeviceTaintRule, err error)
 	DeviceTaintRuleExpansion
 }
 
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_scheduling_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_scheduling_client.go
index 34e8ad9bdf4f9..2be141266292a 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_scheduling_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_scheduling_client.go
@@ -32,6 +32,10 @@ func (c *FakeSchedulingV1alpha1) PriorityClasses() v1alpha1.PriorityClassInterfa
 	return newFakePriorityClasses(c)
 }
 
+func (c *FakeSchedulingV1alpha1) Workloads(namespace string) v1alpha1.WorkloadInterface {
+	return newFakeWorkloads(c, namespace)
+}
+
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
 func (c *FakeSchedulingV1alpha1) RESTClient() rest.Interface {
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_workload.go b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_workload.go
new file mode 100644
index 0000000000000..06a48d24e0c20
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake/fake_workload.go
@@ -0,0 +1,51 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	schedulingv1alpha1 "k8s.io/client-go/applyconfigurations/scheduling/v1alpha1"
+	gentype "k8s.io/client-go/gentype"
+	typedschedulingv1alpha1 "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1"
+)
+
+// fakeWorkloads implements WorkloadInterface
+type fakeWorkloads struct {
+	*gentype.FakeClientWithListAndApply[*v1alpha1.Workload, *v1alpha1.WorkloadList, *schedulingv1alpha1.WorkloadApplyConfiguration]
+	Fake *FakeSchedulingV1alpha1
+}
+
+func newFakeWorkloads(fake *FakeSchedulingV1alpha1, namespace string) typedschedulingv1alpha1.WorkloadInterface {
+	return &fakeWorkloads{
+		gentype.NewFakeClientWithListAndApply[*v1alpha1.Workload, *v1alpha1.WorkloadList, *schedulingv1alpha1.WorkloadApplyConfiguration](
+			fake.Fake,
+			namespace,
+			v1alpha1.SchemeGroupVersion.WithResource("workloads"),
+			v1alpha1.SchemeGroupVersion.WithKind("Workload"),
+			func() *v1alpha1.Workload { return &v1alpha1.Workload{} },
+			func() *v1alpha1.WorkloadList { return &v1alpha1.WorkloadList{} },
+			func(dst, src *v1alpha1.WorkloadList) { dst.ListMeta = src.ListMeta },
+			func(list *v1alpha1.WorkloadList) []*v1alpha1.Workload { return gentype.ToPointerSlice(list.Items) },
+			func(list *v1alpha1.WorkloadList, items []*v1alpha1.Workload) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
index 52f81d881cc7c..24946041af446 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
@@ -19,3 +19,5 @@ limitations under the License.
 package v1alpha1
 
 type PriorityClassExpansion interface{}
+
+type WorkloadExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
index b17b182f135e6..0c53bc368a95d 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
@@ -29,6 +29,7 @@ import (
 type SchedulingV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	PriorityClassesGetter
+	WorkloadsGetter
 }
 
 // SchedulingV1alpha1Client is used to interact with features provided by the scheduling.k8s.io group.
@@ -40,6 +41,10 @@ func (c *SchedulingV1alpha1Client) PriorityClasses() PriorityClassInterface {
 	return newPriorityClasses(c)
 }
 
+func (c *SchedulingV1alpha1Client) Workloads(namespace string) WorkloadInterface {
+	return newWorkloads(c, namespace)
+}
+
 // NewForConfig creates a new SchedulingV1alpha1Client for the given config.
 // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
 // where httpClient was generated with rest.HTTPClientFor(c).
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/workload.go b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/workload.go
new file mode 100644
index 0000000000000..9c906b5e89b26
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/workload.go
@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	applyconfigurationsschedulingv1alpha1 "k8s.io/client-go/applyconfigurations/scheduling/v1alpha1"
+	gentype "k8s.io/client-go/gentype"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+)
+
+// WorkloadsGetter has a method to return a WorkloadInterface.
+// A group's client should implement this interface.
+type WorkloadsGetter interface {
+	Workloads(namespace string) WorkloadInterface
+}
+
+// WorkloadInterface has methods to work with Workload resources.
+type WorkloadInterface interface {
+	Create(ctx context.Context, workload *schedulingv1alpha1.Workload, opts v1.CreateOptions) (*schedulingv1alpha1.Workload, error)
+	Update(ctx context.Context, workload *schedulingv1alpha1.Workload, opts v1.UpdateOptions) (*schedulingv1alpha1.Workload, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*schedulingv1alpha1.Workload, error)
+	List(ctx context.Context, opts v1.ListOptions) (*schedulingv1alpha1.WorkloadList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *schedulingv1alpha1.Workload, err error)
+	Apply(ctx context.Context, workload *applyconfigurationsschedulingv1alpha1.WorkloadApplyConfiguration, opts v1.ApplyOptions) (result *schedulingv1alpha1.Workload, err error)
+	WorkloadExpansion
+}
+
+// workloads implements WorkloadInterface
+type workloads struct {
+	*gentype.ClientWithListAndApply[*schedulingv1alpha1.Workload, *schedulingv1alpha1.WorkloadList, *applyconfigurationsschedulingv1alpha1.WorkloadApplyConfiguration]
+}
+
+// newWorkloads returns a Workloads
+func newWorkloads(c *SchedulingV1alpha1Client, namespace string) *workloads {
+	return &workloads{
+		gentype.NewClientWithListAndApply[*schedulingv1alpha1.Workload, *schedulingv1alpha1.WorkloadList, *applyconfigurationsschedulingv1alpha1.WorkloadApplyConfiguration](
+			"workloads",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			namespace,
+			func() *schedulingv1alpha1.Workload { return &schedulingv1alpha1.Workload{} },
+			func() *schedulingv1alpha1.WorkloadList { return &schedulingv1alpha1.WorkloadList{} },
+			gentype.PrefersProtobuf[*schedulingv1alpha1.Workload](),
+		),
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/doc.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/doc.go
deleted file mode 100644
index df51baa4d4c17..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/doc.go
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-// This package has the automatically generated typed clients.
-package v1alpha1
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storageversionmigration.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storageversionmigration.go
deleted file mode 100644
index 02de9f302747e..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storageversionmigration.go
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package fake
-
-import (
-	v1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	storagemigrationv1alpha1 "k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1"
-	gentype "k8s.io/client-go/gentype"
-	typedstoragemigrationv1alpha1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1"
-)
-
-// fakeStorageVersionMigrations implements StorageVersionMigrationInterface
-type fakeStorageVersionMigrations struct {
-	*gentype.FakeClientWithListAndApply[*v1alpha1.StorageVersionMigration, *v1alpha1.StorageVersionMigrationList, *storagemigrationv1alpha1.StorageVersionMigrationApplyConfiguration]
-	Fake *FakeStoragemigrationV1alpha1
-}
-
-func newFakeStorageVersionMigrations(fake *FakeStoragemigrationV1alpha1) typedstoragemigrationv1alpha1.StorageVersionMigrationInterface {
-	return &fakeStorageVersionMigrations{
-		gentype.NewFakeClientWithListAndApply[*v1alpha1.StorageVersionMigration, *v1alpha1.StorageVersionMigrationList, *storagemigrationv1alpha1.StorageVersionMigrationApplyConfiguration](
-			fake.Fake,
-			"",
-			v1alpha1.SchemeGroupVersion.WithResource("storageversionmigrations"),
-			v1alpha1.SchemeGroupVersion.WithKind("StorageVersionMigration"),
-			func() *v1alpha1.StorageVersionMigration { return &v1alpha1.StorageVersionMigration{} },
-			func() *v1alpha1.StorageVersionMigrationList { return &v1alpha1.StorageVersionMigrationList{} },
-			func(dst, src *v1alpha1.StorageVersionMigrationList) { dst.ListMeta = src.ListMeta },
-			func(list *v1alpha1.StorageVersionMigrationList) []*v1alpha1.StorageVersionMigration {
-				return gentype.ToPointerSlice(list.Items)
-			},
-			func(list *v1alpha1.StorageVersionMigrationList, items []*v1alpha1.StorageVersionMigration) {
-				list.Items = gentype.FromPointerSlice(items)
-			},
-		),
-		fake,
-	}
-}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storagemigration_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storagemigration_client.go
deleted file mode 100644
index f7b5f5a1e20f5..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storagemigration_client.go
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	http "net/http"
-
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	scheme "k8s.io/client-go/kubernetes/scheme"
-	rest "k8s.io/client-go/rest"
-)
-
-type StoragemigrationV1alpha1Interface interface {
-	RESTClient() rest.Interface
-	StorageVersionMigrationsGetter
-}
-
-// StoragemigrationV1alpha1Client is used to interact with features provided by the storagemigration.k8s.io group.
-type StoragemigrationV1alpha1Client struct {
-	restClient rest.Interface
-}
-
-func (c *StoragemigrationV1alpha1Client) StorageVersionMigrations() StorageVersionMigrationInterface {
-	return newStorageVersionMigrations(c)
-}
-
-// NewForConfig creates a new StoragemigrationV1alpha1Client for the given config.
-// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
-// where httpClient was generated with rest.HTTPClientFor(c).
-func NewForConfig(c *rest.Config) (*StoragemigrationV1alpha1Client, error) {
-	config := *c
-	setConfigDefaults(&config)
-	httpClient, err := rest.HTTPClientFor(&config)
-	if err != nil {
-		return nil, err
-	}
-	return NewForConfigAndClient(&config, httpClient)
-}
-
-// NewForConfigAndClient creates a new StoragemigrationV1alpha1Client for the given config and http client.
-// Note the http client provided takes precedence over the configured transport values.
-func NewForConfigAndClient(c *rest.Config, h *http.Client) (*StoragemigrationV1alpha1Client, error) {
-	config := *c
-	setConfigDefaults(&config)
-	client, err := rest.RESTClientForConfigAndClient(&config, h)
-	if err != nil {
-		return nil, err
-	}
-	return &StoragemigrationV1alpha1Client{client}, nil
-}
-
-// NewForConfigOrDie creates a new StoragemigrationV1alpha1Client for the given config and
-// panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *StoragemigrationV1alpha1Client {
-	client, err := NewForConfig(c)
-	if err != nil {
-		panic(err)
-	}
-	return client
-}
-
-// New creates a new StoragemigrationV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *StoragemigrationV1alpha1Client {
-	return &StoragemigrationV1alpha1Client{c}
-}
-
-func setConfigDefaults(config *rest.Config) {
-	gv := storagemigrationv1alpha1.SchemeGroupVersion
-	config.GroupVersion = &gv
-	config.APIPath = "/apis"
-	config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion()
-
-	if config.UserAgent == "" {
-		config.UserAgent = rest.DefaultKubernetesUserAgent()
-	}
-}
-
-// RESTClient returns a RESTClient that is used to communicate
-// with API server by this client implementation.
-func (c *StoragemigrationV1alpha1Client) RESTClient() rest.Interface {
-	if c == nil {
-		return nil
-	}
-	return c.restClient
-}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storageversionmigration.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storageversionmigration.go
deleted file mode 100644
index 5c6981ec87d13..0000000000000
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/storageversionmigration.go
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by client-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	context "context"
-
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
-	watch "k8s.io/apimachinery/pkg/watch"
-	applyconfigurationsstoragemigrationv1alpha1 "k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1"
-	gentype "k8s.io/client-go/gentype"
-	scheme "k8s.io/client-go/kubernetes/scheme"
-)
-
-// StorageVersionMigrationsGetter has a method to return a StorageVersionMigrationInterface.
-// A group's client should implement this interface.
-type StorageVersionMigrationsGetter interface {
-	StorageVersionMigrations() StorageVersionMigrationInterface
-}
-
-// StorageVersionMigrationInterface has methods to work with StorageVersionMigration resources.
-type StorageVersionMigrationInterface interface {
-	Create(ctx context.Context, storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, opts v1.CreateOptions) (*storagemigrationv1alpha1.StorageVersionMigration, error)
-	Update(ctx context.Context, storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, opts v1.UpdateOptions) (*storagemigrationv1alpha1.StorageVersionMigration, error)
-	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
-	UpdateStatus(ctx context.Context, storageVersionMigration *storagemigrationv1alpha1.StorageVersionMigration, opts v1.UpdateOptions) (*storagemigrationv1alpha1.StorageVersionMigration, error)
-	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
-	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
-	Get(ctx context.Context, name string, opts v1.GetOptions) (*storagemigrationv1alpha1.StorageVersionMigration, error)
-	List(ctx context.Context, opts v1.ListOptions) (*storagemigrationv1alpha1.StorageVersionMigrationList, error)
-	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
-	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *storagemigrationv1alpha1.StorageVersionMigration, err error)
-	Apply(ctx context.Context, storageVersionMigration *applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationApplyConfiguration, opts v1.ApplyOptions) (result *storagemigrationv1alpha1.StorageVersionMigration, err error)
-	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
-	ApplyStatus(ctx context.Context, storageVersionMigration *applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationApplyConfiguration, opts v1.ApplyOptions) (result *storagemigrationv1alpha1.StorageVersionMigration, err error)
-	StorageVersionMigrationExpansion
-}
-
-// storageVersionMigrations implements StorageVersionMigrationInterface
-type storageVersionMigrations struct {
-	*gentype.ClientWithListAndApply[*storagemigrationv1alpha1.StorageVersionMigration, *storagemigrationv1alpha1.StorageVersionMigrationList, *applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationApplyConfiguration]
-}
-
-// newStorageVersionMigrations returns a StorageVersionMigrations
-func newStorageVersionMigrations(c *StoragemigrationV1alpha1Client) *storageVersionMigrations {
-	return &storageVersionMigrations{
-		gentype.NewClientWithListAndApply[*storagemigrationv1alpha1.StorageVersionMigration, *storagemigrationv1alpha1.StorageVersionMigrationList, *applyconfigurationsstoragemigrationv1alpha1.StorageVersionMigrationApplyConfiguration](
-			"storageversionmigrations",
-			c.RESTClient(),
-			scheme.ParameterCodec,
-			"",
-			func() *storagemigrationv1alpha1.StorageVersionMigration {
-				return &storagemigrationv1alpha1.StorageVersionMigration{}
-			},
-			func() *storagemigrationv1alpha1.StorageVersionMigrationList {
-				return &storagemigrationv1alpha1.StorageVersionMigrationList{}
-			},
-			gentype.PrefersProtobuf[*storagemigrationv1alpha1.StorageVersionMigration](),
-		),
-	}
-}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/doc.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/doc.go
new file mode 100644
index 0000000000000..771101956f368
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/doc.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/doc.go
similarity index 100%
rename from staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/doc.go
rename to staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/doc.go
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storagemigration_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storagemigration_client.go
similarity index 75%
rename from staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storagemigration_client.go
rename to staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storagemigration_client.go
index c33a1c0169bb4..3c87c10a0d4e0 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/fake/fake_storagemigration_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storagemigration_client.go
@@ -19,22 +19,22 @@ limitations under the License.
 package fake
 
 import (
-	v1alpha1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1"
+	v1beta1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
 
-type FakeStoragemigrationV1alpha1 struct {
+type FakeStoragemigrationV1beta1 struct {
 	*testing.Fake
 }
 
-func (c *FakeStoragemigrationV1alpha1) StorageVersionMigrations() v1alpha1.StorageVersionMigrationInterface {
+func (c *FakeStoragemigrationV1beta1) StorageVersionMigrations() v1beta1.StorageVersionMigrationInterface {
 	return newFakeStorageVersionMigrations(c)
 }
 
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeStoragemigrationV1alpha1) RESTClient() rest.Interface {
+func (c *FakeStoragemigrationV1beta1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storageversionmigration.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storageversionmigration.go
new file mode 100644
index 0000000000000..21fc8dc8ca245
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/fake/fake_storageversionmigration.go
@@ -0,0 +1,53 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1beta1 "k8s.io/api/storagemigration/v1beta1"
+	storagemigrationv1beta1 "k8s.io/client-go/applyconfigurations/storagemigration/v1beta1"
+	gentype "k8s.io/client-go/gentype"
+	typedstoragemigrationv1beta1 "k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1"
+)
+
+// fakeStorageVersionMigrations implements StorageVersionMigrationInterface
+type fakeStorageVersionMigrations struct {
+	*gentype.FakeClientWithListAndApply[*v1beta1.StorageVersionMigration, *v1beta1.StorageVersionMigrationList, *storagemigrationv1beta1.StorageVersionMigrationApplyConfiguration]
+	Fake *FakeStoragemigrationV1beta1
+}
+
+func newFakeStorageVersionMigrations(fake *FakeStoragemigrationV1beta1) typedstoragemigrationv1beta1.StorageVersionMigrationInterface {
+	return &fakeStorageVersionMigrations{
+		gentype.NewFakeClientWithListAndApply[*v1beta1.StorageVersionMigration, *v1beta1.StorageVersionMigrationList, *storagemigrationv1beta1.StorageVersionMigrationApplyConfiguration](
+			fake.Fake,
+			"",
+			v1beta1.SchemeGroupVersion.WithResource("storageversionmigrations"),
+			v1beta1.SchemeGroupVersion.WithKind("StorageVersionMigration"),
+			func() *v1beta1.StorageVersionMigration { return &v1beta1.StorageVersionMigration{} },
+			func() *v1beta1.StorageVersionMigrationList { return &v1beta1.StorageVersionMigrationList{} },
+			func(dst, src *v1beta1.StorageVersionMigrationList) { dst.ListMeta = src.ListMeta },
+			func(list *v1beta1.StorageVersionMigrationList) []*v1beta1.StorageVersionMigration {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1beta1.StorageVersionMigrationList, items []*v1beta1.StorageVersionMigration) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/generated_expansion.go
similarity index 97%
rename from staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/generated_expansion.go
rename to staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/generated_expansion.go
index 89220c3ce98f8..87a244affb49c 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/generated_expansion.go
@@ -16,6 +16,6 @@ limitations under the License.
 
 // Code generated by client-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
 
 type StorageVersionMigrationExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storagemigration_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storagemigration_client.go
new file mode 100644
index 0000000000000..018240793e4e1
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storagemigration_client.go
@@ -0,0 +1,101 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	http "net/http"
+
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type StoragemigrationV1beta1Interface interface {
+	RESTClient() rest.Interface
+	StorageVersionMigrationsGetter
+}
+
+// StoragemigrationV1beta1Client is used to interact with features provided by the storagemigration.k8s.io group.
+type StoragemigrationV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *StoragemigrationV1beta1Client) StorageVersionMigrations() StorageVersionMigrationInterface {
+	return newStorageVersionMigrations(c)
+}
+
+// NewForConfig creates a new StoragemigrationV1beta1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*StoragemigrationV1beta1Client, error) {
+	config := *c
+	setConfigDefaults(&config)
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new StoragemigrationV1beta1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*StoragemigrationV1beta1Client, error) {
+	config := *c
+	setConfigDefaults(&config)
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &StoragemigrationV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new StoragemigrationV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *StoragemigrationV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new StoragemigrationV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *StoragemigrationV1beta1Client {
+	return &StoragemigrationV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) {
+	gv := storagemigrationv1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *StoragemigrationV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storageversionmigration.go b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storageversionmigration.go
new file mode 100644
index 0000000000000..67eba28e0ef8d
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/storagemigration/v1beta1/storageversionmigration.go
@@ -0,0 +1,79 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	context "context"
+
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	applyconfigurationsstoragemigrationv1beta1 "k8s.io/client-go/applyconfigurations/storagemigration/v1beta1"
+	gentype "k8s.io/client-go/gentype"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+)
+
+// StorageVersionMigrationsGetter has a method to return a StorageVersionMigrationInterface.
+// A group's client should implement this interface.
+type StorageVersionMigrationsGetter interface {
+	StorageVersionMigrations() StorageVersionMigrationInterface
+}
+
+// StorageVersionMigrationInterface has methods to work with StorageVersionMigration resources.
+type StorageVersionMigrationInterface interface {
+	Create(ctx context.Context, storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, opts v1.CreateOptions) (*storagemigrationv1beta1.StorageVersionMigration, error)
+	Update(ctx context.Context, storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, opts v1.UpdateOptions) (*storagemigrationv1beta1.StorageVersionMigration, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, storageVersionMigration *storagemigrationv1beta1.StorageVersionMigration, opts v1.UpdateOptions) (*storagemigrationv1beta1.StorageVersionMigration, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*storagemigrationv1beta1.StorageVersionMigration, error)
+	List(ctx context.Context, opts v1.ListOptions) (*storagemigrationv1beta1.StorageVersionMigrationList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *storagemigrationv1beta1.StorageVersionMigration, err error)
+	Apply(ctx context.Context, storageVersionMigration *applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationApplyConfiguration, opts v1.ApplyOptions) (result *storagemigrationv1beta1.StorageVersionMigration, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, storageVersionMigration *applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationApplyConfiguration, opts v1.ApplyOptions) (result *storagemigrationv1beta1.StorageVersionMigration, err error)
+	StorageVersionMigrationExpansion
+}
+
+// storageVersionMigrations implements StorageVersionMigrationInterface
+type storageVersionMigrations struct {
+	*gentype.ClientWithListAndApply[*storagemigrationv1beta1.StorageVersionMigration, *storagemigrationv1beta1.StorageVersionMigrationList, *applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationApplyConfiguration]
+}
+
+// newStorageVersionMigrations returns a StorageVersionMigrations
+func newStorageVersionMigrations(c *StoragemigrationV1beta1Client) *storageVersionMigrations {
+	return &storageVersionMigrations{
+		gentype.NewClientWithListAndApply[*storagemigrationv1beta1.StorageVersionMigration, *storagemigrationv1beta1.StorageVersionMigrationList, *applyconfigurationsstoragemigrationv1beta1.StorageVersionMigrationApplyConfiguration](
+			"storageversionmigrations",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			"",
+			func() *storagemigrationv1beta1.StorageVersionMigration {
+				return &storagemigrationv1beta1.StorageVersionMigration{}
+			},
+			func() *storagemigrationv1beta1.StorageVersionMigrationList {
+				return &storagemigrationv1beta1.StorageVersionMigrationList{}
+			},
+			gentype.PrefersProtobuf[*storagemigrationv1beta1.StorageVersionMigration](),
+		),
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes_test/clientset_test.go b/staging/src/k8s.io/client-go/kubernetes_test/clientset_test.go
index ce1b1283aef1d..048538fd46fc8 100644
--- a/staging/src/k8s.io/client-go/kubernetes_test/clientset_test.go
+++ b/staging/src/k8s.io/client-go/kubernetes_test/clientset_test.go
@@ -18,17 +18,122 @@ package kubernetes_test
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
+	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/watch"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
+	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	fakeclientset "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/watchlist"
 )
 
+func TestDoesClientSupportWatchListSemanticsForKubeClient(t *testing.T) {
+	target, err := kubernetes.NewForConfig(&rest.Config{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("Kubernetes client should support WatchList semantics")
+	}
+}
+
+func TestWatchListSemanticsSimple(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if _, ok := req.URL.Query()["watch"]; !ok {
+			t.Errorf("expected a watch request, params: %v", req.URL.Query())
+			http.Error(w, fmt.Errorf("unexpected request").Error(), http.StatusInternalServerError)
+			return
+		}
+
+		obj := &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "apps/v1",
+				Kind:       "Deployment",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					metav1.InitialEventsAnnotationKey: "true",
+				},
+			},
+		}
+		rawObj, err := json.Marshal(obj)
+		if err != nil {
+			t.Errorf("failed to marshal rawObj: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		watchEvent := &metav1.WatchEvent{
+			Type:   string(watch.Bookmark),
+			Object: runtime.RawExtension{Raw: rawObj},
+		}
+		rawRsp, err := json.Marshal(watchEvent)
+		if err != nil {
+			t.Errorf("failed to marshal watchEvent: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write(rawRsp)
+		if err != nil {
+			t.Fatalf("failed to write response: %v", err)
+		}
+	}))
+	defer server.Close()
+
+	cfg := &rest.Config{Host: server.URL}
+	client, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	factory := informers.NewSharedInformerFactory(client, 0)
+	target := factory.Apps().V1().Deployments().Informer()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
+func TestUnSupportWatchListSemantics(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+	// The fake client doesn’t support WatchList semantics,
+	// so we don’t need to prepare a response.
+	fakeClient := fakeclientset.NewClientset()
+	factory := informers.NewSharedInformerFactory(fakeClient, 0)
+
+	// register a deployment infm
+	target := factory.Apps().V1().Deployments().Informer()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
 func TestClientUserAgent(t *testing.T) {
 	tests := []struct {
 		name      string
diff --git a/staging/src/k8s.io/client-go/kubernetes_test/fake_client_test.go b/staging/src/k8s.io/client-go/kubernetes_test/fake_client_test.go
index b1abc20423f04..95ee276f3ff48 100644
--- a/staging/src/k8s.io/client-go/kubernetes_test/fake_client_test.go
+++ b/staging/src/k8s.io/client-go/kubernetes_test/fake_client_test.go
@@ -26,8 +26,16 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/util/watchlist"
 )
 
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	target := fake.NewClientset()
+	if !watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("NewSimpleClientset should NOT support WatchList semantics")
+	}
+}
+
 // This test proves that the kube fake client does not return GVKs.  This is consistent with actual client (see tests below)
 // and should not be changed unless the decoding behavior and somehow literal creation (`&corev1.ConfigMap{}`) behavior change.
 func Test_ConfigMapFakeClient(t *testing.T) {
diff --git a/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/expansion_generated.go
index fd8d92193c494..d77258cb2d464 100644
--- a/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/expansion_generated.go
+++ b/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/expansion_generated.go
@@ -21,11 +21,3 @@ package v1alpha1
 // ClusterTrustBundleListerExpansion allows custom methods to be added to
 // ClusterTrustBundleLister.
 type ClusterTrustBundleListerExpansion interface{}
-
-// PodCertificateRequestListerExpansion allows custom methods to be added to
-// PodCertificateRequestLister.
-type PodCertificateRequestListerExpansion interface{}
-
-// PodCertificateRequestNamespaceListerExpansion allows custom methods to be added to
-// PodCertificateRequestNamespaceLister.
-type PodCertificateRequestNamespaceListerExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/podcertificaterequest.go b/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/podcertificaterequest.go
deleted file mode 100644
index 0f90e8b1f00bb..0000000000000
--- a/staging/src/k8s.io/client-go/listers/certificates/v1alpha1/podcertificaterequest.go
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	certificatesv1alpha1 "k8s.io/api/certificates/v1alpha1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	listers "k8s.io/client-go/listers"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// PodCertificateRequestLister helps list PodCertificateRequests.
-// All objects returned here must be treated as read-only.
-type PodCertificateRequestLister interface {
-	// List lists all PodCertificateRequests in the indexer.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*certificatesv1alpha1.PodCertificateRequest, err error)
-	// PodCertificateRequests returns an object that can list and get PodCertificateRequests.
-	PodCertificateRequests(namespace string) PodCertificateRequestNamespaceLister
-	PodCertificateRequestListerExpansion
-}
-
-// podCertificateRequestLister implements the PodCertificateRequestLister interface.
-type podCertificateRequestLister struct {
-	listers.ResourceIndexer[*certificatesv1alpha1.PodCertificateRequest]
-}
-
-// NewPodCertificateRequestLister returns a new PodCertificateRequestLister.
-func NewPodCertificateRequestLister(indexer cache.Indexer) PodCertificateRequestLister {
-	return &podCertificateRequestLister{listers.New[*certificatesv1alpha1.PodCertificateRequest](indexer, certificatesv1alpha1.Resource("podcertificaterequest"))}
-}
-
-// PodCertificateRequests returns an object that can list and get PodCertificateRequests.
-func (s *podCertificateRequestLister) PodCertificateRequests(namespace string) PodCertificateRequestNamespaceLister {
-	return podCertificateRequestNamespaceLister{listers.NewNamespaced[*certificatesv1alpha1.PodCertificateRequest](s.ResourceIndexer, namespace)}
-}
-
-// PodCertificateRequestNamespaceLister helps list and get PodCertificateRequests.
-// All objects returned here must be treated as read-only.
-type PodCertificateRequestNamespaceLister interface {
-	// List lists all PodCertificateRequests in the indexer for a given namespace.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*certificatesv1alpha1.PodCertificateRequest, err error)
-	// Get retrieves the PodCertificateRequest from the indexer for a given namespace and name.
-	// Objects returned here must be treated as read-only.
-	Get(name string) (*certificatesv1alpha1.PodCertificateRequest, error)
-	PodCertificateRequestNamespaceListerExpansion
-}
-
-// podCertificateRequestNamespaceLister implements the PodCertificateRequestNamespaceLister
-// interface.
-type podCertificateRequestNamespaceLister struct {
-	listers.ResourceIndexer[*certificatesv1alpha1.PodCertificateRequest]
-}
diff --git a/staging/src/k8s.io/client-go/listers/certificates/v1beta1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/certificates/v1beta1/expansion_generated.go
index 12a2554df008a..13e0fd65cc95c 100644
--- a/staging/src/k8s.io/client-go/listers/certificates/v1beta1/expansion_generated.go
+++ b/staging/src/k8s.io/client-go/listers/certificates/v1beta1/expansion_generated.go
@@ -25,3 +25,11 @@ type CertificateSigningRequestListerExpansion interface{}
 // ClusterTrustBundleListerExpansion allows custom methods to be added to
 // ClusterTrustBundleLister.
 type ClusterTrustBundleListerExpansion interface{}
+
+// PodCertificateRequestListerExpansion allows custom methods to be added to
+// PodCertificateRequestLister.
+type PodCertificateRequestListerExpansion interface{}
+
+// PodCertificateRequestNamespaceListerExpansion allows custom methods to be added to
+// PodCertificateRequestNamespaceLister.
+type PodCertificateRequestNamespaceListerExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/listers/certificates/v1beta1/podcertificaterequest.go b/staging/src/k8s.io/client-go/listers/certificates/v1beta1/podcertificaterequest.go
new file mode 100644
index 0000000000000..94f7d0dbda7f8
--- /dev/null
+++ b/staging/src/k8s.io/client-go/listers/certificates/v1beta1/podcertificaterequest.go
@@ -0,0 +1,70 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// PodCertificateRequestLister helps list PodCertificateRequests.
+// All objects returned here must be treated as read-only.
+type PodCertificateRequestLister interface {
+	// List lists all PodCertificateRequests in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*certificatesv1beta1.PodCertificateRequest, err error)
+	// PodCertificateRequests returns an object that can list and get PodCertificateRequests.
+	PodCertificateRequests(namespace string) PodCertificateRequestNamespaceLister
+	PodCertificateRequestListerExpansion
+}
+
+// podCertificateRequestLister implements the PodCertificateRequestLister interface.
+type podCertificateRequestLister struct {
+	listers.ResourceIndexer[*certificatesv1beta1.PodCertificateRequest]
+}
+
+// NewPodCertificateRequestLister returns a new PodCertificateRequestLister.
+func NewPodCertificateRequestLister(indexer cache.Indexer) PodCertificateRequestLister {
+	return &podCertificateRequestLister{listers.New[*certificatesv1beta1.PodCertificateRequest](indexer, certificatesv1beta1.Resource("podcertificaterequest"))}
+}
+
+// PodCertificateRequests returns an object that can list and get PodCertificateRequests.
+func (s *podCertificateRequestLister) PodCertificateRequests(namespace string) PodCertificateRequestNamespaceLister {
+	return podCertificateRequestNamespaceLister{listers.NewNamespaced[*certificatesv1beta1.PodCertificateRequest](s.ResourceIndexer, namespace)}
+}
+
+// PodCertificateRequestNamespaceLister helps list and get PodCertificateRequests.
+// All objects returned here must be treated as read-only.
+type PodCertificateRequestNamespaceLister interface {
+	// List lists all PodCertificateRequests in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*certificatesv1beta1.PodCertificateRequest, err error)
+	// Get retrieves the PodCertificateRequest from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*certificatesv1beta1.PodCertificateRequest, error)
+	PodCertificateRequestNamespaceListerExpansion
+}
+
+// podCertificateRequestNamespaceLister implements the PodCertificateRequestNamespaceLister
+// interface.
+type podCertificateRequestNamespaceLister struct {
+	listers.ResourceIndexer[*certificatesv1beta1.PodCertificateRequest]
+}
diff --git a/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/expansion_generated.go
index bde8b6206c8c5..8617325d8b6b8 100644
--- a/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/expansion_generated.go
+++ b/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/expansion_generated.go
@@ -21,3 +21,11 @@ package v1alpha1
 // PriorityClassListerExpansion allows custom methods to be added to
 // PriorityClassLister.
 type PriorityClassListerExpansion interface{}
+
+// WorkloadListerExpansion allows custom methods to be added to
+// WorkloadLister.
+type WorkloadListerExpansion interface{}
+
+// WorkloadNamespaceListerExpansion allows custom methods to be added to
+// WorkloadNamespaceLister.
+type WorkloadNamespaceListerExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/workload.go b/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/workload.go
new file mode 100644
index 0000000000000..24f51a5ef38a0
--- /dev/null
+++ b/staging/src/k8s.io/client-go/listers/scheduling/v1alpha1/workload.go
@@ -0,0 +1,70 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// WorkloadLister helps list Workloads.
+// All objects returned here must be treated as read-only.
+type WorkloadLister interface {
+	// List lists all Workloads in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*schedulingv1alpha1.Workload, err error)
+	// Workloads returns an object that can list and get Workloads.
+	Workloads(namespace string) WorkloadNamespaceLister
+	WorkloadListerExpansion
+}
+
+// workloadLister implements the WorkloadLister interface.
+type workloadLister struct {
+	listers.ResourceIndexer[*schedulingv1alpha1.Workload]
+}
+
+// NewWorkloadLister returns a new WorkloadLister.
+func NewWorkloadLister(indexer cache.Indexer) WorkloadLister {
+	return &workloadLister{listers.New[*schedulingv1alpha1.Workload](indexer, schedulingv1alpha1.Resource("workload"))}
+}
+
+// Workloads returns an object that can list and get Workloads.
+func (s *workloadLister) Workloads(namespace string) WorkloadNamespaceLister {
+	return workloadNamespaceLister{listers.NewNamespaced[*schedulingv1alpha1.Workload](s.ResourceIndexer, namespace)}
+}
+
+// WorkloadNamespaceLister helps list and get Workloads.
+// All objects returned here must be treated as read-only.
+type WorkloadNamespaceLister interface {
+	// List lists all Workloads in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*schedulingv1alpha1.Workload, err error)
+	// Get retrieves the Workload from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*schedulingv1alpha1.Workload, error)
+	WorkloadNamespaceListerExpansion
+}
+
+// workloadNamespaceLister implements the WorkloadNamespaceLister
+// interface.
+type workloadNamespaceLister struct {
+	listers.ResourceIndexer[*schedulingv1alpha1.Workload]
+}
diff --git a/staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/storageversionmigration.go b/staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/storageversionmigration.go
deleted file mode 100644
index e7d164d040a03..0000000000000
--- a/staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/storageversionmigration.go
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by lister-gen. DO NOT EDIT.
-
-package v1alpha1
-
-import (
-	storagemigrationv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
-	labels "k8s.io/apimachinery/pkg/labels"
-	listers "k8s.io/client-go/listers"
-	cache "k8s.io/client-go/tools/cache"
-)
-
-// StorageVersionMigrationLister helps list StorageVersionMigrations.
-// All objects returned here must be treated as read-only.
-type StorageVersionMigrationLister interface {
-	// List lists all StorageVersionMigrations in the indexer.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*storagemigrationv1alpha1.StorageVersionMigration, err error)
-	// Get retrieves the StorageVersionMigration from the index for a given name.
-	// Objects returned here must be treated as read-only.
-	Get(name string) (*storagemigrationv1alpha1.StorageVersionMigration, error)
-	StorageVersionMigrationListerExpansion
-}
-
-// storageVersionMigrationLister implements the StorageVersionMigrationLister interface.
-type storageVersionMigrationLister struct {
-	listers.ResourceIndexer[*storagemigrationv1alpha1.StorageVersionMigration]
-}
-
-// NewStorageVersionMigrationLister returns a new StorageVersionMigrationLister.
-func NewStorageVersionMigrationLister(indexer cache.Indexer) StorageVersionMigrationLister {
-	return &storageVersionMigrationLister{listers.New[*storagemigrationv1alpha1.StorageVersionMigration](indexer, storagemigrationv1alpha1.Resource("storageversionmigration"))}
-}
diff --git a/staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/expansion_generated.go b/staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/expansion_generated.go
similarity index 97%
rename from staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/expansion_generated.go
rename to staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/expansion_generated.go
index 92eb5c65b4f8a..9532c82918252 100644
--- a/staging/src/k8s.io/client-go/listers/storagemigration/v1alpha1/expansion_generated.go
+++ b/staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/expansion_generated.go
@@ -16,7 +16,7 @@ limitations under the License.
 
 // Code generated by lister-gen. DO NOT EDIT.
 
-package v1alpha1
+package v1beta1
 
 // StorageVersionMigrationListerExpansion allows custom methods to be added to
 // StorageVersionMigrationLister.
diff --git a/staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/storageversionmigration.go b/staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/storageversionmigration.go
new file mode 100644
index 0000000000000..f96e066a2b181
--- /dev/null
+++ b/staging/src/k8s.io/client-go/listers/storagemigration/v1beta1/storageversionmigration.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	storagemigrationv1beta1 "k8s.io/api/storagemigration/v1beta1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// StorageVersionMigrationLister helps list StorageVersionMigrations.
+// All objects returned here must be treated as read-only.
+type StorageVersionMigrationLister interface {
+	// List lists all StorageVersionMigrations in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*storagemigrationv1beta1.StorageVersionMigration, err error)
+	// Get retrieves the StorageVersionMigration from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*storagemigrationv1beta1.StorageVersionMigration, error)
+	StorageVersionMigrationListerExpansion
+}
+
+// storageVersionMigrationLister implements the StorageVersionMigrationLister interface.
+type storageVersionMigrationLister struct {
+	listers.ResourceIndexer[*storagemigrationv1beta1.StorageVersionMigration]
+}
+
+// NewStorageVersionMigrationLister returns a new StorageVersionMigrationLister.
+func NewStorageVersionMigrationLister(indexer cache.Indexer) StorageVersionMigrationLister {
+	return &storageVersionMigrationLister{listers.New[*storagemigrationv1beta1.StorageVersionMigration](indexer, storagemigrationv1beta1.Resource("storageversionmigration"))}
+}
diff --git a/staging/src/k8s.io/client-go/metadata/fake/simple.go b/staging/src/k8s.io/client-go/metadata/fake/simple.go
index 47beb1f8de307..fc50113fca136 100644
--- a/staging/src/k8s.io/client-go/metadata/fake/simple.go
+++ b/staging/src/k8s.io/client-go/metadata/fake/simple.go
@@ -109,6 +109,10 @@ func (c *FakeMetadataClient) Resource(resource schema.GroupVersionResource) meta
 	return &metadataResourceClient{client: c, resource: resource}
 }
 
+func (c *FakeMetadataClient) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // Namespace returns an interface for accessing the current resource in the specified
 // namespace.
 func (c *metadataResourceClient) Namespace(ns string) metadata.ResourceInterface {
diff --git a/staging/src/k8s.io/client-go/metadata/fake/simple_test.go b/staging/src/k8s.io/client-go/metadata/fake/simple_test.go
index a8369f9f1fbfd..d20a8a2659ada 100644
--- a/staging/src/k8s.io/client-go/metadata/fake/simple_test.go
+++ b/staging/src/k8s.io/client-go/metadata/fake/simple_test.go
@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/watchlist"
 )
 
 const (
@@ -58,6 +59,13 @@ func newPartialObjectMetadataWithAnnotations(annotations map[string]string) *met
 	return u
 }
 
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	target := &FakeMetadataClient{}
+	if !watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("FakeMetadataClient should NOT support WatchList semantics")
+	}
+}
+
 func TestList(t *testing.T) {
 	scheme := NewTestScheme()
 	metav1.AddMetaToScheme(scheme)
diff --git a/staging/src/k8s.io/client-go/metadata/metadata_test.go b/staging/src/k8s.io/client-go/metadata/metadata_test.go
index 8e20692652d55..905a7030881f6 100644
--- a/staging/src/k8s.io/client-go/metadata/metadata_test.go
+++ b/staging/src/k8s.io/client-go/metadata/metadata_test.go
@@ -32,9 +32,20 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/util/watchlist"
 	"k8s.io/klog/v2/ktesting"
 )
 
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	target, err := NewForConfig(&rest.Config{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("Metadata client should support WatchList semantics")
+	}
+}
+
 func TestClient(t *testing.T) {
 	gvr := schema.GroupVersionResource{Group: "group", Version: "v1", Resource: "resource"}
 	statusOK := &metav1.Status{
diff --git a/staging/src/k8s.io/client-go/metadata/metadatainformer/informer.go b/staging/src/k8s.io/client-go/metadata/metadatainformer/informer.go
index 6eb0584fd393f..665198f12a250 100644
--- a/staging/src/k8s.io/client-go/metadata/metadatainformer/informer.go
+++ b/staging/src/k8s.io/client-go/metadata/metadatainformer/informer.go
@@ -178,7 +178,7 @@ func NewFilteredMetadataInformer(client metadata.Interface, gvr schema.GroupVers
 	return &metadataInformer{
 		gvr: gvr,
 		informer: cache.NewSharedIndexInformer(
-			&cache.ListWatch{
+			cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					if tweakListOptions != nil {
 						tweakListOptions(&options)
@@ -203,7 +203,7 @@ func NewFilteredMetadataInformer(client metadata.Interface, gvr schema.GroupVers
 					}
 					return client.Resource(gvr).Namespace(namespace).Watch(ctx, options)
 				},
-			},
+			}, client),
 			&metav1.PartialObjectMetadata{},
 			resyncPeriod,
 			indexers,
diff --git a/staging/src/k8s.io/client-go/metadata/metadatainformer/informer_test.go b/staging/src/k8s.io/client-go/metadata/metadatainformer/informer_test.go
index f52dbf061651c..baef474fbd64d 100644
--- a/staging/src/k8s.io/client-go/metadata/metadatainformer/informer_test.go
+++ b/staging/src/k8s.io/client-go/metadata/metadatainformer/informer_test.go
@@ -19,18 +19,28 @@ package metadatainformer
 import (
 	"context"
 	"flag"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"k8s.io/klog/v2"
 
+	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/watch"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
+	"k8s.io/client-go/metadata"
 	"k8s.io/client-go/metadata/fake"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
 )
 
 func init() {
@@ -39,6 +49,91 @@ func init() {
 	flag.CommandLine.Lookup("alsologtostderr").Value.Set("true")
 }
 
+func TestWatchListSemanticsSimple(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if _, ok := req.URL.Query()["watch"]; !ok {
+			t.Errorf("expected a watch request, params: %v", req.URL.Query())
+			http.Error(w, fmt.Errorf("unexpected request").Error(), http.StatusInternalServerError)
+			return
+		}
+
+		obj := &metav1.PartialObjectMetadata{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "meta.k8s.io/v1",
+				Kind:       "PartialObjectMetadata",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					metav1.InitialEventsAnnotationKey: "true",
+				},
+			},
+		}
+		rawObj, err := json.Marshal(obj)
+		if err != nil {
+			t.Errorf("failed to marshal rawObj: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		watchEvent := &metav1.WatchEvent{
+			Type:   string(watch.Bookmark),
+			Object: runtime.RawExtension{Raw: rawObj},
+		}
+		rawRsp, err := json.Marshal(watchEvent)
+		if err != nil {
+			t.Errorf("failed to marshal watchEvent: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write(rawRsp)
+		if err != nil {
+			t.Fatalf("failed to write response: %v", err)
+		}
+	}))
+	defer server.Close()
+
+	cfg := &rest.Config{Host: server.URL}
+	client, err := metadata.NewForConfig(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	factory := NewFilteredSharedInformerFactory(client, 0, "ns", nil)
+	target := factory.ForResource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.Informer().HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
+func TestUnSupportWatchListSemantics(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+	scheme := runtime.NewScheme()
+	if err := appsv1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to add appsv1 to scheme: %v", err)
+	}
+	// The fake client doesn’t support WatchList semantics,
+	// so we don’t need to prepare a response.
+	fakeClient := fake.NewSimpleMetadataClient(scheme)
+	factory := NewFilteredSharedInformerFactory(fakeClient, 0, "ns", nil)
+	target := factory.ForResource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	factory.Start(ctx.Done())
+
+	if !cache.WaitForCacheSync(ctx.Done(), target.Informer().HasSynced) {
+		t.Fatalf("failed to wait for caches to sync")
+	}
+}
+
 func TestMetadataSharedInformerFactory(t *testing.T) {
 	scenarios := []struct {
 		name        string
diff --git a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/doc.go b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/doc.go
index e378b75cf696a..0925da4243d1b 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/doc.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/client-go/pkg/apis/clientauthentication
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.client-go.pkg.apis.clientauthentication.v1
 
 // +groupName=client.authentication.k8s.io
 
diff --git a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/zz_generated.model_name.go b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..d8fb338e6aa15
--- /dev/null
+++ b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Cluster) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1.Cluster"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredential) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1.ExecCredential"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredentialSpec) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1.ExecCredentialSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredentialStatus) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1.ExecCredentialStatus"
+}
diff --git a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/doc.go b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/doc.go
index 6eb6a98157460..207ff5c9d13fb 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/doc.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/client-go/pkg/apis/clientauthentication
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.client-go.pkg.apis.clientauthentication.v1beta1
 
 // +groupName=client.authentication.k8s.io
 
diff --git a/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..24b2c12f97ef8
--- /dev/null
+++ b/staging/src/k8s.io/client-go/pkg/apis/clientauthentication/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Cluster) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1beta1.Cluster"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredential) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1beta1.ExecCredential"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredentialSpec) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1beta1.ExecCredentialSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecCredentialStatus) OpenAPIModelName() string {
+	return "io.k8s.client-go.pkg.apis.clientauthentication.v1beta1.ExecCredentialStatus"
+}
diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
index b471f5cc64869..1af2afdb9120f 100644
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"reflect"
 	"strings"
 	"sync"
@@ -39,6 +40,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/dump"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/pkg/apis/clientauthentication"
 	"k8s.io/client-go/pkg/apis/clientauthentication/install"
 	clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
@@ -177,13 +179,29 @@ func newAuthenticator(c *cache, isTerminalFunc func(int) bool, config *api.ExecC
 		connTracker,
 	)
 
+	if err := ValidatePluginPolicy(config.PluginPolicy); err != nil {
+		return nil, fmt.Errorf("invalid plugin policy: %w", err)
+	}
+
+	allowlistLookup := sets.New[string]()
+	for _, entry := range config.PluginPolicy.Allowlist {
+		if entry.Name != "" {
+			allowlistLookup.Insert(entry.Name)
+		}
+	}
+
 	a := &Authenticator{
-		cmd:                config.Command,
+		// Clean is called to normalize the path to facilitate comparison with
+		// the allowlist, when present
+		cmd:                filepath.Clean(config.Command),
 		args:               config.Args,
 		group:              gv,
 		cluster:            cluster,
 		provideClusterInfo: config.ProvideClusterInfo,
 
+		allowlistLookup:  allowlistLookup,
+		execPluginPolicy: config.PluginPolicy,
+
 		installHint: config.InstallHint,
 		sometimes: &sometimes{
 			threshold: 10,
@@ -250,6 +268,9 @@ type Authenticator struct {
 	cluster            *clientauthentication.Cluster
 	provideClusterInfo bool
 
+	allowlistLookup  sets.Set[string]
+	execPluginPolicy api.PluginPolicy
+
 	// Used to avoid log spew by rate limiting install hint printing. We didn't do
 	// this by interval based rate limiting alone since that way may have prevented
 	// the install hint from showing up for kubectl users.
@@ -441,6 +462,12 @@ func (a *Authenticator) refreshCredsLocked() error {
 		cmd.Stdin = a.stdin
 	}
 
+	err = a.updateCommandAndCheckAllowlistLocked(cmd)
+	incrementPolicyMetric(err)
+	if err != nil {
+		return err
+	}
+
 	err = cmd.Run()
 	incrementCallsMetric(err)
 	if err != nil {
@@ -545,3 +572,131 @@ func (a *Authenticator) wrapCmdRunErrorLocked(err error) error {
 		return fmt.Errorf("exec: %v", err)
 	}
 }
+
+// `updateCommandAndCheckAllowlistLocked` determines whether or not the specified executable may run
+// according to the credential plugin policy. If the plugin is allowed, `nil`
+// is returned. If the plugin is not allowed, an error must be returned
+// explaining why.
+func (a *Authenticator) updateCommandAndCheckAllowlistLocked(cmd *exec.Cmd) error {
+	switch a.execPluginPolicy.PolicyType {
+	case "", api.PluginPolicyAllowAll:
+		return nil
+	case api.PluginPolicyDenyAll:
+		return fmt.Errorf("plugin %q not allowed: policy set to %q", a.cmd, api.PluginPolicyDenyAll)
+	case api.PluginPolicyAllowlist:
+		return a.checkAllowlistLocked(cmd)
+	default:
+		return fmt.Errorf("unknown plugin policy %q", a.execPluginPolicy.PolicyType)
+	}
+}
+
+// `checkAllowlistLocked` checks the specified plugin against the allowlist,
+// and may update the Authenticator's allowlistLookup set.
+func (a *Authenticator) checkAllowlistLocked(cmd *exec.Cmd) error {
+	// a.cmd is the original command as specified in the configuration, then filepath.Clean().
+	// cmd.Path is the possibly-resolved command.
+	// If either are an exact match in the allowlist, return success.
+	if a.allowlistLookup.Has(a.cmd) || a.allowlistLookup.Has(cmd.Path) {
+		return nil
+	}
+
+	var cmdResolvedPath string
+	var cmdResolvedErr error
+	if cmd.Path != a.cmd {
+		// cmd.Path changed, use the already-resolved LookPath results
+		cmdResolvedPath = cmd.Path
+		cmdResolvedErr = cmd.Err
+	} else {
+		// cmd.Path is unchanged, do LookPath ourselves
+		cmdResolvedPath, cmdResolvedErr = exec.LookPath(cmd.Path)
+		// update cmd.Path to cmdResolvedPath so we only run the resolved path
+		if cmdResolvedPath != "" {
+			cmd.Path = cmdResolvedPath
+		}
+	}
+
+	if cmdResolvedErr != nil {
+		return fmt.Errorf("plugin path %q cannot be resolved for credential plugin allowlist check: %w", cmd.Path, cmdResolvedErr)
+	}
+
+	// cmdResolvedPath may have changed, and the changed value may be in the allowlist
+	if a.allowlistLookup.Has(cmdResolvedPath) {
+		return nil
+	}
+
+	// There is no verbatim match
+	a.resolveAllowListEntriesLocked(cmd.Path)
+
+	// allowlistLookup may have changed, recheck
+	if a.allowlistLookup.Has(cmdResolvedPath) {
+		return nil
+	}
+
+	return fmt.Errorf("plugin path %q is not permitted by the credential plugin allowlist", cmd.Path)
+}
+
+// resolveAllowListEntriesLocked tries to resolve allowlist entries with LookPath,
+// and adds successfully resolved entries to allowlistLookup.
+// The optional commandHint can be used to limit which entries are resolved to ones which match the hint basename.
+func (a *Authenticator) resolveAllowListEntriesLocked(commandHint string) {
+	hintName := filepath.Base(commandHint)
+	for _, entry := range a.execPluginPolicy.Allowlist {
+		entryBasename := filepath.Base(entry.Name)
+		if hintName != "" && hintName != entryBasename {
+			// we got a hint, and this allowlist entry does not match it
+			continue
+		}
+		entryResolvedPath, err := exec.LookPath(entry.Name)
+		if err != nil {
+			klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "name", entry.Name)
+			continue
+		}
+		if entryResolvedPath != "" {
+			a.allowlistLookup.Insert(entryResolvedPath)
+		}
+	}
+}
+
+func ValidatePluginPolicy(policy api.PluginPolicy) error {
+	switch policy.PolicyType {
+	// "" is equivalent to "AllowAll"
+	case "", api.PluginPolicyAllowAll, api.PluginPolicyDenyAll:
+		if policy.Allowlist != nil {
+			return fmt.Errorf("misconfigured credential plugin allowlist: plugin policy is %q but allowlist is non-nil", policy.PolicyType)
+		}
+		return nil
+	case api.PluginPolicyAllowlist:
+		return validateAllowlist(policy.Allowlist)
+	default:
+		return fmt.Errorf("unknown plugin policy: %q", policy.PolicyType)
+	}
+}
+
+var emptyAllowlistEntry api.AllowlistEntry
+
+func validateAllowlist(list []api.AllowlistEntry) error {
+	// This will be the case if the user has misspelled the field name for the
+	// allowlist. Because this is a security knob, fail immediately rather than
+	// proceed when the user has made a mistake.
+	if list == nil {
+		return fmt.Errorf("credential plugin policy set to %q, but allowlist is unspecified", api.PluginPolicyAllowlist)
+	}
+
+	if len(list) == 0 {
+		return fmt.Errorf("credential plugin policy set to %q, but allowlist is empty; use %q policy instead", api.PluginPolicyAllowlist, api.PluginPolicyDenyAll)
+	}
+
+	for i, item := range list {
+		if item == emptyAllowlistEntry {
+			return fmt.Errorf("misconfigured credential plugin allowlist: empty allowlist entry #%d", i+1)
+		}
+
+		if cleaned := filepath.Clean(item.Name); cleaned != item.Name {
+			return fmt.Errorf("non-normalized file path: %q vs %q", item.Name, cleaned)
+		} else if item.Name == "" {
+			return fmt.Errorf("empty file path: %q", item.Name)
+		}
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go
index 291590eca8618..ada512c66a6ab 100644
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/exec_test.go
@@ -29,8 +29,12 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	mathrand "math/rand/v2"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"os/exec"
+	"path/filepath"
 	"reflect"
 	"strconv"
 	"strings"
@@ -845,6 +849,354 @@ func TestRefreshCreds(t *testing.T) {
 	}
 }
 
+type pluginPolicyTest struct {
+	name             string
+	wantErr          bool
+	wantErrSubstr    string
+	config           *api.ExecConfig
+	pluginExists     bool
+	entryExists      bool
+	usePluginAbsPath bool
+	useEntryAbsPath  bool
+	allowlistLength  int
+	policyType       api.PolicyType
+	allowlist        []api.AllowlistEntry
+}
+
+type dualBool struct{ plugin, entry bool }
+
+type pluginPolicyTestMatrix struct {
+	exists           []dualBool
+	absolute         []dualBool
+	allowlistLengths []int
+	policies         []api.PolicyType
+
+	// the logic of whether or not a given test configuration should produce an error
+	shouldErrFunc func(tt *pluginPolicyTest) (bool, string)
+}
+
+var allPermutations = []dualBool{
+	{plugin: false, entry: false},
+	{plugin: false, entry: true},
+	{plugin: true, entry: false},
+	{plugin: true, entry: true},
+}
+
+// TestPluginPolicy tests the functioning of various plugin policies, as well
+// as the the validity of a wide variety of policies.
+func TestPluginPolicy(t *testing.T) {
+	// this is inlined to make highly visible and explicit the logic of which
+	// test configurations should pass and which should fail
+	shouldErrFunc := func(test *pluginPolicyTest) (bool, string) {
+		switch test.policyType {
+		case "", api.PluginPolicyAllowAll:
+			if test.allowlist != nil { // invalid
+				return true, "allowlist is non-nil"
+			}
+
+			if test.pluginExists {
+				return false, ""
+			}
+
+			return true, "not found"
+		case api.PluginPolicyDenyAll:
+			if test.allowlist != nil { // invalid
+				return true, "allowlist is non-nil"
+			}
+
+			return true, `policy set to "DenyAll"`
+		case api.PluginPolicyAllowlist:
+			if test.allowlist == nil { // invalid
+				return true, "allowlist is unspecified"
+			}
+
+			if len(test.allowlist) == 0 { // invalid
+				return true, "allowlist is empty; use \"DenyAll\" policy instead"
+			}
+
+			switch {
+			case test.pluginExists && test.entryExists:
+				return false, ""
+			case test.pluginExists && !test.entryExists:
+				return true, "is not permitted by the credential plugin allowlist"
+			case !test.pluginExists && test.entryExists:
+				// error message varies depending on whether the paths are relative or absolute
+				// what is important is that an error arises here
+				return true, ""
+			case !test.pluginExists && !test.entryExists:
+				// error message varies depending on whether the paths are relative or absolute
+				// what is important is that an error arises here
+				return true, ""
+			}
+
+			panic("unreachable")
+		}
+
+		return true, "unknown plugin policy"
+	}
+
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatalf("could not get working directory: %s", err)
+	}
+
+	testdataDir := filepath.Join(wd, "testdata")
+
+	path := os.Getenv("PATH")
+	defer func() {
+		if err = os.Setenv("PATH", path); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	matrix := pluginPolicyTestMatrix{
+		shouldErrFunc:    shouldErrFunc,
+		exists:           allPermutations,
+		absolute:         allPermutations,
+		allowlistLengths: []int{-1 /*nil*/, 0, 1, 3},
+		policies: []api.PolicyType{
+			"",
+			api.PluginPolicyAllowAll,
+			api.PluginPolicyDenyAll,
+			api.PluginPolicyAllowlist,
+			api.PolicyType("HIGHLYILLEGAL"),
+		},
+	}
+
+	tests := matrix.makeTests(t, testdataDir, path)
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			c := test.config
+			a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, c, &clientauthentication.Cluster{})
+			if err != nil {
+				if !test.wantErr {
+					t.Fatalf("unexpected validation error: %v", err)
+				} else if !strings.Contains(err.Error(), test.wantErrSubstr) {
+					t.Fatalf("expected error with substring '%v' got '%v'", test.wantErrSubstr, err.Error())
+				}
+
+				return
+			}
+
+			stderr := &bytes.Buffer{}
+			a.stderr = stderr
+			a.environ = func() []string { return nil }
+
+			if err := a.refreshCredsLocked(); err != nil {
+				if !test.wantErr {
+					t.Fatalf("unexpected allows plugin error: %v", err)
+				} else if !strings.Contains(err.Error(), test.wantErrSubstr) {
+					t.Fatalf("expected error with substring '%v' got '%v'", test.wantErrSubstr, err.Error())
+				}
+				return
+			}
+
+			if test.wantErr {
+				t.Fatal("expected allowlist error, but error was nil")
+			}
+		})
+	}
+}
+
+func (m *pluginPolicyTestMatrix) makeTests(t *testing.T, testdataDir, path string) []pluginPolicyTest {
+	const existingPluginInPATHBasename = "test-plugin.sh"
+	existingPluginInPATHAbsolutePath := filepath.Join(testdataDir, existingPluginInPATHBasename)
+
+	err := os.Setenv("PATH", fmt.Sprintf("%s:%s", testdataDir, path))
+	if err != nil {
+		t.Fatalf("error setting PATH: %s", err)
+	}
+
+	resolved, err := exec.LookPath(existingPluginInPATHBasename)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if existingPluginInPATHAbsolutePath != resolved {
+		t.Fatalf("test plugin basename resolved incorrectly: did not resolve to %s", existingPluginInPATHAbsolutePath)
+	}
+
+	resolvedAbs, err := exec.LookPath(existingPluginInPATHAbsolutePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if existingPluginInPATHAbsolutePath != resolvedAbs {
+		t.Fatalf("test plugin absolute path resolved incorrectly: did not resolve to %s", existingPluginInPATHAbsolutePath)
+	}
+
+	tests := make([]pluginPolicyTest, 0, len(m.exists)*2+len(m.absolute)*2+len(m.allowlistLengths)+len(m.policies))
+
+	var tt *pluginPolicyTest
+	for _, exists := range m.exists {
+		tt = new(pluginPolicyTest)
+
+		tt.setExists(exists)
+		for _, absolute := range m.absolute {
+			tt.setAbsolute(absolute)
+
+			for _, length := range m.allowlistLengths {
+				tt.setAllowlist(length, existingPluginInPATHAbsolutePath, existingPluginInPATHBasename)
+
+				for _, p := range m.policies {
+					tt.policyType = p
+					tt.setName()
+					tt.setExecConfig(existingPluginInPATHAbsolutePath, existingPluginInPATHBasename)
+					tt.setErrDetails(m)
+
+					tests = append(tests, *tt)
+				}
+			}
+		}
+	}
+
+	return tests
+}
+
+func (tt *pluginPolicyTest) setErrDetails(m *pluginPolicyTestMatrix) {
+	tt.wantErr, tt.wantErrSubstr = m.shouldErrFunc(tt)
+}
+
+func (tt *pluginPolicyTest) setAbsolute(absolute dualBool) {
+	tt.usePluginAbsPath = absolute.plugin
+	tt.useEntryAbsPath = absolute.entry
+}
+
+func (tt *pluginPolicyTest) setExists(exists dualBool) {
+	tt.pluginExists = exists.plugin
+	tt.entryExists = exists.entry
+}
+
+func (tt *pluginPolicyTest) setAllowlist(l int, existingPluginInPATHAbsolutePath string, existingPluginInPATHBasename string) {
+	tt.allowlistLength = l
+	if tt.allowlistLength >= 0 {
+		tt.allowlist = make([]api.AllowlistEntry, 0, tt.allowlistLength)
+	}
+
+	if tt.allowlistLength >= 1 {
+		entry := tt.makeAllowlistEntry(existingPluginInPATHAbsolutePath, existingPluginInPATHBasename)
+		tt.allowlist = append(tt.allowlist, entry)
+	}
+
+	for i := 1; i < tt.allowlistLength; i++ {
+		tt.allowlist = append(tt.allowlist, api.AllowlistEntry{Name: fmt.Sprintf("foo-%d", i)})
+	}
+
+	// shuffle the allowlist to guarantee ordering doesn't matter
+	for i := range tt.allowlist {
+		j := mathrand.IntN(i + 1)
+		tt.allowlist[i], tt.allowlist[j] = tt.allowlist[j], tt.allowlist[i]
+	}
+}
+
+func (tt *pluginPolicyTest) makeAllowlistEntry(existingPluginInPATHAbsolutePath string, existingPluginInPATHBasename string) api.AllowlistEntry {
+	var entry api.AllowlistEntry
+
+	switch {
+	case tt.entryExists && tt.useEntryAbsPath:
+		entry.Name = existingPluginInPATHAbsolutePath
+	case tt.entryExists && !tt.useEntryAbsPath:
+		entry.Name = existingPluginInPATHBasename
+	case !tt.entryExists && tt.useEntryAbsPath:
+		entry.Name = "/this/path/does/not/exist"
+	case !tt.entryExists && !tt.useEntryAbsPath:
+		entry.Name = "does not exist"
+	}
+
+	return entry
+}
+
+func (tt *pluginPolicyTest) setExecConfig(existingPluginInPATHAbsolutePath string, existingPluginInPATHBasename string) {
+	var cmd string
+
+	switch {
+	case tt.pluginExists && tt.usePluginAbsPath:
+		cmd = existingPluginInPATHAbsolutePath
+	case tt.pluginExists && !tt.usePluginAbsPath:
+		cmd = existingPluginInPATHBasename
+	case !tt.pluginExists && tt.usePluginAbsPath:
+		cmd = "/this/path/does/not/exist"
+	case !tt.pluginExists && !tt.usePluginAbsPath:
+		cmd = "does not exist"
+	default: // verifiably unreachable
+		cmd = "does not exist"
+	}
+
+	config := api.ExecConfig{}
+	if strings.HasSuffix(cmd, "test-plugin.sh") {
+		config.Env = append(config.Env, api.ExecEnvVar{
+			Name: "TEST_OUTPUT",
+			Value: `{
+				"kind": "ExecCredential",
+				"apiVersion": "client.authentication.k8s.io/v1",
+				"status": {
+					"token": "foo-bar"
+				}
+			}`,
+		})
+		config.Env = append(config.Env, api.ExecEnvVar{
+			Name:  "TEST_EXIT_CODE",
+			Value: strconv.Itoa(0),
+		})
+	}
+
+	config.APIVersion = "client.authentication.k8s.io/v1"
+	config.InteractiveMode = api.IfAvailableExecInteractiveMode
+	config.Command = cmd
+	config.PluginPolicy.PolicyType = tt.policyType
+	config.PluginPolicy.Allowlist = tt.allowlist
+
+	tt.config = &config
+}
+
+func makeExistsString(s string, t bool) string {
+	ne := "nonexistent"
+	if t {
+		ne = "existing"
+	}
+
+	return fmt.Sprintf("%s-%s-path", ne, s)
+}
+
+func makePathString(s string, t bool) string {
+	ba := "basename"
+	if t {
+		ba = "absolute-path"
+	}
+
+	return fmt.Sprintf("%s-%s", ba, s)
+}
+
+func (tt *pluginPolicyTest) setName() {
+	p := string(tt.policyType)
+	if string(tt.policyType) == "" {
+		p = "unspecified"
+	}
+	var lengthStr string
+	switch tt.allowlistLength {
+	case -1:
+		lengthStr = "nil-allowlist"
+	case 0:
+		lengthStr = "empty-allowlist"
+	case 1:
+		lengthStr = "single-entry-allowlist"
+	default:
+		lengthStr = "multiple-entry-allowlist"
+	}
+	pluginExistsString := makeExistsString("plugin", tt.pluginExists)
+	entryExistsString := makeExistsString("entry", tt.entryExists)
+	pluginPathString := makePathString("plugin", tt.usePluginAbsPath)
+	entryPathString := makePathString("entry", tt.useEntryAbsPath)
+	policyString := fmt.Sprintf("with-%s-policy", strings.ToLower(p))
+
+	tt.name = filepath.Join(
+		policyString,
+		lengthStr,
+		pluginExistsString,
+		entryExistsString,
+		pluginPathString,
+		entryPathString,
+	)
+}
+
 func TestRoundTripper(t *testing.T) {
 	wantToken := ""
 
diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go
index 51210975a6668..fb300ae12a4ae 100644
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics.go
@@ -49,6 +49,13 @@ const (
 	// used in some failure modes (e.g., plugin not found, client internal error) so that someone
 	// can more easily monitor all unsuccessful invocations.
 	failureExitCode = 1
+
+	// pluginAllowed represents an exec plugin invocation that was allowed by
+	// the plugin policy and/or the allowlist
+	pluginAllowed = "allowed"
+	// pluginAllowed represents an exec plugin invocation that was denied by
+	// the plugin policy and/or the allowlist
+	pluginDenied = "denied"
 )
 
 type certificateExpirationTracker struct {
@@ -109,3 +116,12 @@ func incrementCallsMetric(err error) {
 		metrics.ExecPluginCalls.Increment(failureExitCode, clientInternalError)
 	}
 }
+
+func incrementPolicyMetric(err error) {
+	if err != nil {
+		metrics.ExecPluginPolicyCalls.Increment(pluginDenied)
+		return
+	}
+
+	metrics.ExecPluginPolicyCalls.Increment(pluginAllowed)
+}
diff --git a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics_test.go b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics_test.go
index bf588dcdeb803..b50ac89b6687d 100644
--- a/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics_test.go
+++ b/staging/src/k8s.io/client-go/plugin/pkg/client/auth/exec/metrics_test.go
@@ -196,3 +196,114 @@ func TestCallsMetric(t *testing.T) {
 		t.Fatalf("got unexpected metrics calls; -want, +got:\n%s", diff)
 	}
 }
+
+type mockPolicyCallsMetric struct {
+	status string
+}
+
+type mockPolicyCallsMetricCounter struct {
+	policyCalls []mockPolicyCallsMetric
+}
+
+func (f *mockPolicyCallsMetricCounter) Increment(status string) {
+	f.policyCalls = append(f.policyCalls, mockPolicyCallsMetric{status: status})
+}
+
+func TestPolicyCallsMetric(t *testing.T) {
+	const (
+		goodOutput = `{
+			"kind": "ExecCredential",
+			"apiVersion": "client.authentication.k8s.io/v1beta1",
+			"status": {
+				"token": "foo-bar"
+			}
+		}`
+	)
+
+	policyCallsMetricCounter := &mockPolicyCallsMetricCounter{}
+	originalExecPluginPolicyCalls := metrics.ExecPluginPolicyCalls
+	t.Cleanup(func() { metrics.ExecPluginPolicyCalls = originalExecPluginPolicyCalls })
+	metrics.ExecPluginPolicyCalls = policyCallsMetricCounter
+
+	tests := []struct {
+		wantDenied bool
+		policy     api.PluginPolicy
+	}{
+		{
+			wantDenied: false,
+			policy:     api.PluginPolicy{PolicyType: api.PluginPolicyAllowAll},
+		},
+		{
+			wantDenied: true,
+			policy:     api.PluginPolicy{PolicyType: api.PluginPolicyDenyAll},
+		},
+		{
+			wantDenied: false,
+			policy: api.PluginPolicy{
+				PolicyType: api.PluginPolicyAllowlist,
+				Allowlist: []api.AllowlistEntry{
+					{
+						Name: "foobar",
+					},
+					{
+						Name: "testdata/test-plugin.sh",
+					},
+				},
+			},
+		},
+		{
+			wantDenied: true,
+			policy: api.PluginPolicy{
+				PolicyType: api.PluginPolicyAllowlist,
+				Allowlist: []api.AllowlistEntry{
+					{Name: "foobar"},
+					{Name: "baz"},
+				},
+			},
+		},
+	}
+
+	var wantPolicyCallsMetrics []mockPolicyCallsMetric
+	for _, test := range tests {
+		c := api.ExecConfig{
+			Command:    "./testdata/test-plugin.sh",
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Env: []api.ExecEnvVar{
+				{Name: "TEST_EXIT_CODE", Value: fmt.Sprintf("%d", 0)},
+				{Name: "TEST_OUTPUT", Value: goodOutput},
+			},
+			InteractiveMode: api.IfAvailableExecInteractiveMode,
+			PluginPolicy:    test.policy,
+		}
+
+		a, err := newAuthenticator(newCache(), func(_ int) bool { return false }, &c, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.stderr = io.Discard
+
+		err = a.refreshCredsLocked()
+		if err != nil && !test.wantDenied {
+			t.Fatalf("wanted no error, but got %q", err.Error())
+		}
+		if err == nil && test.wantDenied {
+			t.Fatal("wanted error, but got nil")
+		}
+
+		mockPolicyCallsMetric := mockPolicyCallsMetric{status: "allowed"}
+		if test.wantDenied {
+			mockPolicyCallsMetric.status = "denied"
+		}
+
+		wantPolicyCallsMetrics = append(wantPolicyCallsMetrics, mockPolicyCallsMetric)
+	}
+
+	policyCallsMetricComparer := cmp.Comparer(func(a, b mockPolicyCallsMetric) bool {
+		return a.status == b.status
+	})
+
+	actualPolicyCallsMetrics := policyCallsMetricCounter.policyCalls
+	if diff := cmp.Diff(wantPolicyCallsMetrics, actualPolicyCallsMetrics, policyCallsMetricComparer); diff != "" {
+		t.Fatalf("got unexpected metrics calls; -want, +got:\n%s", diff)
+	}
+}
diff --git a/staging/src/k8s.io/client-go/rest/.mockery.yaml b/staging/src/k8s.io/client-go/rest/.mockery.yaml
index e21d7b5be2670..b4df9ca8c10c5 100644
--- a/staging/src/k8s.io/client-go/rest/.mockery.yaml
+++ b/staging/src/k8s.io/client-go/rest/.mockery.yaml
@@ -1,10 +1,11 @@
 ---
 dir: .
-filename: "mock_{{.InterfaceName | snakecase}}_test.go"
-boilerplate-file: ../../../../../hack/boilerplate/boilerplate.generatego.txt
-outpkg: rest
-with-expecter: true
+pkgname: rest
+template: testify
+template-data:
+  boilerplate-file: ../../../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/client-go/rest:
     interfaces:
-      BackoffManager:
+      BackoffManager: {}
diff --git a/staging/src/k8s.io/client-go/rest/mock_backoff_manager_test.go b/staging/src/k8s.io/client-go/rest/mock_backoff_manager_test.go
deleted file mode 100644
index 938bc82d4f4a1..0000000000000
--- a/staging/src/k8s.io/client-go/rest/mock_backoff_manager_test.go
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package rest
-
-import (
-	mock "github.com/stretchr/testify/mock"
-
-	time "time"
-
-	url "net/url"
-)
-
-// MockBackoffManager is an autogenerated mock type for the BackoffManager type
-type MockBackoffManager struct {
-	mock.Mock
-}
-
-type MockBackoffManager_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockBackoffManager) EXPECT() *MockBackoffManager_Expecter {
-	return &MockBackoffManager_Expecter{mock: &_m.Mock}
-}
-
-// CalculateBackoff provides a mock function with given fields: actualURL
-func (_m *MockBackoffManager) CalculateBackoff(actualURL *url.URL) time.Duration {
-	ret := _m.Called(actualURL)
-
-	if len(ret) == 0 {
-		panic("no return value specified for CalculateBackoff")
-	}
-
-	var r0 time.Duration
-	if rf, ok := ret.Get(0).(func(*url.URL) time.Duration); ok {
-		r0 = rf(actualURL)
-	} else {
-		r0 = ret.Get(0).(time.Duration)
-	}
-
-	return r0
-}
-
-// MockBackoffManager_CalculateBackoff_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CalculateBackoff'
-type MockBackoffManager_CalculateBackoff_Call struct {
-	*mock.Call
-}
-
-// CalculateBackoff is a helper method to define mock.On call
-//   - actualURL *url.URL
-func (_e *MockBackoffManager_Expecter) CalculateBackoff(actualURL interface{}) *MockBackoffManager_CalculateBackoff_Call {
-	return &MockBackoffManager_CalculateBackoff_Call{Call: _e.mock.On("CalculateBackoff", actualURL)}
-}
-
-func (_c *MockBackoffManager_CalculateBackoff_Call) Run(run func(actualURL *url.URL)) *MockBackoffManager_CalculateBackoff_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*url.URL))
-	})
-	return _c
-}
-
-func (_c *MockBackoffManager_CalculateBackoff_Call) Return(_a0 time.Duration) *MockBackoffManager_CalculateBackoff_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockBackoffManager_CalculateBackoff_Call) RunAndReturn(run func(*url.URL) time.Duration) *MockBackoffManager_CalculateBackoff_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Sleep provides a mock function with given fields: d
-func (_m *MockBackoffManager) Sleep(d time.Duration) {
-	_m.Called(d)
-}
-
-// MockBackoffManager_Sleep_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Sleep'
-type MockBackoffManager_Sleep_Call struct {
-	*mock.Call
-}
-
-// Sleep is a helper method to define mock.On call
-//   - d time.Duration
-func (_e *MockBackoffManager_Expecter) Sleep(d interface{}) *MockBackoffManager_Sleep_Call {
-	return &MockBackoffManager_Sleep_Call{Call: _e.mock.On("Sleep", d)}
-}
-
-func (_c *MockBackoffManager_Sleep_Call) Run(run func(d time.Duration)) *MockBackoffManager_Sleep_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(time.Duration))
-	})
-	return _c
-}
-
-func (_c *MockBackoffManager_Sleep_Call) Return() *MockBackoffManager_Sleep_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockBackoffManager_Sleep_Call) RunAndReturn(run func(time.Duration)) *MockBackoffManager_Sleep_Call {
-	_c.Run(run)
-	return _c
-}
-
-// UpdateBackoff provides a mock function with given fields: actualURL, err, responseCode
-func (_m *MockBackoffManager) UpdateBackoff(actualURL *url.URL, err error, responseCode int) {
-	_m.Called(actualURL, err, responseCode)
-}
-
-// MockBackoffManager_UpdateBackoff_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateBackoff'
-type MockBackoffManager_UpdateBackoff_Call struct {
-	*mock.Call
-}
-
-// UpdateBackoff is a helper method to define mock.On call
-//   - actualURL *url.URL
-//   - err error
-//   - responseCode int
-func (_e *MockBackoffManager_Expecter) UpdateBackoff(actualURL interface{}, err interface{}, responseCode interface{}) *MockBackoffManager_UpdateBackoff_Call {
-	return &MockBackoffManager_UpdateBackoff_Call{Call: _e.mock.On("UpdateBackoff", actualURL, err, responseCode)}
-}
-
-func (_c *MockBackoffManager_UpdateBackoff_Call) Run(run func(actualURL *url.URL, err error, responseCode int)) *MockBackoffManager_UpdateBackoff_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(*url.URL), args[1].(error), args[2].(int))
-	})
-	return _c
-}
-
-func (_c *MockBackoffManager_UpdateBackoff_Call) Return() *MockBackoffManager_UpdateBackoff_Call {
-	_c.Call.Return()
-	return _c
-}
-
-func (_c *MockBackoffManager_UpdateBackoff_Call) RunAndReturn(run func(*url.URL, error, int)) *MockBackoffManager_UpdateBackoff_Call {
-	_c.Run(run)
-	return _c
-}
-
-// NewMockBackoffManager creates a new instance of MockBackoffManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockBackoffManager(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockBackoffManager {
-	mock := &MockBackoffManager{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/staging/src/k8s.io/client-go/rest/mocks_test.go b/staging/src/k8s.io/client-go/rest/mocks_test.go
new file mode 100644
index 0000000000000..996e857f4869d
--- /dev/null
+++ b/staging/src/k8s.io/client-go/rest/mocks_test.go
@@ -0,0 +1,198 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package rest
+
+import (
+	"net/url"
+	"time"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockBackoffManager creates a new instance of MockBackoffManager. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockBackoffManager(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockBackoffManager {
+	mock := &MockBackoffManager{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockBackoffManager is an autogenerated mock type for the BackoffManager type
+type MockBackoffManager struct {
+	mock.Mock
+}
+
+type MockBackoffManager_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockBackoffManager) EXPECT() *MockBackoffManager_Expecter {
+	return &MockBackoffManager_Expecter{mock: &_m.Mock}
+}
+
+// CalculateBackoff provides a mock function for the type MockBackoffManager
+func (_mock *MockBackoffManager) CalculateBackoff(actualURL *url.URL) time.Duration {
+	ret := _mock.Called(actualURL)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CalculateBackoff")
+	}
+
+	var r0 time.Duration
+	if returnFunc, ok := ret.Get(0).(func(*url.URL) time.Duration); ok {
+		r0 = returnFunc(actualURL)
+	} else {
+		r0 = ret.Get(0).(time.Duration)
+	}
+	return r0
+}
+
+// MockBackoffManager_CalculateBackoff_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CalculateBackoff'
+type MockBackoffManager_CalculateBackoff_Call struct {
+	*mock.Call
+}
+
+// CalculateBackoff is a helper method to define mock.On call
+//   - actualURL *url.URL
+func (_e *MockBackoffManager_Expecter) CalculateBackoff(actualURL interface{}) *MockBackoffManager_CalculateBackoff_Call {
+	return &MockBackoffManager_CalculateBackoff_Call{Call: _e.mock.On("CalculateBackoff", actualURL)}
+}
+
+func (_c *MockBackoffManager_CalculateBackoff_Call) Run(run func(actualURL *url.URL)) *MockBackoffManager_CalculateBackoff_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *url.URL
+		if args[0] != nil {
+			arg0 = args[0].(*url.URL)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockBackoffManager_CalculateBackoff_Call) Return(duration time.Duration) *MockBackoffManager_CalculateBackoff_Call {
+	_c.Call.Return(duration)
+	return _c
+}
+
+func (_c *MockBackoffManager_CalculateBackoff_Call) RunAndReturn(run func(actualURL *url.URL) time.Duration) *MockBackoffManager_CalculateBackoff_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Sleep provides a mock function for the type MockBackoffManager
+func (_mock *MockBackoffManager) Sleep(d time.Duration) {
+	_mock.Called(d)
+	return
+}
+
+// MockBackoffManager_Sleep_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Sleep'
+type MockBackoffManager_Sleep_Call struct {
+	*mock.Call
+}
+
+// Sleep is a helper method to define mock.On call
+//   - d time.Duration
+func (_e *MockBackoffManager_Expecter) Sleep(d interface{}) *MockBackoffManager_Sleep_Call {
+	return &MockBackoffManager_Sleep_Call{Call: _e.mock.On("Sleep", d)}
+}
+
+func (_c *MockBackoffManager_Sleep_Call) Run(run func(d time.Duration)) *MockBackoffManager_Sleep_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 time.Duration
+		if args[0] != nil {
+			arg0 = args[0].(time.Duration)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockBackoffManager_Sleep_Call) Return() *MockBackoffManager_Sleep_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockBackoffManager_Sleep_Call) RunAndReturn(run func(d time.Duration)) *MockBackoffManager_Sleep_Call {
+	_c.Run(run)
+	return _c
+}
+
+// UpdateBackoff provides a mock function for the type MockBackoffManager
+func (_mock *MockBackoffManager) UpdateBackoff(actualURL *url.URL, err error, responseCode int) {
+	_mock.Called(actualURL, err, responseCode)
+	return
+}
+
+// MockBackoffManager_UpdateBackoff_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateBackoff'
+type MockBackoffManager_UpdateBackoff_Call struct {
+	*mock.Call
+}
+
+// UpdateBackoff is a helper method to define mock.On call
+//   - actualURL *url.URL
+//   - err error
+//   - responseCode int
+func (_e *MockBackoffManager_Expecter) UpdateBackoff(actualURL interface{}, err interface{}, responseCode interface{}) *MockBackoffManager_UpdateBackoff_Call {
+	return &MockBackoffManager_UpdateBackoff_Call{Call: _e.mock.On("UpdateBackoff", actualURL, err, responseCode)}
+}
+
+func (_c *MockBackoffManager_UpdateBackoff_Call) Run(run func(actualURL *url.URL, err error, responseCode int)) *MockBackoffManager_UpdateBackoff_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *url.URL
+		if args[0] != nil {
+			arg0 = args[0].(*url.URL)
+		}
+		var arg1 error
+		if args[1] != nil {
+			arg1 = args[1].(error)
+		}
+		var arg2 int
+		if args[2] != nil {
+			arg2 = args[2].(int)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockBackoffManager_UpdateBackoff_Call) Return() *MockBackoffManager_UpdateBackoff_Call {
+	_c.Call.Return()
+	return _c
+}
+
+func (_c *MockBackoffManager_UpdateBackoff_Call) RunAndReturn(run func(actualURL *url.URL, err error, responseCode int)) *MockBackoffManager_UpdateBackoff_Call {
+	_c.Run(run)
+	return _c
+}
diff --git a/staging/src/k8s.io/client-go/rest/urlbackoff.go b/staging/src/k8s.io/client-go/rest/urlbackoff.go
index 5b7b4e216ef76..a6510e8041c3b 100644
--- a/staging/src/k8s.io/client-go/rest/urlbackoff.go
+++ b/staging/src/k8s.io/client-go/rest/urlbackoff.go
@@ -141,8 +141,8 @@ func (b *URLBackoff) CalculateBackoff(actualURL *url.URL) time.Duration {
 
 // CalculateBackoffWithContext takes a url and back's off exponentially,
 // based on its knowledge of existing failures.
-func (b *URLBackoff) CalculateBackoffWithContext(ctx context.Context, actualURL *url.URL) time.Duration {
-	return b.Backoff.Get(b.baseUrlKey(actualURL))
+func (b *URLBackoff) CalculateBackoffWithContext(_ context.Context, actualURL *url.URL) time.Duration {
+	return b.CalculateBackoff(actualURL)
 }
 
 func (b *URLBackoff) Sleep(d time.Duration) {
diff --git a/staging/src/k8s.io/client-go/rest/warnings.go b/staging/src/k8s.io/client-go/rest/warnings.go
index 713b2d64d64ef..62bbdcee28dcb 100644
--- a/staging/src/k8s.io/client-go/rest/warnings.go
+++ b/staging/src/k8s.io/client-go/rest/warnings.go
@@ -96,11 +96,8 @@ var _ WarningHandlerWithContext = NoWarnings{}
 // WarningLogger is an implementation of [WarningHandler] and [WarningHandlerWithContext] that logs code 299 warnings
 type WarningLogger struct{}
 
-func (WarningLogger) HandleWarningHeader(code int, agent string, message string) {
-	if code != 299 || len(message) == 0 {
-		return
-	}
-	klog.Background().Info("Warning: " + message)
+func (w WarningLogger) HandleWarningHeader(code int, agent string, message string) {
+	w.HandleWarningHeaderWithContext(context.Background(), code, agent, message)
 }
 
 func (WarningLogger) HandleWarningHeaderWithContext(ctx context.Context, code int, agent string, message string) {
diff --git a/staging/src/k8s.io/client-go/testing/fixture.go b/staging/src/k8s.io/client-go/testing/fixture.go
index 65c96a47e3d75..152a5c1bacbf7 100644
--- a/staging/src/k8s.io/client-go/testing/fixture.go
+++ b/staging/src/k8s.io/client-go/testing/fixture.go
@@ -511,6 +511,17 @@ func (t *tracker) Apply(gvr schema.GroupVersionResource, applyConfiguration runt
 	return t.add(gvr, obj, ns, true)
 }
 
+// IsWatchListSemanticsUnSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (t *tracker) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 func (t *tracker) getWatches(gvr schema.GroupVersionResource, ns string) []*watch.RaceFreeFakeWatcher {
 	watches := []*watch.RaceFreeFakeWatcher{}
 	if t.watchers[gvr] != nil {
diff --git a/staging/src/k8s.io/client-go/testing/fixture_test.go b/staging/src/k8s.io/client-go/testing/fixture_test.go
index 2b6894b0db483..709728b78f557 100644
--- a/staging/src/k8s.io/client-go/testing/fixture_test.go
+++ b/staging/src/k8s.io/client-go/testing/fixture_test.go
@@ -39,6 +39,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/managedfields"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/util/watchlist"
 	"k8s.io/utils/ptr"
 )
 
@@ -740,3 +741,14 @@ func TestManagedFielsdObjectTrackerWithUnstructured(t *testing.T) {
 	unstructured.RemoveNestedField(cmActual.Object, "metadata", "managedFields")
 	require.Empty(t, cmp.Diff(cmOriginal, cmActual))
 }
+
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	scheme := runtime.NewScheme()
+	codecs := serializer.NewCodecFactory(scheme)
+
+	target := NewObjectTracker(scheme, codecs.UniversalDecoder())
+
+	if !watchlist.DoesClientNotSupportWatchListSemantics(target) {
+		t.Fatalf("ObjectTracker should NOT support WatchList semantics")
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/controller.go b/staging/src/k8s.io/client-go/tools/cache/controller.go
index 5f983b6b63a0a..51e0a4659fcff 100644
--- a/staging/src/k8s.io/client-go/tools/cache/controller.go
+++ b/staging/src/k8s.io/client-go/tools/cache/controller.go
@@ -19,13 +19,14 @@ package cache
 import (
 	"context"
 	"errors"
-	clientgofeaturegate "k8s.io/client-go/features"
+	"fmt"
 	"sync"
 	"time"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
+	clientgofeaturegate "k8s.io/client-go/features"
 	"k8s.io/utils/clock"
 )
 
@@ -48,9 +49,20 @@ type Config struct {
 	// Something that can list and watch your objects.
 	ListerWatcher
 
-	// Something that can process a popped Deltas.
+	// Process can process a popped Deltas.
 	Process ProcessFunc
 
+	// ProcessBatch can process a batch of popped Deltas, which should return `TransactionError` if not all items
+	// in the batch were successfully processed.
+	//
+	// For batch processing to be used:
+	// * ProcessBatch must be non-nil
+	// * Queue must implement QueueWithBatch
+	// * The client InOrderInformersBatchProcess feature gate must be enabled
+	//
+	// If any of those are false, Process is used and no batch processing is done.
+	ProcessBatch ProcessBatchFunc
+
 	// ObjectType is an example object of the type this controller is
 	// expected to handle.
 	ObjectType runtime.Object
@@ -94,6 +106,10 @@ type ShouldResyncFunc func() bool
 // ProcessFunc processes a single object.
 type ProcessFunc func(obj interface{}, isInInitialList bool) error
 
+// ProcessBatchFunc processes multiple objects in batch.
+// The deltas must not contain multiple entries for the same object.
+type ProcessBatchFunc func(deltas []Delta, isInInitialList bool) error
+
 // `*controller` implements Controller
 type controller struct {
 	config         Config
@@ -203,12 +219,23 @@ func (c *controller) LastSyncResourceVersion() string {
 // to make sure that we don't end up processing the same object multiple times
 // concurrently.
 func (c *controller) processLoop(ctx context.Context) {
+	useBatchProcess := false
+	batchQueue, ok := c.config.Queue.(QueueWithBatch)
+	if ok && c.config.ProcessBatch != nil && clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InOrderInformersBatchProcess) {
+		useBatchProcess = true
+	}
 	for {
 		select {
 		case <-ctx.Done():
 			return
 		default:
-			_, err := c.config.Pop(PopProcessFunc(c.config.Process))
+			var err error
+			if useBatchProcess {
+				err = batchQueue.PopBatch(c.config.ProcessBatch)
+			} else {
+				// otherwise fallback to non-batch process behavior
+				_, err = c.config.Pop(PopProcessFunc(c.config.Process))
+			}
 			if err != nil {
 				if errors.Is(err, ErrFIFOClosed) {
 					return
@@ -585,6 +612,91 @@ func processDeltas(
 	return nil
 }
 
+// processDeltasInBatch applies a batch of Delta objects to the given Store and
+// notifies the ResourceEventHandler of add, update, or delete events.
+//
+// If the Store supports transactions (TransactionStore), all Deltas are applied
+// atomically in a single transaction and corresponding handler callbacks are
+// executed afterward. Otherwise, each Delta is processed individually.
+//
+// Returns an error if any Delta or transaction fails. For TransactionError,
+// only successful operations trigger callbacks.
+func processDeltasInBatch(
+	handler ResourceEventHandler,
+	clientState Store,
+	deltas []Delta,
+	isInInitialList bool,
+) error {
+	// from oldest to newest
+	txns := make([]Transaction, 0)
+	callbacks := make([]func(), 0)
+	txnStore, txnSupported := clientState.(TransactionStore)
+	if !txnSupported {
+		var errs []error
+		for _, delta := range deltas {
+			if err := processDeltas(handler, clientState, Deltas{delta}, isInInitialList); err != nil {
+				errs = append(errs, err)
+			}
+		}
+		if len(errs) > 0 {
+			return fmt.Errorf("unexpected error when handling deltas: %v", errs)
+		}
+		return nil
+	}
+	// deltasList is a list of unique objects
+	for _, d := range deltas {
+		obj := d.Object
+		switch d.Type {
+		case Sync, Replaced, Added, Updated:
+			// it will only return one old object for each because items are unique
+			if old, exists, err := clientState.Get(obj); err == nil && exists {
+				txn := Transaction{
+					Type:   TransactionTypeUpdate,
+					Object: obj,
+				}
+				txns = append(txns, txn)
+				callbacks = append(callbacks, func() {
+					handler.OnUpdate(old, obj)
+				})
+			} else {
+				txn := Transaction{
+					Type:   TransactionTypeAdd,
+					Object: obj,
+				}
+				txns = append(txns, txn)
+				callbacks = append(callbacks, func() {
+					handler.OnAdd(obj, isInInitialList)
+				})
+			}
+		case Deleted:
+			txn := Transaction{
+				Type:   TransactionTypeDelete,
+				Object: obj,
+			}
+			txns = append(txns, txn)
+			callbacks = append(callbacks, func() {
+				handler.OnDelete(obj)
+			})
+		}
+	}
+
+	err := txnStore.Transaction(txns...)
+	if err != nil {
+		// if txn had error, only execute the callbacks for the successful ones
+		for _, i := range err.SuccessfulIndices {
+			if i < len(callbacks) {
+				callbacks[i]()
+			}
+		}
+		// formatting the error so txns doesn't escape and keeps allocated in the stack.
+		return fmt.Errorf("not all items in the batch successfully processed: %s", err.Error())
+	}
+	for _, callback := range callbacks {
+		callback()
+	}
+	return nil
+}
+
 // newInformer returns a controller for populating the store while also
 // providing event notifications.
 //
@@ -596,16 +708,7 @@ func newInformer(clientState Store, options InformerOptions) Controller {
 	// KeyLister, that way resync operations will result in the correct set
 	// of update/delete deltas.
 
-	var fifo Queue
-	if clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InOrderInformers) {
-		fifo = NewRealFIFO(MetaNamespaceKeyFunc, clientState, options.Transform)
-	} else {
-		fifo = NewDeltaFIFOWithOptions(DeltaFIFOOptions{
-			KnownObjects:          clientState,
-			EmitDeltaTypeReplaced: true,
-			Transformer:           options.Transform,
-		})
-	}
+	fifo := newQueueFIFO(clientState, options.Transform)
 
 	cfg := &Config{
 		Queue:            fifo,
@@ -620,6 +723,25 @@ func newInformer(clientState Store, options InformerOptions) Controller {
 			}
 			return errors.New("object given as Process argument is not Deltas")
 		},
+		ProcessBatch: func(deltaList []Delta, isInInitialList bool) error {
+			return processDeltasInBatch(options.Handler, clientState, deltaList, isInInitialList)
+		},
 	}
 	return New(cfg)
 }
+
+func newQueueFIFO(clientState Store, transform TransformFunc) Queue {
+	if clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InOrderInformers) {
+		return NewRealFIFOWithOptions(RealFIFOOptions{
+			KeyFunction:  MetaNamespaceKeyFunc,
+			KnownObjects: clientState,
+			Transformer:  transform,
+		})
+	} else {
+		return NewDeltaFIFOWithOptions(DeltaFIFOOptions{
+			KnownObjects:          clientState,
+			EmitDeltaTypeReplaced: true,
+			Transformer:           transform,
+		})
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/controller_test.go b/staging/src/k8s.io/client-go/tools/cache/controller_test.go
index d76cc634de620..21a11c9080fef 100644
--- a/staging/src/k8s.io/client-go/tools/cache/controller_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/controller_test.go
@@ -18,6 +18,7 @@ package cache
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"math/rand"
 	"sync"
@@ -25,6 +26,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -110,12 +112,12 @@ func Example() {
 	}
 
 	// Let's wait for the controller to process the things we just added.
-	outputSet := sets.String{}
+	outputSet := sets.Set[string]{}
 	for i := 0; i < len(testIDs); i++ {
 		outputSet.Insert(<-deletionCounter)
 	}
 
-	for _, key := range outputSet.List() {
+	for _, key := range sets.List(outputSet) {
 		fmt.Println(key)
 	}
 	// Output:
@@ -168,12 +170,12 @@ func ExampleNewInformer() {
 	}
 
 	// Let's wait for the controller to process the things we just added.
-	outputSet := sets.String{}
-	for i := 0; i < len(testIDs); i++ {
+	outputSet := sets.Set[string]{}
+	for range testIDs {
 		outputSet.Insert(<-deletionCounter)
 	}
 
-	for _, key := range outputSet.List() {
+	for _, key := range sets.List(outputSet) {
 		fmt.Println(key)
 	}
 	// Output:
@@ -250,7 +252,7 @@ func TestHammerController(t *testing.T) {
 		go func() {
 			defer wg.Done()
 			// Let's add a few objects to the source.
-			currentNames := sets.String{}
+			currentNames := sets.Set[string]{}
 			rs := rand.NewSource(rand.Int63())
 			f := randfill.New().NilChance(.5).NumElements(0, 2).RandSource(rs)
 			for i := 0; i < 100; i++ {
@@ -260,7 +262,7 @@ func TestHammerController(t *testing.T) {
 					f.Fill(&name)
 					isNew = true
 				} else {
-					l := currentNames.List()
+					l := sets.List(currentNames)
 					name = l[rand.Intn(len(l))]
 				}
 
@@ -363,7 +365,7 @@ func TestUpdate(t *testing.T) {
 	// everything we've added has been deleted.
 	watchCh := make(chan struct{})
 	_, controller := NewInformer(
-		&ListWatch{
+		toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 				watch, err := source.Watch(options)
 				close(watchCh)
@@ -372,7 +374,7 @@ func TestUpdate(t *testing.T) {
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				return source.List(options)
 			},
-		},
+		}),
 		&v1.Pod{},
 		0,
 		ResourceEventHandlerFuncs{
@@ -733,3 +735,161 @@ func TestDeletionHandlingObjectToName(t *testing.T) {
 		t.Errorf("Expected %#v, got %#v", expected, actual)
 	}
 }
+
+type listWatchWithUnSupportedWatchListSemanticsWrapper struct {
+	*ListWatch
+}
+
+func (lw listWatchWithUnSupportedWatchListSemanticsWrapper) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
+func toListWatcherWithUnSupportedWatchListSemantics(lw *ListWatch) ListerWatcher {
+	return listWatchWithUnSupportedWatchListSemanticsWrapper{
+		lw,
+	}
+}
+
+func TestProcessDeltasInBatch(t *testing.T) {
+	cm1 := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testname1",
+			Namespace: "testnamespace",
+		},
+	}
+	cm2 := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testname2",
+			Namespace: "testnamespace",
+		},
+	}
+	cm3 := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testname3",
+			Namespace: "testnamespace",
+		},
+	}
+	testDelta1 := Delta{
+		Type:   Added,
+		Object: cm1,
+	}
+	testDelta2 := Delta{
+		Type:   Added,
+		Object: cm2,
+	}
+	testDelta3 := Delta{
+		Type:   Added,
+		Object: cm3,
+	}
+	testCases := []struct {
+		name                            string
+		deltaList                       []Delta
+		succeedingObjects               []runtime.Object
+		failingObjects                  []runtime.Object
+		expectedListenerReceivedObjects []interface{}
+		expectedSuccessCount            int
+		assertErr                       func(error) bool
+	}{
+		{
+			name:                            "all transaction succeeding should works",
+			deltaList:                       []Delta{testDelta1},
+			expectedSuccessCount:            1,
+			expectedListenerReceivedObjects: []interface{}{cm1},
+		},
+		{
+			name:                 "all transaction failing should not trigger listener",
+			deltaList:            []Delta{testDelta1},
+			failingObjects:       []runtime.Object{cm1},
+			expectedSuccessCount: 0,
+			assertErr: func(err error) bool {
+				return assert.Contains(t, err.Error(), "failed to execute (1/1) transactions")
+			},
+			expectedListenerReceivedObjects: make([]interface{}, 0),
+		},
+		{
+			name:                 "partial transaction failing should only trigger successful events to listener #1",
+			deltaList:            []Delta{testDelta1, testDelta2},
+			failingObjects:       []runtime.Object{cm2},
+			expectedSuccessCount: 1,
+			assertErr: func(err error) bool {
+				return assert.Contains(t, err.Error(), "failed to execute (1/2) transactions")
+			},
+			expectedListenerReceivedObjects: []interface{}{cm1},
+		},
+		{
+			name:                 "partial transaction failing should only trigger successful events to listener #2",
+			deltaList:            []Delta{testDelta1, testDelta2, testDelta3},
+			failingObjects:       []runtime.Object{cm2},
+			expectedSuccessCount: 2,
+			assertErr: func(err error) bool {
+				return assert.Contains(t, err.Error(), "failed to execute (1/3) transactions")
+			},
+			expectedListenerReceivedObjects: []interface{}{cm1, cm3},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockStore := &mockTxnStore{
+				Store:       NewStore(MetaNamespaceKeyFunc),
+				failingObjs: tc.failingObjects,
+			}
+			actualListenerReceivedObjects := make([]interface{}, 0)
+			dummyListener := ResourceEventHandlerFuncs{
+				AddFunc: func(obj interface{}) {
+					actualListenerReceivedObjects = append(actualListenerReceivedObjects, obj)
+				},
+				UpdateFunc: func(oldObj, newObj interface{}) {
+					actualListenerReceivedObjects = append(actualListenerReceivedObjects, newObj)
+				},
+				DeleteFunc: func(obj interface{}) {
+					actualListenerReceivedObjects = append(actualListenerReceivedObjects, obj)
+				},
+			}
+			err := processDeltasInBatch(
+				dummyListener,
+				mockStore,
+				tc.deltaList,
+				true)
+			if tc.assertErr != nil {
+				assert.True(t, tc.assertErr(err))
+			}
+			assert.Equal(t, tc.expectedSuccessCount, mockStore.succeedCount)
+			assert.Equal(t, tc.expectedListenerReceivedObjects, actualListenerReceivedObjects)
+		})
+	}
+}
+
+var _ TransactionStore = &mockTxnStore{}
+
+type mockTxnStore struct {
+	failingObjs  []runtime.Object
+	succeedCount int
+	Store
+}
+
+func (m *mockTxnStore) Transaction(txns ...Transaction) *TransactionError {
+	successfuls := make([]int, 0)
+	fails := make([]int, 0)
+	errs := make([]error, 0)
+	for i := range txns {
+		txn := txns[i]
+		for _, fail := range m.failingObjs {
+			if apiequality.Semantic.DeepEqual(fail, txn.Object) {
+				fails = append(fails, i)
+				errs = append(errs, errors.New("test error"))
+			} else {
+				successfuls = append(successfuls, i)
+			}
+		}
+	}
+	if len(fails) > 0 {
+		m.succeedCount = len(successfuls)
+		return &TransactionError{
+			TotalTransactions: len(txns),
+			SuccessfulIndices: successfuls,
+			Errors:            errs,
+		}
+	}
+	m.succeedCount = len(txns)
+	return nil
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/delta_fifo.go b/staging/src/k8s.io/client-go/tools/cache/delta_fifo.go
index 9d9e238cccedd..217bcf8b7ad6a 100644
--- a/staging/src/k8s.io/client-go/tools/cache/delta_fifo.go
+++ b/staging/src/k8s.io/client-go/tools/cache/delta_fifo.go
@@ -270,7 +270,8 @@ func NewDeltaFIFOWithOptions(opts DeltaFIFOOptions) *DeltaFIFO {
 }
 
 var (
-	_ = Queue(&DeltaFIFO{}) // DeltaFIFO is a Queue
+	_ = Queue(&DeltaFIFO{})             // DeltaFIFO is a Queue
+	_ = TransformingStore(&DeltaFIFO{}) // DeltaFIFO implements TransformingStore to allow memory optimizations
 )
 
 var (
@@ -554,7 +555,7 @@ func (f *DeltaFIFO) Pop(process PopProcessFunc) (interface{}, error) {
 func (f *DeltaFIFO) Replace(list []interface{}, _ string) error {
 	f.lock.Lock()
 	defer f.lock.Unlock()
-	keys := make(sets.String, len(list))
+	keys := make(sets.Set[string], len(list))
 
 	// keep backwards compat for old clients
 	action := Sync
diff --git a/staging/src/k8s.io/client-go/tools/cache/delta_fifo_test.go b/staging/src/k8s.io/client-go/tools/cache/delta_fifo_test.go
index 9c67012cc1c57..24f0ec87d04bb 100644
--- a/staging/src/k8s.io/client-go/tools/cache/delta_fifo_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/delta_fifo_test.go
@@ -28,7 +28,7 @@ import (
 // from the most recent Delta.
 // You should treat the items returned inside the deltas as immutable.
 // This function was moved here because it is not consistent with normal list semantics, but is used in unit testing.
-func (f *DeltaFIFO) List() []interface{} {
+func (f *DeltaFIFO) list() []interface{} {
 	f.lock.RLock()
 	defer f.lock.RUnlock()
 	return f.listLocked()
@@ -46,7 +46,7 @@ func (f *DeltaFIFO) listLocked() []interface{} {
 // ListKeys returns a list of all the keys of the objects currently
 // in the FIFO.
 // This function was moved here because it is not consistent with normal list semantics, but is used in unit testing.
-func (f *DeltaFIFO) ListKeys() []string {
+func (f *DeltaFIFO) listKeys() []string {
 	f.lock.RLock()
 	defer f.lock.RUnlock()
 	list := make([]string, 0, len(f.queue))
@@ -60,19 +60,19 @@ func (f *DeltaFIFO) ListKeys() []string {
 // or sets exists=false.
 // You should treat the items returned inside the deltas as immutable.
 // This function was moved here because it is not consistent with normal list semantics, but is used in unit testing.
-func (f *DeltaFIFO) Get(obj interface{}) (item interface{}, exists bool, err error) {
+func (f *DeltaFIFO) get(obj interface{}) (item interface{}, exists bool, err error) {
 	key, err := f.KeyOf(obj)
 	if err != nil {
 		return nil, false, KeyError{obj, err}
 	}
-	return f.GetByKey(key)
+	return f.getByKey(key)
 }
 
 // GetByKey returns the complete list of deltas for the requested item,
 // setting exists=false if that list is empty.
 // You should treat the items returned inside the deltas as immutable.
 // This function was moved here because it is not consistent with normal list semantics, but is used in unit testing.
-func (f *DeltaFIFO) GetByKey(key string) (item interface{}, exists bool, err error) {
+func (f *DeltaFIFO) getByKey(key string) (item interface{}, exists bool, err error) {
 	f.lock.RLock()
 	defer f.lock.RUnlock()
 	d, exists := f.items[key]
@@ -320,10 +320,10 @@ func TestDeltaFIFO_addUpdate(t *testing.T) {
 	f.Update(mkFifoObj("foo", 12))
 	f.Delete(mkFifoObj("foo", 15))
 
-	if e, a := []interface{}{mkFifoObj("foo", 15)}, f.List(); !reflect.DeepEqual(e, a) {
+	if e, a := []interface{}{mkFifoObj("foo", 15)}, f.list(); !reflect.DeepEqual(e, a) {
 		t.Errorf("Expected %+v, got %+v", e, a)
 	}
-	if e, a := []string{"foo"}, f.ListKeys(); !reflect.DeepEqual(e, a) {
+	if e, a := []string{"foo"}, f.listKeys(); !reflect.DeepEqual(e, a) {
 		t.Errorf("Expected %+v, got %+v", e, a)
 	}
 
@@ -349,7 +349,7 @@ func TestDeltaFIFO_addUpdate(t *testing.T) {
 		t.Errorf("Got second value %v", unexpected.val)
 	case <-time.After(50 * time.Millisecond):
 	}
-	_, exists, _ := f.Get(mkFifoObj("foo", ""))
+	_, exists, _ := f.get(mkFifoObj("foo", ""))
 	if exists {
 		t.Errorf("item did not get removed")
 	}
@@ -397,7 +397,7 @@ func TestDeltaFIFO_transformer(t *testing.T) {
 	must(f.Replace([]interface{}{}, ""))
 
 	// Should be empty
-	if e, a := []string{"foo", "bar"}, f.ListKeys(); !reflect.DeepEqual(e, a) {
+	if e, a := []string{"foo", "bar"}, f.listKeys(); !reflect.DeepEqual(e, a) {
 		t.Errorf("Expected %+v, got %+v", e, a)
 	}
 
@@ -507,7 +507,7 @@ func TestDeltaFIFO_addReplace(t *testing.T) {
 		t.Errorf("Got second value %v", unexpected.val)
 	case <-time.After(50 * time.Millisecond):
 	}
-	_, exists, _ := f.Get(mkFifoObj("foo", ""))
+	_, exists, _ := f.get(mkFifoObj("foo", ""))
 	if exists {
 		t.Errorf("item did not get removed")
 	}
@@ -991,7 +991,7 @@ func BenchmarkDeltaFIFOListKeys(b *testing.B) {
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
 		for pb.Next() {
-			_ = f.ListKeys()
+			_ = f.listKeys()
 		}
 	})
 	b.StopTimer()
diff --git a/staging/src/k8s.io/client-go/tools/cache/expiration_cache_fakes.go b/staging/src/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
index a16f4735e3475..d716b232e17b9 100644
--- a/staging/src/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
+++ b/staging/src/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
@@ -35,7 +35,7 @@ func (c *fakeThreadSafeMap) Delete(key string) {
 
 // FakeExpirationPolicy keeps the list for keys which never expires.
 type FakeExpirationPolicy struct {
-	NeverExpire     sets.String
+	NeverExpire     sets.Set[string]
 	RetrieveKeyFunc KeyFunc
 }
 
diff --git a/staging/src/k8s.io/client-go/tools/cache/expiration_cache_test.go b/staging/src/k8s.io/client-go/tools/cache/expiration_cache_test.go
index 00a9e61cf5fa7..c8a91ec3f80fb 100644
--- a/staging/src/k8s.io/client-go/tools/cache/expiration_cache_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/expiration_cache_test.go
@@ -33,7 +33,7 @@ func TestTTLExpirationBasic(t *testing.T) {
 	ttlStore := NewFakeExpirationStore(
 		testStoreKeyFunc, deleteChan,
 		&FakeExpirationPolicy{
-			NeverExpire: sets.NewString(),
+			NeverExpire: sets.New[string](),
 			RetrieveKeyFunc: func(obj interface{}) (string, error) {
 				return obj.(*TimestampedEntry).Obj.(testStoreObject).id, nil
 			},
@@ -66,7 +66,7 @@ func TestTTLExpirationBasic(t *testing.T) {
 func TestReAddExpiredItem(t *testing.T) {
 	deleteChan := make(chan string, 1)
 	exp := &FakeExpirationPolicy{
-		NeverExpire: sets.NewString(),
+		NeverExpire: sets.New[string](),
 		RetrieveKeyFunc: func(obj interface{}) (string, error) {
 			return obj.(*TimestampedEntry).Obj.(testStoreObject).id, nil
 		},
@@ -105,7 +105,7 @@ func TestReAddExpiredItem(t *testing.T) {
 	case <-time.After(wait.ForeverTestTimeout):
 		t.Errorf("Unexpected timeout waiting on delete")
 	}
-	exp.NeverExpire = sets.NewString(testKey)
+	exp.NeverExpire = sets.New[string](testKey)
 	item, exists, err = ttlStore.GetByKey(testKey)
 	if err != nil {
 		t.Errorf("Failed to get from store, %v", err)
@@ -129,7 +129,7 @@ func TestTTLList(t *testing.T) {
 	ttlStore := NewFakeExpirationStore(
 		testStoreKeyFunc, deleteChan,
 		&FakeExpirationPolicy{
-			NeverExpire: sets.NewString(testObjs[1].id),
+			NeverExpire: sets.New[string](testObjs[1].id),
 			RetrieveKeyFunc: func(obj interface{}) (string, error) {
 				return obj.(*TimestampedEntry).Obj.(testStoreObject).id, nil
 			},
diff --git a/staging/src/k8s.io/client-go/tools/cache/fifo.go b/staging/src/k8s.io/client-go/tools/cache/fifo.go
index 5c2ca90084d74..eb3ef589bd8f0 100644
--- a/staging/src/k8s.io/client-go/tools/cache/fifo.go
+++ b/staging/src/k8s.io/client-go/tools/cache/fifo.go
@@ -60,6 +60,23 @@ type Queue interface {
 	Close()
 }
 
+// QueueWithBatch extends the Queue interface with support for batch processing.
+//
+// In addition to the standard single-item Pop method, QueueWithBatch provides
+// PopBatch, which allows multiple items to be popped and processed together as
+// a batch. This can be used to improve processing efficiency when it is
+// beneficial to handle multiple queued keys or accumulators in a single
+// operation.
+// TODO: Consider merging this interface into Queue after feature gate GA
+type QueueWithBatch interface {
+	Queue
+
+	// PopBatch behaves similarly to Queue#Pop, but processes multiple keys
+	// as a batch. The implementation determines the batching strategy,
+	// such as the number of keys to include per batch.
+	PopBatch(ProcessBatchFunc) error
+}
+
 // Pop is helper function for popping from Queue.
 // WARNING: Do NOT use this function in non-test code to avoid races
 // unless you really really really really know what you are doing.
diff --git a/staging/src/k8s.io/client-go/tools/cache/index.go b/staging/src/k8s.io/client-go/tools/cache/index.go
index c5819fb6f86f8..395268f68cd4d 100644
--- a/staging/src/k8s.io/client-go/tools/cache/index.go
+++ b/staging/src/k8s.io/client-go/tools/cache/index.go
@@ -91,10 +91,10 @@ func MetaNamespaceIndexFunc(obj interface{}) ([]string, error) {
 }
 
 // Index maps the indexed value to a set of keys in the store that match on that value
-type Index map[string]sets.String
+type index map[string]sets.Set[string]
 
 // Indexers maps a name to an IndexFunc
 type Indexers map[string]IndexFunc
 
 // Indices maps a name to an Index
-type Indices map[string]Index
+type Indices map[string]index
diff --git a/staging/src/k8s.io/client-go/tools/cache/index_test.go b/staging/src/k8s.io/client-go/tools/cache/index_test.go
index f20a8ef595c48..4e4e4f78a36e8 100644
--- a/staging/src/k8s.io/client-go/tools/cache/index_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/index_test.go
@@ -71,15 +71,15 @@ func TestMultiIndexKeys(t *testing.T) {
 	index.Add(pod2)
 	index.Add(pod3)
 
-	expected := map[string]sets.String{}
-	expected["ernie"] = sets.NewString("one", "tre")
-	expected["bert"] = sets.NewString("one", "two")
-	expected["elmo"] = sets.NewString("tre")
-	expected["oscar"] = sets.NewString("two")
-	expected["elmo1"] = sets.NewString()
+	expected := map[string]sets.Set[string]{}
+	expected["ernie"] = sets.New("one", "tre")
+	expected["bert"] = sets.New("one", "two")
+	expected["elmo"] = sets.New("tre")
+	expected["oscar"] = sets.New("two")
+	expected["elmo1"] = sets.Set[string]{}
 	{
 		for k, v := range expected {
-			found := sets.String{}
+			found := sets.Set[string]{}
 			indexResults, err := index.ByIndex("byUser", k)
 			if err != nil {
 				t.Errorf("Unexpected error %v", err)
@@ -88,7 +88,7 @@ func TestMultiIndexKeys(t *testing.T) {
 				found.Insert(item.(*v1.Pod).Name)
 			}
 			if !found.Equal(v) {
-				t.Errorf("missing items, index %s, expected %v but found %v", k, v.List(), found.List())
+				t.Errorf("missing items, index %s, expected %v but found %v", k, sets.List(v), sets.List(found))
 			}
 		}
 	}
diff --git a/staging/src/k8s.io/client-go/tools/cache/listwatch.go b/staging/src/k8s.io/client-go/tools/cache/listwatch.go
index f5b04a19be1d1..2c4065f014667 100644
--- a/staging/src/k8s.io/client-go/tools/cache/listwatch.go
+++ b/staging/src/k8s.io/client-go/tools/cache/listwatch.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/watchlist"
 )
 
 // Lister is any object that knows how to perform an initial list.
@@ -130,6 +131,35 @@ type listerWatcherWrapper struct {
 	ListerWithContext
 	WatcherWithContext
 }
+type listWatcherWithWatchListSemanticsWrapper struct {
+	*ListWatch
+
+	// unsupportedWatchListSemantics indicates whether a client explicitly does NOT support
+	// WatchList semantics.
+	//
+	// Over the years, unit tests in kube have been written in many different ways.
+	// After enabling the WatchListClient feature by default, existing tests started failing.
+	// To avoid breaking lots of existing client-go users after upgrade,
+	// we introduced this field as an opt-in.
+	//
+	// When true, the reflector disables WatchList even if the feature gate is enabled.
+	unsupportedWatchListSemantics bool
+}
+
+func (lw *listWatcherWithWatchListSemanticsWrapper) IsWatchListSemanticsUnSupported() bool {
+	return lw.unsupportedWatchListSemantics
+}
+
+// ToListWatcherWithWatchListSemantics returns a ListerWatcher
+// that knows whether the provided client explicitly
+// does NOT support the WatchList semantics. This allows Reflectors
+// to adapt their behavior based on client capabilities.
+func ToListWatcherWithWatchListSemantics(lw *ListWatch, client any) ListerWatcher {
+	return &listWatcherWithWatchListSemanticsWrapper{
+		lw,
+		watchlist.DoesClientNotSupportWatchListSemantics(client),
+	}
+}
 
 // ListFunc knows how to list resources
 //
diff --git a/staging/src/k8s.io/client-go/tools/cache/listwatch_test.go b/staging/src/k8s.io/client-go/tools/cache/listwatch_test.go
new file mode 100644
index 0000000000000..70bee04c01298
--- /dev/null
+++ b/staging/src/k8s.io/client-go/tools/cache/listwatch_test.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"testing"
+
+	"k8s.io/client-go/util/watchlist"
+)
+
+type fakeWatchListClient struct {
+	unSupportedWatchListSemantics bool
+}
+
+func (f fakeWatchListClient) IsWatchListSemanticsUnSupported() bool {
+	return f.unSupportedWatchListSemantics
+}
+
+func TestToListWatcherWithWatchListSemantics(t *testing.T) {
+	scenarios := []struct {
+		name                                string
+		client                              any
+		expectUnSupportedWatchListSemantics bool
+	}{
+		{
+			name:                                "client which doesn't implement the interface supports WatchList semantics",
+			client:                              nil,
+			expectUnSupportedWatchListSemantics: false,
+		},
+		{
+			name:                                "client does not support WatchList semantics",
+			client:                              fakeWatchListClient{unSupportedWatchListSemantics: true},
+			expectUnSupportedWatchListSemantics: true,
+		},
+		{
+			name:                                "client supports WatchList semantics",
+			client:                              fakeWatchListClient{unSupportedWatchListSemantics: false},
+			expectUnSupportedWatchListSemantics: false,
+		},
+	}
+
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			target := ToListWatcherWithWatchListSemantics(&ListWatch{}, scenario.client)
+
+			if got := watchlist.DoesClientNotSupportWatchListSemantics(target); got != scenario.expectUnSupportedWatchListSemantics {
+				t.Fatalf("DoesClientNotSupportWatchListSemantics returned: %v, want: %v", got, scenario.expectUnSupportedWatchListSemantics)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/mutation_detector_test.go b/staging/src/k8s.io/client-go/tools/cache/mutation_detector_test.go
index fab9f4dd07e2e..29f74676444ae 100644
--- a/staging/src/k8s.io/client-go/tools/cache/mutation_detector_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/mutation_detector_test.go
@@ -29,14 +29,14 @@ import (
 
 func TestMutationDetector(t *testing.T) {
 	fakeWatch := watch.NewFake()
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			return fakeWatch, nil
 		},
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			return &v1.PodList{}, nil
 		},
-	}
+	})
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   "anything",
diff --git a/staging/src/k8s.io/client-go/tools/cache/reflector.go b/staging/src/k8s.io/client-go/tools/cache/reflector.go
index ee9be77278ab4..af2c7a22d074f 100644
--- a/staging/src/k8s.io/client-go/tools/cache/reflector.go
+++ b/staging/src/k8s.io/client-go/tools/cache/reflector.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	clientfeatures "k8s.io/client-go/features"
 	"k8s.io/client-go/tools/pager"
+	"k8s.io/client-go/util/watchlist"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
 	"k8s.io/utils/ptr"
@@ -49,11 +50,9 @@ import (
 
 const defaultExpectedTypeName = "<unspecified>"
 
-var (
-	// We try to spread the load on apiserver by setting timeouts for
-	// watch requests - it is random in [minWatchTimeout, 2*minWatchTimeout].
-	defaultMinWatchTimeout = 5 * time.Minute
-)
+// We try to spread the load on apiserver by setting timeouts for
+// watch requests - it is random in [minWatchTimeout, 2*minWatchTimeout].
+var defaultMinWatchTimeout = 5 * time.Minute
 
 // ReflectorStore is the subset of cache.Store that the reflector uses
 type ReflectorStore interface {
@@ -80,7 +79,7 @@ type ReflectorStore interface {
 // TransformingStore is an optional interface that can be implemented by the provided store.
 // If implemented on the provided store reflector will use the same transformer in its internal stores.
 type TransformingStore interface {
-	Store
+	ReflectorStore
 	Transformer() TransformFunc
 }
 
@@ -299,6 +298,16 @@ func NewReflectorWithOptions(lw ListerWatcher, expectedType interface{}, store R
 	}
 
 	r.useWatchList = clientfeatures.FeatureGates().Enabled(clientfeatures.WatchListClient)
+	if r.useWatchList && watchlist.DoesClientNotSupportWatchListSemantics(lw) {
+		// Using klog.TODO() here because switching to a caller-provided contextual logger
+		// would require an API change and updating all existing call sites.
+		klog.TODO().V(2).Info(
+			"The provided ListWatcher doesn't support WatchList semantics. The feature will be disabled. If you are using a custom client, check the documentation of watchlist.DoesClientNotSupportWatchListSemantics() method",
+			"listWatcherType", fmt.Sprintf("%T", lw),
+			"feature", clientfeatures.WatchListClient,
+		)
+		r.useWatchList = false
+	}
 
 	return r
 }
@@ -365,9 +374,6 @@ func (r *Reflector) RunWithContext(ctx context.Context) {
 }
 
 var (
-	// nothing will ever be sent down this channel
-	neverExitWatch <-chan time.Time = make(chan time.Time)
-
 	// Used to indicate that watching stopped because of a signal from the stop
 	// channel passed in from a client of the reflector.
 	errorStopRequested = errors.New("stop requested")
@@ -377,7 +383,8 @@ var (
 // required, and a cleanup function.
 func (r *Reflector) resyncChan() (<-chan time.Time, func() bool) {
 	if r.resyncPeriod == 0 {
-		return neverExitWatch, func() bool { return false }
+		// nothing will ever be sent down this channel
+		return nil, func() bool { return false }
 	}
 	// The cleanup function is required: imagine the scenario where watches
 	// always fail so we end up listing frequently. Then, if we don't
@@ -419,7 +426,10 @@ func (r *Reflector) ListAndWatchWithContext(ctx context.Context) error {
 			return nil
 		}
 		if err != nil {
-			logger.Error(err, "The watchlist request ended with an error, falling back to the standard LIST/WATCH semantics because making progress is better than deadlocking")
+			logger.V(4).Info(
+				"Data couldn't be fetched in watchlist mode. Falling back to regular list. This is expected if watchlist is not supported or disabled in kube-apiserver.",
+				"err", err,
+			)
 			fallbackToList = true
 			// ensure that we won't accidentally pass some garbage down the watch.
 			w = nil
@@ -726,9 +736,11 @@ func (r *Reflector) watchList(ctx context.Context) (watch.Interface, error) {
 		return false
 	}
 
+	var transformer TransformFunc
 	storeOpts := []StoreOption{}
 	if tr, ok := r.store.(TransformingStore); ok && tr.Transformer() != nil {
-		storeOpts = append(storeOpts, WithTransformer(tr.Transformer()))
+		transformer = tr.Transformer()
+		storeOpts = append(storeOpts, WithTransformer(transformer))
 	}
 
 	initTrace := trace.New("Reflector WatchList", trace.Field{Key: "name", Value: r.name})
@@ -788,7 +800,7 @@ func (r *Reflector) watchList(ctx context.Context) (watch.Interface, error) {
 	// we utilize the temporaryStore to ensure independence from the current store implementation.
 	// as of today, the store is implemented as a queue and will be drained by the higher-level
 	// component as soon as it finishes replacing the content.
-	checkWatchListDataConsistencyIfRequested(ctx, r.name, resourceVersion, r.listerWatcher.ListWithContext, temporaryStore.List)
+	checkWatchListDataConsistencyIfRequested(ctx, r.name, resourceVersion, r.listerWatcher.ListWithContext, transformer, temporaryStore.List)
 
 	if err := r.store.Replace(temporaryStore.List(), resourceVersion); err != nil {
 		return nil, fmt.Errorf("unable to sync watch-list result: %w", err)
diff --git a/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector.go b/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector.go
index a7e0d9c436859..4119c78a6c0cc 100644
--- a/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector.go
+++ b/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector.go
@@ -33,11 +33,11 @@ import (
 //
 // Note that this function will panic when data inconsistency is detected.
 // This is intentional because we want to catch it in the CI.
-func checkWatchListDataConsistencyIfRequested[T runtime.Object, U any](ctx context.Context, identity string, lastSyncedResourceVersion string, listFn consistencydetector.ListFunc[T], retrieveItemsFn consistencydetector.RetrieveItemsFunc[U]) {
+func checkWatchListDataConsistencyIfRequested[T runtime.Object, U any](ctx context.Context, identity string, lastSyncedResourceVersion string, listFn consistencydetector.ListFunc[T], listItemTransformFunc func(interface{}) (interface{}, error), retrieveItemsFn consistencydetector.RetrieveItemsFunc[U]) {
 	if !consistencydetector.IsDataConsistencyDetectionForWatchListEnabled() {
 		return
 	}
 	// for informers we pass an empty ListOptions because
 	// listFn might be wrapped for filtering during informer construction.
-	consistencydetector.CheckDataConsistency(ctx, identity, lastSyncedResourceVersion, listFn, metav1.ListOptions{}, retrieveItemsFn)
+	consistencydetector.CheckDataConsistency(ctx, identity, lastSyncedResourceVersion, listFn, listItemTransformFunc, metav1.ListOptions{}, retrieveItemsFn)
 }
diff --git a/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector_test.go b/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector_test.go
new file mode 100644
index 0000000000000..1d18d0be180d0
--- /dev/null
+++ b/staging/src/k8s.io/client-go/tools/cache/reflector_data_consistency_detector_test.go
@@ -0,0 +1,114 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
+	"k8s.io/client-go/util/consistencydetector"
+	"k8s.io/klog/v2/ktesting"
+)
+
+func TestReflectorDataConsistencyDetector(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+	restore := consistencydetector.SetDataConsistencyDetectionForWatchListEnabledForTest(true)
+	defer restore()
+
+	markTransformed := func(obj interface{}) (interface{}, error) {
+		pod, ok := obj.(*v1.Pod)
+		if !ok {
+			return obj, nil
+		}
+		newPod := pod.DeepCopy()
+		if newPod.Labels == nil {
+			newPod.Labels = make(map[string]string)
+		}
+		newPod.Labels["transformed"] = "true"
+		return newPod, nil
+	}
+
+	for _, inOrder := range []bool{false, true} {
+		t.Run(fmt.Sprintf("InOrder=%v", inOrder), func(t *testing.T) {
+			clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.InOrderInformers, inOrder)
+			for _, transformerEnabled := range []bool{false, true} {
+				var transformer TransformFunc
+				if transformerEnabled {
+					transformer = markTransformed
+				}
+				t.Run(fmt.Sprintf("Transformer=%v", transformerEnabled), func(t *testing.T) {
+					runTestReflectorDataConsistencyDetector(t, transformer)
+				})
+			}
+		})
+	}
+}
+
+func runTestReflectorDataConsistencyDetector(t *testing.T, transformer TransformFunc) {
+	_, ctx := ktesting.NewTestContext(t)
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	store := NewStore(MetaNamespaceKeyFunc)
+	fifo := newQueueFIFO(store, transformer)
+
+	lw := &ListWatch{
+		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+			return &v1.PodList{
+				ListMeta: metav1.ListMeta{ResourceVersion: "1"},
+				Items: []v1.Pod{
+					{ObjectMeta: metav1.ObjectMeta{Name: "pod-1", ResourceVersion: "1"}},
+				},
+			}, nil
+		},
+		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+			w := watch.NewFake()
+			go func() {
+				w.Add(&v1.Pod{ObjectMeta: metav1.ObjectMeta{Name: "pod-1", ResourceVersion: "1"}})
+				w.Action(watch.Bookmark, &v1.Pod{ObjectMeta: metav1.ObjectMeta{
+					Name:            "pod-1",
+					ResourceVersion: "1",
+					Annotations:     map[string]string{metav1.InitialEventsAnnotationKey: "true"},
+				}})
+			}()
+			return w, nil
+		},
+	}
+
+	r := NewReflector(lw, &v1.Pod{}, fifo, 0)
+
+	go func() {
+		_ = wait.PollUntilContextTimeout(ctx, 10*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (bool, error) {
+			return r.LastSyncResourceVersion() != "", nil
+		})
+		cancel()
+	}()
+
+	err := r.ListAndWatchWithContext(ctx)
+	if err != nil {
+		t.Errorf("ListAndWatchWithContext returned error: %v", err)
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/reflector_test.go b/staging/src/k8s.io/client-go/tools/cache/reflector_test.go
index 8c20ae0b02a4e..5554b16f2a624 100644
--- a/staging/src/k8s.io/client-go/tools/cache/reflector_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/reflector_test.go
@@ -20,10 +20,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"net/http"
 	"reflect"
 	goruntime "runtime"
+	"slices"
 	"strconv"
 	"sync"
 	"sync/atomic"
@@ -686,7 +688,7 @@ func TestReflectorListAndWatchWithErrors(t *testing.T) {
 		watchRet, watchErr := item.events, item.watchErr
 		_, ctx := ktesting.NewTestContext(t)
 		ctx, cancel := context.WithCancelCause(ctx)
-		lw := &ListWatch{
+		lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 				if watchErr != nil {
 					return nil, watchErr
@@ -710,7 +712,7 @@ func TestReflectorListAndWatchWithErrors(t *testing.T) {
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				return item.list, item.listErr
 			},
-		}
+		})
 		r := NewReflector(lw, &v1.Pod{}, s, 0)
 		err := r.ListAndWatchWithContext(ctx)
 		if item.listErr != nil && !errors.Is(err, item.listErr) {
@@ -991,7 +993,7 @@ func TestReflectorResync(t *testing.T) {
 		},
 	}
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			fw := watch.NewFake()
 			return fw, nil
@@ -999,7 +1001,7 @@ func TestReflectorResync(t *testing.T) {
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "0"}}, nil
 		},
-	}
+	})
 	resyncPeriod := 1 * time.Millisecond
 	r := NewReflector(lw, &v1.Pod{}, s, resyncPeriod)
 	if err := r.ListAndWatchWithContext(ctx); err != nil {
@@ -1016,7 +1018,7 @@ func TestReflectorWatchListPageSize(t *testing.T) {
 	ctx, cancel := context.WithCancelCause(ctx)
 	s := NewStore(MetaNamespaceKeyFunc)
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1043,7 +1045,7 @@ func TestReflectorWatchListPageSize(t *testing.T) {
 			}
 			return nil, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 	// Set resource version to test pagination also for not consistent reads.
 	r.setLastSyncResourceVersion("10")
@@ -1062,7 +1064,7 @@ func TestReflectorNotPaginatingNotConsistentReads(t *testing.T) {
 	ctx, cancel := context.WithCancelCause(ctx)
 	s := NewStore(MetaNamespaceKeyFunc)
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1082,7 +1084,7 @@ func TestReflectorNotPaginatingNotConsistentReads(t *testing.T) {
 			}
 			return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}, Items: pods}, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 	r.setLastSyncResourceVersion("10")
 	require.NoError(t, r.ListAndWatchWithContext(ctx))
@@ -1098,7 +1100,7 @@ func TestReflectorPaginatingNonConsistentReadsIfWatchCacheDisabled(t *testing.T)
 	var cancel func(error)
 	s := NewStore(MetaNamespaceKeyFunc)
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1126,7 +1128,7 @@ func TestReflectorPaginatingNonConsistentReadsIfWatchCacheDisabled(t *testing.T)
 			}
 			return nil, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 
 	// Initial list should initialize paginatedResult in the reflector.
@@ -1155,7 +1157,7 @@ func TestReflectorResyncWithResourceVersion(t *testing.T) {
 	s := NewStore(MetaNamespaceKeyFunc)
 	listCallRVs := []string{}
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1178,7 +1180,7 @@ func TestReflectorResyncWithResourceVersion(t *testing.T) {
 			}
 			return nil, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 
 	// Initial list should use RV=0
@@ -1216,7 +1218,7 @@ func TestReflectorExpiredExactResourceVersion(t *testing.T) {
 	s := NewStore(MetaNamespaceKeyFunc)
 	listCallRVs := []string{}
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1242,7 +1244,7 @@ func TestReflectorExpiredExactResourceVersion(t *testing.T) {
 			}
 			return nil, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 
 	// Initial list should use RV=0
@@ -1276,7 +1278,7 @@ func TestReflectorFullListIfExpired(t *testing.T) {
 	s := NewStore(MetaNamespaceKeyFunc)
 	listCallRVs := []string{}
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1311,7 +1313,7 @@ func TestReflectorFullListIfExpired(t *testing.T) {
 				return nil, err
 			}
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 	r.WatchListPageSize = 4
 
@@ -1351,7 +1353,7 @@ func TestReflectorFullListIfTooLarge(t *testing.T) {
 	listCallRVs := []string{}
 	version := 30
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			// Stop once the reflector begins watching since we're only interested in the list.
 			cancel(errors.New("done"))
@@ -1388,7 +1390,7 @@ func TestReflectorFullListIfTooLarge(t *testing.T) {
 				return nil, fmt.Errorf("unexpected List call: %s", options.ResourceVersion)
 			}
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 
 	// Initial list should use RV=0
@@ -1581,14 +1583,14 @@ func TestReflectorResourceVersionUpdate(t *testing.T) {
 	ctx, cancel := context.WithCancelCause(ctx)
 	fw := watch.NewFake()
 
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			return fw, nil
 		},
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}}, nil
 		},
-	}
+	})
 	r := NewReflector(lw, &v1.Pod{}, s, 0)
 
 	makePod := func(rv string) *v1.Pod {
@@ -1962,7 +1964,7 @@ func TestReflectorReplacesStoreOnUnsafeDelete(t *testing.T) {
 	s := NewFIFO(MetaNamespaceKeyFunc)
 	var replaceInvoked atomic.Int32
 	store := &fakeStore{
-		Store: s,
+		ReflectorStore: s,
 		beforeReplace: func(list []interface{}, rv string) {
 			// interested in the Replace call that happens after the Error event
 			if rv == lastExpectedRV {
@@ -1997,7 +1999,7 @@ func TestReflectorReplacesStoreOnUnsafeDelete(t *testing.T) {
 	}
 
 	var once sync.Once
-	lw := &ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&ListWatch{
 		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 			fw := watch.NewFake()
 			go func() {
@@ -2017,7 +2019,7 @@ func TestReflectorReplacesStoreOnUnsafeDelete(t *testing.T) {
 			}
 			return list, nil
 		},
-	}
+	})
 
 	r := NewReflector(lw, &v1.Pod{}, store, 0)
 	doneCh, stopCh := make(chan struct{}), make(chan struct{})
@@ -2057,131 +2059,165 @@ func TestReflectorReplacesStoreOnUnsafeDelete(t *testing.T) {
 }
 
 func TestReflectorRespectStoreTransformer(t *testing.T) {
-	mkPod := func(id string, rv string) *v1.Pod {
-		return &v1.Pod{
-			ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: id, ResourceVersion: rv},
-			Spec: v1.PodSpec{
-				Hostname: "test",
+	for name, test := range map[string]struct {
+		storeBuilder func(counter *atomic.Int32) ReflectorStore
+		items        func(rs ReflectorStore) []interface{}
+	}{
+		"real-fifo": {
+			storeBuilder: func(counter *atomic.Int32) ReflectorStore {
+				return NewRealFIFO(MetaNamespaceKeyFunc, NewStore(MetaNamespaceKeyFunc), func(i interface{}) (interface{}, error) {
+					counter.Add(1)
+					cast := i.(*v1.Pod)
+					cast.Spec.Hostname = "transformed"
+					return cast, nil
+				})
 			},
-		}
-	}
-
-	preExisting1 := mkPod("foo-1", "1")
-	preExisting2 := mkPod("foo-2", "2")
-	pod3 := mkPod("foo-3", "3")
-
-	lastExpectedRV := "3"
-	events := []watch.Event{
-		{Type: watch.Added, Object: preExisting1},
-		{Type: watch.Added, Object: preExisting2},
-		{Type: watch.Bookmark, Object: &v1.Pod{
-			ObjectMeta: metav1.ObjectMeta{
-				ResourceVersion: lastExpectedRV,
-				Annotations: map[string]string{
-					metav1.InitialEventsAnnotationKey: "true",
-				},
+			items: func(rs ReflectorStore) []interface{} {
+				store := rs.(*RealFIFO)
+				objects := make(map[string]interface{})
+				for _, item := range store.getItems() {
+					key, _ := store.keyFunc(item.Object)
+					if item.Type == Deleted {
+						delete(objects, key)
+					} else {
+						objects[key] = item.Object
+					}
+				}
+				return slices.Collect(maps.Values(objects))
 			},
-		}},
-		{Type: watch.Added, Object: pod3},
-	}
+		},
+		"delta-fifo": {
+			storeBuilder: func(counter *atomic.Int32) ReflectorStore {
+				return NewDeltaFIFOWithOptions(DeltaFIFOOptions{
+					KeyFunction: MetaNamespaceKeyFunc,
+					Transformer: func(i interface{}) (interface{}, error) {
+						counter.Add(1)
+						cast := i.(*v1.Pod)
+						cast.Spec.Hostname = "transformed"
+						return cast, nil
+					},
+				})
+			},
+			items: func(rs ReflectorStore) []interface{} {
+				return rs.(*DeltaFIFO).list()
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			mkPod := func(id string, rv string) *v1.Pod {
+				return &v1.Pod{
+					ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: id, ResourceVersion: rv},
+					Spec: v1.PodSpec{
+						Hostname: "test",
+					},
+				}
+			}
 
-	s := NewFIFO(MetaNamespaceKeyFunc)
-	var replaceInvoked atomic.Int32
-	store := &fakeStore{
-		Store: s,
-		beforeReplace: func(list []interface{}, rv string) {
-			replaceInvoked.Add(1)
-			// Only two pods are present at the point when Replace is called.
-			if len(list) != 2 {
-				t.Errorf("unexpected nb of objects: expected 2 received %d", len(list))
+			preExisting1 := mkPod("foo-1", "1")
+			preExisting2 := mkPod("foo-2", "2")
+			pod3 := mkPod("foo-3", "3")
+
+			lastExpectedRV := "3"
+			events := []watch.Event{
+				{Type: watch.Added, Object: preExisting1},
+				{Type: watch.Added, Object: preExisting2},
+				{Type: watch.Bookmark, Object: &v1.Pod{
+					ObjectMeta: metav1.ObjectMeta{
+						ResourceVersion: lastExpectedRV,
+						Annotations: map[string]string{
+							metav1.InitialEventsAnnotationKey: "true",
+						},
+					},
+				}},
+				{Type: watch.Added, Object: pod3},
 			}
-			for _, obj := range list {
-				cast := obj.(*v1.Pod)
-				if cast.Spec.Hostname != "transformed" {
-					t.Error("Object was not transformed prior to replacement")
-				}
+
+			var transformerInvoked atomic.Int32
+			s := test.storeBuilder(&transformerInvoked)
+
+			var once sync.Once
+			lw := &ListWatch{
+				WatchFunc: func(metav1.ListOptions) (watch.Interface, error) {
+					fw := watch.NewFake()
+					go func() {
+						once.Do(func() {
+							for _, e := range events {
+								fw.Action(e.Type, e.Object)
+							}
+						})
+					}()
+					return fw, nil
+				},
+				// ListFunc should never be used in WatchList mode
+				ListFunc: func(metav1.ListOptions) (runtime.Object, error) {
+					return nil, errors.New("list call not expected in WatchList mode")
+				},
 			}
-		},
-		afterReplace: func(rv string, err error) {},
-		transformer: func(i interface{}) (interface{}, error) {
-			cast := i.(*v1.Pod)
-			cast.Spec.Hostname = "transformed"
-			return cast, nil
-		},
-	}
 
-	var once sync.Once
-	lw := &ListWatch{
-		WatchFunc: func(metav1.ListOptions) (watch.Interface, error) {
-			fw := watch.NewFake()
+			clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
+			r := NewReflector(lw, &v1.Pod{}, s, 0)
+			ctx, cancel := context.WithCancel(context.Background())
+			doneCh := make(chan struct{})
 			go func() {
-				once.Do(func() {
-					for _, e := range events {
-						fw.Action(e.Type, e.Object)
-					}
-				})
+				defer close(doneCh)
+				r.RunWithContext(ctx)
 			}()
-			return fw, nil
-		},
-		// ListFunc should never be used in WatchList mode
-		ListFunc: func(metav1.ListOptions) (runtime.Object, error) {
-			return nil, errors.New("list call not expected in WatchList mode")
-		},
-	}
 
-	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, true)
-	r := NewReflector(lw, &v1.Pod{}, store, 0)
-	ctx, cancel := context.WithCancel(context.Background())
-	doneCh := make(chan struct{})
-	go func() {
-		defer close(doneCh)
-		r.RunWithContext(ctx)
-	}()
+			// wait for the RV to sync to the version returned by the final list
+			err := wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (done bool, err error) {
+				if rv := r.LastSyncResourceVersion(); rv == lastExpectedRV {
+					return true, nil
+				}
+				return false, nil
+			})
+			if err != nil {
+				t.Fatalf("reflector never caught up with expected revision: %q, err: %v", lastExpectedRV, err)
+			}
 
-	// wait for the RV to sync to the version returned by the final list
-	err := wait.PollUntilContextTimeout(context.Background(), 100*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (done bool, err error) {
-		if rv := r.LastSyncResourceVersion(); rv == lastExpectedRV {
-			return true, nil
-		}
-		return false, nil
-	})
-	if err != nil {
-		t.Fatalf("reflector never caught up with expected revision: %q, err: %v", lastExpectedRV, err)
-	}
+			if want, got := lastExpectedRV, r.LastSyncResourceVersion(); want != got {
+				t.Errorf("expected LastSyncResourceVersion to be %q, but got: %q", want, got)
+			}
 
-	if want, got := lastExpectedRV, r.LastSyncResourceVersion(); want != got {
-		t.Errorf("expected LastSyncResourceVersion to be %q, but got: %q", want, got)
-	}
-	if want, got := 1, int(replaceInvoked.Load()); want != got {
-		t.Errorf("expected replace to be invoked %d times, but got: %d", want, got)
-	}
+			informerItems := test.items(s)
+			if want, got := 3, len(informerItems); want != got {
+				t.Errorf("expected informer to contain %d objects, but got: %d", want, got)
+			}
+			for _, item := range informerItems {
+				cast := item.(*v1.Pod)
+				if cast.Spec.Hostname != "transformed" {
+					t.Error("Object was not transformed prior to replacement")
+				}
+			}
 
-	cancel()
-	select {
-	case <-doneCh:
-	case <-time.After(wait.ForeverTestTimeout):
-		t.Errorf("timed out waiting for Run to return")
+			// Transformer should have been invoked twice for the initial sync in the informer on the temporary store,
+			// then twice on replace, then once on the following update.
+			if want, got := 5, int(transformerInvoked.Load()); want != got {
+				t.Errorf("expected transformer to be invoked %d times, but got: %d", want, got)
+			}
+
+			cancel()
+			select {
+			case <-doneCh:
+			case <-time.After(wait.ForeverTestTimeout):
+				t.Errorf("timed out waiting for Run to return")
+			}
+		})
 	}
 }
 
 type fakeStore struct {
-	Store
+	ReflectorStore
 	beforeReplace func(list []interface{}, s string)
 	afterReplace  func(rv string, err error)
-	transformer   TransformFunc
 }
 
 func (f *fakeStore) Replace(list []interface{}, rv string) error {
 	f.beforeReplace(list, rv)
-	err := f.Store.Replace(list, rv)
+	err := f.ReflectorStore.Replace(list, rv)
 	f.afterReplace(rv, err)
 	return err
 }
 
-func (f *fakeStore) Transformer() TransformFunc {
-	return f.transformer
-}
-
 func BenchmarkExtractList(b *testing.B) {
 	_, _, podList := getPodListItems(0, fakeItemsNum)
 	_, _, configMapList := getConfigmapListItems(0, fakeItemsNum)
diff --git a/staging/src/k8s.io/client-go/tools/cache/reflector_watchlist_test.go b/staging/src/k8s.io/client-go/tools/cache/reflector_watchlist_test.go
index 0a9260c4c75f1..50ebe3e620c45 100644
--- a/staging/src/k8s.io/client-go/tools/cache/reflector_watchlist_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/reflector_watchlist_test.go
@@ -43,6 +43,62 @@ import (
 	"k8s.io/utils/ptr"
 )
 
+type lwSupportsWatchListSemantics struct{ fakeListWatcher }
+
+func (lw *lwSupportsWatchListSemantics) IsWatchListSemanticsUnSupported() bool { return false }
+
+type lwDoesNotSupportWatchListSemantics struct{ fakeListWatcher }
+
+func (lw *lwDoesNotSupportWatchListSemantics) IsWatchListSemanticsUnSupported() bool { return true }
+
+type lwNoWatchListSemanticsUnSupportedExposed struct{ fakeListWatcher }
+
+func TestNewReflectorWithDisablementWatchList(t *testing.T) {
+	scenarios := []struct {
+		name                    string
+		enableWatchListClientFG bool
+		lw                      ListerWatcher
+		expectUseWatchListValue bool
+	}{
+		{
+			name:                    "WatchListClient feature gate off, client supports WatchList semantics",
+			enableWatchListClientFG: false,
+			lw:                      &lwSupportsWatchListSemantics{},
+			expectUseWatchListValue: false,
+		},
+		{
+			name:                    "WatchListClient feature gate on, client supports WatchList semantics",
+			enableWatchListClientFG: true,
+			lw:                      &lwSupportsWatchListSemantics{},
+			expectUseWatchListValue: true,
+		},
+		{
+			name:                    "WatchListClient feature gate on, client doesn't support the WatchList semantics",
+			enableWatchListClientFG: true,
+			lw:                      &lwDoesNotSupportWatchListSemantics{},
+			expectUseWatchListValue: false,
+		},
+		{
+			name:                    "WatchListClient feature gate on, client doesn't expose the IsWatchListSemanticsUnSupported method",
+			enableWatchListClientFG: true,
+			lw:                      &lwNoWatchListSemanticsUnSupportedExposed{},
+			expectUseWatchListValue: true,
+		},
+	}
+
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.WatchListClient, scenario.enableWatchListClientFG)
+
+			r := NewReflectorWithOptions(scenario.lw, struct{}{}, &fakeStore{}, ReflectorOptions{})
+
+			if r.useWatchList != scenario.expectUseWatchListValue {
+				t.Fatalf("got: %v, want: %v", r.useWatchList, scenario.expectUseWatchListValue)
+			}
+		})
+	}
+}
+
 func TestInitialEventsEndBookmarkTicker(t *testing.T) {
 	assertNoEvents := func(t *testing.T, c <-chan time.Time) {
 		select {
diff --git a/staging/src/k8s.io/client-go/tools/cache/shared_informer.go b/staging/src/k8s.io/client-go/tools/cache/shared_informer.go
index 99e5fcd180006..8973a33e8fa51 100644
--- a/staging/src/k8s.io/client-go/tools/cache/shared_informer.go
+++ b/staging/src/k8s.io/client-go/tools/cache/shared_informer.go
@@ -539,16 +539,7 @@ func (s *sharedIndexInformer) RunWithContext(ctx context.Context) {
 		s.startedLock.Lock()
 		defer s.startedLock.Unlock()
 
-		var fifo Queue
-		if clientgofeaturegate.FeatureGates().Enabled(clientgofeaturegate.InOrderInformers) {
-			fifo = NewRealFIFO(MetaNamespaceKeyFunc, s.indexer, s.transform)
-		} else {
-			fifo = NewDeltaFIFOWithOptions(DeltaFIFOOptions{
-				KnownObjects:          s.indexer,
-				EmitDeltaTypeReplaced: true,
-				Transformer:           s.transform,
-			})
-		}
+		fifo := newQueueFIFO(s.indexer, s.transform)
 
 		cfg := &Config{
 			Queue:             fifo,
@@ -559,6 +550,7 @@ func (s *sharedIndexInformer) RunWithContext(ctx context.Context) {
 			ShouldResync:      s.processor.shouldResync,
 
 			Process:                      s.HandleDeltas,
+			ProcessBatch:                 s.HandleBatchDeltas,
 			WatchErrorHandlerWithContext: s.watchErrorHandler,
 		}
 
@@ -731,6 +723,12 @@ func (s *sharedIndexInformer) HandleDeltas(obj interface{}, isInInitialList bool
 	return errors.New("object given as Process argument is not Deltas")
 }
 
+func (s *sharedIndexInformer) HandleBatchDeltas(deltas []Delta, isInInitialList bool) error {
+	s.blockDeltas.Lock()
+	defer s.blockDeltas.Unlock()
+	return processDeltasInBatch(s, s.indexer, deltas, isInInitialList)
+}
+
 // Conforms to ResourceEventHandler
 func (s *sharedIndexInformer) OnAdd(obj interface{}, isInInitialList bool) {
 	// Invocation of this function is locked under s.blockDeltas, so it is
diff --git a/staging/src/k8s.io/client-go/tools/cache/shared_informer_bench_test.go b/staging/src/k8s.io/client-go/tools/cache/shared_informer_bench_test.go
new file mode 100644
index 0000000000000..5ac06ae1f6d60
--- /dev/null
+++ b/staging/src/k8s.io/client-go/tools/cache/shared_informer_bench_test.go
@@ -0,0 +1,160 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+var benchmarkNamespace = "default"
+
+func BenchmarkSharedIndexInformer(b *testing.B) {
+	for _, podCount := range []int{10_000, 20_000, 40_000, 80_000, 160_000} {
+		b.Run(fmt.Sprintf("podCount=%d", podCount), func(b *testing.B) {
+			pods := createPods(podCount, benchmarkNamespace)
+			for _, readers := range []int{0, 1, 10, 20, 40, 80} {
+				b.Run(fmt.Sprintf("readers=%d", readers), func(b *testing.B) {
+					watcher := watch.NewFakeWithChanSize(1, false)
+					informer, stop := setupSharedIndexInformer(watcher, pods)
+					defer stop()
+					queuedEvents := 10
+					benchmarkSharedIndexInformer(b, readers, watcher, informer, pods, queuedEvents)
+				})
+			}
+		})
+	}
+}
+
+func createPods(count int, namespace string) []corev1.Pod {
+	pods := []corev1.Pod{}
+	for i := 0; i < count; i++ {
+		pod := &corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      rand.String(20),
+				Namespace: namespace,
+			},
+		}
+		pods = append(pods, *pod)
+	}
+	return pods
+}
+
+func setupSharedIndexInformer(watcher watch.Interface, pods []corev1.Pod) (SharedIndexInformer, func()) {
+	podInformer := NewSharedIndexInformerWithOptions(
+		&ListWatch{
+			ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
+				return &corev1.PodList{
+					Items: pods,
+				}, nil
+			},
+			WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
+				return watcher, nil
+			},
+		},
+		&corev1.Pod{},
+		SharedIndexInformerOptions{
+			ResyncPeriod: time.Second * 60,
+			Indexers:     Indexers{NamespaceIndex: MetaNamespaceIndexFunc},
+		},
+	)
+
+	stop := make(chan struct{})
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		podInformer.Run(stop)
+	}()
+	for !podInformer.HasSynced() {
+		time.Sleep(time.Millisecond)
+	}
+	return podInformer, func() {
+		close(stop)
+		wg.Wait()
+	}
+}
+
+func benchmarkSharedIndexInformer(b *testing.B, readers int, watcher *watch.FakeWatcher, podInformer SharedIndexInformer, pods []corev1.Pod, queuedEvents int) {
+	var writes atomic.Int64
+	got := make(chan struct{}, queuedEvents)
+
+	_, err := podInformer.AddEventHandler(ResourceEventHandlerDetailedFuncs{
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			writes.Add(1)
+			select {
+			case <-got:
+			default:
+			}
+		},
+	})
+	if err != nil {
+		b.Fatal(err)
+	}
+	pod := pods[rand.Intn(len(pods))]
+	watcher.Modify(&pod)
+	// Wait for modify to arrive to confirm initial pods where handled.
+	for writes.Load() == 0 {
+		time.Sleep(time.Millisecond)
+	}
+
+	var wg sync.WaitGroup
+	stop := make(chan struct{})
+	var reads atomic.Int64
+	for i := 0; i < readers; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			for {
+				select {
+				case <-stop:
+					return
+				default:
+				}
+				err := ListAllByNamespace(podInformer.GetIndexer(), benchmarkNamespace, labels.Everything(), func(obj interface{}) {
+				})
+				if err != nil {
+					panic(err)
+				}
+				reads.Add(1)
+			}
+		}()
+	}
+
+	writes.Store(0)
+	reads.Store(0)
+	for b.Loop() {
+		pod := pods[rand.Intn(len(pods))]
+		watcher.Modify(&pod)
+		got <- struct{}{}
+	}
+	b.ReportMetric(float64(reads.Load())/b.Elapsed().Seconds(), "reads/s")
+	b.ReportMetric(float64(writes.Load())/b.Elapsed().Seconds(), "writes/s")
+	close(stop)
+	wg.Wait()
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/shared_informer_test.go b/staging/src/k8s.io/client-go/tools/cache/shared_informer_test.go
index 39f4eabce4e60..88713ff6f8c02 100644
--- a/staging/src/k8s.io/client-go/tools/cache/shared_informer_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/shared_informer_test.go
@@ -48,7 +48,7 @@ import (
 type testListener struct {
 	lock              sync.RWMutex
 	resyncPeriod      time.Duration
-	expectedItemNames sets.String
+	expectedItemNames sets.Set[string]
 	receivedItemNames []string
 	name              string
 }
@@ -56,7 +56,7 @@ type testListener struct {
 func newTestListener(name string, resyncPeriod time.Duration, expected ...string) *testListener {
 	l := &testListener{
 		resyncPeriod:      resyncPeriod,
-		expectedItemNames: sets.NewString(expected...),
+		expectedItemNames: sets.New(expected...),
 		name:              name,
 	}
 	return l
@@ -105,7 +105,7 @@ func (l *testListener) satisfiedExpectations() bool {
 	l.lock.RLock()
 	defer l.lock.RUnlock()
 
-	return sets.NewString(l.receivedItemNames...).Equal(l.expectedItemNames)
+	return sets.New(l.receivedItemNames...).Equal(l.expectedItemNames)
 }
 
 func eventHandlerCount(i SharedInformer) int {
@@ -439,8 +439,8 @@ func TestSharedInformerWatchDisruption(t *testing.T) {
 		listener.receivedItemNames = []string{}
 	}
 
-	listenerNoResync.expectedItemNames = sets.NewString("pod2", "pod3")
-	listenerResync.expectedItemNames = sets.NewString("pod1", "pod2", "pod3")
+	listenerNoResync.expectedItemNames = sets.New("pod2", "pod3")
+	listenerResync.expectedItemNames = sets.New("pod1", "pod2", "pod3")
 
 	// This calls shouldSync, which deletes noResync from the list of syncingListeners
 	clock.Step(1 * time.Second)
diff --git a/staging/src/k8s.io/client-go/tools/cache/store.go b/staging/src/k8s.io/client-go/tools/cache/store.go
index 1d0685804fdbd..a412fd7014dec 100644
--- a/staging/src/k8s.io/client-go/tools/cache/store.go
+++ b/staging/src/k8s.io/client-go/tools/cache/store.go
@@ -17,6 +17,7 @@ limitations under the License.
 package cache
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -71,6 +72,42 @@ type Store interface {
 	Resync() error
 }
 
+// TransactionType defines the type of a transaction operation. It is used to indicate whether
+// an object is being added, updated, or deleted.
+type TransactionType string
+
+const (
+	TransactionTypeAdd    TransactionType = "Add"
+	TransactionTypeUpdate TransactionType = "Update"
+	TransactionTypeDelete TransactionType = "Delete"
+)
+
+// Transaction represents a single operation or event in a process. It holds a generic Object
+// associated with the transaction and a Type indicating the kind of transaction being performed.
+type Transaction struct {
+	Object interface{}
+	Type   TransactionType
+}
+
+type TransactionStore interface {
+	// Transaction allows multiple operations to occur within a single lock acquisition to
+	// ensure progress can be made when there is contention.
+	Transaction(txns ...Transaction) *TransactionError
+}
+
+var _ error = &TransactionError{}
+
+type TransactionError struct {
+	SuccessfulIndices []int
+	TotalTransactions int
+	Errors            []error
+}
+
+func (t *TransactionError) Error() string {
+	return fmt.Sprintf("failed to execute (%d/%d) transactions failed due to: %v",
+		t.TotalTransactions-len(t.SuccessfulIndices), t.TotalTransactions, t.Errors)
+}
+
 // KeyFunc knows how to make a key from an object. Implementations should be deterministic.
 type KeyFunc func(obj interface{}) (string, error)
 
@@ -167,6 +204,40 @@ type cache struct {
 
 var _ Store = &cache{}
 
+func (c *cache) Transaction(txns ...Transaction) *TransactionError {
+	txnStore, ok := c.cacheStorage.(ThreadSafeStoreWithTransaction)
+	if !ok {
+		return &TransactionError{
+			TotalTransactions: len(txns),
+			Errors: []error{
+				errors.New("transaction not supported"),
+			},
+		}
+	}
+	keyedTxns := make([]ThreadSafeStoreTransaction, 0, len(txns))
+	successfulIndices := make([]int, 0, len(txns))
+	errs := make([]error, 0)
+	for i := range txns {
+		txn := txns[i]
+		key, err := c.keyFunc(txn.Object)
+		if err != nil {
+			errs = append(errs, KeyError{txn.Object, err})
+			continue
+		}
+		successfulIndices = append(successfulIndices, i)
+		keyedTxns = append(keyedTxns, ThreadSafeStoreTransaction{txn, key})
+	}
+	txnStore.Transaction(keyedTxns...)
+	if len(errs) > 0 {
+		return &TransactionError{
+			SuccessfulIndices: successfulIndices,
+			TotalTransactions: len(txns),
+			Errors:            errs,
+		}
+	}
+	return nil
+}
+
 // Add inserts an item into the cache.
 func (c *cache) Add(obj interface{}) error {
 	key, err := c.keyFunc(obj)
diff --git a/staging/src/k8s.io/client-go/tools/cache/store_test.go b/staging/src/k8s.io/client-go/tools/cache/store_test.go
index f560fb1a84a3b..f3c018c11ac6c 100644
--- a/staging/src/k8s.io/client-go/tools/cache/store_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/store_test.go
@@ -21,6 +21,7 @@ import (
 	"sync/atomic"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -56,7 +57,7 @@ func doTestStore(t *testing.T, store Store) {
 	store.Add(mkObj("c", "d"))
 	store.Add(mkObj("e", "e"))
 	{
-		found := sets.String{}
+		found := sets.Set[string]{}
 		for _, item := range store.List() {
 			found.Insert(item.(testStoreObject).val)
 		}
@@ -75,7 +76,7 @@ func doTestStore(t *testing.T, store Store) {
 	}, "0")
 
 	{
-		found := sets.String{}
+		found := sets.Set[string]{}
 		for _, item := range store.List() {
 			found.Insert(item.(testStoreObject).val)
 		}
@@ -95,17 +96,17 @@ func doTestIndex(t *testing.T, indexer Indexer) {
 	}
 
 	// Test Index
-	expected := map[string]sets.String{}
-	expected["b"] = sets.NewString("a", "c")
-	expected["f"] = sets.NewString("e")
-	expected["h"] = sets.NewString("g")
+	expected := map[string]sets.Set[string]{}
+	expected["b"] = sets.New("a", "c")
+	expected["f"] = sets.New("e")
+	expected["h"] = sets.New("g")
 	indexer.Add(mkObj("a", "b"))
 	indexer.Add(mkObj("c", "b"))
 	indexer.Add(mkObj("e", "f"))
 	indexer.Add(mkObj("g", "h"))
 	{
 		for k, v := range expected {
-			found := sets.String{}
+			found := sets.Set[string]{}
 			indexResults, err := indexer.Index("by_val", mkObj("", k))
 			if err != nil {
 				t.Errorf("Unexpected error %v", err)
@@ -113,9 +114,9 @@ func doTestIndex(t *testing.T, indexer Indexer) {
 			for _, item := range indexResults {
 				found.Insert(item.(testStoreObject).id)
 			}
-			items := v.List()
+			items := sets.List(v)
 			if !found.HasAll(items...) {
-				t.Errorf("missing items, index %s, expected %v but found %v", k, items, found.List())
+				t.Errorf("missing items, index %s, expected %v but found %v", k, items, sets.List(found))
 			}
 		}
 	}
@@ -186,3 +187,62 @@ func TestKeyError(t *testing.T) {
 		t.Errorf("not match target error: %v", err)
 	}
 }
+
+func TestCacheTransactionShouldIndexErrors(t *testing.T) {
+	successObj1 := 1
+	successObj2 := 2
+	failObj1 := 3
+	failObj2 := 4
+	testTxnType := TransactionTypeAdd
+	testCases := []struct {
+		name        string
+		objs        []interface{}
+		assertError func(*TransactionError) bool
+	}{
+		{
+			name: "txn all success objects should work",
+			objs: []interface{}{successObj1, successObj2},
+		},
+		{
+			name: "txn all fail objects should work",
+			objs: []interface{}{failObj1, failObj2},
+			assertError: func(err *TransactionError) bool {
+				return assert.Equal(t, []int{}, err.SuccessfulIndices)
+			},
+		},
+		{
+			name: "txn mix success and fail objects should work",
+			objs: []interface{}{successObj1, failObj1, successObj2, failObj2},
+			assertError: func(err *TransactionError) bool {
+				return assert.Equal(t, []int{0, 2}, err.SuccessfulIndices)
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testKeyFunc := func(obj interface{}) (string, error) {
+				if obj == successObj1 || obj == successObj2 {
+					return "", nil
+				}
+				return "", errors.New("test error")
+			}
+			testStore := NewStore(testKeyFunc)
+			txnStore := testStore.(TransactionStore)
+			txns := make([]Transaction, len(tc.objs))
+			for i := range tc.objs {
+				txns[i] = Transaction{
+					Object: tc.objs[i],
+					Type:   testTxnType,
+				}
+			}
+			txnErr := txnStore.Transaction(txns...)
+			if tc.assertError != nil {
+				tc.assertError(txnErr)
+				return
+			}
+			if txnErr != nil {
+				t.Errorf("unexpected error: %v", txnErr)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/the_real_fifo.go b/staging/src/k8s.io/client-go/tools/cache/the_real_fifo.go
index ef322bea85078..933e41bbdc48c 100644
--- a/staging/src/k8s.io/client-go/tools/cache/the_real_fifo.go
+++ b/staging/src/k8s.io/client-go/tools/cache/the_real_fifo.go
@@ -26,6 +26,31 @@ import (
 	utiltrace "k8s.io/utils/trace"
 )
 
+// RealFIFOOptions is the configuration parameters for RealFIFO.
+type RealFIFOOptions struct {
+	// KeyFunction is used to figure out what key an object should have. (It's
+	// exposed in the returned RealFIFO's keyOf() method, with additional
+	// handling around deleted objects and queue state).
+	// Optional, the default is MetaNamespaceKeyFunc.
+	KeyFunction KeyFunc
+
+	// KnownObjects is expected to return a list of keys that the consumer of
+	// this queue "knows about". It is used to decide which items are missing
+	// when Replace() is called; 'Deleted' deltas are produced for the missing items.
+	// KnownObjects is required.
+	KnownObjects KeyListerGetter
+
+	// If set, will be called for objects before enqueueing them. Please
+	// see the comment on TransformFunc for details.
+	Transformer TransformFunc
+}
+
+const (
+	defaultBatchSize = 1000
+)
+
+var _ QueueWithBatch = &RealFIFO{}
+
 // RealFIFO is a Queue in which every notification from the Reflector is passed
 // in order to the Queue via Pop.
 // This means that it
@@ -58,10 +83,14 @@ type RealFIFO struct {
 
 	// Called with every object if non-nil.
 	transformer TransformFunc
+
+	// batchSize determines the maximum number of objects we can combine into a batch.
+	batchSize int
 }
 
 var (
-	_ = Queue(&RealFIFO{}) // RealFIFO is a Queue
+	_ = Queue(&RealFIFO{})             // RealFIFO is a Queue
+	_ = TransformingStore(&RealFIFO{}) // RealFIFO implements TransformingStore to allow memory optimizations
 )
 
 // Close the queue.
@@ -235,6 +264,74 @@ func (f *RealFIFO) Pop(process PopProcessFunc) (interface{}, error) {
 	return Deltas{item}, err
 }
 
+func (f *RealFIFO) PopBatch(process ProcessBatchFunc) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	for len(f.items) == 0 {
+		// When the queue is empty, invocation of Pop() is blocked until new item is enqueued.
+		// When Close() is called, the f.closed is set and the condition is broadcasted.
+		// Which causes this loop to continue and return from the Pop().
+		if f.closed {
+			return ErrFIFOClosed
+		}
+
+		f.cond.Wait()
+	}
+
+	isInInitialList := !f.hasSynced_locked()
+	unique := sets.NewString()
+	deltas := make([]Delta, 0, min(len(f.items), f.batchSize))
+	// only bundle unique items into a batch
+	for i := 0; i < f.batchSize && i < len(f.items); i++ {
+		if f.initialPopulationCount > 0 && i >= f.initialPopulationCount {
+			break
+		}
+		item := f.items[i]
+		id, err := f.keyOf(item)
+		if err != nil {
+			// close the batch here if error happens
+			// TODO: log the error when RealFIFOOptions supports passing klog instance like deprecated DeltaFIFO
+			// still pop the broken item out of queue to be compatible with the non-batch behavior it should be safe
+			// when 1st element is broken, however for Nth broken element, there's possible risk that broken item
+			// still can be processed and broke the uniqueness of the batch unexpectedly.
+			deltas = append(deltas, item)
+			// The underlying array still exists and references this object, so the object will not be garbage collected unless we zero the reference.
+			f.items[i] = Delta{}
+			break
+		}
+		if unique.Has(id) {
+			break
+		}
+		unique.Insert(id)
+		deltas = append(deltas, item)
+		// The underlying array still exists and references this object, so the object will not be garbage collected unless we zero the reference.
+		f.items[i] = Delta{}
+	}
+	if f.initialPopulationCount > 0 {
+		f.initialPopulationCount -= len(deltas)
+	}
+	f.items = f.items[len(deltas):]
+
+	// Only log traces if the queue depth is greater than 10 and it takes more than
+	// 100 milliseconds to process one item from the queue (with a max of 1 second for the whole batch)
+	// Queue depth never goes high because processing an item is locking the queue,
+	// and new items can't be added until processing finish.
+	// https://github.com/kubernetes/kubernetes/issues/103789
+	if len(f.items) > 10 {
+		id, _ := f.keyOf(deltas[0])
+		trace := utiltrace.New("RealFIFO PopBatch Process",
+			utiltrace.Field{Key: "ID", Value: id},
+			utiltrace.Field{Key: "Depth", Value: len(f.items)},
+			utiltrace.Field{Key: "Reason", Value: "slow event handlers blocking the queue"},
+			utiltrace.Field{Key: "BatchSize", Value: len(deltas)})
+		defer trace.LogIfLong(min(100*time.Millisecond*time.Duration(len(deltas)), time.Second))
+	}
+
+	err := process(deltas, isInInitialList)
+	return err
+}
+
 // Replace
 // 1. finds those items in f.items that are not in newItems and creates synthetic deletes for them
 // 2. finds items in knownObjects that are not in newItems and creates synthetic deletes for them
@@ -398,16 +495,32 @@ func (f *RealFIFO) Transformer() TransformFunc {
 // NewRealFIFO returns a Store which can be used to queue up items to
 // process.
 func NewRealFIFO(keyFunc KeyFunc, knownObjects KeyListerGetter, transformer TransformFunc) *RealFIFO {
-	if knownObjects == nil {
+	return NewRealFIFOWithOptions(RealFIFOOptions{
+		KeyFunction:  keyFunc,
+		KnownObjects: knownObjects,
+		Transformer:  transformer,
+	})
+}
+
+// NewRealFIFOWithOptions returns a Queue which can be used to process changes to
+// items. See also the comment on RealFIFO.
+func NewRealFIFOWithOptions(opts RealFIFOOptions) *RealFIFO {
+	if opts.KeyFunction == nil {
+		opts.KeyFunction = MetaNamespaceKeyFunc
+	}
+
+	if opts.KnownObjects == nil {
 		panic("coding error: knownObjects must be provided")
 	}
 
 	f := &RealFIFO{
 		items:        make([]Delta, 0, 10),
-		keyFunc:      keyFunc,
-		knownObjects: knownObjects,
-		transformer:  transformer,
+		keyFunc:      opts.KeyFunction,
+		knownObjects: opts.KnownObjects,
+		transformer:  opts.Transformer,
+		batchSize:    defaultBatchSize,
 	}
+
 	f.cond.L = &f.lock
 	return f
 }
diff --git a/staging/src/k8s.io/client-go/tools/cache/the_real_fifo_test.go b/staging/src/k8s.io/client-go/tools/cache/the_real_fifo_test.go
index 649ea36872315..bfd3bcfb9282e 100644
--- a/staging/src/k8s.io/client-go/tools/cache/the_real_fifo_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/the_real_fifo_test.go
@@ -17,11 +17,16 @@ limitations under the License.
 package cache
 
 import (
+	"errors"
 	"fmt"
 	"reflect"
 	"runtime"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/assert"
+	clientfeatures "k8s.io/client-go/features"
+	clientfeaturestesting "k8s.io/client-go/features/testing"
 )
 
 func (f *RealFIFO) getItems() []Delta {
@@ -974,3 +979,313 @@ func TestRealFIFO_PopShouldUnblockWhenClosed(t *testing.T) {
 		}
 	}
 }
+
+func TestRealFIFO_PopMultipleDeltaInBatch(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.InOrderInformersBatchProcess, true)
+	const unlimitedBatchSize = 999999
+	obj1 := mkFifoObj("foo1", 5)
+	obj2 := mkFifoObj("foo2", 5)
+	obj3 := mkFifoObj("foo3", 5)
+	obj4 := mkFifoObj("foo4", 5)
+	testCases := []struct {
+		name            string
+		initialItems    []testFifoObject
+		actions         []func(f *RealFIFO)
+		batchSize       int
+		expectedBatches [][]Delta
+	}{
+		{
+			name: "non-split: pop unique items should work",
+			initialItems: []testFifoObject{
+				obj1, obj2, obj3,
+			},
+			actions:   []func(f *RealFIFO){},
+			batchSize: unlimitedBatchSize,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}, {Replaced, obj3}},
+			},
+		},
+		{
+			name: "split due to initial list: initial 2 items with 2 updates should have 2 batches",
+			initialItems: []testFifoObject{
+				obj1, obj2,
+			},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj3) },
+				func(f *RealFIFO) { _ = f.Update(obj4) },
+			},
+			batchSize: 2,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}},
+				{{Updated, obj3}, {Updated, obj4}},
+			},
+		},
+		{
+			name: "split due to non-unique#1: update single item for multiple items should have separate batch",
+			initialItems: []testFifoObject{
+				obj1,
+			},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj1) },
+				func(f *RealFIFO) { _ = f.Update(obj1) },
+			},
+			batchSize: unlimitedBatchSize,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}},
+				{{Updated, obj1}},
+				{{Updated, obj1}},
+			},
+		},
+		{
+			name: "split due to non-unique#2: update 3 item for with non-unique item at the end should have separate batch",
+			initialItems: []testFifoObject{
+				obj1, obj2,
+			},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj2) },
+				func(f *RealFIFO) { _ = f.Update(obj3) },
+			},
+			batchSize: unlimitedBatchSize,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}},
+				{{Updated, obj2}, {Updated, obj3}},
+			},
+		},
+		{
+			name: "split due to non-unique#3: update 3 item for with non-unique item in the mid should have separate batch",
+			initialItems: []testFifoObject{
+				obj1, obj2, obj3,
+			},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj2) },
+			},
+			batchSize: unlimitedBatchSize,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}, {Replaced, obj3}},
+				{{Updated, obj2}},
+			},
+		},
+		{
+			name: "split due to batch size#1: batching initial list should work",
+			initialItems: []testFifoObject{
+				obj1, obj2, obj3,
+			},
+			actions:   []func(f *RealFIFO){},
+			batchSize: 2,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}},
+				{{Replaced, obj3}},
+			},
+		},
+		{
+			name:         "split due to batch size#2: batching incoming non-initial deltas should work",
+			initialItems: []testFifoObject{},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj1) },
+				func(f *RealFIFO) { _ = f.Update(obj2) },
+				func(f *RealFIFO) { _ = f.Update(obj3) },
+			},
+			batchSize: 2,
+			expectedBatches: [][]Delta{
+				{{Updated, obj1}, {Updated, obj2}},
+				{{Updated, obj3}},
+			},
+		},
+		{
+			name: "split due to batch size#3: pop 4 mixed initial & non-initial items with 2 batch size should have 3 batch",
+			initialItems: []testFifoObject{
+				obj1, obj2, obj3,
+			},
+			actions: []func(f *RealFIFO){
+				func(f *RealFIFO) { _ = f.Update(obj4) },
+			},
+			batchSize: 2,
+			expectedBatches: [][]Delta{
+				{{Replaced, obj1}, {Replaced, obj2}},
+				{{Replaced, obj3}},
+				{{Updated, obj4}},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			f := NewRealFIFO(
+				testFifoObjectKeyFunc,
+				literalListerGetter(func() []testFifoObject {
+					return tc.initialItems
+				}),
+				nil)
+			f.batchSize = tc.batchSize
+
+			initialItems := make([]interface{}, len(tc.initialItems))
+			for i, item := range tc.initialItems {
+				initialItems[i] = item
+			}
+			_ = f.Replace(initialItems, "")
+			for _, action := range tc.actions {
+				action(f)
+			}
+
+			const maxAttempts = 10
+			receivedItems := make([][]Delta, 0)
+			receivedInitialDeltas := make([][]Delta, 0)
+
+			for i := 0; i < maxAttempts; i++ {
+				received := make(chan []Delta, 100)
+				receivedInitial := make(chan []Delta, 100)
+				go func() {
+					_ = f.PopBatch(func(obj []Delta, isInInitialList bool) error {
+						received <- obj
+						if isInInitialList {
+							receivedInitial <- obj
+						}
+						return nil
+					})
+				}()
+				timer := time.NewTimer(time.Millisecond * 50)
+				select {
+				case <-timer.C:
+					close(received)
+				case item := <-received:
+					receivedItems = append(receivedItems, item)
+					close(received)
+				}
+				timerInitial := time.NewTimer(time.Millisecond * 50)
+				select {
+				case <-timerInitial.C:
+					close(receivedInitial)
+				case item := <-receivedInitial:
+					receivedInitialDeltas = append(receivedInitialDeltas, item)
+					close(receivedInitial)
+				}
+			}
+
+			runtime.Gosched()
+			f.Close()
+
+			idx := 0
+			for _, batch := range tc.expectedBatches {
+				assert.Equal(t, receivedItems[idx], batch)
+				idx++
+			}
+			receivedInitialItems := make([]testFifoObject, 0)
+			for _, deltas := range receivedInitialDeltas {
+				for _, delta := range deltas {
+					receivedInitialItems = append(receivedInitialItems, delta.Object.(testFifoObject))
+				}
+			}
+
+			assert.Equal(t, tc.initialItems, receivedInitialItems)
+		})
+	}
+}
+
+func TestRealFIFO_PopBrokenItemsInBatch(t *testing.T) {
+	clientfeaturestesting.SetFeatureDuringTest(t, clientfeatures.InOrderInformersBatchProcess, true)
+	const unlimitedBatchSize = 999999
+	sucessObj1 := mkFifoObj("foo1", 5)
+	sucessObj2 := mkFifoObj("foo2", 5)
+	failObj3 := mkFifoObj("foo3", 5)
+	failObj4 := mkFifoObj("foo4", 5)
+	testDeltaType := Added
+	testCases := []struct {
+		name            string
+		batchSize       int
+		incomingItems   []testFifoObject
+		expectedBatches [][]Delta
+	}{
+		{
+			name: "1st item is broken",
+			incomingItems: []testFifoObject{
+				failObj3,
+			},
+			expectedBatches: [][]Delta{
+				{{testDeltaType, failObj3}},
+			},
+		},
+		{
+			name: "nth item is broken",
+			incomingItems: []testFifoObject{
+				sucessObj1, sucessObj2, failObj3,
+			},
+			expectedBatches: [][]Delta{
+				{{testDeltaType, sucessObj1}, {testDeltaType, sucessObj2}, {testDeltaType, failObj3}},
+			},
+		},
+		{
+			name: "multiple nth items are broken",
+			incomingItems: []testFifoObject{
+				sucessObj1, sucessObj2, failObj3, failObj4,
+			},
+			expectedBatches: [][]Delta{
+				{{testDeltaType, sucessObj1}, {testDeltaType, sucessObj2}, {testDeltaType, failObj3}},
+				{{testDeltaType, failObj4}},
+			},
+		},
+		{
+			name: "mixed 1st and nth items are broken",
+			incomingItems: []testFifoObject{
+				failObj3, sucessObj1, failObj4,
+			},
+			expectedBatches: [][]Delta{
+				{{testDeltaType, failObj3}},
+				{{testDeltaType, sucessObj1}, {testDeltaType, failObj4}},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testBrokenItemKeyFunc := func(obj interface{}) (string, error) {
+				if obj == failObj3 || obj == failObj4 {
+					return "", errors.New("test key func error")
+				}
+				// otherwise success
+				return testFifoObjectKeyFunc(obj)
+			}
+			f := NewRealFIFO(
+				testBrokenItemKeyFunc,
+				literalListerGetter(func() []testFifoObject {
+					return nil
+				}),
+				nil)
+			f.batchSize = unlimitedBatchSize
+
+			for _, item := range tc.incomingItems {
+				f.items = append(f.items, Delta{testDeltaType, item})
+			}
+
+			const maxAttempts = 10
+			receivedItems := make([][]Delta, 0)
+
+			for i := 0; i < maxAttempts; i++ {
+				received := make(chan []Delta, 100)
+				go func() {
+					_ = f.PopBatch(func(obj []Delta, isInInitialList bool) error {
+						received <- obj
+						return nil
+					})
+				}()
+				timer := time.NewTimer(time.Millisecond * 50)
+				select {
+				case <-timer.C:
+					close(received)
+				case item := <-received:
+					receivedItems = append(receivedItems, item)
+					close(received)
+				}
+			}
+
+			runtime.Gosched()
+			f.Close()
+
+			idx := 0
+			assert.Len(t, tc.expectedBatches, len(receivedItems))
+			for _, batch := range tc.expectedBatches {
+				assert.Equal(t, receivedItems[idx], batch)
+				idx++
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/cache/thread_safe_store.go b/staging/src/k8s.io/client-go/tools/cache/thread_safe_store.go
index 7a4df0e1bae21..ef3a599a9b084 100644
--- a/staging/src/k8s.io/client-go/tools/cache/thread_safe_store.go
+++ b/staging/src/k8s.io/client-go/tools/cache/thread_safe_store.go
@@ -19,8 +19,10 @@ package cache
 import (
 	"fmt"
 	"sync"
+	"time"
 
 	"k8s.io/apimachinery/pkg/util/sets"
+	utiltrace "k8s.io/utils/trace"
 )
 
 // ThreadSafeStore is an interface that allows concurrent indexed
@@ -58,6 +60,19 @@ type ThreadSafeStore interface {
 	Resync() error
 }
 
+// ThreadSafeStoreWithTransaction is a store that can batch execute multiple transactions.
+type ThreadSafeStoreWithTransaction interface {
+	ThreadSafeStore
+	// Transaction allows performing multiple writes in one call.
+	Transaction(fns ...ThreadSafeStoreTransaction)
+}
+
+// ThreadSafeStoreTransaction embeds a Transaction and includes the specific Key identifying the affected object.
+type ThreadSafeStoreTransaction struct {
+	Transaction
+	Key string
+}
+
 // storeIndex implements the indexing functionality for Store interface
 type storeIndex struct {
 	// indexers maps a name to an IndexFunc
@@ -70,7 +85,7 @@ func (i *storeIndex) reset() {
 	i.indices = Indices{}
 }
 
-func (i *storeIndex) getKeysFromIndex(indexName string, obj interface{}) (sets.String, error) {
+func (i *storeIndex) getKeysFromIndex(indexName string, obj interface{}) (sets.Set[string], error) {
 	indexFunc := i.indexers[indexName]
 	if indexFunc == nil {
 		return nil, fmt.Errorf("Index with name %s does not exist", indexName)
@@ -82,7 +97,7 @@ func (i *storeIndex) getKeysFromIndex(indexName string, obj interface{}) (sets.S
 	}
 	index := i.indices[indexName]
 
-	var storeKeySet sets.String
+	var storeKeySet sets.Set[string]
 	if len(indexedValues) == 1 {
 		// In majority of cases, there is exactly one value matching.
 		// Optimize the most common path - deduping is not needed here.
@@ -90,7 +105,7 @@ func (i *storeIndex) getKeysFromIndex(indexName string, obj interface{}) (sets.S
 	} else {
 		// Need to de-dupe the return list.
 		// Since multiple keys are allowed, this can happen.
-		storeKeySet = sets.String{}
+		storeKeySet = sets.Set[string]{}
 		for _, indexedValue := range indexedValues {
 			for key := range index[indexedValue] {
 				storeKeySet.Insert(key)
@@ -101,7 +116,7 @@ func (i *storeIndex) getKeysFromIndex(indexName string, obj interface{}) (sets.S
 	return storeKeySet, nil
 }
 
-func (i *storeIndex) getKeysByIndex(indexName, indexedValue string) (sets.String, error) {
+func (i *storeIndex) getKeysByIndex(indexName, indexedValue string) (sets.Set[string], error) {
 	indexFunc := i.indexers[indexName]
 	if indexFunc == nil {
 		return nil, fmt.Errorf("Index with name %s does not exist", indexName)
@@ -121,10 +136,10 @@ func (i *storeIndex) getIndexValues(indexName string) []string {
 }
 
 func (i *storeIndex) addIndexers(newIndexers Indexers) error {
-	oldKeys := sets.StringKeySet(i.indexers)
-	newKeys := sets.StringKeySet(newIndexers)
+	oldKeys := sets.KeySet(i.indexers)
+	newKeys := sets.KeySet(newIndexers)
 
-	if oldKeys.HasAny(newKeys.List()...) {
+	if oldKeys.HasAny(sets.List(newKeys)...) {
 		return fmt.Errorf("indexer conflict: %v", oldKeys.Intersection(newKeys))
 	}
 
@@ -167,10 +182,10 @@ func (i *storeIndex) updateSingleIndex(name string, oldObj interface{}, newObj i
 		indexValues = indexValues[:0]
 	}
 
-	index := i.indices[name]
-	if index == nil {
-		index = Index{}
-		i.indices[name] = index
+	idx := i.indices[name]
+	if idx == nil {
+		idx = index{}
+		i.indices[name] = idx
 	}
 
 	if len(indexValues) == 1 && len(oldIndexValues) == 1 && indexValues[0] == oldIndexValues[0] {
@@ -179,10 +194,10 @@ func (i *storeIndex) updateSingleIndex(name string, oldObj interface{}, newObj i
 	}
 
 	for _, value := range oldIndexValues {
-		i.deleteKeyFromIndex(key, value, index)
+		i.deleteKeyFromIndex(key, value, idx)
 	}
 	for _, value := range indexValues {
-		i.addKeyToIndex(key, value, index)
+		i.addKeyToIndex(key, value, idx)
 	}
 }
 
@@ -197,16 +212,16 @@ func (i *storeIndex) updateIndices(oldObj interface{}, newObj interface{}, key s
 	}
 }
 
-func (i *storeIndex) addKeyToIndex(key, indexValue string, index Index) {
+func (i *storeIndex) addKeyToIndex(key, indexValue string, index index) {
 	set := index[indexValue]
 	if set == nil {
-		set = sets.String{}
+		set = sets.Set[string]{}
 		index[indexValue] = set
 	}
 	set.Insert(key)
 }
 
-func (i *storeIndex) deleteKeyFromIndex(key, indexValue string, index Index) {
+func (i *storeIndex) deleteKeyFromIndex(key, indexValue string, index index) {
 	set := index[indexValue]
 	if set == nil {
 		return
@@ -229,13 +244,41 @@ type threadSafeMap struct {
 	index *storeIndex
 }
 
+func (c *threadSafeMap) Transaction(txns ...ThreadSafeStoreTransaction) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	trace := utiltrace.New("ThreadSafeMap Transaction Process",
+		utiltrace.Field{Key: "Size", Value: len(txns)},
+		utiltrace.Field{Key: "Reason", Value: "Slow batch process due to too many items"})
+	defer trace.LogIfLong(min(500*time.Millisecond*time.Duration(len(txns)), 5*time.Second))
+
+	for _, txn := range txns {
+		switch txn.Type {
+		case TransactionTypeAdd:
+			c.addLocked(txn.Key, txn.Object)
+		case TransactionTypeUpdate:
+			c.updateLocked(txn.Key, txn.Object)
+		case TransactionTypeDelete:
+			c.deleteLocked(txn.Key)
+		}
+	}
+}
+
 func (c *threadSafeMap) Add(key string, obj interface{}) {
 	c.Update(key, obj)
 }
 
+func (c *threadSafeMap) addLocked(key string, obj interface{}) {
+	c.updateLocked(key, obj)
+}
+
 func (c *threadSafeMap) Update(key string, obj interface{}) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
+	c.updateLocked(key, obj)
+}
+
+func (c *threadSafeMap) updateLocked(key string, obj interface{}) {
 	oldObject := c.items[key]
 	c.items[key] = obj
 	c.index.updateIndices(oldObject, obj, key)
@@ -244,6 +287,10 @@ func (c *threadSafeMap) Update(key string, obj interface{}) {
 func (c *threadSafeMap) Delete(key string) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
+	c.deleteLocked(key)
+}
+
+func (c *threadSafeMap) deleteLocked(key string) {
 	if obj, exists := c.items[key]; exists {
 		c.index.updateIndices(obj, nil, key)
 		delete(c.items, key)
@@ -336,7 +383,7 @@ func (c *threadSafeMap) IndexKeys(indexName, indexedValue string) ([]string, err
 	if err != nil {
 		return nil, err
 	}
-	return set.List(), nil
+	return sets.List(set), nil
 }
 
 func (c *threadSafeMap) ListIndexFuncValues(indexName string) []string {
diff --git a/staging/src/k8s.io/client-go/tools/cache/thread_safe_store_test.go b/staging/src/k8s.io/client-go/tools/cache/thread_safe_store_test.go
index 53f60208310d5..44d620e53c95f 100644
--- a/staging/src/k8s.io/client-go/tools/cache/thread_safe_store_test.go
+++ b/staging/src/k8s.io/client-go/tools/cache/thread_safe_store_test.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 func TestThreadSafeStoreDeleteRemovesEmptySetsFromIndex(t *testing.T) {
@@ -114,7 +115,7 @@ func TestThreadSafeStoreIndexingFunctionsWithMultipleValues(t *testing.T) {
 	assert := assert.New(t)
 
 	compare := func(key string, expected []string) error {
-		values := store.index.indices[testIndexer][key].List()
+		values := sets.List(store.index.indices[testIndexer][key])
 		if cmp.Equal(values, expected) {
 			return nil
 		}
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/api/types.go b/staging/src/k8s.io/client-go/tools/clientcmd/api/types.go
index 8c64adb841e6e..cb21c040a3bc5 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/api/types.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/api/types.go
@@ -283,8 +283,57 @@ type ExecConfig struct {
 	// read user instructions might set this to "used by my-program to read user instructions".
 	// +k8s:conversion-gen=false
 	StdinUnavailableMessage string `json:"-"`
+
+	// PluginPolicy is the policy governing whether or not the configured
+	// `Command` may run.
+	// +k8s:conversion-gen=false
+	PluginPolicy PluginPolicy `json:"-"`
+}
+
+// AllowlistEntry is an entry in the allowlist. For each allowlist item, at
+// least one field must be nonempty. A struct with all empty fields is
+// considered a misconfiguration error. Each field is a criterion for
+// execution. If multiple fields are specified, then the criteria of all
+// specified fields must be met. That is, the result of an individual entry is
+// the logical AND of all checks corresponding to the specified fields within
+// the entry.
+type AllowlistEntry struct {
+	// Name matching is performed by first resolving the absolute path of both
+	// the plugin and the name in the allowlist entry using `exec.LookPath`. It
+	// will be called on both, and the resulting strings must be equal. If
+	// either call to `exec.LookPath` results in an error, the `Name` check
+	// will be considered a failure.
+	Name string `json:"-"`
+}
+
+// PluginPolicy describes the policy type and allowlist (if any) for client-go
+// credential plugins.
+type PluginPolicy struct {
+	// PolicyType specifies the policy governing which, if any, client-go
+	// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+	// If the policy is "", then it falls back to "AllowAll" (this is required
+	// to maintain backward compatibility). If the policy is DenyAll, no
+	// credential plugins may run. If the policy is Allowlist, only those
+	// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+	// field may run. If the policy is not `Allowlist` but one is provided, it
+	// is considered a configuration error.
+	PolicyType PolicyType `json:"-"`
+
+	// Allowlist is a slice of allowlist entries. If any of them is a match,
+	// then the executable in question may execute. That is, the result is the
+	// logical OR of all entries in the allowlist. This list MUST be nil
+	// whenever the policy is not "Allowlist".
+	Allowlist []AllowlistEntry `json:"-"`
 }
 
+type PolicyType string
+
+const (
+	PluginPolicyAllowAll  PolicyType = "AllowAll"
+	PluginPolicyDenyAll   PolicyType = "DenyAll"
+	PluginPolicyAllowlist PolicyType = "Allowlist"
+)
+
 var _ fmt.Stringer = new(ExecConfig)
 var _ fmt.GoStringer = new(ExecConfig)
 
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.conversion.go b/staging/src/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.conversion.go
index bdedc16669583..ef1e9b8eb2465 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.conversion.go
@@ -401,6 +401,7 @@ func autoConvert_api_ExecConfig_To_v1_ExecConfig(in *api.ExecConfig, out *ExecCo
 	out.InteractiveMode = ExecInteractiveMode(in.InteractiveMode)
 	// INFO: in.StdinUnavailable opted out of conversion generation
 	// INFO: in.StdinUnavailableMessage opted out of conversion generation
+	// INFO: in.PluginPolicy opted out of conversion generation
 	return nil
 }
 
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go b/staging/src/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
index 86e4ddef1b13a..aba8add9becc5 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
@@ -25,6 +25,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowlistEntry) DeepCopyInto(out *AllowlistEntry) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowlistEntry.
+func (in *AllowlistEntry) DeepCopy() *AllowlistEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowlistEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthInfo) DeepCopyInto(out *AuthInfo) {
 	*out = *in
@@ -271,6 +287,7 @@ func (in *ExecConfig) DeepCopyInto(out *ExecConfig) {
 	if in.Config != nil {
 		out.Config = in.Config.DeepCopyObject()
 	}
+	in.PluginPolicy.DeepCopyInto(&out.PluginPolicy)
 	return
 }
 
@@ -300,6 +317,27 @@ func (in *ExecEnvVar) DeepCopy() *ExecEnvVar {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PluginPolicy) DeepCopyInto(out *PluginPolicy) {
+	*out = *in
+	if in.Allowlist != nil {
+		in, out := &in.Allowlist, &out.Allowlist
+		*out = make([]AllowlistEntry, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PluginPolicy.
+func (in *PluginPolicy) DeepCopy() *PluginPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(PluginPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Preferences) DeepCopyInto(out *Preferences) {
 	*out = *in
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
index cd0a8649b187d..ed35891e5a1f9 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go
@@ -533,6 +533,21 @@ func (config *DirectClientConfig) getAuthInfo() (clientcmdapi.AuthInfo, error) {
 		if err := merge(mergedAuthInfo, &config.overrides.AuthInfo); err != nil {
 			return clientcmdapi.AuthInfo{}, err
 		}
+
+		// Handle ClientKey/ClientKeyData conflict: if override sets ClientKey, also use override's ClientKeyData
+		// otherwise if original config has ClientKeyData set,
+		// validation returns error "client-key-data and client-key are both specified <user-name>"
+		if len(config.overrides.AuthInfo.ClientKey) > 0 || len(config.overrides.AuthInfo.ClientKeyData) > 0 {
+			mergedAuthInfo.ClientKey = config.overrides.AuthInfo.ClientKey
+			mergedAuthInfo.ClientKeyData = config.overrides.AuthInfo.ClientKeyData
+		}
+		// Handle ClientCertificate/ClientCertificateData conflict, if override sets ClientCertificate, also use override's ClientCertificateData
+		// otherwise if original config has ClientCertificateData set,
+		// validation returns error "client-cert-data and client-cert are both specified <user-name>"
+		if len(config.overrides.AuthInfo.ClientCertificate) > 0 || len(config.overrides.AuthInfo.ClientCertificateData) > 0 {
+			mergedAuthInfo.ClientCertificate = config.overrides.AuthInfo.ClientCertificate
+			mergedAuthInfo.ClientCertificateData = config.overrides.AuthInfo.ClientCertificateData
+		}
 	}
 
 	return *mergedAuthInfo, nil
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go b/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
index 4872eadf3d217..baa406f4e459c 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/client_config_test.go
@@ -1222,3 +1222,166 @@ func TestMergeRawConfigDoOverride(t *testing.T) {
 		t.Errorf("Expected namespace %v, got %v", config.Contexts["clean"].Namespace, act.Contexts["clean"].Namespace)
 	}
 }
+
+func TestClientCertOverrideData(t *testing.T) {
+	// Test that when overrides contain cert/key file paths or data fields,
+	// the corresponding fields are properly handled to avoid validation conflicts
+	// in particular code in DirectClientConfig::getAuthInfo.
+	// This covers both scenarios: overrides with file paths (which clear data fields)
+	// and overrides with data fields (which clear file paths).
+
+	testCases := []struct {
+		name        string
+		description string
+		setupTest   func(t *testing.T) (*clientcmdapi.Config, *ConfigOverrides, func())
+		validate    func(t *testing.T, authInfo *clientcmdapi.AuthInfo)
+	}{
+		{
+			name:        "override-with-file-paths",
+			description: "Test override with cert/key file paths",
+			setupTest: func(t *testing.T) (*clientcmdapi.Config, *ConfigOverrides, func()) {
+				certFile, err := os.CreateTemp("", "test-client-*.crt")
+				if err != nil {
+					t.Fatalf("Failed to create temp cert file: %v", err)
+				}
+
+				keyFile, err := os.CreateTemp("", "test-client-*.key")
+				if err != nil {
+					t.Fatalf("Failed to create temp key file: %v", err)
+				}
+
+				if err := os.WriteFile(certFile.Name(), []byte("dummy-cert-content"), 0600); err != nil {
+					t.Fatalf("Failed to write cert file: %v", err)
+				}
+				if err := os.WriteFile(keyFile.Name(), []byte("dummy-key-content"), 0600); err != nil {
+					t.Fatalf("Failed to write key file: %v", err)
+				}
+
+				baseConfig := clientcmdapi.Config{
+					Clusters: map[string]*clientcmdapi.Cluster{
+						"test-cluster": {
+							Server:                   "https://example.com:6443",
+							CertificateAuthorityData: []byte("fake-ca-data"),
+						},
+					},
+					AuthInfos: map[string]*clientcmdapi.AuthInfo{
+						"test-user": {
+							ClientCertificateData: []byte("base-cert-data"),
+							ClientKeyData:         []byte("base-key-data"),
+						},
+					},
+					Contexts: map[string]*clientcmdapi.Context{
+						"test-context": {
+							Cluster:  "test-cluster",
+							AuthInfo: "test-user",
+						},
+					},
+					CurrentContext: "test-context",
+				}
+
+				overrides := &ConfigOverrides{
+					AuthInfo: clientcmdapi.AuthInfo{
+						ClientCertificate:     certFile.Name(),
+						ClientCertificateData: nil,
+						ClientKey:             keyFile.Name(),
+						ClientKeyData:         nil,
+					},
+				}
+
+				cleanup := func() {
+					utiltesting.CloseAndRemove(t, certFile)
+					utiltesting.CloseAndRemove(t, keyFile)
+				}
+
+				return &baseConfig, overrides, cleanup
+			},
+			validate: func(t *testing.T, authInfo *clientcmdapi.AuthInfo) {
+				if authInfo.ClientCertificate == "" {
+					t.Errorf("Expected ClientCertificate file path to be set")
+				}
+				if authInfo.ClientKey == "" {
+					t.Errorf("Expected ClientKey file path to be set")
+				}
+				if authInfo.ClientCertificateData != nil {
+					t.Errorf("Expected ClientCertificateData to be nil when file path is used")
+				}
+				if authInfo.ClientKeyData != nil {
+					t.Errorf("Expected ClientKeyData to be nil when file path is used")
+				}
+			},
+		},
+		{
+			name:        "override-with-data-fields",
+			description: "Test override with cert/key data fields",
+			setupTest: func(t *testing.T) (*clientcmdapi.Config, *ConfigOverrides, func()) {
+				baseConfig := clientcmdapi.Config{
+					Clusters: map[string]*clientcmdapi.Cluster{
+						"test-cluster": {
+							Server:                   "https://example.com:6443",
+							CertificateAuthorityData: []byte("fake-ca-data"),
+						},
+					},
+					AuthInfos: map[string]*clientcmdapi.AuthInfo{
+						"test-user": {
+							ClientCertificate: "/path/to/base-cert.pem",
+							ClientKey:         "/path/to/base-key.pem",
+						},
+					},
+					Contexts: map[string]*clientcmdapi.Context{
+						"test-context": {
+							Cluster:  "test-cluster",
+							AuthInfo: "test-user",
+						},
+					},
+					CurrentContext: "test-context",
+				}
+
+				overrides := &ConfigOverrides{
+					AuthInfo: clientcmdapi.AuthInfo{
+						ClientCertificate:     "",
+						ClientCertificateData: []byte("override-cert-data"),
+						ClientKey:             "",
+						ClientKeyData:         []byte("override-key-data"),
+					},
+				}
+
+				return &baseConfig, overrides, func() {}
+			},
+			validate: func(t *testing.T, authInfo *clientcmdapi.AuthInfo) {
+				if authInfo.ClientCertificate != "" {
+					t.Errorf("Expected ClientCertificate file path to be empty when data is used")
+				}
+				if authInfo.ClientKey != "" {
+					t.Errorf("Expected ClientKey file path to be empty when data is used")
+				}
+				if string(authInfo.ClientCertificateData) != "override-cert-data" {
+					t.Errorf("Expected ClientCertificateData to be 'override-cert-data', got %s", string(authInfo.ClientCertificateData))
+				}
+				if string(authInfo.ClientKeyData) != "override-key-data" {
+					t.Errorf("Expected ClientKeyData to be 'override-key-data', got %s", string(authInfo.ClientKeyData))
+				}
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			baseConfig, overrides, cleanup := tc.setupTest(t)
+			defer cleanup()
+
+			clientConfig := NewNonInteractiveClientConfig(*baseConfig, "test-context", overrides, nil)
+
+			mergedConfig, err := clientConfig.MergedRawConfig()
+			if err != nil {
+				t.Fatalf("MergedRawConfig() failed: %v", err)
+			}
+
+			authInfo := mergedConfig.AuthInfos["test-user"]
+			if authInfo == nil {
+				t.Fatalf("Expected AuthInfo 'test-user' not found")
+			}
+
+			tc.validate(t, authInfo)
+		})
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/config_test.go b/staging/src/k8s.io/client-go/tools/clientcmd/config_test.go
new file mode 100644
index 0000000000000..74e9ab4de0452
--- /dev/null
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/config_test.go
@@ -0,0 +1,119 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestModifyConfigWritesToFirstKubeconfigFile(t *testing.T) {
+	const (
+		contextNameA   = "context-a"
+		contextNameB   = "context-b"
+		newContextName = "new-context"
+	)
+
+	tempdir := t.TempDir()
+	configFile1, _ := os.Create(filepath.Join(tempdir, "kubeconfig-a"))
+	configFile2, _ := os.Create(filepath.Join(tempdir, "kubeconfig-b"))
+
+	// The first kubeconfig has everything.
+	err := os.WriteFile(configFile1.Name(), []byte(`
+kind: Config
+apiVersion: v1
+clusters:
+- cluster:
+    api-version: v1
+    server: https://kubernetes.default.svc:443
+    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  name: kubeconfig-cluster
+contexts:
+- context:
+    cluster: kubeconfig-cluster
+    namespace: default
+    user: kubeconfig-user
+  name: `+contextNameA+`
+current-context: `+contextNameA+`
+users:
+- name: kubeconfig-user
+  user:
+    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+`), os.FileMode(0755))
+
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	// The second kubeconfig declares a new context and activates it.
+	err = os.WriteFile(configFile2.Name(), []byte(`
+kind: Config
+apiVersion: v1
+contexts:
+- context:
+    cluster: kubeconfig-cluster
+    namespace: a-different-namespace
+    user: kubeconfig-user
+  name: `+contextNameB+`
+current-context: `+contextNameB+`
+`), os.FileMode(0755))
+
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	// Set KUBECONFIG to the files, in descending alphabetical order.
+	// This will be used to check that they don't get sorted.
+	envVarValue := fmt.Sprintf("%s%c%s", configFile2.Name(), filepath.ListSeparator, configFile1.Name())
+	t.Setenv(RecommendedConfigPathEnvVar, envVarValue)
+
+	// Load the kubeconfigs, change the active context, and call ModifyConfig.
+	loadingRules := NewDefaultClientConfigLoadingRules()
+	config, err := loadingRules.Load()
+
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	newConfig := config.DeepCopy()
+	newConfig.CurrentContext = newContextName
+	err = ModifyConfig(loadingRules, *newConfig, false)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// Load the files again and check that only configFile2 was changed.
+	config1, err := LoadFromFile(configFile1.Name()) // file sorts first, but was specified last
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	if config1.CurrentContext != contextNameA {
+		t.Errorf("Config should not be modified, but was. Expected %q, got %q", contextNameA, config1.CurrentContext)
+	}
+
+	config2, err := LoadFromFile(configFile2.Name()) // file sorts last, but was specified first
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	if config2.CurrentContext != newContextName {
+		t.Errorf("Config should be modified, but was not. Expected %q, got %q", newContextName, config2.CurrentContext)
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/loader.go b/staging/src/k8s.io/client-go/tools/clientcmd/loader.go
index c900e5fd194e4..b127e2e08f7f6 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/loader.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/loader.go
@@ -331,7 +331,10 @@ func (rules *ClientConfigLoadingRules) GetLoadingPrecedence() []string {
 		return []string{rules.ExplicitPath}
 	}
 
-	return rules.Precedence
+	// Create a copy in case something tries to sort the returned slice.
+	precedence := make([]string, len(rules.Precedence))
+	copy(precedence, rules.Precedence)
+	return precedence
 }
 
 // GetStartingConfig implements ConfigAccess
diff --git a/staging/src/k8s.io/client-go/tools/clientcmd/validation.go b/staging/src/k8s.io/client-go/tools/clientcmd/validation.go
index 088972ef65c99..0389ad6dcb78e 100644
--- a/staging/src/k8s.io/client-go/tools/clientcmd/validation.go
+++ b/staging/src/k8s.io/client-go/tools/clientcmd/validation.go
@@ -25,6 +25,7 @@ import (
 
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation"
+	authexec "k8s.io/client-go/plugin/pkg/client/auth/exec"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
@@ -327,6 +328,10 @@ func validateAuthInfo(authInfoName string, authInfo clientcmdapi.AuthInfo) []err
 		default:
 			validationErrors = append(validationErrors, fmt.Errorf("invalid interactiveMode for %v: %q", authInfoName, authInfo.Exec.InteractiveMode))
 		}
+
+		if err := authexec.ValidatePluginPolicy(authInfo.Exec.PluginPolicy); err != nil {
+			validationErrors = append(validationErrors, fmt.Errorf("allowlist misconfiguration: %w", err))
+		}
 	}
 
 	// authPath also provides information for the client to identify the server, so allow multiple auth methods in that case
diff --git a/staging/src/k8s.io/client-go/tools/events/event_broadcaster.go b/staging/src/k8s.io/client-go/tools/events/event_broadcaster.go
index 94c2012b8bb17..ff6b2c4fab931 100644
--- a/staging/src/k8s.io/client-go/tools/events/event_broadcaster.go
+++ b/staging/src/k8s.io/client-go/tools/events/event_broadcaster.go
@@ -240,7 +240,7 @@ func recordEvent(ctx context.Context, sink EventSink, event *eventsv1.Event) (*e
 		newEvent, err = sink.Patch(ctx, event, patch)
 	}
 	// Update can fail because the event may have been removed and it no longer exists.
-	if !isEventSeries || (isEventSeries && util.IsKeyNotFoundError(err)) {
+	if !isEventSeries || util.IsKeyNotFoundError(err) {
 		// Making sure that ResourceVersion is empty on creation
 		event.ResourceVersion = ""
 		newEvent, err = sink.Create(ctx, event)
diff --git a/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection.go b/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection.go
index 07180630b8d33..29d34c4e906f7 100644
--- a/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection.go
+++ b/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection.go
@@ -209,7 +209,7 @@ type LeaderElector struct {
 // before leader election loop is stopped by ctx or it has
 // stopped holding the leader lease
 func (le *LeaderElector) Run(ctx context.Context) {
-	defer runtime.HandleCrash()
+	defer runtime.HandleCrashWithContext(ctx)
 	defer le.config.Callbacks.OnStoppedLeading()
 
 	if !le.acquire(ctx) {
@@ -254,7 +254,8 @@ func (le *LeaderElector) acquire(ctx context.Context) bool {
 	defer cancel()
 	succeeded := false
 	desc := le.config.Lock.Describe()
-	klog.Infof("attempting to acquire leader lease %v...", desc)
+	logger := klog.FromContext(ctx)
+	logger.Info("Attempting to acquire leader lease...", "lock", desc)
 	wait.JitterUntil(func() {
 		if !le.config.Coordinated {
 			succeeded = le.tryAcquireOrRenew(ctx)
@@ -263,12 +264,12 @@ func (le *LeaderElector) acquire(ctx context.Context) bool {
 		}
 		le.maybeReportTransition()
 		if !succeeded {
-			klog.V(4).Infof("failed to acquire lease %v", desc)
+			logger.V(4).Info("Failed to acquire lease", "lock", desc)
 			return
 		}
 		le.config.Lock.RecordEvent("became leader")
 		le.metrics.leaderOn(le.config.Name)
-		klog.Infof("successfully acquired lease %v", desc)
+		logger.Info("Successfully acquired lease", "lock", desc)
 		cancel()
 	}, le.config.RetryPeriod, JitterFactor, true, ctx.Done())
 	return succeeded
@@ -279,6 +280,7 @@ func (le *LeaderElector) renew(ctx context.Context) {
 	defer le.config.Lock.RecordEvent("stopped leading")
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
+	logger := klog.FromContext(ctx)
 	wait.Until(func() {
 		err := wait.PollUntilContextTimeout(ctx, le.config.RetryPeriod, le.config.RenewDeadline, true, func(ctx context.Context) (done bool, err error) {
 			if !le.config.Coordinated {
@@ -290,22 +292,22 @@ func (le *LeaderElector) renew(ctx context.Context) {
 		le.maybeReportTransition()
 		desc := le.config.Lock.Describe()
 		if err == nil {
-			klog.V(5).Infof("successfully renewed lease %v", desc)
+			logger.V(5).Info("Successfully renewed lease", "lock", desc)
 			return
 		}
 		le.metrics.leaderOff(le.config.Name)
-		klog.Infof("failed to renew lease %v: %v", desc, err)
+		logger.Info("Failed to renew lease", "lock", desc, "err", err)
 		cancel()
 	}, le.config.RetryPeriod, ctx.Done())
 
 	// if we hold the lease, give it up
 	if le.config.ReleaseOnCancel {
-		le.release()
+		le.release(logger)
 	}
 }
 
 // release attempts to release the leader lease if we have acquired it.
-func (le *LeaderElector) release() bool {
+func (le *LeaderElector) release(logger klog.Logger) bool {
 	ctx := context.Background()
 	timeoutCtx, timeoutCancel := context.WithTimeout(ctx, le.config.RenewDeadline)
 	defer timeoutCancel()
@@ -313,10 +315,10 @@ func (le *LeaderElector) release() bool {
 	oldLeaderElectionRecord, _, err := le.config.Lock.Get(timeoutCtx)
 	if err != nil {
 		if !errors.IsNotFound(err) {
-			klog.Errorf("error retrieving resource lock %v: %v", le.config.Lock.Describe(), err)
+			logger.Error(err, "error retrieving resource lock", "lock", le.config.Lock.Describe())
 			return false
 		}
-		klog.Infof("lease lock not found: %v", le.config.Lock.Describe())
+		logger.Info("lease lock not found", "lock", le.config.Lock.Describe())
 		return false
 	}
 
@@ -331,7 +333,7 @@ func (le *LeaderElector) release() bool {
 		AcquireTime:          now,
 	}
 	if err := le.config.Lock.Update(timeoutCtx, leaderElectionRecord); err != nil {
-		klog.Errorf("Failed to release lock: %v", err)
+		logger.Error(err, "Failed to release lease", "lock", le.config.Lock.Describe())
 		return false
 	}
 
@@ -343,6 +345,7 @@ func (le *LeaderElector) release() bool {
 // lease if it has already been acquired. Returns true on success else returns
 // false.
 func (le *LeaderElector) tryCoordinatedRenew(ctx context.Context) bool {
+	logger := klog.FromContext(ctx)
 	now := metav1.NewTime(le.clock.Now())
 	leaderElectionRecord := rl.LeaderElectionRecord{
 		HolderIdentity:       le.config.Lock.Identity(),
@@ -355,10 +358,10 @@ func (le *LeaderElector) tryCoordinatedRenew(ctx context.Context) bool {
 	oldLeaderElectionRecord, oldLeaderElectionRawRecord, err := le.config.Lock.Get(ctx)
 	if err != nil {
 		if !errors.IsNotFound(err) {
-			klog.Errorf("error retrieving resource lock %v: %v", le.config.Lock.Describe(), err)
+			logger.Error(err, "Error retrieving lease lock", "lock", le.config.Lock.Describe())
 			return false
 		}
-		klog.Infof("lease lock not found: %v", le.config.Lock.Describe())
+		logger.Info("Lease lock not found", "lock", le.config.Lock.Describe(), "err", err)
 		return false
 	}
 
@@ -371,18 +374,18 @@ func (le *LeaderElector) tryCoordinatedRenew(ctx context.Context) bool {
 
 	hasExpired := le.observedTime.Add(time.Second * time.Duration(oldLeaderElectionRecord.LeaseDurationSeconds)).Before(now.Time)
 	if hasExpired {
-		klog.Infof("lock has expired: %v", le.config.Lock.Describe())
+		logger.Info("Lease has expired", "lock", le.config.Lock.Describe())
 		return false
 	}
 
 	if !le.IsLeader() {
-		klog.V(6).Infof("lock is held by %v and has not yet expired: %v", oldLeaderElectionRecord.HolderIdentity, le.config.Lock.Describe())
+		logger.V(6).Info("Lease is held and has not yet expired", "lock", le.config.Lock.Describe(), "holder", oldLeaderElectionRecord.HolderIdentity)
 		return false
 	}
 
 	// 2b. If the lease has been marked as "end of term", don't renew it
 	if le.IsLeader() && oldLeaderElectionRecord.PreferredHolder != "" {
-		klog.V(4).Infof("lock is marked as 'end of term': %v", le.config.Lock.Describe())
+		logger.V(4).Info("Lease is marked as 'end of term'", "lock", le.config.Lock.Describe())
 		// TODO: Instead of letting lease expire, the holder may deleted it directly
 		// This will not be compatible with all controllers, so it needs to be opt-in behavior.
 		// We must ensure all code guarded by this lease has successfully completed
@@ -406,7 +409,7 @@ func (le *LeaderElector) tryCoordinatedRenew(ctx context.Context) bool {
 
 	// update the lock itself
 	if err = le.config.Lock.Update(ctx, leaderElectionRecord); err != nil {
-		klog.Errorf("Failed to update lock: %v", err)
+		logger.Error(err, "Failed to update lock", "lock", le.config.Lock.Describe())
 		return false
 	}
 
@@ -418,6 +421,7 @@ func (le *LeaderElector) tryCoordinatedRenew(ctx context.Context) bool {
 // else it tries to renew the lease if it has already been acquired. Returns true
 // on success else returns false.
 func (le *LeaderElector) tryAcquireOrRenew(ctx context.Context) bool {
+	logger := klog.FromContext(ctx)
 	now := metav1.NewTime(le.clock.Now())
 	leaderElectionRecord := rl.LeaderElectionRecord{
 		HolderIdentity:       le.config.Lock.Identity(),
@@ -438,18 +442,18 @@ func (le *LeaderElector) tryAcquireOrRenew(ctx context.Context) bool {
 			le.setObservedRecord(&leaderElectionRecord)
 			return true
 		}
-		klog.Errorf("Failed to update lock optimistically: %v, falling back to slow path", err)
+		logger.Error(err, "Failed to update lease optimistically, falling back to slow path", "lock", le.config.Lock.Describe())
 	}
 
 	// 2. obtain or create the ElectionRecord
 	oldLeaderElectionRecord, oldLeaderElectionRawRecord, err := le.config.Lock.Get(ctx)
 	if err != nil {
 		if !errors.IsNotFound(err) {
-			klog.Errorf("error retrieving resource lock %v: %v", le.config.Lock.Describe(), err)
+			logger.Error(err, "Error retrieving lease lock", "lock", le.config.Lock.Describe())
 			return false
 		}
 		if err = le.config.Lock.Create(ctx, leaderElectionRecord); err != nil {
-			klog.Errorf("error initially creating leader election record: %v", err)
+			logger.Error(err, "Error initially creating lease lock", "lock", le.config.Lock.Describe())
 			return false
 		}
 
@@ -465,7 +469,7 @@ func (le *LeaderElector) tryAcquireOrRenew(ctx context.Context) bool {
 		le.observedRawRecord = oldLeaderElectionRawRecord
 	}
 	if len(oldLeaderElectionRecord.HolderIdentity) > 0 && le.isLeaseValid(now.Time) && !le.IsLeader() {
-		klog.V(4).Infof("lock is held by %v and has not yet expired", oldLeaderElectionRecord.HolderIdentity)
+		logger.V(4).Info("Lease is held by and has not yet expired", "lock", le.config.Lock.Describe(), "holder", oldLeaderElectionRecord.HolderIdentity)
 		return false
 	}
 
@@ -481,7 +485,7 @@ func (le *LeaderElector) tryAcquireOrRenew(ctx context.Context) bool {
 
 	// update the lock itself
 	if err = le.config.Lock.Update(ctx, leaderElectionRecord); err != nil {
-		klog.Errorf("Failed to update lock: %v", err)
+		logger.Error(err, "Failed to update lease", "lock", le.config.Lock.Describe())
 		return false
 	}
 
diff --git a/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go b/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go
index eff461770dd1a..6762a32d17cd5 100644
--- a/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go
+++ b/staging/src/k8s.io/client-go/tools/leaderelection/leaderelection_test.go
@@ -37,6 +37,7 @@ import (
 	fakeclient "k8s.io/client-go/testing"
 	rl "k8s.io/client-go/tools/leaderelection/resourcelock"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/klog/v2/ktesting"
 	"k8s.io/utils/clock"
 )
 
@@ -265,6 +266,8 @@ func testTryAcquireOrRenew(t *testing.T, objectType string) {
 	for i := range tests {
 		test := &tests[i]
 		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+
 			// OnNewLeader is called async so we have to wait for it.
 			var wg sync.WaitGroup
 			wg.Add(1)
@@ -316,10 +319,10 @@ func testTryAcquireOrRenew(t *testing.T, objectType string) {
 				clock:             clock,
 				metrics:           globalMetricsFactory.newLeaderMetrics(),
 			}
-			if test.expectSuccess != le.tryAcquireOrRenew(context.Background()) {
+			if test.expectSuccess != le.tryAcquireOrRenew(ctx) {
 				if test.retryAfter != 0 {
 					time.Sleep(test.retryAfter)
-					if test.expectSuccess != le.tryAcquireOrRenew(context.Background()) {
+					if test.expectSuccess != le.tryAcquireOrRenew(ctx) {
 						t.Errorf("unexpected result of tryAcquireOrRenew: [succeeded=%v]", !test.expectSuccess)
 					}
 				} else {
@@ -411,6 +414,8 @@ func TestTryCoordinatedRenew(t *testing.T) {
 	for i := range tests {
 		test := &tests[i]
 		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+
 			// OnNewLeader is called async so we have to wait for it.
 			var wg sync.WaitGroup
 			wg.Add(1)
@@ -457,10 +462,10 @@ func TestTryCoordinatedRenew(t *testing.T) {
 				clock:             clock,
 				metrics:           globalMetricsFactory.newLeaderMetrics(),
 			}
-			if test.expectSuccess != le.tryCoordinatedRenew(context.Background()) {
+			if test.expectSuccess != le.tryCoordinatedRenew(ctx) {
 				if test.retryAfter != 0 {
 					time.Sleep(test.retryAfter)
-					if test.expectSuccess != le.tryCoordinatedRenew(context.Background()) {
+					if test.expectSuccess != le.tryCoordinatedRenew(ctx) {
 						t.Errorf("unexpected result of tryCoordinatedRenew: [succeeded=%v]", !test.expectSuccess)
 					}
 				} else {
@@ -590,6 +595,8 @@ func testReleaseLease(t *testing.T, objectType string) {
 	for i := range tests {
 		test := &tests[i]
 		t.Run(test.name, func(t *testing.T) {
+			logger, ctx := ktesting.NewTestContext(t)
+
 			// OnNewLeader is called async so we have to wait for it.
 			var wg sync.WaitGroup
 			wg.Add(1)
@@ -641,7 +648,7 @@ func testReleaseLease(t *testing.T, objectType string) {
 				clock:             clock.RealClock{},
 				metrics:           globalMetricsFactory.newLeaderMetrics(),
 			}
-			if !le.tryAcquireOrRenew(context.Background()) {
+			if !le.tryAcquireOrRenew(ctx) {
 				t.Errorf("unexpected result of tryAcquireOrRenew: [succeeded=%v]", true)
 			}
 
@@ -651,7 +658,7 @@ func testReleaseLease(t *testing.T, objectType string) {
 			wg.Wait()
 			wg.Add(1)
 
-			if test.expectSuccess != le.release() {
+			if test.expectSuccess != le.release(logger) {
 				t.Errorf("unexpected result of release: [succeeded=%v]", !test.expectSuccess)
 			}
 
@@ -686,6 +693,7 @@ func TestReleaseLeaseLeases(t *testing.T) {
 
 // TestReleaseMethodCallsGet test release method calls Get
 func TestReleaseMethodCallsGet(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	objectType := "leases"
 	getCalled := false
 
@@ -730,7 +738,7 @@ func TestReleaseMethodCallsGet(t *testing.T) {
 		metrics:           globalMetricsFactory.newLeaderMetrics(),
 	}
 
-	le.release()
+	le.release(logger)
 
 	if !getCalled {
 		t.Errorf("release method does not call Get")
@@ -903,6 +911,8 @@ func testReleaseOnCancellation(t *testing.T, objectType string) {
 	for i := range tests {
 		test := &tests[i]
 		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+
 			wg.Add(1)
 			resetVars()
 
@@ -930,7 +940,7 @@ func testReleaseOnCancellation(t *testing.T, objectType string) {
 				t.Fatal("Failed to create leader elector: ", err)
 			}
 
-			ctx, cancel := context.WithCancel(context.Background())
+			ctx, cancel := context.WithCancel(ctx)
 
 			go elector.Run(ctx)
 
@@ -1144,6 +1154,8 @@ func TestFastPathLeaderElection(t *testing.T) {
 	for i := range tests {
 		test := &tests[i]
 		t.Run(test.name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+
 			resetVars()
 
 			recorder := record.NewFakeRecorder(100)
@@ -1170,7 +1182,7 @@ func TestFastPathLeaderElection(t *testing.T) {
 				t.Fatal("Failed to create leader elector: ", err)
 			}
 
-			ctx, cancel := context.WithCancel(context.Background())
+			ctx, cancel := context.WithCancel(ctx)
 			cancelFunc = cancel
 
 			elector.Run(ctx)
diff --git a/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate.go b/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate.go
index 9aaf779eaae27..b2fa14a5f3a69 100644
--- a/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate.go
+++ b/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate.go
@@ -120,8 +120,12 @@ func NewCandidate(clientset kubernetes.Interface,
 func (c *LeaseCandidate) Run(ctx context.Context) {
 	defer c.queue.ShutDown()
 
+	logger := klog.FromContext(ctx)
+	logger = klog.LoggerWithName(logger, "leasecandidate")
+	ctx = klog.NewContext(ctx, logger)
+
 	c.informerFactory.Start(ctx.Done())
-	if !cache.WaitForNamedCacheSync("leasecandidateclient", ctx.Done(), c.hasSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.hasSynced) {
 		return
 	}
 
@@ -148,7 +152,7 @@ func (c *LeaseCandidate) processNextWorkItem(ctx context.Context) bool {
 		return true
 	}
 
-	utilruntime.HandleError(err)
+	utilruntime.HandleErrorWithContext(ctx, err, "Ensuring lease failed")
 	c.queue.AddRateLimited(key)
 
 	return true
@@ -161,20 +165,21 @@ func (c *LeaseCandidate) enqueueLease() {
 // ensureLease creates the lease if it does not exist and renew it if it exists. Returns the lease and
 // a bool (true if this call created the lease), or any error that occurs.
 func (c *LeaseCandidate) ensureLease(ctx context.Context) error {
+	logger := klog.FromContext(ctx)
 	lease, err := c.leaseClient.Get(ctx, c.name, metav1.GetOptions{})
 	if apierrors.IsNotFound(err) {
-		klog.V(2).Infof("Creating lease candidate")
+		logger.V(2).Info("Creating lease candidate")
 		// lease does not exist, create it.
 		leaseToCreate := c.newLeaseCandidate()
 		if _, err := c.leaseClient.Create(ctx, leaseToCreate, metav1.CreateOptions{}); err != nil {
 			return err
 		}
-		klog.V(2).Infof("Created lease candidate")
+		logger.V(2).Info("Created lease candidate")
 		return nil
 	} else if err != nil {
 		return err
 	}
-	klog.V(2).Infof("lease candidate exists. Renewing.")
+	logger.V(2).Info("Lease candidate exists. Renewing.")
 	clone := lease.DeepCopy()
 	clone.Spec.RenewTime = &metav1.MicroTime{Time: c.clock.Now()}
 	_, err = c.leaseClient.Update(ctx, clone, metav1.UpdateOptions{})
diff --git a/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate_test.go b/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate_test.go
index 3099a4ea3c957..efd51f460a67a 100644
--- a/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate_test.go
+++ b/staging/src/k8s.io/client-go/tools/leaderelection/leasecandidate_test.go
@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/klog/v2/ktesting"
 )
 
 type testcase struct {
@@ -34,6 +35,7 @@ type testcase struct {
 }
 
 func TestLeaseCandidateCreation(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
 	tc := testcase{
 		candidateName:      "foo",
 		candidateNamespace: "default",
@@ -42,7 +44,7 @@ func TestLeaseCandidateCreation(t *testing.T) {
 		emulationVersion:   "1.30.0",
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	ctx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 
 	client := fake.NewSimpleClientset()
@@ -67,6 +69,8 @@ func TestLeaseCandidateCreation(t *testing.T) {
 }
 
 func TestLeaseCandidateAck(t *testing.T) {
+	_, ctx := ktesting.NewTestContext(t)
+
 	tc := testcase{
 		candidateName:      "foo",
 		candidateNamespace: "default",
@@ -75,7 +79,7 @@ func TestLeaseCandidateAck(t *testing.T) {
 		emulationVersion:   "1.30.0",
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	ctx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 
 	client := fake.NewSimpleClientset()
diff --git a/staging/src/k8s.io/client-go/tools/metrics/metrics.go b/staging/src/k8s.io/client-go/tools/metrics/metrics.go
index 99d3d8e239ccb..e364b7e1cf0ce 100644
--- a/staging/src/k8s.io/client-go/tools/metrics/metrics.go
+++ b/staging/src/k8s.io/client-go/tools/metrics/metrics.go
@@ -62,6 +62,12 @@ type CallsMetric interface {
 	Increment(exitCode int, callStatus string)
 }
 
+// CallsMetric counts the success or failure of execution for exec plugins.
+type PolicyCallsMetric interface {
+	// Increment increments a counter per status { "allowed", "denied" }
+	Increment(status string)
+}
+
 // RetryMetric counts the number of retries sent to the server
 // partitioned by code, method, and host.
 type RetryMetric interface {
@@ -99,6 +105,9 @@ var (
 	// ExecPluginCalls is the number of calls made to an exec plugin, partitioned by
 	// exit code and call status.
 	ExecPluginCalls CallsMetric = noopCalls{}
+	// ExecPluginPolicyCalls is the number of plugin policy check calls, partitioned
+	// by {"allowed", "denied"}
+	ExecPluginPolicyCalls PolicyCallsMetric = noopPolicy{}
 	// RequestRetry is the retry metric that tracks the number of
 	// retries sent to the server.
 	RequestRetry RetryMetric = noopRetry{}
@@ -121,6 +130,7 @@ type RegisterOpts struct {
 	RateLimiterLatency    LatencyMetric
 	RequestResult         ResultMetric
 	ExecPluginCalls       CallsMetric
+	ExecPluginPolicyCalls PolicyCallsMetric
 	RequestRetry          RetryMetric
 	TransportCacheEntries TransportCacheMetric
 	TransportCreateCalls  TransportCreateCallsMetric
@@ -157,6 +167,9 @@ func Register(opts RegisterOpts) {
 		if opts.ExecPluginCalls != nil {
 			ExecPluginCalls = opts.ExecPluginCalls
 		}
+		if opts.ExecPluginPolicyCalls != nil {
+			ExecPluginCalls = opts.ExecPluginCalls
+		}
 		if opts.RequestRetry != nil {
 			RequestRetry = opts.RequestRetry
 		}
@@ -198,6 +211,10 @@ type noopCalls struct{}
 
 func (noopCalls) Increment(int, string) {}
 
+type noopPolicy struct{}
+
+func (noopPolicy) Increment(string) {}
+
 type noopRetry struct{}
 
 func (noopRetry) IncrementRetry(context.Context, string, string, string) {}
diff --git a/staging/src/k8s.io/client-go/tools/record/event.go b/staging/src/k8s.io/client-go/tools/record/event.go
index f97c5d612eac0..58322d44d23d7 100644
--- a/staging/src/k8s.io/client-go/tools/record/event.go
+++ b/staging/src/k8s.io/client-go/tools/record/event.go
@@ -334,7 +334,7 @@ func recordEvent(ctx context.Context, sink EventSink, event *v1.Event, patch []b
 		newEvent, err = sink.Patch(event, patch)
 	}
 	// Update can fail because the event may have been removed and it no longer exists.
-	if !updateExistingEvent || (updateExistingEvent && util.IsKeyNotFoundError(err)) {
+	if !updateExistingEvent || util.IsKeyNotFoundError(err) {
 		// Making sure that ResourceVersion is empty on creation
 		event.ResourceVersion = ""
 		newEvent, err = sink.Create(event)
diff --git a/staging/src/k8s.io/client-go/tools/record/events_cache.go b/staging/src/k8s.io/client-go/tools/record/events_cache.go
index 170074d4b4e9c..9eae6971c128c 100644
--- a/staging/src/k8s.io/client-go/tools/record/events_cache.go
+++ b/staging/src/k8s.io/client-go/tools/record/events_cache.go
@@ -223,7 +223,7 @@ func NewEventAggregator(lruCacheSize int, keyFunc EventAggregatorKeyFunc, messag
 type aggregateRecord struct {
 	// we track the number of unique local keys we have seen in the aggregate set to know when to actually aggregate
 	// if the size of this set exceeds the max, we know we need to aggregate
-	localKeys sets.String
+	localKeys sets.Set[string]
 	// The last time at which the aggregate was recorded
 	lastTimestamp metav1.Time
 }
@@ -257,7 +257,7 @@ func (e *EventAggregator) EventAggregate(newEvent *v1.Event) (*v1.Event, string)
 	maxInterval := time.Duration(e.maxIntervalInSeconds) * time.Second
 	interval := now.Time.Sub(record.lastTimestamp.Time)
 	if interval > maxInterval {
-		record = aggregateRecord{localKeys: sets.NewString()}
+		record = aggregateRecord{localKeys: sets.New[string]()}
 	}
 
 	// Write the new event into the aggregation record and put it on the cache
diff --git a/staging/src/k8s.io/client-go/tools/reference/ref.go b/staging/src/k8s.io/client-go/tools/reference/ref.go
index 5d4ec3743453b..7ba73924b94e2 100644
--- a/staging/src/k8s.io/client-go/tools/reference/ref.go
+++ b/staging/src/k8s.io/client-go/tools/reference/ref.go
@@ -20,7 +20,7 @@ import (
 	"errors"
 	"fmt"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -63,6 +63,9 @@ func GetReference(scheme *runtime.Scheme, obj runtime.Object) (*v1.ObjectReferen
 	//
 	// TODO: This doesn't work for CRDs, which are not registered in scheme.
 	if gvk.Empty() {
+		if scheme == nil {
+			return nil, errors.New("scheme is required to look up gvk")
+		}
 		gvks, _, err := scheme.ObjectKinds(obj)
 		if err != nil {
 			return nil, err
diff --git a/staging/src/k8s.io/client-go/tools/reference/ref_test.go b/staging/src/k8s.io/client-go/tools/reference/ref_test.go
index c7042c62160bc..488d655d64fa4 100644
--- a/staging/src/k8s.io/client-go/tools/reference/ref_test.go
+++ b/staging/src/k8s.io/client-go/tools/reference/ref_test.go
@@ -72,3 +72,41 @@ func TestGetReferenceRefVersion(t *testing.T) {
 		})
 	}
 }
+
+func TestGetReferenceNilScheme(t *testing.T) {
+	input := &TestRuntimeObj{
+		ObjectMeta: metav1.ObjectMeta{},
+	}
+	_, err := GetReference(nil, input)
+	if err == nil {
+		t.Fatal("expected an error")
+	}
+	if err.Error() != "scheme is required to look up gvk" {
+		t.Errorf("expected %q, got %q", "scheme is required to look up gvk", err.Error())
+	}
+}
+
+func TestGetReferenceNilSchemeWithPopulatedGVK(t *testing.T) {
+	input := &TestRuntimeObj{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "foo.group/v3",
+			Kind:       "Bar",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "a-name",
+		},
+	}
+	ref, err := GetReference(nil, input)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if ref.APIVersion != "foo.group/v3" {
+		t.Errorf("expected %q, got %q", "foo.group/v3", ref.APIVersion)
+	}
+	if ref.Kind != "Bar" {
+		t.Errorf("expected %q, got %q", "Bar", ref.Kind)
+	}
+	if ref.Name != "a-name" {
+		t.Errorf("expected %q, got %q", "a-name", ref.Name)
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/remotecommand/resize.go b/staging/src/k8s.io/client-go/tools/remotecommand/resize.go
index c838f21ba6a54..2815112a5378d 100644
--- a/staging/src/k8s.io/client-go/tools/remotecommand/resize.go
+++ b/staging/src/k8s.io/client-go/tools/remotecommand/resize.go
@@ -16,16 +16,17 @@ limitations under the License.
 
 package remotecommand
 
-// TerminalSize and TerminalSizeQueue was a part of k8s.io/kubernetes/pkg/util/term
-// and were moved in order to decouple client from other term dependencies
-
 // TerminalSize represents the width and height of a terminal.
+// It is the same as staging/src/k8s.io/kubectl/pkg/util/term.TerminalSize.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
 type TerminalSize struct {
 	Width  uint16
 	Height uint16
 }
 
 // TerminalSizeQueue is capable of returning terminal resize events as they occur.
+// It is the same as staging/src/k8s.io/kubectl/pkg/util/term.TerminalSizeQueue.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
 type TerminalSizeQueue interface {
 	// Next returns the new terminal size after the terminal has been resized. It returns nil when
 	// monitoring has been stopped.
diff --git a/staging/src/k8s.io/client-go/tools/watch/informerwatcher_test.go b/staging/src/k8s.io/client-go/tools/watch/informerwatcher_test.go
index e03f9612dbafe..07cea00237658 100644
--- a/staging/src/k8s.io/client-go/tools/watch/informerwatcher_test.go
+++ b/staging/src/k8s.io/client-go/tools/watch/informerwatcher_test.go
@@ -387,7 +387,7 @@ func TestNewInformerWatcher(t *testing.T) {
 func TestInformerWatcherDeletedFinalStateUnknown(t *testing.T) {
 	listCalls := 0
 	watchCalls := 0
-	lw := &cache.ListWatch{
+	lw := toListWatcherWithUnSupportedWatchListSemantics(&cache.ListWatch{
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			retval := &corev1.SecretList{}
 			if listCalls == 0 {
@@ -413,7 +413,7 @@ func TestInformerWatcherDeletedFinalStateUnknown(t *testing.T) {
 			watchCalls++
 			return w, nil
 		},
-	}
+	})
 	//nolint:logcheck // Intentionally uses the older API.
 	_, _, w, done := NewIndexerInformerWatcher(lw, &corev1.Secret{})
 	defer w.Stop()
@@ -464,3 +464,17 @@ func TestInformerWatcherDeletedFinalStateUnknown(t *testing.T) {
 		t.Fatalf("expected at least 1 watch call, got %d", watchCalls)
 	}
 }
+
+type listWatchWithUnSupportedWatchListSemanticsWrapper struct {
+	*cache.ListWatch
+}
+
+func (lw listWatchWithUnSupportedWatchListSemanticsWrapper) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
+func toListWatcherWithUnSupportedWatchListSemantics(lw *cache.ListWatch) cache.ListerWatcher {
+	return listWatchWithUnSupportedWatchListSemanticsWrapper{
+		lw,
+	}
+}
diff --git a/staging/src/k8s.io/client-go/tools/watch/until_test.go b/staging/src/k8s.io/client-go/tools/watch/until_test.go
index d2194fbd0a4ba..255cf5432b44d 100644
--- a/staging/src/k8s.io/client-go/tools/watch/until_test.go
+++ b/staging/src/k8s.io/client-go/tools/watch/until_test.go
@@ -189,7 +189,7 @@ func TestUntilWithSync(t *testing.T) {
 	// FIXME: test preconditions
 	tt := []struct {
 		name             string
-		lw               *cache.ListWatch
+		lw               cache.ListerWatcher
 		preconditionFunc PreconditionFunc
 		conditionFunc    ConditionFunc
 		expectedErr      error
@@ -197,14 +197,14 @@ func TestUntilWithSync(t *testing.T) {
 	}{
 		{
 			name: "doesn't wait for sync with no precondition",
-			lw: &cache.ListWatch{
+			lw: toListWatcherWithUnSupportedWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					select {}
 				},
 				WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 					select {}
 				},
-			},
+			}),
 			preconditionFunc: nil,
 			conditionFunc: func(e watch.Event) (bool, error) {
 				return true, nil
@@ -214,14 +214,14 @@ func TestUntilWithSync(t *testing.T) {
 		},
 		{
 			name: "waits indefinitely with precondition if it can't sync",
-			lw: &cache.ListWatch{
+			lw: toListWatcherWithUnSupportedWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					select {}
 				},
 				WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 					select {}
 				},
-			},
+			}),
 			preconditionFunc: func(store cache.Store) (bool, error) {
 				return true, nil
 			},
@@ -233,17 +233,17 @@ func TestUntilWithSync(t *testing.T) {
 		},
 		{
 			name: "precondition can stop the loop",
-			lw: func() *cache.ListWatch {
+			lw: func() cache.ListerWatcher {
 				fakeclient := fakeclient.NewSimpleClientset(&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "first"}})
 
-				return &cache.ListWatch{
+				return toListWatcherWithUnSupportedWatchListSemantics(&cache.ListWatch{
 					ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 						return fakeclient.CoreV1().Secrets("").List(context.TODO(), options)
 					},
 					WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 						return fakeclient.CoreV1().Secrets("").Watch(context.TODO(), options)
 					},
-				}
+				})
 			}(),
 			preconditionFunc: func(store cache.Store) (bool, error) {
 				_, exists, err := store.Get(&metav1.ObjectMeta{Namespace: "", Name: "first"})
@@ -263,17 +263,17 @@ func TestUntilWithSync(t *testing.T) {
 		},
 		{
 			name: "precondition lets it proceed to regular condition",
-			lw: func() *cache.ListWatch {
+			lw: func() cache.ListerWatcher {
 				fakeclient := fakeclient.NewSimpleClientset(&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "first"}})
 
-				return &cache.ListWatch{
+				return toListWatcherWithUnSupportedWatchListSemantics(&cache.ListWatch{
 					ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 						return fakeclient.CoreV1().Secrets("").List(context.TODO(), options)
 					},
 					WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
 						return fakeclient.CoreV1().Secrets("").Watch(context.TODO(), options)
 					},
-				}
+				})
 			}(),
 			preconditionFunc: func(store cache.Store) (bool, error) {
 				return false, nil
diff --git a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
index 1cd996c02c5ec..6f99dcd24b0c2 100644
--- a/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
+++ b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
@@ -178,14 +178,14 @@ func WaitForCertificate(ctx context.Context, client clientset.Interface, reqName
 	fieldSelector := fields.OneTermEqualSelector("metadata.name", reqName).String()
 	logger := klog.FromContext(ctx)
 
-	var lw *cache.ListWatch
+	var lw cache.ListerWatcher
 	var obj runtime.Object
 	for {
 		// see if the v1 API is available
 		if _, err := client.CertificatesV1().CertificateSigningRequests().List(ctx, metav1.ListOptions{FieldSelector: fieldSelector}); err == nil {
 			// watch v1 objects
 			obj = &certificatesv1.CertificateSigningRequest{}
-			lw = &cache.ListWatch{
+			lw = cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					options.FieldSelector = fieldSelector
 					return client.CertificatesV1().CertificateSigningRequests().List(ctx, options)
@@ -194,7 +194,7 @@ func WaitForCertificate(ctx context.Context, client clientset.Interface, reqName
 					options.FieldSelector = fieldSelector
 					return client.CertificatesV1().CertificateSigningRequests().Watch(ctx, options)
 				},
-			}
+			}, client)
 			break
 		} else {
 			logger.V(2).Info("Error fetching v1 certificate signing request", "err", err)
@@ -209,7 +209,7 @@ func WaitForCertificate(ctx context.Context, client clientset.Interface, reqName
 		if _, err := client.CertificatesV1beta1().CertificateSigningRequests().List(ctx, metav1.ListOptions{FieldSelector: fieldSelector}); err == nil {
 			// watch v1beta1 objects
 			obj = &certificatesv1beta1.CertificateSigningRequest{}
-			lw = &cache.ListWatch{
+			lw = cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 				ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 					options.FieldSelector = fieldSelector
 					return client.CertificatesV1beta1().CertificateSigningRequests().List(ctx, options)
@@ -218,7 +218,7 @@ func WaitForCertificate(ctx context.Context, client clientset.Interface, reqName
 					options.FieldSelector = fieldSelector
 					return client.CertificatesV1beta1().CertificateSigningRequests().Watch(ctx, options)
 				},
-			}
+			}, client)
 			break
 		} else {
 			logger.V(2).Info("Error fetching v1beta1 certificate signing request", "err", err)
diff --git a/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector.go b/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector.go
index 06f172d82bfe4..72c0124a0f131 100644
--- a/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector.go
+++ b/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector.go
@@ -45,16 +45,28 @@ func IsDataConsistencyDetectionForWatchListEnabled() bool {
 	return dataConsistencyDetectionForWatchListEnabled
 }
 
+// SetDataConsistencyDetectionForWatchListEnabledForTest allows to enable/disable data consistency detection for testing purposes.
+// It returns a function that restores the original value.
+func SetDataConsistencyDetectionForWatchListEnabledForTest(enabled bool) func() {
+	original := dataConsistencyDetectionForWatchListEnabled
+	dataConsistencyDetectionForWatchListEnabled = enabled
+	return func() {
+		dataConsistencyDetectionForWatchListEnabled = original
+	}
+}
+
 type RetrieveItemsFunc[U any] func() []U
 
 type ListFunc[T runtime.Object] func(ctx context.Context, options metav1.ListOptions) (T, error)
 
+type TransformFunc func(interface{}) (interface{}, error)
+
 // CheckDataConsistency exists solely for testing purposes.
 // we cannot use checkWatchListDataConsistencyIfRequested because
 // it is guarded by an environmental variable.
 // we cannot manipulate the environmental variable because
 // it will affect other tests in this package.
-func CheckDataConsistency[T runtime.Object, U any](ctx context.Context, identity string, lastSyncedResourceVersion string, listFn ListFunc[T], listOptions metav1.ListOptions, retrieveItemsFn RetrieveItemsFunc[U]) {
+func CheckDataConsistency[T runtime.Object, U any](ctx context.Context, identity string, lastSyncedResourceVersion string, listFn ListFunc[T], listItemTransformFunc TransformFunc, listOptions metav1.ListOptions, retrieveItemsFn RetrieveItemsFunc[U]) {
 	if !canFormAdditionalListCall(lastSyncedResourceVersion, listOptions) {
 		klog.V(4).Infof("data consistency check for %s is enabled but the parameters (RV, ListOptions) doesn't allow for creating a valid LIST request. Skipping the data consistency check.", identity)
 		return
@@ -84,6 +96,15 @@ func CheckDataConsistency[T runtime.Object, U any](ctx context.Context, identity
 	if err != nil {
 		panic(err) // this should never happen
 	}
+	if listItemTransformFunc != nil {
+		for i := range rawListItems {
+			obj, err := listItemTransformFunc(rawListItems[i])
+			if err != nil {
+				panic(err)
+			}
+			rawListItems[i] = obj.(runtime.Object)
+		}
+	}
 	listItems := toMetaObjectSliceOrDie(rawListItems)
 
 	sort.Sort(byUID(listItems))
diff --git a/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector_test.go b/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector_test.go
index bdac197a756a5..a5e8bffe73aee 100644
--- a/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector_test.go
+++ b/staging/src/k8s.io/client-go/util/consistencydetector/data_consistency_detector_test.go
@@ -215,10 +215,10 @@ func TestDataConsistencyChecker(t *testing.T) {
 
 			if scenario.expectPanic {
 				require.Panics(t, func() {
-					CheckDataConsistency(ctx, "", scenario.lastSyncedResourceVersion, fakeLister.List, scenario.requestOptions, retrievedItemsFunc)
+					CheckDataConsistency(ctx, "", scenario.lastSyncedResourceVersion, fakeLister.List, nil, scenario.requestOptions, retrievedItemsFunc)
 				})
 			} else {
-				CheckDataConsistency(ctx, "", scenario.lastSyncedResourceVersion, fakeLister.List, scenario.requestOptions, retrievedItemsFunc)
+				CheckDataConsistency(ctx, "", scenario.lastSyncedResourceVersion, fakeLister.List, nil, scenario.requestOptions, retrievedItemsFunc)
 			}
 
 			require.Equal(t, scenario.expectedListRequests, fakeLister.counter)
@@ -235,7 +235,7 @@ func TestDataConsistencyCheckerRetry(t *testing.T) {
 	stopListErrorAfter := 5
 	fakeErrLister := &errorLister{stopErrorAfter: stopListErrorAfter}
 
-	CheckDataConsistency(ctx, "", "", fakeErrLister.List, metav1.ListOptions{}, retrievedItemsFunc)
+	CheckDataConsistency(ctx, "", "", fakeErrLister.List, nil, metav1.ListOptions{}, retrievedItemsFunc)
 	require.Equal(t, fakeErrLister.listCounter, fakeErrLister.stopErrorAfter)
 }
 
diff --git a/staging/src/k8s.io/client-go/util/watchlist/watch_list.go b/staging/src/k8s.io/client-go/util/watchlist/watch_list.go
index 84106458a5fcf..1551a49f7937c 100644
--- a/staging/src/k8s.io/client-go/util/watchlist/watch_list.go
+++ b/staging/src/k8s.io/client-go/util/watchlist/watch_list.go
@@ -80,3 +80,20 @@ func PrepareWatchListOptionsFromListOptions(listOptions metav1.ListOptions) (met
 
 	return watchListOptions, true, nil
 }
+
+type unSupportedWatchListSemantics interface {
+	IsWatchListSemanticsUnSupported() bool
+}
+
+// DoesClientNotSupportWatchListSemantics reports whether the given client
+// does NOT support WatchList semantics.
+//
+// A client does NOT support WatchList only if
+// it implements `IsWatchListSemanticsUnSupported` and that returns true.
+func DoesClientNotSupportWatchListSemantics(client any) bool {
+	lw, ok := client.(unSupportedWatchListSemantics)
+	if !ok {
+		return false
+	}
+	return lw.IsWatchListSemanticsUnSupported()
+}
diff --git a/staging/src/k8s.io/client-go/util/watchlist/watch_list_test.go b/staging/src/k8s.io/client-go/util/watchlist/watch_list_test.go
index b3cc10e1a6859..1ec520be33d29 100644
--- a/staging/src/k8s.io/client-go/util/watchlist/watch_list_test.go
+++ b/staging/src/k8s.io/client-go/util/watchlist/watch_list_test.go
@@ -27,6 +27,52 @@ import (
 	"k8s.io/utils/ptr"
 )
 
+type supportsWLS struct{}
+
+func (supportsWLS) IsWatchListSemanticsUnSupported() bool { return false }
+
+type doesNotSupportWLS struct{}
+
+func (doesNotSupportWLS) IsWatchListSemanticsUnSupported() bool { return true }
+
+func TestDoesClientNotSupportWatchListSemantics(t *testing.T) {
+	scenarios := []struct {
+		name                                string
+		client                              any
+		expectUnSupportedWatchListSemantics bool
+	}{
+		{
+			name:                                "client implements the unSupportedWatchListSemantics interface and returns false",
+			client:                              supportsWLS{},
+			expectUnSupportedWatchListSemantics: false,
+		},
+		{
+			name:                                "client implements the unSupportedWatchListSemantics interface and returns true",
+			client:                              doesNotSupportWLS{},
+			expectUnSupportedWatchListSemantics: true,
+		},
+		{
+			name:                                "client does not implement the unSupportedWatchListSemantics interface",
+			client:                              struct{}{},
+			expectUnSupportedWatchListSemantics: false,
+		},
+		{
+			name:                                "nil client",
+			client:                              nil,
+			expectUnSupportedWatchListSemantics: false,
+		},
+	}
+
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			got := DoesClientNotSupportWatchListSemantics(scenario.client)
+			if got != scenario.expectUnSupportedWatchListSemantics {
+				t.Errorf("DoesClientNotSupportWatchListSemantics returned: %v, want: %v", got, scenario.expectUnSupportedWatchListSemantics)
+			}
+		})
+	}
+}
+
 // TestPrepareWatchListOptionsFromListOptions test the following cases:
 //
 // +--------------------------+-----------------+---------+-----------------+
diff --git a/staging/src/k8s.io/client-go/util/workqueue/queue.go b/staging/src/k8s.io/client-go/util/workqueue/queue.go
index 78b072dabe108..9bffddd634c1a 100644
--- a/staging/src/k8s.io/client-go/util/workqueue/queue.go
+++ b/staging/src/k8s.io/client-go/util/workqueue/queue.go
@@ -169,12 +169,13 @@ func newQueue[T comparable](c clock.WithTicker, queue Queue[T], metrics queueMet
 		cond:                       sync.NewCond(&sync.Mutex{}),
 		metrics:                    metrics,
 		unfinishedWorkUpdatePeriod: updatePeriod,
+		stopCh:                     make(chan struct{}),
 	}
 
 	// Don't start the goroutine for a type of noMetrics so we don't consume
 	// resources unnecessarily
 	if _, ok := metrics.(noMetrics[T]); !ok {
-		go t.updateUnfinishedWorkLoop()
+		t.wg.Go(t.updateUnfinishedWorkLoop)
 	}
 
 	return t
@@ -210,6 +211,14 @@ type Typed[t comparable] struct {
 
 	unfinishedWorkUpdatePeriod time.Duration
 	clock                      clock.WithTicker
+
+	// wg manages goroutines started by the queue to allow graceful shutdown
+	// ShutDown() will wait for goroutines to exit before returning.
+	wg sync.WaitGroup
+
+	stopCh chan struct{}
+	// stopOnce guarantees we only signal shutdown a single time
+	stopOnce sync.Once
 }
 
 // Add marks item as needing processing. When the queue is shutdown new
@@ -296,6 +305,11 @@ func (q *Typed[T]) Done(item T) {
 // goroutines will continue processing items in the queue until it is
 // empty and then receive the shutdown signal.
 func (q *Typed[T]) ShutDown() {
+	defer q.wg.Wait()
+	q.stopOnce.Do(func() {
+		defer close(q.stopCh)
+	})
+
 	q.cond.L.Lock()
 	defer q.cond.L.Unlock()
 
@@ -311,6 +325,10 @@ func (q *Typed[T]) ShutDown() {
 // Workers must call Done on an item after processing it, otherwise
 // ShutDownWithDrain will block indefinitely.
 func (q *Typed[T]) ShutDownWithDrain() {
+	defer q.wg.Wait()
+	q.stopOnce.Do(func() {
+		defer close(q.stopCh)
+	})
 	q.cond.L.Lock()
 	defer q.cond.L.Unlock()
 
@@ -330,20 +348,22 @@ func (q *Typed[T]) ShuttingDown() bool {
 	return q.shuttingDown
 }
 
+func (q *Typed[T]) updateUnfinishedWork() {
+	q.cond.L.Lock()
+	defer q.cond.L.Unlock()
+	if !q.shuttingDown {
+		q.metrics.updateUnfinishedWork()
+	}
+}
+
 func (q *Typed[T]) updateUnfinishedWorkLoop() {
 	t := q.clock.NewTicker(q.unfinishedWorkUpdatePeriod)
 	defer t.Stop()
-	for range t.C() {
-		if !func() bool {
-			q.cond.L.Lock()
-			defer q.cond.L.Unlock()
-			if !q.shuttingDown {
-				q.metrics.updateUnfinishedWork()
-				return true
-			}
-			return false
-
-		}() {
+	for {
+		select {
+		case <-t.C():
+			q.updateUnfinishedWork()
+		case <-q.stopCh:
 			return
 		}
 	}
diff --git a/staging/src/k8s.io/cloud-provider/app/core.go b/staging/src/k8s.io/cloud-provider/app/core.go
index b19c9f2d8694f..f1a324e3ff0fb 100644
--- a/staging/src/k8s.io/cloud-provider/app/core.go
+++ b/staging/src/k8s.io/cloud-provider/app/core.go
@@ -128,13 +128,16 @@ func startRouteController(ctx context.Context, initContext ControllerInitContext
 		return nil, false, fmt.Errorf("length of clusterCIDRs is:%v more than max allowed of 2", len(clusterCIDRs))
 	}
 
-	routeController := routecontroller.New(
+	routeController, err := routecontroller.New(
 		routes,
 		completedConfig.ClientBuilder.ClientOrDie(initContext.ClientName),
 		completedConfig.SharedInformers.Core().V1().Nodes(),
 		completedConfig.ComponentConfig.KubeCloudShared.ClusterName,
 		clusterCIDRs,
 	)
+	if err != nil {
+		return nil, false, err
+	}
 	go routeController.Run(ctx, completedConfig.ComponentConfig.KubeCloudShared.RouteReconciliationPeriod.Duration, controlexContext.ControllerManagerMetrics)
 
 	return nil, true, nil
diff --git a/staging/src/k8s.io/cloud-provider/app/testing/testserver.go b/staging/src/k8s.io/cloud-provider/app/testing/testserver.go
index 6a74e8b50dd08..3bc0a579b4b1f 100644
--- a/staging/src/k8s.io/cloud-provider/app/testing/testserver.go
+++ b/staging/src/k8s.io/cloud-provider/app/testing/testserver.go
@@ -20,8 +20,8 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"os"
 	"strings"
+	"testing"
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -71,14 +71,15 @@ type TestServer struct {
 // Note: we return a tear-down func instead of a stop channel because the later will leak temporary
 // files that because Golang testing's call to os.Exit will not give a stop channel go routine
 // enough time to remove temporary files.
-func StartTestServer(ctx context.Context, customFlags []string) (result TestServer, err error) {
-	return StartTestServerWithOptions(ctx, customFlags, app.DefaultInitFuncConstructors, names.CCMControllerAliases())
+func StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (result TestServer, err error) {
+	return StartTestServerWithOptions(t, ctx, customFlags, app.DefaultInitFuncConstructors, names.CCMControllerAliases())
 }
 
 // StartTestServerWithOptions starts a cloud-controller-manager with extra controller loop initializer constructors
 // and controller loop aliaes. Within the returned TestServer, a rest client config, a tear-down func,
 // and location of the tmpdir are returned; or an error if one occurred.
-func StartTestServerWithOptions(ctx context.Context,
+func StartTestServerWithOptions(t *testing.T,
+	ctx context.Context,
 	customFlags []string,
 	constructors map[string]app.ControllerInitFuncConstructor,
 	aliases map[string]string) (result TestServer, err error) {
@@ -98,9 +99,6 @@ func StartTestServerWithOptions(ctx context.Context,
 				klog.Errorf("Failed to shutdown test server clearly: %v", err)
 			}
 		}
-		if len(result.TmpDir) != 0 {
-			os.RemoveAll(result.TmpDir)
-		}
 	}
 	defer func() {
 		if result.TearDownFn == nil {
@@ -108,10 +106,7 @@ func StartTestServerWithOptions(ctx context.Context,
 		}
 	}()
 
-	result.TmpDir, err = os.MkdirTemp("", "cloud-controller-manager")
-	if err != nil {
-		return result, fmt.Errorf("failed to create temp dir: %v", err)
-	}
+	result.TmpDir = t.TempDir()
 
 	// Do not run leader election.
 	s, err := options.NewCloudControllerManagerOptions()
@@ -241,13 +236,12 @@ func StartTestServerWithOptions(ctx context.Context,
 }
 
 // StartTestServerOrDie calls StartTestServer panic if it does not succeed.
-func StartTestServerOrDie(ctx context.Context, flags []string) *TestServer {
-	result, err := StartTestServer(ctx, flags)
-	if err == nil {
-		return &result
+func StartTestServerOrDie(t *testing.T, ctx context.Context, flags []string) *TestServer {
+	result, err := StartTestServer(t, ctx, flags)
+	if err != nil {
+		t.Fatalf("failed to launch server: %v", err)
 	}
-
-	panic(fmt.Errorf("failed to launch server: %v", err))
+	return &result
 }
 
 func createListenerOnFreePort() (net.Listener, int, error) {
diff --git a/staging/src/k8s.io/cloud-provider/config/v1alpha1/doc.go b/staging/src/k8s.io/cloud-provider/config/v1alpha1/doc.go
index 4bce737d5edd3..487bed6d0ab27 100644
--- a/staging/src/k8s.io/cloud-provider/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/cloud-provider/config/v1alpha1/doc.go
@@ -27,6 +27,8 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/controller-manager/config/v1alpha1
 // +k8s:openapi-gen=true
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.cloud-provider.config.v1alpha1
+
 // +groupName=cloudcontrollermanager.config.k8s.io
 
 package v1alpha1
diff --git a/staging/src/k8s.io/cloud-provider/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/cloud-provider/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..25648c45eeda8
--- /dev/null
+++ b/staging/src/k8s.io/cloud-provider/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CloudControllerManagerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.config.v1alpha1.CloudControllerManagerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CloudProviderConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.config.v1alpha1.CloudProviderConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeCloudSharedConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.config.v1alpha1.KubeCloudSharedConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in WebhookConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.config.v1alpha1.WebhookConfiguration"
+}
diff --git a/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/doc.go b/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/doc.go
index 05c1119a21ba0..24df66baeba2c 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/doc.go
@@ -17,5 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:conversion-gen=k8s.io/cloud-provider/controllers/node/config
 // +k8s:conversion-gen=k8s.io/cloud-provider/controllers/node/config/v1alpha1
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.cloud-provider.controllers.node.config.v1alpha1
 
 package v1alpha1
diff --git a/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..335bbcfe921db
--- /dev/null
+++ b/staging/src/k8s.io/cloud-provider/controllers/node/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.controllers.node.config.v1alpha1.NodeControllerConfiguration"
+}
diff --git a/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller.go b/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller.go
index 836de29ffe238..2c8598b560c16 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller.go
@@ -163,10 +163,11 @@ func (c *CloudNodeLifecycleController) MonitorNodes(ctx context.Context) {
 			klog.V(2).Infof("deleting node since it is no longer present in cloud provider: %s", node.Name)
 
 			ref := &v1.ObjectReference{
-				Kind:      "Node",
-				Name:      node.Name,
-				UID:       types.UID(node.UID),
-				Namespace: "",
+				APIVersion: "v1",
+				Kind:       "Node",
+				Name:       node.Name,
+				UID:        node.UID,
+				Namespace:  "",
 			}
 
 			c.recorder.Eventf(ref, v1.EventTypeNormal, deleteNodeEvent,
diff --git a/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller_test.go b/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller_test.go
index 3356b6c2f685b..7442f13433e1d 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller_test.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/nodelifecycle/node_lifecycle_controller_test.go
@@ -909,8 +909,14 @@ func Test_NodesShutdown(t *testing.T) {
 				nodeMonitorPeriod: 1 * time.Second,
 			}
 
-			w := eventBroadcaster.StartStructuredLogging(0)
-			defer w.Stop()
+			e := eventBroadcaster.StartEventWatcher(func(e *v1.Event) {
+				loggerV := klog.FromContext(t.Context()).V(0)
+				loggerV.Info("Event occurred", "object", klog.KRef(e.InvolvedObject.Namespace, e.InvolvedObject.Name), "fieldPath", e.InvolvedObject.FieldPath, "kind", e.InvolvedObject.Kind, "apiVersion", e.InvolvedObject.APIVersion, "type", e.Type, "reason", e.Reason, "message", e.Message)
+				if e.InvolvedObject.APIVersion == "" {
+					t.Fatalf("event involvedObject.apiVersion is empty")
+				}
+			})
+			defer e.Stop()
 			cloudNodeLifecycleController.MonitorNodes(ctx)
 
 			updatedNode, err := clientset.CoreV1().Nodes().Get(ctx, testcase.existingNode.Name, metav1.GetOptions{})
diff --git a/staging/src/k8s.io/cloud-provider/controllers/route/route_controller.go b/staging/src/k8s.io/cloud-provider/controllers/route/route_controller.go
index 26e2c36d0a0e3..c7e6c57e7da59 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/route/route_controller.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/route/route_controller.go
@@ -24,6 +24,7 @@ import (
 	"sync"
 	"time"
 
+	"golang.org/x/time/rate"
 	"k8s.io/klog/v2"
 	netutils "k8s.io/utils/net"
 
@@ -33,6 +34,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -41,15 +43,22 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	clientretry "k8s.io/client-go/util/retry"
+	"k8s.io/client-go/util/workqueue"
 	cloudprovider "k8s.io/cloud-provider"
 	controllersmetrics "k8s.io/component-base/metrics/prometheus/controllers"
 	nodeutil "k8s.io/component-helpers/node/util"
+	"k8s.io/controller-manager/pkg/features"
 )
 
 const (
 	// Maximal number of concurrent route operation API calls.
 	// TODO: This should be per-provider.
 	maxConcurrentRouteOperations int = 200
+	// In the scenarios with a burst of node events, we don't want to be worse
+	// than a 10s interval.
+	// The 10s interval was defined in KEP 5237, it is equivalent to the default
+	// sync period of the route controller.
+	minRouteResyncInterval time.Duration = 10 * time.Second
 )
 
 var updateNetworkConditionBackoff = wait.Backoff{
@@ -63,13 +72,21 @@ type RouteController struct {
 	kubeClient       clientset.Interface
 	clusterName      string
 	clusterCIDRs     []*net.IPNet
+	nodeInformer     coreinformers.NodeInformer
 	nodeLister       corelisters.NodeLister
 	nodeListerSynced cache.InformerSynced
 	broadcaster      record.EventBroadcaster
 	recorder         record.EventRecorder
+	workqueue        workqueue.TypedRateLimitingInterface[string]
 }
 
-func New(routes cloudprovider.Routes, kubeClient clientset.Interface, nodeInformer coreinformers.NodeInformer, clusterName string, clusterCIDRs []*net.IPNet) *RouteController {
+func New(
+	routes cloudprovider.Routes,
+	kubeClient clientset.Interface,
+	nodeInformer coreinformers.NodeInformer,
+	clusterName string,
+	clusterCIDRs []*net.IPNet,
+) (*RouteController, error) {
 	if len(clusterCIDRs) == 0 {
 		klog.Fatal("RouteController: Must specify clusterCIDR.")
 	}
@@ -79,16 +96,75 @@ func New(routes cloudprovider.Routes, kubeClient clientset.Interface, nodeInform
 		kubeClient:       kubeClient,
 		clusterName:      clusterName,
 		clusterCIDRs:     clusterCIDRs,
+		nodeInformer:     nodeInformer,
 		nodeLister:       nodeInformer.Lister(),
 		nodeListerSynced: nodeInformer.Informer().HasSynced,
 	}
 
-	return rc
+	if utilfeature.DefaultFeatureGate.Enabled(features.CloudControllerManagerWatchBasedRoutesReconciliation) {
+		// We use [TypedWithMaxWaitRateLimiter] to cap the [TypedBucketRateLimiter] at 10 seconds.
+		// Without this cap, the bucket rate limiter would keep accumulating delay for each node event.
+		// With the cap, even under a constant stream of node events, reconciles happen at most every
+		// 10 seconds — either triggered immediately or queued for another run if one is already in progress.
+		bucketRateLimiter := &workqueue.TypedBucketRateLimiter[string]{Limiter: rate.NewLimiter(rate.Every(minRouteResyncInterval), 1)}
+		rc.workqueue = workqueue.NewTypedRateLimitingQueueWithConfig(
+			workqueue.NewTypedWithMaxWaitRateLimiter[string](bucketRateLimiter, minRouteResyncInterval),
+			workqueue.TypedRateLimitingQueueConfig[string]{Name: "Routes"},
+		)
+
+		_, err := rc.nodeInformer.Informer().AddEventHandler(
+			// It is only necessary to reconcile the routes for any events that have the potential to impact them:
+			// - Node is added
+			// - Node is removed
+			// - Node .Status.Addresses is changed
+			// - Node .Spec.PodCIDRs is changed
+			cache.ResourceEventHandlerFuncs{
+				AddFunc:    rc.enqueueClusterReconcile,
+				UpdateFunc: rc.handleNodeUpdate,
+				DeleteFunc: rc.enqueueClusterReconcile,
+			},
+		)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return rc, nil
+}
+
+// enqueueClusterReconcile enqueues a route reconciliation of the cluster.
+func (rc *RouteController) enqueueClusterReconcile(_ interface{}) {
+	rc.workqueue.AddRateLimited("routes")
+}
+
+func (rc *RouteController) handleNodeUpdate(oldObj, newObj interface{}) {
+
+	oldNode, oldOk := oldObj.(*v1.Node)
+	newNode, newOk := newObj.(*v1.Node)
+
+	if !oldOk || !newOk {
+		return
+	}
+
+	// The Node informer triggers a periodic update event.
+	// In these cases, the old and new Node objects are identical. We use this event as a signal to perform
+	// a route reconciliation — our regular cleanup process — as described in the KEP 5237.
+	resync := oldNode.GetResourceVersion() == newNode.GetResourceVersion()
+	diffInPodCIDR := !reflect.DeepEqual(oldNode.Spec.PodCIDRs, newNode.Spec.PodCIDRs)
+	diffInNodeAddresses := !reflect.DeepEqual(oldNode.Status.Addresses, newNode.Status.Addresses)
+
+	if diffInPodCIDR || diffInNodeAddresses || resync {
+		rc.enqueueClusterReconcile(newObj)
+	}
 }
 
 func (rc *RouteController) Run(ctx context.Context, syncPeriod time.Duration, controllerManagerMetrics *controllersmetrics.ControllerManagerMetrics) {
 	defer utilruntime.HandleCrash()
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.CloudControllerManagerWatchBasedRoutesReconciliation) && rc.workqueue != nil {
+		defer rc.workqueue.ShutDown()
+	}
+
 	rc.broadcaster = record.NewBroadcaster(record.WithContext(ctx))
 	rc.recorder = rc.broadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "route_controller"})
 
@@ -104,22 +180,70 @@ func (rc *RouteController) Run(ctx context.Context, syncPeriod time.Duration, co
 	controllerManagerMetrics.ControllerStarted("route")
 	defer controllerManagerMetrics.ControllerStopped("route")
 
-	if !cache.WaitForNamedCacheSync("route", ctx.Done(), rc.nodeListerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, rc.nodeListerSynced) {
 		return
 	}
 
-	// TODO: If we do just the full Resync every 5 minutes (default value)
-	// that means that we may wait up to 5 minutes before even starting
-	// creating a route for it. This is bad.
-	// We should have a watch on node and if we observe a new node (with CIDR?)
-	// trigger reconciliation for that node.
-	go wait.NonSlidingUntil(func() {
+	if utilfeature.DefaultFeatureGate.Enabled(features.CloudControllerManagerWatchBasedRoutesReconciliation) {
+		// Process any node events that may change the routes.
+		// It does not make sense to add concurrency here, as the routes
+		// controller always processes the whole cluster.
+		go wait.UntilWithContext(ctx, rc.runWorker, time.Second)
+	} else {
+		go wait.NonSlidingUntil(func() {
+			if err := rc.reconcileNodeRoutes(ctx); err != nil {
+				klog.Errorf("Couldn't reconcile node routes: %v", err)
+			}
+		}, syncPeriod, ctx.Done())
+	}
+
+	<-ctx.Done()
+}
+
+func (rc *RouteController) runWorker(ctx context.Context) {
+	for rc.processNextWorkItem(ctx) {
+	}
+}
+
+// processNextWorkItem will read a single work item off the workqueue and
+// attempt to process it, by calling reconcileNodeRoutes.
+func (rc *RouteController) processNextWorkItem(ctx context.Context) bool {
+	obj, shutdown := rc.workqueue.Get()
+	if shutdown {
+		return false
+	}
+
+	// Forget is a no-op with a BucketRateLimiter. This is still called in case the implementation detail changes,
+	// as the [workqueue.TypedRateLimitingInterface] insists on it being called.
+	//
+	// We call it before reconcileNodeRoutes, as otherwise we may have a race condition:
+	// 1. we start a reconcile with a fixed list of nodes
+	// 2. the event for a new node is enqueued, but it is not considered in the running reconcile
+	// 3. we finish the reconcile and "forget" the event from our queue
+	// => The new node is never reconciled
+	rc.workqueue.Forget(obj)
+
+	// We wrap this block in a func so we can defer rc.workqueue.Done.
+	err := func(key string) error {
+		defer rc.workqueue.Done(key)
+
+		// Run the route reconciliation
 		if err := rc.reconcileNodeRoutes(ctx); err != nil {
-			klog.Errorf("Couldn't reconcile node routes: %v", err)
+			// Put the item back on the workqueue to handle any transient errors.
+			rc.workqueue.AddRateLimited(key)
+			klog.Infof("Couldn't reconcile node routes: %v, requeuing", err)
+			return fmt.Errorf("couldn't reconcile node routes: %w, requeuing", err)
 		}
-	}, syncPeriod, ctx.Done())
 
-	<-ctx.Done()
+		return nil
+	}(obj)
+
+	if err != nil {
+		utilruntime.HandleError(err)
+		return true
+	}
+
+	return true
 }
 
 func (rc *RouteController) reconcileNodeRoutes(ctx context.Context) error {
@@ -307,10 +431,11 @@ func (rc *RouteController) reconcile(ctx context.Context, nodes []*v1.Node, rout
 						if rc.recorder != nil {
 							rc.recorder.Eventf(
 								&v1.ObjectReference{
-									Kind:      "Node",
-									Name:      string(nodeName),
-									UID:       types.UID(nodeName),
-									Namespace: "",
+									APIVersion: "v1",
+									Kind:       "Node",
+									Name:       string(nodeName),
+									UID:        node.UID,
+									Namespace:  "",
 								}, v1.EventTypeWarning, "FailedToCreateRoute", msg)
 							klog.V(4).Info(msg)
 							return err
diff --git a/staging/src/k8s.io/cloud-provider/controllers/route/route_controller_test.go b/staging/src/k8s.io/cloud-provider/controllers/route/route_controller_test.go
index 265fb048ce1b2..7f7257e219cea 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/route/route_controller_test.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/route/route_controller_test.go
@@ -22,12 +22,19 @@ import (
 	"testing"
 	"time"
 
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/controller-manager/pkg/features"
+	_ "k8s.io/controller-manager/pkg/features/register"
+
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/kubernetes/scheme"
 	core "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/record"
 	cloudprovider "k8s.io/cloud-provider"
 	fakecloud "k8s.io/cloud-provider/fake"
 	nodeutil "k8s.io/component-helpers/node/util"
@@ -71,7 +78,8 @@ func TestIsResponsibleForRoute(t *testing.T) {
 		}
 		client := fake.NewSimpleClientset()
 		informerFactory := informers.NewSharedInformerFactory(client, 0)
-		rc := New(nil, nil, informerFactory.Core().V1().Nodes(), myClusterName, []*net.IPNet{cidr})
+		rc, err := New(nil, nil, informerFactory.Core().V1().Nodes(), myClusterName, []*net.IPNet{cidr})
+		require.NoError(t, err)
 		rc.nodeListerSynced = alwaysReady
 		route := &cloudprovider.Route{
 			Name:            testCase.routeName,
@@ -93,6 +101,7 @@ func TestReconcile(t *testing.T) {
 
 	node3 := v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-3", UID: "03"}, Spec: v1.NodeSpec{PodCIDR: "10.120.0.0/24", PodCIDRs: []string{"10.120.0.0/24", "a00:100::/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.3.1"}}}}
 	node4 := v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-4", UID: "04"}, Spec: v1.NodeSpec{PodCIDR: "10.120.1.0/24", PodCIDRs: []string{"10.120.1.0/24", "a00:200::/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.4.1"}}}}
+	nodeDuplicateCIDR := v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-4", UID: "04"}, Spec: v1.NodeSpec{PodCIDR: "10.120.1.0/24", PodCIDRs: []string{"10.120.1.0/24", "10.120.1.0/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.4.1"}}}}
 
 	testCases := []struct {
 		description                string
@@ -102,6 +111,7 @@ func TestReconcile(t *testing.T) {
 		expectedNetworkUnavailable []bool
 		clientset                  *fake.Clientset
 		dualStack                  bool
+		expectError                bool
 	}{
 		{
 			description: "routes have no TargetNodeAddresses at the beginning",
@@ -414,6 +424,17 @@ func TestReconcile(t *testing.T) {
 			expectedNetworkUnavailable: []bool{true, true},
 			clientset:                  fake.NewSimpleClientset(&v1.NodeList{Items: []v1.Node{node1, node2}}),
 		},
+		{
+			description: "duplicate pod cidr",
+			nodes: []*v1.Node{
+				&nodeDuplicateCIDR,
+			},
+			initialRoutes:              []*cloudprovider.Route{},
+			expectedRoutes:             []*cloudprovider.Route{},
+			expectedNetworkUnavailable: []bool{true, false},
+			expectError:                true,
+			clientset:                  fake.NewClientset(&v1.NodeList{Items: []v1.Node{nodeDuplicateCIDR}}),
+		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.description, func(t *testing.T) {
@@ -438,7 +459,19 @@ func TestReconcile(t *testing.T) {
 			}
 
 			informerFactory := informers.NewSharedInformerFactory(testCase.clientset, 0)
-			rc := New(routes, testCase.clientset, informerFactory.Core().V1().Nodes(), cluster, cidrs)
+
+			rc, err := New(routes, testCase.clientset, informerFactory.Core().V1().Nodes(), cluster, cidrs)
+			require.NoError(t, err)
+
+			recorder := record.NewBroadcaster(record.WithContext(ctx))
+			rc.recorder = recorder.NewRecorder(scheme.Scheme, v1.EventSource{Component: "route_controller"})
+			e := recorder.StartEventWatcher(func(e *v1.Event) {
+				if e.InvolvedObject.APIVersion == "" {
+					t.Fatalf("event involvedObject.apiVersion is empty")
+				}
+			})
+			defer e.Stop()
+
 			rc.nodeListerSynced = alwaysReady
 			require.NoError(t, rc.reconcile(ctx, testCase.nodes, testCase.initialRoutes), "failed to reconcile")
 			for _, action := range testCase.clientset.Actions() {
@@ -464,7 +497,6 @@ func TestReconcile(t *testing.T) {
 				}
 			}
 			var finalRoutes []*cloudprovider.Route
-			var err error
 			timeoutChan := time.After(200 * time.Millisecond)
 			tick := time.NewTicker(10 * time.Millisecond)
 			defer tick.Stop()
@@ -476,8 +508,10 @@ func TestReconcile(t *testing.T) {
 						break poll
 					}
 				case <-timeoutChan:
-					t.Errorf("rc.reconcile() err is %v,\nfound routes:\n%v\nexpected routes:\n%v\n",
-						err, flatten(finalRoutes), flatten(testCase.expectedRoutes))
+					if !testCase.expectError {
+						t.Errorf("rc.reconcile() err is %v,\nfound routes:\n%v\nexpected routes:\n%v\n",
+							err, flatten(finalRoutes), flatten(testCase.expectedRoutes))
+					}
 					break poll
 				}
 			}
@@ -486,6 +520,92 @@ func TestReconcile(t *testing.T) {
 	}
 }
 
+func TestHandleNodeUpdate(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CloudControllerManagerWatchBasedRoutesReconciliation, true)
+
+	cluster := "my-k8s"
+	node := v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-1", UID: "01"}, Spec: v1.NodeSpec{PodCIDR: "10.120.0.0/24", PodCIDRs: []string{"10.120.0.0/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.1.1"}}}}
+
+	testCases := []struct {
+		description           string
+		clientset             *fake.Clientset
+		updatedNode           v1.Node
+		expectedWorkqueueItem string
+	}{
+		{
+			description:           "internal IP updated",
+			clientset:             fake.NewClientset(&v1.NodeList{Items: []v1.Node{node}}),
+			updatedNode:           v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-1", UID: "01"}, Spec: v1.NodeSpec{PodCIDR: "10.120.0.0/24", PodCIDRs: []string{"10.120.0.0/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.1.2"}}}},
+			expectedWorkqueueItem: "routes",
+		},
+		{
+			description:           "pod CIDR updated",
+			clientset:             fake.NewClientset(&v1.NodeList{Items: []v1.Node{node}}),
+			updatedNode:           v1.Node{ObjectMeta: metav1.ObjectMeta{Name: "node-1", UID: "01"}, Spec: v1.NodeSpec{PodCIDR: "10.121.0.0/24", PodCIDRs: []string{"10.121.0.0/24"}}, Status: v1.NodeStatus{Addresses: []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "10.0.1.1"}}}},
+			expectedWorkqueueItem: "routes",
+		},
+		{
+			description: "node object not updated",
+			clientset:   fake.NewClientset(&v1.NodeList{Items: []v1.Node{node}}),
+			updatedNode: node,
+		},
+		{
+			description: "unrelated node update",
+			clientset:   fake.NewClientset(&v1.NodeList{Items: []v1.Node{node}}),
+			updatedNode: v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "node-1",
+					UID:  "01",
+				},
+				Spec: v1.NodeSpec{
+					PodCIDR:  "10.120.0.0/24",
+					PodCIDRs: []string{"10.120.0.0/24"},
+				},
+				Status: v1.NodeStatus{
+					Addresses: []v1.NodeAddress{
+						{
+							Type:    v1.NodeInternalIP,
+							Address: "10.0.1.1",
+						},
+					},
+					Images: []v1.ContainerImage{
+						{
+							Names: []string{
+								"registry.k8s.io/pause:latest",
+							},
+							SizeBytes: 239840,
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.description, func(t *testing.T) {
+			cloud := &fakecloud.Cloud{RouteMap: make(map[string]*fakecloud.Route)}
+			routes, ok := cloud.Routes()
+			assert.True(t, ok, "fakecloud failed to run Routes()")
+
+			cidrs := make([]*net.IPNet, 0)
+			_, cidr, _ := netutils.ParseCIDRSloppy("10.120.0.0/16")
+			cidrs = append(cidrs, cidr)
+
+			informerFactory := informers.NewSharedInformerFactory(testCase.clientset, 0)
+			rc, err := New(routes, testCase.clientset, informerFactory.Core().V1().Nodes(), cluster, cidrs)
+			require.NoError(t, err)
+			require.NotNil(t, rc.workqueue)
+
+			rc.handleNodeUpdate(&node, &testCase.updatedNode)
+
+			if testCase.expectedWorkqueueItem != "" {
+				item, shutdown := rc.workqueue.Get()
+				require.False(t, shutdown, "workqueue is shutdown")
+				assert.Equal(t, testCase.expectedWorkqueueItem, item, "unexpected item from workqueue")
+			}
+		})
+	}
+}
+
 func routeListEqual(list1, list2 []*cloudprovider.Route) bool {
 	if len(list1) != len(list2) {
 		return false
diff --git a/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/doc.go b/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/doc.go
index 7b9a093517737..84ee720d84074 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/doc.go
@@ -17,5 +17,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:conversion-gen=k8s.io/cloud-provider/controllers/service/config
 // +k8s:conversion-gen=k8s.io/cloud-provider/controllers/service/config/v1alpha1
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.cloud-provider.controllers.service.config.v1alpha1
 
 package v1alpha1
diff --git a/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..2f2002f16fc95
--- /dev/null
+++ b/staging/src/k8s.io/cloud-provider/controllers/service/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.cloud-provider.controllers.service.config.v1alpha1.ServiceControllerConfiguration"
+}
diff --git a/staging/src/k8s.io/cloud-provider/controllers/service/controller.go b/staging/src/k8s.io/cloud-provider/controllers/service/controller.go
index 97764cb793c29..8a3daa848997f 100644
--- a/staging/src/k8s.io/cloud-provider/controllers/service/controller.go
+++ b/staging/src/k8s.io/cloud-provider/controllers/service/controller.go
@@ -237,7 +237,7 @@ func (c *Controller) Run(ctx context.Context, workers int, controllerManagerMetr
 	controllerManagerMetrics.ControllerStarted("service")
 	defer controllerManagerMetrics.ControllerStopped("service")
 
-	if !cache.WaitForNamedCacheSync("service", ctx.Done(), c.serviceListerSynced, c.nodeListerSynced) {
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, c.serviceListerSynced, c.nodeListerSynced) {
 		return
 	}
 
diff --git a/staging/src/k8s.io/cloud-provider/go.mod b/staging/src/k8s.io/cloud-provider/go.mod
index 81f55fc4aea25..3b2c0b5e06438 100644
--- a/staging/src/k8s.io/cloud-provider/go.mod
+++ b/staging/src/k8s.io/cloud-provider/go.mod
@@ -2,24 +2,25 @@
 
 module k8s.io/cloud-provider
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/google/go-cmp v0.7.0
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
-	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.34.1
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/time v0.9.0
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
 	k8s.io/component-helpers v0.0.0
 	k8s.io/controller-manager v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -38,7 +39,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -61,61 +62,62 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.34.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kms v0.35.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apiextensions-apiserver => ../apiextensions-apiserver
 	k8s.io/apimachinery => ../apimachinery
diff --git a/staging/src/k8s.io/cloud-provider/go.sum b/staging/src/k8s.io/cloud-provider/go.sum
index 5d48892329c93..c6c8a40178610 100644
--- a/staging/src/k8s.io/cloud-provider/go.sum
+++ b/staging/src/k8s.io/cloud-provider/go.sum
@@ -1,10 +1,13 @@
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -32,6 +35,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6N
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -59,8 +63,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -98,8 +102,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -118,6 +122,10 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -156,20 +164,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -178,27 +181,28 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -211,8 +215,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -223,18 +227,18 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -242,22 +246,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -268,90 +272,92 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/cluster-bootstrap/go.mod b/staging/src/k8s.io/cluster-bootstrap/go.mod
index 445b7c395837a..23558d9e6eb1c 100644
--- a/staging/src/k8s.io/cluster-bootstrap/go.mod
+++ b/staging/src/k8s.io/cluster-bootstrap/go.mod
@@ -2,12 +2,12 @@
 
 module k8s.io/cluster-bootstrap
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	gopkg.in/go-jose/go-jose.v2 v2.6.3
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
@@ -17,28 +17,28 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 )
diff --git a/staging/src/k8s.io/cluster-bootstrap/go.sum b/staging/src/k8s.io/cluster-bootstrap/go.sum
index fc2c864da9f44..18c10ad67df12 100644
--- a/staging/src/k8s.io/cluster-bootstrap/go.sum
+++ b/staging/src/k8s.io/cluster-bootstrap/go.sum
@@ -1,28 +1,28 @@
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -35,84 +35,61 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/code-generator/cmd/applyconfiguration-gen/generators/applyconfiguration.go b/staging/src/k8s.io/code-generator/cmd/applyconfiguration-gen/generators/applyconfiguration.go
index 4ed14b8b84e1b..47834b423354a 100644
--- a/staging/src/k8s.io/code-generator/cmd/applyconfiguration-gen/generators/applyconfiguration.go
+++ b/staging/src/k8s.io/code-generator/cmd/applyconfiguration-gen/generators/applyconfiguration.go
@@ -17,16 +17,21 @@ limitations under the License.
 package generators
 
 import (
+	"fmt"
 	"io"
 	"path"
 	"slices"
+	"sort"
 	"strings"
 
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/gengo/v2/generator"
 	"k8s.io/gengo/v2/namer"
 	"k8s.io/gengo/v2/types"
 	"k8s.io/klog/v2"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/code-generator/cmd/client-gen/generators/util"
 	clientgentypes "k8s.io/code-generator/cmd/client-gen/types"
 )
@@ -97,7 +102,9 @@ func (g *applyConfigurationGenerator) GenerateType(c *generator.Context, t *type
 		OpenAPIType: g.openAPIType,
 	}
 
-	g.generateStruct(sw, typeParams)
+	if err := g.generateStruct(sw, typeParams); err != nil {
+		return fmt.Errorf("failed to generate apply configuration struct for %s: %w", t.Name, err)
+	}
 
 	if typeParams.Tags.GenerateClient {
 		if typeParams.Tags.NonNamespaced {
@@ -106,7 +113,7 @@ func (g *applyConfigurationGenerator) GenerateType(c *generator.Context, t *type
 			sw.Do(clientgenTypeConstructorNamespaced, typeParams)
 		}
 		if typeParams.OpenAPIType != nil {
-			g.generateClientgenExtract(sw, typeParams, !typeParams.Tags.NoStatus)
+			g.generateClientgenExtract(sw, typeParams)
 		}
 	} else {
 		if hasTypeMetaField(t) {
@@ -241,9 +248,16 @@ func (g *applyConfigurationGenerator) generateWithFuncs(t *types.Type, typeParam
 	}
 }
 
-func (g *applyConfigurationGenerator) generateStruct(sw *generator.SnippetWriter, typeParams TypeParams) {
+func (g *applyConfigurationGenerator) generateStruct(sw *generator.SnippetWriter, typeParams TypeParams) error {
 	sw.Do("// $.ApplyConfig.ApplyConfiguration|public$ represents a declarative configuration of the $.ApplyConfig.Type|public$ type for use\n", typeParams)
 	sw.Do("// with apply.\n", typeParams)
+	structComments := commentsWithoutMarkers(append(typeParams.Struct.SecondClosestCommentLines, typeParams.Struct.CommentLines...))
+	if len(structComments) > 0 {
+		sw.Do("//\n", typeParams)
+		if err := sw.Append(strings.NewReader(structComments)); err != nil {
+			return fmt.Errorf("failed to write comments for struct %s: %w", typeParams.Struct.Name, err)
+		}
+	}
 	sw.Do("type $.ApplyConfig.ApplyConfiguration|public$ struct {\n", typeParams)
 	for _, structMember := range typeParams.Struct.Members {
 		if blocklisted(typeParams.Struct, structMember) {
@@ -259,6 +273,10 @@ func (g *applyConfigurationGenerator) generateStruct(sw *generator.SnippetWriter
 				MemberType: g.refGraph.applyConfigForType(structMember.Type),
 				JSONTags:   structMemberTags,
 			}
+
+			if err := sw.Append(strings.NewReader(commentsWithoutMarkers(structMember.CommentLines))); err != nil {
+				return fmt.Errorf("failed to write comments for member %s: %w", structMember.Name, err)
+			}
 			if structMember.Embedded {
 				if structMemberTags.inline {
 					sw.Do("$.MemberType|raw$ `json:\"$.JSONTags$\"`\n", params)
@@ -273,10 +291,14 @@ func (g *applyConfigurationGenerator) generateStruct(sw *generator.SnippetWriter
 		}
 	}
 	sw.Do("}\n", typeParams)
+
+	return nil
 }
 
 func (g *applyConfigurationGenerator) generateIsApplyConfiguration(t *types.Type, sw *generator.SnippetWriter) {
-	sw.Do("func (b $.|public$) IsApplyConfiguration() {}\n", t)
+	sw.Do(`
+func (b $.|public$) IsApplyConfiguration() {}
+`, t)
 }
 
 func deref(t *types.Type) *types.Type {
@@ -290,6 +312,21 @@ func isNillable(t *types.Type) bool {
 	return t.Kind == types.Slice || t.Kind == types.Map
 }
 
+// commentsWithoutMarkers removes comment lines that start with '+' as they are codegen markers
+// and ensures all comments have the proper // prefix
+func commentsWithoutMarkers(comments []string) string {
+	b := strings.Builder{}
+	for _, comment := range comments {
+		trimmed := strings.TrimSpace(comment)
+		if strings.HasPrefix(trimmed, "+") {
+			continue
+		}
+
+		b.WriteString("// " + trimmed + "\n")
+	}
+	return b.String()
+}
+
 func (g *applyConfigurationGenerator) generateMemberWith(sw *generator.SnippetWriter, memberParams memberParams) {
 	sw.Do("// With$.Member.Name$ sets the $.Member.Name$ field in the declarative configuration to the given value\n", memberParams)
 	sw.Do("// and returns the receiver, so that objects can be built by chaining \"With\" function invocations.\n", memberParams)
@@ -433,6 +470,8 @@ func $.ApplyConfig.Type|public$() *$.ApplyConfig.ApplyConfiguration|public$ {
 }
 `
 
+var titler = cases.Title(language.Und)
+
 var constructor = `
 // $.ApplyConfig.ApplyConfiguration|public$ constructs a declarative configuration of the $.ApplyConfig.Type|public$ type for use with
 // apply.
@@ -441,34 +480,18 @@ func $.ApplyConfig.Type|public$() *$.ApplyConfig.ApplyConfiguration|public$ {
 }
 `
 
-func (g *applyConfigurationGenerator) generateClientgenExtract(sw *generator.SnippetWriter, typeParams TypeParams, includeStatus bool) {
+func (g *applyConfigurationGenerator) generateClientgenExtract(sw *generator.SnippetWriter, typeParams TypeParams) {
+	subresources := g.collectSubresources(typeParams)
+
 	sw.Do(`
-// Extract$.ApplyConfig.Type|public$ extracts the applied configuration owned by fieldManager from
-// $.Struct|private$. If no managedFields are found in $.Struct|private$ for fieldManager, a
-// $.ApplyConfig.ApplyConfiguration|public$ is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// Extract$.ApplyConfig.Type|public$From extracts the applied configuration owned by fieldManager from
+// $.Struct|private$ for the specified subresource. Pass an empty string for subresource to extract 
+// the main resource. Common subresources include "status", "scale", etc.
 // $.Struct|private$ must be a unmodified $.Struct|public$ API object that was retrieved from the Kubernetes API.
-// Extract$.ApplyConfig.Type|public$ provides a way to perform a extract/modify-in-place/apply workflow.
+// Extract$.ApplyConfig.Type|public$From provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func Extract$.ApplyConfig.Type|public$($.Struct|private$ *$.Struct|raw$, fieldManager string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
-	return extract$.ApplyConfig.Type|public$($.Struct|private$, fieldManager, "")
-}`, typeParams)
-	if includeStatus {
-		sw.Do(`
-// Extract$.ApplyConfig.Type|public$Status is the same as Extract$.ApplyConfig.Type|public$ except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func Extract$.ApplyConfig.Type|public$Status($.Struct|private$ *$.Struct|raw$, fieldManager string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
-	return extract$.ApplyConfig.Type|public$($.Struct|private$, fieldManager, "status")
-}
-`, typeParams)
-	}
-	sw.Do(`
-func extract$.ApplyConfig.Type|public$($.Struct|private$ *$.Struct|raw$, fieldManager string, subresource string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
+func Extract$.ApplyConfig.Type|public$From($.Struct|private$ *$.Struct|raw$, fieldManager string, subresource string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
 	b := &$.ApplyConfig.ApplyConfiguration|public${}
 	err := $.ExtractInto|raw$($.Struct|private$, $.ParserFunc|raw$().Type("$.OpenAPIType$"), fieldManager, b, subresource)
 	if err != nil {
@@ -477,7 +500,7 @@ func extract$.ApplyConfig.Type|public$($.Struct|private$ *$.Struct|raw$, fieldMa
 	b.WithName($.Struct|private$.Name)
 `, typeParams)
 	if !typeParams.Tags.NonNamespaced {
-		sw.Do("b.WithNamespace($.Struct|private$.Namespace)\n", typeParams)
+		sw.Do("	b.WithNamespace($.Struct|private$.Namespace)\n", typeParams)
 	}
 	sw.Do(`
 	b.WithKind("$.ApplyConfig.Type|singularKind$")
@@ -485,4 +508,58 @@ func extract$.ApplyConfig.Type|public$($.Struct|private$ *$.Struct|raw$, fieldMa
 	return b, nil
 }
 `, typeParams)
+
+	sw.Do(`
+// Extract$.ApplyConfig.Type|public$ extracts the applied configuration owned by fieldManager from
+// $.Struct|private$. If no managedFields are found in $.Struct|private$ for fieldManager, a
+// $.ApplyConfig.ApplyConfiguration|public$ is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// $.Struct|private$ must be a unmodified $.Struct|public$ API object that was retrieved from the Kubernetes API.
+// Extract$.ApplyConfig.Type|public$ provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func Extract$.ApplyConfig.Type|public$($.Struct|private$ *$.Struct|raw$, fieldManager string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
+	return Extract$.ApplyConfig.Type|public$From($.Struct|private$, fieldManager, "")
+}
+`, typeParams)
+
+	for _, subresource := range subresources {
+		sw.Do(`
+// Extract$.ApplyConfig.Type|public$$.SubresourceName$ extracts the applied configuration owned by fieldManager from
+// $.Struct|private$ for the $.Subresource$ subresource.
+func Extract$.ApplyConfig.Type|public$$.SubresourceName$($.Struct|private$ *$.Struct|raw$, fieldManager string) (*$.ApplyConfig.ApplyConfiguration|public$, error) {
+	return Extract$.ApplyConfig.Type|public$From($.Struct|private$, fieldManager, "$.Subresource$")
+}
+`, map[string]interface{}{
+			"ApplyConfig":     typeParams.ApplyConfig,
+			"Struct":          typeParams.Struct,
+			"SubresourceName": titler.String(subresource),
+			"Subresource":     subresource,
+		})
+	}
+}
+
+func (g *applyConfigurationGenerator) collectSubresources(typeParams TypeParams) []string {
+	subresources := sets.New[string]()
+	if !typeParams.Tags.NoStatus {
+		// Do we even have a status?
+		for _, member := range typeParams.Struct.Members {
+			if member.Name == "Status" {
+				subresources.Insert("status")
+				break
+			}
+		}
+	}
+
+	for _, ext := range typeParams.Tags.Extensions {
+		if ext.SubResourcePath != "" {
+			subresources.Insert(ext.SubResourcePath)
+		}
+	}
+
+	sorted := subresources.UnsortedList()
+	sort.Strings(sorted)
+	return sorted
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/client-gen/generators/fake/generator_fake_for_clientset.go b/staging/src/k8s.io/code-generator/cmd/client-gen/generators/fake/generator_fake_for_clientset.go
index cac8d96d4c91f..c5df71d666eb8 100644
--- a/staging/src/k8s.io/code-generator/cmd/client-gen/generators/fake/generator_fake_for_clientset.go
+++ b/staging/src/k8s.io/code-generator/cmd/client-gen/generators/fake/generator_fake_for_clientset.go
@@ -163,7 +163,7 @@ var common = `
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -179,8 +179,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
         var opts metav1.ListOptions
-        if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-            opts = watchActcion.ListOptions
+        if watchAction, ok := action.(testing.WatchActionImpl); ok {
+            opts = watchAction.ListOptions
         }
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -210,6 +210,17 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
+
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
 `
 
 var checkImpl = `
diff --git a/staging/src/k8s.io/code-generator/cmd/conversion-gen/generators/conversion.go b/staging/src/k8s.io/code-generator/cmd/conversion-gen/generators/conversion.go
index 9d21df8a4d1bb..8ce11392d6cca 100644
--- a/staging/src/k8s.io/code-generator/cmd/conversion-gen/generators/conversion.go
+++ b/staging/src/k8s.io/code-generator/cmd/conversion-gen/generators/conversion.go
@@ -685,6 +685,16 @@ func (g *genConversion) preexists(inType, outType *types.Type) (*types.Type, boo
 	return function, ok
 }
 
+func (g *genConversion) preexistsPointers(inType, outType *types.Type) (*types.Type, bool) {
+	if inType.Kind != types.Pointer {
+		return nil, false
+	}
+	if outType.Kind != types.Pointer {
+		return nil, false
+	}
+	return g.preexists(inType.Elem, outType.Elem)
+}
+
 func (g *genConversion) Init(c *generator.Context, w io.Writer) error {
 	klogV := klog.V(6)
 	if klogV.Enabled() {
@@ -864,9 +874,16 @@ func (g *genConversion) doMap(inType, outType *types.Type, sw *generator.Snippet
 			}
 		} else {
 			conversionExists := true
+			conditionalConversionExists := false
 			if function, ok := g.preexists(inType.Elem, outType.Elem); ok {
 				sw.Do("newVal := new($.|raw$)\n", outType.Elem)
 				sw.Do("if err := $.|raw$(&val, newVal, s); err != nil {\n", function)
+			} else if function, ok := g.preexistsPointers(inType.Elem, outType.Elem); ok {
+				sw.Do("newVal := new($.|raw$)\n", outType.Elem)
+				sw.Do("if val != nil {\n", nil)
+				sw.Do("*newVal = new($.|raw$)\n", outType.Elem.Elem)
+				sw.Do("if err := $.|raw$(val, *newVal, s); err != nil {\n", function)
+				conditionalConversionExists = true
 			} else if g.convertibleOnlyWithinPackage(inType.Elem, outType.Elem) {
 				sw.Do("newVal := new($.|raw$)\n", outType.Elem)
 				sw.Do("if err := "+nameTmpl+"(&val, newVal, s); err != nil {\n", argsFromType(inType.Elem, outType.Elem))
@@ -879,6 +896,9 @@ func (g *genConversion) doMap(inType, outType *types.Type, sw *generator.Snippet
 			if conversionExists {
 				sw.Do("return err\n", nil)
 				sw.Do("}\n", nil)
+				if conditionalConversionExists {
+					sw.Do("}\n", nil)
+				}
 				if inType.Key == outType.Key {
 					sw.Do("(*out)[key] = *newVal\n", nil)
 				} else {
@@ -908,8 +928,14 @@ func (g *genConversion) doSlice(inType, outType *types.Type, sw *generator.Snipp
 			}
 		} else {
 			conversionExists := true
+			conditionalConversionExists := false
 			if function, ok := g.preexists(inType.Elem, outType.Elem); ok {
 				sw.Do("if err := $.|raw$(&(*in)[i], &(*out)[i], s); err != nil {\n", function)
+			} else if function, ok := g.preexistsPointers(inType.Elem, outType.Elem); ok {
+				sw.Do("if (*in)[i] != nil {\n", nil)
+				sw.Do("(*out)[i] = new($.|raw$)\n", outType.Elem.Elem)
+				sw.Do("if err := $.|raw$((*in)[i], (*out)[i], s); err != nil {\n", function)
+				conditionalConversionExists = true
 			} else if g.convertibleOnlyWithinPackage(inType.Elem, outType.Elem) {
 				sw.Do("if err := "+nameTmpl+"(&(*in)[i], &(*out)[i], s); err != nil {\n", argsFromType(inType.Elem, outType.Elem))
 			} else {
@@ -921,6 +947,9 @@ func (g *genConversion) doSlice(inType, outType *types.Type, sw *generator.Snipp
 			if conversionExists {
 				sw.Do("return err\n", nil)
 				sw.Do("}\n", nil)
+				if conditionalConversionExists {
+					sw.Do("}\n", nil)
+				}
 			}
 		}
 		sw.Do("}\n", nil)
@@ -946,6 +975,17 @@ func (g *genConversion) doStruct(inType, outType *types.Type, sw *generator.Snip
 			continue
 		}
 
+		if namer.IsPrivateGoName(inMember.Name) && g.outputPackage != inType.Name.Package {
+			sw.Do("// WARNING: in."+inMember.Name+" is not exported and cannot be read\n", nil)
+			g.skippedFields[inType] = append(g.skippedFields[inType], inMember.Name)
+			continue
+		}
+		if namer.IsPrivateGoName(outMember.Name) && g.outputPackage != outType.Name.Package {
+			sw.Do("// WARNING: out."+inMember.Name+" is not exported and cannot be set\n", nil)
+			g.skippedFields[inType] = append(g.skippedFields[inType], inMember.Name)
+			continue
+		}
+
 		inMemberType, outMemberType := inMember.Type, outMember.Type
 		// create a copy of both underlying types but give them the top level alias name (since aliases
 		// are assignable)
diff --git a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/cmd.go b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/cmd.go
index ca21c76c3442f..773482d6e3bb9 100644
--- a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/cmd.go
+++ b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/cmd.go
@@ -46,6 +46,7 @@ type Generator struct {
 	Clean                bool
 	OnlyIDL              bool
 	KeepGogoproto        bool
+	DropGogoGo           bool
 	SkipGeneratedRewrite bool
 	DropEmbeddedFields   string
 }
@@ -65,6 +66,7 @@ func New() *Generator {
 		}, ","),
 		Packages:           "",
 		DropEmbeddedFields: "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta",
+		DropGogoGo:         true,
 	}
 }
 
@@ -79,6 +81,7 @@ func (g *Generator) BindFlags(flag *flag.FlagSet) {
 	flag.BoolVar(&g.OnlyIDL, "only-idl", g.OnlyIDL, "If true, only generate the IDL for each package.")
 	flag.BoolVar(&g.KeepGogoproto, "keep-gogoproto", g.KeepGogoproto, "If true, the generated IDL will contain gogoprotobuf extensions which are normally removed")
 	flag.BoolVar(&g.SkipGeneratedRewrite, "skip-generated-rewrite", g.SkipGeneratedRewrite, "If true, skip fixing up the generated.pb.go file (debugging only).")
+	flag.BoolVar(&g.DropGogoGo, "drop-gogo-go", g.DropGogoGo, "Drop all references to gogo packages in generated code")
 	flag.StringVar(&g.DropEmbeddedFields, "drop-embedded-fields", g.DropEmbeddedFields, "Comma-delimited list of embedded Go types to omit from generated protobufs")
 }
 
@@ -99,6 +102,10 @@ func Run(g *Generator) {
 		log.Fatalf("Both apimachinery-packages and packages are empty. At least one package must be specified.")
 	}
 
+	if g.DropGogoGo && g.SkipGeneratedRewrite {
+		log.Fatalf("--drop-gogo-go=true and --skip-generated-rewrite=true are mutually exclusive")
+	}
+
 	// Build up a list of packages to load from all the inputs.  Track the
 	// special modifiers for each.  NOTE: This does not support pkg/... syntax.
 	type modifier struct {
@@ -272,6 +279,7 @@ func Run(g *Generator) {
 
 		path := filepath.Join(g.OutputDir, p.ImportPath())
 		outputPath := filepath.Join(g.OutputDir, p.OutputPath())
+		protomessageOutputPath := filepath.Join(g.OutputDir, p.ProtomessageOutputPath())
 
 		// generate the gogoprotobuf protoc
 		cmd := exec.Command("protoc", append(args, path)...)
@@ -288,12 +296,17 @@ func Run(g *Generator) {
 
 		// alter the generated protobuf file to remove the generated types (but leave the serializers) and rewrite the
 		// package statement to match the desired package name
-		if err := RewriteGeneratedGogoProtobufFile(outputPath, p.ExtractGeneratedType, p.OptionalTypeName, buf.Bytes()); err != nil {
+		if err := RewriteGeneratedGogoProtobufFile(outputPath, protomessageOutputPath, p.ExtractGeneratedType, p.OptionalTypeName, buf.Bytes(), g.DropGogoGo); err != nil {
 			log.Fatalf("Unable to rewrite generated %s: %v", outputPath, err)
 		}
 
+		outputPaths := []string{outputPath}
+		if g.DropGogoGo {
+			outputPaths = append(outputPaths, protomessageOutputPath)
+		}
+
 		// sort imports
-		cmd = exec.Command("goimports", "-w", outputPath)
+		cmd = exec.Command("goimports", append([]string{"-w"}, outputPaths...)...)
 		out, err = cmd.CombinedOutput()
 		if len(out) > 0 {
 			log.Print(string(out))
@@ -304,7 +317,7 @@ func Run(g *Generator) {
 		}
 
 		// format and simplify the generated file
-		cmd = exec.Command("gofmt", "-s", "-w", outputPath)
+		cmd = exec.Command("gofmt", append([]string{"-s", "-w"}, outputPaths...)...)
 		out, err = cmd.CombinedOutput()
 		if len(out) > 0 {
 			log.Print(string(out))
diff --git a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/package.go b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/package.go
index b31a7c4dd792c..c35b73242af9f 100644
--- a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/package.go
+++ b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/package.go
@@ -80,7 +80,7 @@ type protobufPackage struct {
 }
 
 func (p *protobufPackage) Clean() error {
-	for _, s := range []string{p.ImportPath(), p.OutputPath()} {
+	for _, s := range []string{p.ImportPath(), p.OutputPath(), p.ProtomessageOutputPath()} {
 		if err := os.Remove(filepath.Join(p.Dir(), filepath.Base(s))); err != nil && !os.IsNotExist(err) {
 			return err
 		}
@@ -200,6 +200,10 @@ func (p *protobufPackage) OutputPath() string {
 	return filepath.Join(p.Path(), "generated.pb.go")
 }
 
+func (p *protobufPackage) ProtomessageOutputPath() string {
+	return filepath.Join(p.Path(), "generated.protomessage.pb.go")
+}
+
 var (
 	_ = generator.Target(&protobufPackage{})
 )
diff --git a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/parser.go b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/parser.go
index 32f9e0da2740d..ba0d112f6ea57 100644
--- a/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/parser.go
+++ b/staging/src/k8s.io/code-generator/cmd/go-to-protobuf/protobuf/parser.go
@@ -27,6 +27,7 @@ import (
 	"go/token"
 	"os"
 	"reflect"
+	"regexp"
 	"strings"
 
 	customreflect "k8s.io/code-generator/third_party/forked/golang/reflect"
@@ -77,14 +78,68 @@ type ExtractFunc func(*ast.TypeSpec) bool
 // and should have its marshal functions adjusted to remove the 'Items' accessor.
 type OptionalFunc func(name string) bool
 
-func RewriteGeneratedGogoProtobufFile(name string, extractFn ExtractFunc, optionalFn OptionalFunc, header []byte) error {
-	return rewriteFile(name, header, func(fset *token.FileSet, file *ast.File) error {
+func RewriteGeneratedGogoProtobufFile(file, protomessageFile string, extractFn ExtractFunc, optionalFn OptionalFunc, header []byte, dropGogo bool) error {
+
+	// Optionally extract ProtoMessage() marker methods to a separate build-tagged file
+	if dropGogo {
+		data, err := os.ReadFile(file)
+		if err != nil {
+			return err
+		}
+
+		packageRE := regexp.MustCompile(`^package .*`)
+		wrotePackage := false
+
+		protomessageFuncRE := regexp.MustCompile(`^func \(.*\) ProtoMessage\(\) \{\}$`)
+
+		b := bytes.NewBuffer(nil)
+		// add build tag
+		b.WriteString("//go:build kubernetes_protomessage_one_more_release\n")
+		b.WriteString("// +build kubernetes_protomessage_one_more_release\n\n")
+		// add boilerplate
+		b.Write(header)
+		b.WriteString("\n// Code generated by go-to-protobuf. DO NOT EDIT.\n\n")
+		for _, line := range bytes.Split(data, []byte("\n")) {
+			// copy package
+			if packageRE.Match(line) && !wrotePackage {
+				b.Write(line)
+				b.WriteString("\n\n")
+				wrotePackage = true
+			}
+			// copy empty ProtoMessage impls
+			if protomessageFuncRE.Match(line) {
+				b.Write(line)
+				b.WriteString("\n\n")
+			}
+		}
+		if err := os.WriteFile(protomessageFile, b.Bytes(), os.FileMode(0644)); err != nil {
+			return err
+		}
+	}
+
+	return rewriteFile(file, header, func(fset *token.FileSet, file *ast.File) error {
 		cmap := ast.NewCommentMap(fset, file, file.Comments)
 
 		// transform methods that point to optional maps or slices
 		for _, d := range file.Decls {
 			rewriteOptionalMethods(d, optionalFn)
 		}
+		if dropGogo {
+			// transform references to gogo sort util
+			var oldSortImport string
+			var usedSort bool
+			for _, d := range file.Decls {
+				oldSortImport, usedSort = rewriteGogoSortImport(d)
+				if usedSort {
+					break
+				}
+			}
+			if usedSort {
+				for _, d := range file.Decls {
+					rewriteGogoSort(d, oldSortImport, "sort")
+				}
+			}
+		}
 
 		// remove types that are already declared
 		decls := []ast.Decl{}
@@ -95,6 +150,10 @@ func RewriteGeneratedGogoProtobufFile(name string, extractFn ExtractFunc, option
 			if dropEmptyImportDeclarations(d) {
 				continue
 			}
+			// remove all but required functions
+			if dropGogo && dropUnusedGo(d) {
+				continue
+			}
 			decls = append(decls, d)
 		}
 		file.Decls = decls
@@ -105,6 +164,132 @@ func RewriteGeneratedGogoProtobufFile(name string, extractFn ExtractFunc, option
 	})
 }
 
+// rewriteGogoSortImport rewrites an import of "github.com/gogo/protobuf/sortkeys" to "sort",
+// and returns the original package alias and true if the rewrite occurred.
+// Returns "", false if the decl is not an import decl, or does not contain an import of "github.com/gogo/protobuf/sortkeys",
+func rewriteGogoSortImport(decl ast.Decl) (string, bool) {
+	t, ok := decl.(*ast.GenDecl)
+	if !ok {
+		return "", false
+	}
+	if t.Tok != token.IMPORT {
+		return "", false
+	}
+	for _, s := range t.Specs {
+		if spec, ok := s.(*ast.ImportSpec); ok {
+			if spec.Path != nil && spec.Path.Value == `"github.com/gogo/protobuf/sortkeys"` {
+				// switch gogo sort to stdlib sort
+				spec.Path.Value = `"sort"`
+				oldName := "sortkeys"
+				if spec.Name != nil {
+					oldName = spec.Name.Name
+				}
+				spec.Name = nil
+				return oldName, true
+			}
+		}
+	}
+	return "", false
+}
+
+// rewriteGogoSort walks the AST, replacing use of the oldSortImport package with newSortImport
+func rewriteGogoSort(decl ast.Decl, oldSortImport, newSortImport string) {
+	t, ok := decl.(*ast.FuncDecl)
+	if !ok {
+		return
+	}
+	ast.Walk(replacePackageVisitor{oldPackage: oldSortImport, newPackage: newSortImport}, t.Body)
+}
+
+// keepFuncs is an allowlist of top-level func decls we should keep
+var keepFuncs = map[string]bool{
+	// generated helpers
+	"sovGenerated":           true,
+	"sozGenerated":           true,
+	"skipGenerated":          true,
+	"encodeVarintGenerated":  true,
+	"valueToStringGenerated": true,
+
+	// unmarshal
+	"Reset":     true,
+	"Unmarshal": true,
+
+	// marshal
+	"Size":                 true,
+	"Marshal":              true,
+	"MarshalTo":            true,
+	"MarshalToSizedBuffer": true,
+
+	// other widely used methods
+	"String": true,
+}
+
+// keepVars is an allowlist of top-level var decls we should keep
+var keepVars = map[string]bool{
+	"ErrInvalidLengthGenerated":        true,
+	"ErrIntOverflowGenerated":          true,
+	"ErrUnexpectedEndOfGroupGenerated": true,
+}
+
+// dropUnusedGo returns true if the top-level decl should be dropped.
+// Has the following behavior for different decl types:
+// * import: decl is rewritten to drop gogo package imports. Returns true if all imports in the decl were gogo imports, false if non-gogo imports remain.
+// * var: decl is rewritten to drop vars not in the keepVars allowlist. Returns true if all vars in the decl were removed, false if allowlisted vars remain.
+// * const: returns true
+// * type: returns true
+// * func: returns true if the func is not in the keepFuncs allowlist and should be dropped.
+// * other: returns false
+func dropUnusedGo(decl ast.Decl) bool {
+	switch t := decl.(type) {
+	case *ast.GenDecl:
+		switch t.Tok {
+		case token.IMPORT:
+			specs := []ast.Spec{}
+			for _, s := range t.Specs {
+				if spec, ok := s.(*ast.ImportSpec); ok {
+					if spec.Path == nil || !strings.HasPrefix(spec.Path.Value, `"github.com/gogo/protobuf/`) {
+						specs = append(specs, spec)
+					}
+				}
+			}
+			if len(specs) == 0 {
+				return true
+			}
+			t.Specs = specs
+			return false
+		case token.CONST:
+			// drop all const declarations
+			return true
+		case token.VAR:
+			specs := []ast.Spec{}
+			for _, s := range t.Specs {
+				if spec, ok := s.(*ast.ValueSpec); ok {
+					if keepVars[spec.Names[0].Name] {
+						specs = append(specs, spec)
+					}
+				}
+			}
+			if len(specs) == 0 {
+				return true
+			}
+			t.Specs = specs
+			return false
+		case token.TYPE:
+			// drop all type declarations
+			return true
+		}
+	case *ast.FuncDecl:
+		name := ""
+		if t.Name != nil {
+			name = t.Name.Name
+		}
+		return !keepFuncs[name]
+	default:
+		return false
+	}
+	return false
+}
+
 // rewriteOptionalMethods makes specific mutations to marshaller methods that belong to types identified
 // as being "optional" (they may be nil on the wire). This allows protobuf to serialize a map or slice and
 // properly discriminate between empty and nil (which is not possible in protobuf).
@@ -451,3 +636,19 @@ func updateStructTags(decl ast.Decl, structTags map[string]map[string]string, to
 	}
 	return errs
 }
+
+type replacePackageVisitor struct {
+	oldPackage string
+	newPackage string
+}
+
+// Visit walks the provided node, transforming references to the old package to the new package.
+func (v replacePackageVisitor) Visit(n ast.Node) ast.Visitor {
+	if e, ok := n.(*ast.SelectorExpr); ok {
+		if i, ok := e.X.(*ast.Ident); ok && i.Name == v.oldPackage {
+			i.Name = v.newPackage
+		}
+		return nil
+	}
+	return v
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/factory.go b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/factory.go
index b27cfeb0a3ced..a005f5e5e8870 100644
--- a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/factory.go
+++ b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/factory.go
@@ -165,6 +165,7 @@ func NewSharedInformerFactory(client {{.clientSetInterface|raw}}, defaultResync
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client {{.clientSetInterface|raw}}, defaultResync {{.timeDuration|raw}}, namespace string, tweakListOptions {{.interfacesTweakListOptionsFunc|raw}}) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -275,7 +276,7 @@ var sharedInformerFactoryInterface = `
 //
 // It is typically used like this:
 //
-//   ctx, cancel := context.Background()
+//   ctx, cancel := context.WithCancel(context.Background())
 //   defer cancel()
 //   factory := NewSharedInformerFactory(client, resyncPeriod)
 //   defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/informer.go b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/informer.go
index da693b85d5ef7..7d74c13a6b87c 100644
--- a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/informer.go
+++ b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/informer.go
@@ -78,31 +78,32 @@ func (g *informerGenerator) GenerateType(c *generator.Context, t *types.Type, w
 	}
 
 	m := map[string]interface{}{
-		"apiScheme":                       c.Universe.Type(apiScheme),
-		"cacheIndexers":                   c.Universe.Type(cacheIndexers),
-		"cacheListWatch":                  c.Universe.Type(cacheListWatch),
-		"cacheMetaNamespaceIndexFunc":     c.Universe.Function(cacheMetaNamespaceIndexFunc),
-		"cacheNamespaceIndex":             c.Universe.Variable(cacheNamespaceIndex),
-		"cacheNewSharedIndexInformer":     c.Universe.Function(cacheNewSharedIndexInformer),
-		"cacheSharedIndexInformer":        c.Universe.Type(cacheSharedIndexInformer),
-		"clientSetInterface":              clientSetInterface,
-		"contextContext":                  c.Universe.Type(contextContext),
-		"contextBackground":               c.Universe.Function(contextBackgroundFunc),
-		"group":                           namer.IC(g.groupGoName),
-		"informerFor":                     informerFor,
-		"interfacesTweakListOptionsFunc":  c.Universe.Type(types.Name{Package: g.internalInterfacesPackage, Name: "TweakListOptionsFunc"}),
-		"interfacesSharedInformerFactory": c.Universe.Type(types.Name{Package: g.internalInterfacesPackage, Name: "SharedInformerFactory"}),
-		"listOptions":                     c.Universe.Type(listOptions),
-		"lister":                          c.Universe.Type(types.Name{Package: listerPackage, Name: t.Name.Name + "Lister"}),
-		"namespaceAll":                    c.Universe.Type(metav1NamespaceAll),
-		"namespaced":                      !tags.NonNamespaced,
-		"newLister":                       c.Universe.Function(types.Name{Package: listerPackage, Name: "New" + t.Name.Name + "Lister"}),
-		"runtimeObject":                   c.Universe.Type(runtimeObject),
-		"timeDuration":                    c.Universe.Type(timeDuration),
-		"type":                            t,
-		"v1ListOptions":                   c.Universe.Type(v1ListOptions),
-		"version":                         namer.IC(g.groupVersion.Version.String()),
-		"watchInterface":                  c.Universe.Type(watchInterface),
+		"apiScheme":                                c.Universe.Type(apiScheme),
+		"cacheIndexers":                            c.Universe.Type(cacheIndexers),
+		"cacheListWatch":                           c.Universe.Type(cacheListWatch),
+		"cacheMetaNamespaceIndexFunc":              c.Universe.Function(cacheMetaNamespaceIndexFunc),
+		"cacheNamespaceIndex":                      c.Universe.Variable(cacheNamespaceIndex),
+		"cacheNewSharedIndexInformer":              c.Universe.Function(cacheNewSharedIndexInformer),
+		"cacheSharedIndexInformer":                 c.Universe.Type(cacheSharedIndexInformer),
+		"cacheToListWatcherWithWatchListSemantics": c.Universe.Function(cacheToListWatcherWithWatchListSemanticsFunc),
+		"clientSetInterface":                       clientSetInterface,
+		"contextContext":                           c.Universe.Type(contextContext),
+		"contextBackground":                        c.Universe.Function(contextBackgroundFunc),
+		"group":                                    namer.IC(g.groupGoName),
+		"informerFor":                              informerFor,
+		"interfacesTweakListOptionsFunc":           c.Universe.Type(types.Name{Package: g.internalInterfacesPackage, Name: "TweakListOptionsFunc"}),
+		"interfacesSharedInformerFactory":          c.Universe.Type(types.Name{Package: g.internalInterfacesPackage, Name: "SharedInformerFactory"}),
+		"listOptions":                              c.Universe.Type(listOptions),
+		"lister":                                   c.Universe.Type(types.Name{Package: listerPackage, Name: t.Name.Name + "Lister"}),
+		"namespaceAll":                             c.Universe.Type(metav1NamespaceAll),
+		"namespaced":                               !tags.NonNamespaced,
+		"newLister":                                c.Universe.Function(types.Name{Package: listerPackage, Name: "New" + t.Name.Name + "Lister"}),
+		"runtimeObject":                            c.Universe.Type(runtimeObject),
+		"timeDuration":                             c.Universe.Type(timeDuration),
+		"type":                                     t,
+		"v1ListOptions":                            c.Universe.Type(v1ListOptions),
+		"version":                                  namer.IC(g.groupVersion.Version.String()),
+		"watchInterface":                           c.Universe.Type(watchInterface),
 	}
 
 	sw.Do(typeInformerInterface, m)
@@ -148,7 +149,7 @@ var typeFilteredInformerPublicConstructor = `
 // one. This reduces memory footprint and number of connections to the server.
 func NewFiltered$.type|public$Informer(client $.clientSetInterface|raw$$if .namespaced$, namespace string$end$, resyncPeriod $.timeDuration|raw$, indexers $.cacheIndexers|raw$, tweakListOptions $.interfacesTweakListOptionsFunc|raw$) $.cacheSharedIndexInformer|raw$ {
 	return $.cacheNewSharedIndexInformer|raw$(
-		&$.cacheListWatch|raw${
+		$.cacheToListWatcherWithWatchListSemantics|raw$(&$.cacheListWatch|raw${
 			ListFunc: func(options $.v1ListOptions|raw$) ($.runtimeObject|raw$, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -173,7 +174,7 @@ func NewFiltered$.type|public$Informer(client $.clientSetInterface|raw$$if .name
 				}
 				return client.$.group$$.version$().$.type|publicPlural$($if .namespaced$namespace$end$).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&$.type|raw${},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/types.go b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/types.go
index 88e981b6620d0..2e1edbd624aa7 100644
--- a/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/types.go
+++ b/staging/src/k8s.io/code-generator/cmd/informer-gen/generators/types.go
@@ -19,28 +19,29 @@ package generators
 import "k8s.io/gengo/v2/types"
 
 var (
-	apiScheme                   = types.Name{Package: "k8s.io/kubernetes/pkg/api/legacyscheme", Name: "Scheme"}
-	cacheGenericLister          = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "GenericLister"}
-	cacheIndexers               = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "Indexers"}
-	cacheListWatch              = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "ListWatch"}
-	cacheMetaNamespaceIndexFunc = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "MetaNamespaceIndexFunc"}
-	cacheNamespaceIndex         = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NamespaceIndex"}
-	cacheNewGenericLister       = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NewGenericLister"}
-	cacheNewSharedIndexInformer = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NewSharedIndexInformer"}
-	cacheSharedIndexInformer    = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "SharedIndexInformer"}
-	cacheTransformFunc          = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "TransformFunc"}
-	contextBackgroundFunc       = types.Name{Package: "context", Name: "Background"}
-	contextContext              = types.Name{Package: "context", Name: "Context"}
-	fmtErrorfFunc               = types.Name{Package: "fmt", Name: "Errorf"}
-	listOptions                 = types.Name{Package: "k8s.io/kubernetes/pkg/apis/core", Name: "ListOptions"}
-	reflectType                 = types.Name{Package: "reflect", Name: "Type"}
-	runtimeObject               = types.Name{Package: "k8s.io/apimachinery/pkg/runtime", Name: "Object"}
-	schemaGroupResource         = types.Name{Package: "k8s.io/apimachinery/pkg/runtime/schema", Name: "GroupResource"}
-	schemaGroupVersionResource  = types.Name{Package: "k8s.io/apimachinery/pkg/runtime/schema", Name: "GroupVersionResource"}
-	syncMutex                   = types.Name{Package: "sync", Name: "Mutex"}
-	timeDuration                = types.Name{Package: "time", Name: "Duration"}
-	v1ListOptions               = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "ListOptions"}
-	metav1NamespaceAll          = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "NamespaceAll"}
-	metav1Object                = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "Object"}
-	watchInterface              = types.Name{Package: "k8s.io/apimachinery/pkg/watch", Name: "Interface"}
+	apiScheme                                    = types.Name{Package: "k8s.io/kubernetes/pkg/api/legacyscheme", Name: "Scheme"}
+	cacheGenericLister                           = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "GenericLister"}
+	cacheIndexers                                = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "Indexers"}
+	cacheListWatch                               = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "ListWatch"}
+	cacheMetaNamespaceIndexFunc                  = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "MetaNamespaceIndexFunc"}
+	cacheNamespaceIndex                          = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NamespaceIndex"}
+	cacheNewGenericLister                        = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NewGenericLister"}
+	cacheNewSharedIndexInformer                  = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "NewSharedIndexInformer"}
+	cacheSharedIndexInformer                     = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "SharedIndexInformer"}
+	cacheTransformFunc                           = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "TransformFunc"}
+	cacheToListWatcherWithWatchListSemanticsFunc = types.Name{Package: "k8s.io/client-go/tools/cache", Name: "ToListWatcherWithWatchListSemantics"}
+	contextBackgroundFunc                        = types.Name{Package: "context", Name: "Background"}
+	contextContext                               = types.Name{Package: "context", Name: "Context"}
+	fmtErrorfFunc                                = types.Name{Package: "fmt", Name: "Errorf"}
+	listOptions                                  = types.Name{Package: "k8s.io/kubernetes/pkg/apis/core", Name: "ListOptions"}
+	reflectType                                  = types.Name{Package: "reflect", Name: "Type"}
+	runtimeObject                                = types.Name{Package: "k8s.io/apimachinery/pkg/runtime", Name: "Object"}
+	schemaGroupResource                          = types.Name{Package: "k8s.io/apimachinery/pkg/runtime/schema", Name: "GroupResource"}
+	schemaGroupVersionResource                   = types.Name{Package: "k8s.io/apimachinery/pkg/runtime/schema", Name: "GroupVersionResource"}
+	syncMutex                                    = types.Name{Package: "sync", Name: "Mutex"}
+	timeDuration                                 = types.Name{Package: "time", Name: "Duration"}
+	v1ListOptions                                = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "ListOptions"}
+	metav1NamespaceAll                           = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "NamespaceAll"}
+	metav1Object                                 = types.Name{Package: "k8s.io/apimachinery/pkg/apis/meta/v1", Name: "Object"}
+	watchInterface                               = types.Name{Package: "k8s.io/apimachinery/pkg/watch", Name: "Interface"}
 )
diff --git a/staging/src/k8s.io/code-generator/cmd/register-gen/generators/register_external.go b/staging/src/k8s.io/code-generator/cmd/register-gen/generators/register_external.go
index ba867054e9417..4c3fd37e9056c 100644
--- a/staging/src/k8s.io/code-generator/cmd/register-gen/generators/register_external.go
+++ b/staging/src/k8s.io/code-generator/cmd/register-gen/generators/register_external.go
@@ -83,6 +83,7 @@ const GroupName = "$.groupName$"
 var GroupVersion = $.groupVersion|raw${Group: GroupName, Version: "$.version$"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = $.schemaGroupVersion|raw${Group: GroupName, Version: "$.version$"}
 
diff --git a/staging/src/k8s.io/code-generator/cmd/register-gen/output_tests/simpletype/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/cmd/register-gen/output_tests/simpletype/v1/zz_generated.register.go
index 1dcc5674a7bb9..f4fdd30b6a408 100644
--- a/staging/src/k8s.io/code-generator/cmd/register-gen/output_tests/simpletype/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/cmd/register-gen/output_tests/simpletype/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "simpletype"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_field_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_field_validations/zz_generated.validations.go
index 94892383e8216..bcd8947cd5ee4 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_field_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_field_validations/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -44,6 +45,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T2
 	scheme.AddValidationFunc((*T2)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -51,6 +53,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T4
 	scheme.AddValidationFunc((*T4)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -61,65 +64,82 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T3")...)
 			return
-		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }))...)
+		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T4 validates an instance of T4 according
+// to declarative validation rules in the API schema.
 func Validate_T4(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T4) (errs field.ErrorList) {
 	// field T4.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T4.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T4) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T4) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_type_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_type_validations/zz_generated.validations.go
index 5788f6f579f57..b7810d996d13c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_type_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/all_types_match/with_type_validations/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type E1
 	scheme.AddValidationFunc((*E1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -44,6 +45,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -54,32 +56,30 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_E1 validates an instance of E1 according
+// to declarative validation rules in the API schema.
 func Validate_E1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-	// type E1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E1")...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-	// type T1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1")...)
 
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/doc.go
new file mode 100644
index 0000000000000..82482784f49b1
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/doc.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+// +k8s:validation-gen-test-fixture=validateFalse
+
+// This is a test package.
+package cohorts
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+// Note: the following are out of order on purpose.
+// They should be emitted as:
+//   - T {ShortCircuit,Regular}
+//   - T c2 {ShortCircuit,Regular}
+//   - T c1 {ShortCircuit,Regular}
+//
+// +k8s:validateFalse(cohort: "c2")="type T c2 Regular"
+// +k8s:validateFalse(cohort: "c1")="type T c1 Regular"
+// +k8s:validateFalse(cohort: "c1", flags: "ShortCircuit")="type T c1 ShortCircuit"
+// +k8s:validateFalse(cohort: "c2", flags: "ShortCircuit")="type T c2 ShortCircuit"
+// +k8s:validateFalse="type T Regular"
+// +k8s:validateFalse(flags: "ShortCircuit")="type T ShortCircuit"
+type T struct {
+	TypeMeta int
+
+	// Note: the following are out of order on purpose.
+	// They should be emitted as:
+	//   - T.S {ShortCircuit,Regular}
+	//   - T.S c2 {ShortCircuit,Regular}
+	//   - T.S c1 {ShortCircuit,Regular}
+	// +k8s:validateFalse(cohort: "c2")="field T.S c2 Regular"
+	// +k8s:validateFalse(cohort: "c1")="field T.S c1 Regular"
+	// +k8s:validateFalse(cohort: "c1", flags: "ShortCircuit")="field T.S c1 ShortCircuit"
+	// +k8s:validateFalse(cohort: "c2", flags: "ShortCircuit")="field T.S c2 ShortCircuit"
+	// +k8s:validateFalse="field T.S Regular"
+	// +k8s:validateFalse(flags: "ShortCircuit")="field T.S ShortCircuit"
+	S string `json:"s"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/testdata/validate-false.json b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/testdata/validate-false.json
new file mode 100644
index 0000000000000..ad04e39912527
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/testdata/validate-false.json
@@ -0,0 +1,7 @@
+{
+  "*cohorts.T": {
+    "": [
+      "type T ShortCircuit"
+    ]
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations.go
new file mode 100644
index 0000000000000..fabdab123b45e
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations.go
@@ -0,0 +1,131 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package cohorts
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T
+	scheme.AddValidationFunc((*T)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_T(ctx, op, nil /* fldPath */, obj.(*T), safe.Cast[*T](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_T validates an instance of T according
+// to declarative validation rules in the API schema.
+func Validate_T(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T) (errs field.ErrorList) {
+	earlyReturn := false
+	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T ShortCircuit"); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
+	}
+	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T Regular")...)
+	func() { // cohort c2
+		earlyReturn := false
+		if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T c2 ShortCircuit"); len(e) != 0 {
+			errs = append(errs, e...)
+			earlyReturn = true
+		}
+		if earlyReturn {
+			return // do not proceed
+		}
+		errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T c2 Regular")...)
+	}()
+	func() { // cohort c1
+		earlyReturn := false
+		if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T c1 ShortCircuit"); len(e) != 0 {
+			errs = append(errs, e...)
+			earlyReturn = true
+		}
+		if earlyReturn {
+			return // do not proceed
+		}
+		errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T c1 Regular")...)
+	}()
+
+	// field T.TypeMeta has no validation
+
+	// field T.S
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S ShortCircuit"); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S Regular")...)
+			func() { // cohort c2
+				earlyReturn := false
+				if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S c2 ShortCircuit"); len(e) != 0 {
+					errs = append(errs, e...)
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S c2 Regular")...)
+			}()
+			func() { // cohort c1
+				earlyReturn := false
+				if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S c1 ShortCircuit"); len(e) != 0 {
+					errs = append(errs, e...)
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+				errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T.S c1 Regular")...)
+			}()
+			return
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T) *string { return &oldObj.S }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations_test.go
new file mode 100644
index 0000000000000..e9214fd3eb300
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cohorts/zz_generated.validations_test.go
@@ -0,0 +1,30 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package cohorts
+
+import (
+	"testing"
+)
+
+func TestValidation(t *testing.T) {
+	localSchemeBuilder.Test(t).ValidateFixtures()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cross_pkg/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cross_pkg/zz_generated.validations.go
index c981ce03a8f73..34b737ed02838 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cross_pkg/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/cross_pkg/zz_generated.validations.go
@@ -41,6 +41,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -51,254 +52,317 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.PrimitivesT1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT1")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("primitivest1"), &obj.PrimitivesT1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return &oldObj.PrimitivesT1 }))...)
+		}(fldPath.Child("primitivest1"), &obj.PrimitivesT1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return &oldObj.PrimitivesT1 }), oldObj != nil)...)
 
 	// field T1.PrimitivesT1Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT1Ptr")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("primitivest1Ptr"), obj.PrimitivesT1Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT1Ptr }))...)
+		}(fldPath.Child("primitivest1Ptr"), obj.PrimitivesT1Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT1Ptr }), oldObj != nil)...)
 
 	// field T1.PrimitivesT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT2")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("primitivest2"), &obj.PrimitivesT2, safe.Field(oldObj, func(oldObj *T1) *primitives.T2 { return &oldObj.PrimitivesT2 }))...)
+		}(fldPath.Child("primitivest2"), &obj.PrimitivesT2, safe.Field(oldObj, func(oldObj *T1) *primitives.T2 { return &oldObj.PrimitivesT2 }), oldObj != nil)...)
 
 	// field T1.PrimitivesT2Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT2Ptr")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("primitivest2Ptr"), obj.PrimitivesT2Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT2Ptr }))...)
+		}(fldPath.Child("primitivest2Ptr"), obj.PrimitivesT2Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT2Ptr }), oldObj != nil)...)
 
 	// field T1.PrimitivesT3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT3")...)
 			return
-		}(fldPath.Child("primitivest3"), &obj.PrimitivesT3, safe.Field(oldObj, func(oldObj *T1) *primitives.T3 { return &oldObj.PrimitivesT3 }))...)
+		}(fldPath.Child("primitivest3"), &obj.PrimitivesT3, safe.Field(oldObj, func(oldObj *T1) *primitives.T3 { return &oldObj.PrimitivesT3 }), oldObj != nil)...)
 
 	// field T1.PrimitivesT3Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.PrimitivesT3Ptr")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("primitivest3Ptr"), obj.PrimitivesT3Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT3Ptr }))...)
+		}(fldPath.Child("primitivest3Ptr"), obj.PrimitivesT3Ptr, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PrimitivesT3Ptr }), oldObj != nil)...)
 
 	// field T1.TypedefsE1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE1")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse1"), &obj.TypedefsE1, safe.Field(oldObj, func(oldObj *T1) *typedefs.E1 { return &oldObj.TypedefsE1 }))...)
+		}(fldPath.Child("typedefse1"), &obj.TypedefsE1, safe.Field(oldObj, func(oldObj *T1) *typedefs.E1 { return &oldObj.TypedefsE1 }), oldObj != nil)...)
 
 	// field T1.TypedefsE1Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE1Ptr")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse1Ptr"), obj.TypedefsE1Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E1 { return oldObj.TypedefsE1Ptr }))...)
+		}(fldPath.Child("typedefse1Ptr"), obj.TypedefsE1Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E1 { return oldObj.TypedefsE1Ptr }), oldObj != nil)...)
 
 	// field T1.TypedefsE2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE2")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse2"), &obj.TypedefsE2, safe.Field(oldObj, func(oldObj *T1) *typedefs.E2 { return &oldObj.TypedefsE2 }))...)
+		}(fldPath.Child("typedefse2"), &obj.TypedefsE2, safe.Field(oldObj, func(oldObj *T1) *typedefs.E2 { return &oldObj.TypedefsE2 }), oldObj != nil)...)
 
 	// field T1.TypedefsE2Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE2Ptr")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse2Ptr"), obj.TypedefsE2Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E2 { return oldObj.TypedefsE2Ptr }))...)
+		}(fldPath.Child("typedefse2Ptr"), obj.TypedefsE2Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E2 { return oldObj.TypedefsE2Ptr }), oldObj != nil)...)
 
 	// field T1.TypedefsE3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE3")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse3"), &obj.TypedefsE3, safe.Field(oldObj, func(oldObj *T1) *typedefs.E3 { return &oldObj.TypedefsE3 }))...)
+		}(fldPath.Child("typedefse3"), &obj.TypedefsE3, safe.Field(oldObj, func(oldObj *T1) *typedefs.E3 { return &oldObj.TypedefsE3 }), oldObj != nil)...)
 
 	// field T1.TypedefsE3Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE3Ptr")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse3Ptr"), obj.TypedefsE3Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E3 { return oldObj.TypedefsE3Ptr }))...)
+		}(fldPath.Child("typedefse3Ptr"), obj.TypedefsE3Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E3 { return oldObj.TypedefsE3Ptr }), oldObj != nil)...)
 
 	// field T1.TypedefsE4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E4) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE4")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse4"), &obj.TypedefsE4, safe.Field(oldObj, func(oldObj *T1) *typedefs.E4 { return &oldObj.TypedefsE4 }))...)
+		}(fldPath.Child("typedefse4"), &obj.TypedefsE4, safe.Field(oldObj, func(oldObj *T1) *typedefs.E4 { return &oldObj.TypedefsE4 }), oldObj != nil)...)
 
 	// field T1.TypedefsE4Ptr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *typedefs.E4) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *typedefs.E4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.TypedefsE4Ptr")...)
+			// call the type's validation function
 			errs = append(errs, typedefs.Validate_E4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefse4Ptr"), obj.TypedefsE4Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E4 { return oldObj.TypedefsE4Ptr }))...)
+		}(fldPath.Child("typedefse4Ptr"), obj.TypedefsE4Ptr, safe.Field(oldObj, func(oldObj *T1) *typedefs.E4 { return oldObj.TypedefsE4Ptr }), oldObj != nil)...)
 
 	// field T1.OtherString
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherString")...)
 			return
-		}(fldPath.Child("otherString"), &obj.OtherString, safe.Field(oldObj, func(oldObj *T1) *other.StringType { return &oldObj.OtherString }))...)
+		}(fldPath.Child("otherString"), &obj.OtherString, safe.Field(oldObj, func(oldObj *T1) *other.StringType { return &oldObj.OtherString }), oldObj != nil)...)
 
 	// field T1.OtherStringPtr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherStringPtr")...)
 			return
-		}(fldPath.Child("otherStringPtr"), obj.OtherStringPtr, safe.Field(oldObj, func(oldObj *T1) *other.StringType { return oldObj.OtherStringPtr }))...)
+		}(fldPath.Child("otherStringPtr"), obj.OtherStringPtr, safe.Field(oldObj, func(oldObj *T1) *other.StringType { return oldObj.OtherStringPtr }), oldObj != nil)...)
 
 	// field T1.OtherInt
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherInt")...)
 			return
-		}(fldPath.Child("otherInt"), &obj.OtherInt, safe.Field(oldObj, func(oldObj *T1) *other.IntType { return &oldObj.OtherInt }))...)
+		}(fldPath.Child("otherInt"), &obj.OtherInt, safe.Field(oldObj, func(oldObj *T1) *other.IntType { return &oldObj.OtherInt }), oldObj != nil)...)
 
 	// field T1.OtherIntPtr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherIntPtr")...)
 			return
-		}(fldPath.Child("otherIntPtr"), obj.OtherIntPtr, safe.Field(oldObj, func(oldObj *T1) *other.IntType { return oldObj.OtherIntPtr }))...)
+		}(fldPath.Child("otherIntPtr"), obj.OtherIntPtr, safe.Field(oldObj, func(oldObj *T1) *other.IntType { return oldObj.OtherIntPtr }), oldObj != nil)...)
 
 	// field T1.OtherStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherStruct")...)
 			return
-		}(fldPath.Child("otherStruct"), &obj.OtherStruct, safe.Field(oldObj, func(oldObj *T1) *other.StructType { return &oldObj.OtherStruct }))...)
+		}(fldPath.Child("otherStruct"), &obj.OtherStruct, safe.Field(oldObj, func(oldObj *T1) *other.StructType { return &oldObj.OtherStruct }), oldObj != nil)...)
 
 	// field T1.OtherStructPtr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.OtherStructPtr")...)
 			return
-		}(fldPath.Child("otherStructPtr"), obj.OtherStructPtr, safe.Field(oldObj, func(oldObj *T1) *other.StructType { return oldObj.OtherStructPtr }))...)
+		}(fldPath.Child("otherStructPtr"), obj.OtherStructPtr, safe.Field(oldObj, func(oldObj *T1) *other.StructType { return oldObj.OtherStructPtr }), oldObj != nil)...)
 
 	// field T1.SliceOfOtherStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.SliceOfOtherStruct")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *other.StructType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.SliceOfOtherStruct values")
 			})...)
 			return
-		}(fldPath.Child("sliceOfOtherStruct"), obj.SliceOfOtherStruct, safe.Field(oldObj, func(oldObj *T1) []other.StructType { return oldObj.SliceOfOtherStruct }))...)
+		}(fldPath.Child("sliceOfOtherStruct"), obj.SliceOfOtherStruct, safe.Field(oldObj, func(oldObj *T1) []other.StructType { return oldObj.SliceOfOtherStruct }), oldObj != nil)...)
 
 	// field T1.ListMapOfOtherStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.ListMapOfOtherStruct")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a other.StructType, b other.StructType) bool { return a.StringField == b.StringField }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *other.StructType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.SliceOfOtherStruct values")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a other.StructType, b other.StructType) bool { return a.StringField == b.StringField })...)
 			return
-		}(fldPath.Child("listMapOfOtherStruct"), obj.ListMapOfOtherStruct, safe.Field(oldObj, func(oldObj *T1) []other.StructType { return oldObj.ListMapOfOtherStruct }))...)
+		}(fldPath.Child("listMapOfOtherStruct"), obj.ListMapOfOtherStruct, safe.Field(oldObj, func(oldObj *T1) []other.StructType { return oldObj.ListMapOfOtherStruct }), oldObj != nil)...)
 
 	// field T1.MapOfOtherStringToOtherStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[other.StringType]other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[other.StringType]other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *other.StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.MapOfOtherStringToOtherStruct keys")
 			})...)
@@ -307,7 +371,7 @@ func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Pat
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.MapOfOtherStringToOtherStruct values")
 			})...)
 			return
-		}(fldPath.Child("mapOfOtherStringToOtherStruct"), obj.MapOfOtherStringToOtherStruct, safe.Field(oldObj, func(oldObj *T1) map[other.StringType]other.StructType { return oldObj.MapOfOtherStringToOtherStruct }))...)
+		}(fldPath.Child("mapOfOtherStringToOtherStruct"), obj.MapOfOtherStringToOtherStruct, safe.Field(oldObj, func(oldObj *T1) map[other.StringType]other.StructType { return oldObj.MapOfOtherStringToOtherStruct }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/elide_no_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/elide_no_validations/zz_generated.validations.go
index 496025b23f251..99dee2639a91c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/elide_no_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/elide_no_validations/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,59 +48,75 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_HasFieldVal validates an instance of HasFieldVal according
+// to declarative validation rules in the API schema.
 func Validate_HasFieldVal(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *HasFieldVal) (errs field.ErrorList) {
 	// field HasFieldVal.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field HasFieldVal.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *HasFieldVal) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *HasFieldVal) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_HasTypeVal validates an instance of HasTypeVal according
+// to declarative validation rules in the API schema.
 func Validate_HasTypeVal(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *HasTypeVal) (errs field.ErrorList) {
-	// type HasTypeVal
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type HasTypeVal")...)
 
 	// field HasTypeVal.S has no validation
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.HasTypeVal
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *HasTypeVal) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *HasTypeVal, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_HasTypeVal(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("hasTypeVal"), &obj.HasTypeVal, safe.Field(oldObj, func(oldObj *T1) *HasTypeVal { return &oldObj.HasTypeVal }))...)
+		}(fldPath.Child("hasTypeVal"), &obj.HasTypeVal, safe.Field(oldObj, func(oldObj *T1) *HasTypeVal { return &oldObj.HasTypeVal }), oldObj != nil)...)
 
 	// field T1.HasFieldVal
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *HasFieldVal) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *HasFieldVal, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_HasFieldVal(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("hasFieldVal"), &obj.HasFieldVal, safe.Field(oldObj, func(oldObj *T1) *HasFieldVal { return &oldObj.HasFieldVal }))...)
+		}(fldPath.Child("hasFieldVal"), &obj.HasFieldVal, safe.Field(oldObj, func(oldObj *T1) *HasFieldVal { return &oldObj.HasFieldVal }), oldObj != nil)...)
 
 	// field T1.HasNoVal has no validation
 
 	// field T1.HasNoValFieldVal
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *HasNoVal) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *HasNoVal, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.HasNoValFieldVal")...)
 			return
-		}(fldPath.Child("hasNoValFieldVal"), &obj.HasNoValFieldVal, safe.Field(oldObj, func(oldObj *T1) *HasNoVal { return &oldObj.HasNoValFieldVal }))...)
+		}(fldPath.Child("hasNoValFieldVal"), &obj.HasNoValFieldVal, safe.Field(oldObj, func(oldObj *T1) *HasNoVal { return &oldObj.HasNoValFieldVal }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/embedded/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/embedded/zz_generated.validations.go
index 26dd31341a2c8..771fe24ece602 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/embedded/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/embedded/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,60 +48,82 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("T2") }), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("T2") }), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("T3") }), obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return oldObj.T3 }))...)
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("T3") }), obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return oldObj.T3 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T2.IntField")...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *T2) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *T2) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T3 validates an instance of T3 according
+// to declarative validation rules in the API schema.
 func Validate_T3(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
 	// field T3.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T3.StringField")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *T3) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *T3) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field T3.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T3.IntField")...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *T3) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *T3) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/keys/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/keys/zz_generated.validations.go
index f21259adc7769..c5263056eacdd 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/keys/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/keys/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,90 +49,98 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField(keys)")
 			})...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField")...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *UnvalidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField(keys)")
 			})...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField")...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapValidatedTypedefField(keys)")
 			})...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapValidatedTypedefField")...)
+			// iterate the map and call the key type's validation function
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_ValidatedStringType)...)
 			return
-		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }))...)
+		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj UnvalidatedMapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj UnvalidatedMapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypeField(keys)")
 			})...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypeField")...)
 			return
-		}(fldPath.Child("mapTypeField"), obj.MapTypeField, safe.Field(oldObj, func(oldObj *Struct) UnvalidatedMapType { return oldObj.MapTypeField }))...)
+		}(fldPath.Child("mapTypeField"), obj.MapTypeField, safe.Field(oldObj, func(oldObj *Struct) UnvalidatedMapType { return oldObj.MapTypeField }), oldObj != nil)...)
 
 	// field Struct.ValidatedMapTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ValidatedMapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ValidatedMapTypeField(keys)")
 			})...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ValidatedMapTypeField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedMapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }))...)
+		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedMapType validates an instance of ValidatedMapType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-	// type ValidatedMapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ValidatedMapType(keys)")
 	})...)
@@ -140,11 +149,9 @@ func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldP
 	return errs
 }
 
+// Validate_ValidatedStringType validates an instance of ValidatedStringType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
-	// type ValidatedStringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "ValidatedStringType")...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_primitive/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_primitive/zz_generated.validations.go
index bcf02bbf67882..d74f91485d6e9 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_primitive/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_primitive/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,51 +49,52 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_StringType)...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]StringType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]StringType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedMapField has no validation
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_struct/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_struct/zz_generated.validations.go
index d43e1affb5db3..c5f423a736786 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_struct/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/map_of_struct/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,62 +49,62 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_OtherStruct validates an instance of OtherStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-	// type OtherStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherStruct")...)
 
 	return errs
 }
 
+// Validate_OtherTypedefStruct validates an instance of OtherTypedefStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherTypedefStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) (errs field.ErrorList) {
-	// type OtherTypedefStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherTypedefStruct")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherStruct { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherStruct { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_OtherTypedefStruct)...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherTypedefStruct { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherTypedefStruct { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedMapField has no validation
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/multiple_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/multiple_validations/zz_generated.validations.go
index 6b5904286dc82..188172c492523 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/multiple_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/multiple_validations/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,21 +49,21 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField(keys) #1")
 			})...)
@@ -78,7 +79,7 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*] #2")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedMapField has no validation
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/typedef_to_map/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/typedef_to_map/zz_generated.validations.go
index ed6ed1e0476e6..28dc10881c379 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/typedef_to_map/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/maps/typedef_to_map/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,11 +49,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_MapType validates an instance of MapType according
+// to declarative validation rules in the API schema.
 func Validate_MapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-	// type MapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapType")...)
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapType[*]")
@@ -61,66 +60,67 @@ func Validate_MapType(ctx context.Context, op operation.Operation, fldPath *fiel
 	return errs
 }
 
+// Validate_MapTypedefType validates an instance of MapTypedefType according
+// to declarative validation rules in the API schema.
 func Validate_MapTypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MapTypedefType) (errs field.ErrorList) {
-	// type MapTypedefType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapTypedefType")...)
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapTypedefType[*]")
 	})...)
+	// iterate the map and call the value type's validation function
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_StringType)...)
 
 	return errs
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_MapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MapTypedefType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MapTypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField")...)
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_MapTypedefType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapTypedefType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapTypedefType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/multiple_tags/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/multiple_tags/zz_generated.validations.go
index c8bf791b803fc..6a7aa362cdf11 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/multiple_tags/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/multiple_tags/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,11 +48,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-	// type T1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1 #1")...)
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1 #2")...)
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1 #3")...)
@@ -61,54 +60,59 @@ func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Pat
 
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S false #1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S false #2")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S false #3")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.S true")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2 false #1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2 false #2")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2 false #3")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.T2 true")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-	// type T2
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T2 false #1")...)
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T2 false #2")...)
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "type T2 true")...)
 
 	// field T2.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S false #1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S false #2")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T2.S true")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_field_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_field_validations/zz_generated.validations.go
index 60f41b8c713f4..b08696e9cd848 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_field_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_field_validations/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,84 +48,100 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_E1 validates an instance of E1 according
+// to declarative validation rules in the API schema.
 func Validate_E1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-	// type E1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E1")...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T3")...)
 			return
-		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }))...)
+		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }), oldObj != nil)...)
 
 	// field T1.E1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E1")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }))...)
+		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }), oldObj != nil)...)
 
 	// field T1.E2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E2")...)
 			return
-		}(fldPath.Child("e2"), &obj.E2, safe.Field(oldObj, func(oldObj *T1) *E2 { return &oldObj.E2 }))...)
+		}(fldPath.Child("e2"), &obj.E2, safe.Field(oldObj, func(oldObj *T1) *E2 { return &oldObj.E2 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_type_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_type_validations/zz_generated.validations.go
index 9716b26ce9781..dfa60bb6a5e84 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_type_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/one_type_match/with_type_validations/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,11 +48,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-	// type T1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1")...)
 
 	// field T1.TypeMeta has no validation
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/testdata/validate-false.json b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/testdata/validate-false.json
index 6fe7d40337f37..f1fd2b1edf2cb 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/testdata/validate-false.json
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/testdata/validate-false.json
@@ -42,7 +42,8 @@
   },
   "*structs.TMultiple": {
     "": [
-      "TMultiple, ShortCircuit 1"
+      "TMultiple, ShortCircuit 1",
+      "TMultiple, ShortCircuit 2"
     ]
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/zz_generated.validations.go
index 124a93e6ece94..5d17ed257b95f 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/structs/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T00
 	scheme.AddValidationFunc((*T00)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +45,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T01
 	scheme.AddValidationFunc((*T01)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +53,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T02
 	scheme.AddValidationFunc((*T02)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -59,6 +61,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T03
 	scheme.AddValidationFunc((*T03)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -66,6 +69,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type TMultiple
 	scheme.AddValidationFunc((*TMultiple)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -76,6 +80,8 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T00 validates an instance of T00 according
+// to declarative validation rules in the API schema.
 func Validate_T00(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T00) (errs field.ErrorList) {
 	// field T00.TypeMeta has no validation
 	// field T00.S has no validation
@@ -83,82 +89,102 @@ func Validate_T00(ctx context.Context, op operation.Operation, fldPath *field.Pa
 
 	// field T00.T
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T00) *Tother { return &oldObj.T }))...)
+		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T00) *Tother { return &oldObj.T }), oldObj != nil)...)
 
 	// field T00.PT
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T00) *Tother { return oldObj.PT }))...)
+		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T00) *Tother { return oldObj.PT }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T01 validates an instance of T01 according
+// to declarative validation rules in the API schema.
 func Validate_T01(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T01) (errs field.ErrorList) {
-	// type T01
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T01, no flags")...)
 
 	// field T01.TypeMeta has no validation
 
 	// field T01.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T01.S, no flags")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T01) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T01) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T01.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T01.PS, no flags")...)
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T01) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T01) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field T01.T
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T01.T, no flags")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T01) *Tother { return &oldObj.T }))...)
+		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T01) *Tother { return &oldObj.T }), oldObj != nil)...)
 
 	// field T01.PT
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T01.PT, no flags")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T01) *Tother { return oldObj.PT }))...)
+		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T01) *Tother { return oldObj.PT }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T02 validates an instance of T02 according
+// to declarative validation rules in the API schema.
 func Validate_T02(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T02) (errs field.ErrorList) {
-	// type T02
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T02, ShortCircuit"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 
@@ -166,68 +192,96 @@ func Validate_T02(ctx context.Context, op operation.Operation, fldPath *field.Pa
 
 	// field T02.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T02.S, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T02) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T02) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T02.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T02.PS, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T02) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T02) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field T02.T
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T02.T, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T02) *Tother { return &oldObj.T }))...)
+		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T02) *Tother { return &oldObj.T }), oldObj != nil)...)
 
 	// field T02.PT
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T02.PT, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T02) *Tother { return oldObj.PT }))...)
+		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T02) *Tother { return oldObj.PT }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T03 validates an instance of T03 according
+// to declarative validation rules in the API schema.
 func Validate_T03(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T03) (errs field.ErrorList) {
-	// type T03
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03, ShortCircuit"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03, no flags")...)
@@ -236,76 +290,104 @@ func Validate_T03(ctx context.Context, op operation.Operation, fldPath *field.Pa
 
 	// field T03.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.S, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.S, no flags")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T03) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T03) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T03.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.PS, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.PS, no flags")...)
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T03) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T03) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field T03.T
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.T, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.T, no flags")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T03) *Tother { return &oldObj.T }))...)
+		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *T03) *Tother { return &oldObj.T }), oldObj != nil)...)
 
 	// field T03.PT
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.PT, ShortCircuit"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T03.PT, no flags")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T03) *Tother { return oldObj.PT }))...)
+		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *T03) *Tother { return oldObj.PT }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_TMultiple validates an instance of TMultiple according
+// to declarative validation rules in the API schema.
 func Validate_TMultiple(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *TMultiple) (errs field.ErrorList) {
-	// type TMultiple
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple, ShortCircuit 1"); len(e) != 0 {
 		errs = append(errs, e...)
-		return // do not proceed
+		earlyReturn = true
 	}
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple, ShortCircuit 2"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple, no flags 1")...)
@@ -316,99 +398,129 @@ func Validate_TMultiple(ctx context.Context, op operation.Operation, fldPath *fi
 
 	// field TMultiple.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.S, ShortCircuit 1"); len(e) != 0 {
 				errs = append(errs, e...)
-				return // do not proceed
+				earlyReturn = true
 			}
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.S, ShortCircuit 2"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.S, no flags 1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T0, string payload")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.S, no flags 2")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *TMultiple) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *TMultiple) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field TMultiple.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PS, ShortCircuit 1"); len(e) != 0 {
 				errs = append(errs, e...)
-				return // do not proceed
+				earlyReturn = true
 			}
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PS, ShortCircuit 2"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PS, no flags 1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T0, string payload")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PS, no flags 2")...)
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *TMultiple) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *TMultiple) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field TMultiple.T
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.T, ShortCircuit 1"); len(e) != 0 {
 				errs = append(errs, e...)
-				return // do not proceed
+				earlyReturn = true
 			}
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.T, ShortCircuit 2"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.T, no flags 1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T0, string payload")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.T, no flags 2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *TMultiple) *Tother { return &oldObj.T }))...)
+		}(fldPath.Child("t"), &obj.T, safe.Field(oldObj, func(oldObj *TMultiple) *Tother { return &oldObj.T }), oldObj != nil)...)
 
 	// field TMultiple.PT
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *Tother, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PT, ShortCircuit 1"); len(e) != 0 {
 				errs = append(errs, e...)
-				return // do not proceed
+				earlyReturn = true
 			}
 			if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PT, ShortCircuit 2"); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PT, no flags 1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "T0, string payload")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "TMultiple.PT, no flags 2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_Tother(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *TMultiple) *Tother { return oldObj.PT }))...)
+		}(fldPath.Child("pt"), obj.PT, safe.Field(oldObj, func(oldObj *TMultiple) *Tother { return oldObj.PT }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_Tother validates an instance of Tother according
+// to declarative validation rules in the API schema.
 func Validate_Tother(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Tother) (errs field.ErrorList) {
 	// field Tother.OS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Tother, no flags")...)
 			return
-		}(fldPath.Child("os"), &obj.OS, safe.Field(oldObj, func(oldObj *Tother) *string { return &oldObj.OS }))...)
+		}(fldPath.Child("os"), &obj.OS, safe.Field(oldObj, func(oldObj *Tother) *string { return &oldObj.OS }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/testdata/validate-false.json b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/testdata/validate-false.json
index f1a61e10fa8f4..eb000238a3093 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/testdata/validate-false.json
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/testdata/validate-false.json
@@ -16,7 +16,8 @@
   },
   "*typedefs.EMultiple": {
     "": [
-      "EMultiple, ShortCircuit 1"
+      "EMultiple, ShortCircuit 1",
+      "EMultiple, ShortCircuit 2"
     ]
   }
 }
\ No newline at end of file
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/zz_generated.validations.go
index 11fc97154afa9..a0df0df459371 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ordering/typedefs/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type E01
 	scheme.AddValidationFunc((*E01)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -44,6 +45,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type E02
 	scheme.AddValidationFunc((*E02)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -51,6 +53,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type E03
 	scheme.AddValidationFunc((*E03)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -58,6 +61,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type EMultiple
 	scheme.AddValidationFunc((*EMultiple)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -68,36 +72,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_E01 validates an instance of E01 according
+// to declarative validation rules in the API schema.
 func Validate_E01(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E01) (errs field.ErrorList) {
-	// type E01
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "E01, no flags")...)
 
 	return errs
 }
 
+// Validate_E02 validates an instance of E02 according
+// to declarative validation rules in the API schema.
 func Validate_E02(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E02) (errs field.ErrorList) {
-	// type E02
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "E02, ShortCircuit"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 
 	return errs
 }
 
+// Validate_E03 validates an instance of E03 according
+// to declarative validation rules in the API schema.
 func Validate_E03(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E03) (errs field.ErrorList) {
-	// type E03
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "E03, ShortCircuit"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "E03, no flags")...)
@@ -105,17 +111,19 @@ func Validate_E03(ctx context.Context, op operation.Operation, fldPath *field.Pa
 	return errs
 }
 
+// Validate_EMultiple validates an instance of EMultiple according
+// to declarative validation rules in the API schema.
 func Validate_EMultiple(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *EMultiple) (errs field.ErrorList) {
-	// type EMultiple
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
+	earlyReturn := false
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "EMultiple, ShortCircuit 1"); len(e) != 0 {
 		errs = append(errs, e...)
-		return // do not proceed
+		earlyReturn = true
 	}
 	if e := validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "EMultiple, ShortCircuit 2"); len(e) != 0 {
 		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
 		return // do not proceed
 	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "EMultiple, no flags 1")...)
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/pointers/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/pointers/zz_generated.validations.go
index b353d293a2ec1..880be40681e6c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/pointers/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/pointers/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,59 +49,72 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PS")...)
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T1) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T1) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field T1.PI
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PI")...)
 			return
-		}(fldPath.Child("pi"), obj.PI, safe.Field(oldObj, func(oldObj *T1) *int { return oldObj.PI }))...)
+		}(fldPath.Child("pi"), obj.PI, safe.Field(oldObj, func(oldObj *T1) *int { return oldObj.PI }), oldObj != nil)...)
 
 	// field T1.PB
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PB")...)
 			return
-		}(fldPath.Child("pb"), obj.PB, safe.Field(oldObj, func(oldObj *T1) *bool { return oldObj.PB }))...)
+		}(fldPath.Child("pb"), obj.PB, safe.Field(oldObj, func(oldObj *T1) *bool { return oldObj.PB }), oldObj != nil)...)
 
 	// field T1.PF
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PF")...)
 			return
-		}(fldPath.Child("pf"), obj.PF, safe.Field(oldObj, func(oldObj *T1) *float64 { return oldObj.PF }))...)
+		}(fldPath.Child("pf"), obj.PF, safe.Field(oldObj, func(oldObj *T1) *float64 { return oldObj.PF }), oldObj != nil)...)
 
 	// field T1.PT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PT2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }))...)
+		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }), oldObj != nil)...)
 
 	// field T1.AnotherPS has no validation
 	// field T1.AnotherPI has no validation
@@ -109,46 +123,56 @@ func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Pat
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.PS
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.PS")...)
 			return
-		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T2) *string { return oldObj.PS }))...)
+		}(fldPath.Child("ps"), obj.PS, safe.Field(oldObj, func(oldObj *T2) *string { return oldObj.PS }), oldObj != nil)...)
 
 	// field T2.PI
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.PI")...)
 			return
-		}(fldPath.Child("pi"), obj.PI, safe.Field(oldObj, func(oldObj *T2) *int { return oldObj.PI }))...)
+		}(fldPath.Child("pi"), obj.PI, safe.Field(oldObj, func(oldObj *T2) *int { return oldObj.PI }), oldObj != nil)...)
 
 	// field T2.PB
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.PB")...)
 			return
-		}(fldPath.Child("pb"), obj.PB, safe.Field(oldObj, func(oldObj *T2) *bool { return oldObj.PB }))...)
+		}(fldPath.Child("pb"), obj.PB, safe.Field(oldObj, func(oldObj *T2) *bool { return oldObj.PB }), oldObj != nil)...)
 
 	// field T2.PF
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.PF")...)
 			return
-		}(fldPath.Child("pf"), obj.PF, safe.Field(oldObj, func(oldObj *T2) *float64 { return oldObj.PF }))...)
+		}(fldPath.Child("pf"), obj.PF, safe.Field(oldObj, func(oldObj *T2) *float64 { return oldObj.PF }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/primitives/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/primitives/zz_generated.validations.go
index 84d3819e15d52..d816e69df47ec 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/primitives/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/primitives/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,59 +48,72 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T1.I
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.I")...)
 			return
-		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *T1) *int { return &oldObj.I }))...)
+		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *T1) *int { return &oldObj.I }), oldObj != nil)...)
 
 	// field T1.B
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.B")...)
 			return
-		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *T1) *bool { return &oldObj.B }))...)
+		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *T1) *bool { return &oldObj.B }), oldObj != nil)...)
 
 	// field T1.F
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.F")...)
 			return
-		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *T1) *float64 { return &oldObj.F }))...)
+		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *T1) *float64 { return &oldObj.F }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3 has no validation
 	// field T1.AnotherS has no validation
@@ -109,54 +123,69 @@ func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Pat
 
 	// field T1.AnotherT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("anothert2"), &obj.AnotherT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.AnotherT2 }))...)
+		}(fldPath.Child("anothert2"), &obj.AnotherT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.AnotherT2 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field T2.I
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.I")...)
 			return
-		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *T2) *int { return &oldObj.I }))...)
+		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *T2) *int { return &oldObj.I }), oldObj != nil)...)
 
 	// field T2.B
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.B")...)
 			return
-		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *T2) *bool { return &oldObj.B }))...)
+		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *T2) *bool { return &oldObj.B }), oldObj != nil)...)
 
 	// field T2.F
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.F")...)
 			return
-		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *T2) *float64 { return &oldObj.F }))...)
+		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *T2) *float64 { return &oldObj.F }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/public_private/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/public_private/zz_generated.validations.go
index 16de705f7105c..bddbacfaff512 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/public_private/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/public_private/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,16 +48,20 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.Public
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.Public")...)
 			return
-		}(fldPath.Child("public"), &obj.Public, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.Public }))...)
+		}(fldPath.Child("public"), &obj.Public, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.Public }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc.go
index b5514658ec96b..f20a4b553e5f6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc.go
@@ -127,18 +127,27 @@ type DirectComparableStruct struct {
 
 // +k8s:validateFalse="type NonDirectComparableStruct"
 type NonDirectComparableStruct struct {
-	// +k8s:validateFalse="field intField"
+	// +k8s:validateFalse="field intPtrField"
 	IntPtrField *int `json:"intPtrField"`
 }
 
 // +k8s:validateFalse="type NestedDirectComparableStruct"
 type NestedDirectComparableStruct struct {
-	// +k8s:validateFalse="field intField"
+	// +k8s:validateFalse="field directComparableStructField"
 	DirectComparableStructField DirectComparableStruct `json:"directComparableStructField"`
 }
 
 // +k8s:validateFalse="type NestedNonDirectComparableStruct"
 type NestedNonDirectComparableStruct struct {
-	// +k8s:validateFalse="field intField"
+	// +k8s:validateFalse="field nonDirectComparableStructField"
 	NonDirectComparableStructField NonDirectComparableStruct `json:"nonDirectComparableStructField"`
 }
+
+type MixComparableStruct struct {
+	TypeMeta int
+
+	Primitive string `json:"Primitive"`
+
+	// +k8s:validateFalse="field NonComparable"
+	NonComparable []string `json:"NonComparable"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc_test.go
index 972049ed2c082..c4bdcd27387e6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/doc_test.go
@@ -24,186 +24,163 @@ import (
 )
 
 func Test_StructPrimitive(t *testing.T) {
+	mkTest := func() *StructPrimitive {
+		return &StructPrimitive{
+			IntField:    1,
+			IntPtrField: ptr.To(1), // Different pointers each call, but same value.
+		}
+	}
+
 	st := localSchemeBuilder.Test(t)
-	st.Value(&StructPrimitive{
-		IntField:    1,
-		IntPtrField: ptr.To(1),
-	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+	st.Value(mkTest()).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
 		field.Invalid(field.NewPath("intField"), "", ""),
 		field.Invalid(field.NewPath("intPtrField"), "", ""),
 	})
-	st.Value(&StructPrimitive{
-		IntField:    1,
-		IntPtrField: ptr.To(1),
-	}).OldValue(&StructPrimitive{
-		IntField:    1,
-		IntPtrField: ptr.To(1), // Different pointers but value unchanged.
-	}).ExpectValid()
+	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
 }
 
 func Test_StructSlice(t *testing.T) {
+	mkTest := func() *StructSlice {
+		return &StructSlice{
+			SliceField:        []S{""},
+			TypeDefSliceField: MySlice{1},
+		}
+	}
+
 	st := localSchemeBuilder.Test(t)
-	st.Value(&StructSlice{
-		SliceField:        []S{""},
-		TypeDefSliceField: MySlice{1},
-	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-		field.Invalid(field.NewPath("sliceField"), "", ""),
-		field.Invalid(field.NewPath("sliceField[0]"), "", ""),
-		field.Invalid(field.NewPath("typedefSliceField"), "", ""),
+	st.Value(mkTest()).ExpectValidateFalseByPath(map[string][]string{
+		"sliceField":        {"field sliceField"},
+		"sliceField[0]":     {"type S"},
+		"typedefSliceField": {"field typedefSliceField", "type MySlice"},
 	})
 
-	st.Value(&StructSlice{
-		SliceField:        []S{""},
-		TypeDefSliceField: MySlice{1},
-	}).OldValue(&StructSlice{
-		SliceField:        []S{""},
-		TypeDefSliceField: MySlice{1},
-	}).ExpectValid()
+	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
 }
 
 func Test_StructMap(t *testing.T) {
+	mkTest := func() *StructMap {
+		return &StructMap{
+			MapKeyField:            map[S]string{S("k"): "v"},
+			MapValueField:          map[string]S{"k": "v"},
+			AliasMapKeyTypeField:   AliasMapKeyType{"k": "v"},
+			AliasMapValueTypeField: AliasMapValueType{"k": "v"},
+		}
+	}
+
 	st := localSchemeBuilder.Test(t)
-	st.Value(&StructMap{
-		MapKeyField:            map[S]string{S("k"): "v"},
-		MapValueField:          map[string]S{"k": "v"},
-		AliasMapKeyTypeField:   AliasMapKeyType{"k": "v"},
-		AliasMapValueTypeField: AliasMapValueType{"k": "v"},
-	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-		field.Invalid(field.NewPath("mapKeyField"), "", ""),
-		field.Invalid(field.NewPath("mapValueField"), "", ""),
-		field.Invalid(field.NewPath("mapValueField[k]"), "", ""),
-		field.Invalid(field.NewPath("aliasMapKeyTypeField"), "", ""),
-		field.Invalid(field.NewPath("aliasMapValueTypeField"), "", ""),
-		field.Invalid(field.NewPath("aliasMapValueTypeField[k]"), "", ""),
+	st.Value(mkTest()).ExpectValidateFalseByPath(map[string][]string{
+		"aliasMapKeyTypeField":      {"field aliasMapKeyTypeField", "type MapKeyType", "type S"},
+		"aliasMapValueTypeField":    {"field aliasMapValueTypeField", "type MapValueType"},
+		"aliasMapValueTypeField[k]": {"type S"},
+		"mapKeyField":               {"field mapKeyField", "type S"},
+		"mapValueField":             {"field mapValueField"},
+		"mapValueField[k]":          {"type S"},
 	})
 
-	st.Value(&StructMap{
-		MapKeyField:            map[S]string{S("k"): "v"},
-		MapValueField:          map[string]S{"k": "v"},
-		AliasMapKeyTypeField:   AliasMapKeyType{"k": "v"},
-		AliasMapValueTypeField: AliasMapValueType{"k": "v"},
-	}).OldValue(&StructMap{
-		MapKeyField:            map[S]string{S("k"): "v"},
-		MapValueField:          map[string]S{"k": "v"},
-		AliasMapKeyTypeField:   AliasMapKeyType{"k": "v"},
-		AliasMapValueTypeField: AliasMapValueType{"k": "v"},
-	}).ExpectValid()
+	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
 }
 
 func Test_StructStruct(t *testing.T) {
+	mkTest := func() *StructStruct {
+		return &StructStruct{
+			DirectComparableStructField: DirectComparableStruct{
+				IntField: 1,
+			},
+			NonDirectComparableStructField: NonDirectComparableStruct{
+				IntPtrField: ptr.To(1),
+			},
+			DirectComparableStructPtr: &DirectComparableStruct{
+				IntField: 1,
+			},
+			NonDirectComparableStructPtr: &NonDirectComparableStruct{
+				IntPtrField: ptr.To(1),
+			},
+		}
+	}
+
 	st := localSchemeBuilder.Test(t)
-	st.Value(&StructStruct{
-		DirectComparableStructField: DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructField: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-		DirectComparableStructPtr: &DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructPtr: &NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-		field.Invalid(field.NewPath("directComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("directComparableStructField").Child("intField"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStructField").Child("intPtrField"), "", ""),
-		field.Invalid(field.NewPath("directComparableStructPtrField"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStructPtrField"), "", ""),
-		field.Invalid(field.NewPath("directComparableStructPtrField").Child("intField"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStructPtrField").Child("intPtrField"), "", ""),
-		field.Invalid(field.NewPath("DirectComparableStruct"), "", ""),
-		field.Invalid(field.NewPath("NonDirectComparableStruct"), "", ""),
-		field.Invalid(field.NewPath("DirectComparableStruct").Child("intField"), "", ""),
-		field.Invalid(field.NewPath("NonDirectComparableStruct").Child("intPtrField"), "", ""),
+	st.Value(mkTest()).ExpectValidateFalseByPath(map[string][]string{
+		"directComparableStructField":                   {"field directComparableStructField", "type DirectComparableStruct"},
+		"directComparableStructField.intField":          {"field intField"},
+		"nonDirectComparableStructField":                {"field nonDirectComparableStructField", "type NonDirectComparableStruct"},
+		"nonDirectComparableStructField.intPtrField":    {"field intPtrField"},
+		"directComparableStructPtrField":                {"field directComparableStructPtrField", "type DirectComparableStruct"},
+		"directComparableStructPtrField.intField":       {"field intField"},
+		"nonDirectComparableStructPtrField":             {"field nonDirectComparableStructPtrField", "type NonDirectComparableStruct"},
+		"nonDirectComparableStructPtrField.intPtrField": {"field intPtrField"},
+		"DirectComparableStruct":                        {"field DirectComparableStruct", "type DirectComparableStruct"},
+		"DirectComparableStruct.intField":               {"field intField"},
+		"NonDirectComparableStruct":                     {"field NonDirectComparableStruct", "type NonDirectComparableStruct"},
+		"NonDirectComparableStruct.intPtrField":         {"field intPtrField"},
 	})
 
-	st.Value(&StructStruct{
-		DirectComparableStructField: DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructField: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-		DirectComparableStructPtr: &DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructPtr: &NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-	}).OldValue(&StructStruct{
-		DirectComparableStructField: DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructField: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-		DirectComparableStructPtr: &DirectComparableStruct{
-			IntField: 1,
-		},
-		NonDirectComparableStructPtr: &NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
-		},
-	}).ExpectValid()
+	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
 }
 
 func Test_StructEmbedded(t *testing.T) {
+	mkTest := func() *StructEmbedded {
+		return &StructEmbedded{
+			DirectComparableStruct: DirectComparableStruct{
+				IntField: 1,
+			},
+			NonDirectComparableStruct: NonDirectComparableStruct{
+				IntPtrField: ptr.To(1),
+			},
+			NestedDirectComparableStructField: NestedDirectComparableStruct{
+				DirectComparableStructField: DirectComparableStruct{
+					IntField: 1,
+				},
+			},
+			NestedNonDirectComparableStructField: NestedNonDirectComparableStruct{
+				NonDirectComparableStructField: NonDirectComparableStruct{
+					IntPtrField: ptr.To(1),
+				},
+			},
+		}
+	}
+
 	st := localSchemeBuilder.Test(t)
-	st.Value(&StructEmbedded{
-		DirectComparableStruct: DirectComparableStruct{
-			IntField: 1,
+	st.Value(mkTest()).ExpectValidateFalseByPath(map[string][]string{
+		"directComparableStruct": {
+			"field DirectComparableStruct", "type DirectComparableStruct",
 		},
-		NonDirectComparableStruct: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
+		"directComparableStruct.intField": {
+			"field intField",
 		},
-	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-		field.Invalid(field.NewPath("directComparableStruct"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStruct"), "", ""),
-		field.Invalid(field.NewPath("directComparableStruct").Child("intField"), "", ""),
-		field.Invalid(field.NewPath("nonDirectComparableStruct").Child("intPtrField"), "", ""),
-		field.Invalid(field.NewPath("nestedDirectComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("nestedDirectComparableStructField").Child("directComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("nestedDirectComparableStructField").Child("directComparableStructField").Child("intField"), "", ""),
-		field.Invalid(field.NewPath("nestedNonDirectComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("nestedNonDirectComparableStructField").Child("nonDirectComparableStructField"), "", ""),
-		field.Invalid(field.NewPath("nestedNonDirectComparableStructField").Child("nonDirectComparableStructField").Child("intPtrField"), "", ""),
-	})
-
-	st.Value(&StructEmbedded{
-		DirectComparableStruct: DirectComparableStruct{
-			IntField: 1,
+		"nonDirectComparableStruct": {
+			"field NonDirectComparableStruct", "type NonDirectComparableStruct",
 		},
-		NonDirectComparableStruct: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
+		"nonDirectComparableStruct.intPtrField": {
+			"field intPtrField",
 		},
-		NestedDirectComparableStructField: NestedDirectComparableStruct{
-			DirectComparableStructField: DirectComparableStruct{
-				IntField: 1,
-			},
+		"nestedDirectComparableStructField": {
+			"field NestedDirectComparableStructField", "type NestedDirectComparableStruct",
 		},
-		NestedNonDirectComparableStructField: NestedNonDirectComparableStruct{
-			NonDirectComparableStructField: NonDirectComparableStruct{
-				IntPtrField: ptr.To(1),
-			},
+		"nestedDirectComparableStructField.directComparableStructField": {
+			"field directComparableStructField", "type DirectComparableStruct",
 		},
-	}).OldValue(&StructEmbedded{
-		DirectComparableStruct: DirectComparableStruct{
-			IntField: 1,
+		"nestedDirectComparableStructField.directComparableStructField.intField": {
+			"field intField",
 		},
-		NonDirectComparableStruct: NonDirectComparableStruct{
-			IntPtrField: ptr.To(1),
+		"nestedNonDirectComparableStructField": {
+			"field NestedNonDirectComparableStructField", "type NestedNonDirectComparableStruct",
 		},
-		NestedDirectComparableStructField: NestedDirectComparableStruct{
-			DirectComparableStructField: DirectComparableStruct{
-				IntField: 1,
-			},
+		"nestedNonDirectComparableStructField.nonDirectComparableStructField": {
+			"field nonDirectComparableStructField", "type NonDirectComparableStruct",
 		},
-		NestedNonDirectComparableStructField: NestedNonDirectComparableStruct{
-			NonDirectComparableStructField: NonDirectComparableStruct{
-				IntPtrField: ptr.To(1),
-			},
+		"nestedNonDirectComparableStructField.nonDirectComparableStructField.intPtrField": {
+			"field intPtrField",
 		},
-	}).ExpectValid()
+	})
+
+	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
+}
+
+func Test_Mix(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+	st.Value(&MixComparableStruct{
+		Primitive: "a",
+	}).OldValue(nil).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Invalid(field.NewPath("NonComparable"), "", ""),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/zz_generated.validations.go
index dfb79eafde204..70526d231f9d2 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/default_behavior/zz_generated.validations.go
@@ -38,6 +38,15 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type MixComparableStruct
+	scheme.AddValidationFunc((*MixComparableStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_MixComparableStruct(ctx, op, nil /* fldPath */, obj.(*MixComparableStruct), safe.Cast[*MixComparableStruct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type StructEmbedded
 	scheme.AddValidationFunc((*StructEmbedded)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +54,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructMap
 	scheme.AddValidationFunc((*StructMap)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +62,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructPrimitive
 	scheme.AddValidationFunc((*StructPrimitive)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -59,6 +70,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructSlice
 	scheme.AddValidationFunc((*StructSlice)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -66,6 +78,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructStruct
 	scheme.AddValidationFunc((*StructStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -76,363 +89,446 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_AliasMapKeyType validates an instance of AliasMapKeyType according
+// to declarative validation rules in the API schema.
 func Validate_AliasMapKeyType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj AliasMapKeyType) (errs field.ErrorList) {
-	// type AliasMapKeyType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapKeyType")...)
+	// iterate the map and call the key type's validation function
 	errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_S)...)
 
 	return errs
 }
 
+// Validate_AliasMapValueType validates an instance of AliasMapValueType according
+// to declarative validation rules in the API schema.
 func Validate_AliasMapValueType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj AliasMapValueType) (errs field.ErrorList) {
-	// type AliasMapValueType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapValueType")...)
+	// iterate the map and call the value type's validation function
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_S)...)
 
 	return errs
 }
 
+// Validate_DirectComparableStruct validates an instance of DirectComparableStruct according
+// to declarative validation rules in the API schema.
 func Validate_DirectComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-	// type DirectComparableStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type DirectComparableStruct")...)
 
 	// field DirectComparableStruct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intField")...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *DirectComparableStruct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *DirectComparableStruct) *int { return &oldObj.IntField }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_MixComparableStruct validates an instance of MixComparableStruct according
+// to declarative validation rules in the API schema.
+func Validate_MixComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MixComparableStruct) (errs field.ErrorList) {
+	// field MixComparableStruct.TypeMeta has no validation
+	// field MixComparableStruct.Primitive has no validation
+
+	// field MixComparableStruct.NonComparable
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field NonComparable")...)
+			return
+		}(fldPath.Child("NonComparable"), obj.NonComparable, safe.Field(oldObj, func(oldObj *MixComparableStruct) []string { return oldObj.NonComparable }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_MySlice validates an instance of MySlice according
+// to declarative validation rules in the API schema.
 func Validate_MySlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MySlice) (errs field.ErrorList) {
-	// type MySlice
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MySlice")...)
 
 	return errs
 }
 
+// Validate_NestedDirectComparableStruct validates an instance of NestedDirectComparableStruct according
+// to declarative validation rules in the API schema.
 func Validate_NestedDirectComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NestedDirectComparableStruct) (errs field.ErrorList) {
-	// type NestedDirectComparableStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type NestedDirectComparableStruct")...)
 
 	// field NestedDirectComparableStruct.DirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intField")...)
+			// call field-attached validations
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field directComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_DirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("directComparableStructField"), &obj.DirectComparableStructField, safe.Field(oldObj, func(oldObj *NestedDirectComparableStruct) *DirectComparableStruct {
 			return &oldObj.DirectComparableStructField
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_NestedNonDirectComparableStruct validates an instance of NestedNonDirectComparableStruct according
+// to declarative validation rules in the API schema.
 func Validate_NestedNonDirectComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NestedNonDirectComparableStruct) (errs field.ErrorList) {
-	// type NestedNonDirectComparableStruct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type NestedNonDirectComparableStruct")...)
 
 	// field NestedNonDirectComparableStruct.NonDirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intField")...)
+			// call field-attached validations
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field nonDirectComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("nonDirectComparableStructField"), &obj.NonDirectComparableStructField, safe.Field(oldObj, func(oldObj *NestedNonDirectComparableStruct) *NonDirectComparableStruct {
 			return &oldObj.NonDirectComparableStructField
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_NonDirectComparableStruct validates an instance of NonDirectComparableStruct according
+// to declarative validation rules in the API schema.
 func Validate_NonDirectComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-	// type NonDirectComparableStruct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type NonDirectComparableStruct")...)
 
 	// field NonDirectComparableStruct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intField")...)
+			// call field-attached validations
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intPtrField")...)
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *NonDirectComparableStruct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *NonDirectComparableStruct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_S validates an instance of S according
+// to declarative validation rules in the API schema.
 func Validate_S(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *S) (errs field.ErrorList) {
-	// type S
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type S")...)
 
 	return errs
 }
 
+// Validate_StructEmbedded validates an instance of StructEmbedded according
+// to declarative validation rules in the API schema.
 func Validate_StructEmbedded(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructEmbedded) (errs field.ErrorList) {
 	// field StructEmbedded.TypeMeta has no validation
 
 	// field StructEmbedded.DirectComparableStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field DirectComparableStruct")...)
+			// call the type's validation function
 			errs = append(errs, Validate_DirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("directComparableStruct"), &obj.DirectComparableStruct, safe.Field(oldObj, func(oldObj *StructEmbedded) *DirectComparableStruct { return &oldObj.DirectComparableStruct }))...)
+		}(fldPath.Child("directComparableStruct"), &obj.DirectComparableStruct, safe.Field(oldObj, func(oldObj *StructEmbedded) *DirectComparableStruct { return &oldObj.DirectComparableStruct }), oldObj != nil)...)
 
 	// field StructEmbedded.NonDirectComparableStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field NonDirectComparableStruct")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("nonDirectComparableStruct"), &obj.NonDirectComparableStruct, safe.Field(oldObj, func(oldObj *StructEmbedded) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStruct }))...)
+		}(fldPath.Child("nonDirectComparableStruct"), &obj.NonDirectComparableStruct, safe.Field(oldObj, func(oldObj *StructEmbedded) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStruct }), oldObj != nil)...)
 
 	// field StructEmbedded.NestedDirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NestedDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NestedDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field NestedDirectComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NestedDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("nestedDirectComparableStructField"), &obj.NestedDirectComparableStructField, safe.Field(oldObj, func(oldObj *StructEmbedded) *NestedDirectComparableStruct {
 			return &oldObj.NestedDirectComparableStructField
-		}))...)
+		}), oldObj != nil)...)
 
 	// field StructEmbedded.NestedNonDirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NestedNonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NestedNonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field NestedNonDirectComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NestedNonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
 		}(fldPath.Child("nestedNonDirectComparableStructField"), &obj.NestedNonDirectComparableStructField, safe.Field(oldObj, func(oldObj *StructEmbedded) *NestedNonDirectComparableStruct {
 			return &oldObj.NestedNonDirectComparableStructField
-		}))...)
+		}), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructMap validates an instance of StructMap according
+// to declarative validation rules in the API schema.
 func Validate_StructMap(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructMap) (errs field.ErrorList) {
 	// field StructMap.TypeMeta has no validation
 
 	// field StructMap.MapKeyField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[S]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[S]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field mapKeyField")...)
+			// iterate the map and call the key type's validation function
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_S)...)
 			return
-		}(fldPath.Child("mapKeyField"), obj.MapKeyField, safe.Field(oldObj, func(oldObj *StructMap) map[S]string { return oldObj.MapKeyField }))...)
+		}(fldPath.Child("mapKeyField"), obj.MapKeyField, safe.Field(oldObj, func(oldObj *StructMap) map[S]string { return oldObj.MapKeyField }), oldObj != nil)...)
 
 	// field StructMap.MapValueField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]S) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]S, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field mapValueField")...)
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_S)...)
 			return
-		}(fldPath.Child("mapValueField"), obj.MapValueField, safe.Field(oldObj, func(oldObj *StructMap) map[string]S { return oldObj.MapValueField }))...)
+		}(fldPath.Child("mapValueField"), obj.MapValueField, safe.Field(oldObj, func(oldObj *StructMap) map[string]S { return oldObj.MapValueField }), oldObj != nil)...)
 
 	// field StructMap.AliasMapKeyTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj AliasMapKeyType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj AliasMapKeyType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field aliasMapKeyTypeField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_AliasMapKeyType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("aliasMapKeyTypeField"), obj.AliasMapKeyTypeField, safe.Field(oldObj, func(oldObj *StructMap) AliasMapKeyType { return oldObj.AliasMapKeyTypeField }))...)
+		}(fldPath.Child("aliasMapKeyTypeField"), obj.AliasMapKeyTypeField, safe.Field(oldObj, func(oldObj *StructMap) AliasMapKeyType { return oldObj.AliasMapKeyTypeField }), oldObj != nil)...)
 
 	// field StructMap.AliasMapValueTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj AliasMapValueType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj AliasMapValueType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field aliasMapValueTypeField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_AliasMapValueType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("aliasMapValueTypeField"), obj.AliasMapValueTypeField, safe.Field(oldObj, func(oldObj *StructMap) AliasMapValueType { return oldObj.AliasMapValueTypeField }))...)
+		}(fldPath.Child("aliasMapValueTypeField"), obj.AliasMapValueTypeField, safe.Field(oldObj, func(oldObj *StructMap) AliasMapValueType { return oldObj.AliasMapValueTypeField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructPrimitive validates an instance of StructPrimitive according
+// to declarative validation rules in the API schema.
 func Validate_StructPrimitive(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructPrimitive) (errs field.ErrorList) {
 	// field StructPrimitive.TypeMeta has no validation
 
 	// field StructPrimitive.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intField")...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *StructPrimitive) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *StructPrimitive) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field StructPrimitive.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field intPtrField")...)
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *StructPrimitive) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *StructPrimitive) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructSlice validates an instance of StructSlice according
+// to declarative validation rules in the API schema.
 func Validate_StructSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructSlice) (errs field.ErrorList) {
 	// field StructSlice.TypeMeta has no validation
 
 	// field StructSlice.SliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []S) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []S, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field sliceField")...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_S)...)
 			return
-		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *StructSlice) []S { return oldObj.SliceField }))...)
+		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *StructSlice) []S { return oldObj.SliceField }), oldObj != nil)...)
 
 	// field StructSlice.TypeDefSliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MySlice) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MySlice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field typedefSliceField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_MySlice(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefSliceField"), obj.TypeDefSliceField, safe.Field(oldObj, func(oldObj *StructSlice) MySlice { return oldObj.TypeDefSliceField }))...)
+		}(fldPath.Child("typedefSliceField"), obj.TypeDefSliceField, safe.Field(oldObj, func(oldObj *StructSlice) MySlice { return oldObj.TypeDefSliceField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructStruct validates an instance of StructStruct according
+// to declarative validation rules in the API schema.
 func Validate_StructStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructStruct) (errs field.ErrorList) {
 	// field StructStruct.TypeMeta has no validation
 
 	// field StructStruct.DirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field directComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_DirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("directComparableStructField"), &obj.DirectComparableStructField, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return &oldObj.DirectComparableStructField }))...)
+		}(fldPath.Child("directComparableStructField"), &obj.DirectComparableStructField, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return &oldObj.DirectComparableStructField }), oldObj != nil)...)
 
 	// field StructStruct.NonDirectComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field nonDirectComparableStructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("nonDirectComparableStructField"), &obj.NonDirectComparableStructField, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStructField }))...)
+		}(fldPath.Child("nonDirectComparableStructField"), &obj.NonDirectComparableStructField, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStructField }), oldObj != nil)...)
 
 	// field StructStruct.DirectComparableStructPtr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field directComparableStructPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_DirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("directComparableStructPtrField"), obj.DirectComparableStructPtr, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return oldObj.DirectComparableStructPtr }))...)
+		}(fldPath.Child("directComparableStructPtrField"), obj.DirectComparableStructPtr, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return oldObj.DirectComparableStructPtr }), oldObj != nil)...)
 
 	// field StructStruct.NonDirectComparableStructPtr
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field nonDirectComparableStructPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("nonDirectComparableStructPtrField"), obj.NonDirectComparableStructPtr, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return oldObj.NonDirectComparableStructPtr }))...)
+		}(fldPath.Child("nonDirectComparableStructPtrField"), obj.NonDirectComparableStructPtr, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return oldObj.NonDirectComparableStructPtr }), oldObj != nil)...)
 
 	// field StructStruct.DirectComparableStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *DirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field DirectComparableStruct")...)
+			// call the type's validation function
 			errs = append(errs, Validate_DirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("DirectComparableStruct") }), &obj.DirectComparableStruct, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return &oldObj.DirectComparableStruct }))...)
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("DirectComparableStruct") }), &obj.DirectComparableStruct, safe.Field(oldObj, func(oldObj *StructStruct) *DirectComparableStruct { return &oldObj.DirectComparableStruct }), oldObj != nil)...)
 
 	// field StructStruct.NonDirectComparableStruct
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonDirectComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field NonDirectComparableStruct")...)
+			// call the type's validation function
 			errs = append(errs, Validate_NonDirectComparableStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("NonDirectComparableStruct") }), &obj.NonDirectComparableStruct, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStruct }))...)
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("NonDirectComparableStruct") }), &obj.NonDirectComparableStruct, safe.Field(oldObj, func(oldObj *StructStruct) *NonDirectComparableStruct { return &oldObj.NonDirectComparableStruct }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc.go
index b9baa2dc228c7..edd0dcca9fee8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc.go
@@ -56,10 +56,20 @@ type StructSlice struct {
 	// +k8s:listMapKey=key
 	// +k8s:eachVal=+k8s:validateFalse="field MapSliceNonComparableField[*]"
 	MapSliceNonComparableField []NonComparableStructWithKey `json:"mapSliceNonComparableField"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=key
+	// +k8s:eachVal=+k8s:validateFalse="field MapSlicePtrKeyField[*]"
+	MapSlicePtrKeyField []PtrKeyStruct `json:"mapSlicePtrKeyField"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=key1
+	// +k8s:listMapKey=key2
+	// +k8s:eachVal=+k8s:validateFalse="field MapSliceMixedKeyField[*]"
+	MapSliceMixedKeyField []MixedKeyStruct `json:"mapSliceMixedKeyField"`
 }
 
 type StringType string
-
 type IntSliceType []int
 
 type ComparableStruct struct {
@@ -81,3 +91,31 @@ type NonComparableStructWithKey struct {
 	Key         string `json:"key"`
 	IntPtrField *int   `json:"intPtrField"`
 }
+
+// +k8s:validateFalse="type PtrKeyStruct"
+type PtrKeyStruct struct {
+	Key  *string `json:"key"`
+	Data string  `json:"data"`
+}
+
+// +k8s:validateFalse="type MixedKeyStruct"
+type MixedKeyStruct struct {
+	Key1 *string `json:"key1"`
+	Key2 string  `json:"key2"`
+	Data string  `json:"data"`
+}
+
+type Item struct {
+	Key string `json:"key"`
+
+	// +k8s:validateFalse="field Data"
+	Data map[string]string `json:"data"`
+}
+
+type ItemList struct {
+	TypeMeta int
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=key
+	Items []Item `json:"items"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc_test.go
index 8a05f169d2b30..2621278ee9d7f 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/doc_test.go
@@ -34,8 +34,9 @@ func Test_StructSlice(t *testing.T) {
 		SetSliceNonComparableField:    []NonComparableStruct{{IntPtrField: ptr.To(1)}},
 		MapSliceComparableField:       []ComparableStructWithKey{{Key: "x", IntField: 1}},
 		MapSliceNonComparableField:    []NonComparableStructWithKey{{Key: "x", IntPtrField: ptr.To(1)}},
+		MapSlicePtrKeyField:           []PtrKeyStruct{{Key: ptr.To("x"), Data: "y"}},
+		MapSliceMixedKeyField:         []MixedKeyStruct{{Key1: ptr.To("x"), Key2: "y", Data: "z"}},
 	}
-
 	st.Value(invalidStructSlice).ExpectValidateFalseByPath(map[string][]string{
 		"atomicSliceStringField[0]":        {"field AtomicSliceStringField[*]"},
 		"atomicSliceTypeField[0]":          {"field AtomicSliceTypeField[*]"},
@@ -45,6 +46,8 @@ func Test_StructSlice(t *testing.T) {
 		"setSliceNonComparableField[0]":    {"field SetSliceNonComparableField[*]", "type NonComparableStruct"},
 		"mapSliceComparableField[0]":       {"field MapSliceComparableField[*]"},
 		"mapSliceNonComparableField[0]":    {"field MapSliceNonComparableField[*]", "type NonComparableStructWithKey"},
+		"mapSlicePtrKeyField[0]":           {"field MapSlicePtrKeyField[*]", "type PtrKeyStruct"},
+		"mapSliceMixedKeyField[0]":         {"field MapSliceMixedKeyField[*]", "type MixedKeyStruct"},
 	})
 
 	// No changes.
@@ -60,6 +63,8 @@ func Test_StructSlice(t *testing.T) {
 		SetSliceNonComparableField:    []NonComparableStruct{{IntPtrField: ptr.To(1)}},
 		MapSliceComparableField:       []ComparableStructWithKey{{Key: "x", IntField: 1}},
 		MapSliceNonComparableField:    []NonComparableStructWithKey{{Key: "x", IntPtrField: ptr.To(1)}},
+		MapSlicePtrKeyField:           []PtrKeyStruct{{Key: ptr.To("x"), Data: "y"}},
+		MapSliceMixedKeyField:         []MixedKeyStruct{{Key1: ptr.To("x"), Key2: "y", Data: "z"}},
 	}).OldValue(&StructSlice{
 		AtomicSliceStringField:        []StringType{"", "x"},
 		AtomicSliceTypeField:          IntSliceType{1, 2},
@@ -69,8 +74,9 @@ func Test_StructSlice(t *testing.T) {
 		SetSliceNonComparableField:    []NonComparableStruct{{IntPtrField: ptr.To(2)}, {IntPtrField: ptr.To(1)}},
 		MapSliceComparableField:       []ComparableStructWithKey{{Key: "y", IntField: 2}, {Key: "x", IntField: 1}},
 		MapSliceNonComparableField:    []NonComparableStructWithKey{{Key: "y", IntPtrField: ptr.To(2)}, {Key: "x", IntPtrField: ptr.To(1)}},
-	}).ExpectValidateFalseByPath(map[string][]string{
-		"atomicSliceStringField[0]":        {"field AtomicSliceStringField[*]"},
+		MapSlicePtrKeyField:           []PtrKeyStruct{{Key: ptr.To("a"), Data: "b"}, {Key: ptr.To("x"), Data: "y"}},
+		MapSliceMixedKeyField:         []MixedKeyStruct{{Key1: ptr.To("a"), Key2: "b", Data: "c"}, {Key1: ptr.To("x"), Key2: "y", Data: "z"}},
+	}).ExpectValidateFalseByPath(map[string][]string{"atomicSliceStringField[0]": {"field AtomicSliceStringField[*]"},
 		"atomicSliceTypeField[0]":          {"field AtomicSliceTypeField[*]"},
 		"atomicSliceComparableField[0]":    {"field AtomicSliceComparableField[*]"},
 		"atomicSliceNonComparableField[0]": {"field AtomicSliceNonComparableField[*]", "type NonComparableStruct"},
@@ -82,10 +88,30 @@ func Test_StructSlice(t *testing.T) {
 		SetSliceNonComparableField: []NonComparableStruct{{IntPtrField: ptr.To(2)}, {IntPtrField: ptr.To(1)}},
 		MapSliceComparableField:    []ComparableStructWithKey{{Key: "y", IntField: 2}, {Key: "x", IntField: 1}},
 		MapSliceNonComparableField: []NonComparableStructWithKey{{Key: "y", IntPtrField: ptr.To(2)}, {Key: "x", IntPtrField: ptr.To(1)}},
+		MapSlicePtrKeyField:        []PtrKeyStruct{{Key: ptr.To("b"), Data: "2"}, {Key: ptr.To("a"), Data: "1"}},
+		MapSliceMixedKeyField:      []MixedKeyStruct{{Key1: ptr.To("b"), Key2: "2", Data: "B"}, {Key1: ptr.To("a"), Key2: "1", Data: "A"}},
 	}).OldValue(&StructSlice{
 		SetSliceComparableField:    []ComparableStruct{{IntField: 1}, {IntField: 2}},
 		SetSliceNonComparableField: []NonComparableStruct{{IntPtrField: ptr.To(1)}, {IntPtrField: ptr.To(2)}},
 		MapSliceComparableField:    []ComparableStructWithKey{{Key: "x", IntField: 1}, {Key: "y", IntField: 2}},
 		MapSliceNonComparableField: []NonComparableStructWithKey{{Key: "x", IntPtrField: ptr.To(1)}, {Key: "y", IntPtrField: ptr.To(2)}},
+		MapSlicePtrKeyField:        []PtrKeyStruct{{Key: ptr.To("a"), Data: "1"}, {Key: ptr.To("b"), Data: "2"}},
+		MapSliceMixedKeyField:      []MixedKeyStruct{{Key1: ptr.To("a"), Key2: "1", Data: "A"}, {Key1: ptr.To("b"), Key2: "2", Data: "B"}},
 	}).ExpectValid()
 }
+
+func Test_Items(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&ItemList{
+		Items: []Item{
+			{Key: "valid2"},
+		},
+	}).OldValue(&ItemList{
+		Items: []Item{
+			{Key: "valid1"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		"items[0].data": {"field Data"},
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/zz_generated.validations.go
index 5fa1ed67ecf82..93c0d8aa1bdc8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/list/zz_generated.validations.go
@@ -38,6 +38,15 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type ItemList
+	scheme.AddValidationFunc((*ItemList)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ItemList(ctx, op, nil /* fldPath */, obj.(*ItemList), safe.Cast[*ItemList](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type StructSlice
 	scheme.AddValidationFunc((*StructSlice)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,22 +57,72 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Item validates an instance of Item according
+// to declarative validation rules in the API schema.
+func Validate_Item(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) (errs field.ErrorList) {
+	// field Item.Key has no validation
+
+	// field Item.Data
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Data")...)
+			return
+		}(fldPath.Child("data"), obj.Data, safe.Field(oldObj, func(oldObj *Item) map[string]string { return oldObj.Data }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_ItemList validates an instance of ItemList according
+// to declarative validation rules in the API schema.
+func Validate_ItemList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ItemList) (errs field.ErrorList) {
+	// field ItemList.TypeMeta has no validation
+
+	// field ItemList.Items
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key }, validate.SemanticDeepEqual, Validate_Item)...)
+			return
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *ItemList) []Item { return oldObj.Items }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_MixedKeyStruct validates an instance of MixedKeyStruct according
+// to declarative validation rules in the API schema.
+func Validate_MixedKeyStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MixedKeyStruct) (errs field.ErrorList) {
+	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MixedKeyStruct")...)
+
+	// field MixedKeyStruct.Key1 has no validation
+	// field MixedKeyStruct.Key2 has no validation
+	// field MixedKeyStruct.Data has no validation
+	return errs
+}
+
+// Validate_NonComparableStruct validates an instance of NonComparableStruct according
+// to declarative validation rules in the API schema.
 func Validate_NonComparableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) (errs field.ErrorList) {
-	// type NonComparableStruct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type NonComparableStruct")...)
 
 	// field NonComparableStruct.IntPtrField has no validation
 	return errs
 }
 
+// Validate_NonComparableStructWithKey validates an instance of NonComparableStructWithKey according
+// to declarative validation rules in the API schema.
 func Validate_NonComparableStructWithKey(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStructWithKey) (errs field.ErrorList) {
-	// type NonComparableStructWithKey
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type NonComparableStructWithKey")...)
 
 	// field NonComparableStructWithKey.Key has no validation
@@ -71,109 +130,194 @@ func Validate_NonComparableStructWithKey(ctx context.Context, op operation.Opera
 	return errs
 }
 
+// Validate_PtrKeyStruct validates an instance of PtrKeyStruct according
+// to declarative validation rules in the API schema.
+func Validate_PtrKeyStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *PtrKeyStruct) (errs field.ErrorList) {
+	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type PtrKeyStruct")...)
+
+	// field PtrKeyStruct.Key has no validation
+	// field PtrKeyStruct.Data has no validation
+	return errs
+}
+
+// Validate_StructSlice validates an instance of StructSlice according
+// to declarative validation rules in the API schema.
 func Validate_StructSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructSlice) (errs field.ErrorList) {
 	// field StructSlice.TypeMeta has no validation
 
 	// field StructSlice.AtomicSliceStringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field AtomicSliceStringField[*]")
 			})...)
 			return
-		}(fldPath.Child("atomicSliceStringField"), obj.AtomicSliceStringField, safe.Field(oldObj, func(oldObj *StructSlice) []StringType { return oldObj.AtomicSliceStringField }))...)
+		}(fldPath.Child("atomicSliceStringField"), obj.AtomicSliceStringField, safe.Field(oldObj, func(oldObj *StructSlice) []StringType { return oldObj.AtomicSliceStringField }), oldObj != nil)...)
 
 	// field StructSlice.AtomicSliceTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj IntSliceType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj IntSliceType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field AtomicSliceTypeField[*]")
 			})...)
 			return
-		}(fldPath.Child("atomicSliceTypeField"), obj.AtomicSliceTypeField, safe.Field(oldObj, func(oldObj *StructSlice) IntSliceType { return oldObj.AtomicSliceTypeField }))...)
+		}(fldPath.Child("atomicSliceTypeField"), obj.AtomicSliceTypeField, safe.Field(oldObj, func(oldObj *StructSlice) IntSliceType { return oldObj.AtomicSliceTypeField }), oldObj != nil)...)
 
 	// field StructSlice.AtomicSliceComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field AtomicSliceComparableField[*]")
 			})...)
 			return
-		}(fldPath.Child("atomicSliceComparableField"), obj.AtomicSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStruct { return oldObj.AtomicSliceComparableField }))...)
+		}(fldPath.Child("atomicSliceComparableField"), obj.AtomicSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStruct { return oldObj.AtomicSliceComparableField }), oldObj != nil)...)
 
 	// field StructSlice.AtomicSliceNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field AtomicSliceNonComparableField[*]")
 			})...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_NonComparableStruct)...)
 			return
-		}(fldPath.Child("atomicSliceNonComparableField"), obj.AtomicSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStruct { return oldObj.AtomicSliceNonComparableField }))...)
+		}(fldPath.Child("atomicSliceNonComparableField"), obj.AtomicSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStruct { return oldObj.AtomicSliceNonComparableField }), oldObj != nil)...)
 
 	// field StructSlice.SetSliceComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field SetSliceComparableField[*]")
 			})...)
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("setSliceComparableField"), obj.SetSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStruct { return oldObj.SetSliceComparableField }))...)
+		}(fldPath.Child("setSliceComparableField"), obj.SetSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStruct { return oldObj.SetSliceComparableField }), oldObj != nil)...)
 
 	// field StructSlice.SetSliceNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field SetSliceNonComparableField[*]")
 			})...)
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual)...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, Validate_NonComparableStruct)...)
 			return
-		}(fldPath.Child("setSliceNonComparableField"), obj.SetSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStruct { return oldObj.SetSliceNonComparableField }))...)
+		}(fldPath.Child("setSliceNonComparableField"), obj.SetSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStruct { return oldObj.SetSliceNonComparableField }), oldObj != nil)...)
 
 	// field StructSlice.MapSliceComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStructWithKey) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStructWithKey, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a ComparableStructWithKey, b ComparableStructWithKey) bool { return a.Key == b.Key }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ComparableStructWithKey) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapSliceComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a ComparableStructWithKey, b ComparableStructWithKey) bool { return a.Key == b.Key })...)
 			return
-		}(fldPath.Child("mapSliceComparableField"), obj.MapSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStructWithKey { return oldObj.MapSliceComparableField }))...)
+		}(fldPath.Child("mapSliceComparableField"), obj.MapSliceComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []ComparableStructWithKey { return oldObj.MapSliceComparableField }), oldObj != nil)...)
 
 	// field StructSlice.MapSliceNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStructWithKey) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStructWithKey, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a NonComparableStructWithKey, b NonComparableStructWithKey) bool { return a.Key == b.Key }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStructWithKey) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapSliceNonComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a NonComparableStructWithKey, b NonComparableStructWithKey) bool { return a.Key == b.Key })...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a NonComparableStructWithKey, b NonComparableStructWithKey) bool { return a.Key == b.Key }, validate.SemanticDeepEqual, Validate_NonComparableStructWithKey)...)
 			return
-		}(fldPath.Child("mapSliceNonComparableField"), obj.MapSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStructWithKey { return oldObj.MapSliceNonComparableField }))...)
+		}(fldPath.Child("mapSliceNonComparableField"), obj.MapSliceNonComparableField, safe.Field(oldObj, func(oldObj *StructSlice) []NonComparableStructWithKey { return oldObj.MapSliceNonComparableField }), oldObj != nil)...)
+
+	// field StructSlice.MapSlicePtrKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.Key == nil && b.Key == nil) || (a.Key != nil && b.Key != nil && *a.Key == *b.Key))
+			}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *PtrKeyStruct) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapSlicePtrKeyField[*]")
+			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.Key == nil && b.Key == nil) || (a.Key != nil && b.Key != nil && *a.Key == *b.Key))
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.Key == nil && b.Key == nil) || (a.Key != nil && b.Key != nil && *a.Key == *b.Key))
+			}, validate.SemanticDeepEqual, Validate_PtrKeyStruct)...)
+			return
+		}(fldPath.Child("mapSlicePtrKeyField"), obj.MapSlicePtrKeyField, safe.Field(oldObj, func(oldObj *StructSlice) []PtrKeyStruct { return oldObj.MapSlicePtrKeyField }), oldObj != nil)...)
+
+	// field StructSlice.MapSliceMixedKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []MixedKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a MixedKeyStruct, b MixedKeyStruct) bool {
+				return ((a.Key1 == nil && b.Key1 == nil) || (a.Key1 != nil && b.Key1 != nil && *a.Key1 == *b.Key1)) && a.Key2 == b.Key2
+			}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MixedKeyStruct) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapSliceMixedKeyField[*]")
+			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a MixedKeyStruct, b MixedKeyStruct) bool {
+				return ((a.Key1 == nil && b.Key1 == nil) || (a.Key1 != nil && b.Key1 != nil && *a.Key1 == *b.Key1)) && a.Key2 == b.Key2
+			})...)
+			// iterate the list and call the type's validation function
+			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a MixedKeyStruct, b MixedKeyStruct) bool {
+				return ((a.Key1 == nil && b.Key1 == nil) || (a.Key1 != nil && b.Key1 != nil && *a.Key1 == *b.Key1)) && a.Key2 == b.Key2
+			}, validate.SemanticDeepEqual, Validate_MixedKeyStruct)...)
+			return
+		}(fldPath.Child("mapSliceMixedKeyField"), obj.MapSliceMixedKeyField, safe.Field(oldObj, func(oldObj *StructSlice) []MixedKeyStruct { return oldObj.MapSliceMixedKeyField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/doc_test.go
index 880adb81a9707..b4a5b637fdcf6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/doc_test.go
@@ -22,8 +22,6 @@ package eachkey
 
 import (
 	"testing"
-
-	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
 func Test_Struct(t *testing.T) {
@@ -42,11 +40,12 @@ func Test_Struct(t *testing.T) {
 		}
 	}
 	st := localSchemeBuilder.Test(t)
-	st.Value(mkTest()).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-		field.Invalid(field.NewPath("mapField"), "", ""),
-		field.Invalid(field.NewPath("mapTypedefField"), "", ""),
-		field.Invalid(field.NewPath("mapValidatedTypedefField"), "", ""),
-		field.Invalid(field.NewPath("validatedMapTypeField"), "", ""),
+	st.Value(mkTest()).ExpectValidateFalseByPath(map[string][]string{
+		"mapField":                 {"field Struct.MapField(keys)"},
+		"mapTypedefField":          {"field Struct.MapTypedefField(keys)"},
+		"mapValidatedTypedefField": {"ValidatedStringType", "field Struct.MapValidatedTypedefField(keys)"},
+		"validatedMapTypeField":    {"field Struct.ValidatedMapTypeField(keys)", "type ValidatedMapType(keys)"},
 	})
+
 	st.Value(mkTest()).OldValue(mkTest()).ExpectValid()
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/zz_generated.validations.go
index 2f558180a64af..0eeb6c43dc9de 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachkey/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,67 +49,77 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField(keys)")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *UnvalidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField(keys)")
 			})...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapValidatedTypedefField(keys)")
 			})...)
+			// iterate the map and call the key type's validation function
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_ValidatedStringType)...)
 			return
-		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }))...)
+		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }), oldObj != nil)...)
 
 	// field Struct.ValidatedMapTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ValidatedMapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ValidatedMapTypeField(keys)")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedMapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }))...)
+		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedMapType validates an instance of ValidatedMapType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-	// type ValidatedMapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ValidatedMapType(keys)")
 	})...)
@@ -116,11 +127,9 @@ func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldP
 	return errs
 }
 
+// Validate_ValidatedStringType validates an instance of ValidatedStringType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
-	// type ValidatedStringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "ValidatedStringType")...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachval/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachval/zz_generated.validations.go
index a163e9f9a6170..7f0f8a7f147b6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachval/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/maps/eachval/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type StructWithMaps
 	scheme.AddValidationFunc((*StructWithMaps)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,56 +49,66 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_StructWithMaps validates an instance of StructWithMaps according
+// to declarative validation rules in the API schema.
 func Validate_StructWithMaps(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructWithMaps) (errs field.ErrorList) {
 	// field StructWithMaps.TypeMeta has no validation
 
 	// field StructWithMaps.MapPrimitiveField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapTest.MapPrimitiveField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapPrimitiveField"), obj.MapPrimitiveField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]string { return oldObj.MapPrimitiveField }))...)
+		}(fldPath.Child("mapPrimitiveField"), obj.MapPrimitiveField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]string { return oldObj.MapPrimitiveField }), oldObj != nil)...)
 
 	// field StructWithMaps.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapTest.MapTypedefField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]StringType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]StringType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field StructWithMaps.MapComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapTest.MapComparableStructField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapComparableStructField"), obj.MapComparableStructField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]ComparableStruct { return oldObj.MapComparableStructField }))...)
+		}(fldPath.Child("mapComparableStructField"), obj.MapComparableStructField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]ComparableStruct { return oldObj.MapComparableStructField }), oldObj != nil)...)
 
 	// field StructWithMaps.MapNonComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field MapTest.MapNonComparableStructField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapNonComparableStructField"), obj.MapNonComparableStructField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]NonComparableStruct { return oldObj.MapNonComparableStructField }))...)
+		}(fldPath.Child("mapNonComparableStructField"), obj.MapNonComparableStructField, safe.Field(oldObj, func(oldObj *StructWithMaps) map[string]NonComparableStruct { return oldObj.MapNonComparableStructField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/subfield/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/subfield/zz_generated.validations.go
index 903ce47def1dc..9efb745c1a8ea 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/subfield/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/ratcheting/subfield/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructWithSubfield
 	scheme.AddValidationFunc((*StructWithSubfield)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -55,38 +57,48 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.SubStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *SubStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *SubStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intField", func(o *SubStruct) *int { return &o.IntField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intPtrField", func(o *SubStruct) *int { return o.IntPtrField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntPtrField")
-			})...)
+			// call field-attached validations
+			func() { // cohort intField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intField", func(o *SubStruct) *int { return &o.IntField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntField")
+				})...)
+			}()
+			func() { // cohort intPtrField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intPtrField", func(o *SubStruct) *int { return o.IntPtrField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntPtrField")
+				})...)
+			}()
 			return
-		}(fldPath.Child("subStructField"), &obj.SubStructField, safe.Field(oldObj, func(oldObj *Struct) *SubStruct { return &oldObj.SubStructField }))...)
+		}(fldPath.Child("subStructField"), &obj.SubStructField, safe.Field(oldObj, func(oldObj *Struct) *SubStruct { return &oldObj.SubStructField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructWithSubfield validates an instance of StructWithSubfield according
+// to declarative validation rules in the API schema.
 func Validate_StructWithSubfield(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructWithSubfield) (errs field.ErrorList) {
-	// type StructWithSubfield
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intField", func(o *StructWithSubfield) *int { return &o.IntField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
-		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntField")
-	})...)
-	errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intPtrField", func(o *StructWithSubfield) *int { return o.IntPtrField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
-		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntPtrField")
-	})...)
+	func() { // cohort intField
+		errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intField", func(o *StructWithSubfield) *int { return &o.IntField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntField")
+		})...)
+	}()
+	func() { // cohort intPtrField
+		errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "intPtrField", func(o *StructWithSubfield) *int { return o.IntPtrField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *int) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field IntPtrField")
+		})...)
+	}()
 
 	// field StructWithSubfield.TypeMeta has no validation
 	// field StructWithSubfield.IntField has no validation
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/maps/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/maps/zz_generated.validations.go
index 2cc9e62c7b0b9..76ed9e81d2172 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/maps/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/maps/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T2
 	scheme.AddValidationFunc((*T2)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +54,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T3
 	scheme.AddValidationFunc((*T3)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -59,6 +62,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T4
 	scheme.AddValidationFunc((*T4)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -69,65 +73,88 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }))...)
+		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.MT1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, Validate_T1)...)
 			return
-		}(fldPath.Child("mt1"), obj.MT1, safe.Field(oldObj, func(oldObj *T2) map[string]T1 { return oldObj.MT1 }))...)
+		}(fldPath.Child("mt1"), obj.MT1, safe.Field(oldObj, func(oldObj *T2) map[string]T1 { return oldObj.MT1 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T3 validates an instance of T3 according
+// to declarative validation rules in the API schema.
 func Validate_T3(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-	// type T3
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T3")...)
 
 	// field T3.T4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T4) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t4"), &obj.T4, safe.Field(oldObj, func(oldObj *T3) *T4 { return &oldObj.T4 }))...)
+		}(fldPath.Child("t4"), &obj.T4, safe.Field(oldObj, func(oldObj *T3) *T4 { return &oldObj.T4 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T4 validates an instance of T4 according
+// to declarative validation rules in the API schema.
 func Validate_T4(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T4) (errs field.ErrorList) {
 	// field T4.MT3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, Validate_T3)...)
 			return
-		}(fldPath.Child("mt3"), obj.MT3, safe.Field(oldObj, func(oldObj *T4) map[string]T3 { return oldObj.MT3 }))...)
+		}(fldPath.Child("mt3"), obj.MT3, safe.Field(oldObj, func(oldObj *T4) map[string]T3 { return oldObj.MT3 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/pointers/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/pointers/zz_generated.validations.go
index 1ebdaf5c9599d..d410ebf43335d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/pointers/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/pointers/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T2
 	scheme.AddValidationFunc((*T2)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +54,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T3
 	scheme.AddValidationFunc((*T3)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -62,91 +65,133 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.PT1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt1"), obj.PT1, safe.Field(oldObj, func(oldObj *T1) *T1 { return oldObj.PT1 }))...)
+		}(fldPath.Child("pt1"), obj.PT1, safe.Field(oldObj, func(oldObj *T1) *T1 { return oldObj.PT1 }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.PT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }))...)
+		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.PT1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt1"), obj.PT1, safe.Field(oldObj, func(oldObj *T2) *T1 { return oldObj.PT1 }))...)
+		}(fldPath.Child("pt1"), obj.PT1, safe.Field(oldObj, func(oldObj *T2) *T1 { return oldObj.PT1 }), oldObj != nil)...)
 
 	// field T2.PT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T2) *T2 { return oldObj.PT2 }))...)
+		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T2) *T2 { return oldObj.PT2 }), oldObj != nil)...)
 
 	// field T2.PT3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
+			// call the type's validation function
 			errs = append(errs, Validate_T3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt3"), obj.PT3, safe.Field(oldObj, func(oldObj *T2) *T3 { return oldObj.PT3 }))...)
+		}(fldPath.Child("pt3"), obj.PT3, safe.Field(oldObj, func(oldObj *T2) *T3 { return oldObj.PT3 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T3 validates an instance of T3 according
+// to declarative validation rules in the API schema.
 func Validate_T3(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-	// type T3
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T3")...)
 
 	// field T3.I has no validation
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/slices/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/slices/zz_generated.validations.go
index f8dfd019e0038..073d491a601f9 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/slices/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/recursive/slices/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T2
 	scheme.AddValidationFunc((*T2)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +54,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T3
 	scheme.AddValidationFunc((*T3)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -59,6 +62,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T4
 	scheme.AddValidationFunc((*T4)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -69,65 +73,88 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.T3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }))...)
+		}(fldPath.Child("t3"), &obj.T3, safe.Field(oldObj, func(oldObj *T1) *T3 { return &oldObj.T3 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
 	// field T2.ST1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_T1)...)
 			return
-		}(fldPath.Child("st1"), obj.ST1, safe.Field(oldObj, func(oldObj *T2) []T1 { return oldObj.ST1 }))...)
+		}(fldPath.Child("st1"), obj.ST1, safe.Field(oldObj, func(oldObj *T2) []T1 { return oldObj.ST1 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T3 validates an instance of T3 according
+// to declarative validation rules in the API schema.
 func Validate_T3(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T3) (errs field.ErrorList) {
-	// type T3
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T3")...)
 
 	// field T3.T4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T4) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *T4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_T4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t4"), &obj.T4, safe.Field(oldObj, func(oldObj *T3) *T4 { return &oldObj.T4 }))...)
+		}(fldPath.Child("t4"), &obj.T4, safe.Field(oldObj, func(oldObj *T3) *T4 { return &oldObj.T4 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T4 validates an instance of T4 according
+// to declarative validation rules in the API schema.
 func Validate_T4(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T4) (errs field.ErrorList) {
 	// field T4.ST3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []T3) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []T3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_T3)...)
 			return
-		}(fldPath.Child("st3"), obj.ST3, safe.Field(oldObj, func(oldObj *T4) []T3 { return oldObj.ST3 }))...)
+		}(fldPath.Child("st3"), obj.ST3, safe.Field(oldObj, func(oldObj *T4) []T3 { return oldObj.ST3 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/multiple_validations/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/multiple_validations/zz_generated.validations.go
index be7194db9e115..af84e65066f90 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/multiple_validations/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/multiple_validations/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,11 +49,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct #1")...)
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct #2")...)
 
@@ -60,10 +59,12 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField #1")...)
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField #2")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
@@ -73,7 +74,7 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*] #2")
 			})...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedListField has no validation
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_primitive/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_primitive/zz_generated.validations.go
index 2c4b828abb1d7..d00361b2c8600 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_primitive/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_primitive/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,51 +49,52 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_StringType)...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []StringType { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []StringType { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedListField has no validation
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_struct/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_struct/zz_generated.validations.go
index 832e388f00f2f..cea3ac249ce25 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_struct/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/slice_of_struct/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,72 +49,74 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_OtherStruct validates an instance of OtherStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-	// type OtherStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherStruct")...)
 
 	return errs
 }
 
+// Validate_OtherTypedefStruct validates an instance of OtherTypedefStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherTypedefStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) (errs field.ErrorList) {
-	// type OtherTypedefStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherTypedefStruct")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_OtherTypedefStruct)...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	// field Struct.UnvalidatedListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("UnvalidatedListField"), obj.UnvalidatedListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.UnvalidatedListField }))...)
+		}(fldPath.Child("UnvalidatedListField"), obj.UnvalidatedListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.UnvalidatedListField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/typedef_to_slice/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/typedef_to_slice/zz_generated.validations.go
index e61bdf2e6413f..910c534cf4be6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/typedef_to_slice/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/slices/typedef_to_slice/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,11 +49,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ListType validates an instance of ListType according
+// to declarative validation rules in the API schema.
 func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-	// type ListType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListType")...)
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListType[*]")
@@ -61,66 +60,67 @@ func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *fie
 	return errs
 }
 
+// Validate_ListTypedefType validates an instance of ListTypedefType according
+// to declarative validation rules in the API schema.
 func Validate_ListTypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListTypedefType) (errs field.ErrorList) {
-	// type ListTypedefType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListTypedefType")...)
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListTypedefType[*]")
 	})...)
+	// iterate the list and call the type's validation function
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_StringType)...)
 
 	return errs
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ListType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListTypedefType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListTypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ListTypedefType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) ListTypedefType { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) ListTypedefType { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachkey/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachkey/zz_generated.validations.go
index 056034839162a..10f6676bf8e95 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachkey/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachkey/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,79 +49,91 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.MapField(keys)")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[UnvalidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *UnvalidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.MapTypedefField(keys)")
 			})...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[UnvalidatedStringType]string { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[ValidatedStringType]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.MapValidatedTypedefField(keys)")
 			})...)
+			// iterate the map and call the key type's validation function
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_ValidatedStringType)...)
 			return
-		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }))...)
+		}(fldPath.Child("mapValidatedTypedefField"), obj.MapValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[ValidatedStringType]string { return oldObj.MapValidatedTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj UnvalidatedMapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj UnvalidatedMapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.MapTypeField(keys)")
 			})...)
 			return
-		}(fldPath.Child("mapTypeField"), obj.MapTypeField, safe.Field(oldObj, func(oldObj *Struct) UnvalidatedMapType { return oldObj.MapTypeField }))...)
+		}(fldPath.Child("mapTypeField"), obj.MapTypeField, safe.Field(oldObj, func(oldObj *Struct) UnvalidatedMapType { return oldObj.MapTypeField }), oldObj != nil)...)
 
 	// field Struct.ValidatedMapTypeField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ValidatedMapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.ValidatedMapTypeField(keys)")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedMapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }))...)
+		}(fldPath.Child("validatedMapTypeField"), obj.ValidatedMapTypeField, safe.Field(oldObj, func(oldObj *Struct) ValidatedMapType { return oldObj.ValidatedMapTypeField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedMapType validates an instance of ValidatedMapType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ValidatedMapType) (errs field.ErrorList) {
-	// type ValidatedMapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "ValidatedMapType(keys)")
 	})...)
@@ -128,11 +141,9 @@ func Validate_ValidatedMapType(ctx context.Context, op operation.Operation, fldP
 	return errs
 }
 
+// Validate_ValidatedStringType validates an instance of ValidatedStringType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
-	// type ValidatedStringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "ValidatedStringType")...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_primitive/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_primitive/zz_generated.validations.go
index fac9f4b8f2c67..7108c4bcbec0e 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_primitive/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_primitive/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,32 +49,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]StringType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]StringType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_struct/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_struct/zz_generated.validations.go
index d17c6f0d48839..6355fdc6f466d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_struct/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/map_of_struct/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,32 +49,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherStruct { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherStruct { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherTypedefStruct { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) map[string]OtherTypedefStruct { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_primitive/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_primitive/zz_generated.validations.go
index 2c8760fabf5cd..172791abd5813 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_primitive/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_primitive/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,32 +49,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []StringType { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []StringType { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_struct/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_struct/zz_generated.validations.go
index 6b9716dcaddd4..da8f0b07a97f6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_struct/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/slice_of_struct/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,44 +49,52 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherTypedefStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	// field Struct.ListNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListNonComparableField[*]")
 			})...)
 			return
-		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }))...)
+		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_map/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_map/zz_generated.validations.go
index e1a38dbd7abd1..47457f2757fd3 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_map/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_map/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,11 +49,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_MapType validates an instance of MapType according
+// to declarative validation rules in the API schema.
 func Validate_MapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-	// type MapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapType[*]")
 	})...)
@@ -60,63 +59,64 @@ func Validate_MapType(ctx context.Context, op operation.Operation, fldPath *fiel
 	return errs
 }
 
+// Validate_MapTypedefType validates an instance of MapTypedefType according
+// to declarative validation rules in the API schema.
 func Validate_MapTypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MapTypedefType) (errs field.ErrorList) {
-	// type MapTypedefType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapTypedefType[*]")
 	})...)
+	// iterate the map and call the value type's validation function
 	errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_StringType)...)
 
 	return errs
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type Struct")...)
 
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_MapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MapTypedefType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MapTypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_MapTypedefType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapTypedefType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapTypedefType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_slice/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_slice/zz_generated.validations.go
index c4fb986a15c98..8e8fd88dca82b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_slice/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/eachval/typedef_to_slice/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,11 +49,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ListType validates an instance of ListType according
+// to declarative validation rules in the API schema.
 func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-	// type ListType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListType[*]")
 	})...)
@@ -60,11 +59,9 @@ func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *fie
 	return errs
 }
 
+// Validate_ListTypedefType validates an instance of ListTypedefType according
+// to declarative validation rules in the API schema.
 func Validate_ListTypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListTypedefType) (errs field.ErrorList) {
-	// type ListTypedefType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type ListTypedefType[*]")
 	})...)
@@ -72,34 +69,42 @@ func Validate_ListTypedefType(ctx context.Context, op operation.Operation, fldPa
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ListType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListTypedefType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListTypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListTypedefField[*]")
 			})...)
+			// call the type's validation function
 			errs = append(errs, Validate_ListTypedefType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) ListTypedefType { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) ListTypedefType { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/doc_test.go
index 406ac0d1f914d..3c558371c8fb8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/doc_test.go
@@ -19,6 +19,7 @@ package enum
 import (
 	"testing"
 
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 )
 
@@ -27,10 +28,10 @@ func Test(t *testing.T) {
 
 	st.Value(&Struct{
 		// All zero vals
-	}).ExpectRegexpsByPath(map[string][]string{
-		"enum0Field": {"Unsupported value: \"\"$"},
-		"enum1Field": {"Unsupported value: \"\": supported values: \"e1v1\""},
-		"enum2Field": {"Unsupported value: \"\": supported values: \"e2v1\", \"e2v2\""},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("enum0Field"), Enum0(""), []Enum0{}),
+		field.NotSupported(field.NewPath("enum1Field"), Enum1(""), []Enum1{E1V1}),
+		field.NotSupported(field.NewPath("enum2Field"), Enum2(""), []Enum2{E2V1, E2V2}),
 	})
 
 	st.Value(&Struct{
@@ -42,9 +43,9 @@ func Test(t *testing.T) {
 		Enum2PtrField:   ptr.To(E2V1),
 		NotEnumField:    "x",
 		NotEnumPtrField: ptr.To(NotEnum("x")),
-	}).ExpectRegexpsByPath(map[string][]string{
-		"enum0Field":    {"Unsupported value: \"\"$"},
-		"enum0PtrField": {"Unsupported value: \"\"$"},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("enum0Field"), Enum0(""), []Enum0{}),
+		field.NotSupported(field.NewPath("enum0PtrField"), Enum0(""), []Enum0{}),
 	})
 
 	st.Value(&Struct{
@@ -56,12 +57,12 @@ func Test(t *testing.T) {
 		Enum2PtrField:   ptr.To(Enum2("x")),
 		NotEnumField:    "x",
 		NotEnumPtrField: ptr.To(NotEnum("x")),
-	}).ExpectRegexpsByPath(map[string][]string{
-		"enum0Field":    {"Unsupported value: \"x\"$"},
-		"enum0PtrField": {"Unsupported value: \"x\"$"},
-		"enum1Field":    {"Unsupported value: \"x\": supported values: \"e1v1\""},
-		"enum1PtrField": {"Unsupported value: \"x\": supported values: \"e1v1\""},
-		"enum2Field":    {"Unsupported value: \"x\": supported values: \"e2v1\", \"e2v2\""},
-		"enum2PtrField": {"Unsupported value: \"x\": supported values: \"e2v1\", \"e2v2\""},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("enum0Field"), Enum0("x"), []Enum0{}),
+		field.NotSupported(field.NewPath("enum0PtrField"), Enum0("x"), []Enum0{}),
+		field.NotSupported(field.NewPath("enum1Field"), Enum1("x"), []Enum1{E1V1}),
+		field.NotSupported(field.NewPath("enum1PtrField"), Enum1("x"), []Enum1{E1V1}),
+		field.NotSupported(field.NewPath("enum2Field"), Enum2("x"), []Enum2{E2V1, E2V2}),
+		field.NotSupported(field.NewPath("enum2PtrField"), Enum2("x"), []Enum2{E2V1, E2V2}),
 	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc.go
new file mode 100644
index 0000000000000..787fd1f9b5da2
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc.go
@@ -0,0 +1,110 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package options
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	Enum0Field    Enum0  `json:"enum0Field"`
+	Enum0PtrField *Enum0 `json:"enum0PtrField"`
+
+	Enum1Field    Enum1  `json:"enum1Field"`
+	Enum1PtrField *Enum1 `json:"enum1PtrField"`
+
+	Enum2Field    Enum2  `json:"enum2Field"`
+	Enum2PtrField *Enum2 `json:"enum2PtrField"`
+
+	NotEnumField    NotEnum  `json:"notEnumField"`
+	NotEnumPtrField *NotEnum `json:"notEnumPtrField"`
+
+	EnumWithExcludeField    EnumWithExclude  `json:"enumWithExcludeField"`
+	EnumWithExcludePtrField *EnumWithExclude `json:"enumWithExcludePtrField"`
+}
+
+type ConditionalStruct struct {
+	TypeMeta int
+
+	ConditionalEnumField    ConditionalEnum  `json:"conditionalEnumField"`
+	ConditionalEnumPtrField *ConditionalEnum `json:"conditionalEnumPtrField"`
+}
+
+// +k8s:enum
+type Enum0 string // Note: this enum has no values
+
+// +k8s:enum
+type Enum1 string // Note: this enum has 1 value
+
+const (
+	E1V1 Enum1 = "e1v1"
+)
+
+// +k8s:enum
+type Enum2 string // Note: this enum has 2 values
+
+const (
+	E2V1 Enum2 = "e2v1"
+	E2V2 Enum2 = "e2v2"
+)
+
+// Note: this is not an enum because the const values are of type Enum2, and
+// because go elides intermediate typedefs (this is modelled as "NotEnum" ->
+// "string" in the AST).
+type NotEnum Enum2
+
+// +k8s:enum
+type EnumWithExclude string
+
+const (
+	EnumWithExclude1 EnumWithExclude = "enumWithExclude1"
+
+	// +k8s:enumExclude
+	EnumWithExclude2 EnumWithExclude = "enumWithExclude2"
+)
+
+// +k8s:enum
+type ConditionalEnum string
+
+const (
+	// +k8s:ifEnabled(FeatureA)=+k8s:enumExclude
+	ConditionalA ConditionalEnum = "A"
+
+	// +k8s:ifDisabled(FeatureB)=+k8s:enumExclude
+	ConditionalB ConditionalEnum = "B"
+
+	// This value is always included.
+	ConditionalC ConditionalEnum = "C"
+
+	// +k8s:ifEnabled(FeatureA)=+k8s:enumExclude
+	// +k8s:ifEnabled(FeatureB)=+k8s:enumExclude
+	ConditionalD ConditionalEnum = "D"
+
+	// +k8s:ifDisabled(FeatureC)=+k8s:enumExclude
+	// +k8s:ifDisabled(FeatureD)=+k8s:enumExclude
+	ConditionalE ConditionalEnum = "E"
+
+	// +k8s:ifDisabled(FeatureC)=+k8s:enumExclude
+	// +k8s:ifEnabled(FeatureD)=+k8s:enumExclude
+	ConditionalF ConditionalEnum = "F"
+)
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc_test.go
new file mode 100644
index 0000000000000..1bccdfb8ef040
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/doc_test.go
@@ -0,0 +1,197 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum(""), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD}),
+	})
+
+	// Scenario 1: No options (default)
+	// Valid values: A, C, D
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("B"), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("E"), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("F"), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).ExpectValid()
+
+	// Scenario 2: FeatureA enabled
+	// Valid values: C
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).Opts([]string{"FeatureA"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("A"), []ConditionalEnum{ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).Opts([]string{"FeatureA"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("B"), []ConditionalEnum{ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).Opts([]string{"FeatureA"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("D"), []ConditionalEnum{ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).Opts([]string{"FeatureA"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("E"), []ConditionalEnum{ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).Opts([]string{"FeatureA"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("F"), []ConditionalEnum{ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).Opts([]string{"FeatureA"}).ExpectValid()
+
+	// Scenario 3: FeatureB enabled
+	// Valid values: A, B, C
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).Opts([]string{"FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("D"), []ConditionalEnum{ConditionalA, ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).Opts([]string{"FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("E"), []ConditionalEnum{ConditionalA, ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).Opts([]string{"FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("F"), []ConditionalEnum{ConditionalA, ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).Opts([]string{"FeatureB"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).Opts([]string{"FeatureB"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).Opts([]string{"FeatureB"}).ExpectValid()
+
+	// Scenario 4: FeatureA and FeatureB enabled
+	// Valid values: B, C
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("A"), []ConditionalEnum{ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("D"), []ConditionalEnum{ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("E"), []ConditionalEnum{ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("F"), []ConditionalEnum{ConditionalB, ConditionalC}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).Opts([]string{"FeatureA", "FeatureB"}).ExpectValid()
+
+	// Scenario 5: FeatureC and FeatureD enabled
+	// Valid values: A, C, D, E
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("B"), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD, ConditionalE}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("F"), []ConditionalEnum{ConditionalA, ConditionalC, ConditionalD, ConditionalE}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).Opts([]string{"FeatureC", "FeatureD"}).ExpectValid()
+
+	// Scenario 6: FeatureB and FeatureC enabled
+	// Valid values: A, B, C, F
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "D",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("D"), []ConditionalEnum{ConditionalA, ConditionalB, ConditionalC, ConditionalF}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "E",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.NotSupported(field.NewPath("conditionalEnumField"), ConditionalEnum("E"), []ConditionalEnum{ConditionalA, ConditionalB, ConditionalC, ConditionalF}),
+	})
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "A",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "B",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "C",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectValid()
+	st.Value(&ConditionalStruct{
+		ConditionalEnumField: "F",
+	}).Opts([]string{"FeatureB", "FeatureC"}).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/zz_generated.validations.go
new file mode 100644
index 0000000000000..7de57c27e1ddf
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/options/zz_generated.validations.go
@@ -0,0 +1,265 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package options
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	sets "k8s.io/apimachinery/pkg/util/sets"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type ConditionalStruct
+	scheme.AddValidationFunc((*ConditionalStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_ConditionalStruct(ctx, op, nil /* fldPath */, obj.(*ConditionalStruct), safe.Cast[*ConditionalStruct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+var exclusionsForConditionalEnum = []validate.EnumExclusion[ConditionalEnum]{
+	{
+		Value: ConditionalA, Option: "FeatureA", ExcludeWhen: true},
+	{
+		Value: ConditionalB, Option: "FeatureB", ExcludeWhen: false},
+	{
+		Value: ConditionalD, Option: "FeatureA", ExcludeWhen: true},
+	{
+		Value: ConditionalD, Option: "FeatureB", ExcludeWhen: true},
+	{
+		Value: ConditionalE, Option: "FeatureC", ExcludeWhen: false},
+	{
+		Value: ConditionalE, Option: "FeatureD", ExcludeWhen: false},
+	{
+		Value: ConditionalF, Option: "FeatureC", ExcludeWhen: false},
+	{
+		Value: ConditionalF, Option: "FeatureD", ExcludeWhen: true},
+}
+var symbolsForConditionalEnum = sets.New(ConditionalA, ConditionalB, ConditionalC, ConditionalD, ConditionalE, ConditionalF)
+
+// Validate_ConditionalEnum validates an instance of ConditionalEnum according
+// to declarative validation rules in the API schema.
+func Validate_ConditionalEnum(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ConditionalEnum) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForConditionalEnum, exclusionsForConditionalEnum)...)
+
+	return errs
+}
+
+// Validate_ConditionalStruct validates an instance of ConditionalStruct according
+// to declarative validation rules in the API schema.
+func Validate_ConditionalStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ConditionalStruct) (errs field.ErrorList) {
+	// field ConditionalStruct.TypeMeta has no validation
+
+	// field ConditionalStruct.ConditionalEnumField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *ConditionalEnum, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ConditionalEnum(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("conditionalEnumField"), &obj.ConditionalEnumField, safe.Field(oldObj, func(oldObj *ConditionalStruct) *ConditionalEnum { return &oldObj.ConditionalEnumField }), oldObj != nil)...)
+
+	// field ConditionalStruct.ConditionalEnumPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *ConditionalEnum, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ConditionalEnum(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("conditionalEnumPtrField"), obj.ConditionalEnumPtrField, safe.Field(oldObj, func(oldObj *ConditionalStruct) *ConditionalEnum { return oldObj.ConditionalEnumPtrField }), oldObj != nil)...)
+
+	return errs
+}
+
+var symbolsForEnum0 = sets.New[Enum0]()
+
+// Validate_Enum0 validates an instance of Enum0 according
+// to declarative validation rules in the API schema.
+func Validate_Enum0(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum0) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum0, nil)...)
+
+	return errs
+}
+
+var symbolsForEnum1 = sets.New(E1V1)
+
+// Validate_Enum1 validates an instance of Enum1 according
+// to declarative validation rules in the API schema.
+func Validate_Enum1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum1) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum1, nil)...)
+
+	return errs
+}
+
+var symbolsForEnum2 = sets.New(E2V1, E2V2)
+
+// Validate_Enum2 validates an instance of Enum2 according
+// to declarative validation rules in the API schema.
+func Validate_Enum2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum2) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum2, nil)...)
+
+	return errs
+}
+
+var symbolsForEnumWithExclude = sets.New(EnumWithExclude1)
+
+// Validate_EnumWithExclude validates an instance of EnumWithExclude according
+// to declarative validation rules in the API schema.
+func Validate_EnumWithExclude(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *EnumWithExclude) (errs field.ErrorList) {
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnumWithExclude, nil)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.Enum0Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum0, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum0(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum0Field"), &obj.Enum0Field, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return &oldObj.Enum0Field }), oldObj != nil)...)
+
+	// field Struct.Enum0PtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum0, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum0(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum0PtrField"), obj.Enum0PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return oldObj.Enum0PtrField }), oldObj != nil)...)
+
+	// field Struct.Enum1Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum1(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum1Field"), &obj.Enum1Field, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return &oldObj.Enum1Field }), oldObj != nil)...)
+
+	// field Struct.Enum1PtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum1(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum1PtrField"), obj.Enum1PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return oldObj.Enum1PtrField }), oldObj != nil)...)
+
+	// field Struct.Enum2Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum2(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum2Field"), &obj.Enum2Field, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return &oldObj.Enum2Field }), oldObj != nil)...)
+
+	// field Struct.Enum2PtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Enum2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Enum2(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enum2PtrField"), obj.Enum2PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return oldObj.Enum2PtrField }), oldObj != nil)...)
+
+	// field Struct.NotEnumField has no validation
+	// field Struct.NotEnumPtrField has no validation
+
+	// field Struct.EnumWithExcludeField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *EnumWithExclude, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_EnumWithExclude(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enumWithExcludeField"), &obj.EnumWithExcludeField, safe.Field(oldObj, func(oldObj *Struct) *EnumWithExclude { return &oldObj.EnumWithExcludeField }), oldObj != nil)...)
+
+	// field Struct.EnumWithExcludePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *EnumWithExclude, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_EnumWithExclude(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("enumWithExcludePtrField"), obj.EnumWithExcludePtrField, safe.Field(oldObj, func(oldObj *Struct) *EnumWithExclude { return oldObj.EnumWithExcludePtrField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/zz_generated.validations.go
index 9b8d09aeb313d..7e8a048a6fd0d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/enum/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -50,84 +51,110 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 
 var symbolsForEnum0 = sets.New[Enum0]()
 
+// Validate_Enum0 validates an instance of Enum0 according
+// to declarative validation rules in the API schema.
 func Validate_Enum0(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum0) (errs field.ErrorList) {
-	// type Enum0
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum0)...)
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum0, nil)...)
 
 	return errs
 }
 
-var symbolsForEnum1 = sets.New[Enum1](E1V1)
+var symbolsForEnum1 = sets.New(E1V1)
 
+// Validate_Enum1 validates an instance of Enum1 according
+// to declarative validation rules in the API schema.
 func Validate_Enum1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum1) (errs field.ErrorList) {
-	// type Enum1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum1)...)
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum1, nil)...)
 
 	return errs
 }
 
-var symbolsForEnum2 = sets.New[Enum2](E2V1, E2V2)
+var symbolsForEnum2 = sets.New(E2V1, E2V2)
 
+// Validate_Enum2 validates an instance of Enum2 according
+// to declarative validation rules in the API schema.
 func Validate_Enum2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Enum2) (errs field.ErrorList) {
-	// type Enum2
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum2)...)
+	errs = append(errs, validate.Enum(ctx, op, fldPath, obj, oldObj, symbolsForEnum2, nil)...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Enum0Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum0) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum0, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum0(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum0Field"), &obj.Enum0Field, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return &oldObj.Enum0Field }))...)
+		}(fldPath.Child("enum0Field"), &obj.Enum0Field, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return &oldObj.Enum0Field }), oldObj != nil)...)
 
 	// field Struct.Enum0PtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum0) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum0, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum0(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum0PtrField"), obj.Enum0PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return oldObj.Enum0PtrField }))...)
+		}(fldPath.Child("enum0PtrField"), obj.Enum0PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum0 { return oldObj.Enum0PtrField }), oldObj != nil)...)
 
 	// field Struct.Enum1Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum1) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum1Field"), &obj.Enum1Field, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return &oldObj.Enum1Field }))...)
+		}(fldPath.Child("enum1Field"), &obj.Enum1Field, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return &oldObj.Enum1Field }), oldObj != nil)...)
 
 	// field Struct.Enum1PtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum1) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum1PtrField"), obj.Enum1PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return oldObj.Enum1PtrField }))...)
+		}(fldPath.Child("enum1PtrField"), obj.Enum1PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum1 { return oldObj.Enum1PtrField }), oldObj != nil)...)
 
 	// field Struct.Enum2Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum2Field"), &obj.Enum2Field, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return &oldObj.Enum2Field }))...)
+		}(fldPath.Child("enum2Field"), &obj.Enum2Field, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return &oldObj.Enum2Field }), oldObj != nil)...)
 
 	// field Struct.Enum2PtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *Enum2) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *Enum2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_Enum2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("enum2PtrField"), obj.Enum2PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return oldObj.Enum2PtrField }))...)
+		}(fldPath.Child("enum2PtrField"), obj.Enum2PtrField, safe.Field(oldObj, func(oldObj *Struct) *Enum2 { return oldObj.Enum2PtrField }), oldObj != nil)...)
 
 	// field Struct.NotEnumField has no validation
 	// field Struct.NotEnumPtrField has no validation
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc.go
new file mode 100644
index 0000000000000..4858b14633276
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package k8sextendedresourcename
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+// MyType is a struct that contains a field with the extended-resource-name format.
+// +k8s:validation:Required
+type MyType struct {
+	TypeMeta int
+	// +k8s:optional
+	// +k8s:format=k8s-extended-resource-name
+	NameField string `json:"nameField"`
+	// +k8s:optional
+	// +k8s:format=k8s-extended-resource-name
+	NamePtrField *string `json:"namePtrField"`
+	// Note: no validation here
+	NameTypedefField NameStringType `json:"nameTypedefField"`
+}
+
+// +k8s:format=k8s-extended-resource-name
+type NameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc_test.go
new file mode 100644
index 0000000000000..5fc2b07b3d5e0
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/doc_test.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package k8sextendedresourcename
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestK8sExtendedResourceName(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&MyType{
+		NameField:        "example.com/my-resource",
+		NamePtrField:     ptr.To("my-domain.org/foo"),
+		NameTypedefField: "example.com/another-resource",
+	}).ExpectValid()
+
+	st.Value(&MyType{
+		NameField:        "example.com/my_resource",
+		NamePtrField:     ptr.To("example.com/My-Resource"),
+		NameTypedefField: "example.com/my.resource",
+	}).ExpectValid()
+
+	invalidStruct := &MyType{
+		NameField:        "kubernetes.io/my-resource",
+		NamePtrField:     ptr.To("requests.example.com/my-resource"),
+		NameTypedefField: "my-resource",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("nameField"), invalidStruct.NameField, "a qualified name must not be a reserved name").WithOrigin("format=k8s-extended-resource-name"),
+		field.Invalid(field.NewPath("namePtrField"), *invalidStruct.NamePtrField, "a qualified name must not have a reserved prefix").WithOrigin("format=k8s-extended-resource-name"),
+		field.Invalid(field.NewPath("nameTypedefField"), invalidStruct.NameTypedefField, "a qualified name must be a valid domain prefix and a name separated by a slash").WithOrigin("format=k8s-extended-resource-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	const commonDetail = "a valid extended resource name must consist of a domain name prefix and a path segment separated by a slash, where the path segment consists of alphanumeric characters, '-', and must start and end with an alphanumeric character, and the domain name prefix is a valid DNS subdomain name, with the exception that 'requests' is a valid domain name prefix"
+	invalidStruct = &MyType{
+		NameField:        "example.com/my-resource-",
+		NamePtrField:     ptr.To("example.com/-my-resource"),
+		NameTypedefField: "example.com/",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("nameField"), invalidStruct.NameField, commonDetail).WithOrigin("format=k8s-extended-resource-name"),
+		field.Invalid(field.NewPath("namePtrField"), *invalidStruct.NamePtrField, commonDetail).WithOrigin("format=k8s-extended-resource-name"),
+		field.Invalid(field.NewPath("nameTypedefField"), invalidStruct.NameTypedefField, commonDetail).WithOrigin("format=k8s-extended-resource-name"),
+	})
+
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/zz_generated.validations.go
new file mode 100644
index 0000000000000..8bfe9bba2e04d
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-extended-resource-name/zz_generated.validations.go
@@ -0,0 +1,115 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package k8sextendedresourcename
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type MyType
+	scheme.AddValidationFunc((*MyType)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_MyType(ctx, op, nil /* fldPath */, obj.(*MyType), safe.Cast[*MyType](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_MyType validates an instance of MyType according
+// to declarative validation rules in the API schema.
+func Validate_MyType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MyType) (errs field.ErrorList) {
+	// field MyType.TypeMeta has no validation
+
+	// field MyType.NameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("nameField"), &obj.NameField, safe.Field(oldObj, func(oldObj *MyType) *string { return &oldObj.NameField }), oldObj != nil)...)
+
+	// field MyType.NamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("namePtrField"), obj.NamePtrField, safe.Field(oldObj, func(oldObj *MyType) *string { return oldObj.NamePtrField }), oldObj != nil)...)
+
+	// field MyType.NameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *NameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_NameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("nameTypedefField"), &obj.NameTypedefField, safe.Field(oldObj, func(oldObj *MyType) *NameStringType { return &oldObj.NameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_NameStringType validates an instance of NameStringType according
+// to declarative validation rules in the API schema.
+func Validate_NameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.ExtendedResourceName(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc.go
new file mode 100644
index 0000000000000..ccb70855816e8
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// Package format is the internal version of the API.
+// +k8s:validation:internal
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-label-key
+	LabelKeyField string `json:"labelKeyField"`
+
+	// +k8s:format=k8s-label-key
+	LabelKeyPtrField *string `json:"labelKeyPtrField"`
+
+	// Note: no validation here
+	LabelKeyTypedefField LabelKeyStringType `json:"labelKeyTypedefField"`
+}
+
+// +k8s:format=k8s-label-key
+type LabelKeyStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc_test.go
new file mode 100644
index 0000000000000..a5e2012c3db04
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/doc_test.go
@@ -0,0 +1,81 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package format
+
+import (
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	validCases := []string{
+		"simple",
+		"now-with-dashes",
+		"1-starts-with-num",
+		"1234",
+		"simple.com/simple",
+		"now-with-dashes.com/simple",
+		"now.with.dots.com/simple",
+		"now-with.dashes-and.dots.com/simple",
+		"1-num.2-num.com/3-num",
+		"1234.com/5678",
+		"1.2.3.4/5678",
+		"Uppercase_Is_OK_123",
+		"example.com/Uppercase_Is_OK_123",
+		"requests.storage-foo",
+		strings.Repeat("a", 63),
+		strings.Repeat("a", 253) + "/" + strings.Repeat("b", 63),
+	}
+
+	for _, s := range validCases {
+		st.Value(&Struct{
+			LabelKeyField:        s,
+			LabelKeyPtrField:     ptr.To(s),
+			LabelKeyTypedefField: LabelKeyStringType(s),
+		}).ExpectValid()
+	}
+
+	invalidCases := []string{
+		"nospecialchars%^=@",
+		"cantendwithadash-",
+		"-cantstartwithadash-",
+		"only/one/slash",
+		"Example.com/abc",
+		"example_com/abc",
+		"example.com/",
+		"/simple",
+		strings.Repeat("a", 64),
+		strings.Repeat("a", 254) + "/abc",
+	}
+
+	for _, s := range invalidCases {
+		st.Value(&Struct{
+			LabelKeyField:        s,
+			LabelKeyPtrField:     ptr.To(s),
+			LabelKeyTypedefField: LabelKeyStringType(s),
+		}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+			field.Invalid(field.NewPath("labelKeyField"), nil, "").WithOrigin("format=k8s-label-key"),
+			field.Invalid(field.NewPath("labelKeyPtrField"), nil, "").WithOrigin("format=k8s-label-key"),
+			field.Invalid(field.NewPath("labelKeyTypedefField"), nil, "").WithOrigin("format=k8s-label-key"),
+		})
+	}
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/zz_generated.validations.go
new file mode 100644
index 0000000000000..d08feada4fcf3
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-key/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_LabelKeyStringType validates an instance of LabelKeyStringType according
+// to declarative validation rules in the API schema.
+func Validate_LabelKeyStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *LabelKeyStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.LabelKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelKeyField"), &obj.LabelKeyField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.LabelKeyField }), oldObj != nil)...)
+
+	// field Struct.LabelKeyPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LabelKey(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelKeyPtrField"), obj.LabelKeyPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.LabelKeyPtrField }), oldObj != nil)...)
+
+	// field Struct.LabelKeyTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *LabelKeyStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_LabelKeyStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelKeyTypedefField"), &obj.LabelKeyTypedefField, safe.Field(oldObj, func(oldObj *Struct) *LabelKeyStringType { return &oldObj.LabelKeyTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc.go
new file mode 100644
index 0000000000000..f8f00740df949
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-label-value
+	LabelValueField string `json:"labelValueField"`
+
+	// +k8s:format=k8s-label-value
+	LabelValuePtrField *string `json:"labelValuePtrField"`
+
+	// Note: no validation here
+	LabelValueTypedefField LabelValueStringType `json:"labelValueTypedefField"`
+}
+
+// +k8s:format=k8s-label-value
+type LabelValueStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc_test.go
new file mode 100644
index 0000000000000..ec92bc7f84900
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/doc_test.go
@@ -0,0 +1,85 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package format
+
+import (
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	validCases := []struct {
+		name  string
+		value string
+	}{
+		{"valid value", "valid-value"},
+		{"valid value with dots", "valid.value"},
+		{"valid value with underscores", "valid_value"},
+		{"valid single character value", "a"},
+		{"valid value with numbers", "123-abc"},
+		{"valid uppercase characters", "Valid-Value"},
+		{"valid: max length", "a" + strings.Repeat("b", 61) + "c"}, // 63 characters
+		{"valid: empty string", ""},
+	}
+
+	for _, tc := range validCases {
+		t.Run(tc.name, func(t *testing.T) {
+			st.Value(&Struct{
+				LabelValueField:        tc.value,
+				LabelValuePtrField:     ptr.To(tc.value),
+				LabelValueTypedefField: LabelValueStringType(tc.value),
+			}).ExpectValid()
+		})
+	}
+
+	invalidCases := []struct {
+		name  string
+		value string
+	}{
+		{"invalid: starts with dash", "-invalid-value"},
+		{"invalid: ends with dash", "invalid-value-"},
+		{"invalid: starts with dot", ".invalid.value"},
+		{"invalid: ends with dot", "invalid.value."},
+		{"invalid: starts with underscore", "_invalid_value"},
+		{"invalid: ends with underscore", "invalid_value_"},
+		{"invalid: contains special characters", "invalid@value"},
+		{"invalid: contains spaces", "Not a LabelValue"},
+		{"invalid: too long", "a" + strings.Repeat("b", 62) + "c"}, // 64 characters
+	}
+
+	for _, tc := range invalidCases {
+		t.Run(tc.name, func(t *testing.T) {
+			invalidStruct := &Struct{
+				LabelValueField:        tc.value,
+				LabelValuePtrField:     ptr.To(tc.value),
+				LabelValueTypedefField: LabelValueStringType(tc.value),
+			}
+			st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+				field.Invalid(field.NewPath("labelValueField"), nil, "").WithOrigin("format=k8s-label-value"),
+				field.Invalid(field.NewPath("labelValuePtrField"), nil, "").WithOrigin("format=k8s-label-value"),
+				field.Invalid(field.NewPath("labelValueTypedefField"), nil, "").WithOrigin("format=k8s-label-value"),
+			})
+			// Test validation ratcheting
+			st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+		})
+	}
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/zz_generated.validations.go
new file mode 100644
index 0000000000000..c18c48ab621b0
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-label-value/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_LabelValueStringType validates an instance of LabelValueStringType according
+// to declarative validation rules in the API schema.
+func Validate_LabelValueStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *LabelValueStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.LabelValue(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.LabelValueField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LabelValue(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelValueField"), &obj.LabelValueField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.LabelValueField }), oldObj != nil)...)
+
+	// field Struct.LabelValuePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LabelValue(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelValuePtrField"), obj.LabelValuePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.LabelValuePtrField }), oldObj != nil)...)
+
+	// field Struct.LabelValueTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *LabelValueStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_LabelValueStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("labelValueTypedefField"), &obj.LabelValueTypedefField, safe.Field(oldObj, func(oldObj *Struct) *LabelValueStringType { return &oldObj.LabelValueTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc.go
new file mode 100644
index 0000000000000..35632db1ca7c0
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-long-name-caseless
+	LongNameField string `json:"longNameField"`
+
+	// +k8s:format=k8s-long-name-caseless
+	LongNamePtrField *string `json:"longNamePtrField"`
+
+	// Note: no validation here
+	LongNameTypedefField LongNameStringType `json:"longNameTypedefField"`
+}
+
+// +k8s:format=k8s-long-name-caseless
+type LongNameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc_test.go
new file mode 100644
index 0000000000000..eafa6eaa81236
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/doc_test.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package format
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestCaseless(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		LongNameField:        "foo.bar",
+		LongNamePtrField:     ptr.To("foo.bar"),
+		LongNameTypedefField: "foo.bar",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		LongNameField:        "1.2.3.4",
+		LongNamePtrField:     ptr.To("1.2.3.4"),
+		LongNameTypedefField: "1.2.3.4",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		LongNameField:        "Foo.Bar",
+		LongNamePtrField:     ptr.To("Foo.Bar"),
+		LongNameTypedefField: "Foo.Bar",
+	}).ExpectValid()
+
+	invalidStruct := &Struct{
+		LongNameField:        "",
+		LongNamePtrField:     ptr.To(""),
+		LongNameTypedefField: "",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("longNameField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+		field.Invalid(field.NewPath("longNamePtrField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+		field.Invalid(field.NewPath("longNameTypedefField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	invalidStruct = &Struct{
+		LongNameField:        "Not a LongName",
+		LongNamePtrField:     ptr.To("Not a LongName"),
+		LongNameTypedefField: "Not a LongName",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("longNameField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+		field.Invalid(field.NewPath("longNamePtrField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+		field.Invalid(field.NewPath("longNameTypedefField"), nil, "").WithOrigin("format=k8s-long-name-caseless"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/zz_generated.validations.go
new file mode 100644
index 0000000000000..567e5fc3cdd7c
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name-caseless/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_LongNameStringType validates an instance of LongNameStringType according
+// to declarative validation rules in the API schema.
+func Validate_LongNameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *LongNameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.LongNameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNameField"), &obj.LongNameField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.LongNameField }), oldObj != nil)...)
+
+	// field Struct.LongNamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LongNameCaseless(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNamePtrField"), obj.LongNamePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.LongNamePtrField }), oldObj != nil)...)
+
+	// field Struct.LongNameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *LongNameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_LongNameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNameTypedefField"), &obj.LongNameTypedefField, safe.Field(oldObj, func(oldObj *Struct) *LongNameStringType { return &oldObj.LongNameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc.go
new file mode 100644
index 0000000000000..25c625d3a778f
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-long-name
+	LongNameField string `json:"longNameField"`
+
+	// +k8s:format=k8s-long-name
+	LongNamePtrField *string `json:"longNamePtrField"`
+
+	// Note: no validation here
+	LongNameTypedefField LongNameStringType `json:"longNameTypedefField"`
+}
+
+// +k8s:format=k8s-long-name
+type LongNameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc_test.go
new file mode 100644
index 0000000000000..b0edb4da8da24
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/doc_test.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package format
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		LongNameField:        "foo.bar",
+		LongNamePtrField:     ptr.To("foo.bar"),
+		LongNameTypedefField: "foo.bar",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		LongNameField:        "1.2.3.4",
+		LongNamePtrField:     ptr.To("1.2.3.4"),
+		LongNameTypedefField: "1.2.3.4",
+	}).ExpectValid()
+
+	invalidStruct := &Struct{
+		LongNameField:        "",
+		LongNamePtrField:     ptr.To(""),
+		LongNameTypedefField: "",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("longNameField"), nil, "").WithOrigin("format=k8s-long-name"),
+		field.Invalid(field.NewPath("longNamePtrField"), nil, "").WithOrigin("format=k8s-long-name"),
+		field.Invalid(field.NewPath("longNameTypedefField"), nil, "").WithOrigin("format=k8s-long-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	invalidStruct = &Struct{
+		LongNameField:        "Not a LongName",
+		LongNamePtrField:     ptr.To("Not a LongName"),
+		LongNameTypedefField: "Not a LongName",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("longNameField"), nil, "").WithOrigin("format=k8s-long-name"),
+		field.Invalid(field.NewPath("longNamePtrField"), nil, "").WithOrigin("format=k8s-long-name"),
+		field.Invalid(field.NewPath("longNameTypedefField"), nil, "").WithOrigin("format=k8s-long-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/zz_generated.validations.go
new file mode 100644
index 0000000000000..3966497a6468f
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-long-name/k8s-long-name/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_LongNameStringType validates an instance of LongNameStringType according
+// to declarative validation rules in the API schema.
+func Validate_LongNameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *LongNameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.LongNameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNameField"), &obj.LongNameField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.LongNameField }), oldObj != nil)...)
+
+	// field Struct.LongNamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.LongName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNamePtrField"), obj.LongNamePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.LongNamePtrField }), oldObj != nil)...)
+
+	// field Struct.LongNameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *LongNameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_LongNameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("longNameTypedefField"), &obj.LongNameTypedefField, safe.Field(oldObj, func(oldObj *Struct) *LongNameStringType { return &oldObj.LongNameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc.go
new file mode 100644
index 0000000000000..6bd2fe8226737
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package fullyqualifiedname
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-resource-fully-qualified-name
+	FullyQualifiedNameField string `json:"fullyQualifiedNameField"`
+
+	// +k8s:format=k8s-resource-fully-qualified-name
+	FullyQualifiedNamePtrField *string `json:"fullyQualifiedNamePtrField"`
+
+	// Note: no validation here
+	FullyQualifiedNameTypedefField FullyQualifiedNameStringType `json:"fullyQualifiedNameTypedefField"`
+}
+
+// +k8s:format=k8s-resource-fully-qualified-name
+type FullyQualifiedNameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc_test.go
new file mode 100644
index 0000000000000..6d4768b74fab8
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/doc_test.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fullyqualifiedname
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestFullyQualifiedName(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		FullyQualifiedNameField:        "my-prefix/my_name",
+		FullyQualifiedNamePtrField:     ptr.To("my-prefix/my_name"),
+		FullyQualifiedNameTypedefField: "my-prefix/my_name",
+	}).ExpectValid()
+
+	invalidStruct := &Struct{
+		FullyQualifiedNameField:        "my_name",
+		FullyQualifiedNamePtrField:     ptr.To(""),
+		FullyQualifiedNameTypedefField: "my-prefix/",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByOrigin().ByField(), field.ErrorList{
+		field.Invalid(field.NewPath("fullyQualifiedNameField"), "my_name", "a fully qualified name must be a domain and a name separated by a slash").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		field.Invalid(field.NewPath("fullyQualifiedNamePtrField"), "", "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'").WithOrigin("format=k8s-resource-fully-qualified-name"),
+		field.Invalid(field.NewPath("fullyQualifiedNameTypedefField"), "my-prefix/", "name must not be empty").WithOrigin("format=k8s-resource-fully-qualified-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/zz_generated.validations.go
new file mode 100644
index 0000000000000..441ce0e5a2e63
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-fully-qualified-name/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package fullyqualifiedname
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_FullyQualifiedNameStringType validates an instance of FullyQualifiedNameStringType according
+// to declarative validation rules in the API schema.
+func Validate_FullyQualifiedNameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *FullyQualifiedNameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.FullyQualifiedNameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("fullyQualifiedNameField"), &obj.FullyQualifiedNameField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.FullyQualifiedNameField }), oldObj != nil)...)
+
+	// field Struct.FullyQualifiedNamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ResourceFullyQualifiedName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("fullyQualifiedNamePtrField"), obj.FullyQualifiedNamePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.FullyQualifiedNamePtrField }), oldObj != nil)...)
+
+	// field Struct.FullyQualifiedNameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *FullyQualifiedNameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_FullyQualifiedNameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("fullyQualifiedNameTypedefField"), &obj.FullyQualifiedNameTypedefField, safe.Field(oldObj, func(oldObj *Struct) *FullyQualifiedNameStringType { return &oldObj.FullyQualifiedNameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc.go
new file mode 100644
index 0000000000000..5da57980a4b12
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-resource-pool-name
+	ResourcePoolNameField string `json:"resourcePoolNameField"`
+
+	// +k8s:format=k8s-resource-pool-name
+	ResourcePoolNamePtrField *string `json:"resourcePoolNamePtrField"`
+
+	// Note: no validation here
+	ResourcePoolNameTypedefField ResourcePoolNameStringType `json:"resourcePoolNameTypedefField"`
+}
+
+// +k8s:format=k8s-resource-pool-name
+type ResourcePoolNameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc_test.go
new file mode 100644
index 0000000000000..eeab15e5306a8
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/doc_test.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +output_tests
+package format
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ResourcePoolNameField:        "foo.bar",
+		ResourcePoolNamePtrField:     ptr.To("foo.bar"),
+		ResourcePoolNameTypedefField: "foo.bar",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		ResourcePoolNameField:        "1.2.3.4",
+		ResourcePoolNamePtrField:     ptr.To("1.2.3.4"),
+		ResourcePoolNameTypedefField: "1.2.3.4",
+	}).ExpectValid()
+
+	invalidStruct := &Struct{
+		ResourcePoolNameField:        "",
+		ResourcePoolNamePtrField:     ptr.To(""),
+		ResourcePoolNameTypedefField: "",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("resourcePoolNameField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNamePtrField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNameTypedefField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	invalidStruct = &Struct{
+		ResourcePoolNameField:        "Not a ResourcePoolName",
+		ResourcePoolNamePtrField:     ptr.To("Not a ResourcePoolName"),
+		ResourcePoolNameTypedefField: "Not a ResourcePoolName",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("resourcePoolNameField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNamePtrField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNameTypedefField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	invalidStruct = &Struct{
+		ResourcePoolNameField:        "a..b",
+		ResourcePoolNamePtrField:     ptr.To("a..b"),
+		ResourcePoolNameTypedefField: "a..b",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("resourcePoolNameField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNamePtrField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+		field.Invalid(field.NewPath("resourcePoolNameTypedefField"), nil, "").WithOrigin("format=k8s-resource-pool-name"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/zz_generated.validations.go
new file mode 100644
index 0000000000000..e6cff3000eaaf
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-resource-pool-name/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_ResourcePoolNameStringType validates an instance of ResourcePoolNameStringType according
+// to declarative validation rules in the API schema.
+func Validate_ResourcePoolNameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ResourcePoolNameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.ResourcePoolNameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("resourcePoolNameField"), &obj.ResourcePoolNameField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.ResourcePoolNameField }), oldObj != nil)...)
+
+	// field Struct.ResourcePoolNamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ResourcePoolName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("resourcePoolNamePtrField"), obj.ResourcePoolNamePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.ResourcePoolNamePtrField }), oldObj != nil)...)
+
+	// field Struct.ResourcePoolNameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *ResourcePoolNameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ResourcePoolNameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("resourcePoolNameTypedefField"), &obj.ResourcePoolNameTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ResourcePoolNameStringType { return &oldObj.ResourcePoolNameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc.go
new file mode 100644
index 0000000000000..e5084ac223e9d
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package format
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:format=k8s-short-name
+	ShortNameField string `json:"shortNameField"`
+
+	// +k8s:format=k8s-short-name
+	ShortNamePtrField *string `json:"shortNamePtrField"`
+
+	// Note: no validation here
+	ShortNameTypedefField ShortNameStringType `json:"shortNameTypedefField"`
+}
+
+// +k8s:format=k8s-short-name
+type ShortNameStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc_test.go
new file mode 100644
index 0000000000000..bd37ba61f437e
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/doc_test.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package format
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ShortNameField:        "foo-bar",
+		ShortNamePtrField:     ptr.To("foo-bar"),
+		ShortNameTypedefField: "foo-bar",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		ShortNameField:        "1234",
+		ShortNamePtrField:     ptr.To("1234"),
+		ShortNameTypedefField: "1234",
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		ShortNameField:        "",
+		ShortNamePtrField:     ptr.To(""),
+		ShortNameTypedefField: "",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("shortNameField"), nil, "").WithOrigin("format=k8s-short-name"),
+		field.Invalid(field.NewPath("shortNamePtrField"), nil, "").WithOrigin("format=k8s-short-name"),
+		field.Invalid(field.NewPath("shortNameTypedefField"), nil, "").WithOrigin("format=k8s-short-name"),
+	})
+
+	st.Value(&Struct{
+		ShortNameField:        "Not a DNS label",
+		ShortNamePtrField:     ptr.To("Not a DNS label"),
+		ShortNameTypedefField: "Not a DNS label",
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("shortNameField"), nil, "").WithOrigin("format=k8s-short-name"),
+		field.Invalid(field.NewPath("shortNamePtrField"), nil, "").WithOrigin("format=k8s-short-name"),
+		field.Invalid(field.NewPath("shortNameTypedefField"), nil, "").WithOrigin("format=k8s-short-name"),
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/zz_generated.validations.go
new file mode 100644
index 0000000000000..482d164715414
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-short-name/k8s-short-name/zz_generated.validations.go
@@ -0,0 +1,101 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package format
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_ShortNameStringType validates an instance of ShortNameStringType according
+// to declarative validation rules in the API schema.
+func Validate_ShortNameStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ShortNameStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.ShortNameField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shortNameField"), &obj.ShortNameField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.ShortNameField }), oldObj != nil)...)
+
+	// field Struct.ShortNamePtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.ShortName(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shortNamePtrField"), obj.ShortNamePtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.ShortNamePtrField }), oldObj != nil)...)
+
+	// field Struct.ShortNameTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *ShortNameStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ShortNameStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("shortNameTypedefField"), &obj.ShortNameTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ShortNameStringType { return &oldObj.ShortNameTypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc.go
new file mode 100644
index 0000000000000..8207656918705
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package k8suuid
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+// MyType is a struct that contains a field with the uuid format.
+// +k8s:validation:Required
+type MyType struct {
+	TypeMeta int
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
+	UUIDField string `json:"uuidField"`
+	// +k8s:optional
+	// +k8s:format=k8s-uuid
+	UUIDPtrField *string `json:"uuidPtrField"`
+	// Note: no validation here
+	UUIDTypedefField UUIDStringType `json:"uuidTypedefField"`
+}
+
+// +k8s:format=k8s-uuid
+type UUIDStringType string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc_test.go
new file mode 100644
index 0000000000000..095439575c7ed
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/doc_test.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package k8suuid
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestK8sUUID(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&MyType{
+		UUIDField:        "123e4567-e89b-12d3-a456-426614174000",
+		UUIDPtrField:     ptr.To("123e4567-e89b-12d3-a456-426614174000"),
+		UUIDTypedefField: "123e4567-e89b-12d3-a456-426614174000",
+	}).ExpectValid()
+
+	invalidStruct := &MyType{
+		UUIDField:        "123E4567-E89B-12D3-A456-426614174000",
+		UUIDPtrField:     ptr.To("123E4567-E89B-12D3-A456-426614174000"),
+		UUIDTypedefField: "123E4567-E89B-12D3-A456-426614174000",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("uuidField"), nil, "").WithOrigin("format=k8s-uuid"),
+		field.Invalid(field.NewPath("uuidPtrField"), nil, "").WithOrigin("format=k8s-uuid"),
+		field.Invalid(field.NewPath("uuidTypedefField"), nil, "").WithOrigin("format=k8s-uuid"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+
+	invalidStruct = &MyType{
+		UUIDField:        "not-a-uuid",
+		UUIDPtrField:     ptr.To("not-a-uuid"),
+		UUIDTypedefField: "not-a-uuid",
+	}
+	st.Value(invalidStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("uuidField"), nil, "").WithOrigin("format=k8s-uuid"),
+		field.Invalid(field.NewPath("uuidPtrField"), nil, "").WithOrigin("format=k8s-uuid"),
+		field.Invalid(field.NewPath("uuidTypedefField"), nil, "").WithOrigin("format=k8s-uuid"),
+	})
+	// Test validation ratcheting
+	st.Value(invalidStruct).OldValue(invalidStruct).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/zz_generated.validations.go
new file mode 100644
index 0000000000000..7145bab600475
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/format/k8s-uuid/zz_generated.validations.go
@@ -0,0 +1,115 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package k8suuid
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type MyType
+	scheme.AddValidationFunc((*MyType)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_MyType(ctx, op, nil /* fldPath */, obj.(*MyType), safe.Cast[*MyType](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_MyType validates an instance of MyType according
+// to declarative validation rules in the API schema.
+func Validate_MyType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MyType) (errs field.ErrorList) {
+	// field MyType.TypeMeta has no validation
+
+	// field MyType.UUIDField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("uuidField"), &obj.UUIDField, safe.Field(oldObj, func(oldObj *MyType) *string { return &oldObj.UUIDField }), oldObj != nil)...)
+
+	// field MyType.UUIDPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("uuidPtrField"), obj.UUIDPtrField, safe.Field(oldObj, func(oldObj *MyType) *string { return oldObj.UUIDPtrField }), oldObj != nil)...)
+
+	// field MyType.UUIDTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *UUIDStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_UUIDStringType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("uuidTypedefField"), &obj.UUIDTypedefField, safe.Field(oldObj, func(oldObj *MyType) *UUIDStringType { return &oldObj.UUIDTypedefField }), oldObj != nil)...)
+
+	return errs
+}
+
+// Validate_UUIDStringType validates an instance of UUIDStringType according
+// to declarative validation rules in the API schema.
+func Validate_UUIDStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *UUIDStringType) (errs field.ErrorList) {
+	errs = append(errs, validate.UUID(ctx, op, fldPath, obj, oldObj)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/doc_test.go
index 8b27cc4edf854..139f8ecc35140 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/doc_test.go
@@ -64,16 +64,16 @@ func Test(t *testing.T) {
 	st.Value(&structA).OldValue(&structA2).ExpectValid()
 	st.Value(&structA2).OldValue(&structA).ExpectValid()
 
-	st.Value(&structA).OldValue(&structB).ExpectInvalid(
-		field.Forbidden(field.NewPath("stringField"), "field is immutable"),
-		field.Forbidden(field.NewPath("stringPtrField"), "field is immutable"),
-		field.Forbidden(field.NewPath("structField"), "field is immutable"),
-		field.Forbidden(field.NewPath("structPtrField"), "field is immutable"),
-		field.Forbidden(field.NewPath("noncomparableStructField"), "field is immutable"),
-		field.Forbidden(field.NewPath("noncomparableStructPtrField"), "field is immutable"),
-		field.Forbidden(field.NewPath("sliceField"), "field is immutable"),
-		field.Forbidden(field.NewPath("mapField"), "field is immutable"),
-		field.Forbidden(field.NewPath("immutableField"), "field is immutable"),
-		field.Forbidden(field.NewPath("immutablePtrField"), "field is immutable"),
-	)
+	st.Value(&structA).OldValue(&structB).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("stringPtrField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("structField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("structPtrField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("noncomparableStructField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("noncomparableStructPtrField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("sliceField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("mapField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("immutableField"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("immutablePtrField"), nil, "").WithOrigin("immutable"),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/zz_generated.validations.go
index b6aff0a3255a1..a391627463fa3 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/immutable/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,112 +49,201 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ImmutableType validates an instance of ImmutableType according
+// to declarative validation rules in the API schema.
 func Validate_ImmutableType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ImmutableType) (errs field.ErrorList) {
-	// type ImmutableType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
+	earlyReturn := false
+	if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
 	}
-	errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field Struct.StringPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }))...)
+		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }), oldObj != nil)...)
 
 	// field Struct.StructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *ComparableStruct { return &oldObj.StructField }))...)
+		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *ComparableStruct { return &oldObj.StructField }), oldObj != nil)...)
 
 	// field Struct.StructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *ComparableStruct { return oldObj.StructPtrField }))...)
+		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *ComparableStruct { return oldObj.StructPtrField }), oldObj != nil)...)
 
 	// field Struct.NonComparableStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("noncomparableStructField"), &obj.NonComparableStructField, safe.Field(oldObj, func(oldObj *Struct) *NonComparableStruct { return &oldObj.NonComparableStructField }))...)
+		}(fldPath.Child("noncomparableStructField"), &obj.NonComparableStructField, safe.Field(oldObj, func(oldObj *Struct) *NonComparableStruct { return &oldObj.NonComparableStructField }), oldObj != nil)...)
 
 	// field Struct.NonComparableStructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("noncomparableStructPtrField"), obj.NonComparableStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *NonComparableStruct { return oldObj.NonComparableStructPtrField }))...)
+		}(fldPath.Child("noncomparableStructPtrField"), obj.NonComparableStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *NonComparableStruct { return oldObj.NonComparableStructPtrField }), oldObj != nil)...)
 
 	// field Struct.SliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceField }))...)
+		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceField }), oldObj != nil)...)
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByReflect(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.ImmutableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ImmutableType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ImmutableType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ImmutableType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("immutableField"), &obj.ImmutableField, safe.Field(oldObj, func(oldObj *Struct) *ImmutableType { return &oldObj.ImmutableField }))...)
+		}(fldPath.Child("immutableField"), &obj.ImmutableField, safe.Field(oldObj, func(oldObj *Struct) *ImmutableType { return &oldObj.ImmutableField }), oldObj != nil)...)
 
 	// field Struct.ImmutablePtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ImmutableType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ImmutableType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ImmutableType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("immutablePtrField"), obj.ImmutablePtrField, safe.Field(oldObj, func(oldObj *Struct) *ImmutableType { return oldObj.ImmutablePtrField }))...)
+		}(fldPath.Child("immutablePtrField"), obj.ImmutablePtrField, safe.Field(oldObj, func(oldObj *Struct) *ImmutableType { return oldObj.ImmutablePtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/doc_test.go
index d20d9db9d4790..f6b86edd8ee29 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/doc_test.go
@@ -41,15 +41,15 @@ func Test(t *testing.T) {
 		},
 	}
 
-	st.Value(new).OldValue(old).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1).Child("stringField"), "field is immutable"),
-	)
-
-	st.Value(new).OldValue(&Struct{ListField: []Item{}}).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1).Child("stringField"), "field is immutable"),
-	)
+	st.Value(new).OldValue(old).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1).Child("stringField"), nil, "immutable").WithOrigin("immutable"),
+	})
+
+	st.Value(new).OldValue(&Struct{ListField: []Item{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1).Child("stringField"), nil, "immutable").WithOrigin("immutable"),
+	})
 
 	// Test that "c" can change independently
 	st.Value(&Struct{
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/zz_generated.validations.go
index a9836c37ba7eb..89a0f4328dac8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/immutable_transitions/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,21 +49,45 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Item) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key1 == "a" }, validate.DirectEqual, validate.ImmutableByCompare)...)
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key1 == "b" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *Item) *string { return &o.StringField }, validate.ImmutableByCompare)
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key1 == b.Key1 })...)
+			func() { // cohort {"key1": "a"}
+				earlyReturn := false
+				if e := validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key1 == "a" }, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+					errs = append(errs, e...)
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+			}()
+			func() { // cohort {"key1": "b"}
+				earlyReturn := false
+				if e := validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key1 == "b" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *Item) *string { return &o.StringField }, validate.DirectEqualPtr, validate.Immutable)
+				}); len(e) != 0 {
+					errs = append(errs, e...)
+					earlyReturn = true
+				}
+				if earlyReturn {
+					return // do not proceed
+				}
+			}()
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.ListField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc.go
index bbfadf4e61071..5d3c40fefdfaa 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc.go
@@ -31,8 +31,29 @@ type Struct struct {
 	// +k8s:listMapKey=stringKey
 	// +k8s:listMapKey=intKey
 	// +k8s:listMapKey=boolKey
-	// +k8s:item(stringKey: "target", intKey: 42, boolKey: true)=+k8s:validateFalse="item Items[stringKey=target,intKey=42,boolKey=true]"
+	// +k8s:item(stringKey: "target", intKey: 42, boolKey: true)=+k8s:validateFalse="item Items[stringKey=target,intKey=42,boolKey=true] 1"
+	// +k8s:item(stringKey: "target", intKey: 42, boolKey: true)=+k8s:validateFalse="item Items[stringKey=target,intKey=42,boolKey=true] 2"
 	Items []Item `json:"items"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=stringKey
+	// +k8s:listMapKey=intKey
+	// +k8s:listMapKey=boolKey
+	// +k8s:item(boolKey: true, stringKey: "target", intKey: 42)=+k8s:validateFalse="item OutOfOrder[boolKey=42,stringKey=target,intKey=42]"
+	OutOfOrder []Item `json:"outOfOrder"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=stringKey
+	// +k8s:listMapKey=intKey
+	// +k8s:listMapKey=boolKey
+	// +k8s:item(stringKey: "target-ptr", intKey: 42, boolKey: true)=+k8s:validateFalse="item PtrItems[stringKey=target-ptr,intKey=42,boolKey=true]"
+	PtrItems []PtrItem `json:"ptrItems"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=stringPtrKey
+	// +k8s:listMapKey=stringKey
+	// +k8s:item(stringPtrKey: "target-ptr", stringKey: "target")=+k8s:validateFalse="item MixedPtrItems"
+	MixedPtrItems []MixedPtrItem `json:"mixedPtrItems"`
 }
 
 type Item struct {
@@ -41,3 +62,16 @@ type Item struct {
 	BoolKey   bool   `json:"boolKey"`
 	Data      string `json:"data"`
 }
+
+type PtrItem struct {
+	StringKey *string `json:"stringKey"`
+	IntKey    int     `json:"intKey"`
+	BoolKey   bool    `json:"boolKey"`
+	Data      string  `json:"data"`
+}
+
+type MixedPtrItem struct {
+	StringPtrKey *string `json:"stringPtrKey"`
+	StringKey    string  `json:"stringKey"`
+	Data         string  `json:"data"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc_test.go
index c101516a76acf..4354b8392325a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/doc_test.go
@@ -18,6 +18,8 @@ package multiplekeys
 
 import (
 	"testing"
+
+	"k8s.io/utils/ptr"
 )
 
 func Test(t *testing.T) {
@@ -45,7 +47,10 @@ func Test(t *testing.T) {
 			{StringKey: "other", IntKey: 99, BoolKey: false, Data: "no match, all different"},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		`items[0]`: {"item Items[stringKey=target,intKey=42,boolKey=true]"},
+		`items[0]`: {
+			"item Items[stringKey=target,intKey=42,boolKey=true] 1",
+			"item Items[stringKey=target,intKey=42,boolKey=true] 2",
+		},
 	})
 
 	st.Value(&Struct{
@@ -68,4 +73,30 @@ func Test(t *testing.T) {
 			{StringKey: "other", IntKey: 1, BoolKey: false},
 		},
 	}).ExpectValid()
+
+	st.Value(&Struct{
+		PtrItems: []PtrItem{
+			{StringKey: ptr.To("target-ptr"), IntKey: 42, BoolKey: true, Data: "match"},
+			{StringKey: ptr.To("target-ptr"), IntKey: 42, BoolKey: false, Data: "no match, bool differs"},
+			{StringKey: ptr.To("target-ptr"), IntKey: 99, BoolKey: true, Data: "no match, int differs"},
+			{StringKey: ptr.To("other"), IntKey: 42, BoolKey: true, Data: "no match, string differs"},
+			{StringKey: nil, IntKey: 42, BoolKey: true, Data: "no match, nil string"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`ptrItems[0]`: {
+			"item PtrItems[stringKey=target-ptr,intKey=42,boolKey=true]",
+		},
+	})
+
+	st.Value(&Struct{
+		MixedPtrItems: []MixedPtrItem{
+			{StringPtrKey: ptr.To("target-ptr"), StringKey: "target", Data: "match"},
+			{StringPtrKey: ptr.To("target-ptr"), StringKey: "other", Data: "no match"},
+			{StringPtrKey: nil, StringKey: "target", Data: "no match"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`mixedPtrItems[0]`: {
+			"item MixedPtrItems",
+		},
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/zz_generated.validations.go
index 0167963f44e16..264626d78ab22 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/multiple_keys/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,20 +49,97 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Item) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.StringKey == "target" && item.IntKey == 42 && item.BoolKey == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[stringKey=target,intKey=42,boolKey=true]")
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool {
+				return a.StringKey == b.StringKey && a.IntKey == b.IntKey && a.BoolKey == b.BoolKey
 			})...)
+			func() { // cohort {"stringKey": "target", "intKey": 42, "boolKey": true}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.StringKey == "target" && item.IntKey == 42 && item.BoolKey == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[stringKey=target,intKey=42,boolKey=true] 1")
+				})...)
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.StringKey == "target" && item.IntKey == 42 && item.BoolKey == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[stringKey=target,intKey=42,boolKey=true] 2")
+				})...)
+			}()
 			return
-		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }))...)
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }), oldObj != nil)...)
+
+	// field Struct.OutOfOrder
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool {
+				return a.StringKey == b.StringKey && a.IntKey == b.IntKey && a.BoolKey == b.BoolKey
+			})...)
+			func() { // cohort {"stringKey": "target", "intKey": 42, "boolKey": true}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.StringKey == "target" && item.IntKey == 42 && item.BoolKey == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item OutOfOrder[boolKey=42,stringKey=target,intKey=42]")
+				})...)
+			}()
+			return
+		}(fldPath.Child("outOfOrder"), obj.OutOfOrder, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.OutOfOrder }), oldObj != nil)...)
+
+	// field Struct.PtrItems
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrItem, b PtrItem) bool {
+				return ((a.StringKey == nil && b.StringKey == nil) || (a.StringKey != nil && b.StringKey != nil && *a.StringKey == *b.StringKey)) && a.IntKey == b.IntKey && a.BoolKey == b.BoolKey
+			})...)
+			func() { // cohort {"stringKey": "target-ptr", "intKey": 42, "boolKey": true}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *PtrItem) bool {
+					return item.StringKey != nil && *item.StringKey == "target-ptr" && item.IntKey == 42 && item.BoolKey == true
+				}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *PtrItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item PtrItems[stringKey=target-ptr,intKey=42,boolKey=true]")
+				})...)
+			}()
+			return
+		}(fldPath.Child("ptrItems"), obj.PtrItems, safe.Field(oldObj, func(oldObj *Struct) []PtrItem { return oldObj.PtrItems }), oldObj != nil)...)
+
+	// field Struct.MixedPtrItems
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []MixedPtrItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a MixedPtrItem, b MixedPtrItem) bool {
+				return ((a.StringPtrKey == nil && b.StringPtrKey == nil) || (a.StringPtrKey != nil && b.StringPtrKey != nil && *a.StringPtrKey == *b.StringPtrKey)) && a.StringKey == b.StringKey
+			})...)
+			func() { // cohort {"stringPtrKey": "target-ptr", "stringKey": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *MixedPtrItem) bool {
+					return item.StringPtrKey != nil && *item.StringPtrKey == "target-ptr" && item.StringKey == "target"
+				}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MixedPtrItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item MixedPtrItems")
+				})...)
+			}()
+			return
+		}(fldPath.Child("mixedPtrItems"), obj.MixedPtrItems, safe.Field(oldObj, func(oldObj *Struct) []MixedPtrItem { return oldObj.MixedPtrItems }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc.go
index 7950660c4e915..d636653da1992 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc.go
@@ -29,23 +29,39 @@ type Struct struct {
 
 	// +k8s:listType=map
 	// +k8s:listMapKey=key
-	// +k8s:item(key: "target")=+k8s:validateFalse="item Items[key=target]"
+	// +k8s:item(key: "target")=+k8s:validateFalse="item Items[key=target] 1"
+	// +k8s:item(key: "target")=+k8s:validateFalse="item Items[key=target] 2"
 	Items []Item `json:"items"`
 
 	// +k8s:listType=map
 	// +k8s:listMapKey=intField
-	// +k8s:item(intField: 42)=+k8s:validateFalse="item IntKeyItems[intField=42]"
+	// +k8s:item(intField: 42)=+k8s:validateFalse="item IntKeyItems[intField=42] 1"
+	// +k8s:item(intField: 42)=+k8s:validateFalse="item IntKeyItems[intField=42] 2"
 	IntKeyItems []IntKeyItem `json:"intKeyItems"`
 
 	// +k8s:listType=map
 	// +k8s:listMapKey=boolField
-	// +k8s:item(boolField: true)=+k8s:validateFalse="item BoolKeyItems[boolField=true]"
+	// +k8s:item(boolField: true)=+k8s:validateFalse="item BoolKeyItems[boolField=true] 1"
+	// +k8s:item(boolField: true)=+k8s:validateFalse="item BoolKeyItems[boolField=true] 2"
 	BoolKeyItems []BoolKeyItem `json:"boolKeyItems"`
 
 	// +k8s:listType=map
 	// +k8s:listMapKey=id
-	// +k8s:item(id: "typedef-target")=+k8s:validateFalse="item TypedefItems[id=typedef-target]"
+	// +k8s:item(id: "typedef-target")=+k8s:validateFalse="item TypedefItems[id=typedef-target] 1"
+	// +k8s:item(id: "typedef-target")=+k8s:validateFalse="item TypedefItems[id=typedef-target] 2"
 	TypedefItems TypedefItemList `json:"typedefItems"`
+
+	// Test atomic + unique=map + item combination
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key
+	// +k8s:item(key: "target")=+k8s:validateFalse="item AtomicUniqueMapItems[key=target]"
+	AtomicUniqueMapItems []Item `json:"atomicUniqueMapItems"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=key
+	// +k8s:item(key: "target-ptr")=+k8s:validateFalse="item PtrKeyItems[key=target-ptr]"
+	PtrKeyItems []PtrKeyItem `json:"ptrKeyItems"`
 }
 
 type StructWithNestedTypedef struct {
@@ -84,3 +100,8 @@ type NestedTypedefItem struct {
 	Key  StringAlias `json:"key"`
 	Name string      `json:"name"`
 }
+
+type PtrKeyItem struct {
+	Key  *string `json:"key"`
+	Data string  `json:"data"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc_test.go
index d568f48b285a8..4377e16960c61 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/doc_test.go
@@ -18,6 +18,8 @@ package singlekey
 
 import (
 	"testing"
+
+	"k8s.io/utils/ptr"
 )
 
 func Test(t *testing.T) {
@@ -29,7 +31,10 @@ func Test(t *testing.T) {
 			{Key: "target", Data: "d2"},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		`items[1]`: {"item Items[key=target]"},
+		`items[1]`: {
+			"item Items[key=target] 1",
+			"item Items[key=target] 2",
+		},
 	})
 
 	st.Value(&Struct{
@@ -58,7 +63,10 @@ func Test(t *testing.T) {
 			{IntField: 42, Data: "d2"},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		`intKeyItems[1]`: {"item IntKeyItems[intField=42]"},
+		`intKeyItems[1]`: {
+			"item IntKeyItems[intField=42] 1",
+			"item IntKeyItems[intField=42] 2",
+		},
 	})
 
 	st.Value(&Struct{
@@ -67,7 +75,10 @@ func Test(t *testing.T) {
 			{BoolField: true, Data: "d2"},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		`boolKeyItems[1]`: {"item BoolKeyItems[boolField=true]"},
+		`boolKeyItems[1]`: {
+			"item BoolKeyItems[boolField=true] 1",
+			"item BoolKeyItems[boolField=true] 2",
+		},
 	})
 
 	// Test typedef slice.
@@ -77,7 +88,10 @@ func Test(t *testing.T) {
 			{ID: "typedef-target", Description: "d2"},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		`typedefItems[1]`: {"item TypedefItems[id=typedef-target]"},
+		`typedefItems[1]`: {
+			"item TypedefItems[id=typedef-target] 1",
+			"item TypedefItems[id=typedef-target] 2",
+		},
 	})
 
 	st.Value(&Struct{
@@ -103,4 +117,51 @@ func Test(t *testing.T) {
 			{Key: "b", Name: "n2"},
 		},
 	}).ExpectValid()
+
+	// Test atomic + unique=map + item combination
+	st.Value(&Struct{
+		AtomicUniqueMapItems: []Item{
+			{Key: "a", Data: "d1"},
+			{Key: "target", Data: "d2"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`atomicUniqueMapItems[1]`: {
+			"item AtomicUniqueMapItems[key=target]",
+		},
+	})
+
+	st.Value(&Struct{
+		AtomicUniqueMapItems: []Item{
+			{Key: "a", Data: "d1"},
+			{Key: "b", Data: "d2"},
+		},
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		AtomicUniqueMapItems: []Item{},
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		AtomicUniqueMapItems: nil,
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		PtrKeyItems: []PtrKeyItem{
+			{Key: ptr.To("a"), Data: "d1"},
+			{Key: ptr.To("target-ptr"), Data: "d2"},
+			{Key: nil, Data: "d3"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`ptrKeyItems[1]`: {
+			"item PtrKeyItems[key=target-ptr]",
+		},
+	})
+
+	st.Value(&Struct{
+		PtrKeyItems: []PtrKeyItem{
+			{Key: ptr.To("a"), Data: "d1"},
+			{Key: ptr.To("b"), Data: "d2"},
+			{Key: nil, Data: "d3"},
+		},
+	}).ExpectValid()
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/zz_generated.validations.go
index 74fe84d20c699..29410ca04b30c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/single_key/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type StructWithNestedTypedef
 	scheme.AddValidationFunc((*StructWithNestedTypedef)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -55,74 +57,158 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Item) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[key=target]")
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+			func() { // cohort {"key": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[key=target] 1")
+				})...)
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[key=target] 2")
+				})...)
+			}()
 			return
-		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }))...)
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }), oldObj != nil)...)
 
 	// field Struct.IntKeyItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []IntKeyItem) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []IntKeyItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *IntKeyItem) bool { return item.IntField == 42 }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *IntKeyItem) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item IntKeyItems[intField=42]")
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a IntKeyItem, b IntKeyItem) bool { return a.IntField == b.IntField })...)
+			func() { // cohort {"intField": 42}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *IntKeyItem) bool { return item.IntField == 42 }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *IntKeyItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item IntKeyItems[intField=42] 1")
+				})...)
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *IntKeyItem) bool { return item.IntField == 42 }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *IntKeyItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item IntKeyItems[intField=42] 2")
+				})...)
+			}()
 			return
-		}(fldPath.Child("intKeyItems"), obj.IntKeyItems, safe.Field(oldObj, func(oldObj *Struct) []IntKeyItem { return oldObj.IntKeyItems }))...)
+		}(fldPath.Child("intKeyItems"), obj.IntKeyItems, safe.Field(oldObj, func(oldObj *Struct) []IntKeyItem { return oldObj.IntKeyItems }), oldObj != nil)...)
 
 	// field Struct.BoolKeyItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []BoolKeyItem) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []BoolKeyItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *BoolKeyItem) bool { return item.BoolField == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *BoolKeyItem) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item BoolKeyItems[boolField=true]")
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a BoolKeyItem, b BoolKeyItem) bool { return a.BoolField == b.BoolField })...)
+			func() { // cohort {"boolField": true}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *BoolKeyItem) bool { return item.BoolField == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *BoolKeyItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item BoolKeyItems[boolField=true] 1")
+				})...)
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *BoolKeyItem) bool { return item.BoolField == true }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *BoolKeyItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item BoolKeyItems[boolField=true] 2")
+				})...)
+			}()
 			return
-		}(fldPath.Child("boolKeyItems"), obj.BoolKeyItems, safe.Field(oldObj, func(oldObj *Struct) []BoolKeyItem { return oldObj.BoolKeyItems }))...)
+		}(fldPath.Child("boolKeyItems"), obj.BoolKeyItems, safe.Field(oldObj, func(oldObj *Struct) []BoolKeyItem { return oldObj.BoolKeyItems }), oldObj != nil)...)
 
 	// field Struct.TypedefItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj TypedefItemList) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj TypedefItemList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a TypedefItem, b TypedefItem) bool { return a.ID == b.ID })...)
+			func() { // cohort {"id": "typedef-target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *TypedefItem) bool { return item.ID == "typedef-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *TypedefItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item TypedefItems[id=typedef-target] 1")
+				})...)
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *TypedefItem) bool { return item.ID == "typedef-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *TypedefItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item TypedefItems[id=typedef-target] 2")
+				})...)
+			}()
+			return
+		}(fldPath.Child("typedefItems"), obj.TypedefItems, safe.Field(oldObj, func(oldObj *Struct) TypedefItemList { return oldObj.TypedefItems }), oldObj != nil)...)
+
+	// field Struct.AtomicUniqueMapItems
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+			func() { // cohort {"key": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item AtomicUniqueMapItems[key=target]")
+				})...)
+			}()
+			return
+		}(fldPath.Child("atomicUniqueMapItems"), obj.AtomicUniqueMapItems, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.AtomicUniqueMapItems }), oldObj != nil)...)
+
+	// field Struct.PtrKeyItems
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrKeyItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *TypedefItem) bool { return item.ID == "typedef-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *TypedefItem) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item TypedefItems[id=typedef-target]")
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrKeyItem, b PtrKeyItem) bool {
+				return ((a.Key == nil && b.Key == nil) || (a.Key != nil && b.Key != nil && *a.Key == *b.Key))
 			})...)
+			func() { // cohort {"key": "target-ptr"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *PtrKeyItem) bool { return item.Key != nil && *item.Key == "target-ptr" }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *PtrKeyItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item PtrKeyItems[key=target-ptr]")
+				})...)
+			}()
 			return
-		}(fldPath.Child("typedefItems"), obj.TypedefItems, safe.Field(oldObj, func(oldObj *Struct) TypedefItemList { return oldObj.TypedefItems }))...)
+		}(fldPath.Child("ptrKeyItems"), obj.PtrKeyItems, safe.Field(oldObj, func(oldObj *Struct) []PtrKeyItem { return oldObj.PtrKeyItems }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_StructWithNestedTypedef validates an instance of StructWithNestedTypedef according
+// to declarative validation rules in the API schema.
 func Validate_StructWithNestedTypedef(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StructWithNestedTypedef) (errs field.ErrorList) {
 	// field StructWithNestedTypedef.TypeMeta has no validation
 
 	// field StructWithNestedTypedef.NestedItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NestedTypedefItem) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NestedTypedefItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *NestedTypedefItem) bool { return item.Key == "nested-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NestedTypedefItem) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item NestedItems[key=nested-target]")
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a NestedTypedefItem, b NestedTypedefItem) bool { return a.Key == b.Key })...)
+			func() { // cohort {"key": "nested-target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *NestedTypedefItem) bool { return item.Key == "nested-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NestedTypedefItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item NestedItems[key=nested-target]")
+				})...)
+			}()
 			return
-		}(fldPath.Child("nestedItems"), obj.NestedItems, safe.Field(oldObj, func(oldObj *StructWithNestedTypedef) []NestedTypedefItem { return oldObj.NestedItems }))...)
+		}(fldPath.Child("nestedItems"), obj.NestedItems, safe.Field(oldObj, func(oldObj *StructWithNestedTypedef) []NestedTypedefItem { return oldObj.NestedItems }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/doc_test.go
index d53c343e0070f..7ecbbca0c5556 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/doc_test.go
@@ -44,9 +44,9 @@ func Test(t *testing.T) {
 		RatchetItems: []RatchetItem{
 			{Key: "ratchet", Status: "forbidden", Version: 1},
 		},
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("ratchetItems").Index(0).Child("status"), "forbidden", "must not be equal to \"forbidden\""),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring(), field.ErrorList{
+		field.Invalid(field.NewPath("ratchetItems").Index(0).Child("status"), nil, ""),
+	})
 
 	st.Value(&Struct{
 		RatchetItems: []RatchetItem{
@@ -74,7 +74,7 @@ func Test(t *testing.T) {
 		RatchetItems: []RatchetItem{
 			{Key: "ratchet", Status: "allowed", Version: 1},
 		},
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("ratchetItems").Index(0).Child("status"), "forbidden", "must not be equal to \"forbidden\""),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring(), field.ErrorList{
+		field.Invalid(field.NewPath("ratchetItems").Index(0).Child("status"), nil, ""),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/zz_generated.validations.go
index a67bd79bc1347..7e46bf60917be 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/subfield/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,36 +49,50 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Items
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Item) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *Item) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[key=target].stringField")
-				})
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+			func() { // cohort {"key": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *Item) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item Items[key=target].stringField")
+					})
+				})...)
+			}()
 			return
-		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }))...)
+		}(fldPath.Child("items"), obj.Items, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.Items }), oldObj != nil)...)
 
 	// field Struct.RatchetItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []RatchetItem) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []RatchetItem, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *RatchetItem) bool { return item.Key == "ratchet" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *RatchetItem) field.ErrorList {
-				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "status", func(o *RatchetItem) *string { return &o.Status }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-					return validate.NEQ(ctx, op, fldPath, obj, oldObj, "forbidden")
-				})
-			})...)
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a RatchetItem, b RatchetItem) bool { return a.Key == b.Key })...)
+			func() { // cohort {"key": "ratchet"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *RatchetItem) bool { return item.Key == "ratchet" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *RatchetItem) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "status", func(o *RatchetItem) *string { return &o.Status }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.NEQ(ctx, op, fldPath, obj, oldObj, "forbidden")
+					})
+				})...)
+			}()
 			return
-		}(fldPath.Child("ratchetItems"), obj.RatchetItems, safe.Field(oldObj, func(oldObj *Struct) []RatchetItem { return oldObj.RatchetItems }))...)
+		}(fldPath.Child("ratchetItems"), obj.RatchetItems, safe.Field(oldObj, func(oldObj *Struct) []RatchetItem { return oldObj.RatchetItems }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc.go
index 5058fb2c4c546..bc49214121b04 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc.go
@@ -32,6 +32,9 @@ type Struct struct {
 
 	// +k8s:item(id: "field-target")=+k8s:validateFalse="item DualItems[id=field-target] from field"
 	DualItems DualItemList `json:"dualItems"`
+
+	// +k8s:item(id: "target")=+k8s:validateFalse="item ConflictingItems[id=target] from field"
+	ConflictingItems ConflictingItemList `json:"conflictingItems"`
 }
 
 type Item struct {
@@ -59,3 +62,8 @@ type DualItem struct {
 // +k8s:listMapKey=id
 // +k8s:item(id: "typedef-target")=+k8s:validateFalse="item DualItems[id=typedef-target] from typedef"
 type DualItemList []DualItem
+
+// +k8s:listType=map
+// +k8s:listMapKey=id
+// +k8s:item(id: "target")=+k8s:validateFalse="item ConflictingItems[id=target] from typedef"
+type ConflictingItemList []DualItem
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc_test.go
index 61f73b72bb96e..d823a2f361e5b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/doc_test.go
@@ -52,9 +52,9 @@ func Test(t *testing.T) {
 			{Key: "immutable", Data: "changed"},
 		},
 	}
-	st.Value(newStruct).OldValue(oldStruct).ExpectInvalid(
-		field.Forbidden(field.NewPath("typedefItems").Index(0), "field is immutable"),
-	)
+	st.Value(newStruct).OldValue(oldStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("typedefItems").Index(0), nil, "immutable").WithOrigin("immutable"),
+	})
 
 	// Test nested typedef (typedef of typedef).
 	st.Value(&Struct{
@@ -77,4 +77,17 @@ func Test(t *testing.T) {
 		`dualItems[1]`: {"item DualItems[id=typedef-target] from typedef"},
 		`dualItems[2]`: {"item DualItems[id=field-target] from field"},
 	})
+
+	// Test tag on field and typedef with same key.
+	st.Value(&Struct{
+		ConflictingItems: ConflictingItemList{
+			{ID: "a", Name: "n1"},
+			{ID: "target", Name: "n2"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`conflictingItems[1]`: {
+			"item ConflictingItems[id=target] from typedef",
+			"item ConflictingItems[id=target] from field",
+		},
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/zz_generated.validations.go
index f0a195762a5c1..a7cf2541b2629 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/typedef/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,72 +49,136 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ConflictingItemList validates an instance of ConflictingItemList according
+// to declarative validation rules in the API schema.
+func Validate_ConflictingItemList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ConflictingItemList) (errs field.ErrorList) {
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a DualItem, b DualItem) bool { return a.ID == b.ID })...)
+	func() { // cohort {"id": "target"}
+		errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ConflictingItems[id=target] from typedef")
+		})...)
+	}()
+
+	return errs
+}
+
+// Validate_DualItemList validates an instance of DualItemList according
+// to declarative validation rules in the API schema.
 func Validate_DualItemList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj DualItemList) (errs field.ErrorList) {
-	// type DualItemList
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "typedef-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
-		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item DualItems[id=typedef-target] from typedef")
-	})...)
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a DualItem, b DualItem) bool { return a.ID == b.ID })...)
+	func() { // cohort {"id": "typedef-target"}
+		errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "typedef-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item DualItems[id=typedef-target] from typedef")
+		})...)
+	}()
 
 	return errs
 }
 
+// Validate_ItemList validates an instance of ItemList according
+// to declarative validation rules in the API schema.
 func Validate_ItemList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ItemList) (errs field.ErrorList) {
-	// type ItemList
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "immutable" }, validate.DirectEqual, validate.ImmutableByCompare)...)
-	errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "validated" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ItemList[key=validated]")
-	})...)
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+	func() { // cohort {"key": "immutable"}
+		earlyReturn := false
+		if e := validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "immutable" }, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+			errs = append(errs, e...)
+			earlyReturn = true
+		}
+		if earlyReturn {
+			return // do not proceed
+		}
+	}()
+	func() { // cohort {"key": "validated"}
+		errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "validated" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ItemList[key=validated]")
+		})...)
+	}()
 
 	return errs
 }
 
+// Validate_ItemListAlias validates an instance of ItemListAlias according
+// to declarative validation rules in the API schema.
 func Validate_ItemListAlias(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ItemListAlias) (errs field.ErrorList) {
-	// type ItemListAlias
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "aliased" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
-		return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ItemListAlias[key=aliased]")
-	})...)
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+	func() { // cohort {"key": "aliased"}
+		errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *Item) bool { return item.Key == "aliased" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Item) field.ErrorList {
+			return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ItemListAlias[key=aliased]")
+		})...)
+	}()
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.TypedefItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ItemList) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj ItemList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ItemList(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefItems"), obj.TypedefItems, safe.Field(oldObj, func(oldObj *Struct) ItemList { return oldObj.TypedefItems }))...)
+		}(fldPath.Child("typedefItems"), obj.TypedefItems, safe.Field(oldObj, func(oldObj *Struct) ItemList { return oldObj.TypedefItems }), oldObj != nil)...)
 
 	// field Struct.NestedTypedefItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ItemListAlias) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj ItemListAlias, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ItemListAlias(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("nestedTypedefItems"), obj.NestedTypedefItems, safe.Field(oldObj, func(oldObj *Struct) ItemListAlias { return oldObj.NestedTypedefItems }))...)
+		}(fldPath.Child("nestedTypedefItems"), obj.NestedTypedefItems, safe.Field(oldObj, func(oldObj *Struct) ItemListAlias { return oldObj.NestedTypedefItems }), oldObj != nil)...)
 
 	// field Struct.DualItems
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj DualItemList) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj DualItemList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "field-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item DualItems[id=field-target] from field")
-			})...)
+			// call field-attached validations
+			func() { // cohort {"id": "field-target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "field-target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item DualItems[id=field-target] from field")
+				})...)
+			}()
+			// call the type's validation function
 			errs = append(errs, Validate_DualItemList(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("dualItems"), obj.DualItems, safe.Field(oldObj, func(oldObj *Struct) DualItemList { return oldObj.DualItems }))...)
+		}(fldPath.Child("dualItems"), obj.DualItems, safe.Field(oldObj, func(oldObj *Struct) DualItemList { return oldObj.DualItems }), oldObj != nil)...)
+
+	// field Struct.ConflictingItems
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj ConflictingItemList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			func() { // cohort {"id": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *DualItem) bool { return item.ID == "target" }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *DualItem) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ConflictingItems[id=target] from field")
+				})...)
+			}()
+			// call the type's validation function
+			errs = append(errs, Validate_ConflictingItemList(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("conflictingItems"), obj.ConflictingItems, safe.Field(oldObj, func(oldObj *Struct) ConflictingItemList { return oldObj.ConflictingItems }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/simple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/simple/zz_generated.validations.go
index e4c30f1b9ecd5..c3f7f255cb28b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/simple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/simple/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,18 +49,24 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_simple_Struct_Tasks_ = validate.NewUnionMembership([2]string{"Tasks[{\"name\": \"succeeded\"}]", ""}, [2]string{"Tasks[{\"name\": \"failed\"}]", ""})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_simple_Struct_tasks_ = validate.NewUnionMembership(validate.NewUnionMember("tasks[{\"name\": \"succeeded\"}]"), validate.NewUnionMember("tasks[{\"name\": \"failed\"}]"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Tasks
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Task) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Task, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_simple_Struct_Tasks_, func(list []Task) bool {
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Task, b Task) bool { return a.Name == b.Name })...)
+			errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_simple_Struct_tasks_, func(list []Task) bool {
 				for i := range list {
 					if list[i].Name == "failed" {
 						return true
@@ -75,7 +82,7 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 				return false
 			})...)
 			return
-		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) []Task { return oldObj.Tasks }))...)
+		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) []Task { return oldObj.Tasks }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/typedef/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/typedef/zz_generated.validations.go
index f889e406271f6..873e58d44a558 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/typedef/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/union/typedef/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,26 +49,33 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Tasks
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj TaskList) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj TaskList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_TaskList(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) TaskList { return oldObj.Tasks }))...)
+		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) TaskList { return oldObj.Tasks }), oldObj != nil)...)
 
 	return errs
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_typedef_TaskList_ = validate.NewUnionMembership([2]string{"TaskList[{\"name\": \"succeeded\"}]", ""}, [2]string{"TaskList[{\"name\": \"failed\"}]", ""})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_typedef_TaskList_ = validate.NewUnionMembership(validate.NewUnionMember("TaskList[{\"name\": \"succeeded\"}]"), validate.NewUnionMember("TaskList[{\"name\": \"failed\"}]"))
 
+// Validate_TaskList validates an instance of TaskList according
+// to declarative validation rules in the API schema.
 func Validate_TaskList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj TaskList) (errs field.ErrorList) {
-	// type TaskList
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Task, b Task) bool { return a.Name == b.Name })...)
 	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_union_typedef_TaskList_, func(list TaskList) bool {
 		for i := range list {
 			if list[i].Name == "failed" {
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/simple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/simple/zz_generated.validations.go
index eaafaf1f2be17..71f31587243d0 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/simple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/simple/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,18 +49,24 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_simple_Struct_Tasks_ = validate.NewUnionMembership([2]string{"Tasks[{\"name\": \"succeeded\"}]", ""}, [2]string{"Tasks[{\"name\": \"failed\"}]", ""})
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_simple_Struct_tasks_ = validate.NewUnionMembership(validate.NewUnionMember("tasks[{\"name\": \"succeeded\"}]"), validate.NewUnionMember("tasks[{\"name\": \"failed\"}]"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Tasks
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []Task) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []Task, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_simple_Struct_Tasks_, func(list []Task) bool {
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Task, b Task) bool { return a.Name == b.Name })...)
+			errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_simple_Struct_tasks_, func(list []Task) bool {
 				for i := range list {
 					if list[i].Name == "failed" {
 						return true
@@ -75,7 +82,7 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 				return false
 			})...)
 			return
-		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) []Task { return oldObj.Tasks }))...)
+		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) []Task { return oldObj.Tasks }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/typedef/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/typedef/zz_generated.validations.go
index 7ab7fbd53b05a..71529e3d4c0e3 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/typedef/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/item/zerorooneof/typedef/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,26 +49,33 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.Tasks
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj TaskList) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj TaskList, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_TaskList(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) TaskList { return oldObj.Tasks }))...)
+		}(fldPath.Child("tasks"), obj.Tasks, safe.Field(oldObj, func(oldObj *Struct) TaskList { return oldObj.Tasks }), oldObj != nil)...)
 
 	return errs
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_typedef_TaskList_ = validate.NewUnionMembership([2]string{"TaskList[{\"name\": \"succeeded\"}]", ""}, [2]string{"TaskList[{\"name\": \"failed\"}]", ""})
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_typedef_TaskList_ = validate.NewUnionMembership(validate.NewUnionMember("TaskList[{\"name\": \"succeeded\"}]"), validate.NewUnionMember("TaskList[{\"name\": \"failed\"}]"))
 
+// Validate_TaskList validates an instance of TaskList according
+// to declarative validation rules in the API schema.
 func Validate_TaskList(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj TaskList) (errs field.ErrorList) {
-	// type TaskList
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Task, b Task) bool { return a.Name == b.Name })...)
 	errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_item_zerorooneof_typedef_TaskList_, func(list TaskList) bool {
 		for i := range list {
 			if list[i].Name == "failed" {
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc.go
index b1a4095427cd1..faaf76dcc065b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc.go
@@ -53,6 +53,18 @@ type Struct struct {
 	// +k8s:listMapKey=key2Field
 	// +k8s:eachVal=+k8s:validateFalse="field Struct.ListNonComparableField[*]"
 	ListNonComparableField []NonComparableStruct `json:"listNonComparableField"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=key1Field
+	// +k8s:listMapKey=key2Field
+	// +k8s:item(key1Field: "target-ptr", key2Field: 42)=+k8s:validateFalse="item ListPtrKeyField[key1Field=target-ptr,key2Field=42]"
+	ListPtrKeyField []PtrKeyStruct `json:"listPtrKeyField"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=stringPtrKey
+	// +k8s:listMapKey=stringKey
+	// +k8s:item(stringPtrKey: "target-ptr", stringKey: "target")=+k8s:validateFalse="item ListMixedPtrKeyField"
+	ListMixedPtrKeyField []MixedPtrKeyStruct `json:"listMixedPtrKeyField"`
 }
 
 type OtherStruct struct {
@@ -73,3 +85,15 @@ type NonComparableStruct struct {
 // +k8s:listMapKey=key1Field
 // +k8s:listMapKey=key2Field
 type ListType []OtherStruct
+
+type PtrKeyStruct struct {
+	Key1Field *string `json:"key1Field"`
+	Key2Field int     `json:"key2Field"`
+	DataField string  `json:"dataField"`
+}
+
+type MixedPtrKeyStruct struct {
+	StringPtrKey *string `json:"stringPtrKey"`
+	StringKey    string  `json:"stringKey"`
+	DataField    string  `json:"dataField"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc_test.go
index b9c1e2185b266..bb41132f25939 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/doc_test.go
@@ -20,9 +20,36 @@ import (
 	"testing"
 
 	field "k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
 )
 
-func Test(t *testing.T) {
+func TestUniqueness(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ListField: []OtherStruct{
+			{"key1", 1, "one"}, // unique
+			{"key2", 2, "two"}, // dup
+			{"key2", 2, "two"},
+		},
+		ListTypedefField: []OtherTypedefStruct{
+			{"key1", 1, "one"}, // unique
+			{"key2", 2, "two"}, // dup
+			{"key2", 2, "two"},
+		},
+		TypedefField: ListType{
+			{"key1", 1, "one"}, // unique
+			{"key2", 2, "two"}, // dup
+			{"key2", 2, "two"},
+		},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Duplicate(field.NewPath("listField").Index(2), nil),
+		field.Duplicate(field.NewPath("listTypedefField").Index(2), nil),
+		field.Duplicate(field.NewPath("typedefField").Index(2), nil),
+	})
+}
+
+func TestUpdateCorrelation(t *testing.T) {
 	st := localSchemeBuilder.Test(t)
 
 	structA1 := Struct{
@@ -79,29 +106,32 @@ func Test(t *testing.T) {
 
 	st.Value(&structA2).OldValue(&structA1).ExpectValid()
 
-	st.Value(&structA1).OldValue(&structB).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(1), "field is immutable"),
-	)
-
-	st.Value(&structB).OldValue(&structA1).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(2), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(2), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(2), "field is immutable"),
-	)
-
-	// Test validation ratcheting.
-	structC := Struct{
+	st.Value(&structA1).OldValue(&structB).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+	})
+
+	st.Value(&structB).OldValue(&structA1).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(2), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(2), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(2), nil, "immutable").WithOrigin("immutable"),
+	})
+}
+
+func TestRatcheting(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	struct1 := Struct{
 		ListComparableField: []OtherStruct{
 			{"key1", 1, "one"},
 			{"key2", 2, "two"},
@@ -113,7 +143,7 @@ func Test(t *testing.T) {
 	}
 
 	// Same data, different order.
-	structC2 := Struct{
+	struct2 := Struct{
 		ListComparableField: []OtherStruct{
 			{"key2", 2, "two"},
 			{"key1", 1, "one"},
@@ -124,37 +154,48 @@ func Test(t *testing.T) {
 		},
 	}
 
-	st.Value(&structC2).ExpectValidateFalseByPath(map[string][]string{
+	st.Value(&struct1).ExpectValidateFalseByPath(map[string][]string{
 		"listComparableField[0]":    {"field Struct.ListComparableField[*]"},
 		"listComparableField[1]":    {"field Struct.ListComparableField[*]"},
 		"listNonComparableField[0]": {"field Struct.ListNonComparableField[*]"},
 		"listNonComparableField[1]": {"field Struct.ListNonComparableField[*]"},
 	})
-	st.Value(&structC).OldValue(&structC2).ExpectValid()
+	st.Value(&struct1).OldValue(&struct2).ExpectValid()
+	st.Value(&struct2).OldValue(&struct1).ExpectValid()
 }
 
-// TODO: enable this once we have a way to either opt-out from this validation
-// or settle the decision on how to handle the ratcheting cases.
-// func TestUniqueKey(t *testing.T) {
-// 	st := localSchemeBuilder.Test(t)
-
-// 	structA := Struct{
-// 		ListField: []OtherStruct{
-// 			{"key1", 1, "one"},
-// 			{"key1", 1, "two"},
-// 		},
-// 		ListTypedefField: []OtherTypedefStruct{
-// 			{"key1", 1, "one"},
-// 			{"key1", 1, "two"},
-// 		},
-// 		TypedefField: ListType{
-// 			{"key1", 1, "one"},
-// 			{"key1", 1, "two"},
-// 		},
-// 	}
-// 	st.Value(&structA).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-// 		field.Duplicate(field.NewPath("listField[1]"), nil),
-// 		field.Duplicate(field.NewPath("listTypedefField[1]"), nil),
-// 		field.Duplicate(field.NewPath("typedefField[1]"), nil),
-// 	})
-// }
+func TestItemWithPtrKey(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ListPtrKeyField: []PtrKeyStruct{
+			{Key1Field: ptr.To("target-ptr"), Key2Field: 42, DataField: "match"},
+			{Key1Field: ptr.To("target-ptr"), Key2Field: 99, DataField: "no match, int differs"},
+			{Key1Field: ptr.To("other"), Key2Field: 42, DataField: "no match, string differs"},
+			{Key1Field: nil, Key2Field: 42, DataField: "no match, nil string"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`listPtrKeyField[0]`: {
+			"item ListPtrKeyField[key1Field=target-ptr,key2Field=42]",
+		},
+	})
+
+	st.Value(&Struct{
+		ListPtrKeyField: []PtrKeyStruct{
+			{Key1Field: ptr.To("other"), Key2Field: 42, DataField: "d1"},
+			{Key1Field: nil, Key2Field: 99, DataField: "d2"},
+		},
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		ListMixedPtrKeyField: []MixedPtrKeyStruct{
+			{StringPtrKey: ptr.To("target-ptr"), StringKey: "target", DataField: "match"},
+			{StringPtrKey: ptr.To("target-ptr"), StringKey: "other", DataField: "no match"},
+			{StringPtrKey: nil, StringKey: "target", DataField: "no match"},
+		},
+	}).ExpectValidateFalseByPath(map[string][]string{
+		`listMixedPtrKeyField[0]`: {
+			"item ListMixedPtrKeyField",
+		},
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/zz_generated.validations.go
index f80111131bfef..5c72158fa3d1a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/multiple_keys/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,72 +49,178 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ListType validates an instance of ListType according
+// to declarative validation rules in the API schema.
+func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
+		return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
+	})...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
+				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
+			}, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
 				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
-			}, validate.DirectEqual, validate.ImmutableByCompare)...)
+			})...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool {
+				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
+			}, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool {
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool {
 				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
-			}, validate.DirectEqual, validate.ImmutableByCompare)...)
+			})...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	// field Struct.TypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
 				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
-			}, validate.DirectEqual, validate.ImmutableByCompare)...)
+			}, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ListType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefField"), obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.TypedefField }))...)
+		}(fldPath.Child("typedefField"), obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.TypedefField }), oldObj != nil)...)
 
 	// field Struct.ListComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
 				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
 			}, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool {
+				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
+			})...)
 			return
-		}(fldPath.Child("listComparableField"), obj.ListComparableField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListComparableField }))...)
+		}(fldPath.Child("listComparableField"), obj.ListComparableField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListComparableField }), oldObj != nil)...)
 
 	// field Struct.ListNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a NonComparableStruct, b NonComparableStruct) bool {
 				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
 			}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListNonComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a NonComparableStruct, b NonComparableStruct) bool {
+				return a.Key1Field == b.Key1Field && a.Key2Field == b.Key2Field
+			})...)
+			return
+		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }), oldObj != nil)...)
+
+	// field Struct.ListPtrKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.Key1Field == nil && b.Key1Field == nil) || (a.Key1Field != nil && b.Key1Field != nil && *a.Key1Field == *b.Key1Field)) && a.Key2Field == b.Key2Field
+			})...)
+			func() { // cohort {"key1Field": "target-ptr", "key2Field": 42}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *PtrKeyStruct) bool {
+					return item.Key1Field != nil && *item.Key1Field == "target-ptr" && item.Key2Field == 42
+				}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *PtrKeyStruct) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ListPtrKeyField[key1Field=target-ptr,key2Field=42]")
+				})...)
+			}()
+			return
+		}(fldPath.Child("listPtrKeyField"), obj.ListPtrKeyField, safe.Field(oldObj, func(oldObj *Struct) []PtrKeyStruct { return oldObj.ListPtrKeyField }), oldObj != nil)...)
+
+	// field Struct.ListMixedPtrKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []MixedPtrKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a MixedPtrKeyStruct, b MixedPtrKeyStruct) bool {
+				return ((a.StringPtrKey == nil && b.StringPtrKey == nil) || (a.StringPtrKey != nil && b.StringPtrKey != nil && *a.StringPtrKey == *b.StringPtrKey)) && a.StringKey == b.StringKey
+			})...)
+			func() { // cohort {"stringPtrKey": "target-ptr", "stringKey": "target"}
+				errs = append(errs, validate.SliceItem(ctx, op, fldPath, obj, oldObj, func(item *MixedPtrKeyStruct) bool {
+					return item.StringPtrKey != nil && *item.StringPtrKey == "target-ptr" && item.StringKey == "target"
+				}, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *MixedPtrKeyStruct) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "item ListMixedPtrKeyField")
+				})...)
+			}()
 			return
-		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }))...)
+		}(fldPath.Child("listMixedPtrKeyField"), obj.ListMixedPtrKeyField, safe.Field(oldObj, func(oldObj *Struct) []MixedPtrKeyStruct { return oldObj.ListMixedPtrKeyField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc.go
index d32f335557b24..5627f4f7dafbc 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc.go
@@ -49,6 +49,10 @@ type Struct struct {
 	// +k8s:listMapKey=keyField
 	// +k8s:eachVal=+k8s:validateFalse="field Struct.ListNonComparableField[*]"
 	ListNonComparableField []NonComparableStruct `json:"listNonComparableField"`
+
+	// +k8s:listType=map
+	// +k8s:listMapKey=keyField
+	ListPtrKeyField []PtrKeyStruct `json:"listPtrKeyField"`
 }
 
 type OtherStruct struct {
@@ -63,6 +67,11 @@ type NonComparableStruct struct {
 	StringPtrField *string `json:"stringPtrField"`
 }
 
+type PtrKeyStruct struct {
+	KeyField  *string `json:"keyField"`
+	DataField string  `json:"dataField"`
+}
+
 // +k8s:listType=map
 // +k8s:listMapKey=keyField
 type ListType []OtherStruct
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc_test.go
index 12ee3335aea26..01a2a782a9b66 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/doc_test.go
@@ -23,7 +23,33 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-func Test(t *testing.T) {
+func TestUniqueness(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ListField: []OtherStruct{
+			{"key1", "one"},
+			{"key2", "two"},
+			{"key2", "two"},
+		},
+		ListTypedefField: []OtherTypedefStruct{
+			{"key1", "one"},
+			{"key2", "two"},
+			{"key2", "two"},
+		},
+		TypedefField: ListType{
+			{"key1", "one"},
+			{"key2", "two"},
+			{"key2", "two"},
+		},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Duplicate(field.NewPath("listField").Index(2), nil),
+		field.Duplicate(field.NewPath("listTypedefField").Index(2), nil),
+		field.Duplicate(field.NewPath("typedefField").Index(2), nil),
+	})
+}
+
+func TestUpdateCorrelation(t *testing.T) {
 	st := localSchemeBuilder.Test(t)
 
 	structA1 := Struct{
@@ -80,29 +106,32 @@ func Test(t *testing.T) {
 
 	st.Value(&structA2).OldValue(&structA1).ExpectValid()
 
-	st.Value(&structA1).OldValue(&structB).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(1), "field is immutable"),
-	)
-
-	st.Value(&structB).OldValue(&structA1).ExpectInvalid(
-		field.Forbidden(field.NewPath("listField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listField").Index(2), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("listTypedefField").Index(2), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(0), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(1), "field is immutable"),
-		field.Forbidden(field.NewPath("typedefField").Index(2), "field is immutable"),
-	)
-
-	// Test validation ratcheting.
-	structC := Struct{
+	st.Value(&structA1).OldValue(&structB).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+	})
+
+	st.Value(&structB).OldValue(&structA1).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("listField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listField").Index(2), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("listTypedefField").Index(2), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(0), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(1), nil, "immutable").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("typedefField").Index(2), nil, "immutable").WithOrigin("immutable"),
+	})
+}
+
+func TestRatcheting(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	struct1 := Struct{
 		ListComparableField: []OtherStruct{
 			{"key1", "one"},
 			{"key2", "two"},
@@ -114,7 +143,7 @@ func Test(t *testing.T) {
 	}
 
 	// Same data, different order.
-	structC2 := Struct{
+	struct2 := Struct{
 		ListComparableField: []OtherStruct{
 			{"key2", "two"},
 			{"key1", "one"},
@@ -124,37 +153,29 @@ func Test(t *testing.T) {
 			{"key1", ptr.To("one")},
 		},
 	}
-	st.Value(&structC2).ExpectValidateFalseByPath(map[string][]string{
+	st.Value(&struct1).ExpectValidateFalseByPath(map[string][]string{
 		"listComparableField[0]":    {"field Struct.ListComparableField[*]"},
 		"listComparableField[1]":    {"field Struct.ListComparableField[*]"},
 		"listNonComparableField[0]": {"field Struct.ListNonComparableField[*]"},
 		"listNonComparableField[1]": {"field Struct.ListNonComparableField[*]"},
 	})
-	st.Value(&structC).OldValue(&structC2).ExpectValid()
+	st.Value(&struct1).OldValue(&struct2).ExpectValid()
+	st.Value(&struct2).OldValue(&struct1).ExpectValid()
 }
 
-// TODO: enable this once we have a way to either opt-out from this validation
-// or settle the decision on how to handle the ratcheting cases.
-// func TestUniqueKey(t *testing.T) {
-// 	st := localSchemeBuilder.Test(t)
-
-// 	structA := Struct{
-// 		ListField: []OtherStruct{
-// 			{"key1", "one"},
-// 			{"key1", "two"},
-// 		},
-// 		ListTypedefField: []OtherTypedefStruct{
-// 			{"key1", "one"},
-// 			{"key1", "two"},
-// 		},
-// 		TypedefField: ListType{
-// 			{"key1", "one"},
-// 			{"key1", "two"},
-// 		},
-// 	}
-// 	st.Value(&structA).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
-// 		field.Duplicate(field.NewPath("listField[1]"), nil),
-// 		field.Duplicate(field.NewPath("listTypedefField[1]"), nil),
-// 		field.Duplicate(field.NewPath("typedefField[1]"), nil),
-// 	})
-// }
+func TestUniquenessPtrKey(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		ListPtrKeyField: []PtrKeyStruct{
+			{ptr.To("key1"), "one"},
+			{ptr.To("key2"), "two"},
+			{ptr.To("key2"), "three"}, // duplicate key
+			{nil, "four"},
+			{nil, "five"}, // duplicate nil key
+		},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Duplicate(field.NewPath("listPtrKeyField").Index(2), nil),
+		field.Duplicate(field.NewPath("listPtrKeyField").Index(4), nil),
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/zz_generated.validations.go
index 9d5b11c9f42c5..d3e10565ba480 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listmap/single_key/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,62 +49,129 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ListType validates an instance of ListType according
+// to declarative validation rules in the API schema.
+func Validate_ListType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
+	// lists with map semantics require unique keys
+	errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField })...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.ListField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.ImmutableByCompare)...)
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField })...)
 			return
-		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }))...)
+		}(fldPath.Child("listField"), obj.ListField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListField }), oldObj != nil)...)
 
 	// field Struct.ListTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.ImmutableByCompare)...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherTypedefStruct, b OtherTypedefStruct) bool { return a.KeyField == b.KeyField })...)
 			return
-		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }))...)
+		}(fldPath.Child("listTypedefField"), obj.ListTypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.ListTypedefField }), oldObj != nil)...)
 
 	// field Struct.TypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ListType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj ListType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.ImmutableByCompare)...)
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_ListType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefField"), obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.TypedefField }))...)
+		}(fldPath.Child("typedefField"), obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) ListType { return oldObj.TypedefField }), oldObj != nil)...)
 
 	// field Struct.ListComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.KeyField == b.KeyField })...)
 			return
-		}(fldPath.Child("listComparableField"), obj.ListComparableField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListComparableField }))...)
+		}(fldPath.Child("listComparableField"), obj.ListComparableField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListComparableField }), oldObj != nil)...)
 
 	// field Struct.ListNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a NonComparableStruct, b NonComparableStruct) bool { return a.KeyField == b.KeyField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *NonComparableStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListNonComparableField[*]")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a NonComparableStruct, b NonComparableStruct) bool { return a.KeyField == b.KeyField })...)
+			return
+		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }), oldObj != nil)...)
+
+	// field Struct.ListPtrKeyField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.KeyField == nil && b.KeyField == nil) || (a.KeyField != nil && b.KeyField != nil && *a.KeyField == *b.KeyField))
+			})...)
 			return
-		}(fldPath.Child("listNonComparableField"), obj.ListNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.ListNonComparableField }))...)
+		}(fldPath.Child("listPtrKeyField"), obj.ListPtrKeyField, safe.Field(oldObj, func(oldObj *Struct) []PtrKeyStruct { return oldObj.ListPtrKeyField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/doc_test.go
index 3acf78740e7dd..a04c007b0edb7 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/doc_test.go
@@ -56,21 +56,21 @@ func Test(t *testing.T) {
 			{StringPtrField: ptrS1},
 			{StringPtrField: ptrS2},
 		},
-	}).ExpectInvalid(
-		field.Duplicate(field.NewPath("sliceStringField").Index(3), "ccc"),
-		field.Duplicate(field.NewPath("sliceStringField").Index(4), "bbb"),
-		field.Duplicate(field.NewPath("sliceStringField").Index(5), "aaa"),
-		field.Duplicate(field.NewPath("sliceIntField").Index(3), 3),
-		field.Duplicate(field.NewPath("sliceIntField").Index(4), 2),
-		field.Duplicate(field.NewPath("sliceIntField").Index(5), 1),
-		field.Duplicate(field.NewPath("sliceComparableField").Index(3), ComparableStruct{"ccc"}),
-		field.Duplicate(field.NewPath("sliceComparableField").Index(4), ComparableStruct{"bbb"}),
-		field.Duplicate(field.NewPath("sliceComparableField").Index(5), ComparableStruct{"aaa"}),
-		field.Duplicate(field.NewPath("sliceNonComparableField").Index(3), NonComparableStruct{[]string{"ccc", "333"}}),
-		field.Duplicate(field.NewPath("sliceNonComparableField").Index(4), NonComparableStruct{[]string{"bbb", "222"}}),
-		field.Duplicate(field.NewPath("sliceNonComparableField").Index(5), NonComparableStruct{[]string{"aaa", "111"}}),
-		field.Duplicate(field.NewPath("sliceFalselyComparableField").Index(1), FalselyComparableStruct{StringPtrField: ptrS2}),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Duplicate(field.NewPath("sliceStringField").Index(3), nil),
+		field.Duplicate(field.NewPath("sliceStringField").Index(4), nil),
+		field.Duplicate(field.NewPath("sliceStringField").Index(5), nil),
+		field.Duplicate(field.NewPath("sliceIntField").Index(3), nil),
+		field.Duplicate(field.NewPath("sliceIntField").Index(4), nil),
+		field.Duplicate(field.NewPath("sliceIntField").Index(5), nil),
+		field.Duplicate(field.NewPath("sliceComparableField").Index(3), nil),
+		field.Duplicate(field.NewPath("sliceComparableField").Index(4), nil),
+		field.Duplicate(field.NewPath("sliceComparableField").Index(5), nil),
+		field.Duplicate(field.NewPath("sliceNonComparableField").Index(3), nil),
+		field.Duplicate(field.NewPath("sliceNonComparableField").Index(4), nil),
+		field.Duplicate(field.NewPath("sliceNonComparableField").Index(5), nil),
+		field.Duplicate(field.NewPath("sliceFalselyComparableField").Index(1), nil),
+	})
 }
 
 func TestSetCorrelation(t *testing.T) {
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/zz_generated.validations.go
index dc313a65d3d27..59c8ea9c77a08 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/listset/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type ImmutableStruct
 	scheme.AddValidationFunc((*ImmutableStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -55,138 +57,224 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_ImmutableStruct validates an instance of ImmutableStruct according
+// to declarative validation rules in the API schema.
 func Validate_ImmutableStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ImmutableStruct) (errs field.ErrorList) {
 	// field ImmutableStruct.TypeMeta has no validation
 
 	// field ImmutableStruct.SliceComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.ImmutableByCompare)...)
 			return
-		}(fldPath.Child("sliceComparableField"), obj.SliceComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []ComparableStruct { return oldObj.SliceComparableField }))...)
+		}(fldPath.Child("sliceComparableField"), obj.SliceComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []ComparableStruct { return oldObj.SliceComparableField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SliceSetComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, nil, validate.ImmutableByCompare)...)
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("sliceSetComparableField"), obj.SliceSetComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []ComparableStruct { return oldObj.SliceSetComparableField }))...)
+		}(fldPath.Child("sliceSetComparableField"), obj.SliceSetComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []ComparableStruct { return oldObj.SliceSetComparableField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SliceNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.ImmutableByReflect)...)
 			return
-		}(fldPath.Child("sliceNonComparableField"), obj.SliceNonComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []NonComparableStruct { return oldObj.SliceNonComparableField }))...)
+		}(fldPath.Child("sliceNonComparableField"), obj.SliceNonComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []NonComparableStruct { return oldObj.SliceNonComparableField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SliceSetNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, validate.ImmutableByReflect)...)
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual)...)
 			return
-		}(fldPath.Child("sliceSetNonComparableField"), obj.SliceSetNonComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []NonComparableStruct { return oldObj.SliceSetNonComparableField }))...)
+		}(fldPath.Child("sliceSetNonComparableField"), obj.SliceSetNonComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []NonComparableStruct { return oldObj.SliceSetNonComparableField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SlicePrimitiveField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []int) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, validate.ImmutableByCompare)...)
 			return
-		}(fldPath.Child("slicePrimitiveField"), obj.SlicePrimitiveField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []int { return oldObj.SlicePrimitiveField }))...)
+		}(fldPath.Child("slicePrimitiveField"), obj.SlicePrimitiveField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []int { return oldObj.SlicePrimitiveField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SliceSetPrimitiveField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []int) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, nil, validate.ImmutableByCompare)...)
+			if earlyReturn {
+				return // do not proceed
+			}
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("sliceSetPrimitiveField"), obj.SliceSetPrimitiveField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []int { return oldObj.SliceSetPrimitiveField }))...)
+		}(fldPath.Child("sliceSetPrimitiveField"), obj.SliceSetPrimitiveField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []int { return oldObj.SliceSetPrimitiveField }), oldObj != nil)...)
 
 	// field ImmutableStruct.SliceSetFalselyComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []FalselyComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []FalselyComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, validate.Immutable); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual, nil, validate.ImmutableByReflect)...)
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual)...)
 			return
-		}(fldPath.Child("sliceSetFalselyComparableField"), obj.SliceSetFalselyComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []FalselyComparableStruct { return oldObj.SliceSetFalselyComparableField }))...)
+		}(fldPath.Child("sliceSetFalselyComparableField"), obj.SliceSetFalselyComparableField, safe.Field(oldObj, func(oldObj *ImmutableStruct) []FalselyComparableStruct { return oldObj.SliceSetFalselyComparableField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.SliceStringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("sliceStringField"), obj.SliceStringField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceStringField }))...)
+		}(fldPath.Child("sliceStringField"), obj.SliceStringField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceStringField }), oldObj != nil)...)
 
 	// field Struct.SliceIntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []int) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("sliceIntField"), obj.SliceIntField, safe.Field(oldObj, func(oldObj *Struct) []int { return oldObj.SliceIntField }))...)
+		}(fldPath.Child("sliceIntField"), obj.SliceIntField, safe.Field(oldObj, func(oldObj *Struct) []int { return oldObj.SliceIntField }), oldObj != nil)...)
 
 	// field Struct.SliceComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []ComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []ComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
 			return
-		}(fldPath.Child("sliceComparableField"), obj.SliceComparableField, safe.Field(oldObj, func(oldObj *Struct) []ComparableStruct { return oldObj.SliceComparableField }))...)
+		}(fldPath.Child("sliceComparableField"), obj.SliceComparableField, safe.Field(oldObj, func(oldObj *Struct) []ComparableStruct { return oldObj.SliceComparableField }), oldObj != nil)...)
 
 	// field Struct.SliceNonComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []NonComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual)...)
 			return
-		}(fldPath.Child("sliceNonComparableField"), obj.SliceNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.SliceNonComparableField }))...)
+		}(fldPath.Child("sliceNonComparableField"), obj.SliceNonComparableField, safe.Field(oldObj, func(oldObj *Struct) []NonComparableStruct { return oldObj.SliceNonComparableField }), oldObj != nil)...)
 
 	// field Struct.SliceFalselyComparableField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []FalselyComparableStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []FalselyComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			// lists with set semantics require unique values
 			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.SemanticDeepEqual)...)
 			return
-		}(fldPath.Child("sliceFalselyComparableField"), obj.SliceFalselyComparableField, safe.Field(oldObj, func(oldObj *Struct) []FalselyComparableStruct { return oldObj.SliceFalselyComparableField }))...)
+		}(fldPath.Child("sliceFalselyComparableField"), obj.SliceFalselyComparableField, safe.Field(oldObj, func(oldObj *Struct) []FalselyComparableStruct { return oldObj.SliceFalselyComparableField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc.go
new file mode 100644
index 0000000000000..fd7f085c7cb11
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package sliceofprimitive
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:maxItems=0
+	Max0Field []int `json:"max0Field"`
+
+	// +k8s:maxItems=10
+	Max10Field []int `json:"max10Field"`
+
+	// +k8s:maxItems=0
+	Max0TypedefField []IntType `json:"max0TypedefField"`
+
+	// +k8s:maxItems=10
+	Max10TypedefField []IntType `json:"max10TypedefField"`
+}
+
+type IntType int
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc_test.go
new file mode 100644
index 0000000000000..6611443de03d9
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/doc_test.go
@@ -0,0 +1,79 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sliceofprimitive
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		// All zero values
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max0Field:         make([]int, 0),
+		Max10Field:        make([]int, 0),
+		Max0TypedefField:  make([]IntType, 0),
+		Max10TypedefField: make([]IntType, 0),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]int, 1),
+		Max10TypedefField: make([]IntType, 1),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]int, 9),
+		Max10TypedefField: make([]IntType, 9),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]int, 10),
+		Max10TypedefField: make([]IntType, 10),
+	}).ExpectValid()
+
+	testVal := &Struct{
+		Max0Field:         make([]int, 1),
+		Max10Field:        make([]int, 11),
+		Max0TypedefField:  make([]IntType, 1),
+		Max10TypedefField: make([]IntType, 11),
+	}
+	st.Value(testVal).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.TooMany(field.NewPath("max0Field"), 1, 0),
+		field.TooMany(field.NewPath("max10Field"), 11, 10),
+		field.TooMany(field.NewPath("max0TypedefField"), 1, 0),
+		field.TooMany(field.NewPath("max10TypedefField"), 11, 10),
+	})
+	// Test validation ratcheting
+	st.Value(&Struct{
+		Max0Field:         make([]int, 1),
+		Max10Field:        make([]int, 11),
+		Max0TypedefField:  make([]IntType, 1),
+		Max10TypedefField: make([]IntType, 11),
+	}).OldValue(&Struct{
+		Max0Field:         make([]int, 1),
+		Max10Field:        make([]int, 11),
+		Max0TypedefField:  make([]IntType, 1),
+		Max10TypedefField: make([]IntType, 11),
+	}).ExpectValid()
+
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/zz_generated.validations.go
new file mode 100644
index 0000000000000..31cba4d93f13c
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_primitive/zz_generated.validations.go
@@ -0,0 +1,134 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package sliceofprimitive
+
+import (
+	context "context"
+	fmt "fmt"
+
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.Max0Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max0Field"), obj.Max0Field, safe.Field(oldObj, func(oldObj *Struct) []int { return oldObj.Max0Field }), oldObj != nil)...)
+
+	// field Struct.Max10Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max10Field"), obj.Max10Field, safe.Field(oldObj, func(oldObj *Struct) []int { return oldObj.Max10Field }), oldObj != nil)...)
+
+	// field Struct.Max0TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max0TypedefField"), obj.Max0TypedefField, safe.Field(oldObj, func(oldObj *Struct) []IntType { return oldObj.Max0TypedefField }), oldObj != nil)...)
+
+	// field Struct.Max10TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max10TypedefField"), obj.Max10TypedefField, safe.Field(oldObj, func(oldObj *Struct) []IntType { return oldObj.Max10TypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc.go
new file mode 100644
index 0000000000000..b8bf98fc13ab9
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package sliceofstruct
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:maxItems=0
+	Max0Field []OtherStruct `json:"max0Field"`
+
+	// +k8s:maxItems=10
+	Max10Field []OtherStruct `json:"max10Field"`
+
+	// +k8s:maxItems=0
+	Max0TypedefField []OtherTypedefStruct `json:"max0TypedefField"`
+
+	// +k8s:maxItems=10
+	Max10TypedefField []OtherTypedefStruct `json:"max10TypedefField"`
+}
+
+type OtherStruct struct{}
+
+type OtherTypedefStruct OtherStruct
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc_test.go
new file mode 100644
index 0000000000000..ce38b50a75b8d
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/doc_test.go
@@ -0,0 +1,78 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sliceofstruct
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		// All zero values
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max0Field:         make([]OtherStruct, 0),
+		Max10Field:        make([]OtherStruct, 0),
+		Max0TypedefField:  make([]OtherTypedefStruct, 0),
+		Max10TypedefField: make([]OtherTypedefStruct, 0),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]OtherStruct, 1),
+		Max10TypedefField: make([]OtherTypedefStruct, 1),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]OtherStruct, 9),
+		Max10TypedefField: make([]OtherTypedefStruct, 9),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:        make([]OtherStruct, 10),
+		Max10TypedefField: make([]OtherTypedefStruct, 10),
+	}).ExpectValid()
+
+	testVal := &Struct{
+		Max0Field:         make([]OtherStruct, 1),
+		Max10Field:        make([]OtherStruct, 11),
+		Max0TypedefField:  make([]OtherTypedefStruct, 1),
+		Max10TypedefField: make([]OtherTypedefStruct, 11),
+	}
+	st.Value(testVal).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.TooMany(field.NewPath("max0Field"), 1, 0),
+		field.TooMany(field.NewPath("max10Field"), 11, 10),
+		field.TooMany(field.NewPath("max0TypedefField"), 1, 0),
+		field.TooMany(field.NewPath("max10TypedefField"), 11, 10),
+	})
+	// Test validation ratcheting
+	st.Value(&Struct{
+		Max0Field:         make([]OtherStruct, 1),
+		Max10Field:        make([]OtherStruct, 11),
+		Max0TypedefField:  make([]OtherTypedefStruct, 1),
+		Max10TypedefField: make([]OtherTypedefStruct, 11),
+	}).OldValue(&Struct{
+		Max0Field:         make([]OtherStruct, 1),
+		Max10Field:        make([]OtherStruct, 11),
+		Max0TypedefField:  make([]OtherTypedefStruct, 1),
+		Max10TypedefField: make([]OtherTypedefStruct, 11),
+	}).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/zz_generated.validations.go
new file mode 100644
index 0000000000000..aeed32b4ac1f2
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/slice_of_struct/zz_generated.validations.go
@@ -0,0 +1,134 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package sliceofstruct
+
+import (
+	context "context"
+	fmt "fmt"
+
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.Max0Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max0Field"), obj.Max0Field, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.Max0Field }), oldObj != nil)...)
+
+	// field Struct.Max10Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max10Field"), obj.Max10Field, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.Max10Field }), oldObj != nil)...)
+
+	// field Struct.Max0TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max0TypedefField"), obj.Max0TypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.Max0TypedefField }), oldObj != nil)...)
+
+	// field Struct.Max10TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []OtherTypedefStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("max10TypedefField"), obj.Max10TypedefField, safe.Field(oldObj, func(oldObj *Struct) []OtherTypedefStruct { return oldObj.Max10TypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc.go
new file mode 100644
index 0000000000000..c8cc890c44527
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package typedeftoslice
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+// Note: no validation here
+type UnvalidatedType []int
+
+// +k8s:maxItems=0
+type Max0Type []int
+
+// +k8s:maxItems=10
+type Max10Type []int
+
+// Note: no validation here
+type UnvalidatedPtrType []*int
+
+type SliceType []int
+
+// +k8s:maxItems=0
+type Max0TypedefType SliceType
+
+// +k8s:maxItems=10
+type Max10TypedefType SliceType
+
+type Struct struct {
+	TypeMeta int
+
+	UnvalidatedField UnvalidatedType `json:"unvalidatedField"`
+
+	Max0Field Max0Type `json:"max0Field"`
+
+	Max10Field Max10Type `json:"max10Field"`
+
+	Max0TypedefField Max0TypedefType `json:"max0TypedefField"`
+
+	Max10TypedefField Max10TypedefType `json:"max10TypedefField"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc_test.go
new file mode 100644
index 0000000000000..b5fe133e2d458
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/doc_test.go
@@ -0,0 +1,85 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package typedeftoslice
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		// All zero values
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 0),
+		Max0Field:         make(Max0Type, 0),
+		Max10Field:        make(Max10Type, 0),
+		Max0TypedefField:  make(Max0TypedefType, 0),
+		Max10TypedefField: make(Max10TypedefType, 0),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 1),
+		Max10Field:        make(Max10Type, 1),
+		Max10TypedefField: make(Max10TypedefType, 1),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 9),
+		Max10Field:        make(Max10Type, 9),
+		Max10TypedefField: make(Max10TypedefType, 9),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 10),
+		Max10Field:        make(Max10Type, 10),
+		Max10TypedefField: make(Max10TypedefType, 10),
+	}).ExpectValid()
+
+	testVal := &Struct{
+		UnvalidatedField:  make(UnvalidatedType, 11),
+		Max0Field:         make(Max0Type, 1),
+		Max10Field:        make(Max10Type, 11),
+		Max0TypedefField:  make(Max0TypedefType, 1),
+		Max10TypedefField: make(Max10TypedefType, 11),
+	}
+	st.Value(testVal).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.TooMany(field.NewPath("max0Field"), 1, 0),
+		field.TooMany(field.NewPath("max10Field"), 11, 10),
+		field.TooMany(field.NewPath("max0TypedefField"), 1, 0),
+		field.TooMany(field.NewPath("max10TypedefField"), 11, 10),
+	})
+	// Test validation ratcheting
+	st.Value(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 1),
+		Max0Field:         make(Max0Type, 1),
+		Max10Field:        make(Max10Type, 11),
+		Max0TypedefField:  make(Max0TypedefType, 1),
+		Max10TypedefField: make(Max10TypedefType, 11),
+	}).OldValue(&Struct{
+		UnvalidatedField:  make(UnvalidatedType, 1),
+		Max0Field:         make(Max0Type, 1),
+		Max10Field:        make(Max10Type, 11),
+		Max0TypedefField:  make(Max0TypedefType, 1),
+		Max10TypedefField: make(Max10TypedefType, 11),
+	}).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/zz_generated.validations.go
new file mode 100644
index 0000000000000..f4d9e47ea7159
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxitems/typedef_to_slice/zz_generated.validations.go
@@ -0,0 +1,167 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package typedeftoslice
+
+import (
+	context "context"
+	fmt "fmt"
+
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Max0Type validates an instance of Max0Type according
+// to declarative validation rules in the API schema.
+func Validate_Max0Type(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj Max0Type) (errs field.ErrorList) {
+	earlyReturn := false
+	if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
+	}
+
+	return errs
+}
+
+// Validate_Max0TypedefType validates an instance of Max0TypedefType according
+// to declarative validation rules in the API schema.
+func Validate_Max0TypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj Max0TypedefType) (errs field.ErrorList) {
+	earlyReturn := false
+	if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 0); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
+	}
+
+	return errs
+}
+
+// Validate_Max10Type validates an instance of Max10Type according
+// to declarative validation rules in the API schema.
+func Validate_Max10Type(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj Max10Type) (errs field.ErrorList) {
+	earlyReturn := false
+	if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
+	}
+
+	return errs
+}
+
+// Validate_Max10TypedefType validates an instance of Max10TypedefType according
+// to declarative validation rules in the API schema.
+func Validate_Max10TypedefType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj Max10TypedefType) (errs field.ErrorList) {
+	earlyReturn := false
+	if e := validate.MaxItems(ctx, op, fldPath, obj, oldObj, 10); len(e) != 0 {
+		errs = append(errs, e...)
+		earlyReturn = true
+	}
+	if earlyReturn {
+		return // do not proceed
+	}
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+	// field Struct.UnvalidatedField has no validation
+
+	// field Struct.Max0Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj Max0Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max0Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max0Field"), obj.Max0Field, safe.Field(oldObj, func(oldObj *Struct) Max0Type { return oldObj.Max0Field }), oldObj != nil)...)
+
+	// field Struct.Max10Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj Max10Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max10Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max10Field"), obj.Max10Field, safe.Field(oldObj, func(oldObj *Struct) Max10Type { return oldObj.Max10Field }), oldObj != nil)...)
+
+	// field Struct.Max0TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj Max0TypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max0TypedefType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max0TypedefField"), obj.Max0TypedefField, safe.Field(oldObj, func(oldObj *Struct) Max0TypedefType { return oldObj.Max0TypedefField }), oldObj != nil)...)
+
+	// field Struct.Max10TypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj Max10TypedefType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max10TypedefType(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max10TypedefField"), obj.Max10TypedefField, safe.Field(oldObj, func(oldObj *Struct) Max10TypedefType { return oldObj.Max10TypedefField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc.go
new file mode 100644
index 0000000000000..6d3109a89671a
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package maxlength
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:maxLength=0
+	Max0Field string `json:"max0Field"`
+
+	// +k8s:maxLength=0
+	Max0PtrField *string `json:"max0PtrField"`
+
+	// +k8s:maxLength=10
+	Max10Field string `json:"max10Field"`
+
+	// +k8s:maxLength=10
+	Max10PtrField *string `json:"max10PtrField"`
+
+	// +k8s:maxLength=0
+	Max0UnvalidatedTypedefField UnvalidatedStringType `json:"max0UnvalidatedTypedefField"`
+
+	// +k8s:maxLength=0
+	Max0UnvalidatedTypedefPtrField *UnvalidatedStringType `json:"max0UnvalidatedTypedefPtrField"`
+
+	// +k8s:maxLength=10
+	Max10UnvalidatedTypedefField UnvalidatedStringType `json:"max10UnvalidatedTypedefField"`
+
+	// +k8s:maxLength=10
+	Max10UnvalidatedTypedefPtrField *UnvalidatedStringType `json:"max10UnvalidatedTypedefPtrField"`
+
+	// Note: no validation here
+	Max0ValidatedTypedefField Max0Type `json:"max0ValidatedTypedefField"`
+
+	// Note: no validation here
+	Max0ValidatedTypedefPtrField *Max0Type `json:"max0ValidatedTypedefPtrField"`
+
+	// Note: no validation here
+	Max10ValidatedTypedefField Max10Type `json:"max10ValidatedTypedefField"`
+
+	// Note: no validation here
+	Max10ValidatedTypedefPtrField *Max10Type `json:"max10ValidatedTypedefPtrField"`
+}
+
+// Note: no validation here
+type UnvalidatedStringType string
+
+// +k8s:maxLength=0
+type Max0Type string
+
+// +k8s:maxLength=10
+type Max10Type string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc_test.go
new file mode 100644
index 0000000000000..6524a47142583
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/doc_test.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package maxlength
+
+import (
+	"strings"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		// All zero values
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:                      strings.Repeat("x", 1),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 1)),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 1)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 1))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 1)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 1))),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:                      strings.Repeat("x", 9),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 9)),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 9)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 9))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 9)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 9))),
+	}).ExpectValid()
+
+	st.Value(&Struct{
+		Max10Field:                      strings.Repeat("x", 10),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 10)),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 10)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 10))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 10)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 10))),
+	}).ExpectValid()
+
+	testVal := &Struct{
+		Max0Field:                       strings.Repeat("x", 1),
+		Max0PtrField:                    ptr.To(strings.Repeat("x", 1)),
+		Max10Field:                      strings.Repeat("x", 11),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 11)),
+		Max0UnvalidatedTypedefField:     UnvalidatedStringType(strings.Repeat("x", 1)),
+		Max0UnvalidatedTypedefPtrField:  ptr.To(UnvalidatedStringType(strings.Repeat("x", 1))),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 11)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 11))),
+		Max0ValidatedTypedefField:       Max0Type(strings.Repeat("x", 1)),
+		Max0ValidatedTypedefPtrField:    ptr.To(Max0Type(strings.Repeat("x", 1))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 11)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 11))),
+	}
+	st.Value(testVal).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.TooLong(field.NewPath("max0Field"), nil, 0),
+		field.TooLong(field.NewPath("max0PtrField"), nil, 0),
+		field.TooLong(field.NewPath("max10Field"), nil, 10),
+		field.TooLong(field.NewPath("max10PtrField"), nil, 10),
+		field.TooLong(field.NewPath("max0UnvalidatedTypedefField"), nil, 0),
+		field.TooLong(field.NewPath("max0UnvalidatedTypedefPtrField"), nil, 0),
+		field.TooLong(field.NewPath("max10UnvalidatedTypedefField"), nil, 10),
+		field.TooLong(field.NewPath("max10UnvalidatedTypedefPtrField"), nil, 10),
+		field.TooLong(field.NewPath("max0ValidatedTypedefField"), nil, 0),
+		field.TooLong(field.NewPath("max0ValidatedTypedefPtrField"), nil, 0),
+		field.TooLong(field.NewPath("max10ValidatedTypedefField"), nil, 10),
+		field.TooLong(field.NewPath("max10ValidatedTypedefPtrField"), nil, 10),
+	})
+
+	// Test validation ratcheting
+	st.Value(&Struct{
+		Max0Field:                       strings.Repeat("x", 1),
+		Max0PtrField:                    ptr.To(strings.Repeat("x", 1)),
+		Max10Field:                      strings.Repeat("x", 11),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 11)),
+		Max0UnvalidatedTypedefField:     UnvalidatedStringType(strings.Repeat("x", 1)),
+		Max0UnvalidatedTypedefPtrField:  ptr.To(UnvalidatedStringType(strings.Repeat("x", 1))),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 11)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 11))),
+		Max0ValidatedTypedefField:       Max0Type(strings.Repeat("x", 1)),
+		Max0ValidatedTypedefPtrField:    ptr.To(Max0Type(strings.Repeat("x", 1))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 11)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 11))),
+	}).OldValue(&Struct{
+		Max0Field:                       strings.Repeat("x", 1),
+		Max0PtrField:                    ptr.To(strings.Repeat("x", 1)),
+		Max10Field:                      strings.Repeat("x", 11),
+		Max10PtrField:                   ptr.To(strings.Repeat("x", 11)),
+		Max0UnvalidatedTypedefField:     UnvalidatedStringType(strings.Repeat("x", 1)),
+		Max0UnvalidatedTypedefPtrField:  ptr.To(UnvalidatedStringType(strings.Repeat("x", 1))),
+		Max10UnvalidatedTypedefField:    UnvalidatedStringType(strings.Repeat("x", 11)),
+		Max10UnvalidatedTypedefPtrField: ptr.To(UnvalidatedStringType(strings.Repeat("x", 11))),
+		Max0ValidatedTypedefField:       Max0Type(strings.Repeat("x", 1)),
+		Max0ValidatedTypedefPtrField:    ptr.To(Max0Type(strings.Repeat("x", 1))),
+		Max10ValidatedTypedefField:      Max10Type(strings.Repeat("x", 11)),
+		Max10ValidatedTypedefPtrField:   ptr.To(Max10Type(strings.Repeat("x", 11))),
+	}).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/zz_generated.validations.go
new file mode 100644
index 0000000000000..3ae14972d82d4
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/maxlength/zz_generated.validations.go
@@ -0,0 +1,217 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package maxlength
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Max0Type validates an instance of Max0Type according
+// to declarative validation rules in the API schema.
+func Validate_Max0Type(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Max0Type) (errs field.ErrorList) {
+	errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 0)...)
+
+	return errs
+}
+
+// Validate_Max10Type validates an instance of Max10Type according
+// to declarative validation rules in the API schema.
+func Validate_Max10Type(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Max10Type) (errs field.ErrorList) {
+	errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 10)...)
+
+	return errs
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.Max0Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 0)...)
+			return
+		}(fldPath.Child("max0Field"), &obj.Max0Field, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.Max0Field }), oldObj != nil)...)
+
+	// field Struct.Max0PtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 0)...)
+			return
+		}(fldPath.Child("max0PtrField"), obj.Max0PtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.Max0PtrField }), oldObj != nil)...)
+
+	// field Struct.Max10Field
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 10)...)
+			return
+		}(fldPath.Child("max10Field"), &obj.Max10Field, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.Max10Field }), oldObj != nil)...)
+
+	// field Struct.Max10PtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 10)...)
+			return
+		}(fldPath.Child("max10PtrField"), obj.Max10PtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.Max10PtrField }), oldObj != nil)...)
+
+	// field Struct.Max0UnvalidatedTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *UnvalidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 0)...)
+			return
+		}(fldPath.Child("max0UnvalidatedTypedefField"), &obj.Max0UnvalidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *UnvalidatedStringType { return &oldObj.Max0UnvalidatedTypedefField }), oldObj != nil)...)
+
+	// field Struct.Max0UnvalidatedTypedefPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *UnvalidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 0)...)
+			return
+		}(fldPath.Child("max0UnvalidatedTypedefPtrField"), obj.Max0UnvalidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *UnvalidatedStringType { return oldObj.Max0UnvalidatedTypedefPtrField }), oldObj != nil)...)
+
+	// field Struct.Max10UnvalidatedTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *UnvalidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 10)...)
+			return
+		}(fldPath.Child("max10UnvalidatedTypedefField"), &obj.Max10UnvalidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *UnvalidatedStringType { return &oldObj.Max10UnvalidatedTypedefField }), oldObj != nil)...)
+
+	// field Struct.Max10UnvalidatedTypedefPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *UnvalidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.MaxLength(ctx, op, fldPath, obj, oldObj, 10)...)
+			return
+		}(fldPath.Child("max10UnvalidatedTypedefPtrField"), obj.Max10UnvalidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *UnvalidatedStringType { return oldObj.Max10UnvalidatedTypedefPtrField }), oldObj != nil)...)
+
+	// field Struct.Max0ValidatedTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Max0Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max0Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max0ValidatedTypedefField"), &obj.Max0ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *Max0Type { return &oldObj.Max0ValidatedTypedefField }), oldObj != nil)...)
+
+	// field Struct.Max0ValidatedTypedefPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Max0Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max0Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max0ValidatedTypedefPtrField"), obj.Max0ValidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *Max0Type { return oldObj.Max0ValidatedTypedefPtrField }), oldObj != nil)...)
+
+	// field Struct.Max10ValidatedTypedefField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Max10Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max10Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max10ValidatedTypedefField"), &obj.Max10ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *Max10Type { return &oldObj.Max10ValidatedTypedefField }), oldObj != nil)...)
+
+	// field Struct.Max10ValidatedTypedefPtrField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *Max10Type, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
+			errs = append(errs, Validate_Max10Type(ctx, op, fldPath, obj, oldObj)...)
+			return
+		}(fldPath.Child("max10ValidatedTypedefPtrField"), obj.Max10ValidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *Max10Type { return oldObj.Max10ValidatedTypedefPtrField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc.go
index b9bd2b9276df1..082320aef4e8b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc.go
@@ -53,9 +53,7 @@ type Struct struct {
 	// +k8s:minimum=1
 	Uint64Field uint64 `json:"uint64Field"`
 
-	// +k8s:minimum=1
-	TypedefField IntType `json:"typedefField"`
-	// +k8s:minimum=1
+	TypedefField    IntType  `json:"typedefField"`
 	TypedefPtrField *IntType `json:"typedefPtrField"`
 }
 
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc_test.go
index 46d416e2f28e2..971228d6aaf6d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/doc_test.go
@@ -19,7 +19,6 @@ package minimum
 import (
 	"testing"
 
-	"k8s.io/apimachinery/pkg/api/validate/content"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 )
@@ -32,20 +31,20 @@ func Test(t *testing.T) {
 		IntPtrField:     ptr.To(0),
 		UintPtrField:    ptr.To(uint(0)),
 		TypedefPtrField: ptr.To(IntType(0)),
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("intField"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("intPtrField"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("int16Field"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("int32Field"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("int64Field"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("uintField"), uint(0), content.MinError(1)),
-		field.Invalid(field.NewPath("uintPtrField"), uint(0), content.MinError(1)),
-		field.Invalid(field.NewPath("uint16Field"), uint(0), content.MinError(1)),
-		field.Invalid(field.NewPath("uint32Field"), uint(0), content.MinError(1)),
-		field.Invalid(field.NewPath("uint64Field"), uint(0), content.MinError(1)),
-		field.Invalid(field.NewPath("typedefField"), 0, content.MinError(1)),
-		field.Invalid(field.NewPath("typedefPtrField"), 0, content.MinError(1)),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring(), field.ErrorList{
+		field.Invalid(field.NewPath("intField"), nil, ""),
+		field.Invalid(field.NewPath("intPtrField"), nil, ""),
+		field.Invalid(field.NewPath("int16Field"), nil, ""),
+		field.Invalid(field.NewPath("int32Field"), nil, ""),
+		field.Invalid(field.NewPath("int64Field"), nil, ""),
+		field.Invalid(field.NewPath("uintField"), nil, ""),
+		field.Invalid(field.NewPath("uintPtrField"), nil, ""),
+		field.Invalid(field.NewPath("uint16Field"), nil, ""),
+		field.Invalid(field.NewPath("uint32Field"), nil, ""),
+		field.Invalid(field.NewPath("uint64Field"), nil, ""),
+		field.Invalid(field.NewPath("typedefField"), nil, ""),
+		field.Invalid(field.NewPath("typedefPtrField"), nil, ""),
+	})
 	// Test validation ratcheting
 	st.Value(&Struct{
 		IntPtrField:     ptr.To(0),
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/zz_generated.validations.go
index 214956651418b..30f89bbe4a652 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/minimum/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,140 +48,162 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_IntType validates an instance of IntType according
+// to declarative validation rules in the API schema.
 func Validate_IntType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-	// type IntType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field Struct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	// field Struct.Int16Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int16) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int16, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("int16Field"), &obj.Int16Field, safe.Field(oldObj, func(oldObj *Struct) *int16 { return &oldObj.Int16Field }))...)
+		}(fldPath.Child("int16Field"), &obj.Int16Field, safe.Field(oldObj, func(oldObj *Struct) *int16 { return &oldObj.Int16Field }), oldObj != nil)...)
 
 	// field Struct.Int32Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int32) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("int32Field"), &obj.Int32Field, safe.Field(oldObj, func(oldObj *Struct) *int32 { return &oldObj.Int32Field }))...)
+		}(fldPath.Child("int32Field"), &obj.Int32Field, safe.Field(oldObj, func(oldObj *Struct) *int32 { return &oldObj.Int32Field }), oldObj != nil)...)
 
 	// field Struct.Int64Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("int64Field"), &obj.Int64Field, safe.Field(oldObj, func(oldObj *Struct) *int64 { return &oldObj.Int64Field }))...)
+		}(fldPath.Child("int64Field"), &obj.Int64Field, safe.Field(oldObj, func(oldObj *Struct) *int64 { return &oldObj.Int64Field }), oldObj != nil)...)
 
 	// field Struct.UintField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *uint) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *uint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("uintField"), &obj.UintField, safe.Field(oldObj, func(oldObj *Struct) *uint { return &oldObj.UintField }))...)
+		}(fldPath.Child("uintField"), &obj.UintField, safe.Field(oldObj, func(oldObj *Struct) *uint { return &oldObj.UintField }), oldObj != nil)...)
 
 	// field Struct.UintPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *uint) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *uint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("uintPtrField"), obj.UintPtrField, safe.Field(oldObj, func(oldObj *Struct) *uint { return oldObj.UintPtrField }))...)
+		}(fldPath.Child("uintPtrField"), obj.UintPtrField, safe.Field(oldObj, func(oldObj *Struct) *uint { return oldObj.UintPtrField }), oldObj != nil)...)
 
 	// field Struct.Uint16Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *uint16) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *uint16, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("uint16Field"), &obj.Uint16Field, safe.Field(oldObj, func(oldObj *Struct) *uint16 { return &oldObj.Uint16Field }))...)
+		}(fldPath.Child("uint16Field"), &obj.Uint16Field, safe.Field(oldObj, func(oldObj *Struct) *uint16 { return &oldObj.Uint16Field }), oldObj != nil)...)
 
 	// field Struct.Uint32Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *uint32) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *uint32, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("uint32Field"), &obj.Uint32Field, safe.Field(oldObj, func(oldObj *Struct) *uint32 { return &oldObj.Uint32Field }))...)
+		}(fldPath.Child("uint32Field"), &obj.Uint32Field, safe.Field(oldObj, func(oldObj *Struct) *uint32 { return &oldObj.Uint32Field }), oldObj != nil)...)
 
 	// field Struct.Uint64Field
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *uint64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *uint64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
 			return
-		}(fldPath.Child("uint64Field"), &obj.Uint64Field, safe.Field(oldObj, func(oldObj *Struct) *uint64 { return &oldObj.Uint64Field }))...)
+		}(fldPath.Child("uint64Field"), &obj.Uint64Field, safe.Field(oldObj, func(oldObj *Struct) *uint64 { return &oldObj.Uint64Field }), oldObj != nil)...)
 
 	// field Struct.TypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
+			// call the type's validation function
 			errs = append(errs, Validate_IntType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefField"), &obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.TypedefField }))...)
+		}(fldPath.Child("typedefField"), &obj.TypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.TypedefField }), oldObj != nil)...)
 
 	// field Struct.TypedefPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.Minimum(ctx, op, fldPath, obj, oldObj, 1)...)
+			// call the type's validation function
 			errs = append(errs, Validate_IntType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("typedefPtrField"), obj.TypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return oldObj.TypedefPtrField }))...)
+		}(fldPath.Child("typedefPtrField"), obj.TypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return oldObj.TypedefPtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neq/neqchained/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neq/neqchained/zz_generated.validations.go
index 1c24977a64f50..c220d01acbdfb 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neq/neqchained/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neq/neqchained/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,107 +49,135 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *InnerStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *InnerStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *InnerStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-subfield")
-			})...)
+			// call field-attached validations
+			func() { // cohort stringField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *InnerStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-subfield")
+				})...)
+			}()
 			return
-		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *InnerStruct { return &oldObj.StructField }))...)
+		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *InnerStruct { return &oldObj.StructField }), oldObj != nil)...)
 
 	// field Struct.StructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *InnerStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *InnerStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *InnerStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-subfield-ptr")
-			})...)
+			func() { // cohort stringField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *InnerStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-subfield-ptr")
+				})...)
+			}()
 			return
-		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *InnerStruct { return oldObj.StructPtrField }))...)
+		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *InnerStruct { return oldObj.StructPtrField }), oldObj != nil)...)
 
 	// field Struct.StringSliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-slice")
 			})...)
 			return
-		}(fldPath.Child("stringSliceField"), obj.StringSliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.StringSliceField }))...)
+		}(fldPath.Child("stringSliceField"), obj.StringSliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.StringSliceField }), oldObj != nil)...)
 
 	// field Struct.StringMapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-map-val")
 			})...)
 			return
-		}(fldPath.Child("stringMapField"), obj.StringMapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.StringMapField }))...)
+		}(fldPath.Child("stringMapField"), obj.StringMapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.StringMapField }), oldObj != nil)...)
 
 	// field Struct.StringMapKeyField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 				return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-key")
 			})...)
 			return
-		}(fldPath.Child("stringMapKeyField"), obj.StringMapKeyField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.StringMapKeyField }))...)
+		}(fldPath.Child("stringMapKeyField"), obj.StringMapKeyField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.StringMapKeyField }), oldObj != nil)...)
 
 	// field Struct.ValidatedSliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj ValidatedStringSlice) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj ValidatedStringSlice, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedStringSlice(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedSliceField"), obj.ValidatedSliceField, safe.Field(oldObj, func(oldObj *Struct) ValidatedStringSlice { return oldObj.ValidatedSliceField }))...)
+		}(fldPath.Child("validatedSliceField"), obj.ValidatedSliceField, safe.Field(oldObj, func(oldObj *Struct) ValidatedStringSlice { return oldObj.ValidatedSliceField }), oldObj != nil)...)
 
 	// field Struct.ValidatedStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ValidatedInnerStruct) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ValidatedInnerStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedInnerStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedStructField"), &obj.ValidatedStructField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedInnerStruct { return &oldObj.ValidatedStructField }))...)
+		}(fldPath.Child("validatedStructField"), &obj.ValidatedStructField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedInnerStruct { return &oldObj.ValidatedStructField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedInnerStruct validates an instance of ValidatedInnerStruct according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedInnerStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedInnerStruct) (errs field.ErrorList) {
-	// type ValidatedInnerStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
-	errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *ValidatedInnerStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-		return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-typedef-struct")
-	})...)
+	func() { // cohort stringField
+		errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *ValidatedInnerStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+			return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-typedef-struct")
+		})...)
+	}()
 
 	// field ValidatedInnerStruct.StringField has no validation
 	return errs
 }
 
+// Validate_ValidatedStringSlice validates an instance of ValidatedStringSlice according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedStringSlice(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj ValidatedStringSlice) (errs field.ErrorList) {
-	// type ValidatedStringSlice
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
 		return validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-typedef")
 	})...)
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqbool/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqbool/zz_generated.validations.go
index 9c8ff56b822a6..3eb857925bf5f 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqbool/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqbool/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,44 +48,53 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.NeqTrueField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, true)...)
 			return
-		}(fldPath.Child("neqTrueField"), &obj.NeqTrueField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.NeqTrueField }))...)
+		}(fldPath.Child("neqTrueField"), &obj.NeqTrueField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.NeqTrueField }), oldObj != nil)...)
 
 	// field Struct.NeqFalsePtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, false)...)
 			return
-		}(fldPath.Child("neqFalsePtrField"), obj.NeqFalsePtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.NeqFalsePtrField }))...)
+		}(fldPath.Child("neqFalsePtrField"), obj.NeqFalsePtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.NeqFalsePtrField }), oldObj != nil)...)
 
 	// field Struct.ValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ValidatedBoolType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ValidatedBoolType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedBoolType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedBoolType { return &oldObj.ValidatedTypedefField }))...)
+		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedBoolType { return &oldObj.ValidatedTypedefField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedBoolType validates an instance of ValidatedBoolType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedBoolType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedBoolType) (errs field.ErrorList) {
-	// type ValidatedBoolType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, true)...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqint/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqint/zz_generated.validations.go
index e2d07749be58d..6bbd8079a5481 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqint/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqint/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,54 +48,65 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, 0)...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field Struct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, -1)...)
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	// field Struct.IntTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, 42)...)
 			return
-		}(fldPath.Child("intTypedefField"), &obj.IntTypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.IntTypedefField }))...)
+		}(fldPath.Child("intTypedefField"), &obj.IntTypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.IntTypedefField }), oldObj != nil)...)
 
 	// field Struct.ValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ValidatedIntType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ValidatedIntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedIntType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedIntType { return &oldObj.ValidatedTypedefField }))...)
+		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedIntType { return &oldObj.ValidatedTypedefField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedIntType validates an instance of ValidatedIntType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedIntType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedIntType) (errs field.ErrorList) {
-	// type ValidatedIntType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, 100)...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqstring/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqstring/zz_generated.validations.go
index c83680d0c3719..1f6f9c40990a9 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqstring/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/neq/neqstring/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,71 +48,89 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-string")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field Struct.StringPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-pointer")...)
 			return
-		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }))...)
+		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }), oldObj != nil)...)
 
 	// field Struct.StringTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-typedef")...)
 			return
-		}(fldPath.Child("stringTypedefField"), &obj.StringTypedefField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return &oldObj.StringTypedefField }))...)
+		}(fldPath.Child("stringTypedefField"), &obj.StringTypedefField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return &oldObj.StringTypedefField }), oldObj != nil)...)
 
 	// field Struct.StringTypedefPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-typedef-pointer")...)
 			return
-		}(fldPath.Child("stringTypedefPtrField"), obj.StringTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return oldObj.StringTypedefPtrField }))...)
+		}(fldPath.Child("stringTypedefPtrField"), obj.StringTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return oldObj.StringTypedefPtrField }), oldObj != nil)...)
 
 	// field Struct.ValidatedTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ValidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedStringType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedStringType { return &oldObj.ValidatedTypedefField }))...)
+		}(fldPath.Child("validatedTypedefField"), &obj.ValidatedTypedefField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedStringType { return &oldObj.ValidatedTypedefField }), oldObj != nil)...)
 
 	// field Struct.ValidatedTypedefPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *ValidatedStringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call the type's validation function
 			errs = append(errs, Validate_ValidatedStringType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("validatedTypedefPtrField"), obj.ValidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedStringType { return oldObj.ValidatedTypedefPtrField }))...)
+		}(fldPath.Child("validatedTypedefPtrField"), obj.ValidatedTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *ValidatedStringType { return oldObj.ValidatedTypedefPtrField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_ValidatedStringType validates an instance of ValidatedStringType according
+// to declarative validation rules in the API schema.
 func Validate_ValidatedStringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ValidatedStringType) (errs field.ErrorList) {
-	// type ValidatedStringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.NEQ(ctx, op, fldPath, obj, oldObj, "disallowed-on-type")...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/opaque/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/opaque/zz_generated.validations.go
index f431a2c11d4bf..932b5fc900a2e 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/opaque/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/opaque/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type OtherString
 	scheme.AddValidationFunc((*OtherString)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type OtherStruct
 	scheme.AddValidationFunc((*OtherStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -52,6 +54,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -59,6 +62,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type TypedefMapOther
 	scheme.AddValidationFunc((TypedefMapOther)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -66,6 +70,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type TypedefSliceOther
 	scheme.AddValidationFunc((TypedefSliceOther)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -76,149 +81,183 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_OtherString validates an instance of OtherString according
+// to declarative validation rules in the API schema.
 func Validate_OtherString(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherString) (errs field.ErrorList) {
-	// type OtherString
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherString")...)
 
 	return errs
 }
 
+// Validate_OtherStruct validates an instance of OtherStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-	// type OtherStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherStruct")...)
 
 	// field OtherStruct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field OtherStruct.StringField")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *OtherStruct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *OtherStruct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StructField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_OtherStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }))...)
+		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }), oldObj != nil)...)
 
 	// field Struct.StructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StructPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_OtherStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }))...)
+		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }), oldObj != nil)...)
 
 	// field Struct.OpaqueStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.OpaqueStructField")...)
 			return
-		}(fldPath.Child("opaqueStructField"), &obj.OpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.OpaqueStructField }))...)
+		}(fldPath.Child("opaqueStructField"), &obj.OpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.OpaqueStructField }), oldObj != nil)...)
 
 	// field Struct.OpaqueStructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.OpaqueStructPtrField")...)
 			return
-		}(fldPath.Child("opaqueStructPtrField"), obj.OpaqueStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.OpaqueStructPtrField }))...)
+		}(fldPath.Child("opaqueStructPtrField"), obj.OpaqueStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.OpaqueStructPtrField }), oldObj != nil)...)
 
 	// field Struct.SliceOfStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceOfStructField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceOfStructField vals")
 			})...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("sliceOfStructField"), obj.SliceOfStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.SliceOfStructField }))...)
+		}(fldPath.Child("sliceOfStructField"), obj.SliceOfStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.SliceOfStructField }), oldObj != nil)...)
 
 	// field Struct.SliceOfOpaqueStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceOfOpaqueStructField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceOfOpaqueStructField vals")
 			})...)
 			return
-		}(fldPath.Child("sliceOfOpaqueStructField"), obj.SliceOfOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.SliceOfOpaqueStructField }))...)
+		}(fldPath.Child("sliceOfOpaqueStructField"), obj.SliceOfOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.SliceOfOpaqueStructField }), oldObj != nil)...)
 
 	// field Struct.ListMapOfStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListMapOfStructField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.StringField == b.StringField }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListMapOfStructField vals")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.StringField == b.StringField })...)
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.StringField == b.StringField }, validate.DirectEqual, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("listMapOfStructField"), obj.ListMapOfStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListMapOfStructField }))...)
+		}(fldPath.Child("listMapOfStructField"), obj.ListMapOfStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListMapOfStructField }), oldObj != nil)...)
 
 	// field Struct.ListMapOfOpaqueStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListMapOfOpaqueStructField")...)
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.StringField == b.StringField }, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ListMapOfOpaqueStructField vals")
 			})...)
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a OtherStruct, b OtherStruct) bool { return a.StringField == b.StringField })...)
 			return
-		}(fldPath.Child("listMapOfOpaqueStructField"), obj.ListMapOfOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListMapOfOpaqueStructField }))...)
+		}(fldPath.Child("listMapOfOpaqueStructField"), obj.ListMapOfOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) []OtherStruct { return oldObj.ListMapOfOpaqueStructField }), oldObj != nil)...)
 
 	// field Struct.MapOfStringToStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[OtherString]OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[OtherString]OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherString) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapOfStringToStructField keys")
 			})...)
@@ -226,17 +265,21 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapOfStringToStructField vals")
 			})...)
+			// iterate the map and call the key type's validation function
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, Validate_OtherString)...)
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_OtherStruct)...)
 			return
-		}(fldPath.Child("mapOfStringToStructField"), obj.MapOfStringToStructField, safe.Field(oldObj, func(oldObj *Struct) map[OtherString]OtherStruct { return oldObj.MapOfStringToStructField }))...)
+		}(fldPath.Child("mapOfStringToStructField"), obj.MapOfStringToStructField, safe.Field(oldObj, func(oldObj *Struct) map[OtherString]OtherStruct { return oldObj.MapOfStringToStructField }), oldObj != nil)...)
 
 	// field Struct.MapOfStringToOpaqueStructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[OtherString]OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[OtherString]OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.EachMapKey(ctx, op, fldPath, obj, oldObj, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherString) field.ErrorList {
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapOfStringToOpaqueStructField keys")
 			})...)
@@ -245,26 +288,22 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapOfStringToOpaqueStructField vals")
 			})...)
 			return
-		}(fldPath.Child("mapOfStringToOpaqueStructField"), obj.MapOfStringToOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) map[OtherString]OtherStruct { return oldObj.MapOfStringToOpaqueStructField }))...)
+		}(fldPath.Child("mapOfStringToOpaqueStructField"), obj.MapOfStringToOpaqueStructField, safe.Field(oldObj, func(oldObj *Struct) map[OtherString]OtherStruct { return oldObj.MapOfStringToOpaqueStructField }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_TypedefMapOther validates an instance of TypedefMapOther according
+// to declarative validation rules in the API schema.
 func Validate_TypedefMapOther(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj TypedefMapOther) (errs field.ErrorList) {
-	// type TypedefMapOther
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "type TypedefMapOther")...)
 
 	return errs
 }
 
+// Validate_TypedefSliceOther validates an instance of TypedefSliceOther according
+// to declarative validation rules in the API schema.
 func Validate_TypedefSliceOther(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj TypedefSliceOther) (errs field.ErrorList) {
-	// type TypedefSliceOther
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "type TypedefSliceOther")...)
 
 	return errs
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/doc_test.go
index 18841fe4f7f1c..798a24c3bf8fc 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/doc_test.go
@@ -19,6 +19,7 @@ package nonzerodefaults
 import (
 	"testing"
 
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 )
 
@@ -27,13 +28,13 @@ func Test(t *testing.T) {
 
 	st.Value(&Struct{
 		// All zero-values.
-	}).ExpectRegexpsByPath(map[string][]string{
-		"stringField":    {"Required value"},
-		"stringPtrField": {"Required value"},
-		"intField":       {"Required value"},
-		"intPtrField":    {"Required value"},
-		"boolField":      {"Required value"},
-		"boolPtrField":   {"Required value"},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Required(field.NewPath("stringField"), ""),
+		field.Required(field.NewPath("stringPtrField"), ""),
+		field.Required(field.NewPath("intField"), ""),
+		field.Required(field.NewPath("intPtrField"), ""),
+		field.Required(field.NewPath("boolField"), ""),
+		field.Required(field.NewPath("boolPtrField"), ""),
 	})
 
 	st.Value(&Struct{
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/zz_generated.validations.go
index 996057dcd705a..992a631b8857e 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/nonzero_defaults/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,92 +48,130 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field Struct.StringPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }))...)
+		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }), oldObj != nil)...)
 
 	// field Struct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field Struct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	// field Struct.BoolField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("boolField"), &obj.BoolField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.BoolField }))...)
+		}(fldPath.Child("boolField"), &obj.BoolField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.BoolField }), oldObj != nil)...)
 
 	// field Struct.BoolPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("boolPtrField"), obj.BoolPtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BoolPtrField }))...)
+		}(fldPath.Child("boolPtrField"), obj.BoolPtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BoolPtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/doc_test.go
index 1a09a9418e06f..886b0829e5061 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/doc_test.go
@@ -19,6 +19,7 @@ package zerodefaults
 import (
 	"testing"
 
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 )
 
@@ -27,13 +28,13 @@ func Test(t *testing.T) {
 
 	st.Value(&Struct{
 		// All zero-values.
-	}).ExpectRegexpsByPath(map[string][]string{
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
 		// "stringField": optional value fields with zero defaults are just docs
 		// "intField": optional value fields with zero defaults are just docs
 		// "boolField": optional value fields with zero defaults are just docs
-		"stringPtrField": {"Required value"},
-		"intPtrField":    {"Required value"},
-		"boolPtrField":   {"Required value"},
+		field.Required(field.NewPath("stringPtrField"), ""),
+		field.Required(field.NewPath("intPtrField"), ""),
+		field.Required(field.NewPath("boolPtrField"), ""),
 	})
 
 	st.Value(&Struct{
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/zz_generated.validations.go
index 2cbb773d7b324..dbf159a1eb807 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zero_defaults/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,80 +48,91 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
-			}
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field Struct.StringPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }))...)
+		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }), oldObj != nil)...)
 
 	// field Struct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
-			}
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field Struct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	// field Struct.BoolField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
 			// optional value-type fields with zero-value defaults are purely documentation
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
-			}
 			return
-		}(fldPath.Child("boolField"), &obj.BoolField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.BoolField }))...)
+		}(fldPath.Child("boolField"), &obj.BoolField, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.BoolField }), oldObj != nil)...)
 
 	// field Struct.BoolPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			// optional fields with default values are effectively required
 			if e := validate.RequiredPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
 				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("boolPtrField"), obj.BoolPtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BoolPtrField }))...)
+		}(fldPath.Child("boolPtrField"), obj.BoolPtrField, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BoolPtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zz_generated.validations.go
index 9f187794952c3..71a430d50c6b5 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/optional/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,234 +49,311 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_IntType validates an instance of IntType according
+// to declarative validation rules in the API schema.
 func Validate_IntType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-	// type IntType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type IntType")...)
 
 	return errs
 }
 
+// Validate_MapType validates an instance of MapType according
+// to declarative validation rules in the API schema.
 func Validate_MapType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-	// type MapType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type MapType")...)
 
 	return errs
 }
 
+// Validate_OtherStruct validates an instance of OtherStruct according
+// to declarative validation rules in the API schema.
 func Validate_OtherStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-	// type OtherStruct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type OtherStruct")...)
 
 	return errs
 }
 
+// Validate_SliceType validates an instance of SliceType according
+// to declarative validation rules in the API schema.
 func Validate_SliceType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj SliceType) (errs field.ErrorList) {
-	// type SliceType
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type SliceType")...)
 
 	return errs
 }
 
+// Validate_StringType validates an instance of StringType according
+// to declarative validation rules in the API schema.
 func Validate_StringType(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-	// type StringType
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type StringType")...)
 
 	return errs
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StringField")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	// field Struct.StringPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StringPtrField")...)
 			return
-		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }))...)
+		}(fldPath.Child("stringPtrField"), obj.StringPtrField, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.StringPtrField }), oldObj != nil)...)
 
 	// field Struct.StringTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StringTypedefField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_StringType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("stringTypedefField"), &obj.StringTypedefField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return &oldObj.StringTypedefField }))...)
+		}(fldPath.Child("stringTypedefField"), &obj.StringTypedefField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return &oldObj.StringTypedefField }), oldObj != nil)...)
 
 	// field Struct.StringTypedefPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *StringType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *StringType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StringTypedefPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_StringType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("stringTypedefPtrField"), obj.StringTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return oldObj.StringTypedefPtrField }))...)
+		}(fldPath.Child("stringTypedefPtrField"), obj.StringTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *StringType { return oldObj.StringTypedefPtrField }), oldObj != nil)...)
 
 	// field Struct.IntField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.IntField")...)
 			return
-		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }))...)
+		}(fldPath.Child("intField"), &obj.IntField, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.IntField }), oldObj != nil)...)
 
 	// field Struct.IntPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.IntPtrField")...)
 			return
-		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }))...)
+		}(fldPath.Child("intPtrField"), obj.IntPtrField, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IntPtrField }), oldObj != nil)...)
 
 	// field Struct.IntTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.IntTypedefField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_IntType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("intTypedefField"), &obj.IntTypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.IntTypedefField }))...)
+		}(fldPath.Child("intTypedefField"), &obj.IntTypedefField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return &oldObj.IntTypedefField }), oldObj != nil)...)
 
 	// field Struct.IntTypedefPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *IntType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *IntType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.IntTypedefPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_IntType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("intTypedefPtrField"), obj.IntTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return oldObj.IntTypedefPtrField }))...)
+		}(fldPath.Child("intTypedefPtrField"), obj.IntTypedefPtrField, safe.Field(oldObj, func(oldObj *Struct) *IntType { return oldObj.IntTypedefPtrField }), oldObj != nil)...)
 
 	// field Struct.OtherStructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.OtherStructPtrField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_OtherStruct(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("otherStructPtrField"), obj.OtherStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.OtherStructPtrField }))...)
+		}(fldPath.Child("otherStructPtrField"), obj.OtherStructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.OtherStructPtrField }), oldObj != nil)...)
 
 	// field Struct.SliceField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceField")...)
 			return
-		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceField }))...)
+		}(fldPath.Child("sliceField"), obj.SliceField, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.SliceField }), oldObj != nil)...)
 
 	// field Struct.SliceTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj SliceType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj SliceType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalSlice(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.SliceTypedefField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_SliceType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("sliceTypedefField"), obj.SliceTypedefField, safe.Field(oldObj, func(oldObj *Struct) SliceType { return oldObj.SliceTypedefField }))...)
+		}(fldPath.Child("sliceTypedefField"), obj.SliceTypedefField, safe.Field(oldObj, func(oldObj *Struct) SliceType { return oldObj.SliceTypedefField }), oldObj != nil)...)
 
 	// field Struct.MapField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]string) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalMap(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapField")...)
 			return
-		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }))...)
+		}(fldPath.Child("mapField"), obj.MapField, safe.Field(oldObj, func(oldObj *Struct) map[string]string { return oldObj.MapField }), oldObj != nil)...)
 
 	// field Struct.MapTypedefField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj MapType) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj MapType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalMap(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.MapTypedefField")...)
+			// call the type's validation function
 			errs = append(errs, Validate_MapType(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapTypedefField }))...)
+		}(fldPath.Child("mapTypedefField"), obj.MapTypedefField, safe.Field(oldObj, func(oldObj *Struct) MapType { return oldObj.MapTypedefField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc.go
new file mode 100644
index 0000000000000..45f95f7b072b6
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package options
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// +k8s:ifEnabled(FeatureX)=+k8s:subfield(xEnabledField)=+k8s:validateFalse="field Struct.ObjectMeta.XEnabledField"
+	ObjectMeta `json:"metadata,omitempty"`
+
+	// +k8s:ifEnabled(FeatureX)=+k8s:validateFalse="field Struct.XEnabledField"
+	XEnabledField string `json:"xEnabledField"`
+
+	// +k8s:ifDisabled(FeatureX)=+k8s:validateFalse="field Struct.XDisabledField"
+	XDisabledField string `json:"xDisabledField"`
+
+	// +k8s:ifEnabled(FeatureY)=+k8s:validateFalse="field Struct.YEnabledField"
+	YEnabledField string `json:"yEnabledField"`
+
+	// +k8s:ifDisabled(FeatureY)=+k8s:validateFalse="field Struct.YDisabledField"
+	YDisabledField string `json:"yDisabledField"`
+
+	// +k8s:ifEnabled(FeatureX)=+k8s:validateFalse="field Struct.XYMixedField/X"
+	// +k8s:ifDisabled(FeatureY)=+k8s:validateFalse="field Struct.XYMixedField/Y"
+	XYMixedField string `json:"xyMixedField"`
+}
+
+type ObjectMeta struct {
+	XEnabledField string `json:"xEnabledField"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc_test.go
new file mode 100644
index 0000000000000..bb574676d80d5
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/doc_test.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"testing"
+)
+
+func Test(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	st.Value(&Struct{
+		// All zero values
+	}).ExpectValidateFalseByPath(map[string][]string{
+		// All ifDisabled validations should trigger
+		"xDisabledField": {"field Struct.XDisabledField"},
+		"yDisabledField": {"field Struct.YDisabledField"},
+		"xyMixedField":   {"field Struct.XYMixedField/Y"},
+	})
+
+	st.Value(&Struct{
+		// All zero values
+	}).Opts([]string{"FeatureX", "FeatureY"}).ExpectValidateFalseByPath(map[string][]string{
+		// All ifEnabled validations should trigger
+		"metadata.xEnabledField": {"field Struct.ObjectMeta.XEnabledField"},
+		"xEnabledField":          {"field Struct.XEnabledField"},
+		"yEnabledField":          {"field Struct.YEnabledField"},
+		"xyMixedField":           {"field Struct.XYMixedField/X"},
+	})
+
+	st.Value(&Struct{
+		// All zero values
+	}).Opts([]string{"FeatureX"}).ExpectValidateFalseByPath(map[string][]string{
+		// All ifEnabled validations should trigger
+		"metadata.xEnabledField": {"field Struct.ObjectMeta.XEnabledField"},
+		"xEnabledField":          {"field Struct.XEnabledField"},
+		"yDisabledField":         {"field Struct.YDisabledField"},
+		"xyMixedField": {
+			"field Struct.XYMixedField/X",
+			"field Struct.XYMixedField/Y"},
+	})
+
+	st.Value(&Struct{
+		// All zero values
+	}).Opts([]string{"FeatureY"}).ExpectValidateFalseByPath(map[string][]string{
+		// All ifEnabled validations should trigger
+		"xDisabledField": {"field Struct.XDisabledField"},
+		"yEnabledField":  {"field Struct.YEnabledField"},
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/zz_generated.validations.go
new file mode 100644
index 0000000000000..4270e882181d9
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/options/zz_generated.validations.go
@@ -0,0 +1,146 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package options
+
+import (
+	context "context"
+	fmt "fmt"
+
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.ObjectMeta
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *ObjectMeta, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureX", true, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *ObjectMeta) field.ErrorList {
+				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "xEnabledField", func(o *ObjectMeta) *string { return &o.XEnabledField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.ObjectMeta.XEnabledField")
+				})
+			})...)
+			return
+		}(fldPath.Child("metadata"), &obj.ObjectMeta, safe.Field(oldObj, func(oldObj *Struct) *ObjectMeta { return &oldObj.ObjectMeta }), oldObj != nil)...)
+
+	// field Struct.XEnabledField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureX", true, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.XEnabledField")
+			})...)
+			return
+		}(fldPath.Child("xEnabledField"), &obj.XEnabledField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.XEnabledField }), oldObj != nil)...)
+
+	// field Struct.XDisabledField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureX", false, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.XDisabledField")
+			})...)
+			return
+		}(fldPath.Child("xDisabledField"), &obj.XDisabledField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.XDisabledField }), oldObj != nil)...)
+
+	// field Struct.YEnabledField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureY", true, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.YEnabledField")
+			})...)
+			return
+		}(fldPath.Child("yEnabledField"), &obj.YEnabledField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.YEnabledField }), oldObj != nil)...)
+
+	// field Struct.YDisabledField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureY", false, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.YDisabledField")
+			})...)
+			return
+		}(fldPath.Child("yDisabledField"), &obj.YDisabledField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.YDisabledField }), oldObj != nil)...)
+
+	// field Struct.XYMixedField
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureY", false, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.XYMixedField/Y")
+			})...)
+			errs = append(errs, validate.IfOption(ctx, op, fldPath, obj, oldObj, "FeatureX", true, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.XYMixedField/X")
+			})...)
+			return
+		}(fldPath.Child("xyMixedField"), &obj.XYMixedField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.XYMixedField }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc.go
index f785c668dee88..84dc92b4d5a4c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc.go
@@ -28,14 +28,16 @@ var localSchemeBuilder = testscheme.New()
 type Struct struct {
 	TypeMeta int `json:"typeMeta"`
 
-	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="StructField.StructField"
-	// +k8s:subfield(sliceField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="StructField.SliceField"
-	// +k8s:subfield(mapField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="StructField.MapField"
+	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructField.StructField 1"
+	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructField.StructField 2"
+	// +k8s:subfield(sliceField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructField.SliceField"
+	// +k8s:subfield(mapField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructField.MapField"
 	StructField OtherStruct `json:"structField"`
 
-	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="StructPtrField.StructField"
-	// +k8s:subfield(sliceField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="StructPtrField.SliceField"
-	// +k8s:subfield(mapField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="StructPtrField.MapField"
+	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructPtrField.StructField 1"
+	// +k8s:subfield(structField)=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructPtrField.StructField 2"
+	// +k8s:subfield(sliceField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructPtrField.SliceField"
+	// +k8s:subfield(mapField)=+k8s:eachVal=+k8s:subfield(stringField)=+k8s:validateFalse="Struct.StructPtrField.MapField"
 	StructPtrField *OtherStruct `json:"structPtrField"`
 }
 
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc_test.go
index b738b6ffe97fb..6958e7577a50d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/doc_test.go
@@ -49,15 +49,15 @@ func Test(t *testing.T) {
 			},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		"structField.structField.stringField":      {"StructField.StructField"},
-		"structField.sliceField[0].stringField":    {"StructField.SliceField"},
-		"structField.sliceField[1].stringField":    {"StructField.SliceField"},
-		"structField.mapField[a].stringField":      {"StructField.MapField"},
-		"structField.mapField[b].stringField":      {"StructField.MapField"},
-		"structPtrField.structField.stringField":   {"StructPtrField.StructField"},
-		"structPtrField.sliceField[0].stringField": {"StructPtrField.SliceField"},
-		"structPtrField.sliceField[1].stringField": {"StructPtrField.SliceField"},
-		"structPtrField.mapField[a].stringField":   {"StructPtrField.MapField"},
-		"structPtrField.mapField[b].stringField":   {"StructPtrField.MapField"},
+		"structField.structField.stringField":      {"Struct.StructField.StructField 1", "Struct.StructField.StructField 2"},
+		"structField.sliceField[0].stringField":    {"Struct.StructField.SliceField"},
+		"structField.sliceField[1].stringField":    {"Struct.StructField.SliceField"},
+		"structField.mapField[a].stringField":      {"Struct.StructField.MapField"},
+		"structField.mapField[b].stringField":      {"Struct.StructField.MapField"},
+		"structPtrField.structField.stringField":   {"Struct.StructPtrField.StructField 1", "Struct.StructPtrField.StructField 2"},
+		"structPtrField.sliceField[0].stringField": {"Struct.StructPtrField.SliceField"},
+		"structPtrField.sliceField[1].stringField": {"Struct.StructPtrField.SliceField"},
+		"structPtrField.mapField[a].stringField":   {"Struct.StructPtrField.MapField"},
+		"structPtrField.mapField[b].stringField":   {"Struct.StructPtrField.MapField"},
 	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/zz_generated.validations.go
index c348acdd28616..dc4408587c9b0 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/deep/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,64 +49,92 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructField.StructField")
-				})
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []SmallStruct { return o.SliceField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []SmallStruct) field.ErrorList {
-				return validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructField.SliceField")
+			// call field-attached validations
+			func() { // cohort structField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructField.StructField 1")
 					})
-				})
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]SmallStruct { return o.MapField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]SmallStruct) field.ErrorList {
-				return validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructField.MapField")
+				})...)
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructField.StructField 2")
 					})
-				})
-			})...)
+				})...)
+			}()
+			func() { // cohort sliceField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []SmallStruct { return o.SliceField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []SmallStruct) field.ErrorList {
+					return validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+						return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+							return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructField.SliceField")
+						})
+					})
+				})...)
+			}()
+			func() { // cohort mapField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]SmallStruct { return o.MapField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]SmallStruct) field.ErrorList {
+					return validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+						return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+							return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructField.MapField")
+						})
+					})
+				})...)
+			}()
 			return
-		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }))...)
+		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }), oldObj != nil)...)
 
 	// field Struct.StructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-				return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructPtrField.StructField")
-				})
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []SmallStruct { return o.SliceField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []SmallStruct) field.ErrorList {
-				return validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructPtrField.SliceField")
+			// call field-attached validations
+			func() { // cohort structField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructPtrField.StructField 1")
+					})
+				})...)
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructPtrField.StructField 2")
+					})
+				})...)
+			}()
+			func() { // cohort sliceField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []SmallStruct { return o.SliceField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []SmallStruct) field.ErrorList {
+					return validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+						return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+							return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructPtrField.SliceField")
+						})
 					})
-				})
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]SmallStruct { return o.MapField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]SmallStruct) field.ErrorList {
-				return validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-					return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-						return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "StructPtrField.MapField")
+				})...)
+			}()
+			func() { // cohort mapField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]SmallStruct { return o.MapField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]SmallStruct) field.ErrorList {
+					return validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+						return validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *SmallStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+							return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "Struct.StructPtrField.MapField")
+						})
 					})
-				})
-			})...)
+				})...)
+			}()
 			return
-		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }))...)
+		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/nonincluded/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/nonincluded/zz_generated.validations.go
index 5683425365922..07de680b9a80e 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/nonincluded/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/nonincluded/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,18 +49,24 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.StructType
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *other.StructType) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *other.StructType, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *other.StructType) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.(other.StructType).StringField")
-			})...)
+			// call field-attached validations
+			func() { // cohort stringField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *other.StructType) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.(other.StructType).StringField")
+				})...)
+			}()
 			return
-		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("other.StructType") }), &obj.StructType, safe.Field(oldObj, func(oldObj *Struct) *other.StructType { return &oldObj.StructType }))...)
+		}(safe.Value(fldPath, func() *field.Path { return fldPath.Child("other.StructType") }), &obj.StructType, safe.Field(oldObj, func(oldObj *Struct) *other.StructType { return &oldObj.StructType }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc.go
index 7aa7696e61ad1..91259e34090b7 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc.go
@@ -28,14 +28,16 @@ var localSchemeBuilder = testscheme.New()
 type Struct struct {
 	TypeMeta int `json:"typeMeta"`
 
-	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructField.StringField"
+	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructField.StringField 1"
+	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructField.StringField 2"
 	// +k8s:subfield(pointerField)=+k8s:validateFalse="subfield Struct.StructField.PointerField"
 	// +k8s:subfield(structField)=+k8s:validateFalse="subfield Struct.StructField.StructField"
 	// +k8s:subfield(sliceField)=+k8s:validateFalse="subfield Struct.StructField.SliceField"
 	// +k8s:subfield(mapField)=+k8s:validateFalse="subfield Struct.StructField.MapField"
 	StructField OtherStruct `json:"structField"`
 
-	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructPtrField.StringField"
+	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructPtrField.StringField 1"
+	// +k8s:subfield(stringField)=+k8s:validateFalse="subfield Struct.StructPtrField.StringField 2"
 	// +k8s:subfield(pointerField)=+k8s:validateFalse="subfield Struct.StructPtrField.PointerField"
 	// +k8s:subfield(structField)=+k8s:validateFalse="subfield Struct.StructPtrField.StructField"
 	// +k8s:subfield(sliceField)=+k8s:validateFalse="subfield Struct.StructPtrField.SliceField"
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc_test.go
index e11f0b50ac163..6bd1d93ea982c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/doc_test.go
@@ -41,15 +41,15 @@ func Test(t *testing.T) {
 			MapField:     map[string]string{},
 		},
 	}).ExpectValidateFalseByPath(map[string][]string{
-		"structField.stringField":     {"subfield Struct.StructField.StringField"},
-		"structPtrField.stringField":  {"subfield Struct.StructPtrField.StringField"},
+		"structField.stringField":     {"subfield Struct.StructField.StringField 1", "subfield Struct.StructField.StringField 2"},
 		"structField.pointerField":    {"subfield Struct.StructField.PointerField"},
-		"structPtrField.pointerField": {"subfield Struct.StructPtrField.PointerField"},
 		"structField.structField":     {"subfield Struct.StructField.StructField"},
-		"structPtrField.structField":  {"subfield Struct.StructPtrField.StructField"},
 		"structField.sliceField":      {"subfield Struct.StructField.SliceField"},
-		"structPtrField.sliceField":   {"subfield Struct.StructPtrField.SliceField"},
 		"structField.mapField":        {"subfield Struct.StructField.MapField"},
+		"structPtrField.stringField":  {"subfield Struct.StructPtrField.StringField 1", "subfield Struct.StructPtrField.StringField 2"},
+		"structPtrField.pointerField": {"subfield Struct.StructPtrField.PointerField"},
+		"structPtrField.structField":  {"subfield Struct.StructPtrField.StructField"},
+		"structPtrField.sliceField":   {"subfield Struct.StructPtrField.SliceField"},
 		"structPtrField.mapField":     {"subfield Struct.StructPtrField.MapField"},
 	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/zz_generated.validations.go
index 00bc98497f317..69256650d56bc 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/subfield/shallow/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,56 +49,88 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StructField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.StringField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "pointerField", func(o *OtherStruct) *string { return o.PointerField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.PointerField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.StructField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []string { return o.SliceField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.SliceField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]string { return o.MapField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.MapField")
-			})...)
+			// call field-attached validations
+			func() { // cohort stringField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.StringField 1")
+				})...)
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.StringField 2")
+				})...)
+			}()
+			func() { // cohort pointerField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "pointerField", func(o *OtherStruct) *string { return o.PointerField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.PointerField")
+				})...)
+			}()
+			func() { // cohort structField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.StructField")
+				})...)
+			}()
+			func() { // cohort sliceField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []string { return o.SliceField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.SliceField")
+				})...)
+			}()
+			func() { // cohort mapField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]string { return o.MapField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructField.MapField")
+				})...)
+			}()
 			return
-		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }))...)
+		}(fldPath.Child("structField"), &obj.StructField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return &oldObj.StructField }), oldObj != nil)...)
 
 	// field Struct.StructPtrField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *OtherStruct) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *OtherStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.StringField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "pointerField", func(o *OtherStruct) *string { return o.PointerField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.PointerField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.StructField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []string { return o.SliceField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.SliceField")
-			})...)
-			errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]string { return o.MapField }, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]string) field.ErrorList {
-				return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.MapField")
-			})...)
+			// call field-attached validations
+			func() { // cohort stringField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.StringField 1")
+				})...)
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "stringField", func(o *OtherStruct) *string { return &o.StringField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.StringField 2")
+				})...)
+			}()
+			func() { // cohort pointerField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "pointerField", func(o *OtherStruct) *string { return o.PointerField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.PointerField")
+				})...)
+			}()
+			func() { // cohort structField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "structField", func(o *OtherStruct) *SmallStruct { return &o.StructField }, validate.DirectEqualPtr, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *SmallStruct) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.StructField")
+				})...)
+			}()
+			func() { // cohort sliceField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "sliceField", func(o *OtherStruct) []string { return o.SliceField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj []string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.SliceField")
+				})...)
+			}()
+			func() { // cohort mapField
+				errs = append(errs, validate.Subfield(ctx, op, fldPath, obj, oldObj, "mapField", func(o *OtherStruct) map[string]string { return o.MapField }, validate.SemanticDeepEqual, func(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj map[string]string) field.ErrorList {
+					return validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "subfield Struct.StructPtrField.MapField")
+				})...)
+			}()
 			return
-		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }))...)
+		}(fldPath.Child("structPtrField"), obj.StructPtrField, safe.Field(oldObj, func(oldObj *Struct) *OtherStruct { return oldObj.StructPtrField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/doc_test.go
index f69a3c284d5ed..0dbe831864afa 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/doc_test.go
@@ -27,13 +27,13 @@ func TestRegisterValidations(t *testing.T) {
 	st := localSchemeBuilder.Test(t)
 
 	t1 := &T1{}
-	st.Value(t1).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/")),
-	)
+	st.Value(t1).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
 
 	st.Value(t1).Subresources([]string{"scale"}).ExpectValid()
 
-	st.Value(t1).Subresources([]string{"unknown"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/unknown")),
-	)
+	st.Value(t1).Subresources([]string{"unknown"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/zz_generated.validations.go
index 4882154469813..dfe38b14d796c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/issubresource/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/scale":
@@ -47,16 +48,20 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/doc_test.go
index 44d1d484783bd..cceeda6dca632 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/doc_test.go
@@ -30,11 +30,11 @@ func TestRegisterValidations(t *testing.T) {
 
 	st.Value(t1).ExpectValid()
 
-	st.Value(t1).Subresources([]string{"scale"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/scale")),
-	)
+	st.Value(t1).Subresources([]string{"scale"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
 
-	st.Value(t1).Subresources([]string{"x", "y"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/x/y")),
-	)
+	st.Value(t1).Subresources([]string{"x", "y"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/zz_generated.validations.go
index 20f7445020c6c..d71be3825794f 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/root/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,16 +48,20 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/doc_test.go
index 17ddb42ee9ac0..8bf631a70ea85 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/doc_test.go
@@ -34,17 +34,17 @@ func TestRegisterValidations(t *testing.T) {
 	st.Value(t1).Subresources([]string{"scale"}).ExpectValid()
 	st.Value(t1).Subresources([]string{"x", "y"}).ExpectValid()
 
-	st.Value(t1).Subresources([]string{"status", "unknown"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/status/unknown")),
-	)
-
-	st.Value(t1).Subresources([]string{"unknown"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/unknown")),
-	)
-	st.Value(t1).Subresources([]string{"x", "unknown"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/x/unknown")),
-	)
-	st.Value(t1).Subresources([]string{"x", "y", "unknown"}).ExpectInvalid(
-		field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", t1, "/x/y/unknown")),
-	)
+	st.Value(t1).Subresources([]string{"status", "unknown"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
+
+	st.Value(t1).Subresources([]string{"unknown"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
+	st.Value(t1).Subresources([]string{"x", "unknown"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
+	st.Value(t1).Subresources([]string{"x", "y", "unknown"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.InternalError(nil, fmt.Errorf("")),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/zz_generated.validations.go
index 3ca113b5f1a7f..ee6cba998ce4a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/supported_resources/subresource/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/", "/scale", "/status", "/x/y":
@@ -47,16 +48,20 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field T1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/doc_test.go
index 116d101f8c1d7..bd5487edc9e19 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/doc_test.go
@@ -28,13 +28,13 @@ func Test(t *testing.T) {
 	st.Value(&Struct{D: DM1, M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{D: DM2, M2: &M2{}}).ExpectValid()
 
-	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "may only be specified when `d` is \"CustomM1\""),
-	)
+	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "may only be specified when"),
+	})
 
-	st.Value(&Struct{D: DM1}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "must be specified when `d` is \"CustomM1\""),
-	)
+	st.Value(&Struct{D: DM1}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "must be specified when"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).OldValue(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/zz_generated.validations.go
index b45e661b460d5..4b600682e9b6e 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/custom_members/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_custom_members_Struct_ = validate.NewDiscriminatedUnionMembership("d", [2]string{"m1", "CustomM1"}, [2]string{"m2", "CustomM2"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_custom_members_Struct_ = validate.NewDiscriminatedUnionMembership("d", validate.NewDiscriminatedUnionMember("m1", "CustomM1"), validate.NewDiscriminatedUnionMember("m2", "CustomM2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.DiscriminatedUnion(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_custom_members_Struct_, func(obj *Struct) string {
 		if obj == nil {
 			return ""
@@ -77,27 +75,39 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/empty/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/empty/zz_generated.validations.go
index 158f7bf4892ba..d7e9f36d156ce 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/empty/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/empty/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -49,11 +50,9 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 
 var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_empty_Struct_ = validate.NewDiscriminatedUnionMembership("d")
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.DiscriminatedUnion(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_empty_Struct_, func(obj *Struct) string {
 		if obj == nil {
 			return ""
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/doc_test.go
index eed30841e4233..4d1ad466f80fa 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/doc_test.go
@@ -40,26 +40,26 @@ func Test(t *testing.T) {
 	st.Value(&Struct{
 		D1: U1M2, U1M1: &M1{}, U1M2: &M2{},
 		D2: U2M2, // no value
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("u1m1"), "", "may only be specified when `d1` is \"U1M1\""),
-		field.Invalid(field.NewPath("u2m2"), "", "must be specified when `d2` is \"U2M2\""),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("u1m1"), nil, "may only be specified when"),
+		field.Invalid(field.NewPath("u2m2"), nil, "must be specified when"),
+	})
 
 	st.Value(&Struct{
 		D1: U1M2, // no value
 		D2: U2M2, U2M1: &M1{}, U2M2: &M2{},
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("u1m2"), "", "must be specified when `d1` is \"U1M2\""),
-		field.Invalid(field.NewPath("u2m1"), "", "may only be specified when `d2` is \"U2M1\""),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("u1m2"), nil, "must be specified when"),
+		field.Invalid(field.NewPath("u2m1"), nil, "may only be specified when"),
+	})
 
 	st.Value(&Struct{
 		D1: U1M2, // no value
 		D2: U2M2, // no value
-	}).ExpectInvalid(
-		field.Invalid(field.NewPath("u1m2"), "", "must be specified when `d1` is \"U1M2\""),
-		field.Invalid(field.NewPath("u2m2"), "", "must be specified when `d2` is \"U2M2\""),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("u1m2"), nil, "must be specified when"),
+		field.Invalid(field.NewPath("u2m2"), nil, "must be specified when"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/zz_generated.validations.go
index 0b728bcc67ac4..02a8f459dbb00 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/multiple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,14 +48,12 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_multiple_Struct_union1 = validate.NewDiscriminatedUnionMembership("d1", [2]string{"u1m1", "U1M1"}, [2]string{"u1m2", "U1M2"})
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_multiple_Struct_union2 = validate.NewDiscriminatedUnionMembership("d2", [2]string{"u2m1", "U2M1"}, [2]string{"u2m2", "U2M2"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_multiple_Struct_union1 = validate.NewDiscriminatedUnionMembership("d1", validate.NewDiscriminatedUnionMember("u1m1", "U1M1"), validate.NewDiscriminatedUnionMember("u1m2", "U1M2"))
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_multiple_Struct_union2 = validate.NewDiscriminatedUnionMembership("d2", validate.NewDiscriminatedUnionMember("u2m1", "U2M1"), validate.NewDiscriminatedUnionMember("u2m2", "U2M2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.DiscriminatedUnion(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_multiple_Struct_union1, func(obj *Struct) string {
 		if obj == nil {
 			return ""
@@ -94,53 +92,77 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.U1M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }))...)
+		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }), oldObj != nil)...)
 
 	// field Struct.U1M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }))...)
+		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }), oldObj != nil)...)
 
 	// field Struct.D2 has no validation
 
 	// field Struct.U2M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }))...)
+		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }), oldObj != nil)...)
 
 	// field Struct.U2M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }))...)
+		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/doc_test.go
index d606dc9d18039..bd2885ffb04cf 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/doc_test.go
@@ -30,13 +30,13 @@ func Test(t *testing.T) {
 	st.Value(&Struct{D: DM1, M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{D: DM2, M2: &M2{}}).ExpectValid()
 
-	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "may only be specified when `d` is \"M1\""),
-	)
+	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "may only be specified when"),
+	})
 
-	st.Value(&Struct{D: DM1}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "must be specified when `d` is \"M1\""),
-	)
+	st.Value(&Struct{D: DM1}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "must be specified when"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).OldValue(&Struct{D: DM2, M1: &M1{}, M2: &M2{}}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/zz_generated.validations.go
index 31cc396238651..f54d8805d4cd6 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/simple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_simple_Struct_ = validate.NewDiscriminatedUnionMembership("d", [2]string{"m1", "M1"}, [2]string{"m2", "M2"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_simple_Struct_ = validate.NewDiscriminatedUnionMembership("d", validate.NewDiscriminatedUnionMember("m1", "M1"), validate.NewDiscriminatedUnionMember("m2", "M2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.DiscriminatedUnion(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_simple_Struct_, func(obj *Struct) string {
 		if obj == nil {
 			return ""
@@ -77,27 +75,39 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/doc_test.go
index 1c78641737179..66068b71467f8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/doc_test.go
@@ -30,13 +30,13 @@ func Test(t *testing.T) {
 	st.Value(&Struct{D: DM1, M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{D: DM2}).ExpectValid()
 
-	st.Value(&Struct{D: DM2, M1: &M1{}}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "may only be specified when `d` is \"M1\""),
-	)
+	st.Value(&Struct{D: DM2, M1: &M1{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "may only be specified when"),
+	})
 
-	st.Value(&Struct{D: DM1}).ExpectInvalid(
-		field.Invalid(field.NewPath("m1"), "", "must be specified when `d` is \"M1\""),
-	)
+	st.Value(&Struct{D: DM1}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("m1"), nil, "must be specified when"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{D: DM2, M1: &M1{}}).OldValue(&Struct{D: DM2, M1: &M1{}}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/zz_generated.validations.go
index 0b859c6717ae6..d2afbed6e2082 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/discriminated/sparse/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_sparse_Struct_ = validate.NewDiscriminatedUnionMembership("d", [2]string{"m1", "M1"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_sparse_Struct_ = validate.NewDiscriminatedUnionMembership("d", validate.NewDiscriminatedUnionMember("m1", "M1"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.DiscriminatedUnion(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_discriminated_sparse_Struct_, func(obj *Struct) string {
 		if obj == nil {
 			return ""
@@ -72,15 +70,21 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/doc_test.go
index 8a52021c607c6..7aef1de0ce47b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/doc_test.go
@@ -28,12 +28,12 @@ func Test(t *testing.T) {
 	st.Value(&Struct{M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{M2: &M2{}}).ExpectValid()
 
-	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m2}", "must specify exactly one of: `m1`, `m2`"),
-	)
-	st.Value(&Struct{}).ExpectInvalid(
-		field.Invalid(nil, "", "must specify one of: `m1`, `m2`"),
-	)
+	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
+	st.Value(&Struct{}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify one of"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).OldValue(&Struct{M1: &M1{}, M2: &M2{}}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/zz_generated.validations.go
index 2746b7a08894b..f0076bf9ba393 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/custom_members/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_custom_members_Struct_ = validate.NewUnionMembership([2]string{"m1", "CustomM1"}, [2]string{"m2", "CustomM2"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_custom_members_Struct_ = validate.NewUnionMembership(validate.NewUnionMember("m1"), validate.NewUnionMember("m2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_custom_members_Struct_, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -72,27 +70,39 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/doc_test.go
index 4539c2cc3f97b..cac9528c1586a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/doc_test.go
@@ -25,31 +25,31 @@ import (
 func Test(t *testing.T) {
 	st := localSchemeBuilder.Test(t)
 
-	st.Value(&Struct{}).ExpectInvalid(
-		field.Invalid(nil, "", "must specify one of: `u1m1`, `u1m2`"),
-		field.Invalid(nil, "", "must specify one of: `u2m1`, `u2m2`"),
-	)
+	st.Value(&Struct{}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify one of"),
+		field.Invalid(nil, nil, "must specify one of"),
+	})
 
 	st.Value(&Struct{U1M1: &M1{}, U2M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{U1M2: &M2{}, U2M2: &M2{}}).ExpectValid()
 
-	st.Value(&Struct{U1M1: &M1{}, U1M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{u1m1, u1m2}", "must specify exactly one of: `u1m1`, `u1m2`"),
-		field.Invalid(nil, "", "must specify one of: `u2m1`, `u2m2`"),
-	)
+	st.Value(&Struct{U1M1: &M1{}, U1M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+		field.Invalid(nil, nil, "must specify one of"),
+	})
 
-	st.Value(&Struct{U2M1: &M1{}, U2M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "", "must specify one of: `u1m1`, `u1m2`"),
-		field.Invalid(nil, "{u2m1, u2m2}", "must specify exactly one of: `u2m1`, `u2m2`"),
-	)
+	st.Value(&Struct{U2M1: &M1{}, U2M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify one of"),
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
 
 	st.Value(&Struct{
 		U1M1: &M1{}, U1M2: &M2{},
 		U2M1: &M1{}, U2M2: &M2{},
-	}).ExpectInvalid(
-		field.Invalid(nil, "{u1m1, u1m2}", "must specify exactly one of: `u1m1`, `u1m2`"),
-		field.Invalid(nil, "{u2m1, u2m2}", "must specify exactly one of: `u2m1`, `u2m2`"),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{}).OldValue(&Struct{}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/zz_generated.validations.go
index 206d5741f35f9..029fa4534949d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/multiple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,14 +48,12 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_multiple_Struct_union1 = validate.NewUnionMembership([2]string{"u1m1", "U1M1"}, [2]string{"u1m2", "U1M2"})
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_multiple_Struct_union2 = validate.NewUnionMembership([2]string{"u2m1", "U2M1"}, [2]string{"u2m2", "U2M2"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_multiple_Struct_union1 = validate.NewUnionMembership(validate.NewUnionMember("u1m1"), validate.NewUnionMember("u1m2"))
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_multiple_Struct_union2 = validate.NewUnionMembership(validate.NewUnionMember("u2m1"), validate.NewUnionMember("u2m2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_multiple_Struct_union1, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -84,51 +82,75 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.U1M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }))...)
+		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }), oldObj != nil)...)
 
 	// field Struct.U1M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }))...)
+		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }), oldObj != nil)...)
 
 	// field Struct.U2M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }))...)
+		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }), oldObj != nil)...)
 
 	// field Struct.U2M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }))...)
+		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/doc_test.go
index be0d9320eaca2..f00b41b546f0b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/doc_test.go
@@ -26,24 +26,24 @@ import (
 func Test(t *testing.T) {
 	st := localSchemeBuilder.Test(t)
 
-	st.Value(&Struct{}).ExpectInvalid(
-		field.Invalid(nil, "", "must specify one of: `m1`, `m2`, `m3`, `m4`"),
-	)
+	st.Value(&Struct{}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify one of"),
+	})
 
 	st.Value(&Struct{M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{M2: &M2{}}).ExpectValid()
 	st.Value(&Struct{M3: "a string"}).ExpectValid()
 	st.Value(&Struct{M4: ptr.To("a string")}).ExpectValid()
 
-	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m2}", "must specify exactly one of: `m1`, `m2`, `m3`, `m4`"),
-	)
-	st.Value(&Struct{M1: &M1{}, M3: "a string"}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m3}", "must specify exactly one of: `m1`, `m2`, `m3`, `m4`"),
-	)
-	st.Value(&Struct{M1: &M1{}, M4: ptr.To("a string")}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m4}", "must specify exactly one of: `m1`, `m2`, `m3`, `m4`"),
-	)
+	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
+	st.Value(&Struct{M1: &M1{}, M3: "a string"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
+	st.Value(&Struct{M1: &M1{}, M4: ptr.To("a string")}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify exactly one of"),
+	})
 
 	// Update only considers whether a field was set, not the value.
 	st.Value(&Struct{M3: "a string"}).OldValue(&Struct{M3: "different string"}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/zz_generated.validations.go
index 19aef10af9103..80c81dc083dce 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/union/union/undiscriminated/simple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_simple_Struct_ = validate.NewUnionMembership([2]string{"m1", "M1"}, [2]string{"m2", "M2"}, [2]string{"m3", "M3"}, [2]string{"m4", "M4"})
+var unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_simple_Struct_ = validate.NewUnionMembership(validate.NewUnionMember("m1"), validate.NewUnionMember("m2"), validate.NewUnionMember("m3"), validate.NewUnionMember("m4"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.Union(ctx, op, fldPath, obj, oldObj, unionMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_union_union_undiscriminated_simple_Struct_, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -83,51 +81,75 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	// field Struct.M3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m3"), &obj.M3, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.M3 }))...)
+		}(fldPath.Child("m3"), &obj.M3, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.M3 }), oldObj != nil)...)
 
 	// field Struct.M4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m4"), obj.M4, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.M4 }))...)
+		}(fldPath.Child("m4"), obj.M4, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.M4 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc.go
new file mode 100644
index 0000000000000..2fa2b69df239c
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc.go
@@ -0,0 +1,111 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package.
+package unique
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type Struct struct {
+	TypeMeta int
+
+	// Basic unique=set on primitive slice
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	PrimitiveListUniqueSet []string `json:"primitiveListUniqueSet"`
+
+	// unique=map with multiple keys
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key1
+	// +k8s:listMapKey=key2
+	SliceMapFieldWithMultipleKeys []ItemWithMultipleKeys `json:"sliceMapFieldWithMultipleKeys"`
+
+	// atomic + unique=set combination
+	// +k8s:listType=atomic
+	// +k8s:unique=set
+	AtomicListUniqueSet []Item `json:"atomicListUniqueSet"`
+
+	// atomic + unique=map combination
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key
+	AtomicListUniqueMap []Item `json:"atomicListUniqueMap"`
+
+	// customUnique with listType=set
+	// +k8s:listType=set
+	// +k8s:customUnique
+	CustomUniqueListWithTypeSet []string `json:"customUniqueListWithTypeSet"`
+
+	// customUnique with listType=map
+	// +k8s:listType=map
+	// +k8s:listMapKey=key
+	// +k8s:customUnique
+	CustomUniqueListWithTypeMap []Item `json:"customUniqueListWithTypeMap"`
+
+	// unique=map with pointer key
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key
+	SliceMapFieldWithPtrKey []PtrKeyStruct `json:"sliceMapFieldWithPtrKey"`
+
+	// unique=map with mixed (pointer and primitive) keys
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key1
+	// +k8s:listMapKey=key2
+	SliceMapFieldWithMixedKeys []ItemWithMixedKeys `json:"sliceMapFieldWithMixedKeys"`
+
+	// unique=map with multiple pointer keys
+	// +k8s:listType=atomic
+	// +k8s:unique=map
+	// +k8s:listMapKey=key1
+	// +k8s:listMapKey=key2
+	SliceMapFieldWithMultiplePtrKeys []ItemWithMultiplePtrKeys `json:"sliceMapFieldWithMultiplePtrKeys"`
+}
+
+type Item struct {
+	Key  string `json:"key"`
+	Data string `json:"data"`
+}
+
+type ItemWithMultipleKeys struct {
+	Key1 string `json:"key1"`
+	Key2 string `json:"key2"`
+	Data string `json:"data"`
+}
+
+type PtrKeyStruct struct {
+	Key  *string `json:"key"`
+	Data string  `json:"data"`
+}
+
+type ItemWithMixedKeys struct {
+	Key1 *string `json:"key1"`
+	Key2 string  `json:"key2"`
+	Data string  `json:"data"`
+}
+
+type ItemWithMultiplePtrKeys struct {
+	Key1 *string `json:"key1"`
+	Key2 *string `json:"key2"`
+	Data string  `json:"data"`
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc_test.go
new file mode 100644
index 0000000000000..a523d247ba468
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/doc_test.go
@@ -0,0 +1,221 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unique
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestUnique(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	// Test empty struct (should be valid)
+	st.Value(&Struct{}).ExpectValid()
+
+	// Test valid cases with no duplicates
+	st.Value(&Struct{
+		PrimitiveListUniqueSet: []string{"aaa", "bbb"},
+		SliceMapFieldWithMultipleKeys: []ItemWithMultipleKeys{
+			{Key1: "a", Key2: "x", Data: "first"},
+			{Key1: "a", Key2: "y", Data: "second"},
+		},
+		AtomicListUniqueSet: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+		},
+		AtomicListUniqueMap: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+		},
+		CustomUniqueListWithTypeSet: []string{"a", "b", "a"},
+		CustomUniqueListWithTypeMap: []Item{{Key: "a"}, {Key: "b"}, {Key: "a"}},
+		SliceMapFieldWithPtrKey: []PtrKeyStruct{
+			{Key: ptr.To("a"), Data: "first"},
+			{Key: ptr.To("b"), Data: "second"},
+		},
+		SliceMapFieldWithMixedKeys: []ItemWithMixedKeys{
+			{Key1: ptr.To("a"), Key2: "x", Data: "first"},
+			{Key1: ptr.To("a"), Key2: "y", Data: "second"},
+		},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{
+			{Key1: ptr.To("a"), Key2: ptr.To("x"), Data: "first"},
+			{Key1: ptr.To("a"), Key2: ptr.To("y"), Data: "second"},
+		},
+	}).ExpectValid()
+
+	// Test empty lists
+	st.Value(&Struct{
+		PrimitiveListUniqueSet:           []string{},
+		SliceMapFieldWithMultipleKeys:    []ItemWithMultipleKeys{},
+		AtomicListUniqueSet:              []Item{},
+		AtomicListUniqueMap:              []Item{},
+		CustomUniqueListWithTypeSet:      []string{},
+		CustomUniqueListWithTypeMap:      []Item{},
+		SliceMapFieldWithMixedKeys:       []ItemWithMixedKeys{},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{},
+	}).ExpectValid()
+
+	// Test single element lists
+	st.Value(&Struct{
+		PrimitiveListUniqueSet:           []string{"single"},
+		SliceMapFieldWithMultipleKeys:    []ItemWithMultipleKeys{{Key1: "a", Key2: "b", Data: "one"}},
+		AtomicListUniqueSet:              []Item{{Key: "single", Data: "one"}},
+		AtomicListUniqueMap:              []Item{{Key: "single", Data: "one"}},
+		CustomUniqueListWithTypeSet:      []string{"single"},
+		CustomUniqueListWithTypeMap:      []Item{{Key: "single"}},
+		SliceMapFieldWithMixedKeys:       []ItemWithMixedKeys{{Key1: ptr.To("a"), Key2: "b", Data: "one"}},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{{Key1: ptr.To("a"), Key2: ptr.To("b"), Data: "one"}},
+	}).ExpectValid()
+
+	// Test duplicate values (should fail validation)
+	st.Value(&Struct{
+		PrimitiveListUniqueSet: []string{"aaa", "bbb", "ccc", "ccc", "bbb", "aaa"},
+		SliceMapFieldWithMultipleKeys: []ItemWithMultipleKeys{
+			{Key1: "a", Key2: "x", Data: "first"},
+			{Key1: "a", Key2: "y", Data: "second"},
+			{Key1: "a", Key2: "x", Data: "third"},
+		},
+		AtomicListUniqueSet: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+			{Key: "key1", Data: "one"},
+		},
+		AtomicListUniqueMap: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+			{Key: "key1", Data: "three"},
+		},
+		CustomUniqueListWithTypeSet: []string{"a", "b", "a"},
+		CustomUniqueListWithTypeMap: []Item{{Key: "a"}, {Key: "b"}, {Key: "a"}},
+		SliceMapFieldWithPtrKey: []PtrKeyStruct{
+			{Key: ptr.To("a"), Data: "first"},
+			{Key: ptr.To("b"), Data: "second"},
+			{Key: ptr.To("a"), Data: "third"},
+		},
+		SliceMapFieldWithMixedKeys: []ItemWithMixedKeys{
+			{Key1: ptr.To("a"), Key2: "x", Data: "first"},
+			{Key1: ptr.To("a"), Key2: "y", Data: "second"},
+			{Key1: ptr.To("a"), Key2: "x", Data: "third"},
+		},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{
+			{Key1: ptr.To("a"), Key2: ptr.To("x"), Data: "first"},
+			{Key1: ptr.To("a"), Key2: ptr.To("y"), Data: "second"},
+			{Key1: ptr.To("a"), Key2: ptr.To("x"), Data: "third"},
+		},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Duplicate(field.NewPath("primitiveListUniqueSet").Index(3), nil),
+		field.Duplicate(field.NewPath("primitiveListUniqueSet").Index(4), nil),
+		field.Duplicate(field.NewPath("primitiveListUniqueSet").Index(5), nil),
+		field.Duplicate(field.NewPath("sliceMapFieldWithMultipleKeys").Index(2), nil),
+		field.Duplicate(field.NewPath("atomicListUniqueSet").Index(2), nil),
+		field.Duplicate(field.NewPath("atomicListUniqueMap").Index(2), nil),
+		field.Duplicate(field.NewPath("sliceMapFieldWithPtrKey").Index(2), nil),
+		field.Duplicate(field.NewPath("sliceMapFieldWithMixedKeys").Index(2), nil),
+		field.Duplicate(field.NewPath("sliceMapFieldWithMultiplePtrKeys").Index(2), nil),
+	})
+
+	// Test with zero values and empty strings
+	st.Value(&Struct{
+		PrimitiveListUniqueSet: []string{"", "a", ""},
+		AtomicListUniqueMap: []Item{
+			{Key: "", Data: "one"},
+			{Key: "a", Data: "two"},
+			{Key: "", Data: "three"},
+		},
+		CustomUniqueListWithTypeSet: []string{"", "a", ""},
+		CustomUniqueListWithTypeMap: []Item{{Key: ""}, {Key: "a"}, {Key: ""}},
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField(), field.ErrorList{
+		field.Duplicate(field.NewPath("primitiveListUniqueSet").Index(2), nil),
+		field.Duplicate(field.NewPath("atomicListUniqueMap").Index(2), nil),
+	})
+}
+
+func TestRatcheting(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	struct1 := Struct{
+		PrimitiveListUniqueSet: []string{"aaa", "bbb"},
+		SliceMapFieldWithMultipleKeys: []ItemWithMultipleKeys{
+			{Key1: "a", Key2: "x", Data: "first"},
+			{Key1: "a", Key2: "y", Data: "second"},
+		},
+		AtomicListUniqueSet: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+		},
+		AtomicListUniqueMap: []Item{
+			{Key: "key1", Data: "one"},
+			{Key: "key2", Data: "two"},
+		},
+		CustomUniqueListWithTypeSet: []string{"a", "b", "a"},
+		CustomUniqueListWithTypeMap: []Item{{Key: "a"}, {Key: "b"}, {Key: "a"}},
+		SliceMapFieldWithPtrKey: []PtrKeyStruct{
+			{Key: ptr.To("a"), Data: "first"},
+			{Key: ptr.To("b"), Data: "second"},
+		},
+		SliceMapFieldWithMixedKeys: []ItemWithMixedKeys{
+			{Key1: ptr.To("a"), Key2: "x", Data: "first"},
+			{Key1: ptr.To("a"), Key2: "y", Data: "second"},
+		},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{
+			{Key1: ptr.To("a"), Key2: ptr.To("x"), Data: "first"},
+			{Key1: ptr.To("a"), Key2: ptr.To("y"), Data: "second"},
+		},
+	}
+
+	// Same data, different order.
+	struct2 := Struct{
+		PrimitiveListUniqueSet: []string{"bbb", "aaa"},
+		SliceMapFieldWithMultipleKeys: []ItemWithMultipleKeys{
+			{Key1: "a", Key2: "y", Data: "second"},
+			{Key1: "a", Key2: "x", Data: "first"},
+		},
+		AtomicListUniqueSet: []Item{
+			{Key: "key2", Data: "two"},
+			{Key: "key1", Data: "one"},
+		},
+		AtomicListUniqueMap: []Item{
+			{Key: "key2", Data: "two"},
+			{Key: "key1", Data: "one"},
+		},
+		CustomUniqueListWithTypeSet: []string{"a", "a", "b"},
+		CustomUniqueListWithTypeMap: []Item{{Key: "a"}, {Key: "a"}, {Key: "b"}},
+		SliceMapFieldWithPtrKey: []PtrKeyStruct{
+			{Key: ptr.To("b"), Data: "second"},
+			{Key: ptr.To("a"), Data: "first"},
+		},
+		SliceMapFieldWithMixedKeys: []ItemWithMixedKeys{
+			{Key1: ptr.To("a"), Key2: "y", Data: "second"},
+			{Key1: ptr.To("a"), Key2: "x", Data: "first"},
+		},
+		SliceMapFieldWithMultiplePtrKeys: []ItemWithMultiplePtrKeys{
+			{Key1: ptr.To("a"), Key2: ptr.To("y"), Data: "second"},
+			{Key1: ptr.To("a"), Key2: ptr.To("x"), Data: "first"},
+		},
+	}
+
+	// Test that reordering doesn't trigger validation errors
+	st.Value(&struct1).OldValue(&struct2).ExpectValid()
+	st.Value(&struct2).OldValue(&struct1).ExpectValid()
+
+	// Test that the same data is considered valid regardless of order
+	st.Value(&struct1).ExpectValid()
+	st.Value(&struct2).ExpectValid()
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/zz_generated.validations.go
new file mode 100644
index 0000000000000..f7dd76b8d224d
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/unique/zz_generated.validations.go
@@ -0,0 +1,169 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package unique
+
+import (
+	context "context"
+	fmt "fmt"
+
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
+	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_Struct(ctx, op, nil /* fldPath */, obj.(*Struct), safe.Cast[*Struct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
+func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
+	// field Struct.TypeMeta has no validation
+
+	// field Struct.PrimitiveListUniqueSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("primitiveListUniqueSet"), obj.PrimitiveListUniqueSet, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.PrimitiveListUniqueSet }), oldObj != nil)...)
+
+	// field Struct.SliceMapFieldWithMultipleKeys
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []ItemWithMultipleKeys, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a ItemWithMultipleKeys, b ItemWithMultipleKeys) bool { return a.Key1 == b.Key1 && a.Key2 == b.Key2 })...)
+			return
+		}(fldPath.Child("sliceMapFieldWithMultipleKeys"), obj.SliceMapFieldWithMultipleKeys, safe.Field(oldObj, func(oldObj *Struct) []ItemWithMultipleKeys { return oldObj.SliceMapFieldWithMultipleKeys }), oldObj != nil)...)
+
+	// field Struct.AtomicListUniqueSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with set semantics require unique values
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, validate.DirectEqual)...)
+			return
+		}(fldPath.Child("atomicListUniqueSet"), obj.AtomicListUniqueSet, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.AtomicListUniqueSet }), oldObj != nil)...)
+
+	// field Struct.AtomicListUniqueMap
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a Item, b Item) bool { return a.Key == b.Key })...)
+			return
+		}(fldPath.Child("atomicListUniqueMap"), obj.AtomicListUniqueMap, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.AtomicListUniqueMap }), oldObj != nil)...)
+
+	// field Struct.CustomUniqueListWithTypeSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// Uniqueness validation is implemented via custom, handwritten validation
+			return
+		}(fldPath.Child("customUniqueListWithTypeSet"), obj.CustomUniqueListWithTypeSet, safe.Field(oldObj, func(oldObj *Struct) []string { return oldObj.CustomUniqueListWithTypeSet }), oldObj != nil)...)
+
+	// field Struct.CustomUniqueListWithTypeMap
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []Item, oldValueCorrelated bool) (errs field.ErrorList) {
+			// Uniqueness validation is implemented via custom, handwritten validation
+			return
+		}(fldPath.Child("customUniqueListWithTypeMap"), obj.CustomUniqueListWithTypeMap, safe.Field(oldObj, func(oldObj *Struct) []Item { return oldObj.CustomUniqueListWithTypeMap }), oldObj != nil)...)
+
+	// field Struct.SliceMapFieldWithPtrKey
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []PtrKeyStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a PtrKeyStruct, b PtrKeyStruct) bool {
+				return ((a.Key == nil && b.Key == nil) || (a.Key != nil && b.Key != nil && *a.Key == *b.Key))
+			})...)
+			return
+		}(fldPath.Child("sliceMapFieldWithPtrKey"), obj.SliceMapFieldWithPtrKey, safe.Field(oldObj, func(oldObj *Struct) []PtrKeyStruct { return oldObj.SliceMapFieldWithPtrKey }), oldObj != nil)...)
+
+	// field Struct.SliceMapFieldWithMixedKeys
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []ItemWithMixedKeys, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a ItemWithMixedKeys, b ItemWithMixedKeys) bool {
+				return ((a.Key1 == nil && b.Key1 == nil) || (a.Key1 != nil && b.Key1 != nil && *a.Key1 == *b.Key1)) && a.Key2 == b.Key2
+			})...)
+			return
+		}(fldPath.Child("sliceMapFieldWithMixedKeys"), obj.SliceMapFieldWithMixedKeys, safe.Field(oldObj, func(oldObj *Struct) []ItemWithMixedKeys { return oldObj.SliceMapFieldWithMixedKeys }), oldObj != nil)...)
+
+	// field Struct.SliceMapFieldWithMultiplePtrKeys
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj []ItemWithMultiplePtrKeys, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			// lists with map semantics require unique keys
+			errs = append(errs, validate.Unique(ctx, op, fldPath, obj, oldObj, func(a ItemWithMultiplePtrKeys, b ItemWithMultiplePtrKeys) bool {
+				return ((a.Key1 == nil && b.Key1 == nil) || (a.Key1 != nil && b.Key1 != nil && *a.Key1 == *b.Key1)) && ((a.Key2 == nil && b.Key2 == nil) || (a.Key2 != nil && b.Key2 != nil && *a.Key2 == *b.Key2))
+			})...)
+			return
+		}(fldPath.Child("sliceMapFieldWithMultiplePtrKeys"), obj.SliceMapFieldWithMultiplePtrKeys, safe.Field(oldObj, func(oldObj *Struct) []ItemWithMultiplePtrKeys { return oldObj.SliceMapFieldWithMultiplePtrKeys }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc.go
new file mode 100644
index 0000000000000..5c73543910769
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc.go
@@ -0,0 +1,125 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:validation-gen=TypeMeta
+// +k8s:validation-gen-scheme-registry=k8s.io/code-generator/cmd/validation-gen/testscheme.Scheme
+
+// This is a test package for the +k8s:update tag.
+package update
+
+import "k8s.io/code-generator/cmd/validation-gen/testscheme"
+
+var localSchemeBuilder = testscheme.New()
+
+type UpdateTestStruct struct {
+	TypeMeta int
+
+	// +k8s:update=NoSet
+	StringNoSet string `json:"stringNoSet"`
+
+	// +k8s:update=NoUnset
+	StringNoUnset string `json:"stringNoUnset"`
+
+	// +k8s:update=NoModify
+	StringNoModify string `json:"stringNoModify"`
+
+	// +k8s:update=NoSet
+	// +k8s:update=NoModify
+	// +k8s:update=NoUnset
+	StringFullyRestricted string `json:"stringFullyRestricted"`
+
+	// +k8s:update=NoModify
+	// +k8s:update=NoUnset
+	StringSetOnce string `json:"stringSetOnce"`
+
+	// +k8s:update=NoModify
+	IntNoModify int `json:"intNoModify"`
+
+	// +k8s:update=NoModify
+	Int32NoModify int32 `json:"int32NoModify"`
+
+	// +k8s:update=NoModify
+	Int64NoModify int64 `json:"int64NoModify"`
+
+	// +k8s:update=NoModify
+	UintNoModify uint `json:"uintNoModify"`
+
+	// +k8s:update=NoModify
+	BoolNoModify bool `json:"boolNoModify"`
+
+	// +k8s:update=NoModify
+	Float32NoModify float32 `json:"float32NoModify"`
+
+	// +k8s:update=NoModify
+	Float64NoModify float64 `json:"float64NoModify"`
+
+	// +k8s:update=NoModify
+	ByteNoModify byte `json:"byteNoModify"`
+
+	// +k8s:update=NoModify
+	StructNoModify TestStruct `json:"structNoModify"`
+
+	// +k8s:update=NoModify
+	NonComparableStructNoModify NonComparableStruct `json:"nonComparableStructNoModify"`
+
+	// Pointer field tests
+
+	// +k8s:update=NoSet
+	PointerNoSet *string `json:"pointerNoSet"`
+
+	// +k8s:update=NoUnset
+	PointerNoUnset *string `json:"pointerNoUnset"`
+
+	// +k8s:update=NoModify
+	PointerNoModify *string `json:"pointerNoModify"`
+
+	// +k8s:update=NoSet
+	// +k8s:update=NoModify
+	// +k8s:update=NoUnset
+	PointerFullyRestricted *string `json:"pointerFullyRestricted"`
+
+	// +k8s:update=NoModify
+	IntPointerNoModify *int `json:"intPointerNoModify"`
+
+	// +k8s:update=NoModify
+	BoolPointerNoModify *bool `json:"boolPointerNoModify"`
+
+	// +k8s:update=NoModify
+	StructPointerNoModify *TestStruct `json:"structPointerNoModify"`
+
+	// Type alias tests
+
+	// +k8s:update=NoModify
+	CustomTypeNoModify CustomString `json:"customTypeNoModify"`
+
+	// +k8s:update=NoSet
+	CustomTypeNoSet CustomInt `json:"customTypeNoSet"`
+}
+
+type TestStruct struct {
+	StringField string `json:"stringField"`
+	IntField    int    `json:"intField"`
+}
+
+// NonComparableStruct contains a slice which makes it non-comparable
+type NonComparableStruct struct {
+	SliceField []string `json:"sliceField"`
+	IntField   int      `json:"intField"`
+}
+
+// Custom types to test type aliases
+type CustomString string
+type CustomInt int
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc_test.go
new file mode 100644
index 0000000000000..9f6539848b081
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/doc_test.go
@@ -0,0 +1,401 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package update
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/ptr"
+)
+
+func TestUpdateTags(t *testing.T) {
+	st := localSchemeBuilder.Test(t)
+
+	baseStruct := UpdateTestStruct{}
+
+	// String NoSet
+	old := baseStruct
+	old.StringNoSet = "" // unset
+
+	new := baseStruct
+	new.StringNoSet = "value"
+
+	st.Value(&new).OldValue(&old).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringNoSet"), nil, "field cannot be set once created").WithOrigin("update"),
+	})
+
+	st.Value(&old).OldValue(&old).ExpectValid()
+
+	// String NoUnset
+	oldWithValue := baseStruct
+	oldWithValue.StringNoUnset = "value"
+
+	newUnset := baseStruct
+	newUnset.StringNoUnset = ""
+
+	// Can set initially (empty to non-empty)
+	st.Value(&oldWithValue).OldValue(&baseStruct).ExpectValid()
+
+	// Cannot unset (non-empty to empty)
+	st.Value(&newUnset).OldValue(&oldWithValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringNoUnset"), nil, "field cannot be cleared once set").WithOrigin("update"),
+	})
+
+	// String NoModify
+	oldEmpty := baseStruct
+	withValue := baseStruct
+	withValue.StringNoModify = "value"
+	modified := baseStruct
+	modified.StringNoModify = "different"
+
+	// Can set initially (empty to non-empty)
+	st.Value(&withValue).OldValue(&oldEmpty).ExpectValid()
+
+	// Can unset (non-empty to empty)
+	st.Value(&oldEmpty).OldValue(&withValue).ExpectValid()
+
+	// Cannot modify (non-empty to different non-empty)
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// String Fully Restricted
+	oldEmpty = baseStruct
+	withValue = baseStruct
+	withValue.StringFullyRestricted = "value"
+	modified = baseStruct
+	modified.StringFullyRestricted = "different"
+
+	// Cannot set (NoSet)
+	st.Value(&withValue).OldValue(&oldEmpty).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringFullyRestricted"), nil, "field cannot be set once created").WithOrigin("update"),
+	})
+
+	// Cannot unset (NoUnset)
+	st.Value(&oldEmpty).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringFullyRestricted"), nil, "field cannot be cleared once set").WithOrigin("update"),
+	})
+
+	// Cannot modify (NoModify)
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringFullyRestricted"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// String Set-Once Pattern
+	oldEmpty = baseStruct
+	withValue = baseStruct
+	withValue.StringSetOnce = "value"
+	modified = baseStruct
+	modified.StringSetOnce = "different"
+
+	// Can set once (empty to non-empty)
+	st.Value(&withValue).OldValue(&oldEmpty).ExpectValid()
+
+	// Cannot unset (NoUnset)
+	st.Value(&oldEmpty).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringSetOnce"), nil, "field cannot be cleared once set").WithOrigin("update"),
+	})
+
+	// Cannot modify (NoModify)
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("stringSetOnce"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Int NoModify
+	oldZero := baseStruct
+	withValue = baseStruct
+	withValue.IntNoModify = 10
+
+	// Can transition from 0 to 10 (unset to set is allowed)
+	st.Value(&withValue).OldValue(&oldZero).ExpectValid()
+
+	// Cannot modify from one non-zero to another
+	modified = baseStruct
+	modified.IntNoModify = 20
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("intNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Int32 NoModify
+	old = baseStruct
+	withValue = baseStruct
+	withValue.Int32NoModify = 42
+
+	// Can set initially
+	st.Value(&withValue).OldValue(&old).ExpectValid()
+
+	// Cannot modify
+	modified = baseStruct
+	modified.Int32NoModify = 100
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("int32NoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Uint NoModify
+	old = baseStruct
+	withValue = baseStruct
+	withValue.UintNoModify = 42
+
+	// Can set initially
+	st.Value(&withValue).OldValue(&old).ExpectValid()
+
+	// Cannot modify
+	modified = baseStruct
+	modified.UintNoModify = 100
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("uintNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Bool NoModify
+	oldFalse := baseStruct
+	withTrue := baseStruct
+	withTrue.BoolNoModify = true
+
+	// Can transition from false to true (unset to set)
+	st.Value(&withTrue).OldValue(&oldFalse).ExpectValid()
+
+	// Cannot modify back to false
+	st.Value(&oldFalse).OldValue(&withTrue).ExpectValid() // This is allowed as it's set->unset
+
+	// Float32 NoModify
+	old = baseStruct
+	withValue = baseStruct
+	withValue.Float32NoModify = 3.14
+
+	// Can set initially
+	st.Value(&withValue).OldValue(&old).ExpectValid()
+
+	// Cannot modify
+	modified = baseStruct
+	modified.Float32NoModify = 2.71
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("float32NoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Float64 NoModify
+	oldZero = baseStruct
+	withValue = baseStruct
+	withValue.Float64NoModify = 3.14
+
+	// Can transition from 0.0 to 3.14
+	st.Value(&withValue).OldValue(&oldZero).ExpectValid()
+
+	// Cannot modify to different value
+	modified = baseStruct
+	modified.Float64NoModify = 2.71
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("float64NoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Byte NoModify
+	old = baseStruct
+	withValue = baseStruct
+	withValue.ByteNoModify = 255
+
+	// Can set initially
+	st.Value(&withValue).OldValue(&old).ExpectValid()
+
+	// Cannot modify
+	modified = baseStruct
+	modified.ByteNoModify = 128
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("byteNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Struct NoModify
+	withStruct := baseStruct
+	withStruct.StructNoModify = TestStruct{StringField: "value", IntField: 42}
+
+	modifiedStruct := baseStruct
+	modifiedStruct.StructNoModify = TestStruct{StringField: "different", IntField: 100}
+
+	// Cannot modify (struct fields are always set, never unset)
+	st.Value(&modifiedStruct).OldValue(&withStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("structNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// NonComparable Struct NoModify - uses reflection
+	// For non-pointer structs, even zero value is considered "set"
+	// So any change is a modification
+	old = baseStruct
+	old.NonComparableStructNoModify = NonComparableStruct{} // zero value
+
+	withValue = baseStruct
+	withValue.NonComparableStructNoModify = NonComparableStruct{
+		SliceField: []string{"a", "b"},
+		IntField:   42,
+	}
+
+	// Cannot change from zero value to non-zero (both are "set")
+	st.Value(&withValue).OldValue(&old).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("nonComparableStructNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Also cannot modify between two non-zero values
+	modified = baseStruct
+	modified.NonComparableStructNoModify = NonComparableStruct{
+		SliceField: []string{"c", "d"},
+		IntField:   100,
+	}
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("nonComparableStructNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Can keep the same value
+	st.Value(&withValue).OldValue(&withValue).ExpectValid()
+
+	// Pointer NoSet
+	withSet := baseStruct
+	withSet.PointerNoSet = ptr.To("value")
+
+	// Cannot set after creation (nil to non-nil)
+	st.Value(&withSet).OldValue(&baseStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerNoSet"), nil, "field cannot be set once created").WithOrigin("update"),
+	})
+
+	// Pointer NoUnset
+	withPointer := baseStruct
+	withPointer.PointerNoUnset = ptr.To("value")
+
+	// Can set initially
+	st.Value(&withPointer).OldValue(&baseStruct).ExpectValid()
+
+	// Cannot unset (non-nil to nil)
+	st.Value(&baseStruct).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerNoUnset"), nil, "field cannot be cleared once set").WithOrigin("update"),
+	})
+
+	// Pointer NoModify
+	withPointer = baseStruct
+	withPointer.PointerNoModify = ptr.To("value")
+
+	modifiedPointer := baseStruct
+	modifiedPointer.PointerNoModify = ptr.To("different")
+
+	// Can set initially
+	st.Value(&withPointer).OldValue(&baseStruct).ExpectValid()
+
+	// Can unset (NoModify allows set/unset transitions)
+	st.Value(&baseStruct).OldValue(&withPointer).ExpectValid()
+
+	// Cannot modify content
+	st.Value(&modifiedPointer).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Pointer Fully Restricted
+	withPointer = baseStruct
+	withPointer.PointerFullyRestricted = ptr.To("value")
+
+	modifiedPointer = baseStruct
+	modifiedPointer.PointerFullyRestricted = ptr.To("different")
+
+	// Cannot set (NoSet)
+	st.Value(&withPointer).OldValue(&baseStruct).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerFullyRestricted"), nil, "field cannot be set once created").WithOrigin("update"),
+	})
+
+	// Cannot unset (NoUnset)
+	st.Value(&baseStruct).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerFullyRestricted"), nil, "field cannot be cleared once set").WithOrigin("update"),
+	})
+
+	// Cannot modify (NoModify)
+	st.Value(&modifiedPointer).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("pointerFullyRestricted"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Int Pointer NoModify
+	withPointer = baseStruct
+	withPointer.IntPointerNoModify = ptr.To(42)
+
+	modifiedPointer = baseStruct
+	modifiedPointer.IntPointerNoModify = ptr.To(100)
+
+	// Can set initially
+	st.Value(&withPointer).OldValue(&baseStruct).ExpectValid()
+
+	// Can unset
+	st.Value(&baseStruct).OldValue(&withPointer).ExpectValid()
+
+	// Cannot modify content
+	st.Value(&modifiedPointer).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("intPointerNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Bool Pointer NoModify
+	falseVal := false
+	trueVal := true
+
+	withFalse := baseStruct
+	withFalse.BoolPointerNoModify = &falseVal
+
+	withTrue = baseStruct
+	withTrue.BoolPointerNoModify = &trueVal
+
+	// Can set initially
+	st.Value(&withFalse).OldValue(&baseStruct).ExpectValid()
+
+	// Cannot modify content
+	st.Value(&withTrue).OldValue(&withFalse).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("boolPointerNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Struct Pointer NoModify
+	withPointer = baseStruct
+	withPointer.StructPointerNoModify = &TestStruct{StringField: "value", IntField: 42}
+
+	modifiedPointer = baseStruct
+	modifiedPointer.StructPointerNoModify = &TestStruct{StringField: "different", IntField: 100}
+
+	// Can set initially
+	st.Value(&withPointer).OldValue(&baseStruct).ExpectValid()
+
+	// Can unset
+	st.Value(&baseStruct).OldValue(&withPointer).ExpectValid()
+
+	// Cannot modify content
+	st.Value(&modifiedPointer).OldValue(&withPointer).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("structPointerNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Custom Type NoModify
+	old = baseStruct
+	withValue = baseStruct
+	withValue.CustomTypeNoModify = "custom-value"
+
+	// Can set initially
+	st.Value(&withValue).OldValue(&old).ExpectValid()
+
+	// Cannot modify
+	modified = baseStruct
+	modified.CustomTypeNoModify = "different-value"
+	st.Value(&modified).OldValue(&withValue).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("customTypeNoModify"), nil, "field cannot be modified once set").WithOrigin("update"),
+	})
+
+	// Custom Type NoSet
+	old = baseStruct
+	withValue = baseStruct
+	withValue.CustomTypeNoSet = 42
+
+	// Cannot set
+	st.Value(&withValue).OldValue(&old).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("customTypeNoSet"), nil, "field cannot be set once created").WithOrigin("update"),
+	})
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/zz_generated.validations.go
new file mode 100644
index 0000000000000..3fe9bad19598e
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/update/zz_generated.validations.go
@@ -0,0 +1,514 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by validation-gen. DO NOT EDIT.
+
+package update
+
+import (
+	context "context"
+	fmt "fmt"
+
+	equality "k8s.io/apimachinery/pkg/api/equality"
+	operation "k8s.io/apimachinery/pkg/api/operation"
+	safe "k8s.io/apimachinery/pkg/api/safe"
+	validate "k8s.io/apimachinery/pkg/api/validate"
+	field "k8s.io/apimachinery/pkg/util/validation/field"
+	testscheme "k8s.io/code-generator/cmd/validation-gen/testscheme"
+)
+
+func init() { localSchemeBuilder.Register(RegisterValidations) }
+
+// RegisterValidations adds validation functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type UpdateTestStruct
+	scheme.AddValidationFunc((*UpdateTestStruct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
+		switch op.Request.SubresourcePath() {
+		case "/":
+			return Validate_UpdateTestStruct(ctx, op, nil /* fldPath */, obj.(*UpdateTestStruct), safe.Cast[*UpdateTestStruct](oldObj))
+		}
+		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
+	})
+	return nil
+}
+
+// Validate_UpdateTestStruct validates an instance of UpdateTestStruct according
+// to declarative validation rules in the API schema.
+func Validate_UpdateTestStruct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *UpdateTestStruct) (errs field.ErrorList) {
+	// field UpdateTestStruct.TypeMeta has no validation
+
+	// field UpdateTestStruct.StringNoSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoSet); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("stringNoSet"), &obj.StringNoSet, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return &oldObj.StringNoSet }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StringNoUnset
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoUnset); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("stringNoUnset"), &obj.StringNoUnset, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return &oldObj.StringNoUnset }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StringNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("stringNoModify"), &obj.StringNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return &oldObj.StringNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StringFullyRestricted
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoSet, validate.NoUnset, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("stringFullyRestricted"), &obj.StringFullyRestricted, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return &oldObj.StringFullyRestricted }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StringSetOnce
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoUnset, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("stringSetOnce"), &obj.StringSetOnce, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return &oldObj.StringSetOnce }), oldObj != nil)...)
+
+	// field UpdateTestStruct.IntNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("intNoModify"), &obj.IntNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *int { return &oldObj.IntNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.Int32NoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int32, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("int32NoModify"), &obj.Int32NoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *int32 { return &oldObj.Int32NoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.Int64NoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("int64NoModify"), &obj.Int64NoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *int64 { return &oldObj.Int64NoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.UintNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *uint, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("uintNoModify"), &obj.UintNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *uint { return &oldObj.UintNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.BoolNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("boolNoModify"), &obj.BoolNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *bool { return &oldObj.BoolNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.Float32NoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *float32, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("float32NoModify"), &obj.Float32NoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *float32 { return &oldObj.Float32NoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.Float64NoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("float64NoModify"), &obj.Float64NoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *float64 { return &oldObj.Float64NoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.ByteNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *byte, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("byteNoModify"), &obj.ByteNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *byte { return &oldObj.ByteNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StructNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *TestStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateStruct(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("structNoModify"), &obj.StructNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *TestStruct { return &oldObj.StructNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.NonComparableStructNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *NonComparableStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateStruct(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("nonComparableStructNoModify"), &obj.NonComparableStructNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *NonComparableStruct { return &oldObj.NonComparableStructNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.PointerNoSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoSet); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("pointerNoSet"), obj.PointerNoSet, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return oldObj.PointerNoSet }), oldObj != nil)...)
+
+	// field UpdateTestStruct.PointerNoUnset
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoUnset); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("pointerNoUnset"), obj.PointerNoUnset, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return oldObj.PointerNoUnset }), oldObj != nil)...)
+
+	// field UpdateTestStruct.PointerNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("pointerNoModify"), obj.PointerNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return oldObj.PointerNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.PointerFullyRestricted
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoSet, validate.NoUnset, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("pointerFullyRestricted"), obj.PointerFullyRestricted, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *string { return oldObj.PointerFullyRestricted }), oldObj != nil)...)
+
+	// field UpdateTestStruct.IntPointerNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("intPointerNoModify"), obj.IntPointerNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *int { return oldObj.IntPointerNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.BoolPointerNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("boolPointerNoModify"), obj.BoolPointerNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *bool { return oldObj.BoolPointerNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.StructPointerNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *TestStruct, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdatePointer(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("structPointerNoModify"), obj.StructPointerNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *TestStruct { return oldObj.StructPointerNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.CustomTypeNoModify
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *CustomString, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoModify); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("customTypeNoModify"), &obj.CustomTypeNoModify, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *CustomString { return &oldObj.CustomTypeNoModify }), oldObj != nil)...)
+
+	// field UpdateTestStruct.CustomTypeNoSet
+	errs = append(errs,
+		func(fldPath *field.Path, obj, oldObj *CustomInt, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.UpdateValueByCompare(ctx, op, fldPath, obj, oldObj, validate.NoSet); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
+			}
+			return
+		}(fldPath.Child("customTypeNoSet"), &obj.CustomTypeNoSet, safe.Field(oldObj, func(oldObj *UpdateTestStruct) *CustomInt { return &oldObj.CustomTypeNoSet }), oldObj != nil)...)
+
+	return errs
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_false/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_false/zz_generated.validations.go
index 81e19cd3c087e..f2f535af98606 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_false/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_false/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,18 +48,22 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field Struct.StringField")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_true/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_true/zz_generated.validations.go
index 5a425c89556df..64edd69dd3ae5 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_true/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/validate_true/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,18 +48,22 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.TypeMeta has no validation
 
 	// field Struct.StringField
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, true, "field Struct.StringField")...)
 			return
-		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }))...)
+		}(fldPath.Child("stringField"), &obj.StringField, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.StringField }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/doc_test.go
index 9707ab935c417..a8d559372e9f7 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/doc_test.go
@@ -31,9 +31,9 @@ func Test(t *testing.T) {
 	st.Value(&Struct{M1: &M1{}}).ExpectValid()
 	st.Value(&Struct{M2: &M2{}}).ExpectValid()
 
-	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m2}", "must specify at most one of: `m1`, `m2`"),
-	)
+	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).OldValue(&Struct{M1: &M1{}, M2: &M2{}}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/zz_generated.validations.go
index 42838db0f8467..90cdf50da3269 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/custom_members/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_custom_members_Struct_ = validate.NewUnionMembership([2]string{"m1", "CustomM1"}, [2]string{"m2", "CustomM2"})
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_custom_members_Struct_ = validate.NewUnionMembership(validate.NewUnionMember("m1"), validate.NewUnionMember("m2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_custom_members_Struct_, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -72,27 +70,39 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/doc_test.go
index d1f1155149f02..2be31c9563a1b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/doc_test.go
@@ -37,21 +37,20 @@ func Test(t *testing.T) {
 	st.Value(&Struct{U2M2: &M2{}}).ExpectValid()
 
 	// Multiple members in one union
-	st.Value(&Struct{U1M1: &M1{}, U1M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{u1m1, u1m2}", "must specify at most one of: `u1m1`, `u1m2`"),
-	)
+	st.Value(&Struct{U1M1: &M1{}, U1M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
 
-	st.Value(&Struct{U2M1: &M1{}, U2M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{u2m1, u2m2}", "must specify at most one of: `u2m1`, `u2m2`"),
-	)
+	st.Value(&Struct{U2M1: &M1{}, U2M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
 
 	st.Value(&Struct{
 		U1M1: &M1{}, U1M2: &M2{},
 		U2M1: &M1{}, U2M2: &M2{},
-	}).ExpectInvalid(
-		field.Invalid(nil, "{u1m1, u1m2}", "must specify at most one of: `u1m1`, `u1m2`"),
-		field.Invalid(nil, "{u2m1, u2m2}", "must specify at most one of: `u2m1`, `u2m2`"),
-	)
+	}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
 
 	// Test validation ratcheting
 	st.Value(&Struct{}).OldValue(&Struct{}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/zz_generated.validations.go
index 453e46b41c6a3..4e73c44d4fc27 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/multiple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,14 +48,12 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_multiple_Struct_union1 = validate.NewUnionMembership([2]string{"u1m1", "U1M1"}, [2]string{"u1m2", "U1M2"})
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_multiple_Struct_union2 = validate.NewUnionMembership([2]string{"u2m1", "U2M1"}, [2]string{"u2m2", "U2M2"})
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_multiple_Struct_union1 = validate.NewUnionMembership(validate.NewUnionMember("u1m1"), validate.NewUnionMember("u1m2"))
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_multiple_Struct_union2 = validate.NewUnionMembership(validate.NewUnionMember("u2m1"), validate.NewUnionMember("u2m2"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_multiple_Struct_union1, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -84,51 +82,75 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.U1M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }))...)
+		}(fldPath.Child("u1m1"), obj.U1M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U1M1 }), oldObj != nil)...)
 
 	// field Struct.U1M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }))...)
+		}(fldPath.Child("u1m2"), obj.U1M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U1M2 }), oldObj != nil)...)
 
 	// field Struct.U2M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }))...)
+		}(fldPath.Child("u2m1"), obj.U2M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.U2M1 }), oldObj != nil)...)
 
 	// field Struct.U2M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }))...)
+		}(fldPath.Child("u2m2"), obj.U2M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.U2M2 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/doc_test.go
index f2024c936c181..01a92457af988 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/doc_test.go
@@ -34,15 +34,15 @@ func Test(t *testing.T) {
 	st.Value(&Struct{M3: "a string"}).ExpectValid()
 	st.Value(&Struct{M4: ptr.To("a string")}).ExpectValid()
 
-	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m2}", "must specify at most one of: `m1`, `m2`, `m3`, `m4`"),
-	)
-	st.Value(&Struct{M1: &M1{}, M3: "a string"}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m3}", "must specify at most one of: `m1`, `m2`, `m3`, `m4`"),
-	)
-	st.Value(&Struct{M1: &M1{}, M4: ptr.To("a string")}).ExpectInvalid(
-		field.Invalid(nil, "{m1, m4}", "must specify at most one of: `m1`, `m2`, `m3`, `m4`"),
-	)
+	st.Value(&Struct{M1: &M1{}, M2: &M2{}}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
+	st.Value(&Struct{M1: &M1{}, M3: "a string"}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
+	st.Value(&Struct{M1: &M1{}, M4: ptr.To("a string")}).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(nil, nil, "must specify at most one of").WithOrigin("zeroOrOneOf"),
+	})
 
 	// Update only considers whether a field was set, not the value.
 	st.Value(&Struct{M3: "a string"}).OldValue(&Struct{M3: "different string"}).ExpectValid()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/zz_generated.validations.go
index b93470cc83ad0..3a2d4ee6d400a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/tags/zerooroneof/zerooroneof/simple/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,13 +48,11 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
-var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_simple_Struct_ = validate.NewUnionMembership([2]string{"m1", "M1"}, [2]string{"m2", "M2"}, [2]string{"m3", "M3"}, [2]string{"m4", "M4"})
+var zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_simple_Struct_ = validate.NewUnionMembership(validate.NewUnionMember("m1"), validate.NewUnionMember("m2"), validate.NewUnionMember("m3"), validate.NewUnionMember("m4"))
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
-	// type Struct
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.ZeroOrOneOfUnion(ctx, op, fldPath, obj, oldObj, zeroOrOneOfMembershipFor_k8s_io_code_generator_cmd_validation_gen_output_tests_tags_zerooroneof_zerooroneof_simple_Struct_, func(obj *Struct) bool {
 		if obj == nil {
 			return false
@@ -83,51 +81,75 @@ func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field
 
 	// field Struct.M1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }))...)
+		}(fldPath.Child("m1"), obj.M1, safe.Field(oldObj, func(oldObj *Struct) *M1 { return oldObj.M1 }), oldObj != nil)...)
 
 	// field Struct.M2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *M2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *M2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }))...)
+		}(fldPath.Child("m2"), obj.M2, safe.Field(oldObj, func(oldObj *Struct) *M2 { return oldObj.M2 }), oldObj != nil)...)
 
 	// field Struct.M3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalValue(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m3"), &obj.M3, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.M3 }))...)
+		}(fldPath.Child("m3"), &obj.M3, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.M3 }), oldObj != nil)...)
 
 	// field Struct.M4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
+			earlyReturn := false
 			if e := validate.OptionalPointer(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				earlyReturn = true
+			}
+			if earlyReturn {
 				return // do not proceed
 			}
 			return
-		}(fldPath.Child("m4"), obj.M4, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.M4 }))...)
+		}(fldPath.Child("m4"), obj.M4, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.M4 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/type_args/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/type_args/zz_generated.validations.go
index 7707e9a900585..afe42d55a1fe8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/type_args/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/type_args/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,82 +49,98 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_E1 validates an instance of E1 according
+// to declarative validation rules in the API schema.
 func Validate_E1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-	// type E1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E1")...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.TypeMeta has no validation
 
 	// field T1.S1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*primitives.T1](ctx, op, fldPath, obj, oldObj, false, "T1.S1")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("s1"), obj.S1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.S1 }))...)
+		}(fldPath.Child("s1"), obj.S1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.S1 }), oldObj != nil)...)
 
 	// field T1.PS1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *primitives.T1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *primitives.T1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*primitives.T1](ctx, op, fldPath, obj, oldObj, false, "PT1.PS1")...)
+			// call the type's validation function
 			errs = append(errs, primitives.Validate_T1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("ps1"), obj.PS1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PS1 }))...)
+		}(fldPath.Child("ps1"), obj.PS1, safe.Field(oldObj, func(oldObj *T1) *primitives.T1 { return oldObj.PS1 }), oldObj != nil)...)
 
 	// field T1.E1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*E1](ctx, op, fldPath, obj, oldObj, false, "T1.E1")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }))...)
+		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }), oldObj != nil)...)
 
 	// field T1.PE1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*E1](ctx, op, fldPath, obj, oldObj, true, "T1.PE1")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pe1"), obj.PE1, safe.Field(oldObj, func(oldObj *T1) *E1 { return oldObj.PE1 }))...)
+		}(fldPath.Child("pe1"), obj.PE1, safe.Field(oldObj, func(oldObj *T1) *E1 { return oldObj.PE1 }), oldObj != nil)...)
 
 	// field T1.I1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*int](ctx, op, fldPath, obj, oldObj, false, "T1.I1")...)
 			return
-		}(fldPath.Child("i1"), &obj.I1, safe.Field(oldObj, func(oldObj *T1) *int { return &oldObj.I1 }))...)
+		}(fldPath.Child("i1"), &obj.I1, safe.Field(oldObj, func(oldObj *T1) *int { return &oldObj.I1 }), oldObj != nil)...)
 
 	// field T1.PI1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult[*int](ctx, op, fldPath, obj, oldObj, true, "T1.PI1")...)
 			return
-		}(fldPath.Child("pi1"), obj.PI1, safe.Field(oldObj, func(oldObj *T1) *int { return oldObj.PI1 }))...)
+		}(fldPath.Child("pi1"), obj.PI1, safe.Field(oldObj, func(oldObj *T1) *int { return oldObj.PI1 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/typedefs/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/typedefs/zz_generated.validations.go
index 90ace8690220b..d0dc30ea08046 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/typedefs/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/typedefs/zz_generated.validations.go
@@ -25,7 +25,6 @@ import (
 	context "context"
 	fmt "fmt"
 
-	equality "k8s.io/apimachinery/pkg/api/equality"
 	operation "k8s.io/apimachinery/pkg/api/operation"
 	safe "k8s.io/apimachinery/pkg/api/safe"
 	validate "k8s.io/apimachinery/pkg/api/validate"
@@ -38,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -48,194 +48,216 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_E1 validates an instance of E1 according
+// to declarative validation rules in the API schema.
 func Validate_E1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-	// type E1
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E1")...)
 
 	return errs
 }
 
+// Validate_E2 validates an instance of E2 according
+// to declarative validation rules in the API schema.
 func Validate_E2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E2) (errs field.ErrorList) {
-	// type E2
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E2")...)
 
 	return errs
 }
 
+// Validate_E3 validates an instance of E3 according
+// to declarative validation rules in the API schema.
 func Validate_E3(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E3) (errs field.ErrorList) {
-	// type E3
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E3")...)
 
 	return errs
 }
 
+// Validate_E4 validates an instance of E4 according
+// to declarative validation rules in the API schema.
 func Validate_E4(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *E4) (errs field.ErrorList) {
-	// type E4
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type E4")...)
 
 	// field E4.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *E4) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *E4) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
-	// type T1
-	if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T1")...)
 
 	// field T1.TypeMeta has no validation
 
 	// field T1.E1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E1")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }))...)
+		}(fldPath.Child("e1"), &obj.E1, safe.Field(oldObj, func(oldObj *T1) *E1 { return &oldObj.E1 }), oldObj != nil)...)
 
 	// field T1.PE1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E1) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PE1")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E1(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pe1"), obj.PE1, safe.Field(oldObj, func(oldObj *T1) *E1 { return oldObj.PE1 }))...)
+		}(fldPath.Child("pe1"), obj.PE1, safe.Field(oldObj, func(oldObj *T1) *E1 { return oldObj.PE1 }), oldObj != nil)...)
 
 	// field T1.E2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e2"), &obj.E2, safe.Field(oldObj, func(oldObj *T1) *E2 { return &oldObj.E2 }))...)
+		}(fldPath.Child("e2"), &obj.E2, safe.Field(oldObj, func(oldObj *T1) *E2 { return &oldObj.E2 }), oldObj != nil)...)
 
 	// field T1.PE2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PE2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pe2"), obj.PE2, safe.Field(oldObj, func(oldObj *T1) *E2 { return oldObj.PE2 }))...)
+		}(fldPath.Child("pe2"), obj.PE2, safe.Field(oldObj, func(oldObj *T1) *E2 { return oldObj.PE2 }), oldObj != nil)...)
 
 	// field T1.E3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E3")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e3"), &obj.E3, safe.Field(oldObj, func(oldObj *T1) *E3 { return &oldObj.E3 }))...)
+		}(fldPath.Child("e3"), &obj.E3, safe.Field(oldObj, func(oldObj *T1) *E3 { return &oldObj.E3 }), oldObj != nil)...)
 
 	// field T1.PE3
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E3) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E3, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PE3")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E3(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pe3"), obj.PE3, safe.Field(oldObj, func(oldObj *T1) *E3 { return oldObj.PE3 }))...)
+		}(fldPath.Child("pe3"), obj.PE3, safe.Field(oldObj, func(oldObj *T1) *E3 { return oldObj.PE3 }), oldObj != nil)...)
 
 	// field T1.E4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E4) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.E4")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("e4"), &obj.E4, safe.Field(oldObj, func(oldObj *T1) *E4 { return &oldObj.E4 }))...)
+		}(fldPath.Child("e4"), &obj.E4, safe.Field(oldObj, func(oldObj *T1) *E4 { return &oldObj.E4 }), oldObj != nil)...)
 
 	// field T1.PE4
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *E4) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *E4, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PE4")...)
+			// call the type's validation function
 			errs = append(errs, Validate_E4(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pe4"), obj.PE4, safe.Field(oldObj, func(oldObj *T1) *E4 { return oldObj.PE4 }))...)
+		}(fldPath.Child("pe4"), obj.PE4, safe.Field(oldObj, func(oldObj *T1) *E4 { return oldObj.PE4 }), oldObj != nil)...)
 
 	// field T1.T2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.T2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }))...)
+		}(fldPath.Child("t2"), &obj.T2, safe.Field(oldObj, func(oldObj *T1) *T2 { return &oldObj.T2 }), oldObj != nil)...)
 
 	// field T1.PT2
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *T2, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T1.PT2")...)
+			// call the type's validation function
 			errs = append(errs, Validate_T2(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }))...)
+		}(fldPath.Child("pt2"), obj.PT2, safe.Field(oldObj, func(oldObj *T1) *T2 { return oldObj.PT2 }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T2 validates an instance of T2 according
+// to declarative validation rules in the API schema.
 func Validate_T2(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T2) (errs field.ErrorList) {
-	// type T2
-	if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-		return nil // no changes
-	}
 	errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "type T2")...)
 
 	// field T2.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "field T2.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *T2) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/lists/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/lists/zz_generated.validations.go
index dd11abd4d5d93..530fe6e7602e8 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/lists/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/lists/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type M1
 	scheme.AddValidationFunc((*M1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -55,30 +57,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_M1 validates an instance of M1 according
+// to declarative validation rules in the API schema.
 func Validate_M1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
 	// field M1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "M1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *M1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *M1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.LM1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj []M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj []M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the list and call the type's validation function
 			errs = append(errs, validate.EachSliceVal(ctx, op, fldPath, obj, oldObj, nil, nil, Validate_M1)...)
 			return
-		}(fldPath.Child("lm1"), obj.LM1, safe.Field(oldObj, func(oldObj *T1) []M1 { return oldObj.LM1 }))...)
+		}(fldPath.Child("lm1"), obj.LM1, safe.Field(oldObj, func(oldObj *T1) []M1 { return oldObj.LM1 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/maps/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/maps/zz_generated.validations.go
index 6452a643a0f61..0540e426e3eef 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/maps/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/maps/zz_generated.validations.go
@@ -38,6 +38,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type M1
 	scheme.AddValidationFunc((*M1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -45,6 +46,7 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 		}
 		return field.ErrorList{field.InternalError(nil, fmt.Errorf("no validation found for %T, subresource: %v", obj, op.Request.SubresourcePath()))}
 	})
+	// type T1
 	scheme.AddValidationFunc((*T1)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -55,30 +57,38 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_M1 validates an instance of M1 according
+// to declarative validation rules in the API schema.
 func Validate_M1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *M1) (errs field.ErrorList) {
 	// field M1.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
 			}
+			// call field-attached validations
 			errs = append(errs, validate.FixedResult(ctx, op, fldPath, obj, oldObj, false, "M1.S")...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *M1) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *M1) *string { return &oldObj.S }), oldObj != nil)...)
 
 	return errs
 }
 
+// Validate_T1 validates an instance of T1 according
+// to declarative validation rules in the API schema.
 func Validate_T1(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *T1) (errs field.ErrorList) {
 	// field T1.MSM1
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj map[string]M1) (errs field.ErrorList) {
-			if op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj map[string]M1, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && equality.Semantic.DeepEqual(obj, oldObj) {
+				return nil
 			}
+			// iterate the map and call the value type's validation function
 			errs = append(errs, validate.EachMapVal(ctx, op, fldPath, obj, oldObj, validate.DirectEqual, Validate_M1)...)
 			return
-		}(fldPath.Child("msm1"), obj.MSM1, safe.Field(oldObj, func(oldObj *T1) map[string]M1 { return oldObj.MSM1 }))...)
+		}(fldPath.Child("msm1"), obj.MSM1, safe.Field(oldObj, func(oldObj *T1) map[string]M1 { return oldObj.MSM1 }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/doc_test.go
index f6022bbe1f14d..fb0e735218e21 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/doc_test.go
@@ -52,10 +52,10 @@ func Test(t *testing.T) {
 
 	st.Value(&structA1).OldValue(&structA2).ExpectValid()
 
-	st.Value(&structA1).OldValue(&structB).ExpectInvalid(
-		field.Forbidden(field.NewPath("sp"), "field is immutable"),
-		field.Forbidden(field.NewPath("ip"), "field is immutable"),
-		field.Forbidden(field.NewPath("bp"), "field is immutable"),
-		field.Forbidden(field.NewPath("fp"), "field is immutable"),
-	)
+	st.Value(&structA1).OldValue(&structB).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("sp"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("ip"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("bp"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("fp"), nil, "").WithOrigin("immutable"),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/zz_generated.validations.go
index 2b92cfb9acee2..d67280723b7c1 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitive_pointers/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,46 +48,84 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.SP
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("sp"), obj.SP, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.SP }))...)
+		}(fldPath.Child("sp"), obj.SP, safe.Field(oldObj, func(oldObj *Struct) *string { return oldObj.SP }), oldObj != nil)...)
 
 	// field Struct.IP
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("ip"), obj.IP, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IP }))...)
+		}(fldPath.Child("ip"), obj.IP, safe.Field(oldObj, func(oldObj *Struct) *int { return oldObj.IP }), oldObj != nil)...)
 
 	// field Struct.BP
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("bp"), obj.BP, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BP }))...)
+		}(fldPath.Child("bp"), obj.BP, safe.Field(oldObj, func(oldObj *Struct) *bool { return oldObj.BP }), oldObj != nil)...)
 
 	// field Struct.FP
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("fp"), obj.FP, safe.Field(oldObj, func(oldObj *Struct) *float64 { return oldObj.FP }))...)
+		}(fldPath.Child("fp"), obj.FP, safe.Field(oldObj, func(oldObj *Struct) *float64 { return oldObj.FP }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/doc_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/doc_test.go
index 93ccc70ff5750..1a2ac506d3e7b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/doc_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/doc_test.go
@@ -42,10 +42,10 @@ func Test(t *testing.T) {
 
 	st.Value(&structA).OldValue(&structA).ExpectValid()
 
-	st.Value(&structA).OldValue(&structB).ExpectInvalid(
-		field.Forbidden(field.NewPath("s"), "field is immutable"),
-		field.Forbidden(field.NewPath("i"), "field is immutable"),
-		field.Forbidden(field.NewPath("b"), "field is immutable"),
-		field.Forbidden(field.NewPath("f"), "field is immutable"),
-	)
+	st.Value(&structA).OldValue(&structB).ExpectMatches(field.ErrorMatcher{}.ByType().ByField().ByDetailSubstring().ByOrigin(), field.ErrorList{
+		field.Invalid(field.NewPath("s"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("i"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("b"), nil, "").WithOrigin("immutable"),
+		field.Invalid(field.NewPath("f"), nil, "").WithOrigin("immutable"),
+	})
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/zz_generated.validations.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/zz_generated.validations.go
index 3bad101b1880c..029e994e89ba3 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/zz_generated.validations.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/output_tests/update_validations/primitives/zz_generated.validations.go
@@ -37,6 +37,7 @@ func init() { localSchemeBuilder.Register(RegisterValidations) }
 // RegisterValidations adds validation functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterValidations(scheme *testscheme.Scheme) error {
+	// type Struct
 	scheme.AddValidationFunc((*Struct)(nil), func(ctx context.Context, op operation.Operation, obj, oldObj interface{}) field.ErrorList {
 		switch op.Request.SubresourcePath() {
 		case "/":
@@ -47,46 +48,84 @@ func RegisterValidations(scheme *testscheme.Scheme) error {
 	return nil
 }
 
+// Validate_Struct validates an instance of Struct according
+// to declarative validation rules in the API schema.
 func Validate_Struct(ctx context.Context, op operation.Operation, fldPath *field.Path, obj, oldObj *Struct) (errs field.ErrorList) {
 	// field Struct.S
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *string) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *string, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.S }))...)
+		}(fldPath.Child("s"), &obj.S, safe.Field(oldObj, func(oldObj *Struct) *string { return &oldObj.S }), oldObj != nil)...)
 
 	// field Struct.I
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *int) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *int, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.I }))...)
+		}(fldPath.Child("i"), &obj.I, safe.Field(oldObj, func(oldObj *Struct) *int { return &oldObj.I }), oldObj != nil)...)
 
 	// field Struct.B
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *bool) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *bool, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.B }))...)
+		}(fldPath.Child("b"), &obj.B, safe.Field(oldObj, func(oldObj *Struct) *bool { return &oldObj.B }), oldObj != nil)...)
 
 	// field Struct.F
 	errs = append(errs,
-		func(fldPath *field.Path, obj, oldObj *float64) (errs field.ErrorList) {
-			if op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
-				return nil // no changes
+		func(fldPath *field.Path, obj, oldObj *float64, oldValueCorrelated bool) (errs field.ErrorList) {
+			// don't revalidate unchanged data
+			if oldValueCorrelated && op.Type == operation.Update && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {
+				return nil
+			}
+			// call field-attached validations
+			earlyReturn := false
+			if e := validate.Immutable(ctx, op, fldPath, obj, oldObj); len(e) != 0 {
+				errs = append(errs, e...)
+				earlyReturn = true
+			}
+			if earlyReturn {
+				return // do not proceed
 			}
-			errs = append(errs, validate.ImmutableByCompare(ctx, op, fldPath, obj, oldObj)...)
 			return
-		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *Struct) *float64 { return &oldObj.F }))...)
+		}(fldPath.Child("f"), &obj.F, safe.Field(oldObj, func(oldObj *Struct) *float64 { return &oldObj.F }), oldObj != nil)...)
 
 	return errs
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/targets.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/targets.go
index 3e7416f271437..8ed228c109299 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/targets.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/targets.go
@@ -287,6 +287,9 @@ func GetTargets(context *generator.Context, args *Args) []generator.Target {
 
 	// Create a type discoverer for all types of all inputs.
 	td := NewTypeDiscoverer(validator, inputToPkg)
+	if err := td.Init(context); err != nil {
+		klog.Fatalf("Error discovering constants: %v", err)
+	}
 
 	// Create a linter to collect errors as we go.
 	linter := newLinter()
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/doc.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/doc.go
index 5d0f21e167231..618fb7f72cd3c 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/doc.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/doc.go
@@ -34,7 +34,9 @@ limitations under the License.
 // by generated test fixtures.
 //
 // For example, to test by hand. The testschema provides utilities to create a value and assert
-// that the expected errors are returned when the value is validated:
+// that the expected errors are returned when the value is validated.
+// Note that if `OldValue()` or `OldValueFuzzed()` is called on the `ValidationTester`, subsequent
+// validation calls will implicitly use update validation.
 //
 //	 func Test(t *testing.T) {
 //		  st := localSchemeBuilder.Test(t)
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/testscheme.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/testscheme.go
index 07211c6e85d8a..5261c73dfe983 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/testscheme.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/testscheme/testscheme.go
@@ -28,7 +28,6 @@ import (
 	"os"
 	"path"
 	"reflect"
-	"regexp"
 	"sort"
 	"strings"
 	"testing"
@@ -246,16 +245,18 @@ type ValidationTester struct {
 	*ValidationTestBuilder
 	value        any
 	oldValue     any
+	isUpdate     bool
 	options      []string
 	subresources []string
 }
 
-// OldValue sets the oldValue for this ValidationTester. When oldValue is set to
-// a non-nil value, update validation will be used to test validation.
+// OldValue sets the oldValue for this ValidationTester. When oldValue is set,
+// update validation will be used to test validation.
 // oldValue must be the same type as value.
 // Returns ValidationTester to support call chaining.
 func (v *ValidationTester) OldValue(oldValue any) *ValidationTester {
 	v.oldValue = oldValue
+	v.isUpdate = true
 	return v
 }
 
@@ -264,6 +265,7 @@ func (v *ValidationTester) OldValue(oldValue any) *ValidationTester {
 func (v *ValidationTester) OldValueFuzzed(oldValue any) *ValidationTester {
 	randfiller().Fill(oldValue)
 	v.oldValue = oldValue
+	v.isUpdate = true
 	return v
 }
 
@@ -311,14 +313,11 @@ func (v *ValidationTester) ExpectValid() *ValidationTester {
 	return v
 }
 
-// ExpectInvalid validates the value and calls t.Errorf if want does not match the actual errors.
-// Returns ValidationTester to support call chaining.
-func (v *ValidationTester) ExpectInvalid(want ...*field.Error) *ValidationTester {
-	v.T.Helper()
-
-	return v.expectInvalid(byFullError, want...)
-}
-
+// ExpectValidateFalseByPath validates the value and looks for the errors
+// specifically produced by `+k8s:validateFalse` tags. Each field (the map key)
+// can have multiple error strings (the map value). Test which are trying
+// to prove that the validation logic itself (e.g. validation-gen) produces the
+// expected errors should use this method.
 func (v *ValidationTester) ExpectValidateFalseByPath(expectedByPath map[string][]string) *ValidationTester {
 	v.T.Helper()
 
@@ -358,65 +357,10 @@ func (v *ValidationTester) validateFalseArgsByPath() map[string][]string {
 	return byPath
 }
 
-func (v *ValidationTester) ExpectRegexpsByPath(regexpStringsByPath map[string][]string) *ValidationTester {
-	v.T.Helper()
-
-	v.T.Run(fmt.Sprintf("%T", v.value), func(t *testing.T) {
-		t.Helper()
-
-		errorsByPath := v.getErrorsByPath()
-
-		// sanity check
-		if want, got := len(regexpStringsByPath), len(errorsByPath); got != want {
-			t.Fatalf("wrong number of error-fields: expected %d, got %d:\nwanted:\n%sgot:\n%s",
-				want, got, renderByPath(regexpStringsByPath), renderByPath(errorsByPath))
-		}
-
-		// compile regexps
-		regexpsByPath := map[string][]*regexp.Regexp{}
-		for field, strs := range regexpStringsByPath {
-			regexps := make([]*regexp.Regexp, 0, len(strs))
-			for _, str := range strs {
-				regexps = append(regexps, regexp.MustCompile(str))
-			}
-			regexpsByPath[field] = regexps
-		}
-
-		for field := range errorsByPath {
-			errors := errorsByPath[field]
-			regexps := regexpsByPath[field]
-
-			// sanity check
-			if want, got := len(regexps), len(errors); got != want {
-				t.Fatalf("field %q: wrong number of errors: expected %d, got %d:\nwanted:\n%sgot:\n%s",
-					field, want, got, renderList(regexpStringsByPath[field]), renderList(errors))
-			}
-
-			// build a set of errors and expectations, so we can track them,
-			expSet := sets.New(regexps...)
-
-			for _, err := range errors {
-				var found *regexp.Regexp
-				for _, re := range regexps {
-					if re.MatchString(err) {
-						found = re
-						break // done with regexps
-					}
-				}
-				if found != nil {
-					expSet.Delete(found)
-					continue // next error
-				}
-				t.Errorf("field %q, error %q did not match any expectation", field, err)
-			}
-			if len(expSet) != 0 {
-				t.Errorf("field %q had unsatisfied expectations: %q", field, expSet.UnsortedList())
-			}
-		}
-	})
-	return v
-}
-
+// ExpectMatches compares the expected errors with the actual errors returned
+// by the validation, using the provided ErrorMatcher. Tests which are trying
+// to prove that a use-case of validation (e.g. testing pod validation)
+// produces the expected errors should use this method.
 func (v *ValidationTester) ExpectMatches(matcher field.ErrorMatcher, expected field.ErrorList) *ValidationTester {
 	v.Helper()
 
@@ -428,90 +372,9 @@ func (v *ValidationTester) ExpectMatches(matcher field.ErrorMatcher, expected fi
 	return v
 }
 
-func (v *ValidationTester) getErrorsByPath() map[string][]string {
-	byPath := map[string][]string{}
-	errs := v.validate()
-	for _, e := range errs {
-		f := e.Field
-		if f == "<nil>" {
-			f = ""
-		}
-		byPath[f] = append(byPath[f], e.ErrorBody())
-	}
-	// ensure args are sorted
-	for _, args := range byPath {
-		sort.Strings(args)
-	}
-	return byPath
-}
-
-func renderByPath(byPath map[string][]string) string {
-	keys := []string{}
-	for key := range byPath {
-		keys = append(keys, key)
-	}
-	sort.Strings(keys)
-
-	for _, vals := range byPath {
-		sort.Strings(vals)
-	}
-
-	buf := strings.Builder{}
-	for _, key := range keys {
-		vals := byPath[key]
-		for _, val := range vals {
-			buf.WriteString(fmt.Sprintf("\t%s: %q\n", key, val))
-		}
-	}
-	return buf.String()
-}
-
-func renderList(list []string) string {
-	buf := strings.Builder{}
-	for _, item := range list {
-		buf.WriteString(fmt.Sprintf("\t%q\n", item))
-	}
-	return buf.String()
-}
-
-func (v *ValidationTester) expectInvalid(matcher matcher, errs ...*field.Error) *ValidationTester {
-	v.T.Helper()
-
-	v.T.Run(fmt.Sprintf("%T", v.value), func(t *testing.T) {
-		t.Helper()
-
-		want := sets.New[string]()
-		for _, e := range errs {
-			want.Insert(matcher(e))
-		}
-
-		got := sets.New[string]()
-		for _, e := range v.validate() {
-			got.Insert(matcher(e))
-		}
-		if !got.Equal(want) {
-			t.Errorf("validation errors differed from expected:\n%v\n", cmp.Diff(want, got, cmpopts.SortMaps(stdcmp.Less[string])))
-
-			for x := range got.Difference(want) {
-				fmt.Printf("%q,\n", strings.TrimPrefix(x, "forced failure: "))
-			}
-		}
-	})
-	return v
-}
-
-type matcher func(err *field.Error) string
-
-func byFullError(err *field.Error) string {
-	return err.Error()
-}
-
 func (v *ValidationTester) validate() field.ErrorList {
-	var errs field.ErrorList
-	if v.oldValue == nil {
-		errs = v.s.Validate(context.Background(), v.options, v.value, v.subresources...)
-	} else {
-		errs = v.s.ValidateUpdate(context.Background(), v.options, v.value, v.oldValue, v.subresources...)
+	if v.isUpdate {
+		return v.s.ValidateUpdate(context.Background(), v.options, v.value, v.oldValue, v.subresources...)
 	}
-	return errs
+	return v.s.Validate(context.Background(), v.options, v.value, v.subresources...)
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validation.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validation.go
index 830ed4dfb19f6..c755706edb66b 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validation.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validation.go
@@ -148,21 +148,60 @@ func (g *genValidations) GenerateType(c *generator.Context, t *types.Type, w io.
 
 // typeDiscoverer contains fields necessary to build graphs of types.
 type typeDiscoverer struct {
-	validator  validators.Validator
-	inputToPkg map[string]string
+	initialized bool
+	validator   validators.Validator
+	inputToPkg  map[string]string
+
+	// constantsByType holds a map of type to constants of that type.
+	constantsByType map[*types.Type][]*validators.Constant
 
 	// typeNodes holds a map of gengo Type to typeNode for all of the types
 	// encountered during discovery.
 	typeNodes map[*types.Type]*typeNode
 }
 
-// NewTypeDiscoverer creates and initializes a NewTypeDiscoverer.
+// NewTypeDiscoverer creates a NewTypeDiscoverer.
+// Init must be called before calling DiscoverType.
 func NewTypeDiscoverer(validator validators.Validator, inputToPkg map[string]string) *typeDiscoverer {
 	return &typeDiscoverer{
-		validator:  validator,
-		inputToPkg: inputToPkg,
-		typeNodes:  map[*types.Type]*typeNode{},
+		validator:       validator,
+		inputToPkg:      inputToPkg,
+		constantsByType: map[*types.Type][]*validators.Constant{},
+		typeNodes:       map[*types.Type]*typeNode{},
+	}
+}
+
+// Init uses the generator context to prepare for type discovery.
+func (td *typeDiscoverer) Init(c *generator.Context) error {
+	packages := c.Universe
+	for _, pkg := range packages {
+		// We only care about packages we are generating for or are readonly.
+		if _, ok := td.inputToPkg[pkg.Path]; !ok {
+			continue
+		}
+		for _, cnst := range pkg.Constants {
+			context := validators.Context{
+				Scope:      validators.ScopeConst,
+				Type:       cnst.Underlying,
+				Path:       nil, // NA when discovering a constant
+				Member:     nil, // NA when discovering a constant
+				ParentPath: nil, // NA when discovering a constant
+			}
+			tgs, err := td.validator.ExtractTags(context, cnst.CommentLines)
+			if err != nil {
+				return fmt.Errorf("constant %s: %w", cnst.Name, err)
+			}
+			if len(tgs) > 0 {
+				// Also check that the tgs are valid.
+				if _, err := td.validator.ExtractValidations(context, tgs...); err != nil {
+					return fmt.Errorf("constant %s: %w", cnst.Name, err)
+				}
+			}
+			td.constantsByType[cnst.Underlying] = append(td.constantsByType[cnst.Underlying], &validators.Constant{Constant: cnst, Tags: tgs})
+		}
 	}
+	td.initialized = true
+	return nil
 }
 
 // childNode represents a type which is used in another type (e.g. a struct
@@ -210,6 +249,9 @@ type typeNode struct {
 // typeDiscoverer.  If this is called multiple times for different types, the
 // graphs will be will be merged.
 func (td *typeDiscoverer) DiscoverType(t *types.Type) error {
+	if !td.initialized {
+		return fmt.Errorf("typeDiscoverer not initialized")
+	}
 	if t.Kind == types.Pointer {
 		return fmt.Errorf("type %v: pointer root-types are not supported", t)
 	}
@@ -349,11 +391,14 @@ func (td *typeDiscoverer) discoverType(t *types.Type, fldPath *field.Path) (*typ
 		if fldPath.String() != t.String() {
 			panic(fmt.Sprintf("path for type != the type name: %s, %s", t.String(), fldPath.String()))
 		}
+		consts := td.constantsByType[t]
 		context := validators.Context{
 			Scope:      validators.ScopeType,
 			Type:       t,
-			ParentPath: nil,
 			Path:       fldPath,
+			Member:     nil, // NA when discovering a type
+			ParentPath: nil, // NA when discovering a type
+			Constants:  consts,
 		}
 		extractedTags, err := td.validator.ExtractTags(context, t.CommentLines)
 		if err != nil {
@@ -406,7 +451,8 @@ func (td *typeDiscoverer) discoverType(t *types.Type, fldPath *field.Path) (*typ
 						// Note: the first argument to Function() is really
 						// only for debugging.
 						v, err := validators.ForEachVal(fldPath, thisNode.valueType,
-							validators.Function("iterateListValues", validators.DefaultFlags, funcName))
+							validators.Function("iterateListValues", validators.DefaultFlags, funcName).
+								WithComment("iterate the list and call the type's validation function"))
 						if err != nil {
 							return nil, fmt.Errorf("generating list iteration: %w", err)
 						} else {
@@ -437,7 +483,8 @@ func (td *typeDiscoverer) discoverType(t *types.Type, fldPath *field.Path) (*typ
 						// Note: the first argument to Function() is really
 						// only for debugging.
 						v, err := validators.ForEachKey(fldPath, underlying.childType,
-							validators.Function("iterateMapKeys", validators.DefaultFlags, funcName))
+							validators.Function("iterateMapKeys", validators.DefaultFlags, funcName).
+								WithComment("iterate the map and call the key type's validation function"))
 						if err != nil {
 							return nil, fmt.Errorf("generating map key iteration: %w", err)
 						} else {
@@ -467,7 +514,8 @@ func (td *typeDiscoverer) discoverType(t *types.Type, fldPath *field.Path) (*typ
 						// Note: the first argument to Function() is really
 						// only for debugging.
 						v, err := validators.ForEachVal(fldPath, underlying.childType,
-							validators.Function("iterateMapValues", validators.DefaultFlags, funcName))
+							validators.Function("iterateMapValues", validators.DefaultFlags, funcName).
+								WithComment("iterate the map and call the value type's validation function"))
 						if err != nil {
 							return nil, fmt.Errorf("generating map value iteration: %w", err)
 						} else {
@@ -559,8 +607,14 @@ func (td *typeDiscoverer) discoverStruct(thisNode *typeNode, fldPath *field.Path
 			jsonName = commentTags.Name
 		}
 
+		var childPath *field.Path
+		if jsonName != "" {
+			childPath = fldPath.Child(jsonName)
+		} else {
+			childPath = fldPath.Child(name)
+		}
+
 		// Discover the field type.
-		childPath := fldPath.Child(name)
 		klog.V(5).InfoS("field", "name", name, "jsonName", jsonName, "type", memb.Type, "path", childPath)
 		childType := memb.Type
 		var child *childNode
@@ -579,9 +633,9 @@ func (td *typeDiscoverer) discoverStruct(thisNode *typeNode, fldPath *field.Path
 		context := validators.Context{
 			Scope:      validators.ScopeField,
 			Type:       childType,
-			ParentPath: fldPath,
-			Member:     &memb,
 			Path:       childPath,
+			Member:     &memb,
+			ParentPath: fldPath,
 		}
 
 		tags, err := td.validator.ExtractTags(context, memb.CommentLines)
@@ -650,7 +704,8 @@ func (td *typeDiscoverer) discoverStruct(thisNode *typeNode, fldPath *field.Path
 					// Note: the first argument to Function() is really
 					// only for debugging.
 					v, err := validators.ForEachVal(childPath, childType,
-						validators.Function("iterateListValues", validators.DefaultFlags, funcName))
+						validators.Function("iterateListValues", validators.DefaultFlags, funcName).
+							WithComment("iterate the list and call the type's validation function"))
 					if err != nil {
 						return fmt.Errorf("generating list iteration: %w", err)
 					} else {
@@ -681,7 +736,8 @@ func (td *typeDiscoverer) discoverStruct(thisNode *typeNode, fldPath *field.Path
 					// Note: the first argument to Function() is really
 					// only for debugging.
 					v, err := validators.ForEachKey(childPath, childType,
-						validators.Function("iterateMapKeys", validators.DefaultFlags, funcName))
+						validators.Function("iterateMapKeys", validators.DefaultFlags, funcName).
+							WithComment("iterate the map and call the key type's validation function"))
 					if err != nil {
 						return fmt.Errorf("generating map key iteration: %w", err)
 					} else {
@@ -711,7 +767,8 @@ func (td *typeDiscoverer) discoverStruct(thisNode *typeNode, fldPath *field.Path
 					// Note: the first argument to Function() is really
 					// only for debugging.
 					v, err := validators.ForEachVal(childPath, childType,
-						validators.Function("iterateMapValues", validators.DefaultFlags, funcName))
+						validators.Function("iterateMapValues", validators.DefaultFlags, funcName).
+							WithComment("iterate the map and call the value type's validation function"))
 					if err != nil {
 						return fmt.Errorf("generating map value iteration: %w", err)
 					} else {
@@ -834,6 +891,7 @@ func (g *genValidations) emitRegisterFunction(c *generator.Context, schemeRegist
 
 		// This uses a typed nil pointer, rather than a real instance because
 		// we need the type information, but not an instance of the type.
+		sw.Do("// type $.rootType|name$\n", targs)
 		sw.Do("scheme.AddValidationFunc(", targs)
 		sw.Do("    ($.typePfx$$.rootType|raw$)(nil), ", targs)
 		sw.Do("    func(ctx $.context.Context$, op $.operation.Operation|raw$, obj, oldObj interface{}) $.field.ErrorList|raw$ {\n", targs)
@@ -903,6 +961,8 @@ func (g *genValidations) emitValidationFunction(c *generator.Context, t *types.T
 	if node == nil {
 		panic(fmt.Sprintf("found nil node for root-type %v", t))
 	}
+	sw.Do("// $.inType|objectvalidationfn$ validates an instance of $.inType|name$ according\n", targs)
+	sw.Do("// to declarative validation rules in the API schema.\n", targs)
 	sw.Do("func $.inType|objectvalidationfn$(", targs)
 	sw.Do("    ctx $.context.Context|raw$, ", targs)
 	sw.Do("    op $.operation.Operation|raw$, ", targs)
@@ -946,9 +1006,7 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 		default:
 			panic(fmt.Sprintf("unexpected type-validations on type %v, kind %s", thisNode.valueType, thisNode.valueType.Kind))
 		}
-		sw.Do("// type $.inType|raw$\n", targs)
 		emitComments(validations.Comments, sw)
-		emitRatchetingCheck(c, thisNode.valueType, sw)
 		emitCallsToValidators(c, validations.Functions, sw)
 		if thisNode.valueType.Kind == types.Alias {
 			underlyingNode := thisNode.underlying.node
@@ -1000,13 +1058,59 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 			buf := bytes.NewBuffer(nil)
 			bufsw := sw.Dup(buf)
 
+			// On ratcheting checks:
+			//
+			// We emit ratcheting checks ONLY for struct fields and ONLY when
+			// that field has some validations to call.
+			//
+			// We DO NOT emit ratchet checks inside type-specific validation
+			// functions, because that leads to repeated ratchet checking which
+			// is almost never useful work (keep reading).
+			//
+			// The consequence of this is that a caller of a type's validation
+			// function is assumed to have already done a ratchet check (which
+			// is true for all generated code (except root types, keep
+			// reading)). For struct types (our most common case), the type's
+			// function will do ratchet checks on each sub-field anyway.
+			//
+			// This leaves one case where validation is executed unilaterally:
+			// non-pre-checked calls of validation functions for types which have
+			// type-attached validations.  This can happen in two cases:
+			//   1. an external caller of a type's validation function
+			//   2. the generated register function for a package which calls a
+			//      root-type's validation function
+			//
+			// TODO: We are leaving this as a problem for the future. If we
+			// find that we have a root type which has type-attached validation
+			// AND that validation is being ratcheted, then we will need to
+			// address this. Some options:
+			//   1. emit a ratchet check in the package's register function
+			//   2. emit a ratchet check in the type's validation function
+			//      (IFF it has type-attached validation, perhaps only for root
+			//      types)
+			//   3. emit both "safe" (ratchet check the whole object) and
+			//      "fast" (assume the object was already ratchet checked)
+			//      forms of each type's validation function, so that the
+			//      generated code can call the "fast" form while external code
+			//      calls the "safe" form.
+			//   4. implement depth-first traversal of validation, where each
+			//      function returns an additional bool indicating "something
+			//      changed", which gets propagated up the caller to decide if
+			//      it needs to do higher-level validations (e.g. if any field
+			//      in a struct changes, the struct's type-attached validations
+			//      need to be executed, but if no fields changed they can be
+			//      skipped).
+
 			validations := fld.fieldValidations
 			fldRatchetingChecked := false
 			if !validations.Empty() {
 				emitComments(validations.Comments, bufsw)
-				emitRatchetingCheck(c, fld.childType, bufsw)
-				emitCallsToValidators(c, validations.Functions, bufsw)
-				fldRatchetingChecked = true
+				if len(validations.Functions) > 0 {
+					emitRatchetingCheck(c, fld.childType, bufsw)
+					fldRatchetingChecked = true
+					bufsw.Do("// call field-attached validations\n", nil)
+					emitCallsToValidators(c, validations.Functions, bufsw)
+				}
 			}
 
 			// If the node is nil, this must be a type in a package we are not
@@ -1015,18 +1119,29 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 				// Get to the real type.
 				switch fld.node.valueType.Kind {
 				case types.Alias, types.Struct:
-					// If this field is another type, call its validation function.
-					g.emitCallToOtherTypeFunc(c, fld.node, bufsw)
+					// If this field is another type, we may need to call its
+					// validation function. If it has no validations
+					// (transitively) then we don't need to do anything.
+					if g.hasValidations(fld.node) {
+						if !fldRatchetingChecked {
+							emitRatchetingCheck(c, fld.childType, bufsw)
+							fldRatchetingChecked = true
+						}
+						g.emitCallToOtherTypeFunc(c, fld.node, bufsw)
+					}
 				case types.Slice:
 					// If this field is a list and the value-type has
 					// validations, call its validation function.
 					if validations := fld.fieldValIterations; g.hasValidations(fld.node.elem.node) && !validations.Empty() {
 						emitComments(validations.Comments, bufsw)
-						if !fldRatchetingChecked {
-							emitRatchetingCheck(c, fld.childType, bufsw)
-							fldRatchetingChecked = true
+						if len(validations.Functions) > 0 {
+							if !fldRatchetingChecked {
+								emitRatchetingCheck(c, fld.childType, bufsw)
+								fldRatchetingChecked = true
+							}
+							emitCallsToValidators(c, validations.Functions, bufsw)
 						}
-						emitCallsToValidators(c, validations.Functions, bufsw)
+
 					}
 					// Descend into this field.
 					g.emitValidationForChild(c, fld, bufsw)
@@ -1035,21 +1150,25 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 					// validations, call its validation function.
 					if validations := fld.fieldKeyIterations; g.hasValidations(fld.node.key.node) && !validations.Empty() {
 						emitComments(validations.Comments, bufsw)
-						if !fldRatchetingChecked {
-							emitRatchetingCheck(c, fld.childType, bufsw)
-							fldRatchetingChecked = true
+						if len(validations.Functions) > 0 {
+							if !fldRatchetingChecked {
+								emitRatchetingCheck(c, fld.childType, bufsw)
+								fldRatchetingChecked = true
+							}
+							emitCallsToValidators(c, validations.Functions, bufsw)
 						}
-						emitCallsToValidators(c, validations.Functions, bufsw)
 					}
 					// If this field is a map and the value-type has
 					// validations, call its validation function.
 					if validations := fld.fieldValIterations; g.hasValidations(fld.node.elem.node) && !validations.Empty() {
 						emitComments(validations.Comments, bufsw)
-						if !fldRatchetingChecked {
-							emitRatchetingCheck(c, fld.childType, bufsw)
-							fldRatchetingChecked = true
+						if len(validations.Functions) > 0 {
+							if !fldRatchetingChecked {
+								emitRatchetingCheck(c, fld.childType, bufsw)
+								fldRatchetingChecked = true
+							}
+							emitCallsToValidators(c, validations.Functions, bufsw)
 						}
-						emitCallsToValidators(c, validations.Functions, bufsw)
 					}
 					// Descend into this field.
 					g.emitValidationForChild(c, fld, bufsw)
@@ -1074,7 +1193,7 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 				}
 				sw.Do("// field $.inType|raw$.$.fieldName$\n", targs)
 				sw.Do("errs = append(errs,\n", targs)
-				sw.Do("  func(fldPath *$.field.Path|raw$, obj, oldObj $.fieldTypePfx$$.fieldType|raw$) (errs $.field.ErrorList|raw$) {\n", targs)
+				sw.Do("  func(fldPath *$.field.Path|raw$, obj, oldObj $.fieldTypePfx$$.fieldType|raw$, oldValueCorrelated bool) (errs $.field.ErrorList|raw$) {\n", targs)
 				if err := sw.Merge(buf, bufsw); err != nil {
 					panic(fmt.Sprintf("failed to merge buffer: %v", err))
 				}
@@ -1088,10 +1207,28 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 					sw.Do("$.safe.Value|raw$(fldPath, func() *$.field.Path|raw$ { return fldPath.Child(\"$.fieldType|raw$\") }), ", targs)
 				}
 				sw.Do("    $.fieldExprPfx$obj.$.fieldName$, ", targs)
+				// safe.Field returns a nil if the old object does not have a correlatable
+				// value, such as a map.
+				// This is ambiguous with the case where the field exists and is nil.
+				// This ambiguity is a problem for ratcheting, which needs to distinguish
+				// these cases. For example, if a required field is removed from a map,
+				// safe.Field will return nil for the old value, and the new value is also
+				// nil (because it doesn't exist). Ratcheting would normally allow this,
+				// but it's a validation failure because a required field is missing.
+				//
+				// To solve this, we pass an extra boolean parameter to the validation
+				// function, indicating whether the old value was correlated. If the old
+				// value was uncorrelated, it means the field was not present in the old
+				// object, and we should not apply ratcheting logic. `oldObj != nil`
+				// provides this bit of information.
+				//
+				// This bit is not currently propagated down to deeper levels of
+				// validation, but since the code generator only ever looks one level
+				// down, this is sufficient for now.
 				sw.Do("    $.safe.Field|raw$(oldObj, ", targs)
 				sw.Do("        func(oldObj *$.inType|raw$) $.fieldTypePfx$$.fieldType|raw$ {", targs)
 				sw.Do("            return $.fieldExprPfx$oldObj.$.fieldName$", targs)
-				sw.Do("        }),", targs)
+				sw.Do("        }), oldObj != nil", targs)
 				sw.Do("    )...)\n", targs)
 				sw.Do("\n", nil)
 			} else {
@@ -1114,15 +1251,10 @@ func (g *genValidations) emitValidationForChild(c *generator.Context, thisChild
 // variables named "obj" and "oldObj", and the field path to this value is
 // named "fldPath".
 func (g *genValidations) emitCallToOtherTypeFunc(c *generator.Context, node *typeNode, sw *generator.SnippetWriter) {
-	// If this type has no validations (transitively) then we don't need to do
-	// anything.
-	if !g.hasValidations(node) {
-		return
-	}
-
 	targs := generator.Args{
 		"funcName": c.Universe.Type(node.funcName),
 	}
+	sw.Do("// call the type's validation function\n", nil)
 	sw.Do("errs = append(errs, $.funcName|raw$(ctx, op, fldPath, obj, oldObj)...)\n", targs)
 }
 
@@ -1132,6 +1264,7 @@ func emitRatchetingCheck(c *generator.Context, t *types.Type, sw *generator.Snip
 	targs := generator.Args{
 		"operation": mkSymbolArgs(c, operationPkgSymbols),
 	}
+	sw.Do("// don't revalidate unchanged data\n", nil)
 	// If the type is a builtin, we can use a simpler equality check when they are not nil.
 	if util.IsDirectComparable(util.NonPointer(util.NativeType(t))) {
 		// We should never get anything but pointers here, since every other
@@ -1142,12 +1275,12 @@ func emitRatchetingCheck(c *generator.Context, t *types.Type, sw *generator.Snip
 		// - obj != nil : handle optional fields which are updated to nil
 		// - oldObj != nil : handle optional fields which are updated from nil
 		// - *obj == *oldObj : compare values
-		sw.Do("if op.Type == $.operation.Update|raw$ && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {\n", targs)
+		sw.Do("if oldValueCorrelated && op.Type == $.operation.Update|raw$ && (obj == oldObj || (obj != nil && oldObj != nil && *obj == *oldObj)) {\n", targs)
 	} else {
 		targs["equality"] = mkSymbolArgs(c, equalityPkgSymbols)
-		sw.Do("if op.Type == $.operation.Update|raw$ && $.equality.Semantic|raw$.DeepEqual(obj, oldObj) {\n", targs)
+		sw.Do("if oldValueCorrelated && op.Type == $.operation.Update|raw$ && $.equality.Semantic|raw$.DeepEqual(obj, oldObj) {\n", targs)
 	}
-	sw.Do("   return nil // no changes\n", nil)
+	sw.Do("   return nil\n", nil)
 	sw.Do("}\n", nil)
 }
 
@@ -1165,106 +1298,172 @@ func emitRatchetingCheck(c *generator.Context, t *types.Type, sw *generator.Snip
 // variables named "obj" and "oldObj", and the field path to this value is
 // named "fldPath".
 func emitCallsToValidators(c *generator.Context, validations []validators.FunctionGen, sw *generator.SnippetWriter) {
-	// Helper func
-	sort := func(in []validators.FunctionGen) []validators.FunctionGen {
-		sooner := make([]validators.FunctionGen, 0, len(in))
-		later := make([]validators.FunctionGen, 0, len(in))
+	// Group and sort the inputs.
+	cohorts := sortIntoCohorts(validations)
 
-		for _, fg := range in {
-			isShortCircuit := (fg.Flags.IsSet(validators.ShortCircuit))
+	for _, validations := range cohorts {
+		cohortName := validations[0].Cohort
+		if cohortName != "" {
+			sw.Do("func() { // cohort $.$\n", cohortName)
+		}
 
-			if isShortCircuit {
-				sooner = append(sooner, fg)
-			} else {
-				later = append(later, fg)
+		hasShortCircuits := false
+		lastShortCircuitIdx := -1
+		for i, v := range validations {
+			if v.Flags.IsSet(validators.ShortCircuit) {
+				hasShortCircuits = true
+				lastShortCircuitIdx = i
 			}
 		}
-		result := sooner
-		result = append(result, later...)
-		return result
-	}
 
-	validations = sort(validations)
+		if hasShortCircuits {
+			sw.Do("earlyReturn := false\n", nil)
+		}
 
-	for _, v := range validations {
-		isShortCircuit := v.Flags.IsSet(validators.ShortCircuit)
-		isNonError := v.Flags.IsSet(validators.NonError)
+		for i, v := range validations {
+			isShortCircuit := v.Flags.IsSet(validators.ShortCircuit)
+			isNonError := v.Flags.IsSet(validators.NonError)
 
-		targs := generator.Args{
-			"funcName": c.Universe.Type(v.Function),
-			"field":    mkSymbolArgs(c, fieldPkgSymbols),
-		}
+			targs := generator.Args{
+				"funcName": c.Universe.Type(v.Function),
+				"field":    mkSymbolArgs(c, fieldPkgSymbols),
+			}
 
-		emitCall := func() {
-			sw.Do("$.funcName|raw$", targs)
-			if typeArgs := v.TypeArgs; len(typeArgs) > 0 {
-				sw.Do("[", nil)
-				for i, typeArg := range typeArgs {
-					sw.Do("$.|raw$", c.Universe.Type(typeArg))
-					if i < len(typeArgs)-1 {
-						sw.Do(",", nil)
+			emitCall := func() {
+				sw.Do("$.funcName|raw$", targs)
+				if typeArgs := v.TypeArgs; len(typeArgs) > 0 {
+					sw.Do("[", nil)
+					for i, typeArg := range typeArgs {
+						sw.Do("$.|raw$", c.Universe.Type(typeArg))
+						if i < len(typeArgs)-1 {
+							sw.Do(",", nil)
+						}
 					}
+					sw.Do("]", nil)
+				}
+				sw.Do("(ctx, op, fldPath, obj, oldObj", targs)
+				for _, arg := range v.Args {
+					sw.Do(", ", nil)
+					toGolangSourceDataLiteral(sw, c, arg)
 				}
-				sw.Do("]", nil)
+				sw.Do(")", targs)
 			}
-			sw.Do("(ctx, op, fldPath, obj, oldObj", targs)
-			for _, arg := range v.Args {
-				sw.Do(", ", nil)
-				toGolangSourceDataLiteral(sw, c, arg)
+
+			// If validation is conditional, wrap the validation function with a conditions check.
+			if !v.Conditions.Empty() {
+				emitBaseFunction := emitCall
+				emitCall = func() {
+					sw.Do("func() $.field.ErrorList|raw$ {\n", targs)
+					sw.Do("  if ", nil)
+					firstCondition := true
+					if len(v.Conditions.OptionEnabled) > 0 {
+						sw.Do("op.HasOption($.$)", strconv.Quote(v.Conditions.OptionEnabled))
+						firstCondition = false
+					}
+					if len(v.Conditions.OptionDisabled) > 0 {
+						if !firstCondition {
+							sw.Do(" && ", nil)
+						}
+						sw.Do("!op.HasOption($.$)", strconv.Quote(v.Conditions.OptionDisabled))
+					}
+					sw.Do(" {\n", nil)
+					sw.Do("    return ", nil)
+					emitBaseFunction()
+					sw.Do("\n", nil)
+					sw.Do("  } else {\n", nil)
+					sw.Do("    return nil // skip validation\n", nil)
+					sw.Do("  }\n", nil)
+					sw.Do("}()", nil)
+				}
 			}
-			sw.Do(")", targs)
-		}
-
-		// If validation is conditional, wrap the validation function with a conditions check.
-		if !v.Conditions.Empty() {
-			emitBaseFunction := emitCall
-			emitCall = func() {
-				sw.Do("func() $.field.ErrorList|raw$ {\n", targs)
-				sw.Do("  if ", nil)
-				firstCondition := true
-				if len(v.Conditions.OptionEnabled) > 0 {
-					sw.Do("op.HasOption($.$)", strconv.Quote(v.Conditions.OptionEnabled))
-					firstCondition = false
+
+			for _, comment := range v.Comments {
+				sw.Do("// $.$\n", comment)
+			}
+			if isShortCircuit {
+				sw.Do("if e := ", nil)
+				emitCall()
+				sw.Do("; len(e) != 0 {\n", nil)
+				if !isNonError {
+					sw.Do("  errs = append(errs, e...)\n", nil)
 				}
-				if len(v.Conditions.OptionDisabled) > 0 {
-					if !firstCondition {
-						sw.Do(" && ", nil)
-					}
-					sw.Do("!op.HasOption($.$)", strconv.Quote(v.Conditions.OptionDisabled))
+				sw.Do("  earlyReturn = true\n", nil)
+				sw.Do("}\n", nil)
+
+				// Check for early return ONLY after the LAST short-circuit
+				if hasShortCircuits && i == lastShortCircuitIdx {
+					sw.Do("if earlyReturn {\n", nil)
+					sw.Do("  return // do not proceed\n", nil)
+					sw.Do("}\n", nil)
+				}
+			} else {
+				if isNonError {
+					emitCall()
+				} else {
+					sw.Do("errs = append(errs, ", nil)
+					emitCall()
+					sw.Do("...)\n", nil)
 				}
-				sw.Do(" {\n", nil)
-				sw.Do("    return ", nil)
-				emitBaseFunction()
-				sw.Do("\n", nil)
-				sw.Do("  } else {\n", nil)
-				sw.Do("    return nil // skip validation\n", nil)
-				sw.Do("  }\n", nil)
-				sw.Do("}()", nil)
 			}
 		}
+		if cohortName != "" {
+			sw.Do("}()\n", nil)
+		}
+	}
+}
 
-		for _, comment := range v.Comments {
-			sw.Do("// $.$\n", comment)
-		}
-		if isShortCircuit {
-			sw.Do("if e := ", nil)
-			emitCall()
-			sw.Do("; len(e) != 0 {\n", nil)
-			if !isNonError {
-				sw.Do("errs = append(errs, e...)\n", nil)
+// sortIntoCohorts groups the inputs into a list of cohorts. Within each
+// cohort, function calls are sorted such that short-circuiting function
+// calls are handled before others. The first cohort is always the
+// default cohort (named "") if it exists. Other cohorts are returned in
+// the order they were defined in the input.
+func sortIntoCohorts(in []validators.FunctionGen) [][]validators.FunctionGen {
+	defaultCohort := make([]validators.FunctionGen, 0, len(in))
+	namedCohorts := map[string][]validators.FunctionGen{}
+	idx := make([]string, 0, len(in))
+	for _, fg := range in {
+		key := fg.Cohort
+		if key == "" {
+			defaultCohort = append(defaultCohort, fg)
+		} else {
+			if !slices.Contains(idx, key) {
+				idx = append(idx, key)
 			}
-			sw.Do("    return // do not proceed\n", nil)
-			sw.Do("}\n", nil)
+			namedCohorts[key] = append(namedCohorts[key], fg)
+		}
+	}
+	if len(defaultCohort) > 0 {
+		idx = append([]string{""}, idx...)
+	}
+	// NOTE: we do not sort cohorts by name, because we want to preserve
+	// their definition order.
+
+	result := make([][]validators.FunctionGen, 0, len(in))
+	for _, key := range idx {
+		var cohort []validators.FunctionGen
+		if key == "" {
+			cohort = defaultCohort
 		} else {
-			if isNonError {
-				emitCall()
+			cohort = namedCohorts[key]
+		}
+
+		sooner := make([]validators.FunctionGen, 0, len(cohort))
+		later := make([]validators.FunctionGen, 0, len(cohort))
+
+		for _, fg := range cohort {
+			isShortCircuit := (fg.Flags.IsSet(validators.ShortCircuit))
+
+			if isShortCircuit {
+				sooner = append(sooner, fg)
 			} else {
-				sw.Do("errs = append(errs, ", nil)
-				emitCall()
-				sw.Do("...)\n", nil)
+				later = append(later, fg)
 			}
 		}
+		sorted := sooner
+		sorted = append(sorted, later...)
+		result = append(result, sorted)
 	}
+	return result
 }
 
 func emitComments(comments []string, sw *generator.SnippetWriter) {
@@ -1286,33 +1485,13 @@ func (g *genValidations) emitValidationVariables(c *generator.Context, t *types.
 			return cmp.Compare(a.Variable.Name, b.Variable.Name)
 		})
 		for _, variable := range variables {
-			fn := variable.InitFunc
 			targs := generator.Args{
 				"varName": c.Universe.Type(types.Name(variable.Variable)),
-				"initFn":  c.Universe.Type(fn.Function),
-			}
-			for _, comment := range fn.Comments {
-				sw.Do("// $.$\n", comment)
-			}
-			sw.Do("var $.varName|private$ = $.initFn|raw$", targs)
-			if typeArgs := fn.TypeArgs; len(typeArgs) > 0 {
-				sw.Do("[", nil)
-				for i, typeArg := range typeArgs {
-					sw.Do("$.|raw$", c.Universe.Type(typeArg))
-					if i < len(typeArgs)-1 {
-						sw.Do(",", nil)
-					}
-				}
-				sw.Do("]", nil)
 			}
-			sw.Do("(", targs)
-			for i, arg := range fn.Args {
-				if i != 0 {
-					sw.Do(", ", nil)
-				}
-				toGolangSourceDataLiteral(sw, c, arg)
-			}
-			sw.Do(")\n", nil)
+
+			sw.Do("var $.varName|private$ = ", targs)
+			toGolangSourceDataLiteral(sw, c, variable.Initializer)
+			sw.Do("\n", nil)
 		}
 	}
 	// TODO: Handle potential variable name collisions when multiple validators
@@ -1379,37 +1558,23 @@ func toGolangSourceDataLiteral(sw *generator.SnippetWriter, c *generator.Context
 				targs["objTypePfx"] = ""
 			}
 
-			emitCall := func() {
-				sw.Do("return $.funcName|raw$", targs)
-				typeArgs := v.Function.TypeArgs
-				if len(typeArgs) > 0 {
-					sw.Do("[", nil)
-					for i, typeArg := range typeArgs {
-						sw.Do("$.|raw$", c.Universe.Type(typeArg))
-						if i < len(typeArgs)-1 {
-							sw.Do(",", nil)
-						}
-					}
-					sw.Do("]", nil)
-				}
-				sw.Do("(ctx, op, fldPath, obj, oldObj", targs)
-				for _, arg := range extraArgs {
-					sw.Do(", ", nil)
-					toGolangSourceDataLiteral(sw, c, arg)
-				}
-				sw.Do(")", targs)
-			}
 			sw.Do("func(", targs)
 			sw.Do("    ctx $.context.Context|raw$, ", targs)
 			sw.Do("    op $.operation.Operation|raw$, ", targs)
 			sw.Do("    fldPath *$.field.Path|raw$, ", targs)
 			sw.Do("    obj, oldObj $.objTypePfx$$.objType|raw$ ", targs)
 			sw.Do(")    $.field.ErrorList|raw$ {\n", targs)
-			emitCall()
+			sw.Do("return ", nil)
+			emitFunctionCall(sw, c, v.Function, "ctx", "op", "fldPath", "obj", "oldObj")
 			sw.Do("\n}", targs)
 		}
 	case validators.Literal:
 		sw.Do("$.$", v)
+	case validators.FunctionGen:
+		for _, comment := range v.Comments {
+			sw.Do("// $.$\\n", comment)
+		}
+		emitFunctionCall(sw, c, v)
 	case validators.FunctionLiteral:
 		sw.Do("func(", nil)
 		for i, param := range v.Parameters {
@@ -1440,10 +1605,55 @@ func toGolangSourceDataLiteral(sw *generator.SnippetWriter, c *generator.Context
 			sw.Do(")", nil)
 		}
 		sw.Do(" { $.$ }", v.Body)
+	case validators.StructLiteral:
+		targs := generator.Args{
+			"type": c.Universe.Type(v.Type),
+		}
+		sw.Do("$.type|raw$", targs)
+		if len(v.TypeArgs) > 0 {
+			sw.Do("[", nil)
+			for i, typeArg := range v.TypeArgs {
+				if i > 0 {
+					sw.Do(", ", nil)
+				}
+				sw.Do("$.|raw$", typeArg)
+			}
+			sw.Do("]", nil)
+		}
+		sw.Do("{\n", nil)
+		for _, f := range v.Fields {
+			sw.Do(f.Name, nil)
+			sw.Do(": ", nil)
+			toGolangSourceDataLiteral(sw, c, f.Value)
+			sw.Do(", ", nil)
+		}
+		sw.Do("}", targs)
+	case validators.SliceLiteral:
+		sw.Do("[]", nil)
+		targs := generator.Args{
+			"type": c.Universe.Type(v.ElementType),
+		}
+		sw.Do("$.type|raw$", targs)
+		if len(v.ElementTypeArgs) > 0 {
+			sw.Do("[", nil)
+			for i, typeArg := range v.ElementTypeArgs {
+				if i > 0 {
+					sw.Do(", ", nil)
+				}
+				sw.Do("$.|raw$", typeArg)
+			}
+			sw.Do("]", nil)
+		}
+		sw.Do("{\n", nil)
+		for _, e := range v.Elements {
+			toGolangSourceDataLiteral(sw, c, e)
+			sw.Do(",\n", nil)
+		}
+		sw.Do("}", nil)
 	default:
 		rv := reflect.ValueOf(value)
 		switch rv.Kind() {
-		case reflect.Slice, reflect.Array:
+		case reflect.Array:
 			arraySize := ""
 			if rv.Kind() == reflect.Array {
 				arraySize = strconv.Itoa(rv.Len())
@@ -1472,6 +1682,37 @@ func toGolangSourceDataLiteral(sw *generator.SnippetWriter, c *generator.Context
 	}
 }
 
+func emitFunctionCall(sw *generator.SnippetWriter, c *generator.Context, v validators.FunctionGen, leadingArgs ...string) {
+	targs := generator.Args{
+		"funcName": c.Universe.Type(v.Function),
+	}
+	sw.Do("$.funcName|raw$", targs)
+	if typeArgs := v.TypeArgs; len(typeArgs) > 0 {
+		sw.Do("[", nil)
+		for i, typeArg := range typeArgs {
+			sw.Do("$.|raw$", c.Universe.Type(typeArg))
+			if i < len(typeArgs)-1 {
+				sw.Do(",", nil)
+			}
+		}
+		sw.Do("]", nil)
+	}
+	sw.Do("(", nil)
+	if len(leadingArgs) > 0 {
+		sw.Do(strings.Join(leadingArgs, ", "), nil)
+	}
+	if len(leadingArgs) > 0 && len(v.Args) > 0 {
+		sw.Do(", ", nil)
+	}
+	for i, arg := range v.Args {
+		if i != 0 {
+			sw.Do(", ", nil)
+		}
+		toGolangSourceDataLiteral(sw, c, arg)
+	}
+	sw.Do(")", nil)
+}
+
 // getLeafTypeAndPrefixes returns the "leaf value type" for a given type, as
 // well as type and expression prefix strings for the input type.  The type
 // prefix can be prepended to the given type's name to produce the nilable form
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validation_test.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validation_test.go
index 5debd0856e88a..5d53a9309a97f 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validation_test.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validation_test.go
@@ -17,8 +17,10 @@ limitations under the License.
 package main
 
 import (
+	"reflect"
 	"testing"
 
+	"k8s.io/code-generator/cmd/validation-gen/validators"
 	"k8s.io/gengo/v2/types"
 )
 
@@ -366,3 +368,111 @@ func TestGetLeafTypeAndPrefixes(t *testing.T) {
 		}
 	}
 }
+
+func TestSortIntoCohorts(t *testing.T) {
+	cases := []struct {
+		in       []validators.FunctionGen
+		expected [][]validators.FunctionGen
+	}{{
+		// empty
+		in:       []validators.FunctionGen{},
+		expected: [][]validators.FunctionGen{},
+	}, {
+		// default cohort
+		in: []validators.FunctionGen{
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		}},
+	}, {
+		// default cohort, not already sorted by name
+		in: []validators.FunctionGen{
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+		}},
+	}, {
+		// default cohort, with a short-circuit
+		in: []validators.FunctionGen{
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "b", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		}},
+	}, {
+		// default cohort, with 2 short-circuits
+		in: []validators.FunctionGen{
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "d", Cohort: "", Flags: validators.ShortCircuit},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "b", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "d", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "a", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		}},
+	}, {
+		// default and non-default cohorts
+		in: []validators.FunctionGen{
+			{TagName: "a", Cohort: "foo", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "bar", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "d", Cohort: "foo", Flags: validators.DefaultFlags},
+			{TagName: "e", Cohort: "bar", Flags: validators.DefaultFlags},
+			{TagName: "f", Cohort: "", Flags: validators.DefaultFlags},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "f", Cohort: "", Flags: validators.DefaultFlags},
+		}, {
+			{TagName: "a", Cohort: "foo", Flags: validators.DefaultFlags},
+			{TagName: "d", Cohort: "foo", Flags: validators.DefaultFlags},
+		}, {
+			{TagName: "b", Cohort: "bar", Flags: validators.DefaultFlags},
+			{TagName: "e", Cohort: "bar", Flags: validators.DefaultFlags},
+		}},
+	}, {
+		// default and non-default cohorts with short-circuit
+		in: []validators.FunctionGen{
+			{TagName: "a", Cohort: "foo", Flags: validators.DefaultFlags},
+			{TagName: "b", Cohort: "bar", Flags: validators.DefaultFlags},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+			{TagName: "d", Cohort: "foo", Flags: validators.ShortCircuit},
+			{TagName: "e", Cohort: "bar", Flags: validators.ShortCircuit},
+			{TagName: "f", Cohort: "", Flags: validators.ShortCircuit},
+		},
+		expected: [][]validators.FunctionGen{{
+			{TagName: "f", Cohort: "", Flags: validators.ShortCircuit},
+			{TagName: "c", Cohort: "", Flags: validators.DefaultFlags},
+		}, {
+			{TagName: "d", Cohort: "foo", Flags: validators.ShortCircuit},
+			{TagName: "a", Cohort: "foo", Flags: validators.DefaultFlags},
+		}, {
+			{TagName: "e", Cohort: "bar", Flags: validators.ShortCircuit},
+			{TagName: "b", Cohort: "bar", Flags: validators.DefaultFlags},
+		}},
+	}}
+
+	for _, tc := range cases {
+		out := sortIntoCohorts(tc.in)
+		if !reflect.DeepEqual(out, tc.expected) {
+			t.Errorf("expected %v, got %v", tc.expected, out)
+		}
+	}
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/each.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/each.go
index eae401f7ea212..4961f46d26dbc 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/each.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/each.go
@@ -18,7 +18,6 @@ package validators
 
 import (
 	"fmt"
-	"strings"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -28,10 +27,8 @@ import (
 )
 
 const (
-	listTypeTagName   = "k8s:listType"
-	ListMapKeyTagName = "k8s:listMapKey"
-	eachValTagName    = "k8s:eachVal"
-	eachKeyTagName    = "k8s:eachKey"
+	eachValTagName = "k8s:eachVal"
+	eachKeyTagName = "k8s:eachKey"
 )
 
 // We keep the eachVal and eachKey validators around because the main
@@ -41,37 +38,9 @@ var globalEachVal *eachValTagValidator
 var globalEachKey *eachKeyTagValidator
 
 func init() {
-	// Lists with list-map semantics are comprised of multiple tags, which need
-	// to share metadata about the list between them.
-	listMeta := map[string]*listMetadata{} // keyed by the field or type path
-
-	// Accumulate list metadata via tags.
-	RegisterTagValidator(listTypeTagValidator{byPath: listMeta})
-	RegisterTagValidator(listMapKeyTagValidator{byPath: listMeta})
-
-	// Finish work on the accumulated list metadata.
-	RegisterFieldValidator(listValidator{byPath: listMeta})
-	RegisterTypeValidator(listValidator{byPath: listMeta})
-
-	// List-map item validator uses shared listType and listMapKey information
-	itemMeta := make(map[string]*itemMetadata) // keyed by the fieldpath
-
-	// Accumulate item metadata via tags.
-	RegisterTagValidator(&itemTagValidator{byPath: itemMeta})
-
-	// Finish work on the accumulated item metadata.
-	RegisterTypeValidator(&itemValidator{
-		listByPath: listMeta,
-		itemByPath: itemMeta,
-	})
-	RegisterFieldValidator(&itemValidator{
-		listByPath: listMeta,
-		itemByPath: itemMeta,
-	})
-
 	// Iterating values of lists and maps is a special tag, which can be called
 	// directly by the code-generator logic.
-	globalEachVal = &eachValTagValidator{byPath: listMeta, validator: nil}
+	globalEachVal = &eachValTagValidator{byPath: globalListMeta, validator: nil}
 	RegisterTagValidator(globalEachVal)
 
 	// Iterating keys of maps is a special tag, which can be called directly by
@@ -80,291 +49,6 @@ func init() {
 	RegisterTagValidator(globalEachKey)
 }
 
-// This applies to all tags in this file.
-var listTagsValidScopes = sets.New(ScopeAny)
-
-// listMetadata collects information about a single list with map or set semantics.
-type listMetadata struct {
-	// These will be checked for correctness elsewhere.
-	declaredAsAtomic bool
-	declaredAsSet    bool
-	declaredAsMap    bool
-	keyFields        []string // iff declaredAsMap
-	keyNames         []string // iff declaredAsMap
-}
-
-// makeListMapMatchFunc generates a function that compares two list-map
-// elements by their list-map key fields.
-func (lm *listMetadata) makeListMapMatchFunc(t *types.Type) FunctionLiteral {
-	if !lm.declaredAsMap {
-		panic("makeListMapMatchFunc called on a non-map list")
-	}
-	// If no keys are defined, we will throw a good error later.
-
-	matchFn := FunctionLiteral{
-		Parameters: []ParamResult{{"a", t}, {"b", t}},
-		Results:    []ParamResult{{"", types.Bool}},
-	}
-	buf := strings.Builder{}
-	buf.WriteString("return ")
-	// Note: this does not handle pointer fields, which are not
-	// supposed to be used as listMap keys.
-	for i, fld := range lm.keyFields {
-		if i > 0 {
-			buf.WriteString(" && ")
-		}
-		buf.WriteString(fmt.Sprintf("a.%s == b.%s", fld, fld))
-	}
-	matchFn.Body = buf.String()
-	return matchFn
-}
-
-type listTypeTagValidator struct {
-	byPath map[string]*listMetadata
-}
-
-func (listTypeTagValidator) Init(Config) {}
-
-func (listTypeTagValidator) TagName() string {
-	return listTypeTagName
-}
-
-func (listTypeTagValidator) ValidScopes() sets.Set[Scope] {
-	return listTagsValidScopes
-}
-
-func (lttv listTypeTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
-	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
-	t := util.NativeType(context.Type)
-	if t.Kind != types.Slice && t.Kind != types.Array {
-		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
-	}
-
-	switch tag.Value {
-	case "atomic":
-		// We don't do much with atomic, but this ensures no conflicts between
-		// tags on typedefs and tags on fields which use those typedefs.
-		if lttv.byPath[context.Path.String()] == nil {
-			lttv.byPath[context.Path.String()] = &listMetadata{}
-		}
-		lm := lttv.byPath[context.Path.String()]
-		lm.declaredAsAtomic = true
-	case "set":
-		if lttv.byPath[context.Path.String()] == nil {
-			lttv.byPath[context.Path.String()] = &listMetadata{}
-		}
-		lm := lttv.byPath[context.Path.String()]
-		lm.declaredAsSet = true
-		// NOTE: we validate uniqueness in the listValidator.
-	case "map":
-		// NOTE: maps of pointers are not supported, so we should never see a pointer here.
-		if util.NativeType(t.Elem).Kind != types.Struct {
-			return Validations{}, fmt.Errorf("only lists of structs can be list-maps")
-		}
-
-		// Save the fact that this list is a map.
-		if lttv.byPath[context.Path.String()] == nil {
-			lttv.byPath[context.Path.String()] = &listMetadata{}
-		}
-		lm := lttv.byPath[context.Path.String()]
-		lm.declaredAsMap = true
-		// NOTE: we validate uniqueness of the keys in the listValidator.
-	default:
-		return Validations{}, fmt.Errorf("unknown list type %q", tag.Value)
-	}
-
-	// This tag doesn't generate any validations.  It just accumulates
-	// information for other tags to use.
-	return Validations{}, nil
-}
-
-func (lttv listTypeTagValidator) Docs() TagDoc {
-	doc := TagDoc{
-		Tag:         lttv.TagName(),
-		Scopes:      lttv.ValidScopes().UnsortedList(),
-		Description: "Declares a list field's semantic type.",
-		Payloads: []TagPayloadDoc{{
-			Description: "<type>",
-			Docs:        "atomic | map | set",
-		}},
-		PayloadsType:     codetags.ValueTypeString,
-		PayloadsRequired: true,
-	}
-	return doc
-}
-
-type listMapKeyTagValidator struct {
-	byPath map[string]*listMetadata
-}
-
-func (listMapKeyTagValidator) Init(Config) {}
-
-func (listMapKeyTagValidator) TagName() string {
-	return ListMapKeyTagName
-}
-
-func (listMapKeyTagValidator) ValidScopes() sets.Set[Scope] {
-	return listTagsValidScopes
-}
-
-func (lmktv listMapKeyTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
-	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
-	t := util.NativeType(context.Type)
-	if t.Kind != types.Slice && t.Kind != types.Array {
-		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
-	}
-	// NOTE: lists of pointers are not supported, so we should never see a pointer here.
-	if util.NativeType(t.Elem).Kind != types.Struct {
-		return Validations{}, fmt.Errorf("only lists of structs can be list-maps")
-	}
-
-	var fieldName string
-	if memb := util.GetMemberByJSON(util.NativeType(t.Elem), tag.Value); memb == nil {
-		return Validations{}, fmt.Errorf("no field for JSON name %q", tag.Value)
-	} else if k := util.NativeType(memb.Type).Kind; k != types.Builtin {
-		return Validations{}, fmt.Errorf("only primitive types can be list-map keys (%s)", k)
-	} else {
-		fieldName = memb.Name
-	}
-
-	if lmktv.byPath[context.Path.String()] == nil {
-		lmktv.byPath[context.Path.String()] = &listMetadata{}
-	}
-	lm := lmktv.byPath[context.Path.String()]
-	lm.keyFields = append(lm.keyFields, fieldName)
-	lm.keyNames = append(lm.keyNames, tag.Value)
-
-	// This tag doesn't generate any validations.  It just accumulates
-	// information for other tags to use.
-	return Validations{}, nil
-}
-
-func (lmktv listMapKeyTagValidator) Docs() TagDoc {
-	doc := TagDoc{
-		Tag:         lmktv.TagName(),
-		Scopes:      lmktv.ValidScopes().UnsortedList(),
-		Description: "Declares a named sub-field of a list's value-type to be part of the list-map key.",
-		Payloads: []TagPayloadDoc{{
-			Description: "<field-json-name>",
-			Docs:        "The name of the field.",
-		}},
-		PayloadsType:     codetags.ValueTypeString,
-		PayloadsRequired: true,
-	}
-	return doc
-}
-
-type listValidator struct {
-	byPath map[string]*listMetadata
-}
-
-func (listValidator) Init(_ Config) {}
-
-func (listValidator) Name() string {
-	return "listValidator"
-}
-
-var (
-	validateUnique = types.Name{Package: libValidationPkg, Name: "Unique"}
-)
-
-func (lv listValidator) GetValidations(context Context) (Validations, error) {
-	lm := lv.byPath[context.Path.String()]
-	if err := lv.check(lm); err != nil {
-		return Validations{}, err
-	}
-	// NOTE: We don't really support list-of-list or map-of-list, so this does
-	// not consider the case of ScopeListVal or ScopeMapVal. If we want to
-	// support those, we need to look at this and make sure the paths work the
-	// way we need.
-	if context.Scope == ScopeField {
-		tm := lv.byPath[context.Type.String()]
-		if lm != nil && tm != nil {
-			return Validations{}, fmt.Errorf("found list metadata for both a field and its type: %s", context.Path)
-		}
-		// For the purpose of emitting validations, we can use the
-		// type's metadata if the field's metadata is not set.
-		//
-		// TypeValidators happen before FieldValidators, so if we end
-		// up here, we can rely on this having been checked already.
-		if lm == nil && tm != nil {
-			lm = tm
-		}
-	}
-	if lm == nil {
-		// TODO(thockin): enable this once the whole codebase is converted or
-		// if we only run against fields which are opted-in.
-		// if context.Type.Kind == types.Slice || context.Type.Kind == types.Array {
-		// 	return Validations{}, fmt.Errorf("found list field without a listType")
-		// }
-		return Validations{}, nil
-	}
-
-	result := Validations{}
-
-	// Generate uniqueness checks for lists with higher-order semantics.
-	nt := util.NativeType(context.Type)
-	if lm.declaredAsSet {
-		// Only compare primitive values when possible. Slices and maps are not
-		// comparable, and structs might hold pointer fields, which are directly
-		// comparable but not what we need.
-		//
-		// NOTE: lists of pointers are not supported, so we should never see a pointer here.
-		matchArg := validateSemanticDeepEqual
-		if util.IsDirectComparable(util.NonPointer(util.NativeType(nt.Elem))) {
-			matchArg = validateDirectEqual
-		}
-		f := Function("listValidator", DefaultFlags, validateUnique, Identifier(matchArg))
-		result.AddFunction(f)
-	}
-	// TODO: enable the following once we have a way to either opt-out from this validation
-	// or settle the decision on how to handle the ratcheting cases.
-	// if lm.declaredAsMap {
-	// TODO: There are some fields which are declared as maps which do not
-	// enforce uniqueness in manual validation. Those either need to not be
-	// maps or we need to allow types to opt-out from this validation.  SSA
-	// is also not able to handle these well.
-
-	// matchArg := lm.makeListMapMatchFunc(nt.Elem)
-	// f := Function("listValidator", DefaultFlags, validateUnique, matchArg).
-	// 	WithComment("listType=map requires unique keys")
-	// result.AddFunction(f)
-	// }
-
-	return result, nil
-}
-
-// make sure a given listMetadata makes sense.
-func (lv listValidator) check(lm *listMetadata) error {
-	if lm != nil {
-		// Check some fundamental constraints on list tags.
-		decls := []string{}
-		if lm.declaredAsAtomic {
-			decls = append(decls, "atomic")
-		}
-		if lm.declaredAsSet {
-			decls = append(decls, "set")
-		}
-		if lm.declaredAsMap {
-			decls = append(decls, "map")
-		}
-		if len(decls) > 1 {
-			return fmt.Errorf("listType cannot have multiple types (%s)", strings.Join(decls, ", "))
-		}
-		if lm.declaredAsMap && len(lm.keyFields) == 0 {
-			return fmt.Errorf("found listType=map without listMapKey")
-		}
-		if len(lm.keyFields) > 0 && !lm.declaredAsMap {
-			return fmt.Errorf("found listMapKey without listType=map")
-		}
-		// Check for missing listType (after the other checks so the more specific errors take priority)
-		if len(decls) == 0 {
-			return fmt.Errorf("found list metadata without a listType")
-		}
-	}
-	return nil
-}
-
 type eachValTagValidator struct {
 	byPath    map[string]*listMetadata
 	validator Validator
@@ -387,10 +71,9 @@ func (eachValTagValidator) ValidScopes() sets.Set[Scope] {
 func (eachValTagValidator) LateTagValidator() {}
 
 var (
-	validateEachSliceVal      = types.Name{Package: libValidationPkg, Name: "EachSliceVal"}
-	validateEachMapVal        = types.Name{Package: libValidationPkg, Name: "EachMapVal"}
-	validateSemanticDeepEqual = types.Name{Package: libValidationPkg, Name: "SemanticDeepEqual"}
-	validateDirectEqual       = types.Name{Package: libValidationPkg, Name: "DirectEqual"}
+	validateEachSliceVal   = types.Name{Package: libValidationPkg, Name: "EachSliceVal"}
+	validateEachMapVal     = types.Name{Package: libValidationPkg, Name: "EachMapVal"}
+	validateDirectEqualPtr = types.Name{Package: libValidationPkg, Name: "DirectEqualPtr"}
 )
 
 func (evtv eachValTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
@@ -400,19 +83,23 @@ func (evtv eachValTagValidator) GetValidations(context Context, tag codetags.Tag
 	switch nt.Kind {
 	case types.Slice, types.Array, types.Map:
 	default:
-		return Validations{}, fmt.Errorf("can only be used on list or map types (%s)", t.Kind)
+		return Validations{}, fmt.Errorf("can only be used on list or map types (%s)", nt.Kind)
 	}
 
 	elemContext := Context{
+		// Scope is initialized below.
 		Type:       nt.Elem,
+		Path:       context.Path.Key("(vals)"),
+		Member:     nil, // NA for list/map values
 		ParentPath: context.Path,
-		Path:       context.Path.Key("*"),
 	}
 	switch nt.Kind {
 	case types.Slice, types.Array:
 		elemContext.Scope = ScopeListVal
+		elemContext.ListSelector = []ListSelectorTerm{} // empty == "all"
 	case types.Map:
 		elemContext.Scope = ScopeMapVal
+		// TODO: We may need map selectors at some point.
 	}
 	if tag.ValueTag == nil {
 		return Validations{}, fmt.Errorf("missing validation tag")
@@ -481,29 +168,34 @@ func (evtv eachValTagValidator) getListValidations(fldPath *field.Path, t *types
 	// looking up and comparing correlated list elements for validation ratcheting.
 	directComparable := util.IsDirectComparable(util.NonPointer(util.NativeType(nt.Elem)))
 
-	switch {
-	case listMetadata != nil && listMetadata.declaredAsMap:
-		// For listType=map, we use key to lookup the correlated element in the old list.
-		// And use equivFunc to compare the correlated elements in the old and new lists.
-		matchArg = listMetadata.makeListMapMatchFunc(nt.Elem)
-		if directComparable {
-			equivArg = Identifier(validateDirectEqual)
-		} else {
-			equivArg = Identifier(validateSemanticDeepEqual)
-		}
-	case listMetadata != nil && listMetadata.declaredAsSet:
-		// For listType=set, matchArg is the equivalence check, so equivArg is nil.
-		if directComparable {
-			matchArg = Identifier(validateDirectEqual)
-		} else {
-			matchArg = Identifier(validateSemanticDeepEqual)
+	if listMetadata != nil {
+		switch listMetadata.semantic {
+		case semanticMap:
+			// For listType=map, we use key to lookup the correlated element in the old list.
+			// And use equivFunc to compare the correlated elements in the old and new lists.
+			matchArg = listMetadata.makeListMapMatchFunc(nt.Elem)
+			if directComparable {
+				equivArg = Identifier(validateDirectEqual)
+			} else {
+				equivArg = Identifier(validateSemanticDeepEqual)
+			}
+		case semanticSet:
+			// For listType=set, matchArg is the equivalence check, so equivArg is nil.
+			if directComparable {
+				matchArg = Identifier(validateDirectEqual)
+			} else {
+				matchArg = Identifier(validateSemanticDeepEqual)
+			}
+		default:
+			// For non-map and non-set list, we don't lookup the correlated element in the old list.
+			// The matchArg and equivArg are both nil.
 		}
-	default:
-		// For non-map and non-set list, we don't lookup the correlated element in the old list.
-		// The matchArg and equivArg are both nil.
 	}
+
 	for _, vfn := range validations.Functions {
-		f := Function(eachValTagName, vfn.Flags, validateEachSliceVal, matchArg, equivArg, WrapperFunction{vfn, nt.Elem})
+		comm := vfn.Comments
+		vfn.Comments = nil
+		f := Function(eachValTagName, vfn.Flags, validateEachSliceVal, matchArg, equivArg, WrapperFunction{vfn, nt.Elem}).WithComments(comm...)
 		result.AddFunction(f)
 	}
 
@@ -522,7 +214,9 @@ func (evtv eachValTagValidator) getMapValidations(t *types.Type, validations Val
 		equivArg = Identifier(validateDirectEqual)
 	}
 	for _, vfn := range validations.Functions {
-		f := Function(eachValTagName, vfn.Flags, validateEachMapVal, equivArg, WrapperFunction{vfn, nt.Elem})
+		comm := vfn.Comments
+		vfn.Comments = nil
+		f := Function(eachValTagName, vfn.Flags, validateEachMapVal, equivArg, WrapperFunction{vfn, nt.Elem}).WithComments(comm...)
 		result.AddFunction(f)
 	}
 
@@ -531,9 +225,10 @@ func (evtv eachValTagValidator) getMapValidations(t *types.Type, validations Val
 
 func (evtv eachValTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:         evtv.TagName(),
-		Scopes:      evtv.ValidScopes().UnsortedList(),
-		Description: "Declares a validation for each value in a map or list.",
+		Tag:            evtv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         evtv.ValidScopes().UnsortedList(),
+		Description:    "Declares a validation for each value in a map or list.",
 		Payloads: []TagPayloadDoc{{
 			Description: "<validation-tag>",
 			Docs:        "The tag to evaluate for each value.",
@@ -566,16 +261,18 @@ var (
 
 func (ektv eachKeyTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
 	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
-	t := util.NativeType(context.Type)
-	if t.Kind != types.Map {
-		return Validations{}, fmt.Errorf("can only be used on map types (%s)", t.Kind)
+	t := context.Type
+	nt := util.NativeType(t)
+	if nt.Kind != types.Map {
+		return Validations{}, fmt.Errorf("can only be used on map types (%s)", nt.Kind)
 	}
 
 	elemContext := Context{
 		Scope:      ScopeMapKey,
-		Type:       t.Elem,
+		Type:       nt.Elem,
+		Path:       context.Path.Key("(keys)"),
+		Member:     nil, // NA for map keys
 		ParentPath: context.Path,
-		Path:       context.Path.Child("(keys)"),
 	}
 
 	if validations, err := ektv.validator.ExtractValidations(elemContext, *tag.ValueTag); err != nil {
@@ -590,10 +287,13 @@ func (ektv eachKeyTagValidator) GetValidations(context Context, tag codetags.Tag
 }
 
 func (ektv eachKeyTagValidator) getValidations(t *types.Type, validations Validations) (Validations, error) {
+	nt := util.NativeType(t)
 	result := Validations{}
 	result.OpaqueKeyType = validations.OpaqueType
 	for _, vfn := range validations.Functions {
-		f := Function(eachKeyTagName, vfn.Flags, validateEachMapKey, WrapperFunction{vfn, t.Key})
+		comm := vfn.Comments
+		vfn.Comments = nil
+		f := Function(eachKeyTagName, vfn.Flags, validateEachMapKey, WrapperFunction{vfn, nt.Key}).WithComments(comm...)
 		result.AddFunction(f)
 	}
 	return result, nil
@@ -607,12 +307,13 @@ func ForEachKey(_ *field.Path, t *types.Type, fn FunctionGen) (Validations, erro
 
 func (ektv eachKeyTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:         ektv.TagName(),
-		Scopes:      ektv.ValidScopes().UnsortedList(),
-		Description: "Declares a validation for each value in a map or list.",
+		Tag:            ektv.TagName(),
+		Scopes:         ektv.ValidScopes().UnsortedList(),
+		StabilityLevel: Alpha,
+		Description:    "Declares a validation for each value in a map or list.",
 		Payloads: []TagPayloadDoc{{
 			Description: "<validation-tag>",
-			Docs:        "The tag to evaluate for each value.",
+			Docs:        "The tag to evaluate for each key.",
 		}},
 		PayloadsType:     codetags.ValueTypeTag,
 		PayloadsRequired: true,
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/enum.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/enum.go
index e6d7952ee13e0..ffc7ff27d10ff 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/enum.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/enum.go
@@ -26,22 +26,56 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/code-generator/cmd/validation-gen/util"
 	"k8s.io/gengo/v2/codetags"
-	"k8s.io/gengo/v2/generator"
 	"k8s.io/gengo/v2/types"
 )
 
-const enumTagName = "k8s:enum"
+const (
+	enumTagName        = "k8s:enum"
+	enumExcludeTagName = "k8s:enumExclude"
+)
 
 func init() {
 	RegisterTagValidator(&enumTagValidator{})
+	RegisterTagValidator(&enumExcludeTagValidator{})
+}
+
+type enumExcludeTagValidator struct {
+}
+
+func (*enumExcludeTagValidator) Init(_ Config) {
+}
+
+func (*enumExcludeTagValidator) TagName() string {
+	return enumExcludeTagName
+}
+
+var enumExcludeValidScope = sets.New(ScopeConst)
+
+func (*enumExcludeTagValidator) ValidScopes() sets.Set[Scope] {
+	return enumExcludeValidScope
+}
+
+func (*enumExcludeTagValidator) GetValidations(_ Context, _ codetags.Tag) (Validations, error) {
+	return Validations{}, nil
+}
+
+func (eetv *enumExcludeTagValidator) Docs() TagDoc {
+	return TagDoc{
+		Tag:            eetv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         eetv.ValidScopes().UnsortedList(),
+		Description: `Indicates that an constant value is not part of an enum, even if the constant's type is tagged with k8s:enum.
+May be conditionally excluded via +k8s:ifEnabled(Option)=+k8s:enumExclude or +k8s:ifDisabled(Option)=+k8s:enumExclude.
+If multiple +k8s:ifEnabled/+k8s:ifDisabled tags are used, the value is excluded if any of the exclude conditions are met.`,
+	}
 }
 
 type enumTagValidator struct {
-	enumContext *enumContext
+	validator Validator
 }
 
 func (etv *enumTagValidator) Init(cfg Config) {
-	etv.enumContext = newEnumContext(cfg.GengoContext)
+	etv.validator = cfg.Validator
 }
 
 func (enumTagValidator) TagName() string {
@@ -55,38 +89,114 @@ func (enumTagValidator) ValidScopes() sets.Set[Scope] {
 }
 
 var (
-	enumValidator = types.Name{Package: libValidationPkg, Name: "Enum"}
+	enumValidator     = types.Name{Package: libValidationPkg, Name: "Enum"}
+	enumExclusionType = types.Name{Package: libValidationPkg, Name: "EnumExclusion"}
+	setsNew           = types.Name{Package: "k8s.io/apimachinery/pkg/util/sets", Name: "New"}
 )
 
-var setsNew = types.Name{Package: "k8s.io/apimachinery/pkg/util/sets", Name: "New"}
-
 func (etv *enumTagValidator) GetValidations(context Context, _ codetags.Tag) (Validations, error) {
 	// NOTE: typedefs to pointers are not supported, so we should never see a pointer here.
 	if t := util.NativeType(context.Type); t != types.String {
 		return Validations{}, fmt.Errorf("can only be used on string types (%s)", rootTypeString(context.Type, t))
 	}
 
+	enum := &enumType{Name: context.Type.Name}
+	for _, c := range context.Constants {
+		var exclusions []enumExclude
+		isExcluded := false
+		for _, tag := range c.Tags {
+			switch tag.Name {
+			case enumExcludeTagName:
+				isExcluded = true
+			case ifEnabledTag, ifDisabledTag:
+				if tag.ValueTag != nil && tag.ValueTag.Name == enumExcludeTagName {
+					if option, ok := tag.PositionalArg(); ok {
+						exclusions = append(exclusions, enumExclude{
+							excludeWhen: tag.Name == ifEnabledTag,
+							option:      option.Value,
+						})
+					}
+				}
+			}
+		}
+		if isExcluded {
+			continue
+		}
+
+		value := &enumValue{
+			Name:       c.Constant.Name,
+			Value:      *c.Constant.ConstValue,
+			Comment:    strings.Join(c.Constant.CommentLines, " "),
+			Exclusions: exclusions,
+		}
+		enum.addIfNotPresent(value)
+	}
+
+	// Sort the values for the codegen that happens later.
+	slices.SortFunc(enum.Values, func(a, b *enumValue) int {
+		return cmp.Compare(a.Name.Name, b.Name.Name)
+	})
+	for _, v := range enum.Values {
+		slices.SortFunc(v.Exclusions, func(a, b enumExclude) int {
+			if a.excludeWhen == b.excludeWhen {
+				return cmp.Compare(a.option, b.option)
+			}
+			if a.excludeWhen {
+				return 1
+			}
+			return -1
+		})
+	}
+
 	var result Validations
 
-	if enum, ok := etv.enumContext.EnumType(context.Type); ok {
-		// TODO: Avoid the "local" here. This was added to avoid errors caused when the package is an empty string.
-		//       The correct package would be the output package but is not known here. This does not show up in generated code.
-		// TODO: Append a consistent hash suffix to avoid generated name conflicts?
-		supportVarName := PrivateVar{Name: "SymbolsFor" + context.Type.Name.Name, Package: "local"}
-		supportVar := Variable(supportVarName, Function(enumTagName, DefaultFlags, setsNew, enum.ValueArgs()...).WithTypeArgs(enum.Name))
-		result.AddVariable(supportVar)
-		fn := Function(enumTagName, DefaultFlags, enumValidator, supportVarName)
-		result.AddFunction(fn)
+	// TODO: Avoid the "local" here. This was added to avoid errors caused when the package is an empty string.
+	//       The correct package would be the output package but is not known here. This does not show up in generated code.
+	// TODO: Append a consistent hash suffix to avoid generated name conflicts?
+	symbolsVarName := PrivateVar{Name: "SymbolsFor" + context.Type.Name.Name, Package: "local"}
+	var allValues []any
+	var exclusionRules []any
+	for _, v := range enum.Values {
+		allValues = append(allValues, Identifier(v.Name))
+		for _, exclusion := range v.Exclusions {
+			exclusionRules = append(exclusionRules, StructLiteral{
+				Type:     enumExclusionType,
+				TypeArgs: []*types.Type{context.Type},
+				Fields: []StructLiteralField{
+					{"Value", Identifier(v.Name)},
+					{"Option", exclusion.option},
+					{"ExcludeWhen", exclusion.excludeWhen},
+				},
+			})
+		}
+	}
+	initFn := Function("setsNew", DefaultFlags, setsNew, allValues...)
+	if len(allValues) == 0 {
+		initFn = initFn.WithTypeArgs(enum.Name)
+	}
+	result.AddVariable(Variable(symbolsVarName, initFn))
+	var exclusions any = Literal("nil")
+	if len(exclusionRules) > 0 {
+		exclusionsVar := PrivateVar{Name: "ExclusionsFor" + context.Type.Name.Name, Package: "local"}
+		result.AddVariable(Variable(exclusionsVar, SliceLiteral{
+			ElementType:     enumExclusionType,
+			ElementTypeArgs: []*types.Type{context.Type},
+			Elements:        exclusionRules,
+		}))
+		exclusions = exclusionsVar
 	}
+	fn := Function(enumTagName, DefaultFlags, enumValidator, symbolsVarName, exclusions)
+	result.AddFunction(fn)
 
 	return result, nil
 }
 
 func (etv *enumTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         etv.TagName(),
-		Scopes:      etv.ValidScopes().UnsortedList(),
-		Description: "Indicates that a string type is an enum. All const values of this type are considered values in the enum.",
+		Tag:            etv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         etv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a string type is an enum. All constant values of this type are considered values in the enum unless excluded using +k8s:enumExclude.",
 	}
 }
 
@@ -111,38 +221,25 @@ func (et *enumType) SymbolConstants() []Identifier {
 
 // TODO: Everything below this comment is copied from kube-openapi's enum.go.
 
-type enumValue struct {
-	Name    types.Name
-	Value   string
-	Comment string
-}
-
 type enumType struct {
 	Name   types.Name
 	Values []*enumValue
 }
 
-// enumMap is a map from the name to the matching enum type.
-type enumMap map[types.Name]*enumType
-
-type enumContext struct {
-	enumTypes enumMap
-}
-
-func newEnumContext(c *generator.Context) *enumContext {
-	return &enumContext{enumTypes: parseEnums(c)}
+type enumValue struct {
+	Name       types.Name
+	Value      string
+	Comment    string
+	Exclusions []enumExclude
 }
 
-// EnumType checks and finds the enumType for a given type.
-// If the given type is a known enum type, returns the enumType, true
-// Otherwise, returns nil, false
-func (ec *enumContext) EnumType(t *types.Type) (enum *enumType, isEnum bool) {
-	// if t is a pointer, use its underlying type instead
-	if t.Kind == types.Pointer {
-		t = t.Elem
-	}
-	enum, ok := ec.enumTypes[t.Name]
-	return enum, ok
+type enumExclude struct {
+	// excludeWhen determines the condition for exclusion.
+	// If true, the value is excluded if the option is present.
+	// If false, the value is excluded if the option is NOT present.
+	excludeWhen bool
+	// option is the name of the feature option that controls the exclusion.
+	option string
 }
 
 // ValueStrings returns all possible values of the enum type as strings
@@ -157,39 +254,6 @@ func (et *enumType) ValueStrings() []string {
 	return values
 }
 
-func parseEnums(c *generator.Context) enumMap {
-	// find all enum types.
-	enumTypes := make(enumMap)
-	for _, p := range c.Universe {
-		for _, t := range p.Types {
-			if isEnumType(t) {
-				if _, ok := enumTypes[t.Name]; !ok {
-					enumTypes[t.Name] = &enumType{
-						Name: t.Name,
-					}
-				}
-			}
-		}
-	}
-
-	// find all enum values from constants, and try to match each with its type.
-	for _, p := range c.Universe {
-		for _, c := range p.Constants {
-			enumType := c.Underlying
-			if _, ok := enumTypes[enumType.Name]; ok {
-				value := &enumValue{
-					Name:    c.Name,
-					Value:   *c.ConstValue,
-					Comment: strings.Join(c.CommentLines, " "),
-				}
-				enumTypes[enumType.Name].addIfNotPresent(value)
-			}
-		}
-	}
-
-	return enumTypes
-}
-
 func (et *enumType) addIfNotPresent(value *enumValue) {
 	// If we already have an enum case with the same value, then ignore this new
 	// one. This can happen if an enum aliases one from another package and
@@ -207,14 +271,3 @@ func (et *enumType) addIfNotPresent(value *enumValue) {
 	}
 	et.Values = append(et.Values, value)
 }
-
-// isEnumType checks if a given type is an enum by the definition
-// An enum type should be an alias of string and has tag '+enum' in its comment.
-// Additionally, pass the type of builtin 'string' to check against.
-func isEnumType(t *types.Type) bool {
-	return t.Kind == types.Alias && t.Underlying == types.String && hasEnumTag(t)
-}
-
-func hasEnumTag(t *types.Type) bool {
-	return codetags.Extract("+", t.CommentLines)[enumTagName] != nil
-}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/equality.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/equality.go
index 30d1b99c2e1df..005213b466720 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/equality.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/equality.go
@@ -42,7 +42,7 @@ func (neqTagValidator) TagName() string {
 	return neqTagName
 }
 
-var neqTagValidScopes = sets.New(ScopeAny)
+var neqTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 
 func (neqTagValidator) ValidScopes() sets.Set[Scope] {
 	return neqTagValidScopes
@@ -98,6 +98,7 @@ func (v neqTagValidator) GetValidations(context Context, tag codetags.Tag) (Vali
 func (v neqTagValidator) Docs() TagDoc {
 	return TagDoc{
 		Tag:              v.TagName(),
+		StabilityLevel:   Alpha,
 		Scopes:           v.ValidScopes().UnsortedList(),
 		Description:      "Verifies the field's value is not equal to a specific disallowed value. Supports string, integer, and boolean types.",
 		PayloadsRequired: true,
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/format.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/format.go
new file mode 100644
index 0000000000000..54322e05626b8
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/format.go
@@ -0,0 +1,160 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validators
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/code-generator/cmd/validation-gen/util"
+	"k8s.io/gengo/v2/codetags"
+	"k8s.io/gengo/v2/types"
+)
+
+const (
+	formatTagName = "k8s:format"
+)
+
+func init() {
+	RegisterTagValidator(formatTagValidator{})
+}
+
+type formatTagValidator struct{}
+
+func (formatTagValidator) Init(_ Config) {}
+
+func (formatTagValidator) TagName() string {
+	return formatTagName
+}
+
+var formatTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
+
+func (formatTagValidator) ValidScopes() sets.Set[Scope] {
+	return formatTagValidScopes
+}
+
+var (
+	// Keep this list alphabetized.
+	// TODO: uncomment the following when we've done the homework
+	// to be sure it works the current state of IP manual-ratcheting
+	// ipSloppyValidator         = types.Name{Package: libValidationPkg, Name: "IPSloppy"}
+	extendedResourceNameValidator       = types.Name{Package: libValidationPkg, Name: "ExtendedResourceName"}
+	labelKeyValidator                   = types.Name{Package: libValidationPkg, Name: "LabelKey"}
+	labelValueValidator                 = types.Name{Package: libValidationPkg, Name: "LabelValue"}
+	longNameCaselessValidator           = types.Name{Package: libValidationPkg, Name: "LongNameCaseless"}
+	longNameValidator                   = types.Name{Package: libValidationPkg, Name: "LongName"}
+	resourceFullyQualifiedNameValidator = types.Name{Package: libValidationPkg, Name: "ResourceFullyQualifiedName"}
+	resourcePoolNameValidator           = types.Name{Package: libValidationPkg, Name: "ResourcePoolName"}
+	shortNameValidator                  = types.Name{Package: libValidationPkg, Name: "ShortName"}
+	uuidValidator                       = types.Name{Package: libValidationPkg, Name: "UUID"}
+)
+
+func (formatTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// This tag can apply to value and pointer fields, as well as typedefs
+	// (which should never be pointers). We need to check the concrete type.
+	if t := util.NonPointer(util.NativeType(context.Type)); t != types.String {
+		return Validations{}, fmt.Errorf("can only be used on string types (%s)", rootTypeString(context.Type, t))
+	}
+
+	var result Validations
+	if formatFunction, err := getFormatValidationFunction(tag.Value); err != nil {
+		return result, err
+	} else {
+		result.AddFunction(formatFunction)
+	}
+	return result, nil
+}
+
+func getFormatValidationFunction(format string) (FunctionGen, error) {
+	// The naming convention for these formats follows the JSON schema style:
+	// all lower-case, dashes between words. See
+	// https://json-schema.org/draft/2020-12/json-schema-validation#name-defined-formats
+	// for more examples.
+
+	switch format {
+	// Keep this sequence alphabetized.
+	case "k8s-extended-resource-name":
+		return Function(formatTagName, DefaultFlags, extendedResourceNameValidator), nil
+	// TODO: uncomment the following when we've done the homework
+	// to be sure it works the current state of IP manual-ratcheting
+	/*
+		case "k8s-ip":
+			return Function(formatTagName, DefaultFlags, ipSloppyValidator), nil
+	*/
+	case "k8s-label-key":
+		return Function(formatTagName, DefaultFlags, labelKeyValidator), nil
+	case "k8s-label-value":
+		return Function(formatTagName, DefaultFlags, labelValueValidator), nil
+	case "k8s-long-name":
+		return Function(formatTagName, DefaultFlags, longNameValidator), nil
+	case "k8s-long-name-caseless":
+		return Function(formatTagName, DefaultFlags, longNameCaselessValidator), nil
+	case "k8s-resource-fully-qualified-name":
+		return Function(formatTagName, DefaultFlags, resourceFullyQualifiedNameValidator), nil
+	case "k8s-resource-pool-name":
+		return Function(formatTagName, DefaultFlags, resourcePoolNameValidator), nil
+	case "k8s-short-name":
+		return Function(formatTagName, DefaultFlags, shortNameValidator), nil
+	case "k8s-uuid":
+		return Function(formatTagName, DefaultFlags, uuidValidator), nil
+	}
+	// TODO: Flesh out the list of validation functions
+
+	return FunctionGen{}, fmt.Errorf("unsupported validation format %q", format)
+}
+
+func (ftv formatTagValidator) Docs() TagDoc {
+	return TagDoc{
+		Tag:            ftv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         ftv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a string field has a particular format.",
+		Payloads: []TagPayloadDoc{{ // Keep this list alphabetized.
+			Description: "k8s-extended-resource-name",
+			Docs:        "This field holds a Kubernetes extended resource name. This is a domain-prefixed name that must not have a `kubernetes.io` or `requests.` prefix. When `requests.` is prepended, the result must be a valid label key, as used by quota.",
+		}, {
+			Description: "k8s-ip",
+			Docs:        "This field holds an IPv4 or IPv6 address value. IPv4 octets may have leading zeros.",
+		}, {
+			Description: "k8s-label-key",
+			Docs:        "This field holds a Kubernetes label key.",
+		}, {
+			Description: "k8s-label-value",
+			Docs:        "This field holds a Kubernetes label value.",
+		}, {
+			Description: "k8s-long-name",
+			Docs:        "This field holds a Kubernetes \"long name\", aka a \"DNS subdomain\" value.",
+		}, {
+			Description: "k8s-long-name-caseless",
+			Docs:        "Deprecated: This field holds a case-insensitive Kubernetes \"long name\", aka a \"DNS subdomain\" value.",
+		}, {
+			Description: "k8s-resource-fully-qualified-name",
+			Docs:        "This field holds a Kubernetes resource \"fully qualified name\" value. A fully qualified name must not be empty and must be composed of a prefix and a name, separated by a slash (e.g., \"prefix/name\"). The prefix must be a DNS subdomain, and the name part must be a C identifier with no more than 32 characters.",
+		}, {
+			Description: "k8s-resource-pool-name",
+			Docs:        "This field holds value with one or more Kubernetes \"long name\" parts separated by `/` and no longer than 253 characters.",
+		}, {
+			Description: "k8s-short-name",
+			Docs:        "This field holds a Kubernetes \"short name\", aka a \"DNS label\" value.",
+		}, {
+			Description: "k8s-uuid",
+			Docs:        "This field holds a Kubernetes UUID, which conforms to RFC 4122.",
+		}},
+		PayloadsType:     codetags.ValueTypeString,
+		PayloadsRequired: true,
+	}
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/immutable.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/immutable.go
index a2343f3d304a5..82cdf4d2df5f2 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/immutable.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/immutable.go
@@ -18,7 +18,6 @@ package validators
 
 import (
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/code-generator/cmd/validation-gen/util"
 	"k8s.io/gengo/v2/codetags"
 	"k8s.io/gengo/v2/types"
 )
@@ -46,31 +45,22 @@ func (immutableTagValidator) ValidScopes() sets.Set[Scope] {
 }
 
 var (
-	immutableCompareValidator = types.Name{Package: libValidationPkg, Name: "ImmutableByCompare"}
-	immutableReflectValidator = types.Name{Package: libValidationPkg, Name: "ImmutableByReflect"}
+	immutableValidator = types.Name{Package: libValidationPkg, Name: "Immutable"}
 )
 
 func (immutableTagValidator) GetValidations(context Context, _ codetags.Tag) (Validations, error) {
 	var result Validations
 
-	if util.IsDirectComparable(util.NonPointer(util.NativeType(context.Type))) {
-		// This is a minor optimization to just compare primitive values when
-		// possible. Slices and maps are not comparable, and structs might hold
-		// pointer fields, which are directly comparable but not what we need.
-		//
-		// Note: This compares the pointee, not the pointer itself.
-		result.AddFunction(Function(immutableTagName, DefaultFlags, immutableCompareValidator))
-	} else {
-		result.AddFunction(Function(immutableTagName, DefaultFlags, immutableReflectValidator))
-	}
-
+	// Use ShortCircuit flag so immutable runs in the same group as +k8s:optional.
+	result.AddFunction(Function(immutableTagName, ShortCircuit, immutableValidator))
 	return result, nil
 }
 
 func (itv immutableTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         itv.TagName(),
-		Scopes:      itv.ValidScopes().UnsortedList(),
-		Description: "Indicates that a field may not be updated.",
+		Tag:            itv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         itv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a field may not be updated.",
 	}
 }
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/item.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/item.go
index ae3d53fe5f161..8fc98e33f9054 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/item.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/item.go
@@ -31,34 +31,31 @@ const (
 	itemTagName = "k8s:item"
 )
 
+func init() {
+	// Processing item tags requires the list metadata.
+	RegisterTagValidator(&itemTagValidator{listByPath: globalListMeta})
+}
+
 type keyValuePair struct {
 	key       string
 	value     any
 	valueType codetags.ValueType
 }
 
-type itemValidation struct {
-	// criteria contains the field(s) on which to match
-	criteria []keyValuePair
-	// valueTag is the validation tag to apply to a matched item
-	valueTag codetags.Tag
-}
-
-type itemMetadata struct {
-	items []itemValidation
-}
-
 type itemTagValidator struct {
-	byPath map[string]*itemMetadata
+	validator  Validator
+	listByPath map[string]*listMetadata
 }
 
-func (itv *itemTagValidator) Init(cfg Config) {}
+func (itv *itemTagValidator) Init(cfg Config) {
+	itv.validator = cfg.Validator
+}
 
 func (itemTagValidator) TagName() string {
 	return itemTagName
 }
 
-var itemTagValidScopes = sets.New(ScopeAny)
+var itemTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 
 func (itemTagValidator) ValidScopes() sets.Set[Scope] {
 	return itemTagValidScopes
@@ -68,68 +65,163 @@ func (itemTagValidator) ValidScopes() sets.Set[Scope] {
 // and listMapKey tags.
 func (itemTagValidator) LateTagValidator() {}
 
+var (
+	validateSliceItem = types.Name{Package: libValidationPkg, Name: "SliceItem"}
+)
+
 func (itv *itemTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
 	// TODO: Support regular maps with syntax like:
 	// +k8s:item("map-key")=+k8s:immutable
 
-	// Parse key-value pairs from named args.
-	criteria := []keyValuePair{}
-	processedKeys := sets.NewString()
-
-	for _, arg := range tag.Args {
-		if arg.Name == "" {
-			return Validations{}, fmt.Errorf("all arguments must be named (ex: fieldName:value)")
-		}
-		if processedKeys.Has(arg.Name) {
-			return Validations{}, fmt.Errorf("duplicate key %q", arg.Name)
-		}
-		processedKeys.Insert(arg.Name)
+	// This tag can apply to value and pointer fields, as well as typedefs
+	// (which should never be pointers). We need to check the concrete type.
+	nt := util.NonPointer(util.NativeType(context.Type))
+	if nt.Kind != types.Slice {
+		return Validations{}, fmt.Errorf("can only be used on list types")
+	}
+	elemT := util.NonPointer(util.NativeType(nt.Elem))
+	if elemT.Kind != types.Struct {
+		return Validations{}, fmt.Errorf("can only be used on lists of structs")
+	}
+	if tag.ValueType != codetags.ValueTypeTag || tag.ValueTag == nil {
+		return Validations{}, fmt.Errorf("requires a validation tag as its value payload")
+	}
 
-		parsedValue, valueType, err := parseTypedValue(arg.Value, arg.Type)
-		if err != nil {
-			return Validations{}, fmt.Errorf("invalid value for key %q: %w", arg.Name, err)
+	// For fields, list metadata can fall back to the type.
+	// For types, list metadata must be defined on the type itself.
+	listMeta, ok := itv.listByPath[context.Path.String()]
+	if !ok {
+		if context.Scope == ScopeField {
+			typePath := context.Type.String()
+			listMeta, ok = itv.listByPath[typePath]
 		}
+	}
 
-		criteria = append(criteria, keyValuePair{
-			key:       arg.Name,
-			value:     parsedValue,
-			valueType: valueType,
-		})
+	// Fields inherit list metadata from typedefs, but not vice-versa.
+	// If we find no listMetadata then something is wrong.
+	// The item tag requires map semantics, which can come from either listType=map or unique=map
+	if !ok || listMeta.semantic != semanticMap || len(listMeta.keyMembers) == 0 {
+		return Validations{}, fmt.Errorf("found items with no list metadata - item tags require listType=map or unique=map with listMapKey")
 	}
 
+	// Parse key-value pairs from named args.
+	criteria, err := criteriaFromArgs(tag.Args)
+	if err != nil {
+		return Validations{}, err
+	}
 	if len(criteria) == 0 {
 		return Validations{}, fmt.Errorf("no selection criteria was specified")
 	}
+	if narg, nkey := len(criteria), len(listMeta.keyNames); narg != nkey {
+		return Validations{}, fmt.Errorf("number of arguments (%d) does not match number of listMapKey fields (%d)", narg, nkey)
+	}
 
-	if tag.ValueType != codetags.ValueTypeTag || tag.ValueTag == nil {
-		return Validations{}, fmt.Errorf("requires a validation tag as its value payload")
+	// Validate that all listMapKeys are provided and types match
+	foundKeys := make(map[string]bool)
+	sortedCriteria := make([]keyValuePair, 0, len(listMeta.keyNames))
+	for _, keyName := range listMeta.keyNames {
+		for _, pair := range criteria {
+			if pair.key == keyName {
+				member := util.GetMemberByJSON(elemT, pair.key)
+				if member == nil {
+					return Validations{}, fmt.Errorf("no field with JSON name %q", pair.key)
+				}
+				if err := validateTypeMatch(member.Type, pair.value); err != nil {
+					return Validations{}, fmt.Errorf("key %q: %w", pair.key, err)
+				}
+				foundKeys[keyName] = true
+				sortedCriteria = append(sortedCriteria, pair)
+				break
+			}
+		}
 	}
+	if len(foundKeys) != len(listMeta.keyNames) {
+		missing := []string{}
+		for _, k := range listMeta.keyNames {
+			if !foundKeys[k] {
+				missing = append(missing, k)
+			}
+		}
+		return Validations{}, fmt.Errorf("missing required listMapKey fields: %v", missing)
+	}
+	criteria = sortedCriteria
 
-	// This tag can apply to value and pointer fields, as well as typedefs
-	// (which should never be pointers). We need to check the concrete type.
-	t := util.NonPointer(util.NativeType(context.Type))
+	result := Validations{}
 
-	if t.Kind != types.Slice {
-		return Validations{}, fmt.Errorf("can only be used on list types")
+	// Extract validations from the stored tag
+	itemKey := selectorString(criteria)
+	itemPath := context.Path.Key(itemKey)
+	itemSelector := generateSelector(criteria)
+	subContext := Context{
+		Scope:        ScopeListVal,
+		Type:         elemT,
+		Path:         itemPath,
+		ListSelector: itemSelector,
+		ParentPath:   context.Path,
 	}
 
-	elemT := util.NonPointer(util.NativeType(t.Elem))
-	if elemT.Kind != types.Struct {
-		return Validations{}, fmt.Errorf("can only be used on lists of structs")
+	validations, err := itv.validator.ExtractValidations(subContext, *tag.ValueTag)
+	if err != nil {
+		return Validations{}, err
+	}
+
+	result.Variables = append(result.Variables, validations.Variables...)
+
+	// matchArg is the function that is used to select the item in new and
+	// old lists.
+	matchArg, err := createMatchFn(elemT, criteria)
+	if err != nil {
+		return Validations{}, err
 	}
 
-	// Store metadata for the field validator to use.
-	if itv.byPath[context.Path.String()] == nil {
-		itv.byPath[context.Path.String()] = &itemMetadata{}
+	// equivArg is the function that is used to compare the correlated
+	// elements in the old and new lists, for ratcheting.
+	var equivArg any
+
+	// directComparable is used to determine whether we can use the direct
+	// comparison operator "==" or need to use the semantic DeepEqual when
+	// looking up and comparing correlated list elements for validation ratcheting.
+	directComparable := util.IsDirectComparable(util.NonPointer(util.NativeType(elemT)))
+	if directComparable {
+		equivArg = Identifier(validateDirectEqual)
+	} else {
+		equivArg = Identifier(validateSemanticDeepEqual)
 	}
 
-	itv.byPath[context.Path.String()].items = append(itv.byPath[context.Path.String()].items, itemValidation{
-		criteria: criteria,
-		valueTag: *tag.ValueTag,
-	})
+	for _, vfn := range validations.Functions {
+		f := Function(itemTagName, vfn.Flags, validateSliceItem, matchArg, equivArg, WrapperFunction{vfn, elemT})
+		f.Cohort = itemKey
+		result.AddFunction(f)
+	}
+
+	return result, nil
+}
+
+func criteriaFromArgs(args []codetags.Arg) ([]keyValuePair, error) {
+	criteria := []keyValuePair{}
+	keysSeen := sets.Set[string]{}
+
+	for _, arg := range args {
+		if arg.Name == "" {
+			return nil, fmt.Errorf("all arguments must be named")
+		}
+		if keysSeen.Has(arg.Name) {
+			return nil, fmt.Errorf("duplicate argument: %q", arg.Name)
+		}
+		keysSeen.Insert(arg.Name)
+
+		parsedValue, valueType, err := parseTypedValue(arg.Value, arg.Type)
+		if err != nil {
+			return nil, fmt.Errorf("invalid value for argument %q: %w", arg.Name, err)
+		}
 
-	// This tag doesn't generate validations directly, the itemFieldValidator does.
-	return Validations{}, nil
+		criteria = append(criteria, keyValuePair{
+			key:       arg.Name,
+			value:     parsedValue,
+			valueType: valueType,
+		})
+	}
+	return criteria, nil
 }
 
 // parseTypedValue parses a value based on its detected type
@@ -150,15 +242,15 @@ func parseTypedValue(value string, argType codetags.ArgType) (any, codetags.Valu
 		}
 		return boolVal, codetags.ValueTypeBool, nil
 	default:
-		// Default to string
-		return value, codetags.ValueTypeString, nil
+		return nil, "", fmt.Errorf("unsupported argument type: %q", argType)
 	}
 }
 
 func (itv itemTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:    itv.TagName(),
-		Scopes: itv.ValidScopes().UnsortedList(),
+		Tag:            itv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         itv.ValidScopes().UnsortedList(),
 		Description: "Declares a validation for an item of a slice declared as a +k8s:listType=map. " +
 			"The item to match is declared by providing field-value pair arguments. All key fields must be specified.",
 		Usage: "+k8s:item(stringKey: \"value\", intKey: 42, boolKey: true)=<validation-tag>",
@@ -176,135 +268,9 @@ func (itv itemTagValidator) Docs() TagDoc {
 	return doc
 }
 
-type itemValidator struct {
-	validator  Validator
-	listByPath map[string]*listMetadata
-	itemByPath map[string]*itemMetadata
-}
-
-func (iv *itemValidator) Init(cfg Config) {
-	iv.validator = cfg.Validator
-}
-
-func (itemValidator) Name() string {
-	return "itemFieldValidator"
-}
-
-var (
-	validateSliceItem = types.Name{Package: libValidationPkg, Name: "SliceItem"}
-)
-
-func (iv itemValidator) GetValidations(context Context) (Validations, error) {
-	itemMeta, ok := iv.itemByPath[context.Path.String()]
-	if !ok {
-		return Validations{}, nil
-	}
-	if len(itemMeta.items) == 0 {
-		return Validations{}, fmt.Errorf("found item metadata with no items")
-	}
-
-	// For fields, list metadata can fall back to the type.
-	// For types, list metadata must be defined on the type itself.
-	listMeta, ok := iv.listByPath[context.Path.String()]
-	if !ok {
-		if context.Scope == ScopeField {
-			typePath := context.Type.String()
-			listMeta, ok = iv.listByPath[typePath]
-		}
-	}
-
-	// Fields inherit list metadata from typedefs, but not vice-versa.
-	// If we find no listMetadata then something is wrong.
-	if !ok || !listMeta.declaredAsMap || len(listMeta.keyFields) == 0 {
-		return Validations{}, fmt.Errorf("found items with no list metadata")
-	}
-
-	t := util.NonPointer(util.NativeType(context.Type))
-	elemT := util.NonPointer(util.NativeType(t.Elem))
-
-	result := Validations{}
-
-	for _, item := range itemMeta.items {
-		if len(item.criteria) != len(listMeta.keyNames) {
-			return Validations{}, fmt.Errorf("number of arguments does not match number of listMapKey fields")
-		}
-
-		// Validate that all listMapKeys are provided and types match
-		foundKeys := make(map[string]bool)
-		for _, keyName := range listMeta.keyNames {
-			for _, pair := range item.criteria {
-				if pair.key == keyName {
-					member := util.GetMemberByJSON(elemT, pair.key)
-					if member != nil {
-						if err := validateTypeMatch(member.Type, pair.value); err != nil {
-							return Validations{}, fmt.Errorf("key %q: %w", pair.key, err)
-						}
-					}
-					foundKeys[keyName] = true
-					break
-				}
-			}
-		}
-		if len(foundKeys) != len(listMeta.keyNames) {
-			missing := []string{}
-			for _, k := range listMeta.keyNames {
-				if !foundKeys[k] {
-					missing = append(missing, k)
-				}
-			}
-			return Validations{}, fmt.Errorf("missing required listMapKey fields: %v", missing)
-		}
-
-		// Extract validations from the stored tag
-		subContextPath := generateFieldPathForMap(item.criteria)
-		subContext := Context{
-			Scope:      ScopeListVal,
-			Type:       elemT,
-			Path:       context.Path.Key(subContextPath),
-			ParentPath: context.Path,
-			Member:     nil,
-		}
-
-		validations, err := iv.validator.ExtractValidations(subContext, item.valueTag)
-		if err != nil {
-			return Validations{}, err
-		}
-
-		result.Variables = append(result.Variables, validations.Variables...)
-
-		// matchArg is the function that is used to select the item in new and
-		// old lists.
-		matchArg, err := createMatchFn(elemT, item.criteria)
-		if err != nil {
-			return Validations{}, err
-		}
-
-		// equivArg is the function that is used to compare the correlated
-		// elements in the old and new lists, for ratcheting.
-		var equivArg any
-
-		// directComparable is used to determine whether we can use the direct
-		// comparison operator "==" or need to use the semantic DeepEqual when
-		// looking up and comparing correlated list elements for validation ratcheting.
-		directComparable := util.IsDirectComparable(util.NonPointer(util.NativeType(elemT)))
-		if directComparable {
-			equivArg = Identifier(validateDirectEqual)
-		} else {
-			equivArg = Identifier(validateSemanticDeepEqual)
-		}
-
-		for _, vfn := range validations.Functions {
-			f := Function(itemTagName, vfn.Flags, validateSliceItem, matchArg, equivArg, WrapperFunction{vfn, elemT})
-			result.AddFunction(f)
-		}
-	}
-
-	return result, nil
-}
-
 // validateTypeMatch ensures the provided value matches the field's type
 func validateTypeMatch(fieldType *types.Type, value any) error {
-	nativeType := util.NativeType(fieldType)
+	nativeType := util.NonPointer(util.NativeType(fieldType))
 
 	switch {
 	case nativeType == types.String:
@@ -338,7 +304,11 @@ func buildMatchConditions(elemT *types.Type, criteria []keyValuePair, itemRef st
 		if err != nil {
 			return "", err
 		}
-		conditions = append(conditions, fmt.Sprintf("%s.%s == %s", itemRef, member.Name, rhs))
+		if member.Type.Kind == types.Pointer {
+			conditions = append(conditions, fmt.Sprintf("%s.%s != nil && *%s.%s == %s", itemRef, member.Name, itemRef, member.Name, rhs))
+		} else {
+			conditions = append(conditions, fmt.Sprintf("%s.%s == %s", itemRef, member.Name, rhs))
+		}
 	}
 
 	return strings.Join(conditions, " && "), nil
@@ -358,26 +328,26 @@ func createMatchFn(elemT *types.Type, criteria []keyValuePair) (FunctionLiteral,
 }
 
 func generateComparisonRHS(member *types.Member, value any) (string, error) {
-	memberType := util.NativeType(member.Type)
+	memberType := util.NonPointer(util.NativeType(member.Type))
 	switch {
 	case memberType == types.String:
 		strVal, ok := value.(string)
 		if !ok {
-			return "", fmt.Errorf("type mismatch, field is string but value is not")
+			return "", fmt.Errorf("type mismatch, field is string but value is not: %v", value)
 		}
 		return fmt.Sprintf("%q", strVal), nil
 
 	case memberType == types.Bool:
 		boolVal, ok := value.(bool)
 		if !ok {
-			return "", fmt.Errorf("type mismatch, field is bool but value is not")
+			return "", fmt.Errorf("type mismatch, field is bool but value is not: %v", value)
 		}
 		return fmt.Sprintf("%t", boolVal), nil
 
 	case types.IsInteger(memberType):
 		intVal, ok := value.(int)
 		if !ok {
-			return "", fmt.Errorf("type mismatch, field is int but value is not")
+			return "", fmt.Errorf("type mismatch, field is int but value is not: %v", value)
 		}
 		return fmt.Sprintf("%d", intVal), nil
 
@@ -386,9 +356,10 @@ func generateComparisonRHS(member *types.Member, value any) (string, error) {
 	}
 }
 
-// generateFieldPathForMap creates a field path for list map items using a JSON-like syntax.
-// The format is {"key": "value", "key2": 42, "key3": true} with quoted keys and appropriately formatted values.
-func generateFieldPathForMap(criteria []keyValuePair) string {
+// selectorString creates a field path for list map items using a JSON-like
+// syntax. The format is {"key": "value", "key2": 42, "key3": true} with quoted
+// keys and appropriately formatted values.
+func selectorString(criteria []keyValuePair) string {
 	var pairs []string
 	for _, fld := range criteria {
 		valueStr := formatValueForPath(fld.value)
@@ -409,3 +380,14 @@ func formatValueForPath(value any) string {
 		return fmt.Sprintf("%v", v)
 	}
 }
+
+func generateSelector(criteria []keyValuePair) []ListSelectorTerm {
+	terms := make([]ListSelectorTerm, len(criteria))
+	for i, pair := range criteria {
+		terms[i] = ListSelectorTerm{
+			Field: pair.key,
+			Value: pair.value,
+		}
+	}
+	return terms
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/limits.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/limits.go
index ff35f1163f6cb..84ccc17946403 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/limits.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/limits.go
@@ -27,11 +27,126 @@ import (
 )
 
 const (
-	minimumTagName = "k8s:minimum"
+	maxItemsTagName  = "k8s:maxItems"
+	minimumTagName   = "k8s:minimum"
+	maxLengthTagName = "k8s:maxLength"
 )
 
 func init() {
+	RegisterTagValidator(maxItemsTagValidator{})
 	RegisterTagValidator(minimumTagValidator{})
+	RegisterTagValidator(maxLengthTagValidator{})
+}
+
+type maxLengthTagValidator struct{}
+
+func (maxLengthTagValidator) Init(_ Config) {}
+
+func (maxLengthTagValidator) TagName() string {
+	return maxLengthTagName
+}
+
+var maxLengthTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
+
+func (maxLengthTagValidator) ValidScopes() sets.Set[Scope] {
+	return maxLengthTagValidScopes
+}
+
+var (
+	maxLengthValidator = types.Name{Package: libValidationPkg, Name: "MaxLength"}
+)
+
+func (maxLengthTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	var result Validations
+
+	// This tag can apply to value and pointer fields, as well as typedefs
+	// (which should never be pointers). We need to check the concrete type.
+	if t := util.NonPointer(util.NativeType(context.Type)); t != types.String {
+		return Validations{}, fmt.Errorf("can only be used on string types (%s)", rootTypeString(context.Type, t))
+	}
+
+	intVal, err := strconv.Atoi(tag.Value)
+	if err != nil {
+		return result, fmt.Errorf("failed to parse tag payload as int: %w", err)
+	}
+	if intVal < 0 {
+		return result, fmt.Errorf("must be greater than or equal to zero")
+	}
+	result.AddFunction(Function(maxLengthTagName, DefaultFlags, maxLengthValidator, intVal))
+	return result, nil
+}
+
+func (mltv maxLengthTagValidator) Docs() TagDoc {
+	return TagDoc{
+		Tag:            mltv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         mltv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a string field has a limit on its length.",
+		Payloads: []TagPayloadDoc{{
+			Description: "<non-negative integer>",
+			Docs:        "This field must be no more than X characters long.",
+		}},
+		PayloadsType:     codetags.ValueTypeInt,
+		PayloadsRequired: true,
+	}
+}
+
+type maxItemsTagValidator struct{}
+
+func (maxItemsTagValidator) Init(_ Config) {}
+
+func (maxItemsTagValidator) TagName() string {
+	return maxItemsTagName
+}
+
+var maxItemsTagValidScopes = sets.New(
+	ScopeType,
+	ScopeField,
+	ScopeListVal,
+	ScopeMapVal,
+)
+
+func (maxItemsTagValidator) ValidScopes() sets.Set[Scope] {
+	return maxItemsTagValidScopes
+}
+
+var (
+	maxItemsValidator = types.Name{Package: libValidationPkg, Name: "MaxItems"}
+)
+
+func (maxItemsTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	var result Validations
+
+	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
+	if t := util.NativeType(context.Type); t.Kind != types.Slice && t.Kind != types.Array {
+		return Validations{}, fmt.Errorf("can only be used on list types (%s)", rootTypeString(context.Type, t))
+	}
+
+	intVal, err := strconv.Atoi(tag.Value)
+	if err != nil {
+		return result, fmt.Errorf("failed to parse tag payload as int: %w", err)
+	}
+	if intVal < 0 {
+		return result, fmt.Errorf("must be greater than or equal to zero")
+	}
+	// Note: maxItems short-circuits other validations.
+	result.AddFunction(Function(maxItemsTagName, ShortCircuit, maxItemsValidator, intVal))
+	return result, nil
+}
+
+func (mitv maxItemsTagValidator) Docs() TagDoc {
+	return TagDoc{
+		Tag:            mitv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         mitv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a list has a limit on its size.",
+		Payloads: []TagPayloadDoc{{
+			Description: "<non-negative integer>",
+			Docs:        "This list must be no more than X items long.",
+		}},
+		PayloadsType:     codetags.ValueTypeInt,
+		PayloadsRequired: true,
+	}
 }
 
 type minimumTagValidator struct{}
@@ -42,9 +157,7 @@ func (minimumTagValidator) TagName() string {
 	return minimumTagName
 }
 
-var minimumTagValidScopes = sets.New(
-	ScopeAny,
-)
+var minimumTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 
 func (minimumTagValidator) ValidScopes() sets.Set[Scope] {
 	return minimumTagValidScopes
@@ -73,9 +186,10 @@ func (minimumTagValidator) GetValidations(context Context, tag codetags.Tag) (Va
 
 func (mtv minimumTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         mtv.TagName(),
-		Scopes:      mtv.ValidScopes().UnsortedList(),
-		Description: "Indicates that a numeric field has a minimum value.",
+		Tag:            mtv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         mtv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that a numeric field has a minimum value.",
 		Payloads: []TagPayloadDoc{{
 			Description: "<integer>",
 			Docs:        "This field must be greater than or equal to x.",
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/list.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/list.go
new file mode 100644
index 0000000000000..1cf86a609996c
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/list.go
@@ -0,0 +1,494 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validators
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/code-generator/cmd/validation-gen/util"
+	"k8s.io/gengo/v2/codetags"
+	"k8s.io/gengo/v2/types"
+)
+
+const (
+	listTypeTagName     = "k8s:listType"
+	ListMapKeyTagName   = "k8s:listMapKey"
+	uniqueTagName       = "k8s:unique"
+	customUniqueTagName = "k8s:customUnique"
+)
+
+// globalListMeta is shared between list-related validators.
+var globalListMeta = map[string]*listMetadata{} // keyed by the field or type path
+
+func init() {
+	// Accumulate list metadata via tags.
+	RegisterTagValidator(listTypeTagValidator{byPath: globalListMeta})
+	RegisterTagValidator(listMapKeyTagValidator{byPath: globalListMeta})
+	RegisterTagValidator(uniqueTagValidator{byPath: globalListMeta})
+	RegisterTagValidator(customUniqueTagValidator{byPath: globalListMeta})
+
+	// Finish work on the accumulated list metadata.
+	RegisterFieldValidator(listValidator{byPath: globalListMeta})
+	RegisterTypeValidator(listValidator{byPath: globalListMeta})
+}
+
+// This applies to all tags in this file.
+var listTagsValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
+
+type listOwnership string
+
+const (
+	ownershipSingle listOwnership = "single" // from listType=atomic
+	ownershipShared listOwnership = "shared" // from listType=set/map
+)
+
+type listSemantic string
+
+const (
+	semanticAtomic listSemantic = "atomic" // No uniqueness check
+	semanticSet    listSemantic = "set"    // uniqueness check
+	semanticMap    listSemantic = "map"    // uniqueness check based on key(s)
+)
+
+// listMetadata collects information about a single list with map or set semantics.
+type listMetadata struct {
+	ownership  listOwnership // For now we don't use it for generation.
+	semantic   listSemantic
+	keyMembers []*types.Member // For semantic == map.
+	keyNames   []string        // For semantic == map.
+
+	// customUnique indicates that k8s:customUnique is set on this list.
+	// It disables generation of uniqueness validation for this list.
+	customUnique bool
+}
+
+// makeListMapMatchFunc generates a function that compares two list-map
+// elements by their list-map key fields.
+func (lm *listMetadata) makeListMapMatchFunc(t *types.Type) FunctionLiteral {
+	if lm.semantic != semanticMap {
+		panic("makeListMapMatchFunc called on a non-map list")
+	}
+	// If no keys are defined, we will throw a good error later.
+
+	matchFn := FunctionLiteral{
+		Parameters: []ParamResult{{"a", t}, {"b", t}},
+		Results:    []ParamResult{{"", types.Bool}},
+	}
+	buf := strings.Builder{}
+	buf.WriteString("return ")
+
+	for i, memb := range lm.keyMembers {
+		if i > 0 {
+			buf.WriteString(" && ")
+		}
+		fldName := memb.Name
+
+		if memb.Type.Kind == types.Pointer {
+			// Dereference pointers for comparison.
+			// This is tricky because they could be nil.
+			// Two keys are equal if all their fields are equal.
+			// For pointer fields, that means either both are nil,
+			// or neither is nil and the pointed-to values are equal.
+			buf.WriteString(fmt.Sprintf("((a.%s == nil && b.%s == nil) || (a.%s != nil && b.%s != nil && *a.%s == *b.%s))", fldName, fldName, fldName, fldName, fldName, fldName))
+		} else {
+			buf.WriteString(fmt.Sprintf("a.%s == b.%s", fldName, fldName))
+		}
+	}
+	matchFn.Body = buf.String()
+	return matchFn
+}
+
+type listTypeTagValidator struct {
+	byPath map[string]*listMetadata
+}
+
+func (listTypeTagValidator) Init(Config) {}
+
+func (listTypeTagValidator) TagName() string {
+	return listTypeTagName
+}
+
+func (listTypeTagValidator) ValidScopes() sets.Set[Scope] {
+	return listTagsValidScopes
+}
+
+func (lttv listTypeTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
+	t := util.NativeType(context.Type)
+	if t.Kind != types.Slice && t.Kind != types.Array {
+		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
+	}
+
+	lm := lttv.byPath[context.Path.String()]
+	if lm == nil {
+		lm = &listMetadata{}
+		lttv.byPath[context.Path.String()] = lm
+	}
+	if lm.ownership != "" {
+		return Validations{}, fmt.Errorf("listType cannot be specified more than once")
+	}
+
+	switch tag.Value {
+	case "atomic":
+		lm.ownership = ownershipSingle
+		// Do not overwrite a more specific semantic from uniqueTagValidator
+		if lm.semantic == "" {
+			lm.semantic = semanticAtomic
+		}
+	case "set":
+		lm.ownership = ownershipShared
+		// If uniqueTagValidator has run for `unique=set` or `unique=map`,
+		// lm.semantic will be non-empty and non-atomic.
+		if lm.semantic != "" && lm.semantic != semanticAtomic {
+			return Validations{}, fmt.Errorf("unique tag is redundant for listType=%q", tag.Value)
+		}
+		lm.semantic = semanticSet
+	case "map":
+		lm.ownership = ownershipShared
+		// If uniqueTagValidator has run for `unique=set` or `unique=map`,
+		// lm.semantic will be non-empty and non-atomic.
+		if lm.semantic != "" && lm.semantic != semanticAtomic {
+			return Validations{}, fmt.Errorf("unique tag is redundant for listType=%q", tag.Value)
+		}
+		if util.NativeType(t.Elem).Kind != types.Struct {
+			return Validations{}, fmt.Errorf("only lists of structs can be list-maps")
+		}
+		lm.semantic = semanticMap
+	default:
+		return Validations{}, fmt.Errorf("unknown list type %q", tag.Value)
+	}
+
+	// This tag doesn't generate any validations.  It just accumulates
+	// information for other tags to use.
+	return Validations{}, nil
+}
+
+func (lttv listTypeTagValidator) Docs() TagDoc {
+	doc := TagDoc{
+		Tag:            lttv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         lttv.ValidScopes().UnsortedList(),
+		Description:    "Declares a list field's semantic type and ownership behavior. atomic: single ownership, set: shared ownership with uniqueness, map: shared ownership with key-based uniqueness.",
+		Payloads: []TagPayloadDoc{{
+			Description: "<type>",
+			Docs:        "atomic | map | set",
+		}},
+		PayloadsType:     codetags.ValueTypeString,
+		PayloadsRequired: true,
+	}
+	return doc
+}
+
+type listMapKeyTagValidator struct {
+	byPath map[string]*listMetadata
+}
+
+func (listMapKeyTagValidator) Init(Config) {}
+
+func (listMapKeyTagValidator) TagName() string {
+	return ListMapKeyTagName
+}
+
+func (listMapKeyTagValidator) ValidScopes() sets.Set[Scope] {
+	return listTagsValidScopes
+}
+
+func (lmktv listMapKeyTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
+	t := util.NativeType(context.Type)
+	if t.Kind != types.Slice && t.Kind != types.Array {
+		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
+	}
+	// NOTE: lists of pointers are not supported, so we should never see a pointer here.
+	if util.NativeType(t.Elem).Kind != types.Struct {
+		return Validations{}, fmt.Errorf("only lists of structs can be list-maps")
+	}
+
+	var memb *types.Member
+	if m := util.GetMemberByJSON(util.NativeType(t.Elem), tag.Value); m == nil {
+		return Validations{}, fmt.Errorf("no field for JSON name %q", tag.Value)
+	} else {
+		keyType := m.Type
+		if keyType.Kind == types.Pointer {
+			keyType = keyType.Elem
+		}
+		if util.NativeType(keyType).Kind != types.Builtin {
+			return Validations{}, fmt.Errorf("only primitive types and pointers to primitive types can be list-map keys, not %s", m.Type.String())
+		}
+		memb = m
+	}
+
+	lm := lmktv.byPath[context.Path.String()]
+	if lm == nil {
+		lm = &listMetadata{}
+		lmktv.byPath[context.Path.String()] = lm
+	}
+	lm.keyMembers = append(lm.keyMembers, memb)
+	lm.keyNames = append(lm.keyNames, tag.Value)
+
+	// This tag doesn't generate any validations.  It just accumulates
+	// information for other tags to use.
+	return Validations{}, nil
+}
+
+func (lmktv listMapKeyTagValidator) Docs() TagDoc {
+	doc := TagDoc{
+		Tag:            lmktv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         lmktv.ValidScopes().UnsortedList(),
+		Description:    "Declares a named sub-field of a list's value-type to be part of the list-map key.",
+		Payloads: []TagPayloadDoc{{
+			Description: "<field-json-name>",
+			Docs:        "The name of the field.",
+		}},
+		PayloadsType:     codetags.ValueTypeString,
+		PayloadsRequired: true,
+	}
+	return doc
+}
+
+type uniqueTagValidator struct {
+	byPath map[string]*listMetadata
+}
+
+func (uniqueTagValidator) Init(Config) {}
+
+func (uniqueTagValidator) TagName() string {
+	return uniqueTagName
+}
+
+func (uniqueTagValidator) ValidScopes() sets.Set[Scope] {
+	return listTagsValidScopes
+}
+
+func (utv uniqueTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
+	t := util.NativeType(context.Type)
+	if t.Kind != types.Slice && t.Kind != types.Array {
+		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
+	}
+
+	lm := utv.byPath[context.Path.String()]
+	if lm == nil {
+		lm = &listMetadata{}
+		utv.byPath[context.Path.String()] = lm
+	}
+
+	// If listType has already run and set a non-atomic ownership, this is an error.
+	if lm.ownership != "" && lm.ownership != ownershipSingle {
+		return Validations{}, fmt.Errorf("unique tag may not be used with listType=set or listType=map")
+	}
+
+	if lm.semantic != "" && lm.semantic != semanticAtomic {
+		return Validations{}, fmt.Errorf("unique tag cannot be specified more than once")
+	}
+
+	switch tag.Value {
+	case "set":
+		lm.semantic = semanticSet
+	case "map":
+		if util.NativeType(t.Elem).Kind != types.Struct {
+			return Validations{}, fmt.Errorf("only lists of structs can be list-maps")
+		}
+		lm.semantic = semanticMap
+	default:
+		return Validations{}, fmt.Errorf("unknown unique type %q", tag.Value)
+	}
+
+	// This tag doesn't generate any validations.  It just accumulates
+	// information for other tags to use.
+	return Validations{}, nil
+}
+
+func (utv uniqueTagValidator) Docs() TagDoc {
+	doc := TagDoc{
+		Tag:            utv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         utv.ValidScopes().UnsortedList(),
+		Description:    "Declares that a list field's elements are unique. This tag can be used with listType=atomic to add uniqueness constraints, or independently to specify uniqueness semantics.",
+		Payloads: []TagPayloadDoc{{
+			Description: "<type>",
+			Docs:        "map | set",
+		}},
+		PayloadsType:     codetags.ValueTypeString,
+		PayloadsRequired: true,
+	}
+	return doc
+}
+
+type customUniqueTagValidator struct {
+	byPath map[string]*listMetadata
+}
+
+func (customUniqueTagValidator) Init(Config) {}
+
+func (customUniqueTagValidator) TagName() string {
+	return customUniqueTagName
+}
+
+func (customUniqueTagValidator) ValidScopes() sets.Set[Scope] {
+	return listTagsValidScopes
+}
+
+func (cutv customUniqueTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// NOTE: pointers to lists are not supported, so we should never see a pointer here.
+	t := util.NativeType(context.Type)
+	if t.Kind != types.Slice && t.Kind != types.Array {
+		return Validations{}, fmt.Errorf("can only be used on list types (%s)", t.Kind)
+	}
+
+	lm := cutv.byPath[context.Path.String()]
+	if lm == nil {
+		lm = &listMetadata{}
+		cutv.byPath[context.Path.String()] = lm
+	}
+
+	lm.customUnique = true
+
+	// This tag doesn't generate any validations.  It just accumulates
+	// information for other tags to use.
+	return Validations{}, nil
+}
+
+func (cutv customUniqueTagValidator) Docs() TagDoc {
+	doc := TagDoc{
+		Tag:            cutv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         cutv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that uniqueness validation for this list is implemented via custom, handwritten validation. This disables generation of uniqueness validation for this list.",
+		Payloads:       nil,
+	}
+	return doc
+}
+
+type listValidator struct {
+	byPath map[string]*listMetadata
+}
+
+func (listValidator) Init(_ Config) {}
+
+func (listValidator) Name() string {
+	return "listValidator"
+}
+
+var (
+	validateUnique            = types.Name{Package: libValidationPkg, Name: "Unique"}
+	validateSemanticDeepEqual = types.Name{Package: libValidationPkg, Name: "SemanticDeepEqual"}
+	validateDirectEqual       = types.Name{Package: libValidationPkg, Name: "DirectEqual"}
+)
+
+func (lv listValidator) GetValidations(context Context) (Validations, error) {
+	nt := util.NativeType(context.Type)
+	if nt.Kind != types.Slice && nt.Kind != types.Array {
+		return Validations{}, nil
+	}
+
+	// Look up the list metadata which is defined on this field or type.
+	lm := lv.byPath[context.Path.String()]
+
+	// NOTE: We don't really support list-of-list or map-of-list, so this does
+	// not consider the case of ScopeListVal or ScopeMapVal. If we want to
+	// support those, we need to look at this and make sure the paths work the
+	// way we need.
+	if context.Scope == ScopeField {
+		// If this is a field, look up the list metadata for the type.
+		// TypeValidators happen before FieldValidators, so this is safe.
+		tm := lv.byPath[context.Type.String()]
+		if lm != nil && tm != nil {
+			return Validations{}, fmt.Errorf("found list metadata for both a field and its type: %s", context.Path)
+		}
+		// TODO(thockin): enable this once the whole codebase is converted or
+		// if we only run against fields which are opted-in.
+		// if lm == nil && tm == nil {
+		// 	 return Validations{}, fmt.Errorf("found a list field without list metadata")
+		// }
+	}
+
+	if lm == nil {
+		// If we don't have metadata for this field, we might have it for the
+		// field's type.
+		return Validations{}, nil
+	}
+
+	// Do this after the above - if we only get one error, the one(s) above
+	// this are more important.
+	if err := lv.check(lm); err != nil {
+		return Validations{}, err
+	}
+	result := Validations{}
+	if lm.customUnique {
+		// Uniqueness validation is disabled in generated validation for this list.
+		// It would defer to handwritten validation to check the uniqueness.
+		result.AddComment("Uniqueness validation is implemented via custom, handwritten validation")
+		return result, nil
+	}
+
+	// Generate uniqueness checks for lists with higher-order semantics.
+	if lm.semantic == semanticSet {
+		// Only compare primitive values when possible. Slices and maps are not
+		// comparable, and structs might hold pointer fields, which are directly
+		// comparable but not what we need.
+		//
+		// NOTE: lists of pointers are not supported, so we should never see a pointer here.
+		matchArg := validateSemanticDeepEqual
+		if util.IsDirectComparable(util.NonPointer(util.NativeType(nt.Elem))) {
+			matchArg = validateDirectEqual
+		}
+		comment := "lists with set semantics require unique values"
+		f := Function("listValidator", DefaultFlags, validateUnique, Identifier(matchArg)).
+			WithComment(comment)
+		result.AddFunction(f)
+	}
+	if lm.semantic == semanticMap {
+		// TODO: There are some fields which are declared as maps which do not
+		// enforce uniqueness in manual validation. Those either need to not be
+		// maps or we need to allow types to opt-out from this validation.  SSA
+		// is also not able to handle these well.
+		matchArg := lm.makeListMapMatchFunc(nt.Elem)
+		comment := "lists with map semantics require unique keys"
+
+		f := Function("listValidator", DefaultFlags, validateUnique, matchArg).
+			WithComment(comment)
+		result.AddFunction(f)
+	}
+
+	return result, nil
+}
+
+// make sure a given listMetadata makes sense.
+func (lv listValidator) check(lm *listMetadata) error {
+	// Check some fundamental constraints on list tags.
+
+	// If we have listMapKey but no map semantics, that's an error
+	if len(lm.keyMembers) > 0 && lm.semantic != semanticMap {
+		return fmt.Errorf("found listMapKey without listType=map or unique=map")
+	}
+
+	// If we have map semantics but no keys, that's an error
+	if lm.semantic == semanticMap && len(lm.keyMembers) == 0 {
+		return fmt.Errorf("found listType=map or unique=map without listMapKey")
+	}
+
+	// listType is mandatory.
+	if lm.ownership == "" {
+		return fmt.Errorf("listType must be specified - use listType=atomic, listType=set, or listType=map")
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/opaque.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/opaque.go
index 441ab87c027b3..2b4124be68c88 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/opaque.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/opaque.go
@@ -38,7 +38,7 @@ func (opaqueTypeTagValidator) TagName() string {
 }
 
 func (opaqueTypeTagValidator) ValidScopes() sets.Set[Scope] {
-	return sets.New(ScopeAny)
+	return sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 }
 
 func (opaqueTypeTagValidator) GetValidations(_ Context, _ codetags.Tag) (Validations, error) {
@@ -47,8 +47,9 @@ func (opaqueTypeTagValidator) GetValidations(_ Context, _ codetags.Tag) (Validat
 
 func (opaqueTypeTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:    opaqueTypeTagName,
-		Scopes: []Scope{ScopeField},
+		Tag:            opaqueTypeTagName,
+		StabilityLevel: Alpha,
+		Scopes:         []Scope{ScopeField},
 		Description: "Indicates that any validations declared on the referenced type will be ignored. " +
 			"If a referenced type's package is not included in the generator's current " +
 			"flags, this tag must be set, or code generation will fail (preventing silent " +
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/options.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/options.go
new file mode 100644
index 0000000000000..71037240764b5
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/options.go
@@ -0,0 +1,109 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validators
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/gengo/v2/codetags"
+	"k8s.io/gengo/v2/types"
+)
+
+const (
+	ifEnabledTag  = "k8s:ifEnabled"
+	ifDisabledTag = "k8s:ifDisabled"
+)
+
+func init() {
+	RegisterTagValidator(&ifTagValidator{true, nil})
+	RegisterTagValidator(&ifTagValidator{false, nil})
+}
+
+type ifTagValidator struct {
+	enabled   bool
+	validator Validator
+}
+
+func (itv *ifTagValidator) Init(cfg Config) {
+	itv.validator = cfg.Validator
+}
+
+func (itv ifTagValidator) TagName() string {
+	if itv.enabled {
+		return ifEnabledTag
+	}
+	return ifDisabledTag
+}
+
+var ifEnabledDisabledTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal, ScopeConst)
+
+func (ifTagValidator) ValidScopes() sets.Set[Scope] {
+	return ifEnabledDisabledTagValidScopes
+}
+
+var (
+	ifOption = types.Name{Package: libValidationPkg, Name: "IfOption"}
+)
+
+func (itv ifTagValidator) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	optionArg, ok := tag.PositionalArg()
+	if !ok {
+		return Validations{}, fmt.Errorf("missing required option name positional argument")
+	}
+	result := Validations{}
+	if validations, err := itv.validator.ExtractValidations(context, *tag.ValueTag); err != nil {
+		return Validations{}, err
+	} else {
+		for _, fn := range validations.Functions {
+			f := Function(itv.TagName(), fn.Flags, ifOption, optionArg.Value, itv.enabled, WrapperFunction{Function: fn, ObjType: context.Type})
+			result.Variables = append(result.Variables, validations.Variables...)
+			result.AddFunction(f)
+		}
+		return result, nil
+	}
+}
+
+func (itv ifTagValidator) Docs() TagDoc {
+	doc := TagDoc{
+		Tag:            itv.TagName(),
+		StabilityLevel: Alpha,
+		Args: []TagArgDoc{{
+			Description: "<option>",
+			Type:        codetags.ArgTypeString,
+			Required:    true,
+		}},
+		Scopes: itv.ValidScopes().UnsortedList(),
+	}
+
+	doc.PayloadsType = codetags.ValueTypeTag
+	doc.PayloadsRequired = true
+	if itv.enabled {
+		doc.Description = "Declares a validation that only applies when an option is enabled."
+		doc.Payloads = []TagPayloadDoc{{
+			Description: "<validation-tag>",
+			Docs:        "This validation tag will be evaluated only if the validation option is enabled.",
+		}}
+	} else {
+		doc.Description = "Declares a validation that only applies when an option is disabled."
+		doc.Payloads = []TagPayloadDoc{{
+			Description: "<validation-tag>",
+			Docs:        "This validation tag will be evaluated only if the validation option is disabled.",
+		}}
+	}
+	return doc
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/registry.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/registry.go
index 779ad82eb4f38..fa37bab8b8aba 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/registry.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/registry.go
@@ -58,6 +58,14 @@ func (reg *registry) addTagValidator(tv TagValidator) {
 	if _, exists := globalRegistry.tagValidators[name]; exists {
 		panic(fmt.Sprintf("tag %q was registered twice", name))
 	}
+	switch level := tv.Docs().StabilityLevel; level {
+	case Alpha, Beta, Stable:
+		// valid
+	case "":
+		panic(fmt.Sprintf("tag %q is missing stability level", name))
+	default:
+		panic(fmt.Sprintf("tag %q has invalid stability level %q", name, level))
+	}
 	globalRegistry.tagValidators[name] = tv
 }
 
@@ -152,7 +160,8 @@ func (reg *registry) ExtractValidations(context Context, tags ...codetags.Tag) (
 	for _, tags := range phases {
 		for _, tag := range tags {
 			tv := reg.tagValidators[tag.Name]
-			if scopes := tv.ValidScopes(); !scopes.Has(context.Scope) && !scopes.Has(ScopeAny) {
+			// At this point we know tv exists and is not nil due to the upfront check
+			if scopes := tv.ValidScopes(); !scopes.Has(context.Scope) {
 				return Validations{}, fmt.Errorf("tag %q cannot be specified on %s", tv.TagName(), context.Scope)
 			}
 			if err := typeCheck(tag, tv.Docs()); err != nil {
@@ -195,28 +204,24 @@ func (reg *registry) ExtractValidations(context Context, tags ...codetags.Tag) (
 
 func (reg *registry) sortTagsIntoPhases(tags []codetags.Tag) [][]codetags.Tag {
 	// First sort all tags by their name, so the final output is deterministic.
+	// It is important to do this before validations are generated.
 	//
-	// It makes more sense to sort here, rather than when emitting because:
-	//
-	// Consider a type or field with the following comments:
+	// Some tags are "meta" tags which wrap other tags. For example:
 	//
-	//    // +k8s:validateFalse="111"
-	//    // +k8s:validateFalse="222"
-	//    // +k8s:ifOptionEnabled(Foo)=+k8s:validateFalse="333"
+	//   // +k8s:validateFalse="111"
+	//   // +k8s:validateFalse="222"
+	//   // +k8s:ifEnabled(Foo)=+k8s:validateFalse="333"
 	//
-	// Tag extraction will retain the relative order between 111 and 222, but
-	// 333 is extracted as tag "k8s:ifOptionEnabled".  Those are all in a map,
-	// which we iterate (in a random order).  When it reaches the emit stage,
-	// the "ifOptionEnabled" part is gone, and we will have 3 FunctionGen
-	// objects, all with tag "k8s:validateFalse", in a non-deterministic order
-	// because of the map iteration.  If we sort them at that point, we won't
-	// have enough information to do something smart, unless we look at the
-	// args, which are opaque to us.
+	// Tag extraction will group these by tag name. The first two are
+	// instances of "k8s:validateFalse", while the third is an instance of
+	// "k8s:ifEnabled".
 	//
-	// Sorting it earlier means we can sort "k8s:ifOptionEnabled" against
-	// "k8s:validateFalse".  All of the records within each of those is
-	// relatively ordered, so the result here would be to put "ifOptionEnabled"
-	// before "validateFalse" (lexicographical is better than random).
+	// Without sorting, the order in which tag validators are called is not defined
+	// (map iteration). This can lead to non-deterministic order of the generated
+	// validations. By sorting the tags by name first, we ensure that "k8s:ifEnabled"
+	// is processed before or after "k8s:validateFalse" consistently, allowing the
+	// "k8s:validateFalse" tags to remain grouped together. The tags for each name
+	// are processed in order of appearance, so relative ordering is preserved.
 	sortedTags := make([]codetags.Tag, len(tags))
 	copy(sortedTags, tags)
 	slices.SortFunc(sortedTags, func(a, b codetags.Tag) int {
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/required.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/required.go
index 9a1b1583d677b..a6546c46b17db 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/required.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/required.go
@@ -309,10 +309,13 @@ func (rtv requirednessTagValidator) Docs() TagDoc {
 
 	switch rtv.mode {
 	case requirednessRequired:
+		doc.StabilityLevel = Beta
 		doc.Description = "Indicates that a field must be specified by clients."
 	case requirednessOptional:
+		doc.StabilityLevel = Beta
 		doc.Description = "Indicates that a field is optional to clients."
 	case requirednessForbidden:
+		doc.StabilityLevel = Alpha
 		doc.Description = "Indicates that a field may not be specified."
 	default:
 		panic(fmt.Sprintf("unknown requiredness mode: %q", rtv.mode))
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/subfield.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/subfield.go
index b857d3a1420e6..cfee23617094d 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/subfield.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/subfield.go
@@ -45,7 +45,7 @@ func (subfieldTagValidator) TagName() string {
 	return subfieldTagName
 }
 
-var subfieldTagValidScopes = sets.New(ScopeAny)
+var subfieldTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 
 func (subfieldTagValidator) ValidScopes() sets.Set[Scope] {
 	return subfieldTagValidScopes
@@ -59,12 +59,13 @@ func (stv subfieldTagValidator) GetValidations(context Context, tag codetags.Tag
 	args := tag.Args
 	// This tag can apply to value and pointer fields, as well as typedefs
 	// (which should never be pointers). We need to check the concrete type.
-	t := util.NonPointer(util.NativeType(context.Type))
-	if t.Kind != types.Struct {
-		return Validations{}, fmt.Errorf("can only be used on struct types")
+	t := context.Type
+	nt := util.NonPointer(util.NativeType(t))
+	if nt.Kind != types.Struct {
+		return Validations{}, fmt.Errorf("can only be used on struct types: %v", nt.Kind)
 	}
 	subname := args[0].Value
-	submemb := util.GetMemberByJSON(t, subname)
+	submemb := util.GetMemberByJSON(nt, subname)
 	if submemb == nil {
 		return Validations{}, fmt.Errorf("no field for json name %q", subname)
 	}
@@ -72,9 +73,9 @@ func (stv subfieldTagValidator) GetValidations(context Context, tag codetags.Tag
 	subContext := Context{
 		Scope:      ScopeField,
 		Type:       submemb.Type,
-		ParentPath: context.Path,
-		Member:     submemb,
 		Path:       context.Path.Child(subname),
+		Member:     submemb,
+		ParentPath: context.Path,
 	}
 	if validations, err := stv.validator.ExtractValidations(subContext, *tag.ValueTag); err != nil {
 		return Validations{}, err
@@ -83,26 +84,48 @@ func (stv subfieldTagValidator) GetValidations(context Context, tag codetags.Tag
 			return Validations{}, fmt.Errorf("variable generation is not supported")
 		}
 
+		result.Variables = append(result.Variables, validations.Variables...)
+
+		nilableStructType := context.Type
+		if !util.IsNilableType(nilableStructType) {
+			nilableStructType = types.PointerTo(nilableStructType)
+		}
+
+		nilableFieldType := submemb.Type
+		fieldExprPrefix := ""
+		if !util.IsNilableType(nilableFieldType) {
+			nilableFieldType = types.PointerTo(nilableFieldType)
+			fieldExprPrefix = "&"
+		}
+
+		// getFn is the function that retrieves the subfield value from the
+		// struct.
+		getFn := FunctionLiteral{
+			Parameters: []ParamResult{{"o", nilableStructType}},
+			Results:    []ParamResult{{"", nilableFieldType}},
+		}
+		getFn.Body = fmt.Sprintf("return %so.%s", fieldExprPrefix, submemb.Name)
+
+		// equivArg is the function that is used to compare the correlated
+		// elements in the old and new lists, for ratcheting.
+		var equivArg any
+
+		// directComparable is used to determine whether we can use the direct
+		// comparison operator "==" or need to use the semantic DeepEqual when
+		// looking up and comparing correlated list elements for validation ratcheting.
+		directComparable := util.IsDirectComparable(util.NonPointer(util.NativeType(submemb.Type)))
+		if directComparable {
+			// It must be a pointer, since other nilable types are not directly
+			// comparable.
+			equivArg = Identifier(validateDirectEqualPtr)
+		} else {
+			equivArg = Identifier(validateSemanticDeepEqual)
+		}
+
 		for _, vfn := range validations.Functions {
-			nilableStructType := context.Type
-			if !util.IsNilableType(nilableStructType) {
-				nilableStructType = types.PointerTo(nilableStructType)
-			}
-			nilableFieldType := submemb.Type
-			fieldExprPrefix := ""
-			if !util.IsNilableType(nilableFieldType) {
-				nilableFieldType = types.PointerTo(nilableFieldType)
-				fieldExprPrefix = "&"
-			}
-
-			getFn := FunctionLiteral{
-				Parameters: []ParamResult{{"o", nilableStructType}},
-				Results:    []ParamResult{{"", nilableFieldType}},
-			}
-			getFn.Body = fmt.Sprintf("return %so.%s", fieldExprPrefix, submemb.Name)
-			f := Function(subfieldTagName, vfn.Flags, validateSubfield, subname, getFn, WrapperFunction{vfn, submemb.Type})
-			result.Functions = append(result.Functions, f)
-			result.Variables = append(result.Variables, validations.Variables...)
+			f := Function(subfieldTagName, vfn.Flags, validateSubfield, subname, getFn, equivArg, WrapperFunction{vfn, submemb.Type})
+			f.Cohort = subname
+			result.AddFunction(f)
 		}
 	}
 	return result, nil
@@ -110,9 +133,10 @@ func (stv subfieldTagValidator) GetValidations(context Context, tag codetags.Tag
 
 func (stv subfieldTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:         stv.TagName(),
-		Scopes:      stv.ValidScopes().UnsortedList(),
-		Description: "Declares a validation for a subfield of a struct.",
+		Tag:            stv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         stv.ValidScopes().UnsortedList(),
+		Description:    "Declares a validation for a subfield of a struct.",
 		Args: []TagArgDoc{{
 			Description: "<field-json-name>",
 			Type:        codetags.ArgTypeString,
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/testing.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/testing.go
index adc873ef38bf5..8471c34630db4 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/testing.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/testing.go
@@ -56,7 +56,7 @@ func (frtv fixedResultTagValidator) TagName() string {
 	return validateFalseTagName
 }
 
-var fixedResultTagValidScopes = sets.New(ScopeAny)
+var fixedResultTagValidScopes = sets.New(ScopeType, ScopeField, ScopeListVal, ScopeMapKey, ScopeMapVal)
 
 func (fixedResultTagValidator) ValidScopes() sets.Set[Scope] {
 	return fixedResultTagValidScopes
@@ -73,7 +73,9 @@ func (frtv fixedResultTagValidator) GetValidations(context Context, tag codetags
 	if err != nil {
 		return result, fmt.Errorf("can't decode tag payload: %w", err)
 	}
-	result.AddFunction(Function(frtv.TagName(), args.flags, fixedResultValidator, frtv.result, args.msg).WithTypeArgs(args.typeArgs...))
+	fn := Function(frtv.TagName(), args.flags, fixedResultValidator, frtv.result, args.msg).WithTypeArgs(args.typeArgs...)
+	fn.Cohort = args.cohort
+	result.AddFunction(fn)
 
 	return result, nil
 }
@@ -86,6 +88,7 @@ type fixedResultArgs struct {
 	flags    FunctionFlags
 	msg      string
 	typeArgs []types.Name
+	cohort   string
 }
 
 func (fixedResultTagValidator) toFixedResultArgs(in codetags.Tag) (fixedResultArgs, error) {
@@ -111,6 +114,8 @@ func (fixedResultTagValidator) toFixedResultArgs(in codetags.Tag) (fixedResultAr
 				}
 				result.typeArgs = []types.Name{{Package: "", Name: tn}}
 			}
+		case "cohort":
+			result.cohort = a.Value
 		}
 	}
 	if in.ValueType == codetags.ValueTypeString {
@@ -121,8 +126,9 @@ func (fixedResultTagValidator) toFixedResultArgs(in codetags.Tag) (fixedResultAr
 
 func (frtv fixedResultTagValidator) Docs() TagDoc {
 	doc := TagDoc{
-		Tag:    frtv.TagName(),
-		Scopes: frtv.ValidScopes().UnsortedList(),
+		Tag:            frtv.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         frtv.ValidScopes().UnsortedList(),
 	}
 	doc.PayloadsType = codetags.ValueTypeString
 	if frtv.error {
@@ -149,6 +155,11 @@ func (frtv fixedResultTagValidator) Docs() TagDoc {
 			Description: "<string>",
 			Docs:        "The type arg in generated code (must be the value-type, not pointer).",
 			Type:        codetags.ArgTypeString,
+		}, {
+			Name:        "cohort",
+			Description: "<string>",
+			Docs:        "An optional cohort name to group multiple validations.",
+			Type:        codetags.ArgTypeString,
 		}}
 		if frtv.result {
 			doc.Description = "Always passes validation (useful for testing)."
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/union.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/union.go
index 8eb94a05544b1..49e7aa5d60af5 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/union.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/union.go
@@ -17,13 +17,13 @@ limitations under the License.
 package validators
 
 import (
-	"encoding/json"
 	"fmt"
 	"regexp"
 	"slices"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/code-generator/cmd/validation-gen/util"
 	"k8s.io/gengo/v2/codetags"
 	"k8s.io/gengo/v2/parser/tags"
@@ -33,7 +33,9 @@ import (
 var discriminatedUnionValidator = types.Name{Package: libValidationPkg, Name: "DiscriminatedUnion"}
 var unionValidator = types.Name{Package: libValidationPkg, Name: "Union"}
 
+var newDiscriminatedUnionMember = types.Name{Package: libValidationPkg, Name: "NewDiscriminatedUnionMember"}
 var newDiscriminatedUnionMembership = types.Name{Package: libValidationPkg, Name: "NewDiscriminatedUnionMembership"}
+var newUnionMember = types.Name{Package: libValidationPkg, Name: "NewUnionMember"}
 var newUnionMembership = types.Name{Package: libValidationPkg, Name: "NewUnionMembership"}
 var unionVariablePrefix = "unionMembershipFor"
 
@@ -80,14 +82,6 @@ func (utfv unionTypeOrFieldValidator) GetValidations(context Context) (Validatio
 		unionMemberTagName, unionValidator, discriminatedUnionValidator)
 }
 
-func toSliceAny[T any](t []T) []any {
-	result := make([]any, len(t))
-	for i, v := range t {
-		result[i] = v
-	}
-	return result
-}
-
 const (
 	unionDiscriminatorTagName = "k8s:unionDiscriminator"
 	unionMemberTagName        = "k8s:unionMember"
@@ -122,9 +116,10 @@ func (udtv unionDiscriminatorTagValidator) GetValidations(context Context, tag c
 
 func (udtv unionDiscriminatorTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         udtv.TagName(),
-		Scopes:      udtv.ValidScopes().UnsortedList(),
-		Description: "Indicates that this field is the discriminator for a union.",
+		Tag:            udtv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         udtv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that this field is the discriminator for a union.",
 		Args: []TagArgDoc{{
 			Name:        "union",
 			Description: "<string>",
@@ -160,9 +155,10 @@ func (umtv unionMemberTagValidator) GetValidations(context Context, tag codetags
 
 func (umtv unionMemberTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         umtv.TagName(),
-		Scopes:      umtv.ValidScopes().UnsortedList(),
-		Description: "Indicates that this field is a member of a union.",
+		Tag:            umtv.TagName(),
+		StabilityLevel: Beta,
+		Scopes:         umtv.ValidScopes().UnsortedList(),
+		Description:    "Indicates that this field is a member of a union.",
 		Args: []TagArgDoc{{
 			Name:        "union",
 			Description: "<string>",
@@ -178,28 +174,36 @@ func (umtv unionMemberTagValidator) Docs() TagDoc {
 	}
 }
 
-// union defines how a union validation will be generated, based
-// on +k8s:unionMember and +k8s:unionDiscriminator tags found in a go struct.
+// union defines how a union validation will be generated. Unions can be
+// composed of either a set of struct fields (with an optional disctriminator),
+// or a set of list items (stored as selection criteria).
 type union struct {
-	// fields provides field information about all the members of the union.
-	// Each item provides a fieldName and memberName pair, where [0] identifies
-	// the field name and [1] identifies the union member Name. fields is index
-	// aligned with fieldMembers.
-	// If member name is not set, it defaults to the go struct field name.
-	fields [][2]string
-	// fieldMembers describes all the members of the union.
+	// members provides field information about all the members of the union.
+	// Each item provides a fieldName and discriminatorValue pair, where the
+	// name identifies the field or selector (for use in errors) and the
+	// discriminatorValue indicates the value which should be used in a
+	// discriminated union to name this member.
+	members []unionMember
+
+	// fieldMembers describes all the members of a struct-field union.  This is
+	// mutually exclusive with itemMembers.
 	fieldMembers []*types.Member
 
-	// discriminator is the name of the discriminator field
+	// discriminator is the name of the discriminator field.
 	discriminator *string
 	// discriminatorMember describes the discriminator field.
 	discriminatorMember *types.Member
 
-	// itemMatchers stores matcher criteria for list item unions.
-	// key is the virtual field path (eg: "<path>/Pipeline.Tasks[{"name": "succeeded"}]"),
-	// value is the parsed matcher map (eg: {"name": "succeeded"}).
-	// Represents union members that are list items matching specific criteria
-	itemMatchers map[string]map[string]any
+	// itemMembers stores selection criteria for all the members of a list-item
+	// union. This is mutually exclusive with fieldMembers. The map key is the
+	// "field name" (eg: `field[{"name": "succeeded"}]`), and the value is a
+	// list of selection criteria.
+	itemMembers map[string][]ListSelectorTerm
+}
+
+type unionMember struct {
+	fieldName          string
+	discriminatorValue string
 }
 
 // unions represents all the unions for a go struct.
@@ -208,9 +212,8 @@ type unions map[string]*union
 // newUnion initializes a new union instance
 func newUnion() *union {
 	return &union{
-		fields:       make([][2]string, 0),
-		fieldMembers: make([]*types.Member, 0),
-		itemMatchers: make(map[string]map[string]any),
+		// slice fields can be nil
+		itemMembers: make(map[string][]ListSelectorTerm),
 	}
 }
 
@@ -238,13 +241,13 @@ func processUnionValidations(context Context, unions unions, varPrefix string,
 	slices.Sort(keys)
 	for _, unionName := range keys {
 		u := unions[unionName]
-		if len(u.fieldMembers) > 0 || u.discriminator != nil || len(u.itemMatchers) > 0 {
-			if len(u.fieldMembers) > 0 && len(u.itemMatchers) > 0 {
-				return Validations{}, fmt.Errorf("cannot have both field members and item matchers")
+		if len(u.fieldMembers) > 0 || u.discriminator != nil || len(u.itemMembers) > 0 {
+			if len(u.fieldMembers) > 0 && len(u.itemMembers) > 0 {
+				return Validations{}, fmt.Errorf("cannot have both field members and item members")
 			}
 			nativeType := util.NonPointer(util.NativeType(context.Type))
-			if nativeType.Kind == types.Struct && len(u.itemMatchers) > 0 {
-				return Validations{}, fmt.Errorf("struct type cannot have item matchers")
+			if nativeType.Kind == types.Struct && len(u.itemMembers) > 0 {
+				return Validations{}, fmt.Errorf("struct type cannot have item members")
 			}
 			if nativeType.Kind == types.Slice && len(u.fieldMembers) > 0 {
 				return Validations{}, fmt.Errorf("slice type cannot have field members")
@@ -266,19 +269,19 @@ func processUnionValidations(context Context, unions unions, varPrefix string,
 			}
 
 			// Handle list item unions for lists
-			if nativeType.Kind == types.Slice && len(u.itemMatchers) > 0 {
+			if nativeType.Kind == types.Slice && len(u.itemMembers) > 0 {
 				elemType := util.NonPointer(nativeType.Elem)
 
-				// Sort matcher paths for stable output
-				matcherPaths := make([]string, 0, len(u.itemMatchers))
-				for path := range u.itemMatchers {
-					matcherPaths = append(matcherPaths, path)
+				// Sort keys for stable output
+				keys := make([]string, 0, len(u.itemMembers))
+				for key := range u.itemMembers {
+					keys = append(keys, key)
 				}
-				slices.Sort(matcherPaths)
+				slices.Sort(keys)
 
-				for _, fullPath := range matcherPaths {
-					matcher := u.itemMatchers[fullPath]
-					extractor, err := createItemExtractor(context.Type, elemType, matcher)
+				for _, fullPath := range keys {
+					selector := u.itemMembers[fullPath]
+					extractor, err := createItemExtractor(context.Type, elemType, selector)
 					if err != nil {
 						return Validations{}, err
 					}
@@ -289,7 +292,7 @@ func processUnionValidations(context Context, unions unions, varPrefix string,
 			if u.discriminator != nil {
 				supportVar := Variable(supportVarName,
 					Function(tagName, DefaultFlags, newDiscriminatedUnionMembership,
-						append([]any{*u.discriminator}, toSliceAny(getDisplayFields(u, context))...)...))
+						append([]any{*u.discriminator}, getMemberArgs(u, context, true)...)...))
 				result.Variables = append(result.Variables, supportVar)
 
 				discriminatorExtractor := FunctionLiteral{
@@ -302,7 +305,7 @@ func processUnionValidations(context Context, unions unions, varPrefix string,
 				fn := Function(tagName, DefaultFlags, discriminatedValidator, extraArgs...)
 				result.Functions = append(result.Functions, fn)
 			} else {
-				supportVar := Variable(supportVarName, Function(tagName, DefaultFlags, newUnionMembership, toSliceAny(getDisplayFields(u, context))...))
+				supportVar := Variable(supportVarName, Function(tagName, DefaultFlags, newUnionMembership, getMemberArgs(u, context, false)...))
 				result.Variables = append(result.Variables, supportVar)
 
 				extraArgs := append([]any{supportVarName}, extractorArgs...)
@@ -333,14 +336,15 @@ func createMemberExtractor(ptrType *types.Type, member *types.Member) FunctionLi
 	return extractor
 }
 
-// createItemExtractor creates an extractor function for list item union members.
-// It generates code that loops through the list to check if an item matching the criteria exists.
-func createItemExtractor(listType *types.Type, elemType *types.Type, matcher map[string]any) (FunctionLiteral, error) {
+// createItemExtractor creates an extractor function for list item union
+// members. It generates code that loops through the list to check if an item
+// matching the criteria exists.
+func createItemExtractor(listType *types.Type, elemType *types.Type, selector []ListSelectorTerm) (FunctionLiteral, error) {
 	var criteria []keyValuePair
-	for key, value := range matcher {
+	for _, term := range selector {
 		criteria = append(criteria, keyValuePair{
-			key:   key,
-			value: fmt.Sprint(value),
+			key:   term.Field,
+			value: fmt.Sprint(term.Value),
 		})
 	}
 
@@ -357,17 +361,21 @@ func createItemExtractor(listType *types.Type, elemType *types.Type, matcher map
 	extractor := FunctionLiteral{
 		Parameters: []ParamResult{{Name: "list", Type: listType}},
 		Results:    []ParamResult{{Type: types.Bool}},
-		Body: fmt.Sprintf(`for i := range list {
-	if %s {
-		return true
-	}
-}
-return false`, condition),
+		Body: fmt.Sprintf(
+			`for i := range list {
+				if %s {
+					return true
+				}
+			 }
+			 return false`, condition),
 	}
 
 	return extractor, nil
 }
 
+// processDiscriminatorValidations processes union discriminator tags. It is a
+// free function, rather than a method so that it can be called from other
+// union-like tags.
 func processDiscriminatorValidations(shared map[string]unions, context Context, tag codetags.Tag) error {
 	// This tag can apply to value and pointer fields, as well as typedefs
 	// (which should never be pointers). We need to check the concrete type.
@@ -390,88 +398,119 @@ func processDiscriminatorValidations(shared map[string]unions, context Context,
 	return nil
 }
 
+// processMemberValidations processes union member tags for fields and list
+// items.  It is a free function, rather than a method so that it can be called
+// from other union-like tags.
 func processMemberValidations(shared map[string]unions, context Context, tag codetags.Tag) error {
-	var fieldName string
-	var unionArg codetags.Arg
+	switch context.Scope {
+	case ScopeField:
+		return processFieldMemberValidations(shared, context, tag)
+	case ScopeListVal:
+		return processListMemberValidations(shared, context, tag)
+	}
+	return fmt.Errorf("can only be used on fields and list items: %v", context.Scope)
+}
 
-	unionArg, _ = tag.NamedArg("union") // optional
+// processFieldMemberValidations processes union member tags for struct fields.
+// It is a free function, rather than a method so that it can be called from
+// other union-like tags.
+func processFieldMemberValidations(shared map[string]unions, context Context, tag codetags.Tag) error {
+	nt := util.NativeType(context.Member.Type)
+	switch nt.Kind {
+	case types.Pointer, types.Map, types.Slice, types.Builtin:
+		// OK
+	default:
+		// In particular non-pointer structs are not supported.
+		return fmt.Errorf("can only be used on nilable and primitive types (%s)", nt.Kind)
+	}
+	if context.Member == nil {
+		return fmt.Errorf("struct-field union member has no member info in context")
+	}
 
-	if context.Scope == ScopeListVal {
-		if context.Path == nil {
-			return fmt.Errorf("no path for list val union member")
-		}
-		fieldName = context.Path.String() // eg: "<path>/Pipeline.Tasks[{"name": "succeeded"}]"
-	} else {
-		nt := util.NativeType(context.Member.Type)
-		switch nt.Kind {
-		case types.Pointer, types.Map, types.Slice, types.Builtin:
-			// OK
-		default:
-			// In particular non-pointer structs are not supported.
-			return fmt.Errorf("can only be used on nilable and primitive types (%s)", nt.Kind)
-		}
+	jsonTag, ok := tags.LookupJSON(*context.Member)
+	if !ok {
+		return fmt.Errorf("field %q is a union member but has no JSON struct field tag", context.Member)
+	}
+	fieldName := jsonTag.Name
+	if len(fieldName) == 0 {
+		return fmt.Errorf("field %q is a union member but has no JSON name", context.Member)
+	}
 
-		jsonTag, ok := tags.LookupJSON(*context.Member)
-		if !ok {
-			return fmt.Errorf("field %q is a union member but has no JSON struct field tag", context.Member)
-		}
-		fieldName = jsonTag.Name
-		if len(fieldName) == 0 {
-			return fmt.Errorf("field %q is a union member but has no JSON name", context.Member)
-		}
+	if shared[context.ParentPath.String()] == nil {
+		shared[context.ParentPath.String()] = unions{}
+	}
+
+	// See if the tag specified a member name.
+	memberName := context.Member.Name                        // default
+	if memberNameArg, ok := tag.NamedArg("memberName"); ok { // optional
+		memberName = memberNameArg.Value
+	}
+
+	unionArg, _ := tag.NamedArg("union") // optional
+	u := shared[context.ParentPath.String()].getOrCreate(unionArg.Value)
+	u.members = append(u.members, unionMember{fieldName, memberName})
+
+	u.fieldMembers = append(u.fieldMembers, context.Member)
+
+	return nil
+}
+
+// processListMemberValidations processes union member tags for list items.  It
+// is a free function, rather than a method so that it can be called from other
+// union-like tags.
+func processListMemberValidations(shared map[string]unions, context Context, tag codetags.Tag) error {
+	if context.ListSelector == nil {
+		return fmt.Errorf("list-item union member has no list selector in context")
 	}
 
+	// It's not really a "field", but close enough. We don't really NEED the
+	// field name, since it is present in the error message, but it is more
+	// human-friendly. eg: `field[{"name": "succeeded"}]`
+	fieldName := lastPathElement(context.Path)
+
 	if shared[context.ParentPath.String()] == nil {
 		shared[context.ParentPath.String()] = unions{}
 	}
 
-	var memberName string
+	// See if the tag specified a member name.
+	memberName := ""
 	if memberNameArg, ok := tag.NamedArg("memberName"); ok { // optional
 		memberName = memberNameArg.Value
-	} else if context.Scope != ScopeListVal {
-		memberName = context.Member.Name // default
 	}
 
+	unionArg, _ := tag.NamedArg("union") // optional
 	u := shared[context.ParentPath.String()].getOrCreate(unionArg.Value)
-	u.fields = append(u.fields, [2]string{fieldName, memberName})
+	u.members = append(u.members, unionMember{fieldName, memberName})
 
-	if context.Scope == ScopeListVal {
-		matcher, err := extractMatcherFromPath(fieldName)
-		if err != nil {
-			return fmt.Errorf("failed to extract matcher from path %s: %w", fieldName, err)
-		}
-		u.itemMatchers[fieldName] = matcher
-	} else {
-		u.fieldMembers = append(u.fieldMembers, context.Member)
+	if _, found := u.itemMembers[fieldName]; found {
+		return fmt.Errorf("list-item union member %q already exists", fieldName)
 	}
+	u.itemMembers[fieldName] = context.ListSelector
 
 	return nil
 }
 
-// getDisplayFields formats union field names for user-friendly error messages.
-// For list item unions, it converts paths like "<path>/Pipeline.Tasks[{\"name\": \"succeeded\"}]"
-// to readable formats like "Tasks[{\"name\": \"succeeded\"}]".
-func getDisplayFields(u *union, context Context) [][2]string {
-	displayFields := make([][2]string, len(u.fields))
-	listFieldName := context.Path.String()
-	pathParts := strings.Split(listFieldName, ".")
-	if len(pathParts) > 0 {
-		listFieldName = pathParts[len(pathParts)-1]
+func lastPathElement(path *field.Path) string {
+	parts := strings.Split(path.String(), ".")
+	if len(parts) > 0 {
+		return parts[len(parts)-1]
 	}
-	for i, f := range u.fields {
-		fieldName := f[0]
-		memberName := f[1]
-		if _, isItem := u.itemMatchers[fieldName]; isItem {
-			// Extract the JSON part from the input
-			bracketIndex := strings.Index(fieldName, "[")
-			if bracketIndex != -1 {
-				jsonPart := fieldName[bracketIndex:]
-				fieldName = listFieldName + jsonPart
-			}
+	return ""
+}
+
+// getMemberArgs gets a list of arguments which construct union members.
+func getMemberArgs(u *union, context Context, discrim bool) []any {
+	members := make([]any, 0, len(u.members))
+	for _, f := range u.members {
+		fieldName := f.fieldName
+		memberName := f.discriminatorValue
+		if discrim {
+			members = append(members, Function("unused", 0, newDiscriminatedUnionMember, fieldName, memberName))
+		} else {
+			members = append(members, Function("unused", 0, newUnionMember, fieldName))
 		}
-		displayFields[i] = [2]string{fieldName, memberName}
 	}
-	return displayFields
+	return members
 }
 
 // sanitizeName converts a string into a valid Go identifier
@@ -480,18 +519,3 @@ func sanitizeName(name string) string {
 	re := regexp.MustCompile(`[^a-zA-Z0-9_]`)
 	return re.ReplaceAllString(name, "_")
 }
-
-// extractMatcherFromPath extracts the matcher criteria from a path like "Pipeline.Tasks[{"name": "succeeded"}]"
-func extractMatcherFromPath(path string) (map[string]any, error) {
-	re := regexp.MustCompile(`\[({.*?})\]`)
-	matches := re.FindStringSubmatch(path)
-	if len(matches) < 2 {
-		return nil, fmt.Errorf("no matcher criteria found in path")
-	}
-
-	var matcher map[string]any
-	if err := json.Unmarshal([]byte(matches[1]), &matcher); err != nil {
-		return nil, fmt.Errorf("failed to parse matcher JSON: %w", err)
-	}
-	return matcher, nil
-}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/update.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/update.go
new file mode 100644
index 0000000000000..056f9a81b5ca8
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/update.go
@@ -0,0 +1,226 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validators
+
+import (
+	"fmt"
+	"sort"
+
+	"k8s.io/apimachinery/pkg/api/validate"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/code-generator/cmd/validation-gen/util"
+	"k8s.io/gengo/v2/codetags"
+	"k8s.io/gengo/v2/types"
+)
+
+const (
+	updateTagName = "k8s:update"
+)
+
+func init() {
+	shared := map[string]sets.Set[validate.UpdateConstraint]{}
+	RegisterFieldValidator(updateFieldValidator{byFieldPath: shared})
+	RegisterTagValidator(updateTagCollector{byFieldPath: shared})
+}
+
+// updateTagCollector collects +k8s:update tags
+type updateTagCollector struct {
+	byFieldPath map[string]sets.Set[validate.UpdateConstraint]
+}
+
+func (updateTagCollector) Init(_ Config) {}
+
+func (updateTagCollector) TagName() string {
+	return updateTagName
+}
+
+var updateTagValidScopes = sets.New(ScopeField)
+
+func (updateTagCollector) ValidScopes() sets.Set[Scope] {
+	return updateTagValidScopes
+}
+
+func (utc updateTagCollector) GetValidations(context Context, tag codetags.Tag) (Validations, error) {
+	// Parse constraint from this tag
+	var constraint validate.UpdateConstraint
+	switch tag.Value {
+	case "NoSet":
+		constraint = validate.NoSet
+	case "NoUnset":
+		constraint = validate.NoUnset
+	case "NoModify":
+		constraint = validate.NoModify
+	default:
+		return Validations{}, fmt.Errorf("unknown +k8s:update constraint: %s", tag.Value)
+	}
+
+	// Initialize set if doesn't exist
+	fieldPath := context.Path.String()
+	if utc.byFieldPath[fieldPath] == nil {
+		utc.byFieldPath[fieldPath] = sets.New[validate.UpdateConstraint]()
+	}
+
+	// Add this constraint to the set for this field
+	utc.byFieldPath[fieldPath].Insert(constraint)
+
+	if err := utc.validateConstraintsForType(context, utc.byFieldPath[fieldPath].UnsortedList()); err != nil {
+		return Validations{}, err
+	}
+
+	// Don't generate validations here, just collect
+	return Validations{}, nil
+}
+
+func (utc updateTagCollector) validateConstraintsForType(context Context, constraints []validate.UpdateConstraint) error {
+	t := util.NonPointer(util.NativeType(context.Type))
+	isCompound := t.Kind == types.Slice || t.Kind == types.Map
+	isPointer := context.Type.Kind == types.Pointer
+	isStruct := t.Kind == types.Struct
+
+	if isCompound {
+		for _, constraint := range constraints {
+			return fmt.Errorf("+k8s:update=%s is currently not supported on list or map fields", constraintName(constraint))
+		}
+	}
+
+	// For non-pointer struct fields, only NoModify is applicable
+	if isStruct && !isPointer {
+		for _, constraint := range constraints {
+			if constraint == validate.NoSet || constraint == validate.NoUnset {
+				return fmt.Errorf("+k8s:update=%s cannot be used on non-pointer struct fields (they cannot be unset)", constraintName(constraint))
+			}
+		}
+	}
+
+	return nil
+}
+
+func constraintName(c validate.UpdateConstraint) string {
+	switch c {
+	case validate.NoSet:
+		return "NoSet"
+	case validate.NoUnset:
+		return "NoUnset"
+	case validate.NoModify:
+		return "NoModify"
+	default:
+		return fmt.Sprintf("Unknown(%d)", c)
+	}
+}
+
+func (utc updateTagCollector) Docs() TagDoc {
+	return TagDoc{
+		Tag:            utc.TagName(),
+		StabilityLevel: Alpha,
+		Scopes:         utc.ValidScopes().UnsortedList(),
+		PayloadsType:   codetags.ValueTypeString,
+		Description: "Provides constraints on the allowed update operations of a field. " +
+			"Currently supports non-list and non-map fields only. " +
+			"Constraints: NoSet (prevents unset->set transitions), NoUnset (prevents set->unset transitions), " +
+			"NoModify (prevents value changes but allows set/unset transitions). " +
+			"Multiple constraints can be specified using multiple tags. " +
+			"For non-pointer structs, NoSet and NoUnset have no effect as these fields cannot be unset. " +
+			"Future support planned for lists/maps with NoAddItem and NoRemoveItem constraints. " +
+			"Examples: +k8s:update=NoModify +k8s:update=NoUnset for set-once fields; " +
+			"+k8s:update=NoSet for fields that must be set at creation or never.",
+	}
+}
+
+// updateFieldValidator processes all collected update tags and generates validations
+type updateFieldValidator struct {
+	byFieldPath map[string]sets.Set[validate.UpdateConstraint]
+}
+
+func (updateFieldValidator) Init(_ Config) {}
+
+func (updateFieldValidator) Name() string {
+	return "updateFieldValidator"
+}
+
+var (
+	updateValueValidator          = types.Name{Package: libValidationPkg, Name: "UpdateValueByCompare"}
+	updatePointerValidator        = types.Name{Package: libValidationPkg, Name: "UpdatePointer"}
+	updateValueByReflectValidator = types.Name{Package: libValidationPkg, Name: "UpdateValueByReflect"}
+	updateStructValidator         = types.Name{Package: libValidationPkg, Name: "UpdateStruct"}
+
+	// Constraint constants that will be used as arguments
+	noSetConstraint    = types.Name{Package: libValidationPkg, Name: "NoSet"}
+	noUnsetConstraint  = types.Name{Package: libValidationPkg, Name: "NoUnset"}
+	noModifyConstraint = types.Name{Package: libValidationPkg, Name: "NoModify"}
+)
+
+func (ufv updateFieldValidator) GetValidations(context Context) (Validations, error) {
+	constraintSet, ok := ufv.byFieldPath[context.Path.String()]
+	if !ok || constraintSet.Len() == 0 {
+		return Validations{}, nil
+	}
+
+	constraints := constraintSet.UnsortedList()
+
+	t := util.NonPointer(util.NativeType(context.Type))
+	if t.Kind == types.Slice || t.Kind == types.Map {
+		// TODO: add support for list and map fields
+		return Validations{}, fmt.Errorf("update constraints are currently not supported on list or map fields")
+	}
+
+	return ufv.generateValidation(context, constraints)
+}
+
+func (ufv updateFieldValidator) generateValidation(context Context, constraints []validate.UpdateConstraint) (Validations, error) {
+	var result Validations
+
+	// Determine the appropriate validator function based on field type
+	t := util.NonPointer(util.NativeType(context.Type))
+	isPointer := context.Type.Kind == types.Pointer
+	isStruct := t.Kind == types.Struct
+	isComparable := util.IsDirectComparable(t)
+
+	var validatorFunc types.Name
+	if isPointer {
+		validatorFunc = updatePointerValidator
+	} else if isStruct {
+		validatorFunc = updateStructValidator
+	} else if isComparable {
+		validatorFunc = updateValueValidator
+	} else {
+		validatorFunc = updateValueByReflectValidator
+	}
+
+	// Sort constraints to ensure deterministic order
+	sort.Slice(constraints, func(i, j int) bool {
+		return constraints[i] < constraints[j]
+	})
+
+	// Build the constraint arguments in deterministic order
+	var constraintArgs []any
+	for _, constraint := range constraints {
+		switch constraint {
+		case validate.NoSet:
+			constraintArgs = append(constraintArgs, Identifier(noSetConstraint))
+		case validate.NoUnset:
+			constraintArgs = append(constraintArgs, Identifier(noUnsetConstraint))
+		case validate.NoModify:
+			constraintArgs = append(constraintArgs, Identifier(noModifyConstraint))
+		}
+	}
+
+	// Use ShortCircuit flag so these run in the same group as +k8s:optional
+	fn := Function(updateTagName, ShortCircuit, validatorFunc, constraintArgs...)
+	result.AddFunction(fn)
+
+	return result, nil
+}
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/validators.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/validators.go
index f3227b46c9cd5..1aa4f3c8db016 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/validators.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/validators.go
@@ -152,11 +152,6 @@ type Scope string
 // Note: All of these values should be strings which can be used in an error
 // message such as "may not be used in %s".
 const (
-	// ScopeAny indicates that a validator may be use in any context.  This value
-	// should never appear in a Context struct, since that indicates a
-	// specific use.
-	ScopeAny Scope = "anywhere"
-
 	// ScopeType indicates a validation on a type definition, which applies to
 	// all instances of that type.
 	ScopeType Scope = "type definitions"
@@ -177,6 +172,9 @@ const (
 	// field or type.
 	ScopeMapVal Scope = "map values"
 
+	// ScopeConst indicates a validation which applies to constant values only.
+	ScopeConst Scope = "constant values"
+
 	// TODO: It's not clear if we need to distinguish (e.g.) list values of
 	// fields from list values of typedefs.  We could make {type,field} be
 	// orthogonal to {scalar, list, list-value, map, map-key, map-value} (and
@@ -195,28 +193,80 @@ type Context struct {
 	// this is the field's type (which may be a pointer, an alias, or both).
 	// When Scope indicates a list-value, map-key, or map-value, this is the
 	// type of that key or value (which, again, may be a pointer, and alias, or
-	// both).
+	// both). When Scope is ScopeConst this is the constant's type.
 	Type *types.Type
 
-	// ParentPath provides the field path to the parent type or field, enabling
-	// unique identification of validation contexts for the same type in
-	// different locations.
-	ParentPath *field.Path
+	// Path provides a path to the type or field being validated. This is
+	// useful for identifying an exact context, e.g. to track information
+	// between related tags. When Scope is ScopeType, this is the Go package
+	// path and type name (e.g. "k8s.io/api/core/v1.Pod"). When Scope is
+	// ScopeField, this is the field path (e.g. "spec.containers[*].image").
+	// When Scope indicates a list-value, map-key, or map-value, this is the
+	// type or field path, as described above, with a suffix indicating
+	// that it refers to the keys or values. For ScopeConst, this will be nil.
+	Path *field.Path
 
 	// Member provides details about a field within a struct when Scope is
 	// ScopeField.  For all other values of Scope, this will be nil.
 	Member *types.Member
 
-	// Path provides the field path to the type or field being validated. This
-	// is useful for identifying an exact context, e.g. to track information
-	// between related tags.
-	Path *field.Path
+	// ListSelector provides a list of key-value pairs that represent criteria
+	// for selecting one or more items from a list.  When Scope is
+	// ScopeListVal, this will be non-nil.  An empty selector means that
+	// all items in the list should be selected.  For all other values of
+	// Scope, this will be nil.
+	ListSelector []ListSelectorTerm
+
+	// ParentPath provides a path to the parent type or field of the object
+	// being validated, when applicable. enabling unique identification of
+	// validation contexts for the same type in different locations.  When
+	// Scope is ScopeField, this is the path to the containing struct type or
+	// field (depending on where the validation tag was sepcified).  When Scope
+	// indicates a list-value, map-key, or map-value, this is the path to the
+	// list or map type or field (depending on where the validation tag was
+	// specified). When Scope is ScopeType, this is nil.
+	ParentPath *field.Path
+
+	// Constants provides access to all constants of the type being
+	// validated.  Only set when Scope is ScopeType.
+	Constants []*Constant
+}
+
+// Constant represents a constant value.
+type Constant struct {
+	Constant *types.Type
+	Tags     []codetags.Tag
 }
 
+// ListSelectorTerm represents a field name and value pair.
+type ListSelectorTerm struct {
+	// Field is the JSON name of the field to match.
+	Field string
+	// Value is the value to match.  This must be a primitive type which can
+	// be used as list-map keys: string, int, or bool.
+	Value any
+}
+
+// StabilityLevel indicates the stability of a validation tag.
+type StabilityLevel string
+
+const (
+	// Alpha indicates that a tag's semantics may change in the future.
+	Alpha StabilityLevel = "Alpha"
+	// Beta indicates that a tag's semantics will remain unchanged for the
+	// foreseeable future. This is used for soaking tags before qualifying to stable.
+	Beta StabilityLevel = "Beta"
+	// Stable indicates that a tag's semantics will remain unchanged for the
+	// foreseeable future.
+	Stable StabilityLevel = "Stable"
+)
+
 // TagDoc describes a comment-tag and its usage.
 type TagDoc struct {
 	// Tag is the tag name, without the leading '+'.
 	Tag string
+	// StabilityLevel is the stability level of the tag.
+	StabilityLevel StabilityLevel
 	// Args lists any arguments this tag might take.
 	Args []TagArgDoc
 	// Usage is how the tag is used, including arguments.
@@ -365,7 +415,9 @@ const (
 	DefaultFlags FunctionFlags = 0
 
 	// ShortCircuit indicates that further validations should be skipped if
-	// this validator fails. Most validators are not fatal.
+	// this validator fails. If there are multiple validators with this flag
+	// set, they will ALL run, and if any of them fail, any non-short-circuit
+	// validators will be skipped.  Most validators are not fatal.
 	ShortCircuit FunctionFlags = 1 << iota
 
 	// NonError indicates that a failure of this validator should not be
@@ -411,6 +463,10 @@ type FunctionGen struct {
 	// TagName is the tag which triggered this function.
 	TagName string
 
+	// Cohort indicates a set of related functions which are processed
+	// together.
+	Cohort string
+
 	// Flags holds the options for this validator function.
 	Flags FunctionFlags
 
@@ -455,17 +511,22 @@ func (fg FunctionGen) WithConditions(conditions Conditions) FunctionGen {
 	return fg
 }
 
+// WithComments returns a new FunctionGen with a comment.
+func (fg FunctionGen) WithComments(comments ...string) FunctionGen {
+	fg.Comments = append(fg.Comments, comments...)
+	return fg
+}
+
 // WithComment returns a new FunctionGen with a comment.
 func (fg FunctionGen) WithComment(comment string) FunctionGen {
-	fg.Comments = append(fg.Comments, comment)
-	return fg
+	return fg.WithComments(comment)
 }
 
-// Variable creates a VariableGen for a given function name and extraArgs.
-func Variable(variable PrivateVar, initFunc FunctionGen) VariableGen {
+// Variable creates a VariableGen for a given variable name and init value.
+func Variable(variable PrivateVar, initializer any) VariableGen {
 	return VariableGen{
-		Variable: variable,
-		InitFunc: initFunc,
+		Variable:    variable,
+		Initializer: initializer,
 	}
 }
 
@@ -473,8 +534,9 @@ type VariableGen struct {
 	// Variable holds the variable identifier.
 	Variable PrivateVar
 
-	// InitFunc describes the function call that the variable is assigned to.
-	InitFunc FunctionGen
+	// Initializer is the value to initialize the variable with.
+	// Initializer may be any function call or literal type supported by toGolangSourceDataLiteral.
+	Initializer any
 }
 
 // WrapperFunction describes a function literal which has the fingerprint of a
@@ -499,6 +561,31 @@ type FunctionLiteral struct {
 	Body       string
 }
 
+// StructLiteral represents a struct literal expression that can be used as
+// an argument to a validator.
+type StructLiteral struct {
+	// Type is the type of the struct literal to be generated.
+	Type types.Name
+	// TypeArgs are the generic type arguments for the struct type.
+	TypeArgs []*types.Type
+	Fields   []StructLiteralField
+}
+
+// SliceLiteral represents a slice literal expression that can be used as
+// an argument to a validator.
+type SliceLiteral struct {
+	// ElementType is the type of the elements in the slice.
+	ElementType types.Name
+	// ElementTypeArgs are the generic type arguments for the element type.
+	ElementTypeArgs []*types.Type
+	Elements        []any
+}
+
+type StructLiteralField struct {
+	Name  string
+	Value any
+}
+
 // ParamResult represents a parameter or a result of a function.
 type ParamResult struct {
 	Name string
diff --git a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/zeroorone.go b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/zeroorone.go
index 3c37963b2daf7..5e5fff7edfb2a 100644
--- a/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/zeroorone.go
+++ b/staging/src/k8s.io/code-generator/cmd/validation-gen/validators/zeroorone.go
@@ -94,10 +94,11 @@ func (zmtv zeroOrOneOfMemberTagValidator) GetValidations(context Context, tag co
 
 func (zmtv zeroOrOneOfMemberTagValidator) Docs() TagDoc {
 	return TagDoc{
-		Tag:         zmtv.TagName(),
-		Scopes:      zmtv.ValidScopes().UnsortedList(),
-		Description: "Indicates that this field is a member of a zero-or-one-of union.",
-		Docs:        "A zero-or-one-of union allows at most one member to be set. Unlike regular unions, having no members set is valid.",
+		Tag:            zmtv.TagName(),
+		Scopes:         zmtv.ValidScopes().UnsortedList(),
+		StabilityLevel: Beta,
+		Description:    "Indicates that this field is a member of a zero-or-one-of union.",
+		Docs:           "A zero-or-one-of union allows at most one member to be set. Unlike regular unions, having no members set is valid.",
 		Args: []TagArgDoc{{
 			Name:        "union",
 			Description: "<string>",
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/apis/example/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/apis/example/v1/zz_generated.register.go
index bf9e0062fd146..e628aec0573ae 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/apis/example/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/apis/example/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example-group.hyphens.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/clustertesttype.go
index 34031f0994a09..65ca68e01eaa8 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/clustertesttype.go
@@ -41,6 +41,7 @@ func ClusterTestType(name string) *ClusterTestTypeApplyConfiguration {
 	b.WithAPIVersion("example-group.hyphens.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b ClusterTestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/testtype.go
index ba125f36986dd..a4f7197f6d2be 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/applyconfiguration/example/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("example-group.hyphens.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/clientset/versioned/fake/clientset_generated.go
index 3b8c5e66c39b4..e7219ba44e293 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/clientset/versioned/fake/clientset_generated.go
@@ -36,7 +36,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -52,8 +52,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -84,6 +84,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/clustertesttype.go
index 000d00bf94e0f..b114bd56a54c2 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/clustertesttype.go
@@ -56,7 +56,7 @@ func NewClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ExampleGroupV1().ClusterTestTypes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.ClusterTestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/testtype.go
index 98aef64dbc335..2e674e0edfa26 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/example/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExampleGroupV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/factory.go b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/factory.go
index a3cd3f40e4bfe..c017a25f2057d 100644
--- a/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/code-generator/examples/HyphenGroup/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/apis/example/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/MixedCase/apis/example/v1/zz_generated.register.go
index 386efdf2a48af..a587c37bc97a2 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/apis/example/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/apis/example/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/clustertesttype.go
index 9a07a639daaf5..b09b655d80f12 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/clustertesttype.go
@@ -41,6 +41,7 @@ func ClusterTestType(name string) *ClusterTestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b ClusterTestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/testtype.go
index 5e32019e58dc9..a8239f2849a63 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/applyconfiguration/example/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/code-generator/examples/MixedCase/clientset/versioned/fake/clientset_generated.go
index fe8e92b0a414f..7f3eae52a79c3 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/clientset/versioned/fake/clientset_generated.go
@@ -36,7 +36,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -52,8 +52,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -84,6 +84,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/clustertesttype.go
index ed733e3fc2a69..5aa93a643c153 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/clustertesttype.go
@@ -56,7 +56,7 @@ func NewClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ExampleV1().ClusterTestTypes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.ClusterTestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/testtype.go
index 16baa5ac4c295..4e13b0148abfc 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/example/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/factory.go b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/factory.go
index 4628bbb862d59..132304b07a5b1 100644
--- a/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/code-generator/examples/MixedCase/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/doc.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/doc.go
index d59731bcf1cb9..985e8d019a907 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/doc.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:conversion-gen=k8s.io/code-generator/examples/apiserver/apis/core
 // +groupName=
+// +k8s:openapi-model-package=io.k8s.code-generator.examples.apiserver.apis.core.v1
 
 package v1
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.model_name.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..dc5df910422ff
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestType) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.core.v1.TestType"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeList) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.core.v1.TestTypeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeStatus) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.core.v1.TestTypeStatus"
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.register.go
index 009b60ca87607..4580878e6353b 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/core/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = ""
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/types.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/types.go
index 6ec6ac6fe754f..72ef357022604 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/types.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/types.go
@@ -62,3 +62,21 @@ type MemoryDifferent struct {
 	AllOf      []MemoryDifferent
 	Bool       bool // differs from external representation
 }
+
+type ConversionPrivate struct {
+	PublicField  string
+	privateField string
+}
+
+type ConversionCustomContainer struct {
+	Slice   []ConversionCustom
+	SliceP  []*ConversionCustom
+	Map     map[string]ConversionCustom
+	MapP    map[string]*ConversionCustom
+	Struct  ConversionCustom
+	StructP *ConversionCustom
+}
+type ConversionCustom struct {
+	PublicField  string
+	privateField string
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion.go
new file mode 100644
index 0000000000000..3bd40eba2632e
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	example "k8s.io/code-generator/examples/apiserver/apis/example"
+)
+
+// manually created final conversion function required because the object contains private fields that cannot be auto-converted
+func Convert_v1_ConversionPrivate_To_example_ConversionPrivate(in *ConversionPrivate, out *example.ConversionPrivate, scope conversion.Scope) error {
+	return autoConvert_v1_ConversionPrivate_To_example_ConversionPrivate(in, out, scope)
+}
+
+// manually created final conversion function required because the object contains private fields that cannot be auto-converted
+func Convert_example_ConversionPrivate_To_v1_ConversionPrivate(in *example.ConversionPrivate, out *ConversionPrivate, scope conversion.Scope) error {
+	return autoConvert_example_ConversionPrivate_To_v1_ConversionPrivate(in, out, scope)
+}
+
+// custom conversion function to exercise use of custom functions in slice/map/pointer fields
+func Convert_v1_ConversionCustom_To_example_ConversionCustom(in *ConversionCustom, out *example.ConversionCustom, scope conversion.Scope) error {
+	return autoConvert_v1_ConversionCustom_To_example_ConversionCustom(in, out, scope)
+}
+
+// custom conversion function to exercise use of custom functions in slice/map/pointer fields
+func Convert_example_ConversionCustom_To_v1_ConversionCustom(in *example.ConversionCustom, out *ConversionCustom, scope conversion.Scope) error {
+	return autoConvert_example_ConversionCustom_To_v1_ConversionCustom(in, out, scope)
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion_test.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion_test.go
new file mode 100644
index 0000000000000..27a5e9429f100
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/conversion_test.go
@@ -0,0 +1,87 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/code-generator/examples/apiserver/apis/example"
+)
+
+func TestConversion(t *testing.T) {
+	testcases := []struct {
+		name string
+		in   *ConversionCustomContainer
+	}{
+		{
+			name: "nil",
+			in:   &ConversionCustomContainer{},
+		},
+		{
+			name: "empty",
+			in: &ConversionCustomContainer{
+				Slice:   []ConversionCustom{},
+				SliceP:  []*ConversionCustom{},
+				Map:     map[string]ConversionCustom{},
+				MapP:    map[string]*ConversionCustom{},
+				Struct:  ConversionCustom{},
+				StructP: &ConversionCustom{},
+			},
+		},
+		{
+			name: "nil_entries",
+			in: &ConversionCustomContainer{
+				Slice:  []ConversionCustom{{}},
+				SliceP: []*ConversionCustom{nil},
+				Map:    map[string]ConversionCustom{"key": {}},
+				MapP:   map[string]*ConversionCustom{"key": nil},
+			},
+		},
+		{
+			name: "set_entries",
+			in: &ConversionCustomContainer{
+				Slice:   []ConversionCustom{{PublicField: "test1"}},
+				SliceP:  []*ConversionCustom{{PublicField: "test2"}},
+				Map:     map[string]ConversionCustom{"key": {PublicField: "test3"}},
+				MapP:    map[string]*ConversionCustom{"key": {PublicField: "test4"}},
+				Struct:  ConversionCustom{PublicField: "test5"},
+				StructP: &ConversionCustom{PublicField: "test6"},
+			},
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			original := tc.in.DeepCopy()
+
+			out := &example.ConversionCustomContainer{}
+			if err := Convert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer(tc.in, out, nil); err != nil {
+				t.Fatal(err)
+			}
+
+			roundtrip := &ConversionCustomContainer{}
+			if err := Convert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer(out, roundtrip, nil); err != nil {
+				t.Fatal(err)
+			}
+
+			if !reflect.DeepEqual(original, roundtrip) {
+				t.Fatalf("expected:\n%#v\ngot:\n%#v", original, roundtrip)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/doc.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/doc.go
index 9e4436f5c466b..0d1407e0b6237 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/doc.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:conversion-gen=k8s.io/code-generator/examples/apiserver/apis/example
 // +groupName=example.apiserver.code-generator.k8s.io
+// +k8s:openapi-model-package=io.k8s.code-generator.examples.apiserver.apis.example.v1
 
 package v1
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/types.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/types.go
index ec40584b96796..44226c30f58e2 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/types.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/types.go
@@ -70,3 +70,23 @@ type MemoryDifferent struct {
 
 	Bool *bool `json:"bool"` // differs from internal representation
 }
+
+type ConversionPrivate struct {
+	PublicField  string `json:"publicField"`
+	privateField string `json:"privateField"`
+}
+
+type ConversionCustomContainer struct {
+	// +listType=atomic
+	Slice []ConversionCustom `json:"slice"`
+	// +listType=atomic
+	SliceP  []*ConversionCustom          `json:"sliceP"`
+	Map     map[string]ConversionCustom  `json:"map"`
+	MapP    map[string]*ConversionCustom `json:"mapP"`
+	Struct  ConversionCustom             `json:"struct"`
+	StructP *ConversionCustom            `json:"structP"`
+}
+type ConversionCustom struct {
+	PublicField  string `json:"publicField"`
+	privateField string `json:"privateField"`
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.conversion.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.conversion.go
index 5795e0cc2d9ad..30f6741b98b2e 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.conversion.go
@@ -47,6 +47,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*ConversionCustomContainer)(nil), (*example.ConversionCustomContainer)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer(a.(*ConversionCustomContainer), b.(*example.ConversionCustomContainer), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*example.ConversionCustomContainer)(nil), (*ConversionCustomContainer)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer(a.(*example.ConversionCustomContainer), b.(*ConversionCustomContainer), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*MemoryDifferent)(nil), (*example.MemoryDifferent)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1_MemoryDifferent_To_example_MemoryDifferent(a.(*MemoryDifferent), b.(*example.MemoryDifferent), scope)
 	}); err != nil {
@@ -97,6 +107,26 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddConversionFunc((*example.ConversionCustom)(nil), (*ConversionCustom)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_example_ConversionCustom_To_v1_ConversionCustom(a.(*example.ConversionCustom), b.(*ConversionCustom), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*example.ConversionPrivate)(nil), (*ConversionPrivate)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_example_ConversionPrivate_To_v1_ConversionPrivate(a.(*example.ConversionPrivate), b.(*ConversionPrivate), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*ConversionCustom)(nil), (*example.ConversionCustom)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_ConversionCustom_To_example_ConversionCustom(a.(*ConversionCustom), b.(*example.ConversionCustom), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddConversionFunc((*ConversionPrivate)(nil), (*example.ConversionPrivate)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_ConversionPrivate_To_example_ConversionPrivate(a.(*ConversionPrivate), b.(*example.ConversionPrivate), scope)
+	}); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -130,6 +160,180 @@ func Convert_example_Conversion_To_v1_Conversion(in *example.Conversion, out *Co
 	return autoConvert_example_Conversion_To_v1_Conversion(in, out, s)
 }
 
+func autoConvert_v1_ConversionCustom_To_example_ConversionCustom(in *ConversionCustom, out *example.ConversionCustom, s conversion.Scope) error {
+	out.PublicField = in.PublicField
+	// WARNING: out.privateField is not exported and cannot be set
+	return nil
+}
+
+func autoConvert_example_ConversionCustom_To_v1_ConversionCustom(in *example.ConversionCustom, out *ConversionCustom, s conversion.Scope) error {
+	out.PublicField = in.PublicField
+	// WARNING: in.privateField is not exported and cannot be read
+	return nil
+}
+
+func autoConvert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer(in *ConversionCustomContainer, out *example.ConversionCustomContainer, s conversion.Scope) error {
+	if in.Slice != nil {
+		in, out := &in.Slice, &out.Slice
+		*out = make([]example.ConversionCustom, len(*in))
+		for i := range *in {
+			if err := Convert_v1_ConversionCustom_To_example_ConversionCustom(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Slice = nil
+	}
+	if in.SliceP != nil {
+		in, out := &in.SliceP, &out.SliceP
+		*out = make([]*example.ConversionCustom, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(example.ConversionCustom)
+				if err := Convert_v1_ConversionCustom_To_example_ConversionCustom((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.SliceP = nil
+	}
+	if in.Map != nil {
+		in, out := &in.Map, &out.Map
+		*out = make(map[string]example.ConversionCustom, len(*in))
+		for key, val := range *in {
+			newVal := new(example.ConversionCustom)
+			if err := Convert_v1_ConversionCustom_To_example_ConversionCustom(&val, newVal, s); err != nil {
+				return err
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Map = nil
+	}
+	if in.MapP != nil {
+		in, out := &in.MapP, &out.MapP
+		*out = make(map[string]*example.ConversionCustom, len(*in))
+		for key, val := range *in {
+			newVal := new(*example.ConversionCustom)
+			if val != nil {
+				*newVal = new(example.ConversionCustom)
+				if err := Convert_v1_ConversionCustom_To_example_ConversionCustom(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.MapP = nil
+	}
+	if err := Convert_v1_ConversionCustom_To_example_ConversionCustom(&in.Struct, &out.Struct, s); err != nil {
+		return err
+	}
+	if in.StructP != nil {
+		in, out := &in.StructP, &out.StructP
+		*out = new(example.ConversionCustom)
+		if err := Convert_v1_ConversionCustom_To_example_ConversionCustom(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.StructP = nil
+	}
+	return nil
+}
+
+// Convert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer is an autogenerated conversion function.
+func Convert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer(in *ConversionCustomContainer, out *example.ConversionCustomContainer, s conversion.Scope) error {
+	return autoConvert_v1_ConversionCustomContainer_To_example_ConversionCustomContainer(in, out, s)
+}
+
+func autoConvert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer(in *example.ConversionCustomContainer, out *ConversionCustomContainer, s conversion.Scope) error {
+	if in.Slice != nil {
+		in, out := &in.Slice, &out.Slice
+		*out = make([]ConversionCustom, len(*in))
+		for i := range *in {
+			if err := Convert_example_ConversionCustom_To_v1_ConversionCustom(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Slice = nil
+	}
+	if in.SliceP != nil {
+		in, out := &in.SliceP, &out.SliceP
+		*out = make([]*ConversionCustom, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(ConversionCustom)
+				if err := Convert_example_ConversionCustom_To_v1_ConversionCustom((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.SliceP = nil
+	}
+	if in.Map != nil {
+		in, out := &in.Map, &out.Map
+		*out = make(map[string]ConversionCustom, len(*in))
+		for key, val := range *in {
+			newVal := new(ConversionCustom)
+			if err := Convert_example_ConversionCustom_To_v1_ConversionCustom(&val, newVal, s); err != nil {
+				return err
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Map = nil
+	}
+	if in.MapP != nil {
+		in, out := &in.MapP, &out.MapP
+		*out = make(map[string]*ConversionCustom, len(*in))
+		for key, val := range *in {
+			newVal := new(*ConversionCustom)
+			if val != nil {
+				*newVal = new(ConversionCustom)
+				if err := Convert_example_ConversionCustom_To_v1_ConversionCustom(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.MapP = nil
+	}
+	if err := Convert_example_ConversionCustom_To_v1_ConversionCustom(&in.Struct, &out.Struct, s); err != nil {
+		return err
+	}
+	if in.StructP != nil {
+		in, out := &in.StructP, &out.StructP
+		*out = new(ConversionCustom)
+		if err := Convert_example_ConversionCustom_To_v1_ConversionCustom(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.StructP = nil
+	}
+	return nil
+}
+
+// Convert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer is an autogenerated conversion function.
+func Convert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer(in *example.ConversionCustomContainer, out *ConversionCustomContainer, s conversion.Scope) error {
+	return autoConvert_example_ConversionCustomContainer_To_v1_ConversionCustomContainer(in, out, s)
+}
+
+func autoConvert_v1_ConversionPrivate_To_example_ConversionPrivate(in *ConversionPrivate, out *example.ConversionPrivate, s conversion.Scope) error {
+	out.PublicField = in.PublicField
+	// WARNING: out.privateField is not exported and cannot be set
+	return nil
+}
+
+func autoConvert_example_ConversionPrivate_To_v1_ConversionPrivate(in *example.ConversionPrivate, out *ConversionPrivate, s conversion.Scope) error {
+	out.PublicField = in.PublicField
+	// WARNING: in.privateField is not exported and cannot be read
+	return nil
+}
+
 func autoConvert_v1_MemoryDifferent_To_example_MemoryDifferent(in *MemoryDifferent, out *example.MemoryDifferent, s conversion.Scope) error {
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.deepcopy.go
index 4966ea006b6ae..4d0ad6cec8a1f 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.deepcopy.go
@@ -43,6 +43,98 @@ func (in *Conversion) DeepCopy() *Conversion {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionCustom) DeepCopyInto(out *ConversionCustom) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionCustom.
+func (in *ConversionCustom) DeepCopy() *ConversionCustom {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionCustom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionCustomContainer) DeepCopyInto(out *ConversionCustomContainer) {
+	*out = *in
+	if in.Slice != nil {
+		in, out := &in.Slice, &out.Slice
+		*out = make([]ConversionCustom, len(*in))
+		copy(*out, *in)
+	}
+	if in.SliceP != nil {
+		in, out := &in.SliceP, &out.SliceP
+		*out = make([]*ConversionCustom, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(ConversionCustom)
+				**out = **in
+			}
+		}
+	}
+	if in.Map != nil {
+		in, out := &in.Map, &out.Map
+		*out = make(map[string]ConversionCustom, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.MapP != nil {
+		in, out := &in.MapP, &out.MapP
+		*out = make(map[string]*ConversionCustom, len(*in))
+		for key, val := range *in {
+			var outVal *ConversionCustom
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(ConversionCustom)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	out.Struct = in.Struct
+	if in.StructP != nil {
+		in, out := &in.StructP, &out.StructP
+		*out = new(ConversionCustom)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionCustomContainer.
+func (in *ConversionCustomContainer) DeepCopy() *ConversionCustomContainer {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionCustomContainer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionPrivate) DeepCopyInto(out *ConversionPrivate) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionPrivate.
+func (in *ConversionPrivate) DeepCopy() *ConversionPrivate {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionPrivate)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryDifferent) DeepCopyInto(out *MemoryDifferent) {
 	*out = *in
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.model_name.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..ce0d1aa552521
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.model_name.go
@@ -0,0 +1,67 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Conversion) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.Conversion"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionCustom) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.ConversionCustom"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionCustomContainer) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.ConversionCustomContainer"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ConversionPrivate) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.ConversionPrivate"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MemoryDifferent) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.MemoryDifferent"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MemoryIdentical) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.MemoryIdentical"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestType) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.TestType"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeList) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.TestTypeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeStatus) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example.v1.TestTypeStatus"
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.register.go
index 29a9b7ad0d85c..fa02e7b1f14c6 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.apiserver.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/zz_generated.deepcopy.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/zz_generated.deepcopy.go
index 6b58e28c87830..a27cd80336dc5 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example/zz_generated.deepcopy.go
@@ -43,6 +43,98 @@ func (in *Conversion) DeepCopy() *Conversion {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionCustom) DeepCopyInto(out *ConversionCustom) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionCustom.
+func (in *ConversionCustom) DeepCopy() *ConversionCustom {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionCustom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionCustomContainer) DeepCopyInto(out *ConversionCustomContainer) {
+	*out = *in
+	if in.Slice != nil {
+		in, out := &in.Slice, &out.Slice
+		*out = make([]ConversionCustom, len(*in))
+		copy(*out, *in)
+	}
+	if in.SliceP != nil {
+		in, out := &in.SliceP, &out.SliceP
+		*out = make([]*ConversionCustom, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(ConversionCustom)
+				**out = **in
+			}
+		}
+	}
+	if in.Map != nil {
+		in, out := &in.Map, &out.Map
+		*out = make(map[string]ConversionCustom, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.MapP != nil {
+		in, out := &in.MapP, &out.MapP
+		*out = make(map[string]*ConversionCustom, len(*in))
+		for key, val := range *in {
+			var outVal *ConversionCustom
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(ConversionCustom)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	out.Struct = in.Struct
+	if in.StructP != nil {
+		in, out := &in.StructP, &out.StructP
+		*out = new(ConversionCustom)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionCustomContainer.
+func (in *ConversionCustomContainer) DeepCopy() *ConversionCustomContainer {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionCustomContainer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConversionPrivate) DeepCopyInto(out *ConversionPrivate) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConversionPrivate.
+func (in *ConversionPrivate) DeepCopy() *ConversionPrivate {
+	if in == nil {
+		return nil
+	}
+	out := new(ConversionPrivate)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryDifferent) DeepCopyInto(out *MemoryDifferent) {
 	*out = *in
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/doc.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/doc.go
index 42353ffd045b2..e1d68f6cb44e5 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/doc.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/doc.go
@@ -20,5 +20,6 @@ limitations under the License.
 // +groupName=example.test.apiserver.code-generator.k8s.io
 // +k8s:conversion-gen=k8s.io/code-generator/examples/apiserver/apis/example2
 // +groupGoName=SecondExample
+// +k8s:openapi-model-package=io.k8s.code-generator.examples.apiserver.apis.example2.v1
 
 package v1
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.model_name.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..51b9bb896689b
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestType) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example2.v1.TestType"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeList) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example2.v1.TestTypeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeStatus) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example2.v1.TestTypeStatus"
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.register.go
index 031f94bb611ca..a1c3dcd081996 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example2/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.test.apiserver.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/doc.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/doc.go
index cd598d47ad1b0..5756ae11ceba8 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/doc.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/doc.go
@@ -20,5 +20,6 @@ limitations under the License.
 // +groupName=example.dots.apiserver.code-generator.k8s.io
 // +k8s:conversion-gen=k8s.io/code-generator/examples/apiserver/apis/example3.io
 // +groupGoName=ThirdExample
+// +k8s:openapi-model-package=io.k8s.code-generator.examples.apiserver.apis.example3.io.v1
 
 package v1
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.model_name.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e9fddb1c5acac
--- /dev/null
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestType) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example3.io.v1.TestType"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeList) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example3.io.v1.TestTypeList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TestTypeStatus) OpenAPIModelName() string {
+	return "io.k8s.code-generator.examples.apiserver.apis.example3.io.v1.TestTypeStatus"
+}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.register.go
index 4b932d8035947..b4b5585dc3855 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/apis/example3.io/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.dots.apiserver.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go
index 57df8005b14b8..0ac684823a826 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/clientset/versioned/fake/clientset_generated.go
@@ -41,7 +41,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -57,8 +57,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -89,6 +89,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 var (
 	_ clientset.Interface = &Clientset{}
 	_ testing.FakeClient  = &Clientset{}
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/core/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/core/v1/testtype.go
index be813616c499e..4992048f62a94 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/core/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/core/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.CoreV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiscorev1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example/v1/testtype.go
index 0ec29bdb8084a..dc36475825b5b 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example2/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example2/v1/testtype.go
index b1344e61e1c38..19dde2590cc1a 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example2/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example2/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.SecondExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexample2v1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example3.io/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example3.io/v1/testtype.go
index 183e373b2e33d..c81d60102c149 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example3.io/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/example3.io/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ThirdExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexample3iov1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/factory.go b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/factory.go
index 5efa771d5eb6b..89972ed8a631f 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/informers/externalversions/factory.go
@@ -100,6 +100,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -207,7 +208,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/examples/apiserver/openapi/zz_generated.openapi.go b/staging/src/k8s.io/code-generator/examples/apiserver/openapi/zz_generated.openapi.go
index 18c65f22e685b..4e2dad81a1b5b 100644
--- a/staging/src/k8s.io/code-generator/examples/apiserver/openapi/zz_generated.openapi.go
+++ b/staging/src/k8s.io/code-generator/examples/apiserver/openapi/zz_generated.openapi.go
@@ -22,81 +22,140 @@ limitations under the License.
 package openapi
 
 import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	version "k8s.io/apimachinery/pkg/version"
+	corev1 "k8s.io/code-generator/examples/apiserver/apis/core/v1"
+	examplev1 "k8s.io/code-generator/examples/apiserver/apis/example/v1"
+	example2v1 "k8s.io/code-generator/examples/apiserver/apis/example2/v1"
+	example3iov1 "k8s.io/code-generator/examples/apiserver/apis/example3.io/v1"
 	common "k8s.io/kube-openapi/pkg/common"
 	spec "k8s.io/kube-openapi/pkg/validation/spec"
 )
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                               schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                           schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                            schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                        schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                            schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                           schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                              schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                          schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                          schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                               schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement":               schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                               schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                             schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                              schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                          schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                           schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":               schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                       schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                   schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                          schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                          schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":               schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                   schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                               schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                            schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                     schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                              schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                             schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                         schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                  schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":              schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                  schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                           schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                          schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                              schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":              schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                 schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                            schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                          schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                  schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                  schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                           schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                               schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                      schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                   schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                              schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                               schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                          schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                             schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                    schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                     schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                        schema_k8sio_apimachinery_pkg_version_Info(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/core/v1.TestType":              schema_apiserver_apis_core_v1_TestType(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/core/v1.TestTypeList":          schema_apiserver_apis_core_v1_TestTypeList(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/core/v1.TestTypeStatus":        schema_apiserver_apis_core_v1_TestTypeStatus(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.Conversion":         schema_apiserver_apis_example_v1_Conversion(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent":    schema_apiserver_apis_example_v1_MemoryDifferent(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical":    schema_apiserver_apis_example_v1_MemoryIdentical(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.TestType":           schema_apiserver_apis_example_v1_TestType(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.TestTypeList":       schema_apiserver_apis_example_v1_TestTypeList(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example/v1.TestTypeStatus":     schema_apiserver_apis_example_v1_TestTypeStatus(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestType":          schema_apiserver_apis_example2_v1_TestType(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestTypeList":      schema_apiserver_apis_example2_v1_TestTypeList(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestTypeStatus":    schema_apiserver_apis_example2_v1_TestTypeStatus(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestType":       schema_apiserver_apis_example3io_v1_TestType(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestTypeList":   schema_apiserver_apis_example3io_v1_TestTypeList(ref),
-		"k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestTypeStatus": schema_apiserver_apis_example3io_v1_TestTypeStatus(ref),
+		resource.Quantity{}.OpenAPIModelName():                   schema_apimachinery_pkg_api_resource_Quantity(ref),
+		v1.APIGroup{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_APIGroup(ref),
+		v1.APIGroupList{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_APIGroupList(ref),
+		v1.APIResource{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_APIResource(ref),
+		v1.APIResourceList{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_APIResourceList(ref),
+		v1.APIVersions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_APIVersions(ref),
+		v1.ApplyOptions{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		v1.Condition{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_Condition(ref),
+		v1.CreateOptions{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_CreateOptions(ref),
+		v1.DeleteOptions{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		v1.Duration{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_Duration(ref),
+		v1.FieldSelectorRequirement{}.OpenAPIModelName():         schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
+		v1.FieldsV1{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_FieldsV1(ref),
+		v1.GetOptions{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_GetOptions(ref),
+		v1.GroupKind{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_GroupKind(ref),
+		v1.GroupResource{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_GroupResource(ref),
+		v1.GroupVersion{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_GroupVersion(ref),
+		v1.GroupVersionForDiscovery{}.OpenAPIModelName():         schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		v1.GroupVersionKind{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		v1.GroupVersionResource{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		v1.InternalEvent{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_InternalEvent(ref),
+		v1.LabelSelector{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_LabelSelector(ref),
+		v1.LabelSelectorRequirement{}.OpenAPIModelName():         schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		v1.List{}.OpenAPIModelName():                             schema_pkg_apis_meta_v1_List(ref),
+		v1.ListMeta{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_ListMeta(ref),
+		v1.ListOptions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_ListOptions(ref),
+		v1.ManagedFieldsEntry{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		v1.MicroTime{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_MicroTime(ref),
+		v1.ObjectMeta{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		v1.OwnerReference{}.OpenAPIModelName():                   schema_pkg_apis_meta_v1_OwnerReference(ref),
+		v1.PartialObjectMetadata{}.OpenAPIModelName():            schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		v1.PartialObjectMetadataList{}.OpenAPIModelName():        schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		v1.Patch{}.OpenAPIModelName():                            schema_pkg_apis_meta_v1_Patch(ref),
+		v1.PatchOptions{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_PatchOptions(ref),
+		v1.Preconditions{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_Preconditions(ref),
+		v1.RootPaths{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_RootPaths(ref),
+		v1.ServerAddressByClientCIDR{}.OpenAPIModelName():        schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		v1.Status{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_Status(ref),
+		v1.StatusCause{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_StatusCause(ref),
+		v1.StatusDetails{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_StatusDetails(ref),
+		v1.Table{}.OpenAPIModelName():                            schema_pkg_apis_meta_v1_Table(ref),
+		v1.TableColumnDefinition{}.OpenAPIModelName():            schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		v1.TableOptions{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_TableOptions(ref),
+		v1.TableRow{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_TableRow(ref),
+		v1.TableRowCondition{}.OpenAPIModelName():                schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		v1.Time{}.OpenAPIModelName():                             schema_pkg_apis_meta_v1_Time(ref),
+		v1.Timestamp{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_Timestamp(ref),
+		v1.TypeMeta{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_TypeMeta(ref),
+		v1.UpdateOptions{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		v1.WatchEvent{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_WatchEvent(ref),
+		runtime.RawExtension{}.OpenAPIModelName():                schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		runtime.TypeMeta{}.OpenAPIModelName():                    schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		runtime.Unknown{}.OpenAPIModelName():                     schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		version.Info{}.OpenAPIModelName():                        schema_k8sio_apimachinery_pkg_version_Info(ref),
+		corev1.TestType{}.OpenAPIModelName():                     schema_apiserver_apis_core_v1_TestType(ref),
+		corev1.TestTypeList{}.OpenAPIModelName():                 schema_apiserver_apis_core_v1_TestTypeList(ref),
+		corev1.TestTypeStatus{}.OpenAPIModelName():               schema_apiserver_apis_core_v1_TestTypeStatus(ref),
+		examplev1.Conversion{}.OpenAPIModelName():                schema_apiserver_apis_example_v1_Conversion(ref),
+		examplev1.ConversionCustom{}.OpenAPIModelName():          schema_apiserver_apis_example_v1_ConversionCustom(ref),
+		examplev1.ConversionCustomContainer{}.OpenAPIModelName(): schema_apiserver_apis_example_v1_ConversionCustomContainer(ref),
+		examplev1.ConversionPrivate{}.OpenAPIModelName():         schema_apiserver_apis_example_v1_ConversionPrivate(ref),
+		examplev1.MemoryDifferent{}.OpenAPIModelName():           schema_apiserver_apis_example_v1_MemoryDifferent(ref),
+		examplev1.MemoryIdentical{}.OpenAPIModelName():           schema_apiserver_apis_example_v1_MemoryIdentical(ref),
+		examplev1.TestType{}.OpenAPIModelName():                  schema_apiserver_apis_example_v1_TestType(ref),
+		examplev1.TestTypeList{}.OpenAPIModelName():              schema_apiserver_apis_example_v1_TestTypeList(ref),
+		examplev1.TestTypeStatus{}.OpenAPIModelName():            schema_apiserver_apis_example_v1_TestTypeStatus(ref),
+		example2v1.TestType{}.OpenAPIModelName():                 schema_apiserver_apis_example2_v1_TestType(ref),
+		example2v1.TestTypeList{}.OpenAPIModelName():             schema_apiserver_apis_example2_v1_TestTypeList(ref),
+		example2v1.TestTypeStatus{}.OpenAPIModelName():           schema_apiserver_apis_example2_v1_TestTypeStatus(ref),
+		example3iov1.TestType{}.OpenAPIModelName():               schema_apiserver_apis_example3io_v1_TestType(ref),
+		example3iov1.TestTypeList{}.OpenAPIModelName():           schema_apiserver_apis_example3io_v1_TestTypeList(ref),
+		example3iov1.TestTypeStatus{}.OpenAPIModelName():         schema_apiserver_apis_example3io_v1_TestTypeStatus(ref),
+	}
+}
+
+func schema_apimachinery_pkg_api_resource_Quantity(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.EmbedOpenAPIDefinitionIntoV2Extension(common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				OneOf:       common.GenerateOpenAPIV3OneOfSchema(resource.Quantity{}.OpenAPIV3OneOfTypes()),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	}, common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				Type:        resource.Quantity{}.OpenAPISchemaType(),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	})
+}
+
+func schema_apimachinery_pkg_api_resource_int64Amount(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "int64Amount represents a fixed precision numerator and arbitrary scale exponent. It is faster than operations on inf.Dec for values that can be represented as int64.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"scale": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int32",
+						},
+					},
+				},
+				Required: []string{"value", "scale"},
+			},
+		},
 	}
 }
 
@@ -142,7 +201,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+										Ref:     ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -152,7 +211,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "preferredVersion is the version preferred by the API server, which probably is the storage version.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+							Ref:         ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 						},
 					},
 					"serverAddressByClientCIDRs": {
@@ -168,7 +227,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -179,7 +238,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.GroupVersionForDiscovery{}.OpenAPIModelName(), v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -217,7 +276,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"),
+										Ref:     ref(v1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -228,7 +287,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"},
+			v1.APIGroup{}.OpenAPIModelName()},
 	}
 }
 
@@ -396,7 +455,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"),
+										Ref:     ref(v1.APIResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -407,7 +466,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"},
+			v1.APIResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -465,7 +524,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -476,7 +535,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -577,7 +636,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -601,7 +660,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -697,7 +756,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 					"preconditions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"),
+							Ref:         ref(v1.Preconditions{}.OpenAPIModelName()),
 						},
 					},
 					"orphanDependents": {
@@ -745,7 +804,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"},
+			v1.Preconditions{}.OpenAPIModelName()},
 	}
 }
 
@@ -1057,15 +1116,12 @@ func schema_pkg_apis_meta_v1_InternalEvent(ref common.ReferenceCallback) common.
 					"Object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Bookmark: the object (instance of a type being watched) where\n   only ResourceVersion field is set. On successful restart of watch from a\n   bookmark resourceVersion, client is guaranteed to not get repeat event\n   nor miss any events.\n * If Type is Error: *api.Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Object"),
 						},
 					},
 				},
 				Required: []string{"Type", "Object"},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.Object"},
 	}
 }
 
@@ -1105,7 +1161,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(v1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1120,7 +1176,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			v1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -1199,7 +1255,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1209,7 +1265,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1220,7 +1276,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -1393,7 +1449,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"fieldsType": {
@@ -1406,7 +1462,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"fieldsV1": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1"),
+							Ref:         ref(v1.FieldsV1{}.OpenAPIModelName()),
 						},
 					},
 					"subresource": {
@@ -1420,7 +1476,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.FieldsV1{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1495,13 +1551,13 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 					"creationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionGracePeriodSeconds": {
@@ -1561,7 +1617,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+										Ref:     ref(v1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1601,7 +1657,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"),
+										Ref:     ref(v1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1611,7 +1667,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.ManagedFieldsEntry{}.OpenAPIModelName(), v1.OwnerReference{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1705,14 +1761,14 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadata(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1741,7 +1797,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1752,7 +1808,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(v1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1763,7 +1819,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -1962,7 +2018,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
@@ -1987,14 +2043,9 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						},
 					},
 					"details": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"),
+							Ref:         ref(v1.StatusDetails{}.OpenAPIModelName()),
 						},
 					},
 					"code": {
@@ -2008,7 +2059,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.StatusDetails{}.OpenAPIModelName()},
 	}
 }
 
@@ -2094,7 +2145,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"),
+										Ref:     ref(v1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2111,7 +2162,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"},
+			v1.StatusCause{}.OpenAPIModelName()},
 	}
 }
 
@@ -2140,7 +2191,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"columnDefinitions": {
@@ -2156,7 +2207,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition"),
+										Ref:     ref(v1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2175,7 +2226,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"),
+										Ref:     ref(v1.TableRow{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2186,7 +2237,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.TableColumnDefinition{}.OpenAPIModelName(), v1.TableRow{}.OpenAPIModelName()},
 	}
 }
 
@@ -2317,7 +2368,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition"),
+										Ref:     ref(v1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2326,7 +2377,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing. The media type of the object will always match the enclosing list - if this as a JSON table, these will be JSON encoded objects.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2334,7 +2385,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.TableRowCondition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2529,7 +2580,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2537,7 +2588,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2750,20 +2801,20 @@ func schema_apiserver_apis_core_v1_TestType(ref common.ReferenceCallback) common
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/core/v1.TestTypeStatus"),
+							Ref:     ref(corev1.TestTypeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/code-generator/examples/apiserver/apis/core/v1.TestTypeStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), corev1.TestTypeStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -2791,7 +2842,7 @@ func schema_apiserver_apis_core_v1_TestTypeList(ref common.ReferenceCallback) co
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2801,7 +2852,7 @@ func schema_apiserver_apis_core_v1_TestTypeList(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/core/v1.TestType"),
+										Ref:     ref(corev1.TestType{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2812,7 +2863,7 @@ func schema_apiserver_apis_core_v1_TestTypeList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/code-generator/examples/apiserver/apis/core/v1.TestType"},
+			v1.ListMeta{}.OpenAPIModelName(), corev1.TestType{}.OpenAPIModelName()},
 	}
 }
 
@@ -2845,13 +2896,13 @@ func schema_apiserver_apis_example_v1_Conversion(ref common.ReferenceCallback) c
 					"identical": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"),
+							Ref:     ref(examplev1.MemoryIdentical{}.OpenAPIModelName()),
 						},
 					},
 					"different": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent"),
+							Ref:     ref(examplev1.MemoryDifferent{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2859,7 +2910,149 @@ func schema_apiserver_apis_example_v1_Conversion(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent", "k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"},
+			examplev1.MemoryDifferent{}.OpenAPIModelName(), examplev1.MemoryIdentical{}.OpenAPIModelName()},
+	}
+}
+
+func schema_apiserver_apis_example_v1_ConversionCustom(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"publicField": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"privateField": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+				},
+				Required: []string{"publicField", "privateField"},
+			},
+		},
+	}
+}
+
+func schema_apiserver_apis_example_v1_ConversionCustomContainer(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"slice": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"sliceP": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"map": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"mapP": {
+						SchemaProps: spec.SchemaProps{
+							Type: []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Ref: ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+									},
+								},
+							},
+						},
+					},
+					"struct": {
+						SchemaProps: spec.SchemaProps{
+							Default: map[string]interface{}{},
+							Ref:     ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+						},
+					},
+					"structP": {
+						SchemaProps: spec.SchemaProps{
+							Ref: ref(examplev1.ConversionCustom{}.OpenAPIModelName()),
+						},
+					},
+				},
+				Required: []string{"slice", "sliceP", "map", "mapP", "struct", "structP"},
+			},
+		},
+		Dependencies: []string{
+			examplev1.ConversionCustom{}.OpenAPIModelName()},
+	}
+}
+
+func schema_apiserver_apis_example_v1_ConversionPrivate(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"publicField": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+					"privateField": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
+				},
+				Required: []string{"publicField", "privateField"},
+			},
+		},
 	}
 }
 
@@ -2871,7 +3064,7 @@ func schema_apiserver_apis_example_v1_MemoryDifferent(ref common.ReferenceCallba
 				Properties: map[string]spec.Schema{
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent"),
+							Ref: ref(examplev1.MemoryDifferent{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -2882,7 +3075,7 @@ func schema_apiserver_apis_example_v1_MemoryDifferent(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent"),
+										Ref:     ref(examplev1.MemoryDifferent{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2900,7 +3093,7 @@ func schema_apiserver_apis_example_v1_MemoryDifferent(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent"),
+										Ref:     ref(examplev1.MemoryDifferent{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2917,7 +3110,7 @@ func schema_apiserver_apis_example_v1_MemoryDifferent(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryDifferent"},
+			examplev1.MemoryDifferent{}.OpenAPIModelName()},
 	}
 }
 
@@ -2929,7 +3122,7 @@ func schema_apiserver_apis_example_v1_MemoryIdentical(ref common.ReferenceCallba
 				Properties: map[string]spec.Schema{
 					"items": {
 						SchemaProps: spec.SchemaProps{
-							Ref: ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"),
+							Ref: ref(examplev1.MemoryIdentical{}.OpenAPIModelName()),
 						},
 					},
 					"properties": {
@@ -2940,7 +3133,7 @@ func schema_apiserver_apis_example_v1_MemoryIdentical(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"),
+										Ref:     ref(examplev1.MemoryIdentical{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2958,7 +3151,7 @@ func schema_apiserver_apis_example_v1_MemoryIdentical(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"),
+										Ref:     ref(examplev1.MemoryIdentical{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2976,7 +3169,7 @@ func schema_apiserver_apis_example_v1_MemoryIdentical(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/code-generator/examples/apiserver/apis/example/v1.MemoryIdentical"},
+			examplev1.MemoryIdentical{}.OpenAPIModelName()},
 	}
 }
 
@@ -3004,20 +3197,20 @@ func schema_apiserver_apis_example_v1_TestType(ref common.ReferenceCallback) com
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.TestTypeStatus"),
+							Ref:     ref(examplev1.TestTypeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/code-generator/examples/apiserver/apis/example/v1.TestTypeStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), examplev1.TestTypeStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3045,7 +3238,7 @@ func schema_apiserver_apis_example_v1_TestTypeList(ref common.ReferenceCallback)
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3055,7 +3248,7 @@ func schema_apiserver_apis_example_v1_TestTypeList(ref common.ReferenceCallback)
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example/v1.TestType"),
+										Ref:     ref(examplev1.TestType{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3066,7 +3259,7 @@ func schema_apiserver_apis_example_v1_TestTypeList(ref common.ReferenceCallback)
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/code-generator/examples/apiserver/apis/example/v1.TestType"},
+			v1.ListMeta{}.OpenAPIModelName(), examplev1.TestType{}.OpenAPIModelName()},
 	}
 }
 
@@ -3114,20 +3307,20 @@ func schema_apiserver_apis_example2_v1_TestType(ref common.ReferenceCallback) co
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestTypeStatus"),
+							Ref:     ref(example2v1.TestTypeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestTypeStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), example2v1.TestTypeStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3155,7 +3348,7 @@ func schema_apiserver_apis_example2_v1_TestTypeList(ref common.ReferenceCallback
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3165,7 +3358,7 @@ func schema_apiserver_apis_example2_v1_TestTypeList(ref common.ReferenceCallback
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestType"),
+										Ref:     ref(example2v1.TestType{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3176,7 +3369,7 @@ func schema_apiserver_apis_example2_v1_TestTypeList(ref common.ReferenceCallback
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/code-generator/examples/apiserver/apis/example2/v1.TestType"},
+			v1.ListMeta{}.OpenAPIModelName(), example2v1.TestType{}.OpenAPIModelName()},
 	}
 }
 
@@ -3224,20 +3417,20 @@ func schema_apiserver_apis_example3io_v1_TestType(ref common.ReferenceCallback)
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestTypeStatus"),
+							Ref:     ref(example3iov1.TestTypeStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestTypeStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), example3iov1.TestTypeStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3265,7 +3458,7 @@ func schema_apiserver_apis_example3io_v1_TestTypeList(ref common.ReferenceCallba
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3275,7 +3468,7 @@ func schema_apiserver_apis_example3io_v1_TestTypeList(ref common.ReferenceCallba
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestType"),
+										Ref:     ref(example3iov1.TestType{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3286,7 +3479,7 @@ func schema_apiserver_apis_example3io_v1_TestTypeList(ref common.ReferenceCallba
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/code-generator/examples/apiserver/apis/example3.io/v1.TestType"},
+			v1.ListMeta{}.OpenAPIModelName(), example3iov1.TestType{}.OpenAPIModelName()},
 	}
 }
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/apis/conflicting/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/crd/apis/conflicting/v1/zz_generated.register.go
index 4870dad6688f6..778075a0729b3 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/apis/conflicting/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/apis/conflicting/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "conflicting.test.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/types.go b/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/types.go
index 0fc1edb41c9fb..4a5dc0e00047a 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/types.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/types.go
@@ -72,6 +72,8 @@ type ClusterTestType struct {
 	Status ClusterTestTypeStatus `json:"status,omitempty"`
 }
 
+// Struct level comment
 type ClusterTestTypeStatus struct {
+	// Field level comment
 	Blah string `json:"blah"`
 }
diff --git a/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/zz_generated.register.go
index 386efdf2a48af..a587c37bc97a2 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/apis/example/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/apis/example2/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/crd/apis/example2/v1/zz_generated.register.go
index 88a3a51729668..89a9645666a2e 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/apis/example2/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/apis/example2/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.test.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/apis/extensions/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/crd/apis/extensions/v1/zz_generated.register.go
index 03ef971a502d0..1fd0f578b1282 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/apis/extensions/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/apis/extensions/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "extensions.test.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testembeddedtype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testembeddedtype.go
index c3ed08e1868fa..f5c25b17ed8a3 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testembeddedtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testembeddedtype.go
@@ -20,6 +20,9 @@ package v1
 
 // TestEmbeddedTypeApplyConfiguration represents a declarative configuration of the TestEmbeddedType type for use
 // with apply.
+//
+// TestEmbeddedType is a type intended to create conflicts with other embedded structs:
+// Kind conflicts with TypeMeta (inlined), and Namespace conflicts with ObjectMeta (embedded).
 type TestEmbeddedTypeApplyConfiguration struct {
 	Kind      *string `json:"kind,omitempty"`
 	Namespace *string `json:"namespace,omitempty"`
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testtype.go
index 8c359c7b02bbf..48f17f755846c 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/conflicting/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -43,6 +45,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("conflicting.test.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttype.go
index 9a07a639daaf5..b09b655d80f12 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttype.go
@@ -41,6 +41,7 @@ func ClusterTestType(name string) *ClusterTestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b ClusterTestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttypestatus.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttypestatus.go
index c2ccfa581176e..be3302c9302b6 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttypestatus.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/clustertesttypestatus.go
@@ -20,7 +20,10 @@ package v1
 
 // ClusterTestTypeStatusApplyConfiguration represents a declarative configuration of the ClusterTestTypeStatus type for use
 // with apply.
+//
+// Struct level comment
 type ClusterTestTypeStatusApplyConfiguration struct {
+	// Field level comment
 	Blah *string `json:"blah,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/testtype.go
index 5e32019e58dc9..a8239f2849a63 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example2/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example2/v1/testtype.go
index 9efed55b5e9d5..e75cad1b98a70 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example2/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/example2/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("example.test.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testsubresource.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testsubresource.go
index a0698815201d0..272fec6e4f482 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testsubresource.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testsubresource.go
@@ -37,6 +37,7 @@ func TestSubresource() *TestSubresourceApplyConfiguration {
 	b.WithAPIVersion("extensions.test.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestSubresourceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testtype.go
index 1713f63574cbe..0e089e6f90131 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/applyconfiguration/extensions/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("extensions.test.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/crd/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/code-generator/examples/crd/clientset/versioned/fake/clientset_generated.go
index 36709318bfbf3..982ffd605cc2c 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/clientset/versioned/fake/clientset_generated.go
@@ -42,7 +42,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -58,8 +58,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -90,6 +90,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/conflicting/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/conflicting/v1/testtype.go
index 918998cb4dc51..bbfd5af450e5e 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/conflicting/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/conflicting/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ConflictingExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisconflictingv1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/clustertesttype.go
index fa1a6a963f943..56124f89a728a 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/clustertesttype.go
@@ -56,7 +56,7 @@ func NewClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ExampleV1().ClusterTestTypes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.ClusterTestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/testtype.go
index 1de4b5b39baaf..fab30223b13fb 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexamplev1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example2/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example2/v1/testtype.go
index d85abda8018af..8355be8b7f446 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example2/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/example2/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.SecondExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisexample2v1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/extensions/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/extensions/v1/testtype.go
index b614dc802a105..94a81b02a181f 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/extensions/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/extensions/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExtensionsExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisextensionsv1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/factory.go b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/factory.go
index 7723edb85b698..b0729cff5f354 100644
--- a/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/code-generator/examples/crd/informers/externalversions/factory.go
@@ -100,6 +100,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -207,7 +208,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/examples/go.mod b/staging/src/k8s.io/code-generator/examples/go.mod
index 192f8954837f8..c25e4e216bc2d 100644
--- a/staging/src/k8s.io/code-generator/examples/go.mod
+++ b/staging/src/k8s.io/code-generator/examples/go.mod
@@ -2,15 +2,15 @@
 
 module k8s.io/code-generator/examples
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
 	k8s.io/client-go v0.0.0
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 )
 
@@ -18,11 +18,10 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -32,24 +31,23 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
@@ -60,4 +58,12 @@ replace (
 	k8s.io/client-go => ../../client-go
 )
 
-replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+
+replace github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+
+replace github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+
+replace github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
+
+replace github.com/openshift/apiserver-library-go => github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
diff --git a/staging/src/k8s.io/code-generator/examples/go.sum b/staging/src/k8s.io/code-generator/examples/go.sum
index aef1269d9cbbe..fa78873811d99 100644
--- a/staging/src/k8s.io/code-generator/examples/go.sum
+++ b/staging/src/k8s.io/code-generator/examples/go.sum
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -7,8 +9,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -19,23 +21,19 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -53,19 +51,17 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -75,64 +71,41 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -140,12 +113,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/code-generator/examples/go.work b/staging/src/k8s.io/code-generator/examples/go.work
index bc4290def2c27..ebdf3df29addb 100644
--- a/staging/src/k8s.io/code-generator/examples/go.work
+++ b/staging/src/k8s.io/code-generator/examples/go.work
@@ -1,8 +1,8 @@
 // This is a hack, but it prevents go from climbing further and trying to
 // reconcile the various deps across the "real" modules and this one.
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 use .
diff --git a/staging/src/k8s.io/code-generator/examples/hack/update-codegen.sh b/staging/src/k8s.io/code-generator/examples/hack/update-codegen.sh
index c04bc344e8674..663360e1071d9 100755
--- a/staging/src/k8s.io/code-generator/examples/hack/update-codegen.sh
+++ b/staging/src/k8s.io/code-generator/examples/hack/update-codegen.sh
@@ -45,6 +45,7 @@ kube::codegen::gen_openapi \
     --output-dir "${SCRIPT_ROOT}/apiserver/openapi" \
     --output-pkg "k8s.io/${THIS_PKG}/apiserver/openapi" \
     --report-filename "${report_filename:-"/dev/null"}" \
+    --output-model-name-file "zz_generated.model_name.go" \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/apiserver/apis"
diff --git a/staging/src/k8s.io/code-generator/examples/single/api/v1/zz_generated.register.go b/staging/src/k8s.io/code-generator/examples/single/api/v1/zz_generated.register.go
index 386efdf2a48af..a587c37bc97a2 100644
--- a/staging/src/k8s.io/code-generator/examples/single/api/v1/zz_generated.register.go
+++ b/staging/src/k8s.io/code-generator/examples/single/api/v1/zz_generated.register.go
@@ -34,6 +34,7 @@ const GroupName = "example.crd.code-generator.k8s.io"
 var GroupVersion = metav1.GroupVersion{Group: GroupName, Version: "v1"}
 
 // SchemeGroupVersion is group version used to register these objects
+//
 // Deprecated: use GroupVersion instead.
 var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
 
diff --git a/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/clustertesttype.go
index 9a07a639daaf5..b09b655d80f12 100644
--- a/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/clustertesttype.go
@@ -41,6 +41,7 @@ func ClusterTestType(name string) *ClusterTestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b ClusterTestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/testtype.go
index 5e32019e58dc9..a8239f2849a63 100644
--- a/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/single/applyconfiguration/api/v1/testtype.go
@@ -26,6 +26,8 @@ import (
 
 // TestTypeApplyConfiguration represents a declarative configuration of the TestType type for use
 // with apply.
+//
+// TestType is a top-level type. A client is created for it.
 type TestTypeApplyConfiguration struct {
 	metav1.TypeMetaApplyConfiguration    `json:",inline"`
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -42,6 +44,7 @@ func TestType(name, namespace string) *TestTypeApplyConfiguration {
 	b.WithAPIVersion("example.crd.code-generator.k8s.io/v1")
 	return b
 }
+
 func (b TestTypeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/code-generator/examples/single/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/code-generator/examples/single/clientset/versioned/fake/clientset_generated.go
index 0b2413008cce3..14c4a2df62ac8 100644
--- a/staging/src/k8s.io/code-generator/examples/single/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/code-generator/examples/single/clientset/versioned/fake/clientset_generated.go
@@ -36,7 +36,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -52,8 +52,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -84,6 +84,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/clustertesttype.go b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/clustertesttype.go
index 0f80f48906735..994975101359d 100644
--- a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/clustertesttype.go
+++ b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/clustertesttype.go
@@ -56,7 +56,7 @@ func NewClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredClusterTestTypeInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ExampleV1().ClusterTestTypes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&singleapiv1.ClusterTestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/testtype.go b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/testtype.go
index 49c9a65b530b2..c20ddeeece3ef 100644
--- a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/testtype.go
+++ b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/api/v1/testtype.go
@@ -57,7 +57,7 @@ func NewTestTypeInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredTestTypeInformer(client versioned.Interface, namespace string, r
 				}
 				return client.ExampleV1().TestTypes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&singleapiv1.TestType{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/factory.go b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/factory.go
index f282ac17b61a7..65ce6a9e27165 100644
--- a/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/code-generator/examples/single/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/code-generator/go.mod b/staging/src/k8s.io/code-generator/go.mod
index d42e33f0844fd..4e3f68e55f899 100644
--- a/staging/src/k8s.io/code-generator/go.mod
+++ b/staging/src/k8s.io/code-generator/go.mod
@@ -2,34 +2,35 @@
 
 module k8s.io/code-generator
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
-	github.com/spf13/pflag v1.0.6
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/text v0.29.0
+	github.com/spf13/pflag v1.0.9
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/text v0.31.0
 	k8s.io/apimachinery v0.0.0
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/randfill v1.0.0
 )
 
 require (
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -37,19 +38,19 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/apimachinery => ../apimachinery
 )
diff --git a/staging/src/k8s.io/code-generator/go.sum b/staging/src/k8s.io/code-generator/go.sum
index 8470e09a2a228..6ca272c786eda 100644
--- a/staging/src/k8s.io/code-generator/go.sum
+++ b/staging/src/k8s.io/code-generator/go.sum
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
@@ -10,8 +12,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -30,8 +32,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -58,18 +60,17 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -77,83 +78,83 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/code-generator/kube_codegen.sh b/staging/src/k8s.io/code-generator/kube_codegen.sh
index ebb44c03b9ad4..3fb0478932587 100755
--- a/staging/src/k8s.io/code-generator/kube_codegen.sh
+++ b/staging/src/k8s.io/code-generator/kube_codegen.sh
@@ -306,6 +306,7 @@ function kube::codegen::gen_openapi() {
     local out_pkg=""
     local extra_pkgs=()
     local report="/dev/null"
+    local output_model_name_file=""
     local update_report=""
     local boilerplate="${KUBE_CODEGEN_ROOT}/hack/boilerplate.go.txt"
     local v="${KUBE_VERBOSE:-0}"
@@ -328,6 +329,10 @@ function kube::codegen::gen_openapi() {
                 report="$2"
                 shift 2
                 ;;
+            "--output-model-name-file")
+              output_model_name_file="$2"
+              shift 2
+              ;;
             "--update-report")
                 update_report="true"
                 shift
@@ -387,7 +392,7 @@ function kube::codegen::gen_openapi() {
         input_pkgs+=("${pkg}")
     done < <(
         ( kube::codegen::internal::grep -l --null \
-            -e '^\s*//\s*+k8s:openapi-gen=' \
+            -e '^\s*//\s*+k8s:openapi' \
             -r "${in_dir}" \
             --include '*.go' \
             || true \
@@ -411,9 +416,11 @@ function kube::codegen::gen_openapi() {
             --output-dir "${out_dir}" \
             --output-pkg "${out_pkg}" \
             --report-filename "${new_report}" \
+            --output-model-name-file="${output_model_name_file}" \
             "k8s.io/apimachinery/pkg/apis/meta/v1" \
             "k8s.io/apimachinery/pkg/runtime" \
             "k8s.io/apimachinery/pkg/version" \
+            "k8s.io/apimachinery/pkg/api/resource" \
             "${input_pkgs[@]}"
     fi
 
diff --git a/staging/src/k8s.io/component-base/cli/run.go b/staging/src/k8s.io/component-base/cli/run.go
index d62a66b61b213..21cb3bdf4315d 100644
--- a/staging/src/k8s.io/component-base/cli/run.go
+++ b/staging/src/k8s.io/component-base/cli/run.go
@@ -117,13 +117,14 @@ func run(cmd *cobra.Command) (logsInitialized bool, err error) {
 	logs.AddFlags(cmd.PersistentFlags())
 
 	// Inject logs.InitLogs after command line parsing into one of the
-	// PersistentPre* functions.
+	// PersistentPre* functions. Also inform about race detection, if enabled.
 	switch {
 	case cmd.PersistentPreRun != nil:
 		pre := cmd.PersistentPreRun
 		cmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 			logs.InitLogs()
 			logsInitialized = true
+			logRaceDetection()
 			pre(cmd, args)
 		}
 	case cmd.PersistentPreRunE != nil:
@@ -131,12 +132,14 @@ func run(cmd *cobra.Command) (logsInitialized bool, err error) {
 		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 			logs.InitLogs()
 			logsInitialized = true
+			logRaceDetection()
 			return pre(cmd, args)
 		}
 	default:
 		cmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
 			logs.InitLogs()
 			logsInitialized = true
+			logRaceDetection()
 		}
 	}
 
diff --git a/staging/src/k8s.io/component-base/cli/withoutrace.go b/staging/src/k8s.io/component-base/cli/withoutrace.go
new file mode 100644
index 0000000000000..4ae2749a134b2
--- /dev/null
+++ b/staging/src/k8s.io/component-base/cli/withoutrace.go
@@ -0,0 +1,24 @@
+//go:build !race
+// +build !race
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cli
+
+func logRaceDetection() {
+	// NOP. The variant in withrace.go prints a message if race detection is built in.
+}
diff --git a/staging/src/k8s.io/component-base/cli/withrace.go b/staging/src/k8s.io/component-base/cli/withrace.go
new file mode 100644
index 0000000000000..a71cec991d99f
--- /dev/null
+++ b/staging/src/k8s.io/component-base/cli/withrace.go
@@ -0,0 +1,29 @@
+//go:build race
+// +build race
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cli
+
+import (
+	"k8s.io/klog/v2"
+)
+
+func logRaceDetection() {
+	// Only called if race detection is built in.
+	klog.Info("Data race detection enabled")
+}
diff --git a/staging/src/k8s.io/component-base/compatibility/OWNERS b/staging/src/k8s.io/component-base/compatibility/OWNERS
index fab38d8073e79..283b80fe39b08 100644
--- a/staging/src/k8s.io/component-base/compatibility/OWNERS
+++ b/staging/src/k8s.io/component-base/compatibility/OWNERS
@@ -9,5 +9,6 @@ approvers:
 reviewers:
   - sig-api-machinery-api-reviewers
   - siyuanfoundation
+  - jefftree
 labels:
   - sig/api-machinery
diff --git a/staging/src/k8s.io/component-base/compatibility/registry.go b/staging/src/k8s.io/component-base/compatibility/registry.go
index fdadff7358030..78c8269e94cc5 100644
--- a/staging/src/k8s.io/component-base/compatibility/registry.go
+++ b/staging/src/k8s.io/component-base/compatibility/registry.go
@@ -46,18 +46,12 @@ type ComponentGlobals struct {
 	effectiveVersion MutableEffectiveVersion
 	featureGate      featuregate.MutableVersionedFeatureGate
 
-	// emulationVersionMapping contains the mapping from the emulation version of this component
-	// to the emulation version of another component.
-	emulationVersionMapping map[string]VersionMapping
-	// dependentEmulationVersion stores whether or not this component's EmulationVersion is dependent through mapping on another component.
-	// If true, the emulation version cannot be set from the flag, or version mapping from another component.
-	dependentEmulationVersion bool
-	// minCompatibilityVersionMapping contains the mapping from the min compatibility version of this component
-	// to the min compatibility version of another component.
-	minCompatibilityVersionMapping map[string]VersionMapping
-	// dependentMinCompatibilityVersion stores whether or not this component's MinCompatibilityVersion is dependent through mapping on another component
-	// If true, the min compatibility version cannot be set from the flag, or version mapping from another component.
-	dependentMinCompatibilityVersion bool
+	// componentVersionMapping contains the mapping from the version of this component
+	// to the version of another component.
+	componentVersionMapping map[string]VersionMapping
+	// dependentComponentVersion stores whether or not this component's version is dependent through mapping on another component.
+	// If true, the emulation/minCompatibility version cannot be set from the flag, or version mapping from another component.
+	dependentComponentVersion bool
 }
 
 // ComponentGlobalsRegistry stores the global variables for different components for easy access, including feature gate and effective version of each component.
@@ -74,7 +68,7 @@ type ComponentGlobalsRegistry interface {
 	// ComponentGlobalsOrRegister would return the registered global variables for the component if it already exists in the registry.
 	// Otherwise, the provided variables would be registered under the component, and the same variables would be returned.
 	ComponentGlobalsOrRegister(component string, effectiveVersion MutableEffectiveVersion, featureGate featuregate.MutableVersionedFeatureGate) (MutableEffectiveVersion, featuregate.MutableVersionedFeatureGate)
-	// AddFlags adds flags of "--emulated-version" and "--feature-gates"
+	// AddFlags adds flags of "--emulated-version", "--min-compatibility-version" and "--feature-gates"
 	AddFlags(fs *pflag.FlagSet)
 	// Set sets the flags for all global variables for all components registered.
 	// A component's feature gate and effective version would not be updated until Set() is called.
@@ -85,12 +79,12 @@ type ComponentGlobalsRegistry interface {
 	Validate() []error
 	// Reset removes all stored ComponentGlobals, configurations, and version mappings.
 	Reset()
-	// SetEmulationVersionMapping sets the mapping from the emulation version of one component
-	// to the emulation version of another component.
-	// Once set, the emulation version of the toComponent will be determined by the emulation version of the fromComponent,
+	// SetVersionMapping sets the mapping from the emulation/minCompatibility version of one component
+	// to the emulation/minCompatibility version of another component.
+	// Once set, the emulation/minCompatibility version of the toComponent will be determined by the emulation/minCompatibility version of the fromComponent,
 	// and cannot be set from cmd flags anymore.
-	// For a given component, its emulation version can only depend on one other component, no multiple dependency is allowed.
-	SetEmulationVersionMapping(fromComponent, toComponent string, f VersionMapping) error
+	// For a given component, its emulation/minCompatibility version can only depend on one other component, no multiple dependency is allowed.
+	SetVersionMapping(fromComponent, toComponent string, f VersionMapping) error
 	// AddMetrics adds metrics for the emulation version of a component.
 	AddMetrics()
 }
@@ -100,11 +94,15 @@ type componentGlobalsRegistry struct {
 	mutex            sync.RWMutex
 	// emulationVersionConfig stores the list of component name to emulation version set from the flag.
 	// When the `--emulated-version` flag is parsed, it would not take effect until Set() is called,
-	// because the emulation version needs to be set before the feature gate is set.
+	// because we have to enforce of order of setting the emulation version first, then min compatibility version, and last the feature gate.
 	emulationVersionConfig []string
+	// minCompatibilityVersionConfig stores the list of component name to min compatibility version set from the flag.
+	// When the `--min-compatibility-version` flag is parsed, it would not take effect until Set() is called,
+	// because we have to enforce of order of setting the emulation version first, then min compatibility version, and last the feature gate.
+	minCompatibilityVersionConfig []string
 	// featureGatesConfig stores the map of component name to the list of feature gates set from the flag.
 	// When the `--feature-gates` flag is parsed, it would not take effect until Set() is called,
-	// because the emulation version needs to be set before the feature gate is set.
+	// because we have to enforce of order of setting the emulation version first, then min compatibility version, and last the feature gate.
 	featureGatesConfig map[string][]string
 	// featureGatesConfigFlags stores a pointer to the flag value, allowing other commands
 	// to append to the feature gates configuration rather than overwriting it
@@ -115,9 +113,10 @@ type componentGlobalsRegistry struct {
 
 func NewComponentGlobalsRegistry() *componentGlobalsRegistry {
 	return &componentGlobalsRegistry{
-		componentGlobals:       make(map[string]*ComponentGlobals),
-		emulationVersionConfig: nil,
-		featureGatesConfig:     nil,
+		componentGlobals:              make(map[string]*ComponentGlobals),
+		emulationVersionConfig:        nil,
+		minCompatibilityVersionConfig: nil,
+		featureGatesConfig:            nil,
 	}
 }
 
@@ -136,6 +135,7 @@ func (r *componentGlobalsRegistry) Reset() {
 	defer r.mutex.Unlock()
 	r.componentGlobals = make(map[string]*ComponentGlobals)
 	r.emulationVersionConfig = nil
+	r.minCompatibilityVersionConfig = nil
 	r.featureGatesConfig = nil
 	r.featureGatesConfigFlags = nil
 	r.set = false
@@ -166,15 +166,15 @@ func (r *componentGlobalsRegistry) unsafeRegister(component string, effectiveVer
 		return fmt.Errorf("component globals of %s already registered", component)
 	}
 	if featureGate != nil {
-		if err := featureGate.SetEmulationVersion(effectiveVersion.EmulationVersion()); err != nil {
+		if err := featureGate.SetEmulationVersionAndMinCompatibilityVersion(
+			effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion()); err != nil {
 			return err
 		}
 	}
 	c := ComponentGlobals{
-		effectiveVersion:               effectiveVersion,
-		featureGate:                    featureGate,
-		emulationVersionMapping:        make(map[string]VersionMapping),
-		minCompatibilityVersionMapping: make(map[string]VersionMapping),
+		effectiveVersion:        effectiveVersion,
+		featureGate:             featureGate,
+		componentVersionMapping: make(map[string]VersionMapping),
 	}
 	r.componentGlobals[component] = &c
 	return nil
@@ -217,15 +217,12 @@ func (r *componentGlobalsRegistry) unsafeKnownFeatures() []string {
 func (r *componentGlobalsRegistry) unsafeVersionFlagOptions(isEmulation bool) []string {
 	var vs []string
 	for component, globals := range r.componentGlobals {
+		if globals.dependentComponentVersion {
+			continue
+		}
 		if isEmulation {
-			if globals.dependentEmulationVersion {
-				continue
-			}
 			vs = append(vs, fmt.Sprintf("%s=%s", component, globals.effectiveVersion.AllowedEmulationVersionRange()))
 		} else {
-			if globals.dependentMinCompatibilityVersion {
-				continue
-			}
 			vs = append(vs, fmt.Sprintf("%s=%s", component, globals.effectiveVersion.AllowedMinCompatibilityVersionRange()))
 		}
 	}
@@ -251,6 +248,16 @@ func (r *componentGlobalsRegistry) AddFlags(fs *pflag.FlagSet) {
 		"Version format could only be major.minor, for example: '--emulated-version=wardle=1.2,kube=1.31'.\nOptions are: "+strings.Join(r.unsafeVersionFlagOptions(true), ",")+
 		"\nIf the component is not specified, defaults to \"kube\"")
 
+	// min-compatibility-version is typically the minimal binary version of all control plane components the server expects to coexist with throughout the lifecycle of this server.
+	// If set to smaller than the server emulated version, the newest CEL features/libraries/parameters introduced after the min compatibility version would not be turned on,
+	// feature stages with a MinCompatibilityVersion higher than this value will be skipped, and the resource storage version will be set based on the min compatibility version.
+	// It can be set to equal to the binary version after all control plane components are upgraded, after which features with compatibility implications could be enabled, the newest CEL features/libraries/parameters would turned on, but rollbacks are no longer supported.
+	fs.StringSliceVar(&r.minCompatibilityVersionConfig, "min-compatibility-version", r.minCompatibilityVersionConfig, ""+
+		"The min version of control plane components the server should be compatible with.\n"+
+		"Must be less or equal to the emulated-version. Version format could only be major.minor, for example: '--min-compatibility-version=wardle=1.2,kube=1.31'.\n"+
+		"Options are: "+strings.Join(r.unsafeVersionFlagOptions(false), ",")+
+		"\nIf the component is not specified, defaults to \"kube\"")
+
 	if r.featureGatesConfigFlags == nil {
 		r.featureGatesConfigFlags = cliflag.NewColonSeparatedMultimapStringStringAllowDefaultEmptyKey(&r.featureGatesConfig)
 	}
@@ -264,9 +271,9 @@ type componentVersion struct {
 	ver       *version.Version
 }
 
-// getFullEmulationVersionConfig expands the given version config with version registered version mapping,
+// getFullVersionConfig expands the given version config with registered version mapping,
 // and returns the map of component to Version.
-func (r *componentGlobalsRegistry) getFullEmulationVersionConfig(
+func (r *componentGlobalsRegistry) getFullVersionConfig(
 	versionConfigMap map[string]*version.Version) (map[string]*version.Version, error) {
 	result := map[string]*version.Version{}
 	setQueue := []componentVersion{}
@@ -284,7 +291,7 @@ func (r *componentGlobalsRegistry) getFullEmulationVersionConfig(
 		}
 		setQueue = setQueue[1:]
 		result[cv.component] = cv.ver
-		for toComp, f := range r.componentGlobals[cv.component].emulationVersionMapping {
+		for toComp, f := range r.componentGlobals[cv.component].componentVersionMapping {
 			toVer := f(cv.ver)
 			if toVer == nil {
 				return result, fmt.Errorf("got nil version from mapping of %s=%s to component:%s", cv.component, cv.ver.String(), toComp)
@@ -350,24 +357,45 @@ func (r *componentGlobalsRegistry) Set() error {
 			return fmt.Errorf("component not registered: %s", comp)
 		}
 		// only components without any dependencies can be set from the flag.
-		if r.componentGlobals[comp].dependentEmulationVersion {
+		if r.componentGlobals[comp].dependentComponentVersion {
 			return fmt.Errorf("EmulationVersion of %s is set by mapping, cannot set it by flag", comp)
 		}
 	}
-	if emulationVersions, err := r.getFullEmulationVersionConfig(emulationVersionConfigMap); err != nil {
+	if emulationVersions, err := r.getFullVersionConfig(emulationVersionConfigMap); err != nil {
 		return err
 	} else {
 		for comp, ver := range emulationVersions {
 			r.componentGlobals[comp].effectiveVersion.SetEmulationVersion(ver)
 		}
 	}
+
+	minCompatibilityVersionConfigMap, err := toVersionMap(r.minCompatibilityVersionConfig)
+	if err != nil {
+		return err
+	}
+	for comp := range minCompatibilityVersionConfigMap {
+		if _, ok := r.componentGlobals[comp]; !ok {
+			return fmt.Errorf("component not registered: %s", comp)
+		}
+		// only components without any dependencies can be set from the flag.
+		if r.componentGlobals[comp].dependentComponentVersion {
+			return fmt.Errorf("MinCompatibilityVersion of %s is set by mapping, cannot set it by flag", comp)
+		}
+	}
+	if minCompatibilityVersions, err := r.getFullVersionConfig(minCompatibilityVersionConfigMap); err != nil {
+		return err
+	} else {
+		for comp, ver := range minCompatibilityVersions {
+			r.componentGlobals[comp].effectiveVersion.SetMinCompatibilityVersion(ver)
+		}
+	}
 	// Set feature gate emulation version before setting feature gate flag values.
 	for comp, globals := range r.componentGlobals {
 		if globals.featureGate == nil {
 			continue
 		}
-		klog.V(klogLevel).Infof("setting %s:feature gate emulation version to %s", comp, globals.effectiveVersion.EmulationVersion().String())
-		if err := globals.featureGate.SetEmulationVersion(globals.effectiveVersion.EmulationVersion()); err != nil {
+		klog.V(klogLevel).Infof("setting %s:feature gate emulation version to %s, min compatibility version to %s", comp, globals.effectiveVersion.EmulationVersion().String(), globals.effectiveVersion.MinCompatibilityVersion().String())
+		if err := globals.featureGate.SetEmulationVersionAndMinCompatibilityVersion(globals.effectiveVersion.EmulationVersion(), globals.effectiveVersion.MinCompatibilityVersion()); err != nil {
 			return err
 		}
 	}
@@ -426,7 +454,7 @@ func enabledAlphaFeatures(features map[featuregate.Feature]featuregate.FeatureSp
 	return enabled
 }
 
-func (r *componentGlobalsRegistry) SetEmulationVersionMapping(fromComponent, toComponent string, f VersionMapping) error {
+func (r *componentGlobalsRegistry) SetVersionMapping(fromComponent, toComponent string, f VersionMapping) error {
 	if f == nil {
 		return nil
 	}
@@ -440,19 +468,19 @@ func (r *componentGlobalsRegistry) SetEmulationVersionMapping(fromComponent, toC
 		return fmt.Errorf("component not registered: %s", toComponent)
 	}
 	// check multiple dependency
-	if r.componentGlobals[toComponent].dependentEmulationVersion {
+	if r.componentGlobals[toComponent].dependentComponentVersion {
 		return fmt.Errorf("mapping of %s already exists from another component", toComponent)
 	}
-	r.componentGlobals[toComponent].dependentEmulationVersion = true
+	r.componentGlobals[toComponent].dependentComponentVersion = true
 
-	versionMapping := r.componentGlobals[fromComponent].emulationVersionMapping
+	versionMapping := r.componentGlobals[fromComponent].componentVersionMapping
 	if _, ok := versionMapping[toComponent]; ok {
 		return fmt.Errorf("EmulationVersion from %s to %s already exists", fromComponent, toComponent)
 	}
 	versionMapping[toComponent] = f
 	klog.V(klogLevel).Infof("setting the default EmulationVersion of %s based on mapping from the default EmulationVersion of %s", toComponent, fromComponent)
 	defaultFromVersion := r.componentGlobals[fromComponent].effectiveVersion.EmulationVersion()
-	emulationVersions, err := r.getFullEmulationVersionConfig(map[string]*version.Version{fromComponent: defaultFromVersion})
+	emulationVersions, err := r.getFullVersionConfig(map[string]*version.Version{fromComponent: defaultFromVersion})
 	if err != nil {
 		return err
 	}
diff --git a/staging/src/k8s.io/component-base/compatibility/registry_test.go b/staging/src/k8s.io/component-base/compatibility/registry_test.go
index 7f67eeee44478..e69ab29554dad 100644
--- a/staging/src/k8s.io/component-base/compatibility/registry_test.go
+++ b/staging/src/k8s.io/component-base/compatibility/registry_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package compatibility
 
 import (
-	"fmt"
 	"reflect"
 	"strings"
 	"testing"
@@ -119,7 +118,7 @@ func TestVersionFlagOptions(t *testing.T) {
 
 func TestVersionFlagOptionsWithMapping(t *testing.T) {
 	r := testRegistry(t)
-	utilruntime.Must(r.SetEmulationVersionMapping(testComponent, DefaultKubeComponent,
+	utilruntime.Must(r.SetVersionMapping(testComponent, DefaultKubeComponent,
 		func(from *version.Version) *version.Version { return version.MajorMinor(1, from.Minor()+23) }))
 	emuVers := strings.Join(r.unsafeVersionFlagOptions(true), ",")
 	expectedEmuVers := "test=2.8..2.8(default:2.8)"
@@ -127,7 +126,7 @@ func TestVersionFlagOptionsWithMapping(t *testing.T) {
 		t.Errorf("wanted emulation version flag options to be: %s, got %s", expectedEmuVers, emuVers)
 	}
 	minCompVers := strings.Join(r.unsafeVersionFlagOptions(false), ",")
-	expectedMinCompVers := "kube=1.30..1.31(default:1.30),test=2.7..2.8(default:2.7)"
+	expectedMinCompVers := "test=2.7..2.8(default:2.7)"
 	if minCompVers != expectedMinCompVers {
 		t.Errorf("wanted min compatibility version flag options to be: %s, got %s", expectedMinCompVers, minCompVers)
 	}
@@ -151,19 +150,22 @@ func TestVersionedFeatureGateFlags(t *testing.T) {
 
 func TestFlags(t *testing.T) {
 	tests := []struct {
-		name                         string
-		setupRegistry                func(r *componentGlobalsRegistry) error
-		flags                        []string
-		parseError                   string
-		expectedKubeEmulationVersion string
-		expectedTestEmulationVersion string
-		expectedKubeFeatureValues    map[featuregate.Feature]bool
-		expectedTestFeatureValues    map[featuregate.Feature]bool
+		name                                string
+		setupRegistry                       func(r *componentGlobalsRegistry) error
+		flags                               []string
+		parseError                          string
+		expectedKubeEmulationVersion        string
+		expectedTestEmulationVersion        string
+		expectedKubeMinCompatibilityVersion string
+		expectedTestMinCompatibilityVersion string
+		expectedKubeFeatureValues           map[featuregate.Feature]bool
+		expectedTestFeatureValues           map[featuregate.Feature]bool
 	}{
 		{
-			name:                         "setting kube emulation version",
-			flags:                        []string{"--emulated-version=kube=1.30"},
-			expectedKubeEmulationVersion: "1.30",
+			name:                                "setting kube emulation version",
+			flags:                               []string{"--emulated-version=kube=1.30", "--min-compatibility-version=kube=1.28"},
+			expectedKubeEmulationVersion:        "1.30",
+			expectedKubeMinCompatibilityVersion: "1.28",
 		},
 		{
 			name: "setting kube emulation version twice",
@@ -174,9 +176,18 @@ func TestFlags(t *testing.T) {
 			parseError: "duplicate version flag, kube=1.30 and kube=1.32",
 		},
 		{
-			name:                         "prefix v ok",
-			flags:                        []string{"--emulated-version=kube=v1.30"},
-			expectedKubeEmulationVersion: "1.30",
+			name: "setting min compatibility version twice",
+			flags: []string{
+				"--min-compatibility-version=kube=1.30",
+				"--min-compatibility-version=kube=1.29",
+			},
+			parseError: "duplicate version flag, kube=1.30 and kube=1.29",
+		},
+		{
+			name:                                "prefix v ok",
+			flags:                               []string{"--emulated-version=kube=v1.30", "--min-compatibility-version=kube=v1.28"},
+			expectedKubeEmulationVersion:        "1.30",
+			expectedKubeMinCompatibilityVersion: "1.28",
 		},
 		{
 			name:       "patch version not ok",
@@ -184,15 +195,23 @@ func TestFlags(t *testing.T) {
 			parseError: "patch version not allowed, got: kube=1.30.2",
 		},
 		{
-			name:                         "setting test emulation version",
-			flags:                        []string{"--emulated-version=test=2.7"},
-			expectedKubeEmulationVersion: "1.31",
-			expectedTestEmulationVersion: "2.7",
+			name:       "patch min compatibility version not ok",
+			flags:      []string{"--min-compatibility-version=kube=1.30.2"},
+			parseError: "patch version not allowed, got: kube=1.30.2",
 		},
 		{
-			name:                         "version missing component default to kube",
-			flags:                        []string{"--emulated-version=1.30"},
-			expectedKubeEmulationVersion: "1.30",
+			name:                                "setting test emulation version",
+			flags:                               []string{"--emulated-version=test=2.7", "--min-compatibility-version=test=v2.5"},
+			expectedKubeEmulationVersion:        "1.31",
+			expectedTestEmulationVersion:        "2.7",
+			expectedKubeMinCompatibilityVersion: "1.30",
+			expectedTestMinCompatibilityVersion: "2.5",
+		},
+		{
+			name:                                "version missing component default to kube",
+			flags:                               []string{"--emulated-version=1.30", "--min-compatibility-version=v1.28"},
+			expectedKubeEmulationVersion:        "1.30",
+			expectedKubeMinCompatibilityVersion: "1.28",
 		},
 		{
 			name:       "version missing component default to kube with duplicate",
@@ -209,6 +228,21 @@ func TestFlags(t *testing.T) {
 			flags:      []string{"--emulated-version=test=1.foo"},
 			parseError: "illegal version string \"1.foo\"",
 		},
+		{
+			name:       "min compatibility version missing component default to kube with duplicate",
+			flags:      []string{"--min-compatibility-version=1.30", "--min-compatibility-version=kube=1.30"},
+			parseError: "duplicate version flag, kube=1.30 and kube=1.30",
+		},
+		{
+			name:       "min compatibility version unregistered component",
+			flags:      []string{"--min-compatibility-version=test3=1.31"},
+			parseError: "component not registered: test3",
+		},
+		{
+			name:       "invalid min compatibility version",
+			flags:      []string{"--min-compatibility-version=test=1.foo"},
+			parseError: "illegal version string \"1.foo\"",
+		},
 		{
 			name: "setting test feature flag",
 			flags: []string{
@@ -332,6 +366,12 @@ func TestFlags(t *testing.T) {
 			if len(test.expectedTestEmulationVersion) > 0 {
 				assertVersionEqualTo(t, r.EffectiveVersionFor(testComponent).EmulationVersion(), test.expectedTestEmulationVersion)
 			}
+			if len(test.expectedKubeMinCompatibilityVersion) > 0 {
+				assertVersionEqualTo(t, r.EffectiveVersionFor(DefaultKubeComponent).MinCompatibilityVersion(), test.expectedKubeMinCompatibilityVersion)
+			}
+			if len(test.expectedTestMinCompatibilityVersion) > 0 {
+				assertVersionEqualTo(t, r.EffectiveVersionFor(testComponent).MinCompatibilityVersion(), test.expectedTestMinCompatibilityVersion)
+			}
 			for f, v := range test.expectedKubeFeatureValues {
 				if r.FeatureGateFor(DefaultKubeComponent).Enabled(f) != v {
 					t.Errorf("%d: expected kube feature Enabled(%s)=%v", i, f, v)
@@ -357,25 +397,31 @@ func TestVersionMapping(t *testing.T) {
 	utilruntime.Must(r.Register("test3", ver3, nil))
 
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").EmulationVersion(), "0.58")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").MinCompatibilityVersion(), "0.57")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").EmulationVersion(), "1.28")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").MinCompatibilityVersion(), "1.27")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.10")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").MinCompatibilityVersion(), "2.9")
 
-	utilruntime.Must(r.SetEmulationVersionMapping("test2", "test3",
+	utilruntime.Must(r.SetVersionMapping("test2", "test3",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()+1, from.Minor()-19)
 		}))
-	utilruntime.Must(r.SetEmulationVersionMapping("test1", "test2",
+	utilruntime.Must(r.SetVersionMapping("test1", "test2",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()+1, from.Minor()-28)
 		}))
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").EmulationVersion(), "0.58")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").MinCompatibilityVersion(), "0.57")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").EmulationVersion(), "1.30")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").MinCompatibilityVersion(), "1.29")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.11")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").MinCompatibilityVersion(), "2.10")
 
 	fs := pflag.NewFlagSet("testflag", pflag.ContinueOnError)
 	r.AddFlags(fs)
 
-	if err := fs.Parse([]string{fmt.Sprintf("--emulated-version=%s", "test1=0.56")}); err != nil {
+	if err := fs.Parse([]string{"--emulated-version=test1=0.56", "--min-compatibility-version=test1=0.54"}); err != nil {
 		t.Fatal(err)
 		return
 	}
@@ -384,8 +430,11 @@ func TestVersionMapping(t *testing.T) {
 		return
 	}
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").EmulationVersion(), "0.56")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").MinCompatibilityVersion(), "0.54")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").EmulationVersion(), "1.28")
-	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.09")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").MinCompatibilityVersion(), "1.26")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.9")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").MinCompatibilityVersion(), "2.7")
 }
 
 func TestVersionMappingWithMultipleDependency(t *testing.T) {
@@ -401,12 +450,15 @@ func TestVersionMappingWithMultipleDependency(t *testing.T) {
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").EmulationVersion(), "0.58")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").EmulationVersion(), "1.28")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.10")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").MinCompatibilityVersion(), "0.57")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").MinCompatibilityVersion(), "1.27")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").MinCompatibilityVersion(), "2.9")
 
-	utilruntime.Must(r.SetEmulationVersionMapping("test1", "test2",
+	utilruntime.Must(r.SetVersionMapping("test1", "test2",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()+1, from.Minor()-28)
 		}))
-	err := r.SetEmulationVersionMapping("test3", "test2",
+	err := r.SetVersionMapping("test3", "test2",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()-1, from.Minor()+19)
 		})
@@ -428,16 +480,19 @@ func TestVersionMappingWithCyclicDependency(t *testing.T) {
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").EmulationVersion(), "0.58")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").EmulationVersion(), "1.28")
 	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").EmulationVersion(), "2.10")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test1").MinCompatibilityVersion(), "0.57")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test2").MinCompatibilityVersion(), "1.27")
+	assertVersionEqualTo(t, r.EffectiveVersionFor("test3").MinCompatibilityVersion(), "2.9")
 
-	utilruntime.Must(r.SetEmulationVersionMapping("test1", "test2",
+	utilruntime.Must(r.SetVersionMapping("test1", "test2",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()+1, from.Minor()-28)
 		}))
-	utilruntime.Must(r.SetEmulationVersionMapping("test2", "test3",
+	utilruntime.Must(r.SetVersionMapping("test2", "test3",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()+1, from.Minor()-19)
 		}))
-	err := r.SetEmulationVersionMapping("test3", "test1",
+	err := r.SetVersionMapping("test3", "test1",
 		func(from *version.Version) *version.Version {
 			return version.MajorMinor(from.Major()-2, from.Minor()+48)
 		})
diff --git a/staging/src/k8s.io/component-base/compatibility/version_test.go b/staging/src/k8s.io/component-base/compatibility/version_test.go
index e7042778f8650..0c1fc3e77f2cd 100644
--- a/staging/src/k8s.io/component-base/compatibility/version_test.go
+++ b/staging/src/k8s.io/component-base/compatibility/version_test.go
@@ -147,6 +147,67 @@ func TestSetEmulationVersion(t *testing.T) {
 	}
 }
 
+func TestSetMinCompatibilityVersion(t *testing.T) {
+	tests := []struct {
+		name                         string
+		binaryVersion                string
+		emulationVersion             string
+		minCompatibilityVersion      string
+		emulationVersionFloor        string
+		minCompatibilityVersionFloor string
+	}{
+		{
+			name:                         "normal case",
+			binaryVersion:                "v1.34",
+			emulationVersion:             "v1.32",
+			minCompatibilityVersion:      "v1.30",
+			emulationVersionFloor:        "v1.31",
+			minCompatibilityVersionFloor: "v1.30",
+		},
+		{
+			name:                         "minCompatibilityVersion equal to emulationVersion",
+			binaryVersion:                "v1.34",
+			emulationVersion:             "v1.34",
+			minCompatibilityVersion:      "v1.34",
+			emulationVersionFloor:        "v1.31",
+			minCompatibilityVersionFloor: "v1.31",
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			effective := NewEffectiveVersionFromString(test.binaryVersion, test.emulationVersionFloor, test.minCompatibilityVersionFloor)
+
+			emulationVersion := version.MustParseGeneric(test.emulationVersion)
+			effective.SetEmulationVersion(emulationVersion)
+			if !effective.EmulationVersion().EqualTo(emulationVersion) {
+				t.Errorf("expected emulationVersion %s, got %s", emulationVersion.String(), effective.EmulationVersion().String())
+			}
+			minCompatibilityVersion := version.MustParseGeneric(test.minCompatibilityVersion)
+			effective.SetMinCompatibilityVersion(minCompatibilityVersion)
+			if !effective.MinCompatibilityVersion().EqualTo(minCompatibilityVersion) {
+				t.Errorf("expected minCompatibilityVersion %s, got %s", minCompatibilityVersion.String(), effective.MinCompatibilityVersion().String())
+			}
+			// verify emulationVersion is not changed
+			if !effective.EmulationVersion().EqualTo(emulationVersion) {
+				t.Errorf("expected emulationVersion %s, got %s", emulationVersion.String(), effective.EmulationVersion().String())
+			}
+			errs := effective.Validate()
+			if len(errs) > 0 {
+				t.Fatalf("expected no Validate errors, errors found %+v", errs)
+				return
+			}
+			// if SetEmulationVersion is called again, it would change the minCompatibilityVersion back to emulationVersion - 1
+			effective.SetEmulationVersion(emulationVersion)
+			if !effective.EmulationVersion().EqualTo(emulationVersion) {
+				t.Errorf("expected emulationVersion %s, got %s", emulationVersion.String(), effective.EmulationVersion().String())
+			}
+			if !effective.MinCompatibilityVersion().EqualTo(emulationVersion.SubtractMinor(1)) {
+				t.Errorf("expected minCompatibilityVersion %s, got %s", emulationVersion.SubtractMinor(1).String(), effective.MinCompatibilityVersion().String())
+			}
+		})
+	}
+}
+
 func TestInfo(t *testing.T) {
 	tests := []struct {
 		name                          string
diff --git a/staging/src/k8s.io/component-base/config/testing/apigroup.go b/staging/src/k8s.io/component-base/config/testing/apigroup.go
index ead01ad2bc690..863cab16ad6b1 100644
--- a/staging/src/k8s.io/component-base/config/testing/apigroup.go
+++ b/staging/src/k8s.io/component-base/config/testing/apigroup.go
@@ -22,6 +22,8 @@ import (
 	"regexp"
 	"strings"
 
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	apinamingtest "k8s.io/apimachinery/pkg/api/apitesting/naming"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -201,7 +203,7 @@ func dashesToCapitalCase(str string) string {
 	segments := strings.Split(str, "-")
 	result := ""
 	for _, segment := range segments {
-		result += strings.Title(segment)
+		result += cases.Title(language.English).String(segment)
 	}
 	return result
 }
diff --git a/staging/src/k8s.io/component-base/config/v1alpha1/doc.go b/staging/src/k8s.io/component-base/config/v1alpha1/doc.go
index 7e4d6e8904e2c..d1ef3491d6c8e 100644
--- a/staging/src/k8s.io/component-base/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/component-base/config/v1alpha1/doc.go
@@ -16,5 +16,7 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:conversion-gen=k8s.io/component-base/config
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.component-base.config.v1alpha1
 
 package v1alpha1
diff --git a/staging/src/k8s.io/component-base/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/component-base/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..587e63802c2ce
--- /dev/null
+++ b/staging/src/k8s.io/component-base/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ClientConnectionConfiguration) OpenAPIModelName() string {
+	return "io.k8s.component-base.config.v1alpha1.ClientConnectionConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DebuggingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.component-base.config.v1alpha1.DebuggingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaderElectionConfiguration) OpenAPIModelName() string {
+	return "io.k8s.component-base.config.v1alpha1.LeaderElectionConfiguration"
+}
diff --git a/staging/src/k8s.io/component-base/featuregate/feature_gate.go b/staging/src/k8s.io/component-base/featuregate/feature_gate.go
index f40a8d77d19ed..79c51ad51fcb8 100644
--- a/staging/src/k8s.io/component-base/featuregate/feature_gate.go
+++ b/staging/src/k8s.io/component-base/featuregate/feature_gate.go
@@ -19,7 +19,9 @@ package featuregate
 import (
 	"context"
 	"fmt"
+	"maps"
 	"reflect"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -63,7 +65,7 @@ var (
 	}
 
 	// Special handling for a few gates.
-	specialFeatures = map[Feature]func(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, cVer *version.Version){
+	specialFeatures = map[Feature]func(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, emuVer, minCompatVer *version.Version){
 		allAlphaGate: setUnsetAlphaGates,
 		allBetaGate:  setUnsetBetaGates,
 	}
@@ -80,6 +82,39 @@ type FeatureSpec struct {
 	// If multiple FeatureSpecs exist for a Feature, the one with the highest version that is less
 	// than or equal to the effective version of the component is used.
 	Version *version.Version
+	// MinCompatibilityVersion indicates the lowest version that this feature spec is compatible with.
+	// The component's minimum compatibility version must be greater than or equal to this version for this spec to be used.
+	// This allows features with skew compatibility implications to be introduced as Beta,
+	// but only on by default once the minimum compatibility version is high enough.
+	// If unspecified, it is inherited from the previous feature stage.
+	// If specified, it must be preceded by another FeatureSpec with the same version and different default but without the MinCompatibilityVersion.
+	// i.e. MinCompatibilityVersion should only be used to specify a different default value at the same version.
+	//
+	// Version vs. MinCompatibilityVersion:
+	//  - Version determines the stability of the feature based on the server's emulation version.
+	//  - MinCompatibilityVersion adds a further check based on the version compatibility
+	// with all servers in the control plane this server expects to communicate with.
+	//
+	// Example:
+	// 	FeatureA: []FeatureSpec{
+	// 		{Version: version.MustParse("1.35"), Default: false, PreRelease: Beta},
+	// 		{Version: version.MustParse("1.35"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.35")},
+	// 	}
+	// In a server running version 1.35:
+	//  - With --min-compatibility-version=1.34 (default), FeatureA is Beta and disabled by default.
+	//  - With --min-compatibility-version=1.35, FeatureA becomes enabled by default.
+	MinCompatibilityVersion *version.Version
+}
+
+func (spec *FeatureSpec) HelpString(featureName Feature, includeCompatVer bool) string {
+	if spec.PreRelease == GA || spec.PreRelease == Deprecated || spec.PreRelease == PreAlpha {
+		return ""
+	}
+	s := fmt.Sprintf("%s=true|false (%s - default=%t)", featureName, spec.PreRelease, spec.Default)
+	if includeCompatVer && spec.MinCompatibilityVersion != nil {
+		return s + fmt.Sprintf(" if --min-compatibility-version>=%s", spec.MinCompatibilityVersion)
+	}
+	return s
 }
 
 type VersionedSpecs []FeatureSpec
@@ -111,6 +146,8 @@ type FeatureGate interface {
 	Enabled(key Feature) bool
 	// KnownFeatures returns a slice of strings describing the FeatureGate's known features.
 	KnownFeatures() []string
+	// Dependencies returns a copy of the known feature dependencies.
+	Dependencies() map[Feature][]Feature
 	// DeepCopy returns a deep copy of the FeatureGate object, such that gates can be
 	// set on the copy without mutating the original. This is useful for validating
 	// config against potential feature gate changes before committing those changes.
@@ -161,14 +198,26 @@ type MutableVersionedFeatureGate interface {
 	// If set, the feature gate would enable/disable features based on
 	// feature availability and pre-release at the emulated version instead of the binary version.
 	EmulationVersion() *version.Version
-	// SetEmulationVersion overrides the emulationVersion of the feature gate.
+	// MinCompatibilityVersion returns the minimum version of all control plane components
+	// that the current server must maintain compatibility with.
+	// This is used to gate features that have cross-component compatibility concerns, for example, during cluster upgrades/rollbacks.
+	// If not explicitly set, it defaults to one minor version prior to EmulationVersion().
+	// A feature stage is disabled if its FeatureSpec.MinCompatibilityVersion is greater than this version.
+	MinCompatibilityVersion() *version.Version
+	// SetEmulationVersion overrides the emulationVersion of the feature gate, and
+	// overrides the minCompatibilityVersion to 1 minor before emulationVersion.`
 	// Otherwise, the emulationVersion will be the same as the binary version.
 	// If set, the feature defaults and availability will be as if the binary is at the emulated version.
 	SetEmulationVersion(emulationVersion *version.Version) error
+	// SetEmulationVersion overrides the emulationVersion and minCompatibilityVersion of the feature gate.
+	SetEmulationVersionAndMinCompatibilityVersion(emulationVersion *version.Version, minCompatibilityVersion *version.Version) error
 	// GetAll returns a copy of the map of known feature names to versioned feature specs.
 	GetAllVersioned() map[Feature]VersionedSpecs
 	// AddVersioned adds versioned feature specs to the featureGate.
 	AddVersioned(features map[Feature]VersionedSpecs) error
+	// AddDependencies marks features that depend on other features. Must be called after all
+	// referenced features have already been added (dependents & depnedencies). Cycles are forbidden.
+	AddDependencies(features map[Feature][]Feature) error
 	// OverrideDefaultAtVersion sets a local override for the registered default value of a named
 	// feature for the prerelease lifecycle the given version is at.
 	// If the feature has not been previously registered (e.g. by a call to Add),
@@ -196,14 +245,15 @@ type MutableVersionedFeatureGate interface {
 type featureGate struct {
 	featureGateName string
 
-	special map[Feature]func(map[Feature]VersionedSpecs, map[Feature]bool, bool, *version.Version)
+	special map[Feature]func(map[Feature]VersionedSpecs, map[Feature]bool, bool, *version.Version, *version.Version)
 
 	// lock guards writes to all below fields.
 	lock sync.Mutex
 	// known holds a map[Feature]FeatureSpec
 	known atomic.Value
 	// enabled holds a map[Feature]bool
-	enabled atomic.Value
+	enabled      atomic.Value
+	dependencies atomic.Pointer[map[Feature][]Feature]
 	// enabledRaw holds a raw map[string]bool of the parsed flag.
 	// It keeps the original values of "special" features like "all alpha gates",
 	// while enabled keeps the values of all resolved features.
@@ -212,16 +262,17 @@ type featureGate struct {
 	closed bool
 	// queriedFeatures stores all the features that have been queried through the Enabled interface.
 	// It is reset when SetEmulationVersion is called.
-	queriedFeatures  atomic.Value
-	emulationVersion atomic.Pointer[version.Version]
+	queriedFeatures         atomic.Value
+	emulationVersion        atomic.Pointer[version.Version]
+	minCompatibilityVersion atomic.Pointer[version.Version]
 }
 
-func setUnsetAlphaGates(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, cVer *version.Version) {
+func setUnsetAlphaGates(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, emuVer, minCompatVer *version.Version) {
 	for k, v := range known {
 		if k == "AllAlpha" || k == "AllBeta" {
 			continue
 		}
-		featureSpec := featureSpecAtEmulationVersion(v, cVer)
+		featureSpec := featureSpecAtEmulationAndMinCompatVersion(v, emuVer, minCompatVer)
 		if featureSpec.PreRelease == Alpha {
 			if _, found := enabled[k]; !found {
 				enabled[k] = val
@@ -230,12 +281,12 @@ func setUnsetAlphaGates(known map[Feature]VersionedSpecs, enabled map[Feature]bo
 	}
 }
 
-func setUnsetBetaGates(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, cVer *version.Version) {
+func setUnsetBetaGates(known map[Feature]VersionedSpecs, enabled map[Feature]bool, val bool, emuVer, minCompatVer *version.Version) {
 	for k, v := range known {
 		if k == "AllAlpha" || k == "AllBeta" {
 			continue
 		}
-		featureSpec := featureSpecAtEmulationVersion(v, cVer)
+		featureSpec := featureSpecAtEmulationAndMinCompatVersion(v, emuVer, minCompatVer)
 		if featureSpec.PreRelease == Beta {
 			if _, found := enabled[k]; !found {
 				enabled[k] = val
@@ -252,8 +303,13 @@ var _ pflag.Value = &featureGate{}
 var internalPackages = []string{"k8s.io/component-base/featuregate/feature_gate.go"}
 
 // NewVersionedFeatureGate creates a feature gate with the emulation version set to the provided version.
+// Equivalent to calling NewVersionedFeatureGateWithMinCompatibility with emulationVersion, emulationVersion-1.
 // SetEmulationVersion can be called after to change emulation version to a desired value.
 func NewVersionedFeatureGate(emulationVersion *version.Version) *featureGate {
+	return NewVersionedFeatureGateWithMinCompatibility(emulationVersion, emulationVersion.SubtractMinor(1))
+}
+
+func NewVersionedFeatureGateWithMinCompatibility(emulationVersion, minCompatibilityVersion *version.Version) *featureGate {
 	known := map[Feature]VersionedSpecs{}
 	for k, v := range defaultFeatures {
 		known[k] = v
@@ -264,9 +320,11 @@ func NewVersionedFeatureGate(emulationVersion *version.Version) *featureGate {
 		special:         specialFeatures,
 	}
 	f.known.Store(known)
+	f.dependencies.Store(new(map[Feature][]Feature))
 	f.enabled.Store(map[Feature]bool{})
 	f.enabledRaw.Store(map[string]bool{})
 	f.emulationVersion.Store(emulationVersion)
+	f.minCompatibilityVersion.Store(minCompatibilityVersion)
 	f.queriedFeatures.Store(sets.Set[Feature]{})
 	return f
 }
@@ -309,11 +367,11 @@ func (f *featureGate) Validate() []error {
 		return []error{fmt.Errorf("cannot cast enabledRaw to map[string]bool")}
 	}
 	enabled := map[Feature]bool{}
-	return f.unsafeSetFromMap(enabled, m, f.EmulationVersion())
+	return f.unsafeSetFromMap(enabled, m, f.EmulationVersion(), f.MinCompatibilityVersion())
 }
 
 // unsafeSetFromMap stores flag gates for known features from a map[string]bool into an enabled map.
-func (f *featureGate) unsafeSetFromMap(enabled map[Feature]bool, m map[string]bool, emulationVersion *version.Version) []error {
+func (f *featureGate) unsafeSetFromMap(enabled map[Feature]bool, m map[string]bool, emulationVersion, minCompatibilityVersion *version.Version) []error {
 	var errs []error
 	// Copy existing state
 	known := map[Feature]VersionedSpecs{}
@@ -328,19 +386,19 @@ func (f *featureGate) unsafeSetFromMap(enabled map[Feature]bool, m map[string]bo
 			klog.Warningf("unrecognized feature gate: %s", k)
 			continue
 		}
-		featureSpec := featureSpecAtEmulationVersion(versionedSpecs, emulationVersion)
+		featureSpec := featureSpecAtEmulationAndMinCompatVersion(versionedSpecs, emulationVersion, minCompatibilityVersion)
 		if featureSpec.LockToDefault && featureSpec.Default != v {
 			errs = append(errs, fmt.Errorf("cannot set feature gate %v to %v, feature is locked to %v", k, v, featureSpec.Default))
 			continue
 		}
 		// Handle "special" features like "all alpha gates"
 		if fn, found := f.special[key]; found {
-			fn(known, enabled, v, emulationVersion)
+			fn(known, enabled, v, emulationVersion, minCompatibilityVersion)
 			enabled[key] = v
 			continue
 		}
 		if featureSpec.PreRelease == PreAlpha {
-			errs = append(errs, fmt.Errorf("cannot set feature gate %v to %v, feature is PreAlpha at emulated version %s", k, v, emulationVersion.String()))
+			errs = append(errs, fmt.Errorf("cannot set feature gate %v to %v, feature is PreAlpha at emulated version %s, min compatibility version %s", k, v, emulationVersion, minCompatibilityVersion))
 			continue
 		}
 		enabled[key] = v
@@ -351,6 +409,29 @@ func (f *featureGate) unsafeSetFromMap(enabled map[Feature]bool, m map[string]bo
 			klog.Warningf("Setting GA feature gate %s=%t. It will be removed in a future release.", k, v)
 		}
 	}
+
+	if len(errs) > 0 {
+		return errs
+	}
+
+	// If enabled features were set successfully, validate them against the dependencies.
+	dependencies := *f.dependencies.Load()
+	for feature, deps := range dependencies {
+		if !featureEnabled(feature, enabled, known, emulationVersion, minCompatibilityVersion) {
+			continue
+		}
+
+		var disabledDeps []Feature
+		for _, dep := range deps {
+			if !featureEnabled(dep, enabled, known, emulationVersion, minCompatibilityVersion) {
+				disabledDeps = append(disabledDeps, dep)
+			}
+		}
+		if len(disabledDeps) > 0 {
+			errs = append(errs, fmt.Errorf("%s is enabled, but depends on features that are disabled: %v", feature, disabledDeps))
+		}
+	}
+
 	return errs
 }
 
@@ -377,7 +458,7 @@ func (f *featureGate) SetFromMap(m map[string]bool) error {
 	}
 	f.enabledRaw.Store(enabledRaw)
 
-	errs := f.unsafeSetFromMap(enabled, enabledRaw, f.EmulationVersion())
+	errs := f.unsafeSetFromMap(enabled, enabledRaw, f.EmulationVersion(), f.MinCompatibilityVersion())
 	if len(errs) == 0 {
 		// Persist changes
 		f.enabled.Store(enabled)
@@ -423,31 +504,56 @@ func (f *featureGate) AddVersioned(features map[Feature]VersionedSpecs) error {
 	known := f.GetAllVersioned()
 
 	for name, specs := range features {
-		if existingSpec, found := known[name]; found {
-			if reflect.DeepEqual(existingSpec, specs) {
-				continue
-			}
-			return fmt.Errorf("feature gate %q with different spec already exists: %v", name, existingSpec)
-		}
+		var completedSpecs VersionedSpecs
 		// Validate new specs are well-formed
-		var lastVersion *version.Version
-		var wasBeta, wasGA, wasDeprecated bool
+		var lastSpec FeatureSpec
+		var wasBeta, wasGA, wasDeprecated, wasLockedToDefault bool
 		for i, spec := range specs {
 			if spec.Version == nil {
 				return fmt.Errorf("feature %q did not provide a version", name)
 			}
 			if len(spec.Version.Components()) != 2 {
-				return fmt.Errorf("feature %q specified patch version: %s", name, spec.Version.String())
-
+				return fmt.Errorf("feature %q specified patch version: %s", name, spec.Version)
+			}
+			if spec.MinCompatibilityVersion != nil {
+				if i == 0 || !spec.Version.EqualTo(lastSpec.Version) {
+					return fmt.Errorf("feature %q specified MinCompatibilityVersion: %s without a preceding entry at the same Version without MinCompatibilityVersion set", name, spec.MinCompatibilityVersion)
+				}
+				if len(spec.MinCompatibilityVersion.Components()) != 2 {
+					return fmt.Errorf("feature %q specified patch MinCompatibilityVersion: %s", name, spec.MinCompatibilityVersion)
+				}
+				if spec.MinCompatibilityVersion.GreaterThan(spec.Version) {
+					return fmt.Errorf("feature %q MinCompatibilityVersion %s greater than Version %s", name, spec.MinCompatibilityVersion, spec.Version)
+				}
 			}
 			// gates that begin as deprecated must indicate their prior state
 			if i == 0 && spec.PreRelease == Deprecated && spec.Version.Minor() != 0 {
 				return fmt.Errorf("feature %q introduced as deprecated must provide a 1.0 entry indicating initial state", name)
 			}
 			if i > 0 {
-				// versions must strictly increase
-				if !lastVersion.LessThan(spec.Version) {
-					return fmt.Errorf("feature %q lists version transitions in non-increasing order (%s <= %s)", name, spec.Version, lastVersion)
+				// either versions or minCompatibilityVersions have to increase
+				if spec.Version.LessThan(lastSpec.Version) {
+					return fmt.Errorf("feature %q lists version transitions in decreasing order (%s < %s)", name, spec.Version, lastSpec.Version)
+				}
+				if spec.MinCompatibilityVersion != nil && lastSpec.MinCompatibilityVersion != nil && spec.MinCompatibilityVersion.LessThan(lastSpec.MinCompatibilityVersion) {
+					return fmt.Errorf("feature %q lists min compatibility version transitions in decreasing order (%s < %s)", name, spec.MinCompatibilityVersion, lastSpec.MinCompatibilityVersion)
+				}
+				if spec.Version.EqualTo(lastSpec.Version) {
+					if spec.MinCompatibilityVersion.EqualTo(lastSpec.MinCompatibilityVersion) {
+						return fmt.Errorf("feature %q lists duplicate entries with the same versions (%s = %s)", name, spec.Version, lastSpec.Version)
+					}
+					if spec.PreRelease != lastSpec.PreRelease {
+						return fmt.Errorf("feature %q lists stability changes with the same version (%s -> %s)", name, lastSpec.PreRelease, spec.PreRelease)
+					}
+					if spec.LockToDefault != lastSpec.LockToDefault {
+						return fmt.Errorf("feature %q lists locked to default changes with the same version (%v -> %v)", name, lastSpec.LockToDefault, spec.LockToDefault)
+					}
+				}
+				if spec.PreRelease == lastSpec.PreRelease && spec.Default == lastSpec.Default && spec.LockToDefault == lastSpec.LockToDefault {
+					return fmt.Errorf("feature %q lists transition without stability change (%s -> %s)", name, lastSpec.Version, spec.Version)
+				}
+				if wasLockedToDefault && !spec.LockToDefault {
+					return fmt.Errorf("feature %q must not unlock after locking to default", name)
 				}
 				// stability must not regress from ga --> {beta,alpha} or beta --> alpha, and
 				// Deprecated state must be the terminal state
@@ -460,25 +566,160 @@ func (f *featureGate) AddVersioned(features map[Feature]VersionedSpecs) error {
 					return fmt.Errorf("feature %q regresses stability from more stable level to %s in %s", name, spec.PreRelease, spec.Version)
 				}
 			}
-			lastVersion = spec.Version
+			completedSpec := spec
+			// set MinCompatibilityVersion to the last MinCompatibilityVersion if unspecified.
+			// this makes sure MinCompatibilityVersion does not decrease.
+			// For example:
+			// 	FeatureA: {
+			// 		{Version: version.MustParse("1.35"), Default: false, PreRelease: Beta},
+			// 		{Version: version.MustParse("1.35"), Default: true, PreRelease: Beta, MinCompatibilityVersion: 1.35},
+			//      {Version: version.MustParse("1.37"), Default: true, PreRelease: GA},
+			// 	},
+			// FeatureA should have MinCompatibilityVersion at least 1.35 at GA.
+			if completedSpec.MinCompatibilityVersion == nil && i > 0 {
+				completedSpec.MinCompatibilityVersion = lastSpec.MinCompatibilityVersion
+			}
+			completedSpecs = append(completedSpecs, completedSpec)
+			lastSpec = completedSpec
 			wasBeta = wasBeta || spec.PreRelease == Beta
 			wasGA = wasGA || spec.PreRelease == GA
 			wasDeprecated = wasDeprecated || spec.PreRelease == Deprecated
+			wasLockedToDefault = wasLockedToDefault || spec.LockToDefault
+		}
+		if existingSpec, found := known[name]; found {
+			if reflect.DeepEqual(existingSpec, completedSpecs) {
+				continue
+			}
+			return fmt.Errorf("feature gate %q with different spec already exists: %v", name, existingSpec)
 		}
-		known[name] = specs
+		known[name] = completedSpecs
 	}
-
 	// Persist updated state
 	f.known.Store(known)
 
 	return nil
 }
 
+// AddDependencies adds feature gate dependencies.
+func (f *featureGate) AddDependencies(dependencies map[Feature][]Feature) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if f.closed {
+		return fmt.Errorf("cannot add a feature gate dependency after adding it to the flag set")
+	}
+	// Copy existing state
+	known := f.GetAllVersioned()
+
+	// Merge existing dependencies in.
+	existing := *f.dependencies.Load()
+	for k, v := range existing {
+		dependencies[k] = append(dependencies[k], v...)
+	}
+
+	// Sort and compact all dependency lists.
+	for k, v := range dependencies {
+		slices.Sort(v)
+		dependencies[k] = slices.Compact(v)
+	}
+
+	// Validate dependencies for each emulated version:
+	// 1. Features & dependencies must be known
+	// 2. Features cannot depend on features with a lower prerelease level
+	// 3. Enabled features cannot depend on disabled features
+	// 4. Locked-to-default featurs cannot depend on unlocked features
+	for feature, deps := range dependencies {
+		versionedFeature, ok := known[feature]
+		if !ok {
+			return fmt.Errorf("cannot add dependency for unknown feature %s", feature)
+		}
+
+		for _, dep := range deps {
+			versionedDep, ok := known[dep]
+			if !ok {
+				return fmt.Errorf("cannot add dependency from %s to unknown feature %s", feature, dep)
+			}
+
+			// Check versions starting with the most recent for more intuitive error messages.
+			for _, spec := range slices.Backward(versionedFeature) {
+				// depSpec is the effective FeatureSpec for the dependency at the version declared by the dependent FeatureSpec.
+				depSpec := featureSpecAtEmulationAndMinCompatVersion(versionedDep, spec.Version, spec.MinCompatibilityVersion)
+
+				if stabilityOrder(spec.PreRelease) > stabilityOrder(depSpec.PreRelease) {
+					return fmt.Errorf("%s feature %s cannot depend on %s feature %s at version %s", spec.PreRelease, feature, depSpec.PreRelease, dep, spec.Version)
+				}
+				if spec.Default && !depSpec.Default {
+					return fmt.Errorf("default-enabled feature %s cannot depend on default-disabled feature %s at version %s", feature, dep, spec.Version)
+				}
+				if spec.LockToDefault && !depSpec.LockToDefault {
+					return fmt.Errorf("locked-to-default feature %s cannot depend on unlocked feature %s at version %s", feature, dep, spec.Version)
+				}
+			}
+		}
+	}
+
+	// Check for cycles
+	visited := map[Feature]bool{}
+	finished := map[Feature]bool{}
+	var detectCycles func(Feature) error
+	detectCycles = func(feature Feature) error {
+		if finished[feature] {
+			return nil
+		}
+		if visited[feature] {
+			return fmt.Errorf("cycle detected with feature %s", feature)
+		}
+		visited[feature] = true
+		for _, dep := range dependencies[feature] {
+			if err := detectCycles(dep); err != nil {
+				return err
+			}
+		}
+		finished[feature] = true
+		return nil
+	}
+	for feature := range dependencies {
+		if err := detectCycles(feature); err != nil {
+			return err
+		}
+	}
+
+	// Persist updated state
+	f.dependencies.Store(&dependencies)
+
+	return nil
+}
+
+// stabilityOrder converts prereleases to a numerical value for dependency comparison.
+// Features cannot depend on features with a lower prerelease level.
+func stabilityOrder(p prerelease) int {
+	switch p {
+	case Deprecated:
+		return 0 // Non-deprecated features cannot depend on deprecated features.
+	case PreAlpha, Alpha: // Alpha features are allowed to depend on pre-alpha features.
+		return 1
+	case Beta:
+		return 2
+	case GA:
+		return 3
+	default:
+		return -1 // Unknown prerelease
+	}
+}
+
+func (f *featureGate) Dependencies() map[Feature][]Feature {
+	return maps.Clone(*f.dependencies.Load())
+}
+
 func (f *featureGate) OverrideDefault(name Feature, override bool) error {
-	return f.OverrideDefaultAtVersion(name, override, f.EmulationVersion())
+	return f.overrideDefaultAtEmulationAndMinCompatVersion(name, override, f.EmulationVersion(), f.MinCompatibilityVersion())
 }
 
 func (f *featureGate) OverrideDefaultAtVersion(name Feature, override bool, ver *version.Version) error {
+	return f.overrideDefaultAtEmulationAndMinCompatVersion(name, override, ver, nil)
+}
+
+func (f *featureGate) overrideDefaultAtEmulationAndMinCompatVersion(name Feature, override bool, emuVer, minCompatVer *version.Version) error {
 	f.lock.Lock()
 	defer f.lock.Unlock()
 
@@ -493,12 +734,12 @@ func (f *featureGate) OverrideDefaultAtVersion(name Feature, override bool, ver
 	if !ok {
 		return fmt.Errorf("cannot override default: feature %q is not registered", name)
 	}
-	spec := featureSpecAtEmulationVersion(specs, ver)
+	spec := featureSpecAtEmulationAndMinCompatVersion(specs, emuVer, minCompatVer)
 	switch {
 	case spec.LockToDefault:
 		return fmt.Errorf("cannot override default: feature %q default is locked to %t", name, spec.Default)
 	case spec.PreRelease == PreAlpha:
-		return fmt.Errorf("cannot override default: feature %q is not available before version %s", name, ver.String())
+		return fmt.Errorf("cannot override default: feature %q is not available before version %s", name, emuVer)
 	case spec.PreRelease == Deprecated:
 		klog.Warningf("Overriding default of deprecated feature gate %s=%t. It will be removed in a future release.", name, override)
 	case spec.PreRelease == GA:
@@ -518,9 +759,10 @@ func (f *featureGate) GetAll() map[Feature]FeatureSpec {
 	f.lock.Lock()
 	versionedSpecs := f.GetAllVersioned()
 	emuVer := f.EmulationVersion()
+	minCompatVer := f.MinCompatibilityVersion()
 	f.lock.Unlock()
 	for k, v := range versionedSpecs {
-		spec := featureSpecAtEmulationVersion(v, emuVer)
+		spec := featureSpecAtEmulationAndMinCompatVersion(v, emuVer, minCompatVer)
 		if spec.PreRelease == PreAlpha {
 			// The feature is not available at the emulation version.
 			continue
@@ -542,12 +784,16 @@ func (f *featureGate) GetAllVersioned() map[Feature]VersionedSpecs {
 }
 
 func (f *featureGate) SetEmulationVersion(emulationVersion *version.Version) error {
-	if emulationVersion.EqualTo(f.EmulationVersion()) {
+	return f.SetEmulationVersionAndMinCompatibilityVersion(emulationVersion, emulationVersion.SubtractMinor(1))
+}
+
+func (f *featureGate) SetEmulationVersionAndMinCompatibilityVersion(emulationVersion *version.Version, minCompatibilityVersion *version.Version) error {
+	if emulationVersion.EqualTo(f.EmulationVersion()) && minCompatibilityVersion.EqualTo(f.MinCompatibilityVersion()) {
 		return nil
 	}
 	f.lock.Lock()
 	defer f.lock.Unlock()
-	klog.V(1).Infof("set feature gate emulationVersion to %s", emulationVersion.String())
+	klog.V(1).Infof("set feature gate emulationVersion to %s, minCompatibilityVersion to %s", emulationVersion, minCompatibilityVersion)
 
 	// Copy existing state
 	enabledRaw := map[string]bool{}
@@ -556,15 +802,15 @@ func (f *featureGate) SetEmulationVersion(emulationVersion *version.Version) err
 	}
 	// enabled map should be reset whenever emulationVersion is changed.
 	enabled := map[Feature]bool{}
-	errs := f.unsafeSetFromMap(enabled, enabledRaw, emulationVersion)
+	errs := f.unsafeSetFromMap(enabled, enabledRaw, emulationVersion, minCompatibilityVersion)
 
 	queriedFeatures := f.queriedFeatures.Load().(sets.Set[Feature])
 	known := f.known.Load().(map[Feature]VersionedSpecs)
 	for feature := range queriedFeatures {
-		newVal := featureEnabled(feature, enabled, known, emulationVersion)
-		oldVal := featureEnabled(feature, f.enabled.Load().(map[Feature]bool), known, f.EmulationVersion())
+		newVal := featureEnabled(feature, enabled, known, emulationVersion, minCompatibilityVersion)
+		oldVal := featureEnabled(feature, f.enabled.Load().(map[Feature]bool), known, f.EmulationVersion(), f.MinCompatibilityVersion())
 		if newVal != oldVal {
-			klog.Warningf("SetEmulationVersion will change already queried feature:%s from %v to %v", feature, oldVal, newVal)
+			klog.Warningf("SetEmulationVersionAndMinCompatibilityVersion will change already queried feature:%s from %v to %v", feature, oldVal, newVal)
 		}
 	}
 
@@ -572,6 +818,7 @@ func (f *featureGate) SetEmulationVersion(emulationVersion *version.Version) err
 		// Persist changes
 		f.enabled.Store(enabled)
 		f.emulationVersion.Store(emulationVersion)
+		f.minCompatibilityVersion.Store(minCompatibilityVersion)
 		f.queriedFeatures.Store(sets.Set[Feature]{})
 	}
 	return utilerrors.NewAggregate(errs)
@@ -581,11 +828,15 @@ func (f *featureGate) EmulationVersion() *version.Version {
 	return f.emulationVersion.Load()
 }
 
+func (f *featureGate) MinCompatibilityVersion() *version.Version {
+	return f.minCompatibilityVersion.Load()
+}
+
 // featureSpec returns the featureSpec at the EmulationVersion if the key exists, an error otherwise.
 // This is useful to keep multiple implementations of a feature based on the PreRelease or Version info.
 func (f *featureGate) featureSpec(key Feature) (FeatureSpec, error) {
 	if v, ok := f.known.Load().(map[Feature]VersionedSpecs)[key]; ok {
-		featureSpec := f.featureSpecAtEmulationVersion(v)
+		featureSpec := f.featureSpecAtEmulationAndMinCompatVersion(v)
 		return *featureSpec, nil
 	}
 	return FeatureSpec{}, fmt.Errorf("feature %q is not registered in FeatureGate %q", key, f.featureGateName)
@@ -602,13 +853,14 @@ func (f *featureGate) unsafeRecordQueried(key Feature) {
 	f.queriedFeatures.Store(newQueriedFeatures)
 }
 
-func featureEnabled(key Feature, enabled map[Feature]bool, known map[Feature]VersionedSpecs, emulationVersion *version.Version) bool {
+func featureEnabled(key Feature, enabled map[Feature]bool, known map[Feature]VersionedSpecs, emulationVersion, minCompatibilityVersion *version.Version) bool {
 	// check explicitly set enabled list
 	if v, ok := enabled[key]; ok {
 		return v
 	}
 	if v, ok := known[key]; ok {
-		return featureSpecAtEmulationVersion(v, emulationVersion).Default
+		featureSpec := featureSpecAtEmulationAndMinCompatVersion(v, emulationVersion, minCompatibilityVersion)
+		return featureSpec.Default
 	}
 
 	panic(fmt.Errorf("feature %q is not registered in FeatureGate", key))
@@ -617,21 +869,28 @@ func featureEnabled(key Feature, enabled map[Feature]bool, known map[Feature]Ver
 // Enabled returns true if the key is enabled.  If the key is not known, this call will panic.
 func (f *featureGate) Enabled(key Feature) bool {
 	// TODO: ideally we should lock the feature gate in this call to be safe, need to evaluate how much performance impact locking would have.
-	v := featureEnabled(key, f.enabled.Load().(map[Feature]bool), f.known.Load().(map[Feature]VersionedSpecs), f.EmulationVersion())
+	v := featureEnabled(key, f.enabled.Load().(map[Feature]bool), f.known.Load().(map[Feature]VersionedSpecs), f.EmulationVersion(), f.MinCompatibilityVersion())
 	f.unsafeRecordQueried(key)
 	return v
 }
 
-func (f *featureGate) featureSpecAtEmulationVersion(v VersionedSpecs) *FeatureSpec {
-	return featureSpecAtEmulationVersion(v, f.EmulationVersion())
+func (f *featureGate) featureSpecAtEmulationAndMinCompatVersion(v VersionedSpecs) *FeatureSpec {
+	return featureSpecAtEmulationAndMinCompatVersion(v, f.EmulationVersion(), f.MinCompatibilityVersion())
 }
 
-func featureSpecAtEmulationVersion(v VersionedSpecs, emulationVersion *version.Version) *FeatureSpec {
+func featureSpecAtEmulationAndMinCompatVersion(v VersionedSpecs, emulationVersion, minCompatibilityVersion *version.Version) *FeatureSpec {
 	i := len(v) - 1
+	if minCompatibilityVersion == nil {
+		minCompatibilityVersion = emulationVersion.SubtractMinor(1)
+	}
 	for ; i >= 0; i-- {
 		if v[i].Version.GreaterThan(emulationVersion) {
 			continue
 		}
+		specMinCompatibilityVersion := v[i].MinCompatibilityVersion
+		if specMinCompatibilityVersion != nil && !minCompatibilityVersion.AtLeast(specMinCompatibilityVersion) {
+			continue
+		}
 		return &v[i]
 	}
 	return &FeatureSpec{
@@ -677,11 +936,26 @@ func (f *featureGate) KnownFeatures() []string {
 			known = append(known, fmt.Sprintf("%s=true|false (%s - default=%t)", k, v[0].PreRelease, v[0].Default))
 			continue
 		}
-		featureSpec := f.featureSpecAtEmulationVersion(v)
-		if featureSpec.PreRelease == GA || featureSpec.PreRelease == Deprecated || featureSpec.PreRelease == PreAlpha {
+		featureSpec := f.featureSpecAtEmulationAndMinCompatVersion(v)
+		featureSpecStr := featureSpec.HelpString(k, false)
+		featureSpecMinCompatMode := featureSpecAtEmulationAndMinCompatVersion(v, f.EmulationVersion(), f.EmulationVersion())
+		featureSpecMinCompatModeStr := featureSpecMinCompatMode.HelpString(k, true)
+		if reflect.DeepEqual(featureSpec, featureSpecMinCompatMode) {
+			if featureSpecStr != "" {
+				known = append(known, featureSpecStr)
+			}
 			continue
 		}
-		known = append(known, fmt.Sprintf("%s=true|false (%s - default=%t)", k, featureSpec.PreRelease, featureSpec.Default))
+		components := []string{}
+		if featureSpecStr != "" {
+			components = append(components, featureSpecStr)
+		}
+		if featureSpecMinCompatModeStr != "" {
+			components = append(components, featureSpecMinCompatModeStr)
+		}
+		if len(components) > 0 {
+			known = append(known, strings.Join(components, ", or "))
+		}
 	}
 	sort.Strings(known)
 	return known
@@ -691,7 +965,7 @@ func (f *featureGate) KnownFeatures() []string {
 // and resets all the enabled status of the new feature gate.
 // This is useful for creating a new instance of feature gate without inheriting all the enabled configurations of the base feature gate.
 func (f *featureGate) DeepCopyAndReset() MutableVersionedFeatureGate {
-	fg := NewVersionedFeatureGate(f.EmulationVersion())
+	fg := NewVersionedFeatureGateWithMinCompatibility(f.EmulationVersion(), f.MinCompatibilityVersion())
 	known := f.GetAllVersioned()
 	fg.known.Store(known)
 	return fg
@@ -713,6 +987,10 @@ func (f *featureGate) DeepCopy() MutableVersionedFeatureGate {
 	for k, v := range f.enabledRaw.Load().(map[string]bool) {
 		enabledRaw[k] = v
 	}
+	dependencies := map[Feature][]Feature{}
+	for k, v := range *f.dependencies.Load() {
+		dependencies[k] = append([]Feature{}, v...)
+	}
 
 	// Construct a new featureGate around the copied state.
 	// Note that specialFeatures is treated as immutable by convention,
@@ -722,8 +1000,10 @@ func (f *featureGate) DeepCopy() MutableVersionedFeatureGate {
 		closed:  f.closed,
 	}
 	fg.emulationVersion.Store(f.EmulationVersion())
+	fg.minCompatibilityVersion.Store(f.MinCompatibilityVersion())
 	fg.known.Store(known)
 	fg.enabled.Store(enabled)
+	fg.dependencies.Store(&dependencies)
 	fg.enabledRaw.Store(enabledRaw)
 	fg.queriedFeatures.Store(sets.Set[Feature]{})
 	return fg
diff --git a/staging/src/k8s.io/component-base/featuregate/feature_gate_test.go b/staging/src/k8s.io/component-base/featuregate/feature_gate_test.go
index 7b45e7f6cd5fb..777a66332df25 100644
--- a/staging/src/k8s.io/component-base/featuregate/feature_gate_test.go
+++ b/staging/src/k8s.io/component-base/featuregate/feature_gate_test.go
@@ -721,6 +721,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 	const testLockedFalseGate Feature = "TestLockedFalse"
 	const testAlphaGateNoVersion Feature = "TestAlphaNoVersion"
 	const testBetaGateNoVersion Feature = "TestBetaNoVersion"
+	const testCompatibilityGate Feature = "TestCompatibility"
 
 	tests := []struct {
 		arg        string
@@ -738,6 +739,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -750,6 +752,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    true,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -763,6 +766,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 			// parseError: "unrecognized feature gate: fooBarBaz",
 		},
@@ -777,6 +781,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -790,6 +795,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: true,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -803,21 +809,12 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 			parseError: "invalid value of AllAlpha",
 		},
 		{
-			arg: "AllAlpha=false,TestAlpha=true,TestAlphaNoVersion=true",
-			expect: map[Feature]bool{
-				allAlphaGate:           false,
-				allBetaGate:            false,
-				testGAGate:             false,
-				testAlphaGate:          false,
-				testBetaGate:           false,
-				testLockedFalseGate:    false,
-				testAlphaGateNoVersion: true,
-				testBetaGateNoVersion:  false,
-			},
+			arg:        "AllAlpha=false,TestAlpha=true,TestAlphaNoVersion=true",
 			parseError: "cannot set feature gate TestAlpha to true, feature is PreAlpha at emulated version 1.28",
 		},
 		{
@@ -831,34 +828,15 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: true,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
-			arg: "TestAlpha=true,TestAlphaNoVersion=true,AllAlpha=false",
-			expect: map[Feature]bool{
-				allAlphaGate:           false,
-				allBetaGate:            false,
-				testGAGate:             false,
-				testAlphaGate:          false,
-				testBetaGate:           false,
-				testLockedFalseGate:    false,
-				testAlphaGateNoVersion: true,
-				testBetaGateNoVersion:  false,
-			},
+			arg:        "TestAlpha=true,TestAlphaNoVersion=true,AllAlpha=false",
 			parseError: "cannot set feature gate TestAlpha to true, feature is PreAlpha at emulated version 1.28",
 		},
 		{
-			arg: "AllAlpha=true,TestAlpha=false,TestAlphaNoVersion=false",
-			expect: map[Feature]bool{
-				allAlphaGate:           true,
-				allBetaGate:            false,
-				testGAGate:             false,
-				testAlphaGate:          false,
-				testBetaGate:           true,
-				testLockedFalseGate:    false,
-				testAlphaGateNoVersion: false,
-				testBetaGateNoVersion:  false,
-			},
+			arg:        "AllAlpha=true,TestAlpha=false,TestAlphaNoVersion=false",
 			parseError: "cannot set feature gate TestAlpha to false, feature is PreAlpha at emulated version 1.28",
 		},
 		{
@@ -872,20 +850,11 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
-			arg: "TestAlpha=false,TestAlphaNoVersion=false,AllAlpha=true",
-			expect: map[Feature]bool{
-				allAlphaGate:           true,
-				allBetaGate:            false,
-				testGAGate:             false,
-				testAlphaGate:          false,
-				testBetaGate:           true,
-				testLockedFalseGate:    false,
-				testAlphaGateNoVersion: false,
-				testBetaGateNoVersion:  false,
-			},
+			arg:        "TestAlpha=false,TestAlphaNoVersion=false,AllAlpha=true",
 			parseError: "cannot set feature gate TestAlpha to false, feature is PreAlpha at emulated version 1.28",
 		},
 		{
@@ -899,6 +868,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  true,
+				testCompatibilityGate:  false,
 			},
 		},
 
@@ -913,6 +883,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -926,19 +897,11 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  true,
+				testCompatibilityGate:  true,
 			},
 		},
 		{
-			arg: "AllBeta=banana",
-			expect: map[Feature]bool{
-				allAlphaGate:           false,
-				allBetaGate:            false,
-				testGAGate:             false,
-				testAlphaGate:          false,
-				testBetaGate:           false,
-				testAlphaGateNoVersion: false,
-				testBetaGateNoVersion:  false,
-			},
+			arg:        "AllBeta=banana",
 			parseError: "invalid value of AllBeta",
 		},
 		{
@@ -952,6 +915,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  true,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -965,6 +929,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  true,
+				testCompatibilityGate:  false,
 			},
 		},
 		{
@@ -978,6 +943,7 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  true,
 			},
 		},
 		{
@@ -991,21 +957,26 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  true,
 			},
 		},
 		{
-			arg: "TestAlpha=true,AllBeta=false",
+			arg:        "TestAlpha=true,AllBeta=false",
+			parseError: "cannot set feature gate TestAlpha to true, feature is PreAlpha at emulated version 1.28",
+		},
+		{
+			arg: "TestCompatibility=true",
 			expect: map[Feature]bool{
 				allAlphaGate:           false,
 				allBetaGate:            false,
 				testGAGate:             false,
-				testAlphaGate:          true,
+				testAlphaGate:          false,
 				testBetaGate:           false,
 				testLockedFalseGate:    false,
 				testAlphaGateNoVersion: false,
 				testBetaGateNoVersion:  false,
+				testCompatibilityGate:  true,
 			},
-			parseError: "cannot set feature gate TestAlpha to true, feature is PreAlpha at emulated version 1.28",
 		},
 	}
 	for i, test := range tests {
@@ -1032,6 +1003,11 @@ func TestVersionedFeatureGateFlag(t *testing.T) {
 					{Version: version.MustParse("1.28"), Default: false, PreRelease: GA},
 					{Version: version.MustParse("1.29"), Default: false, PreRelease: GA, LockToDefault: true},
 				},
+				testCompatibilityGate: {
+					{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.28"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.28")},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, LockToDefault: true},
+				},
 			})
 			require.NoError(t, err)
 			err = f.Add(map[Feature]FeatureSpec{
@@ -1185,6 +1161,8 @@ func TestVersionedFeatureGateKnownFeatures(t *testing.T) {
 		testPreAlphaGate            Feature = "TestPreAlpha"
 		testAlphaGate               Feature = "TestAlpha"
 		testBetaGate                Feature = "TestBeta"
+		testFastBetaGate            Feature = "TestFastBeta"
+		testLatestFastBetaGate      Feature = "TestLatestFastBeta"
 		testGAGate                  Feature = "TestGA"
 		testDeprecatedGate          Feature = "TestDeprecated"
 		testGAGateNoVersion         Feature = "TestGANoVersion"
@@ -1210,6 +1188,14 @@ func TestVersionedFeatureGateKnownFeatures(t *testing.T) {
 		testBetaGate: {
 			{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
 		},
+		testFastBetaGate: {
+			{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.28"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.28")},
+		},
+		testLatestFastBetaGate: {
+			{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+		},
 		testDeprecatedGate: {
 			{Version: version.MustParse("1.26"), Default: false, PreRelease: Alpha},
 			{Version: version.MustParse("1.28"), Default: true, PreRelease: Deprecated},
@@ -1229,6 +1215,8 @@ func TestVersionedFeatureGateKnownFeatures(t *testing.T) {
 	assert.NotContains(t, known, testPreAlphaGate)
 	assert.Contains(t, known, testAlphaGate)
 	assert.Contains(t, known, testBetaGate)
+	assert.Contains(t, known, "TestFastBeta=true|false (BETA - default=true) if --min-compatibility-version>=1.28")
+	assert.NotContains(t, known, testLatestFastBetaGate)
 	assert.NotContains(t, known, testGAGate)
 	assert.NotContains(t, known, testDeprecatedGate)
 	assert.Contains(t, known, testAlphaGateNoVersion)
@@ -1237,6 +1225,98 @@ func TestVersionedFeatureGateKnownFeatures(t *testing.T) {
 	assert.NotContains(t, known, testDeprecatedGateNoVersion)
 }
 
+func TestVersionedFeatureGateKnownFeaturesWithMinCompatVersion(t *testing.T) {
+	// gates for testing
+	const (
+		testPreAlphaGate            Feature = "TestPreAlpha"
+		testAlphaGate               Feature = "TestAlpha"
+		testBetaGate                Feature = "TestBeta"
+		testFastBetaGate            Feature = "TestFastBeta"
+		testLatestFastBetaGate      Feature = "TestLatestFastBeta"
+		testGAGate                  Feature = "TestGA"
+		testDeprecatedGate          Feature = "TestDeprecated"
+		testGAGateNoVersion         Feature = "TestGANoVersion"
+		testAlphaGateNoVersion      Feature = "TestAlphaNoVersion"
+		testBetaGateNoVersion       Feature = "TestBetaNoVersion"
+		testDeprecatedGateNoVersion Feature = "TestDeprecatedNoVersion"
+	)
+	// Don't parse the flag, assert defaults are used.
+	f := NewVersionedFeatureGate(version.MustParse("1.29"))
+	err := f.AddVersioned(map[Feature]VersionedSpecs{
+		testGAGate: {
+			{Version: version.MustParse("1.26"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.26"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.26")},
+			{Version: version.MustParse("1.28"), Default: true, PreRelease: GA},
+		},
+		testPreAlphaGate: {
+			{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+		},
+		testAlphaGate: {
+			{Version: version.MustParse("1.28"), Default: false, PreRelease: Alpha},
+		},
+		testBetaGate: {
+			{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+		},
+		testFastBetaGate: {
+			{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.28"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.28")},
+		},
+		testLatestFastBetaGate: {
+			{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+		},
+		testDeprecatedGate: {
+			{Version: version.MustParse("1.26"), Default: false, PreRelease: Alpha},
+			{Version: version.MustParse("1.28"), Default: true, PreRelease: Deprecated},
+		},
+	})
+	require.NoError(t, err)
+	err = f.Add(map[Feature]FeatureSpec{
+		testAlphaGateNoVersion:      {Default: false, PreRelease: Alpha},
+		testBetaGateNoVersion:       {Default: false, PreRelease: Beta},
+		testGAGateNoVersion:         {Default: false, PreRelease: GA},
+		testDeprecatedGateNoVersion: {Default: false, PreRelease: Deprecated},
+	})
+	require.NoError(t, err)
+
+	knownExpected := []string{
+		"AllAlpha=true|false (ALPHA - default=false)",
+		"AllBeta=true|false (BETA - default=false)",
+		"TestAlpha=true|false (ALPHA - default=false)",
+		"TestAlphaNoVersion=true|false (ALPHA - default=false)",
+		"TestBeta=true|false (BETA - default=false)",
+		"TestBetaNoVersion=true|false (BETA - default=false)",
+		"TestFastBeta=true|false (BETA - default=true)",
+		"TestLatestFastBeta=true|false (BETA - default=false), or TestLatestFastBeta=true|false (BETA - default=true) if --min-compatibility-version>=1.29",
+		"TestPreAlpha=true|false (ALPHA - default=false)",
+	}
+	assert.ElementsMatch(t, f.KnownFeatures(), knownExpected)
+
+	require.NoError(t, f.SetEmulationVersionAndMinCompatibilityVersion(version.MustParse("1.28"), version.MustParse("1.28")))
+	knownExpected = []string{
+		"AllAlpha=true|false (ALPHA - default=false)",
+		"AllBeta=true|false (BETA - default=false)",
+		"TestAlpha=true|false (ALPHA - default=false)",
+		"TestAlphaNoVersion=true|false (ALPHA - default=false)",
+		"TestBeta=true|false (BETA - default=false)",
+		"TestBetaNoVersion=true|false (BETA - default=false)",
+		"TestFastBeta=true|false (BETA - default=true)",
+	}
+	assert.ElementsMatch(t, f.KnownFeatures(), knownExpected)
+
+	require.NoError(t, f.SetEmulationVersionAndMinCompatibilityVersion(version.MustParse("1.28"), version.MustParse("1.26")))
+	knownExpected = []string{
+		"AllAlpha=true|false (ALPHA - default=false)",
+		"AllBeta=true|false (BETA - default=false)",
+		"TestAlpha=true|false (ALPHA - default=false)",
+		"TestAlphaNoVersion=true|false (ALPHA - default=false)",
+		"TestBeta=true|false (BETA - default=false)",
+		"TestBetaNoVersion=true|false (BETA - default=false)",
+		"TestFastBeta=true|false (BETA - default=false), or TestFastBeta=true|false (BETA - default=true) if --min-compatibility-version>=1.28",
+	}
+	assert.ElementsMatch(t, f.KnownFeatures(), knownExpected)
+}
+
 func TestVersionedFeatureGateMetrics(t *testing.T) {
 	// gates for testing
 	featuremetrics.ResetFeatureInfoMetric()
@@ -1315,11 +1395,11 @@ func TestVersionedFeatureGateOverrideDefault(t *testing.T) {
 		require.NoError(t, f.SetEmulationVersion(version.MustParse("1.28")))
 		if err := f.AddVersioned(map[Feature]VersionedSpecs{
 			"TestFeature1": {
-				{Version: version.MustParse("1.28"), Default: true},
+				{Version: version.MustParse("1.28"), Default: true, PreRelease: Beta},
 			},
 			"TestFeature2": {
-				{Version: version.MustParse("1.26"), Default: false},
-				{Version: version.MustParse("1.29"), Default: false},
+				{Version: version.MustParse("1.26"), Default: false, PreRelease: Alpha},
+				{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
 			},
 		}); err != nil {
 			t.Fatal(err)
@@ -1531,47 +1611,148 @@ func TestVersionedFeatureGateOverrideDefault(t *testing.T) {
 	})
 }
 
-func TestFeatureSpecAtEmulationVersion(t *testing.T) {
+func TestFeatureGateMinCompatibilityVersion(t *testing.T) {
+	const testCompatGateA Feature = "TestCompatA"
+	const testCompatGateB Feature = "TestCompatB"
+	const testCompatGateC Feature = "TestCompatC"
+
+	f := NewVersionedFeatureGateWithMinCompatibility(version.MustParse("1.30"), version.MustParse("1.27"))
+	err := f.AddVersioned(map[Feature]VersionedSpecs{
+		testCompatGateA: {
+			{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+			{Version: version.MustParse("1.30"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.30"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.30")},
+		},
+		testCompatGateB: {
+			{Version: version.MustParse("1.30"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.30"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.30")},
+		},
+		testCompatGateC: {
+			{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+			{Version: version.MustParse("1.28"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.28")},
+			{Version: version.MustParse("1.30"), Default: true, PreRelease: GA, LockToDefault: true},
+		},
+	})
+	require.NoError(t, err)
+
+	// KnownFeatures should show min-compatibility-version requirement.
+	knownExpected := []string{
+		"AllAlpha=true|false (ALPHA - default=false)",
+		"AllBeta=true|false (BETA - default=false)",
+		"TestCompatA=true|false (BETA - default=false), or TestCompatA=true|false (BETA - default=true) if --min-compatibility-version>=1.30",
+		"TestCompatB=true|false (BETA - default=false), or TestCompatB=true|false (BETA - default=true) if --min-compatibility-version>=1.30",
+		"TestCompatC=true|false (BETA - default=false)",
+	}
+	assert.ElementsMatch(t, f.KnownFeatures(), knownExpected)
+
+	// Gate is Alpha min compat version is 1.29, feature's is 1.30. Feature should be disabled.
+	assert.False(t, f.Enabled(testCompatGateA), "TestCompatA should be disabled at Alpha stage")
+	assert.False(t, f.Enabled(testCompatGateB), "TestCompatB should be disabled when its min compat version is too high")
+	assert.False(t, f.Enabled(testCompatGateC), "TestCompatC should be disabled when its min compat version is too high")
+	// Trying to override TestCompatA default should work.
+	require.NoError(t, f.OverrideDefault(testCompatGateA, true))
+	assert.True(t, f.Enabled(testCompatGateA), "TestCompatA should be enabled after overriding default")
+	// Trying to enable TestCompatA should work.
+	require.NoError(t, f.Set(string(testCompatGateA)+"=false"))
+	assert.False(t, f.Enabled(testCompatGateA), "TestCompatA should be enabled after setting it explicitly")
+	// Trying to override TestCompatB, TestCompatC default should fail.
+	require.NoError(t, f.OverrideDefault(testCompatGateB, false))
+	require.NoError(t, f.OverrideDefault(testCompatGateC, false))
+	// Trying to enable TestCompatB, TestCompatC should work.
+	require.NoError(t, f.Set(string(testCompatGateB)+"=true"))
+	require.NoError(t, f.Set(string(testCompatGateC)+"=true"))
+
+	// reset the feature gate first so no overrides or raw flags are carried over.
+	f = f.DeepCopyAndReset().(*featureGate)
+	// Now, update the gate's min compat version.
+	require.NoError(t, f.SetEmulationVersionAndMinCompatibilityVersion(version.MustParse("1.30"), version.MustParse("1.30")))
+	// KnownFeatures should not show the min-compatibility-version requirement anymore.
+	knownExpected = []string{
+		"AllAlpha=true|false (ALPHA - default=false)",
+		"AllBeta=true|false (BETA - default=false)",
+		"TestCompatA=true|false (BETA - default=true)",
+		"TestCompatB=true|false (BETA - default=true)",
+	}
+	assert.ElementsMatch(t, f.KnownFeatures(), knownExpected)
+
+	// Feature should now be enabled by default.
+	assert.True(t, f.Enabled(testCompatGateA), "TestCompatA should be Beta and enabled when its min compat version is met")
+	assert.True(t, f.Enabled(testCompatGateB), "TestCompatB should be enabled when its min compat version is met")
+	assert.True(t, f.Enabled(testCompatGateC), "TestCompatC should be enabled when its min compat version is met")
+
+	// Trying to disable feature should succeed.
+	require.NoError(t, f.Set(string(testCompatGateA)+"=false"))
+	assert.False(t, f.Enabled(testCompatGateA), "feature should be disabled")
+	require.NoError(t, f.Set(string(testCompatGateB)+"=false"))
+	assert.False(t, f.Enabled(testCompatGateB), "feature should be disabled")
+
+	require.NoError(t, f.ResetFeatureValueToDefault(testCompatGateB))
+	assert.True(t, f.Enabled(testCompatGateB), "feature should be enabled after resetting to default")
+	// Trying to override default should now succeed.
+	require.NoError(t, f.OverrideDefault(testCompatGateB, false))
+	assert.False(t, f.Enabled(testCompatGateB), "feature should be disabled by default after override default to false")
+	// Trying to override GA default should fail.
+	require.Error(t, f.OverrideDefault(testCompatGateC, false))
+	require.Error(t, f.Set(string(testCompatGateC)+"=false"))
+}
+
+func TestFeatureSpecAtEmulationAndMinCompatVersion(t *testing.T) {
 	specs := VersionedSpecs{
 		{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
-		{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
-		{Version: version.MustParse("1.29"), Default: true, PreRelease: GA},
+		{Version: version.MustParse("1.25"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.25")},
+		{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, MinCompatibilityVersion: version.MustParse("1.25")},
 	}
 	sort.Sort(specs)
 	tests := []struct {
-		cVersion string
-		expect   FeatureSpec
+		emuVer       *version.Version
+		minCompatVer *version.Version
+		expect       FeatureSpec
 	}{
 		{
-			cVersion: "1.30",
-			expect:   FeatureSpec{Version: version.MustParse("1.29"), Default: true, PreRelease: GA},
+			emuVer: version.MustParse("1.30"),
+			expect: FeatureSpec{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, MinCompatibilityVersion: version.MustParse("1.25")},
+		},
+		{
+			emuVer: version.MustParse("1.29"),
+			expect: FeatureSpec{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, MinCompatibilityVersion: version.MustParse("1.25")},
+		},
+		{
+			emuVer: version.MustParse("1.28"),
+			expect: FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.25")},
 		},
 		{
-			cVersion: "1.29",
-			expect:   FeatureSpec{Version: version.MustParse("1.29"), Default: true, PreRelease: GA},
+			emuVer: version.MustParse("1.26"),
+			expect: FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.25")},
 		},
 		{
-			cVersion: "1.28",
-			expect:   FeatureSpec{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+			emuVer:       version.MustParse("1.25"),
+			minCompatVer: version.MustParse("1.25"),
+			expect:       FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.25")},
 		},
 		{
-			cVersion: "1.27",
-			expect:   FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
+			emuVer: version.MustParse("1.25"),
+			expect: FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
 		},
 		{
-			cVersion: "1.25",
-			expect:   FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
+			emuVer: version.MustParse("1.24"),
+			expect: FeatureSpec{Version: version.MajorMinor(0, 0), Default: false, PreRelease: PreAlpha},
 		},
 		{
-			cVersion: "1.24",
-			expect:   FeatureSpec{Version: version.MajorMinor(0, 0), Default: false, PreRelease: PreAlpha},
+			emuVer:       version.MustParse("1.26"),
+			minCompatVer: version.MustParse("1.23"),
+			expect:       FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
+		},
+		{
+			emuVer:       version.MustParse("1.29"),
+			minCompatVer: version.MustParse("1.23"),
+			expect:       FeatureSpec{Version: version.MustParse("1.25"), Default: false, PreRelease: Alpha},
 		},
 	}
 	for i, test := range tests {
-		t.Run(fmt.Sprintf("featureSpecAtEmulationVersion for emulationVersion %s", test.cVersion), func(t *testing.T) {
-			result := featureSpecAtEmulationVersion(specs, version.MustParse(test.cVersion))
+		t.Run(fmt.Sprintf("featureSpecAtEmulationVersion for emulationVersion %s", test.emuVer), func(t *testing.T) {
+			result := featureSpecAtEmulationAndMinCompatVersion(specs, test.emuVer, test.minCompatVer)
 			if !reflect.DeepEqual(*result, test.expect) {
-				t.Errorf("%d: featureSpecAtEmulationVersion(, %s) Expected %v, Got %v", i, test.cVersion, test.expect, result)
+				t.Errorf("%d: featureSpecAtEmulationVersion(, %s) Expected %v, Got %v", i, test.emuVer, test.expect, result)
 			}
 		})
 	}
@@ -1888,6 +2069,191 @@ func TestAddVersioned(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "patch min compat version",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.30.1")},
+				},
+			},
+		},
+		{
+			name: "Alpha to GA",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: GA},
+				},
+			},
+		},
+		{
+			name: "GA with default false",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: GA},
+				},
+			},
+		},
+		{
+			name: "Beta to Deprecated",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Deprecated},
+				},
+			},
+		},
+		{
+			name: "Alpha to Deprecated",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Deprecated},
+				},
+			},
+		},
+		{
+			name:        "MinCompatibilityVersion > Version",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.30")},
+				},
+			},
+		},
+		{
+			name:        "decreasing minCompatibilityVersion",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Alpha, MinCompatibilityVersion: version.MustParse("1.28")},
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.27")},
+				},
+			},
+		},
+		{
+			name:        "transition without stability change",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.30"), Default: false, PreRelease: Alpha},
+				},
+			},
+		},
+		{
+			name:        "resurrect from locked",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: GA, LockToDefault: true},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: GA, LockToDefault: false},
+				},
+			},
+		},
+		{
+			name:        "no version provided",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Default: false, PreRelease: Alpha},
+				},
+			},
+		},
+		{
+			name:        "direct to Beta with minCompatibilityVersion, no preceding entry",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+				},
+			},
+		},
+		{
+			name: "direct to Beta with minCompatibilityVersion",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+				},
+			},
+		},
+		{
+			name:        "minCompatibilityVersion greater than version",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.30")},
+				},
+			},
+		},
+		{
+			name: "same version with different minCompatibilityVersion",
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: GA},
+				},
+			},
+		},
+		{
+			name:        "different version with different minCompatibilityVersion",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.28"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: GA},
+				},
+			},
+		},
+		{
+			name:        "same version with different stability",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+					{Version: version.MustParse("1.30"), Default: true, PreRelease: GA},
+				},
+			},
+		},
+		{
+			name:        "same version with different lockToDefault",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Beta},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, LockToDefault: true, MinCompatibilityVersion: version.MustParse("1.29")},
+				},
+			},
+		},
+		{
+			name:        "only minCompatibilityVersion different",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha},
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha, MinCompatibilityVersion: version.MustParse("1.29")},
+				},
+			},
+		},
+		{
+			name:        "multiple entries for the same version and minCompatibilityVersion",
+			expectError: true,
+			features: map[Feature]VersionedSpecs{
+				testAGate: {
+					{Version: version.MustParse("1.29"), Default: false, PreRelease: Alpha, MinCompatibilityVersion: version.MustParse("1.29")},
+					{Version: version.MustParse("1.29"), Default: true, PreRelease: Beta, MinCompatibilityVersion: version.MustParse("1.29")},
+				},
+			},
+		},
 	}
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("AddVersioned-%s", test.name), func(t *testing.T) {
@@ -1909,3 +2275,321 @@ func TestAddVersioned(t *testing.T) {
 		})
 	}
 }
+
+func TestAddDependencies(t *testing.T) {
+	const (
+		// Test features
+		fA       Feature = "FeatureA"
+		fB       Feature = "FeatureB"
+		fC       Feature = "FeatureC"
+		fUnknown Feature = "FeatureUnknown"
+	)
+
+	var (
+		v129 = version.MustParse("1.29")
+		v130 = version.MustParse("1.30")
+		v131 = version.MustParse("1.31")
+		v132 = version.MustParse("1.32")
+	)
+
+	testCases := []struct {
+		name        string
+		features    map[Feature]VersionedSpecs
+		initialDeps map[Feature][]Feature
+		newDeps     map[Feature][]Feature
+		expectedErr string
+		finalDeps   map[Feature][]Feature
+		closeGate   bool
+	}{
+		{
+			name: "dependency on unknown feature",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fUnknown}},
+			expectedErr: "cannot add dependency from FeatureA to unknown feature FeatureUnknown",
+		},
+		{
+			name: "unknown feature has dependency",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+			},
+			newDeps:     map[Feature][]Feature{fUnknown: {fA}},
+			expectedErr: "cannot add dependency for unknown feature FeatureUnknown",
+		},
+		{
+			name: "cycle",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+				fB: {{Version: v129}},
+				fC: {{Version: v129}},
+			},
+			newDeps: map[Feature][]Feature{
+				fA: {fB},
+				fB: {fC},
+				fC: {fA},
+			},
+			expectedErr: "cycle detected with feature",
+		},
+		{
+			name: "valid: no cycle with overlapping dependencies",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+				fB: {{Version: v129}},
+				fC: {{Version: v129}},
+			},
+			newDeps: map[Feature][]Feature{
+				fA: {fB, fC},
+				fB: {fC},
+			},
+		},
+		{
+			name: "self cycle",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fA}},
+			expectedErr: "cycle detected with feature FeatureA",
+		},
+		{
+			name: "merge dependencies",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+				fB: {{Version: v129}},
+				fC: {{Version: v129}},
+			},
+			initialDeps: map[Feature][]Feature{fA: {fB}},
+			newDeps:     map[Feature][]Feature{fA: {fC}},
+			finalDeps:   map[Feature][]Feature{fA: {fB, fC}},
+		},
+		{
+			name: "add after close",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129}},
+				fB: {{Version: v129}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			closeGate:   true,
+			expectedErr: "cannot add a feature gate dependency after adding it to the flag set",
+		},
+		{
+			name: "valid: dependency is valid across all versions",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta}, {Version: v130, PreRelease: GA}},
+				fB: {{Version: v129, PreRelease: Beta}, {Version: v130, PreRelease: GA}},
+			},
+			newDeps: map[Feature][]Feature{fA: {fB}},
+		},
+		{
+			name: "invalid: stability inversion",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta}},
+				fB: {{Version: v129, PreRelease: Alpha}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "BETA feature FeatureA cannot depend on ALPHA feature FeatureB at version 1.29",
+		},
+		{
+			name: "invalid: stability inversion at later version",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Alpha}, {Version: v130, PreRelease: Beta}},
+				fB: {{Version: v129, PreRelease: Alpha}, {Version: v130, PreRelease: Alpha, Default: true}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "BETA feature FeatureA cannot depend on ALPHA feature FeatureB at version 1.30",
+		},
+		{
+			name: "invalid: stability inversion at earlier version",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Alpha}, {Version: v130, PreRelease: Beta}, {Version: v132, PreRelease: GA}},
+				fB: {{Version: v129, PreRelease: Alpha}, {Version: v131, PreRelease: Beta}, {Version: v132, PreRelease: GA}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "BETA feature FeatureA cannot depend on ALPHA feature FeatureB at version 1.30",
+		},
+		{
+			name: "valid: alpha feature depending on pre-alpha",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Alpha}, {Version: v131, PreRelease: Beta}},
+				fB: {{Version: v130, PreRelease: Alpha}, {Version: v131, PreRelease: Beta}},
+			},
+			newDeps: map[Feature][]Feature{fA: {fB}},
+		},
+		{
+			name: "valid: default-enabled depends on default-enabled",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta, Default: true}},
+				fB: {{Version: v129, PreRelease: Beta, Default: true}},
+			},
+			newDeps: map[Feature][]Feature{fA: {fB}},
+		},
+		{
+			name: "valid: default-disabled depends on default-enabled",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta, Default: false}},
+				fB: {{Version: v129, PreRelease: Beta, Default: true}},
+			},
+			newDeps: map[Feature][]Feature{fA: {fB}},
+		},
+		{
+			name: "invalid: default-enabled depends on default-disabled",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta, Default: true}},
+				fB: {{Version: v129, PreRelease: Beta, Default: false}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "default-enabled feature FeatureA cannot depend on default-disabled feature FeatureB at version 1.29",
+		},
+		{
+			name: "invalid: default-enabled depends on default-disabled at a later version",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Alpha, Default: false}, {Version: v130, PreRelease: Beta, Default: true}},
+				fB: {{Version: v129, PreRelease: Alpha, Default: false}, {Version: v130, PreRelease: Beta, Default: false}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "default-enabled feature FeatureA cannot depend on default-disabled feature FeatureB at version 1.30",
+		},
+		{
+			name: "invalid: default-enabled depends on default-disabled at an earlier version",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: Beta, Default: true}},
+				fB: {{Version: v129, PreRelease: Beta, Default: false}, {Version: v130, PreRelease: Beta, Default: true}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "default-enabled feature FeatureA cannot depend on default-disabled feature FeatureB at version 1.29",
+		},
+		{
+			name: "valid: locked depends on locked",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: true}},
+				fB: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: true}},
+			},
+			newDeps: map[Feature][]Feature{fA: {fB}},
+		},
+		{
+			name: "invalid: locked depends on unlocked",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: true}},
+				fB: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: false}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "locked-to-default feature FeatureA cannot depend on unlocked feature FeatureB at version 1.29",
+		},
+		{
+			name: "invalid: locked depends on unlocked at a later version",
+			features: map[Feature]VersionedSpecs{
+				fA: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: false}, {Version: v130, PreRelease: GA, Default: true, LockToDefault: true}},
+				fB: {{Version: v129, PreRelease: GA, Default: true, LockToDefault: false}},
+			},
+			newDeps:     map[Feature][]Feature{fA: {fB}},
+			expectedErr: "locked-to-default feature FeatureA cannot depend on unlocked feature FeatureB at version 1.30",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			f := NewFeatureGate()
+			require.NoError(t, f.AddVersioned(tc.features))
+			if tc.initialDeps != nil {
+				require.NoError(t, f.AddDependencies(tc.initialDeps))
+			}
+			if tc.closeGate {
+				f.Close()
+			}
+
+			err := f.AddDependencies(tc.newDeps)
+
+			if tc.expectedErr != "" {
+				assert.ErrorContains(t, err, tc.expectedErr)
+			} else {
+				require.NoError(t, err)
+
+				deps := f.Dependencies()
+				finalDeps := tc.finalDeps
+				if finalDeps == nil {
+					finalDeps = tc.newDeps
+				}
+				assert.Equal(t, finalDeps, deps)
+
+				// Verify that DeepCopy clones dependencies.
+				clone := f.DeepCopy().Dependencies()
+				assert.Equal(t, deps, clone, "dependencies should identical after DeepCopy")
+			}
+		})
+	}
+}
+
+func TestValidateDependencies(t *testing.T) {
+	const (
+		featureA Feature = "FeatureA"
+		featureB Feature = "FeatureB"
+		featureC Feature = "FeatureC"
+		featureD Feature = "FeatureD"
+	)
+
+	features := map[Feature]FeatureSpec{
+		featureA: {Default: false, PreRelease: Alpha},
+		featureB: {Default: false, PreRelease: Alpha},
+		featureC: {Default: false, PreRelease: Alpha},
+		featureD: {Default: false, PreRelease: Alpha},
+	}
+
+	dependencies := map[Feature][]Feature{
+		featureA: {featureB, featureC},
+		featureB: {featureD},
+	}
+
+	testCases := []struct {
+		name        string
+		set         string
+		expectedErr string
+	}{
+		{
+			name: "all enabled",
+			set:  "FeatureA=true,FeatureB=true,FeatureC=true,FeatureD=true",
+		},
+		{
+			name:        "one dependency disabled",
+			set:         "FeatureA=true,FeatureB=false,FeatureC=true,FeatureD=true",
+			expectedErr: "FeatureA is enabled, but depends on features that are disabled: [FeatureB]",
+		},
+		{
+			name:        "another dependency disabled",
+			set:         "FeatureA=true,FeatureB=true,FeatureC=false,FeatureD=true",
+			expectedErr: "FeatureA is enabled, but depends on features that are disabled: [FeatureC]",
+		},
+		{
+			name:        "multiple dependencies disabled",
+			set:         "FeatureA=true,FeatureB=false,FeatureC=false,FeatureD=true",
+			expectedErr: "FeatureA is enabled, but depends on features that are disabled: [FeatureB FeatureC]",
+		},
+		{
+			name:        "transitive dependency disabled",
+			set:         "FeatureA=true,FeatureB=true,FeatureC=true,FeatureD=false",
+			expectedErr: "FeatureB is enabled, but depends on features that are disabled: [FeatureD]",
+		},
+		{
+			name: "feature disabled",
+			set:  "FeatureA=false,FeatureB=false,FeatureC=true,FeatureD=true",
+		},
+		{
+			name: "all disabled",
+			set:  "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			f := NewFeatureGate()
+			require.NoError(t, f.Add(features))
+			require.NoError(t, f.AddDependencies(dependencies))
+
+			err := f.Set(tc.set)
+			if tc.expectedErr == "" {
+				require.NoError(t, err)
+			} else {
+				assert.EqualError(t, err, tc.expectedErr)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/component-base/featuregate/testing/feature_gate.go b/staging/src/k8s.io/component-base/featuregate/testing/feature_gate.go
index 1d7fc46768ee8..fa72773fd283d 100644
--- a/staging/src/k8s.io/component-base/featuregate/testing/feature_gate.go
+++ b/staging/src/k8s.io/component-base/featuregate/testing/feature_gate.go
@@ -26,18 +26,21 @@ import (
 )
 
 var (
-	overrideLock                  sync.Mutex
-	featureFlagOverride           map[featuregate.Feature]string
-	emulationVersionOverride      string
-	emulationVersionOverrideValue *version.Version
+	overrideLock          sync.Mutex
+	featureFlagOverride   map[featuregate.Feature]string
+	versionsOverride      string
+	versionsOverrideValue string
 )
 
 func init() {
 	featureFlagOverride = map[featuregate.Feature]string{}
 }
 
+type FeatureOverrides = map[featuregate.Feature]bool
+
 // SetFeatureGateDuringTest sets the specified gate to the specified value for duration of the test.
 // Fails when it detects second call to the same flag or is unable to set or restore feature flag.
+// When disabling a feature, this automatically disables all dependents.
 //
 // WARNING: Can leak set variable when called in test calling t.Parallel(), however second attempt to set the same feature flag will cause fatal.
 //
@@ -46,52 +49,120 @@ func init() {
 // featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.<FeatureName>, true)
 func SetFeatureGateDuringTest(tb TB, gate featuregate.FeatureGate, f featuregate.Feature, value bool) {
 	tb.Helper()
-	detectParallelOverrideCleanup := detectParallelOverride(tb, f)
-	originalValue := gate.Enabled(f)
+	SetFeatureGatesDuringTest(tb, gate, FeatureOverrides{f: value})
+}
+
+// SetFeatureGatesDuringTest sets the specified map of feature gate values for duration of the test.
+// Fails when it detects second call to the same flag or is unable to set or restore feature flag.
+// When disabling a feature, this automatically disables all dependents that weren't explicitly set.
+//
+// WARNING: Can leak set variable when called in test calling t.Parallel(), however second attempt to set the same feature flag will cause fatal.
+//
+// Example use:
+//
+//	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+//		features.<FeatureName>: true,
+//	    features.<FeatureName>: false,
+//	})
+func SetFeatureGatesDuringTest(tb TB, gate featuregate.FeatureGate, features FeatureOverrides) {
+	tb.Helper()
 	originalEmuVer := gate.(featuregate.MutableVersionedFeatureGate).EmulationVersion()
-	originalExplicitlySet := gate.(featuregate.MutableVersionedFeatureGate).ExplicitlySet(f)
+	originalValues := map[string]bool{}
+	var originalUnset []featuregate.Feature
+	overrides := FeatureOverrides{}
 
 	// Specially handle AllAlpha and AllBeta
-	if f == "AllAlpha" || f == "AllBeta" {
+	allAlphaValue, allAlpha := features["AllAlpha"]
+	allBetaValue, allBeta := features["AllBeta"]
+	if allAlpha || allBeta {
 		// Iterate over individual gates so their individual values get restored
 		for k, v := range gate.(featuregate.MutableFeatureGate).GetAll() {
-			if k == "AllAlpha" || k == "AllBeta" {
-				continue
-			}
-			if (f == "AllAlpha" && v.PreRelease == featuregate.Alpha) || (f == "AllBeta" && v.PreRelease == featuregate.Beta) {
-				SetFeatureGateDuringTest(tb, gate, k, value)
+			if (allAlpha && v.PreRelease == featuregate.Alpha) || (allBeta && v.PreRelease == featuregate.Beta) {
+				// Setting AllAlpha or AllBeta on their own only sets unset features, but for
+				// testing we want to override ALL alpha/beta features. So we explicitly set each
+				// alpha/beta feature in addition to AllAlpha/AllBeta
+				if v.PreRelease == featuregate.Alpha {
+					overrides[k] = allAlphaValue
+				} else {
+					overrides[k] = allBetaValue
+				}
 			}
 		}
 	}
 
-	if err := gate.(featuregate.MutableFeatureGate).Set(fmt.Sprintf("%s=%v", f, value)); err != nil {
-		if s := suggestChangeEmulationVersion(tb, gate, f, value); s != "" {
-			tb.Errorf("error setting %s=%v: %v. %s", f, value, err, s)
-		} else {
-			tb.Errorf("error setting %s=%v: %v", f, value, err)
+	// Explicit features take precedence, so merge them in now.
+	for f, v := range features {
+		overrides[f] = v
+	}
+
+	// Automatically disable dependents when disabling a dependency.
+	dependencies := gate.Dependencies()
+	for f := range dependencies {
+		if _, overridden := overrides[f]; overridden || !gate.Enabled(f) {
+			continue // Don't automatically disable features that have been explicitly set.
+		}
+		// If the feature gate was default-enabled and has an explicitly
+		// disabled dependency, then automatically disable it.
+		if disabled, disabledDep := hasDisabledDependency(f, dependencies, features); disabled {
+			tb.Logf("Disabling feature %s since it depends on disabled feature %s", f, disabledDep)
+			overrides[f] = false
+		}
+	}
+
+	for f := range overrides {
+		originalValues[string(f)] = gate.Enabled(f)
+		if !gate.(featuregate.MutableVersionedFeatureGate).ExplicitlySet(f) {
+			originalUnset = append(originalUnset, f)
+		}
+		tb.Cleanup(detectParallelOverride(tb, featuregate.Feature(f)))
+	}
+
+	m := map[string]bool{}
+	for f, v := range overrides {
+		m[string(f)] = v
+	}
+	if err := gate.(featuregate.MutableFeatureGate).SetFromMap(m); err != nil {
+		tb.Errorf("Failed to set feature gates: %v", err)
+		for f, v := range features {
+			if s := suggestChangeEmulationVersion(tb, gate, f, v); s != "" {
+				tb.Errorf("error setting %s=%v: %v. %s", f, v, err, s)
+			}
 		}
 	}
 
 	tb.Cleanup(func() {
 		tb.Helper()
-		detectParallelOverrideCleanup()
 		emuVer := gate.(featuregate.MutableVersionedFeatureGate).EmulationVersion()
 		if !emuVer.EqualTo(originalEmuVer) {
 			tb.Fatalf("change of feature gate emulation version from %s to %s in the chain of SetFeatureGateDuringTest is not allowed\nuse SetFeatureGateEmulationVersionDuringTest to change emulation version in tests",
 				originalEmuVer.String(), emuVer.String())
 		}
-		if originalExplicitlySet {
-			if err := gate.(featuregate.MutableFeatureGate).Set(fmt.Sprintf("%s=%v", f, originalValue)); err != nil {
-				tb.Errorf("error restoring %s=%v: %v", f, originalValue, err)
-			}
-		} else {
+		// To avoid violating feature dependencies, first atomicaly restore all original values,
+		// then reset features that were unset (the value should be unchanged).
+		if err := gate.(featuregate.MutableVersionedFeatureGate).SetFromMap(originalValues); err != nil {
+			tb.Errorf("error restoring features %v: %v", originalValues, err)
+		}
+		for _, f := range originalUnset {
 			if err := gate.(featuregate.MutableVersionedFeatureGate).ResetFeatureValueToDefault(f); err != nil {
-				tb.Errorf("error restoring %s=%v: %v", f, originalValue, err)
+				tb.Errorf("error resetting %s: %v", f, err)
 			}
 		}
 	})
 }
 
+// hasDisabledDependency recursively walks the dependencies for feature f, and checks whether any are explicitly disabled in the features map.
+func hasDisabledDependency(f featuregate.Feature, dependencies map[featuregate.Feature][]featuregate.Feature, features map[featuregate.Feature]bool) (bool, featuregate.Feature) {
+	if enabled, set := features[f]; set {
+		return !enabled, f
+	}
+	for _, dep := range dependencies[f] {
+		if disabled, disabledDep := hasDisabledDependency(dep, dependencies, features); disabled {
+			return disabled, disabledDep
+		}
+	}
+	return false, ""
+}
+
 func suggestChangeEmulationVersion(tb TB, gate featuregate.FeatureGate, f featuregate.Feature, value bool) string {
 	mutableVersionedFeatureGate, ok := gate.(featuregate.MutableVersionedFeatureGate)
 	if !ok {
@@ -114,28 +185,45 @@ func suggestChangeEmulationVersion(tb TB, gate featuregate.FeatureGate, f featur
 	return ""
 }
 
-// SetFeatureGateEmulationVersionDuringTest sets the specified gate to the specified emulation version for duration of the test.
-// Fails when it detects second call to set a different emulation version or is unable to set or restore emulation version.
-// WARNING: Can leak set variable when called in test calling t.Parallel(), however second attempt to set a different emulation version will cause fatal.
+// SetFeatureGateVersionsDuringTest sets the specified gate to the specified emulation version and min compatibility version for duration of the test.
+// Fails when it detects second call to set a different emulation version or min compatibility version, or is unable to set or restore emulation version and min compatibility version.
+// WARNING: Can leak set variable when called in test calling t.Parallel(), however second attempt to set a different emulation version or min compatibility version will cause fatal.
 // Example use:
 
-// featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
-func SetFeatureGateEmulationVersionDuringTest(tb TB, gate featuregate.FeatureGate, ver *version.Version) {
+// featuregatetesting.SetFeatureGateVersionsDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"), version.MustParse("1.31"))
+func SetFeatureGateVersionsDuringTest(tb TB, gate featuregate.FeatureGate, emuVer, minCompatVer *version.Version) {
 	tb.Helper()
-	detectParallelOverrideCleanup := detectParallelOverrideEmulationVersion(tb, ver)
-	originalEmuVer := gate.(featuregate.MutableVersionedFeatureGate).EmulationVersion()
-	if err := gate.(featuregate.MutableVersionedFeatureGate).SetEmulationVersion(ver); err != nil {
-		tb.Fatalf("failed to set emulation version to %s during test: %v", ver.String(), err)
+	versions := fmt.Sprintf("emu=%s,min=%s", emuVer.String(), minCompatVer.String())
+	detectParallelOverrideCleanup := detectParallelOverrideVersions(tb, versions)
+
+	mutableGate := gate.(featuregate.MutableVersionedFeatureGate)
+	originalEmuVer := mutableGate.EmulationVersion()
+	originalMinCompatVer := mutableGate.MinCompatibilityVersion()
+
+	if err := mutableGate.SetEmulationVersionAndMinCompatibilityVersion(emuVer, minCompatVer); err != nil {
+		tb.Fatalf("failed to set versions (emu=%s, min=%s) during test: %v", emuVer.String(), minCompatVer.String(), err)
 	}
+
 	tb.Cleanup(func() {
 		tb.Helper()
 		detectParallelOverrideCleanup()
-		if err := gate.(featuregate.MutableVersionedFeatureGate).SetEmulationVersion(originalEmuVer); err != nil {
-			tb.Fatalf("failed to restore emulation version to %s during test", originalEmuVer.String())
+		if err := mutableGate.SetEmulationVersionAndMinCompatibilityVersion(originalEmuVer, originalMinCompatVer); err != nil {
+			tb.Fatalf("failed to restore versions (emu=%s, min=%s) during test: %v", originalEmuVer.String(), originalMinCompatVer.String(), err)
 		}
 	})
 }
 
+// SetFeatureGateEmulationVersionDuringTest sets the specified gate to the specified emulation version for duration of the test.
+// Fails when it detects second call to set a different emulation version or is unable to set or restore emulation version.
+// WARNING: Can leak set variable when called in test calling t.Parallel(), however second attempt to set a different emulation version will cause fatal.
+// Example use:
+
+// featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.31"))
+func SetFeatureGateEmulationVersionDuringTest(tb TB, gate featuregate.FeatureGate, ver *version.Version) {
+	tb.Helper()
+	SetFeatureGateVersionsDuringTest(tb, gate, ver, ver.SubtractMinor(1))
+}
+
 func detectParallelOverride(tb TB, f featuregate.Feature) func() {
 	tb.Helper()
 	overrideLock.Lock()
@@ -157,30 +245,30 @@ func detectParallelOverride(tb TB, f featuregate.Feature) func() {
 	}
 }
 
-func detectParallelOverrideEmulationVersion(tb TB, ver *version.Version) func() {
+func detectParallelOverrideVersions(tb TB, vers string) func() {
 	tb.Helper()
 	overrideLock.Lock()
 	defer overrideLock.Unlock()
-	beforeOverrideTestName := emulationVersionOverride
-	beforeOverrideValue := emulationVersionOverrideValue
-	if ver.EqualTo(beforeOverrideValue) {
+	beforeOverrideTestName := versionsOverride
+	beforeOverrideValue := versionsOverrideValue
+	if vers == beforeOverrideValue {
 		return func() {}
 	}
 	if beforeOverrideTestName != "" && !sameTestOrSubtest(tb, beforeOverrideTestName) {
-		tb.Fatalf("Detected parallel setting of a feature gate emulation version by both %q and %q", beforeOverrideTestName, tb.Name())
+		tb.Fatalf("Detected parallel setting of feature gate versions by both %q and %q", beforeOverrideTestName, tb.Name())
 	}
-	emulationVersionOverride = tb.Name()
-	emulationVersionOverrideValue = ver
+	versionsOverride = tb.Name()
+	versionsOverrideValue = vers
 
 	return func() {
 		tb.Helper()
 		overrideLock.Lock()
 		defer overrideLock.Unlock()
-		if afterOverrideTestName := emulationVersionOverride; afterOverrideTestName != tb.Name() {
-			tb.Fatalf("Detected parallel setting of a feature gate emulation version between both %q and %q", afterOverrideTestName, tb.Name())
+		if afterOverrideTestName := versionsOverride; afterOverrideTestName != tb.Name() {
+			tb.Fatalf("Detected parallel setting of feature gate versions between both %q and %q", afterOverrideTestName, tb.Name())
 		}
-		emulationVersionOverride = beforeOverrideTestName
-		emulationVersionOverrideValue = beforeOverrideValue
+		versionsOverride = beforeOverrideTestName
+		versionsOverrideValue = beforeOverrideValue
 	}
 }
 
@@ -191,6 +279,7 @@ func sameTestOrSubtest(tb TB, testName string) bool {
 
 type TB interface {
 	Cleanup(func())
+	Logf(format string, args ...any)
 	Error(args ...any)
 	Errorf(format string, args ...any)
 	Fatal(args ...any)
diff --git a/staging/src/k8s.io/component-base/featuregate/testing/feature_gate_test.go b/staging/src/k8s.io/component-base/featuregate/testing/feature_gate_test.go
index 376d721341c38..627e86da677f7 100644
--- a/staging/src/k8s.io/component-base/featuregate/testing/feature_gate_test.go
+++ b/staging/src/k8s.io/component-base/featuregate/testing/feature_gate_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package testing
 
 import (
+	"maps"
 	gotest "testing"
 
 	"github.com/stretchr/testify/assert"
@@ -159,6 +160,134 @@ func TestSetFeatureGateInTest(t *gotest.T) {
 	assert.True(t, gate.Enabled("feature"))
 }
 
+func TestSetFeatureGatesInTestWithDependencies(t *gotest.T) {
+	const (
+		alphaFeature      = "AlphaFeature"
+		alphaFeatureDep   = "AlphaFeatureDep"
+		betaOffFeature    = "BetaOffFeature"
+		betaOffFeatureDep = "BetaOffFeatureDep"
+		betaOnFeature     = "BetaOnFeature"
+		betaOnFeatureDep  = "BetaOnFeatureDep"
+		gaFeature         = "GAFeature"
+	)
+	gate := featuregate.NewFeatureGate()
+	require.NoError(t, gate.Add(map[featuregate.Feature]featuregate.FeatureSpec{
+		alphaFeature:      {PreRelease: featuregate.Alpha, Default: false},
+		alphaFeatureDep:   {PreRelease: featuregate.Alpha, Default: false},
+		betaOffFeature:    {PreRelease: featuregate.Beta, Default: false},
+		betaOffFeatureDep: {PreRelease: featuregate.Beta, Default: false},
+		betaOnFeature:     {PreRelease: featuregate.Beta, Default: true},
+		betaOnFeatureDep:  {PreRelease: featuregate.Beta, Default: true},
+		gaFeature:         {PreRelease: featuregate.GA, Default: true},
+	}))
+	require.NoError(t, gate.AddDependencies(map[featuregate.Feature][]featuregate.Feature{
+		alphaFeature:   {betaOnFeatureDep, betaOffFeatureDep, alphaFeatureDep},
+		betaOffFeature: {betaOnFeatureDep, betaOffFeatureDep},
+		betaOnFeature:  {betaOnFeatureDep},
+		gaFeature:      {},
+	}))
+
+	initialState := map[featuregate.Feature]bool{
+		"AllAlpha": false,
+		"AllBeta":  false,
+
+		alphaFeature:      false,
+		alphaFeatureDep:   false,
+		betaOffFeature:    false,
+		betaOffFeatureDep: false,
+		betaOnFeature:     true,
+		betaOnFeatureDep:  true,
+		gaFeature:         true,
+	}
+	expect(t, gate, initialState)
+
+	tests := []struct {
+		name              string
+		overrides         FeatureOverrides
+		expectedOverrides FeatureOverrides
+		expectError       bool
+	}{{
+		name:      "AllBeta",
+		overrides: FeatureOverrides{"AllBeta": true},
+		expectedOverrides: FeatureOverrides{
+			"AllBeta":         true,
+			betaOffFeature:    true,
+			betaOffFeatureDep: true,
+		},
+	}, {
+		name:      "AllBeta=false",
+		overrides: FeatureOverrides{"AllBeta": false},
+		expectedOverrides: FeatureOverrides{
+			"AllBeta":        false,
+			betaOnFeature:    false,
+			betaOnFeatureDep: false,
+		},
+	}, {
+		name:      "AllBeta+AllAlpha",
+		overrides: FeatureOverrides{"AllBeta": true, "AllAlpha": true},
+		expectedOverrides: FeatureOverrides{
+			"AllAlpha":        true,
+			"AllBeta":         true,
+			alphaFeature:      true,
+			alphaFeatureDep:   true,
+			betaOffFeature:    true,
+			betaOffFeatureDep: true,
+		},
+	}, {
+		name:        "AllAlpha",
+		overrides:   FeatureOverrides{"AllAlpha": true},
+		expectError: true,
+	}, {
+		name:      "Automatically disable deps",
+		overrides: FeatureOverrides{betaOnFeatureDep: false},
+		expectedOverrides: FeatureOverrides{
+			betaOnFeature:    false,
+			betaOnFeatureDep: false,
+		},
+	}, {
+		name:      "Don't automatically enable deps",
+		overrides: FeatureOverrides{betaOffFeatureDep: true},
+		expectedOverrides: FeatureOverrides{
+			betaOffFeatureDep: true,
+			betaOffFeature:    false,
+		},
+	}, {
+		name: "Error when disabling dependency",
+		overrides: FeatureOverrides{
+			betaOnFeature:    true, // Explicitly enabled so it's not automatically disabled.
+			betaOnFeatureDep: false,
+		},
+		expectError: true,
+	}, {
+		name: "Error when enabling dependent",
+		overrides: FeatureOverrides{
+			betaOffFeature: true,
+		},
+		expectError: true,
+	}}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *gotest.T) {
+			// Separate inner test so we can verify cleanup in the outer test.
+			t.Run("Set", func(t *gotest.T) {
+				if test.expectError {
+					fakeT := &ignoreErrorT{ignoreFatalT: &ignoreFatalT{T: t}}
+					SetFeatureGatesDuringTest(fakeT, gate, test.overrides)
+					require.True(t, fakeT.errorRecorded, "should capture error")
+					expect(t, gate, initialState)
+				} else {
+					SetFeatureGatesDuringTest(t, gate, test.overrides)
+					expectedState := maps.Clone(initialState)
+					maps.Copy(expectedState, test.expectedOverrides)
+					expect(t, gate, expectedState)
+				}
+			})
+			// Verify revert in cleanup.
+			expect(t, gate, initialState)
+		})
+	}
+}
+
 func TestSpecialGatesVersioned(t *gotest.T) {
 	originalEmulationVersion := version.MustParse("1.31")
 	gate := featuregate.NewVersionedFeatureGate(originalEmulationVersion)
@@ -427,6 +556,130 @@ func TestDetectEmulationVersionLeakToOtherSubtest(t *gotest.T) {
 	})
 }
 
+func TestSetFeatureGateVersionsInTest(t *gotest.T) {
+	t.Cleanup(cleanup)
+	originalEmuVer := version.MustParse("1.31")
+	originalMinCompatVer := version.MustParse("1.30")
+	gate := featuregate.NewVersionedFeatureGateWithMinCompatibility(originalEmuVer, originalMinCompatVer)
+
+	assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+
+	newEmuVer := version.MustParse("1.29")
+	newMinCompatVer := version.MustParse("1.27")
+
+	SetFeatureGateVersionsDuringTest(t, gate, newEmuVer, newMinCompatVer)
+	assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+
+	t.Run("Subtest", func(t *gotest.T) {
+		assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+		newerEmuVer := version.MustParse("1.27")
+		newerMinCompatVer := version.MustParse("1.26")
+		SetFeatureGateVersionsDuringTest(t, gate, newerEmuVer, newerMinCompatVer)
+		assert.True(t, gate.EmulationVersion().EqualTo(newerEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(newerMinCompatVer))
+	})
+	assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+
+	t.Run("ParallelSubtest", func(t *gotest.T) {
+		assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+		t.Parallel()
+		assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+	})
+	assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+}
+
+func TestDetectVersionsLeakToMainTest(t *gotest.T) {
+	t.Cleanup(cleanup)
+	originalEmuVer := version.MustParse("1.31")
+	originalMinCompatVer := version.MustParse("1.30")
+	gate := featuregate.NewVersionedFeatureGateWithMinCompatibility(originalEmuVer, originalMinCompatVer)
+	assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+
+	newEmuVer := version.MustParse("1.29")
+	newMinCompatVer := version.MustParse("1.28")
+
+	// Subtest setting feature gate and calling parallel will leak it out
+	t.Run("LeakingSubtest", func(t *gotest.T) {
+		fakeT := &ignoreFatalT{T: t}
+		SetFeatureGateVersionsDuringTest(fakeT, gate, newEmuVer, newMinCompatVer)
+		// Calling t.Parallel in subtest will resume the main test body
+		t.Parallel()
+		// Leaked from main test
+		assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+	})
+	// Leaked from subtest
+	assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+	fakeT := &ignoreFatalT{T: t}
+	SetFeatureGateVersionsDuringTest(fakeT, gate, originalEmuVer, originalMinCompatVer)
+	assert.True(t, fakeT.fatalRecorded)
+}
+
+func TestNoLeakFromSameVersionsToMainTest(t *gotest.T) {
+	t.Cleanup(cleanup)
+	originalEmuVer := version.MustParse("1.31")
+	originalMinCompatVer := version.MustParse("1.30")
+	gate := featuregate.NewVersionedFeatureGateWithMinCompatibility(originalEmuVer, originalMinCompatVer)
+	assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+
+	newEmuVer := version.MustParse("1.31")
+	newMinCompatVer := version.MustParse("1.30")
+
+	// Subtest setting feature gate and calling parallel will leak it out
+	t.Run("LeakingSubtest", func(t *gotest.T) {
+		SetFeatureGateVersionsDuringTest(t, gate, newEmuVer, newMinCompatVer)
+		// Calling t.Parallel in subtest will resume the main test body
+		t.Parallel()
+		// Leaked from main test
+		assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+	})
+	// Leaked from subtest
+	assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+	SetFeatureGateVersionsDuringTest(t, gate, originalEmuVer, originalMinCompatVer)
+}
+
+func TestDetectVersionsLeakToOtherSubtest(t *gotest.T) {
+	t.Cleanup(cleanup)
+	originalEmuVer := version.MustParse("1.31")
+	originalMinCompatVer := version.MustParse("1.30")
+	gate := featuregate.NewVersionedFeatureGateWithMinCompatibility(originalEmuVer, originalMinCompatVer)
+	assert.True(t, gate.EmulationVersion().EqualTo(originalEmuVer))
+	assert.True(t, gate.MinCompatibilityVersion().EqualTo(originalMinCompatVer))
+
+	subtestName := "Subtest"
+	newEmuVer := version.MustParse("1.29")
+	newMinCompatVer := version.MustParse("1.28")
+
+	// Subtest setting feature gate and calling parallel will leak it out
+	t.Run(subtestName, func(t *gotest.T) {
+		fakeT := &ignoreFatalT{T: t}
+		SetFeatureGateVersionsDuringTest(fakeT, gate, newEmuVer, newMinCompatVer)
+		t.Parallel()
+	})
+	// Add suffix to name to prevent tests with the same prefix.
+	t.Run(subtestName+"Suffix", func(t *gotest.T) {
+		// Leaked newEmulationVersion and newMinCompatibilityVersion
+		assert.True(t, gate.EmulationVersion().EqualTo(newEmuVer))
+		assert.True(t, gate.MinCompatibilityVersion().EqualTo(newMinCompatVer))
+
+		fakeT := &ignoreFatalT{T: t}
+		SetFeatureGateVersionsDuringTest(fakeT, gate, originalEmuVer, originalMinCompatVer)
+		assert.True(t, fakeT.fatalRecorded)
+	})
+}
+
 type ignoreFatalT struct {
 	*gotest.T
 	fatalRecorded bool
@@ -435,7 +688,7 @@ type ignoreFatalT struct {
 func (f *ignoreFatalT) Fatal(args ...any) {
 	f.T.Helper()
 	f.fatalRecorded = true
-	newArgs := []any{"[IGNORED]"}
+	newArgs := []any{"[IGNORED Fatal]"}
 	newArgs = append(newArgs, args...)
 	f.T.Log(newArgs...)
 }
@@ -443,11 +696,30 @@ func (f *ignoreFatalT) Fatal(args ...any) {
 func (f *ignoreFatalT) Fatalf(format string, args ...any) {
 	f.T.Helper()
 	f.fatalRecorded = true
-	f.T.Logf("[IGNORED] "+format, args...)
+	f.T.Logf("[IGNORED Fatalf] "+format, args...)
+}
+
+type ignoreErrorT struct {
+	*ignoreFatalT
+	errorRecorded bool
+}
+
+func (f *ignoreErrorT) Error(args ...any) {
+	f.T.Helper()
+	f.errorRecorded = true
+	newArgs := []any{"[IGNORED Error]"}
+	newArgs = append(newArgs, args...)
+	f.T.Log(newArgs...)
+}
+
+func (f *ignoreErrorT) Errorf(format string, args ...any) {
+	f.T.Helper()
+	f.errorRecorded = true
+	f.T.Logf("[IGNORED Errorf] "+format, args...)
 }
 
 func cleanup() {
 	featureFlagOverride = map[featuregate.Feature]string{}
-	emulationVersionOverride = ""
-	emulationVersionOverrideValue = nil
+	versionsOverride = ""
+	versionsOverrideValue = ""
 }
diff --git a/staging/src/k8s.io/component-base/go.mod b/staging/src/k8s.io/component-base/go.mod
index a61d1f857602d..9dbeab3e8f169 100644
--- a/staging/src/k8s.io/component-base/go.mod
+++ b/staging/src/k8s.io/component-base/go.mod
@@ -2,37 +2,37 @@
 
 module k8s.io/component-base
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/blang/semver/v4 v4.0.0
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/go-cmp v0.7.0
 	github.com/moby/term v0.5.0
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
-	github.com/prometheus/client_golang v1.22.0
-	github.com/prometheus/client_model v0.6.1
-	github.com/prometheus/common v0.62.0
-	github.com/prometheus/procfs v0.15.1
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
-	go.opentelemetry.io/otel v1.35.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_model v0.6.2
+	github.com/prometheus/common v0.66.1
+	github.com/prometheus/procfs v0.16.1
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
+	go.opentelemetry.io/otel v1.36.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
-	go.opentelemetry.io/otel/sdk v1.34.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
 	go.uber.org/zap v1.27.0
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/sys v0.36.0
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/sys v0.38.0
+	golang.org/x/text v0.31.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 )
 
 require (
@@ -48,7 +48,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
@@ -59,36 +58,35 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.0.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/component-base/go.sum b/staging/src/k8s.io/component-base/go.sum
index a0ef2d39436c8..a08f14f8078e3 100644
--- a/staging/src/k8s.io/component-base/go.sum
+++ b/staging/src/k8s.io/component-base/go.sum
@@ -3,6 +3,8 @@ cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1F
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
@@ -37,8 +39,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -53,8 +55,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
@@ -64,8 +64,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -80,8 +80,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -108,33 +106,32 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -145,33 +142,31 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -180,81 +175,60 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/component-base/logs/api/v1/doc.go b/staging/src/k8s.io/component-base/logs/api/v1/doc.go
index dee5335fa8e9f..fe5367f997acf 100644
--- a/staging/src/k8s.io/component-base/logs/api/v1/doc.go
+++ b/staging/src/k8s.io/component-base/logs/api/v1/doc.go
@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 // +k8s:deepcopy-gen=package
+// +k8s:openapi-model-package=io.k8s.component-base.logs.api.v1
 
 // Package v1 contains the configuration API for logging.
 //
diff --git a/staging/src/k8s.io/component-base/logs/api/v1/options.go b/staging/src/k8s.io/component-base/logs/api/v1/options.go
index 4c8a0d2c53f89..a61d142c562c6 100644
--- a/staging/src/k8s.io/component-base/logs/api/v1/options.go
+++ b/staging/src/k8s.io/component-base/logs/api/v1/options.go
@@ -138,6 +138,9 @@ func validateAndApply(c *LoggingConfiguration, options *LoggingOptions, featureG
 // can be passed when the struct is not embedded in some larger struct.
 func Validate(c *LoggingConfiguration, featureGate featuregate.FeatureGate, fldPath *field.Path) field.ErrorList {
 	errs := field.ErrorList{}
+	if c.FlushFrequency.Duration.Duration <= 0 {
+		errs = append(errs, field.Invalid(fldPath.Child("flushFrequency"), c.FlushFrequency, "Must be greater than zero"))
+	}
 	if c.Format != DefaultLogFormat {
 		// WordSepNormalizeFunc is just a guess. Commands should use it,
 		// but we cannot know for sure.
diff --git a/staging/src/k8s.io/component-base/logs/api/v1/validate_test.go b/staging/src/k8s.io/component-base/logs/api/v1/validate_test.go
index 956f225c23288..2ca4588c9fc60 100644
--- a/staging/src/k8s.io/component-base/logs/api/v1/validate_test.go
+++ b/staging/src/k8s.io/component-base/logs/api/v1/validate_test.go
@@ -19,9 +19,11 @@ package v1
 import (
 	"math"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/component-base/featuregate"
 )
@@ -145,6 +147,15 @@ func TestValidation(t *testing.T) {
 			config:      jsonOptionsEnabled,
 			featureGate: enabledFeatureGate,
 		},
+		"Invalid flush frequency": {
+			config: LoggingConfiguration{
+				Format: "text",
+				FlushFrequency: TimeOrMetaDuration{
+					Duration: metav1.Duration{Duration: -1 * time.Second},
+				},
+			},
+			expectErrors: `flushFrequency: Invalid value: -1000000000: Must be greater than zero`,
+		},
 	}
 
 	for name, test := range testcases {
@@ -153,6 +164,7 @@ func TestValidation(t *testing.T) {
 			if featureGate == nil {
 				featureGate = defaultFeatureGate
 			}
+			SetRecommendedLoggingConfiguration(&test.config)
 			err := Validate(&test.config, featureGate, test.path)
 			if len(err) == 0 {
 				if test.expectErrors != "" {
diff --git a/staging/src/k8s.io/component-base/logs/api/v1/zz_generated.model_name.go b/staging/src/k8s.io/component-base/logs/api/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e5dd5c6939ebe
--- /dev/null
+++ b/staging/src/k8s.io/component-base/logs/api/v1/zz_generated.model_name.go
@@ -0,0 +1,67 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FormatOptions) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.FormatOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JSONOptions) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.JSONOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LoggingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.LoggingConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LoggingOptions) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.LoggingOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in OutputRoutingOptions) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.OutputRoutingOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RuntimeControl) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.RuntimeControl"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TextOptions) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.TextOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TimeOrMetaDuration) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.TimeOrMetaDuration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VModuleItem) OpenAPIModelName() string {
+	return "io.k8s.component-base.logs.api.v1.VModuleItem"
+}
diff --git a/staging/src/k8s.io/component-base/logs/logreduction/logreduction.go b/staging/src/k8s.io/component-base/logs/logreduction/logreduction.go
index 6534a5a64b8ae..7146535811964 100644
--- a/staging/src/k8s.io/component-base/logs/logreduction/logreduction.go
+++ b/staging/src/k8s.io/component-base/logs/logreduction/logreduction.go
@@ -21,7 +21,7 @@ import (
 	"time"
 )
 
-var nowfunc = func() time.Time { return time.Now() }
+var nowfunc = time.Now
 
 // LogReduction provides a filter for consecutive identical log messages;
 // a message will be printed no more than once per interval.
diff --git a/staging/src/k8s.io/component-base/metrics/collector_test.go b/staging/src/k8s.io/component-base/metrics/collector_test.go
index e946171c589dd..3f779014ef605 100644
--- a/staging/src/k8s.io/component-base/metrics/collector_test.go
+++ b/staging/src/k8s.io/component-base/metrics/collector_test.go
@@ -70,7 +70,7 @@ func TestBaseCustomCollector(t *testing.T) {
 		deprecatedDesc = NewDesc("metric_deprecated", "stable deprecated metrics", []string{"name"}, nil,
 			STABLE, "1.17.0")
 		hiddenDesc = NewDesc("metric_hidden", "stable hidden metrics", []string{"name"}, nil,
-			STABLE, "1.16.0")
+			STABLE, "1.14.0")
 	)
 
 	registry := newKubeRegistry(currentVersion)
diff --git a/staging/src/k8s.io/component-base/metrics/counter.go b/staging/src/k8s.io/component-base/metrics/counter.go
index e41d5383bee64..6805bf9401768 100644
--- a/staging/src/k8s.io/component-base/metrics/counter.go
+++ b/staging/src/k8s.io/component-base/metrics/counter.go
@@ -30,7 +30,6 @@ import (
 // Counter is our internal representation for our wrapping struct around prometheus
 // counters. Counter implements both kubeCollector and CounterMetric.
 type Counter struct {
-	ctx context.Context
 	CounterMetric
 	*CounterOpts
 	lazyMetric
@@ -40,12 +39,10 @@ type Counter struct {
 // The implementation of the Metric interface is expected by testutil.GetCounterMetricValue.
 var _ Metric = &Counter{}
 
-// All supported exemplar metric types implement the metricWithExemplar interface.
-var _ metricWithExemplar = &Counter{}
-
 // exemplarCounterMetric holds a context to extract exemplar labels from, and a counter metric to attach them to. It implements the metricWithExemplar interface.
 type exemplarCounterMetric struct {
-	*Counter
+	ctx      context.Context
+	delegate CounterMetric
 }
 
 // NewCounter returns an object which satisfies the kubeCollector and CounterMetric interfaces.
@@ -107,26 +104,12 @@ func (c *Counter) initializeDeprecatedMetric() {
 
 // WithContext allows the normal Counter metric to pass in context.
 func (c *Counter) WithContext(ctx context.Context) CounterMetric {
-	c.ctx = ctx
-	return c.CounterMetric
-}
-
-// withExemplar initializes the exemplarMetric object and sets the exemplar value.
-func (c *Counter) withExemplar(v float64) {
-	(&exemplarCounterMetric{c}).withExemplar(v)
-}
-
-func (c *Counter) Add(v float64) {
-	c.withExemplar(v)
-}
-
-func (c *Counter) Inc() {
-	c.withExemplar(1)
+	return &exemplarCounterMetric{ctx: ctx, delegate: c.CounterMetric}
 }
 
-// withExemplar attaches an exemplar to the metric.
-func (e *exemplarCounterMetric) withExemplar(v float64) {
-	if m, ok := e.CounterMetric.(prometheus.ExemplarAdder); ok {
+// Add attaches an exemplar to the metric and then calls the delegate.
+func (e *exemplarCounterMetric) Add(v float64) {
+	if m, ok := e.delegate.(prometheus.ExemplarAdder); ok {
 		maybeSpanCtx := trace.SpanContextFromContext(e.ctx)
 		if maybeSpanCtx.IsValid() && maybeSpanCtx.IsSampled() {
 			exemplarLabels := prometheus.Labels{
@@ -138,7 +121,12 @@ func (e *exemplarCounterMetric) withExemplar(v float64) {
 		}
 	}
 
-	e.CounterMetric.Add(v)
+	e.delegate.Add(v)
+}
+
+// Inc attaches an exemplar to the metric and then calls the delegate.
+func (e *exemplarCounterMetric) Inc() {
+	e.Add(1)
 }
 
 // CounterVec is the internal representation of our wrapping struct around prometheus
diff --git a/staging/src/k8s.io/component-base/metrics/counter_test.go b/staging/src/k8s.io/component-base/metrics/counter_test.go
index 2afcc4d63044c..66162c38e3ad8 100644
--- a/staging/src/k8s.io/component-base/metrics/counter_test.go
+++ b/staging/src/k8s.io/component-base/metrics/counter_test.go
@@ -19,27 +19,36 @@ package metrics
 import (
 	"bytes"
 	"context"
+	"sync"
 	"testing"
 
-	"github.com/blang/semver/v4"
 	dto "github.com/prometheus/client_model/go"
 	"github.com/prometheus/common/expfmt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel/trace"
+	tracenoop "go.opentelemetry.io/otel/trace/noop"
 
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 )
 
 func TestCounter(t *testing.T) {
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*CounterOpts
+		currentVersion      apimachineryversion.Info
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			CounterOpts: &CounterOpts{
 				Namespace:      "namespace",
 				Name:           "metric_test_name",
@@ -51,7 +60,32 @@ func TestCounter(t *testing.T) {
 			expectedHelp:        "[ALPHA] counter help",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "counter help",
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] counter help",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "counter help",
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] counter help",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			CounterOpts: &CounterOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
@@ -60,30 +94,78 @@ func TestCounter(t *testing.T) {
 				StabilityLevel:    ALPHA,
 				DeprecatedVersion: "1.15.0",
 			},
+			expectedMetricCount: 0,
+			expectedHelp:        "counter help",
+		},
+		{
+			desc: "BETA metric deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "counter help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.15.0",
+			},
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) counter help",
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) counter help",
 		},
 		{
-			desc: "Test hidden",
+			desc: "STABLE metric deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "counter help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.14.0",
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] (Deprecated since 1.14.0) counter help",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
 			CounterOpts: &CounterOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
 				Help:              "counter help",
 				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.15.0",
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "counter help",
+		},
+		{
+			desc: "BETA metric hidden",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "counter help",
+				StabilityLevel:    BETA,
 				DeprecatedVersion: "1.14.0",
 			},
+			expectedMetricCount: 0},
+		{
+			desc: "STABLE metric hidden",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "counter help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.12.0",
+			},
 			expectedMetricCount: 0,
+			expectedHelp:        "counter help",
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			// c is a pointer to a Counter
 			c := NewCounter(test.CounterOpts)
 			registry.MustRegister(c)
@@ -118,45 +200,110 @@ func TestCounter(t *testing.T) {
 }
 
 func TestCounterVec(t *testing.T) {
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*CounterOpts
 		labels                    []string
-		registryVersion           *semver.Version
 		expectedMetricFamilyCount int
 		expectedHelp              string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			CounterOpts: &CounterOpts{
-				Namespace: "namespace",
-				Name:      "metric_test_name",
-				Subsystem: "subsystem",
-				Help:      "counter help",
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "counter help",
 			},
 			labels:                    []string{"label_a", "label_b"},
 			expectedMetricFamilyCount: 1,
 			expectedHelp:              "[ALPHA] counter help",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "counter help",
+			},
+			labels:                    []string{"label_a", "label_b"},
+			expectedMetricFamilyCount: 1,
+			expectedHelp:              "[BETA] counter help",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "counter help",
+			},
+			labels:                    []string{"label_a", "label_b"},
+			expectedMetricFamilyCount: 1,
+			expectedHelp:              "[STABLE] counter help",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "counter help",
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:                    []string{"label_a", "label_b"},
+			expectedMetricFamilyCount: 0,
+			expectedHelp:              "counter help",
+		},
+		{
+			desc: "BETA metric deprecated",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "counter help",
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:                    []string{"label_a", "label_b"},
+			expectedMetricFamilyCount: 1,
+			expectedHelp:              "[BETA] (Deprecated since 1.15.0) counter help",
+		},
+		{
+			desc: "STABLE metric deprecated",
 			CounterOpts: &CounterOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
 				Help:              "counter help",
 				DeprecatedVersion: "1.15.0",
 			},
 			labels:                    []string{"label_a", "label_b"},
 			expectedMetricFamilyCount: 1,
-			expectedHelp:              "[ALPHA] (Deprecated since 1.15.0) counter help",
+			expectedHelp:              "[STABLE] (Deprecated since 1.15.0) counter help",
 		},
+		// Hidden metrics
 		{
-			desc: "Test hidden",
+			desc: "ALPHA metric hidden",
 			CounterOpts: &CounterOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "counter help",
 				DeprecatedVersion: "1.14.0",
 			},
@@ -165,27 +312,38 @@ func TestCounterVec(t *testing.T) {
 			expectedHelp:              "counter help",
 		},
 		{
-			desc: "Test alpha",
+			desc: "BETA metric hidden",
 			CounterOpts: &CounterOpts{
-				StabilityLevel: ALPHA,
-				Namespace:      "namespace",
-				Name:           "metric_test_name",
-				Subsystem:      "subsystem",
-				Help:           "counter help",
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "counter help",
+				DeprecatedVersion: "1.14.0",
 			},
 			labels:                    []string{"label_a", "label_b"},
-			expectedMetricFamilyCount: 1,
-			expectedHelp:              "[ALPHA] counter help",
+			expectedMetricFamilyCount: 0,
+			expectedHelp:              "counter help",
+		},
+		{
+			desc: "STABLE metric hidden",
+			CounterOpts: &CounterOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "counter help",
+				DeprecatedVersion: "1.12.0",
+			},
+			labels:                    []string{"label_a", "label_b"},
+			expectedMetricFamilyCount: 0,
+			expectedHelp:              "counter help",
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewCounterVec(test.CounterOpts, test.labels)
 			registry.MustRegister(c)
 			c.WithLabelValues("1", "2").Inc()
@@ -314,7 +472,6 @@ func TestCounterWithExemplar(t *testing.T) {
 		Name: "metric_exemplar_test",
 		Help: "helpless",
 	})
-	_ = counter.WithContext(ctxForSpanCtx)
 
 	// Register counter.
 	registry := newKubeRegistry(apimachineryversion.Info{
@@ -325,9 +482,9 @@ func TestCounterWithExemplar(t *testing.T) {
 	registry.MustRegister(counter)
 
 	// Call underlying exemplar methods.
-	counter.Add(toAdd)
-	counter.Inc()
-	counter.Inc()
+	counter.WithContext(ctxForSpanCtx).Add(toAdd)
+	counter.WithContext(ctxForSpanCtx).Inc()
+	counter.WithContext(ctxForSpanCtx).Inc()
 
 	// Gather.
 	mfs, err := registry.Gather()
@@ -382,3 +539,118 @@ func TestCounterWithExemplar(t *testing.T) {
 		}
 	}
 }
+
+// TestCounterConcurrentWithContextRace reproduces the race condition in Counter.WithContext
+// where c.ctx is written concurrently with reads in withExemplar method.
+// This test simulates the real authentication flow that triggers the race:
+// x509.AuthenticateRequest -> union.AuthenticateRequest -> group.AuthenticateRequest
+func TestCounterConcurrentWithContextRace(t *testing.T) {
+	opts := &CounterOpts{
+		Namespace: "apiserver",
+		Subsystem: "authentication",
+		Name:      "requests_total",
+		Help:      "Authentication requests counter for race condition testing",
+	}
+
+	c := NewCounter(opts)
+
+	// Force initialization by calling initializeMetric directly
+	c.initializeMetric()
+
+	// Create contexts with trace spans to trigger exemplar code path
+	ctx1, span1 := createContextWithSpanCounter("x509-auth", "authenticate-request")
+	defer span1.End()
+	ctx2, span2 := createContextWithSpanCounter("union-auth", "union-authenticate")
+	defer span2.End()
+
+	var wg sync.WaitGroup
+	iterations := 10000 // Increase iterations to make race more likely
+
+	// Goroutine 1: Simulate x509 Authenticator calling WithContext
+	// This matches: x509.(*Authenticator).AuthenticateRequest() calling WithContext
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate authentication request processing
+			simulateX509AuthenticateRequestCounter(c, ctx1, i)
+		}
+	}()
+
+	// Goroutine 2: Simulate concurrent Add/Inc calls (metrics collection)
+	// This matches the withExemplar/Add path that reads c.ctx
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			c.Add(float64(i % 10))
+			if i%2 == 0 {
+				c.Inc()
+			}
+		}
+	}()
+
+	// Goroutine 3: Simulate union AuthenticateRequest calling WithContext
+	// This matches: union.(*unionAuthRequestHandler).AuthenticateRequest()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate union authentication processing
+			simulateUnionAuthenticateRequestCounter(c, ctx2, i)
+		}
+	}()
+
+	// Goroutine 4: Simulate group AuthenticateRequest calling WithContext
+	// This matches: group.(*AuthenticatedGroupAdder).AuthenticateRequest()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate group authentication processing
+			simulateGroupAuthenticateRequestCounter(c, ctx1, ctx2, i)
+		}
+	}()
+
+	wg.Wait()
+}
+
+// simulateX509AuthenticateRequestCounter simulates the call path from x509 authenticator
+func simulateX509AuthenticateRequestCounter(c CounterMetric, ctx context.Context, iteration int) {
+	// Simulate the authentication request processing that calls WithContext
+	if cWithCtx, ok := c.(*Counter); ok {
+		cWithCtx.WithContext(ctx)
+	}
+}
+
+// simulateUnionAuthenticateRequestCounter simulates the call path from union authenticator
+func simulateUnionAuthenticateRequestCounter(c CounterMetric, ctx context.Context, iteration int) {
+	// Simulate union authentication processing
+	if cWithCtx, ok := c.(*Counter); ok {
+		cWithCtx.WithContext(ctx)
+	}
+}
+
+// simulateGroupAuthenticateRequestCounter simulates the call path from group authenticator
+func simulateGroupAuthenticateRequestCounter(c CounterMetric, ctx1, ctx2 context.Context, iteration int) {
+	// Alternate between contexts to simulate different authentication scenarios
+	ctx := ctx1
+	if iteration%3 == 0 {
+		ctx = ctx2
+	}
+
+	if cWithCtx, ok := c.(*Counter); ok {
+		cWithCtx.WithContext(ctx)
+	}
+}
+
+// Helper function to create a context with a valid trace span
+func createContextWithSpanCounter(traceID, spanID string) (context.Context, trace.Span) {
+	ctx := context.Background()
+
+	// Create a noop tracer and span for testing
+	tracer := tracenoop.NewTracerProvider().Tracer("test")
+	ctx, span := tracer.Start(ctx, "test-span")
+
+	return ctx, span
+}
diff --git a/staging/src/k8s.io/component-base/metrics/desc.go b/staging/src/k8s.io/component-base/metrics/desc.go
index 2ca9cfa7c2184..f921be6156cfb 100644
--- a/staging/src/k8s.io/component-base/metrics/desc.go
+++ b/staging/src/k8s.io/component-base/metrics/desc.go
@@ -107,20 +107,18 @@ func (d *Desc) DeprecatedVersion() *semver.Version {
 
 }
 
-func (d *Desc) determineDeprecationStatus(version semver.Version) {
-	selfVersion := d.DeprecatedVersion()
-	if selfVersion == nil {
+func (d *Desc) determineDeprecationStatus(currentVersion semver.Version) {
+	deprecatedVersion := d.DeprecatedVersion()
+	if deprecatedVersion == nil {
 		return
 	}
 	d.markDeprecationOnce.Do(func() {
-		if selfVersion.LTE(version) {
-			d.isDeprecated = true
-		}
-		if ShouldShowHidden() {
-			klog.Warningf("Hidden metrics(%s) have been manually overridden, showing this very deprecated metric.", d.fqName)
-			return
-		}
-		if shouldHide(&version, selfVersion) {
+		d.isDeprecated = isDeprecated(currentVersion, *deprecatedVersion)
+		if shouldHide(d.stabilityLevel, &currentVersion, deprecatedVersion) {
+			if shouldShowHidden() {
+				klog.Warningf("Hidden metrics(%s) have been manually overridden, showing this very deprecated metric.", d.fqName)
+				return
+			}
 			// TODO(RainbowMango): Remove this log temporarily. https://github.com/kubernetes/kubernetes/issues/85369
 			// klog.Warningf("This metric(%s) has been deprecated for more than one release, hiding.", d.fqName)
 			d.isHidden = true
diff --git a/staging/src/k8s.io/component-base/metrics/desc_test.go b/staging/src/k8s.io/component-base/metrics/desc_test.go
index b96791bcb4d05..17102a131ae0e 100644
--- a/staging/src/k8s.io/component-base/metrics/desc_test.go
+++ b/staging/src/k8s.io/component-base/metrics/desc_test.go
@@ -72,7 +72,7 @@ func TestDescCreate(t *testing.T) {
 			fqName:                "hidden_stable_descriptor",
 			help:                  "this is a hidden descriptor",
 			stabilityLevel:        STABLE,
-			deprecatedVersion:     "1.16.0",
+			deprecatedVersion:     "1.14.0",
 			shouldCreate:          false,
 			expectedAnnotatedHelp: "this is a hidden descriptor", // hidden descriptor shall not be annotated.
 		},
diff --git a/staging/src/k8s.io/component-base/metrics/features/kube_features.go b/staging/src/k8s.io/component-base/metrics/features/kube_features.go
index 5f41802cba203..b2f8c65275f49 100644
--- a/staging/src/k8s.io/component-base/metrics/features/kube_features.go
+++ b/staging/src/k8s.io/component-base/metrics/features/kube_features.go
@@ -17,26 +17,11 @@ limitations under the License.
 package features
 
 import (
-	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/component-base/featuregate"
 )
 
-const (
-	// owner: @logicalhan
-	// kep: https://kep.k8s.io/3466
-	ComponentSLIs featuregate.Feature = "ComponentSLIs"
-)
-
 func featureGates() map[featuregate.Feature]featuregate.VersionedSpecs {
-	return map[featuregate.Feature]featuregate.VersionedSpecs{
-		ComponentSLIs: {
-			{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
-			{Version: version.MustParse("1.27"), Default: true, PreRelease: featuregate.Beta},
-			// ComponentSLIs officially graduated to GA in v1.29 but the gate was not updated until v1.32.
-			// To support emulated versions, keep the gate until v1.35.
-			{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-		},
-	}
+	return map[featuregate.Feature]featuregate.VersionedSpecs{}
 }
 
 // AddFeatureGates adds all feature gates used by this package.
diff --git a/staging/src/k8s.io/component-base/metrics/gauge.go b/staging/src/k8s.io/component-base/metrics/gauge.go
index 0d6c8b7fbfd18..20982f67df45f 100644
--- a/staging/src/k8s.io/component-base/metrics/gauge.go
+++ b/staging/src/k8s.io/component-base/metrics/gauge.go
@@ -161,6 +161,17 @@ func (v *GaugeVec) WithLabelValuesChecked(lvs ...string) (GaugeMetric, error) {
 	return v.GetMetricWithLabelValues(lvs...)
 }
 
+func (v *GaugeVec) DeleteLabelValuesChecked(lvs ...string) (bool, error) {
+	if !v.IsCreated() {
+		if v.IsHidden() {
+			return false, nil
+		}
+		return false, errNotRegistered
+	}
+
+	return v.GaugeVec.DeleteLabelValues(lvs...), nil
+}
+
 // Default Prometheus Vec behavior is that member extraction results in creation of a new element
 // if one with the unique label values is not found in the underlying stored metricMap.
 // This means  that if this function is called but the underlying metric is not registered
@@ -184,6 +195,14 @@ func (v *GaugeVec) WithLabelValues(lvs ...string) GaugeMetric {
 	panic(err)
 }
 
+func (v *GaugeVec) DeleteLabelValues(lvs ...string) bool {
+	ans, err := v.DeleteLabelValuesChecked(lvs...)
+	if err == nil || ErrIsNotRegistered(err) {
+		return ans
+	}
+	panic(err)
+}
+
 func (v *GaugeVec) WithChecked(labels map[string]string) (GaugeMetric, error) {
 	if !v.IsCreated() {
 		if v.IsHidden() {
diff --git a/staging/src/k8s.io/component-base/metrics/gauge_test.go b/staging/src/k8s.io/component-base/metrics/gauge_test.go
index d41baebb8f1dc..f20be35244f2a 100644
--- a/staging/src/k8s.io/component-base/metrics/gauge_test.go
+++ b/staging/src/k8s.io/component-base/metrics/gauge_test.go
@@ -20,7 +20,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/blang/semver/v4"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -29,49 +28,132 @@ import (
 )
 
 func TestGauge(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*GaugeOpts
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			GaugeOpts: &GaugeOpts{
-				Namespace: "namespace",
-				Name:      "metric_test_name",
-				Subsystem: "subsystem",
-				Help:      "gauge help",
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "gauge help",
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] gauge help",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: BETA,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] gauge help",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: STABLE,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] gauge help",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "gauge help",
+				DeprecatedVersion: "1.15.0",
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
+		},
+		{
+			desc: "BETA metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "gauge help",
+				DeprecatedVersion: "1.15.0",
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) gauge help",
+		},
+		{
+			desc: "STABLE metric deprecated",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
 				Help:              "gauge help",
+				StabilityLevel:    STABLE,
 				DeprecatedVersion: "1.15.0",
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) gauge help",
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) gauge help",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "gauge help",
+				DeprecatedVersion: "1.14.0",
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
 		},
 		{
-			desc: "Test hidden",
+			desc: "BETA metric hidden",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
 				Help:              "gauge help",
 				DeprecatedVersion: "1.14.0",
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
+		},
+		{
+			desc: "STABLE metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.12.0",
+			},
 			expectedMetricCount: 0,
 			expectedHelp:        "gauge help",
 		},
@@ -79,11 +161,7 @@ func TestGauge(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewGauge(test.GaugeOpts)
 			registry.MustRegister(c)
 
@@ -113,17 +191,22 @@ func TestGauge(t *testing.T) {
 }
 
 func TestGaugeVec(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*GaugeOpts
 		labels              []string
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			GaugeOpts: &GaugeOpts{
 				Namespace: "namespace",
 				Name:      "metric_test_name",
@@ -131,12 +214,38 @@ func TestGaugeVec(t *testing.T) {
 				Help:      "gauge help",
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] gauge help",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: BETA,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] gauge help",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: STABLE,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] gauge help",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
@@ -145,21 +254,76 @@ func TestGaugeVec(t *testing.T) {
 				DeprecatedVersion: "1.15.0",
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
+		},
+		{
+			desc: "BETA metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) gauge help",
+		},
+		{
+			desc: "STABLE metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) gauge help",
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) gauge help",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
 		},
 		{
-			desc: "Test hidden",
+			desc: "BETA metric hidden",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
 				Help:              "gauge help",
+				StabilityLevel:    BETA,
 				DeprecatedVersion: "1.14.0",
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "gauge help",
+		},
+		{
+			desc: "STABLE metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.12.0",
+			},
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 0,
 			expectedHelp:        "gauge help",
 		},
@@ -167,11 +331,7 @@ func TestGaugeVec(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewGaugeVec(test.GaugeOpts, test.labels)
 			registry.MustRegister(c)
 			c.WithLabelValues("1", "2").Set(1.0)
@@ -196,7 +356,7 @@ func TestGaugeVec(t *testing.T) {
 }
 
 func TestGaugeFunc(t *testing.T) {
-	currentVersion := apimachineryversion.Info{
+	version1_15Alpha1 := apimachineryversion.Info{
 		Major:      "1",
 		Minor:      "17",
 		GitVersion: "v1.17.0-alpha-1.12345",
@@ -211,13 +371,15 @@ func TestGaugeFunc(t *testing.T) {
 		*GaugeOpts
 		expectedMetrics string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			GaugeOpts: &GaugeOpts{
-				Namespace: "namespace",
-				Subsystem: "subsystem",
-				Name:      "metric_non_deprecated",
-				Help:      "gauge help",
+				Namespace:      "namespace",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Name:           "metric_non_deprecated",
+				Help:           "gauge help",
 			},
 			expectedMetrics: `
 # HELP namespace_subsystem_metric_non_deprecated [ALPHA] gauge help
@@ -226,38 +388,122 @@ namespace_subsystem_metric_non_deprecated 1
 			`,
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Name:           "metric_non_deprecated",
+				Help:           "gauge help",
+			},
+			expectedMetrics: `
+# HELP namespace_subsystem_metric_non_deprecated [BETA] gauge help
+# TYPE namespace_subsystem_metric_non_deprecated gauge
+namespace_subsystem_metric_non_deprecated 1
+			`,
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:      "namespace",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Name:           "metric_non_deprecated",
+				Help:           "gauge help",
+			},
+			expectedMetrics: `
+# HELP namespace_subsystem_metric_non_deprecated [STABLE] gauge help
+# TYPE namespace_subsystem_metric_non_deprecated gauge
+namespace_subsystem_metric_non_deprecated 1
+			`,
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Subsystem:         "subsystem",
 				Name:              "metric_deprecated",
 				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
 				DeprecatedVersion: "1.17.0",
 			},
-			expectedMetrics: `
-# HELP namespace_subsystem_metric_deprecated [ALPHA] (Deprecated since 1.17.0) gauge help
+			expectedMetrics: "",
+		},
+		{
+			desc: "BETA metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Subsystem:         "subsystem",
+				Name:              "metric_deprecated",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.17.0",
+			},
+			expectedMetrics: `# HELP namespace_subsystem_metric_deprecated [BETA] (Deprecated since 1.17.0) gauge help
 # TYPE namespace_subsystem_metric_deprecated gauge
 namespace_subsystem_metric_deprecated 1
-`,
+			`,
 		},
 		{
-			desc: "Test hidden",
+			desc: "STABLE metric deprecated",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Subsystem:         "subsystem",
+				Name:              "metric_deprecated",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.17.0",
+			},
+			expectedMetrics: `# HELP namespace_subsystem_metric_deprecated [STABLE] (Deprecated since 1.17.0) gauge help
+# TYPE namespace_subsystem_metric_deprecated gauge
+namespace_subsystem_metric_deprecated 1
+			`,
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
 			GaugeOpts: &GaugeOpts{
 				Namespace:         "namespace",
 				Subsystem:         "subsystem",
 				Name:              "metric_hidden",
 				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.17.0",
+			},
+			expectedMetrics: "",
+		},
+		{
+			desc: "BETA metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Subsystem:         "subsystem",
+				Name:              "metric_hidden",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
 				DeprecatedVersion: "1.16.0",
 			},
 			expectedMetrics: "",
 		},
+		{
+			desc: "STABLE metric hidden",
+			GaugeOpts: &GaugeOpts{
+				Namespace:         "namespace",
+				Subsystem:         "subsystem",
+				Name:              "metric_hidden",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.14.0",
+			},
+			expectedMetrics: "",
+		},
 	}
 
 	for _, test := range tests {
 		tc := test
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(currentVersion)
-			gauge := newGaugeFunc(tc.GaugeOpts, function, parseVersion(currentVersion))
+			registry := newKubeRegistry(version1_15Alpha1)
+			gauge := newGaugeFunc(tc.GaugeOpts, function, parseVersion(version1_15Alpha1))
 			if gauge != nil { // hidden metrics will not be initialize, register is not allowed
 				registry.RawMustRegister(gauge)
 			}
@@ -347,3 +593,378 @@ func TestGaugeWithLabelValueAllowList(t *testing.T) {
 		})
 	}
 }
+
+func TestGaugeVecDeleteLabelValues(t *testing.T) {
+	version := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+	var tests = []struct {
+		desc               string
+		opts               *GaugeOpts
+		labels             []string
+		expectMetricExists bool
+		expectDelete       bool
+	}{
+		// Non-deprecated metrics
+		{
+			desc: "ALPHA metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: ALPHA,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "BETA metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: BETA,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: STABLE,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "BETA metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "STABLE metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "BETA metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "STABLE metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.12.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.desc, func(t *testing.T) {
+			registry := newKubeRegistry(version)
+			gv := NewGaugeVec(test.opts, test.labels)
+			registry.MustRegister(gv)
+			gv.WithLabelValues("foo", "bar").Set(42)
+
+			ms, err := registry.Gather()
+			require.NoError(t, err)
+			found := false
+			for _, mf := range ms {
+				if *mf.Name == BuildFQName(test.opts.Namespace, test.opts.Subsystem, test.opts.Name) {
+					for _, m := range mf.GetMetric() {
+						for _, l := range m.Label {
+							if *l.Name == "label_a" && *l.Value == "foo" {
+								found = true
+							}
+						}
+					}
+				}
+			}
+			assert.Equal(t, test.expectMetricExists, found, "Metric existence mismatch before deletion")
+
+			deleted := gv.DeleteLabelValues("foo", "bar")
+			assert.Equal(t, test.expectDelete, deleted, "DeleteLabelValues return mismatch")
+
+			// Confirm it no longer exists
+			ms, err = registry.Gather()
+			require.NoError(t, err)
+			found = false
+			for _, mf := range ms {
+				if *mf.Name == BuildFQName(test.opts.Namespace, test.opts.Subsystem, test.opts.Name) {
+					for _, m := range mf.GetMetric() {
+						for _, l := range m.Label {
+							if *l.Name == "label_a" && *l.Value == "foo" {
+								found = true
+							}
+						}
+					}
+				}
+			}
+			assert.False(t, found, "Metric with label values should not exist after deletion")
+		})
+	}
+}
+
+func TestGaugeVecDeleteLabelValuesChecked(t *testing.T) {
+	version := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+	var tests = []struct {
+		desc               string
+		opts               *GaugeOpts
+		labels             []string
+		expectMetricExists bool
+		expectDelete       bool
+	}{
+		// Non-deprecated metrics
+		{
+			desc: "ALPHA metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_checked_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: ALPHA,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "BETA metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_checked_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: BETA,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			opts: &GaugeOpts{
+				Namespace:      "namespace",
+				Name:           "metric_delete_checked_table",
+				Subsystem:      "subsystem",
+				Help:           "gauge help",
+				StabilityLevel: STABLE,
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "BETA metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		{
+			desc: "STABLE metric deprecated",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: true,
+			expectDelete:       true,
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    ALPHA,
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "BETA metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    BETA,
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+		{
+			desc: "STABLE metric hidden",
+			opts: &GaugeOpts{
+				Namespace:         "namespace",
+				Name:              "metric_delete_checked_table",
+				Subsystem:         "subsystem",
+				Help:              "gauge help",
+				StabilityLevel:    STABLE,
+				DeprecatedVersion: "1.12.0",
+			},
+			labels:             []string{"label_a", "label_b"},
+			expectMetricExists: false,
+			expectDelete:       false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.desc, func(t *testing.T) {
+			registry := newKubeRegistry(version)
+			gv := NewGaugeVec(test.opts, test.labels)
+			registry.MustRegister(gv)
+			gv.WithLabelValues("foo", "bar").Set(42)
+
+			ms, err := registry.Gather()
+			require.NoError(t, err)
+			found := false
+			for _, mf := range ms {
+				if *mf.Name == BuildFQName(test.opts.Namespace, test.opts.Subsystem, test.opts.Name) {
+					for _, m := range mf.GetMetric() {
+						for _, l := range m.Label {
+							if *l.Name == "label_a" && *l.Value == "foo" {
+								found = true
+							}
+						}
+					}
+				}
+			}
+			assert.Equal(t, test.expectMetricExists, found, "Metric existence mismatch before deletion")
+
+			deleted, err := gv.DeleteLabelValuesChecked("foo", "bar")
+			assert.Equal(t, test.expectDelete, deleted, "DeleteLabelValuesChecked return mismatch")
+			require.NoError(t, err, "DeleteLabelValuesChecked should not return error")
+
+			// Confirm it no longer exists
+			ms, err = registry.Gather()
+			require.NoError(t, err)
+			found = false
+			for _, mf := range ms {
+				if *mf.Name == BuildFQName(test.opts.Namespace, test.opts.Subsystem, test.opts.Name) {
+					for _, m := range mf.GetMetric() {
+						for _, l := range m.Label {
+							if *l.Name == "label_a" && *l.Value == "foo" {
+								found = true
+							}
+						}
+					}
+				}
+			}
+			assert.False(t, found, "Metric with label values should not exist after deletion")
+		})
+	}
+}
diff --git a/staging/src/k8s.io/component-base/metrics/histogram.go b/staging/src/k8s.io/component-base/metrics/histogram.go
index b410951b67832..73b56d1b80e0e 100644
--- a/staging/src/k8s.io/component-base/metrics/histogram.go
+++ b/staging/src/k8s.io/component-base/metrics/histogram.go
@@ -28,7 +28,6 @@ import (
 // Histogram is our internal representation for our wrapping struct around prometheus
 // histograms. Summary implements both kubeCollector and ObserverMetric
 type Histogram struct {
-	ctx context.Context
 	ObserverMetric
 	*HistogramOpts
 	lazyMetric
@@ -37,7 +36,8 @@ type Histogram struct {
 
 // exemplarHistogramMetric holds a context to extract exemplar labels from, and a historgram metric to attach them to. It implements the metricWithExemplar interface.
 type exemplarHistogramMetric struct {
-	*Histogram
+	ctx      context.Context
+	delegate ObserverMetric
 }
 
 type exemplarHistogramVec struct {
@@ -45,18 +45,9 @@ type exemplarHistogramVec struct {
 	observer prometheus.Observer
 }
 
-func (h *Histogram) Observe(v float64) {
-	h.withExemplar(v)
-}
-
-// withExemplar initializes the exemplarMetric object and sets the exemplar value.
-func (h *Histogram) withExemplar(v float64) {
-	(&exemplarHistogramMetric{h}).withExemplar(v)
-}
-
-// withExemplar attaches an exemplar to the metric.
-func (e *exemplarHistogramMetric) withExemplar(v float64) {
-	if m, ok := e.Histogram.ObserverMetric.(prometheus.ExemplarObserver); ok {
+// Observe attaches an exemplar to the metric and then calls the delegate.
+func (e *exemplarHistogramMetric) Observe(v float64) {
+	if m, ok := e.delegate.(prometheus.ExemplarObserver); ok {
 		maybeSpanCtx := trace.SpanContextFromContext(e.ctx)
 		if maybeSpanCtx.IsValid() && maybeSpanCtx.IsSampled() {
 			exemplarLabels := prometheus.Labels{
@@ -68,7 +59,7 @@ func (e *exemplarHistogramMetric) withExemplar(v float64) {
 		}
 	}
 
-	e.ObserverMetric.Observe(v)
+	e.delegate.Observe(v)
 }
 
 // NewHistogram returns an object which is Histogram-like. However, nothing
@@ -113,8 +104,7 @@ func (h *Histogram) initializeDeprecatedMetric() {
 
 // WithContext allows the normal Histogram metric to pass in context. The context is no-op now.
 func (h *Histogram) WithContext(ctx context.Context) ObserverMetric {
-	h.ctx = ctx
-	return h.ObserverMetric
+	return &exemplarHistogramMetric{ctx: ctx, delegate: h.ObserverMetric}
 }
 
 // HistogramVec is the internal representation of our wrapping struct around prometheus
diff --git a/staging/src/k8s.io/component-base/metrics/histogram_test.go b/staging/src/k8s.io/component-base/metrics/histogram_test.go
index 5efbfb6eeae2d..44df0f1f71569 100644
--- a/staging/src/k8s.io/component-base/metrics/histogram_test.go
+++ b/staging/src/k8s.io/component-base/metrics/histogram_test.go
@@ -18,65 +18,155 @@ package metrics
 
 import (
 	"context"
+	"sync"
 	"testing"
 
-	"github.com/blang/semver/v4"
 	"github.com/prometheus/client_golang/prometheus"
 	dto "github.com/prometheus/client_model/go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel/trace"
+	tracenoop "go.opentelemetry.io/otel/trace/noop"
 
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 )
 
 func TestHistogram(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*HistogramOpts
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			HistogramOpts: &HistogramOpts{
-				Namespace: "namespace",
-				Name:      "metric_test_name",
-				Subsystem: "subsystem",
-				Help:      "histogram help message",
-				Buckets:   prometheus.DefBuckets,
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "histogram help message",
+				Buckets:        prometheus.DefBuckets,
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] histogram help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "histogram help message",
+				Buckets:        prometheus.DefBuckets,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] histogram help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "histogram help message",
+				Buckets:        prometheus.DefBuckets,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] histogram help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "BETA metric deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) histogram help message",
+		},
+		{
+			desc: "STABLE metric deprecated",
 			HistogramOpts: &HistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.15.0",
 				Buckets:           prometheus.DefBuckets,
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) histogram help message",
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) histogram help message",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			HistogramOpts: &HistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
 		},
 		{
-			desc: "Test hidden",
+			desc: "BETA metric hidden",
 			HistogramOpts: &HistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.14.0",
 				Buckets:           prometheus.DefBuckets,
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "STABLE metric hidden",
+			HistogramOpts: &HistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.12.0",
+				Buckets:           prometheus.DefBuckets,
+			},
 			expectedMetricCount: 0,
 			expectedHelp:        "histogram help message",
 		},
@@ -84,11 +174,7 @@ func TestHistogram(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewHistogram(test.HistogramOpts)
 			registry.MustRegister(c)
 			cm := c.ObserverMetric.(prometheus.Metric)
@@ -132,17 +218,22 @@ func TestHistogram(t *testing.T) {
 }
 
 func TestHistogramVec(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*HistogramOpts
 		labels              []string
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			HistogramOpts: &HistogramOpts{
 				Namespace: "namespace",
 				Name:      "metric_test_name",
@@ -151,37 +242,115 @@ func TestHistogramVec(t *testing.T) {
 				Buckets:   prometheus.DefBuckets,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] histogram help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "histogram help message",
+				Buckets:        prometheus.DefBuckets,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] histogram help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "histogram help message",
+				Buckets:        prometheus.DefBuckets,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] histogram help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "BETA metric deprecated",
 			HistogramOpts: &HistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.15.0",
 				Buckets:           prometheus.DefBuckets,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) histogram help message",
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) histogram help message",
+		},
+		{
+			desc: "STABLE metric deprecated",
+			HistogramOpts: &HistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "histogram help message",
+
+				DeprecatedVersion: "1.15.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) histogram help message",
 		},
+		// Hidden metrics
 		{
-			desc: "Test hidden",
+			desc: "ALPHA metric hidden",
 			HistogramOpts: &HistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.14.0",
 				Buckets:           prometheus.DefBuckets,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "BETA metric hidden",
+			HistogramOpts: &HistogramOpts{
+				Namespace: "namespace",
+				Name:      "metric_test_name",
+
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.14.0",
+				Buckets:           prometheus.DefBuckets,
+			},
+
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 0,
 			expectedHelp:        "histogram help message",
 		},
@@ -189,11 +358,7 @@ func TestHistogramVec(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewHistogramVec(test.HistogramOpts, test.labels)
 			registry.MustRegister(c)
 			ov12 := c.WithLabelValues("1", "2")
@@ -333,7 +498,6 @@ func TestHistogramWithExemplar(t *testing.T) {
 		Help:    "helpless",
 		Buckets: []float64{100},
 	})
-	_ = histogram.WithContext(ctxForSpanCtx)
 
 	registry := newKubeRegistry(apimachineryversion.Info{
 		Major:      "1",
@@ -343,7 +507,7 @@ func TestHistogramWithExemplar(t *testing.T) {
 	registry.MustRegister(histogram)
 
 	// Act.
-	histogram.Observe(value)
+	histogram.WithContext(ctxForSpanCtx).Observe(value)
 
 	// Assert.
 	mfs, err := registry.Gather()
@@ -492,3 +656,116 @@ func TestHistogramVecWithExemplar(t *testing.T) {
 		}
 	}
 }
+
+// TestHistogramConcurrentWithContextRace reproduces the race condition in Histogram.WithContext
+// where h.ctx is written concurrently with reads in withExemplar method.
+// This test simulates the real authentication flow that triggers the race:
+// x509.AuthenticateRequest -> union.AuthenticateRequest -> group.AuthenticateRequest
+func TestHistogramConcurrentWithContextRace(t *testing.T) {
+	opts := &HistogramOpts{
+		Namespace: "apiserver",
+		Subsystem: "authentication",
+		Name:      "requests_total",
+		Help:      "Authentication requests histogram for race condition testing",
+		Buckets:   prometheus.DefBuckets,
+	}
+
+	h := NewHistogram(opts)
+
+	// Force initialization by calling initializeMetric directly
+	h.initializeMetric()
+
+	// Create contexts with trace spans to trigger exemplar code path
+	ctx1, span1 := createContextWithSpan("x509-auth", "authenticate-request")
+	defer span1.End()
+	ctx2, span2 := createContextWithSpan("union-auth", "union-authenticate")
+	defer span2.End()
+
+	var wg sync.WaitGroup
+	iterations := 10000 // Increase iterations to make race more likely
+
+	// Goroutine 1: Simulate x509 Authenticator calling WithContext
+	// This matches: x509.(*Authenticator).AuthenticateRequest() calling WithContext
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate authentication request processing
+			simulateX509AuthenticateRequest(h, ctx1, i)
+		}
+	}()
+
+	// Goroutine 2: Simulate concurrent Observe calls (metrics collection)
+	// This matches the withExemplar/Observe path that reads h.ctx
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			h.Observe(float64(i % 10))
+		}
+	}()
+
+	// Goroutine 3: Simulate union AuthenticateRequest calling WithContext
+	// This matches: union.(*unionAuthRequestHandler).AuthenticateRequest()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate union authentication processing
+			simulateUnionAuthenticateRequest(h, ctx2, i)
+		}
+	}()
+
+	// Goroutine 4: Simulate group AuthenticateRequest calling WithContext
+	// This matches: group.(*AuthenticatedGroupAdder).AuthenticateRequest()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		for i := 0; i < iterations; i++ {
+			// Simulate group authentication processing
+			simulateGroupAuthenticateRequest(h, ctx1, ctx2, i)
+		}
+	}()
+
+	wg.Wait()
+}
+
+// simulateX509AuthenticateRequest simulates the call path from x509 authenticator
+func simulateX509AuthenticateRequest(h ObserverMetric, ctx context.Context, iteration int) {
+	// Simulate the authentication request processing that calls WithContext
+	if hWithCtx, ok := h.(*Histogram); ok {
+		hWithCtx.WithContext(ctx)
+	}
+}
+
+// simulateUnionAuthenticateRequest simulates the call path from union authenticator
+func simulateUnionAuthenticateRequest(h ObserverMetric, ctx context.Context, iteration int) {
+	// Simulate union authentication processing
+	if hWithCtx, ok := h.(*Histogram); ok {
+		hWithCtx.WithContext(ctx)
+	}
+}
+
+// simulateGroupAuthenticateRequest simulates the call path from group authenticator
+func simulateGroupAuthenticateRequest(h ObserverMetric, ctx1, ctx2 context.Context, iteration int) {
+	// Alternate between contexts to simulate different authentication scenarios
+	ctx := ctx1
+	if iteration%3 == 0 {
+		ctx = ctx2
+	}
+
+	if hWithCtx, ok := h.(*Histogram); ok {
+		hWithCtx.WithContext(ctx)
+	}
+}
+
+// Helper function to create a context with a valid trace span
+func createContextWithSpan(traceID, spanID string) (context.Context, trace.Span) {
+	ctx := context.Background()
+
+	// Create a noop tracer and span for testing
+	tracer := tracenoop.NewTracerProvider().Tracer("test")
+	ctx, span := tracer.Start(ctx, "test-span")
+
+	return ctx, span
+}
diff --git a/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go b/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go
index 64a430b796449..c8c0bc08f022d 100644
--- a/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go
+++ b/staging/src/k8s.io/component-base/metrics/legacyregistry/registry.go
@@ -90,3 +90,8 @@ func CustomMustRegister(cs ...metrics.StableCollector) {
 		prometheus.MustRegister(c)
 	}
 }
+
+// GetProcessStart return processStart value
+func GetProcessStart() time.Time {
+	return processStart
+}
diff --git a/staging/src/k8s.io/component-base/metrics/legacyregistry/registry_test.go b/staging/src/k8s.io/component-base/metrics/legacyregistry/registry_test.go
index fa279c35a931d..a17d571dcbb9a 100644
--- a/staging/src/k8s.io/component-base/metrics/legacyregistry/registry_test.go
+++ b/staging/src/k8s.io/component-base/metrics/legacyregistry/registry_test.go
@@ -21,18 +21,21 @@ import (
 	"net/http/httptest"
 	"strconv"
 	"testing"
-	"time"
 )
 
 const (
 	processStartTimeHeader = "Process-Start-Time-Unix"
 )
 
+var (
+	processStartTestCopy = &processStart
+)
+
 func TestProcessStartTimeHeader(t *testing.T) {
-	now := time.Now()
+	now := GetProcessStart()
 	handler := Handler()
 
-	request, _ := http.NewRequest("GET", "/", nil)
+	request, _ := http.NewRequest(http.MethodGet, "/", nil)
 	writer := httptest.NewRecorder()
 	handler.ServeHTTP(writer, request)
 	got := writer.Header().Get(processStartTimeHeader)
@@ -41,3 +44,11 @@ func TestProcessStartTimeHeader(t *testing.T) {
 		t.Errorf("got %d, wanted %d", gotInt, now.Unix())
 	}
 }
+
+// processStart must never be reassigned after init.
+// This test ensures processStart doesn't change across calls
+func TestProcessStartImmutable(t *testing.T) {
+	if *processStartTestCopy != processStart {
+		t.Errorf("processStart test values differ: %v != %v", processStartTestCopy, processStart)
+	}
+}
diff --git a/staging/src/k8s.io/component-base/metrics/metric.go b/staging/src/k8s.io/component-base/metrics/metric.go
index c8b083995af21..cb40a856c6156 100644
--- a/staging/src/k8s.io/component-base/metrics/metric.go
+++ b/staging/src/k8s.io/component-base/metrics/metric.go
@@ -18,6 +18,7 @@ package metrics
 
 import (
 	"sync"
+	"sync/atomic"
 
 	"github.com/blang/semver/v4"
 	"github.com/prometheus/client_golang/prometheus"
@@ -65,8 +66,8 @@ with the kubeCollector itself as an argument.
 */
 type lazyMetric struct {
 	fqName              string
-	isDeprecated        bool
-	isHidden            bool
+	isDeprecated        atomic.Bool
+	isHidden            atomic.Bool
 	isCreated           bool
 	createLock          sync.RWMutex
 	markDeprecationOnce sync.Once
@@ -99,41 +100,39 @@ func (r *lazyMetric) lazyInit(self kubeCollector, fqName string) {
 // Disclaimer:  disabling a metric via a CLI flag has higher precedence than
 // deprecation and will override show-hidden-metrics for the explicitly
 // disabled metric.
-func (r *lazyMetric) preprocessMetric(version semver.Version) {
+func (r *lazyMetric) preprocessMetric(currentVersion semver.Version) {
 	disabledMetricsLock.RLock()
 	defer disabledMetricsLock.RUnlock()
 	// disabling metrics is higher in precedence than showing hidden metrics
 	if _, ok := disabledMetrics[r.fqName]; ok {
-		r.isHidden = true
+		r.isHidden.Store(true)
 		return
 	}
-	selfVersion := r.self.DeprecatedVersion()
-	if selfVersion == nil {
+	deprecatedVersion := r.self.DeprecatedVersion()
+	if deprecatedVersion == nil {
 		return
 	}
 	r.markDeprecationOnce.Do(func() {
-		if selfVersion.LTE(version) {
-			r.isDeprecated = true
-		}
+		r.isDeprecated.Store(isDeprecated(currentVersion, *deprecatedVersion))
 
-		if ShouldShowHidden() {
-			klog.Warningf("Hidden metrics (%s) have been manually overridden, showing this very deprecated metric.", r.fqName)
-			return
-		}
-		if shouldHide(&version, selfVersion) {
+		if shouldHide(r.stabilityLevel, &currentVersion, deprecatedVersion) {
+			if shouldShowHidden() {
+				klog.Warningf("Hidden metrics (%s) have been manually overridden, showing this very deprecated metric.", r.fqName)
+				return
+			}
 			// TODO(RainbowMango): Remove this log temporarily. https://github.com/kubernetes/kubernetes/issues/85369
 			// klog.Warningf("This metric has been deprecated for more than one release, hiding.")
-			r.isHidden = true
+			r.isHidden.Store(true)
 		}
 	})
 }
 
 func (r *lazyMetric) IsHidden() bool {
-	return r.isHidden
+	return r.isHidden.Load()
 }
 
 func (r *lazyMetric) IsDeprecated() bool {
-	return r.isDeprecated
+	return r.isDeprecated.Load()
 }
 
 // Create forces the initialization of metric which has been deferred until
@@ -176,8 +175,8 @@ func (r *lazyMetric) ClearState() {
 	r.createLock.Lock()
 	defer r.createLock.Unlock()
 
-	r.isDeprecated = false
-	r.isHidden = false
+	r.isDeprecated.Store(false)
+	r.isHidden.Store(false)
 	r.isCreated = false
 	r.markDeprecationOnce = sync.Once{}
 	r.createOnce = sync.Once{}
@@ -210,11 +209,6 @@ func (c *selfCollector) Collect(ch chan<- prometheus.Metric) {
 	ch <- c.metric
 }
 
-// metricWithExemplar is an interface that knows how to attach an exemplar to certain supported metric types.
-type metricWithExemplar interface {
-	withExemplar(v float64)
-}
-
 // no-op vecs for convenience
 var noopCounterVec = &prometheus.CounterVec{}
 var noopHistogramVec = &prometheus.HistogramVec{}
diff --git a/staging/src/k8s.io/component-base/metrics/prometheus/restclient/metrics.go b/staging/src/k8s.io/component-base/metrics/prometheus/restclient/metrics.go
index d0c80de03fa93..fd2c5f754cb1d 100644
--- a/staging/src/k8s.io/component-base/metrics/prometheus/restclient/metrics.go
+++ b/staging/src/k8s.io/component-base/metrics/prometheus/restclient/metrics.go
@@ -165,6 +165,17 @@ var (
 		[]string{"code", "call_status"},
 	)
 
+	execPluginPolicyCalls = k8smetrics.NewCounterVec(
+		&k8smetrics.CounterOpts{
+			StabilityLevel: k8smetrics.ALPHA,
+			Name:           "rest_client_exec_plugin_policy_call_total",
+			Help: "Number of comparisons of an exec plugin to the plugin policy " +
+				"and allowlist (if any), partitioned by whether or not the policy " +
+				"permits the plugin",
+		},
+		[]string{"allowed", "denied"},
+	)
+
 	transportCacheEntries = k8smetrics.NewGauge(
 		&k8smetrics.GaugeOpts{
 			Name:           "rest_client_transport_cache_entries",
@@ -208,6 +219,7 @@ func init() {
 		RequestResult:         &resultAdapter{requestResult},
 		RequestRetry:          &retryAdapter{requestRetry},
 		ExecPluginCalls:       &callsAdapter{m: execPluginCalls},
+		ExecPluginPolicyCalls: &policyAdapter{m: execPluginPolicyCalls},
 		TransportCacheEntries: &transportCacheAdapter{m: transportCacheEntries},
 		TransportCreateCalls:  &transportCacheCallsAdapter{m: transportCacheCalls},
 	})
@@ -269,6 +281,14 @@ func (r *callsAdapter) Increment(code int, callStatus string) {
 	r.m.WithLabelValues(fmt.Sprintf("%d", code), callStatus).Inc()
 }
 
+type policyAdapter struct {
+	m *k8smetrics.CounterVec
+}
+
+func (r *policyAdapter) Increment(status string) {
+	r.m.WithLabelValues(status).Inc()
+}
+
 type retryAdapter struct {
 	m *k8smetrics.CounterVec
 }
diff --git a/staging/src/k8s.io/component-base/metrics/registry.go b/staging/src/k8s.io/component-base/metrics/registry.go
index 203813e814318..aa12f2e2c86c2 100644
--- a/staging/src/k8s.io/component-base/metrics/registry.go
+++ b/staging/src/k8s.io/component-base/metrics/registry.go
@@ -17,7 +17,7 @@ limitations under the License.
 package metrics
 
 import (
-	"fmt"
+	"strings"
 	"sync"
 	"sync/atomic"
 
@@ -71,19 +71,58 @@ var (
 	)
 )
 
-// shouldHide be used to check if a specific metric with deprecated version should be hidden
+// shouldHide is used to check if a specific metric with deprecated version should be hidden
 // according to metrics deprecation lifecycle.
-func shouldHide(currentVersion *semver.Version, deprecatedVersion *semver.Version) bool {
-	guardVersion, err := semver.Make(fmt.Sprintf("%d.%d.0", currentVersion.Major, currentVersion.Minor))
-	if err != nil {
-		panic("failed to make version from current version")
+func shouldHide(stabilityLevel StabilityLevel, currentVersion *semver.Version, deprecatedVersion *semver.Version) bool {
+	hiddenMinor := deprecatedVersion.Minor + deprecationPeriodMinorVersions(stabilityLevel)
+
+	switch {
+	case deprecatedVersion.Major < currentVersion.Major:
+		return true
+	case deprecatedVersion.Major > currentVersion.Major:
+		return false
+
+	// deprecatedVersion.Major == currentVersion.Major
+	case hiddenMinor < currentVersion.Minor:
+		return true
+	case hiddenMinor > currentVersion.Minor:
+		return false
+
+	// deprecatedVersion.Minor == currentVersion.Minor
+	case strings.Contains(currentVersion.String(), "alpha.0"):
+		// Wait until we're past the alpha.0 period of a minor development cycle to hide metrics whose deprecation period ends in that minor version.
+		// See discussion in https://github.com/kubernetes/kubernetes/issues/133429#issuecomment-3165551443
+		return false
+	default:
+		return true
 	}
+}
+
+// getDeprecationReleaseWindow returns the number of minor releases a metric should be served
+// after its deprecated version, based on its stability level.
+func deprecationPeriodMinorVersions(stabilityLevel StabilityLevel) uint64 {
+	switch stabilityLevel {
+	case STABLE:
+		return 3
+	case BETA:
+		return 1
+	default: // ALPHA, INTERNAL
+		return 0
+	}
+}
 
-	if deprecatedVersion.LT(guardVersion) {
+// isDeprecated returns true if the current version, ignoring pre-release tags,
+// is greater than or equal to the deprecated version.
+func isDeprecated(currentVersion, deprecatedVersion semver.Version) bool {
+	switch {
+	case currentVersion.Major < deprecatedVersion.Major:
+		return false
+	case currentVersion.Major > deprecatedVersion.Major:
 		return true
 	}
 
-	return false
+	// currentVersion.Major == deprecatedVersion.Major
+	return currentVersion.Minor >= deprecatedVersion.Minor
 }
 
 // ValidateShowHiddenMetricsVersion checks invalid version for which show hidden metrics.
@@ -117,10 +156,10 @@ func SetShowHidden() {
 	})
 }
 
-// ShouldShowHidden returns whether showing hidden deprecated metrics
+// shouldShowHidden returns whether showing hidden deprecated metrics
 // is enabled. While the primary usecase for this is internal (to determine
 // registration behavior) this can also be used to introspect
-func ShouldShowHidden() bool {
+func shouldShowHidden() bool {
 	return showHidden.Load()
 }
 
diff --git a/staging/src/k8s.io/component-base/metrics/registry_test.go b/staging/src/k8s.io/component-base/metrics/registry_test.go
index ff607dd8a6e4d..9be044e1e5a9d 100644
--- a/staging/src/k8s.io/component-base/metrics/registry_test.go
+++ b/staging/src/k8s.io/component-base/metrics/registry_test.go
@@ -51,6 +51,16 @@ var (
 			DeprecatedVersion: "1.15.0",
 		},
 	)
+	betaDeprecatedCounter = NewCounter(
+		&CounterOpts{
+			Namespace:         "some_namespace",
+			Name:              "test_beta_dep_counter",
+			Subsystem:         "subsystem",
+			StabilityLevel:    BETA,
+			Help:              "counter help",
+			DeprecatedVersion: "1.15.0",
+		},
+	)
 	alphaHiddenCounter = NewCounter(
 		&CounterOpts{
 			Namespace:         "some_namespace",
@@ -64,33 +74,194 @@ var (
 )
 
 func TestShouldHide(t *testing.T) {
-	currentVersion := parseVersion(apimachineryversion.Info{
-		Major:      "1",
-		Minor:      "17",
-		GitVersion: "v1.17.1-alpha-1.12345",
-	})
+	currentV1_17 := parseSemver("1.17.0")
+	currentV1_18Alpha0 := parseSemver("1.18.0-alpha.0")
+	currentV1_18Alpha1 := parseSemver("1.18.0-alpha.1")
 
 	var tests = []struct {
 		desc              string
+		currentVersion    *semver.Version
+		stabilityLevel    StabilityLevel
 		deprecatedVersion string
 		shouldHide        bool
 	}{
 		{
-			desc:              "current minor release should not be hidden",
+			desc:              "INTERNAL metric deprecated in the current release - should be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "INTERNAL metric deprecated 1 release ago - should be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.16.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "INTERNAL metric to be deprecated 1 release later - should not be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "BETA metric deprecated in the current release - should not be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    BETA,
 			deprecatedVersion: "1.17.0",
 			shouldHide:        false,
 		},
 		{
-			desc:              "older minor release should be hidden",
+			desc:              "BETA metric deprecated 1 release ago - should be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    BETA,
 			deprecatedVersion: "1.16.0",
 			shouldHide:        true,
 		},
+		{
+			desc:              "BETA metric to be deprecated 1 release later - should not be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated in the current release - should not be hidden",
+			currentVersion:    parseSemver("1.17.0"),
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated 3 releases ago - should be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.14.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "STABLE metric deprecated 2 releases ago - should not be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.15.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric to be deprecated 1 release later - should not be hidden",
+			currentVersion:    currentV1_17,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		// --- Pre-Alpha.0 Tests ---
+		{
+			desc:              "INTERNAL metric deprecated in the current minor - should not be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "INTERNAL metric deprecated 1 release ago - should be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "BETA metric deprecated in the current minor - should not be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "BETA metric deprecated 1 release ago - should not be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated in the current minor - should be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated 1 release ago - should not be hidden",
+			currentVersion:    currentV1_18Alpha0,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        false,
+		},
+		// --- Pre-Alpha.1 Tests ---
+		{
+
+			desc:              "INTERNAL metric in the current minor - should be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "INTERNAL metric deprecated in prior patch - should be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    INTERNAL,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "BETA metric deprecated in the current minor - should not be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "BETA metric deprecated in prior patch - should not be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "BETA metric deprecated 1 release ago - should be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    BETA,
+			deprecatedVersion: "1.17.0",
+			shouldHide:        true,
+		},
+		{
+			desc:              "STABLE metric deprecated in the current minor - should not be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated in prior patch - should not be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.18.0",
+			shouldHide:        false,
+		},
+		{
+			desc:              "STABLE metric deprecated 3 minors ago - should be hidden",
+			currentVersion:    currentV1_18Alpha1,
+			stabilityLevel:    STABLE,
+			deprecatedVersion: "1.15.0",
+			shouldHide:        true,
+		},
 	}
 
 	for _, test := range tests {
 		tc := test
 		t.Run(tc.desc, func(t *testing.T) {
-			result := shouldHide(&currentVersion, parseSemver(tc.deprecatedVersion))
+			result := shouldHide(tc.stabilityLevel, tc.currentVersion, parseSemver(tc.deprecatedVersion))
 			assert.Equalf(t, tc.shouldHide, result, "expected should hide %v, but got %v", tc.shouldHide, result)
 		})
 	}
@@ -125,9 +296,9 @@ func TestRegister(t *testing.T) {
 			desc:                    "test alpha deprecated metric",
 			metrics:                 []*Counter{alphaDeprecatedCounter},
 			expectedErrors:          []error{nil},
-			expectedIsCreatedValues: []bool{true},
+			expectedIsCreatedValues: []bool{false},
 			expectedIsDeprecated:    []bool{true},
-			expectedIsHidden:        []bool{false},
+			expectedIsHidden:        []bool{true},
 		},
 		{
 			desc:                    "test alpha hidden metric",
@@ -192,7 +363,7 @@ func TestMustRegister(t *testing.T) {
 		},
 		{
 			desc:            "test must registering same deprecated metric",
-			metrics:         []*Counter{alphaDeprecatedCounter, alphaDeprecatedCounter},
+			metrics:         []*Counter{betaDeprecatedCounter, betaDeprecatedCounter},
 			registryVersion: &v115,
 			expectedPanics:  []bool{false, true},
 		},
@@ -331,11 +502,11 @@ func TestEnableHiddenMetrics(t *testing.T) {
 				Name:              "hidden_metric_register",
 				Help:              "counter help",
 				StabilityLevel:    STABLE,
-				DeprecatedVersion: "1.16.0",
+				DeprecatedVersion: "1.14.0",
 			}),
 			mustRegister: false,
 			expectedMetric: `
-				# HELP hidden_metric_register [STABLE] (Deprecated since 1.16.0) counter help
+				# HELP hidden_metric_register [STABLE] (Deprecated since 1.14.0) counter help
 				# TYPE hidden_metric_register counter
 				hidden_metric_register 1
 				`,
@@ -347,11 +518,11 @@ func TestEnableHiddenMetrics(t *testing.T) {
 				Name:              "hidden_metric_must_register",
 				Help:              "counter help",
 				StabilityLevel:    STABLE,
-				DeprecatedVersion: "1.16.0",
+				DeprecatedVersion: "1.14.0",
 			}),
 			mustRegister: true,
 			expectedMetric: `
-				# HELP hidden_metric_must_register [STABLE] (Deprecated since 1.16.0) counter help
+				# HELP hidden_metric_must_register [STABLE] (Deprecated since 1.14.0) counter help
 				# TYPE hidden_metric_must_register counter
 				hidden_metric_must_register 1
 				`,
@@ -394,8 +565,8 @@ func TestEnableHiddenStableCollector(t *testing.T) {
 		GitVersion: "v1.17.0-alpha-1.12345",
 	}
 	var normal = NewDesc("test_enable_hidden_custom_metric_normal", "this is a normal metric", []string{"name"}, nil, STABLE, "")
-	var hiddenA = NewDesc("test_enable_hidden_custom_metric_hidden_a", "this is the hidden metric A", []string{"name"}, nil, STABLE, "1.16.0")
-	var hiddenB = NewDesc("test_enable_hidden_custom_metric_hidden_b", "this is the hidden metric B", []string{"name"}, nil, STABLE, "1.16.0")
+	var hiddenA = NewDesc("test_enable_hidden_custom_metric_hidden_a", "this is the hidden metric A", []string{"name"}, nil, STABLE, "1.14.0")
+	var hiddenB = NewDesc("test_enable_hidden_custom_metric_hidden_b", "this is the hidden metric B", []string{"name"}, nil, STABLE, "1.14.0")
 
 	var tests = []struct {
 		name                      string
@@ -411,10 +582,10 @@ func TestEnableHiddenStableCollector(t *testing.T) {
 				"test_enable_hidden_custom_metric_hidden_b"},
 			expectMetricsBeforeEnable: "",
 			expectMetricsAfterEnable: `
-        		# HELP test_enable_hidden_custom_metric_hidden_a [STABLE] (Deprecated since 1.16.0) this is the hidden metric A
+        		# HELP test_enable_hidden_custom_metric_hidden_a [STABLE] (Deprecated since 1.14.0) this is the hidden metric A
         		# TYPE test_enable_hidden_custom_metric_hidden_a gauge
         		test_enable_hidden_custom_metric_hidden_a{name="value"} 1
-        		# HELP test_enable_hidden_custom_metric_hidden_b [STABLE] (Deprecated since 1.16.0) this is the hidden metric B
+        		# HELP test_enable_hidden_custom_metric_hidden_b [STABLE] (Deprecated since 1.14.0) this is the hidden metric B
         		# TYPE test_enable_hidden_custom_metric_hidden_b gauge
         		test_enable_hidden_custom_metric_hidden_b{name="value"} 1
 			`,
@@ -434,10 +605,10 @@ func TestEnableHiddenStableCollector(t *testing.T) {
         		# HELP test_enable_hidden_custom_metric_normal [STABLE] this is a normal metric
         		# TYPE test_enable_hidden_custom_metric_normal gauge
         		test_enable_hidden_custom_metric_normal{name="value"} 1
-        		# HELP test_enable_hidden_custom_metric_hidden_a [STABLE] (Deprecated since 1.16.0) this is the hidden metric A
+        		# HELP test_enable_hidden_custom_metric_hidden_a [STABLE] (Deprecated since 1.14.0) this is the hidden metric A
         		# TYPE test_enable_hidden_custom_metric_hidden_a gauge
         		test_enable_hidden_custom_metric_hidden_a{name="value"} 1
-        		# HELP test_enable_hidden_custom_metric_hidden_b [STABLE] (Deprecated since 1.16.0) this is the hidden metric B
+        		# HELP test_enable_hidden_custom_metric_hidden_b [STABLE] (Deprecated since 1.14.0) this is the hidden metric B
         		# TYPE test_enable_hidden_custom_metric_hidden_b gauge
         		test_enable_hidden_custom_metric_hidden_b{name="value"} 1
 			`,
diff --git a/staging/src/k8s.io/component-base/metrics/summary.go b/staging/src/k8s.io/component-base/metrics/summary.go
index 3654e4ea09965..82898e60e2741 100644
--- a/staging/src/k8s.io/component-base/metrics/summary.go
+++ b/staging/src/k8s.io/component-base/metrics/summary.go
@@ -33,7 +33,7 @@ const (
 // Summary is our internal representation for our wrapping struct around prometheus
 // summaries. Summary implements both kubeCollector and ObserverMetric
 //
-// DEPRECATED: as per the metrics overhaul KEP
+// Deprecated: as per the metrics overhaul KEP
 type Summary struct {
 	ObserverMetric
 	*SummaryOpts
@@ -44,7 +44,7 @@ type Summary struct {
 // NewSummary returns an object which is Summary-like. However, nothing
 // will be measured until the summary is registered somewhere.
 //
-// DEPRECATED: as per the metrics overhaul KEP
+// Deprecated: as per the metrics overhaul KEP
 func NewSummary(opts *SummaryOpts) *Summary {
 	opts.StabilityLevel.setDefaults()
 
@@ -91,7 +91,7 @@ func (s *Summary) WithContext(ctx context.Context) ObserverMetric {
 // SummaryVec is the internal representation of our wrapping struct around prometheus
 // summaryVecs.
 //
-// DEPRECATED: as per the metrics overhaul KEP
+// Deprecated: as per the metrics overhaul KEP
 type SummaryVec struct {
 	*prometheus.SummaryVec
 	*SummaryOpts
@@ -105,7 +105,7 @@ type SummaryVec struct {
 // and only members extracted after
 // registration will actually measure anything.
 //
-// DEPRECATED: as per the metrics overhaul KEP
+// Deprecated: as per the metrics overhaul KEP
 func NewSummaryVec(opts *SummaryOpts, labels []string) *SummaryVec {
 	opts.StabilityLevel.setDefaults()
 
diff --git a/staging/src/k8s.io/component-base/metrics/summary_test.go b/staging/src/k8s.io/component-base/metrics/summary_test.go
index 02fa895e7a204..ae3848a93d402 100644
--- a/staging/src/k8s.io/component-base/metrics/summary_test.go
+++ b/staging/src/k8s.io/component-base/metrics/summary_test.go
@@ -19,7 +19,6 @@ package metrics
 import (
 	"testing"
 
-	"github.com/blang/semver/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -27,16 +26,21 @@ import (
 )
 
 func TestSummary(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*SummaryOpts
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			SummaryOpts: &SummaryOpts{
 				Namespace:      "namespace",
 				Name:           "metric_test_name",
@@ -44,12 +48,36 @@ func TestSummary(t *testing.T) {
 				Help:           "summary help message",
 				StabilityLevel: ALPHA,
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] summary help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "summary help message",
+				StabilityLevel: BETA,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] summary help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				Help:           "summary help message",
+				StabilityLevel: STABLE,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] summary help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			SummaryOpts: &SummaryOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
@@ -58,20 +86,72 @@ func TestSummary(t *testing.T) {
 				DeprecatedVersion: "1.15.0",
 				StabilityLevel:    ALPHA,
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "BETA metric deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "summary help message",
+				DeprecatedVersion: "1.15.0",
+				StabilityLevel:    BETA,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) summary help message",
+		},
+		{
+			desc: "STABLE metric deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "summary help message",
+				DeprecatedVersion: "1.15.0",
+				StabilityLevel:    STABLE,
+			},
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) summary help message",
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) summary help message",
 		},
+		// Hidden metrics
 		{
-			desc: "Test hidden",
+			desc: "ALPHA metric hidden",
 			SummaryOpts: &SummaryOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "summary help message",
 				DeprecatedVersion: "1.14.0",
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "BETA metric hidden",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "summary help message",
+				DeprecatedVersion: "1.14.0",
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "STABLE metric hidden",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "summary help message",
+				DeprecatedVersion: "1.12.0",
+			},
 			expectedMetricCount: 0,
 			expectedHelp:        "summary help message",
 		},
@@ -79,11 +159,7 @@ func TestSummary(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewSummary(test.SummaryOpts)
 			registry.MustRegister(c)
 
@@ -114,53 +190,141 @@ func TestSummary(t *testing.T) {
 }
 
 func TestSummaryVec(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*SummaryOpts
 		labels              []string
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			SummaryOpts: &SummaryOpts{
-				Namespace: "namespace",
-				Name:      "metric_test_name",
-				Subsystem: "subsystem",
-				Help:      "summary help message",
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "summary help message",
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "[ALPHA] summary help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "summary help message",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[BETA] summary help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "summary help message",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] summary help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				Help:              "summary help message",
+				DeprecatedVersion: "1.15.0",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "BETA metric deprecated",
 			SummaryOpts: &SummaryOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
 				Help:              "summary help message",
 				DeprecatedVersion: "1.15.0",
+				StabilityLevel:    BETA,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
-			expectedHelp:        "[ALPHA] (Deprecated since 1.15.0) summary help message",
+			expectedHelp:        "[BETA] (Deprecated since 1.15.0) summary help message",
 		},
 		{
-			desc: "Test hidden",
+			desc: "STABLE metric deprecated",
 			SummaryOpts: &SummaryOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
 				Help:              "summary help message",
+				DeprecatedVersion: "1.15.0",
+				StabilityLevel:    STABLE,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "[STABLE] (Deprecated since 1.15.0) summary help message",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
+				Help:              "summary help message",
+				DeprecatedVersion: "1.14.0",
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "BETA metric hidden",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "summary help message",
 				DeprecatedVersion: "1.14.0",
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "summary help message",
+		},
+		{
+			desc: "STABLE metric hidden",
+			SummaryOpts: &SummaryOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "summary help message",
+				DeprecatedVersion: "1.12.0",
+			},
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 0,
 			expectedHelp:        "summary help message",
 		},
@@ -168,11 +332,7 @@ func TestSummaryVec(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			c := NewSummaryVec(test.SummaryOpts, test.labels)
 			registry.MustRegister(c)
 			c.WithLabelValues("1", "2").Observe(1.0)
diff --git a/staging/src/k8s.io/component-base/metrics/testutil/metrics.go b/staging/src/k8s.io/component-base/metrics/testutil/metrics.go
index c729ac4937a8a..a8d710aff59b4 100644
--- a/staging/src/k8s.io/component-base/metrics/testutil/metrics.go
+++ b/staging/src/k8s.io/component-base/metrics/testutil/metrics.go
@@ -109,7 +109,7 @@ func ParseMetrics(data string, output *Metrics) error {
 // proto messages in a map where the metric names are the keys, along with any
 // error encountered.
 func TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricFamily, error) {
-	var textParser expfmt.TextParser
+	textParser := expfmt.NewTextParser(model.UTF8Validation)
 	return textParser.TextToMetricFamilies(in)
 }
 
diff --git a/staging/src/k8s.io/component-base/metrics/testutil/testutil_test.go b/staging/src/k8s.io/component-base/metrics/testutil/testutil_test.go
index 61af603aee845..083b978e62cc4 100644
--- a/staging/src/k8s.io/component-base/metrics/testutil/testutil_test.go
+++ b/staging/src/k8s.io/component-base/metrics/testutil/testutil_test.go
@@ -31,11 +31,12 @@ func TestNewFakeKubeRegistry(t *testing.T) {
 			Help: "counter help",
 		},
 	)
-	deprecatedCounter := metrics.NewCounter(
+	deprecatedBetaCounter := metrics.NewCounter(
 		&metrics.CounterOpts{
 			Name:              "test_deprecated_total",
 			Help:              "counter help",
 			DeprecatedVersion: "1.18.0",
+			StabilityLevel:    metrics.BETA,
 		},
 	)
 	hiddenCounter := metrics.NewCounter(
@@ -62,9 +63,9 @@ func TestNewFakeKubeRegistry(t *testing.T) {
 		},
 		{
 			name:   "deprecated",
-			metric: deprecatedCounter,
+			metric: deprecatedBetaCounter,
 			expected: `
-				# HELP test_deprecated_total [ALPHA] (Deprecated since 1.18.0) counter help
+				# HELP test_deprecated_total [BETA] (Deprecated since 1.18.0) counter help
 				# TYPE test_deprecated_total counter
 				test_deprecated_total 0
 				`,
diff --git a/staging/src/k8s.io/component-base/metrics/timing_histogram_test.go b/staging/src/k8s.io/component-base/metrics/timing_histogram_test.go
index 80fcb6340c040..0b88810fda81a 100644
--- a/staging/src/k8s.io/component-base/metrics/timing_histogram_test.go
+++ b/staging/src/k8s.io/component-base/metrics/timing_histogram_test.go
@@ -20,7 +20,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/blang/semver/v4"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -30,55 +29,150 @@ import (
 )
 
 func TestTimingHistogram(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*TimingHistogramOpts
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
-				Namespace:    "namespace",
-				Name:         "metric_test_name",
-				Subsystem:    "subsystem",
-				Help:         "histogram help message",
-				Buckets:      DefBuckets,
-				InitialValue: 13,
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   13,
 			},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "EXPERIMENTAL: [ALPHA] histogram help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   17,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [BETA] histogram help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   19,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [STABLE] histogram help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.15.0",
 				Buckets:           DefBuckets,
 				InitialValue:      3,
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "BETA metric deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           DefBuckets,
+				InitialValue:      11,
+			},
 			expectedMetricCount: 1,
-			expectedHelp:        "EXPERIMENTAL: [ALPHA] (Deprecated since 1.15.0) histogram help message",
+			expectedHelp:        "EXPERIMENTAL: [BETA] (Deprecated since 1.15.0) histogram help message",
 		},
 		{
-			desc: "Test hidden",
+			desc: "STABLE metric deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           DefBuckets,
+				InitialValue:      23,
+			},
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [STABLE] (Deprecated since 1.15.0) histogram help message",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.14.0",
 				Buckets:           DefBuckets,
 				InitialValue:      5,
 			},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "EXPERIMENTAL: histogram help message",
+		},
+		{
+			desc: "BETA metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.14.0",
+				Buckets:           DefBuckets,
+				InitialValue:      7,
+			},
+			expectedMetricCount: 0,
+			expectedHelp:        "EXPERIMENTAL: histogram help message",
+		},
+		{
+			desc: "STABLE metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.12.0",
+				Buckets:           DefBuckets,
+				InitialValue:      9,
+			},
 			expectedMetricCount: 0,
 			expectedHelp:        "EXPERIMENTAL: histogram help message",
 		},
@@ -86,11 +180,7 @@ func TestTimingHistogram(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			t0 := time.Now()
 			clk := testclock.NewFakePassiveClock(t0)
 			c := NewTestableTimingHistogram(clk.Now, test.TimingHistogramOpts)
@@ -152,59 +242,161 @@ func TestTimingHistogram(t *testing.T) {
 }
 
 func TestTimingHistogramVec(t *testing.T) {
-	v115 := semver.MustParse("1.15.0")
+	version1_15Alpha1 := apimachineryversion.Info{
+		Major:      "1",
+		Minor:      "15",
+		GitVersion: "v1.15.0-alpha-1.12345",
+	}
+
 	var tests = []struct {
 		desc string
 		*TimingHistogramOpts
 		labels              []string
-		registryVersion     *semver.Version
 		expectedMetricCount int
 		expectedHelp        string
 	}{
+		// Non-deprecated metrics
 		{
-			desc: "Test non deprecated",
+			desc: "ALPHA metric non deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
-				Namespace:    "namespace",
-				Name:         "metric_test_name",
-				Subsystem:    "subsystem",
-				Help:         "histogram help message",
-				Buckets:      DefBuckets,
-				InitialValue: 5,
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: ALPHA,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   5,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
 			expectedMetricCount: 1,
 			expectedHelp:        "EXPERIMENTAL: [ALPHA] histogram help message",
 		},
 		{
-			desc: "Test deprecated",
+			desc: "BETA metric non deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: BETA,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   7,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [BETA] histogram help message",
+		},
+		{
+			desc: "STABLE metric non deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:      "namespace",
+				Name:           "metric_test_name",
+				Subsystem:      "subsystem",
+				StabilityLevel: STABLE,
+				Help:           "histogram help message",
+				Buckets:        DefBuckets,
+				InitialValue:   9,
+			},
+			labels: []string{"label_a", "label_b"},
+
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [STABLE] histogram help message",
+		},
+		// Deprecated metrics
+		{
+			desc: "ALPHA metric deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.15.0",
 				Buckets:           DefBuckets,
 				InitialValue:      13,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "histogram help message",
+		},
+		{
+			desc: "BETA metric deprecated",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           DefBuckets,
+				InitialValue:      11,
+			},
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 1,
-			expectedHelp:        "EXPERIMENTAL: [ALPHA] (Deprecated since 1.15.0) histogram help message",
+			expectedHelp:        "EXPERIMENTAL: [BETA] (Deprecated since 1.15.0) histogram help message",
 		},
 		{
-			desc: "Test hidden",
+			desc: "STABLE metric deprecated",
 			TimingHistogramOpts: &TimingHistogramOpts{
 				Namespace:         "namespace",
 				Name:              "metric_test_name",
 				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.15.0",
+				Buckets:           DefBuckets,
+				InitialValue:      17,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 1,
+			expectedHelp:        "EXPERIMENTAL: [STABLE] (Deprecated since 1.15.0) histogram help message",
+		},
+		// Hidden metrics
+		{
+			desc: "ALPHA metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    ALPHA,
 				Help:              "histogram help message",
 				DeprecatedVersion: "1.14.0",
 				Buckets:           DefBuckets,
 				InitialValue:      42,
 			},
 			labels:              []string{"label_a", "label_b"},
-			registryVersion:     &v115,
+			expectedMetricCount: 0,
+			expectedHelp:        "EXPERIMENTAL: histogram help message",
+		},
+		{
+			desc: "BETA metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    BETA,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.14.0",
+				Buckets:           DefBuckets,
+				InitialValue:      19,
+			},
+			labels:              []string{"label_a", "label_b"},
+			expectedMetricCount: 0,
+			expectedHelp:        "EXPERIMENTAL: histogram help message",
+		},
+		{
+			desc: "STABLE metric hidden",
+			TimingHistogramOpts: &TimingHistogramOpts{
+				Namespace:         "namespace",
+				Name:              "metric_test_name",
+				Subsystem:         "subsystem",
+				StabilityLevel:    STABLE,
+				Help:              "histogram help message",
+				DeprecatedVersion: "1.12.0",
+				Buckets:           DefBuckets,
+				InitialValue:      23,
+			},
+			labels:              []string{"label_a", "label_b"},
 			expectedMetricCount: 0,
 			expectedHelp:        "EXPERIMENTAL: histogram help message",
 		},
@@ -212,11 +404,7 @@ func TestTimingHistogramVec(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			registry := newKubeRegistry(apimachineryversion.Info{
-				Major:      "1",
-				Minor:      "15",
-				GitVersion: "v1.15.0-alpha-1.12345",
-			})
+			registry := newKubeRegistry(version1_15Alpha1)
 			t0 := time.Now()
 			clk := testclock.NewFakePassiveClock(t0)
 			c := NewTestableTimingHistogramVec(clk.Now, test.TimingHistogramOpts, test.labels)
diff --git a/staging/src/k8s.io/component-base/tracing/api/v1/doc.go b/staging/src/k8s.io/component-base/tracing/api/v1/doc.go
index 48e6e20f3f095..29f9451d9e7f6 100644
--- a/staging/src/k8s.io/component-base/tracing/api/v1/doc.go
+++ b/staging/src/k8s.io/component-base/tracing/api/v1/doc.go
@@ -15,6 +15,8 @@ limitations under the License.
 */
 
 // +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.component-base.tracing.api.v1
 
 // Package v1 contains the configuration API for tracing.
 //
diff --git a/staging/src/k8s.io/component-base/tracing/api/v1/zz_generated.model_name.go b/staging/src/k8s.io/component-base/tracing/api/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..3efcbf1ac861b
--- /dev/null
+++ b/staging/src/k8s.io/component-base/tracing/api/v1/zz_generated.model_name.go
@@ -0,0 +1,27 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TracingConfiguration) OpenAPIModelName() string {
+	return "io.k8s.component-base.tracing.api.v1.TracingConfiguration"
+}
diff --git a/staging/src/k8s.io/component-base/version/base.go b/staging/src/k8s.io/component-base/version/base.go
index b5e889019e899..94da79c081840 100644
--- a/staging/src/k8s.io/component-base/version/base.go
+++ b/staging/src/k8s.io/component-base/version/base.go
@@ -60,5 +60,5 @@ const (
 	// DefaultKubeBinaryVersion is the hard coded k8 binary version based on the latest K8s release.
 	// It is supposed to be consistent with gitMajor and gitMinor, except for local tests, where gitMajor and gitMinor are "".
 	// Should update for each minor release!
-	DefaultKubeBinaryVersion = "1.34"
+	DefaultKubeBinaryVersion = "1.35"
 )
diff --git a/staging/src/k8s.io/component-base/zpages/flagz/flagz.go b/staging/src/k8s.io/component-base/zpages/flagz/flagz.go
deleted file mode 100644
index 99a2f44824ddf..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/flagz/flagz.go
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flagz
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"math/rand"
-	"net/http"
-	"sort"
-	"sync"
-
-	"k8s.io/component-base/zpages/httputil"
-	"k8s.io/klog/v2"
-)
-
-const (
-	DefaultFlagzPath = "/flagz"
-
-	flagzHeaderFmt = `
-%s flags
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-
-`
-)
-
-var (
-	delimiters = []string{":", ": ", "=", " "}
-)
-
-type registry struct {
-	response bytes.Buffer
-	once     sync.Once
-}
-
-type mux interface {
-	Handle(path string, handler http.Handler)
-}
-
-func Install(m mux, componentName string, flagReader Reader) {
-	var reg registry
-	reg.installHandler(m, componentName, flagReader)
-}
-
-func (reg *registry) installHandler(m mux, componentName string, flagReader Reader) {
-	m.Handle(DefaultFlagzPath, reg.handleFlags(componentName, flagReader))
-}
-
-func (reg *registry) handleFlags(componentName string, flagReader Reader) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		if !httputil.AcceptableMediaType(r) {
-			http.Error(w, httputil.ErrUnsupportedMediaType.Error(), http.StatusNotAcceptable)
-			return
-		}
-
-		reg.once.Do(func() {
-			fmt.Fprintf(&reg.response, flagzHeaderFmt, componentName)
-			if flagReader == nil {
-				klog.Error("received nil flagReader")
-				return
-			}
-
-			randomIndex := rand.Intn(len(delimiters))
-			separator := delimiters[randomIndex]
-			// Randomize the delimiter for printing to prevent scraping of the response.
-			printSortedFlags(&reg.response, flagReader.GetFlagz(), separator)
-		})
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		_, err := w.Write(reg.response.Bytes())
-		if err != nil {
-			klog.Errorf("error writing response: %v", err)
-			http.Error(w, "error writing response", http.StatusInternalServerError)
-		}
-	}
-}
-
-func printSortedFlags(w io.Writer, flags map[string]string, separator string) {
-	var sortedKeys []string
-	for key := range flags {
-		sortedKeys = append(sortedKeys, key)
-	}
-
-	sort.Strings(sortedKeys)
-	for _, key := range sortedKeys {
-		fmt.Fprintf(w, "%s%s%s\n", key, separator, flags[key])
-	}
-}
diff --git a/staging/src/k8s.io/component-base/zpages/flagz/flagz_test.go b/staging/src/k8s.io/component-base/zpages/flagz/flagz_test.go
deleted file mode 100644
index c8568c8b52734..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/flagz/flagz_test.go
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package flagz
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"sort"
-	"strings"
-	"testing"
-
-	"github.com/spf13/pflag"
-	"github.com/stretchr/testify/assert"
-	cliflag "k8s.io/component-base/cli/flag"
-)
-
-const wantTmpl = `%s flags
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-`
-
-func TestFlagz(t *testing.T) {
-	componentName := "test-server"
-	delimiters = []string{"="}
-	wantHeaderLines := strings.Split(fmt.Sprintf(wantTmpl, componentName), "\n")
-	tests := []struct {
-		name        string
-		header      string
-		flagzReader Reader
-		wantStatus  int
-		wantResp    []string
-	}{
-		{
-			name:       "nil flags",
-			wantStatus: http.StatusOK,
-			wantResp:   wantHeaderLines,
-		},
-		{
-			name:       "unaccepted header",
-			header:     "some header",
-			wantStatus: http.StatusNotAcceptable,
-		},
-		{
-			name: "test flags",
-			flagzReader: NamedFlagSetsReader{
-				FlagSets: cliflag.NamedFlagSets{
-					FlagSets: map[string]*pflag.FlagSet{
-						"test": flagSet(t, map[string]flagValue{
-							"test-flag-bar": {
-								value:     "test-value-bar",
-								sensitive: false,
-							},
-							"test-flag-foo": {
-								value:     "test-value-foo",
-								sensitive: false,
-							},
-						}),
-					},
-				},
-			},
-			wantStatus: http.StatusOK,
-			wantResp: append(wantHeaderLines,
-				"test-flag-bar=test-value-bar",
-				"test-flag-foo=test-value-foo",
-			),
-		},
-	}
-
-	for i, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			mux := http.NewServeMux()
-			Install(mux, componentName, test.flagzReader)
-
-			req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://example.com%s", DefaultFlagzPath), nil)
-			if err != nil {
-				t.Fatalf("case[%d] Unexpected error: %v", i, err)
-			}
-
-			req.Header.Set("Accept", "text/plain; charset=utf-8")
-			if test.header != "" {
-				req.Header.Set("Accept", test.header)
-			}
-
-			w := httptest.NewRecorder()
-			mux.ServeHTTP(w, req)
-			assert.Equal(t, test.wantStatus, w.Code, "case[%s] Expected status code %d, got %d", test.name, test.wantStatus, w.Code)
-
-			if test.wantStatus == http.StatusOK {
-				assert.Equal(t, "text/plain; charset=utf-8", w.Header().Get("Content-Type"), "case[%s] Incorrect Content-Type header", test.name)
-
-				gotLines := strings.Split(w.Body.String(), "\n")
-				gotLines = trimEmptyLines(gotLines)
-				sort.Strings(gotLines)
-
-				sort.Strings(test.wantResp)
-				wantLines := trimEmptyLines(test.wantResp)
-
-				assert.Equal(t, wantLines, gotLines, "case[%s] Response body mismatch", test.name)
-			}
-		})
-	}
-}
-
-func trimEmptyLines(lines []string) []string {
-	var result []string
-	for _, line := range lines {
-		if line != "" {
-			result = append(result, line)
-		}
-	}
-	return result
-}
diff --git a/staging/src/k8s.io/component-base/zpages/httputil/httputil.go b/staging/src/k8s.io/component-base/zpages/httputil/httputil.go
deleted file mode 100644
index da49474ba89f2..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/httputil/httputil.go
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package httputil
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/munnerz/goautoneg"
-)
-
-// ErrUnsupportedMediaType is the error returned when the request's
-// Accept header does not contain "text/plain".
-var ErrUnsupportedMediaType = fmt.Errorf("media type not acceptable, must be: text/plain")
-
-// AcceptableMediaType checks if the request's Accept header contains
-// a supported media type with optional "charset=utf-8" parameter.
-func AcceptableMediaType(r *http.Request) bool {
-	accepts := goautoneg.ParseAccept(r.Header.Get("Accept"))
-	for _, accept := range accepts {
-		if !mediaTypeMatches(accept) {
-			continue
-		}
-		if len(accept.Params) == 0 {
-			return true
-		}
-		if len(accept.Params) == 1 {
-			if charset, ok := accept.Params["charset"]; ok && strings.EqualFold(charset, "utf-8") {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func mediaTypeMatches(a goautoneg.Accept) bool {
-	return (a.Type == "text" || a.Type == "*") &&
-		(a.SubType == "plain" || a.SubType == "*")
-}
diff --git a/staging/src/k8s.io/component-base/zpages/httputil/httputil_test.go b/staging/src/k8s.io/component-base/zpages/httputil/httputil_test.go
deleted file mode 100644
index ab15cd27fc5fb..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/httputil/httputil_test.go
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package httputil
-
-import (
-	"net/http"
-	"testing"
-)
-
-func TestAcceptableMediaTypes(t *testing.T) {
-	tests := []struct {
-		name      string
-		reqHeader string
-		want      bool
-	}{
-		{
-			name:      "valid text/plain header",
-			reqHeader: "text/plain",
-			want:      true,
-		},
-		{
-			name:      "valid text/* header",
-			reqHeader: "text/*",
-			want:      true,
-		},
-		{
-			name:      "valid */plain header",
-			reqHeader: "*/plain",
-			want:      true,
-		},
-		{
-			name:      "valid accept args",
-			reqHeader: "text/plain; charset=utf-8",
-			want:      true,
-		},
-		{
-			name:      "invalid text/foo header",
-			reqHeader: "text/foo",
-			want:      false,
-		},
-		{
-			name:      "invalid text/plain params",
-			reqHeader: "text/plain; foo=bar",
-			want:      false,
-		},
-	}
-	for _, tt := range tests {
-		req, err := http.NewRequest(http.MethodGet, "http://example.com/statusz", nil)
-		if err != nil {
-			t.Fatalf("Unexpected error while creating request: %v", err)
-		}
-
-		req.Header.Set("Accept", tt.reqHeader)
-		got := AcceptableMediaType(req)
-
-		if got != tt.want {
-			t.Errorf("Unexpected response from AcceptableMediaType(), want %v, got = %v", tt.want, got)
-		}
-	}
-}
diff --git a/staging/src/k8s.io/component-base/zpages/statusz/registry.go b/staging/src/k8s.io/component-base/zpages/statusz/registry.go
deleted file mode 100644
index 92f468e52d717..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/statusz/registry.go
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package statusz
-
-import (
-	"time"
-
-	"k8s.io/apimachinery/pkg/util/version"
-	"k8s.io/klog/v2"
-
-	"k8s.io/component-base/compatibility"
-	compbasemetrics "k8s.io/component-base/metrics"
-	utilversion "k8s.io/component-base/version"
-)
-
-type statuszRegistry interface {
-	processStartTime() time.Time
-	goVersion() string
-	binaryVersion() *version.Version
-	emulationVersion() *version.Version
-	paths() []string
-}
-
-type registry struct {
-	// componentGlobalsRegistry compatibility.ComponentGlobalsRegistry
-	effectiveVersion compatibility.EffectiveVersion
-	// listedPaths is an alphabetically sorted list of paths to be reported at /.
-	listedPaths []string
-}
-
-// Option is a function to configure registry.
-type Option func(reg *registry)
-
-// WithListedPaths returns an Option to configure the ListedPaths.
-func WithListedPaths(listedPaths []string) Option {
-	cpyListedPaths := make([]string, len(listedPaths))
-	copy(cpyListedPaths, listedPaths)
-
-	return func(reg *registry) { reg.listedPaths = cpyListedPaths }
-}
-
-func (*registry) processStartTime() time.Time {
-	start, err := compbasemetrics.GetProcessStart()
-	if err != nil {
-		klog.Errorf("Could not get process start time, %v", err)
-	}
-
-	return time.Unix(int64(start), 0)
-}
-
-func (*registry) goVersion() string {
-	return utilversion.Get().GoVersion
-}
-
-func (r *registry) binaryVersion() *version.Version {
-	if r.effectiveVersion != nil {
-		return r.effectiveVersion.BinaryVersion()
-	}
-	return version.MustParse(utilversion.Get().String())
-}
-
-func (r *registry) emulationVersion() *version.Version {
-	if r.effectiveVersion != nil {
-		return r.effectiveVersion.EmulationVersion()
-	}
-
-	return nil
-}
-
-func (r *registry) paths() []string {
-	if r.listedPaths != nil {
-		return r.listedPaths
-	}
-
-	return nil
-}
diff --git a/staging/src/k8s.io/component-base/zpages/statusz/statusz.go b/staging/src/k8s.io/component-base/zpages/statusz/statusz.go
deleted file mode 100644
index f001a63c62aad..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/statusz/statusz.go
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package statusz
-
-import (
-	"fmt"
-	"html"
-	"math/rand"
-	"net/http"
-	"sort"
-	"strings"
-	"time"
-
-	"k8s.io/component-base/compatibility"
-	"k8s.io/component-base/zpages/httputil"
-	"k8s.io/klog/v2"
-)
-
-var (
-	delimiters            = []string{":", ": ", "=", " "}
-	nonDebuggingEndpoints = map[string]bool{
-		"/apis":        true,
-		"/api":         true,
-		"/openid":      true,
-		"/openapi":     true,
-		"/.well-known": true,
-	}
-)
-
-const DefaultStatuszPath = "/statusz"
-
-const headerFmt = `
-%s statusz
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-`
-
-type mux interface {
-	Handle(path string, handler http.Handler)
-}
-
-type ListedPathsOption []string
-
-func NewRegistry(effectiveVersion compatibility.EffectiveVersion, opts ...func(*registry)) statuszRegistry {
-	r := &registry{effectiveVersion: effectiveVersion}
-	for _, opt := range opts {
-		opt(r)
-	}
-
-	return r
-}
-
-func Install(m mux, componentName string, reg statuszRegistry) {
-	m.Handle(DefaultStatuszPath, handleStatusz(componentName, reg))
-}
-
-func handleStatusz(componentName string, reg statuszRegistry) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		if !httputil.AcceptableMediaType(r) {
-			http.Error(w, httputil.ErrUnsupportedMediaType.Error(), http.StatusNotAcceptable)
-			return
-		}
-
-		fmt.Fprintf(w, headerFmt, componentName)
-		data, err := populateStatuszData(reg, componentName)
-		if err != nil {
-			klog.Errorf("error while populating statusz data: %v", err)
-			http.Error(w, "error while populating statusz data", http.StatusInternalServerError)
-			return
-		}
-
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		fmt.Fprint(w, data)
-	}
-}
-
-func populateStatuszData(reg statuszRegistry, componentName string) (string, error) {
-	randomIndex := rand.Intn(len(delimiters))
-	delim := html.EscapeString(delimiters[randomIndex])
-	startTime := html.EscapeString(reg.processStartTime().Format(time.UnixDate))
-	uptime := html.EscapeString(uptime(reg.processStartTime()))
-	goVersion := html.EscapeString(reg.goVersion())
-	binaryVersion := html.EscapeString(reg.binaryVersion().String())
-
-	var emulationVersion string
-	if reg.emulationVersion() != nil {
-		emulationVersion = fmt.Sprintf(`Emulation version%s %s`, delim, html.EscapeString(reg.emulationVersion().String()))
-	}
-	paths := aggregatePaths(reg.paths())
-	if paths != "" {
-		paths = fmt.Sprintf(`Paths%s %s`, delim, html.EscapeString(paths))
-	}
-
-	status := fmt.Sprintf(`
-Started%[1]s %[2]s
-Up%[1]s %[3]s
-Go version%[1]s %[4]s
-Binary version%[1]s %[5]s
-%[6]s
-%[7]s
-`, delim, startTime, uptime, goVersion, binaryVersion, emulationVersion, paths)
-
-	return status, nil
-}
-
-func uptime(t time.Time) string {
-	upSince := int64(time.Since(t).Seconds())
-	return fmt.Sprintf("%d hr %02d min %02d sec",
-		upSince/3600, (upSince/60)%60, upSince%60)
-}
-
-func aggregatePaths(listedPaths []string) string {
-	paths := make(map[string]bool)
-	for _, listedPath := range listedPaths {
-		folder := "/" + strings.Split(listedPath, "/")[1]
-		if !paths[folder] && !nonDebuggingEndpoints[folder] {
-			paths[folder] = true
-		}
-	}
-
-	var sortedPaths []string
-	for p := range paths {
-		sortedPaths = append(sortedPaths, p)
-	}
-	sort.Strings(sortedPaths)
-
-	var path string
-	for _, p := range sortedPaths {
-		path += " " + p
-	}
-
-	return path
-}
diff --git a/staging/src/k8s.io/component-base/zpages/statusz/statusz_test.go b/staging/src/k8s.io/component-base/zpages/statusz/statusz_test.go
deleted file mode 100644
index 8d9f5d0e93358..0000000000000
--- a/staging/src/k8s.io/component-base/zpages/statusz/statusz_test.go
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package statusz
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	"k8s.io/apimachinery/pkg/util/version"
-)
-
-const wantTmpl = `
-%s statusz
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-
-Started: %v
-Up: %s
-Go version: %s
-Binary version: %v
-Emulation version: %v
-Paths:  /livez /readyz
-`
-
-const wantTmplWithoutEmulation = `
-%s statusz
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-
-Started: %v
-Up: %s
-Go version: %s
-Binary version: %v
-
-Paths:  /livez /readyz
-`
-
-const wantTmplWithKubeApiserverComp = `
-%s statusz
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.
-
-Started: %v
-Up: %s
-Go version: %s
-Binary version: %v
-
-Paths:  /livez /readyz
-`
-
-func TestStatusz(t *testing.T) {
-	delimiters = []string{":"}
-	fakeStartTime := time.Now()
-	fakeUptime := uptime(fakeStartTime)
-	fakeGoVersion := "1.21"
-	fakeBvStr := "1.31"
-	fakeEvStr := "1.30"
-	fakeBinaryVersion := parseVersion(t, fakeBvStr)
-	fakeEmulationVersion := parseVersion(t, fakeEvStr)
-	fakeListedPaths := []string{"/livez/poststarthook/peer-discovery-cache-sync", "/livez/post", "/readyz/informer-sync", "/readyz/log", "/readyz/ping"}
-	tests := []struct {
-		name           string
-		componentName  string
-		reqHeader      string
-		registry       fakeRegistry
-		wantStatusCode int
-		wantBody       string
-	}{
-		{
-			name:           "invalid header",
-			reqHeader:      "some header",
-			wantStatusCode: http.StatusNotAcceptable,
-		},
-		{
-			name:          "valid request",
-			componentName: "test-server",
-			reqHeader:     "text/plain; charset=utf-8",
-			registry: fakeRegistry{
-				startTime:    fakeStartTime,
-				goVer:        fakeGoVersion,
-				binaryVer:    fakeBinaryVersion,
-				emulationVer: fakeEmulationVersion,
-				listedPaths:  fakeListedPaths,
-			},
-			wantStatusCode: http.StatusOK,
-			wantBody: fmt.Sprintf(
-				wantTmpl,
-				"test-server",
-				fakeStartTime.Format(time.UnixDate),
-				fakeUptime,
-				fakeGoVersion,
-				fakeBinaryVersion,
-				fakeEmulationVersion,
-			),
-		},
-		{
-			name:          "missing emulation version",
-			componentName: "test-server",
-			reqHeader:     "text/plain; charset=utf-8",
-			registry: fakeRegistry{
-				startTime:    fakeStartTime,
-				goVer:        fakeGoVersion,
-				binaryVer:    fakeBinaryVersion,
-				emulationVer: nil,
-				listedPaths:  fakeListedPaths,
-			},
-			wantStatusCode: http.StatusOK,
-			wantBody: fmt.Sprintf(
-				wantTmplWithoutEmulation,
-				"test-server",
-				fakeStartTime.Format(time.UnixDate),
-				fakeUptime,
-				fakeGoVersion,
-				fakeBinaryVersion,
-			),
-		},
-		{
-			name:          "valid request for kube-apiserver",
-			componentName: "kube-apiserver",
-			reqHeader:     "text/plain; charset=utf-8",
-			registry: fakeRegistry{
-				startTime:    fakeStartTime,
-				goVer:        fakeGoVersion,
-				binaryVer:    fakeBinaryVersion,
-				emulationVer: nil,
-				listedPaths:  fakeListedPaths,
-			},
-			wantStatusCode: http.StatusOK,
-			wantBody: fmt.Sprintf(
-				wantTmplWithKubeApiserverComp,
-				"kube-apiserver",
-				fakeStartTime.Format(time.UnixDate),
-				fakeUptime,
-				fakeGoVersion,
-				fakeBinaryVersion,
-			),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mux := http.NewServeMux()
-
-			Install(mux, tt.componentName, tt.registry)
-
-			path := "/statusz"
-			req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://example.com%s", path), nil)
-			if err != nil {
-				t.Fatalf("unexpected error while creating request: %v", err)
-			}
-
-			req.Header.Set("Accept", "text/plain; charset=utf-8")
-			if tt.reqHeader != "" {
-				req.Header.Set("Accept", tt.reqHeader)
-			}
-
-			w := httptest.NewRecorder()
-			mux.ServeHTTP(w, req)
-
-			if w.Code != tt.wantStatusCode {
-				t.Fatalf("want status code: %v, got: %v", tt.wantStatusCode, w.Code)
-			}
-
-			if tt.wantStatusCode == http.StatusOK {
-				c := w.Header().Get("Content-Type")
-				if c != "text/plain; charset=utf-8" {
-					t.Fatalf("want header: %v, got: %v", "text/plain", c)
-				}
-
-				if diff := cmp.Diff(tt.wantBody, string(w.Body.String())); diff != "" {
-					t.Errorf("Unexpected diff on response (-want,+got):\n%s", diff)
-				}
-			}
-		})
-	}
-}
-
-func parseVersion(t *testing.T, v string) *version.Version {
-	parsed, err := version.ParseMajorMinor(v)
-	if err != nil {
-		t.Fatalf("error parsing binary version: %s", v)
-	}
-
-	return parsed
-}
-
-type fakeRegistry struct {
-	startTime    time.Time
-	goVer        string
-	binaryVer    *version.Version
-	emulationVer *version.Version
-	listedPaths  []string
-}
-
-func (f fakeRegistry) processStartTime() time.Time {
-	return f.startTime
-}
-
-func (f fakeRegistry) goVersion() string {
-	return f.goVer
-}
-
-func (f fakeRegistry) binaryVersion() *version.Version {
-	return f.binaryVer
-}
-
-func (f fakeRegistry) emulationVersion() *version.Version {
-	return f.emulationVer
-}
-
-func (f fakeRegistry) paths() []string {
-	return f.listedPaths
-}
diff --git a/staging/src/k8s.io/component-helpers/apimachinery/lease/controller.go b/staging/src/k8s.io/component-helpers/apimachinery/lease/controller.go
index 85be9faa34307..1a1678dc70c22 100644
--- a/staging/src/k8s.io/component-helpers/apimachinery/lease/controller.go
+++ b/staging/src/k8s.io/component-helpers/apimachinery/lease/controller.go
@@ -19,6 +19,8 @@ package lease
 import (
 	"context"
 	"fmt"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	coordinationv1 "k8s.io/api/coordination/v1"
@@ -40,11 +42,15 @@ const (
 	maxUpdateRetries = 5
 	// maxBackoff is the maximum sleep time during backoff (e.g. in backoffEnsureLease)
 	maxBackoff = 7 * time.Second
+	// shutdownTimeout is the timeout for deleting the lease on shutdown.
+	shutdownTimeout = 10 * time.Second
 )
 
 // Controller manages creating and renewing the lease for this component (kube-apiserver, kubelet, etc.)
 type Controller interface {
 	Run(ctx context.Context)
+	Start(stopCh <-chan struct{}) error
+	Stop()
 }
 
 // ProcessLeaseFunc processes the given lease in-place
@@ -68,6 +74,9 @@ type controller struct {
 	// before every time the lease is created/refreshed(updated).
 	// Note that an error will block the lease operation.
 	newLeasePostProcessFunc ProcessLeaseFunc
+
+	reconcilingLock sync.Mutex
+	stopCalled      atomic.Bool
 }
 
 // NewController constructs and returns a controller
@@ -90,6 +99,46 @@ func NewController(clock clock.Clock, client clientset.Interface, holderIdentity
 	}
 }
 
+// Start performs setup actions, and then starts the lease controller.
+func (c *controller) Start(stopCh <-chan struct{}) error {
+	if c.leaseClient == nil {
+		return nil
+	}
+
+	// We delete the lease on startup to ensure that if a new apiserver starts up,
+	// it removes any stale lease from a previous instance. This is important to
+	// prevent other components from discovering and communicating with a dead peer.
+	ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+	defer cancel()
+	klog.FromContext(ctx).Info("Deleting old lease on startup", "lease", klog.KRef(c.leaseNamespace, c.leaseName))
+	if err := c.leaseClient.Delete(ctx, c.leaseName, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
+		// The lease controller will eventually take over and update the lease.
+		klog.FromContext(ctx).Error(err, "error deleting old lease", "lease", klog.KRef(c.leaseNamespace, c.leaseName))
+	}
+
+	go c.Run(wait.ContextForChannel(stopCh))
+	return nil
+}
+
+// Stop gracefully shuts down the controller.
+func (c *controller) Stop() {
+	if c.leaseClient == nil {
+		return
+	}
+
+	c.stopCalled.Store(true)
+	// Ensure that there will be no race condition with the sync.
+	c.reconcilingLock.Lock()
+	defer c.reconcilingLock.Unlock()
+
+	ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+	defer cancel()
+	klog.FromContext(ctx).Info("Cleaning up lease on exit", "lease", klog.KRef(c.leaseNamespace, c.leaseName))
+	if err := c.leaseClient.Delete(ctx, c.leaseName, metav1.DeleteOptions{}); err != nil && !apierrors.IsNotFound(err) {
+		klog.FromContext(ctx).Error(err, "Unable to delete lease", "lease", klog.KRef(c.leaseNamespace, c.leaseName))
+	}
+}
+
 // Run runs the controller
 func (c *controller) Run(ctx context.Context) {
 	if c.leaseClient == nil {
@@ -100,6 +149,13 @@ func (c *controller) Run(ctx context.Context) {
 }
 
 func (c *controller) sync(ctx context.Context) {
+	if c.stopCalled.Load() {
+		return
+	}
+
+	c.reconcilingLock.Lock()
+	defer c.reconcilingLock.Unlock()
+
 	if c.latestLease != nil {
 		// As long as the lease is not (or very rarely) updated by any other agent than the component itself,
 		// we can optimistically assume it didn't change since our last update and try updating
diff --git a/staging/src/k8s.io/component-helpers/go.mod b/staging/src/k8s.io/component-helpers/go.mod
index 4c2091c933da7..9dbccc6926c8a 100644
--- a/staging/src/k8s.io/component-helpers/go.mod
+++ b/staging/src/k8s.io/component-helpers/go.mod
@@ -2,29 +2,28 @@
 
 module k8s.io/component-helpers
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/google/go-cmp v0.7.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -33,30 +32,30 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/component-helpers/go.sum b/staging/src/k8s.io/component-helpers/go.sum
index 0931e3ca33a02..4c6a9ecb89339 100644
--- a/staging/src/k8s.io/component-helpers/go.sum
+++ b/staging/src/k8s.io/component-helpers/go.sum
@@ -1,4 +1,6 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -10,8 +12,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -22,8 +24,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
@@ -31,8 +31,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -41,8 +41,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -62,20 +60,18 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWu
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -85,67 +81,45 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -154,12 +128,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/.mockery.yaml b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/.mockery.yaml
new file mode 100644
index 0000000000000..bb07cc3ad5680
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/.mockery.yaml
@@ -0,0 +1,13 @@
+---
+dir: testing
+pkgname: testing
+template: testify
+template-data:
+  boilerplate-file: ../../../../../hack/boilerplate/boilerplate.generatego.txt
+packages:
+  k8s.io/component-helpers/nodedeclaredfeatures:
+    config:
+      filename: mocks.go # New file name
+    interfaces:
+      Feature: {}
+      FeatureGate: {}
\ No newline at end of file
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize.go
new file mode 100644
index 0000000000000..4372df64d4344
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize.go
@@ -0,0 +1,85 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inplacepodresize
+
+import (
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+)
+
+// Ensure the feature struct implements the unified Feature interface.
+var _ nodedeclaredfeatures.Feature = &guaranteedQoSPodCPUResizeFeature{}
+
+const (
+	// IPPRExclusiveCPUsFeatureGate is the feature gate for IPPRExclusiveCPUsFeatureGate.
+	IPPRExclusiveCPUsFeatureGate = "InPlacePodVerticalScalingExclusiveCPUs"
+	// CPUManagerPolicyStatic is the value for the static CPUManagerPolicy.
+	CPUManagerPolicyStatic = "static"
+	// CPUManagerPolicyNone is the value for the none CPUManagerPolicy.
+	CPUManagerPolicyNone = "none"
+	// GuaranteedQoSPodCPUResize is a declared feature that indicates a node supports in-place pod resize for guaranteed QoS pods with exclusive CPUs.
+	GuaranteedQoSPodCPUResize = "GuaranteedQoSPodCPUResize"
+)
+
+// GuaranteedQoSPodCPUResizeFeature is the implementation of the `GuaranteedQoSPodCPUResize` feature.
+var GuaranteedQoSPodCPUResizeFeature = &guaranteedQoSPodCPUResizeFeature{}
+
+type guaranteedQoSPodCPUResizeFeature struct{}
+
+func (f *guaranteedQoSPodCPUResizeFeature) Name() string {
+	return GuaranteedQoSPodCPUResize
+}
+
+func (f *guaranteedQoSPodCPUResizeFeature) Discover(cfg *nodedeclaredfeatures.NodeConfiguration) bool {
+	featureGateEnabled := cfg.FeatureGates.Enabled(IPPRExclusiveCPUsFeatureGate)
+	cpuManagerPolicy := cfg.StaticConfig.CPUManagerPolicy
+	if (featureGateEnabled && cpuManagerPolicy == CPUManagerPolicyStatic) || (cpuManagerPolicy == CPUManagerPolicyNone) {
+		return true
+	}
+	return false
+}
+
+func (f *guaranteedQoSPodCPUResizeFeature) InferForScheduling(podInfo *nodedeclaredfeatures.PodInfo) bool {
+	// This feature is only relevant for pod updates (resizes).
+	return false
+}
+
+func (f *guaranteedQoSPodCPUResizeFeature) InferForUpdate(oldPodInfo, newPodInfo *nodedeclaredfeatures.PodInfo) bool {
+	// Since this is an update, the QOS class must already be se ans must be the same for old and new pod spec.
+	if oldPodInfo.Status != nil && oldPodInfo.Status.QOSClass != v1.PodQOSGuaranteed {
+		return false
+	}
+
+	oldPodSpec := oldPodInfo.Spec
+	newPodSpec := newPodInfo.Spec
+
+	// Check if CPU request is changing for any container.
+	for i := range oldPodSpec.Containers {
+		oldCPU := oldPodSpec.Containers[i].Resources.Requests.Cpu()
+		newCPU := newPodSpec.Containers[i].Resources.Requests.Cpu()
+		if oldCPU != nil && newCPU != nil && !oldCPU.Equal(*newCPU) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (f *guaranteedQoSPodCPUResizeFeature) MaxVersion() *version.Version {
+	return nil
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize_test.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize_test.go
new file mode 100644
index 0000000000000..2cd986a8eadae
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/guaranteed_cpu_resize_test.go
@@ -0,0 +1,153 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inplacepodresize
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+	test "k8s.io/component-helpers/nodedeclaredfeatures/testing"
+)
+
+func TestGuaranteedQoSPodCPUResizeFeature_Discover(t *testing.T) {
+	testCases := []struct {
+		name             string
+		cpuManagerPolicy string
+		gateEnabled      bool
+		expected         bool
+	}{
+		{
+			name:             "feature gate enabled, static policy",
+			cpuManagerPolicy: CPUManagerPolicyStatic,
+			gateEnabled:      true,
+			expected:         true,
+		},
+		{
+			name:             "feature gate disabled, static policy",
+			cpuManagerPolicy: CPUManagerPolicyStatic,
+			gateEnabled:      false,
+			expected:         false,
+		},
+		{
+			name:             "none policy",
+			cpuManagerPolicy: CPUManagerPolicyNone,
+			gateEnabled:      true,
+			expected:         true,
+		},
+		{
+			name:             "feature gate missing",
+			cpuManagerPolicy: CPUManagerPolicyStatic,
+			gateEnabled:      false, // Effectively disabled if not found
+			expected:         false,
+		},
+	}
+
+	feature := &guaranteedQoSPodCPUResizeFeature{}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockFG := test.NewMockFeatureGate(t)
+			mockFG.EXPECT().Enabled(IPPRExclusiveCPUsFeatureGate).Return(tc.gateEnabled)
+
+			config := &nodedeclaredfeatures.NodeConfiguration{
+				FeatureGates: mockFG,
+				StaticConfig: nodedeclaredfeatures.StaticConfiguration{CPUManagerPolicy: tc.cpuManagerPolicy},
+			}
+			enabled := feature.Discover(config)
+			assert.Equal(t, tc.expected, enabled)
+		})
+	}
+}
+
+func TestGuaranteedQoSPodCPUResizeFeature_InferForScheduling(t *testing.T) {
+	feature := &guaranteedQoSPodCPUResizeFeature{}
+	assert.False(t, feature.InferForScheduling(&nodedeclaredfeatures.PodInfo{Spec: &v1.PodSpec{}, Status: &v1.PodStatus{}}), "InferForScheduling should always be false")
+}
+
+func TestGuaranteedQoSPodCPUResizeFeature_InferFromUpdate(t *testing.T) {
+	basePod := func() *v1.Pod {
+		return &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name: "c1",
+						Resources: v1.ResourceRequirements{
+							Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+							Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						},
+					},
+				},
+			},
+			Status: v1.PodStatus{
+				QOSClass: v1.PodQOSGuaranteed,
+			},
+		}
+	}
+
+	testCases := []struct {
+		name     string
+		oldPod   *v1.Pod
+		newPod   *v1.Pod
+		expected bool
+	}{
+		{
+			name:     "not guaranteed QOS",
+			oldPod:   func() *v1.Pod { p := basePod(); p.Status.QOSClass = v1.PodQOSBurstable; return p }(),
+			newPod:   func() *v1.Pod { p := basePod(); p.Status.QOSClass = v1.PodQOSBurstable; return p }(),
+			expected: false,
+		},
+		{
+			name:     "no CPU request change",
+			oldPod:   basePod(),
+			newPod:   basePod(),
+			expected: false,
+		},
+		{
+			name:   "CPU request changed",
+			oldPod: basePod(),
+			newPod: func() *v1.Pod {
+				p := basePod()
+				p.Spec.Containers[0].Resources.Requests[v1.ResourceCPU] = resource.MustParse("2")
+				return p
+			}(),
+			expected: true,
+		},
+		{
+			name:   "CPU limit changed, but not request",
+			oldPod: basePod(),
+			newPod: func() *v1.Pod {
+				p := basePod()
+				p.Spec.Containers[0].Resources.Limits[v1.ResourceCPU] = resource.MustParse("2")
+				return p
+			}(),
+			expected: false, // Only request changes matter for this feature
+		},
+	}
+
+	feature := &guaranteedQoSPodCPUResizeFeature{}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			oldPodInfo := &nodedeclaredfeatures.PodInfo{Spec: &tc.oldPod.Spec, Status: &tc.oldPod.Status}
+			newPodInfo := &nodedeclaredfeatures.PodInfo{Spec: &tc.newPod.Spec, Status: &tc.newPod.Status}
+			assert.Equal(t, tc.expected, feature.InferForUpdate(oldPodInfo, newPodInfo))
+		})
+	}
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize.go
new file mode 100644
index 0000000000000..a1f65d53ee762
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inplacepodresize
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+)
+
+// Ensure the feature struct implements the unified Feature interface.
+var _ nodedeclaredfeatures.Feature = &podLevelResourcesResizeFeature{}
+
+// IPPRPodLevelResourcesFeatureGate is the feature gate for IPPRPodLevelResourcesVerticalScaling.
+const IPPRPodLevelResourcesFeatureGate = "InPlacePodLevelResourcesVerticalScaling"
+
+// Feature is the implementation of the `PodLevelResourcesResize` feature.
+var PodLevelResourcesResizeFeature = &podLevelResourcesResizeFeature{}
+
+type podLevelResourcesResizeFeature struct{}
+
+func (f *podLevelResourcesResizeFeature) Name() string {
+	return IPPRPodLevelResourcesFeatureGate
+}
+
+func (f *podLevelResourcesResizeFeature) Discover(cfg *nodedeclaredfeatures.NodeConfiguration) bool {
+	return cfg.FeatureGates.Enabled(IPPRPodLevelResourcesFeatureGate)
+}
+
+func (f *podLevelResourcesResizeFeature) InferForScheduling(podInfo *nodedeclaredfeatures.PodInfo) bool {
+	// This feature is only relevant for pod updates.
+	return false
+}
+
+func (f *podLevelResourcesResizeFeature) InferForUpdate(oldPodInfo, newPodInfo *nodedeclaredfeatures.PodInfo) bool {
+	if oldPodInfo.Spec.Resources == nil && newPodInfo.Spec.Resources == nil {
+		return false
+	}
+	return !reflect.DeepEqual(oldPodInfo.Spec.Resources, newPodInfo.Spec.Resources)
+}
+
+func (f *podLevelResourcesResizeFeature) MaxVersion() *version.Version {
+	return nil
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize_test.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize_test.go
new file mode 100644
index 0000000000000..fc5643e9f0d9e
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize/pod_level_resource_resize_test.go
@@ -0,0 +1,168 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inplacepodresize
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+	test "k8s.io/component-helpers/nodedeclaredfeatures/testing"
+)
+
+func TestPodLevelResourcesResizeFeatureDiscover(t *testing.T) {
+	tests := []struct {
+		name        string
+		featureGate bool
+		expected    bool
+	}{
+		{
+			name:        "FeatureGateEnabled",
+			featureGate: true,
+			expected:    true,
+		},
+		{
+			name:        "FeatureGateDisabled",
+			featureGate: false,
+			expected:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockFG := test.NewMockFeatureGate(t)
+			mockFG.EXPECT().Enabled(IPPRPodLevelResourcesFeatureGate).Return(tt.featureGate)
+
+			cfg := &nodedeclaredfeatures.NodeConfiguration{FeatureGates: mockFG}
+			enabled := PodLevelResourcesResizeFeature.Discover(cfg)
+			assert.Equal(t, tt.expected, enabled)
+		})
+	}
+}
+
+func TestPodLevelResourcesResizeFeatureInferForScheduling(t *testing.T) {
+	podInfo := &nodedeclaredfeatures.PodInfo{Spec: &v1.PodSpec{}, Status: &v1.PodStatus{}}
+	assert.False(t, PodLevelResourcesResizeFeature.InferForScheduling(podInfo), "InferForScheduling should always be false")
+}
+
+func TestPodLevelResourcesResizeFeatureInferForUpdate(t *testing.T) {
+	tests := []struct {
+		name       string
+		oldPodInfo *nodedeclaredfeatures.PodInfo
+		newPodInfo *nodedeclaredfeatures.PodInfo
+		expected   bool
+	}{
+		{
+			name: "NoResourcesChanged",
+			oldPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			newPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			expected: false,
+		},
+		{
+			name: "ResourcesAdded",
+			oldPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec:   &v1.PodSpec{},
+				Status: &v1.PodStatus{},
+			},
+			newPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			expected: true,
+		},
+		{
+			name: "ResourcesRemoved",
+			oldPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			newPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec:   &v1.PodSpec{},
+				Status: &v1.PodStatus{},
+			},
+			expected: true,
+		},
+		{
+			name: "ResourcesChanged",
+			oldPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			newPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec: &v1.PodSpec{
+					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("2")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1")},
+					},
+				},
+				Status: &v1.PodStatus{},
+			},
+			expected: true,
+		},
+		{
+			name: "NilResources",
+			oldPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec:   &v1.PodSpec{},
+				Status: &v1.PodStatus{},
+			},
+			newPodInfo: &nodedeclaredfeatures.PodInfo{
+				Spec:   &v1.PodSpec{},
+				Status: &v1.PodStatus{},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, PodLevelResourcesResizeFeature.InferForUpdate(tt.oldPodInfo, tt.newPodInfo))
+		})
+	}
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/registry.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/registry.go
new file mode 100644
index 0000000000000..953a655e2306b
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/registry.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package features
+
+import (
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+	"k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize"
+	"k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers"
+)
+
+// AllFeatures is the central registry for all declared features.
+// New features are added to this list to be automatically included in both
+// discovery and inference logic.
+var AllFeatures = []nodedeclaredfeatures.Feature{
+	restartallcontainers.Feature,
+	inplacepodresize.GuaranteedQoSPodCPUResizeFeature,
+	inplacepodresize.PodLevelResourcesResizeFeature,
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers.go
new file mode 100644
index 0000000000000..db496d307924b
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package restartallcontainers
+
+import (
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+)
+
+// Ensure the feature struct implements the unified Feature interface.
+var _ nodedeclaredfeatures.Feature = &restartAllContainersFeature{}
+
+const (
+	RestartRulesFeatureGate              = "ContainerRestartRules"
+	RestartAllContainersOnContainerExits = "RestartAllContainersOnContainerExits"
+)
+
+// Feature is the implementation of the `GuaranteedQoSPodCPUResize` feature.
+var Feature = &restartAllContainersFeature{}
+
+type restartAllContainersFeature struct{}
+
+func (f *restartAllContainersFeature) Name() string {
+	return RestartAllContainersOnContainerExits
+}
+
+func (f *restartAllContainersFeature) Discover(cfg *nodedeclaredfeatures.NodeConfiguration) bool {
+	return cfg.FeatureGates.Enabled(RestartAllContainersOnContainerExits)
+}
+
+func (f *restartAllContainersFeature) InferForScheduling(podInfo *nodedeclaredfeatures.PodInfo) bool {
+	for _, c := range podInfo.Spec.Containers {
+		for _, rule := range c.RestartPolicyRules {
+			if rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+	for _, c := range podInfo.Spec.InitContainers {
+		for _, rule := range c.RestartPolicyRules {
+			if rule.Action == v1.ContainerRestartRuleActionRestartAllContainers {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (f *restartAllContainersFeature) InferForUpdate(oldPodInfo, newPodInfo *nodedeclaredfeatures.PodInfo) bool {
+	// container.restartPolicy and container.restartPolicyRules are not mutable.
+	return false
+}
+
+func (f *restartAllContainersFeature) MaxVersion() *version.Version {
+	return nil
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers_test.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers_test.go
new file mode 100644
index 0000000000000..5865f566bda2f
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/features/restartallcontainers/restart_all_containers_test.go
@@ -0,0 +1,138 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package restartallcontainers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+	test "k8s.io/component-helpers/nodedeclaredfeatures/testing"
+)
+
+func TestDiscover(t *testing.T) {
+	tests := []struct {
+		name               string
+		featureGateEnabled bool
+		expected           bool
+	}{
+		{
+			name:               "both feature enabled",
+			featureGateEnabled: true,
+			expected:           true,
+		},
+		{
+			name:               "restartAllContainers feature disabled",
+			featureGateEnabled: false,
+			expected:           false,
+		},
+	}
+
+	feature := &restartAllContainersFeature{}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			mockFG := test.NewMockFeatureGate(t)
+			mockFG.EXPECT().Enabled(RestartAllContainersOnContainerExits).Return(tc.featureGateEnabled)
+
+			config := &nodedeclaredfeatures.NodeConfiguration{
+				FeatureGates: mockFG,
+			}
+			enabled := feature.Discover(config)
+			assert.Equal(t, tc.expected, enabled)
+		})
+	}
+}
+
+func TestInferForScheduling(t *testing.T) {
+	tests := []struct {
+		name     string
+		pod      *v1.PodSpec
+		expected bool
+	}{
+		{
+			name: "init container with rules",
+			pod: &v1.PodSpec{
+				InitContainers: []v1.Container{
+					containerWithRestartAllContainersAction(),
+				},
+				Containers: []v1.Container{{
+					Name:  "name",
+					Image: "image",
+				}},
+			},
+			expected: true,
+		},
+		{
+			name: "regular container with rules",
+			pod: &v1.PodSpec{
+				InitContainers: []v1.Container{{
+					Name:  "name",
+					Image: "image",
+				}},
+				Containers: []v1.Container{containerWithRestartAllContainersAction()},
+			},
+			expected: true,
+		},
+		{
+			name: "no rules",
+			pod: &v1.PodSpec{
+				InitContainers: []v1.Container{{
+					Name:  "name",
+					Image: "image",
+				}},
+				Containers: []v1.Container{{
+					Name:  "name2",
+					Image: "image",
+				}},
+			},
+			expected: false,
+		},
+	}
+
+	feature := &restartAllContainersFeature{}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			podInfo := &nodedeclaredfeatures.PodInfo{Spec: tc.pod}
+			assert.Equal(t, tc.expected, feature.InferForScheduling(podInfo))
+		})
+	}
+}
+
+func TestInferForUpdate(t *testing.T) {
+	feature := &restartAllContainersFeature{}
+	podInfo := &nodedeclaredfeatures.PodInfo{Spec: &v1.PodSpec{}}
+	assert.False(t, feature.InferForUpdate(nil, podInfo), "expect InferForUpdate to be false")
+}
+
+func containerWithRestartAllContainersAction() v1.Container {
+	restartPolicy := v1.ContainerRestartPolicyNever
+	return v1.Container{
+		Name:          "container",
+		Image:         "image",
+		RestartPolicy: &restartPolicy,
+		RestartPolicyRules: []v1.ContainerRestartRule{
+			{
+				Action: v1.ContainerRestartRuleActionRestartAllContainers,
+				ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+					Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+					Values:   []int32{1},
+				},
+			},
+		},
+	}
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework.go
new file mode 100644
index 0000000000000..fa4986e088319
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework.go
@@ -0,0 +1,158 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"fmt"
+	"slices"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/version"
+)
+
+// Framework provides functions for discovering node features and inferring pod feature requirements.
+// It is stateful and holds the feature registry.
+type Framework struct {
+	registry []Feature
+}
+
+// FeatureSet is a set of node features.
+type FeatureSet struct {
+	sets.Set[string]
+}
+
+// NewFeatureSet creates a FeatureSet from a list of feature names.
+func NewFeatureSet(features ...string) FeatureSet {
+	return FeatureSet{Set: sets.New(features...)}
+}
+
+// Equal returns true if both the sets have the same features.
+func (s *FeatureSet) Equal(other FeatureSet) bool {
+	return s.Set.Equal(other.Set)
+}
+
+// Clone returns a copy of the FeatureSet.
+func (s *FeatureSet) Clone() FeatureSet {
+	if s.Set == nil {
+		return FeatureSet{Set: nil}
+	}
+	return FeatureSet{Set: s.Set.Clone()}
+}
+
+// New creates a new instance of the Framework.
+func New(registry []Feature) (*Framework, error) {
+	if registry == nil {
+		return nil, fmt.Errorf("registry must not be nil")
+	}
+	return &Framework{
+		registry: registry,
+	}, nil
+}
+
+// DiscoverNodeFeatures determines which features from the registry are enabled
+// for a specific node configuration. It returns a sorted, unique list of feature names.
+func (f *Framework) DiscoverNodeFeatures(cfg *NodeConfiguration) []string {
+	var enabledFeatures []string
+	for _, f := range f.registry {
+		if f.Discover(cfg) {
+			if cfg.Version != nil && f.MaxVersion() != nil && cfg.Version.GreaterThan(f.MaxVersion()) {
+				continue
+			}
+			enabledFeatures = append(enabledFeatures, f.Name())
+		}
+	}
+	slices.Sort(enabledFeatures)
+	return enabledFeatures
+}
+
+// InferForPodScheduling determines which features from the registry are required by a pod scheduling for a given target version.
+func (f *Framework) InferForPodScheduling(podInfo *PodInfo, targetVersion *version.Version) (FeatureSet, error) {
+	if targetVersion == nil {
+		return FeatureSet{}, fmt.Errorf("target version cannot be nil")
+	}
+	reqs := NewFeatureSet()
+	for _, f := range f.registry {
+		if f.MaxVersion() != nil && targetVersion.GreaterThan(f.MaxVersion()) {
+			// If target version is greater than the feature's max version, no need to require the feature
+			continue
+		}
+		if f.InferForScheduling(podInfo) {
+			reqs.Insert(f.Name())
+		}
+	}
+	return reqs, nil
+}
+
+// InferForPodUpdate determines which features are required by a pod update operation for a given target version.
+func (f *Framework) InferForPodUpdate(oldPodInfo, newPodInfo *PodInfo, targetVersion *version.Version) (FeatureSet, error) {
+	if targetVersion == nil {
+		return FeatureSet{}, fmt.Errorf("target version cannot be nil")
+	}
+	reqs := NewFeatureSet()
+	for _, f := range f.registry {
+		if f.MaxVersion() != nil && targetVersion.GreaterThan(f.MaxVersion()) {
+			// If target version is greater than the feature's max version, no need to require the feature
+			continue
+		}
+		if f.InferForUpdate(oldPodInfo, newPodInfo) {
+			reqs.Insert(f.Name())
+		}
+	}
+	return reqs, nil
+}
+
+// MatchResult encapsulates the result of a feature match check.
+type MatchResult struct {
+	// IsMatch is true if the node satisfies all feature requirements.
+	IsMatch bool
+	// UnsatisfiedRequirements lists the specific features that were not met.
+	// This field is only populated if IsMatch is false.
+	UnsatisfiedRequirements []string
+}
+
+// MatchNode checks if a node's declared features satisfy the pod's pre-computed requirements.
+// It returns a MatchResult:
+// - IsMatch is true if all requiredFeatures are present in node.status.declaredFeatures.
+// - UnsatisfiedRequirements lists features in requiredFeatures but not in node.status.declaredFeatures.
+func MatchNode(requiredFeatures FeatureSet, node *v1.Node) (*MatchResult, error) {
+	if node == nil {
+		return nil, fmt.Errorf("node cannot be nil")
+	}
+	return MatchNodeFeatureSet(requiredFeatures, NewFeatureSet(node.Status.DeclaredFeatures...))
+}
+
+// MatchNodeFeatureSet compares a set of required features against a set of features present on a node.
+// It returns a MatchResult:
+// - IsMatch is true if all requiredFeatures are present in nodeFeatures.
+// - UnsatisfiedRequirements lists features in requiredFeatures but not in nodeFeatures.
+func MatchNodeFeatureSet(requiredFeatures FeatureSet, nodeFeatures FeatureSet) (*MatchResult, error) {
+	if requiredFeatures.Len() == 0 {
+		return &MatchResult{IsMatch: true}, nil // No requirements to match.
+	}
+	var mismatched []string
+	for req := range requiredFeatures.Set {
+		if !nodeFeatures.Has(req) {
+			mismatched = append(mismatched, req)
+			continue
+		}
+	}
+	if len(mismatched) > 0 {
+		return &MatchResult{IsMatch: false, UnsatisfiedRequirements: mismatched}, nil
+	}
+	return &MatchResult{IsMatch: true}, nil
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework_test.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework_test.go
new file mode 100644
index 0000000000000..81e13b15a1bac
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/framework_test.go
@@ -0,0 +1,477 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodedeclaredfeatures
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+)
+
+// mockFeature is a mock implementation of the Feature interface for testing.
+type mockFeature struct {
+	name               string
+	discover           func(cfg *NodeConfiguration) bool
+	inferForScheduling func(podInfo *PodInfo) bool
+	inferForUpdate     func(oldPodInfo, newPodInfo *PodInfo) bool
+	maxVersion         *version.Version
+}
+
+func (f *mockFeature) Name() string                             { return f.name }
+func (f *mockFeature) Discover(cfg *NodeConfiguration) bool     { return f.discover(cfg) }
+func (f *mockFeature) InferForScheduling(podInfo *PodInfo) bool { return f.inferForScheduling(podInfo) }
+func (f *mockFeature) InferForUpdate(oldPodInfo, newPodInfo *PodInfo) bool {
+	return f.inferForUpdate(oldPodInfo, newPodInfo)
+}
+func (f *mockFeature) MaxVersion() *version.Version { return f.maxVersion }
+
+type mockFeatureGate struct {
+	features map[string]bool
+}
+
+func (m *mockFeatureGate) Enabled(key string) bool {
+	if m.features == nil {
+		return false
+	}
+	return m.features[key]
+}
+
+func newMockFeatureGate(features map[string]bool) *mockFeatureGate {
+	return &mockFeatureGate{features: features}
+}
+
+func TestNewFramework(t *testing.T) {
+	_, err := New(nil)
+	require.Error(t, err, "NewFramework should return an error with a nil registry")
+
+	_, err = New([]Feature{})
+	require.NoError(t, err, "NewFramework should not return an error with an empty registry")
+}
+
+func TestDiscoverNodeFeatures(t *testing.T) {
+	featureMaxVersion := version.MustParse("1.38.0")
+	registry := []Feature{
+		&mockFeature{
+			name: "FeatureA",
+			discover: func(cfg *NodeConfiguration) bool {
+				return cfg.FeatureGates.Enabled("feature-a")
+			},
+			maxVersion: featureMaxVersion,
+		},
+		&mockFeature{
+			name: "FeatureBWithStaticConfig",
+			discover: func(cfg *NodeConfiguration) bool {
+				return cfg.FeatureGates.Enabled("feature-b") && cfg.StaticConfig.CPUManagerPolicy == "static"
+			},
+			maxVersion: featureMaxVersion,
+		},
+	}
+
+	framework, _ := New(registry)
+
+	testCases := []struct {
+		name     string
+		config   *NodeConfiguration
+		expected []string
+	}{
+		{
+			name: "Feature Enabled",
+			config: &NodeConfiguration{
+				FeatureGates: newMockFeatureGate(map[string]bool{string("feature-a"): true}),
+				StaticConfig: StaticConfiguration{},
+			},
+			expected: []string{"FeatureA"},
+		},
+		{
+			name: "multiple features enabled",
+			config: &NodeConfiguration{
+				FeatureGates: newMockFeatureGate(map[string]bool{
+					string("feature-a"): true,
+					string("feature-b"): true,
+				}),
+				StaticConfig: StaticConfiguration{CPUManagerPolicy: "static"},
+			},
+			expected: []string{"FeatureA", "FeatureBWithStaticConfig"}, // Should be sorted
+		},
+		{
+			name: "no features enabled",
+			config: &NodeConfiguration{
+				FeatureGates: newMockFeatureGate(map[string]bool{
+					string("feature-a"): false,
+					string("feature-b"): true,
+				}),
+				StaticConfig: StaticConfiguration{CPUManagerPolicy: "none"},
+			},
+			expected: []string{},
+		},
+		{
+			name: "feature past max version",
+			config: &NodeConfiguration{
+				FeatureGates: newMockFeatureGate(map[string]bool{string("feature-a"): true}),
+				StaticConfig: StaticConfiguration{},
+				Version:      featureMaxVersion.AddMinor(1),
+			},
+			expected: []string{}, // Not published
+		},
+		{
+			name: "feature past max version - pre-release version",
+			config: &NodeConfiguration{
+				FeatureGates: newMockFeatureGate(map[string]bool{string("feature-a"): true}),
+				StaticConfig: StaticConfiguration{},
+				Version:      version.MustParse("1.39.0-alpha.2.39+049eafd34dfbd2"),
+			},
+			expected: []string{}, // Not published
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			features := framework.DiscoverNodeFeatures(tc.config)
+			if len(tc.expected) == 0 {
+				assert.Empty(t, features)
+			} else {
+				assert.Equal(t, tc.expected, features)
+			}
+		})
+	}
+}
+
+func TestInferForPodScheduling(t *testing.T) {
+	inferPodlevelResources := func(p *PodInfo) bool {
+		return p.Spec.Resources != nil
+	}
+	podWithPodLevelResources := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-with-podlevelresources"},
+		Spec: v1.PodSpec{
+			Resources: &v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("500m"),
+				},
+			},
+		},
+	}
+	podWithoutPodLevelResources := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-without-podlevelresources"},
+		Spec:       v1.PodSpec{},
+	}
+
+	testCases := []struct {
+		name          string
+		registry      []Feature
+		newPod        *v1.Pod
+		targetVersion *version.Version
+		expectedReqs  FeatureSet
+		expectErr     bool
+		errContains   string
+	}{
+		{
+			name: "pod with feature, inferred during scheduling",
+			registry: []Feature{
+				&mockFeature{
+					name:               "PodLevelResources",
+					inferForScheduling: inferPodlevelResources,
+				},
+			},
+			newPod:        podWithPodLevelResources,
+			targetVersion: version.MustParse("1.30.0"),
+			expectedReqs:  NewFeatureSet("PodLevelResources"),
+			expectErr:     false,
+		},
+		{
+			name: "pod without feature",
+			registry: []Feature{
+				&mockFeature{
+					name:               "PodLevelResources",
+					inferForScheduling: inferPodlevelResources,
+				},
+			},
+			newPod:        podWithoutPodLevelResources,
+			targetVersion: version.MustParse("1.30.0"),
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     false,
+		},
+		{
+			name: "feature universally available, not inferred during create",
+			registry: []Feature{
+				&mockFeature{
+					name:               "PodLevelResources",
+					inferForScheduling: inferPodlevelResources,
+					maxVersion:         version.MustParse("1.30.0"),
+				},
+			},
+			newPod:        podWithPodLevelResources,
+			targetVersion: version.MustParse("1.31.0"),
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     false,
+		},
+		{
+			name: "pre-release target version",
+			registry: []Feature{
+				&mockFeature{
+					name:               "PodLevelResources",
+					inferForScheduling: inferPodlevelResources,
+					maxVersion:         version.MustParse("1.30.0"),
+				},
+			},
+			newPod:        podWithPodLevelResources,
+			targetVersion: version.MustParse("0.0.0-alpha.2.39+049eafd34dfbd2"),
+			expectedReqs:  NewFeatureSet("PodLevelResources"),
+			expectErr:     false,
+		},
+		{
+			name: "target version nil",
+			registry: []Feature{
+				&mockFeature{
+					name:               "PodLevelResources",
+					inferForScheduling: inferPodlevelResources,
+				},
+			},
+			newPod:        podWithPodLevelResources,
+			targetVersion: nil,
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     true,
+			errContains:   "target version cannot be nil",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			framework, _ := New(tc.registry)
+			reqs, err := framework.InferForPodScheduling(&PodInfo{Spec: &tc.newPod.Spec, Status: &tc.newPod.Status}, tc.targetVersion)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errContains)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedReqs, reqs)
+			}
+		})
+	}
+}
+
+func TestInferForPodUpdate(t *testing.T) {
+	inferResize := func(oldPodInfo, newPodInfo *PodInfo) bool {
+		oldCPU := oldPodInfo.Spec.Containers[0].Resources.Requests.Cpu()
+		newCPU := newPodInfo.Spec.Containers[0].Resources.Requests.Cpu()
+		if oldCPU != nil && newCPU != nil && !oldCPU.Equal(*newCPU) {
+			return true
+		}
+		return false
+	}
+
+	basePod := func(cpuRequest string) *v1.Pod {
+		return &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name: "c1",
+						Resources: v1.ResourceRequirements{
+							Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse(cpuRequest)},
+						},
+					},
+				},
+			},
+		}
+	}
+
+	podWith1CPU := basePod("1")
+	podWith2CPU := basePod("2")
+
+	testCases := []struct {
+		name          string
+		registry      []Feature
+		oldPod        *v1.Pod
+		newPod        *v1.Pod
+		targetVersion *version.Version
+		expectedReqs  FeatureSet
+		expectErr     bool
+		errContains   string
+	}{
+		{
+			name: "pod update requires feature",
+			registry: []Feature{
+				&mockFeature{
+					name:           "InPlacePodResize",
+					inferForUpdate: inferResize,
+				},
+			},
+			oldPod:        podWith1CPU,
+			newPod:        podWith2CPU,
+			targetVersion: version.MustParse("1.30.0"),
+			expectedReqs:  NewFeatureSet("InPlacePodResize"),
+			expectErr:     false,
+		},
+		{
+			name: "pod update requires feature with pre-release version",
+			registry: []Feature{
+				&mockFeature{
+					name:           "InPlacePodResize",
+					inferForUpdate: inferResize,
+				},
+			},
+			oldPod:        podWith1CPU,
+			newPod:        podWith2CPU,
+			targetVersion: version.MustParse("1.35.0-alpha.2.39+049eafd34dfbd2"),
+			expectedReqs:  NewFeatureSet("InPlacePodResize"),
+			expectErr:     false,
+		},
+		{
+			name: "pod update does not require feature",
+			registry: []Feature{
+				&mockFeature{
+					name:           "InPlacePodResize",
+					inferForUpdate: inferResize,
+				},
+			},
+			oldPod:        podWith1CPU,
+			newPod:        podWith1CPU,
+			targetVersion: version.MustParse("1.30.0"),
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     false,
+		},
+		{
+			name: "feature universally available, not inferred during update",
+			registry: []Feature{
+				&mockFeature{
+					name:           "InPlacePodResize",
+					inferForUpdate: inferResize,
+					maxVersion:     version.MustParse("1.30.0"),
+				},
+			},
+			oldPod:        podWith1CPU,
+			newPod:        podWith2CPU,
+			targetVersion: version.MustParse("1.31.0"),
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     false,
+		},
+		{
+			name: "target version nil",
+			registry: []Feature{
+				&mockFeature{
+					name:           "InPlacePodResize",
+					inferForUpdate: inferResize,
+				},
+			},
+			oldPod:        podWith1CPU,
+			newPod:        podWith2CPU,
+			targetVersion: nil,
+			expectedReqs:  NewFeatureSet(),
+			expectErr:     true,
+			errContains:   "target version cannot be nil",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			framework, _ := New(tc.registry)
+			reqs, err := framework.InferForPodUpdate(&PodInfo{Spec: &tc.oldPod.Spec, Status: &tc.oldPod.Status}, &PodInfo{Spec: &tc.newPod.Spec, Status: &tc.newPod.Status}, tc.targetVersion)
+
+			if tc.expectErr {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errContains)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tc.expectedReqs, reqs)
+			}
+		})
+	}
+}
+
+func TestMatchNode(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		podFeatureRequirements FeatureSet
+		nodeFeatures           []string
+		expectedMatch          bool
+		expectedUnsatisfied    []string
+	}{
+		{
+			name:                   "all features match",
+			podFeatureRequirements: NewFeatureSet("feature-a", "feature-b"),
+			nodeFeatures:           []string{"feature-a", "feature-b", "feature-c"},
+			expectedMatch:          true,
+			expectedUnsatisfied:    nil,
+		},
+		{
+			name:                   "some features missing",
+			podFeatureRequirements: NewFeatureSet("feature-a", "feature-b"),
+			nodeFeatures:           []string{"feature-a", "feature-c"},
+			expectedMatch:          false,
+			expectedUnsatisfied:    []string{"feature-b"},
+		},
+		{
+			name:                   "all features missing",
+			podFeatureRequirements: NewFeatureSet("feature-a", "feature-b"),
+			nodeFeatures:           []string{"feature-c"},
+			expectedMatch:          false,
+			expectedUnsatisfied:    []string{"feature-a", "feature-b"},
+		},
+		{
+			name:                   "no node features",
+			podFeatureRequirements: NewFeatureSet("feature-a", "feature-b"),
+			nodeFeatures:           []string{},
+			expectedMatch:          false,
+			expectedUnsatisfied:    []string{"feature-a", "feature-b"},
+		},
+		{
+			name:                   "no requirements",
+			podFeatureRequirements: NewFeatureSet(),
+			nodeFeatures:           []string{"feature-a", "feature-b", "feature-c"},
+			expectedMatch:          true,
+			expectedUnsatisfied:    nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			matchVariations := []string{"MatchNode", "MatchNodeFeatureSet"}
+			for _, variationName := range matchVariations {
+				t.Run(variationName, func(t *testing.T) {
+					var result *MatchResult
+					var err error
+
+					switch variationName {
+					case "MatchNode":
+						node := &v1.Node{Status: v1.NodeStatus{DeclaredFeatures: tc.nodeFeatures}}
+						result, err = MatchNode(tc.podFeatureRequirements, node)
+					case "MatchNodeFeatureSet":
+						result, err = MatchNodeFeatureSet(tc.podFeatureRequirements, NewFeatureSet(tc.nodeFeatures...))
+					default:
+						t.Fatalf("unknown match variation: %s", variationName)
+					}
+
+					require.NoError(t, err)
+					assert.Equal(t, tc.expectedMatch, result.IsMatch)
+					if !tc.expectedMatch {
+						assert.ElementsMatch(t, tc.expectedUnsatisfied, result.UnsatisfiedRequirements)
+					}
+				})
+			}
+		})
+	}
+
+	// Test nil node
+	_, err := MatchNode(NewFeatureSet("feature-a"), nil)
+	require.Error(t, err, "MatchNode should return an error for a nil node")
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/testing/mocks.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/testing/mocks.go
new file mode 100644
index 0000000000000..e40a048e8e4d1
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/testing/mocks.go
@@ -0,0 +1,381 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package testing
+
+import (
+	mock "github.com/stretchr/testify/mock"
+	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/component-helpers/nodedeclaredfeatures"
+)
+
+// NewMockFeature creates a new instance of MockFeature. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFeature(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFeature {
+	mock := &MockFeature{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockFeature is an autogenerated mock type for the Feature type
+type MockFeature struct {
+	mock.Mock
+}
+
+type MockFeature_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFeature) EXPECT() *MockFeature_Expecter {
+	return &MockFeature_Expecter{mock: &_m.Mock}
+}
+
+// Discover provides a mock function for the type MockFeature
+func (_mock *MockFeature) Discover(cfg *nodedeclaredfeatures.NodeConfiguration) bool {
+	ret := _mock.Called(cfg)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Discover")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*nodedeclaredfeatures.NodeConfiguration) bool); ok {
+		r0 = returnFunc(cfg)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockFeature_Discover_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discover'
+type MockFeature_Discover_Call struct {
+	*mock.Call
+}
+
+// Discover is a helper method to define mock.On call
+//   - cfg *nodedeclaredfeatures.NodeConfiguration
+func (_e *MockFeature_Expecter) Discover(cfg interface{}) *MockFeature_Discover_Call {
+	return &MockFeature_Discover_Call{Call: _e.mock.On("Discover", cfg)}
+}
+
+func (_c *MockFeature_Discover_Call) Run(run func(cfg *nodedeclaredfeatures.NodeConfiguration)) *MockFeature_Discover_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *nodedeclaredfeatures.NodeConfiguration
+		if args[0] != nil {
+			arg0 = args[0].(*nodedeclaredfeatures.NodeConfiguration)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockFeature_Discover_Call) Return(b bool) *MockFeature_Discover_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockFeature_Discover_Call) RunAndReturn(run func(cfg *nodedeclaredfeatures.NodeConfiguration) bool) *MockFeature_Discover_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// InferForScheduling provides a mock function for the type MockFeature
+func (_mock *MockFeature) InferForScheduling(podInfo *nodedeclaredfeatures.PodInfo) bool {
+	ret := _mock.Called(podInfo)
+
+	if len(ret) == 0 {
+		panic("no return value specified for InferForScheduling")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*nodedeclaredfeatures.PodInfo) bool); ok {
+		r0 = returnFunc(podInfo)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockFeature_InferForScheduling_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'InferForScheduling'
+type MockFeature_InferForScheduling_Call struct {
+	*mock.Call
+}
+
+// InferForScheduling is a helper method to define mock.On call
+//   - podInfo *nodedeclaredfeatures.PodInfo
+func (_e *MockFeature_Expecter) InferForScheduling(podInfo interface{}) *MockFeature_InferForScheduling_Call {
+	return &MockFeature_InferForScheduling_Call{Call: _e.mock.On("InferForScheduling", podInfo)}
+}
+
+func (_c *MockFeature_InferForScheduling_Call) Run(run func(podInfo *nodedeclaredfeatures.PodInfo)) *MockFeature_InferForScheduling_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *nodedeclaredfeatures.PodInfo
+		if args[0] != nil {
+			arg0 = args[0].(*nodedeclaredfeatures.PodInfo)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockFeature_InferForScheduling_Call) Return(b bool) *MockFeature_InferForScheduling_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockFeature_InferForScheduling_Call) RunAndReturn(run func(podInfo *nodedeclaredfeatures.PodInfo) bool) *MockFeature_InferForScheduling_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// InferForUpdate provides a mock function for the type MockFeature
+func (_mock *MockFeature) InferForUpdate(oldPodInfo *nodedeclaredfeatures.PodInfo, newPodInfo *nodedeclaredfeatures.PodInfo) bool {
+	ret := _mock.Called(oldPodInfo, newPodInfo)
+
+	if len(ret) == 0 {
+		panic("no return value specified for InferForUpdate")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(*nodedeclaredfeatures.PodInfo, *nodedeclaredfeatures.PodInfo) bool); ok {
+		r0 = returnFunc(oldPodInfo, newPodInfo)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockFeature_InferForUpdate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'InferForUpdate'
+type MockFeature_InferForUpdate_Call struct {
+	*mock.Call
+}
+
+// InferForUpdate is a helper method to define mock.On call
+//   - oldPodInfo *nodedeclaredfeatures.PodInfo
+//   - newPodInfo *nodedeclaredfeatures.PodInfo
+func (_e *MockFeature_Expecter) InferForUpdate(oldPodInfo interface{}, newPodInfo interface{}) *MockFeature_InferForUpdate_Call {
+	return &MockFeature_InferForUpdate_Call{Call: _e.mock.On("InferForUpdate", oldPodInfo, newPodInfo)}
+}
+
+func (_c *MockFeature_InferForUpdate_Call) Run(run func(oldPodInfo *nodedeclaredfeatures.PodInfo, newPodInfo *nodedeclaredfeatures.PodInfo)) *MockFeature_InferForUpdate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 *nodedeclaredfeatures.PodInfo
+		if args[0] != nil {
+			arg0 = args[0].(*nodedeclaredfeatures.PodInfo)
+		}
+		var arg1 *nodedeclaredfeatures.PodInfo
+		if args[1] != nil {
+			arg1 = args[1].(*nodedeclaredfeatures.PodInfo)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockFeature_InferForUpdate_Call) Return(b bool) *MockFeature_InferForUpdate_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockFeature_InferForUpdate_Call) RunAndReturn(run func(oldPodInfo *nodedeclaredfeatures.PodInfo, newPodInfo *nodedeclaredfeatures.PodInfo) bool) *MockFeature_InferForUpdate_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// MaxVersion provides a mock function for the type MockFeature
+func (_mock *MockFeature) MaxVersion() *version.Version {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for MaxVersion")
+	}
+
+	var r0 *version.Version
+	if returnFunc, ok := ret.Get(0).(func() *version.Version); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*version.Version)
+		}
+	}
+	return r0
+}
+
+// MockFeature_MaxVersion_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'MaxVersion'
+type MockFeature_MaxVersion_Call struct {
+	*mock.Call
+}
+
+// MaxVersion is a helper method to define mock.On call
+func (_e *MockFeature_Expecter) MaxVersion() *MockFeature_MaxVersion_Call {
+	return &MockFeature_MaxVersion_Call{Call: _e.mock.On("MaxVersion")}
+}
+
+func (_c *MockFeature_MaxVersion_Call) Run(run func()) *MockFeature_MaxVersion_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockFeature_MaxVersion_Call) Return(version1 *version.Version) *MockFeature_MaxVersion_Call {
+	_c.Call.Return(version1)
+	return _c
+}
+
+func (_c *MockFeature_MaxVersion_Call) RunAndReturn(run func() *version.Version) *MockFeature_MaxVersion_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Name provides a mock function for the type MockFeature
+func (_mock *MockFeature) Name() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Name")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockFeature_Name_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Name'
+type MockFeature_Name_Call struct {
+	*mock.Call
+}
+
+// Name is a helper method to define mock.On call
+func (_e *MockFeature_Expecter) Name() *MockFeature_Name_Call {
+	return &MockFeature_Name_Call{Call: _e.mock.On("Name")}
+}
+
+func (_c *MockFeature_Name_Call) Run(run func()) *MockFeature_Name_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockFeature_Name_Call) Return(s string) *MockFeature_Name_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockFeature_Name_Call) RunAndReturn(run func() string) *MockFeature_Name_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockFeatureGate creates a new instance of MockFeatureGate. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFeatureGate(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFeatureGate {
+	mock := &MockFeatureGate{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockFeatureGate is an autogenerated mock type for the FeatureGate type
+type MockFeatureGate struct {
+	mock.Mock
+}
+
+type MockFeatureGate_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFeatureGate) EXPECT() *MockFeatureGate_Expecter {
+	return &MockFeatureGate_Expecter{mock: &_m.Mock}
+}
+
+// Enabled provides a mock function for the type MockFeatureGate
+func (_mock *MockFeatureGate) Enabled(key string) bool {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Enabled")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(string) bool); ok {
+		r0 = returnFunc(key)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockFeatureGate_Enabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Enabled'
+type MockFeatureGate_Enabled_Call struct {
+	*mock.Call
+}
+
+// Enabled is a helper method to define mock.On call
+//   - key string
+func (_e *MockFeatureGate_Expecter) Enabled(key interface{}) *MockFeatureGate_Enabled_Call {
+	return &MockFeatureGate_Enabled_Call{Call: _e.mock.On("Enabled", key)}
+}
+
+func (_c *MockFeatureGate_Enabled_Call) Run(run func(key string)) *MockFeatureGate_Enabled_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockFeatureGate_Enabled_Call) Return(b bool) *MockFeatureGate_Enabled_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockFeatureGate_Enabled_Call) RunAndReturn(run func(key string) bool) *MockFeatureGate_Enabled_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/types.go b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/types.go
new file mode 100644
index 0000000000000..c56fa0c1c5f99
--- /dev/null
+++ b/staging/src/k8s.io/component-helpers/nodedeclaredfeatures/types.go
@@ -0,0 +1,81 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//go:generate mockery
+package nodedeclaredfeatures
+
+import (
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/version"
+)
+
+// PodInfo is an extensible data structure that wraps the pod object
+// and can be expanded in the future to include ancillary resources
+// like ResourceClaims or PVCs.
+type PodInfo struct {
+	// Spec is the Pod's specification.
+	Spec *v1.PodSpec
+	// Status is the Pod's current status. This field can be nil, for example,
+	// when this struct represents a pod not yet created.
+	// (e.g., during scheduling).
+	Status *v1.PodStatus
+	// Add other ancillary resources here in the future as needed.
+	// Example: ResourceClaims []*v1.ResourceClaim
+}
+
+// Feature encapsulates all logic for a given declared feature.
+type Feature interface {
+	// Name returns the feature's well-known name.
+	Name() string
+
+	// Discover checks if a node provides the feature based on its configuration.
+	Discover(cfg *NodeConfiguration) bool
+
+	// InferForScheduling checks if pod scheduling requires the feature.
+	InferForScheduling(podInfo *PodInfo) bool
+
+	// InferForUpdate checks if a pod update requires the feature.
+	InferForUpdate(oldPodInfo, newPodInfo *PodInfo) bool
+
+	// MaxVersion specifies the upper bound Kubernetes version (inclusive) for this feature's relevance
+	// as a scheduling factor. Should be set based on the feature's GA version
+	// and the cluster's version skew policy. Nil means no upper version bound.
+	// Comparisons use the full semantic versioning scheme.
+	MaxVersion() *version.Version
+}
+
+// FeatureGate is an interface that abstracts feature gate checking.
+type FeatureGate interface {
+	// Enabled returns true if the named feature gate is enabled.
+	Enabled(key string) bool
+}
+
+// StaticConfiguration provides a view of a node's static configuration.
+type StaticConfiguration struct {
+	// Kubelet's CPU Manager policy
+	CPUManagerPolicy string
+}
+
+// NodeConfiguration provides a generic view of a node's static configuration.
+type NodeConfiguration struct {
+	// FeatureGates holds an implementation of the FeatureGate interface.
+	FeatureGates FeatureGate
+	// StaticConfig holds node static configuration.
+	StaticConfig StaticConfiguration
+	// Version holds the current node version. This is used for full semantic version comparisons
+	// with Feature.MaxVersion() to determine if a feature needs to be reported.
+	Version *version.Version
+}
diff --git a/staging/src/k8s.io/component-helpers/resource/helpers.go b/staging/src/k8s.io/component-helpers/resource/helpers.go
index c37945f4b1e64..c8b3c7ece6f38 100644
--- a/staging/src/k8s.io/component-helpers/resource/helpers.go
+++ b/staging/src/k8s.io/component-helpers/resource/helpers.go
@@ -42,6 +42,11 @@ type PodResourcesOptions struct {
 	// when evaluating the pod resources. This MUST be false if the InPlacePodVerticalScaling
 	// feature is not enabled.
 	UseStatusResources bool
+	// InPlacePodLevelResourcesVerticalScalingEnabled indicates whether resources reported by the
+	// PodStatus should be considered when evaluating the pod resources.
+	// This MUST be false if the InPlacePodLevelResourcesVerticalScaling
+	// feature is not enabled.
+	InPlacePodLevelResourcesVerticalScalingEnabled bool
 	// ExcludeOverhead controls if pod overhead is excluded from the calculation.
 	ExcludeOverhead bool
 	// ContainerFn is called with the effective resources required for each container within the pod.
@@ -148,9 +153,25 @@ func PodRequests(pod *v1.Pod, opts PodResourcesOptions) v1.ResourceList {
 	}
 
 	if !opts.SkipPodLevelResources && IsPodLevelRequestsSet(pod) {
+
+		var effectiveReqs v1.ResourceList
+		if opts.InPlacePodLevelResourcesVerticalScalingEnabled && opts.UseStatusResources {
+			if pod.Status.Resources != nil {
+				effectiveReqs = determineEffectiveRequests(pod, &ResourceState{
+					Spec:      pod.Spec.Resources.Requests,
+					Actuated:  pod.Status.Resources.Requests,
+					Allocated: pod.Status.AllocatedResources,
+				})
+			}
+		}
+
 		for resourceName, quantity := range pod.Spec.Resources.Requests {
 			if IsSupportedPodLevelResource(resourceName) {
 				reqs[resourceName] = quantity
+				if effectiveReqs != nil {
+					reqs[resourceName] = effectiveReqs[resourceName]
+				}
+
 			}
 		}
 	}
@@ -186,7 +207,11 @@ func AggregateContainerRequests(pod *v1.Pod, opts PodResourcesOptions) v1.Resour
 		if opts.UseStatusResources {
 			cs, found := containerStatuses[container.Name]
 			if found && cs.Resources != nil {
-				containerReqs = determineContainerReqs(pod, &container, cs)
+				containerReqs = determineEffectiveRequests(pod, &ResourceState{
+					Spec:      container.Resources.Requests,
+					Actuated:  cs.Resources.Requests,
+					Allocated: cs.AllocatedResources,
+				})
 			}
 		}
 
@@ -216,7 +241,11 @@ func AggregateContainerRequests(pod *v1.Pod, opts PodResourcesOptions) v1.Resour
 			if container.RestartPolicy != nil && *container.RestartPolicy == v1.ContainerRestartPolicyAlways {
 				cs, found := containerStatuses[container.Name]
 				if found && cs.Resources != nil {
-					containerReqs = determineContainerReqs(pod, &container, cs)
+					containerReqs = determineEffectiveRequests(pod, &ResourceState{
+						Spec:      container.Resources.Requests,
+						Actuated:  cs.Resources.Requests,
+						Allocated: cs.AllocatedResources,
+					})
 				}
 			}
 		}
@@ -249,20 +278,24 @@ func AggregateContainerRequests(pod *v1.Pod, opts PodResourcesOptions) v1.Resour
 	return reqs
 }
 
-// determineContainerReqs will return a copy of the container requests based on if resizing is feasible or not.
-func determineContainerReqs(pod *v1.Pod, container *v1.Container, cs *v1.ContainerStatus) v1.ResourceList {
+type ResourceState struct {
+	Spec      v1.ResourceList
+	Actuated  v1.ResourceList
+	Allocated v1.ResourceList
+}
+
+func determineEffectiveRequests(pod *v1.Pod, rs *ResourceState) v1.ResourceList {
 	if IsPodResizeInfeasible(pod) {
-		return max(cs.Resources.Requests, cs.AllocatedResources)
+		return max(rs.Actuated, rs.Allocated)
 	}
-	return max(container.Resources.Requests, cs.Resources.Requests, cs.AllocatedResources)
+	return max(rs.Spec, rs.Actuated, rs.Allocated)
 }
 
-// determineContainerLimits will return a copy of the container limits based on if resizing is feasible or not.
-func determineContainerLimits(pod *v1.Pod, container *v1.Container, cs *v1.ContainerStatus) v1.ResourceList {
+func determineEffectiveLimits(pod *v1.Pod, rs *ResourceState) v1.ResourceList {
 	if IsPodResizeInfeasible(pod) {
-		return cs.Resources.Limits.DeepCopy()
+		return rs.Actuated.DeepCopy()
 	}
-	return max(container.Resources.Limits, cs.Resources.Limits)
+	return max(rs.Spec, rs.Actuated)
 }
 
 // IsPodResizeInfeasible returns true if the pod condition PodResizePending is set to infeasible.
@@ -309,9 +342,22 @@ func PodLimits(pod *v1.Pod, opts PodResourcesOptions) v1.ResourceList {
 	// attempt to reuse the maps if passed, or allocate otherwise
 	limits := AggregateContainerLimits(pod, opts)
 	if !opts.SkipPodLevelResources && IsPodLevelResourcesSet(pod) {
+
+		var effectiveLims v1.ResourceList
+		if opts.InPlacePodLevelResourcesVerticalScalingEnabled && opts.UseStatusResources {
+			if pod.Status.Resources != nil {
+				effectiveLims = determineEffectiveLimits(pod, &ResourceState{
+					Spec:     pod.Spec.Resources.Limits,
+					Actuated: pod.Status.Resources.Limits,
+				})
+			}
+		}
 		for resourceName, quantity := range pod.Spec.Resources.Limits {
 			if IsSupportedPodLevelResource(resourceName) {
 				limits[resourceName] = quantity
+				if effectiveLims != nil {
+					limits[resourceName] = effectiveLims[resourceName]
+				}
 			}
 		}
 	}
@@ -352,7 +398,10 @@ func AggregateContainerLimits(pod *v1.Pod, opts PodResourcesOptions) v1.Resource
 		if opts.UseStatusResources {
 			cs, found := containerStatuses[container.Name]
 			if found && cs.Resources != nil {
-				containerLimits = determineContainerLimits(pod, &container, cs)
+				containerLimits = determineEffectiveLimits(pod, &ResourceState{
+					Spec:     containerLimits,
+					Actuated: cs.Resources.Limits,
+				})
 			}
 		}
 
@@ -377,7 +426,10 @@ func AggregateContainerLimits(pod *v1.Pod, opts PodResourcesOptions) v1.Resource
 			if container.RestartPolicy != nil && *container.RestartPolicy == v1.ContainerRestartPolicyAlways {
 				cs, found := containerStatuses[container.Name]
 				if found && cs.Resources != nil {
-					containerLimits = determineContainerLimits(pod, &container, cs)
+					containerLimits = determineEffectiveLimits(pod, &ResourceState{
+						Spec:     containerLimits,
+						Actuated: cs.Resources.Limits,
+					})
 				}
 			}
 		}
diff --git a/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers.go b/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers.go
index 23a94bd7bcd6c..5e311df9843f0 100644
--- a/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers.go
+++ b/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers.go
@@ -21,6 +21,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
+	"k8s.io/klog/v2"
 )
 
 // PodPriority returns priority of the given pod.
@@ -60,9 +61,9 @@ func GetAvoidPodsFromNodeAnnotations(annotations map[string]string) (v1.AvoidPod
 }
 
 // TolerationsTolerateTaint checks if taint is tolerated by any of the tolerations.
-func TolerationsTolerateTaint(tolerations []v1.Toleration, taint *v1.Taint) bool {
+func TolerationsTolerateTaint(logger klog.Logger, tolerations []v1.Toleration, taint *v1.Taint, enableComparisonOperators bool) bool {
 	for i := range tolerations {
-		if tolerations[i].ToleratesTaint(taint) {
+		if tolerations[i].ToleratesTaint(logger, taint, enableComparisonOperators) {
 			return true
 		}
 	}
@@ -75,10 +76,10 @@ type taintsFilterFunc func(*v1.Taint) bool
 // all the filtered taints, and returns the first taint without a toleration
 // Returns true if there is an untolerated taint
 // Returns false if all taints are tolerated
-func FindMatchingUntoleratedTaint(taints []v1.Taint, tolerations []v1.Toleration, inclusionFilter taintsFilterFunc) (v1.Taint, bool) {
+func FindMatchingUntoleratedTaint(logger klog.Logger, taints []v1.Taint, tolerations []v1.Toleration, inclusionFilter taintsFilterFunc, enableComparisonOperators bool) (v1.Taint, bool) {
 	filteredTaints := getFilteredTaints(taints, inclusionFilter)
 	for _, taint := range filteredTaints {
-		if !TolerationsTolerateTaint(tolerations, &taint) {
+		if !TolerationsTolerateTaint(logger, tolerations, &taint, enableComparisonOperators) {
 			return taint, true
 		}
 	}
diff --git a/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers_test.go b/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers_test.go
index 54679d17e949f..6afc5e02ede31 100644
--- a/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers_test.go
+++ b/staging/src/k8s.io/component-helpers/scheduling/corev1/helpers_test.go
@@ -23,6 +23,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2/ktesting"
 )
 
 // TestPodPriority tests PodPriority function.
@@ -644,12 +645,15 @@ func TestGetAvoidPodsFromNode(t *testing.T) {
 }
 
 func TestFindMatchingUntoleratedTaint(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	testCases := []struct {
-		description     string
-		tolerations     []v1.Toleration
-		taints          []v1.Taint
-		applyFilter     taintsFilterFunc
-		expectTolerated bool
+		description                 string
+		tolerations                 []v1.Toleration
+		taints                      []v1.Taint
+		applyFilter                 taintsFilterFunc
+		expectTolerated             bool
+		expectError                 bool
+		enableComparisonOperatorsFG bool
 	}{
 		{
 			description:     "empty tolerations tolerate empty taints",
@@ -747,10 +751,95 @@ func TestFindMatchingUntoleratedTaint(t *testing.T) {
 			applyFilter:     func(t *v1.Taint) bool { return t.Effect == v1.TaintEffectNoExecute },
 			expectTolerated: true,
 		},
+		{
+			description: "numeric Gt operator with taint value below threshold, expect not tolerated",
+			tolerations: []v1.Toleration{
+				{
+					Key:      "node.kubernetes.io/sla",
+					Operator: "Gt",
+					Value:    "950",
+					Effect:   v1.TaintEffectNoSchedule,
+				},
+			},
+			taints: []v1.Taint{
+				{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "800",
+					Effect: v1.TaintEffectNoSchedule,
+				},
+			},
+			applyFilter:                 func(t *v1.Taint) bool { return true },
+			expectTolerated:             false,
+			enableComparisonOperatorsFG: true,
+		},
+		{
+			description: "numeric Gt operator with taint value above threshold, expect tolerated",
+			tolerations: []v1.Toleration{
+				{
+					Key:      "node.kubernetes.io/sla",
+					Operator: "Gt",
+					Value:    "750",
+					Effect:   v1.TaintEffectNoSchedule,
+				},
+			},
+			taints: []v1.Taint{
+				{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "950",
+					Effect: v1.TaintEffectNoSchedule,
+				},
+			},
+			applyFilter:                 func(t *v1.Taint) bool { return true },
+			expectTolerated:             true,
+			enableComparisonOperatorsFG: true,
+		},
+		{
+			description: "numeric Lt operator with taint value above threshold, expect not tolerated",
+			tolerations: []v1.Toleration{
+				{
+					Key:      "node.kubernetes.io/sla",
+					Operator: "Lt",
+					Value:    "800",
+					Effect:   v1.TaintEffectNoSchedule,
+				},
+			},
+			taints: []v1.Taint{
+				{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "950",
+					Effect: v1.TaintEffectNoSchedule,
+				},
+			},
+			applyFilter:                 func(t *v1.Taint) bool { return true },
+			expectTolerated:             false,
+			enableComparisonOperatorsFG: true,
+		},
+		{
+			description: "numeric Gt operator with non-numeric taint value, expect not tolerated",
+			tolerations: []v1.Toleration{
+				{
+					Key:      "node.kubernetes.io/sla",
+					Operator: "Gt",
+					Value:    "950",
+					Effect:   v1.TaintEffectNoSchedule,
+				},
+			},
+			taints: []v1.Taint{
+				{
+					Key:    "node.kubernetes.io/sla",
+					Value:  "high",
+					Effect: v1.TaintEffectNoSchedule,
+				},
+			},
+			applyFilter:                 func(t *v1.Taint) bool { return true },
+			expectTolerated:             false,
+			expectError:                 true,
+			enableComparisonOperatorsFG: true,
+		},
 	}
 
 	for _, tc := range testCases {
-		_, untolerated := FindMatchingUntoleratedTaint(tc.taints, tc.tolerations, tc.applyFilter)
+		_, untolerated := FindMatchingUntoleratedTaint(logger, tc.taints, tc.tolerations, tc.applyFilter, tc.enableComparisonOperatorsFG)
 		if tc.expectTolerated != !untolerated {
 			filteredTaints := []v1.Taint{}
 			for _, taint := range tc.taints {
diff --git a/staging/src/k8s.io/controller-manager/config/v1alpha1/doc.go b/staging/src/k8s.io/controller-manager/config/v1alpha1/doc.go
index 72d1f3cf6b0a0..79a719d6b6c2b 100644
--- a/staging/src/k8s.io/controller-manager/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/controller-manager/config/v1alpha1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/controller-manager/config
 // +k8s:conversion-gen=k8s.io/controller-manager/config/v1alpha1
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.controller-manager.config.v1alpha1
+
 // +groupName=controllermanager.config.k8s.io
 
 package v1alpha1
diff --git a/staging/src/k8s.io/controller-manager/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/controller-manager/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..57a2079a6b372
--- /dev/null
+++ b/staging/src/k8s.io/controller-manager/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerLeaderConfiguration) OpenAPIModelName() string {
+	return "io.k8s.controller-manager.config.v1alpha1.ControllerLeaderConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GenericControllerManagerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.controller-manager.config.v1alpha1.GenericControllerManagerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaderMigrationConfiguration) OpenAPIModelName() string {
+	return "io.k8s.controller-manager.config.v1alpha1.LeaderMigrationConfiguration"
+}
diff --git a/staging/src/k8s.io/controller-manager/config/v1beta1/doc.go b/staging/src/k8s.io/controller-manager/config/v1beta1/doc.go
index 0af8864a88178..a9e76bc0908a4 100644
--- a/staging/src/k8s.io/controller-manager/config/v1beta1/doc.go
+++ b/staging/src/k8s.io/controller-manager/config/v1beta1/doc.go
@@ -17,6 +17,8 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:conversion-gen=k8s.io/controller-manager/config
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.controller-manager.config.v1beta1
+
 // +groupName=controllermanager.config.k8s.io
 
 package v1beta1
diff --git a/staging/src/k8s.io/controller-manager/config/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/controller-manager/config/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..b8065c894615d
--- /dev/null
+++ b/staging/src/k8s.io/controller-manager/config/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ControllerLeaderConfiguration) OpenAPIModelName() string {
+	return "io.k8s.controller-manager.config.v1beta1.ControllerLeaderConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LeaderMigrationConfiguration) OpenAPIModelName() string {
+	return "io.k8s.controller-manager.config.v1beta1.LeaderMigrationConfiguration"
+}
diff --git a/staging/src/k8s.io/controller-manager/go.mod b/staging/src/k8s.io/controller-manager/go.mod
index 0586a1e5d2b0f..7296c06b3c4db 100644
--- a/staging/src/k8s.io/controller-manager/go.mod
+++ b/staging/src/k8s.io/controller-manager/go.mod
@@ -2,21 +2,21 @@
 
 module k8s.io/controller-manager
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	golang.org/x/oauth2 v0.27.0
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/oauth2 v0.30.0
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
 	k8s.io/apiserver v0.0.0
-	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.34.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -34,7 +34,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -55,58 +55,58 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/apiserver => ../apiserver
diff --git a/staging/src/k8s.io/controller-manager/go.sum b/staging/src/k8s.io/controller-manager/go.sum
index c67023fbeed55..227b3cbbe7e3f 100644
--- a/staging/src/k8s.io/controller-manager/go.sum
+++ b/staging/src/k8s.io/controller-manager/go.sum
@@ -3,6 +3,8 @@ cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
@@ -47,8 +49,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -80,8 +82,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -97,6 +99,7 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5uk
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -133,39 +136,37 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -178,8 +179,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -190,18 +191,18 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -209,22 +210,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -235,89 +236,91 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/controller-manager/pkg/features/kube_features.go b/staging/src/k8s.io/controller-manager/pkg/features/kube_features.go
index e6a1f0067fa5d..da82429bc58ca 100644
--- a/staging/src/k8s.io/controller-manager/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/controller-manager/pkg/features/kube_features.go
@@ -31,6 +31,11 @@ import (
 // of code conflicts because changes are more likely to be scattered
 // across the file.
 const (
+	// owner: @lukasmetzner
+	// kep:  http://kep.k8s.io/5237
+	// Use watch based route controller reconciliation instead of frequent periodic reconciliation.
+	CloudControllerManagerWatchBasedRoutesReconciliation featuregate.Feature = "CloudControllerManagerWatchBasedRoutesReconciliation"
+
 	// owner: @nckturner
 	// kep:  http://kep.k8s.io/2699
 	// Enable webhook in cloud controller manager
@@ -44,6 +49,9 @@ func SetupCurrentKubernetesSpecificFeatureGates(featuregates featuregate.Mutable
 // versionedCloudPublicFeatureGates consists of versioned cloud-specific feature keys.
 // To add a new feature, define a key for it above and add it here.
 var versionedCloudPublicFeatureGates = map[featuregate.Feature]featuregate.VersionedSpecs{
+	CloudControllerManagerWatchBasedRoutesReconciliation: {
+		{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Alpha},
+	},
 	CloudControllerManagerWebhook: {
 		{Version: version.MustParse("1.27"), Default: false, PreRelease: featuregate.Alpha},
 	},
diff --git a/staging/src/k8s.io/cri-api/OWNERS b/staging/src/k8s.io/cri-api/OWNERS
index f5adb9c7a9445..4d1a87eaa627b 100644
--- a/staging/src/k8s.io/cri-api/OWNERS
+++ b/staging/src/k8s.io/cri-api/OWNERS
@@ -21,9 +21,9 @@ filters:
       - area/kubelet
     emeritus_approvers:
       - resouer
-  # go.{mod,sum} files relate to go dependencies, and should be reviewed by the
-  # dep-approvers
-  "go\\.(mod|sum)$":
+  # go.{mod,sum,work,work.sum} files relate to go dependencies,
+  # and should be reviewed by the dep-approvers
+  "go\\.(mod|sum|work|work\\.sum)$":
     approvers:
       - dep-approvers
     reviewers:
diff --git a/staging/src/k8s.io/cri-api/README.md b/staging/src/k8s.io/cri-api/README.md
index 938c5ab6e142e..a98c8f3bdef7f 100644
--- a/staging/src/k8s.io/cri-api/README.md
+++ b/staging/src/k8s.io/cri-api/README.md
@@ -57,76 +57,121 @@ is a readonly mirror repository, all development is done at [kubernetes/kubernet
 
 Here is the change history of the Container Runtime Interface protocol. The change history is maintained manually:
 
-### v1.20
+### v1.34
 
-`git diff v1.19.0 v1.20.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+`git diff v1.33.0 v1.34.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-- CRI [v1 introduced](https://github.com/kubernetes/kubernetes/pull/96387)
+- Removed the [gogo dependency](https://github.com/kubernetes/kubernetes/pull/128653)
+- [Added `debug_redact` flags](https://github.com/kubernetes/kubernetes/pull/133135) to the following fields of `AuthConfig`: `password`, `auth`, `identity_token`, `registry_token`.
 
-### v1.21
+### v1.33
 
-`git diff v1.20.0 v1.21.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+`git diff v1.32.0 v1.33.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-No changes
+- [Clarify the behavior when the host_port value is set to 0 in CRI](https://github.com/kubernetes/kubernetes/pull/130512)
+  - Added clarifying comment to the [host_port] field of [PortMapping].
 
-### v1.22
+- [\[KEP-4639\] Graduate image volume sources to beta](https://github.com/kubernetes/kubernetes/pull/130135)
+  - Added `image_sub_path` to the  type `Mount` to represent the subpath inside the image to mount.
 
-`git diff v1.21.0 v1.22.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [\[FG:InPlacePodVerticalScaling\] Add UpdatePodSandboxResources CRI method](https://github.com/kubernetes/kubernetes/pull/128123)
+  - New method `UpdatePodSandboxResources` to synchronously updates the PodSandboxConfig with the pod-level resource configuration.
+  - Added the `UpdatePodSandboxResourcesRequest` type to pass as an argument to `UpdatePodSandboxResources`.
+  - Added the `UpdatePodSandboxResourcesResponse` empty type to return from the `UpdatePodSandboxResources`.
 
-- [Windows host process support](https://github.com/kubernetes/kubernetes/pull/99576)
-  - `PodSandboxConfig` has `windows` field  of type `WindowsPodSandboxConfig`
-  - New type `WindowsPodSandboxConfig` introduced
-  - New type `WindowsSandboxSecurityContext` introduced
-  - The type `WindowsContainerSecurityContext` has a new `host_process` boolean field
+- [Withdraw alpha support for HostNetwork containers on Windows](https://github.com/kubernetes/kubernetes/pull/130250)
+  - Added clarifying comment on the `network` field of the type `WindowsNamespaceOption` as HostNetwork containers are not supported.
 
-- [Feature: add unified on CRI to support cgroup v2](https://github.com/kubernetes/kubernetes/pull/102578)
- - The type `LinuxContainerResources` has a new field `unified` which is a map of strings
+- [Surface Pressure Stall Information (PSI) metrics](https://github.com/kubernetes/kubernetes/pull/130701)
+  - Added `io` field to the types `LinuxPodSandboxStats` and `ContainerStats` to represent the IO usage.
+  - Added  `psi` field to the type `CpuUsage`.
+  - Added types `IoUsage`, `PsiStats`, and `PsiData` to represent IO usage and PSI statistics.
 
-- [Alpha node swap support](https://github.com/kubernetes/kubernetes/pull/102823)
-  - The type `LinuxContainerResources` has a new `memory_swap_limit_in_bytes` int64 field
+- [KEP 4960: Container Stop Signals](https://github.com/kubernetes/kubernetes/pull/130556)
+  - Added the field `stop_signal` to the `ContainerConfig` type.
+  - Added the enum `Signal` listing all possible stop signals.
 
-### v1.23
+### v1.32
 
-`git diff v1.22.0 v1.23.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+`git diff v1.31.0 v1.32.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-- [CRI: add fields for pod level stats to satisfy the /stats/summary API](https://github.com/kubernetes/kubernetes/pull/102789)
-  - New functions `PodSandboxStats`, `ListPodSandboxStats` with the corresponding types of request and response objects are introduced
+- [CRI: Add field to support CPU affinity on Windows](https://github.com/kubernetes/kubernetes/pull/124285)
+  - CRI field `affinity_cpus` to `WindowsContainerResources` struct to support CPU affinity on Windows.
+    This field will be used by Windows CPU manager to set the logical processors to affinitize
+    for a particular container down to containerd/hcsshim.
 
-- [pass sandbox resource requirements over CRI](https://github.com/kubernetes/kubernetes/pull/104886)
-  - New fields on `LinuxPodSandboxConfig`: `overhead` and `resources` of type `LinuxContainerResources`.
+### v1.31
 
-- [prevents garbage collection from removing pinned images](https://github.com/kubernetes/kubernetes/pull/103299)
-  - The type `Image` has a new boolean field `pinned`
+`git diff v1.30.0 v1.31.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-### v1.24
+- [KEP-3619: Add NodeStatus.Features.SupplementalGroupsPolicy API and e2e](https://github.com/kubernetes/kubernetes/pull/125470)
+  - Added `features` field to the type `StatusResponse` for the runtime to kubelet handshake on what features are supported
 
-`git diff v1.23.0 v1.24.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [KEP-3619: Fine-grained SupplementalGroups control](https://github.com/kubernetes/kubernetes/pull/117842)
+  - Added `supplemental_groups_policy` field to types `LinuxContainerSecurityContext` and `LinuxSandboxSecurityContext`
+  - Added `user` field to the type `ContainerStatus` to represent actual user for the container 
 
-- [Update CRI-API Capabilities to include a field that allows us to set ambient capabilities](https://github.com/kubernetes/kubernetes/pull/104620)
-  - The type `Capability` has a new string field `add_ambient_capabilities`
+- [[KEP-4639] Add OCI VolumeSource CRI API](https://github.com/kubernetes/kubernetes/pull/125659)
+  - Added `image` field to the type `Mount` to represent the OCI VolumeSource 
 
-- [CRI-API - Add rootfs size to WindowsContainerResources](https://github.com/kubernetes/kubernetes/pull/108894)
-  - The type `WindowsContainerResources` has a new int64 field `rootfs_size_in_bytes`
+### v1.30
 
-### v1.25
+`git diff v1.29.0 v1.30.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-`git diff v1.24.0 v1.25.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [Recursive Read-only (RRO) mounts](https://github.com/kubernetes/kubernetes/pull/123272)
+  - Added RuntimeHandler and RuntimeHandlerFeatures type
+  - Added `recursive_read_only` field to type `Mount`
+  - Added `runtime_handlers` field to type `StatusResponse`
 
+- [Add user_namespaces field to RuntimeHandlerFeatures](https://github.com/kubernetes/kubernetes/pull/123356)
+  - Added `user_namespaces` field to type `RuntimeHandlerFeatures`
 
-- [kubelet: add CRI definitions for user namespaces](https://github.com/kubernetes/kubernetes/pull/110535)
-  - The new type `UserNamespace` introduced to represent user namespaces id mapping
-  - The type `NamespaceOption` has a new field `userns_options` of type `UserNamespace`
+- [Add image_id to CRI Container message](https://github.com/kubernetes/kubernetes/pull/123508)
+  - Added `image_id` field to type `Container`
 
-- [Minimal checkpointing support](https://github.com/kubernetes/kubernetes/pull/104907)
-  - The new method `CheckpointContainer` introduced with the corresponding request and response types
+- [Add image_id to CRI ContainerStatus message](https://github.com/kubernetes/kubernetes/pull/123583)
+  - Added `image_id` field to type `ContainerStatus`
 
-- [Update CRI API to support Evented PLEG](https://github.com/kubernetes/kubernetes/pull/111642)
-  - The new streaming method `GetContainerEvents` is introduced with the corresponding request and response types
+### v1.29
 
-- [CRI changes to support in-place pod resize](https://github.com/kubernetes/kubernetes/pull/111645)
-  - The new type `ContainerResources` is introduced
-  - The type `ContainerStatus` has a new field `resources` of type `ContainerResources`
-  - The semantic of `UpdateContainerResources` updated. The method must be implemented as synchronous and return error on failure
+`git diff v1.28.0 v1.29.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+
+- [Add runtime handler field to ImageSpec struct](https://github.com/kubernetes/kubernetes/pull/121121)
+  - Added `runtime_handler` field to type `ImageSpec`
+
+- [Add container filesystem to the ImageFsInfoResponse](https://github.com/kubernetes/kubernetes/pull/120914)
+  - Added `container_filesystems` field to type `ImageFsInfoResponse`
+
+### v1.28
+
+`git diff v1.27.0 v1.28.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+
+- [cri-api: fix comment lines about PROPAGATION_PRIVATE](https://github.com/kubernetes/kubernetes/pull/115704)
+  - Fixed comment lines about PROPAGATION_PRIVATE
+
+- [Add user specified image to CRI ContainerConfig](https://github.com/kubernetes/kubernetes/pull/118652)
+  - Added the `user_specified_image` field to type `ImageSpec`
+
+- [kubelet: get cgroup driver config from CRI ](https://github.com/kubernetes/kubernetes/pull/118770)
+  - Added rpc for querying runtime configuration
+  - Added cavieats about cgroup driver field
+
+- [Add swap to stats to Summary API and Prometheus endpoints (/stats/summary and /metrics/resource)](https://github.com/kubernetes/kubernetes/pull/118865)
+  - Added `SwapUsage` type
+  - Added `SwapUsage` field to `ContainerStats` type
+
+- [Expose commit memory used in WindowsMemoryUsage struct](https://github.com/kubernetes/kubernetes/pull/119238)
+  - Added the `commit_memory_bytes` field to type `WindowsMemoryUsage`
+
+### v1.27
+
+`git diff v1.26.0 v1.27.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+
+- [CRI: Add CDI device info for containers](https://github.com/kubernetes/kubernetes/pull/115891/)
+  - New type `CDIDevice` was introduced and added to container config
+
+- [Add mappings for volumes](https://github.com/kubernetes/kubernetes/pull/116377)
+  - Added new fields to the type `Mount` expressing runtime UID/GID mappings for the mount.
 
 ### v1.26
 
@@ -146,84 +191,72 @@ No changes
   - The type `ContainerEventResponse` updated: the field `pod_sandbox_metadata` removed and fields `pod_sandbox_status` and `containers_statuses` added.
   - The type `PodSandboxStatusResponse` has a new fields `containers_statuses` and `timestamp`
 
-### v1.27
-
-`git diff v1.26.0 v1.27.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
-
-- [CRI: Add CDI device info for containers](https://github.com/kubernetes/kubernetes/pull/115891/)
-  - New type `CDIDevice` was introduced and added to container config
-
-- [Add mappings for volumes](https://github.com/kubernetes/kubernetes/pull/116377)
-  - Added new fields to the type `Mount` expressing runtime UID/GID mappings for the mount.
+### v1.25
 
-### v1.28
+`git diff v1.24.0 v1.25.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-`git diff v1.27.0 v1.28.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [kubelet: add CRI definitions for user namespaces](https://github.com/kubernetes/kubernetes/pull/110535)
+  - The new type `UserNamespace` introduced to represent user namespaces id mapping
+  - The type `NamespaceOption` has a new field `userns_options` of type `UserNamespace`
 
-- [cri-api: fix comment lines about PROPAGATION_PRIVATE](https://github.com/kubernetes/kubernetes/pull/115704)
-  - Fixed comment lines about PROPAGATION_PRIVATE
+- [Minimal checkpointing support](https://github.com/kubernetes/kubernetes/pull/104907)
+  - The new method `CheckpointContainer` introduced with the corresponding request and response types
 
-- [Add user specified image to CRI ContainerConfig](https://github.com/kubernetes/kubernetes/pull/118652)
-  - Added the `user_specified_image` field to type `ImageSpec`
+- [Update CRI API to support Evented PLEG](https://github.com/kubernetes/kubernetes/pull/111642)
+  - The new streaming method `GetContainerEvents` is introduced with the corresponding request and response types
 
-- [kubelet: get cgroup driver config from CRI ](https://github.com/kubernetes/kubernetes/pull/118770)
-  - Added rpc for querying runtime configuration
-  - Added cavieats about cgroup driver field
+- [CRI changes to support in-place pod resize](https://github.com/kubernetes/kubernetes/pull/111645)
+  - The new type `ContainerResources` is introduced
+  - The type `ContainerStatus` has a new field `resources` of type `ContainerResources`
+  - The semantic of `UpdateContainerResources` updated. The method must be implemented as synchronous and return error on failure
 
-- [Add swap to stats to Summary API and Prometheus endpoints (/stats/summary and /metrics/resource)](https://github.com/kubernetes/kubernetes/pull/118865)
-  - Added `SwapUsage` type
-  - Added `SwapUsage` field to `ContainerStats` type
+### v1.24
 
-- [Expose commit memory used in WindowsMemoryUsage struct](https://github.com/kubernetes/kubernetes/pull/119238)
-  - Added the `commit_memory_bytes` field to type `WindowsMemoryUsage`
+`git diff v1.23.0 v1.24.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-### v1.29
+- [Update CRI-API Capabilities to include a field that allows us to set ambient capabilities](https://github.com/kubernetes/kubernetes/pull/104620)
+  - The type `Capability` has a new string field `add_ambient_capabilities`
 
-`git diff v1.28.0 v1.29.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [CRI-API - Add rootfs size to WindowsContainerResources](https://github.com/kubernetes/kubernetes/pull/108894)
+  - The type `WindowsContainerResources` has a new int64 field `rootfs_size_in_bytes`
 
-- [Add runtime handler field to ImageSpec struct](https://github.com/kubernetes/kubernetes/pull/121121)
-  - Added `runtime_handler` field to type `ImageSpec`
+### v1.23
 
-- [Add container filesystem to the ImageFsInfoResponse](https://github.com/kubernetes/kubernetes/pull/120914)
-  - Added `container_filesystems` field to type `ImageFsInfoResponse`
+`git diff v1.22.0 v1.23.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-### v1.30
+- [CRI: add fields for pod level stats to satisfy the /stats/summary API](https://github.com/kubernetes/kubernetes/pull/102789)
+  - New functions `PodSandboxStats`, `ListPodSandboxStats` with the corresponding types of request and response objects are introduced
 
-`git diff v1.29.0 v1.30.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [pass sandbox resource requirements over CRI](https://github.com/kubernetes/kubernetes/pull/104886)
+  - New fields on `LinuxPodSandboxConfig`: `overhead` and `resources` of type `LinuxContainerResources`.
 
-- [Recursive Read-only (RRO) mounts](https://github.com/kubernetes/kubernetes/pull/123272)
-  - Added RuntimeHandler and RuntimeHandlerFeatures type
-  - Added `recursive_read_only` field to type `Mount`
-  - Added `runtime_handlers` field to type `StatusResponse`
+- [prevents garbage collection from removing pinned images](https://github.com/kubernetes/kubernetes/pull/103299)
+  - The type `Image` has a new boolean field `pinned`
 
-- [Add user_namespaces field to RuntimeHandlerFeatures](https://github.com/kubernetes/kubernetes/pull/123356)
-  - Added `user_namespaces` field to type `RuntimeHandlerFeatures`
+### v1.22
 
-- [Add image_id to CRI Container message](https://github.com/kubernetes/kubernetes/pull/123508)
-  - Added `image_id` field to type `Container`
+`git diff v1.21.0 v1.22.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-- [Add image_id to CRI ContainerStatus message](https://github.com/kubernetes/kubernetes/pull/123583)
-  - Added `image_id` field to type `ContainerStatus`
+- [Windows host process support](https://github.com/kubernetes/kubernetes/pull/99576)
+  - `PodSandboxConfig` has `windows` field  of type `WindowsPodSandboxConfig`
+  - New type `WindowsPodSandboxConfig` introduced
+  - New type `WindowsSandboxSecurityContext` introduced
+  - The type `WindowsContainerSecurityContext` has a new `host_process` boolean field
 
-### v1.31
+- [Feature: add unified on CRI to support cgroup v2](https://github.com/kubernetes/kubernetes/pull/102578)
+  - The type `LinuxContainerResources` has a new field `unified` which is a map of strings
 
-`git diff v1.30.0 v1.31.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+- [Alpha node swap support](https://github.com/kubernetes/kubernetes/pull/102823)
+  - The type `LinuxContainerResources` has a new `memory_swap_limit_in_bytes` int64 field
 
-- [KEP-3619: Add NodeStatus.Features.SupplementalGroupsPolicy API and e2e](https://github.com/kubernetes/kubernetes/pull/125470)
-  - Added `features` field to the type `StatusResponse` for the runtime to kubelet handshake on what features are supported
+### v1.21
 
-- [KEP-3619: Fine-grained SupplementalGroups control](https://github.com/kubernetes/kubernetes/pull/117842)
-  - Added `supplemental_groups_policy` field to types `LinuxContainerSecurityContext` and `LinuxSandboxSecurityContext`
-  - Added `user` field to the type `ContainerStatus` to represent actual user for the container 
+`git diff v1.20.0 v1.21.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-- [[KEP-4639] Add OCI VolumeSource CRI API](https://github.com/kubernetes/kubernetes/pull/125659)
-  - Added `image` field to the type `Mount` to represent the OCI VolumeSource 
+No changes
 
-### v1.32
+### v1.20
 
-`git diff v1.31.0 v1.32.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
+`git diff v1.19.0 v1.20.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
 
-- [CRI: Add field to support CPU affinity on Windows](https://github.com/kubernetes/kubernetes/pull/124285)
-  - CRI field `affinity_cpus` to `WindowsContainerResources` struct to support CPU affinity on Windows.
-    This field will be used by Windows CPU manager to set the logical processors to affinitize
-    for a particular container down to containerd/hcsshim.
+- CRI [v1 introduced](https://github.com/kubernetes/kubernetes/pull/96387)
diff --git a/staging/src/k8s.io/cri-api/go.mod b/staging/src/k8s.io/cri-api/go.mod
index 64f499cc7897a..777a8c101821f 100644
--- a/staging/src/k8s.io/cri-api/go.mod
+++ b/staging/src/k8s.io/cri-api/go.mod
@@ -2,27 +2,29 @@
 
 module k8s.io/cri-api
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/stretchr/testify v1.10.0
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
+	github.com/stretchr/testify v1.11.1
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/staging/src/k8s.io/cri-api/go.sum b/staging/src/k8s.io/cri-api/go.sum
index 7cf36122352b1..5645ab39392f3 100644
--- a/staging/src/k8s.io/cri-api/go.sum
+++ b/staging/src/k8s.io/cri-api/go.sum
@@ -11,8 +11,8 @@ github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -34,46 +34,46 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/staging/src/k8s.io/cri-api/pkg/apis/services.go b/staging/src/k8s.io/cri-api/pkg/apis/services.go
index 58cee8c14c892..2bbd35b2d470e 100644
--- a/staging/src/k8s.io/cri-api/pkg/apis/services.go
+++ b/staging/src/k8s.io/cri-api/pkg/apis/services.go
@@ -123,6 +123,8 @@ type RuntimeService interface {
 	Status(ctx context.Context, verbose bool) (*runtimeapi.StatusResponse, error)
 	// RuntimeConfig returns the configuration information of the runtime.
 	RuntimeConfig(ctx context.Context) (*runtimeapi.RuntimeConfigResponse, error)
+	// Close will shutdown the internal gRPC client connection.
+	Close() error
 }
 
 // ImageManagerService interface should be implemented by a container image
@@ -139,4 +141,6 @@ type ImageManagerService interface {
 	RemoveImage(ctx context.Context, image *runtimeapi.ImageSpec) error
 	// ImageFsInfo returns information of the filesystem(s) used to store the read-only layers and the writeable layer.
 	ImageFsInfo(ctx context.Context) (*runtimeapi.ImageFsInfoResponse, error)
+	// Close will shutdown the internal gRPC client connection.
+	Close() error
 }
diff --git a/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_image_service.go b/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_image_service.go
index f2834a7db2421..b83b57f8cacf2 100644
--- a/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_image_service.go
+++ b/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_image_service.go
@@ -254,3 +254,16 @@ type pulledImage struct {
 	imageSpec  *runtimeapi.ImageSpec
 	authConfig *runtimeapi.AuthConfig
 }
+
+// Close will shutdown the internal gRPC client connection.
+func (r *FakeImageService) Close() error {
+	r.Lock()
+	defer r.Unlock()
+
+	r.Called = append(r.Called, "Close")
+	if err := r.popError("Close"); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_runtime_service.go b/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_runtime_service.go
index 95e45f99a4de2..f4e808d7aa573 100644
--- a/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_runtime_service.go
+++ b/staging/src/k8s.io/cri-api/pkg/apis/testing/fake_runtime_service.go
@@ -808,3 +808,16 @@ func (r *FakeRuntimeService) UpdatePodSandboxResources(context.Context, *runtime
 
 	return &runtimeapi.UpdatePodSandboxResourcesResponse{}, nil
 }
+
+// Close will shutdown the internal gRPC client connection.
+func (r *FakeRuntimeService) Close() error {
+	r.Lock()
+	defer r.Unlock()
+
+	r.Called = append(r.Called, "Close")
+	if err := r.popError("Close"); err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/cri-client/OWNERS b/staging/src/k8s.io/cri-client/OWNERS
index fce6c4db5eac7..dfc88c60fbaa5 100644
--- a/staging/src/k8s.io/cri-client/OWNERS
+++ b/staging/src/k8s.io/cri-client/OWNERS
@@ -16,9 +16,9 @@ filters:
     labels:
       - sig/node
       - area/kubelet
-  # go.{mod,sum} files relate to go dependencies, and should be reviewed by the
-  # dep-approvers
-  "go\\.(mod|sum)$":
+  # go.{mod,sum,work,work.sum} files relate to go dependencies,
+  # and should be reviewed by the dep-approvers
+  "go\\.(mod|sum|work|work\\.sum)$":
     approvers:
       - dep-approvers
     reviewers:
diff --git a/staging/src/k8s.io/cri-client/go.mod b/staging/src/k8s.io/cri-client/go.mod
index 65b812c314f7d..201a8413408fb 100644
--- a/staging/src/k8s.io/cri-client/go.mod
+++ b/staging/src/k8s.io/cri-client/go.mod
@@ -2,26 +2,26 @@
 
 module k8s.io/cri-client
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/fsnotify/fsnotify v1.9.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0
-	go.opentelemetry.io/otel/sdk v1.34.0
-	go.opentelemetry.io/otel/trace v1.35.0
-	golang.org/x/sys v0.36.0
-	google.golang.org/grpc v1.72.1
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
+	golang.org/x/sys v0.38.0
+	google.golang.org/grpc v1.72.2
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/component-base v0.0.0
 	k8s.io/cri-api v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -33,12 +33,11 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
@@ -49,38 +48,38 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/cri-client/go.sum b/staging/src/k8s.io/cri-client/go.sum
index 9c72227e841fd..40221c647afc0 100644
--- a/staging/src/k8s.io/cri-client/go.sum
+++ b/staging/src/k8s.io/cri-client/go.sum
@@ -2,6 +2,7 @@ cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
@@ -37,8 +38,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
@@ -51,8 +52,6 @@ github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
@@ -62,7 +61,7 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -76,8 +75,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -103,29 +100,28 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -135,112 +131,87 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/cri-client/pkg/fake/fake_runtime.go b/staging/src/k8s.io/cri-client/pkg/fake/fake_runtime.go
index c226c8709222a..64e45683bddb4 100644
--- a/staging/src/k8s.io/cri-client/pkg/fake/fake_runtime.go
+++ b/staging/src/k8s.io/cri-client/pkg/fake/fake_runtime.go
@@ -373,3 +373,8 @@ func (f *RemoteRuntime) RuntimeConfig(ctx context.Context, req *kubeapi.RuntimeC
 func (f *RemoteRuntime) UpdatePodSandboxResources(ctx context.Context, req *kubeapi.UpdatePodSandboxResourcesRequest) (*kubeapi.UpdatePodSandboxResourcesResponse, error) {
 	return f.RuntimeService.UpdatePodSandboxResources(ctx, req)
 }
+
+// Close will shutdown the internal gRPC client connection.
+func (f *RemoteRuntime) Close() error {
+	return f.RuntimeService.Close()
+}
diff --git a/staging/src/k8s.io/cri-client/pkg/remote_image.go b/staging/src/k8s.io/cri-client/pkg/remote_image.go
index f441330568988..ca27143a0ee2b 100644
--- a/staging/src/k8s.io/cri-client/pkg/remote_image.go
+++ b/staging/src/k8s.io/cri-client/pkg/remote_image.go
@@ -44,6 +44,7 @@ type remoteImageService struct {
 	timeout     time.Duration
 	imageClient runtimeapi.ImageServiceClient
 	logger      *klog.Logger
+	conn        *grpc.ClientConn
 }
 
 // NewRemoteImageService creates a new internalapi.ImageManagerService.
@@ -94,6 +95,7 @@ func NewRemoteImageService(endpoint string, connectionTimeout time.Duration, tp
 	service := &remoteImageService{
 		timeout: connectionTimeout,
 		logger:  logger,
+		conn:    conn,
 	}
 	if err := service.validateServiceConnection(ctx, conn, endpoint); err != nil {
 		return nil, fmt.Errorf("validate service connection: %w", err)
@@ -103,6 +105,12 @@ func NewRemoteImageService(endpoint string, connectionTimeout time.Duration, tp
 
 }
 
+// Close will shutdown the internal gRPC client connection.
+func (r *remoteImageService) Close() error {
+	r.log(3, "Closing image service connection")
+	return r.conn.Close()
+}
+
 func (r *remoteImageService) log(level int, msg string, keyAndValues ...any) {
 	internal.Log(r.logger, level, msg, keyAndValues...)
 }
diff --git a/staging/src/k8s.io/cri-client/pkg/remote_runtime.go b/staging/src/k8s.io/cri-client/pkg/remote_runtime.go
index 7fcaf43496801..6afa04f2c86f6 100644
--- a/staging/src/k8s.io/cri-client/pkg/remote_runtime.go
+++ b/staging/src/k8s.io/cri-client/pkg/remote_runtime.go
@@ -50,6 +50,7 @@ type remoteRuntimeService struct {
 	// Cache last per-container error message to reduce log spam
 	logReduction *logreduction.LogReduction
 	logger       *klog.Logger
+	conn         *grpc.ClientConn
 }
 
 const (
@@ -127,6 +128,7 @@ func NewRemoteRuntimeService(endpoint string, connectionTimeout time.Duration, t
 		timeout:      connectionTimeout,
 		logReduction: logreduction.NewLogReduction(identicalErrorDelay),
 		logger:       logger,
+		conn:         conn,
 	}
 
 	if err := service.validateServiceConnection(ctx, conn, endpoint); err != nil {
@@ -136,6 +138,12 @@ func NewRemoteRuntimeService(endpoint string, connectionTimeout time.Duration, t
 	return service, nil
 }
 
+// Close will shutdown the internal gRPC client connection.
+func (r *remoteRuntimeService) Close() error {
+	r.log(3, "Closing runtime service connection")
+	return r.conn.Close()
+}
+
 func (r *remoteRuntimeService) log(level int, msg string, keyAndValues ...any) {
 	internal.Log(r.logger, level, msg, keyAndValues...)
 }
diff --git a/staging/src/k8s.io/csi-translation-lib/go.mod b/staging/src/k8s.io/csi-translation-lib/go.mod
index 72487ad4b86c8..1c2e1788e5a38 100644
--- a/staging/src/k8s.io/csi-translation-lib/go.mod
+++ b/staging/src/k8s.io/csi-translation-lib/go.mod
@@ -2,12 +2,12 @@
 
 module k8s.io/csi-translation-lib
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/klog/v2 v2.130.1
@@ -16,8 +16,7 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -25,19 +24,20 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 )
diff --git a/staging/src/k8s.io/csi-translation-lib/go.sum b/staging/src/k8s.io/csi-translation-lib/go.sum
index 865d2ee2c66ab..317f863d3a763 100644
--- a/staging/src/k8s.io/csi-translation-lib/go.sum
+++ b/staging/src/k8s.io/csi-translation-lib/go.sum
@@ -1,29 +1,29 @@
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -36,81 +36,58 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/type_test.go b/staging/src/k8s.io/dynamic-resource-allocation/api/type_test.go
new file mode 100644
index 0000000000000..6e41bcab604aa
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/type_test.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+)
+
+var slice = ResourceSlice{
+	TypeMeta: metav1.TypeMeta{
+		Kind: "ResourceSlice",
+	},
+	ObjectMeta: metav1.ObjectMeta{
+		Name: "slice",
+	},
+	Spec: ResourceSliceSpec{
+		Driver: MakeUniqueString("driver-name"),
+		Devices: []Device{{
+			Name: MakeUniqueString("device-name"),
+		}},
+	},
+}
+
+func TestKlog(t *testing.T) {
+	t.Logf("slice:\n%s", klog.Format(slice))
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/types.go b/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
index b73cf0a53fa4a..1d26a81e019bc 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
@@ -19,30 +19,38 @@ package api
 import (
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// JSON tags exist to make the output more readable (klog, diff.Diff).
+// They are intentionally not compatible with the normal encoding
+// of a ResourceSlice to avoid accidentally using them with an apiserver
+// request:
+// - TypeMeta does not get encoded.
+// - Fields from this package use upper case whereas types from the
+//   real API use lower case.
+
 type ResourceSlice struct {
-	metav1.TypeMeta
+	metav1.TypeMeta `json:"-"` // Not needed, not set consistently.
 	metav1.ObjectMeta
+
 	Spec ResourceSliceSpec
 }
 
 type ResourceSliceSpec struct {
 	Driver                 UniqueString
 	Pool                   ResourcePool
-	NodeName               *string
-	NodeSelector           *v1.NodeSelector
-	AllNodes               bool
-	Devices                []Device
-	PerDeviceNodeSelection *bool
-	SharedCounters         []CounterSet
+	NodeName               *string          `json:",omitempty"`
+	NodeSelector           *v1.NodeSelector `json:",omitempty"`
+	AllNodes               bool             `json:",omitempty"`
+	Devices                []Device         `json:",omitempty"`
+	PerDeviceNodeSelection *bool            `json:",omitempty"`
+	SharedCounters         []CounterSet     `json:",omitempty"`
 }
 
 type CounterSet struct {
 	Name     UniqueString
-	Counters map[string]Counter
+	Counters map[string]resourceapi.Counter `json:",omitempty"`
 }
 
 type ResourcePool struct {
@@ -50,69 +58,23 @@ type ResourcePool struct {
 	Generation         int64
 	ResourceSliceCount int64
 }
+
 type Device struct {
 	Name                     UniqueString
-	Attributes               map[QualifiedName]DeviceAttribute
-	Capacity                 map[QualifiedName]DeviceCapacity
-	ConsumesCounters         []DeviceCounterConsumption
-	NodeName                 *string
-	NodeSelector             *v1.NodeSelector
-	AllNodes                 *bool
-	Taints                   []resourceapi.DeviceTaint
-	BindsToNode              bool
-	BindingConditions        []string
-	BindingFailureConditions []string
-	AllowMultipleAllocations *bool
+	Attributes               map[resourceapi.QualifiedName]resourceapi.DeviceAttribute `json:",omitempty"`
+	Capacity                 map[resourceapi.QualifiedName]resourceapi.DeviceCapacity  `json:",omitempty"`
+	ConsumesCounters         []DeviceCounterConsumption                                `json:",omitempty"`
+	NodeName                 *string                                                   `json:",omitempty"`
+	NodeSelector             *v1.NodeSelector                                          `json:",omitempty"`
+	AllNodes                 *bool                                                     `json:",omitempty"`
+	Taints                   []resourceapi.DeviceTaint                                 `json:",omitempty"`
+	BindsToNode              bool                                                      `json:",omitempty"`
+	BindingConditions        []string                                                  `json:",omitempty"`
+	BindingFailureConditions []string                                                  `json:",omitempty"`
+	AllowMultipleAllocations *bool                                                     `json:",omitempty"`
 }
 
 type DeviceCounterConsumption struct {
 	CounterSet UniqueString
-	Counters   map[string]Counter
-}
-
-type QualifiedName string
-
-type FullyQualifiedName string
-
-type DeviceAttribute struct {
-	IntValue     *int64
-	BoolValue    *bool
-	StringValue  *string
-	VersionValue *string
-}
-
-type DeviceCapacity struct {
-	Value         resource.Quantity
-	RequestPolicy *CapacityRequestPolicy
-}
-
-type CapacityRequestPolicy struct {
-	Default     *resource.Quantity
-	ValidValues []resource.Quantity
-	ValidRange  *CapacityRequestPolicyRange
+	Counters   map[string]resourceapi.Counter `json:",omitempty"`
 }
-
-type CapacityRequestPolicyRange struct {
-	Min  *resource.Quantity
-	Max  *resource.Quantity
-	Step *resource.Quantity
-}
-
-type Counter struct {
-	Value resource.Quantity
-}
-
-type DeviceTaint struct {
-	Key       string
-	Value     string
-	Effect    DeviceTaintEffect
-	TimeAdded *metav1.Time
-}
-
-type DeviceTaintEffect string
-
-const (
-	DeviceTaintEffectNoSchedule DeviceTaintEffect = "NoSchedule"
-
-	DeviceTaintEffectNoExecute DeviceTaintEffect = "NoExecute"
-)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/uniquestring.go b/staging/src/k8s.io/dynamic-resource-allocation/api/uniquestring.go
index 34d413743ac86..46547d34e7bc3 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/api/uniquestring.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/uniquestring.go
@@ -17,6 +17,7 @@ limitations under the License.
 package api
 
 import (
+	"encoding/json"
 	"unique"
 )
 
@@ -35,6 +36,17 @@ func (us UniqueString) String() string {
 	return unique.Handle[string](us).Value()
 }
 
+// MarshalJSON is primarily useful for pretty-printing as JSON or YAML.
+func (us UniqueString) MarshalJSON() ([]byte, error) {
+	return json.Marshal(us.String())
+}
+
+// MarshalText allows UniqueString to be used as the key in maps
+// without causing problems for logging.
+func (us UniqueString) MarshalText() ([]byte, error) {
+	return []byte(us.String()), nil
+}
+
 // MakeUniqueString constructs a new unique string.
 func MakeUniqueString(str string) UniqueString {
 	return UniqueString(unique.Make(str))
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go b/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
index 7c356fdf51731..cac65c36c31a3 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
@@ -26,7 +26,6 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/resource/v1"
-	resource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -39,36 +38,6 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
-	if err := s.AddGeneratedConversionFunc((*CapacityRequestPolicy)(nil), (*v1.CapacityRequestPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_CapacityRequestPolicy_To_v1_CapacityRequestPolicy(a.(*CapacityRequestPolicy), b.(*v1.CapacityRequestPolicy), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.CapacityRequestPolicy)(nil), (*CapacityRequestPolicy)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_CapacityRequestPolicy_To_api_CapacityRequestPolicy(a.(*v1.CapacityRequestPolicy), b.(*CapacityRequestPolicy), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*CapacityRequestPolicyRange)(nil), (*v1.CapacityRequestPolicyRange)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_CapacityRequestPolicyRange_To_v1_CapacityRequestPolicyRange(a.(*CapacityRequestPolicyRange), b.(*v1.CapacityRequestPolicyRange), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.CapacityRequestPolicyRange)(nil), (*CapacityRequestPolicyRange)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_CapacityRequestPolicyRange_To_api_CapacityRequestPolicyRange(a.(*v1.CapacityRequestPolicyRange), b.(*CapacityRequestPolicyRange), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*Counter)(nil), (*v1.Counter)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_Counter_To_v1_Counter(a.(*Counter), b.(*v1.Counter), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.Counter)(nil), (*Counter)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_Counter_To_api_Counter(a.(*v1.Counter), b.(*Counter), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*CounterSet)(nil), (*v1.CounterSet)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_api_CounterSet_To_v1_CounterSet(a.(*CounterSet), b.(*v1.CounterSet), scope)
 	}); err != nil {
@@ -89,26 +58,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*DeviceAttribute)(nil), (*v1.DeviceAttribute)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_DeviceAttribute_To_v1_DeviceAttribute(a.(*DeviceAttribute), b.(*v1.DeviceAttribute), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.DeviceAttribute)(nil), (*DeviceAttribute)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_DeviceAttribute_To_api_DeviceAttribute(a.(*v1.DeviceAttribute), b.(*DeviceAttribute), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*DeviceCapacity)(nil), (*v1.DeviceCapacity)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_DeviceCapacity_To_v1_DeviceCapacity(a.(*DeviceCapacity), b.(*v1.DeviceCapacity), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.DeviceCapacity)(nil), (*DeviceCapacity)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_DeviceCapacity_To_api_DeviceCapacity(a.(*v1.DeviceCapacity), b.(*DeviceCapacity), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*DeviceCounterConsumption)(nil), (*v1.DeviceCounterConsumption)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_api_DeviceCounterConsumption_To_v1_DeviceCounterConsumption(a.(*DeviceCounterConsumption), b.(*v1.DeviceCounterConsumption), scope)
 	}); err != nil {
@@ -119,16 +68,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*DeviceTaint)(nil), (*v1.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_api_DeviceTaint_To_v1_DeviceTaint(a.(*DeviceTaint), b.(*v1.DeviceTaint), scope)
-	}); err != nil {
-		return err
-	}
-	if err := s.AddGeneratedConversionFunc((*v1.DeviceTaint)(nil), (*DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_DeviceTaint_To_api_DeviceTaint(a.(*v1.DeviceTaint), b.(*DeviceTaint), scope)
-	}); err != nil {
-		return err
-	}
 	if err := s.AddGeneratedConversionFunc((*ResourcePool)(nil), (*v1.ResourcePool)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_api_ResourcePool_To_v1_ResourcePool(a.(*ResourcePool), b.(*v1.ResourcePool), scope)
 	}); err != nil {
@@ -172,74 +111,6 @@ func RegisterConversions(s *runtime.Scheme) error {
 	return nil
 }
 
-func autoConvert_api_CapacityRequestPolicy_To_v1_CapacityRequestPolicy(in *CapacityRequestPolicy, out *v1.CapacityRequestPolicy, s conversion.Scope) error {
-	out.Default = (*resource.Quantity)(unsafe.Pointer(in.Default))
-	out.ValidValues = *(*[]resource.Quantity)(unsafe.Pointer(&in.ValidValues))
-	out.ValidRange = (*v1.CapacityRequestPolicyRange)(unsafe.Pointer(in.ValidRange))
-	return nil
-}
-
-// Convert_api_CapacityRequestPolicy_To_v1_CapacityRequestPolicy is an autogenerated conversion function.
-func Convert_api_CapacityRequestPolicy_To_v1_CapacityRequestPolicy(in *CapacityRequestPolicy, out *v1.CapacityRequestPolicy, s conversion.Scope) error {
-	return autoConvert_api_CapacityRequestPolicy_To_v1_CapacityRequestPolicy(in, out, s)
-}
-
-func autoConvert_v1_CapacityRequestPolicy_To_api_CapacityRequestPolicy(in *v1.CapacityRequestPolicy, out *CapacityRequestPolicy, s conversion.Scope) error {
-	out.Default = (*resource.Quantity)(unsafe.Pointer(in.Default))
-	out.ValidValues = *(*[]resource.Quantity)(unsafe.Pointer(&in.ValidValues))
-	out.ValidRange = (*CapacityRequestPolicyRange)(unsafe.Pointer(in.ValidRange))
-	return nil
-}
-
-// Convert_v1_CapacityRequestPolicy_To_api_CapacityRequestPolicy is an autogenerated conversion function.
-func Convert_v1_CapacityRequestPolicy_To_api_CapacityRequestPolicy(in *v1.CapacityRequestPolicy, out *CapacityRequestPolicy, s conversion.Scope) error {
-	return autoConvert_v1_CapacityRequestPolicy_To_api_CapacityRequestPolicy(in, out, s)
-}
-
-func autoConvert_api_CapacityRequestPolicyRange_To_v1_CapacityRequestPolicyRange(in *CapacityRequestPolicyRange, out *v1.CapacityRequestPolicyRange, s conversion.Scope) error {
-	out.Min = (*resource.Quantity)(unsafe.Pointer(in.Min))
-	out.Max = (*resource.Quantity)(unsafe.Pointer(in.Max))
-	out.Step = (*resource.Quantity)(unsafe.Pointer(in.Step))
-	return nil
-}
-
-// Convert_api_CapacityRequestPolicyRange_To_v1_CapacityRequestPolicyRange is an autogenerated conversion function.
-func Convert_api_CapacityRequestPolicyRange_To_v1_CapacityRequestPolicyRange(in *CapacityRequestPolicyRange, out *v1.CapacityRequestPolicyRange, s conversion.Scope) error {
-	return autoConvert_api_CapacityRequestPolicyRange_To_v1_CapacityRequestPolicyRange(in, out, s)
-}
-
-func autoConvert_v1_CapacityRequestPolicyRange_To_api_CapacityRequestPolicyRange(in *v1.CapacityRequestPolicyRange, out *CapacityRequestPolicyRange, s conversion.Scope) error {
-	out.Min = (*resource.Quantity)(unsafe.Pointer(in.Min))
-	out.Max = (*resource.Quantity)(unsafe.Pointer(in.Max))
-	out.Step = (*resource.Quantity)(unsafe.Pointer(in.Step))
-	return nil
-}
-
-// Convert_v1_CapacityRequestPolicyRange_To_api_CapacityRequestPolicyRange is an autogenerated conversion function.
-func Convert_v1_CapacityRequestPolicyRange_To_api_CapacityRequestPolicyRange(in *v1.CapacityRequestPolicyRange, out *CapacityRequestPolicyRange, s conversion.Scope) error {
-	return autoConvert_v1_CapacityRequestPolicyRange_To_api_CapacityRequestPolicyRange(in, out, s)
-}
-
-func autoConvert_api_Counter_To_v1_Counter(in *Counter, out *v1.Counter, s conversion.Scope) error {
-	out.Value = in.Value
-	return nil
-}
-
-// Convert_api_Counter_To_v1_Counter is an autogenerated conversion function.
-func Convert_api_Counter_To_v1_Counter(in *Counter, out *v1.Counter, s conversion.Scope) error {
-	return autoConvert_api_Counter_To_v1_Counter(in, out, s)
-}
-
-func autoConvert_v1_Counter_To_api_Counter(in *v1.Counter, out *Counter, s conversion.Scope) error {
-	out.Value = in.Value
-	return nil
-}
-
-// Convert_v1_Counter_To_api_Counter is an autogenerated conversion function.
-func Convert_v1_Counter_To_api_Counter(in *v1.Counter, out *Counter, s conversion.Scope) error {
-	return autoConvert_v1_Counter_To_api_Counter(in, out, s)
-}
-
 func autoConvert_api_CounterSet_To_v1_CounterSet(in *CounterSet, out *v1.CounterSet, s conversion.Scope) error {
 	if err := Convert_api_UniqueString_To_string(&in.Name, &out.Name, s); err != nil {
 		return err
@@ -257,7 +128,7 @@ func autoConvert_v1_CounterSet_To_api_CounterSet(in *v1.CounterSet, out *Counter
 	if err := Convert_string_To_api_UniqueString(&in.Name, &out.Name, s); err != nil {
 		return err
 	}
-	out.Counters = *(*map[string]Counter)(unsafe.Pointer(&in.Counters))
+	out.Counters = *(*map[string]v1.Counter)(unsafe.Pointer(&in.Counters))
 	return nil
 }
 
@@ -305,8 +176,8 @@ func autoConvert_v1_Device_To_api_Device(in *v1.Device, out *Device, s conversio
 	if err := Convert_string_To_api_UniqueString(&in.Name, &out.Name, s); err != nil {
 		return err
 	}
-	out.Attributes = *(*map[QualifiedName]DeviceAttribute)(unsafe.Pointer(&in.Attributes))
-	out.Capacity = *(*map[QualifiedName]DeviceCapacity)(unsafe.Pointer(&in.Capacity))
+	out.Attributes = *(*map[v1.QualifiedName]v1.DeviceAttribute)(unsafe.Pointer(&in.Attributes))
+	out.Capacity = *(*map[v1.QualifiedName]v1.DeviceCapacity)(unsafe.Pointer(&in.Capacity))
 	if in.ConsumesCounters != nil {
 		in, out := &in.ConsumesCounters, &out.ConsumesCounters
 		*out = make([]DeviceCounterConsumption, len(*in))
@@ -336,54 +207,6 @@ func Convert_v1_Device_To_api_Device(in *v1.Device, out *Device, s conversion.Sc
 	return autoConvert_v1_Device_To_api_Device(in, out, s)
 }
 
-func autoConvert_api_DeviceAttribute_To_v1_DeviceAttribute(in *DeviceAttribute, out *v1.DeviceAttribute, s conversion.Scope) error {
-	out.IntValue = (*int64)(unsafe.Pointer(in.IntValue))
-	out.BoolValue = (*bool)(unsafe.Pointer(in.BoolValue))
-	out.StringValue = (*string)(unsafe.Pointer(in.StringValue))
-	out.VersionValue = (*string)(unsafe.Pointer(in.VersionValue))
-	return nil
-}
-
-// Convert_api_DeviceAttribute_To_v1_DeviceAttribute is an autogenerated conversion function.
-func Convert_api_DeviceAttribute_To_v1_DeviceAttribute(in *DeviceAttribute, out *v1.DeviceAttribute, s conversion.Scope) error {
-	return autoConvert_api_DeviceAttribute_To_v1_DeviceAttribute(in, out, s)
-}
-
-func autoConvert_v1_DeviceAttribute_To_api_DeviceAttribute(in *v1.DeviceAttribute, out *DeviceAttribute, s conversion.Scope) error {
-	out.IntValue = (*int64)(unsafe.Pointer(in.IntValue))
-	out.BoolValue = (*bool)(unsafe.Pointer(in.BoolValue))
-	out.StringValue = (*string)(unsafe.Pointer(in.StringValue))
-	out.VersionValue = (*string)(unsafe.Pointer(in.VersionValue))
-	return nil
-}
-
-// Convert_v1_DeviceAttribute_To_api_DeviceAttribute is an autogenerated conversion function.
-func Convert_v1_DeviceAttribute_To_api_DeviceAttribute(in *v1.DeviceAttribute, out *DeviceAttribute, s conversion.Scope) error {
-	return autoConvert_v1_DeviceAttribute_To_api_DeviceAttribute(in, out, s)
-}
-
-func autoConvert_api_DeviceCapacity_To_v1_DeviceCapacity(in *DeviceCapacity, out *v1.DeviceCapacity, s conversion.Scope) error {
-	out.Value = in.Value
-	out.RequestPolicy = (*v1.CapacityRequestPolicy)(unsafe.Pointer(in.RequestPolicy))
-	return nil
-}
-
-// Convert_api_DeviceCapacity_To_v1_DeviceCapacity is an autogenerated conversion function.
-func Convert_api_DeviceCapacity_To_v1_DeviceCapacity(in *DeviceCapacity, out *v1.DeviceCapacity, s conversion.Scope) error {
-	return autoConvert_api_DeviceCapacity_To_v1_DeviceCapacity(in, out, s)
-}
-
-func autoConvert_v1_DeviceCapacity_To_api_DeviceCapacity(in *v1.DeviceCapacity, out *DeviceCapacity, s conversion.Scope) error {
-	out.Value = in.Value
-	out.RequestPolicy = (*CapacityRequestPolicy)(unsafe.Pointer(in.RequestPolicy))
-	return nil
-}
-
-// Convert_v1_DeviceCapacity_To_api_DeviceCapacity is an autogenerated conversion function.
-func Convert_v1_DeviceCapacity_To_api_DeviceCapacity(in *v1.DeviceCapacity, out *DeviceCapacity, s conversion.Scope) error {
-	return autoConvert_v1_DeviceCapacity_To_api_DeviceCapacity(in, out, s)
-}
-
 func autoConvert_api_DeviceCounterConsumption_To_v1_DeviceCounterConsumption(in *DeviceCounterConsumption, out *v1.DeviceCounterConsumption, s conversion.Scope) error {
 	if err := Convert_api_UniqueString_To_string(&in.CounterSet, &out.CounterSet, s); err != nil {
 		return err
@@ -401,7 +224,7 @@ func autoConvert_v1_DeviceCounterConsumption_To_api_DeviceCounterConsumption(in
 	if err := Convert_string_To_api_UniqueString(&in.CounterSet, &out.CounterSet, s); err != nil {
 		return err
 	}
-	out.Counters = *(*map[string]Counter)(unsafe.Pointer(&in.Counters))
+	out.Counters = *(*map[string]v1.Counter)(unsafe.Pointer(&in.Counters))
 	return nil
 }
 
@@ -410,32 +233,6 @@ func Convert_v1_DeviceCounterConsumption_To_api_DeviceCounterConsumption(in *v1.
 	return autoConvert_v1_DeviceCounterConsumption_To_api_DeviceCounterConsumption(in, out, s)
 }
 
-func autoConvert_api_DeviceTaint_To_v1_DeviceTaint(in *DeviceTaint, out *v1.DeviceTaint, s conversion.Scope) error {
-	out.Key = in.Key
-	out.Value = in.Value
-	out.Effect = v1.DeviceTaintEffect(in.Effect)
-	out.TimeAdded = (*metav1.Time)(unsafe.Pointer(in.TimeAdded))
-	return nil
-}
-
-// Convert_api_DeviceTaint_To_v1_DeviceTaint is an autogenerated conversion function.
-func Convert_api_DeviceTaint_To_v1_DeviceTaint(in *DeviceTaint, out *v1.DeviceTaint, s conversion.Scope) error {
-	return autoConvert_api_DeviceTaint_To_v1_DeviceTaint(in, out, s)
-}
-
-func autoConvert_v1_DeviceTaint_To_api_DeviceTaint(in *v1.DeviceTaint, out *DeviceTaint, s conversion.Scope) error {
-	out.Key = in.Key
-	out.Value = in.Value
-	out.Effect = DeviceTaintEffect(in.Effect)
-	out.TimeAdded = (*metav1.Time)(unsafe.Pointer(in.TimeAdded))
-	return nil
-}
-
-// Convert_v1_DeviceTaint_To_api_DeviceTaint is an autogenerated conversion function.
-func Convert_v1_DeviceTaint_To_api_DeviceTaint(in *v1.DeviceTaint, out *DeviceTaint, s conversion.Scope) error {
-	return autoConvert_v1_DeviceTaint_To_api_DeviceTaint(in, out, s)
-}
-
 func autoConvert_api_ResourcePool_To_v1_ResourcePool(in *ResourcePool, out *v1.ResourcePool, s conversion.Scope) error {
 	if err := Convert_api_UniqueString_To_string(&in.Name, &out.Name, s); err != nil {
 		return err
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/cel/compile.go b/staging/src/k8s.io/dynamic-resource-allocation/cel/compile.go
index 938188c73e314..7d34a4a17f5cd 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/cel/compile.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/cel/compile.go
@@ -300,7 +300,7 @@ func (c CompilationResult) DeviceMatches(ctx context.Context, input Device) (boo
 }
 
 func newCompiler(features Features) *compiler {
-	envset := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true /* strictCost */)
+	envset := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion())
 	field := func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField {
 		return apiservercel.NewDeclField(name, declType, required, nil, nil)
 	}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/client/client.go b/staging/src/k8s.io/dynamic-resource-allocation/client/client.go
index 9a02424b0adda..43676d5d258d6 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/client/client.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/client/client.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	cgoresource "k8s.io/client-go/kubernetes/typed/resource/v1"
 	rest "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/watchlist"
 )
 
 // Enumerate all supported APIs, most preferred first.
@@ -102,3 +103,14 @@ func (c *Client) ResourceSlices() cgoresource.ResourceSliceInterface {
 		c.clientSet.ResourceV1beta2().ResourceSlices(),
 	)
 }
+
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Client) IsWatchListSemanticsUnSupported() bool {
+	return watchlist.DoesClientNotSupportWatchListSemantics(c.clientSet)
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/client/client_test.go b/staging/src/k8s.io/dynamic-resource-allocation/client/client_test.go
new file mode 100644
index 0000000000000..c8ec55ecdb237
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/client/client_test.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"testing"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/watchlist"
+)
+
+func TestDoesClientSupportWatchListSemantics(t *testing.T) {
+	scenarios := []struct {
+		name                                           string
+		clientSet                                      kubernetes.Interface
+		expectedDoesClientNotSupportWatchListSemantics bool
+	}{
+		{
+			name:      "DR with real kube client supports WatchList semantics",
+			clientSet: kubernetes.NewForConfigOrDie(&restclient.Config{}),
+			expectedDoesClientNotSupportWatchListSemantics: false,
+		},
+		{
+			name:      "DR with fake kube client does NOT support WatchList semantics",
+			clientSet: fake.NewClientset(),
+			expectedDoesClientNotSupportWatchListSemantics: true,
+		},
+	}
+
+	for _, scenario := range scenarios {
+		t.Run(scenario.name, func(t *testing.T) {
+			target := New(scenario.clientSet)
+			actual := watchlist.DoesClientNotSupportWatchListSemantics(target)
+			if actual != scenario.expectedDoesClientNotSupportWatchListSemantics {
+				t.Fatalf("watchlist.DoesClientNotSupportWatchListSemantics, got: %v, want: %v", actual, scenario.expectedDoesClientNotSupportWatchListSemantics)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux.go b/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux.go
index b13c687b57de3..bed59d52a34d4 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux.go
@@ -68,12 +68,12 @@ func GetPCIeRootAttributeByPCIBusID(pciBusID string) (DeviceAttribute, error) {
 // But, fortunately, /sys/bus/pci/devices/<address> is a symlink to the actual device path in /sys/devices.
 // So we can resolve the actual device path by reading the symlink at /sys/bus/pci/devices/<address>.
 //
-// For example, if the PCIAddress is "0000:00:1f.0",
-// /sys/bus/pci/devices/0000:00:1f.0 points to
-// /sys/devices/pci0000:01/...<intermediate PCI devices>.../0000:00:1f.0,
-// where "pci0000:01" is the PCIe Root.
+// For example, if the PCIAddress is "0000:04:1f.0",
+// /sys/bus/pci/devices/0000:04:1f.0 points to
+// /sys/devices/pci0000:00/...<intermediate PCI devices>.../0000:04:1f.0,
+// where "pci0000:00" is the PCIe Root.
 func resolvePCIeRoot(pciBusID string) (string, error) {
-	// e.g. /sys/bus/pci/devices/0000:00:1f.0
+	// e.g. /sys/bus/pci/devices/0000:04:1f.0
 	sysBusPath := sysfs.bus(filepath.Join("pci", "devices", pciBusID))
 
 	target, err := os.Readlink(sysBusPath)
@@ -86,7 +86,7 @@ func resolvePCIeRoot(pciBusID string) (string, error) {
 		target = filepath.Join(filepath.Dir(sysBusPath), target)
 	}
 
-	// targetAbs must be /sys/devices/pci0000:01/...<intermediate PCI devices>.../0000:00:1f.0
+	// targetAbs must be /sys/devices/pci0000:00/...<intermediate PCI devices>.../0000:04:1f.0
 	devicePathPrefix := sysfs.devices("pci")
 	if !strings.HasPrefix(target, devicePathPrefix) {
 		return "", fmt.Errorf("symlink target for PCI Bus ID %s is invalid: it must start with %s: %s", pciBusID, devicePathPrefix, target)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux_test.go b/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux_test.go
index 8a49be7e1cf0f..d3fdf3ed15998 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux_test.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/deviceattribute/pci_linux_test.go
@@ -29,9 +29,10 @@ import (
 	resourceapi "k8s.io/api/resource/v1"
 )
 
-func TestGetPCIeRootBAttributeyPCIBusID(t *testing.T) {
-	pciBusID := "0000:01:02.3"
-	pcieRoot := "pci0000:01"
+func TestGetPCIeRootAttributePCIBusID(t *testing.T) {
+	pcieRoot := "pci0000:00"
+	intermediateBusID := "0000:01:00.0"
+	pciBusID := "0000:02:00.0"
 	expectedAttribute := DeviceAttribute{
 		Name:  StandardDeviceAttributePCIeRoot,
 		Value: resourceapi.DeviceAttribute{StringValue: ptr.To(pcieRoot)},
@@ -46,7 +47,7 @@ func TestGetPCIeRootBAttributeyPCIBusID(t *testing.T) {
 	}{
 		"valid": {
 			mockSysfsSetup: func(t *testing.T, mockSysfs sysfsPath) {
-				devicePath := mockSysfs.devices(filepath.Join(pcieRoot, "0000:00:13.1", pciBusID))
+				devicePath := mockSysfs.devices(filepath.Join(pcieRoot, intermediateBusID, pciBusID))
 				touchFile(t, devicePath)
 				busPath := mockSysfs.bus(filepath.Join("pci", "devices", pciBusID))
 				createSymlink(t, devicePath, busPath)
@@ -75,7 +76,7 @@ func TestGetPCIeRootBAttributeyPCIBusID(t *testing.T) {
 		},
 		"invalid symlink (invalid prefix)": {
 			mockSysfsSetup: func(t *testing.T, mockSysfs sysfsPath) {
-				devicePath := mockSysfs.devices(filepath.Join("invalid-pci-root", "0000:00:13.1", pciBusID))
+				devicePath := mockSysfs.devices(filepath.Join("invalid-pci-root", intermediateBusID, pciBusID))
 				touchFile(t, devicePath)
 				busPath := mockSysfs.bus(filepath.Join("pci", "devices", pciBusID))
 				createSymlink(t, devicePath, busPath)
@@ -87,7 +88,7 @@ func TestGetPCIeRootBAttributeyPCIBusID(t *testing.T) {
 		},
 		"invalid symlink (invalid suffix)": {
 			mockSysfsSetup: func(t *testing.T, mockSysfs sysfsPath) {
-				devicePath := mockSysfs.devices(filepath.Join(pcieRoot, "0000:00:13.1", "0000:01:02.4")) // different PCI Bus ID
+				devicePath := mockSysfs.devices(filepath.Join(pcieRoot, intermediateBusID, "0000:00:13.1")) // different PCI Bus ID
 				touchFile(t, devicePath)
 				busPath := mockSysfs.bus(filepath.Join("pci", "devices", pciBusID))
 				createSymlink(t, devicePath, busPath)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache.go b/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache.go
new file mode 100644
index 0000000000000..f70124fd343ce
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache.go
@@ -0,0 +1,247 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package extendedresourcecache
+
+import (
+	"cmp"
+	"fmt"
+	"sync"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/tools/cache"
+	klog "k8s.io/klog/v2"
+)
+
+// ExtendedResourceCache maintains a global cache of extended resource to device class mappings,
+// based on informer events. For that it implements the cache.ResourceEventHandler interface.
+type ExtendedResourceCache struct {
+	logger   klog.Logger
+	handlers []cache.ResourceEventHandler
+
+	mutex sync.RWMutex
+	// resourceName2class maps extended resource name to device class
+	resourceName2class map[v1.ResourceName]*resourceapi.DeviceClass
+	// class2ResourceName maps device class name to extended resource name
+	class2ResourceName map[string]string
+}
+
+var _ cache.ResourceEventHandler = &ExtendedResourceCache{}
+
+// NewExtendedResourceCache creates a new ExtendedResourceCache instance. The caller
+// is responsible for registering the instance as a handler of DeviceClass events.
+//
+// Additional event handlers may be registered here or via AddEventHandler.
+func NewExtendedResourceCache(logger klog.Logger, handlers ...cache.ResourceEventHandler) *ExtendedResourceCache {
+	cache := &ExtendedResourceCache{
+		logger:             logger,
+		handlers:           handlers,
+		resourceName2class: make(map[v1.ResourceName]*resourceapi.DeviceClass),
+		class2ResourceName: make(map[string]string),
+	}
+
+	return cache
+}
+
+// AddEventHandler adds an event handler which gets called after the cache
+// has processed some incoming event. More than one additional event handler
+// may be added. They will be called in the order in which they were registered.
+// GetDeviceClass may be called from those event handlers.
+//
+// Not thread-safe, must be called *before* adding the cache itself to an
+// informer.
+func (c *ExtendedResourceCache) AddEventHandler(handler cache.ResourceEventHandler) {
+	c.handlers = append(c.handlers, handler)
+}
+
+// GetDeviceClass returns the device class for the given extended resource name.
+// Returns nil if the resource name is not found in the cache.
+//
+// This (and only this) method may be called on a nil ExtendedResourceCache. The nil
+// instance always returns nil.
+func (c *ExtendedResourceCache) GetDeviceClass(resourceName v1.ResourceName) *resourceapi.DeviceClass {
+	if c == nil {
+		return nil
+	}
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+	return c.resourceName2class[resourceName]
+}
+
+// GetExtendedResource returns the extended resource name for the given device class name.
+// Returns empty string if the class name is not found in the cache.
+func (c *ExtendedResourceCache) GetExtendedResource(className string) string {
+	if c == nil {
+		return ""
+	}
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+
+	return c.class2ResourceName[className]
+}
+
+// OnAdd handles the addition of a new device class.
+func (c *ExtendedResourceCache) OnAdd(obj interface{}, isInInitialList bool) {
+	deviceClass, ok := obj.(*resourceapi.DeviceClass)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(c.logger, nil, "Expected DeviceClass", "actual", fmt.Sprintf("%T", obj))
+		return
+	}
+	c.updateResourceName2class(deviceClass, nil)
+	c.updateClass2ResourceName(deviceClass)
+
+	for _, handler := range c.handlers {
+		handler.OnAdd(obj, isInInitialList)
+	}
+}
+
+// OnUpdate handles updates to an existing device class.
+func (c *ExtendedResourceCache) OnUpdate(oldObj, newObj interface{}) {
+	deviceClass, ok := newObj.(*resourceapi.DeviceClass)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(c.logger, nil, "Expected DeviceClass", "actual", fmt.Sprintf("%T", newObj))
+		return
+	}
+	oldDeviceClass, ok := oldObj.(*resourceapi.DeviceClass)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(c.logger, nil, "Expected DeviceClass", "actual", fmt.Sprintf("%T", oldObj))
+		return
+	}
+	c.updateResourceName2class(deviceClass, oldDeviceClass)
+	c.updateClass2ResourceName(deviceClass)
+
+	for _, handler := range c.handlers {
+		handler.OnUpdate(oldObj, newObj)
+	}
+}
+
+// OnDelete handles deletion of a device class.
+func (c *ExtendedResourceCache) OnDelete(obj interface{}) {
+	if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+		obj = tombstone.Obj
+	}
+	deviceClass, ok := obj.(*resourceapi.DeviceClass)
+	if !ok {
+		utilruntime.HandleErrorWithLogger(c.logger, nil, "Expected DeviceClass", "actual", fmt.Sprintf("%T", obj))
+		return
+	}
+	c.removeResourceName2class(deviceClass)
+	c.removeClass2ResourceName(deviceClass)
+
+	for _, handler := range c.handlers {
+		handler.OnDelete(obj)
+	}
+}
+
+// updateResourceName2class updates the cache with the device class mapping.
+// It first removes any existing mappings for this device class to handle
+// ExtendedResourceName changes, then adds the new mappings.
+func (c *ExtendedResourceCache) updateResourceName2class(newDeviceClass, oldDeviceClass *resourceapi.DeviceClass) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	// Different DeviceClasses could specify the same ExtendedResourceName.
+	// If we find such a clash, we need to pick one of them.
+	//
+	// Such a clash should be rare, but can occur while migrating from one
+	// DeviceClass to another. To support such a migration, we prefer the
+	// newer DeviceClass. The name serves as tie-breaker.
+	//
+	// The implicit deviceclass.resource.kubernetes.io/<class name> is always
+	// unique and also cannot appear in a different class as ExtendedResourceName
+	// (prevented by validation), so we don't need to do the same check for
+	// implicit mappings.
+	var classWithSameExtendedResourceName *resourceapi.DeviceClass
+	if newDeviceClass.Spec.ExtendedResourceName != nil {
+		classWithSameExtendedResourceName = c.resourceName2class[v1.ResourceName(*newDeviceClass.Spec.ExtendedResourceName)]
+	}
+	if classWithSameExtendedResourceName != nil {
+		switch cmp.Compare(newDeviceClass.CreationTimestamp.UnixNano(), classWithSameExtendedResourceName.CreationTimestamp.UnixNano()) {
+		case -1:
+			// New class is older, keep the current more recent one.
+			return
+		case 0:
+			// Equal, arbitrarily prefer "lower" name.
+			if newDeviceClass.Name >= classWithSameExtendedResourceName.Name {
+				return
+			}
+		}
+	}
+
+	// Remove old mappings first to handle ExtendedResourceName changes
+	if oldDeviceClass != nil {
+		delete(c.resourceName2class, v1.ResourceName(resourceapi.ResourceDeviceClassPrefix+oldDeviceClass.Name))
+		if oldDeviceClass.Spec.ExtendedResourceName != nil {
+			delete(c.resourceName2class, v1.ResourceName(*oldDeviceClass.Spec.ExtendedResourceName))
+		}
+	}
+
+	// Add new mappings
+	if newDeviceClass.Spec.ExtendedResourceName != nil {
+		c.resourceName2class[v1.ResourceName(*newDeviceClass.Spec.ExtendedResourceName)] = newDeviceClass
+		c.logger.V(5).Info("Updated extended resource cache for explicit mapping",
+			"extendedResource", *newDeviceClass.Spec.ExtendedResourceName,
+			"deviceClass", newDeviceClass.Name)
+	}
+	// Always add the default mapping
+	defaultResourceName := v1.ResourceName(resourceapi.ResourceDeviceClassPrefix + newDeviceClass.Name)
+	c.resourceName2class[defaultResourceName] = newDeviceClass
+	c.logger.V(5).Info("Updated extended resource cache for default mapping",
+		"extendedResource", defaultResourceName,
+		"deviceClass", newDeviceClass.Name)
+}
+
+// updateClass2ResourceName updates the cache with the device class mapping.
+func (c *ExtendedResourceCache) updateClass2ResourceName(deviceClass *resourceapi.DeviceClass) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	if deviceClass.Spec.ExtendedResourceName == nil {
+		delete(c.class2ResourceName, deviceClass.Name)
+		return
+	}
+
+	c.class2ResourceName[deviceClass.Name] = *deviceClass.Spec.ExtendedResourceName
+	c.logger.V(5).Info("Updated device class mapping", "deviceClass", deviceClass.Name, "extendedResource", *deviceClass.Spec.ExtendedResourceName)
+}
+
+// removeResourceName2class removes the device class mapping from the cache.
+// It searches for all mappings to the given device class name and removes them,
+// because the ExtendedResourceName in the deviceClass object may be stale.
+func (c *ExtendedResourceCache) removeResourceName2class(deviceClass *resourceapi.DeviceClass) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	// Remove the default mapping
+	delete(c.resourceName2class, v1.ResourceName(resourceapi.ResourceDeviceClassPrefix+deviceClass.Name))
+	// Remove the explicit mapping
+	if deviceClass.Spec.ExtendedResourceName != nil {
+		delete(c.resourceName2class, v1.ResourceName(*deviceClass.Spec.ExtendedResourceName))
+	}
+	c.logger.V(5).Info("Removed extended resource from cache",
+		"deviceClass", deviceClass.Name)
+}
+
+// removeClass2ResourceName removes the device class mapping from the cache.
+func (c *ExtendedResourceCache) removeClass2ResourceName(deviceClass *resourceapi.DeviceClass) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	delete(c.class2ResourceName, deviceClass.Name)
+	c.logger.V(5).Info("Removed device class", "deviceClass", deviceClass.Name)
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache_test.go b/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache_test.go
new file mode 100644
index 0000000000000..58171d77d2666
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/deviceclass/extendedresourcecache/extendedresourcecache_test.go
@@ -0,0 +1,406 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package extendedresourcecache
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2/ktesting"
+	"k8s.io/utils/ptr"
+)
+
+type deviceClassResolver interface {
+	GetDeviceClass(resourceName v1.ResourceName) *resourceapi.DeviceClass
+}
+
+func TestNil(t *testing.T) {
+	var cache *ExtendedResourceCache
+	var resolver deviceClassResolver = cache
+	if class := resolver.GetDeviceClass("example.com/gpu"); class != nil {
+		t.Errorf("Expected the nil class from a nil instance, got instead: %q", class.Name)
+	}
+}
+
+func TestHandlers(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
+	var numAdd, numUpdate, numDelete int
+
+	resourceName := v1.ResourceName("example.com/gpu")
+	class := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class",
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: (*string)(&resourceName),
+		},
+	}
+	updatedClass := class.DeepCopy()
+	updatedClass.Spec.ExtendedResourceName = nil
+
+	firstHandler := &cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			if obj != class {
+				t.Errorf("first handler expected added object %v, got %v", class, obj)
+			}
+			numAdd++
+			if numAdd != 1 {
+				t.Errorf("first handler expected Add to be called first once, actual add #%d", numAdd)
+			}
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			if oldObj != class {
+				t.Errorf("first handler expected old object %v, got %v", class, oldObj)
+			}
+			if newObj != updatedClass {
+				t.Errorf("first handler expected new object %v, got %v", class, newObj)
+			}
+			numUpdate++
+			if numUpdate != 1 {
+				t.Errorf("first handler expected Update to be called first once, actual update #%d", numUpdate)
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			if obj != updatedClass {
+				t.Errorf("first handler expected deleted object %v, got %v", class, obj)
+			}
+			numDelete++
+			if numDelete != 1 {
+				t.Errorf("first handler expected Delete to be called first once, actual delete #%d", numDelete)
+			}
+		},
+	}
+	erCache := NewExtendedResourceCache(logger, firstHandler)
+	secondHandler := &cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			if obj != class {
+				t.Errorf("second handler expected added object %v, got %v", class, obj)
+			}
+			numAdd++
+			if numAdd != 2 {
+				t.Errorf("second handler expected Add to be called last once, actual add #%d", numAdd)
+			}
+			if deviceClass := erCache.GetDeviceClass(resourceName); deviceClass == nil || deviceClass.Name != class.Name {
+				t.Errorf("expected %q, got %q", class.Name, deviceClass)
+			}
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			if oldObj != class {
+				t.Errorf("second handler expected old object %v, got %v", class, oldObj)
+			}
+			if newObj != updatedClass {
+				t.Errorf("second handler expected new object %v, got %v", class, newObj)
+			}
+			numUpdate++
+			if numUpdate != 2 {
+				t.Errorf("second handler expected Update to be called last once, actual update #%d", numUpdate)
+			}
+			if class := erCache.GetDeviceClass(resourceName); class != nil {
+				t.Errorf("expected %q, got %v", "", class)
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			if obj != updatedClass {
+				t.Errorf("second handler expected deleted object %v, got %v", class, obj)
+			}
+			numDelete++
+			if numDelete != 2 {
+				t.Errorf("second handler expected Delete to be called last once, actual delete #%d", numDelete)
+			}
+			if class := erCache.GetDeviceClass(resourceName); class != nil {
+				t.Errorf("expected %q, got %q", "", class)
+			}
+		},
+	}
+	erCache.AddEventHandler(secondHandler)
+
+	erCache.OnAdd(class, false)
+	erCache.OnUpdate(class, updatedClass)
+	erCache.OnDelete(updatedClass)
+}
+
+func TestExtendedResourceCache(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
+	tCtx, tCancel := context.WithCancel(ctx)
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0)
+
+	deviceClassInformer := informerFactory.Resource().V1().DeviceClasses()
+	cache := NewExtendedResourceCache(logger)
+	if _, err := deviceClassInformer.Informer().AddEventHandler(cache); err != nil {
+		logger.Error(err, "Failed to add event handler for device classes")
+	}
+	informerFactory.Start(tCtx.Done())
+	t.Cleanup(func() {
+		// Need to cancel before waiting for the shutdown.
+		tCancel()
+		// Now we can wait for all goroutines to stop.
+		informerFactory.Shutdown()
+	})
+	informerFactory.WaitForCacheSync(tCtx.Done())
+
+	// Test with a device class that has an explicit extended resource name
+	now := time.Now()
+	deviceClass1 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class",
+			CreationTimestamp: metav1.Time{
+				Time: now,
+			},
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+
+	// Test with a device class that uses the default mapping
+	deviceClass2 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "fpga-class",
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			// No explicit extended resource name
+		},
+	}
+	deviceClass3 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class-3",
+			CreationTimestamp: metav1.Time{
+				Time: now.Add(-24 * time.Hour),
+			},
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+	deviceClass4 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class-4",
+			CreationTimestamp: metav1.Time{
+				Time: now.Add(time.Hour),
+			},
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+	deviceClass0 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class-0",
+			CreationTimestamp: metav1.Time{
+				Time: now.Add(time.Hour),
+			},
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+
+	// Test adding device classes
+	_, err := client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	_, err = client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	// Verify explicit mapping
+	deviceClass := cache.GetDeviceClass("example.com/gpu")
+	if deviceClass == nil || deviceClass.Name != "gpu-class" {
+		t.Errorf("Expected to find device class 'gpu-class' for 'example.com/gpu', got %v", deviceClass)
+	}
+
+	// Verify default mapping
+	defaultResourceName := v1.ResourceName("deviceclass.resource.kubernetes.io/fpga-class")
+	deviceClass = cache.GetDeviceClass(defaultResourceName)
+	if deviceClass == nil || deviceClass.Name != "fpga-class" {
+		t.Errorf("Expected to find device class 'fpga-class' for '%s', got %v", defaultResourceName, deviceClass)
+	}
+
+	// Verify both device classes have default mappings
+	deviceClass = cache.GetDeviceClass("deviceclass.resource.kubernetes.io/gpu-class")
+	if deviceClass == nil || deviceClass.Name != "gpu-class" {
+		t.Error("Expected default mapping for gpu-class")
+	}
+
+	// deviceClass3 is older than deviceClass1, hence it won't replace deviceClass1
+	_, err = client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass3, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	// should keep deviceClass1, since it is newer than deviceClass3
+	deviceClass = cache.GetDeviceClass("example.com/gpu")
+	if deviceClass == nil || deviceClass.Name != "gpu-class" {
+		t.Errorf("Expected to find device class 'gpu-class' for 'example.com/gpu', got %v", deviceClass)
+	}
+
+	// deviceClass4 is newer than deviceClass1, hence it will replace deviceClass1
+	_, err = client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass4, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	// deviceClass4 replaces deviceClass1, since it is newer with the same example.com/gpu extended resource name
+	deviceClass = cache.GetDeviceClass("example.com/gpu")
+	if deviceClass == nil || deviceClass.Name != "gpu-class-4" {
+		t.Errorf("Expected to find device class 'gpu-class' for 'example.com/gpu', got %v", deviceClass)
+	}
+
+	// deviceClass0 is created at the same time as deviceClass4, but its name is alphabetically ordered earlier,
+	//  hence it will replace deviceClass4
+	_, err = client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass0, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	// deviceClass0 replaces deviceClass4, it is created at the same time as deviceClass4, but its name is
+	// alphabetically ordered earlier
+	deviceClass = cache.GetDeviceClass("example.com/gpu")
+	if deviceClass == nil || deviceClass.Name != "gpu-class-0" {
+		t.Errorf("Expected to find device class 'gpu-class' for 'example.com/gpu', got %v", deviceClass)
+	}
+
+	// Test modifying a device class
+	deviceClass0Modified := deviceClass0.DeepCopy()
+	deviceClass0Modified.Spec.ExtendedResourceName = ptr.To("test.com/gpu")
+	_, err = client.ResourceV1().DeviceClasses().Update(tCtx, deviceClass0Modified, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to update device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	// Should have the new mapping
+	deviceClass = cache.GetDeviceClass("test.com/gpu")
+	if deviceClass == nil || deviceClass.Name != "gpu-class-0" {
+		t.Errorf("Expected to find device class 'gpu-class-0' for 'test.com/gpu' after modification, got %v", deviceClass)
+	}
+	// Should not have the old mapping for example.com/gpu
+	if cache.GetDeviceClass("example.com/gpu") != nil {
+		t.Errorf("Expected 'example.com/gpu' to be removed after modification, got %s", cache.GetDeviceClass("example.com/gpu"))
+	}
+
+	// Test deleting a device class
+	err = client.ResourceV1().DeviceClasses().Delete(tCtx, deviceClass0.Name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatalf("Failed to delete device class: %v", err)
+	}
+	time.Sleep(1 * time.Second)
+
+	deviceClass = cache.GetDeviceClass("test.com/gpu")
+	if deviceClass != nil {
+		t.Errorf("Expected 'test.com/gpu' to be removed after deleting device class, got %s", deviceClass)
+	}
+	// Verify the default mapping is removed
+	if cache.GetDeviceClass("deviceclass.resource.kubernetes.io/gpu-class-0") != nil {
+		t.Errorf("Expected 'deviceclass.resource.kubernetes.io/gpu-class-0' to be removed after deleting device class, got %s", cache.GetDeviceClass("deviceclass.resource.kubernetes.io/gpu-class"))
+	}
+}
+
+func TestDeviceClassMapping(t *testing.T) {
+	logger, ctx := ktesting.NewTestContext(t)
+	tCtx, tCancel := context.WithCancel(ctx)
+
+	client := fake.NewClientset()
+	informerFactory := informers.NewSharedInformerFactory(client, 0)
+	cache := NewExtendedResourceCache(logger)
+	if _, err := informerFactory.Resource().V1().DeviceClasses().Informer().AddEventHandler(cache); err != nil {
+		logger.Error(err, "failed to add device class informer event handler")
+	}
+	informerFactory.Start(tCtx.Done())
+	t.Cleanup(func() {
+		// Need to cancel before waiting for the shutdown.
+		tCancel()
+		// Now we can wait for all goroutines to stop.
+		informerFactory.Shutdown()
+	})
+	informerFactory.WaitForCacheSync(tCtx.Done())
+
+	deviceClass1 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "gpu-class",
+		},
+		Spec: resourceapi.DeviceClassSpec{
+			ExtendedResourceName: ptr.To("example.com/gpu"),
+		},
+	}
+
+	deviceClass2 := &resourceapi.DeviceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "tpu-class",
+		},
+	}
+
+	// Test adding device classes
+	_, err := client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass1, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+	_, err = client.ResourceV1().DeviceClasses().Create(tCtx, deviceClass2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create device class: %v", err)
+	}
+
+	time.Sleep(1 * time.Second)
+	name := cache.GetExtendedResource("gpu-class")
+	if name != "example.com/gpu" {
+		t.Errorf("Expected to find device class 'gpu-class', got %s", name)
+	}
+	name = cache.GetExtendedResource("tpu-class")
+	if name != "" {
+		t.Errorf("Expected device class 'tpu-class' not found")
+	}
+
+	// Test updating device classes
+	deviceClass1Modified := deviceClass1.DeepCopy()
+	deviceClass1Modified.Spec.ExtendedResourceName = ptr.To("my.com/gpu")
+	_, err = client.ResourceV1().DeviceClasses().Update(tCtx, deviceClass1Modified, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to update device class: %v", err)
+	}
+
+	time.Sleep(1 * time.Second)
+	name = cache.GetExtendedResource("gpu-class")
+	if name != "my.com/gpu" {
+		t.Errorf("Expected to find device class 'gpu-class' with  'my.com/gpu' after modification, got %s", name)
+	}
+
+	// Test deleting device classes
+	err = client.ResourceV1().DeviceClasses().Delete(tCtx, deviceClass1.Name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Fatalf("Failed to delete device class: %v", err)
+	}
+
+	time.Sleep(1 * time.Second)
+	name = cache.GetExtendedResource("gpu-class")
+	if name != "" {
+		t.Error("Expected 'gpu-class' not found after deletion")
+	}
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/go.mod b/staging/src/k8s.io/dynamic-resource-allocation/go.mod
index a8ac386398a25..5cf35d11fc217 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/go.mod
+++ b/staging/src/k8s.io/dynamic-resource-allocation/go.mod
@@ -2,26 +2,26 @@
 
 module k8s.io/dynamic-resource-allocation
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/google/cel-go v0.26.0
 	github.com/google/go-cmp v0.7.0
-	github.com/onsi/gomega v1.35.1
-	github.com/stretchr/testify v1.10.0
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4
-	google.golang.org/grpc v1.72.1
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
+	github.com/onsi/gomega v1.38.2
+	github.com/stretchr/testify v1.11.1
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5
+	google.golang.org/grpc v1.72.2
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
 	k8s.io/apiserver v0.0.0
-	k8s.io/client-go v0.34.1
+	k8s.io/client-go v0.35.1
 	k8s.io/component-helpers v0.0.0
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubelet v0.0.0
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -32,11 +32,10 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -46,46 +45,47 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.34.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/component-base v0.35.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/apiserver => ../apiserver
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/go.sum b/staging/src/k8s.io/dynamic-resource-allocation/go.sum
index 4601fa588758e..163c1cf0766a5 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/go.sum
+++ b/staging/src/k8s.io/dynamic-resource-allocation/go.sum
@@ -3,6 +3,8 @@ cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
@@ -38,8 +40,8 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
@@ -53,7 +55,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -67,8 +68,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -79,6 +80,7 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -86,8 +88,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -113,36 +113,34 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -155,129 +153,106 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/internal/workqueue/mockqueue.go b/staging/src/k8s.io/dynamic-resource-allocation/internal/workqueue/mockqueue.go
index bf6b6f15b6969..a8579d8d4b201 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/internal/workqueue/mockqueue.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/internal/workqueue/mockqueue.go
@@ -216,6 +216,16 @@ func (m *Mock[T]) AddAfter(item T, duration time.Duration) {
 	m.state.Later = append(m.state.Later, MockDelayedItem[T]{Item: item, Duration: duration})
 }
 
+// CancelAfter is an extension of the TypedDelayingInterface: it allows a test to remove an item that may or may not have been added before via AddAfter.
+func (m *Mock[T]) CancelAfter(item T) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.state.Later = slices.DeleteFunc(m.state.Later, func(later MockDelayedItem[T]) bool {
+		return later.Item == item
+	})
+}
+
 // AddRateLimited implements [TypedRateLimitingInterface.AddRateLimited].
 func (m *Mock[T]) AddRateLimited(item T) {
 	m.mutex.Lock()
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/kubeletplugin/draplugin.go b/staging/src/k8s.io/dynamic-resource-allocation/kubeletplugin/draplugin.go
index 33f31aaa83474..966df3d43df0a 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/kubeletplugin/draplugin.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/kubeletplugin/draplugin.go
@@ -58,8 +58,8 @@ type DRAPlugin interface {
 	// for the given ResourceClaims. This is used to implement
 	// the gRPC NodePrepareResources call.
 	//
-	// It gets called with the complete list of claims that are needed
-	// by some pod. In contrast to the gRPC call, the helper has
+	// It gets called with the complete list of claims handled by this DRA driver
+	// that are needed by some pod. In contrast to the gRPC call, the helper has
 	// already retrieved the actual ResourceClaim objects.
 	//
 	// In addition to that, the helper also:
@@ -199,13 +199,18 @@ type Device struct {
 	// Each ID must be of the form "<vendor ID>/<class>=<unique name>".
 	// May be empty.
 	CDIDeviceIDs []string
+
+	// ShareID identifes the device share.
+	// May be empty.
+	ShareID *types.UID
 }
 
 // Option implements the functional options pattern for Start.
 type Option func(o *options) error
 
 // DriverName defines the driver name for the dynamic resource allocation driver.
-// Must be set.
+// Must be set. Must be a DNS subdomain and should end with a DNS domain
+// owned by the vendor of the driver. It should use only lower case characters.
 func DriverName(driverName string) Option {
 	return func(o *options) error {
 		o.driverName = driverName
@@ -838,6 +843,7 @@ func (d *Helper) serializeGRPCIfEnabled() (func(), error) {
 // It prevents polluting the public API with these implementation details.
 type nodePluginImplementation struct {
 	*Helper
+	drapbv1.UnsafeDRAPluginServer
 }
 
 // NodePrepareResources implements [drapbv1.NodePrepareResources].
@@ -867,7 +873,8 @@ func (d *nodePluginImplementation) NodePrepareResources(ctx context.Context, req
 				RequestNames: stripSubrequestNames(result.Requests),
 				PoolName:     result.PoolName,
 				DeviceName:   result.DeviceName,
-				CDIDeviceIDs: result.CDIDeviceIDs,
+				CdiDeviceIds: result.CDIDeviceIDs,
+				ShareId:      (*string)(result.ShareID),
 			}
 			devices = append(devices, device)
 		}
@@ -904,7 +911,7 @@ func (d *nodePluginImplementation) getResourceClaims(ctx context.Context, claims
 		if claim.Status.Allocation == nil {
 			return resourceClaims, fmt.Errorf("claim %s/%s not allocated", claimReq.Namespace, claimReq.Name)
 		}
-		if claim.UID != types.UID(claimReq.UID) {
+		if claim.UID != types.UID(claimReq.Uid) {
 			return resourceClaims, fmt.Errorf("claim %s/%s got replaced", claimReq.Namespace, claimReq.Name)
 		}
 		resourceClaims = append(resourceClaims, claim)
@@ -922,7 +929,7 @@ func (d *nodePluginImplementation) NodeUnprepareResources(ctx context.Context, r
 
 	claims := make([]NamespacedObject, 0, len(req.Claims))
 	for _, claim := range req.Claims {
-		claims = append(claims, NamespacedObject{UID: types.UID(claim.UID), NamespacedName: types.NamespacedName{Name: claim.Name, Namespace: claim.Namespace}})
+		claims = append(claims, NamespacedObject{UID: types.UID(claim.Uid), NamespacedName: types.NamespacedName{Name: claim.Name, Namespace: claim.Namespace}})
 	}
 	result, err := d.plugin.UnprepareResourceClaims(ctx, claims)
 	if err != nil {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
index 3158b581b9adf..0a09835dd562c 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
@@ -29,6 +29,9 @@ import (
 //  3. Empty toleration.key means to match all taint keys.
 //     If toleration.key is empty, toleration.operator must be 'Exists';
 //     this combination means to match all taint values and all taint keys.
+//
+// Callers must check separately what the effect is and only react to
+// known effects. Unknown effects and the None effect must be ignored.
 func ToleratesTaint(toleration resourceapi.DeviceToleration, taint resourceapi.DeviceTaint) bool {
 	// This code was copied from https://github.com/kubernetes/kubernetes/blob/f007012f5fe49e40ae0596cf463a8e7b247b3357/staging/src/k8s.io/api/core/v1/toleration.go#L39-L56.
 	// It wasn't placed in the resourceapi package because code related to logic
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/resourceclaim.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/resourceclaim.go
index 489b461f5bd69..97ff1a4b4a905 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/resourceclaim.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/resourceclaim.go
@@ -116,6 +116,19 @@ func BaseRequestRef(requestRef string) string {
 	return segments[0]
 }
 
+// CreateSubRequestRef combines the names from a request and a subrequest into
+// a reference to the subrequest.
+func CreateSubRequestRef(requestName, subRequestName string) string {
+	return fmt.Sprintf("%s/%s", requestName, subRequestName)
+}
+
+// IsSubRequestRef checks if the provided reference is to a subrequest and returns
+// true if it is. Otherwise it returns false.
+func IsSubRequestRef(requestRef string) bool {
+	segments := strings.Split(requestRef, "/")
+	return len(segments) == 2
+}
+
 // ConfigForResult returns the configs that are applicable to device
 // allocated for the provided result.
 func ConfigForResult(deviceConfigurations []resourceapi.DeviceAllocationConfiguration, result resourceapi.DeviceRequestAllocationResult) []resourceapi.DeviceAllocationConfiguration {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
index 271cbd7adf341..52a0281bc7f10 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
@@ -194,6 +194,8 @@ func StartController(ctx context.Context, options Options) (*Controller, error)
 // Options contains various optional settings for [StartController].
 type Options struct {
 	// DriverName is the required name of the DRA driver.
+	// Must be a DNS subdomain and should end with a DNS domain
+	// owned by the vendor of the driver. It should use only lower case characters.
 	DriverName string
 
 	// KubeClient is used to read Node objects (if necessary) and to access
@@ -279,10 +281,18 @@ func (err *DroppedFieldsError) DisabledFeatures() []string {
 		}
 	}
 
-	// Dropped fields for partitionable devices can be detected without looking at the devices themselves.
+	// Dropped fields for partitionable devices can be found either directly on the ResourceSlice spec
+	// or within devices.
 	if ptr.Deref(err.DesiredSlice.Spec.PerDeviceNodeSelection, false) && !ptr.Deref(err.ActualSlice.Spec.PerDeviceNodeSelection, false) ||
 		len(err.DesiredSlice.Spec.SharedCounters) > len(err.ActualSlice.Spec.SharedCounters) {
 		disabled = append(disabled, "DRAPartitionableDevices")
+	} else {
+		for i := 0; i < len(err.DesiredSlice.Spec.Devices) && i < len(err.ActualSlice.Spec.Devices); i++ {
+			if len(err.DesiredSlice.Spec.Devices[i].ConsumesCounters) != len(err.ActualSlice.Spec.Devices[i].ConsumesCounters) {
+				disabled = append(disabled, "DRAPartitionableDevices")
+				break
+			}
+		}
 	}
 
 	// The number of binding conditions for both slices should be the same. If they differ,
@@ -450,7 +460,7 @@ func (c *Controller) initInformer(ctx context.Context) error {
 		},
 	}
 	informer := cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
 				tweakListOptions(&options)
 				slices, err := c.resourceClient.ResourceSlices().List(ctx, options)
@@ -467,7 +477,7 @@ func (c *Controller) initInformer(ctx context.Context) error {
 				logger.V(5).Info("Started watching ResourceSlices", "resourceAPI", c.resourceClient.CurrentAPI(), "err", err)
 				return w, err
 			},
-		},
+		}, c.resourceClient),
 		&resourceapi.ResourceSlice{},
 		// No resync because all it would do is periodically trigger syncing pools
 		// again by reporting all slices as updated with the object as old/new.
@@ -477,7 +487,7 @@ func (c *Controller) initInformer(ctx context.Context) error {
 		indexers,
 	)
 	c.sliceStore = cache.NewIntegerResourceVersionMutationCache(logger, informer.GetStore(), informer.GetIndexer(), c.mutationCacheTTL, true /* includeAdds */)
-	handler, err := informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+	handler, err := informer.AddEventHandlerWithOptions(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj any) {
 			slice, ok := obj.(*resourceapi.ResourceSlice)
 			if !ok {
@@ -520,7 +530,7 @@ func (c *Controller) initInformer(ctx context.Context) error {
 			c.queue.AddAfter(slice.Spec.Pool.Name, c.syncDelay)
 			logger.V(5).Info("Scheduled sync", "poolName", slice.Spec.Pool.Name, "at", time.Now().Add(c.syncDelay))
 		},
-	})
+	}, cache.HandlerOptions{Logger: &logger})
 	if err != nil {
 		return fmt.Errorf("registering event handler on the ResourceSlice informer: %w", err)
 	}
@@ -531,7 +541,7 @@ func (c *Controller) initInformer(ctx context.Context) error {
 		defer c.wg.Done()
 		defer logger.V(3).Info("ResourceSlice informer has stopped")
 		defer c.queue.ShutDown() // Once we get here, we must have been asked to stop.
-		informer.Run(ctx.Done())
+		informer.RunWithContext(ctx)
 	}()
 	for !handler.HasSynced() {
 		select {
@@ -567,7 +577,6 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool {
 		// It will be retried.
 		return true
 	}
-
 	c.queue.Forget(poolName)
 	return true
 }
@@ -594,6 +603,12 @@ func (c *Controller) syncPool(ctx context.Context, poolName string) error {
 	c.mutex.RLock()
 	resources = c.resources
 	c.mutex.RUnlock()
+	if err := validateDriverResources(resources); err != nil {
+		c.errorHandler(ctx, err, "pool validation failed")
+		// We only report the error through the error handler to prevent
+		// the controller from retrying.
+		return nil
+	}
 
 	pool, ok := resources.Pools[poolName]
 	if !ok {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
index 7a31a1e9ae9ba..14a472cb0a84d 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
@@ -37,6 +37,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes/fake"
 	k8stesting "k8s.io/client-go/testing"
 	"k8s.io/dynamic-resource-allocation/internal/workqueue"
@@ -69,6 +70,7 @@ func TestControllerSyncPool(t *testing.T) {
 		resourceSlice3 = "resource-slice-3"
 		generateName   = ownerName + "-" + driverName + "-"
 		generatedName1 = generateName + "0"
+		generatedName2 = generateName + "1"
 		attrs          = map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 			"new-attribute": {StringValue: ptr.To("value")},
 		}
@@ -107,7 +109,7 @@ func TestControllerSyncPool(t *testing.T) {
 		inputDriverResources   *DriverResources
 		expectedResourceSlices []resourceapi.ResourceSlice
 		expectedStats          Stats
-		expectedError          string
+		expectedErrors         []string
 	}{
 		"create-slice": {
 			nodeUID:        nodeUID,
@@ -316,7 +318,7 @@ func TestControllerSyncPool(t *testing.T) {
 					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
 					Obj(),
 			},
-			expectedError: `update ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRADeviceTaints`,
+			expectedErrors: []string{`update ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRADeviceTaints`},
 		},
 		"drop-consumable-capacity-field": {
 			features: features{disableConsumableCapacity: true},
@@ -354,7 +356,7 @@ func TestControllerSyncPool(t *testing.T) {
 					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
 					Obj(),
 			},
-			expectedError: `update ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRAConsumableCapacity`,
+			expectedErrors: []string{`update ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRAConsumableCapacity`},
 		},
 		"remove-pool": {
 			nodeUID:   nodeUID,
@@ -858,38 +860,43 @@ func TestControllerSyncPool(t *testing.T) {
 					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).Obj(),
 			},
 		},
-		"create-partitionable-device": {
+		"create-partitionable-devices": {
 			nodeUID: nodeUID,
 			inputDriverResources: &DriverResources{
 				Pools: map[string]Pool{
 					poolName: {
 						Generation: 1,
-						Slices: []Slice{{
-							PerDeviceNodeSelection: ptr.To(true),
-							SharedCounters: []resourceapi.CounterSet{{
-								Name: "gpu-0",
-								Counters: map[string]resourceapi.Counter{
-									"mem": {Value: resource.MustParse("1")},
+						Slices: []Slice{
+							{
+								PerDeviceNodeSelection: ptr.To(true),
+								SharedCounters: []resourceapi.CounterSet{{
+									Name: "gpu-0",
+									Counters: map[string]resourceapi.Counter{
+										"mem": {Value: resource.MustParse("1")},
+									},
+								}},
+							},
+							{
+								PerDeviceNodeSelection: ptr.To(true),
+								Devices: []resourceapi.Device{
+									newDevice(
+										deviceName,
+										nodeNameField(ownerName),
+										[]resourceapi.DeviceCounterConsumption{{
+											CounterSet: "gpu-0",
+											Counters: map[string]resourceapi.Counter{
+												"mem": {Value: resource.MustParse("1")},
+											},
+										}},
+									),
 								},
-							}},
-							Devices: []resourceapi.Device{
-								newDevice(
-									deviceName,
-									nodeNameField(ownerName),
-									[]resourceapi.DeviceCounterConsumption{{
-										CounterSet: "gpu-0",
-										Counters: map[string]resourceapi.Counter{
-											"mem": {Value: resource.MustParse("1")},
-										},
-									}},
-								),
 							},
-						}},
+						},
 					},
 				},
 			},
 			expectedStats: Stats{
-				NumCreates: 1,
+				NumCreates: 2,
 			},
 			expectedResourceSlices: []resourceapi.ResourceSlice{
 				*MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
@@ -902,6 +909,12 @@ func TestControllerSyncPool(t *testing.T) {
 						},
 					}}).
 					Driver(driverName).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 2}).
+					Obj(),
+				*MakeResourceSlice().Name(generatedName2).GenerateName(generateName).
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					PerDeviceNodeSelection(true).
+					Driver(driverName).
 					Devices([]resourceapi.Device{
 						newDevice(
 							deviceName,
@@ -914,53 +927,66 @@ func TestControllerSyncPool(t *testing.T) {
 							},
 						),
 					}).
-					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 2}).
 					Obj(),
 			},
 		},
-		"drop-partitionable-device": {
+		"drop-partitionable-devices": {
 			features: features{disablePartitionableDevices: true},
 			nodeUID:  nodeUID,
 			inputDriverResources: &DriverResources{
 				Pools: map[string]Pool{
 					poolName: {
 						Generation: 1,
-						Slices: []Slice{{
-							PerDeviceNodeSelection: ptr.To(true),
-							SharedCounters: []resourceapi.CounterSet{{
-								Name: "gpu-0",
-								Counters: map[string]resourceapi.Counter{
-									"mem": {Value: resource.MustParse("1")},
-								},
-							}},
-							Devices: []resourceapi.Device{
-								newDevice(
-									deviceName,
-									nodeNameField(ownerName),
-									resourceapi.DeviceCounterConsumption{
-										CounterSet: "gpu-0",
-										Counters: map[string]resourceapi.Counter{
-											"mem": {Value: resource.MustParse("1")},
-										},
+						Slices: []Slice{
+							{
+								PerDeviceNodeSelection: ptr.To(true),
+								SharedCounters: []resourceapi.CounterSet{{
+									Name: "gpu-0",
+									Counters: map[string]resourceapi.Counter{
+										"mem": {Value: resource.MustParse("1")},
 									},
-								),
+								}},
 							},
-						}},
+							{
+								PerDeviceNodeSelection: ptr.To(true),
+								Devices: []resourceapi.Device{
+									newDevice(
+										deviceName,
+										nodeNameField(ownerName),
+										resourceapi.DeviceCounterConsumption{
+											CounterSet: "gpu-0",
+											Counters: map[string]resourceapi.Counter{
+												"mem": {Value: resource.MustParse("1")},
+											},
+										},
+									),
+								},
+							},
+						},
 					},
 				},
 			},
 			expectedStats: Stats{
-				NumCreates: 1,
+				NumCreates: 2,
 			},
 			expectedResourceSlices: []resourceapi.ResourceSlice{
 				*MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					Driver(driverName).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 2}).
+					Obj(),
+				*MakeResourceSlice().Name(generatedName2).GenerateName(generateName).
 					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
 					Driver(driverName).
 					Devices([]resourceapi.Device{newDevice(deviceName)}).
-					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 2}).
 					Obj(),
 			},
-			expectedError: `create ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRAPartitionableDevices`,
+			expectedErrors: []string{
+				`create ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRAPartitionableDevices`,
+				`create ResourceSlice: pool "pool", slice #1: some fields were dropped by the apiserver, probably because these features are disabled: DRAPartitionableDevices`,
+			},
 		},
 		"create-device-with-binding-condition": {
 			nodeUID: nodeUID,
@@ -1028,7 +1054,140 @@ func TestControllerSyncPool(t *testing.T) {
 					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
 					Obj(),
 			},
-			expectedError: `create ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRADeviceBindingConditions`,
+			expectedErrors: []string{`create ResourceSlice: pool "pool", slice #0: some fields were dropped by the apiserver, probably because these features are disabled: DRADeviceBindingConditions`},
+		},
+		"detect-resource-pools-with-duplicate-counter-sets": {
+			nodeUID: nodeUID,
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{
+							{
+								SharedCounters: []resourceapi.CounterSet{
+									{
+										Name: "counterset",
+									},
+								},
+							},
+							{
+								SharedCounters: []resourceapi.CounterSet{
+									{
+										Name: "counterset",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedStats: Stats{
+				NumCreates: 0,
+			},
+			expectedErrors: []string{`pool validation failed: found duplicate counter set "counterset" in pool "pool"`},
+		},
+		"detect-duplicate-devices": {
+			nodeUID: nodeUID,
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{
+							{
+								Devices: []resourceapi.Device{
+									{
+										Name: deviceName,
+									},
+								},
+							},
+							{
+								Devices: []resourceapi.Device{
+									{
+										Name: deviceName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedStats: Stats{
+				NumCreates: 0,
+			},
+			expectedErrors: []string{`pool validation failed: found duplicate device "device" in pool "pool"`},
+		},
+		"detect-device-referencing-unknown-counter-set": {
+			nodeUID: nodeUID,
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{
+							{
+								Devices: []resourceapi.Device{
+									{
+										Name: deviceName,
+										ConsumesCounters: []resourceapi.DeviceCounterConsumption{
+											{
+												CounterSet: "counterset",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedStats: Stats{
+				NumCreates: 0,
+			},
+			expectedErrors: []string{`pool validation failed: counter set "counterset" referenced by device "device" not found`},
+		},
+		"detect-device-referencing-unknown-counter-in-counter-set": {
+			nodeUID: nodeUID,
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{
+							{
+								SharedCounters: []resourceapi.CounterSet{
+									{
+										Name: "counterset",
+										Counters: map[string]resourceapi.Counter{
+											"memory": {
+												Value: resource.MustParse("8Gi"),
+											},
+										},
+									},
+								},
+							},
+							{
+								Devices: []resourceapi.Device{
+									{
+										Name: "device",
+										ConsumesCounters: []resourceapi.DeviceCounterConsumption{
+											{
+												CounterSet: "counterset",
+												Counters: map[string]resourceapi.Counter{
+													"cpu": {
+														Value: resource.MustParse("4"),
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedStats: Stats{
+				NumCreates: 0,
+			},
+			expectedErrors: []string{`pool validation failed: counter "cpu" referenced by device "device" not found in counter set "counterset"`},
 		},
 	}
 	for name, test := range testCases {
@@ -1115,32 +1274,62 @@ func TestControllerSyncPool(t *testing.T) {
 				assert.Equal(t, test.expectedStats, ctrl.GetStats(), "statistics after re-sync")
 			}
 
+			// Dedup the list of errors since we synced the pool twice.
+			var dedupedControllerErrors []error
+			errorMsgs := sets.New[string]()
+			for _, err := range controllerErrors {
+				errorMsg := err.Error()
+				if errorMsgs.Has(errorMsg) {
+					continue
+				}
+				errorMsgs.Insert(errorMsg)
+				dedupedControllerErrors = append(dedupedControllerErrors, err)
+			}
+
 			ctrl.Stop()
 			switch {
-			case test.expectedError != "" && len(controllerErrors) == 0:
-				t.Errorf("expected error, got none: %s", test.expectedError)
-			case test.expectedError == "" && len(controllerErrors) > 0:
-				t.Errorf("expected no error, got:\n  %s", strings.Join(formatErrors(controllerErrors), "\n  "))
-			case test.expectedError != "" && len(controllerErrors) != 1:
-				t.Errorf("expected one error %q, got:\n  %s", test.expectedError, strings.Join(formatErrors(controllerErrors), "\n  "))
-			case test.expectedError != "":
-				assert.Equal(t, test.expectedError, controllerErrors[0].Error())
+			case len(test.expectedErrors) != 0 && len(dedupedControllerErrors) == 0:
+				t.Errorf("expected errors, got none: %s", joinErrors(test.expectedErrors))
+			case len(test.expectedErrors) == 0 && len(dedupedControllerErrors) > 0:
+				t.Errorf("expected no error, got:\n  %s", joinErrors(formatErrors(controllerErrors)))
+			case len(test.expectedErrors) != len(dedupedControllerErrors):
+				t.Errorf("expected %d errors, got %d:\n  %s", len(test.expectedErrors), len(dedupedControllerErrors), joinErrors(formatErrors(dedupedControllerErrors)))
+			default:
+				expectedErrorsSet := sets.New(test.expectedErrors...)
+				actualErrorsSet := sets.New(errsToStrings(dedupedControllerErrors)...)
+				if !expectedErrorsSet.Equal(actualErrorsSet) {
+					t.Errorf("expected errors:\n  %s\ngot:\n  %s", joinErrors(test.expectedErrors), joinErrors(formatErrors(dedupedControllerErrors)))
+				}
 			}
 		})
 	}
 }
 
+func joinErrors(errors []string) string {
+	return strings.Join(errors, "\n  ")
+}
+
+func errsToStrings(errs []error) []string {
+	var strings []string
+	for _, err := range errs {
+		strings = append(strings, err.Error())
+	}
+	return strings
+}
+
+func formatError(err error) string {
+	var droppedFields *DroppedFieldsError
+	if errors.As(err, &droppedFields) {
+		return fmt.Sprintf("%v\n%s", err, cmp.Diff(droppedFields.DesiredSlice.Spec, droppedFields.ActualSlice.Spec))
+	} else {
+		return err.Error()
+	}
+}
+
 func formatErrors(errs []error) []string {
 	var errMsgs []string
 	for _, err := range errs {
-		var droppedFields *DroppedFieldsError
-		var errMsg string
-		if errors.As(err, &droppedFields) {
-			errMsg = fmt.Sprintf("%v\n%s", err, cmp.Diff(droppedFields.DesiredSlice.Spec, droppedFields.ActualSlice.Spec))
-		} else {
-			errMsg = err.Error()
-		}
-		errMsgs = append(errMsgs, errMsg)
+		errMsgs = append(errMsgs, formatError(err))
 	}
 	return errMsgs
 }
@@ -1259,8 +1448,7 @@ func MakeResourceSlice() *ResourceSliceWrapper {
 		resourceapi.ResourceSlice{
 			ObjectMeta: metav1.ObjectMeta{},
 			Spec: resourceapi.ResourceSliceSpec{
-				Pool:    resourceapi.ResourcePool{},
-				Devices: []resourceapi.Device{},
+				Pool: resourceapi.ResourcePool{},
 			},
 		},
 	}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
index 62938d807f3c9..5ca9719b28897 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
@@ -38,7 +38,6 @@ import (
 	resourcelisters "k8s.io/client-go/listers/resource/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/dynamic-resource-allocation/cel"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/buffer"
 	"k8s.io/utils/ptr"
@@ -56,7 +55,7 @@ const (
 // DeviceTaintRules applied. It is backed by informers to process
 // potential changes to resolved ResourceSlices asynchronously.
 type Tracker struct {
-	enableDeviceTaints bool
+	enableDeviceTaintRules bool
 
 	resourceSliceLister   resourcelisters.ResourceSliceLister
 	resourceSlices        cache.SharedIndexInformer
@@ -65,7 +64,6 @@ type Tracker struct {
 	deviceTaintsHandle    cache.ResourceEventHandlerRegistration
 	deviceClasses         cache.SharedIndexInformer
 	deviceClassesHandle   cache.ResourceEventHandlerRegistration
-	celCache              *cel.Cache
 	patchedResourceSlices cache.Store
 	broadcaster           record.EventBroadcaster
 	recorder              record.EventRecorder
@@ -101,14 +99,14 @@ type Tracker struct {
 
 // Options configure a [Tracker].
 type Options struct {
-	// EnableDeviceTaints controls whether DeviceTaintRules
+	// EnableDeviceTaintRules controls whether DeviceTaintRules
 	// will be reflected in ResourceSlices reported by the tracker.
 	//
 	// If false, then TaintInformer and ClassInformer
 	// are not needed. The tracker turns into
 	// a thin wrapper around the underlying
 	// SliceInformer, with no processing of its own.
-	EnableDeviceTaints bool
+	EnableDeviceTaintRules bool
 	// EnableConsumableCapacity defines whether the CEL compiler supports the DRAConsumableCapacity feature.
 	EnableConsumableCapacity bool
 
@@ -123,7 +121,7 @@ type Options struct {
 
 // StartTracker creates and initializes informers for a new [Tracker].
 func StartTracker(ctx context.Context, opts Options) (finalT *Tracker, finalErr error) {
-	if !opts.EnableDeviceTaints {
+	if !opts.EnableDeviceTaintRules {
 		// Minimal wrapper. All public methods shortcut by calling the underlying informer.
 		return &Tracker{
 			resourceSliceLister: opts.SliceInformer.Lister(),
@@ -150,15 +148,14 @@ func StartTracker(ctx context.Context, opts Options) (finalT *Tracker, finalErr
 // newTracker is used in testing to construct a tracker without informer event handlers.
 func newTracker(ctx context.Context, opts Options) (finalT *Tracker, finalErr error) {
 	t := &Tracker{
-		enableDeviceTaints:    opts.EnableDeviceTaints,
-		resourceSliceLister:   opts.SliceInformer.Lister(),
-		resourceSlices:        opts.SliceInformer.Informer(),
-		deviceTaints:          opts.TaintInformer.Informer(),
-		deviceClasses:         opts.ClassInformer.Informer(),
-		celCache:              cel.NewCache(10, cel.Features{EnableConsumableCapacity: opts.EnableConsumableCapacity}),
-		patchedResourceSlices: cache.NewStore(cache.MetaNamespaceKeyFunc),
-		handleError:           utilruntime.HandleErrorWithContext,
-		eventQueue:            *buffer.NewRing[func()](buffer.RingOptions{InitialSize: 0, NormalSize: 4}),
+		enableDeviceTaintRules: opts.EnableDeviceTaintRules,
+		resourceSliceLister:    opts.SliceInformer.Lister(),
+		resourceSlices:         opts.SliceInformer.Informer(),
+		deviceTaints:           opts.TaintInformer.Informer(),
+		deviceClasses:          opts.ClassInformer.Informer(),
+		patchedResourceSlices:  cache.NewStore(cache.MetaNamespaceKeyFunc),
+		handleError:            utilruntime.HandleErrorWithContext,
+		eventQueue:             *buffer.NewRing[func()](buffer.RingOptions{InitialSize: 0, NormalSize: 4}),
 	}
 	defer func() {
 		// If we don't return the tracker, stop the partially initialized instance.
@@ -223,7 +220,7 @@ func (t *Tracker) initInformers(ctx context.Context) error {
 // point is possible and will emit events with up-to-date ResourceSlice
 // objects.
 func (t *Tracker) HasSynced() bool {
-	if !t.enableDeviceTaints {
+	if !t.enableDeviceTaintRules {
 		return t.resourceSlices.HasSynced()
 	}
 
@@ -242,7 +239,7 @@ func (t *Tracker) HasSynced() bool {
 
 // Stop ends all background activity and blocks until that shutdown is complete.
 func (t *Tracker) Stop() {
-	if !t.enableDeviceTaints {
+	if !t.enableDeviceTaintRules {
 		return
 	}
 
@@ -257,7 +254,7 @@ func (t *Tracker) Stop() {
 // ListPatchedResourceSlices returns all ResourceSlices in the cluster with
 // modifications from DeviceTaints applied.
 func (t *Tracker) ListPatchedResourceSlices() ([]*resourceapi.ResourceSlice, error) {
-	if !t.enableDeviceTaints {
+	if !t.enableDeviceTaintRules {
 		return t.resourceSliceLister.List(labels.Everything())
 	}
 
@@ -273,7 +270,7 @@ func (t *Tracker) ListPatchedResourceSlices() ([]*resourceapi.ResourceSlice, err
 // All currently know ResourceSlices get delivered via Add events
 // before this method returns.
 func (t *Tracker) AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error) {
-	if !t.enableDeviceTaints {
+	if !t.enableDeviceTaintRules {
 		return t.resourceSlices.AddEventHandler(handler)
 	}
 
@@ -387,7 +384,11 @@ func (t *Tracker) resourceSliceAdd(ctx context.Context) func(obj any) {
 		if !ok {
 			return
 		}
-		logger.V(5).Info("ResourceSlice add", "slice", klog.KObj(slice))
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			loggerV.Info("ResourceSlice added", "slice", klog.Format(slice))
+		} else {
+			logger.V(5).Info("ResourceSlice added", "slice", klog.KObj(slice))
+		}
 		t.syncSlice(ctx, slice.Name, true)
 	}
 }
@@ -406,9 +407,9 @@ func (t *Tracker) resourceSliceUpdate(ctx context.Context) func(oldObj, newObj a
 		if loggerV := logger.V(6); loggerV.Enabled() {
 			// While debugging, one needs a full dump of the objects for context *and*
 			// a diff because otherwise small changes would be hard to spot.
-			loggerV.Info("ResourceSlice update", "slice", klog.Format(oldSlice), "oldSlice", klog.Format(newSlice), "diff", diff.Diff(oldSlice, newSlice))
+			loggerV.Info("ResourceSlice updated", "diff", diff.Diff(oldSlice, newSlice), "slice", klog.Format(newSlice))
 		} else {
-			logger.V(5).Info("ResourceSlice update", "slice", klog.KObj(newSlice))
+			logger.V(5).Info("ResourceSlice updated", "slice", klog.KObj(newSlice))
 		}
 		t.syncSlice(ctx, newSlice.Name, true)
 	}
@@ -424,7 +425,7 @@ func (t *Tracker) resourceSliceDelete(ctx context.Context) func(obj any) {
 		if !ok {
 			return
 		}
-		logger.V(5).Info("ResourceSlice delete", "slice", klog.KObj(slice))
+		logger.V(5).Info("ResourceSlice deleted", "slice", klog.KObj(slice))
 		t.syncSlice(ctx, slice.Name, true)
 	}
 }
@@ -432,12 +433,16 @@ func (t *Tracker) resourceSliceDelete(ctx context.Context) func(obj any) {
 func (t *Tracker) deviceTaintAdd(ctx context.Context) func(obj any) {
 	logger := klog.FromContext(ctx)
 	return func(obj any) {
-		patch, ok := obj.(*resourcealphaapi.DeviceTaintRule)
+		rule, ok := obj.(*resourcealphaapi.DeviceTaintRule)
 		if !ok {
 			return
 		}
-		logger.V(5).Info("DeviceTaintRule add", "patch", klog.KObj(patch))
-		for _, sliceName := range t.sliceNamesForPatch(ctx, patch) {
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			loggerV.Info("DeviceTaintRule added", "deviceTaintRule", klog.Format(rule))
+		} else {
+			logger.V(5).Info("DeviceTaintRule added", "deviceTaintRule", klog.KObj(rule))
+		}
+		for _, sliceName := range t.sliceNamesForPatch(ctx, rule) {
 			t.syncSlice(ctx, sliceName, false)
 		}
 	}
@@ -446,26 +451,26 @@ func (t *Tracker) deviceTaintAdd(ctx context.Context) func(obj any) {
 func (t *Tracker) deviceTaintUpdate(ctx context.Context) func(oldObj, newObj any) {
 	logger := klog.FromContext(ctx)
 	return func(oldObj, newObj any) {
-		oldPatch, ok := oldObj.(*resourcealphaapi.DeviceTaintRule)
+		oldRule, ok := oldObj.(*resourcealphaapi.DeviceTaintRule)
 		if !ok {
 			return
 		}
-		newPatch, ok := newObj.(*resourcealphaapi.DeviceTaintRule)
+		newRule, ok := newObj.(*resourcealphaapi.DeviceTaintRule)
 		if !ok {
 			return
 		}
 		if loggerV := logger.V(6); loggerV.Enabled() {
-			loggerV.Info("DeviceTaintRule update", "patch", klog.KObj(newPatch), "diff", diff.Diff(oldPatch, newPatch))
+			loggerV.Info("DeviceTaintRule updated", "diff", diff.Diff(oldRule, newRule), "deviceTaintRule", klog.KObj(newRule))
 		} else {
-			logger.V(5).Info("DeviceTaintRule update", "patch", klog.KObj(newPatch))
+			logger.V(5).Info("DeviceTaintRule updated", "deviceTaintRule", klog.KObj(newRule))
 		}
 
 		// Slices that matched the old patch may need to be updated, in
 		// case they no longer match the new patch and need to have the
 		// patch's changes reverted.
 		slicesToSync := sets.New[string]()
-		slicesToSync.Insert(t.sliceNamesForPatch(ctx, oldPatch)...)
-		slicesToSync.Insert(t.sliceNamesForPatch(ctx, newPatch)...)
+		slicesToSync.Insert(t.sliceNamesForPatch(ctx, oldRule)...)
+		slicesToSync.Insert(t.sliceNamesForPatch(ctx, newRule)...)
 		for _, sliceName := range slicesToSync.UnsortedList() {
 			t.syncSlice(ctx, sliceName, false)
 		}
@@ -482,7 +487,7 @@ func (t *Tracker) deviceTaintDelete(ctx context.Context) func(obj any) {
 		if !ok {
 			return
 		}
-		logger.V(5).Info("DeviceTaintRule delete", "patch", klog.KObj(patch))
+		logger.V(5).Info("DeviceTaintRule deleted", "patch", klog.KObj(patch))
 		for _, sliceName := range t.sliceNamesForPatch(ctx, patch) {
 			t.syncSlice(ctx, sliceName, false)
 		}
@@ -636,8 +641,6 @@ func (t *Tracker) applyPatches(ctx context.Context, slice *resourceapi.ResourceS
 		logger.V(6).Info("processing DeviceTaintRule")
 
 		deviceSelector := taintRule.Spec.DeviceSelector
-		var deviceClassExprs []cel.CompilationResult
-		var selectorExprs []cel.CompilationResult
 		var deviceName *string
 		if deviceSelector != nil {
 			if deviceSelector.Driver != nil && *deviceSelector.Driver != slice.Spec.Driver {
@@ -649,32 +652,7 @@ func (t *Tracker) applyPatches(ctx context.Context, slice *resourceapi.ResourceS
 				continue
 			}
 			deviceName = deviceSelector.Device
-			if deviceSelector.DeviceClassName != nil {
-				logger := logger.WithValues("deviceClassName", *deviceSelector.DeviceClassName)
-				classObj, exists, err := t.deviceClasses.GetIndexer().GetByKey(*deviceSelector.DeviceClassName)
-				if err != nil {
-					return nil, fmt.Errorf("failed to get device class %s for DeviceTaintRule %s", *deviceSelector.DeviceClassName, taintRule.Name)
-				}
-				if !exists {
-					logger.V(7).Info("DeviceTaintRule does not apply, DeviceClass does not exist")
-					continue
-				}
-				class := classObj.(*resourceapi.DeviceClass)
-				for _, selector := range class.Spec.Selectors {
-					if selector.CEL != nil {
-						expr := t.celCache.GetOrCompile(selector.CEL.Expression)
-						deviceClassExprs = append(deviceClassExprs, expr)
-					}
-				}
-			}
-			for _, selector := range deviceSelector.Selectors {
-				if selector.CEL != nil {
-					expr := t.celCache.GetOrCompile(selector.CEL.Expression)
-					selectorExprs = append(selectorExprs, expr)
-				}
-			}
 		}
-	devices:
 		for dIndex, device := range slice.Spec.Devices {
 			deviceID := deviceID(slice.Spec.Driver, slice.Spec.Pool.Name, device.Name)
 			logger := logger.WithValues("device", deviceID)
@@ -684,47 +662,6 @@ func (t *Tracker) applyPatches(ctx context.Context, slice *resourceapi.ResourceS
 				continue
 			}
 
-			for i, expr := range deviceClassExprs {
-				if expr.Error != nil {
-					// Could happen if some future apiserver accepted some
-					// future expression and then got downgraded. Normally
-					// the "stored expression" mechanism prevents that, but
-					// this code here might be more than one release older
-					// than the cluster it runs in.
-					return nil, fmt.Errorf("DeviceTaintRule %s: class %s: selector #%d: CEL compile error: %w", taintRule.Name, *deviceSelector.DeviceClassName, i, expr.Error)
-				}
-				matches, details, err := expr.DeviceMatches(ctx, cel.Device{Driver: slice.Spec.Driver, Attributes: device.Attributes, Capacity: device.Capacity})
-				logger.V(7).Info("CEL result", "class", *deviceSelector.DeviceClassName, "selector", i, "expression", expr.Expression, "matches", matches, "actualCost", ptr.Deref(details.ActualCost(), 0), "err", err)
-				if err != nil {
-					continue devices
-				}
-				if !matches {
-					continue devices
-				}
-			}
-
-			for i, expr := range selectorExprs {
-				if expr.Error != nil {
-					// Could happen if some future apiserver accepted some
-					// future expression and then got downgraded. Normally
-					// the "stored expression" mechanism prevents that, but
-					// this code here might be more than one release older
-					// than the cluster it runs in.
-					return nil, fmt.Errorf("DeviceTaintRule %s: selector #%d: CEL compile error: %w", taintRule.Name, i, expr.Error)
-				}
-				matches, details, err := expr.DeviceMatches(ctx, cel.Device{Driver: slice.Spec.Driver, Attributes: device.Attributes, Capacity: device.Capacity})
-				logger.V(7).Info("CEL result", "selector", i, "expression", expr.Expression, "matches", matches, "actualCost", ptr.Deref(details.ActualCost(), 0), "err", err)
-				if err != nil {
-					if t.recorder != nil {
-						t.recorder.Eventf(taintRule, v1.EventTypeWarning, "CELRuntimeError", "selector #%d: runtime error: %v", i, err)
-					}
-					continue devices
-				}
-				if !matches {
-					continue devices
-				}
-			}
-
 			logger.V(6).Info("applying matching DeviceTaintRule")
 
 			// TODO: remove conversion once taint is already in the right API package.
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go
index 5726320eec392..e9233c23f98fc 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go
@@ -67,17 +67,35 @@ func update[T any](oldObj, newObj *T) [2]*T {
 	return [2]*T{oldObj, newObj}
 }
 
-func runInputEvents(tCtx *testContext, events []any) {
-	for _, event := range events {
-		switch event := event.(type) {
-		case []any:
-			for _, event := range event {
-				applyEventPair(tCtx, event)
+func runInputEvents(tCtx *testContext, events []any, permutation []int) {
+	for _, i := range permutation {
+		event, name := lookupEvent(events, i)
+		stepCtx := tCtx.withLoggerName(fmt.Sprintf("event #%s", name))
+		applyEventPair(stepCtx, event)
+	}
+}
+
+// lookupEvent is the opposite of flatten: it takes an index
+// after flattening and maps it back to the event in the original
+// event hierarchy. To do so, it descends into the second level where necessary.
+func lookupEvent(events []any, index int) (any, string) {
+	numEvents := 0
+	for i := range events {
+		if e, ok := events[i].([]any); ok {
+			for j := range e {
+				if numEvents == index {
+					return e[j], fmt.Sprintf("%d/%d", i, j)
+				}
+				numEvents++
 			}
-		default:
-			applyEventPair(tCtx, event)
+		} else {
+			if numEvents == index {
+				return events[i], fmt.Sprintf("%d", i)
+			}
+			numEvents++
 		}
 	}
+	panic(fmt.Sprintf("invalid event index #%d", index))
 }
 
 func applyEventPair(tCtx *testContext, event any) {
@@ -140,6 +158,18 @@ type testContext struct {
 	*fake.Clientset
 }
 
+func (t *testContext) withLoggerName(name string) *testContext {
+	logger := klog.FromContext(t.Context)
+	logger = klog.LoggerWithName(logger, name)
+	t = &testContext{
+		T:         t.T,
+		Context:   klog.NewContext(t.Context, logger),
+		Tracker:   t.Tracker,
+		Clientset: t.Clientset,
+	}
+	return t
+}
+
 var (
 	now, _      = time.Parse(time.RFC3339, "2006-01-02T15:04:05Z")
 	driver1     = "driver1.example.com"
@@ -286,37 +316,10 @@ var (
 		}
 		return rule
 	}
-	taintCELSelectedDevicesRule = func(rule *resourcealphaapi.DeviceTaintRule, exprs ...string) *resourcealphaapi.DeviceTaintRule {
-		rule = rule.DeepCopy()
-		var selectors []resourcealphaapi.DeviceSelector
-		for _, expr := range exprs {
-			selectors = append(selectors, resourcealphaapi.DeviceSelector{
-				CEL: &resourcealphaapi.CELDeviceSelector{
-					Expression: expr,
-				},
-			})
-		}
-		rule.Spec.DeviceSelector = &resourcealphaapi.DeviceTaintSelector{
-			Selectors: selectors,
-		}
-		return rule
-	}
-	taintDeviceClassRule = func(rule *resourcealphaapi.DeviceTaintRule, deviceClassName string) *resourcealphaapi.DeviceTaintRule {
-		rule = rule.DeepCopy()
-		rule.Spec.DeviceSelector = &resourcealphaapi.DeviceTaintSelector{
-			DeviceClassName: &deviceClassName,
-		}
-		return rule
-	}
-	taintPool1DevicesRule             = taintPoolDevicesRule(taintAllDevicesRule, pool1)
-	taintPool2DevicesRule             = taintPoolDevicesRule(taintAllDevicesRule, pool2)
-	taintDriver1DevicesRule           = taintDriverDevicesRule(taintAllDevicesRule, driver1)
-	taintDevice1Rule                  = taintNamedDevicesRule(taintAllDevicesRule, device1Name)
-	taintDriver1DevicesCELRule        = taintCELSelectedDevicesRule(taintAllDevicesRule, `device.driver == "`+driver1+`"`)
-	taintNoDevicesCELRule             = taintCELSelectedDevicesRule(taintAllDevicesRule, `true`, `false`, `true`)
-	taintNoDevicesCELRuntimeErrorRule = taintCELSelectedDevicesRule(taintAllDevicesRule, `device.attributes["test.example.com"].deviceAttr`)
-	taintNoDevicesInvalidCELRule      = taintCELSelectedDevicesRule(taintAllDevicesRule, `invalid`)
-	taintDeviceClass1Rule             = taintDeviceClassRule(taintAllDevicesRule, deviceClass1.Name)
+	taintPool1DevicesRule   = taintPoolDevicesRule(taintAllDevicesRule, pool1)
+	taintPool2DevicesRule   = taintPoolDevicesRule(taintAllDevicesRule, pool2)
+	taintDriver1DevicesRule = taintDriverDevicesRule(taintAllDevicesRule, driver1)
+	taintDevice1Rule        = taintNamedDevicesRule(taintAllDevicesRule, device1Name)
 )
 
 func TestListPatchedResourceSlices(t *testing.T) {
@@ -335,6 +338,11 @@ func TestListPatchedResourceSlices(t *testing.T) {
 		// the order in those nested lists is preserved.
 		events                []any
 		expectedPatchedSlices []*resourceapi.ResourceSlice
+		// The exact events that are emitted for a sequence of events is
+		// highly dependent on the order in which those events are received.
+		// We punt on determining a set of validation criteria for every
+		// possible sequence and only check them against the first
+		// permutation: the order in which the events are defined.
 		expectedHandlerEvents []handlerEvent
 		expectEvents          func(t *assert.CollectT, events *v1.EventList)
 		expectUnhandledErrors func(t *testing.T, errs []error)
@@ -484,102 +492,19 @@ func TestListPatchedResourceSlices(t *testing.T) {
 				{event: handlerEventAdd, newObj: slice2},
 			},
 		},
-		"add-attribute-for-selector": {
-			events: []any{
-				add(taintDriver1DevicesCELRule),
-				add(slice1),
-				add(slice2),
-			},
-			expectedPatchedSlices: []*resourceapi.ResourceSlice{
-				slice1Tainted,
-				slice2,
-			},
-			expectedHandlerEvents: []handlerEvent{
-				{event: handlerEventAdd, newObj: slice1Tainted},
-				{event: handlerEventAdd, newObj: slice2},
-			},
-		},
-		"selector-does-not-match": {
-			events: []any{
-				add(taintNoDevicesCELRule),
-				add(slice1),
-			},
-			expectedPatchedSlices: []*resourceapi.ResourceSlice{
-				slice1,
-			},
-			expectedHandlerEvents: []handlerEvent{
-				{event: handlerEventAdd, newObj: slice1},
-			},
-		},
-		"runtime-CEL-errors-skip-devices": {
-			events: []any{
-				add(taintNoDevicesCELRuntimeErrorRule),
-				add(slice1),
-			},
-			expectedPatchedSlices: []*resourceapi.ResourceSlice{
-				slice1,
-			},
-			expectEvents: func(t *assert.CollectT, events *v1.EventList) {
-				if !assert.Len(t, events.Items, 1) {
-					return
-				}
-				assert.Equal(t, taintNoDevicesCELRuntimeErrorRule.Name, events.Items[0].InvolvedObject.Name)
-				assert.Equal(t, "CELRuntimeError", events.Items[0].Reason)
-			},
-			expectedHandlerEvents: []handlerEvent{
-				{event: handlerEventAdd, newObj: slice1},
-			},
-		},
-		"invalid-CEL-expression-throws-error": {
-			events: []any{
-				[]any{
-					add(taintNoDevicesInvalidCELRule),
-					add(slice1),
-				},
-			},
-			expectedPatchedSlices: []*resourceapi.ResourceSlice{},
-			expectUnhandledErrors: func(t *testing.T, errs []error) {
-				if !assert.Len(t, errs, 1) {
-					return
-				}
-				assert.ErrorContains(t, errs[0], "CEL compile error")
-			},
-		},
-		"add-taint-for-device-class": {
-			events: []any{
-				add(deviceClass1),
-				add(taintDeviceClass1Rule),
-				add(slice1),
-				add(slice2),
-			},
-			expectedPatchedSlices: []*resourceapi.ResourceSlice{
-				slice1Tainted,
-				slice2,
-			},
-			expectedHandlerEvents: []handlerEvent{
-				{event: handlerEventAdd, newObj: slice1Tainted},
-				{event: handlerEventAdd, newObj: slice2},
-			},
-		},
 		"filter-all-criteria": {
 			events: []any{
 				add(deviceClass1),
 				add(
-					taintDeviceClassRule(
-						taintDriverDevicesRule(
-							taintPoolDevicesRule(
-								taintNamedDevicesRule(
-									taintCELSelectedDevicesRule(
-										taintAllDevicesRule,
-										`true`,
-									),
-									device1Name,
-								),
-								pool1,
+					taintDriverDevicesRule(
+						taintPoolDevicesRule(
+							taintNamedDevicesRule(
+								taintAllDevicesRule,
+								device1Name,
 							),
-							driver1,
+							pool1,
 						),
-						deviceClass1.Name,
+						driver1,
 					),
 				),
 				add(slice1),
@@ -626,11 +551,11 @@ func TestListPatchedResourceSlices(t *testing.T) {
 		informerFactory := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute)
 
 		opts := Options{
-			EnableDeviceTaints: true,
-			SliceInformer:      informerFactory.Resource().V1().ResourceSlices(),
-			TaintInformer:      informerFactory.Resource().V1alpha3().DeviceTaintRules(),
-			ClassInformer:      informerFactory.Resource().V1().DeviceClasses(),
-			KubeClient:         kubeClient,
+			EnableDeviceTaintRules: true,
+			SliceInformer:          informerFactory.Resource().V1().ResourceSlices(),
+			TaintInformer:          informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+			ClassInformer:          informerFactory.Resource().V1().DeviceClasses(),
+			KubeClient:             kubeClient,
 		}
 		tracker, err := newTracker(ctx, opts)
 		require.NoError(t, err)
@@ -643,7 +568,15 @@ func TestListPatchedResourceSlices(t *testing.T) {
 		}
 	}
 
-	testHandlers := func(tCtx *testContext, test test, testExpectedEmittedEvents bool) {
+	testHandlers := func(tCtx *testContext, test test, permutation []int) {
+		isPermutated := false
+		for i, j := range permutation {
+			if i != j {
+				isPermutated = true
+				break
+			}
+		}
+
 		var handlerEvents []handlerEvent
 		handler := cache.ResourceEventHandlerFuncs{
 			AddFunc: func(obj interface{}) {
@@ -663,9 +596,9 @@ func TestListPatchedResourceSlices(t *testing.T) {
 			unhandledErrors = append(unhandledErrors, err)
 		}
 
-		runInputEvents(tCtx, test.events)
+		runInputEvents(tCtx, test.events, permutation)
 
-		if testExpectedEmittedEvents {
+		if !isPermutated {
 			assert.Equal(tCtx, test.expectedHandlerEvents, handlerEvents)
 		}
 
@@ -709,60 +642,47 @@ func TestListPatchedResourceSlices(t *testing.T) {
 
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			// The exact events that are emitted for a sequence of events is
-			// highly dependent on the order in which those events are received.
-			// We punt on determining a set of validation criteria for every
-			// possible sequence and only check them against the first
-			// permutation: the order in which the events are defined.
-			testExpectedEmittedEvents := true
-
-			numEvents := len(tc.events)
-			if numEvents <= 1 {
-				// No permutations.
-				tContext := setup(t)
-				testHandlers(tContext, tc, testExpectedEmittedEvents)
-				return
-			}
-
-			// flatten does one level of flattening of events. It also returns
-			// another slice of pairs of indices representing ranges which were
-			// flattened.
-			flatten := func(events []any) ([]any, [][2]int) {
-				var ret []any
+			// flatten does one level of flattening of events, counting all events.
+			// It also returns a slice of pairs of indices representing ranges which were
+			// flattened (= came from the second level) and which therefore must
+			// remain in that order.
+			flatten := func(events []any) (int, [][2]int) {
+				numEvents := 0
 				var ranges [][2]int
 				for _, e := range events {
 					switch e := e.(type) {
 					case []any:
-						ranges = append(ranges, [2]int{len(ret), len(ret) + len(e)})
-						ret = append(ret, e...)
+						ranges = append(ranges, [2]int{numEvents, numEvents + len(e)})
+						numEvents += len(e)
 					default:
-						ret = append(ret, e)
+						numEvents++
 					}
 				}
-				return ret, ranges
+				return numEvents, ranges
 			}
+			numEvents, constraints := flatten(tc.events)
 
-			var constraints [][2]int
-			tc.events, constraints = flatten(tc.events)
-			numEvents = len(tc.events)
+			if len(tc.events) <= 1 {
+				// No permutations possible.
+				var permutation []int
+				for i := 0; i < numEvents; i++ {
+					permutation = append(permutation, i)
+				}
+				tContext := setup(t)
+				testHandlers(tContext, tc, permutation)
+				return
+			}
 
 			permutation := make([]int, numEvents)
 			var permutate func(depth int)
 			permutate = func(depth int) {
 				if depth >= numEvents {
 					// Define a sub-test which runs the current permutation of events.
-					events := make([]any, numEvents)
-					for i := range numEvents {
-						events[i] = tc.events[permutation[i]]
-					}
-					tc := tc
-					tc.events = events
 					name := strings.Trim(fmt.Sprintf("%v", permutation), "[]")
 					t.Run(name, func(t *testing.T) {
 						tContext := setup(t)
-						testHandlers(tContext, tc, testExpectedEmittedEvents)
-
-						testExpectedEmittedEvents = false
+						// No need to clone the slice, we don't run in parallel.
+						testHandlers(tContext, tc, permutation)
 					})
 					return
 				}
@@ -778,10 +698,13 @@ func TestListPatchedResourceSlices(t *testing.T) {
 						}
 						for j := i + 1; j < constraint[1]; j++ {
 							if slices.Contains(permutation[0:depth], j) {
+								// Invalid permutation, would change order
+								// of sub-events.
 								continue nexti
 							}
 						}
 					}
+
 					// Pick it for the current position in permutation,
 					// continue with next position.
 					permutation[depth] = i
@@ -1036,11 +959,11 @@ func BenchmarkEventHandlers(b *testing.B) {
 		kubeClient := fake.NewSimpleClientset()
 		informerFactory := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute)
 		opts := Options{
-			EnableDeviceTaints: true,
-			SliceInformer:      informerFactory.Resource().V1().ResourceSlices(),
-			TaintInformer:      informerFactory.Resource().V1alpha3().DeviceTaintRules(),
-			ClassInformer:      informerFactory.Resource().V1().DeviceClasses(),
-			KubeClient:         kubeClient,
+			EnableDeviceTaintRules: true,
+			SliceInformer:          informerFactory.Resource().V1().ResourceSlices(),
+			TaintInformer:          informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+			ClassInformer:          informerFactory.Resource().V1().DeviceClasses(),
+			KubeClient:             kubeClient,
 		}
 		tracker, err := newTracker(ctx, opts)
 		require.NoError(b, err)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/validation.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/validation.go
new file mode 100644
index 0000000000000..4bfdb65cd3c77
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/validation.go
@@ -0,0 +1,79 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceslice
+
+import (
+	"fmt"
+
+	resourceapi "k8s.io/api/resource/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// validateDriverResources identifies problems that cannot be caught by
+// the server-side validation and that would prevent using the published
+// ResourceSlices, like incorrect cross-references. We do validation here
+// so any issues can be discovered as early as possible. This is also
+// checked in the allocator before allocating any devices.
+func validateDriverResources(resources *DriverResources) error {
+	for poolName, pool := range resources.Pools {
+		if err := validatePool(poolName, pool); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// validatePool checks that there aren't any pool-wide issues that
+// can't be caught in the API-server per-ResourceSlice validation.
+//
+// This logic is very similar to what we do in the allocator when we
+// gather the pools. We might want to see if there is a good way to
+// put this logic in one place.
+func validatePool(name string, pool Pool) error {
+	counterSets := make(map[string]resourceapi.CounterSet)
+	for _, slice := range pool.Slices {
+		for _, counterSet := range slice.SharedCounters {
+			if _, found := counterSets[counterSet.Name]; found {
+				return fmt.Errorf("found duplicate counter set %q in pool %q", counterSet.Name, name)
+			}
+			counterSets[counterSet.Name] = counterSet
+		}
+	}
+
+	devices := sets.New[string]()
+	for _, slice := range pool.Slices {
+		for _, device := range slice.Devices {
+			if _, found := devices[device.Name]; found {
+				return fmt.Errorf("found duplicate device %q in pool %q", device.Name, name)
+			}
+			devices.Insert(device.Name)
+
+			for _, dcc := range device.ConsumesCounters {
+				counterSet, found := counterSets[dcc.CounterSet]
+				if !found {
+					return fmt.Errorf("counter set %q referenced by device %q not found", dcc.CounterSet, device.Name)
+				}
+				for counterName := range dcc.Counters {
+					if _, found := counterSet.Counters[counterName]; !found {
+						return fmt.Errorf("counter %q referenced by device %q not found in counter set %q", counterName, device.Name, counterSet.Name)
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
index aa629cde8b4dc..82b9d153d5344 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
@@ -19,18 +19,35 @@ package structured
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/dynamic-resource-allocation/cel"
 	"k8s.io/dynamic-resource-allocation/structured/internal"
 	"k8s.io/dynamic-resource-allocation/structured/internal/experimental"
 	"k8s.io/dynamic-resource-allocation/structured/internal/incubating"
 	"k8s.io/dynamic-resource-allocation/structured/internal/stable"
+	"k8s.io/dynamic-resource-allocation/structured/schedulerapi"
 )
 
+// ErrFailedAllocationOnNode is the base error for errors returned by Allocate
+// which, in contrast to other errors, only affect the one node and not
+// the entire scheduling attempt.
+//
+// The scheduler is expected to check for this with
+//
+//	errors.Is(err, structured.ErrFailedAllocation)
+//
+// and then use the error string as explanation for
+// the unscheduable status.
+//
+// It has no text of its own and can be used with fmt.Errorf("%wsome other error", ErrFailedAllocationOnNode).
+var ErrFailedAllocationOnNode = internal.ErrFailedAllocationOnNode
+
 // To keep the code in different packages simple, type aliases are used everywhere.
 // Functions are wrappers instead of variables to enable compiler optimization.
 // The Allocator interface is defined twice intentionally: that way, the docs
@@ -38,30 +55,32 @@ import (
 
 type DeviceClassLister = internal.DeviceClassLister
 type Features = internal.Features
-type DeviceID = internal.DeviceID
+
+// Type aliases to schedulerapi package for types that are part of the
+// scheduler and autoscaler contract. This ensures that changes to these
+// types require autoscaler approval.
+type DeviceID = schedulerapi.DeviceID
+type AllocatedState = schedulerapi.AllocatedState
+type SharedDeviceID = schedulerapi.SharedDeviceID
+type DeviceConsumedCapacity = schedulerapi.DeviceConsumedCapacity
+type ConsumedCapacityCollection = schedulerapi.ConsumedCapacityCollection
+type ConsumedCapacity = schedulerapi.ConsumedCapacity
 
 func MakeDeviceID(driver, pool, device string) DeviceID {
-	return internal.MakeDeviceID(driver, pool, device)
+	return schedulerapi.MakeDeviceID(driver, pool, device)
 }
 
-// types_experimental
-type AllocatedState = internal.AllocatedState
-type SharedDeviceID = internal.SharedDeviceID
-type DeviceConsumedCapacity = internal.DeviceConsumedCapacity
-type ConsumedCapacityCollection = internal.ConsumedCapacityCollection
-type ConsumedCapacity = internal.ConsumedCapacity
-
 func MakeSharedDeviceID(deviceID DeviceID, shareID *types.UID) SharedDeviceID {
-	return internal.MakeSharedDeviceID(deviceID, shareID)
+	return schedulerapi.MakeSharedDeviceID(deviceID, shareID)
 }
 
 func NewConsumedCapacityCollection() ConsumedCapacityCollection {
-	return internal.NewConsumedCapacityCollection()
+	return schedulerapi.NewConsumedCapacityCollection()
 }
 
 func NewDeviceConsumedCapacity(deviceID DeviceID,
 	consumedCapacity map[resourceapi.QualifiedName]resource.Quantity) DeviceConsumedCapacity {
-	return internal.NewDeviceConsumedCapacity(deviceID, consumedCapacity)
+	return schedulerapi.NewDeviceConsumedCapacity(deviceID, consumedCapacity)
 }
 
 // Allocator calculates how to allocate a set of unallocated claims which use
@@ -135,17 +154,40 @@ func NewAllocator(ctx context.Context,
 	// file name!) into "stable", or individual chunks can be copied over.
 	//
 	// Unit tests are shared between all implementations.
+	var enabledAllocators []string
 	for _, allocator := range availableAllocators {
+		// Disabled?
+		if !allocatorEnabled(allocator.name) {
+			continue
+		}
+		enabledAllocators = append(enabledAllocators, allocator.name)
+
 		// All required features supported?
 		if allocator.supportedFeatures.Set().IsSuperset(features.Set()) {
 			// Use it!
 			return allocator.newAllocator(ctx, features, allocatedState, classLister, slices, celCache)
 		}
 	}
-	return nil, fmt.Errorf("internal error: no allocator available for feature set %v", features)
+	return nil, fmt.Errorf("internal error: no allocator available for feature set %+v, enabled allocators: %s", features, strings.Join(enabledAllocators, ", "))
+}
+
+// EnableAllocators, if passed a non-empty list, controls which allocators may get picked by NewAllocator.
+// The entries are the names of the implementing package ("stable", "incubating", "experimental").
+// Not thread-safe, meant for use during testing.
+func EnableAllocators(names ...string) {
+	explicitlyEnabledAllocators = sets.New(names...)
+}
+
+// explicitlyEnabledAllocators stores the result of EnableAllocators.
+// If empty (the default), all available allocators are enabled.
+var explicitlyEnabledAllocators sets.Set[string]
+
+func allocatorEnabled(name string) bool {
+	return len(explicitlyEnabledAllocators) == 0 || explicitlyEnabledAllocators.Has(name)
 }
 
 var availableAllocators = []struct {
+	name              string
 	supportedFeatures Features
 	newAllocator      func(ctx context.Context,
 		features Features,
@@ -154,9 +196,15 @@ var availableAllocators = []struct {
 		slices []*resourceapi.ResourceSlice,
 		celCache *cel.Cache,
 	) (Allocator, error)
+	nodeMatches func(node *v1.Node,
+		nodeNameToMatch string,
+		allNodesMatch bool,
+		nodeSelector *v1.NodeSelector,
+	) (bool, error)
 }{
 	// Most stable first.
 	{
+		name:              "stable",
 		supportedFeatures: stable.SupportedFeatures,
 		newAllocator: func(ctx context.Context,
 			features Features,
@@ -167,8 +215,10 @@ var availableAllocators = []struct {
 		) (Allocator, error) {
 			return stable.NewAllocator(ctx, features, allocatedState.AllocatedDevices, classLister, slices, celCache)
 		},
+		nodeMatches: stable.NodeMatches,
 	},
 	{
+		name:              "incubating",
 		supportedFeatures: incubating.SupportedFeatures,
 		newAllocator: func(ctx context.Context,
 			features Features,
@@ -179,8 +229,10 @@ var availableAllocators = []struct {
 		) (Allocator, error) {
 			return incubating.NewAllocator(ctx, features, allocatedState.AllocatedDevices, classLister, slices, celCache)
 		},
+		nodeMatches: incubating.NodeMatches,
 	},
 	{
+		name:              "experimental",
 		supportedFeatures: experimental.SupportedFeatures,
 		newAllocator: func(ctx context.Context,
 			features Features,
@@ -191,5 +243,49 @@ var availableAllocators = []struct {
 		) (Allocator, error) {
 			return experimental.NewAllocator(ctx, features, allocateState, classLister, slices, celCache)
 		},
+		nodeMatches: experimental.NodeMatches,
 	},
 }
+
+// NodeMatches determines whether a given Kubernetes node matches the specified criteria.
+// It calls one of the available implementations(stable, incubating, experimental) based
+// on the provided DRA features.
+func NodeMatches(features Features, node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
+	for _, allocator := range availableAllocators {
+		if allocator.supportedFeatures.Set().IsSuperset(features.Set()) {
+			return allocator.nodeMatches(node, nodeNameToMatch, allNodesMatch, nodeSelector)
+		}
+	}
+
+	return false, fmt.Errorf("internal error: no NodeMatches implementation available for feature set %v", features)
+}
+
+// IsDeviceAllocated checks if a device is allocated, considering both fully allocated devices
+// and partially consumed devices when consumable capacity is enabled.
+func IsDeviceAllocated(deviceID DeviceID, allocatedState *AllocatedState) bool {
+	// Check if device is fully allocated (traditional case)
+	if allocatedState.AllocatedDevices.Has(deviceID) {
+		return true
+	}
+
+	// Check if device is partially consumed via shared allocations (consumable capacity case).
+	// We need to check if any shared device ID corresponds to our device.
+	for sharedDeviceID := range allocatedState.AllocatedSharedDeviceIDs {
+		// Extract the base device ID from the shared device ID by recreating it
+		baseDeviceID := MakeDeviceID(
+			sharedDeviceID.Driver.String(),
+			sharedDeviceID.Pool.String(),
+			sharedDeviceID.Device.String(),
+		)
+		if baseDeviceID == deviceID {
+			return true
+		}
+	}
+
+	// Check if device has consumed capacity tracked (consumable capacity case)
+	if _, hasConsumedCapacity := allocatedState.AggregatedCapacity[deviceID]; hasConsumedCapacity {
+		return true
+	}
+
+	return false
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/README.md b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/README.md
new file mode 100644
index 0000000000000..81c68ee5ce7e3
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/README.md
@@ -0,0 +1,28 @@
+The allocator code exists in three variants which get picked depending on which
+features are enabled:
+- stable: for a "GA only" feature configuration, minimal changes going forward
+- incubating: the default implementation, adds support for beta features
+- experimental: under active development, including alpha features
+
+This structure serves as a safety net because experimental changes cannot break
+more stable Kubernetes configurations, something that happened already once
+despite careful reviews.
+
+The goal is to rotate the implementations wholesale instead of copying
+individual code chunks, i.e. at some point "incubating" replaces "stable",
+"experimental" replaces "incubating", and "experimental" becomes a copy of
+"incubating" until new changes get added to it again.
+
+Ideally changes should be limited to "experimental", but sometimes changes have
+to be applied the same way across different variants, for example bug fixes
+or changes to the package API.
+
+Tests are shared between all implementations, with test cases applied depending
+on what features they require. Further testing is covered by
+test/integration/scheduler_perf. When promoting implementations, the selection
+of implementations which support certain features there needs to be
+updated. For example `[]string{"experimental"}` in `TestSchedulerPerf` of
+`test/integration/scheduler_perf/dra/consumablecapacity/consumablecapacity_test.go`
+will eventually become `[]string{"incubating", "experimental"}`. The explicit
+selection of the implementation for benchmarking in
+`EnableAllocators("experimental")` then becomes `EnableAllocators("incubating")`.
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatedstate.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatedstate.go
index 468dfcb7b86ee..ad7ec44585867 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatedstate.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatedstate.go
@@ -23,182 +23,44 @@ import (
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	draapi "k8s.io/dynamic-resource-allocation/api"
+	"k8s.io/dynamic-resource-allocation/structured/schedulerapi"
 )
 
-type DeviceID struct {
-	Driver, Pool, Device draapi.UniqueString
-}
-
-func (d DeviceID) String() string {
-	return d.Driver.String() + "/" + d.Pool.String() + "/" + d.Device.String()
-}
-
+// Type aliases pointing to the schedulerapi package where the actual
+// definitions are maintained. This ensures that any changes to these types
+// require autoscaler approval.
+type DeviceID = schedulerapi.DeviceID
+type SharedDeviceID = schedulerapi.SharedDeviceID
+type AllocatedState = schedulerapi.AllocatedState
+type ConsumedCapacity = schedulerapi.ConsumedCapacity
+type ConsumedCapacityCollection = schedulerapi.ConsumedCapacityCollection
+type DeviceConsumedCapacity = schedulerapi.DeviceConsumedCapacity
+
+// Wrapper functions that delegate to the schedulerapi package
 func MakeDeviceID(driver, pool, device string) DeviceID {
-	return DeviceID{
-		Driver: draapi.MakeUniqueString(driver),
-		Pool:   draapi.MakeUniqueString(pool),
-		Device: draapi.MakeUniqueString(device),
-	}
-}
-
-type SharedDeviceID struct {
-	Driver, Pool, Device, ShareID draapi.UniqueString
+	return schedulerapi.MakeDeviceID(driver, pool, device)
 }
 
-// MakeSharedDeviceID creates a SharedDeviceID by extending MakeDeviceID with shareID.
 func MakeSharedDeviceID(deviceID DeviceID, shareID *types.UID) SharedDeviceID {
-	// This function avoids disruptive changes to MakeDeviceID
-	// while enabling ShareID as part of the device key.
-	var shareIDStr string
-	if shareID != nil {
-		shareIDStr = string(*shareID)
-	}
-	return SharedDeviceID{
-		Driver:  deviceID.Driver,
-		Pool:    deviceID.Pool,
-		Device:  deviceID.Device,
-		ShareID: draapi.MakeUniqueString(shareIDStr),
-	}
-}
-
-func (d SharedDeviceID) String() string {
-	deviceIDStr := d.Driver.String() + "/" + d.Pool.String() + "/" + d.Device.String()
-	if d.ShareID.String() != "" {
-		deviceIDStr += "/" + d.ShareID.String()
-	}
-	return deviceIDStr
+	return schedulerapi.MakeSharedDeviceID(deviceID, shareID)
 }
 
-func GenerateShareID() *types.UID {
-	newUID := uuid.NewUUID()
-	return &newUID
-}
-
-// AllocatedState packs information of allocated devices which is gathered from allocated resource claims.
-type AllocatedState struct {
-	AllocatedDevices         sets.Set[DeviceID]
-	AllocatedSharedDeviceIDs sets.Set[SharedDeviceID]
-	AggregatedCapacity       ConsumedCapacityCollection
-}
-
-// ConsumedCapacity defines consumable capacity values
-type ConsumedCapacity map[resourceapi.QualifiedName]*resource.Quantity
-
-// ConsumedCapacityCollection collects consumable capacity values of each device
-type ConsumedCapacityCollection map[DeviceID]ConsumedCapacity
-
-// NewConsumedCapacity initiates a new map of consumable capacity values
 func NewConsumedCapacity() ConsumedCapacity {
-	return make(ConsumedCapacity)
+	return schedulerapi.NewConsumedCapacity()
 }
 
-// NewConsumedCapacity initiates a new map of device's consumable capacity values
 func NewConsumedCapacityCollection() ConsumedCapacityCollection {
-	return make(ConsumedCapacityCollection)
-}
-
-// Clone makes a copy of consumed capacity values
-func (s ConsumedCapacity) Clone() ConsumedCapacity {
-	clone := make(ConsumedCapacity)
-	for name, quantity := range s {
-		q := quantity.DeepCopy()
-		clone[name] = &q
-	}
-	return clone
+	return schedulerapi.NewConsumedCapacityCollection()
 }
 
-// Add adds quantity to corresponding consumable capacity,
-// and creates a new entry if no capacity created yet.
-func (s ConsumedCapacity) Add(addedCapacity ConsumedCapacity) {
-	for name, quantity := range addedCapacity {
-		val := quantity.DeepCopy()
-		if _, found := s[name]; found {
-			s[name].Add(val)
-		} else {
-			s[name] = &val
-		}
-	}
-}
-
-// Sub subtracts quantity,
-// and ignore if no capacity entry found.
-func (s ConsumedCapacity) Sub(subtractedCapacity ConsumedCapacity) {
-	for name, quantity := range subtractedCapacity {
-		if _, found := s[name]; found {
-			s[name].Sub(*quantity)
-		}
-	}
-}
-
-// Empty return true if all quantity is zero.
-func (s ConsumedCapacity) Empty() bool {
-	for _, quantity := range s {
-		if !quantity.IsZero() {
-			return false
-		}
-	}
-	return true
-}
-
-// Clone makes a copy of ConsumedCapacity of each capacity.
-func (c ConsumedCapacityCollection) Clone() ConsumedCapacityCollection {
-	clone := NewConsumedCapacityCollection()
-	for deviceID, share := range c {
-		clone[deviceID] = share.Clone()
-	}
-	return clone
-}
-
-// Insert adds a new allocated capacity to the collection.
-func (c ConsumedCapacityCollection) Insert(cap DeviceConsumedCapacity) {
-	consumedCapacity := cap.ConsumedCapacity
-	if _, found := c[cap.DeviceID]; found {
-		c[cap.DeviceID].Add(consumedCapacity)
-	} else {
-		c[cap.DeviceID] = consumedCapacity.Clone()
-	}
-}
-
-// Remove removes an allocated capacity from the collection.
-func (c ConsumedCapacityCollection) Remove(cap DeviceConsumedCapacity) {
-	if _, found := c[cap.DeviceID]; found {
-		c[cap.DeviceID].Sub(cap.ConsumedCapacity)
-		if c[cap.DeviceID].Empty() {
-			delete(c, cap.DeviceID)
-		}
-	}
-}
-
-// DeviceConsumedCapacity contains consumed capacity result within device allocation.
-type DeviceConsumedCapacity struct {
-	DeviceID
-	ConsumedCapacity
-}
-
-// NewDeviceConsumedCapacity creates DeviceConsumedCapacity instance from device ID and its consumed capacity.
 func NewDeviceConsumedCapacity(deviceID DeviceID, consumedCapacity map[resourceapi.QualifiedName]resource.Quantity) DeviceConsumedCapacity {
-	allocatedCapacity := NewConsumedCapacity()
-	for name, quantity := range consumedCapacity {
-		allocatedCapacity[name] = &quantity
-	}
-	return DeviceConsumedCapacity{
-		DeviceID:         deviceID,
-		ConsumedCapacity: allocatedCapacity,
-	}
+	return schedulerapi.NewDeviceConsumedCapacity(deviceID, consumedCapacity)
 }
 
-// Clone makes a copy of DeviceConsumedCapacity.
-func (a DeviceConsumedCapacity) Clone() DeviceConsumedCapacity {
-	return DeviceConsumedCapacity{
-		DeviceID:         a.DeviceID,
-		ConsumedCapacity: a.ConsumedCapacity.Clone(),
-	}
-}
-
-// String returns formatted device ID.
-func (a DeviceConsumedCapacity) String() string {
-	return a.DeviceID.String()
+// GenerateShareID is a helper function that generates a new share ID.
+// This remains in the internal package as it's a utility function.
+func GenerateShareID() *types.UID {
+	newUID := uuid.NewUUID()
+	return &newUID
 }
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatortesting/allocator_testing.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatortesting/allocator_testing.go
index f145e76c5ad1f..9a62ae4b98403 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatortesting/allocator_testing.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/allocatortesting/allocator_testing.go
@@ -83,10 +83,13 @@ const (
 	req0SubReq1 = "req-0/subReq-1"
 	req1SubReq0 = "req-1/subReq-0"
 	req1SubReq1 = "req-1/subReq-1"
+	req2SubReq0 = "req-2/subReq-0"
 	claim0      = "claim-0"
 	claim1      = "claim-1"
 	slice1      = "slice-1"
 	slice2      = "slice-2"
+	slice3      = "slice-3"
+	slice4      = "slice-4"
 	device0     = "device-0"
 	device1     = "device-1"
 	device2     = "device-2"
@@ -247,14 +250,26 @@ func allDeviceRequest(name, class string) wrapDeviceRequest {
 	}
 }
 
-func subRequest(name, class string, count int64, selectors ...resourceapi.DeviceSelector) resourceapi.DeviceSubRequest {
-	return resourceapi.DeviceSubRequest{
+func subRequest(name, class string, count int64, fields ...any) wrapDeviceSubRequest {
+	subRequest := resourceapi.DeviceSubRequest{
 		Name:            name,
 		Count:           count,
 		AllocationMode:  resourceapi.DeviceAllocationModeExactCount,
 		DeviceClassName: class,
-		Selectors:       selectors,
 	}
+
+	for _, field := range fields {
+		switch typedField := field.(type) {
+		case resourceapi.DeviceSelector:
+			subRequest.Selectors = append(subRequest.Selectors, typedField)
+		case resourceapi.DeviceToleration:
+			subRequest.Tolerations = append(subRequest.Tolerations, typedField)
+		default:
+			panic(fmt.Sprintf("unsupported field for DeviceSubRequest: %T", field))
+		}
+	}
+
+	return wrapDeviceSubRequest{subRequest}
 }
 
 type wrapDeviceRequest struct{ resourceapi.DeviceRequest }
@@ -269,12 +284,24 @@ func (in wrapDeviceRequest) withCapacityRequest(quantity *resource.Quantity) wra
 	return wrapDeviceRequest{*out}
 }
 
+func (in wrapDeviceRequest) withSelectors(selectors ...resourceapi.DeviceSelector) wrapDeviceRequest {
+	out := in.DeepCopy()
+	out.Exactly.Selectors = selectors
+	return wrapDeviceRequest{*out}
+}
+
 type wrapDeviceSubRequest struct{ resourceapi.DeviceSubRequest }
 
 func (in wrapDeviceSubRequest) obj() resourceapi.DeviceSubRequest {
 	return in.DeviceSubRequest
 }
 
+func (in wrapDeviceSubRequest) withAllocationMode(mode resourceapi.DeviceAllocationMode) wrapDeviceSubRequest {
+	out := in.DeepCopy()
+	out.AllocationMode = mode
+	return wrapDeviceSubRequest{*out}
+}
+
 func (in wrapDeviceSubRequest) withCapacityRequest(quantity *resource.Quantity) wrapDeviceSubRequest {
 	out := in.DeepCopy()
 	out.Capacity = capacityRequests(quantity)
@@ -282,19 +309,32 @@ func (in wrapDeviceSubRequest) withCapacityRequest(quantity *resource.Quantity)
 }
 
 // genereate a DeviceRequest with the given name and list of prioritized requests.
-func requestWithPrioritizedList(name string, prioritizedRequests ...resourceapi.DeviceSubRequest) resourceapi.DeviceRequest {
-	return resourceapi.DeviceRequest{
-		Name:           name,
-		FirstAvailable: prioritizedRequests,
+func requestWithPrioritizedList(name string, prioritizedRequests ...wrapDeviceSubRequest) wrapDeviceRequest {
+	var subreqs []resourceapi.DeviceSubRequest
+	for _, subreq := range prioritizedRequests {
+		subreqs = append(subreqs, subreq.obj())
 	}
+	return wrapDeviceRequest{resourceapi.DeviceRequest{
+		Name:           name,
+		FirstAvailable: subreqs,
+	}}
 }
 
-// generate a ResourceClaim object with the given name, request and class.
-func claim(name, req, class string, constraints ...resourceapi.DeviceConstraint) wrapResourceClaim {
+// generate a ResourceClaim object with the given name and with a single request with given class and constraints.
+func claimWithRequest(name, req, class string, constraints ...resourceapi.DeviceConstraint) wrapResourceClaim {
 	claim := claimWithRequests(name, constraints, request(req, class, 1))
 	return claim
 }
 
+// generate a ResourceClaim object with the given name.
+func claim(name string) wrapResourceClaim {
+	return wrapResourceClaim{&resourceapi.ResourceClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+	}}
+}
+
 type wrapResourceClaim struct{ *resourceapi.ResourceClaim }
 
 func (in wrapResourceClaim) obj() *resourceapi.ResourceClaim {
@@ -318,10 +358,22 @@ func (in wrapResourceClaim) withRequests(requests ...wrapDeviceRequest) wrapReso
 	return wrapResourceClaim{out}
 }
 
+func (in wrapResourceClaim) withConstraints(constraints ...resourceapi.DeviceConstraint) wrapResourceClaim {
+	out := in.DeepCopy()
+	out.Spec.Devices.Constraints = constraints
+	return wrapResourceClaim{out}
+}
+
+func (in wrapResourceClaim) withConfigs(configs []resourceapi.DeviceClaimConfiguration) wrapResourceClaim {
+	out := in.DeepCopy()
+	out.Spec.Devices.Config = configs
+	return wrapResourceClaim{out}
+}
+
 // generate a ResourceClaim object with the given name, request, class, and attribute.
 // attribute is used to generate parameters in a form of JSON {attribute: attributeValue}.
 func claimWithDeviceConfig(name, request, class, driver, attribute string) wrapResourceClaim {
-	claim := claim(name, request, class)
+	claim := claimWithRequest(name, request, class)
 	claim.Spec.Devices.Config = []resourceapi.DeviceClaimConfiguration{
 		{
 			DeviceConfiguration: deviceConfiguration(driver, attribute),
@@ -330,12 +382,6 @@ func claimWithDeviceConfig(name, request, class, driver, attribute string) wrapR
 	return claim
 }
 
-func claimWithAll(name string, requests []resourceapi.DeviceRequest, constraints []resourceapi.DeviceConstraint, configs []resourceapi.DeviceClaimConfiguration) wrapResourceClaim {
-	claim := claimWithRequests(name, constraints, requests...)
-	claim.Spec.Devices.Config = configs
-	return claim
-}
-
 func deviceClaimConfig(requests []string, deviceConfig resourceapi.DeviceConfiguration) resourceapi.DeviceClaimConfiguration {
 	return resourceapi.DeviceClaimConfiguration{
 		Requests:            requests,
@@ -510,28 +556,35 @@ const (
 )
 
 // generate a ResourceSlice object with the given name, node,
-// driver and pool names, generation and a list of devices.
+// driver and pool names and generation.
 // The nodeSelection parameter may be a string with the value
 // nodeSelectionAll for all nodes, the value nodeSelectionPerDevice
 // for per device node selection, or any other value to set the
 // node name. Providing a node selectors sets the NodeSelector field.
-func slice(name string, nodeSelection any, pool, driver string, devices ...wrapDevice) wrapResourceSlice {
+func slice(name string, nodeSelection, pool any, driver string) *resourceapi.ResourceSlice {
+	var resourcePool resourceapi.ResourcePool
+	switch poolSelection := pool.(type) {
+	case resourceapi.ResourcePool:
+		resourcePool = poolSelection
+	case string:
+		resourcePool = resourceapi.ResourcePool{
+			Name:               poolSelection,
+			ResourceSliceCount: 1,
+			Generation:         1,
+		}
+	default:
+		panic(fmt.Sprintf("unexpected pool type %T: %+v", poolSelection, poolSelection))
+	}
+
 	slice := &resourceapi.ResourceSlice{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
 		},
 		Spec: resourceapi.ResourceSliceSpec{
 			Driver: driver,
-			Pool: resourceapi.ResourcePool{
-				Name:               pool,
-				ResourceSliceCount: 1,
-				Generation:         1,
-			},
+			Pool:   resourcePool,
 		},
 	}
-	for _, device := range devices {
-		slice.Spec.Devices = append(slice.Spec.Devices, resourceapi.Device(device.Device))
-	}
 	switch nodeSelection := nodeSelection.(type) {
 	case *v1.NodeSelector:
 		slice.Spec.NodeSelector = nodeSelection
@@ -550,29 +603,54 @@ func slice(name string, nodeSelection any, pool, driver string, devices ...wrapD
 		panic(fmt.Sprintf("unexpected nodeSelection type %T: %+v", nodeSelection, nodeSelection))
 	}
 
-	return wrapResourceSlice{ResourceSlice: slice}
+	return slice
+}
+
+func sliceWithDevices(name string, nodeSelection, pool any, driver string, devices ...wrapDevice) wrapResourceSliceWithDevices {
+	slice := slice(name, nodeSelection, pool, driver)
+	for _, device := range devices {
+		slice.Spec.Devices = append(slice.Spec.Devices, resourceapi.Device(device.Device))
+	}
+	return wrapResourceSliceWithDevices{ResourceSlice: slice}
+}
+
+type wrapResourceSliceWithDevices struct {
+	*resourceapi.ResourceSlice
+}
+
+func (in wrapResourceSliceWithDevices) obj() *resourceapi.ResourceSlice {
+	return in.ResourceSlice
+}
+
+func sliceWithCounterSets(name string, nodeSelection, pool any, driver string, counterSets ...resourceapi.CounterSet) wrapResourceSliceWithCounterSets {
+	slice := slice(name, nodeSelection, pool, driver)
+	slice.Spec.SharedCounters = counterSets
+	return wrapResourceSliceWithCounterSets{ResourceSlice: slice}
 }
 
-type wrapResourceSlice struct {
+type wrapResourceSliceWithCounterSets struct {
 	*resourceapi.ResourceSlice
 }
 
-func (in wrapResourceSlice) obj() *resourceapi.ResourceSlice {
+func (in wrapResourceSliceWithCounterSets) obj() *resourceapi.ResourceSlice {
 	return in.ResourceSlice
 }
 
-func (in wrapResourceSlice) withCounterSet(counterSets ...resourceapi.CounterSet) wrapResourceSlice {
-	inResourceSlice := in.DeepCopy()
-	inResourceSlice.Spec.SharedCounters = append(inResourceSlice.Spec.SharedCounters, counterSets...)
-	return wrapResourceSlice{ResourceSlice: inResourceSlice}
+func resourcePool(name string, count int64) resourceapi.ResourcePool {
+	return resourceapi.ResourcePool{
+		Name:               name,
+		ResourceSliceCount: count,
+		Generation:         1,
+	}
 }
 
-func deviceAllocationResult(request, driver, pool, device string, adminAccess bool) resourceapi.DeviceRequestAllocationResult {
+func deviceAllocationResult(request, driver, pool, device string, adminAccess bool, tolerations ...resourceapi.DeviceToleration) resourceapi.DeviceRequestAllocationResult {
 	r := resourceapi.DeviceRequestAllocationResult{
-		Request: request,
-		Driver:  driver,
-		Pool:    pool,
-		Device:  device,
+		Request:     request,
+		Driver:      driver,
+		Pool:        pool,
+		Device:      device,
+		Tolerations: tolerations,
 	}
 	if adminAccess {
 		r.AdminAccess = &adminAccess
@@ -747,23 +825,36 @@ type wrapper[T any] interface {
 	obj() T
 }
 
+// convert a list of wrapper objects to a slice
+func unwrapResourceSlices(objs ...resourceSliceWrapper) []*resourceapi.ResourceSlice {
+	out := make([]*resourceapi.ResourceSlice, len(objs))
+	for i, obj := range objs {
+		out[i] = obj.obj()
+	}
+	return out
+}
+
+type resourceSliceWrapper interface {
+	obj() *resourceapi.ResourceSlice
+}
+
 // generate a ResourceSlice object with the given parameters and no devices
-func sliceWithNoDevices(name string, nodeSelection any, pool, driver string) wrapResourceSlice {
-	return slice(name, nodeSelection, pool, driver)
+func sliceWithNoDevices(name string, nodeSelection, pool any, driver string) wrapResourceSliceWithDevices {
+	return sliceWithDevices(name, nodeSelection, pool, driver)
 }
 
 // generate a ResourceSlice object with the given parameters and one device "device-1"
-func sliceWithOneDevice(name string, nodeSelection any, pool, driver string) wrapResourceSlice {
-	return slice(name, nodeSelection, pool, driver, device(device1, nil, nil))
+func sliceWithOneDevice(name string, nodeSelection, pool any, driver string) wrapResourceSliceWithDevices {
+	return sliceWithDevices(name, nodeSelection, pool, driver, device(device1, nil, nil))
 }
 
 // generate a ResourceSclie object with the given parameters and the specified number of devices.
-func sliceWithMultipleDevices(name string, nodeSelection any, pool, driver string, count int) wrapResourceSlice {
+func sliceWithMultipleDevices(name string, nodeSelection, pool any, driver string, count int) wrapResourceSliceWithDevices {
 	var devices []wrapDevice
 	for i := 0; i < count; i++ {
 		devices = append(devices, device(fmt.Sprintf("device-%d", i), nil, nil))
 	}
-	return slice(name, nodeSelection, pool, driver, devices...)
+	return sliceWithDevices(name, nodeSelection, pool, driver, devices...)
 }
 
 func counterSet(name string, counters map[string]resource.Quantity) resourceapi.CounterSet {
@@ -792,7 +883,7 @@ func toCounters(counters map[string]resource.Quantity) map[string]resourceapi.Co
 // deviceRequestAllocationResultWithBindingConditions returns an DeviceRequestAllocationResult object for testing purposes,
 // specifying the driver, pool, device, usage restriction, binding conditions,
 // binding failure conditions, and binding timeout.
-func deviceRequestAllocationResultWithBindingConditions(request, driver, pool, device string, bindingConditions, bindingFailureConditions []string) resourceapi.DeviceRequestAllocationResult {
+func deviceRequestAllocationResultWithBindingConditions(request, driver, pool, device string, bindingConditions, bindingFailureConditions []string, tolerations ...resourceapi.DeviceToleration) resourceapi.DeviceRequestAllocationResult {
 	return resourceapi.DeviceRequestAllocationResult{
 		Request:                  request,
 		Driver:                   driver,
@@ -800,6 +891,7 @@ func deviceRequestAllocationResultWithBindingConditions(request, driver, pool, d
 		Device:                   device,
 		BindingConditions:        bindingConditions,
 		BindingFailureConditions: bindingFailureConditions,
+		Tolerations:              tolerations,
 	}
 }
 
@@ -823,6 +915,11 @@ func TestAllocator(t *testing.T,
 	taintKey := "taint-key"
 	taintValue := "taint-value"
 	taintValue2 := "taint-value-2"
+	taintNone := resourceapi.DeviceTaint{
+		Key:    taintKey,
+		Value:  taintValue,
+		Effect: resourceapi.DeviceTaintEffectNone,
+	}
 	taintNoSchedule := resourceapi.DeviceTaint{
 		Key:    taintKey,
 		Value:  taintValue,
@@ -844,6 +941,11 @@ func TestAllocator(t *testing.T,
 		Value:    taintValue2,
 		Effect:   resourceapi.DeviceTaintEffectNoExecute,
 	}
+	tolerationNoScheduleKey1 := resourceapi.DeviceToleration{
+		Operator: resourceapi.DeviceTolerationOpExists,
+		Key:      "key1",
+		Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+	}
 
 	testcases := map[string]struct {
 		features                 Features
@@ -865,9 +967,9 @@ func TestAllocator(t *testing.T,
 
 		"empty": {},
 		"simple": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -876,9 +978,9 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"other-node": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverB),
 				sliceWithOneDevice(slice2, node2, pool2, driverA),
 			),
@@ -903,7 +1005,7 @@ func TestAllocator(t *testing.T,
 					}}),
 			)),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, map[resourceapi.QualifiedName]resource.Quantity{
 					"memory": resource.MustParse("1Gi"),
 				}, nil),
@@ -936,7 +1038,7 @@ func TestAllocator(t *testing.T,
 			// Reversing the order in which the devices are listed causes the "large" device to
 			// be allocated for the "small" request, leaving the "large" request unsatisfied.
 			// The initial decision needs to be undone before a solution is found.
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device2, map[resourceapi.QualifiedName]resource.Quantity{
 					"memory": resource.MustParse("2Gi"),
 				}, nil),
@@ -973,7 +1075,7 @@ func TestAllocator(t *testing.T,
 			// Reversing the order in which the devices are listed causes the "large" device to
 			// be allocated for the "small" request, leaving the "large" request unsatisfied.
 			// The initial decision needs to be undone before a solution is found.
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device2, map[resourceapi.QualifiedName]resource.Quantity{
 					"memory": resource.MustParse("2Gi"),
 				}, nil),
@@ -998,7 +1100,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice2, node1, pool2, driverA),
 			),
@@ -1011,12 +1113,16 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"obsolete-slice": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(
-				sliceWithOneDevice("slice-1-obsolete", node1, pool1, driverA),
-				func() wrapResourceSlice {
-					slice := sliceWithOneDevice(slice1, node1, pool1, driverA)
+			slices: unwrapResourceSlices(
+				sliceWithDevices("slice-1-obsolete", node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				func() wrapResourceSliceWithDevices {
+					slice := sliceWithDevices("slice-1-obsolete", node1, resourcePool(pool1, 2), driverA,
+						device(device2, nil, nil),
+					)
 					// This makes the other slice obsolete.
 					slice.Spec.Pool.Generation++
 					return slice
@@ -1024,13 +1130,10 @@ func TestAllocator(t *testing.T,
 			),
 			node: node(node1, region1),
 
-			expectResults: []any{allocationResult(
-				localNodeSelector(node1),
-				deviceAllocationResult(req0, driverA, pool1, device1, false),
-			)},
+			expectResults: []any{},
 		},
 		"duplicate-slice": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
 			slices: func() []*resourceapi.ResourceSlice {
 				// This simulates the problem that can
@@ -1049,10 +1152,10 @@ func TestAllocator(t *testing.T,
 			}(),
 			node: node(node1, region1),
 
-			expectError: gomega.MatchError(gomega.ContainSubstring(fmt.Sprintf("pool %s is invalid: duplicate device name %s", pool1, device1))),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
 		},
 		"no-slices": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
 			slices:           nil,
 			node:             node(node1, region1),
@@ -1060,36 +1163,36 @@ func TestAllocator(t *testing.T,
 			expectResults: nil,
 		},
 		"not-enough-suitable-devices": {
-			claimsToAllocate: objects(claim(claim0, req0, classA), claim(claim0, req1, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA), claimWithRequest(claim0, req1, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 
 			node: node(node1, region1),
 
 			expectResults: nil,
 		},
 		"no-classes": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          nil,
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: nil,
 			expectError:   gomega.MatchError(gomega.ContainSubstring("could not retrieve device class class-a")),
 		},
 		"unknown-class": {
-			claimsToAllocate: objects(claim(claim0, req0, "unknown-class")),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, "unknown-class")),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: nil,
 			expectError:   gomega.MatchError(gomega.ContainSubstring("could not retrieve device class unknown-class")),
 		},
 		"empty-class": {
-			claimsToAllocate: objects(claim(claim0, req0, "")),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, "")),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: nil,
@@ -1098,7 +1201,7 @@ func TestAllocator(t *testing.T,
 		"no-claims-to-allocate": {
 			claimsToAllocate: nil,
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: nil,
@@ -1112,7 +1215,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -1129,7 +1232,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice1, node1, pool2, driverA),
 			),
@@ -1151,8 +1254,8 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				func() wrapResourceSlice {
+			slices: unwrapResourceSlices(
+				func() wrapResourceSliceWithDevices {
 					slice := sliceWithOneDevice(slice1, node1, pool1, driverA)
 					// This makes the pool incomplete, one other slice is missing.
 					slice.Spec.Pool.ResourceSliceCount++
@@ -1186,7 +1289,7 @@ func TestAllocator(t *testing.T,
 				class(classA, driverA),
 				class(classB, driverB),
 			),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice1, node1, pool1, driverB),
 			),
@@ -1225,7 +1328,7 @@ func TestAllocator(t *testing.T,
 				class(classA, driverA),
 				class(classB, driverB),
 			),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice1, node1, pool1, driverB),
 			),
@@ -1264,8 +1367,8 @@ func TestAllocator(t *testing.T,
 				class(classA, driverA),
 				class(classB, driverB),
 			),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
@@ -1307,8 +1410,8 @@ func TestAllocator(t *testing.T,
 				class(classA, driverA),
 				class(classB, driverB),
 			),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
@@ -1350,7 +1453,7 @@ func TestAllocator(t *testing.T,
 			classes: objects(
 				class(classA, driverA),
 			),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 			),
 			node: node(node1, region1),
@@ -1377,7 +1480,7 @@ func TestAllocator(t *testing.T,
 			classes: objects(
 				class(classA, driverA),
 			),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 			),
 			node: node(node1, region1),
@@ -1391,7 +1494,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes:       objects(class(classA, driverA)),
-			slices:        unwrap(sliceWithNoDevices(slice1, node1, pool1, driverA)),
+			slices:        unwrapResourceSlices(sliceWithNoDevices(slice1, node1, pool1, driverA)),
 			node:          node(node1, region1),
 			expectResults: nil,
 		},
@@ -1420,8 +1523,8 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device1),
 			},
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node:          node(node1, region1),
 			expectResults: nil,
@@ -1431,7 +1534,7 @@ func TestAllocator(t *testing.T,
 				AdminAccess: true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				c.Spec.Devices.Requests[0].Exactly.AllocationMode = resourceapi.DeviceAllocationModeAll
 				return []wrapResourceClaim{c}
@@ -1440,8 +1543,8 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device1),
 			},
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node: node(node1, region1),
 			expectResults: []any{allocationResult(
@@ -1464,8 +1567,8 @@ func TestAllocator(t *testing.T,
 				return []wrapResourceClaim{c}
 			}(),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node:          node(node1, region1),
 			expectResults: nil,
@@ -1475,7 +1578,7 @@ func TestAllocator(t *testing.T,
 				AdminAccess: true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				c.Spec.Devices.Requests[0].Exactly.AllocationMode = resourceapi.DeviceAllocationModeExactCount
 				c.Spec.Devices.Requests[0].Exactly.Count = 2
@@ -1485,8 +1588,8 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device1),
 			},
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node: node(node1, region1),
 			expectResults: []any{allocationResult(
@@ -1500,16 +1603,16 @@ func TestAllocator(t *testing.T,
 				AdminAccess: true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c1 := claim(claim0, req0, classA)
+				c1 := claimWithRequest(claim0, req0, classA)
 				c1.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 
-				c2 := claim(claim1, req0, classA)
+				c2 := claimWithRequest(claim1, req0, classA)
 				c2.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				return []wrapResourceClaim{c1, c2}
 			}(),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node: node(node1, region1),
 			expectResults: []any{
@@ -1528,13 +1631,13 @@ func TestAllocator(t *testing.T,
 				AdminAccess: true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				admin := claim(claim1, req0, classA)
+				admin := claimWithRequest(claim1, req0, classA)
 				admin.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
-				return []wrapResourceClaim{claim(claim0, req0, classA), admin}
+				return []wrapResourceClaim{claimWithRequest(claim0, req0, classA), admin}
 			}(),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 			),
 			node: node(node1, region1),
 			expectResults: []any{
@@ -1554,7 +1657,7 @@ func TestAllocator(t *testing.T,
 			},
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claimWithRequests(claim0, nil,
+					claim := claim(claim0).withRequests(
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
 							subRequest(subReq1, classB, 1),
@@ -1566,7 +1669,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithNoDevices(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice2, node1, pool2, driverB),
 			),
@@ -1582,7 +1685,7 @@ func TestAllocator(t *testing.T,
 			},
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claimWithRequests(claim0, nil,
+					claim := claim(claim0).withRequests(
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
 							subRequest(subReq1, classB, 1),
@@ -1594,7 +1697,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice2, node1, pool2, driverB),
 			),
 			node: node(node1, region1),
@@ -1609,7 +1712,7 @@ func TestAllocator(t *testing.T,
 			},
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claimWithRequests(claim0, nil,
+					claim := claim(claim0).withRequests(
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
 							subRequest(subReq1, classB, 1),
@@ -1624,8 +1727,8 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device1),
 			},
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA, device(device1, nil, nil), device(device2, nil, nil)),
 				sliceWithOneDevice(slice2, node1, pool2, driverB),
 			),
 			node: node(node1, region1),
@@ -1635,9 +1738,9 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"network-attached-device": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -1646,9 +1749,9 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"unsuccessful-allocation-network-attached-device": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA)),
 			// Wrong region, no devices available.
 			node: node(node2, region2),
 
@@ -1657,7 +1760,7 @@ func TestAllocator(t *testing.T,
 		"many-network-attached-devices": {
 			claimsToAllocate: objects(claimWithRequests(claim0, nil, request(req0, classA, 4))),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA),
 				sliceWithOneDevice(slice1, nodeSelectionAll, pool2, driverA),
 				sliceWithOneDevice(slice1, nodeLabelSelector(planetKey, planetValueEarth), pool3, driverA),
@@ -1687,7 +1790,7 @@ func TestAllocator(t *testing.T,
 		"local-and-network-attached-devices": {
 			claimsToAllocate: objects(claimWithRequests(claim0, nil, request(req0, classA, 2))),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, nodeLabelSelector(regionKey, region1), pool1, driverA),
 				sliceWithOneDevice(slice1, node1, pool2, driverA),
 			),
@@ -1701,10 +1804,10 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"several-different-drivers": {
-			claimsToAllocate: objects(claim(claim0, req0, classA), claim(claim0, req0, classB)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA), claimWithRequest(claim0, req0, classB)),
 			classes:          objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
@@ -1718,13 +1821,13 @@ func TestAllocator(t *testing.T,
 			},
 		},
 		"already-allocated-devices": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			allocatedDevices: []DeviceID{
 				MakeDeviceID(driverA, pool1, device1),
 				MakeDeviceID(driverA, pool1, device2),
 			},
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: nil,
@@ -1734,12 +1837,12 @@ func TestAllocator(t *testing.T,
 				AdminAccess: false,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				return []wrapResourceClaim{c}
 			}(),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: nil,
@@ -1750,7 +1853,7 @@ func TestAllocator(t *testing.T,
 				AdminAccess: true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				return []wrapResourceClaim{c}
 			}(),
@@ -1759,7 +1862,7 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device2),
 			},
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: []any{
@@ -1780,7 +1883,7 @@ func TestAllocator(t *testing.T,
 			),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"driverVersion":   {VersionValue: ptr.To("1.0.0")},
 					"numa":            {IntValue: ptr.To(int64(1))},
@@ -1803,11 +1906,11 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"with-constraint-non-existent-attribute": {
-			claimsToAllocate: objects(claim(claim0, req0, classA, resourceapi.DeviceConstraint{
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA, resourceapi.DeviceConstraint{
 				MatchAttribute: &nonExistentAttribute,
 			})),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: nil,
@@ -1819,7 +1922,7 @@ func TestAllocator(t *testing.T,
 				request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"numa": {IntValue: ptr.To(int64(1))},
 				}),
@@ -1844,7 +1947,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"numa": {IntValue: ptr.To(int64(1))},
 				}),
@@ -1863,7 +1966,7 @@ func TestAllocator(t *testing.T,
 				request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"stringAttribute": {StringValue: ptr.To("stringAttributeValue")},
 				}),
@@ -1882,7 +1985,7 @@ func TestAllocator(t *testing.T,
 				request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"boolAttribute": {BoolValue: ptr.To(true)},
 				}),
@@ -1901,7 +2004,7 @@ func TestAllocator(t *testing.T,
 				request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"driverVersion": {VersionValue: ptr.To("1.0.0")},
 				}),
@@ -1926,7 +2029,7 @@ func TestAllocator(t *testing.T,
 				request(req1, classA, 1),
 			)),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 					"driverVersion": {VersionValue: ptr.To("1.0.0")},
 				}),
@@ -1958,7 +2061,7 @@ func TestAllocator(t *testing.T,
 				request(req1, classA, 1),
 			)),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				// This device does not satisfy the second
 				// match attribute, so the allocator must
 				// backtrack.
@@ -1984,9 +2087,9 @@ func TestAllocator(t *testing.T,
 			)},
 		},
 		"with-class-device-config": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(classWithConfig(classA, driverA, "classAttribute")),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: []any{
@@ -2041,7 +2144,7 @@ func TestAllocator(t *testing.T,
 		"claim-with-device-config": {
 			claimsToAllocate: objects(claimWithDeviceConfig(claim0, req0, classA, driverA, "deviceAttribute")),
 			classes:          objects(class(classA, driverA)),
-			slices:           unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:           unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:             node(node1, region1),
 
 			expectResults: []any{
@@ -2057,7 +2160,7 @@ func TestAllocator(t *testing.T,
 		"unknown-selector": {
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claim(claim0, req0, classA)
+					claim := claimWithRequest(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Exactly.Selectors = []resourceapi.DeviceSelector{
 						{ /* empty = unknown future selector */ },
 					}
@@ -2065,7 +2168,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("CEL expression empty (unsupported selector type?)")),
@@ -2073,13 +2176,13 @@ func TestAllocator(t *testing.T,
 		"unknown-allocation-mode": {
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claim(claim0, req0, classA)
+					claim := claimWithRequest(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Exactly.AllocationMode = resourceapi.DeviceAllocationMode("future-mode")
 					return claim
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("unsupported count mode future-mode")),
@@ -2087,7 +2190,7 @@ func TestAllocator(t *testing.T,
 		"unknown-constraint": {
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claim(claim0, req0, classA)
+					claim := claimWithRequest(claim0, req0, classA)
 					claim.Spec.Devices.Constraints = []resourceapi.DeviceConstraint{
 						{ /* empty = unknown */ },
 					}
@@ -2095,7 +2198,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("empty constraint (unsupported constraint type?)")),
@@ -2103,7 +2206,7 @@ func TestAllocator(t *testing.T,
 		"invalid-CEL-one-device": {
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claim(claim0, req0, classA)
+					claim := claimWithRequest(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Exactly.Selectors = []resourceapi.DeviceSelector{
 						{CEL: &resourceapi.CELDeviceSelector{Expression: "noSuchVar"}},
 					}
@@ -2111,13 +2214,13 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("undeclared reference")),
 		},
 		"invalid-CEL-one-device-class": {
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes: objects(
 				func() *resourceapi.DeviceClass {
 					c := class(classA, driverA)
@@ -2125,7 +2228,7 @@ func TestAllocator(t *testing.T,
 					return c
 				}(),
 			),
-			slices: unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices: unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:   node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("undeclared reference")),
@@ -2133,7 +2236,7 @@ func TestAllocator(t *testing.T,
 		"invalid-CEL-all-devices": {
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claim(claim0, req0, classA)
+					claim := claimWithRequest(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Exactly.Selectors = []resourceapi.DeviceSelector{
 						{CEL: &resourceapi.CELDeviceSelector{Expression: "noSuchVar"}},
 					}
@@ -2142,7 +2245,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("undeclared reference")),
@@ -2165,7 +2268,7 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize+1)),
+			slices:  unwrapResourceSlices(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize+1)),
 			node:    node(node1, region1),
 
 			expectError: gomega.MatchError(gomega.ContainSubstring("exceeds the claim limit")),
@@ -2180,12 +2283,14 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classB, 1),
-				subRequest(subReq1, classA, 1),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classB, 1),
+						subRequest(subReq1, classA, 1),
+					))),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -2197,12 +2302,14 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classB, 2),
-				subRequest(subReq1, classA, 2),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classB, 2),
+						subRequest(subReq1, classA, 2),
+					))),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithOneDevice(slice1, node1, pool1, driverA),
 				sliceWithOneDevice(slice2, node1, pool2, driverB),
 			),
@@ -2215,14 +2322,12 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithAll(claim0,
-					objects(
-						requestWithPrioritizedList(req0,
-							subRequest(subReq0, classA, 1),
-							subRequest(subReq1, classB, 2),
-						),
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classA, 1),
+						subRequest(subReq1, classB, 2),
 					),
-					nil,
+				).withConfigs(
 					objects(
 						deviceClaimConfig([]string{req0SubReq0}, deviceConfiguration(driverA, "foo")),
 						deviceClaimConfig([]string{req0SubReq1}, deviceConfiguration(driverB, "bar")),
@@ -2230,7 +2335,7 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverB,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverB,
 				device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{}),
 				device(device2, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{}),
 			)),
@@ -2257,20 +2362,22 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classA, 2),
-				subRequest(subReq1, classB, 2),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classA, 2),
+						subRequest(subReq1, classB, 2),
+					))),
 			classes: objects(
 				classWithConfig(classA, driverA, "foo"),
 				classWithConfig(classB, driverB, "bar"),
 			),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverB,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverB,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice2, node1, pool2, driverA,
 					device(device3, nil, nil),
 				),
 			),
@@ -2296,11 +2403,13 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
-					request(req0, classA, 1, resourceapi.DeviceSelector{
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("1Gi")) >= 0`, driverA),
-						}},
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1).withSelectors(
+						resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("1Gi")) >= 0`, driverA),
+							},
+						},
 					),
 					requestWithPrioritizedList(req1,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
@@ -2315,7 +2424,7 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, map[resourceapi.QualifiedName]resource.Quantity{
 					"memory": resource.MustParse("2Gi"),
 				}, nil),
@@ -2340,14 +2449,13 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0,
-					[]resourceapi.DeviceConstraint{
-						{
-							Requests:       []string{req0, req1},
-							MatchAttribute: &versionAttribute,
-						},
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{
+						Requests:       []string{req0, req1},
+						MatchAttribute: &versionAttribute,
 					},
-					request(req0, classA, 1, resourceapi.DeviceSelector{
+				).withRequests(
+					deviceRequest(req0, classA, 1).withSelectors(resourceapi.DeviceSelector{
 						CEL: &resourceapi.CELDeviceSelector{
 							Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
 						}},
@@ -2367,8 +2475,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2378,7 +2486,7 @@ func TestAllocator(t *testing.T,
 						},
 					),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice2, node1, pool2, driverA,
 					device(device2,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("2Gi"),
@@ -2410,14 +2518,13 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0,
-					[]resourceapi.DeviceConstraint{
-						{
-							Requests:       []string{req0, req1SubReq0},
-							MatchAttribute: &versionAttribute,
-						},
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{
+						Requests:       []string{req0, req1SubReq0},
+						MatchAttribute: &versionAttribute,
 					},
-					request(req0, classA, 1, resourceapi.DeviceSelector{
+				).withRequests(
+					deviceRequest(req0, classA, 1).withSelectors(resourceapi.DeviceSelector{
 						CEL: &resourceapi.CELDeviceSelector{
 							Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
 						}},
@@ -2437,8 +2544,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2448,7 +2555,7 @@ func TestAllocator(t *testing.T,
 						},
 					),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice2, node1, pool2, driverA,
 					device(device2,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("2Gi"),
@@ -2473,7 +2580,7 @@ func TestAllocator(t *testing.T,
 			},
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claimWithRequests(claim0, nil,
+					claim := claim(claim0).withRequests(
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
 							subRequest(subReq1, classA, 1),
@@ -2485,8 +2592,8 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
@@ -2506,22 +2613,17 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
-					request(req0, classA, 1),
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
 					requestWithPrioritizedList(req1,
-						func() resourceapi.DeviceSubRequest {
-							subReq := subRequest(subReq0, classA, 1)
-							subReq.AllocationMode = resourceapi.DeviceAllocationModeAll
-							subReq.Count = 0
-							return subReq
-						}(),
+						subRequest(subReq0, classA, 0).withAllocationMode(resourceapi.DeviceAllocationModeAll),
 						subRequest(subReq1, classA, 1),
 					),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 				),
@@ -2540,7 +2642,7 @@ func TestAllocator(t *testing.T,
 			},
 			claimsToAllocate: objects(
 				func() wrapResourceClaim {
-					claim := claimWithRequests(claim0, nil,
+					claim := claim(claim0).withRequests(
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
 						),
@@ -2549,7 +2651,7 @@ func TestAllocator(t *testing.T,
 				}(),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: nil,
@@ -2560,11 +2662,12 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
-					request(req1, classA, 1, resourceapi.DeviceSelector{
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
-						}},
+				claim(claim0).withRequests(
+					deviceRequest(req1, classA, 1).withSelectors(
+						resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
+							}},
 					),
 					requestWithPrioritizedList(req0,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
@@ -2581,8 +2684,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2590,7 +2693,7 @@ func TestAllocator(t *testing.T,
 						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{},
 					),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice2, node1, pool2, driverA,
 					device(device2,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("4Gi"),
@@ -2611,7 +2714,7 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
 							CEL: &resourceapi.CELDeviceSelector{
@@ -2624,16 +2727,17 @@ func TestAllocator(t *testing.T,
 							}},
 						),
 					),
-					request(req1, classA, 1, resourceapi.DeviceSelector{
-						CEL: &resourceapi.CELDeviceSelector{
-							Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
-						}},
+					deviceRequest(req1, classA, 1).withSelectors(
+						resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("8Gi")) >= 0`, driverA),
+							}},
 					),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2641,7 +2745,7 @@ func TestAllocator(t *testing.T,
 						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{},
 					),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice2, node1, pool2, driverA,
 					device(device2,
 						map[resourceapi.QualifiedName]resource.Quantity{
 							"memory": resource.MustParse("4Gi"),
@@ -2661,12 +2765,13 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classB, 500),
-				subRequest(subReq1, classA, 1),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(requestWithPrioritizedList(req0,
+					subRequest(subReq0, classB, 500),
+					subRequest(subReq1, classA, 1),
+				))),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices:  unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			slices:  unwrapResourceSlices(sliceWithOneDevice(slice1, node1, pool1, driverA)),
 			node:    node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -2682,8 +2787,8 @@ func TestAllocator(t *testing.T,
 				claimWithRequests(claim0, nil, request(req0, classA, 1)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, nil, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -2691,7 +2796,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2711,8 +2817,8 @@ func TestAllocator(t *testing.T,
 				PartitionableDevices: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
-					request(req0, classA, 1),
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
 					requestWithPrioritizedList(req1,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
 							CEL: &resourceapi.CELDeviceSelector{
@@ -2728,8 +2834,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -2751,7 +2857,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2777,8 +2884,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -2800,7 +2907,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -2821,8 +2929,8 @@ func TestAllocator(t *testing.T,
 				PartitionableDevices: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
-					request(req0, classA, 1),
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
 					requestWithPrioritizedList(req1,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
 							CEL: &resourceapi.CELDeviceSelector{
@@ -2838,8 +2946,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -2876,7 +2984,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -2907,8 +3016,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -2951,7 +3060,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"cpus":   resource.MustParse("8"),
@@ -2984,8 +3094,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3010,7 +3120,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"cpus":   resource.MustParse("8"),
@@ -3018,7 +3129,7 @@ func TestAllocator(t *testing.T,
 						},
 					),
 				),
-				slice(slice2, node1, pool2, driverA,
+				sliceWithDevices(slice3, node1, resourcePool(pool2, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3043,7 +3154,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice4, node1, resourcePool(pool2, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"cpus":   resource.MustParse("8"),
@@ -3072,8 +3184,8 @@ func TestAllocator(t *testing.T,
 				claimWithRequests(claim0, nil, request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, nil, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3095,7 +3207,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -3121,8 +3234,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3137,7 +3250,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, pool1, driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3161,8 +3275,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3177,7 +3291,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, pool1, driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3201,8 +3316,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3210,7 +3325,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, pool1, driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3231,8 +3347,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, nil, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3241,7 +3357,8 @@ func TestAllocator(t *testing.T,
 						),
 					),
 					device(device2, nil, nil),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3265,8 +3382,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, nodeSelectionPerDevice, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, nodeSelectionPerDevice, pool1, driverA,
 					device(device2, nil, nil).withNodeSelection(node1),
 				),
 			),
@@ -3279,7 +3396,7 @@ func TestAllocator(t *testing.T,
 				PrioritizedList:      true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
 						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
 							CEL: &resourceapi.CELDeviceSelector{
@@ -3295,8 +3412,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, nodeSelectionPerDevice, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3311,7 +3428,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					).withNodeSelection(node2),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3334,8 +3452,8 @@ func TestAllocator(t *testing.T,
 				claimWithRequests(claim0, nil, request(req0, classA, 1)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, nodeSelectionPerDevice, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3343,7 +3461,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					).withNodeSelection(nodeLabelSelector(regionKey, region1)),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
@@ -3375,8 +3494,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
-				slice(slice1, nodeSelectionPerDevice, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
@@ -3398,14 +3517,15 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					).withNodeSelection(nodeSelectionAll),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, nodeSelectionPerDevice, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("18Gi"),
 						},
 					),
 				),
-				slice(slice2, node1, pool2, driverB,
+				sliceWithDevices(slice3, node1, resourcePool(pool2, 2), driverB,
 					device(device1, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet2,
 							map[string]resource.Quantity{
@@ -3427,7 +3547,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice4, node1, resourcePool(pool2, 2), driverB,
 					counterSet(counterSet2,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("12Gi"),
@@ -3456,9 +3577,9 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				DeviceTaints: true,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 				device(device2, nil, nil).withTaints(taintNoExecute),
 			)),
@@ -3468,9 +3589,9 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				DeviceTaints: true,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
 			)),
 			node: node(node1, region1),
@@ -3479,40 +3600,76 @@ func TestAllocator(t *testing.T,
 			features: Features{
 				DeviceTaints: true,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA).withTolerations(tolerationNoExecute)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA).withTolerations(tolerationNoExecute)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+				device(device2, nil, nil).withTaints(taintNoExecute),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device2, false, tolerationNoExecute), // Only second device's taints are tolerated.
+			)},
+		},
+		"tainted-two-devices-prioritized-list-tolerated": {
+			features: Features{
+				DeviceTaints:    true,
+				PrioritizedList: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(requestWithPrioritizedList(req0,
+					subRequest(subReq0, classA, 1),
+					subRequest(subReq1, classA, 1, tolerationNoExecute),
+				))),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 				device(device2, nil, nil).withTaints(taintNoExecute),
 			)),
 			node: node(node1, region1),
 			expectResults: []any{allocationResult(
 				localNodeSelector(node1),
-				deviceAllocationResult(req0, driverA, pool1, device2, false), // Only second device's taints are tolerated.
+				deviceAllocationResult(req0SubReq1, driverA, pool1, device2, false, tolerationNoExecute), // Only second device's taints are tolerated.
+			)},
+		},
+		"tainted-no-effect": {
+			features: Features{
+				DeviceTaints: true,
+			},
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNone),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device1, false),
 			)},
 		},
 		"tainted-one-device-two-taints-both-tolerated": {
 			features: Features{
 				DeviceTaints: true,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA).withTolerations(tolerationNoSchedule, tolerationNoExecute)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA).withTolerations(tolerationNoSchedule, tolerationNoExecute)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
 			)),
 			node: node(node1, region1),
 			expectResults: []any{allocationResult(
 				localNodeSelector(node1),
-				deviceAllocationResult(req0, driverA, pool1, device1, false),
+				deviceAllocationResult(req0, driverA, pool1, device1, false, tolerationNoSchedule, tolerationNoExecute),
 			)},
 		},
 		"tainted-disabled": {
 			features: Features{
 				DeviceTaints: false,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
 			)),
 			node: node(node1, region1),
@@ -3526,12 +3683,14 @@ func TestAllocator(t *testing.T,
 				DeviceTaints:    true,
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classB, 1),
-				subRequest(subReq1, classA, 1),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classB, 1),
+						subRequest(subReq1, classA, 1),
+					))),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3541,12 +3700,14 @@ func TestAllocator(t *testing.T,
 				DeviceTaints:    false,
 				PrioritizedList: true,
 			},
-			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
-				subRequest(subReq0, classB, 1),
-				subRequest(subReq1, classA, 1),
-			))),
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classB, 1),
+						subRequest(subReq1, classA, 1),
+					))),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3562,7 +3723,7 @@ func TestAllocator(t *testing.T,
 				AdminAccess:  true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				return []wrapResourceClaim{c}
 			}(),
@@ -3571,7 +3732,7 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device2),
 			},
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3582,7 +3743,7 @@ func TestAllocator(t *testing.T,
 				AdminAccess:  true,
 			},
 			claimsToAllocate: func() []wrapResourceClaim {
-				c := claim(claim0, req0, classA)
+				c := claimWithRequest(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 				return []wrapResourceClaim{c}
 			}(),
@@ -3591,7 +3752,7 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device2),
 			},
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3613,7 +3774,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3630,7 +3791,7 @@ func TestAllocator(t *testing.T,
 				},
 			})),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withTaints(taintNoSchedule),
 			)),
 			node: node(node1, region1),
@@ -3645,19 +3806,15 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
-						resourceapi.DeviceSubRequest{
-							Name:            subReq0,
-							AllocationMode:  resourceapi.DeviceAllocationModeAll,
-							DeviceClassName: classA,
-						},
+						subRequest(subReq0, classA, 0).withAllocationMode(resourceapi.DeviceAllocationModeAll),
 						subRequest(subReq1, classA, 1),
 					),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil),
 				device(device2, nil, nil),
 			)),
@@ -3677,7 +3834,7 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize)),
+			slices:  unwrapResourceSlices(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize)),
 			node:    node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -3700,8 +3857,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, nil,
 						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 							"special": {
@@ -3756,7 +3913,8 @@ func TestAllocator(t *testing.T,
 							},
 						),
 					),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"cpu1": resource.MustParse("1"),
@@ -3784,7 +3942,7 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
 						subRequest(subReq0, classA, resourceapi.AllocationResultsMaxSize),
 						subRequest(subReq1, classA, resourceapi.AllocationResultsMaxSize/2),
@@ -3796,7 +3954,7 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices:  unwrap(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize*2)),
+			slices:  unwrapResourceSlices(sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize*2)),
 			node:    node(node1, region1),
 
 			expectResults: []any{allocationResult(
@@ -3813,20 +3971,16 @@ func TestAllocator(t *testing.T,
 				PrioritizedList: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
-						resourceapi.DeviceSubRequest{
-							Name:            subReq0,
-							AllocationMode:  resourceapi.DeviceAllocationModeAll,
-							DeviceClassName: classA,
-						},
+						subRequest(subReq0, classA, 0).withAllocationMode(resourceapi.DeviceAllocationModeAll),
 						subRequest(subReq1, classA, 2),
 					),
-					request(req1, classB, 2),
+					deviceRequest(req1, classB, 2),
 				),
 			),
 			classes: objects(class(classA, driverA), class(classB, driverB)),
-			slices: unwrap(
+			slices: unwrapResourceSlices(
 				sliceWithMultipleDevices(slice1, node1, pool1, driverA, resourceapi.AllocationResultsMaxSize-1),
 				sliceWithMultipleDevices(slice2, node1, pool2, driverB, 2),
 			),
@@ -3842,13 +3996,12 @@ func TestAllocator(t *testing.T,
 		},
 		"device-binding-conditions": {
 			features: Features{
-				DeviceBinding: true,
-				DeviceStatus:  true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil, request(req0, classA, 1))),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}))),
 			node: node(node1, region1),
 
@@ -3865,15 +4018,14 @@ func TestAllocator(t *testing.T,
 		},
 		"binding-conditions-multiple-devices": {
 			features: Features{
-				DeviceBinding: true,
-				DeviceStatus:  true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil,
 					request(req0, classA, 2),
 					request(req1, classA, 1))),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}),
 				device(device2, nil, nil).withBindingConditions([]string{"IsPrepare2"}, []string{"BindingFailed2"}),
 				device(device3, nil, nil).withBindingConditions([]string{"IsPrepare3"}, []string{"BindingFailed3"}),
@@ -3892,53 +4044,51 @@ func TestAllocator(t *testing.T,
 				},
 			},
 		},
-		"binding-conditions-without-feature-gate": {
-			features: Features{
-				DeviceBinding: false,
-				DeviceStatus:  false,
-			},
-			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil, request(req0, classA, 1))),
-			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
-				device(device1, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}))),
-			node:          node(node1, region1),
-			expectResults: nil,
-		},
-		"device-binding-conditions-without-binding-conditions-feature-gate": {
+		"binding-conditions-with-and-without": {
 			features: Features{
-				DeviceBinding: false,
-				DeviceStatus:  true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil, request(req0, classA, 1))),
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+					request(req1, classA, 1))),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
-				device(device1, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}))),
-			node:          node(node1, region1),
-			expectResults: nil,
-		},
-		"device-binding-conditions-without-device-status-feature-gate": {
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
+				device(device1, nil, nil),
+				device(device2, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{
+				resourceapi.AllocationResult{
+					Devices: resourceapi.DeviceAllocationResult{
+						Results: []resourceapi.DeviceRequestAllocationResult{
+							deviceAllocationResult(req0, driverA, pool1, device1, false),
+							deviceRequestAllocationResultWithBindingConditions(req1, driverA, pool1, device2, []string{"IsPrepare"}, []string{"BindingFailed"}),
+						},
+					},
+					NodeSelector: localNodeSelector(node1),
+				},
+			},
+		},
+		"binding-conditions-without-feature-gate": {
 			features: Features{
-				DeviceBinding: true,
-				DeviceStatus:  false,
+				DeviceBindingAndStatus: false,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil, request(req0, classA, 1))),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 				device(device1, nil, nil).withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}))),
 			node:          node(node1, region1),
 			expectResults: nil,
 		},
 		"node-restriction": {
 			features: Features{
-				DeviceBinding: true,
-				DeviceStatus:  true,
+				DeviceBindingAndStatus: true,
 			},
-			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
 			classes:          objects(class(classA, driverA)),
-			slices: unwrap(slice(slice1, nodeLabelSelector(planetKey, planetValueEarth), pool1, driverA,
+			slices: unwrapResourceSlices(sliceWithDevices(slice1, nodeLabelSelector(planetKey, planetValueEarth), pool1, driverA,
 				device(device1, nil, nil).withBindsToNode(true))),
 			node: node(node1, region1),
 			expectResults: []any{allocationResult(
@@ -3948,16 +4098,15 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil, request(req0, classA, 1)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -3965,7 +4114,8 @@ func TestAllocator(t *testing.T,
 							}),
 						).
 						withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
@@ -3985,9 +4135,8 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions-multiple": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil,
@@ -3995,8 +4144,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -4011,7 +4160,8 @@ func TestAllocator(t *testing.T,
 							}),
 						).
 						withBindingConditions([]string{"IsPrepare2"}, []string{"BindingFailed2"}),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
@@ -4032,9 +4182,8 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions-some-devices-no-conditions": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil,
@@ -4042,8 +4191,8 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -4064,7 +4213,8 @@ func TestAllocator(t *testing.T,
 							}),
 						).
 						withBindingConditions([]string{"IsReady"}, []string{"BindingTimeout"}),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
@@ -4086,16 +4236,15 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions-multi-slices": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil, request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 4), driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -4103,20 +4252,22 @@ func TestAllocator(t *testing.T,
 							}),
 						).
 						withBindingConditions([]string{"IsPrepare"}, []string{"BindingFailed"}),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 4), driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
 				),
-				slice(slice2, node1, pool1, driverA,
+				sliceWithDevices(slice3, node1, resourcePool(pool1, 4), driverA,
 					device(device2, fromCounters, nil).
 						withDeviceCounterConsumption(
-							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							deviceCounterConsumption(counterSet2, map[string]resource.Quantity{
 								"memory": resource.MustParse("4Gi"),
 							}),
 						),
-				).withCounterSet(
-					counterSet(counterSet1, map[string]resource.Quantity{
+				),
+				sliceWithCounterSets(slice4, node1, resourcePool(pool1, 4), driverA,
+					counterSet(counterSet2, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
 				),
@@ -4136,17 +4287,16 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions-and-taints": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
-				DeviceTaints:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
+				DeviceTaints:           true,
 			},
 			claimsToAllocate: objects(
 				claimWithRequests(claim0, nil, request(req0, classA, 2)),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -4165,7 +4315,8 @@ func TestAllocator(t *testing.T,
 								"memory": resource.MustParse("4Gi"),
 							}),
 						),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, pool1, driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
@@ -4176,21 +4327,16 @@ func TestAllocator(t *testing.T,
 		},
 		"partitionable-devices-with-binding-conditions-and-taints-tolerated": {
 			features: Features{
-				PartitionableDevices: true,
-				DeviceBinding:        true,
-				DeviceStatus:         true,
-				DeviceTaints:         true,
+				PartitionableDevices:   true,
+				DeviceBindingAndStatus: true,
+				DeviceTaints:           true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil, request(req0, classA, 2)).withTolerations(resourceapi.DeviceToleration{
-					Operator: resourceapi.DeviceTolerationOpExists,
-					Key:      "key1",
-					Effect:   resourceapi.DeviceTaintEffectNoSchedule,
-				}),
+				claimWithRequests(claim0, nil, request(req0, classA, 2)).withTolerations(tolerationNoScheduleKey1),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
 					device(device1, fromCounters, nil).
 						withDeviceCounterConsumption(
 							deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
@@ -4209,7 +4355,8 @@ func TestAllocator(t *testing.T,
 								"memory": resource.MustParse("4Gi"),
 							}),
 						),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1, map[string]resource.Quantity{
 						"memory": resource.MustParse("8Gi"),
 					}),
@@ -4220,25 +4367,116 @@ func TestAllocator(t *testing.T,
 				resourceapi.AllocationResult{
 					Devices: resourceapi.DeviceAllocationResult{
 						Results: []resourceapi.DeviceRequestAllocationResult{
-							deviceRequestAllocationResultWithBindingConditions(req0, driverA, pool1, device1, []string{"IsPrepare"}, []string{"BindingFailed"}),
-							deviceRequestAllocationResultWithBindingConditions(req0, driverA, pool1, device2, nil, nil),
+							deviceRequestAllocationResultWithBindingConditions(req0, driverA, pool1, device1, []string{"IsPrepare"}, []string{"BindingFailed"}, tolerationNoScheduleKey1),
+							deviceRequestAllocationResultWithBindingConditions(req0, driverA, pool1, device2, nil, nil, tolerationNoScheduleKey1),
 						},
 					},
 					NodeSelector: localNodeSelector(node1),
 				},
 			},
 		},
+		"consumable-capacity-disabled-feature": {
+			features: Features{
+				DeviceBindingAndStatus: true, // add to forcefully use experimenting allocator
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+			),
+			classes:       objects(class(classA, driverA)),
+			slices:        unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			node:          node(node1, region1),
+			expectResults: nil,
+			expectError:   gomega.MatchError(gomega.ContainSubstring("claim claim-0, request req-0: has capacity requests, but the DRAConsumableCapacity feature is disabled")),
+		},
+		"consumable-capacity-disabled-feature-with-prioritized-list": {
+			features: Features{
+				PrioritizedList:        true,
+				DeviceBindingAndStatus: true, // add to forcefully use experimenting allocator
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(
+						req0,
+						subRequest(subReq0, classA, 1).withCapacityRequest(ptr.To(one)),
+						subRequest(subReq1, classA, 1).withCapacityRequest(ptr.To(one)),
+					),
+				),
+			),
+			classes:       objects(class(classA, driverA)),
+			slices:        unwrap(sliceWithOneDevice(slice1, node1, pool1, driverA)),
+			node:          node(node1, region1),
+			expectResults: nil,
+			expectError:   gomega.MatchError(gomega.ContainSubstring("claim claim-0, subrequest subReq-0: has capacity requests, but the DRAConsumableCapacity feature is disabled")),
+		},
+		"consumable-capacity-multi-allocatable-device-with-missing-capacity-request": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity1: one}, nil).withAllowMultipleAllocations(),
+				),
+			),
+			node:          node(node1, region1),
+			expectResults: []any{},
+		},
+		"consumable-capacity-multi-allocatable-device-allocation-mode-all-with-missing-capacity-request": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(one))),
+			),
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity1: one}, nil).withAllowMultipleAllocations(),
+				),
+			),
+			node:          node(node1, region1),
+			expectResults: []any{},
+		},
+		"consumable-capacity-multi-allocatable-device-without-capacity-without-capacity-request": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1)),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1)),
+			),
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, nil).withAllowMultipleAllocations(),
+				),
+			),
+			node: node(node1, region1),
+			expectResults: []any{ // both share the same device; no capacity is consumed since none is defined.
+				allocationResult(
+					localNodeSelector(node1),
+					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
+				),
+				allocationResult(
+					localNodeSelector(node1),
+					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
+				),
+			},
+		},
 		"consumable-capacity-multi-allocatable-device-without-policy-without-capacity-request": {
 			features: Features{
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1)),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1)),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1)),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1)),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
@@ -4260,12 +4498,12 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1)),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1)),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1)),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1)),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 				),
 			),
@@ -4277,12 +4515,12 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 				),
 			),
@@ -4307,8 +4545,8 @@ func TestAllocator(t *testing.T,
 				claimWithRequests(claim1, nil, request(req0, classA, 1)),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
 				),
 			),
@@ -4334,8 +4572,8 @@ func TestAllocator(t *testing.T,
 				claimWithRequests(claim1, nil, request(req0, classA, 1)),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyValidValues(zero, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil),
 				),
 			),
@@ -4357,11 +4595,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyValidValues(zero, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil),
 				),
 			),
@@ -4374,12 +4612,12 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
 				),
 			),
@@ -4402,11 +4640,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(3, resource.BinarySI))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(3, resource.BinarySI))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
 				),
 			),
@@ -4424,11 +4662,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(2, resource.BinarySI))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(2, resource.BinarySI))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyValidValues(one, map[resourceapi.QualifiedName]resource.Quantity{capacity0: four},
 						[]resource.Quantity{two}),
 				),
@@ -4446,11 +4684,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(2, resource.BinarySI))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(2, resource.BinarySI))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyValidValues(one, map[resourceapi.QualifiedName]resource.Quantity{capacity0: three},
 						[]resource.Quantity{three}), // capacity value must be explicitly added
 				),
@@ -4468,12 +4706,12 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4486,11 +4724,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(6, resource.BinarySI))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(resource.NewQuantity(6, resource.BinarySI))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: *resource.NewQuantity(10, resource.BinarySI)}),
 				),
 			),
@@ -4498,12 +4736,12 @@ func TestAllocator(t *testing.T,
 
 			expectResults: []any{}, // default max requestPolicy is 4, should not allocate even though 6 < 10
 		},
-		"consumable-capacity-multi-allocatable-device-with-some-remaining-consumable-capacity": {
+		"consumable-capacity-multi-allocatable-device-with-allocated-capacity-use-remaining": {
 			features: Features{
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
 			),
 			allocatedCapacityDevices: map[DeviceID]ConsumedCapacity{
 				MakeDeviceID(driverA, pool1, device1): {
@@ -4511,8 +4749,8 @@ func TestAllocator(t *testing.T,
 				},
 			},
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
 				),
 			),
@@ -4525,21 +4763,49 @@ func TestAllocator(t *testing.T,
 				),
 			},
 		},
+		"consumable-capacity-multi-allocatable-device-with-allocated-capacity-next-device": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
+			),
+			allocatedCapacityDevices: map[DeviceID]ConsumedCapacity{
+				MakeDeviceID(driverA, pool1, device1): {
+					capacity0: ptr.To(two),
+				},
+			},
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+					device(device2, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+				),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceRequestAllocationResult(req0, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+				),
+			},
+		},
 		"consumable-capacity-with-multi-allocatable-device-backtrack": {
 			features: Features{
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
 				// 2 requests with two per each
-				claim(claim0, "", classA, resourceapi.DeviceConstraint{MatchAttribute: &stringAttribute}).withRequests(
+				claim(claim0).withConstraints(resourceapi.DeviceConstraint{MatchAttribute: &stringAttribute}).withRequests(
 					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two)),
 					deviceRequest(req1, classA, 1).withCapacityRequest(ptr.To(two)),
 				),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device2, nil,
 						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
 							"stringAttribute": {StringValue: ptr.To("stringAttributeValue1")},
@@ -4565,17 +4831,17 @@ func TestAllocator(t *testing.T,
 				PrioritizedList:    true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil,
+				claim(claim0).withRequests(
 					requestWithPrioritizedList(req0,
-						wrapDeviceSubRequest{subRequest(subReq0, classA, 1)}.withCapacityRequest(ptr.To(four)).obj(),
-						wrapDeviceSubRequest{subRequest(subReq1, classA, 1)}.withCapacityRequest(ptr.To(two)).obj(),
+						subRequest(subReq0, classA, 1).withCapacityRequest(ptr.To(four)),
+						subRequest(subReq1, classA, 1).withCapacityRequest(ptr.To(two)),
 						subRequest(subReq1, classA, 1),
 					),
 				),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4592,7 +4858,7 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two))),
 			),
 			allocatedCapacityDevices: map[DeviceID]ConsumedCapacity{
 				MakeDeviceID(driverA, pool1, device1): {
@@ -4600,8 +4866,8 @@ func TestAllocator(t *testing.T,
 				},
 			},
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4614,11 +4880,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(two))),
+				claim(claim0).withRequests(allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(two))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 					device(device2, nil, nil).withAllowMultipleAllocations(),
 				),
@@ -4636,11 +4902,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(two))),
+				claim(claim0).withRequests(allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(two))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
@@ -4658,14 +4924,14 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(
+				claim(claim0).withRequests(
 					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one)),
 					allDeviceRequest(req1, classA).withCapacityRequest(ptr.To(one)),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
@@ -4690,13 +4956,13 @@ func TestAllocator(t *testing.T,
 				},
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(
+				claim(claim0).withRequests(
 					allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(one)),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
@@ -4715,14 +4981,14 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(
+				claim(claim0).withRequests(
 					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one)),
 					allDeviceRequest(req1, classA).withCapacityRequest(ptr.To(one)),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
@@ -4740,30 +5006,35 @@ func TestAllocator(t *testing.T,
 				},
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(
+				claim(claim0).withRequests(
 					allDeviceRequest(req0, classA).withCapacityRequest(ptr.To(one)),
 				),
 			),
 			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 					device(device2, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
 			),
-			node:          node(node1, region1),
-			expectResults: []any{},
+			node: node(node1, region1),
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceRequestAllocationResult(req0, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}),
+				),
+			},
 		},
 		"consumable-capacity-dedicated-device-with-consumable-capacity-request": {
 			features: Features{
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, false)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil),
 				),
 			),
@@ -4781,12 +5052,12 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
-				claim(claim1, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim1).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, false)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4798,11 +5069,11 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, false)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one}, nil).withAllowMultipleAllocations(),
 				),
 			),
@@ -4818,11 +5089,11 @@ func TestAllocator(t *testing.T,
 				MakeDeviceID(driverA, pool1, device1),
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4835,7 +5106,7 @@ func TestAllocator(t *testing.T,
 				ConsumableCapacity: true,
 			},
 			claimsToAllocate: objects(
-				claim(claim0, "", classA).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
+				claim(claim0).withRequests(deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one))),
 			),
 			allocatedCapacityDevices: map[DeviceID]ConsumedCapacity{
 				MakeDeviceID(driverA, pool1, device1): {
@@ -4843,8 +5114,8 @@ func TestAllocator(t *testing.T,
 				},
 			},
 			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil).withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
 				),
 			),
@@ -4854,24 +5125,53 @@ func TestAllocator(t *testing.T,
 		},
 		"allow-multiple-allocations-with-partitionable-device": {
 			features: Features{
+				PrioritizedList:      true,
 				PartitionableDevices: true,
 				ConsumableCapacity:   true,
 			},
 			claimsToAllocate: objects(
-				claimWithRequests(claim0, nil, request(req0, classA, 1)),
-				claimWithRequests(claim1, nil, request(req0, classA, 1)),
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
+					requestWithPrioritizedList(req1,
+						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("6Gi")) >= 0`, driverA),
+							}},
+						),
+						subRequest(subReq1, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("4Gi")) >= 0`, driverA),
+							}},
+						),
+					),
+				),
 			),
-			classes: objects(class(classA, driverA)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
-					device(device1, nil, nil).withDeviceCounterConsumption(
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1,
+							map[string]resource.Quantity{
+								"memory": resource.MustParse("4Gi"),
+							},
+						),
+					).withAllowMultipleAllocations(),
+					device(device2, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1,
+							map[string]resource.Quantity{
+								"memory": resource.MustParse("6Gi"),
+							},
+						),
+					).withAllowMultipleAllocations(),
+					device(device3, fromCounters, nil).withDeviceCounterConsumption(
 						deviceCounterConsumption(counterSet1,
 							map[string]resource.Quantity{
 								"memory": resource.MustParse("4Gi"),
 							},
 						),
 					).withAllowMultipleAllocations(),
-				).withCounterSet(
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
 					counterSet(counterSet1,
 						map[string]resource.Quantity{
 							"memory": resource.MustParse("8Gi"),
@@ -4880,69 +5180,839 @@ func TestAllocator(t *testing.T,
 				),
 			),
 			node: node(node1, region1),
-			expectResults: []any{
-				allocationResult(
-					localNodeSelector(node1),
-					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
-				),
-				allocationResult(
-					localNodeSelector(node1),
-					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
-				),
-			},
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{"memory": resource.MustParse("4Gi")}),
+				deviceRequestAllocationResult(req1SubReq1, driverA, pool1, device3).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{"memory": resource.MustParse("4Gi")}),
+			)},
 		},
-		"distinct-constraint-one-multi-allocatable-device-with-distinct-constraint": {
+		"consumable-capacity-with-partitionable-device-multiple-capacity-pools": {
+			// This test case combines integration of PrioritizedList, PartitionableDevices, and ConsumableCapacity features.
 			features: Features{
-				ConsumableCapacity: true,
+				PrioritizedList:      true,
+				PartitionableDevices: true,
+				ConsumableCapacity:   true,
 			},
+			// There are two basic requests (req0 and req2), requesting 1 and 2 units of capacity0, respectively.
+			// In addition, there is one request (req1) with a prioritized list.
+			// The prioritized request prefers devices with capacity0 >= 4 over those with capacity0 >= 2.
 			claimsToAllocate: objects(
-				claim(claim0, "", classA, resourceapi.DeviceConstraint{DistinctAttribute: &stringAttribute}).withRequests(
+				claim(claim0).withRequests(
 					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one)),
-					deviceRequest(req1, classA, 1).withCapacityRequest(ptr.To(one)),
-				)),
-			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
-					device(device1, nil,
-						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue")}},
-					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
-				),
-			),
-			node:          node(node1, region1),
-			expectResults: []any{},
-		},
-		"distinct-constraint-two-multi-allocatable-devices-with-distinct-constraint": {
-			features: Features{
-				ConsumableCapacity: true,
-			},
-			claimsToAllocate: objects(
-				claim(claim0, "", classA, resourceapi.DeviceConstraint{DistinctAttribute: &stringAttribute}).withRequests(
-					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two)),
-					deviceRequest(req1, classA, 1).withCapacityRequest(ptr.To(two)),
-				),
-			),
-			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
-			slices: unwrap(
-				slice(slice1, node1, pool1, driverA,
-					device(device1, nil,
-						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue1")}},
-					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
-				),
-				slice(slice1, node1, pool1, driverA,
-					device(device2, nil,
-						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue2")}},
-					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
+					deviceRequest(req2, classA, 1).withCapacityRequest(ptr.To(two)),
+					requestWithPrioritizedList(req1,
+						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"]["%s"].compareTo(quantity("4")) >= 0`, driverA, capacity0),
+							}}).withCapacityRequest(ptr.To(one)),
+						subRequest(subReq1, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"]["%s"].compareTo(quantity("2")) >= 0`, driverA, capacity0),
+							}}).withCapacityRequest(ptr.To(one)),
+					),
 				),
 			),
-			node: node(node1, region1),
-
-			expectResults: []any{
-				allocationResult(
-					localNodeSelector(node1),
-					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
-					deviceRequestAllocationResult(req1, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
-				),
-			},
+			classes: objects(class(classA, driverA)),
+			// There three device option consuming counters from the PartitionableDevices's CounterSet.
+			// All devices can be allocated multiple times with `allowMultipleAllocations=true`.
+			// CounterSet (4, 8)
+			//   device1, device2, and device3 consume (2,4), (4,4), and (2,4) for (capacity0, capacity1) respectively.
+			//   i.e., only two options are valid those are [device1, device3] or [device2].
+			// Capacity.RequestPolicy of ConsumableCapacity forces the capacity1 consuming with range policy (min,step,max)=(2,2,4).
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1,
+							map[string]resource.Quantity{
+								capacity0: two,
+							},
+						),
+						deviceCounterConsumption(counterSet2,
+							map[string]resource.Quantity{
+								capacity1: four,
+							},
+						),
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange((map[resourceapi.QualifiedName]resource.Quantity{capacity1: four})),
+					device(device2, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1,
+							map[string]resource.Quantity{
+								capacity0: four,
+							},
+						),
+						deviceCounterConsumption(counterSet2,
+							map[string]resource.Quantity{
+								capacity1: four,
+							},
+						),
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange((map[resourceapi.QualifiedName]resource.Quantity{capacity1: four})),
+					device(device3, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1,
+							map[string]resource.Quantity{
+								capacity0: two,
+							},
+						),
+						deviceCounterConsumption(counterSet2,
+							map[string]resource.Quantity{
+								capacity1: four,
+							},
+						),
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange((map[resourceapi.QualifiedName]resource.Quantity{capacity1: four})),
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
+					counterSet(counterSet1,
+						map[string]resource.Quantity{
+							capacity0: four,
+						},
+					),
+					counterSet(counterSet2,
+						map[string]resource.Quantity{
+							capacity1: resource.MustParse("8"),
+						},
+					),
+				),
+			),
+			node: node(node1, region1),
+			// Expected results:
+			//   - [req0] The scheduler should be able to allocate device1 to req0.
+			//     1 unit of capacity0 is consumed according to the requested capacity, and 2 units of capacity1 are consumed according to the RequestPolicy.
+			//   - [req2] device1 does not have enough capacity0 remaining for req2, which requests 2 units (only 1 unit remains).
+			//     The scheduler must also skip device2 due to the CounterSet constraint.
+			//     Therefore, device3 is allocated to req2, providing 2 units of capacity0 and 2 units of capacity1.
+			//   - [req1] The first prioritized subrequest of req1 cannot find a device because device2 cannot be selected.
+			//     The second prioritized subrequest is then chosen and consumes the remaining 1 unit of capacity0 on device1.
+			//     Consequently, device1 is allocated to subreq1 of req1 with 1 unit of capacity0 and 2 units of capacity1.
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one, capacity1: two}),
+				deviceRequestAllocationResult(req2, driverA, pool1, device3).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two, capacity1: two}),
+				deviceRequestAllocationResult(req1SubReq1, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: one, capacity1: two}),
+			)},
+		},
+		"with-distinct-constraints": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{DistinctAttribute: &boolAttribute, Requests: []string{req0, req1}},
+					resourceapi.DeviceConstraint{DistinctAttribute: &versionAttribute, Requests: []string{req0, req1, req2}},
+					resourceapi.DeviceConstraint{DistinctAttribute: &intAttribute, Requests: []string{req0, req1, req2, req3}},
+				).withRequests(
+					deviceRequest(req0, classA, 1),
+					deviceRequest(req1, classA, 1),
+					deviceRequest(req2, classA, 1),
+					deviceRequest(req3, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"driverVersion": {VersionValue: ptr.To("1.0.0")},
+						"numa":          {IntValue: ptr.To(int64(0))},
+						"boolAttribute": {BoolValue: ptr.To(true)},
+					}).withAllowMultipleAllocations(),
+					device(device2, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"driverVersion": {VersionValue: ptr.To("1.0.1")},
+						"numa":          {IntValue: ptr.To(int64(1))},
+						"boolAttribute": {BoolValue: ptr.To(false)},
+					}).withAllowMultipleAllocations(),
+					device(device3, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"driverVersion": {VersionValue: ptr.To("1.0.2")},
+						"numa":          {IntValue: ptr.To(int64(2))},
+						"boolAttribute": {BoolValue: ptr.To(true)},
+					}).withAllowMultipleAllocations(),
+					device(device4, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"driverVersion": {VersionValue: ptr.To("1.0.0")},
+						"numa":          {IntValue: ptr.To(int64(3))},
+						"boolAttribute": {BoolValue: ptr.To(true)},
+					}).withAllowMultipleAllocations(),
+				),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
+				deviceRequestAllocationResult(req1, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, nil),
+				deviceRequestAllocationResult(req2, driverA, pool1, device3).withConsumedCapacity(&fixedShareID, nil),
+				deviceRequestAllocationResult(req3, driverA, pool1, device4).withConsumedCapacity(&fixedShareID, nil),
+			)},
+		},
+		"with-distinct-constraints-attribute-not-set": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{DistinctAttribute: &boolAttribute, Requests: []string{req0}},
+				).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, nil).withAllowMultipleAllocations(),
+				),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{},
+		},
+		"with-distinct-constraints-unknown-type-attribute": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{DistinctAttribute: &boolAttribute, Requests: []string{req0}},
+				).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"boolAttribute": {}}).withAllowMultipleAllocations(),
+				),
+			),
+			node:          node(node1, region1),
+			expectResults: []any{},
+			expectError:   gomega.MatchError(gomega.ContainSubstring("unsupported attribute value")),
+		},
+		"with-distinct-constraints-with-subrequests": {
+			features: Features{
+				ConsumableCapacity: true,
+				PrioritizedList:    true,
+			},
+			// There are three requests, all preferring the boolAttribute.
+			// However, the DeviceConstraint applies only to the first two requests.
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(
+					resourceapi.DeviceConstraint{DistinctAttribute: &boolAttribute, Requests: []string{req0, req1}}).
+					withRequests(
+						requestWithPrioritizedList(req0,
+							subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: fmt.Sprintf(`device.attributes["%s"].boolAttribute`, driverA),
+								}}),
+							subRequest(subReq1, classA, 1),
+						),
+						requestWithPrioritizedList(req1,
+							subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: fmt.Sprintf(`device.attributes["%s"].boolAttribute`, driverA),
+								}}),
+							subRequest(subReq1, classA, 1),
+						),
+						requestWithPrioritizedList(req2,
+							subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: fmt.Sprintf(`device.attributes["%s"].boolAttribute`, driverA),
+								}}),
+							subRequest(subReq1, classA, 1),
+						),
+					),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"boolAttribute": {BoolValue: ptr.To(true)},
+					}).withAllowMultipleAllocations(),
+					device(device2, nil, map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{
+						"boolAttribute": {BoolValue: ptr.To(false)},
+					}).withAllowMultipleAllocations(),
+				),
+			),
+			node: node(node1, region1),
+			// Because the constraint applies only to req0 and req1,
+			// subreq0 cannot satisfy req1, so device2 (subreq1) is allocated instead.
+			// However, req2 has no such constraint and can use device1 (subreq0).
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceRequestAllocationResult(req0SubReq0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
+				deviceRequestAllocationResult(req1SubReq1, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, nil),
+				deviceRequestAllocationResult(req2SubReq0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, nil),
+			)},
+		},
+		"distinct-constraint-one-multi-allocatable-device-with-distinct-constraint": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(resourceapi.DeviceConstraint{DistinctAttribute: &stringAttribute}).withRequests(
+					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(one)),
+					deviceRequest(req1, classA, 1).withCapacityRequest(ptr.To(one)),
+				)),
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil,
+						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue")}},
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+				),
+			),
+			node:          node(node1, region1),
+			expectResults: []any{},
+		},
+		"distinct-constraint-two-multi-allocatable-devices-with-distinct-constraint": {
+			features: Features{
+				ConsumableCapacity: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withConstraints(resourceapi.DeviceConstraint{DistinctAttribute: &stringAttribute}).withRequests(
+					deviceRequest(req0, classA, 1).withCapacityRequest(ptr.To(two)),
+					deviceRequest(req1, classA, 1).withCapacityRequest(ptr.To(two)),
+				),
+			),
+			classes: objects(classWithAllowMultipleAllocations(classA, driverA, true)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil,
+						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue1")}},
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
+				),
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device2, nil,
+						map[resourceapi.QualifiedName]resourceapi.DeviceAttribute{"stringAttribute": {StringValue: ptr.To("stringAttributeValue2")}},
+					).withAllowMultipleAllocations().withCapacityRequestPolicyRange(map[resourceapi.QualifiedName]resource.Quantity{capacity0: four}),
+				),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceRequestAllocationResult(req0, driverA, pool1, device1).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+					deviceRequestAllocationResult(req1, driverA, pool1, device2).withConsumedCapacity(&fixedShareID, map[resourceapi.QualifiedName]resource.Quantity{capacity0: two}),
+				),
+			},
+		},
+
+		"allocation-mode-all-with-multi-host-resource-pool": {
+			claimsToAllocate: objects(claimWithRequests(claim0, nil, resourceapi.DeviceRequest{
+				Name: req0,
+				Exactly: &resourceapi.ExactDeviceRequest{
+					AllocationMode:  resourceapi.DeviceAllocationModeAll,
+					DeviceClassName: classA,
+				},
+			})),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice2, node2, resourcePool(pool1, 2), driverA,
+					device(device2, nil, nil),
+				),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceAllocationResult(req0, driverA, pool1, device1, false),
+				),
+			},
+		},
+		"multi-host-resource-pool-with-stale-slice-for-current-node": {
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node1, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node2, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+			),
+			node: node(node1, region1),
+		},
+
+		// update-from-node-1-to-node-2 and vice-versa is dangerous,
+		// DRA drivers should not do this: there is no guarantee that
+		// the scheduler sees the change and then might allocate a
+		// device for a node where it is no longer available.
+		//
+		// We do not have to support such a change exactly as expected
+		// by these test cases if it makes the implementation too
+		// expensive because of additional checks.
+		//
+		// The support for allocation from incomplete pools is also under
+		// debate. It's currently done because without scoring it makes
+		// no difference how many slices are available, as long as one
+		// device can be found.
+
+		"multi-host-resource-pool-complete-update-from-node-1-to-node-2": {
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				// Node 1, generation 1.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node1, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node1, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				// Node 2, generation 2.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node2, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node2, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+			),
+			node: node(node1, region1),
+
+			// We'd like this to *not* be allocated, but the current implementation ignores
+			// the updated slices. Allocating from the old pool is also what would happen
+			// if the scheduler hadn't received the update yet, so DRA drivers shouldn't
+			// depend on better handling of this situation.
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceAllocationResult(req0, driverA, pool1, device1, false),
+				),
+			},
+		},
+
+		"multi-host-resource-pool-complete-update-from-node-2-to-node-1": {
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				// Node 2, generation 1.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node2, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node2, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				// Node 1, generation 2.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node1, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node1, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+			),
+			node: node(node1, region1),
+
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceAllocationResult(req0, driverA, pool1, device1, false),
+				),
+			},
+		},
+
+		"multi-host-resource-pool-incomplete-update-from-node-1-to-node-2": {
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				// Node 1, generation 1.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node1, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node1, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				// Node 2, generation 2.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node2, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+			),
+			node: node(node1, region1),
+
+			// We'd like this to *not* be allocated, but the current implementation ignores
+			// the updated slices. Allocating from the old pool is also what would happen
+			// if the scheduler hadn't received the update yet, so DRA drivers shouldn't
+			// depend on better handling of this situation.
+			expectResults: []any{
+				allocationResult(
+					localNodeSelector(node1),
+					deviceAllocationResult(req0, driverA, pool1, device1, false),
+				),
+			},
+		},
+
+		"multi-host-resource-pool-incomplete-update-from-node-2-to-node-1": {
+			claimsToAllocate: objects(claimWithRequest(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				// Node 2, generation 1.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node2, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice1, node2, pool1, driverA,
+						device(device2, nil, nil),
+					)
+					s.Spec.Pool.Generation = 1
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+				// Node 1, generation 2.
+				func() wrapResourceSliceWithDevices {
+					s := sliceWithDevices(slice2, node1, pool1, driverA,
+						device(device1, nil, nil),
+					)
+					s.Spec.Pool.Generation = 2
+					s.Spec.Pool.ResourceSliceCount = 2
+					return s
+				}(),
+			),
+			node: node(node1, region1),
+			// This does not get allocated since slice2 is incomplete.
+		},
+		"partitionable-devices-same-counter-set-name-in-different-resource-slices": {
+			features: Features{
+				PartitionableDevices: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 4), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 4), driverA,
+					counterSet(counterSet1, nil),
+				),
+				sliceWithDevices(slice3, node1, resourcePool(pool1, 4), driverA,
+					device(device2, nil, nil),
+				),
+				sliceWithCounterSets(slice4, node1, resourcePool(pool1, 4), driverA,
+					counterSet(counterSet1, nil),
+				),
+			),
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"partitionable-devices-device-counter-consumption-references-unknown-counter-set": {
+			features: Features{
+				PartitionableDevices: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet2, nil),
+					),
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
+					counterSet(counterSet1, nil),
+				),
+			),
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"partitionable-devices-device-counter-consumption-references-unknown-counter-in-counter-set": {
+			features: Features{
+				PartitionableDevices: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("8Gi"),
+						}),
+					),
+				),
+				sliceWithCounterSets(slice2, node1, resourcePool(pool1, 2), driverA,
+					counterSet(counterSet1, map[string]resource.Quantity{
+						"other-memory": resource.MustParse("8Gi"),
+					}),
+				),
+			),
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"partitionable-devices-device-counter-consumption-references-counter-set-in-other-pool": {
+			features: Features{
+				PartitionableDevices: true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					deviceRequest(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, pool1, driverA,
+					device(device1, nil, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("8Gi"),
+						}),
+					),
+				),
+				sliceWithCounterSets(slice2, node1, pool2, driverA,
+					counterSet(counterSet1, map[string]resource.Quantity{
+						"memory": resource.MustParse("8Gi"),
+					}),
+				),
+			),
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"partitionable-devices-devices-on-different-nodes-consume-same-counter-set": {
+			features: Features{
+				PartitionableDevices: true,
+				PrioritizedList:      true,
+			},
+			claimsToAllocate: objects(
+				claim(claim0).withRequests(
+					requestWithPrioritizedList(req0,
+						subRequest(subReq0, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("6Gi")) >= 0`, driverA),
+							},
+						}),
+						subRequest(subReq1, classA, 1, resourceapi.DeviceSelector{
+							CEL: &resourceapi.CELDeviceSelector{
+								Expression: fmt.Sprintf(`device.capacity["%s"].memory.compareTo(quantity("2Gi")) >= 0`, driverA),
+							},
+						}),
+					),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithCounterSets(slice1, node1, resourcePool(pool1, 3), driverA,
+					counterSet(counterSet1, map[string]resource.Quantity{
+						"memory": resource.MustParse("8Gi"),
+					}),
+				),
+				sliceWithDevices(slice2, node1, resourcePool(pool1, 3), driverA,
+					device(device1, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("6Gi"),
+						}),
+					),
+					device(device2, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("2Gi"),
+						}),
+					),
+				),
+				sliceWithDevices(slice3, node2, resourcePool(pool1, 3), driverA,
+					device(device3, nil, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("6Gi"),
+						}),
+					),
+				),
+			),
+			allocatedDevices: []DeviceID{
+				MakeDeviceID(driverA, pool1, device3),
+			},
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0SubReq1, driverA, pool1, device2, false),
+			)},
+		},
+		"partitionable-devices-validation-error-on-non-targeting-slice": {
+			features: Features{
+				PartitionableDevices: true,
+			},
+			claimsToAllocate: objects(
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithCounterSets(slice1, node1, resourcePool(pool1, 3), driverA,
+					counterSet(counterSet1, map[string]resource.Quantity{
+						"memory": resource.MustParse("8Gi"),
+					}),
+				),
+				sliceWithDevices(slice2, node1, resourcePool(pool1, 3), driverA,
+					device(device1, fromCounters, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet1, map[string]resource.Quantity{
+							"memory": resource.MustParse("6Gi"),
+						}),
+					),
+				),
+				sliceWithDevices(slice3, node2, resourcePool(pool1, 3), driverA,
+					device(device3, nil, nil).withDeviceCounterConsumption(
+						deviceCounterConsumption(counterSet2, map[string]resource.Quantity{
+							"memory": resource.MustParse("6Gi"),
+						}),
+					),
+				),
+			),
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"different-resourceslices-in-pool-can-target-different-nodes": {
+			claimsToAllocate: objects(
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node2, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice2, node1, resourcePool(pool1, 2), driverA,
+					device(device2, nil, nil),
+				),
+			),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device2, false),
+			)},
+		},
+		"invalid-pool-is-ok-if-devices-can-be-allocated-from-other": {
+			claimsToAllocate: objects(
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice2, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice3, node1, resourcePool(pool2, 1), driverA,
+					device(device2, nil, nil),
+				),
+			),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool2, device2, false),
+			)},
+		},
+		"invalid-pool-is-error-if-no-other-device-can-be-allocated": {
+			claimsToAllocate: objects(
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice2, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+				sliceWithDevices(slice3, node1, resourcePool(pool2, 1), driverA,
+					device(device2, nil, nil),
+				),
+			),
+			allocatedDevices: []DeviceID{
+				MakeDeviceID(driverA, pool2, device2),
+			},
+			node:        node(node1, region1),
+			expectError: gomega.MatchError(gomega.ContainSubstring("invalid resource pools were encountered")),
+		},
+		"no-allocation-from-incomplete-pools": {
+			claimsToAllocate: objects(
+				claimWithRequests(claim0, nil,
+					request(req0, classA, 1),
+				),
+			),
+			classes: objects(class(classA, driverA)),
+			slices: unwrapResourceSlices(
+				sliceWithDevices(slice1, node1, resourcePool(pool1, 2), driverA,
+					device(device1, nil, nil),
+				),
+			),
+			node: node(node1, region1),
 		},
 	}
 
@@ -5031,7 +6101,7 @@ func TestAllocator(t *testing.T,
 				claimsToAllocate := unwrap(claimWithRequests(claim0, nil,
 					request(req0, classA, 6),
 				))
-				slices := unwrap(slice(slice1, node1, pool1, driverA,
+				slices := unwrapResourceSlices(sliceWithDevices(slice1, node1, pool1, driverA,
 					device(device1, nil, nil),
 					device(device2, nil, nil),
 					device(device3, nil, nil),
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/allocator_experimental.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/allocator_experimental.go
index 6b3c69b791641..fd63fff1e8e3f 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/allocator_experimental.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/allocator_experimental.go
@@ -76,13 +76,12 @@ func NewConsumedCapacityCollection() ConsumedCapacityCollection {
 // making this the variant that is used when any of those
 // are enabled.
 var SupportedFeatures = internal.Features{
-	AdminAccess:          true,
-	PrioritizedList:      true,
-	PartitionableDevices: true,
-	DeviceTaints:         true,
-	DeviceBinding:        true,
-	DeviceStatus:         true,
-	ConsumableCapacity:   true,
+	AdminAccess:            true,
+	PrioritizedList:        true,
+	PartitionableDevices:   true,
+	DeviceTaints:           true,
+	DeviceBindingAndStatus: true,
+	ConsumableCapacity:     true,
 }
 
 type Allocator struct {
@@ -91,16 +90,16 @@ type Allocator struct {
 	classLister    DeviceClassLister
 	slices         []*resourceapi.ResourceSlice
 	celCache       *cel.Cache
-	// availableCounters contains the available counters for individual
-	// ResourceSlices. It acts as a cache that is updated the first time
-	// the available counters are needed for each ResourceSlice. The information
-	// about each slice is never updated once set the first time.
+	// availableCounters contains the available counters for each
+	// resource pool. It acts as a cache that is updated the first time
+	// the available counters are needed for each pool. The information
+	// about each pool is never updated once set the first time.
 	// This is computed bsed on information on the Allocator, so it will
 	// be correct even for multiple usages of the Allocator.
-	// The keys in the map are ResourceSlice names.
+	// The keys in the map are resource pool names.
 	// The allocator might be accessed by different goroutines, so
 	// access to this map must be synchronized.
-	availableCounters map[string]counterSets
+	availableCounters map[draapi.UniqueString]counterSets
 	mutex             sync.RWMutex
 	// numAllocateOneInvocations counts the number of times the allocateOne
 	// function is called for the allocator. This is a measurement of the
@@ -128,7 +127,7 @@ func NewAllocator(ctx context.Context,
 		classLister:       classLister,
 		slices:            slices,
 		celCache:          celCache,
-		availableCounters: make(map[string]counterSets),
+		availableCounters: make(map[draapi.UniqueString]counterSets),
 	}, nil
 }
 
@@ -141,13 +140,15 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		claimsToAllocate:     claims,
 		deviceMatchesRequest: make(map[matchKey]bool),
 		constraints:          make([][]constraint, len(claims)),
-		consumedCounters:     make(map[string]counterSets),
+		consumedCounters:     make(map[draapi.UniqueString]counterSets),
 		requestData:          make(map[requestIndices]requestData),
 		result:               make([]internalAllocationResult, len(claims)),
 		allocatingCapacity:   NewConsumedCapacityCollection(),
 	}
-	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate))
-	defer alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate), "numSlices", len(alloc.slices))
+	defer func() {
+		alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	}()
 
 	alloc.logger.V(5).Info("Gathering pools", "slices", alloc.slices)
 	// First determine all eligible pools.
@@ -206,20 +207,17 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 			// Error out if the consumableCapacity feature is not enabled
 			// and the request contains capacity requests.
 			if !a.features.ConsumableCapacity {
-				containsCapacityRequest := false
 				if request.Exactly != nil && request.Exactly.Capacity != nil {
-					containsCapacityRequest = true
-				}
-				for _, request := range request.FirstAvailable {
-					if request.Capacity != nil {
-						containsCapacityRequest = true
-						break
-					}
-				}
-				if containsCapacityRequest {
 					return nil, fmt.Errorf("claim %s, request %s: has capacity requests, but the DRAConsumableCapacity feature is disabled",
 						klog.KObj(claim), request.Name)
 				}
+				for _, subReq := range request.FirstAvailable {
+					// Error out if any subrequest contains capacity requests.
+					if subReq.Capacity != nil {
+						return nil, fmt.Errorf("claim %s, subrequest %s: has capacity requests, but the DRAConsumableCapacity feature is disabled",
+							klog.KObj(claim), subReq.Name)
+					}
+				}
 			}
 
 			if hasSubRequests {
@@ -227,17 +225,10 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 				// for the request, so setting this to a high number so we can do the
 				// easy comparison in the loop.
 				minDevicesPerRequest := math.MaxInt
-
 				// A request with subrequests gets one entry per subrequest in alloc.requestData.
 				// We can only predict a lower number of devices because it depends on which
 				// subrequest gets chosen.
 				for i, subReq := range request.FirstAvailable {
-					// Error out if the consumableCapacity feature is not enabled
-					// and the subrequest contains capacity requests.
-					if !a.features.ConsumableCapacity && subReq.Capacity != nil {
-						return nil, fmt.Errorf("claim %s, subrequest %s: has capacity requests, but the DRAConsumableCapacity feature is disabled",
-							klog.KObj(claim), subReq.Name)
-					}
 					reqData, err := alloc.validateDeviceRequest(&deviceSubRequestAccessor{subRequest: &subReq},
 						&exactDeviceRequestAccessor{request: request}, requestKey, pools)
 					if err != nil {
@@ -278,7 +269,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		for i, constraint := range claim.Spec.Devices.Constraints {
 			switch {
 			case constraint.MatchAttribute != nil:
-				matchAttribute := draapi.FullyQualifiedName(*constraint.MatchAttribute)
+				matchAttribute := resourceapi.FullyQualifiedName(*constraint.MatchAttribute)
 				logger := alloc.logger
 				if loggerV := alloc.logger.V(6); loggerV.Enabled() {
 					logger = klog.LoggerWithName(logger, "matchAttributeConstraint")
@@ -291,7 +282,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 				}
 				constraints[i] = m
 			case constraint.DistinctAttribute != nil:
-				distinctAttribute := draapi.FullyQualifiedName(*constraint.DistinctAttribute)
+				distinctAttribute := resourceapi.FullyQualifiedName(*constraint.DistinctAttribute)
 				logger := alloc.logger
 				if loggerV := alloc.logger.V(6); loggerV.Enabled() {
 					logger = klog.LoggerWithName(logger, "distinctAttributeConstraint")
@@ -301,7 +292,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 					logger:        logger,
 					requestNames:  sets.New(constraint.Requests...),
 					attributeName: distinctAttribute,
-					attributes:    make(map[string]draapi.DeviceAttribute),
+					attributes:    make(map[string]resourceapi.DeviceAttribute),
 				}
 				constraints[i] = m
 			default:
@@ -346,6 +337,17 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		return nil, err
 	}
 	if !done {
+		// If no devices could be allocated, but we found one or more
+		// invalid pools, return an error here. We didn't do it during
+		// allocation since there might be valid pools from which the
+		// claims could be satisfied.
+		for _, pool := range pools {
+			if pool.IsInvalid {
+				// Not a fatal error, allocation on other nodes may proceed.
+				// The error is only surfaced if allocation fails on all nodes.
+				return nil, fmt.Errorf("invalid resource pools were encountered%w", internal.ErrFailedAllocationOnNode)
+			}
+		}
 		return nil, nil
 	}
 
@@ -368,20 +370,21 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 				Pool:             internal.id.Pool.String(),
 				Device:           internal.id.Device.String(),
 				AdminAccess:      internal.adminAccess,
+				Tolerations:      internal.lookupRequest(claim).tolerations(),
 				ShareID:          internal.shareID,
 				ConsumedCapacity: consumedCapacity,
 			}
 			// Performance optimization: skip the for loop if the feature is off.
 			// Not needed for correctness because if the feature is off, the selected
 			// device should not have binding conditions.
-			if a.features.DeviceBinding {
+			if a.features.DeviceBindingAndStatus {
 				allocationResult.Devices.Results[i].BindingConditions = internal.BindingConditions
 				allocationResult.Devices.Results[i].BindingFailureConditions = internal.BindingFailureConditions
 			}
 			// Performance optimization: skip the for loop if the feature is off.
 			// Not needed for correctness because if the feature is off, the selected
 			// device should not have binding conditions.
-			if a.features.DeviceBinding {
+			if a.features.DeviceBindingAndStatus {
 				allocationResult.Devices.Results[i].BindingConditions = internal.BindingConditions
 				allocationResult.Devices.Results[i].BindingFailureConditions = internal.BindingFailureConditions
 			}
@@ -538,8 +541,7 @@ func (alloc *allocator) validateDeviceRequest(request requestAccessor, parentReq
 			if pool.IsInvalid {
 				return requestData, fmt.Errorf("claim %s, request %s: asks for all devices, but resource pool %s is currently invalid", klog.KObj(claim), request.name(), pool.PoolID)
 			}
-
-			for _, slice := range pool.Slices {
+			for _, slice := range pool.DeviceSlicesTargetingNode {
 				for deviceIndex := range slice.Spec.Devices {
 					selectable, err := alloc.isSelectable(requestKey, requestData, slice, deviceIndex)
 					if err != nil {
@@ -553,7 +555,8 @@ func (alloc *allocator) validateDeviceRequest(request requestAccessor, parentReq
 						}
 						if alloc.features.ConsumableCapacity {
 							// Next validate whether resource request over capacity
-							success, err := alloc.CmpRequestOverCapacity(requestData.request, slice, deviceIndex)
+							device := slice.Spec.Devices[deviceIndex]
+							success, err := alloc.CmpRequestOverCapacity(requestData.request, slice, device)
 							if err != nil {
 								alloc.logger.V(7).Info("Skip comparing device capacity request",
 									"device", device, "request", requestData.request.name(), "err", err)
@@ -601,8 +604,8 @@ type allocator struct {
 	constraints          [][]constraint // one list of constraints per claim
 	// consumedCounters keeps track of the counters consumed by all devices
 	// that are in the process of being allocated.
-	// The keys in the map are ResourceSlice names.
-	consumedCounters map[string]counterSets
+	// The keys in the map are resource pool names.
+	consumedCounters map[draapi.UniqueString]counterSets
 	requestData      map[requestIndices]requestData // one entry per request with no subrequests and one entry per subrequest
 	// allocatingDevices tracks which devices will be newly allocated for a
 	// particular attempt to find a solution. The map is indexed by device
@@ -620,7 +623,7 @@ type allocator struct {
 
 // counterSets is a map with the name of counter sets to the counters in
 // the set.
-type counterSets map[draapi.UniqueString]map[string]draapi.Counter
+type counterSets map[draapi.UniqueString]map[string]resourceapi.Counter
 
 // matchKey identifies a device/request pair.
 type matchKey struct {
@@ -676,6 +679,7 @@ type deviceWithID struct {
 	*draapi.Device
 	id    DeviceID
 	slice *draapi.ResourceSlice
+	pool  *Pool
 }
 
 type internalAllocationResult struct {
@@ -693,11 +697,36 @@ type internalDeviceResult struct {
 	adminAccess      *bool
 }
 
-func (i internalDeviceResult) requestName() string {
-	if i.parentRequest == "" {
-		return i.request
+func (idr internalDeviceResult) requestName() string {
+	if idr.parentRequest == "" {
+		return idr.request
+	}
+	return fmt.Sprintf("%s/%s", idr.parentRequest, idr.request)
+}
+
+func (idr internalDeviceResult) lookupRequest(claim *resourceapi.ResourceClaim) requestAccessor {
+	requestName := idr.request
+	if idr.parentRequest != "" {
+		requestName = idr.parentRequest
+	}
+	for i := range claim.Spec.Devices.Requests {
+		request := &claim.Spec.Devices.Requests[i]
+		if request.Name != requestName {
+			continue
+		}
+		if idr.parentRequest == "" {
+			// No need to check sub-requests.
+			return &exactDeviceRequestAccessor{request}
+		}
+		for j := range request.FirstAvailable {
+			subRequest := &request.FirstAvailable[j]
+			if subRequest.Name != idr.request {
+				continue
+			}
+			return &deviceSubRequestAccessor{subRequest}
+		}
 	}
-	return fmt.Sprintf("%s/%s", i.parentRequest, i.request)
+	return nil
 }
 
 type constraint interface {
@@ -721,9 +750,9 @@ type constraint interface {
 type matchAttributeConstraint struct {
 	logger        klog.Logger // Includes name and attribute name, so no need to repeat in log messages.
 	requestNames  sets.Set[string]
-	attributeName draapi.FullyQualifiedName
+	attributeName resourceapi.FullyQualifiedName
 
-	attribute  *draapi.DeviceAttribute
+	attribute  *resourceapi.DeviceAttribute
 	numDevices int
 }
 
@@ -803,9 +832,9 @@ func (m *matchAttributeConstraint) matches(requestName, subRequestName string) b
 	}
 }
 
-func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName draapi.FullyQualifiedName) *draapi.DeviceAttribute {
+func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName resourceapi.FullyQualifiedName) *resourceapi.DeviceAttribute {
 	// Fully-qualified match?
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName)]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName)]; ok {
 		return &attr
 	}
 	index := strings.Index(string(attributeName), "/")
@@ -821,7 +850,7 @@ func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName dra
 	}
 
 	// Domain matches the driver, so let's check just the ID.
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName[index+1:])]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName[index+1:])]; ok {
 		return &attr
 	}
 
@@ -993,13 +1022,13 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 
 	// We need to find suitable devices.
 	for _, pool := range alloc.pools {
-		// If the pool is not valid, then fail now. It's okay when pools of one driver
-		// are invalid if we allocate from some other pool, but it's not safe to
-		// allocated from an invalid pool.
-		if pool.IsInvalid {
-			return false, fmt.Errorf("pool %s is invalid: %s", pool.Pool, pool.InvalidReason)
+		// We don't allocate devices from invalid or incomplete pools, but
+		// don't error out here since there might be available devices in other
+		// pools.
+		if pool.IsIncomplete || pool.IsInvalid {
+			continue
 		}
-		for _, slice := range pool.Slices {
+		for _, slice := range pool.DeviceSlicesTargetingNode {
 			for deviceIndex := range slice.Spec.Devices {
 				deviceID := DeviceID{Driver: pool.Driver, Pool: pool.Pool, Device: slice.Spec.Devices[deviceIndex].Name}
 
@@ -1025,7 +1054,8 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 				}
 				if alloc.features.ConsumableCapacity {
 					// Next validate whether resource request over capacity
-					success, err := alloc.CmpRequestOverCapacity(requestData.request, slice, deviceIndex)
+					device := slice.Spec.Devices[deviceIndex]
+					success, err := alloc.CmpRequestOverCapacity(requestData.request, slice, device)
 					if err != nil {
 						alloc.logger.V(7).Info("Skip comparing device capacity request",
 							"device", deviceID, "request", requestData.request.name(), "err", err)
@@ -1042,6 +1072,7 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 					id:     deviceID,
 					Device: &slice.Spec.Devices[deviceIndex],
 					slice:  slice,
+					pool:   pool,
 				}
 				allocated, deallocate, err := alloc.allocateDevice(r, device, false)
 				if err != nil {
@@ -1086,7 +1117,7 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 // isSelectable checks whether a device satisfies the request and class selectors.
 func (alloc *allocator) isSelectable(r requestIndices, requestData requestData, slice *draapi.ResourceSlice, deviceIndex int) (bool, error) {
 	device := &slice.Spec.Devices[deviceIndex]
-	if (!alloc.features.DeviceBinding || !alloc.features.DeviceStatus) &&
+	if !alloc.features.DeviceBindingAndStatus &&
 		len(device.BindingConditions) > 0 {
 		// Devices with binding conditions are not supported, feature is off.
 		return false, nil
@@ -1121,7 +1152,7 @@ func (alloc *allocator) isSelectable(r requestIndices, requestData requestData,
 	}
 
 	if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
-		matches, err := nodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+		matches, err := NodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 		if err != nil {
 			return false, err
 		}
@@ -1136,13 +1167,14 @@ func (alloc *allocator) isSelectable(r requestIndices, requestData requestData,
 
 }
 
-// CmpRequestOverCapacity checks whether a device with remaining resources is consumable by the request.
+// CmpRequestOverCapacity checks if the given device has sufficient remaining capacity
+// to satisfy the resource request.
 // Return true if success.
-func (alloc *allocator) CmpRequestOverCapacity(request requestAccessor, slice *draapi.ResourceSlice, deviceIndex int) (bool, error) {
-	deviceID := DeviceID{Driver: slice.Spec.Driver, Pool: slice.Spec.Pool.Name, Device: slice.Spec.Devices[deviceIndex].Name}
+func (alloc *allocator) CmpRequestOverCapacity(request requestAccessor, slice *draapi.ResourceSlice, device draapi.Device) (bool, error) {
+	deviceID := DeviceID{Driver: slice.Spec.Driver, Pool: slice.Spec.Pool.Name, Device: device.Name}
 	allocatingCapacity := alloc.allocatingCapacity[deviceID]
-	allowMultipleAllocations := slice.Spec.Devices[deviceIndex].AllowMultipleAllocations
-	capacities := slice.Spec.Devices[deviceIndex].Capacity
+	allowMultipleAllocations := device.AllowMultipleAllocations
+	capacities := device.Capacity
 	if allocatedCapacity, found := alloc.allocatedState.AggregatedCapacity[deviceID]; found {
 		return CmpRequestOverCapacity(allocatedCapacity, request.capacities(), allowMultipleAllocations, capacities, allocatingCapacity)
 	}
@@ -1196,6 +1228,11 @@ func (alloc *allocator) selectorsMatch(r requestIndices, device *draapi.Device,
 // allocateDevice checks device availability and constraints for one
 // candidate. The device must be selectable.
 //
+// r identifies the request for which allocation is attempted.
+// The device is the candidate under consideration.
+// If "must" is true, then it is okay (but not required) to return an error which describes in more detail why allocation wasn't possible.
+// This is used when the caller wants exactly this device and will give up if it cannot allocate it.
+//
 // If that candidate works out okay, the shared state gets updated
 // as if that candidate had been allocated. If allocation cannot continue later
 // and must try something else, then the rollback function can be invoked to
@@ -1228,8 +1265,11 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 		return false, nil, nil
 	}
 
+	// Skip counter availability check for devices that allow multiple allocation and some capacity has already in-use.
+	skipCounterCheck := allowMultipleAllocations && alloc.deviceCapacityInUse(device.id)
+
 	// The API validation logic has checked the ConsumesCounters referred should exist inside SharedCounters.
-	if len(device.ConsumesCounters) > 0 {
+	if !skipCounterCheck && len(device.ConsumesCounters) > 0 {
 		// If a device consumes counters from a counter set, verify that
 		// there is sufficient counters available.
 		ok, err := alloc.checkAvailableCounters(device)
@@ -1255,7 +1295,7 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 
 	// Might be tainted, in which case the taint has to be tolerated.
 	// The check is skipped if the feature is disabled.
-	if alloc.features.DeviceTaints && !allTaintsTolerated(device.Device, request) {
+	if alloc.features.DeviceTaints && taintPreventsAllocation(device.Device, request) {
 		return false, nil, nil
 	}
 
@@ -1292,9 +1332,10 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 	var shareID *types.UID
 	if alloc.features.ConsumableCapacity {
 		// Validate whether resource request over capacity
-		success, err := alloc.CmpRequestOverCapacity(requestData.request, device.slice, r.deviceIndex)
+		success, err := alloc.CmpRequestOverCapacity(requestData.request, device.slice, *device.Device)
+		// The error should not occur at this point as it should be detected in the previous step.
 		if err != nil {
-			alloc.logger.V(7).Info("Failed to compare device capacity request",
+			alloc.logger.V(7).Info("Failed to compare device capacity request on allocateDevice",
 				"device", device, "request", requestData.request.name(), "err", err)
 			return false, nil, nil
 		}
@@ -1304,19 +1345,9 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 		}
 
 		if allowMultipleAllocations {
-			convertedCapacities := make(map[resourceapi.QualifiedName]resourceapi.DeviceCapacity)
-			for key, value := range device.Capacity {
-				var convertedCapacity resourceapi.DeviceCapacity
-				err := draapi.Convert_api_DeviceCapacity_To_v1_DeviceCapacity(&value, &convertedCapacity, nil)
-				if err != nil {
-					return false, nil, fmt.Errorf("convert DeviceCapacity: %w", err)
-				}
-				convertedCapacities[resourceapi.QualifiedName(key)] = convertedCapacity
-			}
-			consumedCapacity = GetConsumedCapacityFromRequest(request.capacities(), convertedCapacities)
+			consumedCapacity = GetConsumedCapacityFromRequest(request.capacities(), device.Capacity)
 			shareID = GenerateNewShareID()
 			alloc.logger.V(7).Info("Device capacity allocated", "device", device.id,
-				"converted capacity", klog.Format(convertedCapacities),
 				"consumed capacity", klog.Format(consumedCapacity))
 			alloc.allocatingCapacity.Insert(NewDeviceConsumedCapacity(device.id, consumedCapacity))
 		}
@@ -1361,13 +1392,17 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 	}, nil
 }
 
-func allTaintsTolerated(device *draapi.Device, request requestAccessor) bool {
+func taintPreventsAllocation(device *draapi.Device, request requestAccessor) bool {
 	for _, taint := range device.Taints {
-		if !taintTolerated(taint, request) {
-			return false
+		switch taint.Effect {
+		// Only known effects prevent allocation, others (including None) are ignored.
+		case resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule:
+			if !taintTolerated(taint, request) {
+				return true
+			}
 		}
 	}
-	return true
+	return false
 }
 
 func taintTolerated(taint resourceapi.DeviceTaint, request requestAccessor) bool {
@@ -1385,13 +1420,13 @@ func taintTolerated(taint resourceapi.DeviceTaint, request requestAccessor) bool
 // Gets called only if the partitionable devices feature is enabled and the device
 // consumes counters.
 func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error) {
-	slice := device.slice
-	sliceName := slice.Name
+	pool := device.pool
+	poolName := pool.PoolID.Pool
 
-	// Check first if the available counters for this slice have already been
+	// Check first if the available counters for this pool have already been
 	// calculated.
 	alloc.mutex.RLock()
-	availableCountersForSlice, found := alloc.availableCounters[sliceName]
+	availableCountersForPool, found := alloc.availableCounters[poolName]
 	alloc.mutex.RUnlock()
 	// If not, we need to do it now. But we store the result so it doesn't need
 	// to be calculated again.
@@ -1399,69 +1434,73 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	// might also do this work. But the input will be the same to all of them, so
 	// the result will also always be the same.
 	if !found {
-		availableCountersForSlice = make(counterSets, len(slice.Spec.SharedCounters))
-		for _, counterSet := range slice.Spec.SharedCounters {
-			availableCountersForCounterSet := make(map[string]draapi.Counter, len(counterSet.Counters))
+		availableCountersForPool = make(counterSets, len(pool.CounterSets))
+		for _, counterSet := range pool.CounterSets {
+			availableCountersForCounterSet := make(map[string]resourceapi.Counter, len(counterSet.Counters))
 			for name, c := range counterSet.Counters {
 				availableCountersForCounterSet[name] = c
 			}
-			availableCountersForSlice[counterSet.Name] = availableCountersForCounterSet
+			availableCountersForPool[counterSet.Name] = availableCountersForCounterSet
 		}
 
 		// Update the data structure to reflect counters already consumed by allocated devices. This
 		// only includes devices where the allocation process has completed, so this will never
 		// change during the allocation process.
-		for _, device := range slice.Spec.Devices {
-			deviceID := DeviceID{
-				Driver: slice.Spec.Driver,
-				Pool:   slice.Spec.Pool.Name,
-				Device: device.Name,
-			}
-			// Devices that aren't allocated doesn't consume any counters, so we don't
-			// need to consider them.
-			if !alloc.allocatedState.AllocatedDevices.Has(deviceID) {
-				continue
-			}
-			for _, deviceCounterConsumption := range device.ConsumesCounters {
-				availableCountersForCounterSet := availableCountersForSlice[deviceCounterConsumption.CounterSet]
-				for name, c := range deviceCounterConsumption.Counters {
-					existingCounter, ok := availableCountersForCounterSet[name]
-					if !ok {
-						// the API validation logic has been added to make sure the counters referred should exist in counter sets.
+		for _, resourceSlices := range [][]*draapi.ResourceSlice{pool.DeviceSlicesTargetingNode, pool.DeviceSlicesNotTargetingNode} {
+			for _, slice := range resourceSlices {
+				for _, device := range slice.Spec.Devices {
+					deviceID := DeviceID{
+						Driver: slice.Spec.Driver,
+						Pool:   slice.Spec.Pool.Name,
+						Device: device.Name,
+					}
+					// Devices that aren't allocated doesn't consume any counters, so we don't
+					// need to consider them.
+					if !alloc.allocatedState.AllocatedDevices.Has(deviceID) {
 						continue
 					}
-					// This can potentially result in negative available counters. That is fine,
-					// we just treat it as no counters available.
-					existingCounter.Value.Sub(c.Value)
-					availableCountersForCounterSet[name] = existingCounter
+					for _, deviceCounterConsumption := range device.ConsumesCounters {
+						availableCountersForCounterSet := availableCountersForPool[deviceCounterConsumption.CounterSet]
+						for name, c := range deviceCounterConsumption.Counters {
+							existingCounter, ok := availableCountersForCounterSet[name]
+							if !ok {
+								// the API validation logic has been added to make sure the counters referred should exist in counter sets.
+								continue
+							}
+							// This can potentially result in negative available counters. That is fine,
+							// we just treat it as no counters available.
+							existingCounter.Value.Sub(c.Value)
+							availableCountersForCounterSet[name] = existingCounter
+						}
+					}
+					// Note that we don't include devices in the alloc.allocatingDevices here since
+					// counters consumed by devices for the current claims are tracked in
+					// alloc.consumedCounters
 				}
 			}
-			// Note that we don't include devices in the alloc.allocatingDevices here since
-			// counters consumed by devices for the current claims are tracked in
-			// alloc.consumedCounters
 		}
 
 		// Set the available counters on the allocator so we don't have to
 		// compute this again.
 		alloc.mutex.Lock()
-		alloc.availableCounters[sliceName] = availableCountersForSlice
+		alloc.availableCounters[poolName] = availableCountersForPool
 		alloc.mutex.Unlock()
 	}
 
 	// Update the consumedCounters data structure with the counters consumed
 	// by the current device.
-	consumedCountersForSlice, found := alloc.consumedCounters[sliceName]
+	consumedCountersForPool, found := alloc.consumedCounters[poolName]
 	// If no devices in the allocating state have consumed any counters from the current
-	// slice, initialize the data structure.
+	// pool, initialize the data structure.
 	if !found {
-		consumedCountersForSlice = make(counterSets)
-		alloc.consumedCounters[sliceName] = consumedCountersForSlice
+		consumedCountersForPool = make(counterSets)
+		alloc.consumedCounters[poolName] = consumedCountersForPool
 	}
 	for _, deviceCounterConsumption := range device.ConsumesCounters {
-		consumedCountersForCounterSet, found := consumedCountersForSlice[deviceCounterConsumption.CounterSet]
+		consumedCountersForCounterSet, found := consumedCountersForPool[deviceCounterConsumption.CounterSet]
 		if !found {
-			consumedCountersForCounterSet = make(map[string]draapi.Counter)
-			consumedCountersForSlice[deviceCounterConsumption.CounterSet] = consumedCountersForCounterSet
+			consumedCountersForCounterSet = make(map[string]resourceapi.Counter)
+			consumedCountersForPool[deviceCounterConsumption.CounterSet] = consumedCountersForCounterSet
 		}
 		for name, c := range deviceCounterConsumption.Counters {
 			consumedCounters, found := consumedCountersForCounterSet[name]
@@ -1477,8 +1516,8 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	// Check that we didn't exceed the availability of any counters by allocating
 	// the current device. If we did, the current set of devices doesn't work, so we
 	// update the consumed counters to no longer reflect the current device.
-	for availableCounterSetName, availableCounters := range availableCountersForSlice {
-		consumedCounters := consumedCountersForSlice[availableCounterSetName]
+	for availableCounterSetName, availableCounters := range availableCountersForPool {
+		consumedCounters := consumedCountersForPool[availableCounterSetName]
 		for availableCounterName, availableCounter := range availableCounters {
 			consumedCounter := consumedCounters[availableCounterName]
 			if availableCounter.Value.Cmp(consumedCounter.Value) < 0 {
@@ -1495,6 +1534,11 @@ func (alloc *allocator) deviceInUse(deviceID DeviceID) bool {
 	return alloc.allocatedState.AllocatedDevices.Has(deviceID) || alloc.allocatingDeviceForAnyClaim(deviceID)
 }
 
+func (alloc *allocator) deviceCapacityInUse(deviceID DeviceID) bool {
+	_, found := alloc.allocatedState.AggregatedCapacity[deviceID]
+	return found || alloc.allocatingCapacityForAnyClaim(deviceID)
+}
+
 func (alloc *allocator) allocatingDeviceForAnyClaim(deviceID DeviceID) bool {
 	return alloc.allocatingDevices[deviceID].Len() > 0
 }
@@ -1503,16 +1547,20 @@ func (alloc *allocator) allocatingDeviceForClaim(deviceID DeviceID, claimIndex i
 	return alloc.allocatingDevices[deviceID].Has(claimIndex)
 }
 
+func (alloc *allocator) allocatingCapacityForAnyClaim(deviceID DeviceID) bool {
+	_, found := alloc.allocatingCapacity[deviceID]
+	return found
+}
+
 // deallocateCountersForDevice subtracts the consumed counters of the provided
 // device from the consumedCounters data structure.
 func (alloc *allocator) deallocateCountersForDevice(device deviceWithID) {
-	slice := device.slice
-	sliceName := slice.Name
+	poolName := device.pool.PoolID.Pool
 
-	consumedCountersForSlice := alloc.consumedCounters[sliceName]
+	consumedCountersForPool := alloc.consumedCounters[poolName]
 	for _, deviceCounterConsumption := range device.ConsumesCounters {
 		counterSetName := deviceCounterConsumption.CounterSet
-		consumedCounterSet := consumedCountersForSlice[counterSetName]
+		consumedCounterSet := consumedCountersForPool[counterSetName]
 		for name, c := range deviceCounterConsumption.Counters {
 			consumedCounter := consumedCounterSet[name]
 			consumedCounter.Value.Sub(c.Value)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/constraint.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/constraint.go
index 5ca115e0ef4ca..f528832faa7f4 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/constraint.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/constraint.go
@@ -19,6 +19,7 @@ package experimental
 import (
 	"fmt"
 
+	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	draapi "k8s.io/dynamic-resource-allocation/api"
 	"k8s.io/klog/v2"
@@ -34,9 +35,9 @@ import (
 type distinctAttributeConstraint struct {
 	logger        klog.Logger // Includes name and attribute name, so no need to repeat in log messages.
 	requestNames  sets.Set[string]
-	attributeName draapi.FullyQualifiedName
+	attributeName resourceapi.FullyQualifiedName
 
-	attributes map[string]draapi.DeviceAttribute
+	attributes map[string]resourceapi.DeviceAttribute
 	numDevices int
 }
 
@@ -62,7 +63,7 @@ func (m *distinctAttributeConstraint) add(requestName, subRequestName string, de
 	}
 
 	if !m.matchesAttribute(*attribute) {
-		m.logger.V(7).Info("Constraint not satisfied, duplicated attribute")
+		m.logger.V(7).Info("Constraint not satisfied, has some duplicated attributes")
 		return false
 	}
 	m.attributes[requestName] = *attribute
@@ -91,21 +92,21 @@ func (m *distinctAttributeConstraint) matches(requestName, subRequestName string
 	}
 }
 
-func (m *distinctAttributeConstraint) matchesAttribute(attribute draapi.DeviceAttribute) bool {
+func (m *distinctAttributeConstraint) matchesAttribute(attribute resourceapi.DeviceAttribute) bool {
 	for _, attr := range m.attributes {
 		switch {
 		case attribute.StringValue != nil:
-			if attr.StringValue != nil && attribute.StringValue == attr.StringValue {
+			if attr.StringValue != nil && *attribute.StringValue == *attr.StringValue {
 				m.logger.V(7).Info("String values duplicated")
 				return false
 			}
 		case attribute.IntValue != nil:
-			if attr.IntValue != nil && attribute.IntValue == attr.IntValue {
+			if attr.IntValue != nil && *attribute.IntValue == *attr.IntValue {
 				m.logger.V(7).Info("Int values duplicated")
 				return false
 			}
 		case attribute.BoolValue != nil:
-			if attr.BoolValue != nil && attribute.BoolValue == attr.BoolValue {
+			if attr.BoolValue != nil && *attribute.BoolValue == *attr.BoolValue {
 				m.logger.V(7).Info("Bool values duplicated")
 				return false
 			}
@@ -113,15 +114,18 @@ func (m *distinctAttributeConstraint) matchesAttribute(attribute draapi.DeviceAt
 			// semver 2.0.0 requires that version strings are in their
 			// minimal form (in particular, no leading zeros). Therefore a
 			// strict "exact equal" check can do a string comparison.
-			if attr.VersionValue != nil && attribute.VersionValue == attr.VersionValue {
+			if attr.VersionValue != nil && *attribute.VersionValue == *attr.VersionValue {
 				m.logger.V(7).Info("Version values duplicated")
 				return false
 			}
 		default:
 			// Unknown value type, cannot match.
+			// This condition should not be reached
+			// as the unknown value type should be failed on CEL compile (getAttributeValue).
 			m.logger.V(7).Info("Distinct attribute type unknown")
 			return false
 		}
 	}
+	// All distinct
 	return true
 }
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/consumable_capacity.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/consumable_capacity.go
index 8b663fddeec57..1df17186c2721 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/consumable_capacity.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/consumable_capacity.go
@@ -18,51 +18,43 @@ package experimental
 
 import (
 	"errors"
-	"fmt"
 
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
-	draapi "k8s.io/dynamic-resource-allocation/api"
 	"k8s.io/utils/ptr"
 )
 
 // CmpRequestOverCapacity checks whether the new capacity request can be added within the given capacity,
 // and checks whether the requested value is against the capacity requestPolicy.
 func CmpRequestOverCapacity(currentConsumedCapacity ConsumedCapacity, deviceRequestCapacity *resourceapi.CapacityRequirements,
-	allowMultipleAllocations *bool, capacity map[draapi.QualifiedName]draapi.DeviceCapacity, allocatingCapacity ConsumedCapacity) (bool, error) {
+	allowMultipleAllocations *bool, capacity map[resourceapi.QualifiedName]resourceapi.DeviceCapacity, allocatingCapacity ConsumedCapacity) (bool, error) {
 	if requestsContainNonExistCapacity(deviceRequestCapacity, capacity) {
 		return false, errors.New("some requested capacity has not been defined")
 	}
 	clone := currentConsumedCapacity.Clone()
 	for name, cap := range capacity {
-		convertedName := resourceapi.QualifiedName(name)
-		var convertedCapacity resourceapi.DeviceCapacity
-		err := draapi.Convert_api_DeviceCapacity_To_v1_DeviceCapacity(&cap, &convertedCapacity, nil)
-		if err != nil {
-			return false, fmt.Errorf("failed to convert DeviceCapacity %w", err)
-		}
 		var requestedValPtr *resource.Quantity
 		if deviceRequestCapacity != nil && deviceRequestCapacity.Requests != nil {
-			if requestedVal, requestedFound := deviceRequestCapacity.Requests[convertedName]; requestedFound {
+			if requestedVal, requestedFound := deviceRequestCapacity.Requests[name]; requestedFound {
 				requestedValPtr = &requestedVal
 			}
 		}
-		consumedCapacity := calculateConsumedCapacity(requestedValPtr, convertedCapacity)
-		if violatesPolicy(consumedCapacity, convertedCapacity.RequestPolicy) {
+		consumedCapacity := calculateConsumedCapacity(requestedValPtr, cap)
+		if violatesPolicy(consumedCapacity, cap.RequestPolicy) {
 			return false, nil
 		}
 		// If the current clone already contains an entry for this capacity, add the consumedCapacity to it.
 		// Otherwise, initialize it with calculated consumedCapacity.
-		if _, allocatedFound := clone[convertedName]; allocatedFound {
-			clone[convertedName].Add(consumedCapacity)
+		if _, allocatedFound := clone[name]; allocatedFound {
+			clone[name].Add(consumedCapacity)
 		} else {
-			clone[convertedName] = ptr.To(consumedCapacity)
+			clone[name] = ptr.To(consumedCapacity)
 		}
 		// If allocatingCapacity contains an entry for this capacity, add its value to clone as well.
-		if allocatingVal, allocatingFound := allocatingCapacity[convertedName]; allocatingFound {
-			clone[convertedName].Add(*allocatingVal)
+		if allocatingVal, allocatingFound := allocatingCapacity[name]; allocatingFound {
+			clone[name].Add(*allocatingVal)
 		}
-		if clone[convertedName].Cmp(cap.Value) > 0 {
+		if clone[name].Cmp(cap.Value) > 0 {
 			return false, nil
 		}
 	}
@@ -71,13 +63,12 @@ func CmpRequestOverCapacity(currentConsumedCapacity ConsumedCapacity, deviceRequ
 
 // requestsNonExistCapacity returns true if requests contain non-exist capacity.
 func requestsContainNonExistCapacity(deviceRequestCapacity *resourceapi.CapacityRequirements,
-	capacity map[draapi.QualifiedName]draapi.DeviceCapacity) bool {
+	capacity map[resourceapi.QualifiedName]resourceapi.DeviceCapacity) bool {
 	if deviceRequestCapacity == nil || deviceRequestCapacity.Requests == nil {
 		return false
 	}
 	for name := range deviceRequestCapacity.Requests {
-		convertedName := draapi.QualifiedName(name)
-		if _, found := capacity[convertedName]; !found {
+		if _, found := capacity[name]; !found {
 			return true
 		}
 	}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/pools_experimental.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/pools_experimental.go
index 20a70810e0fe6..bd265d69c6fc9 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/pools_experimental.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/experimental/pools_experimental.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-func nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
+func NodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
 	switch {
 	case nodeNameToMatch != "":
 		return node != nil && node.Name == nodeNameToMatch, nil
@@ -52,16 +52,22 @@ func nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, node
 // required slices available) or invalid (for example, device names not unique).
 // Both is recorded in the result.
 func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node *v1.Node, features Features) ([]*Pool, error) {
-	pools := make(map[PoolID]*Pool)
+	pools := make(map[PoolID][]*draapi.ResourceSlice)
 	var slicesWithBindingConditions []*resourceapi.ResourceSlice
 
 	for _, slice := range slices {
-		if !features.PartitionableDevices && slice.Spec.PerDeviceNodeSelection != nil {
+		if !features.PartitionableDevices && (slice.Spec.PerDeviceNodeSelection != nil || len(slice.Spec.SharedCounters) > 0) {
 			continue
 		}
 
-		if nodeName, allNodes := ptr.Deref(slice.Spec.NodeName, ""), ptr.Deref(slice.Spec.AllNodes, false); nodeName != "" || allNodes || slice.Spec.NodeSelector != nil {
-			match, err := nodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
+		// Always include slices with SharedCounters since they are needed to use a pool
+		// regardless of their node selector.
+		if len(slice.Spec.SharedCounters) > 0 {
+			if err := addSlice(pools, slice); err != nil {
+				return nil, fmt.Errorf("failed to add node slice %s: %w", slice.Name, err)
+			}
+		} else if nodeName, allNodes := ptr.Deref(slice.Spec.NodeName, ""), ptr.Deref(slice.Spec.AllNodes, false); nodeName != "" || allNodes || slice.Spec.NodeSelector != nil {
+			match, err := NodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
 			if err != nil {
 				return nil, fmt.Errorf("failed to perform node selection for slice %s: %w", slice.Name, err)
 			}
@@ -80,7 +86,7 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 			}
 		} else if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
 			for _, device := range slice.Spec.Devices {
-				match, err := nodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+				match, err := NodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 				if err != nil {
 					return nil, fmt.Errorf("failed to perform node selection for device %s in slice %s: %w",
 						device.String(), slice.Name, err)
@@ -118,11 +124,63 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 	}
 
 	// Find incomplete pools and flatten into a single slice.
+	//
+	// When we get here, we only have slices relevant for the node.
+	// There is at least one.
+	// We may have skipped slices with a higher generation
+	// if they are not relevant for the node, so we have to be
+	// careful with the "is incomplete" check.
 	result := make([]*Pool, 0, len(pools))
 	var resultWithBindingConditions []*Pool
-	for _, pool := range pools {
-		pool.IsIncomplete = int64(len(pool.Slices)) != pool.Slices[0].Spec.Pool.ResourceSliceCount
-		pool.IsInvalid, pool.InvalidReason = poolIsInvalid(pool)
+	for poolID, slicesForPool := range pools {
+		// If we have all slices, we are done.
+		isComplete := int64(len(slicesForPool)) == slicesForPool[0].Spec.Pool.ResourceSliceCount
+		if isComplete {
+			pool, err := buildPool(poolID, slicesForPool, features, nil)
+			if err != nil {
+				return nil, err
+			}
+			if poolHasBindingConditions(*pool) {
+				resultWithBindingConditions = append(resultWithBindingConditions, pool)
+				continue
+			}
+			result = append(result, pool)
+			continue
+		}
+		// If not, then we need to start looking for slices
+		// which were filtered out above because their node selection made them look irrelevant
+		// for the current node. This is necessary for "allocate all" mode (it rejects incomplete
+		// pools).
+		isObsolete, allSlicesForPool := checkSlicesInPool(slices, poolID, slicesForPool[0].Spec.Pool.Generation)
+		if isObsolete {
+			// A more thorough check determined that the DRA driver is in the process
+			// of replacing the current generation. The newer one didn't have any slice
+			// which devices for the node, or we would have noticed sooner.
+			//
+			// Let's ignore the old device information by ignoring the pool.
+			continue
+		}
+		// Use the more complete number of slices to check for "incomplete pool".
+		//
+		// The slices that we return to the caller still don't represent the whole
+		// pool, but that's okay: we *want* to limit the result to relevant devices
+		// so the caller doesn't need to check node selectors unnecessarily.
+		isComplete = int64(len(allSlicesForPool)) == slicesForPool[0].Spec.Pool.ResourceSliceCount
+		// If a pool is incomplete, we don't allow allocation so we don't need
+		// to do any validation. We need to keep track of the incomplete pools here
+		// to make sure allocationMode: All doesn't succeed without considering all
+		// devices.
+		if !isComplete {
+			result = append(result, &Pool{
+				PoolID:       poolID,
+				IsIncomplete: true,
+			})
+			continue
+		}
+		pool, err := buildPool(poolID, slicesForPool, features, allSlicesForPool)
+		if err != nil {
+			return nil, err
+		}
 		// if pool has binding conditions, add the pool to the end of the result
 		if poolHasBindingConditions(*pool) {
 			resultWithBindingConditions = append(resultWithBindingConditions, pool)
@@ -137,50 +195,183 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 	return result, nil
 }
 
-func addSlice(pools map[PoolID]*Pool, s *resourceapi.ResourceSlice) error {
+func addSlice(pools map[PoolID][]*draapi.ResourceSlice, s *resourceapi.ResourceSlice) error {
 	var slice draapi.ResourceSlice
 	if err := draapi.Convert_v1_ResourceSlice_To_api_ResourceSlice(s, &slice, nil); err != nil {
 		return fmt.Errorf("convert ResourceSlice: %w", err)
 	}
 
 	id := PoolID{Driver: slice.Spec.Driver, Pool: slice.Spec.Pool.Name}
-	pool := pools[id]
-	if pool == nil {
+	slicesForPool := pools[id]
+	if slicesForPool == nil {
 		// New pool.
-		pool = &Pool{
-			PoolID: id,
-			Slices: []*draapi.ResourceSlice{&slice},
-		}
-		pools[id] = pool
+		pools[id] = []*draapi.ResourceSlice{&slice}
 		return nil
 	}
 
-	if slice.Spec.Pool.Generation < pool.Slices[0].Spec.Pool.Generation {
+	if slice.Spec.Pool.Generation < slicesForPool[0].Spec.Pool.Generation {
 		// Out-dated.
 		return nil
 	}
 
-	if slice.Spec.Pool.Generation > pool.Slices[0].Spec.Pool.Generation {
+	if slice.Spec.Pool.Generation > slicesForPool[0].Spec.Pool.Generation {
 		// Newer, replaces all old slices.
-		pool.Slices = nil
+		pools[id] = []*draapi.ResourceSlice{&slice}
+		return nil
 	}
 
 	// Add to pool.
-	pool.Slices = append(pool.Slices, &slice)
+	slicesForPool = append(slicesForPool, &slice)
+	pools[id] = slicesForPool
 	return nil
 }
 
-func poolIsInvalid(pool *Pool) (bool, string) {
-	devices := sets.New[draapi.UniqueString]()
-	for _, slice := range pool.Slices {
+func buildPool(id PoolID, slices []*draapi.ResourceSlice, features Features, allSlicesForPool []*resourceapi.ResourceSlice) (*Pool, error) {
+	var deviceSlices []*draapi.ResourceSlice
+	var counterSetSlices []*draapi.ResourceSlice
+	if features.PartitionableDevices {
+		for _, slice := range slices {
+			if len(slice.Spec.SharedCounters) > 0 {
+				counterSetSlices = append(counterSetSlices, slice)
+			} else {
+				deviceSlices = append(deviceSlices, slice)
+			}
+		}
+	} else {
+		deviceSlices = slices
+	}
+	if err := validateDeviceNames(deviceSlices); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	// If the partitionable devices feature is not enabled, we don't need to
+	// validate counter sets and consumed counters, so we are done.
+	if !features.PartitionableDevices {
+		return &Pool{
+			PoolID:                    id,
+			DeviceSlicesTargetingNode: deviceSlices,
+		}, nil
+	}
+
+	counterSets, err := getAndValidateCounterSets(counterSetSlices)
+	if err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+
+	if err := validateDeviceCounterConsumption(counterSets, slices); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	// If we have already seen all slices (both with counter sets and devices),
+	// we don't need to do any more validation.
+	if allSlicesForPool == nil || len(slices) == len(allSlicesForPool) {
+		return &Pool{
+			PoolID:                    id,
+			DeviceSlicesTargetingNode: deviceSlices,
+			CounterSets:               counterSets,
+		}, nil
+	}
+
+	// If we have slices that were discarded earlier because they didn't target the current node
+	// we need to check them now. They might include devices that consume counters in the pool and
+	// the allocator needs to know about them to correctly determine available counters.
+	//
+	// We only want to convert the slices we haven't already converted, so make it easy to
+	// look up the names of converted slices.
+	slicesTargetingNodeNames := sets.New[string]()
+	for _, slice := range slices {
+		slicesTargetingNodeNames.Insert(slice.Name)
+	}
+	var slicesNotTargetingNode []*draapi.ResourceSlice
+	for _, slice := range allSlicesForPool {
+		if slicesTargetingNodeNames.Has(slice.Name) {
+			continue
+		}
+		var convertedSlice draapi.ResourceSlice
+		if err := draapi.Convert_v1_ResourceSlice_To_api_ResourceSlice(slice, &convertedSlice, nil); err != nil {
+			return nil, fmt.Errorf("convert ResourceSlice: %w", err)
+		}
+		slicesNotTargetingNode = append(slicesNotTargetingNode, &convertedSlice)
+	}
+	// We need to make sure the devices here are correctly consuming counters and counter
+	// sets. Otherwise the allocator might make incorrect decisions.
+	// We don't validate the device names here. It might be that we should do that, but
+	// this is consistent with existing behavior where we don't validate slices that
+	// we don't allocate from.
+	if err := validateDeviceCounterConsumption(counterSets, slicesNotTargetingNode); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	return &Pool{
+		PoolID:                       id,
+		DeviceSlicesTargetingNode:    deviceSlices,
+		DeviceSlicesNotTargetingNode: slicesNotTargetingNode,
+		CounterSets:                  counterSets,
+	}, nil
+}
+
+func getAndValidateCounterSets(slices []*draapi.ResourceSlice) (map[draapi.UniqueString]*draapi.CounterSet, error) {
+	counterSets := make(map[draapi.UniqueString]*draapi.CounterSet)
+	// We only capture the first error we encounter.
+	for _, slice := range slices {
+		for i := range slice.Spec.SharedCounters {
+			counterSet := slice.Spec.SharedCounters[i]
+			if _, found := counterSets[counterSet.Name]; found {
+				return nil, fmt.Errorf("duplicate counter set name %s", counterSet.Name)
+			}
+			counterSets[counterSet.Name] = &counterSet
+		}
+	}
+	return counterSets, nil
+}
+
+func validateDeviceNames(resourceSlices []*draapi.ResourceSlice) error {
+	deviceNames := sets.New[draapi.UniqueString]()
+	for _, slice := range resourceSlices {
+		for _, device := range slice.Spec.Devices {
+			// Make sure we don't have duplicate device names
+			if deviceNames.Has(device.Name) {
+				return fmt.Errorf("duplicate device name %s", device.Name)
+			}
+			deviceNames.Insert(device.Name)
+		}
+	}
+	return nil
+}
+
+func validateDeviceCounterConsumption(counterSets map[draapi.UniqueString]*draapi.CounterSet, resourceSlices []*draapi.ResourceSlice) error {
+	for _, slice := range resourceSlices {
 		for _, device := range slice.Spec.Devices {
-			if devices.Has(device.Name) {
-				return true, fmt.Sprintf("duplicate device name %s", device.Name)
+			// Make sure all consumed counters for the device references counter sets that exists and
+			// that they consume counters that exists within those counter sets.
+			for _, deviceCounterConsumption := range device.ConsumesCounters {
+				counterSet, found := counterSets[deviceCounterConsumption.CounterSet]
+				if !found {
+					return fmt.Errorf("counter set %s not found", deviceCounterConsumption.CounterSet)
+				}
+
+				for counterName := range deviceCounterConsumption.Counters {
+					if _, found := counterSet.Counters[counterName]; !found {
+						return fmt.Errorf("counter %s not found in counter set %s", counterName, counterSet.Name)
+					}
+				}
 			}
-			devices.Insert(device.Name)
 		}
 	}
-	return false, ""
+	return nil
 }
 
 func hasBindingConditions(slice *resourceapi.ResourceSlice) bool {
@@ -193,7 +384,7 @@ func hasBindingConditions(slice *resourceapi.ResourceSlice) bool {
 }
 
 func poolHasBindingConditions(pool Pool) bool {
-	for _, slice := range pool.Slices {
+	for _, slice := range pool.DeviceSlicesTargetingNode {
 		for _, device := range slice.Spec.Devices {
 			if device.BindingConditions != nil {
 				return true
@@ -203,12 +394,47 @@ func poolHasBindingConditions(pool Pool) bool {
 	return false
 }
 
+// checkSlicesInPool is an expensive check of all slices in the pool.
+// The generation is what the caller wants to move ahead with.
+//
+// It returns:
+// - current generation is obsolete -> no further checking
+// - all slices with the generation in the pool
+//
+// Future TODO: detect inconsistent ResourceSliceCount, also in poolIsInvalid.
+func checkSlicesInPool(slices []*resourceapi.ResourceSlice, poolID PoolID, generation int64) (bool, []*resourceapi.ResourceSlice) {
+	// A cached index by pool ID would make this more efficient.
+	// It may be needed long-term to support features which always have to consider all slices.
+	var allSlicesForPool []*resourceapi.ResourceSlice
+	for i := range slices {
+		slice := slices[i]
+		if slice.Spec.Driver != poolID.Driver.String() ||
+			slice.Spec.Pool.Name != poolID.Pool.String() {
+			// Different pool.
+			continue
+		}
+		switch {
+		case slice.Spec.Pool.Generation == generation:
+			allSlicesForPool = append(allSlicesForPool, slice)
+		case slice.Spec.Pool.Generation > generation:
+			// The caller must have missed some other slice in the pool.
+			// Abort!
+			return true, nil
+		default:
+			// Older generation, ignore.
+		}
+	}
+	return false, allSlicesForPool
+}
+
 type Pool struct {
 	PoolID
-	IsIncomplete  bool
-	IsInvalid     bool
-	InvalidReason string
-	Slices        []*draapi.ResourceSlice
+	IsIncomplete                 bool
+	IsInvalid                    bool
+	InvalidReason                string
+	DeviceSlicesTargetingNode    []*draapi.ResourceSlice
+	DeviceSlicesNotTargetingNode []*draapi.ResourceSlice
+	CounterSets                  map[draapi.UniqueString]*draapi.CounterSet
 }
 
 type PoolID struct {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/allocator_incubating.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/allocator_incubating.go
index b3b4f7d2c662d..a051dd9640ca2 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/allocator_incubating.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/allocator_incubating.go
@@ -62,16 +62,16 @@ type Allocator struct {
 	classLister      DeviceClassLister
 	slices           []*resourceapi.ResourceSlice
 	celCache         *cel.Cache
-	// availableCounters contains the available counters for individual
-	// ResourceSlices. It acts as a cache that is updated the first time
-	// the available counters are needed for each ResourceSlice. The information
-	// about each slice is never updated once set the first time.
+	// availableCounters contains the available counters for each
+	// resource pool. It acts as a cache that is updated the first time
+	// the available counters are needed for each pool. The information
+	// about each pool is never updated once set the first time.
 	// This is computed bsed on information on the Allocator, so it will
 	// be correct even for multiple usages of the Allocator.
-	// The keys in the map are ResourceSlice names.
+	// The keys in the map are resource pool names.
 	// The allocator might be accessed by different goroutines, so
 	// access to this map must be synchronized.
-	availableCounters map[string]counterSets
+	availableCounters map[draapi.UniqueString]counterSets
 	mutex             sync.RWMutex
 	// numAllocateOneInvocations counts the number of times the allocateOne
 	// function is called for the allocator. This is a measurement of the
@@ -99,7 +99,7 @@ func NewAllocator(ctx context.Context,
 		classLister:       classLister,
 		slices:            slices,
 		celCache:          celCache,
-		availableCounters: make(map[string]counterSets),
+		availableCounters: make(map[draapi.UniqueString]counterSets),
 	}, nil
 }
 
@@ -112,12 +112,14 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		claimsToAllocate:     claims,
 		deviceMatchesRequest: make(map[matchKey]bool),
 		constraints:          make([][]constraint, len(claims)),
-		consumedCounters:     make(map[string]counterSets),
+		consumedCounters:     make(map[draapi.UniqueString]counterSets),
 		requestData:          make(map[requestIndices]requestData),
 		result:               make([]internalAllocationResult, len(claims)),
 	}
-	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate))
-	defer alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate), "numSlices", len(alloc.slices))
+	defer func() {
+		alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	}()
 
 	// First determine all eligible pools.
 	pools, err := GatherPools(ctx, alloc.slices, node, a.features)
@@ -222,7 +224,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		for i, constraint := range claim.Spec.Devices.Constraints {
 			switch {
 			case constraint.MatchAttribute != nil:
-				matchAttribute := draapi.FullyQualifiedName(*constraint.MatchAttribute)
+				matchAttribute := resourceapi.FullyQualifiedName(*constraint.MatchAttribute)
 				logger := alloc.logger
 				if loggerV := alloc.logger.V(6); loggerV.Enabled() {
 					logger = klog.LoggerWithName(logger, "matchAttributeConstraint")
@@ -276,6 +278,17 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		return nil, err
 	}
 	if !done {
+		// If no devices could be allocated, but we found one or more
+		// invalid pools, return an error here. We didn't do it during
+		// allocation since there might be valid pools from which the
+		// claims could be satisfied.
+		for _, pool := range pools {
+			if pool.IsInvalid {
+				// Not a fatal error, allocation on other nodes may proceed.
+				// The error is only surfaced if allocation fails on all nodes.
+				return nil, fmt.Errorf("invalid resource pools were encountered%w", internal.ErrFailedAllocationOnNode)
+			}
+		}
 		return nil, nil
 	}
 
@@ -291,6 +304,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 				Pool:        internal.id.Pool.String(),
 				Device:      internal.id.Device.String(),
 				AdminAccess: internal.adminAccess,
+				Tolerations: internal.lookupRequest(claim).tolerations(),
 			}
 		}
 
@@ -446,7 +460,7 @@ func (alloc *allocator) validateDeviceRequest(request requestAccessor, parentReq
 				return requestData, fmt.Errorf("claim %s, request %s: asks for all devices, but resource pool %s is currently invalid", klog.KObj(claim), request.name(), pool.PoolID)
 			}
 
-			for _, slice := range pool.Slices {
+			for _, slice := range pool.DeviceSlicesTargetingNode {
 				for deviceIndex := range slice.Spec.Devices {
 					selectable, err := alloc.isSelectable(requestKey, requestData, slice, deviceIndex)
 					if err != nil {
@@ -495,8 +509,8 @@ type allocator struct {
 	constraints          [][]constraint // one list of constraints per claim
 	// consumedCounters keeps track of the counters consumed by all devices
 	// that are in the process of being allocated.
-	// The keys in the map are ResourceSlice names.
-	consumedCounters map[string]counterSets
+	// The keys in the map are resource pool names.
+	consumedCounters map[draapi.UniqueString]counterSets
 	requestData      map[requestIndices]requestData // one entry per request with no subrequests and one entry per subrequest
 	// allocatingDevices tracks which devices will be newly allocated for a
 	// particular attempt to find a solution. The map is indexed by device
@@ -509,7 +523,7 @@ type allocator struct {
 
 // counterSets is a map with the name of counter sets to the counters in
 // the set.
-type counterSets map[draapi.UniqueString]map[string]draapi.Counter
+type counterSets map[draapi.UniqueString]map[string]resourceapi.Counter
 
 // matchKey identifies a device/request pair.
 type matchKey struct {
@@ -565,6 +579,7 @@ type deviceWithID struct {
 	*draapi.Device
 	id    DeviceID
 	slice *draapi.ResourceSlice
+	pool  *Pool
 }
 
 type internalAllocationResult struct {
@@ -580,11 +595,36 @@ type internalDeviceResult struct {
 	adminAccess   *bool
 }
 
-func (i internalDeviceResult) requestName() string {
-	if i.parentRequest == "" {
-		return i.request
+func (idr internalDeviceResult) requestName() string {
+	if idr.parentRequest == "" {
+		return idr.request
+	}
+	return fmt.Sprintf("%s/%s", idr.parentRequest, idr.request)
+}
+
+func (idr internalDeviceResult) lookupRequest(claim *resourceapi.ResourceClaim) requestAccessor {
+	requestName := idr.request
+	if idr.parentRequest != "" {
+		requestName = idr.parentRequest
+	}
+	for i := range claim.Spec.Devices.Requests {
+		request := &claim.Spec.Devices.Requests[i]
+		if request.Name != requestName {
+			continue
+		}
+		if idr.parentRequest == "" {
+			// No need to check sub-requests.
+			return &exactDeviceRequestAccessor{request}
+		}
+		for j := range request.FirstAvailable {
+			subRequest := &request.FirstAvailable[j]
+			if subRequest.Name != idr.request {
+				continue
+			}
+			return &deviceSubRequestAccessor{subRequest}
+		}
 	}
-	return fmt.Sprintf("%s/%s", i.parentRequest, i.request)
+	return nil
 }
 
 type constraint interface {
@@ -608,9 +648,9 @@ type constraint interface {
 type matchAttributeConstraint struct {
 	logger        klog.Logger // Includes name and attribute name, so no need to repeat in log messages.
 	requestNames  sets.Set[string]
-	attributeName draapi.FullyQualifiedName
+	attributeName resourceapi.FullyQualifiedName
 
-	attribute  *draapi.DeviceAttribute
+	attribute  *resourceapi.DeviceAttribute
 	numDevices int
 }
 
@@ -690,9 +730,9 @@ func (m *matchAttributeConstraint) matches(requestName, subRequestName string) b
 	}
 }
 
-func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName draapi.FullyQualifiedName) *draapi.DeviceAttribute {
+func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName resourceapi.FullyQualifiedName) *resourceapi.DeviceAttribute {
 	// Fully-qualified match?
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName)]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName)]; ok {
 		return &attr
 	}
 	index := strings.Index(string(attributeName), "/")
@@ -708,7 +748,7 @@ func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName dra
 	}
 
 	// Domain matches the driver, so let's check just the ID.
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName[index+1:])]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName[index+1:])]; ok {
 		return &attr
 	}
 
@@ -876,13 +916,13 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 
 	// We need to find suitable devices.
 	for _, pool := range alloc.pools {
-		// If the pool is not valid, then fail now. It's okay when pools of one driver
-		// are invalid if we allocate from some other pool, but it's not safe to
-		// allocated from an invalid pool.
-		if pool.IsInvalid {
-			return false, fmt.Errorf("pool %s is invalid: %s", pool.Pool, pool.InvalidReason)
+		// We don't allocate devices from invalid or incomplete pools, but
+		// don't error out here since there might be available devices in other
+		// pools.
+		if pool.IsIncomplete || pool.IsInvalid {
+			continue
 		}
-		for _, slice := range pool.Slices {
+		for _, slice := range pool.DeviceSlicesTargetingNode {
 			for deviceIndex := range slice.Spec.Devices {
 				deviceID := DeviceID{Driver: pool.Driver, Pool: pool.Pool, Device: slice.Spec.Devices[deviceIndex].Name}
 
@@ -912,6 +952,7 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 					id:     deviceID,
 					Device: &slice.Spec.Devices[deviceIndex],
 					slice:  slice,
+					pool:   pool,
 				}
 				allocated, deallocate, err := alloc.allocateDevice(r, device, false)
 				if err != nil {
@@ -956,7 +997,7 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 // isSelectable checks whether a device satisfies the request and class selectors.
 func (alloc *allocator) isSelectable(r requestIndices, requestData requestData, slice *draapi.ResourceSlice, deviceIndex int) (bool, error) {
 	device := &slice.Spec.Devices[deviceIndex]
-	if (!alloc.features.DeviceBinding || !alloc.features.DeviceStatus) &&
+	if !alloc.features.DeviceBindingAndStatus &&
 		len(device.BindingConditions) > 0 {
 		// Devices with binding conditions are not supported, feature is off.
 		return false, nil
@@ -991,7 +1032,7 @@ func (alloc *allocator) isSelectable(r requestIndices, requestData requestData,
 	}
 
 	if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
-		matches, err := nodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+		matches, err := NodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 		if err != nil {
 			return false, err
 		}
@@ -1108,7 +1149,7 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 
 	// Might be tainted, in which case the taint has to be tolerated.
 	// The check is skipped if the feature is disabled.
-	if alloc.features.DeviceTaints && !allTaintsTolerated(device.Device, request) {
+	if alloc.features.DeviceTaints && taintPreventsAllocation(device.Device, request) {
 		return false, nil, nil
 	}
 
@@ -1166,13 +1207,17 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 	}, nil
 }
 
-func allTaintsTolerated(device *draapi.Device, request requestAccessor) bool {
+func taintPreventsAllocation(device *draapi.Device, request requestAccessor) bool {
 	for _, taint := range device.Taints {
-		if !taintTolerated(taint, request) {
-			return false
+		switch taint.Effect {
+		// Only known effects prevent allocation, others (including None) are ignored.
+		case resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule:
+			if !taintTolerated(taint, request) {
+				return true
+			}
 		}
 	}
-	return true
+	return false
 }
 
 func taintTolerated(taint resourceapi.DeviceTaint, request requestAccessor) bool {
@@ -1190,13 +1235,13 @@ func taintTolerated(taint resourceapi.DeviceTaint, request requestAccessor) bool
 // Gets called only if the partitionable devices feature is enabled and the device
 // consumes counters.
 func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error) {
-	slice := device.slice
-	sliceName := slice.Name
+	pool := device.pool
+	poolName := pool.PoolID.Pool
 
-	// Check first if the available counters for this slice have already been
+	// Check first if the available counters for this pool have already been
 	// calculated.
 	alloc.mutex.RLock()
-	availableCountersForSlice, found := alloc.availableCounters[sliceName]
+	availableCountersForPool, found := alloc.availableCounters[poolName]
 	alloc.mutex.RUnlock()
 	// If not, we need to do it now. But we store the result so it doesn't need
 	// to be calculated again.
@@ -1204,69 +1249,73 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	// might also do this work. But the input will be the same to all of them, so
 	// the result will also always be the same.
 	if !found {
-		availableCountersForSlice = make(counterSets, len(slice.Spec.SharedCounters))
-		for _, counterSet := range slice.Spec.SharedCounters {
-			availableCountersForCounterSet := make(map[string]draapi.Counter, len(counterSet.Counters))
+		availableCountersForPool = make(counterSets, len(pool.CounterSets))
+		for _, counterSet := range pool.CounterSets {
+			availableCountersForCounterSet := make(map[string]resourceapi.Counter, len(counterSet.Counters))
 			for name, c := range counterSet.Counters {
 				availableCountersForCounterSet[name] = c
 			}
-			availableCountersForSlice[counterSet.Name] = availableCountersForCounterSet
+			availableCountersForPool[counterSet.Name] = availableCountersForCounterSet
 		}
 
 		// Update the data structure to reflect counters already consumed by allocated devices. This
 		// only includes devices where the allocation process has completed, so this will never
 		// change during the allocation process.
-		for _, device := range slice.Spec.Devices {
-			deviceID := DeviceID{
-				Driver: slice.Spec.Driver,
-				Pool:   slice.Spec.Pool.Name,
-				Device: device.Name,
-			}
-			// Devices that aren't allocated doesn't consume any counters, so we don't
-			// need to consider them.
-			if !alloc.allocatedDevices.Has(deviceID) {
-				continue
-			}
-			for _, deviceCounterConsumption := range device.ConsumesCounters {
-				availableCountersForCounterSet := availableCountersForSlice[deviceCounterConsumption.CounterSet]
-				for name, c := range deviceCounterConsumption.Counters {
-					existingCounter, ok := availableCountersForCounterSet[name]
-					if !ok {
-						// the API validation logic has been added to make sure the counters referred should exist in counter sets.
+		for _, resourceSlices := range [][]*draapi.ResourceSlice{pool.DeviceSlicesTargetingNode, pool.DeviceSlicesNotTargetingNode} {
+			for _, slice := range resourceSlices {
+				for _, device := range slice.Spec.Devices {
+					deviceID := DeviceID{
+						Driver: slice.Spec.Driver,
+						Pool:   slice.Spec.Pool.Name,
+						Device: device.Name,
+					}
+					// Devices that aren't allocated doesn't consume any counters, so we don't
+					// need to consider them.
+					if !alloc.allocatedDevices.Has(deviceID) {
 						continue
 					}
-					// This can potentially result in negative available counters. That is fine,
-					// we just treat it as no counters available.
-					existingCounter.Value.Sub(c.Value)
-					availableCountersForCounterSet[name] = existingCounter
+					for _, deviceCounterConsumption := range device.ConsumesCounters {
+						availableCountersForCounterSet := availableCountersForPool[deviceCounterConsumption.CounterSet]
+						for name, c := range deviceCounterConsumption.Counters {
+							existingCounter, ok := availableCountersForCounterSet[name]
+							if !ok {
+								// the API validation logic has been added to make sure the counters referred should exist in counter sets.
+								continue
+							}
+							// This can potentially result in negative available counters. That is fine,
+							// we just treat it as no counters available.
+							existingCounter.Value.Sub(c.Value)
+							availableCountersForCounterSet[name] = existingCounter
+						}
+					}
+					// Note that we don't include devices in the alloc.allocatingDevices here since
+					// counters consumed by devices for the current claims are tracked in
+					// alloc.consumedCounters
 				}
 			}
-			// Note that we don't include devices in the alloc.allocatingDevices here since
-			// counters consumed by devices for the current claims are tracked in
-			// alloc.consumedCounters
 		}
 
 		// Set the available counters on the allocator so we don't have to
 		// compute this again.
 		alloc.mutex.Lock()
-		alloc.availableCounters[sliceName] = availableCountersForSlice
+		alloc.availableCounters[poolName] = availableCountersForPool
 		alloc.mutex.Unlock()
 	}
 
 	// Update the consumedCounters data structure with the counters consumed
 	// by the current device.
-	consumedCountersForSlice, found := alloc.consumedCounters[sliceName]
+	consumedCountersForPool, found := alloc.consumedCounters[poolName]
 	// If no devices in the allocating state have consumed any counters from the current
-	// slice, initialize the data structure.
+	// pool, initialize the data structure.
 	if !found {
-		consumedCountersForSlice = make(counterSets)
-		alloc.consumedCounters[sliceName] = consumedCountersForSlice
+		consumedCountersForPool = make(counterSets)
+		alloc.consumedCounters[poolName] = consumedCountersForPool
 	}
 	for _, deviceCounterConsumption := range device.ConsumesCounters {
-		consumedCountersForCounterSet, found := consumedCountersForSlice[deviceCounterConsumption.CounterSet]
+		consumedCountersForCounterSet, found := consumedCountersForPool[deviceCounterConsumption.CounterSet]
 		if !found {
-			consumedCountersForCounterSet = make(map[string]draapi.Counter)
-			consumedCountersForSlice[deviceCounterConsumption.CounterSet] = consumedCountersForCounterSet
+			consumedCountersForCounterSet = make(map[string]resourceapi.Counter)
+			consumedCountersForPool[deviceCounterConsumption.CounterSet] = consumedCountersForCounterSet
 		}
 		for name, c := range deviceCounterConsumption.Counters {
 			consumedCounters, found := consumedCountersForCounterSet[name]
@@ -1282,8 +1331,8 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	// Check that we didn't exceed the availability of any counters by allocating
 	// the current device. If we did, the current set of devices doesn't work, so we
 	// update the consumed counters to no longer reflect the current device.
-	for availableCounterSetName, availableCounters := range availableCountersForSlice {
-		consumedCounters := consumedCountersForSlice[availableCounterSetName]
+	for availableCounterSetName, availableCounters := range availableCountersForPool {
+		consumedCounters := consumedCountersForPool[availableCounterSetName]
 		for availableCounterName, availableCounter := range availableCounters {
 			consumedCounter := consumedCounters[availableCounterName]
 			if availableCounter.Value.Cmp(consumedCounter.Value) < 0 {
@@ -1311,13 +1360,12 @@ func (alloc *allocator) allocatingDeviceForClaim(deviceID DeviceID, claimIndex i
 // deallocateCountersForDevice subtracts the consumed counters of the provided
 // device from the consumedCounters data structure.
 func (alloc *allocator) deallocateCountersForDevice(device deviceWithID) {
-	slice := device.slice
-	sliceName := slice.Name
+	poolName := device.pool.PoolID.Pool
 
-	consumedCountersForSlice := alloc.consumedCounters[sliceName]
+	consumedCountersForPool := alloc.consumedCounters[poolName]
 	for _, deviceCounterConsumption := range device.ConsumesCounters {
 		counterSetName := deviceCounterConsumption.CounterSet
-		consumedCounterSet := consumedCountersForSlice[counterSetName]
+		consumedCounterSet := consumedCountersForPool[counterSetName]
 		for name, c := range deviceCounterConsumption.Counters {
 			consumedCounter := consumedCounterSet[name]
 			consumedCounter.Value.Sub(c.Value)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/pools_incubating.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/pools_incubating.go
index e41cdcadb0e24..5522b1a8fde78 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/pools_incubating.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/incubating/pools_incubating.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-func nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
+func NodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
 	switch {
 	case nodeNameToMatch != "":
 		return node != nil && node.Name == nodeNameToMatch, nil
@@ -52,15 +52,21 @@ func nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, node
 // required slices available) or invalid (for example, device names not unique).
 // Both is recorded in the result.
 func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node *v1.Node, features Features) ([]*Pool, error) {
-	pools := make(map[PoolID]*Pool)
+	pools := make(map[PoolID][]*draapi.ResourceSlice)
 
 	for _, slice := range slices {
-		if !features.PartitionableDevices && slice.Spec.PerDeviceNodeSelection != nil {
+		if !features.PartitionableDevices && (slice.Spec.PerDeviceNodeSelection != nil || len(slice.Spec.SharedCounters) > 0) {
 			continue
 		}
 
-		if nodeName, allNodes := ptr.Deref(slice.Spec.NodeName, ""), ptr.Deref(slice.Spec.AllNodes, false); nodeName != "" || allNodes || slice.Spec.NodeSelector != nil {
-			match, err := nodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
+		// Always include slices with SharedCounters since they are needed to use a pool
+		// regardless of their node selector.
+		if len(slice.Spec.SharedCounters) > 0 {
+			if err := addSlice(pools, slice); err != nil {
+				return nil, fmt.Errorf("failed to add node slice %s: %w", slice.Name, err)
+			}
+		} else if nodeName, allNodes := ptr.Deref(slice.Spec.NodeName, ""), ptr.Deref(slice.Spec.AllNodes, false); nodeName != "" || allNodes || slice.Spec.NodeSelector != nil {
+			match, err := NodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
 			if err != nil {
 				return nil, fmt.Errorf("failed to perform node selection for slice %s: %w", slice.Name, err)
 			}
@@ -71,7 +77,7 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 			}
 		} else if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
 			for _, device := range slice.Spec.Devices {
-				match, err := nodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+				match, err := NodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 				if err != nil {
 					return nil, fmt.Errorf("failed to perform node selection for device %s in slice %s: %w",
 						device.String(), slice.Name, err)
@@ -97,68 +103,284 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 	}
 
 	// Find incomplete pools and flatten into a single slice.
+	//
+	// When we get here, we only have slices relevant for the node.
+	// There is at least one.
+	// We may have skipped slices with a higher generation
+	// if they are not relevant for the node, so we have to be
+	// careful with the "is incomplete" check.
 	result := make([]*Pool, 0, len(pools))
-	for _, pool := range pools {
-		pool.IsIncomplete = int64(len(pool.Slices)) != pool.Slices[0].Spec.Pool.ResourceSliceCount
-		pool.IsInvalid, pool.InvalidReason = poolIsInvalid(pool)
+	for poolID, slicesForPool := range pools {
+		// If we have all slices, we are done.
+		isComplete := int64(len(slicesForPool)) == slicesForPool[0].Spec.Pool.ResourceSliceCount
+		if isComplete {
+			pool, err := buildPool(poolID, slicesForPool, features, nil)
+			if err != nil {
+				return nil, err
+			}
+			result = append(result, pool)
+			continue
+		}
+		// If not, then we need to start looking for slices
+		// which were filtered out above because their node selection made them look irrelevant
+		// for the current node. This is necessary for "allocate all" mode (it rejects incomplete
+		// pools).
+		isObsolete, allSlicesForPool := checkSlicesInPool(slices, poolID, slicesForPool[0].Spec.Pool.Generation)
+		if isObsolete {
+			// A more thorough check determined that the DRA driver is in the process
+			// of replacing the current generation. The newer one didn't have any slice
+			// which devices for the node, or we would have noticed sooner.
+			//
+			// Let's ignore the old device information by ignoring the pool.
+			continue
+		}
+		// Use the more complete number of slices to check for "incomplete pool".
+		//
+		// The slices that we return to the caller still don't represent the whole
+		// pool, but that's okay: we *want* to limit the result to relevant devices
+		// so the caller doesn't need to check node selectors unnecessarily.
+		isComplete = int64(len(allSlicesForPool)) == slicesForPool[0].Spec.Pool.ResourceSliceCount
+		// If a pool is incomplete, we don't allow allocation so we don't need
+		// to do any validation. We need to keep track of the incomplete pools here
+		// to make sure allocationMode: All doesn't succeed without considering all
+		// devices.
+		if !isComplete {
+			result = append(result, &Pool{
+				PoolID:       poolID,
+				IsIncomplete: true,
+			})
+			continue
+		}
+		pool, err := buildPool(poolID, slicesForPool, features, allSlicesForPool)
+		if err != nil {
+			return nil, err
+		}
 		result = append(result, pool)
 	}
 
 	return result, nil
 }
 
-func addSlice(pools map[PoolID]*Pool, s *resourceapi.ResourceSlice) error {
+func addSlice(pools map[PoolID][]*draapi.ResourceSlice, s *resourceapi.ResourceSlice) error {
 	var slice draapi.ResourceSlice
 	if err := draapi.Convert_v1_ResourceSlice_To_api_ResourceSlice(s, &slice, nil); err != nil {
 		return fmt.Errorf("convert ResourceSlice: %w", err)
 	}
 
 	id := PoolID{Driver: slice.Spec.Driver, Pool: slice.Spec.Pool.Name}
-	pool := pools[id]
-	if pool == nil {
+	slicesForPool := pools[id]
+	if slicesForPool == nil {
 		// New pool.
-		pool = &Pool{
-			PoolID: id,
-			Slices: []*draapi.ResourceSlice{&slice},
-		}
-		pools[id] = pool
+		pools[id] = []*draapi.ResourceSlice{&slice}
 		return nil
 	}
 
-	if slice.Spec.Pool.Generation < pool.Slices[0].Spec.Pool.Generation {
+	if slice.Spec.Pool.Generation < slicesForPool[0].Spec.Pool.Generation {
 		// Out-dated.
 		return nil
 	}
 
-	if slice.Spec.Pool.Generation > pool.Slices[0].Spec.Pool.Generation {
+	if slice.Spec.Pool.Generation > slicesForPool[0].Spec.Pool.Generation {
 		// Newer, replaces all old slices.
-		pool.Slices = nil
+		pools[id] = []*draapi.ResourceSlice{&slice}
+		return nil
 	}
 
 	// Add to pool.
-	pool.Slices = append(pool.Slices, &slice)
+	slicesForPool = append(slicesForPool, &slice)
+	pools[id] = slicesForPool
+	return nil
+}
+
+func buildPool(id PoolID, slices []*draapi.ResourceSlice, features Features, allSlicesForPool []*resourceapi.ResourceSlice) (*Pool, error) {
+	var deviceSlices []*draapi.ResourceSlice
+	var counterSetSlices []*draapi.ResourceSlice
+	if features.PartitionableDevices {
+		for _, slice := range slices {
+			if len(slice.Spec.SharedCounters) > 0 {
+				counterSetSlices = append(counterSetSlices, slice)
+			} else {
+				deviceSlices = append(deviceSlices, slice)
+			}
+		}
+	} else {
+		deviceSlices = slices
+	}
+	if err := validateDeviceNames(deviceSlices); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	// If the partitionable devices feature is not enabled, we don't need to
+	// validate counter sets and consumed counters, so we are done.
+	if !features.PartitionableDevices {
+		return &Pool{
+			PoolID:                    id,
+			DeviceSlicesTargetingNode: deviceSlices,
+		}, nil
+	}
+
+	counterSets, err := getAndValidateCounterSets(counterSetSlices)
+	if err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+
+	if err := validateDeviceCounterConsumption(counterSets, slices); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	// If we have already seen all slices (both with counter sets and devices),
+	// we don't need to do any more validation.
+	if allSlicesForPool == nil || len(slices) == len(allSlicesForPool) {
+		return &Pool{
+			PoolID:                    id,
+			DeviceSlicesTargetingNode: deviceSlices,
+			CounterSets:               counterSets,
+		}, nil
+	}
+
+	// If we have slices that were discarded earlier because they didn't target the current node
+	// we need to check them now. They might include devices that consume counters in the pool and
+	// the allocator needs to know about them to correctly determine available counters.
+	//
+	// We only want to convert the slices we haven't already converted, so make it easy to
+	// look up the names of converted slices.
+	slicesTargetingNodeNames := sets.New[string]()
+	for _, slice := range slices {
+		slicesTargetingNodeNames.Insert(slice.Name)
+	}
+	var slicesNotTargetingNode []*draapi.ResourceSlice
+	for _, slice := range allSlicesForPool {
+		if slicesTargetingNodeNames.Has(slice.Name) {
+			continue
+		}
+		var convertedSlice draapi.ResourceSlice
+		if err := draapi.Convert_v1_ResourceSlice_To_api_ResourceSlice(slice, &convertedSlice, nil); err != nil {
+			return nil, fmt.Errorf("convert ResourceSlice: %w", err)
+		}
+		slicesNotTargetingNode = append(slicesNotTargetingNode, &convertedSlice)
+	}
+	// We need to make sure the devices here are correctly consuming counters and counter
+	// sets. Otherwise the allocator might make incorrect decisions.
+	// We don't validate the device names here. It might be that we should do that, but
+	// this is consistent with existing behavior where we don't validate slices that
+	// we don't allocate from.
+	if err := validateDeviceCounterConsumption(counterSets, slicesNotTargetingNode); err != nil {
+		return &Pool{
+			PoolID:        id,
+			IsInvalid:     true,
+			InvalidReason: err.Error(),
+		}, nil
+	}
+	return &Pool{
+		PoolID:                       id,
+		DeviceSlicesTargetingNode:    deviceSlices,
+		DeviceSlicesNotTargetingNode: slicesNotTargetingNode,
+		CounterSets:                  counterSets,
+	}, nil
+}
+
+func getAndValidateCounterSets(slices []*draapi.ResourceSlice) (map[draapi.UniqueString]*draapi.CounterSet, error) {
+	counterSets := make(map[draapi.UniqueString]*draapi.CounterSet)
+	// We only capture the first error we encounter.
+	for _, slice := range slices {
+		for i := range slice.Spec.SharedCounters {
+			counterSet := slice.Spec.SharedCounters[i]
+			if _, found := counterSets[counterSet.Name]; found {
+				return nil, fmt.Errorf("duplicate counter set name %s", counterSet.Name)
+			}
+			counterSets[counterSet.Name] = &counterSet
+		}
+	}
+	return counterSets, nil
+}
+
+func validateDeviceNames(resourceSlices []*draapi.ResourceSlice) error {
+	deviceNames := sets.New[draapi.UniqueString]()
+	for _, slice := range resourceSlices {
+		for _, device := range slice.Spec.Devices {
+			// Make sure we don't have duplicate device names
+			if deviceNames.Has(device.Name) {
+				return fmt.Errorf("duplicate device name %s", device.Name)
+			}
+			deviceNames.Insert(device.Name)
+		}
+	}
 	return nil
 }
 
-func poolIsInvalid(pool *Pool) (bool, string) {
-	devices := sets.New[draapi.UniqueString]()
-	for _, slice := range pool.Slices {
+func validateDeviceCounterConsumption(counterSets map[draapi.UniqueString]*draapi.CounterSet, resourceSlices []*draapi.ResourceSlice) error {
+	for _, slice := range resourceSlices {
 		for _, device := range slice.Spec.Devices {
-			if devices.Has(device.Name) {
-				return true, fmt.Sprintf("duplicate device name %s", device.Name)
+			// Make sure all consumed counters for the device references counter sets that exists and
+			// that they consume counters that exists within those counter sets.
+			for _, deviceCounterConsumption := range device.ConsumesCounters {
+				counterSet, found := counterSets[deviceCounterConsumption.CounterSet]
+				if !found {
+					return fmt.Errorf("counter set %s not found", deviceCounterConsumption.CounterSet)
+				}
+
+				for counterName := range deviceCounterConsumption.Counters {
+					if _, found := counterSet.Counters[counterName]; !found {
+						return fmt.Errorf("counter %s not found in counter set %s", counterName, counterSet.Name)
+					}
+				}
 			}
-			devices.Insert(device.Name)
 		}
 	}
-	return false, ""
+	return nil
+}
+
+// checkSlicesInPool is an expensive check of all slices in the pool.
+// The generation is what the caller wants to move ahead with.
+//
+// It returns:
+// - current generation is obsolete -> no further checking
+// - all slices with the generation in the pool
+//
+// Future TODO: detect inconsistent ResourceSliceCount, also in poolIsInvalid.
+func checkSlicesInPool(slices []*resourceapi.ResourceSlice, poolID PoolID, generation int64) (bool, []*resourceapi.ResourceSlice) {
+	// A cached index by pool ID would make this more efficient.
+	// It may be needed long-term to support features which always have to consider all slices.
+	var allSlicesForPool []*resourceapi.ResourceSlice
+	for i := range slices {
+		slice := slices[i]
+		if slice.Spec.Driver != poolID.Driver.String() ||
+			slice.Spec.Pool.Name != poolID.Pool.String() {
+			// Different pool.
+			continue
+		}
+		switch {
+		case slice.Spec.Pool.Generation == generation:
+			allSlicesForPool = append(allSlicesForPool, slice)
+		case slice.Spec.Pool.Generation > generation:
+			// The caller must have missed some other slice in the pool.
+			// Abort!
+			return true, nil
+		default:
+			// Older generation, ignore.
+		}
+	}
+	return false, allSlicesForPool
 }
 
 type Pool struct {
 	PoolID
-	IsIncomplete  bool
-	IsInvalid     bool
-	InvalidReason string
-	Slices        []*draapi.ResourceSlice
+	IsIncomplete                 bool
+	IsInvalid                    bool
+	InvalidReason                string
+	DeviceSlicesTargetingNode    []*draapi.ResourceSlice
+	DeviceSlicesNotTargetingNode []*draapi.ResourceSlice
+	CounterSets                  map[draapi.UniqueString]*draapi.CounterSet
 }
 
 type PoolID struct {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/allocator_stable.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/allocator_stable.go
index 54440746b784f..eb513552474fe 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/allocator_stable.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/allocator_stable.go
@@ -107,8 +107,10 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		requestData:          make(map[requestIndices]requestData),
 		result:               make([]internalAllocationResult, len(claims)),
 	}
-	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate))
-	defer alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	alloc.logger.V(5).Info("Starting allocation", "numClaims", len(alloc.claimsToAllocate), "numSlices", len(alloc.slices))
+	defer func() {
+		alloc.logger.V(5).Info("Done with allocation", "success", len(finalResult) == len(alloc.claimsToAllocate), "err", finalErr)
+	}()
 
 	// First determine all eligible pools.
 	pools, err := GatherPools(ctx, alloc.slices, node, a.features)
@@ -213,7 +215,7 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		for i, constraint := range claim.Spec.Devices.Constraints {
 			switch {
 			case constraint.MatchAttribute != nil:
-				matchAttribute := draapi.FullyQualifiedName(*constraint.MatchAttribute)
+				matchAttribute := resourceapi.FullyQualifiedName(*constraint.MatchAttribute)
 				logger := alloc.logger
 				if loggerV := alloc.logger.V(6); loggerV.Enabled() {
 					logger = klog.LoggerWithName(logger, "matchAttributeConstraint")
@@ -267,6 +269,17 @@ func (a *Allocator) Allocate(ctx context.Context, node *v1.Node, claims []*resou
 		return nil, err
 	}
 	if !done {
+		// If no devices could be allocated, but we found one or more
+		// invalid pools, return an error here. We didn't do it during
+		// allocation since there might be valid pools from which the
+		// claims could be satisfied.
+		for _, pool := range pools {
+			if pool.IsInvalid {
+				// Not a fatal error, allocation on other nodes may proceed.
+				// The error is only surfaced if allocation fails on all nodes.
+				return nil, fmt.Errorf("invalid resource pools were encountered%w", internal.ErrFailedAllocationOnNode)
+			}
+		}
 		return nil, nil
 	}
 
@@ -491,7 +504,7 @@ type allocator struct {
 
 // counterSets is a map with the name of counter sets to the counters in
 // the set.
-type counterSets map[draapi.UniqueString]map[string]draapi.Counter
+type counterSets map[draapi.UniqueString]map[string]resourceapi.Counter
 
 // matchKey identifies a device/request pair.
 type matchKey struct {
@@ -590,9 +603,9 @@ type constraint interface {
 type matchAttributeConstraint struct {
 	logger        klog.Logger // Includes name and attribute name, so no need to repeat in log messages.
 	requestNames  sets.Set[string]
-	attributeName draapi.FullyQualifiedName
+	attributeName resourceapi.FullyQualifiedName
 
-	attribute  *draapi.DeviceAttribute
+	attribute  *resourceapi.DeviceAttribute
 	numDevices int
 }
 
@@ -672,9 +685,9 @@ func (m *matchAttributeConstraint) matches(requestName, subRequestName string) b
 	}
 }
 
-func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName draapi.FullyQualifiedName) *draapi.DeviceAttribute {
+func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName resourceapi.FullyQualifiedName) *resourceapi.DeviceAttribute {
 	// Fully-qualified match?
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName)]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName)]; ok {
 		return &attr
 	}
 	index := strings.Index(string(attributeName), "/")
@@ -690,7 +703,7 @@ func lookupAttribute(device *draapi.Device, deviceID DeviceID, attributeName dra
 	}
 
 	// Domain matches the driver, so let's check just the ID.
-	if attr, ok := device.Attributes[draapi.QualifiedName(attributeName[index+1:])]; ok {
+	if attr, ok := device.Attributes[resourceapi.QualifiedName(attributeName[index+1:])]; ok {
 		return &attr
 	}
 
@@ -816,11 +829,11 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 
 	// We need to find suitable devices.
 	for _, pool := range alloc.pools {
-		// If the pool is not valid, then fail now. It's okay when pools of one driver
-		// are invalid if we allocate from some other pool, but it's not safe to
-		// allocated from an invalid pool.
-		if pool.IsInvalid {
-			return false, fmt.Errorf("pool %s is invalid: %s", pool.Pool, pool.InvalidReason)
+		// We don't allocate devices from invalid or incomplete pools, but
+		// don't error out here since there might be available devices in other
+		// pools.
+		if pool.IsIncomplete || pool.IsInvalid {
+			continue
 		}
 		for _, slice := range pool.Slices {
 			for deviceIndex := range slice.Spec.Devices {
@@ -891,7 +904,7 @@ func (alloc *allocator) allocateOne(r deviceIndices, allocateSubRequest bool) (b
 // isSelectable checks whether a device satisfies the request and class selectors.
 func (alloc *allocator) isSelectable(r requestIndices, requestData requestData, slice *draapi.ResourceSlice, deviceIndex int) (bool, error) {
 	device := &slice.Spec.Devices[deviceIndex]
-	if (!alloc.features.DeviceBinding || !alloc.features.DeviceStatus) &&
+	if !alloc.features.DeviceBindingAndStatus &&
 		len(device.BindingConditions) > 0 {
 		// Devices with binding conditions are not supported, feature is off.
 		return false, nil
@@ -926,7 +939,7 @@ func (alloc *allocator) isSelectable(r requestIndices, requestData requestData,
 	}
 
 	if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
-		matches, err := nodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+		matches, err := NodeMatches(alloc.node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 		if err != nil {
 			return false, err
 		}
@@ -1138,7 +1151,7 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	if !found {
 		availableCountersForSlice = make(counterSets, len(slice.Spec.SharedCounters))
 		for _, counterSet := range slice.Spec.SharedCounters {
-			availableCountersForCounterSet := make(map[string]draapi.Counter, len(counterSet.Counters))
+			availableCountersForCounterSet := make(map[string]resourceapi.Counter, len(counterSet.Counters))
 			for name, c := range counterSet.Counters {
 				availableCountersForCounterSet[name] = c
 			}
@@ -1197,7 +1210,7 @@ func (alloc *allocator) checkAvailableCounters(device deviceWithID) (bool, error
 	for _, deviceCounterConsumption := range device.ConsumesCounters {
 		consumedCountersForCounterSet, found := consumedCountersForSlice[deviceCounterConsumption.CounterSet]
 		if !found {
-			consumedCountersForCounterSet = make(map[string]draapi.Counter)
+			consumedCountersForCounterSet = make(map[string]resourceapi.Counter)
 			consumedCountersForSlice[deviceCounterConsumption.CounterSet] = consumedCountersForCounterSet
 		}
 		for name, c := range deviceCounterConsumption.Counters {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/pools_stable.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/pools_stable.go
index 57dbf31260e66..951c72342193e 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/pools_stable.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/stable/pools_stable.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-func nodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
+func NodeMatches(node *v1.Node, nodeNameToMatch string, allNodesMatch bool, nodeSelector *v1.NodeSelector) (bool, error) {
 	switch {
 	case nodeNameToMatch != "":
 		return node != nil && node.Name == nodeNameToMatch, nil
@@ -60,7 +60,7 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 		}
 
 		if nodeName, allNodes := ptr.Deref(slice.Spec.NodeName, ""), ptr.Deref(slice.Spec.AllNodes, false); nodeName != "" || allNodes || slice.Spec.NodeSelector != nil {
-			match, err := nodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
+			match, err := NodeMatches(node, nodeName, allNodes, slice.Spec.NodeSelector)
 			if err != nil {
 				return nil, fmt.Errorf("failed to perform node selection for slice %s: %w", slice.Name, err)
 			}
@@ -71,7 +71,7 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 			}
 		} else if ptr.Deref(slice.Spec.PerDeviceNodeSelection, false) {
 			for _, device := range slice.Spec.Devices {
-				match, err := nodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
+				match, err := NodeMatches(node, ptr.Deref(device.NodeName, ""), ptr.Deref(device.AllNodes, false), device.NodeSelector)
 				if err != nil {
 					return nil, fmt.Errorf("failed to perform node selection for device %s in slice %s: %w",
 						device.String(), slice.Name, err)
@@ -97,9 +97,37 @@ func GatherPools(ctx context.Context, slices []*resourceapi.ResourceSlice, node
 	}
 
 	// Find incomplete pools and flatten into a single slice.
+	//
+	// When we get here, we only have slices relevant for the node.
+	// There is at least one.
+	// We may have skipped slices with a higher generation
+	// if they are not relevant for the node, so we have to be
+	// careful with the "is incomplete" check.
 	result := make([]*Pool, 0, len(pools))
-	for _, pool := range pools {
-		pool.IsIncomplete = int64(len(pool.Slices)) != pool.Slices[0].Spec.Pool.ResourceSliceCount
+	for poolID, pool := range pools {
+		// If we have all slices, we are done. If not, then we need to start looking for slices
+		// which were filtered out above because their node selection made them look irrelevant
+		// for the current node. This is necessary for "allocate all" mode (it rejects incomplete
+		// pools).
+		isComplete := int64(len(pool.Slices)) == pool.Slices[0].Spec.Pool.ResourceSliceCount
+		if !isComplete {
+			isObsolete, numSlices := checkSlicesInPool(slices, poolID, pool.Slices[0].Spec.Pool.Generation)
+			if isObsolete {
+				// A more thorough check determined that the DRA driver is in the process
+				// of replacing the current generation. The newer one didn't have any slice
+				// which devices for the node, or we would have noticed sooner.
+				//
+				// Let's ignore the old device information by ignoring the pool.
+				continue
+			}
+			// Use the more complete number of slices to check for "incomplete pool".
+			//
+			// The slices that we return to the caller still don't represent the whole
+			// pool, but that's okay: we *want* to limit the result to relevant devices
+			// so the caller doesn't need to check node selectors unnecessarily.
+			isComplete = numSlices == pool.Slices[0].Spec.Pool.ResourceSliceCount
+		}
+		pool.IsIncomplete = !isComplete
 		pool.IsInvalid, pool.InvalidReason = poolIsInvalid(pool)
 		result = append(result, pool)
 	}
@@ -153,6 +181,37 @@ func poolIsInvalid(pool *Pool) (bool, string) {
 	return false, ""
 }
 
+// checkSlicesInPool is an expensive check of all slices in the pool.
+// The generation is what the caller wants to move ahead with.
+//
+// It returns:
+// - current generation is obsolete -> no further checking
+// - total number of slices with the generation
+//
+// Future TODO: detect inconsistent ResourceSliceCount, also in poolIsInvalid.
+func checkSlicesInPool(slices []*resourceapi.ResourceSlice, poolID PoolID, generation int64) (isObsolete bool, numSlices int64) {
+	// A cached index by pool ID would make this more efficient.
+	// It may be needed long-term to support features which always have to consider all slices.
+	for _, slice := range slices {
+		if slice.Spec.Driver != poolID.Driver.String() ||
+			slice.Spec.Pool.Name != poolID.Pool.String() {
+			// Different pool.
+			continue
+		}
+		switch {
+		case slice.Spec.Pool.Generation == generation:
+			numSlices++
+		case slice.Spec.Pool.Generation > generation:
+			// The caller must have missed some other slice in the pool.
+			// Abort!
+			return true, 0
+		default:
+			// Older generation, ignore.
+		}
+	}
+	return false, numSlices
+}
+
 type Pool struct {
 	PoolID
 	IsIncomplete  bool
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/types.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/types.go
index eb8243ce2c1fa..a1f2ad9878d14 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/types.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/internal/types.go
@@ -18,12 +18,17 @@ package internal
 
 import (
 	"context"
+	"errors"
 
 	v1 "k8s.io/api/core/v1"
 	resourceapi "k8s.io/api/resource/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
+// ErrFailedAllocationOnNode is an empty sentinel for errors.Is.
+// See allocator.go for details.
+var ErrFailedAllocationOnNode = errors.New("")
+
 type DeviceClassLister interface {
 	// List returns a list of all DeviceClasses.
 	List() ([]*resourceapi.DeviceClass, error)
@@ -52,17 +57,23 @@ type Stats struct {
 	NumAllocateOneInvocations int64
 }
 
-// Features contains all feature gates that may influence the behavior of ResourceClaim allocation.
+// Features control optional functionality during ResourceClaim allocation.
+// Each entry must correspond to at least one control flow change. Entries can
+// be removed when the control flow change is no longer necessary (= feature is
+// considered stable and always enabled).
+//
+// This often corresponds to feature gates, but not always: if a KEP implementation
+// depends on a set of feature gates, then a single entry here should control whether
+// that implementation is active.
 type Features struct {
 	// Sorted alphabetically. When adding a new entry, also extend Set and FeaturesAll.
 
-	AdminAccess          bool
-	ConsumableCapacity   bool
-	DeviceBinding        bool
-	DeviceStatus         bool
-	DeviceTaints         bool
-	PartitionableDevices bool
-	PrioritizedList      bool
+	AdminAccess            bool
+	ConsumableCapacity     bool
+	DeviceBindingAndStatus bool
+	DeviceTaints           bool
+	PartitionableDevices   bool
+	PrioritizedList        bool
 }
 
 // Set returns all features which are set to true.
@@ -88,21 +99,17 @@ func (f Features) Set() sets.Set[string] {
 	if f.PrioritizedList {
 		enabled.Insert("DRAPrioritizedList")
 	}
-	if f.DeviceBinding {
-		enabled.Insert("DRADeviceBindingConditions")
-	}
-	if f.DeviceStatus {
-		enabled.Insert("DRAResourceClaimDeviceStatus")
+	if f.DeviceBindingAndStatus {
+		enabled.Insert("DRADeviceBindingConditions+DRAResourceClaimDeviceStatus")
 	}
 	return enabled
 }
 
 var FeaturesAll = Features{
-	AdminAccess:          true,
-	ConsumableCapacity:   true,
-	DeviceBinding:        true,
-	DeviceStatus:         true,
-	DeviceTaints:         true,
-	PartitionableDevices: true,
-	PrioritizedList:      true,
+	AdminAccess:            true,
+	ConsumableCapacity:     true,
+	DeviceBindingAndStatus: true,
+	DeviceTaints:           true,
+	PartitionableDevices:   true,
+	PrioritizedList:        true,
 }
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/OWNERS b/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/OWNERS
new file mode 100644
index 0000000000000..274ff4a4e66e7
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS file documentation: https://git.k8s.io/community/contributors/guide/owners.md
+# Disable inheritance as code changes under this package should be known to sig-autoscaling team.
+options:
+  no_parent_owners: true
+approvers:
+  - sig-autoscaling-maintainers
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/types.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/types.go
new file mode 100644
index 0000000000000..a401a8e1aa830
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/schedulerapi/types.go
@@ -0,0 +1,216 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package schedulerapi
+
+import (
+	resourceapi "k8s.io/api/resource/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	draapi "k8s.io/dynamic-resource-allocation/api"
+)
+
+// DeviceID represents a unique identifier for a device in the DRA system.
+// This type is used in the scheduler and autoscaler contract.
+type DeviceID struct {
+	Driver, Pool, Device draapi.UniqueString
+}
+
+func (d DeviceID) String() string {
+	return d.Driver.String() + "/" + d.Pool.String() + "/" + d.Device.String()
+}
+
+// MakeDeviceID creates a new DeviceID from driver, pool, and device names.
+// This function is used in the scheduler and autoscaler contract.
+func MakeDeviceID(driver, pool, device string) DeviceID {
+	return DeviceID{
+		Driver: draapi.MakeUniqueString(driver),
+		Pool:   draapi.MakeUniqueString(pool),
+		Device: draapi.MakeUniqueString(device),
+	}
+}
+
+// SharedDeviceID represents a shared device allocation.
+// This type is used in consumable capacity features and the scheduler.
+type SharedDeviceID struct {
+	Driver, Pool, Device, ShareID draapi.UniqueString
+}
+
+func (d SharedDeviceID) String() string {
+	deviceIDStr := d.Driver.String() + "/" + d.Pool.String() + "/" + d.Device.String()
+	if d.ShareID.String() != "" {
+		deviceIDStr += "/" + d.ShareID.String()
+	}
+	return deviceIDStr
+}
+
+// MakeSharedDeviceID creates a new SharedDeviceID from a DeviceID and share ID.
+// This function is used in consumable capacity features and the scheduler.
+func MakeSharedDeviceID(deviceID DeviceID, shareID *types.UID) SharedDeviceID {
+	// This function avoids disruptive changes to MakeDeviceID
+	// while enabling ShareID as part of the device key.
+	var shareIDStr string
+	if shareID != nil {
+		shareIDStr = string(*shareID)
+	}
+	return SharedDeviceID{
+		Driver:  deviceID.Driver,
+		Pool:    deviceID.Pool,
+		Device:  deviceID.Device,
+		ShareID: draapi.MakeUniqueString(shareIDStr),
+	}
+}
+
+// AllocatedState represents the current state of allocated resources.
+// This type is used in the scheduler and autoscaler contract.
+// AllocatedState packs information of allocated devices which is gathered from allocated resource claims.
+type AllocatedState struct {
+	AllocatedDevices         sets.Set[DeviceID]
+	AllocatedSharedDeviceIDs sets.Set[SharedDeviceID]
+	AggregatedCapacity       ConsumedCapacityCollection
+}
+
+// ConsumedCapacity represents the consumed capacity of a specific resource.
+// This type is used in consumable capacity features and the scheduler.
+// ConsumedCapacity defines consumable capacity values
+type ConsumedCapacity map[resourceapi.QualifiedName]*resource.Quantity
+
+// NewConsumedCapacity creates a new ConsumedCapacity.
+// This function is used in consumable capacity features and the scheduler.
+// NewConsumedCapacity initiates a new map of consumable capacity values
+func NewConsumedCapacity() ConsumedCapacity {
+	return make(ConsumedCapacity)
+}
+
+// Clone makes a copy of consumed capacity values
+func (s ConsumedCapacity) Clone() ConsumedCapacity {
+	clone := make(ConsumedCapacity)
+	for name, quantity := range s {
+		q := quantity.DeepCopy()
+		clone[name] = &q
+	}
+	return clone
+}
+
+// Add adds quantity to corresponding consumable capacity,
+// and creates a new entry if no capacity created yet.
+func (s ConsumedCapacity) Add(addedCapacity ConsumedCapacity) {
+	for name, quantity := range addedCapacity {
+		val := quantity.DeepCopy()
+		if _, found := s[name]; found {
+			s[name].Add(val)
+		} else {
+			s[name] = &val
+		}
+	}
+}
+
+// Sub subtracts quantity,
+// and ignore if no capacity entry found.
+func (s ConsumedCapacity) Sub(subtractedCapacity ConsumedCapacity) {
+	for name, quantity := range subtractedCapacity {
+		if _, found := s[name]; found {
+			s[name].Sub(*quantity)
+		}
+	}
+}
+
+// Empty return true if all quantity is zero.
+func (s ConsumedCapacity) Empty() bool {
+	for _, quantity := range s {
+		if !quantity.IsZero() {
+			return false
+		}
+	}
+	return true
+}
+
+// ConsumedCapacityCollection represents a collection of consumed capacities.
+// This type is used in consumable capacity features and the scheduler.
+// ConsumedCapacityCollection collects consumable capacity values of each device
+type ConsumedCapacityCollection map[DeviceID]ConsumedCapacity
+
+// NewConsumedCapacityCollection creates a new ConsumedCapacityCollection.
+// This function is used in consumable capacity features and the scheduler.
+// NewConsumedCapacityCollection initiates a new map of device's consumable capacity values
+func NewConsumedCapacityCollection() ConsumedCapacityCollection {
+	return make(ConsumedCapacityCollection)
+}
+
+// Clone makes a copy of ConsumedCapacity of each capacity.
+func (c ConsumedCapacityCollection) Clone() ConsumedCapacityCollection {
+	clone := NewConsumedCapacityCollection()
+	for deviceID, share := range c {
+		clone[deviceID] = share.Clone()
+	}
+	return clone
+}
+
+// Insert adds a new allocated capacity to the collection.
+func (c ConsumedCapacityCollection) Insert(cap DeviceConsumedCapacity) {
+	consumedCapacity := cap.ConsumedCapacity
+	if _, found := c[cap.DeviceID]; found {
+		c[cap.DeviceID].Add(consumedCapacity)
+	} else {
+		c[cap.DeviceID] = consumedCapacity.Clone()
+	}
+}
+
+// Remove removes an allocated capacity from the collection.
+func (c ConsumedCapacityCollection) Remove(cap DeviceConsumedCapacity) {
+	if _, found := c[cap.DeviceID]; found {
+		c[cap.DeviceID].Sub(cap.ConsumedCapacity)
+		if c[cap.DeviceID].Empty() {
+			delete(c, cap.DeviceID)
+		}
+	}
+}
+
+// DeviceConsumedCapacity represents the consumed capacity of a device.
+// This type is used in consumable capacity features and the scheduler.
+// DeviceConsumedCapacity contains consumed capacity result within device allocation.
+type DeviceConsumedCapacity struct {
+	DeviceID
+	ConsumedCapacity
+}
+
+// NewDeviceConsumedCapacity creates a new DeviceConsumedCapacity.
+// This function is used in consumable capacity features and the scheduler.
+// NewDeviceConsumedCapacity creates DeviceConsumedCapacity instance from device ID and its consumed capacity.
+func NewDeviceConsumedCapacity(deviceID DeviceID, consumedCapacity map[resourceapi.QualifiedName]resource.Quantity) DeviceConsumedCapacity {
+	allocatedCapacity := NewConsumedCapacity()
+	for name, quantity := range consumedCapacity {
+		allocatedCapacity[name] = &quantity
+	}
+	return DeviceConsumedCapacity{
+		DeviceID:         deviceID,
+		ConsumedCapacity: allocatedCapacity,
+	}
+}
+
+// Clone makes a copy of DeviceConsumedCapacity.
+func (a DeviceConsumedCapacity) Clone() DeviceConsumedCapacity {
+	return DeviceConsumedCapacity{
+		DeviceID:         a.DeviceID,
+		ConsumedCapacity: a.ConsumedCapacity.Clone(),
+	}
+}
+
+// String returns formatted device ID.
+func (a DeviceConsumedCapacity) String() string {
+	return a.DeviceID.String()
+}
diff --git a/staging/src/k8s.io/endpointslice/go.mod b/staging/src/k8s.io/endpointslice/go.mod
index d860b62bb4465..210400ac0824b 100644
--- a/staging/src/k8s.io/endpointslice/go.mod
+++ b/staging/src/k8s.io/endpointslice/go.mod
@@ -2,19 +2,19 @@
 
 module k8s.io/endpointslice
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/google/go-cmp v0.7.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
 	k8s.io/component-base v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -24,11 +24,10 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -38,37 +37,36 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/endpointslice/go.sum b/staging/src/k8s.io/endpointslice/go.sum
index eb0fc666fc231..e7ec67d4e8152 100644
--- a/staging/src/k8s.io/endpointslice/go.sum
+++ b/staging/src/k8s.io/endpointslice/go.sum
@@ -1,5 +1,7 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
@@ -21,8 +23,8 @@ github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -35,8 +37,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
@@ -44,8 +44,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -58,8 +58,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@@ -85,29 +83,27 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -117,99 +113,76 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/endpointslice/reconciler_test.go b/staging/src/k8s.io/endpointslice/reconciler_test.go
index d050f0c0712d9..d22754ac9d83d 100644
--- a/staging/src/k8s.io/endpointslice/reconciler_test.go
+++ b/staging/src/k8s.io/endpointslice/reconciler_test.go
@@ -700,7 +700,7 @@ func TestReconcile1EndpointSlicePublishNotReadyAddresses(t *testing.T) {
 	// start with 50 pods, 1/3 not ready
 	pods := []*corev1.Pod{}
 	for i := 0; i < 50; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -734,7 +734,7 @@ func TestReconcileManyPods(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -767,7 +767,7 @@ func TestReconcileEndpointSlicesSomePreexisting(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -823,7 +823,7 @@ func TestReconcileEndpointSlicesSomePreexistingWorseAllocation(t *testing.T) {
 	// start with 300 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 300; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -869,7 +869,7 @@ func TestReconcileEndpointSlicesUpdating(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -902,7 +902,7 @@ func TestReconcileEndpointSlicesServicesLabelsUpdating(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -946,7 +946,7 @@ func TestReconcileEndpointSlicesServicesReservedLabels(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -980,7 +980,7 @@ func TestReconcileEndpointSlicesRecycling(t *testing.T) {
 	// start with 300 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 300; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
@@ -1227,7 +1227,7 @@ func TestReconcileEndpointSlicesNamedPorts(t *testing.T) {
 	// start with 300 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 300; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		portOffset := i % 5
 		pod := newPod(i, namespace, ready, 1, false)
 		pod.Spec.Containers[0].Ports = []corev1.ContainerPort{{
@@ -1277,7 +1277,7 @@ func TestReconcileMaxEndpointsPerSlice(t *testing.T) {
 	// start with 250 pods
 	pods := []*corev1.Pod{}
 	for i := 0; i < 250; i++ {
-		ready := !(i%3 == 0)
+		ready := i%3 != 0
 		pods = append(pods, newPod(i, namespace, ready, 1, false))
 	}
 
diff --git a/staging/src/k8s.io/endpointslice/util/controller_utils.go b/staging/src/k8s.io/endpointslice/util/controller_utils.go
index 2a1f1cc144aa3..2d9a8746a19f3 100644
--- a/staging/src/k8s.io/endpointslice/util/controller_utils.go
+++ b/staging/src/k8s.io/endpointslice/util/controller_utils.go
@@ -17,10 +17,10 @@ limitations under the License.
 package util
 
 import (
-	"crypto/md5"
 	"encoding/hex"
 	"fmt"
 	"hash"
+	"hash/fnv"
 	"reflect"
 	"sort"
 
@@ -47,22 +47,103 @@ var semanticIgnoreResourceVersion = conversion.EqualitiesOrDie(
 	},
 )
 
-// GetPodServiceMemberships returns a set of Service keys for Services that have
-// a selector matching the given pod.
-func GetPodServiceMemberships(serviceLister v1listers.ServiceLister, pod *v1.Pod) (sets.String, error) {
-	set := sets.String{}
-	services, err := serviceLister.Services(pod.Namespace).List(labels.Everything())
+// PodProjectionKey encapsulates all pod information required to find services that may need their endpoints to be updated.
+type PodProjectionKey struct {
+	Namespace  string
+	Labels     labels.Set // this is set to the pod's current labels
+	OldLabels  labels.Set // this is set if the pod's labels changed (in an Update event)
+	PodChanged bool       // set to true if the pod's fields changed in a way that may affect its endpoints membership
+}
+
+func GetPodUpdateProjectionKey(oldObj, newObj interface{}) *PodProjectionKey {
+	newPod := getPodFromObject(newObj)
+	oldPod := getPodFromObject(oldObj)
+	if newPod == nil && oldPod == nil {
+		utilruntime.HandleError(fmt.Errorf("unexpected pod event with both old/new values as nil, ignoring"))
+		return nil
+	}
+	if oldPod == nil {
+		return &PodProjectionKey{
+			Namespace: newPod.Namespace,
+			Labels:    labels.Set(newPod.Labels),
+		}
+	}
+	if newPod == nil {
+		return &PodProjectionKey{
+			Namespace: oldPod.Namespace,
+			Labels:    labels.Set(oldPod.Labels),
+		}
+	}
+
+	// If we reached here, both old/new pod objects are non-nil, so it's an update event.
+	// Safe to ignore pod informer resync events as service informer already handles resync for all services.
+	if newPod.ResourceVersion == oldPod.ResourceVersion {
+		return nil
+	}
+
+	podChanged, labelsChanged := podEndpointsChanged(oldPod, newPod)
+
+	// If both the pod and labels are unchanged, no update is needed.
+	if !podChanged && !labelsChanged {
+		return nil
+	}
+
+	// If only the pod has changed, projection key can be created with just the new pod.
+	if !labelsChanged {
+		return &PodProjectionKey{
+			Namespace: newPod.Namespace,
+			Labels:    labels.Set(newPod.Labels),
+		}
+	}
+
+	// The pod labels have changed, so the projection key needs to include both its old/new labels.
+	// Additionally, PodChanged field indicates if union/diff of matching services should be reconciled.
+	return &PodProjectionKey{
+		Namespace:  newPod.Namespace,
+		Labels:     labels.Set(newPod.Labels),
+		OldLabels:  labels.Set(oldPod.Labels),
+		PodChanged: podChanged,
+	}
+}
+
+func GetServicesToUpdate(serviceLister v1listers.ServiceLister, key *PodProjectionKey) (sets.String, error) {
+	if key == nil {
+		return nil, nil
+	}
+
+	services, err := getServicesForPod(serviceLister, key.Namespace, key.Labels)
 	if err != nil {
-		return set, err
+		return nil, err
 	}
 
+	// If the pod's labels changed in an update event, we'll need to consider all the affected services.
+	if key.OldLabels != nil {
+		oldServices, err := getServicesForPod(serviceLister, key.Namespace, key.OldLabels)
+		if err != nil {
+			return nil, err
+		}
+
+		services = determineNeededServiceUpdates(oldServices, services, key.PodChanged)
+	}
+
+	return services, nil
+}
+
+// getServicesForPod returns a set of services matching the given pod's namespace and labels (via service selector).
+func getServicesForPod(serviceLister v1listers.ServiceLister, namespace string, podLabels labels.Set) (sets.String, error) {
+	services, err := serviceLister.Services(namespace).List(labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+
+	set := sets.String{}
 	for _, service := range services {
 		if service.Spec.Selector == nil {
-			// if the service has a nil selector this means selectors match nothing, not everything.
+			// If the service has a nil selector this means selectors match nothing, not everything.
 			continue
 		}
 
-		if labels.ValidatedSetSelector(service.Spec.Selector).Matches(labels.Set(pod.Labels)) {
+		if labels.ValidatedSetSelector(service.Spec.Selector).Matches(podLabels) {
 			key, err := cache.DeletionHandlingMetaNamespaceKeyFunc(service)
 			if err != nil {
 				return nil, err
@@ -84,7 +165,7 @@ func NewPortMapKey(endpointPorts []discovery.EndpointPort) PortMapKey {
 
 // deepHashObjectToString creates a unique hash string from a go object.
 func deepHashObjectToString(objectToWrite interface{}) string {
-	hasher := md5.New()
+	hasher := fnv.New128a()
 	deepHashObject(hasher, objectToWrite)
 	return hex.EncodeToString(hasher.Sum(nil)[0:])
 }
@@ -158,47 +239,11 @@ func podEndpointsChanged(oldPod, newPod *v1.Pod) (bool, bool) {
 	return false, labelsChanged
 }
 
-// GetServicesToUpdateOnPodChange returns a set of Service keys for Services
-// that have potentially been affected by a change to this pod.
-func GetServicesToUpdateOnPodChange(serviceLister v1listers.ServiceLister, old, cur interface{}) sets.String {
-	newPod := cur.(*v1.Pod)
-	oldPod := old.(*v1.Pod)
-	if newPod.ResourceVersion == oldPod.ResourceVersion {
-		// Periodic resync will send update events for all known pods.
-		// Two different versions of the same pod will always have different RVs
-		return sets.String{}
-	}
-
-	podChanged, labelsChanged := podEndpointsChanged(oldPod, newPod)
-
-	// If both the pod and labels are unchanged, no update is needed
-	if !podChanged && !labelsChanged {
-		return sets.String{}
-	}
-
-	services, err := GetPodServiceMemberships(serviceLister, newPod)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("unable to get pod %s/%s's service memberships: %v", newPod.Namespace, newPod.Name, err))
-		return sets.String{}
-	}
-
-	if labelsChanged {
-		oldServices, err := GetPodServiceMemberships(serviceLister, oldPod)
-		if err != nil {
-			utilruntime.HandleError(fmt.Errorf("unable to get pod %s/%s's service memberships: %v", oldPod.Namespace, oldPod.Name, err))
-		}
-		services = determineNeededServiceUpdates(oldServices, services, podChanged)
+func getPodFromObject(obj interface{}) *v1.Pod {
+	if obj == nil {
+		return nil
 	}
-
-	return services
-}
-
-// GetPodFromDeleteAction returns a pointer to a pod if one can be derived from
-// obj (could be a *v1.Pod, or a DeletionFinalStateUnknown marker item).
-func GetPodFromDeleteAction(obj interface{}) *v1.Pod {
 	if pod, ok := obj.(*v1.Pod); ok {
-		// Enqueue all the services that the pod used to be a member of.
-		// This is the same thing we do when we add a pod.
 		return pod
 	}
 	// If we reached here it means the pod was deleted but its final state is unrecorded.
diff --git a/staging/src/k8s.io/endpointslice/util/controller_utils_test.go b/staging/src/k8s.io/endpointslice/util/controller_utils_test.go
index 7fa8fe1e8877f..c7705b66b618a 100644
--- a/staging/src/k8s.io/endpointslice/util/controller_utils_test.go
+++ b/staging/src/k8s.io/endpointslice/util/controller_utils_test.go
@@ -330,7 +330,7 @@ func genSimpleSvc(namespace, name string) *v1.Service {
 	}
 }
 
-func TestGetPodServiceMemberships(t *testing.T) {
+func TestGetPodServicesToUpdate(t *testing.T) {
 	fakeInformerFactory := informers.NewSharedInformerFactory(&fake.Clientset{}, 0*time.Second)
 	for i := 0; i < 3; i++ {
 		service := &v1.Service{
@@ -394,9 +394,9 @@ func TestGetPodServiceMemberships(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			services, err := GetPodServiceMemberships(fakeInformerFactory.Core().V1().Services().Lister(), test.pod)
+			services, err := GetServicesToUpdate(fakeInformerFactory.Core().V1().Services().Lister(), GetPodUpdateProjectionKey(test.pod, nil))
 			if err != nil {
-				t.Errorf("Error from cache.GetPodServiceMemberships: %v", err)
+				t.Errorf("Error from cache.GetServicesToUpdate: %v", err)
 			} else if !services.Equal(test.expect) {
 				t.Errorf("Expect service %v, but got %v", test.expect, services)
 			}
@@ -404,7 +404,7 @@ func TestGetPodServiceMemberships(t *testing.T) {
 	}
 }
 
-func BenchmarkGetPodServiceMemberships(b *testing.B) {
+func BenchmarkGetPodServicesToUpdate(b *testing.B) {
 	// init fake service informer.
 	fakeInformerFactory := informers.NewSharedInformerFactory(&fake.Clientset{}, 0*time.Second)
 	for i := 0; i < 1000; i++ {
@@ -435,9 +435,9 @@ func BenchmarkGetPodServiceMemberships(b *testing.B) {
 	expect := sets.NewString("test/service-0")
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		services, err := GetPodServiceMemberships(fakeInformerFactory.Core().V1().Services().Lister(), pod)
+		services, err := GetServicesToUpdate(fakeInformerFactory.Core().V1().Services().Lister(), GetPodUpdateProjectionKey(pod, nil))
 		if err != nil {
-			b.Fatalf("Error from GetPodServiceMemberships(): %v", err)
+			b.Fatalf("Error from GetServicesToUpdate(): %v", err)
 		}
 		if len(services) != len(expect) {
 			b.Errorf("Expect services size %d, but got: %v", len(expect), len(services))
diff --git a/staging/src/k8s.io/externaljwt/go.mod b/staging/src/k8s.io/externaljwt/go.mod
index 9cd613e103c18..fde34b0ba8959 100644
--- a/staging/src/k8s.io/externaljwt/go.mod
+++ b/staging/src/k8s.io/externaljwt/go.mod
@@ -2,20 +2,22 @@
 
 module k8s.io/externaljwt
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
 )
 
 require (
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 )
diff --git a/staging/src/k8s.io/externaljwt/go.sum b/staging/src/k8s.io/externaljwt/go.sum
index 61c9e6f4bc54f..4bf22c401ed67 100644
--- a/staging/src/k8s.io/externaljwt/go.sum
+++ b/staging/src/k8s.io/externaljwt/go.sum
@@ -9,8 +9,8 @@ github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -29,34 +29,34 @@ github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtC
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/staging/src/k8s.io/kms/go.mod b/staging/src/k8s.io/kms/go.mod
index 6e68a694e2d4f..1137ae3a11de8 100644
--- a/staging/src/k8s.io/kms/go.mod
+++ b/staging/src/k8s.io/kms/go.mod
@@ -2,20 +2,22 @@
 
 module k8s.io/kms
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
 )
 
 require (
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 )
diff --git a/staging/src/k8s.io/kms/go.sum b/staging/src/k8s.io/kms/go.sum
index 61c9e6f4bc54f..4bf22c401ed67 100644
--- a/staging/src/k8s.io/kms/go.sum
+++ b/staging/src/k8s.io/kms/go.sum
@@ -9,8 +9,8 @@ github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -29,34 +29,34 @@ github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtC
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/staging/src/k8s.io/kms/internal/plugins/_mock/go.mod b/staging/src/k8s.io/kms/internal/plugins/_mock/go.mod
index 1658e998c9190..9f40e7ef3d11f 100644
--- a/staging/src/k8s.io/kms/internal/plugins/_mock/go.mod
+++ b/staging/src/k8s.io/kms/internal/plugins/_mock/go.mod
@@ -1,8 +1,8 @@
 module k8s.io/kms/plugins/mock
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/ThalesIgnite/crypto11 v1.2.5
@@ -13,14 +13,22 @@ require (
 	github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 )
 
 replace k8s.io/kms => ../../../../kms
 
-replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+
+replace github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+
+replace github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+
+replace github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
+
+replace github.com/openshift/apiserver-library-go => github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
diff --git a/staging/src/k8s.io/kms/internal/plugins/_mock/go.sum b/staging/src/k8s.io/kms/internal/plugins/_mock/go.sum
index 17a198354eb87..acf9ae1d6dc2c 100644
--- a/staging/src/k8s.io/kms/internal/plugins/_mock/go.sum
+++ b/staging/src/k8s.io/kms/internal/plugins/_mock/go.sum
@@ -2,8 +2,8 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -26,25 +26,25 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
 go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
 go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
 go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
 go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
 go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
diff --git a/staging/src/k8s.io/kms/internal/plugins/_mock/go.work b/staging/src/k8s.io/kms/internal/plugins/_mock/go.work
index bc4290def2c27..ebdf3df29addb 100644
--- a/staging/src/k8s.io/kms/internal/plugins/_mock/go.work
+++ b/staging/src/k8s.io/kms/internal/plugins/_mock/go.work
@@ -1,8 +1,8 @@
 // This is a hack, but it prevents go from climbing further and trying to
 // reconcile the various deps across the "real" modules and this one.
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 use .
diff --git a/staging/src/k8s.io/kube-aggregator/go.mod b/staging/src/k8s.io/kube-aggregator/go.mod
index c790a06c57b08..1a1eff6ef6003 100644
--- a/staging/src/k8s.io/kube-aggregator/go.mod
+++ b/staging/src/k8s.io/kube-aggregator/go.mod
@@ -2,31 +2,30 @@
 
 module k8s.io/kube-aggregator
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/emicklei/go-restful/v3 v3.12.2
-	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-cmp v0.7.0
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.opentelemetry.io/otel v1.35.0
-	go.opentelemetry.io/otel/sdk v1.34.0
-	go.opentelemetry.io/otel/trace v1.35.0
-	golang.org/x/net v0.43.0
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
-	k8s.io/client-go v0.34.1
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/otel v1.36.0
+	go.opentelemetry.io/otel/sdk v1.36.0
+	go.opentelemetry.io/otel/trace v1.36.0
+	golang.org/x/net v0.47.0
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
+	k8s.io/client-go v0.35.1
 	k8s.io/code-generator v0.0.0
-	k8s.io/component-base v0.34.1
+	k8s.io/component-base v0.35.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 )
@@ -45,11 +44,12 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.26.0 // indirect
@@ -67,58 +67,59 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/expect v0.1.0-deprecated // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
-	k8s.io/kms v0.34.1 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
+	k8s.io/kms v0.35.1 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apiextensions-apiserver => ../apiextensions-apiserver
 	k8s.io/apimachinery => ../apimachinery
diff --git a/staging/src/k8s.io/kube-aggregator/go.sum b/staging/src/k8s.io/kube-aggregator/go.sum
index 3e47fe92c9d6c..58b6d6887eec4 100644
--- a/staging/src/k8s.io/kube-aggregator/go.sum
+++ b/staging/src/k8s.io/kube-aggregator/go.sum
@@ -1,9 +1,12 @@
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -30,6 +33,7 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -57,8 +61,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -96,8 +100,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -116,6 +120,10 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -155,20 +163,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -177,27 +180,28 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -210,8 +214,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -223,18 +227,18 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -242,22 +246,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -268,56 +272,56 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -326,38 +330,37 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/kube-aggregator/hack/update-codegen.sh b/staging/src/k8s.io/kube-aggregator/hack/update-codegen.sh
index a58ff7ffad362..ff703db8c9cdb 100755
--- a/staging/src/k8s.io/kube-aggregator/hack/update-codegen.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/update-codegen.sh
@@ -40,6 +40,7 @@ kube::codegen::gen_openapi \
     --output-dir "${SCRIPT_ROOT}/pkg/generated/openapi" \
     --output-pkg "${THIS_PKG}/pkg/generated/openapi" \
     --report-filename "${report_filename:-"/dev/null"}" \
+    --output-model-name-file "zz_generated.model_name.go" \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg/apis"
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
index d3dfe0689e0a4..95e92cb8df05c 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/doc.go
@@ -18,9 +18,11 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/kube-aggregator/pkg/apis/apiregistration
 // +k8s:openapi-gen=true
-// +groupName=apiregistration.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1
+
+// +groupName=apiregistration.k8s.io
 
 // Package v1 contains the API Registration API, which is responsible for
 // registering an API `Group`/`Version` with another kubernetes like API server.
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
index 690810e8bb6de..2fe94e4095f13 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.pb.go
@@ -24,261 +24,22 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *APIService) Reset() { *m = APIService{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *APIServiceCondition) Reset() { *m = APIServiceCondition{} }
 
-func (m *APIService) Reset()      { *m = APIService{} }
-func (*APIService) ProtoMessage() {}
-func (*APIService) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{0}
-}
-func (m *APIService) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIService) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIService.Merge(m, src)
-}
-func (m *APIService) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIService) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIService.DiscardUnknown(m)
-}
+func (m *APIServiceList) Reset() { *m = APIServiceList{} }
 
-var xxx_messageInfo_APIService proto.InternalMessageInfo
+func (m *APIServiceSpec) Reset() { *m = APIServiceSpec{} }
 
-func (m *APIServiceCondition) Reset()      { *m = APIServiceCondition{} }
-func (*APIServiceCondition) ProtoMessage() {}
-func (*APIServiceCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{1}
-}
-func (m *APIServiceCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceCondition.Merge(m, src)
-}
-func (m *APIServiceCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceCondition proto.InternalMessageInfo
+func (m *APIServiceStatus) Reset() { *m = APIServiceStatus{} }
 
-func (m *APIServiceList) Reset()      { *m = APIServiceList{} }
-func (*APIServiceList) ProtoMessage() {}
-func (*APIServiceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{2}
-}
-func (m *APIServiceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceList.Merge(m, src)
-}
-func (m *APIServiceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceList proto.InternalMessageInfo
-
-func (m *APIServiceSpec) Reset()      { *m = APIServiceSpec{} }
-func (*APIServiceSpec) ProtoMessage() {}
-func (*APIServiceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{3}
-}
-func (m *APIServiceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceSpec.Merge(m, src)
-}
-func (m *APIServiceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceSpec proto.InternalMessageInfo
-
-func (m *APIServiceStatus) Reset()      { *m = APIServiceStatus{} }
-func (*APIServiceStatus) ProtoMessage() {}
-func (*APIServiceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{4}
-}
-func (m *APIServiceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceStatus.Merge(m, src)
-}
-func (m *APIServiceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceStatus proto.InternalMessageInfo
-
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_93cf925561aed99f, []int{5}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*APIService)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIService")
-	proto.RegisterType((*APIServiceCondition)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceCondition")
-	proto.RegisterType((*APIServiceList)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceList")
-	proto.RegisterType((*APIServiceSpec)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceSpec")
-	proto.RegisterType((*APIServiceStatus)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.APIServiceStatus")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1.ServiceReference")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.proto", fileDescriptor_93cf925561aed99f)
-}
-
-var fileDescriptor_93cf925561aed99f = []byte{
-	// 826 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x6b, 0x2b, 0x45,
-	0x18, 0xce, 0xb6, 0x49, 0x9b, 0x4e, 0xeb, 0x69, 0x1d, 0xcf, 0xe1, 0x2c, 0xe5, 0xb8, 0xad, 0x11,
-	0x34, 0x0a, 0x67, 0xd7, 0x06, 0x11, 0x45, 0x10, 0xba, 0x47, 0x28, 0x85, 0x56, 0xc3, 0xa4, 0x14,
-	0x11, 0x41, 0x27, 0x9b, 0xb7, 0xdb, 0x31, 0xdd, 0x0f, 0x66, 0x66, 0x03, 0xc1, 0x1b, 0xc1, 0x1f,
-	0xa0, 0xbf, 0xc9, 0xab, 0x5e, 0x1e, 0xf0, 0xa6, 0x57, 0xc1, 0xc4, 0x7f, 0x71, 0xae, 0x64, 0x66,
-	0x67, 0x77, 0xd3, 0x34, 0xe2, 0xe9, 0xe9, 0x4d, 0xc8, 0xfb, 0xf1, 0x3c, 0xcf, 0x3b, 0xef, 0x3c,
-	0x99, 0x20, 0x7f, 0xf8, 0xb9, 0x70, 0x59, 0xe2, 0x0d, 0xb3, 0x3e, 0x3c, 0xa7, 0x61, 0xc8, 0x21,
-	0xa4, 0x32, 0xe1, 0x5e, 0x3a, 0x0c, 0x3d, 0x9a, 0x32, 0xa1, 0x3e, 0x38, 0x84, 0x4c, 0x48, 0x4e,
-	0x25, 0x4b, 0x62, 0x6f, 0x74, 0xe0, 0x85, 0x10, 0x03, 0xa7, 0x12, 0x06, 0x6e, 0xca, 0x13, 0x99,
-	0xe0, 0x4e, 0xce, 0xe1, 0x2a, 0x8e, 0x1f, 0x2b, 0x0e, 0x37, 0x1d, 0x86, 0xae, 0xe2, 0x70, 0x17,
-	0x38, 0xdc, 0xd1, 0xc1, 0xee, 0xf3, 0x90, 0xc9, 0xcb, 0xac, 0xef, 0x06, 0x49, 0xe4, 0x85, 0x49,
-	0x98, 0x78, 0x9a, 0xaa, 0x9f, 0x5d, 0xe8, 0x48, 0x07, 0xfa, 0x5b, 0x2e, 0xb1, 0xfb, 0xa9, 0x19,
-	0x93, 0xa6, 0x2c, 0xa2, 0xc1, 0x25, 0x8b, 0x81, 0x8f, 0xab, 0x19, 0x23, 0x90, 0x74, 0xc9, 0x60,
-	0xbb, 0xde, 0x7f, 0xa1, 0x78, 0x16, 0x4b, 0x16, 0xc1, 0x1d, 0xc0, 0x67, 0xff, 0x07, 0x10, 0xc1,
-	0x25, 0x44, 0x74, 0x11, 0xd7, 0xfa, 0x73, 0x05, 0xa1, 0xc3, 0xee, 0x71, 0x0f, 0xf8, 0x88, 0x05,
-	0x80, 0x7f, 0x42, 0x4d, 0x35, 0xd2, 0x80, 0x4a, 0x6a, 0x5b, 0xfb, 0x56, 0x7b, 0xb3, 0xf3, 0x89,
-	0x6b, 0x76, 0x34, 0xcf, 0x5c, 0x2d, 0x48, 0x75, 0xbb, 0xa3, 0x03, 0xf7, 0xdb, 0xfe, 0xcf, 0x10,
-	0xc8, 0x53, 0x90, 0xd4, 0xc7, 0xd7, 0x93, 0xbd, 0xda, 0x6c, 0xb2, 0x87, 0xaa, 0x1c, 0x29, 0x59,
-	0xf1, 0x00, 0xd5, 0x45, 0x0a, 0x81, 0xbd, 0xa2, 0xd9, 0x7d, 0xf7, 0xfe, 0x37, 0xe0, 0x56, 0xf3,
-	0xf6, 0x52, 0x08, 0xfc, 0x2d, 0xa3, 0x57, 0x57, 0x11, 0xd1, 0xec, 0xf8, 0x0a, 0xad, 0x09, 0x49,
-	0x65, 0x26, 0xec, 0x55, 0xad, 0xf3, 0xf5, 0x03, 0x75, 0x34, 0x97, 0xff, 0xc8, 0x28, 0xad, 0xe5,
-	0x31, 0x31, 0x1a, 0xad, 0x9b, 0x15, 0xf4, 0x4e, 0xd5, 0xfc, 0x22, 0x89, 0x07, 0x4c, 0x71, 0xe0,
-	0x2f, 0x51, 0x5d, 0x8e, 0x53, 0xd0, 0x9b, 0xdc, 0xf0, 0x3f, 0x2c, 0xe6, 0x3c, 0x1b, 0xa7, 0xf0,
-	0x6a, 0xb2, 0xf7, 0x74, 0x09, 0x44, 0x95, 0x88, 0x06, 0xe1, 0x2f, 0xca, 0x23, 0xac, 0x68, 0xf8,
-	0x7b, 0xb7, 0xc5, 0x5f, 0x4d, 0xf6, 0xb6, 0x4b, 0xd8, 0xed, 0x79, 0xf0, 0x08, 0xe1, 0x2b, 0x2a,
-	0xe4, 0x19, 0xa7, 0xb1, 0xc8, 0x69, 0x59, 0x04, 0x66, 0x13, 0x1f, 0xbf, 0xde, 0x7d, 0x2a, 0x84,
-	0xbf, 0x6b, 0x24, 0xf1, 0xc9, 0x1d, 0x36, 0xb2, 0x44, 0x01, 0x7f, 0x80, 0xd6, 0x38, 0x50, 0x91,
-	0xc4, 0x76, 0x5d, 0x8f, 0x5c, 0xee, 0x8b, 0xe8, 0x2c, 0x31, 0x55, 0xfc, 0x11, 0x5a, 0x8f, 0x40,
-	0x08, 0x1a, 0x82, 0xdd, 0xd0, 0x8d, 0xdb, 0xa6, 0x71, 0xfd, 0x34, 0x4f, 0x93, 0xa2, 0xde, 0xfa,
-	0xcb, 0x42, 0x8f, 0xaa, 0x3d, 0x9d, 0x30, 0x21, 0xf1, 0x0f, 0x77, 0x3c, 0xea, 0xbe, 0xde, 0x99,
-	0x14, 0x5a, 0x3b, 0x74, 0xc7, 0xc8, 0x35, 0x8b, 0xcc, 0x9c, 0x3f, 0x03, 0xd4, 0x60, 0x12, 0x22,
-	0xb5, 0xf5, 0xd5, 0xf6, 0x66, 0xe7, 0xab, 0x87, 0x19, 0xc7, 0x7f, 0xcb, 0x48, 0x35, 0x8e, 0x15,
-	0x29, 0xc9, 0xb9, 0x5b, 0xd3, 0xd5, 0xf9, 0x53, 0x29, 0xdf, 0xe2, 0x21, 0x5a, 0x17, 0x79, 0x68,
-	0x0e, 0xf5, 0x46, 0x96, 0x35, 0x8c, 0x04, 0x2e, 0x80, 0x43, 0x1c, 0x80, 0xbf, 0xa9, 0xb6, 0x5a,
-	0x64, 0x0b, 0x05, 0xfc, 0x3e, 0x6a, 0x84, 0x3c, 0xc9, 0x52, 0x63, 0xad, 0x72, 0xc8, 0x23, 0x95,
-	0x24, 0x79, 0x4d, 0xdd, 0xd2, 0x08, 0xb8, 0x60, 0x49, 0xac, 0xad, 0x33, 0x77, 0x4b, 0xe7, 0x79,
-	0x9a, 0x14, 0x75, 0xdc, 0x43, 0x4f, 0x58, 0x2c, 0x20, 0xc8, 0x38, 0xf4, 0x86, 0x2c, 0x3d, 0x3b,
-	0xe9, 0x9d, 0x03, 0x67, 0x17, 0x63, 0xed, 0x83, 0xa6, 0xff, 0xae, 0x01, 0x3e, 0x39, 0x5e, 0xd6,
-	0x44, 0x96, 0x63, 0x71, 0x1b, 0x35, 0x03, 0xea, 0x67, 0xf1, 0xe0, 0x2a, 0xb7, 0xc9, 0x96, 0xbf,
-	0xa5, 0xee, 0xec, 0xc5, 0x61, 0x9e, 0x23, 0x65, 0x15, 0x77, 0xd1, 0x63, 0x3d, 0x72, 0x97, 0xb3,
-	0x84, 0x33, 0x39, 0x3e, 0x65, 0x31, 0x8b, 0xb2, 0xc8, 0x5e, 0xdf, 0xb7, 0xda, 0x0d, 0xff, 0x99,
-	0x51, 0x7f, 0x7c, 0xb4, 0xa4, 0x87, 0x2c, 0x45, 0xe2, 0x43, 0xb4, 0x6d, 0xce, 0x56, 0x54, 0xec,
-	0xa6, 0x26, 0x7b, 0x6a, 0xc8, 0xb6, 0xcf, 0x6f, 0x97, 0xc9, 0x62, 0x7f, 0xeb, 0x77, 0x0b, 0xed,
-	0x2c, 0xbe, 0x20, 0xf8, 0x17, 0x84, 0x82, 0xe2, 0x47, 0x2b, 0x6c, 0x4b, 0x5b, 0xec, 0xe8, 0x61,
-	0x16, 0x2b, 0x1f, 0x81, 0xea, 0xe1, 0x2d, 0x53, 0x82, 0xcc, 0xc9, 0xb5, 0x7e, 0xb3, 0xd0, 0xce,
-	0xa2, 0x41, 0xb0, 0x87, 0x36, 0x62, 0x1a, 0x81, 0x48, 0x69, 0x50, 0x3c, 0x54, 0x6f, 0x1b, 0x9e,
-	0x8d, 0x6f, 0x8a, 0x02, 0xa9, 0x7a, 0xf0, 0x3e, 0xaa, 0xab, 0xc0, 0x58, 0xa7, 0x7c, 0x7c, 0x55,
-	0x2f, 0xd1, 0x15, 0xfc, 0x0c, 0xd5, 0xd3, 0x84, 0x4b, 0xed, 0x9a, 0x86, 0xdf, 0x54, 0xd5, 0x6e,
-	0xc2, 0x25, 0xd1, 0x59, 0xff, 0xbb, 0xeb, 0xa9, 0x53, 0x7b, 0x39, 0x75, 0x6a, 0x37, 0x53, 0xa7,
-	0xf6, 0xeb, 0xcc, 0xb1, 0xae, 0x67, 0x8e, 0xf5, 0x72, 0xe6, 0x58, 0x37, 0x33, 0xc7, 0xfa, 0x7b,
-	0xe6, 0x58, 0x7f, 0xfc, 0xe3, 0xd4, 0xbe, 0xef, 0xdc, 0xff, 0xdf, 0xfd, 0xdf, 0x00, 0x00, 0x00,
-	0xff, 0xff, 0x19, 0x6e, 0x3d, 0x66, 0x12, 0x08, 0x00, 0x00,
-}
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
 func (m *APIService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..f72b7ec30bd2f
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*APIService) ProtoMessage() {}
+
+func (*APIServiceCondition) ProtoMessage() {}
+
+func (*APIServiceList) ProtoMessage() {}
+
+func (*APIServiceSpec) ProtoMessage() {}
+
+func (*APIServiceStatus) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..5a46c2cb5d5db
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIService) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceCondition) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceList) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceSpec) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceStatus) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"
+}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
index 40d1131ca08dd..07ee950de8f3a 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/doc.go
@@ -18,9 +18,11 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/kube-aggregator/pkg/apis/apiregistration
 // +k8s:openapi-gen=true
-// +groupName=apiregistration.k8s.io
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:prerelease-lifecycle-gen=true
+// +k8s:openapi-model-package=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1
+
+// +groupName=apiregistration.k8s.io
 
 // Package v1beta1 contains the API Registration API, which is responsible for
 // registering an API `Group`/`Version` with another kubernetes like API server.
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
index 8f1a4c5ff4623..5ae842edcd073 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.pb.go
@@ -24,262 +24,22 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *APIService) Reset() { *m = APIService{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *APIServiceCondition) Reset() { *m = APIServiceCondition{} }
 
-func (m *APIService) Reset()      { *m = APIService{} }
-func (*APIService) ProtoMessage() {}
-func (*APIService) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{0}
-}
-func (m *APIService) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIService) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIService.Merge(m, src)
-}
-func (m *APIService) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIService) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIService.DiscardUnknown(m)
-}
+func (m *APIServiceList) Reset() { *m = APIServiceList{} }
 
-var xxx_messageInfo_APIService proto.InternalMessageInfo
+func (m *APIServiceSpec) Reset() { *m = APIServiceSpec{} }
 
-func (m *APIServiceCondition) Reset()      { *m = APIServiceCondition{} }
-func (*APIServiceCondition) ProtoMessage() {}
-func (*APIServiceCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{1}
-}
-func (m *APIServiceCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceCondition.Merge(m, src)
-}
-func (m *APIServiceCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceCondition proto.InternalMessageInfo
+func (m *APIServiceStatus) Reset() { *m = APIServiceStatus{} }
 
-func (m *APIServiceList) Reset()      { *m = APIServiceList{} }
-func (*APIServiceList) ProtoMessage() {}
-func (*APIServiceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{2}
-}
-func (m *APIServiceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceList.Merge(m, src)
-}
-func (m *APIServiceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceList proto.InternalMessageInfo
-
-func (m *APIServiceSpec) Reset()      { *m = APIServiceSpec{} }
-func (*APIServiceSpec) ProtoMessage() {}
-func (*APIServiceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{3}
-}
-func (m *APIServiceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceSpec.Merge(m, src)
-}
-func (m *APIServiceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceSpec proto.InternalMessageInfo
-
-func (m *APIServiceStatus) Reset()      { *m = APIServiceStatus{} }
-func (*APIServiceStatus) ProtoMessage() {}
-func (*APIServiceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{4}
-}
-func (m *APIServiceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *APIServiceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *APIServiceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_APIServiceStatus.Merge(m, src)
-}
-func (m *APIServiceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *APIServiceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_APIServiceStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_APIServiceStatus proto.InternalMessageInfo
-
-func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
-func (*ServiceReference) ProtoMessage() {}
-func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_6acc79c5d169026d, []int{5}
-}
-func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceReference.Merge(m, src)
-}
-func (m *ServiceReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*APIService)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIService")
-	proto.RegisterType((*APIServiceCondition)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceCondition")
-	proto.RegisterType((*APIServiceList)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList")
-	proto.RegisterType((*APIServiceSpec)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec")
-	proto.RegisterType((*APIServiceStatus)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus")
-	proto.RegisterType((*ServiceReference)(nil), "k8s.io.kube_aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.proto", fileDescriptor_6acc79c5d169026d)
-}
-
-var fileDescriptor_6acc79c5d169026d = []byte{
-	// 833 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4d, 0x6f, 0xe3, 0x44,
-	0x18, 0x8e, 0xdb, 0xa4, 0x4d, 0xa7, 0x65, 0x5b, 0x86, 0x5d, 0xad, 0x55, 0x2d, 0x6e, 0x09, 0x12,
-	0x14, 0xa4, 0xb5, 0xe9, 0x0a, 0xb1, 0x20, 0x4e, 0x75, 0x0f, 0x55, 0xa5, 0x16, 0xa2, 0x49, 0xd5,
-	0x03, 0x02, 0xc1, 0xc4, 0x79, 0xeb, 0x0c, 0x59, 0x7f, 0x30, 0x33, 0x8e, 0x94, 0xdb, 0x4a, 0xfc,
-	0x01, 0x2e, 0xfc, 0xa7, 0x1e, 0x38, 0xec, 0x31, 0xa7, 0x88, 0x06, 0x89, 0x1f, 0xb1, 0x27, 0x34,
-	0xe3, 0xb1, 0x9d, 0x26, 0x41, 0x5b, 0x55, 0xbd, 0x44, 0x79, 0x3f, 0x9e, 0xe7, 0x79, 0xe7, 0x9d,
-	0x27, 0xa3, 0xa0, 0x93, 0xc1, 0xd7, 0xc2, 0x65, 0x89, 0x37, 0xc8, 0xba, 0xf0, 0x9c, 0x86, 0x21,
-	0x87, 0x90, 0xca, 0x84, 0x7b, 0xe9, 0x20, 0xf4, 0x68, 0xca, 0x84, 0xfa, 0xe0, 0x10, 0x32, 0x21,
-	0x39, 0x95, 0x2c, 0x89, 0xbd, 0xe1, 0x61, 0x17, 0x24, 0x3d, 0xf4, 0x42, 0x88, 0x81, 0x53, 0x09,
-	0x3d, 0x37, 0xe5, 0x89, 0x4c, 0xf0, 0xcb, 0x9c, 0xc8, 0x55, 0x44, 0x3f, 0x57, 0x44, 0x6e, 0x3a,
-	0x08, 0x5d, 0x45, 0xe4, 0xce, 0x11, 0xb9, 0x86, 0x68, 0xf7, 0x79, 0xc8, 0x64, 0x3f, 0xeb, 0xba,
-	0x41, 0x12, 0x79, 0x61, 0x12, 0x26, 0x9e, 0xe6, 0xeb, 0x66, 0x57, 0x3a, 0xd2, 0x81, 0xfe, 0x96,
-	0xeb, 0xec, 0x7e, 0x69, 0x06, 0xa6, 0x29, 0x8b, 0x68, 0xd0, 0x67, 0x31, 0xf0, 0x51, 0x35, 0x6d,
-	0x04, 0x92, 0x7a, 0xc3, 0x85, 0xe9, 0x76, 0xbd, 0xff, 0x43, 0xf1, 0x2c, 0x96, 0x2c, 0x82, 0x05,
-	0xc0, 0x57, 0xef, 0x02, 0x88, 0xa0, 0x0f, 0x11, 0x9d, 0xc7, 0xb5, 0xfe, 0x5a, 0x41, 0xe8, 0xa8,
-	0x7d, 0xda, 0x01, 0x3e, 0x64, 0x01, 0xe0, 0x5f, 0x50, 0x53, 0x8d, 0xd4, 0xa3, 0x92, 0xda, 0xd6,
-	0xbe, 0x75, 0xb0, 0xf9, 0xe2, 0x0b, 0xd7, 0x2c, 0x6a, 0x96, 0xb9, 0xda, 0x92, 0xea, 0x76, 0x87,
-	0x87, 0xee, 0xf7, 0xdd, 0x5f, 0x21, 0x90, 0xe7, 0x20, 0xa9, 0x8f, 0xaf, 0x27, 0x7b, 0xb5, 0xe9,
-	0x64, 0x0f, 0x55, 0x39, 0x52, 0xb2, 0x62, 0x86, 0xea, 0x22, 0x85, 0xc0, 0x5e, 0xd1, 0xec, 0x27,
-	0xee, 0x3d, 0xaf, 0xc1, 0xad, 0x86, 0xee, 0xa4, 0x10, 0xf8, 0x5b, 0x46, 0xb4, 0xae, 0x22, 0xa2,
-	0x25, 0xf0, 0x6f, 0x68, 0x4d, 0x48, 0x2a, 0x33, 0x61, 0xaf, 0x6a, 0xb1, 0xd3, 0x87, 0x10, 0xd3,
-	0x84, 0xfe, 0x23, 0x23, 0xb7, 0x96, 0xc7, 0xc4, 0x08, 0xb5, 0xc6, 0x2b, 0xe8, 0x83, 0xaa, 0xf9,
-	0x38, 0x89, 0x7b, 0x4c, 0x11, 0xe1, 0x6f, 0x51, 0x5d, 0x8e, 0x52, 0xd0, 0x3b, 0xdd, 0xf0, 0x3f,
-	0x2d, 0x86, 0xbd, 0x18, 0xa5, 0xf0, 0x76, 0xb2, 0xf7, 0x74, 0x09, 0x44, 0x95, 0x88, 0x06, 0xe1,
-	0x6f, 0xca, 0x73, 0xac, 0x68, 0xf8, 0x47, 0xb7, 0xc5, 0xdf, 0x4e, 0xf6, 0xb6, 0x4b, 0xd8, 0xed,
-	0x79, 0xf0, 0x10, 0xe1, 0x57, 0x54, 0xc8, 0x0b, 0x4e, 0x63, 0x91, 0xd3, 0xb2, 0x08, 0xcc, 0x3a,
-	0x3e, 0xbf, 0xdb, 0xcd, 0x2a, 0x84, 0xbf, 0x6b, 0x24, 0xf1, 0xd9, 0x02, 0x1b, 0x59, 0xa2, 0x80,
-	0x3f, 0x41, 0x6b, 0x1c, 0xa8, 0x48, 0x62, 0xbb, 0xae, 0x47, 0x2e, 0xf7, 0x45, 0x74, 0x96, 0x98,
-	0x2a, 0xfe, 0x0c, 0xad, 0x47, 0x20, 0x04, 0x0d, 0xc1, 0x6e, 0xe8, 0xc6, 0x6d, 0xd3, 0xb8, 0x7e,
-	0x9e, 0xa7, 0x49, 0x51, 0x6f, 0x8d, 0x2d, 0xf4, 0xa8, 0xda, 0xd3, 0x19, 0x13, 0x12, 0xff, 0xb8,
-	0xe0, 0x56, 0xf7, 0x6e, 0x67, 0x52, 0x68, 0xed, 0xd5, 0x1d, 0x23, 0xd7, 0x2c, 0x32, 0x33, 0x4e,
-	0xed, 0xa3, 0x06, 0x93, 0x10, 0xa9, 0xad, 0xaf, 0x1e, 0x6c, 0xbe, 0x38, 0x7e, 0x00, 0xf7, 0xf8,
-	0xef, 0x19, 0xbd, 0xc6, 0xa9, 0x62, 0x26, 0xb9, 0x40, 0xeb, 0xdf, 0xd5, 0xd9, 0xa3, 0x29, 0x07,
-	0xe3, 0x14, 0xad, 0x8b, 0x3c, 0x34, 0x27, 0xbb, 0xbf, 0x79, 0x0d, 0x2d, 0x81, 0x2b, 0xe0, 0x10,
-	0x07, 0xe0, 0x6f, 0xaa, 0xfd, 0x16, 0xd9, 0x42, 0x06, 0x7f, 0x8c, 0x1a, 0x21, 0x4f, 0xb2, 0xd4,
-	0x98, 0xac, 0x9c, 0xf4, 0x44, 0x25, 0x49, 0x5e, 0x53, 0xf7, 0x35, 0x04, 0x2e, 0x58, 0x12, 0x6b,
-	0x13, 0xcd, 0xdc, 0xd7, 0x65, 0x9e, 0x26, 0x45, 0x1d, 0x77, 0xd0, 0x13, 0x16, 0x0b, 0x08, 0x32,
-	0x0e, 0x9d, 0x01, 0x4b, 0x2f, 0xce, 0x3a, 0x97, 0xc0, 0xd9, 0xd5, 0x48, 0x3b, 0xa2, 0xe9, 0x7f,
-	0x68, 0x80, 0x4f, 0x4e, 0x97, 0x35, 0x91, 0xe5, 0x58, 0x7c, 0x80, 0x9a, 0x01, 0xf5, 0xb3, 0xb8,
-	0xf7, 0x2a, 0x37, 0xcc, 0x96, 0xbf, 0xa5, 0x6e, 0xef, 0xf8, 0x28, 0xcf, 0x91, 0xb2, 0x8a, 0xdb,
-	0xe8, 0xb1, 0x1e, 0xb9, 0xcd, 0x59, 0xc2, 0x99, 0x1c, 0x9d, 0xb3, 0x98, 0x45, 0x59, 0x64, 0xaf,
-	0xef, 0x5b, 0x07, 0x0d, 0xff, 0x99, 0x51, 0x7f, 0x7c, 0xb2, 0xa4, 0x87, 0x2c, 0x45, 0xe2, 0x23,
-	0xb4, 0x6d, 0xce, 0x56, 0x54, 0xec, 0xa6, 0x26, 0x7b, 0x6a, 0xc8, 0xb6, 0x2f, 0x6f, 0x97, 0xc9,
-	0x7c, 0x7f, 0xeb, 0x4f, 0x0b, 0xed, 0xcc, 0xbf, 0x25, 0xf8, 0xb5, 0x85, 0x50, 0x50, 0xfc, 0x7e,
-	0x85, 0x6d, 0x69, 0xb7, 0x9d, 0x3d, 0x80, 0xdb, 0xca, 0x47, 0xa1, 0x7a, 0x92, 0xcb, 0x94, 0x20,
-	0x33, 0x9a, 0xad, 0xdf, 0x2d, 0xb4, 0x33, 0x6f, 0x13, 0xec, 0xa1, 0x8d, 0x98, 0x46, 0x20, 0x52,
-	0x1a, 0x14, 0x0f, 0xd7, 0xfb, 0x86, 0x67, 0xe3, 0xbb, 0xa2, 0x40, 0xaa, 0x1e, 0xbc, 0x8f, 0xea,
-	0x2a, 0x30, 0x06, 0x2a, 0x5f, 0x64, 0xd5, 0x4b, 0x74, 0x05, 0x3f, 0x43, 0xf5, 0x34, 0xe1, 0x52,
-	0x7b, 0xa7, 0xe1, 0x37, 0x55, 0xb5, 0x9d, 0x70, 0x49, 0x74, 0xd6, 0xff, 0xe9, 0xfa, 0xc6, 0xa9,
-	0xbd, 0xb9, 0x71, 0x6a, 0xe3, 0x1b, 0xa7, 0xf6, 0x7a, 0xea, 0x58, 0xd7, 0x53, 0xc7, 0x7a, 0x33,
-	0x75, 0xac, 0xf1, 0xd4, 0xb1, 0xfe, 0x9e, 0x3a, 0xd6, 0x1f, 0xff, 0x38, 0xb5, 0x1f, 0x5e, 0xde,
-	0xf3, 0x1f, 0xc0, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5f, 0x50, 0xda, 0x9b, 0x3b, 0x08, 0x00,
-	0x00,
-}
+func (m *ServiceReference) Reset() { *m = ServiceReference{} }
 
 func (m *APIService) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..23dd6b3aa1e5a
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*APIService) ProtoMessage() {}
+
+func (*APIServiceCondition) ProtoMessage() {}
+
+func (*APIServiceList) ProtoMessage() {}
+
+func (*APIServiceSpec) ProtoMessage() {}
+
+func (*APIServiceStatus) ProtoMessage() {}
+
+func (*ServiceReference) ProtoMessage() {}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..490a39e886dd4
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIService) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceCondition) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceCondition"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceList) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceSpec) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in APIServiceStatus) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceReference) OpenAPIModelName() string {
+	return "io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference"
+}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apis/openapi_models_test.go b/staging/src/k8s.io/kube-aggregator/pkg/apis/openapi_models_test.go
new file mode 100644
index 0000000000000..bad90b73dc73d
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apis/openapi_models_test.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kube-openapi/pkg/util"
+
+	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
+)
+
+var groups = []runtime.SchemeBuilder{
+	apiregistrationv1.SchemeBuilder,
+	apiregistrationv1beta1.SchemeBuilder,
+}
+
+func TestOpenAPIDefinitionNames(t *testing.T) {
+	scheme := runtime.NewScheme()
+	for _, builder := range groups {
+		if err := builder.AddToScheme(scheme); err != nil {
+			t.Fatalf("unexpected error adding to scheme: %v", err)
+		}
+	}
+
+	kinds := scheme.AllKnownTypes()
+	for gvk := range kinds {
+		if gvk.Version == runtime.APIVersionInternal {
+			continue
+		}
+		t.Run(gvk.String(), func(t *testing.T) {
+			example, err := scheme.New(gvk)
+			if err != nil {
+				t.Fatalf("unexpected error creating example: %v", err)
+			}
+
+			namer, ok := example.(util.OpenAPIModelNamer)
+			if !ok {
+				t.Fatalf("type %v does not implement OpenAPICanonicalTypeName\n", gvk)
+			}
+			lookupName := namer.OpenAPIModelName()
+
+			rtype := reflect.TypeOf(example).Elem()
+			reflectName := util.ToRESTFriendlyName(rtype.PkgPath() + "." + rtype.Name())
+
+			if lookupName != reflectName {
+				t.Errorf("expected %v, got %v", reflectName, lookupName)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
index e8f639ed0bb66..61b7d7fea0242 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
@@ -39,6 +39,7 @@ import (
 	"k8s.io/apiserver/pkg/server/egressselector"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	utilpeerproxy "k8s.io/apiserver/pkg/util/peerproxy"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/transport"
 	"k8s.io/component-base/metrics/legacyregistry"
@@ -112,6 +113,10 @@ type ExtraConfig struct {
 	// the concept of services and endpoints might differ, and might require another implementation of this
 	// controller. Local APIService are reconciled nevertheless.
 	DisableRemoteAvailableConditionController bool
+
+	// PeerProxy, if not nil, sets proxy transport between kube-apiserver peers for requests
+	// that can not be served locally
+	PeerProxy utilpeerproxy.Interface
 }
 
 // Config represents the configuration needed to create an APIAggregator.
@@ -283,7 +288,16 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg
 		discoveryGroup: discoveryGroup(enabledVersions),
 	}
 
-	apisHandlerWithAggregationSupport := aggregated.WrapAggregatedDiscoveryToHandler(apisHandler, s.GenericAPIServer.AggregatedDiscoveryGroupManager)
+	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnknownVersionInteroperabilityProxy) && c.ExtraConfig.PeerProxy != nil {
+		s.GenericAPIServer.PeerAggregatedDiscoveryManager = aggregated.NewPeerAggregatedDiscoveryHandler(s.GenericAPIServer.APIServerID, s.GenericAPIServer.AggregatedDiscoveryGroupManager, c.ExtraConfig.PeerProxy, "apis")
+
+		// Register cache invalidation callback to the peer proxy handler
+		if s.GenericAPIServer.PeerAggregatedDiscoveryManager != nil {
+			c.ExtraConfig.PeerProxy.RegisterCacheInvalidationCallback(s.GenericAPIServer.PeerAggregatedDiscoveryManager.InvalidateCache)
+		}
+	}
+
+	apisHandlerWithAggregationSupport := aggregated.WrapAggregatedDiscoveryToHandler(apisHandler, s.GenericAPIServer.AggregatedDiscoveryGroupManager, s.GenericAPIServer.PeerAggregatedDiscoveryManager)
 	s.GenericAPIServer.Handler.NonGoRestfulMux.Handle("/apis", apisHandlerWithAggregationSupport)
 	s.GenericAPIServer.Handler.NonGoRestfulMux.UnlistedHandle("/apis/", apisHandler)
 
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiservice_controller.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiservice_controller.go
index d70e906f9853a..3526ec2bf5c62 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiservice_controller.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiservice_controller.go
@@ -118,7 +118,7 @@ func (c *APIServiceRegistrationController) Run(stopCh <-chan struct{}, handlerSy
 			}
 		}
 		return true, nil
-	}, stopCh); err == wait.ErrWaitTimeout {
+	}, stopCh); wait.Interrupted(err) {
 		utilruntime.HandleError(fmt.Errorf("timed out waiting for proxy handler to initialize"))
 		return
 	} else if err != nil {
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go b/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go
index e2941c231bfd8..534d62d119505 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake/clientset_generated.go
@@ -37,7 +37,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -53,8 +53,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -85,6 +85,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 var (
 	_ clientset.Interface = &Clientset{}
 	_ testing.FakeClient  = &Clientset{}
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1/apiservice.go b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1/apiservice.go
index 53cee55483162..7e656561ddb22 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1/apiservice.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1/apiservice.go
@@ -56,7 +56,7 @@ func NewAPIServiceInformer(client clientset.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredAPIServiceInformer(client clientset.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredAPIServiceInformer(client clientset.Interface, resyncPeriod time
 				}
 				return client.ApiregistrationV1().APIServices().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisapiregistrationv1.APIService{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1beta1/apiservice.go b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1beta1/apiservice.go
index 79db28f2ad3db..1799207684e69 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1beta1/apiservice.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1beta1/apiservice.go
@@ -56,7 +56,7 @@ func NewAPIServiceInformer(client clientset.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredAPIServiceInformer(client clientset.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredAPIServiceInformer(client clientset.Interface, resyncPeriod time
 				}
 				return client.ApiregistrationV1beta1().APIServices().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisapiregistrationv1beta1.APIService{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/factory.go b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/factory.go
index 9774cfb8857e6..93bafa3bbe12c 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client clientset.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client clientset.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/controllers/openapiv3/aggregator/aggregator_test.go b/staging/src/k8s.io/kube-aggregator/pkg/controllers/openapiv3/aggregator/aggregator_test.go
index 6b9ee6939a022..a2d34d271f88b 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/controllers/openapiv3/aggregator/aggregator_test.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/controllers/openapiv3/aggregator/aggregator_test.go
@@ -309,7 +309,7 @@ func sendReq(t *testing.T, handler http.Handler, path string) []byte {
 
 func getTestAPIServiceOpenAPIDefinitions(_ openapicommon.ReferenceCallback) map[string]openapicommon.OpenAPIDefinition {
 	return map[string]openapicommon.OpenAPIDefinition{
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService": buildTestAPIServiceOpenAPIDefinition(),
+		"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService": buildTestAPIServiceOpenAPIDefinition(),
 	}
 }
 
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/generated/openapi/zz_generated.openapi.go b/staging/src/k8s.io/kube-aggregator/pkg/generated/openapi/zz_generated.openapi.go
index 44fd7107ac48c..385d1efb12cf4 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/generated/openapi/zz_generated.openapi.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/generated/openapi/zz_generated.openapi.go
@@ -22,78 +22,132 @@ limitations under the License.
 package openapi
 
 import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	version "k8s.io/apimachinery/pkg/version"
+	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
+	v1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
 	common "k8s.io/kube-openapi/pkg/common"
 	spec "k8s.io/kube-openapi/pkg/validation/spec"
 )
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                               schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":                           schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":                            schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":                        schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":                            schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":                           schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                              schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":                          schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":                          schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                               schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement":               schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                               schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                             schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                              schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":                          schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":                           schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":               schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":                       schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":                   schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":                          schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":                          schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":               schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                                   schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                               schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":                            schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":                     schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                              schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                             schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":                         schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":                  schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList":              schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                                  schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":                           schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":                          schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                              schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR":              schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                                 schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":                            schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":                          schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                                  schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":                  schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":                           schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                               schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":                      schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                                   schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                              schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                               schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":                          schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                             schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                                schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                                    schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                                     schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                                        schema_k8sio_apimachinery_pkg_version_Info(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService":               schema_pkg_apis_apiregistration_v1_APIService(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition":      schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceList":           schema_pkg_apis_apiregistration_v1_APIServiceList(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec":           schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus":         schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference":         schema_pkg_apis_apiregistration_v1_ServiceReference(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService":          schema_pkg_apis_apiregistration_v1beta1_APIService(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition": schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceList":      schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec":      schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus":    schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref),
-		"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference":    schema_pkg_apis_apiregistration_v1beta1_ServiceReference(ref),
+		resource.Quantity{}.OpenAPIModelName():                     schema_apimachinery_pkg_api_resource_Quantity(ref),
+		v1.APIGroup{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_APIGroup(ref),
+		v1.APIGroupList{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_APIGroupList(ref),
+		v1.APIResource{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_APIResource(ref),
+		v1.APIResourceList{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_APIResourceList(ref),
+		v1.APIVersions{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_APIVersions(ref),
+		v1.ApplyOptions{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		v1.Condition{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_Condition(ref),
+		v1.CreateOptions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_CreateOptions(ref),
+		v1.DeleteOptions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		v1.Duration{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_Duration(ref),
+		v1.FieldSelectorRequirement{}.OpenAPIModelName():           schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
+		v1.FieldsV1{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_FieldsV1(ref),
+		v1.GetOptions{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_GetOptions(ref),
+		v1.GroupKind{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_GroupKind(ref),
+		v1.GroupResource{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_GroupResource(ref),
+		v1.GroupVersion{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_GroupVersion(ref),
+		v1.GroupVersionForDiscovery{}.OpenAPIModelName():           schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		v1.GroupVersionKind{}.OpenAPIModelName():                   schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		v1.GroupVersionResource{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		v1.InternalEvent{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_InternalEvent(ref),
+		v1.LabelSelector{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_LabelSelector(ref),
+		v1.LabelSelectorRequirement{}.OpenAPIModelName():           schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		v1.List{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_List(ref),
+		v1.ListMeta{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_ListMeta(ref),
+		v1.ListOptions{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_ListOptions(ref),
+		v1.ManagedFieldsEntry{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		v1.MicroTime{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_MicroTime(ref),
+		v1.ObjectMeta{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		v1.OwnerReference{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_OwnerReference(ref),
+		v1.PartialObjectMetadata{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		v1.PartialObjectMetadataList{}.OpenAPIModelName():          schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		v1.Patch{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_Patch(ref),
+		v1.PatchOptions{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_PatchOptions(ref),
+		v1.Preconditions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_Preconditions(ref),
+		v1.RootPaths{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_RootPaths(ref),
+		v1.ServerAddressByClientCIDR{}.OpenAPIModelName():          schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		v1.Status{}.OpenAPIModelName():                             schema_pkg_apis_meta_v1_Status(ref),
+		v1.StatusCause{}.OpenAPIModelName():                        schema_pkg_apis_meta_v1_StatusCause(ref),
+		v1.StatusDetails{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_StatusDetails(ref),
+		v1.Table{}.OpenAPIModelName():                              schema_pkg_apis_meta_v1_Table(ref),
+		v1.TableColumnDefinition{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		v1.TableOptions{}.OpenAPIModelName():                       schema_pkg_apis_meta_v1_TableOptions(ref),
+		v1.TableRow{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_TableRow(ref),
+		v1.TableRowCondition{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		v1.Time{}.OpenAPIModelName():                               schema_pkg_apis_meta_v1_Time(ref),
+		v1.Timestamp{}.OpenAPIModelName():                          schema_pkg_apis_meta_v1_Timestamp(ref),
+		v1.TypeMeta{}.OpenAPIModelName():                           schema_pkg_apis_meta_v1_TypeMeta(ref),
+		v1.UpdateOptions{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		v1.WatchEvent{}.OpenAPIModelName():                         schema_pkg_apis_meta_v1_WatchEvent(ref),
+		runtime.RawExtension{}.OpenAPIModelName():                  schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		runtime.TypeMeta{}.OpenAPIModelName():                      schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		runtime.Unknown{}.OpenAPIModelName():                       schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		version.Info{}.OpenAPIModelName():                          schema_k8sio_apimachinery_pkg_version_Info(ref),
+		apiregistrationv1.APIService{}.OpenAPIModelName():          schema_pkg_apis_apiregistration_v1_APIService(ref),
+		apiregistrationv1.APIServiceCondition{}.OpenAPIModelName(): schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref),
+		apiregistrationv1.APIServiceList{}.OpenAPIModelName():      schema_pkg_apis_apiregistration_v1_APIServiceList(ref),
+		apiregistrationv1.APIServiceSpec{}.OpenAPIModelName():      schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref),
+		apiregistrationv1.APIServiceStatus{}.OpenAPIModelName():    schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref),
+		apiregistrationv1.ServiceReference{}.OpenAPIModelName():    schema_pkg_apis_apiregistration_v1_ServiceReference(ref),
+		v1beta1.APIService{}.OpenAPIModelName():                    schema_pkg_apis_apiregistration_v1beta1_APIService(ref),
+		v1beta1.APIServiceCondition{}.OpenAPIModelName():           schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref),
+		v1beta1.APIServiceList{}.OpenAPIModelName():                schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref),
+		v1beta1.APIServiceSpec{}.OpenAPIModelName():                schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref),
+		v1beta1.APIServiceStatus{}.OpenAPIModelName():              schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref),
+		v1beta1.ServiceReference{}.OpenAPIModelName():              schema_pkg_apis_apiregistration_v1beta1_ServiceReference(ref),
+	}
+}
+
+func schema_apimachinery_pkg_api_resource_Quantity(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.EmbedOpenAPIDefinitionIntoV2Extension(common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				OneOf:       common.GenerateOpenAPIV3OneOfSchema(resource.Quantity{}.OpenAPIV3OneOfTypes()),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	}, common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				Type:        resource.Quantity{}.OpenAPISchemaType(),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	})
+}
+
+func schema_apimachinery_pkg_api_resource_int64Amount(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "int64Amount represents a fixed precision numerator and arbitrary scale exponent. It is faster than operations on inf.Dec for values that can be represented as int64.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"scale": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int32",
+						},
+					},
+				},
+				Required: []string{"value", "scale"},
+			},
+		},
 	}
 }
 
@@ -139,7 +193,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+										Ref:     ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -149,7 +203,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "preferredVersion is the version preferred by the API server, which probably is the storage version.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+							Ref:         ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 						},
 					},
 					"serverAddressByClientCIDRs": {
@@ -165,7 +219,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -176,7 +230,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.GroupVersionForDiscovery{}.OpenAPIModelName(), v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -214,7 +268,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"),
+										Ref:     ref(v1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -225,7 +279,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"},
+			v1.APIGroup{}.OpenAPIModelName()},
 	}
 }
 
@@ -393,7 +447,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"),
+										Ref:     ref(v1.APIResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -404,7 +458,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"},
+			v1.APIResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -462,7 +516,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -473,7 +527,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -574,7 +628,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -598,7 +652,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -694,7 +748,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 					"preconditions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"),
+							Ref:         ref(v1.Preconditions{}.OpenAPIModelName()),
 						},
 					},
 					"orphanDependents": {
@@ -742,7 +796,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"},
+			v1.Preconditions{}.OpenAPIModelName()},
 	}
 }
 
@@ -1054,15 +1108,12 @@ func schema_pkg_apis_meta_v1_InternalEvent(ref common.ReferenceCallback) common.
 					"Object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Bookmark: the object (instance of a type being watched) where\n   only ResourceVersion field is set. On successful restart of watch from a\n   bookmark resourceVersion, client is guaranteed to not get repeat event\n   nor miss any events.\n * If Type is Error: *api.Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Object"),
 						},
 					},
 				},
 				Required: []string{"Type", "Object"},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.Object"},
 	}
 }
 
@@ -1102,7 +1153,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(v1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1117,7 +1168,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			v1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -1196,7 +1247,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1206,7 +1257,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1217,7 +1268,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -1390,7 +1441,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"fieldsType": {
@@ -1403,7 +1454,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"fieldsV1": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1"),
+							Ref:         ref(v1.FieldsV1{}.OpenAPIModelName()),
 						},
 					},
 					"subresource": {
@@ -1417,7 +1468,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.FieldsV1{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1492,13 +1543,13 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 					"creationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionGracePeriodSeconds": {
@@ -1558,7 +1609,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+										Ref:     ref(v1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1598,7 +1649,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"),
+										Ref:     ref(v1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1608,7 +1659,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.ManagedFieldsEntry{}.OpenAPIModelName(), v1.OwnerReference{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1702,14 +1753,14 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadata(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1738,7 +1789,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1749,7 +1800,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(v1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1760,7 +1811,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -1959,7 +2010,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
@@ -1984,14 +2035,9 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						},
 					},
 					"details": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"),
+							Ref:         ref(v1.StatusDetails{}.OpenAPIModelName()),
 						},
 					},
 					"code": {
@@ -2005,7 +2051,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.StatusDetails{}.OpenAPIModelName()},
 	}
 }
 
@@ -2091,7 +2137,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"),
+										Ref:     ref(v1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2108,7 +2154,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"},
+			v1.StatusCause{}.OpenAPIModelName()},
 	}
 }
 
@@ -2137,7 +2183,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"columnDefinitions": {
@@ -2153,7 +2199,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition"),
+										Ref:     ref(v1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2172,7 +2218,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"),
+										Ref:     ref(v1.TableRow{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2183,7 +2229,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.TableColumnDefinition{}.OpenAPIModelName(), v1.TableRow{}.OpenAPIModelName()},
 	}
 }
 
@@ -2314,7 +2360,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition"),
+										Ref:     ref(v1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2323,7 +2369,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing. The media type of the object will always match the enclosing list - if this as a JSON table, these will be JSON encoded objects.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2331,7 +2377,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.TableRowCondition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2526,7 +2572,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2534,7 +2580,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2748,28 +2794,28 @@ func schema_pkg_apis_apiregistration_v1_APIService(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec contains information for locating and communicating with a server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec"),
+							Ref:         ref(apiregistrationv1.APIServiceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status contains derived information about an API server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus"),
+							Ref:         ref(apiregistrationv1.APIServiceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceSpec", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), apiregistrationv1.APIServiceSpec{}.OpenAPIModelName(), apiregistrationv1.APIServiceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -2799,7 +2845,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref common.Reference
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -2821,7 +2867,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceCondition(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -2850,7 +2896,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2861,7 +2907,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService"),
+										Ref:     ref(apiregistrationv1.APIService{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2872,7 +2918,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIService"},
+			v1.ListMeta{}.OpenAPIModelName(), apiregistrationv1.APIService{}.OpenAPIModelName()},
 	}
 }
 
@@ -2886,7 +2932,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref common.ReferenceCallb
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.",
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference"),
+							Ref:         ref(apiregistrationv1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
@@ -2943,7 +2989,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceSpec(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.ServiceReference"},
+			apiregistrationv1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -2972,7 +3018,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref common.ReferenceCal
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition"),
+										Ref:     ref(apiregistrationv1.APIServiceCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2982,7 +3028,7 @@ func schema_pkg_apis_apiregistration_v1_APIServiceStatus(ref common.ReferenceCal
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1.APIServiceCondition"},
+			apiregistrationv1.APIServiceCondition{}.OpenAPIModelName()},
 	}
 }
 
@@ -3045,28 +3091,28 @@ func schema_pkg_apis_apiregistration_v1beta1_APIService(ref common.ReferenceCall
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Spec contains information for locating and communicating with a server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec"),
+							Ref:         ref(v1beta1.APIServiceSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Status contains derived information about an API server",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus"),
+							Ref:         ref(v1beta1.APIServiceStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceSpec", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), v1beta1.APIServiceSpec{}.OpenAPIModelName(), v1beta1.APIServiceStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3096,7 +3142,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref common.Refe
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Last time the condition transitioned from one status to another.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -3118,7 +3164,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceCondition(ref common.Refe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -3147,7 +3193,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3158,7 +3204,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService"),
+										Ref:     ref(v1beta1.APIService{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3169,7 +3215,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceList(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIService"},
+			v1.ListMeta{}.OpenAPIModelName(), v1beta1.APIService{}.OpenAPIModelName()},
 	}
 }
 
@@ -3183,7 +3229,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref common.Reference
 					"service": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Service is a reference to the service for this API server.  It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.",
-							Ref:         ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference"),
+							Ref:         ref(v1beta1.ServiceReference{}.OpenAPIModelName()),
 						},
 					},
 					"group": {
@@ -3240,7 +3286,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceSpec(ref common.Reference
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.ServiceReference"},
+			v1beta1.ServiceReference{}.OpenAPIModelName()},
 	}
 }
 
@@ -3269,7 +3315,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref common.Referen
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition"),
+										Ref:     ref(v1beta1.APIServiceCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3279,7 +3325,7 @@ func schema_pkg_apis_apiregistration_v1beta1_APIServiceStatus(ref common.Referen
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1.APIServiceCondition"},
+			v1beta1.APIServiceCondition{}.OpenAPIModelName()},
 	}
 }
 
diff --git a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/doc.go b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/doc.go
index 9017efebb1a63..e3d2069cfe5b3 100644
--- a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kube-controller-manager.config.v1alpha1
+
 // +groupName=kubecontrollermanager.config.k8s.io
 
 package v1alpha1
diff --git a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
index bb2ad0ecd48af..3de443940b744 100644
--- a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
@@ -168,6 +168,8 @@ type KubeControllerManagerConfiguration struct {
 	// ValidatingAdmissionPolicyStatusControllerConfiguration holds configuration for
 	// ValidatingAdmissionPolicyStatusController related features.
 	ValidatingAdmissionPolicyStatusController ValidatingAdmissionPolicyStatusControllerConfiguration
+	// DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.
+	DeviceTaintEvictionController DeviceTaintEvictionControllerConfiguration
 }
 
 // AttachDetachControllerConfiguration contains elements describing AttachDetachController.
@@ -488,3 +490,12 @@ type ValidatingAdmissionPolicyStatusControllerConfiguration struct {
 	// The default value is 5.
 	ConcurrentPolicySyncs int32
 }
+
+// DeviceTaintEvictionControllerConfiguration contains elements configuring the device taint eviction controller.
+type DeviceTaintEvictionControllerConfiguration struct {
+	// ConcurrentSyncs is the number of operations (deleting a pod, updating a ResourcClaim status, etc.)
+	// that will be done concurrently. Larger number = processing, but more CPU (and network) load.
+	//
+	// The default is 10.
+	ConcurrentSyncs int32
+}
diff --git a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.deepcopy.go
index 0ac9b6690e631..9715eca85bffb 100644
--- a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.deepcopy.go
@@ -143,6 +143,22 @@ func (in *DeprecatedControllerConfiguration) DeepCopy() *DeprecatedControllerCon
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintEvictionControllerConfiguration) DeepCopyInto(out *DeviceTaintEvictionControllerConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintEvictionControllerConfiguration.
+func (in *DeviceTaintEvictionControllerConfiguration) DeepCopy() *DeviceTaintEvictionControllerConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintEvictionControllerConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointControllerConfiguration) DeepCopyInto(out *EndpointControllerConfiguration) {
 	*out = *in
@@ -321,6 +337,7 @@ func (in *KubeControllerManagerConfiguration) DeepCopyInto(out *KubeControllerMa
 	out.ServiceController = in.ServiceController
 	out.TTLAfterFinishedController = in.TTLAfterFinishedController
 	out.ValidatingAdmissionPolicyStatusController = in.ValidatingAdmissionPolicyStatusController
+	out.DeviceTaintEvictionController = in.DeviceTaintEvictionController
 	return
 }
 
diff --git a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..9a5598f39db25
--- /dev/null
+++ b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,182 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AttachDetachControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.AttachDetachControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSRSigningConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.CSRSigningConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CSRSigningControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.CSRSigningControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CronJobControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.CronJobControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DaemonSetControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.DaemonSetControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeploymentControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.DeploymentControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeprecatedControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.DeprecatedControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DeviceTaintEvictionControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.DeviceTaintEvictionControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.EndpointControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSliceControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.EndpointSliceControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EndpointSliceMirroringControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.EndpointSliceMirroringControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in EphemeralVolumeControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.EphemeralVolumeControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GarbageCollectorControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.GarbageCollectorControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in GroupResource) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.GroupResource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in HPAControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.HPAControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in JobControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.JobControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeControllerManagerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.KubeControllerManagerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in LegacySATokenCleanerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.LegacySATokenCleanerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NamespaceControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.NamespaceControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeIPAMControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.NodeIPAMControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeLifecycleControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.NodeLifecycleControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeBinderControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.PersistentVolumeBinderControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PersistentVolumeRecyclerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.PersistentVolumeRecyclerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodGCControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.PodGCControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicaSetControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.ReplicaSetControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ReplicationControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.ReplicationControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceQuotaControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.ResourceQuotaControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SAControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.SAControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in StatefulSetControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.StatefulSetControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in TTLAfterFinishedControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.TTLAfterFinishedControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ValidatingAdmissionPolicyStatusControllerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.ValidatingAdmissionPolicyStatusControllerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-controller-manager.config.v1alpha1.VolumeConfiguration"
+}
diff --git a/staging/src/k8s.io/kube-controller-manager/go.mod b/staging/src/k8s.io/kube-controller-manager/go.mod
index 257947303486b..77e66a84da8eb 100644
--- a/staging/src/k8s.io/kube-controller-manager/go.mod
+++ b/staging/src/k8s.io/kube-controller-manager/go.mod
@@ -2,40 +2,41 @@
 
 module k8s.io/kube-controller-manager
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	k8s.io/apimachinery v0.34.1
+	k8s.io/apimachinery v0.35.1
 	k8s.io/cloud-provider v0.0.0
 	k8s.io/controller-manager v0.0.0
 )
 
 require (
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/component-base v0.34.1 // indirect
+	k8s.io/component-base v0.35.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/apiserver => ../apiserver
diff --git a/staging/src/k8s.io/kube-controller-manager/go.sum b/staging/src/k8s.io/kube-controller-manager/go.sum
index 68c64e70610a4..86a2602afcc76 100644
--- a/staging/src/k8s.io/kube-controller-manager/go.sum
+++ b/staging/src/k8s.io/kube-controller-manager/go.sum
@@ -19,14 +19,14 @@ github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSw
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -35,15 +35,15 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -63,111 +63,86 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/kube-proxy/config/v1alpha1/doc.go b/staging/src/k8s.io/kube-proxy/config/v1alpha1/doc.go
index 5937b74cf0e73..be101fa91fd25 100644
--- a/staging/src/k8s.io/kube-proxy/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kube-proxy.config.v1alpha1
+
 // +groupName=kubeproxy.config.k8s.io
 
 package v1alpha1
diff --git a/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..81f3b104234e1
--- /dev/null
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,57 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DetectLocalConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.DetectLocalConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyConntrackConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyConntrackConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyIPTablesConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyIPTablesConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyIPVSConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyIPVSConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyNFTablesConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyNFTablesConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeProxyWinkernelConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-proxy.config.v1alpha1.KubeProxyWinkernelConfiguration"
+}
diff --git a/staging/src/k8s.io/kube-proxy/go.mod b/staging/src/k8s.io/kube-proxy/go.mod
index 46df762712e4b..0a83b8a482823 100644
--- a/staging/src/k8s.io/kube-proxy/go.mod
+++ b/staging/src/k8s.io/kube-proxy/go.mod
@@ -2,9 +2,9 @@
 
 module k8s.io/kube-proxy
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	k8s.io/apimachinery v0.0.0
@@ -17,8 +17,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -26,31 +25,32 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/kube-proxy/go.sum b/staging/src/k8s.io/kube-proxy/go.sum
index 5457344d0dd7f..11765aa05538a 100644
--- a/staging/src/k8s.io/kube-proxy/go.sum
+++ b/staging/src/k8s.io/kube-proxy/go.sum
@@ -1,4 +1,5 @@
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -18,20 +19,20 @@ github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -41,8 +42,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -64,112 +63,91 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/kube-scheduler/config/v1/doc.go b/staging/src/k8s.io/kube-scheduler/config/v1/doc.go
index 2d0e79e132fea..08f9a7ecd7185 100644
--- a/staging/src/k8s.io/kube-scheduler/config/v1/doc.go
+++ b/staging/src/k8s.io/kube-scheduler/config/v1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kube-scheduler.config.v1
+
 // +groupName=kubescheduler.config.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/kube-scheduler/config/v1/types.go b/staging/src/k8s.io/kube-scheduler/config/v1/types.go
index 81e6354db11b2..8ff68a6ef028b 100644
--- a/staging/src/k8s.io/kube-scheduler/config/v1/types.go
+++ b/staging/src/k8s.io/kube-scheduler/config/v1/types.go
@@ -432,6 +432,33 @@ type DynamicResourcesArgs struct {
 	//
 	// Setting it to zero completely disables the timeout.
 	FilterTimeout *metav1.Duration `json:"filterTimeout"`
+
+	// BindingTimeout limits how long the PreBind extension point may wait for
+	// ResourceClaim device BindingConditions to become satisfied when such
+	// conditions are present. While waiting, the scheduler periodically checks
+	// device status. If the timeout elapses before all required conditions are
+	// true (or any bindingFailureConditions become true), the allocation is
+	// cleared and the Pod re-enters scheduling queue. Note that the same or other node may be
+	// chosen if feasible; otherwise the Pod is placed in the unschedulable queue and
+	// retried based on cluster changes and backoff.
+	//
+	// Defaults & feature gates:
+	//   - Defaults to 10 minutes when the DRADeviceBindingConditions feature gate is enabled.
+	//   - Has effect only when BOTH DRADeviceBindingConditions and
+	//     DRAResourceClaimDeviceStatus are enabled; otherwise omit this field.
+	//   - When DRADeviceBindingConditions is disabled, setting this field is considered an error.
+	//
+	// Valid values:
+	//   - >=1s (non-zero). No upper bound is enforced.
+	//
+	// Tuning guidance:
+	//   - Lower values reduce time-to-retry when devices aren’t ready but can
+	//     increase churn if drivers typically need longer to report readiness.
+	//   - Review scheduler latency metrics (e.g. PreBind duration in
+	//     `scheduler_framework_extension_point_duration_seconds`) and driver
+	//     readiness behavior before tightening this timeout.
+	BindingTimeout *metav1.Duration `json:"bindingTimeout,omitempty"`
 }
 
 const DynamicResourcesFilterTimeoutDefault = 10 * time.Second
+const DynamicResourcesBindingTimeoutDefault = 600 * time.Second
diff --git a/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.deepcopy.go
index 840fb650e3604..788a60279076a 100644
--- a/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.deepcopy.go
@@ -71,6 +71,11 @@ func (in *DynamicResourcesArgs) DeepCopyInto(out *DynamicResourcesArgs) {
 		*out = new(metav1.Duration)
 		**out = **in
 	}
+	if in.BindingTimeout != nil {
+		in, out := &in.BindingTimeout, &out.BindingTimeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.model_name.go b/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..523034dac5ce4
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/config/v1/zz_generated.model_name.go
@@ -0,0 +1,127 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DefaultPreemptionArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.DefaultPreemptionArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in DynamicResourcesArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.DynamicResourcesArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Extender) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.Extender"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExtenderManagedResource) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.ExtenderManagedResource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExtenderTLSConfig) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.ExtenderTLSConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in InterPodAffinityArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.InterPodAffinityArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeSchedulerConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.KubeSchedulerConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeSchedulerProfile) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.KubeSchedulerProfile"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeAffinityArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.NodeAffinityArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeResourcesBalancedAllocationArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.NodeResourcesBalancedAllocationArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeResourcesFitArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.NodeResourcesFitArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Plugin) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.Plugin"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PluginConfig) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.PluginConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PluginSet) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.PluginSet"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Plugins) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.Plugins"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodTopologySpreadArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.PodTopologySpreadArgs"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in RequestedToCapacityRatioParam) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.RequestedToCapacityRatioParam"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ResourceSpec) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.ResourceSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ScoringStrategy) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.ScoringStrategy"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UtilizationShapePoint) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.UtilizationShapePoint"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in VolumeBindingArgs) OpenAPIModelName() string {
+	return "io.k8s.kube-scheduler.config.v1.VolumeBindingArgs"
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/api_calls.go b/staging/src/k8s.io/kube-scheduler/framework/api_calls.go
new file mode 100644
index 0000000000000..923a731d303f2
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/framework/api_calls.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package framework
+
+import (
+	"context"
+
+	v1 "k8s.io/api/core/v1"
+)
+
+// APICacher defines methods that send API calls through the scheduler's cache
+// before they are executed asynchronously by the APIDispatcher.
+// This ensures the scheduler's internal state is updated optimistically,
+// reflecting the intended outcome of the call.
+// This methods should be used only if the SchedulerAsyncAPICalls feature gate is enabled.
+type APICacher interface {
+	// PatchPodStatus sends a patch request for a Pod's status.
+	// The patch could be first applied to the cached Pod object and then the API call is executed asynchronously.
+	// It returns a channel that can be used to wait for the call's completion.
+	PatchPodStatus(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *NominatingInfo) (<-chan error, error)
+
+	// BindPod sends a binding request. The binding could be first applied to the cached Pod object
+	// and then the API call is executed asynchronously.
+	// It returns a channel that can be used to wait for the call's completion.
+	BindPod(binding *v1.Binding) (<-chan error, error)
+
+	// WaitOnFinish blocks until the result of an API call is sent to the given onFinish channel
+	// (returned by methods BindPod or PreemptPod).
+	//
+	// It returns the error received from the channel.
+	// It also returns nil if the call was skipped or overwritten,
+	// as these are considered successful lifecycle outcomes.
+	// Direct onFinish channel read can be used to access these results.
+	WaitOnFinish(ctx context.Context, onFinish <-chan error) error
+}
+
+// APICallImplementations define constructors for each APICall that is used by the scheduler internally.
+type APICallImplementations[T, K APICall] struct {
+	// PodStatusPatch is a constructor used to create APICall object for pod status patch.
+	PodStatusPatch func(pod *v1.Pod, condition *v1.PodCondition, nominatingInfo *NominatingInfo) T
+	// PodBinding is a constructor used to create APICall object for pod binding.
+	PodBinding func(binding *v1.Binding) K
+}
diff --git a/pkg/scheduler/framework/extender.go b/staging/src/k8s.io/kube-scheduler/framework/extender.go
similarity index 90%
rename from pkg/scheduler/framework/extender.go
rename to staging/src/k8s.io/kube-scheduler/framework/extender.go
index 2a4ea267cdda3..3cfef949717e1 100644
--- a/pkg/scheduler/framework/extender.go
+++ b/staging/src/k8s.io/kube-scheduler/framework/extender.go
@@ -19,7 +19,6 @@ package framework
 import (
 	v1 "k8s.io/api/core/v1"
 	extenderv1 "k8s.io/kube-scheduler/extender/v1"
-	fwk "k8s.io/kube-scheduler/framework"
 )
 
 // Extender is an interface for external processes to influence scheduling
@@ -34,12 +33,12 @@ type Extender interface {
 	// The failedNodes and failedAndUnresolvableNodes optionally contains the list
 	// of failed nodes and failure reasons, except nodes in the latter are
 	// unresolvable.
-	Filter(pod *v1.Pod, nodes []fwk.NodeInfo) (filteredNodes []fwk.NodeInfo, failedNodesMap extenderv1.FailedNodesMap, failedAndUnresolvable extenderv1.FailedNodesMap, err error)
+	Filter(pod *v1.Pod, nodes []NodeInfo) (filteredNodes []NodeInfo, failedNodesMap extenderv1.FailedNodesMap, failedAndUnresolvable extenderv1.FailedNodesMap, err error)
 
 	// Prioritize based on extender-implemented priority functions. The returned scores & weight
 	// are used to compute the weighted score for an extender. The weighted scores are added to
 	// the scores computed by Kubernetes scheduler. The total scores are used to do the host selection.
-	Prioritize(pod *v1.Pod, nodes []fwk.NodeInfo) (hostPriorities *extenderv1.HostPriorityList, weight int64, err error)
+	Prioritize(pod *v1.Pod, nodes []NodeInfo) (hostPriorities *extenderv1.HostPriorityList, weight int64, err error)
 
 	// Bind delegates the action of binding a pod to a node to the extender.
 	Bind(binding *v1.Binding) error
diff --git a/staging/src/k8s.io/kube-scheduler/framework/interface.go b/staging/src/k8s.io/kube-scheduler/framework/interface.go
index 529272b5dab4b..dff535cb4c6b3 100644
--- a/staging/src/k8s.io/kube-scheduler/framework/interface.go
+++ b/staging/src/k8s.io/kube-scheduler/framework/interface.go
@@ -19,11 +19,23 @@ limitations under the License.
 package framework
 
 import (
+	"context"
 	"errors"
+	"math"
 	"strings"
+	"time"
 
 	"github.com/google/go-cmp/cmp"         //nolint:depguard
 	"github.com/google/go-cmp/cmp/cmpopts" //nolint:depguard
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/informers"
+	clientset "k8s.io/client-go/kubernetes"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/events"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
 )
 
 // Code is the Status code/type which is returned from plugins.
@@ -233,3 +245,580 @@ func AsStatus(err error) *Status {
 		err:  err,
 	}
 }
+
+// NodeToStatusReader is a read-only interface of NodeToStatus passed to each PostFilter plugin.
+type NodeToStatusReader interface {
+	// Get returns the status for given nodeName.
+	// If the node is not in the map, the AbsentNodesStatus is returned.
+	Get(nodeName string) *Status
+	// NodesForStatusCode returns a list of NodeInfos for the nodes that have a given status code.
+	// It returns the NodeInfos for all matching nodes denoted by AbsentNodesStatus as well.
+	NodesForStatusCode(nodeLister NodeInfoLister, code Code) ([]NodeInfo, error)
+}
+
+// NodeScoreList declares a list of nodes and their scores.
+type NodeScoreList []NodeScore
+
+// NodeScore is a struct with node name and score.
+type NodeScore struct {
+	Name  string
+	Score int64
+}
+
+// NodePluginScores is a struct with node name and scores for that node.
+type NodePluginScores struct {
+	// Name is node name.
+	Name string
+	// Scores is scores from plugins and extenders.
+	Scores []PluginScore
+	// TotalScore is the total score in Scores.
+	TotalScore int64
+	// Randomizer is used to provide randomness
+	// when randomizing nodes within a common score.
+	Randomizer int
+}
+
+// PluginScore is a struct with plugin/extender name and score.
+type PluginScore struct {
+	// Name is the name of plugin or extender.
+	Name  string
+	Score int64
+}
+
+const (
+	// MaxNodeScore is the maximum score a Score plugin is expected to return.
+	MaxNodeScore int64 = 100
+
+	// MinNodeScore is the minimum score a Score plugin is expected to return.
+	MinNodeScore int64 = 0
+
+	// MaxTotalScore is the maximum total score.
+	MaxTotalScore int64 = math.MaxInt64
+)
+
+type NominatingMode int
+
+const (
+	ModeNoop NominatingMode = iota
+	ModeOverride
+)
+
+type NominatingInfo struct {
+	NominatedNodeName string
+	NominatingMode    NominatingMode
+}
+
+func (ni *NominatingInfo) Mode() NominatingMode {
+	if ni == nil {
+		return ModeNoop
+	}
+	return ni.NominatingMode
+}
+
+// WaitingPod represents a pod currently waiting in the permit phase.
+type WaitingPod interface {
+	// GetPod returns a reference to the waiting pod.
+	GetPod() *v1.Pod
+	// GetPendingPlugins returns a list of pending Permit plugin's name.
+	GetPendingPlugins() []string
+	// Allow declares the waiting pod is allowed to be scheduled by the plugin named as "pluginName".
+	// If this is the last remaining plugin to allow, then a success signal is delivered
+	// to unblock the pod.
+	Allow(pluginName string)
+	// Reject declares the waiting pod unschedulable.
+	Reject(pluginName, msg string)
+}
+
+// PreFilterResult wraps needed info for scheduler framework to act upon PreFilter phase.
+type PreFilterResult struct {
+	// The set of nodes that should be considered downstream; if nil then
+	// all nodes are eligible.
+	NodeNames sets.Set[string]
+}
+
+func (p *PreFilterResult) AllNodes() bool {
+	return p == nil || p.NodeNames == nil
+}
+
+func (p *PreFilterResult) Merge(in *PreFilterResult) *PreFilterResult {
+	if p.AllNodes() && in.AllNodes() {
+		return nil
+	}
+
+	r := PreFilterResult{}
+	if p.AllNodes() {
+		r.NodeNames = in.NodeNames.Clone()
+		return &r
+	}
+	if in.AllNodes() {
+		r.NodeNames = p.NodeNames.Clone()
+		return &r
+	}
+
+	r.NodeNames = p.NodeNames.Intersection(in.NodeNames)
+	return &r
+}
+
+// PostFilterResult wraps needed info for scheduler framework to act upon PostFilter phase.
+type PostFilterResult struct {
+	*NominatingInfo
+}
+
+// Plugin is the parent type for all the scheduling framework plugins.
+type Plugin interface {
+	Name() string
+}
+
+// PreEnqueuePlugin is an interface that must be implemented by "PreEnqueue" plugins.
+// These plugins are called prior to adding Pods to activeQ or backoffQ.
+// Note: an preEnqueue plugin is expected to be lightweight and efficient, so it's not expected to
+// involve expensive calls like accessing external endpoints; otherwise it'd block other
+// Pods' enqueuing in event handlers.
+type PreEnqueuePlugin interface {
+	Plugin
+	// PreEnqueue is called prior to adding Pods to activeQ or backoffQ.
+	PreEnqueue(ctx context.Context, p *v1.Pod) *Status
+}
+
+// LessFunc is the function to sort pod info
+type LessFunc func(podInfo1, podInfo2 QueuedPodInfo) bool
+
+// QueueSortPlugin is an interface that must be implemented by "QueueSort" plugins.
+// These plugins are used to sort pods in the scheduling queue. Only one queue sort
+// plugin may be enabled at a time.
+type QueueSortPlugin interface {
+	Plugin
+	// Less are used to sort pods in the scheduling queue.
+	Less(QueuedPodInfo, QueuedPodInfo) bool
+}
+
+// EnqueueExtensions is an optional interface that plugins can implement to efficiently
+// move unschedulable Pods in internal scheduling queues.
+// In the scheduler, Pods can be unschedulable by PreEnqueue, PreFilter, Filter, Reserve, and Permit plugins,
+// and Pods rejected by these plugins are requeued based on this extension point.
+// Failures from other extension points are regarded as temporal errors (e.g., network failure),
+// and the scheduler requeue Pods without this extension point - always requeue Pods to activeQ after backoff.
+// This is because such temporal errors cannot be resolved by specific cluster events,
+// and we have no choose but keep retrying scheduling until the failure is resolved.
+//
+// Plugins that make pod unschedulable (PreEnqueue, PreFilter, Filter, Reserve, and Permit plugins) must implement this interface,
+// otherwise the default implementation will be used, which is less efficient in requeueing Pods rejected by the plugin.
+//
+// Also, if EventsToRegister returns an empty list, that means the Pods failed by the plugin are not requeued by any events,
+// which doesn't make sense in most cases (very likely misuse)
+// since the pods rejected by the plugin could be stuck in the unschedulable pod pool forever.
+//
+// If plugins other than above extension points support this interface, they are just ignored.
+type EnqueueExtensions interface {
+	Plugin
+	// EventsToRegister returns a series of possible events that may cause a Pod
+	// failed by this plugin schedulable. Each event has a callback function that
+	// filters out events to reduce useless retry of Pod's scheduling.
+	// The events will be registered when instantiating the internal scheduling queue,
+	// and leveraged to build event handlers dynamically.
+	// When it returns an error, the scheduler fails to start.
+	// Note: the returned list needs to be determined at a startup,
+	// and the scheduler only evaluates it once during start up.
+	// Do not change the result during runtime, for example, based on the cluster's state etc.
+	//
+	// Appropriate implementation of this function will make Pod's re-scheduling accurate and performant.
+	EventsToRegister(context.Context) ([]ClusterEventWithHint, error)
+}
+
+// PreFilterExtensions is an interface that is included in plugins that allow specifying
+// callbacks to make incremental updates to its supposedly pre-calculated
+// state.
+type PreFilterExtensions interface {
+	// AddPod is called by the framework while trying to evaluate the impact
+	// of adding podToAdd to the node while scheduling podToSchedule.
+	AddPod(ctx context.Context, state CycleState, podToSchedule *v1.Pod, podInfoToAdd PodInfo, nodeInfo NodeInfo) *Status
+	// RemovePod is called by the framework while trying to evaluate the impact
+	// of removing podToRemove from the node while scheduling podToSchedule.
+	RemovePod(ctx context.Context, state CycleState, podToSchedule *v1.Pod, podInfoToRemove PodInfo, nodeInfo NodeInfo) *Status
+}
+
+// PreFilterPlugin is an interface that must be implemented by "PreFilter" plugins.
+// These plugins are called at the beginning of the scheduling cycle. Plugins that implement PreFilterPlugin should
+// also implement SignPlugin to enable batching optimizations.
+type PreFilterPlugin interface {
+	Plugin
+	// PreFilter is called at the beginning of the scheduling cycle. All PreFilter
+	// plugins must return success or the pod will be rejected. PreFilter could optionally
+	// return a PreFilterResult to influence which nodes to evaluate downstream. This is useful
+	// for cases where it is possible to determine the subset of nodes to process in O(1) time.
+	// When PreFilterResult filters out some Nodes, the framework considers Nodes that are filtered out as getting "UnschedulableAndUnresolvable".
+	// i.e., those Nodes will be out of the candidates of the preemption.
+	//
+	// When it returns Skip status, returned PreFilterResult and other fields in status are just ignored,
+	// and coupled Filter plugin/PreFilterExtensions() will be skipped in this scheduling cycle.
+	PreFilter(ctx context.Context, state CycleState, p *v1.Pod, nodes []NodeInfo) (*PreFilterResult, *Status)
+	// PreFilterExtensions returns a PreFilterExtensions interface if the plugin implements one,
+	// or nil if it does not. A Pre-filter plugin can provide extensions to incrementally
+	// modify its pre-processed info. The framework guarantees that the extensions
+	// AddPod/RemovePod will only be called after PreFilter, possibly on a cloned
+	// CycleState, and may call those functions more than once before calling
+	// Filter again on a specific node.
+	PreFilterExtensions() PreFilterExtensions
+}
+
+// FilterPlugin is an interface for Filter plugins. These plugins are called at the
+// filter extension point for filtering out hosts that cannot run a pod.
+// This concept used to be called 'predicate' in the original scheduler.
+// These plugins should return "Success", "Unschedulable" or "Error" in Status.code.
+// However, the scheduler accepts other valid codes as well.
+// Anything other than "Success" will lead to exclusion of the given host from
+// running the pod. Plugins that implement FilterPlugin should
+// also implement SignPlugin to enable batching optimizations.
+type FilterPlugin interface {
+	Plugin
+	// Filter is called by the scheduling framework.
+	// All FilterPlugins should return "Success" to declare that
+	// the given node fits the pod. If Filter doesn't return "Success",
+	// it will return "Unschedulable", "UnschedulableAndUnresolvable" or "Error".
+	//
+	// "Error" aborts pod scheduling and puts the pod into the backoff queue.
+	//
+	// For the node being evaluated, Filter plugins should look at the passed
+	// nodeInfo reference for this particular node's information (e.g., pods
+	// considered to be running on the node) instead of looking it up in the
+	// NodeInfoSnapshot because we don't guarantee that they will be the same.
+	// For example, during preemption, we may pass a copy of the original
+	// nodeInfo object that has some pods removed from it to evaluate the
+	// possibility of preempting them to schedule the target pod.
+	//
+	// Plugins are encouraged to check the context for cancellation.
+	// Once canceled, they should return as soon as possible with
+	// an UnschedulableAndUnresolvable status that includes the
+	// `context.Cause(ctx)` error explanation. For example, the
+	// context gets canceled when a sufficient number of suitable
+	// nodes have been found and searching for more isn't necessary
+	// anymore.
+	Filter(ctx context.Context, state CycleState, pod *v1.Pod, nodeInfo NodeInfo) *Status
+}
+
+// PostFilterPlugin is an interface for "PostFilter" plugins. These plugins are called
+// after a pod cannot be scheduled.
+type PostFilterPlugin interface {
+	Plugin
+	// PostFilter is called by the scheduling framework
+	// when the scheduling cycle failed at PreFilter or Filter by Unschedulable or UnschedulableAndUnresolvable.
+	// NodeToStatusReader has statuses that each Node got in PreFilter or Filter phase.
+	//
+	// If you're implementing a custom preemption with PostFilter, ignoring Nodes with UnschedulableAndUnresolvable is the responsibility of your plugin,
+	// meaning NodeToStatusReader could have Nodes with UnschedulableAndUnresolvable
+	// and the scheduling framework does call PostFilter plugins even when all Nodes in NodeToStatusReader are UnschedulableAndUnresolvable.
+	//
+	// A PostFilter plugin should return one of the following statuses:
+	// - Unschedulable: the plugin gets executed successfully but the pod cannot be made schedulable.
+	// - Success: the plugin gets executed successfully and the pod can be made schedulable.
+	// - Error: the plugin aborts due to some internal error.
+	//
+	// Informational plugins should be configured ahead of other ones, and always return Unschedulable status.
+	// Optionally, a non-nil PostFilterResult may be returned along with a Success status. For example,
+	// a preemption plugin may choose to return nominatedNodeName, so that framework can reuse that to update the
+	// preemptor pod's .spec.status.nominatedNodeName field.
+	PostFilter(ctx context.Context, state CycleState, pod *v1.Pod, filteredNodeStatusMap NodeToStatusReader) (*PostFilterResult, *Status)
+}
+
+// PreScorePlugin is an interface for "PreScore" plugin. PreScore is an
+// informational extension point. Plugins will be called with a list of nodes
+// that passed the filtering phase. A plugin may use this data to update internal
+// state or to generate logs/metrics. Plugins that implement PreScorePlugin should
+// also implement SignPlugin to enable batching optimizations.
+type PreScorePlugin interface {
+	Plugin
+	// PreScore is called by the scheduling framework after a list of nodes
+	// passed the filtering phase. All prescore plugins must return success or
+	// the pod will be rejected
+	// When it returns Skip status, other fields in status are just ignored,
+	// and coupled Score plugin will be skipped in this scheduling cycle.
+	PreScore(ctx context.Context, state CycleState, pod *v1.Pod, nodes []NodeInfo) *Status
+}
+
+// ScoreExtensions is an interface for Score extended functionality.
+type ScoreExtensions interface {
+	// NormalizeScore is called for all node scores produced by the same plugin's "Score"
+	// method. A successful run of NormalizeScore will update the scores list and return
+	// a success status.
+	NormalizeScore(ctx context.Context, state CycleState, p *v1.Pod, scores NodeScoreList) *Status
+}
+
+// ScorePlugin is an interface that must be implemented by "Score" plugins to rank
+// nodes that passed the filtering phase. Plugins that implement ScorePlugin should
+// also implement SignPlugin to enable batching optimizations.
+type ScorePlugin interface {
+	Plugin
+	// Score is called on each filtered node. It must return success and an integer
+	// indicating the rank of the node. All scoring plugins must return success or
+	// the pod will be rejected.
+	Score(ctx context.Context, state CycleState, p *v1.Pod, nodeInfo NodeInfo) (int64, *Status)
+
+	// ScoreExtensions returns a ScoreExtensions interface if it implements one, or nil if does not.
+	ScoreExtensions() ScoreExtensions
+}
+
+// ReservePlugin is an interface for plugins with Reserve and Unreserve
+// methods. These are meant to update the state of the plugin. This concept
+// used to be called 'assume' in the original scheduler. These plugins should
+// return only Success or Error in Status.code. However, the scheduler accepts
+// other valid codes as well. Anything other than Success will lead to
+// rejection of the pod.
+type ReservePlugin interface {
+	Plugin
+	// Reserve is called by the scheduling framework when the scheduler cache is
+	// updated. If this method returns a failed Status, the scheduler will call
+	// the Unreserve method for all enabled ReservePlugins.
+	Reserve(ctx context.Context, state CycleState, p *v1.Pod, nodeName string) *Status
+	// Unreserve is called by the scheduling framework when a reserved pod was
+	// rejected, an error occurred during reservation of subsequent plugins, or
+	// in a later phase. The Unreserve method implementation must be idempotent
+	// and may be called by the scheduler even if the corresponding Reserve
+	// method for the same plugin was not called.
+	Unreserve(ctx context.Context, state CycleState, p *v1.Pod, nodeName string)
+}
+
+// PreBindPlugin is an interface that must be implemented by "PreBind" plugins.
+// These plugins are called before a pod being scheduled.
+type PreBindPlugin interface {
+	Plugin
+	// PreBindPreFlight is called before PreBind, and the plugin is supposed to return Success, Skip, or Error status.
+	// If it returns Success, it means this PreBind plugin will handle this pod.
+	// If it returns Skip, it means this PreBind plugin has nothing to do with the pod, and PreBind will be skipped.
+	// This function should be lightweight, and shouldn't do any actual operation, e.g., creating a volume etc.
+	PreBindPreFlight(ctx context.Context, state CycleState, p *v1.Pod, nodeName string) *Status
+
+	// PreBind is called before binding a pod. All prebind plugins must return
+	// success or the pod will be rejected and won't be sent for binding.
+	PreBind(ctx context.Context, state CycleState, p *v1.Pod, nodeName string) *Status
+}
+
+// PostBindPlugin is an interface that must be implemented by "PostBind" plugins.
+// These plugins are called after a pod is successfully bound to a node.
+type PostBindPlugin interface {
+	Plugin
+	// PostBind is called after a pod is successfully bound. These plugins are
+	// informational. A common application of this extension point is for cleaning
+	// up. If a plugin needs to clean-up its state after a pod is scheduled and
+	// bound, PostBind is the extension point that it should register.
+	PostBind(ctx context.Context, state CycleState, p *v1.Pod, nodeName string)
+}
+
+// PermitPlugin is an interface that must be implemented by "Permit" plugins.
+// These plugins are called before a pod is bound to a node.
+type PermitPlugin interface {
+	Plugin
+	// Permit is called before binding a pod (and before prebind plugins). Permit
+	// plugins are used to prevent or delay the binding of a Pod. A permit plugin
+	// must return success or wait with timeout duration, or the pod will be rejected.
+	// The pod will also be rejected if the wait timeout or the pod is rejected while
+	// waiting. Note that if the plugin returns "wait", the framework will wait only
+	// after running the remaining plugins given that no other plugin rejects the pod.
+	Permit(ctx context.Context, state CycleState, p *v1.Pod, nodeName string) (*Status, time.Duration)
+}
+
+// BindPlugin is an interface that must be implemented by "Bind" plugins. Bind
+// plugins are used to bind a pod to a Node.
+type BindPlugin interface {
+	Plugin
+	// Bind plugins will not be called until all pre-bind plugins have completed. Each
+	// bind plugin is called in the configured order. A bind plugin may choose whether
+	// or not to handle the given Pod. If a bind plugin chooses to handle a Pod, the
+	// remaining bind plugins are skipped. When a bind plugin does not handle a pod,
+	// it must return Skip in its Status code. If a bind plugin returns an Error, the
+	// pod is rejected and will not be bound.
+	Bind(ctx context.Context, state CycleState, p *v1.Pod, nodeName string) *Status
+}
+
+// A portion of a pod signature. The sign fragments from all plugins are combined
+// together to create a unified signature.
+type SignFragment struct {
+	// Pod signature fragments are identified by a key, i.e., fragments with the same key
+	// should contain the same value for the same pod. Plugin authors can return the same SignFragment
+	// from multiple plugins, the framework just ignores duplicates. This allows plugins to share signers easily.
+	//
+	// Fragment names can be found in k8s.io/kube-scheduler/framework/signers.go. New fragment names for
+	// in-tree plugins should be added there, and custom plugins can also use them.
+	// Simple SignFragments which return a field should have names that follow the field name they return.
+	// So a SignFragment that returns NodeName would have the key:
+	//
+	//	"v1.Pod.Spec.NodeName"
+	//
+	// If a SignFragment does some processing on the resource, its name should include the path to the base of the state it uses,
+	// and then suffix this with a descriptive function name followed by (). So, for example, a SignFragment that only returns
+	// Ephemeral volumes might use the key:
+	//
+	//	"v1.Pod.Volumes.EphemeralVolumes()"
+	Key string
+
+	// The value of a SignFragment must be a json-marshallable object. Remember that we need to compare these across pods, so
+	// plugins should ensure that lists where order doesn't matter are sorted, for example.
+	Value any
+}
+
+// The signature for a given pod after all of the results from plugins are consolidated.
+type PodSignature []byte
+
+// SignPlugin is an interface that should be implemented by plugins that either filter or score
+// pods to enable batching and gang scheduling optimizations.
+// Each plugin returns SignFragments used to build a single signature per pod entering the scheduling cycle,
+// and the scheduler uses signatures to determine whether it can use a cached scheduling result, or needs to
+// recompute the prioritized nodes.
+//
+// If an enabled plugin that does Scoring, Prescoring, Filtering or Prefiltering does not implement this interface we will turn off batching for all pods.
+type SignPlugin interface {
+	Plugin
+	// SignPod returns SignFragments for use in batching. This is called at every scheduling cycle
+	// and is used to construct a signature builder used for pods. (KEP-5598).
+	//
+	// The sign fragments from all the plugins are combined to create a single signature. Only one fragment
+	// with a given key will be included.
+	//
+	// Status means:
+	//   - Success: the signer can sign the pod, accompanied by a set of signature fragments to be included.
+	//   - Unschedulable: the signer refuses to sign the pod, meaning the pod is not eligible for opportunistic batching optimization.
+	//   - Error: the signer hits something _unexpected_ and cannot build sign(s). A framework runtime just
+	//     proceeds with scheduling this pod without opportunistic batching optimization like Unschedulable,
+	//     but just report errors to logs.
+	SignPod(ctx context.Context, pod *v1.Pod) ([]SignFragment, *Status)
+}
+
+// Handle provides data and some tools that plugins can use. It is
+// passed to the plugin factories at the time of plugin initialization. Plugins
+// must store and use this handle to call framework functions.
+type Handle interface {
+	// PodNominator abstracts operations to maintain nominated Pods.
+	PodNominator
+	// PluginsRunner abstracts operations to run some plugins.
+	PluginsRunner
+	// PodActivator abstracts operations in the scheduling queue.
+	PodActivator
+	// SnapshotSharedLister returns listers from the latest NodeInfo Snapshot. The snapshot
+	// is taken at the beginning of a scheduling cycle and remains unchanged until
+	// a pod finishes "Permit" point.
+	//
+	// It should be used only during scheduling cycle:
+	// - There is no guarantee that the information remains unchanged in the binding phase of scheduling.
+	//   So, plugins shouldn't use it in the binding cycle (pre-bind/bind/post-bind/un-reserve plugin)
+	//   otherwise, a concurrent read/write error might occur.
+	// - There is no guarantee that the information is always up-to-date.
+	//   So, plugins shouldn't use it in QueueingHint and PreEnqueue
+	//   otherwise, they might make a decision based on stale information.
+	//
+	// Instead, they should use the resources getting from Informer created from SharedInformerFactory().
+	SnapshotSharedLister() SharedLister
+
+	// IterateOverWaitingPods acquires a read lock and iterates over the WaitingPods map.
+	IterateOverWaitingPods(callback func(WaitingPod))
+
+	// GetWaitingPod returns a waiting pod given its UID.
+	GetWaitingPod(uid types.UID) WaitingPod
+
+	// RejectWaitingPod rejects a waiting pod given its UID.
+	// The return value indicates if the pod is waiting or not.
+	RejectWaitingPod(uid types.UID) bool
+
+	// ClientSet returns a kubernetes clientSet.
+	ClientSet() clientset.Interface
+
+	// KubeConfig returns the raw kube config.
+	KubeConfig() *restclient.Config
+
+	// EventRecorder returns an event recorder.
+	EventRecorder() events.EventRecorder
+
+	SharedInformerFactory() informers.SharedInformerFactory
+
+	// SharedDRAManager can be used to obtain DRA objects, and track modifications to them in-memory - mainly by the DRA plugin.
+	// A non-default implementation can be plugged into the framework to simulate the state of DRA objects.
+	SharedDRAManager() SharedDRAManager
+
+	// SharedCSIManager can be used to obtain CSINode objects, and track changes to them in-memory.
+	// A non-default implementation can be plugged into the framework to simulate the state of CSINode objects.
+	SharedCSIManager() CSIManager
+
+	// RunFilterPluginsWithNominatedPods runs the set of configured filter plugins for nominated pod on the given node.
+	RunFilterPluginsWithNominatedPods(ctx context.Context, state CycleState, pod *v1.Pod, info NodeInfo) *Status
+
+	// Extenders returns registered scheduler extenders.
+	Extenders() []Extender
+
+	// Parallelizer returns a parallelizer holding parallelism for scheduler.
+	Parallelizer() Parallelizer
+
+	// APIDispatcher returns a APIDispatcher that can be used to dispatch API calls directly.
+	// This is non-nil if the SchedulerAsyncAPICalls feature gate is enabled.
+	APIDispatcher() APIDispatcher
+
+	// APICacher returns an APICacher that coordinates API calls with the scheduler's internal cache.
+	// Use this to ensure the scheduler's view of the cluster remains consistent.
+	// This is non-nil if the SchedulerAsyncAPICalls feature gate is enabled.
+	APICacher() APICacher
+
+	// ProfileName returns the profile name associated to a profile.
+	ProfileName() string
+
+	// WorkloadManager can be used to provide workload-aware scheduling.
+	WorkloadManager() WorkloadManager
+
+	// Sign a pod.
+	SignPod(ctx context.Context, pod *v1.Pod, recordPluginStats bool) PodSignature
+}
+
+// Parallelizer helps run scheduling operations in parallel chunks where possible, to improve performance and CPU utilization.
+type Parallelizer interface {
+	// Until executes the given func doWorkPiece in parallel chunks, if applicable. Max number of chunks is param pieces.
+	Until(ctx context.Context, pieces int, doWorkPiece workqueue.DoWorkPieceFunc, operation string)
+}
+
+// PodActivator abstracts operations in the scheduling queue.
+type PodActivator interface {
+	// Activate moves the given pods to activeQ.
+	// If a pod isn't found in unschedulablePods or backoffQ and it's in-flight,
+	// the wildcard event is registered so that the pod will be requeued when it comes back.
+	// But, if a pod isn't found in unschedulablePods or backoffQ and it's not in-flight (i.e., completely unknown pod),
+	// Activate would ignore the pod.
+	Activate(logger klog.Logger, pods map[string]*v1.Pod)
+}
+
+// PodNominator abstracts operations to maintain nominated Pods.
+type PodNominator interface {
+	// AddNominatedPod adds the given pod to the nominator or
+	// updates it if it already exists.
+	AddNominatedPod(logger klog.Logger, pod PodInfo, nominatingInfo *NominatingInfo)
+	// DeleteNominatedPodIfExists deletes nominatedPod from internal cache. It's a no-op if it doesn't exist.
+	DeleteNominatedPodIfExists(pod *v1.Pod)
+	// UpdateNominatedPod updates the <oldPod> with <newPod>.
+	UpdateNominatedPod(logger klog.Logger, oldPod *v1.Pod, newPodInfo PodInfo)
+	// NominatedPodsForNode returns nominatedPods on the given node.
+	NominatedPodsForNode(nodeName string) []PodInfo
+}
+
+// PluginsRunner abstracts operations to run some plugins.
+// This is used by preemption PostFilter plugins when evaluating the feasibility of
+// scheduling the pod on nodes when certain running pods get evicted.
+type PluginsRunner interface {
+	// RunPreScorePlugins runs the set of configured PreScore plugins. If any
+	// of these plugins returns any status other than "Success", the given pod is rejected.
+	RunPreScorePlugins(context.Context, CycleState, *v1.Pod, []NodeInfo) *Status
+	// RunScorePlugins runs the set of configured scoring plugins.
+	// It returns a list that stores scores from each plugin and total score for each Node.
+	// It also returns *Status, which is set to non-success if any of the plugins returns
+	// a non-success status.
+	RunScorePlugins(context.Context, CycleState, *v1.Pod, []NodeInfo) ([]NodePluginScores, *Status)
+	// RunFilterPlugins runs the set of configured Filter plugins for pod on
+	// the given node. Note that for the node being evaluated, the passed nodeInfo
+	// reference could be different from the one in NodeInfoSnapshot map (e.g., pods
+	// considered to be running on the node could be different). For example, during
+	// preemption, we may pass a copy of the original nodeInfo object that has some pods
+	// removed from it to evaluate the possibility of preempting them to
+	// schedule the target pod.
+	RunFilterPlugins(context.Context, CycleState, *v1.Pod, NodeInfo) *Status
+	// RunPreFilterExtensionAddPod calls the AddPod interface for the set of configured
+	// PreFilter plugins. It returns directly if any of the plugins return any
+	// status other than Success.
+	RunPreFilterExtensionAddPod(ctx context.Context, state CycleState, podToSchedule *v1.Pod, podInfoToAdd PodInfo, nodeInfo NodeInfo) *Status
+	// RunPreFilterExtensionRemovePod calls the RemovePod interface for the set of configured
+	// PreFilter plugins. It returns directly if any of the plugins return any
+	// status other than Success.
+	RunPreFilterExtensionRemovePod(ctx context.Context, state CycleState, podToSchedule *v1.Pod, podInfoToRemove PodInfo, nodeInfo NodeInfo) *Status
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/interface_test.go b/staging/src/k8s.io/kube-scheduler/framework/interface_test.go
new file mode 100644
index 0000000000000..117f7802a9470
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/framework/interface_test.go
@@ -0,0 +1,262 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package framework
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+var errorStatus = NewStatus(Error, "internal error")
+var statusWithErr = AsStatus(errors.New("internal error"))
+
+func TestStatus(t *testing.T) {
+	tests := []struct {
+		name              string
+		status            *Status
+		expectedCode      Code
+		expectedMessage   string
+		expectedIsSuccess bool
+		expectedIsWait    bool
+		expectedIsSkip    bool
+		expectedAsError   error
+	}{
+		{
+			name:              "success status",
+			status:            NewStatus(Success, ""),
+			expectedCode:      Success,
+			expectedMessage:   "",
+			expectedIsSuccess: true,
+			expectedIsWait:    false,
+			expectedIsSkip:    false,
+			expectedAsError:   nil,
+		},
+		{
+			name:              "wait status",
+			status:            NewStatus(Wait, ""),
+			expectedCode:      Wait,
+			expectedMessage:   "",
+			expectedIsSuccess: false,
+			expectedIsWait:    true,
+			expectedIsSkip:    false,
+			expectedAsError:   nil,
+		},
+		{
+			name:              "error status",
+			status:            NewStatus(Error, "unknown error"),
+			expectedCode:      Error,
+			expectedMessage:   "unknown error",
+			expectedIsSuccess: false,
+			expectedIsWait:    false,
+			expectedIsSkip:    false,
+			expectedAsError:   errors.New("unknown error"),
+		},
+		{
+			name:              "skip status",
+			status:            NewStatus(Skip, ""),
+			expectedCode:      Skip,
+			expectedMessage:   "",
+			expectedIsSuccess: false,
+			expectedIsWait:    false,
+			expectedIsSkip:    true,
+			expectedAsError:   nil,
+		},
+		{
+			name:              "nil status",
+			status:            nil,
+			expectedCode:      Success,
+			expectedMessage:   "",
+			expectedIsSuccess: true,
+			expectedIsSkip:    false,
+			expectedAsError:   nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.status.Code() != test.expectedCode {
+				t.Errorf("expect status.Code() returns %v, but %v", test.expectedCode, test.status.Code())
+			}
+
+			if test.status.Message() != test.expectedMessage {
+				t.Errorf("expect status.Message() returns %v, but %v", test.expectedMessage, test.status.Message())
+			}
+
+			if test.status.IsSuccess() != test.expectedIsSuccess {
+				t.Errorf("expect status.IsSuccess() returns %v, but %v", test.expectedIsSuccess, test.status.IsSuccess())
+			}
+
+			if test.status.IsWait() != test.expectedIsWait {
+				t.Errorf("status.IsWait() returns %v, but want %v", test.status.IsWait(), test.expectedIsWait)
+			}
+
+			if test.status.IsSkip() != test.expectedIsSkip {
+				t.Errorf("status.IsSkip() returns %v, but want %v", test.status.IsSkip(), test.expectedIsSkip)
+			}
+
+			if errors.Is(test.status.AsError(), test.expectedAsError) {
+				return
+			}
+
+			if test.status.AsError().Error() != test.expectedAsError.Error() {
+				t.Errorf("expect status.AsError() returns %v, but %v", test.expectedAsError, test.status.AsError())
+			}
+		})
+	}
+}
+
+func TestPreFilterResultMerge(t *testing.T) {
+	tests := map[string]struct {
+		receiver *PreFilterResult
+		in       *PreFilterResult
+		want     *PreFilterResult
+	}{
+		"all nil": {},
+		"nil receiver empty input": {
+			in:   &PreFilterResult{NodeNames: sets.New[string]()},
+			want: &PreFilterResult{NodeNames: sets.New[string]()},
+		},
+		"empty receiver nil input": {
+			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
+			want:     &PreFilterResult{NodeNames: sets.New[string]()},
+		},
+		"empty receiver empty input": {
+			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
+			in:       &PreFilterResult{NodeNames: sets.New[string]()},
+			want:     &PreFilterResult{NodeNames: sets.New[string]()},
+		},
+		"nil receiver populated input": {
+			in:   &PreFilterResult{NodeNames: sets.New("node1")},
+			want: &PreFilterResult{NodeNames: sets.New("node1")},
+		},
+		"empty receiver populated input": {
+			receiver: &PreFilterResult{NodeNames: sets.New[string]()},
+			in:       &PreFilterResult{NodeNames: sets.New("node1")},
+			want:     &PreFilterResult{NodeNames: sets.New[string]()},
+		},
+
+		"populated receiver nil input": {
+			receiver: &PreFilterResult{NodeNames: sets.New("node1")},
+			want:     &PreFilterResult{NodeNames: sets.New("node1")},
+		},
+		"populated receiver empty input": {
+			receiver: &PreFilterResult{NodeNames: sets.New("node1")},
+			in:       &PreFilterResult{NodeNames: sets.New[string]()},
+			want:     &PreFilterResult{NodeNames: sets.New[string]()},
+		},
+		"populated receiver and input": {
+			receiver: &PreFilterResult{NodeNames: sets.New("node1", "node2")},
+			in:       &PreFilterResult{NodeNames: sets.New("node2", "node3")},
+			want:     &PreFilterResult{NodeNames: sets.New("node2")},
+		},
+	}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			got := test.receiver.Merge(test.in)
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Errorf("unexpected diff (-want, +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestIsStatusEqual(t *testing.T) {
+	tests := []struct {
+		name string
+		x, y *Status
+		want bool
+	}{
+		{
+			name: "two nil should be equal",
+			x:    nil,
+			y:    nil,
+			want: true,
+		},
+		{
+			name: "nil should be equal to success status",
+			x:    nil,
+			y:    NewStatus(Success),
+			want: true,
+		},
+		{
+			name: "nil should not be equal with status except success",
+			x:    nil,
+			y:    NewStatus(Error, "internal error"),
+			want: false,
+		},
+		{
+			name: "one status should be equal to itself",
+			x:    errorStatus,
+			y:    errorStatus,
+			want: true,
+		},
+		{
+			name: "same type statuses without reasons should be equal",
+			x:    NewStatus(Success),
+			y:    NewStatus(Success),
+			want: true,
+		},
+		{
+			name: "statuses with same message should be equal",
+			x:    NewStatus(Unschedulable, "unschedulable"),
+			y:    NewStatus(Unschedulable, "unschedulable"),
+			want: true,
+		},
+		{
+			name: "error statuses with same message should be equal",
+			x:    NewStatus(Error, "error"),
+			y:    NewStatus(Error, "error"),
+			want: true,
+		},
+		{
+			name: "statuses with different reasons should not be equal",
+			x:    NewStatus(Unschedulable, "unschedulable"),
+			y:    NewStatus(Unschedulable, "unschedulable", "injected filter status"),
+			want: false,
+		},
+		{
+			name: "statuses with different codes should not be equal",
+			x:    NewStatus(Error, "internal error"),
+			y:    NewStatus(Unschedulable, "internal error"),
+			want: false,
+		},
+		{
+			name: "wrap error status should be equal with original one",
+			x:    statusWithErr,
+			y:    AsStatus(fmt.Errorf("error: %w", statusWithErr.AsError())),
+			want: true,
+		},
+		{
+			name: "statues with different errors that have the same message shouldn't be equal",
+			x:    AsStatus(errors.New("error")),
+			y:    AsStatus(errors.New("error")),
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.x.Equal(tt.y); got != tt.want {
+				t.Errorf("cmp.Equal() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/listers.go b/staging/src/k8s.io/kube-scheduler/framework/listers.go
new file mode 100644
index 0000000000000..98796329e76d0
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/framework/listers.go
@@ -0,0 +1,176 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package framework
+
+import (
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	storagev1 "k8s.io/api/storage/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/dynamic-resource-allocation/structured"
+)
+
+// NodeInfoLister interface represents anything that can list/get NodeInfo objects from node name.
+type NodeInfoLister interface {
+	// List returns the list of NodeInfos.
+	List() ([]NodeInfo, error)
+	// HavePodsWithAffinityList returns the list of NodeInfos of nodes with pods with affinity terms.
+	HavePodsWithAffinityList() ([]NodeInfo, error)
+	// HavePodsWithRequiredAntiAffinityList returns the list of NodeInfos of nodes with pods with required anti-affinity terms.
+	HavePodsWithRequiredAntiAffinityList() ([]NodeInfo, error)
+	// Get returns the NodeInfo of the given node name.
+	Get(nodeName string) (NodeInfo, error)
+}
+
+// StorageInfoLister interface represents anything that handles storage-related operations and resources.
+type StorageInfoLister interface {
+	// IsPVCUsedByPods returns true/false on whether the PVC is used by one or more scheduled pods,
+	// keyed in the format "namespace/name".
+	IsPVCUsedByPods(key string) bool
+}
+
+// SharedLister groups scheduler-specific listers.
+type SharedLister interface {
+	NodeInfos() NodeInfoLister
+	StorageInfos() StorageInfoLister
+}
+
+type CSINodeLister interface {
+	// List returns a list of all CSINodes.
+	List() ([]*storagev1.CSINode, error)
+	// Get returns the CSINode with the given name.
+	Get(name string) (*storagev1.CSINode, error)
+}
+
+// ResourceSliceLister can be used to obtain ResourceSlices.
+type ResourceSliceLister interface {
+	// ListWithDeviceTaintRules returns a list of all ResourceSlices with DeviceTaintRules applied
+	// if the DRADeviceTaints feature is enabled, otherwise without them.
+	//
+	// k8s.io/dynamic-resource-allocation/resourceslice/tracker provides an implementation
+	// of the necessary logic. That tracker can be instantiated as a replacement for
+	// a normal ResourceSlice informer and provides a ListPatchedResourceSlices method.
+	ListWithDeviceTaintRules() ([]*resourceapi.ResourceSlice, error)
+}
+
+// DeviceClassLister can be used to obtain DeviceClasses.
+type DeviceClassLister interface {
+	// List returns a list of all DeviceClasses.
+	List() ([]*resourceapi.DeviceClass, error)
+	// Get returns the DeviceClass with the given className.
+	Get(className string) (*resourceapi.DeviceClass, error)
+}
+
+// ResourceClaimTracker can be used to obtain ResourceClaims, and track changes to ResourceClaims in-memory.
+//
+// If the claims are meant to be allocated in the API during the binding phase (when used by scheduler), the tracker helps avoid
+// race conditions between scheduling and binding phases (as well as between the binding phase and the informer cache update).
+//
+// If the binding phase is not run (e.g. when used by Cluster Autoscaler which only runs the scheduling phase, and simulates binding in-memory),
+// the tracker allows the framework user to obtain the claim allocations produced by the DRA plugin, and persist them outside of the API (e.g. in-memory).
+type ResourceClaimTracker interface {
+	// List lists ResourceClaims. The result is guaranteed to immediately include any changes made via AssumeClaimAfterAPICall(),
+	// and SignalClaimPendingAllocation().
+	List() ([]*resourceapi.ResourceClaim, error)
+	// Get works like List(), but for a single claim.
+	Get(namespace, claimName string) (*resourceapi.ResourceClaim, error)
+	// ListAllAllocatedDevices lists all allocated Devices from allocated ResourceClaims. The result is guaranteed to immediately include
+	// any changes made via AssumeClaimAfterAPICall(), and SignalClaimPendingAllocation().
+	ListAllAllocatedDevices() (sets.Set[structured.DeviceID], error)
+	// GatherAllocatedState gathers information about allocated devices from allocated ResourceClaims. The result is guaranteed to immediately include
+	// any changes made via AssumeClaimAfterAPICall(), and SignalClaimPendingAllocation().
+	GatherAllocatedState() (*structured.AllocatedState, error)
+
+	// SignalClaimPendingAllocation signals to the tracker that the given ResourceClaim will be allocated via an API call in the
+	// binding phase. This change is immediately reflected in the result of List() and the other accessors.
+	SignalClaimPendingAllocation(claimUID types.UID, allocatedClaim *resourceapi.ResourceClaim) error
+	// ClaimHasPendingAllocation answers whether a given claim has a pending allocation during the binding phase. It can be used to avoid
+	// race conditions in subsequent scheduling phases.
+	ClaimHasPendingAllocation(claimUID types.UID) bool
+	// RemoveClaimPendingAllocation removes the pending allocation for the given ResourceClaim from the tracker if any was signaled via
+	// SignalClaimPendingAllocation(). Returns whether there was a pending allocation to remove. List() and the other accessors immediately
+	// stop reflecting the pending allocation in the results.
+	RemoveClaimPendingAllocation(claimUID types.UID) (deleted bool)
+
+	// AssumeClaimAfterAPICall signals to the tracker that an API call modifying the given ResourceClaim was made in the binding phase, and the
+	// changes should be reflected in informers very soon. This change is immediately reflected in the result of List() and the other accessors.
+	// This mechanism can be used to avoid race conditions between the informer update and subsequent scheduling phases.
+	AssumeClaimAfterAPICall(claim *resourceapi.ResourceClaim) error
+	// AssumedClaimRestore signals to the tracker that something went wrong with the API call modifying the given ResourceClaim, and
+	// the changes won't be reflected in informers after all. List() and the other accessors immediately stop reflecting the assumed change,
+	// and go back to the informer version.
+	AssumedClaimRestore(namespace, claimName string)
+}
+
+// DeviceClassResolver resolves device class names from extended resource names.
+type DeviceClassResolver interface {
+	// GetDeviceClass returns the device class for the given extended resource name.
+	// Returns nil if no mapping exists for the resource name or
+	// the DRAExtendedResource feature is disabled.
+	GetDeviceClass(resourceName v1.ResourceName) *resourceapi.DeviceClass
+}
+
+// SharedDRAManager can be used to obtain DRA objects, and track modifications to them in-memory - mainly by the DRA plugin.
+// The plugin's default implementation obtains the objects from the API. A different implementation can be
+// plugged into the framework in order to simulate the state of DRA objects. For example, Cluster Autoscaler
+// can use this to provide the correct DRA object state to the DRA plugin when simulating scheduling changes in-memory.
+type SharedDRAManager interface {
+	ResourceClaims() ResourceClaimTracker
+	ResourceSlices() ResourceSliceLister
+	DeviceClasses() DeviceClassLister
+	DeviceClassResolver() DeviceClassResolver
+}
+
+// CSIManager can be used to obtain CSINode objects, and track changes to CSINode objects in-memory.
+// The plugin's default implementation obtains the objects from the API. A different implementation can be
+// plugged into the framework in order to simulate the state of CSINode objects. For example, Cluster Autoscaler
+// can use this to provide the correct CSINode object state to the CSINode plugin when simulating scheduling changes in-memory.
+type CSIManager interface {
+	CSINodes() CSINodeLister
+}
+
+// WorkloadManager provides an interface for scheduling plugins to provide workload-aware scheduling.
+// It acts as the central source of truth for runtime information about workloads.
+type WorkloadManager interface {
+	// PodGroupInfo retrieves the runtime state for a specific pod group, identified by workload's namespace and reference.
+	PodGroupInfo(namespace string, workloadRef *v1.WorkloadReference) (PodGroupInfo, error)
+}
+
+// PodGroupInfo provides an interface to view and modify the state of a single pod group.
+type PodGroupInfo interface {
+	// AllPods returns the UIDs of all pods known to the scheduler for this group.
+	AllPods() sets.Set[types.UID]
+	// UnscheduledPods returns all pods that are unscheduled for this group,
+	// i.e., are neither assumed nor assigned.
+	// The returned map type corresponds to the argument of the PodActivator.Activate method.
+	UnscheduledPods() map[string]*v1.Pod
+	// AssumedPods returns the UIDs of all pods for this group in the "assumed" state,
+	// i.e., passed the Reserve gate.
+	AssumedPods() sets.Set[types.UID]
+	// AssignedPods returns the UIDs of all pods already assigned (bound) for this group.
+	AssignedPods() sets.Set[types.UID]
+	// AssumePod marks a pod as having reached the Reserve stage.
+	AssumePod(podUID types.UID)
+	// ForgetPod removes a pod from the assumed state.
+	ForgetPod(podUID types.UID)
+	// SchedulingTimeout returns the remaining time until the pod group scheduling times out.
+	// A new deadline is created if one doesn't exist, or if the previous one has expired.
+	SchedulingTimeout() time.Duration
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/signers.go b/staging/src/k8s.io/kube-scheduler/framework/signers.go
new file mode 100644
index 0000000000000..934864aa754ff
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/framework/signers.go
@@ -0,0 +1,217 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package framework
+
+import (
+	"encoding/json"
+	"sort"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// This file contains the names and implementations of various functions used
+// to compute pod signatures for use in batching and other scheduling optimizations.
+// See the definition of BatchablePlugin for more details.
+
+// Signer names
+const (
+	DynamicResourcesSignerName = "v1.Pod.Spec.DynamicResources"
+	ImageNamesSignerName       = "v1.Pod.Spec.CanonicalImageNames()"
+	LabelsSignerName           = "v1.Pod.Labels"
+	NodeNameSignerName         = "v1.Pod.Spec.NodeName"
+	NodeAffinitySignerName     = "v1.Pod.Spec.Affinity.NodeAffinity"
+	NodeSelectorSignerName     = "v1.Pod.Spec.Affinity.NodeSelector"
+	HostPortsSignerName        = "v1.Pod.Spec.HostPorts()"
+	ResourcesSignerName        = "v1.Pod.Spec.ContainerRequestsAndOverheads()"
+	SchedulerNameSignerName    = "v1.Pod.Spec.SchedulerName"
+	TolerationsSignerName      = "v1.Pod.Spec.Tolerations"
+	VolumesSignerName          = "v1.Pod.Spec.Volumes.NonSyntheticSources()"
+	FeaturesSignerName         = "v1.Pod.Spec.RequiredFeatures()"
+)
+
+// Common signers. These are either generic or shared across plugins.
+
+func HostPortsSigner(pod *v1.Pod) any {
+	portSet := sets.New[int32]()
+	containers := []v1.Container{}
+	containers = append(containers, pod.Spec.Containers...)
+	containers = append(containers, pod.Spec.InitContainers...)
+	for _, container := range containers {
+		for _, port := range container.Ports {
+			if port.HostPort != 0 {
+				portSet.Insert(port.HostPort)
+			}
+		}
+	}
+	ports := portSet.UnsortedList()
+	sort.Slice(ports, func(i, j int) bool {
+		return ports[i] < ports[j]
+	})
+	return ports
+}
+
+func NodeSelectorRequirementsSigner(reqs []v1.NodeSelectorRequirement) ([]string, error) {
+	ret := make([]string, len(reqs))
+	for i, req := range reqs {
+		t := req.DeepCopy()
+		sort.Slice(t.Values, func(i, j int) bool {
+			return t.Values[i] < t.Values[j]
+		})
+		v, err := json.Marshal(t)
+		if err != nil {
+			return nil, err
+		}
+		ret[i] = string(v)
+	}
+	sort.Slice(ret, func(i, j int) bool {
+		return ret[i] < ret[j]
+	})
+	return ret, nil
+}
+
+type nodeSelTermSignResult struct {
+	MatchExpressions []string
+	MatchFields      []string
+}
+
+func NodeSelectorTermSigner(t *v1.NodeSelectorTerm) (nodeSelTermSignResult, error) {
+	exp, err := NodeSelectorRequirementsSigner(t.MatchExpressions)
+	if err != nil {
+		return nodeSelTermSignResult{}, err
+	}
+	fld, err := NodeSelectorRequirementsSigner(t.MatchFields)
+	if err != nil {
+		return nodeSelTermSignResult{}, err
+	}
+	return nodeSelTermSignResult{
+		MatchExpressions: exp,
+		MatchFields:      fld,
+	}, nil
+}
+
+type prefSchedTermSignResult struct {
+	Weight     int32
+	Preference nodeSelTermSignResult
+}
+
+func PreferredSchedulingTermSigner(terms []v1.PreferredSchedulingTerm) ([]string, error) {
+	newTerms := make([]string, len(terms))
+	for i, t := range terms {
+		pref, err := NodeSelectorTermSigner(&t.Preference)
+		if err != nil {
+			return nil, err
+		}
+		termStr, err := json.Marshal(prefSchedTermSignResult{
+			Weight:     t.Weight,
+			Preference: pref,
+		})
+		if err != nil {
+			return nil, err
+		}
+		newTerms[i] = string(termStr)
+	}
+	sort.Slice(newTerms, func(i, j int) bool {
+		return newTerms[i] < newTerms[j]
+	})
+	return newTerms, nil
+}
+
+func NodeSelectorTermsSigner(terms []v1.NodeSelectorTerm) ([]string, error) {
+	req := make([]string, len(terms))
+	for i, t := range terms {
+		nst, err := NodeSelectorTermSigner(&t)
+		if err != nil {
+			return nil, err
+		}
+		tStr, err := json.Marshal(nst)
+		if err != nil {
+			return nil, err
+		}
+		req[i] = string(tStr)
+	}
+
+	sort.Slice(req, func(i, j int) bool {
+		return req[i] < req[j]
+	})
+
+	return req, nil
+}
+
+type nodeAffinitySignerResult struct {
+	Required  []string
+	Preferred []string
+}
+
+func NodeAffinitySigner(pod *v1.Pod) (any, error) {
+	if pod.Spec.Affinity != nil {
+		if pod.Spec.Affinity.NodeAffinity != nil {
+			n := pod.Spec.Affinity.NodeAffinity
+			pref := []string{}
+			var err error
+			if n.PreferredDuringSchedulingIgnoredDuringExecution != nil {
+				pref, err = PreferredSchedulingTermSigner(n.PreferredDuringSchedulingIgnoredDuringExecution)
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			req := []string{}
+			if n.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+				req, err = NodeSelectorTermsSigner(n.RequiredDuringSchedulingIgnoredDuringExecution.NodeSelectorTerms)
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			return nodeAffinitySignerResult{
+				Required:  req,
+				Preferred: pref,
+			}, nil
+		}
+	}
+	return nil, nil
+}
+
+func TolerationsSigner(pod *v1.Pod) any {
+	ret := []v1.Toleration{}
+	ret = append(ret, pod.Spec.Tolerations...)
+	sort.Slice(ret, func(i, j int) bool {
+		return ret[i].Key < ret[j].Key || (ret[i].Key == ret[j].Key && ret[i].Value < ret[j].Value)
+	})
+	return ret
+}
+
+// We special case volumes because config and secret volumes don't
+// impact scheduling but are very specific to individual pods. If we
+// don't exclude them no pods will have matching signatures.
+func VolumesSigner(pod *v1.Pod) any {
+	ret := []string{}
+	for _, vol := range pod.Spec.Volumes {
+		if vol.VolumeSource.ConfigMap == nil && vol.VolumeSource.Secret == nil {
+			volStr, err := json.Marshal(vol.VolumeSource)
+			if err != nil {
+				return nil
+			}
+			ret = append(ret, string(volStr))
+		}
+	}
+	sort.Slice(ret, func(i, j int) bool {
+		return ret[i] < ret[j]
+	})
+	return ret
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/signers_test.go b/staging/src/k8s.io/kube-scheduler/framework/signers_test.go
new file mode 100644
index 0000000000000..79881ffc19f8f
--- /dev/null
+++ b/staging/src/k8s.io/kube-scheduler/framework/signers_test.go
@@ -0,0 +1,309 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package framework
+
+import (
+	"encoding/json"
+	"errors"
+	"reflect"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	v1 "k8s.io/api/core/v1"
+)
+
+func TestHostPortsSigner(t *testing.T) {
+	tests := []struct {
+		name string
+		pod  *v1.Pod
+		want []int32
+	}{
+		{
+			name: "no containers",
+			pod:  &v1.Pod{},
+			want: []int32{},
+		},
+		{
+			name: "containers without host ports",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Ports: []v1.ContainerPort{{ContainerPort: 80}}},
+					},
+				},
+			},
+			want: []int32{},
+		},
+		{
+			name: "single container with host port",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{Ports: []v1.ContainerPort{{HostPort: 8080}}},
+					},
+				},
+			},
+			want: []int32{8080},
+		},
+		{
+			name: "multiple containers, unsorted host ports, duplicates",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{Ports: []v1.ContainerPort{{HostPort: 9090}}},
+					},
+					Containers: []v1.Container{
+						{Ports: []v1.ContainerPort{{HostPort: 80}}},
+						{Ports: []v1.ContainerPort{{HostPort: 443}, {HostPort: 80}}}, // duplicate 80
+					},
+				},
+			},
+			want: []int32{80, 443, 9090},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := HostPortsSigner(tt.pod)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("HostPortsSigner() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestTolerationsSigner(t *testing.T) {
+	tests := []struct {
+		name string
+		pod  *v1.Pod
+		want []v1.Toleration
+	}{
+		{
+			name: "no tolerations",
+			pod:  &v1.Pod{},
+			want: []v1.Toleration{},
+		},
+		{
+			name: "single toleration",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Tolerations: []v1.Toleration{
+						{Key: "key1", Value: "value1", Effect: v1.TaintEffectNoSchedule},
+					},
+				},
+			},
+			want: []v1.Toleration{
+				{Key: "key1", Value: "value1", Effect: v1.TaintEffectNoSchedule},
+			},
+		},
+		{
+			name: "multiple tolerations, unsorted",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Tolerations: []v1.Toleration{
+						{Key: "b", Value: "2"},
+						{Key: "a", Value: "1"},
+						{Key: "b", Value: "1"},
+					},
+				},
+			},
+			want: []v1.Toleration{
+				{Key: "a", Value: "1"},
+				{Key: "b", Value: "1"},
+				{Key: "b", Value: "2"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := TolerationsSigner(tt.pod)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("TolerationsSigner() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestVolumesSigner(t *testing.T) {
+	hostPath := v1.VolumeSource{HostPath: &v1.HostPathVolumeSource{Path: "/tmp"}}
+	emptyDir := v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{}}
+	configMap := v1.VolumeSource{ConfigMap: &v1.ConfigMapVolumeSource{LocalObjectReference: v1.LocalObjectReference{Name: "cm"}}}
+	secret := v1.VolumeSource{Secret: &v1.SecretVolumeSource{SecretName: "secret"}}
+
+	marshal := func(vs v1.VolumeSource) string {
+		b, _ := json.Marshal(vs)
+		return string(b)
+	}
+
+	tests := []struct {
+		name string
+		pod  *v1.Pod
+		want []string
+	}{
+		{
+			name: "no volumes",
+			pod:  &v1.Pod{},
+			want: []string{},
+		},
+		{
+			name: "only ignored volumes (ConfigMap, Secret)",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Volumes: []v1.Volume{
+						{Name: "v1", VolumeSource: configMap},
+						{Name: "v2", VolumeSource: secret},
+					},
+				},
+			},
+			want: []string{},
+		},
+		{
+			name: "mixed volumes, should be filtered and sorted",
+			pod: &v1.Pod{
+				Spec: v1.PodSpec{
+					Volumes: []v1.Volume{
+						{Name: "v1", VolumeSource: hostPath},  // e.g. {"hostPath":{"path":"/tmp"}}
+						{Name: "v2", VolumeSource: configMap}, // ignored
+						{Name: "v3", VolumeSource: emptyDir},  // e.g. {"emptyDir":{}}
+					},
+				},
+			},
+			// Expected sort order depends on the exact JSON string.
+			// {"emptyDir":{}} comes before {"hostPath":...} alphabetically.
+			want: []string{marshal(emptyDir), marshal(hostPath)},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := VolumesSigner(tt.pod)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("VolumesSigner() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNodeAffinitySigner(t *testing.T) {
+	table := []struct {
+		name        string
+		input       *v1.Pod
+		expected    any
+		expectedErr error
+	}{
+		{
+			name:        "nil affinity",
+			input:       &v1.Pod{},
+			expected:    nil,
+			expectedErr: nil,
+		},
+		{
+			name: "empty affinity",
+			input: &v1.Pod{
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{},
+						},
+					},
+				},
+			},
+			expected:    nodeAffinitySignerResult{Required: []string{}, Preferred: []string{}},
+			expectedErr: nil,
+		},
+		{
+			name: "affinity unsorted",
+			input: &v1.Pod{
+				Spec: v1.PodSpec{
+					Affinity: &v1.Affinity{
+						NodeAffinity: &v1.NodeAffinity{
+							RequiredDuringSchedulingIgnoredDuringExecution: &v1.NodeSelector{
+								NodeSelectorTerms: []v1.NodeSelectorTerm{
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{Key: "kk3", Operator: v1.NodeSelectorOpIn, Values: []string{"v3", "kv4"}},
+											{Key: "kk2", Operator: v1.NodeSelectorOpIn, Values: []string{"kv1", "v2"}},
+										},
+										MatchFields: []v1.NodeSelectorRequirement{
+											{Key: "kk1", Operator: v1.NodeSelectorOpIn, Values: []string{"kv3", "v4"}},
+										},
+									},
+									{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{Key: "k2", Operator: v1.NodeSelectorOpIn, Values: []string{"v1", "v2"}},
+										},
+										MatchFields: []v1.NodeSelectorRequirement{
+											{Key: "k1", Operator: v1.NodeSelectorOpIn, Values: []string{"v3", "v4"}},
+										},
+									},
+								},
+							},
+							PreferredDuringSchedulingIgnoredDuringExecution: []v1.PreferredSchedulingTerm{
+								{
+									Weight: 3,
+									Preference: v1.NodeSelectorTerm{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{Key: "ppk2", Operator: v1.NodeSelectorOpIn, Values: []string{"ppv1", "v2"}},
+										},
+										MatchFields: []v1.NodeSelectorRequirement{
+											{Key: "ppk1", Operator: v1.NodeSelectorOpIn, Values: []string{"ppv3", "v4"}},
+										},
+									},
+								},
+								{
+									Weight: 1,
+									Preference: v1.NodeSelectorTerm{
+										MatchExpressions: []v1.NodeSelectorRequirement{
+											{Key: "pk2", Operator: v1.NodeSelectorOpIn, Values: []string{"pv1", "v2"}},
+										},
+										MatchFields: []v1.NodeSelectorRequirement{
+											{Key: "pk1", Operator: v1.NodeSelectorOpIn, Values: []string{"pv3", "v4"}},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: nodeAffinitySignerResult{
+				Required: []string{
+					`{"MatchExpressions":["{\"key\":\"k2\",\"operator\":\"In\",\"values\":[\"v1\",\"v2\"]}"],"MatchFields":["{\"key\":\"k1\",\"operator\":\"In\",\"values\":[\"v3\",\"v4\"]}"]}`,
+					`{"MatchExpressions":["{\"key\":\"kk2\",\"operator\":\"In\",\"values\":[\"kv1\",\"v2\"]}","{\"key\":\"kk3\",\"operator\":\"In\",\"values\":[\"kv4\",\"v3\"]}"],"MatchFields":["{\"key\":\"kk1\",\"operator\":\"In\",\"values\":[\"kv3\",\"v4\"]}"]}`,
+				},
+				Preferred: []string{
+					`{"Weight":1,"Preference":{"MatchExpressions":["{\"key\":\"pk2\",\"operator\":\"In\",\"values\":[\"pv1\",\"v2\"]}"],"MatchFields":["{\"key\":\"pk1\",\"operator\":\"In\",\"values\":[\"pv3\",\"v4\"]}"]}}`,
+					`{"Weight":3,"Preference":{"MatchExpressions":["{\"key\":\"ppk2\",\"operator\":\"In\",\"values\":[\"ppv1\",\"v2\"]}"],"MatchFields":["{\"key\":\"ppk1\",\"operator\":\"In\",\"values\":[\"ppv3\",\"v4\"]}"]}}`,
+				},
+			},
+			expectedErr: nil,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			res, err := NodeAffinitySigner(tt.input)
+			if !errors.Is(err, tt.expectedErr) {
+				t.Fatalf("unexpected error %v, expected %v", err, tt.expectedErr)
+			}
+			if diff := cmp.Diff(res, tt.expected); diff != "" {
+				t.Fatalf("unexpected result %s", diff)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kube-scheduler/framework/types.go b/staging/src/k8s.io/kube-scheduler/framework/types.go
index 8b9a7e1dfbb76..eb463c8ee4729 100644
--- a/staging/src/k8s.io/kube-scheduler/framework/types.go
+++ b/staging/src/k8s.io/kube-scheduler/framework/types.go
@@ -21,9 +21,10 @@ import (
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/sets"
-
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
 	"k8s.io/klog/v2"
 )
 
@@ -50,6 +51,8 @@ const (
 	UpdateNodeTaint
 	UpdateNodeCondition
 	UpdateNodeAnnotation
+	// UpdateNodeDeclaredFeature is an update for node's declared features.
+	UpdateNodeDeclaredFeature
 
 	// UpdatePodXYZ is only applicable for Pod events.
 	// If you use UpdatePodXYZ,
@@ -71,7 +74,7 @@ const (
 	All ActionType = 1<<iota - 1
 
 	// Use the general Update type if you don't either know or care the specific sub-Update type to use.
-	Update = UpdateNodeAllocatable | UpdateNodeLabel | UpdateNodeTaint | UpdateNodeCondition | UpdateNodeAnnotation | UpdatePodLabel | UpdatePodScaleDown | UpdatePodToleration | UpdatePodSchedulingGatesEliminated | UpdatePodGeneratedResourceClaim
+	Update = UpdateNodeAllocatable | UpdateNodeLabel | UpdateNodeTaint | UpdateNodeCondition | UpdateNodeAnnotation | UpdateNodeDeclaredFeature | UpdatePodLabel | UpdatePodScaleDown | UpdatePodToleration | UpdatePodSchedulingGatesEliminated | UpdatePodGeneratedResourceClaim
 
 	// None is a special ActionType that is only used internally.
 	None ActionType = 0
@@ -93,6 +96,8 @@ func (a ActionType) String() string {
 		return "UpdateNodeCondition"
 	case UpdateNodeAnnotation:
 		return "UpdateNodeAnnotation"
+	case UpdateNodeDeclaredFeature:
+		return "UpdateNodeDeclaredFeature"
 	case UpdatePodLabel:
 		return "UpdatePodLabel"
 	case UpdatePodScaleDown:
@@ -165,6 +170,7 @@ const (
 	ResourceClaim         EventResource = "resource.k8s.io/ResourceClaim"
 	ResourceSlice         EventResource = "resource.k8s.io/ResourceSlice"
 	DeviceClass           EventResource = "resource.k8s.io/DeviceClass"
+	Workload              EventResource = "scheduling.k8s.io/Workload"
 
 	// WildCard is a special EventResource to match all resources.
 	// e.g., If you register `{Resource: "*", ActionType: All}` in EventsToRegister,
@@ -275,6 +281,8 @@ type NodeInfo interface {
 	// Whenever NodeInfo changes, generation is bumped.
 	// This is used to avoid cloning it if the object didn't change.
 	GetGeneration() int64
+	// GetNodeDeclaredFeatures returns the declared feature set of the node.
+	GetNodeDeclaredFeatures() ndf.FeatureSet
 	// Snapshot returns a copy of this node, Except that ImageStates is copied without the Nodes field.
 	Snapshot() NodeInfo
 	// String returns representation of human readable format of this NodeInfo.
@@ -389,6 +397,98 @@ type WeightedAffinityTerm struct {
 	Weight int32
 }
 
+// GetAffinityTerms receives a Pod and affinity terms and returns the namespaces and
+// selectors of the terms.
+func GetAffinityTerms(pod *v1.Pod, v1Terms []v1.PodAffinityTerm) ([]AffinityTerm, error) {
+	if v1Terms == nil {
+		return nil, nil
+	}
+
+	var terms []AffinityTerm
+	for i := range v1Terms {
+		t, err := newAffinityTerm(pod, &v1Terms[i])
+		if err != nil {
+			// We get here if the label selector failed to process
+			return nil, err
+		}
+		terms = append(terms, *t)
+	}
+	return terms, nil
+}
+
+func newAffinityTerm(pod *v1.Pod, term *v1.PodAffinityTerm) (*AffinityTerm, error) {
+	selector, err := metav1.LabelSelectorAsSelector(term.LabelSelector)
+	if err != nil {
+		return nil, err
+	}
+
+	namespaces := getNamespacesFromPodAffinityTerm(pod, term)
+	nsSelector, err := metav1.LabelSelectorAsSelector(term.NamespaceSelector)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AffinityTerm{Namespaces: namespaces, Selector: selector, TopologyKey: term.TopologyKey, NamespaceSelector: nsSelector}, nil
+}
+
+// getNamespacesFromPodAffinityTerm returns a set of names according to the namespaces indicated in podAffinityTerm.
+// If namespaces is empty it considers the given pod's namespace.
+func getNamespacesFromPodAffinityTerm(pod *v1.Pod, podAffinityTerm *v1.PodAffinityTerm) sets.Set[string] {
+	names := sets.Set[string]{}
+	if len(podAffinityTerm.Namespaces) == 0 && podAffinityTerm.NamespaceSelector == nil {
+		names.Insert(pod.Namespace)
+	} else {
+		names.Insert(podAffinityTerm.Namespaces...)
+	}
+	return names
+}
+
+// GetPodAffinityTerms returns the list of PodAffinityTerms specified in the PodAffinity.RequiredDuringSchedulingIgnoredDuringExecution field.
+func GetPodAffinityTerms(affinity *v1.Affinity) (terms []v1.PodAffinityTerm) {
+	if affinity != nil && affinity.PodAffinity != nil {
+		if len(affinity.PodAffinity.RequiredDuringSchedulingIgnoredDuringExecution) != 0 {
+			terms = affinity.PodAffinity.RequiredDuringSchedulingIgnoredDuringExecution
+		}
+		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
+		// if len(affinity.PodAffinity.RequiredDuringSchedulingRequiredDuringExecution) != 0 {
+		//	terms = append(terms, affinity.PodAffinity.RequiredDuringSchedulingRequiredDuringExecution...)
+		// }
+	}
+	return terms
+}
+
+// GetWeightedAffinityTerms returns affinity terms with weights, namespaces and selectors of the terms.
+func GetWeightedAffinityTerms(pod *v1.Pod, v1Terms []v1.WeightedPodAffinityTerm) ([]WeightedAffinityTerm, error) {
+	if v1Terms == nil {
+		return nil, nil
+	}
+
+	var terms []WeightedAffinityTerm
+	for i := range v1Terms {
+		t, err := newAffinityTerm(pod, &v1Terms[i].PodAffinityTerm)
+		if err != nil {
+			// We get here if the label selector failed to process
+			return nil, err
+		}
+		terms = append(terms, WeightedAffinityTerm{AffinityTerm: *t, Weight: v1Terms[i].Weight})
+	}
+	return terms, nil
+}
+
+// GetPodAntiAffinityTerms returns the list of PodAffinityTerms specified in the PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution field.
+func GetPodAntiAffinityTerms(affinity *v1.Affinity) (terms []v1.PodAffinityTerm) {
+	if affinity != nil && affinity.PodAntiAffinity != nil {
+		if len(affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution) != 0 {
+			terms = affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution
+		}
+		// TODO: Uncomment this block when implement RequiredDuringSchedulingRequiredDuringExecution.
+		// if len(affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution) != 0 {
+		//	terms = append(terms, affinity.PodAntiAffinity.RequiredDuringSchedulingRequiredDuringExecution...)
+		// }
+	}
+	return terms
+}
+
 // Resource is a collection of compute resources.
 type Resource interface {
 	GetMilliCPU() int64
diff --git a/staging/src/k8s.io/kube-scheduler/framework/types_test.go b/staging/src/k8s.io/kube-scheduler/framework/types_test.go
index d9ae25340fe60..8f4bfc3f4ac15 100644
--- a/staging/src/k8s.io/kube-scheduler/framework/types_test.go
+++ b/staging/src/k8s.io/kube-scheduler/framework/types_test.go
@@ -16,7 +16,15 @@ limitations under the License.
 
 package framework
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
 
 type hostPortInfoParam struct {
 	protocol, ip string
@@ -231,3 +239,45 @@ func TestHostPortInfo_Check(t *testing.T) {
 		})
 	}
 }
+
+func TestGetNamespacesFromPodAffinityTerm(t *testing.T) {
+	tests := []struct {
+		name string
+		term *v1.PodAffinityTerm
+		want sets.Set[string]
+	}{
+		{
+			name: "podAffinityTerm_namespace_empty",
+			term: &v1.PodAffinityTerm{},
+			want: sets.Set[string]{metav1.NamespaceDefault: sets.Empty{}},
+		},
+		{
+			name: "podAffinityTerm_namespace_not_empty",
+			term: &v1.PodAffinityTerm{
+				Namespaces: []string{metav1.NamespacePublic, metav1.NamespaceSystem},
+			},
+			want: sets.New(metav1.NamespacePublic, metav1.NamespaceSystem),
+		},
+		{
+			name: "podAffinityTerm_namespace_selector_not_nil",
+			term: &v1.PodAffinityTerm{
+				NamespaceSelector: &metav1.LabelSelector{},
+			},
+			want: sets.Set[string]{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := getNamespacesFromPodAffinityTerm(&v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "topologies_pod",
+					Namespace: metav1.NamespaceDefault,
+				},
+			}, test.term)
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Errorf("Unexpected namespaces (-want, +got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kube-scheduler/go.mod b/staging/src/k8s.io/kube-scheduler/go.mod
index fb5956f01cfbb..561df6dfa8870 100644
--- a/staging/src/k8s.io/kube-scheduler/go.mod
+++ b/staging/src/k8s.io/kube-scheduler/go.mod
@@ -2,62 +2,90 @@
 
 module k8s.io/kube-scheduler
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/google/go-cmp v0.7.0
-	k8s.io/api v0.0.0
-	k8s.io/apimachinery v0.0.0
-	k8s.io/client-go v0.0.0
-	k8s.io/component-base v0.0.0
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
+	k8s.io/component-helpers v0.0.0
+	k8s.io/dynamic-resource-allocation v0.0.0
 	k8s.io/klog/v2 v2.130.1
 	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
+	cel.dev/expr v0.24.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/cel-go v0.26.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/apiserver v0.0.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
+	k8s.io/apiserver => ../apiserver
 	k8s.io/client-go => ../client-go
 	k8s.io/component-base => ../component-base
+	k8s.io/component-helpers => ../component-helpers
+	k8s.io/dynamic-resource-allocation => ../dynamic-resource-allocation
+	k8s.io/kms => ../kms
+	k8s.io/kubelet => ../kubelet
 )
diff --git a/staging/src/k8s.io/kube-scheduler/go.sum b/staging/src/k8s.io/kube-scheduler/go.sum
index 7d2e7ecf31b25..499a7abd8afa0 100644
--- a/staging/src/k8s.io/kube-scheduler/go.sum
+++ b/staging/src/k8s.io/kube-scheduler/go.sum
@@ -1,23 +1,40 @@
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
+github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
+github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
+github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
+github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/coreos/go-oidc v2.3.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -30,29 +47,39 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
+github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1/go.mod h1:lXGCsh6c22WGtjr+qGHj1otzZpV/1kwTMAqkwZsnWRU=
+github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.0/go.mod h1:qOchhhIlmRcqk/O9uCo/puJlyo07YINaIqdZfZG3Jkc=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -60,6 +87,7 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
@@ -73,26 +101,37 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -102,94 +141,95 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
+github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
+go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/kubectl/go.mod b/staging/src/k8s.io/kubectl/go.mod
index 8bf8b37888e41..4fc2a51143fb8 100644
--- a/staging/src/k8s.io/kubectl/go.mod
+++ b/staging/src/k8s.io/kubectl/go.mod
@@ -2,9 +2,9 @@
 
 module k8s.io/kubectl
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/MakeNowJust/heredoc v1.0.0
@@ -20,15 +20,16 @@ require (
 	github.com/lithammer/dedent v1.1.0
 	github.com/mitchellh/go-wordwrap v1.0.1
 	github.com/moby/term v0.5.0
-	github.com/onsi/ginkgo/v2 v2.21.0
-	github.com/onsi/gomega v1.35.1
+	github.com/onsi/ginkgo/v2 v2.25.1
+	github.com/onsi/gomega v1.38.2
 	github.com/russross/blackfriday/v2 v2.1.0
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	go.yaml.in/yaml/v2 v2.4.2
-	golang.org/x/sys v0.36.0
-	gopkg.in/evanphx/json-patch.v4 v4.12.0
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	go.yaml.in/yaml/v2 v2.4.3
+	golang.org/x/sys v0.38.0
+	golang.org/x/text v0.31.0
+	gopkg.in/evanphx/json-patch.v4 v4.13.0
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/cli-runtime v0.0.0
@@ -36,10 +37,10 @@ require (
 	k8s.io/component-base v0.0.0
 	k8s.io/component-helpers v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 	k8s.io/metrics v0.0.0
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 	sigs.k8s.io/kustomize/kustomize/v5 v5.7.1
 	sigs.k8s.io/kustomize/kyaml v0.20.1
 	sigs.k8s.io/randfill v1.0.0
@@ -49,18 +50,18 @@ require (
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -76,26 +77,25 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/cli-runtime => ../cli-runtime
diff --git a/staging/src/k8s.io/kubectl/go.sum b/staging/src/k8s.io/kubectl/go.sum
index eb0905e60256c..b3b3036dfdb68 100644
--- a/staging/src/k8s.io/kubectl/go.sum
+++ b/staging/src/k8s.io/kubectl/go.sum
@@ -3,6 +3,8 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
@@ -33,10 +35,16 @@ github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwo
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=
+github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE=
+github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -49,8 +57,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -59,8 +67,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -75,10 +83,10 @@ github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbd
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
+github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -93,6 +101,10 @@ github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffkt
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
+github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
+github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
+github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
@@ -111,33 +123,33 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -149,102 +161,87 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
 sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
 sigs.k8s.io/kustomize/cmd/config v0.20.1/go.mod h1:R7rQ8kxknVlXWVUIbxWtMgu8DCCNVtl8V0KrmeVd/KE=
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/alpha.go b/staging/src/k8s.io/kubectl/pkg/cmd/alpha.go
index a5ad73e23f3bd..bc32cee0eb06b 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/alpha.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/alpha.go
@@ -21,6 +21,7 @@ import (
 
 	"k8s.io/cli-runtime/pkg/genericiooptions"
 
+	cmdkuberc "k8s.io/kubectl/pkg/cmd/kuberc"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"k8s.io/kubectl/pkg/util/i18n"
 	"k8s.io/kubectl/pkg/util/templates"
@@ -34,6 +35,11 @@ func NewCmdAlpha(f cmdutil.Factory, streams genericiooptions.IOStreams) *cobra.C
 		Long:  templates.LongDesc(i18n.T("These commands correspond to alpha features that are not enabled in Kubernetes clusters by default.")),
 	}
 
+	// Add alpha commands
+	if !cmdutil.KubeRC.IsDisabled() {
+		cmd.AddCommand(cmdkuberc.NewCmdKubeRC(streams))
+	}
+
 	// NewKubeletCommand() will hide the alpha command if it has no subcommands. Overriding
 	// the help function ensures a reasonable message if someone types the hidden command anyway.
 	if !cmd.HasAvailableSubCommands() {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources_test.go
index f5081aa5dab7e..d2ddc60e55af9 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/apiresources/apiresources_test.go
@@ -18,6 +18,7 @@ package apiresources
 
 import (
 	"encoding/json"
+	"strings"
 	"testing"
 
 	"github.com/spf13/cobra"
@@ -57,8 +58,8 @@ See 'kubectl api-resources -h' for help and examples`
 	if err == nil {
 		t.Fatalf("An error was expected but not returned")
 	}
-	expectedError = `unable to match a printer suitable for the output format "foo", allowed formats are: json,name,wide,yaml`
-	if err.Error() != expectedError {
+	expectedError = `unable to match a printer suitable for the output format "foo", allowed formats are:`
+	if !strings.HasPrefix(err.Error(), expectedError) {
 		t.Fatalf("Unexpected error: %v\n expected: %v", err, expectedError)
 	}
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go b/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go
index 1ecc7c9d83a91..d509b90f3e36c 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply.go
@@ -284,13 +284,11 @@ func (flags *ApplyFlags) ToOptions(f cmdutil.Factory, cmd *cobra.Command, baseNa
 	}
 
 	var openAPIV3Root openapi3.Root
-	if !cmdutil.OpenAPIV3Patch.IsDisabled() {
-		openAPIV3Client, err := f.OpenAPIV3Client()
-		if err == nil {
-			openAPIV3Root = openapi3.NewRoot(openAPIV3Client)
-		} else {
-			klog.V(4).Infof("warning: OpenAPI V3 Patch is enabled but is unable to be loaded. Will fall back to OpenAPI V2")
-		}
+	openAPIV3Client, err := f.OpenAPIV3Client()
+	if err == nil {
+		openAPIV3Root = openapi3.NewRoot(openAPIV3Client)
+	} else {
+		klog.V(4).Infof("warning: OpenAPI V3 Patch is enabled but is unable to be loaded. Will fall back to OpenAPI V2")
 	}
 
 	validationDirective, err := cmdutil.GetValidationDirective(cmd)
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go
index 66992cdda41d6..50e1f56899379 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/apply/apply_test.go
@@ -114,11 +114,8 @@ func (o *OpenAPIV3ClientAlwaysPanic) Paths() (map[string]openapiclient.GroupVers
 func noopOpenAPIV3Patch(t *testing.T, f func(t *testing.T)) {
 	f(t)
 }
-func disableOpenAPIV3Patch(t *testing.T, f func(t *testing.T)) {
-	cmdtesting.WithAlphaEnvsDisabled([]cmdutil.FeatureGate{cmdutil.OpenAPIV3Patch}, t, f)
-}
 
-var applyFeatureToggles = []func(*testing.T, func(t *testing.T)){noopOpenAPIV3Patch, disableOpenAPIV3Patch}
+var applyFeatureToggles = []func(*testing.T, func(t *testing.T)){noopOpenAPIV3Patch}
 
 type testOpenAPISchema struct {
 	OpenAPISchemaFn     func() (openapi.Resources, error)
@@ -742,60 +739,6 @@ func TestApplyObjectWithoutAnnotation(t *testing.T) {
 	}
 }
 
-func TestOpenAPIV3PatchFeatureFlag(t *testing.T) {
-	// OpenAPIV3 smp apply is on by default.
-	// Test that users can disable it to use OpenAPI V2 smp
-	// An OpenAPI V3 root that always panics is used to ensure
-	// the v3 code path is never exercised when the feature is disabled
-	cmdtesting.InitTestErrorHandler(t)
-	nameRC, currentRC := readAndAnnotateReplicationController(t, filenameRC)
-	pathRC := "/namespaces/test/replicationcontrollers/" + nameRC
-
-	t.Run("test apply when a local object is specified - openapi v2 smp", func(t *testing.T) {
-		disableOpenAPIV3Patch(t, func(t *testing.T) {
-			tf := cmdtesting.NewTestFactory().WithNamespace("test")
-			defer tf.Cleanup()
-
-			tf.UnstructuredClient = &fake.RESTClient{
-				NegotiatedSerializer: resource.UnstructuredPlusDefaultContentConfig().NegotiatedSerializer,
-				Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) {
-					switch p, m := req.URL.Path, req.Method; {
-					case p == pathRC && m == "GET":
-						bodyRC := io.NopCloser(bytes.NewReader(currentRC))
-						return &http.Response{StatusCode: http.StatusOK, Header: cmdtesting.DefaultHeader(), Body: bodyRC}, nil
-					case p == pathRC && m == "PATCH":
-						validatePatchApplication(t, req, types.StrategicMergePatchType)
-						bodyRC := io.NopCloser(bytes.NewReader(currentRC))
-						return &http.Response{StatusCode: http.StatusOK, Header: cmdtesting.DefaultHeader(), Body: bodyRC}, nil
-					default:
-						t.Fatalf("unexpected request: %#v\n%#v", req.URL, req)
-						return nil, nil
-					}
-				}),
-			}
-			tf.OpenAPISchemaFunc = FakeOpenAPISchema.OpenAPISchemaFn
-			tf.OpenAPIV3ClientFunc = AlwaysPanicSchema.OpenAPIV3ClientFunc
-			tf.ClientConfigVal = cmdtesting.DefaultClientConfig()
-
-			ioStreams, _, buf, errBuf := genericiooptions.NewTestIOStreams()
-			cmd := NewCmdApply("kubectl", tf, ioStreams)
-			cmd.Flags().Set("filename", filenameRC)
-			cmd.Flags().Set("output", "name")
-			cmd.Run(cmd, []string{})
-
-			// uses the name from the file, not the response
-			expectRC := "replicationcontroller/" + nameRC + "\n"
-			if buf.String() != expectRC {
-				t.Fatalf("unexpected output: %s\nexpected: %s", buf.String(), expectRC)
-			}
-			if errBuf.String() != "" {
-				t.Fatalf("unexpected error output: %s", errBuf.String())
-			}
-		})
-	})
-
-}
-
 func TestOpenAPIV3DoesNotLoadV2(t *testing.T) {
 	cmdtesting.InitTestErrorHandler(t)
 	nameRC, currentRC := readAndAnnotateReplicationController(t, filenameRC)
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go b/staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go
index caf6ec7f125fa..62b1f6411a629 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/attach/attach.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/kubectl/pkg/util/completion"
 	"k8s.io/kubectl/pkg/util/i18n"
 	"k8s.io/kubectl/pkg/util/templates"
+	"k8s.io/kubectl/pkg/util/term"
 )
 
 var (
@@ -300,7 +301,9 @@ func (o *AttachOptions) Run() error {
 			sizePlusOne.Height++
 
 			// this call spawns a goroutine to monitor/update the terminal size
-			sizeQueue = t.MonitorSize(&sizePlusOne, size)
+			sizeQueue = &terminalSizeQueueAdapter{
+				delegate: t.MonitorSize(&sizePlusOne, size),
+			}
 		}
 
 		o.DisableStderr = true
@@ -357,3 +360,18 @@ func (o *AttachOptions) reattachMessage(containerName string, rawTTY bool) strin
 	}
 	return fmt.Sprintf("Session ended, resume using '%s %s -c %s -i -t' command when the pod is running", o.CommandName, o.Pod.Name, containerName)
 }
+
+type terminalSizeQueueAdapter struct {
+	delegate term.TerminalSizeQueue
+}
+
+func (a *terminalSizeQueueAdapter) Next() *remotecommand.TerminalSize {
+	next := a.delegate.Next()
+	if next == nil {
+		return nil
+	}
+	return &remotecommand.TerminalSize{
+		Width:  next.Width,
+		Height: next.Height,
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/auth/reconcile.go b/staging/src/k8s.io/kubectl/pkg/cmd/auth/reconcile.go
index 40632df874da8..425aa3dfdc04e 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/auth/reconcile.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/auth/reconcile.go
@@ -22,6 +22,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -33,6 +34,7 @@ import (
 	"k8s.io/cli-runtime/pkg/resource"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	"k8s.io/client-go/util/retry"
 	"k8s.io/component-helpers/auth/rbac/reconciliation"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	"k8s.io/kubectl/pkg/scheme"
@@ -197,6 +199,9 @@ func (o *ReconcileOptions) Validate() error {
 
 // RunReconcile performs the execution
 func (o *ReconcileOptions) RunReconcile() error {
+	// conflictBackoff retries up to 3 times on conflict, with no delay
+	conflictBackoff := wait.Backoff{Steps: 3}
+
 	return o.Visitor.Visit(func(info *resource.Info, err error) error {
 		if err != nil {
 			return err
@@ -213,7 +218,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client:          o.RBACClient,
 				},
 			}
-			result, err := reconcileOptions.Run()
+			var (
+				result *reconciliation.ReconcileClusterRoleResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
+				return err
+			})
 			if err != nil {
 				return err
 			}
@@ -228,7 +240,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client: o.RBACClient.ClusterRoles(),
 				},
 			}
-			result, err := reconcileOptions.Run()
+			var (
+				result *reconciliation.ReconcileClusterRoleResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
+				return err
+			})
 			if err != nil {
 				return err
 			}
@@ -244,10 +263,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					NamespaceClient: o.NamespaceClient.Namespaces(),
 				},
 			}
-			result, err := reconcileOptions.Run()
-			if err != nil {
+			var (
+				result *reconciliation.ReconcileClusterRoleBindingResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
 				return err
-			}
+			})
 			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)
 
 		case *rbacv1.ClusterRoleBinding:
@@ -259,10 +282,14 @@ func (o *ReconcileOptions) RunReconcile() error {
 					Client: o.RBACClient.ClusterRoleBindings(),
 				},
 			}
-			result, err := reconcileOptions.Run()
-			if err != nil {
+			var (
+				result *reconciliation.ReconcileClusterRoleBindingResult
+				err    error
+			)
+			retry.RetryOnConflict(conflictBackoff, func() error {
+				result, err = reconcileOptions.Run()
 				return err
-			}
+			})
 			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)
 
 		case *rbacv1beta1.Role,
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go
index 8d1bb44e63dee..a3a83847df647 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go
@@ -159,8 +159,7 @@ func NewCmdWhoAmI(restClientGetter genericclioptions.RESTClientGetter, streams g
 
 var (
 	notEnabledErr = fmt.Errorf(
-		"the selfsubjectreviews API is not enabled in the cluster\n" +
-			"enable APISelfSubjectReview feature gate and authentication.k8s.io/v1alpha1 or authentication.k8s.io/v1beta1 API")
+		"the selfsubjectreviews API is not enabled in the cluster")
 
 	forbiddenErr = fmt.Errorf(
 		"the selfsubjectreviews API is not enabled in the cluster or you do not have permission to call it")
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go b/staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go
index 834902278c647..92f60b4941a5a 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/autoscale/autoscale.go
@@ -362,6 +362,10 @@ func (o *AutoscaleOptions) createHorizontalPodAutoscalerV2(refName string, mappi
 		scaler.Spec.MinReplicas = &o.Min
 	}
 
+	if o.enforceNamespace {
+		scaler.ObjectMeta.Namespace = o.namespace
+	}
+
 	metrics := []autoscalingv2.MetricSpec{}
 
 	// add CPU metric if any of the CPU targets are specified
@@ -470,6 +474,10 @@ func (o *AutoscaleOptions) createHorizontalPodAutoscalerV1(refName string, mappi
 		scaler.Spec.TargetCPUUtilizationPercentage = &c
 	}
 
+	if o.enforceNamespace {
+		scaler.ObjectMeta.Namespace = o.namespace
+	}
+
 	return &scaler
 }
 
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/cmd.go b/staging/src/k8s.io/kubectl/pkg/cmd/cmd.go
index ff41ff42a531e..964abeaedccb8 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/cmd.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/cmd.go
@@ -20,11 +20,8 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
 	"strings"
-	"syscall"
+	"sync/atomic"
 
 	"github.com/spf13/cobra"
 
@@ -110,203 +107,65 @@ func NewDefaultKubectlCommand() *cobra.Command {
 func NewDefaultKubectlCommandWithArgs(o KubectlOptions) *cobra.Command {
 	cmd := NewKubectlCommand(o)
 
-	if o.PluginHandler == nil {
+	if o.PluginHandler == nil || len(o.Arguments) <= 1 {
 		return cmd
 	}
 
-	if len(o.Arguments) > 1 {
-		cmdPathPieces := o.Arguments[1:]
-
-		// only look for suitable extension executables if
-		// the specified command does not already exist
-		if foundCmd, foundArgs, err := cmd.Find(cmdPathPieces); err != nil {
-			// Also check the commands that will be added by Cobra.
-			// These commands are only added once rootCmd.Execute() is called, so we
-			// need to check them explicitly here.
-			var cmdName string // first "non-flag" arguments
-			for _, arg := range cmdPathPieces {
-				if !strings.HasPrefix(arg, "-") {
-					cmdName = arg
-					break
-				}
-			}
-
-			switch cmdName {
-			case "help", cobra.ShellCompRequestCmd, cobra.ShellCompNoDescRequestCmd:
-				// Don't search for a plugin
-			default:
-				if err := HandlePluginCommand(o.PluginHandler, cmdPathPieces, 1); err != nil {
-					fmt.Fprintf(o.IOStreams.ErrOut, "Error: %v\n", err)
-					os.Exit(1)
-				}
-			}
-		} else if err == nil {
-			// Command exists(e.g. kubectl create), but it is not certain that
-			// subcommand also exists (e.g. kubectl create networkpolicy)
-			// we also have to eliminate kubectl create -f
-			if IsSubcommandPluginAllowed(foundCmd.Name()) && len(foundArgs) >= 1 && !strings.HasPrefix(foundArgs[0], "-") {
-				subcommand := foundArgs[0]
-				builtinSubcmdExist := false
-				for _, subcmd := range foundCmd.Commands() {
-					if subcmd.Name() == subcommand {
-						builtinSubcmdExist = true
-						break
-					}
-				}
-
-				if !builtinSubcmdExist {
-					if err := HandlePluginCommand(o.PluginHandler, cmdPathPieces, len(cmdPathPieces)-len(foundArgs)+1); err != nil {
-						fmt.Fprintf(o.IOStreams.ErrOut, "Error: %v\n", err)
-						os.Exit(1)
-					}
-				}
+	cmdPathPieces := o.Arguments[1:]
+	// only look for suitable extension executables if
+	// the specified command does not already exist
+	foundCmd, foundArgs, err := cmd.Find(cmdPathPieces)
+	if err != nil {
+		// Also check the commands that will be added by Cobra.
+		// These commands are only added once rootCmd.Execute() is called, so we
+		// need to check them explicitly here.
+		var cmdName string // first "non-flag" arguments
+		for _, arg := range cmdPathPieces {
+			if !strings.HasPrefix(arg, "-") {
+				cmdName = arg
+				break
 			}
 		}
-	}
-
-	return cmd
-}
-
-// IsSubcommandPluginAllowed returns the given command is allowed
-// to use plugin as subcommand if the subcommand does not exist as builtin.
-func IsSubcommandPluginAllowed(foundCmd string) bool {
-	allowedCmds := map[string]struct{}{"create": {}}
-	_, ok := allowedCmds[foundCmd]
-	return ok
-}
-
-// PluginHandler is capable of parsing command line arguments
-// and performing executable filename lookups to search
-// for valid plugin files, and execute found plugins.
-type PluginHandler interface {
-	// exists at the given filename, or a boolean false.
-	// Lookup will iterate over a list of given prefixes
-	// in order to recognize valid plugin filenames.
-	// The first filepath to match a prefix is returned.
-	Lookup(filename string) (string, bool)
-	// Execute receives an executable's filepath, a slice
-	// of arguments, and a slice of environment variables
-	// to relay to the executable.
-	Execute(executablePath string, cmdArgs, environment []string) error
-}
-
-// DefaultPluginHandler implements PluginHandler
-type DefaultPluginHandler struct {
-	ValidPrefixes []string
-}
-
-// NewDefaultPluginHandler instantiates the DefaultPluginHandler with a list of
-// given filename prefixes used to identify valid plugin filenames.
-func NewDefaultPluginHandler(validPrefixes []string) *DefaultPluginHandler {
-	return &DefaultPluginHandler{
-		ValidPrefixes: validPrefixes,
-	}
-}
-
-// Lookup implements PluginHandler
-func (h *DefaultPluginHandler) Lookup(filename string) (string, bool) {
-	for _, prefix := range h.ValidPrefixes {
-		path, err := exec.LookPath(fmt.Sprintf("%s-%s", prefix, filename))
-		if shouldSkipOnLookPathErr(err) || len(path) == 0 {
-			continue
-		}
-		return path, true
-	}
-	return "", false
-}
-
-func Command(name string, arg ...string) *exec.Cmd {
-	cmd := &exec.Cmd{
-		Path: name,
-		Args: append([]string{name}, arg...),
-	}
-	if filepath.Base(name) == name {
-		lp, err := exec.LookPath(name)
-		if lp != "" && !shouldSkipOnLookPathErr(err) {
-			// Update cmd.Path even if err is non-nil.
-			// If err is ErrDot (especially on Windows), lp may include a resolved
-			// extension (like .exe or .bat) that should be preserved.
-			cmd.Path = lp
-		}
-	}
-	return cmd
-}
-
-// Execute implements PluginHandler
-func (h *DefaultPluginHandler) Execute(executablePath string, cmdArgs, environment []string) error {
-
-	// Windows does not support exec syscall.
-	if runtime.GOOS == "windows" {
-		cmd := Command(executablePath, cmdArgs...)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		cmd.Env = environment
-		err := cmd.Run()
-		if err == nil {
-			os.Exit(0)
-		}
-		return err
-	}
 
-	// invoke cmd binary relaying the environment and args given
-	// append executablePath to cmdArgs, as execve will make first argument the "binary name".
-	return syscall.Exec(executablePath, append([]string{executablePath}, cmdArgs...), environment)
-}
-
-// HandlePluginCommand receives a pluginHandler and command-line arguments and attempts to find
-// a plugin executable on the PATH that satisfies the given arguments.
-func HandlePluginCommand(pluginHandler PluginHandler, cmdArgs []string, minArgs int) error {
-	var remainingArgs []string // all "non-flag" arguments
-	for _, arg := range cmdArgs {
-		if strings.HasPrefix(arg, "-") {
-			break
+		switch cmdName {
+		case "help", cobra.ShellCompRequestCmd, cobra.ShellCompNoDescRequestCmd:
+			// Don't search for a plugin
+		default:
+			if err := HandlePluginCommand(o.PluginHandler, cmdPathPieces, 1); err != nil {
+				fmt.Fprintf(o.IOStreams.ErrOut, "Error: %v\n", err)
+				os.Exit(1)
+			}
 		}
-		remainingArgs = append(remainingArgs, strings.Replace(arg, "-", "_", -1))
 	}
-
-	if len(remainingArgs) == 0 {
-		// the length of cmdArgs is at least 1
-		return fmt.Errorf("flags cannot be placed before plugin name: %s", cmdArgs[0])
-	}
-
-	foundBinaryPath := ""
-
-	// attempt to find binary, starting at longest possible name with given cmdArgs
-	for len(remainingArgs) > 0 {
-		path, found := pluginHandler.Lookup(strings.Join(remainingArgs, "-"))
-		if !found {
-			remainingArgs = remainingArgs[:len(remainingArgs)-1]
-			if len(remainingArgs) < minArgs {
-				// we shouldn't continue searching with shorter names.
-				// this is especially for not searching kubectl-create plugin
-				// when kubectl-create-foo plugin is not found.
+	// Command exists(e.g. kubectl create), but it is not certain that
+	// subcommand also exists (e.g. kubectl create networkpolicy)
+	// we also have to eliminate kubectl create -f
+	if IsSubcommandPluginAllowed(foundCmd.Name()) && len(foundArgs) >= 1 && !strings.HasPrefix(foundArgs[0], "-") {
+		subcommand := foundArgs[0]
+		builtinSubcmdExist := false
+		for _, subcmd := range foundCmd.Commands() {
+			if subcmd.Name() == subcommand {
+				builtinSubcmdExist = true
 				break
 			}
-
-			continue
 		}
 
-		foundBinaryPath = path
-		break
-	}
-
-	if len(foundBinaryPath) == 0 {
-		return nil
-	}
-
-	// invoke cmd binary relaying the current environment and args given
-	if err := pluginHandler.Execute(foundBinaryPath, cmdArgs[len(remainingArgs):], os.Environ()); err != nil {
-		return err
+		if !builtinSubcmdExist {
+			if err := HandlePluginCommand(o.PluginHandler, cmdPathPieces, len(cmdPathPieces)-len(foundArgs)+1); err != nil {
+				fmt.Fprintf(o.IOStreams.ErrOut, "Error: %v\n", err)
+				os.Exit(1)
+			}
+		}
 	}
 
-	return nil
+	return cmd
 }
 
 // NewKubectlCommand creates the `kubectl` command and its nested children.
 func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 	warningHandler := rest.NewWarningWriter(o.IOStreams.ErrOut, rest.WarningWriterOptions{Deduplicate: true, Color: term.AllowsColorOutput(o.IOStreams.ErrOut)})
 	warningsAsErrors := false
+	var finishProfiling func() error
 	// Parent command to which all subcommands are added.
 	cmds := &cobra.Command{
 		Use:   "kubectl",
@@ -328,11 +187,15 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 				plugin.SetupPluginCompletion(cmd, args)
 			}
 
-			return initProfiling()
+			var err error
+			finishProfiling, err = initProfiling()
+			return err
 		},
 		PersistentPostRunE: func(*cobra.Command, []string) error {
-			if err := flushProfiling(); err != nil {
-				return err
+			if finishProfiling != nil {
+				if err := finishProfiling(); err != nil {
+					return err
+				}
 			}
 			if warningsAsErrors {
 				count := warningHandler.WarningCount()
@@ -371,15 +234,17 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 	matchVersionKubeConfigFlags := cmdutil.NewMatchVersionFlags(kubeConfigFlags)
 	matchVersionKubeConfigFlags.AddFlags(flags)
 	// Updates hooks to add kubectl command headers: SIG CLI KEP 859.
-	addCmdHeaderHooks(cmds, kubeConfigFlags)
+	var isProxyCmd atomic.Bool
+	addCmdHeaderHooks(cmds, kubeConfigFlags, &isProxyCmd)
 
 	f := cmdutil.NewFactory(matchVersionKubeConfigFlags)
 
-	// Proxy command is incompatible with CommandHeaderRoundTripper, so
-	// clear the WrapConfigFn before running proxy command.
+	// Proxy command is incompatible with the headers set by
+	// CommandHeaderRoundTripper, so the RoundTripper hooks set in
+	// `addCmdHeaderHooks` needs to be aware that the subcommand is `proxy`
 	proxyCmd := proxy.NewCmdProxy(f, o.IOStreams)
 	proxyCmd.PreRun = func(cmd *cobra.Command, args []string) {
-		kubeConfigFlags.WrapConfigFn = nil
+		isProxyCmd.Store(true)
 	}
 
 	// Avoid import cycle by setting ValidArgsFunction here instead of in NewCmdGet()
@@ -496,7 +361,15 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 	cmds.SetGlobalNormalizationFunc(cliflag.WordSepNormalizeFunc)
 
 	if !cmdutil.KubeRC.IsDisabled() {
-		_, err := pref.Apply(cmds, o.Arguments, o.IOStreams.ErrOut)
+		existingPreRunE := cmds.PersistentPreRunE
+		cmds.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+			if originalCommandArgs, ok := cmd.Annotations[kuberc.KubeRCOriginalCommandAnnotation]; ok {
+				originalCommand := fmt.Sprintf("%s %s", cmd.Root().Name(), originalCommandArgs)
+				klog.V(1).Info(fmt.Sprintf("original command: %q", originalCommand))
+			}
+			return existingPreRunE(cmd, args)
+		}
+		_, err := pref.Apply(cmds, kubeConfigFlags, o.Arguments, o.IOStreams.ErrOut)
 		if err != nil {
 			fmt.Fprintf(o.IOStreams.ErrOut, "error occurred while applying preferences %v\n", err)
 			os.Exit(1)
@@ -514,17 +387,10 @@ func NewKubectlCommand(o KubectlOptions) *cobra.Command {
 //     RoundTripper. CommandHeaderRoundTripper adds X-Headers then delegates
 //     to standard RoundTripper.
 //
-// For beta, these hooks are updated unless the KUBECTL_COMMAND_HEADERS environment variable
-// is set, and the value of the env var is false (or zero).
 // See SIG CLI KEP 859 for more information:
 //
 //	https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/859-kubectl-headers
-func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags) {
-	if cmdutil.CmdHeaders.IsDisabled() {
-		klog.V(5).Infoln("kubectl command headers turned off")
-		return
-	}
-	klog.V(5).Infoln("kubectl command headers turned on")
+func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags, isProxyCmd *atomic.Bool) {
 	crt := &genericclioptions.CommandHeaderRoundTripper{}
 	existingPreRunE := cmds.PersistentPreRunE
 	// Add command parsing to the existing persistent pre-run function.
@@ -534,7 +400,7 @@ func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.C
 	}
 	wrapConfigFn := kubeConfigFlags.WrapConfigFn
 	// Wraps CommandHeaderRoundTripper around standard RoundTripper.
-	kubeConfigFlags.WrapConfigFn = func(c *rest.Config) *rest.Config {
+	kubeConfigFlags.WithWrapConfigFn(func(c *rest.Config) *rest.Config {
 		if wrapConfigFn != nil {
 			c = wrapConfigFn(c)
 		}
@@ -542,12 +408,13 @@ func addCmdHeaderHooks(cmds *cobra.Command, kubeConfigFlags *genericclioptions.C
 			// Must be separate RoundTripper; not "crt" closure.
 			// Fixes: https://github.com/kubernetes/kubectl/issues/1098
 			return &genericclioptions.CommandHeaderRoundTripper{
-				Delegate: rt,
-				Headers:  crt.Headers,
+				Delegate:    rt,
+				Headers:     crt.Headers,
+				SkipHeaders: isProxyCmd, // proxy command is incompatible with these headers
 			}
 		})
 		return c
-	}
+	})
 }
 
 func runHelp(cmd *cobra.Command, args []string) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/cmd_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/cmd_test.go
index f624d5f8fc457..787aac0ee45cd 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/cmd_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/cmd_test.go
@@ -26,10 +26,8 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/spf13/cobra"
 
-	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/cli-runtime/pkg/genericiooptions"
 	"k8s.io/kubectl/pkg/cmd/plugin"
-	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
 func TestNormalizationFuncGlobalExistence(t *testing.T) {
@@ -360,46 +358,3 @@ func (h *testPluginHandler) Execute(executablePath string, cmdArgs, env []string
 	h.withEnv = env
 	return nil
 }
-
-func TestKubectlCommandHeadersHooks(t *testing.T) {
-	tests := map[string]struct {
-		envVar    string
-		addsHooks bool
-	}{
-		"empty environment variable; hooks added": {
-			envVar:    "",
-			addsHooks: true,
-		},
-		"random env var value; hooks added": {
-			envVar:    "foo",
-			addsHooks: true,
-		},
-		"true env var value; hooks added": {
-			envVar:    "true",
-			addsHooks: true,
-		},
-		"false env var value; hooks NOT added": {
-			envVar:    "false",
-			addsHooks: false,
-		},
-	}
-
-	for name, testCase := range tests {
-		t.Run(name, func(t *testing.T) {
-			cmds := &cobra.Command{}
-			kubeConfigFlags := genericclioptions.NewConfigFlags(true).WithDeprecatedPasswordFlag()
-			if kubeConfigFlags.WrapConfigFn != nil {
-				t.Fatal("expected initial nil WrapConfigFn")
-			}
-			t.Setenv(string(cmdutil.CmdHeaders), testCase.envVar)
-			addCmdHeaderHooks(cmds, kubeConfigFlags)
-			// Valdidate whether the hooks were added.
-			if testCase.addsHooks && kubeConfigFlags.WrapConfigFn == nil {
-				t.Error("after adding kubectl command header, expecting non-nil WrapConfigFn")
-			}
-			if !testCase.addsHooks && kubeConfigFlags.WrapConfigFn != nil {
-				t.Error("env var feature gate should have blocked setting WrapConfigFn")
-			}
-		})
-	}
-}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go b/staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go
index 8656ad806da03..1f8bd6cda6a0c 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/completion/completion.go
@@ -102,8 +102,8 @@ var (
 		    kubectl completion powershell | Out-String | Invoke-Expression
 		# Set kubectl completion code for powershell to run on startup
 		## Save completion code to a script and execute in the profile
-		    kubectl completion powershell > $HOME\.kube\completion.ps1
-		    Add-Content $PROFILE "$HOME\.kube\completion.ps1"
+		    kubectl completion powershell > "$HOME\.kube\completion.ps1"
+		    Add-Content $PROFILE ". '$HOME\.kube\completion.ps1'"
 		## Execute completion code in the profile
 		    Add-Content $PROFILE "if (Get-Command kubectl -ErrorAction SilentlyContinue) {
 		        kubectl completion powershell | Out-String | Invoke-Expression
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go
index 671820a763537..b7fca74068a5d 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context.go
@@ -79,7 +79,7 @@ func NewCmdConfigSetContext(restClientGetter genericclioptions.RESTClientGetter,
 	cmd.Flags().BoolVar(&options.currContext, "current", options.currContext, "Modify the current context")
 	cmd.Flags().Var(&options.cluster, clientcmd.FlagClusterName, clientcmd.FlagClusterName+" for the context entry in kubeconfig")
 	cmd.Flags().Var(&options.authInfo, clientcmd.FlagAuthInfoName, clientcmd.FlagAuthInfoName+" for the context entry in kubeconfig")
-	cmd.Flags().Var(&options.namespace, clientcmd.FlagNamespace, clientcmd.FlagNamespace+" for the context entry in kubeconfig")
+	cmd.Flags().VarP(&options.namespace, clientcmd.FlagNamespace, "n", clientcmd.FlagNamespace+" for the context entry in kubeconfig")
 	cmdutil.CheckErr(cmd.RegisterFlagCompletionFunc(
 		"namespace",
 		func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context_test.go
index 5369d6319fc00..1b15190474d14 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_context_test.go
@@ -37,48 +37,71 @@ type setContextTest struct {
 	expectedConfig clientcmdapi.Config //expect kubectl config
 }
 
+var namespaceFlagCases = []struct {
+	description   string
+	namespaceFlag string
+}{
+	{
+		description:   "long namespace flag",
+		namespaceFlag: "--namespace",
+	},
+	{
+		description:   "short namespace flag",
+		namespaceFlag: "-n",
+	},
+}
+
 func TestCreateContext(t *testing.T) {
-	conf := clientcmdapi.Config{}
-	test := setContextTest{
-		testContext: "shaker-context",
-		description: "Testing for create a new context",
-		config:      conf,
-		args:        []string{"shaker-context"},
-		flags: []string{
-			"--cluster=cluster_nickname",
-			"--user=user_nickname",
-			"--namespace=namespace",
-		},
-		expected: `Context "shaker-context" created.` + "\n",
-		expectedConfig: clientcmdapi.Config{
-			Contexts: map[string]*clientcmdapi.Context{
-				"shaker-context": {AuthInfo: "user_nickname", Cluster: "cluster_nickname", Namespace: "namespace"}},
-		},
+	for _, tc := range namespaceFlagCases {
+		t.Run(tc.description, func(t *testing.T) {
+			conf := clientcmdapi.Config{}
+			test := setContextTest{
+				testContext: "shaker-context",
+				description: "Testing for create a new context",
+				config:      conf,
+				args:        []string{"shaker-context"},
+				flags: []string{
+					"--cluster=cluster_nickname",
+					"--user=user_nickname",
+					tc.namespaceFlag + "=namespace",
+				},
+				expected: `Context "shaker-context" created.` + "\n",
+				expectedConfig: clientcmdapi.Config{
+					Contexts: map[string]*clientcmdapi.Context{
+						"shaker-context": {AuthInfo: "user_nickname", Cluster: "cluster_nickname", Namespace: "namespace"}},
+				},
+			}
+			test.run(t)
+		})
 	}
-	test.run(t)
 }
+
 func TestModifyContext(t *testing.T) {
-	conf := clientcmdapi.Config{
-		Contexts: map[string]*clientcmdapi.Context{
-			"shaker-context": {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"},
-			"not-this":       {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"}}}
-	test := setContextTest{
-		testContext: "shaker-context",
-		description: "Testing for modify a already exist context",
-		config:      conf,
-		args:        []string{"shaker-context"},
-		flags: []string{
-			"--cluster=cluster_nickname",
-			"--user=user_nickname",
-			"--namespace=namespace",
-		},
-		expected: `Context "shaker-context" modified.` + "\n",
-		expectedConfig: clientcmdapi.Config{
-			Contexts: map[string]*clientcmdapi.Context{
-				"shaker-context": {AuthInfo: "user_nickname", Cluster: "cluster_nickname", Namespace: "namespace"},
-				"not-this":       {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"}}},
+	for _, tc := range namespaceFlagCases {
+		t.Run(tc.description, func(t *testing.T) {
+			conf := clientcmdapi.Config{
+				Contexts: map[string]*clientcmdapi.Context{
+					"shaker-context": {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"},
+					"not-this":       {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"}}}
+			test := setContextTest{
+				testContext: "shaker-context",
+				description: "Testing for modify a already exist context",
+				config:      conf,
+				args:        []string{"shaker-context"},
+				flags: []string{
+					"--cluster=cluster_nickname",
+					"--user=user_nickname",
+					tc.namespaceFlag + "=namespace",
+				},
+				expected: `Context "shaker-context" modified.` + "\n",
+				expectedConfig: clientcmdapi.Config{
+					Contexts: map[string]*clientcmdapi.Context{
+						"shaker-context": {AuthInfo: "user_nickname", Cluster: "cluster_nickname", Namespace: "namespace"},
+						"not-this":       {AuthInfo: "blue-user", Cluster: "big-cluster", Namespace: "saw-ns"}}},
+			}
+			test.run(t)
+		})
 	}
-	test.run(t)
 }
 
 func TestModifyCurrentContext(t *testing.T) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go
index 2bc6896b16d9e..a9c049d86046d 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/config/set_credentials.go
@@ -129,7 +129,8 @@ func NewCmdConfigSetCredentials(out io.Writer, configAccess clientcmd.ConfigAcce
 }
 
 // NewCmdConfigSetAuthInfo returns a Command instance for 'config set-credentials' sub command
-// DEPRECATED: Use NewCmdConfigSetCredentials instead
+//
+// Deprecated: Use NewCmdConfigSetCredentials instead
 func NewCmdConfigSetAuthInfo(out io.Writer, configAccess clientcmd.ConfigAccess) *cobra.Command {
 	return NewCmdConfigSetCredentials(out, configAccess)
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go
index 811720d4f126d..8ec8f41190c22 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_job.go
@@ -106,7 +106,7 @@ func NewCmdCreateJob(f cmdutil.Factory, ioStreams genericiooptions.IOStreams) *c
 	cmdutil.AddValidateFlags(cmd)
 	cmdutil.AddDryRunFlag(cmd)
 	cmd.Flags().StringVar(&o.Image, "image", o.Image, "Image name to run.")
-	cmd.Flags().StringVar(&o.From, "from", o.From, "The name of the resource to create a Job from (only cronjob is supported).")
+	cmd.Flags().StringVar(&o.From, "from", o.From, "The name of the resource to create a Job from (only CronJob is supported).")
 	cmdutil.AddFieldManagerFlagVar(cmd, &o.FieldManager, "kubectl-create")
 	return cmd
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go b/staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go
index b82e493cee830..9448cdde50ed2 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/diff/diff.go
@@ -642,13 +642,11 @@ func (o *DiffOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []str
 
 	if !o.ServerSideApply {
 		o.OpenAPIGetter = f
-		if !cmdutil.OpenAPIV3Patch.IsDisabled() {
-			openAPIV3Client, err := f.OpenAPIV3Client()
-			if err == nil {
-				o.OpenAPIV3Root = openapi3.NewRoot(openAPIV3Client)
-			} else {
-				klog.V(4).Infof("warning: OpenAPI V3 Patch is enabled but is unable to be loaded. Will fall back to OpenAPI V2")
-			}
+		openAPIV3Client, err := f.OpenAPIV3Client()
+		if err == nil {
+			o.OpenAPIV3Root = openapi3.NewRoot(openAPIV3Client)
+		} else {
+			klog.V(4).Infof("warning: OpenAPI V3 Patch is enabled but is unable to be loaded. Will fall back to OpenAPI V2")
 		}
 	}
 
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go b/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
index a4aa93fdb5c37..865191cd2a7d4 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
@@ -19,6 +19,7 @@ package drain
 import (
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/spf13/cobra"
 
@@ -151,10 +152,11 @@ func NewDrainCmdOptions(f cmdutil.Factory, ioStreams genericiooptions.IOStreams)
 		PrintFlags: genericclioptions.NewPrintFlags("drained").WithTypeSetter(scheme.Scheme),
 		IOStreams:  ioStreams,
 		drainer: &drain.Helper{
-			GracePeriodSeconds: -1,
-			Out:                ioStreams.Out,
-			ErrOut:             ioStreams.ErrOut,
-			ChunkSize:          cmdutil.DefaultChunkSize,
+			GracePeriodSeconds:   -1,
+			EvictErrorRetryDelay: 5 * time.Second,
+			Out:                  ioStreams.Out,
+			ErrOut:               ioStreams.ErrOut,
+			ChunkSize:            cmdutil.DefaultChunkSize,
 		},
 	}
 	o.drainer.OnPodDeletionOrEvictionFinished = o.onPodDeletionOrEvictionFinished
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go b/staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go
index 64773e2ed9228..d664ae3c573d3 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/exec/exec.go
@@ -366,7 +366,9 @@ func (p *ExecOptions) Run() error {
 	var sizeQueue remotecommand.TerminalSizeQueue
 	if t.Raw {
 		// this call spawns a goroutine to monitor/update the terminal size
-		sizeQueue = t.MonitorSize(t.GetSize())
+		sizeQueue = &terminalSizeQueueAdapter{
+			delegate: t.MonitorSize(t.GetSize()),
+		}
 
 		// unset p.Err if it was previously set because both stdout and stderr go over p.Out when tty is
 		// true
@@ -403,3 +405,22 @@ func (p *ExecOptions) Run() error {
 
 	return nil
 }
+
+type terminalSizeQueueAdapter struct {
+	delegate term.TerminalSizeQueue
+}
+
+func (a *terminalSizeQueueAdapter) Next() *remotecommand.TerminalSize {
+	if a.delegate == nil {
+		return nil
+	}
+
+	next := a.delegate.Next()
+	if next == nil {
+		return nil
+	}
+	return &remotecommand.TerminalSize{
+		Width:  next.Width,
+		Height: next.Height,
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go b/staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go
index a058a64f9a4a6..29c328568017f 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/expose/expose.go
@@ -206,7 +206,7 @@ func (flags *ExposeServiceFlags) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&flags.Port, "port", flags.Port, i18n.T("The port that the service should serve on. Copied from the resource being exposed, if unspecified"))
 	cmd.Flags().StringVar(&flags.Type, "type", flags.Type, i18n.T("Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. Default is 'ClusterIP'."))
 	cmd.Flags().StringVar(&flags.LoadBalancerIP, "load-balancer-ip", flags.LoadBalancerIP, i18n.T("IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created and used (cloud-provider specific)."))
-	cmd.Flags().StringVar(&flags.Selector, "selector", flags.Selector, i18n.T("A label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the replication controller or replica set.)"))
+	cmd.Flags().StringVar(&flags.Selector, "selector", flags.Selector, i18n.T("A label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the resource being exposed."))
 	cmd.Flags().StringVarP(&flags.Labels, "labels", "l", flags.Labels, "Labels to apply to the service created by this call.")
 	cmd.Flags().StringVar(&flags.TargetPort, "target-port", flags.TargetPort, i18n.T("Name or number for the port on the container that the service should direct traffic to. Optional."))
 	cmd.Flags().StringVar(&flags.ExternalIP, "external-ip", flags.ExternalIP, i18n.T("Additional external IP address (not managed by Kubernetes) to accept for the service. If this IP is routed to a node, the service can be accessed by this IP in addition to its generated service IP."))
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/get/get.go b/staging/src/k8s.io/kubectl/pkg/cmd/get/get.go
index 5509158a7747e..00b991e6edf10 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/get/get.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/get/get.go
@@ -629,9 +629,6 @@ func (o *GetOptions) watch(f cmdutil.Factory, args []string) error {
 		}
 		return err
 	}
-	if multipleGVKsRequested(infos) {
-		return i18n.Errorf("watch is only supported on individual resources and resource collections - more than 1 resource was found")
-	}
 
 	info := infos[0]
 	mapping := info.ResourceMapping()
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/kuberc.go b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/kuberc.go
new file mode 100644
index 0000000000000..d134fbd4c2ea9
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/kuberc.go
@@ -0,0 +1,59 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kuberc
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/util/i18n"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+var (
+	kubercLong = templates.LongDesc(i18n.T(`
+		Manage user preferences (kuberc) file.
+
+		The kuberc file allows you to customize your kubectl experience.`))
+
+	kubercExample = templates.Examples(i18n.T(`
+		# View the current kuberc configuration
+		kubectl alpha kuberc view
+
+		# Set a default value for a command flag
+		kubectl alpha kuberc set --section defaults --command get --option output=wide
+
+		# Create an alias for a command
+		kubectl alpha kuberc set --section aliases --name getn --command get --prependarg nodes --option output=wide`))
+)
+
+// NewCmdKubeRC creates a command object for the "kuberc" action, and adds all child commands to it.
+func NewCmdKubeRC(streams genericiooptions.IOStreams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:                   "kuberc SUBCOMMAND",
+		DisableFlagsInUseLine: true,
+		Short:                 i18n.T("Manage kuberc configuration files"),
+		Long:                  kubercLong,
+		Example:               kubercExample,
+		Run:                   cmdutil.DefaultSubCommandRun(streams.ErrOut),
+	}
+
+	cmd.AddCommand(NewCmdKubeRCView(streams))
+	cmd.AddCommand(NewCmdKubeRCSet(streams))
+
+	return cmd
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set.go b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set.go
new file mode 100644
index 0000000000000..cd47dc150762b
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set.go
@@ -0,0 +1,288 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kuberc
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"k8s.io/kubectl/pkg/kuberc"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/config/v1beta1"
+	"k8s.io/kubectl/pkg/util/i18n"
+	"k8s.io/kubectl/pkg/util/templates"
+	"sigs.k8s.io/yaml"
+)
+
+const (
+	sectionDefaults = "defaults"
+	sectionAliases  = "aliases"
+)
+
+var (
+	setLong = templates.LongDesc(i18n.T(`
+		Set values in the kuberc configuration file.
+
+		Use --section to specify whether to set defaults or aliases.
+
+		For defaults: Sets default flag values for kubectl commands. The --command flag
+		should specify only the command (e.g., "get", "create", "set env"), not resources.
+
+		For aliases: Creates command aliases with optional default flag values and arguments.
+		Use --prependarg and --appendarg to include resources or other arguments.`))
+
+	setExample = templates.Examples(i18n.T(`
+		# Set default output format for 'get' command
+		kubectl alpha kuberc set --section defaults --command get --option output=wide
+
+		# Set default output format for a subcommand
+		kubectl alpha kuberc set --section defaults --command "set env" --option output=yaml
+
+		# Create an alias 'getn' for 'get' command with prepended 'nodes' resource
+		kubectl alpha kuberc set --section aliases --name getn --command get --prependarg nodes --option output=wide
+
+		# Create an alias 'runx' for 'run' command with appended arguments
+		kubectl alpha kuberc set --section aliases --name runx --command run --option image=nginx --appendarg "--" --appendarg custom-arg1
+
+		# Overwrite an existing default
+		kubectl alpha kuberc set --section defaults --command get --option output=json --overwrite`))
+)
+
+// SetOptions contains the options for setting kuberc configuration
+type SetOptions struct {
+	KubeRCFile  string
+	Section     string // "defaults" or "aliases"
+	Command     string
+	AliasName   string   // for aliases
+	Options     []string // flag=value pairs
+	PrependArgs []string
+	AppendArgs  []string
+	Overwrite   bool
+
+	preferences kuberc.PreferencesHandler
+
+	genericiooptions.IOStreams
+}
+
+func NewSetOptions(ioStreams genericiooptions.IOStreams) *SetOptions {
+	return &SetOptions{
+		IOStreams:   ioStreams,
+		Options:     []string{},
+		PrependArgs: []string{},
+		AppendArgs:  []string{},
+		preferences: kuberc.NewPreferences(),
+	}
+}
+
+// NewCmdKubeRCSet returns a Command instance for 'kuberc set' sub command
+func NewCmdKubeRCSet(streams genericiooptions.IOStreams) *cobra.Command {
+	o := NewSetOptions(streams)
+
+	cmd := &cobra.Command{
+		Use:                   "set --section (defaults|aliases) --command COMMAND",
+		DisableFlagsInUseLine: true,
+		Short:                 i18n.T("Set values in the kuberc configuration"),
+		Long:                  setLong,
+		Example:               setExample,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmdutil.CheckErr(o.Complete(cmd))
+			cmdutil.CheckErr(o.Validate())
+			cmdutil.CheckErr(o.Run())
+		},
+	}
+
+	o.preferences.AddFlags(cmd.Flags())
+	cmd.Flags().StringVar(&o.Section, "section", o.Section, "Section to modify: 'defaults' or 'aliases'")
+	cmd.MarkFlagRequired("section") // nolint:errcheck
+	cmd.Flags().StringVar(&o.Command, "command", o.Command, "Command to configure (e.g., 'get', 'create', 'set env')")
+	cmd.MarkFlagRequired("command") // nolint:errcheck
+	cmd.Flags().StringVar(&o.AliasName, "name", o.AliasName, "Alias name (required for --section=aliases)")
+	cmd.Flags().StringArrayVar(&o.Options, "option", o.Options, "Flag option in the form flag=value (can be specified multiple times)")
+	cmd.Flags().StringArrayVar(&o.PrependArgs, "prependarg", o.PrependArgs, "Argument to prepend to the command (can be specified multiple times, for aliases only)")
+	cmd.Flags().StringArrayVar(&o.AppendArgs, "appendarg", o.AppendArgs, "Argument to append to the command (can be specified multiple times, for aliases only)")
+	cmd.Flags().BoolVar(&o.Overwrite, "overwrite", o.Overwrite, "Allow overwriting existing entries")
+
+	return cmd
+}
+
+// Complete sets default values for SetOptions
+func (o *SetOptions) Complete(cmd *cobra.Command) error {
+	if cmd.Flags().Changed("kuberc") {
+		o.KubeRCFile = cmd.Flag("kuberc").Value.String()
+	}
+
+	kubeRCFile, _, err := kuberc.LoadKuberc(o.KubeRCFile)
+	if err != nil {
+		return err
+	}
+
+	o.KubeRCFile = kubeRCFile
+	return nil
+}
+
+// Validate validates the SetOptions
+func (o *SetOptions) Validate() error {
+	if o.KubeRCFile == "" {
+		return fmt.Errorf("KUBERC is disabled via KUBERC=off environment variable")
+	}
+
+	if o.Section != sectionDefaults && o.Section != sectionAliases {
+		return fmt.Errorf("--section must be %q or %q, got: %s", sectionDefaults, sectionAliases, o.Section)
+	}
+
+	if o.Section == sectionAliases && o.AliasName == "" {
+		return fmt.Errorf("--name is required when --section=%s", sectionAliases)
+	}
+
+	if o.Section == sectionDefaults && o.AliasName != "" {
+		return fmt.Errorf("--name should not be specified when --section=%s", sectionDefaults)
+	}
+
+	if o.Section == sectionDefaults && (len(o.PrependArgs) > 0 || len(o.AppendArgs) > 0) {
+		return fmt.Errorf("--prependarg and --appendarg are only valid for --section=%s", sectionAliases)
+	}
+
+	return nil
+}
+
+// Run executes the set command
+func (o *SetOptions) Run() error {
+	pref, err := o.loadOrCreatePreference()
+	if err != nil {
+		return err
+	}
+
+	optionDefaults, err := o.parseOptions()
+	if err != nil {
+		return err
+	}
+
+	switch o.Section {
+	case sectionDefaults:
+		err = o.setDefaults(pref, optionDefaults)
+	case sectionAliases:
+		err = o.setAlias(pref, optionDefaults)
+	}
+	if err != nil {
+		return err
+	}
+
+	return kuberc.SavePreference(pref, o.KubeRCFile, o.Out)
+}
+
+// loadOrCreatePreference loads existing preference or creates a new one
+func (o *SetOptions) loadOrCreatePreference() (*v1beta1.Preference, error) {
+	data, err := os.ReadFile(o.KubeRCFile)
+	if err != nil && !os.IsNotExist(err) {
+		return nil, fmt.Errorf("error reading kuberc file: %w", err)
+	}
+
+	if os.IsNotExist(err) || len(data) == 0 {
+		return &v1beta1.Preference{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "kubectl.config.k8s.io/v1beta1",
+				Kind:       "Preference",
+			},
+		}, nil
+	}
+
+	var pref v1beta1.Preference
+	if err := yaml.Unmarshal(data, &pref); err != nil {
+		return nil, fmt.Errorf("error parsing kuberc file: %w", err)
+	}
+
+	return &pref, nil
+}
+
+// parseOptions parses the --option flags into CommandOptionDefault structs
+func (o *SetOptions) parseOptions() ([]v1beta1.CommandOptionDefault, error) {
+	var options []v1beta1.CommandOptionDefault
+
+	for _, opt := range o.Options {
+		parts := strings.SplitN(opt, "=", 2)
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("invalid option format %q, expected flag=value", opt)
+		}
+
+		// Remove leading dashes from flag name if present
+		flagName := strings.TrimLeft(parts[0], "-")
+
+		options = append(options, v1beta1.CommandOptionDefault{
+			Name:    flagName,
+			Default: parts[1],
+		})
+	}
+
+	return options, nil
+}
+
+// setDefaults updates the defaults section of the preference
+func (o *SetOptions) setDefaults(pref *v1beta1.Preference, options []v1beta1.CommandOptionDefault) error {
+	for i, def := range pref.Defaults {
+		if def.Command == o.Command {
+			if !o.Overwrite {
+				return fmt.Errorf("defaults for command %q already exist, use --overwrite to replace", o.Command)
+			}
+
+			pref.Defaults[i].Options = options
+			return nil
+		}
+	}
+
+	pref.Defaults = append(pref.Defaults, v1beta1.CommandDefaults{
+		Command: o.Command,
+		Options: options,
+	})
+
+	return nil
+}
+
+// setAlias updates the aliases section of the preference
+func (o *SetOptions) setAlias(pref *v1beta1.Preference, options []v1beta1.CommandOptionDefault) error {
+	// Check if this alias already exists
+	for i, alias := range pref.Aliases {
+		if alias.Name == o.AliasName {
+			if !o.Overwrite {
+				return fmt.Errorf("alias %q already exists, use --overwrite to replace", o.AliasName)
+			}
+
+			pref.Aliases[i] = v1beta1.AliasOverride{
+				Name:        o.AliasName,
+				Command:     o.Command,
+				PrependArgs: o.PrependArgs,
+				AppendArgs:  o.AppendArgs,
+				Options:     options,
+			}
+			return nil
+		}
+	}
+
+	pref.Aliases = append(pref.Aliases, v1beta1.AliasOverride{
+		Name:        o.AliasName,
+		Command:     o.Command,
+		PrependArgs: o.PrependArgs,
+		AppendArgs:  o.AppendArgs,
+		Options:     options,
+	})
+
+	return nil
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set_test.go
new file mode 100644
index 0000000000000..185a6c1b08fe8
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/set_test.go
@@ -0,0 +1,470 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kuberc
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	"k8s.io/kubectl/pkg/config/v1beta1"
+	"sigs.k8s.io/yaml"
+)
+
+func TestSetOptions_Run_Defaults(t *testing.T) {
+	tests := []struct {
+		name           string
+		existingKuberc string
+		options        SetOptions
+		expectedPref   *v1beta1.Preference
+		expectError    bool
+		errorContains  string
+	}{
+		{
+			name:           "create new defaults",
+			existingKuberc: "",
+			options: SetOptions{
+				Section: sectionDefaults,
+				Command: "get",
+				Options: []string{"output=wide"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Defaults: []v1beta1.CommandDefaults{
+					{
+						Command: "get",
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "wide",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "add defaults to existing file",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+defaults:
+- command: get
+  options:
+  - name: output
+    default: wide
+`,
+			options: SetOptions{
+				Section: sectionDefaults,
+				Command: "create",
+				Options: []string{"output=yaml"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Defaults: []v1beta1.CommandDefaults{
+					{
+						Command: "get",
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "wide",
+							},
+						},
+					},
+					{
+						Command: "create",
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "yaml",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "overwrite existing defaults",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+defaults:
+- command: get
+  options:
+  - name: output
+    default: wide
+`,
+			options: SetOptions{
+				Section:   sectionDefaults,
+				Command:   "get",
+				Options:   []string{"output=json"},
+				Overwrite: true,
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Defaults: []v1beta1.CommandDefaults{
+					{
+						Command: "get",
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "json",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "error without overwrite",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+defaults:
+- command: get
+  options:
+  - name: output
+    default: wide
+`,
+			options: SetOptions{
+				Section:   sectionDefaults,
+				Command:   "get",
+				Options:   []string{"output=json"},
+				Overwrite: false,
+			},
+			expectError:   true,
+			errorContains: "already exist",
+		},
+		{
+			name:           "subcommand with multiple options",
+			existingKuberc: "",
+			options: SetOptions{
+				Section: sectionDefaults,
+				Command: "set env",
+				Options: []string{"output=yaml", "local=true"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Defaults: []v1beta1.CommandDefaults{
+					{
+						Command: "set env",
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "yaml",
+							},
+							{
+								Name:    "local",
+								Default: "true",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir, err := os.MkdirTemp("", "kuberc-set-test-")
+			if err != nil {
+				t.Fatalf("failed to create temp dir: %v", err)
+			}
+			defer func() {
+				os.RemoveAll(tmpDir) // nolint:errcheck
+			}()
+
+			kubercPath := filepath.Join(tmpDir, "kuberc")
+			if tt.existingKuberc != "" {
+				if err := os.WriteFile(kubercPath, []byte(tt.existingKuberc), 0644); err != nil {
+					t.Fatalf("failed to write existing kuberc file: %v", err)
+				}
+			}
+
+			streams, _, out, _ := genericiooptions.NewTestIOStreams()
+			tt.options.KubeRCFile = kubercPath
+			tt.options.IOStreams = streams
+
+			err = tt.options.Run()
+
+			if tt.expectError {
+				if err == nil {
+					t.Fatalf("expected error but got none")
+				}
+				if !strings.Contains(err.Error(), tt.errorContains) {
+					t.Errorf("expected error to contain %q, got: %v", tt.errorContains, err)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("Run() unexpected error = %v", err)
+			}
+
+			// Verify the file was written
+			data, err := os.ReadFile(kubercPath)
+			if err != nil {
+				t.Fatalf("failed to read written kuberc file: %v", err)
+			}
+
+			var actualPref v1beta1.Preference
+			if err := yaml.Unmarshal(data, &actualPref); err != nil {
+				t.Fatalf("failed to unmarshal actual output: %v", err)
+			}
+
+			if diff := cmp.Diff(tt.expectedPref, &actualPref); diff != "" {
+				t.Errorf("Run() output mismatch (-expected +got):\n%s", diff)
+			}
+
+			// Verify output message
+			if !strings.Contains(out.String(), "Updated") {
+				t.Errorf("expected output to contain 'Updated', got: %s", out.String())
+			}
+		})
+	}
+}
+
+func TestSetOptions_Run_Aliases(t *testing.T) {
+	tests := []struct {
+		name           string
+		existingKuberc string
+		options        SetOptions
+		expectedPref   *v1beta1.Preference
+		expectError    bool
+		errorContains  string
+	}{
+		{
+			name:           "create new alias",
+			existingKuberc: "",
+			options: SetOptions{
+				Section:     sectionAliases,
+				AliasName:   "getn",
+				Command:     "get",
+				PrependArgs: []string{"nodes"},
+				Options:     []string{"output=wide"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Aliases: []v1beta1.AliasOverride{
+					{
+						Name:        "getn",
+						Command:     "get",
+						PrependArgs: []string{"nodes"},
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "output",
+								Default: "wide",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "add alias to existing file",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+aliases:
+- name: getn
+  command: get
+  prependArgs:
+  - nodes
+`,
+			options: SetOptions{
+				Section:     sectionAliases,
+				AliasName:   "getp",
+				Command:     "get",
+				PrependArgs: []string{"pods"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Aliases: []v1beta1.AliasOverride{
+					{
+						Name:        "getn",
+						Command:     "get",
+						PrependArgs: []string{"nodes"},
+					},
+					{
+						Name:        "getp",
+						Command:     "get",
+						PrependArgs: []string{"pods"},
+					},
+				},
+			},
+		},
+		{
+			name: "overwrite existing alias",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+aliases:
+- name: getn
+  command: get
+  prependArgs:
+  - nodes
+`,
+			options: SetOptions{
+				Section:     sectionAliases,
+				AliasName:   "getn",
+				Command:     "get",
+				PrependArgs: []string{"namespaces"},
+				Overwrite:   true,
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Aliases: []v1beta1.AliasOverride{
+					{
+						Name:        "getn",
+						Command:     "get",
+						PrependArgs: []string{"namespaces"},
+					},
+				},
+			},
+		},
+		{
+			name: "error without overwrite",
+			existingKuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+aliases:
+- name: getn
+  command: get
+  prependArgs:
+  - nodes
+`,
+			options: SetOptions{
+				Section:     sectionAliases,
+				AliasName:   "getn",
+				Command:     "get",
+				PrependArgs: []string{"namespaces"},
+				Overwrite:   false,
+			},
+			expectError:   true,
+			errorContains: "already exists",
+		},
+		{
+			name:           "alias with append args",
+			existingKuberc: "",
+			options: SetOptions{
+				Section:    sectionAliases,
+				AliasName:  "runx",
+				Command:    "run",
+				AppendArgs: []string{"--", "custom-arg1"},
+				Options:    []string{"image=nginx"},
+			},
+			expectedPref: &v1beta1.Preference{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "kubectl.config.k8s.io/v1beta1",
+					Kind:       "Preference",
+				},
+				Aliases: []v1beta1.AliasOverride{
+					{
+						Name:       "runx",
+						Command:    "run",
+						AppendArgs: []string{"--", "custom-arg1"},
+						Options: []v1beta1.CommandOptionDefault{
+							{
+								Name:    "image",
+								Default: "nginx",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir, err := os.MkdirTemp("", "kuberc-set-test-")
+			if err != nil {
+				t.Fatalf("failed to create temp dir: %v", err)
+			}
+			defer func() {
+				os.RemoveAll(tmpDir) // nolint:errcheck
+			}()
+
+			kubercPath := filepath.Join(tmpDir, "kuberc")
+			if tt.existingKuberc != "" {
+				if err := os.WriteFile(kubercPath, []byte(tt.existingKuberc), 0644); err != nil {
+					t.Fatalf("failed to write existing kuberc file: %v", err)
+				}
+			}
+
+			streams, _, out, _ := genericiooptions.NewTestIOStreams()
+			tt.options.KubeRCFile = kubercPath
+			tt.options.IOStreams = streams
+
+			err = tt.options.Run()
+
+			if tt.expectError {
+				if err == nil {
+					t.Fatalf("expected error but got none")
+				}
+				if !strings.Contains(err.Error(), tt.errorContains) {
+					t.Errorf("expected error to contain %q, got: %v", tt.errorContains, err)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("Run() unexpected error = %v", err)
+			}
+
+			// Verify the file was written
+			data, err := os.ReadFile(kubercPath)
+			if err != nil {
+				t.Fatalf("failed to read written kuberc file: %v", err)
+			}
+
+			var actualPref v1beta1.Preference
+			if err := yaml.Unmarshal(data, &actualPref); err != nil {
+				t.Fatalf("failed to unmarshal actual output: %v", err)
+			}
+
+			if diff := cmp.Diff(tt.expectedPref, &actualPref); diff != "" {
+				t.Errorf("Run() output mismatch (-expected +got):\n%s", diff)
+			}
+
+			// Verify output message
+			if !strings.Contains(out.String(), "Updated") {
+				t.Errorf("expected output to contain 'Updated', got: %s", out.String())
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view.go b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view.go
new file mode 100644
index 0000000000000..b333b1aa89b94
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view.go
@@ -0,0 +1,155 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kuberc
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/config/v1beta1"
+	"k8s.io/kubectl/pkg/kuberc"
+	"k8s.io/kubectl/pkg/util/i18n"
+	"k8s.io/kubectl/pkg/util/templates"
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	viewLong = templates.LongDesc(i18n.T(`Display the contents of the kuberc file in the specified output format.`))
+
+	viewExample = templates.Examples(i18n.T(`
+		# View kuberc configuration in YAML format (default)
+		kubectl alpha kuberc view
+
+		# View kuberc configuration in JSON format
+		kubectl alpha kuberc view --output json
+
+		# View a specific kuberc file
+		kubectl alpha kuberc view --kuberc /path/to/kuberc`))
+)
+
+// ViewOptions contains the options for viewing kuberc configuration
+type ViewOptions struct {
+	KubeRCFile string
+	Explicit   bool
+	PrintFlags *genericclioptions.PrintFlags
+
+	preferences kuberc.PreferencesHandler
+
+	genericiooptions.IOStreams
+}
+
+// NewCmdKubeRCView returns a Command instance for 'kuberc view' sub command
+func NewCmdKubeRCView(streams genericiooptions.IOStreams) *cobra.Command {
+	o := &ViewOptions{
+		PrintFlags:  genericclioptions.NewPrintFlags("").WithDefaultOutput("yaml"),
+		IOStreams:   streams,
+		preferences: kuberc.NewPreferences(),
+	}
+
+	cmd := &cobra.Command{
+		Use:                   "view",
+		DisableFlagsInUseLine: true,
+		Short:                 i18n.T("Display the current kuberc configuration"),
+		Long:                  viewLong,
+		Example:               viewExample,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmdutil.CheckErr(o.Complete(cmd))
+			cmdutil.CheckErr(o.Validate())
+			cmdutil.CheckErr(o.Run())
+		},
+	}
+
+	o.preferences.AddFlags(cmd.Flags())
+	o.PrintFlags.AddFlags(cmd)
+
+	return cmd
+}
+
+// Complete sets default values for ViewOptions
+func (o *ViewOptions) Complete(cmd *cobra.Command) error {
+	if cmd.Flags().Changed("kuberc") {
+		o.KubeRCFile = cmd.Flag("kuberc").Value.String()
+	}
+
+	kubeRCFile, explicit, err := kuberc.LoadKuberc(o.KubeRCFile)
+	if err != nil {
+		return err
+	}
+
+	o.Explicit = explicit
+	o.KubeRCFile = kubeRCFile
+	return nil
+}
+
+// Validate validates the ViewOptions
+func (o *ViewOptions) Validate() error {
+	if o.KubeRCFile == "" {
+		return fmt.Errorf("KUBERC is disabled via KUBERC=off environment variable")
+	}
+
+	return nil
+}
+
+// Run executes the view command
+func (o *ViewOptions) Run() error {
+	data, err := os.ReadFile(o.KubeRCFile)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return fmt.Errorf("error reading kuberc file: %w", err)
+		}
+		if o.Explicit {
+			return fmt.Errorf("kuberc file not found at %s", o.KubeRCFile)
+		}
+		fmt.Fprintf(o.Out, "kuberc file not found at %s\n", o.KubeRCFile)                                        //nolint:errcheck
+		fmt.Fprintf(o.Out, "Would you like to generate a default kuberc file with recommended options? (y/N): ") //nolint:errcheck
+		var input string
+		_, err := fmt.Fscanln(o.In, &input)
+		if err != nil {
+			return nil
+		}
+
+		if strings.EqualFold(input, "y") {
+			pref := kuberc.CreateDefaultPreference()
+			return kuberc.SavePreference(pref, o.KubeRCFile, o.Out)
+		}
+	}
+
+	var pref *v1beta1.Preference
+	if err := yaml.Unmarshal(data, &pref); err != nil {
+		return fmt.Errorf("error parsing kuberc file: %w", err)
+	}
+
+	if pref.Aliases == nil {
+		pref.Aliases = []v1beta1.AliasOverride{}
+	}
+	if pref.Defaults == nil {
+		pref.Defaults = []v1beta1.CommandDefaults{}
+	}
+
+	printer, err := o.PrintFlags.ToPrinter()
+	if err != nil {
+		return err
+	}
+
+	return printer.PrintObj(pref, o.Out)
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view_test.go
new file mode 100644
index 0000000000000..555423dd4989f
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/kuberc/view_test.go
@@ -0,0 +1,125 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kuberc
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	"k8s.io/kubectl/pkg/config/v1beta1"
+	"sigs.k8s.io/yaml"
+)
+
+func TestViewOptions_Run(t *testing.T) {
+	kubercContent := `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+defaults:
+- command: get
+  options:
+  - name: output
+    default: wide
+aliases:
+- name: getn
+  command: get
+  prependArgs:
+  - nodes
+`
+
+	expectedPref := &v1beta1.Preference{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "kubectl.config.k8s.io/v1beta1",
+			Kind:       "Preference",
+		},
+		Defaults: []v1beta1.CommandDefaults{
+			{
+				Command: "get",
+				Options: []v1beta1.CommandOptionDefault{
+					{
+						Name:    "output",
+						Default: "wide",
+					},
+				},
+			},
+		},
+		Aliases: []v1beta1.AliasOverride{
+			{
+				Name:        "getn",
+				Command:     "get",
+				PrependArgs: []string{"nodes"},
+			},
+		},
+	}
+
+	tests := []struct {
+		name         string
+		outputFormat string
+	}{
+		{
+			name:         "yaml output",
+			outputFormat: "yaml",
+		},
+		{
+			name:         "json output",
+			outputFormat: "json",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir, err := os.MkdirTemp("", "kuberc-test-")
+			if err != nil {
+				t.Fatalf("failed to create temp dir: %v", err)
+			}
+			defer func() {
+				os.RemoveAll(tmpDir) // nolint:errcheck
+			}()
+
+			kubercPath := filepath.Join(tmpDir, "kuberc")
+			if err := os.WriteFile(kubercPath, []byte(kubercContent), 0644); err != nil {
+				t.Fatalf("failed to write kuberc file: %v", err)
+			}
+
+			streams, _, out, _ := genericiooptions.NewTestIOStreams()
+			o := &ViewOptions{
+				KubeRCFile: kubercPath,
+				PrintFlags: genericclioptions.NewPrintFlags("").WithDefaultOutput(tt.outputFormat),
+				IOStreams:  streams,
+			}
+
+			err = o.Run()
+			if err != nil {
+				t.Fatalf("Run() unexpected error = %v", err)
+			}
+
+			// Unmarshal actual output to v1beta1.Preference
+			var actualPref v1beta1.Preference
+			if err := yaml.Unmarshal(out.Bytes(), &actualPref); err != nil {
+				t.Fatalf("failed to unmarshal actual output: %v", err)
+			}
+
+			if diff := cmp.Diff(expectedPref, &actualPref); diff != "" {
+				t.Errorf("Run() output mismatch (-expected +got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go b/staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go
index e7f9bd391ec0d..c7c31ae4c9c13 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/logs/logs.go
@@ -356,8 +356,21 @@ func (o LogsOptions) Validate() error {
 	return nil
 }
 
-// RunLogs retrieves a pod log
+// RunLogs wraps RunLogsContext with signal handling.
+// When a signal is received, streaming is stopped, then followed by os.Exit(1).
 func (o LogsOptions) RunLogs() error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	intr := interrupt.New(nil, cancel)
+	return intr.Run(func() error {
+		return o.RunLogsContext(ctx)
+	})
+}
+
+// RunLogsContext retrieves a pod log.
+//
+// This function does not handle signals. To interrupt streaming, cancel the context.
+func (o LogsOptions) RunLogsContext(ctx context.Context) error {
 	var requests map[corev1.ObjectReference]rest.ResponseWrapper
 	var err error
 	if o.AllPods {
@@ -378,16 +391,10 @@ func (o LogsOptions) RunLogs() error {
 		}
 	}
 
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	intr := interrupt.New(nil, cancel)
-	return intr.Run(func() error {
-		if o.Follow && len(requests) > 1 {
-			return o.parallelConsumeRequest(ctx, requests)
-		}
-
-		return o.sequentialConsumeRequest(ctx, requests)
-	})
+	if o.Follow && len(requests) > 1 {
+		return o.parallelConsumeRequest(ctx, requests)
+	}
+	return o.sequentialConsumeRequest(ctx, requests)
 }
 
 func (o LogsOptions) parallelConsumeRequest(ctx context.Context, requests map[corev1.ObjectReference]rest.ResponseWrapper) error {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/plugin.go b/staging/src/k8s.io/kubectl/pkg/cmd/plugin.go
new file mode 100644
index 0000000000000..36c9fcdcaffc5
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/plugin.go
@@ -0,0 +1,162 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"syscall"
+)
+
+// PluginHandler is capable of parsing command line arguments
+// and performing executable filename lookups to search
+// for valid plugin files, and execute found plugins.
+type PluginHandler interface {
+	// exists at the given filename, or a boolean false.
+	// Lookup will iterate over a list of given prefixes
+	// in order to recognize valid plugin filenames.
+	// The first filepath to match a prefix is returned.
+	Lookup(filename string) (string, bool)
+	// Execute receives an executable's filepath, a slice
+	// of arguments, and a slice of environment variables
+	// to relay to the executable.
+	Execute(executablePath string, cmdArgs, environment []string) error
+}
+
+// DefaultPluginHandler implements PluginHandler
+type DefaultPluginHandler struct {
+	ValidPrefixes []string
+}
+
+// NewDefaultPluginHandler instantiates the DefaultPluginHandler with a list of
+// given filename prefixes used to identify valid plugin filenames.
+func NewDefaultPluginHandler(validPrefixes []string) *DefaultPluginHandler {
+	return &DefaultPluginHandler{
+		ValidPrefixes: validPrefixes,
+	}
+}
+
+// Lookup implements PluginHandler
+func (h *DefaultPluginHandler) Lookup(filename string) (string, bool) {
+	for _, prefix := range h.ValidPrefixes {
+		path, err := exec.LookPath(fmt.Sprintf("%s-%s", prefix, filename))
+		if shouldSkipOnLookPathErr(err) || len(path) == 0 {
+			continue
+		}
+		return path, true
+	}
+	return "", false
+}
+
+// Execute implements PluginHandler
+func (h *DefaultPluginHandler) Execute(executablePath string, cmdArgs, environment []string) error {
+	// Windows does not support exec syscall.
+	if runtime.GOOS == "windows" {
+		cmd := command(executablePath, cmdArgs...)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		cmd.Env = environment
+		err := cmd.Run()
+		if err == nil {
+			os.Exit(0)
+		}
+		return err
+	}
+
+	// invoke cmd binary relaying the environment and args given
+	// append executablePath to cmdArgs, as execve will make first argument the "binary name".
+	return syscall.Exec(executablePath, append([]string{executablePath}, cmdArgs...), environment)
+}
+
+func command(name string, arg ...string) *exec.Cmd {
+	cmd := &exec.Cmd{
+		Path: name,
+		Args: append([]string{name}, arg...),
+	}
+	if filepath.Base(name) == name {
+		lp, err := exec.LookPath(name)
+		if lp != "" && !shouldSkipOnLookPathErr(err) {
+			// Update cmd.Path even if err is non-nil.
+			// If err is ErrDot (especially on Windows), lp may include a resolved
+			// extension (like .exe or .bat) that should be preserved.
+			cmd.Path = lp
+		}
+	}
+	return cmd
+}
+
+// HandlePluginCommand receives a pluginHandler and command-line arguments and attempts to find
+// a plugin executable on the PATH that satisfies the given arguments.
+func HandlePluginCommand(pluginHandler PluginHandler, cmdArgs []string, minArgs int) error {
+	var remainingArgs []string // all "non-flag" arguments
+	for _, arg := range cmdArgs {
+		if strings.HasPrefix(arg, "-") {
+			break
+		}
+		remainingArgs = append(remainingArgs, strings.Replace(arg, "-", "_", -1))
+	}
+
+	if len(remainingArgs) == 0 {
+		// the length of cmdArgs is at least 1
+		return fmt.Errorf("flags cannot be placed before plugin name: %s", cmdArgs[0])
+	}
+
+	foundBinaryPath := ""
+
+	// attempt to find binary, starting at longest possible name with given cmdArgs
+	for len(remainingArgs) > 0 {
+		path, found := pluginHandler.Lookup(strings.Join(remainingArgs, "-"))
+		if !found {
+			remainingArgs = remainingArgs[:len(remainingArgs)-1]
+			if len(remainingArgs) < minArgs {
+				// we shouldn't continue searching with shorter names.
+				// this is especially for not searching kubectl-create plugin
+				// when kubectl-create-foo plugin is not found.
+				break
+			}
+
+			continue
+		}
+
+		foundBinaryPath = path
+		break
+	}
+
+	if len(foundBinaryPath) == 0 {
+		return nil
+	}
+
+	// invoke cmd binary relaying the current environment and args given
+	if err := pluginHandler.Execute(foundBinaryPath, cmdArgs[len(remainingArgs):], os.Environ()); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// IsSubcommandPluginAllowed returns the given command is allowed
+// to use plugin as subcommand if the subcommand does not exist as builtin.
+func IsSubcommandPluginAllowed(foundCmd string) bool {
+	allowedCmds := map[string]struct{}{"create": {}}
+	_, ok := allowedCmds[foundCmd]
+	return ok
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/profiling.go b/staging/src/k8s.io/kubectl/pkg/cmd/profiling.go
index 758d7a116b38b..c54d1038a8c70 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/profiling.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/profiling.go
@@ -18,10 +18,12 @@ package cmd
 
 import (
 	"fmt"
+	"io"
 	"os"
 	"os/signal"
 	"runtime"
 	"runtime/pprof"
+	"runtime/trace"
 
 	"github.com/spf13/pflag"
 )
@@ -32,26 +34,29 @@ var (
 )
 
 func addProfilingFlags(flags *pflag.FlagSet) {
-	flags.StringVar(&profileName, "profile", "none", "Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)")
+	flags.StringVar(&profileName, "profile", "none", "Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex|trace)")
 	flags.StringVar(&profileOutput, "profile-output", "profile.pprof", "Name of the file to write the profile to")
 }
 
-func initProfiling() error {
+// initProfiling inits profiling and returns a function to be called on exit to flush and close.
+func initProfiling() (func() error, error) {
 	var (
 		f   *os.File
 		err error
 	)
 	switch profileName {
 	case "none":
-		return nil
+		return nil, nil
 	case "cpu":
 		f, err = os.Create(profileOutput)
 		if err != nil {
-			return err
+			return nil, err
 		}
+
 		err = pprof.StartCPUProfile(f)
 		if err != nil {
-			return err
+			f.Close() //nolint:errcheck
+			return nil, err
 		}
 	// Block and mutex profiles need a call to Set{Block,Mutex}ProfileRate to
 	// output anything. We choose to sample all events.
@@ -59,33 +64,53 @@ func initProfiling() error {
 		runtime.SetBlockProfileRate(1)
 	case "mutex":
 		runtime.SetMutexProfileFraction(1)
+	case "trace":
+		f, err = os.Create(profileOutput)
+		if err != nil {
+			return nil, err
+		}
+
+		// Enable the CPU profiler. Samples will be captured in the execution trace.
+		// This is the same rate value as used in pprof.StartCPUProfile.
+		runtime.SetCPUProfileRate(100)
+		if err := trace.Start(f); err != nil {
+			f.Close() //nolint:errcheck
+			return nil, err
+		}
 	default:
 		// Check the profile name is valid.
 		if profile := pprof.Lookup(profileName); profile == nil {
-			return fmt.Errorf("unknown profile '%s'", profileName)
+			return nil, fmt.Errorf("unknown profile '%s'", profileName)
 		}
 	}
 
-	// If the command is interrupted before the end (ctrl-c), flush the
-	// profiling files
+	// If the command is interrupted before the end (ctrl-c), flush the profiling files
 	c := make(chan os.Signal, 1)
 	signal.Notify(c, os.Interrupt)
 	go func() {
 		<-c
-		f.Close()
-		flushProfiling()
+		flushProfiling(f) //nolint:errcheck
 		os.Exit(0)
 	}()
 
-	return nil
+	return func() error {
+		return flushProfiling(f)
+	}, nil
 }
 
-func flushProfiling() error {
+func flushProfiling(output io.Closer) error {
+	if output != nil {
+		defer output.Close() //nolint:errcheck
+	}
+
 	switch profileName {
 	case "none":
 		return nil
 	case "cpu":
 		pprof.StopCPUProfile()
+	case "trace":
+		trace.Stop()
+		runtime.SetCPUProfileRate(0)
 	case "heap":
 		runtime.GC()
 		fallthrough
@@ -94,10 +119,12 @@ func flushProfiling() error {
 		if profile == nil {
 			return nil
 		}
+
 		f, err := os.Create(profileOutput)
 		if err != nil {
 			return err
 		}
+
 		defer f.Close()
 		profile.WriteTo(f, 0)
 	}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go b/staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go
index 8248c9f1b6cff..9956373853705 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/rollout/rollout_status.go
@@ -184,7 +184,7 @@ func (o *RolloutStatusOptions) Run() error {
 		}
 
 		fieldSelector := fields.OneTermEqualSelector("metadata.name", info.Name).String()
-		lw := &cache.ListWatch{
+		lw := cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				options.FieldSelector = fieldSelector
 				return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).List(context.TODO(), options)
@@ -193,7 +193,7 @@ func (o *RolloutStatusOptions) Run() error {
 				options.FieldSelector = fieldSelector
 				return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).Watch(context.TODO(), options)
 			},
-		}
+		}, o.DynamicClient)
 
 		// if the rollout isn't done yet, keep watching deployment status
 		ctx, cancel := watchtools.ContextWithOptionalTimeout(context.Background(), o.Timeout)
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go b/staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go
index d32f8ed976819..31d4212ec2b03 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/scale/scale.go
@@ -230,7 +230,7 @@ func (o *ScaleOptions) RunScale() error {
 
 	if len(infos) == 0 {
 		if infoErr != nil {
-			return fmt.Errorf("no objects passed to scale %w", infoErr)
+			return infoErr
 		}
 		return fmt.Errorf("no objects passed to scale")
 	}
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go b/staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go
index 1068733597efa..eb8c2c8b7828c 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/set/set_selector.go
@@ -74,7 +74,7 @@ var (
 	selectorExample = templates.Examples(`
         # Set the labels and selector before creating a deployment/service pair
         kubectl create service clusterip my-svc --clusterip="None" -o yaml --dry-run=client | kubectl set selector --local -f - 'environment=qa' -o yaml | kubectl create -f -
-        kubectl create deployment my-dep -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -`)
+        kubectl create deployment my-dep --image=nginx -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -`)
 )
 
 // NewSelectorOptions returns an initialized SelectorOptions instance
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/util/helpers.go b/staging/src/k8s.io/kubectl/pkg/cmd/util/helpers.go
index 2826820444448..755533aeb921a 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/util/helpers.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/util/helpers.go
@@ -425,24 +425,12 @@ func GetPodRunningTimeoutFlag(cmd *cobra.Command) (time.Duration, error) {
 type FeatureGate string
 
 const (
-	// owner: @soltysh
-	// kep: https://kep.k8s.io/859
-	//
-	// HTTP headers with command name and flags used.
-	CmdHeaders FeatureGate = "KUBECTL_COMMAND_HEADERS"
-
 	// owner: @ardaguclu
 	// kep: https://kep.k8s.io/3104
 	//
 	// Separate kubectl user preferences.
 	KubeRC FeatureGate = "KUBECTL_KUBERC"
 
-	// owner: @soltysh
-	// kep: https://kep.k8s.io/3515
-	//
-	// Improved kubectl apply --prune behavior.
-	OpenAPIV3Patch FeatureGate = "KUBECTL_OPENAPIV3_PATCH"
-
 	// owner: @justinb
 	// kep: https://kep.k8s.io/3659
 	//
@@ -544,7 +532,7 @@ func AddApplyAnnotationVarFlags(cmd *cobra.Command, applyAnnotation *bool) {
 
 func AddChunkSizeFlag(cmd *cobra.Command, value *int64) {
 	cmd.Flags().Int64Var(value, "chunk-size", *value,
-		"Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future.")
+		"Return large lists in chunks rather than all at once. Pass 0 to disable.")
 }
 
 func AddLabelSelectorFlagVar(cmd *cobra.Command, p *string) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/wait/condition.go b/staging/src/k8s.io/kubectl/pkg/cmd/wait/condition.go
index 8d1a7aaa1e49a..26e4b108080cb 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/wait/condition.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/wait/condition.go
@@ -109,7 +109,7 @@ func getObjAndCheckCondition(ctx context.Context, info *resource.Info, o *WaitOp
 
 	endTime := time.Now().Add(o.Timeout)
 	timeout := time.Until(endTime)
-	errWaitTimeoutWithName := extendErrWaitTimeout(wait.ErrWaitTimeout, info) // nolint:staticcheck // SA1019
+	errWaitTimeoutWithName := extendErrWaitTimeout(wait.ErrorInterrupted(nil), info) // nolint:staticcheck // SA1019
 	if o.Timeout == 0 {
 		// If timeout is zero we will fetch the object(s) once only and check
 		gottenObj, initObjGetErr := o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).Get(context.Background(), info.Name, metav1.GetOptions{})
@@ -135,7 +135,7 @@ func getObjAndCheckCondition(ctx context.Context, info *resource.Info, o *WaitOp
 
 	mapping := info.ResourceMapping() // used to pass back meaningful errors if object disappears
 	fieldSelector := fields.OneTermEqualSelector("metadata.name", info.Name).String()
-	lw := &cache.ListWatch{
+	lw := cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			options.FieldSelector = fieldSelector
 			return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).List(context.TODO(), options)
@@ -144,7 +144,7 @@ func getObjAndCheckCondition(ctx context.Context, info *resource.Info, o *WaitOp
 			options.FieldSelector = fieldSelector
 			return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).Watch(context.TODO(), options)
 		},
-	}
+	}, o.DynamicClient)
 
 	// this function is used to refresh the cache to prevent timeout waits on resources that have disappeared
 	preconditionFunc := func(store cache.Store) (bool, error) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/wait/delete.go b/staging/src/k8s.io/kubectl/pkg/cmd/wait/delete.go
index c9b8f9b1a0dab..a8ccd2fca7c79 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/wait/delete.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/wait/delete.go
@@ -63,7 +63,7 @@ func IsDeleted(ctx context.Context, info *resource.Info, o *WaitOptions) (runtim
 
 	endTime := time.Now().Add(o.Timeout)
 	timeout := time.Until(endTime)
-	errWaitTimeoutWithName := extendErrWaitTimeout(wait.ErrWaitTimeout, info) // nolint:staticcheck // SA1019
+	errWaitTimeoutWithName := extendErrWaitTimeout(wait.ErrorInterrupted(nil), info) // nolint:staticcheck // SA1019
 	if o.Timeout == 0 {
 		// If timeout is zero check if the object exists once only
 		if gottenObj == nil {
@@ -77,7 +77,7 @@ func IsDeleted(ctx context.Context, info *resource.Info, o *WaitOptions) (runtim
 	}
 
 	fieldSelector := fields.OneTermEqualSelector("metadata.name", info.Name).String()
-	lw := &cache.ListWatch{
+	lw := cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 			options.FieldSelector = fieldSelector
 			return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).List(ctx, options)
@@ -86,7 +86,7 @@ func IsDeleted(ctx context.Context, info *resource.Info, o *WaitOptions) (runtim
 			options.FieldSelector = fieldSelector
 			return o.DynamicClient.Resource(info.Mapping.Resource).Namespace(info.Namespace).Watch(ctx, options)
 		},
-	}
+	}, o.DynamicClient)
 
 	// this function is used to refresh the cache to prevent timeout waits on resources that have disappeared
 	preconditionFunc := func(store cache.Store) (bool, error) {
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go b/staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go
index ab37c953f0c4d..992f3c0009ac8 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/wait/wait.go
@@ -46,7 +46,7 @@ import (
 
 var (
 	waitLong = templates.LongDesc(i18n.T(`
-		Experimental: Wait for a specific condition on one or many resources.
+		Wait for a specific condition on one or many resources.
 
 		The command takes multiple resources and waits until the specified condition
 		is seen in the Status field of every given resource.
@@ -124,7 +124,7 @@ func NewCmdWait(restClientGetter genericclioptions.RESTClientGetter, streams gen
 
 	cmd := &cobra.Command{
 		Use:     "wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=create|--for=delete|--for condition=available|--for=jsonpath='{}'[=value]]",
-		Short:   i18n.T("Experimental: Wait for a specific condition on one or many resources"),
+		Short:   i18n.T("Wait for a specific condition on one or many resources"),
 		Long:    waitLong,
 		Example: waitExample,
 
@@ -343,7 +343,7 @@ func (o *WaitOptions) RunWait() error {
 			return foundResource, nil
 		}); err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {
-				return fmt.Errorf("%s", wait.ErrWaitTimeout.Error()) // nolint:staticcheck // SA1019
+				return fmt.Errorf("%s", wait.ErrorInterrupted(nil).Error()) // nolint:staticcheck // SA1019
 			}
 			return err
 		}
diff --git a/staging/src/k8s.io/kubectl/pkg/config/scheme/scheme_test.go b/staging/src/k8s.io/kubectl/pkg/config/scheme/scheme_test.go
index e14549da4ae6b..372bf2f28a9fc 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/scheme/scheme_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/scheme/scheme_test.go
@@ -19,10 +19,28 @@ package scheme
 import (
 	"testing"
 
+	"k8s.io/apimachinery/pkg/api/apitesting/fuzzer"
 	"k8s.io/apimachinery/pkg/api/apitesting/roundtrip"
-	"k8s.io/kubectl/pkg/config/fuzzer"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/kubectl/pkg/config"
+	kubectlfuzzer "k8s.io/kubectl/pkg/config/fuzzer"
+	"sigs.k8s.io/randfill"
 )
 
 func TestRoundTripTypes(t *testing.T) {
-	roundtrip.RoundTripTestForScheme(t, Scheme, fuzzer.Funcs)
+	// Because v1alpha1 does not have fields of these types, the fuzzing will
+	// be incorrect, so we need to manually intervene here
+	customFuzzerFuncs := func(codecs runtimeserializer.CodecFactory) []interface{} {
+		return []interface{}{
+			func(s *config.CredentialPluginPolicy, c randfill.Continue) {
+				*s = ""
+			},
+			func(s *[]config.AllowlistEntry, c randfill.Continue) {
+				*s = nil
+			},
+		}
+	}
+
+	funcs := fuzzer.MergeFuzzerFuncs(kubectlfuzzer.Funcs, customFuzzerFuncs)
+	roundtrip.RoundTripTestForScheme(t, Scheme, funcs)
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/config/types.go b/staging/src/k8s.io/kubectl/pkg/config/types.go
index df5bb2084405b..b310ceae4e879 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/types.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/types.go
@@ -16,7 +16,9 @@ limitations under the License.
 
 package config
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -62,6 +64,63 @@ type Preference struct {
 	// "kubectl getn control-plane-1 --output=json" expands to "kubectl get node --output=json control-plane-1"
 	// +optional
 	Aliases []AliasOverride
+
+	// credentialPluginPolicy specifies the policy governing which, if any, client-go
+	// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+	// If the policy is "", then it falls back to "AllowAll" (this is required
+	// to maintain backward compatibility). If the policy is DenyAll, no
+	// credential plugins may run. If the policy is Allowlist, only those
+	// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+	// field may run.
+	// +optional
+	CredentialPluginPolicy CredentialPluginPolicy
+
+	// Allowlist is a slice of allowlist entries. If any of them is a match,
+	// then the executable in question may execute. That is, the result is the
+	// logical OR of all entries in the allowlist. This list MUST NOT be
+	// supplied if the policy is not "Allowlist".
+	//
+	// e.g.
+	// credentialPluginAllowlist:
+	// - name: cloud-provider-plugin
+	// - name: /usr/local/bin/my-plugin
+	// In the above example, the user allows the credential plugins
+	// `cloud-provider-plugin` (found somewhere in PATH), and the plugin found
+	// at the explicit path `/usr/local/bin/my-plugin`.
+	// +optional
+	CredentialPluginAllowlist []AllowlistEntry
+}
+
+// CredentialPluginPolicy specifies the policy governing which, if any, client-go
+// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+// If the policy is "", then it falls back to "AllowAll" (this is required
+// to maintain backward compatibility). If the policy is DenyAll, no
+// credential plugins may run. If the policy is Allowlist, only those
+// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+// field may run. If the policy is not `Allowlist` but one is provided, it
+// is considered a configuration error.
+type CredentialPluginPolicy string
+
+const (
+	PluginPolicyAllowAll  CredentialPluginPolicy = "AllowAll"
+	PluginPolicyDenyAll   CredentialPluginPolicy = "DenyAll"
+	PluginPolicyAllowlist CredentialPluginPolicy = "Allowlist"
+)
+
+// AllowlistEntry is an entry in the allowlist. For each allowlist item, at
+// least one field must be nonempty. A struct with all empty fields is
+// considered a misconfiguration error. Each field is a criterion for
+// execution. If multiple fields are specified, then the criteria of all
+// specified fields must be met. That is, the result of an individual entry is
+// the logical AND of all checks corresponding to the specified fields within
+// the entry.
+type AllowlistEntry struct {
+	// Name matching is performed by first resolving the absolute path of both
+	// the plugin and the name in the allowlist entry using `exec.LookPath`. It
+	// will be called on both, and the resulting strings must be equal. If
+	// either call to `exec.LookPath` results in an error, the `Name` check
+	// will be considered a failure.
+	Name string
 }
 
 // AliasOverride stores the alias definitions.
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/conversion.go b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/conversion.go
new file mode 100644
index 0000000000000..05ddfdace7fc1
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/conversion.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	config "k8s.io/kubectl/pkg/config"
+)
+
+// v1alpha1 Preference does not have `CredentialPluginPolicy` or `CredentialPluginAllowlist` fields. They can be left blank, so the autoConvert functions will suffice.
+func Convert_config_Preference_To_v1alpha1_Preference(in *config.Preference, out *Preference, s conversion.Scope) error {
+	return autoConvert_config_Preference_To_v1alpha1_Preference(in, out, s)
+}
+
+func Convert_v1alpha1_Preference_To_config_Preference(in *Preference, out *config.Preference, s conversion.Scope) error {
+	return autoConvert_v1alpha1_Preference_To_config_Preference(in, out, s)
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/doc.go b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/doc.go
index d53157c3152f2..5a05184737ba0 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/doc.go
@@ -19,5 +19,6 @@ limitations under the License.
 // +groupName=kubectl.config.k8s.io
 // +k8s:conversion-gen=k8s.io/kubectl/pkg/config
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-model-package=io.k8s.kubectl.pkg.config.v1alpha1
 
 package v1alpha1 // Package v1alpha1 import "k8s.io/kubectl/pkg/config/v1alpha1"
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.conversion.go
index af0b9bba7f057..5ad464c8755fe 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.conversion.go
@@ -66,13 +66,13 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*Preference)(nil), (*config.Preference)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1alpha1_Preference_To_config_Preference(a.(*Preference), b.(*config.Preference), scope)
+	if err := s.AddConversionFunc((*config.Preference)(nil), (*Preference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_Preference_To_v1alpha1_Preference(a.(*config.Preference), b.(*Preference), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*config.Preference)(nil), (*Preference)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_config_Preference_To_v1alpha1_Preference(a.(*config.Preference), b.(*Preference), scope)
+	if err := s.AddConversionFunc((*Preference)(nil), (*config.Preference)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha1_Preference_To_config_Preference(a.(*Preference), b.(*config.Preference), scope)
 	}); err != nil {
 		return err
 	}
@@ -157,18 +157,10 @@ func autoConvert_v1alpha1_Preference_To_config_Preference(in *Preference, out *c
 	return nil
 }
 
-// Convert_v1alpha1_Preference_To_config_Preference is an autogenerated conversion function.
-func Convert_v1alpha1_Preference_To_config_Preference(in *Preference, out *config.Preference, s conversion.Scope) error {
-	return autoConvert_v1alpha1_Preference_To_config_Preference(in, out, s)
-}
-
 func autoConvert_config_Preference_To_v1alpha1_Preference(in *config.Preference, out *Preference, s conversion.Scope) error {
 	out.Defaults = *(*[]CommandDefaults)(unsafe.Pointer(&in.Defaults))
 	out.Aliases = *(*[]AliasOverride)(unsafe.Pointer(&in.Aliases))
+	// WARNING: in.CredentialPluginPolicy requires manual conversion: does not exist in peer-type
+	// WARNING: in.CredentialPluginAllowlist requires manual conversion: does not exist in peer-type
 	return nil
 }
-
-// Convert_config_Preference_To_v1alpha1_Preference is an autogenerated conversion function.
-func Convert_config_Preference_To_v1alpha1_Preference(in *config.Preference, out *Preference, s conversion.Scope) error {
-	return autoConvert_config_Preference_To_v1alpha1_Preference(in, out, s)
-}
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..868fa12553d8b
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AliasOverride) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1alpha1.AliasOverride"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CommandDefaults) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1alpha1.CommandDefaults"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CommandOptionDefault) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1alpha1.CommandOptionDefault"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Preference) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1alpha1.Preference"
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/doc.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/doc.go
index 4d08d8dcb67f3..1efcf0820aeb1 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/doc.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/doc.go
@@ -16,6 +16,7 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kubectl.pkg.config.v1beta1
 // +groupName=kubectl.config.k8s.io
 // +k8s:conversion-gen=k8s.io/kubectl/pkg/config
 // +k8s:defaulter-gen=TypeMeta
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/register.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/register.go
index c576a0c02240b..d414d10e6ce7f 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/register.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/register.go
@@ -37,7 +37,7 @@ func init() {
 	// We only register manually written functions here. The registration of the
 	// generated functions takes place in the generated files. The separation
 	// makes the code compile even when the generated files are missing.
-	localSchemeBuilder.Register(addKnownTypes)
+	localSchemeBuilder.Register(addKnownTypes, RegisterDefaults)
 }
 
 // addKnownTypes registers known types to the given scheme
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/types.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/types.go
index 219cfe5590b9a..e1d5409a185f3 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/types.go
@@ -16,7 +16,9 @@ limitations under the License.
 
 package v1beta1
 
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
@@ -62,6 +64,64 @@ type Preference struct {
 	// "kubectl getn control-plane-1 --output=json" expands to "kubectl get node --output=json control-plane-1"
 	// +listType=atomic
 	Aliases []AliasOverride `json:"aliases"`
+
+	// credentialPluginPolicy specifies the policy governing which, if any, client-go
+	// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+	// If the policy is "", then it falls back to "AllowAll" (this is required
+	// to maintain backward compatibility). If the policy is DenyAll, no
+	// credential plugins may run. If the policy is Allowlist, only those
+	// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+	// field may run.
+	// +optional
+	CredentialPluginPolicy CredentialPluginPolicy `json:"credentialPluginPolicy,omitempty"`
+
+	// Allowlist is a slice of allowlist entries. If any of them is a match,
+	// then the executable in question may execute. That is, the result is the
+	// logical OR of all entries in the allowlist. This list MUST NOT be
+	// supplied if the policy is not "Allowlist".
+	//
+	// e.g.
+	// credentialPluginAllowlist:
+	// - name: cloud-provider-plugin
+	// - name: /usr/local/bin/my-plugin
+	// In the above example, the user allows the credential plugins
+	// `cloud-provider-plugin` (found somewhere in PATH), and the plugin found
+	// at the explicit path `/usr/local/bin/my-plugin`.
+	// +optional
+	// +listType=atomic
+	CredentialPluginAllowlist []AllowlistEntry `json:"credentialPluginAllowlist,omitempty"`
+}
+
+// CredentialPluginPolicy specifies the policy governing which, if any, client-go
+// credential plugins may be executed. It MUST be one of { "", "AllowAll", "DenyAll", "Allowlist" }.
+// If the policy is "", then it falls back to "AllowAll" (this is required
+// to maintain backward compatibility). If the policy is DenyAll, no
+// credential plugins may run. If the policy is Allowlist, only those
+// plugins meeting the criteria specified in the `credentialPluginAllowlist`
+// field may run. If the policy is not `Allowlist` but one is provided, it
+// is considered a configuration error.
+type CredentialPluginPolicy string
+
+const (
+	PluginPolicyAllowAll  CredentialPluginPolicy = "AllowAll"
+	PluginPolicyDenyAll   CredentialPluginPolicy = "DenyAll"
+	PluginPolicyAllowlist CredentialPluginPolicy = "Allowlist"
+)
+
+// AllowlistEntry is an entry in the allowlist. For each allowlist item, at
+// least one field must be nonempty. A struct with all empty fields is
+// considered a misconfiguration error. Each field is a criterion for
+// execution. If multiple fields are specified, then the criteria of all
+// specified fields must be met. That is, the result of an individual entry is
+// the logical AND of all checks corresponding to the specified fields within
+// the entry.
+type AllowlistEntry struct {
+	// Name matching is performed by first resolving the absolute path of both
+	// the plugin and the name in the allowlist entry using `exec.LookPath`. It
+	// will be called on both, and the resulting strings must be equal. If
+	// either call to `exec.LookPath` results in an error, the `Name` check
+	// will be considered a failure.
+	Name string `json:"name"`
 }
 
 // AliasOverride stores the alias definitions.
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.conversion.go
index fbbd951020309..dcbe9948120e8 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.conversion.go
@@ -46,6 +46,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*AllowlistEntry)(nil), (*config.AllowlistEntry)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_AllowlistEntry_To_config_AllowlistEntry(a.(*AllowlistEntry), b.(*config.AllowlistEntry), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*config.AllowlistEntry)(nil), (*AllowlistEntry)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_config_AllowlistEntry_To_v1beta1_AllowlistEntry(a.(*config.AllowlistEntry), b.(*AllowlistEntry), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*CommandDefaults)(nil), (*config.CommandDefaults)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_CommandDefaults_To_config_CommandDefaults(a.(*CommandDefaults), b.(*config.CommandDefaults), scope)
 	}); err != nil {
@@ -107,6 +117,26 @@ func Convert_config_AliasOverride_To_v1beta1_AliasOverride(in *config.AliasOverr
 	return autoConvert_config_AliasOverride_To_v1beta1_AliasOverride(in, out, s)
 }
 
+func autoConvert_v1beta1_AllowlistEntry_To_config_AllowlistEntry(in *AllowlistEntry, out *config.AllowlistEntry, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_v1beta1_AllowlistEntry_To_config_AllowlistEntry is an autogenerated conversion function.
+func Convert_v1beta1_AllowlistEntry_To_config_AllowlistEntry(in *AllowlistEntry, out *config.AllowlistEntry, s conversion.Scope) error {
+	return autoConvert_v1beta1_AllowlistEntry_To_config_AllowlistEntry(in, out, s)
+}
+
+func autoConvert_config_AllowlistEntry_To_v1beta1_AllowlistEntry(in *config.AllowlistEntry, out *AllowlistEntry, s conversion.Scope) error {
+	out.Name = in.Name
+	return nil
+}
+
+// Convert_config_AllowlistEntry_To_v1beta1_AllowlistEntry is an autogenerated conversion function.
+func Convert_config_AllowlistEntry_To_v1beta1_AllowlistEntry(in *config.AllowlistEntry, out *AllowlistEntry, s conversion.Scope) error {
+	return autoConvert_config_AllowlistEntry_To_v1beta1_AllowlistEntry(in, out, s)
+}
+
 func autoConvert_v1beta1_CommandDefaults_To_config_CommandDefaults(in *CommandDefaults, out *config.CommandDefaults, s conversion.Scope) error {
 	out.Command = in.Command
 	out.Options = *(*[]config.CommandOptionDefault)(unsafe.Pointer(&in.Options))
@@ -154,6 +184,8 @@ func Convert_config_CommandOptionDefault_To_v1beta1_CommandOptionDefault(in *con
 func autoConvert_v1beta1_Preference_To_config_Preference(in *Preference, out *config.Preference, s conversion.Scope) error {
 	out.Defaults = *(*[]config.CommandDefaults)(unsafe.Pointer(&in.Defaults))
 	out.Aliases = *(*[]config.AliasOverride)(unsafe.Pointer(&in.Aliases))
+	out.CredentialPluginPolicy = config.CredentialPluginPolicy(in.CredentialPluginPolicy)
+	out.CredentialPluginAllowlist = *(*[]config.AllowlistEntry)(unsafe.Pointer(&in.CredentialPluginAllowlist))
 	return nil
 }
 
@@ -165,6 +197,8 @@ func Convert_v1beta1_Preference_To_config_Preference(in *Preference, out *config
 func autoConvert_config_Preference_To_v1beta1_Preference(in *config.Preference, out *Preference, s conversion.Scope) error {
 	out.Defaults = *(*[]CommandDefaults)(unsafe.Pointer(&in.Defaults))
 	out.Aliases = *(*[]AliasOverride)(unsafe.Pointer(&in.Aliases))
+	out.CredentialPluginPolicy = CredentialPluginPolicy(in.CredentialPluginPolicy)
+	out.CredentialPluginAllowlist = *(*[]AllowlistEntry)(unsafe.Pointer(&in.CredentialPluginAllowlist))
 	return nil
 }
 
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.deepcopy.go
index e6422ad5d2cf1..35565bee4bf59 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.deepcopy.go
@@ -56,6 +56,22 @@ func (in *AliasOverride) DeepCopy() *AliasOverride {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowlistEntry) DeepCopyInto(out *AllowlistEntry) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowlistEntry.
+func (in *AllowlistEntry) DeepCopy() *AllowlistEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowlistEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommandDefaults) DeepCopyInto(out *CommandDefaults) {
 	*out = *in
@@ -111,6 +127,11 @@ func (in *Preference) DeepCopyInto(out *Preference) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.CredentialPluginAllowlist != nil {
+		in, out := &in.CredentialPluginAllowlist, &out.CredentialPluginAllowlist
+		*out = make([]AllowlistEntry, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..a071ba0c71a95
--- /dev/null
+++ b/staging/src/k8s.io/kubectl/pkg/config/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AliasOverride) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1beta1.AliasOverride"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in AllowlistEntry) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1beta1.AllowlistEntry"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CommandDefaults) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1beta1.CommandDefaults"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CommandOptionDefault) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1beta1.CommandOptionDefault"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Preference) OpenAPIModelName() string {
+	return "io.k8s.kubectl.pkg.config.v1beta1.Preference"
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/config/zz_generated.deepcopy.go b/staging/src/k8s.io/kubectl/pkg/config/zz_generated.deepcopy.go
index e27a15337080b..dd504ae72e509 100644
--- a/staging/src/k8s.io/kubectl/pkg/config/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kubectl/pkg/config/zz_generated.deepcopy.go
@@ -56,6 +56,22 @@ func (in *AliasOverride) DeepCopy() *AliasOverride {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowlistEntry) DeepCopyInto(out *AllowlistEntry) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowlistEntry.
+func (in *AllowlistEntry) DeepCopy() *AllowlistEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowlistEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommandDefaults) DeepCopyInto(out *CommandDefaults) {
 	*out = *in
@@ -111,6 +127,11 @@ func (in *Preference) DeepCopyInto(out *Preference) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.CredentialPluginAllowlist != nil {
+		in, out := &in.CredentialPluginAllowlist, &out.CredentialPluginAllowlist
+		*out = make([]AllowlistEntry, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe.go b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
index aa23223783a5f..578bc94c2c558 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@@ -35,21 +35,21 @@ import (
 	"unicode"
 
 	"github.com/fatih/camelcase"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	appsv1 "k8s.io/api/apps/v1"
 	autoscalingv1 "k8s.io/api/autoscaling/v1"
 	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	batchv1 "k8s.io/api/batch/v1"
 	batchv1beta1 "k8s.io/api/batch/v1beta1"
-	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	certificatesv1 "k8s.io/api/certificates/v1"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
-	discoveryv1beta1 "k8s.io/api/discovery/v1beta1"
 	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
 	networkingv1 "k8s.io/api/networking/v1"
 	networkingv1beta1 "k8s.io/api/networking/v1beta1"
 	policyv1 "k8s.io/api/policy/v1"
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	schedulingv1 "k8s.io/api/scheduling/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -194,51 +194,47 @@ func describerMap(clientConfig *rest.Config) (map[schema.GroupKind]ResourceDescr
 	}
 
 	m := map[schema.GroupKind]ResourceDescriber{
-		{Group: corev1.GroupName, Kind: "Pod"}:                                    &PodDescriber{c},
-		{Group: corev1.GroupName, Kind: "ReplicationController"}:                  &ReplicationControllerDescriber{c},
-		{Group: corev1.GroupName, Kind: "Secret"}:                                 &SecretDescriber{c},
-		{Group: corev1.GroupName, Kind: "Service"}:                                &ServiceDescriber{c},
-		{Group: corev1.GroupName, Kind: "ServiceAccount"}:                         &ServiceAccountDescriber{c},
-		{Group: corev1.GroupName, Kind: "Node"}:                                   &NodeDescriber{c},
-		{Group: corev1.GroupName, Kind: "LimitRange"}:                             &LimitRangeDescriber{c},
-		{Group: corev1.GroupName, Kind: "ResourceQuota"}:                          &ResourceQuotaDescriber{c},
-		{Group: corev1.GroupName, Kind: "PersistentVolume"}:                       &PersistentVolumeDescriber{c},
-		{Group: corev1.GroupName, Kind: "PersistentVolumeClaim"}:                  &PersistentVolumeClaimDescriber{c},
-		{Group: corev1.GroupName, Kind: "Namespace"}:                              &NamespaceDescriber{c},
-		{Group: corev1.GroupName, Kind: "Endpoints"}:                              &EndpointsDescriber{c},
-		{Group: corev1.GroupName, Kind: "ConfigMap"}:                              &ConfigMapDescriber{c},
-		{Group: corev1.GroupName, Kind: "PriorityClass"}:                          &PriorityClassDescriber{c},
-		{Group: discoveryv1beta1.GroupName, Kind: "EndpointSlice"}:                &EndpointSliceDescriber{c},
-		{Group: discoveryv1.GroupName, Kind: "EndpointSlice"}:                     &EndpointSliceDescriber{c},
-		{Group: autoscalingv2.GroupName, Kind: "HorizontalPodAutoscaler"}:         &HorizontalPodAutoscalerDescriber{c},
-		{Group: extensionsv1beta1.GroupName, Kind: "Ingress"}:                     &IngressDescriber{c},
-		{Group: networkingv1beta1.GroupName, Kind: "Ingress"}:                     &IngressDescriber{c},
-		{Group: networkingv1beta1.GroupName, Kind: "IngressClass"}:                &IngressClassDescriber{c},
-		{Group: networkingv1.GroupName, Kind: "Ingress"}:                          &IngressDescriber{c},
-		{Group: networkingv1.GroupName, Kind: "IngressClass"}:                     &IngressClassDescriber{c},
-		{Group: networkingv1beta1.GroupName, Kind: "ServiceCIDR"}:                 &ServiceCIDRDescriber{c},
-		{Group: networkingv1beta1.GroupName, Kind: "IPAddress"}:                   &IPAddressDescriber{c},
-		{Group: networkingv1.GroupName, Kind: "ServiceCIDR"}:                      &ServiceCIDRDescriber{c},
-		{Group: networkingv1.GroupName, Kind: "IPAddress"}:                        &IPAddressDescriber{c},
-		{Group: batchv1.GroupName, Kind: "Job"}:                                   &JobDescriber{c},
-		{Group: batchv1.GroupName, Kind: "CronJob"}:                               &CronJobDescriber{c},
-		{Group: batchv1beta1.GroupName, Kind: "CronJob"}:                          &CronJobDescriber{c},
-		{Group: appsv1.GroupName, Kind: "StatefulSet"}:                            &StatefulSetDescriber{c},
-		{Group: appsv1.GroupName, Kind: "Deployment"}:                             &DeploymentDescriber{c},
-		{Group: appsv1.GroupName, Kind: "DaemonSet"}:                              &DaemonSetDescriber{c},
-		{Group: appsv1.GroupName, Kind: "ReplicaSet"}:                             &ReplicaSetDescriber{c},
-		{Group: certificatesv1beta1.GroupName, Kind: "CertificateSigningRequest"}: &CertificateSigningRequestDescriber{c},
-		{Group: storagev1.GroupName, Kind: "StorageClass"}:                        &StorageClassDescriber{c},
-		{Group: storagev1.GroupName, Kind: "CSINode"}:                             &CSINodeDescriber{c},
-		{Group: storagev1.GroupName, Kind: "VolumeAttributesClass"}:               &VolumeAttributesClassDescriber{c},
-		{Group: policyv1beta1.GroupName, Kind: "PodDisruptionBudget"}:             &PodDisruptionBudgetDescriber{c},
-		{Group: policyv1.GroupName, Kind: "PodDisruptionBudget"}:                  &PodDisruptionBudgetDescriber{c},
-		{Group: rbacv1.GroupName, Kind: "Role"}:                                   &RoleDescriber{c},
-		{Group: rbacv1.GroupName, Kind: "ClusterRole"}:                            &ClusterRoleDescriber{c},
-		{Group: rbacv1.GroupName, Kind: "RoleBinding"}:                            &RoleBindingDescriber{c},
-		{Group: rbacv1.GroupName, Kind: "ClusterRoleBinding"}:                     &ClusterRoleBindingDescriber{c},
-		{Group: networkingv1.GroupName, Kind: "NetworkPolicy"}:                    &NetworkPolicyDescriber{c},
-		{Group: schedulingv1.GroupName, Kind: "PriorityClass"}:                    &PriorityClassDescriber{c},
+		{Group: corev1.GroupName, Kind: "Pod"}:                               &PodDescriber{c},
+		{Group: corev1.GroupName, Kind: "ReplicationController"}:             &ReplicationControllerDescriber{c},
+		{Group: corev1.GroupName, Kind: "Secret"}:                            &SecretDescriber{c},
+		{Group: corev1.GroupName, Kind: "Service"}:                           &ServiceDescriber{c},
+		{Group: corev1.GroupName, Kind: "ServiceAccount"}:                    &ServiceAccountDescriber{c},
+		{Group: corev1.GroupName, Kind: "Node"}:                              &NodeDescriber{c},
+		{Group: corev1.GroupName, Kind: "LimitRange"}:                        &LimitRangeDescriber{c},
+		{Group: corev1.GroupName, Kind: "ResourceQuota"}:                     &ResourceQuotaDescriber{c},
+		{Group: corev1.GroupName, Kind: "PersistentVolume"}:                  &PersistentVolumeDescriber{c},
+		{Group: corev1.GroupName, Kind: "PersistentVolumeClaim"}:             &PersistentVolumeClaimDescriber{c},
+		{Group: corev1.GroupName, Kind: "Namespace"}:                         &NamespaceDescriber{c},
+		{Group: corev1.GroupName, Kind: "Endpoints"}:                         &EndpointsDescriber{c},
+		{Group: corev1.GroupName, Kind: "ConfigMap"}:                         &ConfigMapDescriber{c},
+		{Group: corev1.GroupName, Kind: "PriorityClass"}:                     &PriorityClassDescriber{c},
+		{Group: discoveryv1.GroupName, Kind: "EndpointSlice"}:                &EndpointSliceDescriber{c},
+		{Group: autoscalingv2.GroupName, Kind: "HorizontalPodAutoscaler"}:    &HorizontalPodAutoscalerDescriber{c},
+		{Group: extensionsv1beta1.GroupName, Kind: "Ingress"}:                &IngressDescriber{c},
+		{Group: networkingv1.GroupName, Kind: "Ingress"}:                     &IngressDescriber{c},
+		{Group: networkingv1.GroupName, Kind: "IngressClass"}:                &IngressClassDescriber{c},
+		{Group: networkingv1beta1.GroupName, Kind: "ServiceCIDR"}:            &ServiceCIDRDescriber{c},
+		{Group: networkingv1beta1.GroupName, Kind: "IPAddress"}:              &IPAddressDescriber{c},
+		{Group: networkingv1.GroupName, Kind: "ServiceCIDR"}:                 &ServiceCIDRDescriber{c},
+		{Group: networkingv1.GroupName, Kind: "IPAddress"}:                   &IPAddressDescriber{c},
+		{Group: batchv1.GroupName, Kind: "Job"}:                              &JobDescriber{c},
+		{Group: batchv1.GroupName, Kind: "CronJob"}:                          &CronJobDescriber{c},
+		{Group: batchv1beta1.GroupName, Kind: "CronJob"}:                     &CronJobDescriber{c},
+		{Group: appsv1.GroupName, Kind: "StatefulSet"}:                       &StatefulSetDescriber{c},
+		{Group: appsv1.GroupName, Kind: "Deployment"}:                        &DeploymentDescriber{c},
+		{Group: appsv1.GroupName, Kind: "DaemonSet"}:                         &DaemonSetDescriber{c},
+		{Group: appsv1.GroupName, Kind: "ReplicaSet"}:                        &ReplicaSetDescriber{c},
+		{Group: certificatesv1.GroupName, Kind: "CertificateSigningRequest"}: &CertificateSigningRequestDescriber{c},
+		{Group: storagev1.GroupName, Kind: "StorageClass"}:                   &StorageClassDescriber{c},
+		{Group: storagev1.GroupName, Kind: "CSINode"}:                        &CSINodeDescriber{c},
+		{Group: storagev1.GroupName, Kind: "VolumeAttributesClass"}:          &VolumeAttributesClassDescriber{c},
+		{Group: policyv1.GroupName, Kind: "PodDisruptionBudget"}:             &PodDisruptionBudgetDescriber{c},
+		{Group: rbacv1.GroupName, Kind: "Role"}:                              &RoleDescriber{c},
+		{Group: rbacv1.GroupName, Kind: "ClusterRole"}:                       &ClusterRoleDescriber{c},
+		{Group: rbacv1.GroupName, Kind: "RoleBinding"}:                       &RoleBindingDescriber{c},
+		{Group: rbacv1.GroupName, Kind: "ClusterRoleBinding"}:                &ClusterRoleBindingDescriber{c},
+		{Group: networkingv1.GroupName, Kind: "NetworkPolicy"}:               &NetworkPolicyDescriber{c},
+		{Group: schedulingv1.GroupName, Kind: "PriorityClass"}:               &PriorityClassDescriber{c},
 	}
 
 	return m, nil
@@ -371,7 +367,7 @@ func smartLabelFor(field string) string {
 		if slice.Contains[string](commonAcronyms, strings.ToUpper(part), nil) {
 			part = strings.ToUpper(part)
 		} else {
-			part = strings.Title(part)
+			part = cases.Title(language.English).String(part)
 		}
 		result = append(result, part)
 	}
@@ -392,7 +388,6 @@ func init() {
 		describeDeployment,
 		describeEndpoints,
 		describeEndpointSliceV1,
-		describeEndpointSliceV1beta1,
 		describeHorizontalPodAutoscalerV1,
 		describeHorizontalPodAutoscalerV2,
 		describeJob,
@@ -404,7 +399,6 @@ func init() {
 		describePersistentVolumeClaim,
 		describePod,
 		describePodDisruptionBudgetV1,
-		describePodDisruptionBudgetV1beta1,
 		describePriorityClass,
 		describeQuota,
 		describeReplicaSet,
@@ -885,6 +879,9 @@ func describePod(pod *corev1.Pod, events *corev1.EventList) (string, error) {
 		printLabelsMultiline(w, "Node-Selectors", pod.Spec.NodeSelector)
 		printPodTolerationsMultiline(w, "Tolerations", pod.Spec.Tolerations)
 		describeTopologySpreadConstraints(pod.Spec.TopologySpreadConstraints, w, "")
+		if pod.Spec.WorkloadRef != nil {
+			describeWorkloadReference(pod.Spec.WorkloadRef, w, "")
+		}
 		if events != nil {
 			DescribeEvents(events, w)
 		}
@@ -1016,6 +1013,15 @@ func describeVolumes(volumes []corev1.Volume, w PrefixWriter, space string) {
 	}
 }
 
+func describeWorkloadReference(workloadRef *corev1.WorkloadReference, w PrefixWriter, space string) {
+	w.Write(LEVEL_0, "%sWorkloadRef:\n", space)
+	w.Write(LEVEL_1, "Name:\t%s\n", workloadRef.Name)
+	w.Write(LEVEL_1, "PodGroup:\t%s\n", workloadRef.PodGroup)
+	if workloadRef.PodGroupReplicaKey != "" {
+		w.Write(LEVEL_1, "PodGroupReplicaKey:\t%s\n", workloadRef.PodGroupReplicaKey)
+	}
+}
+
 func printHostPathVolumeSource(hostPath *corev1.HostPathVolumeSource, w PrefixWriter) {
 	hostPathType := "<none>"
 	if hostPath.Type != nil {
@@ -2246,6 +2252,9 @@ func DescribePodTemplate(template *corev1.PodTemplateSpec, w PrefixWriter) {
 	}
 	printLabelsMultiline(w, "  Node-Selectors", template.Spec.NodeSelector)
 	printPodTolerationsMultiline(w, "  Tolerations", template.Spec.Tolerations)
+	if template.Spec.WorkloadRef != nil {
+		describeWorkloadReference(template.Spec.WorkloadRef, w, "  ")
+	}
 }
 
 // ReplicaSetDescriber generates information about a ReplicaSet and the pods it has created.
@@ -2609,50 +2618,14 @@ type IngressDescriber struct {
 func (i *IngressDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
 	var events *corev1.EventList
 
-	// try ingress/v1 first (v1.19) and fallback to ingress/v1beta if an err occurs
 	netV1, err := i.client.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(i.client.CoreV1(), netV1, describerSettings.ChunkSize)
-		}
-		return i.describeIngressV1(netV1, events)
-	}
-	netV1beta1, err := i.client.NetworkingV1beta1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(i.client.CoreV1(), netV1beta1, describerSettings.ChunkSize)
-		}
-		return i.describeIngressV1beta1(netV1beta1, events)
-	}
-	return "", err
-}
-
-func (i *IngressDescriber) describeBackendV1beta1(ns string, backend *networkingv1beta1.IngressBackend) string {
-	endpointSliceList, err := i.client.DiscoveryV1().EndpointSlices(ns).List(context.TODO(), metav1.ListOptions{
-		LabelSelector: fmt.Sprintf("%s=%s", discoveryv1.LabelServiceName, backend.ServiceName),
-	})
 	if err != nil {
-		return fmt.Sprintf("<error: %v>", err)
+		return "", err
 	}
-	service, err := i.client.CoreV1().Services(ns).Get(context.TODO(), backend.ServiceName, metav1.GetOptions{})
-	if err != nil {
-		return fmt.Sprintf("<error: %v>", err)
-	}
-	spName := ""
-	for i := range service.Spec.Ports {
-		sp := &service.Spec.Ports[i]
-		switch backend.ServicePort.Type {
-		case intstr.String:
-			if backend.ServicePort.StrVal == sp.Name {
-				spName = sp.Name
-			}
-		case intstr.Int:
-			if int32(backend.ServicePort.IntVal) == sp.Port {
-				spName = sp.Name
-			}
-		}
+	if describerSettings.ShowEvents {
+		events, _ = searchEvents(i.client.CoreV1(), netV1, describerSettings.ChunkSize)
 	}
-	return formatEndpointSlices(endpointSliceList.Items, sets.New(spName))
+	return i.describeIngressV1(netV1, events)
 }
 
 func (i *IngressDescriber) describeBackendV1(ns string, backend *networkingv1.IngressBackend) string {
@@ -2744,69 +2717,6 @@ func (i *IngressDescriber) describeIngressV1(ing *networkingv1.Ingress, events *
 	})
 }
 
-func (i *IngressDescriber) describeIngressV1beta1(ing *networkingv1beta1.Ingress, events *corev1.EventList) (string, error) {
-	return tabbedString(func(out io.Writer) error {
-		w := NewPrefixWriter(out)
-		w.Write(LEVEL_0, "Name:\t%v\n", ing.Name)
-		printLabelsMultiline(w, "Labels", ing.Labels)
-		w.Write(LEVEL_0, "Namespace:\t%v\n", ing.Namespace)
-		w.Write(LEVEL_0, "Address:\t%v\n", ingressLoadBalancerStatusStringerV1beta1(ing.Status.LoadBalancer, true))
-		ingressClassName := "<none>"
-		if ing.Spec.IngressClassName != nil {
-			ingressClassName = *ing.Spec.IngressClassName
-		}
-		w.Write(LEVEL_0, "Ingress Class:\t%v\n", ingressClassName)
-		def := ing.Spec.Backend
-		ns := ing.Namespace
-		if def == nil {
-			w.Write(LEVEL_0, "Default backend:\t<default>\n")
-		} else {
-			w.Write(LEVEL_0, "Default backend:\t%s\n", i.describeBackendV1beta1(ns, def))
-		}
-		if len(ing.Spec.TLS) != 0 {
-			describeIngressTLSV1beta1(w, ing.Spec.TLS)
-		}
-		w.Write(LEVEL_0, "Rules:\n  Host\tPath\tBackends\n")
-		w.Write(LEVEL_1, "----\t----\t--------\n")
-		count := 0
-		for _, rules := range ing.Spec.Rules {
-
-			if rules.HTTP == nil {
-				continue
-			}
-			count++
-			host := rules.Host
-			if len(host) == 0 {
-				host = "*"
-			}
-			w.Write(LEVEL_1, "%s\t\n", host)
-			for _, path := range rules.HTTP.Paths {
-				w.Write(LEVEL_2, "\t%s \t%s (%s)\n", path.Path, backendStringer(&path.Backend), i.describeBackendV1beta1(ing.Namespace, &path.Backend))
-			}
-		}
-		if count == 0 {
-			w.Write(LEVEL_1, "%s\t%s \t<default>\n", "*", "*")
-		}
-		printAnnotationsMultiline(w, "Annotations", ing.Annotations)
-
-		if events != nil {
-			DescribeEvents(events, w)
-		}
-		return nil
-	})
-}
-
-func describeIngressTLSV1beta1(w PrefixWriter, ingTLS []networkingv1beta1.IngressTLS) {
-	w.Write(LEVEL_0, "TLS:\n")
-	for _, t := range ingTLS {
-		if t.SecretName == "" {
-			w.Write(LEVEL_1, "SNI routes %v\n", strings.Join(t.Hosts, ","))
-		} else {
-			w.Write(LEVEL_1, "%v terminates %v\n", t.SecretName, strings.Join(t.Hosts, ","))
-		}
-	}
-}
-
 func describeIngressTLSV1(w PrefixWriter, ingTLS []networkingv1.IngressTLS) {
 	w.Write(LEVEL_0, "TLS:\n")
 	for _, t := range ingTLS {
@@ -2824,45 +2734,14 @@ type IngressClassDescriber struct {
 
 func (i *IngressClassDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
 	var events *corev1.EventList
-	// try IngressClass/v1 first (v1.19) and fallback to IngressClass/v1beta if an err occurs
 	netV1, err := i.client.NetworkingV1().IngressClasses().Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(i.client.CoreV1(), netV1, describerSettings.ChunkSize)
-		}
-		return i.describeIngressClassV1(netV1, events)
+	if err != nil {
+		return "", err
 	}
-	netV1beta1, err := i.client.NetworkingV1beta1().IngressClasses().Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(i.client.CoreV1(), netV1beta1, describerSettings.ChunkSize)
-		}
-		return i.describeIngressClassV1beta1(netV1beta1, events)
+	if describerSettings.ShowEvents {
+		events, _ = searchEvents(i.client.CoreV1(), netV1, describerSettings.ChunkSize)
 	}
-	return "", err
-}
-
-func (i *IngressClassDescriber) describeIngressClassV1beta1(ic *networkingv1beta1.IngressClass, events *corev1.EventList) (string, error) {
-	return tabbedString(func(out io.Writer) error {
-		w := NewPrefixWriter(out)
-		w.Write(LEVEL_0, "Name:\t%s\n", ic.Name)
-		printLabelsMultiline(w, "Labels", ic.Labels)
-		printAnnotationsMultiline(w, "Annotations", ic.Annotations)
-		w.Write(LEVEL_0, "Controller:\t%v\n", ic.Spec.Controller)
-
-		if ic.Spec.Parameters != nil {
-			w.Write(LEVEL_0, "Parameters:\n")
-			if ic.Spec.Parameters.APIGroup != nil {
-				w.Write(LEVEL_1, "APIGroup:\t%v\n", *ic.Spec.Parameters.APIGroup)
-			}
-			w.Write(LEVEL_1, "Kind:\t%v\n", ic.Spec.Parameters.Kind)
-			w.Write(LEVEL_1, "Name:\t%v\n", ic.Spec.Parameters.Name)
-		}
-		if events != nil {
-			DescribeEvents(events, w)
-		}
-		return nil
-	})
+	return i.describeIngressClassV1(netV1, events)
 }
 
 func (i *IngressClassDescriber) describeIngressClassV1(ic *networkingv1.IngressClass, events *corev1.EventList) (string, error) {
@@ -3256,26 +3135,15 @@ type EndpointSliceDescriber struct {
 
 func (d *EndpointSliceDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
 	var events *corev1.EventList
-	// try endpointslice/v1 first (v1.21) and fallback to v1beta1 if error occurs
 
 	epsV1, err := d.DiscoveryV1().EndpointSlices(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(d.CoreV1(), epsV1, describerSettings.ChunkSize)
-		}
-		return describeEndpointSliceV1(epsV1, events)
-	}
-
-	epsV1beta1, err := d.DiscoveryV1beta1().EndpointSlices(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 	if err != nil {
 		return "", err
 	}
-
 	if describerSettings.ShowEvents {
-		events, _ = searchEvents(d.CoreV1(), epsV1beta1, describerSettings.ChunkSize)
+		events, _ = searchEvents(d.CoreV1(), epsV1, describerSettings.ChunkSize)
 	}
-
-	return describeEndpointSliceV1beta1(epsV1beta1, events)
+	return describeEndpointSliceV1(epsV1, events)
 }
 
 func describeEndpointSliceV1(eps *discoveryv1.EndpointSlice, events *corev1.EventList) (string, error) {
@@ -3360,78 +3228,6 @@ func describeEndpointSliceV1(eps *discoveryv1.EndpointSlice, events *corev1.Even
 	})
 }
 
-func describeEndpointSliceV1beta1(eps *discoveryv1beta1.EndpointSlice, events *corev1.EventList) (string, error) {
-	return tabbedString(func(out io.Writer) error {
-		w := NewPrefixWriter(out)
-		w.Write(LEVEL_0, "Name:\t%s\n", eps.Name)
-		w.Write(LEVEL_0, "Namespace:\t%s\n", eps.Namespace)
-		printLabelsMultiline(w, "Labels", eps.Labels)
-		printAnnotationsMultiline(w, "Annotations", eps.Annotations)
-
-		w.Write(LEVEL_0, "AddressType:\t%s\n", string(eps.AddressType))
-
-		if len(eps.Ports) == 0 {
-			w.Write(LEVEL_0, "Ports: <unset>\n")
-		} else {
-			w.Write(LEVEL_0, "Ports:\n")
-			w.Write(LEVEL_1, "Name\tPort\tProtocol\n")
-			w.Write(LEVEL_1, "----\t----\t--------\n")
-			for _, port := range eps.Ports {
-				portName := "<unset>"
-				if port.Name != nil && len(*port.Name) > 0 {
-					portName = *port.Name
-				}
-
-				portNum := "<unset>"
-				if port.Port != nil {
-					portNum = strconv.Itoa(int(*port.Port))
-				}
-
-				w.Write(LEVEL_1, "%s\t%s\t%s\n", portName, portNum, *port.Protocol)
-			}
-		}
-
-		if len(eps.Endpoints) == 0 {
-			w.Write(LEVEL_0, "Endpoints: <none>\n")
-		} else {
-			w.Write(LEVEL_0, "Endpoints:\n")
-			for i := range eps.Endpoints {
-				endpoint := &eps.Endpoints[i]
-
-				addressesString := strings.Join(endpoint.Addresses, ",")
-				if len(addressesString) == 0 {
-					addressesString = "<none>"
-				}
-				w.Write(LEVEL_1, "- Addresses:\t%s\n", addressesString)
-
-				w.Write(LEVEL_2, "Conditions:\n")
-				readyText := "<unset>"
-				if endpoint.Conditions.Ready != nil {
-					readyText = strconv.FormatBool(*endpoint.Conditions.Ready)
-				}
-				w.Write(LEVEL_3, "Ready:\t%s\n", readyText)
-
-				hostnameText := "<unset>"
-				if endpoint.Hostname != nil {
-					hostnameText = *endpoint.Hostname
-				}
-				w.Write(LEVEL_2, "Hostname:\t%s\n", hostnameText)
-
-				if endpoint.TargetRef != nil {
-					w.Write(LEVEL_2, "TargetRef:\t%s/%s\n", endpoint.TargetRef.Kind, endpoint.TargetRef.Name)
-				}
-
-				printLabelsMultilineWithIndent(w, "    ", "Topology", "\t", endpoint.Topology, sets.New[string]())
-			}
-		}
-
-		if events != nil {
-			DescribeEvents(events, w)
-		}
-		return nil
-	})
-}
-
 // ServiceAccountDescriber generates information about a service.
 type ServiceAccountDescriber struct {
 	clientset.Interface
@@ -3445,61 +3241,15 @@ func (d *ServiceAccountDescriber) Describe(namespace, name string, describerSett
 		return "", err
 	}
 
-	tokens := []corev1.Secret{}
-
-	// missingSecrets is the set of all secrets present in the
-	// serviceAccount but not present in the set of existing secrets.
-	missingSecrets := sets.New[string]()
-	secrets := corev1.SecretList{}
-	err = runtimeresource.FollowContinue(&metav1.ListOptions{Limit: describerSettings.ChunkSize},
-		func(options metav1.ListOptions) (runtime.Object, error) {
-			newList, err := d.CoreV1().Secrets(namespace).List(context.TODO(), options)
-			if err != nil {
-				return nil, runtimeresource.EnhanceListError(err, options, corev1.ResourceSecrets.String())
-			}
-			secrets.Items = append(secrets.Items, newList.Items...)
-			return newList, nil
-		})
-
-	// errors are tolerated here in order to describe the serviceAccount with all
-	// of the secrets that it references, even if those secrets cannot be fetched.
-	if err == nil {
-		// existingSecrets is the set of all secrets remaining on a
-		// service account that are not present in the "tokens" slice.
-		existingSecrets := sets.New[string]()
-
-		for _, s := range secrets.Items {
-			if s.Type == corev1.SecretTypeServiceAccountToken {
-				name := s.Annotations[corev1.ServiceAccountNameKey]
-				uid := s.Annotations[corev1.ServiceAccountUIDKey]
-				if name == serviceAccount.Name && uid == string(serviceAccount.UID) {
-					tokens = append(tokens, s)
-				}
-			}
-			existingSecrets.Insert(s.Name)
-		}
-
-		for _, s := range serviceAccount.Secrets {
-			if !existingSecrets.Has(s.Name) {
-				missingSecrets.Insert(s.Name)
-			}
-		}
-		for _, s := range serviceAccount.ImagePullSecrets {
-			if !existingSecrets.Has(s.Name) {
-				missingSecrets.Insert(s.Name)
-			}
-		}
-	}
-
 	var events *corev1.EventList
 	if describerSettings.ShowEvents {
 		events, _ = searchEvents(d.CoreV1(), serviceAccount, describerSettings.ChunkSize)
 	}
 
-	return describeServiceAccount(serviceAccount, tokens, missingSecrets, events)
+	return describeServiceAccount(serviceAccount, events)
 }
 
-func describeServiceAccount(serviceAccount *corev1.ServiceAccount, tokens []corev1.Secret, missingSecrets sets.Set[string], events *corev1.EventList) (string, error) {
+func describeServiceAccount(serviceAccount *corev1.ServiceAccount, events *corev1.EventList) (string, error) {
 	return tabbedString(func(out io.Writer) error {
 		w := NewPrefixWriter(out)
 		w.Write(LEVEL_0, "Name:\t%s\n", serviceAccount.Name)
@@ -3510,28 +3260,16 @@ func describeServiceAccount(serviceAccount *corev1.ServiceAccount, tokens []core
 		var (
 			emptyHeader = "                   "
 			pullHeader  = "Image pull secrets:"
-			mountHeader = "Mountable secrets: "
-			tokenHeader = "Tokens:            "
 
-			pullSecretNames  = []string{}
-			mountSecretNames = []string{}
-			tokenSecretNames = []string{}
+			pullSecretNames = []string{}
 		)
 
 		for _, s := range serviceAccount.ImagePullSecrets {
 			pullSecretNames = append(pullSecretNames, s.Name)
 		}
-		for _, s := range serviceAccount.Secrets {
-			mountSecretNames = append(mountSecretNames, s.Name)
-		}
-		for _, s := range tokens {
-			tokenSecretNames = append(tokenSecretNames, s.Name)
-		}
 
 		types := map[string][]string{
-			pullHeader:  pullSecretNames,
-			mountHeader: mountSecretNames,
-			tokenHeader: tokenSecretNames,
+			pullHeader: pullSecretNames,
 		}
 		for _, header := range sets.List(sets.KeySet(types)) {
 			names := types[header]
@@ -3540,11 +3278,7 @@ func describeServiceAccount(serviceAccount *corev1.ServiceAccount, tokens []core
 			} else {
 				prefix := header
 				for _, name := range names {
-					if missingSecrets.Has(name) {
-						w.Write(LEVEL_0, "%s\t%s (not found)\n", prefix, name)
-					} else {
-						w.Write(LEVEL_0, "%s\t%s\n", prefix, name)
-					}
+					w.Write(LEVEL_0, "%s\t%s\n", prefix, name)
 					prefix = emptyHeader
 				}
 			}
@@ -3971,40 +3705,25 @@ func (p *CertificateSigningRequestDescriber) Describe(namespace, name string, de
 		events            *corev1.EventList
 	)
 
-	if csr, err := p.client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
-		crBytes = csr.Spec.Request
-		metadata = csr.ObjectMeta
-		conditionTypes := []string{}
-		for _, c := range csr.Status.Conditions {
-			conditionTypes = append(conditionTypes, string(c.Type))
-		}
-		status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
-		signerName = csr.Spec.SignerName
-		expirationSeconds = csr.Spec.ExpirationSeconds
-		username = csr.Spec.Username
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
-		}
-	} else if csr, err := p.client.CertificatesV1beta1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}); err == nil {
-		crBytes = csr.Spec.Request
-		metadata = csr.ObjectMeta
-		conditionTypes := []string{}
-		for _, c := range csr.Status.Conditions {
-			conditionTypes = append(conditionTypes, string(c.Type))
-		}
-		status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
-		if csr.Spec.SignerName != nil {
-			signerName = *csr.Spec.SignerName
-		}
-		expirationSeconds = csr.Spec.ExpirationSeconds
-		username = csr.Spec.Username
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
-		}
-	} else {
+	csr, err := p.client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{})
+	if err != nil {
 		return "", err
 	}
 
+	crBytes = csr.Spec.Request
+	metadata = csr.ObjectMeta
+	conditionTypes := []string{}
+	for _, c := range csr.Status.Conditions {
+		conditionTypes = append(conditionTypes, string(c.Type))
+	}
+	status = extractCSRStatus(conditionTypes, csr.Status.Certificate)
+	signerName = csr.Spec.SignerName
+	expirationSeconds = csr.Spec.ExpirationSeconds
+	username = csr.Spec.Username
+	if describerSettings.ShowEvents {
+		events, _ = searchEvents(p.client.CoreV1(), csr, describerSettings.ChunkSize)
+	}
+
 	cr, err := certificate.ParseCSR(crBytes)
 	if err != nil {
 		return "", fmt.Errorf("Error parsing CSR: %v", err)
@@ -4421,12 +4140,16 @@ func DescribeEvents(el *corev1.EventList, w PrefixWriter) {
 		if source == "" {
 			source = e.ReportingController
 		}
+		message := strings.TrimSpace(e.Message)
+		if len(e.InvolvedObject.FieldPath) > 0 {
+			message = fmt.Sprintf("%s: %s", e.InvolvedObject.FieldPath, message)
+		}
 		w.Write(LEVEL_1, "%v\t%v\t%s\t%v\t%v\n",
 			e.Type,
 			e.Reason,
 			interval,
 			source,
-			strings.TrimSpace(e.Message),
+			message,
 		)
 	}
 }
@@ -4937,33 +4660,20 @@ type PodDisruptionBudgetDescriber struct {
 
 func (p *PodDisruptionBudgetDescriber) Describe(namespace, name string, describerSettings DescriberSettings) (string, error) {
 	var (
-		pdbv1      *policyv1.PodDisruptionBudget
-		pdbv1beta1 *policyv1beta1.PodDisruptionBudget
-		err        error
+		pdbv1 *policyv1.PodDisruptionBudget
+		err   error
 	)
 
 	pdbv1, err = p.PolicyV1().PodDisruptionBudgets(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err == nil {
-		var events *corev1.EventList
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(p.CoreV1(), pdbv1, describerSettings.ChunkSize)
-		}
-		return describePodDisruptionBudgetV1(pdbv1, events)
+	if err != nil {
+		return "", err
 	}
 
-	// try falling back to v1beta1 in NotFound error cases
-	if apierrors.IsNotFound(err) {
-		pdbv1beta1, err = p.PolicyV1beta1().PodDisruptionBudgets(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	}
-	if err == nil {
-		var events *corev1.EventList
-		if describerSettings.ShowEvents {
-			events, _ = searchEvents(p.CoreV1(), pdbv1beta1, describerSettings.ChunkSize)
-		}
-		return describePodDisruptionBudgetV1beta1(pdbv1beta1, events)
+	var events *corev1.EventList
+	if describerSettings.ShowEvents {
+		events, _ = searchEvents(p.CoreV1(), pdbv1, describerSettings.ChunkSize)
 	}
-
-	return "", err
+	return describePodDisruptionBudgetV1(pdbv1, events)
 }
 
 func describePodDisruptionBudgetV1(pdb *policyv1.PodDisruptionBudget, events *corev1.EventList) (string, error) {
@@ -4996,36 +4706,6 @@ func describePodDisruptionBudgetV1(pdb *policyv1.PodDisruptionBudget, events *co
 	})
 }
 
-func describePodDisruptionBudgetV1beta1(pdb *policyv1beta1.PodDisruptionBudget, events *corev1.EventList) (string, error) {
-	return tabbedString(func(out io.Writer) error {
-		w := NewPrefixWriter(out)
-		w.Write(LEVEL_0, "Name:\t%s\n", pdb.Name)
-		w.Write(LEVEL_0, "Namespace:\t%s\n", pdb.Namespace)
-
-		if pdb.Spec.MinAvailable != nil {
-			w.Write(LEVEL_0, "Min available:\t%s\n", pdb.Spec.MinAvailable.String())
-		} else if pdb.Spec.MaxUnavailable != nil {
-			w.Write(LEVEL_0, "Max unavailable:\t%s\n", pdb.Spec.MaxUnavailable.String())
-		}
-
-		if pdb.Spec.Selector != nil {
-			w.Write(LEVEL_0, "Selector:\t%s\n", metav1.FormatLabelSelector(pdb.Spec.Selector))
-		} else {
-			w.Write(LEVEL_0, "Selector:\t<unset>\n")
-		}
-		w.Write(LEVEL_0, "Status:\n")
-		w.Write(LEVEL_2, "Allowed disruptions:\t%d\n", pdb.Status.DisruptionsAllowed)
-		w.Write(LEVEL_2, "Current:\t%d\n", pdb.Status.CurrentHealthy)
-		w.Write(LEVEL_2, "Desired:\t%d\n", pdb.Status.DesiredHealthy)
-		w.Write(LEVEL_2, "Total:\t%d\n", pdb.Status.ExpectedPods)
-		if events != nil {
-			DescribeEvents(events, w)
-		}
-
-		return nil
-	})
-}
-
 // PriorityClassDescriber generates information about a PriorityClass.
 type PriorityClassDescriber struct {
 	clientset.Interface
@@ -5597,11 +5277,11 @@ func extractCSRStatus(conditions []string, certificateBytes []byte) string {
 	var approved, denied, failed bool
 	for _, c := range conditions {
 		switch c {
-		case string(certificatesv1beta1.CertificateApproved):
+		case string(certificatesv1.CertificateApproved):
 			approved = true
-		case string(certificatesv1beta1.CertificateDenied):
+		case string(certificatesv1.CertificateDenied):
 			denied = true
-		case string(certificatesv1beta1.CertificateFailed):
+		case string(certificatesv1.CertificateFailed):
 			failed = true
 		}
 	}
@@ -5638,14 +5318,6 @@ func serviceBackendStringer(backend *networkingv1.IngressServiceBackend) string
 	return fmt.Sprintf("%v:%v", backend.Name, bPort)
 }
 
-// backendStringer behaves just like a string interface and converts the given backend to a string.
-func backendStringer(backend *networkingv1beta1.IngressBackend) string {
-	if backend == nil {
-		return ""
-	}
-	return fmt.Sprintf("%v:%v", backend.ServiceName, backend.ServicePort.String())
-}
-
 // findNodeRoles returns the roles of a given node.
 // The roles are determined by looking for:
 // * a node-role.kubernetes.io/<role>="" label
@@ -5686,26 +5358,6 @@ func ingressLoadBalancerStatusStringerV1(s networkingv1.IngressLoadBalancerStatu
 	return r
 }
 
-// ingressLoadBalancerStatusStringerV1beta1 behaves mostly like a string interface and converts the given status to a string.
-// `wide` indicates whether the returned value is meant for --o=wide output. If not, it's clipped to 16 bytes.
-func ingressLoadBalancerStatusStringerV1beta1(s networkingv1beta1.IngressLoadBalancerStatus, wide bool) string {
-	ingress := s.Ingress
-	result := sets.New[string]()
-	for i := range ingress {
-		if ingress[i].IP != "" {
-			result.Insert(ingress[i].IP)
-		} else if ingress[i].Hostname != "" {
-			result.Insert(ingress[i].Hostname)
-		}
-	}
-
-	r := strings.Join(sets.List(result), ",")
-	if !wide && len(r) > LoadBalancerWidth {
-		r = r[0:(LoadBalancerWidth-3)] + "..."
-	}
-	return r
-}
-
 // searchEvents finds events about the specified object.
 // It is very similar to CoreV1.Events.Search, but supports the Limit parameter.
 func searchEvents(client corev1client.EventsGetter, objOrRef runtime.Object, limit int64) (*corev1.EventList, error) {
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
index e11ea73675100..bee1f11f3e9e7 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@@ -36,11 +36,9 @@ import (
 	coordinationv1 "k8s.io/api/coordination/v1"
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
-	discoveryv1beta1 "k8s.io/api/discovery/v1beta1"
 	networkingv1 "k8s.io/api/networking/v1"
 	networkingv1beta1 "k8s.io/api/networking/v1beta1"
 	policyv1 "k8s.io/api/policy/v1"
-	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	schedulingv1 "k8s.io/api/scheduling/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
@@ -120,7 +118,7 @@ func TestDescribePod(t *testing.T) {
 	for i, test := range tests {
 		pod := runningPod.DeepCopy()
 		pod.Name, pod.Namespace, pod.Status.Phase = test.name, test.namespace, test.phase
-		fake := fake.NewSimpleClientset(pod)
+		fake := fake.NewClientset(pod)
 		c := &describeClient{T: t, Namespace: pod.Namespace, Interface: fake}
 		d := PodDescriber{c}
 		out, err := d.Describe(pod.Namespace, pod.Name, DescriberSettings{ShowEvents: true})
@@ -136,7 +134,7 @@ func TestDescribePod(t *testing.T) {
 }
 
 func TestDescribePodServiceAccount(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -160,7 +158,7 @@ func TestDescribePodServiceAccount(t *testing.T) {
 }
 
 func TestDescribePodEphemeralContainers(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -205,7 +203,7 @@ func TestDescribePodEphemeralContainers(t *testing.T) {
 }
 
 func TestDescribePodNode(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -233,7 +231,7 @@ func TestDescribePodNode(t *testing.T) {
 }
 
 func TestDescribePodTolerations(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -305,7 +303,7 @@ func TestDescribePodVolumes(t *testing.T) {
 				Events:          <none>
 			`)[1:]
 
-	fakeClient := fake.NewSimpleClientset(pod)
+	fakeClient := fake.NewClientset(pod)
 	c := &describeClient{T: t, Namespace: "foo", Interface: fakeClient}
 	d := PodDescriber{c}
 	out, err := d.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
@@ -316,7 +314,7 @@ func TestDescribePodVolumes(t *testing.T) {
 }
 
 func TestDescribeTopologySpreadConstraints(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -391,7 +389,7 @@ func TestDescribeSecret(t *testing.T) {
 				},
 				Data: testCase.data,
 			}
-			fake := fake.NewSimpleClientset(secret)
+			fake := fake.NewClientset(secret)
 			c := &describeClient{T: t, Namespace: "foo", Interface: fake}
 			d := SecretDescriber{c}
 
@@ -494,7 +492,7 @@ func TestDescribeNamespace(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(testCase.namespace)
+			fake := fake.NewClientset(testCase.namespace)
 			c := &describeClient{T: t, Namespace: "", Interface: fake}
 			d := NamespaceDescriber{c}
 
@@ -514,7 +512,7 @@ func TestDescribeNamespace(t *testing.T) {
 
 func TestDescribePodPriority(t *testing.T) {
 	priority := int32(1000)
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "bar",
 		},
@@ -593,7 +591,7 @@ func TestDescribePodRuntimeClass(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(testCase.pod)
+			fake := fake.NewClientset(testCase.pod)
 			c := &describeClient{T: t, Interface: fake}
 			d := PodDescriber{c}
 			out, err := d.Describe("", "bar", DescriberSettings{ShowEvents: true})
@@ -614,6 +612,65 @@ func TestDescribePodRuntimeClass(t *testing.T) {
 	}
 }
 
+func TestDescribePodWorkloadReference(t *testing.T) {
+	testCases := []struct {
+		name     string
+		pod      *corev1.Pod
+		expected string
+	}{
+		{
+			name: "test1",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "bar",
+				},
+				Spec: corev1.PodSpec{
+					WorkloadRef: &corev1.WorkloadReference{
+						Name:     "workload",
+						PodGroup: "pg",
+					},
+				},
+			},
+			expected: `WorkloadRef:
+  Name:      workload
+  PodGroup:  pg`,
+		},
+		{
+			name: "test2",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "bar",
+				},
+				Spec: corev1.PodSpec{
+					WorkloadRef: &corev1.WorkloadReference{
+						Name:               "workload",
+						PodGroup:           "pg",
+						PodGroupReplicaKey: "pg1",
+					},
+				},
+			},
+			expected: `WorkloadRef:
+  Name:                workload
+  PodGroup:            pg
+  PodGroupReplicaKey:  pg1`,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fake := fake.NewClientset(tc.pod)
+			c := &describeClient{T: t, Interface: fake}
+			d := PodDescriber{c}
+			out, err := d.Describe("", "bar", DescriberSettings{ShowEvents: true})
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+			if !strings.Contains(out, tc.expected) {
+				t.Errorf("Expected to find %q in output: %q", tc.expected, out)
+			}
+		})
+	}
+}
+
 func TestDescribePriorityClass(t *testing.T) {
 	preemptLowerPriority := corev1.PreemptLowerPriority
 	preemptNever := corev1.PreemptNever
@@ -666,7 +723,7 @@ func TestDescribePriorityClass(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(testCase.priorityClass)
+			fake := fake.NewClientset(testCase.priorityClass)
 			c := &describeClient{T: t, Interface: fake}
 			d := PriorityClassDescriber{c}
 			out, err := d.Describe("", "bar", DescriberSettings{ShowEvents: true})
@@ -683,7 +740,7 @@ func TestDescribePriorityClass(t *testing.T) {
 }
 
 func TestDescribeConfigMap(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.ConfigMap{
+	fake := fake.NewClientset(&corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "mycm",
 			Namespace: "foo",
@@ -741,7 +798,7 @@ Events:  <none>
 }
 
 func TestDescribeLimitRange(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.LimitRange{
+	fake := fake.NewClientset(&corev1.LimitRange{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "mylr",
 			Namespace: "foo",
@@ -1220,7 +1277,7 @@ func TestDescribeService(t *testing.T) {
 			for i := range tc.endpointSlices {
 				objects = append(objects, tc.endpointSlices[i])
 			}
-			fakeClient := fake.NewSimpleClientset(objects...)
+			fakeClient := fake.NewClientset(objects...)
 			c := &describeClient{T: t, Namespace: "foo", Interface: fakeClient}
 			d := ServiceDescriber{c}
 			out, err := d.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
@@ -1235,7 +1292,7 @@ func TestDescribeService(t *testing.T) {
 
 func TestPodDescribeResultsSorted(t *testing.T) {
 	// Arrange
-	fake := fake.NewSimpleClientset(
+	fake := fake.NewClientset(
 		&corev1.EventList{
 			Items: []corev1.Event{
 				{
@@ -2266,7 +2323,7 @@ func TestPersistentVolumeDescriber(t *testing.T) {
 
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(test.pv)
+			fake := fake.NewClientset(test.pv)
 			c := PersistentVolumeDescriber{fake}
 			str, err := c.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
 			if err != nil {
@@ -2520,7 +2577,7 @@ func TestPersistentVolumeClaimDescriber(t *testing.T) {
 
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(test.pvc)
+			fake := fake.NewClientset(test.pvc)
 			c := PersistentVolumeClaimDescriber{fake}
 
 			var describerSettings DescriberSettings
@@ -2640,7 +2697,7 @@ func TestGetPodsForPVC(t *testing.T) {
 			var objects []runtime.Object
 			objects = append(objects, test.requiredObjects...)
 			objects = append(objects, test.pvc)
-			fake := fake.NewSimpleClientset(objects...)
+			fake := fake.NewClientset(objects...)
 
 			pods, err := getPodsForPVC(fake.CoreV1().Pods(test.pvc.ObjectMeta.Namespace), test.pvc, DescriberSettings{})
 			if err != nil {
@@ -3357,7 +3414,7 @@ func TestDescribeDeployment(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			fakeClient := fake.NewSimpleClientset(testCase.objects...)
+			fakeClient := fake.NewClientset(testCase.objects...)
 			d := DeploymentDescriber{fakeClient}
 			out, err := d.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
 			if err != nil {
@@ -3469,7 +3526,7 @@ func TestDescribeJob(t *testing.T) {
 			client := &describeClient{
 				T:         t,
 				Namespace: tc.job.Namespace,
-				Interface: fake.NewSimpleClientset(tc.job),
+				Interface: fake.NewClientset(tc.job),
 			}
 			describer := JobDescriber{Interface: client}
 			out, err := describer.Describe(tc.job.Namespace, tc.job.Name, DescriberSettings{ShowEvents: true})
@@ -3494,38 +3551,6 @@ func TestDescribeJob(t *testing.T) {
 
 func TestDescribeIngress(t *testing.T) {
 	ingresClassName := "test"
-	backendV1beta1 := networkingv1beta1.IngressBackend{
-		ServiceName: "default-backend",
-		ServicePort: intstr.FromInt32(80),
-	}
-	v1beta1 := fake.NewSimpleClientset(&networkingv1beta1.Ingress{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "bar",
-			Labels: map[string]string{
-				"id1": "app1",
-				"id2": "app2",
-			},
-			Namespace: "foo",
-		},
-		Spec: networkingv1beta1.IngressSpec{
-			IngressClassName: &ingresClassName,
-			Rules: []networkingv1beta1.IngressRule{
-				{
-					Host: "foo.bar.com",
-					IngressRuleValue: networkingv1beta1.IngressRuleValue{
-						HTTP: &networkingv1beta1.HTTPIngressRuleValue{
-							Paths: []networkingv1beta1.HTTPIngressPath{
-								{
-									Path:    "/foo",
-									Backend: backendV1beta1,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	})
 	backendV1 := networkingv1.IngressBackend{
 		Service: &networkingv1.IngressServiceBackend{
 			Name: "default-backend",
@@ -3535,7 +3560,7 @@ func TestDescribeIngress(t *testing.T) {
 		},
 	}
 
-	netv1 := fake.NewSimpleClientset(&networkingv1.Ingress{
+	netv1 := fake.NewClientset(&networkingv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -3578,23 +3603,6 @@ func TestDescribeIngress(t *testing.T) {
 		input  *fake.Clientset
 		output string
 	}{
-		"IngressRule.HTTP.Paths.Backend.Service v1beta1": {
-			input: v1beta1,
-			output: `Name:             bar
-Labels:           id1=app1
-                  id2=app2
-Namespace:        foo
-Address:          
-Ingress Class:    test
-Default backend:  <default>
-Rules:
-  Host         Path  Backends
-  ----         ----  --------
-  foo.bar.com  
-               /foo   default-backend:80 (<error: services "default-backend" not found>)
-Annotations:   <none>
-Events:        <none>` + "\n",
-		},
 		"IngressRule.HTTP.Paths.Backend.Service v1": {
 			input: netv1,
 			output: `Name:             bar
@@ -3612,7 +3620,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"IngressRule.HTTP.Paths.Backend.Resource v1": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3651,7 +3659,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"IngressRule.HTTP.Paths.Backend.Resource v1 Without APIGroup": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3690,7 +3698,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"Spec.DefaultBackend.Service & IngressRule.HTTP.Paths.Backend.Service v1": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3730,7 +3738,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"Spec.DefaultBackend.Resource & IngressRule.HTTP.Paths.Backend.Resource v1": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3770,7 +3778,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"Spec.DefaultBackend.Resource & IngressRule.HTTP.Paths.Backend.Service v1": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3810,7 +3818,7 @@ Annotations:   <none>
 Events:        <none>` + "\n",
 		},
 		"DefaultBackend": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3835,7 +3843,7 @@ Events:       <none>
 `,
 		},
 		"EmptyBackend": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3859,7 +3867,7 @@ Events:       <none>
 `,
 		},
 		"EmptyIngressClassName": {
-			input: fake.NewSimpleClientset(&networkingv1.Ingress{
+			input: fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -3912,7 +3920,7 @@ func TestDescribeIngressV1(t *testing.T) {
 		},
 	}
 
-	fakeClient := fake.NewSimpleClientset(&networkingv1.Ingress{
+	fakeClient := fake.NewClientset(&networkingv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "bar",
 			Labels: map[string]string{
@@ -3958,7 +3966,7 @@ func TestDescribeIngressV1(t *testing.T) {
 func TestDescribeStorageClass(t *testing.T) {
 	reclaimPolicy := corev1.PersistentVolumeReclaimRetain
 	bindingMode := storagev1.VolumeBindingMode("bindingmode")
-	f := fake.NewSimpleClientset(&storagev1.StorageClass{
+	f := fake.NewClientset(&storagev1.StorageClass{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "foo",
 			ResourceVersion: "4",
@@ -4031,7 +4039,7 @@ Parameters:   param1=value1,param2=value2
 Events:       <none>
 `
 
-	f := fake.NewSimpleClientset(&storagev1.VolumeAttributesClass{
+	f := fake.NewClientset(&storagev1.VolumeAttributesClass{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:            "foo",
 			ResourceVersion: "4",
@@ -4057,7 +4065,7 @@ Events:       <none>
 
 func TestDescribeCSINode(t *testing.T) {
 	limit := ptr.To[int32](2)
-	f := fake.NewSimpleClientset(&storagev1.CSINode{
+	f := fake.NewClientset(&storagev1.CSINode{
 		ObjectMeta: metav1.ObjectMeta{Name: "foo"},
 		Spec: storagev1.CSINodeSpec{
 			Drivers: []storagev1.CSINodeDriver{
@@ -4087,37 +4095,9 @@ func TestDescribeCSINode(t *testing.T) {
 	}
 }
 
-func TestDescribePodDisruptionBudgetV1beta1(t *testing.T) {
-	minAvailable := intstr.FromInt32(22)
-	f := fake.NewSimpleClientset(&policyv1beta1.PodDisruptionBudget{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace:         "ns1",
-			Name:              "pdb1",
-			CreationTimestamp: metav1.Time{Time: time.Now().Add(1.9e9)},
-		},
-		Spec: policyv1beta1.PodDisruptionBudgetSpec{
-			MinAvailable: &minAvailable,
-		},
-		Status: policyv1beta1.PodDisruptionBudgetStatus{
-			DisruptionsAllowed: 5,
-		},
-	})
-	s := PodDisruptionBudgetDescriber{f}
-	out, err := s.Describe("ns1", "pdb1", DescriberSettings{ShowEvents: true})
-	if err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-	if !strings.Contains(out, "pdb1") ||
-		!strings.Contains(out, "ns1") ||
-		!strings.Contains(out, "22") ||
-		!strings.Contains(out, "5") {
-		t.Errorf("unexpected out: %s", out)
-	}
-}
-
 func TestDescribePodDisruptionBudgetV1(t *testing.T) {
 	minAvailable := intstr.FromInt32(22)
-	f := fake.NewSimpleClientset(&policyv1.PodDisruptionBudget{
+	f := fake.NewClientset(&policyv1.PodDisruptionBudget{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:         "ns1",
 			Name:              "pdb1",
@@ -5015,7 +4995,7 @@ func TestDescribeHorizontalPodAutoscaler(t *testing.T) {
 				Name:      "bar",
 				Namespace: "foo",
 			}
-			fake := fake.NewSimpleClientset(&test.hpa)
+			fake := fake.NewClientset(&test.hpa)
 			desc := HorizontalPodAutoscalerDescriber{fake}
 			str, err := desc.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
 			if err != nil {
@@ -5110,7 +5090,7 @@ func TestDescribeHorizontalPodAutoscaler(t *testing.T) {
 				Name:      "bar",
 				Namespace: "foo",
 			}
-			fake := fake.NewSimpleClientset(&test.hpa)
+			fake := fake.NewClientset(&test.hpa)
 			desc := HorizontalPodAutoscalerDescriber{fake}
 			str, err := desc.Describe("foo", "bar", DescriberSettings{ShowEvents: true})
 			if err != nil {
@@ -5159,7 +5139,7 @@ func TestDescribeEvents(t *testing.T) {
 
 	m := map[string]ResourceDescriber{
 		"DaemonSetDescriber": &DaemonSetDescriber{
-			fake.NewSimpleClientset(&appsv1.DaemonSet{
+			fake.NewClientset(&appsv1.DaemonSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5167,7 +5147,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"DeploymentDescriber": &DeploymentDescriber{
-			fake.NewSimpleClientset(&appsv1.Deployment{
+			fake.NewClientset(&appsv1.Deployment{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5179,7 +5159,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"EndpointsDescriber": &EndpointsDescriber{
-			fake.NewSimpleClientset(&corev1.Endpoints{
+			fake.NewClientset(&corev1.Endpoints{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5187,7 +5167,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"EndpointSliceDescriber": &EndpointSliceDescriber{
-			fake.NewSimpleClientset(&discoveryv1beta1.EndpointSlice{
+			fake.NewClientset(&discoveryv1.EndpointSlice{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5195,7 +5175,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"JobDescriber": &JobDescriber{
-			fake.NewSimpleClientset(&batchv1.Job{
+			fake.NewClientset(&batchv1.Job{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5203,7 +5183,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"IngressDescriber": &IngressDescriber{
-			fake.NewSimpleClientset(&networkingv1beta1.Ingress{
+			fake.NewClientset(&networkingv1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5211,21 +5191,21 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"NodeDescriber": &NodeDescriber{
-			fake.NewSimpleClientset(&corev1.Node{
+			fake.NewClientset(&corev1.Node{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "bar",
 				},
 			}, events),
 		},
 		"PersistentVolumeDescriber": &PersistentVolumeDescriber{
-			fake.NewSimpleClientset(&corev1.PersistentVolume{
+			fake.NewClientset(&corev1.PersistentVolume{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "bar",
 				},
 			}, events),
 		},
 		"PodDescriber": &PodDescriber{
-			fake.NewSimpleClientset(&corev1.Pod{
+			fake.NewClientset(&corev1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5233,7 +5213,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"ReplicaSetDescriber": &ReplicaSetDescriber{
-			fake.NewSimpleClientset(&appsv1.ReplicaSet{
+			fake.NewClientset(&appsv1.ReplicaSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5244,7 +5224,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"ReplicationControllerDescriber": &ReplicationControllerDescriber{
-			fake.NewSimpleClientset(&corev1.ReplicationController{
+			fake.NewClientset(&corev1.ReplicationController{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5255,7 +5235,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"Service": &ServiceDescriber{
-			fake.NewSimpleClientset(&corev1.Service{
+			fake.NewClientset(&corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5263,14 +5243,14 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"StorageClass": &StorageClassDescriber{
-			fake.NewSimpleClientset(&storagev1.StorageClass{
+			fake.NewClientset(&storagev1.StorageClass{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "bar",
 				},
 			}, events),
 		},
 		"HorizontalPodAutoscaler": &HorizontalPodAutoscalerDescriber{
-			fake.NewSimpleClientset(&autoscalingv2.HorizontalPodAutoscaler{
+			fake.NewClientset(&autoscalingv2.HorizontalPodAutoscaler{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5278,7 +5258,7 @@ func TestDescribeEvents(t *testing.T) {
 			}, events),
 		},
 		"ConfigMap": &ConfigMapDescriber{
-			fake.NewSimpleClientset(&corev1.ConfigMap{
+			fake.NewClientset(&corev1.ConfigMap{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "bar",
 					Namespace: "foo",
@@ -5452,7 +5432,7 @@ URL:	http://localhost
 }
 
 func TestDescribeResourceQuota(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.ResourceQuota{
+	fake := fake.NewClientset(&corev1.ResourceQuota{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -5500,57 +5480,29 @@ Parameters:
   Kind:      ConfigMap
   Name:      example-parameters` + "\n"
 
-	tests := map[string]struct {
-		input  *fake.Clientset
-		output string
-	}{
-		"basic IngressClass (v1beta1)": {
-			input: fake.NewSimpleClientset(&networkingv1beta1.IngressClass{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "example-class",
-				},
-				Spec: networkingv1beta1.IngressClassSpec{
-					Controller: "example.com/controller",
-					Parameters: &networkingv1beta1.IngressClassParametersReference{
-						APIGroup: ptr.To("v1"),
-						Kind:     "ConfigMap",
-						Name:     "example-parameters",
-					},
-				},
-			}),
-			output: expectedOut,
+	input := fake.NewClientset(&networkingv1.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "example-class",
 		},
-		"basic IngressClass (v1)": {
-			input: fake.NewSimpleClientset(&networkingv1.IngressClass{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "example-class",
-				},
-				Spec: networkingv1.IngressClassSpec{
-					Controller: "example.com/controller",
-					Parameters: &networkingv1.IngressClassParametersReference{
-						APIGroup: ptr.To("v1"),
-						Kind:     "ConfigMap",
-						Name:     "example-parameters",
-					},
-				},
-			}),
-			output: expectedOut,
+		Spec: networkingv1.IngressClassSpec{
+			Controller: "example.com/controller",
+			Parameters: &networkingv1.IngressClassParametersReference{
+				APIGroup: ptr.To("v1"),
+				Kind:     "ConfigMap",
+				Name:     "example-parameters",
+			},
 		},
-	}
+	})
 
-	for name, test := range tests {
-		t.Run(name, func(t *testing.T) {
-			c := &describeClient{T: t, Namespace: "foo", Interface: test.input}
-			d := IngressClassDescriber{c}
-			out, err := d.Describe("", "example-class", DescriberSettings{})
-			if err != nil {
-				t.Errorf("unexpected error: %v", err)
-			}
-			if out != expectedOut {
-				t.Log(out)
-				t.Errorf("expected : %q\n but got output:\n %q", test.output, out)
-			}
-		})
+	c := &describeClient{T: t, Namespace: "foo", Interface: input}
+	d := IngressClassDescriber{c}
+	out, err := d.Describe("", "example-class", DescriberSettings{})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if out != expectedOut {
+		t.Log(out)
+		t.Errorf("expected : %q\n but got output:\n %q", expectedOut, out)
 	}
 }
 
@@ -5611,7 +5563,7 @@ Spec:
 	port82 := intstr.FromInt32(82)
 	protoTCP := corev1.ProtocolTCP
 
-	versionedFake := fake.NewSimpleClientset(&networkingv1.NetworkPolicy{
+	versionedFake := fake.NewClientset(&networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:              "network-policy-1",
 			Namespace:         "default",
@@ -5796,7 +5748,7 @@ Spec:
 	port82 := intstr.FromInt32(82)
 	protoTCP := corev1.ProtocolTCP
 
-	versionedFake := fake.NewSimpleClientset(&networkingv1.NetworkPolicy{
+	versionedFake := fake.NewClientset(&networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:              "network-policy-1",
 			Namespace:         "default",
@@ -5924,7 +5876,7 @@ Spec:
 	port82 := intstr.FromInt32(82)
 	protoTCP := corev1.ProtocolTCP
 
-	versionedFake := fake.NewSimpleClientset(&networkingv1.NetworkPolicy{
+	versionedFake := fake.NewClientset(&networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:              "network-policy-1",
 			Namespace:         "default",
@@ -6067,7 +6019,7 @@ Spec:
 	port82 := int32(82)
 	protoTCP := corev1.ProtocolTCP
 
-	versionedFake := fake.NewSimpleClientset(&networkingv1.NetworkPolicy{
+	versionedFake := fake.NewClientset(&networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:              "network-policy-1",
 			Namespace:         "default",
@@ -6212,7 +6164,7 @@ Spec:
 }
 
 func TestDescribeServiceAccount(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.ServiceAccount{
+	fake := fake.NewClientset(&corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -6238,9 +6190,7 @@ func TestDescribeServiceAccount(t *testing.T) {
 Namespace:           foo
 Labels:              <none>
 Annotations:         <none>
-Image pull secrets:  test-local-ref (not found)
-Mountable secrets:   test-objectref (not found)
-Tokens:              <none>
+Image pull secrets:  test-local-ref
 Events:              <none>` + "\n"
 	if out != expectedOut {
 		t.Errorf("expected : %q\n but got output:\n %q", expectedOut, out)
@@ -6280,7 +6230,7 @@ func TestDescribeNode(t *testing.T) {
 		getHugePageResourceList("1Gi", "0"),
 	)
 
-	fake := fake.NewSimpleClientset(
+	fake := fake.NewClientset(
 		&corev1.Node{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "bar",
@@ -6414,7 +6364,7 @@ func TestDescribeNodeWithSidecar(t *testing.T) {
 	)
 
 	restartPolicy := corev1.ContainerRestartPolicyAlways
-	fake := fake.NewSimpleClientset(
+	fake := fake.NewClientset(
 		&corev1.Node{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "bar",
@@ -6553,7 +6503,7 @@ func TestDescribeNodeWithSidecar(t *testing.T) {
 func TestDescribeStatefulSet(t *testing.T) {
 	var partition int32 = 2672
 	var replicas int32 = 1
-	fake := fake.NewSimpleClientset(&appsv1.StatefulSet{
+	fake := fake.NewClientset(&appsv1.StatefulSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -6593,7 +6543,7 @@ func TestDescribeStatefulSet(t *testing.T) {
 }
 
 func TestDescribeDaemonSet(t *testing.T) {
-	fake := fake.NewSimpleClientset(&appsv1.DaemonSet{
+	fake := fake.NewClientset(&appsv1.DaemonSet{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
@@ -6631,100 +6581,35 @@ func TestDescribeEndpointSlice(t *testing.T) {
 	protocolTCP := corev1.ProtocolTCP
 	port80 := int32(80)
 
-	testcases := map[string]struct {
-		input  *fake.Clientset
-		output string
-	}{
-		"EndpointSlices v1beta1": {
-			input: fake.NewSimpleClientset(&discoveryv1beta1.EndpointSlice{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo.123",
-					Namespace: "bar",
-				},
-				AddressType: discoveryv1beta1.AddressTypeIPv4,
-				Endpoints: []discoveryv1beta1.Endpoint{
-					{
-						Addresses:  []string{"1.2.3.4", "1.2.3.5"},
-						Conditions: discoveryv1beta1.EndpointConditions{Ready: ptr.To(true)},
-						TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-123"},
-						Topology: map[string]string{
-							"topology.kubernetes.io/zone":   "us-central1-a",
-							"topology.kubernetes.io/region": "us-central1",
-						},
-					}, {
-						Addresses:  []string{"1.2.3.6", "1.2.3.7"},
-						Conditions: discoveryv1beta1.EndpointConditions{Ready: ptr.To(true)},
-						TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-124"},
-						Topology: map[string]string{
-							"topology.kubernetes.io/zone":   "us-central1-b",
-							"topology.kubernetes.io/region": "us-central1",
-						},
-					},
-				},
-				Ports: []discoveryv1beta1.EndpointPort{
-					{
-						Protocol: &protocolTCP,
-						Port:     &port80,
-					},
-				},
-			}),
-
-			output: `Name:         foo.123
-Namespace:    bar
-Labels:       <none>
-Annotations:  <none>
-AddressType:  IPv4
-Ports:
-  Name     Port  Protocol
-  ----     ----  --------
-  <unset>  80    TCP
-Endpoints:
-  - Addresses:  1.2.3.4,1.2.3.5
-    Conditions:
-      Ready:    true
-    Hostname:   <unset>
-    TargetRef:  Pod/test-123
-    Topology:   topology.kubernetes.io/region=us-central1
-                topology.kubernetes.io/zone=us-central1-a
-  - Addresses:  1.2.3.6,1.2.3.7
-    Conditions:
-      Ready:    true
-    Hostname:   <unset>
-    TargetRef:  Pod/test-124
-    Topology:   topology.kubernetes.io/region=us-central1
-                topology.kubernetes.io/zone=us-central1-b
-Events:         <none>` + "\n",
+	input := fake.NewClientset(&discoveryv1.EndpointSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo.123",
+			Namespace: "bar",
 		},
-		"EndpointSlices v1": {
-			input: fake.NewSimpleClientset(&discoveryv1.EndpointSlice{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo.123",
-					Namespace: "bar",
-				},
-				AddressType: discoveryv1.AddressTypeIPv4,
-				Endpoints: []discoveryv1.Endpoint{
-					{
-						Addresses:  []string{"1.2.3.4", "1.2.3.5"},
-						Conditions: discoveryv1.EndpointConditions{Ready: ptr.To(true)},
-						TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-123"},
-						Zone:       ptr.To("us-central1-a"),
-						NodeName:   ptr.To("node-1"),
-					}, {
-						Addresses:  []string{"1.2.3.6", "1.2.3.7"},
-						Conditions: discoveryv1.EndpointConditions{Ready: ptr.To(true)},
-						TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-124"},
-						NodeName:   ptr.To("node-2"),
-					},
-				},
-				Ports: []discoveryv1.EndpointPort{
-					{
-						Protocol: &protocolTCP,
-						Port:     &port80,
-					},
-				},
-			}),
+		AddressType: discoveryv1.AddressTypeIPv4,
+		Endpoints: []discoveryv1.Endpoint{
+			{
+				Addresses:  []string{"1.2.3.4", "1.2.3.5"},
+				Conditions: discoveryv1.EndpointConditions{Ready: ptr.To(true)},
+				TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-123"},
+				Zone:       ptr.To("us-central1-a"),
+				NodeName:   ptr.To("node-1"),
+			}, {
+				Addresses:  []string{"1.2.3.6", "1.2.3.7"},
+				Conditions: discoveryv1.EndpointConditions{Ready: ptr.To(true)},
+				TargetRef:  &corev1.ObjectReference{Kind: "Pod", Name: "test-124"},
+				NodeName:   ptr.To("node-2"),
+			},
+		},
+		Ports: []discoveryv1.EndpointPort{
+			{
+				Protocol: &protocolTCP,
+				Port:     &port80,
+			},
+		},
+	})
 
-			output: `Name:         foo.123
+	output := `Name:         foo.123
 Namespace:    bar
 Labels:       <none>
 Annotations:  <none>
@@ -6748,23 +6633,17 @@ Endpoints:
     TargetRef:  Pod/test-124
     NodeName:   node-2
     Zone:       <unset>
-Events:         <none>` + "\n",
-		},
-	}
+Events:         <none>` + "\n"
 
-	for name, tc := range testcases {
-		t.Run(name, func(t *testing.T) {
-			c := &describeClient{T: t, Namespace: "foo", Interface: tc.input}
-			d := EndpointSliceDescriber{c}
-			out, err := d.Describe("bar", "foo.123", DescriberSettings{ShowEvents: true})
-			if err != nil {
-				t.Errorf("unexpected error: %v", err)
-			}
-			if out != tc.output {
-				t.Log(out)
-				t.Errorf("expected :\n%s\nbut got output:\n%s", tc.output, out)
-			}
-		})
+	c := &describeClient{T: t, Namespace: "foo", Interface: input}
+	d := EndpointSliceDescriber{c}
+	out, err := d.Describe("bar", "foo.123", DescriberSettings{ShowEvents: true})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+	if out != output {
+		t.Log(out)
+		t.Errorf("expected :\n%s\nbut got output:\n%s", output, out)
 	}
 }
 
@@ -6775,7 +6654,7 @@ func TestDescribeServiceCIDR(t *testing.T) {
 		output string
 	}{
 		"ServiceCIDR v1beta1": {
-			input: fake.NewSimpleClientset(&networkingv1beta1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1beta1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6791,7 +6670,7 @@ CIDRs:        10.1.0.0/16, fd00:1:1::/64
 Events:       <none>` + "\n",
 		},
 		"ServiceCIDR v1beta1 IPv4": {
-			input: fake.NewSimpleClientset(&networkingv1beta1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1beta1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6807,7 +6686,7 @@ CIDRs:        10.1.0.0/16
 Events:       <none>` + "\n",
 		},
 		"ServiceCIDR v1beta1 IPv6": {
-			input: fake.NewSimpleClientset(&networkingv1beta1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1beta1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6823,7 +6702,7 @@ CIDRs:        fd00:1:1::/64
 Events:       <none>` + "\n",
 		},
 		"ServiceCIDR v1": {
-			input: fake.NewSimpleClientset(&networkingv1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6839,7 +6718,7 @@ CIDRs:        10.1.0.0/16, fd00:1:1::/64
 Events:       <none>` + "\n",
 		},
 		"ServiceCIDR v1 IPv4": {
-			input: fake.NewSimpleClientset(&networkingv1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6855,7 +6734,7 @@ CIDRs:        10.1.0.0/16
 Events:       <none>` + "\n",
 		},
 		"ServiceCIDR v1 IPv6": {
-			input: fake.NewSimpleClientset(&networkingv1.ServiceCIDR{
+			input: fake.NewClientset(&networkingv1.ServiceCIDR{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6894,7 +6773,7 @@ func TestDescribeIPAddress(t *testing.T) {
 		output string
 	}{
 		"IPAddress v1beta1": {
-			input: fake.NewSimpleClientset(&networkingv1beta1.IPAddress{
+			input: fake.NewClientset(&networkingv1beta1.IPAddress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6919,7 +6798,7 @@ Parent Reference:
 Events:       <none>` + "\n",
 		},
 		"IPAddress v1": {
-			input: fake.NewSimpleClientset(&networkingv1.IPAddress{
+			input: fake.NewClientset(&networkingv1.IPAddress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "foo.123",
 				},
@@ -6962,7 +6841,7 @@ Events:       <none>` + "\n",
 
 func TestControllerRef(t *testing.T) {
 	var replicas int32 = 1
-	f := fake.NewSimpleClientset(
+	f := fake.NewClientset(
 		&corev1.ReplicationController{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "bar",
@@ -7051,7 +6930,7 @@ func TestControllerRef(t *testing.T) {
 }
 
 func TestDescribeTerminalEscape(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.ConfigMap{
+	fake := fake.NewClientset(&corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "mycm",
 			Namespace:   "foo",
@@ -7194,7 +7073,7 @@ func TestDescribeSeccompProfile(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			fake := fake.NewSimpleClientset(testCase.pod)
+			fake := fake.NewClientset(testCase.pod)
 			c := &describeClient{T: t, Interface: fake}
 			d := PodDescriber{c}
 			out, err := d.Describe("", "", DescriberSettings{ShowEvents: true})
@@ -7211,7 +7090,7 @@ func TestDescribeSeccompProfile(t *testing.T) {
 }
 
 func TestDescribeProjectedVolumesOptionalSecret(t *testing.T) {
-	fake := fake.NewSimpleClientset(&corev1.Pod{
+	fake := fake.NewClientset(&corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "bar",
 			Namespace: "foo",
diff --git a/staging/src/k8s.io/kubectl/pkg/drain/cordon.go b/staging/src/k8s.io/kubectl/pkg/drain/cordon.go
index 006eef7625957..2820cf85c0248 100644
--- a/staging/src/k8s.io/kubectl/pkg/drain/cordon.go
+++ b/staging/src/k8s.io/kubectl/pkg/drain/cordon.go
@@ -86,9 +86,10 @@ func (c *CordonHelper) PatchOrReplaceWithContext(clientCtx context.Context, clie
 		return err, nil
 	}
 
-	c.node.Spec.Unschedulable = c.desired
+	desiredNode := c.node.DeepCopy()
+	desiredNode.Spec.Unschedulable = c.desired
 
-	newData, err := json.Marshal(c.node)
+	newData, err := json.Marshal(desiredNode)
 	if err != nil {
 		return err, nil
 	}
@@ -99,13 +100,21 @@ func (c *CordonHelper) PatchOrReplaceWithContext(clientCtx context.Context, clie
 		if serverDryRun {
 			patchOptions.DryRun = []string{metav1.DryRunAll}
 		}
-		_, err = client.Patch(clientCtx, c.node.Name, types.StrategicMergePatchType, patchBytes, patchOptions)
+		var updatedNode *corev1.Node
+		updatedNode, err = client.Patch(clientCtx, c.node.Name, types.StrategicMergePatchType, patchBytes, patchOptions)
+		if err == nil {
+			c.node.Spec.Unschedulable = updatedNode.Spec.Unschedulable
+		}
 	} else {
 		updateOptions := metav1.UpdateOptions{}
 		if serverDryRun {
 			updateOptions.DryRun = []string{metav1.DryRunAll}
 		}
-		_, err = client.Update(clientCtx, c.node, updateOptions)
+		var updatedNode *corev1.Node
+		updatedNode, err = client.Update(clientCtx, desiredNode, updateOptions)
+		if err == nil {
+			c.node.Spec.Unschedulable = updatedNode.Spec.Unschedulable
+		}
 	}
 	return err, patchErr
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/drain/cordon_test.go b/staging/src/k8s.io/kubectl/pkg/drain/cordon_test.go
index f584f564f391e..c7281f6bd55a5 100644
--- a/staging/src/k8s.io/kubectl/pkg/drain/cordon_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/drain/cordon_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package drain
 
 import (
+	"context"
+	"errors"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -24,6 +26,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes/fake"
+	k8stesting "k8s.io/client-go/testing"
 )
 
 type newCordonHelperFromRuntimeObjectTestCase struct {
@@ -145,3 +149,95 @@ func TestUpdateIfRequired(t *testing.T) {
 		})
 	}
 }
+
+func TestCordonHelper_PatchOrReplaceWithContext(t *testing.T) {
+	tests := []struct {
+		name         string
+		node         *corev1.Node
+		clientset    *fake.Clientset
+		serverDryRun bool
+		shouldFail   bool
+	}{
+		{
+			name: "update success: local object should be updated",
+			node: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "fake-node",
+				},
+				Spec: corev1.NodeSpec{
+					Unschedulable: false,
+				},
+			},
+			clientset: fake.NewClientset(&corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "fake-node",
+				},
+				Spec: corev1.NodeSpec{
+					Unschedulable: false,
+				},
+			}),
+			serverDryRun: false,
+			shouldFail:   false,
+		},
+		{
+			name: "update faild: local object should not be updated",
+			node: &corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "fake-node",
+				},
+				Spec: corev1.NodeSpec{
+					Unschedulable: false,
+				},
+			},
+			clientset: fake.NewClientset(&corev1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "fake-node",
+				},
+				Spec: corev1.NodeSpec{
+					Unschedulable: false,
+				},
+			}),
+			serverDryRun: false,
+			shouldFail:   true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := NewCordonHelper(tt.node)
+			c.desired = true
+			if tt.shouldFail {
+				tt.clientset.Fake.PrependReactor("update", "nodes", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+					return true, nil, errors.New("fake update error")
+				})
+				tt.clientset.Fake.PrependReactor("patch", "nodes", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+					return true, nil, errors.New("fake update error")
+				})
+			}
+
+			err, _ := c.PatchOrReplaceWithContext(context.Background(), tt.clientset, tt.serverDryRun)
+			if tt.shouldFail {
+				if err == nil {
+					t.Errorf("PatchOrReplaceWithContext() failed: update should failed but no error returned")
+					return
+				}
+			} else {
+				if err != nil {
+					t.Errorf("PatchOrReplaceWithContext() failed: update should succeed but got error: %v", err)
+					return
+				}
+			}
+
+			if err != nil {
+				t.Logf("patch/update failed, error: %v, c.node.Spec.Unschedulable shouldn't be updated", err)
+				if c.node.Spec.Unschedulable == c.desired {
+					t.Errorf("PatchOrReplaceWithContext() failed: update failed but c.node's unschedulable was updated")
+				}
+			} else {
+				t.Log("patch/update successed, c.node.Spec.Unschedulable should be updated")
+				if c.node.Spec.Unschedulable != c.desired {
+					t.Errorf("PatchOrReplaceWithContext() failed: update succeeded but c.node's unschedulable was not updated")
+				}
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/drain/drain.go b/staging/src/k8s.io/kubectl/pkg/drain/drain.go
index 348fd703fe770..b280d20ba963a 100644
--- a/staging/src/k8s.io/kubectl/pkg/drain/drain.go
+++ b/staging/src/k8s.io/kubectl/pkg/drain/drain.go
@@ -74,6 +74,9 @@ type Helper struct {
 	// won't drain otherwise
 	SkipWaitForDeleteTimeoutSeconds int
 
+	// EvictErrorRetryDelay is used to control the retry delay after a pod eviction error
+	EvictErrorRetryDelay time.Duration
+
 	// AdditionalFilters are applied sequentially after base drain filters to
 	// exclude pods using custom logic.  Any filter that returns PodDeleteStatus
 	// with Delete == false will immediately stop execution of further filters.
@@ -278,37 +281,27 @@ func (d *Helper) evictPods(pods []corev1.Pod, evictionGroupVersion schema.GroupV
 	defer cancel()
 	for _, pod := range pods {
 		go func(pod corev1.Pod, returnCh chan error) {
-			refreshPod := false
+			activePod := pod
 			for {
 				switch d.DryRunStrategy {
 				case cmdutil.DryRunServer:
-					fmt.Fprintf(d.Out, "evicting pod %s/%s (server dry run)\n", pod.Namespace, pod.Name)
+					//nolint:errcheck
+					fmt.Fprintf(d.Out, "evicting pod %s/%s (server dry run)\n", activePod.Namespace, activePod.Name)
 				default:
 					if d.OnPodDeletionOrEvictionStarted != nil {
-						d.OnPodDeletionOrEvictionStarted(&pod, true)
+						d.OnPodDeletionOrEvictionStarted(&activePod, true)
 					}
-					fmt.Fprintf(d.Out, "evicting pod %s/%s\n", pod.Namespace, pod.Name)
+					//nolint:errcheck
+					fmt.Fprintf(d.Out, "evicting pod %s/%s\n", activePod.Namespace, activePod.Name)
 				}
 				select {
 				case <-ctx.Done():
 					// return here or we'll leak a goroutine.
-					returnCh <- fmt.Errorf("error when evicting pods/%q -n %q: global timeout reached: %v", pod.Name, pod.Namespace, globalTimeout)
+					returnCh <- fmt.Errorf("error when evicting pods/%q -n %q: global timeout reached: %v", activePod.Name, activePod.Namespace, globalTimeout)
 					return
 				default:
 				}
 
-				// Create a temporary pod so we don't mutate the pod in the loop.
-				activePod := pod
-				if refreshPod {
-					freshPod, err := getPodFn(pod.Namespace, pod.Name)
-					// We ignore errors and let eviction sort it out with
-					// the original pod.
-					if err == nil {
-						activePod = *freshPod
-					}
-					refreshPod = false
-				}
-
 				err := d.EvictPod(activePod, evictionGroupVersion)
 				if err == nil {
 					break
@@ -316,8 +309,9 @@ func (d *Helper) evictPods(pods []corev1.Pod, evictionGroupVersion schema.GroupV
 					returnCh <- nil
 					return
 				} else if apierrors.IsTooManyRequests(err) {
-					fmt.Fprintf(d.ErrOut, "error when evicting pods/%q -n %q (will retry after 5s): %v\n", activePod.Name, activePod.Namespace, err)
-					time.Sleep(5 * time.Second)
+					//nolint:errcheck
+					fmt.Fprintf(d.ErrOut, "error when evicting pods/%q -n %q (will retry after %v): %v\n", activePod.Name, activePod.Namespace, d.EvictErrorRetryDelay, err)
+					time.Sleep(d.EvictErrorRetryDelay)
 				} else if !activePod.ObjectMeta.DeletionTimestamp.IsZero() && apierrors.IsForbidden(err) && apierrors.HasStatusCause(err, corev1.NamespaceTerminatingCause) {
 					// an eviction request in a deleting namespace will throw a forbidden error,
 					// if the pod is already marked deleted, we can ignore this error, an eviction
@@ -326,12 +320,19 @@ func (d *Helper) evictPods(pods []corev1.Pod, evictionGroupVersion schema.GroupV
 				} else if apierrors.IsForbidden(err) && apierrors.HasStatusCause(err, corev1.NamespaceTerminatingCause) {
 					// an eviction request in a deleting namespace will throw a forbidden error,
 					// if the pod is not marked deleted, we retry until it is.
-					fmt.Fprintf(d.ErrOut, "error when evicting pod %q from terminating namespace %q (will retry after 5s): %v\n", activePod.Name, activePod.Namespace, err)
-					time.Sleep(5 * time.Second)
+					//nolint:errcheck
+					fmt.Fprintf(d.ErrOut, "error when evicting pod %q from terminating namespace %q (will retry after %v): %v\n", activePod.Name, activePod.Namespace, d.EvictErrorRetryDelay, err)
+					time.Sleep(d.EvictErrorRetryDelay)
 				} else {
 					returnCh <- fmt.Errorf("error when evicting pods/%q -n %q: %v", activePod.Name, activePod.Namespace, err)
 					return
 				}
+
+				freshPod, err := getPodFn(activePod.Namespace, activePod.Name)
+				// we ignore errors and let eviction sort it out with the original pod.
+				if err == nil {
+					activePod = *freshPod
+				}
 			}
 			if d.DryRunStrategy == cmdutil.DryRunServer {
 				returnCh <- nil
@@ -339,7 +340,7 @@ func (d *Helper) evictPods(pods []corev1.Pod, evictionGroupVersion schema.GroupV
 			}
 			params := waitForDeleteParams{
 				ctx:                             ctx,
-				pods:                            []corev1.Pod{pod},
+				pods:                            []corev1.Pod{activePod},
 				interval:                        1 * time.Second,
 				timeout:                         time.Duration(math.MaxInt64),
 				usingEviction:                   true,
diff --git a/staging/src/k8s.io/kubectl/pkg/drain/drain_test.go b/staging/src/k8s.io/kubectl/pkg/drain/drain_test.go
index 6acf2489ae3c2..373241054b6b4 100644
--- a/staging/src/k8s.io/kubectl/pkg/drain/drain_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/drain/drain_test.go
@@ -529,3 +529,110 @@ func TestFilterPods(t *testing.T) {
 		})
 	}
 }
+
+func TestEvictDuringNamespaceTerminating(t *testing.T) {
+	testPodUID := types.UID("test-uid")
+	testPodName := "test-pod"
+	testNamespace := "default"
+
+	retryDelay := 5 * time.Millisecond
+	globalTimeout := 2 * retryDelay
+
+	tests := []struct {
+		description string
+		refresh     bool
+		err         error
+	}{
+		{
+			description: "Pod refreshed after NamespaceTerminating error",
+			refresh:     true,
+			err:         nil,
+		},
+		{
+			description: "Pod not refreshed after NamespaceTerminating error",
+			refresh:     false,
+			err:         fmt.Errorf("error when evicting pods/%q -n %q: global timeout reached: %v", testPodName, testNamespace, globalTimeout),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			var retry bool
+
+			initialPod := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      testPodName,
+					Namespace: testNamespace,
+					UID:       testPodUID,
+				},
+			}
+
+			// pod with DeletionTimestamp, indicating deletion in progress
+			deletedPod := &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:              testPodName,
+					Namespace:         testNamespace,
+					UID:               testPodUID,
+					DeletionTimestamp: &metav1.Time{Time: time.Now()},
+				},
+			}
+
+			evictPods := []corev1.Pod{*initialPod}
+
+			k := fake.NewClientset(initialPod)
+			addEvictionSupport(t, k, "v1")
+
+			// mock eviction to return NamespaceTerminating error
+			k.PrependReactor("create", "pods", func(action ktest.Action) (bool, runtime.Object, error) {
+				if action.GetSubresource() != "eviction" {
+					return false, nil, nil
+				}
+
+				err := apierrors.NewForbidden(
+					schema.GroupResource{Resource: "pods"},
+					testPodName,
+					errors.New("namespace is terminating"),
+				)
+
+				err.ErrStatus.Details.Causes = append(err.ErrStatus.Details.Causes, metav1.StatusCause{
+					Type: corev1.NamespaceTerminatingCause,
+				})
+
+				return true, nil, err
+			})
+
+			k.PrependReactor("get", "pods", func(action ktest.Action) (bool, runtime.Object, error) {
+				if !test.refresh {
+					// for non-refresh test, always return the initial pod
+					return true, initialPod, nil
+				}
+
+				if retry {
+					// second call, pod is deleted
+					return true, nil, apierrors.NewNotFound(schema.GroupResource{Resource: "pods"}, testPodName)
+				}
+
+				// first call, pod is being deleted
+				retry = true
+
+				return true, deletedPod, nil
+			})
+
+			h := &Helper{
+				Client:               k,
+				DisableEviction:      false,
+				Out:                  os.Stdout,
+				ErrOut:               os.Stderr,
+				Timeout:              globalTimeout,
+				EvictErrorRetryDelay: retryDelay,
+			}
+
+			err := h.DeleteOrEvictPods(evictPods)
+			if test.err == nil && err != nil {
+				t.Errorf("expected no error, got: %v", err)
+			} else if test.err != nil && (err == nil || err.Error() != test.err.Error()) {
+				t.Errorf("%s: unexpected eviction; actual %v; expected %v", test.description, err, test.err)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/explain/v2/funcs.go b/staging/src/k8s.io/kubectl/pkg/explain/v2/funcs.go
index 4c5e1c62be576..8fca9cbf376d7 100644
--- a/staging/src/k8s.io/kubectl/pkg/explain/v2/funcs.go
+++ b/staging/src/k8s.io/kubectl/pkg/explain/v2/funcs.go
@@ -64,9 +64,7 @@ func WithBuiltinTemplateFuncs(tmpl *template.Template) *template.Template {
 			}
 			return buf.String(), nil
 		},
-		"split": func(s string, sep string) []string {
-			return strings.Split(s, sep)
-		},
+		"split": strings.Split,
 		"join": func(sep string, strs ...string) string {
 			return strings.Join(strs, sep)
 		},
diff --git a/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc.go b/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc.go
index 350e57c5d9738..fed7fc8a722c9 100644
--- a/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc.go
+++ b/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kuberc
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -28,12 +29,19 @@ import (
 	"github.com/spf13/pflag"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/plugin/pkg/client/auth/exec"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/client-go/util/homedir"
 	"k8s.io/kubectl/pkg/config"
 )
 
-const RecommendedKubeRCFileName = "kuberc"
+const (
+	RecommendedKubeRCFileName       = "kuberc"
+	KubeRCOriginalCommandAnnotation = "kubectl.kubernetes.io/original-command"
+)
 
 var (
 	RecommendedConfigDir  = filepath.Join(homedir.HomeDir(), clientcmd.RecommendedHomeDir)
@@ -43,11 +51,14 @@ var (
 	shortHandRegex = regexp.MustCompile("^-[a-zA-Z]+$")
 )
 
+// compile-time check that these two types are aligned
+var _ = clientcmdapi.AllowlistEntry(config.AllowlistEntry{})
+
 // PreferencesHandler is responsible for setting default flags
 // arguments based on user's kuberc configuration.
 type PreferencesHandler interface {
 	AddFlags(flags *pflag.FlagSet)
-	Apply(rootCmd *cobra.Command, args []string, errOut io.Writer) ([]string, error)
+	Apply(rootCmd *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags, args []string, errOut io.Writer) ([]string, error)
 }
 
 // Preferences stores the kuberc file coming either from environment variable
@@ -56,6 +67,7 @@ type Preferences struct {
 	getPreferencesFunc func(kuberc string, errOut io.Writer) (*config.Preference, error)
 
 	aliases map[string]struct{}
+	policy  clientcmdapi.PluginPolicy
 }
 
 // NewPreferences returns initialized Prefrences object.
@@ -67,10 +79,11 @@ func NewPreferences() PreferencesHandler {
 }
 
 type aliasing struct {
-	appendArgs  []string
-	prependArgs []string
-	flags       []config.CommandOptionDefault
-	command     *cobra.Command
+	appendArgs      []string
+	prependArgs     []string
+	flags           []config.CommandOptionDefault
+	command         *cobra.Command
+	originalCommand bytes.Buffer
 }
 
 // AddFlags adds kuberc related flags into the command.
@@ -80,7 +93,7 @@ func (p *Preferences) AddFlags(flags *pflag.FlagSet) {
 
 // Apply firstly applies the aliases in the preferences file and secondly overrides
 // the default values of flags.
-func (p *Preferences) Apply(rootCmd *cobra.Command, args []string, errOut io.Writer) ([]string, error) {
+func (p *Preferences) Apply(rootCmd *cobra.Command, kubeConfigFlags *genericclioptions.ConfigFlags, args []string, errOut io.Writer) ([]string, error) {
 	if len(args) <= 1 {
 		return args, nil
 	}
@@ -98,11 +111,15 @@ func (p *Preferences) Apply(rootCmd *cobra.Command, args []string, errOut io.Wri
 		return args, nil
 	}
 
-	err = validate(kuberc)
+	p.convertPluginPolicy(kuberc)
+
+	err = p.validate(kuberc)
 	if err != nil {
 		return args, err
 	}
 
+	p.applyPluginPolicy(kubeConfigFlags, kuberc)
+
 	args, err = p.applyAliases(rootCmd, kuberc, args, errOut)
 	if err != nil {
 		return args, err
@@ -114,6 +131,38 @@ func (p *Preferences) Apply(rootCmd *cobra.Command, args []string, errOut io.Wri
 	return args, nil
 }
 
+func (p *Preferences) convertPluginPolicy(kuberc *config.Preference) {
+	var allowlist []clientcmdapi.AllowlistEntry
+	if kuberc.CredentialPluginAllowlist != nil {
+		allowlist = make([]clientcmdapi.AllowlistEntry, len(kuberc.CredentialPluginAllowlist))
+		for i := range kuberc.CredentialPluginAllowlist {
+			allowlist[i] = clientcmdapi.AllowlistEntry(kuberc.CredentialPluginAllowlist[i])
+		}
+	}
+	p.policy = clientcmdapi.PluginPolicy{
+		PolicyType: clientcmdapi.PolicyType(kuberc.CredentialPluginPolicy),
+		Allowlist:  allowlist,
+	}
+}
+
+// `applyPluginPolicy` wraps the rest client getter with one that propagates
+// the allowlist, via the rest config, to the code handling credential exec
+// plugins.
+func (p *Preferences) applyPluginPolicy(kubeConfigFlags *genericclioptions.ConfigFlags, kuberc *config.Preference) {
+	wrapConfigFn := kubeConfigFlags.WrapConfigFn
+	kubeConfigFlags.WithWrapConfigFn(func(c *rest.Config) *rest.Config {
+		if wrapConfigFn != nil {
+			c = wrapConfigFn(c)
+		}
+
+		if c.ExecProvider != nil {
+			c.ExecProvider.PluginPolicy = p.policy
+		}
+
+		return c
+	})
+}
+
 // applyOverrides finds the command and sets the defaulted flag values in kuberc.
 func (p *Preferences) applyOverrides(rootCmd *cobra.Command, kuberc *config.Preference, args []string, errOut io.Writer) error {
 	args = args[1:]
@@ -121,7 +170,7 @@ func (p *Preferences) applyOverrides(rootCmd *cobra.Command, kuberc *config.Pref
 	if err != nil {
 		return nil
 	}
-
+	originalCommand := bytes.Buffer{}
 	for _, c := range kuberc.Defaults {
 		parsedCmds := strings.Fields(c.Command)
 		overrideCmd, _, err := rootCmd.Find(parsedCmds)
@@ -160,7 +209,14 @@ func (p *Preferences) applyOverrides(rootCmd *cobra.Command, kuberc *config.Pref
 			if err != nil {
 				return fmt.Errorf("could not apply override value %s to flag %s in command %s err: %w", fl.Default, fl.Name, c.Command, err)
 			}
+			originalCommand.WriteString(fmt.Sprintf(" --%s=%s", fl.Name, fl.Default))
+		}
+		// Add annotation to trace back command built with default values set within kuberc
+		if cmd.Annotations == nil {
+			cmd.Annotations = make(map[string]string, 1)
 		}
+		cmd.Annotations[KubeRCOriginalCommandAnnotation] = strings.Join(args, " ") + originalCommand.String()
+		originalCommand.Reset()
 	}
 
 	return nil
@@ -179,7 +235,6 @@ func (p *Preferences) applyAliases(rootCmd *cobra.Command, kuberc *config.Prefer
 	}
 
 	var aliasArgs *aliasing
-
 	var commandName string // first "non-flag" arguments
 	var commandIndex int
 	for index, arg := range args[1:] {
@@ -213,85 +268,98 @@ func (p *Preferences) applyAliases(rootCmd *cobra.Command, kuberc *config.Prefer
 		newCmd.Aliases = []string{}
 		aliasCmd := &newCmd
 
-		aliasArgs = &aliasing{
-			prependArgs: alias.PrependArgs,
-			appendArgs:  alias.AppendArgs,
-			flags:       alias.Options,
-			command:     aliasCmd,
+		if alias.Name == commandName {
+			aliasArgs = &aliasing{
+				prependArgs:     alias.PrependArgs,
+				appendArgs:      alias.AppendArgs,
+				flags:           alias.Options,
+				command:         aliasCmd,
+				originalCommand: bytes.Buffer{},
+			}
+			aliasArgs.originalCommand.WriteString(alias.Command)
 		}
-		break
-	}
 
-	if aliasArgs == nil {
-		// pursue with the current behavior.
-		// This might be a built-in command, external plugin, etc.
-		return args, nil
-	}
+		if aliasArgs == nil {
+			// pursue with the current behavior.
+			// This might be a built-in command, external plugin, etc.
+			return args, nil
+		}
 
-	rootCmd.AddCommand(aliasArgs.command)
+		rootCmd.AddCommand(aliasArgs.command)
 
-	foundAliasCmd, _, err := rootCmd.Find([]string{commandName})
-	if err != nil {
-		return args, nil
-	}
+		foundAliasCmd, _, err := rootCmd.Find([]string{commandName})
+		if err != nil {
+			return args, nil
+		}
 
-	// This function triggers merging the persistent flags in the parent commands.
-	_ = foundAliasCmd.InheritedFlags()
+		// This function triggers merging the persistent flags in the parent commands.
+		_ = foundAliasCmd.InheritedFlags()
 
-	allShorthands := make(map[string]struct{})
-	foundAliasCmd.Flags().VisitAll(func(flag *pflag.Flag) {
-		if flag.Shorthand != "" {
-			allShorthands[flag.Shorthand] = struct{}{}
+		allShorthands := make(map[string]struct{})
+		foundAliasCmd.Flags().VisitAll(func(flag *pflag.Flag) {
+			if flag.Shorthand != "" {
+				allShorthands[flag.Shorthand] = struct{}{}
+			}
+		})
+
+		for _, fl := range aliasArgs.flags {
+			existingFlag := foundAliasCmd.Flag(fl.Name)
+			if existingFlag == nil {
+				return args, fmt.Errorf("invalid alias flag %s in alias %s", fl.Name, args[0])
+			}
+			if searchInArgs(existingFlag.Name, existingFlag.Shorthand, allShorthands, args) {
+				// Don't modify the value implicitly, if it is passed in args explicitly
+				continue
+			}
+			err = foundAliasCmd.Flags().Set(fl.Name, fl.Default)
+			if err != nil {
+				return args, fmt.Errorf("could not apply value %s to flag %s in alias %s err: %w", fl.Default, fl.Name, args[0], err)
+			}
+			aliasArgs.originalCommand.WriteString(fmt.Sprintf(" --%s=%s", fl.Name, fl.Default))
 		}
-	})
 
-	for _, fl := range aliasArgs.flags {
-		existingFlag := foundAliasCmd.Flag(fl.Name)
-		if existingFlag == nil {
-			return args, fmt.Errorf("invalid alias flag %s in alias %s", fl.Name, args[0])
+		if len(aliasArgs.prependArgs) > 0 {
+			// prependArgs defined in kuberc should be inserted after the alias name.
+			if commandIndex+1 >= len(args) {
+				// command is the last item, we simply append just like appendArgs
+				args = append(args, aliasArgs.prependArgs...)
+			} else {
+				args = append(args[:commandIndex+1], append(aliasArgs.prependArgs, args[commandIndex+1:]...)...)
+			}
 		}
-		if searchInArgs(existingFlag.Name, existingFlag.Shorthand, allShorthands, args) {
-			// Don't modify the value implicitly, if it is passed in args explicitly
-			continue
+		if len(aliasArgs.appendArgs) > 0 {
+			// appendArgs defined in kuberc should be appended to actual args.
+			args = append(args, aliasArgs.appendArgs...)
 		}
-		err = foundAliasCmd.Flags().Set(fl.Name, fl.Default)
-		if err != nil {
-			return args, fmt.Errorf("could not apply value %s to flag %s in alias %s err: %w", fl.Default, fl.Name, args[0], err)
+		// Cobra (command.go#L1078) appends only root command's args into the actual args and ignores the others.
+		// We are appending the additional args defined in kuberc in here and
+		// expect that it will be passed along to the actual command.
+		rootCmd.SetArgs(args[1:])
+		// Remove alias arg to add the remaining arguments that are not flags nor part of the preferences
+		sanitizedArgs := strings.ReplaceAll(strings.Join(args[1:], " "), foundAliasCmd.Name(), "")
+		if len(sanitizedArgs) > 0 {
+			aliasArgs.originalCommand.WriteString(fmt.Sprintf(" %s", sanitizedArgs))
 		}
-	}
-
-	if len(aliasArgs.prependArgs) > 0 {
-		// prependArgs defined in kuberc should be inserted after the alias name.
-		if commandIndex+1 >= len(args) {
-			// command is the last item, we simply append just like appendArgs
-			args = append(args, aliasArgs.prependArgs...)
-		} else {
-			args = append(args[:commandIndex+1], append(aliasArgs.prependArgs, args[commandIndex+1:]...)...)
+		// Add annotation to trace back command built without aliases applied
+		if aliasArgs.command.Annotations == nil {
+			aliasArgs.command.Annotations = make(map[string]string, 1)
 		}
+		aliasArgs.command.Annotations[KubeRCOriginalCommandAnnotation] = aliasArgs.originalCommand.String()
+		aliasArgs.originalCommand.Reset()
 	}
-	if len(aliasArgs.appendArgs) > 0 {
-		// appendArgs defined in kuberc should be appended to actual args.
-		args = append(args, aliasArgs.appendArgs...)
-	}
-	// Cobra (command.go#L1078) appends only root command's args into the actual args and ignores the others.
-	// We are appending the additional args defined in kuberc in here and
-	// expect that it will be passed along to the actual command.
-	rootCmd.SetArgs(args[1:])
+
 	return args, nil
 }
 
-// DefaultGetPreferences returns KubeRCConfiguration.
-// If users sets kuberc file explicitly in --kuberc flag, it has the highest
-// priority. If not specified, it looks for in KUBERC environment variable.
-// If KUBERC is also not set, it falls back to default .kuberc file at the same location
-// where kubeconfig's defaults are residing in.
-// If KUBERC is set to "off", kuberc will be turned off and original behaviors in kubectl will be applied.
-func DefaultGetPreferences(kuberc string, errOut io.Writer) (*config.Preference, error) {
+// LoadKuberc returns the correct kuberc file. Explicitly specified is always highest priority.
+// If it isn't set, KUBERC environment variable is the next choice.
+// If none of them is set, default kuberc location will be used.
+func LoadKuberc(kuberc string) (string, bool, error) {
 	if val := os.Getenv("KUBERC"); val == "off" {
 		if kuberc != "" {
-			return nil, fmt.Errorf("disabling kuberc via KUBERC=off and passing kuberc flag are mutually exclusive")
+			return "", false, fmt.Errorf("disabling kuberc via KUBERC=off and passing kuberc flag are mutually exclusive")
 		}
-		return nil, nil
+		return "", false, nil
 	}
 	kubeRCFile := RecommendedKubeRCFile
 	explicitly := false
@@ -300,11 +368,30 @@ func DefaultGetPreferences(kuberc string, errOut io.Writer) (*config.Preference,
 		explicitly = true
 	}
 
-	if kubeRCFile == "" && os.Getenv("KUBERC") != "" {
+	if kubeRCFile == RecommendedKubeRCFile && os.Getenv("KUBERC") != "" {
 		kubeRCFile = os.Getenv("KUBERC")
 		explicitly = true
 	}
 
+	return kubeRCFile, explicitly, nil
+}
+
+// DefaultGetPreferences returns KubeRCConfiguration.
+// If users sets kuberc file explicitly in --kuberc flag, it has the highest
+// priority. If not specified, it looks for in KUBERC environment variable.
+// If KUBERC is also not set, it falls back to default .kuberc file at the same location
+// where kubeconfig's defaults are residing in.
+// If KUBERC is set to "off", kuberc will be turned off and original behaviors in kubectl will be applied.
+func DefaultGetPreferences(kuberc string, errOut io.Writer) (*config.Preference, error) {
+	kubeRCFile, explicitly, err := LoadKuberc(kuberc)
+	if err != nil {
+		return nil, err
+	}
+
+	if kubeRCFile == "" {
+		return nil, nil
+	}
+
 	preference, err := decodePreference(kubeRCFile)
 	switch {
 	case preference != nil && runtime.IsStrictDecodingError(err):
@@ -412,7 +499,7 @@ func searchInArgs(flagName string, shorthand string, allShorthands map[string]st
 	return false
 }
 
-func validate(plugin *config.Preference) error {
+func (p *Preferences) validate(plugin *config.Preference) error {
 	validateFlag := func(flags []config.CommandOptionDefault) error {
 		for _, flag := range flags {
 			if strings.HasPrefix(flag.Name, "-") {
@@ -443,5 +530,9 @@ func validate(plugin *config.Preference) error {
 		}
 	}
 
+	if err := exec.ValidatePluginPolicy(p.policy); err != nil {
+		return err
+	}
+
 	return nil
 }
diff --git a/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc_test.go b/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc_test.go
index 134d7dbc61384..01afec489154d 100644
--- a/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/kuberc/kuberc_test.go
@@ -23,6 +23,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/spf13/cobra"
@@ -30,6 +31,8 @@ import (
 
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/kubectl/pkg/config"
 )
 
@@ -803,55 +806,7 @@ func TestApplyOverride(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "alias ignores command override",
-			nestedCmds: []fakeCmds[string]{
-				{
-					name: "command1",
-					flags: []fakeFlag[string]{
-						{
-							name:  "firstflag",
-							value: "test",
-						},
-					},
-				},
-			},
-			args: []string{
-				"root",
-				"alias",
-			},
-			getPreferencesFunc: func(kuberc string, errOut io.Writer) (*config.Preference, error) {
-				return &config.Preference{
-					TypeMeta: metav1.TypeMeta{
-						Kind:       "Preference",
-						APIVersion: "kubectl.config.k8s.io/v1alpha1",
-					},
-					Defaults: []config.CommandDefaults{
-						{
-							Command: "command1",
-							Options: []config.CommandOptionDefault{
-								{
-									Name:    "firstflag",
-									Default: "changed",
-								},
-							},
-						},
-					},
-					Aliases: []config.AliasOverride{
-						{
-							Name:    "alias",
-							Command: "command1",
-						},
-					},
-				}, nil
-			},
-			expectedFlags: []fakeFlag[string]{
-				{
-					name:  "firstflag",
-					value: "test",
-				},
-			},
-		},
+
 		{
 			name: "alias command override",
 			nestedCmds: []fakeCmds[string]{
@@ -903,6 +858,8 @@ func TestApplyOverride(t *testing.T) {
 			rootCmd := &cobra.Command{
 				Use: "root",
 			}
+
+			opts := genericclioptions.NewConfigFlags(false)
 			prefHandler := NewPreferences()
 			prefHandler.AddFlags(rootCmd.PersistentFlags())
 			pref, ok := prefHandler.(*Preferences)
@@ -912,10 +869,12 @@ func TestApplyOverride(t *testing.T) {
 			addCommands(rootCmd, test.nestedCmds)
 			pref.getPreferencesFunc = test.getPreferencesFunc
 			errWriter := &bytes.Buffer{}
-			_, err := pref.Apply(rootCmd, test.args, errWriter)
+
+			_, err := pref.Apply(rootCmd, opts, test.args, errWriter)
 			if test.expectedErr == nil && err != nil {
 				t.Fatalf("unexpected error %v\n", err)
 			}
+
 			if test.expectedErr != nil {
 				if test.expectedErr.Error() != err.Error() {
 					t.Fatalf("error %s expected but actual is %s", test.expectedErr, err)
@@ -936,18 +895,25 @@ func TestApplyOverride(t *testing.T) {
 			if errWriter.String() != "" {
 				t.Fatalf("unexpected error message %s\n", errWriter.String())
 			}
-
+			// Verify annotation and the original command
+			originalCommand := actualCmd.Annotations[KubeRCOriginalCommandAnnotation]
+			if !strings.Contains(originalCommand, actualCmd.Name()) {
+				t.Fatalf("missing command '%s' in original command '%s'", originalCommand, actualCmd.Name())
+			}
 			for _, expectedFlag := range test.expectedFlags {
 				actualFlag := actualCmd.Flag(expectedFlag.name)
 				if actualFlag.Value.String() != expectedFlag.value {
 					t.Fatalf("unexpected flag value expected %s actual %s", expectedFlag.value, actualFlag.Value.String())
 				}
+				if !strings.Contains(originalCommand, expectedFlag.value) {
+					t.Fatalf("missing flag '%s' in original command '%s'", expectedFlag.value, originalCommand)
+				}
 			}
 		})
 	}
 }
 
-func TestApplOverrideBool(t *testing.T) {
+func TestApplyOverrideBool(t *testing.T) {
 	tests := []testApplyOverride[bool]{
 		{
 			name: "command override",
@@ -1152,7 +1118,8 @@ func TestApplOverrideBool(t *testing.T) {
 			addCommands(rootCmd, test.nestedCmds)
 			pref.getPreferencesFunc = test.getPreferencesFunc
 			errWriter := &bytes.Buffer{}
-			_, err := pref.Apply(rootCmd, test.args, errWriter)
+			opts := genericclioptions.NewConfigFlags(false)
+			_, err := pref.Apply(rootCmd, opts, test.args, errWriter)
 			if err != nil {
 				t.Fatalf("unexpected error %v\n", err)
 			}
@@ -1160,16 +1127,17 @@ func TestApplOverrideBool(t *testing.T) {
 			if err != nil {
 				t.Fatalf("unable to find the command %v\n", err)
 			}
-
 			err = actualCmd.ParseFlags(test.args[1:])
 			if err != nil {
 				t.Fatalf("unexpected error %v\n", err)
 			}
-
 			if errWriter.String() != "" {
 				t.Fatalf("unexpected error message %s\n", errWriter.String())
 			}
-
+			originalCommand := actualCmd.Annotations[KubeRCOriginalCommandAnnotation]
+			if !strings.Contains(originalCommand, actualCmd.Name()) {
+				t.Fatalf("missing command '%s' in original command '%s'", actualCmd.Name(), originalCommand)
+			}
 			for _, expectedFlag := range test.expectedFlags {
 				actualFlag := actualCmd.Flag(expectedFlag.name)
 				actualValue, err := strconv.ParseBool(actualFlag.Value.String())
@@ -1179,6 +1147,9 @@ func TestApplOverrideBool(t *testing.T) {
 				if actualValue != expectedFlag.value {
 					t.Fatalf("unexpected flag value expected %t actual %s", expectedFlag.value, actualFlag.Value.String())
 				}
+				if !strings.Contains(originalCommand, actualFlag.Shorthand) {
+					t.Fatalf("missing flag '%s' in original command '%s'", actualFlag.Name, originalCommand)
+				}
 			}
 		})
 	}
@@ -1437,7 +1408,8 @@ func TestApplyAliasBool(t *testing.T) {
 			addCommands(rootCmd, test.nestedCmds)
 			pref.getPreferencesFunc = test.getPreferencesFunc
 			errWriter := &bytes.Buffer{}
-			lastArgs, err := pref.Apply(rootCmd, test.args, errWriter)
+			opts := genericclioptions.NewConfigFlags(false)
+			lastArgs, err := pref.Apply(rootCmd, opts, test.args, errWriter)
 			if test.expectedErr == nil && err != nil {
 				t.Fatalf("unexpected error %v\n", err)
 			}
@@ -1465,7 +1437,7 @@ func TestApplyAliasBool(t *testing.T) {
 			if test.expectedCmd != actualCmd.Name() {
 				t.Fatalf("unexpected command expected %s actual %s", test.expectedCmd, actualCmd.Name())
 			}
-
+			var originalCommand string
 			for _, expectedFlag := range test.expectedFlags {
 				actualFlag := actualCmd.Flag(expectedFlag.name)
 				actualValue, err := strconv.ParseBool(actualFlag.Value.String())
@@ -1475,6 +1447,10 @@ func TestApplyAliasBool(t *testing.T) {
 				if actualValue != expectedFlag.value {
 					t.Fatalf("unexpected flag value expected %t actual %s", expectedFlag.value, actualFlag.Value.String())
 				}
+				originalCommand = actualCmd.Annotations[KubeRCOriginalCommandAnnotation]
+				if !strings.Contains(originalCommand, expectedFlag.shorthand) {
+					t.Fatalf("missing command '%s' in original command '%s'", expectedFlag.shorthand, originalCommand)
+				}
 			}
 
 			for _, expectedArg := range test.expectedArgs {
@@ -1488,6 +1464,9 @@ func TestApplyAliasBool(t *testing.T) {
 				if !found {
 					t.Fatalf("expected arg %s can not be found", expectedArg)
 				}
+				if !strings.Contains(originalCommand, expectedArg) {
+					t.Fatalf("missing command '%s' in original command '%s'", expectedArg, originalCommand)
+				}
 			}
 		})
 	}
@@ -1779,7 +1758,7 @@ func TestApplyAlias(t *testing.T) {
 			},
 		},
 		{
-			name: "command override prependArgs with appendArgs with args with flagas",
+			name: "command override prependArgs with appendArgs with args with flags",
 			nestedCmds: []fakeCmds[string]{
 				{
 					name: "command1",
@@ -2564,6 +2543,59 @@ func TestApplyAlias(t *testing.T) {
 				"nodes",
 			},
 		},
+		{
+			name: "alias ignores command override",
+			nestedCmds: []fakeCmds[string]{
+				{
+					name: "command1",
+					flags: []fakeFlag[string]{
+						{
+							name:  "firstflag",
+							value: "test",
+						},
+					},
+				},
+			},
+			args: []string{
+				"root",
+				"alias",
+				"--firstflag",
+				"test",
+			},
+			getPreferencesFunc: func(kuberc string, errOut io.Writer) (*config.Preference, error) {
+				return &config.Preference{
+					TypeMeta: metav1.TypeMeta{
+						Kind:       "Preference",
+						APIVersion: "kubectl.config.k8s.io/v1alpha1",
+					},
+					Defaults: []config.CommandDefaults{
+						{
+							Command: "command1",
+							Options: []config.CommandOptionDefault{
+								{
+									Name:    "firstflag",
+									Default: "changed",
+								},
+							},
+						},
+					},
+					Aliases: []config.AliasOverride{
+						{
+							Name:    "alias",
+							Command: "command1",
+						},
+					},
+				}, nil
+			},
+			expectedFlags: []fakeFlag[string]{
+				{
+					name:  "firstflag",
+					value: "test",
+				},
+			},
+			expectedCmd:  "alias",
+			expectedArgs: []string{},
+		},
 	}
 
 	for _, test := range tests {
@@ -2580,7 +2612,8 @@ func TestApplyAlias(t *testing.T) {
 			addCommands(rootCmd, test.nestedCmds)
 			pref.getPreferencesFunc = test.getPreferencesFunc
 			errWriter := &bytes.Buffer{}
-			lastArgs, err := pref.Apply(rootCmd, test.args, errWriter)
+			opts := genericclioptions.NewConfigFlags(false)
+			lastArgs, err := pref.Apply(rootCmd, opts, test.args, errWriter)
 			if test.expectedErr == nil && err != nil {
 				t.Fatalf("unexpected error %v\n", err)
 			}
@@ -2608,12 +2641,16 @@ func TestApplyAlias(t *testing.T) {
 			if test.expectedCmd != actualCmd.Name() {
 				t.Fatalf("unexpected command expected %s actual %s", test.expectedCmd, actualCmd.Name())
 			}
-
+			var originalCommand string
 			for _, expectedFlag := range test.expectedFlags {
 				actualFlag := actualCmd.Flag(expectedFlag.name)
 				if actualFlag.Value.String() != expectedFlag.value {
 					t.Fatalf("unexpected flag value expected %s actual %s", expectedFlag.value, actualFlag.Value.String())
 				}
+				originalCommand = actualCmd.Annotations[KubeRCOriginalCommandAnnotation]
+				if !strings.Contains(originalCommand, actualFlag.Value.String()) {
+					t.Fatalf("missing flag '%s' in original command '%s'", actualFlag.Value.String(), originalCommand)
+				}
 			}
 
 			for _, expectedArg := range test.expectedArgs {
@@ -2627,6 +2664,9 @@ func TestApplyAlias(t *testing.T) {
 				if !found {
 					t.Fatalf("expected arg %s can not be found", expectedArg)
 				}
+				if !strings.Contains(originalCommand, expectedArg) {
+					t.Fatalf("missing command '%s' in original command '%s'", expectedArg, originalCommand)
+				}
 			}
 		})
 	}
@@ -2709,7 +2749,6 @@ func addCommands[T supportedTypes](rootCmd *cobra.Command, commands []fakeCmds[T
 				subCmd.Flags().Bool(flg.name, v, "")
 			}
 		}
-
 	}
 	rootCmd.AddCommand(subCmd)
 
@@ -2890,3 +2929,244 @@ unknownField: value`,
 		})
 	}
 }
+
+func TestApplyPluginPolicy(t *testing.T) {
+	kubeconfigData := `
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://example.test:443
+  name: foo
+contexts:
+- context:
+    cluster: foo
+    user: me
+  name: foo
+current-context: foo
+kind: Config
+preferences: {}
+users:
+- name: me
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - get-token
+      - --login
+      command: foo`
+
+	tmpDir := t.TempDir()
+	kubeconfig := filepath.Join(tmpDir, "kubeconfig")
+	err := os.WriteFile(kubeconfig, []byte(kubeconfigData), 0o644)
+	require.NoError(t, err, "writing fake kubeconfig")
+
+	rootCmd := &cobra.Command{
+		Use: "root",
+	}
+
+	args := []string{"placeholder", "two"}
+
+	opts := genericclioptions.NewConfigFlags(false)
+	opts.KubeConfig = &kubeconfig
+
+	p := NewPreferences()
+	pref, ok := p.(*Preferences)
+	require.True(t, ok, "preference type")
+
+	t.Run("plumbing", func(t *testing.T) {
+		pref.getPreferencesFunc = func(_ string, _ io.Writer) (*config.Preference, error) {
+			return &config.Preference{
+				CredentialPluginPolicy: config.CredentialPluginPolicy("Allowlist"),
+				CredentialPluginAllowlist: []config.AllowlistEntry{
+					{Name: "bar"},
+					{Name: "baz"},
+				},
+			}, nil
+		}
+
+		_, err = p.Apply(rootCmd, opts, args, io.Discard)
+		require.NoError(t, err, "error applying preferences")
+
+		cfg, err := opts.ToRESTConfig()
+		require.NoError(t, err, "unexpected error")
+		require.NotNil(t, cfg, "rest config")
+		require.NotNil(t, cfg.ExecProvider, "exec config")
+		require.Equal(t, clientcmdapi.PolicyType("Allowlist"), cfg.ExecProvider.PluginPolicy.PolicyType)
+		require.Equal(t, "bar", cfg.ExecProvider.PluginPolicy.Allowlist[0].Name)
+		require.Equal(t, "baz", cfg.ExecProvider.PluginPolicy.Allowlist[1].Name)
+	})
+
+	type pluginPolicyTest struct {
+		name      string
+		kuberc    string
+		shouldErr bool
+	}
+	tests := []pluginPolicyTest{
+		{
+			name:      "invalid-plugin-policy-with-nil-allowlist",
+			shouldErr: true,
+			kuberc: `kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "foo"
+`,
+		},
+		{
+			name:      "invalid-policy-with-empty-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy:    "foo"
+credentialPluginAllowlist: []
+`,
+		},
+		{
+			name:      "invalid-policy-with-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "foo"
+credentialPluginAllowlist:
+- name: "bar"
+`,
+		},
+		{
+			name:      "allowlist-policy-with-nil-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "Allowlist"
+`,
+		},
+		{
+			name:      "allowlist-policy-with-empty-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy:    "Allowlist"
+credentialPluginAllowlist: []
+`,
+		},
+		{
+			name:      "unspecified-policy-with-non-nil-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginAllowlist:
+- name: "bar"
+- name: "baz"
+`,
+		},
+		{
+			name:      "allowall-policy-with-non-nil-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "AllowAll"
+credentialPluginAllowlist: []clientcmdapi.AllowlistEntry{
+- name: "bar"
+- name: "baz"
+`,
+		},
+		{
+			name:      "allowall-policy-with-non-nil-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "DenyAll"
+credentialPluginAllowlist:
+- name: "bar"
+- name: "baz"
+`,
+		},
+		{
+			name:      "non-allowlist-policy-with-non-nil-empty-allowlist",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy:    "DenyAll"
+credentialPluginAllowlist: []
+`,
+		},
+		{
+			name:      "allowlist-policy-with-one-empty-allowlist-entry",
+			shouldErr: true,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "Allowlist"
+credentialPluginAllowlist:
+- name: "foo"
+- name: ""
+`,
+		},
+		{
+			name:      "allowlist-policy-with-nonempty-allowlist",
+			shouldErr: false,
+			kuberc: `apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+credentialPluginPolicy: "Allowlist"
+credentialPluginAllowlist:
+- name: "foo"
+`,
+		},
+		{
+			name:      "allowall-policy-with-nil-allowlist",
+			shouldErr: false,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "AllowAll"
+`,
+		},
+		{
+			name:      "denyall-policy-with-nil-allowlist",
+			shouldErr: false,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: "DenyAll"
+`,
+		},
+		{
+			name:      "unspecified-policy-with-nil-allowlist",
+			shouldErr: false,
+			kuberc: `
+kind: Preference
+apiVersion: kubectl.config.k8s.io/v1beta1
+credentialPluginPolicy: ""
+`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			tmpDir := t.TempDir()
+			kuberc := filepath.Join(tmpDir, "kuberc")
+			require.NoError(t, os.WriteFile(kuberc, []byte(test.kuberc), 0o644))
+
+			pref.getPreferencesFunc = func(_ string, errOut io.Writer) (*config.Preference, error) {
+				pref, err := DefaultGetPreferences(kuberc, errOut)
+				if err != nil {
+					return nil, err
+				}
+
+				return pref, nil
+			}
+
+			_, err := p.Apply(rootCmd, opts, args, io.Discard)
+			if test.shouldErr {
+				require.Error(t, err, "expected error, but error was nil")
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/kuberc/marshal.go b/staging/src/k8s.io/kubectl/pkg/kuberc/marshal.go
index 537b6c2724f38..2f3b8a4029382 100644
--- a/staging/src/k8s.io/kubectl/pkg/kuberc/marshal.go
+++ b/staging/src/k8s.io/kubectl/pkg/kuberc/marshal.go
@@ -23,12 +23,16 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/klog/v2"
 	"k8s.io/kubectl/pkg/config"
 	"k8s.io/kubectl/pkg/config/scheme"
+	"k8s.io/kubectl/pkg/config/v1beta1"
+	"sigs.k8s.io/yaml"
 )
 
 // decodePreference iterates over the yamls in kuberc file to find the supported kuberc version.
@@ -99,3 +103,54 @@ func decodePreference(kubercFile string) (*config.Preference, error) {
 	klog.V(5).Infof("kuberc: no preferences found in %s", kubercFile)
 	return nil, nil
 }
+
+// SavePreference saves the preference to the kuberc file
+func SavePreference(pref *v1beta1.Preference, file string, out io.Writer) error {
+	dir := filepath.Dir(file)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", dir, err)
+	}
+
+	data, err := yaml.Marshal(pref)
+	if err != nil {
+		return fmt.Errorf("failed to marshal preferences: %w", err)
+	}
+
+	if err := os.WriteFile(file, data, 0644); err != nil {
+		return fmt.Errorf("failed to write kuberc file: %w", err)
+	}
+
+	fmt.Fprintf(out, "Updated %s\n", file) // nolint:errcheck
+	return nil
+}
+
+// CreateDefaultPreference returns Preference object with
+// some default configurations.
+func CreateDefaultPreference() *v1beta1.Preference {
+	return &v1beta1.Preference{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "kubectl.config.k8s.io/v1beta1",
+			Kind:       "Preference",
+		},
+		Defaults: []v1beta1.CommandDefaults{
+			{
+				Command: "apply",
+				Options: []v1beta1.CommandOptionDefault{
+					{
+						Name:    "server-side",
+						Default: "true",
+					},
+				},
+			},
+			{
+				Command: "delete",
+				Options: []v1beta1.CommandOptionDefault{
+					{
+						Name:    "interactive",
+						Default: "true",
+					},
+				},
+			},
+		},
+	}
+}
diff --git a/staging/src/k8s.io/kubectl/pkg/util/term/resize.go b/staging/src/k8s.io/kubectl/pkg/util/term/resize.go
index 636b8bef4522a..a38d27f3d89e9 100644
--- a/staging/src/k8s.io/kubectl/pkg/util/term/resize.go
+++ b/staging/src/k8s.io/kubectl/pkg/util/term/resize.go
@@ -21,12 +21,28 @@ import (
 
 	"github.com/moby/term"
 	"k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/client-go/tools/remotecommand"
 )
 
+// TerminalSize represents the width and height of a terminal.
+// It is the same as staging/src/k8s.io/client-go/tools/remotecommand.TerminalSize.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
+type TerminalSize struct {
+	Width  uint16
+	Height uint16
+}
+
+// TerminalSizeQueue is capable of returning terminal resize events as they occur.
+// It is the same as staging/src/k8s.io/client-go/tools/remotecommand.TerminalSizeQueue.
+// Copied to decouple the packages. Terminal-related package should not depend on API client and vice versa.
+type TerminalSizeQueue interface {
+	// Next returns the new terminal size after the terminal has been resized. It returns nil when
+	// monitoring has been stopped.
+	Next() *TerminalSize
+}
+
 // GetSize returns the current size of the user's terminal. If it isn't a terminal,
 // nil is returned.
-func (t TTY) GetSize() *remotecommand.TerminalSize {
+func (t TTY) GetSize() *TerminalSize {
 	outFd, isTerminal := term.GetFdInfo(t.Out)
 	if !isTerminal {
 		return nil
@@ -35,19 +51,19 @@ func (t TTY) GetSize() *remotecommand.TerminalSize {
 }
 
 // GetSize returns the current size of the terminal associated with fd.
-func GetSize(fd uintptr) *remotecommand.TerminalSize {
+func GetSize(fd uintptr) *TerminalSize {
 	winsize, err := term.GetWinsize(fd)
 	if err != nil {
 		runtime.HandleError(fmt.Errorf("unable to get terminal size: %v", err))
 		return nil
 	}
 
-	return &remotecommand.TerminalSize{Width: winsize.Width, Height: winsize.Height}
+	return &TerminalSize{Width: winsize.Width, Height: winsize.Height}
 }
 
 // MonitorSize monitors the terminal's size. It returns a TerminalSizeQueue primed with
 // initialSizes, or nil if there's no TTY present.
-func (t *TTY) MonitorSize(initialSizes ...*remotecommand.TerminalSize) remotecommand.TerminalSizeQueue {
+func (t *TTY) MonitorSize(initialSizes ...*TerminalSize) TerminalSizeQueue {
 	outFd, isTerminal := term.GetFdInfo(t.Out)
 	if !isTerminal {
 		return nil
@@ -57,7 +73,7 @@ func (t *TTY) MonitorSize(initialSizes ...*remotecommand.TerminalSize) remotecom
 		t: *t,
 		// make it buffered so we can send the initial terminal sizes without blocking, prior to starting
 		// the streaming below
-		resizeChan:   make(chan remotecommand.TerminalSize, len(initialSizes)),
+		resizeChan:   make(chan TerminalSize, len(initialSizes)),
 		stopResizing: make(chan struct{}),
 	}
 
@@ -70,16 +86,16 @@ func (t *TTY) MonitorSize(initialSizes ...*remotecommand.TerminalSize) remotecom
 type sizeQueue struct {
 	t TTY
 	// resizeChan receives a Size each time the user's terminal is resized.
-	resizeChan   chan remotecommand.TerminalSize
+	resizeChan   chan TerminalSize
 	stopResizing chan struct{}
 }
 
-// make sure sizeQueue implements the resize.TerminalSizeQueue interface
-var _ remotecommand.TerminalSizeQueue = &sizeQueue{}
+// make sure sizeQueue implements the TerminalSizeQueue interface
+var _ TerminalSizeQueue = &sizeQueue{}
 
 // monitorSize primes resizeChan with initialSizes and then monitors for resize events. With each
 // new event, it sends the current terminal size to resizeChan.
-func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*remotecommand.TerminalSize) {
+func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*TerminalSize) {
 	// send the initial sizes
 	for i := range initialSizes {
 		if initialSizes[i] != nil {
@@ -87,7 +103,7 @@ func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*remotecommand.Te
 		}
 	}
 
-	resizeEvents := make(chan remotecommand.TerminalSize, 1)
+	resizeEvents := make(chan TerminalSize, 1)
 
 	monitorResizeEvents(outFd, resizeEvents, s.stopResizing)
 
@@ -118,7 +134,7 @@ func (s *sizeQueue) monitorSize(outFd uintptr, initialSizes ...*remotecommand.Te
 
 // Next returns the new terminal size after the terminal has been resized. It returns nil when
 // monitoring has been stopped.
-func (s *sizeQueue) Next() *remotecommand.TerminalSize {
+func (s *sizeQueue) Next() *TerminalSize {
 	size, ok := <-s.resizeChan
 	if !ok {
 		return nil
diff --git a/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents.go b/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents.go
index e361b1adb3ce9..04b8cdab24e1e 100644
--- a/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents.go
+++ b/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents.go
@@ -25,13 +25,12 @@ import (
 
 	"golang.org/x/sys/unix"
 	"k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/client-go/tools/remotecommand"
 )
 
 // monitorResizeEvents spawns a goroutine that waits for SIGWINCH signals (these indicate the
 // terminal has resized). After receiving a SIGWINCH, this gets the terminal size and tries to send
 // it to the resizeEvents channel. The goroutine stops when the stop channel is closed.
-func monitorResizeEvents(fd uintptr, resizeEvents chan<- remotecommand.TerminalSize, stop chan struct{}) {
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- TerminalSize, stop chan struct{}) {
 	go func() {
 		defer runtime.HandleCrash()
 
diff --git a/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go b/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go
index adccf873466a4..ae930642f5b53 100644
--- a/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go
+++ b/staging/src/k8s.io/kubectl/pkg/util/term/resizeevents_windows.go
@@ -20,13 +20,12 @@ import (
 	"time"
 
 	"k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/client-go/tools/remotecommand"
 )
 
 // monitorResizeEvents spawns a goroutine that periodically gets the terminal size and tries to send
 // it to the resizeEvents channel if the size has changed. The goroutine stops when the stop channel
 // is closed.
-func monitorResizeEvents(fd uintptr, resizeEvents chan<- remotecommand.TerminalSize, stop chan struct{}) {
+func monitorResizeEvents(fd uintptr, resizeEvents chan<- TerminalSize, stop chan struct{}) {
 	go func() {
 		defer runtime.HandleCrash()
 
diff --git a/staging/src/k8s.io/kubectl/pkg/util/term/term_writer.go b/staging/src/k8s.io/kubectl/pkg/util/term/term_writer.go
index e3f600880260e..df85482fcd86f 100644
--- a/staging/src/k8s.io/kubectl/pkg/util/term/term_writer.go
+++ b/staging/src/k8s.io/kubectl/pkg/util/term/term_writer.go
@@ -23,8 +23,6 @@ import (
 
 	wordwrap "github.com/mitchellh/go-wordwrap"
 	"github.com/moby/term"
-
-	"k8s.io/client-go/tools/remotecommand"
 )
 
 type wordWrapWriter struct {
@@ -70,7 +68,7 @@ func NewWordWrapWriter(w io.Writer, limit uint) io.Writer {
 	}
 }
 
-func getTerminalLimitWidth(terminalSize *remotecommand.TerminalSize) uint {
+func getTerminalLimitWidth(terminalSize *TerminalSize) uint {
 	var limit uint
 	switch {
 	case terminalSize.Width >= 120:
diff --git a/staging/src/k8s.io/kubectl/pkg/util/util.go b/staging/src/k8s.io/kubectl/pkg/util/util.go
index ea57d3b39bc8c..30127f19b946f 100644
--- a/staging/src/k8s.io/kubectl/pkg/util/util.go
+++ b/staging/src/k8s.io/kubectl/pkg/util/util.go
@@ -17,7 +17,6 @@ limitations under the License.
 package util
 
 import (
-	"crypto/md5"
 	"errors"
 	"fmt"
 	"path"
@@ -26,7 +25,6 @@ import (
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 )
 
 // ParseRFC3339 parses an RFC3339 date in either RFC3339Nano or RFC3339 format.
@@ -41,15 +39,6 @@ func ParseRFC3339(s string, nowFn func() metav1.Time) (metav1.Time, error) {
 	return metav1.Time{Time: t}, nil
 }
 
-// HashObject returns the hash of a Object hash by a Codec
-func HashObject(obj runtime.Object, codec runtime.Codec) (string, error) {
-	data, err := runtime.Encode(codec, obj)
-	if err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%x", md5.Sum(data)), nil
-}
-
 // ParseFileSource parses the source given.
 //
 //	Acceptable formats include:
diff --git a/staging/src/k8s.io/kubelet/config/v1/doc.go b/staging/src/k8s.io/kubelet/config/v1/doc.go
index 2c2ec7aa3d385..2b8cbe19fe448 100644
--- a/staging/src/k8s.io/kubelet/config/v1/doc.go
+++ b/staging/src/k8s.io/kubelet/config/v1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kubelet.config.v1
+
 // +groupName=kubelet.config.k8s.io
 
 package v1
diff --git a/staging/src/k8s.io/kubelet/config/v1/zz_generated.model_name.go b/staging/src/k8s.io/kubelet/config/v1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..bc69a465d6dc3
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProvider) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1.CredentialProvider"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProviderConfig) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1.CredentialProviderConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecEnvVar) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1.ExecEnvVar"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ServiceAccountTokenAttributes) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1.ServiceAccountTokenAttributes"
+}
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go b/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go
index 165efbb23c627..bac345bbb2d5c 100644
--- a/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kubelet.config.v1alpha1
+
 // +groupName=kubelet.config.k8s.io
 
 package v1alpha1
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/types.go b/staging/src/k8s.io/kubelet/config/v1alpha1/types.go
index d999e116e5d00..a965958472dd6 100644
--- a/staging/src/k8s.io/kubelet/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/types.go
@@ -147,7 +147,7 @@ type ImagePullCredentials struct {
 	// secrets that were used to pull the image.
 	// +optional
 	// +listType=set
-	KubernetesSecrets []ImagePullSecret `json:"kubernetesSecrets"`
+	KubernetesSecrets []ImagePullSecret `json:"kubernetesSecrets,omitempty"`
 
 	// KubernetesServiceAccounts is an index of coordinates of all the kubernetes
 	// service accounts that were used to pull the image.
diff --git a/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..2ca4205600b8a
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,62 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProvider) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.CredentialProvider"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProviderConfig) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.CredentialProviderConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecEnvVar) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ExecEnvVar"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullCredentials) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ImagePullCredentials"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullIntent) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ImagePullIntent"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullSecret) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ImagePullSecret"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullServiceAccount) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ImagePullServiceAccount"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePulledRecord) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1alpha1.ImagePulledRecord"
+}
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/doc.go b/staging/src/k8s.io/kubelet/config/v1beta1/doc.go
index 0edffa4b691d3..e687711a6054a 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/doc.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/doc.go
@@ -16,6 +16,8 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.kubelet.config.v1beta1
+
 // +groupName=kubelet.config.k8s.io
 
 package v1beta1
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/register.go b/staging/src/k8s.io/kubelet/config/v1beta1/register.go
index 22bdfbb4cbaad..c76a568e13150 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/register.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&KubeletConfiguration{},
 		&SerializedNodeConfigSource{},
 		&CredentialProviderConfig{},
+		&ImagePullIntent{},
+		&ImagePulledRecord{},
 	)
 	return nil
 }
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
index 610737c87ef1c..a7c4e21829c3b 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -915,10 +915,10 @@ type KubeletConfiguration struct {
 	ImageServiceEndpoint string `json:"imageServiceEndpoint,omitempty"`
 
 	// FailCgroupV1 prevents the kubelet from starting on hosts
-	// that use cgroup v1. By default, this is set to 'false', meaning
-	// the kubelet is allowed to start on cgroup v1 hosts unless this
-	// option is explicitly enabled.
-	// Default: false
+	// that use cgroup v1. By default, this is set to 'true', meaning
+	// the kubelet will not start on cgroup v1 hosts unless this
+	// option is explicitly disabled.
+	// Default: true
 	// +optional
 	FailCgroupV1 *bool `json:"failCgroupV1,omitempty"`
 
@@ -1135,3 +1135,89 @@ type UserNamespaces struct {
 	// +optional
 	IDsPerPod *int64 `json:"idsPerPod,omitempty"`
 }
+
+// ImagePullIntent is a record of the kubelet attempting to pull an image.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ImagePullIntent struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Image is the image spec from a Container's `image` field.
+	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+	// characters like ':' and '/'.
+	Image string `json:"image"`
+}
+
+// ImagePullRecord is a record of an image that was pulled by the kubelet.
+//
+// If there are no records in the `kubernetesSecrets` field and both `nodeWideCredentials`
+// and `anonymous` are `false`, credentials must be re-checked the next time an
+// image represented by this record is being requested.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ImagePulledRecord struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// LastUpdatedTime is the time of the last update to this record
+	LastUpdatedTime metav1.Time `json:"lastUpdatedTime"`
+
+	// ImageRef is a reference to the image represented by this file as received
+	// from the CRI.
+	// The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+	// characters like ':' and '/'.
+	ImageRef string `json:"imageRef"`
+
+	// CredentialMapping maps `image` to the set of credentials that it was
+	// previously pulled with.
+	// `image` in this case is the content of a pod's container `image` field that's
+	// got its tag/digest removed.
+	//
+	// Example:
+	//   Container requests the `hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2` image:
+	//     "credentialMapping": {
+	//       "hello-world": { "nodePodsAccessible": true }
+	//     }
+	CredentialMapping map[string]ImagePullCredentials `json:"credentialMapping,omitempty"`
+}
+
+// ImagePullCredentials describe credentials that can be used to pull an image.
+type ImagePullCredentials struct {
+	// KubernetesSecretCoordinates is an index of coordinates of all the kubernetes
+	// secrets that were used to pull the image.
+	// +optional
+	// +listType=set
+	KubernetesSecrets []ImagePullSecret `json:"kubernetesSecrets,omitempty"`
+
+	// KubernetesServiceAccounts is an index of coordinates of all the kubernetes
+	// service accounts that were used to pull the image.
+	// +optional
+	// +listType=set
+	KubernetesServiceAccounts []ImagePullServiceAccount `json:"kubernetesServiceAccounts,omitempty"`
+
+	// NodePodsAccessible is a flag denoting the pull credentials are accessible
+	// by all the pods on the node, or that no credentials are needed for the pull.
+	//
+	// If true, it is mutually exclusive with the `kubernetesSecrets` field.
+	// +optional
+	NodePodsAccessible bool `json:"nodePodsAccessible,omitempty"`
+}
+
+// ImagePullSecret is a representation of a Kubernetes secret object coordinates along
+// with a credential hash of the pull secret credentials this object contains.
+type ImagePullSecret struct {
+	UID       string `json:"uid"`
+	Namespace string `json:"namespace"`
+	Name      string `json:"name"`
+
+	// CredentialHash is a SHA-256 retrieved by hashing the image pull credentials
+	// content of the secret specified by the UID/Namespace/Name coordinates.
+	CredentialHash string `json:"credentialHash"`
+}
+
+// ImagePullServiceAccount is a representation of a Kubernetes service account object coordinates
+// for which the kubelet sent service account token to the credential provider plugin for image pull credentials.
+type ImagePullServiceAccount struct {
+	UID       string `json:"uid"`
+	Namespace string `json:"namespace"`
+	Name      string `json:"name"`
+}
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go
index ac0ba7096bc29..6a908018187b6 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.deepcopy.go
@@ -133,6 +133,122 @@ func (in *ExecEnvVar) DeepCopy() *ExecEnvVar {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullCredentials) DeepCopyInto(out *ImagePullCredentials) {
+	*out = *in
+	if in.KubernetesSecrets != nil {
+		in, out := &in.KubernetesSecrets, &out.KubernetesSecrets
+		*out = make([]ImagePullSecret, len(*in))
+		copy(*out, *in)
+	}
+	if in.KubernetesServiceAccounts != nil {
+		in, out := &in.KubernetesServiceAccounts, &out.KubernetesServiceAccounts
+		*out = make([]ImagePullServiceAccount, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullCredentials.
+func (in *ImagePullCredentials) DeepCopy() *ImagePullCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullIntent) DeepCopyInto(out *ImagePullIntent) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullIntent.
+func (in *ImagePullIntent) DeepCopy() *ImagePullIntent {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullIntent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePullIntent) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullSecret) DeepCopyInto(out *ImagePullSecret) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullSecret.
+func (in *ImagePullSecret) DeepCopy() *ImagePullSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePullServiceAccount) DeepCopyInto(out *ImagePullServiceAccount) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePullServiceAccount.
+func (in *ImagePullServiceAccount) DeepCopy() *ImagePullServiceAccount {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePullServiceAccount)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePulledRecord) DeepCopyInto(out *ImagePulledRecord) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.LastUpdatedTime.DeepCopyInto(&out.LastUpdatedTime)
+	if in.CredentialMapping != nil {
+		in, out := &in.CredentialMapping, &out.CredentialMapping
+		*out = make(map[string]ImagePullCredentials, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePulledRecord.
+func (in *ImagePulledRecord) DeepCopy() *ImagePulledRecord {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePulledRecord)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ImagePulledRecord) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubeletAnonymousAuthentication) DeepCopyInto(out *KubeletAnonymousAuthentication) {
 	*out = *in
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..140a9ab201f7e
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,127 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CrashLoopBackOffConfig) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.CrashLoopBackOffConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProvider) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.CredentialProvider"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in CredentialProviderConfig) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.CredentialProviderConfig"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExecEnvVar) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ExecEnvVar"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullCredentials) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ImagePullCredentials"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullIntent) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ImagePullIntent"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullSecret) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ImagePullSecret"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePullServiceAccount) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ImagePullServiceAccount"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ImagePulledRecord) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ImagePulledRecord"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletAnonymousAuthentication) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletAnonymousAuthentication"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletAuthentication) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletAuthentication"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletAuthorization) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletAuthorization"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletWebhookAuthentication) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletWebhookAuthentication"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletWebhookAuthorization) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletWebhookAuthorization"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in KubeletX509Authentication) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.KubeletX509Authentication"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MemoryReservation) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.MemoryReservation"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MemorySwapConfiguration) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.MemorySwapConfiguration"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in SerializedNodeConfigSource) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.SerializedNodeConfigSource"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ShutdownGracePeriodByPodPriority) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.ShutdownGracePeriodByPodPriority"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in UserNamespaces) OpenAPIModelName() string {
+	return "io.k8s.kubelet.config.v1beta1.UserNamespaces"
+}
diff --git a/staging/src/k8s.io/kubelet/go.mod b/staging/src/k8s.io/kubelet/go.mod
index ca7a02e5a5f9e..8c9e3ca3ed4e0 100644
--- a/staging/src/k8s.io/kubelet/go.mod
+++ b/staging/src/k8s.io/kubelet/go.mod
@@ -2,25 +2,24 @@
 
 module k8s.io/kubelet
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/emicklei/go-restful/v3 v3.12.2
-	github.com/gogo/protobuf v1.3.2
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	go.uber.org/goleak v1.3.0
-	google.golang.org/grpc v1.72.1
-	google.golang.org/protobuf v1.36.5
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
+	google.golang.org/grpc v1.72.2
+	google.golang.org/protobuf v1.36.8
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
 	k8s.io/apiserver v0.0.0
-	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.34.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
 	k8s.io/cri-api v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -29,7 +28,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -40,33 +39,35 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/apiserver => ../apiserver
diff --git a/staging/src/k8s.io/kubelet/go.sum b/staging/src/k8s.io/kubelet/go.sum
index 5b59eecf308ff..226039e23659f 100644
--- a/staging/src/k8s.io/kubelet/go.sum
+++ b/staging/src/k8s.io/kubelet/go.sum
@@ -2,6 +2,7 @@ cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
@@ -36,8 +37,8 @@ github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
@@ -47,7 +48,7 @@ github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2Kv
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -60,7 +61,7 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -72,6 +73,7 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -79,8 +81,6 @@ github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -105,154 +105,128 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.pb.go
index dc78d8a0ade93..e2221a4c5934c 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.pb.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.pb.go
@@ -204,8 +204,12 @@ type DeviceHealth struct {
 	Health HealthStatus `protobuf:"varint,2,opt,name=health,proto3,enum=v1alpha1.HealthStatus" json:"health,omitempty"`
 	// The Unix time (in seconds) of when this health status was last determined by the plugin.
 	LastUpdatedTime int64 `protobuf:"varint,3,opt,name=last_updated_time,json=lastUpdatedTime,proto3" json:"last_updated_time,omitempty"`
-	unknownFields   protoimpl.UnknownFields
-	sizeCache       protoimpl.SizeCache
+	// Health check timeout in seconds for this device.
+	// If not specified, zero, or negative, Kubelet will use a default timeout.
+	// Negative values will be logged and treated as if not specified.
+	HealthCheckTimeoutSeconds int64 `protobuf:"varint,4,opt,name=health_check_timeout_seconds,json=healthCheckTimeoutSeconds,proto3" json:"health_check_timeout_seconds,omitempty"`
+	unknownFields             protoimpl.UnknownFields
+	sizeCache                 protoimpl.SizeCache
 }
 
 func (x *DeviceHealth) Reset() {
@@ -259,6 +263,13 @@ func (x *DeviceHealth) GetLastUpdatedTime() int64 {
 	return 0
 }
 
+func (x *DeviceHealth) GetHealthCheckTimeoutSeconds() int64 {
+	if x != nil {
+		return x.HealthCheckTimeoutSeconds
+	}
+	return 0
+}
+
 // NodeWatchResourcesResponse contains a list of devices and their current health.
 // This should be a complete list for the driver; Kubelet will reconcile this
 // state with its internal cache. Any devices managed by the driver that are
@@ -321,7 +332,7 @@ var file_staging_src_k8s_io_kubelet_pkg_apis_dra_health_v1alpha1_api_proto_rawDe
 	0x0a, 0x09, 0x70, 0x6f, 0x6f, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x09, 0x52, 0x08, 0x70, 0x6f, 0x6f, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x64,
 	0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0a, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x9e, 0x01, 0x0a,
+	0x52, 0x0a, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xdf, 0x01, 0x0a,
 	0x0c, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x32, 0x0a,
 	0x06, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
 	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49,
@@ -331,27 +342,31 @@ var file_staging_src_k8s_io_kubelet_pkg_apis_dra_health_v1alpha1_api_proto_rawDe
 	0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x68, 0x65, 0x61, 0x6c, 0x74,
 	0x68, 0x12, 0x2a, 0x0a, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65,
 	0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0f, 0x6c, 0x61,
-	0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x22, 0x4e, 0x0a,
-	0x1a, 0x4e, 0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
-	0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30, 0x0a, 0x07, 0x64,
-	0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x48, 0x65,
-	0x61, 0x6c, 0x74, 0x68, 0x52, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2a, 0x37, 0x0a,
-	0x0c, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0b, 0x0a,
-	0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x48, 0x45,
-	0x41, 0x4c, 0x54, 0x48, 0x59, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x4e, 0x48, 0x45, 0x41,
-	0x4c, 0x54, 0x48, 0x59, 0x10, 0x02, 0x32, 0x78, 0x0a, 0x11, 0x44, 0x52, 0x41, 0x52, 0x65, 0x73,
-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x63, 0x0a, 0x12, 0x4e,
-	0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x73, 0x12, 0x23, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64,
-	0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75,
-	0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01,
-	0x42, 0x2d, 0x5a, 0x2b, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x6c,
-	0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61, 0x2d,
-	0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a,
+	0x1c, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x5f, 0x74, 0x69,
+	0x6d, 0x65, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x03, 0x52, 0x19, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b,
+	0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x22, 0x4e,
+	0x0a, 0x1a, 0x4e, 0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30, 0x0a, 0x07,
+	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e,
+	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x48,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x52, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2a, 0x37,
+	0x0a, 0x0c, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0b,
+	0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x48,
+	0x45, 0x41, 0x4c, 0x54, 0x48, 0x59, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x4e, 0x48, 0x45,
+	0x41, 0x4c, 0x54, 0x48, 0x59, 0x10, 0x02, 0x32, 0x78, 0x0a, 0x11, 0x44, 0x52, 0x41, 0x52, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x63, 0x0a, 0x12,
+	0x4e, 0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x12, 0x23, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4e, 0x6f,
+	0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30,
+	0x01, 0x42, 0x2d, 0x5a, 0x2b, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65,
+	0x6c, 0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61,
+	0x2d, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.proto b/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.proto
index 08d83d89ea196..1a25781704bb7 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.proto
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra-health/v1alpha1/api.proto
@@ -56,6 +56,11 @@ message DeviceHealth {
 
   // The Unix time (in seconds) of when this health status was last determined by the plugin.
   int64 last_updated_time = 3;
+
+  // Health check timeout in seconds for this device.
+  // If not specified, zero, or negative, Kubelet will use a default timeout.
+  // Negative values will be logged and treated as if not specified.
+  int64 health_check_timeout_seconds = 4;
 }
 
 // NodeWatchResourcesResponse contains a list of devices and their current health.
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.pb.go
index c36e4b3018ee4..2ab66f609d70e 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.pb.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.pb.go
@@ -14,136 +14,143 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: api.proto
+//
+//Copyright 2024 The Kubernetes Authors.
+//
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+
+// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.4
+// 	protoc        v4.23.4
+// source: staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto
 
 package v1
 
 import (
-	context "context"
-	fmt "fmt"
-	_ "github.com/gogo/protobuf/gogoproto"
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-	grpc "google.golang.org/grpc"
-	codes "google.golang.org/grpc/codes"
-	status "google.golang.org/grpc/status"
-	io "io"
-	math "math"
-	math_bits "math/bits"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
-	strings "strings"
+	sync "sync"
+	unsafe "unsafe"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
 
 type NodePrepareResourcesRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The list of ResourceClaims that are to be prepared.
-	Claims               []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Claims        []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourcesRequest) Reset()      { *m = NodePrepareResourcesRequest{} }
-func (*NodePrepareResourcesRequest) ProtoMessage() {}
-func (*NodePrepareResourcesRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{0}
+func (x *NodePrepareResourcesRequest) Reset() {
+	*x = NodePrepareResourcesRequest{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourcesRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourcesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourcesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourcesRequest.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourcesRequest) ProtoMessage() {}
+
+func (x *NodePrepareResourcesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourcesRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourcesRequest.Merge(m, src)
-}
-func (m *NodePrepareResourcesRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourcesRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourcesRequest.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourcesRequest proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourcesRequest.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourcesRequest) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{0}
+}
 
-func (m *NodePrepareResourcesRequest) GetClaims() []*Claim {
-	if m != nil {
-		return m.Claims
+func (x *NodePrepareResourcesRequest) GetClaims() []*Claim {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodePrepareResourcesResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaims for which preparation was done
 	// or attempted, with claim_uid as key.
 	//
 	// It is an error if some claim listed in NodePrepareResourcesRequest
 	// does not get prepared. NodePrepareResources
 	// will be called again for those that are missing.
-	Claims               map[string]*NodePrepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	XXX_NoUnkeyedLiteral struct{}                                `json:"-"`
-	XXX_sizecache        int32                                   `json:"-"`
+	Claims        map[string]*NodePrepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourcesResponse) Reset()      { *m = NodePrepareResourcesResponse{} }
-func (*NodePrepareResourcesResponse) ProtoMessage() {}
-func (*NodePrepareResourcesResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{1}
+func (x *NodePrepareResourcesResponse) Reset() {
+	*x = NodePrepareResourcesResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourcesResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourcesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourcesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourcesResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourcesResponse) ProtoMessage() {}
+
+func (x *NodePrepareResourcesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourcesResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourcesResponse.Merge(m, src)
-}
-func (m *NodePrepareResourcesResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourcesResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourcesResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourcesResponse proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourcesResponse.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourcesResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{1}
+}
 
-func (m *NodePrepareResourcesResponse) GetClaims() map[string]*NodePrepareResourceResponse {
-	if m != nil {
-		return m.Claims
+func (x *NodePrepareResourcesResponse) GetClaims() map[string]*NodePrepareResourceResponse {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodePrepareResourceResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// These are the additional devices that kubelet must
 	// make available via the container runtime. A claim
 	// may have zero or more requests and each request
@@ -151,58 +158,57 @@ type NodePrepareResourceResponse struct {
 	Devices []*Device `protobuf:"bytes,1,rep,name=devices,proto3" json:"devices,omitempty"`
 	// If non-empty, preparing the ResourceClaim failed.
 	// Devices are ignored in that case.
-	Error                string   `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Error         string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourceResponse) Reset()      { *m = NodePrepareResourceResponse{} }
-func (*NodePrepareResourceResponse) ProtoMessage() {}
-func (*NodePrepareResourceResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{2}
+func (x *NodePrepareResourceResponse) Reset() {
+	*x = NodePrepareResourceResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourceResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourceResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourceResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourceResponse) ProtoMessage() {}
+
+func (x *NodePrepareResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourceResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourceResponse.Merge(m, src)
-}
-func (m *NodePrepareResourceResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourceResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourceResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourceResponse proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourceResponse.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourceResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{2}
+}
 
-func (m *NodePrepareResourceResponse) GetDevices() []*Device {
-	if m != nil {
-		return m.Devices
+func (x *NodePrepareResourceResponse) GetDevices() []*Device {
+	if x != nil {
+		return x.Devices
 	}
 	return nil
 }
 
-func (m *NodePrepareResourceResponse) GetError() string {
-	if m != nil {
-		return m.Error
+func (x *NodePrepareResourceResponse) GetError() string {
+	if x != nil {
+		return x.Error
 	}
 	return ""
 }
 
 type Device struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The requests in the claim that this device is associated with.
 	// Optional. If empty, the device is associated with all requests.
 	RequestNames []string `protobuf:"bytes,1,rep,name=request_names,json=requestNames,proto3" json:"request_names,omitempty"`
@@ -212,2239 +218,453 @@ type Device struct {
 	DeviceName string `protobuf:"bytes,3,opt,name=device_name,json=deviceName,proto3" json:"device_name,omitempty"`
 	// A single device instance may map to several CDI device IDs.
 	// None is also valid.
-	CDIDeviceIDs         []string `protobuf:"bytes,4,rep,name=cdi_device_ids,json=cdiDeviceIds,proto3" json:"cdi_device_ids,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	CdiDeviceIds []string `protobuf:"bytes,4,rep,name=cdi_device_ids,json=cdiDeviceIds,proto3" json:"cdi_device_ids,omitempty"`
+	// The share ID of device.
+	// Optional.
+	ShareId       *string `protobuf:"bytes,5,opt,name=share_id,json=shareId,proto3,oneof" json:"share_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *Device) Reset()      { *m = Device{} }
-func (*Device) ProtoMessage() {}
-func (*Device) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{3}
+func (x *Device) Reset() {
+	*x = Device{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *Device) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *Device) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *Device) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_Device.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*Device) ProtoMessage() {}
+
+func (x *Device) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *Device) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Device.Merge(m, src)
-}
-func (m *Device) XXX_Size() int {
-	return m.Size()
-}
-func (m *Device) XXX_DiscardUnknown() {
-	xxx_messageInfo_Device.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_Device proto.InternalMessageInfo
+// Deprecated: Use Device.ProtoReflect.Descriptor instead.
+func (*Device) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{3}
+}
 
-func (m *Device) GetRequestNames() []string {
-	if m != nil {
-		return m.RequestNames
+func (x *Device) GetRequestNames() []string {
+	if x != nil {
+		return x.RequestNames
 	}
 	return nil
 }
 
-func (m *Device) GetPoolName() string {
-	if m != nil {
-		return m.PoolName
+func (x *Device) GetPoolName() string {
+	if x != nil {
+		return x.PoolName
 	}
 	return ""
 }
 
-func (m *Device) GetDeviceName() string {
-	if m != nil {
-		return m.DeviceName
+func (x *Device) GetDeviceName() string {
+	if x != nil {
+		return x.DeviceName
 	}
 	return ""
 }
 
-func (m *Device) GetCDIDeviceIDs() []string {
-	if m != nil {
-		return m.CDIDeviceIDs
+func (x *Device) GetCdiDeviceIds() []string {
+	if x != nil {
+		return x.CdiDeviceIds
 	}
 	return nil
 }
 
+func (x *Device) GetShareId() string {
+	if x != nil && x.ShareId != nil {
+		return *x.ShareId
+	}
+	return ""
+}
+
 type NodeUnprepareResourcesRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The list of ResourceClaims that are to be unprepared.
-	Claims               []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Claims        []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourcesRequest) Reset()      { *m = NodeUnprepareResourcesRequest{} }
-func (*NodeUnprepareResourcesRequest) ProtoMessage() {}
-func (*NodeUnprepareResourcesRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{4}
+func (x *NodeUnprepareResourcesRequest) Reset() {
+	*x = NodeUnprepareResourcesRequest{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourcesRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourcesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourcesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourcesRequest.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourcesRequest) ProtoMessage() {}
+
+func (x *NodeUnprepareResourcesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourcesRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourcesRequest.Merge(m, src)
-}
-func (m *NodeUnprepareResourcesRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourcesRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourcesRequest.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourcesRequest proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourcesRequest.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourcesRequest) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{4}
+}
 
-func (m *NodeUnprepareResourcesRequest) GetClaims() []*Claim {
-	if m != nil {
-		return m.Claims
+func (x *NodeUnprepareResourcesRequest) GetClaims() []*Claim {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodeUnprepareResourcesResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaims for which preparation was reverted.
 	// The same rules as for NodePrepareResourcesResponse.claims
 	// apply. In particular, all claims in the request must
 	// have an entry in the response, even if that entry is nil.
-	Claims               map[string]*NodeUnprepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	XXX_NoUnkeyedLiteral struct{}                                  `json:"-"`
-	XXX_sizecache        int32                                     `json:"-"`
+	Claims        map[string]*NodeUnprepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourcesResponse) Reset()      { *m = NodeUnprepareResourcesResponse{} }
-func (*NodeUnprepareResourcesResponse) ProtoMessage() {}
-func (*NodeUnprepareResourcesResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{5}
+func (x *NodeUnprepareResourcesResponse) Reset() {
+	*x = NodeUnprepareResourcesResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourcesResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourcesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourcesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourcesResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourcesResponse) ProtoMessage() {}
+
+func (x *NodeUnprepareResourcesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourcesResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourcesResponse.Merge(m, src)
-}
-func (m *NodeUnprepareResourcesResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourcesResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourcesResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourcesResponse proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourcesResponse.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourcesResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{5}
+}
 
-func (m *NodeUnprepareResourcesResponse) GetClaims() map[string]*NodeUnprepareResourceResponse {
-	if m != nil {
-		return m.Claims
+func (x *NodeUnprepareResourcesResponse) GetClaims() map[string]*NodeUnprepareResourceResponse {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodeUnprepareResourceResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// If non-empty, unpreparing the ResourceClaim failed.
-	Error                string   `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Error         string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourceResponse) Reset()      { *m = NodeUnprepareResourceResponse{} }
-func (*NodeUnprepareResourceResponse) ProtoMessage() {}
-func (*NodeUnprepareResourceResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{6}
+func (x *NodeUnprepareResourceResponse) Reset() {
+	*x = NodeUnprepareResourceResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourceResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourceResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourceResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourceResponse) ProtoMessage() {}
+
+func (x *NodeUnprepareResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourceResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourceResponse.Merge(m, src)
-}
-func (m *NodeUnprepareResourceResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourceResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourceResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourceResponse proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourceResponse.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourceResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{6}
+}
 
-func (m *NodeUnprepareResourceResponse) GetError() string {
-	if m != nil {
-		return m.Error
+func (x *NodeUnprepareResourceResponse) GetError() string {
+	if x != nil {
+		return x.Error
 	}
 	return ""
 }
 
 type Claim struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaim namespace (ResourceClaim.meta.Namespace).
 	// This field is REQUIRED.
 	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
 	// The UID of the Resource claim (ResourceClaim.meta.UUID).
 	// This field is REQUIRED.
-	UID string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
+	Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
 	// The name of the Resource claim (ResourceClaim.meta.Name)
 	// This field is REQUIRED.
-	Name                 string   `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Claim) Reset()      { *m = Claim{} }
-func (*Claim) ProtoMessage() {}
-func (*Claim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{7}
-}
-func (m *Claim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Claim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_Claim.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
-		}
-		return b[:n], nil
-	}
-}
-func (m *Claim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Claim.Merge(m, src)
-}
-func (m *Claim) XXX_Size() int {
-	return m.Size()
-}
-func (m *Claim) XXX_DiscardUnknown() {
-	xxx_messageInfo_Claim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Claim proto.InternalMessageInfo
-
-func (m *Claim) GetNamespace() string {
-	if m != nil {
-		return m.Namespace
-	}
-	return ""
-}
-
-func (m *Claim) GetUID() string {
-	if m != nil {
-		return m.UID
-	}
-	return ""
-}
-
-func (m *Claim) GetName() string {
-	if m != nil {
-		return m.Name
-	}
-	return ""
-}
-
-func init() {
-	proto.RegisterType((*NodePrepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesRequest")
-	proto.RegisterType((*NodePrepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourceResponse")
-	proto.RegisterType((*Device)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.Device")
-	proto.RegisterType((*NodeUnprepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesRequest")
-	proto.RegisterType((*NodeUnprepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourceResponse")
-	proto.RegisterType((*Claim)(nil), "k8s.io.kubelet.pkg.apis.dra.v1.Claim")
-}
-
-func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) }
-
-var fileDescriptor_00212fb1f9d3bf1c = []byte{
-	// 589 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x4f, 0x6f, 0xd3, 0x30,
-	0x1c, 0xad, 0xd7, 0xad, 0x23, 0xbf, 0x16, 0x34, 0x59, 0x13, 0x2a, 0xdd, 0x48, 0xab, 0x20, 0x50,
-	0x2f, 0x24, 0x5a, 0x11, 0x68, 0x62, 0x2b, 0x82, 0xae, 0x48, 0x94, 0xc3, 0x34, 0x02, 0xbb, 0x20,
-	0xc4, 0x48, 0x13, 0x13, 0xac, 0xfe, 0x71, 0xb0, 0x9b, 0x8a, 0xdd, 0xf8, 0x08, 0x48, 0x9c, 0x38,
-	0xf3, 0x39, 0xb8, 0xef, 0xc8, 0x91, 0xd3, 0xc4, 0xc2, 0x97, 0xe0, 0x84, 0x50, 0xec, 0xb4, 0x94,
-	0x29, 0x5d, 0x51, 0x27, 0x6e, 0xf6, 0xcf, 0xcf, 0xef, 0x3d, 0xfb, 0xf7, 0xe2, 0x80, 0xe6, 0x04,
-	0xd4, 0x0c, 0x38, 0x1b, 0x30, 0xac, 0x77, 0x36, 0x85, 0x49, 0x99, 0xd9, 0x09, 0xdb, 0xa4, 0x4b,
-	0x06, 0x66, 0xd0, 0xf1, 0x4d, 0x27, 0xa0, 0xc2, 0xf4, 0xb8, 0x63, 0x0e, 0x37, 0x4a, 0x37, 0x7d,
-	0x3a, 0x78, 0x13, 0xb6, 0x4d, 0x97, 0xf5, 0x2c, 0x9f, 0xf9, 0xcc, 0x92, 0xdb, 0xda, 0xe1, 0x6b,
-	0x39, 0x93, 0x13, 0x39, 0x52, 0x74, 0xc6, 0x0b, 0x58, 0xdb, 0x65, 0x1e, 0xd9, 0xe3, 0x24, 0x70,
-	0x38, 0xb1, 0x89, 0x60, 0x21, 0x77, 0x89, 0xb0, 0xc9, 0xdb, 0x90, 0x88, 0x01, 0xae, 0x43, 0xce,
-	0xed, 0x3a, 0xb4, 0x27, 0x8a, 0xa8, 0x92, 0xad, 0xe6, 0x6b, 0xd7, 0xcd, 0xb3, 0xe5, 0xcd, 0x9d,
-	0x18, 0x6d, 0x27, 0x9b, 0x8c, 0x9f, 0x08, 0xd6, 0xd3, 0xe9, 0x45, 0xc0, 0xfa, 0x82, 0xe0, 0x57,
-	0xa7, 0xf8, 0x1f, 0xcd, 0xe2, 0x3f, 0x8b, 0x4d, 0x89, 0x8b, 0x87, 0xfd, 0x01, 0x3f, 0x1c, 0x59,
-	0x28, 0x0d, 0x21, 0x3f, 0x51, 0xc6, 0x2b, 0x90, 0xed, 0x90, 0xc3, 0x22, 0xaa, 0xa0, 0xaa, 0x66,
-	0xc7, 0x43, 0xfc, 0x04, 0x96, 0x86, 0x4e, 0x37, 0x24, 0xc5, 0x85, 0x0a, 0xaa, 0xe6, 0x6b, 0x5b,
-	0x73, 0x38, 0x18, 0x19, 0xb0, 0x15, 0xd3, 0xdd, 0x85, 0x4d, 0x64, 0x84, 0xa9, 0x17, 0x3b, 0x3e,
-	0xf8, 0x7d, 0x58, 0xf6, 0xc8, 0x90, 0xba, 0x64, 0x74, 0xf2, 0x1b, 0xb3, 0x74, 0x9b, 0x12, 0x6e,
-	0x8f, 0xb6, 0xe1, 0x55, 0x58, 0x22, 0x9c, 0x33, 0x2e, 0x7d, 0x6b, 0xb6, 0x9a, 0x18, 0x9f, 0x11,
-	0xe4, 0x14, 0x12, 0x5f, 0x83, 0x8b, 0x5c, 0xb5, 0xf1, 0xa0, 0xef, 0xf4, 0x12, 0x21, 0xcd, 0x2e,
-	0x24, 0xc5, 0xdd, 0xb8, 0x86, 0xd7, 0x40, 0x0b, 0x18, 0xeb, 0x4a, 0x44, 0xc2, 0x74, 0x21, 0x2e,
-	0xc4, 0xab, 0xb8, 0x0c, 0x79, 0xa5, 0xa6, 0x96, 0xb3, 0x72, 0x19, 0x54, 0x49, 0x02, 0xee, 0xc0,
-	0x25, 0xd7, 0xa3, 0x07, 0x09, 0x88, 0x7a, 0xa2, 0xb8, 0x18, 0x6b, 0x34, 0x56, 0xa2, 0xe3, 0x72,
-	0x61, 0xa7, 0xd9, 0x52, 0x4e, 0x5a, 0x4d, 0x61, 0x17, 0x5c, 0x8f, 0x26, 0x33, 0x4f, 0x18, 0x2f,
-	0xe1, 0x6a, 0x7c, 0x39, 0xfb, 0xfd, 0xe0, 0xff, 0xe4, 0xee, 0x17, 0x02, 0x7d, 0x9a, 0x40, 0xd2,
-	0x80, 0xf6, 0x29, 0x85, 0xc7, 0xff, 0xd2, 0xf7, 0xe9, 0x7c, 0xa9, 0xd9, 0x7b, 0x37, 0x2b, 0x7b,
-	0x4f, 0xff, 0xce, 0x5e, 0x7d, 0x2e, 0x0f, 0x69, 0xe9, 0xbb, 0x3d, 0xe5, 0x82, 0xc7, 0xc7, 0x1f,
-	0xa7, 0x07, 0x4d, 0xa6, 0xe7, 0x19, 0x2c, 0x49, 0xc3, 0x78, 0x1d, 0x34, 0x99, 0x99, 0xc0, 0x71,
-	0x49, 0x02, 0xf9, 0x53, 0xc0, 0x57, 0x20, 0x1b, 0x52, 0x4f, 0xc5, 0xa5, 0xb1, 0x1c, 0x1d, 0x97,
-	0xb3, 0xfb, 0xad, 0xa6, 0x1d, 0xd7, 0x30, 0x86, 0xc5, 0x89, 0xac, 0xc8, 0x71, 0xed, 0xcb, 0x02,
-	0x68, 0x4d, 0xfb, 0xc1, 0x5e, 0x37, 0xf4, 0x69, 0x1f, 0x7f, 0x44, 0xb0, 0x9a, 0xf6, 0x15, 0xe3,
-	0xad, 0xf9, 0xbe, 0x7d, 0x19, 0x98, 0xd2, 0xf6, 0x79, 0x1e, 0x0e, 0x23, 0x83, 0x3f, 0x21, 0xb8,
-	0x9c, 0xde, 0x61, 0x5c, 0x9f, 0x37, 0x19, 0xca, 0xd9, 0xbd, 0xf3, 0x05, 0xcb, 0xc8, 0x34, 0xb6,
-	0x8f, 0x4e, 0x74, 0xf4, 0xed, 0x44, 0xcf, 0xbc, 0x8f, 0x74, 0x74, 0x14, 0xe9, 0xe8, 0x6b, 0xa4,
-	0xa3, 0xef, 0x91, 0x8e, 0x3e, 0xfc, 0xd0, 0x33, 0xcf, 0x93, 0x1f, 0x82, 0x95, 0xd0, 0x5b, 0x41,
-	0xc7, 0xb7, 0x62, 0x7a, 0xcb, 0xe3, 0x8e, 0x35, 0xdc, 0x68, 0xe7, 0xe4, 0x43, 0x7f, 0xeb, 0x77,
-	0x00, 0x00, 0x00, 0xff, 0xff, 0x80, 0x9a, 0x7f, 0xfc, 0x44, 0x06, 0x00, 0x00,
-}
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ context.Context
-var _ grpc.ClientConn
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the grpc package it is being compiled against.
-const _ = grpc.SupportPackageIsVersion4
-
-// DRAPluginClient is the client API for DRAPlugin service.
-//
-// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
-type DRAPluginClient interface {
-	// NodePrepareResources prepares several ResourceClaims
-	// for use on the node. If an error is returned, the
-	// response is ignored. Failures for individual claims
-	// can be reported inside NodePrepareResourcesResponse.
-	NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error)
-	// NodeUnprepareResources is the opposite of NodePrepareResources.
-	// The same error handling rules apply,
-	NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error)
-}
-
-type dRAPluginClient struct {
-	cc *grpc.ClientConn
-}
-
-func NewDRAPluginClient(cc *grpc.ClientConn) DRAPluginClient {
-	return &dRAPluginClient{cc}
-}
-
-func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error) {
-	out := new(NodePrepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodePrepareResources", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *dRAPluginClient) NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error) {
-	out := new(NodeUnprepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodeUnprepareResources", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// DRAPluginServer is the server API for DRAPlugin service.
-type DRAPluginServer interface {
-	// NodePrepareResources prepares several ResourceClaims
-	// for use on the node. If an error is returned, the
-	// response is ignored. Failures for individual claims
-	// can be reported inside NodePrepareResourcesResponse.
-	NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error)
-	// NodeUnprepareResources is the opposite of NodePrepareResources.
-	// The same error handling rules apply,
-	NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error)
-}
-
-// UnimplementedDRAPluginServer can be embedded to have forward compatible implementations.
-type UnimplementedDRAPluginServer struct {
-}
-
-func (*UnimplementedDRAPluginServer) NodePrepareResources(ctx context.Context, req *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method NodePrepareResources not implemented")
-}
-func (*UnimplementedDRAPluginServer) NodeUnprepareResources(ctx context.Context, req *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method NodeUnprepareResources not implemented")
-}
-
-func RegisterDRAPluginServer(s *grpc.Server, srv DRAPluginServer) {
-	s.RegisterService(&_DRAPlugin_serviceDesc, srv)
-}
-
-func _DRAPlugin_NodePrepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(NodePrepareResourcesRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DRAPluginServer).NodePrepareResources(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodePrepareResources",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DRAPluginServer).NodePrepareResources(ctx, req.(*NodePrepareResourcesRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(NodeUnprepareResourcesRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodeUnprepareResources",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, req.(*NodeUnprepareResourcesRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-var _DRAPlugin_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin",
-	HandlerType: (*DRAPluginServer)(nil),
-	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "NodePrepareResources",
-			Handler:    _DRAPlugin_NodePrepareResources_Handler,
-		},
-		{
-			MethodName: "NodeUnprepareResources",
-			Handler:    _DRAPlugin_NodeUnprepareResources_Handler,
-		},
-	},
-	Streams:  []grpc.StreamDesc{},
-	Metadata: "api.proto",
-}
-
-func (m *NodePrepareResourcesRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourcesRequest) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourcesRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for iNdEx := len(m.Claims) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Claims[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodePrepareResourcesResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourcesResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourcesResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k := range m.Claims {
-			v := m.Claims[k]
-			baseI := i
-			if v != nil {
-				{
-					size, err := v.MarshalToSizedBuffer(dAtA[:i])
-					if err != nil {
-						return 0, err
-					}
-					i -= size
-					i = encodeVarintApi(dAtA, i, uint64(size))
-				}
-				i--
-				dAtA[i] = 0x12
-			}
-			i -= len(k)
-			copy(dAtA[i:], k)
-			i = encodeVarintApi(dAtA, i, uint64(len(k)))
-			i--
-			dAtA[i] = 0xa
-			i = encodeVarintApi(dAtA, i, uint64(baseI-i))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodePrepareResourceResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourceResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourceResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Error) > 0 {
-		i -= len(m.Error)
-		copy(dAtA[i:], m.Error)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Error)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.Devices) > 0 {
-		for iNdEx := len(m.Devices) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Devices[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *Device) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *Device) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.CDIDeviceIDs) > 0 {
-		for iNdEx := len(m.CDIDeviceIDs) - 1; iNdEx >= 0; iNdEx-- {
-			i -= len(m.CDIDeviceIDs[iNdEx])
-			copy(dAtA[i:], m.CDIDeviceIDs[iNdEx])
-			i = encodeVarintApi(dAtA, i, uint64(len(m.CDIDeviceIDs[iNdEx])))
-			i--
-			dAtA[i] = 0x22
-		}
-	}
-	if len(m.DeviceName) > 0 {
-		i -= len(m.DeviceName)
-		copy(dAtA[i:], m.DeviceName)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.DeviceName)))
-		i--
-		dAtA[i] = 0x1a
-	}
-	if len(m.PoolName) > 0 {
-		i -= len(m.PoolName)
-		copy(dAtA[i:], m.PoolName)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.PoolName)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.RequestNames) > 0 {
-		for iNdEx := len(m.RequestNames) - 1; iNdEx >= 0; iNdEx-- {
-			i -= len(m.RequestNames[iNdEx])
-			copy(dAtA[i:], m.RequestNames[iNdEx])
-			i = encodeVarintApi(dAtA, i, uint64(len(m.RequestNames[iNdEx])))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodeUnprepareResourcesRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodeUnprepareResourcesRequest) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodeUnprepareResourcesRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for iNdEx := len(m.Claims) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Claims[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodeUnprepareResourcesResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodeUnprepareResourcesResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodeUnprepareResourcesResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k := range m.Claims {
-			v := m.Claims[k]
-			baseI := i
-			if v != nil {
-				{
-					size, err := v.MarshalToSizedBuffer(dAtA[:i])
-					if err != nil {
-						return 0, err
-					}
-					i -= size
-					i = encodeVarintApi(dAtA, i, uint64(size))
-				}
-				i--
-				dAtA[i] = 0x12
-			}
-			i -= len(k)
-			copy(dAtA[i:], k)
-			i = encodeVarintApi(dAtA, i, uint64(len(k)))
-			i--
-			dAtA[i] = 0xa
-			i = encodeVarintApi(dAtA, i, uint64(baseI-i))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodeUnprepareResourceResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodeUnprepareResourceResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodeUnprepareResourceResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Error) > 0 {
-		i -= len(m.Error)
-		copy(dAtA[i:], m.Error)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Error)))
-		i--
-		dAtA[i] = 0xa
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *Claim) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *Claim) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *Claim) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Name) > 0 {
-		i -= len(m.Name)
-		copy(dAtA[i:], m.Name)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Name)))
-		i--
-		dAtA[i] = 0x1a
-	}
-	if len(m.UID) > 0 {
-		i -= len(m.UID)
-		copy(dAtA[i:], m.UID)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.UID)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.Namespace) > 0 {
-		i -= len(m.Namespace)
-		copy(dAtA[i:], m.Namespace)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Namespace)))
-		i--
-		dAtA[i] = 0xa
-	}
-	return len(dAtA) - i, nil
+	Name          string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func encodeVarintApi(dAtA []byte, offset int, v uint64) int {
-	offset -= sovApi(v)
-	base := offset
-	for v >= 1<<7 {
-		dAtA[offset] = uint8(v&0x7f | 0x80)
-		v >>= 7
-		offset++
-	}
-	dAtA[offset] = uint8(v)
-	return base
-}
-func (m *NodePrepareResourcesRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for _, e := range m.Claims {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *NodePrepareResourcesResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k, v := range m.Claims {
-			_ = k
-			_ = v
-			l = 0
-			if v != nil {
-				l = v.Size()
-				l += 1 + sovApi(uint64(l))
-			}
-			mapEntrySize := 1 + len(k) + sovApi(uint64(len(k))) + l
-			n += mapEntrySize + 1 + sovApi(uint64(mapEntrySize))
-		}
-	}
-	return n
-}
-
-func (m *NodePrepareResourceResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Devices) > 0 {
-		for _, e := range m.Devices {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	l = len(m.Error)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
+func (x *Claim) Reset() {
+	*x = Claim{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
-func (m *Device) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.RequestNames) > 0 {
-		for _, s := range m.RequestNames {
-			l = len(s)
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	l = len(m.PoolName)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.DeviceName)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	if len(m.CDIDeviceIDs) > 0 {
-		for _, s := range m.CDIDeviceIDs {
-			l = len(s)
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
+func (x *Claim) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
 
-func (m *NodeUnprepareResourcesRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for _, e := range m.Claims {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *NodeUnprepareResourcesResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k, v := range m.Claims {
-			_ = k
-			_ = v
-			l = 0
-			if v != nil {
-				l = v.Size()
-				l += 1 + sovApi(uint64(l))
-			}
-			mapEntrySize := 1 + len(k) + sovApi(uint64(len(k))) + l
-			n += mapEntrySize + 1 + sovApi(uint64(mapEntrySize))
-		}
-	}
-	return n
-}
-
-func (m *NodeUnprepareResourceResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Error)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
-}
-
-func (m *Claim) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Namespace)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.UID)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.Name)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
-}
-
-func sovApi(x uint64) (n int) {
-	return (math_bits.Len64(x|1) + 6) / 7
-}
-func sozApi(x uint64) (n int) {
-	return sovApi(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-func (this *NodePrepareResourcesRequest) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForClaims := "[]*Claim{"
-	for _, f := range this.Claims {
-		repeatedStringForClaims += strings.Replace(f.String(), "Claim", "Claim", 1) + ","
-	}
-	repeatedStringForClaims += "}"
-	s := strings.Join([]string{`&NodePrepareResourcesRequest{`,
-		`Claims:` + repeatedStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodePrepareResourcesResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	keysForClaims := make([]string, 0, len(this.Claims))
-	for k := range this.Claims {
-		keysForClaims = append(keysForClaims, k)
-	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForClaims)
-	mapStringForClaims := "map[string]*NodePrepareResourceResponse{"
-	for _, k := range keysForClaims {
-		mapStringForClaims += fmt.Sprintf("%v: %v,", k, this.Claims[k])
-	}
-	mapStringForClaims += "}"
-	s := strings.Join([]string{`&NodePrepareResourcesResponse{`,
-		`Claims:` + mapStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodePrepareResourceResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForDevices := "[]*Device{"
-	for _, f := range this.Devices {
-		repeatedStringForDevices += strings.Replace(f.String(), "Device", "Device", 1) + ","
-	}
-	repeatedStringForDevices += "}"
-	s := strings.Join([]string{`&NodePrepareResourceResponse{`,
-		`Devices:` + repeatedStringForDevices + `,`,
-		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *Device) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&Device{`,
-		`RequestNames:` + fmt.Sprintf("%v", this.RequestNames) + `,`,
-		`PoolName:` + fmt.Sprintf("%v", this.PoolName) + `,`,
-		`DeviceName:` + fmt.Sprintf("%v", this.DeviceName) + `,`,
-		`CDIDeviceIDs:` + fmt.Sprintf("%v", this.CDIDeviceIDs) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourcesRequest) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForClaims := "[]*Claim{"
-	for _, f := range this.Claims {
-		repeatedStringForClaims += strings.Replace(f.String(), "Claim", "Claim", 1) + ","
-	}
-	repeatedStringForClaims += "}"
-	s := strings.Join([]string{`&NodeUnprepareResourcesRequest{`,
-		`Claims:` + repeatedStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourcesResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	keysForClaims := make([]string, 0, len(this.Claims))
-	for k := range this.Claims {
-		keysForClaims = append(keysForClaims, k)
-	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForClaims)
-	mapStringForClaims := "map[string]*NodeUnprepareResourceResponse{"
-	for _, k := range keysForClaims {
-		mapStringForClaims += fmt.Sprintf("%v: %v,", k, this.Claims[k])
-	}
-	mapStringForClaims += "}"
-	s := strings.Join([]string{`&NodeUnprepareResourcesResponse{`,
-		`Claims:` + mapStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourceResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&NodeUnprepareResourceResponse{`,
-		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *Claim) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&Claim{`,
-		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
-		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
-		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func valueToStringApi(v interface{}) string {
-	rv := reflect.ValueOf(v)
-	if rv.IsNil() {
-		return "nil"
-	}
-	pv := reflect.Indirect(rv).Interface()
-	return fmt.Sprintf("*%v", pv)
-}
-func (m *NodePrepareResourcesRequest) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourcesRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourcesRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Claims = append(m.Claims, &Claim{})
-			if err := m.Claims[len(m.Claims)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
+func (*Claim) ProtoMessage() {}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *NodePrepareResourcesResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourcesResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourcesResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Claims == nil {
-				m.Claims = make(map[string]*NodePrepareResourceResponse)
-			}
-			var mapkey string
-			var mapvalue *NodePrepareResourceResponse
-			for iNdEx < postIndex {
-				entryPreIndex := iNdEx
-				var wire uint64
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return ErrIntOverflowApi
-					}
-					if iNdEx >= l {
-						return io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					wire |= uint64(b&0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				fieldNum := int32(wire >> 3)
-				if fieldNum == 1 {
-					var stringLenmapkey uint64
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						stringLenmapkey |= uint64(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					intStringLenmapkey := int(stringLenmapkey)
-					if intStringLenmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					postStringIndexmapkey := iNdEx + intStringLenmapkey
-					if postStringIndexmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postStringIndexmapkey > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
-					iNdEx = postStringIndexmapkey
-				} else if fieldNum == 2 {
-					var mapmsglen int
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						mapmsglen |= int(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					if mapmsglen < 0 {
-						return ErrInvalidLengthApi
-					}
-					postmsgIndex := iNdEx + mapmsglen
-					if postmsgIndex < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postmsgIndex > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapvalue = &NodePrepareResourceResponse{}
-					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
-						return err
-					}
-					iNdEx = postmsgIndex
-				} else {
-					iNdEx = entryPreIndex
-					skippy, err := skipApi(dAtA[iNdEx:])
-					if err != nil {
-						return err
-					}
-					if (skippy < 0) || (iNdEx+skippy) < 0 {
-						return ErrInvalidLengthApi
-					}
-					if (iNdEx + skippy) > postIndex {
-						return io.ErrUnexpectedEOF
-					}
-					iNdEx += skippy
-				}
-			}
-			m.Claims[mapkey] = mapvalue
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
+func (x *Claim) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
+		return ms
 	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
+	return mi.MessageOf(x)
 }
-func (m *NodePrepareResourceResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourceResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourceResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Devices", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Devices = append(m.Devices, &Device{})
-			if err := m.Devices[len(m.Devices)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Error = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *Device) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: Device: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Device: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field RequestNames", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.RequestNames = append(m.RequestNames, string(dAtA[iNdEx:postIndex]))
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PoolName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.PoolName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field DeviceName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.DeviceName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 4:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field CDIDeviceIDs", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.CDIDeviceIDs = append(m.CDIDeviceIDs, string(dAtA[iNdEx:postIndex]))
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
+// Deprecated: Use Claim.ProtoReflect.Descriptor instead.
+func (*Claim) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP(), []int{7}
 }
-func (m *NodeUnprepareResourcesRequest) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Claims = append(m.Claims, &Claim{})
-			if err := m.Claims[len(m.Claims)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
 	}
-	return nil
+	return ""
 }
-func (m *NodeUnprepareResourcesResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Claims == nil {
-				m.Claims = make(map[string]*NodeUnprepareResourceResponse)
-			}
-			var mapkey string
-			var mapvalue *NodeUnprepareResourceResponse
-			for iNdEx < postIndex {
-				entryPreIndex := iNdEx
-				var wire uint64
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return ErrIntOverflowApi
-					}
-					if iNdEx >= l {
-						return io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					wire |= uint64(b&0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				fieldNum := int32(wire >> 3)
-				if fieldNum == 1 {
-					var stringLenmapkey uint64
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						stringLenmapkey |= uint64(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					intStringLenmapkey := int(stringLenmapkey)
-					if intStringLenmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					postStringIndexmapkey := iNdEx + intStringLenmapkey
-					if postStringIndexmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postStringIndexmapkey > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
-					iNdEx = postStringIndexmapkey
-				} else if fieldNum == 2 {
-					var mapmsglen int
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						mapmsglen |= int(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					if mapmsglen < 0 {
-						return ErrInvalidLengthApi
-					}
-					postmsgIndex := iNdEx + mapmsglen
-					if postmsgIndex < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postmsgIndex > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapvalue = &NodeUnprepareResourceResponse{}
-					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
-						return err
-					}
-					iNdEx = postmsgIndex
-				} else {
-					iNdEx = entryPreIndex
-					skippy, err := skipApi(dAtA[iNdEx:])
-					if err != nil {
-						return err
-					}
-					if (skippy < 0) || (iNdEx+skippy) < 0 {
-						return ErrInvalidLengthApi
-					}
-					if (iNdEx + skippy) > postIndex {
-						return io.ErrUnexpectedEOF
-					}
-					iNdEx += skippy
-				}
-			}
-			m.Claims[mapkey] = mapvalue
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetUid() string {
+	if x != nil {
+		return x.Uid
 	}
-	return nil
+	return ""
 }
-func (m *NodeUnprepareResourceResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourceResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourceResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Error = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetName() string {
+	if x != nil {
+		return x.Name
 	}
-	return nil
+	return ""
 }
-func (m *Claim) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: Claim: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Claim: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Namespace = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.UID = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Name = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func skipApi(dAtA []byte) (n int, err error) {
-	l := len(dAtA)
-	iNdEx := 0
-	depth := 0
-	for iNdEx < l {
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return 0, ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return 0, io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		wireType := int(wire & 0x7)
-		switch wireType {
-		case 0:
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				iNdEx++
-				if dAtA[iNdEx-1] < 0x80 {
-					break
-				}
-			}
-		case 1:
-			iNdEx += 8
-		case 2:
-			var length int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				length |= (int(b) & 0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if length < 0 {
-				return 0, ErrInvalidLengthApi
-			}
-			iNdEx += length
-		case 3:
-			depth++
-		case 4:
-			if depth == 0 {
-				return 0, ErrUnexpectedEndOfGroupApi
-			}
-			depth--
-		case 5:
-			iNdEx += 4
-		default:
-			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
-		}
-		if iNdEx < 0 {
-			return 0, ErrInvalidLengthApi
-		}
-		if depth == 0 {
-			return iNdEx, nil
-		}
-	}
-	return 0, io.ErrUnexpectedEOF
-}
+var File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto protoreflect.FileDescriptor
+
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDesc = string([]byte{
+	0x0a, 0x34, 0x73, 0x74, 0x61, 0x67, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x6b, 0x38,
+	0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67,
+	0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e,
+	0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x22, 0x5c, 0x0a, 0x1b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72,
+	0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e,
+	0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x06, 0x63, 0x6c,
+	0x61, 0x69, 0x6d, 0x73, 0x22, 0xf8, 0x01, 0x0a, 0x1c, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65,
+	0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x60, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x48, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e,
+	0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61,
+	0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
+	0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x76, 0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d,
+	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x51, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f,
+	0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69,
+	0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65,
+	0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22,
+	0x75, 0x0a, 0x1b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x40,
+	0x0a, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x26, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74,
+	0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31,
+	0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73,
+	0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0xbe, 0x01, 0x0a, 0x06, 0x44, 0x65, 0x76, 0x69, 0x63,
+	0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6e, 0x61, 0x6d,
+	0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6f, 0x6c, 0x5f, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6f, 0x6c, 0x4e,
+	0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61,
+	0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
+	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x64, 0x69, 0x5f, 0x64, 0x65, 0x76, 0x69,
+	0x63, 0x65, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x64,
+	0x69, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x73, 0x12, 0x1e, 0x0a, 0x08, 0x73, 0x68,
+	0x61, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x07,
+	0x73, 0x68, 0x61, 0x72, 0x65, 0x49, 0x64, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x73,
+	0x68, 0x61, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x22, 0x5e, 0x0a, 0x1d, 0x4e, 0x6f, 0x64, 0x65, 0x55,
+	0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
+	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69,
+	0x6d, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69,
+	0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70,
+	0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52,
+	0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x22, 0xfe, 0x01, 0x0a, 0x1e, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x62, 0x0a, 0x06, 0x63, 0x6c,
+	0x61, 0x69, 0x6d, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x4a, 0x2e, 0x6b, 0x38, 0x73,
+	0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e,
+	0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d,
+	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x78,
+	0x0a, 0x0b, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
+	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
+	0x53, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3d,
+	0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e,
+	0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e,
+	0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x35, 0x0a, 0x1d, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22,
+	0x4b, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+	0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d,
+	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xbd, 0x02, 0x0a,
+	0x09, 0x44, 0x52, 0x41, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x93, 0x01, 0x0a, 0x14, 0x4e,
+	0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x73, 0x12, 0x3b, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62,
+	0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72,
+	0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65,
+	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x3c, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65,
+	0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76,
+	0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
+	0x12, 0x99, 0x01, 0x0a, 0x16, 0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61,
+	0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x3d, 0x2e, 0x6b, 0x38,
+	0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67,
+	0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64,
+	0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3e, 0x2e, 0x6b, 0x38, 0x73,
+	0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e,
+	0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x20, 0x5a, 0x1e,
+	0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2f, 0x70,
+	0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61, 0x2f, 0x76, 0x31, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
-	ErrInvalidLengthApi        = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowApi          = fmt.Errorf("proto: integer overflow")
-	ErrUnexpectedEndOfGroupApi = fmt.Errorf("proto: unexpected end of group")
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescOnce sync.Once
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescData []byte
 )
+
+func file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescGZIP() []byte {
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescOnce.Do(func() {
+		file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDesc), len(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDesc)))
+	})
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDescData
+}
+
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_goTypes = []any{
+	(*NodePrepareResourcesRequest)(nil),    // 0: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesRequest
+	(*NodePrepareResourcesResponse)(nil),   // 1: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse
+	(*NodePrepareResourceResponse)(nil),    // 2: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourceResponse
+	(*Device)(nil),                         // 3: k8s.io.kubelet.pkg.apis.dra.v1.Device
+	(*NodeUnprepareResourcesRequest)(nil),  // 4: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesRequest
+	(*NodeUnprepareResourcesResponse)(nil), // 5: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse
+	(*NodeUnprepareResourceResponse)(nil),  // 6: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourceResponse
+	(*Claim)(nil),                          // 7: k8s.io.kubelet.pkg.apis.dra.v1.Claim
+	nil,                                    // 8: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse.ClaimsEntry
+	nil,                                    // 9: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse.ClaimsEntry
+}
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_depIdxs = []int32{
+	7, // 0: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesRequest.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.Claim
+	8, // 1: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse.ClaimsEntry
+	3, // 2: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourceResponse.devices:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.Device
+	7, // 3: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesRequest.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.Claim
+	9, // 4: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse.ClaimsEntry
+	2, // 5: k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse.ClaimsEntry.value:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourceResponse
+	6, // 6: k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse.ClaimsEntry.value:type_name -> k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourceResponse
+	0, // 7: k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin.NodePrepareResources:input_type -> k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesRequest
+	4, // 8: k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin.NodeUnprepareResources:input_type -> k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesRequest
+	1, // 9: k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin.NodePrepareResources:output_type -> k8s.io.kubelet.pkg.apis.dra.v1.NodePrepareResourcesResponse
+	5, // 10: k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin.NodeUnprepareResources:output_type -> k8s.io.kubelet.pkg.apis.dra.v1.NodeUnprepareResourcesResponse
+	9, // [9:11] is the sub-list for method output_type
+	7, // [7:9] is the sub-list for method input_type
+	7, // [7:7] is the sub-list for extension type_name
+	7, // [7:7] is the sub-list for extension extendee
+	0, // [0:7] is the sub-list for field type_name
+}
+
+func init() { file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_init() }
+func file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_init() {
+	if File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto != nil {
+		return
+	}
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes[3].OneofWrappers = []any{}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDesc), len(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   10,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_goTypes,
+		DependencyIndexes: file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_depIdxs,
+		MessageInfos:      file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_msgTypes,
+	}.Build()
+	File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto = out.File
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_goTypes = nil
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1_api_proto_depIdxs = nil
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto
index a23d1a5a49a6e..95b83ce225aa5 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto
@@ -21,16 +21,6 @@ syntax = "proto3";
 package k8s.io.kubelet.pkg.apis.dra.v1;
 option go_package = "k8s.io/kubelet/pkg/apis/dra/v1";
 
-import "github.com/gogo/protobuf/gogoproto/gogo.proto";
-
-option (gogoproto.goproto_stringer_all) = false;
-option (gogoproto.stringer_all) =  true;
-option (gogoproto.goproto_getters_all) = true;
-option (gogoproto.marshaler_all) = true;
-option (gogoproto.sizer_all) = true;
-option (gogoproto.unmarshaler_all) = true;
-option (gogoproto.goproto_unrecognized_all) = false;
-
 service DRAPlugin {
   // NodePrepareResources prepares several ResourceClaims
   // for use on the node. If an error is returned, the
@@ -84,7 +74,11 @@ message Device {
 
     // A single device instance may map to several CDI device IDs.
     // None is also valid.
-    repeated string cdi_device_ids = 4 [(gogoproto.customname) = "CDIDeviceIDs"];
+    repeated string cdi_device_ids = 4;
+
+    // The share ID of device.
+    // Optional.
+    optional string share_id = 5;
 }
 
 message NodeUnprepareResourcesRequest {
@@ -111,7 +105,7 @@ message Claim {
     string namespace = 1;
     // The UID of the Resource claim (ResourceClaim.meta.UUID).
     // This field is REQUIRED.
-    string uid = 2 [(gogoproto.customname) = "UID"];
+    string uid = 2;
     // The name of the Resource claim (ResourceClaim.meta.Name)
     // This field is REQUIRED.
     string name = 3;
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api_grpc.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api_grpc.pb.go
new file mode 100644
index 0000000000000..d6a1b16ba8934
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api_grpc.pb.go
@@ -0,0 +1,204 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//
+//Copyright 2024 The Kubernetes Authors.
+//
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+
+// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             v4.23.4
+// source: staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	DRAPlugin_NodePrepareResources_FullMethodName   = "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodePrepareResources"
+	DRAPlugin_NodeUnprepareResources_FullMethodName = "/k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin/NodeUnprepareResources"
+)
+
+// DRAPluginClient is the client API for DRAPlugin service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DRAPluginClient interface {
+	// NodePrepareResources prepares several ResourceClaims
+	// for use on the node. If an error is returned, the
+	// response is ignored. Failures for individual claims
+	// can be reported inside NodePrepareResourcesResponse.
+	NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error)
+	// NodeUnprepareResources is the opposite of NodePrepareResources.
+	// The same error handling rules apply,
+	NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error)
+}
+
+type dRAPluginClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDRAPluginClient(cc grpc.ClientConnInterface) DRAPluginClient {
+	return &dRAPluginClient{cc}
+}
+
+func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(NodePrepareResourcesResponse)
+	err := c.cc.Invoke(ctx, DRAPlugin_NodePrepareResources_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dRAPluginClient) NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(NodeUnprepareResourcesResponse)
+	err := c.cc.Invoke(ctx, DRAPlugin_NodeUnprepareResources_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DRAPluginServer is the server API for DRAPlugin service.
+// All implementations must embed UnimplementedDRAPluginServer
+// for forward compatibility.
+type DRAPluginServer interface {
+	// NodePrepareResources prepares several ResourceClaims
+	// for use on the node. If an error is returned, the
+	// response is ignored. Failures for individual claims
+	// can be reported inside NodePrepareResourcesResponse.
+	NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error)
+	// NodeUnprepareResources is the opposite of NodePrepareResources.
+	// The same error handling rules apply,
+	NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error)
+	mustEmbedUnimplementedDRAPluginServer()
+}
+
+// UnimplementedDRAPluginServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedDRAPluginServer struct{}
+
+func (UnimplementedDRAPluginServer) NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method NodePrepareResources not implemented")
+}
+func (UnimplementedDRAPluginServer) NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method NodeUnprepareResources not implemented")
+}
+func (UnimplementedDRAPluginServer) mustEmbedUnimplementedDRAPluginServer() {}
+func (UnimplementedDRAPluginServer) testEmbeddedByValue()                   {}
+
+// UnsafeDRAPluginServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DRAPluginServer will
+// result in compilation errors.
+type UnsafeDRAPluginServer interface {
+	mustEmbedUnimplementedDRAPluginServer()
+}
+
+func RegisterDRAPluginServer(s grpc.ServiceRegistrar, srv DRAPluginServer) {
+	// If the following call pancis, it indicates UnimplementedDRAPluginServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&DRAPlugin_ServiceDesc, srv)
+}
+
+func _DRAPlugin_NodePrepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NodePrepareResourcesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DRAPluginServer).NodePrepareResources(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DRAPlugin_NodePrepareResources_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DRAPluginServer).NodePrepareResources(ctx, req.(*NodePrepareResourcesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NodeUnprepareResourcesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DRAPlugin_NodeUnprepareResources_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, req.(*NodeUnprepareResourcesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DRAPlugin_ServiceDesc is the grpc.ServiceDesc for DRAPlugin service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DRAPlugin_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "k8s.io.kubelet.pkg.apis.dra.v1.DRAPlugin",
+	HandlerType: (*DRAPluginServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "NodePrepareResources",
+			Handler:    _DRAPlugin_NodePrepareResources_Handler,
+		},
+		{
+			MethodName: "NodeUnprepareResources",
+			Handler:    _DRAPlugin_NodeUnprepareResources_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "staging/src/k8s.io/kubelet/pkg/apis/dra/v1/api.proto",
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.pb.go
index 4d84e530108d6..e34aed945f674 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.pb.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.pb.go
@@ -14,136 +14,143 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: api.proto
+//
+//Copyright 2024 The Kubernetes Authors.
+//
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+
+// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.4
+// 	protoc        v4.23.4
+// source: staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto
 
 package v1beta1
 
 import (
-	context "context"
-	fmt "fmt"
-	_ "github.com/gogo/protobuf/gogoproto"
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-	grpc "google.golang.org/grpc"
-	codes "google.golang.org/grpc/codes"
-	status "google.golang.org/grpc/status"
-	io "io"
-	math "math"
-	math_bits "math/bits"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
-	strings "strings"
+	sync "sync"
+	unsafe "unsafe"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
 
 type NodePrepareResourcesRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The list of ResourceClaims that are to be prepared.
-	Claims               []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Claims        []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourcesRequest) Reset()      { *m = NodePrepareResourcesRequest{} }
-func (*NodePrepareResourcesRequest) ProtoMessage() {}
-func (*NodePrepareResourcesRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{0}
+func (x *NodePrepareResourcesRequest) Reset() {
+	*x = NodePrepareResourcesRequest{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourcesRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourcesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourcesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourcesRequest.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourcesRequest) ProtoMessage() {}
+
+func (x *NodePrepareResourcesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourcesRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourcesRequest.Merge(m, src)
-}
-func (m *NodePrepareResourcesRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourcesRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourcesRequest.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourcesRequest proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourcesRequest.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourcesRequest) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{0}
+}
 
-func (m *NodePrepareResourcesRequest) GetClaims() []*Claim {
-	if m != nil {
-		return m.Claims
+func (x *NodePrepareResourcesRequest) GetClaims() []*Claim {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodePrepareResourcesResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaims for which preparation was done
 	// or attempted, with claim_uid as key.
 	//
 	// It is an error if some claim listed in NodePrepareResourcesRequest
 	// does not get prepared. NodePrepareResources
 	// will be called again for those that are missing.
-	Claims               map[string]*NodePrepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	XXX_NoUnkeyedLiteral struct{}                                `json:"-"`
-	XXX_sizecache        int32                                   `json:"-"`
+	Claims        map[string]*NodePrepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourcesResponse) Reset()      { *m = NodePrepareResourcesResponse{} }
-func (*NodePrepareResourcesResponse) ProtoMessage() {}
-func (*NodePrepareResourcesResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{1}
+func (x *NodePrepareResourcesResponse) Reset() {
+	*x = NodePrepareResourcesResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourcesResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourcesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourcesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourcesResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourcesResponse) ProtoMessage() {}
+
+func (x *NodePrepareResourcesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourcesResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourcesResponse.Merge(m, src)
-}
-func (m *NodePrepareResourcesResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourcesResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourcesResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourcesResponse proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourcesResponse.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourcesResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{1}
+}
 
-func (m *NodePrepareResourcesResponse) GetClaims() map[string]*NodePrepareResourceResponse {
-	if m != nil {
-		return m.Claims
+func (x *NodePrepareResourcesResponse) GetClaims() map[string]*NodePrepareResourceResponse {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodePrepareResourceResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// These are the additional devices that kubelet must
 	// make available via the container runtime. A claim
 	// may have zero or more requests and each request
@@ -151,58 +158,57 @@ type NodePrepareResourceResponse struct {
 	Devices []*Device `protobuf:"bytes,1,rep,name=devices,proto3" json:"devices,omitempty"`
 	// If non-empty, preparing the ResourceClaim failed.
 	// Devices are ignored in that case.
-	Error                string   `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Error         string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodePrepareResourceResponse) Reset()      { *m = NodePrepareResourceResponse{} }
-func (*NodePrepareResourceResponse) ProtoMessage() {}
-func (*NodePrepareResourceResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{2}
+func (x *NodePrepareResourceResponse) Reset() {
+	*x = NodePrepareResourceResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodePrepareResourceResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodePrepareResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodePrepareResourceResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodePrepareResourceResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodePrepareResourceResponse) ProtoMessage() {}
+
+func (x *NodePrepareResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodePrepareResourceResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodePrepareResourceResponse.Merge(m, src)
-}
-func (m *NodePrepareResourceResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodePrepareResourceResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodePrepareResourceResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodePrepareResourceResponse proto.InternalMessageInfo
+// Deprecated: Use NodePrepareResourceResponse.ProtoReflect.Descriptor instead.
+func (*NodePrepareResourceResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{2}
+}
 
-func (m *NodePrepareResourceResponse) GetDevices() []*Device {
-	if m != nil {
-		return m.Devices
+func (x *NodePrepareResourceResponse) GetDevices() []*Device {
+	if x != nil {
+		return x.Devices
 	}
 	return nil
 }
 
-func (m *NodePrepareResourceResponse) GetError() string {
-	if m != nil {
-		return m.Error
+func (x *NodePrepareResourceResponse) GetError() string {
+	if x != nil {
+		return x.Error
 	}
 	return ""
 }
 
 type Device struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The requests in the claim that this device is associated with.
 	// Optional. If empty, the device is associated with all requests.
 	RequestNames []string `protobuf:"bytes,1,rep,name=request_names,json=requestNames,proto3" json:"request_names,omitempty"`
@@ -212,2239 +218,443 @@ type Device struct {
 	DeviceName string `protobuf:"bytes,3,opt,name=device_name,json=deviceName,proto3" json:"device_name,omitempty"`
 	// A single device instance may map to several CDI device IDs.
 	// None is also valid.
-	CDIDeviceIDs         []string `protobuf:"bytes,4,rep,name=cdi_device_ids,json=cdiDeviceIds,proto3" json:"cdi_device_ids,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	CdiDeviceIds  []string `protobuf:"bytes,4,rep,name=cdi_device_ids,json=cdiDeviceIds,proto3" json:"cdi_device_ids,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *Device) Reset()      { *m = Device{} }
-func (*Device) ProtoMessage() {}
-func (*Device) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{3}
+func (x *Device) Reset() {
+	*x = Device{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *Device) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *Device) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *Device) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_Device.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*Device) ProtoMessage() {}
+
+func (x *Device) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *Device) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Device.Merge(m, src)
-}
-func (m *Device) XXX_Size() int {
-	return m.Size()
-}
-func (m *Device) XXX_DiscardUnknown() {
-	xxx_messageInfo_Device.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_Device proto.InternalMessageInfo
+// Deprecated: Use Device.ProtoReflect.Descriptor instead.
+func (*Device) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{3}
+}
 
-func (m *Device) GetRequestNames() []string {
-	if m != nil {
-		return m.RequestNames
+func (x *Device) GetRequestNames() []string {
+	if x != nil {
+		return x.RequestNames
 	}
 	return nil
 }
 
-func (m *Device) GetPoolName() string {
-	if m != nil {
-		return m.PoolName
+func (x *Device) GetPoolName() string {
+	if x != nil {
+		return x.PoolName
 	}
 	return ""
 }
 
-func (m *Device) GetDeviceName() string {
-	if m != nil {
-		return m.DeviceName
+func (x *Device) GetDeviceName() string {
+	if x != nil {
+		return x.DeviceName
 	}
 	return ""
 }
 
-func (m *Device) GetCDIDeviceIDs() []string {
-	if m != nil {
-		return m.CDIDeviceIDs
+func (x *Device) GetCdiDeviceIds() []string {
+	if x != nil {
+		return x.CdiDeviceIds
 	}
 	return nil
 }
 
 type NodeUnprepareResourcesRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The list of ResourceClaims that are to be unprepared.
-	Claims               []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Claims        []*Claim `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourcesRequest) Reset()      { *m = NodeUnprepareResourcesRequest{} }
-func (*NodeUnprepareResourcesRequest) ProtoMessage() {}
-func (*NodeUnprepareResourcesRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{4}
+func (x *NodeUnprepareResourcesRequest) Reset() {
+	*x = NodeUnprepareResourcesRequest{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourcesRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourcesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourcesRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourcesRequest.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourcesRequest) ProtoMessage() {}
+
+func (x *NodeUnprepareResourcesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourcesRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourcesRequest.Merge(m, src)
-}
-func (m *NodeUnprepareResourcesRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourcesRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourcesRequest.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourcesRequest proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourcesRequest.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourcesRequest) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{4}
+}
 
-func (m *NodeUnprepareResourcesRequest) GetClaims() []*Claim {
-	if m != nil {
-		return m.Claims
+func (x *NodeUnprepareResourcesRequest) GetClaims() []*Claim {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodeUnprepareResourcesResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaims for which preparation was reverted.
 	// The same rules as for NodePrepareResourcesResponse.claims
 	// apply. In particular, all claims in the request must
 	// have an entry in the response, even if that entry is nil.
-	Claims               map[string]*NodeUnprepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	XXX_NoUnkeyedLiteral struct{}                                  `json:"-"`
-	XXX_sizecache        int32                                     `json:"-"`
+	Claims        map[string]*NodeUnprepareResourceResponse `protobuf:"bytes,1,rep,name=claims,proto3" json:"claims,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourcesResponse) Reset()      { *m = NodeUnprepareResourcesResponse{} }
-func (*NodeUnprepareResourcesResponse) ProtoMessage() {}
-func (*NodeUnprepareResourcesResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{5}
+func (x *NodeUnprepareResourcesResponse) Reset() {
+	*x = NodeUnprepareResourcesResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourcesResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourcesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourcesResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourcesResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourcesResponse) ProtoMessage() {}
+
+func (x *NodeUnprepareResourcesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourcesResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourcesResponse.Merge(m, src)
-}
-func (m *NodeUnprepareResourcesResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourcesResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourcesResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourcesResponse proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourcesResponse.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourcesResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{5}
+}
 
-func (m *NodeUnprepareResourcesResponse) GetClaims() map[string]*NodeUnprepareResourceResponse {
-	if m != nil {
-		return m.Claims
+func (x *NodeUnprepareResourcesResponse) GetClaims() map[string]*NodeUnprepareResourceResponse {
+	if x != nil {
+		return x.Claims
 	}
 	return nil
 }
 
 type NodeUnprepareResourceResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// If non-empty, unpreparing the ResourceClaim failed.
-	Error                string   `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	Error         string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourceResponse) Reset()      { *m = NodeUnprepareResourceResponse{} }
-func (*NodeUnprepareResourceResponse) ProtoMessage() {}
-func (*NodeUnprepareResourceResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{6}
+func (x *NodeUnprepareResourceResponse) Reset() {
+	*x = NodeUnprepareResourceResponse{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
-func (m *NodeUnprepareResourceResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
+
+func (x *NodeUnprepareResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
-func (m *NodeUnprepareResourceResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_NodeUnprepareResourceResponse.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
+
+func (*NodeUnprepareResourceResponse) ProtoMessage() {}
+
+func (x *NodeUnprepareResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
-		return b[:n], nil
+		return ms
 	}
-}
-func (m *NodeUnprepareResourceResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeUnprepareResourceResponse.Merge(m, src)
-}
-func (m *NodeUnprepareResourceResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeUnprepareResourceResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeUnprepareResourceResponse.DiscardUnknown(m)
+	return mi.MessageOf(x)
 }
 
-var xxx_messageInfo_NodeUnprepareResourceResponse proto.InternalMessageInfo
+// Deprecated: Use NodeUnprepareResourceResponse.ProtoReflect.Descriptor instead.
+func (*NodeUnprepareResourceResponse) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{6}
+}
 
-func (m *NodeUnprepareResourceResponse) GetError() string {
-	if m != nil {
-		return m.Error
+func (x *NodeUnprepareResourceResponse) GetError() string {
+	if x != nil {
+		return x.Error
 	}
 	return ""
 }
 
 type Claim struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The ResourceClaim namespace (ResourceClaim.meta.Namespace).
 	// This field is REQUIRED.
 	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
 	// The UID of the Resource claim (ResourceClaim.meta.UUID).
 	// This field is REQUIRED.
-	UID string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
+	Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
 	// The name of the Resource claim (ResourceClaim.meta.Name)
 	// This field is REQUIRED.
-	Name                 string   `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Claim) Reset()      { *m = Claim{} }
-func (*Claim) ProtoMessage() {}
-func (*Claim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_00212fb1f9d3bf1c, []int{7}
-}
-func (m *Claim) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Claim) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	if deterministic {
-		return xxx_messageInfo_Claim.Marshal(b, m, deterministic)
-	} else {
-		b = b[:cap(b)]
-		n, err := m.MarshalToSizedBuffer(b)
-		if err != nil {
-			return nil, err
-		}
-		return b[:n], nil
-	}
-}
-func (m *Claim) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Claim.Merge(m, src)
-}
-func (m *Claim) XXX_Size() int {
-	return m.Size()
-}
-func (m *Claim) XXX_DiscardUnknown() {
-	xxx_messageInfo_Claim.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Claim proto.InternalMessageInfo
-
-func (m *Claim) GetNamespace() string {
-	if m != nil {
-		return m.Namespace
-	}
-	return ""
-}
-
-func (m *Claim) GetUID() string {
-	if m != nil {
-		return m.UID
-	}
-	return ""
-}
-
-func (m *Claim) GetName() string {
-	if m != nil {
-		return m.Name
-	}
-	return ""
-}
-
-func init() {
-	proto.RegisterType((*NodePrepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesRequest")
-	proto.RegisterType((*NodePrepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodePrepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourceResponse")
-	proto.RegisterType((*Device)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.Device")
-	proto.RegisterType((*NodeUnprepareResourcesRequest)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesRequest")
-	proto.RegisterType((*NodeUnprepareResourcesResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse")
-	proto.RegisterMapType((map[string]*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry")
-	proto.RegisterType((*NodeUnprepareResourceResponse)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourceResponse")
-	proto.RegisterType((*Claim)(nil), "k8s.io.kubelet.pkg.apis.dra.v1beta1.Claim")
-}
-
-func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) }
-
-var fileDescriptor_00212fb1f9d3bf1c = []byte{
-	// 591 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x4d, 0x6f, 0xd3, 0x40,
-	0x10, 0xcd, 0x26, 0x6d, 0x8a, 0x27, 0x01, 0x55, 0xab, 0x0a, 0x85, 0xb4, 0x38, 0x91, 0x7b, 0x89,
-	0x40, 0xd8, 0x6a, 0x10, 0xa8, 0xe2, 0xd4, 0x38, 0xe9, 0x21, 0x07, 0x4a, 0x65, 0x51, 0x84, 0xb8,
-	0x54, 0x8e, 0xbd, 0x18, 0x2b, 0x1f, 0x6b, 0xbc, 0x76, 0xa4, 0x82, 0x90, 0x10, 0x27, 0x8e, 0xfc,
-	0x01, 0x4e, 0xfd, 0x33, 0x3d, 0xc2, 0x8d, 0x53, 0x45, 0xcd, 0x1f, 0x41, 0xde, 0xdd, 0x84, 0x50,
-	0x39, 0x10, 0x35, 0x70, 0xdb, 0x79, 0x3b, 0x33, 0xef, 0x79, 0xf6, 0x79, 0x17, 0x14, 0x3b, 0xf0,
-	0xf5, 0x20, 0xa4, 0x11, 0xc5, 0xdb, 0xfd, 0x5d, 0xa6, 0xfb, 0x54, 0xef, 0xc7, 0x3d, 0x32, 0x20,
-	0x91, 0x1e, 0xf4, 0x3d, 0xdd, 0x0e, 0x7c, 0xa6, 0xbb, 0xa1, 0xad, 0x8f, 0x77, 0x7a, 0x24, 0xb2,
-	0x77, 0xaa, 0xf7, 0x3c, 0x3f, 0x7a, 0x15, 0xf7, 0x74, 0x87, 0x0e, 0x0d, 0x8f, 0x7a, 0xd4, 0xe0,
-	0xb5, 0xbd, 0xf8, 0x25, 0x8f, 0x78, 0xc0, 0x57, 0xa2, 0xa7, 0x66, 0xc3, 0xe6, 0x01, 0x75, 0xc9,
-	0x61, 0x48, 0x02, 0x3b, 0x24, 0x16, 0x61, 0x34, 0x0e, 0x1d, 0xc2, 0x2c, 0xf2, 0x3a, 0x26, 0x2c,
-	0xc2, 0x26, 0x14, 0x9d, 0x81, 0xed, 0x0f, 0x59, 0x05, 0xd5, 0x0b, 0x8d, 0x52, 0xf3, 0x8e, 0xbe,
-	0x80, 0x06, 0xbd, 0x9d, 0x96, 0x58, 0xb2, 0x52, 0xfb, 0x90, 0x87, 0xad, 0x6c, 0x0e, 0x16, 0xd0,
-	0x11, 0x23, 0x98, 0x5c, 0x22, 0x79, 0xbc, 0x10, 0xc9, 0x9f, 0x5a, 0x0a, 0x05, 0x6c, 0x7f, 0x14,
-	0x85, 0x27, 0x13, 0x1d, 0xd5, 0xb7, 0x50, 0x9a, 0x81, 0xf1, 0x3a, 0x14, 0xfa, 0xe4, 0xa4, 0x82,
-	0xea, 0xa8, 0xa1, 0x58, 0xe9, 0x12, 0x3f, 0x83, 0xd5, 0xb1, 0x3d, 0x88, 0x49, 0x25, 0x5f, 0x47,
-	0x8d, 0x52, 0x73, 0xef, 0xaa, 0x32, 0x26, 0x2a, 0x2c, 0xd1, 0xee, 0x51, 0x7e, 0x17, 0x69, 0x6f,
-	0x32, 0xe7, 0x3c, 0x1d, 0xc1, 0x3e, 0xac, 0xb9, 0x64, 0xec, 0x3b, 0x64, 0x32, 0x83, 0xbb, 0x0b,
-	0x91, 0x77, 0x78, 0x8d, 0x35, 0xa9, 0xc5, 0x1b, 0xb0, 0x4a, 0xc2, 0x90, 0x86, 0xfc, 0x0b, 0x14,
-	0x4b, 0x04, 0xda, 0x29, 0x82, 0xa2, 0xc8, 0xc4, 0xdb, 0x70, 0x3d, 0x14, 0x47, 0x7b, 0x3c, 0xb2,
-	0x87, 0x92, 0x4d, 0xb1, 0xca, 0x12, 0x3c, 0x48, 0x31, 0xbc, 0x09, 0x4a, 0x40, 0xe9, 0x80, 0x67,
-	0xc8, 0x4e, 0xd7, 0x52, 0x20, 0xdd, 0xc5, 0x35, 0x28, 0x09, 0x36, 0xb1, 0x5d, 0xe0, 0xdb, 0x20,
-	0x20, 0x9e, 0xf0, 0x10, 0x6e, 0x38, 0xae, 0x7f, 0x2c, 0x93, 0x7c, 0x97, 0x55, 0x56, 0x52, 0x0e,
-	0x73, 0x3d, 0x39, 0xaf, 0x95, 0xdb, 0x9d, 0xae, 0x50, 0xd2, 0xed, 0x30, 0xab, 0xec, 0xb8, 0xbe,
-	0x8c, 0x5c, 0xa6, 0x39, 0x70, 0x3b, 0x9d, 0xd0, 0xd1, 0x28, 0xf8, 0x8f, 0x5e, 0xfc, 0x98, 0x07,
-	0x75, 0x1e, 0x8b, 0x3c, 0x0a, 0xef, 0x12, 0xcd, 0x93, 0x85, 0x6d, 0x30, 0xbf, 0x69, 0xa6, 0x1f,
-	0xdf, 0xfd, 0xcd, 0x8f, 0xcf, 0x7f, 0xf7, 0xa3, 0x79, 0x75, 0x21, 0x59, 0x8e, 0x7c, 0x30, 0x67,
-	0xde, 0xd3, 0x41, 0x4c, 0xcd, 0x84, 0x66, 0xcd, 0xf4, 0x14, 0x56, 0xb9, 0x6a, 0xbc, 0x05, 0x0a,
-	0xb7, 0x50, 0x60, 0x3b, 0x44, 0xa6, 0xfc, 0x02, 0xf0, 0x2d, 0x28, 0xc4, 0xbe, 0x2b, 0xdc, 0x63,
-	0xae, 0x25, 0xe7, 0xb5, 0xc2, 0x51, 0xb7, 0x63, 0xa5, 0x18, 0xc6, 0xb0, 0x32, 0x63, 0x1d, 0xbe,
-	0x6e, 0x7e, 0xcd, 0x83, 0xd2, 0xb1, 0x5a, 0x87, 0x83, 0xd8, 0xf3, 0x47, 0xf8, 0x33, 0x82, 0x8d,
-	0xac, 0xdf, 0x1b, 0xef, 0x2d, 0x71, 0x33, 0x70, 0x13, 0x55, 0x5b, 0x4b, 0xdf, 0x2d, 0x5a, 0x0e,
-	0x9f, 0x22, 0xb8, 0x99, 0x7d, 0xe0, 0xd8, 0x5c, 0xca, 0x2d, 0x42, 0x63, 0xfb, 0x1f, 0x38, 0x4e,
-	0xcb, 0x99, 0xad, 0xb3, 0x0b, 0x15, 0x7d, 0xbb, 0x50, 0x73, 0xef, 0x13, 0x15, 0x9d, 0x25, 0x2a,
-	0xfa, 0x92, 0xa8, 0xe8, 0x7b, 0xa2, 0xa2, 0x4f, 0x3f, 0xd4, 0xdc, 0x0b, 0xf9, 0x98, 0x18, 0x92,
-	0xc3, 0x08, 0xfa, 0x9e, 0x91, 0x72, 0x18, 0x6e, 0x68, 0x1b, 0x92, 0xa3, 0x57, 0xe4, 0x8f, 0xc4,
-	0xfd, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xda, 0x25, 0x38, 0x7d, 0x85, 0x06, 0x00, 0x00,
-}
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ context.Context
-var _ grpc.ClientConn
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the grpc package it is being compiled against.
-const _ = grpc.SupportPackageIsVersion4
-
-// DRAPluginClient is the client API for DRAPlugin service.
-//
-// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
-type DRAPluginClient interface {
-	// NodePrepareResources prepares several ResourceClaims
-	// for use on the node. If an error is returned, the
-	// response is ignored. Failures for individual claims
-	// can be reported inside NodePrepareResourcesResponse.
-	NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error)
-	// NodeUnprepareResources is the opposite of NodePrepareResources.
-	// The same error handling rules apply,
-	NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error)
-}
-
-type dRAPluginClient struct {
-	cc *grpc.ClientConn
-}
-
-func NewDRAPluginClient(cc *grpc.ClientConn) DRAPluginClient {
-	return &dRAPluginClient{cc}
-}
-
-func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error) {
-	out := new(NodePrepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodePrepareResources", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *dRAPluginClient) NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error) {
-	out := new(NodeUnprepareResourcesResponse)
-	err := c.cc.Invoke(ctx, "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodeUnprepareResources", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// DRAPluginServer is the server API for DRAPlugin service.
-type DRAPluginServer interface {
-	// NodePrepareResources prepares several ResourceClaims
-	// for use on the node. If an error is returned, the
-	// response is ignored. Failures for individual claims
-	// can be reported inside NodePrepareResourcesResponse.
-	NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error)
-	// NodeUnprepareResources is the opposite of NodePrepareResources.
-	// The same error handling rules apply,
-	NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error)
-}
-
-// UnimplementedDRAPluginServer can be embedded to have forward compatible implementations.
-type UnimplementedDRAPluginServer struct {
-}
-
-func (*UnimplementedDRAPluginServer) NodePrepareResources(ctx context.Context, req *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method NodePrepareResources not implemented")
-}
-func (*UnimplementedDRAPluginServer) NodeUnprepareResources(ctx context.Context, req *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method NodeUnprepareResources not implemented")
-}
-
-func RegisterDRAPluginServer(s *grpc.Server, srv DRAPluginServer) {
-	s.RegisterService(&_DRAPlugin_serviceDesc, srv)
-}
-
-func _DRAPlugin_NodePrepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(NodePrepareResourcesRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DRAPluginServer).NodePrepareResources(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodePrepareResources",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DRAPluginServer).NodePrepareResources(ctx, req.(*NodePrepareResourcesRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(NodeUnprepareResourcesRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodeUnprepareResources",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, req.(*NodeUnprepareResourcesRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-var _DRAPlugin_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin",
-	HandlerType: (*DRAPluginServer)(nil),
-	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "NodePrepareResources",
-			Handler:    _DRAPlugin_NodePrepareResources_Handler,
-		},
-		{
-			MethodName: "NodeUnprepareResources",
-			Handler:    _DRAPlugin_NodeUnprepareResources_Handler,
-		},
-	},
-	Streams:  []grpc.StreamDesc{},
-	Metadata: "api.proto",
-}
-
-func (m *NodePrepareResourcesRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourcesRequest) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourcesRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for iNdEx := len(m.Claims) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Claims[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodePrepareResourcesResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourcesResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourcesResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k := range m.Claims {
-			v := m.Claims[k]
-			baseI := i
-			if v != nil {
-				{
-					size, err := v.MarshalToSizedBuffer(dAtA[:i])
-					if err != nil {
-						return 0, err
-					}
-					i -= size
-					i = encodeVarintApi(dAtA, i, uint64(size))
-				}
-				i--
-				dAtA[i] = 0x12
-			}
-			i -= len(k)
-			copy(dAtA[i:], k)
-			i = encodeVarintApi(dAtA, i, uint64(len(k)))
-			i--
-			dAtA[i] = 0xa
-			i = encodeVarintApi(dAtA, i, uint64(baseI-i))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodePrepareResourceResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodePrepareResourceResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodePrepareResourceResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Error) > 0 {
-		i -= len(m.Error)
-		copy(dAtA[i:], m.Error)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Error)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.Devices) > 0 {
-		for iNdEx := len(m.Devices) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Devices[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *Device) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *Device) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *Device) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.CDIDeviceIDs) > 0 {
-		for iNdEx := len(m.CDIDeviceIDs) - 1; iNdEx >= 0; iNdEx-- {
-			i -= len(m.CDIDeviceIDs[iNdEx])
-			copy(dAtA[i:], m.CDIDeviceIDs[iNdEx])
-			i = encodeVarintApi(dAtA, i, uint64(len(m.CDIDeviceIDs[iNdEx])))
-			i--
-			dAtA[i] = 0x22
-		}
-	}
-	if len(m.DeviceName) > 0 {
-		i -= len(m.DeviceName)
-		copy(dAtA[i:], m.DeviceName)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.DeviceName)))
-		i--
-		dAtA[i] = 0x1a
-	}
-	if len(m.PoolName) > 0 {
-		i -= len(m.PoolName)
-		copy(dAtA[i:], m.PoolName)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.PoolName)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.RequestNames) > 0 {
-		for iNdEx := len(m.RequestNames) - 1; iNdEx >= 0; iNdEx-- {
-			i -= len(m.RequestNames[iNdEx])
-			copy(dAtA[i:], m.RequestNames[iNdEx])
-			i = encodeVarintApi(dAtA, i, uint64(len(m.RequestNames[iNdEx])))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodeUnprepareResourcesRequest) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
+	Name          string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
-func (m *NodeUnprepareResourcesRequest) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
+func (x *Claim) Reset() {
+	*x = Claim{}
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
-func (m *NodeUnprepareResourcesRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for iNdEx := len(m.Claims) - 1; iNdEx >= 0; iNdEx-- {
-			{
-				size, err := m.Claims[iNdEx].MarshalToSizedBuffer(dAtA[:i])
-				if err != nil {
-					return 0, err
-				}
-				i -= size
-				i = encodeVarintApi(dAtA, i, uint64(size))
-			}
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *NodeUnprepareResourcesResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodeUnprepareResourcesResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodeUnprepareResourcesResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k := range m.Claims {
-			v := m.Claims[k]
-			baseI := i
-			if v != nil {
-				{
-					size, err := v.MarshalToSizedBuffer(dAtA[:i])
-					if err != nil {
-						return 0, err
-					}
-					i -= size
-					i = encodeVarintApi(dAtA, i, uint64(size))
-				}
-				i--
-				dAtA[i] = 0x12
-			}
-			i -= len(k)
-			copy(dAtA[i:], k)
-			i = encodeVarintApi(dAtA, i, uint64(len(k)))
-			i--
-			dAtA[i] = 0xa
-			i = encodeVarintApi(dAtA, i, uint64(baseI-i))
-			i--
-			dAtA[i] = 0xa
-		}
-	}
-	return len(dAtA) - i, nil
+func (x *Claim) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
 
-func (m *NodeUnprepareResourceResponse) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *NodeUnprepareResourceResponse) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *NodeUnprepareResourceResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Error) > 0 {
-		i -= len(m.Error)
-		copy(dAtA[i:], m.Error)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Error)))
-		i--
-		dAtA[i] = 0xa
-	}
-	return len(dAtA) - i, nil
-}
-
-func (m *Claim) Marshal() (dAtA []byte, err error) {
-	size := m.Size()
-	dAtA = make([]byte, size)
-	n, err := m.MarshalToSizedBuffer(dAtA[:size])
-	if err != nil {
-		return nil, err
-	}
-	return dAtA[:n], nil
-}
-
-func (m *Claim) MarshalTo(dAtA []byte) (int, error) {
-	size := m.Size()
-	return m.MarshalToSizedBuffer(dAtA[:size])
-}
-
-func (m *Claim) MarshalToSizedBuffer(dAtA []byte) (int, error) {
-	i := len(dAtA)
-	_ = i
-	var l int
-	_ = l
-	if len(m.Name) > 0 {
-		i -= len(m.Name)
-		copy(dAtA[i:], m.Name)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Name)))
-		i--
-		dAtA[i] = 0x1a
-	}
-	if len(m.UID) > 0 {
-		i -= len(m.UID)
-		copy(dAtA[i:], m.UID)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.UID)))
-		i--
-		dAtA[i] = 0x12
-	}
-	if len(m.Namespace) > 0 {
-		i -= len(m.Namespace)
-		copy(dAtA[i:], m.Namespace)
-		i = encodeVarintApi(dAtA, i, uint64(len(m.Namespace)))
-		i--
-		dAtA[i] = 0xa
-	}
-	return len(dAtA) - i, nil
-}
-
-func encodeVarintApi(dAtA []byte, offset int, v uint64) int {
-	offset -= sovApi(v)
-	base := offset
-	for v >= 1<<7 {
-		dAtA[offset] = uint8(v&0x7f | 0x80)
-		v >>= 7
-		offset++
-	}
-	dAtA[offset] = uint8(v)
-	return base
-}
-func (m *NodePrepareResourcesRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for _, e := range m.Claims {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *NodePrepareResourcesResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k, v := range m.Claims {
-			_ = k
-			_ = v
-			l = 0
-			if v != nil {
-				l = v.Size()
-				l += 1 + sovApi(uint64(l))
-			}
-			mapEntrySize := 1 + len(k) + sovApi(uint64(len(k))) + l
-			n += mapEntrySize + 1 + sovApi(uint64(mapEntrySize))
-		}
-	}
-	return n
-}
-
-func (m *NodePrepareResourceResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Devices) > 0 {
-		for _, e := range m.Devices {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	l = len(m.Error)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
-}
-
-func (m *Device) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.RequestNames) > 0 {
-		for _, s := range m.RequestNames {
-			l = len(s)
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	l = len(m.PoolName)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.DeviceName)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	if len(m.CDIDeviceIDs) > 0 {
-		for _, s := range m.CDIDeviceIDs {
-			l = len(s)
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *NodeUnprepareResourcesRequest) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for _, e := range m.Claims {
-			l = e.Size()
-			n += 1 + l + sovApi(uint64(l))
-		}
-	}
-	return n
-}
-
-func (m *NodeUnprepareResourcesResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	if len(m.Claims) > 0 {
-		for k, v := range m.Claims {
-			_ = k
-			_ = v
-			l = 0
-			if v != nil {
-				l = v.Size()
-				l += 1 + sovApi(uint64(l))
-			}
-			mapEntrySize := 1 + len(k) + sovApi(uint64(len(k))) + l
-			n += mapEntrySize + 1 + sovApi(uint64(mapEntrySize))
-		}
-	}
-	return n
-}
-
-func (m *NodeUnprepareResourceResponse) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Error)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
-}
-
-func (m *Claim) Size() (n int) {
-	if m == nil {
-		return 0
-	}
-	var l int
-	_ = l
-	l = len(m.Namespace)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.UID)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	l = len(m.Name)
-	if l > 0 {
-		n += 1 + l + sovApi(uint64(l))
-	}
-	return n
-}
-
-func sovApi(x uint64) (n int) {
-	return (math_bits.Len64(x|1) + 6) / 7
-}
-func sozApi(x uint64) (n int) {
-	return sovApi(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-func (this *NodePrepareResourcesRequest) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForClaims := "[]*Claim{"
-	for _, f := range this.Claims {
-		repeatedStringForClaims += strings.Replace(f.String(), "Claim", "Claim", 1) + ","
-	}
-	repeatedStringForClaims += "}"
-	s := strings.Join([]string{`&NodePrepareResourcesRequest{`,
-		`Claims:` + repeatedStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodePrepareResourcesResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	keysForClaims := make([]string, 0, len(this.Claims))
-	for k := range this.Claims {
-		keysForClaims = append(keysForClaims, k)
-	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForClaims)
-	mapStringForClaims := "map[string]*NodePrepareResourceResponse{"
-	for _, k := range keysForClaims {
-		mapStringForClaims += fmt.Sprintf("%v: %v,", k, this.Claims[k])
-	}
-	mapStringForClaims += "}"
-	s := strings.Join([]string{`&NodePrepareResourcesResponse{`,
-		`Claims:` + mapStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodePrepareResourceResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForDevices := "[]*Device{"
-	for _, f := range this.Devices {
-		repeatedStringForDevices += strings.Replace(f.String(), "Device", "Device", 1) + ","
-	}
-	repeatedStringForDevices += "}"
-	s := strings.Join([]string{`&NodePrepareResourceResponse{`,
-		`Devices:` + repeatedStringForDevices + `,`,
-		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *Device) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&Device{`,
-		`RequestNames:` + fmt.Sprintf("%v", this.RequestNames) + `,`,
-		`PoolName:` + fmt.Sprintf("%v", this.PoolName) + `,`,
-		`DeviceName:` + fmt.Sprintf("%v", this.DeviceName) + `,`,
-		`CDIDeviceIDs:` + fmt.Sprintf("%v", this.CDIDeviceIDs) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourcesRequest) String() string {
-	if this == nil {
-		return "nil"
-	}
-	repeatedStringForClaims := "[]*Claim{"
-	for _, f := range this.Claims {
-		repeatedStringForClaims += strings.Replace(f.String(), "Claim", "Claim", 1) + ","
-	}
-	repeatedStringForClaims += "}"
-	s := strings.Join([]string{`&NodeUnprepareResourcesRequest{`,
-		`Claims:` + repeatedStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourcesResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	keysForClaims := make([]string, 0, len(this.Claims))
-	for k := range this.Claims {
-		keysForClaims = append(keysForClaims, k)
-	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForClaims)
-	mapStringForClaims := "map[string]*NodeUnprepareResourceResponse{"
-	for _, k := range keysForClaims {
-		mapStringForClaims += fmt.Sprintf("%v: %v,", k, this.Claims[k])
-	}
-	mapStringForClaims += "}"
-	s := strings.Join([]string{`&NodeUnprepareResourcesResponse{`,
-		`Claims:` + mapStringForClaims + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *NodeUnprepareResourceResponse) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&NodeUnprepareResourceResponse{`,
-		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func (this *Claim) String() string {
-	if this == nil {
-		return "nil"
-	}
-	s := strings.Join([]string{`&Claim{`,
-		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
-		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
-		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
-		`}`,
-	}, "")
-	return s
-}
-func valueToStringApi(v interface{}) string {
-	rv := reflect.ValueOf(v)
-	if rv.IsNil() {
-		return "nil"
-	}
-	pv := reflect.Indirect(rv).Interface()
-	return fmt.Sprintf("*%v", pv)
-}
-func (m *NodePrepareResourcesRequest) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourcesRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourcesRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Claims = append(m.Claims, &Claim{})
-			if err := m.Claims[len(m.Claims)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *NodePrepareResourcesResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourcesResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourcesResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Claims == nil {
-				m.Claims = make(map[string]*NodePrepareResourceResponse)
-			}
-			var mapkey string
-			var mapvalue *NodePrepareResourceResponse
-			for iNdEx < postIndex {
-				entryPreIndex := iNdEx
-				var wire uint64
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return ErrIntOverflowApi
-					}
-					if iNdEx >= l {
-						return io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					wire |= uint64(b&0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				fieldNum := int32(wire >> 3)
-				if fieldNum == 1 {
-					var stringLenmapkey uint64
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						stringLenmapkey |= uint64(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					intStringLenmapkey := int(stringLenmapkey)
-					if intStringLenmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					postStringIndexmapkey := iNdEx + intStringLenmapkey
-					if postStringIndexmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postStringIndexmapkey > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
-					iNdEx = postStringIndexmapkey
-				} else if fieldNum == 2 {
-					var mapmsglen int
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						mapmsglen |= int(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					if mapmsglen < 0 {
-						return ErrInvalidLengthApi
-					}
-					postmsgIndex := iNdEx + mapmsglen
-					if postmsgIndex < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postmsgIndex > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapvalue = &NodePrepareResourceResponse{}
-					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
-						return err
-					}
-					iNdEx = postmsgIndex
-				} else {
-					iNdEx = entryPreIndex
-					skippy, err := skipApi(dAtA[iNdEx:])
-					if err != nil {
-						return err
-					}
-					if (skippy < 0) || (iNdEx+skippy) < 0 {
-						return ErrInvalidLengthApi
-					}
-					if (iNdEx + skippy) > postIndex {
-						return io.ErrUnexpectedEOF
-					}
-					iNdEx += skippy
-				}
-			}
-			m.Claims[mapkey] = mapvalue
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
+func (*Claim) ProtoMessage() {}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func (m *NodePrepareResourceResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodePrepareResourceResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodePrepareResourceResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Devices", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Devices = append(m.Devices, &Device{})
-			if err := m.Devices[len(m.Devices)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Error = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
+func (x *Claim) ProtoReflect() protoreflect.Message {
+	mi := &file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
 		}
+		return ms
 	}
-
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
+	return mi.MessageOf(x)
 }
-func (m *Device) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: Device: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Device: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field RequestNames", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.RequestNames = append(m.RequestNames, string(dAtA[iNdEx:postIndex]))
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field PoolName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.PoolName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field DeviceName", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.DeviceName = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 4:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field CDIDeviceIDs", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.CDIDeviceIDs = append(m.CDIDeviceIDs, string(dAtA[iNdEx:postIndex]))
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
+// Deprecated: Use Claim.ProtoReflect.Descriptor instead.
+func (*Claim) Descriptor() ([]byte, []int) {
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP(), []int{7}
 }
-func (m *NodeUnprepareResourcesRequest) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesRequest: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesRequest: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Claims = append(m.Claims, &Claim{})
-			if err := m.Claims[len(m.Claims)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
-				return err
-			}
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
 	}
-	return nil
+	return ""
 }
-func (m *NodeUnprepareResourcesResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourcesResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Claims", wireType)
-			}
-			var msglen int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				msglen |= int(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if msglen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + msglen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			if m.Claims == nil {
-				m.Claims = make(map[string]*NodeUnprepareResourceResponse)
-			}
-			var mapkey string
-			var mapvalue *NodeUnprepareResourceResponse
-			for iNdEx < postIndex {
-				entryPreIndex := iNdEx
-				var wire uint64
-				for shift := uint(0); ; shift += 7 {
-					if shift >= 64 {
-						return ErrIntOverflowApi
-					}
-					if iNdEx >= l {
-						return io.ErrUnexpectedEOF
-					}
-					b := dAtA[iNdEx]
-					iNdEx++
-					wire |= uint64(b&0x7F) << shift
-					if b < 0x80 {
-						break
-					}
-				}
-				fieldNum := int32(wire >> 3)
-				if fieldNum == 1 {
-					var stringLenmapkey uint64
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						stringLenmapkey |= uint64(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					intStringLenmapkey := int(stringLenmapkey)
-					if intStringLenmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					postStringIndexmapkey := iNdEx + intStringLenmapkey
-					if postStringIndexmapkey < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postStringIndexmapkey > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
-					iNdEx = postStringIndexmapkey
-				} else if fieldNum == 2 {
-					var mapmsglen int
-					for shift := uint(0); ; shift += 7 {
-						if shift >= 64 {
-							return ErrIntOverflowApi
-						}
-						if iNdEx >= l {
-							return io.ErrUnexpectedEOF
-						}
-						b := dAtA[iNdEx]
-						iNdEx++
-						mapmsglen |= int(b&0x7F) << shift
-						if b < 0x80 {
-							break
-						}
-					}
-					if mapmsglen < 0 {
-						return ErrInvalidLengthApi
-					}
-					postmsgIndex := iNdEx + mapmsglen
-					if postmsgIndex < 0 {
-						return ErrInvalidLengthApi
-					}
-					if postmsgIndex > l {
-						return io.ErrUnexpectedEOF
-					}
-					mapvalue = &NodeUnprepareResourceResponse{}
-					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
-						return err
-					}
-					iNdEx = postmsgIndex
-				} else {
-					iNdEx = entryPreIndex
-					skippy, err := skipApi(dAtA[iNdEx:])
-					if err != nil {
-						return err
-					}
-					if (skippy < 0) || (iNdEx+skippy) < 0 {
-						return ErrInvalidLengthApi
-					}
-					if (iNdEx + skippy) > postIndex {
-						return io.ErrUnexpectedEOF
-					}
-					iNdEx += skippy
-				}
-			}
-			m.Claims[mapkey] = mapvalue
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetUid() string {
+	if x != nil {
+		return x.Uid
 	}
-	return nil
+	return ""
 }
-func (m *NodeUnprepareResourceResponse) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: NodeUnprepareResourceResponse: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: NodeUnprepareResourceResponse: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Error = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
+func (x *Claim) GetName() string {
+	if x != nil {
+		return x.Name
 	}
-	return nil
+	return ""
 }
-func (m *Claim) Unmarshal(dAtA []byte) error {
-	l := len(dAtA)
-	iNdEx := 0
-	for iNdEx < l {
-		preIndex := iNdEx
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= uint64(b&0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		fieldNum := int32(wire >> 3)
-		wireType := int(wire & 0x7)
-		if wireType == 4 {
-			return fmt.Errorf("proto: Claim: wiretype end group for non-group")
-		}
-		if fieldNum <= 0 {
-			return fmt.Errorf("proto: Claim: illegal tag %d (wire type %d)", fieldNum, wire)
-		}
-		switch fieldNum {
-		case 1:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Namespace = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.UID = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		case 3:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthApi
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthApi
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.Name = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
-		default:
-			iNdEx = preIndex
-			skippy, err := skipApi(dAtA[iNdEx:])
-			if err != nil {
-				return err
-			}
-			if (skippy < 0) || (iNdEx+skippy) < 0 {
-				return ErrInvalidLengthApi
-			}
-			if (iNdEx + skippy) > l {
-				return io.ErrUnexpectedEOF
-			}
-			iNdEx += skippy
-		}
-	}
 
-	if iNdEx > l {
-		return io.ErrUnexpectedEOF
-	}
-	return nil
-}
-func skipApi(dAtA []byte) (n int, err error) {
-	l := len(dAtA)
-	iNdEx := 0
-	depth := 0
-	for iNdEx < l {
-		var wire uint64
-		for shift := uint(0); ; shift += 7 {
-			if shift >= 64 {
-				return 0, ErrIntOverflowApi
-			}
-			if iNdEx >= l {
-				return 0, io.ErrUnexpectedEOF
-			}
-			b := dAtA[iNdEx]
-			iNdEx++
-			wire |= (uint64(b) & 0x7F) << shift
-			if b < 0x80 {
-				break
-			}
-		}
-		wireType := int(wire & 0x7)
-		switch wireType {
-		case 0:
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				iNdEx++
-				if dAtA[iNdEx-1] < 0x80 {
-					break
-				}
-			}
-		case 1:
-			iNdEx += 8
-		case 2:
-			var length int
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return 0, ErrIntOverflowApi
-				}
-				if iNdEx >= l {
-					return 0, io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				length |= (int(b) & 0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			if length < 0 {
-				return 0, ErrInvalidLengthApi
-			}
-			iNdEx += length
-		case 3:
-			depth++
-		case 4:
-			if depth == 0 {
-				return 0, ErrUnexpectedEndOfGroupApi
-			}
-			depth--
-		case 5:
-			iNdEx += 4
-		default:
-			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
-		}
-		if iNdEx < 0 {
-			return 0, ErrInvalidLengthApi
-		}
-		if depth == 0 {
-			return iNdEx, nil
-		}
-	}
-	return 0, io.ErrUnexpectedEOF
-}
+var File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto protoreflect.FileDescriptor
+
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDesc = string([]byte{
+	0x0a, 0x39, 0x73, 0x74, 0x61, 0x67, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x72, 0x63, 0x2f, 0x6b, 0x38,
+	0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67,
+	0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+	0x31, 0x2f, 0x61, 0x70, 0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x23, 0x6b, 0x38, 0x73,
+	0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e,
+	0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0x22, 0x61, 0x0a, 0x1b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x42, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x2a, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74,
+	0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x06, 0x63, 0x6c, 0x61,
+	0x69, 0x6d, 0x73, 0x22, 0x82, 0x02, 0x0a, 0x1c, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70,
+	0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x65, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x4d, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75,
+	0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64,
+	0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50,
+	0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e,
+	0x74, 0x72, 0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x7b, 0x0a, 0x0b, 0x43,
+	0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
+	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x56, 0x0a, 0x05,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x40, 0x2e, 0x6b, 0x38,
+	0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67,
+	0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+	0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x7a, 0x0a, 0x1b, 0x4e, 0x6f, 0x64, 0x65,
+	0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x45, 0x0a, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63,
+	0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69,
+	0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70,
+	0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x44,
+	0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x07, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x12, 0x14,
+	0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x22, 0x91, 0x01, 0x0a, 0x06, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x23, 0x0a, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4e,
+	0x61, 0x6d, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x6f, 0x6c, 0x5f, 0x6e, 0x61, 0x6d,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x6f, 0x6c, 0x4e, 0x61, 0x6d,
+	0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61,
+	0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x63, 0x64, 0x69, 0x5f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
+	0x5f, 0x69, 0x64, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x64, 0x69, 0x44,
+	0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x73, 0x22, 0x63, 0x0a, 0x1d, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x42, 0x0a, 0x06, 0x63, 0x6c, 0x61,
+	0x69, 0x6d, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x6b, 0x38, 0x73, 0x2e,
+	0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61,
+	0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
+	0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x22, 0x88, 0x02,
+	0x0a, 0x1e, 0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x67, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x4f, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65,
+	0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65,
+	0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x1a, 0x7d, 0x0a, 0x0b, 0x43, 0x6c, 0x61,
+	0x69, 0x6d, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x58, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x42, 0x2e, 0x6b, 0x38, 0x73, 0x2e,
+	0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61,
+	0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
+	0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x35, 0x0a, 0x1d, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22,
+	0x4b, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+	0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d,
+	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x32, 0xd1, 0x02, 0x0a,
+	0x09, 0x44, 0x52, 0x41, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x9d, 0x01, 0x0a, 0x14, 0x4e,
+	0x6f, 0x64, 0x65, 0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x73, 0x12, 0x40, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62,
+	0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e, 0x64, 0x72,
+	0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x72,
+	0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x41, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e,
+	0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65,
+	0x50, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0xa3, 0x01, 0x0a, 0x16, 0x4e,
+	0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x42, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x6b,
+	0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61, 0x70, 0x69, 0x73, 0x2e,
+	0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65,
+	0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x43, 0x2e, 0x6b, 0x38, 0x73, 0x2e,
+	0x69, 0x6f, 0x2e, 0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2e, 0x70, 0x6b, 0x67, 0x2e, 0x61,
+	0x70, 0x69, 0x73, 0x2e, 0x64, 0x72, 0x61, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
+	0x4e, 0x6f, 0x64, 0x65, 0x55, 0x6e, 0x70, 0x72, 0x65, 0x70, 0x61, 0x72, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
+	0x42, 0x25, 0x5a, 0x23, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x6c,
+	0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x64, 0x72, 0x61, 0x2f,
+	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
-	ErrInvalidLengthApi        = fmt.Errorf("proto: negative length found during unmarshaling")
-	ErrIntOverflowApi          = fmt.Errorf("proto: integer overflow")
-	ErrUnexpectedEndOfGroupApi = fmt.Errorf("proto: unexpected end of group")
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescOnce sync.Once
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescData []byte
 )
+
+func file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescGZIP() []byte {
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescOnce.Do(func() {
+		file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDesc), len(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDesc)))
+	})
+	return file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDescData
+}
+
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_goTypes = []any{
+	(*NodePrepareResourcesRequest)(nil),    // 0: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesRequest
+	(*NodePrepareResourcesResponse)(nil),   // 1: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse
+	(*NodePrepareResourceResponse)(nil),    // 2: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourceResponse
+	(*Device)(nil),                         // 3: k8s.io.kubelet.pkg.apis.dra.v1beta1.Device
+	(*NodeUnprepareResourcesRequest)(nil),  // 4: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesRequest
+	(*NodeUnprepareResourcesResponse)(nil), // 5: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse
+	(*NodeUnprepareResourceResponse)(nil),  // 6: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourceResponse
+	(*Claim)(nil),                          // 7: k8s.io.kubelet.pkg.apis.dra.v1beta1.Claim
+	nil,                                    // 8: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.ClaimsEntry
+	nil,                                    // 9: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry
+}
+var file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_depIdxs = []int32{
+	7, // 0: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesRequest.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.Claim
+	8, // 1: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.ClaimsEntry
+	3, // 2: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourceResponse.devices:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.Device
+	7, // 3: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesRequest.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.Claim
+	9, // 4: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.claims:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry
+	2, // 5: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse.ClaimsEntry.value:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourceResponse
+	6, // 6: k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse.ClaimsEntry.value:type_name -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourceResponse
+	0, // 7: k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin.NodePrepareResources:input_type -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesRequest
+	4, // 8: k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin.NodeUnprepareResources:input_type -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesRequest
+	1, // 9: k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin.NodePrepareResources:output_type -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodePrepareResourcesResponse
+	5, // 10: k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin.NodeUnprepareResources:output_type -> k8s.io.kubelet.pkg.apis.dra.v1beta1.NodeUnprepareResourcesResponse
+	9, // [9:11] is the sub-list for method output_type
+	7, // [7:9] is the sub-list for method input_type
+	7, // [7:7] is the sub-list for extension type_name
+	7, // [7:7] is the sub-list for extension extendee
+	0, // [0:7] is the sub-list for field type_name
+}
+
+func init() { file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_init() }
+func file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_init() {
+	if File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDesc), len(file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   10,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_goTypes,
+		DependencyIndexes: file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_depIdxs,
+		MessageInfos:      file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_msgTypes,
+	}.Build()
+	File_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto = out.File
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_goTypes = nil
+	file_staging_src_k8s_io_kubelet_pkg_apis_dra_v1beta1_api_proto_depIdxs = nil
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto
index e2f7960f48602..7c3100a03dd29 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto
@@ -21,16 +21,6 @@ syntax = "proto3";
 package k8s.io.kubelet.pkg.apis.dra.v1beta1;
 option go_package = "k8s.io/kubelet/pkg/apis/dra/v1beta1";
 
-import "github.com/gogo/protobuf/gogoproto/gogo.proto";
-
-option (gogoproto.goproto_stringer_all) = false;
-option (gogoproto.stringer_all) =  true;
-option (gogoproto.goproto_getters_all) = true;
-option (gogoproto.marshaler_all) = true;
-option (gogoproto.sizer_all) = true;
-option (gogoproto.unmarshaler_all) = true;
-option (gogoproto.goproto_unrecognized_all) = false;
-
 service DRAPlugin {
   // NodePrepareResources prepares several ResourceClaims
   // for use on the node. If an error is returned, the
@@ -84,7 +74,7 @@ message Device {
 
     // A single device instance may map to several CDI device IDs.
     // None is also valid.
-    repeated string cdi_device_ids = 4 [(gogoproto.customname) = "CDIDeviceIDs"];
+    repeated string cdi_device_ids = 4;
 }
 
 message NodeUnprepareResourcesRequest {
@@ -111,7 +101,7 @@ message Claim {
     string namespace = 1;
     // The UID of the Resource claim (ResourceClaim.meta.UUID).
     // This field is REQUIRED.
-    string uid = 2 [(gogoproto.customname) = "UID"];
+    string uid = 2;
     // The name of the Resource claim (ResourceClaim.meta.Name)
     // This field is REQUIRED.
     string name = 3;
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api_grpc.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api_grpc.pb.go
new file mode 100644
index 0000000000000..1b9d4a9eb8055
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api_grpc.pb.go
@@ -0,0 +1,204 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//
+//Copyright 2024 The Kubernetes Authors.
+//
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+
+// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             v4.23.4
+// source: staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto
+
+package v1beta1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	DRAPlugin_NodePrepareResources_FullMethodName   = "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodePrepareResources"
+	DRAPlugin_NodeUnprepareResources_FullMethodName = "/k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin/NodeUnprepareResources"
+)
+
+// DRAPluginClient is the client API for DRAPlugin service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DRAPluginClient interface {
+	// NodePrepareResources prepares several ResourceClaims
+	// for use on the node. If an error is returned, the
+	// response is ignored. Failures for individual claims
+	// can be reported inside NodePrepareResourcesResponse.
+	NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error)
+	// NodeUnprepareResources is the opposite of NodePrepareResources.
+	// The same error handling rules apply,
+	NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error)
+}
+
+type dRAPluginClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDRAPluginClient(cc grpc.ClientConnInterface) DRAPluginClient {
+	return &dRAPluginClient{cc}
+}
+
+func (c *dRAPluginClient) NodePrepareResources(ctx context.Context, in *NodePrepareResourcesRequest, opts ...grpc.CallOption) (*NodePrepareResourcesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(NodePrepareResourcesResponse)
+	err := c.cc.Invoke(ctx, DRAPlugin_NodePrepareResources_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *dRAPluginClient) NodeUnprepareResources(ctx context.Context, in *NodeUnprepareResourcesRequest, opts ...grpc.CallOption) (*NodeUnprepareResourcesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(NodeUnprepareResourcesResponse)
+	err := c.cc.Invoke(ctx, DRAPlugin_NodeUnprepareResources_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DRAPluginServer is the server API for DRAPlugin service.
+// All implementations must embed UnimplementedDRAPluginServer
+// for forward compatibility.
+type DRAPluginServer interface {
+	// NodePrepareResources prepares several ResourceClaims
+	// for use on the node. If an error is returned, the
+	// response is ignored. Failures for individual claims
+	// can be reported inside NodePrepareResourcesResponse.
+	NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error)
+	// NodeUnprepareResources is the opposite of NodePrepareResources.
+	// The same error handling rules apply,
+	NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error)
+	mustEmbedUnimplementedDRAPluginServer()
+}
+
+// UnimplementedDRAPluginServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedDRAPluginServer struct{}
+
+func (UnimplementedDRAPluginServer) NodePrepareResources(context.Context, *NodePrepareResourcesRequest) (*NodePrepareResourcesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method NodePrepareResources not implemented")
+}
+func (UnimplementedDRAPluginServer) NodeUnprepareResources(context.Context, *NodeUnprepareResourcesRequest) (*NodeUnprepareResourcesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method NodeUnprepareResources not implemented")
+}
+func (UnimplementedDRAPluginServer) mustEmbedUnimplementedDRAPluginServer() {}
+func (UnimplementedDRAPluginServer) testEmbeddedByValue()                   {}
+
+// UnsafeDRAPluginServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DRAPluginServer will
+// result in compilation errors.
+type UnsafeDRAPluginServer interface {
+	mustEmbedUnimplementedDRAPluginServer()
+}
+
+func RegisterDRAPluginServer(s grpc.ServiceRegistrar, srv DRAPluginServer) {
+	// If the following call pancis, it indicates UnimplementedDRAPluginServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&DRAPlugin_ServiceDesc, srv)
+}
+
+func _DRAPlugin_NodePrepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NodePrepareResourcesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DRAPluginServer).NodePrepareResources(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DRAPlugin_NodePrepareResources_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DRAPluginServer).NodePrepareResources(ctx, req.(*NodePrepareResourcesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DRAPlugin_NodeUnprepareResources_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(NodeUnprepareResourcesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DRAPlugin_NodeUnprepareResources_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DRAPluginServer).NodeUnprepareResources(ctx, req.(*NodeUnprepareResourcesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DRAPlugin_ServiceDesc is the grpc.ServiceDesc for DRAPlugin service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DRAPlugin_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "k8s.io.kubelet.pkg.apis.dra.v1beta1.DRAPlugin",
+	HandlerType: (*DRAPluginServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "NodePrepareResources",
+			Handler:    _DRAPlugin_NodePrepareResources_Handler,
+		},
+		{
+			MethodName: "NodeUnprepareResources",
+			Handler:    _DRAPlugin_NodeUnprepareResources_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/api.proto",
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion.go
index bee12052a5a2f..d37b096a614a5 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion.go
@@ -33,6 +33,7 @@ var (
 
 // V1ServerWrapper implements the [NodeServer] interface by wrapping a [v1.DRAPluginServer].
 type V1ServerWrapper struct {
+	UnsafeDRAPluginServer
 	v1.DRAPluginServer
 }
 
@@ -72,6 +73,7 @@ func (w V1ServerWrapper) NodeUnprepareResources(ctx context.Context, req *NodeUn
 
 // V1Beta1ServerWrapper implements the [v1.DRAPluginServer] interface by wrapping a [NodeServer].
 type V1Beta1ServerWrapper struct {
+	v1.UnsafeDRAPluginServer
 	DRAPluginServer
 }
 
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion_internal.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion_internal.go
new file mode 100644
index 0000000000000..59bd14f51783f
--- /dev/null
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/conversion_internal.go
@@ -0,0 +1,102 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	v1 "k8s.io/kubelet/pkg/apis/dra/v1"
+)
+
+// Convert_v1beta1_Claim_To_v1_Claim is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_Claim_To_v1_Claim(in *Claim, out *v1.Claim, s conversion.Scope) error {
+	return autoConvert_v1beta1_Claim_To_v1_Claim(in, out, s)
+}
+
+// Convert_v1_Claim_To_v1beta1_Claim is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_Claim_To_v1beta1_Claim(in *v1.Claim, out *Claim, s conversion.Scope) error {
+	return autoConvert_v1_Claim_To_v1beta1_Claim(in, out, s)
+}
+
+// Convert_v1beta1_Device_To_v1_Device is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_Device_To_v1_Device(in *Device, out *v1.Device, s conversion.Scope) error {
+	return autoConvert_v1beta1_Device_To_v1_Device(in, out, s)
+}
+
+// Convert_v1_Device_To_v1beta1_Device is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_Device_To_v1beta1_Device(in *v1.Device, out *Device, s conversion.Scope) error {
+	return autoConvert_v1_Device_To_v1beta1_Device(in, out, s)
+}
+
+// Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(in *NodePrepareResourceResponse, out *v1.NodePrepareResourceResponse, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(in, out, s)
+}
+
+// Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(in *v1.NodePrepareResourceResponse, out *NodePrepareResourceResponse, s conversion.Scope) error {
+	return autoConvert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(in, out, s)
+}
+
+// Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(in *NodePrepareResourcesRequest, out *v1.NodePrepareResourcesRequest, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(in, out, s)
+}
+
+// Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(in *v1.NodePrepareResourcesRequest, out *NodePrepareResourcesRequest, s conversion.Scope) error {
+	return autoConvert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(in, out, s)
+}
+
+// Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(in *NodePrepareResourcesResponse, out *v1.NodePrepareResourcesResponse, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(in, out, s)
+}
+
+// Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(in *v1.NodePrepareResourcesResponse, out *NodePrepareResourcesResponse, s conversion.Scope) error {
+	return autoConvert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(in, out, s)
+}
+
+// Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(in *NodeUnprepareResourceResponse, out *v1.NodeUnprepareResourceResponse, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(in, out, s)
+}
+
+// Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(in *v1.NodeUnprepareResourceResponse, out *NodeUnprepareResourceResponse, s conversion.Scope) error {
+	return autoConvert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(in, out, s)
+}
+
+// Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(in *NodeUnprepareResourcesRequest, out *v1.NodeUnprepareResourcesRequest, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(in, out, s)
+}
+
+// Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(in *v1.NodeUnprepareResourcesRequest, out *NodeUnprepareResourcesRequest, s conversion.Scope) error {
+	return autoConvert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(in, out, s)
+}
+
+// Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(in *NodeUnprepareResourcesResponse, out *v1.NodeUnprepareResourcesResponse, s conversion.Scope) error {
+	return autoConvert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(in, out, s)
+}
+
+// Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse is a manually created conversion function because the object contains private fields that cannot be auto-converted.
+func Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(in *v1.NodeUnprepareResourcesResponse, out *NodeUnprepareResourcesResponse, s conversion.Scope) error {
+	return autoConvert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(in, out, s)
+}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/zz_generated.conversion.go
index 4938f87e86eae..2ebde3bba5f5f 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/zz_generated.conversion.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/dra/v1beta1/zz_generated.conversion.go
@@ -36,93 +36,93 @@ func init() {
 // RegisterConversions adds conversion functions to the given scheme.
 // Public to allow building arbitrary schemes.
 func RegisterConversions(s *runtime.Scheme) error {
-	if err := s.AddGeneratedConversionFunc((*Claim)(nil), (*v1.Claim)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_Claim_To_v1_Claim(a.(*Claim), b.(*v1.Claim), scope)
+	if err := s.AddGeneratedConversionFunc((*UnimplementedDRAPluginServer)(nil), (*v1.UnimplementedDRAPluginServer)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_UnimplementedDRAPluginServer_To_v1_UnimplementedDRAPluginServer(a.(*UnimplementedDRAPluginServer), b.(*v1.UnimplementedDRAPluginServer), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.Claim)(nil), (*Claim)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_Claim_To_v1beta1_Claim(a.(*v1.Claim), b.(*Claim), scope)
+	if err := s.AddGeneratedConversionFunc((*v1.UnimplementedDRAPluginServer)(nil), (*UnimplementedDRAPluginServer)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_UnimplementedDRAPluginServer_To_v1beta1_UnimplementedDRAPluginServer(a.(*v1.UnimplementedDRAPluginServer), b.(*UnimplementedDRAPluginServer), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*Device)(nil), (*v1.Device)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_Device_To_v1_Device(a.(*Device), b.(*v1.Device), scope)
+	if err := s.AddConversionFunc((*v1.Claim)(nil), (*Claim)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_Claim_To_v1beta1_Claim(a.(*v1.Claim), b.(*Claim), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.Device)(nil), (*Device)(nil), func(a, b interface{}, scope conversion.Scope) error {
+	if err := s.AddConversionFunc((*v1.Device)(nil), (*Device)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1_Device_To_v1beta1_Device(a.(*v1.Device), b.(*Device), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodePrepareResourceResponse)(nil), (*v1.NodePrepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(a.(*NodePrepareResourceResponse), b.(*v1.NodePrepareResourceResponse), scope)
+	if err := s.AddConversionFunc((*v1.NodePrepareResourceResponse)(nil), (*NodePrepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(a.(*v1.NodePrepareResourceResponse), b.(*NodePrepareResourceResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodePrepareResourceResponse)(nil), (*NodePrepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(a.(*v1.NodePrepareResourceResponse), b.(*NodePrepareResourceResponse), scope)
+	if err := s.AddConversionFunc((*v1.NodePrepareResourcesRequest)(nil), (*NodePrepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(a.(*v1.NodePrepareResourcesRequest), b.(*NodePrepareResourcesRequest), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodePrepareResourcesRequest)(nil), (*v1.NodePrepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(a.(*NodePrepareResourcesRequest), b.(*v1.NodePrepareResourcesRequest), scope)
+	if err := s.AddConversionFunc((*v1.NodePrepareResourcesResponse)(nil), (*NodePrepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(a.(*v1.NodePrepareResourcesResponse), b.(*NodePrepareResourcesResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodePrepareResourcesRequest)(nil), (*NodePrepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(a.(*v1.NodePrepareResourcesRequest), b.(*NodePrepareResourcesRequest), scope)
+	if err := s.AddConversionFunc((*v1.NodeUnprepareResourceResponse)(nil), (*NodeUnprepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(a.(*v1.NodeUnprepareResourceResponse), b.(*NodeUnprepareResourceResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodePrepareResourcesResponse)(nil), (*v1.NodePrepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(a.(*NodePrepareResourcesResponse), b.(*v1.NodePrepareResourcesResponse), scope)
+	if err := s.AddConversionFunc((*v1.NodeUnprepareResourcesRequest)(nil), (*NodeUnprepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(a.(*v1.NodeUnprepareResourcesRequest), b.(*NodeUnprepareResourcesRequest), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodePrepareResourcesResponse)(nil), (*NodePrepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(a.(*v1.NodePrepareResourcesResponse), b.(*NodePrepareResourcesResponse), scope)
+	if err := s.AddConversionFunc((*v1.NodeUnprepareResourcesResponse)(nil), (*NodeUnprepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(a.(*v1.NodeUnprepareResourcesResponse), b.(*NodeUnprepareResourcesResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodeUnprepareResourceResponse)(nil), (*v1.NodeUnprepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(a.(*NodeUnprepareResourceResponse), b.(*v1.NodeUnprepareResourceResponse), scope)
+	if err := s.AddConversionFunc((*Claim)(nil), (*v1.Claim)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_Claim_To_v1_Claim(a.(*Claim), b.(*v1.Claim), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodeUnprepareResourceResponse)(nil), (*NodeUnprepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(a.(*v1.NodeUnprepareResourceResponse), b.(*NodeUnprepareResourceResponse), scope)
+	if err := s.AddConversionFunc((*Device)(nil), (*v1.Device)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_Device_To_v1_Device(a.(*Device), b.(*v1.Device), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodeUnprepareResourcesRequest)(nil), (*v1.NodeUnprepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(a.(*NodeUnprepareResourcesRequest), b.(*v1.NodeUnprepareResourcesRequest), scope)
+	if err := s.AddConversionFunc((*NodePrepareResourceResponse)(nil), (*v1.NodePrepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(a.(*NodePrepareResourceResponse), b.(*v1.NodePrepareResourceResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodeUnprepareResourcesRequest)(nil), (*NodeUnprepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(a.(*v1.NodeUnprepareResourcesRequest), b.(*NodeUnprepareResourcesRequest), scope)
+	if err := s.AddConversionFunc((*NodePrepareResourcesRequest)(nil), (*v1.NodePrepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(a.(*NodePrepareResourcesRequest), b.(*v1.NodePrepareResourcesRequest), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*NodeUnprepareResourcesResponse)(nil), (*v1.NodeUnprepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(a.(*NodeUnprepareResourcesResponse), b.(*v1.NodeUnprepareResourcesResponse), scope)
+	if err := s.AddConversionFunc((*NodePrepareResourcesResponse)(nil), (*v1.NodePrepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(a.(*NodePrepareResourcesResponse), b.(*v1.NodePrepareResourcesResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.NodeUnprepareResourcesResponse)(nil), (*NodeUnprepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(a.(*v1.NodeUnprepareResourcesResponse), b.(*NodeUnprepareResourcesResponse), scope)
+	if err := s.AddConversionFunc((*NodeUnprepareResourceResponse)(nil), (*v1.NodeUnprepareResourceResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(a.(*NodeUnprepareResourceResponse), b.(*v1.NodeUnprepareResourceResponse), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*UnimplementedDRAPluginServer)(nil), (*v1.UnimplementedDRAPluginServer)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1beta1_UnimplementedDRAPluginServer_To_v1_UnimplementedDRAPluginServer(a.(*UnimplementedDRAPluginServer), b.(*v1.UnimplementedDRAPluginServer), scope)
+	if err := s.AddConversionFunc((*NodeUnprepareResourcesRequest)(nil), (*v1.NodeUnprepareResourcesRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(a.(*NodeUnprepareResourcesRequest), b.(*v1.NodeUnprepareResourcesRequest), scope)
 	}); err != nil {
 		return err
 	}
-	if err := s.AddGeneratedConversionFunc((*v1.UnimplementedDRAPluginServer)(nil), (*UnimplementedDRAPluginServer)(nil), func(a, b interface{}, scope conversion.Scope) error {
-		return Convert_v1_UnimplementedDRAPluginServer_To_v1beta1_UnimplementedDRAPluginServer(a.(*v1.UnimplementedDRAPluginServer), b.(*UnimplementedDRAPluginServer), scope)
+	if err := s.AddConversionFunc((*NodeUnprepareResourcesResponse)(nil), (*v1.NodeUnprepareResourcesResponse)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(a.(*NodeUnprepareResourcesResponse), b.(*v1.NodeUnprepareResourcesResponse), scope)
 	}); err != nil {
 		return err
 	}
@@ -130,209 +130,284 @@ func RegisterConversions(s *runtime.Scheme) error {
 }
 
 func autoConvert_v1beta1_Claim_To_v1_Claim(in *Claim, out *v1.Claim, s conversion.Scope) error {
+	// WARNING: out.state is not exported and cannot be set
 	out.Namespace = in.Namespace
-	out.UID = in.UID
+	out.Uid = in.Uid
 	out.Name = in.Name
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_Claim_To_v1_Claim is an autogenerated conversion function.
-func Convert_v1beta1_Claim_To_v1_Claim(in *Claim, out *v1.Claim, s conversion.Scope) error {
-	return autoConvert_v1beta1_Claim_To_v1_Claim(in, out, s)
-}
-
 func autoConvert_v1_Claim_To_v1beta1_Claim(in *v1.Claim, out *Claim, s conversion.Scope) error {
+	// WARNING: in.state is not exported and cannot be read
 	out.Namespace = in.Namespace
-	out.UID = in.UID
+	out.Uid = in.Uid
 	out.Name = in.Name
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_Claim_To_v1beta1_Claim is an autogenerated conversion function.
-func Convert_v1_Claim_To_v1beta1_Claim(in *v1.Claim, out *Claim, s conversion.Scope) error {
-	return autoConvert_v1_Claim_To_v1beta1_Claim(in, out, s)
-}
-
 func autoConvert_v1beta1_Device_To_v1_Device(in *Device, out *v1.Device, s conversion.Scope) error {
+	// WARNING: out.state is not exported and cannot be set
 	out.RequestNames = *(*[]string)(unsafe.Pointer(&in.RequestNames))
 	out.PoolName = in.PoolName
 	out.DeviceName = in.DeviceName
-	out.CDIDeviceIDs = *(*[]string)(unsafe.Pointer(&in.CDIDeviceIDs))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	out.CdiDeviceIds = *(*[]string)(unsafe.Pointer(&in.CdiDeviceIds))
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_Device_To_v1_Device is an autogenerated conversion function.
-func Convert_v1beta1_Device_To_v1_Device(in *Device, out *v1.Device, s conversion.Scope) error {
-	return autoConvert_v1beta1_Device_To_v1_Device(in, out, s)
-}
-
 func autoConvert_v1_Device_To_v1beta1_Device(in *v1.Device, out *Device, s conversion.Scope) error {
+	// WARNING: in.state is not exported and cannot be read
 	out.RequestNames = *(*[]string)(unsafe.Pointer(&in.RequestNames))
 	out.PoolName = in.PoolName
 	out.DeviceName = in.DeviceName
-	out.CDIDeviceIDs = *(*[]string)(unsafe.Pointer(&in.CDIDeviceIDs))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	out.CdiDeviceIds = *(*[]string)(unsafe.Pointer(&in.CdiDeviceIds))
+	// WARNING: in.ShareId requires manual conversion: does not exist in peer-type
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_Device_To_v1beta1_Device is an autogenerated conversion function.
-func Convert_v1_Device_To_v1beta1_Device(in *v1.Device, out *Device, s conversion.Scope) error {
-	return autoConvert_v1_Device_To_v1beta1_Device(in, out, s)
-}
-
 func autoConvert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(in *NodePrepareResourceResponse, out *v1.NodePrepareResourceResponse, s conversion.Scope) error {
-	out.Devices = *(*[]*v1.Device)(unsafe.Pointer(&in.Devices))
+	// WARNING: out.state is not exported and cannot be set
+	if in.Devices != nil {
+		in, out := &in.Devices, &out.Devices
+		*out = make([]*v1.Device, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(v1.Device)
+				if err := Convert_v1beta1_Device_To_v1_Device((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Devices = nil
+	}
 	out.Error = in.Error
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse is an autogenerated conversion function.
-func Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(in *NodePrepareResourceResponse, out *v1.NodePrepareResourceResponse, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(in, out, s)
-}
-
 func autoConvert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(in *v1.NodePrepareResourceResponse, out *NodePrepareResourceResponse, s conversion.Scope) error {
-	out.Devices = *(*[]*Device)(unsafe.Pointer(&in.Devices))
+	// WARNING: in.state is not exported and cannot be read
+	if in.Devices != nil {
+		in, out := &in.Devices, &out.Devices
+		*out = make([]*Device, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(Device)
+				if err := Convert_v1_Device_To_v1beta1_Device((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Devices = nil
+	}
 	out.Error = in.Error
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse is an autogenerated conversion function.
-func Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(in *v1.NodePrepareResourceResponse, out *NodePrepareResourceResponse, s conversion.Scope) error {
-	return autoConvert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(in, out, s)
-}
-
 func autoConvert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(in *NodePrepareResourcesRequest, out *v1.NodePrepareResourcesRequest, s conversion.Scope) error {
-	out.Claims = *(*[]*v1.Claim)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.state is not exported and cannot be set
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make([]*v1.Claim, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(v1.Claim)
+				if err := Convert_v1beta1_Claim_To_v1_Claim((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest is an autogenerated conversion function.
-func Convert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(in *NodePrepareResourcesRequest, out *v1.NodePrepareResourcesRequest, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodePrepareResourcesRequest_To_v1_NodePrepareResourcesRequest(in, out, s)
-}
-
 func autoConvert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(in *v1.NodePrepareResourcesRequest, out *NodePrepareResourcesRequest, s conversion.Scope) error {
-	out.Claims = *(*[]*Claim)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.state is not exported and cannot be read
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make([]*Claim, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(Claim)
+				if err := Convert_v1_Claim_To_v1beta1_Claim((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest is an autogenerated conversion function.
-func Convert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(in *v1.NodePrepareResourcesRequest, out *NodePrepareResourcesRequest, s conversion.Scope) error {
-	return autoConvert_v1_NodePrepareResourcesRequest_To_v1beta1_NodePrepareResourcesRequest(in, out, s)
-}
-
 func autoConvert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(in *NodePrepareResourcesResponse, out *v1.NodePrepareResourcesResponse, s conversion.Scope) error {
-	out.Claims = *(*map[string]*v1.NodePrepareResourceResponse)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.state is not exported and cannot be set
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(map[string]*v1.NodePrepareResourceResponse, len(*in))
+		for key, val := range *in {
+			newVal := new(*v1.NodePrepareResourceResponse)
+			if val != nil {
+				*newVal = new(v1.NodePrepareResourceResponse)
+				if err := Convert_v1beta1_NodePrepareResourceResponse_To_v1_NodePrepareResourceResponse(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse is an autogenerated conversion function.
-func Convert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(in *NodePrepareResourcesResponse, out *v1.NodePrepareResourcesResponse, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodePrepareResourcesResponse_To_v1_NodePrepareResourcesResponse(in, out, s)
-}
-
 func autoConvert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(in *v1.NodePrepareResourcesResponse, out *NodePrepareResourcesResponse, s conversion.Scope) error {
-	out.Claims = *(*map[string]*NodePrepareResourceResponse)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.state is not exported and cannot be read
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(map[string]*NodePrepareResourceResponse, len(*in))
+		for key, val := range *in {
+			newVal := new(*NodePrepareResourceResponse)
+			if val != nil {
+				*newVal = new(NodePrepareResourceResponse)
+				if err := Convert_v1_NodePrepareResourceResponse_To_v1beta1_NodePrepareResourceResponse(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse is an autogenerated conversion function.
-func Convert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(in *v1.NodePrepareResourcesResponse, out *NodePrepareResourcesResponse, s conversion.Scope) error {
-	return autoConvert_v1_NodePrepareResourcesResponse_To_v1beta1_NodePrepareResourcesResponse(in, out, s)
-}
-
 func autoConvert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(in *NodeUnprepareResourceResponse, out *v1.NodeUnprepareResourceResponse, s conversion.Scope) error {
+	// WARNING: out.state is not exported and cannot be set
 	out.Error = in.Error
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse is an autogenerated conversion function.
-func Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(in *NodeUnprepareResourceResponse, out *v1.NodeUnprepareResourceResponse, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(in, out, s)
-}
-
 func autoConvert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(in *v1.NodeUnprepareResourceResponse, out *NodeUnprepareResourceResponse, s conversion.Scope) error {
+	// WARNING: in.state is not exported and cannot be read
 	out.Error = in.Error
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse is an autogenerated conversion function.
-func Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(in *v1.NodeUnprepareResourceResponse, out *NodeUnprepareResourceResponse, s conversion.Scope) error {
-	return autoConvert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(in, out, s)
-}
-
 func autoConvert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(in *NodeUnprepareResourcesRequest, out *v1.NodeUnprepareResourcesRequest, s conversion.Scope) error {
-	out.Claims = *(*[]*v1.Claim)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.state is not exported and cannot be set
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make([]*v1.Claim, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(v1.Claim)
+				if err := Convert_v1beta1_Claim_To_v1_Claim((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest is an autogenerated conversion function.
-func Convert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(in *NodeUnprepareResourcesRequest, out *v1.NodeUnprepareResourcesRequest, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodeUnprepareResourcesRequest_To_v1_NodeUnprepareResourcesRequest(in, out, s)
-}
-
 func autoConvert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(in *v1.NodeUnprepareResourcesRequest, out *NodeUnprepareResourcesRequest, s conversion.Scope) error {
-	out.Claims = *(*[]*Claim)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.state is not exported and cannot be read
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make([]*Claim, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				(*out)[i] = new(Claim)
+				if err := Convert_v1_Claim_To_v1beta1_Claim((*in)[i], (*out)[i], s); err != nil {
+					return err
+				}
+			}
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest is an autogenerated conversion function.
-func Convert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(in *v1.NodeUnprepareResourcesRequest, out *NodeUnprepareResourcesRequest, s conversion.Scope) error {
-	return autoConvert_v1_NodeUnprepareResourcesRequest_To_v1beta1_NodeUnprepareResourcesRequest(in, out, s)
-}
-
 func autoConvert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(in *NodeUnprepareResourcesResponse, out *v1.NodeUnprepareResourcesResponse, s conversion.Scope) error {
-	out.Claims = *(*map[string]*v1.NodeUnprepareResourceResponse)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: out.state is not exported and cannot be set
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(map[string]*v1.NodeUnprepareResourceResponse, len(*in))
+		for key, val := range *in {
+			newVal := new(*v1.NodeUnprepareResourceResponse)
+			if val != nil {
+				*newVal = new(v1.NodeUnprepareResourceResponse)
+				if err := Convert_v1beta1_NodeUnprepareResourceResponse_To_v1_NodeUnprepareResourceResponse(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: out.unknownFields is not exported and cannot be set
+	// WARNING: out.sizeCache is not exported and cannot be set
 	return nil
 }
 
-// Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse is an autogenerated conversion function.
-func Convert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(in *NodeUnprepareResourcesResponse, out *v1.NodeUnprepareResourcesResponse, s conversion.Scope) error {
-	return autoConvert_v1beta1_NodeUnprepareResourcesResponse_To_v1_NodeUnprepareResourcesResponse(in, out, s)
-}
-
 func autoConvert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(in *v1.NodeUnprepareResourcesResponse, out *NodeUnprepareResourcesResponse, s conversion.Scope) error {
-	out.Claims = *(*map[string]*NodeUnprepareResourceResponse)(unsafe.Pointer(&in.Claims))
-	out.XXX_NoUnkeyedLiteral = in.XXX_NoUnkeyedLiteral
-	out.XXX_sizecache = in.XXX_sizecache
+	// WARNING: in.state is not exported and cannot be read
+	if in.Claims != nil {
+		in, out := &in.Claims, &out.Claims
+		*out = make(map[string]*NodeUnprepareResourceResponse, len(*in))
+		for key, val := range *in {
+			newVal := new(*NodeUnprepareResourceResponse)
+			if val != nil {
+				*newVal = new(NodeUnprepareResourceResponse)
+				if err := Convert_v1_NodeUnprepareResourceResponse_To_v1beta1_NodeUnprepareResourceResponse(val, *newVal, s); err != nil {
+					return err
+				}
+			}
+			(*out)[key] = *newVal
+		}
+	} else {
+		out.Claims = nil
+	}
+	// WARNING: in.unknownFields is not exported and cannot be read
+	// WARNING: in.sizeCache is not exported and cannot be read
 	return nil
 }
 
-// Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse is an autogenerated conversion function.
-func Convert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(in *v1.NodeUnprepareResourcesResponse, out *NodeUnprepareResourcesResponse, s conversion.Scope) error {
-	return autoConvert_v1_NodeUnprepareResourcesResponse_To_v1beta1_NodeUnprepareResourcesResponse(in, out, s)
-}
-
 func autoConvert_v1beta1_UnimplementedDRAPluginServer_To_v1_UnimplementedDRAPluginServer(in *UnimplementedDRAPluginServer, out *v1.UnimplementedDRAPluginServer, s conversion.Scope) error {
 	return nil
 }
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.pb.go b/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.pb.go
index a541d198b1596..5390af4519a0f 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.pb.go
+++ b/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.pb.go
@@ -641,6 +641,7 @@ type ClaimResource struct {
 	DriverName    string                 `protobuf:"bytes,2,opt,name=driver_name,json=driverName,proto3" json:"driver_name,omitempty"`
 	PoolName      string                 `protobuf:"bytes,3,opt,name=pool_name,json=poolName,proto3" json:"pool_name,omitempty"`
 	DeviceName    string                 `protobuf:"bytes,4,opt,name=device_name,json=deviceName,proto3" json:"device_name,omitempty"`
+	ShareId       *string                `protobuf:"bytes,5,opt,name=share_id,json=shareId,proto3,oneof" json:"share_id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -703,6 +704,13 @@ func (x *ClaimResource) GetDeviceName() string {
 	return ""
 }
 
+func (x *ClaimResource) GetShareId() string {
+	if x != nil && x.ShareId != nil {
+		return *x.ShareId
+	}
+	return ""
+}
+
 // CDIDevice specifies a CDI device information
 type CDIDevice struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
@@ -927,7 +935,7 @@ var file_staging_src_k8s_io_kubelet_pkg_apis_podresources_v1_api_proto_rawDesc =
 	0x0f, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73,
 	0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69,
 	0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0e, 0x63, 0x6c, 0x61, 0x69, 0x6d,
-	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x22, 0x9e, 0x01, 0x0a, 0x0d, 0x43, 0x6c,
+	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x22, 0xcb, 0x01, 0x0a, 0x0d, 0x43, 0x6c,
 	0x61, 0x69, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x0b, 0x63,
 	0x64, 0x69, 0x5f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
 	0x32, 0x0d, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x44, 0x49, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52,
@@ -937,39 +945,42 @@ var file_staging_src_k8s_io_kubelet_pkg_apis_podresources_v1_api_proto_rawDesc =
 	0x70, 0x6f, 0x6f, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
 	0x08, 0x70, 0x6f, 0x6f, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x64, 0x65, 0x76,
 	0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
-	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x1f, 0x0a, 0x09, 0x43, 0x44,
-	0x49, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x58, 0x0a, 0x16, 0x47,
-	0x65, 0x74, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65,
-	0x12, 0x23, 0x0a, 0x0d, 0x70, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65,
-	0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x50, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x64, 0x52,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x35, 0x0a, 0x0d, 0x70, 0x6f, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x64,
-	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x0c, 0x70, 0x6f, 0x64, 0x52, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x32, 0xfb, 0x01, 0x0a, 0x12, 0x50, 0x6f, 0x64, 0x52,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x43,
-	0x0a, 0x04, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x1b, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x08, 0x73, 0x68,
+	0x61, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x07,
+	0x73, 0x68, 0x61, 0x72, 0x65, 0x49, 0x64, 0x88, 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x73,
+	0x68, 0x61, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x22, 0x1f, 0x0a, 0x09, 0x43, 0x44, 0x49, 0x44, 0x65,
+	0x76, 0x69, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x58, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x50,
+	0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a,
+	0x0d, 0x70, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
+	0x63, 0x65, 0x22, 0x50, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x35, 0x0a,
+	0x0d, 0x70, 0x6f, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x0c, 0x70, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x73, 0x32, 0xfb, 0x01, 0x0a, 0x12, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x43, 0x0a, 0x04, 0x4c,
+	0x69, 0x73, 0x74, 0x12, 0x1b, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x6f, 0x64,
+	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x1c, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
+	0x12, 0x5e, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x61, 0x62,
+	0x6c, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x1f, 0x2e, 0x76, 0x31,
+	0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x76,
+	0x31, 0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
+	0x12, 0x40, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x1a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74,
 	0x50, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x6f, 0x64,
-	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x00, 0x12, 0x5e, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61,
-	0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x1f,
-	0x2e, 0x76, 0x31, 0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x20, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x61, 0x62, 0x6c, 0x65,
-	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x1a, 0x2e, 0x76, 0x31, 0x2e,
-	0x47, 0x65, 0x74, 0x50, 0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50,
-	0x6f, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f,
-	0x6b, 0x75, 0x62, 0x65, 0x6c, 0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73,
-	0x2f, 0x70, 0x6f, 0x64, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x64, 0x52,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x6b, 0x75, 0x62,
+	0x65, 0x6c, 0x65, 0x74, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x70, 0x6f,
+	0x64, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 })
 
 var (
@@ -1034,6 +1045,7 @@ func file_staging_src_k8s_io_kubelet_pkg_apis_podresources_v1_api_proto_init() {
 	if File_staging_src_k8s_io_kubelet_pkg_apis_podresources_v1_api_proto != nil {
 		return
 	}
+	file_staging_src_k8s_io_kubelet_pkg_apis_podresources_v1_api_proto_msgTypes[11].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.proto b/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.proto
index 047ee50307d85..8b2474e718c32 100644
--- a/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.proto
+++ b/staging/src/k8s.io/kubelet/pkg/apis/podresources/v1/api.proto
@@ -88,6 +88,7 @@ message ClaimResource {
     string driver_name = 2;
     string pool_name = 3;
     string device_name = 4;
+    optional string share_id = 5;
 }
 
 // CDIDevice specifies a CDI device information
diff --git a/staging/src/k8s.io/kubelet/pkg/cri/streaming/remotecommand/httpstream.go b/staging/src/k8s.io/kubelet/pkg/cri/streaming/remotecommand/httpstream.go
index 62e301ae9293b..185a3db627322 100644
--- a/staging/src/k8s.io/kubelet/pkg/cri/streaming/remotecommand/httpstream.go
+++ b/staging/src/k8s.io/kubelet/pkg/cri/streaming/remotecommand/httpstream.go
@@ -126,7 +126,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
 func createHTTPStreamStreams(req *http.Request, w http.ResponseWriter, opts *Options, supportedStreamProtocols []string, idleTimeout, streamCreationTimeout time.Duration) (*connectionContext, bool) {
 	protocol, err := httpstream.Handshake(req, w, supportedStreamProtocols)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
+		// Handshake writes the error to the client
 		return nil, false
 	}
 
diff --git a/staging/src/k8s.io/metrics/go.mod b/staging/src/k8s.io/metrics/go.mod
index a4ec35de3a93e..fae43851b038e 100644
--- a/staging/src/k8s.io/metrics/go.mod
+++ b/staging/src/k8s.io/metrics/go.mod
@@ -2,13 +2,12 @@
 
 module k8s.io/metrics
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/gogo/protobuf v1.3.2
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	k8s.io/api v0.0.0
 	k8s.io/apimachinery v0.0.0
 	k8s.io/client-go v0.0.0
@@ -19,7 +18,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -32,38 +31,36 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/expect v0.1.0-deprecated // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/metrics/go.sum b/staging/src/k8s.io/metrics/go.sum
index 2dc3dc9b8f9db..e0af126e32a47 100644
--- a/staging/src/k8s.io/metrics/go.sum
+++ b/staging/src/k8s.io/metrics/go.sum
@@ -1,4 +1,6 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -10,8 +12,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -22,7 +24,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -31,8 +32,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -41,8 +42,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -62,20 +61,18 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWu
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -85,89 +82,63 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/doc.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/doc.go
index b42d1c7dfbac9..0e9d313f754c4 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/doc.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/metrics/pkg/apis/custom_metrics
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.metrics.pkg.apis.custom_metrics.v1beta1
 
 // Package v1beta1 is the v1beta1 version of the custom_metrics API.
 package v1beta1
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.pb.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.pb.go
index fdc584e16ce77..b373434edc1bc 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.pb.go
@@ -24,161 +24,18 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v11 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *MetricListOptions) Reset() { *m = MetricListOptions{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *MetricValue) Reset() { *m = MetricValue{} }
 
-func (m *MetricListOptions) Reset()      { *m = MetricListOptions{} }
-func (*MetricListOptions) ProtoMessage() {}
-func (*MetricListOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_98fc7cab6d0de146, []int{0}
-}
-func (m *MetricListOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricListOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricListOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricListOptions.Merge(m, src)
-}
-func (m *MetricListOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricListOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricListOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricListOptions proto.InternalMessageInfo
-
-func (m *MetricValue) Reset()      { *m = MetricValue{} }
-func (*MetricValue) ProtoMessage() {}
-func (*MetricValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_98fc7cab6d0de146, []int{1}
-}
-func (m *MetricValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValue.Merge(m, src)
-}
-func (m *MetricValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricValue proto.InternalMessageInfo
-
-func (m *MetricValueList) Reset()      { *m = MetricValueList{} }
-func (*MetricValueList) ProtoMessage() {}
-func (*MetricValueList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_98fc7cab6d0de146, []int{2}
-}
-func (m *MetricValueList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValueList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValueList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValueList.Merge(m, src)
-}
-func (m *MetricValueList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValueList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValueList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricValueList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*MetricListOptions)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta1.MetricListOptions")
-	proto.RegisterType((*MetricValue)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta1.MetricValue")
-	proto.RegisterType((*MetricValueList)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta1.MetricValueList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.proto", fileDescriptor_98fc7cab6d0de146)
-}
-
-var fileDescriptor_98fc7cab6d0de146 = []byte{
-	// 605 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x94, 0x4f, 0x4f, 0xd4, 0x4e,
-	0x1c, 0xc6, 0xb7, 0xec, 0x6f, 0xc9, 0x32, 0xfc, 0x08, 0x32, 0xc4, 0xd8, 0x60, 0x52, 0xc8, 0x7a,
-	0x41, 0x13, 0xa7, 0x01, 0x8d, 0x31, 0x21, 0xf1, 0xd0, 0x78, 0x31, 0x61, 0x25, 0x16, 0xa2, 0x89,
-	0x7f, 0xa2, 0xd3, 0xe9, 0x97, 0x32, 0xb2, 0xed, 0x34, 0x9d, 0xe9, 0x12, 0x6e, 0xbe, 0x04, 0xdf,
-	0x81, 0x6f, 0x87, 0x23, 0xde, 0x38, 0x11, 0xb7, 0xc6, 0xf7, 0x61, 0x3a, 0x9d, 0xee, 0x1f, 0x16,
-	0x95, 0xbd, 0xb5, 0xd3, 0xe7, 0xf9, 0xcc, 0x33, 0xdf, 0x67, 0x52, 0xf4, 0xec, 0xf8, 0xa9, 0x24,
-	0x5c, 0xb8, 0x31, 0xa8, 0x8c, 0x33, 0xe9, 0xa6, 0xc7, 0x91, 0x4b, 0x53, 0x2e, 0x5d, 0x96, 0x4b,
-	0x25, 0xe2, 0x8f, 0xf5, 0x7a, 0x7f, 0x2b, 0x00, 0x45, 0xb7, 0xdc, 0x08, 0x12, 0xc8, 0xa8, 0x82,
-	0x90, 0xa4, 0x99, 0x50, 0x02, 0x93, 0xca, 0x4f, 0x8c, 0x8e, 0xa4, 0xc7, 0x11, 0x29, 0xfd, 0x64,
-	0xd2, 0x4f, 0x8c, 0x7f, 0xed, 0x61, 0xc4, 0xd5, 0x51, 0x1e, 0x10, 0x26, 0x62, 0x37, 0x12, 0x91,
-	0x70, 0x35, 0x26, 0xc8, 0x0f, 0xf5, 0x9b, 0x7e, 0xd1, 0x4f, 0x15, 0x7e, 0xad, 0x63, 0xe2, 0xd1,
-	0x94, 0xbb, 0x4c, 0x64, 0xe0, 0xf6, 0xa7, 0x22, 0xac, 0x3d, 0x1e, 0x69, 0x62, 0xca, 0x8e, 0x78,
-	0x02, 0xd9, 0x69, 0x7d, 0x0e, 0x37, 0x03, 0x29, 0xf2, 0x8c, 0xc1, 0x4c, 0x2e, 0x59, 0x8e, 0x83,
-	0x5e, 0xb7, 0x97, 0xfb, 0x27, 0x57, 0x96, 0x27, 0x8a, 0xc7, 0xd3, 0xdb, 0x3c, 0xf9, 0x97, 0x41,
-	0xb2, 0x23, 0x88, 0xe9, 0x55, 0x5f, 0xe7, 0x9b, 0x85, 0x56, 0xba, 0x7a, 0x76, 0xbb, 0x5c, 0xaa,
-	0xbd, 0x54, 0x71, 0x91, 0x48, 0xbc, 0x83, 0x96, 0x7a, 0x34, 0x80, 0xde, 0x3e, 0xf4, 0x80, 0x29,
-	0x91, 0xd9, 0xd6, 0x86, 0xb5, 0xb9, 0xe0, 0xdd, 0x3e, 0xbb, 0x5c, 0x6f, 0x14, 0x97, 0xeb, 0x4b,
-	0xbb, 0xe3, 0x1f, 0xfd, 0x49, 0x2d, 0xee, 0xa2, 0xd5, 0xaa, 0x8d, 0x09, 0x95, 0x3d, 0xa7, 0x11,
-	0x77, 0x0d, 0x62, 0xb5, 0x3b, 0x2d, 0xf1, 0xaf, 0xf3, 0x75, 0x7e, 0x35, 0xd1, 0x62, 0x25, 0x7e,
-	0x4d, 0x7b, 0x39, 0xe0, 0x43, 0xb4, 0x1c, 0x82, 0x64, 0x19, 0x0f, 0x20, 0xdc, 0x0b, 0x3e, 0x03,
-	0x53, 0x3a, 0xdd, 0xe2, 0xf6, 0xbd, 0xfa, 0x8e, 0xd0, 0x94, 0x93, 0xb2, 0x44, 0xd2, 0xdf, 0x22,
-	0x95, 0xc2, 0x87, 0x43, 0xc8, 0x20, 0x61, 0xe0, 0xdd, 0x31, 0xfb, 0x2f, 0x3f, 0x9f, 0x64, 0xf8,
-	0x57, 0xa1, 0x78, 0x1b, 0xa1, 0x2a, 0xce, 0x4b, 0x1a, 0x83, 0x49, 0x8f, 0x8d, 0x1b, 0x75, 0x87,
-	0x5f, 0xfc, 0x31, 0x15, 0x7e, 0x87, 0x16, 0xca, 0x61, 0x4b, 0x45, 0xe3, 0xd4, 0x6e, 0xea, 0x54,
-	0x0f, 0xc6, 0x52, 0x0d, 0x9b, 0x19, 0x5d, 0xdf, 0xf2, 0x02, 0x94, 0x39, 0x0f, 0x78, 0x0c, 0xde,
-	0x8a, 0xc1, 0x2f, 0x1c, 0xd4, 0x10, 0x7f, 0xc4, 0xc3, 0xf7, 0xd1, 0xfc, 0x09, 0x4f, 0x42, 0x71,
-	0x62, 0xff, 0xb7, 0x61, 0x6d, 0x36, 0xbd, 0x95, 0xb2, 0x89, 0x37, 0x7a, 0x65, 0x1f, 0x98, 0x48,
-	0x42, 0xe9, 0x1b, 0x01, 0xde, 0x47, 0xad, 0x7e, 0x39, 0x2c, 0xbb, 0xa5, 0x33, 0x90, 0xbf, 0x65,
-	0x20, 0xf5, 0xd5, 0x25, 0xaf, 0x72, 0x9a, 0x28, 0xae, 0x4e, 0xbd, 0x25, 0x93, 0xa3, 0xa5, 0x27,
-	0xee, 0x57, 0x2c, 0xfc, 0x01, 0xb5, 0x65, 0x5d, 0xe6, 0xbc, 0xe6, 0x3e, 0xba, 0xd9, 0xd9, 0x26,
-	0xfa, 0xf4, 0xfe, 0x2f, 0x2e, 0xd7, 0xdb, 0xc3, 0xca, 0x87, 0xc8, 0xce, 0x77, 0x0b, 0x2d, 0x8f,
-	0xf5, 0x5c, 0x5e, 0x47, 0xfc, 0x1e, 0xb5, 0x4b, 0x48, 0x48, 0x15, 0x35, 0x25, 0x93, 0x1b, 0x6e,
-	0xc9, 0xa5, 0xea, 0x82, 0xa2, 0xde, 0x2d, 0x73, 0x94, 0x76, 0xbd, 0xe2, 0x0f, 0x89, 0xf8, 0x13,
-	0x6a, 0x71, 0x05, 0xb1, 0xb4, 0xe7, 0x36, 0x9a, 0x9b, 0x8b, 0xdb, 0x3b, 0x33, 0xfe, 0x63, 0xc8,
-	0x58, 0xda, 0xd1, 0xc8, 0x5e, 0x94, 0x44, 0xbf, 0x02, 0x7b, 0x07, 0x67, 0x03, 0xa7, 0x71, 0x3e,
-	0x70, 0x1a, 0x17, 0x03, 0xa7, 0xf1, 0xa5, 0x70, 0xac, 0xb3, 0xc2, 0xb1, 0xce, 0x0b, 0xc7, 0xba,
-	0x28, 0x1c, 0xeb, 0x47, 0xe1, 0x58, 0x5f, 0x7f, 0x3a, 0x8d, 0xb7, 0x64, 0xb6, 0x7f, 0xe3, 0xef,
-	0x00, 0x00, 0x00, 0xff, 0xff, 0xca, 0x29, 0x1e, 0x18, 0x4c, 0x05, 0x00, 0x00,
-}
+func (m *MetricValueList) Reset() { *m = MetricValueList{} }
 
 func (m *MetricListOptions) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..872494dc34d2a
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,28 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*MetricListOptions) ProtoMessage() {}
+
+func (*MetricValue) ProtoMessage() {}
+
+func (*MetricValueList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..452a385dd0af4
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,37 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricListOptions) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta1.MetricListOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValue) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta1.MetricValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValueList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta1.MetricValueList"
+}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/doc.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/doc.go
index d7c6d3a9a9a21..2dbe251bc1881 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/doc.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/metrics/pkg/apis/custom_metrics
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.metrics.pkg.apis.custom_metrics.v1beta2
 
 // Package v1beta2 is the v1beta2 version of the custom_metrics API.
 package v1beta2
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.pb.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.pb.go
index cac356eef4196..5e9fe48e0ec2b 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.pb.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.pb.go
@@ -24,193 +24,20 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *MetricIdentifier) Reset() { *m = MetricIdentifier{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *MetricListOptions) Reset() { *m = MetricListOptions{} }
 
-func (m *MetricIdentifier) Reset()      { *m = MetricIdentifier{} }
-func (*MetricIdentifier) ProtoMessage() {}
-func (*MetricIdentifier) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b98a5b8632255b7a, []int{0}
-}
-func (m *MetricIdentifier) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricIdentifier) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricIdentifier) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricIdentifier.Merge(m, src)
-}
-func (m *MetricIdentifier) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricIdentifier) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricIdentifier.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricIdentifier proto.InternalMessageInfo
-
-func (m *MetricListOptions) Reset()      { *m = MetricListOptions{} }
-func (*MetricListOptions) ProtoMessage() {}
-func (*MetricListOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b98a5b8632255b7a, []int{1}
-}
-func (m *MetricListOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricListOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricListOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricListOptions.Merge(m, src)
-}
-func (m *MetricListOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricListOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricListOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricListOptions proto.InternalMessageInfo
-
-func (m *MetricValue) Reset()      { *m = MetricValue{} }
-func (*MetricValue) ProtoMessage() {}
-func (*MetricValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b98a5b8632255b7a, []int{2}
-}
-func (m *MetricValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValue.Merge(m, src)
-}
-func (m *MetricValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_MetricValue proto.InternalMessageInfo
-
-func (m *MetricValueList) Reset()      { *m = MetricValueList{} }
-func (*MetricValueList) ProtoMessage() {}
-func (*MetricValueList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_b98a5b8632255b7a, []int{3}
-}
-func (m *MetricValueList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *MetricValueList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *MetricValueList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_MetricValueList.Merge(m, src)
-}
-func (m *MetricValueList) XXX_Size() int {
-	return m.Size()
-}
-func (m *MetricValueList) XXX_DiscardUnknown() {
-	xxx_messageInfo_MetricValueList.DiscardUnknown(m)
-}
+func (m *MetricValue) Reset() { *m = MetricValue{} }
 
-var xxx_messageInfo_MetricValueList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*MetricIdentifier)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta2.MetricIdentifier")
-	proto.RegisterType((*MetricListOptions)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta2.MetricListOptions")
-	proto.RegisterType((*MetricValue)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta2.MetricValue")
-	proto.RegisterType((*MetricValueList)(nil), "k8s.io.metrics.pkg.apis.custom_metrics.v1beta2.MetricValueList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.proto", fileDescriptor_b98a5b8632255b7a)
-}
-
-var fileDescriptor_b98a5b8632255b7a = []byte{
-	// 644 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0x5f, 0x6b, 0x13, 0x4f,
-	0x14, 0xcd, 0x36, 0x4d, 0x49, 0x26, 0xcd, 0xaf, 0xed, 0x96, 0x1f, 0x86, 0x0a, 0xdb, 0x10, 0x5f,
-	0x82, 0xe0, 0x2c, 0x8d, 0xa2, 0x42, 0x41, 0x64, 0xf1, 0xa5, 0xd0, 0x58, 0xdc, 0x16, 0x05, 0xff,
-	0xa0, 0x93, 0xdd, 0x9b, 0x64, 0x6c, 0x76, 0x67, 0x99, 0x99, 0x4d, 0xe9, 0x9b, 0x1f, 0x41, 0xf0,
-	0x03, 0xf8, 0x75, 0x8a, 0x4f, 0xf5, 0xad, 0x4f, 0xc5, 0xae, 0x5f, 0x44, 0x76, 0x76, 0xb6, 0xf9,
-	0xd3, 0xaa, 0x8d, 0x6f, 0x99, 0x9d, 0x73, 0xce, 0x3d, 0xf7, 0x9e, 0x3b, 0x41, 0x4f, 0x0e, 0x1f,
-	0x0b, 0x4c, 0x99, 0x1d, 0x80, 0xe4, 0xd4, 0x13, 0x76, 0x74, 0xd8, 0xb7, 0x49, 0x44, 0x85, 0xed,
-	0xc5, 0x42, 0xb2, 0xe0, 0x7d, 0xfe, 0x7d, 0xb4, 0xd5, 0x05, 0x49, 0xda, 0x76, 0x1f, 0x42, 0xe0,
-	0x44, 0x82, 0x8f, 0x23, 0xce, 0x24, 0x33, 0x71, 0xc6, 0xc7, 0x1a, 0x87, 0xa3, 0xc3, 0x3e, 0x4e,
-	0xf9, 0x78, 0x9a, 0x8f, 0x35, 0x7f, 0xe3, 0x5e, 0x9f, 0xca, 0x41, 0xdc, 0xc5, 0x1e, 0x0b, 0xec,
-	0x3e, 0xeb, 0x33, 0x5b, 0xc9, 0x74, 0xe3, 0x9e, 0x3a, 0xa9, 0x83, 0xfa, 0x95, 0xc9, 0x6f, 0x34,
-	0xb5, 0x3d, 0x12, 0x51, 0xdb, 0x63, 0x1c, 0xec, 0xd1, 0xd6, 0xac, 0x85, 0x8d, 0x07, 0x63, 0x4c,
-	0x40, 0xbc, 0x01, 0x0d, 0x81, 0x1f, 0xe7, 0x7d, 0xd8, 0x1c, 0x04, 0x8b, 0xb9, 0x07, 0x73, 0xb1,
-	0x44, 0x3a, 0x0e, 0x72, 0x5d, 0x2d, 0xfb, 0x77, 0x2c, 0x1e, 0x87, 0x92, 0x06, 0x57, 0xcb, 0x3c,
-	0xfc, 0x1b, 0x41, 0x78, 0x03, 0x08, 0xc8, 0x2c, 0xaf, 0xf9, 0xc5, 0x40, 0xab, 0x1d, 0x35, 0xbb,
-	0x1d, 0x1f, 0x42, 0x49, 0x7b, 0x14, 0xb8, 0xd9, 0x40, 0x8b, 0x21, 0x09, 0xa0, 0x6e, 0x34, 0x8c,
-	0x56, 0xc5, 0x59, 0x3e, 0x39, 0xdf, 0x2c, 0x24, 0xe7, 0x9b, 0x8b, 0xcf, 0x49, 0x00, 0xae, 0xba,
-	0x31, 0xdf, 0xa1, 0xb2, 0x80, 0x21, 0x78, 0x92, 0xf1, 0xfa, 0x42, 0xc3, 0x68, 0x55, 0xdb, 0xf7,
-	0xf3, 0x84, 0x26, 0x1d, 0x8c, 0x63, 0x4a, 0x1b, 0xc5, 0xa3, 0x2d, 0xbc, 0x4b, 0xba, 0x30, 0xdc,
-	0xd7, 0x54, 0x67, 0x39, 0x39, 0xdf, 0x2c, 0xe7, 0x27, 0xf7, 0x52, 0xb2, 0xf9, 0xd5, 0x40, 0x6b,
-	0x99, 0xab, 0x5d, 0x2a, 0xe4, 0x5e, 0x24, 0x29, 0x0b, 0x85, 0xb9, 0x8d, 0x6a, 0xc3, 0x49, 0xba,
-	0xf6, 0xf7, 0xbf, 0xf6, 0x57, 0x9b, 0xd2, 0x76, 0xa7, 0xb1, 0x66, 0x07, 0xad, 0x67, 0x3b, 0x32,
-	0x85, 0x52, 0xe6, 0x2b, 0xce, 0x6d, 0x2d, 0xb1, 0xde, 0xb9, 0x0a, 0x71, 0xaf, 0xe3, 0x35, 0xbf,
-	0x15, 0x51, 0x35, 0x03, 0xbf, 0x24, 0xc3, 0x18, 0xcc, 0x1e, 0x5a, 0xf1, 0x41, 0x78, 0x9c, 0x76,
-	0xc1, 0xdf, 0xeb, 0x7e, 0x04, 0x4f, 0x2a, 0x77, 0xd5, 0xf6, 0x9d, 0x89, 0xb9, 0xe0, 0x74, 0xb5,
-	0xd2, 0x29, 0x64, 0x08, 0x17, 0x7a, 0xc0, 0x21, 0xf4, 0xc0, 0xb9, 0xa5, 0xeb, 0xaf, 0x3c, 0x9b,
-	0xd6, 0x70, 0x67, 0x45, 0xcd, 0x01, 0x5a, 0xca, 0xec, 0xe8, 0xb1, 0x3f, 0x9d, 0xf3, 0x61, 0xe0,
-	0xd9, 0xb0, 0x9d, 0xff, 0x74, 0xed, 0xa5, 0xec, 0xc6, 0xd5, 0xfa, 0xe6, 0x1b, 0x54, 0x49, 0x17,
-	0x47, 0x48, 0x12, 0x44, 0xf5, 0xa2, 0x2a, 0x76, 0xf7, 0x66, 0x19, 0x1f, 0xd0, 0x00, 0x9c, 0x35,
-	0x2d, 0x5b, 0x39, 0xc8, 0x45, 0xdc, 0xb1, 0x9e, 0xf9, 0x08, 0xd5, 0x8e, 0x68, 0xe8, 0xb3, 0xa3,
-	0x7d, 0xf0, 0x58, 0xe8, 0x8b, 0xfa, 0x62, 0xc3, 0x68, 0x15, 0x9d, 0xb5, 0x34, 0xc6, 0x57, 0x93,
-	0x17, 0xee, 0x34, 0xce, 0xdc, 0x47, 0xa5, 0x51, 0x3a, 0xf0, 0x7a, 0x49, 0x39, 0xc2, 0x7f, 0x72,
-	0x84, 0xf3, 0x47, 0x89, 0x5f, 0xc4, 0x24, 0x94, 0x54, 0x1e, 0x3b, 0x35, 0xed, 0xaa, 0xa4, 0x52,
-	0x73, 0x33, 0xad, 0xe6, 0x77, 0x03, 0xad, 0x4c, 0x84, 0x99, 0xee, 0x9c, 0xf9, 0x16, 0x95, 0xd3,
-	0x7e, 0x7c, 0x22, 0x89, 0x4e, 0x12, 0xdf, 0x70, 0xc3, 0xa9, 0x90, 0x1d, 0x90, 0xc4, 0x59, 0xd5,
-	0xb5, 0xca, 0xf9, 0x17, 0xf7, 0x52, 0xd1, 0xfc, 0x80, 0x4a, 0x54, 0x42, 0x20, 0xea, 0x0b, 0x8d,
-	0x62, 0xab, 0xda, 0xde, 0xfe, 0xb7, 0x14, 0x95, 0xdb, 0x71, 0x4f, 0x3b, 0xa9, 0xa2, 0x9b, 0x09,
-	0x3b, 0x07, 0x27, 0x17, 0x56, 0xe1, 0xf4, 0xc2, 0x2a, 0x9c, 0x5d, 0x58, 0x85, 0x4f, 0x89, 0x65,
-	0x9c, 0x24, 0x96, 0x71, 0x9a, 0x58, 0xc6, 0x59, 0x62, 0x19, 0x3f, 0x12, 0xcb, 0xf8, 0xfc, 0xd3,
-	0x2a, 0xbc, 0xc6, 0xf3, 0xfd, 0x2d, 0xff, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x00, 0x18, 0x0c, 0x91,
-	0xc7, 0x05, 0x00, 0x00,
-}
+func (m *MetricValueList) Reset() { *m = MetricValueList{} }
 
 func (m *MetricIdentifier) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.protomessage.pb.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..0297549bfdc70
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta2
+
+func (*MetricIdentifier) ProtoMessage() {}
+
+func (*MetricListOptions) ProtoMessage() {}
+
+func (*MetricValue) ProtoMessage() {}
+
+func (*MetricValueList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/zz_generated.model_name.go b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/zz_generated.model_name.go
new file mode 100644
index 0000000000000..e86039e298d62
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/custom_metrics/v1beta2/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta2
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricIdentifier) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta2.MetricIdentifier"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricListOptions) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta2.MetricListOptions"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValue) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta2.MetricValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in MetricValueList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.custom_metrics.v1beta2.MetricValueList"
+}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/doc.go b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/doc.go
index 7e1d6e0ababbf..f875c9a2622cb 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/doc.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/doc.go
@@ -18,6 +18,7 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/metrics/pkg/apis/external_metrics
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.metrics.pkg.apis.external_metrics.v1beta1
 
 // Package v1beta1 is the v1beta1 version of the external metrics API.
 package v1beta1
diff --git a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.pb.go b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.pb.go
index d959a409e50a6..4fecc1014dbe7 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.pb.go
@@ -23,130 +23,16 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ExternalMetricValue) Reset() { *m = ExternalMetricValue{} }
 
-func (m *ExternalMetricValue) Reset()      { *m = ExternalMetricValue{} }
-func (*ExternalMetricValue) ProtoMessage() {}
-func (*ExternalMetricValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_56302cb587e818f0, []int{0}
-}
-func (m *ExternalMetricValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricValue.Merge(m, src)
-}
-func (m *ExternalMetricValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExternalMetricValue proto.InternalMessageInfo
-
-func (m *ExternalMetricValueList) Reset()      { *m = ExternalMetricValueList{} }
-func (*ExternalMetricValueList) ProtoMessage() {}
-func (*ExternalMetricValueList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_56302cb587e818f0, []int{1}
-}
-func (m *ExternalMetricValueList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExternalMetricValueList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExternalMetricValueList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExternalMetricValueList.Merge(m, src)
-}
-func (m *ExternalMetricValueList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExternalMetricValueList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExternalMetricValueList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExternalMetricValueList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ExternalMetricValue)(nil), "k8s.io.metrics.pkg.apis.external_metrics.v1beta1.ExternalMetricValue")
-	proto.RegisterMapType((map[string]string)(nil), "k8s.io.metrics.pkg.apis.external_metrics.v1beta1.ExternalMetricValue.MetricLabelsEntry")
-	proto.RegisterType((*ExternalMetricValueList)(nil), "k8s.io.metrics.pkg.apis.external_metrics.v1beta1.ExternalMetricValueList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.proto", fileDescriptor_56302cb587e818f0)
-}
-
-var fileDescriptor_56302cb587e818f0 = []byte{
-	// 539 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x94, 0xcf, 0x6b, 0xdb, 0x30,
-	0x14, 0xc7, 0xad, 0x78, 0x19, 0x8d, 0xda, 0x42, 0xa3, 0x15, 0x66, 0x72, 0x70, 0x42, 0x4f, 0xd9,
-	0x60, 0x52, 0x13, 0xc6, 0x28, 0xbb, 0x6c, 0x18, 0x72, 0x18, 0x34, 0x83, 0xb9, 0xa5, 0x85, 0x6d,
-	0x30, 0x14, 0x47, 0x73, 0xb4, 0xc4, 0x3f, 0xb0, 0xe4, 0x74, 0xb9, 0xed, 0x4f, 0xd8, 0xfe, 0xab,
-	0x1c, 0x7b, 0xec, 0x29, 0x2c, 0xee, 0x9f, 0xb1, 0xcb, 0xb0, 0x6c, 0x37, 0x59, 0xd2, 0xb5, 0x04,
-	0x7a, 0xf3, 0x93, 0xf4, 0xbe, 0xef, 0xf3, 0xbe, 0xef, 0x61, 0xf8, 0x76, 0x78, 0x24, 0x30, 0x0f,
-	0x88, 0xc7, 0x64, 0xc4, 0x1d, 0x41, 0xc2, 0xa1, 0x4b, 0x68, 0xc8, 0x05, 0x61, 0xdf, 0x25, 0x8b,
-	0x7c, 0x3a, 0xfa, 0x52, 0xdc, 0x8c, 0x5b, 0x3d, 0x26, 0x69, 0x8b, 0xb8, 0xcc, 0x67, 0x11, 0x95,
-	0xac, 0x8f, 0xc3, 0x28, 0x90, 0x01, 0x3a, 0xcc, 0x14, 0x70, 0xfe, 0x0e, 0x87, 0x43, 0x17, 0xa7,
-	0x0a, 0x78, 0x55, 0x01, 0xe7, 0x0a, 0xb5, 0x17, 0x2e, 0x97, 0x83, 0xb8, 0x87, 0x9d, 0xc0, 0x23,
-	0x6e, 0xe0, 0x06, 0x44, 0x09, 0xf5, 0xe2, 0xaf, 0x2a, 0x52, 0x81, 0xfa, 0xca, 0x0a, 0xd4, 0x5e,
-	0xe6, 0x88, 0x34, 0xe4, 0x1e, 0x75, 0x06, 0xdc, 0x67, 0xd1, 0xa4, 0xe0, 0x24, 0x11, 0x13, 0x41,
-	0x1c, 0x39, 0x6c, 0x15, 0xeb, 0xce, 0x2c, 0x91, 0xb6, 0x4b, 0xc9, 0x78, 0xad, 0x99, 0x1a, 0xf9,
-	0x5f, 0x56, 0x14, 0xfb, 0x92, 0x7b, 0xeb, 0x65, 0x5e, 0xdd, 0x97, 0x20, 0x9c, 0x01, 0xf3, 0xe8,
-	0x6a, 0xde, 0xc1, 0x1f, 0x1d, 0x3e, 0xe9, 0xe4, 0x06, 0x75, 0x95, 0x3f, 0x67, 0x74, 0x14, 0x33,
-	0xd4, 0x86, 0x30, 0xb3, 0xeb, 0x3d, 0xf5, 0x98, 0x01, 0x1a, 0xa0, 0x59, 0xb1, 0xd0, 0x74, 0x56,
-	0xd7, 0x92, 0x59, 0x1d, 0x76, 0x6f, 0x6e, 0xec, 0xa5, 0x57, 0xe8, 0x17, 0x80, 0x3b, 0x59, 0x78,
-	0x4c, 0x7b, 0x6c, 0x24, 0x8c, 0x52, 0x43, 0x6f, 0x6e, 0xb7, 0xcf, 0xf1, 0xa6, 0x93, 0xc1, 0xb7,
-	0x10, 0xe1, 0xee, 0x92, 0x72, 0xc7, 0x97, 0xd1, 0xc4, 0xda, 0xcf, 0x79, 0x76, 0x96, 0xaf, 0xec,
-	0x7f, 0x10, 0xd0, 0x27, 0x58, 0x49, 0xdb, 0x17, 0x92, 0x7a, 0xa1, 0xa1, 0x37, 0x40, 0x73, 0xbb,
-	0xfd, 0xbc, 0xe0, 0x59, 0xf6, 0x6a, 0x01, 0x95, 0x8e, 0x04, 0x8f, 0x5b, 0xf8, 0x94, 0x7b, 0xcc,
-	0xaa, 0xe6, 0x25, 0x2a, 0xa7, 0x85, 0x88, 0xbd, 0xd0, 0x43, 0xcf, 0xe0, 0xe3, 0x0b, 0xee, 0xf7,
-	0x83, 0x0b, 0xe3, 0x51, 0x03, 0x34, 0x75, 0xab, 0x9a, 0xcc, 0xea, 0xbb, 0xe7, 0xea, 0xe4, 0x84,
-	0x39, 0x81, 0xdf, 0x17, 0x76, 0xfe, 0x00, 0x9d, 0xc0, 0xf2, 0x38, 0x6d, 0xc3, 0x28, 0x2b, 0x06,
-	0x7c, 0x17, 0x03, 0x2e, 0x96, 0x09, 0x7f, 0x88, 0xa9, 0x2f, 0xb9, 0x9c, 0x58, 0xbb, 0x39, 0x47,
-	0x59, 0x79, 0x61, 0x67, 0x5a, 0xb5, 0x37, 0xb0, 0xba, 0xe6, 0x0a, 0xda, 0x83, 0xfa, 0x90, 0x4d,
-	0xb2, 0x91, 0xd9, 0xe9, 0x27, 0xda, 0x2f, 0x6a, 0x97, 0xd4, 0x59, 0x16, 0xbc, 0x2e, 0x1d, 0x81,
-	0x83, 0x6b, 0x00, 0x9f, 0xde, 0xe2, 0xf5, 0x31, 0x17, 0x12, 0x7d, 0x86, 0x5b, 0xa9, 0x15, 0x7d,
-	0x2a, 0xa9, 0x12, 0xbb, 0x07, 0x7a, 0x61, 0x5c, 0x9a, 0xdd, 0x65, 0x92, 0x5a, 0x7b, 0x39, 0xf4,
-	0x56, 0x71, 0x62, 0xdf, 0x28, 0xa2, 0x6f, 0xb0, 0xcc, 0x25, 0xf3, 0x8a, 0x1d, 0xe9, 0x3c, 0xc8,
-	0x8e, 0x2c, 0x6c, 0x7a, 0x97, 0x6a, 0xdb, 0x59, 0x09, 0xeb, 0x6c, 0x3a, 0x37, 0xb5, 0xcb, 0xb9,
-	0xa9, 0x5d, 0xcd, 0x4d, 0xed, 0x47, 0x62, 0x82, 0x69, 0x62, 0x82, 0xcb, 0xc4, 0x04, 0x57, 0x89,
-	0x09, 0x7e, 0x27, 0x26, 0xf8, 0x79, 0x6d, 0x6a, 0x1f, 0x0f, 0x37, 0xfd, 0x03, 0xfd, 0x0d, 0x00,
-	0x00, 0xff, 0xff, 0x68, 0x2d, 0x7f, 0xed, 0xb4, 0x04, 0x00, 0x00,
-}
+func (m *ExternalMetricValueList) Reset() { *m = ExternalMetricValueList{} }
 
 func (m *ExternalMetricValue) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -198,7 +84,7 @@ func (m *ExternalMetricValue) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.MetricLabels {
 			keysForMetricLabels = append(keysForMetricLabels, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForMetricLabels)
+		sort.Strings(keysForMetricLabels)
 		for iNdEx := len(keysForMetricLabels) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.MetricLabels[string(keysForMetricLabels[iNdEx])]
 			baseI := i
@@ -340,7 +226,7 @@ func (this *ExternalMetricValue) String() string {
 	for k := range this.MetricLabels {
 		keysForMetricLabels = append(keysForMetricLabels, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForMetricLabels)
+	sort.Strings(keysForMetricLabels)
 	mapStringForMetricLabels := "map[string]string{"
 	for _, k := range keysForMetricLabels {
 		mapStringForMetricLabels += fmt.Sprintf("%v: %v,", k, this.MetricLabels[k])
diff --git a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..08a347c352c07
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,26 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ExternalMetricValue) ProtoMessage() {}
+
+func (*ExternalMetricValueList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..9eee648d2b343
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/external_metrics/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,32 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricValue) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.external_metrics.v1beta1.ExternalMetricValue"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ExternalMetricValueList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.external_metrics.v1beta1.ExternalMetricValueList"
+}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/doc.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/doc.go
index 6c84d42a205d4..88409c831c2cc 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/doc.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/doc.go
@@ -18,6 +18,8 @@ limitations under the License.
 // +k8s:protobuf-gen=package
 // +k8s:conversion-gen=k8s.io/metrics/pkg/apis/metrics
 // +k8s:openapi-gen=true
+// +k8s:openapi-model-package=io.k8s.metrics.pkg.apis.metrics.v1alpha1
+
 // +groupName=metrics.k8s.io
 
 // Package v1alpha1 is the v1alpha1 version of the metrics API.
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.pb.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.pb.go
index 7105d0f2463ba..8e9515d5ffb84 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.pb.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.pb.go
@@ -23,229 +23,26 @@ import (
 	fmt "fmt"
 
 	io "io"
-
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+	"sort"
 
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ContainerMetrics) Reset() { *m = ContainerMetrics{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *NodeMetrics) Reset() { *m = NodeMetrics{} }
 
-func (m *ContainerMetrics) Reset()      { *m = ContainerMetrics{} }
-func (*ContainerMetrics) ProtoMessage() {}
-func (*ContainerMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f579fa237c41fb8, []int{0}
-}
-func (m *ContainerMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerMetrics.Merge(m, src)
-}
-func (m *ContainerMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerMetrics.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerMetrics proto.InternalMessageInfo
-
-func (m *NodeMetrics) Reset()      { *m = NodeMetrics{} }
-func (*NodeMetrics) ProtoMessage() {}
-func (*NodeMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f579fa237c41fb8, []int{1}
-}
-func (m *NodeMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeMetrics.Merge(m, src)
-}
-func (m *NodeMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeMetrics.DiscardUnknown(m)
-}
+func (m *NodeMetricsList) Reset() { *m = NodeMetricsList{} }
 
-var xxx_messageInfo_NodeMetrics proto.InternalMessageInfo
+func (m *PodMetrics) Reset() { *m = PodMetrics{} }
 
-func (m *NodeMetricsList) Reset()      { *m = NodeMetricsList{} }
-func (*NodeMetricsList) ProtoMessage() {}
-func (*NodeMetricsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f579fa237c41fb8, []int{2}
-}
-func (m *NodeMetricsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeMetricsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeMetricsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeMetricsList.Merge(m, src)
-}
-func (m *NodeMetricsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeMetricsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeMetricsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeMetricsList proto.InternalMessageInfo
-
-func (m *PodMetrics) Reset()      { *m = PodMetrics{} }
-func (*PodMetrics) ProtoMessage() {}
-func (*PodMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f579fa237c41fb8, []int{3}
-}
-func (m *PodMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodMetrics.Merge(m, src)
-}
-func (m *PodMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodMetrics.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodMetrics proto.InternalMessageInfo
-
-func (m *PodMetricsList) Reset()      { *m = PodMetricsList{} }
-func (*PodMetricsList) ProtoMessage() {}
-func (*PodMetricsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_5f579fa237c41fb8, []int{4}
-}
-func (m *PodMetricsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodMetricsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodMetricsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodMetricsList.Merge(m, src)
-}
-func (m *PodMetricsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodMetricsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodMetricsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodMetricsList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.ContainerMetrics")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.ContainerMetrics.UsageEntry")
-	proto.RegisterType((*NodeMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.NodeMetrics")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.NodeMetrics.UsageEntry")
-	proto.RegisterType((*NodeMetricsList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.NodeMetricsList")
-	proto.RegisterType((*PodMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.PodMetrics")
-	proto.RegisterType((*PodMetricsList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1alpha1.PodMetricsList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.proto", fileDescriptor_5f579fa237c41fb8)
-}
-
-var fileDescriptor_5f579fa237c41fb8 = []byte{
-	// 647 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xb1, 0x6f, 0xd3, 0x4e,
-	0x18, 0xcd, 0x35, 0x49, 0xd5, 0x5e, 0x7e, 0xbf, 0x52, 0x3c, 0x55, 0x19, 0x9c, 0xca, 0x53, 0x84,
-	0xd4, 0x33, 0xad, 0x0a, 0x8a, 0x3a, 0x21, 0xd3, 0x0e, 0x48, 0x34, 0x80, 0x55, 0x40, 0x14, 0x06,
-	0x2e, 0xce, 0xe1, 0x1c, 0xa9, 0x7d, 0x96, 0x7d, 0x4e, 0x95, 0x0d, 0x01, 0x13, 0x13, 0x12, 0xff,
-	0x54, 0x10, 0x4b, 0xc7, 0x2e, 0xa4, 0xc4, 0xec, 0xfc, 0x01, 0x4c, 0xc8, 0xe7, 0x73, 0x1c, 0x9a,
-	0x90, 0x9a, 0x0e, 0x4c, 0xdd, 0xec, 0xcf, 0xf7, 0xde, 0xfb, 0xee, 0x7d, 0xef, 0x4e, 0x86, 0x8d,
-	0x6e, 0x23, 0x40, 0x94, 0xe9, 0x0e, 0xe1, 0x3e, 0xb5, 0x02, 0xdd, 0xeb, 0xda, 0x3a, 0xf6, 0x68,
-	0x30, 0x2e, 0xf4, 0x36, 0xf1, 0x91, 0xd7, 0xc1, 0x9b, 0xba, 0x4d, 0x5c, 0xe2, 0x63, 0x4e, 0xda,
-	0xc8, 0xf3, 0x19, 0x67, 0x4a, 0x3d, 0x41, 0x22, 0xb9, 0x10, 0x79, 0x5d, 0x1b, 0xc5, 0xc8, 0x71,
-	0x21, 0x45, 0x56, 0x37, 0x6c, 0xca, 0x3b, 0x61, 0x0b, 0x59, 0xcc, 0xd1, 0x6d, 0x66, 0x33, 0x5d,
-	0x10, 0xb4, 0xc2, 0x57, 0xe2, 0x4d, 0xbc, 0x88, 0xa7, 0x84, 0xb8, 0xaa, 0xc9, 0x96, 0xb0, 0x47,
-	0x75, 0x8b, 0xf9, 0x44, 0xef, 0x4d, 0x89, 0x57, 0xb7, 0xb3, 0x35, 0x0e, 0xb6, 0x3a, 0xd4, 0x25,
-	0x7e, 0x3f, 0xed, 0x5d, 0xf7, 0x49, 0xc0, 0x42, 0xdf, 0x22, 0x7f, 0x85, 0x12, 0x3b, 0xc6, 0xb3,
-	0xb4, 0xf4, 0x3f, 0xa1, 0xfc, 0xd0, 0xe5, 0xd4, 0x99, 0x96, 0xb9, 0x7d, 0x11, 0x20, 0xb0, 0x3a,
-	0xc4, 0xc1, 0xe7, 0x71, 0xda, 0xbb, 0x22, 0x5c, 0xbd, 0xcb, 0x5c, 0x8e, 0x63, 0xc4, 0x7e, 0xe2,
-	0xa2, 0xb2, 0x0e, 0x4b, 0x2e, 0x76, 0xc8, 0x1a, 0x58, 0x07, 0xf5, 0x65, 0xe3, 0xbf, 0xc1, 0xb0,
-	0x56, 0x88, 0x86, 0xb5, 0x52, 0x13, 0x3b, 0xc4, 0x14, 0x5f, 0x94, 0x08, 0xc0, 0x72, 0x18, 0x60,
-	0x9b, 0xac, 0x2d, 0xac, 0x17, 0xeb, 0x95, 0xad, 0x3d, 0x94, 0x77, 0x32, 0xe8, 0xbc, 0x1a, 0x7a,
-	0x1c, 0xf3, 0xec, 0xb9, 0xdc, 0xef, 0x1b, 0xef, 0x81, 0xd4, 0x2a, 0x8b, 0xe2, 0xcf, 0x61, 0xad,
-	0x36, 0x3d, 0x18, 0x64, 0x4a, 0xaf, 0xef, 0xd3, 0x80, 0xbf, 0x3d, 0x9b, 0xbb, 0x24, 0x6e, 0xf9,
-	0xc3, 0x59, 0x6d, 0x23, 0xcf, 0xe8, 0xd0, 0xa3, 0x10, 0xbb, 0x9c, 0xf2, 0xbe, 0x99, 0x6c, 0xad,
-	0xda, 0x81, 0x30, 0xeb, 0x4d, 0x59, 0x85, 0xc5, 0x2e, 0xe9, 0x27, 0x9e, 0x98, 0xf1, 0xa3, 0xb2,
-	0x0b, 0xcb, 0x3d, 0x7c, 0x14, 0xc6, 0x1e, 0x80, 0x7a, 0x65, 0x0b, 0xa5, 0x1e, 0x4c, 0xaa, 0xa4,
-	0x46, 0xa0, 0x19, 0x2a, 0x02, 0xbc, 0xb3, 0xd0, 0x00, 0xda, 0x8f, 0x12, 0xac, 0x34, 0x59, 0x9b,
-	0xa4, 0x03, 0x78, 0x09, 0x97, 0xe2, 0x64, 0xb4, 0x31, 0xc7, 0x42, 0xb0, 0xb2, 0x75, 0x73, 0x1e,
-	0xb9, 0x70, 0x19, 0xa3, 0xde, 0x26, 0x7a, 0xd0, 0x7a, 0x4d, 0x2c, 0xbe, 0x4f, 0x38, 0x36, 0x14,
-	0x69, 0x25, 0xcc, 0x6a, 0xe6, 0x98, 0x55, 0x79, 0x0e, 0x97, 0xe3, 0x58, 0x04, 0x1c, 0x3b, 0x9e,
-	0xec, 0xff, 0x46, 0x3e, 0x89, 0x03, 0xea, 0x10, 0xe3, 0xba, 0x24, 0x5f, 0x3e, 0x48, 0x49, 0xcc,
-	0x8c, 0x4f, 0x79, 0x02, 0x17, 0x8f, 0xa9, 0xdb, 0x66, 0xc7, 0x6b, 0xc5, 0x8b, 0x9d, 0xc9, 0x98,
-	0x77, 0x43, 0x1f, 0x73, 0xca, 0x5c, 0x63, 0x45, 0xb2, 0x2f, 0x3e, 0x15, 0x2c, 0xa6, 0x64, 0x53,
-	0xbe, 0x8e, 0x53, 0x57, 0x12, 0xa9, 0xbb, 0x93, 0x3f, 0x75, 0x13, 0xee, 0x5e, 0x05, 0x0e, 0x68,
-	0x5f, 0x00, 0xbc, 0x36, 0x61, 0x49, 0xbc, 0x31, 0xe5, 0xc5, 0x54, 0xe8, 0x72, 0xce, 0x2d, 0x46,
-	0x8b, 0xc8, 0xad, 0x4a, 0x33, 0x97, 0xd2, 0xca, 0x44, 0xe0, 0x0e, 0x61, 0x99, 0x72, 0xe2, 0x04,
-	0xf2, 0xc2, 0xb8, 0x75, 0xa9, 0xd1, 0x19, 0xff, 0xa7, 0xe3, 0xba, 0x17, 0x73, 0x99, 0x09, 0xa5,
-	0xf6, 0xa9, 0x08, 0xe1, 0x43, 0xd6, 0xbe, 0x3a, 0x3d, 0x73, 0x4f, 0x8f, 0x0b, 0xa1, 0x95, 0xde,
-	0xbd, 0x81, 0x3c, 0x41, 0x3b, 0x97, 0xbf, 0xb7, 0x33, 0x8b, 0xc6, 0x5f, 0x02, 0x73, 0x42, 0x41,
-	0xfb, 0x0c, 0xe0, 0x4a, 0x36, 0x95, 0x7f, 0x10, 0xb1, 0x67, 0xbf, 0x47, 0x6c, 0x3b, 0xff, 0xde,
-	0xb2, 0x36, 0x67, 0x27, 0xcc, 0x68, 0x0e, 0x46, 0x6a, 0xe1, 0x64, 0xa4, 0x16, 0x4e, 0x47, 0x6a,
-	0xe1, 0x4d, 0xa4, 0x82, 0x41, 0xa4, 0x82, 0x93, 0x48, 0x05, 0xa7, 0x91, 0x0a, 0xbe, 0x45, 0x2a,
-	0xf8, 0xf8, 0x5d, 0x2d, 0x1c, 0xd6, 0xf3, 0xfe, 0xd8, 0xfc, 0x0a, 0x00, 0x00, 0xff, 0xff, 0xe5,
-	0xa6, 0x17, 0xf2, 0x03, 0x09, 0x00, 0x00,
-}
+func (m *PodMetricsList) Reset() { *m = PodMetricsList{} }
 
 func (m *ContainerMetrics) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -272,7 +69,7 @@ func (m *ContainerMetrics) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Usage {
 			keysForUsage = append(keysForUsage, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+		sort.Strings(keysForUsage)
 		for iNdEx := len(keysForUsage) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Usage[k8s_io_api_core_v1.ResourceName(keysForUsage[iNdEx])]
 			baseI := i
@@ -329,7 +126,7 @@ func (m *NodeMetrics) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Usage {
 			keysForUsage = append(keysForUsage, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+		sort.Strings(keysForUsage)
 		for iNdEx := len(keysForUsage) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Usage[k8s_io_api_core_v1.ResourceName(keysForUsage[iNdEx])]
 			baseI := i
@@ -671,7 +468,7 @@ func (this *ContainerMetrics) String() string {
 	for k := range this.Usage {
 		keysForUsage = append(keysForUsage, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+	sort.Strings(keysForUsage)
 	mapStringForUsage := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForUsage {
 		mapStringForUsage += fmt.Sprintf("%v: %v,", k, this.Usage[k8s_io_api_core_v1.ResourceName(k)])
@@ -692,7 +489,7 @@ func (this *NodeMetrics) String() string {
 	for k := range this.Usage {
 		keysForUsage = append(keysForUsage, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+	sort.Strings(keysForUsage)
 	mapStringForUsage := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForUsage {
 		mapStringForUsage += fmt.Sprintf("%v: %v,", k, this.Usage[k8s_io_api_core_v1.ResourceName(k)])
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.protomessage.pb.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..aa2f5972dcfeb
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1alpha1
+
+func (*ContainerMetrics) ProtoMessage() {}
+
+func (*NodeMetrics) ProtoMessage() {}
+
+func (*NodeMetricsList) ProtoMessage() {}
+
+func (*PodMetrics) ProtoMessage() {}
+
+func (*PodMetricsList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..566622b0a89b4
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1alpha1.ContainerMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1alpha1.NodeMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeMetricsList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1alpha1.NodeMetricsList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1alpha1.PodMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodMetricsList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1alpha1.PodMetricsList"
+}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/doc.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/doc.go
index 760a9afbadfa6..324b0d0f8430b 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/doc.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/doc.go
@@ -19,6 +19,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/metrics/pkg/apis/metrics
 // +k8s:openapi-gen=true
 // +groupName=metrics.k8s.io
+// +k8s:openapi-model-package=io.k8s.metrics.pkg.apis.metrics.v1beta1
 
 // Package v1beta1 is the v1beta1 version of the metrics API.
 package v1beta1
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.pb.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.pb.go
index ae62aa8370072..5072c6f1d2861 100644
--- a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.pb.go
@@ -23,229 +23,26 @@ import (
 	fmt "fmt"
 
 	io "io"
-
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+	"sort"
 
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
 	resource "k8s.io/apimachinery/pkg/api/resource"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ContainerMetrics) Reset() { *m = ContainerMetrics{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *NodeMetrics) Reset() { *m = NodeMetrics{} }
 
-func (m *ContainerMetrics) Reset()      { *m = ContainerMetrics{} }
-func (*ContainerMetrics) ProtoMessage() {}
-func (*ContainerMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0eb2073129c5331c, []int{0}
-}
-func (m *ContainerMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ContainerMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ContainerMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ContainerMetrics.Merge(m, src)
-}
-func (m *ContainerMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *ContainerMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_ContainerMetrics.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ContainerMetrics proto.InternalMessageInfo
-
-func (m *NodeMetrics) Reset()      { *m = NodeMetrics{} }
-func (*NodeMetrics) ProtoMessage() {}
-func (*NodeMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0eb2073129c5331c, []int{1}
-}
-func (m *NodeMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeMetrics.Merge(m, src)
-}
-func (m *NodeMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeMetrics.DiscardUnknown(m)
-}
+func (m *NodeMetricsList) Reset() { *m = NodeMetricsList{} }
 
-var xxx_messageInfo_NodeMetrics proto.InternalMessageInfo
+func (m *PodMetrics) Reset() { *m = PodMetrics{} }
 
-func (m *NodeMetricsList) Reset()      { *m = NodeMetricsList{} }
-func (*NodeMetricsList) ProtoMessage() {}
-func (*NodeMetricsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0eb2073129c5331c, []int{2}
-}
-func (m *NodeMetricsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NodeMetricsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NodeMetricsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NodeMetricsList.Merge(m, src)
-}
-func (m *NodeMetricsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NodeMetricsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NodeMetricsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NodeMetricsList proto.InternalMessageInfo
-
-func (m *PodMetrics) Reset()      { *m = PodMetrics{} }
-func (*PodMetrics) ProtoMessage() {}
-func (*PodMetrics) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0eb2073129c5331c, []int{3}
-}
-func (m *PodMetrics) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodMetrics) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodMetrics) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodMetrics.Merge(m, src)
-}
-func (m *PodMetrics) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodMetrics) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodMetrics.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodMetrics proto.InternalMessageInfo
-
-func (m *PodMetricsList) Reset()      { *m = PodMetricsList{} }
-func (*PodMetricsList) ProtoMessage() {}
-func (*PodMetricsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_0eb2073129c5331c, []int{4}
-}
-func (m *PodMetricsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodMetricsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodMetricsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodMetricsList.Merge(m, src)
-}
-func (m *PodMetricsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodMetricsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodMetricsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodMetricsList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ContainerMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics.UsageEntry")
-	proto.RegisterType((*NodeMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.NodeMetrics")
-	proto.RegisterMapType((k8s_io_api_core_v1.ResourceList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.NodeMetrics.UsageEntry")
-	proto.RegisterType((*NodeMetricsList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.NodeMetricsList")
-	proto.RegisterType((*PodMetrics)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.PodMetrics")
-	proto.RegisterType((*PodMetricsList)(nil), "k8s.io.metrics.pkg.apis.metrics.v1beta1.PodMetricsList")
-}
-
-func init() {
-	proto.RegisterFile("k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.proto", fileDescriptor_0eb2073129c5331c)
-}
-
-var fileDescriptor_0eb2073129c5331c = []byte{
-	// 646 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xbf, 0x6f, 0xd3, 0x4e,
-	0x1c, 0xcd, 0x35, 0x49, 0xd5, 0x5e, 0xbe, 0xdf, 0x52, 0x3c, 0x55, 0x19, 0x9c, 0xca, 0x4b, 0x2b,
-	0xa4, 0x9e, 0x69, 0xa8, 0xa0, 0xb0, 0x20, 0x99, 0x30, 0x20, 0x91, 0x02, 0x56, 0xf9, 0xcd, 0xc0,
-	0xc5, 0x39, 0x9c, 0x23, 0xd8, 0x67, 0xd9, 0xe7, 0x54, 0xd9, 0x50, 0xc5, 0xc4, 0x84, 0xf8, 0xab,
-	0x22, 0xa6, 0x8e, 0x1d, 0x50, 0x4a, 0xcc, 0xcc, 0x3f, 0xc0, 0x84, 0x7c, 0x3e, 0xc7, 0xa1, 0x09,
-	0xa9, 0xe9, 0xc0, 0xd4, 0xcd, 0xfe, 0xf8, 0xde, 0x7b, 0x9f, 0x7b, 0x9f, 0x77, 0x27, 0xc3, 0x1b,
-	0xdd, 0xdd, 0x00, 0x51, 0xa6, 0x3b, 0x84, 0xfb, 0xd4, 0x0a, 0x74, 0xaf, 0x6b, 0xeb, 0xd8, 0xa3,
-	0xc1, 0xb8, 0xd0, 0xdb, 0x6e, 0x11, 0x8e, 0xb7, 0x75, 0x9b, 0xb8, 0xc4, 0xc7, 0x9c, 0xb4, 0x91,
-	0xe7, 0x33, 0xce, 0x94, 0x8d, 0x04, 0x88, 0xe4, 0x3a, 0xe4, 0x75, 0x6d, 0x14, 0x03, 0xc7, 0x05,
-	0x09, 0xac, 0x6e, 0xd9, 0x94, 0x77, 0xc2, 0x16, 0xb2, 0x98, 0xa3, 0xdb, 0xcc, 0x66, 0xba, 0xc0,
-	0xb7, 0xc2, 0x37, 0xe2, 0x4d, 0xbc, 0x88, 0xa7, 0x84, 0xb7, 0xaa, 0xc9, 0x86, 0xb0, 0x47, 0x75,
-	0x8b, 0xf9, 0x44, 0xef, 0x4d, 0x69, 0x57, 0x77, 0xb2, 0x35, 0x0e, 0xb6, 0x3a, 0xd4, 0x25, 0x7e,
-	0x3f, 0xed, 0x5c, 0xf7, 0x49, 0xc0, 0x42, 0xdf, 0x22, 0x7f, 0x85, 0x12, 0xfb, 0xc5, 0xb3, 0xb4,
-	0xf4, 0x3f, 0xa1, 0xfc, 0xd0, 0xe5, 0xd4, 0x99, 0x96, 0xb9, 0x7e, 0x16, 0x20, 0xb0, 0x3a, 0xc4,
-	0xc1, 0xa7, 0x71, 0xda, 0x61, 0x11, 0xae, 0xde, 0x61, 0x2e, 0xc7, 0x31, 0xa2, 0x99, 0x98, 0xa8,
-	0xac, 0xc3, 0x92, 0x8b, 0x1d, 0xb2, 0x06, 0xd6, 0xc1, 0xe6, 0xb2, 0xf1, 0xdf, 0x60, 0x58, 0x2b,
-	0x44, 0xc3, 0x5a, 0x69, 0x0f, 0x3b, 0xc4, 0x14, 0x5f, 0x94, 0x11, 0x80, 0xe5, 0x30, 0xc0, 0x36,
-	0x59, 0x5b, 0x58, 0x2f, 0x6e, 0x56, 0xea, 0x0d, 0x94, 0x73, 0x30, 0xe8, 0xb4, 0x18, 0x7a, 0x1c,
-	0xd3, 0xdc, 0x75, 0xb9, 0xdf, 0x37, 0x3e, 0x00, 0x29, 0x55, 0x16, 0xc5, 0x9f, 0xc3, 0x5a, 0x6d,
-	0x7a, 0x2e, 0xc8, 0x94, 0x56, 0xdf, 0xa7, 0x01, 0x3f, 0x3c, 0x99, 0xbb, 0x24, 0xee, 0xf8, 0xe3,
-	0x49, 0x6d, 0x2b, 0xcf, 0xe4, 0xd0, 0xa3, 0x10, 0xbb, 0x9c, 0xf2, 0xbe, 0x99, 0xec, 0xac, 0xda,
-	0x81, 0x30, 0xeb, 0x4d, 0x59, 0x85, 0xc5, 0x2e, 0xe9, 0x27, 0x96, 0x98, 0xf1, 0xa3, 0xd2, 0x80,
-	0xe5, 0x1e, 0x7e, 0x17, 0xc6, 0x16, 0x80, 0xcd, 0x4a, 0x1d, 0xa5, 0x16, 0x4c, 0xaa, 0xa4, 0x3e,
-	0xa0, 0x19, 0x2a, 0x02, 0x7c, 0x6b, 0x61, 0x17, 0x68, 0x3f, 0x4a, 0xb0, 0xb2, 0xc7, 0xda, 0x24,
-	0xf5, 0xff, 0x35, 0x5c, 0x8a, 0x83, 0xd1, 0xc6, 0x1c, 0x0b, 0xc1, 0x4a, 0xfd, 0xea, 0x3c, 0x72,
-	0x61, 0x32, 0x46, 0xbd, 0x6d, 0xf4, 0xa0, 0xf5, 0x96, 0x58, 0xbc, 0x49, 0x38, 0x36, 0x14, 0x69,
-	0x25, 0xcc, 0x6a, 0xe6, 0x98, 0x55, 0x79, 0x09, 0x97, 0xe3, 0x54, 0x04, 0x1c, 0x3b, 0x9e, 0xec,
-	0xff, 0x4a, 0x3e, 0x89, 0x7d, 0xea, 0x10, 0xe3, 0xb2, 0x24, 0x5f, 0xde, 0x4f, 0x49, 0xcc, 0x8c,
-	0x4f, 0x79, 0x02, 0x17, 0x0f, 0xa8, 0xdb, 0x66, 0x07, 0x6b, 0xc5, 0xb3, 0x9d, 0xc9, 0x98, 0x1b,
-	0xa1, 0x8f, 0x39, 0x65, 0xae, 0xb1, 0x22, 0xd9, 0x17, 0x9f, 0x0a, 0x16, 0x53, 0xb2, 0x29, 0x5f,
-	0xc7, 0xa1, 0x2b, 0x89, 0xd0, 0xdd, 0xce, 0x1d, 0xba, 0x09, 0x73, 0x2f, 0xf2, 0x06, 0xb4, 0x2f,
-	0x00, 0x5e, 0x9a, 0xb0, 0x24, 0xde, 0x98, 0xf2, 0x6a, 0x2a, 0x73, 0x39, 0xc7, 0x16, 0xa3, 0x45,
-	0xe2, 0x56, 0xa5, 0x99, 0x4b, 0x69, 0x65, 0x22, 0x6f, 0xcf, 0x61, 0x99, 0x72, 0xe2, 0x04, 0xf2,
-	0xba, 0xd8, 0x39, 0xcf, 0xe4, 0x8c, 0xff, 0xd3, 0x69, 0xdd, 0x8b, 0xa9, 0xcc, 0x84, 0x51, 0xfb,
-	0x5c, 0x84, 0xf0, 0x21, 0x6b, 0x5f, 0x9c, 0x9d, 0xb9, 0x67, 0xc7, 0x81, 0xd0, 0x4a, 0x6f, 0xde,
-	0x40, 0x9e, 0x9f, 0x9b, 0xe7, 0xbe, 0xb4, 0x33, 0x87, 0xc6, 0x5f, 0x02, 0x73, 0x42, 0x40, 0x1b,
-	0x00, 0xb8, 0x92, 0x0d, 0xe5, 0x1f, 0x04, 0xec, 0xd9, 0xef, 0x01, 0xbb, 0x96, 0x7b, 0x6b, 0x59,
-	0x97, 0xb3, 0xf3, 0x65, 0x34, 0x07, 0x23, 0xb5, 0x70, 0x34, 0x52, 0x0b, 0xc7, 0x23, 0xb5, 0xf0,
-	0x3e, 0x52, 0xc1, 0x20, 0x52, 0xc1, 0x51, 0xa4, 0x82, 0xe3, 0x48, 0x05, 0xdf, 0x22, 0x15, 0x7c,
-	0xfa, 0xae, 0x16, 0x5e, 0x6c, 0xe4, 0xfc, 0xa3, 0xf9, 0x15, 0x00, 0x00, 0xff, 0xff, 0x11, 0x63,
-	0x3e, 0x0d, 0xfb, 0x08, 0x00, 0x00,
-}
+func (m *PodMetricsList) Reset() { *m = PodMetricsList{} }
 
 func (m *ContainerMetrics) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -272,7 +69,7 @@ func (m *ContainerMetrics) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Usage {
 			keysForUsage = append(keysForUsage, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+		sort.Strings(keysForUsage)
 		for iNdEx := len(keysForUsage) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Usage[k8s_io_api_core_v1.ResourceName(keysForUsage[iNdEx])]
 			baseI := i
@@ -329,7 +126,7 @@ func (m *NodeMetrics) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Usage {
 			keysForUsage = append(keysForUsage, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+		sort.Strings(keysForUsage)
 		for iNdEx := len(keysForUsage) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Usage[k8s_io_api_core_v1.ResourceName(keysForUsage[iNdEx])]
 			baseI := i
@@ -671,7 +468,7 @@ func (this *ContainerMetrics) String() string {
 	for k := range this.Usage {
 		keysForUsage = append(keysForUsage, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+	sort.Strings(keysForUsage)
 	mapStringForUsage := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForUsage {
 		mapStringForUsage += fmt.Sprintf("%v: %v,", k, this.Usage[k8s_io_api_core_v1.ResourceName(k)])
@@ -692,7 +489,7 @@ func (this *NodeMetrics) String() string {
 	for k := range this.Usage {
 		keysForUsage = append(keysForUsage, string(k))
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUsage)
+	sort.Strings(keysForUsage)
 	mapStringForUsage := "k8s_io_api_core_v1.ResourceList{"
 	for _, k := range keysForUsage {
 		mapStringForUsage += fmt.Sprintf("%v: %v,", k, this.Usage[k8s_io_api_core_v1.ResourceName(k)])
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.protomessage.pb.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..5f2fc5ee4d694
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/generated.protomessage.pb.go
@@ -0,0 +1,32 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1beta1
+
+func (*ContainerMetrics) ProtoMessage() {}
+
+func (*NodeMetrics) ProtoMessage() {}
+
+func (*NodeMetricsList) ProtoMessage() {}
+
+func (*PodMetrics) ProtoMessage() {}
+
+func (*PodMetricsList) ProtoMessage() {}
diff --git a/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..52c9e8d0b7b07
--- /dev/null
+++ b/staging/src/k8s.io/metrics/pkg/apis/metrics/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in ContainerMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1beta1.ContainerMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in NodeMetricsList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1beta1.NodeMetricsList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodMetrics) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetrics"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in PodMetricsList) OpenAPIModelName() string {
+	return "io.k8s.metrics.pkg.apis.metrics.v1beta1.PodMetricsList"
+}
diff --git a/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go
index fceffbddf063b..be4bb94e56be2 100644
--- a/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/metrics/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -37,7 +37,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -53,8 +53,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -85,6 +85,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 var (
 	_ clientset.Interface = &Clientset{}
 	_ testing.FakeClient  = &Clientset{}
diff --git a/staging/src/k8s.io/mount-utils/go.mod b/staging/src/k8s.io/mount-utils/go.mod
index 326e47d544998..d1d51a2062a20 100644
--- a/staging/src/k8s.io/mount-utils/go.mod
+++ b/staging/src/k8s.io/mount-utils/go.mod
@@ -2,24 +2,24 @@
 
 module k8s.io/mount-utils
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/moby/sys/mountinfo v0.7.2
-	github.com/stretchr/testify v1.10.0
-	golang.org/x/sys v0.36.0
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/sys v0.38.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/staging/src/k8s.io/mount-utils/go.sum b/staging/src/k8s.io/mount-utils/go.sum
index f538ef0e1c38c..0bf3081d0d352 100644
--- a/staging/src/k8s.io/mount-utils/go.sum
+++ b/staging/src/k8s.io/mount-utils/go.sum
@@ -1,8 +1,8 @@
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -16,15 +16,15 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -32,5 +32,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission_test.go b/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
index 868950ce5eebe..38bd4dac80aa2 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission_test.go
@@ -702,7 +702,7 @@ func TestValidatePodAndController(t *testing.T) {
 	config.Exemptions.RuntimeClasses = []string{exemptRuntimeClass}
 	config.Exemptions.Usernames = []string{exemptUser}
 
-	evaluator, err := policy.NewEvaluator(policy.DefaultChecks())
+	evaluator, err := policy.NewEvaluator(policy.DefaultChecks(), nil)
 	assert.NoError(t, err)
 
 	type testCase struct {
diff --git a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
index c357ab231a776..3d71a23e3ecea 100644
--- a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
+++ b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
@@ -281,7 +281,7 @@ func Setup(c *Config) (*Server, error) {
 	namespaceInformer := s.informerFactory.Core().V1().Namespaces()
 	namespaceLister := namespaceInformer.Lister()
 
-	evaluator, err := policy.NewEvaluator(policy.DefaultChecks())
+	evaluator, err := policy.NewEvaluator(policy.DefaultChecks(), nil)
 	if err != nil {
 		return nil, fmt.Errorf("could not create PodSecurityRegistry: %w", err)
 	}
diff --git a/staging/src/k8s.io/pod-security-admission/go.mod b/staging/src/k8s.io/pod-security-admission/go.mod
index 94c1c5d75e666..c12c7105f830a 100644
--- a/staging/src/k8s.io/pod-security-admission/go.mod
+++ b/staging/src/k8s.io/pod-security-admission/go.mod
@@ -2,23 +2,23 @@
 
 module k8s.io/pod-security-admission
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/google/go-cmp v0.7.0
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	github.com/stretchr/testify v1.10.0
-	k8s.io/api v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
-	k8s.io/client-go v0.34.1
-	k8s.io/component-base v0.34.1
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.11.1
+	k8s.io/api v0.35.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
+	k8s.io/client-go v0.35.1
+	k8s.io/component-base v0.35.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -36,7 +36,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -58,60 +58,62 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kms v0.34.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kms v0.35.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apiextensions-apiserver => ../apiextensions-apiserver
 	k8s.io/apimachinery => ../apimachinery
diff --git a/staging/src/k8s.io/pod-security-admission/go.sum b/staging/src/k8s.io/pod-security-admission/go.sum
index 6ab15e16a935b..16daaa67018ec 100644
--- a/staging/src/k8s.io/pod-security-admission/go.sum
+++ b/staging/src/k8s.io/pod-security-admission/go.sum
@@ -1,9 +1,12 @@
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -29,6 +32,7 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -56,8 +60,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -95,8 +99,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -115,6 +119,10 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -152,20 +160,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -174,27 +177,28 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -207,8 +211,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -219,18 +223,18 @@ github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -238,22 +242,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -264,89 +268,91 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
index 43387c052192a..ad25d8eab2832 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
@@ -18,7 +18,6 @@ package policy
 
 import (
 	"fmt"
-	"sync/atomic"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -74,21 +73,7 @@ func CheckHostProbesAndHostLifecycle() Check {
 	}
 }
 
-// TODO(liggitt): rework this to make emulation version influence "latest" across all checks, instead of piece-mill feature gate checking.
-var skipProbeHostEnforcement = &atomic.Bool{}
-
-// SkipProbeHostEnforcement allows opting out of probe host enforcement in baseline policies.
-// This should only be done in clusters emulating minor versions prior to introduction of this check.
-func SkipProbeHostEnforcement() {
-	skipProbeHostEnforcement.Store(true)
-}
-
 func hostProbesAndHostLifecycleV1Dot34(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
-	// cluster is emulating a minor prior to this check existing
-	if skipProbeHostEnforcement.Load() {
-		return CheckResult{Allowed: true}
-	}
-
 	badContainers := sets.New[string]()
 	forbidden := sets.New[string]()
 	visitContainers(podSpec, func(container *corev1.Container) {
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle_test.go
index 11e040680bdb8..f6d5034ecf13a 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle_test.go
@@ -20,8 +20,63 @@ import (
 	"testing"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
 )
 
+func TestHostProbesAndHostLifecycleEmulation(t *testing.T) {
+	testcases := []struct {
+		name            string
+		emulateVersion  *api.Version
+		hostCheckActive bool
+	}{
+		{
+			name:            "no emulation",
+			emulateVersion:  nil,
+			hostCheckActive: true,
+		},
+		{
+			name:            "emulate 1.34",
+			emulateVersion:  ptr.To(api.MajorMinorVersion(1, 34)),
+			hostCheckActive: true,
+		},
+		{
+			name:            "emulate 1.33",
+			emulateVersion:  ptr.To(api.MajorMinorVersion(1, 33)),
+			hostCheckActive: false,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			e, err := NewEvaluator(DefaultChecks(), tc.emulateVersion)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// pod that uses a probe with an explicit host
+			podMetadata := &metav1.ObjectMeta{}
+			podSpec := &corev1.PodSpec{Containers: []corev1.Container{{StartupProbe: &corev1.Probe{ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{Host: "localhost"}}}}}}
+
+			// evaluating "version=latest" and "version=1.34" should only allow if the host check is not active
+			expectAllowed := tc.hostCheckActive == false
+			if result := AggregateCheckResults(e.EvaluatePod(api.LevelVersion{Level: api.LevelBaseline, Version: api.LatestVersion()}, podMetadata, podSpec)); result.Allowed != expectAllowed {
+				t.Fatalf("evaluating with 'latest' expected allowed=%v, got %v: %v", expectAllowed, result.Allowed, result.ForbiddenReasons)
+			}
+			if result := AggregateCheckResults(e.EvaluatePod(api.LevelVersion{Level: api.LevelBaseline, Version: api.MajorMinorVersion(1, 34)}, podMetadata, podSpec)); result.Allowed != expectAllowed {
+				t.Fatalf("evaluating with '1.34' expected allowed=%v, got %v: %v", expectAllowed, result.Allowed, result.ForbiddenReasons)
+			}
+
+			// evaluating "version=1.33" should always allow
+			if result := AggregateCheckResults(e.EvaluatePod(api.LevelVersion{Level: api.LevelBaseline, Version: api.MajorMinorVersion(1, 33)}, podMetadata, podSpec)); !result.Allowed {
+				t.Fatalf("evaluating with '1.33' expected allowed=true, got %v: %v", result.Allowed, result.ForbiddenReasons)
+			}
+		})
+	}
+
+}
+
 func TestHostProbesAndHostLifecycle(t *testing.T) {
 	tests := []struct {
 		name         string
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
deleted file mode 100644
index 8ec585b9c9892..0000000000000
--- a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
-Copyright 2021 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package policy
-
-import (
-	"fmt"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/pod-security-admission/api"
-)
-
-/*
-
-The default /proc masks are set up to reduce attack surface, and should be required.
-
-**Restricted Fields:**
-spec.containers[*].securityContext.procMount
-spec.initContainers[*].securityContext.procMount
-
-**Allowed Values:** undefined/null, "Default"
-
-However, if the pod is in a user namespace (`hostUsers: false`), and the
-UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
-
-*/
-
-func init() {
-	addCheck(CheckProcMount)
-}
-
-// CheckProcMount returns a baseline level check that restricts
-// setting the value of securityContext.procMount to DefaultProcMount
-// in 1.0+
-func CheckProcMount() Check {
-	return Check{
-		ID:    "procMount",
-		Level: api.LevelBaseline,
-		Versions: []VersionedCheck{
-			{
-				MinimumVersion: api.MajorMinorVersion(1, 0),
-				CheckPod:       procMount_1_0,
-			},
-		},
-	}
-}
-
-func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
-	// TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
-	// create a new policy version.
-	// Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
-	// here.
-	if relaxPolicyForUserNamespacePod(podSpec) {
-		return CheckResult{Allowed: true}
-	}
-
-	var badContainers []string
-	forbiddenProcMountTypes := sets.NewString()
-	visitContainers(podSpec, func(container *corev1.Container) {
-		// allow if the security context is nil.
-		if container.SecurityContext == nil {
-			return
-		}
-		// allow if proc mount is not set.
-		if container.SecurityContext.ProcMount == nil {
-			return
-		}
-		// check if the value of the proc mount type is valid.
-		if *container.SecurityContext.ProcMount != corev1.DefaultProcMount {
-			badContainers = append(badContainers, container.Name)
-			forbiddenProcMountTypes.Insert(string(*container.SecurityContext.ProcMount))
-		}
-	})
-	if len(badContainers) > 0 {
-		return CheckResult{
-			Allowed:         false,
-			ForbiddenReason: "procMount",
-			ForbiddenDetail: fmt.Sprintf(
-				"%s %s must not set securityContext.procMount to %s",
-				pluralize("container", "containers", len(badContainers)),
-				joinQuote(badContainers),
-				joinQuote(forbiddenProcMountTypes.List()),
-			),
-		}
-	}
-	return CheckResult{Allowed: true}
-}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go
new file mode 100644
index 0000000000000..bd19b4c656e96
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+
+The default /proc masks are set up to reduce attack surface, and should be required
+by the baseline policy unless the pod is in a user namespace ("hostUsers: false").
+
+**Restricted Fields:**
+spec.containers[*].securityContext.procMount
+spec.initContainers[*].securityContext.procMount
+
+**Allowed Values:** undefined/null, "Default" (or any value if "hostUsers" is false)
+*/
+
+func init() {
+	addCheck(CheckProcMountBaseline)
+}
+
+// CheckProcMount returns a baseline level check that restricts
+// setting the value of securityContext.procMount to DefaultProcMount
+// in 1.0+.
+// Starting in 1.35+, any value is allowed if the pod is in a user namespace ("hostUsers: false").
+func CheckProcMountBaseline() Check {
+	return Check{
+		ID:    "procMount",
+		Level: api.LevelBaseline,
+		Versions: []VersionedCheck{
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 0),
+				CheckPod:       procMount_1_0,
+			},
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 35),
+				CheckPod:       procMount1_35baseline,
+			},
+		},
+	}
+}
+
+// procMount_1_0 blocks unmasked procMount unconditionally
+func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	var badContainers []string
+	forbiddenProcMountTypes := sets.NewString()
+	visitContainers(podSpec, func(container *corev1.Container) {
+		// allow if the security context is nil.
+		if container.SecurityContext == nil {
+			return
+		}
+		// allow if proc mount is not set.
+		if container.SecurityContext.ProcMount == nil {
+			return
+		}
+		// check if the value of the proc mount type is valid.
+		if *container.SecurityContext.ProcMount != corev1.DefaultProcMount {
+			badContainers = append(badContainers, container.Name)
+			forbiddenProcMountTypes.Insert(string(*container.SecurityContext.ProcMount))
+		}
+	})
+	if len(badContainers) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "procMount",
+			ForbiddenDetail: fmt.Sprintf(
+				"%s %s must not set securityContext.procMount to %s",
+				pluralize("container", "containers", len(badContainers)),
+				joinQuote(badContainers),
+				joinQuote(forbiddenProcMountTypes.List()),
+			),
+		}
+	}
+	return CheckResult{Allowed: true}
+}
+
+// procMount1_35baseline blocks unmasked procMount for pods that are not in a user namespace
+func procMount1_35baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	if relaxPolicyForUserNamespacePod(podSpec) {
+		return CheckResult{Allowed: true}
+	}
+	// If the pod is not in a user namespace, treat it as restricted.
+	return procMount_1_0(podMetadata, podSpec)
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go
new file mode 100644
index 0000000000000..64689952ab16e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+)
+
+func TestProcMountBaseline(t *testing.T) {
+	defaultValue := corev1.DefaultProcMount
+	unmaskedValue := corev1.UnmaskedProcMount
+	otherValue := corev1.ProcMountType("other")
+
+	tests := []struct {
+		name          string
+		pod           *corev1.Pod
+		expectReason  string
+		expectDetail  string
+		expectAllowed bool
+	}{
+		{
+			name: "procMount",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
+					{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
+				},
+				HostUsers: ptr.To(true),
+			}},
+			expectReason:  `procMount`,
+			expectAllowed: false,
+			expectDetail:  `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
+		},
+		{
+			name: "procMount with userns",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
+					{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
+				},
+				HostUsers: ptr.To(false),
+			}},
+			expectReason:  "",
+			expectDetail:  "",
+			expectAllowed: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := procMount1_35baseline(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			if result.Allowed != tc.expectAllowed {
+				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
+			}
+			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+			if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+				t.Errorf("expected\n%s\ngot\n%s", e, a)
+			}
+		})
+	}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go
new file mode 100644
index 0000000000000..5d6559ad4f18f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+
+The default /proc masks are set up to reduce attack surface, and should be required by the restricted profile.
+
+**Restricted Fields:**
+spec.containers[*].securityContext.procMount
+spec.initContainers[*].securityContext.procMount
+
+**Allowed Values:** undefined/null, "Default"
+
+*/
+
+func init() {
+	addCheck(CheckProcMountRestricted)
+}
+
+// CheckProcMountRestricted returns a restricted level check that forbids unmasked procmount.
+func CheckProcMountRestricted() Check {
+	return Check{
+		ID:    "procMount_restricted",
+		Level: api.LevelRestricted,
+		Versions: []VersionedCheck{
+			{
+				// Prior to 1.35, the baseline "procMount" check ran procMount_1_0 to unconditionally block unmasked procMount.
+				// In 1.35+, baseline conditionally relaxes for user namespace pods.
+				// Starting at that version, keep running the unconditional block in the restricted profile,
+				// and override the slightly weaker version of the same check from the baseline profile.
+				MinimumVersion:   api.MajorMinorVersion(1, 35),
+				CheckPod:         procMount_1_0,
+				OverrideCheckIDs: []CheckID{"procMount"},
+			},
+		},
+	}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go
new file mode 100644
index 0000000000000..d791027d06d40
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestProcMountRestricted(t *testing.T) {
+	defaultValue := corev1.DefaultProcMount
+	unmaskedValue := corev1.UnmaskedProcMount
+	otherValue := corev1.ProcMountType("other")
+
+	tests := []struct {
+		name          string
+		pod           *corev1.Pod
+		expectReason  string
+		expectDetail  string
+		expectAllowed bool
+	}{
+		{
+			name: "procMount",
+			pod: &corev1.Pod{Spec: corev1.PodSpec{
+				Containers: []corev1.Container{
+					{Name: "a", SecurityContext: nil},
+					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
+					{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
+					{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
+					{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
+				},
+			}},
+			expectReason:  `procMount`,
+			expectAllowed: false,
+			expectDetail:  `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
+		},
+	}
+
+	for _, tc := range tests {
+		for _, userns := range []bool{true, false} {
+			t.Run(tc.name, func(t *testing.T) {
+				tc.pod.Spec.HostUsers = &userns
+				result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
+				if result.Allowed != tc.expectAllowed {
+					t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
+				}
+				if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+					t.Errorf("expected\n%s\ngot\n%s", e, a)
+				}
+				if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+					t.Errorf("expected\n%s\ngot\n%s", e, a)
+				}
+			})
+		}
+	}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go
deleted file mode 100644
index 576be1e743d73..0000000000000
--- a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
-Copyright 2021 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package policy
-
-import (
-	"testing"
-
-	corev1 "k8s.io/api/core/v1"
-)
-
-func TestProcMount(t *testing.T) {
-	defaultValue := corev1.DefaultProcMount
-	unmaskedValue := corev1.UnmaskedProcMount
-	otherValue := corev1.ProcMountType("other")
-
-	hostUsers := false
-	tests := []struct {
-		name           string
-		pod            *corev1.Pod
-		expectReason   string
-		expectDetail   string
-		expectAllowed  bool
-		relaxForUserNS bool
-	}{
-		{
-			name: "procMount",
-			pod: &corev1.Pod{Spec: corev1.PodSpec{
-				Containers: []corev1.Container{
-					{Name: "a", SecurityContext: nil},
-					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
-					{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
-					{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
-					{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
-				},
-				HostUsers: &hostUsers,
-			}},
-			expectReason:  `procMount`,
-			expectAllowed: false,
-			expectDetail:  `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
-		},
-		{
-			name: "procMount",
-			pod: &corev1.Pod{Spec: corev1.PodSpec{
-				Containers: []corev1.Container{
-					{Name: "a", SecurityContext: nil},
-					{Name: "b", SecurityContext: &corev1.SecurityContext{}},
-					{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
-					{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
-					{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
-				},
-				HostUsers: &hostUsers,
-			}},
-			expectReason:   "",
-			expectDetail:   "",
-			expectAllowed:  true,
-			relaxForUserNS: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if tc.relaxForUserNS {
-				RelaxPolicyForUserNamespacePods(true)
-				t.Cleanup(func() {
-					RelaxPolicyForUserNamespacePods(false)
-				})
-			}
-			result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
-			if result.Allowed != tc.expectAllowed {
-				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
-			}
-			if e, a := tc.expectReason, result.ForbiddenReason; e != a {
-				t.Errorf("expected\n%s\ngot\n%s", e, a)
-			}
-			if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
-				t.Errorf("expected\n%s\ngot\n%s", e, a)
-			}
-		})
-	}
-}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
index 87b83727b26f6..91b48d19e32cd 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
@@ -26,7 +26,8 @@ import (
 )
 
 /*
-Containers must be required to run as non-root users.
+Containers must be required to run as non-root users,
+unless the pod is in a user namespace ("hostUsers: false").
 
 **Restricted Fields:**
 
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsNonRoot
 **Allowed Values:**
 true
 undefined/null at container-level if pod-level is set to true
+any value if "hostUsers" is false
 */
 
 func init() {
@@ -52,18 +54,28 @@ func CheckRunAsNonRoot() Check {
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 0),
-				CheckPod:       runAsNonRoot_1_0,
+				CheckPod:       runAsNonRoot1_0,
+			},
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 35),
+				CheckPod:       runAsNonRoot1_35,
 			},
 		},
 	}
 }
 
-func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+func runAsNonRoot1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 	// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+	// In the 1.0 policy, this relaxation was gated on a perma-alpha feature gate.
+	// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
 	if relaxPolicyForUserNamespacePod(podSpec) {
 		return CheckResult{Allowed: true}
 	}
 
+	return runAsNonRoot1_0(podMetadata, podSpec)
+}
+
+func runAsNonRoot1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 	// things that explicitly set runAsNonRoot=false
 	var badSetters []string
 
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
index 3daedad4d7a6f..356790cbddde1 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go
@@ -25,12 +25,11 @@ import (
 
 func TestRunAsNonRoot(t *testing.T) {
 	tests := []struct {
-		name           string
-		pod            *corev1.Pod
-		expectReason   string
-		expectDetail   string
-		expectAllowed  bool
-		relaxForUserNS bool
+		name          string
+		pod           *corev1.Pod
+		expectReason  string
+		expectDetail  string
+		expectAllowed bool
 	}{
 		{
 			name: "no explicit runAsNonRoot",
@@ -83,37 +82,17 @@ func TestRunAsNonRoot(t *testing.T) {
 			expectDetail: `pod or containers "a", "b" must set securityContext.runAsNonRoot=true`,
 		},
 		{
-			name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
+			name: "host users false allowed",
 			pod: &corev1.Pod{Spec: corev1.PodSpec{
 				HostUsers: ptr.To(false),
 			}},
-			expectAllowed:  true,
-			relaxForUserNS: true,
-		},
-		{
-			name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
-			pod: &corev1.Pod{Spec: corev1.PodSpec{
-				Containers: []corev1.Container{
-					{Name: "a"},
-				},
-				HostUsers: ptr.To(true),
-			}},
-			expectReason:   `runAsNonRoot != true`,
-			expectDetail:   `pod or container "a" must set securityContext.runAsNonRoot=true`,
-			expectAllowed:  false,
-			relaxForUserNS: true,
+			expectAllowed: true,
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.relaxForUserNS {
-				RelaxPolicyForUserNamespacePods(true)
-				t.Cleanup(func() {
-					RelaxPolicyForUserNamespacePods(false)
-				})
-			}
-			result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			result := runAsNonRoot1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
 			if result.Allowed != tc.expectAllowed {
 				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 			}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
index eb9553ee04d82..589e80944519b 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
@@ -27,6 +27,7 @@ import (
 
 /*
 Containers must not set runAsUser: 0
+unless the pod is in a user namespace ("hostUsers: false").
 
 **Restricted Fields:**
 
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsUser
 **Allowed Values:**
 non-zero values
 undefined/null
+any value if "hostUsers" is false
 
 */
 
@@ -53,18 +55,28 @@ func CheckRunAsUser() Check {
 		Versions: []VersionedCheck{
 			{
 				MinimumVersion: api.MajorMinorVersion(1, 23),
-				CheckPod:       runAsUser_1_23,
+				CheckPod:       runAsUser1_23,
+			},
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 35),
+				CheckPod:       runAsUser1_35,
 			},
 		},
 	}
 }
 
-func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+func runAsUser1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 	// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+	// In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.
+	// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
 	if relaxPolicyForUserNamespacePod(podSpec) {
 		return CheckResult{Allowed: true}
 	}
+	return runAsUser1_23(podMetadata, podSpec)
+
+}
 
+func runAsUser1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 	// things that explicitly set runAsUser=0
 	var badSetters []string
 
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
index df54e21f94393..9f3bee9ed4c9a 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
@@ -25,12 +25,11 @@ import (
 
 func TestRunAsUser(t *testing.T) {
 	tests := []struct {
-		name           string
-		pod            *corev1.Pod
-		expectAllowed  bool
-		expectReason   string
-		expectDetail   string
-		relaxForUserNS bool
+		name          string
+		pod           *corev1.Pod
+		expectAllowed bool
+		expectReason  string
+		expectDetail  string
 	}{
 		{
 			name: "pod runAsUser=0",
@@ -92,38 +91,17 @@ func TestRunAsUser(t *testing.T) {
 			expectAllowed: true,
 		},
 		{
-			name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
+			name: "host users false allowed",
 			pod: &corev1.Pod{Spec: corev1.PodSpec{
 				HostUsers: ptr.To(false),
 			}},
-			expectAllowed:  true,
-			relaxForUserNS: true,
-		},
-		{
-			name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
-			pod: &corev1.Pod{Spec: corev1.PodSpec{
-				SecurityContext: &corev1.PodSecurityContext{RunAsUser: ptr.To[int64](0)},
-				Containers: []corev1.Container{
-					{Name: "a", SecurityContext: nil},
-				},
-				HostUsers: ptr.To(true),
-			}},
-			expectAllowed:  false,
-			expectReason:   `runAsUser=0`,
-			expectDetail:   `pod must not set runAsUser=0`,
-			relaxForUserNS: true,
+			expectAllowed: true,
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.relaxForUserNS {
-				RelaxPolicyForUserNamespacePods(true)
-				t.Cleanup(func() {
-					RelaxPolicyForUserNamespacePods(false)
-				})
-			}
-			result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
+			result := runAsUser1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
 			if result.Allowed != tc.expectAllowed {
 				t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
 			}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/helpers.go b/staging/src/k8s.io/pod-security-admission/policy/helpers.go
index e35348929cfdd..2f7525eb1bff8 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/helpers.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/helpers.go
@@ -18,7 +18,6 @@ package policy
 
 import (
 	"strings"
-	"sync/atomic"
 
 	corev1 "k8s.io/api/core/v1"
 )
@@ -37,20 +36,8 @@ func pluralize(singular, plural string, count int) string {
 	return plural
 }
 
-var relaxPolicyForUserNamespacePods = &atomic.Bool{}
-
-// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
-// runAsNonRoot restricted policies for user namespace pods, before the
-// usernamespace feature has reached GA and propagated to the oldest supported
-// nodes.
-// This should only be opted into in clusters where the administrator ensures
-// all nodes in the cluster enable the user namespace feature.
-func RelaxPolicyForUserNamespacePods(relax bool) {
-	relaxPolicyForUserNamespacePods.Store(relax)
-}
-
 // relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
 // because of enabled user namespaces in the provided pod spec.
 func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
-	return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
+	return podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/registry.go b/staging/src/k8s.io/pod-security-admission/policy/registry.go
index 4b91bef8875d4..1648ff020cc60 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/registry.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/registry.go
@@ -46,7 +46,7 @@ type checkRegistry struct {
 // 2. Check.Level must be either Baseline or Restricted
 // 3. Checks must have a non-empty set of versions, sorted in a strictly increasing order
 // 4. Check.Versions cannot include 'latest'
-func NewEvaluator(checks []Check) (Evaluator, error) {
+func NewEvaluator(checks []Check, emulationVersion *api.Version) (*checkRegistry, error) {
 	if err := validateChecks(checks); err != nil {
 		return nil, err
 	}
@@ -55,6 +55,12 @@ func NewEvaluator(checks []Check) (Evaluator, error) {
 		restrictedChecks: map[api.Version][]CheckPodFn{},
 	}
 	populate(r, checks)
+
+	// lower the max version if we're emulating an older minor
+	if emulationVersion != nil && (*emulationVersion).Older(r.maxVersion) {
+		r.maxVersion = *emulationVersion
+	}
+
 	return r, nil
 }
 
diff --git a/staging/src/k8s.io/pod-security-admission/policy/registry_test.go b/staging/src/k8s.io/pod-security-admission/policy/registry_test.go
index 039b83b25b8a1..ee6c078bec2e4 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/registry_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/registry_test.go
@@ -43,7 +43,7 @@ func TestCheckRegistry(t *testing.T) {
 	multiOverride.Versions[1].OverrideCheckIDs = []CheckID{"d"}
 	checks = append(checks, multiOverride)
 
-	reg, err := NewEvaluator(checks)
+	reg, err := NewEvaluator(checks, nil)
 	require.NoError(t, err)
 
 	levelCases := []registryTestCase{
@@ -76,7 +76,7 @@ func TestCheckRegistry_NoBaseline(t *testing.T) {
 		withOverrides(generateCheck("h", api.LevelRestricted, []string{"v1.0"}), []CheckID{"b"}),
 	}
 
-	reg, err := NewEvaluator(checks)
+	reg, err := NewEvaluator(checks, nil)
 	require.NoError(t, err)
 
 	levelCases := []registryTestCase{
@@ -103,7 +103,7 @@ func TestCheckRegistry_NoRestricted(t *testing.T) {
 		generateCheck("d", api.LevelBaseline, []string{"v1.11", "v1.15", "v1.20"}),
 	}
 
-	reg, err := NewEvaluator(checks)
+	reg, err := NewEvaluator(checks, nil)
 	require.NoError(t, err)
 
 	levelCases := []registryTestCase{
@@ -124,7 +124,7 @@ func TestCheckRegistry_NoRestricted(t *testing.T) {
 }
 
 func TestCheckRegistry_Empty(t *testing.T) {
-	reg, err := NewEvaluator(nil)
+	reg, err := NewEvaluator(nil, nil)
 	require.NoError(t, err)
 
 	levelCases := []registryTestCase{
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures.go b/staging/src/k8s.io/pod-security-admission/test/fixtures.go
index 8aae002faa732..d11719ee2ca4c 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures.go
@@ -183,9 +183,14 @@ type fixtureGenerator struct {
 	// Pass cases are not allowed to be feature-gated (pass cases must only depend on data existing in GA fields).
 	failRequiresFeatures []featuregate.Feature
 
-	// generatePass transforms a minimum valid pod into one or more valid pods.
+	// failRequiresError indicates the fixtures in the failure cases cannot be created with warnings, but result in API errors.
+	// This happens when the combination of fields required to fail the PSA check also fails validation.
+	// When failRequiresError=true, the controller test scenarios expect failure cases to be rejected rather than accepted with warnings.
+	failRequiresError bool
+
+	// generatePass transforms a minimum valid pod into one or more valid pods that pass the given policy level.
 	// pods do not need to populate metadata.name.
-	generatePass func(*corev1.Pod) []*corev1.Pod
+	generatePass func(*corev1.Pod, api.Level) []*corev1.Pod
 	// generateFail transforms a minimum valid pod into one or more invalid pods.
 	// pods do not need to populate metadata.name.
 	generateFail func(*corev1.Pod) []*corev1.Pod
@@ -201,6 +206,11 @@ type fixtureData struct {
 	// Pass cases are not allowed to be feature-gated (pass cases must only depend on data existing in GA fields).
 	failRequiresFeatures []featuregate.Feature
 
+	// failRequiresError indicates the fixtures in the failure cases cannot be created with warnings, but result in API errors.
+	// This happens when the combination of fields required to fail the PSA check also fails validation.
+	// When failRequiresError=true, the controller test scenarios expect failure cases to be rejected rather than accepted with warnings.
+	failRequiresError bool
+
 	pass []*corev1.Pod
 	fail []*corev1.Pod
 }
@@ -248,8 +258,9 @@ func getFixtures(key fixtureKey) (fixtureData, error) {
 			data := fixtureData{
 				expectErrorSubstring: generator.expectErrorSubstring,
 				failRequiresFeatures: generator.failRequiresFeatures,
+				failRequiresError:    generator.failRequiresError,
 
-				pass: generator.generatePass(validPodForLevel.DeepCopy()),
+				pass: generator.generatePass(validPodForLevel.DeepCopy(), key.level),
 				fail: generator.generateFail(validPodForLevel.DeepCopy()),
 			}
 			if len(data.expectErrorSubstring) == 0 {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
index 8c65138767ebc..2937734ec4aee 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
@@ -33,7 +33,7 @@ containerFields: []string{
 
 func init() {
 	fixtureData_1_8 := fixtureGenerator{
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil
 		},
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
index 8802c118b7fd0..2d99ebbf2ba42 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_appArmorProfile.go
@@ -24,7 +24,7 @@ import (
 func init() {
 	appArmorFixture_1_0 := fixtureGenerator{
 		expectErrorSubstring: "forbidden AppArmor profile",
-		generatePass: func(pod *corev1.Pod) []*corev1.Pod {
+		generatePass: func(pod *corev1.Pod, _ api.Level) []*corev1.Pod {
 			pod = ensureAnnotation(pod)
 			return []*corev1.Pod{
 				// container with runtime/default annotation
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go
index 1293c2dca70f8..679548f1efb02 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_baseline.go
@@ -48,7 +48,7 @@ func ensureCapabilities(p *corev1.Pod) *corev1.Pod {
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "capabilities",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// don't generate fixtures if minimal valid pod drops ALL
 			if p.Spec.Containers[0].SecurityContext != nil && p.Spec.Containers[0].SecurityContext.Capabilities != nil {
 				for _, capability := range p.Spec.Containers[0].SecurityContext.Capabilities.Drop {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_restricted.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_restricted.go
index 98f098e7860fa..ca0b54cb8a2ea 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_capabilities_restricted.go
@@ -31,7 +31,7 @@ containerFields: []string{
 func init() {
 	fixtureData_1_22 := fixtureGenerator{
 		expectErrorSubstring: "unrestricted capabilities",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureCapabilities(p)
 			return []*corev1.Pod{
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostNamespaces.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostNamespaces.go
index 0ceb27a2ea850..18a8d60f24d5d 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostNamespaces.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostNamespaces.go
@@ -29,7 +29,7 @@ func init() {
 
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "host namespaces",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil
 		},
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go
index 7b891fdaff254..6acf1586ab751 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPathVolumes.go
@@ -29,7 +29,7 @@ func init() {
 
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "hostPath",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil
 		},
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPorts.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPorts.go
index a48ad4d3a04ab..0427fe96a80b3 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPorts.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPorts.go
@@ -32,7 +32,7 @@ containerFields: []string{
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "hostPort",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			return []*corev1.Pod{
 				// no host ports
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostProbesAndHostLifecycle.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostProbesAndHostLifecycle.go
index 6ec1d45ead6f7..96c46deb4f2c4 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostProbesAndHostLifecycle.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostProbesAndHostLifecycle.go
@@ -25,7 +25,7 @@ import (
 func init() {
 	fixtureDataV1Dot34 := fixtureGenerator{
 		expectErrorSubstring: "probe or lifecycle host",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			return []*corev1.Pod{
 				p, // A pod with no probes should pass.
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go
index e0120c4f78941..ecf50f5f643f0 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go
@@ -33,7 +33,7 @@ containerFields: []string{
 
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
 				// privileged explicitly set to false
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
index 98d33f1740465..73917dd164c18 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
@@ -20,13 +20,13 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/component-base/featuregate"
 	"k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
 )
 
 func init() {
-	hostUsers := false
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "procMount",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
 				// set proc mount of container and init container to a valid value
@@ -34,7 +34,7 @@ func init() {
 					validProcMountType := corev1.DefaultProcMount
 					copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
 					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
-					copy.Spec.HostUsers = &hostUsers
+					copy.Spec.HostUsers = ptr.To(false)
 				}),
 			}
 		},
@@ -46,13 +46,13 @@ func init() {
 				tweak(p, func(copy *corev1.Pod) {
 					unmaskedProcMountType := corev1.UnmaskedProcMount
 					copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
-					copy.Spec.HostUsers = &hostUsers
+					copy.Spec.HostUsers = ptr.To(false)
 				}),
 				// set proc mount of init container to a forbidden value
 				tweak(p, func(copy *corev1.Pod) {
 					unmaskedProcMountType := corev1.UnmaskedProcMount
 					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
-					copy.Spec.HostUsers = &hostUsers
+					copy.Spec.HostUsers = ptr.To(false)
 				}),
 			}
 		},
@@ -62,4 +62,95 @@ func init() {
 		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"},
 		fixtureData_1_0,
 	)
+
+	fixtureData1_35baseline := fixtureGenerator{
+		expectErrorSubstring: "procMount",
+		generatePass: func(p *corev1.Pod, level api.Level) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			retval := []*corev1.Pod{
+				// set proc mount of container and init container to a valid value
+				tweak(p, func(copy *corev1.Pod) {
+					validProcMountType := corev1.DefaultProcMount
+					copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
+					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
+					copy.Spec.HostUsers = ptr.To(false)
+				}),
+			}
+
+			if level != api.LevelRestricted {
+				// don't expect the unmasked namespace user pod to pass in restricted mode
+				retval = append(retval, tweak(p, func(copy *corev1.Pod) {
+					unmaskedProcMountType := corev1.UnmaskedProcMount
+					copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.HostUsers = ptr.To(false)
+				}))
+			}
+
+			return retval
+		},
+		failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
+		failRequiresError:    true, // the only combination that can fail the 1.35 baseline check also fails validation
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				// set proc mount of container to a forbidden value
+				tweak(p, func(copy *corev1.Pod) {
+					unmaskedProcMountType := corev1.UnmaskedProcMount
+					copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.HostUsers = ptr.To(true)
+				}),
+				// set proc mount of init container to a forbidden value
+				tweak(p, func(copy *corev1.Pod) {
+					unmaskedProcMountType := corev1.UnmaskedProcMount
+					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.HostUsers = ptr.To(true)
+				}),
+			}
+		},
+	}
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 35), check: "procMount"},
+		fixtureData1_35baseline,
+	)
+
+	fixtureData1_35restricted := fixtureGenerator{
+		expectErrorSubstring: "procMount",
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				// set proc mount of container and init container to a valid value
+				tweak(p, func(copy *corev1.Pod) {
+					validProcMountType := corev1.DefaultProcMount
+					copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
+					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
+					copy.Spec.HostUsers = ptr.To(false)
+				}),
+			}
+		},
+		failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				// set proc mount of container to a forbidden value
+				tweak(p, func(copy *corev1.Pod) {
+					unmaskedProcMountType := corev1.UnmaskedProcMount
+					copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.HostUsers = ptr.To(false)
+				}),
+				// set proc mount of init container to a forbidden value
+				tweak(p, func(copy *corev1.Pod) {
+					unmaskedProcMountType := corev1.UnmaskedProcMount
+					copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
+					copy.Spec.HostUsers = ptr.To(false)
+				}),
+			}
+		},
+	}
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 35), check: "procMount_restricted"},
+		fixtureData1_35restricted,
+	)
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go
index 596148bfbdaf5..507152068e77f 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go
@@ -25,7 +25,7 @@ func init() {
 	// volumeType := "ext4"
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "restricted volume types",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			return []*corev1.Pod{
 				// pod that has all allowed volume types
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsNonRoot.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsNonRoot.go
index 2dd0096d70181..19b90d5d5e5b8 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsNonRoot.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsNonRoot.go
@@ -37,7 +37,7 @@ containerFields: []string{
 func init() {
 
 	fixtureData_1_0 := fixtureGenerator{
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
 				// set at pod level
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsUser.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsUser.go
index e61ed52010aec..c90e6d0771485 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsUser.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_runAsUser.go
@@ -37,7 +37,7 @@ containerFields: []string{
 func init() {
 
 	fixtureData_1_23 := fixtureGenerator{
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_seLinuxOptions.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_seLinuxOptions.go
index c11a6fcf0b9d7..2f3b20593c3cd 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_seLinuxOptions.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_seLinuxOptions.go
@@ -39,7 +39,7 @@ containerFields: []string{
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "seLinuxOptions",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSELinuxOptions(p)
 			return []*corev1.Pod{
 				// security context with no seLinuxOptions
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_baseline.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_baseline.go
index 66d75c8947b7f..1585c9cbc800d 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_baseline.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_baseline.go
@@ -31,7 +31,7 @@ The check implementation looks at the appropriate value based on version.
 func init() {
 	fixtureData_baseline_1_0 := fixtureGenerator{
 		expectErrorSubstring: "seccompProfile",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// don't generate fixtures if minimal valid pod already has seccomp config
 			if val, ok := p.Annotations[annotationKeyPod]; ok &&
 				val == corev1.SeccompProfileRuntimeDefault {
@@ -67,7 +67,7 @@ func init() {
 
 	fixtureData_baseline_1_19 := fixtureGenerator{
 		expectErrorSubstring: "seccompProfile",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// don't generate fixtures if minimal valid pod already has seccomp config
 			if p.Spec.SecurityContext != nil &&
 				p.Spec.SecurityContext.SeccompProfile != nil &&
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_restricted.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_restricted.go
index f26189486cb01..30933c0b62639 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccompProfile_restricted.go
@@ -31,7 +31,7 @@ The check implementation looks at the appropriate value based on version.
 func init() {
 	fixtureData_restricted_1_19 := fixtureGenerator{
 		expectErrorSubstring: "seccompProfile",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
 				tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
index 8c740a6276357..6f9a246a3a5ec 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
@@ -32,7 +32,7 @@ podFields: []string{
 func init() {
 	fixtureData_1_0 := fixtureGenerator{
 		expectErrorSubstring: "forbidden sysctl",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			if p.Spec.SecurityContext == nil {
 				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
 			}
@@ -72,7 +72,7 @@ func init() {
 
 	fixtureData_1_27 := fixtureGenerator{
 		expectErrorSubstring: "forbidden sysctl",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			if p.Spec.SecurityContext == nil {
 				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
 			}
@@ -113,7 +113,7 @@ func init() {
 
 	fixtureDataV1Dot29 := fixtureGenerator{
 		expectErrorSubstring: "forbidden sysctl",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			if p.Spec.SecurityContext == nil {
 				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
 			}
@@ -159,7 +159,7 @@ func init() {
 
 	fixtureDataV1Dot32 := fixtureGenerator{
 		expectErrorSubstring: "forbidden sysctl",
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			if p.Spec.SecurityContext == nil {
 				p.Spec.SecurityContext = &corev1.PodSecurityContext{}
 			}
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_windowsHostProcess.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_windowsHostProcess.go
index a54706a626a4e..7d2ff8f4f231b 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_windowsHostProcess.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_windowsHostProcess.go
@@ -37,7 +37,7 @@ containerFields: []string{
 func init() {
 
 	fixtureData_1_0 := fixtureGenerator{
-		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+		generatePass: func(p *corev1.Pod, _ api.Level) []*corev1.Pod {
 			// minimal valid pod already captures all valid combinations
 			return nil
 		},
diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go
index 8e3451e419e4b..da6f190fa28f0 100644
--- a/staging/src/k8s.io/pod-security-admission/test/run.go
+++ b/staging/src/k8s.io/pod-security-admission/test/run.go
@@ -37,7 +37,7 @@ import (
 )
 
 const (
-	newestMinorVersionToTest            = 34
+	newestMinorVersionToTest            = 35
 	podOSBasedRestrictionEnabledVersion = 29
 )
 
@@ -53,6 +53,10 @@ type Options struct {
 	// If unset, all testcases are run.
 	Features featuregate.FeatureGate
 
+	// EmulationVersion optionally indicates a different minor version is being emulated.
+	// This can lower the effective "latest" version.
+	EmulationVersion *api.Version
+
 	// CreateNamespace is an optional stub for creating a namespace with the given name and labels.
 	// Returning an error fails the test.
 	// If nil, DefaultCreateNamespace is used.
@@ -194,7 +198,7 @@ func Run(t *testing.T, opts Options) {
 	if len(opts.Checks) == 0 {
 		opts.Checks = policy.DefaultChecks()
 	}
-	_, err = policy.NewEvaluator(opts.Checks)
+	_, err = policy.NewEvaluator(opts.Checks, opts.EmulationVersion)
 	if err != nil {
 		t.Fatalf("invalid checks: %v", err)
 	}
@@ -266,8 +270,9 @@ func Run(t *testing.T, opts Options) {
 			}
 
 			// create controller
-			createController := func(t *testing.T, i int, pod *corev1.Pod, expectSuccess bool, expectErrorSubstring string) {
+			createController := func(t *testing.T, i int, pod *corev1.Pod, expectSuccess bool, expectError bool, expectErrorSubstring string) {
 				t.Helper()
+
 				// avoid mutating original pod fixture
 				pod = pod.DeepCopy()
 				if pod.Labels == nil {
@@ -288,30 +293,45 @@ func Run(t *testing.T, opts Options) {
 					},
 				}
 				_, err := client.AppsV1().Deployments(ns).Create(context.Background(), deployment, metav1.CreateOptions{DryRun: []string{metav1.DryRunAll}})
-				if err != nil {
-					t.Errorf("%d: unexpected error creating controller with %s: %v", i, toJSON(pod), err)
+
+				failureText := ""
+				switch {
+				case expectSuccess && expectError:
+					t.Error("invalid test combination, cannot expectSuccess and expectError")
 					return
+				case expectError:
+					if err == nil {
+						t.Errorf("%d: expected error creating controller with %s, got none", i, toJSON(pod))
+						return
+					}
+					failureText = err.Error()
+				default:
+					if err != nil {
+						t.Errorf("%d: unexpected error creating controller with %s: %v", i, toJSON(pod), err)
+						return
+					}
+					failureText = strings.Join(warningHandler.FlushWarnings(), "; ")
 				}
-				warningText := strings.Join(warningHandler.FlushWarnings(), "; ")
+
 				if !expectSuccess {
-					if len(warningText) == 0 {
+					if len(failureText) == 0 {
 						t.Errorf("%d: expected warnings creating %s, got none", i, toJSON(pod))
 						return
 					}
-					if strings.Contains(warningText, policy.UnknownForbiddenReason) {
-						t.Errorf("%d: unexpected unknown forbidden reason creating %s: %v", i, toJSON(pod), warningText)
+					if strings.Contains(failureText, policy.UnknownForbiddenReason) {
+						t.Errorf("%d: unexpected unknown forbidden reason creating %s: %v", i, toJSON(pod), failureText)
 						return
 					}
-					if !strings.Contains(warningText, expectErrorSubstring) {
-						t.Errorf("%d: expected warning with substring %q, got %v", i, expectErrorSubstring, warningText)
+					if !strings.Contains(failureText, expectErrorSubstring) {
+						t.Errorf("%d: expected warning with substring %q, got %v", i, expectErrorSubstring, failureText)
 						return
 					}
 				}
 
-				if expectSuccess && len(warningText) > 0 {
-					if (len(expectErrorSubstring) > 0 && strings.Contains(warningText, expectErrorSubstring)) ||
-						strings.Contains(warningText, policy.UnknownForbiddenReason) {
-						t.Errorf("%d: unexpected warning creating %s: %v", i, toJSON(pod), warningText)
+				if expectSuccess && len(failureText) > 0 {
+					if (len(expectErrorSubstring) > 0 && strings.Contains(failureText, expectErrorSubstring)) ||
+						strings.Contains(failureText, policy.UnknownForbiddenReason) {
+						t.Errorf("%d: unexpected warning creating %s: %v", i, toJSON(pod), failureText)
 					}
 				}
 			}
@@ -335,15 +355,15 @@ func Run(t *testing.T, opts Options) {
 
 			t.Run(ns+"_pass_base", func(t *testing.T) {
 				createPod(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
-				createController(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "")
+				createController(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, false, "")
 				if minimalValidLinuxPod != nil && minimalValidWindowsPod != nil {
 					// Linux specific pods
 					createPod(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
-					createController(t, 0, minimalValidLinuxPod.DeepCopy(), true, "")
+					createController(t, 0, minimalValidLinuxPod.DeepCopy(), true, false, "")
 
 					// Windows specific pods
 					createPod(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
-					createController(t, 0, minimalValidWindowsPod.DeepCopy(), true, "")
+					createController(t, 0, minimalValidWindowsPod.DeepCopy(), true, false, "")
 				}
 
 			})
@@ -364,7 +384,7 @@ func Run(t *testing.T, opts Options) {
 				t.Run(ns+"_pass_"+string(checkID), func(t *testing.T) {
 					for i, pod := range checkData.pass {
 						createPod(t, i, pod, true, "")
-						createController(t, i, pod, true, "")
+						createController(t, i, pod, true, false, "")
 					}
 				})
 
@@ -381,7 +401,7 @@ func Run(t *testing.T, opts Options) {
 					}
 					for i, pod := range checkData.fail {
 						createPod(t, i, pod, false, checkData.expectErrorSubstring)
-						createController(t, i, pod, false, checkData.expectErrorSubstring)
+						createController(t, i, pod, false, checkData.failRequiresError, checkData.expectErrorSubstring)
 					}
 				})
 			}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..87475d347ddca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000000000..5940a639ec474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..e01a9dece8c49
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000000000..92239d17896d3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - NET_RAW
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000000000..089d8c184c2e7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - chown
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000000000..4befa1edbea17
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - CAP_CHOWN
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000000000..1c4ca9a560a1d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  hostIPC: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000000000..7967a6d50a990
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml
new file mode 100755
index 0000000000000..00039668cd205
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  hostPID: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml
new file mode 100755
index 0000000000000..7f026136fae16
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  volumes:
+  - emptyDir: {}
+    name: volume-emptydir
+  - hostPath:
+      path: /a
+    name: volume-hostpath
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml
new file mode 100755
index 0000000000000..382d27f4f4946
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  volumes:
+  - hostPath:
+      path: /a
+    name: volume-hostpath-a
+  - hostPath:
+      path: /b
+    name: volume-hostpath-b
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml
new file mode 100755
index 0000000000000..ebfdcd48d0dee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml
new file mode 100755
index 0000000000000..d9a2b97af3a3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml
new file mode 100755
index 0000000000000..61b3388f0a75d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+    - containerPort: 12347
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
+    - containerPort: 12348
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 0000000000000..0fdf5a472cef6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        host: bad.host
+        port: 8080
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 0000000000000..194b86fbebac0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    readinessProbe:
+      tcpSocket:
+        host: 8.8.8.8
+        port: 8080
+    restartPolicy: Always
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 0000000000000..d3566005d27bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    lifecycle:
+      postStart:
+        httpGet:
+          host: bad.host
+          port: 8080
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
new file mode 100755
index 0000000000000..ecbb7a991f19e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        host: 127.0.0.1
+        port: 8080
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
new file mode 100755
index 0000000000000..e54314b7b8e94
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    readinessProbe:
+      tcpSocket:
+        host: ::1
+        port: 8080
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
new file mode 100755
index 0000000000000..e5cc7b94fdd92
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      privileged: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
new file mode 100755
index 0000000000000..31935b9955c18
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: true
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
new file mode 100755
index 0000000000000..761b9a7126f73
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      procMount: Unmasked
+  hostUsers: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
new file mode 100755
index 0000000000000..887518ed9ec71
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext: {}
+  hostUsers: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Unmasked
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000000000..f455958da8288
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 0000000000000..8a86112acd10c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 0000000000000..21822558178a2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..f3307078cd7b5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..6629d05efc43c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
new file mode 100755
index 0000000000000..65876a92b6145
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: somevalue
+  securityContext:
+    seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000000000..71d89fbe572fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000000000..74e05cbb709a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext:
+    seLinuxOptions:
+      role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
new file mode 100755
index 0000000000000..81508d69e60ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: othersysctl
+      value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000000000..1e506b1f8037c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      windowsOptions: {}
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions: {}
+  securityContext:
+    windowsOptions:
+      hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000000000..1a9d3e94a0ea8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      windowsOptions:
+        hostProcess: true
+  securityContext:
+    windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..213a6a6c411c4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
new file mode 100755
index 0000000000000..387a4be317071
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..df93c1cd65200
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
new file mode 100755
index 0000000000000..61fddccdbbe1a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 0000000000000..356dbdaa8118a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 0000000000000..f11c12a32abd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        port: 8080
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 0000000000000..a9b0b6e358b8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    readinessProbe:
+      tcpSocket:
+        port: 8080
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
new file mode 100755
index 0000000000000..0b64b687c7aea
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      privileged: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      privileged: false
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
new file mode 100755
index 0000000000000..53468519b3209
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      procMount: Default
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Default
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
new file mode 100755
index 0000000000000..793e56e9f203c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      procMount: Unmasked
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      procMount: Unmasked
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000000000..2e05d163254e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..dafa4dbc3dec8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions: {}
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..a2688f5c23efa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      seLinuxOptions:
+        level: somevalue
+        type: container_init_t
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      seLinuxOptions:
+        type: container_kvm_t
+  securityContext:
+    seLinuxOptions:
+      type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
new file mode 100755
index 0000000000000..2148dc0867ebb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
new file mode 100755
index 0000000000000..96eb717348941
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  securityContext:
+    sysctls:
+    - name: net.ipv4.tcp_rmem
+      value: 4096 87380 16777216
+    - name: net.ipv4.tcp_wmem
+      value: 4096 65536 16777216
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 0000000000000..837b55acc9513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 0000000000000..6189466557900
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 0000000000000..9302cc63494e1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 0000000000000..083ce350f4e73
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowprivilegeescalation3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..14de67ea27c4e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: unconfined
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000000000..0e4313b54219f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+  name: apparmorprofile1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..2be0164f3e157
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_RAW
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000000000..f68d6b3883069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_RAW
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000000000..702bd87de6e9c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - chown
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000000000..3e6aa463175b7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_baseline3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - CAP_CHOWN
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml
new file mode 100755
index 0000000000000..857c11b86bbd3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml
new file mode 100755
index 0000000000000..9c987673a0a6c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_restricted1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml
new file mode 100755
index 0000000000000..be25f6aeac1d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml
@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_restricted2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - SYS_TIME
+        - SYS_MODULE
+        - SYS_RAWIO
+        - SYS_PACCT
+        - SYS_ADMIN
+        - SYS_NICE
+        - SYS_RESOURCE
+        - SYS_TIME
+        - SYS_TTY_CONFIG
+        - MKNOD
+        - AUDIT_WRITE
+        - AUDIT_CONTROL
+        - MAC_OVERRIDE
+        - MAC_ADMIN
+        - NET_ADMIN
+        - SYSLOG
+        - CHOWN
+        - NET_RAW
+        - DAC_OVERRIDE
+        - FOWNER
+        - DAC_READ_SEARCH
+        - FSETID
+        - KILL
+        - SETGID
+        - SETUID
+        - LINUX_IMMUTABLE
+        - NET_BIND_SERVICE
+        - NET_BROADCAST
+        - IPC_LOCK
+        - IPC_OWNER
+        - SYS_CHROOT
+        - SYS_PTRACE
+        - SYS_BOOT
+        - LEASE
+        - SETFCAP
+        - WAKE_ALARM
+        - BLOCK_SUSPEND
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - SYS_TIME
+        - SYS_MODULE
+        - SYS_RAWIO
+        - SYS_PACCT
+        - SYS_ADMIN
+        - SYS_NICE
+        - SYS_RESOURCE
+        - SYS_TIME
+        - SYS_TTY_CONFIG
+        - MKNOD
+        - AUDIT_WRITE
+        - AUDIT_CONTROL
+        - MAC_OVERRIDE
+        - MAC_ADMIN
+        - NET_ADMIN
+        - SYSLOG
+        - CHOWN
+        - NET_RAW
+        - DAC_OVERRIDE
+        - FOWNER
+        - DAC_READ_SEARCH
+        - FSETID
+        - KILL
+        - SETGID
+        - SETUID
+        - LINUX_IMMUTABLE
+        - NET_BIND_SERVICE
+        - NET_BROADCAST
+        - IPC_LOCK
+        - IPC_OWNER
+        - SYS_CHROOT
+        - SYS_PTRACE
+        - SYS_BOOT
+        - LEASE
+        - SETFCAP
+        - WAKE_ALARM
+        - BLOCK_SUSPEND
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml
new file mode 100755
index 0000000000000..517cc3cbc2002
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_restricted3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000000000..c1a7b7a4ba928
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  hostIPC: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000000000..caa294e373c4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml
new file mode 100755
index 0000000000000..32350899785db
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnamespaces2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  hostPID: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml
new file mode 100755
index 0000000000000..86745e64a08e3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - emptyDir: {}
+    name: volume-emptydir
+  - hostPath:
+      path: /a
+    name: volume-hostpath
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml
new file mode 100755
index 0000000000000..bc7759c203659
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostpathvolumes1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - hostPath:
+      path: /a
+    name: volume-hostpath-a
+  - hostPath:
+      path: /b
+    name: volume-hostpath-b
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml
new file mode 100755
index 0000000000000..9bf9055d9ee10
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml
new file mode 100755
index 0000000000000..ddecbf4925d86
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml
new file mode 100755
index 0000000000000..ed9f6920981d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+      hostPort: 12345
+    - containerPort: 12347
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+      hostPort: 12346
+    - containerPort: 12348
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 0000000000000..cb32df69fdfef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        host: bad.host
+        port: 8080
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 0000000000000..8b55e0dd8a0d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    readinessProbe:
+      tcpSocket:
+        host: 8.8.8.8
+        port: 8080
+    restartPolicy: Always
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 0000000000000..86a179b7246b3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    lifecycle:
+      postStart:
+        httpGet:
+          host: bad.host
+          port: 8080
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml
new file mode 100755
index 0000000000000..281b6d74a89df
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        host: 127.0.0.1
+        port: 8080
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml
new file mode 100755
index 0000000000000..d76b87f28fd8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    readinessProbe:
+      tcpSocket:
+        host: ::1
+        port: 8080
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml
new file mode 100755
index 0000000000000..7ad39f5c045b8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      capabilities:
+        drop:
+        - ALL
+      privileged: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml
new file mode 100755
index 0000000000000..cb41dcb3aa4dd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      capabilities:
+        drop:
+        - ALL
+      privileged: true
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml
new file mode 100755
index 0000000000000..31abae958b790
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Unmasked
+  hostUsers: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml
new file mode 100755
index 0000000000000..20fc044f33a3e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  hostUsers: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Unmasked
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml
new file mode 100755
index 0000000000000..a33c140b75879
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Unmasked
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml
new file mode 100755
index 0000000000000..3aa9205089380
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount_restricted1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Unmasked
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml
new file mode 100755
index 0000000000000..5a95336d26956
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - gcePersistentDisk:
+      pdName: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml
new file mode 100755
index 0000000000000..153326fea893c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml
new file mode 100755
index 0000000000000..f34afe69ca897
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - flocker:
+      datasetName: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml
new file mode 100755
index 0000000000000..384e06f6b2301
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - fc:
+      wwids:
+      - test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml
new file mode 100755
index 0000000000000..8757fbf7fb4ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - azureFile:
+      secretName: test
+      shareName: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml
new file mode 100755
index 0000000000000..9e2086df359b5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    vsphereVolume:
+      volumePath: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml
new file mode 100755
index 0000000000000..d8b9605e4d152
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    quobyte:
+      registry: localhost:1234
+      volume: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml
new file mode 100755
index 0000000000000..f3462ab7f43e6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - azureDisk:
+      diskName: test
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml
new file mode 100755
index 0000000000000..d83daa6fcb142
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    portworxVolume:
+      fsType: ext4
+      volumeID: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml
new file mode 100755
index 0000000000000..23f6b770e4644
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: test
+      volumeName: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml
new file mode 100755
index 0000000000000..ca5d93f57fd30
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    storageos:
+      volumeName: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml
new file mode 100755
index 0000000000000..4ca4381bec973
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml
new file mode 100755
index 0000000000000..9154458079c12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml
new file mode 100755
index 0000000000000..f1060bc355198
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    nfs:
+      path: /test
+      server: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml
new file mode 100755
index 0000000000000..3a1447417e476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - iscsi:
+      iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+      lun: 0
+      targetPortal: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml
new file mode 100755
index 0000000000000..e64cbe9ab50ce
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes5
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - glusterfs:
+      endpoints: test
+      path: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml
new file mode 100755
index 0000000000000..4d596c9e4156e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes6
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume1
+    rbd:
+      image: test
+      monitors:
+      - test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml
new file mode 100755
index 0000000000000..c3887a35c1222
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes7
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - flexVolume:
+      driver: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml
new file mode 100755
index 0000000000000..e11afbbe8ec1d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes8
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - cinder:
+      volumeID: test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml
new file mode 100755
index 0000000000000..8159a4858b96b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes9
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - cephfs:
+      monitors:
+      - test
+    name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml
new file mode 100755
index 0000000000000..f460f659d94d3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml
new file mode 100755
index 0000000000000..285409793ea15
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: false
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml
new file mode 100755
index 0000000000000..067c7970fa7e3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml
new file mode 100755
index 0000000000000..5459f294e0b5c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: false
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml
new file mode 100755
index 0000000000000..5f7c9e0f0055a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasuser0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 0
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml
new file mode 100755
index 0000000000000..ff62334ead6b5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasuser1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsUser: 0
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml
new file mode 100755
index 0000000000000..26c713497d0d0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasuser2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsUser: 0
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000000000..0b875ce5f0194
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 0000000000000..3e63c31668cde
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 0000000000000..4cd99407164bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_baseline2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: Unconfined
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml
new file mode 100755
index 0000000000000..64b5604b5a4e3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000000000..2ec3d48dfb6af
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000000000..c63c622a6add8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml
new file mode 100755
index 0000000000000..69c969f8a6819
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml
new file mode 100755
index 0000000000000..b17bf7648e41b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: Unconfined
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..7135bb20b8e24
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions:
+      type: somevalue
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..c99b8a5ed4f6b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        type: somevalue
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions: {}
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml
new file mode 100755
index 0000000000000..f2eafc2512bec
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        type: somevalue
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions: {}
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000000000..1da063ebd1f16
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions3
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions:
+      user: somevalue
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000000000..a4a38fb6034a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions4
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions:
+      role: somevalue
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml
new file mode 100755
index 0000000000000..841f73d238f5c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    sysctls:
+    - name: othersysctl
+      value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000000000..4262e6a5b8269
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      windowsOptions: {}
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      windowsOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    windowsOptions:
+      hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000000000..ba1ce4a472f05
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: windowshostprocess1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      windowsOptions:
+        hostProcess: true
+  hostNetwork: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      windowsOptions:
+        hostProcess: true
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..53ebdaa01393e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+  name: apparmorprofile0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml
new file mode 100755
index 0000000000000..3b4f3077dccd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml
new file mode 100755
index 0000000000000..67563df702283
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base_linux
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  os:
+    name: linux
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml
new file mode 100755
index 0000000000000..2bc48b4f6b734
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: base_windows
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+  os:
+    name: windows
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml
new file mode 100755
index 0000000000000..8a70cb3efdbd4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: capabilities_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_BIND_SERVICE
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        add:
+        - NET_BIND_SERVICE
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml
new file mode 100755
index 0000000000000..e7f1153589429
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostports0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    ports:
+    - containerPort: 12345
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    ports:
+    - containerPort: 12346
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 0000000000000..e32b2ec98926e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 0000000000000..c34edd0970f33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    livenessProbe:
+      httpGet:
+        port: 8080
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 0000000000000..09919047d85c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostprobesandhostlifecycle2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    readinessProbe:
+      tcpSocket:
+        port: 8080
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml
new file mode 100755
index 0000000000000..8e3aafdd8f17c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml
new file mode 100755
index 0000000000000..5db5a5c947a60
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Default
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Default
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml
new file mode 100755
index 0000000000000..3906b80f17c0d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: procmount_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Default
+  hostUsers: false
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      procMount: Default
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml
new file mode 100755
index 0000000000000..a11722485c5a7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumes:
+  - name: volume0
+  - emptyDir: {}
+    name: volume1
+  - name: volume2
+    secret:
+      secretName: test
+  - name: volume3
+    persistentVolumeClaim:
+      claimName: test
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+    name: volume4
+  - configMap:
+      name: test
+    name: volume5
+  - name: volume6
+    projected:
+      sources: []
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml
new file mode 100755
index 0000000000000..414ac79b469e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml
new file mode 100755
index 0000000000000..549b013e53f8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasnonroot1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: true
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: true
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml
new file mode 100755
index 0000000000000..ed7aff0fa1229
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: runasuser0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsUser: 1000
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      runAsUser: 1000
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml
new file mode 100755
index 0000000000000..f904065ce466a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000000000..5a60fd7c59b62
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000000000..39d68e386b69b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..a45080b742590
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..0a8365605e96d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        level: somevalue
+        type: container_init_t
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        type: container_kvm_t
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions:
+      type: container_t
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml
new file mode 100755
index 0000000000000..84224ffa94d65
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml
new file mode 100755
index 0000000000000..a066dc427693a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    sysctls:
+    - name: net.ipv4.tcp_rmem
+      value: 4096 87380 16777216
+    - name: net.ipv4.tcp_wmem
+      value: 4096 65536 16777216
diff --git a/staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml b/staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml
index 532c4a702fdce..f0fa4380fc835 100644
--- a/staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml
+++ b/staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml
@@ -26,4 +26,4 @@ spec:
         imagePullPolicy: Never
         args: [ "--etcd-servers=http://localhost:2379" ]
       - name: etcd
-        image: gcr.io/etcd-development/etcd:v3.6.4
+        image: registry.k8s.io/etcd:v3.6.6
diff --git a/staging/src/k8s.io/sample-apiserver/go.mod b/staging/src/k8s.io/sample-apiserver/go.mod
index 4b78031fd6795..3101dcaa09905 100644
--- a/staging/src/k8s.io/sample-apiserver/go.mod
+++ b/staging/src/k8s.io/sample-apiserver/go.mod
@@ -2,20 +2,20 @@
 
 module k8s.io/sample-apiserver
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
-	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.34.1
-	k8s.io/client-go v0.34.1
+	github.com/spf13/cobra v1.10.0
+	github.com/stretchr/testify v1.11.1
+	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
+	k8s.io/client-go v0.35.1
 	k8s.io/code-generator v0.0.0
-	k8s.io/component-base v0.34.1
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/component-base v0.35.1
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
 )
@@ -35,7 +35,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -57,65 +57,66 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/expect v0.1.0-deprecated // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.34.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
+	k8s.io/api v0.35.1 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kms v0.34.1 // indirect
+	k8s.io/kms v0.35.1 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+	github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+	github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+	github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
 	k8s.io/api => ../api
 	k8s.io/apiextensions-apiserver => ../apiextensions-apiserver
 	k8s.io/apimachinery => ../apimachinery
diff --git a/staging/src/k8s.io/sample-apiserver/go.sum b/staging/src/k8s.io/sample-apiserver/go.sum
index cbc15bfbd5bb6..939051a72c13d 100644
--- a/staging/src/k8s.io/sample-apiserver/go.sum
+++ b/staging/src/k8s.io/sample-apiserver/go.sum
@@ -1,9 +1,12 @@
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/RangelReale/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:XyjUkMA8GN+tOOPXvnbi3XuRxWFvTJntqvTFnjmhzbk=
@@ -29,6 +32,7 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -56,8 +60,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:h
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -95,8 +99,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
@@ -115,6 +119,10 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17/go.mod h1:mCcIpR1nUVJvuLFKl7etbRLixUhJn4XjufJdfzv8Xsc=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34 h1:iCDeH9PliuQ4IL5NhQhZ1GcXxdlIiuiIed7hK5d5shw=
+github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34/go.mod h1:mp92ELYoE9GHXRj+jJhp4I9KsFfS5c7WIi5k4RmkPYY=
+github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d/go.mod h1:u/qMsjN4RliFQwfk4bMEdF1lTjkagrlxPcZ/G9KIVuE=
 github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -152,20 +160,15 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
-github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5 h1:bANtDc8SgetSK4nQehf59x3+H9FqVJCprgjs49/OTg0=
-github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -174,27 +177,28 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
@@ -207,8 +211,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -220,18 +224,18 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
-go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
-go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
-go.etcd.io/etcd/pkg/v3 v3.6.4 h1:fy8bmXIec1Q35/jRZ0KOes8vuFxbvdN0aAFqmEfJZWA=
-go.etcd.io/etcd/pkg/v3 v3.6.4/go.mod h1:kKcYWP8gHuBRcteyv6MXWSN0+bVMnfgqiHueIZnKMtE=
-go.etcd.io/etcd/server/v3 v3.6.4 h1:LsCA7CzjVt+8WGrdsnh6RhC0XqCsLkBly3ve5rTxMAU=
-go.etcd.io/etcd/server/v3 v3.6.4/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
+go.etcd.io/etcd/pkg/v3 v3.6.5 h1:byxWB4AqIKI4SBmquZUG1WGtvMfMaorXFoCcFbVeoxM=
+go.etcd.io/etcd/pkg/v3 v3.6.5/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU=
+go.etcd.io/etcd/server/v3 v3.6.5 h1:4RbUb1Bd4y1WkBHmuF+cZII83JNQMuNXzyjwigQ06y0=
+go.etcd.io/etcd/server/v3 v3.6.5/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0=
 go.etcd.io/raft/v3 v3.6.0 h1:5NtvbDVYpnfZWcIHgGRk9DyzkBIXOi8j+DDp1IcnUWQ=
 go.etcd.io/raft/v3 v3.6.0/go.mod h1:nLvLevg6+xrVtHUmVaTcTz603gQPHfh7kUAwV6YpfGo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
@@ -239,22 +243,22 @@ go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a
 go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -265,56 +269,56 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -323,38 +327,37 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
 google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8=
+google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
diff --git a/staging/src/k8s.io/sample-apiserver/hack/update-codegen.sh b/staging/src/k8s.io/sample-apiserver/hack/update-codegen.sh
index 0d902edf2cc2c..39fb34890d344 100755
--- a/staging/src/k8s.io/sample-apiserver/hack/update-codegen.sh
+++ b/staging/src/k8s.io/sample-apiserver/hack/update-codegen.sh
@@ -40,6 +40,7 @@ kube::codegen::gen_openapi \
     --output-dir "${SCRIPT_ROOT}/pkg/generated/openapi" \
     --output-pkg "${THIS_PKG}/pkg/generated/openapi" \
     --report-filename "${report_filename:-"/dev/null"}" \
+    --output-model-name-file "zz_generated.model_name.go" \
     ${update_report:+"${update_report}"} \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     "${SCRIPT_ROOT}/pkg/apis"
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/doc.go b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/doc.go
index 17625ba062dd2..13d560787440c 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/doc.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/doc.go
@@ -20,6 +20,7 @@ limitations under the License.
 // +k8s:defaulter-gen=TypeMeta
 // +k8s:prerelease-lifecycle-gen=true
 // +groupName=wardle.example.com
+// +k8s:openapi-model-package=io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1
 
 // Package v1alpha1 is the v1alpha1 version of the API.
 package v1alpha1
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/zz_generated.model_name.go b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..f07365b693898
--- /dev/null
+++ b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1/zz_generated.model_name.go
@@ -0,0 +1,52 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Fischer) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.Fischer"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FischerList) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.FischerList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Flunder) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.Flunder"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderList) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.FlunderList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderSpec) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.FlunderSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderStatus) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1alpha1.FlunderStatus"
+}
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/doc.go b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/doc.go
index 2b7c615aee99d..747050070c2d2 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/doc.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/doc.go
@@ -19,6 +19,7 @@ limitations under the License.
 // +k8s:conversion-gen=k8s.io/sample-apiserver/pkg/apis/wardle
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=wardle.example.com
+// +k8s:openapi-model-package=io.k8s.sample-apiserver.pkg.apis.wardle.v1beta1
 
 // Package v1beta1 is the v1beta1 version of the API.
 package v1beta1
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/zz_generated.model_name.go b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/zz_generated.model_name.go
new file mode 100644
index 0000000000000..c2902f5cd8534
--- /dev/null
+++ b/staging/src/k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1/zz_generated.model_name.go
@@ -0,0 +1,42 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by openapi-gen. DO NOT EDIT.
+
+package v1beta1
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in Flunder) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1beta1.Flunder"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderList) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1beta1.FlunderList"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderSpec) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1beta1.FlunderSpec"
+}
+
+// OpenAPIModelName returns the OpenAPI model name for this type.
+func (in FlunderStatus) OpenAPIModelName() string {
+	return "io.k8s.sample-apiserver.pkg.apis.wardle.v1beta1.FlunderStatus"
+}
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go b/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go
index 90f48b49478f9..37cf8c7586f80 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go
@@ -160,7 +160,7 @@ func NewCommandStartWardleServer(ctx context.Context, defaults *WardleServerOpti
 
 	// Set the emulation version mapping from the "Wardle" component to the kube component.
 	// This ensures that the emulation version of the latter is determined by the emulation version of the former.
-	utilruntime.Must(defaults.ComponentGlobalsRegistry.SetEmulationVersionMapping(apiserver.WardleComponentName, basecompatibility.DefaultKubeComponent, WardleVersionToKubeVersion))
+	utilruntime.Must(defaults.ComponentGlobalsRegistry.SetVersionMapping(apiserver.WardleComponentName, basecompatibility.DefaultKubeComponent, WardleVersionToKubeVersion))
 
 	defaults.ComponentGlobalsRegistry.AddFlags(flags)
 
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/fischer.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/fischer.go
index d5d95064bdff0..e7080028712f9 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/fischer.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/fischer.go
@@ -29,7 +29,8 @@ import (
 type FischerApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DisallowedFlunders               []string `json:"disallowedFlunders,omitempty"`
+	// DisallowedFlunders holds a list of Flunder.Names that are disallowed.
+	DisallowedFlunders []string `json:"disallowedFlunders,omitempty"`
 }
 
 // Fischer constructs a declarative configuration of the Fischer type for use with
@@ -41,6 +42,7 @@ func Fischer(name string) *FischerApplyConfiguration {
 	b.WithAPIVersion("wardle.example.com/v1alpha1")
 	return b
 }
+
 func (b FischerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunder.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunder.go
index 41ca5712ff324..f524ac18b9714 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunder.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunder.go
@@ -44,6 +44,7 @@ func Flunder(name, namespace string) *FlunderApplyConfiguration {
 	b.WithAPIVersion("wardle.example.com/v1alpha1")
 	return b
 }
+
 func (b FlunderApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunderspec.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunderspec.go
index b3be3f8a2173f..0953d9cbce255 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunderspec.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1alpha1/flunderspec.go
@@ -25,7 +25,9 @@ import (
 // FlunderSpecApplyConfiguration represents a declarative configuration of the FlunderSpec type for use
 // with apply.
 type FlunderSpecApplyConfiguration struct {
-	Reference     *string                       `json:"reference,omitempty"`
+	// A name of another flunder or fischer, depending on the reference type.
+	Reference *string `json:"reference,omitempty"`
+	// The reference type, defaults to "Flunder" if reference is set.
 	ReferenceType *wardlev1alpha1.ReferenceType `json:"referenceType,omitempty"`
 }
 
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunder.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunder.go
index c54da5a321dbb..645f3b675f48a 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunder.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunder.go
@@ -27,6 +27,8 @@ import (
 
 // FlunderApplyConfiguration represents a declarative configuration of the Flunder type for use
 // with apply.
+//
+// Flunder is an example type with a spec and a status.
 type FlunderApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
@@ -44,6 +46,7 @@ func Flunder(name, namespace string) *FlunderApplyConfiguration {
 	b.WithAPIVersion("wardle.example.com/v1beta1")
 	return b
 }
+
 func (b FlunderApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunderspec.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunderspec.go
index cd5a6edb58efc..5a996ba0a5bca 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunderspec.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/applyconfiguration/wardle/v1beta1/flunderspec.go
@@ -24,10 +24,15 @@ import (
 
 // FlunderSpecApplyConfiguration represents a declarative configuration of the FlunderSpec type for use
 // with apply.
+//
+// FlunderSpec is the specification of a Flunder.
 type FlunderSpecApplyConfiguration struct {
-	FlunderReference *string                      `json:"flunderReference,omitempty"`
-	FischerReference *string                      `json:"fischerReference,omitempty"`
-	ReferenceType    *wardlev1beta1.ReferenceType `json:"referenceType,omitempty"`
+	// A name of another flunder, mutually exclusive to the FischerReference.
+	FlunderReference *string `json:"flunderReference,omitempty"`
+	// A name of a fischer, mutually exclusive to the FlunderReference.
+	FischerReference *string `json:"fischerReference,omitempty"`
+	// The reference type.
+	ReferenceType *wardlev1beta1.ReferenceType `json:"referenceType,omitempty"`
 }
 
 // FlunderSpecApplyConfiguration constructs a declarative configuration of the FlunderSpec type for use with
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/clientset/versioned/fake/clientset_generated.go
index aa258e66c5843..a2a793085334f 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/clientset/versioned/fake/clientset_generated.go
@@ -38,7 +38,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -54,8 +54,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -86,6 +86,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/factory.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/factory.go
index cc782bf7c0143..348cdd49b0db3 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/fischer.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/fischer.go
index 760ea15528bcf..b590af40f36db 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/fischer.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/fischer.go
@@ -56,7 +56,7 @@ func NewFischerInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFischerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -81,7 +81,7 @@ func NewFilteredFischerInformer(client versioned.Interface, resyncPeriod time.Du
 				}
 				return client.WardleV1alpha1().Fischers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiswardlev1alpha1.Fischer{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/flunder.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/flunder.go
index fa8389dc4eb41..99cb09addfa59 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/flunder.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1alpha1/flunder.go
@@ -57,7 +57,7 @@ func NewFlunderInformer(client versioned.Interface, namespace string, resyncPeri
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlunderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredFlunderInformer(client versioned.Interface, namespace string, re
 				}
 				return client.WardleV1alpha1().Flunders(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiswardlev1alpha1.Flunder{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1beta1/flunder.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1beta1/flunder.go
index 62f6a184dd208..239d8d220a243 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1beta1/flunder.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/informers/externalversions/wardle/v1beta1/flunder.go
@@ -57,7 +57,7 @@ func NewFlunderInformer(client versioned.Interface, namespace string, resyncPeri
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFlunderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredFlunderInformer(client versioned.Interface, namespace string, re
 				}
 				return client.WardleV1beta1().Flunders(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiswardlev1beta1.Flunder{},
 		resyncPeriod,
 		indexers,
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/generated/openapi/zz_generated.openapi.go b/staging/src/k8s.io/sample-apiserver/pkg/generated/openapi/zz_generated.openapi.go
index 0b54d941c59b0..fecefdc8922b6 100644
--- a/staging/src/k8s.io/sample-apiserver/pkg/generated/openapi/zz_generated.openapi.go
+++ b/staging/src/k8s.io/sample-apiserver/pkg/generated/openapi/zz_generated.openapi.go
@@ -22,76 +22,130 @@ limitations under the License.
 package openapi
 
 import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	version "k8s.io/apimachinery/pkg/version"
 	common "k8s.io/kube-openapi/pkg/common"
 	spec "k8s.io/kube-openapi/pkg/validation/spec"
+	v1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
+	v1beta1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1"
 )
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup":                  schema_pkg_apis_meta_v1_APIGroup(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList":              schema_pkg_apis_meta_v1_APIGroupList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource":               schema_pkg_apis_meta_v1_APIResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList":           schema_pkg_apis_meta_v1_APIResourceList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions":               schema_pkg_apis_meta_v1_APIVersions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ApplyOptions":              schema_pkg_apis_meta_v1_ApplyOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Condition":                 schema_pkg_apis_meta_v1_Condition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions":             schema_pkg_apis_meta_v1_CreateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions":             schema_pkg_apis_meta_v1_DeleteOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Duration":                  schema_pkg_apis_meta_v1_Duration(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldSelectorRequirement":  schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1":                  schema_pkg_apis_meta_v1_FieldsV1(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions":                schema_pkg_apis_meta_v1_GetOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind":                 schema_pkg_apis_meta_v1_GroupKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource":             schema_pkg_apis_meta_v1_GroupResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion":              schema_pkg_apis_meta_v1_GroupVersion(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery":  schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind":          schema_pkg_apis_meta_v1_GroupVersionKind(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource":      schema_pkg_apis_meta_v1_GroupVersionResource(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent":             schema_pkg_apis_meta_v1_InternalEvent(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector":             schema_pkg_apis_meta_v1_LabelSelector(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement":  schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.List":                      schema_pkg_apis_meta_v1_List(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta":                  schema_pkg_apis_meta_v1_ListMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions":               schema_pkg_apis_meta_v1_ListOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry":        schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime":                 schema_pkg_apis_meta_v1_MicroTime(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta":                schema_pkg_apis_meta_v1_ObjectMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference":            schema_pkg_apis_meta_v1_OwnerReference(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata":     schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Patch":                     schema_pkg_apis_meta_v1_Patch(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions":              schema_pkg_apis_meta_v1_PatchOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions":             schema_pkg_apis_meta_v1_Preconditions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths":                 schema_pkg_apis_meta_v1_RootPaths(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Status":                    schema_pkg_apis_meta_v1_Status(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause":               schema_pkg_apis_meta_v1_StatusCause(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails":             schema_pkg_apis_meta_v1_StatusDetails(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Table":                     schema_pkg_apis_meta_v1_Table(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition":     schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions":              schema_pkg_apis_meta_v1_TableOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow":                  schema_pkg_apis_meta_v1_TableRow(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition":         schema_pkg_apis_meta_v1_TableRowCondition(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Time":                      schema_pkg_apis_meta_v1_Time(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp":                 schema_pkg_apis_meta_v1_Timestamp(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta":                  schema_pkg_apis_meta_v1_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions":             schema_pkg_apis_meta_v1_UpdateOptions(ref),
-		"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent":                schema_pkg_apis_meta_v1_WatchEvent(ref),
-		"k8s.io/apimachinery/pkg/runtime.RawExtension":                   schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
-		"k8s.io/apimachinery/pkg/runtime.TypeMeta":                       schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
-		"k8s.io/apimachinery/pkg/runtime.Unknown":                        schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
-		"k8s.io/apimachinery/pkg/version.Info":                           schema_k8sio_apimachinery_pkg_version_Info(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Fischer":       schema_pkg_apis_wardle_v1alpha1_Fischer(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FischerList":   schema_pkg_apis_wardle_v1alpha1_FischerList(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Flunder":       schema_pkg_apis_wardle_v1alpha1_Flunder(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderList":   schema_pkg_apis_wardle_v1alpha1_FlunderList(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderSpec":   schema_pkg_apis_wardle_v1alpha1_FlunderSpec(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderStatus": schema_pkg_apis_wardle_v1alpha1_FlunderStatus(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.Flunder":        schema_pkg_apis_wardle_v1beta1_Flunder(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderList":    schema_pkg_apis_wardle_v1beta1_FlunderList(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderSpec":    schema_pkg_apis_wardle_v1beta1_FlunderSpec(ref),
-		"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderStatus":  schema_pkg_apis_wardle_v1beta1_FlunderStatus(ref),
+		resource.Quantity{}.OpenAPIModelName():            schema_apimachinery_pkg_api_resource_Quantity(ref),
+		v1.APIGroup{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_APIGroup(ref),
+		v1.APIGroupList{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_APIGroupList(ref),
+		v1.APIResource{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_APIResource(ref),
+		v1.APIResourceList{}.OpenAPIModelName():           schema_pkg_apis_meta_v1_APIResourceList(ref),
+		v1.APIVersions{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_APIVersions(ref),
+		v1.ApplyOptions{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_ApplyOptions(ref),
+		v1.Condition{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_Condition(ref),
+		v1.CreateOptions{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_CreateOptions(ref),
+		v1.DeleteOptions{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_DeleteOptions(ref),
+		v1.Duration{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_Duration(ref),
+		v1.FieldSelectorRequirement{}.OpenAPIModelName():  schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref),
+		v1.FieldsV1{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_FieldsV1(ref),
+		v1.GetOptions{}.OpenAPIModelName():                schema_pkg_apis_meta_v1_GetOptions(ref),
+		v1.GroupKind{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_GroupKind(ref),
+		v1.GroupResource{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_GroupResource(ref),
+		v1.GroupVersion{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_GroupVersion(ref),
+		v1.GroupVersionForDiscovery{}.OpenAPIModelName():  schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
+		v1.GroupVersionKind{}.OpenAPIModelName():          schema_pkg_apis_meta_v1_GroupVersionKind(ref),
+		v1.GroupVersionResource{}.OpenAPIModelName():      schema_pkg_apis_meta_v1_GroupVersionResource(ref),
+		v1.InternalEvent{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_InternalEvent(ref),
+		v1.LabelSelector{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_LabelSelector(ref),
+		v1.LabelSelectorRequirement{}.OpenAPIModelName():  schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
+		v1.List{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_List(ref),
+		v1.ListMeta{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_ListMeta(ref),
+		v1.ListOptions{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_ListOptions(ref),
+		v1.ManagedFieldsEntry{}.OpenAPIModelName():        schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
+		v1.MicroTime{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_MicroTime(ref),
+		v1.ObjectMeta{}.OpenAPIModelName():                schema_pkg_apis_meta_v1_ObjectMeta(ref),
+		v1.OwnerReference{}.OpenAPIModelName():            schema_pkg_apis_meta_v1_OwnerReference(ref),
+		v1.PartialObjectMetadata{}.OpenAPIModelName():     schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
+		v1.PartialObjectMetadataList{}.OpenAPIModelName(): schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
+		v1.Patch{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_Patch(ref),
+		v1.PatchOptions{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_PatchOptions(ref),
+		v1.Preconditions{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_Preconditions(ref),
+		v1.RootPaths{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_RootPaths(ref),
+		v1.ServerAddressByClientCIDR{}.OpenAPIModelName(): schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
+		v1.Status{}.OpenAPIModelName():                    schema_pkg_apis_meta_v1_Status(ref),
+		v1.StatusCause{}.OpenAPIModelName():               schema_pkg_apis_meta_v1_StatusCause(ref),
+		v1.StatusDetails{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_StatusDetails(ref),
+		v1.Table{}.OpenAPIModelName():                     schema_pkg_apis_meta_v1_Table(ref),
+		v1.TableColumnDefinition{}.OpenAPIModelName():     schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
+		v1.TableOptions{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_TableOptions(ref),
+		v1.TableRow{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_TableRow(ref),
+		v1.TableRowCondition{}.OpenAPIModelName():         schema_pkg_apis_meta_v1_TableRowCondition(ref),
+		v1.Time{}.OpenAPIModelName():                      schema_pkg_apis_meta_v1_Time(ref),
+		v1.Timestamp{}.OpenAPIModelName():                 schema_pkg_apis_meta_v1_Timestamp(ref),
+		v1.TypeMeta{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_TypeMeta(ref),
+		v1.UpdateOptions{}.OpenAPIModelName():             schema_pkg_apis_meta_v1_UpdateOptions(ref),
+		v1.WatchEvent{}.OpenAPIModelName():                schema_pkg_apis_meta_v1_WatchEvent(ref),
+		runtime.RawExtension{}.OpenAPIModelName():         schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
+		runtime.TypeMeta{}.OpenAPIModelName():             schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
+		runtime.Unknown{}.OpenAPIModelName():              schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
+		version.Info{}.OpenAPIModelName():                 schema_k8sio_apimachinery_pkg_version_Info(ref),
+		v1alpha1.Fischer{}.OpenAPIModelName():             schema_pkg_apis_wardle_v1alpha1_Fischer(ref),
+		v1alpha1.FischerList{}.OpenAPIModelName():         schema_pkg_apis_wardle_v1alpha1_FischerList(ref),
+		v1alpha1.Flunder{}.OpenAPIModelName():             schema_pkg_apis_wardle_v1alpha1_Flunder(ref),
+		v1alpha1.FlunderList{}.OpenAPIModelName():         schema_pkg_apis_wardle_v1alpha1_FlunderList(ref),
+		v1alpha1.FlunderSpec{}.OpenAPIModelName():         schema_pkg_apis_wardle_v1alpha1_FlunderSpec(ref),
+		v1alpha1.FlunderStatus{}.OpenAPIModelName():       schema_pkg_apis_wardle_v1alpha1_FlunderStatus(ref),
+		v1beta1.Flunder{}.OpenAPIModelName():              schema_pkg_apis_wardle_v1beta1_Flunder(ref),
+		v1beta1.FlunderList{}.OpenAPIModelName():          schema_pkg_apis_wardle_v1beta1_FlunderList(ref),
+		v1beta1.FlunderSpec{}.OpenAPIModelName():          schema_pkg_apis_wardle_v1beta1_FlunderSpec(ref),
+		v1beta1.FlunderStatus{}.OpenAPIModelName():        schema_pkg_apis_wardle_v1beta1_FlunderStatus(ref),
+	}
+}
+
+func schema_apimachinery_pkg_api_resource_Quantity(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.EmbedOpenAPIDefinitionIntoV2Extension(common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				OneOf:       common.GenerateOpenAPIV3OneOfSchema(resource.Quantity{}.OpenAPIV3OneOfTypes()),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	}, common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` <quantity>        ::= <signedNumber><suffix>\n\n\t(Note that <suffix> may be empty, from the \"\" case in <decimalSI>.)\n\n<digit>           ::= 0 | 1 | ... | 9 <digits>          ::= <digit> | <digit><digits> <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits> <sign>            ::= \"+\" | \"-\" <signedNumber>    ::= <number> | <sign><number> <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI> <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n<decimalSI>       ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n<decimalExponent> ::= \"e\" <signedNumber> | \"E\" <signedNumber> ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.",
+				Type:        resource.Quantity{}.OpenAPISchemaType(),
+				Format:      resource.Quantity{}.OpenAPISchemaFormat(),
+			},
+		},
+	})
+}
+
+func schema_apimachinery_pkg_api_resource_int64Amount(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "int64Amount represents a fixed precision numerator and arbitrary scale exponent. It is faster than operations on inf.Dec for values that can be represented as int64.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int64",
+						},
+					},
+					"scale": {
+						SchemaProps: spec.SchemaProps{
+							Default: 0,
+							Type:    []string{"integer"},
+							Format:  "int32",
+						},
+					},
+				},
+				Required: []string{"value", "scale"},
+			},
+		},
 	}
 }
 
@@ -137,7 +191,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+										Ref:     ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -147,7 +201,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 						SchemaProps: spec.SchemaProps{
 							Description: "preferredVersion is the version preferred by the API server, which probably is the storage version.",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery"),
+							Ref:         ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 						},
 					},
 					"serverAddressByClientCIDRs": {
@@ -163,7 +217,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -174,7 +228,7 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery", "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.GroupVersionForDiscovery{}.OpenAPIModelName(), v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -212,7 +266,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"),
+										Ref:     ref(v1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -223,7 +277,7 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup"},
+			v1.APIGroup{}.OpenAPIModelName()},
 	}
 }
 
@@ -391,7 +445,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"),
+										Ref:     ref(v1.APIResource{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -402,7 +456,7 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource"},
+			v1.APIResource{}.OpenAPIModelName()},
 	}
 }
 
@@ -460,7 +514,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"),
+										Ref:     ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -471,7 +525,7 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR"},
+			v1.ServerAddressByClientCIDR{}.OpenAPIModelName()},
 	}
 }
 
@@ -572,7 +626,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 					"lastTransitionTime": {
 						SchemaProps: spec.SchemaProps{
 							Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"reason": {
@@ -596,7 +650,7 @@ func schema_pkg_apis_meta_v1_Condition(ref common.ReferenceCallback) common.Open
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -692,7 +746,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 					"preconditions": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"),
+							Ref:         ref(v1.Preconditions{}.OpenAPIModelName()),
 						},
 					},
 					"orphanDependents": {
@@ -740,7 +794,7 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions"},
+			v1.Preconditions{}.OpenAPIModelName()},
 	}
 }
 
@@ -1052,15 +1106,12 @@ func schema_pkg_apis_meta_v1_InternalEvent(ref common.ReferenceCallback) common.
 					"Object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Bookmark: the object (instance of a type being watched) where\n   only ResourceVersion field is set. On successful restart of watch from a\n   bookmark resourceVersion, client is guaranteed to not get repeat event\n   nor miss any events.\n * If Type is Error: *api.Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.Object"),
 						},
 					},
 				},
 				Required: []string{"Type", "Object"},
 			},
 		},
-		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.Object"},
 	}
 }
 
@@ -1100,7 +1151,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"),
+										Ref:     ref(v1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1115,7 +1166,7 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement"},
+			v1.LabelSelectorRequirement{}.OpenAPIModelName()},
 	}
 }
 
@@ -1194,7 +1245,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1204,7 +1255,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
-										Ref: ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+										Ref: ref(runtime.RawExtension{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1215,7 +1266,7 @@ func schema_pkg_apis_meta_v1_List(ref common.ReferenceCallback) common.OpenAPIDe
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.ListMeta{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -1388,7 +1439,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"time": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"fieldsType": {
@@ -1401,7 +1452,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 					"fieldsV1": {
 						SchemaProps: spec.SchemaProps{
 							Description: "FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1"),
+							Ref:         ref(v1.FieldsV1{}.OpenAPIModelName()),
 						},
 					},
 					"subresource": {
@@ -1415,7 +1466,7 @@ func schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.FieldsV1{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1490,13 +1541,13 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 					"creationTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionTimestamp": {
 						SchemaProps: spec.SchemaProps{
 							Description: "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+							Ref:         ref(v1.Time{}.OpenAPIModelName()),
 						},
 					},
 					"deletionGracePeriodSeconds": {
@@ -1556,7 +1607,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference"),
+										Ref:     ref(v1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1596,7 +1647,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry"),
+										Ref:     ref(v1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1606,7 +1657,7 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry", "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+			v1.ManagedFieldsEntry{}.OpenAPIModelName(), v1.OwnerReference{}.OpenAPIModelName(), v1.Time{}.OpenAPIModelName()},
 	}
 }
 
@@ -1700,14 +1751,14 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadata(ref common.ReferenceCallback)
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:         ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -1736,7 +1787,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -1747,7 +1798,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"),
+										Ref:     ref(v1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -1758,7 +1809,7 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.PartialObjectMetadata{}.OpenAPIModelName()},
 	}
 }
 
@@ -1957,7 +2008,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
@@ -1982,14 +2033,9 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 						},
 					},
 					"details": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "atomic",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"),
+							Ref:         ref(v1.StatusDetails{}.OpenAPIModelName()),
 						},
 					},
 					"code": {
@@ -2003,7 +2049,7 @@ func schema_pkg_apis_meta_v1_Status(ref common.ReferenceCallback) common.OpenAPI
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.StatusDetails{}.OpenAPIModelName()},
 	}
 }
 
@@ -2089,7 +2135,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"),
+										Ref:     ref(v1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2106,7 +2152,7 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause"},
+			v1.StatusCause{}.OpenAPIModelName()},
 	}
 }
 
@@ -2135,7 +2181,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 						SchemaProps: spec.SchemaProps{
 							Description: "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Default:     map[string]interface{}{},
-							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:         ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"columnDefinitions": {
@@ -2151,7 +2197,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition"),
+										Ref:     ref(v1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2170,7 +2216,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"),
+										Ref:     ref(v1.TableRow{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2181,7 +2227,7 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition", "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow"},
+			v1.ListMeta{}.OpenAPIModelName(), v1.TableColumnDefinition{}.OpenAPIModelName(), v1.TableRow{}.OpenAPIModelName()},
 	}
 }
 
@@ -2312,7 +2358,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition"),
+										Ref:     ref(v1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2321,7 +2367,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing. The media type of the object will always match the enclosing list - if this as a JSON table, these will be JSON encoded objects.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2329,7 +2375,7 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition", "k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			v1.TableRowCondition{}.OpenAPIModelName(), runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2524,7 +2570,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 					"object": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n   depending on context.",
-							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
+							Ref:         ref(runtime.RawExtension{}.OpenAPIModelName()),
 						},
 					},
 				},
@@ -2532,7 +2578,7 @@ func schema_pkg_apis_meta_v1_WatchEvent(ref common.ReferenceCallback) common.Ope
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/runtime.RawExtension"},
+			runtime.RawExtension{}.OpenAPIModelName()},
 	}
 }
 
@@ -2744,7 +2790,7 @@ func schema_pkg_apis_wardle_v1alpha1_Fischer(ref common.ReferenceCallback) commo
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"disallowedFlunders": {
@@ -2771,7 +2817,7 @@ func schema_pkg_apis_wardle_v1alpha1_Fischer(ref common.ReferenceCallback) commo
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+			v1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 
@@ -2799,7 +2845,7 @@ func schema_pkg_apis_wardle_v1alpha1_FischerList(ref common.ReferenceCallback) c
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2809,7 +2855,7 @@ func schema_pkg_apis_wardle_v1alpha1_FischerList(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Fischer"),
+										Ref:     ref(v1alpha1.Fischer{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2820,7 +2866,7 @@ func schema_pkg_apis_wardle_v1alpha1_FischerList(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Fischer"},
+			v1.ListMeta{}.OpenAPIModelName(), v1alpha1.Fischer{}.OpenAPIModelName()},
 	}
 }
 
@@ -2847,26 +2893,26 @@ func schema_pkg_apis_wardle_v1alpha1_Flunder(ref common.ReferenceCallback) commo
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderSpec"),
+							Ref:     ref(v1alpha1.FlunderSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderStatus"),
+							Ref:     ref(v1alpha1.FlunderStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderSpec", "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.FlunderStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), v1alpha1.FlunderSpec{}.OpenAPIModelName(), v1alpha1.FlunderStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -2894,7 +2940,7 @@ func schema_pkg_apis_wardle_v1alpha1_FlunderList(ref common.ReferenceCallback) c
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -2904,7 +2950,7 @@ func schema_pkg_apis_wardle_v1alpha1_FlunderList(ref common.ReferenceCallback) c
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Flunder"),
+										Ref:     ref(v1alpha1.Flunder{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -2915,7 +2961,7 @@ func schema_pkg_apis_wardle_v1alpha1_FlunderList(ref common.ReferenceCallback) c
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1.Flunder"},
+			v1.ListMeta{}.OpenAPIModelName(), v1alpha1.Flunder{}.OpenAPIModelName()},
 	}
 }
 
@@ -2979,26 +3025,26 @@ func schema_pkg_apis_wardle_v1beta1_Flunder(ref common.ReferenceCallback) common
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderSpec"),
+							Ref:     ref(v1beta1.FlunderSpec{}.OpenAPIModelName()),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderStatus"),
+							Ref:     ref(v1beta1.FlunderStatus{}.OpenAPIModelName()),
 						},
 					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta", "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderSpec", "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.FlunderStatus"},
+			v1.ObjectMeta{}.OpenAPIModelName(), v1beta1.FlunderSpec{}.OpenAPIModelName(), v1beta1.FlunderStatus{}.OpenAPIModelName()},
 	}
 }
 
@@ -3026,7 +3072,7 @@ func schema_pkg_apis_wardle_v1beta1_FlunderList(ref common.ReferenceCallback) co
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
-							Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
@@ -3036,7 +3082,7 @@ func schema_pkg_apis_wardle_v1beta1_FlunderList(ref common.ReferenceCallback) co
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
-										Ref:     ref("k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.Flunder"),
+										Ref:     ref(v1beta1.Flunder{}.OpenAPIModelName()),
 									},
 								},
 							},
@@ -3047,7 +3093,7 @@ func schema_pkg_apis_wardle_v1beta1_FlunderList(ref common.ReferenceCallback) co
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta", "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1.Flunder"},
+			v1.ListMeta{}.OpenAPIModelName(), v1beta1.Flunder{}.OpenAPIModelName()},
 	}
 }
 
diff --git a/staging/src/k8s.io/sample-cli-plugin/go.mod b/staging/src/k8s.io/sample-cli-plugin/go.mod
index ac42a2c632a6c..33f0e07707a3b 100644
--- a/staging/src/k8s.io/sample-cli-plugin/go.mod
+++ b/staging/src/k8s.io/sample-cli-plugin/go.mod
@@ -2,13 +2,13 @@
 
 module k8s.io/sample-cli-plugin
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
+	github.com/spf13/cobra v1.10.0
+	github.com/spf13/pflag v1.0.9
 	k8s.io/cli-runtime v0.0.0
 	k8s.io/client-go v0.0.0
 )
@@ -20,11 +20,10 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -40,28 +39,27 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.0.0 // indirect
 	k8s.io/apimachinery v0.0.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
@@ -70,7 +68,7 @@ require (
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/cli-runtime => ../cli-runtime
diff --git a/staging/src/k8s.io/sample-cli-plugin/go.sum b/staging/src/k8s.io/sample-cli-plugin/go.sum
index f3e91c49b7d5e..b53889afc8eec 100644
--- a/staging/src/k8s.io/sample-cli-plugin/go.sum
+++ b/staging/src/k8s.io/sample-cli-plugin/go.sum
@@ -1,6 +1,8 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -19,8 +21,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -31,8 +33,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -41,8 +41,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -54,8 +54,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -81,26 +79,26 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.0 h1:a5/WeUlSDCvV5a45ljW2ZFtV0bTDpkfSAj3uqB6Sc+0=
+github.com/spf13/cobra v1.10.0/go.mod h1:9dhySC7dnTtEiqzmqfkLj47BslqLCUPMXjG2lj/NgoE=
+github.com/spf13/pflag v1.0.8/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -111,71 +109,48 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -184,12 +159,12 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
 sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
 sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
diff --git a/staging/src/k8s.io/sample-controller/OWNERS b/staging/src/k8s.io/sample-controller/OWNERS
index 14e42b1acfc28..89f02a37e1b39 100644
--- a/staging/src/k8s.io/sample-controller/OWNERS
+++ b/staging/src/k8s.io/sample-controller/OWNERS
@@ -10,5 +10,6 @@ reviewers:
   - sttts
   - munnerz
   - nikhita
+  - jefftree
 labels:
   - sig/api-machinery
diff --git a/staging/src/k8s.io/sample-controller/README.md b/staging/src/k8s.io/sample-controller/README.md
index b712ca24d2135..bd77cdb2dca4a 100644
--- a/staging/src/k8s.io/sample-controller/README.md
+++ b/staging/src/k8s.io/sample-controller/README.md
@@ -165,3 +165,6 @@ https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/sample-c
 Code changes are made in that location, merged into k8s.io/kubernetes and
 later synced here.
 
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for more information. Please note that [kubernetes/sample-controller](https://github.com/kubernetes/sample-controller/) is a readonly mirror repository, all development is done at [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes).
diff --git a/staging/src/k8s.io/sample-controller/go.mod b/staging/src/k8s.io/sample-controller/go.mod
index 4de4d6fc65022..a42c904efa46e 100644
--- a/staging/src/k8s.io/sample-controller/go.mod
+++ b/staging/src/k8s.io/sample-controller/go.mod
@@ -2,9 +2,9 @@
 
 module k8s.io/sample-controller
 
-go 1.24.0
+go 1.25.0
 
-godebug default=go1.24
+godebug default=go1.25
 
 require (
 	golang.org/x/time v0.9.0
@@ -13,18 +13,17 @@ require (
 	k8s.io/client-go v0.0.0
 	k8s.io/code-generator v0.0.0
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -34,35 +33,33 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
-	golang.org/x/tools/go/expect v0.1.0-deprecated // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
-	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace (
-	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+	github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
 	k8s.io/api => ../api
 	k8s.io/apimachinery => ../apimachinery
 	k8s.io/client-go => ../client-go
diff --git a/staging/src/k8s.io/sample-controller/go.sum b/staging/src/k8s.io/sample-controller/go.sum
index 5f9f0d659cc02..de6461e2ddb83 100644
--- a/staging/src/k8s.io/sample-controller/go.sum
+++ b/staging/src/k8s.io/sample-controller/go.sum
@@ -1,4 +1,6 @@
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -10,8 +12,8 @@ github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
@@ -22,7 +24,6 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
@@ -31,8 +32,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
@@ -41,8 +42,6 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -62,20 +61,18 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWu
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 h1:PMTgifBcBRLJJiM+LgSzPDTk9/Rx4qS09OUrfpY6GBQ=
-github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU=
+github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -85,90 +82,64 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488/go.mod h1:fGb/2+tgXXjhjHsTNdVEEMZNWA0quBnfrO+AfoDSAKw=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
-golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
+golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f h1:SLb+kxmzfA87x4E4brQzB33VBbT2+x7Zq9ROIHmGn9Q=
-k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
+k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
-k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
diff --git a/staging/src/k8s.io/sample-controller/pkg/generated/clientset/versioned/fake/clientset_generated.go b/staging/src/k8s.io/sample-controller/pkg/generated/clientset/versioned/fake/clientset_generated.go
index 3d42bf2a2689a..4fe43173e3e79 100644
--- a/staging/src/k8s.io/sample-controller/pkg/generated/clientset/versioned/fake/clientset_generated.go
+++ b/staging/src/k8s.io/sample-controller/pkg/generated/clientset/versioned/fake/clientset_generated.go
@@ -35,7 +35,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -51,8 +51,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -83,6 +83,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 var (
 	_ clientset.Interface = &Clientset{}
 	_ testing.FakeClient  = &Clientset{}
diff --git a/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/factory.go b/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/factory.go
index 46b47b6576262..d04a0c4518595 100644
--- a/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/factory.go
+++ b/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/factory.go
@@ -97,6 +97,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -204,7 +205,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/samplecontroller/v1alpha1/foo.go b/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/samplecontroller/v1alpha1/foo.go
index b3f20c8ce5ffc..658033c20e35e 100644
--- a/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/samplecontroller/v1alpha1/foo.go
+++ b/staging/src/k8s.io/sample-controller/pkg/generated/informers/externalversions/samplecontroller/v1alpha1/foo.go
@@ -57,7 +57,7 @@ func NewFooInformer(client versioned.Interface, namespace string, resyncPeriod t
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFooInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -82,7 +82,7 @@ func NewFilteredFooInformer(client versioned.Interface, namespace string, resync
 				}
 				return client.SamplecontrollerV1alpha1().Foos(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apissamplecontrollerv1alpha1.Foo{},
 		resyncPeriod,
 		indexers,
diff --git a/test/cmd/apps.sh b/test/cmd/apps.sh
index 979c113007eb7..5098c0190841d 100755
--- a/test/cmd/apps.sh
+++ b/test/cmd/apps.sh
@@ -811,6 +811,10 @@ run_rs_tests() {
     kube::test::if_has_string "${output_message}" 'kubectl-autoscale'
     # Clean up
     kubectl delete hpa frontend "${kube_flags[@]:?}"
+    # autoscale with --dry-run=client should include namespace in output
+    autoscale_namespace=$(kubectl get rs frontend "${kube_flags[@]:?}" -o jsonpath='{.metadata.namespace}')
+    output_message=$(kubectl autoscale rs frontend "${kube_flags[@]:?}" --max=3 -n "$autoscale_namespace" --dry-run=client -o yaml 2>&1)
+    kube::test::if_has_string "${output_message}" 'namespace:'
     # autoscale without specifying --max should fail
     ! kubectl autoscale rs frontend "${kube_flags[@]:?}" || exit 1
     # Clean up
diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index 04c43bce783d4..ab6c4f638abfe 100644
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -178,6 +178,8 @@ EOF
     kube::log::status "exec credential plugin not triggered since kubeconfig was configured with --client-certificate/--client-key for authentication"
   fi
 
+  run_allowlist_tests_version
+
   kubectl delete csr testuser
   rm "${TMPDIR:-/tmp}"/invalid_execcredential.sh
   rm "${TMPDIR:-/tmp}"/invalid_exec_plugin.yaml
@@ -187,6 +189,112 @@ EOF
   set +o errexit
 }
 
+run_allowlist_tests_version() {
+  set +o nounset
+  set +o errexit
+
+  cat >"${TMPDIR:-/tmp}/kuberc-deny-all.yaml" <<EOF
+apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+credentialPluginPolicy: DenyAll
+EOF
+
+  output7=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-deny-all.yaml" "${kube_flags_without_token[@]:?}" get namespace kube-system -o name 2>&1)
+  rc7="$?"
+
+  if [ "$rc7" -ne 0 ] && [[ "$output7" =~ "DenyAll" ]]; then
+    kube::log::status "exec credential plugin not triggered because plugin policy set to DenyAll"
+  else
+    kube::log::status "Unexpected output when kuberc was configured with credentialPluginPolicy: DenyAll. Exec credential plugin ran despite DenyAll policy"
+    exit 1
+  fi
+
+  output8=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-deny-all.yaml" "${kube_flags_without_token[@]:?}" config view)
+  rc8="$?"
+
+  if [ "$rc8" -eq 0 ] && kube::test::if_has_string "$output8" "kind: Config"; then
+    kube::log::status "plugin policy has no effect on 'kubectl config view'"
+  else
+    kube::log::status "plugin policy 'DenyAll' prevented 'kubectl config view' from running"
+    exit 1
+  fi
+
+  cat >"${TMPDIR:-/tmp}/kuberc-allowlist-should-fail.yaml" <<EOF
+apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+credentialPluginPolicy: Allowlist
+credentialPluginAllowlist:
+  - name: abc123
+  - name: foobar
+EOF
+
+  output9=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-allowlist-should-fail.yaml" "${kube_flags_without_token[@]:?}" get namespace kube-system -o name 2>&1)
+  rc9="$?"
+
+  if [ "$rc9" -ne 0 ] && kube::test::if_has_string "$output9" "is not permitted by the credential plugin allowlist"; then
+    kube::log::status "exec credential plugin not triggered because allowlist does not permit it"
+  else
+    kube::log::status "Unexpected output when kuberc was configured with credentialPluginPolicy: Allowlist. Exec credential plugin ran despite not appearing in allowlist"
+    exit 1
+  fi
+
+  cat >"${TMPDIR:-/tmp}/kuberc-allowlist-should-succeed.yaml" <<EOF
+apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+credentialPluginPolicy: Allowlist
+credentialPluginAllowlist:
+  - name: foobar
+  - name: echo
+EOF
+
+  output10=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-allowlist-should-succeed.yaml" "${kube_flags_without_token[@]:?}" get namespace kube-system -o name)
+  rc10="$?"
+
+  if [ "$rc10" -eq 0 ] && [[ "$output10" =~ "namespace/kube-system" ]]; then
+    kube::log::status "exec credential plugin permitted by allowlist"
+  else
+    kube::log::status "Unexpected output when kuberc was configured with credentialPluginPolicy: Allowlist. Exec credential plugin not triggered despite appearing in allowlist"
+    exit 1
+  fi
+
+  cat >"${TMPDIR:-/tmp}/kuberc-allowlist-not-given.yaml" <<EOF
+apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+EOF
+
+  output11=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-allowlist-not-given.yaml" "${kube_flags_without_token[@]:?}" get namespace kube-system -o name)
+  rc11="$?"
+
+  if [ "$rc11" -eq 0 ] && [[ "$output11" =~ "namespace/kube-system" ]]; then
+    kube::log::status "exec credential plugin permitted by missing allowlist"
+  else
+    kube::log::status "Unexpected output when kuberc was configured without allowlist"
+    exit 1
+  fi
+
+  cat >"${TMPDIR:-/tmp}/kuberc-invalid-allowlist.yaml" <<EOF
+apiVersion: kubectl.config.k8s.io/v1beta1
+kind: Preference
+credentialPluginPolicy: AllowAll
+credentialPluginAllowlist:
+  - name: foobar
+  - name: echo
+EOF
+
+  output12=$(kubectl --kubeconfig="${TMPDIR:-/tmp}/valid_exec_plugin.yaml" --kuberc="${TMPDIR:-/tmp}/kuberc-invalid-allowlist.yaml" "${kube_flags_without_token[@]:?}" get namespace kube-system -o name 2>&1)
+  rc12="$?"
+
+  if [ "$rc12" -ne 0 ] && [[ "$output12" =~ "misconfigured credential plugin allowlist" ]]; then
+    kube::log::status "exec credential plugin denied by invalid allowlist"
+  else
+    kube::log::status "Unexpected output when kuberc was configured with invalid allowlist"
+    exit 1
+  fi
+
+  set -o nounset
+  set -o errexit
+}
+
 run_exec_credentials_interactive_tests() {
   run_exec_credentials_interactive_tests_version client.authentication.k8s.io/v1beta1
   run_exec_credentials_interactive_tests_version client.authentication.k8s.io/v1
diff --git a/test/cmd/authorization.sh b/test/cmd/authorization.sh
index 80c9e3ed482d3..54448fcee590c 100755
--- a/test/cmd/authorization.sh
+++ b/test/cmd/authorization.sh
@@ -73,6 +73,16 @@ run_impersonation_tests() {
     kube::test::get_object_assert 'csr/foo' '{{.spec.uid}}' 'abc123'
     kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
 
+    # --as-user-extra
+    kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-uid=abc123 \
+    --as-user-extra key1="hello there" --as-user-extra key1="one,two" --as-user-extra key1="pandas are" --as-user-extra key1="the best" --as-user-extra key2=val3
+    kubectl get csr/foo -oyaml
+    kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
+    kube::test::get_object_assert 'csr/foo' '{{.spec.uid}}' 'abc123'
+    kube::test::get_object_assert 'csr/foo' '{{range .spec.extra.key1}}{{.}} {{end}}' 'hello there one,two pandas are the best '
+    kube::test::get_object_assert 'csr/foo' '{{range .spec.extra.key2}}{{.}} {{end}}' 'val3 '
+    kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
+
   fi
 
   set +o nounset
diff --git a/test/cmd/core.sh b/test/cmd/core.sh
index 3526a0bbd882b..1859b31606247 100755
--- a/test/cmd/core.sh
+++ b/test/cmd/core.sh
@@ -966,7 +966,7 @@ run_service_accounts_tests() {
   # Post-condition: secret exists and has expected values
   kube::test::get_object_assert 'serviceaccount/test-service-account --namespace=test-service-accounts' "{{$id_field}}" 'test-service-account'
   # Describe command should respect the chunk size parameter
-  kube::test::describe_resource_chunk_size_assert serviceaccounts secrets,events "--namespace=test-service-accounts"
+  kube::test::describe_resource_chunk_size_assert serviceaccounts events "--namespace=test-service-accounts"
   # Clean-up
   kubectl delete serviceaccount test-service-account --namespace=test-service-accounts
   # Clean up
diff --git a/test/cmd/delete.sh b/test/cmd/delete.sh
index 0d47302be0bf4..11901c8d14776 100755
--- a/test/cmd/delete.sh
+++ b/test/cmd/delete.sh
@@ -38,7 +38,7 @@ run_kubectl_delete_allnamespaces_tests() {
   kubectl delete configmap --dry-run=server -l deletetest=true --all-namespaces
   kubectl config set-context "${CONTEXT}" --namespace="${ns_one}"
   kube::test::get_object_assert 'configmap -l deletetest' "{{range.items}}{{${id_field:?}}}:{{end}}" 'one:'
-  kubectl config set-context "${CONTEXT}" --namespace="${ns_two}"
+  kubectl config set-context "${CONTEXT}" -n "${ns_two}"
   kube::test::get_object_assert 'configmap -l deletetest' "{{range.items}}{{${id_field:?}}}:{{end}}" 'two:'
 
   kubectl delete configmap -l deletetest=true --all-namespaces
@@ -46,7 +46,7 @@ run_kubectl_delete_allnamespaces_tests() {
   # no configmaps should be in either of those namespaces with label deletetest
   kubectl config set-context "${CONTEXT}" --namespace="${ns_one}"
   kube::test::get_object_assert 'configmap -l deletetest' "{{range.items}}{{${id_field:?}}}:{{end}}" ''
-  kubectl config set-context "${CONTEXT}" --namespace="${ns_two}"
+  kubectl config set-context "${CONTEXT}" -n "${ns_two}"
   kube::test::get_object_assert 'configmap -l deletetest' "{{range.items}}{{${id_field:?}}}:{{end}}" ''
 
   set +o nounset
diff --git a/test/cmd/events.sh b/test/cmd/events.sh
index 5532fb2317b75..2fd8460c8a711 100755
--- a/test/cmd/events.sh
+++ b/test/cmd/events.sh
@@ -34,9 +34,10 @@ run_kubectl_events_tests() {
     # Post-condition: namespace 'test-events' is created.
     kube::test::get_object_assert 'namespaces/test-events' "{{$id_field}}" 'test-events'
 
-    # Pre-condition: event does not exist for Cronjob/pi in any namespace
+    # Pre-condition: event does not exist for CronJob/pi in any namespace
     output_message=$(kubectl events -A "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_not_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    kube::test::if_has_not_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_not_string "${output_message}" "CronJob/pi"
 
     # Pre-condition: cronjob does not exist in test-events namespace
     kube::test::get_object_assert 'cronjob --namespace=test-events' "{{range.items}}{{ if eq $id_field \"pi\" }}found{{end}}{{end}}:" ':'
@@ -100,54 +101,68 @@ __EOF__
     # Post-Condition: assertion object exists
     kube::test::get_object_assert 'cronjob/pi --namespace=test-events' "{{$id_field}}" 'pi'
 
-    # Post-Condition: events --all-namespaces returns event for Cronjob/pi
+    # Post-Condition: events --all-namespaces returns event for CronJob/pi
     output_message=$(kubectl events -A "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
 
-    # Post-Condition: events for test-events namespace returns event for Cronjob/pi
+    # Post-Condition: events for test-events namespace returns event for CronJob/pi
     output_message=$(kubectl events -n test-events "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
 
-    # Post-Condition: events returns event for Cronjob/pi when --for flag is used
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    # Post-Condition: events returns event for CronJob/pi when --for flag is used
+    output_message=$(kubectl events -n test-events --for=CronJob/pi "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
 
-    # Post-Condition: events returns event for fully qualified Cronjob.v1.batch/pi when --for flag is used
+    # Post-Condition: events returns event for fully qualified CronJob.v1.batch/pi when --for flag is used
     output_message=$(kubectl events -n test-events --for Cronjob.v1.batch/pi "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
 
     # Post-Condition: events not returns event for fully qualified Cronjob.v1.example.com/pi when --for flag is used
     output_message=$(kubectl events -n test-events --for Cronjob.v1.example.com/pi "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_not_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for fully qualified without version Cronjob.batch/pi when --for flag is used
-    output_message=$(kubectl events -n test-events --for=Cronjob.batch/pi "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for Cronjob/pi when watch is enabled
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --watch --request-timeout=1 "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for Cronjob/pi when filtered by Warning
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --types=Warning "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events not returns event for Cronjob/pi when filtered only by Normal
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --types=Normal "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_not_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for Cronjob/pi without headers
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --no-headers "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_not_string "${output_message}" "LAST SEEN" "TYPE" "REASON"
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for Cronjob/pi in json format
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --output=json "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
-
-    # Post-Condition: events returns event for Cronjob/pi in yaml format
-    output_message=$(kubectl events -n test-events --for=Cronjob/pi --output=yaml "${kube_flags[@]:?}" 2>&1)
-    kube::test::if_has_string "${output_message}" "Warning" "InvalidSchedule" "Cronjob/pi"
+    kube::test::if_has_not_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_not_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events returns event for fully qualified without version CronJob.batch/pi when --for flag is used
+    output_message=$(kubectl events -n test-events --for=CronJob.batch/pi "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events returns event for CronJob/pi when watch is enabled
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --watch --request-timeout=1 "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events returns event for CronJob/pi when filtered by Warning
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --types=Warning "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events not returns event for CronJob/pi when filtered only by Normal
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --types=Normal "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_not_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_not_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events returns event for CronJob/pi without headers
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --no-headers "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_not_string "${output_message}" "LAST SEEN"
+    kube::test::if_has_string "${output_message}" "InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "CronJob/pi"
+
+    # Post-Condition: events returns event for CronJob/pi in json format
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --output=json "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" '"reason": "InvalidSchedule"'
+    kube::test::if_has_string "${output_message}" '"kind": "CronJob"'
+    kube::test::if_has_string "${output_message}" '"name": "pi"'
+
+    # Post-Condition: events returns event for CronJob/pi in yaml format
+    output_message=$(kubectl events -n test-events --for=CronJob/pi --output=yaml "${kube_flags[@]:?}" 2>&1)
+    kube::test::if_has_string "${output_message}" "reason: InvalidSchedule"
+    kube::test::if_has_string "${output_message}" "kind: CronJob"
+    kube::test::if_has_string "${output_message}" "name: pi"
 
     #Clean up
     kubectl delete cronjob pi --namespace=test-events
diff --git a/test/cmd/exec.sh b/test/cmd/exec.sh
index 0ead76e8f47bc..02ab7c8d52265 100755
--- a/test/cmd/exec.sh
+++ b/test/cmd/exec.sh
@@ -78,12 +78,12 @@ run_kubectl_exec_resource_name_tests() {
   kube::log::status "Testing kubectl exec TYPE/NAME COMMAND"
 
   ### Test execute invalid resource type
-  output_message=$(! kubectl exec foo/bar date 2>&1)
+  output_message=$(! kubectl exec foo/bar -- date 2>&1)
   # resource type foo should error since it's invalid
   kube::test::if_has_string "${output_message}" 'error:'
 
   ### Test execute non-existing resources
-  output_message=$(! kubectl exec deployments/bar date 2>&1)
+  output_message=$(! kubectl exec deployments/bar -- date 2>&1)
   # resource type foo should error since it doesn't exist
   kube::test::if_has_string "${output_message}" '"bar" not found'
 
@@ -92,7 +92,7 @@ run_kubectl_exec_resource_name_tests() {
   kubectl create -f hack/testdata/configmap.yaml
 
   ### Test execute non-implemented resources
-  output_message=$(! kubectl exec configmap/test-set-env-config date 2>&1)
+  output_message=$(! kubectl exec configmap/test-set-env-config -- date 2>&1)
   # resource type configmap should error since configmap not implemented to be attached
   kube::test::if_has_string "${output_message}" 'not implemented'
 
@@ -100,13 +100,13 @@ run_kubectl_exec_resource_name_tests() {
   # Just check the output, since test-cmd not run kubelet, pod never be assigned.
   # and not really can run `kubectl exec` command
 
-  output_message=$(! kubectl exec pods/test-pod date 2>&1)
+  output_message=$(! kubectl exec pods/test-pod -- date 2>&1)
   # POD test-pod is exists this is shouldn't have output not found
   kube::test::if_has_not_string "${output_message}" 'not found'
   # These must be pass the validate
   kube::test::if_has_not_string "${output_message}" 'pod, type/name or --filename must be specified'
 
-  output_message=$(! kubectl exec replicaset/frontend date 2>&1)
+  output_message=$(! kubectl exec replicaset/frontend -- date 2>&1)
   # Replicaset frontend is valid and exists will select the first pod.
   # and Shouldn't have output not found
   kube::test::if_has_not_string "${output_message}" 'not found'
diff --git a/test/cmd/kuberc.sh b/test/cmd/kuberc.sh
index dc741b676db6b..da5a9a07549df 100755
--- a/test/cmd/kuberc.sh
+++ b/test/cmd/kuberc.sh
@@ -23,140 +23,143 @@ run_kuberc_tests() {
   set -o errexit
 
   create_and_use_new_namespace
-  kube::log::status "Testing kuberc"
+  kube::log::status "Testing kubectl alpha kuberc set commands"
 
-  cat > "${TMPDIR:-/tmp}"/kuberc_file << EOF
+  KUBERC_FILE="${TMPDIR:-/tmp}"/kuberc_file
+  cat > "$KUBERC_FILE" << EOF
 apiVersion: kubectl.config.k8s.io/v1beta1
 kind: Preference
-aliases:
-- name: crns
-  command: create namespace
-  appendArgs:
-   - test-kuberc-ns
-- name: getn
-  command: get
-  prependArgs:
-   - namespace
-  options:
-   - name: output
-     default: wide
-- name: crole
-  command: create role
-  options:
-  - name: verb
-    default: get,watch
-- name: getrole
-  command: get
-  options:
-  - name: output
-    default: json
-- name: runx
-  command: run
-  options:
-  - name: image
-    default: nginx
-  - name: labels
-    default: app=test,env=test
-  - name: env
-    default: DNS_DOMAIN=test
-  - name: namespace
-    default: test-kuberc-ns
-  appendArgs:
-  - test-pod-2
-  - --
-  - custom-arg1
-  - custom-arg2
-- name: setx
-  command: set image
-  appendArgs:
-  - pod/test-pod-2
-  - test-pod-2=busybox
-defaults:
-- command: apply
-  options:
-  - name: server-side
-    default: "true"
-  - name: dry-run
-    default: "server"
-  - name: validate
-    default: "strict"
-- command: delete
-  options:
-  - name: interactive
-    default: "true"
-- command: get
-  options:
-  - name: namespace
-    default: "test-kuberc-ns"
-  - name: output
-    default: "json"
 EOF
 
+  # Build up the kuberc file using kubectl alpha kuberc set commands
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=apply --option=server-side=true --option=dry-run=server --option=validate=strict
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=delete --option=interactive=true
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=get --option=namespace=test-kuberc-ns --option=output=json
+
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=crns --command="create namespace" --appendarg=test-kuberc-ns
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=getn --command=get --prependarg=namespace --option=output=wide
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=crole --command="create role" --option=verb=get,watch
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=getrole --command=get --option=output=json
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=runx --command=run --option=image=nginx --option=labels=app=test,env=test --option=env=DNS_DOMAIN=test --option=namespace=test-kuberc-ns --appendarg=test-pod-2 --appendarg=-- --appendarg=custom-arg1 --appendarg=custom-arg2
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=setx --command="set image" --appendarg=pod/test-pod-2 --appendarg=test-pod-2=busybox
+
+  kube::log::status "Testing kubectl alpha kuberc view commands"
+  # Test: kubectl alpha kuberc view
+  output_message=$(kubectl alpha kuberc view --kuberc="$KUBERC_FILE")
+  kube::test::if_has_string "${output_message}" "apiVersion: kubectl.config.k8s.io/v1beta1"
+  kube::test::if_has_string "${output_message}" "kind: Preference"
+  kube::test::if_has_string "${output_message}" "command: apply"
+  kube::test::if_has_string "${output_message}" "name: runx"
+  kube::test::if_has_string "${output_message}" "server-side"
+  kube::test::if_has_string "${output_message}" "interactive"
+
+  # Test: kubectl alpha kuberc view with json output
+  output_message=$(kubectl alpha kuberc view --kuberc="$KUBERC_FILE" -o json)
+  kube::test::if_has_string "${output_message}" "\"apiVersion\": \"kubectl.config.k8s.io/v1beta1\""
+  kube::test::if_has_string "${output_message}" "\"kind\": \"Preference\""
+
+  # Test: Attempt to set existing default without --overwrite flag should fail
+  output_message=$(! kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=get --option=output=yaml 2>&1)
+  kube::test::if_has_string "${output_message}" "defaults for command \"get\" already exist, use --overwrite to replace"
+
+  # Test: Now set with --overwrite flag should succeed and merge options
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=get --option=output=yaml --overwrite
+  output_message=$(kubectl alpha kuberc view --kuberc="$KUBERC_FILE")
+  kube::test::if_has_string "${output_message}" "default: yaml"
+  # Should still have namespace option from before
+  kube::test::if_has_string "${output_message}" "default: test-kuberc-ns"
+
+  # Test: Attempt to set existing alias without --overwrite flag should fail
+  output_message=$(! kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=getn --command=get --prependarg=pods 2>&1)
+  kube::test::if_has_string "${output_message}" "alias \"getn\" already exists, use --overwrite to replace"
+
+  # Test: Error cases - Missing required flags
+  output_message=$(! kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --command=get --option=output=wide 2>&1)
+  kube::test::if_has_string "${output_message}" "required flag(s) \"section\" not set"
+
+  output_message=$(! kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --option=output=wide 2>&1)
+  kube::test::if_has_string "${output_message}" "required flag(s) \"command\" not set"
+
+  # Test: KUBERC=off with view command
+  output_message=$(! KUBERC=off kubectl alpha kuberc view 2>&1)
+  kube::test::if_has_string "${output_message}" "KUBERC is disabled via KUBERC=off environment variable"
+
+  # Test: KUBERC=off with set command
+  output_message=$(! KUBERC=off kubectl alpha kuberc set --section=defaults --command=get --option=output=wide 2>&1)
+  kube::test::if_has_string "${output_message}" "KUBERC is disabled via KUBERC=off environment variable"
+
+  # Restore getn alias back to "namespace" for remaining tests
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=aliases --name=getn --command=get --prependarg=namespace --option=output=wide --overwrite
+  # Restore get defaults back to namespace=test-kuberc-ns and output=json for remaining tests
+  kubectl alpha kuberc set --kuberc="$KUBERC_FILE" --section=defaults --command=get --option=namespace=test-kuberc-ns --option=output=json --overwrite
+
+  kube::log::status "Testing kuberc aliases and defaults functionality"
+
   # Pre-condition: the test-kuberc-ns namespace does not exist
   kube::test::get_object_assert 'namespaces' "{{range.items}}{{ if eq ${id_field:?} \"test-kuberc-ns\" }}found{{end}}{{end}}:" ':'
   # Alias command crns successfully creates namespace
-  kubectl crns --kuberc="${TMPDIR:-/tmp}"/kuberc_file
+  kubectl crns --kuberc="$KUBERC_FILE"
   # Post-condition: namespace 'test-kuberc-ns' is created.
   kube::test::get_object_assert 'namespaces/test-kuberc-ns' "{{$id_field}}" 'test-kuberc-ns'
 
   # Alias command crns successfully creates namespace
-  kubectl getn --kuberc="${TMPDIR:-/tmp}"/kuberc_file test-kuberc-ns
+  kubectl getn --kuberc="$KUBERC_FILE" test-kuberc-ns
   # Post-condition: namespace 'test-kuberc-ns' is created.
   kube::test::get_object_assert 'namespaces/test-kuberc-ns' "{{$id_field}}" 'test-kuberc-ns'
 
   # Alias command crns successfully creates namespace
-  kubectl getn test-kuberc-ns --output=json --kuberc="${TMPDIR:-/tmp}"/kuberc_file
+  kubectl getn test-kuberc-ns --output=json --kuberc="$KUBERC_FILE"
   # Post-condition: namespace 'test-kuberc-ns' is created.
   kube::test::get_object_assert 'namespaces/test-kuberc-ns' "{{$id_field}}" 'test-kuberc-ns'
 
   # check array flags are appended after implicit defaults
-  kubectl crole testkubercrole --verb=list --namespace test-kuberc-ns --resource=pods --kuberc="${TMPDIR:-/tmp}"/kuberc_file
-  output_message=$(kubectl getrole role/testkubercrole -n test-kuberc-ns -oyaml --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  kubectl crole testkubercrole --verb=list --namespace test-kuberc-ns --resource=pods --kuberc="$KUBERC_FILE"
+  output_message=$(kubectl getrole role/testkubercrole -n test-kuberc-ns -oyaml --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'list'
   kube::test::if_has_not_string "${output_message}" 'watch' 'get'
   # Post-condition: remove role
   kubectl delete role testkubercrole --namespace=test-kuberc-ns
 
   # Alias run command creates a pod with the given configurations
-  kubectl runx --kuberc "${TMPDIR:-/tmp}"/kuberc_file
+  kubectl runx --kuberc "$KUBERC_FILE"
   # Post-Condition: assertion object exists
   kube::test::get_object_assert 'pod/test-pod-2 --namespace=test-kuberc-ns' "{{$id_field}}" 'test-pod-2'
   # Not explicitly pass namespace to assure that default flag value is used
-  output_message=$(kubectl get pod/test-pod-2 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl get pod/test-pod-2 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'nginx' 'app=test' 'env=test' 'DNS_DOMAIN=test' 'custom-arg1'
   # output flag is defaulted to json and assure that it is correct format
   kube::test::if_has_string "${output_message}" '{'
 
   # pass explicit invalid namespace to assure that it takes precedence over the value in kuberc
-  output_message=$(! kubectl get pod/test-pod-2 -n kube-system 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(! kubectl get pod/test-pod-2 -n kube-system 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'pods "test-pod-2" not found'
 
   # Alias set env command sets new env var
-  kubectl setx --kuberc="${TMPDIR:-/tmp}"/kuberc_file -n test-kuberc-ns
+  kubectl setx --kuberc="$KUBERC_FILE" -n test-kuberc-ns
   # explicitly pass same namespace also defined in kuberc
-  output_message=$(kubectl get pod/test-pod-2 -n test-kuberc-ns 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl get pod/test-pod-2 -n test-kuberc-ns 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'busybox'
   kube::test::if_has_not_string "${output_message}" 'nginx'
 
   # default overrides should prevent actual apply as they are all dry-run=server
   # also assure that explicit flags are also passed
-  output_message=$(kubectl apply -n test-kuberc-ns -f hack/testdata/pod.yaml --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl apply -n test-kuberc-ns -f hack/testdata/pod.yaml --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'serverside-applied (server dry run)'
 
   # interactive flag is defaulted to true and prompted as no
-  output_message=$(kubectl delete pod/test-pod-2 -n test-kuberc-ns <<< $'n\n' --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl delete pod/test-pod-2 -n test-kuberc-ns <<< $'n\n' --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'pod/test-pod-2'
   # assure that it is not deleted
-  output_message=$(kubectl get pod/test-pod-2 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl get pod/test-pod-2 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" "test-pod-2"
 
   # verify getn alias is working or not, depending if KUBECTL_KUBERC is on or off
-  output_message=$(! KUBECTL_KUBERC=false kubectl getn 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(! KUBECTL_KUBERC=false kubectl getn 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" "error: unknown command \"getn\" for \"kubectl\""
-  KUBECTL_KUBERC=true kubectl getn "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file
+  KUBECTL_KUBERC=true kubectl getn "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE"
 
   # verify KUBERC=off is working as expected
-  output_message=$(! KUBERC=off kubectl getn 2>&1 "${kube_flags[@]:?}" --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(! KUBERC=off kubectl getn 2>&1 "${kube_flags[@]:?}" --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" "KUBERC=off and passing kuberc flag are mutually exclusive"
   output_message=$(! KUBERC=off kubectl getn 2>&1 "${kube_flags[@]:?}")
   kube::test::if_has_string "${output_message}" "error: unknown command \"getn\" for \"kubectl\""
@@ -206,9 +209,11 @@ EOF
 
   # explicitly overwriting the value that is also defaulted in kuberc and
   # assure that explicit value supersedes
-  output_message=$(kubectl delete namespace/test-kuberc-ns --interactive=false --kuberc="${TMPDIR:-/tmp}"/kuberc_file)
+  output_message=$(kubectl delete namespace/test-kuberc-ns --interactive=false --kuberc="$KUBERC_FILE")
   kube::test::if_has_string "${output_message}" 'namespace "test-kuberc-ns" deleted'
 
+  rm "${TMPDIR:-/tmp}"/kuberc_file
+
   set +o nounset
   set +o errexit
 }
diff --git a/test/cmd/results.sh b/test/cmd/results.sh
index 498d058138f64..a34253f20c26c 100644
--- a/test/cmd/results.sh
+++ b/test/cmd/results.sh
@@ -53,11 +53,6 @@ Error from server (NotFound): pods "no-such-pod" not found
 EOF
   kube::test::results::diff "${TEMP}/actual_stdout" "${TEMP}/actual_stderr" "$res" "${TEMP}/empty" "${TEMP}/expected_stderr" 1 "kubectl get pod/no-such-pod"
 
-  output_message=$(kubectl get namespace kube-system 2>&1 "${kube_flags[@]:?}")
-  kube::test::if_has_not_string "${output_message}" "command headers turned on"
-  output_message=$(kubectl get namespace kube-system 2>&1 "${kube_flags[@]:?}" -v=5)
-  kube::test::if_has_string "${output_message}" "command headers turned on"
-
   set +o nounset
   set +o errexit
 }
diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
index b1e225f9a8825..8cbe2d3425678 100644
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@@ -11,6 +11,10 @@
     lockToDefault: false
     preRelease: Deprecated
     version: "1.33"
+  - default: true
+    lockToDefault: true
+    preRelease: Deprecated
+    version: "1.35"
 - name: AllowDNSOnlyNodeCSR
   versionedSpecs:
   - default: true
@@ -41,26 +45,16 @@
     lockToDefault: false
     preRelease: Deprecated
     version: "1.32"
+  - default: false
+    lockToDefault: true
+    preRelease: Deprecated
+    version: "1.35"
 - name: AllowParsingUserUIDFromCertAuth
   versionedSpecs:
   - default: true
     lockToDefault: false
     preRelease: Beta
     version: "1.33"
-- name: AllowServiceLBStatusOnNonLB
-  versionedSpecs:
-  - default: true
-    lockToDefault: false
-    preRelease: GA
-    version: "1.0"
-  - default: false
-    lockToDefault: false
-    preRelease: Deprecated
-    version: "1.29"
-  - default: false
-    lockToDefault: true
-    preRelease: Deprecated
-    version: "1.32"
 - name: AllowUnsafeMalformedObjectDeletion
   versionedSpecs:
   - default: false
@@ -149,6 +143,12 @@
     lockToDefault: true
     preRelease: GA
     version: "1.34"
+- name: AuthorizePodWebsocketUpgradeCreatePermission
+  versionedSpecs:
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: AuthorizeWithSelectors
   versionedSpecs:
   - default: false
@@ -179,12 +179,32 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.32"
+- name: ChangeContainerStatusOnKubeletRestart
+  versionedSpecs:
+  - default: true
+    lockToDefault: false
+    preRelease: GA
+    version: "1.0"
+  - default: false
+    lockToDefault: false
+    preRelease: Deprecated
+    version: "1.35"
 - name: ClearingNominatedNodeNameAfterBinding
   versionedSpecs:
   - default: false
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
+- name: CloudControllerManagerWatchBasedRoutesReconciliation
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: CloudControllerManagerWebhook
   versionedSpecs:
   - default: false
@@ -217,20 +237,6 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.32"
-- name: ComponentSLIs
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Alpha
-    version: "1.26"
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.27"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: ComponentStatusz
   versionedSpecs:
   - default: false
@@ -257,6 +263,12 @@
     lockToDefault: true
     preRelease: GA
     version: "1.34"
+- name: ConstrainedImpersonation
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: ContainerCheckpoint
   versionedSpecs:
   - default: false
@@ -273,6 +285,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: ContainerStopSignals
   versionedSpecs:
   - default: false
@@ -331,6 +347,12 @@
     lockToDefault: true
     preRelease: GA
     version: "1.33"
+- name: CRDObservedGenerationTracking
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: CRDValidationRatcheting
   versionedSpecs:
   - default: false
@@ -345,16 +367,6 @@
     lockToDefault: true
     preRelease: GA
     version: "1.33"
-- name: CronJobsScheduledAnnotation
-  versionedSpecs:
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.28"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: CrossNamespaceVolumeDataSource
   versionedSpecs:
   - default: false
@@ -379,6 +391,12 @@
     lockToDefault: true
     preRelease: GA
     version: "1.33"
+- name: CSIServiceAccountTokenSecrets
+  versionedSpecs:
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: CSIVolumeHealth
   versionedSpecs:
   - default: false
@@ -417,6 +435,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: DetectCacheInconsistency
   versionedSpecs:
   - default: true
@@ -437,6 +459,10 @@
     lockToDefault: false
     preRelease: GA
     version: "1.34"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: DisableCPUQuotaWithExclusiveCPUs
   versionedSpecs:
   - default: true
@@ -479,6 +505,12 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+- name: DRADeviceTaintRules
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: DRADeviceTaints
   versionedSpecs:
   - default: false
@@ -537,12 +569,20 @@
     lockToDefault: false
     preRelease: GA
     version: "1.34"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: EnvFiles
   versionedSpecs:
   - default: false
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: EventedPLEG
   versionedSpecs:
   - default: false
@@ -555,6 +595,10 @@
     lockToDefault: false
     preRelease: GA
     version: "1.20"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: ExternalServiceAccountTokenSigner
   versionedSpecs:
   - default: false
@@ -565,6 +609,18 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
+- name: GangScheduling
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
+- name: GenericWorkload
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: GitRepoVolumeDriver
   versionedSpecs:
   - default: true
@@ -615,12 +671,20 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: HPAConfigurableTolerance
   versionedSpecs:
   - default: false
     lockToDefault: false
     preRelease: Alpha
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: HPAScaleToZero
   versionedSpecs:
   - default: false
@@ -637,6 +701,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.30"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: ImageVolume
   versionedSpecs:
   - default: false
@@ -647,6 +715,16 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
+- name: InPlacePodLevelResourcesVerticalScaling
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: InPlacePodVerticalScaling
   versionedSpecs:
   - default: false
@@ -657,6 +735,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.33"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: InPlacePodVerticalScalingAllocatedStatus
   versionedSpecs:
   - default: false
@@ -709,6 +791,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.32"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: JobPodReplacementPolicy
   versionedSpecs:
   - default: false
@@ -771,12 +857,20 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.32"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: KubeletEnsureSecretPulledImages
   versionedSpecs:
   - default: false
     lockToDefault: false
     preRelease: Alpha
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: KubeletFineGrainedAuthz
   versionedSpecs:
   - default: false
@@ -887,20 +981,6 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
-- name: LoadBalancerIPMode
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Alpha
-    version: "1.29"
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.30"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: LocalStorageCapacityIsolationFSQuotaMonitoring
   versionedSpecs:
   - default: false
@@ -973,6 +1053,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.24"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: MemoryManager
   versionedSpecs:
   - default: false
@@ -1021,6 +1105,28 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
+- name: MutablePodResourcesForSuspendedJobs
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
+- name: MutablePVNodeAffinity
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
+- name: MutableSchedulingDirectivesForSuspendedJobs
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: MutatingAdmissionPolicy
   versionedSpecs:
   - default: false
@@ -1045,6 +1151,12 @@
     lockToDefault: true
     preRelease: GA
     version: "1.33"
+- name: NodeDeclaredFeatures
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: NodeInclusionPolicyInPodTopologySpread
   versionedSpecs:
   - default: false
@@ -1093,6 +1205,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: OpenAPIEnums
   versionedSpecs:
   - default: false
@@ -1103,6 +1219,12 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.24"
+- name: OpportunisticBatching
+  versionedSpecs:
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: OrderedNamespaceDeletion
   versionedSpecs:
   - default: false
@@ -1129,6 +1251,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.34"
+  - default: false
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: PodDeletionCost
   versionedSpecs:
   - default: false
@@ -1139,16 +1265,6 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.22"
-- name: PodIndexLabel
-  versionedSpecs:
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.28"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: PodLevelResources
   versionedSpecs:
   - default: false
@@ -1203,6 +1319,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: PodReadyToStartContainersCondition
   versionedSpecs:
   - default: false
@@ -1233,6 +1353,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.33"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: PortForwardWebsockets
   versionedSpecs:
   - default: false
@@ -1253,18 +1377,16 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: PreventStaticPodAPIReferences
   versionedSpecs:
   - default: true
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
-- name: ProbeHostPodSecurityStandards
-  versionedSpecs:
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.34"
 - name: ProcMountType
   versionedSpecs:
   - default: false
@@ -1385,6 +1507,12 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.31"
+- name: RestartAllContainersOnContainerExits
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: RetryGenerateName
   versionedSpecs:
   - default: false
@@ -1605,34 +1733,6 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
-- name: SizeMemoryBackedVolumes
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Alpha
-    version: "1.20"
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.22"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
-- name: StatefulSetAutoDeletePVC
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Alpha
-    version: "1.23"
-  - default: true
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.27"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: StatefulSetSemanticRevisionComparison
   versionedSpecs:
   - default: true
@@ -1677,6 +1777,10 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.30"
+  - default: false
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: StreamingCollectionEncodingToJSON
   versionedSpecs:
   - default: true
@@ -1697,26 +1801,6 @@
     lockToDefault: true
     preRelease: GA
     version: "1.34"
-- name: StrictCostEnforcementForVAP
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.30"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
-- name: StrictCostEnforcementForWebhooks
-  versionedSpecs:
-  - default: false
-    lockToDefault: false
-    preRelease: Beta
-    version: "1.30"
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.32"
 - name: StrictIPCIDRValidation
   versionedSpecs:
   - default: false
@@ -1743,6 +1827,12 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.34"
+- name: StructuredAuthenticationConfigurationJWKSMetrics
+  versionedSpecs:
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.35"
 - name: StructuredAuthorizationConfiguration
   versionedSpecs:
   - default: false
@@ -1767,12 +1857,26 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.33"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
 - name: SystemdWatchdog
   versionedSpecs:
   - default: true
     lockToDefault: false
     preRelease: Beta
     version: "1.32"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.35"
+- name: TaintTolerationComparisonOperators
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: TokenRequestServiceAccountUIDValidation
   versionedSpecs:
   - default: true
@@ -1853,12 +1957,12 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.28"
-- name: UserNamespacesPodSecurityStandards
+- name: UserNamespacesHostNetworkSupport
   versionedSpecs:
   - default: false
     lockToDefault: false
     preRelease: Alpha
-    version: "1.29"
+    version: "1.35"
 - name: UserNamespacesSupport
   versionedSpecs:
   - default: false
@@ -1887,6 +1991,12 @@
     lockToDefault: false
     preRelease: GA
     version: "1.34"
+- name: VolumeLimitScaling
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.35"
 - name: WatchCacheInitializationPostStartHook
   versionedSpecs:
   - default: false
diff --git a/test/conformance/testdata/conformance.yaml b/test/conformance/testdata/conformance.yaml
index b95f2474f0070..5194b83db59fb 100755
--- a/test/conformance/testdata/conformance.yaml
+++ b/test/conformance/testdata/conformance.yaml
@@ -256,9 +256,10 @@
   file: test/e2e/apimachinery/aggregated_discovery.go
 - testname: aggregator-supports-the-sample-apiserver
   codename: '[sig-api-machinery] Aggregator Should be able to support the 1.17 Sample
-    API Server using the current Aggregator [Conformance]'
+    API Server using the current Aggregator [LinuxOnly] [Conformance]'
   description: Ensure that the sample-apiserver code from 1.17 and compiled against
-    1.17 will work on the current Aggregator/API-Server.
+    1.17 will work on the current Aggregator/API-Server. This test is marked LinuxOnly
+    because etcd does not provide or support images for Windows.
   release: v1.17, v1.21, v1.27
   file: test/e2e/apimachinery/aggregator.go
 - testname: Custom Resource Definition Conversion Webhook, convert mixed version list
@@ -1496,9 +1497,9 @@
 - testname: Kubectl, diff Deployment
   codename: '[sig-cli] Kubectl client Kubectl diff should check if kubectl diff finds
     a difference for Deployments [Conformance]'
-  description: Create a Deployment with httpd image. Declare the same Deployment with
-    a different image, busybox. Diff of live Deployment with declared Deployment MUST
-    include the difference between live and declared image.
+  description: Create a Deployment with agnhost image. Declare the same Deployment
+    with a different image, busybox. Diff of live Deployment with declared Deployment
+    MUST include the difference between live and declared image.
   release: v1.19
   file: test/e2e/kubectl/kubectl.go
 - testname: Kubectl, create service, replication controller
@@ -1643,6 +1644,19 @@
     The event is deleted and MUST NOT show up when listing all events.
   release: v1.25
   file: test/e2e/instrumentation/core_events.go
+- testname: kubernetes.default Endpoints and EndpointSlices
+  codename: '[sig-network] API Server should have Endpoints and EndpointSlices pointing
+    to API Server [Conformance]'
+  description: The "kubernetes.default" service MUST have Endpoints and EndpointSlices
+    pointing to each API server instance.
+  release: v1.21
+  file: test/e2e/network/apiserver.go
+- testname: Kubernetes Service
+  codename: '[sig-network] API Server should provide secure master service [Conformance]'
+  description: By default when a kubernetes cluster is running there MUST be a 'kubernetes'
+    service running in the cluster.
+  release: v1.9
+  file: test/e2e/network/apiserver.go
 - testname: DNS, cluster
   codename: '[sig-network] DNS should provide /etc/hosts entries for the cluster [Conformance]'
   description: When a Pod is created, the pod MUST be able to resolve cluster dns
@@ -1703,36 +1717,19 @@
     DNS configuration MUST be configured in the Pod.
   release: v1.17
   file: test/e2e/network/dns.go
-- testname: EndpointSlice API
+- testname: EndpointSlice, creation/deletion
   codename: '[sig-network] EndpointSlice should create Endpoints and EndpointSlices
     for Pods matching a Service [Conformance]'
-  description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-    The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io
-    discovery document. The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1
-    discovery document. The endpointslice controller must create EndpointSlices for
-    Pods mataching a Service.
-  release: v1.21
-  file: test/e2e/network/endpointslice.go
-- testname: EndpointSlice API
-  codename: '[sig-network] EndpointSlice should create and delete Endpoints and EndpointSlices
-    for a Service with a selector specified [Conformance]'
-  description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-    The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io
-    discovery document. The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1
-    discovery document. The endpointslice controller should create and delete EndpointSlices
+  description: The endpointslice controller must create and delete EndpointSlices
     for Pods matching a Service.
-  release: v1.21
+  release: v1.21, v1.35
   file: test/e2e/network/endpointslice.go
-- testname: EndpointSlice API
-  codename: '[sig-network] EndpointSlice should have Endpoints and EndpointSlices
-    pointing to API Server [Conformance]'
-  description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-    The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io
-    discovery document. The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1
-    discovery document. The cluster MUST have a service named "kubernetes" on the
-    default namespace referencing the API servers. The "kubernetes.default" service
-    MUST have Endpoints and EndpointSlices pointing to each API server instance.
-  release: v1.21
+- testname: EndpointSlice, "empty" Service
+  codename: '[sig-network] EndpointSlice should create and delete EndpointSlices for
+    a Service with a selector that matches no pods [Conformance]'
+  description: The EndpointSlice controller should create and delete empty EndpointSlices
+    for a Service that matches no pods.
+  release: v1.21, v1.35
   file: test/e2e/network/endpointslice.go
 - testname: EndpointSlice, multiple IPs, multiple ports
   codename: '[sig-network] EndpointSlice should support a Service with multiple endpoint
@@ -1770,6 +1767,29 @@
     update, and delete actions.
   release: v1.21
   file: test/e2e/network/endpointslicemirroring.go
+- testname: Endpoint resource lifecycle
+  codename: '[sig-network] Endpoints should test the lifecycle of an Endpoint [Conformance]'
+  description: Create an endpoint, the endpoint MUST exist. The endpoint is updated
+    with a new label, a check after the update MUST find the changes. The endpoint
+    is then patched with a new IPv4 address and port, a check after the patch MUST
+    the changes. The endpoint is deleted by its label, a watch listens for the deleted
+    watch event.
+  release: v1.19
+  file: test/e2e/network/endpoints.go
+- testname: Endpoints, creation/deletion
+  codename: '[sig-network] EndpointsController should create Endpoints for Pods matching
+    a Service [Conformance]'
+  description: The Endpoints controller must create an Endpoints for Pods matching
+    a Service.
+  release: v1.21, v1.35
+  file: test/e2e/network/endpoints.go
+- testname: Endpoints, "empty" Service
+  codename: '[sig-network] EndpointsController should create and delete Endpoints
+    for a Service with a selector that matches no pods [Conformance]'
+  description: The Endpoints controller should create and delete an empty Endpoints
+    for a Service that matches no pods.
+  release: v1.21, v1.35
+  file: test/e2e/network/endpoints.go
 - testname: Scheduling, HostPort matching and HostIP and Protocol not-matching
   codename: '[sig-network] HostPort validates that there is no conflict between pods
     with same hostPort but different hostIP and protocol [LinuxOnly] [Conformance]'
@@ -2042,12 +2062,6 @@
     Windows does not support session affinity.'
   release: v1.19
   file: test/e2e/network/service.go
-- testname: Kubernetes Service
-  codename: '[sig-network] Services should provide secure master service [Conformance]'
-  description: By default when a kubernetes cluster is running there MUST be a 'kubernetes'
-    service running in the cluster.
-  release: v1.9
-  file: test/e2e/network/service.go
 - testname: Service, endpoints
   codename: '[sig-network] Services should serve a basic endpoint from pods [Conformance]'
   description: Create a service with a endpoint without any Pods, the service MUST
@@ -2079,15 +2093,6 @@
     Pod and the service must now have empty set of endpoints.
   release: v1.9
   file: test/e2e/network/service.go
-- testname: Endpoint resource lifecycle
-  codename: '[sig-network] Services should test the lifecycle of an Endpoint [Conformance]'
-  description: Create an endpoint, the endpoint MUST exist. The endpoint is updated
-    with a new label, a check after the update MUST find the changes. The endpoint
-    is then patched with a new IPv4 address and port, a check after the patch MUST
-    the changes. The endpoint is deleted by it's label, a watch listens for the deleted
-    watch event.
-  release: v1.19
-  file: test/e2e/network/service.go
 - testname: ConfigMap, from environment field with various prefixes
   codename: '[sig-node] ConfigMap should be consumable as environment variable names
     with various prefixes [Conformance]'
@@ -2126,6 +2131,12 @@
     ConfigMap must be deleted by Collection.
   release: v1.19
   file: test/e2e/common/node/configmap.go
+- testname: ConfigMap Update
+  codename: '[sig-node] ConfigMap should update ConfigMap successfully [NodeConformance]
+    [Conformance]'
+  description: Ensure that a ConfigMap object can be created and then updated successfully.
+  release: v1.32
+  file: test/e2e/common/node/configmap.go
 - testname: Pod Lifecycle, post start exec hook
   codename: '[sig-node] Container Lifecycle Hook when create a pod with lifecycle
     hook should execute poststart exec hook properly [NodeConformance] [Conformance]'
@@ -2425,6 +2436,63 @@
     its new label found. Deleting the Node MUST succeed and its deletion MUST be confirmed.
   release: v1.32
   file: test/e2e/node/node_lifecycle.go
+- testname: In-place Pod Resize, burtable pod with multiple containers and various
+    operations
+  codename: '[sig-node] Pod InPlace Resize Container burstable pods - extended 6 containers
+    - various operations performed (including adding limits and requests) [MinimumKubeletVersion:1.34]
+    [Conformance]'
+  description: Issuing a Pod Resize request via the Pod Resize subresource patch endpoint
+    to modify CPU and memory requests and limits on a 6-container pod with various
+    operations MUST result in the Pod resources being updated as expected.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
+- testname: In-place Pod Resize, burstable pod resized with equivalents
+  codename: '[sig-node] Pod InPlace Resize Container burstable pods - extended resize
+    with equivalents [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Issuing an in-place Pod Resize request via the Pod Resize subresource
+    patch endpoint to modify CPU requests and limits using equivalent values (e.g.
+    2m -> 1m) MUST result in the updated Pod resources displayed correctly in the
+    status.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
+- testname: In-place Pod Resize, guaranteed pods with multiple containers, net increase
+  codename: '[sig-node] Pod InPlace Resize Container guaranteed pods with multiple
+    containers 3 containers - increase cpu & mem on c1, c2, decrease cpu & mem on
+    c3 - net increase [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Issuing an in-place Pod Resize request via the Pod Resize subresource
+    patch endpoint to modify CPU and memory requests and limits for a guaranteed pod
+    with 3 containers with a net increase MUST result in the Pod resources being updated
+    as expected.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
+- testname: In-place Pod Resize, guaranteed pods with multiple containers, net decrease
+  codename: '[sig-node] Pod InPlace Resize Container guaranteed pods with multiple
+    containers 3 containers - increase cpu & mem on c1, decrease cpu & mem on c2,
+    c3 - net decrease [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Issuing an in-place Pod Resize request via the Pod Resize subresource
+    patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers
+    with a net decrease MUST result in the Pod resources being updated as expected.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
+- testname: In-place Pod Resize, guaranteed pods with multiple containers, various
+    operations
+  codename: '[sig-node] Pod InPlace Resize Container guaranteed pods with multiple
+    containers 3 containers - increase: CPU (c1,c3), memory (c2, c3) ; decrease: CPU
+    (c2) [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Issuing an in-place Pod Resize request via the Pod Resize subresource
+    patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers
+    with various operations MUST result in the Pod resources being updated as expected.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
+- testname: In-place Pod Resize, read and replace endpoints
+  codename: '[sig-node] Pod InPlace Resize Container resize pod via the replace endpoint
+    [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Issuing a Pod Resize request via the Pod Resize subresource replace
+    endpoint MUST result in the Pod resources being updated as expected. The Pod object
+    fetched from the Pod Resize subresource MUST be equivalent to the Pod object fetched
+    from the main Pod endpoint after the resize is completed.
+  release: v1.35
+  file: test/e2e/common/node/pod_resize.go
 - testname: PodTemplate, delete a collection
   codename: '[sig-node] PodTemplates should delete a collection of pod templates [Conformance]'
   description: A set of Pod Templates is created with a label selector which MUST
@@ -2447,6 +2515,28 @@
     The PodTemplate must be deleted.
   release: v1.19
   file: test/e2e/common/node/podtemplates.go
+- testname: Pods Generation, graceful delete
+  codename: '[sig-node] Pods Extended (pod generation) Pod Generation custom-set generation
+    on new pods and graceful delete [Conformance]'
+  description: Create a Pod, ensure that triggering a graceful delete causes the generation
+    to be updated.
+  release: v1.35
+  file: test/e2e/node/pods.go
+- testname: Pods Generation, 500 updates
+  codename: '[sig-node] Pods Extended (pod generation) Pod Generation issue 500 podspec
+    updates and verify generation and observedGeneration eventually converge [MinimumKubeletVersion:1.34]
+    [Conformance]'
+  description: Create a Pod, issue 499 podSpec updates and verify generation and observedGeneration
+    eventually converge to 500.
+  release: v1.35
+  file: test/e2e/node/pods.go
+- testname: Pods Generation, updates
+  codename: '[sig-node] Pods Extended (pod generation) Pod Generation pod generation
+    should start at 1 and increment per update [MinimumKubeletVersion:1.34] [Conformance]'
+  description: Create a Pod, and perform a few updates, ensuring that the pod's metadata.generation
+    and status.observedGeneration are updated as expected.
+  release: v1.35
+  file: test/e2e/node/pods.go
 - testname: Pods, QOS
   codename: '[sig-node] Pods Extended Pods Set QOS Class should be set on Pods with
     matching resource requests and limits for memory and cpu [Conformance]'
@@ -2768,7 +2858,7 @@
   file: test/e2e/common/node/security_context.go
 - testname: Sysctls, reject invalid sysctls
   codename: '[sig-node] Sysctls [LinuxOnly] [NodeConformance] should reject invalid
-    sysctls [MinimumKubeletVersion:1.21] [Conformance]'
+    sysctls [Conformance]'
   description: 'Pod is created with one valid and two invalid sysctls. Pod should
     not apply invalid sysctls. [LinuxOnly]: This test is marked as LinuxOnly since
     Windows does not support sysctls'
@@ -2776,7 +2866,7 @@
   file: test/e2e/common/node/sysctl.go
 - testname: Sysctl, test sysctls
   codename: '[sig-node] Sysctls [LinuxOnly] [NodeConformance] should support sysctls
-    [MinimumKubeletVersion:1.21] [Environment:NotInUserNS] [Conformance]'
+    [Environment:NotInUserNS] [Conformance]'
   description: 'Pod is created with kernel.shm_rmid_forced sysctl. Kernel.shm_rmid_forced
     must be set to 1 [LinuxOnly]: This test is marked as LinuxOnly since Windows does
     not support sysctls [Environment:NotInUserNS]: The test fails in UserNS (as expected):
@@ -2842,6 +2932,31 @@
     lifecycle of a container.
   release: v1.19
   file: test/e2e/common/node/expansion.go
+- testname: CRUD operations for deviceclasses
+  codename: '[sig-node] [DRA] CRUD Tests resource.k8s.io/v1 DeviceClass [Conformance]'
+  description: kube-apiserver must support create/update/list/patch/delete operations
+    for resource.k8s.io/v1 DeviceClass.
+  release: v1.35
+  file: test/e2e/dra/dra.go
+- testname: CRUD operations for resourceclaims
+  codename: '[sig-node] [DRA] CRUD Tests resource.k8s.io/v1 ResourceClaim [Conformance]'
+  description: kube-apiserver must support create/update/list/patch/delete operations
+    for resource.k8s.io/v1 ResourceClaim.
+  release: v1.35
+  file: test/e2e/dra/dra.go
+- testname: CRUD operations for resourceclaimtemplates
+  codename: '[sig-node] [DRA] CRUD Tests resource.k8s.io/v1 ResourceClaimTemplate
+    [Conformance]'
+  description: kube-apiserver must support create/update/list/patch/delete operations
+    for resource.k8s.io/v1 ResourceClaimTemplate.
+  release: v1.35
+  file: test/e2e/dra/dra.go
+- testname: CRUD operations for resoureslices
+  codename: '[sig-node] [DRA] CRUD Tests resource.k8s.io/v1 ResourceSlice [Conformance]'
+  description: kube-apiserver must support create/update/list/patch/delete operations
+    for resource.k8s.io/v1 ResourceSlice.
+  release: v1.35
+  file: test/e2e/dra/dra.go
 - testname: LimitRange, resources
   codename: '[sig-scheduling] LimitRange should create a LimitRange with defaults
     and ensure pod has those defaults applied. [Conformance]'
@@ -3788,4 +3903,15 @@
     via deleteCollection MUST succeed and it MUST be confirmed.
   release: v1.30
   file: test/e2e/storage/volume_attachment.go
+- testname: VolumeAttributesClass, lifecycle
+  codename: '[sig-storage] VolumeAttributesClass [FeatureGate:VolumeAttributesClass]
+    should run through the lifecycle of a VolumeAttributesClass [Conformance]'
+  description: Creating a VolumeAttributesClass MUST succeed. Reading the VolumeAttributesClass
+    MUST succeed. Patching the VolumeAttributesClass MUST succeed with its new label
+    found. Deleting the VolumeAttributesClass MUST succeed and it MUST be confirmed.
+    Replacement VolumeAttributesClass MUST be created. Updating the VolumeAttributesClass
+    MUST succeed with its new label found. Deleting the VolumeAttributesClass via
+    deleteCollection MUST succeed and it MUST be confirmed.
+  release: v1.35
+  file: test/e2e/storage/volumeattributesclass.go
 
diff --git a/test/conformance/testdata/ineligible_endpoints.yaml b/test/conformance/testdata/ineligible_endpoints.yaml
index 20b3cd3e6e588..08ae4e33d92d8 100644
--- a/test/conformance/testdata/ineligible_endpoints.yaml
+++ b/test/conformance/testdata/ineligible_endpoints.yaml
@@ -295,3 +295,9 @@
 - endpoint: replaceNetworkingV1ServiceCIDRStatus
   reason: Kubernetes distribution would reasonably not allow this action via the API
   link: https://github.com/kubernetes/enhancements/pull/4983#issuecomment-2541699445
+- endpoint: connectCoreV1PostNamespacedPodExec
+  reason: Deprecated and uses a sometime unreliable SPDY protocol
+  link: https://github.com/kubernetes/kubernetes/issues/133689#issuecomment-3233952615
+- endpoint: connectCoreV1PostNamespacedPodPortforward
+  reason: Deprecated and uses a sometime unreliable SPDY protocol
+  link: https://github.com/kubernetes/kubernetes/issues/133689#issuecomment-3233952615
\ No newline at end of file
diff --git a/test/conformance/testdata/pending_eligible_endpoints.yaml b/test/conformance/testdata/pending_eligible_endpoints.yaml
index 232b72496ad62..73b314ff7c704 100644
--- a/test/conformance/testdata/pending_eligible_endpoints.yaml
+++ b/test/conformance/testdata/pending_eligible_endpoints.yaml
@@ -1,4 +1 @@
----
-- patchCoreV1NamespacedPodResize
-- readCoreV1NamespacedPodResize
-- replaceCoreV1NamespacedPodResize
+---
\ No newline at end of file
diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go
index c20d4f49b9dac..5058614dae171 100644
--- a/test/e2e/apimachinery/aggregator.go
+++ b/test/e2e/apimachinery/aggregator.go
@@ -37,6 +37,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/discovery"
 	clientset "k8s.io/client-go/kubernetes"
@@ -44,6 +45,7 @@ import (
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eauth "k8s.io/kubernetes/test/e2e/framework/auth"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
@@ -95,8 +97,9 @@ var _ = SIGDescribe("Aggregator", func() {
 		Testname: aggregator-supports-the-sample-apiserver
 		Description: Ensure that the sample-apiserver code from 1.17 and compiled against 1.17
 		will work on the current Aggregator/API-Server.
+		This test is marked LinuxOnly because etcd does not provide or support images for Windows.
 	*/
-	framework.ConformanceIt("Should be able to support the 1.17 Sample API Server using the current Aggregator", func(ctx context.Context) {
+	framework.ConformanceIt("Should be able to support the 1.17 Sample API Server using the current Aggregator [LinuxOnly]", func(ctx context.Context) {
 		// Testing a 1.17 version of the sample-apiserver
 		TestSampleAPIServer(ctx, f, aggrclient, imageutils.GetE2EImage(imageutils.APIServer), defaultApiServiceGroupName, defaultApiServiceVersion)
 	})
@@ -526,9 +529,11 @@ func TestSampleAPIServer(ctx context.Context, f *framework.Framework, aggrclient
 
 	var jr *apiregistrationv1.APIService
 	err = json.Unmarshal([]byte(statusContent), &jr)
+	gomega.Expect(jr).To(apimachineryutils.HaveValidResourceVersion())
 	framework.ExpectNoError(err, "Failed to process statusContent: %v | err: %v ", string(statusContent), err)
 	gomega.Expect(jr.Status.Conditions[0].Message).To(gomega.Equal("all checks passed"), "The Message returned was %v", jr.Status.Conditions[0].Message)
 
+	oldRV := jr.ResourceVersion
 	ginkgo.By("kubectl patch apiservice " + apiServiceName + " -p '{\"spec\":{\"versionPriority\": 400}}'")
 	patchContent, err := restClient.Patch(types.MergePatchType).
 		AbsPath("/apis/apiregistration.k8s.io/v1/apiservices/"+apiServiceName).
@@ -539,6 +544,7 @@ func TestSampleAPIServer(ctx context.Context, f *framework.Framework, aggrclient
 	err = json.Unmarshal([]byte(patchContent), &jr)
 	framework.ExpectNoError(err, "Failed to process patchContent: %v | err: %v ", string(patchContent), err)
 	gomega.Expect(jr.Spec.VersionPriority).To(gomega.Equal(int32(400)), "The VersionPriority returned was %d", jr.Spec.VersionPriority)
+	gomega.Expect(resourceversion.CompareResourceVersion(oldRV, jr.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 	ginkgo.By("List APIServices")
 	listApiservices, err := restClient.Get().
diff --git a/test/e2e/apimachinery/crd_conversion_webhook.go b/test/e2e/apimachinery/crd_conversion_webhook.go
index b1e359e1bf767..110b6b8e5a7c9 100644
--- a/test/e2e/apimachinery/crd_conversion_webhook.go
+++ b/test/e2e/apimachinery/crd_conversion_webhook.go
@@ -36,6 +36,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
+	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
 	"k8s.io/kubernetes/test/utils/crd"
 	"k8s.io/kubernetes/test/utils/format"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -340,7 +341,7 @@ func deployCustomResourceWebhookAndService(ctx context.Context, f *framework.Fra
 	framework.ExpectNoError(err, "creating service %s in namespace %s", serviceCRDName, namespace)
 
 	ginkgo.By("Verifying the service has paired with the endpoint")
-	err = framework.WaitForServiceEndpointsNum(ctx, client, namespace, serviceCRDName, 1, 1*time.Second, 30*time.Second)
+	err = e2eendpointslice.WaitForEndpointCount(ctx, client, namespace, serviceCRDName, 1)
 	framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceCRDName, 1)
 }
 
diff --git a/test/e2e/apimachinery/crd_publish_openapi.go b/test/e2e/apimachinery/crd_publish_openapi.go
index e28271cbd4b60..8a5854d7ad779 100644
--- a/test/e2e/apimachinery/crd_publish_openapi.go
+++ b/test/e2e/apimachinery/crd_publish_openapi.go
@@ -27,6 +27,7 @@ import (
 	"time"
 
 	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
 	"sigs.k8s.io/yaml"
 
 	"k8s.io/apiserver/pkg/cel/environment"
@@ -39,10 +40,12 @@ import (
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	k8sclientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/kube-openapi/pkg/validation/spec"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	"k8s.io/kubernetes/test/utils/crd"
@@ -447,6 +450,7 @@ var _ = SIGDescribe("CustomResourcePublishOpenAPI [Privileged:ClusterAdmin]", fu
 		if err != nil {
 			framework.Failf("%v", err)
 		}
+		gomega.Expect(crd.Crd).To(apimachineryutils.HaveValidResourceVersion())
 		// just double check. setupCRD() checked this for us already
 		if err := waitForDefinition(f.ClientSet, definitionName(crd, "v6alpha1"), schemaFoo); err != nil {
 			framework.Failf("%v", err)
@@ -461,10 +465,12 @@ var _ = SIGDescribe("CustomResourcePublishOpenAPI [Privileged:ClusterAdmin]", fu
 			framework.Failf("%v", err)
 		}
 		crd.Crd.Spec.Versions[1].Served = false
+		oldRV := crd.Crd.ResourceVersion
 		crd.Crd, err = crd.APIExtensionClient.ApiextensionsV1().CustomResourceDefinitions().Update(ctx, crd.Crd, metav1.UpdateOptions{})
 		if err != nil {
 			framework.Failf("%v", err)
 		}
+		gomega.Expect(resourceversion.CompareResourceVersion(oldRV, crd.Crd.ResourceVersion)).To(gomega.BeNumerically("==", -1), "updated object should have a larger resource version")
 
 		ginkgo.By("check the unserved version gets removed")
 		if err := waitForDefinitionCleanup(f.ClientSet, definitionName(crd, "v6alpha1")); err != nil {
diff --git a/test/e2e/apimachinery/custom_resource_definition.go b/test/e2e/apimachinery/custom_resource_definition.go
index 18d3d164ced9d..1235ea815e0ff 100644
--- a/test/e2e/apimachinery/custom_resource_definition.go
+++ b/test/e2e/apimachinery/custom_resource_definition.go
@@ -34,11 +34,13 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
@@ -297,7 +299,7 @@ var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin
 			Resource: crd.Spec.Names.Plural,
 		}
 		crClient := dynamicClient.Resource(gvr)
-		_, err = crClient.Create(ctx, &unstructured.Unstructured{Object: map[string]interface{}{
+		u1, err := crClient.Create(ctx, &unstructured.Unstructured{Object: map[string]interface{}{
 			"apiVersion": gvr.Group + "/" + gvr.Version,
 			"kind":       crd.Spec.Names.Kind,
 			"metadata": map[string]interface{}{
@@ -305,7 +307,7 @@ var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin
 			},
 		}}, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "creating CR")
-
+		gomega.Expect(u1).To(apimachineryutils.HaveValidResourceVersion())
 		// Setting default for a to "A" and waiting for the CR to get defaulted on read
 		crd, err = apiExtensionClient.ApiextensionsV1().CustomResourceDefinitions().Patch(ctx, crd.Name, types.JSONPatchType, []byte(`[
 			{"op":"add","path":"/spec/versions/0/schema/openAPIV3Schema/properties/a/default", "value": "A"}
@@ -313,7 +315,7 @@ var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin
 		framework.ExpectNoError(err, "setting default for a to \"A\" in schema")
 
 		err = wait.PollImmediate(time.Millisecond*100, wait.ForeverTestTimeout, func() (bool, error) {
-			u1, err := crClient.Get(ctx, name1, metav1.GetOptions{})
+			u1, err = crClient.Get(ctx, name1, metav1.GetOptions{})
 			if err != nil {
 				return false, err
 			}
@@ -382,6 +384,7 @@ var _ = SIGDescribe("CustomResourceDefinition resources [Privileged:ClusterAdmin
 			return true, nil
 		})
 		framework.ExpectNoError(err, "waiting for CR to be defaulted on read for b and a staying the same")
+		gomega.Expect(resourceversion.CompareResourceVersion(u1.GetResourceVersion(), u2.GetResourceVersion())).To(gomega.BeNumerically("==", -1), "second created object should have a larger resource version")
 	})
 
 })
diff --git a/test/e2e/apimachinery/flowcontrol.go b/test/e2e/apimachinery/flowcontrol.go
index 46fac542b8246..ea13440b6ec98 100644
--- a/test/e2e/apimachinery/flowcontrol.go
+++ b/test/e2e/apimachinery/flowcontrol.go
@@ -37,6 +37,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/util/apihelpers"
@@ -44,6 +45,7 @@ import (
 	"k8s.io/client-go/rest"
 	clientsideflowcontrol "k8s.io/client-go/util/flowcontrol"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 	"k8s.io/utils/ptr"
@@ -384,6 +386,7 @@ var _ = SIGDescribe("API priority and fairness", func() {
 		fsRead, err := client.Get(ctx, fsCreated.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(fsRead.UID).To(gomega.Equal(fsCreated.UID))
+		gomega.Expect(fsRead).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		list, err := client.List(ctx, metav1.ListOptions{LabelSelector: label})
@@ -401,6 +404,7 @@ var _ = SIGDescribe("API priority and fairness", func() {
 		framework.ExpectNoError(err)
 		gomega.Expect(fsPatched.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
 		gomega.Expect(fsPatched.Spec.MatchingPrecedence).To(gomega.Equal(int32(9999)), "patched object should have the applied spec")
+		gomega.Expect(resourceversion.CompareResourceVersion(fsCreated.ResourceVersion, fsPatched.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var fsUpdated *flowcontrol.FlowSchema
@@ -610,6 +614,7 @@ var _ = SIGDescribe("API priority and fairness", func() {
 		plRead, err := client.Get(ctx, plCreated.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(plRead.UID).To(gomega.Equal(plCreated.UID))
+		gomega.Expect(plRead).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		list, err := client.List(ctx, metav1.ListOptions{LabelSelector: label})
@@ -627,6 +632,7 @@ var _ = SIGDescribe("API priority and fairness", func() {
 		framework.ExpectNoError(err)
 		gomega.Expect(plPatched.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
 		gomega.Expect(plPatched.Spec.Limited.NominalConcurrencyShares).To(gomega.Equal(ptr.To(int32(4))), "patched object should have the applied spec")
+		gomega.Expect(resourceversion.CompareResourceVersion(plCreated.ResourceVersion, plPatched.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var plUpdated *flowcontrol.PriorityLevelConfiguration
diff --git a/test/e2e/apimachinery/mutatingadmissionpolicy.go b/test/e2e/apimachinery/mutatingadmissionpolicy.go
index e6309e12d3e9a..093a5c1229088 100644
--- a/test/e2e/apimachinery/mutatingadmissionpolicy.go
+++ b/test/e2e/apimachinery/mutatingadmissionpolicy.go
@@ -19,11 +19,12 @@ package apimachinery
 import (
 	"context"
 	"fmt"
+	"time"
+
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
 	"k8s.io/apiserver/pkg/features"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/utils/ptr"
-	"time"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -181,7 +182,7 @@ var _ = SIGDescribe("MutatingAdmissionPolicy [Privileged:ClusterAdmin]", feature
 	   The mutatingadmisionpolicy resource must support create, get,
 	     list, watch, update, patch, delete, and deletecollection.
 	*/
-	framework.It("should support MutatingAdmissionPolicy API operations", func(ctx context.Context) {
+	framework.It("should support MutatingAdmissionPolicy v1alpha1 API operations", func(ctx context.Context) {
 		mapVersion := "v1alpha1"
 		ginkgo.By("getting /apis")
 		{
@@ -409,7 +410,7 @@ var _ = SIGDescribe("MutatingAdmissionPolicy [Privileged:ClusterAdmin]", feature
 	   The MutatingadmissionPolicyBinding resource must support create, get,
 	     list, watch, update, patch, delete, and deletecollection.
 	*/
-	framework.It("should support MutatingAdmissionPolicyBinding API operations", func(ctx context.Context) {
+	framework.It("should support MutatingAdmissionPolicyBinding v1alpha1 API operations", func(ctx context.Context) {
 		mapbVersion := "v1alpha1"
 		ginkgo.By("getting /apis")
 		{
@@ -603,7 +604,7 @@ var _ = SIGDescribe("MutatingAdmissionPolicy [Privileged:ClusterAdmin]", feature
 	   The mutatingadmisionpolicy resource must support create, get,
 	     list, watch, update, patch, delete, and deletecollection.
 	*/
-	framework.It("should support MutatingAdmissionPolicy API operations", func(ctx context.Context) {
+	framework.It("should support MutatingAdmissionPolicy v1beta1 API operations", func(ctx context.Context) {
 		mapVersion := "v1beta1"
 		ginkgo.By("getting /apis")
 		{
@@ -831,7 +832,7 @@ var _ = SIGDescribe("MutatingAdmissionPolicy [Privileged:ClusterAdmin]", feature
 	   The MutatingadmissionPolicyBinding resource must support create, get,
 	     list, watch, update, patch, delete, and deletecollection.
 	*/
-	framework.It("should support MutatingAdmissionPolicyBinding API operations", func(ctx context.Context) {
+	framework.It("should support MutatingAdmissionPolicyBinding v1beta1 API operations", func(ctx context.Context) {
 		mapbVersion := "v1beta1"
 		ginkgo.By("getting /apis")
 		{
diff --git a/test/e2e/apimachinery/namespace.go b/test/e2e/apimachinery/namespace.go
index 79f2b71488385..8db14a461e2cb 100644
--- a/test/e2e/apimachinery/namespace.go
+++ b/test/e2e/apimachinery/namespace.go
@@ -32,10 +32,12 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -277,6 +279,7 @@ var _ = SIGDescribe("Namespaces", framework.WithSerial(), func() {
 		ns, err := f.CreateNamespace(ctx, namespaceName, nil)
 		framework.ExpectNoError(err, "failed creating Namespace")
 		namespaceName = ns.ObjectMeta.Name
+		gomega.Expect(ns).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("patching the Namespace")
 		nspatch, err := json.Marshal(map[string]interface{}{
@@ -285,8 +288,9 @@ var _ = SIGDescribe("Namespaces", framework.WithSerial(), func() {
 			},
 		})
 		framework.ExpectNoError(err, "failed to marshal JSON patch data")
-		_, err = f.ClientSet.CoreV1().Namespaces().Patch(ctx, namespaceName, types.StrategicMergePatchType, nspatch, metav1.PatchOptions{})
+		patchedNS, err := f.ClientSet.CoreV1().Namespaces().Patch(ctx, namespaceName, types.StrategicMergePatchType, nspatch, metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch Namespace")
+		gomega.Expect(resourceversion.CompareResourceVersion(ns.ResourceVersion, patchedNS.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("get the Namespace and ensuring it has the label")
 		namespace, err := f.ClientSet.CoreV1().Namespaces().Get(ctx, namespaceName, metav1.GetOptions{})
diff --git a/test/e2e/apimachinery/resource_quota.go b/test/e2e/apimachinery/resource_quota.go
index 0c220c3f10ac4..5f8a399395fb1 100644
--- a/test/e2e/apimachinery/resource_quota.go
+++ b/test/e2e/apimachinery/resource_quota.go
@@ -40,6 +40,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	quota "k8s.io/apiserver/pkg/quota/v1"
@@ -50,6 +51,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/quota/v1/evaluator/core"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epv "k8s.io/kubernetes/test/e2e/framework/pv"
@@ -1034,6 +1036,7 @@ var _ = SIGDescribe("ResourceQuota", func() {
 		framework.ExpectNoError(err)
 		gomega.Expect(resourceQuotaResult.Spec.Hard[v1.ResourceCPU]).To(gomega.Equal(resource.MustParse("1")))
 		gomega.Expect(resourceQuotaResult.Spec.Hard[v1.ResourceMemory]).To(gomega.Equal(resource.MustParse("500Mi")))
+		gomega.Expect(resourceQuotaResult).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("Listing all ResourceQuotas with LabelSelector")
 		rq, err := client.CoreV1().ResourceQuotas("").List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
@@ -1046,6 +1049,7 @@ var _ = SIGDescribe("ResourceQuota", func() {
 		framework.ExpectNoError(err, "failed to patch ResourceQuota %s in namespace %s", rqName, ns)
 		gomega.Expect(patchedResourceQuota.Labels[rqName]).To(gomega.Equal("patched"), "Failed to find the label for this ResourceQuota. Current labels: %v", patchedResourceQuota.Labels)
 		gomega.Expect(*patchedResourceQuota.Spec.Hard.Memory()).To(gomega.Equal(resource.MustParse("750Mi")), "Hard memory value for ResourceQuota %q is %s not 750Mi.", patchedResourceQuota.ObjectMeta.Name, patchedResourceQuota.Spec.Hard.Memory().String())
+		gomega.Expect(resourceversion.CompareResourceVersion(rq.Items[0].ResourceVersion, patchedResourceQuota.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("Deleting a Collection of ResourceQuotas")
 		err = client.CoreV1().ResourceQuotas(ns).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: labelSelector})
diff --git a/test/e2e/apimachinery/validatingadmissionpolicy.go b/test/e2e/apimachinery/validatingadmissionpolicy.go
index 5f4d0bbbea324..65c524e23e2be 100644
--- a/test/e2e/apimachinery/validatingadmissionpolicy.go
+++ b/test/e2e/apimachinery/validatingadmissionpolicy.go
@@ -35,12 +35,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	applyadmissionregistrationv1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/openapi3"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
@@ -289,7 +291,7 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin]", func(
 	*/
 	framework.It("should type check a CRD", func(ctx context.Context) {
 		crd := crontabExampleCRD()
-		crd.Spec.Group = "stable." + f.UniqueName
+		crd.Spec.Group = "stable." + f.UniqueName + ".example.com"
 		crd.Name = crd.Spec.Names.Plural + "." + crd.Spec.Group
 		var policy *admissionregistrationv1.ValidatingAdmissionPolicy
 		ginkgo.By("creating the CRD", func() {
@@ -519,6 +521,7 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin]", func(
 		vapRead, err := client.Get(ctx, vapCreated.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(vapRead.UID).To(gomega.Equal(vapCreated.UID))
+		gomega.Expect(vapRead).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		list, err := client.List(ctx, metav1.ListOptions{LabelSelector: label})
@@ -535,6 +538,7 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin]", func(
 		framework.ExpectNoError(err)
 		gomega.Expect(vapPatched.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
 		gomega.Expect(vapPatched.Spec.FailurePolicy).To(gomega.HaveValue(gomega.Equal(admissionregistrationv1.Ignore)), "patched object should have the applied spec")
+		gomega.Expect(resourceversion.CompareResourceVersion(vapRead.ResourceVersion, vapPatched.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var vapUpdated *admissionregistrationv1.ValidatingAdmissionPolicy
@@ -764,6 +768,7 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin]", func(
 		vapbRead, err := client.Get(ctx, vapbCreated.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(vapbRead.UID).To(gomega.Equal(vapbCreated.UID))
+		gomega.Expect(vapbRead).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		list, err := client.List(ctx, metav1.ListOptions{LabelSelector: label})
@@ -780,6 +785,7 @@ var _ = SIGDescribe("ValidatingAdmissionPolicy [Privileged:ClusterAdmin]", func(
 		framework.ExpectNoError(err)
 		gomega.Expect(vapbPatched.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
 		gomega.Expect(vapbPatched.Spec.ValidationActions).To(gomega.Equal([]admissionregistrationv1.ValidationAction{admissionregistrationv1.Warn}), "patched object should have the applied spec")
+		gomega.Expect(resourceversion.CompareResourceVersion(vapbRead.ResourceVersion, vapbPatched.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var vapbUpdated *admissionregistrationv1.ValidatingAdmissionPolicyBinding
diff --git a/test/e2e/apimachinery/watchlist.go b/test/e2e/apimachinery/watchlist.go
index e3715a15665ed..baf85229acac4 100644
--- a/test/e2e/apimachinery/watchlist.go
+++ b/test/e2e/apimachinery/watchlist.go
@@ -39,24 +39,19 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
-	clientfeatures "k8s.io/client-go/features"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/metadata"
 	"k8s.io/client-go/metadata/metadatainformer"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/watchlist"
-	"k8s.io/component-base/featuregate"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/test/e2e/framework"
 )
 
-var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(features.WatchList), framework.WithSerial(), func() {
+var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(features.WatchList), func() {
 	f := framework.NewDefaultFramework("watchlist")
 	ginkgo.It("should be requested by informers when WatchListClient is enabled", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
 		stopCh := make(chan struct{})
 		defer close(stopCh)
 
@@ -100,8 +95,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 		verifyStoreFor(ctx, verifyStoreForMetaObject(expectedSecrets, secretInformer.GetStore()))
 	})
 	ginkgo.It("should be requested by metadatainformer when WatchListClient is enabled", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		metadataClient, err := metadata.NewForConfig(f.ClientConfig())
 		framework.ExpectNoError(err)
 		secretMetaInformer := metadatainformer.NewFilteredMetadataInformer(
@@ -143,8 +136,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 		verifyStoreFor(ctx, verifyPartialObjectMetadataStore(toPointerSlice(expectedSecrets.Items), secretMetaInformer.Informer().GetStore()))
 	})
 	ginkgo.It("should NOT be requested by client-go's List method when WatchListClient is enabled", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		expectedSecrets := addWellKnownSecrets(ctx, f)
 
 		rt, clientConfig := clientConfigWithRoundTripper(f)
@@ -164,8 +155,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 		gomega.Expect(rt.actualRequests).To(gomega.Equal(expectedRequestsMadeByKubeClient))
 	})
 	ginkgo.It("should NOT be requested by dynamic client's List method when WatchListClient is enabled", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		ginkgo.By(fmt.Sprintf("Adding 5 secrets to %s namespace", f.Namespace.Name))
 		expectedSecrets := addWellKnownUnstructuredSecrets(ctx, f)
 
@@ -187,8 +176,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 		gomega.Expect(rt.actualRequests).To(gomega.Equal(expectedRequestsMadeByDynamicClient))
 	})
 	ginkgo.It("should NOT be requested by metadata client's List method when WatchListClient is enabled", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		metaClient, err := metadata.NewForConfig(f.ClientConfig())
 		framework.ExpectNoError(err)
 		expectedMetaSecrets := []metav1.PartialObjectMetadata{}
@@ -216,8 +203,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 	})
 
 	ginkgo.It("server supports sending resources in Table format", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		modifiedClientConfig := dynamic.ConfigFor(f.ClientConfig())
 		modifiedClientConfig.AcceptContentTypes = strings.Join([]string{
 			fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1.SchemeGroupVersion.Version, metav1.GroupName),
@@ -271,8 +256,6 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate(
 	})
 
 	ginkgo.It("reflector doesn't support receiving resources as Tables", func(ctx context.Context) {
-		featuregatetesting.SetFeatureGateDuringTest(ginkgo.GinkgoTB(), utilfeature.DefaultFeatureGate, featuregate.Feature(clientfeatures.WatchListClient), true)
-
 		modifiedClientConfig := dynamic.ConfigFor(f.ClientConfig())
 		modifiedClientConfig.AcceptContentTypes = strings.Join([]string{
 			fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1.SchemeGroupVersion.Version, metav1.GroupName),
diff --git a/test/e2e/apimachinery/webhook.go b/test/e2e/apimachinery/webhook.go
index ae2734a9269ad..b4cecda6f8bc7 100644
--- a/test/e2e/apimachinery/webhook.go
+++ b/test/e2e/apimachinery/webhook.go
@@ -35,13 +35,16 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
+	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	"k8s.io/kubernetes/test/utils/crd"
@@ -411,6 +414,7 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			},
 		})
 		framework.ExpectNoError(err, "Creating validating webhook configuration")
+		gomega.Expect(hook).To(apimachineryutils.HaveValidResourceVersion())
 		defer func() {
 			err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, hook.Name, metav1.DeleteOptions{})
 			framework.ExpectNoError(err, "Deleting validating webhook configuration")
@@ -459,10 +463,12 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 		framework.ExpectNoError(err, "Waiting for configMap in namespace %s to be allowed creation since webhook was updated to not validate create", f.Namespace.Name)
 
 		ginkgo.By("Patching a validating webhook configuration's rules to include the create operation")
+		oldRV := hook.ResourceVersion
 		hook, err = admissionClient.ValidatingWebhookConfigurations().Patch(ctx, f.UniqueName,
 			types.JSONPatchType,
 			[]byte(`[{"op": "replace", "path": "/webhooks/0/rules/0/operations", "value": ["CREATE"]}]`), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "Patching validating webhook configuration")
+		gomega.Expect(resourceversion.CompareResourceVersion(oldRV, hook.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("Creating a configMap that does not comply to the validation webhook rules")
 		err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) {
@@ -503,6 +509,7 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 			},
 		})
 		framework.ExpectNoError(err, "Creating mutating webhook configuration")
+		gomega.Expect(hook).To(apimachineryutils.HaveValidResourceVersion())
 		defer func() {
 			err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(ctx, hook.Name, metav1.DeleteOptions{})
 			framework.ExpectNoError(err, "Deleting mutating webhook configuration")
@@ -534,10 +541,12 @@ var _ = SIGDescribe("AdmissionWebhook [Privileged:ClusterAdmin]", func() {
 		framework.ExpectNoError(err, "Waiting for configMap in namespace %s this is not mutated", f.Namespace.Name)
 
 		ginkgo.By("Patching a mutating webhook configuration's rules to include the create operation")
+		oldRV := hook.ResourceVersion
 		hook, err = admissionClient.MutatingWebhookConfigurations().Patch(ctx, f.UniqueName,
 			types.JSONPatchType,
 			[]byte(`[{"op": "replace", "path": "/webhooks/0/rules/0/operations", "value": ["CREATE"]}]`), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "Patching mutating webhook configuration")
+		gomega.Expect(resourceversion.CompareResourceVersion(oldRV, hook.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("Creating a configMap that should be mutated")
 		err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (bool, error) {
@@ -1147,7 +1156,7 @@ func deployWebhookAndService(ctx context.Context, f *framework.Framework, image
 	framework.ExpectNoError(err, "creating service %s in namespace %s", serviceName, namespace)
 
 	ginkgo.By("Verifying the service has paired with the endpoint")
-	err = framework.WaitForServiceEndpointsNum(ctx, client, namespace, serviceName, 1, 1*time.Second, 30*time.Second)
+	err = e2eendpointslice.WaitForEndpointCount(ctx, client, namespace, serviceName, 1)
 	framework.ExpectNoError(err, "waiting for service %s/%s have %d endpoint", namespace, serviceName, 1)
 }
 
diff --git a/test/e2e/apps/controller_revision.go b/test/e2e/apps/controller_revision.go
index 383670927b8df..e9d7430a6eedd 100644
--- a/test/e2e/apps/controller_revision.go
+++ b/test/e2e/apps/controller_revision.go
@@ -30,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -37,6 +38,7 @@ import (
 	extensionsinternal "k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/controller"
 	labelsutil "k8s.io/kubernetes/pkg/util/labels"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edaemonset "k8s.io/kubernetes/test/e2e/framework/daemonset"
 	e2eresource "k8s.io/kubernetes/test/e2e/framework/resource"
@@ -86,7 +88,7 @@ var _ = SIGDescribe("ControllerRevision", framework.WithSerial(), func() {
 	f = framework.NewDefaultFramework("controllerrevisions")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 
-	image := WebserverImage
+	image := AgnhostImage
 	dsName := "e2e-" + utilrand.String(5) + "-daemon-set"
 
 	var ns string
@@ -164,12 +166,14 @@ var _ = SIGDescribe("ControllerRevision", framework.WithSerial(), func() {
 			framework.ExpectNoError(err, "failed to lookup ControllerRevision: %v", err)
 			gomega.Expect(initialRevision).NotTo(gomega.BeNil(), "failed to lookup ControllerRevision: %v", initialRevision)
 		}
+		gomega.Expect(&rev).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By(fmt.Sprintf("Patching ControllerRevision %q", initialRevision.Name))
 		payload := "{\"metadata\":{\"labels\":{\"" + initialRevision.Name + "\":\"patched\"}}}"
 		patchedControllerRevision, err := csAppsV1.ControllerRevisions(ns).Patch(ctx, initialRevision.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch ControllerRevision %s in namespace %s", initialRevision.Name, ns)
 		gomega.Expect(patchedControllerRevision.Labels).To(gomega.HaveKeyWithValue(initialRevision.Name, "patched"), "Did not find 'patched' label for this ControllerRevision. Current labels: %v", patchedControllerRevision.Labels)
+		gomega.Expect(resourceversion.CompareResourceVersion(rev.ResourceVersion, patchedControllerRevision.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 		framework.Logf("%s has been patched", patchedControllerRevision.Name)
 
 		ginkgo.By("Create a new ControllerRevision")
diff --git a/test/e2e/apps/cronjob.go b/test/e2e/apps/cronjob.go
index 70c0f8f89a91b..2a29ffe43aa42 100644
--- a/test/e2e/apps/cronjob.go
+++ b/test/e2e/apps/cronjob.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	clientset "k8s.io/client-go/kubernetes"
@@ -40,6 +41,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	batchinternal "k8s.io/kubernetes/pkg/apis/batch"
 	jobutil "k8s.io/kubernetes/pkg/controller/job/util"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ejob "k8s.io/kubernetes/test/e2e/framework/job"
 	e2eresource "k8s.io/kubernetes/test/e2e/framework/resource"
@@ -380,6 +382,7 @@ var _ = SIGDescribe("CronJob", func() {
 		ginkgo.By("creating")
 		createdCronJob, err := cjClient.Create(ctx, cjTemplate, metav1.CreateOptions{})
 		framework.ExpectNoError(err)
+		gomega.Expect(createdCronJob).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("getting")
 		gottenCronJob, err := cjClient.Get(ctx, createdCronJob.Name, metav1.GetOptions{})
@@ -413,6 +416,7 @@ var _ = SIGDescribe("CronJob", func() {
 			[]byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedCronJob.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdCronJob.ResourceVersion, patchedCronJob.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var cjToUpdate, updatedCronJob *batchv1.CronJob
diff --git a/test/e2e/apps/daemon_set.go b/test/e2e/apps/daemon_set.go
index ad352fbb94052..d66e6c29cea04 100644
--- a/test/e2e/apps/daemon_set.go
+++ b/test/e2e/apps/daemon_set.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -52,6 +53,7 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	extensionsinternal "k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/controller/daemon"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edaemonset "k8s.io/kubernetes/test/e2e/framework/daemonset"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
@@ -148,7 +150,7 @@ var _ = SIGDescribe("Daemon set", framework.WithSerial(), func() {
 	f = framework.NewDefaultFramework("daemonsets")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 
-	image := WebserverImage
+	image := AgnhostImage
 	dsName := "daemon-set"
 
 	var ns string
@@ -355,7 +357,7 @@ var _ = SIGDescribe("Daemon set", framework.WithSerial(), func() {
 		checkDaemonSetPodsLabels(listDaemonPods(ctx, c, ns, label), firstHash)
 
 		ginkgo.By("Update daemon pods image.")
-		patch := getDaemonSetImagePatch(ds.Spec.Template.Spec.Containers[0].Name, AgnhostImage)
+		patch := getDaemonSetImagePatch(ds.Spec.Template.Spec.Containers[0].Name, PrevAgnhostImage)
 		ds, err = c.AppsV1().DaemonSets(ns).Patch(ctx, dsName, types.StrategicMergePatchType, []byte(patch), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 
@@ -390,6 +392,7 @@ var _ = SIGDescribe("Daemon set", framework.WithSerial(), func() {
 		ds.Spec.UpdateStrategy = appsv1.DaemonSetUpdateStrategy{Type: appsv1.RollingUpdateDaemonSetStrategyType}
 		ds, err := c.AppsV1().DaemonSets(ns).Create(ctx, ds, metav1.CreateOptions{})
 		framework.ExpectNoError(err)
+		gomega.Expect(ds).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("Check that daemon pods launch on every node of the cluster.")
 		err = wait.PollUntilContextTimeout(ctx, dsRetryPeriod, dsRetryTimeout, true, checkRunningOnAllNodes(f, ds))
@@ -405,9 +408,11 @@ var _ = SIGDescribe("Daemon set", framework.WithSerial(), func() {
 		checkDaemonSetPodsLabels(listDaemonPods(ctx, c, ns, label), hash)
 
 		ginkgo.By("Update daemon pods image.")
-		patch := getDaemonSetImagePatch(ds.Spec.Template.Spec.Containers[0].Name, AgnhostImage)
+		oldDsResourceVersion := ds.ResourceVersion
+		patch := getDaemonSetImagePatch(ds.Spec.Template.Spec.Containers[0].Name, PrevAgnhostImage)
 		ds, err = c.AppsV1().DaemonSets(ns).Patch(ctx, dsName, types.StrategicMergePatchType, []byte(patch), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
+		gomega.Expect(resourceversion.CompareResourceVersion(oldDsResourceVersion, ds.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		// Time to complete the rolling upgrade is proportional to the number of nodes in the cluster.
 		// Get the number of nodes, and set the timeout appropriately.
@@ -417,7 +422,7 @@ var _ = SIGDescribe("Daemon set", framework.WithSerial(), func() {
 		retryTimeout := dsRetryTimeout + time.Duration(nodeCount*30)*time.Second
 
 		ginkgo.By("Check that daemon pods images are updated.")
-		err = wait.PollUntilContextTimeout(ctx, dsRetryPeriod, retryTimeout, true, checkDaemonPodsImageAndAvailability(c, ds, AgnhostImage, 1))
+		err = wait.PollUntilContextTimeout(ctx, dsRetryPeriod, retryTimeout, true, checkDaemonPodsImageAndAvailability(c, ds, PrevAgnhostImage, 1))
 		framework.ExpectNoError(err)
 
 		ginkgo.By("Check that daemon pods are still running on every node of the cluster.")
diff --git a/test/e2e/apps/deployment.go b/test/e2e/apps/deployment.go
index f5f694493ca06..5289802cb45e9 100644
--- a/test/e2e/apps/deployment.go
+++ b/test/e2e/apps/deployment.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/dump"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/dynamic"
@@ -51,6 +52,7 @@ import (
 	"k8s.io/client-go/util/retry"
 	appsinternal "k8s.io/kubernetes/pkg/apis/apps"
 	deploymentutil "k8s.io/kubernetes/pkg/controller/deployment/util"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -188,9 +190,9 @@ var _ = SIGDescribe("Deployment", func() {
 		deploymentResource := schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}
 		testNamespaceName := f.Namespace.Name
 		testDeploymentName := "test-deployment"
-		testDeploymentInitialImage := imageutils.GetE2EImage(imageutils.Agnhost)
+		testDeploymentInitialImage := imageutils.GetE2EImage(imageutils.AgnhostPrev)
 		testDeploymentPatchImage := imageutils.GetE2EImage(imageutils.Pause)
-		testDeploymentUpdateImage := imageutils.GetE2EImage(imageutils.Httpd)
+		testDeploymentUpdateImage := imageutils.GetE2EImage(imageutils.Agnhost)
 		testDeploymentDefaultReplicas := int32(2)
 		testDeploymentMinimumReplicas := int32(1)
 		testDeploymentNoReplicas := int32(0)
@@ -213,8 +215,9 @@ var _ = SIGDescribe("Deployment", func() {
 		testDeployment.ObjectMeta.Labels = map[string]string{"test-deployment-static": "true"}
 		testDeployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &one
 
-		_, err = f.ClientSet.AppsV1().Deployments(testNamespaceName).Create(ctx, testDeployment, metav1.CreateOptions{})
+		createdDeployment, err := f.ClientSet.AppsV1().Deployments(testNamespaceName).Create(ctx, testDeployment, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "failed to create Deployment %v in namespace %v", testDeploymentName, testNamespaceName)
+		gomega.Expect(createdDeployment).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("waiting for Deployment to be created")
 		ctxUntil, cancel := context.WithTimeout(ctx, 30*time.Second)
@@ -271,8 +274,9 @@ var _ = SIGDescribe("Deployment", func() {
 			},
 		})
 		framework.ExpectNoError(err, "failed to Marshal Deployment JSON patch")
-		_, err = f.ClientSet.AppsV1().Deployments(testNamespaceName).Patch(ctx, testDeploymentName, types.StrategicMergePatchType, []byte(deploymentPatch), metav1.PatchOptions{})
+		patchedDeployment, err := f.ClientSet.AppsV1().Deployments(testNamespaceName).Patch(ctx, testDeploymentName, types.StrategicMergePatchType, []byte(deploymentPatch), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch Deployment")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdDeployment.ResourceVersion, patchedDeployment.ResourceVersion)).To(gomega.BeNumerically("==", -1), "updated object should have a larger resource version")
 		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
 		defer cancel()
 		_, err = watchtools.Until(ctxUntil, deploymentsList.ResourceVersion, w, func(event watch.Event) (bool, error) {
@@ -501,15 +505,15 @@ var _ = SIGDescribe("Deployment", func() {
 
 		ginkgo.By("creating a Deployment")
 
-		podLabels := map[string]string{"name": WebserverImageName, "e2e": "testing"}
+		podLabels := map[string]string{"name": AgnhostImageName, "e2e": "testing"}
 		replicas := int32(1)
 		framework.Logf("Creating simple deployment %s", dName)
-		d := e2edeployment.NewDeployment(dName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+		d := e2edeployment.NewDeployment(dName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 		deploy, err := c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 		framework.ExpectNoError(err)
 
 		// Wait for it to be updated to revision 1
-		err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, dName, "1", WebserverImage)
+		err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, dName, "1", AgnhostImage)
 		framework.ExpectNoError(err)
 
 		err = e2edeployment.WaitForDeploymentComplete(c, deploy)
@@ -710,16 +714,16 @@ func testDeleteDeployment(ctx context.Context, f *framework.Framework) {
 	c := f.ClientSet
 
 	deploymentName := "test-new-deployment"
-	podLabels := map[string]string{"name": WebserverImageName}
+	podLabels := map[string]string{"name": AgnhostImageName}
 	replicas := int32(1)
 	framework.Logf("Creating simple deployment %s", deploymentName)
-	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	d.Annotations = map[string]string{"test": "should-copy-to-replica-set", v1.LastAppliedConfigAnnotation: "should-not-copy-to-replica-set"}
 	deploy, err := c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
 	// Wait for it to be updated to revision 1
-	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", WebserverImage)
+	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", AgnhostImage)
 	framework.ExpectNoError(err)
 
 	err = e2edeployment.WaitForDeploymentComplete(c, deploy)
@@ -741,7 +745,7 @@ func testRollingUpdateDeployment(ctx context.Context, f *framework.Framework) {
 	deploymentPodLabels := map[string]string{"name": podName}
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 
 	rsName := "test-rolling-update-controller"
@@ -749,7 +753,7 @@ func testRollingUpdateDeployment(ctx context.Context, f *framework.Framework) {
 	rsRevision := "3546343826724305832"
 	annotations := make(map[string]string)
 	annotations[deploymentutil.RevisionAnnotation] = rsRevision
-	rs := newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil)
+	rs := newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil)
 	rs.Annotations = annotations
 	framework.Logf("Creating replica set %q (going to be adopted)", rs.Name)
 	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, rs, metav1.CreateOptions{})
@@ -796,13 +800,13 @@ func testRecreateDeployment(ctx context.Context, f *framework.Framework) {
 	// Create a deployment that brings up agnhost pods.
 	deploymentName := "test-recreate-deployment"
 	framework.Logf("Creating deployment %q", deploymentName)
-	d := e2edeployment.NewDeployment(deploymentName, int32(1), map[string]string{"name": "sample-pod-3"}, AgnhostImageName, AgnhostImage, appsv1.RecreateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment(deploymentName, int32(1), map[string]string{"name": "sample-pod-3"}, AgnhostImageName, PrevAgnhostImage, appsv1.RecreateDeploymentStrategyType)
 	deployment, err := c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
 	// Wait for it to be updated to revision 1
 	framework.Logf("Waiting deployment %q to be updated to revision 1", deploymentName)
-	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", AgnhostImage)
+	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", PrevAgnhostImage)
 	framework.ExpectNoError(err)
 
 	framework.Logf("Waiting deployment %q to complete", deploymentName)
@@ -812,8 +816,8 @@ func testRecreateDeployment(ctx context.Context, f *framework.Framework) {
 	// Update deployment to delete agnhost pods and bring up webserver pods.
 	framework.Logf("Triggering a new rollout for deployment %q", deploymentName)
 	deployment, err = e2edeployment.UpdateDeploymentWithRetries(c, ns, deploymentName, func(update *appsv1.Deployment) {
-		update.Spec.Template.Spec.Containers[0].Name = WebserverImageName
-		update.Spec.Template.Spec.Containers[0].Image = WebserverImage
+		update.Spec.Template.Spec.Containers[0].Name = AgnhostImageName
+		update.Spec.Template.Spec.Containers[0].Image = AgnhostImage
 	})
 	framework.ExpectNoError(err)
 
@@ -831,12 +835,12 @@ func testDeploymentCleanUpPolicy(ctx context.Context, f *framework.Framework) {
 	deploymentPodLabels := map[string]string{"name": podName}
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 	rsName := "test-cleanup-controller"
 	replicas := int32(1)
 	revisionHistoryLimit := ptr.To[int32](0)
-	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil), metav1.CreateOptions{})
+	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil), metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
 	// Verify that the required pods have come up.
@@ -909,12 +913,12 @@ func testRolloverDeployment(ctx context.Context, f *framework.Framework) {
 	deploymentPodLabels := map[string]string{"name": podName}
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 
 	rsName := "test-rollover-controller"
 	rsReplicas := int32(1)
-	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, newRS(rsName, rsReplicas, rsPodLabels, WebserverImageName, WebserverImage, nil), metav1.CreateOptions{})
+	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, newRS(rsName, rsReplicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil), metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 	// Verify that the required pods have come up.
 	err = e2epod.VerifyPodsRunning(ctx,
@@ -1022,7 +1026,7 @@ func testIterativeDeployments(ctx context.Context, f *framework.Framework) {
 	ns := f.Namespace.Name
 	c := f.ClientSet
 
-	podLabels := map[string]string{"name": WebserverImageName}
+	podLabels := map[string]string{"name": AgnhostImageName}
 	replicas := int32(6)
 	zero := int64(0)
 	two := int32(2)
@@ -1030,7 +1034,7 @@ func testIterativeDeployments(ctx context.Context, f *framework.Framework) {
 	// Create a webserver deployment.
 	deploymentName := "webserver"
 	fiveMinutes := int32(5 * 60)
-	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	d.Spec.ProgressDeadlineSeconds = &fiveMinutes
 	d.Spec.RevisionHistoryLimit = &two
 	d.Spec.Template.Spec.TerminationGracePeriodSeconds = &zero
@@ -1148,9 +1152,9 @@ func testDeploymentsControllerRef(ctx context.Context, f *framework.Framework) {
 
 	deploymentName := "test-orphan-deployment"
 	framework.Logf("Creating Deployment %q", deploymentName)
-	podLabels := map[string]string{"name": WebserverImageName}
+	podLabels := map[string]string{"name": AgnhostImageName}
 	replicas := int32(1)
-	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	deploy, err := c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 	err = e2edeployment.WaitForDeploymentComplete(c, deploy)
@@ -1177,7 +1181,7 @@ func testDeploymentsControllerRef(ctx context.Context, f *framework.Framework) {
 
 	deploymentName = "test-adopt-deployment"
 	framework.Logf("Creating Deployment %q to adopt the ReplicaSet", deploymentName)
-	d = e2edeployment.NewDeployment(deploymentName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d = e2edeployment.NewDeployment(deploymentName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	deploy, err = c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 	err = e2edeployment.WaitForDeploymentComplete(c, deploy)
@@ -1202,12 +1206,12 @@ func testProportionalScalingDeployment(ctx context.Context, f *framework.Framewo
 	ns := f.Namespace.Name
 	c := f.ClientSet
 
-	podLabels := map[string]string{"name": WebserverImageName}
+	podLabels := map[string]string{"name": AgnhostImageName}
 	replicas := int32(10)
 
 	// Create a webserver deployment.
 	deploymentName := "webserver-deployment"
-	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment(deploymentName, replicas, podLabels, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	d.Spec.Strategy.RollingUpdate = new(appsv1.RollingUpdateDeployment)
 	d.Spec.Strategy.RollingUpdate.MaxSurge = ptr.To(intstr.FromInt32(3))
 	d.Spec.Strategy.RollingUpdate.MaxUnavailable = ptr.To(intstr.FromInt32(2))
@@ -1222,7 +1226,7 @@ func testProportionalScalingDeployment(ctx context.Context, f *framework.Framewo
 
 	// Verify that the required pods have come up.
 	framework.Logf("Waiting for all required pods to come up")
-	err = e2epod.VerifyPodsRunning(ctx, c, ns, WebserverImageName, labels.SelectorFromSet(podLabels), false, *(deployment.Spec.Replicas))
+	err = e2epod.VerifyPodsRunning(ctx, c, ns, AgnhostImageName, labels.SelectorFromSet(podLabels), false, *(deployment.Spec.Replicas))
 	framework.ExpectNoError(err, "error in waiting for pods to come up: %v", err)
 
 	framework.Logf("Waiting for deployment %q to complete", deployment.Name)
@@ -1662,12 +1666,12 @@ func testDeploymentSubresources(ctx context.Context, f *framework.Framework) {
 
 	deploymentName := "test-new-deployment"
 	framework.Logf("Creating simple deployment %s", deploymentName)
-	d := e2edeployment.NewDeployment("test-new-deployment", int32(1), map[string]string{"name": WebserverImageName}, WebserverImageName, WebserverImage, appsv1.RollingUpdateDeploymentStrategyType)
+	d := e2edeployment.NewDeployment("test-new-deployment", int32(1), map[string]string{"name": AgnhostImageName}, AgnhostImageName, AgnhostImage, appsv1.RollingUpdateDeploymentStrategyType)
 	deploy, err := c.AppsV1().Deployments(ns).Create(ctx, d, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
 	// Wait for it to be updated to revision 1
-	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", WebserverImage)
+	err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, deploymentName, "1", AgnhostImage)
 	framework.ExpectNoError(err)
 
 	err = e2edeployment.WaitForDeploymentComplete(c, deploy)
diff --git a/test/e2e/apps/disruption.go b/test/e2e/apps/disruption.go
index 04cd66eae9a76..33cd8b0047d98 100644
--- a/test/e2e/apps/disruption.go
+++ b/test/e2e/apps/disruption.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
@@ -45,6 +46,7 @@ import (
 	clientscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/util/retry"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
@@ -119,6 +121,7 @@ var _ = SIGDescribe("DisruptionController", func() {
 			return pdb
 		}, cs.PolicyV1().PodDisruptionBudgets(ns).Update)
 		gomega.Expect(updatedPDB.Spec.MinAvailable.String()).To(gomega.Equal("2%"))
+		gomega.Expect(updatedPDB).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("patching the pdb")
 		patchedPDB := patchPDBOrDie(ctx, cs, dc, ns, defaultName, func(old *policyv1.PodDisruptionBudget) (bytes []byte, err error) {
@@ -131,6 +134,7 @@ var _ = SIGDescribe("DisruptionController", func() {
 			return newBytes, nil
 		})
 		gomega.Expect(patchedPDB.Spec.MinAvailable.String()).To(gomega.Equal("3%"))
+		gomega.Expect(resourceversion.CompareResourceVersion(updatedPDB.ResourceVersion, patchedPDB.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		deletePDBOrDie(ctx, cs, ns, defaultName)
 	})
@@ -470,8 +474,9 @@ var _ = SIGDescribe("DisruptionController", func() {
 			ginkgo.By("Creating a replica set")
 			rsName := "test-rs-with-delayed-ready"
 			replicas := int32(3)
-			rs := newRS(rsName, replicas, defaultLabels, WebserverImageName, WebserverImage, nil)
+			rs := newRS(rsName, replicas, defaultLabels, AgnhostImageName, AgnhostImage, nil)
 			rs.Labels["name"] = rsName
+			rs.Spec.Template.Spec.Containers[0].Args = []string{"netexec", "--http-port=80"}
 			initialDelaySeconds := framework.PodStartTimeout.Seconds() + 30
 			if tc.podsShouldBecomeReadyFirst {
 				initialDelaySeconds = 20
@@ -479,7 +484,7 @@ var _ = SIGDescribe("DisruptionController", func() {
 			rs.Spec.Template.Spec.Containers[0].ReadinessProbe = &v1.Probe{
 				ProbeHandler: v1.ProbeHandler{
 					HTTPGet: &v1.HTTPGetAction{
-						Path: "/index.html",
+						Path: "/",
 						Port: intstr.IntOrString{IntVal: 80},
 					},
 				},
diff --git a/test/e2e/apps/job.go b/test/e2e/apps/job.go
index 0d494569505ef..78f56594cb019 100644
--- a/test/e2e/apps/job.go
+++ b/test/e2e/apps/job.go
@@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/cache"
@@ -43,6 +44,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	batchinternal "k8s.io/kubernetes/pkg/apis/batch"
 	"k8s.io/kubernetes/pkg/features"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ejob "k8s.io/kubernetes/test/e2e/framework/job"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -1182,11 +1184,13 @@ done`}
 		job.Spec.Suspend = ptr.To(true)
 		job, err = e2ejob.CreateJob(ctx, f.ClientSet, ns, job)
 		framework.ExpectNoError(err, "failed to create job in namespace: %s", ns)
+		gomega.Expect(job).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("Patching the Job")
 		payload := "{\"metadata\":{\"labels\":{\"" + jobName + "\":\"patched\"}}}"
 		patchedJob, err := f.ClientSet.BatchV1().Jobs(ns).Patch(ctx, jobName, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch Job %s in namespace %s", jobName, ns)
+		gomega.Expect(resourceversion.CompareResourceVersion(job.ResourceVersion, patchedJob.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("Watching for Job to be patched")
 		c := watchEventConfig{
diff --git a/test/e2e/apps/rc.go b/test/e2e/apps/rc.go
index d7fe8f7a04e65..0d69ab479e56c 100644
--- a/test/e2e/apps/rc.go
+++ b/test/e2e/apps/rc.go
@@ -32,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	watch "k8s.io/apimachinery/pkg/watch"
@@ -39,6 +40,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	watchtools "k8s.io/client-go/tools/watch"
 	"k8s.io/kubernetes/pkg/controller/replication"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
@@ -152,8 +154,9 @@ var _ = SIGDescribe("ReplicationController", func() {
 		framework.WatchEventSequenceVerifier(ctx, dc, rcResource, testRcNamespace, testRcName, metav1.ListOptions{LabelSelector: "test-rc-static=true"}, expectedWatchEvents, func(retryWatcher *watchtools.RetryWatcher) (actualWatchEvents []watch.Event) {
 			ginkgo.By("creating a ReplicationController")
 			// Create a ReplicationController
-			_, err := f.ClientSet.CoreV1().ReplicationControllers(testRcNamespace).Create(ctx, &rcTest, metav1.CreateOptions{})
+			testRcCreated, err := f.ClientSet.CoreV1().ReplicationControllers(testRcNamespace).Create(ctx, &rcTest, metav1.CreateOptions{})
 			framework.ExpectNoError(err, "Failed to create ReplicationController")
+			gomega.Expect(testRcCreated).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By("waiting for RC to be added")
 			eventFound := false
@@ -208,6 +211,7 @@ var _ = SIGDescribe("ReplicationController", func() {
 			testRcPatched, err := f.ClientSet.CoreV1().ReplicationControllers(testRcNamespace).Patch(ctx, testRcName, types.StrategicMergePatchType, []byte(rcLabelPatchPayload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "Failed to patch ReplicationController")
 			gomega.Expect(testRcPatched.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-rc", "patched"), "failed to patch RC")
+			gomega.Expect(resourceversion.CompareResourceVersion(testRcCreated.ResourceVersion, testRcPatched.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 			ginkgo.By("waiting for RC to be modified")
 			eventFound = false
 			ctxUntil, cancel = context.WithTimeout(ctx, 60*time.Second)
@@ -430,7 +434,7 @@ var _ = SIGDescribe("ReplicationController", func() {
 		expectedRCReplicaCount := int32(2)
 
 		ginkgo.By(fmt.Sprintf("Creating ReplicationController %q", rcName))
-		rc := newRC(rcName, initialRCReplicaCount, map[string]string{"name": rcName}, WebserverImageName, WebserverImage, nil)
+		rc := newRC(rcName, initialRCReplicaCount, map[string]string{"name": rcName}, AgnhostImageName, AgnhostImage, nil)
 		_, err := rcClient.Create(ctx, rc, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "Failed to create ReplicationController: %v", err)
 
@@ -563,7 +567,7 @@ func testReplicationControllerConditionCheck(ctx context.Context, f *framework.F
 	framework.ExpectNoError(err)
 
 	ginkgo.By(fmt.Sprintf("Creating rc %q that asks for more than the allowed pod quota", name))
-	rc := newRC(name, 3, map[string]string{"name": name}, WebserverImageName, WebserverImage, nil)
+	rc := newRC(name, 3, map[string]string{"name": name}, AgnhostImageName, AgnhostImage, nil)
 	rc, err = c.CoreV1().ReplicationControllers(namespace).Create(ctx, rc, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
@@ -633,7 +637,7 @@ func testRCAdoptMatchingOrphans(ctx context.Context, f *framework.Framework) {
 			Containers: []v1.Container{
 				{
 					Name:  name,
-					Image: WebserverImage,
+					Image: AgnhostImage,
 				},
 			},
 		},
@@ -641,7 +645,7 @@ func testRCAdoptMatchingOrphans(ctx context.Context, f *framework.Framework) {
 
 	ginkgo.By("When a replication controller with a matching selector is created")
 	replicas := int32(1)
-	rcSt := newRC(name, replicas, map[string]string{"name": name}, name, WebserverImage, nil)
+	rcSt := newRC(name, replicas, map[string]string{"name": name}, name, AgnhostImage, nil)
 	rcSt.Spec.Selector = map[string]string{"name": name}
 	rc, err := f.ClientSet.CoreV1().ReplicationControllers(f.Namespace.Name).Create(ctx, rcSt, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
@@ -671,7 +675,7 @@ func testRCReleaseControlledNotMatching(ctx context.Context, f *framework.Framew
 	rcLabels := map[string]string{"name": name}
 	ginkgo.By("Given a ReplicationController is created")
 	replicas := int32(1)
-	rcSt := newRC(name, replicas, rcLabels, name, WebserverImage, nil)
+	rcSt := newRC(name, replicas, rcLabels, name, AgnhostImage, nil)
 	rcSt.Spec.Selector = rcLabels
 	rc, err := f.ClientSet.CoreV1().ReplicationControllers(f.Namespace.Name).Create(ctx, rcSt, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
diff --git a/test/e2e/apps/replica_set.go b/test/e2e/apps/replica_set.go
index c6b111741d62d..9047c8edd6afa 100644
--- a/test/e2e/apps/replica_set.go
+++ b/test/e2e/apps/replica_set.go
@@ -26,6 +26,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	autoscalingv1 "k8s.io/api/autoscaling/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/cache"
 	watchtools "k8s.io/client-go/tools/watch"
@@ -41,6 +42,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/controller/replicaset"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2ereplicaset "k8s.io/kubernetes/test/e2e/framework/replicaset"
@@ -259,7 +261,7 @@ func testReplicaSetConditionCheck(ctx context.Context, f *framework.Framework) {
 	framework.ExpectNoError(err)
 
 	ginkgo.By(fmt.Sprintf("Creating replica set %q that asks for more than the allowed pod quota", name))
-	rs := newRS(name, 3, map[string]string{"name": name}, WebserverImageName, WebserverImage, nil)
+	rs := newRS(name, 3, map[string]string{"name": name}, AgnhostImageName, AgnhostImage, nil)
 	rs, err = c.AppsV1().ReplicaSets(namespace).Create(ctx, rs, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
@@ -329,7 +331,7 @@ func testRSAdoptMatchingAndReleaseNotMatching(ctx context.Context, f *framework.
 			Containers: []v1.Container{
 				{
 					Name:  name,
-					Image: WebserverImage,
+					Image: AgnhostImage,
 				},
 			},
 		},
@@ -337,7 +339,7 @@ func testRSAdoptMatchingAndReleaseNotMatching(ctx context.Context, f *framework.
 
 	ginkgo.By("When a replicaset with a matching selector is created")
 	replicas := int32(1)
-	rsSt := newRS(name, replicas, rsLabels, name, WebserverImage, nil)
+	rsSt := newRS(name, replicas, rsLabels, name, AgnhostImage, nil)
 	rsSt.Spec.Selector = &metav1.LabelSelector{MatchLabels: rsLabels}
 	rs, err := f.ClientSet.AppsV1().ReplicaSets(f.Namespace.Name).Create(ctx, rsSt, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
@@ -406,13 +408,13 @@ func testRSScaleSubresources(ctx context.Context, f *framework.Framework) {
 	podName := "sample-pod"
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 
 	rsName := "test-rs"
 	replicas := int32(1)
 	ginkgo.By(fmt.Sprintf("Creating replica set %q that asks for more than the allowed pod quota", rsName))
-	rs := newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil)
+	rs := newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil)
 	_, err := c.AppsV1().ReplicaSets(ns).Create(ctx, rs, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
@@ -472,7 +474,7 @@ func testRSLifeCycle(ctx context.Context, f *framework.Framework) {
 	podName := "sample-pod"
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 
 	rsName := "test-rs"
@@ -491,9 +493,10 @@ func testRSLifeCycle(ctx context.Context, f *framework.Framework) {
 	rsList, err := f.ClientSet.AppsV1().ReplicaSets("").List(ctx, metav1.ListOptions{LabelSelector: label})
 	framework.ExpectNoError(err, "failed to list rsList")
 	// Create a ReplicaSet
-	rs := newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil)
-	_, err = c.AppsV1().ReplicaSets(ns).Create(ctx, rs, metav1.CreateOptions{})
+	rs := newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil)
+	createdRS, err := c.AppsV1().ReplicaSets(ns).Create(ctx, rs, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
+	gomega.Expect(createdRS).To(apimachineryutils.HaveValidResourceVersion())
 
 	// Verify that the required pods have come up.
 	err = e2epod.VerifyPodsRunning(ctx, c, ns, podName, labels.SelectorFromSet(map[string]string{"name": podName}), false, replicas)
@@ -527,8 +530,9 @@ func testRSLifeCycle(ctx context.Context, f *framework.Framework) {
 		},
 	})
 	framework.ExpectNoError(err, "failed to Marshal ReplicaSet JSON patch")
-	_, err = f.ClientSet.AppsV1().ReplicaSets(ns).Patch(ctx, rsName, types.StrategicMergePatchType, []byte(rsPatch), metav1.PatchOptions{})
+	patchedRS, err := f.ClientSet.AppsV1().ReplicaSets(ns).Patch(ctx, rsName, types.StrategicMergePatchType, []byte(rsPatch), metav1.PatchOptions{})
 	framework.ExpectNoError(err, "failed to patch ReplicaSet")
+	gomega.Expect(resourceversion.CompareResourceVersion(createdRS.ResourceVersion, patchedRS.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 	ctxUntil, cancel := context.WithTimeout(ctx, f.Timeouts.PodStart)
 	defer cancel()
@@ -571,12 +575,12 @@ func listRSDeleteCollection(ctx context.Context, f *framework.Framework) {
 	podName := "sample-pod"
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 		"e2e":  e2eValue,
 	}
 
 	ginkgo.By("Create a ReplicaSet")
-	rs := newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil)
+	rs := newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil)
 	_, err := rsClient.Create(ctx, rs, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
@@ -611,7 +615,7 @@ func testRSStatus(ctx context.Context, f *framework.Framework) {
 	podName := "sample-pod"
 	rsPodLabels := map[string]string{
 		"name": podName,
-		"pod":  WebserverImageName,
+		"pod":  AgnhostImageName,
 	}
 	labelSelector := labels.SelectorFromSet(rsPodLabels).String()
 
@@ -628,7 +632,7 @@ func testRSStatus(ctx context.Context, f *framework.Framework) {
 	framework.ExpectNoError(err, "failed to list Replicasets")
 
 	ginkgo.By("Create a Replicaset")
-	rs := newRS(rsName, replicas, rsPodLabels, WebserverImageName, WebserverImage, nil)
+	rs := newRS(rsName, replicas, rsPodLabels, AgnhostImageName, AgnhostImage, nil)
 	testReplicaSet, err := c.AppsV1().ReplicaSets(ns).Create(ctx, rs, metav1.CreateOptions{})
 	framework.ExpectNoError(err)
 
diff --git a/test/e2e/apps/statefulset.go b/test/e2e/apps/statefulset.go
index 419e32271d273..076bc5fbbc7ba 100644
--- a/test/e2e/apps/statefulset.go
+++ b/test/e2e/apps/statefulset.go
@@ -42,6 +42,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
@@ -49,6 +50,8 @@ import (
 	"k8s.io/client-go/tools/cache"
 	watchtools "k8s.io/client-go/tools/watch"
 	"k8s.io/client-go/util/retry"
+	"k8s.io/kubernetes/pkg/features"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
@@ -73,8 +76,6 @@ const (
 	// Timeout for reads from databases running on stateful pods.
 	readTimeout = 60 * time.Second
 
-	// statefulSetPoll is a poll interval for StatefulSet tests
-	statefulSetPoll = 10 * time.Second
 	// statefulSetTimeout is a timeout interval for StatefulSet operations
 	statefulSetTimeout = 10 * time.Minute
 	// statefulPodTimeout is a timeout for stateful pods to change state
@@ -86,7 +87,7 @@ const (
 var httpProbe = &v1.Probe{
 	ProbeHandler: v1.ProbeHandler{
 		HTTPGet: &v1.HTTPGetAction{
-			Path: "/index.html",
+			Path: "/localhost.crt",
 			Port: intstr.IntOrString{IntVal: 80},
 		},
 	},
@@ -364,7 +365,7 @@ var _ = SIGDescribe("StatefulSet", func() {
 					pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel],
 					currentRevision)
 			}
-			newImage := NewWebserverImage
+			newImage := AgnhostImage
 			oldImage := ss.Spec.Template.Spec.Containers[0].Image
 
 			ginkgo.By(fmt.Sprintf("Updating stateful set template: update image from %s to %s", oldImage, newImage))
@@ -568,6 +569,74 @@ var _ = SIGDescribe("StatefulSet", func() {
 			deletingPodForRollingUpdatePartitionTest(ctx, f, c, ns, ss)
 		})
 
+		f.It("should perform rolling updates with maxUnavailable", framework.WithFeatureGate(features.MaxUnavailableStatefulSet), func(ctx context.Context) {
+			ginkgo.By("Creating a new StatefulSet")
+			ss := e2estatefulset.NewStatefulSet("ss-maxunavailable", ns, headlessSvcName, 5, nil, nil, labels)
+			setHTTPProbe(ss)
+			ss.Spec.UpdateStrategy = appsv1.StatefulSetUpdateStrategy{
+				Type: appsv1.RollingUpdateStatefulSetStrategyType,
+				RollingUpdate: &appsv1.RollingUpdateStatefulSetStrategy{
+					MaxUnavailable: ptr.To(intstr.IntOrString{IntVal: 2}),
+				},
+			}
+			ss, err := c.AppsV1().StatefulSets(ns).Create(ctx, ss, metav1.CreateOptions{})
+			framework.ExpectNoError(err)
+			e2estatefulset.WaitForRunningAndReady(ctx, c, *ss.Spec.Replicas, ss)
+			ss = waitForStatus(ctx, c, ss)
+			currentRevision, updateRevision := ss.Status.CurrentRevision, ss.Status.UpdateRevision
+			gomega.Expect(currentRevision).To(gomega.Equal(updateRevision), "StatefulSet %s/%s created with update revision %s not equal to current revision %s",
+				ss.Namespace, ss.Name, updateRevision, currentRevision)
+			pods, err := e2estatefulset.GetPodList(ctx, c, ss)
+			framework.ExpectNoError(err)
+
+			for i := range pods.Items {
+				gomega.Expect(pods.Items[i].Labels).To(gomega.HaveKeyWithValue(appsv1.StatefulSetRevisionLabel, currentRevision), "Pod %s/%s revision %s is not equal to currentRevision %s",
+					pods.Items[i].Namespace,
+					pods.Items[i].Name,
+					pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel],
+					currentRevision)
+			}
+			newImage := AgnhostImage
+			oldImage := ss.Spec.Template.Spec.Containers[0].Image
+
+			ginkgo.By(fmt.Sprintf("Updating stateful set template: update image from %s to %s", oldImage, newImage))
+			gomega.Expect(oldImage).NotTo(gomega.Equal(newImage), "Incorrect test setup: should update to a different image")
+			ss, err = updateStatefulSetWithRetries(ctx, c, ns, ss.Name, func(update *appsv1.StatefulSet) {
+				update.Spec.Template.Spec.Containers[0].Image = newImage
+			})
+			framework.ExpectNoError(err)
+
+			ginkgo.By("Creating a new revision")
+			ss = waitForStatus(ctx, c, ss)
+
+			ginkgo.By("Performing rolling update with maxUnavailable=2 and continuously monitoring constraint")
+			ss, pods = waitForMaxUnavailableRollingUpdate(ctx, c, ss, 2)
+
+			ginkgo.By("Verifying StatefulSet status reflects completed update")
+			for i := range pods.Items {
+				gomega.Expect(pods.Items[i].Spec.Containers[0].Image).To(gomega.Equal(newImage), "Pod %s/%s has image %s not equal to the new image %s",
+					pods.Items[i].Namespace,
+					pods.Items[i].Name,
+					pods.Items[i].Spec.Containers[0].Image,
+					oldImage)
+				gomega.Expect(pods.Items[i].Labels).To(gomega.HaveKeyWithValue(appsv1.StatefulSetRevisionLabel, ss.Status.CurrentRevision), "Pod %s/%s has revision %s not equal to current revision %s",
+					pods.Items[i].Namespace,
+					pods.Items[i].Name,
+					pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel],
+					ss.Status.CurrentRevision)
+			}
+			gomega.Expect(ss.Status.CurrentRevision).To(gomega.Equal(ss.Status.UpdateRevision), "StatefulSet %s/%s current revision %s does not equal update revision %s on update completion",
+				ss.Namespace,
+				ss.Name,
+				ss.Status.CurrentRevision,
+				ss.Status.UpdateRevision)
+			gomega.Expect(ss.Status.UpdatedReplicas).To(gomega.Equal(*ss.Spec.Replicas), "StatefulSet %s/%s updated replicas %d does not equal desired replicas %d",
+				ss.Namespace,
+				ss.Name,
+				ss.Status.UpdatedReplicas,
+				*ss.Spec.Replicas)
+		})
+
 		// Do not mark this as Conformance.
 		// The legacy OnDelete strategy only exists for backward compatibility with pre-v1 APIs.
 		ginkgo.It("should implement legacy replacement when the update strategy is OnDelete", func(ctx context.Context) {
@@ -611,7 +680,7 @@ var _ = SIGDescribe("StatefulSet", func() {
 					pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel],
 					currentRevision)
 			}
-			newImage := NewWebserverImage
+			newImage := AgnhostImage
 			oldImage := ss.Spec.Template.Spec.Containers[0].Image
 
 			ginkgo.By(fmt.Sprintf("Updating stateful set template: update image from %s to %s", oldImage, newImage))
@@ -822,8 +891,8 @@ var _ = SIGDescribe("StatefulSet", func() {
 				Spec: v1.PodSpec{
 					Containers: []v1.Container{
 						{
-							Name:  "webserver",
-							Image: imageutils.GetE2EImage(imageutils.Httpd),
+							Name:  "agnhost",
+							Image: imageutils.GetE2EImage(imageutils.Agnhost),
 							Ports: []v1.ContainerPort{conflictingPort},
 						},
 					},
@@ -985,12 +1054,13 @@ var _ = SIGDescribe("StatefulSet", func() {
 			// Define StatefulSet Labels
 			ssPodLabels := map[string]string{
 				"name": "sample-pod",
-				"pod":  WebserverImageName,
+				"pod":  AgnhostImageName,
 			}
 			ss := e2estatefulset.NewStatefulSet(ssName, ns, headlessSvcName, 1, nil, nil, ssPodLabels)
 			setHTTPProbe(ss)
 			ss, err := c.AppsV1().StatefulSets(ns).Create(ctx, ss, metav1.CreateOptions{})
 			framework.ExpectNoError(err)
+			gomega.Expect(ss).To(apimachineryutils.HaveValidResourceVersion())
 			e2estatefulset.WaitForRunningAndReady(ctx, c, *ss.Spec.Replicas, ss)
 			waitForStatus(ctx, c, ss)
 
@@ -1013,8 +1083,9 @@ var _ = SIGDescribe("StatefulSet", func() {
 				},
 			})
 			framework.ExpectNoError(err, "failed to Marshal StatefulSet JSON patch")
-			_, err = f.ClientSet.AppsV1().StatefulSets(ns).Patch(ctx, ssName, types.StrategicMergePatchType, []byte(ssPatch), metav1.PatchOptions{})
+			patchedSs, err := f.ClientSet.AppsV1().StatefulSets(ns).Patch(ctx, ssName, types.StrategicMergePatchType, []byte(ssPatch), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "failed to patch Set")
+			gomega.Expect(resourceversion.CompareResourceVersion(ss.ResourceVersion, patchedSs.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 			ss, err = c.AppsV1().StatefulSets(ns).Get(ctx, ssName, metav1.GetOptions{})
 			framework.ExpectNoError(err, "Failed to get statefulset resource: %v", err)
 			gomega.Expect(*(ss.Spec.Replicas)).To(gomega.Equal(ssPatchReplicas), "statefulset should have 2 replicas")
@@ -1219,7 +1290,7 @@ var _ = SIGDescribe("StatefulSet", func() {
 		// Define StatefulSet Labels
 		ssPodLabels := map[string]string{
 			"name": "sample-pod",
-			"pod":  WebserverImageName,
+			"pod":  AgnhostImageName,
 		}
 		ss := e2estatefulset.NewStatefulSet(ssName, ns, headlessSvcName, 1, nil, nil, ssPodLabels)
 		setHTTPProbe(ss)
@@ -1234,7 +1305,7 @@ var _ = SIGDescribe("StatefulSet", func() {
 		// Define StatefulSet Labels
 		ssPodLabels := map[string]string{
 			"name": "sample-pod",
-			"pod":  WebserverImageName,
+			"pod":  AgnhostImageName,
 		}
 		ss := e2estatefulset.NewStatefulSet(ssName, ns, headlessSvcName, 2, nil, nil, ssPodLabels)
 		ss.Spec.MinReadySeconds = 30
@@ -2166,7 +2237,7 @@ func rollbackTest(ctx context.Context, c clientset.Interface, ns string, ss *app
 	err = breakPodHTTPProbe(ss, &pods.Items[1])
 	framework.ExpectNoError(err)
 	ss, _ = waitForPodNotReady(ctx, c, ss, pods.Items[1].Name)
-	newImage := NewWebserverImage
+	newImage := AgnhostImage
 	oldImage := ss.Spec.Template.Spec.Containers[0].Image
 
 	ginkgo.By(fmt.Sprintf("Updating StatefulSet template: update image from %s to %s", oldImage, newImage))
@@ -2290,7 +2361,7 @@ func deletingPodForRollingUpdatePartitionTest(ctx context.Context, f *framework.
 	defer e2epod.NewPodClient(f).RemoveFinalizer(ctx, pod0.Name, testFinalizer)
 
 	ginkgo.By("Updating image on StatefulSet")
-	newImage := NewWebserverImage
+	newImage := AgnhostImage
 	oldImage := ss.Spec.Template.Spec.Containers[0].Image
 	ginkgo.By(fmt.Sprintf("Updating stateful set template: update image from %s to %s", oldImage, newImage))
 	gomega.Expect(oldImage).ToNot(gomega.Equal(newImage), "Incorrect test setup: should update to a different image")
@@ -2305,7 +2376,7 @@ func deletingPodForRollingUpdatePartitionTest(ctx context.Context, f *framework.
 	gomega.Expect(currentRevision).ToNot(gomega.Equal(updateRevision), "Current revision should not equal update revision during rolling update")
 
 	ginkgo.By("Await for all replicas running, all are updated but pod-0")
-	e2estatefulset.WaitForState(ctx, c, ss, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, ss, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		ss = set2
 		pods = pods2
 		if ss.Status.UpdatedReplicas == *ss.Spec.Replicas-1 && ss.Status.Replicas == *ss.Spec.Replicas && ss.Status.ReadyReplicas == *ss.Spec.Replicas {
@@ -2345,7 +2416,7 @@ func deletingPodForRollingUpdatePartitionTest(ctx context.Context, f *framework.
 	ginkgo.By("Deleting the pod-0 so that kubelet terminates it and StatefulSet controller recreates it")
 	deleteStatefulPodAtIndex(ctx, c, 0, ss)
 	ginkgo.By("Await for two replicas to be updated, while the pod-0 is not running")
-	e2estatefulset.WaitForState(ctx, c, ss, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, ss, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		ss = set2
 		pods = pods2
 		return ss.Status.ReadyReplicas == *ss.Spec.Replicas-1, nil
@@ -2355,7 +2426,7 @@ func deletingPodForRollingUpdatePartitionTest(ctx context.Context, f *framework.
 	e2epod.NewPodClient(f).RemoveFinalizer(ctx, pod0.Name, testFinalizer)
 
 	ginkgo.By("Await for recreation of pod-0, so that all replicas are running")
-	e2estatefulset.WaitForState(ctx, c, ss, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, ss, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		ss = set2
 		pods = pods2
 		return ss.Status.ReadyReplicas == *ss.Spec.Replicas, nil
@@ -2431,7 +2502,7 @@ func breakHTTPProbe(ctx context.Context, c clientset.Interface, ss *appsv1.State
 		return fmt.Errorf("path expected to be not empty: %v", path)
 	}
 	// Ignore 'mv' errors to make this idempotent.
-	cmd := fmt.Sprintf("mv -v /usr/local/apache2/htdocs%v /tmp/ || true", path)
+	cmd := fmt.Sprintf("mv -v %v /tmp/ || true", path)
 	return e2estatefulset.ExecInStatefulPods(ctx, c, ss, cmd)
 }
 
@@ -2441,9 +2512,8 @@ func breakPodHTTPProbe(ss *appsv1.StatefulSet, pod *v1.Pod) error {
 	if path == "" {
 		return fmt.Errorf("path expected to be not empty: %v", path)
 	}
-	// Ignore 'mv' errors to make this idempotent.
-	cmd := fmt.Sprintf("mv -v /usr/local/apache2/htdocs%v /tmp/ || true", path)
-	stdout, err := e2eoutput.RunHostCmdWithRetries(pod.Namespace, pod.Name, cmd, statefulSetPoll, statefulPodTimeout)
+	cmd := fmt.Sprintf("mv -v %v /tmp/ || true", path)
+	stdout, err := e2eoutput.RunHostCmdWithRetries(pod.Namespace, pod.Name, cmd, e2estatefulset.StatefulSetPoll, statefulPodTimeout)
 	framework.Logf("stdout of %v on %v: %v", cmd, pod.Name, stdout)
 	return err
 }
@@ -2455,7 +2525,7 @@ func restoreHTTPProbe(ctx context.Context, c clientset.Interface, ss *appsv1.Sta
 		return fmt.Errorf("path expected to be not empty: %v", path)
 	}
 	// Ignore 'mv' errors to make this idempotent.
-	cmd := fmt.Sprintf("mv -v /tmp%v /usr/local/apache2/htdocs/ || true", path)
+	cmd := fmt.Sprintf("mv -v /tmp%v / || true", path)
 	return e2estatefulset.ExecInStatefulPods(ctx, c, ss, cmd)
 }
 
@@ -2466,8 +2536,8 @@ func restorePodHTTPProbe(ss *appsv1.StatefulSet, pod *v1.Pod) error {
 		return fmt.Errorf("path expected to be not empty: %v", path)
 	}
 	// Ignore 'mv' errors to make this idempotent.
-	cmd := fmt.Sprintf("mv -v /tmp%v /usr/local/apache2/htdocs/ || true", path)
-	stdout, err := e2eoutput.RunHostCmdWithRetries(pod.Namespace, pod.Name, cmd, statefulSetPoll, statefulPodTimeout)
+	cmd := fmt.Sprintf("mv -v /tmp%v / || true", path)
+	stdout, err := e2eoutput.RunHostCmdWithRetries(pod.Namespace, pod.Name, cmd, e2estatefulset.StatefulSetPoll, statefulPodTimeout)
 	framework.Logf("stdout of %v on %v: %v", cmd, pod.Name, stdout)
 	return err
 }
diff --git a/test/e2e/apps/types.go b/test/e2e/apps/types.go
index 4d1f671a6f63d..7b39d11b67b43 100644
--- a/test/e2e/apps/types.go
+++ b/test/e2e/apps/types.go
@@ -22,16 +22,12 @@ import (
 
 // NOTE(claudiub): These constants should NOT be used as Pod Container Images.
 const (
-	WebserverImageName = "httpd"
-	AgnhostImageName   = "agnhost"
+	AgnhostImageName = "agnhost"
 )
 
 var (
-	// WebserverImage is the fully qualified URI to the Httpd image
-	WebserverImage = imageutils.GetE2EImage(imageutils.Httpd)
-
-	// NewWebserverImage is the fully qualified URI to the HttpdNew image
-	NewWebserverImage = imageutils.GetE2EImage(imageutils.HttpdNew)
+	// PrevAgnhostImage is the fully qualified URI to the AgnhostPrev image
+	PrevAgnhostImage = imageutils.GetE2EImage(imageutils.AgnhostPrev)
 
 	// AgnhostImage is the fully qualified URI to the Agnhost image
 	AgnhostImage = imageutils.GetE2EImage(imageutils.Agnhost)
diff --git a/test/e2e/apps/wait.go b/test/e2e/apps/wait.go
index 99392fcb2a552..7173b2e89cf60 100644
--- a/test/e2e/apps/wait.go
+++ b/test/e2e/apps/wait.go
@@ -18,6 +18,7 @@ package apps
 
 import (
 	"context"
+	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@@ -45,7 +46,7 @@ func waitForPartitionedRollingUpdate(ctx context.Context, c clientset.Interface,
 			set.Namespace,
 			set.Name)
 	}
-	e2estatefulset.WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		set = set2
 		pods = pods2
 		partition := int(*set.Spec.UpdateStrategy.RollingUpdate.Partition)
@@ -87,7 +88,7 @@ func waitForPartitionedRollingUpdate(ctx context.Context, c clientset.Interface,
 // waitForStatus waits for the StatefulSetStatus's ObservedGeneration to be greater than or equal to set's Generation.
 // The returned StatefulSet contains such a StatefulSetStatus
 func waitForStatus(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet) *appsv1.StatefulSet {
-	e2estatefulset.WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods *v1.PodList) (bool, error) {
 		if set2.Status.ObservedGeneration >= set.Generation {
 			set = set2
 			return true, nil
@@ -99,7 +100,7 @@ func waitForStatus(ctx context.Context, c clientset.Interface, set *appsv1.State
 
 // waitForPodNames waits for the StatefulSet's pods to match expected names.
 func waitForPodNames(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet, expectedPodNames []string) {
-	e2estatefulset.WaitForState(ctx, c, set,
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll,
 		func(intSet *appsv1.StatefulSet, pods *v1.PodList) (bool, error) {
 			if err := expectPodNames(pods, expectedPodNames); err != nil {
 				framework.Logf("Currently %v", err)
@@ -112,7 +113,7 @@ func waitForPodNames(ctx context.Context, c clientset.Interface, set *appsv1.Sta
 // waitForStatus waits for the StatefulSetStatus's CurrentReplicas to be equal to expectedReplicas
 // The returned StatefulSet contains such a StatefulSetStatus
 func waitForStatusCurrentReplicas(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet, expectedReplicas int32) *appsv1.StatefulSet {
-	e2estatefulset.WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods *v1.PodList) (bool, error) {
 		if set2.Status.ObservedGeneration >= set.Generation && set2.Status.CurrentReplicas == expectedReplicas {
 			set = set2
 			return true, nil
@@ -125,7 +126,7 @@ func waitForStatusCurrentReplicas(ctx context.Context, c clientset.Interface, se
 // waitForPodNotReady waits for the Pod named podName in set to exist and to not have a Ready condition.
 func waitForPodNotReady(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet, podName string) (*appsv1.StatefulSet, *v1.PodList) {
 	var pods *v1.PodList
-	e2estatefulset.WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		set = set2
 		pods = pods2
 		for i := range pods.Items {
@@ -148,7 +149,7 @@ func waitForRollingUpdate(ctx context.Context, c clientset.Interface, set *appsv
 			set.Name,
 			set.Spec.UpdateStrategy.Type)
 	}
-	e2estatefulset.WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	e2estatefulset.WaitForState(ctx, c, set, e2estatefulset.StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		set = set2
 		pods = pods2
 		if len(pods.Items) < int(*set.Spec.Replicas) {
@@ -176,6 +177,62 @@ func waitForRollingUpdate(ctx context.Context, c clientset.Interface, set *appsv
 	return set, pods
 }
 
+// waitForMaxUnavailableRollingUpdate waits for all Pods in set to exist and have the correct revision and for the
+// RollingUpdate to complete while enforcing maxUnavailable constraints. set must have a RollingUpdateStatefulSetStrategyType
+// with MaxUnavailable configured.
+func waitForMaxUnavailableRollingUpdate(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet, maxUnavailable int) (*appsv1.StatefulSet, *v1.PodList) {
+	var pods *v1.PodList
+	if set.Spec.UpdateStrategy.Type != appsv1.RollingUpdateStatefulSetStrategyType {
+		framework.Failf("StatefulSet %s/%s attempt to wait for maxUnavailable rolling update with updateStrategy %s",
+			set.Namespace,
+			set.Name,
+			set.Spec.UpdateStrategy.Type)
+	}
+	e2estatefulset.WaitForState(ctx, c, set, 1*time.Second, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+		set = set2
+		pods = pods2
+		if len(pods.Items) < int(*set.Spec.Replicas) {
+			return false, nil
+		}
+
+		// Count unavailable pods
+		unavailablePods := 0
+		e2estatefulset.SortStatefulPods(pods)
+		for i := range pods.Items {
+			if !podutil.IsPodReady(&pods.Items[i]) {
+				unavailablePods++
+			}
+		}
+
+		// Validate maxUnavailable constraint is never violated
+		if unavailablePods > maxUnavailable {
+			framework.Failf("StatefulSet %s/%s rolling update violated maxUnavailable constraint: %d unavailable pods > %d maxUnavailable",
+				set.Namespace, set.Name, unavailablePods, maxUnavailable)
+		}
+
+		if set.Status.UpdateRevision != set.Status.CurrentRevision {
+			framework.Logf("Waiting for StatefulSet %s/%s to complete update, %d unavailable (max %d)",
+				set.Namespace,
+				set.Name,
+				unavailablePods,
+				maxUnavailable,
+			)
+			for i := range pods.Items {
+				if pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel] != set.Status.UpdateRevision {
+					framework.Logf("Waiting for Pod %s/%s to have revision %s update revision %s",
+						pods.Items[i].Namespace,
+						pods.Items[i].Name,
+						set.Status.UpdateRevision,
+						pods.Items[i].Labels[appsv1.StatefulSetRevisionLabel])
+				}
+			}
+			return false, nil
+		}
+		return true, nil
+	})
+	return set, pods
+}
+
 // waitForRunningAndNotReady waits for numStatefulPods in ss to be Running and not Ready.
 func waitForRunningAndNotReady(ctx context.Context, c clientset.Interface, numStatefulPods int32, ss *appsv1.StatefulSet) {
 	e2estatefulset.WaitForRunning(ctx, c, numStatefulPods, 0, ss)
diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go
index d120eb111e7bc..64e99f1f54cb0 100644
--- a/test/e2e/auth/certificates.go
+++ b/test/e2e/auth/certificates.go
@@ -33,6 +33,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -40,6 +41,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/certificate/csr"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/utils"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -306,6 +308,7 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 		framework.ExpectNoError(err)
 		gomega.Expect(gottenCSR.UID).To(gomega.Equal(createdCSR.UID))
 		gomega.Expect(gottenCSR.Spec.ExpirationSeconds).To(gomega.Equal(csr.DurationToExpirationSeconds(time.Hour)))
+		gomega.Expect(gottenCSR).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		csrs, err := csrClient.List(ctx, metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})
@@ -321,6 +324,7 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 		patchedCSR, err := csrClient.Patch(ctx, createdCSR.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedCSR.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(gottenCSR.ResourceVersion, patchedCSR.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		csrToUpdate := patchedCSR.DeepCopy()
diff --git a/test/e2e/auth/projected_podcertificate.go b/test/e2e/auth/projected_podcertificate.go
new file mode 100644
index 0000000000000..597a9950c3057
--- /dev/null
+++ b/test/e2e/auth/projected_podcertificate.go
@@ -0,0 +1,457 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+
+	appsv1 "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	"k8s.io/kubernetes/test/utils/hermeticpodcertificatesigner"
+	imageutils "k8s.io/kubernetes/test/utils/image" // Import imageutils
+	admissionapi "k8s.io/pod-security-admission/api"
+	admissiontest "k8s.io/pod-security-admission/test"
+	"k8s.io/utils/clock"
+)
+
+var _ = SIGDescribe("Projected PodCertificate",
+	framework.WithFeatureGate(features.PodCertificateRequest),
+	framework.WithFeatureGate(features.ClusterTrustBundle),
+	framework.WithFeatureGate(features.ClusterTrustBundleProjection),
+	func() {
+		f := framework.NewDefaultFramework("projected-podcertificate")
+		f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+
+		var spiffeSignerName string
+
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			spiffeSignerName = "e2e.example.com/" + f.UniqueName
+
+			ginkgo.By("Starting in-process pod certificate signer...")
+			signerCtx, cancelSigner := context.WithCancel(context.Background())
+			ginkgo.DeferCleanup(func(ctx context.Context) {
+				ginkgo.By("Stopping in-process pod certificate signer...")
+				cancelSigner()
+			})
+
+			var err error
+			caKeys, caCerts, err := hermeticpodcertificatesigner.GenerateCAHierarchy(1) // Generate CA once
+			if err != nil {
+				framework.Failf("failed to generate CA for signer: %v", err)
+			}
+
+			signer := hermeticpodcertificatesigner.New(clock.RealClock{}, spiffeSignerName, caKeys, caCerts, f.ClientSet)
+			go signer.Run(signerCtx)
+		})
+
+		ginkgo.It("should allow server and client pods to establish an mTLS connection", func(ctx context.Context) {
+			namespace := f.Namespace.Name
+			ginkgo.By("Using namespace: " + namespace)
+
+			securityContext := generateContainerSecurityContext()
+			serverDeployment, serverService := createServerObjects(namespace, spiffeSignerName, securityContext)
+			ginkgo.By("Creating server deployment...")
+			_, err := f.ClientSet.AppsV1().Deployments(namespace).Create(ctx, serverDeployment, metav1.CreateOptions{})
+			if err != nil {
+				framework.Failf("failed to create server deployment: %v", err)
+			}
+
+			ginkgo.By("Creating server service...")
+			_, err = f.ClientSet.CoreV1().Services(namespace).Create(ctx, serverService, metav1.CreateOptions{})
+			if err != nil {
+				framework.Failf("failed to create server service: %v", err)
+			}
+
+			clientDeployment := createClientObjects(namespace, spiffeSignerName, securityContext)
+			ginkgo.By("Creating client deployment...")
+			_, err = f.ClientSet.AppsV1().Deployments(namespace).Create(ctx, clientDeployment, metav1.CreateOptions{})
+			if err != nil {
+				framework.Failf("failed to create client deployment: %v", err)
+			}
+
+			ginkgo.By("Waiting for mTLS connection to be built...")
+
+			// The mtlsclient now logs successful polls, check for that pattern.
+			gomega.Eventually(ctx, func(ctx context.Context) (string, error) {
+				clientLabels := labels.Set{"app": "client"}
+				podList, listErr := f.ClientSet.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{LabelSelector: clientLabels.String()})
+				if listErr != nil || len(podList.Items) == 0 {
+					return "", fmt.Errorf("failed to get client pods: %w", err)
+				}
+				return e2epod.GetPodLogs(ctx, f.ClientSet, namespace, podList.Items[0].Name, "client")
+			}, 30*time.Second, 2*time.Second).Should(gomega.MatchRegexp(`Got response body: Client Identity: spiffe://`),
+				"client logs did not contain expected success message pattern")
+		})
+
+		ginkgo.It("should honor UserAnnotations for SPIFFE URI path", func(ctx context.Context) {
+			namespace := f.Namespace.Name
+			ginkgo.By("Using namespace: " + namespace)
+
+			// Use customerPath to override the path in the spiffeID.
+			customPath := "/custom-workload"
+			userAnnotations := map[string]string{
+				"spiffe/path-overriding": customPath, // Match the key supported the signer
+			}
+			inspectorPod := createInspectorPod(namespace, "path-override-pod", userAnnotations, nil, spiffeSignerName)
+
+			ginkgo.By("Creating inspector pod with UserAnnotations...")
+			_, err := f.ClientSet.CoreV1().Pods(namespace).Create(ctx, inspectorPod, metav1.CreateOptions{})
+			if err != nil {
+				framework.Failf("failed to create inspector pod: %v", err)
+			}
+
+			ginkgo.By("Waiting for inspector pod to be running...")
+			err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, inspectorPod)
+			if err != nil {
+				framework.Failf("inspector pod failed to start: %v", err)
+			}
+
+			ginkgo.By("Fetching and parsing certificate from pod logs...")
+			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, namespace, inspectorPod.Name, inspectorPod.Spec.Containers[0].Name)
+			if err != nil {
+				framework.Failf("failed to get pod logs: %v", err)
+			}
+			certs, err := certutil.ParseCertsPEM([]byte(logs))
+			if err != nil {
+				framework.Failf("failed to parse certificate chain from PEM block: %v", err)
+			}
+			gomega.Expect(certs).ToNot(gomega.BeEmpty(), "should parse at least one certificate from the bundle")
+
+			cert := certs[0]
+			foundSPIFFEURI := false
+			for _, uri := range cert.URIs {
+				if uri.Scheme == "spiffe" {
+					foundSPIFFEURI = true
+					ginkgo.By("Found SPIFFE URI: " + uri.String())
+					gomega.Expect(uri.Path).To(gomega.Equal(customPath), "SPIFFE URI path should match the custom path from UserAnnotations")
+					break
+				}
+			}
+			gomega.Expect(foundSPIFFEURI).To(gomega.BeTrueBecause("should find a SPIFFE URI in the certificate's SANs"))
+		})
+
+		ginkgo.Describe("MaxExpirationSeconds validations", func() {
+
+			ginkgo.It("should issue certificate with default life time (24h) when MaxExpirationSeconds is not set", func(ctx context.Context) {
+				namespace := f.Namespace.Name
+				ginkgo.By("Using namespace: " + namespace)
+
+				// Create pod without MaxExpirationSeconds
+				testPod := createInspectorPod(namespace, "default-duration-pod", nil, nil, spiffeSignerName)
+				ginkgo.By("Creating pod without MaxExpirationSeconds...")
+				createdPod, err := f.ClientSet.CoreV1().Pods(namespace).Create(ctx, testPod, metav1.CreateOptions{})
+				if err != nil {
+					framework.Failf("failed to create pod: %v", err)
+				}
+
+				ginkgo.By("Waiting for pod to be running...")
+				err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, createdPod)
+				if err != nil {
+					framework.Failf("Pod failed to start: %v", err)
+				}
+
+				ginkgo.By("Fetching certificate and verifying duration...")
+				logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, namespace, createdPod.Name, createdPod.Spec.Containers[0].Name)
+				if err != nil {
+					framework.Failf("failed to get pod logs: %v", err)
+				}
+				certs, err := certutil.ParseCertsPEM([]byte(logs))
+				if err != nil {
+					framework.Failf("failed to parse certificate: %v", err)
+				}
+				gomega.Expect(certs).ToNot(gomega.BeEmpty())
+				cert := certs[0]
+				lifeTime := cert.NotAfter.Sub(cert.NotBefore)
+				expectedDuration := 24 * time.Hour // Default from signer code
+				ginkgo.By(fmt.Sprintf("Verifying certificate duration %v is close to %v", lifeTime, expectedDuration))
+				gomega.Expect(lifeTime).To(gomega.BeNumerically("==", expectedDuration), "Certificate duration should be 24 hours")
+			})
+
+			ginkgo.It("should issue certificate with specified duration (1h) when MaxExpirationSeconds is set", func(ctx context.Context) {
+				namespace := f.Namespace.Name
+				ginkgo.By("Using namespace: " + namespace)
+
+				// Create pod requesting 1 hour
+				requestedSeconds := int32(3600)
+				testPod := createInspectorPod(namespace, "one-hour-duration-pod", nil, &requestedSeconds, spiffeSignerName)
+				ginkgo.By("Creating pod requesting 1 hour MaxExpirationSeconds...")
+				createdPod, err := f.ClientSet.CoreV1().Pods(namespace).Create(ctx, testPod, metav1.CreateOptions{})
+				if err != nil {
+					framework.Failf("failed to create pod: %v", err)
+				}
+
+				ginkgo.By("Waiting for pod to be running...")
+				err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, createdPod)
+				if err != nil {
+					framework.Failf("Pod failed to start: %v", err)
+				}
+
+				ginkgo.By("Fetching certificate and verifying duration...")
+				logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, namespace, createdPod.Name, createdPod.Spec.Containers[0].Name)
+				if err != nil {
+					framework.Failf("failed to get pod logs: %v", err)
+				}
+				certs, err := certutil.ParseCertsPEM([]byte(logs))
+				if err != nil {
+					framework.Failf("failed to parse certificate: %v", err)
+				}
+				gomega.Expect(certs).ToNot(gomega.BeEmpty())
+				cert := certs[0]
+				lifeTime := cert.NotAfter.Sub(cert.NotBefore)
+				expectedDuration := time.Duration(requestedSeconds) * time.Second
+				ginkgo.By(fmt.Sprintf("Verifying certificate duration %v is close to %v", lifeTime, expectedDuration))
+				gomega.Expect(lifeTime).To(gomega.BeNumerically("==", expectedDuration), "Certificate duration should be 1 hour")
+			})
+
+			ginkgo.It("should fail pod startup when MaxExpirationSeconds exceeds maximum (91d)", func(ctx context.Context) {
+				namespace := f.Namespace.Name
+				ginkgo.By("Using namespace: " + namespace)
+
+				// Exceeds 91 days
+				tooLongSeconds := int32((91 * 24 * 60 * 60) + 1)
+				testPod := createInspectorPod(namespace, "too-long-duration-pod", nil, &tooLongSeconds, spiffeSignerName)
+				ginkgo.By("Creating pod requesting >91d MaxExpirationSeconds...")
+				_, err := f.ClientSet.CoreV1().Pods(namespace).Create(ctx, testPod, metav1.CreateOptions{})
+				if err == nil {
+					framework.Fail("Error message does not match the expected.")
+				}
+				if err != nil {
+					if !strings.Contains(err.Error(), "if provided, maxExpirationSeconds must be <= 7862400") {
+						framework.Failf("failed to create pod: %v", err)
+					}
+				}
+			})
+
+			ginkgo.It("should fail pod startup when MaxExpirationSeconds is less than minimum (1h)", func(ctx context.Context) {
+				namespace := f.Namespace.Name
+				ginkgo.By("Using namespace: " + namespace)
+
+				// Less than 1 hour
+				tooShortSeconds := int32(3599)
+				testPod := createInspectorPod(namespace, "too-short-duration-pod", nil, &tooShortSeconds, spiffeSignerName)
+				ginkgo.By("Creating pod requesting <1h MaxExpirationSeconds...")
+				_, err := f.ClientSet.CoreV1().Pods(namespace).Create(ctx, testPod, metav1.CreateOptions{})
+				if err != nil {
+					if !strings.Contains(err.Error(), "if provided, maxExpirationSeconds must be >= 3600") {
+						framework.Fail("Error message does not match the expected")
+					}
+				}
+			})
+		})
+	})
+
+func generateContainerSecurityContext() *v1.SecurityContext {
+	desiredPSALevel := admissionapi.LevelRestricted
+	desiredVersion := admissionapi.GetAPIVersion()
+	minimalPod, err := admissiontest.GetMinimalValidPod(desiredPSALevel, desiredVersion)
+	if err != nil {
+		framework.Failf("failed to get minimal valid pod: %v", err)
+	}
+	return minimalPod.Spec.Containers[0].SecurityContext
+}
+
+// createServerObjects creates the Deployment and Service objects for the mTLS server.
+func createServerObjects(namespace string, spiffeSignerName string, securityContext *v1.SecurityContext) (*appsv1.Deployment, *v1.Service) {
+	replicas := int32(1)
+	serverLabels := map[string]string{"app": "server"}
+
+	signerNameVar := spiffeSignerName
+	serverDeployment := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "server",
+			Namespace: namespace,
+			Labels:    serverLabels,
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{MatchLabels: serverLabels},
+			Template: v1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{Labels: serverLabels},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:  "server",
+							Image: imageutils.GetE2EImage(imageutils.Agnhost), // Use agnhost image >= 2.59
+							Args: []string{
+								"mtlsserver",
+								"--listen=0.0.0.0:443",
+								"--server-creds=/run/tls-config/spiffe-cred-bundle.pem",
+								"--spiffe-trust-bundle=/run/tls-config/spiffe-trust-bundle.pem",
+							},
+							ImagePullPolicy: v1.PullAlways,
+							SecurityContext: securityContext,
+							VolumeMounts:    []v1.VolumeMount{{Name: "tls-config", MountPath: "/run/tls-config"}},
+						},
+					},
+					Volumes: []v1.Volume{{
+						Name: "tls-config",
+						VolumeSource: v1.VolumeSource{
+							Projected: &v1.ProjectedVolumeSource{
+								Sources: []v1.VolumeProjection{
+									{
+										PodCertificate: &v1.PodCertificateProjection{
+											SignerName:           spiffeSignerName,
+											CredentialBundlePath: "spiffe-cred-bundle.pem",
+											KeyType:              "ECDSAP256",
+										},
+									},
+									{
+										ClusterTrustBundle: &v1.ClusterTrustBundleProjection{
+											SignerName:    &signerNameVar,
+											LabelSelector: &metav1.LabelSelector{},
+											Path:          "spiffe-trust-bundle.pem",
+										},
+									},
+								},
+							},
+						},
+					}},
+					RestartPolicy: v1.RestartPolicyAlways,
+				},
+			},
+		},
+	}
+
+	serverService := &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{Name: "server", Namespace: namespace},
+		Spec: v1.ServiceSpec{
+			Type:     v1.ServiceTypeClusterIP,
+			Ports:    []v1.ServicePort{{Name: "https", Port: 443}},
+			Selector: serverLabels,
+		},
+	}
+
+	return serverDeployment, serverService
+}
+
+// createClientObjects creates the Deployment object for the mTLS client.
+func createClientObjects(namespace string, spiffeSignerName string, securityContext *v1.SecurityContext) *appsv1.Deployment {
+	replicas := int32(1)
+	clientLabels := map[string]string{"app": "client"}
+	fetchURL := "https://server." + namespace + ".svc/spiffe-echo"
+	signerNameVar := spiffeSignerName
+
+	return &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "client",
+			Namespace: namespace,
+			Labels:    clientLabels,
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{MatchLabels: clientLabels},
+			Template: v1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{Labels: clientLabels},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyAlways,
+					Containers: []v1.Container{{
+						Name:  "client",
+						Image: imageutils.GetE2EImage(imageutils.Agnhost), // Use agnhost image >= 2.59
+						Args: []string{
+							"mtlsclient",
+							"--fetch-url=" + fetchURL,
+							"--server-trust-bundle=/run/tls-config/spiffe-trust-bundle.pem",
+							"--client-cred-bundle=/run/tls-config/spiffe-cred-bundle.pem",
+						},
+						ImagePullPolicy: v1.PullAlways,
+						SecurityContext: securityContext,
+						VolumeMounts:    []v1.VolumeMount{{Name: "tls-config", MountPath: "/run/tls-config"}},
+					}},
+					Volumes: []v1.Volume{{
+						Name: "tls-config",
+						VolumeSource: v1.VolumeSource{
+							Projected: &v1.ProjectedVolumeSource{
+								Sources: []v1.VolumeProjection{
+									{
+										ClusterTrustBundle: &v1.ClusterTrustBundleProjection{
+											SignerName:    &signerNameVar,
+											LabelSelector: &metav1.LabelSelector{},
+											Path:          "spiffe-trust-bundle.pem",
+										},
+									},
+									{
+										PodCertificate: &v1.PodCertificateProjection{
+											SignerName:           spiffeSignerName,
+											CredentialBundlePath: "spiffe-cred-bundle.pem",
+											KeyType:              "ECDSAP256",
+										},
+									},
+								},
+							},
+						},
+					}},
+				},
+			},
+		},
+	}
+}
+
+// createInspectorPod creates a pod designed to print its certificate and wait, for inspection purposes.
+func createInspectorPod(namespace, podName string, userAnnotations map[string]string, maxExpirationSeconds *int32, spiffeSignerName string) *v1.Pod {
+	return &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      podName,
+			Namespace: namespace,
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:  "inspector",
+					Image: imageutils.GetE2EImage(imageutils.Agnhost),
+					// Use standard shell commands available in the agnhost base image
+					Command: []string{"/bin/sh", "-c", "cat /run/tls-config/spiffe-cred-bundle.pem && sleep infinity"},
+					VolumeMounts: []v1.VolumeMount{
+						{Name: "tls-config", MountPath: "/run/tls-config"},
+					},
+				},
+			},
+			Volumes: []v1.Volume{
+				{
+					Name: "tls-config",
+					VolumeSource: v1.VolumeSource{
+						Projected: &v1.ProjectedVolumeSource{
+							Sources: []v1.VolumeProjection{
+								{
+									PodCertificate: &v1.PodCertificateProjection{
+										SignerName:           spiffeSignerName,
+										CredentialBundlePath: "spiffe-cred-bundle.pem",
+										KeyType:              "ECDSAP256",
+										UserAnnotations:      userAnnotations,
+										MaxExpirationSeconds: maxExpirationSeconds,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			RestartPolicy: v1.RestartPolicyNever,
+		},
+	}
+}
diff --git a/test/e2e/auth/service_accounts.go b/test/e2e/auth/service_accounts.go
index c88a255ea5456..e9e9fd7848551 100644
--- a/test/e2e/auth/service_accounts.go
+++ b/test/e2e/auth/service_accounts.go
@@ -32,12 +32,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	watch "k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -700,6 +702,7 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 		}
 		createdServiceAccount, err := f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).Create(ctx, &testServiceAccount, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "failed to create a ServiceAccount")
+		gomega.Expect(createdServiceAccount).To(apimachineryutils.HaveValidResourceVersion())
 
 		getServiceAccount, err := f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).Get(ctx, testServiceAccountName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "failed to fetch the created ServiceAccount")
@@ -730,8 +733,10 @@ var _ = SIGDescribe("ServiceAccounts", func() {
 			AutomountServiceAccountToken: &boolFalse,
 		})
 		framework.ExpectNoError(err, "failed to marshal JSON patch for the ServiceAccount")
-		_, err = f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).Patch(ctx, testServiceAccountName, types.StrategicMergePatchType, []byte(testServiceAccountPatchData), metav1.PatchOptions{})
+		patchedServiceAccount, err := f.ClientSet.CoreV1().ServiceAccounts(testNamespaceName).Patch(ctx, testServiceAccountName, types.StrategicMergePatchType, []byte(testServiceAccountPatchData), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch the ServiceAccount")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdServiceAccount.ResourceVersion, patchedServiceAccount.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
+
 		eventFound = false
 		for watchEvent := range resourceWatchChan {
 			if watchEvent.Type == watch.Modified {
diff --git a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go
index 5d41c0bde1715..5022ba4b5351f 100644
--- a/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go
+++ b/test/e2e/autoscaling/horizontal_pod_autoscaling_behavior.go
@@ -504,7 +504,7 @@ var _ = SIGDescribe(feature.HPAConfigurableTolerance, framework.WithFeatureGate(
 		f := framework.NewDefaultFramework("horizontal-pod-autoscaling")
 		f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
-		waitBuffer := 1 * time.Minute
+		waitBuffer := 2 * time.Minute
 
 		ginkgo.Describe("with large configurable tolerance", func() {
 			ginkgo.It("should not scale", func(ctx context.Context) {
@@ -545,6 +545,73 @@ var _ = SIGDescribe(feature.HPAConfigurableTolerance, framework.WithFeatureGate(
 				gomega.Expect(replicas).To(gomega.BeNumerically("==", initPods), "had %s replicas, still have %s replicas after time deadline", initPods, replicas)
 			})
 		})
+
+		ginkgo.Describe("with small scale-up, large scale-down tolerances", func() {
+			ginkgo.It("should not scale", func(ctx context.Context) {
+				ginkgo.By("setting up resource consumer and HPA")
+				initPods := 10
+				podCPURequest := 200
+				targetCPUUtilizationPercent := 60
+				initCPUUsageTotal := usageForReplicasWithRequest(initPods, podCPURequest, targetCPUUtilizationPercent)
+				waitDeadline := maxHPAReactionTime + maxResourceConsumerDelay + waitBuffer
+
+				rc := e2eautoscaling.NewDynamicResourceConsumer(ctx,
+					hpaName, f.Namespace.Name, e2eautoscaling.KindDeployment, initPods,
+					initCPUUsageTotal, 0, 0, int64(podCPURequest), 200,
+					f.ClientSet, f.ScalesGetter, e2eautoscaling.Disable, e2eautoscaling.Idle,
+					nil)
+				ginkgo.DeferCleanup(rc.CleanUp)
+
+				scaleUpRule := e2eautoscaling.HPAScalingRuleWithToleranceMilli(20)    // 2%
+				scaleDownRule := e2eautoscaling.HPAScalingRuleWithToleranceMilli(300) // 30%
+				hpa := e2eautoscaling.CreateCPUHorizontalPodAutoscalerWithBehavior(ctx,
+					rc, int32(targetCPUUtilizationPercent), int32(initPods), 12,
+					e2eautoscaling.HPABehaviorWithScaleUpAndDownRules(scaleUpRule, scaleDownRule),
+				)
+				ginkgo.DeferCleanup(e2eautoscaling.DeleteHPAWithBehavior, rc, hpa.Name)
+
+				ginkgo.By("waiting for deployment to start initial pods")
+				rc.WaitForReplicas(ctx, initPods, waitDeadline)
+
+				ginkgo.By("trying to trigger scale up to 11 replicas")
+				rc.ConsumeCPU(usageForReplicasWithRequest(11, podCPURequest, targetCPUUtilizationPercent))
+
+				ginkgo.By("waiting for replicas to scale up")
+				waitStart := time.Now()
+				rc.WaitForReplicas(ctx, 11, waitDeadline)
+				timeWaited := time.Since(waitStart)
+				framework.Logf("time waited for scale up: %s", timeWaited)
+				gomega.Expect(timeWaited).To(gomega.BeNumerically("<", waitDeadline), "waited %s, wanted less than %s", timeWaited, waitDeadline)
+
+				// Increase resource usage to match 12 replicas. The difference is less
+				// than 10% (the default tolerance), but it should scale up anyway thanks
+				// to the small scale-up custom tolerance.
+
+				ginkgo.By("trying to trigger scale up to 12 replicas")
+				rc.ConsumeCPU(usageForReplicasWithRequest(12, podCPURequest, targetCPUUtilizationPercent))
+
+				ginkgo.By("waiting for replicas to scale up")
+				waitStart = time.Now()
+				rc.WaitForReplicas(ctx, 12, waitDeadline)
+				timeWaited = time.Since(waitStart)
+				framework.Logf("time waited for scale up: %s", timeWaited)
+				gomega.Expect(timeWaited).To(gomega.BeNumerically("<", waitDeadline), "waited %s, wanted less than %s", timeWaited, waitDeadline)
+
+				// Decrease resource usage to match 10 replicas. Should not scale down
+				// because of the large scale-down custom tolerance.
+
+				ginkgo.By("triggering scale down by lowering consumption")
+				waitStart = time.Now()
+				rc.ConsumeCPU(usageForReplicasWithRequest(10, podCPURequest, targetCPUUtilizationPercent))
+
+				rc.EnsureDesiredReplicasInRange(ctx, 12, 12, waitDeadline, hpa.Name)
+				timeWaited = time.Since(waitStart)
+
+				ginkgo.By("verifying time waited for a scale down")
+				framework.Logf("time waited for scale down: %s", timeWaited)
+				gomega.Expect(timeWaited).To(gomega.BeNumerically(">", waitDeadline), "waited %s, wanted to wait more than %s", timeWaited, waitDeadline)
+			})
+		})
 	})
 
 // usageForReplicas returns usage for (n - 0.5) replicas as if they would consume all CPU
@@ -553,6 +620,10 @@ var _ = SIGDescribe(feature.HPAConfigurableTolerance, framework.WithFeatureGate(
 // HPA rounds up the recommendations. So, if the usage is e.g. for 3.5 replicas,
 // the recommended replica number will be 4.
 func usageForReplicas(replicas int) int {
-	usagePerReplica := podCPURequest * targetCPUUtilizationPercent / 100
+	return usageForReplicasWithRequest(replicas, podCPURequest, targetCPUUtilizationPercent)
+}
+
+func usageForReplicasWithRequest(replicas, podRequest, targetUtilizationPercent int) int {
+	usagePerReplica := podRequest * targetUtilizationPercent / 100
 	return replicas*usagePerReplica - usagePerReplica/2
 }
diff --git a/test/e2e/common/apimachinery/resourceversion_matchers.go b/test/e2e/common/apimachinery/resourceversion_matchers.go
new file mode 100644
index 0000000000000..0b89b63a3084b
--- /dev/null
+++ b/test/e2e/common/apimachinery/resourceversion_matchers.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apimachinery
+
+import (
+	"fmt"
+	"math/big"
+
+	"github.com/onsi/gomega/types"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// HaveValidResourceVersion returns a Gomega matcher that checks if a kubernetes
+// objects resource version is a valid 128-bit unsigned integer.
+func HaveValidResourceVersion() types.GomegaMatcher {
+	return &HaveValidResourceVersionMatcher{}
+}
+
+type HaveValidResourceVersionMatcher struct {
+	failureReason string
+}
+
+// Match is a gomega matcher that checks whether or not the provided interface
+// is a metav1.Object with a uint128 resource version string.
+func (m *HaveValidResourceVersionMatcher) Match(actual interface{}) (success bool, err error) {
+	// First, ensure the input is an object.
+	o, ok := actual.(metav1.Object)
+	if !ok {
+		return false, fmt.Errorf("HaveValidResourceVersionMatcher matcher expects an api object, but got %T", actual)
+	}
+
+	val, ok := new(big.Int).SetString(o.GetResourceVersion(), 10)
+
+	if !ok {
+		m.failureReason = "the resource version is not a valid integer"
+		return false, nil
+	}
+	if val.Sign() < 0 {
+		m.failureReason = "the resource version is a negative number"
+		return false, nil
+	}
+	if val.BitLen() > 128 {
+		m.failureReason = fmt.Sprintf("resource version requires %d bits (more than 128)", val.BitLen())
+		return false, nil
+	}
+	if val.Cmp(big.NewInt(0)) == 0 {
+		m.failureReason = "the resource version is zero which is not valid"
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// FailureMessage is used when the assertion is `Expect(...).To(...)`
+func (m *HaveValidResourceVersionMatcher) FailureMessage(actual interface{}) (message string) {
+	o, ok := actual.(metav1.Object)
+	if !ok {
+		return fmt.Sprintf("HaveValidResourceVersion matcher expects an api object, but got %T", actual)
+	}
+	return fmt.Sprintf("Expected resource version to be a valid uint128, but got %q: %s", o.GetResourceVersion(), m.failureReason)
+}
+
+// NegatedFailureMessage is used when the assertion is `Expect(...).ToNot(...)`
+func (m *HaveValidResourceVersionMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+	o, ok := actual.(metav1.Object)
+	if !ok {
+		return fmt.Sprintf("HaveValidResourceVersion matcher expects an api object, but got %T", actual)
+	}
+	return fmt.Sprintf("Expected resource version not to be a valid uint128, but got %q", o.GetResourceVersion())
+}
diff --git a/test/e2e/common/apimachinery/resourceversion_matchers_test.go b/test/e2e/common/apimachinery/resourceversion_matchers_test.go
new file mode 100644
index 0000000000000..eda5b0b4be4eb
--- /dev/null
+++ b/test/e2e/common/apimachinery/resourceversion_matchers_test.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apimachinery
+
+import (
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestHaveValidResourceVersionMatch(t *testing.T) {
+	tests := []struct {
+		name            string
+		resourceVersion string
+		expectedMatch   bool
+		expectedFailure string
+	}{
+		{
+			name:            "valid resource version",
+			resourceVersion: "123456789012345678901234567890123456789", // 128-bit unsigned int
+			expectedMatch:   true,
+		},
+		{
+			name:            "zero resource version",
+			resourceVersion: "0",
+			expectedMatch:   false,
+			expectedFailure: "Expected resource version to be a valid uint128, but got \"0\": the resource version is zero which is not valid",
+		},
+		{
+			name:            "negative resource version",
+			resourceVersion: "-1",
+			expectedMatch:   false,
+			expectedFailure: "Expected resource version to be a valid uint128, but got \"-1\": the resource version is a negative number",
+		},
+		{
+			name:            "non-numeric resource version",
+			resourceVersion: "abc",
+			expectedMatch:   false,
+			expectedFailure: "Expected resource version to be a valid uint128, but got \"abc\": the resource version is not a valid integer",
+		},
+		{
+			name:            "empty resource version",
+			resourceVersion: "",
+			expectedMatch:   false,
+			expectedFailure: "Expected resource version to be a valid uint128, but got \"\": the resource version is not a valid integer",
+		},
+		{
+			name:            "resource version too large (129 bits)",
+			resourceVersion: "340282366920938463463374607431768211456", // 2^128
+			expectedMatch:   false,
+			expectedFailure: "Expected resource version to be a valid uint128, but got \"340282366920938463463374607431768211456\": resource version requires 129 bits (more than 128)",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			obj := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					ResourceVersion: tt.resourceVersion,
+				},
+			}
+
+			matcher := HaveValidResourceVersion()
+			match, err := matcher.Match(obj)
+
+			if match != tt.expectedMatch {
+				t.Errorf("Expected match to be %v, but got %v", tt.expectedMatch, match)
+			}
+
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+
+			if !match && matcher.FailureMessage(obj) != tt.expectedFailure {
+				t.Errorf("Expected failure message to be %q, but got %q", tt.expectedFailure, matcher.FailureMessage(obj))
+			}
+		})
+	}
+}
diff --git a/test/e2e/common/node/configmap.go b/test/e2e/common/node/configmap.go
index 6faafd94f27b5..493a38c0638f4 100644
--- a/test/e2e/common/node/configmap.go
+++ b/test/e2e/common/node/configmap.go
@@ -24,7 +24,9 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -140,8 +142,12 @@ var _ = SIGDescribe("ConfigMap", func() {
 		configMap, err := newConfigMapWithEmptyKey(ctx, f)
 		gomega.Expect(err).To(gomega.HaveOccurred(), "created configMap %q with empty key in namespace %q", configMap.Name, f.Namespace.Name)
 	})
-
-	ginkgo.It("should update ConfigMap successfully", func(ctx context.Context) {
+	/*
+		Release : v1.32
+		Testname: ConfigMap Update
+		Description: Ensure that a ConfigMap object can be created and then updated successfully.
+	*/
+	framework.ConformanceIt("should update ConfigMap successfully", f.WithNodeConformance(), func(ctx context.Context) {
 		name := "configmap-test-" + string(uuid.NewUUID())
 		configMap := newConfigMap(f, name)
 		ginkgo.By(fmt.Sprintf("Creating ConfigMap %v/%v", f.Namespace.Name, configMap.Name))
@@ -192,6 +198,7 @@ var _ = SIGDescribe("ConfigMap", func() {
 		framework.ExpectNoError(err, "failed to get ConfigMap")
 		gomega.Expect(configMap.Data["valueName"]).To(gomega.Equal(testConfigMap.Data["valueName"]))
 		gomega.Expect(configMap.Labels["test-configmap-static"]).To(gomega.Equal(testConfigMap.Labels["test-configmap-static"]))
+		gomega.Expect(configMap).To(apimachineryutils.HaveValidResourceVersion())
 
 		configMapPatchPayload, err := json.Marshal(v1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
@@ -206,8 +213,9 @@ var _ = SIGDescribe("ConfigMap", func() {
 		framework.ExpectNoError(err, "failed to marshal patch data")
 
 		ginkgo.By("patching the ConfigMap")
-		_, err = f.ClientSet.CoreV1().ConfigMaps(testNamespaceName).Patch(ctx, testConfigMapName, types.StrategicMergePatchType, []byte(configMapPatchPayload), metav1.PatchOptions{})
+		patchedConfigMap, err := f.ClientSet.CoreV1().ConfigMaps(testNamespaceName).Patch(ctx, testConfigMapName, types.StrategicMergePatchType, []byte(configMapPatchPayload), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch ConfigMap")
+		gomega.Expect(resourceversion.CompareResourceVersion(configMap.ResourceVersion, patchedConfigMap.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("listing all ConfigMaps in all namespaces with a label selector")
 		configMapList, err := f.ClientSet.CoreV1().ConfigMaps("").List(ctx, metav1.ListOptions{
diff --git a/test/e2e/common/node/container.go b/test/e2e/common/node/container.go
index 8af9b9ea6551e..cc762de8ceeb7 100644
--- a/test/e2e/common/node/container.go
+++ b/test/e2e/common/node/container.go
@@ -43,6 +43,7 @@ type ConformanceContainer struct {
 	RestartPolicy    v1.RestartPolicy
 	Volumes          []v1.Volume
 	ImagePullSecrets []string
+	NodeName         string
 
 	PodClient          *e2epod.PodClient
 	podName            string
@@ -50,7 +51,7 @@ type ConformanceContainer struct {
 }
 
 // Create creates the defined conformance container
-func (cc *ConformanceContainer) Create(ctx context.Context) {
+func (cc *ConformanceContainer) Create(ctx context.Context) *v1.Pod {
 	cc.podName = cc.Container.Name + string(uuid.NewUUID())
 	imagePullSecrets := []v1.LocalObjectReference{}
 	for _, s := range cc.ImagePullSecrets {
@@ -65,12 +66,13 @@ func (cc *ConformanceContainer) Create(ctx context.Context) {
 			Containers: []v1.Container{
 				cc.Container,
 			},
+			NodeName:         cc.NodeName,
 			SecurityContext:  cc.PodSecurityContext,
 			Volumes:          cc.Volumes,
 			ImagePullSecrets: imagePullSecrets,
 		},
 	}
-	cc.PodClient.Create(ctx, pod)
+	return cc.PodClient.Create(ctx, pod)
 }
 
 // Delete deletes the defined conformance container
diff --git a/test/e2e/common/node/container_probe.go b/test/e2e/common/node/container_probe.go
index a3b10a744c346..60053a4986152 100644
--- a/test/e2e/common/node/container_probe.go
+++ b/test/e2e/common/node/container_probe.go
@@ -36,7 +36,6 @@ import (
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/events"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eevents "k8s.io/kubernetes/test/e2e/framework/events"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -228,7 +227,7 @@ var _ = SIGDescribe("Probing container", func() {
 		Testname: Pod liveness probe, container exec timeout, restart
 		Description: A Pod is created with liveness probe with a Exec action on the Pod. If the liveness probe call does not return within the timeout specified, liveness probe MUST restart the Pod.
 	*/
-	f.It("should be restarted with an exec liveness probe with timeout [MinimumKubeletVersion:1.20]", f.WithNodeConformance(), func(ctx context.Context) {
+	f.It("should be restarted with an exec liveness probe with timeout", f.WithNodeConformance(), func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
 		livenessProbe := &v1.Probe{
 			ProbeHandler:        execHandler([]string{"/bin/sh", "-c", "sleep 10"}),
@@ -245,7 +244,7 @@ var _ = SIGDescribe("Probing container", func() {
 		Testname: Pod readiness probe, container exec timeout, not ready
 		Description: A Pod is created with readiness probe with a Exec action on the Pod. If the readiness probe call does not return within the timeout specified, readiness probe MUST not be Ready.
 	*/
-	f.It("should not be ready with an exec readiness probe timeout [MinimumKubeletVersion:1.20]", f.WithNodeConformance(), func(ctx context.Context) {
+	f.It("should not be ready with an exec readiness probe timeout", f.WithNodeConformance(), func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
 		readinessProbe := &v1.Probe{
 			ProbeHandler:        execHandler([]string{"/bin/sh", "-c", "sleep 10"}),
@@ -260,7 +259,7 @@ var _ = SIGDescribe("Probing container", func() {
 	/*
 		Release: v1.21
 		Testname: Pod liveness probe, container exec timeout, restart
-		Description: A Pod is created with liveness probe with a Exec action on the Pod. If the liveness probe call does not return within the timeout specified, liveness probe MUST restart the Pod. When ExecProbeTimeout feature gate is disabled and cluster is using dockershim, the timeout is ignored BUT a failing liveness probe MUST restart the Pod.
+		Description: A Pod is created with liveness probe with a Exec action on the Pod. If the liveness probe call does not return within the timeout specified, liveness probe MUST restart the Pod.
 	*/
 	ginkgo.It("should be restarted with a failing exec liveness probe that took longer than the timeout", func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
@@ -730,7 +729,7 @@ done
 	})
 })
 
-var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(features.SidecarContainers), "Probing restartable init container", func() {
+var _ = SIGDescribe(framework.WithNodeConformance(), framework.WithFeatureGate(features.SidecarContainers), "Probing restartable init container", func() {
 	f := framework.NewDefaultFramework("container-probe")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 	var podClient *e2epod.PodClient
@@ -932,7 +931,7 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(feature
 		Pod. If the liveness probe call does not return within the timeout
 		specified, liveness probe MUST restart the Pod.
 	*/
-	ginkgo.It("should be restarted with an exec liveness probe with timeout [MinimumKubeletVersion:1.20]", func(ctx context.Context) {
+	ginkgo.It("should be restarted with an exec liveness probe with timeout", func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
 		livenessProbe := &v1.Probe{
 			ProbeHandler:        execHandler([]string{"/bin/sh", "-c", "sleep 10"}),
@@ -951,7 +950,7 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(feature
 		the Pod. If the readiness probe call does not return within the timeout
 		specified, readiness probe MUST not be Ready.
 	*/
-	ginkgo.It("should not be ready with an exec readiness probe timeout [MinimumKubeletVersion:1.20]", func(ctx context.Context) {
+	ginkgo.It("should not be ready with an exec readiness probe timeout", func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
 		readinessProbe := &v1.Probe{
 			ProbeHandler:        execHandler([]string{"/bin/sh", "-c", "sleep 10"}),
@@ -968,9 +967,7 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(feature
 		Testname: Pod restartalbe init container liveness probe, container exec timeout, restart
 		Description: A Pod is created with liveness probe with a Exec action on the
 		Pod. If the liveness probe call does not return within the timeout
-		specified, liveness probe MUST restart the Pod. When ExecProbeTimeout
-		feature gate is disabled and cluster is using dockershim, the timeout is
-		ignored BUT a failing liveness probe MUST restart the Pod.
+		specified, liveness probe MUST restart the Pod.
 	*/
 	ginkgo.It("should be restarted with a failing exec liveness probe that took longer than the timeout", func(ctx context.Context) {
 		cmd := []string{"/bin/sh", "-c", "sleep 600"}
diff --git a/test/e2e/common/node/downwardapi.go b/test/e2e/common/node/downwardapi.go
index 693534e2a2392..b6cc1556b9fc0 100644
--- a/test/e2e/common/node/downwardapi.go
+++ b/test/e2e/common/node/downwardapi.go
@@ -458,6 +458,10 @@ var _ = SIGDescribe("Downward API", feature.PodLevelResources, framework.WithFea
 				},
 				Spec: v1.PodSpec{
 					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("250m"),
+							v1.ResourceMemory: resource.MustParse("32Mi"),
+						},
 						Limits: v1.ResourceList{
 							v1.ResourceCPU:    resource.MustParse("1250m"),
 							v1.ResourceMemory: resource.MustParse("64Mi"),
@@ -506,6 +510,10 @@ var _ = SIGDescribe("Downward API", feature.PodLevelResources, framework.WithFea
 				},
 				Spec: v1.PodSpec{
 					Resources: &v1.ResourceRequirements{
+						Requests: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("250m"),
+							v1.ResourceMemory: resource.MustParse("32Mi"),
+						},
 						Limits: v1.ResourceList{
 							v1.ResourceCPU: resource.MustParse("1250m"),
 						},
diff --git a/test/e2e/common/node/file_key.go b/test/e2e/common/node/file_key.go
index d575d8bc7e4f0..5aed89c53a23a 100644
--- a/test/e2e/common/node/file_key.go
+++ b/test/e2e/common/node/file_key.go
@@ -61,7 +61,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'CONFIG_1=value1' > /data/config.env && echo 'CONFIG_2=value2' >> /data/config.env"},
+						Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env && echo CONFIG_2=\'value2\' >> /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -136,7 +136,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'CONFIG_1=value1' > /data/config.env && echo 'CONFIG_2=value2' >> /data/config.env && echo 'CONFIG_3=value3' >> /data/config.env"},
+						Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env && echo CONFIG_2=\'value2\' >> /data/config.env && echo CONFIG_3=\'value3\' >> /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -239,7 +239,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'EXISTING_KEY=existing_value' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo EXISTING_KEY=\'existing_value\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -313,7 +313,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'HOOK_CONFIG=hook_value' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo HOOK_CONFIG=\'hook_value\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -394,7 +394,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'HOOK_CONFIG=hook_value' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo HOOK_CONFIG=\'hook_value\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -475,7 +475,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'CONFIG_1=value1' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -545,7 +545,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'CONFIG_1=value1' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -607,7 +607,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'EXISTING_KEY=value' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo EXISTING_KEY=\'value\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -679,7 +679,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:    "setup-envfile",
 						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
-						Command: []string{"sh", "-c", "echo 'EXISTING_KEY=value' > /data/config.env"},
+						Command: []string{"sh", "-c", `echo EXISTING_KEY=\'value\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{
 							{
 								Name:      "config",
@@ -749,7 +749,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:         "setup-envfile",
 						Image:        imageutils.GetE2EImage(imageutils.BusyBox),
-						Command:      []string{"sh", "-c", "echo 'CONFIG_1=value1' > /data/config.env"},
+						Command:      []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{{Name: "config", MountPath: "/data"}},
 					},
 					{
@@ -807,7 +807,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 					{
 						Name:         "setup-envfile",
 						Image:        imageutils.GetE2EImage(imageutils.BusyBox),
-						Command:      []string{"sh", "-c", "echo 'CONFIG_INIT=fail' > /data/config.env"},
+						Command:      []string{"sh", "-c", `echo CONFIG_INIT=\'fail\' > /data/config.env`},
 						VolumeMounts: []v1.VolumeMount{{Name: "config", MountPath: "/data"}},
 					},
 					{
@@ -856,7 +856,7 @@ var _ = SIGDescribe("FileKeyRef", framework.WithFeatureGate(features.EnvFiles),
 				InitContainers: []v1.Container{{
 					Name:         "setup-envfile",
 					Image:        imageutils.GetE2EImage(imageutils.BusyBox),
-					Command:      []string{"sh", "-c", "echo 'CONFIG_EPH=ephemeral' > /data/config.env"},
+					Command:      []string{"sh", "-c", `echo CONFIG_EPH=\'ephemeral\' > /data/config.env`},
 					VolumeMounts: []v1.VolumeMount{{Name: "config", MountPath: "/data"}},
 				}},
 				Containers: []v1.Container{{
diff --git a/test/e2e/common/node/framework/cgroups/cgroups.go b/test/e2e/common/node/framework/cgroups/cgroups.go
index ce9f758341d41..001127afe34a8 100644
--- a/test/e2e/common/node/framework/cgroups/cgroups.go
+++ b/test/e2e/common/node/framework/cgroups/cgroups.go
@@ -207,8 +207,8 @@ func getExpectedCPULimitFromCPUQuota(cpuQuota int64, podOnCgroupV2 bool) string
 	return expectedCPULimitString
 }
 
-func getExpectedMemLimitString(rr *v1.ResourceRequirements, podOnCgroupv2 bool) string {
-	expectedMemLimitInBytes := rr.Limits.Memory().Value()
+func getExpectedMemLimitString(memLimit *resource.Quantity, podOnCgroupv2 bool) string {
+	expectedMemLimitInBytes := memLimit.Value()
 	expectedMemLimitString := strconv.FormatInt(expectedMemLimitInBytes, 10)
 	if podOnCgroupv2 && expectedMemLimitString == "0" {
 		expectedMemLimitString = "max"
@@ -218,7 +218,20 @@ func getExpectedMemLimitString(rr *v1.ResourceRequirements, podOnCgroupv2 bool)
 
 func verifyContainerCPUWeight(f *framework.Framework, pod *v1.Pod, containerName string, expectedResources *v1.ResourceRequirements, podOnCgroupv2 bool) error {
 	cpuWeightCgPath := getCgroupCPURequestPath(cgroupFsPath, podOnCgroupv2)
-	expectedCPUShares := getExpectedCPUShares(expectedResources, podOnCgroupv2)
+	cpuLim := expectedResources.Limits.Cpu()
+	if cpuLim.IsZero() && pod.Spec.Resources != nil {
+		cpuLim = pod.Spec.Resources.Limits.Cpu()
+	}
+	cpuReq := expectedResources.Requests.Cpu()
+	// Bug - Skip comparing cpu.weight if cpu requests are not set for pod with only
+	// pod-level limits. There's a bug in calculation of cpu.weight when containers without
+	// limits are resized and then restarted because of pod-level limits resize.
+	// Check for cpu.weight when the bug is fixed - https://github.com/kubernetes/kubernetes/issues/135260
+	if cpuReq.IsZero() && pod.Spec.Resources != nil {
+		return nil
+	}
+
+	expectedCPUShares := getExpectedCPUShares(cpuReq, cpuLim, podOnCgroupv2)
 	if err := VerifyCgroupValue(f, pod, containerName, cpuWeightCgPath, expectedCPUShares...); err != nil {
 		return fmt.Errorf("failed to verify cpu request cgroup value: %w", err)
 	}
@@ -227,7 +240,11 @@ func verifyContainerCPUWeight(f *framework.Framework, pod *v1.Pod, containerName
 
 func VerifyContainerCPULimit(f *framework.Framework, pod *v1.Pod, containerName string, expectedResources *v1.ResourceRequirements, podOnCgroupv2 bool) error {
 	cpuLimCgPath := getCgroupCPULimitPath(cgroupFsPath, podOnCgroupv2)
-	expectedCPULimits := getCPULimitCgroupExpectations(expectedResources.Limits.Cpu(), podOnCgroupv2)
+	cpuLim := expectedResources.Limits.Cpu()
+	if cpuLim.IsZero() && pod.Spec.Resources != nil {
+		cpuLim = pod.Spec.Resources.Limits.Cpu()
+	}
+	expectedCPULimits := getCPULimitCgroupExpectations(cpuLim, podOnCgroupv2)
 	if err := VerifyCgroupValue(f, pod, containerName, cpuLimCgPath, expectedCPULimits...); err != nil {
 		return fmt.Errorf("failed to verify cpu limit cgroup value: %w", err)
 	}
@@ -236,7 +253,11 @@ func VerifyContainerCPULimit(f *framework.Framework, pod *v1.Pod, containerName
 
 func VerifyContainerMemoryLimit(f *framework.Framework, pod *v1.Pod, containerName string, expectedResources *v1.ResourceRequirements, podOnCgroupv2 bool) error {
 	memLimCgPath := getCgroupMemLimitPath(cgroupFsPath, podOnCgroupv2)
-	expectedMemLim := getExpectedMemLimitString(expectedResources, podOnCgroupv2)
+	memLim := expectedResources.Limits.Memory()
+	if memLim.IsZero() && pod.Spec.Resources != nil {
+		memLim = pod.Spec.Resources.Limits.Memory()
+	}
+	expectedMemLim := getExpectedMemLimitString(memLim, podOnCgroupv2)
 	if expectedMemLim == "0" {
 		return nil
 	}
@@ -268,7 +289,7 @@ func verifyPodCPUWeight(f *framework.Framework, pod *v1.Pod, expectedResources *
 	} else {
 		cpuWeightCgPath = fmt.Sprintf("%s/%s", podCgPath, cgroupCPUSharesFile)
 	}
-	expectedCPUShares := getExpectedCPUShares(expectedResources, podOnCgroupv2)
+	expectedCPUShares := getExpectedCPUShares(expectedResources.Requests.Cpu(), expectedResources.Limits.Cpu(), podOnCgroupv2)
 	if err := VerifyCgroupValue(f, pod, pod.Spec.Containers[0].Name, cpuWeightCgPath, expectedCPUShares...); err != nil {
 		return fmt.Errorf("pod cgroup cpu weight verification failed: %w", err)
 	}
@@ -308,7 +329,7 @@ func verifyPodMemoryLimit(f *framework.Framework, pod *v1.Pod, expectedResources
 	} else {
 		memLimCgPath = fmt.Sprintf("%s/%s", podCgPath, cgroupMemLimitFile)
 	}
-	expectedMemLim := getExpectedMemLimitString(expectedResources, podOnCgroupv2)
+	expectedMemLim := getExpectedMemLimitString(expectedResources.Limits.Memory(), podOnCgroupv2)
 	if expectedMemLim == "0" {
 		return nil
 	}
diff --git a/test/e2e/common/node/framework/cgroups/cgroups_linux.go b/test/e2e/common/node/framework/cgroups/cgroups_linux.go
index c7f3064b5080d..69bfd82193a35 100644
--- a/test/e2e/common/node/framework/cgroups/cgroups_linux.go
+++ b/test/e2e/common/node/framework/cgroups/cgroups_linux.go
@@ -17,37 +17,15 @@ limitations under the License.
 package cgroups
 
 import (
-	"math"
 	"strconv"
 
-	v1 "k8s.io/api/core/v1"
+	libcontainercgroups "github.com/opencontainers/cgroups"
+	"k8s.io/apimachinery/pkg/api/resource"
 	kubecm "k8s.io/kubernetes/pkg/kubelet/cm"
 )
 
-// convertCPUSharesToCgroupV2Value is copied from ConvertCPUSharesToCgroupV2Value in opencontainers/cgroups.
-// https://github.com/opencontainers/cgroups/pull/20/files
-func convertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {
-	// The value of 0 means "unset".
-	if cpuShares == 0 {
-		return 0
-	}
-	if cpuShares <= 2 {
-		return 1
-	}
-	if cpuShares >= 262144 {
-		return 10000
-	}
-	l := math.Log2(float64(cpuShares))
-	// Quadratic function which fits min, max, and default.
-	exponent := (l*l+125*l)/612.0 - 7.0/34.0
-
-	return uint64(math.Ceil(math.Pow(10, exponent)))
-}
-
-func getExpectedCPUShares(rr *v1.ResourceRequirements, podOnCgroupv2 bool) []string {
+func getExpectedCPUShares(cpuRequest, cpuLimit *resource.Quantity, podOnCgroupv2 bool) []string {
 	// This function is moved out from cgroups.go because opencontainers/cgroups can only be compiled in linux platforms.
-	cpuRequest := rr.Requests.Cpu()
-	cpuLimit := rr.Limits.Cpu()
 	var shares int64
 	if cpuRequest.IsZero() && !cpuLimit.IsZero() {
 		shares = int64(kubecm.MilliCPUToShares(cpuLimit.MilliValue()))
@@ -62,7 +40,7 @@ func getExpectedCPUShares(rr *v1.ResourceRequirements, podOnCgroupv2 bool) []str
 		// container runtimes, we check if either the old or the new conversion matches the actual value for now.
 		// TODO: Remove the old conversion once container runtimes are updated.
 		oldConverted := 1 + ((shares-2)*9999)/262142
-		converted := convertCPUSharesToCgroupV2Value(uint64(shares))
+		converted := libcontainercgroups.ConvertCPUSharesToCgroupV2Value(uint64(shares))
 		return []string{strconv.FormatInt(oldConverted, 10), strconv.FormatInt(int64(converted), 10)}
 	} else {
 		return []string{strconv.FormatInt(shares, 10)}
diff --git a/test/e2e/common/node/framework/cgroups/cgroups_unsupported.go b/test/e2e/common/node/framework/cgroups/cgroups_unsupported.go
index 8f5c823c8f14c..5f86b04a579b3 100644
--- a/test/e2e/common/node/framework/cgroups/cgroups_unsupported.go
+++ b/test/e2e/common/node/framework/cgroups/cgroups_unsupported.go
@@ -18,9 +18,9 @@ limitations under the License.
 
 package cgroups
 
-import v1 "k8s.io/api/core/v1"
+import "k8s.io/apimachinery/pkg/api/resource"
 
-func getExpectedCPUShares(rr *v1.ResourceRequirements, podOnCgroupv2 bool) []string {
+func getExpectedCPUShares(cpuRequest, cpuLimit *resource.Quantity, podOnCgroupv2 bool) []string {
 	// cgroup is only supported in linux.
 	return []string{}
 }
diff --git a/test/e2e/common/node/framework/podresize/resize.go b/test/e2e/common/node/framework/podresize/resize.go
index 56c4a0e061f3b..fc6c92452bae6 100644
--- a/test/e2e/common/node/framework/podresize/resize.go
+++ b/test/e2e/common/node/framework/podresize/resize.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"
 
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -77,7 +78,7 @@ func makeResizableContainer(tcInfo ResizableContainerInfo) v1.Container {
 	return tc
 }
 
-func MakePodWithResizableContainers(ns, name, timeStamp string, tcInfo []ResizableContainerInfo) *v1.Pod {
+func MakePodWithResizableContainers(ns, name, timeStamp string, tcInfo []ResizableContainerInfo, podResources *v1.ResourceRequirements) *v1.Pod {
 	testInitContainers, testContainers := separateContainers(tcInfo)
 
 	minGracePeriodSeconds := int64(0)
@@ -97,6 +98,11 @@ func MakePodWithResizableContainers(ns, name, timeStamp string, tcInfo []Resizab
 			TerminationGracePeriodSeconds: &minGracePeriodSeconds,
 		},
 	}
+
+	if podResources != nil {
+		pod.Spec.Resources = podResources
+	}
+
 	return pod
 }
 
@@ -154,7 +160,7 @@ func VerifyPodResizePolicy(gotPod *v1.Pod, wantInfo []ResizableContainerInfo) {
 	}
 }
 
-func VerifyPodResources(gotPod *v1.Pod, wantInfo []ResizableContainerInfo) {
+func VerifyPodResources(gotPod *v1.Pod, wantInfo []ResizableContainerInfo, wantPodResources *v1.ResourceRequirements) {
 	ginkgo.GinkgoHelper()
 
 	gotCtrs := append(append([]v1.Container{}, gotPod.Spec.Containers...), gotPod.Spec.InitContainers...)
@@ -171,6 +177,8 @@ func VerifyPodResources(gotPod *v1.Pod, wantInfo []ResizableContainerInfo) {
 			gomega.Expect(gotCtr.Resources).To(gomega.BeComparableTo(wantCtr.Resources))
 		}
 	}
+	gomega.Expect(gotPod.Spec.Resources).To(gomega.BeComparableTo(wantPodResources))
+
 }
 
 func VerifyPodStatusResources(gotPod *v1.Pod, wantInfo []ResizableContainerInfo) error {
@@ -188,6 +196,18 @@ func VerifyPodStatusResources(gotPod *v1.Pod, wantInfo []ResizableContainerInfo)
 	return utilerrors.NewAggregate(errs)
 }
 
+func VerifyPodLevelStatusResources(gotPod *v1.Pod, wantPodResources *v1.ResourceRequirements) error {
+	var errs []error
+	if err := framework.Gomega().Expect(gotPod.Status.AllocatedResources).To(gomega.BeComparableTo(wantPodResources.Requests)); err != nil {
+		errs = append(errs, fmt.Errorf("pod[%s] status allocatedResources mismatch: %w", gotPod.Name, err))
+	}
+
+	if err := framework.Gomega().Expect(gotPod.Status.Resources).To(gomega.BeComparableTo(wantPodResources)); err != nil {
+		errs = append(errs, fmt.Errorf("pod[%s] status resources mismatch: %w", gotPod.Name, err))
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
 func verifyPodContainersStatusResources(gotCtrStatuses []v1.ContainerStatus, wantCtrs []v1.Container) error {
 	ginkgo.GinkgoHelper()
 
@@ -203,6 +223,10 @@ func verifyPodContainersStatusResources(gotCtrStatuses []v1.ContainerStatus, wan
 			continue
 		}
 
+		if err := framework.Gomega().Expect(gotCtrStatus.AllocatedResources).To(gomega.BeComparableTo(wantCtr.Resources.Requests)); err != nil {
+			errs = append(errs, fmt.Errorf("container[%s] status allocatedResources mismatch: %w", wantCtr.Name, err))
+		}
+
 		if err := framework.Gomega().Expect(*gotCtrStatus.Resources).To(gomega.BeComparableTo(wantCtr.Resources)); err != nil {
 			errs = append(errs, fmt.Errorf("container[%s] status resources mismatch: %w", wantCtr.Name, err))
 		}
@@ -211,6 +235,63 @@ func verifyPodContainersStatusResources(gotCtrStatuses []v1.ContainerStatus, wan
 	return utilerrors.NewAggregate(errs)
 }
 
+func VerifyPodCgroupValues(ctx context.Context, f *framework.Framework, pod *v1.Pod) error {
+	aggregatedReqs, aggregatedLims := AggregateContainerResources(pod.Spec)
+	cpuReq := aggregatedReqs[v1.ResourceCPU]
+	cpuLim := aggregatedLims[v1.ResourceCPU]
+	memLim := aggregatedLims[v1.ResourceMemory]
+	if pod.Spec.Resources != nil {
+		cpuReq = pod.Spec.Resources.Requests[v1.ResourceCPU]
+		if pod.Spec.Resources.Limits != nil {
+			if podCPULim, found := pod.Spec.Resources.Limits[v1.ResourceCPU]; found {
+				cpuLim = podCPULim
+			}
+			if podMemLim, found := pod.Spec.Resources.Limits[v1.ResourceMemory]; found {
+				memLim = podMemLim
+			}
+		}
+	}
+
+	cgroupResources := &cgroups.ContainerResources{
+		CPUReq: cpuReq.String(),
+		MemLim: memLim.String(),
+		CPULim: cpuLim.String(),
+		// memory requests are not set in cgroup
+	}
+
+	return cgroups.VerifyPodCgroups(ctx, f, pod, cgroupResources)
+}
+
+func AggregateContainerResources(spec v1.PodSpec) (v1.ResourceList, v1.ResourceList) {
+	// Pre-allocate map memory based on the test's scope, as only
+	// 'cpu' and 'memory' resources will be tracked.
+	aggregatedReqs := make(v1.ResourceList, 2)
+	aggregatedLims := make(v1.ResourceList, 2)
+
+	for _, container := range spec.Containers {
+		addResourceList(aggregatedReqs, container.Resources.Requests)
+		addResourceList(aggregatedLims, container.Resources.Limits)
+	}
+
+	for _, container := range spec.InitContainers {
+		addResourceList(aggregatedReqs, container.Resources.Requests)
+		addResourceList(aggregatedLims, container.Resources.Limits)
+	}
+
+	return aggregatedReqs, aggregatedLims
+}
+
+// TODO: move this to a common helper method and re-use in pod-level resources
+// related tests
+func addResourceList(des, src v1.ResourceList) {
+	for name, quantity := range src {
+		if value, found := des[name]; found {
+			quantity.Add(value)
+		}
+		des[name] = quantity.DeepCopy()
+	}
+}
+
 func VerifyPodContainersCgroupValues(ctx context.Context, f *framework.Framework, pod *v1.Pod, tcInfo []ResizableContainerInfo) error {
 	ginkgo.GinkgoHelper()
 
@@ -325,12 +406,38 @@ func ExpectPodResized(ctx context.Context, f *framework.Framework, resizedPod *v
 
 	// Verify Pod Containers Cgroup Values
 	var errs []error
+
+	onlyPLRSet := func(pod *v1.Pod) bool {
+		if pod.Spec.Resources == nil {
+			return false
+		}
+
+		for _, container := range pod.Spec.Containers {
+			if container.Resources.Requests != nil && container.Resources.Limits != nil {
+				return false
+			}
+		}
+		return true
+	}
+
+	if onlyPLRSet(resizedPod) {
+		// Wait for containers to start. Pods using only
+		// pod-level resources and undergoing container
+		// restarts experience a startup delay before
+		// cgroup metrics are available.
+		ginkgo.By("Waiting for cgroup reading")
+		const cgroupReadDelay = time.Second * 60
+		time.Sleep(cgroupReadDelay)
+	}
+
 	if cgroupErrs := VerifyPodContainersCgroupValues(ctx, f, resizedPod, expectedContainers); cgroupErrs != nil {
 		errs = append(errs, fmt.Errorf("container cgroup values don't match expected: %w", formatErrors(cgroupErrs)))
 	}
+
 	if resourceErrs := VerifyPodStatusResources(resizedPod, expectedContainers); resourceErrs != nil {
 		errs = append(errs, fmt.Errorf("container status resources don't match expected: %w", formatErrors(resourceErrs)))
 	}
+
 	if restartErrs := verifyPodRestarts(f, resizedPod, expectedContainers); restartErrs != nil {
 		errs = append(errs, fmt.Errorf("container restart counts don't match expected: %w", formatErrors(restartErrs)))
 	}
@@ -349,11 +456,11 @@ func ExpectPodResized(ctx context.Context, f *framework.Framework, resizedPod *v
 	}
 }
 
-func MakeResizePatch(originalContainers, desiredContainers []ResizableContainerInfo) []byte {
-	original, err := json.Marshal(MakePodWithResizableContainers("", "", "", originalContainers))
+func MakeResizePatch(originalContainers, desiredContainers []ResizableContainerInfo, originPodResources, desiredPodResources *v1.ResourceRequirements) []byte {
+	original, err := json.Marshal(MakePodWithResizableContainers("", "", "", originalContainers, originPodResources))
 	framework.ExpectNoError(err)
 
-	desired, err := json.Marshal(MakePodWithResizableContainers("", "", "", desiredContainers))
+	desired, err := json.Marshal(MakePodWithResizableContainers("", "", "", desiredContainers, desiredPodResources))
 	framework.ExpectNoError(err)
 
 	patch, err := strategicpatch.CreateTwoWayMergePatch(original, desired, v1.Pod{})
@@ -373,6 +480,9 @@ func UpdateExpectedContainerRestarts(ctx context.Context, pod *v1.Pod, expectedC
 	for _, ctr := range pod.Status.ContainerStatuses {
 		initialRestarts[ctr.Name] = ctr.RestartCount
 	}
+	for _, ctr := range pod.Status.InitContainerStatuses {
+		initialRestarts[ctr.Name] = ctr.RestartCount
+	}
 	for i, ctr := range expectedContainers {
 		newExpectedContainers = append(newExpectedContainers, expectedContainers[i])
 		newExpectedContainers[i].RestartCount += initialRestarts[ctr.Name]
diff --git a/test/e2e/common/node/framework/podresize/resize_test.go b/test/e2e/common/node/framework/podresize/resize_test.go
index ed85967710983..d8964352fac78 100644
--- a/test/e2e/common/node/framework/podresize/resize_test.go
+++ b/test/e2e/common/node/framework/podresize/resize_test.go
@@ -102,7 +102,7 @@ func TestMakeResizePatch(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			patch := MakeResizePatch(tt.old, tt.new)
+			patch := MakeResizePatch(tt.old, tt.new, nil, nil)
 
 			// Ignore the "$setElementOrder" directive for patch comparison.
 			patchMap := strategicpatch.JSONMap{}
diff --git a/test/e2e/common/node/lease.go b/test/e2e/common/node/lease.go
index 91ed53b459aec..4db20edae4db9 100644
--- a/test/e2e/common/node/lease.go
+++ b/test/e2e/common/node/lease.go
@@ -28,7 +28,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 	"k8s.io/utils/ptr"
@@ -89,6 +91,7 @@ var _ = SIGDescribe("Lease", func() {
 
 		createdLease, err := leaseClient.Create(ctx, lease, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "creating Lease failed")
+		gomega.Expect(createdLease).To(apimachineryutils.HaveValidResourceVersion())
 
 		readLease, err := leaseClient.Get(ctx, name, metav1.GetOptions{})
 		framework.ExpectNoError(err, "couldn't read Lease")
@@ -132,6 +135,7 @@ var _ = SIGDescribe("Lease", func() {
 		if !apiequality.Semantic.DeepEqual(patchedLease.Spec, readLease.Spec) {
 			framework.Failf("Leases don't match. Diff (- for expected, + for actual):\n%s", cmp.Diff(patchedLease.Spec, readLease.Spec))
 		}
+		gomega.Expect(resourceversion.CompareResourceVersion(createdLease.ResourceVersion, readLease.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		name2 := "lease2"
 		lease2 := &coordinationv1.Lease{
diff --git a/test/e2e/common/node/lifecycle_hook.go b/test/e2e/common/node/lifecycle_hook.go
index f2982c1efe136..a7a7d51c2c743 100644
--- a/test/e2e/common/node/lifecycle_hook.go
+++ b/test/e2e/common/node/lifecycle_hook.go
@@ -192,7 +192,7 @@ var _ = SIGDescribe("Container Lifecycle Hook", func() {
 			Testname: Pod Lifecycle, poststart https hook
 			Description: When a post-start handler is specified in the container lifecycle using a 'HttpGet' action, then the handler MUST be invoked before the container is terminated. A server pod is created that will serve https requests, create a second pod on the same node with a container lifecycle specifying a post-start that invokes the server pod to validate that the post-start is executed.
 		*/
-		f.It("should execute poststart https hook properly [MinimumKubeletVersion:1.23]", f.WithNodeConformance(), func(ctx context.Context) {
+		f.It("should execute poststart https hook properly", f.WithNodeConformance(), func(ctx context.Context) {
 			lifecycle := &v1.Lifecycle{
 				PostStart: &v1.LifecycleHandler{
 					HTTPGet: &v1.HTTPGetAction{
@@ -237,7 +237,7 @@ var _ = SIGDescribe("Container Lifecycle Hook", func() {
 			Testname: Pod Lifecycle, prestop https hook
 			Description: When a pre-stop handler is specified in the container lifecycle using a 'HttpGet' action, then the handler MUST be invoked before the container is terminated. A server pod is created that will serve https requests, create a second pod on the same node with a container lifecycle specifying a pre-stop that invokes the server pod to validate that the pre-stop is executed.
 		*/
-		f.It("should execute prestop https hook properly [MinimumKubeletVersion:1.23]", f.WithNodeConformance(), func(ctx context.Context) {
+		f.It("should execute prestop https hook properly", f.WithNodeConformance(), func(ctx context.Context) {
 			lifecycle := &v1.Lifecycle{
 				PreStop: &v1.LifecycleHandler{
 					HTTPGet: &v1.HTTPGetAction{
@@ -258,7 +258,7 @@ var _ = SIGDescribe("Container Lifecycle Hook", func() {
 	})
 })
 
-var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(features.SidecarContainers), "Restartable Init Container Lifecycle Hook", func() {
+var _ = SIGDescribe(framework.WithNodeConformance(), framework.WithFeatureGate(features.SidecarContainers), "Restartable Init Container Lifecycle Hook", func() {
 	f := framework.NewDefaultFramework("restartable-init-container-lifecycle-hook")
 	// FIXME: This test is being run in the privileged mode because of https://github.com/kubernetes/kubernetes/issues/133091
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
@@ -431,7 +431,7 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(feature
 			container lifecycle specifying a post-start that invokes the server pod
 			to validate that the post-start is executed.
 		*/
-		ginkgo.It("should execute poststart https hook properly [MinimumKubeletVersion:1.23]", func(ctx context.Context) {
+		ginkgo.It("should execute poststart https hook properly", func(ctx context.Context) {
 			lifecycle := &v1.Lifecycle{
 				PostStart: &v1.LifecycleHandler{
 					HTTPGet: &v1.HTTPGetAction{
@@ -486,7 +486,7 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithFeatureGate(feature
 			container lifecycle specifying a pre-stop that invokes the server pod to
 			validate that the pre-stop is executed.
 		*/
-		ginkgo.It("should execute prestop https hook properly [MinimumKubeletVersion:1.23]", func(ctx context.Context) {
+		ginkgo.It("should execute prestop https hook properly", func(ctx context.Context) {
 			lifecycle := &v1.Lifecycle{
 				PreStop: &v1.LifecycleHandler{
 					HTTPGet: &v1.HTTPGetAction{
diff --git a/test/e2e/common/node/pod_admission.go b/test/e2e/common/node/pod_admission.go
index 6a411522edfb5..96b273dae90f1 100644
--- a/test/e2e/common/node/pod_admission.go
+++ b/test/e2e/common/node/pod_admission.go
@@ -18,6 +18,7 @@ package node
 
 import (
 	"context"
+	"k8s.io/klog/v2"
 
 	"github.com/onsi/ginkgo/v2"
 
@@ -67,6 +68,7 @@ var _ = SIGDescribe("PodOSRejection", framework.WithNodeConformance(), func() {
 
 // findLinuxNode finds a Linux node that is Ready and Schedulable
 func findLinuxNode(ctx context.Context, f *framework.Framework) (v1.Node, error) {
+	logger := klog.FromContext(ctx)
 	selector := labels.Set{"kubernetes.io/os": "linux"}.AsSelector()
 	nodeList, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
 
@@ -77,7 +79,7 @@ func findLinuxNode(ctx context.Context, f *framework.Framework) (v1.Node, error)
 	var targetNode v1.Node
 	foundNode := false
 	for _, n := range nodeList.Items {
-		if e2enode.IsNodeReady(&n) && e2enode.IsNodeSchedulable(&n) {
+		if e2enode.IsNodeReady(logger, &n) && e2enode.IsNodeSchedulable(logger, &n) {
 			targetNode = n
 			foundNode = true
 			break
diff --git a/test/e2e/common/node/pod_hostnameoverride.go b/test/e2e/common/node/pod_hostnameoverride.go
index e68734e244a04..32e9c93347460 100644
--- a/test/e2e/common/node/pod_hostnameoverride.go
+++ b/test/e2e/common/node/pod_hostnameoverride.go
@@ -43,7 +43,7 @@ func newTestPod(namespace string) *v1.Pod {
 			Containers: []v1.Container{
 				{
 					Name:    "test-pod-hostname-override",
-					Image:   imageutils.GetE2EImage(imageutils.Agnhost),
+					Image:   imageutils.GetE2EImage(imageutils.JessieDnsutils),
 					Command: []string{"sh", "-c", "echo $(hostname)';'$(hostname -f)';'"},
 				},
 			},
diff --git a/test/e2e/common/node/pod_level_resources.go b/test/e2e/common/node/pod_level_resources.go
index cfb88e2318682..0cd60e8047b84 100644
--- a/test/e2e/common/node/pod_level_resources.go
+++ b/test/e2e/common/node/pod_level_resources.go
@@ -152,7 +152,7 @@ func podLevelResourcesTests(f *framework.Framework) {
 		// and limits for the pod. If pod-level resource specifications
 		// are specified, totalPodResources is equal to pod-level resources.
 		// Otherwise, it is calculated by aggregating resource requests and
-		// limits from all containers within the pod..
+		// limits from all containers within the pod.
 		totalPodResources *cgroups.ContainerResources
 	}
 
@@ -161,11 +161,19 @@ func podLevelResourcesTests(f *framework.Framework) {
 		podResources *cgroups.ContainerResources
 		containers   []containerInfo
 		expected     expectedPodConfig
+		// If expectedPodLevelResourcesOverride is not specified,
+		// we check the PodSpec to verify whether the API server correctly injected default values
+		// by comparing it with expected.totalPodResources. In most cases, this comparison works fine.
+		// However, if pod-level limits are not specified and all containers have their limits set,
+		// the cgroup for the pod will be configured with the aggregated container-level limits.
+		// Still, the pod-level limits field itself will not have default values set.
+		// To cover this pattern, we allow overriding the values when comparing against the PodSpec.
+		expectedPodLevelResourcesOverride *cgroups.ContainerResources
 	}
 
 	tests := []testCase{
 		{
-			name: "Guaranteed QoS pod with container resources",
+			name: "Guaranteed QoS pod with only container resources",
 			containers: []containerInfo{
 				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "50m", MemReq: "70Mi", MemLim: "70Mi"}},
 				{Name: "c2", Resources: &cgroups.ContainerResources{CPUReq: "70m", CPULim: "70m", MemReq: "50Mi", MemLim: "50Mi"}},
@@ -185,7 +193,7 @@ func podLevelResourcesTests(f *framework.Framework) {
 			},
 		},
 		{
-			name:         "Guaranteed QoS pod with container resources",
+			name:         "Guaranteed QoS pod with other container resources",
 			podResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "100m", MemReq: "100Mi", MemLim: "100Mi"},
 			containers: []containerInfo{
 				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"}},
@@ -208,6 +216,121 @@ func podLevelResourcesTests(f *framework.Framework) {
 				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "100m", MemReq: "100Mi", MemLim: "100Mi"},
 			},
 		},
+		{
+			name:         "Guaranteed QoS pod, pod resources limits, no container resources",
+			podResources: &cgroups.ContainerResources{CPULim: "100m", MemLim: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1"},
+				{Name: "c2"},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSGuaranteed,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "100m", MemReq: "100Mi", MemLim: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources limits, container resources limits",
+			podResources: &cgroups.ContainerResources{CPULim: "100m", MemLim: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPULim: "50m", MemLim: "50Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPULim: "30m", MemLim: "30Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "80m", CPULim: "100m", MemReq: "80Mi", MemLim: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources limits, container resources requests",
+			podResources: &cgroups.ContainerResources{CPULim: "100m", MemLim: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", MemReq: "50Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPUReq: "30m", MemReq: "30Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "80m", CPULim: "100m", MemReq: "80Mi", MemLim: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, no container resources",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers:   []containerInfo{{Name: "c1"}, {Name: "c2"}},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, container resources requests",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", MemReq: "50Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPUReq: "30m", MemReq: "30Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, container resources requests and partial limits",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "50m", MemReq: "50Mi", MemLim: "50Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPUReq: "30m", MemReq: "30Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, container resources limits",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPULim: "50m", MemLim: "50Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPULim: "50m", MemLim: "50Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "100m", MemReq: "100Mi", MemLim: "100Mi"},
+			},
+			expectedPodLevelResourcesOverride: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, partial container resources limits",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPULim: "50m", MemLim: "50Mi"}},
+				{Name: "c2"},
+			},
+			expected: expectedPodConfig{
+				qos: v1.PodQOSBurstable,
+				// If container-level limits are not specified for all containers,
+				// cpu.max and memory.max will not be set.
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			},
+			expectedPodLevelResourcesOverride: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests, container resources requests and limits",
+			podResources: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "30m", CPULim: "30m", MemReq: "30Mi", MemLim: "30Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPUReq: "30m", CPULim: "30m", MemReq: "30Mi", MemLim: "30Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos: v1.PodQOSBurstable,
+				// At first glance, this may seem invalid. However, the value of CPUReq is only used
+				// to calculate the ratio for cpu.weight (i.e., CPU shares), and the absolute value
+				// of CPUReq is not directly applied. Therefore, it’s not a problem even if CPUReq
+				// exceeds CPULim. Similarly, when the MemoryQoS feature is disabled, MemReq is not
+				// used for memory.min, so it’s also fine for MemReq to exceed MemLim.
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "60m", MemReq: "100Mi", MemLim: "60Mi"},
+			},
+			expectedPodLevelResourcesOverride: &cgroups.ContainerResources{CPUReq: "100m", MemReq: "100Mi"},
+		},
 		{
 			name:         "Burstable QoS pod, no container resources",
 			podResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
@@ -221,7 +344,7 @@ func podLevelResourcesTests(f *framework.Framework) {
 			},
 		},
 		{
-			name:         "Burstable QoS pod with container resources",
+			name:         "Burstable QoS pod with yet some other container resources",
 			podResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
 			containers: []containerInfo{
 				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "20m", CPULim: "100m", MemReq: "20Mi", MemLim: "100Mi"}},
@@ -244,6 +367,53 @@ func podLevelResourcesTests(f *framework.Framework) {
 				totalPodResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
 			},
 		},
+		{
+			name:         "Burstable QoS pod, pod resources requests and limits, container resources limits",
+			podResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPULim: "30m", MemLim: "30Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{CPULim: "20m", MemLim: "20Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, pod resources requests and limits, container resources requests",
+			podResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "50m", MemReq: "30Mi"}},
+				{Name: "c2", Resources: &cgroups.ContainerResources{MemReq: "20Mi"}},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "50m", CPULim: "100m", MemReq: "50Mi", MemLim: "100Mi"},
+			},
+		},
+		{
+			name:         "Burstable QoS pod, partial requests in pod level resources, 1 container with guaranteed resources",
+			podResources: &cgroups.ContainerResources{CPUReq: "", CPULim: "200m", MemReq: "200Mi", MemLim: "200Mi"},
+			containers: []containerInfo{
+				{Name: "c1", Resources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "100m", MemReq: "100Mi", MemLim: "100Mi"}},
+				{Name: "c2"},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBurstable,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "100m", CPULim: "200m", MemReq: "200Mi", MemLim: "200Mi"},
+			},
+		},
+		{
+			name: "BestEffort QoS no pod resources, no container resources",
+			containers: []containerInfo{
+				{Name: "c1"},
+				{Name: "c2"},
+			},
+			expected: expectedPodConfig{
+				qos:               v1.PodQOSBestEffort,
+				totalPodResources: &cgroups.ContainerResources{CPUReq: "", CPULim: "", MemReq: "", MemLim: ""},
+			},
+		},
 	}
 
 	for _, tc := range tests {
@@ -256,7 +426,11 @@ func podLevelResourcesTests(f *framework.Framework) {
 			pod := podClient.CreateSync(ctx, testPod)
 
 			ginkgo.By("verifying pod resources are as expected")
-			verifyPodResources(*pod, tc.podResources, tc.expected.totalPodResources)
+			expectedPodResources := tc.expected.totalPodResources
+			if tc.expectedPodLevelResourcesOverride != nil {
+				expectedPodResources = tc.expectedPodLevelResourcesOverride
+			}
+			verifyPodResources(*pod, tc.podResources, expectedPodResources)
 
 			ginkgo.By("verifying pod QoS as expected")
 			verifyQoS(*pod, tc.expected.qos)
diff --git a/test/e2e/common/node/pod_level_resources_resize.go b/test/e2e/common/node/pod_level_resources_resize.go
new file mode 100644
index 0000000000000..92690114c1dfe
--- /dev/null
+++ b/test/e2e/common/node/pod_level_resources_resize.go
@@ -0,0 +1,707 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package node
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strconv"
+	"time"
+
+	"github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/common/node/framework/cgroups"
+	"k8s.io/kubernetes/test/e2e/common/node/framework/podresize"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
+	admissionapi "k8s.io/pod-security-admission/api"
+
+	"github.com/onsi/ginkgo/v2"
+)
+
+// TODO(ndixita): de-dup tests and common helpers from test/e2e/common/node/pod_resize.go
+func doGuaranteedPodLevelResizeTests(f *framework.Framework) {
+	ginkgo.DescribeTableSubtree("PLR guaranteed qos - 1 container with resize policy", func(cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy, resizeInitCtrs bool) {
+		ginkgo.DescribeTable("resizing", func(ctx context.Context, desiredCtrCPU, desiredCtrMem, desiredPodCPU, desiredPodMem string) {
+
+			// The tests for guaranteed pods include extended resources.
+			nodes, err := e2enode.GetReadySchedulableNodes(context.Background(), f.ClientSet)
+			framework.ExpectNoError(err)
+			for _, node := range nodes.Items {
+				e2enode.AddExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource, resource.MustParse("123"))
+			}
+			defer func() {
+				for _, node := range nodes.Items {
+					e2enode.RemoveExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource)
+				}
+			}()
+
+			originalCtrCPU := originalCPU
+			if desiredCtrCPU == "" {
+				originalCtrCPU = ""
+			}
+			originalCtrMem := originalMem
+			if desiredCtrMem == "" {
+				originalCtrMem = ""
+			}
+
+			originalContainers := makeGuaranteedContainers(1, cpuPolicy, memPolicy, true, true, originalCtrCPU, originalCtrMem)
+			expectedContainers := makeGuaranteedContainers(1, cpuPolicy, memPolicy, true, true, desiredCtrCPU, desiredCtrMem)
+			for i, c := range expectedContainers {
+				// If the pod has init containers, but we are not resizing them, keep the original resources.
+				if c.InitCtr && !resizeInitCtrs {
+					c.Resources = originalContainers[i].Resources
+					expectedContainers[i] = c
+					continue
+				}
+				// For containers where the resize policy is "restart", we expect a restart.
+				expectRestart := int32(0)
+				if cpuPolicy == v1.RestartContainer && desiredCtrCPU != originalCtrCPU {
+					expectRestart = 1
+				}
+				if memPolicy == v1.RestartContainer && desiredCtrMem != originalCtrMem {
+					expectRestart = 1
+				}
+				c.RestartCount = expectRestart
+				expectedContainers[i] = c
+			}
+
+			var originalPodResources, desiredPodResources *v1.ResourceRequirements
+			if desiredPodCPU != "" || desiredPodMem != "" {
+				originalPodResources = makePodResources(offsetCPU(15, originalCPU), offsetCPU(15, originalCPU), offsetMemory(15, originalMem), offsetMemory(15, originalMem))
+				desiredPodResources = makePodResources(offsetCPU(15, desiredPodCPU), offsetCPU(15, desiredPodCPU), offsetMemory(15, desiredPodMem), offsetMemory(15, desiredPodMem))
+			}
+
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, originalPodResources, desiredPodResources, true, true)
+		},
+			// All tests will perform the requested resize, and once completed, will roll back the change.
+			// This results in the coverage of both increase and decrease of
+			// resources.
+			// TODO: de-dup tests in pod_resize.go and this file
+			ginkgo.Entry("cpu", increasedCPU, originalMem, "", ""),
+			ginkgo.Entry("mem", originalCPU, increasedMem, "", ""),
+			ginkgo.Entry("cpu & mem in the same direction", increasedCPU, increasedMem, "", ""),
+			ginkgo.Entry("cpu & mem in opposite directions", increasedCPU, reducedMem, "", ""),
+			ginkgo.Entry("pod-level cpu", originalCPU, originalMem, increasedCPU, originalMem),
+			ginkgo.Entry("pod-level mem", originalCPU, originalMem, originalCPU, offsetMemory(10, increasedMem)),
+			ginkgo.Entry("only pod-level cpu", "", "", increasedCPU, originalMem),
+			ginkgo.Entry("only pod-level mem", "", "", originalCPU, increasedMem),
+			ginkgo.Entry("pod-level cpu & mem in the same direction", originalCPU, originalMem, increasedCPU, increasedMem),
+			ginkgo.Entry("pod-level cpu & mem in opposite directions", originalCPU, originalMem, increasedCPU, reducedMem),
+		)
+	},
+		ginkgo.Entry("no restart", v1.NotRequired, v1.NotRequired, false),
+		ginkgo.Entry("no restart + resize initContainers", v1.NotRequired, v1.NotRequired, true),
+		ginkgo.Entry("mem restart", v1.NotRequired, v1.RestartContainer, false),
+		ginkgo.Entry("cpu restart", v1.RestartContainer, v1.NotRequired, false),
+		ginkgo.Entry("cpu & mem restart", v1.RestartContainer, v1.RestartContainer, false),
+		ginkgo.Entry("cpu & mem restart + resize initContainers", v1.RestartContainer, v1.RestartContainer, true),
+	)
+
+	// All tests will perform the requested resize, and once completed, will roll back the change.
+	// This results in coverage of both the operation as described, and its reverse.
+	ginkgo.Describe("pod-level guaranteed pods with multiple containers", func() {
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, net increase
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a guaranteed pod with 3 containers with a net increase MUST result in the Pod resources being updated as expected.
+		*/
+		framework.It("3 containers - increase cpu & mem on c1, c2, decrease cpu & mem on c3 - net increase [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, increasedMem), MemLim: offsetMemory(0, increasedMem)},
+				},
+				{
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, increasedCPU), CPULim: offsetCPU(1, increasedCPU), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMem)},
+				},
+				{
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, reducedCPU), CPULim: offsetCPU(2, reducedCPU), MemReq: offsetMemory(2, reducedMem), MemLim: offsetMemory(2, reducedMem)},
+				},
+			}
+
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, nil, nil, true, true)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, net decrease
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers with a net decrease MUST result in the Pod resources being updated as expected.
+		*/
+		framework.It("3 containers - increase cpu & mem on c1, decrease cpu & mem on c2, c3 - net decrease [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, increasedMem), MemLim: offsetMemory(0, increasedMem)},
+				},
+				{
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, reducedCPU), CPULim: offsetCPU(1, reducedCPU), MemReq: offsetMemory(1, reducedMem), MemLim: offsetMemory(1, reducedMem)},
+				},
+				{
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, reducedCPU), CPULim: offsetCPU(2, reducedCPU), MemReq: offsetMemory(2, reducedMem), MemLim: offsetMemory(2, reducedMem)},
+				},
+			}
+
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, nil, nil, true, true)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, various operations
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers with various operations MUST result in the Pod resources being updated as expected.
+		*/
+		framework.It("3 containers - increase: CPU (c1,c3), memory (c2, c3) ; decrease: CPU (c2) [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, originalMem), MemLim: offsetMemory(0, originalMem)},
+				},
+				{
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, reducedCPU), CPULim: offsetCPU(1, reducedCPU), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMem)},
+				},
+				{
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, increasedCPU), CPULim: offsetCPU(2, increasedCPU), MemReq: offsetMemory(2, increasedMem), MemLim: offsetMemory(2, increasedMem)},
+				},
+			}
+
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, nil, nil, true, true)
+		})
+	})
+}
+
+func doBurstablePodLevelResizeTests(f *framework.Framework) {
+	ginkgo.DescribeTableSubtree("PLR pod-level burstable pods - 1 container with all requests & limits set and resize policy", func(cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy) {
+		ginkgo.DescribeTable("resizing", func(ctx context.Context, desiredContainerResources, desiredPodLevelResources resourceRequestsLimits) {
+			originalContainers := makeBurstableContainers(1, cpuPolicy, memPolicy, originalCPU, originalCPULimit, originalMem, originalMemLimit)
+			expectedContainers := makeBurstableContainers(1, cpuPolicy, memPolicy, desiredContainerResources.cpuReq, desiredContainerResources.cpuLim, desiredContainerResources.memReq, desiredContainerResources.memLim)
+			for i, c := range expectedContainers {
+				// For containers where the resize policy is "restart", we expect a restart.
+				expectRestart := int32(0)
+				if cpuPolicy == v1.RestartContainer && (desiredContainerResources.cpuReq != originalCPU || desiredContainerResources.cpuLim != originalCPULimit) {
+					expectRestart = 1
+				}
+				if memPolicy == v1.RestartContainer && (desiredContainerResources.memReq != originalMem || desiredContainerResources.memLim != originalMemLimit) {
+					expectRestart = 1
+				}
+				c.RestartCount = expectRestart
+				expectedContainers[i] = c
+			}
+
+			var originalPodResources, desiredPodResources *v1.ResourceRequirements
+			if desiredPodLevelResources != (resourceRequestsLimits{}) {
+				originalPodResources = makePodResources(offsetCPU(30, originalCPU), offsetCPU(30, originalCPULimit), offsetMemory(30, originalMem), offsetMemory(30, originalMemLimit))
+				desiredPodResources = makePodResources(offsetCPU(30, desiredPodLevelResources.cpuReq), offsetCPU(30, desiredPodLevelResources.cpuLim), offsetMemory(30, desiredPodLevelResources.memReq), offsetMemory(30, desiredPodLevelResources.memLim))
+			}
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, originalPodResources, desiredPodResources, true, true)
+		},
+			// All tests will perform the requested resize, and once completed, will roll back the change.
+			// This results in the coverage of both increase and decrease of resources.
+			ginkgo.Entry("cpu requests", resourceRequestsLimits{increasedCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("cpu limits", resourceRequestsLimits{originalCPU, increasedCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("mem requests", resourceRequestsLimits{originalCPU, originalCPULimit, increasedMem, originalMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("mem limits", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, increasedMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("all resources in the same direction", resourceRequestsLimits{increasedCPU, increasedCPULimit, increasedMem, increasedMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("cpu & mem in opposite directions", resourceRequestsLimits{increasedCPU, increasedCPULimit, reducedMem, reducedMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("requests & limits in opposite directions", resourceRequestsLimits{reducedCPU, increasedCPULimit, increasedMem, reducedMemLimit}, resourceRequestsLimits{}),
+			ginkgo.Entry("pod-level cpu requests", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{increasedCPU, originalCPULimit, originalMem, originalMemLimit}),
+			ginkgo.Entry("pod-level cpu limits", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{originalCPU, increasedCPULimit, originalMem, originalMemLimit}),
+			ginkgo.Entry("pod-level mem requests", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{originalCPU, originalCPULimit, increasedMem, originalMemLimit}),
+			ginkgo.Entry("pod-level mem limits", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, increasedMemLimit}),
+			ginkgo.Entry("pod-level all resources in the same direction", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{increasedCPU, increasedCPULimit, increasedMem, increasedMemLimit}),
+			ginkgo.Entry("pod-level cpu & mem in opposite directions", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{increasedCPU, increasedCPULimit, reducedMem, reducedMemLimit}),
+			ginkgo.Entry("pod-level requests & limits in opposite directions", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, originalMemLimit}, resourceRequestsLimits{reducedCPU, increasedCPULimit, increasedMem, reducedMemLimit}),
+		)
+	},
+		ginkgo.Entry("no restart", v1.NotRequired, v1.NotRequired),
+		ginkgo.Entry("cpu restart", v1.RestartContainer, v1.NotRequired),
+		ginkgo.Entry("mem restart", v1.NotRequired, v1.RestartContainer),
+		ginkgo.Entry("cpu & mem restart", v1.RestartContainer, v1.RestartContainer),
+	)
+
+	// The following tests cover the remaining burstable pod scenarios:
+	// - multiple containers
+	// - adding limits where only requests were previously set
+	// - adding requests where none were previously set
+	// - resizing with equivalents (e.g. 2m -> 1m)
+	ginkgo.Describe("burstable pods - extended", func() {
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, burstable pod with multiple containers and various operations
+			Description: Issuing a Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits on a 6-container pod with various operations MUST result in the Pod resources being updated as expected.
+		*/
+		framework.It("6 containers - various operations performed (including adding limits and requests) [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := []podresize.ResizableContainerInfo{
+				{
+					// c1 starts with CPU requests only; increase CPU requests + add CPU limits
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
+				},
+				{
+					// c2 starts with memory requests only; increase memory requests + add memory limits
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
+				},
+				{
+					// c3 starts with CPU and memory requests; decrease memory requests only
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
+				},
+				{
+					// c4 starts with CPU requests only; decrease CPU requests + add memory requests
+					Name:      "c4",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
+				},
+				{
+					// c5 starts with memory requests only; increase memory requests + add CPU requests
+					Name:      "c5",
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
+				},
+			}
+			expectedContainers := []podresize.ResizableContainerInfo{
+				{
+					// c1 starts with CPU requests only; increase CPU requests + add CPU limits
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit},
+				},
+				{
+					// c2 starts with memory requests only; decrease memory requests + add memory limits
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{MemReq: reducedMem, MemLim: increasedMemLimit},
+				},
+				{
+					// c3 starts with CPU and memory requests; decrease memory requests onloy
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: reducedMem},
+				},
+				{
+					// c4 starts with CPU requests only; decrease CPU requests + add memory requests
+					Name:      "c4",
+					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, MemReq: originalMem},
+				},
+				{
+					// c5 starts with memory requests only; increase memory requests + add CPU requests
+					Name:      "c5",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: increasedMem},
+				},
+			}
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, nil, nil, false, true)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, burstable pod resized with equivalents
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU requests and limits using equivalent values (e.g. 2m -> 1m) MUST result in the updated Pod resources displayed correctly in the status.
+		*/
+		framework.It("resize with equivalents [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := []podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			}
+			expectedContainers := []podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "1m", CPULim: "5m"},
+				},
+			}
+			doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, nil, nil, true, true)
+		})
+	})
+
+	ginkgo.DescribeTable("burstable pods - pod-level resources", func(ctx context.Context, originalContainers, expectedContainers []podresize.ResizableContainerInfo, originalPodLevelResources, expectedPodLevelResources resourceRequestsLimits, doRollback bool) {
+
+		originalPodResources := makePodResources(originalPodLevelResources.cpuReq, originalPodLevelResources.cpuLim, originalPodLevelResources.memReq, originalPodLevelResources.memLim)
+		desiredPodResources := makePodResources(expectedPodLevelResources.cpuReq, expectedPodLevelResources.cpuLim, expectedPodLevelResources.memReq, expectedPodLevelResources.memLim)
+
+		doPatchAndRollbackPLR(ctx, f, originalContainers, expectedContainers, originalPodResources, desiredPodResources, doRollback, true)
+	},
+		ginkgo.Entry("pod-level resize with equivalents",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			resourceRequestsLimits{cpuReq: "4m", cpuLim: "20m"},
+			resourceRequestsLimits{cpuReq: "5m", cpuLim: "25m"},
+			true,
+		),
+		ginkgo.Entry("pod-level resize with limits add",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			resourceRequestsLimits{cpuReq: "4m"},
+			resourceRequestsLimits{cpuReq: "5m", cpuLim: "25m"},
+			false,
+		),
+		ginkgo.Entry("pod-level resize with requests and limits add",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
+				},
+			},
+			resourceRequestsLimits{},
+			resourceRequestsLimits{cpuReq: "5m", cpuLim: "25m"},
+			false,
+		),
+		ginkgo.Entry("pod-level resize with no container requests and limits",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name: "c1",
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name: "c1",
+				},
+			},
+			resourceRequestsLimits{cpuReq: "4m", memReq: "10m"},
+			resourceRequestsLimits{cpuReq: "5m", memReq: "25m"},
+			false,
+		),
+	)
+}
+
+var _ = SIGDescribe("PLR Pod InPlace Resize", framework.WithFeatureGate(features.InPlacePodLevelResourcesVerticalScaling), func() {
+	f := framework.NewDefaultFramework("pod-level-resources-resize-tests")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		_, err := e2enode.GetRandomReadySchedulableNode(ctx, f.ClientSet)
+		framework.ExpectNoError(err)
+		if framework.NodeOSDistroIs("windows") {
+			e2eskipper.Skipf("runtime does not support InPlacePodVerticalScaling -- skipping")
+		}
+	})
+
+	doGuaranteedPodLevelResizeTests(f)
+	doBurstablePodLevelResizeTests(f)
+	doPodLevelResourcesMemoryLimitDecreaseTest(f)
+})
+
+func makePodResources(cpuReq, cpuLim, memReq, memLim string) *v1.ResourceRequirements {
+	if cpuReq == "" && memReq == "" && cpuLim == "" && memLim == "" {
+		return nil
+	}
+
+	resources := &v1.ResourceRequirements{}
+
+	if cpuLim != "" || memLim != "" {
+		resources.Limits = v1.ResourceList{}
+	}
+
+	if cpuLim != "" {
+		resources.Limits[v1.ResourceCPU] = resource.MustParse(cpuLim)
+	}
+
+	if memLim != "" {
+		resources.Limits[v1.ResourceMemory] = resource.MustParse(memLim)
+
+	}
+
+	if cpuReq != "" || memReq != "" {
+		resources.Requests = v1.ResourceList{}
+	}
+
+	if cpuReq != "" {
+		resources.Requests[v1.ResourceCPU] = resource.MustParse(cpuReq)
+	}
+
+	if memReq != "" {
+		resources.Requests[v1.ResourceMemory] = resource.MustParse(memReq)
+
+	}
+	return resources
+}
+
+func VerifyPodLevelStatus(gotPod *v1.Pod) error {
+	var errs []error
+	var wantStatusResources *v1.ResourceRequirements
+
+	if gotPod.Status.Phase != v1.PodRunning {
+		wantStatusResources = gotPod.Spec.Resources
+		if err := framework.Gomega().Expect(gotPod.Status.Resources).To(gomega.BeComparableTo(wantStatusResources)); err != nil {
+			errs = append(errs, fmt.Errorf("pod.status.resources mismatch: %w", err))
+		}
+	}
+	// TODO(ndixita) - add tests when to compare Pod.Status.Resources with pod
+	// cgroup config values. Converting cgroup values -> Pod.Status.Resources ->
+	// cgroup values is resulting in indeterministic rounded off values
+
+	var wantAllocatedResources v1.ResourceList
+	aggrReq, _ := podresize.AggregateContainerResources(gotPod.Spec)
+	wantAllocatedResources = aggrReq
+
+	if gotPod.Spec.Resources != nil {
+		wantAllocatedResources = gotPod.Spec.Resources.Requests
+	}
+
+	if err := framework.Gomega().Expect(gotPod.Status.AllocatedResources).To(gomega.BeComparableTo(wantAllocatedResources)); err != nil {
+		errs = append(errs, fmt.Errorf("pod.status.allocatedResources mismatch: %w", err))
+	}
+
+	return utilerrors.NewAggregate(errs)
+}
+
+func doPodLevelResourcesMemoryLimitDecreaseTest(f *framework.Framework) {
+	// Tests the behavior when decreasing pod-level memory limit:
+	// 1. Decrease the limit a little bit - should succeed
+	// 2. Decrease the limit down to a tiny amount - should fail
+	// 3. Revert the limit back to the original value - should succeed
+	ginkgo.It("decrease pod-level memory limit below usage", func(ctx context.Context) {
+		podClient := e2epod.NewPodClient(f)
+		originalPLR := &v1.ResourceRequirements{
+			Requests: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(originalMem),
+			},
+			Limits: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(originalMem),
+			},
+		}
+
+		containers := []podresize.ResizableContainerInfo{{
+			Name: "c1",
+		}}
+
+		ginkgo.By("creating and verifying pod")
+		testPod := createAndVerifyPodPLR(ctx, f, podClient, containers, originalPLR, true)
+
+		// 1. Decrease the limit a little bit - should succeed
+		ginkgo.By("Patching pod with a slightly lowered memory limit")
+		viableLoweredLimitPLR := &v1.ResourceRequirements{
+			Requests: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(reducedMem),
+			},
+			Limits: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(reducedMem),
+			},
+		}
+		patch := podresize.MakeResizePatch(containers, containers, originalPLR, viableLoweredLimitPLR)
+		testPod, pErr := f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
+			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+		framework.ExpectNoError(pErr, "failed to patch pod for viable lowered limit")
+
+		ginkgo.By("verifying pod patched for viable lowered limit")
+		podresize.VerifyPodResources(testPod, containers, viableLoweredLimitPLR)
+
+		ginkgo.By("waiting for viable lowered limit to be actuated")
+		resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, testPod, containers)
+		podresize.ExpectPodResized(ctx, f, resizedPod, containers)
+
+		// There is some latency after container startup before memory usage is scraped. On CRI-O
+		// this latency is much higher, so wait enough time for cAdvisor to scrape metrics twice.
+		ginkgo.By("Waiting for stats scraping")
+		const scrapingDelay = 30 * time.Second // 2 * maxHousekeepingInterval
+		startTime := testPod.Status.StartTime
+		time.Sleep(time.Until(startTime.Add(scrapingDelay)))
+
+		// 2. Decrease the limit down to a tiny amount - should fail
+		const nonViableMemoryLimit = "10Ki"
+		ginkgo.By("Patching pod with a greatly lowered memory limit")
+		nonViableLoweredLimitPLR := &v1.ResourceRequirements{
+			Requests: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(nonViableMemoryLimit),
+			},
+			Limits: v1.ResourceList{
+				v1.ResourceMemory: resource.MustParse(nonViableMemoryLimit),
+			},
+		}
+
+		patch = podresize.MakeResizePatch(containers, containers, viableLoweredLimitPLR, nonViableLoweredLimitPLR)
+		testPod, pErr = f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
+			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+		framework.ExpectNoError(pErr, "failed to patch pod for viable lowered limit")
+
+		framework.ExpectNoError(framework.Gomega().
+			Eventually(ctx, framework.RetryNotFound(framework.GetObject(f.ClientSet.CoreV1().Pods(testPod.Namespace).Get, testPod.Name, metav1.GetOptions{}))).
+			WithTimeout(f.Timeouts.PodStart).
+			Should(framework.MakeMatcher(func(pod *v1.Pod) (func() string, error) {
+				// If VerifyPodLevelStatusResources succeeds, it means the resize completed.
+				if podresize.VerifyPodLevelStatusResources(pod, nonViableLoweredLimitPLR) == nil {
+					return nil, gomega.StopTrying("non-viable resize unexpectedly completed")
+				}
+
+				var inProgressCondition *v1.PodCondition
+				for i, condition := range pod.Status.Conditions {
+					switch condition.Type {
+					case v1.PodResizeInProgress:
+						inProgressCondition = &pod.Status.Conditions[i]
+					case v1.PodResizePending:
+						return func() string {
+							return fmt.Sprintf("pod should not be pending, got reason=%s, message=%q", condition.Reason, condition.Message)
+						}, nil
+					}
+				}
+
+				if inProgressCondition == nil {
+					return func() string { return "resize is not in progress" }, nil
+				}
+
+				if inProgressCondition.Reason != v1.PodReasonError {
+					return func() string { return "in-progress reason is not error" }, nil
+				}
+				expectedMsg := regexp.MustCompile(`memory limit \(\d+\) below current usage`)
+				if !expectedMsg.MatchString(inProgressCondition.Message) {
+					return func() string {
+						return fmt.Sprintf("Expected %q to contain %q", inProgressCondition.Message, expectedMsg)
+					}, nil
+				}
+				return nil, nil
+			})),
+		)
+		ginkgo.By("verifying pod status resources still match the viable resize")
+		framework.ExpectNoError(podresize.VerifyPodStatusResources(testPod, containers))
+
+		// 3. Revert the limit back to the original value - should succeed
+		ginkgo.By("Patching pod to revert to original state")
+		patch = podresize.MakeResizePatch(containers, containers, viableLoweredLimitPLR, originalPLR)
+		testPod, pErr = f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
+			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+		framework.ExpectNoError(pErr, "failed to patch pod back to original values")
+
+		ginkgo.By("verifying pod patched for original values")
+		podresize.VerifyPodResources(testPod, containers, originalPLR)
+
+		ginkgo.By("waiting for the original values to be actuated")
+		resizedPod = podresize.WaitForPodResizeActuation(ctx, f, podClient, testPod, containers)
+		podresize.ExpectPodResized(ctx, f, resizedPod, containers)
+
+		ginkgo.By("deleting pod")
+		podClient.DeleteSync(ctx, testPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+	})
+}
+
+func doPatchAndRollbackPLR(ctx context.Context, f *framework.Framework, originalContainers, expectedContainers []podresize.ResizableContainerInfo, originalPodResources, expectedPodResources *v1.ResourceRequirements, doRollback bool, mountPodCgroup bool) {
+	ginkgo.By("creating and verifying pod")
+	podClient := e2epod.NewPodClient(f)
+	newPod := createAndVerifyPodPLR(ctx, f, podClient, originalContainers, originalPodResources, mountPodCgroup)
+
+	if expectedPodResources != nil {
+		framework.ExpectNoError(VerifyPodLevelStatus(newPod))
+	}
+	ginkgo.By(fmt.Sprintf("patching and verifying pod for resize %s: %v", newPod.Name, newPod.UID))
+	patchAndVerifyPLR(ctx, f, podClient, newPod, originalContainers, expectedContainers, originalPodResources, expectedPodResources, "resize")
+	if doRollback {
+		// Resize has been actuated, test the reverse operation.
+		rollbackContainers := createRollbackContainers(originalContainers, expectedContainers)
+		ginkgo.By("patching and verifying pod for rollback")
+		patchAndVerify(ctx, f, podClient, newPod, expectedContainers, rollbackContainers, expectedPodResources, originalPodResources, "rollback")
+	}
+
+	ginkgo.By("deleting pod")
+	podClient.DeleteSync(ctx, newPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+}
+
+func patchAndVerifyPLR(ctx context.Context, f *framework.Framework, podClient *e2epod.PodClient, newPod *v1.Pod, originalContainers, expectedContainers []podresize.ResizableContainerInfo, originalPodResources, expectedPodResources *v1.ResourceRequirements, opStr string) {
+	patch := podresize.MakeResizePatch(originalContainers, expectedContainers, originalPodResources, expectedPodResources)
+	patchedPod, pErr := f.ClientSet.CoreV1().Pods(newPod.Namespace).Patch(ctx, newPod.Name,
+		types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+	framework.ExpectNoError(pErr, fmt.Sprintf("failed to patch pod for %s", opStr))
+
+	expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+
+	podresize.VerifyPodResources(patchedPod, expected, expectedPodResources)
+	resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPod, expected)
+	podresize.ExpectPodResized(ctx, f, resizedPod, expected)
+	// Uncomment pod-level status verification after patch in 1.36 release.
+	// convesion of cgroup values -> Pod.Status.Resources -> cgroup values is
+	// resulting in values off by a small number.
+	// framework.ExpectNoError(VerifyPodLevelStatus(resizedPod))
+	if expectedPodResources != nil {
+		framework.ExpectNoError(podresize.VerifyPodCgroupValues(ctx, f, resizedPod))
+	}
+}
+
+func createAndVerifyPodPLR(ctx context.Context, f *framework.Framework, podClient *e2epod.PodClient, originalContainers []podresize.ResizableContainerInfo, podResources *v1.ResourceRequirements, mountPodCgroup bool) *v1.Pod {
+	tStamp := strconv.Itoa(time.Now().Nanosecond())
+	testPod := podresize.MakePodWithResizableContainers(f.Namespace.Name, "", tStamp, originalContainers, podResources)
+	testPod.GenerateName = "resize-test-"
+	testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
+
+	// TODO: mount pod cgroup path for all pod resize related tests and remove
+	// dependency on mountPodCgroup
+	if mountPodCgroup {
+		// mount pod cgroup in first container that can be used for pod cgroup values verification
+		cgroups.ConfigureHostPathForPodCgroup(testPod)
+	}
+
+	newPod := podClient.CreateSync(ctx, testPod)
+	podresize.VerifyPodResources(newPod, originalContainers, podResources)
+
+	podresize.VerifyPodResizePolicy(newPod, originalContainers)
+	framework.ExpectNoError(podresize.VerifyPodStatusResources(newPod, originalContainers))
+
+	framework.ExpectNoError(podresize.VerifyPodContainersCgroupValues(ctx, f, newPod, originalContainers))
+	if podResources != nil {
+		framework.ExpectNoError(podresize.VerifyPodCgroupValues(ctx, f, newPod))
+	}
+	return newPod
+}
diff --git a/test/e2e/common/node/pod_resize.go b/test/e2e/common/node/pod_resize.go
index fbd7dfbb3391f..c1f31a16e3414 100644
--- a/test/e2e/common/node/pod_resize.go
+++ b/test/e2e/common/node/pod_resize.go
@@ -24,10 +24,11 @@ import (
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/e2e/common/node/framework/cgroups"
 	"k8s.io/kubernetes/test/e2e/common/node/framework/podresize"
 	"k8s.io/kubernetes/test/e2e/framework"
@@ -35,6 +36,7 @@ import (
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 )
@@ -58,6 +60,9 @@ const (
 )
 
 func offsetCPU(index int, value string) string {
+	if value == "" {
+		return ""
+	}
 	val := resource.MustParse(value)
 	ptr := &val
 	ptr.Add(resource.MustParse(fmt.Sprintf("%dm", 2*index)))
@@ -65,1211 +70,540 @@ func offsetCPU(index int, value string) string {
 }
 
 func offsetMemory(index int64, value string) string {
+	if value == "" {
+		return ""
+	}
 	val := resource.MustParse(value)
 	ptr := &val
 	ptr.Add(resource.MustParse(fmt.Sprintf("%dMi", 2*index)))
 	return ptr.String()
 }
 
-func doPodResizeTests(f *framework.Framework) {
-	type testCase struct {
-		name                string
-		containers          []podresize.ResizableContainerInfo
-		expected            []podresize.ResizableContainerInfo
-		addExtendedResource bool
-		// TODO(123940): test rollback for all test cases once resize is more responsive.
-		testRollback bool
-	}
+func doGuaranteedPodResizeTests(f *framework.Framework) {
+	ginkgo.DescribeTableSubtree("guaranteed qos - 1 container with resize policy", func(cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy, resizeInitCtrs bool) {
+		ginkgo.DescribeTable("resizing", func(ctx context.Context, desiredCPU, desiredMem string) {
 
-	noRestart := v1.NotRequired
-	doRestart := v1.RestartContainer
-	tests := []testCase{
-		{
-			name: "Guaranteed QoS pod, one container - increase CPU & memory",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: increasedMem, MemLim: increasedMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one container - decrease CPU only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Guaranteed QoS pod, three containers (c1, c2, c3) - increase: CPU (c1,c3), memory (c2, c3) ; decrease: CPU (c2)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, originalCPU), CPULim: offsetCPU(1, originalCPU), MemReq: offsetMemory(1, originalMem), MemLim: offsetMemory(1, originalMem)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, originalCPU), CPULim: offsetCPU(2, originalCPU), MemReq: offsetMemory(2, originalMem), MemLim: offsetMemory(2, originalMem)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, reducedCPU), CPULim: offsetCPU(1, reducedCPU), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMem)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, increasedCPU), CPULim: offsetCPU(2, increasedCPU), MemReq: offsetMemory(2, increasedMem), MemLim: offsetMemory(2, increasedMem)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease memory requests only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: reducedMem, MemLim: originalMemLimit},
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase memory requests only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: increasedMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase memory limits only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: increasedMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod with memory requests + limits - decrease memory limit",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: reducedMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease CPU requests only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease CPU limits only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: reducedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase CPU requests only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase CPU limits only",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease CPU requests and limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase CPU requests and limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease CPU requests and increase CPU limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase CPU requests and decrease CPU limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: reducedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase memory requests and limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: increasedMem, MemLim: increasedMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease memory requests and increase memory limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: reducedMem, MemLim: increasedMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease CPU requests and increase memory limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: increasedMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - decrease memory requests and increase CPU limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: increasedCPULimit, MemReq: reducedMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - increase memory requests and decrease CPU limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: reducedCPULimit, MemReq: increasedMem, MemLim: originalMemLimit},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests - decrease memory request",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: reducedMem},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests - increase cpu request",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, MemReq: originalMem},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu requests and limits - resize with equivalents",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: "1m", CPULim: "5m"},
-				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one container - increase CPU (NotRequired) & memory (RestartContainer)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:         "c1",
-					Resources:    &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: increasedMem, MemLim: increasedMem},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &doRestart,
-					RestartCount: 1,
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Burstable QoS pod, one container - decrease CPU (NotRequired) & memory (RestartContainer)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:         "c1",
-					Resources:    &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPULimit, MemReq: reducedMem, MemLim: reducedMemLimit},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &doRestart,
-					RestartCount: 1,
-				},
-			},
-			testRollback: true,
-		},
-		{
-			name: "Burstable QoS pod, one container - decrease memory request (RestartContainer memory resize policy)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:         "c1",
-					Resources:    &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: reducedMem, MemLim: originalMemLimit},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &doRestart,
-					RestartCount: 1,
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container - increase memory request (NoRestart memory resize policy)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:         "c1",
-					Resources:    &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: increasedMem, MemLim: originalMemLimit},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &noRestart,
-					RestartCount: 0,
-				},
-			},
+			// The tests for guaranteed pods include extended resources.
+			nodes, err := e2enode.GetReadySchedulableNodes(context.Background(), f.ClientSet)
+			framework.ExpectNoError(err)
+			for _, node := range nodes.Items {
+				e2enode.AddExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource, resource.MustParse("123"))
+			}
+			defer func() {
+				for _, node := range nodes.Items {
+					e2enode.RemoveExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource)
+				}
+			}()
+
+			originalContainers := makeGuaranteedContainers(1, cpuPolicy, memPolicy, true, true, originalCPU, originalMem)
+			expectedContainers := makeGuaranteedContainers(1, cpuPolicy, memPolicy, true, true, desiredCPU, desiredMem)
+			for i, c := range expectedContainers {
+				// If the pod has init containers, but we are not resizing them, keep the original resources.
+				if c.InitCtr && !resizeInitCtrs {
+					c.Resources = originalContainers[i].Resources
+					expectedContainers[i] = c
+					continue
+				}
+				// For containers where the resize policy is "restart", we expect a restart.
+				expectRestart := int32(0)
+				if cpuPolicy == v1.RestartContainer && desiredCPU != originalCPU {
+					expectRestart = 1
+				}
+				if memPolicy == v1.RestartContainer && desiredMem != originalMem {
+					expectRestart = 1
+				}
+				c.RestartCount = expectRestart
+				expectedContainers[i] = c
+			}
+
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
 		},
-		{
-			name: "Burstable QoS pod, three containers - increase c1 resources, no change for c2, decrease c3 resources (no net change for pod)",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, originalCPU), CPULim: offsetCPU(1, originalCPULimit), MemReq: offsetMemory(1, originalMem), MemLim: offsetMemory(1, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-				{
-					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, originalCPU), CPULim: offsetCPU(2, originalCPULimit), MemReq: offsetMemory(2, originalMem), MemLim: offsetMemory(2, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
+			// All tests will perform the requested resize, and once completed, will roll back the change.
+			// This results in the coverage of both increase and decrease of resources.
+			ginkgo.Entry("cpu", increasedCPU, originalMem),
+			ginkgo.Entry("mem", originalCPU, increasedMem),
+			ginkgo.Entry("cpu & mem in the same direction", increasedCPU, increasedMem),
+			ginkgo.Entry("cpu & mem in opposite directions", increasedCPU, reducedMem),
+		)
+	},
+		ginkgo.Entry("no restart", v1.NotRequired, v1.NotRequired, false),
+		ginkgo.Entry("no restart + resize initContainers", v1.NotRequired, v1.NotRequired, true),
+		ginkgo.Entry("mem restart", v1.NotRequired, v1.RestartContainer, false),
+		ginkgo.Entry("cpu restart", v1.RestartContainer, v1.NotRequired, false),
+		ginkgo.Entry("cpu & mem restart", v1.RestartContainer, v1.RestartContainer, false),
+		ginkgo.Entry("cpu & mem restart + resize initContainers", v1.RestartContainer, v1.RestartContainer, true),
+	)
+
+	// All tests will perform the requested resize, and once completed, will roll back the change.
+	// This results in coverage of both the operation as described, and its reverse.
+	ginkgo.Describe("guaranteed pods with multiple containers", func() {
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, net increase
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a guaranteed pod with 3 containers with a net increase MUST result in the Pod resources being updated as expected.
+		*/
+		framework.ConformanceIt("3 containers - increase cpu & mem on c1, c2, decrease cpu & mem on c3 - net increase [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit, MemReq: increasedMem, MemLim: increasedMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, increasedMem), MemLim: offsetMemory(0, increasedMem)},
 				},
 				{
 					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, originalCPU), CPULim: offsetCPU(1, originalCPULimit), MemReq: offsetMemory(1, originalMem), MemLim: offsetMemory(1, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, increasedCPU), CPULim: offsetCPU(1, increasedCPU), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMem)},
 				},
 				{
 					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, reducedCPU), CPULim: offsetCPU(2, reducedCPULimit), MemReq: offsetMemory(2, reducedMem), MemLim: offsetMemory(2, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, reducedCPU), CPULim: offsetCPU(2, reducedCPU), MemReq: offsetMemory(2, reducedMem), MemLim: offsetMemory(2, reducedMem)},
 				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, three containers - decrease c1 resources, increase c2 resources, no change for c3 (net increase for pod)",
-			containers: []podresize.ResizableContainerInfo{
+			}
+
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, net decrease
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers with a net decrease MUST result in the Pod resources being updated as expected.
+		*/
+		framework.ConformanceIt("3 containers - increase cpu & mem on c1, decrease cpu & mem on c2, c3 - net decrease [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, increasedMem), MemLim: offsetMemory(0, increasedMem)},
 				},
 				{
 					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, originalCPU), CPULim: offsetCPU(1, originalCPULimit), MemReq: offsetMemory(1, originalMem), MemLim: offsetMemory(1, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-				{
-					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, originalCPU), CPULim: offsetCPU(2, originalCPULimit), MemReq: offsetMemory(2, originalMem), MemLim: offsetMemory(2, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPULimit, MemReq: reducedMem, MemLim: originalMemLimit},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:         "c2",
-					Resources:    &cgroups.ContainerResources{CPUReq: offsetCPU(2, increasedCPU), CPULim: offsetCPU(2, increasedCPULimit), MemReq: offsetMemory(2, increasedMem), MemLim: offsetMemory(2, increasedMemLimit)},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &doRestart,
-					RestartCount: 1,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, reducedCPU), CPULim: offsetCPU(1, reducedCPU), MemReq: offsetMemory(1, reducedMem), MemLim: offsetMemory(1, reducedMem)},
 				},
 				{
 					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, originalCPU), CPULim: offsetCPU(2, originalCPULimit), MemReq: offsetMemory(2, originalMem), MemLim: offsetMemory(2, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, reducedCPU), CPULim: offsetCPU(2, reducedCPU), MemReq: offsetMemory(2, reducedMem), MemLim: offsetMemory(2, reducedMem)},
 				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, three containers - no change for c1, increase c2 resources, decrease c3 (net decrease for pod)",
-			containers: []podresize.ResizableContainerInfo{
+			}
+
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, guaranteed pods with multiple containers, various operations
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits for a pod with 3 containers with various operations MUST result in the Pod resources being updated as expected.
+		*/
+		framework.ConformanceIt("3 containers - increase: CPU (c1,c3), memory (c2, c3) ; decrease: CPU (c2) [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := makeGuaranteedContainers(3, v1.NotRequired, v1.NotRequired, false, false, originalCPU, originalMem)
+			for i := range originalContainers {
+				originalContainers[i].CPUPolicy = nil
+				originalContainers[i].MemPolicy = nil
+			}
+
+			expectedContainers := []podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &doRestart,
-					MemPolicy: &doRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(0, increasedCPU), CPULim: offsetCPU(0, increasedCPU), MemReq: offsetMemory(0, originalMem), MemLim: offsetMemory(0, originalMem)},
 				},
 				{
 					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, originalCPU), CPULim: offsetCPU(1, originalCPULimit), MemReq: offsetMemory(1, originalMem), MemLim: offsetMemory(1, originalMemLimit)},
-					CPUPolicy: &doRestart,
-					MemPolicy: &noRestart,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(1, reducedCPU), CPULim: offsetCPU(1, reducedCPU), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMem)},
 				},
 				{
 					Name:      "c3",
-					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, originalCPU), CPULim: offsetCPU(2, originalCPULimit), MemReq: offsetMemory(2, originalMem), MemLim: offsetMemory(2, originalMemLimit)},
-					CPUPolicy: &noRestart,
-					MemPolicy: &doRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					CPUPolicy: &doRestart,
-					MemPolicy: &doRestart,
-				},
-				{
-					Name:         "c2",
-					Resources:    &cgroups.ContainerResources{CPUReq: offsetCPU(1, increasedCPU), CPULim: offsetCPU(1, increasedCPULimit), MemReq: offsetMemory(1, increasedMem), MemLim: offsetMemory(1, increasedMemLimit)},
-					CPUPolicy:    &doRestart,
-					MemPolicy:    &noRestart,
-					RestartCount: 1,
-				},
-				{
-					Name:         "c3",
-					Resources:    &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPULimit, MemReq: reducedMem, MemLim: reducedMemLimit},
-					CPUPolicy:    &noRestart,
-					MemPolicy:    &doRestart,
-					RestartCount: 1,
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, mixed containers - scale up cpu and memory",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: increasedMem, MemLim: increasedMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, mixed containers - add requests",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
-				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, mixed containers - add limits",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one container - increase CPU & memory with an extended resource",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name: "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem,
-						ExtendedResourceReq: "1", ExtendedResourceLim: "1"},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name: "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: increasedMem, MemLim: increasedMem,
-						ExtendedResourceReq: "1", ExtendedResourceLim: "1"},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-			},
-			addExtendedResource: true,
-		},
-		{
-			name: "BestEffort QoS pod - empty resize",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{},
-				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{},
-				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one restartable init container - increase CPU & memory",
-			containers: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy:     &noRestart,
-					MemPolicy:     &noRestart,
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: offsetCPU(2, increasedCPU), CPULim: offsetCPU(2, increasedCPU), MemReq: offsetMemory(2, increasedMem), MemLim: offsetMemory(2, increasedMem)},
 				},
-			},
-			expected: []podresize.ResizableContainerInfo{
-				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					CPUPolicy: &noRestart,
-					MemPolicy: &noRestart,
+			}
+
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
+		})
+	})
+}
+
+type resourceRequestsLimits struct {
+	cpuReq string
+	cpuLim string
+	memReq string
+	memLim string
+}
+
+func doBurstablePodResizeTests(f *framework.Framework) {
+	ginkgo.DescribeTableSubtree("burstable pods - 1 container with all requests & limits set and resize policy", func(cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy) {
+		ginkgo.DescribeTable("resizing", func(ctx context.Context, desiredContainerResources resourceRequestsLimits) {
+			originalContainers := makeBurstableContainers(1, cpuPolicy, memPolicy, originalCPU, originalCPULimit, originalMem, originalMemLimit)
+			expectedContainers := makeBurstableContainers(1, cpuPolicy, memPolicy, desiredContainerResources.cpuReq, desiredContainerResources.cpuLim, desiredContainerResources.memReq, desiredContainerResources.memLim)
+			for i, c := range expectedContainers {
+				// For containers where the resize policy is "restart", we expect a restart.
+				expectRestart := int32(0)
+				if cpuPolicy == v1.RestartContainer && (desiredContainerResources.cpuReq != originalCPU || desiredContainerResources.cpuLim != originalCPULimit) {
+					expectRestart = 1
+				}
+				if memPolicy == v1.RestartContainer && (desiredContainerResources.memReq != originalMem || desiredContainerResources.memLim != originalMemLimit) {
+					expectRestart = 1
+				}
+				c.RestartCount = expectRestart
+				expectedContainers[i] = c
+			}
+
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
+		},
+			// All tests will perform the requested resize, and once completed, will roll back the change.
+			// This results in the coverage of both increase and decrease of resources.
+			ginkgo.Entry("cpu requests", resourceRequestsLimits{increasedCPU, originalCPULimit, originalMem, originalMemLimit}),
+			ginkgo.Entry("cpu limits", resourceRequestsLimits{originalCPU, increasedCPULimit, originalMem, originalMemLimit}),
+			ginkgo.Entry("mem requests", resourceRequestsLimits{originalCPU, originalCPULimit, increasedMem, originalMemLimit}),
+			ginkgo.Entry("mem limits", resourceRequestsLimits{originalCPU, originalCPULimit, originalMem, increasedMemLimit}),
+			ginkgo.Entry("all resources in the same direction", resourceRequestsLimits{increasedCPU, increasedCPULimit, increasedMem, increasedMemLimit}),
+			ginkgo.Entry("cpu & mem in opposite directions", resourceRequestsLimits{increasedCPU, increasedCPULimit, reducedMem, reducedMemLimit}),
+			ginkgo.Entry("requests & limits in opposite directions", resourceRequestsLimits{reducedCPU, increasedCPULimit, increasedMem, reducedMemLimit}),
+		)
+	},
+		ginkgo.Entry("no restart", v1.NotRequired, v1.NotRequired),
+		ginkgo.Entry("cpu restart", v1.RestartContainer, v1.NotRequired),
+		ginkgo.Entry("mem restart", v1.NotRequired, v1.RestartContainer),
+		ginkgo.Entry("cpu & mem restart", v1.RestartContainer, v1.RestartContainer),
+	)
+
+	// The following tests cover the remaining burstable pod scenarios:
+	// - multiple containers
+	// - adding limits where only requests were previously set
+	// - adding requests where none were previously set
+	// - resizing with equivalents (e.g. 2m -> 1m)
+	ginkgo.Describe("burstable pods - extended", func() {
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, burtable pod with multiple containers and various operations
+			Description: Issuing a Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU and memory requests and limits on a 6-container pod with various operations MUST result in the Pod resources being updated as expected.
+		*/
+		framework.ConformanceIt("6 containers - various operations performed (including adding limits and requests) [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := []podresize.ResizableContainerInfo{
+				{
+					// c1 starts with CPU requests only; increase CPU requests + add CPU limits
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
+				},
+				{
+					// c2 starts with memory requests only; increase memory requests + add memory limits
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
 				},
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPU, MemReq: increasedMem, MemLim: increasedMem},
-					CPUPolicy:     &noRestart,
-					MemPolicy:     &noRestart,
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					// c3 starts with CPU and memory requests; decrease memory requests only
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
 				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one restartable init container - decrease CPU & increase memory",
-			containers: []podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					// c4 starts with CPU requests only; decrease CPU requests + add memory requests
+					Name:      "c4",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					// c5 starts with memory requests only; increase memory requests + add CPU requests
+					Name:      "c5",
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
 				},
-			},
-			expected: []podresize.ResizableContainerInfo{
+			}
+			expectedContainers := []podresize.ResizableContainerInfo{
 				{
+					// c1 starts with CPU requests only; increase CPU requests + add CPU limits
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit},
 				},
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPU, MemReq: increasedMem, MemLim: increasedMem},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					// c2 starts with memory requests only; decrease memory requests + add memory limits
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{MemReq: reducedMem, MemLim: increasedMemLimit},
 				},
-			},
-		},
-		{
-			name: "Guaranteed QoS pod, one container, one restartable init container - decrease init container CPU",
-			containers: []podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					// c3 starts with CPU and memory requests; decrease memory requests onloy
+					Name:      "c3",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: reducedMem},
 				},
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					// c4 starts with CPU requests only; decrease CPU requests + add memory requests
+					Name:      "c4",
+					Resources: &cgroups.ContainerResources{CPUReq: reducedCPU, MemReq: originalMem},
 				},
-			},
-			expected: []podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					// c5 starts with memory requests only; increase memory requests + add CPU requests
+					Name:      "c5",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: increasedMem},
 				},
+			}
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, false, false)
+		})
+
+		/*
+			Release: v1.35
+			Testname: In-place Pod Resize, burstable pod resized with equivalents
+			Description: Issuing an in-place Pod Resize request via the Pod Resize subresource patch endpoint to modify CPU requests and limits using equivalent values (e.g. 2m -> 1m) MUST result in the updated Pod resources displayed correctly in the status.
+		*/
+		framework.ConformanceIt("resize with equivalents [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+			originalContainers := []podresize.ResizableContainerInfo{
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPU, MemReq: originalMem, MemLim: originalMem},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "2m", CPULim: "10m"},
 				},
-			},
-		},
-		{
-			name: "Burstable QoS pod, one container, one restartable init container - increase init container CPU & memory",
-			containers: []podresize.ResizableContainerInfo{
+			}
+			expectedContainers := []podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Resources: &cgroups.ContainerResources{CPUReq: "1m", CPULim: "5m"},
 				},
+			}
+			doPatchAndRollback(ctx, f, originalContainers, expectedContainers, nil, nil, true, false)
+		})
+	})
+}
+
+func doPodResizePatchErrorTests(f *framework.Framework) {
+	ginkgo.DescribeTable("apply invalid resize patch requests", func(ctx context.Context, originalContainers, desiredContainers []podresize.ResizableContainerInfo, patchError string, waitForStart bool) {
+		podClient := e2epod.NewPodClient(f)
+		var newPod *v1.Pod
+
+		ginkgo.By("creating and verifying pod")
+		if waitForStart {
+			newPod = createAndVerifyPod(ctx, f, podClient, originalContainers, nil, false)
+		} else {
+			tStamp := strconv.Itoa(time.Now().Nanosecond())
+			testPod := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod", tStamp, originalContainers, nil)
+			testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
+			newPod = podClient.Create(ctx, testPod)
+		}
+
+		ginkgo.By("patching pod for resize")
+		patch := podresize.MakeResizePatch(originalContainers, desiredContainers, nil, nil)
+		_, pErr := f.ClientSet.CoreV1().Pods(newPod.Namespace).Patch(ctx, newPod.Name,
+			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+		gomega.Expect(pErr).To(gomega.HaveOccurred())
+		gomega.Expect(pErr.Error()).To(gomega.ContainSubstring(patchError))
+
+		patchedPod, getErr := f.ClientSet.CoreV1().Pods(newPod.Namespace).Get(ctx, newPod.Name, metav1.GetOptions{})
+		framework.ExpectNoError(getErr)
+
+		ginkgo.By("verifying pod resources after patch")
+		podresize.VerifyPodResources(patchedPod, originalContainers, nil)
+
+		if waitForStart {
+			ginkgo.By("verifying pod status resources after patch")
+			framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPod, originalContainers))
+		}
+
+		ginkgo.By("deleting pod")
+		podClient.DeleteSync(ctx, newPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+	},
+		ginkgo.Entry("BestEffort pod - request memory",
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name: "c1",
 				},
 			},
-			expected: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
 				},
+			},
+			"Pod QOS Class may not change as a result of resizing",
+			true,
+		),
+		ginkgo.Entry("BestEffort pod - request cpu",
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit, MemReq: increasedMem, MemLim: increasedMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name: "c1",
 				},
 			},
-		},
-		{
-			name: "Burstable QoS pod, one container, one restartable init container - decrease init container CPU only",
-			containers: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
 			},
-			expected: []podresize.ResizableContainerInfo{
+			"Pod QOS Class may not change as a result of resizing",
+			true,
+		),
+		ginkgo.Entry("Guaranteed pod - remove cpu & memory limits",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: reducedCPU, CPULim: reducedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
 				},
 			},
-		},
-		{
-			name: "Burstable QoS pod, one container, one restartable init container - increase init container CPU only",
-			containers: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
 				},
 			},
-			expected: []podresize.ResizableContainerInfo{
+			"resource limits cannot be removed",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - remove cpu & memory limits + increase requests",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: increasedCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: increasedMemLimit},
 				},
 			},
-		},
-		{
-			name: "Burstable QoS pod, one container, one restartable init container - decrease init container memory requests only",
-			containers: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
-				},
-				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, MemReq: increasedMem},
 				},
 			},
-			expected: []podresize.ResizableContainerInfo{
+			"resource limits cannot be removed",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - remove memory requests",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					Resources: &cgroups.ContainerResources{MemReq: originalMem},
 				},
+			},
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: reducedMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{},
 				},
 			},
-		},
-		{
-			name: "Burstable QoS pod, one container, one restartable init container - increase init container memory only",
-			containers: []podresize.ResizableContainerInfo{
+			"resource requests cannot be removed",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - remove cpu requests",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
+			},
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{},
 				},
 			},
-			expected: []podresize.ResizableContainerInfo{
+			"resource requests cannot be removed",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - reorder containers",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
 				{
-					Name:          "c1-init",
-					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: increasedMem, MemLim: increasedMemLimit},
-					InitCtr:       true,
-					RestartPolicy: v1.ContainerRestartPolicyAlways,
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
 			},
-		},
-	}
-
-	for idx := range tests {
-		tc := tests[idx]
-
-		ginkgo.It(tc.name, func(ctx context.Context) {
-			podClient := e2epod.NewPodClient(f)
-			var testPod, patchedPod *v1.Pod
-			var pErr error
-
-			tStamp := strconv.Itoa(time.Now().Nanosecond())
-			testPod = podresize.MakePodWithResizableContainers(f.Namespace.Name, "", tStamp, tc.containers)
-			testPod.GenerateName = "resize-test-"
-			testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
-
-			if tc.addExtendedResource {
-				nodes, err := e2enode.GetReadySchedulableNodes(context.Background(), f.ClientSet)
-				framework.ExpectNoError(err)
-
-				for _, node := range nodes.Items {
-					e2enode.AddExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource, resource.MustParse("123"))
-				}
-				defer func() {
-					for _, node := range nodes.Items {
-						e2enode.RemoveExtendedResource(ctx, f.ClientSet, node.Name, fakeExtendedResource)
-					}
-				}()
-			}
-
-			ginkgo.By("creating pod")
-			newPod := podClient.CreateSync(ctx, testPod)
-
-			ginkgo.By("verifying initial pod resources are as expected")
-			podresize.VerifyPodResources(newPod, tc.containers)
-			ginkgo.By("verifying initial pod resize policy is as expected")
-			podresize.VerifyPodResizePolicy(newPod, tc.containers)
-
-			ginkgo.By("verifying initial pod status resources are as expected")
-			framework.ExpectNoError(podresize.VerifyPodStatusResources(newPod, tc.containers))
-			ginkgo.By("verifying initial cgroup config are as expected")
-			framework.ExpectNoError(podresize.VerifyPodContainersCgroupValues(ctx, f, newPod, tc.containers))
-
-			patchAndVerify := func(containers, desiredContainers []podresize.ResizableContainerInfo, opStr string) {
-				ginkgo.By(fmt.Sprintf("patching pod for %s", opStr))
-				patch := podresize.MakeResizePatch(containers, desiredContainers)
-				patchedPod, pErr = f.ClientSet.CoreV1().Pods(newPod.Namespace).Patch(ctx, newPod.Name,
-					types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
-				framework.ExpectNoError(pErr, fmt.Sprintf("failed to patch pod for %s", opStr))
-				expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, desiredContainers)
-
-				ginkgo.By(fmt.Sprintf("verifying pod patched for %s", opStr))
-				podresize.VerifyPodResources(patchedPod, expected)
-
-				ginkgo.By(fmt.Sprintf("waiting for %s to be actuated", opStr))
-				resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPod, expected)
-				podresize.ExpectPodResized(ctx, f, resizedPod, expected)
-			}
-
-			patchAndVerify(tc.containers, tc.expected, "resize")
-
-			if tc.testRollback {
-				// Resize has been actuated, test rollback
-				rollbackContainers := make([]podresize.ResizableContainerInfo, len(tc.containers))
-				copy(rollbackContainers, tc.containers)
-				for i, c := range rollbackContainers {
-					gomega.Expect(c.Name).To(gomega.Equal(tc.expected[i].Name),
-						"test case containers & expectations should be in the same order")
-					// Resizes that trigger a restart should trigger a second restart when rolling back.
-					rollbackContainers[i].RestartCount = tc.expected[i].RestartCount
-				}
-
-				patchAndVerify(tc.expected, rollbackContainers, "rollback")
-			}
-
-			ginkgo.By("deleting pod")
-			podClient.DeleteSync(ctx, newPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
-		})
-	}
-}
-
-func doPodResizeErrorTests(f *framework.Framework) {
-
-	type testCase struct {
-		name          string
-		containers    []podresize.ResizableContainerInfo
-		attemptResize []podresize.ResizableContainerInfo // attempted resize target
-		patchError    string
-	}
-
-	tests := []testCase{
-		{
-			name: "BestEffort pod - try requesting memory, expect error",
-			containers: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
-					Name: "c1",
+					Name:      "c2",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
-			},
-			attemptResize: []podresize.ResizableContainerInfo{
 				{
-					Name: "c1",
-					Resources: &cgroups.ContainerResources{
-						MemReq: originalMem,
-					},
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU},
 				},
 			},
-			patchError: "Pod QOS Class may not change as a result of resizing",
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - remove memory limits",
-			containers: []podresize.ResizableContainerInfo{
+			"spec.containers[0].name: Forbidden: containers may not be renamed or reordered on resize, spec.containers[1].name: Forbidden: containers may not be renamed or reordered on resize",
+			true,
+		),
+		ginkgo.Entry("Guaranteed pod - rename containers",
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:      "c1-old",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
 				},
-			},
-			attemptResize: []podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem},
+					Name:      "c2-old",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
 				},
 			},
-			patchError: "resource limits cannot be removed",
-		},
-		{
-			name: "Burstable QoS pod, one container with cpu & memory requests + limits - remove CPU limits",
-			containers: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:      "c1-new",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
 				},
-			},
-			attemptResize: []podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:      "c2-new",
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPU, MemReq: originalMem, MemLim: originalMem},
 				},
 			},
-			patchError: "resource limits cannot be removed",
-		},
-		{
-			name: "Burstable QoS pod, one container with memory requests + limits, cpu requests - remove CPU requests",
-			containers: []podresize.ResizableContainerInfo{
+			"spec.containers[0].name: Forbidden: containers may not be renamed or reordered on resize, spec.containers[1].name: Forbidden: containers may not be renamed or reordered on resize",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - set requests == limits",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem, MemLim: originalMemLimit},
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: increasedCPULimit, MemReq: originalMem, MemLim: increasedMemLimit},
 				},
 			},
-			attemptResize: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{MemReq: originalMem, MemLim: originalMemLimit},
+					Resources: &cgroups.ContainerResources{CPUReq: increasedCPULimit, CPULim: increasedCPULimit, MemReq: increasedMemLimit, MemLim: increasedMemLimit},
 				},
 			},
-			patchError: "resource requests cannot be removed",
-		},
-		{
-			name: "Burstable QoS pod, one container with CPU requests + limits, cpu requests - remove memory requests",
-			containers: []podresize.ResizableContainerInfo{
+			"Pod QOS Class may not change as a result of resizing",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - resize ephemeral storage",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem},
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem, EphStorReq: "1"},
 				},
 			},
-			attemptResize: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit},
+					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem, EphStorReq: "3"},
 				},
 			},
-			patchError: "resource requests cannot be removed",
-		},
-		{
-			name: "Burstable QoS pod, two containers with cpu & memory requests + limits - reorder containers",
-			containers: []podresize.ResizableContainerInfo{
+			"only cpu and memory resources are mutable",
+			true,
+		),
+		ginkgo.Entry("Burstable pod - nonrestartable initContainer",
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:          "c1-init",
+					InitCtr:       true,
+					Resources:     &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
+					RestartPolicy: v1.ContainerRestartPolicyNever,
 				},
 				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{},
 				},
 			},
-			attemptResize: []podresize.ResizableContainerInfo{
+			[]podresize.ResizableContainerInfo{
 				{
-					Name:      "c2",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Name:          "c1-init",
+					InitCtr:       true,
+					Resources:     &cgroups.ContainerResources{CPUReq: increasedCPU, MemReq: increasedMem},
+					RestartPolicy: v1.ContainerRestartPolicyNever,
 				},
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: originalCPU, CPULim: originalCPULimit, MemReq: originalMem, MemLim: originalMemLimit},
+					Resources: &cgroups.ContainerResources{},
 				},
 			},
-			patchError: "spec.containers[0].name: Forbidden: containers may not be renamed or reordered on resize, spec.containers[1].name: Forbidden: containers may not be renamed or reordered on resize",
-		},
-	}
-
-	for idx := range tests {
-		tc := tests[idx]
-
-		ginkgo.It(tc.name, func(ctx context.Context) {
-			podClient := e2epod.NewPodClient(f)
-			var testPod, patchedPod *v1.Pod
-			var pErr error
-
-			tStamp := strconv.Itoa(time.Now().Nanosecond())
-			testPod = podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod", tStamp, tc.containers)
-			testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
-
-			ginkgo.By("creating pod")
-			newPod := podClient.CreateSync(ctx, testPod)
-
-			ginkgo.By("verifying initial pod resources, and policy are as expected")
-			podresize.VerifyPodResources(newPod, tc.containers)
-			podresize.VerifyPodResizePolicy(newPod, tc.containers)
-
-			ginkgo.By("verifying initial pod status resources and cgroup config are as expected")
-			framework.ExpectNoError(podresize.VerifyPodStatusResources(newPod, tc.containers))
-
-			ginkgo.By("patching pod for resize")
-			patch := podresize.MakeResizePatch(tc.containers, tc.attemptResize)
-			patchedPod, pErr = f.ClientSet.CoreV1().Pods(newPod.Namespace).Patch(ctx, newPod.Name,
-				types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
-			if tc.patchError == "" {
-				framework.ExpectNoError(pErr, "failed to patch pod for resize")
-			} else {
-				gomega.Expect(pErr).To(gomega.HaveOccurred())
-				gomega.Expect(pErr.Error()).To(gomega.ContainSubstring(tc.patchError))
-				patchedPod = newPod
-			}
-
-			ginkgo.By("verifying pod resources after patch")
-			podresize.VerifyPodResources(patchedPod, tc.containers)
-
-			ginkgo.By("verifying pod status resources after patch")
-			framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPod, tc.containers))
-
-			ginkgo.By("deleting pod")
-			podClient.DeleteSync(ctx, newPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
-		})
-	}
+			"resources for non-sidecar init containers are immutable",
+			false,
+		),
+	)
 }
 
 func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
@@ -1279,30 +613,13 @@ func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
 	// 3. Revert the limit back to the original value - should succeed
 	ginkgo.It("decrease memory limit below usage", func(ctx context.Context) {
 		podClient := e2epod.NewPodClient(f)
-		var testPod *v1.Pod
-		var pErr error
-
 		original := []podresize.ResizableContainerInfo{{
 			Name:      "c1",
 			Resources: &cgroups.ContainerResources{MemReq: originalMem, MemLim: originalMem},
 		}}
 
-		tStamp := strconv.Itoa(time.Now().Nanosecond())
-		testPod = podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod", tStamp, original)
-		testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
-
-		ginkgo.By("creating pod")
-		testPod = podClient.CreateSync(ctx, testPod)
-
-		ginkgo.By("verifying initial pod resources are as expected")
-		podresize.VerifyPodResources(testPod, original)
-		ginkgo.By("verifying initial pod resize policy is as expected")
-		podresize.VerifyPodResizePolicy(testPod, original)
-
-		ginkgo.By("verifying initial pod status resources are as expected")
-		framework.ExpectNoError(podresize.VerifyPodStatusResources(testPod, original))
-		ginkgo.By("verifying initial cgroup config are as expected")
-		framework.ExpectNoError(podresize.VerifyPodContainersCgroupValues(ctx, f, testPod, original))
+		ginkgo.By("creating and verifying pod")
+		testPod := createAndVerifyPod(ctx, f, podClient, original, nil, false)
 
 		// 1. Decrease the limit a little bit - should succeed
 		ginkgo.By("Patching pod with a slightly lowered memory limit")
@@ -1310,13 +627,13 @@ func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
 			Name:      "c1",
 			Resources: &cgroups.ContainerResources{MemReq: reducedMem, MemLim: reducedMem},
 		}}
-		patch := podresize.MakeResizePatch(original, viableLoweredLimit)
-		testPod, pErr = f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
+		patch := podresize.MakeResizePatch(original, viableLoweredLimit, nil, nil)
+		testPod, pErr := f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
 			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
 		framework.ExpectNoError(pErr, "failed to patch pod for viable lowered limit")
 
 		ginkgo.By("verifying pod patched for viable lowered limit")
-		podresize.VerifyPodResources(testPod, viableLoweredLimit)
+		podresize.VerifyPodResources(testPod, viableLoweredLimit, nil)
 
 		ginkgo.By("waiting for viable lowered limit to be actuated")
 		resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, testPod, viableLoweredLimit)
@@ -1336,7 +653,7 @@ func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
 			Name:      "c1",
 			Resources: &cgroups.ContainerResources{MemReq: nonViableMemoryLimit, MemLim: nonViableMemoryLimit},
 		}}
-		patch = podresize.MakeResizePatch(viableLoweredLimit, nonViableLoweredLimit)
+		patch = podresize.MakeResizePatch(viableLoweredLimit, nonViableLoweredLimit, nil, nil)
 		testPod, pErr = f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
 			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
 		framework.ExpectNoError(pErr, "failed to patch pod for viable lowered limit")
@@ -1383,13 +700,13 @@ func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
 
 		// 3. Revert the limit back to the original value - should succeed
 		ginkgo.By("Patching pod to revert to original state")
-		patch = podresize.MakeResizePatch(nonViableLoweredLimit, original)
+		patch = podresize.MakeResizePatch(nonViableLoweredLimit, original, nil, nil)
 		testPod, pErr = f.ClientSet.CoreV1().Pods(testPod.Namespace).Patch(ctx, testPod.Name,
 			types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
 		framework.ExpectNoError(pErr, "failed to patch pod back to original values")
 
 		ginkgo.By("verifying pod patched for original values")
-		podresize.VerifyPodResources(testPod, original)
+		podresize.VerifyPodResources(testPod, original, nil)
 
 		ginkgo.By("waiting for the original values to be actuated")
 		resizedPod = podresize.WaitForPodResizeActuation(ctx, f, podClient, testPod, original)
@@ -1400,15 +717,97 @@ func doPodResizeMemoryLimitDecreaseTest(f *framework.Framework) {
 	})
 }
 
-// NOTE: Pod resize scheduler resource quota tests are out of scope in e2e_node tests,
-//       because in e2e_node tests
-//          a) scheduler and controller manager is not running by the Node e2e
-//          b) api-server in services doesn't start with --enable-admission-plugins=ResourceQuota
-//             and is not possible to start it from TEST_ARGS
-//       Above tests are performed by doSheduletTests() and doPodResizeResourceQuotaTests()
-//       in test/e2e/node/pod_resize.go
+func doPodResizeReadAndReplaceTests(f *framework.Framework) {
+	/*
+		Release: v1.35
+		Testname: In-place Pod Resize, read and replace endpoints
+		Description: Issuing a Pod Resize request via the Pod Resize subresource replace endpoint MUST result in the Pod resources being updated as expected. The Pod object fetched from the Pod Resize subresource MUST be equivalent to the Pod object fetched from the main Pod endpoint after the resize is completed.
+	*/
+	framework.ConformanceIt("resize pod via the replace endpoint [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
+		podClient := e2epod.NewPodClient(f)
+		original := []podresize.ResizableContainerInfo{{
+			Name:      "c1",
+			Resources: &cgroups.ContainerResources{CPUReq: originalCPU, MemReq: originalMem},
+		}}
+		desiredContainers := []podresize.ResizableContainerInfo{{
+			Name:      "c1",
+			Resources: &cgroups.ContainerResources{CPUReq: increasedCPU, MemReq: increasedMem},
+		}}
+		desired := v1.ResourceRequirements{
+			Requests: v1.ResourceList{
+				v1.ResourceCPU:    resource.MustParse(increasedCPU),
+				v1.ResourceMemory: resource.MustParse(increasedMem),
+			},
+		}
+
+		ginkgo.By("creating and verifying pod")
+		pod := createAndVerifyPod(ctx, f, podClient, original, nil, false)
+		gomega.Expect(pod.Generation).To(gomega.BeEquivalentTo(1))
+
+		podToUpdate, err := podClient.Get(ctx, pod.Name, metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to get pod")
+		podToUpdate.Spec.Containers[0].Resources = desired
+
+		ginkgo.By("updating the pod resources")
+		_, err = podClient.UpdateResize(ctx, pod.Name, podToUpdate, metav1.UpdateOptions{})
+		framework.ExpectNoError(err, "failed to resize pod")
+
+		ginkgo.By("fetching updated pod")
+		updatedPod, err := podClient.Get(ctx, pod.Name, metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to get pod")
+
+		ginkgo.By("verifying pod resources")
+		podresize.VerifyPodResources(updatedPod, desiredContainers, nil)
+		gomega.Expect(updatedPod.Generation).To(gomega.BeEquivalentTo(2))
+
+		ginkgo.By("verifying pod resources after patch")
+		expected := podresize.UpdateExpectedContainerRestarts(ctx, updatedPod, desiredContainers)
+		resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, updatedPod, expected)
+		podresize.ExpectPodResized(ctx, f, resizedPod, expected)
+
+		ginkgo.By("verifying pod fetched from resize subresource")
+		framework.ExpectNoError(framework.Gomega().
+			Eventually(ctx, framework.RetryNotFound(framework.GetObject(f.ClientSet.CoreV1().Pods(pod.Namespace).Get, pod.Name, metav1.GetOptions{}))).
+			WithTimeout(f.Timeouts.PodStart).
+			Should(framework.MakeMatcher(func(pod *v1.Pod) (func() string, error) {
+				// For some reason, the pod object returned from the client doesn't have the GVK populated.
+				pod.Kind = "Pod"
+				pod.APIVersion = "v1"
+
+				ginkgo.By("verifying pod fetched from resize subresource")
+				podResource := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
+				unstruct, err := f.DynamicClient.Resource(podResource).Namespace(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{}, "resize")
+				if err != nil {
+					return func() string {
+						return fmt.Sprintf("failed to fetch pod after resize: %v", err.Error())
+					}, nil
+				}
+				updatedPodFromResize, err := unstructuredToPod(unstruct)
+				if err != nil {
+					return func() string {
+						return fmt.Sprintf("couldn't convert result to pod object: %v", err.Error())
+					}, nil
+				}
+				if !apiequality.Semantic.DeepEqual(pod, updatedPodFromResize) {
+					return func() string {
+						return fmt.Sprintf("pod from resize subresource not equivalent to pod; %s", cmp.Diff(pod, updatedPodFromResize))
+					}, nil
+				}
+
+				return nil, nil
+			})),
+		)
+	})
+}
 
-var _ = SIGDescribe("Pod InPlace Resize Container", framework.WithFeatureGate(features.InPlacePodVerticalScaling), func() {
+// NOTE: Pod resize scheduler, resource quota, limit ranger, deferred resize tests are out of scope in e2e_node tests,
+//
+//	because in e2e_node tests
+//	   a) scheduler and controller manager is not running by the Node e2e
+//	   b) api-server in services doesn't start with --enable-admission-plugins=ResourceQuota
+//	      and is not possible to start it from TEST_ARGS
+//	Above tests in test/e2e/node/pod_resize.go
+var _ = SIGDescribe("Pod InPlace Resize Container", func() {
 	f := framework.NewDefaultFramework("pod-resize-tests")
 
 	ginkgo.BeforeEach(func(ctx context.Context) {
@@ -1419,7 +818,141 @@ var _ = SIGDescribe("Pod InPlace Resize Container", framework.WithFeatureGate(fe
 		}
 	})
 
-	doPodResizeTests(f)
-	doPodResizeErrorTests(f)
+	doGuaranteedPodResizeTests(f)
+	doBurstablePodResizeTests(f)
+	doPodResizeReadAndReplaceTests(f)
+	doPodResizePatchErrorTests(f)
 	doPodResizeMemoryLimitDecreaseTest(f)
 })
+
+func doPatchAndRollback(ctx context.Context, f *framework.Framework, originalContainers, expectedContainers []podresize.ResizableContainerInfo, originalPodResources, expectedPodResources *v1.ResourceRequirements, doRollback bool, mountPodCgroup bool) {
+	ginkgo.By("creating and verifying pod")
+	podClient := e2epod.NewPodClient(f)
+	newPod := createAndVerifyPod(ctx, f, podClient, originalContainers, originalPodResources, mountPodCgroup)
+
+	ginkgo.By("patching and verifying pod for resize")
+	patchAndVerify(ctx, f, podClient, newPod, originalContainers, expectedContainers, originalPodResources, expectedPodResources, "resize")
+	if doRollback {
+		// Resize has been actuated, test the reverse operation.
+		rollbackContainers := createRollbackContainers(originalContainers, expectedContainers)
+		ginkgo.By("patching and verifying pod for rollback")
+		patchAndVerify(ctx, f, podClient, newPod, expectedContainers, rollbackContainers, expectedPodResources, originalPodResources, "rollback")
+	}
+
+	ginkgo.By("deleting pod")
+	podClient.DeleteSync(ctx, newPod.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+}
+
+func patchAndVerify(ctx context.Context, f *framework.Framework, podClient *e2epod.PodClient, newPod *v1.Pod, originalContainers, expectedContainers []podresize.ResizableContainerInfo, originalPodResources, expectedPodResources *v1.ResourceRequirements, opStr string) {
+	patch := podresize.MakeResizePatch(originalContainers, expectedContainers, originalPodResources, expectedPodResources)
+	patchedPod, pErr := f.ClientSet.CoreV1().Pods(newPod.Namespace).Patch(ctx, newPod.Name,
+		types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "resize")
+	framework.ExpectNoError(pErr, fmt.Sprintf("failed to patch pod for %s", opStr))
+
+	expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+
+	podresize.VerifyPodResources(patchedPod, expected, expectedPodResources)
+	resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPod, expected)
+
+	podresize.ExpectPodResized(ctx, f, resizedPod, expected)
+	if expectedPodResources != nil {
+		framework.ExpectNoError(podresize.VerifyPodCgroupValues(ctx, f, resizedPod))
+	}
+}
+
+func createAndVerifyPod(ctx context.Context, f *framework.Framework, podClient *e2epod.PodClient, originalContainers []podresize.ResizableContainerInfo, podResources *v1.ResourceRequirements, mountPodCgroup bool) *v1.Pod {
+	tStamp := strconv.Itoa(time.Now().Nanosecond())
+	testPod := podresize.MakePodWithResizableContainers(f.Namespace.Name, "", tStamp, originalContainers, podResources)
+	testPod.GenerateName = "resize-test-"
+	testPod = e2epod.MustMixinRestrictedPodSecurity(testPod)
+
+	// TODO: mount pod cgroup path for all pod resize related tests and remove
+	// dependency on mountPodCgroup
+	if mountPodCgroup {
+		// mount pod cgroup in first container that can be used for pod cgroup values verification
+		cgroups.ConfigureHostPathForPodCgroup(testPod)
+	}
+
+	newPod := podClient.CreateSync(ctx, testPod)
+	podresize.VerifyPodResources(newPod, originalContainers, podResources)
+
+	podresize.VerifyPodResizePolicy(newPod, originalContainers)
+	framework.ExpectNoError(podresize.VerifyPodStatusResources(newPod, originalContainers))
+	framework.ExpectNoError(podresize.VerifyPodContainersCgroupValues(ctx, f, newPod, originalContainers))
+	if podResources != nil {
+		framework.ExpectNoError(podresize.VerifyPodCgroupValues(ctx, f, newPod))
+	}
+	return newPod
+}
+
+func makeGuaranteedContainers(numContainers int,
+	cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy,
+	initContainers, extendedResources bool,
+	cpu, mem string) []podresize.ResizableContainerInfo {
+
+	containers := []podresize.ResizableContainerInfo{}
+	for i := range numContainers {
+		// Offset the resources a bit so that in multi-container pods, not all containers have the same resources.
+		resources := &cgroups.ContainerResources{
+			CPUReq: offsetCPU(i, cpu),
+			CPULim: offsetCPU(i, cpu),
+			MemReq: offsetMemory(int64(i), mem),
+			MemLim: offsetMemory(int64(i), mem),
+		}
+
+		if extendedResources {
+			resources.ExtendedResourceReq = "1"
+			resources.ExtendedResourceLim = "1"
+		}
+
+		containers = append(containers, podresize.ResizableContainerInfo{
+			Name:      fmt.Sprintf("c%d", i+1),
+			Resources: resources,
+			CPUPolicy: &cpuPolicy,
+			MemPolicy: &memPolicy,
+		})
+	}
+
+	if initContainers {
+		containers = append(containers, podresize.ResizableContainerInfo{
+			Name:          "c1-init",
+			Resources:     &cgroups.ContainerResources{CPUReq: cpu, CPULim: cpu, MemReq: mem, MemLim: mem},
+			InitCtr:       true,
+			RestartPolicy: v1.ContainerRestartPolicyAlways,
+			CPUPolicy:     &cpuPolicy,
+			MemPolicy:     &memPolicy,
+		})
+	}
+
+	return containers
+}
+
+func makeBurstableContainers(numContainers int,
+	cpuPolicy, memPolicy v1.ResourceResizeRestartPolicy,
+	cpu, cpuLimit, mem, memLimit string) []podresize.ResizableContainerInfo {
+
+	containers := []podresize.ResizableContainerInfo{}
+	for i := range numContainers {
+		// Offset the resources a bit so that in multi-container pods, not all containers have the same resources.
+		resources := &cgroups.ContainerResources{CPUReq: offsetCPU(i, cpu), CPULim: offsetCPU(i, cpuLimit), MemReq: offsetMemory(int64(i), mem), MemLim: offsetMemory(int64(i), memLimit)}
+		containers = append(containers, podresize.ResizableContainerInfo{
+			Name:      fmt.Sprintf("c%d", i+1),
+			Resources: resources,
+			CPUPolicy: &cpuPolicy,
+			MemPolicy: &memPolicy,
+		})
+	}
+	return containers
+}
+
+func createRollbackContainers(originalContainers, expectedContainers []podresize.ResizableContainerInfo) []podresize.ResizableContainerInfo {
+	rollbackContainers := make([]podresize.ResizableContainerInfo, len(originalContainers))
+	copy(rollbackContainers, originalContainers)
+	for i, c := range rollbackContainers {
+		gomega.Expect(c.Name).To(gomega.Equal(expectedContainers[i].Name),
+			"test case containers & expectations should be in the same order")
+		// Resizes that trigger a restart should trigger a second restart when rolling back.
+		rollbackContainers[i].RestartCount = expectedContainers[i].RestartCount
+	}
+	return rollbackContainers
+}
diff --git a/test/e2e/common/node/pods.go b/test/e2e/common/node/pods.go
index 262313c4f864c..00e0eae1c9efb 100644
--- a/test/e2e/common/node/pods.go
+++ b/test/e2e/common/node/pods.go
@@ -27,7 +27,9 @@ import (
 	"strings"
 	"time"
 
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/client-go/util/retry"
+	"k8s.io/klog/v2"
 
 	"golang.org/x/net/websocket"
 
@@ -49,6 +51,7 @@ import (
 	"k8s.io/kubectl/pkg/util/podutils"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/kubelet"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
@@ -264,7 +267,7 @@ var _ = SIGDescribe("Pods", func() {
 				return podClient.Watch(ctx, options)
 			},
 		}
-		_, informer, w, _ := watchtools.NewIndexerInformerWatcher(lw, &v1.Pod{})
+		_, informer, w, _ := watchtools.NewIndexerInformerWatcherWithLogger(klog.FromContext(ctx), lw, &v1.Pod{})
 		defer w.Stop()
 
 		ctxUntil, cancelCtx := context.WithTimeout(ctx, wait.ForeverTestTimeout)
@@ -901,8 +904,8 @@ var _ = SIGDescribe("Pods", func() {
 		podResource := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
 		testNamespaceName := f.Namespace.Name
 		testPodName := "pod-test"
-		testPodImage := imageutils.GetE2EImage(imageutils.Agnhost)
-		testPodImage2 := imageutils.GetE2EImage(imageutils.Httpd)
+		testPodImage := imageutils.GetE2EImage(imageutils.AgnhostPrev)
+		testPodImage2 := imageutils.GetE2EImage(imageutils.Agnhost)
 		testPodLabels := map[string]string{"test-pod-static": "true"}
 		testPodLabelsFlat := "test-pod-static=true"
 		one := int64(1)
@@ -959,6 +962,7 @@ var _ = SIGDescribe("Pods", func() {
 		p, err := f.ClientSet.CoreV1().Pods(testNamespaceName).Get(ctx, testPodName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "failed to get Pod %v in namespace %v", testPodName, testNamespaceName)
 		gomega.Expect(p.Status.Phase).To(gomega.Equal(v1.PodRunning), "failed to see Pod %v in namespace %v running", p.ObjectMeta.Name, testNamespaceName)
+		gomega.Expect(p).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("patching the Pod with a new Label and updated data")
 		prePatchResourceVersion := p.ResourceVersion
@@ -1001,6 +1005,7 @@ var _ = SIGDescribe("Pods", func() {
 		framework.ExpectNoError(err, "failed to fetch Pod %s in namespace %s", testPodName, testNamespaceName)
 		gomega.Expect(pod.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-pod", "patched"), "failed to patch Pod - missing label")
 		gomega.Expect(pod.Spec.Containers[0].Image).To(gomega.Equal(testPodImage2), "failed to patch Pod - wrong image")
+		gomega.Expect(resourceversion.CompareResourceVersion(p.ResourceVersion, pod.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("replacing the Pod's status Ready condition to False")
 		var podStatusUpdate *v1.Pod
diff --git a/test/e2e/common/node/podtemplates.go b/test/e2e/common/node/podtemplates.go
index e1466f4df35e8..d41c0204221be 100644
--- a/test/e2e/common/node/podtemplates.go
+++ b/test/e2e/common/node/podtemplates.go
@@ -26,9 +26,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -84,6 +86,7 @@ var _ = SIGDescribe("PodTemplates", func() {
 		podTemplateRead, err := f.ClientSet.CoreV1().PodTemplates(testNamespaceName).Get(ctx, podTemplateName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "failed to get created PodTemplate")
 		gomega.Expect(podTemplateRead.ObjectMeta.Name).To(gomega.Equal(podTemplateName))
+		gomega.Expect(podTemplateRead).To(apimachineryutils.HaveValidResourceVersion())
 
 		// patch template
 		podTemplatePatch, err := json.Marshal(map[string]interface{}{
@@ -94,8 +97,9 @@ var _ = SIGDescribe("PodTemplates", func() {
 			},
 		})
 		framework.ExpectNoError(err, "failed to marshal patch data")
-		_, err = f.ClientSet.CoreV1().PodTemplates(testNamespaceName).Patch(ctx, podTemplateName, types.StrategicMergePatchType, []byte(podTemplatePatch), metav1.PatchOptions{})
+		patchedPodTemplate, err := f.ClientSet.CoreV1().PodTemplates(testNamespaceName).Patch(ctx, podTemplateName, types.StrategicMergePatchType, []byte(podTemplatePatch), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch PodTemplate")
+		gomega.Expect(resourceversion.CompareResourceVersion(podTemplateRead.ResourceVersion, patchedPodTemplate.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		// get template (ensure label is there)
 		podTemplateRead, err = f.ClientSet.CoreV1().PodTemplates(testNamespaceName).Get(ctx, podTemplateName, metav1.GetOptions{})
diff --git a/test/e2e/common/node/runtime.go b/test/e2e/common/node/runtime.go
index f72f66e47f259..e455e0c1bb430 100644
--- a/test/e2e/common/node/runtime.go
+++ b/test/e2e/common/node/runtime.go
@@ -21,14 +21,15 @@ import (
 	"fmt"
 	"os"
 	"path"
-	"time"
 
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/kubelet/images"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eregistry "k8s.io/kubernetes/test/e2e/framework/registry"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
 
@@ -39,7 +40,7 @@ import (
 
 var _ = SIGDescribe("Container Runtime", func() {
 	f := framework.NewDefaultFramework("container-runtime")
-	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged // custom registry pods need HostPorts
 
 	ginkgo.Describe("blackbox test", func() {
 		ginkgo.Context("when starting a container that exits", func() {
@@ -257,142 +258,133 @@ while true; do sleep 1; done
 			})
 		})
 
-		ginkgo.Context("when running a container with a new image", func() {
+		framework.Context("when running a container with a new image", framework.WithSerial(), func() {
+			var registryAddress string
+			var registryNodeNames []string
+			var pullSecret *v1.Secret
+			ginkgo.BeforeEach(func(ctx context.Context) {
+				var err error
 
-			// Images used for ConformanceContainer are not added into NodePrePullImageList, because this test is
-			// testing image pulling, these images don't need to be prepulled. The ImagePullPolicy
-			// is v1.PullAlways, so it won't be blocked by framework image pre-pull list check.
-			imagePullTest := func(ctx context.Context, image string, hasSecret bool, expectedPhase v1.PodPhase, expectedPullStatus bool, windowsImage bool) {
-				command := []string{"/bin/sh", "-c", "while true; do sleep 1; done"}
-				if windowsImage {
-					// -t: Ping the specified host until stopped.
-					command = []string{"ping", "-t", "localhost"}
-				}
-				container := ConformanceContainer{
-					PodClient: e2epod.NewPodClient(f),
-					Container: v1.Container{
-						Name:            "image-pull-test",
-						Image:           image,
-						Command:         command,
-						ImagePullPolicy: v1.PullAlways,
-					},
-					RestartPolicy: v1.RestartPolicyNever,
-				}
-				if hasSecret {
-					// The service account only has pull permission
-					auth := `
-{
-	"auths": {
-		"https://gcr.io": {
-			"auth": "X2pzb25fa2V5OnsKICAidHlwZSI6ICJzZXJ2aWNlX2FjY291bnQiLAogICJwcm9qZWN0X2lkIjogImF1dGhlbnRpY2F0ZWQtaW1hZ2UtcHVsbGluZyIsCiAgInByaXZhdGVfa2V5X2lkIjogImI5ZjJhNjY0YWE5YjIwNDg0Y2MxNTg2MDYzZmVmZGExOTIyNGFjM2IiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzdTSG5LVEVFaVlMamZcbkpmQVBHbUozd3JCY2VJNTBKS0xxS21GWE5RL3REWGJRK2g5YVl4aldJTDhEeDBKZTc0bVovS01uV2dYRjVLWlNcbm9BNktuSU85Yi9SY1NlV2VpSXRSekkzL1lYVitPNkNjcmpKSXl4anFWam5mVzJpM3NhMzd0OUE5VEZkbGZycm5cbjR6UkpiOWl4eU1YNGJMdHFGR3ZCMDNOSWl0QTNzVlo1ODhrb1FBZmgzSmhhQmVnTWorWjRSYko0aGVpQlFUMDNcbnZVbzViRWFQZVQ5RE16bHdzZWFQV2dydDZOME9VRGNBRTl4bGNJek11MjUzUG4vSzgySFpydEx4akd2UkhNVXhcbng0ZjhwSnhmQ3h4QlN3Z1NORit3OWpkbXR2b0wwRmE3ZGducFJlODZWRDY2ejNZenJqNHlLRXRqc2hLZHl5VWRcbkl5cVhoN1JSQWdNQkFBRUNnZ0VBT3pzZHdaeENVVlFUeEFka2wvSTVTRFVidi9NazRwaWZxYjJEa2FnbmhFcG9cbjFJajJsNGlWMTByOS9uenJnY2p5VlBBd3pZWk1JeDFBZVF0RDdoUzRHWmFweXZKWUc3NkZpWFpQUm9DVlB6b3VcbmZyOGRDaWFwbDV0enJDOWx2QXNHd29DTTdJWVRjZmNWdDdjRTEyRDNRS3NGNlo3QjJ6ZmdLS251WVBmK0NFNlRcbmNNMHkwaCtYRS9kMERvSERoVy96YU1yWEhqOFRvd2V1eXRrYmJzNGYvOUZqOVBuU2dET1lQd2xhbFZUcitGUWFcbkpSd1ZqVmxYcEZBUW14M0Jyd25rWnQzQ2lXV2lGM2QrSGk5RXRVYnRWclcxYjZnK1JRT0licWFtcis4YlJuZFhcbjZWZ3FCQWtKWjhSVnlkeFVQMGQxMUdqdU9QRHhCbkhCbmM0UW9rSXJFUUtCZ1FEMUNlaWN1ZGhXdGc0K2dTeGJcbnplanh0VjFONDFtZHVjQnpvMmp5b1dHbzNQVDh3ckJPL3lRRTM0cU9WSi9pZCs4SThoWjRvSWh1K0pBMDBzNmdcblRuSXErdi9kL1RFalk4MW5rWmlDa21SUFdiWHhhWXR4UjIxS1BYckxOTlFKS2ttOHRkeVh5UHFsOE1veUdmQ1dcbjJ2aVBKS05iNkhabnY5Q3lqZEo5ZzJMRG5RS0JnUUREcVN2eURtaGViOTIzSW96NGxlZ01SK205Z2xYVWdTS2dcbkVzZlllbVJmbU5XQitDN3ZhSXlVUm1ZNU55TXhmQlZXc3dXRldLYXhjK0krYnFzZmx6elZZdFpwMThNR2pzTURcbmZlZWZBWDZCWk1zVXQ3Qmw3WjlWSjg1bnRFZHFBQ0xwWitaLzN0SVJWdWdDV1pRMWhrbmxHa0dUMDI0SkVFKytcbk55SDFnM2QzUlFLQmdRQ1J2MXdKWkkwbVBsRklva0tGTkh1YTBUcDNLb1JTU1hzTURTVk9NK2xIckcxWHJtRjZcbkMwNGNTKzQ0N0dMUkxHOFVUaEpKbTRxckh0Ti9aK2dZOTYvMm1xYjRIakpORDM3TVhKQnZFYTN5ZUxTOHEvK1JcbjJGOU1LamRRaU5LWnhQcG84VzhOSlREWTVOa1BaZGh4a2pzSHdVNGRTNjZwMVRESUU0MGd0TFpaRFFLQmdGaldcbktyblFpTnEzOS9iNm5QOFJNVGJDUUFKbmR3anhTUU5kQTVmcW1rQTlhRk9HbCtqamsxQ1BWa0tNSWxLSmdEYkpcbk9heDl2OUc2Ui9NSTFIR1hmV3QxWU56VnRocjRIdHNyQTB0U3BsbWhwZ05XRTZWejZuQURqdGZQSnMyZUdqdlhcbmpQUnArdjhjY21MK3dTZzhQTGprM3ZsN2VlNXJsWWxNQndNdUdjUHhBb0dBZWRueGJXMVJMbVZubEFpSEx1L0xcbmxtZkF3RFdtRWlJMFVnK1BMbm9Pdk81dFE1ZDRXMS94RU44bFA0cWtzcGtmZk1Rbk5oNFNZR0VlQlQzMlpxQ1RcbkpSZ2YwWGpveXZ2dXA5eFhqTWtYcnBZL3ljMXpmcVRaQzBNTzkvMVVjMWJSR2RaMmR5M2xSNU5XYXA3T1h5Zk9cblBQcE5Gb1BUWGd2M3FDcW5sTEhyR3pNPVxuLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLVxuIiwKICAiY2xpZW50X2VtYWlsIjogImltYWdlLXB1bGxpbmdAYXV0aGVudGljYXRlZC1pbWFnZS1wdWxsaW5nLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwKICAiY2xpZW50X2lkIjogIjExMzc5NzkxNDUzMDA3MzI3ODcxMiIsCiAgImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKICAidG9rZW5fdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2ltYWdlLXB1bGxpbmclNDBhdXRoZW50aWNhdGVkLWltYWdlLXB1bGxpbmcuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iCn0=",
-			"email": "image-pulling@authenticated-image-pulling.iam.gserviceaccount.com"
-		}
-	}
-}`
-					// we might be told to use a different docker config JSON.
-					if framework.TestContext.DockerConfigFile != "" {
-						contents, err := os.ReadFile(framework.TestContext.DockerConfigFile)
-						framework.ExpectNoError(err)
-						auth = string(contents)
-					}
-					secret := &v1.Secret{
-						Data: map[string][]byte{v1.DockerConfigJsonKey: []byte(auth)},
-						Type: v1.SecretTypeDockerConfigJson,
-					}
-					secret.Name = "image-pull-secret-" + string(uuid.NewUUID())
-					ginkgo.By("create image pull secret")
-					_, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, secret, metav1.CreateOptions{})
+				registryAddress, registryNodeNames, err = e2eregistry.SetupRegistry(ctx, f, true)
+				framework.ExpectNoError(err)
+				gomega.Expect(registryNodeNames).ToNot(gomega.BeEmpty())
+				// we need to wait for the registry to be removed and so we need to delete the whole NS ourselves
+				ginkgo.DeferCleanup(func(ctx context.Context) {
+					f.DeleteNamespace(ctx, f.Namespace.Name)
+				})
+
+				secret := e2eregistry.User1DockerSecret(registryAddress)
+				secret.Name = "image-pull-secret-" + string(uuid.NewUUID())
+				// we might be told to use a different docker config JSON.
+				if framework.TestContext.DockerConfigFile != "" {
+					contents, err := os.ReadFile(framework.TestContext.DockerConfigFile)
 					framework.ExpectNoError(err)
-					ginkgo.DeferCleanup(f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Delete, secret.Name, metav1.DeleteOptions{})
-					container.ImagePullSecrets = []string{secret.Name}
+					secret.Data[v1.DockerConfigJsonKey] = contents
 				}
-				// checkContainerStatus checks whether the container status matches expectation.
-				checkContainerStatus := func(ctx context.Context) error {
-					status, err := container.GetStatus(ctx)
-					if err != nil {
-						return fmt.Errorf("failed to get container status: %w", err)
-					}
-					// We need to check container state first. The default pod status is pending, If we check pod phase first,
-					// and the expected pod phase is Pending, the container status may not even show up when we check it.
-					// Check container state
-					if !expectedPullStatus {
-						if status.State.Running == nil {
-							return fmt.Errorf("expected container state: Running, got: %q",
-								GetContainerState(status.State))
-						}
-					}
-					if expectedPullStatus {
-						if status.State.Waiting == nil {
-							return fmt.Errorf("expected container state: Waiting, got: %q",
-								GetContainerState(status.State))
-						}
-						reason := status.State.Waiting.Reason
-						if reason != images.ErrImagePull.Error() &&
-							reason != images.ErrImagePullBackOff.Error() {
-							return fmt.Errorf("unexpected waiting reason: %q", reason)
-						}
-					}
-					// Check pod phase
-					phase, err := container.GetPhase(ctx)
-					if err != nil {
-						return fmt.Errorf("failed to get pod phase: %w", err)
-					}
-					if phase != expectedPhase {
-						return fmt.Errorf("expected pod phase: %q, got: %q", expectedPhase, phase)
-					}
-					return nil
-				}
-
-				// The image registry is not stable, which sometimes causes the test to fail. Add retry mechanism to make this less flaky.
-				const flakeRetry = 3
-				for i := 1; i <= flakeRetry; i++ {
-					var err error
-					ginkgo.By("create the container")
-					container.Create(ctx)
-					ginkgo.By("check the container status")
-					for start := time.Now(); time.Since(start) < ContainerStatusRetryTimeout; time.Sleep(ContainerStatusPollInterval) {
-						if err = checkContainerStatus(ctx); err == nil {
-							break
-						}
-					}
-					ginkgo.By("delete the container")
-					_ = container.Delete(ctx)
-					if err == nil {
-						break
-					}
-					if i < flakeRetry {
-						framework.Logf("No.%d attempt failed: %v, retrying...", i, err)
-					} else {
-						framework.Failf("All %d attempts failed: %v", flakeRetry, err)
-					}
-				}
-			}
+				ginkgo.By("create image pull secret")
+				pullSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, secret, metav1.CreateOptions{})
+				framework.ExpectNoError(err)
+			})
 
 			f.It("should not be able to pull image from invalid registry", f.WithNodeConformance(), func(ctx context.Context) {
 				image := imageutils.GetE2EImage(imageutils.InvalidRegistryImage)
-				imagePullTest(ctx, image, false, v1.PodPending, true, false)
+				_ = ImagePullTest(ctx, f, image, v1.PullAlways, nil, registryNodeNames[0], v1.PodPending, true)
 			})
 
 			f.It("should be able to pull image", f.WithNodeConformance(), func(ctx context.Context) {
-				// NOTE(claudiub): The agnhost image is supposed to work on both Linux and Windows.
 				image := imageutils.GetE2EImage(imageutils.Agnhost)
-				imagePullTest(ctx, image, false, v1.PodRunning, false, false)
+				_ = ImagePullTest(ctx, f, image, v1.PullAlways, nil, registryNodeNames[0], v1.PodRunning, false)
 			})
 
 			f.It("should not be able to pull from private registry without secret", f.WithNodeConformance(), func(ctx context.Context) {
-				image := imageutils.GetE2EImage(imageutils.AuthenticatedAlpine)
-				imagePullTest(ctx, image, false, v1.PodPending, true, false)
+				image := registryAddress + "/pause:testing"
+				_ = ImagePullTest(ctx, f, image, v1.PullAlways, nil, registryNodeNames[0], v1.PodPending, true)
 			})
 
 			f.It("should be able to pull from private registry with secret", f.WithNodeConformance(), func(ctx context.Context) {
-				image := imageutils.GetE2EImage(imageutils.AuthenticatedAlpine)
-				isWindows := false
-				if framework.NodeOSDistroIs("windows") {
-					image = imageutils.GetE2EImage(imageutils.AuthenticatedWindowsNanoServer)
-					isWindows = true
-				}
-				imagePullTest(ctx, image, true, v1.PodRunning, false, isWindows)
+				image := registryAddress + "/pause:testing"
+				_ = ImagePullTest(ctx, f, image, v1.PullAlways, pullSecret, registryNodeNames[0], v1.PodRunning, false)
 			})
 		})
 	})
 })
+
+// Images used by imagePullTest are not added to NodePrePullImageList because this test is
+// specifically testing image pulling behavior. The containers use ImagePullPolicy values other
+// than PullNever, so the framework allows them to be pulled during the test.
+func ImagePullTest(ctx context.Context, f *framework.Framework, image string, imagePullPolicy v1.PullPolicy, pullSecret *v1.Secret, nodeName string, expectedPhase v1.PodPhase, expectedPullStatus bool) *v1.Pod {
+	container := ConformanceContainer{
+		PodClient: e2epod.NewPodClient(f),
+		NodeName:  nodeName,
+		Container: v1.Container{
+			Name:            "image-pull-test",
+			Image:           image,
+			ImagePullPolicy: imagePullPolicy,
+		},
+		RestartPolicy: v1.RestartPolicyNever,
+	}
+	if pullSecret != nil {
+		container.ImagePullSecrets = []string{pullSecret.Name}
+	}
+	// checkContainerStatus checks whether the container status matches expectation.
+	checkContainerStatus := func(ctx context.Context) error {
+		status, err := container.GetStatus(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to get container status: %w", err)
+		}
+		// We need to check container state first. The default pod status is pending, If we check pod phase first,
+		// and the expected pod phase is Pending, the container status may not even show up when we check it.
+		// Check container state
+		if !expectedPullStatus {
+			if status.State.Running == nil {
+				return fmt.Errorf("expected container state: Running, got: %q",
+					GetContainerState(status.State))
+			}
+		}
+		if expectedPullStatus {
+			if status.State.Waiting == nil {
+				gomega.Expect(status.State.Running).To(gomega.BeNil())
+				return fmt.Errorf("expected container state: Waiting, got: %q",
+					GetContainerState(status.State))
+			}
+			reason := status.State.Waiting.Reason
+			if reason != images.ErrImagePull.Error() &&
+				reason != images.ErrImagePullBackOff.Error() &&
+				reason != images.ErrImageNeverPull.Error() {
+				return fmt.Errorf("unexpected waiting reason: %q", reason)
+			}
+		}
+		// Check pod phase
+		phase, err := container.GetPhase(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to get pod phase: %w", err)
+		}
+		if phase != expectedPhase {
+			return fmt.Errorf("expected pod phase: %q, got: %q", expectedPhase, phase)
+		}
+		return nil
+	}
+
+	ginkgo.By("create the container")
+	testPod := container.Create(ctx)
+	ginkgo.DeferCleanup(func(ctx context.Context) {
+		ginkgo.By("delete the conformance container")
+		if err := container.Delete(ctx); err != nil {
+			framework.Logf("error deleting a conformance container: %v", err)
+		}
+	})
+
+	ginkgo.By("check the container status")
+	var latestErr error
+	err := wait.PollUntilContextCancel(ctx, ContainerStatusPollInterval, true, func(ctx context.Context) (bool, error) {
+		if latestErr = checkContainerStatus(ctx); latestErr != nil {
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		framework.Failf("Failed to read container status: %v; last observed error from wait loop: %v", err, latestErr)
+	}
+
+	return testPod
+}
diff --git a/test/e2e/common/node/runtimeclass.go b/test/e2e/common/node/runtimeclass.go
index d401430c4d455..a9d23a978359e 100644
--- a/test/e2e/common/node/runtimeclass.go
+++ b/test/e2e/common/node/runtimeclass.go
@@ -29,10 +29,12 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	runtimeclasstest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eevents "k8s.io/kubernetes/test/e2e/framework/events"
@@ -287,6 +289,7 @@ var _ = SIGDescribe("RuntimeClass", func() {
 		gottenRC, err := rcClient.Get(ctx, rc.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(gottenRC.UID).To(gomega.Equal(createdRC.UID))
+		gomega.Expect(gottenRC).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		rcs, err := rcClient.List(ctx, metav1.ListOptions{LabelSelector: "test=" + f.UniqueName})
@@ -297,6 +300,7 @@ var _ = SIGDescribe("RuntimeClass", func() {
 		patchedRC, err := rcClient.Patch(ctx, createdRC.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedRC.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(gottenRC.ResourceVersion, patchedRC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		csrToUpdate := patchedRC.DeepCopy()
diff --git a/test/e2e/common/node/secrets.go b/test/e2e/common/node/secrets.go
index 15134187df526..4921724e624d6 100644
--- a/test/e2e/common/node/secrets.go
+++ b/test/e2e/common/node/secrets.go
@@ -25,7 +25,9 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epodoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -158,7 +160,7 @@ var _ = SIGDescribe("Secrets", func() {
 		secretTestName := "test-secret-" + string(uuid.NewUUID())
 
 		// create a secret in the test namespace
-		_, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, &v1.Secret{
+		createdSecret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, &v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: secretTestName,
 				Labels: map[string]string{
@@ -171,6 +173,7 @@ var _ = SIGDescribe("Secrets", func() {
 			Type: "Opaque",
 		}, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "failed to create secret")
+		gomega.Expect(createdSecret).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing secrets in all namespaces to ensure that there are more than zero")
 		// list all secrets in all namespaces to ensure endpoint coverage
@@ -208,6 +211,7 @@ var _ = SIGDescribe("Secrets", func() {
 
 		secret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Get(ctx, secretCreatedName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "failed to get secret")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdSecret.ResourceVersion, secret.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		secretDecodedstring, err := base64.StdEncoding.DecodeString(string(secret.Data["key"]))
 		framework.ExpectNoError(err, "failed to decode secret from Base64")
diff --git a/test/e2e/common/node/security_context.go b/test/e2e/common/node/security_context.go
index 43be7c531a557..85400318d277b 100644
--- a/test/e2e/common/node/security_context.go
+++ b/test/e2e/common/node/security_context.go
@@ -27,12 +27,9 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	"k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/events"
-	"k8s.io/kubernetes/pkg/kubelet/lifecycle"
 	"k8s.io/kubernetes/pkg/kubelet/metrics"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
@@ -129,6 +126,81 @@ var _ = SIGDescribe("Security Context", func() {
 			}
 		})
 
+		f.It("must create a user namespace and use host network when hostUsers is false and hostNetwork is true [LinuxOnly]", feature.UserNamespacesHostNetworkSupport, framework.WithFeatureGate(features.UserNamespacesHostNetworkSupport),
+			feature.UserNamespacesSupport, framework.WithFeatureGate(features.UserNamespacesSupport), func(ctx context.Context) {
+				// with hostUsers=false the pod must use a new user namespace.
+				// with hostNetwork=true the pod must use the host network namespace.
+				podClient := e2epod.PodClientNS(f, f.Namespace.Name)
+
+				// Schedule pods on the same node to ensure they share the same host network namespace.
+				targetNode, err := findLinuxNode(ctx, f)
+				framework.ExpectNoError(err, "Error finding Linux node")
+
+				makePodForHostNetTest := func(nodeName string) *v1.Pod {
+					return &v1.Pod{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "userns-hostnet-" + string(uuid.NewUUID()),
+						},
+						Spec: v1.PodSpec{
+							NodeName: nodeName,
+							Containers: []v1.Container{
+								{
+									Name:    containerName,
+									Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+									Command: []string{"sh", "-c", "cat /proc/self/uid_map && readlink /proc/self/ns/net"},
+								},
+							},
+							RestartPolicy: v1.RestartPolicyNever,
+							HostUsers:     ptr.To(false),
+							HostNetwork:   true,
+						},
+					}
+				}
+
+				createdPod1 := podClient.Create(ctx, makePodForHostNetTest(targetNode.Name))
+				createdPod2 := podClient.Create(ctx, makePodForHostNetTest(targetNode.Name))
+				ginkgo.DeferCleanup(func(ctx context.Context) {
+					ginkgo.By("delete the pods")
+					podClient.DeleteSync(ctx, createdPod1.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+					podClient.DeleteSync(ctx, createdPod2.Name, metav1.DeleteOptions{}, f.Timeouts.PodDelete)
+				})
+				getLogs := func(pod *v1.Pod) (string, string, error) {
+					err := e2epod.WaitForPodSuccessInNamespaceTimeout(ctx, f.ClientSet, pod.Name, f.Namespace.Name, f.Timeouts.PodStart)
+					if err != nil {
+						return "", "", err
+					}
+					podStatus, err := podClient.Get(ctx, pod.Name, metav1.GetOptions{})
+					if err != nil {
+						return "", "", err
+					}
+					logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, podStatus.Name, containerName)
+					if err != nil {
+						return "", "", err
+					}
+					parts := strings.Split(strings.TrimSpace(logs), "\n")
+					if len(parts) != 2 {
+						return "", "", fmt.Errorf("expected 2 lines of logs, got %d: %q", len(parts), logs)
+					}
+					return parts[0], parts[1], nil
+				}
+
+				uidMap1, netNs1, err := getLogs(createdPod1)
+				framework.ExpectNoError(err)
+				uidMap2, netNs2, err := getLogs(createdPod2)
+				framework.ExpectNoError(err)
+
+				// 65536 is the size used for a user namespace.  Verify that the value is present
+				// in the /proc/self/uid_map file.
+				gomega.Expect(uidMap1).To(gomega.ContainSubstring("65536"), "user namespace not created for pod1")
+				gomega.Expect(uidMap2).To(gomega.ContainSubstring("65536"), "user namespace not created for pod2")
+
+				// Check they are in different user namespaces.
+				gomega.Expect(uidMap1).NotTo(gomega.Equal(uidMap2), "two different pods are running with the same user namespace configuration")
+
+				// Check they are in the same network namespace (the host's one).
+				gomega.Expect(netNs1).To(gomega.Equal(netNs2), "two different pods with hostNetwork=true should be in the same network namespace, but they are not. NetNS1: %s, NetNS2: %s", netNs1, netNs2)
+			})
+
 		f.It("must create the user namespace in the configured hostUID/hostGID range [LinuxOnly]", feature.UserNamespacesSupport, framework.WithFeatureGate(features.UserNamespacesSupport), func(ctx context.Context) {
 			// We need to check with the binary "getsubuids" the mappings for the kubelet.
 			// If something is not present, we skip the test as the node wasn't configured to run this test.
@@ -749,7 +821,7 @@ var _ = SIGDescribe("Security Context", func() {
 		})
 	})
 
-	f.Context("SupplementalGroupsPolicy [LinuxOnly]", feature.SupplementalGroupsPolicy, framework.WithFeatureGate(features.SupplementalGroupsPolicy), func() {
+	f.Context("SupplementalGroupsPolicy [LinuxOnly]", func() {
 		timeout := 1 * time.Minute
 
 		agnhostImage := imageutils.GetE2EImage(imageutils.Agnhost)
@@ -792,19 +864,6 @@ var _ = SIGDescribe("Security Context", func() {
 				},
 			}
 		}
-
-		nodeSupportsSupplementalGroupsPolicy := func(ctx context.Context, f *framework.Framework, nodeName string) bool {
-			node, err := f.ClientSet.CoreV1().Nodes().Get(ctx, nodeName, metav1.GetOptions{})
-			framework.ExpectNoError(err)
-			gomega.Expect(node).NotTo(gomega.BeNil())
-			if node.Status.Features != nil {
-				supportsSupplementalGroupsPolicy := node.Status.Features.SupplementalGroupsPolicy
-				if supportsSupplementalGroupsPolicy != nil && *supportsSupplementalGroupsPolicy {
-					return true
-				}
-			}
-			return false
-		}
 		waitForContainerUser := func(ctx context.Context, f *framework.Framework, podName string, containerName string, expectedContainerUser *v1.ContainerUser) error {
 			return framework.Gomega().Eventually(ctx,
 				framework.RetryNotFound(framework.GetObject(f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get, podName, metav1.GetOptions{}))).
@@ -866,28 +925,6 @@ var _ = SIGDescribe("Security Context", func() {
 			stdout := e2epod.ExecCommandInContainer(f, podName, containerName, "id", "-G")
 			gomega.Expect(stdout).To(gomega.Equal(expectedOutput))
 		}
-		expectRejectionEventIssued := func(ctx context.Context, f *framework.Framework, pod *v1.Pod) {
-			framework.ExpectNoError(
-				framework.Gomega().Eventually(ctx,
-					framework.HandleRetry(framework.ListObjects(
-						f.ClientSet.CoreV1().Events(pod.Namespace).List,
-						metav1.ListOptions{
-							FieldSelector: fields.Set{
-								"type":                      core.EventTypeWarning,
-								"reason":                    lifecycle.SupplementalGroupsPolicyNotSupported,
-								"involvedObject.kind":       "Pod",
-								"involvedObject.apiVersion": v1.SchemeGroupVersion.String(),
-								"involvedObject.name":       pod.Name,
-								"involvedObject.uid":        string(pod.UID),
-							}.AsSelector().String(),
-						},
-					))).
-					WithTimeout(timeout).
-					Should(gcustom.MakeMatcher(func(eventList *v1.EventList) (bool, error) {
-						return len(eventList.Items) == 1, nil
-					})),
-			)
-		}
 
 		ginkgo.When("SupplementalGroupsPolicy nil in SecurityContext", func() {
 			ginkgo.When("if the container's primary UID belongs to some groups in the image", func() {
@@ -897,27 +934,8 @@ var _ = SIGDescribe("Security Context", func() {
 						pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyMerge)))
 					})
 				})
-				ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does not support SupplementalGroupsPolicy
-						if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
-						}
-					})
-					ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
-						expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, false)
-					})
-				})
-				ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does support SupplementalGroupsPolicy
-						if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
-						}
-					})
-					ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
-						expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
-					})
+				ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
+					expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
 				})
 			})
 		})
@@ -929,27 +947,8 @@ var _ = SIGDescribe("Security Context", func() {
 						pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(nil))
 					})
 				})
-				ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does not support SupplementalGroupsPolicy
-						if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
-						}
-					})
-					ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
-						expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, false)
-					})
-				})
-				ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does support SupplementalGroupsPolicy
-						if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
-						}
-					})
-					ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
-						expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
-					})
+				ginkgo.It("it should add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
+					expectMergePolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
 				})
 			})
 		})
@@ -958,42 +957,18 @@ var _ = SIGDescribe("Security Context", func() {
 				var pod *v1.Pod
 				ginkgo.BeforeEach(func(ctx context.Context) {
 					ginkgo.By("creating a pod", func() {
-						pod = e2epod.NewPodClient(f).Create(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyStrict)))
-						framework.ExpectNoError(e2epod.WaitForPodScheduled(ctx, f.ClientSet, pod.Namespace, pod.Name))
-						var err error
-						pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
-						framework.ExpectNoError(err)
+						pod = e2epod.NewPodClient(f).CreateSync(ctx, mkPod(ptr.To(v1.SupplementalGroupsPolicyStrict)))
 					})
 				})
-				ginkgo.When("scheduled node does not support SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does not support SupplementalGroupsPolicy
-						if nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does support SupplementalGroupsPolicy")
-						}
-					})
-					ginkgo.It("it should reject the pod [LinuxOnly]", func(ctx context.Context) {
-						expectRejectionEventIssued(ctx, f, pod)
-					})
-				})
-				ginkgo.When("scheduled node supports SupplementalGroupsPolicy", func() {
-					ginkgo.BeforeEach(func(ctx context.Context) {
-						// ensure the scheduled node does support SupplementalGroupsPolicy
-						if !nodeSupportsSupplementalGroupsPolicy(ctx, f, pod.Spec.NodeName) {
-							e2eskipper.Skipf("scheduled node does not support SupplementalGroupsPolicy")
-						}
-						framework.ExpectNoError(e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod))
-					})
-					ginkgo.It("it should NOT add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
-						expectStrictPolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
-					})
+				ginkgo.It("it should NOT add SupplementalGroups to them [LinuxOnly]", func(ctx context.Context) {
+					expectStrictPolicyInEffect(ctx, f, pod.Name, pod.Spec.Containers[0].Name, true)
 				})
 			})
 		})
 	})
 })
 
-var _ = SIGDescribe("User Namespaces for Pod Security Standards [LinuxOnly]", func() {
+var _ = SIGDescribe("User Namespaces for Restricted Pod Security Standards [LinuxOnly]", func() {
 	ginkgo.BeforeEach(func() {
 		e2eskipper.SkipIfNodeOSDistroIs("windows")
 	})
@@ -1001,8 +976,8 @@ var _ = SIGDescribe("User Namespaces for Pod Security Standards [LinuxOnly]", fu
 	f := framework.NewDefaultFramework("user-namespaces-pss-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelRestricted
 
-	ginkgo.Context("with UserNamespacesSupport and UserNamespacesPodSecurityStandards enabled", func() {
-		f.It("should allow pod", feature.UserNamespacesPodSecurityStandards, framework.WithFeatureGate(features.UserNamespacesSupport), framework.WithFeatureGate(features.UserNamespacesPodSecurityStandards), func(ctx context.Context) {
+	ginkgo.Context("with UserNamespacesSupport enabled", func() {
+		f.It("should allow pod", feature.UserNamespacesSupport, framework.WithFeatureGate(features.UserNamespacesSupport), func(ctx context.Context) {
 			name := "pod-user-namespaces-pss-" + string(uuid.NewUUID())
 			pod := &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{Name: name},
diff --git a/test/e2e/common/node/sysctl.go b/test/e2e/common/node/sysctl.go
index eb721effe3587..d9d1560080d35 100644
--- a/test/e2e/common/node/sysctl.go
+++ b/test/e2e/common/node/sysctl.go
@@ -76,7 +76,7 @@ var _ = SIGDescribe("Sysctls [LinuxOnly]", framework.WithNodeConformance(), func
 	  [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support sysctls
 	  [Environment:NotInUserNS]: The test fails in UserNS (as expected): `open /proc/sys/kernel/shm_rmid_forced: permission denied`
 	*/
-	framework.ConformanceIt("should support sysctls [MinimumKubeletVersion:1.21]", environment.NotInUserNS, func(ctx context.Context) {
+	framework.ConformanceIt("should support sysctls", environment.NotInUserNS, func(ctx context.Context) {
 		pod := testPod()
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
 			Sysctls: []v1.Sysctl{
@@ -122,7 +122,7 @@ var _ = SIGDescribe("Sysctls [LinuxOnly]", framework.WithNodeConformance(), func
 	  Description: Pod is created with one valid and two invalid sysctls. Pod should not apply invalid sysctls.
 	  [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support sysctls
 	*/
-	framework.ConformanceIt("should reject invalid sysctls [MinimumKubeletVersion:1.21]", func(ctx context.Context) {
+	framework.ConformanceIt("should reject invalid sysctls", func(ctx context.Context) {
 		pod := testPod()
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
 			Sysctls: []v1.Sysctl{
@@ -159,7 +159,7 @@ var _ = SIGDescribe("Sysctls [LinuxOnly]", framework.WithNodeConformance(), func
 	})
 
 	// Pod is created with kernel.msgmax, an unsafe sysctl.
-	ginkgo.It("should not launch unsafe, but not explicitly enabled sysctls on the node [MinimumKubeletVersion:1.21]", func(ctx context.Context) {
+	ginkgo.It("should not launch unsafe, but not explicitly enabled sysctls on the node", func(ctx context.Context) {
 		pod := testPod()
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
 			Sysctls: []v1.Sysctl{
@@ -186,7 +186,7 @@ var _ = SIGDescribe("Sysctls [LinuxOnly]", framework.WithNodeConformance(), func
 	  [LinuxOnly]: This test is marked as LinuxOnly since Windows does not support sysctls
 	  [Environment:NotInUserNS]: The test fails in UserNS (as expected): `open /proc/sys/kernel/shm_rmid_forced: permission denied`
 	*/
-	f.It("should support sysctls with slashes as separator [MinimumKubeletVersion:1.23]", environment.NotInUserNS, func(ctx context.Context) {
+	f.It("should support sysctls with slashes as separator", environment.NotInUserNS, func(ctx context.Context) {
 		pod := testPod()
 		pod.Spec.SecurityContext = &v1.PodSecurityContext{
 			Sysctls: []v1.Sysctl{
diff --git a/test/e2e/common/util.go b/test/e2e/common/util.go
index 07946bc165960..55ab8987b029b 100644
--- a/test/e2e/common/util.go
+++ b/test/e2e/common/util.go
@@ -57,11 +57,11 @@ var CurrentSuite Suite
 // See also updateImageAllowList() in ../../e2e_node/image_list.go
 // TODO(random-liu): Change the image puller pod to use similar mechanism.
 var PrePulledImages = sets.NewString(
+	imageutils.GetE2EImage(imageutils.AgnhostPrev),
 	imageutils.GetE2EImage(imageutils.Agnhost),
 	imageutils.GetE2EImage(imageutils.BusyBox),
 	imageutils.GetE2EImage(imageutils.IpcUtils),
 	imageutils.GetE2EImage(imageutils.Nginx),
-	imageutils.GetE2EImage(imageutils.Httpd),
 	imageutils.GetE2EImage(imageutils.VolumeNFSServer),
 	imageutils.GetE2EImage(imageutils.NonRoot),
 )
@@ -70,36 +70,34 @@ var PrePulledImages = sets.NewString(
 // before tests starts, so that the tests won't fail due image pulling flakes. These images also have
 // Windows support. Currently, this is only used by E2E tests.
 var WindowsPrePulledImages = sets.NewString(
+	imageutils.GetE2EImage(imageutils.AgnhostPrev),
 	imageutils.GetE2EImage(imageutils.Agnhost),
 	imageutils.GetE2EImage(imageutils.BusyBox),
 	imageutils.GetE2EImage(imageutils.Nginx),
-	imageutils.GetE2EImage(imageutils.Httpd),
 )
 
 type testImagesStruct struct {
-	AgnhostImage  string
-	BusyBoxImage  string
-	KittenImage   string
-	NautilusImage string
-	NginxImage    string
-	NginxNewImage string
-	HttpdImage    string
-	HttpdNewImage string
-	PauseImage    string
+	AgnhostPrevImage string
+	AgnhostImage     string
+	BusyBoxImage     string
+	KittenImage      string
+	NautilusImage    string
+	NginxImage       string
+	NginxNewImage    string
+	PauseImage       string
 }
 
 var testImages testImagesStruct
 
 func init() {
 	testImages = testImagesStruct{
+		imageutils.GetE2EImage(imageutils.AgnhostPrev),
 		imageutils.GetE2EImage(imageutils.Agnhost),
 		imageutils.GetE2EImage(imageutils.BusyBox),
 		imageutils.GetE2EImage(imageutils.Kitten),
 		imageutils.GetE2EImage(imageutils.Nautilus),
 		imageutils.GetE2EImage(imageutils.Nginx),
 		imageutils.GetE2EImage(imageutils.NginxNew),
-		imageutils.GetE2EImage(imageutils.Httpd),
-		imageutils.GetE2EImage(imageutils.HttpdNew),
 		imageutils.GetE2EImage(imageutils.Pause),
 	}
 }
diff --git a/test/e2e/dra/deploy_device_plugin.go b/test/e2e/dra/deploy_device_plugin.go
index 313283fd5e859..defcf5fd67d44 100644
--- a/test/e2e/dra/deploy_device_plugin.go
+++ b/test/e2e/dra/deploy_device_plugin.go
@@ -19,6 +19,7 @@ package dra
 import (
 	"context"
 
+	"github.com/onsi/ginkgo/v2"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/kubernetes/test/e2e/framework"
@@ -32,6 +33,7 @@ import (
 // extended resource name (returned as result) and deploying it twice for the same nodes from different
 // tests would conflict.
 func deployDevicePlugin(ctx context.Context, f *framework.Framework, nodeNames []string) v1.ResourceName {
+	ginkgo.By("Deploy Device Plugin")
 	err := utils.CreateFromManifests(ctx, f, f.Namespace, func(item interface{}) error {
 		switch item := item.(type) {
 		case *appsv1.DaemonSet:
diff --git a/test/e2e/dra/dra.go b/test/e2e/dra/dra.go
index 2e12cb39a9dbf..7456985508708 100644
--- a/test/e2e/dra/dra.go
+++ b/test/e2e/dra/dra.go
@@ -52,6 +52,7 @@ import (
 	drautils "k8s.io/kubernetes/test/e2e/dra/utils"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
+	e2econformance "k8s.io/kubernetes/test/e2e/framework/conformance"
 	e2edaemonset "k8s.io/kubernetes/test/e2e/framework/daemonset"
 	e2eevents "k8s.io/kubernetes/test/e2e/framework/events"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -77,6 +78,156 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 	// modify /var/lib/kubelet/plugins.
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
+	f.Context("CRUD Tests", func() {
+		/*
+		   Release: v1.35
+		   Testname: CRUD operations for deviceclasses
+		   Description: kube-apiserver must support create/update/list/patch/delete operations for resource.k8s.io/v1 DeviceClass.
+		*/
+		framework.ConformanceIt("resource.k8s.io/v1 DeviceClass", func(ctx context.Context) {
+			e2econformance.TestResource(ctx, f,
+				&e2econformance.ResourceTestcase[*resourceapi.DeviceClass]{
+					GVR:        resourceapi.SchemeGroupVersion.WithResource("deviceclasses"),
+					Namespaced: ptr.To(false),
+					InitialSpec: &resourceapi.DeviceClass{
+						Spec: resourceapi.DeviceClassSpec{
+							Selectors: []resourceapi.DeviceSelector{{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: "false", // Matches no devices
+								},
+							}},
+						},
+					},
+					UpdateSpec: func(obj *resourceapi.DeviceClass) *resourceapi.DeviceClass {
+						obj.Spec.Selectors[0].CEL.Expression = "1 == 0" // Still matches no devices.
+						return obj
+					},
+					StrategicMergePatchSpec: `{"spec": {"selectors": [{"cel": {"expression": "1 == 0"}}]}}`,
+				},
+			)
+		})
+
+		/*
+		   Release: v1.35
+		   Testname: CRUD operations for resourceclaims
+		   Description: kube-apiserver must support create/update/list/patch/delete operations for resource.k8s.io/v1 ResourceClaim.
+		*/
+		framework.ConformanceIt("resource.k8s.io/v1 ResourceClaim", func(ctx context.Context) {
+			e2econformance.TestResource(ctx, f,
+				&e2econformance.ResourceTestcase[*resourceapi.ResourceClaim]{
+					GVR:        resourceapi.SchemeGroupVersion.WithResource("resourceclaims"),
+					Namespaced: ptr.To(true),
+					InitialSpec: &resourceapi.ResourceClaim{
+						Spec: resourceapi.ResourceClaimSpec{
+							Devices: resourceapi.DeviceClaim{
+								Requests: []resourceapi.DeviceRequest{{
+									Name: "req-0",
+									Exactly: &resourceapi.ExactDeviceRequest{
+										DeviceClassName: "dra.example.com",
+									},
+								}},
+							},
+						},
+					},
+					UpdateSpec: func(obj *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+						// The spec is immutable, so let's add a label instead.
+						if obj.Labels == nil {
+							obj.Labels = make(map[string]string)
+						}
+						obj.Labels["test.dra.example.com"] = "test"
+						return obj
+					},
+					UpdateStatus: func(obj *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+						// Nothing allocated" is a valid allocation result.
+						obj.Status.Allocation = &resourceapi.AllocationResult{}
+						return obj
+					},
+
+					// This test case uses all available patch types to demonstrate what this looks like
+					// and that TestResource supports them. Strategic merge patch, apply patch, and JSON
+					// merge patch are identical for these simple modifications.
+					//
+					// Testing with only one patch type would be sufficient for conformance.
+					ApplyPatchSpec:            `{"metadata": {"labels": {"test.dra.example.com": "test"}}}`,
+					StrategicMergePatchSpec:   `{"metadata": {"labels": {"test.dra.example.com": "test"}}}`,
+					JSONMergePatchSpec:        `{"metadata": {"labels": {"test.dra.example.com": "test"}}}`,
+					JSONPatchSpec:             `[{"op": "add", "path": "/metadata/labels/test.dra.example.com", "value": "test"}]`,
+					ApplyPatchStatus:          `{"status": {"allocation": {}}}`,
+					StrategicMergePatchStatus: `{"status": {"allocation": {}}}`,
+					JSONMergePatchStatus:      `{"status": {"allocation": {}}}`,
+					JSONPatchStatus:           `[{"op": "add", "path": "/status/allocation", "value": {}}]`,
+				})
+		})
+
+		/*
+		   Release: v1.35
+		   Testname: CRUD operations for resourceclaimtemplates
+		   Description: kube-apiserver must support create/update/list/patch/delete operations for resource.k8s.io/v1 ResourceClaimTemplate.
+		*/
+		framework.ConformanceIt("resource.k8s.io/v1 ResourceClaimTemplate", func(ctx context.Context) {
+			e2econformance.TestResource(ctx, f,
+				&e2econformance.ResourceTestcase[*resourceapi.ResourceClaimTemplate]{
+					GVR:        resourceapi.SchemeGroupVersion.WithResource("resourceclaimtemplates"),
+					Namespaced: ptr.To(true),
+					InitialSpec: &resourceapi.ResourceClaimTemplate{
+						Spec: resourceapi.ResourceClaimTemplateSpec{
+							Spec: resourceapi.ResourceClaimSpec{
+								Devices: resourceapi.DeviceClaim{
+									Requests: []resourceapi.DeviceRequest{{
+										Name: "req-0",
+										Exactly: &resourceapi.ExactDeviceRequest{
+											DeviceClassName: "dra.example.com",
+										},
+									}},
+								},
+							},
+						},
+					},
+					UpdateSpec: func(obj *resourceapi.ResourceClaimTemplate) *resourceapi.ResourceClaimTemplate {
+						// The spec is immutable, so let's add a label instead.
+						if obj.Labels == nil {
+							obj.Labels = make(map[string]string)
+						}
+						obj.Labels["test.dra.example.com"] = "test"
+						return obj
+					},
+					StrategicMergePatchSpec: `{"metadata": {"labels": {"test.dra.example.com": "test"}}}`,
+				},
+			)
+		})
+
+		/*
+		   Release: v1.35
+		   Testname: CRUD operations for resoureslices
+		   Description: kube-apiserver must support create/update/list/patch/delete operations for resource.k8s.io/v1 ResourceSlice.
+		*/
+		framework.ConformanceIt("resource.k8s.io/v1 ResourceSlice", func(ctx context.Context) {
+			e2econformance.TestResource(ctx, f,
+				&e2econformance.ResourceTestcase[*resourceapi.ResourceSlice]{
+					GVR:        resourceapi.SchemeGroupVersion.WithResource("resourceslices"),
+					Namespaced: ptr.To(false),
+					InitialSpec: &resourceapi.ResourceSlice{
+						Spec: resourceapi.ResourceSliceSpec{
+							Driver: "dra.example.com",
+							Pool: resourceapi.ResourcePool{
+								Name:               "cluster",
+								Generation:         1,
+								ResourceSliceCount: 1,
+							},
+							NodeName: ptr.To("no-such-node"),
+							// The pool is empty -> no devices.
+						},
+					},
+					UpdateSpec: func(obj *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+						obj.Spec.Devices = []resourceapi.Device{{Name: "device-0"}}
+						return obj
+					},
+					StrategicMergePatchSpec: `{"spec": {"devices": [{"name": "device-0"}]}}`,
+				},
+			)
+		})
+	})
+
 	f.Context("kubelet", feature.DynamicResourceAllocation, func() {
 		nodes := drautils.NewNodes(f, 1, 1)
 		driver := drautils.NewDriver(f, nodes, drautils.NetworkResources(10, false))
@@ -921,14 +1072,9 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			}).WithTimeout(f.Timeouts.PodDelete).Should(gomega.HaveField("Status.Allocation", (*resourceapi.AllocationResult)(nil)))
 		})
 
-		// https://github.com/kubernetes/kubernetes/issues/133488
-		// It conflicts with "must run pods with extended resource on dra nodes and device plugin nodes" test case,
-		// because device plugin does not clean up the extended resource "example.com/resource", and kubelet still
-		// keeps "example.com/resource" : 0 in node.status.Capacity.
-		// add WithFlaky to filter out the following test until we can clean up the leaked "example.com/resource" in node.status.
 		if withKubelet {
 			// Serial because the example device plugin can only be deployed with one instance at a time.
-			f.It("supports extended resources together with ResourceClaim", f.WithSerial(), f.WithFlaky(), func(ctx context.Context) {
+			f.It("supports extended resources together with ResourceClaim", f.WithSerial(), func(ctx context.Context) {
 				extendedResourceName := deployDevicePlugin(ctx, f, nodes.NodeNames[0:1])
 
 				pod := b.PodExternal()
@@ -942,6 +1088,54 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		}
 	}
 
+	singleNodeMultipleClaimsTests := func() {
+		nodes := drautils.NewNodes(f, 1, 1)
+		// Allow allocating more than one device so that multiple claims can be prepared on the same node.
+		maxAllocations := 2
+		driver := drautils.NewDriver(f, nodes, drautils.DriverResources(maxAllocations)) // All tests get their own driver instance.
+		driver.WithKubelet = true
+		b := drautils.NewBuilder(f, driver)
+
+		// https://github.com/kubernetes/kubernetes/issues/135901 was fixed and backported to Kubernetes 1.35.
+		// An independent backport was introduced for 1.34: https://github.com/kubernetes/kubernetes/pull/136480;
+		// in the meantime this KubeletMinVersion:1.35 is necessary because
+		// the latest 1.34 release still has the problem.
+		f.It("requests an already allocated and a new claim for a pod", f.WithLabel("KubeletMinVersion:1.35"), func(ctx context.Context) {
+			// This test covers a situation when a pod references a mix of already-prepared and new claims.
+			firstClaim := b.ExternalClaim()
+			secondClaim := b.ExternalClaim()
+
+			b.Create(ctx, firstClaim, secondClaim)
+
+			// First pod uses only firstClaim
+			firstPod := b.PodExternal()
+			b.Create(ctx, firstPod)
+			b.TestPod(ctx, f, firstPod)
+
+			// Second pod uses firstClaim (already prepared) + secondClaim (new)
+			secondPod := b.PodExternal()
+
+			secondPod.Spec.ResourceClaims = []v1.PodResourceClaim{
+				{
+					Name:              "first",
+					ResourceClaimName: &firstClaim.Name,
+				},
+				{
+					Name:              "second",
+					ResourceClaimName: &secondClaim.Name,
+				},
+			}
+
+			secondPod.Spec.Containers[0].Resources.Claims = []v1.ResourceClaim{
+				{Name: "first"},
+				{Name: "second"},
+			}
+
+			b.Create(ctx, secondPod)
+			b.TestPod(ctx, f, secondPod)
+		})
+	}
+
 	// The following tests only make sense when there is more than one node.
 	// They get skipped when there's only one node.
 	multiNodeTests := func(withKubelet bool) {
@@ -1804,18 +1998,17 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 	// It is okay to use the same context multiple times (like "control plane"),
 	// as long as the test names the still remain unique overall.
 
-	framework.Context("control plane", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func() { singleNodeTests(false) })
+	framework.Context("control plane", func() { singleNodeTests(false) })
 	framework.Context("kubelet", feature.DynamicResourceAllocation, "on single node", func() { singleNodeTests(true) })
+	framework.Context("kubelet", feature.DynamicResourceAllocation, "on single node with multiple claims allocation", singleNodeMultipleClaimsTests)
 
-	framework.Context("control plane", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func() { multiNodeTests(false) })
+	framework.Context("control plane", func() { multiNodeTests(false) })
 	framework.Context("kubelet", feature.DynamicResourceAllocation, "on multiple nodes", func() { multiNodeTests(true) })
 
 	framework.Context("kubelet", feature.DynamicResourceAllocation, f.WithFeatureGate(features.DRAPrioritizedList), prioritizedListTests)
 
 	framework.Context("kubelet", feature.DynamicResourceAllocation, f.WithFeatureGate(features.DRAConsumableCapacity), consumableCapacityTests)
 
-	framework.Context("kubelet", feature.DynamicResourceAllocation, f.WithFeatureGate(features.DRAConsumableCapacity), consumableCapacityTests)
-
 	framework.Context("kubelet", feature.DynamicResourceAllocation, "with v1beta1 API", v1beta1Tests)
 	framework.Context("kubelet", feature.DynamicResourceAllocation, "with v1beta2 API", v1beta2Tests)
 
@@ -1830,13 +2023,13 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		}))
 		b := drautils.NewBuilder(f, driver)
 
-		f.It("DeviceTaint keeps pod pending", func(ctx context.Context) {
+		f.It("NoSchedule keeps pod pending", func(ctx context.Context) {
 			pod, template := b.PodInline()
 			b.Create(ctx, pod, template)
 			framework.ExpectNoError(e2epod.WaitForPodNameUnschedulableInNamespace(ctx, f.ClientSet, pod.Name, f.Namespace.Name))
 		})
 
-		f.It("DeviceToleration enables pod scheduling", func(ctx context.Context) {
+		f.It("NoSchedule can be tolerated", func(ctx context.Context) {
 			pod, template := b.PodInline()
 			template.Spec.Spec.Devices.Requests[0].Exactly.Tolerations = []resourceapi.DeviceToleration{{
 				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
@@ -1847,7 +2040,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			b.TestPod(ctx, f, pod)
 		})
 
-		f.It("DeviceTaintRule evicts pod", func(ctx context.Context) {
+		f.It("DeviceTaintRule evicts pod", f.WithFeatureGate(features.DRADeviceTaintRules), func(ctx context.Context) {
 			pod, template := b.PodInline()
 			template.Spec.Spec.Devices.Requests[0].Exactly.Tolerations = []resourceapi.DeviceToleration{{
 				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
@@ -1909,63 +2102,273 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		})
 	})
 
+	framework.Context("kubelet", feature.DynamicResourceAllocation, f.WithFeatureGate(features.DRADeviceTaints), func() {
+		nodes := drautils.NewNodes(f, 1, 1)
+		driver := drautils.NewDriver(f, nodes, drautils.NetworkResources(10, false), drautils.TaintAllDevices(resourceapi.DeviceTaint{
+			Key:    "example.com/taint",
+			Value:  "tainted",
+			Effect: resourceapi.DeviceTaintEffectNoExecute,
+		}))
+		b := drautils.NewBuilder(f, driver)
+
+		f.It("NoExecute keeps pod pending", func(ctx context.Context) {
+			pod, template := b.PodInline()
+			b.Create(ctx, pod, template)
+			framework.ExpectNoError(e2epod.WaitForPodNameUnschedulableInNamespace(ctx, f.ClientSet, pod.Name, f.Namespace.Name))
+		})
+
+		f.It("NoExecute can be tolerated", func(ctx context.Context) {
+			pod, template := b.PodInline()
+			template.Spec.Spec.Devices.Requests[0].Exactly.Tolerations = []resourceapi.DeviceToleration{{
+				Effect:   resourceapi.DeviceTaintEffectNoExecute,
+				Operator: resourceapi.DeviceTolerationOpExists,
+				// No key: tolerate *all* taints with this effect.
+			}}
+			b.Create(ctx, pod, template)
+			b.TestPod(ctx, f, pod)
+
+			// Testing the pod is slow enough that the test fails when the pod gets evicted unexpectedly,
+			// We don't need to a "Consistently" here.
+		})
+	})
+
+	extendedResourceTest := func(ctx context.Context, b *drautils.Builder, f *framework.Framework, resourceNames []string, containerEnv []string) {
+		pod := b.Pod()
+		res := v1.ResourceList{}
+		res2 := v1.ResourceList{}
+		for _, resourceName := range resourceNames {
+			res[v1.ResourceName(resourceName)] = resource.MustParse("1")
+			res2[v1.ResourceName(resourceName)] = resource.MustParse("2")
+		}
+		pod.Spec.Containers[0].Resources.Requests = res
+		pod.Spec.Containers[0].Resources.Limits = res
+		pod.Spec.InitContainers = []v1.Container{pod.Spec.Containers[0], pod.Spec.Containers[0], pod.Spec.Containers[0]}
+		pod.Spec.InitContainers[0].Name += "-init"
+		// This must succeed for the pod to start.
+		pod.Spec.InitContainers[0].Command = []string{"sh", "-c", "env|grep container_1_request_0=true"}
+		pod.Spec.InitContainers[0].Resources.Requests = res2
+		pod.Spec.InitContainers[0].Resources.Limits = res2
+		pod.Spec.InitContainers[1].Name += "-sidecar"
+		// This must succeed for the pod to start.
+		pod.Spec.InitContainers[1].Command = []string{"sh", "-c", "while true; do env; env|grep container_1_request_0=true; echo $?; sleep 5; done"}
+		pod.Spec.InitContainers[1].RestartPolicy = ptr.To(v1.ContainerRestartPolicyAlways)
+		pod.Spec.InitContainers[1].Resources.Requests = res
+		pod.Spec.InitContainers[1].Resources.Limits = res
+		pod.Spec.InitContainers[2].Name += "-init-1"
+		// This must succeed for the pod to start.
+		pod.Spec.InitContainers[2].Command = []string{"sh", "-c", "env|grep container_3_request_0=true"}
+		pod.Spec.InitContainers[2].Resources.Requests = res
+		pod.Spec.InitContainers[2].Resources.Limits = res
+
+		b.Create(ctx, pod)
+		err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
+		framework.ExpectNoError(err, "start pod")
+		drautils.TestContainerEnv(ctx, f, pod, pod.Spec.Containers[0].Name, false, containerEnv...)
+	}
+
+	runExtendedClaimCleanup := func(ctx context.Context, b *drautils.Builder, shellScript string, waitFn func(context.Context, *v1.Pod) error, cleanupMessage string) {
+		pod := b.Pod()
+		res := v1.ResourceList{}
+		res[v1.ResourceName(b.ExtendedResourceName(0))] = resource.MustParse("1")
+		pod.Spec.Containers[0].Resources.Requests = res
+		pod.Spec.Containers[0].Resources.Limits = res
+
+		pod.Spec.Containers[0].Command = []string{"/bin/sh"}
+		pod.Spec.Containers[0].Args = []string{"-c", shellScript}
+		pod.Spec.RestartPolicy = v1.RestartPolicyNever
+
+		ginkgo.By("Creating the pod with extended resource")
+		b.Create(ctx, pod)
+		err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
+		framework.ExpectNoError(err, "start pod")
+
+		ginkgo.By("Verifying extended resource claim exists")
+		var extendedResourceClaim *resourceapi.ResourceClaim
+		gomega.Eventually(ctx, func(ctx context.Context) bool {
+			updatedPod, err := f.ClientSet.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
+			if err != nil {
+				return false
+			}
+			if updatedPod.Status.ExtendedResourceClaimStatus == nil {
+				return false
+			}
+			claimName := updatedPod.Status.ExtendedResourceClaimStatus.ResourceClaimName
+			extendedResourceClaim, err = b.ClientV1().ResourceClaims(pod.Namespace).Get(ctx, claimName, metav1.GetOptions{})
+			return err == nil && extendedResourceClaim != nil
+		}).WithTimeout(time.Minute).Should(gomega.BeTrueBecause("extended resource claim should be created"))
+
+		ginkgo.By("Waiting for the pod to reach terminal state")
+		err = waitFn(ctx, pod)
+		framework.ExpectNoError(err, "waiting for pod to reach terminal state")
+
+		ginkgo.By("Verifying extended resource claim is cleaned up")
+		gomega.Eventually(ctx, func(ctx context.Context) bool {
+			_, err := b.ClientV1().ResourceClaims(pod.Namespace).Get(ctx, extendedResourceClaim.Name, metav1.GetOptions{})
+			return apierrors.IsNotFound(err)
+		}).WithTimeout(time.Minute).Should(gomega.BeTrueBecause("extended resource claim should be automatically deleted when pod %s", cleanupMessage))
+	}
+
 	framework.Context(f.WithFeatureGate(features.DRAExtendedResource), func() {
 		nodes := drautils.NewNodes(f, 1, 1)
 		driver := drautils.NewDriver(f, nodes, drautils.NetworkResources(10, false))
 		b := drautils.NewBuilder(f, driver)
 		b.UseExtendedResourceName = true
 
-		ginkgo.It("must run a pod with extended resource with one container one resource", func(ctx context.Context) {
+		ginkgo.It("must run a pod with extended resource with resource quota", func(ctx context.Context) {
+			hard := v1.ResourceList{
+				v1.ResourceName("count/resourceclaims.resource.k8s.io"):                                          resource.MustParse("10"),
+				v1.ResourceName(fmt.Sprintf("requests.%s", b.ExtendedResourceName(0))):                           resource.MustParse("10"),
+				v1.ResourceName(fmt.Sprintf("requests.%s", "deviceclass.resource.kubernetes.io/"+b.ClassName())): resource.MustParse("10"),
+				v1.ResourceName(fmt.Sprintf("%s.deviceclass.resource.k8s.io/devices", b.Class(0).Name)):          resource.MustParse("10"),
+			}
+
+			quota := &v1.ResourceQuota{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-quota", Namespace: f.Namespace.Name},
+				Spec: v1.ResourceQuotaSpec{
+					Hard: hard,
+				},
+			}
+			b.Create(ctx, quota)
+
 			pod := b.Pod()
 			res := v1.ResourceList{}
-			res[v1.ResourceName(drautils.ExtendedResourceName(0))] = resource.MustParse("1")
+
+			// b.ExtendedResourceName(0) is added to the device class with name: b.ClassName()+"0"
+			res[v1.ResourceName(b.ExtendedResourceName(0))] = resource.MustParse("1")
+			// implicit extended resource name
+			res[v1.ResourceName("deviceclass.resource.kubernetes.io/"+b.ClassName())] = resource.MustParse("1")
+
 			pod.Spec.Containers[0].Resources.Requests = res
 			pod.Spec.Containers[0].Resources.Limits = res
+			pod.Spec.InitContainers = []v1.Container{pod.Spec.Containers[0], pod.Spec.Containers[0], pod.Spec.Containers[0]}
+			pod.Spec.InitContainers[0].Name += "-init"
+			// This must succeed for the pod to start.
+			pod.Spec.InitContainers[0].Command = []string{"sh", "-c", "env|grep request_0=true"}
+			pod.Spec.InitContainers[0].Resources.Requests = res
+			pod.Spec.InitContainers[0].Resources.Limits = res
+			pod.Spec.InitContainers[1].Name += "-sidecar"
+			// This must succeed for the pod to start.
+			pod.Spec.InitContainers[1].Command = []string{"sh", "-c", "env|grep container_1_request_0=true; sleep 1"}
+			pod.Spec.InitContainers[1].RestartPolicy = ptr.To(v1.ContainerRestartPolicyAlways)
+			pod.Spec.InitContainers[1].Resources.Requests = res
+			pod.Spec.InitContainers[1].Resources.Limits = res
+			pod.Spec.InitContainers[2].Name += "-init-1"
+			// This must succeed for the pod to start.
+			pod.Spec.InitContainers[2].Command = []string{"sh", "-c", "env|grep request_0=true"}
+			pod.Spec.InitContainers[2].Resources.Requests = res
+			pod.Spec.InitContainers[2].Resources.Limits = res
 
 			b.Create(ctx, pod)
 			err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
 			framework.ExpectNoError(err, "start pod")
 			containerEnv := []string{
-				"container_0_request_0", "true",
+				"container_3_request_0", "true",
+				"container_3_request_1", "true",
 			}
 			drautils.TestContainerEnv(ctx, f, pod, pod.Spec.Containers[0].Name, false, containerEnv...)
+
+			claim := b.ExternalClaim()
+			pod2 := b.PodExternal()
+			b.Create(ctx, claim, pod2)
+			b.TestPod(ctx, f, pod2)
+
+			// Expect 5 extended and implicit devices / requests resources to be consumed:
+			//
+			// - external claim, requesting 1 device:
+			//   - 1 deviceclass
+			//   - 1 extended request
+			//   - 1 implicit deviceclaim request
+			//
+			// - pod, requesting 4 devices:
+			//   - sidecar init container
+			//     - 1 extended request
+			//     - 1 implicit deviceclaim request
+			//   - main container
+			//     - 1 extended request
+			//     - 1 implicit deviceclaim request
+			//   - other init containers reuse the later sidecar/main container resource
+			//
+			// - extended resourceclaim auto-created from the pod, requesting 4 devices
+			//   - 4 deviceclasses
+			//   - 2 extended resource requests (4 minus 2 already counted from the pod)
+			//   - 2 implicit deviceclaim requests (4 minus 2 already counted from the pod)
+			consumedDevices := "5"
+
+			usedResources := v1.ResourceList{}
+			usedResources[v1.ResourceName("count/resourceclaims.resource.k8s.io")] = resource.MustParse("2")
+			usedResources[v1.ResourceName(fmt.Sprintf("requests.%s", b.ExtendedResourceName(0)))] = resource.MustParse(consumedDevices)
+			usedResources[v1.ResourceName(fmt.Sprintf("requests.%s", "deviceclass.resource.kubernetes.io/"+b.ClassName()))] = resource.MustParse(consumedDevices)
+			usedResources[v1.ResourceName(fmt.Sprintf("%s.deviceclass.resource.k8s.io/devices", b.Class(0).Name))] = resource.MustParse(consumedDevices)
+
+			gomega.Eventually(ctx, framework.GetObject(f.ClientSet.CoreV1().ResourceQuotas(quota.Namespace).Get, quota.Name, metav1.GetOptions{})).
+				Should(gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+					"Status": gomega.Equal(v1.ResourceQuotaStatus{
+						Hard: hard,
+						Used: usedResources,
+					})})))
+
+			framework.ExpectNoError(err)
+		})
+
+		ginkgo.It("must run a pod with both implicit and explicit extended resource with one container two resources", func(ctx context.Context) {
+			extendedResourceTest(ctx, b, f, []string{
+				// implicit extended resource name
+				"deviceclass.resource.kubernetes.io/" + b.ClassName(),
+				// b.ExtendedResourceName(0) is added to the device class with name: b.ClassName()+"0"
+				b.ExtendedResourceName(0),
+			}, []string{
+				"container_3_request_0", "true",
+				"container_3_request_1", "true",
+			})
+		})
+
+		ginkgo.It("must run a pod with extended resource with one container one resource", func(ctx context.Context) {
+			extendedResourceTest(ctx, b, f, []string{
+				b.ExtendedResourceName(0),
+			}, []string{
+				"container_3_request_0", "true",
+			})
 		})
 
 		ginkgo.It("must run a pod with extended resource with one container three resources", func(ctx context.Context) {
-			pod := b.Pod()
-			res := v1.ResourceList{}
+			var objects []klog.KMetadata
 			for i := range 3 {
-				res[v1.ResourceName(drautils.ExtendedResourceName(i))] = resource.MustParse("1")
-			}
-			pod.Spec.Containers[0].Resources.Requests = res
-			pod.Spec.Containers[0].Resources.Limits = res
-
-			b.Create(ctx, pod)
-			err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
-			framework.ExpectNoError(err, "start pod")
-			containerEnv := []string{
-				"container_0_request_0", "true",
-				"container_0_request_1", "true",
-				"container_0_request_2", "true",
+				if i > 0 {
+					objects = append(objects, b.Class(i))
+				}
 			}
-			drautils.TestContainerEnv(ctx, f, pod, pod.Spec.Containers[0].Name, false, containerEnv...)
+			b.Create(ctx, objects...)
+			extendedResourceTest(ctx, b, f, []string{
+				b.ExtendedResourceName(0),
+				b.ExtendedResourceName(1),
+				b.ExtendedResourceName(2),
+			}, []string{
+				"container_3_request_0", "true",
+				"container_3_request_1", "true",
+				"container_3_request_2", "true",
+			})
 		})
 		ginkgo.It("must run a pod with extended resource with three containers one resource each", func(ctx context.Context) {
+			var objects []klog.KMetadata
 			pod := b.Pod()
 			pod.Spec.Containers = append(pod.Spec.Containers, *pod.Spec.Containers[0].DeepCopy())
 			pod.Spec.Containers = append(pod.Spec.Containers, *pod.Spec.Containers[0].DeepCopy())
 			pod.Spec.Containers[0].Name = "container0"
 			pod.Spec.Containers[1].Name = "container1"
 			pod.Spec.Containers[2].Name = "container2"
+			objects = append(objects, pod)
 
 			for i := range 3 {
 				res := v1.ResourceList{}
-				res[v1.ResourceName(drautils.ExtendedResourceName(i))] = resource.MustParse("1")
+				res[v1.ResourceName(b.ExtendedResourceName(i))] = resource.MustParse("1")
 				pod.Spec.Containers[i].Resources.Requests = res
 				pod.Spec.Containers[i].Resources.Limits = res
+				if i > 0 {
+					objects = append(objects, b.Class(i))
+				}
 			}
 
-			b.Create(ctx, pod)
+			b.Create(ctx, objects...)
 			err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
 			framework.ExpectNoError(err, "start pod")
 			for i := range 3 {
@@ -1976,6 +2379,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			}
 		})
 		ginkgo.It("must run a pod with extended resource with three containers multiple resources each", func(ctx context.Context) {
+			var objects []klog.KMetadata
 			pod := b.Pod()
 			pod.Spec.Containers = append(pod.Spec.Containers, *pod.Spec.Containers[0].DeepCopy())
 			pod.Spec.Containers = append(pod.Spec.Containers, *pod.Spec.Containers[0].DeepCopy())
@@ -1984,22 +2388,26 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			pod.Spec.Containers[2].Name = "container2"
 
 			res := v1.ResourceList{}
-			res[v1.ResourceName(drautils.ExtendedResourceName(0))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(0))] = resource.MustParse("1")
 			pod.Spec.Containers[0].Resources.Requests = res
 			pod.Spec.Containers[0].Resources.Limits = res
 			res = v1.ResourceList{}
-			res[v1.ResourceName(drautils.ExtendedResourceName(1))] = resource.MustParse("1")
-			res[v1.ResourceName(drautils.ExtendedResourceName(2))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(1))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(2))] = resource.MustParse("1")
 			pod.Spec.Containers[1].Resources.Requests = res
 			pod.Spec.Containers[1].Resources.Limits = res
 			res = v1.ResourceList{}
-			res[v1.ResourceName(drautils.ExtendedResourceName(3))] = resource.MustParse("1")
-			res[v1.ResourceName(drautils.ExtendedResourceName(4))] = resource.MustParse("1")
-			res[v1.ResourceName(drautils.ExtendedResourceName(5))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(3))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(4))] = resource.MustParse("1")
+			res[v1.ResourceName(b.ExtendedResourceName(5))] = resource.MustParse("1")
 			pod.Spec.Containers[2].Resources.Requests = res
 			pod.Spec.Containers[2].Resources.Limits = res
+			for i := 1; i < 6; i++ {
+				objects = append(objects, b.Class(i))
+			}
+			objects = append(objects, pod)
 
-			b.Create(ctx, pod)
+			b.Create(ctx, objects...)
 			err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
 			framework.ExpectNoError(err, "start pod")
 			containerEnv := []string{
@@ -2018,6 +2426,76 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			}
 			drautils.TestContainerEnv(ctx, f, pod, pod.Spec.Containers[2].Name, false, containerEnv...)
 		})
+
+		ginkgo.It("must cleanup extended resource claims when pods complete", func(ctx context.Context) {
+			runExtendedClaimCleanup(ctx, b,
+				"echo 'Pod started with extended resource'; sleep 2; echo 'Pod completed successfully'",
+				func(ctx context.Context, p *v1.Pod) error {
+					return e2epod.WaitForPodSuccessInNamespace(ctx, f.ClientSet, p.Name, p.Namespace)
+				},
+				"completes",
+			)
+		})
+
+		ginkgo.It("must cleanup extended resource claims when pods fail", func(ctx context.Context) {
+			runExtendedClaimCleanup(ctx, b,
+				"echo 'Pod started with extended resource'; sleep 2; echo 'Pod failing now'; exit 1",
+				func(ctx context.Context, p *v1.Pod) error {
+					return e2epod.WaitForPodCondition(ctx, f.ClientSet, p.Namespace, p.Name, "pod failed", framework.PodStartTimeout, func(pod *v1.Pod) (bool, error) {
+						return pod.Status.Phase == v1.PodFailed, nil
+					})
+				},
+				"fails",
+			)
+		})
+		f.It("process extended resources after device plugin uninstall", f.WithSerial(), func(ctx context.Context) {
+			resourceName := b.ExtendedResourceName(drautils.SingletonIndex)
+			extendedResourceName := deployDevicePlugin(ctx, f, nodes.NodeNames[0:1])
+			gomega.Expect(string(extendedResourceName)).To(gomega.Equal(resourceName))
+
+			getAllocatable := func() int {
+				node, err := f.ClientSet.CoreV1().Nodes().Get(ctx, nodes.NodeNames[0], metav1.GetOptions{})
+				framework.ExpectNoError(err)
+				for name, quantity := range node.Status.Allocatable {
+					if string(name) == resourceName {
+						return int(quantity.Value())
+					}
+				}
+				return -1
+			}
+			gomega.Eventually(ctx, getAllocatable).WithTimeout(f.Timeouts.PodStart).Should(gomega.Equal(2))
+
+			ginkgo.By("Uninstall Device Plugin")
+			err := f.ClientSet.AppsV1().DaemonSets(f.Namespace.Name).DeleteCollection(
+				ctx,
+				metav1.DeleteOptions{},
+				metav1.ListOptions{LabelSelector: "k8s-app=sample-device-plugin"},
+			)
+			framework.ExpectNoError(err, "uninstall device plugin")
+
+			ginkgo.By("Wait for NodeStatus.Allocatable = 0")
+			gomega.Eventually(ctx, getAllocatable).WithTimeout(f.Timeouts.PodDelete).Should(gomega.BeZero())
+
+			ginkgo.By("Create test pod")
+			pod := b.Pod()
+			pod.Spec.Containers[0].Name = "container0"
+			res := v1.ResourceList{
+				v1.ResourceName(resourceName): resource.MustParse("1"),
+			}
+			pod.Spec.Containers[0].Resources.Requests = res
+			pod.Spec.Containers[0].Resources.Limits = res
+
+			b.Create(ctx, b.Class(drautils.SingletonIndex), pod)
+
+			err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
+			framework.ExpectNoError(err, "start pod")
+
+			ginkgo.By("Check that pod is processed by the DRA driver")
+			containerEnv := []string{
+				"container_0_request_0", "true",
+			}
+			drautils.TestContainerEnv(ctx, f, pod, pod.Spec.Containers[0].Name, false, containerEnv...)
+		})
 	})
 
 	framework.Context(f.WithFeatureGate(features.DRAExtendedResource), func() {
@@ -2032,23 +2510,26 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		// The test runs two pods, one pod request extended resource backed by DRA,
 		// the other pod requests extended resource by device plugin.
 		f.It("must run pods with extended resource on dra nodes and device plugin nodes", f.WithSerial(), func(ctx context.Context) {
+			var objects []klog.KMetadata
 			extendedResourceName := deployDevicePlugin(ctx, f, nodes.ExtraNodeNames)
-			// drautils.ExtendedResourceName(-1) must be the same as the returned extendedResourceName
-			// drautils.ExtendedResourceName(-1) is used for DRA drivers
+			// b.ExtendedResourceName(SingletonIndex) must be the same as the returned extendedResourceName.
+			// b.ExtendedResourceName(SingletonIndex) is used for DRA drivers whereas
 			// extendedResourceName is used for device plugin.
-			gomega.Expect(string(extendedResourceName)).To(gomega.Equal(drautils.ExtendedResourceName(-1)))
+			gomega.Expect(string(extendedResourceName)).To(gomega.Equal(b.ExtendedResourceName(drautils.SingletonIndex)))
 
 			pod1 := b.Pod()
 			res := v1.ResourceList{}
-			res[v1.ResourceName(drautils.ExtendedResourceName(-1))] = resource.MustParse("2")
+			res[v1.ResourceName(b.ExtendedResourceName(drautils.SingletonIndex))] = resource.MustParse("2")
 			pod1.Spec.Containers[0].Resources.Requests = res
 			pod1.Spec.Containers[0].Resources.Limits = res
-			b.Create(ctx, pod1)
+			objects = append(objects, b.Class(drautils.SingletonIndex), pod1)
 
 			pod2 := b.Pod()
 			pod2.Spec.Containers[0].Resources.Requests = res
 			pod2.Spec.Containers[0].Resources.Limits = res
-			b.Create(ctx, pod2)
+			objects = append(objects, pod2)
+
+			b.Create(ctx, objects...)
 
 			err := e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod1)
 			framework.ExpectNoError(err, "start pod1")
@@ -2086,7 +2567,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		//
 		// Could become a conformance test because it only depends
 		// on the apiserver.
-		f.It("creates slices", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func(ctx context.Context) {
+		f.It("creates slices", func(ctx context.Context) {
 			// Define desired resource slices.
 			driverName := f.Namespace.Name
 			numSlices := 100
@@ -2230,7 +2711,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			}).Should(gomega.Succeed())
 		})
 
-		f.It("truncates the name of a generated resource claim", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func(ctx context.Context) {
+		f.It("truncates the name of a generated resource claim", func(ctx context.Context) {
 			pod, template := b.PodInline()
 			pod.Name = strings.Repeat("p", 63)
 			pod.Spec.ResourceClaims[0].Name = strings.Repeat("c", 63)
@@ -2240,7 +2721,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			b.TestPod(ctx, f, pod)
 		})
 
-		f.It("supports count/resourceclaims.resource.k8s.io ResourceQuota", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func(ctx context.Context) {
+		f.It("supports count/resourceclaims.resource.k8s.io ResourceQuota", func(ctx context.Context) {
 			claim := &resourceapi.ResourceClaim{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "claim-0",
@@ -2312,10 +2793,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 			framework.ExpectNoError(err)
 			gomega.Expect(scheduledPod).ToNot(gomega.BeNil())
 
-			var shareIDStr *string
-			if shareID := allocatedResourceClaim.Status.Allocation.Devices.Results[0].ShareID; shareID != nil {
-				shareIDStr = ptr.To(string(*shareID))
-			}
+			shareID := (*string)(allocatedResourceClaim.Status.Allocation.Devices.Results[0].ShareID)
 
 			ginkgo.By("Setting the device status a first time")
 			allocatedResourceClaim.Status.Devices = append(allocatedResourceClaim.Status.Devices,
@@ -2323,7 +2801,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 					Driver:     allocatedResourceClaim.Status.Allocation.Devices.Results[0].Driver,
 					Pool:       allocatedResourceClaim.Status.Allocation.Devices.Results[0].Pool,
 					Device:     allocatedResourceClaim.Status.Allocation.Devices.Results[0].Device,
-					ShareID:    shareIDStr,
+					ShareID:    shareID,
 					Conditions: []metav1.Condition{{Type: "a", Status: "True", Message: "c", Reason: "d", LastTransitionTime: metav1.NewTime(time.Now().Truncate(time.Second))}},
 					Data:       &runtime.RawExtension{Raw: []byte(`{"foo":"bar"}`)},
 					NetworkData: &resourceapi.NetworkDeviceData{
@@ -2348,7 +2826,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 				Driver:     allocatedResourceClaim.Status.Allocation.Devices.Results[0].Driver,
 				Pool:       allocatedResourceClaim.Status.Allocation.Devices.Results[0].Pool,
 				Device:     allocatedResourceClaim.Status.Allocation.Devices.Results[0].Device,
-				ShareID:    shareIDStr,
+				ShareID:    shareID,
 				Conditions: []metav1.Condition{{Type: "e", Status: "True", Message: "g", Reason: "h", LastTransitionTime: metav1.NewTime(time.Now().Truncate(time.Second))}},
 				Data:       &runtime.RawExtension{Raw: []byte(`{"bar":"foo"}`)},
 				NetworkData: &resourceapi.NetworkDeviceData{
@@ -2375,7 +2853,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), func() {
 		driver := drautils.NewDriver(f, nodes, drautils.DriverResources(1))
 		driver.WithKubelet = false
 
-		f.It("must apply per-node permission checks", framework.WithLabel("ConformanceCandidate") /* TODO: replace with framework.WithConformance() */, func(ctx context.Context) {
+		f.It("must apply per-node permission checks", func(ctx context.Context) {
 			// All of the operations use the client set of a kubelet plugin for
 			// a fictional node which both don't exist, so nothing interferes
 			// when we actually manage to create a slice.
diff --git a/test/e2e/dra/kind.yaml b/test/e2e/dra/kind.yaml
index 8a4a731f087bd..e2536ad2d77c5 100644
--- a/test/e2e/dra/kind.yaml
+++ b/test/e2e/dra/kind.yaml
@@ -8,41 +8,65 @@ containerdConfigPatches:
     enable_cdi = true
 nodes:
 - role: control-plane
-  kubeadmConfigPatches:
+- role: worker
+- role: worker
+- role: worker
+kubeadmConfigPatches:
+  # v1beta4 for the future (v1.35.0+ ?)
+  # https://github.com/kubernetes-sigs/kind/issues/3847
+  # TODO: drop v1beta3 when kind makes the switch
   - |
     kind: ClusterConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta4
     scheduler:
         extraArgs:
-          v: "5"
-          vmodule: "allocator=6,dynamicresources=6" # structured/allocator.go, DRA scheduler plugin
+          - name: "v"
+            value: "5"
+          - name: "vmodule"
+            value: "allocator=6,dynamicresources=6" # structured/allocator.go, DRA scheduler plugin
     controllerManager:
         extraArgs:
-          v: "5"
-          vmodule: "controller=6" # resourceclaim/controller.go - should have renamed it when copying the controller it was based on!
+          - name: "v"
+            value: "5"
+          - name: "vmodule"
+            value: "controller=6" # resourceclaim/controller.go - should have renamed it when copying the controller it was based on!
     apiServer:
         extraArgs:
           runtime-config: "resource.k8s.io/v1alpha3=true,resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true"
   - |
     kind: InitConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta4
     nodeRegistration:
       kubeletExtraArgs:
-        v: "5"
-- role: worker
-  kubeadmConfigPatches:
+        - name: "v"
+          value: "5"
   - |
     kind: JoinConfiguration
     nodeRegistration:
       kubeletExtraArgs:
-        v: "5"
-- role: worker
-  kubeadmConfigPatches:
+        - name: "v"
+          value: "5"
+  # v1beta3 for v1.23.0 ... ?
   - |
-    kind: JoinConfiguration
+    kind: ClusterConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta3
+    scheduler:
+        extraArgs:
+          v: "5"
+          vmodule: "allocator=6,dynamicresources=6" # structured/allocator.go, DRA scheduler plugin
+    controllerManager:
+        extraArgs:
+          v: "5"
+          vmodule: "controller=6" # resourceclaim/controller.go - should have renamed it when copying the controller it was based on!
+    apiServer:
+        extraArgs:
+          runtime-config: "resource.k8s.io/v1alpha3=true,resource.k8s.io/v1beta1=true,resource.k8s.io/v1beta2=true"
+  - |
+    kind: InitConfiguration
+    apiVersion: kubeadm.k8s.io/v1beta3
     nodeRegistration:
       kubeletExtraArgs:
         v: "5"
-- role: worker
-  kubeadmConfigPatches:
   - |
     kind: JoinConfiguration
     nodeRegistration:
diff --git a/test/e2e/dra/test-driver/app/kubeletplugin.go b/test/e2e/dra/test-driver/app/kubeletplugin.go
index 59eb71397ab7e..1095cb27d66b5 100644
--- a/test/e2e/dra/test-driver/app/kubeletplugin.go
+++ b/test/e2e/dra/test-driver/app/kubeletplugin.go
@@ -401,6 +401,7 @@ func (ex *ExamplePlugin) nodePrepareResource(ctx context.Context, claim *resourc
 		device := kubeletplugin.Device{
 			PoolName:     result.Pool,
 			DeviceName:   result.Device,
+			ShareID:      result.ShareID,
 			Requests:     []string{result.Request}, // May also return baseRequestName here.
 			CDIDeviceIDs: []string{cdiDeviceID},
 		}
diff --git a/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml b/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml
deleted file mode 100644
index c1e007c7607e0..0000000000000
--- a/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: resource.k8s.io/v1alpha3
-kind: DeviceTaintRule
-metadata:
-  name: example
-spec:
-  # The entire hardware installation is broken.
-  # Evict all pods and don't schedule new ones.
-  selector:
-    driver: dra.example.com
-  taint:
-    key: dra.example.com/health
-    value: "Down"
-    effect: NoExecute
diff --git a/test/e2e/dra/test-driver/deploy/example/devicetaintrule.yaml b/test/e2e/dra/test-driver/deploy/example/devicetaintrule.yaml
new file mode 100644
index 0000000000000..5826411926691
--- /dev/null
+++ b/test/e2e/dra/test-driver/deploy/example/devicetaintrule.yaml
@@ -0,0 +1,13 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  name: example
+spec:
+  # The entire hardware installation is broken.
+  # Evict all pods and don't schedule new ones.
+  deviceSelector:
+    driver: test-driver.cdi.k8s.io
+  taint:
+    key: dra.example.com/unhealthy
+    value: "Down"
+    effect: NoExecute
diff --git a/test/e2e/dra/test-driver/deploy/example/pod-external-toleration.yaml b/test/e2e/dra/test-driver/deploy/example/pod-external-toleration.yaml
new file mode 100644
index 0000000000000..ce939feb26ae1
--- /dev/null
+++ b/test/e2e/dra/test-driver/deploy/example/pod-external-toleration.yaml
@@ -0,0 +1,41 @@
+# One external resource claim, one pod, two containers.
+# One container uses resource, one does not.
+apiVersion: resource.k8s.io/v1
+kind: ResourceClaim
+metadata:
+  name: external-claim
+spec:
+  devices:
+    requests:
+    - name: my-device
+      exactly:
+        deviceClassName: example
+        tolerations:
+        - key: "dra.example.com/unhealthy"
+          operator: "Exists"
+          effect: "NoExecute"
+    config:
+    - opaque:
+        driver: test-driver.cdi.k8s.io
+        parameters:
+          a: b
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-external-claim
+spec:
+  restartPolicy: Never
+  containers:
+  - name: with-resource
+    image: registry.k8s.io/e2e-test-images/agnhost:2.53
+    command: ["sh", "-c", "set && mount && ls -la /dev/ && /agnhost pause"]
+    resources:
+      claims:
+      - name: resource
+  - name: without-resource
+    image: registry.k8s.io/e2e-test-images/agnhost:2.53
+    command: ["sh", "-c", "set && mount && ls -la /dev/ && /agnhost pause"]
+  resourceClaims:
+  - name: resource
+    resourceClaimName: external-claim
diff --git a/test/e2e/dra/utils/builder.go b/test/e2e/dra/utils/builder.go
index b661d5e15f7a6..147e051e707c6 100644
--- a/test/e2e/dra/utils/builder.go
+++ b/test/e2e/dra/utils/builder.go
@@ -53,14 +53,15 @@ import (
 // "example.com/resource" is not special, any valid extended resource name can be used
 // instead, except when using example device plugin in the test, which hard coded it,
 // see test/e2e/dra/deploy_device_plugin.go.
-// i == -1 is special, the extended resource name has no extra suffix, it is
-// used in the test where a cluster has both DRA driver and device plugin.
-func ExtendedResourceName(i int) string {
-	suffix := ""
-	if i >= 0 {
-		suffix = strconv.Itoa(i)
+// i == -1 == SingletonIndex is special, the extended resource name has no extra suffix
+// and matches the one used by the example device plugin.
+func (b *Builder) ExtendedResourceName(i int) string {
+	switch i {
+	case SingletonIndex:
+		return "example.com/resource"
+	default:
+		return b.driver.Name + "/resource" + fmt.Sprintf("-%d", i)
 	}
-	return "example.com/resource" + suffix
 }
 
 // Builder contains a running counter to make objects unique within thir
@@ -80,17 +81,26 @@ func (b *Builder) ClassName() string {
 	return b.f.UniqueName + b.driver.NameSuffix + "-class"
 }
 
+// SingletonIndex causes Builder.Class and ExtendedResourceName to create a
+// DeviceClass where the the extended resource name has no %d
+// suffix and matches the name as used by the example device plugin.
+const SingletonIndex = -1
+
 // Class returns the device Class that the builder's other objects
 // reference.
 // The input i is used to pick the extended resource name whose suffix has the
 // same i for the device class.
-// i == -1 is special, the extended resource name has no extra suffix, it is
-// used in the test where a cluster has both DRA driver and device plugin.
+// i == -1 == SingletonIndex is special, the extended resource name has no extra suffix.
 func (b *Builder) Class(i int) *resourceapi.DeviceClass {
-	ern := ExtendedResourceName(i)
+	ern := b.ExtendedResourceName(i)
 	name := b.ClassName()
-	if i >= 0 {
-		name = b.ClassName() + strconv.Itoa(i)
+	switch i {
+	case SingletonIndex:
+		name += "-singleton"
+	case 0:
+		// No numeric suffix. This is what most tests use.
+	default:
+		name += "-" + strconv.Itoa(i)
 	}
 	class := &resourceapi.DeviceClass{
 		ObjectMeta: metav1.ObjectMeta{
@@ -343,6 +353,8 @@ func (b *Builder) Create(ctx context.Context, objs ...klog.KMetadata) []klog.KMe
 			})
 		case *v1.Pod:
 			createdObj, err = b.f.ClientSet.CoreV1().Pods(b.f.Namespace.Name).Create(ctx, obj, metav1.CreateOptions{})
+		case *v1.ResourceQuota:
+			createdObj, err = b.f.ClientSet.CoreV1().ResourceQuotas(b.f.Namespace.Name).Create(ctx, obj, metav1.CreateOptions{})
 		case *v1.ConfigMap:
 			createdObj, err = b.f.ClientSet.CoreV1().ConfigMaps(b.f.Namespace.Name).Create(ctx, obj, metav1.CreateOptions{})
 		case *resourceapi.ResourceClaim:
@@ -467,9 +479,7 @@ func NewBuilderNow(ctx context.Context, f *framework.Framework, driver *Driver)
 func (b *Builder) setUp(ctx context.Context) {
 	b.podCounter = 0
 	b.claimCounter = 0
-	for i := -1; i < 6; i++ {
-		b.Create(ctx, b.Class(i))
-	}
+	b.Create(ctx, b.Class(0))
 	ginkgo.DeferCleanup(b.tearDown)
 }
 
@@ -657,7 +667,9 @@ func ToDriverResources(counters []resourceapi.CounterSet, devices ...resourceapi
 						Slices: []resourceslice.Slice{
 							{
 								SharedCounters: counters,
-								Devices:        devices,
+							},
+							{
+								Devices: devices,
 							},
 						},
 					},
diff --git a/test/e2e/dra/utils/deploy.go b/test/e2e/dra/utils/deploy.go
index cad8709fc4243..589048c0a8e90 100644
--- a/test/e2e/dra/utils/deploy.go
+++ b/test/e2e/dra/utils/deploy.go
@@ -149,7 +149,7 @@ func (nodes *Nodes) init(ctx context.Context, f *framework.Framework, minNodes,
 	claimInformer := cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
-				slices, err := resourceClient.ResourceClaims("").List(ctx, options)
+				slices, err := resourceClient.ResourceClaims(f.Namespace.Name).List(ctx, options)
 				if err == nil {
 					resourceClaimLogger.Info("Listed ResourceClaims", "resourceAPI", resourceClient.CurrentAPI(), "numClaims", len(slices.Items), "listMeta", slices.ListMeta)
 				} else {
@@ -158,7 +158,7 @@ func (nodes *Nodes) init(ctx context.Context, f *framework.Framework, minNodes,
 				return slices, err
 			},
 			WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
-				w, err := resourceClient.ResourceClaims("").Watch(ctx, options)
+				w, err := resourceClient.ResourceClaims(f.Namespace.Name).Watch(ctx, options)
 				if err == nil {
 					resourceClaimLogger.Info("Started watching ResourceClaims", "resourceAPI", resourceClient.CurrentAPI())
 					wrapper := newWatchWrapper(klog.LoggerWithName(resourceClaimLogger, fmt.Sprintf("%d", resourceClaimWatchCounter.Load())), w)
@@ -637,21 +637,24 @@ func (d *Driver) SetUp(nodes *Nodes, driverResources map[string]resourceslice.Dr
 		d.cleanup = append(d.cleanup, func(ctx context.Context) {
 			// Depends on cancel being called first.
 			plugin.Stop()
-
-			// Also explicitly stop all pods.
-			ginkgo.By("scaling down driver proxy pods for " + d.Name)
-			rs, err := d.f.ClientSet.AppsV1().ReplicaSets(d.f.Namespace.Name).Get(ctx, rsName, metav1.GetOptions{})
-			framework.ExpectNoError(err, "get ReplicaSet for driver "+d.Name)
-			rs.Spec.Replicas = ptr.To(int32(0))
-			rs, err = d.f.ClientSet.AppsV1().ReplicaSets(d.f.Namespace.Name).Update(ctx, rs, metav1.UpdateOptions{})
-			framework.ExpectNoError(err, "scale down ReplicaSet for driver "+d.Name)
-			if err := e2ereplicaset.WaitForReplicaSetTargetAvailableReplicas(ctx, d.f.ClientSet, rs, 0); err != nil {
-				framework.ExpectNoError(err, "all kubelet plugin proxies stopped")
-			}
 		})
 		d.Nodes[nodename] = KubeletPlugin{ExamplePlugin: plugin, ClientSet: driverClient}
 	}
 
+	// Scale down the proxy ReplicaSet after all per-node plugins have
+	// been stopped.
+	d.cleanup = append(d.cleanup, func(ctx context.Context) {
+		ginkgo.By("scaling down driver proxy pods for" + d.Name)
+		rs, err := d.f.ClientSet.AppsV1().ReplicaSets(d.f.Namespace.Name).Get(ctx, rsName, metav1.GetOptions{})
+		framework.ExpectNoError(err, "get ReplicaSet for driver "+d.Name)
+		rs.Spec.Replicas = ptr.To(int32(0))
+		rs, err = d.f.ClientSet.AppsV1().ReplicaSets(d.f.Namespace.Name).Update(ctx, rs, metav1.UpdateOptions{})
+		framework.ExpectNoError(err, "scale down ReplicaSet for driver "+d.Name)
+		if err := e2ereplicaset.WaitForReplicaSetTargetAvailableReplicas(ctx, d.f.ClientSet, rs, 0); err != nil {
+			framework.ExpectNoError(err, "all kubelet plugin proxies stopped")
+		}
+	})
+
 	if !d.WithKubelet {
 		return
 	}
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 5c57cbd611862..e968787d619ee 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -53,6 +53,7 @@ import (
 	_ "k8s.io/kubernetes/test/e2e/common"
 	_ "k8s.io/kubernetes/test/e2e/dra"
 	_ "k8s.io/kubernetes/test/e2e/instrumentation"
+	_ "k8s.io/kubernetes/test/e2e/invariants"
 	_ "k8s.io/kubernetes/test/e2e/kubectl"
 	_ "k8s.io/kubernetes/test/e2e/lifecycle"
 	_ "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
diff --git a/test/e2e/feature/feature.go b/test/e2e/feature/feature.go
index c9ecbaa29d1c8..e097f4c7a147c 100644
--- a/test/e2e/feature/feature.go
+++ b/test/e2e/feature/feature.go
@@ -170,10 +170,6 @@ var (
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	GPUUpgrade = framework.WithFeature(framework.ValidFeatures.Add("GPUUpgrade"))
 
-	// OWNER: sig-node
-	// Testing garbage collection of images/containers
-	GarbageCollect = framework.WithFeature(framework.ValidFeatures.Add("GarbageCollect"))
-
 	// OWNER: sig-node
 	// Testing graceful node shutdown
 	GracefulNodeShutdown = framework.WithFeature(framework.ValidFeatures.Add("GracefulNodeShutdown"))
@@ -328,7 +324,7 @@ var (
 	PodGarbageCollector = framework.WithFeature(framework.ValidFeatures.Add("PodGarbageCollector"))
 
 	// owner: sig-node
-	// Marks a test for for pod-level resources feature that requires
+	// Marks a test for pod-level resources feature that requires
 	// PodLevelResources feature gate to be enabled.
 	PodLevelResources = framework.WithFeature(framework.ValidFeatures.Add("PodLevelResources"))
 
@@ -337,10 +333,6 @@ var (
 	// (used for testing specific log stream <https://kep.k8s.io/3288>)
 	PodLogsQuerySplitStreams = framework.WithFeature(framework.ValidFeatures.Add("PodLogsQuerySplitStreams"))
 
-	// Owner: sig-node
-	// Marks tests that require a cluster with PodObservedGenerationTracking
-	PodObservedGenerationTracking = framework.WithFeature(framework.ValidFeatures.Add("PodObservedGenerationTracking"))
-
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	PodPriority = framework.WithFeature(framework.ValidFeatures.Add("PodPriority"))
 
@@ -415,10 +407,6 @@ var (
 	// and the networking.k8s.io/v1alpha1 API.
 	ServiceCIDRs = framework.WithFeature(framework.ValidFeatures.Add("ServiceCIDRs"))
 
-	// Owner: sig-node
-	// Sidecar KEP-753
-	SidecarContainers = framework.WithFeature(framework.ValidFeatures.Add("SidecarContainers"))
-
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	StackdriverAcceleratorMonitoring = framework.WithFeature(framework.ValidFeatures.Add("StackdriverAcceleratorMonitoring"))
 
@@ -451,13 +439,7 @@ var (
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	StorageVersionAPI = framework.WithFeature(framework.ValidFeatures.Add("StorageVersionAPI"))
 
-	// Owner: sig-node
-	// Marks tests that require a cluster with SupplementalGroupsPolicy
-	// (used for testing fine-grained SupplementalGroups control <https://kep.k8s.io/3619>)
-	SupplementalGroupsPolicy = framework.WithFeature(framework.ValidFeatures.Add("SupplementalGroupsPolicy"))
-
-	// Added to test Swap Feature
-	// This label should be used when testing KEP-2400 (Node Swap Support)
+	// The Swap feature tests must run on nodes with the swap memory allocated and kubelet swap enabled. KEP-2400 (Node Swap Support)
 	Swap = framework.WithFeature(framework.ValidFeatures.Add("NodeSwap"))
 
 	SystemNodeCriticalPod = framework.WithFeature(framework.ValidFeatures.Add("SystemNodeCriticalPod"))
@@ -468,11 +450,10 @@ var (
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	Upgrade = framework.WithFeature(framework.ValidFeatures.Add("Upgrade"))
 
-	// Owned by SIG Node
-	// Can be used when the UserNamespacesPodSecurityStandards kubelet feature
-	// gate is enabled to relax the application of Pod Security Standards in a
-	// controlled way.
-	UserNamespacesPodSecurityStandards = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesPodSecurityStandards"))
+	// Owner: sig-node
+	// Test marked with this feature must run on nodes where container runtime allows to pods with hostNetwork to use user namespaces.
+	// This feature can be removed once Containerd and CRI-O both added this support.
+	UserNamespacesHostNetworkSupport = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesHostNetworkSupport"))
 
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	UserNamespacesSupport = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesSupport"))
diff --git a/test/e2e/framework/autoscaling/autoscaling_utils.go b/test/e2e/framework/autoscaling/autoscaling_utils.go
index 799cd56e9658f..23365fa4ae856 100644
--- a/test/e2e/framework/autoscaling/autoscaling_utils.go
+++ b/test/e2e/framework/autoscaling/autoscaling_utils.go
@@ -40,6 +40,7 @@ import (
 	scaleclient "k8s.io/client-go/scale"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edebug "k8s.io/kubernetes/test/e2e/framework/debug"
+	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	e2erc "k8s.io/kubernetes/test/e2e/framework/rc"
 	e2eresource "k8s.io/kubernetes/test/e2e/framework/resource"
@@ -62,8 +63,6 @@ const (
 	targetPort                      = 8080
 	sidecarTargetPort               = 8081
 	timeoutRC                       = 120 * time.Second
-	startServiceTimeout             = time.Minute
-	startServiceInterval            = 5 * time.Second
 	invalidKind                     = "ERROR: invalid workload kind for resource consumer"
 	customMetricName                = "QPS"
 	serviceInitializationTimeout    = 2 * time.Minute
@@ -613,8 +612,8 @@ func runServiceAndSidecarForResourceConsumer(ctx context.Context, c clientset.In
 
 	framework.ExpectNoError(e2erc.RunRC(ctx, controllerRcConfig))
 	// Wait for endpoints to propagate for the controller service.
-	framework.ExpectNoError(framework.WaitForServiceEndpointsNum(
-		ctx, c, ns, controllerName, 1, startServiceInterval, startServiceTimeout))
+	framework.ExpectNoError(e2eendpointslice.WaitForEndpointCount(
+		ctx, c, ns, controllerName, 1))
 }
 
 func runServiceAndWorkloadForResourceConsumer(ctx context.Context, c clientset.Interface, resourceClient dynamic.ResourceInterface, apiExtensionClient crdclientset.Interface, ns, name string, kind schema.GroupVersionKind, replicas int, cpuLimitMillis, memLimitMb int64, podAnnotations, serviceAnnotations map[string]string, additionalContainers []v1.Container, podResources *v1.ResourceRequirements) {
@@ -699,8 +698,8 @@ func runServiceAndWorkloadForResourceConsumer(ctx context.Context, c clientset.I
 
 	framework.ExpectNoError(e2erc.RunRC(ctx, controllerRcConfig))
 	// Wait for endpoints to propagate for the controller service.
-	framework.ExpectNoError(framework.WaitForServiceEndpointsNum(
-		ctx, c, ns, controllerName, 1, startServiceInterval, startServiceTimeout))
+	framework.ExpectNoError(e2eendpointslice.WaitForEndpointCount(
+		ctx, c, ns, controllerName, 1))
 }
 
 func CreateHorizontalPodAutoscaler(ctx context.Context, rc *ResourceConsumer, targetRef autoscalingv2.CrossVersionObjectReference, namespace string, metrics []autoscalingv2.MetricSpec, resourceType v1.ResourceName, metricTargetType autoscalingv2.MetricTargetType, metricTargetValue, minReplicas, maxReplicas int32) *autoscalingv2.HorizontalPodAutoscaler {
diff --git a/test/e2e/framework/conformance/.import-restrictions b/test/e2e/framework/conformance/.import-restrictions
new file mode 100644
index 0000000000000..03b5ee5ec2c7a
--- /dev/null
+++ b/test/e2e/framework/conformance/.import-restrictions
@@ -0,0 +1,12 @@
+# This E2E framework sub-package is currently allowed to use arbitrary
+# dependencies except of k/k/pkg, therefore we need to override the
+# restrictions from the parent .import-restrictions file.
+#
+# At some point it may become useful to also check this package's
+# dependencies more careful.
+rules:
+  - selectorRegexp: "^k8s[.]io/kubernetes/pkg"
+    allowedPrefixes: []
+
+  - selectorRegexp: ""
+    allowedPrefixes: [ "" ]
diff --git a/test/e2e/framework/conformance/compare.go b/test/e2e/framework/conformance/compare.go
new file mode 100644
index 0000000000000..29ab0c2ac2ce0
--- /dev/null
+++ b/test/e2e/framework/conformance/compare.go
@@ -0,0 +1,99 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"github.com/google/go-cmp/cmp"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+// compareObjects checks that all expected fields are set as expected.
+// The actual object may have additional fields, their values are ignored.
+func compareObjects(expected, actual *unstructured.Unstructured) string {
+	diff := cmp.Diff(expected.Object, actual.Object,
+		// Fields which are not in the expected object can be ignored.
+		// Only existing fields need to be compared.
+		//
+		// A maybe (?) simpler approach would be to trim the actual object,
+		// then compare with go-cmp. The advantage of telling go-cmp to
+		// ignore fields is that they show up as truncated ("...") in the diff,
+		// which is a bit more correct.
+		cmp.FilterPath(func(path cmp.Path) bool {
+			return fieldIsMissing(expected.Object, path)
+		}, cmp.Ignore()),
+	)
+	return diff
+}
+
+// fieldIsMissing returns true if the field identified by the path is not
+// present in the object. It works by recursively descending along the
+// path and checking the corresponding content of the object along the way.
+func fieldIsMissing(obj map[string]any, path cmp.Path) bool {
+	// First entry is a NOP.
+	missing := fieldIsMissingStep(obj, path[1:])
+	// Uncomment for debugging...
+	// fmt.Printf("fieldIsMissing: %s %v\n", path.GoString(), missing)
+	return missing
+}
+
+func fieldIsMissingStep(value any, path []cmp.PathStep) bool {
+	if len(path) == 0 {
+		// Done, full path was checked.
+		return false
+	}
+	// We only need to descend for certain lookup steps,
+	// everything else is treated as "not missing" and thus
+	// gets compared.
+	switch pathElement := path[0].(type) {
+	case cmp.MapIndex:
+		key := pathElement.Key().String()
+		value, ok := value.(map[string]any)
+		if !ok {
+			// Type mismatch.
+			return false
+		}
+		entry, found := value[key]
+		if !found {
+			return true
+		}
+		return fieldIsMissingStep(entry, path[1:])
+	case cmp.SliceIndex:
+		key := pathElement.Key()
+		value, ok := value.([]any)
+		if !ok {
+			// Type mismatch.
+			return false
+		}
+		if key < 0 {
+			// Not sure why go-cmp uses a negative index, so let's compare it.
+			return false
+		}
+		if key >= len(value) {
+			// Slice is smaller -> missing entry.
+			return true
+		}
+		entry := value[key]
+		return fieldIsMissingStep(entry, path[1:])
+	case cmp.TypeAssertion:
+		// Actual value type will be checked when needed,
+		// skip the assertion here.
+		return fieldIsMissingStep(value, path[1:])
+	default:
+		return false
+	}
+}
diff --git a/test/e2e/framework/conformance/compare_test.go b/test/e2e/framework/conformance/compare_test.go
new file mode 100644
index 0000000000000..dcfc054b31542
--- /dev/null
+++ b/test/e2e/framework/conformance/compare_test.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestCompareObjects(t *testing.T) {
+	for name, tc := range map[string]struct {
+		expected, actual string
+		expectedDiff     string
+	}{
+		"equal": {
+			expected: `{"kind":"test","hello":"world"}`,
+			actual:   `{"kind":"test","hello":"world"}`,
+		},
+
+		"missing": {
+			expected: `{"kind":"test","hello":"world"}`,
+			actual:   `{"kind":"test"}`,
+			expectedDiff: `  map[string]any{
+- 	"hello": string("world"),
+  	"kind":  string("test"),
+  }
+`,
+		},
+
+		"added": {
+			expected: `{"kind":"test","hello":"world"}`,
+			actual:   `{"kind":"test","hello":"world","foo":"bar"}`,
+		},
+
+		"replaced": {
+			expected: `{"kind":"test","hello":"world"}`,
+			actual:   `{"kind":"test","hello":1}`,
+			expectedDiff: `  map[string]any{
+- 	"hello": string("world"),
++ 	"hello": int64(1),
+  	"kind":  string("test"),
+  }
+`,
+		},
+
+		"recursive": {
+			expected: `{"kind":"test","spec":{"hello":"world","removed":42}}`,
+			actual:   `{"kind":"test","spec":{"hello":1,"added":42}}`,
+			expectedDiff: `  map[string]any{
+  	"kind": string("test"),
+  	"spec": map[string]any{
+  		... // 1 ignored entry
+- 		"hello":   string("world"),
++ 		"hello":   int64(1),
+- 		"removed": int64(42),
+  	},
+  }
+`,
+		},
+
+		"list": {
+			expected: `{"kind":"test","items":[{"index":0},{"hello":"world","removed":42}]}`,
+			actual:   `{"kind":"test","items":[{"index":0,"added":true},{"hello":1,"added":42},{"new-entry": true},"new-non-object-entry"]}`,
+			expectedDiff: `  map[string]any{
+  	"items": []any{
+  		map[string]any{"index": int64(0), ...},
++ 		map[string]any{"added": int64(42), "hello": int64(1)},
++ 		map[string]any{"new-entry": bool(true)},
+- 		map[string]any{"hello": string("world"), "removed": int64(42)},
++ 		string("new-non-object-entry"),
+  	},
+  	"kind": string("test"),
+  }`,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			var expected, actual unstructured.Unstructured
+			require.NoError(t, expected.UnmarshalJSON([]byte(tc.expected)), "unmarshal expected")
+			require.NoError(t, actual.UnmarshalJSON([]byte(tc.actual)), "unmarshal actual")
+			actualDiff := compareObjects(&expected, &actual)
+			t.Logf("Actual diff:\n%s", actualDiff)
+			// Upstream go-cmp does not want the diff output to be checked in
+			// tests because it is not stable. They intentionally randomly
+			// switch between space and non-break space to enforce that
+			// (https://github.com/google/go-cmp/issues/366).
+			//
+			// Therefore the expected diff is merely informative, we only check
+			// for empty vs. not empty.
+			if tc.expectedDiff == "" {
+				require.Empty(t, actualDiff)
+			} else {
+				require.NotEmpty(t, actualDiff)
+			}
+		})
+	}
+}
diff --git a/test/e2e/framework/conformance/conformance.go b/test/e2e/framework/conformance/conformance.go
new file mode 100644
index 0000000000000..e1c6139abf6be
--- /dev/null
+++ b/test/e2e/framework/conformance/conformance.go
@@ -0,0 +1,946 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"slices"
+	"time"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	gtypes "github.com/onsi/gomega/types"
+
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/dynamic/dynamicinformer"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
+	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/utils/format"
+	"k8s.io/utils/ptr"
+	k8sjson "sigs.k8s.io/json"
+)
+
+// ResourceTestcaseInterface describes how to test one particular API endpoint
+// by executing different operations against it.
+//
+// The content of created or patched objects is verified by ensuring that
+// all fields are set as in the sent object. Extra fields or map entries
+// are ignored.
+//
+// Basic create/read/update/delete (CRUD) semantic is covered, which
+// is the minimum that is required for conformance testing of a
+// GA feature. Actual functional testing is desirable, but not
+// required.
+//
+// See [ResourceTestcase] for an implementation of this interface
+// where test data is provided as Go objects and patch strings.
+type ResourceTestcaseInterface interface {
+	// GetGroupVersionResource returns the API group, version, and resource (plural form, lower case).
+	GetGroupVersionResource() schema.GroupVersionResource
+
+	// IsNamespaced defines whether the object must be created inside a namespace.
+	IsNamespaced() bool
+
+	// HasStatus defines whether the resource has a "status" sub-resource.
+	//
+	// Other sub-resources are not supported by this common test code.
+	HasStatus() bool
+
+	// VerifyContent defines whether the content of objects returned by
+	// the apiserver gets compared against the content that was sent.
+	//
+	// If enabled, all field values that were sent must also be included
+	// in the returned object. Additional fields and list or map entries
+	// may get added (for example, because of defaulting or mutating
+	// admission).
+	//
+	// This should not be enabled in conformance tests because admission
+	// is allowed to modify what is being stored.
+	VerifyContent() bool
+
+	// GetInitialObject returns the data which is going to be used in a Create call.
+	//
+	// For cluster-scoped resources the test namespace can be used
+	// to create a name which does not conflict with other objects
+	// because it is unique while the test runs.
+	//
+	// It does not need to be set for namespaced resources because the
+	// caller will ensure that. The caller cannot do that for the name because
+	// different resources have different rules for what names are valid
+	GetInitialObject(namespace string) *unstructured.Unstructured
+
+	// GetUpdateSpec modifies an existing object.
+	// It gets called for the result of creating the initial object.
+	//
+	// Ideally it should  change the spec (hence the name).
+	// If that is impossible, then adding some label is also okay.
+	// The goal is to add some fields that can be checked for
+	// after an Update.
+	//
+	// May modify and return the input object.
+	GetUpdateSpec(object *unstructured.Unstructured) *unstructured.Unstructured
+
+	// GetUpdateStatus modifies the status of an existing object.
+	// It gets called for the result of creating the initial object
+	// and then updating its spec.
+	//
+	// May modify and return the input object.
+	GetUpdateStatus(object *unstructured.Unstructured) *unstructured.Unstructured
+
+	// GetPatchSpec describes how to generate patches.
+	//
+	// Each patch is applied to the initial object by itself, without the other patches.
+	// An empty slice is valid and disables testing of patching. This may not be sufficient
+	// for full conformance testing of the resource.
+	//
+	// If content verification is enabled, then this must cause the same change as GetUpdateSpec
+	// because verification of the patch result uses the GetUpdateSpec result as reference.
+	GetPatchSpec() []Patch
+
+	// GetPatchStatus is like GetPatchSpec for the status.
+	//
+	// The initial object with the updated spec gets patched,
+	// so the result must match the result of GetUpdateStatus
+	// applied to GetInitialObject if content verification is
+	// enabled.
+	GetPatchStatus(object *unstructured.Unstructured) []Patch
+}
+
+// Patch contains the parameters for a Patch API call.
+//
+// The data must match an existing object.
+//
+// There's no retry loop because of conflicts, so the patch should not include
+// a check of the ResourceVersion. Checking the UID in the patch is encouraged to prevent
+// patching a replaced resource.
+type Patch struct {
+	GetData func(object *unstructured.Unstructured) []byte
+	Type    types.PatchType
+}
+
+// ResourceTestcase provides test data for testing operations for a resource.
+// Test data is based on the native Go type of the resource.
+// The template parameter must be a pointer to the native Go type.
+//
+// The data is used like this:
+// - create InitialSpec -> update with UpdateSpec -> update status with UpdateStatus
+// - create InitialSpec -> apply StrategicMergePatchSpec and compare against UpdateSpec -> apply StrategicMergePatchStatus and compare against UpdateStatus
+type ResourceTestcase[T runtime.Object] struct {
+	// GroupResourceVersion identifies the API group, version and resource (plural form, lower case)
+	// within that API which is to be tested.
+	GVR schema.GroupVersionResource
+
+	// Namespaced must be true if the resource must be created in a
+	// namespace, false if it is cluster-scoped. Leaving it unset is
+	// an error.
+	//
+	// Namespaced resources get created in the test namespace.
+	//
+	// The name of cluster-scoped resources gets extended with
+	// `-<test namespace name>` to make it unique.
+	Namespaced *bool
+
+	// ContentVerificationEnabled defines whether the content of objects returned by
+	// the apiserver gets compared against the content that was sent.
+	//
+	// If enabled, all field values that were sent must also be included
+	// in the returned object. Additional fields and list or map entries
+	// may get added (for example, because of defaulting or mutating
+	// admission).
+	//
+	// This should not be enabled in conformance tests because admission
+	// is allowed to modify what is being stored.
+	ContentVerificationEnabled bool
+
+	// InitialSpec must contain the initial state of a valid resource, without a status.
+	InitialSpec T
+
+	// UpdateSpec gets called for the created initial object
+	// and must update something, ideally the spec (hence the name).
+	// If that is not possible, then adding some label also works
+	// for the sake of testing an update.
+	//
+	// May modify and return the input object.
+	UpdateSpec func(T) T
+
+	// UpdateStatus gets called for the updated object
+	// and must add a status.
+	//
+	// May be nil if no status is supported.
+	//
+	// May modify and return the input object.
+	UpdateStatus func(T) T
+
+	// StrategicMergePatchSpec may modify fields in InitialSpec
+	// with a strategic merge patch
+	// (https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md).
+	// Muse use JSON encoding.
+	//
+	// If content verification is enabled, then this must contain the same change as UpdateSpec
+	// because verification of the patch result uses UpdateSpec as reference.
+	StrategicMergePatchSpec string
+
+	// StrategicMergePatchStatus may add status fields
+	// with a strategic merge patch
+	// (https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md)
+	// Must use JSON encoding.
+	//
+	// The initial object with the updated spec gets patched,
+	// so the result must match GetUpdateStatus
+	// applied to GetInitialObject if content verification is
+	// enabled.
+	//
+	// If empty, the status sub-resource is not getting tested.
+	// May contain the name, but that's not required.
+	StrategicMergePatchStatus string
+
+	// ApplyPatchSpec corresponds to StrategicMergePatchSpec,
+	// using the JSON encoding of a server-side-apply (SSA) patch
+	// (https://kubernetes.io/docs/reference/using-api/server-side-apply).
+	ApplyPatchSpec string
+
+	// ApplyPatchStatus corresponds to StrategicMergePatchStatus,
+	// using the JSON encoding of a server-side-apply (SSA) patch
+	// (https://kubernetes.io/docs/reference/using-api/server-side-apply).
+	ApplyPatchStatus string
+
+	// JSONPatchSpec corresponds to StrategicMergePatchSpec,
+	// using a JSON patch (https://tools.ietf.org/html/rfc6902).
+	JSONPatchSpec string
+
+	// JSONPatchStatus corresponds to StrategicMergePatchStatus,
+	// using a JSON patch (https://tools.ietf.org/html/rfc6902).
+	JSONPatchStatus string
+
+	// JSONMergePatchSpec corresponds to StrategicMergePatchSpec,
+	// using a JSON merge patch (https://tools.ietf.org/html/rfc7386).
+	JSONMergePatchSpec string
+
+	// JSONMergePatchStatus corresponds to StrategicMergePatchStatus,
+	// using a JSON merge patch (https://tools.ietf.org/html/rfc7386).
+	JSONMergePatchStatus string
+}
+
+var _ ResourceTestcaseInterface = &ResourceTestcase[*v1.Pod]{}
+
+func (tc *ResourceTestcase[T]) GetGroupVersionResource() schema.GroupVersionResource {
+	return tc.GVR
+}
+
+func (tc *ResourceTestcase[T]) IsNamespaced() bool {
+	if tc.Namespaced == nil {
+		framework.Fail("Test case error: Namespaced must be set")
+	}
+
+	return *tc.Namespaced
+}
+
+func (tc *ResourceTestcase[T]) HasStatus() bool {
+	return tc.UpdateStatus != nil
+}
+
+func (tc *ResourceTestcase[T]) VerifyContent() bool {
+	return tc.ContentVerificationEnabled
+}
+
+func (tc *ResourceTestcase[T]) GetInitialObject(namespace string) *unstructured.Unstructured {
+	object := tc.toUnstructured("InitialSpec", tc.InitialSpec)
+	if object.GetName() == "" {
+		object.SetName("test")
+	}
+	if !tc.IsNamespaced() {
+		object.SetName(object.GetName() + "-" + namespace)
+	}
+
+	return object
+}
+
+func (tc *ResourceTestcase[T]) GetUpdateSpec(in *unstructured.Unstructured) *unstructured.Unstructured {
+	out := tc.fromUnstructured("existing object", in)
+	out = tc.UpdateSpec(out)
+	return tc.toUnstructured("updated object", out)
+}
+
+func (tc *ResourceTestcase[T]) GetUpdateStatus(in *unstructured.Unstructured) *unstructured.Unstructured {
+	out := tc.fromUnstructured("updated object", in)
+	out = tc.UpdateStatus(out)
+	return tc.toUnstructured("updated object with status", out)
+}
+
+func (tc *ResourceTestcase[T]) GetPatchSpec() []Patch {
+	var patches []Patch
+
+	if tc.StrategicMergePatchSpec != "" {
+		patches = append(patches, Patch{
+			Type: types.StrategicMergePatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("StrategicMergePatchSpec", tc.StrategicMergePatchSpec, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode spec patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.ApplyPatchSpec != "" {
+		patches = append(patches, Patch{
+			Type: types.ApplyPatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("ApplyPatchSpec", tc.ApplyPatchSpec, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode spec patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.JSONMergePatchSpec != "" {
+		patches = append(patches, Patch{
+			Type: types.MergePatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("JSONMergePatchSpec", tc.JSONMergePatchSpec, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode spec patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.JSONPatchSpec != "" {
+		patches = append(patches, Patch{
+			Type: types.JSONPatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				return []byte(tc.JSONPatchSpec)
+			},
+		})
+	}
+
+	return patches
+}
+
+func (tc *ResourceTestcase[T]) GetPatchStatus(object *unstructured.Unstructured) []Patch {
+	var patches []Patch
+
+	if tc.StrategicMergePatchStatus != "" {
+		patches = append(patches, Patch{
+			Type: types.StrategicMergePatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("StrategicMergePatchStatus", tc.StrategicMergePatchStatus, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode status patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.ApplyPatchStatus != "" {
+		patches = append(patches, Patch{
+			Type: types.ApplyPatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("ApplyPatchStatus", tc.ApplyPatchStatus, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode status patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.JSONMergePatchStatus != "" {
+		patches = append(patches, Patch{
+			Type: types.MergePatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				patch := tc.createPatchObject("JSONMergePatchStatus", tc.JSONMergePatchStatus, existingObject)
+
+				jsonData, err := patch.MarshalJSON()
+				framework.ExpectNoError(err, "re-encode status patch as JSON")
+
+				return jsonData
+			},
+		})
+	}
+
+	if tc.JSONPatchStatus != "" {
+		patches = append(patches, Patch{
+			Type: types.JSONPatchType,
+			GetData: func(existingObject *unstructured.Unstructured) []byte {
+				return []byte(tc.JSONPatchStatus)
+			},
+		})
+	}
+
+	return patches
+}
+
+func (tc *ResourceTestcase[T]) toUnstructured(what string, in T) *unstructured.Unstructured {
+	data, err := json.Marshal(in)
+	framework.ExpectNoError(err, "encode %s as JSON", what)
+
+	out := tc.toUnstructuredFromJSON(what, data)
+
+	return out
+}
+
+func (tc *ResourceTestcase[T]) toUnstructuredFromJSON(what string, in []byte) *unstructured.Unstructured {
+	// UnmarshalCaseSensitivePreserveInts does not need kind (in contrast to unstructured.Unstructured.UnmarshalJSON)
+	// and matches the behavior of preserving ints that we get when receiving from the apiserver (in contrast to plain json.Unmarshal).
+	var out unstructured.Unstructured
+	err := k8sjson.UnmarshalCaseSensitivePreserveInts(in, &out.Object)
+	framework.ExpectNoError(err, "decode %s from JSON", what)
+
+	return &out
+
+}
+
+func (tc *ResourceTestcase[T]) fromUnstructured(what string, in *unstructured.Unstructured) T {
+	data, err := in.MarshalJSON()
+	framework.ExpectNoError(err, "encode %s as JSON", what)
+
+	var out T
+	err = k8sjson.UnmarshalCaseSensitivePreserveInts(data, &out)
+	framework.ExpectNoError(err, "decode %s from JSON", what)
+
+	return out
+
+}
+
+// createPatchObject parses JSON data and then copies namespace/name/uid/kind/apiVersion from the existing object
+// to make the patch complete. This works for strategic merge patches, apply patches and JSON merge patches.
+func (tc *ResourceTestcase[T]) createPatchObject(what string, data string, existingObject *unstructured.Unstructured) *unstructured.Unstructured {
+	object := tc.toUnstructuredFromJSON(what, []byte(data))
+	object.SetNamespace(existingObject.GetNamespace())
+	object.SetName(existingObject.GetName())
+	object.SetUID(existingObject.GetUID())
+	object.SetAPIVersion(existingObject.GetAPIVersion())
+	object.SetKind(existingObject.GetKind())
+	return object
+}
+
+// TestResource covers all the typical endpoints for a resource through
+// dynamic client calls.
+func TestResource(ctx context.Context, f *framework.Framework, tc ResourceTestcaseInterface) {
+	// Set up clients.
+	gvr := tc.GetGroupVersionResource()
+	gv := gvr.GroupVersion()
+	resource := gvr.Resource
+	resourceClient := f.DynamicClient.Resource(gvr)
+	var client dynamic.ResourceInterface
+	var resourceType string
+	if tc.IsNamespaced() {
+		client = resourceClient.Namespace(f.Namespace.Name)
+		resourceType = "namespaced resource"
+	} else {
+		client = resourceClient
+		resourceType = "cluster-scoped resource"
+	}
+	// e.g. `cluster-scoped resource "deviceclasses"`
+	// gvr.String() is too long and includes a comma ("resource.k8s.io/v1, Resource=deviceclasses").
+	resourceType = fmt.Sprintf("%s %q", resourceType, gvr.Resource)
+	config := dynamic.ConfigFor(f.ClientConfig())
+	httpClient, err := rest.HTTPClientFor(config)
+	framework.ExpectNoError(err, "construct HTTP client")
+	restClient, err := rest.UnversionedRESTClientForConfigAndClient(config, httpClient)
+	framework.ExpectNoError(err, "construct REST client")
+
+	// All objects get one label added by the test for List and DeleteCollection.
+	// The label must get added to all objects returned by ResourceTestcase
+	// because the implementation of that interface is unaware of the extra label.
+	labelName := "e2e-test.kubernetes.io"
+	labelValue := f.UniqueName
+	listOptions := metav1.ListOptions{LabelSelector: labelName + "=" + labelValue}
+	addLabel := func(obj *unstructured.Unstructured) *unstructured.Unstructured {
+		obj = obj.DeepCopy()
+		labels := obj.GetLabels()
+		if labels == nil {
+			labels = make(map[string]string)
+		}
+		labels[labelName] = labelValue
+		obj.SetLabels(labels)
+		return obj
+	}
+
+	// Prepare for Create, Get and List.
+	desiredInitialObject := addLabel(tc.GetInitialObject(f.Namespace.Name))
+	if tc.IsNamespaced() {
+		desiredInitialObject.SetNamespace(f.Namespace.Name)
+	}
+
+	getResource := func(ctx context.Context) (*unstructured.Unstructured, error) {
+		return client.Get(ctx, desiredInitialObject.GetName(), metav1.GetOptions{})
+	}
+	desiredUpdatedObject := tc.GetUpdateSpec(desiredInitialObject.DeepCopy())
+	var desiredUpdatedObjectWithStatus *unstructured.Unstructured
+	if tc.HasStatus() {
+		desiredUpdatedObjectWithStatus = addLabel(tc.GetUpdateStatus(desiredUpdatedObject))
+	}
+
+	// Get all resources in the API. The resulting list of resources must include what we are testing.
+	ginkgo.By(fmt.Sprintf("Get %s", gv))
+	path := "/apis/" + gv.String()
+	var api unstructured.Unstructured
+	err = restClient.
+		Get().
+		AbsPath(path).
+		Do(ctx).
+		Into(&api)
+	framework.ExpectNoError(err, "get resource API")
+	resources := api.Object["resources"].([]any)
+	index := slices.IndexFunc(resources, func(entry any) bool {
+		return entry.(map[string]any)["name"].(string) == resource
+	})
+	if index < 0 {
+		framework.Failf("API for %s does not include entry for %s, got:\n%s", gv, resource, format.Object(api, 1))
+	}
+
+	// Set up informers, optionally also in the namespace.
+	// After each step we check that the informers catch up
+	// and what events they received in the meantime.
+	// They get stopped through test context cancellation.
+	var resourceEvents, namespaceEvents eventRecorder
+	resourceInformer := dynamicinformer.NewFilteredDynamicInformer(f.DynamicClient, gvr, "", 0, nil, func(options *metav1.ListOptions) {
+		options.LabelSelector = listOptions.LabelSelector
+	})
+	_, err = resourceInformer.Informer().AddEventHandler(&resourceEvents)
+	framework.ExpectNoError(err, "register resource event handler")
+	listResource := func(_ context.Context) ([]runtime.Object, error) {
+		return resourceInformer.Lister().List(labels.Everything())
+	}
+	go resourceInformer.Informer().RunWithContext(ctx)
+	informersHaveSynced := []cache.InformerSynced{resourceInformer.Informer().HasSynced}
+	var namespaceInformer informers.GenericInformer
+	var listNamespace func(_ context.Context) ([]runtime.Object, error)
+	if tc.IsNamespaced() {
+		namespaceInformer = dynamicinformer.NewFilteredDynamicInformer(f.DynamicClient, gvr, f.Namespace.Name, 0, nil, func(options *metav1.ListOptions) {
+			options.LabelSelector = listOptions.LabelSelector
+		})
+		_, err = namespaceInformer.Informer().AddEventHandler(&namespaceEvents)
+		framework.ExpectNoError(err, "register namespace event handler")
+		listNamespace = func(_ context.Context) ([]runtime.Object, error) {
+			return namespaceInformer.Lister().List(labels.Everything())
+		}
+		go namespaceInformer.Informer().RunWithContext(ctx)
+		informersHaveSynced = append(informersHaveSynced, namespaceInformer.Informer().HasSynced)
+	}
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, informersHaveSynced...) {
+		ginkgo.Fail("informers should have synced and didn't")
+	}
+
+	// matchObject generates a matcher which checks the result of a list operation
+	// against the expected object. Content verification is optional. Without it,
+	// only the namespace and name are checked.
+	matchObject := func(expectedObject *unstructured.Unstructured) gtypes.GomegaMatcher {
+		return &matchObjectList{expectedObject: expectedObject, verifyContent: tc.VerifyContent()}
+	}
+	gomega.Expect(listResource(ctx)).Should(matchObject(nil), "initial list of resources from informer cache")
+	gomega.Expect(resourceEvents.list()).To(gomega.HaveField("Events", gomega.BeEmpty()), "no events from resource informer yet")
+	if listNamespace != nil {
+		gomega.Expect(listNamespace(ctx)).Should(matchObject(nil), "initial list of namespace from informer cache")
+		gomega.Expect(resourceEvents.list()).To(gomega.HaveField("Events", gomega.BeEmpty()), "no events from namespace informer yet")
+	}
+
+	// matchEvents generates a matcher which checks the informer event list.
+	//
+	// The events are expected to involve only the given object.
+	// The ResourceVersion must not decrease.
+	// The sequence of valid events is given as a regular expression
+	// which is applied to the string returned by [EventList.Types].
+	matchEvents := func(obj *unstructured.Unstructured, regexp string) gtypes.GomegaMatcher {
+		// Verify namespace/name/uid of ids event.
+		ids := gomega.HaveField("Events", gomega.Or(gomega.BeEmpty(), gomega.HaveEach(gomega.HaveField("ID()", gomega.Equal(fmt.Sprintf("%s, %s", klog.KObj(obj), obj.GetUID()))))))
+
+		// Match the regexp against the result of Types().
+		order := gomega.HaveField("Types()", gomega.MatchRegexp(regexp))
+
+		// Include full object dump, HaveField itself doesn't.
+		return framework.GomegaObject(gomega.And(ids, order))
+	}
+
+	// ResourceVersion must not decrease. Delete events reset the sequence.
+	var resourceRV, namespaceRV string
+	nextEvents := func(rv *string, events eventList) {
+		ginkgo.GinkgoHelper()
+
+		checkNext := func(obj any) {
+			ginkgo.GinkgoHelper()
+			if obj == nil {
+				return
+			}
+			if tomb, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tomb.Obj
+			}
+			metaData, err := meta.Accessor(obj)
+			framework.ExpectNoError(err, "access meta data")
+			gomega.Expect(metaData).To(apimachineryutils.HaveValidResourceVersion())
+
+			nextRV := metaData.GetResourceVersion()
+			if *rv == "" {
+				// Nothing to compare yet, initial version.
+				*rv = nextRV
+				return
+			}
+
+			cmpResult, err := resourceversion.CompareResourceVersion(nextRV, *rv)
+			framework.ExpectNoError(err, "compare ResourceVersions")
+			if cmpResult < 0 {
+				framework.Failf("ResourceVersion %s in %s with UID %s is smaller than previous %s, should be equal or larger", nextRV, klog.KObj(metaData), metaData.GetUID(), *rv)
+			}
+			*rv = nextRV
+		}
+
+		for _, e := range events.Events {
+			checkNext(e.oldObj)
+			checkNext(e.newObj)
+		}
+	}
+
+	// Verification of the result after each step (= what).
+	//
+	// Can check the content of an object or be limited to just name/namespace.
+	//
+	// Also checks the informers. This is a bit redundant after read-only steps,
+	// but then it's also fast and thus can be done more often than strictly necessary.
+	// Collected informer events get reset, so each verify call must match
+	// events since the previous one.
+	verify := func(what string, expected, actual *unstructured.Unstructured, haveExpectedEvents gtypes.GomegaMatcher) {
+		ginkgo.GinkgoHelper()
+
+		// This captures several different failures before handing them to Ginkgo.
+		var failures gomegaFailures
+
+		if expected != nil {
+			if tc.VerifyContent() {
+				diff := compareObjects(expected, actual)
+				failures.Add(fmt.Sprintf("%s: unexpected actual object (- expected, + actual):\n%s", what, diff))
+			} else {
+				failures.G().Expect(actual.GetName()).Should(gomega.Equal(expected.GetName()), "%s: name in returned object", what)
+				failures.G().Expect(actual.GetNamespace()).Should(gomega.Equal(expected.GetNamespace()), "%s: namespace in returned object", what)
+			}
+			failures.G().Expect(actual).To(apimachineryutils.HaveValidResourceVersion())
+		}
+
+		// Abort checking now if there were failures, otherwise we just risk timining out slowly.
+		failures.Check()
+
+		failures.G().Eventually(ctx, listResource).Should(matchObject(expected), "list of resources from informer cache after %s", what)
+		if haveExpectedEvents != nil {
+			// Even if the cache is up-to-date we still need to wait for event delivery.
+			failures.G().Eventually(resourceEvents.list).
+				WithTimeout(5*time.Second).
+				Should(haveExpectedEvents, "list of resource informer events after %s", what)
+		}
+		nextEvents(&resourceRV, resourceEvents.reset())
+		if listNamespace != nil {
+			failures.G().Eventually(ctx, listNamespace).Should(matchObject(expected), "list of namespace from informer cache after %s", what)
+			if haveExpectedEvents != nil {
+				failures.G().Eventually(namespaceEvents.list).
+					WithTimeout(5*time.Second).
+					Should(haveExpectedEvents, "list of namespace informer events after %s", what)
+			}
+			nextEvents(&namespaceRV, namespaceEvents.reset())
+		}
+		failures.Check()
+	}
+
+	// Create the initial resource.
+	ginkgo.By(fmt.Sprintf("Creating:\n%s", format.Object(desiredInitialObject, 1)))
+	existingObject, err := client.Create(ctx, desiredInitialObject, metav1.CreateOptions{FieldValidation: "Strict"})
+	framework.ExpectNoError(err, "create initial %s", resourceType)
+	ginkgo.DeferCleanup(func(ctx context.Context) {
+		// Always clean up.
+		err = client.Delete(ctx, desiredInitialObject.GetName(), metav1.DeleteOptions{})
+		if apierrors.IsNotFound(err) {
+			return
+		}
+		framework.ExpectNoError(err, "delete %s", resourceType)
+		ensureNotFound(ctx, getResource)
+	})
+	verify("create", desiredInitialObject, existingObject,
+		// Initial creation of the object followed by some optional updates by cluster components.
+		matchEvents(existingObject, "^add,(update,)*$"),
+	)
+	createdResourceVersion := existingObject.GetResourceVersion()
+
+	// Get to check for existence.
+	ginkgo.By(fmt.Sprintf("Getting %s", klog.KObj(desiredInitialObject)))
+	existingObject, err = client.Get(ctx, desiredInitialObject.GetName(), metav1.GetOptions{})
+	framework.ExpectNoError(err, "get updated %s", resourceType)
+	verify("get", desiredInitialObject, existingObject,
+		// Optional updates by cluster components.
+		matchEvents(existingObject, "^(update,)*$"),
+	)
+
+	// Update the resource. Retry because the existing object might have been updated in the meantime.
+	mustGet := false
+	gomega.Eventually(ctx, func(ctx context.Context) error {
+		if mustGet {
+			ginkgo.By(fmt.Sprintf("Getting updated %s", klog.KObj(desiredInitialObject)))
+			existingObject, err = getResource(ctx)
+			if err != nil {
+				return fmt.Errorf("get existing %s: %w", resourceType, err)
+			}
+		}
+		object := tc.GetUpdateSpec(existingObject.DeepCopy())
+		ginkgo.By(fmt.Sprintf("Updating:\n%s", format.Object(object, 1)))
+		existingObject, err = client.Update(ctx, object, metav1.UpdateOptions{})
+		if err == nil {
+			return nil
+		}
+		mustGet = apierrors.IsConflict(err)
+		if mustGet {
+			// Retry immediately.
+			return fmt.Errorf("update %s: %w", resourceType, err)
+		}
+		if retry, retryAfter := framework.ShouldRetry(err); retry {
+			// Retry with a delay.
+			return gomega.TryAgainAfter(retryAfter)
+		}
+		// Give up, some other error occurred.
+		return gomega.StopTrying(fmt.Sprintf("update %s", resourceType)).Wrap(err)
+	}).Should(gomega.Succeed())
+	verify("update", desiredUpdatedObject, existingObject,
+		// At least one update.
+		matchEvents(existingObject, "^(update,)+$"),
+	)
+	updatedResourceVersion := existingObject.GetResourceVersion()
+	cmpResult, err := resourceversion.CompareResourceVersion(createdResourceVersion, updatedResourceVersion)
+	framework.ExpectNoError(err, "compare ResourceVersion after create against ResourceVersion after update")
+	if cmpResult >= 0 {
+		framework.Failf("ResourceVersion should have increased during update and didn't (before: %s, after: %s)", createdResourceVersion, updatedResourceVersion)
+	}
+
+	// Same for the status. In addition, read the status (same result, but different endpoint+method).
+	if tc.HasStatus() {
+		mustGet := false
+		gomega.Eventually(ctx, func(ctx context.Context) error {
+			if mustGet {
+				ginkgo.By(fmt.Sprintf("Getting updated %s", klog.KObj(desiredInitialObject)))
+				existingObject, err = client.Get(ctx, desiredInitialObject.GetName(), metav1.GetOptions{}, "status")
+				if err != nil {
+					return fmt.Errorf("get existing %s: %w", resourceType, err)
+				}
+			}
+			object := tc.GetUpdateStatus(existingObject)
+			ginkgo.By(fmt.Sprintf("Updating status:\n%s", format.Object(object, 1)))
+			existingObject, err = client.Update(ctx, object, metav1.UpdateOptions{}, "status")
+			if err == nil {
+				return nil
+			}
+			mustGet = apierrors.IsConflict(err)
+			if mustGet {
+				// Retry immediately.
+				return fmt.Errorf("update %s status: %w", resourceType, err)
+			}
+			if retry, retryAfter := framework.ShouldRetry(err); retry {
+				// Retry with a delay.
+				return gomega.TryAgainAfter(retryAfter)
+			}
+			// Give up, some other error occurred.
+			return gomega.StopTrying(fmt.Sprintf("update %s status", resourceType)).Wrap(err)
+		}).Should(gomega.Succeed())
+		verify("update status", desiredUpdatedObjectWithStatus, existingObject,
+			// At least one update.
+			matchEvents(existingObject, "^(update,)+$"),
+		)
+
+		ginkgo.By(fmt.Sprintf("Getting %s status", klog.KObj(desiredInitialObject)))
+		existingObject, err = client.Get(ctx, desiredInitialObject.GetName(), metav1.GetOptions{}, "status")
+		framework.ExpectNoError(err, "get updated %s", resourceType)
+		verify("get", desiredUpdatedObjectWithStatus, existingObject,
+			// Optional updates by cluster components.
+			matchEvents(existingObject, "^(update,)*$"),
+		)
+	}
+
+	// Patch the resource, potentially using multiple different patch types.
+	// The result must be the same each time if content verification is enabled.
+	for _, patch := range tc.GetPatchSpec() {
+		// Delete the resource to start anew.
+		ginkgo.By(fmt.Sprintf("Deleting %s", klog.KObj(desiredInitialObject)))
+		err = client.Delete(ctx, desiredInitialObject.GetName(), metav1.DeleteOptions{})
+		framework.ExpectNoError(err, "delete updated %s", resourceType)
+		ensureNotFound(ctx, getResource)
+		verify("delete", nil, nil,
+			// Optional updates, deletion.
+			//
+			// We have to verify this here because
+			// otherwise we have no guarantee that we see the delete event.
+			matchEvents(existingObject, "^(update,)*delete,$"),
+		)
+
+		// Recreate for patching.
+		ginkgo.By(fmt.Sprintf("Creating again:\n%s", format.Object(desiredInitialObject, 1)))
+		existingObject, err = client.Create(ctx, desiredInitialObject, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "create %s again", resourceType)
+		patchData := patch.GetData(existingObject)
+
+		ginkgo.By(fmt.Sprintf("Patching with %s:\n%s", patch.Type, string(patchData)))
+		options := metav1.PatchOptions{FieldValidation: "Strict"}
+		switch patch.Type {
+		case types.ApplyYAMLPatchType, types.ApplyCBORPatchType:
+			options.FieldManager = "test-apply"
+			options.Force = ptr.To(true)
+		}
+		existingObject, err = client.Patch(ctx, desiredInitialObject.GetName(), patch.Type, patchData, options)
+		framework.ExpectNoError(err, "patch %s %s", patch.Type, resourceType)
+		verify(fmt.Sprintf("patch %s", patch.Type), desiredUpdatedObject, existingObject,
+			// Recreation and then at least one update.
+			matchEvents(existingObject, "^add,(update,)+$"),
+		)
+	}
+
+	// Same for status. The patches apply on top of the updated object.
+	for _, patch := range tc.GetPatchStatus(existingObject) {
+		// Delete the resource to start anew.
+		ginkgo.By(fmt.Sprintf("Deleting %s", klog.KObj(desiredInitialObject)))
+		err = client.Delete(ctx, desiredInitialObject.GetName(), metav1.DeleteOptions{})
+		framework.ExpectNoError(err, "delete updated %s", resourceType)
+		ensureNotFound(ctx, getResource)
+		verify("delete", nil, nil,
+			// Optional updates, deletion.
+			//
+			// We have to verify this here because
+			// otherwise we have no guarantee that we see the delete event.
+			matchEvents(existingObject, "^(update,)*delete,$"),
+		)
+
+		// Recreate for patching.
+		ginkgo.By(fmt.Sprintf("Creating again:\n%s", format.Object(desiredInitialObject, 1)))
+		existingObject, err = client.Create(ctx, desiredInitialObject, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "create %s again", resourceType)
+
+		// Update again.
+		mustGet := false
+		gomega.Eventually(ctx, func(ctx context.Context) error {
+			if mustGet {
+				ginkgo.By(fmt.Sprintf("Getting updated %s", klog.KObj(desiredInitialObject)))
+				existingObject, err = getResource(ctx)
+				if err != nil {
+					return fmt.Errorf("get existing %s: %w", resourceType, err)
+				}
+			}
+			object := tc.GetUpdateSpec(existingObject.DeepCopy())
+			ginkgo.By(fmt.Sprintf("Updating:\n%s", format.Object(object, 1)))
+			existingObject, err = client.Update(ctx, object, metav1.UpdateOptions{})
+			if err == nil {
+				return nil
+			}
+			mustGet = apierrors.IsConflict(err)
+			if mustGet {
+				// Retry immediately.
+				return fmt.Errorf("update %s: %w", resourceType, err)
+			}
+			if retry, retryAfter := framework.ShouldRetry(err); retry {
+				// Retry with a delay.
+				return gomega.TryAgainAfter(retryAfter)
+			}
+			// Give up, some other error occurred.
+			return gomega.StopTrying(fmt.Sprintf("update %s", resourceType)).Wrap(err)
+		}).Should(gomega.Succeed())
+		patchData := patch.GetData(existingObject)
+
+		ginkgo.By(fmt.Sprintf("Patching status with %s:\n%s", patch.Type, string(patchData)))
+		options := metav1.PatchOptions{FieldValidation: "Strict"}
+		switch patch.Type {
+		case types.ApplyYAMLPatchType, types.ApplyCBORPatchType:
+			options.FieldManager = "test-apply"
+			options.Force = ptr.To(true)
+		}
+		existingObject, err = client.Patch(ctx, desiredInitialObject.GetName(), patch.Type, patchData, options, "status")
+		framework.ExpectNoError(err, "patch %s %s status", patch.Type, resourceType)
+		verify(fmt.Sprintf("patch %s status", patch.Type), desiredUpdatedObject, existingObject,
+			// Recreation and then at least one update.
+			matchEvents(existingObject, "^add,(update,)+$"),
+		)
+	}
+
+	// Use the label as selector in List and DeleteCollection calls.
+	ginkgo.By(fmt.Sprintf("Listing %s collection with label selector %s", gvr, listOptions.LabelSelector))
+	items, err := client.List(ctx, listOptions)
+	framework.ExpectNoError(err, "list %s", resourceType)
+	gomega.Expect(items.Items).Should(gomega.HaveLen(1), "Should have listed exactly the test resource.")
+	verify("list", desiredUpdatedObject, &items.Items[0],
+		// Optional updates by cluster components.
+		matchEvents(existingObject, "^(update,)*$"),
+	)
+
+	if tc.IsNamespaced() {
+		ginkgo.By(fmt.Sprintf("Listing %s without namespace and with label selector %s", gvr, listOptions.LabelSelector))
+		items, err := resourceClient.List(ctx, listOptions)
+		framework.ExpectNoError(err, "list %s in all namespaces", resourceType)
+		gomega.Expect(items.Items).Should(gomega.HaveLen(1), "Should have listed exactly the test resource in all namespaces.")
+		verify("list all namespaces", desiredUpdatedObject, &items.Items[0],
+			// Optional updates by cluster components.
+			matchEvents(existingObject, "^(update,)*$"),
+		)
+	}
+
+	ginkgo.By(fmt.Sprintf("Deleting %s collection with label selector %s", gvr, listOptions.LabelSelector))
+	err = client.DeleteCollection(ctx, metav1.DeleteOptions{}, listOptions)
+	framework.ExpectNoError(err, "delete collection of %s", resourceType)
+	ensureNotFound(ctx, getResource)
+	verify("list", nil, nil,
+		// Optional updates by cluster components, then deletion.
+		matchEvents(existingObject, "^(update,)*delete,$"),
+	)
+}
+
+// ensureNotFound ensures that the error returned by the get function is NotFound.
+// This can be called after deleting an object to ensure that it really got removed
+// and not just marked for deletion with a DeletionTimestamp. Deletion is not
+// necessarily instantaneous e.g. because some cluster component might add its
+// own finalizer.
+func ensureNotFound(ctx context.Context, get func(context.Context) (*unstructured.Unstructured, error)) {
+	ginkgo.GinkgoHelper()
+	ginkgo.By("Checking for existence")
+	gomega.Eventually(ctx, func(ctx context.Context) error {
+		obj, err := framework.HandleRetry(get)(ctx)
+		switch {
+		case apierrors.IsNotFound(err):
+			return nil
+		case err != nil:
+			return fmt.Errorf("unexpected error after GET: %w", err)
+		default:
+			return fmt.Errorf("resource not removed yet:\n%s", format.Object(obj, 1))
+		}
+	}).WithTimeout(30 * time.Second /* From prior conformance tests, e.g. https://github.com/kubernetes/kubernetes/blame/be361a18dda0f2fab1f5e25f8067a9ed43fc3b89/test/e2e/storage/storageclass.go#L152 */).
+		Should(gomega.Succeed())
+}
diff --git a/test/e2e/framework/conformance/failures.go b/test/e2e/framework/conformance/failures.go
new file mode 100644
index 0000000000000..4c0d0558a0c78
--- /dev/null
+++ b/test/e2e/framework/conformance/failures.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	gtypes "github.com/onsi/gomega/types"
+)
+
+type gomegaFailures struct {
+	failures []string
+}
+
+var _ gtypes.GomegaTestingT = &gomegaFailures{}
+
+// Helper implements [gtyppes.GomegaTestingT].
+func (g *gomegaFailures) Helper() {}
+
+// Fatalf implements [gtypes.GomegaTestingT].
+func (g *gomegaFailures) Fatalf(format string, args ...any) {
+	g.Add(fmt.Sprintf(format, args...))
+}
+
+// Adds one failure.
+func (g *gomegaFailures) Add(failure string) {
+	if !strings.HasSuffix(failure, "\n") {
+		failure += "\n"
+	}
+	g.failures = append(g.failures, failure)
+}
+
+// Check fails via [ginkgo.Fail] if there were any failures.
+func (g *gomegaFailures) Check() {
+	if len(g.failures) > 0 {
+		ginkgo.GinkgoHelper()
+		ginkgo.Fail(strings.Join(g.failures, "\n\n"))
+	}
+}
+
+func (g *gomegaFailures) G() *gomega.WithT {
+	return gomega.NewWithT(g)
+}
diff --git a/test/e2e/framework/conformance/informerevents.go b/test/e2e/framework/conformance/informerevents.go
new file mode 100644
index 0000000000000..e5bc886d16478
--- /dev/null
+++ b/test/e2e/framework/conformance/informerevents.go
@@ -0,0 +1,167 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+// eventRecorder implements [cache.ResourceEventHandler] by recording all events.
+// It is thread-safe.
+type eventRecorder struct {
+	mutex  sync.Mutex
+	events []event
+}
+
+// event describes one add/update/delete event.
+// They can be distinguished based on which object(s) are set.
+// Delete events may contain a tombstone instead of the actual
+// deleted object.
+type event struct {
+	oldObj, newObj any
+	isInitialList  bool
+}
+
+func (e event) Type() string {
+	switch {
+	case e.oldObj == nil:
+		return "add"
+	case e.newObj == nil:
+		return "delete"
+	case e.oldObj != nil && e.newObj != nil:
+		return "update"
+	default:
+		return "null"
+	}
+}
+
+// ID returns "[namespace/]name, uid" for the object
+// described in the event. If for whatever reason
+// that is different for the old and new event (an error!),
+// it returns both strings separated by semicolon.
+// If meta data access is not possible, the error string is returned.
+//
+// This is meant to be used with gomega.HaveEach and a matcher
+// which checks for the expected ID.
+func (e event) ID() string {
+	oldID := id(e.oldObj)
+	newID := id(e.newObj)
+	if oldID == newID {
+		return newID
+	}
+	if oldID != "" && newID != "" {
+		return oldID + "; " + newID
+	}
+	if newID != "" {
+		return newID
+	}
+	return oldID
+}
+
+func id(obj any) string {
+	if obj == nil {
+		return ""
+	}
+	if tomb, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+		obj = tomb.Obj
+	}
+	metaData, err := meta.Accessor(obj)
+	if err != nil {
+		return err.Error()
+	}
+	return fmt.Sprintf("%s, %s", klog.KObj(metaData).String(), metaData.GetUID())
+}
+
+var _ cache.ResourceEventHandler = &eventRecorder{}
+
+func (er *eventRecorder) OnAdd(obj any, isInitialList bool) {
+	er.mutex.Lock()
+	defer er.mutex.Unlock()
+
+	er.events = append(er.events, event{
+		newObj:        obj,
+		isInitialList: isInitialList,
+	})
+}
+
+func (er *eventRecorder) OnUpdate(oldObj, newObj any) {
+	er.mutex.Lock()
+	defer er.mutex.Unlock()
+
+	er.events = append(er.events, event{
+		oldObj: oldObj,
+		newObj: newObj,
+	})
+}
+
+func (er *eventRecorder) OnDelete(obj any) {
+	er.mutex.Lock()
+	defer er.mutex.Unlock()
+
+	er.events = append(er.events, event{
+		oldObj: obj,
+	})
+}
+
+// list returns a shallow copy of the current list of events.
+func (er *eventRecorder) list() eventList {
+	er.mutex.Lock()
+	defer er.mutex.Unlock()
+
+	return eventList{Events: slices.Clone(er.events)}
+}
+
+// reset clears the current list of events.
+// Should only be called during idle periods.
+func (er *eventRecorder) reset() eventList {
+	er.mutex.Lock()
+	defer er.mutex.Unlock()
+
+	events := eventList{Events: er.events}
+	er.events = nil
+	return events
+}
+
+// eventList adds pretty-printing to a slice of events.
+type eventList struct {
+	Events []event
+}
+
+// Types returns a comma-separated list of the type of each event.
+// For the sake of simplicity the last entry also ends with a comma.
+//
+// This can be used in Gomega assertions like this:
+//
+//	gomega.Expect(events).To(gomega.HaveField("Types()", gomega.MatchRegexp("^add,(update,)*$"))
+//	gomega.Expect(events).To(gomega.HaveField("Types()", gomega.MatchRegexp("^(update,)*$"))
+func (el eventList) Types() string {
+	var buffer strings.Builder
+
+	for _, e := range el.Events {
+		buffer.WriteString(e.Type())
+		buffer.WriteRune(',')
+	}
+
+	return buffer.String()
+}
diff --git a/test/e2e/framework/conformance/objectmatcher.go b/test/e2e/framework/conformance/objectmatcher.go
new file mode 100644
index 0000000000000..137305cd10c27
--- /dev/null
+++ b/test/e2e/framework/conformance/objectmatcher.go
@@ -0,0 +1,114 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package architecture
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/gomega/format"
+	gtypes "github.com/onsi/gomega/types"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/klog/v2"
+)
+
+// matchObjectList is a custom matcher for the result of a generic lister List result
+// ([]runtime.Object where each entry is *unstructured.Unstructed). The list is
+// expected to have exactly one element or none.
+type matchObjectList struct {
+	expectedObject *unstructured.Unstructured
+	verifyContent  bool
+	lastDiff       string
+}
+
+var _ gtypes.GomegaMatcher = &matchObjectList{}
+
+func (m *matchObjectList) Match(actual any) (bool, error) {
+	// Reset state.
+	m.lastDiff = ""
+
+	actualObjects, ok := actual.([]runtime.Object)
+	if !ok {
+		return false, fmt.Errorf("must be passed a []runtime.Object, got %T", actual)
+	}
+
+	if m.expectedObject == nil {
+		// Must be empty,
+		return len(actualObjects) == 0, nil
+	}
+
+	// Must have exactly the expected object.
+	if len(actualObjects) != 1 {
+		return false, nil
+	}
+	actualObject, ok := actualObjects[0].(*unstructured.Unstructured)
+	if !ok {
+		// Shouldn't happen.
+		return false, fmt.Errorf("expected *unstructured.Unstructured, got %T", actualObjects[0])
+	}
+
+	if m.verifyContent {
+		// Remember diff for failure message.
+		m.lastDiff = compareObjects(m.expectedObject, actualObject)
+		if m.lastDiff != "" {
+			return false, nil
+		}
+		return true, nil
+	}
+	return m.expectedObject.GetName() == actualObject.GetName() && m.expectedObject.GetNamespace() == actualObject.GetNamespace(), nil
+}
+
+func (m *matchObjectList) FailureMessage(actual any) string {
+	return m.message(actual, "to")
+}
+
+func (m *matchObjectList) NegatedFailureMessage(actual any) string {
+	return m.message(actual, "not to")
+}
+
+func (m *matchObjectList) message(actual any, to string) string {
+	// Gomega renders []runtime.Object as nested maps.
+	// YAML is more readable.
+	var buffer strings.Builder
+	buffer.WriteString("Expected\n")
+	if actualObjects, ok := actual.([]runtime.Object); ok {
+		buffer.WriteString(fmt.Sprintf("   %T len:%d:\n", actualObjects, len(actualObjects)))
+		for _, object := range actualObjects {
+			buffer.WriteString("      ---\n")
+			if o, ok := object.(*unstructured.Unstructured); ok {
+				buffer.WriteString(format.Object(o, 2))
+			} else {
+				buffer.WriteString(format.Object(object, 2))
+			}
+		}
+	} else {
+		buffer.WriteString(format.Object(actual, 1))
+	}
+	buffer.WriteString(fmt.Sprintf("\n%s contain exactly the following element:\n", to))
+	if m.verifyContent {
+		buffer.WriteString(format.Object(m.expectedObject, 1))
+	} else {
+		buffer.WriteString("      " + klog.KObj(m.expectedObject).String())
+	}
+	if m.lastDiff != "" {
+		buffer.WriteString("\nDiff of checked fields (- expected, + actual):\n")
+		buffer.WriteString(m.lastDiff)
+	}
+	return buffer.String()
+}
diff --git a/test/e2e/framework/daemonset/fixtures.go b/test/e2e/framework/daemonset/fixtures.go
index 5c1a5b54fc715..5dda5cb63d2e0 100644
--- a/test/e2e/framework/daemonset/fixtures.go
+++ b/test/e2e/framework/daemonset/fixtures.go
@@ -19,6 +19,7 @@ package daemonset
 import (
 	"context"
 	"fmt"
+	"k8s.io/klog/v2"
 
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@@ -81,11 +82,12 @@ func CheckPresentOnNodes(ctx context.Context, c clientset.Interface, ds *appsv1.
 }
 
 func SchedulableNodes(ctx context.Context, c clientset.Interface, ds *appsv1.DaemonSet) []string {
+	logger := klog.FromContext(ctx)
 	nodeList, err := c.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
 	framework.ExpectNoError(err)
 	nodeNames := make([]string, 0)
 	for _, node := range nodeList.Items {
-		shouldRun, _ := daemon.NodeShouldRunDaemonPod(&node, ds)
+		shouldRun, _ := daemon.NodeShouldRunDaemonPod(logger, &node, ds)
 		if !shouldRun {
 			framework.Logf("DaemonSet pods can't tolerate node %s with taints %+v, skip checking this node", node.Name, node.Spec.Taints)
 			continue
diff --git a/test/e2e/framework/ginkgowrapper.go b/test/e2e/framework/ginkgowrapper.go
index 7a6237906521d..1dca00dc22a13 100644
--- a/test/e2e/framework/ginkgowrapper.go
+++ b/test/e2e/framework/ginkgowrapper.go
@@ -221,8 +221,14 @@ func registerInSuite(ginkgoCall func(string, ...interface{}) bool, args []interf
 					ginkgoArgs = append(ginkgoArgs, ginkgo.Label("BetaOffByDefault"))
 				}
 			}
-			if fullLabel == "Serial" {
+			switch fullLabel {
+			case "Serial":
 				ginkgoArgs = append(ginkgoArgs, ginkgo.Serial)
+			case "Slow":
+				// Start slow tests first. This avoids the risk
+				// that they get started towards the end of a
+				// run and then make the run longer overall.
+				ginkgoArgs = append(ginkgoArgs, ginkgo.SpecPriority(1))
 			}
 		case ginkgo.Offset:
 			offset = arg
@@ -266,6 +272,9 @@ var (
 func validateSpecs(specs types.SpecReports) {
 	checked := sets.New[call]()
 
+	// Each full test name should only be used once.
+	specNames := make(map[string][]types.SpecReport)
+
 	for _, spec := range specs {
 		for i, text := range spec.ContainerHierarchyTexts {
 			c := call{
@@ -287,6 +296,34 @@ func validateSpecs(specs types.SpecReports) {
 			validateText(spec.LeafNodeLocation, spec.LeafNodeText, spec.LeafNodeLabels)
 			checked.Insert(c)
 		}
+
+		// Track what the same name is used for. The empty name is used more
+		// than once for special nodes (e.g. ReportAfterSuite).
+		fullText := spec.FullText()
+		if fullText != "" {
+			specNames[fullText] = append(specNames[fullText], spec)
+		}
+	}
+
+	for fullText, specs := range specNames {
+		if len(specs) > 1 {
+			// The exact same It call might be made twice, in which case full
+			// text and location are the same in two different specs. We show
+			// that as "<location> (2x)"
+			locationCounts := make(map[string]int)
+			for _, spec := range specs {
+				locationCounts[spec.LeafNodeLocation.String()]++
+			}
+			var locationTexts []string
+			for locationText, count := range locationCounts {
+				text := locationText
+				if count > 1 {
+					text += fmt.Sprintf(" (%dx)", count)
+				}
+				locationTexts = append(locationTexts, text)
+			}
+			recordTextBug(specs[0].LeafNodeLocation, fmt.Sprintf("full test name is not unique: %q (%s)", fullText, strings.Join(locationTexts, ", ")))
+		}
 	}
 }
 
diff --git a/test/e2e/framework/gomega.go b/test/e2e/framework/gomega.go
new file mode 100644
index 0000000000000..a2b885da32b6a
--- /dev/null
+++ b/test/e2e/framework/gomega.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package framework contains provider-independent helper code for
+// building and running E2E tests with Ginkgo. The actual Ginkgo test
+// suites gets assembled by combining this framework, the optional
+// provider support code and specific tests via a separate .go file
+// like Kubernetes' test/e2e.go.
+package framework
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/gomega/format"
+	gtypes "github.com/onsi/gomega/types"
+)
+
+// GomegaObject returns a matcher which appends a full dump of the actual value
+// to the failure of the matcher that it wraps. This is useful e.g. for
+// gomega.HaveField which otherwise only generates a message containing
+// the field that it is checking, but not the object in which that field occurs.
+func GomegaObject(shouldMatch gtypes.GomegaMatcher) gtypes.GomegaMatcher {
+	return &gomegaObjectMatcher{
+		shouldMatch: shouldMatch,
+	}
+}
+
+type gomegaObjectMatcher struct {
+	shouldMatch gtypes.GomegaMatcher
+}
+
+func (m *gomegaObjectMatcher) Match(actual interface{}) (success bool, err error) {
+	return m.shouldMatch.Match(actual)
+}
+
+func (m *gomegaObjectMatcher) FailureMessage(actual interface{}) (message string) {
+	return m.withDump(actual, m.shouldMatch.FailureMessage(actual))
+}
+
+func (m *gomegaObjectMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+	return m.withDump(actual, m.shouldMatch.NegatedFailureMessage(actual))
+}
+
+func (m *gomegaObjectMatcher) withDump(actual any, message string) string {
+	dump := format.Object(actual, 1)
+	if !strings.HasSuffix(message, "\n") {
+		message += "\n"
+	}
+	message += fmt.Sprintf("\nFull object:\n%s", dump)
+	return message
+}
diff --git a/test/e2e/framework/internal/junit/junit.go b/test/e2e/framework/internal/junit/junit.go
index a33c780d5c388..b6b7da62f37ac 100644
--- a/test/e2e/framework/internal/junit/junit.go
+++ b/test/e2e/framework/internal/junit/junit.go
@@ -17,6 +17,9 @@ limitations under the License.
 package junit
 
 import (
+	"slices"
+	"strings"
+
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/ginkgo/v2/reporters"
 	"github.com/onsi/ginkgo/v2/types"
@@ -42,5 +45,20 @@ func WriteJUnitReport(report ginkgo.Report, filename string) error {
 		OmitSpecLabels: true,
 	}
 
+	// Sort specs by full name. The default is by start (or completion?) time,
+	// which is less useful in spyglass because those times are not shown
+	// and thus tests seem to be listed with no apparent order.
+	slices.SortFunc(report.SpecReports, func(a, b types.SpecReport) int {
+		res := strings.Compare(a.FullText(), b.FullText())
+		if res == 0 {
+			// Use start time as tie-breaker in the unlikely
+			// case that two specs have the same full name.
+			return a.StartTime.Compare(b.StartTime)
+		}
+		return res
+	})
+
+	detectDataRaces(report)
+
 	return reporters.GenerateJUnitReportWithConfig(report, filename, config)
 }
diff --git a/test/e2e/framework/internal/junit/junit_data_races.go b/test/e2e/framework/internal/junit/junit_data_races.go
new file mode 100644
index 0000000000000..38717d16ffc46
--- /dev/null
+++ b/test/e2e/framework/internal/junit/junit_data_races.go
@@ -0,0 +1,75 @@
+//go:build race
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package junit
+
+import (
+	"regexp"
+	"time"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+var dataRaceRE = regexp.MustCompile(`(?m)^WARNING: DATA RACE$`)
+
+func containsDataRace(output string) bool {
+	return dataRaceRE.MatchString(output)
+}
+
+// Detect data races in output and mark those tests as failed.
+// Ginkgo itself captures the warning in the output of those
+// tests where it is printed, but does not mark the tests as failed.
+// This is not exactly wrong (the reason might be in code that was
+// started elsewhere), but without a test being marked as "failed",
+// prune-junit-xml will prune the output and spyglass won't show
+// the test as failed.
+//
+// Modifies the report. Doesn't touch tests which are already failed
+// because those already need to be investigated.
+func detectDataRaces(report ginkgo.Report) {
+	for i, spec := range report.SpecReports {
+		if spec.State != types.SpecStatePassed {
+			continue
+		}
+
+		// Both variants of captured output get checked, just to be on the safe side.
+		ginkgoWriterRace := containsDataRace(spec.CapturedGinkgoWriterOutput)
+		stdoutRace := containsDataRace(spec.CapturedStdOutErr)
+		if ginkgoWriterRace || stdoutRace {
+			spec.State = types.SpecStateFailed
+			spec.Failure = types.Failure{
+				FailureNodeContext: types.FailureNodeIsLeafNode,
+				FailureNodeType:    spec.LeafNodeType,
+				Location:           types.NewCustomCodeLocation("output analysis"),
+				TimelineLocation: types.TimelineLocation{
+					Time: time.Now(),
+				},
+			}
+			// Let's move that text to the failure message.
+			if stdoutRace {
+				spec.Failure.Message = spec.CapturedStdOutErr
+				spec.CapturedStdOutErr = ""
+			} else {
+				spec.Failure.Message = spec.CapturedGinkgoWriterOutput
+				spec.CapturedGinkgoWriterOutput = ""
+			}
+			report.SpecReports[i] = spec
+		}
+	}
+}
diff --git a/test/e2e/framework/internal/junit/junit_no_data_races.go b/test/e2e/framework/internal/junit/junit_no_data_races.go
new file mode 100644
index 0000000000000..97dd17326c3f0
--- /dev/null
+++ b/test/e2e/framework/internal/junit/junit_no_data_races.go
@@ -0,0 +1,29 @@
+//go:build !race
+
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package junit
+
+import (
+	"github.com/onsi/ginkgo/v2"
+)
+
+func detectDataRaces(report ginkgo.Report) {
+	// This is a NOP variant of this function which is used when the test binary is compiled
+	// without race detection. In that case there cannot be any data race reports and therefore
+	// we don't need to check for them.
+}
diff --git a/test/e2e/framework/node/resource.go b/test/e2e/framework/node/resource.go
index 819275b9d22af..5c154d689926b 100644
--- a/test/e2e/framework/node/resource.go
+++ b/test/e2e/framework/node/resource.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"k8s.io/klog/v2"
 	"net"
 	"strings"
 	"time"
@@ -325,12 +326,13 @@ func GetPublicIps(ctx context.Context, c clientset.Interface) ([]string, error)
 // If EITHER 1 or 2 is not true, most tests will want to ignore the node entirely.
 // If there are no nodes that are both ready and schedulable, this will return an error.
 func GetReadySchedulableNodes(ctx context.Context, c clientset.Interface) (nodes *v1.NodeList, err error) {
+	logger := klog.FromContext(ctx)
 	nodes, err = checkWaitListSchedulableNodes(ctx, c)
 	if err != nil {
 		return nil, fmt.Errorf("listing schedulable nodes error: %w", err)
 	}
 	Filter(nodes, func(node v1.Node) bool {
-		return IsNodeSchedulable(&node) && isNodeUntainted(&node)
+		return IsNodeSchedulable(logger, &node) && isNodeUntainted(logger, &node)
 	})
 	if len(nodes.Items) == 0 {
 		return nil, fmt.Errorf("there are currently no ready, schedulable nodes in the cluster")
@@ -374,25 +376,26 @@ func GetRandomReadySchedulableNode(ctx context.Context, c clientset.Interface) (
 // E.g. in tests related to nodes with gpu we care about nodes despite
 // presence of nvidia.com/gpu=present:NoSchedule taint
 func GetReadyNodesIncludingTainted(ctx context.Context, c clientset.Interface) (nodes *v1.NodeList, err error) {
+	logger := klog.FromContext(ctx)
 	nodes, err = checkWaitListSchedulableNodes(ctx, c)
 	if err != nil {
 		return nil, fmt.Errorf("listing schedulable nodes error: %w", err)
 	}
 	Filter(nodes, func(node v1.Node) bool {
-		return IsNodeSchedulable(&node)
+		return IsNodeSchedulable(logger, &node)
 	})
 	return nodes, nil
 }
 
 // isNodeUntainted tests whether a fake pod can be scheduled on "node", given its current taints.
 // TODO: need to discuss wether to return bool and error type
-func isNodeUntainted(node *v1.Node) bool {
-	return isNodeUntaintedWithNonblocking(node, "")
+func isNodeUntainted(logger klog.Logger, node *v1.Node) bool {
+	return isNodeUntaintedWithNonblocking(logger, node, "")
 }
 
 // isNodeUntaintedWithNonblocking tests whether a fake pod can be scheduled on "node"
 // but allows for taints in the list of non-blocking taints.
-func isNodeUntaintedWithNonblocking(node *v1.Node, nonblockingTaints string) bool {
+func isNodeUntaintedWithNonblocking(logger klog.Logger, node *v1.Node, nonblockingTaints string) bool {
 	// Simple lookup for nonblocking taints based on comma-delimited list.
 	nonblockingTaintsMap := map[string]struct{}{}
 	for _, t := range strings.Split(nonblockingTaints, ",") {
@@ -413,10 +416,10 @@ func isNodeUntaintedWithNonblocking(node *v1.Node, nonblockingTaints string) boo
 		n = nodeCopy
 	}
 
-	return toleratesTaintsWithNoScheduleNoExecuteEffects(n.Spec.Taints, nil)
+	return toleratesTaintsWithNoScheduleNoExecuteEffects(logger, n.Spec.Taints, nil)
 }
 
-func toleratesTaintsWithNoScheduleNoExecuteEffects(taints []v1.Taint, tolerations []v1.Toleration) bool {
+func toleratesTaintsWithNoScheduleNoExecuteEffects(logger klog.Logger, taints []v1.Taint, tolerations []v1.Toleration) bool {
 	filteredTaints := []v1.Taint{}
 	for _, taint := range taints {
 		if taint.Effect == v1.TaintEffectNoExecute || taint.Effect == v1.TaintEffectNoSchedule {
@@ -426,7 +429,8 @@ func toleratesTaintsWithNoScheduleNoExecuteEffects(taints []v1.Taint, toleration
 
 	toleratesTaint := func(taint v1.Taint) bool {
 		for _, toleration := range tolerations {
-			if toleration.ToleratesTaint(&taint) {
+			//	TaintTolerationComparisonOperators feature gate will be false for e2e since the feature is in Alpha.
+			if toleration.ToleratesTaint(logger, &taint, false) {
 				return true
 			}
 		}
@@ -446,17 +450,18 @@ func toleratesTaintsWithNoScheduleNoExecuteEffects(taints []v1.Taint, toleration
 // IsNodeSchedulable returns true if:
 // 1) doesn't have "unschedulable" field set
 // 2) it also returns true from IsNodeReady
-func IsNodeSchedulable(node *v1.Node) bool {
+func IsNodeSchedulable(logger klog.Logger, node *v1.Node) bool {
 	if node == nil {
 		return false
 	}
-	return !node.Spec.Unschedulable && IsNodeReady(node)
+
+	return !node.Spec.Unschedulable && IsNodeReady(logger, node)
 }
 
 // IsNodeReady returns true if:
 // 1) it's Ready condition is set to true
 // 2) doesn't have NetworkUnavailable condition set to true
-func IsNodeReady(node *v1.Node) bool {
+func IsNodeReady(logger klog.Logger, node *v1.Node) bool {
 	nodeReady := IsConditionSetAsExpected(node, v1.NodeReady, true)
 	networkReady := isConditionUnset(node, v1.NodeNetworkUnavailable) ||
 		IsConditionSetAsExpectedSilent(node, v1.NodeNetworkUnavailable, false)
@@ -467,8 +472,8 @@ func IsNodeReady(node *v1.Node) bool {
 // 1) doesn't have "unschedulable" field set
 // 2) it also returns true from IsNodeReady
 // 3) it also returns true from isNodeUntainted
-func isNodeSchedulableWithoutTaints(node *v1.Node) bool {
-	return IsNodeSchedulable(node) && isNodeUntainted(node)
+func isNodeSchedulableWithoutTaints(logger klog.Logger, node *v1.Node) bool {
+	return IsNodeSchedulable(logger, node) && isNodeUntainted(logger, node)
 }
 
 // hasNonblockingTaint returns true if the node contains at least
diff --git a/test/e2e/framework/node/wait.go b/test/e2e/framework/node/wait.go
index cf8b3d388c908..cde16d79fdf7e 100644
--- a/test/e2e/framework/node/wait.go
+++ b/test/e2e/framework/node/wait.go
@@ -19,6 +19,7 @@ package node
 import (
 	"context"
 	"fmt"
+	"k8s.io/klog/v2"
 	"regexp"
 	"time"
 
@@ -48,6 +49,7 @@ func WaitForReadyNodes(ctx context.Context, c clientset.Interface, size int, tim
 
 // WaitForTotalHealthy checks whether all registered nodes are ready and all required Pods are running on them.
 func WaitForTotalHealthy(ctx context.Context, c clientset.Interface, timeout time.Duration) error {
+	logger := klog.FromContext(ctx)
 	framework.Logf("Waiting up to %v for all nodes to be ready", timeout)
 
 	var notReady []v1.Node
@@ -79,7 +81,7 @@ func WaitForTotalHealthy(ctx context.Context, c clientset.Interface, timeout tim
 		}
 		missingPodsPerNode = make(map[string][]string)
 		for _, node := range nodes.Items {
-			if isNodeSchedulableWithoutTaints(&node) {
+			if isNodeSchedulableWithoutTaints(logger, &node) {
 				for _, requiredPod := range requiredPerNodePods {
 					foundRequired := false
 					for _, presentPod := range systemPodsPerNode[node.Name] {
@@ -145,6 +147,7 @@ func WaitForNodeToBeReady(ctx context.Context, c clientset.Interface, name strin
 }
 
 func WaitForNodeSchedulable(ctx context.Context, c clientset.Interface, name string, timeout time.Duration, wantSchedulable bool) bool {
+	logger := klog.FromContext(ctx)
 	framework.Logf("Waiting up to %v for node %s to be schedulable: %t", timeout, name, wantSchedulable)
 	for start := time.Now(); time.Since(start) < timeout; time.Sleep(poll) {
 		node, err := c.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{})
@@ -153,7 +156,7 @@ func WaitForNodeSchedulable(ctx context.Context, c clientset.Interface, name str
 			continue
 		}
 
-		if IsNodeSchedulable(node) == wantSchedulable {
+		if IsNodeSchedulable(logger, node) == wantSchedulable {
 			return true
 		}
 	}
@@ -235,6 +238,7 @@ func checkWaitListSchedulableNodes(ctx context.Context, c clientset.Interface) (
 
 // CheckReadyForTests returns a function which will return 'true' once the number of ready nodes is above the allowedNotReadyNodes threshold (i.e. to be used as a global gate for starting the tests).
 func CheckReadyForTests(ctx context.Context, c clientset.Interface, nonblockingTaints string, allowedNotReadyNodes, largeClusterThreshold int) func(ctx context.Context) (bool, error) {
+	logger := klog.FromContext(ctx)
 	attempt := 0
 	return func(ctx context.Context) (bool, error) {
 		if allowedNotReadyNodes == -1 {
@@ -257,7 +261,7 @@ func CheckReadyForTests(ctx context.Context, c clientset.Interface, nonblockingT
 			return false, terminalListNodesErr
 		}
 		for _, node := range allNodes.Items {
-			if !readyForTests(&node, nonblockingTaints) {
+			if !readyForTests(logger, &node, nonblockingTaints) {
 				nodesNotReadyYet = append(nodesNotReadyYet, node)
 			}
 		}
@@ -297,15 +301,15 @@ func CheckReadyForTests(ctx context.Context, c clientset.Interface, nonblockingT
 // to enter a testable state. By default this means it is schedulable, NodeReady, and untainted.
 // Nodes with taints nonblocking taints are permitted to have that taint and
 // also have their node.Spec.Unschedulable field ignored for the purposes of this function.
-func readyForTests(node *v1.Node, nonblockingTaints string) bool {
+func readyForTests(logger klog.Logger, node *v1.Node, nonblockingTaints string) bool {
 	if hasNonblockingTaint(node, nonblockingTaints) {
 		// If the node has one of the nonblockingTaints taints; just check that it is ready
 		// and don't require node.Spec.Unschedulable to be set either way.
-		if !IsNodeReady(node) || !isNodeUntaintedWithNonblocking(node, nonblockingTaints) {
+		if !IsNodeReady(logger, node) || !isNodeUntaintedWithNonblocking(logger, node, nonblockingTaints) {
 			return false
 		}
 	} else {
-		if !IsNodeSchedulable(node) || !isNodeUntainted(node) {
+		if !IsNodeSchedulable(logger, node) || !isNodeUntainted(logger, node) {
 			return false
 		}
 	}
diff --git a/test/e2e/framework/node/wait_test.go b/test/e2e/framework/node/wait_test.go
index f917d40d6d23f..062ab505412d2 100644
--- a/test/e2e/framework/node/wait_test.go
+++ b/test/e2e/framework/node/wait_test.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
 	k8stesting "k8s.io/client-go/testing"
+	"k8s.io/klog/v2/ktesting"
 )
 
 // TestCheckReadyForTests specifically is concerned about the multi-node logic
@@ -195,6 +196,7 @@ func TestCheckReadyForTests(t *testing.T) {
 }
 
 func TestReadyForTests(t *testing.T) {
+	logger, _ := ktesting.NewTestContext(t)
 	fromVanillaNode := func(f func(*v1.Node)) *v1.Node {
 		vanillaNode := &v1.Node{
 			ObjectMeta: metav1.ObjectMeta{Name: "test-node"},
@@ -269,7 +271,7 @@ func TestReadyForTests(t *testing.T) {
 
 	for _, tc := range tcs {
 		t.Run(tc.desc, func(t *testing.T) {
-			out := readyForTests(tc.node, tc.nonblockingTaints)
+			out := readyForTests(logger, tc.node, tc.nonblockingTaints)
 			if out != tc.expected {
 				t.Errorf("Expected %v but got %v", tc.expected, out)
 			}
diff --git a/test/e2e/framework/pod/create.go b/test/e2e/framework/pod/create.go
index 47c25b2c03f74..d134fdced4b4d 100644
--- a/test/e2e/framework/pod/create.go
+++ b/test/e2e/framework/pod/create.go
@@ -51,6 +51,7 @@ type Config struct {
 	NodeSelection          NodeSelection
 	ImageID                imageutils.ImageID
 	PodFSGroupChangePolicy *v1.PodFSGroupChangePolicy
+	PodSELinuxChangePolicy *v1.PodSELinuxChangePolicy
 }
 
 // CreateUnschedulablePod with given claims based on node selector
@@ -224,6 +225,9 @@ func MakePodSpec(podConfig *Config) *v1.PodSpec {
 	if podConfig.PodFSGroupChangePolicy != nil {
 		podSpec.SecurityContext.FSGroupChangePolicy = podConfig.PodFSGroupChangePolicy
 	}
+	if podConfig.PodSELinuxChangePolicy != nil {
+		podSpec.SecurityContext.SELinuxChangePolicy = podConfig.PodSELinuxChangePolicy
+	}
 
 	setVolumes(podSpec, podConfig.PVCs, podConfig.InlineVolumeSources, podConfig.PVCsReadOnly)
 	SetNodeSelection(podSpec, podConfig.NodeSelection)
diff --git a/test/e2e/framework/pod/pod_client.go b/test/e2e/framework/pod/pod_client.go
index 664eae425ca20..104f9dec8013a 100644
--- a/test/e2e/framework/pod/pod_client.go
+++ b/test/e2e/framework/pod/pod_client.go
@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"regexp"
+	"strings"
 	"sync"
 	"time"
 
@@ -271,18 +272,16 @@ func (c *PodClient) mungeSpec(pod *v1.Pod) {
 	// during the test.
 	for i := range pod.Spec.Containers {
 		c := &pod.Spec.Containers[i]
-		if c.ImagePullPolicy == v1.PullAlways {
-			// If the image pull policy is PullAlways, the image doesn't need to be in
-			// the allow list or pre-pulled, because the image is expected to be pulled
-			// in the test anyway.
-			continue
+		// If the image pull policy is PullNever, make sure it is in the pre-pull list.
+		// Note that we skip images from localhost registry here, because
+		// they are usually used for testing private registry pulling,
+		// and they are not supposed to be pre-pulled.
+		if c.ImagePullPolicy == v1.PullNever && !strings.Contains(c.Image, "localhost") {
+			gomega.Expect(ImagePrePullList.Has(c.Image)).To(gomega.BeTrueBecause("Image %q is not in the pre-pull list, consider adding it to PrePulledImages in test/e2e/common/util.go or NodePrePullImageList in test/e2e_node/image_list.go", c.Image))
 		}
-		// If the image policy is not PullAlways, the image must be in the pre-pull list and
-		// pre-pulled.
-		gomega.Expect(ImagePrePullList.Has(c.Image)).To(gomega.BeTrueBecause("Image %q is not in the pre-pull list, consider adding it to PrePulledImages in test/e2e/common/util.go or NodePrePullImageList in test/e2e_node/image_list.go", c.Image))
-		// Do not pull images during the tests because the images in pre-pull list should have
-		// been prepulled.
-		c.ImagePullPolicy = v1.PullNever
+		// If the image pull policy is PullAlways or PullIfNotPresent, the image doesn't need
+		// to be in the allow list or pre-pulled, because the image is expected to be pulled
+		// in the test anyway.
 	}
 }
 
diff --git a/test/e2e/framework/pod/utils.go b/test/e2e/framework/pod/utils.go
index b1fd25bed6dbd..74d42507a5282 100644
--- a/test/e2e/framework/pod/utils.go
+++ b/test/e2e/framework/pod/utils.go
@@ -178,7 +178,7 @@ func GetRestrictedContainerSecurityContext() *v1.SecurityContext {
 	}
 }
 
-var psaEvaluator, _ = psapolicy.NewEvaluator(psapolicy.DefaultChecks())
+var psaEvaluator, _ = psapolicy.NewEvaluator(psapolicy.DefaultChecks(), nil)
 
 // MustMixinRestrictedPodSecurity makes the given pod compliant with the restricted pod security level.
 // If doing so would overwrite existing non-conformant configuration, a test failure is triggered.
diff --git a/test/e2e/framework/pod/wait.go b/test/e2e/framework/pod/wait.go
index 0a8f3153299ca..f76144b9fcdd3 100644
--- a/test/e2e/framework/pod/wait.go
+++ b/test/e2e/framework/pod/wait.go
@@ -495,13 +495,23 @@ func WaitForPodsWithSchedulingGates(ctx context.Context, c clientset.Interface,
 	return err
 }
 
-// WaitForPodTerminatedInNamespace returns an error if it takes too long for the pod to terminate,
+// WaitForPodTerminatedInNamespace returns an error if it takes too long for the pod to terminate after podStartTimeout,
 // if the pod Get api returns an error (IsNotFound or other), or if the pod failed (and thus did not
 // terminate) with an unexpected reason. Typically called to test that the passed-in pod is fully
 // terminated (reason==""), but may be called to detect if a pod did *not* terminate according to
 // the supplied reason.
 func WaitForPodTerminatedInNamespace(ctx context.Context, c clientset.Interface, podName, reason, namespace string) error {
-	return WaitForPodCondition(ctx, c, namespace, podName, fmt.Sprintf("terminated with reason %s", reason), podStartTimeout, func(pod *v1.Pod) (bool, error) {
+	return WaitForPodTerminatedInNamespaceTimeout(ctx, c, podName, reason, namespace, podStartTimeout)
+}
+
+// WaitForPodTerminatedInNamespaceTimeout returns an error if it takes too long
+// for the pod to terminate after the provided timeout, if the pod Get api
+// returns an error (IsNotFound or other), or if the pod failed (and thus did
+// not terminate) with an unexpected reason. Typically called to test that the
+// passed-in pod is fully terminated (reason==""), but may be called to detect
+// if a pod did *not* terminate according to the supplied reason.
+func WaitForPodTerminatedInNamespaceTimeout(ctx context.Context, c clientset.Interface, podName, reason, namespace string, timeout time.Duration) error {
+	return WaitForPodCondition(ctx, c, namespace, podName, fmt.Sprintf("terminated with reason %s", reason), timeout, func(pod *v1.Pod) (bool, error) {
 		// Only consider Failed pods. Successful pods will be deleted and detected in
 		// waitForPodCondition's Get call returning `IsNotFound`
 		if pod.Status.Phase == v1.PodFailed {
diff --git a/test/e2e/framework/registry/.import-restrictions b/test/e2e/framework/registry/.import-restrictions
new file mode 100644
index 0000000000000..71d4c67afee71
--- /dev/null
+++ b/test/e2e/framework/registry/.import-restrictions
@@ -0,0 +1,14 @@
+rules:
+  # Using k8s packages, other framework helpers and the public API should be good enough.
+  #
+  # public API
+  - selectorRegexp: ^k8s[.]io/(api|apimachinery|client-go|component-base|klog|pod-security-admission|utils)
+    allowedPrefixes: [ "" ]
+
+  # test helpers
+  - selectorRegexp: ^k8s[.]io/kubernetes/test
+    allowedPrefixes: [ "" ]
+
+  # stdlib
+  - selectorRegexp: ^[a-z]+(/|$)
+    allowedPrefixes: [ "" ]
\ No newline at end of file
diff --git a/test/e2e/framework/registry/registry.go b/test/e2e/framework/registry/registry.go
new file mode 100644
index 0000000000000..139d61aec3c38
--- /dev/null
+++ b/test/e2e/framework/registry/registry.go
@@ -0,0 +1,146 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/pod-security-admission/api"
+	"k8s.io/pod-security-admission/test"
+	"k8s.io/utils/ptr"
+
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2edaemonset "k8s.io/kubernetes/test/e2e/framework/daemonset"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+)
+
+const (
+	dockerCredsFmt = `{
+	"auths": {
+		"%s": {
+			"auth": "%s"
+		}
+	}
+}`
+	user1creds = "dXNlcjpwYXNzd29yZA==" // user:password
+)
+
+// SetupRegistry runs the `fake-registry-server --private` from the agnhost image.
+// The registry is run with HostPort 5000 exposed in order to allow locally-scheduled
+// pods to query the registry via kubelet.
+// The registry only runs in HTTP (no TLS) mode, and so this hack-path is used as
+// localhost is typically allowed by CRIs and so no CRI-specific configuration is needed
+//
+// By default, the function runs the registry as a DaemonSet on all nodes, but it supports running
+// it in just a `pod` for cases where kube-controller-manager is not running (like in
+// the Node Conformance test suite).
+//
+// This function returns:
+// - the node-local address of the registry
+// - set of node names that the registry runs on, mostly useful only in the podOnly case
+// - an error
+//
+// TODO: once https://github.com/kubernetes/kubernetes/issues/132955 is
+// addressed, we might be able to proxy a single endpoint from the cluster to each
+// node's localhost port instead of using DaemonSets.
+func SetupRegistry(ctx context.Context, f *framework.Framework, podOnly bool) (string, []string, error) {
+	podTestLabel := "test-registry-pod-" + f.UniqueName
+	pod, err := podManifest(podTestLabel)
+	if err != nil {
+		return "", nil, err
+	}
+
+	if podOnly {
+		podClient := e2epod.NewPodClient(f)
+		pod = podClient.Create(ctx, pod)
+		framework.ExpectNoError(e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod))
+	} else {
+		labels := map[string]string{"kube-e2e": podTestLabel}
+		daemonset := e2edaemonset.NewDaemonSet("", "", labels, nil, nil, nil)
+		daemonset.GenerateName = "test-registry-"
+		daemonset.Spec.Template.Spec = pod.Spec
+
+		daemonset, err = f.ClientSet.AppsV1().DaemonSets(f.Namespace.Name).Create(ctx, daemonset, metav1.CreateOptions{})
+		if err != nil {
+			return "", nil, err
+		}
+
+		err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 120*time.Second, true, func(ctx context.Context) (done bool, err error) {
+			return e2edaemonset.CheckRunningOnAllNodes(ctx, f, daemonset)
+		})
+		if err != nil {
+			return "", nil, err
+		}
+	}
+
+	pods, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).List(ctx, metav1.ListOptions{LabelSelector: "kube-e2e=" + podTestLabel})
+	if err != nil {
+		return "", nil, err
+	}
+	podNodes := make([]string, 0, len(pods.Items))
+	for _, pod := range pods.Items {
+		podNodes = append(podNodes, pod.Spec.NodeName)
+	}
+
+	return "localhost:5000", podNodes, nil
+}
+
+func podManifest(podTestLabel string) (*v1.Pod, error) {
+	pod, err := test.GetMinimalValidPod(api.LevelRestricted, api.MajorMinorVersion(1, 25))
+	if err != nil {
+		return nil, err
+	}
+
+	pod.ObjectMeta.GenerateName = "test-registry-"
+	pod.ObjectMeta.Labels = map[string]string{"kube-e2e": podTestLabel}
+
+	pod.Spec.InitContainers = nil
+	pod.Spec.Containers[0].Name = "registry"
+	pod.Spec.Containers[0].Image = imageutils.GetE2EImage(imageutils.Agnhost)
+	pod.Spec.Containers[0].ImagePullPolicy = v1.PullIfNotPresent
+	pod.Spec.Containers[0].Args = []string{"fake-registry-server", "--private"}
+	pod.Spec.Containers[0].Ports = []v1.ContainerPort{
+		{
+			Name:          "http",
+			ContainerPort: 5000,
+			HostPort:      5000,
+		},
+	}
+	pod.Spec.Containers[0].SecurityContext.RunAsUser = ptr.To[int64](5123)
+	// setting HostNetwork to true so that the registry is accessible on localhost:<hostport>
+	// and we don't have to deal with any CNI quirks.
+	pod.Spec.HostNetwork = true
+
+	return pod, nil
+}
+
+// User1DockerSecret creates a secret containing the docker credentials for pulling from
+// the agnhost fake-registry-server.
+func User1DockerSecret(registryAddress string) *v1.Secret {
+	return &v1.Secret{
+		Type: v1.SecretTypeDockerConfigJson,
+		Data: map[string][]byte{
+			v1.DockerConfigJsonKey: fmt.Appendf(nil, dockerCredsFmt, registryAddress, user1creds),
+		},
+	}
+}
diff --git a/test/e2e/framework/service/jig.go b/test/e2e/framework/service/jig.go
index 78d01aac83687..78cd28d1a05ba 100644
--- a/test/e2e/framework/service/jig.go
+++ b/test/e2e/framework/service/jig.go
@@ -169,6 +169,15 @@ func ReserveStaticNodePort(port int32) bool {
 // ReleaseStaticNodePort releases the specified port.
 // The corresponding service should have already been deleted, to ensure that the
 // port allocator doesn't try to reuse it before the apiserver considers it available.
+// The caller should do it like below:
+//
+//	ginkgo.DeferCleanup(func(ctx context.Context) {
+//		err := cs.CoreV1().Services(ns).Delete(ctx, serviceName, metav1.DeleteOptions{})
+//		if err != nil && !apierrors.IsNotFound(err) {
+//			framework.ExpectNoError(err, "failed to delete service %s in namespace %s", serviceName, ns)
+//		}
+//		e2eservice.ReleaseStaticNodePort(nodePort)
+//	})
 func ReleaseStaticNodePort(port int32) {
 	staticPortAllocator.releasePort(port)
 }
diff --git a/test/e2e/framework/statefulset/fixtures.go b/test/e2e/framework/statefulset/fixtures.go
index 9a1f6f11f10d1..7bea163d92376 100644
--- a/test/e2e/framework/statefulset/fixtures.go
+++ b/test/e2e/framework/statefulset/fixtures.go
@@ -81,8 +81,9 @@ func NewStatefulSet(name, ns, governingSvcName string, replicas int32, statefulP
 					Containers: []v1.Container{
 						{
 							Name:         "webserver",
-							Image:        imageutils.GetE2EImage(imageutils.Httpd),
+							Image:        imageutils.GetE2EImage(imageutils.AgnhostPrev),
 							VolumeMounts: mounts,
+							Args:         []string{"test-webserver"},
 						},
 					},
 					Volumes: vols,
@@ -107,7 +108,7 @@ func NewStatefulSetPVC(name string) v1.PersistentVolumeClaim {
 			},
 			Resources: v1.VolumeResourceRequirements{
 				Requests: v1.ResourceList{
-					v1.ResourceStorage: *resource.NewQuantity(1, resource.BinarySI),
+					v1.ResourceStorage: resource.MustParse("10Gi"),
 				},
 			},
 		},
diff --git a/test/e2e/framework/statefulset/wait.go b/test/e2e/framework/statefulset/wait.go
index 5615b58ffa0cd..63a2fcc267ff4 100644
--- a/test/e2e/framework/statefulset/wait.go
+++ b/test/e2e/framework/statefulset/wait.go
@@ -19,6 +19,7 @@ package statefulset
 import (
 	"context"
 	"fmt"
+	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
@@ -63,9 +64,9 @@ func WaitForRunning(ctx context.Context, c clientset.Interface, numPodsRunning,
 	}
 }
 
-// WaitForState periodically polls for the ss and its pods until the until function returns either true or an error
-func WaitForState(ctx context.Context, c clientset.Interface, ss *appsv1.StatefulSet, until func(*appsv1.StatefulSet, *v1.PodList) (bool, error)) {
-	pollErr := wait.PollUntilContextTimeout(ctx, StatefulSetPoll, StatefulSetTimeout, true,
+// WaitForState periodically polls for the ss and its pods until the until function returns either true or an error.
+func WaitForState(ctx context.Context, c clientset.Interface, ss *appsv1.StatefulSet, pollInterval time.Duration, until func(*appsv1.StatefulSet, *v1.PodList) (bool, error)) {
+	pollErr := wait.PollUntilContextTimeout(ctx, pollInterval, StatefulSetTimeout, true,
 		func(ctx context.Context) (bool, error) {
 			ssGet, err := c.AppsV1().StatefulSets(ss.Namespace).Get(ctx, ss.Name, metav1.GetOptions{})
 			if err != nil {
@@ -91,7 +92,7 @@ func WaitForRunningAndReady(ctx context.Context, c clientset.Interface, numState
 // WaitForPodReady waits for the Pod named podName in set to exist and have a Ready condition.
 func WaitForPodReady(ctx context.Context, c clientset.Interface, set *appsv1.StatefulSet, podName string) (*appsv1.StatefulSet, *v1.PodList) {
 	var pods *v1.PodList
-	WaitForState(ctx, c, set, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
+	WaitForState(ctx, c, set, StatefulSetPoll, func(set2 *appsv1.StatefulSet, pods2 *v1.PodList) (bool, error) {
 		set = set2
 		pods = pods2
 		for i := range pods.Items {
diff --git a/test/e2e/framework/test_context.go b/test/e2e/framework/test_context.go
index 61916785e2ba2..aa35cebd159a9 100644
--- a/test/e2e/framework/test_context.go
+++ b/test/e2e/framework/test_context.go
@@ -28,7 +28,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -616,19 +615,6 @@ func AfterReadingAllFlags(t *TestContextType) {
 		}
 
 		ginkgo.ReportAfterSuite("Kubernetes e2e JUnit report", func(report ginkgo.Report) {
-			// Sort specs by full name. The default is by start (or completion?) time,
-			// which is less useful in spyglass because those times are not shown
-			// and thus tests seem to be listed with no apparent order.
-			slices.SortFunc(report.SpecReports, func(a, b types.SpecReport) int {
-				res := strings.Compare(a.FullText(), b.FullText())
-				if res == 0 {
-					// Use start time as tie-breaker in the unlikely
-					// case that two specs have the same full name.
-					return a.StartTime.Compare(b.StartTime)
-				}
-				return res
-			})
-
 			// With Ginkgo v1, we used to write one file per
 			// parallel node. Now Ginkgo v2 automatically merges
 			// all results into a report for us. The 01 suffix is
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index a2a65204b0284..dbe7f29854c67 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -36,7 +36,6 @@ import (
 	"github.com/onsi/gomega"
 
 	v1 "k8s.io/api/core/v1"
-	discoveryv1 "k8s.io/api/discovery/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@@ -410,45 +409,6 @@ func CheckTestingNSDeletedExcept(ctx context.Context, c clientset.Interface, ski
 	return fmt.Errorf("Waiting for terminating namespaces to be deleted timed out")
 }
 
-// WaitForServiceEndpointsNum waits until there are EndpointSlices for serviceName
-// containing a total of expectNum endpoints. (If the service is dual-stack, expectNum
-// must count the endpoints of both IP families.)
-// Deprecated: use e2eendpointslice.WaitForEndpointCount or other related functions.
-func WaitForServiceEndpointsNum(ctx context.Context, c clientset.Interface, namespace, serviceName string, expectNum int, interval, timeout time.Duration) error {
-	return wait.PollUntilContextTimeout(ctx, interval, timeout, false, func(ctx context.Context) (bool, error) {
-		Logf("Waiting for amount of service:%s endpoints to be %d", serviceName, expectNum)
-		esList, err := c.DiscoveryV1().EndpointSlices(namespace).List(ctx, metav1.ListOptions{LabelSelector: fmt.Sprintf("%s=%s", discoveryv1.LabelServiceName, serviceName)})
-		if err != nil {
-			Logf("Unexpected error trying to get EndpointSlices for %s : %v", serviceName, err)
-			return false, nil
-		}
-
-		if len(esList.Items) == 0 {
-			Logf("Waiting for at least 1 EndpointSlice to exist")
-			return false, nil
-		}
-
-		if countEndpointsSlicesNum(esList) != expectNum {
-			Logf("Unexpected number of Endpoints on Slices, got %d, expected %d", countEndpointsSlicesNum(esList), expectNum)
-			return false, nil
-		}
-		return true, nil
-	})
-}
-
-func countEndpointsSlicesNum(epList *discoveryv1.EndpointSliceList) int {
-	// EndpointSlices can contain the same address on multiple Slices
-	addresses := sets.Set[string]{}
-	for _, epSlice := range epList.Items {
-		for _, ep := range epSlice.Endpoints {
-			if len(ep.Addresses) > 0 {
-				addresses.Insert(ep.Addresses[0])
-			}
-		}
-	}
-	return addresses.Len()
-}
-
 // restclientConfig returns a config holds the information needed to build connection to kubernetes clusters.
 func restclientConfig(kubeContext string) (*clientcmdapi.Config, error) {
 	//Logf(">>> kubeConfig: %s", TestContext.KubeConfig)
diff --git a/test/e2e/framework/volume/fixtures.go b/test/e2e/framework/volume/fixtures.go
index 830ec08f2b551..ecc59b63da11a 100644
--- a/test/e2e/framework/volume/fixtures.go
+++ b/test/e2e/framework/volume/fixtures.go
@@ -90,8 +90,8 @@ const (
 	PodCleanupTimeout = 20 * time.Second
 )
 
-// SizeRange encapsulates a range of sizes specified as minimum and maximum quantity strings
-// Both values are optional.
+// SizeRange encapsulates a range of sizes specified as minimum, maximum, and step size quantity strings
+// All values are optional.
 // If size is not set, it will assume there's not limitation and it may set a very small size (E.g. 1ki)
 // as Min and set a considerable big size(E.g. 10Ei) as Max, which make it possible to calculate
 // the intersection of given intervals (if it exists)
@@ -104,6 +104,10 @@ type SizeRange struct {
 	// If the Min size is unset, It will be assign a default valid minimum size 1Ki,
 	// which is defined in test/e2e/storage/testsuites/base.go
 	Min string
+	// Step quantity specified as a string including units. E.g "1Gi".
+	// This represents the increment by which the volume size can be expanded.
+	// If the Step size is unset, it will not be assigned a default value.
+	Step string
 }
 
 // TestConfig is a struct for configuration of one tests. The test consist of:
diff --git a/test/e2e/instrumentation/events.go b/test/e2e/instrumentation/events.go
index 553d2bb025f17..32e96e25b6c85 100644
--- a/test/e2e/instrumentation/events.go
+++ b/test/e2e/instrumentation/events.go
@@ -25,9 +25,11 @@ import (
 	eventsv1 "k8s.io/api/events/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	typedeventsv1 "k8s.io/client-go/kubernetes/typed/events/v1"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/instrumentation/common"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -99,8 +101,9 @@ var _ = common.SIGDescribe("Events API", func() {
 		eventName := "event-test"
 
 		ginkgo.By("creating a test event")
-		_, err := client.Create(ctx, newTestEvent(f.Namespace.Name, eventName, "testevent-constant"), metav1.CreateOptions{})
+		createdEvent, err := client.Create(ctx, newTestEvent(f.Namespace.Name, eventName, "testevent-constant"), metav1.CreateOptions{})
 		framework.ExpectNoError(err, "failed to create test event")
+		gomega.Expect(createdEvent).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing events in all namespaces")
 		foundCreatedEvent := eventExistsInList(ctx, clientAllNamespaces, f.Namespace.Name, eventName)
@@ -152,6 +155,7 @@ var _ = common.SIGDescribe("Events API", func() {
 		ginkgo.By("getting the test event")
 		event, err := client.Get(ctx, eventName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "failed to get test event")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdEvent.ResourceVersion, event.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 		// clear ResourceVersion and ManagedFields which are set by control-plane
 		event.ObjectMeta.ResourceVersion = ""
 		testEvent.ObjectMeta.ResourceVersion = ""
diff --git a/test/e2e/invariants/OWNERS b/test/e2e/invariants/OWNERS
new file mode 100644
index 0000000000000..ba329df787f86
--- /dev/null
+++ b/test/e2e/invariants/OWNERS
@@ -0,0 +1,11 @@
+# go.k8s.io/owners
+options:
+  no_parent_owners: true
+approvers:
+  - bentheelder
+  - aojea
+  - pohly
+reviewers:
+  - bentheelder
+  - aojea
+  - pohly
diff --git a/test/e2e/invariants/README.md b/test/e2e/invariants/README.md
new file mode 100644
index 0000000000000..eb9cd5b3b2a64
--- /dev/null
+++ b/test/e2e/invariants/README.md
@@ -0,0 +1,12 @@
+# Invariant Tests
+
+This package implements [KEP-5468 Invariant Testing][kep].
+
+Before adding new tests here, please reach out to SIG-Testing to discuss
+with the SIG and Tech Leads.
+
+https://github.com/kubernetes/community/tree/master/sig-testing#contact
+
+For more details, see [the kep][kep].
+
+[kep]: https://git.k8s.io/enhancements/keps/sig-testing/5468-invariant-testing
diff --git a/test/e2e/invariants/metrics.go b/test/e2e/invariants/metrics.go
new file mode 100644
index 0000000000000..8a6fe61b31f6e
--- /dev/null
+++ b/test/e2e/invariants/metrics.go
@@ -0,0 +1,182 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// please speak to SIG-Testing leads before adding anything to this package
+// see: https://git.k8s.io/enhancements/keps/sig-testing/5468-invariant-testing
+package invariants
+
+import (
+	"context"
+	"strings"
+
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/component-base/metrics/testutil"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics"
+
+	"github.com/onsi/ginkgo/v2"
+	ginkgotypes "github.com/onsi/ginkgo/v2/types"
+)
+
+// checks for api-server metrics that indicate an internal bug has occurred
+const invariantMetricsLeafText = "should enable checking invariant metrics"
+
+var _ = framework.SIGDescribe("testing")("Invariant Metrics", func() {
+	// this test is a sentinel for selecting the report after suite logic
+	//
+	// this allows us to run it by default in most jobs, but it can be opted-out,
+	// does not run when selecting Conformance, and it can be tagged Flaky
+	// if we encounter issues with it
+	ginkgo.It(invariantMetricsLeafText, func() {})
+})
+
+var _ = ginkgo.ReportAfterSuite("Invariant Metrics", func(ctx ginkgo.SpecContext, report ginkgo.Report) {
+	// skip early if we are in dry-run mode and didn't really run any tests
+	if report.SuiteConfig.DryRun {
+		return
+	}
+	// check if we ran the 'should enabled checking invariants' "test"
+	invariantsSelected := false
+	for _, spec := range report.SpecReports {
+		if spec.LeafNodeText == invariantMetricsLeafText {
+			invariantsSelected = spec.State.Is(ginkgotypes.SpecStatePassed)
+			break
+		}
+	}
+	// skip if the associated "test" was skipped
+	if !invariantsSelected {
+		return
+	}
+	// otherwise actually check invariants now
+	checkInvariantMetrics(ctx)
+})
+
+// apiServerMetricInvariant represents an api-server metric invariant, all
+// fields must be specified
+type apiServerMetricInvariant struct {
+	// Metric is the metric name
+	Metric string
+	// SIG associated with the invariant
+	// Bugs related to this invariant check failing should be labeled with
+	// this SIG.
+	SIG string
+	// Owners are the individuals responsible for the invariant
+	// Bugs related to this invariant check failing should be assigned to these
+	// GitHub handles
+	Owners []string
+	// IsValid should return false if the metric samples violate the invariant
+	IsValid func(testutil.Samples) bool
+}
+
+// Please speak to SIG-Testing leads before adding anything here.
+// All fields must be specified
+var apiServerMetricInvariants = []apiServerMetricInvariant{
+	{
+		// TODO: Migrate to apiserver_validation_declarative_validation_parity_discrepancies_total
+		// when it reaches beta / when this metric is deprecated.
+		// For now we uare using the previous beta metric.
+		Metric: "apiserver_validation_declarative_validation_mismatch_total",
+		SIG:    "api-machinery",
+		Owners: []string{"aaron-prindle", "jpbetz", "thockin"},
+		IsValid: func(samples testutil.Samples) bool {
+			// declarative validation mismatch should never be non-zero
+			for _, sample := range samples {
+				if sample.Value != 0 {
+					return false
+				}
+			}
+			return true
+		},
+	},
+	{
+		// TODO: Migrate to apiserver_validation_declarative_validation_panics_total
+		// when it reaches beta / when this metric is deprecated.
+		// For now we uare using the previous beta metric.
+		Metric: "apiserver_validation_declarative_validation_panic_total",
+		SIG:    "api-machinery",
+		Owners: []string{"aaron-prindle", "jpbetz", "thockin"},
+		IsValid: func(samples testutil.Samples) bool {
+			// declarative validation panics should never be non-zero
+			for _, sample := range samples {
+				if sample.Value != 0 {
+					return false
+				}
+			}
+			return true
+		},
+	},
+}
+
+func checkInvariantMetrics(ctx context.Context) {
+	// Grab metrics
+	config, err := framework.LoadConfig()
+	if err != nil {
+		framework.Failf("error loading client config: %v", err)
+	}
+	c, err := clientset.NewForConfig(config)
+	if err != nil {
+		framework.Failf("error loading client config: %v", err)
+	}
+	grabber, err := e2emetrics.NewMetricsGrabber(ctx, c, nil, config, false, false, false, true, false, false)
+	if err != nil {
+		framework.Failf("error creating metrics grabber: %v", err)
+	}
+	apiserverMetrics, err := grabber.GrabFromAPIServer(ctx)
+	if err != nil {
+		framework.Failf("error grabbing api-server metrics: %v", err)
+	}
+
+	// Check invariant metrics.
+	//
+	//
+	// Please speak to SIG-Testing leads before adding anything here.
+	for _, invariant := range apiServerMetricInvariants {
+		checkAPIServerInvariant(apiserverMetrics, &invariant)
+	}
+}
+
+func checkAPIServerInvariant(metrics e2emetrics.APIServerMetrics, invariant *apiServerMetricInvariant) {
+	metric := invariant.Metric
+	samples, ok := metrics[metric]
+	if !ok || len(samples) == 0 {
+		framework.Failf(
+			`Invariant failed for missing metric: %v
+
+If this failed on a pull request, please check if the PR changes may be related to the failure.
+If not, you can also search for an existing GitHub issue before filing a new issue.
+
+If this failed in a periodic CI job, please file a bug and /assign the owners.
+
+Owners for this metric: %v
+Associated SIG: %v`,
+			metric, strings.Join(invariant.Owners, " "), invariant.SIG,
+		)
+	}
+	if !invariant.IsValid(samples) {
+		framework.Failf(
+			`Invariant failed for metric: %v
+
+If this failed on a pull request, please check if the PR changes may be related to the failure.
+If not, you can also search for an existing GitHub issue before filing a new issue.
+
+If this failed in a periodic CI job, please file a bug and /assign the owners.
+
+Owners for this metric: %v
+Associated SIG: %v`,
+			metric, strings.Join(invariant.Owners, " "), invariant.SIG,
+		)
+	}
+}
diff --git a/test/e2e/invariants/metrics_test.go b/test/e2e/invariants/metrics_test.go
new file mode 100644
index 0000000000000..7ee7327e94088
--- /dev/null
+++ b/test/e2e/invariants/metrics_test.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package invariants
+
+import "testing"
+
+func TestApiServerMetricInvariantsFieldsAreSet(t *testing.T) {
+	// enforce that all fields are set for all registered metrics
+	for i, inv := range apiServerMetricInvariants {
+		if inv.Metric == "" {
+			t.Errorf("apiServerMetricInvariants[%d].Metric is not set", i)
+		}
+		if inv.SIG == "" {
+			t.Errorf("apiServerMetricInvariants[%d].SIG is not set", i)
+		}
+		if len(inv.Owners) == 0 {
+			t.Errorf("apiServerMetricInvariants[%d].Owners is not set", i)
+		}
+		if inv.IsValid == nil {
+			t.Errorf("apiServerMetricInvariants[%d].IsValid is not set", i)
+		}
+	}
+}
diff --git a/test/e2e/kubectl/delete.go b/test/e2e/kubectl/delete.go
index ea18b663b3028..d0e529fddac98 100644
--- a/test/e2e/kubectl/delete.go
+++ b/test/e2e/kubectl/delete.go
@@ -42,14 +42,14 @@ var _ = SIGDescribe("Kubectl delete", func() {
 	var deploymentYaml string
 	f := framework.NewDefaultFramework("kubectl-delete")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
-	deploymentName := "httpd-deployment"
+	deploymentName := "agnhost-deployment"
 
 	var ns string
 	var c clientset.Interface
 	ginkgo.BeforeEach(func() {
 		c = f.ClientSet
 		ns = f.Namespace.Name
-		deploymentYaml = commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment1Filename)))
+		deploymentYaml = commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment1Filename)))
 	})
 
 	ginkgo.Describe("interactive", func() {
@@ -69,7 +69,7 @@ var _ = SIGDescribe("Kubectl delete", func() {
 			output := e2ekubectl.RunKubectlOrDieInput(ns, "n", "delete", "--interactive", "deployment", deploymentName)
 			expectedOutput := "You are about to delete the following 1 resource(s):"
 			if !strings.Contains(output, expectedOutput) ||
-				!strings.Contains(output, "deployment.apps/httpd-deployment") ||
+				!strings.Contains(output, "deployment.apps/agnhost-deployment") ||
 				!strings.Contains(output, "deletion is cancelled") {
 				framework.Failf("unexpected output %s", output)
 			}
diff --git a/test/e2e/kubectl/kubectl.go b/test/e2e/kubectl/kubectl.go
index a73583d493a13..99d5f592272c7 100644
--- a/test/e2e/kubectl/kubectl.go
+++ b/test/e2e/kubectl/kubectl.go
@@ -91,25 +91,25 @@ import (
 )
 
 const (
-	updateDemoSelector        = "name=update-demo"
-	guestbookStartupTimeout   = 10 * time.Minute
-	guestbookResponseTimeout  = 3 * time.Minute
-	simplePodSelector         = "name=httpd"
-	simplePodName             = "httpd"
-	simplePodResourceName     = "pod/httpd"
-	httpdDefaultOutput        = "It works!"
-	simplePodPort             = 80
-	pausePodSelector          = "name=pause"
-	pausePodName              = "pause"
-	busyboxPodSelector        = "app=busybox1"
-	busyboxPodName            = "busybox1"
-	kubeCtlManifestPath       = "test/e2e/testing-manifests/kubectl"
-	agnhostControllerFilename = "agnhost-primary-controller.json.in"
-	agnhostServiceFilename    = "agnhost-primary-service.json"
-	httpdDeployment1Filename  = "httpd-deployment1.yaml.in"
-	httpdDeployment2Filename  = "httpd-deployment2.yaml.in"
-	httpdDeployment3Filename  = "httpd-deployment3.yaml.in"
-	metaPattern               = `"kind":"%s","apiVersion":"%s/%s","metadata":{"name":"%s"}`
+	updateDemoSelector         = "name=update-demo"
+	guestbookStartupTimeout    = 10 * time.Minute
+	guestbookResponseTimeout   = 3 * time.Minute
+	simplePodSelector          = "name=agnhost"
+	simplePodName              = "agnhost"
+	simplePodResourceName      = "pod/agnhost"
+	agnhostDefaultOutput       = "itworks"
+	simplePodPort              = 80
+	pausePodSelector           = "name=pause"
+	pausePodName               = "pause"
+	busyboxPodSelector         = "app=busybox1"
+	busyboxPodName             = "busybox1"
+	kubeCtlManifestPath        = "test/e2e/testing-manifests/kubectl"
+	agnhostControllerFilename  = "agnhost-primary-controller.json.in"
+	agnhostServiceFilename     = "agnhost-primary-service.json"
+	agnhostDeployment1Filename = "agnhost-deployment1.yaml.in"
+	agnhostDeployment2Filename = "agnhost-deployment2.yaml.in"
+	agnhostDeployment3Filename = "agnhost-deployment3.yaml.in"
+	metaPattern                = `"kind":"%s","apiVersion":"%s/%s","metadata":{"name":"%s"}`
 )
 
 func unknownFieldMetadataJSON(gvk schema.GroupVersionKind, name string) string {
@@ -586,14 +586,14 @@ var _ = SIGDescribe("Kubectl client", func() {
 				defer cmd.Stop()
 
 				ginkgo.By("curling local port output")
-				localAddr := fmt.Sprintf("http://localhost:%d", cmd.port)
+				localAddr := fmt.Sprintf("http://localhost:%d/echo?msg=%s", cmd.port, agnhostDefaultOutput)
 				body, err := curl(localAddr)
 				framework.Logf("got: %s", body)
 				if err != nil {
 					framework.Failf("Failed http.Get of forwarded port (%s): %v", localAddr, err)
 				}
-				if !strings.Contains(body, httpdDefaultOutput) {
-					framework.Failf("Container port output missing expected value. Wanted:'%s', got: %s", httpdDefaultOutput, body)
+				if !strings.Contains(body, agnhostDefaultOutput) {
+					framework.Failf("Container port output missing expected value. Wanted:'%s', got: %s", agnhostDefaultOutput, body)
 				}
 			})
 
@@ -680,7 +680,7 @@ metadata:
 
 				ginkgo.By("getting pods with in-cluster configs")
 				execOutput := e2eoutput.RunHostCmdOrDie(ns, simplePodName, "/tmp/kubectl get pods --v=6 2>&1")
-				gomega.Expect(execOutput).To(gomega.MatchRegexp("httpd +1/1 +Running"))
+				gomega.Expect(execOutput).To(gomega.MatchRegexp("agnhost +1/1 +Running"))
 				gomega.Expect(execOutput).To(gomega.ContainSubstring("Using in-cluster namespace"))
 				gomega.Expect(execOutput).To(gomega.ContainSubstring("Using in-cluster configuration"))
 
@@ -1030,9 +1030,9 @@ metadata:
 		})
 
 		ginkgo.It("apply set/view last-applied", func(ctx context.Context) {
-			deployment1Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment1Filename)))
-			deployment2Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment2Filename)))
-			deployment3Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment3Filename)))
+			deployment1Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment1Filename)))
+			deployment2Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment2Filename)))
+			deployment3Yaml := commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment3Filename)))
 
 			ginkgo.By("deployment replicas number is 2")
 			e2ekubectl.RunKubectlOrDieInput(ns, deployment1Yaml, "apply", "-f", "-")
@@ -1055,16 +1055,16 @@ metadata:
 			}
 
 			ginkgo.By("scale set replicas to 3")
-			httpdDeploy := "httpd-deployment"
+			agnhostDeploy := "agnhost-deployment"
 			debugDiscovery()
-			e2ekubectl.RunKubectlOrDie(ns, "scale", "deployment", httpdDeploy, "--replicas=3")
+			e2ekubectl.RunKubectlOrDie(ns, "scale", "deployment", agnhostDeploy, "--replicas=3")
 
 			ginkgo.By("apply file doesn't have replicas but image changed")
 			e2ekubectl.RunKubectlOrDieInput(ns, deployment3Yaml, "apply", "-f", "-")
 
 			ginkgo.By("verify replicas still is 3 and image has been updated")
 			output = e2ekubectl.RunKubectlOrDieInput(ns, deployment3Yaml, "get", "-f", "-", "-o", "json")
-			requiredItems := []string{"\"replicas\": 3", imageutils.GetE2EImage(imageutils.Httpd)}
+			requiredItems := []string{"\"replicas\": 3", imageutils.GetE2EImage(imageutils.AgnhostPrev)}
 			for _, item := range requiredItems {
 				if !strings.Contains(output, item) {
 					framework.Failf("Missing %s in kubectl apply", item)
@@ -1077,23 +1077,23 @@ metadata:
 		/*
 			Release: v1.19
 			Testname: Kubectl, diff Deployment
-			Description: Create a Deployment with httpd image. Declare the same Deployment with a different image, busybox. Diff of live Deployment with declared Deployment MUST include the difference between live and declared image.
+			Description: Create a Deployment with agnhost image. Declare the same Deployment with a different image, busybox. Diff of live Deployment with declared Deployment MUST include the difference between live and declared image.
 		*/
 		framework.ConformanceIt("should check if kubectl diff finds a difference for Deployments", func(ctx context.Context) {
-			ginkgo.By("create deployment with httpd image")
-			deployment := commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment3Filename)))
+			ginkgo.By("create deployment with agnhost image")
+			deployment := commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment3Filename)))
 			e2ekubectl.RunKubectlOrDieInput(ns, deployment, "create", "-f", "-")
 
 			ginkgo.By("verify diff finds difference between live and declared image")
-			deployment = strings.Replace(deployment, imageutils.GetE2EImage(imageutils.Httpd), imageutils.GetE2EImage(imageutils.BusyBox), 1)
+			deployment = strings.Replace(deployment, imageutils.GetE2EImage(imageutils.AgnhostPrev), imageutils.GetE2EImage(imageutils.BusyBox), 1)
 			if !strings.Contains(deployment, imageutils.GetE2EImage(imageutils.BusyBox)) {
-				framework.Failf("Failed replacing image from %s to %s in:\n%s\n", imageutils.GetE2EImage(imageutils.Httpd), imageutils.GetE2EImage(imageutils.BusyBox), deployment)
+				framework.Failf("Failed replacing image from %s to %s in:\n%s\n", imageutils.GetE2EImage(imageutils.AgnhostPrev), imageutils.GetE2EImage(imageutils.BusyBox), deployment)
 			}
 			output, err := e2ekubectl.RunKubectlInput(ns, deployment, "diff", "-f", "-")
 			if err, ok := err.(*exec.ExitError); ok && err.ExitCode() == 1 {
 				framework.Failf("Expected kubectl diff exit code of 1, but got %d: %v\n", err.ExitCode(), err)
 			}
-			requiredItems := []string{imageutils.GetE2EImage(imageutils.Httpd), imageutils.GetE2EImage(imageutils.BusyBox)}
+			requiredItems := []string{imageutils.GetE2EImage(imageutils.AgnhostPrev), imageutils.GetE2EImage(imageutils.BusyBox)}
 			for _, item := range requiredItems {
 				if !strings.Contains(output, item) {
 					framework.Failf("Missing %s in kubectl diff output:\n%s\n%v\n", item, output, err)
@@ -1111,23 +1111,23 @@ metadata:
 			Description: The command 'kubectl run' must create a pod with the specified image name. After, the command 'kubectl patch pod -p {...} --dry-run=server' should update the Pod with the new image name and server-side dry-run enabled. The image name must not change.
 		*/
 		framework.ConformanceIt("should check if kubectl can dry-run update Pods", func(ctx context.Context) {
-			httpdImage := imageutils.GetE2EImage(imageutils.Httpd)
-			ginkgo.By("running the image " + httpdImage)
-			podName := "e2e-test-httpd-pod"
-			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+httpdImage, podRunningTimeoutArg, "--labels=run="+podName)
+			agnhostImage := imageutils.GetE2EImage(imageutils.Agnhost)
+			ginkgo.By("running the image " + agnhostImage)
+			podName := "e2e-test-agnhost-pod"
+			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+agnhostImage, podRunningTimeoutArg, "--labels=run="+podName)
 
 			ginkgo.By("replace the image in the pod with server-side dry-run")
 			specImage := fmt.Sprintf(`{"spec":{"containers":[{"name": "%s","image": "%s"}]}}`, podName, imageutils.GetE2EImage(imageutils.BusyBox))
 			e2ekubectl.RunKubectlOrDie(ns, "patch", "pod", podName, "-p", specImage, "--dry-run=server")
 
-			ginkgo.By("verifying the pod " + podName + " has the right image " + httpdImage)
+			ginkgo.By("verifying the pod " + podName + " has the right image " + agnhostImage)
 			pod, err := c.CoreV1().Pods(ns).Get(ctx, podName, metav1.GetOptions{})
 			if err != nil {
 				framework.Failf("Failed getting pod %s: %v", podName, err)
 			}
 			containers := pod.Spec.Containers
-			if checkContainersImage(containers, httpdImage) {
-				framework.Failf("Failed creating pod with expected image %s", httpdImage)
+			if checkContainersImage(containers, agnhostImage) {
+				framework.Failf("Failed creating pod with expected image %s", agnhostImage)
 			}
 
 			e2ekubectl.RunKubectlOrDie(ns, "delete", "pods", podName)
@@ -1776,7 +1776,7 @@ metadata:
 		var podName string
 
 		ginkgo.BeforeEach(func() {
-			podName = "e2e-test-httpd-pod"
+			podName = "e2e-test-agnhost-pod"
 		})
 
 		ginkgo.AfterEach(func() {
@@ -1789,17 +1789,17 @@ metadata:
 			Description: Command 'kubectl run' MUST create a pod, when a image name is specified in the run command. After the run command there SHOULD be a pod that should exist with one container running the specified image.
 		*/
 		framework.ConformanceIt("should create a pod from an image when restart is Never", func(ctx context.Context) {
-			httpdImage := imageutils.GetE2EImage(imageutils.Httpd)
-			ginkgo.By("running the image " + httpdImage)
-			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--restart=Never", podRunningTimeoutArg, "--image="+httpdImage)
+			agnhostImage := imageutils.GetE2EImage(imageutils.Agnhost)
+			ginkgo.By("running the image " + agnhostImage)
+			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--restart=Never", podRunningTimeoutArg, "--image="+agnhostImage)
 			ginkgo.By("verifying the pod " + podName + " was created")
 			pod, err := c.CoreV1().Pods(ns).Get(ctx, podName, metav1.GetOptions{})
 			if err != nil {
 				framework.Failf("Failed getting pod %s: %v", podName, err)
 			}
 			containers := pod.Spec.Containers
-			if checkContainersImage(containers, httpdImage) {
-				framework.Failf("Failed creating pod %s with expected image %s", podName, httpdImage)
+			if checkContainersImage(containers, agnhostImage) {
+				framework.Failf("Failed creating pod %s with expected image %s", podName, agnhostImage)
 			}
 			if pod.Spec.RestartPolicy != v1.RestartPolicyNever {
 				framework.Failf("Failed creating a pod with correct restart policy for --restart=Never")
@@ -1811,7 +1811,7 @@ metadata:
 		var podName string
 
 		ginkgo.BeforeEach(func() {
-			podName = "e2e-test-httpd-pod"
+			podName = "e2e-test-agnhost-pod"
 		})
 
 		ginkgo.AfterEach(func() {
@@ -1824,9 +1824,9 @@ metadata:
 			Description: Command 'kubectl replace' on a existing Pod with a new spec MUST update the image of the container running in the Pod. A -f option to 'kubectl replace' SHOULD force to re-create the resource. The new Pod SHOULD have the container with new change to the image.
 		*/
 		framework.ConformanceIt("should update a single-container pod's image", func(ctx context.Context) {
-			httpdImage := imageutils.GetE2EImage(imageutils.Httpd)
-			ginkgo.By("running the image " + httpdImage)
-			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+httpdImage, podRunningTimeoutArg, "--labels=run="+podName)
+			agnhostImage := imageutils.GetE2EImage(imageutils.Agnhost)
+			ginkgo.By("running the image " + agnhostImage)
+			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+agnhostImage, podRunningTimeoutArg, "--labels=run="+podName)
 
 			ginkgo.By("verifying the pod " + podName + " is running")
 			label := labels.SelectorFromSet(labels.Set(map[string]string{"run": podName}))
@@ -1843,7 +1843,7 @@ metadata:
 
 			ginkgo.By("replace the image in the pod")
 			busyboxImage := imageutils.GetE2EImage(imageutils.BusyBox)
-			podJSON = strings.Replace(podJSON, httpdImage, busyboxImage, 1)
+			podJSON = strings.Replace(podJSON, agnhostImage, busyboxImage, 1)
 			e2ekubectl.RunKubectlOrDieInput(ns, podJSON, "replace", "-f", "-")
 
 			ginkgo.By("verifying the pod " + podName + " has the right image " + busyboxImage)
@@ -2025,10 +2025,10 @@ metadata:
 
 	ginkgo.Describe("Kubectl events", func() {
 		ginkgo.It("should show event when pod is created", func(ctx context.Context) {
-			podName := "e2e-test-httpd-pod"
-			httpdImage := imageutils.GetE2EImage(imageutils.Httpd)
-			ginkgo.By("running the image " + httpdImage)
-			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+httpdImage, podRunningTimeoutArg, "--labels=run="+podName)
+			podName := "e2e-test-agnhost-pod"
+			agnhostImage := imageutils.GetE2EImage(imageutils.Agnhost)
+			ginkgo.By("running the image " + agnhostImage)
+			e2ekubectl.RunKubectlOrDie(ns, "run", podName, "--image="+agnhostImage, podRunningTimeoutArg, "--labels=run="+podName)
 
 			ginkgo.By("verifying the pod " + podName + " is running")
 			label := labels.SelectorFromSet(map[string]string{"run": podName})
diff --git a/test/e2e/kubectl/logs.go b/test/e2e/kubectl/logs.go
index 661a5b346d596..a7730a03942d0 100644
--- a/test/e2e/kubectl/logs.go
+++ b/test/e2e/kubectl/logs.go
@@ -282,6 +282,9 @@ var _ = SIGDescribe("Kubectl logs", func() {
 					framework.Failf("Failed to wait for Deployment to complete: %v", err)
 				}
 
+				if err = e2epod.WaitForPodsRunningReady(ctx, c, ns, 2, framework.PodStartTimeout); err != nil {
+					framework.Failf("Failed to wait for Pods are running: %v", err)
+				}
 			})
 
 			ginkgo.AfterEach(func() {
diff --git a/test/e2e/kubectl/rollout.go b/test/e2e/kubectl/rollout.go
index 0612a590b6308..23904a01133dd 100644
--- a/test/e2e/kubectl/rollout.go
+++ b/test/e2e/kubectl/rollout.go
@@ -48,25 +48,25 @@ var _ = SIGDescribe("Kubectl rollout", func() {
 	ginkgo.BeforeEach(func() {
 		c = f.ClientSet
 		ns = f.Namespace.Name
-		deploymentYaml = commonutils.SubstituteImageName(string(readTestFileOrDie(httpdDeployment1Filename)))
+		deploymentYaml = commonutils.SubstituteImageName(string(readTestFileOrDie(agnhostDeployment1Filename)))
 	})
 
 	ginkgo.Describe("undo", func() {
 		ginkgo.AfterEach(func() {
-			cleanupKubectlInputs(deploymentYaml, ns, "app=httpd")
+			cleanupKubectlInputs(deploymentYaml, ns, "app=agnhost")
 		})
 		ginkgo.It("undo should rollback and update deployment env", func(ctx context.Context) {
 			var err error
 			// create deployment
 			e2ekubectl.RunKubectlOrDieInput(ns, deploymentYaml, "apply", "-f", "-")
 
-			if err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, "httpd-deployment", "1", imageutils.GetE2EImage(imageutils.HttpdNew)); err != nil {
-				framework.Failf("created deployment not ready")
+			if err = e2edeployment.WaitForDeploymentRevisionAndImage(c, ns, "agnhost-deployment", "1", imageutils.GetE2EImage(imageutils.Agnhost)); err != nil {
+				framework.Failf("created deployment not ready, err: %v", err)
 			}
 
 			var d *appsv1.Deployment
-			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "httpd-deployment", metav1.GetOptions{}); err != nil {
-				framework.Failf("get deployment failed")
+			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "agnhost-deployment", metav1.GetOptions{}); err != nil {
+				framework.Failf("get deployment failed, err: %v", err)
 			}
 
 			origEnv := d.Spec.Template.Spec.Containers[0].Env
@@ -87,14 +87,14 @@ var _ = SIGDescribe("Kubectl rollout", func() {
 			}
 
 			// do a small update
-			if _, err = e2ekubectl.RunKubectl(ns, "set", "env", "deployment/httpd-deployment", "foo=bar"); err != nil {
+			if _, err = e2ekubectl.RunKubectl(ns, "set", "env", "deployment/agnhost-deployment", "foo=bar"); err != nil {
 				framework.Failf("kubectl failed set env for deployment")
 			}
 			// wait for env to be set
 			if err = e2edeployment.WaitForDeploymentComplete(c, d); err != nil {
 				framework.Failf("update deployment failed")
 			}
-			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "httpd-deployment", metav1.GetOptions{}); err != nil {
+			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "agnhost-deployment", metav1.GetOptions{}); err != nil {
 				framework.Failf("get deployment failed")
 			}
 			envs := d.Spec.Template.Spec.Containers[0].Env
@@ -111,14 +111,14 @@ var _ = SIGDescribe("Kubectl rollout", func() {
 			}
 
 			// rollback
-			if _, err = e2ekubectl.RunKubectl(ns, "rollout", "undo", "deployment/httpd-deployment"); err != nil {
+			if _, err = e2ekubectl.RunKubectl(ns, "rollout", "undo", "deployment/agnhost-deployment"); err != nil {
 				framework.Failf("kubectl failed to rollback deployment")
 			}
 			// wait for rollback finished
 			if err = e2edeployment.WaitForDeploymentComplete(c, d); err != nil {
 				framework.Failf("rollback deployment failed")
 			}
-			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "httpd-deployment", metav1.GetOptions{}); err != nil {
+			if d, err = c.AppsV1().Deployments(ns).Get(ctx, "agnhost-deployment", metav1.GetOptions{}); err != nil {
 				framework.Failf("get deployment failed")
 			}
 
diff --git a/test/e2e/network/apiserver.go b/test/e2e/network/apiserver.go
new file mode 100644
index 0000000000000..965047afa5fca
--- /dev/null
+++ b/test/e2e/network/apiserver.go
@@ -0,0 +1,132 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package network
+
+import (
+	"context"
+
+	discoveryv1 "k8s.io/api/discovery/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/kubernetes/test/e2e/network/common"
+	admissionapi "k8s.io/pod-security-admission/api"
+
+	"github.com/onsi/ginkgo/v2"
+)
+
+var _ = common.SIGDescribe("API Server", func() {
+	f := framework.NewDefaultFramework("apiserver")
+	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+
+	var cs clientset.Interface
+
+	ginkgo.BeforeEach(func() {
+		cs = f.ClientSet
+	})
+
+	/*
+		Release: v1.9
+		Testname: Kubernetes Service
+		Description: By default when a kubernetes cluster is running there MUST be a 'kubernetes' service running in the cluster.
+	*/
+	framework.ConformanceIt("should provide secure master service", func(ctx context.Context) {
+		_, err := cs.CoreV1().Services(metav1.NamespaceDefault).Get(ctx, "kubernetes", metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to fetch the service object for the service named kubernetes")
+	})
+
+	/*
+		Release: v1.21
+		Testname: kubernetes.default Endpoints and EndpointSlices
+		Description: The "kubernetes.default" service MUST have Endpoints and EndpointSlices pointing to each API server instance.
+	*/
+	framework.ConformanceIt("should have Endpoints and EndpointSlices pointing to API Server", func(ctx context.Context) {
+		namespace := "default"
+		name := "kubernetes"
+		// verify "kubernetes.default" service exist
+		_, err := cs.CoreV1().Services(namespace).Get(ctx, name, metav1.GetOptions{})
+		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" Service resource on \"default\" namespace")
+
+		// verify Endpoints for the API servers exist
+		endpoints, err := cs.CoreV1().Endpoints(namespace).Get(ctx, name, metav1.GetOptions{})
+		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" Endpoint resource on \"default\" namespace")
+		if len(endpoints.Subsets) == 0 {
+			framework.Failf("Expected at least 1 subset in endpoints, got %d: %#v", len(endpoints.Subsets), endpoints.Subsets)
+		}
+
+		// get the addresses and ports from the Endpoints
+		epAddresses := sets.New[string]()
+		epPorts := sets.New[int32]()
+		for _, subset := range endpoints.Subsets {
+			for _, addr := range subset.Addresses {
+				epAddresses.Insert(addr.IP)
+			}
+			for _, addr := range subset.NotReadyAddresses {
+				epAddresses.Insert(addr.IP)
+			}
+			for _, port := range subset.Ports {
+				epPorts.Insert(port.Port)
+			}
+		}
+		framework.Logf("Endpoints addresses: %v , ports: %v", sets.List(epAddresses), sets.List(epPorts))
+
+		// verify EndpointSlices for the API servers exist
+		endpointSliceList, err := cs.DiscoveryV1().EndpointSlices(namespace).List(ctx, metav1.ListOptions{
+			LabelSelector: "kubernetes.io/service-name=" + name,
+		})
+		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" EndpointSlice resource on \"default\" namespace")
+		if len(endpointSliceList.Items) == 0 {
+			framework.Failf("Expected at least 1 EndpointSlice, got %d: %#v", len(endpoints.Subsets), endpoints.Subsets)
+		}
+
+		// get the addresses and ports from the EndpointSlice(s). Since the
+		// Endpoints are single stack, and match the cluster's primary IP family,
+		// we ignore EndpointSlice(s) of the other IP family.
+		var addrType discoveryv1.AddressType
+		if framework.TestContext.ClusterIsIPv6() {
+			addrType = discoveryv1.AddressTypeIPv6
+		} else {
+			addrType = discoveryv1.AddressTypeIPv4
+		}
+
+		sliceAddresses := sets.New[string]()
+		slicePorts := sets.New[int32]()
+		for _, slice := range endpointSliceList.Items {
+			if slice.AddressType != addrType {
+				framework.Logf("Skipping slice %s: wanted %s family, got %s", slice.Name, addrType, slice.AddressType)
+				continue
+			}
+			for _, s := range slice.Endpoints {
+				sliceAddresses.Insert(s.Addresses...)
+			}
+			for _, port := range slice.Ports {
+				if port.Port != nil {
+					slicePorts.Insert(*port.Port)
+				}
+			}
+		}
+
+		framework.Logf("EndpointSlices addresses: %v , ports: %v", sets.List(sliceAddresses), sets.List(slicePorts))
+		if !sliceAddresses.Equal(epAddresses) {
+			framework.Failf("EndpointSlice addresses do not match Endpoints addresses")
+		}
+		if !slicePorts.Equal(epPorts) {
+			framework.Failf("EndpointSlice ports do not match Endpoints ports")
+		}
+	})
+})
diff --git a/test/e2e/network/dns.go b/test/e2e/network/dns.go
index 9a87ba4c065ae..655a039bce913 100644
--- a/test/e2e/network/dns.go
+++ b/test/e2e/network/dns.go
@@ -658,7 +658,7 @@ var _ = common.SIGDescribe("DNS", func() {
 
 	framework.It("should work with a service name that starts with a digit", framework.WithFeatureGate(features.RelaxedServiceNameValidation), func(ctx context.Context) {
 		svcName := "1kubernetes"
-		svc := v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: svcName,
 			},
@@ -666,8 +666,9 @@ var _ = common.SIGDescribe("DNS", func() {
 				Ports: []v1.ServicePort{{Port: 443}},
 			},
 		}
+		_, err := f.ClientSet.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
-		createServiceReportErr(ctx, f.ClientSet, f.Namespace.Name, &svc)
 		namesToResolve := []string{
 			fmt.Sprintf("%s.%s.svc.%s", svcName, f.Namespace.Name, framework.TestContext.ClusterDNSDomain),
 		}
diff --git a/test/e2e/network/endpoints.go b/test/e2e/network/endpoints.go
new file mode 100644
index 0000000000000..6f687e756bc0a
--- /dev/null
+++ b/test/e2e/network/endpoints.go
@@ -0,0 +1,543 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package network
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
+	"k8s.io/apimachinery/pkg/util/wait"
+	watch "k8s.io/apimachinery/pkg/watch"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	watchtools "k8s.io/client-go/tools/watch"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	"k8s.io/kubernetes/test/e2e/network/common"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+	admissionapi "k8s.io/pod-security-admission/api"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+)
+
+var _ = common.SIGDescribe("Endpoints", func() {
+	f := framework.NewDefaultFramework("endpoints")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	/*
+	   Release: v1.19
+	   Testname: Endpoint resource lifecycle
+	   Description: Create an endpoint, the endpoint MUST exist.
+	   The endpoint is updated with a new label, a check after the update MUST find the changes.
+	   The endpoint is then patched with a new IPv4 address and port, a check after the patch MUST the changes.
+	   The endpoint is deleted by its label, a watch listens for the deleted watch event.
+	*/
+	framework.ConformanceIt("should test the lifecycle of an Endpoint", func(ctx context.Context) {
+		testNamespaceName := f.Namespace.Name
+		testEndpointName := "testservice"
+		testEndpoints := v1.Endpoints{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testEndpointName,
+				Labels: map[string]string{
+					"test-endpoint-static": "true",
+				},
+			},
+			Subsets: []v1.EndpointSubset{{
+				Addresses: []v1.EndpointAddress{{
+					IP: "10.0.0.24",
+				}},
+				Ports: []v1.EndpointPort{{
+					Name:     "http",
+					Port:     80,
+					Protocol: v1.ProtocolTCP,
+				}},
+			}},
+		}
+		w := &cache.ListWatch{
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				options.LabelSelector = "test-endpoint-static=true"
+				return f.ClientSet.CoreV1().Endpoints(testNamespaceName).Watch(ctx, options)
+			},
+		}
+		endpointsList, err := f.ClientSet.CoreV1().Endpoints("").List(ctx, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
+		framework.ExpectNoError(err, "failed to list Endpoints")
+
+		ginkgo.By("creating an Endpoint")
+		createdEP, err := f.ClientSet.CoreV1().Endpoints(testNamespaceName).Create(ctx, &testEndpoints, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "failed to create Endpoint")
+		gomega.Expect(createdEP).To(apimachineryutils.HaveValidResourceVersion())
+		ginkgo.By("waiting for available Endpoint")
+		ctxUntil, cancel := context.WithTimeout(ctx, 30*time.Second)
+		defer cancel()
+		_, err = watchtools.Until(ctxUntil, endpointsList.ResourceVersion, w, func(event watch.Event) (bool, error) {
+			switch event.Type {
+			case watch.Added:
+				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
+					found := endpoints.ObjectMeta.Name == endpoints.Name &&
+						endpoints.Labels["test-endpoint-static"] == "true"
+					return found, nil
+				}
+			default:
+				framework.Logf("observed event type %v", event.Type)
+			}
+			return false, nil
+		})
+		framework.ExpectNoError(err, "failed to see %v event", watch.Added)
+
+		ginkgo.By("listing all Endpoints")
+		endpointsList, err = f.ClientSet.CoreV1().Endpoints("").List(ctx, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
+		framework.ExpectNoError(err, "failed to list Endpoints")
+		eventFound := false
+		var foundEndpoint v1.Endpoints
+		for _, endpoint := range endpointsList.Items {
+			if endpoint.ObjectMeta.Name == testEndpointName && endpoint.ObjectMeta.Namespace == testNamespaceName {
+				eventFound = true
+				foundEndpoint = endpoint
+				break
+			}
+		}
+		if !eventFound {
+			framework.Fail("unable to find Endpoint Service in list of Endpoints")
+		}
+
+		ginkgo.By("updating the Endpoint")
+		foundEndpoint.ObjectMeta.Labels["test-service"] = "updated"
+		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Update(ctx, &foundEndpoint, metav1.UpdateOptions{})
+		framework.ExpectNoError(err, "failed to update Endpoint with new label")
+
+		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
+		defer cancel()
+		_, err = watchtools.Until(ctxUntil, endpointsList.ResourceVersion, w, func(event watch.Event) (bool, error) {
+			switch event.Type {
+			case watch.Modified:
+				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
+					found := endpoints.ObjectMeta.Name == endpoints.Name &&
+						endpoints.Labels["test-endpoint-static"] == "true"
+					return found, nil
+				}
+			default:
+				framework.Logf("observed event type %v", event.Type)
+			}
+			return false, nil
+		})
+		framework.ExpectNoError(err, "failed to see %v event", watch.Modified)
+
+		ginkgo.By("fetching the Endpoint")
+		endpoints, err := f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to fetch Endpoint")
+		gomega.Expect(foundEndpoint.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-service", "updated"), "failed to update Endpoint %v in namespace %v label not updated", testEndpointName, testNamespaceName)
+
+		endpointPatch, err := json.Marshal(map[string]interface{}{
+			"metadata": map[string]interface{}{
+				"labels": map[string]string{
+					"test-service": "patched",
+				},
+			},
+			"subsets": []map[string]interface{}{
+				{
+					"addresses": []map[string]string{
+						{
+							"ip": "10.0.0.25",
+						},
+					},
+					"ports": []map[string]interface{}{
+						{
+							"name": "http-test",
+							"port": int32(8080),
+						},
+					},
+				},
+			},
+		})
+		framework.ExpectNoError(err, "failed to marshal JSON for WatchEvent patch")
+		ginkgo.By("patching the Endpoint")
+		patchedEP, err := f.ClientSet.CoreV1().Endpoints(testNamespaceName).Patch(ctx, testEndpointName, types.StrategicMergePatchType, []byte(endpointPatch), metav1.PatchOptions{})
+		framework.ExpectNoError(err, "failed to patch Endpoint")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdEP.ResourceVersion, patchedEP.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
+
+		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
+		defer cancel()
+		_, err = watchtools.Until(ctxUntil, endpoints.ResourceVersion, w, func(event watch.Event) (bool, error) {
+			switch event.Type {
+			case watch.Modified:
+				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
+					found := endpoints.ObjectMeta.Name == endpoints.Name &&
+						endpoints.Labels["test-endpoint-static"] == "true"
+					return found, nil
+				}
+			default:
+				framework.Logf("observed event type %v", event.Type)
+			}
+			return false, nil
+		})
+		framework.ExpectNoError(err, "failed to see %v event", watch.Modified)
+
+		ginkgo.By("fetching the Endpoint")
+		endpoints, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
+		framework.ExpectNoError(err, "failed to fetch Endpoint")
+		gomega.Expect(endpoints.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-service", "patched"), "failed to patch Endpoint with Label")
+		endpointSubsetOne := endpoints.Subsets[0]
+		endpointSubsetOneAddresses := endpointSubsetOne.Addresses[0]
+		endpointSubsetOnePorts := endpointSubsetOne.Ports[0]
+		gomega.Expect(endpointSubsetOneAddresses.IP).To(gomega.Equal("10.0.0.25"), "failed to patch Endpoint")
+		gomega.Expect(endpointSubsetOnePorts.Name).To(gomega.Equal("http-test"), "failed to patch Endpoint")
+		gomega.Expect(endpointSubsetOnePorts.Port).To(gomega.Equal(int32(8080)), "failed to patch Endpoint")
+
+		ginkgo.By("deleting the Endpoint by Collection")
+		err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
+		framework.ExpectNoError(err, "failed to delete Endpoint by Collection")
+
+		ginkgo.By("waiting for Endpoint deletion")
+		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
+		defer cancel()
+		_, err = watchtools.Until(ctxUntil, endpoints.ResourceVersion, w, func(event watch.Event) (bool, error) {
+			switch event.Type {
+			case watch.Deleted:
+				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
+					found := endpoints.ObjectMeta.Name == endpoints.Name &&
+						endpoints.Labels["test-endpoint-static"] == "true"
+					return found, nil
+				}
+			default:
+				framework.Logf("observed event type %v", event.Type)
+			}
+			return false, nil
+		})
+		framework.ExpectNoError(err, "failed to see %v event", watch.Deleted)
+
+		ginkgo.By("fetching the Endpoint")
+		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
+		gomega.Expect(err).To(gomega.HaveOccurred(), "should not be able to fetch Endpoint")
+	})
+})
+
+var _ = common.SIGDescribe("EndpointsController", func() {
+	f := framework.NewDefaultFramework("endpoints")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	var cs clientset.Interface
+	var podClient *e2epod.PodClient
+
+	ginkgo.BeforeEach(func() {
+		cs = f.ClientSet
+		podClient = e2epod.NewPodClient(f)
+	})
+
+	/*
+		Release: v1.21, v1.35
+		Testname: Endpoints, "empty" Service
+		Description: The Endpoints controller should create and delete an empty Endpoints for a Service that matches no pods.
+	*/
+	framework.ConformanceIt("should create and delete Endpoints for a Service with a selector that matches no pods", func(ctx context.Context) {
+		svc := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "example-empty-selector",
+			},
+			Spec: v1.ServiceSpec{
+				Selector: map[string]string{
+					"does-not-match-anything": "endpoints-and-endpoint-slices-should-still-be-created",
+				},
+				Ports: []v1.ServicePort{{
+					Name:     "example",
+					Port:     80,
+					Protocol: v1.ProtocolTCP,
+				}},
+			},
+		}
+		svc, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
+
+		// Expect Endpoints resource to be created.
+		if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, wait.ForeverTestTimeout, true, func(ctx context.Context) (bool, error) {
+			_, err := cs.CoreV1().Endpoints(svc.Namespace).Get(ctx, svc.Name, metav1.GetOptions{})
+			if err != nil {
+				return false, nil
+			}
+			return true, nil
+		}); err != nil {
+			framework.Failf("No Endpoints found for Service %s/%s: %s", svc.Namespace, svc.Name, err)
+		}
+
+		err = cs.CoreV1().Services(svc.Namespace).Delete(ctx, svc.Name, metav1.DeleteOptions{})
+		framework.ExpectNoError(err, "error deleting Service")
+
+		// Expect Endpoints resource to be deleted when Service is.
+		if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, wait.ForeverTestTimeout, true, func(ctx context.Context) (bool, error) {
+			_, err := cs.CoreV1().Endpoints(svc.Namespace).Get(ctx, svc.Name, metav1.GetOptions{})
+			if err != nil {
+				if apierrors.IsNotFound(err) {
+					return true, nil
+				}
+				return false, err
+			}
+			return false, nil
+		}); err != nil {
+			framework.Failf("Endpoints resource not deleted after Service %s/%s was deleted: %s", svc.Namespace, svc.Name, err)
+		}
+	})
+
+	/*
+		Release: v1.21, v1.35
+		Testname: Endpoints, creation/deletion
+		Description: The Endpoints controller must create an Endpoints for Pods matching a Service.
+	*/
+	framework.ConformanceIt("should create Endpoints for Pods matching a Service", func(ctx context.Context) {
+		labelPod1 := "pod1"
+		labelPod2 := "pod2"
+		labelShared12 := "shared12"
+		labelValue := "on"
+
+		pod1 := podClient.Create(ctx, &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "pod1",
+				Labels: map[string]string{
+					labelPod1:     labelValue,
+					labelShared12: labelValue,
+				},
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "container1",
+						Image: imageutils.GetE2EImage(imageutils.Nginx),
+						Ports: []v1.ContainerPort{{
+							Name:          "example-name",
+							ContainerPort: int32(3000),
+						}},
+					},
+				},
+			},
+		})
+
+		pod2 := podClient.Create(ctx, &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "pod2",
+				Labels: map[string]string{
+					labelPod2:     labelValue,
+					labelShared12: labelValue,
+				},
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "container1",
+						Image: imageutils.GetE2EImage(imageutils.Nginx),
+						Ports: []v1.ContainerPort{{
+							Name:          "example-name",
+							ContainerPort: int32(3001),
+						}, {
+							Name:          "other-port",
+							ContainerPort: int32(3002),
+						}},
+					},
+				},
+			},
+		})
+
+		svc1 := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "example-int-port",
+			},
+			Spec: v1.ServiceSpec{
+				Selector:                 map[string]string{labelPod1: labelValue},
+				PublishNotReadyAddresses: true,
+				Ports: []v1.ServicePort{{
+					Name:       "example",
+					Port:       80,
+					TargetPort: intstr.FromInt32(3000),
+					Protocol:   v1.ProtocolTCP,
+				}},
+			},
+		}
+		svc1, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc1, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
+
+		svc2 := &v1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "example-named-port",
+			},
+			Spec: v1.ServiceSpec{
+				Selector:                 map[string]string{labelShared12: labelValue},
+				PublishNotReadyAddresses: true,
+				Ports: []v1.ServicePort{{
+					Name:       "http",
+					Port:       80,
+					TargetPort: intstr.FromString("example-name"),
+					Protocol:   v1.ProtocolTCP,
+				}},
+			},
+		}
+		svc2, err = cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc2, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
+
+		err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 3*time.Minute, true, func(ctx context.Context) (bool, error) {
+			var err error
+			pod1, err = podClient.Get(ctx, pod1.Name, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			if len(pod1.Status.PodIPs) == 0 {
+				return false, nil
+			}
+
+			pod2, err = podClient.Get(ctx, pod2.Name, metav1.GetOptions{})
+			if err != nil {
+				return false, err
+			}
+			if len(pod2.Status.PodIPs) == 0 {
+				return false, nil
+			}
+
+			return true, nil
+		})
+		framework.ExpectNoError(err, "timed out waiting for Pods to have IPs assigned")
+
+		ginkgo.By("referencing a single matching pod")
+		expectEndpoints(ctx, cs, f.Namespace.Name, svc1, []*v1.Pod{pod1}, 1, false)
+
+		ginkgo.By("referencing matching pods with named port")
+		expectEndpoints(ctx, cs, f.Namespace.Name, svc2, []*v1.Pod{pod1, pod2}, 2, true)
+	})
+})
+
+// expectEndpoints verifies that Endpoints exist for a given Service and Namespace with
+// the appropriate attributes set. This is a relatively complex function as the order of
+// attributes or resources is not necessarily consistent. It is used as a helper function
+// for the tests above and takes some shortcuts with the assumption that those test cases
+// will be the only caller of this function.
+func expectEndpoints(ctx context.Context, cs clientset.Interface, ns string, svc *v1.Service, pods []*v1.Pod, numSubsets int, namedPort bool) {
+	endpoints := &v1.Endpoints{}
+	if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
+		endpointsFound, hasMatchingEndpoints := hasMatchingEndpoints(ctx, cs, ns, svc.Name, len(pods), numSubsets)
+		if !hasMatchingEndpoints {
+			framework.Logf("Matching Endpoints not found")
+			return false, nil
+		}
+		endpoints = endpointsFound
+		return true, nil
+	}); err != nil {
+		framework.Failf("Timed out waiting for Endpoints to match expectations: %v", err)
+	}
+
+	podsByIP := map[string]*v1.Pod{}
+	for _, pod := range pods {
+		podsByIP[pod.Status.PodIP] = pod
+		if len(pod.Spec.Containers) != 1 {
+			framework.Failf("Expected pod to have 1 container, got %d", len(pod.Spec.Containers))
+		}
+	}
+
+	if endpoints.Name != svc.Name {
+		framework.Failf("Expected Endpoints name to be %s, got %s", svc.Name, endpoints.Name)
+	}
+
+	totalEndpointAddresses := 0
+	for _, subset := range endpoints.Subsets {
+		addresses := []v1.EndpointAddress{}
+		addresses = append(addresses, subset.Addresses...)
+		addresses = append(addresses, subset.NotReadyAddresses...)
+		totalEndpointAddresses += len(addresses)
+
+		if len(subset.Ports) != len(svc.Spec.Ports) {
+			framework.Failf("Expected subset to have %d ports, got %d", len(svc.Spec.Ports), len(subset.Ports))
+		}
+
+		// If not a named port, the subset ports should directly correspond with
+		// the Service ports.
+		if !namedPort {
+			for i, subsetPort := range subset.Ports {
+				svcPort := svc.Spec.Ports[i]
+				if subsetPort.Name != svcPort.Name {
+					framework.Failf("Expected port name to be %s, got %s", svcPort.Name, subsetPort.Name)
+				}
+				if subsetPort.Protocol != svcPort.Protocol {
+					framework.Failf("Expected protocol to be %s, got %s", svcPort.Protocol, subsetPort.Protocol)
+				}
+				if subsetPort.Port != svcPort.TargetPort.IntVal {
+					framework.Failf("Expected port to be %d, got %d", svcPort.TargetPort.IntVal, subsetPort.Port)
+				}
+			}
+		}
+
+		for _, address := range addresses {
+			pod, ok := podsByIP[address.IP]
+			if !ok {
+				framework.Failf("Unexpected address with IP: %s", address.IP)
+			}
+
+			ensurePodTargetRef(pod, address.TargetRef)
+
+			// If a named port, the subset ports should directly correspond with
+			// each individual pod.
+			if namedPort {
+				container := pod.Spec.Containers[0]
+				for _, port := range container.Ports {
+					if port.Name == svc.Spec.Ports[0].TargetPort.String() {
+						subsetPort := subset.Ports[0]
+						if subsetPort.Port != port.ContainerPort {
+							framework.Failf("Expected subset port to be %d, got %d", port.ContainerPort, subsetPort.Port)
+						}
+						if subsetPort.Name != svc.Spec.Ports[0].Name {
+							framework.Failf("Expected subset port name to be %s, got %s", svc.Spec.Ports[0].Name, subsetPort.Name)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	if len(pods) != totalEndpointAddresses {
+		framework.Failf("Expected %d addresses, got %d", len(pods), totalEndpointAddresses)
+	}
+}
+
+// hasMatchingEndpoints returns any Endpoints that match the conditions along
+// with a boolean indicating if all the conditions have been met.
+func hasMatchingEndpoints(ctx context.Context, cs clientset.Interface, ns, svcName string, numIPs, numSubsets int) (*v1.Endpoints, bool) {
+	endpoints, err := cs.CoreV1().Endpoints(ns).Get(ctx, svcName, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			framework.Logf("Endpoints for %s/%s Service not found", ns, svcName)
+			return nil, false
+		}
+		framework.ExpectNoError(err, "Error fetching Endpoints for %s/%s Service", ns, svcName)
+	}
+	if len(endpoints.Subsets) != numSubsets {
+		framework.Logf("Endpoints for %s/%s Service with %d/%d Subsets", ns, svcName, len(endpoints.Subsets), numSubsets)
+		return nil, false
+	}
+
+	actualNumIPs := 0
+	for _, endpointSubset := range endpoints.Subsets {
+		actualNumIPs += len(endpointSubset.Addresses) + len(endpointSubset.NotReadyAddresses)
+	}
+	if actualNumIPs != numIPs {
+		framework.Logf("Endpoints for %s/%s Service with %d/%d IPs", ns, svcName, actualNumIPs, numIPs)
+		return nil, false
+	}
+
+	return endpoints, true
+}
diff --git a/test/e2e/network/endpointslice.go b/test/e2e/network/endpointslice.go
index 744e4c5b7babc..678b63adc6459 100644
--- a/test/e2e/network/endpointslice.go
+++ b/test/e2e/network/endpointslice.go
@@ -29,11 +29,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	"k8s.io/kubernetes/test/e2e/network/common"
@@ -58,52 +60,12 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 	})
 
 	/*
-		Release: v1.21
-		Testname: EndpointSlice API
-		Description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-		The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io discovery document.
-		The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1 discovery document.
-		The cluster MUST have a service named "kubernetes" on the default namespace referencing the API servers.
-		The "kubernetes.default" service MUST have Endpoints and EndpointSlices pointing to each API server instance.
+		Release: v1.21, v1.35
+		Testname: EndpointSlice, "empty" Service
+		Description: The EndpointSlice controller should create and delete empty EndpointSlices for a Service that matches no pods.
 	*/
-	framework.ConformanceIt("should have Endpoints and EndpointSlices pointing to API Server", func(ctx context.Context) {
-		namespace := "default"
-		name := "kubernetes"
-		// verify "kubernetes.default" service exist
-		_, err := cs.CoreV1().Services(namespace).Get(ctx, name, metav1.GetOptions{})
-		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" Service resource on \"default\" namespace")
-
-		// verify Endpoints for the API servers exist
-		endpoints, err := cs.CoreV1().Endpoints(namespace).Get(ctx, name, metav1.GetOptions{})
-		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" Endpoint resource on \"default\" namespace")
-		if len(endpoints.Subsets) == 0 {
-			framework.Failf("Expected at least 1 subset in endpoints, got %d: %#v", len(endpoints.Subsets), endpoints.Subsets)
-		}
-		// verify EndpointSlices for the API servers exist
-		endpointSliceList, err := cs.DiscoveryV1().EndpointSlices(namespace).List(ctx, metav1.ListOptions{
-			LabelSelector: "kubernetes.io/service-name=" + name,
-		})
-		framework.ExpectNoError(err, "error obtaining API server \"kubernetes\" EndpointSlice resource on \"default\" namespace")
-		if len(endpointSliceList.Items) == 0 {
-			framework.Failf("Expected at least 1 EndpointSlice, got %d: %#v", len(endpoints.Subsets), endpoints.Subsets)
-		}
-
-		if !endpointSlicesEqual(endpoints, endpointSliceList) {
-			framework.Failf("Expected EndpointSlice to have same addresses and port as Endpoints, got %#v: %#v", endpoints, endpointSliceList)
-		}
-
-	})
-
-	/*
-		Release: v1.21
-		Testname: EndpointSlice API
-		Description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-		The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io discovery document.
-		The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1 discovery document.
-		The endpointslice controller should create and delete EndpointSlices for Pods matching a Service.
-	*/
-	framework.ConformanceIt("should create and delete Endpoints and EndpointSlices for a Service with a selector specified", func(ctx context.Context) {
-		svc := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+	framework.ConformanceIt("should create and delete EndpointSlices for a Service with a selector that matches no pods", func(ctx context.Context) {
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-empty-selector",
 			},
@@ -117,22 +79,13 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 					Protocol: v1.ProtocolTCP,
 				}},
 			},
-		})
-
-		// Expect Endpoints resource to be created.
-		if err := wait.PollImmediate(2*time.Second, wait.ForeverTestTimeout, func() (bool, error) {
-			_, err := cs.CoreV1().Endpoints(svc.Namespace).Get(ctx, svc.Name, metav1.GetOptions{})
-			if err != nil {
-				return false, nil
-			}
-			return true, nil
-		}); err != nil {
-			framework.Failf("No Endpoints found for Service %s/%s: %s", svc.Namespace, svc.Name, err)
 		}
+		svc, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		// Expect EndpointSlice resource to be created.
 		var endpointSlice discoveryv1.EndpointSlice
-		if err := wait.PollImmediate(2*time.Second, wait.ForeverTestTimeout, func() (bool, error) {
+		if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, wait.ForeverTestTimeout, true, func(ctx context.Context) (bool, error) {
 			endpointSliceList, err := cs.DiscoveryV1().EndpointSlices(svc.Namespace).List(ctx, metav1.ListOptions{
 				LabelSelector: "kubernetes.io/service-name=" + svc.Name,
 			})
@@ -160,28 +113,14 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 			framework.Failf("Expected EndpointSlice to have 0 endpoints, got %d: %#v", len(endpointSlice.Endpoints), endpointSlice.Endpoints)
 		}
 
-		err := cs.CoreV1().Services(svc.Namespace).Delete(ctx, svc.Name, metav1.DeleteOptions{})
+		err = cs.CoreV1().Services(svc.Namespace).Delete(ctx, svc.Name, metav1.DeleteOptions{})
 		framework.ExpectNoError(err, "error deleting Service")
 
-		// Expect Endpoints resource to be deleted when Service is.
-		if err := wait.PollImmediate(2*time.Second, wait.ForeverTestTimeout, func() (bool, error) {
-			_, err := cs.CoreV1().Endpoints(svc.Namespace).Get(ctx, svc.Name, metav1.GetOptions{})
-			if err != nil {
-				if apierrors.IsNotFound(err) {
-					return true, nil
-				}
-				return false, err
-			}
-			return false, nil
-		}); err != nil {
-			framework.Failf("Endpoints resource not deleted after Service %s/%s was deleted: %s", svc.Namespace, svc.Name, err)
-		}
-
 		// Expect EndpointSlice resource to be deleted when Service is. Wait for
 		// up to 90 seconds since garbage collector only polls every 30 seconds
 		// and may need to retry informer resync at some point during an e2e
 		// run.
-		if err := wait.PollImmediate(2*time.Second, 90*time.Second, func() (bool, error) {
+		if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, 90*time.Second, true, func(ctx context.Context) (bool, error) {
 			endpointSliceList, err := cs.DiscoveryV1().EndpointSlices(svc.Namespace).List(ctx, metav1.ListOptions{
 				LabelSelector: "kubernetes.io/service-name=" + svc.Name,
 			})
@@ -198,17 +137,13 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 	})
 
 	/*
-		Release: v1.21
-		Testname: EndpointSlice API
-		Description: The discovery.k8s.io API group MUST exist in the /apis discovery document.
-		The discovery.k8s.io/v1 API group/version MUST exist in the /apis/discovery.k8s.io discovery document.
-		The endpointslices resource MUST exist in the /apis/discovery.k8s.io/v1 discovery document.
-		The endpointslice controller must create EndpointSlices for Pods mataching a Service.
+		Release: v1.21, v1.35
+		Testname: EndpointSlice, creation/deletion
+		Description: The endpointslice controller must create and delete EndpointSlices for Pods matching a Service.
 	*/
 	framework.ConformanceIt("should create Endpoints and EndpointSlices for Pods matching a Service", func(ctx context.Context) {
 		labelPod1 := "pod1"
 		labelPod2 := "pod2"
-		labelPod3 := "pod3"
 		labelShared12 := "shared12"
 		labelValue := "on"
 
@@ -259,7 +194,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 			},
 		})
 
-		svc1 := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc1 := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-int-port",
 			},
@@ -273,9 +208,11 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 					Protocol:   v1.ProtocolTCP,
 				}},
 			},
-		})
+		}
+		svc1, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc1, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
-		svc2 := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc2 := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-named-port",
 			},
@@ -289,25 +226,11 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 					Protocol:   v1.ProtocolTCP,
 				}},
 			},
-		})
-
-		svc3 := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "example-no-match",
-			},
-			Spec: v1.ServiceSpec{
-				Selector:                 map[string]string{labelPod3: labelValue},
-				PublishNotReadyAddresses: true,
-				Ports: []v1.ServicePort{{
-					Name:       "example-no-match",
-					Port:       80,
-					TargetPort: intstr.FromInt32(8080),
-					Protocol:   v1.ProtocolTCP,
-				}},
-			},
-		})
+		}
+		svc2, err = cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc2, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
-		err := wait.PollUntilContextTimeout(ctx, 2*time.Second, 3*time.Minute, true, func(ctx context.Context) (bool, error) {
+		err = wait.PollUntilContextTimeout(ctx, 2*time.Second, 3*time.Minute, true, func(ctx context.Context) (bool, error) {
 			var err error
 			pod1, err = podClient.Get(ctx, pod1.Name, metav1.GetOptions{})
 			if err != nil {
@@ -330,19 +253,14 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 		framework.ExpectNoError(err, "timed out waiting for Pods to have IPs assigned")
 
 		ginkgo.By("referencing a single matching pod")
-		expectEndpointsAndSlices(ctx, cs, f.Namespace.Name, svc1, []*v1.Pod{pod1}, 1, 1, false)
+		expectEndpointSlices(ctx, cs, f.Namespace.Name, svc1, []*v1.Pod{pod1}, 1, false)
 
 		ginkgo.By("referencing matching pods with named port")
-		expectEndpointsAndSlices(ctx, cs, f.Namespace.Name, svc2, []*v1.Pod{pod1, pod2}, 2, 2, true)
+		expectEndpointSlices(ctx, cs, f.Namespace.Name, svc2, []*v1.Pod{pod1, pod2}, 2, true)
 
-		ginkgo.By("creating empty Endpoints and EndpointSlices for no matching Pods")
-		expectEndpointsAndSlices(ctx, cs, f.Namespace.Name, svc3, []*v1.Pod{}, 0, 1, false)
-
-		// TODO: Update test to cover Endpoints recreation after deletes once it
-		// actually works.
 		ginkgo.By("recreating EndpointSlices after they've been deleted")
 		deleteEndpointSlices(ctx, cs, f.Namespace.Name, svc2)
-		expectEndpointsAndSlices(ctx, cs, f.Namespace.Name, svc2, []*v1.Pod{pod1, pod2}, 2, 2, true)
+		expectEndpointSlices(ctx, cs, f.Namespace.Name, svc2, []*v1.Pod{pod1, pod2}, 2, true)
 	})
 
 	/*
@@ -437,6 +355,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 		queriedEPS, err := epsClient.Get(ctx, createdEPS.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(queriedEPS.UID).To(gomega.Equal(createdEPS.UID))
+		gomega.Expect(queriedEPS).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		epsList, err := epsClient.List(ctx, metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName})
@@ -464,6 +383,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 		patchedEPS, err := epsClient.Patch(ctx, createdEPS.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedEPS.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdEPS.ResourceVersion, patchedEPS.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var epsToUpdate, updatedEPS *discoveryv1.EndpointSlice
@@ -537,7 +457,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 	*/
 	framework.ConformanceIt("should support a Service with multiple ports specified in multiple EndpointSlices", func(ctx context.Context) {
 		ns := f.Namespace.Name
-		svc := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-custom-endpoints",
 			},
@@ -555,7 +475,9 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 					},
 				},
 			},
-		})
+		}
+		svc, err := cs.CoreV1().Services(ns).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		// Add a backend pod to the service in the other node
 		port8090 := []v1.ContainerPort{
@@ -614,7 +536,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 			Protocol: &tcpProtocol,
 		}}
 
-		_, err := f.ClientSet.DiscoveryV1().EndpointSlices(ns).Create(ctx, eps1, metav1.CreateOptions{})
+		_, err = f.ClientSet.DiscoveryV1().EndpointSlices(ns).Create(ctx, eps1, metav1.CreateOptions{})
 		framework.ExpectNoError(err)
 		eps2 := epsTemplate.DeepCopy()
 		eps2.Ports = []discoveryv1.EndpointPort{{
@@ -647,7 +569,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 	*/
 	framework.ConformanceIt("should support a Service with multiple endpoint IPs specified in multiple EndpointSlices", func(ctx context.Context) {
 		ns := f.Namespace.Name
-		svc := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-custom-endpoints",
 			},
@@ -665,7 +587,9 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 					},
 				},
 			},
-		})
+		}
+		svc, err := cs.CoreV1().Services(ns).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		// Add a backend pod to the service in the other node
 		port8090 := []v1.ContainerPort{
@@ -726,7 +650,7 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 			Protocol: &tcpProtocol,
 		}}
 
-		_, err := f.ClientSet.DiscoveryV1().EndpointSlices(ns).Create(context.TODO(), eps1, metav1.CreateOptions{})
+		_, err = f.ClientSet.DiscoveryV1().EndpointSlices(ns).Create(context.TODO(), eps1, metav1.CreateOptions{})
 		framework.ExpectNoError(err)
 		eps2 := epsTemplate.DeepCopy()
 		eps2.Endpoints = []discoveryv1.Endpoint{
@@ -757,13 +681,12 @@ var _ = common.SIGDescribe("EndpointSlice", func() {
 
 })
 
-// expectEndpointsAndSlices verifies that Endpoints and EndpointSlices exist for
-// a given Service and Namespace with the appropriate attributes set. This is a
-// relatively complex function as the order of attributes or resources is not
-// necessarily consistent. It is used as a helper function for the tests above
-// and takes some shortcuts with the assumption that those test cases will be
-// the only caller of this function.
-func expectEndpointsAndSlices(ctx context.Context, cs clientset.Interface, ns string, svc *v1.Service, pods []*v1.Pod, numSubsets, numSlices int, namedPort bool) {
+// expectEndpointSlices verifies that EndpointSlices exist for a given Service and
+// Namespace with the appropriate attributes set. This is a relatively complex function as
+// the order of attributes or resources is not necessarily consistent. It is used as a
+// helper function for the tests above and takes some shortcuts with the assumption that
+// those test cases will be the only caller of this function.
+func expectEndpointSlices(ctx context.Context, cs clientset.Interface, ns string, svc *v1.Service, pods []*v1.Pod, numSlices int, namedPort bool) {
 	endpointSlices := []discoveryv1.EndpointSlice{}
 	if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
 		endpointSlicesFound, hasMatchingSlices := hasMatchingEndpointSlices(ctx, cs, ns, svc.Name, len(pods), numSlices)
@@ -776,19 +699,6 @@ func expectEndpointsAndSlices(ctx context.Context, cs clientset.Interface, ns st
 		framework.Failf("Timed out waiting for EndpointSlices to match expectations: %v", err)
 	}
 
-	endpoints := &v1.Endpoints{}
-	if err := wait.PollUntilContextTimeout(ctx, 2*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
-		endpointsFound, hasMatchingEndpoints := hasMatchingEndpoints(ctx, cs, ns, svc.Name, len(pods), numSubsets)
-		if !hasMatchingEndpoints {
-			framework.Logf("Matching Endpoints not found")
-			return false, nil
-		}
-		endpoints = endpointsFound
-		return true, nil
-	}); err != nil {
-		framework.Failf("Timed out waiting for Endpoints to match expectations: %v", err)
-	}
-
 	podsByIP := map[string]*v1.Pod{}
 	for _, pod := range pods {
 		podsByIP[pod.Status.PodIP] = pod
@@ -797,67 +707,6 @@ func expectEndpointsAndSlices(ctx context.Context, cs clientset.Interface, ns st
 		}
 	}
 
-	if endpoints.Name != svc.Name {
-		framework.Failf("Expected Endpoints name to be %s, got %s", svc.Name, endpoints.Name)
-	}
-
-	totalEndpointAddresses := 0
-	for _, subset := range endpoints.Subsets {
-		addresses := append(subset.Addresses, subset.NotReadyAddresses...)
-		totalEndpointAddresses += len(addresses)
-
-		if len(subset.Ports) != len(svc.Spec.Ports) {
-			framework.Failf("Expected subset to have %d ports, got %d", len(svc.Spec.Ports), len(subset.Ports))
-		}
-
-		// If not a named port, the subset ports should directly correspond with
-		// the Service ports.
-		if !namedPort {
-			for i, subsetPort := range subset.Ports {
-				svcPort := svc.Spec.Ports[i]
-				if subsetPort.Name != svcPort.Name {
-					framework.Failf("Expected port name to be %s, got %s", svcPort.Name, subsetPort.Name)
-				}
-				if subsetPort.Protocol != svcPort.Protocol {
-					framework.Failf("Expected protocol to be %s, got %s", svcPort.Protocol, subsetPort.Protocol)
-				}
-				if subsetPort.Port != svcPort.TargetPort.IntVal {
-					framework.Failf("Expected port to be %d, got %d", svcPort.TargetPort.IntVal, subsetPort.Port)
-				}
-			}
-		}
-
-		for _, address := range addresses {
-			pod, ok := podsByIP[address.IP]
-			if !ok {
-				framework.Failf("Unexpected address with IP: %s", address.IP)
-			}
-
-			ensurePodTargetRef(pod, address.TargetRef)
-
-			// If a named port, the subset ports should directly correspond with
-			// each individual pod.
-			if namedPort {
-				container := pod.Spec.Containers[0]
-				for _, port := range container.Ports {
-					if port.Name == svc.Spec.Ports[0].TargetPort.String() {
-						subsetPort := subset.Ports[0]
-						if subsetPort.Port != port.ContainerPort {
-							framework.Failf("Expected subset port to be %d, got %d", port.ContainerPort, subsetPort.Port)
-						}
-						if subsetPort.Name != svc.Spec.Ports[0].Name {
-							framework.Failf("Expected subset port name to be %s, got %s", svc.Spec.Ports[0].Name, subsetPort.Name)
-						}
-					}
-				}
-			}
-		}
-	}
-
-	if len(pods) != totalEndpointAddresses {
-		framework.Failf("Expected %d addresses, got %d", len(pods), totalEndpointAddresses)
-	}
-
 	if len(pods) == 0 && len(endpointSlices) != 1 {
 		framework.Failf("Expected 1 EndpointSlice, got %d", len(endpointSlices))
 	}
@@ -985,34 +834,6 @@ func hasMatchingEndpointSlices(ctx context.Context, cs clientset.Interface, ns,
 	return esList.Items, true
 }
 
-// hasMatchingEndpoints returns any Endpoints that match the conditions along
-// with a boolean indicating if all the conditions have been met.
-func hasMatchingEndpoints(ctx context.Context, cs clientset.Interface, ns, svcName string, numIPs, numSubsets int) (*v1.Endpoints, bool) {
-	endpoints, err := cs.CoreV1().Endpoints(ns).Get(ctx, svcName, metav1.GetOptions{})
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			framework.Logf("Endpoints for %s/%s Service not found", ns, svcName)
-			return nil, false
-		}
-		framework.ExpectNoError(err, "Error fetching Endpoints for %s/%s Service", ns, svcName)
-	}
-	if len(endpoints.Subsets) != numSubsets {
-		framework.Logf("Endpoints for %s/%s Service with %d/%d Subsets", ns, svcName, len(endpoints.Subsets), numSubsets)
-		return nil, false
-	}
-
-	actualNumIPs := 0
-	for _, endpointSubset := range endpoints.Subsets {
-		actualNumIPs += len(endpointSubset.Addresses) + len(endpointSubset.NotReadyAddresses)
-	}
-	if actualNumIPs != numIPs {
-		framework.Logf("Endpoints for %s/%s Service with %d/%d IPs", ns, svcName, actualNumIPs, numIPs)
-		return nil, false
-	}
-
-	return endpoints, true
-}
-
 // ensurePodTargetRef ensures that a Pod matches the provided target reference.
 func ensurePodTargetRef(pod *v1.Pod, targetRef *v1.ObjectReference) {
 	if targetRef == nil {
@@ -1031,64 +852,3 @@ func ensurePodTargetRef(pod *v1.Pod, targetRef *v1.ObjectReference) {
 		framework.Failf("Expected TargetRef.UID to be %s, got %s", pod.UID, targetRef.UID)
 	}
 }
-
-// createServiceReportErr creates a Service and reports any associated error.
-func createServiceReportErr(ctx context.Context, cs clientset.Interface, ns string, service *v1.Service) *v1.Service {
-	svc, err := cs.CoreV1().Services(ns).Create(ctx, service, metav1.CreateOptions{})
-	framework.ExpectNoError(err, "error deleting Service")
-	return svc
-}
-
-// endpointSlicesEqual compare if the Endpoint and the EndpointSliceList contains the same endpoints values
-// as in addresses and ports, considering Ready and Unready addresses
-func endpointSlicesEqual(endpoints *v1.Endpoints, endpointSliceList *discoveryv1.EndpointSliceList) bool {
-	// get the apiserver endpoint addresses
-	epAddresses := sets.NewString()
-	epPorts := sets.NewInt32()
-	for _, subset := range endpoints.Subsets {
-		for _, addr := range subset.Addresses {
-			epAddresses.Insert(addr.IP)
-		}
-		for _, addr := range subset.NotReadyAddresses {
-			epAddresses.Insert(addr.IP)
-		}
-		for _, port := range subset.Ports {
-			epPorts.Insert(port.Port)
-		}
-	}
-	framework.Logf("Endpoints addresses: %v , ports: %v", epAddresses.List(), epPorts.List())
-
-	// Endpoints are single stack, and must match the primary IP family of the Service kubernetes.default
-	// However, EndpointSlices can be IPv4 or IPv6, we can only compare the Slices that match the same IP family
-	// framework.TestContext.ClusterIsIPv6() reports the IP family of the kubernetes.default service
-	var addrType discoveryv1.AddressType
-	if framework.TestContext.ClusterIsIPv6() {
-		addrType = discoveryv1.AddressTypeIPv6
-	} else {
-		addrType = discoveryv1.AddressTypeIPv4
-	}
-
-	// get the apiserver addresses from the endpoint slice list
-	sliceAddresses := sets.NewString()
-	slicePorts := sets.NewInt32()
-	for _, slice := range endpointSliceList.Items {
-		if slice.AddressType != addrType {
-			framework.Logf("Skipping slice %s: wanted %s family, got %s", slice.Name, addrType, slice.AddressType)
-			continue
-		}
-		for _, s := range slice.Endpoints {
-			sliceAddresses.Insert(s.Addresses...)
-		}
-		for _, ports := range slice.Ports {
-			if ports.Port != nil {
-				slicePorts.Insert(*ports.Port)
-			}
-		}
-	}
-
-	framework.Logf("EndpointSlices addresses: %v , ports: %v", sliceAddresses.List(), slicePorts.List())
-	if sliceAddresses.Equal(epAddresses) && slicePorts.Equal(epPorts) {
-		return true
-	}
-	return false
-}
diff --git a/test/e2e/network/endpointslicemirroring.go b/test/e2e/network/endpointslicemirroring.go
index bba8a14c5df91..4e949073abd9e 100644
--- a/test/e2e/network/endpointslicemirroring.go
+++ b/test/e2e/network/endpointslicemirroring.go
@@ -53,7 +53,7 @@ var _ = common.SIGDescribe("EndpointSliceMirroring", func() {
 		The endpointslices mirrorowing must mirror endpoint create, update, and delete actions.
 	*/
 	framework.ConformanceIt("should mirror a custom Endpoints resource through create update and delete", func(ctx context.Context) {
-		svc := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-custom-endpoints",
 			},
@@ -64,7 +64,9 @@ var _ = common.SIGDescribe("EndpointSliceMirroring", func() {
 					Protocol: v1.ProtocolTCP,
 				}},
 			},
-		})
+		}
+		svc, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		endpoints := &v1.Endpoints{
 			ObjectMeta: metav1.ObjectMeta{
@@ -204,7 +206,7 @@ var _ = common.SIGDescribe("EndpointSliceMirroring", func() {
 
 	ginkgo.It("should mirror a custom Endpoint with multiple subsets and same IP address", func(ctx context.Context) {
 		ns := f.Namespace.Name
-		svc := createServiceReportErr(ctx, cs, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "example-custom-endpoints",
 			},
@@ -222,7 +224,9 @@ var _ = common.SIGDescribe("EndpointSliceMirroring", func() {
 					},
 				},
 			},
-		})
+		}
+		svc, err := cs.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		// Add a backend pod to the service in the other node
 		port8080 := []v1.ContainerPort{
diff --git a/test/e2e/network/ingress.go b/test/e2e/network/ingress.go
index 5a64957f4f5f6..047848ff4915d 100644
--- a/test/e2e/network/ingress.go
+++ b/test/e2e/network/ingress.go
@@ -27,9 +27,11 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/network/common"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -176,6 +178,7 @@ var _ = common.SIGDescribe("Ingress API", func() {
 		gottenIngress, err := ingClient.Get(ctx, createdIngress.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(gottenIngress.UID).To(gomega.Equal(createdIngress.UID))
+		gomega.Expect(gottenIngress).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		ings, err := ingClient.List(ctx, metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName})
@@ -202,6 +205,7 @@ var _ = common.SIGDescribe("Ingress API", func() {
 		ginkgo.By("patching")
 		patchedIngress, err := ingClient.Patch(ctx, createdIngress.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
+		gomega.Expect(resourceversion.CompareResourceVersion(createdIngress.ResourceVersion, patchedIngress.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 		gomega.Expect(patchedIngress.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
 
 		ginkgo.By("updating")
diff --git a/test/e2e/network/ingressclass.go b/test/e2e/network/ingressclass.go
index 086d5a4591485..a328892416689 100644
--- a/test/e2e/network/ingressclass.go
+++ b/test/e2e/network/ingressclass.go
@@ -26,9 +26,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	clientset "k8s.io/client-go/kubernetes"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/network/common"
@@ -338,6 +340,7 @@ var _ = common.SIGDescribe("IngressClass API", func() {
 		framework.ExpectNoError(err)
 		gomega.Expect(gottenIC.UID).To(gomega.Equal(ingressClass1.UID))
 		gomega.Expect(gottenIC.UID).To(gomega.Equal(ingressClass1.UID))
+		gomega.Expect(gottenIC).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing")
 		ics, err := icClient.List(ctx, metav1.ListOptions{LabelSelector: "special-label=generic"})
@@ -353,6 +356,7 @@ var _ = common.SIGDescribe("IngressClass API", func() {
 		patchedIC, err := icClient.Patch(ctx, ingressClass1.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedIC.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(ingressClass1.ResourceVersion, patchedIC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		icToUpdate := patchedIC.DeepCopy()
diff --git a/test/e2e/network/kube_proxy.go b/test/e2e/network/kube_proxy.go
index a5a2ae27dacef..41ada214a7df9 100644
--- a/test/e2e/network/kube_proxy.go
+++ b/test/e2e/network/kube_proxy.go
@@ -48,6 +48,18 @@ import (
 	netutils "k8s.io/utils/net"
 )
 
+// expandIPv6ForConntrack expands an IPv6 address to the format used in /proc/net/nf_conntrack.
+// e.g., "fc00:f853:ccd:e793::3" -> "fc00:f853:0ccd:e793:0000:0000:0000:0003"
+func expandIPv6ForConntrack(ipStr string) string {
+	ip := netutils.ParseIPSloppy(ipStr)
+	if !netutils.IsIPv6(ip) {
+		return ipStr
+	}
+	return fmt.Sprintf("%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
+		ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6], ip[7],
+		ip[8], ip[9], ip[10], ip[11], ip[12], ip[13], ip[14], ip[15])
+}
+
 var kubeProxyE2eImage = imageutils.GetE2EImage(imageutils.Agnhost)
 
 var _ = common.SIGDescribe("KubeProxy", func() {
@@ -207,61 +219,61 @@ var _ = common.SIGDescribe("KubeProxy", func() {
 		e2epod.NewPodClient(fr).CreateSync(ctx, clientPodSpec)
 
 		ginkgo.By("Checking conntrack entries for the timeout")
-		// These must be synchronized from the default values set in
-		// pkg/apis/../defaults.go ConntrackTCPCloseWaitTimeout. The
-		// current defaults are hidden in the initialization code.
 		const epsilonSeconds = 60
 		const expectedTimeoutSeconds = 60 * 60
-		// the conntrack file uses the IPv6 expanded format
+
+		// Detect conntrack method and build command
 		ip := serverNodeInfo.nodeIP
 		ipFamily := "ipv4"
 		if netutils.IsIPv6String(ip) {
 			ipFamily = "ipv6"
 		}
-		// Obtain the corresponding conntrack entry on the host checking
-		// the nf_conntrack file from the pod e2e-net-exec.
-		// It retries in a loop if the entry is not found.
-		cmd := fmt.Sprintf("conntrack -L -f %s -d %v "+
-			"| grep -m 1 'CLOSE_WAIT.*dport=%v' ",
-			ipFamily, ip, testDaemonTCPPort)
+
+		var cmd, dumpCmd string
+		var timeoutIdx int
+		if _, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "test -f /proc/net/nf_conntrack"); err == nil {
+			procIP := ip
+			if ipFamily == "ipv6" {
+				procIP = expandIPv6ForConntrack(ip)
+			}
+			cmd = fmt.Sprintf("cat /proc/net/nf_conntrack | grep -m 1 -E 'CLOSE_WAIT.*dst=%s.*dport=%d'", procIP, testDaemonTCPPort)
+			dumpCmd = "cat /proc/net/nf_conntrack"
+			timeoutIdx = 4 // ipv4 2 tcp 6 <timeout> CLOSE_WAIT ...
+		} else if _, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "which conntrack"); err == nil {
+			cmd = fmt.Sprintf("conntrack -L -f %s -d %s 2>/dev/null | grep -m 1 'CLOSE_WAIT.*dport=%d'", ipFamily, ip, testDaemonTCPPort)
+			dumpCmd = "conntrack -L 2>/dev/null"
+			timeoutIdx = 2 // tcp 6 <timeout> CLOSE_WAIT ...
+		} else {
+			e2eskipper.Skipf("Neither /proc/net/nf_conntrack nor conntrack binary available")
+		}
+
 		if err := wait.PollImmediate(2*time.Second, epsilonSeconds*time.Second, func() (bool, error) {
 			result, err := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", cmd)
-			// retry if we can't obtain the conntrack entry
 			if err != nil {
-				framework.Logf("failed to obtain conntrack entry: %v %v", result, err)
+				framework.Logf("failed to obtain conntrack entry: %v", err)
 				return false, nil
 			}
-			framework.Logf("conntrack entry for node %v and port %v:  %v", serverNodeInfo.nodeIP, testDaemonTCPPort, result)
-			// Timeout in seconds is available as the third column of the matched entry
-			line := strings.Fields(result)
-			if len(line) < 3 {
-				return false, fmt.Errorf("conntrack entry does not have a timeout field: %v", line)
+			fields := strings.Fields(result)
+			if len(fields) <= timeoutIdx {
+				return false, nil
 			}
-			timeoutSeconds, err := strconv.Atoi(line[2])
+			timeoutSeconds, err := strconv.Atoi(fields[timeoutIdx])
 			if err != nil {
-				return false, fmt.Errorf("failed to convert matched timeout %s to integer: %w", line[2], err)
+				return false, nil
 			}
+			framework.Logf("conntrack timeout for %v:%v = %v", serverNodeInfo.nodeIP, testDaemonTCPPort, timeoutSeconds)
 			if math.Abs(float64(timeoutSeconds-expectedTimeoutSeconds)) < epsilonSeconds {
 				return true, nil
 			}
 			return false, fmt.Errorf("wrong TCP CLOSE_WAIT timeout: %v expected: %v", timeoutSeconds, expectedTimeoutSeconds)
 		}); err != nil {
-			// Dump all conntrack entries for debugging
-			result, err2 := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", "conntrack -L")
-			if err2 != nil {
-				framework.Logf("failed to obtain conntrack entry: %v %v", result, err2)
-			}
-			framework.Logf("conntrack entries for node %v:  %v", serverNodeInfo.nodeIP, result)
+			result, _ := e2epodoutput.RunHostCmd(fr.Namespace.Name, "e2e-net-exec", dumpCmd)
+			framework.Logf("conntrack entries: %v", result)
 			framework.Failf("no valid conntrack entry for port %d on node %s: %v", testDaemonTCPPort, serverNodeInfo.nodeIP, err)
 		}
 	})
-})
-
-var _ = common.SIGDescribe("KubeProxyNFAcct", feature.KubeProxyNFAcct, func() {
-	fr := framework.NewDefaultFramework("kube-proxy-nfacct")
-	fr.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
-	ginkgo.It("should update metric for tracking accepted packets destined for localhost nodeports", func(ctx context.Context) {
+	framework.It("should update metric for tracking accepted packets destined for localhost nodeports", feature.KubeProxyNFAcct, func(ctx context.Context) {
 		if framework.TestContext.ClusterIsIPv6() {
 			e2eskipper.Skipf("test requires IPv4 cluster")
 		}
diff --git a/test/e2e/network/service.go b/test/e2e/network/service.go
index 74055a34b3437..58708f11eb802 100644
--- a/test/e2e/network/service.go
+++ b/test/e2e/network/service.go
@@ -46,6 +46,7 @@ import (
 	watch "k8s.io/apimachinery/pkg/watch"
 	admissionapi "k8s.io/pod-security-admission/api"
 
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	watchtools "k8s.io/client-go/tools/watch"
@@ -56,6 +57,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
 	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
@@ -722,16 +724,6 @@ var _ = common.SIGDescribe("Services", func() {
 
 	// TODO: We get coverage of TCP/UDP and multi-port services through the DNS test. We should have a simpler test for multi-port TCP here.
 
-	/*
-		Release: v1.9
-		Testname: Kubernetes Service
-		Description: By default when a kubernetes cluster is running there MUST be a 'kubernetes' service running in the cluster.
-	*/
-	framework.ConformanceIt("should provide secure master service", func(ctx context.Context) {
-		_, err := cs.CoreV1().Services(metav1.NamespaceDefault).Get(ctx, "kubernetes", metav1.GetOptions{})
-		framework.ExpectNoError(err, "failed to fetch the service object for the service named kubernetes")
-	})
-
 	/*
 		Release: v1.9
 		Testname: Service, endpoints
@@ -1747,7 +1739,13 @@ var _ = common.SIGDescribe("Services", func() {
 		}
 
 		nodePort := service.Spec.Ports[0].NodePort
-		defer e2eservice.ReleaseStaticNodePort(nodePort)
+		ginkgo.DeferCleanup(func(ctx context.Context) {
+			err := cs.CoreV1().Services(ns).Delete(ctx, serviceName, metav1.DeleteOptions{})
+			if err != nil && !apierrors.IsNotFound(err) {
+				framework.ExpectNoError(err, "failed to delete service %s in namespace %s", serviceName, ns)
+			}
+			e2eservice.ReleaseStaticNodePort(nodePort)
+		})
 
 		if service.Spec.Type != v1.ServiceTypeNodePort {
 			framework.Failf("got unexpected Spec.Type for new service: %v", service)
@@ -3236,189 +3234,6 @@ var _ = common.SIGDescribe("Services", func() {
 		}
 	})
 
-	/*
-	   Release: v1.19
-	   Testname: Endpoint resource lifecycle
-	   Description: Create an endpoint, the endpoint MUST exist.
-	   The endpoint is updated with a new label, a check after the update MUST find the changes.
-	   The endpoint is then patched with a new IPv4 address and port, a check after the patch MUST the changes.
-	   The endpoint is deleted by it's label, a watch listens for the deleted watch event.
-	*/
-	framework.ConformanceIt("should test the lifecycle of an Endpoint", func(ctx context.Context) {
-		testNamespaceName := f.Namespace.Name
-		testEndpointName := "testservice"
-		testEndpoints := v1.Endpoints{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: testEndpointName,
-				Labels: map[string]string{
-					"test-endpoint-static": "true",
-				},
-			},
-			Subsets: []v1.EndpointSubset{{
-				Addresses: []v1.EndpointAddress{{
-					IP: "10.0.0.24",
-				}},
-				Ports: []v1.EndpointPort{{
-					Name:     "http",
-					Port:     80,
-					Protocol: v1.ProtocolTCP,
-				}},
-			}},
-		}
-		w := &cache.ListWatch{
-			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
-				options.LabelSelector = "test-endpoint-static=true"
-				return f.ClientSet.CoreV1().Endpoints(testNamespaceName).Watch(ctx, options)
-			},
-		}
-		endpointsList, err := f.ClientSet.CoreV1().Endpoints("").List(ctx, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
-		framework.ExpectNoError(err, "failed to list Endpoints")
-
-		ginkgo.By("creating an Endpoint")
-		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Create(ctx, &testEndpoints, metav1.CreateOptions{})
-		framework.ExpectNoError(err, "failed to create Endpoint")
-		ginkgo.By("waiting for available Endpoint")
-		ctxUntil, cancel := context.WithTimeout(ctx, 30*time.Second)
-		defer cancel()
-		_, err = watchtools.Until(ctxUntil, endpointsList.ResourceVersion, w, func(event watch.Event) (bool, error) {
-			switch event.Type {
-			case watch.Added:
-				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
-					found := endpoints.ObjectMeta.Name == endpoints.Name &&
-						endpoints.Labels["test-endpoint-static"] == "true"
-					return found, nil
-				}
-			default:
-				framework.Logf("observed event type %v", event.Type)
-			}
-			return false, nil
-		})
-		framework.ExpectNoError(err, "failed to see %v event", watch.Added)
-
-		ginkgo.By("listing all Endpoints")
-		endpointsList, err = f.ClientSet.CoreV1().Endpoints("").List(ctx, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
-		framework.ExpectNoError(err, "failed to list Endpoints")
-		eventFound := false
-		var foundEndpoint v1.Endpoints
-		for _, endpoint := range endpointsList.Items {
-			if endpoint.ObjectMeta.Name == testEndpointName && endpoint.ObjectMeta.Namespace == testNamespaceName {
-				eventFound = true
-				foundEndpoint = endpoint
-				break
-			}
-		}
-		if !eventFound {
-			framework.Fail("unable to find Endpoint Service in list of Endpoints")
-		}
-
-		ginkgo.By("updating the Endpoint")
-		foundEndpoint.ObjectMeta.Labels["test-service"] = "updated"
-		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Update(ctx, &foundEndpoint, metav1.UpdateOptions{})
-		framework.ExpectNoError(err, "failed to update Endpoint with new label")
-
-		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
-		defer cancel()
-		_, err = watchtools.Until(ctxUntil, endpointsList.ResourceVersion, w, func(event watch.Event) (bool, error) {
-			switch event.Type {
-			case watch.Modified:
-				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
-					found := endpoints.ObjectMeta.Name == endpoints.Name &&
-						endpoints.Labels["test-endpoint-static"] == "true"
-					return found, nil
-				}
-			default:
-				framework.Logf("observed event type %v", event.Type)
-			}
-			return false, nil
-		})
-		framework.ExpectNoError(err, "failed to see %v event", watch.Modified)
-
-		ginkgo.By("fetching the Endpoint")
-		endpoints, err := f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
-		framework.ExpectNoError(err, "failed to fetch Endpoint")
-		gomega.Expect(foundEndpoint.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-service", "updated"), "failed to update Endpoint %v in namespace %v label not updated", testEndpointName, testNamespaceName)
-
-		endpointPatch, err := json.Marshal(map[string]interface{}{
-			"metadata": map[string]interface{}{
-				"labels": map[string]string{
-					"test-service": "patched",
-				},
-			},
-			"subsets": []map[string]interface{}{
-				{
-					"addresses": []map[string]string{
-						{
-							"ip": "10.0.0.25",
-						},
-					},
-					"ports": []map[string]interface{}{
-						{
-							"name": "http-test",
-							"port": int32(8080),
-						},
-					},
-				},
-			},
-		})
-		framework.ExpectNoError(err, "failed to marshal JSON for WatchEvent patch")
-		ginkgo.By("patching the Endpoint")
-		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Patch(ctx, testEndpointName, types.StrategicMergePatchType, []byte(endpointPatch), metav1.PatchOptions{})
-		framework.ExpectNoError(err, "failed to patch Endpoint")
-		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
-		defer cancel()
-		_, err = watchtools.Until(ctxUntil, endpoints.ResourceVersion, w, func(event watch.Event) (bool, error) {
-			switch event.Type {
-			case watch.Modified:
-				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
-					found := endpoints.ObjectMeta.Name == endpoints.Name &&
-						endpoints.Labels["test-endpoint-static"] == "true"
-					return found, nil
-				}
-			default:
-				framework.Logf("observed event type %v", event.Type)
-			}
-			return false, nil
-		})
-		framework.ExpectNoError(err, "failed to see %v event", watch.Modified)
-
-		ginkgo.By("fetching the Endpoint")
-		endpoints, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
-		framework.ExpectNoError(err, "failed to fetch Endpoint")
-		gomega.Expect(endpoints.ObjectMeta.Labels).To(gomega.HaveKeyWithValue("test-service", "patched"), "failed to patch Endpoint with Label")
-		endpointSubsetOne := endpoints.Subsets[0]
-		endpointSubsetOneAddresses := endpointSubsetOne.Addresses[0]
-		endpointSubsetOnePorts := endpointSubsetOne.Ports[0]
-		gomega.Expect(endpointSubsetOneAddresses.IP).To(gomega.Equal("10.0.0.25"), "failed to patch Endpoint")
-		gomega.Expect(endpointSubsetOnePorts.Name).To(gomega.Equal("http-test"), "failed to patch Endpoint")
-		gomega.Expect(endpointSubsetOnePorts.Port).To(gomega.Equal(int32(8080)), "failed to patch Endpoint")
-
-		ginkgo.By("deleting the Endpoint by Collection")
-		err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: "test-endpoint-static=true"})
-		framework.ExpectNoError(err, "failed to delete Endpoint by Collection")
-
-		ginkgo.By("waiting for Endpoint deletion")
-		ctxUntil, cancel = context.WithTimeout(ctx, 30*time.Second)
-		defer cancel()
-		_, err = watchtools.Until(ctxUntil, endpoints.ResourceVersion, w, func(event watch.Event) (bool, error) {
-			switch event.Type {
-			case watch.Deleted:
-				if endpoints, ok := event.Object.(*v1.Endpoints); ok {
-					found := endpoints.ObjectMeta.Name == endpoints.Name &&
-						endpoints.Labels["test-endpoint-static"] == "true"
-					return found, nil
-				}
-			default:
-				framework.Logf("observed event type %v", event.Type)
-			}
-			return false, nil
-		})
-		framework.ExpectNoError(err, "failed to see %v event", watch.Deleted)
-
-		ginkgo.By("fetching the Endpoint")
-		_, err = f.ClientSet.CoreV1().Endpoints(testNamespaceName).Get(ctx, testEndpointName, metav1.GetOptions{})
-		gomega.Expect(err).To(gomega.HaveOccurred(), "should not be able to fetch Endpoint")
-	})
-
 	/*
 		Release: v1.21
 		Testname: Service, complete ServiceStatus lifecycle
@@ -3811,11 +3626,13 @@ var _ = common.SIGDescribe("Services", func() {
 		if err != nil {
 			framework.Failf("failed to get Service %q: %v", serviceName, err)
 		}
+		gomega.Expect(service).To(apimachineryutils.HaveValidResourceVersion())
 		service.Spec.Ports = []v1.ServicePort{svcTCPport}
-		_, err = cs.CoreV1().Services(ns).Update(ctx, service, metav1.UpdateOptions{})
+		updatedSVC, err := cs.CoreV1().Services(ns).Update(ctx, service, metav1.UpdateOptions{})
 		if err != nil {
 			framework.Failf("failed to get Service %q: %v", serviceName, err)
 		}
+		gomega.Expect(resourceversion.CompareResourceVersion(service.ResourceVersion, updatedSVC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "updated object should have a larger resource version")
 
 		ginkgo.By("Checking if the Service forwards traffic to TCP only")
 		err = testEndpointReachability(ctx, service.Spec.ClusterIP, 80, v1.ProtocolTCP, execPod, 30*time.Second)
diff --git a/test/e2e/network/service_cidrs.go b/test/e2e/network/service_cidrs.go
index 1ab6a1e882ac8..c7733743ca8d2 100644
--- a/test/e2e/network/service_cidrs.go
+++ b/test/e2e/network/service_cidrs.go
@@ -21,15 +21,18 @@ import (
 	"net/netip"
 
 	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
 	"k8s.io/kubernetes/pkg/controlplane/controller/defaultservicecidr"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -242,10 +245,11 @@ var _ = common.SIGDescribe("ServiceCIDR and IPAddress API", func() {
 		}
 
 		ginkgo.By("creating")
-		_, err := f.ClientSet.NetworkingV1().IPAddresses().Create(ctx, ip, metav1.CreateOptions{})
+		createdIP, err := f.ClientSet.NetworkingV1().IPAddresses().Create(ctx, ip, metav1.CreateOptions{})
 		if err != nil {
 			framework.Failf("unexpected error getting IPAddress: %v", err)
 		}
+		gomega.Expect(createdIP).To(apimachineryutils.HaveValidResourceVersion())
 		_, err = f.ClientSet.NetworkingV1().IPAddresses().Create(ctx, ipv6, metav1.CreateOptions{})
 		if err != nil {
 			framework.Failf("unexpected error getting IPAddress: %v", err)
@@ -259,6 +263,7 @@ var _ = common.SIGDescribe("ServiceCIDR and IPAddress API", func() {
 		if v, ok := patchedIP.Annotations["patched"]; !ok || v != "true" {
 			framework.Failf("patched object should have the applied annotation")
 		}
+		gomega.Expect(resourceversion.CompareResourceVersion(createdIP.ResourceVersion, patchedIP.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		var ipToUpdate, updatedIP *networkingv1.IPAddress
diff --git a/test/e2e/network/topology_hints.go b/test/e2e/network/topology_hints.go
index c9b63683c5ce3..c9601caf10f23 100644
--- a/test/e2e/network/topology_hints.go
+++ b/test/e2e/network/topology_hints.go
@@ -61,7 +61,7 @@ var _ = common.SIGDescribe("Topology Hints", func() {
 		ds, err := c.AppsV1().DaemonSets(f.Namespace.Name).Create(ctx, dsConf, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "error creating DaemonSet")
 
-		svc := createServiceReportErr(ctx, c, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "topology-hints",
 				Annotations: map[string]string{
@@ -78,7 +78,9 @@ var _ = common.SIGDescribe("Topology Hints", func() {
 					Protocol:   v1.ProtocolTCP,
 				}},
 			},
-		})
+		}
+		svc, err = c.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
 
 		err = wait.PollUntilContextTimeout(ctx, 5*time.Second, framework.PodStartTimeout, false, func(ctx context.Context) (bool, error) {
 			return e2edaemonset.CheckRunningOnAllNodes(ctx, f, ds)
diff --git a/test/e2e/network/traffic_distribution.go b/test/e2e/network/traffic_distribution.go
index 6eff064943c97..28892ebe02ccc 100644
--- a/test/e2e/network/traffic_distribution.go
+++ b/test/e2e/network/traffic_distribution.go
@@ -29,7 +29,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eendpointslice "k8s.io/kubernetes/test/e2e/framework/endpointslice"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -239,7 +238,7 @@ var _ = common.SIGDescribe("Traffic Distribution", func() {
 	createService := func(ctx context.Context, trafficDist string) *v1.Service {
 		serviceName := "traffic-dist-test-service"
 		ginkgo.By(fmt.Sprintf("creating a service %q with trafficDistribution %q", serviceName, trafficDist))
-		return createServiceReportErr(ctx, c, f.Namespace.Name, &v1.Service{
+		svc := &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: serviceName,
 			},
@@ -254,7 +253,10 @@ var _ = common.SIGDescribe("Traffic Distribution", func() {
 					Protocol:   v1.ProtocolTCP,
 				}},
 			},
-		})
+		}
+		svc, err := c.CoreV1().Services(f.Namespace.Name).Create(ctx, svc, metav1.CreateOptions{})
+		framework.ExpectNoError(err, "error creating Service")
+		return svc
 	}
 
 	// createPods creates endpoint pods for svc as described by serverPods, waits for
@@ -359,21 +361,21 @@ var _ = common.SIGDescribe("Traffic Distribution", func() {
 		checkTrafficDistribution(ctx, clientPods)
 	})
 
-	framework.It("should route traffic to an endpoint in the same zone when using PreferSameZone", framework.WithFeatureGate(features.PreferSameTrafficDistribution), func(ctx context.Context) {
+	framework.It("should route traffic to an endpoint in the same zone when using PreferSameZone", func(ctx context.Context) {
 		clientPods, serverPods := allocateClientsAndServers(ctx)
 		svc := createService(ctx, v1.ServiceTrafficDistributionPreferSameZone)
 		createPods(ctx, svc, clientPods, serverPods)
 		checkTrafficDistribution(ctx, clientPods)
 	})
 
-	framework.It("should route traffic correctly between pods on multiple nodes when using PreferSameZone", framework.WithFeatureGate(features.PreferSameTrafficDistribution), func(ctx context.Context) {
+	framework.It("should route traffic correctly between pods on multiple nodes when using PreferSameZone", func(ctx context.Context) {
 		clientPods, serverPods := allocateMultiNodeClientsAndServers(ctx)
 		svc := createService(ctx, v1.ServiceTrafficDistributionPreferSameZone)
 		createPods(ctx, svc, clientPods, serverPods)
 		checkTrafficDistribution(ctx, clientPods)
 	})
 
-	framework.It("should route traffic to an endpoint on the same node or fall back to same zone when using PreferSameNode", framework.WithFeatureGate(features.PreferSameTrafficDistribution), func(ctx context.Context) {
+	framework.It("should route traffic to an endpoint on the same node or fall back to same zone when using PreferSameNode", func(ctx context.Context) {
 		ginkgo.By("finding a set of nodes for the test")
 		zone1Nodes, zone2Nodes, zone3Nodes := getNodesForMultiNode(ctx)
 
@@ -425,7 +427,7 @@ var _ = common.SIGDescribe("Traffic Distribution", func() {
 		checkTrafficDistribution(ctx, clientPods)
 	})
 
-	framework.It("should route traffic to an endpoint on the same node when using PreferSameNode and fall back when the endpoint becomes unavailable", framework.WithFeatureGate(features.PreferSameTrafficDistribution), func(ctx context.Context) {
+	framework.It("should route traffic to an endpoint on the same node when using PreferSameNode and fall back when the endpoint becomes unavailable", func(ctx context.Context) {
 		ginkgo.By("finding a set of nodes for the test")
 		nodeList, err := e2enode.GetReadySchedulableNodes(ctx, c)
 		framework.ExpectNoError(err)
diff --git a/test/e2e/node/node_lifecycle.go b/test/e2e/node/node_lifecycle.go
index 9e2b53f004a99..c8d1b70bcee84 100644
--- a/test/e2e/node/node_lifecycle.go
+++ b/test/e2e/node/node_lifecycle.go
@@ -27,7 +27,9 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 
@@ -80,6 +82,7 @@ var _ = SIGDescribe("Node Lifecycle", func() {
 		createdNode, err := nodeClient.Create(ctx, &fakeNode, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "failed to create node %q", fakeNode.Name)
 		gomega.Expect(createdNode.Name).To(gomega.Equal(fakeNode.Name), "Checking that the node has been created")
+		gomega.Expect(createdNode).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By(fmt.Sprintf("Getting %q", fakeNode.Name))
 		retrievedNode, err := nodeClient.Get(ctx, fakeNode.Name, metav1.GetOptions{})
@@ -92,6 +95,7 @@ var _ = SIGDescribe("Node Lifecycle", func() {
 		framework.ExpectNoError(err, "Failed to patch %q", fakeNode.Name)
 		gomega.Expect(patchedNode.Labels).To(gomega.HaveKeyWithValue(fakeNode.Name, "patched"), "Checking that patched label has been applied")
 		patchedSelector := labels.Set{fakeNode.Name: "patched"}.AsSelector().String()
+		gomega.Expect(resourceversion.CompareResourceVersion(createdNode.ResourceVersion, patchedNode.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By(fmt.Sprintf("Listing nodes with LabelSelector %q", patchedSelector))
 		nodes, err := nodeClient.List(ctx, metav1.ListOptions{LabelSelector: patchedSelector})
diff --git a/test/e2e/node/pod_admission.go b/test/e2e/node/pod_admission.go
index 3dcc9e595b7c3..d6b187dbffac9 100644
--- a/test/e2e/node/pod_admission.go
+++ b/test/e2e/node/pod_admission.go
@@ -117,6 +117,8 @@ var _ = SIGDescribe("PodRejectionStatus", func() {
 				"Resize":                      gstruct.Ignore(),
 				"ResourceClaimStatuses":       gstruct.Ignore(),
 				"ExtendedResourceClaimStatus": gstruct.Ignore(),
+				"Resources":                   gstruct.Ignore(),
+				"AllocatedResources":          gstruct.Ignore(),
 			}))
 		})
 	})
diff --git a/test/e2e/node/pod_resize.go b/test/e2e/node/pod_resize.go
index 200f5c34ee8e7..07bfd4cee3d63 100644
--- a/test/e2e/node/pod_resize.go
+++ b/test/e2e/node/pod_resize.go
@@ -24,6 +24,7 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	schedulingv1 "k8s.io/api/scheduling/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -40,116 +41,237 @@ import (
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	gomegatypes "github.com/onsi/gomega/types"
 )
 
-func doPodResizeAdmissionPluginsTests(f *framework.Framework) {
-	testcases := []struct {
-		name                  string
-		enableAdmissionPlugin func(ctx context.Context, f *framework.Framework)
-		wantMemoryError       string
-		wantCPUError          string
-	}{
+func doPodResizeResourceQuotaTests(f *framework.Framework) {
+	originalContainers := []podresize.ResizableContainerInfo{
 		{
-			name: "pod-resize-resource-quota-test",
-			enableAdmissionPlugin: func(ctx context.Context, f *framework.Framework) {
-				resourceQuota := v1.ResourceQuota{
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "resize-resource-quota",
-						Namespace: f.Namespace.Name,
-					},
-					Spec: v1.ResourceQuotaSpec{
-						Hard: v1.ResourceList{
-							v1.ResourceCPU:    resource.MustParse("800m"),
-							v1.ResourceMemory: resource.MustParse("800Mi"),
-						},
-					},
-				}
-
-				ginkgo.By("Creating a ResourceQuota")
-				_, rqErr := f.ClientSet.CoreV1().ResourceQuotas(f.Namespace.Name).Create(ctx, &resourceQuota, metav1.CreateOptions{})
-				framework.ExpectNoError(rqErr, "failed to create resource quota")
-				// pod creation using this quota will fail until the quota status is populated, so we need to wait to
-				// prevent races with the resourcequota controller
-				ginkgo.By("Waiting for ResourceQuota status to populate")
-				quotaStatusErr := waitForResourceQuota(ctx, f.ClientSet, f.Namespace.Name, resourceQuota.Name)
-				framework.ExpectNoError(quotaStatusErr, "resource quota status failed to populate")
+			Name:      "c1",
+			Resources: &cgroups.ContainerResources{CPUReq: "300m", CPULim: "300m", MemReq: "300Mi", MemLim: "300Mi"},
+		},
+	}
 
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		resourceQuota := v1.ResourceQuota{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "resize-resource-quota",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: v1.ResourceQuotaSpec{
+				Hard: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("800m"),
+					v1.ResourceMemory: resource.MustParse("800Mi"),
+				},
 			},
-			wantMemoryError: "exceeded quota: resize-resource-quota, requested: memory=350Mi, used: memory=700Mi, limited: memory=800Mi",
-			wantCPUError:    "exceeded quota: resize-resource-quota, requested: cpu=200m, used: cpu=700m, limited: cpu=800m",
+		}
+
+		ginkgo.By("Creating a ResourceQuota")
+		_, rqErr := f.ClientSet.CoreV1().ResourceQuotas(f.Namespace.Name).Create(ctx, &resourceQuota, metav1.CreateOptions{})
+		framework.ExpectNoError(rqErr, "failed to create resource quota")
+		// pod creation using this quota will fail until the quota status is populated, so we need to wait to
+		// prevent races with the resourcequota controller
+		ginkgo.By("Waiting for ResourceQuota status to populate")
+		quotaStatusErr := waitForResourceQuota(ctx, f.ClientSet, f.Namespace.Name, resourceQuota.Name)
+		framework.ExpectNoError(quotaStatusErr, "resource quota status failed to populate")
+	})
+
+	ginkgo.DescribeTable("pod-resize-resource-quota-test",
+		func(ctx context.Context, desiredContainers []podresize.ResizableContainerInfo, expectedContainers []podresize.ResizableContainerInfo, wantError string) {
+			tStamp := strconv.Itoa(time.Now().Nanosecond())
+			testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, originalContainers, nil)
+			testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
+			testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, originalContainers, nil)
+			testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
+
+			ginkgo.By("creating pods")
+			podClient := e2epod.NewPodClient(f)
+			newPods := podClient.CreateBatch(ctx, []*v1.Pod{testPod1, testPod2})
+
+			ginkgo.By("verifying initial pod resources, and policy are as expected")
+			podresize.VerifyPodResources(newPods[0], originalContainers, nil)
+
+			ginkgo.By("patching pod for resize with resource-quota")
+			patchString := podresize.MakeResizePatch(originalContainers, desiredContainers, nil, nil)
+
+			if wantError == "" {
+				patchedPod, pErr := f.ClientSet.CoreV1().Pods(newPods[0].Namespace).Patch(ctx,
+					newPods[0].Name, types.StrategicMergePatchType, []byte(patchString), metav1.PatchOptions{}, "resize")
+				framework.ExpectNoError(pErr, "failed to patch pod for resize")
+
+				expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+				ginkgo.By("verifying pod resources are as expected post patch, pre-actuation")
+				podresize.VerifyPodResources(patchedPod, expected, nil)
+
+				ginkgo.By("waiting for resize to be actuated")
+				resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPods[0], expected)
+				podresize.ExpectPodResized(ctx, f, resizedPod, expected)
+
+				ginkgo.By("verifying pod resources after resize")
+				podresize.VerifyPodResources(resizedPod, expected, nil)
+
+			} else {
+				var patchedPod *v1.Pod
+				framework.ExpectNoError(framework.Gomega().
+					// Use Eventually because we need to wait for the resource-quota controller to sync.
+					Eventually(ctx, func(ctx context.Context) error {
+						var pErr error
+						patchedPod, pErr = f.ClientSet.CoreV1().Pods(newPods[0].Namespace).Patch(ctx,
+							newPods[0].Name, types.StrategicMergePatchType, []byte(patchString), metav1.PatchOptions{}, "resize")
+						return pErr
+					}).
+					WithTimeout(f.Timeouts.PodStart).
+					Should(gomega.MatchError(gomega.ContainSubstring(wantError))))
+
+				expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+				ginkgo.By("verifying pod patched for resize with error remains unchanged")
+				patchedPod, pErrEx2 := podClient.Get(ctx, newPods[0].Name, metav1.GetOptions{})
+				framework.ExpectNoError(pErrEx2, "failed to get pod post failed resize")
+				podresize.VerifyPodResources(patchedPod, expected, nil)
+				framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPod, expected))
+			}
 		},
-		{
-			name: "pod-resize-limit-ranger-test",
-			enableAdmissionPlugin: func(ctx context.Context, f *framework.Framework) {
-				lr := v1.LimitRange{
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "resize-limit-ranger",
-						Namespace: f.Namespace.Name,
-					},
-					Spec: v1.LimitRangeSpec{
-						Limits: []v1.LimitRangeItem{
-							{
-								Type: v1.LimitTypeContainer,
-								Max: v1.ResourceList{
-									v1.ResourceCPU:    resource.MustParse("500m"),
-									v1.ResourceMemory: resource.MustParse("500Mi"),
-								},
-								Min: v1.ResourceList{
-									v1.ResourceCPU:    resource.MustParse("50m"),
-									v1.ResourceMemory: resource.MustParse("50Mi"),
-								},
-								Default: v1.ResourceList{
-									v1.ResourceCPU:    resource.MustParse("100m"),
-									v1.ResourceMemory: resource.MustParse("100Mi"),
-								},
-								DefaultRequest: v1.ResourceList{
-									v1.ResourceCPU:    resource.MustParse("50m"),
-									v1.ResourceMemory: resource.MustParse("50Mi"),
-								},
-							},
-						},
-					},
-				}
 
-				ginkgo.By("Creating a LimitRanger")
-				_, lrErr := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Create(ctx, &lr, metav1.CreateOptions{})
-				framework.ExpectNoError(lrErr, "failed to create limit ranger")
+		ginkgo.Entry("exceed maximum CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "600m", CPULim: "600m", MemReq: "400Mi", MemLim: "400Mi"},
+				},
 			},
-			wantMemoryError: "forbidden: maximum memory usage per Container is 500Mi, but limit is 750Mi",
-			wantCPUError:    "forbidden: maximum cpu usage per Container is 500m, but limit is 600m",
-		},
-	}
+			originalContainers,
+			"exceeded quota: resize-resource-quota, requested: cpu=300m, used: cpu=600m, limited: cpu=800m",
+		),
 
-	for _, tc := range testcases {
-		ginkgo.It(tc.name, func(ctx context.Context) {
-			containers := []podresize.ResizableContainerInfo{
+		ginkgo.Entry("exceed maximum Memory",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
-					Resources: &cgroups.ContainerResources{CPUReq: "300m", CPULim: "300m", MemReq: "300Mi", MemLim: "300Mi"},
+					Resources: &cgroups.ContainerResources{CPUReq: "250m", CPULim: "250m", MemReq: "750Mi", MemLim: "750Mi"},
 				},
-			}
-			patchString := `{"spec":{"containers":[
-				{"name":"c1", "resources":{"requests":{"cpu":"400m","memory":"400Mi"},"limits":{"cpu":"400m","memory":"400Mi"}}}
-			]}}`
-			expected := []podresize.ResizableContainerInfo{
+			},
+			originalContainers,
+			"exceeded quota: resize-resource-quota, requested: memory=450Mi, used: memory=600Mi, limited: memory=800Mi",
+		),
+
+		ginkgo.Entry("exceed maximum CPU and Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "600m", CPULim: "600m", MemReq: "750Mi", MemLim: "750Mi"},
+				},
+			},
+			originalContainers,
+			"exceeded quota: resize-resource-quota, requested: cpu=300m,memory=450Mi, used: cpu=600m,memory=600Mi, limited: cpu=800m,memory=800Mi",
+		),
+
+		ginkgo.Entry("valid increase of CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "300Mi", MemLim: "300Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "300Mi", MemLim: "300Mi"},
+				},
+			},
+			"",
+		),
+
+		ginkgo.Entry("valid increase of Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			"",
+		),
+
+		ginkgo.Entry("valid increase for both CPU and Memory",
+			[]podresize.ResizableContainerInfo{
 				{
 					Name:      "c1",
 					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "400Mi", MemLim: "400Mi"},
 				},
-			}
-			patchStringExceedCPU := `{"spec":{"containers":[
-				{"name":"c1", "resources":{"requests":{"cpu":"600m"},"limits":{"cpu":"600m"}}}
-			]}}`
-			patchStringExceedMemory := `{"spec":{"containers":[
-				{"name":"c1", "resources":{"requests":{"cpu":"250m","memory":"750Mi"},"limits":{"cpu":"250m","memory":"750Mi"}}}
-			]}}`
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "400Mi", MemLim: "400Mi"},
+				},
+			},
+			"",
+		),
+	)
+}
 
-			tc.enableAdmissionPlugin(ctx, f)
+func doPodResizeLimitRangerTests(f *framework.Framework) {
+	originalContainers := []podresize.ResizableContainerInfo{
+		{
+			Name:      "c1",
+			Resources: &cgroups.ContainerResources{CPUReq: "300m", CPULim: "300m", MemReq: "300Mi", MemLim: "300Mi"},
+		},
+	}
 
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		ginkgo.By("Creating a LimitRanger")
+		lr := &v1.LimitRange{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "resize-limit-ranger",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: v1.LimitRangeSpec{
+				Limits: []v1.LimitRangeItem{
+					{
+						Type: v1.LimitTypeContainer,
+						Max: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("500m"),
+							v1.ResourceMemory: resource.MustParse("500Mi"),
+						},
+						Min: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("50m"),
+							v1.ResourceMemory: resource.MustParse("50Mi"),
+						},
+						Default: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("100m"),
+							v1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+						DefaultRequest: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("50m"),
+							v1.ResourceMemory: resource.MustParse("50Mi"),
+						},
+					},
+				},
+			},
+		}
+		_, lrErr := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Create(context.Background(), lr, metav1.CreateOptions{})
+		framework.ExpectNoError(lrErr, "failed to create limit ranger")
+
+		ginkgo.By("Fetching the LimitRange to ensure it has proper values")
+		gotLr, lrErr := f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Get(ctx, lr.Name, metav1.GetOptions{})
+		framework.ExpectNoError(lrErr)
+
+		if !apiequality.Semantic.DeepEqual(lr.Spec.Limits, gotLr.Spec.Limits) {
+			framework.Failf("retrieved LimitRange does not match created one: got %v; expected %v", gotLr.Spec.Limits, lr.Spec.Limits)
+		}
+	})
+
+	ginkgo.DescribeTable("pod-resize-limit-ranger-test",
+		func(ctx context.Context, desiredContainers []podresize.ResizableContainerInfo, expectedContainers []podresize.ResizableContainerInfo, wantErrors []string) {
 			tStamp := strconv.Itoa(time.Now().Nanosecond())
-			testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, containers)
+			testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, originalContainers, nil)
 			testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
-			testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, containers)
+			testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, originalContainers, nil)
 			testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
 
 			ginkgo.By("creating pods")
@@ -157,60 +279,216 @@ func doPodResizeAdmissionPluginsTests(f *framework.Framework) {
 			newPods := podClient.CreateBatch(ctx, []*v1.Pod{testPod1, testPod2})
 
 			ginkgo.By("verifying initial pod resources, and policy are as expected")
-			podresize.VerifyPodResources(newPods[0], containers)
-
-			ginkgo.By("patching pod for resize within resource quota")
-			patchedPod, pErr := f.ClientSet.CoreV1().Pods(newPods[0].Namespace).Patch(ctx, newPods[0].Name,
-				types.StrategicMergePatchType, []byte(patchString), metav1.PatchOptions{}, "resize")
-			framework.ExpectNoError(pErr, "failed to patch pod for resize")
-			expected = podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expected)
-
-			ginkgo.By("verifying pod patched for resize within resource quota")
-			podresize.VerifyPodResources(patchedPod, expected)
-
-			ginkgo.By("waiting for resize to be actuated")
-			resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPods[0], expected)
-			podresize.ExpectPodResized(ctx, f, resizedPod, expected)
-
-			ginkgo.By("verifying pod resources after resize")
-			podresize.VerifyPodResources(resizedPod, expected)
-
-			ginkgo.By("patching pod for resize with memory exceeding resource quota")
-			framework.ExpectNoError(framework.Gomega().
-				// Use Eventually because we need to wait for the quota controller to sync.
-				Eventually(ctx, func(ctx context.Context) error {
-					_, pErrExceedMemory := f.ClientSet.CoreV1().Pods(resizedPod.Namespace).Patch(ctx,
-						resizedPod.Name, types.StrategicMergePatchType, []byte(patchStringExceedMemory), metav1.PatchOptions{DryRun: []string{metav1.DryRunAll}}, "resize")
-					return pErrExceedMemory
-				}).
-				WithTimeout(f.Timeouts.PodStart).
-				Should(gomega.MatchError(gomega.ContainSubstring(tc.wantMemoryError))))
-
-			ginkgo.By("verifying pod patched for resize exceeding memory resource quota remains unchanged")
-			patchedPodExceedMemory, pErrEx2 := podClient.Get(ctx, resizedPod.Name, metav1.GetOptions{})
-			framework.ExpectNoError(pErrEx2, "failed to get pod post exceed memory resize")
-			podresize.VerifyPodResources(patchedPodExceedMemory, expected)
-			framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPodExceedMemory, expected))
-
-			ginkgo.By(fmt.Sprintf("patching pod %s for resize with CPU exceeding resource quota", resizedPod.Name))
-			framework.ExpectNoError(framework.Gomega().
-				// Use Eventually because we need to wait for the quota controller to sync.
-				Eventually(ctx, func(ctx context.Context) error {
-					_, pErrExceedCPU := f.ClientSet.CoreV1().Pods(resizedPod.Namespace).Patch(ctx,
-						resizedPod.Name, types.StrategicMergePatchType, []byte(patchStringExceedCPU), metav1.PatchOptions{DryRun: []string{metav1.DryRunAll}}, "resize")
-					return pErrExceedCPU
-				}).
-				WithTimeout(f.Timeouts.PodStart).
-				Should(gomega.MatchError(gomega.ContainSubstring(tc.wantCPUError))))
-
-			ginkgo.By("verifying pod patched for resize exceeding CPU resource quota remains unchanged")
-			patchedPodExceedCPU, pErrEx1 := podClient.Get(ctx, resizedPod.Name, metav1.GetOptions{})
-			framework.ExpectNoError(pErrEx1, "failed to get pod post exceed CPU resize")
-			podresize.VerifyPodResources(patchedPodExceedCPU, expected)
-			framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPodExceedMemory, expected))
-		})
-	}
+			podresize.VerifyPodResources(newPods[0], originalContainers, nil)
+
+			ginkgo.By("patching pod for resize with limit-ranger")
+			patchString := podresize.MakeResizePatch(originalContainers, desiredContainers, nil, nil)
+
+			if len(wantErrors) == 0 {
+				patchedPod, pErr := f.ClientSet.CoreV1().Pods(newPods[0].Namespace).Patch(ctx,
+					newPods[0].Name, types.StrategicMergePatchType, []byte(patchString), metav1.PatchOptions{}, "resize")
+				framework.ExpectNoError(pErr, "failed to patch pod for resize")
 
+				expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+				ginkgo.By("verifying pod resources are as expected post patch, pre-actuation")
+				podresize.VerifyPodResources(patchedPod, expected, nil)
+
+				ginkgo.By("waiting for resize to be actuated")
+				resizedPod := podresize.WaitForPodResizeActuation(ctx, f, podClient, newPods[0], expected)
+				podresize.ExpectPodResized(ctx, f, resizedPod, expected)
+
+				ginkgo.By("verifying pod resources after resize")
+				podresize.VerifyPodResources(resizedPod, expected, nil)
+
+			} else {
+				var patchedPod *v1.Pod
+				var errMatchers []gomegatypes.GomegaMatcher
+				for _, wantErr := range wantErrors {
+					errMatchers = append(errMatchers, gomega.ContainSubstring(wantErr))
+				}
+
+				framework.ExpectNoError(framework.Gomega().
+					// Use Eventually because we need to wait for the limit-ranger controller to sync.
+					Eventually(ctx, func(ctx context.Context) error {
+						var pErr error
+						patchedPod, pErr = f.ClientSet.CoreV1().Pods(newPods[0].Namespace).Patch(ctx,
+							newPods[0].Name, types.StrategicMergePatchType, []byte(patchString), metav1.PatchOptions{}, "resize")
+						return pErr
+					}).
+					WithTimeout(f.Timeouts.PodStart).
+					Should(gomega.MatchError(gomega.And(errMatchers...))))
+
+				expected := podresize.UpdateExpectedContainerRestarts(ctx, patchedPod, expectedContainers)
+				ginkgo.By("verifying pod patched for resize with error remains unchanged")
+				patchedPod, pErrEx2 := podClient.Get(ctx, newPods[0].Name, metav1.GetOptions{})
+				framework.ExpectNoError(pErrEx2, "failed to get pod post failed resize")
+				podresize.VerifyPodResources(patchedPod, expected, nil)
+				framework.ExpectNoError(podresize.VerifyPodStatusResources(patchedPod, expected))
+			}
+		},
+
+		ginkgo.Entry("exceed maximum CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "600m", CPULim: "600m", MemReq: "250Mi", MemLim: "250Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"forbidden: maximum cpu usage per Container is 500m, but limit is 600m"},
+		),
+
+		ginkgo.Entry("exceed maximum Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "250m", CPULim: "250m", MemReq: "750Mi", MemLim: "750Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"forbidden: maximum memory usage per Container is 500Mi, but limit is 750Mi"},
+		),
+
+		ginkgo.Entry("exceed maximum Memory and CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "600m", CPULim: "600m", MemReq: "600Mi", MemLim: "600Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"maximum cpu usage per Container is 500m, but limit is 600m", "maximum memory usage per Container is 500Mi, but limit is 600Mi"},
+		),
+
+		ginkgo.Entry("request below min CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "10m", CPULim: "10m", MemReq: "400Mi", MemLim: "400Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"forbidden: minimum cpu usage per Container is 50m, but request is 10m"},
+		),
+
+		ginkgo.Entry("request below min Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "250m", CPULim: "250m", MemReq: "10Mi", MemLim: "10Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"forbidden: minimum memory usage per Container is 50Mi, but request is 10Mi"},
+		),
+
+		ginkgo.Entry("request below min CPU and min Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "10m", CPULim: "10m", MemReq: "10Mi", MemLim: "10Mi"},
+				},
+			},
+			originalContainers,
+			[]string{"minimum cpu usage per Container is 50m, but request is 10m", "minimum memory usage per Container is 50Mi, but request is 10Mi"},
+		),
+
+		ginkgo.Entry("valid increase of CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "300Mi", MemLim: "300Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "300Mi", MemLim: "300Mi"},
+				},
+			},
+			nil,
+		),
+
+		ginkgo.Entry("valid increase of Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			nil,
+		),
+
+		ginkgo.Entry("valid increase of CPU and Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "400Mi", MemLim: "400Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "400Mi", MemLim: "400Mi"},
+				},
+			},
+			nil,
+		),
+
+		ginkgo.Entry("valid decrease of Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "400m", CPULim: "400m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			nil,
+		),
+
+		ginkgo.Entry("valid decrease of CPU",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "350m", CPULim: "350m", MemReq: "350Mi", MemLim: "350Mi"},
+				},
+			},
+			nil,
+		),
+
+		ginkgo.Entry("valid decrease of CPU and Memory",
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "250m", CPULim: "250m", MemReq: "250Mi", MemLim: "250Mi"},
+				},
+			},
+			[]podresize.ResizableContainerInfo{
+				{
+					Name:      "c1",
+					Resources: &cgroups.ContainerResources{CPUReq: "250m", CPULim: "250m", MemReq: "250Mi", MemLim: "250Mi"},
+				},
+			},
+			nil,
+		),
+	)
 }
 
 func doPodResizeSchedulerTests(f *framework.Framework) {
@@ -264,9 +542,9 @@ func doPodResizeSchedulerTests(f *framework.Framework) {
 			}`, testPod2CPUQuantityResized.MilliValue(), testPod2CPUQuantityResized.MilliValue())
 
 		tStamp := strconv.Itoa(time.Now().Nanosecond())
-		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c1)
+		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c1, nil)
 		testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
-		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c2)
+		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c2, nil)
 		testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
 		e2epod.SetNodeAffinity(&testPod1.Spec, node.Name)
 		e2epod.SetNodeAffinity(&testPod2.Spec, node.Name)
@@ -322,7 +600,7 @@ func doPodResizeSchedulerTests(f *framework.Framework) {
 			}`, testPod1CPUQuantityResized.MilliValue(), testPod1CPUQuantityResized.MilliValue())
 
 		tStamp = strconv.Itoa(time.Now().Nanosecond())
-		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c3)
+		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c3, nil)
 		testPod3 = e2epod.MustMixinRestrictedPodSecurity(testPod3)
 		e2epod.SetNodeAffinity(&testPod3.Spec, node.Name)
 
@@ -446,9 +724,9 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 			},
 		}
 		tStamp := strconv.Itoa(time.Now().Nanosecond())
-		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c1)
+		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c1, nil)
 		testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
-		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c2)
+		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c2, nil)
 		testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
 		e2epod.SetNodeAffinity(&testPod1.Spec, node.Name)
 		e2epod.SetNodeAffinity(&testPod2.Spec, node.Name)
@@ -502,7 +780,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 			}`, testPod1CPUQuantityResizedCPU.MilliValue(), testPod1CPUQuantityResizedCPU.MilliValue())
 
 		tStamp = strconv.Itoa(time.Now().Nanosecond())
-		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c3)
+		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c3, nil)
 		testPod3 = e2epod.MustMixinRestrictedPodSecurity(testPod3)
 		e2epod.SetNodeAffinity(&testPod3.Spec, node.Name)
 
@@ -587,7 +865,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		}
 
 		tStamp := strconv.Itoa(time.Now().Nanosecond())
-		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, containerWithMajorityCPU)
+		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, containerWithMajorityCPU, nil)
 		testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
 		e2epod.SetNodeAffinity(&testPod1.Spec, node.Name)
 
@@ -596,7 +874,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		gomega.Expect(testPod1.Status.Phase).To(gomega.Equal(v1.PodRunning))
 
 		// Create pod2 with 1/16 of the node allocatable CPU, with high priority based on priority class.
-		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, containerWithLittleCPU)
+		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, containerWithLittleCPU, nil)
 		testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
 		pc, err := f.ClientSet.SchedulingV1().PriorityClasses().Create(ctx, &schedulingv1.PriorityClass{
 			ObjectMeta: metav1.ObjectMeta{
@@ -617,7 +895,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		gomega.Expect(testPod2.Status.Phase).To(gomega.Equal(v1.PodRunning))
 
 		// Create pod3 with 1/16 of the node allocatable CPU, that is a "guaranteed" pod (all others should be "burstable").
-		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, containerWithLittleCPUGuaranteedQoS)
+		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, containerWithLittleCPUGuaranteedQoS, nil)
 		testPod3 = e2epod.MustMixinRestrictedPodSecurity(testPod3)
 		e2epod.SetNodeAffinity(&testPod3.Spec, node.Name)
 
@@ -626,7 +904,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		gomega.Expect(testPod3.Status.Phase).To(gomega.Equal(v1.PodRunning))
 
 		// Create pod4 with 1/16 of the node allocatable CPU.
-		testPod4 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod4", tStamp, containerWithLittleCPU)
+		testPod4 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod4", tStamp, containerWithLittleCPU, nil)
 		testPod4 = e2epod.MustMixinRestrictedPodSecurity(testPod4)
 		e2epod.SetNodeAffinity(&testPod4.Spec, node.Name)
 
@@ -635,7 +913,7 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		gomega.Expect(testPod4.Status.Phase).To(gomega.Equal(v1.PodRunning))
 
 		// Create pod5 with 1/16 of the node allocatable CPU.
-		testPod5 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod5", tStamp, containerWithLittleCPU)
+		testPod5 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod5", tStamp, containerWithLittleCPU, nil)
 		testPod5 = e2epod.MustMixinRestrictedPodSecurity(testPod5)
 		e2epod.SetNodeAffinity(&testPod5.Spec, node.Name)
 
@@ -806,19 +1084,19 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 		}
 
 		tStamp := strconv.Itoa(time.Now().Nanosecond())
-		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c)
+		testPod1 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod1", tStamp, c, nil)
 		testPod1 = e2epod.MustMixinRestrictedPodSecurity(testPod1)
 		e2epod.SetNodeAffinity(&testPod1.Spec, node.Name)
 
-		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c)
+		testPod2 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod2", tStamp, c, nil)
 		testPod2 = e2epod.MustMixinRestrictedPodSecurity(testPod2)
 		e2epod.SetNodeAffinity(&testPod2.Spec, node.Name)
 
-		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c)
+		testPod3 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod3", tStamp, c, nil)
 		testPod3 = e2epod.MustMixinRestrictedPodSecurity(testPod3)
 		e2epod.SetNodeAffinity(&testPod3.Spec, node.Name)
 
-		testPod4 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod4", tStamp, c)
+		testPod4 := podresize.MakePodWithResizableContainers(f.Namespace.Name, "testpod4", tStamp, c, nil)
 		testPod4 = e2epod.MustMixinRestrictedPodSecurity(testPod4)
 		e2epod.SetNodeAffinity(&testPod4.Spec, node.Name)
 
@@ -863,9 +1141,9 @@ func doPodResizeRetryDeferredTests(f *framework.Framework) {
 			},
 		}
 
-		patchTestPod2ToDeferred := podresize.MakeResizePatch(c, expectedTestPod2Resized)
-		patchTestPod3ToDeferred := podresize.MakeResizePatch(c, expectedTestPod3Resized)
-		patchTestPod4ToDeferred := podresize.MakeResizePatch(c, expectedTestPod4Resized)
+		patchTestPod2ToDeferred := podresize.MakeResizePatch(c, expectedTestPod2Resized, nil, nil)
+		patchTestPod3ToDeferred := podresize.MakeResizePatch(c, expectedTestPod3Resized, nil, nil)
+		patchTestPod4ToDeferred := podresize.MakeResizePatch(c, expectedTestPod4Resized, nil, nil)
 
 		patches := []string{string(patchTestPod2ToDeferred), string(patchTestPod3ToDeferred), string(patchTestPod4ToDeferred)}
 
@@ -924,8 +1202,21 @@ var _ = SIGDescribe(framework.WithSerial(), "Pod InPlace Resize Container (defer
 	doPodResizeRetryDeferredTests(f)
 })
 
-var _ = SIGDescribe("Pod InPlace Resize Container", framework.WithFeatureGate(features.InPlacePodVerticalScaling), func() {
-	f := framework.NewDefaultFramework("pod-resize-tests")
+var _ = SIGDescribe("Pod InPlace Resize Container (resource-quota)", framework.WithFeatureGate(features.InPlacePodVerticalScaling), func() {
+	f := framework.NewDefaultFramework("pod-resize-resource-quota-tests")
+
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		node, err := e2enode.GetRandomReadySchedulableNode(ctx, f.ClientSet)
+		framework.ExpectNoError(err)
+		if framework.NodeOSDistroIs("windows") || e2enode.IsARM64(node) {
+			e2eskipper.Skipf("runtime does not support InPlacePodVerticalScaling -- skipping")
+		}
+	})
+	doPodResizeResourceQuotaTests(f)
+})
+
+var _ = SIGDescribe("Pod InPlace Resize Container (limit-ranger)", framework.WithFeatureGate(features.InPlacePodVerticalScaling), func() {
+	f := framework.NewDefaultFramework("pod-resize-limit-ranger-tests")
 
 	ginkgo.BeforeEach(func(ctx context.Context) {
 		node, err := e2enode.GetRandomReadySchedulableNode(ctx, f.ClientSet)
@@ -934,7 +1225,7 @@ var _ = SIGDescribe("Pod InPlace Resize Container", framework.WithFeatureGate(fe
 			e2eskipper.Skipf("runtime does not support InPlacePodVerticalScaling -- skipping")
 		}
 	})
-	doPodResizeAdmissionPluginsTests(f)
+	doPodResizeLimitRangerTests(f)
 })
 
 func waitForResourceQuota(ctx context.Context, c clientset.Interface, ns, quotaName string) error {
diff --git a/test/e2e/node/pods.go b/test/e2e/node/pods.go
index dd8528bcf741f..2cbf75c6542c5 100644
--- a/test/e2e/node/pods.go
+++ b/test/e2e/node/pods.go
@@ -41,7 +41,6 @@ import (
 	"k8s.io/client-go/util/retry"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/events"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -338,7 +337,8 @@ var _ = SIGDescribe("Pods Extended", func() {
 				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
 			})
 
-			err := e2epod.WaitForPodTerminatedInNamespace(ctx, f.ClientSet, pod.Name, "Evicted", f.Namespace.Name)
+			// Intentionally increase the timeout to ensure the metrics availability required for this test.
+			err := e2epod.WaitForPodTerminatedInNamespaceTimeout(ctx, f.ClientSet, pod.Name, "Evicted", f.Namespace.Name, 10*time.Minute)
 			if err != nil {
 				framework.Failf("error waiting for pod to be evicted: %v", err)
 			}
@@ -419,7 +419,7 @@ var _ = SIGDescribe("Pods Extended", func() {
 	})
 })
 
-var _ = SIGDescribe("Pods Extended (pod generation)", feature.PodObservedGenerationTracking, framework.WithFeatureGate(features.PodObservedGenerationTracking), func() {
+var _ = SIGDescribe("Pods Extended (pod generation)", func() {
 	f := framework.NewDefaultFramework("pods")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 
@@ -429,7 +429,12 @@ var _ = SIGDescribe("Pods Extended (pod generation)", feature.PodObservedGenerat
 			podClient = e2epod.NewPodClient(f)
 		})
 
-		ginkgo.It("pod generation should start at 1 and increment per update", func(ctx context.Context) {
+		/*
+			Release: v1.35
+			Testname: Pods Generation, updates
+			Description: Create a Pod, and perform a few updates, ensuring that the pod's metadata.generation and status.observedGeneration are updated as expected.
+		*/
+		framework.ConformanceIt("pod generation should start at 1 and increment per update [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
 			ginkgo.By("creating the pod")
 			podName := "pod-generation-" + string(uuid.NewUUID())
 			pod := e2epod.NewAgnhostPod(f.Namespace.Name, podName, nil, nil, nil)
@@ -529,7 +534,12 @@ var _ = SIGDescribe("Pods Extended (pod generation)", feature.PodObservedGenerat
 			}
 		})
 
-		ginkgo.It("custom-set generation on new pods and graceful delete", func(ctx context.Context) {
+		/*
+			Release: v1.35
+			Testname: Pods Generation, graceful delete
+			Description: Create a Pod, ensure that triggering a graceful delete causes the generation to be updated.
+		*/
+		framework.ConformanceIt("custom-set generation on new pods and graceful delete", func(ctx context.Context) {
 			ginkgo.By("creating the pod")
 			name := "pod-generation-" + string(uuid.NewUUID())
 			value := strconv.Itoa(time.Now().Nanosecond())
@@ -565,7 +575,12 @@ var _ = SIGDescribe("Pods Extended (pod generation)", feature.PodObservedGenerat
 			gomega.Expect(pod.Generation).To(gomega.BeEquivalentTo(2))
 		})
 
-		ginkgo.It("issue 500 podspec updates and verify generation and observedGeneration eventually converge", func(ctx context.Context) {
+		/*
+			Release: v1.35
+			Testname: Pods Generation, 500 updates
+			Description: Create a Pod, issue 499 podSpec updates and verify generation and observedGeneration eventually converge to 500.
+		*/
+		framework.ConformanceIt("issue 500 podspec updates and verify generation and observedGeneration eventually converge [MinimumKubeletVersion:1.34]", func(ctx context.Context) {
 			ginkgo.By("creating the pod")
 			name := "pod-generation-" + string(uuid.NewUUID())
 			value := strconv.Itoa(time.Now().Nanosecond())
@@ -857,6 +872,350 @@ var _ = SIGDescribe("Pod Extended (container restart policy)", framework.WithFea
 	})
 })
 
+var _ = SIGDescribe("Pod Extended (RestartAllContainers)", framework.WithFeatureGate(features.ContainerRestartRules), framework.WithFeatureGate(features.RestartAllContainersOnContainerExits), func() {
+	f := framework.NewDefaultFramework("pods")
+	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+
+	ginkgo.Describe("RestartAllContainers", func() {
+		var (
+			containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways
+			containerRestartPolicyNever  = v1.ContainerRestartPolicyNever
+		)
+
+		restartAllContainersRules := []v1.ContainerRestartRule{
+			{
+				Action: v1.ContainerRestartRuleActionRestartAllContainers,
+				ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+					Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+					Values:   []int32{42},
+				},
+			},
+		}
+
+		ginkgo.It("should restart all containers on regular container exit", func(ctx context.Context) {
+			podName := "restart-rules-exit-code-" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					InitContainers: []v1.Container{
+						{
+							Name:    "init",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "exit 0"},
+						},
+						{
+							Name:          "sidecar",
+							Image:         imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:       []string{"/bin/sh", "-c", "sleep 10000"},
+							RestartPolicy: &containerRestartPolicyAlways,
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/restart-complete ]; then sleep 10000; else touch /mnt/restart-complete; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+						{
+							Name:    "regular",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "sleep 10000"},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			// All containers should be restarted once
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+			validateAllContainersRestarted(ctx, f, pod, []string{"init", "sidecar", "source-container", "regular"})
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "source-container", 3*time.Minute))
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "regular", 3*time.Minute))
+		})
+
+		ginkgo.It("should restart all containers on sidecar container exit", func(ctx context.Context) {
+			podName := "restart-rules-exit-code-" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					InitContainers: []v1.Container{
+						{
+							Name:    "init",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "exit 0"},
+						},
+						{
+							Name:          "sidecar",
+							Image:         imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:       []string{"/bin/sh", "-c", "sleep 10000"},
+							RestartPolicy: &containerRestartPolicyAlways,
+						},
+						{
+							Name:               "source-sidecar",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/init-complete ]; then sleep 10000; else touch /mnt/init-complete; sleep 30; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyAlways,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:    "regular",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "sleep 10000"},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			// All containers should be restarted once
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+			validateAllContainersRestarted(ctx, f, pod, []string{"init", "sidecar", "source-sidecar", "regular"})
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "regular", 3*time.Minute))
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "source-sidecar", 3*time.Minute))
+		})
+
+		ginkgo.It("should restart init and sidecar containers on init container exit", func(ctx context.Context) {
+			podName := "restart-rules-exit-code-" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					InitContainers: []v1.Container{
+						{
+							Name:          "sidecar",
+							Image:         imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:       []string{"/bin/sh", "-c", "sleep 10000"},
+							RestartPolicy: &containerRestartPolicyAlways,
+						},
+						{
+							Name:    "init",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "exit 0"},
+						},
+						{
+							Name:               "source-init",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/init-complete ]; then exit 0; else touch /mnt/init-complete; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:    "regular",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "sleep 10000"},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			// All containers should be restarted once
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+			validateAllContainersRestarted(ctx, f, pod, []string{"init", "sidecar", "source-init"})
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "regular", 3*time.Minute))
+		})
+
+		ginkgo.It("should allow multiple RestartAllContainers actions and not introduce a loop", func(ctx context.Context) {
+			podName := "restart-rules-exit-code-" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/restart-complete ]; then sleep 10000; else touch /mnt/restart-complete; sleep 10; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+						{
+							Name:               "regular",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "sleep 10000"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			// All containers should be restarted once
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+			validateAllContainersRestarted(ctx, f, pod, []string{"source-container", "regular"})
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "source-container", 3*time.Minute))
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "regular", 3*time.Minute))
+		})
+
+		ginkgo.It("should restart all containers on a previously restarted regular container exit ", func(ctx context.Context) {
+			podName := "restart-rules-exit-code-" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/restart-complete ]; then sleep 10000; elif [ -f /mnt/restart-1 ]; then touch /mnt/restart-complete; exit 42; else touch /mnt/restart-1; exit 1; fi"},
+							RestartPolicy:      &containerRestartPolicyAlways,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+						{
+							Name:    "regular",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "sleep 10000"},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			// All containers should be restarted once
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+			validateAllContainersRestarted(ctx, f, pod, []string{"source-container", "regular"})
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "source-container", 3*time.Minute))
+			framework.ExpectNoError(e2epod.WaitForContainerRunning(ctx, f.ClientSet, f.Namespace.Name, podName, "regular", 3*time.Minute))
+		})
+	})
+})
+
+func validateAllContainersRestarted(ctx context.Context, f *framework.Framework, pod *v1.Pod, containers []string) {
+	ginkgo.By("Waiting for all containers to restart")
+	err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "all containers restarted", 3*time.Minute, func(pod *v1.Pod) (bool, error) {
+		restartedCount := 0
+		for _, cName := range containers {
+			restarted := false
+			for _, status := range pod.Status.ContainerStatuses {
+				if status.Name == cName && status.RestartCount > 0 {
+					restarted = true
+				}
+			}
+			for _, status := range pod.Status.InitContainerStatuses {
+				if status.Name == cName && status.RestartCount > 0 {
+					restarted = true
+				}
+			}
+			if restarted {
+				restartedCount++
+			} else {
+				framework.Logf("container %s did not restart", cName)
+			}
+		}
+		framework.Logf("%d out of %d containers restarted", restartedCount, len(containers))
+		return restartedCount == len(containers), nil
+	})
+	framework.ExpectNoError(err, "failed to see all containers restart")
+}
+
 func createAndValidateRestartableContainer(ctx context.Context, f *framework.Framework, pod *v1.Pod, podName, containerName string) {
 	ginkgo.By("Creating the pod")
 	e2epod.NewPodClient(f).Create(ctx, pod)
diff --git a/test/e2e/scheduling/limit_range.go b/test/e2e/scheduling/limit_range.go
index ecb0d1479902a..e3997b75bbc6d 100644
--- a/test/e2e/scheduling/limit_range.go
+++ b/test/e2e/scheduling/limit_range.go
@@ -35,11 +35,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/cache"
 	watchtools "k8s.io/client-go/tools/watch"
+	"k8s.io/klog/v2"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2eservice "k8s.io/kubernetes/test/e2e/framework/service"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -91,7 +94,7 @@ var _ = SIGDescribe("LimitRange", func() {
 				return f.ClientSet.CoreV1().LimitRanges(f.Namespace.Name).Watch(ctx, options)
 			},
 		}
-		_, informer, w, _ := watchtools.NewIndexerInformerWatcher(lw, &v1.LimitRange{})
+		_, informer, w, _ := watchtools.NewIndexerInformerWatcherWithLogger(klog.FromContext(ctx), lw, &v1.LimitRange{})
 		defer w.Stop()
 
 		timeoutCtx, cancel := context.WithTimeout(ctx, wait.ForeverTestTimeout)
@@ -292,6 +295,7 @@ var _ = SIGDescribe("LimitRange", func() {
 		ginkgo.By(fmt.Sprintf("Creating LimitRange %q in namespace %q", lrName, f.Namespace.Name))
 		limitRange, err := lrClient.Create(ctx, limitRange, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "Failed to create limitRange %q", lrName)
+		gomega.Expect(limitRange).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("Creating another limitRange in another namespace")
 		lrNamespace, err := f.CreateNamespace(ctx, lrName, nil)
@@ -333,6 +337,7 @@ var _ = SIGDescribe("LimitRange", func() {
 			framework.Failf("LimitRange does not have the correct min limitRange. Currently is %#v ", patchedLimitRange.Spec.Limits[0].Min)
 		}
 		framework.Logf("LimitRange %q has been patched", lrName)
+		gomega.Expect(resourceversion.CompareResourceVersion(limitRange.ResourceVersion, patchedLimitRange.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By(fmt.Sprintf("Delete LimitRange %q by Collection with labelSelector: %q", lrName, patchedLabelSelector))
 		err = lrClient.DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: patchedLabelSelector})
diff --git a/test/e2e/scheduling/preemption.go b/test/e2e/scheduling/preemption.go
index 04b6082265f88..3a8222861a0a9 100644
--- a/test/e2e/scheduling/preemption.go
+++ b/test/e2e/scheduling/preemption.go
@@ -36,6 +36,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -44,6 +45,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
 	"k8s.io/kubernetes/pkg/features"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
@@ -373,7 +375,7 @@ var _ = SIGDescribe("SchedulerPreemption", framework.WithSerial(), func() {
 		highPriorityPods := make([]*v1.Pod, 0, 5*nodeListLen)
 		mediumPriorityPods := make([]*v1.Pod, 0, 10*nodeListLen)
 
-		ginkgo.By("Run medium priority pods that have same requirements as that of lower priority pod")
+		ginkgo.By("Run high/medium priority pods that have same requirements as that of lower priority pod")
 		for i := range nodeList.Items {
 			// Create medium priority pods first
 			// to confirm the scheduler finally prioritize the high priority pods, ignoring the medium priority pods.
@@ -391,23 +393,7 @@ var _ = SIGDescribe("SchedulerPreemption", framework.WithSerial(), func() {
 				})
 				mediumPriorityPods = append(mediumPriorityPods, p)
 			}
-		}
-
-		// All low priority Pods should be the target of preemption.
-		// Those Pods have a finalizer and hence should not be deleted yet at this point.
-		ginkgo.By("Check all low priority pods to be about to preempted.")
-		for _, pod := range lowPriorityPods {
-			framework.ExpectNoError(wait.PollUntilContextTimeout(ctx, time.Second, framework.PodStartTimeout, false, func(ctx context.Context) (bool, error) {
-				preemptedPod, err := cs.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
-				if err != nil {
-					return false, err
-				}
-				return preemptedPod.DeletionTimestamp != nil, nil
-			}))
-		}
 
-		ginkgo.By("Run high priority pods that have same requirements as that of lower priority pod")
-		for i := range nodeList.Items {
 			for j := 0; j < 5; j++ {
 				p := createPausePod(ctx, f, pausePodConfig{
 					Name:              fmt.Sprintf("pod%d-%d-%v", i, j, highPriorityClassName),
@@ -422,6 +408,19 @@ var _ = SIGDescribe("SchedulerPreemption", framework.WithSerial(), func() {
 			}
 		}
 
+		// All low priority Pods should be the target of preemption.
+		// Those Pods have a finalizer and hence should not be deleted yet at this point.
+		ginkgo.By("Check all low priority pods to be about to preempted.")
+		for _, pod := range lowPriorityPods {
+			framework.ExpectNoError(wait.PollUntilContextTimeout(ctx, time.Second, framework.PodStartTimeout, false, func(ctx context.Context) (bool, error) {
+				preemptedPod, err := cs.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
+				if err != nil {
+					return false, err
+				}
+				return preemptedPod.DeletionTimestamp != nil, nil
+			}))
+		}
+
 		// All high priority Pods should be schedulable by removing the low priority Pods.
 		ginkgo.By("Wait for high priority pods to be ready for the preemption.")
 		for _, pod := range highPriorityPods {
@@ -978,6 +977,8 @@ var _ = SIGDescribe("SchedulerPreemption", framework.WithSerial(), func() {
 				framework.ExpectNoError(err)
 				gomega.Expect(livePC.Value).To(gomega.Equal(pc.Value))
 				gomega.Expect(livePC.Description).To(gomega.Equal(newDesc))
+				gomega.Expect(livePC).To(apimachineryutils.HaveValidResourceVersion())
+				gomega.Expect(resourceversion.CompareResourceVersion(pc.ResourceVersion, livePC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "changed object should have a larger resource version")
 			}
 		})
 	})
diff --git a/test/e2e/scheduling/workload.go b/test/e2e/scheduling/workload.go
new file mode 100644
index 0000000000000..ec8ac63746712
--- /dev/null
+++ b/test/e2e/scheduling/workload.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheduling
+
+import (
+	"context"
+
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2econformance "k8s.io/kubernetes/test/e2e/framework/conformance"
+	admissionapi "k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
+)
+
+var _ = SIGDescribe("Workload", framework.WithFeatureGate(features.GenericWorkload), func() {
+	f := framework.NewDefaultFramework("workload-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	/*
+	   Release: v1.?
+	   Testname: CRUD operations for Workloads
+	   Description: kube-apiserver must support create/get/list/update/patch/delete operations for scheduling.k8s.io/v1alpha1 Workload.
+	*/
+	framework.It("Workload API availability", func(ctx context.Context) {
+		e2econformance.TestResource(ctx, f,
+			&e2econformance.ResourceTestcase[*schedulingv1alpha1.Workload]{
+				GVR:        schedulingv1alpha1.SchemeGroupVersion.WithResource("workloads"),
+				Namespaced: ptr.To(true),
+				InitialSpec: &schedulingv1alpha1.Workload{
+					Spec: schedulingv1alpha1.WorkloadSpec{
+						PodGroups: []schedulingv1alpha1.PodGroup{
+							{
+								Name: "pg1",
+								Policy: schedulingv1alpha1.PodGroupPolicy{
+									Gang: &schedulingv1alpha1.GangSchedulingPolicy{
+										MinCount: 5,
+									},
+								},
+							},
+						},
+					},
+				},
+				UpdateSpec: func(obj *schedulingv1alpha1.Workload) *schedulingv1alpha1.Workload {
+					obj.Spec.ControllerRef = &schedulingv1alpha1.TypedLocalObjectReference{
+						Kind: "foo",
+						Name: "bar",
+					}
+					return obj
+				},
+				StrategicMergePatchSpec: `{"metadata": {"labels": {"foo": "bar"}}}`,
+			},
+		)
+	})
+})
diff --git a/test/e2e/storage/csi_inline.go b/test/e2e/storage/csi_inline.go
index 9a968fbe5cc18..2b0334761441c 100644
--- a/test/e2e/storage/csi_inline.go
+++ b/test/e2e/storage/csi_inline.go
@@ -26,8 +26,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -193,8 +195,10 @@ var _ = utils.SIGDescribe("CSIInlineVolumes", func() {
 		ginkgo.By("Creating two CSIDrivers")
 		createdDriver1, err := client.Create(ctx, driver1, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "Failed to create first CSIDriver")
+		gomega.Expect(createdDriver1).To(apimachineryutils.HaveValidResourceVersion())
 		createdDriver2, err := client.Create(ctx, driver2, metav1.CreateOptions{})
 		framework.ExpectNoError(err, "Failed to create second CSIDriver")
+		gomega.Expect(createdDriver2).To(apimachineryutils.HaveValidResourceVersion())
 		_, err = client.Create(ctx, driver1, metav1.CreateOptions{})
 		if !apierrors.IsAlreadyExists(err) {
 			framework.Failf("expected 409, got %#v", err)
@@ -214,6 +218,7 @@ var _ = utils.SIGDescribe("CSIInlineVolumes", func() {
 		patchedCSIDriver, err := client.Patch(ctx, createdDriver2.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 		framework.ExpectNoError(err, "failed to patch CSIDriver %q", createdDriver2.Name)
 		gomega.Expect(patchedCSIDriver.Labels[createdDriver2.Name]).To(gomega.ContainSubstring("patched"), "Checking that patched label has been applied")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdDriver2.ResourceVersion, patchedCSIDriver.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By(fmt.Sprintf("Updating the CSIDriver %q", createdDriver2.Name))
 		var updatedCSIDriver *storagev1.CSIDriver
diff --git a/test/e2e/storage/csi_node.go b/test/e2e/storage/csi_node.go
index 079eb553c563b..35c48a0d8b8d9 100644
--- a/test/e2e/storage/csi_node.go
+++ b/test/e2e/storage/csi_node.go
@@ -26,7 +26,9 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
 
@@ -64,6 +66,7 @@ var _ = utils.SIGDescribe("CSINodes", func() {
 			ginkgo.By(fmt.Sprintf("Creating initial csiNode %q", initialCSINode.Name))
 			csiNode, err := csiNodeClient.Create(ctx, &initialCSINode, metav1.CreateOptions{})
 			framework.ExpectNoError(err, "failed to create csiNode %q", initialCSINode.Name)
+			gomega.Expect(csiNode).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By(fmt.Sprintf("Getting initial csiNode %q", initialCSINode.Name))
 			retrievedCSINode, err := csiNodeClient.Get(ctx, initialCSINode.Name, metav1.GetOptions{})
@@ -75,6 +78,7 @@ var _ = utils.SIGDescribe("CSINodes", func() {
 			patchedCSINode, err := csiNodeClient.Patch(ctx, csiNode.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "Failed to patch csiNode %q", csiNode.Name)
 			gomega.Expect(patchedCSINode.Labels).To(gomega.HaveKeyWithValue(csiNode.Name, "patched"), "Checking that patched label has been applied")
+			gomega.Expect(resourceversion.CompareResourceVersion(csiNode.ResourceVersion, patchedCSINode.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 			patchedSelector := labels.Set{csiNode.Name: "patched"}.AsSelector().String()
 			ginkgo.By(fmt.Sprintf("Listing csiNodes with LabelSelector %q", patchedSelector))
diff --git a/test/e2e/storage/csimock/base.go b/test/e2e/storage/csimock/base.go
index 4c51a11a319dc..5d261ec04fc46 100644
--- a/test/e2e/storage/csimock/base.go
+++ b/test/e2e/storage/csimock/base.go
@@ -98,18 +98,19 @@ type testParameters struct {
 	enableResizing      bool   // enable resizing for both CSI mock driver and storageClass.
 	enableNodeExpansion bool   // enable node expansion for CSI mock driver
 	// just disable resizing on driver it overrides enableResizing flag for CSI mock driver
-	disableResizingOnDriver    bool
-	disableControllerExpansion bool
-	enableSnapshot             bool
-	enableVolumeMountGroup     bool // enable the VOLUME_MOUNT_GROUP node capability in the CSI mock driver.
-	enableNodeVolumeCondition  bool
-	hooks                      *drivers.Hooks
-	tokenRequests              []storagev1.TokenRequest
-	requiresRepublish          *bool
-	fsGroupPolicy              *storagev1.FSGroupPolicy
-	enableSELinuxMount         *bool
-	enableCSINodeExpandSecret  bool
-	reclaimPolicy              *v1.PersistentVolumeReclaimPolicy
+	disableResizingOnDriver      bool
+	disableControllerExpansion   bool
+	enableSnapshot               bool
+	enableVolumeMountGroup       bool // enable the VOLUME_MOUNT_GROUP node capability in the CSI mock driver.
+	enableNodeVolumeCondition    bool
+	hooks                        *drivers.Hooks
+	tokenRequests                []storagev1.TokenRequest
+	serviceAccountTokenInSecrets *bool // if true, the service account token should be passed only via secrets
+	requiresRepublish            *bool
+	fsGroupPolicy                *storagev1.FSGroupPolicy
+	enableSELinuxMount           *bool
+	enableCSINodeExpandSecret    bool
+	reclaimPolicy                *v1.PersistentVolumeReclaimPolicy
 }
 
 type mockDriverSetup struct {
@@ -149,6 +150,7 @@ const (
 var (
 	errPodCompleted   = fmt.Errorf("pod ran to completion")
 	errNotEnoughSpace = errors.New(errReasonNotEnoughSpace)
+	sleepCommand      = []string{"sleep", "infinity"}
 )
 
 func newMockDriverSetup(f *framework.Framework) *mockDriverSetup {
@@ -166,22 +168,23 @@ func (m *mockDriverSetup) init(ctx context.Context, tp testParameters) {
 
 	var err error
 	driverOpts := drivers.CSIMockDriverOpts{
-		RegisterDriver:             tp.registerDriver,
-		PodInfo:                    tp.podInfo,
-		StorageCapacity:            tp.storageCapacity,
-		EnableTopology:             tp.enableTopology,
-		AttachLimit:                tp.attachLimit,
-		DisableAttach:              tp.disableAttach,
-		EnableResizing:             tp.enableResizing,
-		EnableNodeExpansion:        tp.enableNodeExpansion,
-		EnableNodeVolumeCondition:  tp.enableNodeVolumeCondition,
-		DisableControllerExpansion: tp.disableControllerExpansion,
-		EnableSnapshot:             tp.enableSnapshot,
-		EnableVolumeMountGroup:     tp.enableVolumeMountGroup,
-		TokenRequests:              tp.tokenRequests,
-		RequiresRepublish:          tp.requiresRepublish,
-		FSGroupPolicy:              tp.fsGroupPolicy,
-		EnableSELinuxMount:         tp.enableSELinuxMount,
+		RegisterDriver:               tp.registerDriver,
+		PodInfo:                      tp.podInfo,
+		StorageCapacity:              tp.storageCapacity,
+		EnableTopology:               tp.enableTopology,
+		AttachLimit:                  tp.attachLimit,
+		DisableAttach:                tp.disableAttach,
+		EnableResizing:               tp.enableResizing,
+		EnableNodeExpansion:          tp.enableNodeExpansion,
+		EnableNodeVolumeCondition:    tp.enableNodeVolumeCondition,
+		DisableControllerExpansion:   tp.disableControllerExpansion,
+		EnableSnapshot:               tp.enableSnapshot,
+		EnableVolumeMountGroup:       tp.enableVolumeMountGroup,
+		TokenRequests:                tp.tokenRequests,
+		RequiresRepublish:            tp.requiresRepublish,
+		FSGroupPolicy:                tp.fsGroupPolicy,
+		EnableSELinuxMount:           tp.enableSELinuxMount,
+		ServiceAccountTokenInSecrets: tp.serviceAccountTokenInSecrets,
 	}
 
 	// At the moment, only tests which need hooks are
@@ -474,7 +477,15 @@ func (m *mockDriverSetup) createPodWithFSGroup(ctx context.Context, fsGroup *int
 	return class, claim, pod
 }
 
-func (m *mockDriverSetup) createPodWithSELinux(ctx context.Context, accessModes []v1.PersistentVolumeAccessMode, mountOptions []string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy, privileged bool) (*storagev1.StorageClass, *v1.PersistentVolumeClaim, *v1.Pod) {
+func (m *mockDriverSetup) createPodWithSELinux(
+	ctx context.Context,
+	accessModes []v1.PersistentVolumeAccessMode,
+	mountOptions []string,
+	seLinuxOpts *v1.SELinuxOptions,
+	policy *v1.PodSELinuxChangePolicy,
+	privileged bool,
+	command []string) (*storagev1.StorageClass, *v1.PersistentVolumeClaim, *v1.Pod) {
+
 	ginkgo.By("Creating pod with SELinux context")
 	f := m.f
 	nodeSelection := m.config.ClientNodeSelection
@@ -491,7 +502,7 @@ func (m *mockDriverSetup) createPodWithSELinux(ctx context.Context, accessModes
 		ReclaimPolicy:        m.tp.reclaimPolicy,
 	}
 	class, claim := createClaim(ctx, f.ClientSet, scTest, nodeSelection, m.tp.scName, f.Namespace.Name, accessModes)
-	pod, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, seLinuxOpts, policy, privileged)
+	pod, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, seLinuxOpts, policy, privileged, command)
 	framework.ExpectNoError(err, "Failed to create pause pod with SELinux context %s: %v", seLinuxOpts, err)
 
 	if class != nil {
@@ -866,7 +877,19 @@ func startBusyBoxPodWithVolumeSource(cs clientset.Interface, volumeSource v1.Vol
 	return cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
 }
 
-func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentVolumeClaim, node e2epod.NodeSelection, ns string, seLinuxOpts *v1.SELinuxOptions, policy *v1.PodSELinuxChangePolicy, privileged bool) (*v1.Pod, error) {
+func startPausePodWithSELinuxOptions(
+	cs clientset.Interface,
+	pvc *v1.PersistentVolumeClaim,
+	node e2epod.NodeSelection,
+	ns string,
+	seLinuxOpts *v1.SELinuxOptions,
+	policy *v1.PodSELinuxChangePolicy,
+	privileged bool,
+	command []string) (*v1.Pod, error) {
+
+	if len(command) == 0 {
+		command = sleepCommand
+	}
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: "pvc-volume-tester-",
@@ -878,8 +901,9 @@ func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentV
 			},
 			Containers: []v1.Container{
 				{
-					Name:  "volume-tester",
-					Image: imageutils.GetE2EImage(imageutils.Pause),
+					Name:    "volume-tester",
+					Image:   e2epod.GetDefaultTestImage(),
+					Command: command,
 					SecurityContext: &v1.SecurityContext{
 						Privileged: &privileged,
 					},
@@ -914,11 +938,39 @@ func startPausePodWithSELinuxOptions(cs clientset.Interface, pvc *v1.PersistentV
 	return cs.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{})
 }
 
-// checkNodePublishVolume goes through all calls to the mock driver and checks that at least one NodePublishVolume call had expected attributes.
-// If a matched call is found but it has unexpected attributes, checkNodePublishVolume skips it and continues searching.
-func checkNodePublishVolume(ctx context.Context, getCalls func(ctx context.Context) ([]drivers.MockCSICall, error), pod *v1.Pod, expectPodInfo, ephemeralVolume, csiInlineVolumesEnabled, csiServiceAccountTokenEnabled bool) error {
+// checkExpectedValues checks if all expected key-value pairs are present in the actual map
+// and returns the set of keys that were found matching.
+func checkExpectedValues(expected map[string]string, actual map[string]string) sets.Set[string] {
+	found := sets.New[string]()
+	for k, v := range expected {
+		vv, exists := actual[k]
+		if exists && (v == vv || (v == "<nonempty>" && len(vv) != 0)) {
+			found.Insert(k)
+		}
+	}
+	return found
+}
+
+// checkUnexpectedValues checks if any unexpected keys are present in the actual map
+// and returns a map of unexpected key-value pairs.
+func checkUnexpectedValues(unexpectedKeys sets.Set[string], actual map[string]string) map[string]string {
+	unexpected := make(map[string]string)
+	for k := range actual {
+		if unexpectedKeys.Has(k) {
+			unexpected[k] = actual[k]
+		}
+	}
+	return unexpected
+}
+
+// checkNodePublishVolume goes through all calls to the mock driver and checks that at least one NodePublishVolume call had expected attributes and secrets.
+// If a matched call is found but it has unexpected attributes or secrets, checkNodePublishVolume skips it and continues searching.
+func checkNodePublishVolume(ctx context.Context, getCalls func(ctx context.Context) ([]drivers.MockCSICall, error), pod *v1.Pod, expectPodInfo, ephemeralVolume, csiInlineVolumesEnabled, csiServiceAccountTokenEnabled, serviceAccountTokenInSecrets bool) error {
 	expectedAttributes := map[string]string{}
 	unexpectedAttributeKeys := sets.New[string]()
+	expectedSecrets := map[string]string{}
+	unexpectedSecretKeys := sets.New[string]()
+
 	if expectPodInfo {
 		expectedAttributes["csi.storage.k8s.io/pod.name"] = pod.Name
 		expectedAttributes["csi.storage.k8s.io/pod.namespace"] = pod.Namespace
@@ -937,10 +989,20 @@ func checkNodePublishVolume(ctx context.Context, getCalls func(ctx context.Conte
 		unexpectedAttributeKeys.Insert("csi.storage.k8s.io/ephemeral")
 	}
 
-	if csiServiceAccountTokenEnabled {
-		expectedAttributes["csi.storage.k8s.io/serviceAccount.tokens"] = "<nonempty>"
-	} else {
-		unexpectedAttributeKeys.Insert("csi.storage.k8s.io/serviceAccount.tokens")
+	tokenKey := "csi.storage.k8s.io/serviceAccount.tokens"
+	switch {
+	case csiServiceAccountTokenEnabled && serviceAccountTokenInSecrets:
+		// Token should be in secrets field (if opted in by CSI driver)
+		expectedSecrets[tokenKey] = "<nonempty>"
+		unexpectedAttributeKeys.Insert(tokenKey)
+	case csiServiceAccountTokenEnabled:
+		// Token should be in attributes (legacy behavior)
+		expectedAttributes[tokenKey] = "<nonempty>"
+		unexpectedSecretKeys.Insert(tokenKey)
+	default:
+		// Token should not be present anywhere
+		unexpectedAttributeKeys.Insert(tokenKey)
+		unexpectedSecretKeys.Insert(tokenKey)
 	}
 
 	calls, err := getCalls(ctx)
@@ -948,47 +1010,53 @@ func checkNodePublishVolume(ctx context.Context, getCalls func(ctx context.Conte
 		return err
 	}
 
-	var volumeContexts []map[string]string
+	nodePublishCallCount := 0
 	for _, call := range calls {
 		if call.Method != "NodePublishVolume" {
 			continue
 		}
+		nodePublishCallCount++
 
 		volumeCtx := call.Request.VolumeContext
 
 		// Check that NodePublish had expected attributes
-		foundAttributes := sets.NewString()
-		for k, v := range expectedAttributes {
-			vv, found := volumeCtx[k]
-			if found && (v == vv || (v == "<nonempty>" && len(vv) != 0)) {
-				foundAttributes.Insert(k)
-			}
-		}
+		foundAttributes := checkExpectedValues(expectedAttributes, volumeCtx)
 		if foundAttributes.Len() != len(expectedAttributes) {
 			framework.Logf("Skipping the NodePublishVolume call: expected attribute %+v, got %+v", format.Object(expectedAttributes, 1), format.Object(volumeCtx, 1))
 			continue
 		}
 
 		// Check that NodePublish had no unexpected attributes
-		unexpectedAttributes := make(map[string]string)
-		for k := range volumeCtx {
-			if unexpectedAttributeKeys.Has(k) {
-				unexpectedAttributes[k] = volumeCtx[k]
-			}
-		}
+		unexpectedAttributes := checkUnexpectedValues(unexpectedAttributeKeys, volumeCtx)
 		if len(unexpectedAttributes) != 0 {
 			framework.Logf("Skipping the NodePublishVolume call because it contains unexpected attributes %+v", format.Object(unexpectedAttributes, 1))
 			continue
 		}
 
+		secrets := call.Request.Secrets
+
+		// Check that NodePublish had expected secrets
+		foundSecrets := checkExpectedValues(expectedSecrets, secrets)
+		if foundSecrets.Len() != len(expectedSecrets) {
+			framework.Logf("Skipping the NodePublishVolume call: expected secret %+v, got %+v", format.Object(expectedSecrets, 1), format.Object(secrets, 1))
+			continue
+		}
+
+		// Check that NodePublish had no unexpected secrets
+		unexpectedSecrets := checkUnexpectedValues(unexpectedSecretKeys, secrets)
+		if len(unexpectedSecrets) != 0 {
+			framework.Logf("Skipping the NodePublishVolume call because it contains unexpected secrets %+v", format.Object(unexpectedSecrets, 1))
+			continue
+		}
+
 		return nil
 	}
 
-	if len(volumeContexts) == 0 {
+	if nodePublishCallCount == 0 {
 		return fmt.Errorf("NodePublishVolume was never called")
 	}
 
-	return fmt.Errorf("NodePublishVolume was called %d times, but no call had expected attributes %s or calls have unwanted attributes key %+v", len(volumeContexts), format.Object(expectedAttributes, 1), unexpectedAttributeKeys.UnsortedList())
+	return fmt.Errorf("NodePublishVolume was called %d times, but no call had expected attributes %s and secrets %s, or calls have unwanted attributes keys %+v or secret keys %+v", nodePublishCallCount, format.Object(expectedAttributes, 1), format.Object(expectedSecrets, 1), unexpectedAttributeKeys.UnsortedList(), unexpectedSecretKeys.UnsortedList())
 }
 
 // createFSGroupRequestPreHook creates a hook that records the fsGroup passed in
diff --git a/test/e2e/storage/csimock/csi_selinux_mount.go b/test/e2e/storage/csimock/csi_selinux_mount.go
index 3a7045cbaf905..e6da5c7c427e3 100644
--- a/test/e2e/storage/csimock/csi_selinux_mount.go
+++ b/test/e2e/storage/csimock/csi_selinux_mount.go
@@ -298,7 +298,7 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
 				// Act
 				ginkgo.By("Starting the initial pod")
 				accessModes := []v1.PersistentVolumeAccessMode{t.volumeMode}
-				_, claim, pod := m.createPodWithSELinux(ctx, accessModes, t.mountOptions, t.firstPodSELinuxOpts, t.firstPodChangePolicy, false /* privileged */)
+				_, claim, pod := m.createPodWithSELinux(ctx, accessModes, t.mountOptions, t.firstPodSELinuxOpts, t.firstPodChangePolicy, false /* privileged */, sleepCommand)
 				err := e2epod.WaitForPodNameRunningInNamespace(ctx, m.cs, pod.Name, pod.Namespace)
 				framework.ExpectNoError(err, "starting the initial pod")
 
@@ -331,7 +331,15 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
 				pod, err = m.cs.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
 				framework.ExpectNoError(err, "getting the initial pod")
 				nodeSelection := e2epod.NodeSelection{Name: pod.Spec.NodeName}
-				pod2, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, t.secondPodSELinuxOpts, t.secondPodChangePolicy, false /* privileged */)
+				pod2, err := startPausePodWithSELinuxOptions(
+					f.ClientSet,
+					claim,
+					nodeSelection,
+					f.Namespace.Name,
+					t.secondPodSELinuxOpts,
+					t.secondPodChangePolicy,
+					false, /* privileged */
+					sleepCommand)
 				framework.ExpectNoError(err, "creating second pod with SELinux context %s", t.secondPodSELinuxOpts)
 				m.pods = append(m.pods, pod2)
 
@@ -353,7 +361,7 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
 					} else {
 						// There is nothing blocking the second pod from starting, wait for the second pod to fullly start.
 						reason = string(events.StartedContainer)
-						msg = "Started container"
+						msg = "" // the message has changed in Kubernetes 1.35, the Reason must be enough.
 					}
 				}
 				eventSelector := fields.Set{
@@ -361,6 +369,7 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
 					"involvedObject.name":      pod2.Name,
 					"involvedObject.namespace": pod2.Namespace,
 					"reason":                   reason,
+					"source":                   "kubelet",
 				}.AsSelector().String()
 				err = e2eevents.WaitTimeoutForEvent(ctx, m.cs, pod2.Namespace, eventSelector, msg, f.Timeouts.PodStart)
 				framework.ExpectNoError(err, "waiting for event %q in the second test pod", msg)
@@ -454,6 +463,7 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 			firstPodSELinuxOpts              *v1.SELinuxOptions
 			firstPodChangePolicy             *v1.PodSELinuxChangePolicy
 			firstPodPrivileged               bool
+			firstPodTargetPhase              v1.PodPhase // Phase the first pod should reach before the second pod is created. Empty value means Running
 			secondPodSELinuxOpts             *v1.SELinuxOptions
 			secondPodChangePolicy            *v1.PodSELinuxChangePolicy
 			secondPodPrivileged              bool
@@ -719,6 +729,74 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 				expectControllerConflictProperty: "SELinuxLabel",
 				testTags:                         []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
 			},
+			{
+				name:                    "error is not bumped on a finished Pod with a different context on RWO volume and SELinuxMount enabled",
+				csiDriverSELinuxEnabled: true,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				firstPodTargetPhase:     v1.PodSucceeded,
+				secondPodSELinuxOpts:    &seLinuxOpts2,
+				volumeMode:              v1.ReadWriteOnce,
+				waitForSecondPodStart:   true,
+				// The volume is unmounted between the first and the second Pod, so admitted_total increases,
+				expectNodeIncreases: sets.New[string]("volume_manager_selinux_volumes_admitted_total"),
+				testTags:            []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
+			{
+				name:                    "error is not bumped on a failed Pod with a different context on RWO volume and SELinuxMount enabled",
+				csiDriverSELinuxEnabled: true,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				firstPodTargetPhase:     v1.PodFailed,
+				secondPodSELinuxOpts:    &seLinuxOpts2,
+				volumeMode:              v1.ReadWriteOnce,
+				waitForSecondPodStart:   true,
+				// The volume is unmounted between the first and the second Pod, so admitted_total increases,
+				expectNodeIncreases: sets.New[string]("volume_manager_selinux_volumes_admitted_total"),
+				testTags:            []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
+			{
+				name:                    "warning is not bumped on RWO volume with CSIDriver.SELinuxMount disabled and mismatched labels",
+				csiDriverSELinuxEnabled: false,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				secondPodSELinuxOpts:    &seLinuxOpts2,
+				volumeMode:              v1.ReadWriteOnce,
+				waitForSecondPodStart:   true,
+				expectNodeIncreases:     sets.New[string]( /* no metric is increased, admitted_total was already increased when the first pod started */ ),
+				testTags:                []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
+			{
+				name:                    "warning is not bumped on RWX volume with CSIDriver.SELinuxMount disabled and mismatched labels",
+				csiDriverSELinuxEnabled: false,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				secondPodSELinuxOpts:    &seLinuxOpts2,
+				volumeMode:              v1.ReadWriteMany,
+				waitForSecondPodStart:   true,
+				expectNodeIncreases:     sets.New[string]( /* no metric is increased, admitted_total was already increased when the first pod started */ ),
+				testTags:                []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
+			{
+				name:                    "warning is not bumped on RWO volume with CSIDriver.SELinuxMount disabled and mismatched policies",
+				csiDriverSELinuxEnabled: false,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				firstPodChangePolicy:    &recursive,
+				secondPodSELinuxOpts:    &seLinuxOpts1,
+				secondPodChangePolicy:   &mount,
+				volumeMode:              v1.ReadWriteOnce,
+				waitForSecondPodStart:   true,
+				expectNodeIncreases:     sets.New[string]( /* no metric is increased, admitted_total was already increased when the first pod started */ ),
+				testTags:                []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
+			{
+				name:                    "warning is not bumped on RWX volume with CSIDriver.SELinuxMount disabled and mismatched policies",
+				csiDriverSELinuxEnabled: false,
+				firstPodSELinuxOpts:     &seLinuxOpts1,
+				firstPodChangePolicy:    &recursive,
+				secondPodSELinuxOpts:    &seLinuxOpts1,
+				secondPodChangePolicy:   &mount,
+				volumeMode:              v1.ReadWriteMany,
+				waitForSecondPodStart:   true,
+				expectNodeIncreases:     sets.New[string]( /* no metric is increased, admitted_total was already increased when the first pod started */ ),
+				testTags:                []interface{}{framework.WithFeatureGate(features.SELinuxMount)},
+			},
 		}
 		for _, t := range tests {
 			t := t
@@ -726,6 +804,9 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 				if processLabel == "" {
 					e2eskipper.Skipf("SELinux tests are supported only on %+v", getSupportedSELinuxDistros())
 				}
+				if t.firstPodTargetPhase == "" {
+					t.firstPodTargetPhase = v1.PodRunning
+				}
 
 				// Some metrics use CSI driver name as a label, which is "csi-mock-" + the namespace name.
 				volumePluginLabel := "volume_plugin=\"kubernetes.io/csi/csi-mock-" + f.Namespace.Name + "\""
@@ -744,9 +825,24 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 
 				ginkgo.By("Starting the first pod")
 				accessModes := []v1.PersistentVolumeAccessMode{t.volumeMode}
-				_, claim, pod := m.createPodWithSELinux(ctx, accessModes, []string{}, t.firstPodSELinuxOpts, t.firstPodChangePolicy, t.firstPodPrivileged)
-				err = e2epod.WaitForPodNameRunningInNamespace(ctx, m.cs, pod.Name, pod.Namespace)
-				framework.ExpectNoError(err, "starting the initial pod")
+				command := sleepCommand
+				switch t.firstPodTargetPhase {
+				case v1.PodSucceeded:
+					command = []string{"/bin/true"}
+				case v1.PodFailed:
+					command = []string{"/bin/false"}
+				}
+				_, claim, pod := m.createPodWithSELinux(ctx, accessModes, []string{}, t.firstPodSELinuxOpts, t.firstPodChangePolicy, t.firstPodPrivileged, command)
+
+				switch t.firstPodTargetPhase {
+				case v1.PodRunning:
+					err = e2epod.WaitForPodNameRunningInNamespace(ctx, m.cs, pod.Name, pod.Namespace)
+					framework.ExpectNoError(err, "starting the initial pod")
+				case v1.PodSucceeded, v1.PodFailed:
+					ginkgo.By("Waiting for the first pod to complete")
+					err = e2epod.WaitForPodNoLongerRunningInNamespace(ctx, m.cs, pod.Name, pod.Namespace)
+					framework.ExpectNoError(err, "starting and completing the initial pod")
+				}
 
 				ginkgo.By("Grabbing initial metrics")
 				pod, err = m.cs.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
@@ -759,7 +855,15 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 				ginkgo.By("Starting the second pod")
 				// Skip scheduler, it would block scheduling the second pod with ReadWriteOncePod PV.
 				nodeSelection := e2epod.NodeSelection{Name: pod.Spec.NodeName}
-				pod2, err := startPausePodWithSELinuxOptions(f.ClientSet, claim, nodeSelection, f.Namespace.Name, t.secondPodSELinuxOpts, t.secondPodChangePolicy, t.secondPodPrivileged)
+				pod2, err := startPausePodWithSELinuxOptions(
+					f.ClientSet,
+					claim,
+					nodeSelection,
+					f.Namespace.Name,
+					t.secondPodSELinuxOpts,
+					t.secondPodChangePolicy,
+					t.secondPodPrivileged,
+					sleepCommand)
 				framework.ExpectNoError(err, "creating second pod with SELinux context %s", t.secondPodSELinuxOpts)
 				m.pods = append(m.pods, pod2)
 
@@ -795,6 +899,9 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount metrics and SELinuxWarningC
 					// Check the controler generated event on the second pod
 					err = waitForConflictEvent(ctx, m.cs, pod2, pod, t.expectControllerConflictProperty, f.Timeouts.PodStart)
 					framework.ExpectNoError(err, "while waiting for an event on the second pod")
+				} else {
+					err := checkForNoConflictEvents(ctx, m.cs, pod, pod2)
+					framework.ExpectNoError(err, "ensuring there are no SELinux conflict events")
 				}
 			}
 			// t.testTags is array and it's not possible to use It("name", func(){xxx}, t.testTags...)
@@ -974,6 +1081,29 @@ func waitForConflictEvent(ctx context.Context, cs clientset.Interface, pod, othe
 	return e2eevents.WaitTimeoutForEvent(ctx, cs, pod.Namespace, eventSelector, msg, timeout)
 }
 
+func checkForNoConflictEvents(ctx context.Context, cs clientset.Interface, pod, otherPod *v1.Pod) error {
+	eventSelector := fields.Set{
+		"involvedObject.kind":      "Pod",
+		"involvedObject.name":      pod.Name,
+		"involvedObject.namespace": pod.Namespace,
+	}.AsSelector().String()
+	options := metav1.ListOptions{FieldSelector: eventSelector}
+
+	events, err := cs.CoreV1().Events(pod.Namespace).List(ctx, options)
+	if err != nil {
+		return fmt.Errorf("error getting events: %w", err)
+	}
+
+	msg := fmt.Sprintf("conflicts with pod %s that uses the same volume as this pod", otherPod.Name)
+	ginkgo.By(fmt.Sprintf("Checking for the SELinux controller events on pod %q: %q", pod.Name, msg))
+	for _, event := range events.Items {
+		if strings.Contains(event.Message, msg) {
+			return fmt.Errorf("conflict event found: %s", event.Message)
+		}
+	}
+	return nil
+}
+
 func dumpMetrics(metrics map[string]float64) {
 	// Print the metrics sorted by metric name for better readability
 	keys := make([]string, 0, len(metrics))
diff --git a/test/e2e/storage/csimock/csi_service_account_token.go b/test/e2e/storage/csimock/csi_service_account_token.go
index 19c041396adb0..08dba9bd894ad 100644
--- a/test/e2e/storage/csimock/csi_service_account_token.go
+++ b/test/e2e/storage/csimock/csi_service_account_token.go
@@ -39,9 +39,10 @@ var _ = utils.SIGDescribe("CSI Mock volume service account token", func() {
 			err error
 		)
 		tests := []struct {
-			desc                  string
-			deployCSIDriverObject bool
-			tokenRequests         []storagev1.TokenRequest
+			desc                         string
+			deployCSIDriverObject        bool
+			tokenRequests                []storagev1.TokenRequest
+			serviceAccountTokenInSecrets *bool
 		}{
 			{
 				desc:                  "token should not be plumbed down when csiServiceAccountTokenEnabled=false",
@@ -58,15 +59,22 @@ var _ = utils.SIGDescribe("CSI Mock volume service account token", func() {
 				deployCSIDriverObject: true,
 				tokenRequests:         []storagev1.TokenRequest{{ExpirationSeconds: ptr.To[int64](60 * 10)}},
 			},
+			{
+				desc:                         "token should be plumbed down only in secrets when serviceAccountTokenInSecrets=true",
+				deployCSIDriverObject:        true,
+				tokenRequests:                []storagev1.TokenRequest{{ExpirationSeconds: ptr.To[int64](60 * 10)}},
+				serviceAccountTokenInSecrets: ptr.To(true),
+			},
 		}
 		for _, test := range tests {
 			test := test
 			csiServiceAccountTokenEnabled := test.tokenRequests != nil
 			ginkgo.It(test.desc, func(ctx context.Context) {
 				m.init(ctx, testParameters{
-					registerDriver:    test.deployCSIDriverObject,
-					tokenRequests:     test.tokenRequests,
-					requiresRepublish: &csiServiceAccountTokenEnabled,
+					registerDriver:               test.deployCSIDriverObject,
+					tokenRequests:                test.tokenRequests,
+					requiresRepublish:            &csiServiceAccountTokenEnabled,
+					serviceAccountTokenInSecrets: test.serviceAccountTokenInSecrets,
 				})
 
 				ginkgo.DeferCleanup(m.cleanup)
@@ -88,7 +96,11 @@ var _ = utils.SIGDescribe("CSI Mock volume service account token", func() {
 				framework.ExpectNoError(err, "while deleting")
 
 				ginkgo.By("Checking CSI driver logs")
-				err = checkNodePublishVolume(ctx, m.driver.GetCalls, pod, false, false, false, test.deployCSIDriverObject && csiServiceAccountTokenEnabled)
+				var serviceAccountTokenInSecrets bool
+				if test.serviceAccountTokenInSecrets != nil {
+					serviceAccountTokenInSecrets = *test.serviceAccountTokenInSecrets
+				}
+				err = checkNodePublishVolume(ctx, m.driver.GetCalls, pod, false, false, false, test.deployCSIDriverObject && csiServiceAccountTokenEnabled, serviceAccountTokenInSecrets)
 				framework.ExpectNoError(err)
 			})
 		}
diff --git a/test/e2e/storage/csimock/csi_volume_expansion.go b/test/e2e/storage/csimock/csi_volume_expansion.go
index 5ef302d92acaa..e8683b203f65d 100644
--- a/test/e2e/storage/csimock/csi_volume_expansion.go
+++ b/test/e2e/storage/csimock/csi_volume_expansion.go
@@ -591,33 +591,36 @@ var _ = utils.SIGDescribe("CSI Mock volume expansion", func() {
 
 func validateQuotaUsage(ctx context.Context, m *mockDriverSetup, currentQuota, expectedQuota *v1.ResourceQuota) {
 	ginkgo.By("Waiting for resource quota usage to be updated")
-	var err error
-	var quota *v1.ResourceQuota
-	var usedCount resource.Quantity
-	var usedSize resource.Quantity
+	var (
+		quota     *v1.ResourceQuota
+		usedCount resource.Quantity
+		usedSize  resource.Quantity
+	)
 
 	expectedCount := expectedQuota.Status.Used[pvcCountQuotaKey]
 	expectedUsedSize := expectedQuota.Status.Used[pvcSizeQuotaKey]
 
-	waitErr := wait.PollUntilContextTimeout(ctx, resizePollInterval, csiResizeWaitPeriod, true, func(pollContext context.Context) (bool, error) {
-		quota, err = m.cs.CoreV1().ResourceQuotas(currentQuota.Namespace).Get(pollContext, currentQuota.Name, metav1.GetOptions{})
+	gomega.Eventually(func() error {
+		q, err := m.cs.CoreV1().ResourceQuotas(currentQuota.Namespace).Get(ctx, currentQuota.Name, metav1.GetOptions{})
 		if err != nil {
-			return false, fmt.Errorf("error fetching resource quota %q: %w", expectedQuota.Name, err)
+			return fmt.Errorf("failed to get resource quota %s/%s: %w", currentQuota.Namespace, currentQuota.Name, err)
 		}
-		if quota.Status.Used == nil {
-			return false, nil
+		if q.Status.Used == nil {
+			return fmt.Errorf("resource quota %s/%s has nil Status.Used", currentQuota.Namespace, currentQuota.Name)
 		}
+
+		quota = q
 		usedCount = quota.Status.Used[pvcCountQuotaKey]
 		usedSize = quota.Status.Used[pvcSizeQuotaKey]
-		if usedCount.Cmp(expectedCount) == 0 && usedSize.Cmp(expectedUsedSize) == 0 {
-			return true, nil
-		}
-		return false, nil
-	})
 
-	if waitErr != nil {
-		framework.Failf("error while waiting for resource quota usage to be updated, currentlyUsed: %s/%s, expected: %s/%s: %v", usedCount.String(), usedSize.String(), expectedCount.String(), expectedUsedSize.String(), waitErr)
-	}
+		if usedCount.Cmp(expectedCount) != 0 || usedSize.Cmp(expectedUsedSize) != 0 {
+			return fmt.Errorf(
+				"resource quota usage did not converge; currentlyUsed: %s/%s, expected: %s/%s",
+				usedCount.String(), usedSize.String(), expectedCount.String(), expectedUsedSize.String(),
+			)
+		}
+		return nil
+	}, csiResizeWaitPeriod, resizePollInterval).Should(gomega.Succeed())
 }
 
 func validateRecoveryBehaviour(ctx context.Context, pvc *v1.PersistentVolumeClaim, m *mockDriverSetup, test recoveryTest) {
@@ -647,8 +650,10 @@ func validateRecoveryBehaviour(ctx context.Context, pvc *v1.PersistentVolumeClai
 		framework.Failf("error updating pvc size %q", pvc.Name)
 	}
 
-	// if expansion failed on controller with final error, then recovery should be possible
-	if test.simulatedCSIDriverError == expansionFailedOnControllerWithInfeasibleError {
+	// If expansion failed on controller (infeasible or final), recovery should be possible.
+	// Wait for the recovery resize to settle before checking quota.
+	if test.simulatedCSIDriverError == expansionFailedOnControllerWithInfeasibleError ||
+		test.simulatedCSIDriverError == expansionFailedOnControllerWithFinalError {
 		validateExpansionSuccess(ctx, pvc, m, test, test.recoverySize.String())
 		return
 	}
diff --git a/test/e2e/storage/csimock/csi_volume_limit_scaling.go b/test/e2e/storage/csimock/csi_volume_limit_scaling.go
new file mode 100644
index 0000000000000..0ce6a0d42bb3b
--- /dev/null
+++ b/test/e2e/storage/csimock/csi_volume_limit_scaling.go
@@ -0,0 +1,149 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package csimock
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/onsi/ginkgo/v2"
+	v1 "k8s.io/api/core/v1"
+	storagev1 "k8s.io/api/storage/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	clientset "k8s.io/client-go/kubernetes"
+	admissionapi "k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
+
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2eevents "k8s.io/kubernetes/test/e2e/framework/events"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2epv "k8s.io/kubernetes/test/e2e/framework/pv"
+	"k8s.io/kubernetes/test/e2e/storage/testsuites"
+	"k8s.io/kubernetes/test/e2e/storage/utils"
+)
+
+var _ = utils.SIGDescribe("CSI Mock VolumeLimitScaling scheduling", framework.WithFeatureGate(features.VolumeLimitScaling), func() {
+	f := framework.NewDefaultFramework("csi-mock-volumes-limit-sched")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	f.Context("VolumeLimitScaling scheduling", func() {
+		tests := []struct {
+			name              string
+			csiDriverPresent  bool
+			expectSchedulable bool
+		}{
+			{
+				name:              "blocks scheduling when driver not installed and CSIDriver is present",
+				csiDriverPresent:  true,
+				expectSchedulable: false,
+			},
+			{
+				name:              "allows scheduling when driver not installed and CSIDriver object is not present",
+				csiDriverPresent:  false,
+				expectSchedulable: true,
+			},
+		}
+
+		for _, t := range tests {
+			// capture range variable
+			tc := t
+			testFunc := func(ctx context.Context) {
+				// Create a CSIDriver for a fake, not-installed driver name
+				fakeDriver := fmt.Sprintf("csi-mock-uninstalled-%s", f.Namespace.Name)
+				csiDriver := &storagev1.CSIDriver{
+					ObjectMeta: metav1.ObjectMeta{Name: fakeDriver},
+					Spec:       storagev1.CSIDriverSpec{},
+				}
+
+				if tc.csiDriverPresent {
+					_, err := f.ClientSet.StorageV1().CSIDrivers().Create(ctx, csiDriver, metav1.CreateOptions{})
+					framework.ExpectNoError(err, "creating CSIDriver %s", fakeDriver)
+					ginkgo.DeferCleanup(func() {
+						_ = f.ClientSet.StorageV1().CSIDrivers().Delete(context.TODO(), fakeDriver, metav1.DeleteOptions{})
+					})
+				}
+
+				// Create a StorageClass that uses the fake driver with WaitForFirstConsumer
+				scTest := testsuites.StorageClassTest{
+					Name:         fakeDriver,
+					Provisioner:  fakeDriver,
+					DelayBinding: false,
+					ClaimSize:    "1Gi",
+				}
+				sc := createSC(f.ClientSet, scTest, "", f.Namespace.Name)
+				pvConfig := e2epv.PersistentVolumeConfig{
+					Capacity:         "1Gi",
+					StorageClassName: sc.Name,
+					VolumeMode:       ptr.To(v1.PersistentVolumeFilesystem),
+					AccessModes:      []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+					ReclaimPolicy:    v1.PersistentVolumeReclaimDelete,
+					PVSource: v1.PersistentVolumeSource{
+						CSI: &v1.CSIPersistentVolumeSource{
+							Driver:       fakeDriver,
+							VolumeHandle: "test-volume-handle",
+						},
+					},
+				}
+				pvcConfig := e2epv.PersistentVolumeClaimConfig{
+					ClaimSize:        "1Gi",
+					StorageClassName: &sc.Name,
+					VolumeMode:       ptr.To(v1.PersistentVolumeFilesystem),
+					AccessModes:      []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+				}
+				volume, claim, err := e2epv.CreatePVPVC(ctx, f.ClientSet, f.Timeouts, pvConfig, pvcConfig, f.Namespace.Name, true)
+				framework.ExpectNoError(err, "creating PV and PVC")
+				err = e2epv.WaitOnPVandPVC(ctx, f.ClientSet, f.Timeouts, f.Namespace.Name, volume, claim)
+				framework.ExpectNoError(err, "waiting for PV and PVC to be bound each other")
+
+				// Create a pod using that PVC
+				pod, err := createPodWithPVCWithoutNodeSelection(f.ClientSet, claim, f.Namespace.Name)
+				framework.ExpectNoError(err, "creating pod")
+
+				if tc.expectSchedulable {
+					// Pod should get scheduled to some node (NodeName set). Allow more time in case binders are slow.
+					err = e2epod.WaitForPodCondition(ctx, f.ClientSet, pod.Namespace, pod.Name, "pod is scheduled", f.Timeouts.PodStart, func(p *v1.Pod) (bool, error) {
+						return p.Spec.NodeName != "", nil
+					})
+					framework.ExpectNoError(err, "waiting for pod to be scheduled when prevent=false")
+				} else {
+					// Expect FailedScheduling event with driver-not-installed message
+					framework.Logf("Waiting for FailedScheduling event with driver-not-installed message")
+					framework.Logf("Pod status: %+v", pod.Status)
+					failedMsg := fmt.Sprintf("%s CSI driver is not installed on the node", fakeDriver)
+					eventSelector := fields.Set{
+						"involvedObject.kind":      "Pod",
+						"involvedObject.name":      pod.Name,
+						"involvedObject.namespace": pod.Namespace,
+						"reason":                   "FailedScheduling",
+					}.AsSelector().String()
+					err = e2eevents.WaitTimeoutForEvent(ctx, f.ClientSet, pod.Namespace, eventSelector, failedMsg, f.Timeouts.PodStart)
+					framework.ExpectNoError(err, "waiting for FailedScheduling due to missing CSI driver")
+				}
+			}
+
+			// Compose It with feature tags
+			args := []interface{}{tc.name, testFunc}
+			framework.It(args...)
+		}
+	})
+})
+
+func createPodWithPVCWithoutNodeSelection(cs clientset.Interface, pvc *v1.PersistentVolumeClaim, ns string) (*v1.Pod, error) {
+	return startPausePodWithClaim(cs, pvc, e2epod.NodeSelection{}, ns)
+}
diff --git a/test/e2e/storage/csimock/csi_workload.go b/test/e2e/storage/csimock/csi_workload.go
index 5f44c69e6a4f4..ceb4f8f00e902 100644
--- a/test/e2e/storage/csimock/csi_workload.go
+++ b/test/e2e/storage/csimock/csi_workload.go
@@ -149,7 +149,7 @@ func waitUntilPodInfoInLog(ctx context.Context, m *mockDriverSetup, expectPodInf
 			framework.ExpectNoError(err, "while deleting")
 
 			ginkgo.By("Checking CSI driver logs")
-			err = checkNodePublishVolume(ctx, m.driver.GetCalls, pod, expectPodInfo, expectEphemeral, csiInlineVolumesEnabled, false)
+			err = checkNodePublishVolume(ctx, m.driver.GetCalls, pod, expectPodInfo, expectEphemeral, csiInlineVolumesEnabled, false, false)
 			framework.ExpectNoError(err)
 		})
 
diff --git a/test/e2e/storage/csistoragecapacity.go b/test/e2e/storage/csistoragecapacity.go
index ffb62de46d77a..b7aac8e6cf826 100644
--- a/test/e2e/storage/csistoragecapacity.go
+++ b/test/e2e/storage/csistoragecapacity.go
@@ -24,8 +24,10 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -154,6 +156,7 @@ var _ = utils.SIGDescribe("CSIStorageCapacity", func() {
 		gottenCSC, err := cscClient.Get(ctx, csc.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(gottenCSC.UID).To(gomega.Equal(createdCSC.UID))
+		gomega.Expect(gottenCSC).To(apimachineryutils.HaveValidResourceVersion())
 
 		ginkgo.By("listing in namespace")
 		cscs, err := cscClient.List(ctx, metav1.ListOptions{LabelSelector: "test=" + f.UniqueName})
@@ -169,6 +172,7 @@ var _ = utils.SIGDescribe("CSIStorageCapacity", func() {
 		patchedCSC, err := cscClient.Patch(ctx, createdCSC.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{})
 		framework.ExpectNoError(err)
 		gomega.Expect(patchedCSC.Annotations).To(gomega.HaveKeyWithValue("patched", "true"), "patched object should have the applied annotation")
+		gomega.Expect(resourceversion.CompareResourceVersion(createdCSC.ResourceVersion, patchedCSC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 		ginkgo.By("updating")
 		csrToUpdate := patchedCSC.DeepCopy()
diff --git a/test/e2e/storage/drivers/csi-test/driver/.mockery.yaml b/test/e2e/storage/drivers/csi-test/driver/.mockery.yaml
index 2ccaee2339210..b9f34dd43e968 100644
--- a/test/e2e/storage/drivers/csi-test/driver/.mockery.yaml
+++ b/test/e2e/storage/drivers/csi-test/driver/.mockery.yaml
@@ -1,12 +1,14 @@
 ---
 dir: .
-filename: mock_{{.InterfaceName | snakecase}}.go
-outpkg: driver
-boilerplate-file: ../../../../../../hack/boilerplate/boilerplate.generatego.txt
-with-expecter: True
+filename: mocks.go
+pkgname: driver
+template: testify
+template-data:
+  boilerplate-file: ../../../../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   github.com/container-storage-interface/spec/lib/go/csi:
     interfaces:
-      ControllerServer:
-      IdentityServer:
-      NodeServer:
+      ControllerServer: {}
+      IdentityServer: {}
+      NodeServer: {}
diff --git a/test/e2e/storage/drivers/csi-test/driver/mock_controller_server.go b/test/e2e/storage/drivers/csi-test/driver/mock_controller_server.go
deleted file mode 100644
index 3aef0fd37eef3..0000000000000
--- a/test/e2e/storage/drivers/csi-test/driver/mock_controller_server.go
+++ /dev/null
@@ -1,879 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package driver
-
-import (
-	context "context"
-
-	csi "github.com/container-storage-interface/spec/lib/go/csi"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockControllerServer is an autogenerated mock type for the ControllerServer type
-type MockControllerServer struct {
-	mock.Mock
-}
-
-type MockControllerServer_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockControllerServer) EXPECT() *MockControllerServer_Expecter {
-	return &MockControllerServer_Expecter{mock: &_m.Mock}
-}
-
-// ControllerExpandVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerExpandVolume(_a0 context.Context, _a1 *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerExpandVolume")
-	}
-
-	var r0 *csi.ControllerExpandVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerExpandVolumeRequest) *csi.ControllerExpandVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerExpandVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerExpandVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerExpandVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerExpandVolume'
-type MockControllerServer_ControllerExpandVolume_Call struct {
-	*mock.Call
-}
-
-// ControllerExpandVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerExpandVolumeRequest
-func (_e *MockControllerServer_Expecter) ControllerExpandVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerExpandVolume_Call {
-	return &MockControllerServer_ControllerExpandVolume_Call{Call: _e.mock.On("ControllerExpandVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerExpandVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerExpandVolumeRequest)) *MockControllerServer_ControllerExpandVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerExpandVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerExpandVolume_Call) Return(_a0 *csi.ControllerExpandVolumeResponse, _a1 error) *MockControllerServer_ControllerExpandVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerExpandVolume_Call) RunAndReturn(run func(context.Context, *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error)) *MockControllerServer_ControllerExpandVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ControllerGetCapabilities provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerGetCapabilities(_a0 context.Context, _a1 *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerGetCapabilities")
-	}
-
-	var r0 *csi.ControllerGetCapabilitiesResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) *csi.ControllerGetCapabilitiesResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerGetCapabilitiesResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerGetCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerGetCapabilities'
-type MockControllerServer_ControllerGetCapabilities_Call struct {
-	*mock.Call
-}
-
-// ControllerGetCapabilities is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerGetCapabilitiesRequest
-func (_e *MockControllerServer_Expecter) ControllerGetCapabilities(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerGetCapabilities_Call {
-	return &MockControllerServer_ControllerGetCapabilities_Call{Call: _e.mock.On("ControllerGetCapabilities", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerGetCapabilities_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerGetCapabilitiesRequest)) *MockControllerServer_ControllerGetCapabilities_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerGetCapabilitiesRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerGetCapabilities_Call) Return(_a0 *csi.ControllerGetCapabilitiesResponse, _a1 error) *MockControllerServer_ControllerGetCapabilities_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerGetCapabilities_Call) RunAndReturn(run func(context.Context, *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error)) *MockControllerServer_ControllerGetCapabilities_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ControllerGetVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerGetVolume(_a0 context.Context, _a1 *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerGetVolume")
-	}
-
-	var r0 *csi.ControllerGetVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetVolumeRequest) *csi.ControllerGetVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerGetVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerGetVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerGetVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerGetVolume'
-type MockControllerServer_ControllerGetVolume_Call struct {
-	*mock.Call
-}
-
-// ControllerGetVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerGetVolumeRequest
-func (_e *MockControllerServer_Expecter) ControllerGetVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerGetVolume_Call {
-	return &MockControllerServer_ControllerGetVolume_Call{Call: _e.mock.On("ControllerGetVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerGetVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerGetVolumeRequest)) *MockControllerServer_ControllerGetVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerGetVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerGetVolume_Call) Return(_a0 *csi.ControllerGetVolumeResponse, _a1 error) *MockControllerServer_ControllerGetVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerGetVolume_Call) RunAndReturn(run func(context.Context, *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error)) *MockControllerServer_ControllerGetVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ControllerModifyVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerModifyVolume(_a0 context.Context, _a1 *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerModifyVolume")
-	}
-
-	var r0 *csi.ControllerModifyVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerModifyVolumeRequest) *csi.ControllerModifyVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerModifyVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerModifyVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerModifyVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerModifyVolume'
-type MockControllerServer_ControllerModifyVolume_Call struct {
-	*mock.Call
-}
-
-// ControllerModifyVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerModifyVolumeRequest
-func (_e *MockControllerServer_Expecter) ControllerModifyVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerModifyVolume_Call {
-	return &MockControllerServer_ControllerModifyVolume_Call{Call: _e.mock.On("ControllerModifyVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerModifyVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerModifyVolumeRequest)) *MockControllerServer_ControllerModifyVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerModifyVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerModifyVolume_Call) Return(_a0 *csi.ControllerModifyVolumeResponse, _a1 error) *MockControllerServer_ControllerModifyVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerModifyVolume_Call) RunAndReturn(run func(context.Context, *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error)) *MockControllerServer_ControllerModifyVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ControllerPublishVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerPublishVolume(_a0 context.Context, _a1 *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerPublishVolume")
-	}
-
-	var r0 *csi.ControllerPublishVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerPublishVolumeRequest) *csi.ControllerPublishVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerPublishVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerPublishVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerPublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerPublishVolume'
-type MockControllerServer_ControllerPublishVolume_Call struct {
-	*mock.Call
-}
-
-// ControllerPublishVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerPublishVolumeRequest
-func (_e *MockControllerServer_Expecter) ControllerPublishVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerPublishVolume_Call {
-	return &MockControllerServer_ControllerPublishVolume_Call{Call: _e.mock.On("ControllerPublishVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerPublishVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerPublishVolumeRequest)) *MockControllerServer_ControllerPublishVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerPublishVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerPublishVolume_Call) Return(_a0 *csi.ControllerPublishVolumeResponse, _a1 error) *MockControllerServer_ControllerPublishVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerPublishVolume_Call) RunAndReturn(run func(context.Context, *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error)) *MockControllerServer_ControllerPublishVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ControllerUnpublishVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ControllerUnpublishVolume(_a0 context.Context, _a1 *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ControllerUnpublishVolume")
-	}
-
-	var r0 *csi.ControllerUnpublishVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) *csi.ControllerUnpublishVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ControllerUnpublishVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ControllerUnpublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerUnpublishVolume'
-type MockControllerServer_ControllerUnpublishVolume_Call struct {
-	*mock.Call
-}
-
-// ControllerUnpublishVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ControllerUnpublishVolumeRequest
-func (_e *MockControllerServer_Expecter) ControllerUnpublishVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_ControllerUnpublishVolume_Call {
-	return &MockControllerServer_ControllerUnpublishVolume_Call{Call: _e.mock.On("ControllerUnpublishVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ControllerUnpublishVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.ControllerUnpublishVolumeRequest)) *MockControllerServer_ControllerUnpublishVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ControllerUnpublishVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerUnpublishVolume_Call) Return(_a0 *csi.ControllerUnpublishVolumeResponse, _a1 error) *MockControllerServer_ControllerUnpublishVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ControllerUnpublishVolume_Call) RunAndReturn(run func(context.Context, *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error)) *MockControllerServer_ControllerUnpublishVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// CreateSnapshot provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) CreateSnapshot(_a0 context.Context, _a1 *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for CreateSnapshot")
-	}
-
-	var r0 *csi.CreateSnapshotResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.CreateSnapshotRequest) *csi.CreateSnapshotResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.CreateSnapshotResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.CreateSnapshotRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_CreateSnapshot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateSnapshot'
-type MockControllerServer_CreateSnapshot_Call struct {
-	*mock.Call
-}
-
-// CreateSnapshot is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.CreateSnapshotRequest
-func (_e *MockControllerServer_Expecter) CreateSnapshot(_a0 interface{}, _a1 interface{}) *MockControllerServer_CreateSnapshot_Call {
-	return &MockControllerServer_CreateSnapshot_Call{Call: _e.mock.On("CreateSnapshot", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_CreateSnapshot_Call) Run(run func(_a0 context.Context, _a1 *csi.CreateSnapshotRequest)) *MockControllerServer_CreateSnapshot_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.CreateSnapshotRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_CreateSnapshot_Call) Return(_a0 *csi.CreateSnapshotResponse, _a1 error) *MockControllerServer_CreateSnapshot_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_CreateSnapshot_Call) RunAndReturn(run func(context.Context, *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error)) *MockControllerServer_CreateSnapshot_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// CreateVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) CreateVolume(_a0 context.Context, _a1 *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for CreateVolume")
-	}
-
-	var r0 *csi.CreateVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.CreateVolumeRequest) *csi.CreateVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.CreateVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.CreateVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_CreateVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateVolume'
-type MockControllerServer_CreateVolume_Call struct {
-	*mock.Call
-}
-
-// CreateVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.CreateVolumeRequest
-func (_e *MockControllerServer_Expecter) CreateVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_CreateVolume_Call {
-	return &MockControllerServer_CreateVolume_Call{Call: _e.mock.On("CreateVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_CreateVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.CreateVolumeRequest)) *MockControllerServer_CreateVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.CreateVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_CreateVolume_Call) Return(_a0 *csi.CreateVolumeResponse, _a1 error) *MockControllerServer_CreateVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_CreateVolume_Call) RunAndReturn(run func(context.Context, *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error)) *MockControllerServer_CreateVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// DeleteSnapshot provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) DeleteSnapshot(_a0 context.Context, _a1 *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for DeleteSnapshot")
-	}
-
-	var r0 *csi.DeleteSnapshotResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.DeleteSnapshotRequest) *csi.DeleteSnapshotResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.DeleteSnapshotResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.DeleteSnapshotRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_DeleteSnapshot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteSnapshot'
-type MockControllerServer_DeleteSnapshot_Call struct {
-	*mock.Call
-}
-
-// DeleteSnapshot is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.DeleteSnapshotRequest
-func (_e *MockControllerServer_Expecter) DeleteSnapshot(_a0 interface{}, _a1 interface{}) *MockControllerServer_DeleteSnapshot_Call {
-	return &MockControllerServer_DeleteSnapshot_Call{Call: _e.mock.On("DeleteSnapshot", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_DeleteSnapshot_Call) Run(run func(_a0 context.Context, _a1 *csi.DeleteSnapshotRequest)) *MockControllerServer_DeleteSnapshot_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.DeleteSnapshotRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_DeleteSnapshot_Call) Return(_a0 *csi.DeleteSnapshotResponse, _a1 error) *MockControllerServer_DeleteSnapshot_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_DeleteSnapshot_Call) RunAndReturn(run func(context.Context, *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error)) *MockControllerServer_DeleteSnapshot_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// DeleteVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) DeleteVolume(_a0 context.Context, _a1 *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for DeleteVolume")
-	}
-
-	var r0 *csi.DeleteVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.DeleteVolumeRequest) *csi.DeleteVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.DeleteVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.DeleteVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_DeleteVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteVolume'
-type MockControllerServer_DeleteVolume_Call struct {
-	*mock.Call
-}
-
-// DeleteVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.DeleteVolumeRequest
-func (_e *MockControllerServer_Expecter) DeleteVolume(_a0 interface{}, _a1 interface{}) *MockControllerServer_DeleteVolume_Call {
-	return &MockControllerServer_DeleteVolume_Call{Call: _e.mock.On("DeleteVolume", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_DeleteVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.DeleteVolumeRequest)) *MockControllerServer_DeleteVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.DeleteVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_DeleteVolume_Call) Return(_a0 *csi.DeleteVolumeResponse, _a1 error) *MockControllerServer_DeleteVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_DeleteVolume_Call) RunAndReturn(run func(context.Context, *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error)) *MockControllerServer_DeleteVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetCapacity provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) GetCapacity(_a0 context.Context, _a1 *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetCapacity")
-	}
-
-	var r0 *csi.GetCapacityResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetCapacityRequest) *csi.GetCapacityResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.GetCapacityResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.GetCapacityRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_GetCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCapacity'
-type MockControllerServer_GetCapacity_Call struct {
-	*mock.Call
-}
-
-// GetCapacity is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.GetCapacityRequest
-func (_e *MockControllerServer_Expecter) GetCapacity(_a0 interface{}, _a1 interface{}) *MockControllerServer_GetCapacity_Call {
-	return &MockControllerServer_GetCapacity_Call{Call: _e.mock.On("GetCapacity", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_GetCapacity_Call) Run(run func(_a0 context.Context, _a1 *csi.GetCapacityRequest)) *MockControllerServer_GetCapacity_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.GetCapacityRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_GetCapacity_Call) Return(_a0 *csi.GetCapacityResponse, _a1 error) *MockControllerServer_GetCapacity_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_GetCapacity_Call) RunAndReturn(run func(context.Context, *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error)) *MockControllerServer_GetCapacity_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListSnapshots provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ListSnapshots(_a0 context.Context, _a1 *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListSnapshots")
-	}
-
-	var r0 *csi.ListSnapshotsResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ListSnapshotsRequest) *csi.ListSnapshotsResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ListSnapshotsResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ListSnapshotsRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ListSnapshots_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListSnapshots'
-type MockControllerServer_ListSnapshots_Call struct {
-	*mock.Call
-}
-
-// ListSnapshots is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ListSnapshotsRequest
-func (_e *MockControllerServer_Expecter) ListSnapshots(_a0 interface{}, _a1 interface{}) *MockControllerServer_ListSnapshots_Call {
-	return &MockControllerServer_ListSnapshots_Call{Call: _e.mock.On("ListSnapshots", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ListSnapshots_Call) Run(run func(_a0 context.Context, _a1 *csi.ListSnapshotsRequest)) *MockControllerServer_ListSnapshots_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ListSnapshotsRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ListSnapshots_Call) Return(_a0 *csi.ListSnapshotsResponse, _a1 error) *MockControllerServer_ListSnapshots_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ListSnapshots_Call) RunAndReturn(run func(context.Context, *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error)) *MockControllerServer_ListSnapshots_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ListVolumes provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ListVolumes(_a0 context.Context, _a1 *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ListVolumes")
-	}
-
-	var r0 *csi.ListVolumesResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ListVolumesRequest) *csi.ListVolumesResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ListVolumesResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ListVolumesRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ListVolumes_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListVolumes'
-type MockControllerServer_ListVolumes_Call struct {
-	*mock.Call
-}
-
-// ListVolumes is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ListVolumesRequest
-func (_e *MockControllerServer_Expecter) ListVolumes(_a0 interface{}, _a1 interface{}) *MockControllerServer_ListVolumes_Call {
-	return &MockControllerServer_ListVolumes_Call{Call: _e.mock.On("ListVolumes", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ListVolumes_Call) Run(run func(_a0 context.Context, _a1 *csi.ListVolumesRequest)) *MockControllerServer_ListVolumes_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ListVolumesRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ListVolumes_Call) Return(_a0 *csi.ListVolumesResponse, _a1 error) *MockControllerServer_ListVolumes_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ListVolumes_Call) RunAndReturn(run func(context.Context, *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error)) *MockControllerServer_ListVolumes_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// ValidateVolumeCapabilities provides a mock function with given fields: _a0, _a1
-func (_m *MockControllerServer) ValidateVolumeCapabilities(_a0 context.Context, _a1 *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ValidateVolumeCapabilities")
-	}
-
-	var r0 *csi.ValidateVolumeCapabilitiesResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) *csi.ValidateVolumeCapabilitiesResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ValidateVolumeCapabilitiesResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockControllerServer_ValidateVolumeCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ValidateVolumeCapabilities'
-type MockControllerServer_ValidateVolumeCapabilities_Call struct {
-	*mock.Call
-}
-
-// ValidateVolumeCapabilities is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ValidateVolumeCapabilitiesRequest
-func (_e *MockControllerServer_Expecter) ValidateVolumeCapabilities(_a0 interface{}, _a1 interface{}) *MockControllerServer_ValidateVolumeCapabilities_Call {
-	return &MockControllerServer_ValidateVolumeCapabilities_Call{Call: _e.mock.On("ValidateVolumeCapabilities", _a0, _a1)}
-}
-
-func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) Run(run func(_a0 context.Context, _a1 *csi.ValidateVolumeCapabilitiesRequest)) *MockControllerServer_ValidateVolumeCapabilities_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ValidateVolumeCapabilitiesRequest))
-	})
-	return _c
-}
-
-func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) Return(_a0 *csi.ValidateVolumeCapabilitiesResponse, _a1 error) *MockControllerServer_ValidateVolumeCapabilities_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) RunAndReturn(run func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error)) *MockControllerServer_ValidateVolumeCapabilities_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockControllerServer creates a new instance of MockControllerServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockControllerServer(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockControllerServer {
-	mock := &MockControllerServer{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/test/e2e/storage/drivers/csi-test/driver/mock_identity_server.go b/test/e2e/storage/drivers/csi-test/driver/mock_identity_server.go
deleted file mode 100644
index 3e02f50ad57db..0000000000000
--- a/test/e2e/storage/drivers/csi-test/driver/mock_identity_server.go
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package driver
-
-import (
-	context "context"
-
-	csi "github.com/container-storage-interface/spec/lib/go/csi"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockIdentityServer is an autogenerated mock type for the IdentityServer type
-type MockIdentityServer struct {
-	mock.Mock
-}
-
-type MockIdentityServer_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockIdentityServer) EXPECT() *MockIdentityServer_Expecter {
-	return &MockIdentityServer_Expecter{mock: &_m.Mock}
-}
-
-// GetPluginCapabilities provides a mock function with given fields: _a0, _a1
-func (_m *MockIdentityServer) GetPluginCapabilities(_a0 context.Context, _a1 *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPluginCapabilities")
-	}
-
-	var r0 *csi.GetPluginCapabilitiesResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetPluginCapabilitiesRequest) *csi.GetPluginCapabilitiesResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.GetPluginCapabilitiesResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.GetPluginCapabilitiesRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockIdentityServer_GetPluginCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginCapabilities'
-type MockIdentityServer_GetPluginCapabilities_Call struct {
-	*mock.Call
-}
-
-// GetPluginCapabilities is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.GetPluginCapabilitiesRequest
-func (_e *MockIdentityServer_Expecter) GetPluginCapabilities(_a0 interface{}, _a1 interface{}) *MockIdentityServer_GetPluginCapabilities_Call {
-	return &MockIdentityServer_GetPluginCapabilities_Call{Call: _e.mock.On("GetPluginCapabilities", _a0, _a1)}
-}
-
-func (_c *MockIdentityServer_GetPluginCapabilities_Call) Run(run func(_a0 context.Context, _a1 *csi.GetPluginCapabilitiesRequest)) *MockIdentityServer_GetPluginCapabilities_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.GetPluginCapabilitiesRequest))
-	})
-	return _c
-}
-
-func (_c *MockIdentityServer_GetPluginCapabilities_Call) Return(_a0 *csi.GetPluginCapabilitiesResponse, _a1 error) *MockIdentityServer_GetPluginCapabilities_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockIdentityServer_GetPluginCapabilities_Call) RunAndReturn(run func(context.Context, *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error)) *MockIdentityServer_GetPluginCapabilities_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetPluginInfo provides a mock function with given fields: _a0, _a1
-func (_m *MockIdentityServer) GetPluginInfo(_a0 context.Context, _a1 *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetPluginInfo")
-	}
-
-	var r0 *csi.GetPluginInfoResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.GetPluginInfoRequest) *csi.GetPluginInfoResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.GetPluginInfoResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.GetPluginInfoRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockIdentityServer_GetPluginInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginInfo'
-type MockIdentityServer_GetPluginInfo_Call struct {
-	*mock.Call
-}
-
-// GetPluginInfo is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.GetPluginInfoRequest
-func (_e *MockIdentityServer_Expecter) GetPluginInfo(_a0 interface{}, _a1 interface{}) *MockIdentityServer_GetPluginInfo_Call {
-	return &MockIdentityServer_GetPluginInfo_Call{Call: _e.mock.On("GetPluginInfo", _a0, _a1)}
-}
-
-func (_c *MockIdentityServer_GetPluginInfo_Call) Run(run func(_a0 context.Context, _a1 *csi.GetPluginInfoRequest)) *MockIdentityServer_GetPluginInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.GetPluginInfoRequest))
-	})
-	return _c
-}
-
-func (_c *MockIdentityServer_GetPluginInfo_Call) Return(_a0 *csi.GetPluginInfoResponse, _a1 error) *MockIdentityServer_GetPluginInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockIdentityServer_GetPluginInfo_Call) RunAndReturn(run func(context.Context, *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error)) *MockIdentityServer_GetPluginInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Probe provides a mock function with given fields: _a0, _a1
-func (_m *MockIdentityServer) Probe(_a0 context.Context, _a1 *csi.ProbeRequest) (*csi.ProbeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Probe")
-	}
-
-	var r0 *csi.ProbeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ProbeRequest) (*csi.ProbeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.ProbeRequest) *csi.ProbeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.ProbeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.ProbeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockIdentityServer_Probe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Probe'
-type MockIdentityServer_Probe_Call struct {
-	*mock.Call
-}
-
-// Probe is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.ProbeRequest
-func (_e *MockIdentityServer_Expecter) Probe(_a0 interface{}, _a1 interface{}) *MockIdentityServer_Probe_Call {
-	return &MockIdentityServer_Probe_Call{Call: _e.mock.On("Probe", _a0, _a1)}
-}
-
-func (_c *MockIdentityServer_Probe_Call) Run(run func(_a0 context.Context, _a1 *csi.ProbeRequest)) *MockIdentityServer_Probe_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.ProbeRequest))
-	})
-	return _c
-}
-
-func (_c *MockIdentityServer_Probe_Call) Return(_a0 *csi.ProbeResponse, _a1 error) *MockIdentityServer_Probe_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockIdentityServer_Probe_Call) RunAndReturn(run func(context.Context, *csi.ProbeRequest) (*csi.ProbeResponse, error)) *MockIdentityServer_Probe_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockIdentityServer creates a new instance of MockIdentityServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockIdentityServer(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockIdentityServer {
-	mock := &MockIdentityServer{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/test/e2e/storage/drivers/csi-test/driver/mock_node_server.go b/test/e2e/storage/drivers/csi-test/driver/mock_node_server.go
deleted file mode 100644
index 4b3f106914222..0000000000000
--- a/test/e2e/storage/drivers/csi-test/driver/mock_node_server.go
+++ /dev/null
@@ -1,525 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package driver
-
-import (
-	context "context"
-
-	csi "github.com/container-storage-interface/spec/lib/go/csi"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockNodeServer is an autogenerated mock type for the NodeServer type
-type MockNodeServer struct {
-	mock.Mock
-}
-
-type MockNodeServer_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockNodeServer) EXPECT() *MockNodeServer_Expecter {
-	return &MockNodeServer_Expecter{mock: &_m.Mock}
-}
-
-// NodeExpandVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeExpandVolume(_a0 context.Context, _a1 *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeExpandVolume")
-	}
-
-	var r0 *csi.NodeExpandVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeExpandVolumeRequest) *csi.NodeExpandVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeExpandVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeExpandVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeExpandVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeExpandVolume'
-type MockNodeServer_NodeExpandVolume_Call struct {
-	*mock.Call
-}
-
-// NodeExpandVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeExpandVolumeRequest
-func (_e *MockNodeServer_Expecter) NodeExpandVolume(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeExpandVolume_Call {
-	return &MockNodeServer_NodeExpandVolume_Call{Call: _e.mock.On("NodeExpandVolume", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeExpandVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeExpandVolumeRequest)) *MockNodeServer_NodeExpandVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeExpandVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeExpandVolume_Call) Return(_a0 *csi.NodeExpandVolumeResponse, _a1 error) *MockNodeServer_NodeExpandVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeExpandVolume_Call) RunAndReturn(run func(context.Context, *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error)) *MockNodeServer_NodeExpandVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeGetCapabilities provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeGetCapabilities(_a0 context.Context, _a1 *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeGetCapabilities")
-	}
-
-	var r0 *csi.NodeGetCapabilitiesResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetCapabilitiesRequest) *csi.NodeGetCapabilitiesResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeGetCapabilitiesResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeGetCapabilitiesRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeGetCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetCapabilities'
-type MockNodeServer_NodeGetCapabilities_Call struct {
-	*mock.Call
-}
-
-// NodeGetCapabilities is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeGetCapabilitiesRequest
-func (_e *MockNodeServer_Expecter) NodeGetCapabilities(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeGetCapabilities_Call {
-	return &MockNodeServer_NodeGetCapabilities_Call{Call: _e.mock.On("NodeGetCapabilities", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeGetCapabilities_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeGetCapabilitiesRequest)) *MockNodeServer_NodeGetCapabilities_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeGetCapabilitiesRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetCapabilities_Call) Return(_a0 *csi.NodeGetCapabilitiesResponse, _a1 error) *MockNodeServer_NodeGetCapabilities_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetCapabilities_Call) RunAndReturn(run func(context.Context, *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error)) *MockNodeServer_NodeGetCapabilities_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeGetInfo provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeGetInfo(_a0 context.Context, _a1 *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeGetInfo")
-	}
-
-	var r0 *csi.NodeGetInfoResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetInfoRequest) *csi.NodeGetInfoResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeGetInfoResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeGetInfoRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeGetInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetInfo'
-type MockNodeServer_NodeGetInfo_Call struct {
-	*mock.Call
-}
-
-// NodeGetInfo is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeGetInfoRequest
-func (_e *MockNodeServer_Expecter) NodeGetInfo(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeGetInfo_Call {
-	return &MockNodeServer_NodeGetInfo_Call{Call: _e.mock.On("NodeGetInfo", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeGetInfo_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeGetInfoRequest)) *MockNodeServer_NodeGetInfo_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeGetInfoRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetInfo_Call) Return(_a0 *csi.NodeGetInfoResponse, _a1 error) *MockNodeServer_NodeGetInfo_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetInfo_Call) RunAndReturn(run func(context.Context, *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error)) *MockNodeServer_NodeGetInfo_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeGetVolumeStats provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeGetVolumeStats(_a0 context.Context, _a1 *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeGetVolumeStats")
-	}
-
-	var r0 *csi.NodeGetVolumeStatsResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeGetVolumeStatsRequest) *csi.NodeGetVolumeStatsResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeGetVolumeStatsResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeGetVolumeStatsRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeGetVolumeStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetVolumeStats'
-type MockNodeServer_NodeGetVolumeStats_Call struct {
-	*mock.Call
-}
-
-// NodeGetVolumeStats is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeGetVolumeStatsRequest
-func (_e *MockNodeServer_Expecter) NodeGetVolumeStats(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeGetVolumeStats_Call {
-	return &MockNodeServer_NodeGetVolumeStats_Call{Call: _e.mock.On("NodeGetVolumeStats", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeGetVolumeStats_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeGetVolumeStatsRequest)) *MockNodeServer_NodeGetVolumeStats_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeGetVolumeStatsRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetVolumeStats_Call) Return(_a0 *csi.NodeGetVolumeStatsResponse, _a1 error) *MockNodeServer_NodeGetVolumeStats_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeGetVolumeStats_Call) RunAndReturn(run func(context.Context, *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error)) *MockNodeServer_NodeGetVolumeStats_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodePublishVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodePublishVolume(_a0 context.Context, _a1 *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodePublishVolume")
-	}
-
-	var r0 *csi.NodePublishVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodePublishVolumeRequest) *csi.NodePublishVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodePublishVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodePublishVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodePublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodePublishVolume'
-type MockNodeServer_NodePublishVolume_Call struct {
-	*mock.Call
-}
-
-// NodePublishVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodePublishVolumeRequest
-func (_e *MockNodeServer_Expecter) NodePublishVolume(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodePublishVolume_Call {
-	return &MockNodeServer_NodePublishVolume_Call{Call: _e.mock.On("NodePublishVolume", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodePublishVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.NodePublishVolumeRequest)) *MockNodeServer_NodePublishVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodePublishVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodePublishVolume_Call) Return(_a0 *csi.NodePublishVolumeResponse, _a1 error) *MockNodeServer_NodePublishVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodePublishVolume_Call) RunAndReturn(run func(context.Context, *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error)) *MockNodeServer_NodePublishVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeStageVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeStageVolume(_a0 context.Context, _a1 *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeStageVolume")
-	}
-
-	var r0 *csi.NodeStageVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeStageVolumeRequest) *csi.NodeStageVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeStageVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeStageVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeStageVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeStageVolume'
-type MockNodeServer_NodeStageVolume_Call struct {
-	*mock.Call
-}
-
-// NodeStageVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeStageVolumeRequest
-func (_e *MockNodeServer_Expecter) NodeStageVolume(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeStageVolume_Call {
-	return &MockNodeServer_NodeStageVolume_Call{Call: _e.mock.On("NodeStageVolume", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeStageVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeStageVolumeRequest)) *MockNodeServer_NodeStageVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeStageVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeStageVolume_Call) Return(_a0 *csi.NodeStageVolumeResponse, _a1 error) *MockNodeServer_NodeStageVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeStageVolume_Call) RunAndReturn(run func(context.Context, *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error)) *MockNodeServer_NodeStageVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeUnpublishVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeUnpublishVolume(_a0 context.Context, _a1 *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeUnpublishVolume")
-	}
-
-	var r0 *csi.NodeUnpublishVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeUnpublishVolumeRequest) *csi.NodeUnpublishVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeUnpublishVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeUnpublishVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeUnpublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeUnpublishVolume'
-type MockNodeServer_NodeUnpublishVolume_Call struct {
-	*mock.Call
-}
-
-// NodeUnpublishVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeUnpublishVolumeRequest
-func (_e *MockNodeServer_Expecter) NodeUnpublishVolume(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeUnpublishVolume_Call {
-	return &MockNodeServer_NodeUnpublishVolume_Call{Call: _e.mock.On("NodeUnpublishVolume", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeUnpublishVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeUnpublishVolumeRequest)) *MockNodeServer_NodeUnpublishVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeUnpublishVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeUnpublishVolume_Call) Return(_a0 *csi.NodeUnpublishVolumeResponse, _a1 error) *MockNodeServer_NodeUnpublishVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeUnpublishVolume_Call) RunAndReturn(run func(context.Context, *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error)) *MockNodeServer_NodeUnpublishVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NodeUnstageVolume provides a mock function with given fields: _a0, _a1
-func (_m *MockNodeServer) NodeUnstageVolume(_a0 context.Context, _a1 *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
-	ret := _m.Called(_a0, _a1)
-
-	if len(ret) == 0 {
-		panic("no return value specified for NodeUnstageVolume")
-	}
-
-	var r0 *csi.NodeUnstageVolumeResponse
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error)); ok {
-		return rf(_a0, _a1)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *csi.NodeUnstageVolumeRequest) *csi.NodeUnstageVolumeResponse); ok {
-		r0 = rf(_a0, _a1)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*csi.NodeUnstageVolumeResponse)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *csi.NodeUnstageVolumeRequest) error); ok {
-		r1 = rf(_a0, _a1)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockNodeServer_NodeUnstageVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeUnstageVolume'
-type MockNodeServer_NodeUnstageVolume_Call struct {
-	*mock.Call
-}
-
-// NodeUnstageVolume is a helper method to define mock.On call
-//   - _a0 context.Context
-//   - _a1 *csi.NodeUnstageVolumeRequest
-func (_e *MockNodeServer_Expecter) NodeUnstageVolume(_a0 interface{}, _a1 interface{}) *MockNodeServer_NodeUnstageVolume_Call {
-	return &MockNodeServer_NodeUnstageVolume_Call{Call: _e.mock.On("NodeUnstageVolume", _a0, _a1)}
-}
-
-func (_c *MockNodeServer_NodeUnstageVolume_Call) Run(run func(_a0 context.Context, _a1 *csi.NodeUnstageVolumeRequest)) *MockNodeServer_NodeUnstageVolume_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*csi.NodeUnstageVolumeRequest))
-	})
-	return _c
-}
-
-func (_c *MockNodeServer_NodeUnstageVolume_Call) Return(_a0 *csi.NodeUnstageVolumeResponse, _a1 error) *MockNodeServer_NodeUnstageVolume_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockNodeServer_NodeUnstageVolume_Call) RunAndReturn(run func(context.Context, *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error)) *MockNodeServer_NodeUnstageVolume_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockNodeServer creates a new instance of MockNodeServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockNodeServer(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockNodeServer {
-	mock := &MockNodeServer{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/test/e2e/storage/drivers/csi-test/driver/mocks.go b/test/e2e/storage/drivers/csi-test/driver/mocks.go
new file mode 100644
index 0000000000000..7590edc327d48
--- /dev/null
+++ b/test/e2e/storage/drivers/csi-test/driver/mocks.go
@@ -0,0 +1,1809 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package driver
+
+import (
+	"context"
+
+	"github.com/container-storage-interface/spec/lib/go/csi"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockIdentityServer creates a new instance of MockIdentityServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockIdentityServer(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockIdentityServer {
+	mock := &MockIdentityServer{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockIdentityServer is an autogenerated mock type for the IdentityServer type
+type MockIdentityServer struct {
+	mock.Mock
+}
+
+type MockIdentityServer_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockIdentityServer) EXPECT() *MockIdentityServer_Expecter {
+	return &MockIdentityServer_Expecter{mock: &_m.Mock}
+}
+
+// GetPluginCapabilities provides a mock function for the type MockIdentityServer
+func (_mock *MockIdentityServer) GetPluginCapabilities(context1 context.Context, getPluginCapabilitiesRequest *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error) {
+	ret := _mock.Called(context1, getPluginCapabilitiesRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPluginCapabilities")
+	}
+
+	var r0 *csi.GetPluginCapabilitiesResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error)); ok {
+		return returnFunc(context1, getPluginCapabilitiesRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetPluginCapabilitiesRequest) *csi.GetPluginCapabilitiesResponse); ok {
+		r0 = returnFunc(context1, getPluginCapabilitiesRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.GetPluginCapabilitiesResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.GetPluginCapabilitiesRequest) error); ok {
+		r1 = returnFunc(context1, getPluginCapabilitiesRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockIdentityServer_GetPluginCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginCapabilities'
+type MockIdentityServer_GetPluginCapabilities_Call struct {
+	*mock.Call
+}
+
+// GetPluginCapabilities is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getPluginCapabilitiesRequest *csi.GetPluginCapabilitiesRequest
+func (_e *MockIdentityServer_Expecter) GetPluginCapabilities(context1 interface{}, getPluginCapabilitiesRequest interface{}) *MockIdentityServer_GetPluginCapabilities_Call {
+	return &MockIdentityServer_GetPluginCapabilities_Call{Call: _e.mock.On("GetPluginCapabilities", context1, getPluginCapabilitiesRequest)}
+}
+
+func (_c *MockIdentityServer_GetPluginCapabilities_Call) Run(run func(context1 context.Context, getPluginCapabilitiesRequest *csi.GetPluginCapabilitiesRequest)) *MockIdentityServer_GetPluginCapabilities_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.GetPluginCapabilitiesRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.GetPluginCapabilitiesRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockIdentityServer_GetPluginCapabilities_Call) Return(getPluginCapabilitiesResponse *csi.GetPluginCapabilitiesResponse, err error) *MockIdentityServer_GetPluginCapabilities_Call {
+	_c.Call.Return(getPluginCapabilitiesResponse, err)
+	return _c
+}
+
+func (_c *MockIdentityServer_GetPluginCapabilities_Call) RunAndReturn(run func(context1 context.Context, getPluginCapabilitiesRequest *csi.GetPluginCapabilitiesRequest) (*csi.GetPluginCapabilitiesResponse, error)) *MockIdentityServer_GetPluginCapabilities_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetPluginInfo provides a mock function for the type MockIdentityServer
+func (_mock *MockIdentityServer) GetPluginInfo(context1 context.Context, getPluginInfoRequest *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error) {
+	ret := _mock.Called(context1, getPluginInfoRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetPluginInfo")
+	}
+
+	var r0 *csi.GetPluginInfoResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error)); ok {
+		return returnFunc(context1, getPluginInfoRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetPluginInfoRequest) *csi.GetPluginInfoResponse); ok {
+		r0 = returnFunc(context1, getPluginInfoRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.GetPluginInfoResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.GetPluginInfoRequest) error); ok {
+		r1 = returnFunc(context1, getPluginInfoRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockIdentityServer_GetPluginInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPluginInfo'
+type MockIdentityServer_GetPluginInfo_Call struct {
+	*mock.Call
+}
+
+// GetPluginInfo is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getPluginInfoRequest *csi.GetPluginInfoRequest
+func (_e *MockIdentityServer_Expecter) GetPluginInfo(context1 interface{}, getPluginInfoRequest interface{}) *MockIdentityServer_GetPluginInfo_Call {
+	return &MockIdentityServer_GetPluginInfo_Call{Call: _e.mock.On("GetPluginInfo", context1, getPluginInfoRequest)}
+}
+
+func (_c *MockIdentityServer_GetPluginInfo_Call) Run(run func(context1 context.Context, getPluginInfoRequest *csi.GetPluginInfoRequest)) *MockIdentityServer_GetPluginInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.GetPluginInfoRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.GetPluginInfoRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockIdentityServer_GetPluginInfo_Call) Return(getPluginInfoResponse *csi.GetPluginInfoResponse, err error) *MockIdentityServer_GetPluginInfo_Call {
+	_c.Call.Return(getPluginInfoResponse, err)
+	return _c
+}
+
+func (_c *MockIdentityServer_GetPluginInfo_Call) RunAndReturn(run func(context1 context.Context, getPluginInfoRequest *csi.GetPluginInfoRequest) (*csi.GetPluginInfoResponse, error)) *MockIdentityServer_GetPluginInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Probe provides a mock function for the type MockIdentityServer
+func (_mock *MockIdentityServer) Probe(context1 context.Context, probeRequest *csi.ProbeRequest) (*csi.ProbeResponse, error) {
+	ret := _mock.Called(context1, probeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Probe")
+	}
+
+	var r0 *csi.ProbeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ProbeRequest) (*csi.ProbeResponse, error)); ok {
+		return returnFunc(context1, probeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ProbeRequest) *csi.ProbeResponse); ok {
+		r0 = returnFunc(context1, probeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ProbeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ProbeRequest) error); ok {
+		r1 = returnFunc(context1, probeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockIdentityServer_Probe_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Probe'
+type MockIdentityServer_Probe_Call struct {
+	*mock.Call
+}
+
+// Probe is a helper method to define mock.On call
+//   - context1 context.Context
+//   - probeRequest *csi.ProbeRequest
+func (_e *MockIdentityServer_Expecter) Probe(context1 interface{}, probeRequest interface{}) *MockIdentityServer_Probe_Call {
+	return &MockIdentityServer_Probe_Call{Call: _e.mock.On("Probe", context1, probeRequest)}
+}
+
+func (_c *MockIdentityServer_Probe_Call) Run(run func(context1 context.Context, probeRequest *csi.ProbeRequest)) *MockIdentityServer_Probe_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ProbeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ProbeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockIdentityServer_Probe_Call) Return(probeResponse *csi.ProbeResponse, err error) *MockIdentityServer_Probe_Call {
+	_c.Call.Return(probeResponse, err)
+	return _c
+}
+
+func (_c *MockIdentityServer_Probe_Call) RunAndReturn(run func(context1 context.Context, probeRequest *csi.ProbeRequest) (*csi.ProbeResponse, error)) *MockIdentityServer_Probe_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockControllerServer creates a new instance of MockControllerServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockControllerServer(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockControllerServer {
+	mock := &MockControllerServer{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockControllerServer is an autogenerated mock type for the ControllerServer type
+type MockControllerServer struct {
+	mock.Mock
+}
+
+type MockControllerServer_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockControllerServer) EXPECT() *MockControllerServer_Expecter {
+	return &MockControllerServer_Expecter{mock: &_m.Mock}
+}
+
+// ControllerExpandVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerExpandVolume(context1 context.Context, controllerExpandVolumeRequest *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
+	ret := _mock.Called(context1, controllerExpandVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerExpandVolume")
+	}
+
+	var r0 *csi.ControllerExpandVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error)); ok {
+		return returnFunc(context1, controllerExpandVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerExpandVolumeRequest) *csi.ControllerExpandVolumeResponse); ok {
+		r0 = returnFunc(context1, controllerExpandVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerExpandVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerExpandVolumeRequest) error); ok {
+		r1 = returnFunc(context1, controllerExpandVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerExpandVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerExpandVolume'
+type MockControllerServer_ControllerExpandVolume_Call struct {
+	*mock.Call
+}
+
+// ControllerExpandVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerExpandVolumeRequest *csi.ControllerExpandVolumeRequest
+func (_e *MockControllerServer_Expecter) ControllerExpandVolume(context1 interface{}, controllerExpandVolumeRequest interface{}) *MockControllerServer_ControllerExpandVolume_Call {
+	return &MockControllerServer_ControllerExpandVolume_Call{Call: _e.mock.On("ControllerExpandVolume", context1, controllerExpandVolumeRequest)}
+}
+
+func (_c *MockControllerServer_ControllerExpandVolume_Call) Run(run func(context1 context.Context, controllerExpandVolumeRequest *csi.ControllerExpandVolumeRequest)) *MockControllerServer_ControllerExpandVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerExpandVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerExpandVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerExpandVolume_Call) Return(controllerExpandVolumeResponse *csi.ControllerExpandVolumeResponse, err error) *MockControllerServer_ControllerExpandVolume_Call {
+	_c.Call.Return(controllerExpandVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerExpandVolume_Call) RunAndReturn(run func(context1 context.Context, controllerExpandVolumeRequest *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error)) *MockControllerServer_ControllerExpandVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ControllerGetCapabilities provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerGetCapabilities(context1 context.Context, controllerGetCapabilitiesRequest *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error) {
+	ret := _mock.Called(context1, controllerGetCapabilitiesRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerGetCapabilities")
+	}
+
+	var r0 *csi.ControllerGetCapabilitiesResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error)); ok {
+		return returnFunc(context1, controllerGetCapabilitiesRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) *csi.ControllerGetCapabilitiesResponse); ok {
+		r0 = returnFunc(context1, controllerGetCapabilitiesRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerGetCapabilitiesResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerGetCapabilitiesRequest) error); ok {
+		r1 = returnFunc(context1, controllerGetCapabilitiesRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerGetCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerGetCapabilities'
+type MockControllerServer_ControllerGetCapabilities_Call struct {
+	*mock.Call
+}
+
+// ControllerGetCapabilities is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerGetCapabilitiesRequest *csi.ControllerGetCapabilitiesRequest
+func (_e *MockControllerServer_Expecter) ControllerGetCapabilities(context1 interface{}, controllerGetCapabilitiesRequest interface{}) *MockControllerServer_ControllerGetCapabilities_Call {
+	return &MockControllerServer_ControllerGetCapabilities_Call{Call: _e.mock.On("ControllerGetCapabilities", context1, controllerGetCapabilitiesRequest)}
+}
+
+func (_c *MockControllerServer_ControllerGetCapabilities_Call) Run(run func(context1 context.Context, controllerGetCapabilitiesRequest *csi.ControllerGetCapabilitiesRequest)) *MockControllerServer_ControllerGetCapabilities_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerGetCapabilitiesRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerGetCapabilitiesRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerGetCapabilities_Call) Return(controllerGetCapabilitiesResponse *csi.ControllerGetCapabilitiesResponse, err error) *MockControllerServer_ControllerGetCapabilities_Call {
+	_c.Call.Return(controllerGetCapabilitiesResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerGetCapabilities_Call) RunAndReturn(run func(context1 context.Context, controllerGetCapabilitiesRequest *csi.ControllerGetCapabilitiesRequest) (*csi.ControllerGetCapabilitiesResponse, error)) *MockControllerServer_ControllerGetCapabilities_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ControllerGetVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerGetVolume(context1 context.Context, controllerGetVolumeRequest *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error) {
+	ret := _mock.Called(context1, controllerGetVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerGetVolume")
+	}
+
+	var r0 *csi.ControllerGetVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error)); ok {
+		return returnFunc(context1, controllerGetVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerGetVolumeRequest) *csi.ControllerGetVolumeResponse); ok {
+		r0 = returnFunc(context1, controllerGetVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerGetVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerGetVolumeRequest) error); ok {
+		r1 = returnFunc(context1, controllerGetVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerGetVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerGetVolume'
+type MockControllerServer_ControllerGetVolume_Call struct {
+	*mock.Call
+}
+
+// ControllerGetVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerGetVolumeRequest *csi.ControllerGetVolumeRequest
+func (_e *MockControllerServer_Expecter) ControllerGetVolume(context1 interface{}, controllerGetVolumeRequest interface{}) *MockControllerServer_ControllerGetVolume_Call {
+	return &MockControllerServer_ControllerGetVolume_Call{Call: _e.mock.On("ControllerGetVolume", context1, controllerGetVolumeRequest)}
+}
+
+func (_c *MockControllerServer_ControllerGetVolume_Call) Run(run func(context1 context.Context, controllerGetVolumeRequest *csi.ControllerGetVolumeRequest)) *MockControllerServer_ControllerGetVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerGetVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerGetVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerGetVolume_Call) Return(controllerGetVolumeResponse *csi.ControllerGetVolumeResponse, err error) *MockControllerServer_ControllerGetVolume_Call {
+	_c.Call.Return(controllerGetVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerGetVolume_Call) RunAndReturn(run func(context1 context.Context, controllerGetVolumeRequest *csi.ControllerGetVolumeRequest) (*csi.ControllerGetVolumeResponse, error)) *MockControllerServer_ControllerGetVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ControllerModifyVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerModifyVolume(context1 context.Context, controllerModifyVolumeRequest *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error) {
+	ret := _mock.Called(context1, controllerModifyVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerModifyVolume")
+	}
+
+	var r0 *csi.ControllerModifyVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error)); ok {
+		return returnFunc(context1, controllerModifyVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerModifyVolumeRequest) *csi.ControllerModifyVolumeResponse); ok {
+		r0 = returnFunc(context1, controllerModifyVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerModifyVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerModifyVolumeRequest) error); ok {
+		r1 = returnFunc(context1, controllerModifyVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerModifyVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerModifyVolume'
+type MockControllerServer_ControllerModifyVolume_Call struct {
+	*mock.Call
+}
+
+// ControllerModifyVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerModifyVolumeRequest *csi.ControllerModifyVolumeRequest
+func (_e *MockControllerServer_Expecter) ControllerModifyVolume(context1 interface{}, controllerModifyVolumeRequest interface{}) *MockControllerServer_ControllerModifyVolume_Call {
+	return &MockControllerServer_ControllerModifyVolume_Call{Call: _e.mock.On("ControllerModifyVolume", context1, controllerModifyVolumeRequest)}
+}
+
+func (_c *MockControllerServer_ControllerModifyVolume_Call) Run(run func(context1 context.Context, controllerModifyVolumeRequest *csi.ControllerModifyVolumeRequest)) *MockControllerServer_ControllerModifyVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerModifyVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerModifyVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerModifyVolume_Call) Return(controllerModifyVolumeResponse *csi.ControllerModifyVolumeResponse, err error) *MockControllerServer_ControllerModifyVolume_Call {
+	_c.Call.Return(controllerModifyVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerModifyVolume_Call) RunAndReturn(run func(context1 context.Context, controllerModifyVolumeRequest *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error)) *MockControllerServer_ControllerModifyVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ControllerPublishVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerPublishVolume(context1 context.Context, controllerPublishVolumeRequest *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error) {
+	ret := _mock.Called(context1, controllerPublishVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerPublishVolume")
+	}
+
+	var r0 *csi.ControllerPublishVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error)); ok {
+		return returnFunc(context1, controllerPublishVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerPublishVolumeRequest) *csi.ControllerPublishVolumeResponse); ok {
+		r0 = returnFunc(context1, controllerPublishVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerPublishVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerPublishVolumeRequest) error); ok {
+		r1 = returnFunc(context1, controllerPublishVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerPublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerPublishVolume'
+type MockControllerServer_ControllerPublishVolume_Call struct {
+	*mock.Call
+}
+
+// ControllerPublishVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerPublishVolumeRequest *csi.ControllerPublishVolumeRequest
+func (_e *MockControllerServer_Expecter) ControllerPublishVolume(context1 interface{}, controllerPublishVolumeRequest interface{}) *MockControllerServer_ControllerPublishVolume_Call {
+	return &MockControllerServer_ControllerPublishVolume_Call{Call: _e.mock.On("ControllerPublishVolume", context1, controllerPublishVolumeRequest)}
+}
+
+func (_c *MockControllerServer_ControllerPublishVolume_Call) Run(run func(context1 context.Context, controllerPublishVolumeRequest *csi.ControllerPublishVolumeRequest)) *MockControllerServer_ControllerPublishVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerPublishVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerPublishVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerPublishVolume_Call) Return(controllerPublishVolumeResponse *csi.ControllerPublishVolumeResponse, err error) *MockControllerServer_ControllerPublishVolume_Call {
+	_c.Call.Return(controllerPublishVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerPublishVolume_Call) RunAndReturn(run func(context1 context.Context, controllerPublishVolumeRequest *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error)) *MockControllerServer_ControllerPublishVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ControllerUnpublishVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ControllerUnpublishVolume(context1 context.Context, controllerUnpublishVolumeRequest *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error) {
+	ret := _mock.Called(context1, controllerUnpublishVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ControllerUnpublishVolume")
+	}
+
+	var r0 *csi.ControllerUnpublishVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error)); ok {
+		return returnFunc(context1, controllerUnpublishVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) *csi.ControllerUnpublishVolumeResponse); ok {
+		r0 = returnFunc(context1, controllerUnpublishVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ControllerUnpublishVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ControllerUnpublishVolumeRequest) error); ok {
+		r1 = returnFunc(context1, controllerUnpublishVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ControllerUnpublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ControllerUnpublishVolume'
+type MockControllerServer_ControllerUnpublishVolume_Call struct {
+	*mock.Call
+}
+
+// ControllerUnpublishVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - controllerUnpublishVolumeRequest *csi.ControllerUnpublishVolumeRequest
+func (_e *MockControllerServer_Expecter) ControllerUnpublishVolume(context1 interface{}, controllerUnpublishVolumeRequest interface{}) *MockControllerServer_ControllerUnpublishVolume_Call {
+	return &MockControllerServer_ControllerUnpublishVolume_Call{Call: _e.mock.On("ControllerUnpublishVolume", context1, controllerUnpublishVolumeRequest)}
+}
+
+func (_c *MockControllerServer_ControllerUnpublishVolume_Call) Run(run func(context1 context.Context, controllerUnpublishVolumeRequest *csi.ControllerUnpublishVolumeRequest)) *MockControllerServer_ControllerUnpublishVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ControllerUnpublishVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ControllerUnpublishVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerUnpublishVolume_Call) Return(controllerUnpublishVolumeResponse *csi.ControllerUnpublishVolumeResponse, err error) *MockControllerServer_ControllerUnpublishVolume_Call {
+	_c.Call.Return(controllerUnpublishVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ControllerUnpublishVolume_Call) RunAndReturn(run func(context1 context.Context, controllerUnpublishVolumeRequest *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error)) *MockControllerServer_ControllerUnpublishVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// CreateSnapshot provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) CreateSnapshot(context1 context.Context, createSnapshotRequest *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error) {
+	ret := _mock.Called(context1, createSnapshotRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateSnapshot")
+	}
+
+	var r0 *csi.CreateSnapshotResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error)); ok {
+		return returnFunc(context1, createSnapshotRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.CreateSnapshotRequest) *csi.CreateSnapshotResponse); ok {
+		r0 = returnFunc(context1, createSnapshotRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.CreateSnapshotResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.CreateSnapshotRequest) error); ok {
+		r1 = returnFunc(context1, createSnapshotRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_CreateSnapshot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateSnapshot'
+type MockControllerServer_CreateSnapshot_Call struct {
+	*mock.Call
+}
+
+// CreateSnapshot is a helper method to define mock.On call
+//   - context1 context.Context
+//   - createSnapshotRequest *csi.CreateSnapshotRequest
+func (_e *MockControllerServer_Expecter) CreateSnapshot(context1 interface{}, createSnapshotRequest interface{}) *MockControllerServer_CreateSnapshot_Call {
+	return &MockControllerServer_CreateSnapshot_Call{Call: _e.mock.On("CreateSnapshot", context1, createSnapshotRequest)}
+}
+
+func (_c *MockControllerServer_CreateSnapshot_Call) Run(run func(context1 context.Context, createSnapshotRequest *csi.CreateSnapshotRequest)) *MockControllerServer_CreateSnapshot_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.CreateSnapshotRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.CreateSnapshotRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_CreateSnapshot_Call) Return(createSnapshotResponse *csi.CreateSnapshotResponse, err error) *MockControllerServer_CreateSnapshot_Call {
+	_c.Call.Return(createSnapshotResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_CreateSnapshot_Call) RunAndReturn(run func(context1 context.Context, createSnapshotRequest *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error)) *MockControllerServer_CreateSnapshot_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// CreateVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) CreateVolume(context1 context.Context, createVolumeRequest *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) {
+	ret := _mock.Called(context1, createVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateVolume")
+	}
+
+	var r0 *csi.CreateVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error)); ok {
+		return returnFunc(context1, createVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.CreateVolumeRequest) *csi.CreateVolumeResponse); ok {
+		r0 = returnFunc(context1, createVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.CreateVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.CreateVolumeRequest) error); ok {
+		r1 = returnFunc(context1, createVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_CreateVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreateVolume'
+type MockControllerServer_CreateVolume_Call struct {
+	*mock.Call
+}
+
+// CreateVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - createVolumeRequest *csi.CreateVolumeRequest
+func (_e *MockControllerServer_Expecter) CreateVolume(context1 interface{}, createVolumeRequest interface{}) *MockControllerServer_CreateVolume_Call {
+	return &MockControllerServer_CreateVolume_Call{Call: _e.mock.On("CreateVolume", context1, createVolumeRequest)}
+}
+
+func (_c *MockControllerServer_CreateVolume_Call) Run(run func(context1 context.Context, createVolumeRequest *csi.CreateVolumeRequest)) *MockControllerServer_CreateVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.CreateVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.CreateVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_CreateVolume_Call) Return(createVolumeResponse *csi.CreateVolumeResponse, err error) *MockControllerServer_CreateVolume_Call {
+	_c.Call.Return(createVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_CreateVolume_Call) RunAndReturn(run func(context1 context.Context, createVolumeRequest *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error)) *MockControllerServer_CreateVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteSnapshot provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) DeleteSnapshot(context1 context.Context, deleteSnapshotRequest *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error) {
+	ret := _mock.Called(context1, deleteSnapshotRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteSnapshot")
+	}
+
+	var r0 *csi.DeleteSnapshotResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error)); ok {
+		return returnFunc(context1, deleteSnapshotRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.DeleteSnapshotRequest) *csi.DeleteSnapshotResponse); ok {
+		r0 = returnFunc(context1, deleteSnapshotRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.DeleteSnapshotResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.DeleteSnapshotRequest) error); ok {
+		r1 = returnFunc(context1, deleteSnapshotRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_DeleteSnapshot_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteSnapshot'
+type MockControllerServer_DeleteSnapshot_Call struct {
+	*mock.Call
+}
+
+// DeleteSnapshot is a helper method to define mock.On call
+//   - context1 context.Context
+//   - deleteSnapshotRequest *csi.DeleteSnapshotRequest
+func (_e *MockControllerServer_Expecter) DeleteSnapshot(context1 interface{}, deleteSnapshotRequest interface{}) *MockControllerServer_DeleteSnapshot_Call {
+	return &MockControllerServer_DeleteSnapshot_Call{Call: _e.mock.On("DeleteSnapshot", context1, deleteSnapshotRequest)}
+}
+
+func (_c *MockControllerServer_DeleteSnapshot_Call) Run(run func(context1 context.Context, deleteSnapshotRequest *csi.DeleteSnapshotRequest)) *MockControllerServer_DeleteSnapshot_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.DeleteSnapshotRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.DeleteSnapshotRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_DeleteSnapshot_Call) Return(deleteSnapshotResponse *csi.DeleteSnapshotResponse, err error) *MockControllerServer_DeleteSnapshot_Call {
+	_c.Call.Return(deleteSnapshotResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_DeleteSnapshot_Call) RunAndReturn(run func(context1 context.Context, deleteSnapshotRequest *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error)) *MockControllerServer_DeleteSnapshot_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DeleteVolume provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) DeleteVolume(context1 context.Context, deleteVolumeRequest *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
+	ret := _mock.Called(context1, deleteVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteVolume")
+	}
+
+	var r0 *csi.DeleteVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error)); ok {
+		return returnFunc(context1, deleteVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.DeleteVolumeRequest) *csi.DeleteVolumeResponse); ok {
+		r0 = returnFunc(context1, deleteVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.DeleteVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.DeleteVolumeRequest) error); ok {
+		r1 = returnFunc(context1, deleteVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_DeleteVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteVolume'
+type MockControllerServer_DeleteVolume_Call struct {
+	*mock.Call
+}
+
+// DeleteVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - deleteVolumeRequest *csi.DeleteVolumeRequest
+func (_e *MockControllerServer_Expecter) DeleteVolume(context1 interface{}, deleteVolumeRequest interface{}) *MockControllerServer_DeleteVolume_Call {
+	return &MockControllerServer_DeleteVolume_Call{Call: _e.mock.On("DeleteVolume", context1, deleteVolumeRequest)}
+}
+
+func (_c *MockControllerServer_DeleteVolume_Call) Run(run func(context1 context.Context, deleteVolumeRequest *csi.DeleteVolumeRequest)) *MockControllerServer_DeleteVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.DeleteVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.DeleteVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_DeleteVolume_Call) Return(deleteVolumeResponse *csi.DeleteVolumeResponse, err error) *MockControllerServer_DeleteVolume_Call {
+	_c.Call.Return(deleteVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_DeleteVolume_Call) RunAndReturn(run func(context1 context.Context, deleteVolumeRequest *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error)) *MockControllerServer_DeleteVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetCapacity provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) GetCapacity(context1 context.Context, getCapacityRequest *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error) {
+	ret := _mock.Called(context1, getCapacityRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetCapacity")
+	}
+
+	var r0 *csi.GetCapacityResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error)); ok {
+		return returnFunc(context1, getCapacityRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.GetCapacityRequest) *csi.GetCapacityResponse); ok {
+		r0 = returnFunc(context1, getCapacityRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.GetCapacityResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.GetCapacityRequest) error); ok {
+		r1 = returnFunc(context1, getCapacityRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_GetCapacity_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCapacity'
+type MockControllerServer_GetCapacity_Call struct {
+	*mock.Call
+}
+
+// GetCapacity is a helper method to define mock.On call
+//   - context1 context.Context
+//   - getCapacityRequest *csi.GetCapacityRequest
+func (_e *MockControllerServer_Expecter) GetCapacity(context1 interface{}, getCapacityRequest interface{}) *MockControllerServer_GetCapacity_Call {
+	return &MockControllerServer_GetCapacity_Call{Call: _e.mock.On("GetCapacity", context1, getCapacityRequest)}
+}
+
+func (_c *MockControllerServer_GetCapacity_Call) Run(run func(context1 context.Context, getCapacityRequest *csi.GetCapacityRequest)) *MockControllerServer_GetCapacity_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.GetCapacityRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.GetCapacityRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_GetCapacity_Call) Return(getCapacityResponse *csi.GetCapacityResponse, err error) *MockControllerServer_GetCapacity_Call {
+	_c.Call.Return(getCapacityResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_GetCapacity_Call) RunAndReturn(run func(context1 context.Context, getCapacityRequest *csi.GetCapacityRequest) (*csi.GetCapacityResponse, error)) *MockControllerServer_GetCapacity_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListSnapshots provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ListSnapshots(context1 context.Context, listSnapshotsRequest *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error) {
+	ret := _mock.Called(context1, listSnapshotsRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListSnapshots")
+	}
+
+	var r0 *csi.ListSnapshotsResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error)); ok {
+		return returnFunc(context1, listSnapshotsRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ListSnapshotsRequest) *csi.ListSnapshotsResponse); ok {
+		r0 = returnFunc(context1, listSnapshotsRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ListSnapshotsResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ListSnapshotsRequest) error); ok {
+		r1 = returnFunc(context1, listSnapshotsRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ListSnapshots_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListSnapshots'
+type MockControllerServer_ListSnapshots_Call struct {
+	*mock.Call
+}
+
+// ListSnapshots is a helper method to define mock.On call
+//   - context1 context.Context
+//   - listSnapshotsRequest *csi.ListSnapshotsRequest
+func (_e *MockControllerServer_Expecter) ListSnapshots(context1 interface{}, listSnapshotsRequest interface{}) *MockControllerServer_ListSnapshots_Call {
+	return &MockControllerServer_ListSnapshots_Call{Call: _e.mock.On("ListSnapshots", context1, listSnapshotsRequest)}
+}
+
+func (_c *MockControllerServer_ListSnapshots_Call) Run(run func(context1 context.Context, listSnapshotsRequest *csi.ListSnapshotsRequest)) *MockControllerServer_ListSnapshots_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ListSnapshotsRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ListSnapshotsRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ListSnapshots_Call) Return(listSnapshotsResponse *csi.ListSnapshotsResponse, err error) *MockControllerServer_ListSnapshots_Call {
+	_c.Call.Return(listSnapshotsResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ListSnapshots_Call) RunAndReturn(run func(context1 context.Context, listSnapshotsRequest *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error)) *MockControllerServer_ListSnapshots_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListVolumes provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ListVolumes(context1 context.Context, listVolumesRequest *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error) {
+	ret := _mock.Called(context1, listVolumesRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListVolumes")
+	}
+
+	var r0 *csi.ListVolumesResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error)); ok {
+		return returnFunc(context1, listVolumesRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ListVolumesRequest) *csi.ListVolumesResponse); ok {
+		r0 = returnFunc(context1, listVolumesRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ListVolumesResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ListVolumesRequest) error); ok {
+		r1 = returnFunc(context1, listVolumesRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ListVolumes_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListVolumes'
+type MockControllerServer_ListVolumes_Call struct {
+	*mock.Call
+}
+
+// ListVolumes is a helper method to define mock.On call
+//   - context1 context.Context
+//   - listVolumesRequest *csi.ListVolumesRequest
+func (_e *MockControllerServer_Expecter) ListVolumes(context1 interface{}, listVolumesRequest interface{}) *MockControllerServer_ListVolumes_Call {
+	return &MockControllerServer_ListVolumes_Call{Call: _e.mock.On("ListVolumes", context1, listVolumesRequest)}
+}
+
+func (_c *MockControllerServer_ListVolumes_Call) Run(run func(context1 context.Context, listVolumesRequest *csi.ListVolumesRequest)) *MockControllerServer_ListVolumes_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ListVolumesRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ListVolumesRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ListVolumes_Call) Return(listVolumesResponse *csi.ListVolumesResponse, err error) *MockControllerServer_ListVolumes_Call {
+	_c.Call.Return(listVolumesResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ListVolumes_Call) RunAndReturn(run func(context1 context.Context, listVolumesRequest *csi.ListVolumesRequest) (*csi.ListVolumesResponse, error)) *MockControllerServer_ListVolumes_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ValidateVolumeCapabilities provides a mock function for the type MockControllerServer
+func (_mock *MockControllerServer) ValidateVolumeCapabilities(context1 context.Context, validateVolumeCapabilitiesRequest *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error) {
+	ret := _mock.Called(context1, validateVolumeCapabilitiesRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ValidateVolumeCapabilities")
+	}
+
+	var r0 *csi.ValidateVolumeCapabilitiesResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error)); ok {
+		return returnFunc(context1, validateVolumeCapabilitiesRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) *csi.ValidateVolumeCapabilitiesResponse); ok {
+		r0 = returnFunc(context1, validateVolumeCapabilitiesRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.ValidateVolumeCapabilitiesResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.ValidateVolumeCapabilitiesRequest) error); ok {
+		r1 = returnFunc(context1, validateVolumeCapabilitiesRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockControllerServer_ValidateVolumeCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ValidateVolumeCapabilities'
+type MockControllerServer_ValidateVolumeCapabilities_Call struct {
+	*mock.Call
+}
+
+// ValidateVolumeCapabilities is a helper method to define mock.On call
+//   - context1 context.Context
+//   - validateVolumeCapabilitiesRequest *csi.ValidateVolumeCapabilitiesRequest
+func (_e *MockControllerServer_Expecter) ValidateVolumeCapabilities(context1 interface{}, validateVolumeCapabilitiesRequest interface{}) *MockControllerServer_ValidateVolumeCapabilities_Call {
+	return &MockControllerServer_ValidateVolumeCapabilities_Call{Call: _e.mock.On("ValidateVolumeCapabilities", context1, validateVolumeCapabilitiesRequest)}
+}
+
+func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) Run(run func(context1 context.Context, validateVolumeCapabilitiesRequest *csi.ValidateVolumeCapabilitiesRequest)) *MockControllerServer_ValidateVolumeCapabilities_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.ValidateVolumeCapabilitiesRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.ValidateVolumeCapabilitiesRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) Return(validateVolumeCapabilitiesResponse *csi.ValidateVolumeCapabilitiesResponse, err error) *MockControllerServer_ValidateVolumeCapabilities_Call {
+	_c.Call.Return(validateVolumeCapabilitiesResponse, err)
+	return _c
+}
+
+func (_c *MockControllerServer_ValidateVolumeCapabilities_Call) RunAndReturn(run func(context1 context.Context, validateVolumeCapabilitiesRequest *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error)) *MockControllerServer_ValidateVolumeCapabilities_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockNodeServer creates a new instance of MockNodeServer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockNodeServer(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockNodeServer {
+	mock := &MockNodeServer{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockNodeServer is an autogenerated mock type for the NodeServer type
+type MockNodeServer struct {
+	mock.Mock
+}
+
+type MockNodeServer_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockNodeServer) EXPECT() *MockNodeServer_Expecter {
+	return &MockNodeServer_Expecter{mock: &_m.Mock}
+}
+
+// NodeExpandVolume provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeExpandVolume(context1 context.Context, nodeExpandVolumeRequest *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error) {
+	ret := _mock.Called(context1, nodeExpandVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeExpandVolume")
+	}
+
+	var r0 *csi.NodeExpandVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error)); ok {
+		return returnFunc(context1, nodeExpandVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeExpandVolumeRequest) *csi.NodeExpandVolumeResponse); ok {
+		r0 = returnFunc(context1, nodeExpandVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeExpandVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeExpandVolumeRequest) error); ok {
+		r1 = returnFunc(context1, nodeExpandVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeExpandVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeExpandVolume'
+type MockNodeServer_NodeExpandVolume_Call struct {
+	*mock.Call
+}
+
+// NodeExpandVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeExpandVolumeRequest *csi.NodeExpandVolumeRequest
+func (_e *MockNodeServer_Expecter) NodeExpandVolume(context1 interface{}, nodeExpandVolumeRequest interface{}) *MockNodeServer_NodeExpandVolume_Call {
+	return &MockNodeServer_NodeExpandVolume_Call{Call: _e.mock.On("NodeExpandVolume", context1, nodeExpandVolumeRequest)}
+}
+
+func (_c *MockNodeServer_NodeExpandVolume_Call) Run(run func(context1 context.Context, nodeExpandVolumeRequest *csi.NodeExpandVolumeRequest)) *MockNodeServer_NodeExpandVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeExpandVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeExpandVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeExpandVolume_Call) Return(nodeExpandVolumeResponse *csi.NodeExpandVolumeResponse, err error) *MockNodeServer_NodeExpandVolume_Call {
+	_c.Call.Return(nodeExpandVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeExpandVolume_Call) RunAndReturn(run func(context1 context.Context, nodeExpandVolumeRequest *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error)) *MockNodeServer_NodeExpandVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeGetCapabilities provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeGetCapabilities(context1 context.Context, nodeGetCapabilitiesRequest *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error) {
+	ret := _mock.Called(context1, nodeGetCapabilitiesRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeGetCapabilities")
+	}
+
+	var r0 *csi.NodeGetCapabilitiesResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error)); ok {
+		return returnFunc(context1, nodeGetCapabilitiesRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetCapabilitiesRequest) *csi.NodeGetCapabilitiesResponse); ok {
+		r0 = returnFunc(context1, nodeGetCapabilitiesRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeGetCapabilitiesResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeGetCapabilitiesRequest) error); ok {
+		r1 = returnFunc(context1, nodeGetCapabilitiesRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeGetCapabilities_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetCapabilities'
+type MockNodeServer_NodeGetCapabilities_Call struct {
+	*mock.Call
+}
+
+// NodeGetCapabilities is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeGetCapabilitiesRequest *csi.NodeGetCapabilitiesRequest
+func (_e *MockNodeServer_Expecter) NodeGetCapabilities(context1 interface{}, nodeGetCapabilitiesRequest interface{}) *MockNodeServer_NodeGetCapabilities_Call {
+	return &MockNodeServer_NodeGetCapabilities_Call{Call: _e.mock.On("NodeGetCapabilities", context1, nodeGetCapabilitiesRequest)}
+}
+
+func (_c *MockNodeServer_NodeGetCapabilities_Call) Run(run func(context1 context.Context, nodeGetCapabilitiesRequest *csi.NodeGetCapabilitiesRequest)) *MockNodeServer_NodeGetCapabilities_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeGetCapabilitiesRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeGetCapabilitiesRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetCapabilities_Call) Return(nodeGetCapabilitiesResponse *csi.NodeGetCapabilitiesResponse, err error) *MockNodeServer_NodeGetCapabilities_Call {
+	_c.Call.Return(nodeGetCapabilitiesResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetCapabilities_Call) RunAndReturn(run func(context1 context.Context, nodeGetCapabilitiesRequest *csi.NodeGetCapabilitiesRequest) (*csi.NodeGetCapabilitiesResponse, error)) *MockNodeServer_NodeGetCapabilities_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeGetInfo provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeGetInfo(context1 context.Context, nodeGetInfoRequest *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error) {
+	ret := _mock.Called(context1, nodeGetInfoRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeGetInfo")
+	}
+
+	var r0 *csi.NodeGetInfoResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error)); ok {
+		return returnFunc(context1, nodeGetInfoRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetInfoRequest) *csi.NodeGetInfoResponse); ok {
+		r0 = returnFunc(context1, nodeGetInfoRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeGetInfoResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeGetInfoRequest) error); ok {
+		r1 = returnFunc(context1, nodeGetInfoRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeGetInfo_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetInfo'
+type MockNodeServer_NodeGetInfo_Call struct {
+	*mock.Call
+}
+
+// NodeGetInfo is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeGetInfoRequest *csi.NodeGetInfoRequest
+func (_e *MockNodeServer_Expecter) NodeGetInfo(context1 interface{}, nodeGetInfoRequest interface{}) *MockNodeServer_NodeGetInfo_Call {
+	return &MockNodeServer_NodeGetInfo_Call{Call: _e.mock.On("NodeGetInfo", context1, nodeGetInfoRequest)}
+}
+
+func (_c *MockNodeServer_NodeGetInfo_Call) Run(run func(context1 context.Context, nodeGetInfoRequest *csi.NodeGetInfoRequest)) *MockNodeServer_NodeGetInfo_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeGetInfoRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeGetInfoRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetInfo_Call) Return(nodeGetInfoResponse *csi.NodeGetInfoResponse, err error) *MockNodeServer_NodeGetInfo_Call {
+	_c.Call.Return(nodeGetInfoResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetInfo_Call) RunAndReturn(run func(context1 context.Context, nodeGetInfoRequest *csi.NodeGetInfoRequest) (*csi.NodeGetInfoResponse, error)) *MockNodeServer_NodeGetInfo_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeGetVolumeStats provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeGetVolumeStats(context1 context.Context, nodeGetVolumeStatsRequest *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) {
+	ret := _mock.Called(context1, nodeGetVolumeStatsRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeGetVolumeStats")
+	}
+
+	var r0 *csi.NodeGetVolumeStatsResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error)); ok {
+		return returnFunc(context1, nodeGetVolumeStatsRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeGetVolumeStatsRequest) *csi.NodeGetVolumeStatsResponse); ok {
+		r0 = returnFunc(context1, nodeGetVolumeStatsRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeGetVolumeStatsResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeGetVolumeStatsRequest) error); ok {
+		r1 = returnFunc(context1, nodeGetVolumeStatsRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeGetVolumeStats_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeGetVolumeStats'
+type MockNodeServer_NodeGetVolumeStats_Call struct {
+	*mock.Call
+}
+
+// NodeGetVolumeStats is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeGetVolumeStatsRequest *csi.NodeGetVolumeStatsRequest
+func (_e *MockNodeServer_Expecter) NodeGetVolumeStats(context1 interface{}, nodeGetVolumeStatsRequest interface{}) *MockNodeServer_NodeGetVolumeStats_Call {
+	return &MockNodeServer_NodeGetVolumeStats_Call{Call: _e.mock.On("NodeGetVolumeStats", context1, nodeGetVolumeStatsRequest)}
+}
+
+func (_c *MockNodeServer_NodeGetVolumeStats_Call) Run(run func(context1 context.Context, nodeGetVolumeStatsRequest *csi.NodeGetVolumeStatsRequest)) *MockNodeServer_NodeGetVolumeStats_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeGetVolumeStatsRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeGetVolumeStatsRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetVolumeStats_Call) Return(nodeGetVolumeStatsResponse *csi.NodeGetVolumeStatsResponse, err error) *MockNodeServer_NodeGetVolumeStats_Call {
+	_c.Call.Return(nodeGetVolumeStatsResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeGetVolumeStats_Call) RunAndReturn(run func(context1 context.Context, nodeGetVolumeStatsRequest *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error)) *MockNodeServer_NodeGetVolumeStats_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodePublishVolume provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodePublishVolume(context1 context.Context, nodePublishVolumeRequest *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
+	ret := _mock.Called(context1, nodePublishVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodePublishVolume")
+	}
+
+	var r0 *csi.NodePublishVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error)); ok {
+		return returnFunc(context1, nodePublishVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodePublishVolumeRequest) *csi.NodePublishVolumeResponse); ok {
+		r0 = returnFunc(context1, nodePublishVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodePublishVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodePublishVolumeRequest) error); ok {
+		r1 = returnFunc(context1, nodePublishVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodePublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodePublishVolume'
+type MockNodeServer_NodePublishVolume_Call struct {
+	*mock.Call
+}
+
+// NodePublishVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodePublishVolumeRequest *csi.NodePublishVolumeRequest
+func (_e *MockNodeServer_Expecter) NodePublishVolume(context1 interface{}, nodePublishVolumeRequest interface{}) *MockNodeServer_NodePublishVolume_Call {
+	return &MockNodeServer_NodePublishVolume_Call{Call: _e.mock.On("NodePublishVolume", context1, nodePublishVolumeRequest)}
+}
+
+func (_c *MockNodeServer_NodePublishVolume_Call) Run(run func(context1 context.Context, nodePublishVolumeRequest *csi.NodePublishVolumeRequest)) *MockNodeServer_NodePublishVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodePublishVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodePublishVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodePublishVolume_Call) Return(nodePublishVolumeResponse *csi.NodePublishVolumeResponse, err error) *MockNodeServer_NodePublishVolume_Call {
+	_c.Call.Return(nodePublishVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodePublishVolume_Call) RunAndReturn(run func(context1 context.Context, nodePublishVolumeRequest *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error)) *MockNodeServer_NodePublishVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeStageVolume provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeStageVolume(context1 context.Context, nodeStageVolumeRequest *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
+	ret := _mock.Called(context1, nodeStageVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeStageVolume")
+	}
+
+	var r0 *csi.NodeStageVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error)); ok {
+		return returnFunc(context1, nodeStageVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeStageVolumeRequest) *csi.NodeStageVolumeResponse); ok {
+		r0 = returnFunc(context1, nodeStageVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeStageVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeStageVolumeRequest) error); ok {
+		r1 = returnFunc(context1, nodeStageVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeStageVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeStageVolume'
+type MockNodeServer_NodeStageVolume_Call struct {
+	*mock.Call
+}
+
+// NodeStageVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeStageVolumeRequest *csi.NodeStageVolumeRequest
+func (_e *MockNodeServer_Expecter) NodeStageVolume(context1 interface{}, nodeStageVolumeRequest interface{}) *MockNodeServer_NodeStageVolume_Call {
+	return &MockNodeServer_NodeStageVolume_Call{Call: _e.mock.On("NodeStageVolume", context1, nodeStageVolumeRequest)}
+}
+
+func (_c *MockNodeServer_NodeStageVolume_Call) Run(run func(context1 context.Context, nodeStageVolumeRequest *csi.NodeStageVolumeRequest)) *MockNodeServer_NodeStageVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeStageVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeStageVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeStageVolume_Call) Return(nodeStageVolumeResponse *csi.NodeStageVolumeResponse, err error) *MockNodeServer_NodeStageVolume_Call {
+	_c.Call.Return(nodeStageVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeStageVolume_Call) RunAndReturn(run func(context1 context.Context, nodeStageVolumeRequest *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error)) *MockNodeServer_NodeStageVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeUnpublishVolume provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeUnpublishVolume(context1 context.Context, nodeUnpublishVolumeRequest *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
+	ret := _mock.Called(context1, nodeUnpublishVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeUnpublishVolume")
+	}
+
+	var r0 *csi.NodeUnpublishVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error)); ok {
+		return returnFunc(context1, nodeUnpublishVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeUnpublishVolumeRequest) *csi.NodeUnpublishVolumeResponse); ok {
+		r0 = returnFunc(context1, nodeUnpublishVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeUnpublishVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeUnpublishVolumeRequest) error); ok {
+		r1 = returnFunc(context1, nodeUnpublishVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeUnpublishVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeUnpublishVolume'
+type MockNodeServer_NodeUnpublishVolume_Call struct {
+	*mock.Call
+}
+
+// NodeUnpublishVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeUnpublishVolumeRequest *csi.NodeUnpublishVolumeRequest
+func (_e *MockNodeServer_Expecter) NodeUnpublishVolume(context1 interface{}, nodeUnpublishVolumeRequest interface{}) *MockNodeServer_NodeUnpublishVolume_Call {
+	return &MockNodeServer_NodeUnpublishVolume_Call{Call: _e.mock.On("NodeUnpublishVolume", context1, nodeUnpublishVolumeRequest)}
+}
+
+func (_c *MockNodeServer_NodeUnpublishVolume_Call) Run(run func(context1 context.Context, nodeUnpublishVolumeRequest *csi.NodeUnpublishVolumeRequest)) *MockNodeServer_NodeUnpublishVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeUnpublishVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeUnpublishVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeUnpublishVolume_Call) Return(nodeUnpublishVolumeResponse *csi.NodeUnpublishVolumeResponse, err error) *MockNodeServer_NodeUnpublishVolume_Call {
+	_c.Call.Return(nodeUnpublishVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeUnpublishVolume_Call) RunAndReturn(run func(context1 context.Context, nodeUnpublishVolumeRequest *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error)) *MockNodeServer_NodeUnpublishVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NodeUnstageVolume provides a mock function for the type MockNodeServer
+func (_mock *MockNodeServer) NodeUnstageVolume(context1 context.Context, nodeUnstageVolumeRequest *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
+	ret := _mock.Called(context1, nodeUnstageVolumeRequest)
+
+	if len(ret) == 0 {
+		panic("no return value specified for NodeUnstageVolume")
+	}
+
+	var r0 *csi.NodeUnstageVolumeResponse
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error)); ok {
+		return returnFunc(context1, nodeUnstageVolumeRequest)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *csi.NodeUnstageVolumeRequest) *csi.NodeUnstageVolumeResponse); ok {
+		r0 = returnFunc(context1, nodeUnstageVolumeRequest)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*csi.NodeUnstageVolumeResponse)
+		}
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *csi.NodeUnstageVolumeRequest) error); ok {
+		r1 = returnFunc(context1, nodeUnstageVolumeRequest)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockNodeServer_NodeUnstageVolume_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NodeUnstageVolume'
+type MockNodeServer_NodeUnstageVolume_Call struct {
+	*mock.Call
+}
+
+// NodeUnstageVolume is a helper method to define mock.On call
+//   - context1 context.Context
+//   - nodeUnstageVolumeRequest *csi.NodeUnstageVolumeRequest
+func (_e *MockNodeServer_Expecter) NodeUnstageVolume(context1 interface{}, nodeUnstageVolumeRequest interface{}) *MockNodeServer_NodeUnstageVolume_Call {
+	return &MockNodeServer_NodeUnstageVolume_Call{Call: _e.mock.On("NodeUnstageVolume", context1, nodeUnstageVolumeRequest)}
+}
+
+func (_c *MockNodeServer_NodeUnstageVolume_Call) Run(run func(context1 context.Context, nodeUnstageVolumeRequest *csi.NodeUnstageVolumeRequest)) *MockNodeServer_NodeUnstageVolume_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *csi.NodeUnstageVolumeRequest
+		if args[1] != nil {
+			arg1 = args[1].(*csi.NodeUnstageVolumeRequest)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockNodeServer_NodeUnstageVolume_Call) Return(nodeUnstageVolumeResponse *csi.NodeUnstageVolumeResponse, err error) *MockNodeServer_NodeUnstageVolume_Call {
+	_c.Call.Return(nodeUnstageVolumeResponse, err)
+	return _c
+}
+
+func (_c *MockNodeServer_NodeUnstageVolume_Call) RunAndReturn(run func(context1 context.Context, nodeUnstageVolumeRequest *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error)) *MockNodeServer_NodeUnstageVolume_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/test/e2e/storage/drivers/csi.go b/test/e2e/storage/drivers/csi.go
index d1253ddb7a89f..8d892e99bc543 100644
--- a/test/e2e/storage/drivers/csi.go
+++ b/test/e2e/storage/drivers/csi.go
@@ -40,6 +40,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -159,7 +160,9 @@ func InitHostPathCSIDriver() storageframework.TestDriver {
 		storageframework.CapReadWriteOncePod:               true,
 		storageframework.CapMultiplePVsSameID:              true,
 		storageframework.CapFSResizeFromSourceNotSupported: true,
-		storageframework.CapVolumeGroupSnapshot:            true,
+		// There are extensive tests that NodeStage / NodePublish are called with -o context in csimock/csi_selinux_mount.go,
+		// but the csi-driver-hostpath can't physically make -o context to appear in the mount table that the CapSELinuxMount tests expect.
+		storageframework.CapSELinuxMount: false,
 
 		// This is needed for the
 		// testsuites/volumelimits.go `should support volume limits`
@@ -167,6 +170,10 @@ func InitHostPathCSIDriver() storageframework.TestDriver {
 		// added when patching the deployment.
 		storageframework.CapVolumeLimits: true,
 	}
+	// TODO: It can be removed after the VolumeGroupSnapshot feature is default enabled
+	if os.Getenv("CSI_PROW_ENABLE_GROUP_SNAPSHOT") == "true" {
+		capabilities[storageframework.CapVolumeGroupSnapshot] = true
+	}
 	return initHostPathCSIDriver("csi-hostpath",
 		capabilities,
 		// Volume attributes don't matter, but we have to provide at least one map.
@@ -290,6 +297,15 @@ func (h *hostpathCSIDriver) PrepareTest(ctx context.Context, f *framework.Framew
 		DriverContainerArguments: []string{"--feature-gates=VolumeAttributesClass=true"},
 	})
 
+	// VGS E2E FeatureGate patches
+	// TODO: These can be removed after the VolumeGroupSnapshot feature is default enabled
+	if os.Getenv("CSI_PROW_ENABLE_GROUP_SNAPSHOT") == "true" {
+		patches = append(patches, utils.PatchCSIOptions{
+			DriverContainerName:      "csi-snapshotter",
+			DriverContainerArguments: []string{"--feature-gates=CSIVolumeGroupSnapshot=true"},
+		})
+	}
+
 	err = utils.CreateFromManifests(ctx, config.Framework, driverNamespace, func(item interface{}) error {
 		for _, o := range patches {
 			if err := utils.PatchCSIDeployment(config.Framework, o, item); err != nil {
@@ -717,11 +733,12 @@ func (m *mockCSIDriver) PrepareTest(ctx context.Context, f *framework.Framework)
 			storagev1.VolumeLifecyclePersistent,
 			storagev1.VolumeLifecycleEphemeral,
 		},
-		TokenRequests:     m.tokenRequests,
-		RequiresRepublish: m.requiresRepublish,
-		FSGroupPolicy:     m.fsGroupPolicy,
-		SELinuxMount:      m.enableSELinuxMount,
-		Features:          map[string][]string{},
+		TokenRequests:                m.tokenRequests,
+		RequiresRepublish:            m.requiresRepublish,
+		ServiceAccountTokenInSecrets: m.serviceAccountTokenInSecrets,
+		FSGroupPolicy:                m.fsGroupPolicy,
+		SELinuxMount:                 m.enableSELinuxMount,
+		Features:                     map[string][]string{},
 	}
 	if m.enableMutableCSINodeAllocatableCount {
 		o.Features["csi-attacher"] = []string{"MutableCSINodeAllocatableCount=true"}
diff --git a/test/e2e/storage/external/external.go b/test/e2e/storage/external/external.go
index 343b5a743af27..d0b59a148ba80 100644
--- a/test/e2e/storage/external/external.go
+++ b/test/e2e/storage/external/external.go
@@ -82,13 +82,8 @@ type driverDefinition struct {
 	// VolumeAttributesClass must be set to enable volume modification tests.
 	// The default is to not run those tests.
 	VolumeAttributesClass struct {
-		// FromName set to true enables the usage of a
-		// VolumeAttributesClass with DriverInfo.Name as
-		// provisioner and no parameters.
-		FromName bool
-
 		// FromFile is used only when FromName is false.  It
-		// loads a storage class from the given .yaml or .json
+		// loads a VolumeAttributesClass from the given .yaml or .json
 		// file. File names are resolved by the
 		// framework.testfiles package, which typically means
 		// that they can be absolute or relative to the test
@@ -126,6 +121,29 @@ type driverDefinition struct {
 		FromExistingClassName string
 	}
 
+	// GroupSnapshotClass must be set to enable groupsnapshotting tests.
+	// The default is to not run those tests.
+	GroupSnapshotClass struct {
+		// FromName set to true enables the usage of a
+		// groupsnapshotter class with DriverInfo.Name as provisioner.
+		FromName bool
+
+		// FromFile is used only when FromName is false.  It
+		// loads a groupsnapshot class from the given .yaml or .json
+		// file. File names are resolved by the
+		// framework.testfiles package, which typically means
+		// that they can be absolute or relative to the test
+		// suite's --repo-root parameter.
+		//
+		// This can be used when the groupsnapshot class is meant to have
+		// additional parameters.
+		FromFile string
+
+		// FromExistingClassName specifies the name of a pre-installed
+		// GroupSnapshotClass that will be copied and used for the tests.
+		FromExistingClassName string
+	}
+
 	// InlineVolumes defines one or more volumes for use as inline
 	// ephemeral volumes. At least one such volume has to be
 	// defined to enable testing of inline ephemeral volumes.  If
@@ -392,6 +410,20 @@ func loadSnapshotClass(filename string) (*unstructured.Unstructured, error) {
 	return snapshotClass, nil
 }
 
+func loadGroupSnapshotClass(filename string) (*unstructured.Unstructured, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	groupSnapshotClass := &unstructured.Unstructured{}
+
+	if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), data, groupSnapshotClass); err != nil {
+		return nil, fmt.Errorf("%s: %w", filename, err)
+	}
+
+	return groupSnapshotClass, nil
+}
+
 func (d *driverDefinition) GetSnapshotClass(ctx context.Context, e2econfig *storageframework.PerTestConfig, parameters map[string]string) *unstructured.Unstructured {
 	if !d.SnapshotClass.FromName && d.SnapshotClass.FromFile == "" && d.SnapshotClass.FromExistingClassName == "" {
 		e2eskipper.Skipf("Driver %q does not support snapshotting - skipping", d.DriverInfo.Name)
@@ -435,8 +467,51 @@ func (d *driverDefinition) GetSnapshotClass(ctx context.Context, e2econfig *stor
 	return utils.GenerateSnapshotClassSpec(snapshotter, parameters, ns)
 }
 
+func (d *driverDefinition) GetVolumeGroupSnapshotClass(ctx context.Context, e2econfig *storageframework.PerTestConfig, parameters map[string]string) *unstructured.Unstructured {
+	if !d.GroupSnapshotClass.FromName && d.GroupSnapshotClass.FromFile == "" && d.GroupSnapshotClass.FromExistingClassName == "" {
+		e2eskipper.Skipf("Driver %q does not support groupsnapshotting - skipping", d.DriverInfo.Name)
+	}
+
+	f := e2econfig.Framework
+	snapshotter := d.DriverInfo.Name
+	ns := e2econfig.Framework.Namespace.Name
+
+	switch {
+	case d.GroupSnapshotClass.FromName:
+		// Do nothing (just use empty parameters)
+	case d.GroupSnapshotClass.FromExistingClassName != "":
+		groupSnapshotClass, err := f.DynamicClient.Resource(utils.VolumeGroupSnapshotClassGVR).Get(ctx, d.GroupSnapshotClass.FromExistingClassName, metav1.GetOptions{})
+		framework.ExpectNoError(err, "getting snapshot class %s", d.SnapshotClass.FromExistingClassName)
+
+		if params, ok := groupSnapshotClass.Object["parameters"].(map[string]interface{}); ok {
+			for k, v := range params {
+				parameters[k] = v.(string)
+			}
+		}
+
+		if snapshotProvider, ok := groupSnapshotClass.Object["driver"]; ok {
+			snapshotter = snapshotProvider.(string)
+		}
+	case d.GroupSnapshotClass.FromFile != "":
+		groupSnapshotClass, err := loadGroupSnapshotClass(d.GroupSnapshotClass.FromFile)
+		framework.ExpectNoError(err, "load groupsnapshot class from %s", d.GroupSnapshotClass.FromFile)
+
+		if params, ok := groupSnapshotClass.Object["parameters"].(map[string]interface{}); ok {
+			for k, v := range params {
+				parameters[k] = v.(string)
+			}
+		}
+
+		if snapshotProvider, ok := groupSnapshotClass.Object["driver"]; ok {
+			snapshotter = snapshotProvider.(string)
+		}
+	}
+
+	return utils.GenerateVolumeGroupSnapshotClassSpec(snapshotter, parameters, ns)
+}
+
 func (d *driverDefinition) GetVolumeAttributesClass(ctx context.Context, e2econfig *storageframework.PerTestConfig) *storagev1.VolumeAttributesClass {
-	if !d.VolumeAttributesClass.FromName && d.VolumeAttributesClass.FromFile == "" && d.VolumeAttributesClass.FromExistingClassName == "" {
+	if d.VolumeAttributesClass.FromFile == "" && d.VolumeAttributesClass.FromExistingClassName == "" {
 		e2eskipper.Skipf("Driver %q has no configured VolumeAttributesClass - skipping", d.DriverInfo.Name)
 		return nil
 	}
@@ -448,8 +523,6 @@ func (d *driverDefinition) GetVolumeAttributesClass(ctx context.Context, e2econf
 
 	f := e2econfig.Framework
 	switch {
-	case d.VolumeAttributesClass.FromName:
-		vac = &storagev1.VolumeAttributesClass{DriverName: d.DriverInfo.Name}
 	case d.VolumeAttributesClass.FromExistingClassName != "":
 		vac, err = f.ClientSet.StorageV1().VolumeAttributesClasses().Get(ctx, d.VolumeAttributesClass.FromExistingClassName, metav1.GetOptions{})
 		framework.ExpectNoError(err, "getting VolumeAttributesClass %s", d.VolumeAttributesClass.FromExistingClassName)
diff --git a/test/e2e/storage/external/testdata/example.yaml b/test/e2e/storage/external/testdata/example.yaml
index 038d9054b09d3..ee4ef5a2bbd2d 100644
--- a/test/e2e/storage/external/testdata/example.yaml
+++ b/test/e2e/storage/external/testdata/example.yaml
@@ -2,6 +2,9 @@ StorageClass:
   FromExistingClassName: example
 VolumeAttributesClass:
   FromExistingClassName: example-vac
+GroupSnapshotClass:
+  FromExistingClassName: example-gsc
+
 DriverInfo:
   Name: example
   RequiredAccessModes:
@@ -12,6 +15,7 @@ DriverInfo:
     exec: true
     block: true
     fsGroup: true
+    groupSnapshot: true
     topology: true
     controllerExpansion: true
     nodeExpansion: true
diff --git a/test/e2e/storage/framework/testdriver.go b/test/e2e/storage/framework/testdriver.go
index 40b1ecda98cac..259fd1222bee7 100644
--- a/test/e2e/storage/framework/testdriver.go
+++ b/test/e2e/storage/framework/testdriver.go
@@ -130,7 +130,8 @@ type SnapshottableTestDriver interface {
 	GetSnapshotClass(ctx context.Context, config *PerTestConfig, parameters map[string]string) *unstructured.Unstructured
 }
 
-type VoulmeGroupSnapshottableTestDriver interface {
+// VolumeGroupSnapshottableTestDriver represents an interface for a TestDriver that supports DynamicGroupSnapshot
+type VolumeGroupSnapshottableTestDriver interface {
 	TestDriver
 	// GetVolumeGroupSnapshotClass returns a VolumeGroupSnapshotClass to create group snapshot.
 	GetVolumeGroupSnapshotClass(ctx context.Context, config *PerTestConfig, parameters map[string]string) *unstructured.Unstructured
@@ -224,6 +225,9 @@ const (
 
 	// The driver supports ReadOnlyMany (ROX) access mode
 	CapReadOnlyMany Capability = "capReadOnlyMany"
+
+	// The driver supports SELinuxMount feature
+	CapSELinuxMount Capability = "seLinuxMount"
 )
 
 // DriverInfo represents static information about a TestDriver.
diff --git a/test/e2e/storage/framework/volume_group_snapshot_resource.go b/test/e2e/storage/framework/volume_group_snapshot_resource.go
index 842b2da3c68ba..1a7a180b12bc7 100644
--- a/test/e2e/storage/framework/volume_group_snapshot_resource.go
+++ b/test/e2e/storage/framework/volume_group_snapshot_resource.go
@@ -64,7 +64,7 @@ type VolumeGroupSnapshotResource struct {
 // CreateVolumeGroupSnapshot creates a VolumeGroupSnapshotClass with given SnapshotDeletionPolicy and a VolumeGroupSnapshot
 // from the VolumeGroupSnapshotClass using a dynamic client.
 // Returns the unstructured VolumeGroupSnapshotClass and VolumeGroupSnapshot objects.
-func CreateVolumeGroupSnapshot(ctx context.Context, sDriver VoulmeGroupSnapshottableTestDriver, config *PerTestConfig, pattern TestPattern, groupName string, pvcNamespace string, timeouts *framework.TimeoutContext, parameters map[string]string) (*unstructured.Unstructured, *unstructured.Unstructured, *unstructured.Unstructured) {
+func CreateVolumeGroupSnapshot(ctx context.Context, sDriver VolumeGroupSnapshottableTestDriver, config *PerTestConfig, pattern TestPattern, groupName string, pvcNamespace string, timeouts *framework.TimeoutContext, parameters map[string]string) (*unstructured.Unstructured, *unstructured.Unstructured, *unstructured.Unstructured) {
 	defer ginkgo.GinkgoRecover()
 	var err error
 	if pattern.SnapshotType != VolumeGroupSnapshot {
@@ -120,7 +120,7 @@ func (r *VolumeGroupSnapshotResource) CleanupResource(ctx context.Context, timeo
 }
 
 // CreateVolumeGroupSnapshotResource creates a VolumeGroupSnapshotResource object with the given parameters.
-func CreateVolumeGroupSnapshotResource(ctx context.Context, sDriver VoulmeGroupSnapshottableTestDriver, config *PerTestConfig, pattern TestPattern, pvcName string, pvcNamespace string, timeouts *framework.TimeoutContext, parameters map[string]string) *VolumeGroupSnapshotResource {
+func CreateVolumeGroupSnapshotResource(ctx context.Context, sDriver VolumeGroupSnapshottableTestDriver, config *PerTestConfig, pattern TestPattern, pvcName string, pvcNamespace string, timeouts *framework.TimeoutContext, parameters map[string]string) *VolumeGroupSnapshotResource {
 	vgsClass, snapshot, vgsc := CreateVolumeGroupSnapshot(ctx, sDriver, config, pattern, pvcName, pvcNamespace, timeouts, parameters)
 	vgs := &VolumeGroupSnapshotResource{
 		Config:     config,
diff --git a/test/e2e/storage/framework/volume_resource.go b/test/e2e/storage/framework/volume_resource.go
index 7f01fa1032ae9..9208f39a78b95 100644
--- a/test/e2e/storage/framework/volume_resource.go
+++ b/test/e2e/storage/framework/volume_resource.go
@@ -24,7 +24,6 @@ import (
 	"github.com/onsi/ginkgo/v2"
 	v1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
-	storagev1beta1 "k8s.io/api/storage/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -47,7 +46,6 @@ type VolumeResource struct {
 	Pvc       *v1.PersistentVolumeClaim
 	Pv        *v1.PersistentVolume
 	Sc        *storagev1.StorageClass
-	Vac       *storagev1beta1.VolumeAttributesClass
 
 	Volume TestVolume
 }
diff --git a/test/e2e/storage/persistent_volumes.go b/test/e2e/storage/persistent_volumes.go
index 7686a0b6fac2a..44761f6df077a 100644
--- a/test/e2e/storage/persistent_volumes.go
+++ b/test/e2e/storage/persistent_volumes.go
@@ -31,9 +31,11 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	types "k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2epv "k8s.io/kubernetes/test/e2e/framework/pv"
@@ -211,6 +213,25 @@ var _ = utils.SIGDescribe("PersistentVolumes", func() {
 				completeTest(ctx, f, c, ns, pv, pvc)
 			})
 
+			// The same as above, but with multiple volumes reference the same PVC in the pod.
+			ginkgo.It("create a PVC and use it multiple times in a single pod", func(ctx context.Context) {
+				pv, pvc, err = e2epv.CreatePVPVC(ctx, c, f.Timeouts, pvConfig, pvcConfig, ns, true)
+				framework.ExpectNoError(err)
+
+				framework.Logf("Creating nfs test pod")
+				pod := e2epod.MakePod(ns, nil, []*v1.PersistentVolumeClaim{pvc, pvc}, admissionapi.LevelPrivileged,
+					"touch /mnt/volume1/SUCCESS && cat /mnt/volume2/SUCCESS")
+				runPod, err := c.CoreV1().Pods(ns).Create(ctx, pod, metav1.CreateOptions{})
+				framework.ExpectNoError(err)
+				defer func() {
+					err := e2epod.DeletePodWithWait(ctx, c, runPod)
+					framework.ExpectNoError(err)
+				}()
+
+				err = testPodSuccessOrFail(ctx, c, f.Timeouts, ns, runPod)
+				framework.ExpectNoError(err)
+			})
+
 			// Create new PV without claim, verify it's in Available state and LastPhaseTransitionTime is set.
 			f.It("create a PV: test phase transition timestamp is set and phase is Available", func(ctx context.Context) {
 				pvObj := e2epv.MakePersistentVolume(pvConfig)
@@ -475,24 +496,28 @@ var _ = utils.SIGDescribe("PersistentVolumes", func() {
 			framework.ExpectNoError(err, "Failed to list PVs with the labelSelector: %q", volLabel.AsSelector().String())
 			gomega.Expect(pvList.Items).To(gomega.HaveLen(1))
 			initialPV := pvList.Items[0]
+			gomega.Expect(&initialPV).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By(fmt.Sprintf("Listing PVCs in namespace %q", ns))
 			pvcList, err := pvcClient.List(ctx, metav1.ListOptions{})
 			framework.ExpectNoError(err, "Failed to list PVCs with the labelSelector: %q", volLabel.AsSelector().String())
 			gomega.Expect(pvcList.Items).To(gomega.HaveLen(1))
 			initialPVC := pvcList.Items[0]
+			gomega.Expect(&initialPVC).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By(fmt.Sprintf("Patching the PV %q", initialPV.Name))
 			payload := "{\"metadata\":{\"labels\":{\"" + initialPV.Name + "\":\"patched\"}}}"
 			patchedPV, err := pvClient.Patch(ctx, initialPV.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "Failed to patch PV %q", initialPV.Name)
 			gomega.Expect(patchedPV.Labels).To(gomega.HaveKeyWithValue(patchedPV.Name, "patched"), "Checking that patched label has been applied")
+			gomega.Expect(resourceversion.CompareResourceVersion(initialPV.ResourceVersion, patchedPV.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 			ginkgo.By(fmt.Sprintf("Patching the PVC %q", initialPVC.Name))
 			payload = "{\"metadata\":{\"labels\":{\"" + initialPVC.Name + "\":\"patched\"}}}"
 			patchedPVC, err := pvcClient.Patch(ctx, initialPVC.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "Failed to patch PVC %q", initialPVC.Name)
 			gomega.Expect(patchedPVC.Labels).To(gomega.HaveKeyWithValue(patchedPVC.Name, "patched"), "Checking that patched label has been applied")
+			gomega.Expect(resourceversion.CompareResourceVersion(initialPVC.ResourceVersion, patchedPVC.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 			ginkgo.By(fmt.Sprintf("Getting PV %q", patchedPV.Name))
 			retrievedPV, err := pvClient.Get(ctx, patchedPV.Name, metav1.GetOptions{})
diff --git a/test/e2e/storage/pvc_protection.go b/test/e2e/storage/pvc_protection.go
index cc49cf2f2ab72..6cfcc748f3cf8 100644
--- a/test/e2e/storage/pvc_protection.go
+++ b/test/e2e/storage/pvc_protection.go
@@ -82,7 +82,7 @@ var _ = utils.SIGDescribe("PVC Protection", func() {
 		e2epv.SkipIfNoDefaultStorageClass(ctx, client)
 		t := testsuites.StorageClassTest{
 			Timeouts:  f.Timeouts,
-			ClaimSize: "1Gi",
+			ClaimSize: "10Gi",
 		}
 		pvc = e2epv.MakePersistentVolumeClaim(e2epv.PersistentVolumeClaimConfig{
 			NamePrefix: prefix,
diff --git a/test/e2e/storage/storageclass.go b/test/e2e/storage/storageclass.go
index 8b33028938c64..30d38563d336f 100644
--- a/test/e2e/storage/storageclass.go
+++ b/test/e2e/storage/storageclass.go
@@ -25,7 +25,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -68,6 +70,7 @@ var _ = utils.SIGDescribe("StorageClasses", func() {
 			ginkgo.By("Creating a StorageClass")
 			createdStorageClass, err := scClient.Create(ctx, initialSC, metav1.CreateOptions{})
 			framework.ExpectNoError(err, "failed to create the requested StorageClass")
+			gomega.Expect(createdStorageClass).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By(fmt.Sprintf("Get StorageClass %q", createdStorageClass.Name))
 			retrievedStorageClass, err := scClient.Get(ctx, createdStorageClass.Name, metav1.GetOptions{})
@@ -78,6 +81,7 @@ var _ = utils.SIGDescribe("StorageClasses", func() {
 			patchedStorageClass, err := scClient.Patch(ctx, retrievedStorageClass.Name, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "failed to patch StorageClass %q", retrievedStorageClass.Name)
 			gomega.Expect(patchedStorageClass.Labels).To(gomega.HaveKeyWithValue(patchedStorageClass.Name, "patched"), "checking that patched label has been applied")
+			gomega.Expect(resourceversion.CompareResourceVersion(retrievedStorageClass.ResourceVersion, patchedStorageClass.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 			ginkgo.By(fmt.Sprintf("Delete StorageClass %q", patchedStorageClass.Name))
 			err = scClient.Delete(ctx, patchedStorageClass.Name, metav1.DeleteOptions{})
diff --git a/test/e2e/storage/testsuites/base.go b/test/e2e/storage/testsuites/base.go
index e04c567bd0f3c..0208e59cf7a72 100644
--- a/test/e2e/storage/testsuites/base.go
+++ b/test/e2e/storage/testsuites/base.go
@@ -74,8 +74,10 @@ var BaseSuites = []func() storageframework.TestSuite{
 	},
 }
 
-// CSISuites is a list of storage test suites that work only for CSI drivers
+// CSISuites is a list of storage test suites that work only for CSI drivers.
 var CSISuites = append(BaseSuites,
+	// The following tests suites must not be already in BaseSuites,
+	// otherwise the same configuration gets tested multiple times.
 	func() storageframework.TestSuite {
 		return InitCustomEphemeralTestSuite(CSIEphemeralTestPatterns())
 	},
@@ -86,6 +88,7 @@ var CSISuites = append(BaseSuites,
 	InitReadWriteOncePodTestSuite,
 	InitVolumeModifyTestSuite,
 	InitVolumeModifyStressTestSuite,
+	InitSELinuxMountTestSuite,
 )
 
 func getVolumeOpsFromMetricsForPlugin(ms testutil.Metrics, pluginName string) opCounts {
diff --git a/test/e2e/storage/testsuites/readwriteoncepod.go b/test/e2e/storage/testsuites/readwriteoncepod.go
index a149084b3543b..6236f9e02b0e1 100644
--- a/test/e2e/storage/testsuites/readwriteoncepod.go
+++ b/test/e2e/storage/testsuites/readwriteoncepod.go
@@ -60,7 +60,7 @@ func InitCustomReadWriteOncePodTestSuite(patterns []storageframework.TestPattern
 		tsInfo: storageframework.TestSuiteInfo{
 			Name:         "read-write-once-pod",
 			TestPatterns: patterns,
-			TestTags:     []interface{}{framework.WithLabel("MinimumKubeletVersion:1.27")},
+			TestTags:     []interface{}{},
 		},
 	}
 }
diff --git a/test/e2e/storage/testsuites/selinuxmount.go b/test/e2e/storage/testsuites/selinuxmount.go
new file mode 100644
index 0000000000000..b99d1f234dae6
--- /dev/null
+++ b/test/e2e/storage/testsuites/selinuxmount.go
@@ -0,0 +1,232 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package testsuites
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/component-base/featuregate"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/feature"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
+	e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
+	storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
+	admissionapi "k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
+)
+
+type seLinuxMountTestSuite struct {
+	tsInfo storageframework.TestSuiteInfo
+}
+
+var (
+	// Pod SELinux label used in the test pods.
+	seLinuxLabel = &v1.SELinuxOptions{Level: "s0:c0,c1"}
+	// The expected SELinux mount option, matching both Debian (system_u:object_r:svirt_lxc_net_t) and Fedore based distros (system_u:object_r:container_file_t)
+	seLinuxMountOptionRE = "context=\"system_u:object_r:[^:]*:s0:c0,c1\""
+)
+
+// InitCustomSELinuxMountTestSuite returns seLinuxMountTestSuite that implements TestSuite interface
+// using custom test patterns
+func InitCustomSELinuxMountTestSuite(patterns []storageframework.TestPattern) storageframework.TestSuite {
+	return &seLinuxMountTestSuite{
+		tsInfo: storageframework.TestSuiteInfo{
+			Name:         "seLinuxMount",
+			TestPatterns: patterns,
+			SupportedSizeRange: e2evolume.SizeRange{
+				Min: "1Mi",
+			},
+			TestTags: []interface{}{
+				feature.SELinux,
+				framework.WithFeatureGate(features.SELinuxMountReadWriteOncePod),
+				framework.WithFeatureGate(features.SELinuxChangePolicy),
+			},
+		},
+	}
+}
+
+// InitSELinuxMountTestSuite returns seLinuxMountTestSuite that implements TestSuite interface
+// using testsuite default patterns
+func InitSELinuxMountTestSuite() storageframework.TestSuite {
+	patterns := []storageframework.TestPattern{
+		storageframework.DefaultFsDynamicPV,
+	}
+	return InitCustomSELinuxMountTestSuite(patterns)
+}
+
+func (s *seLinuxMountTestSuite) GetTestSuiteInfo() storageframework.TestSuiteInfo {
+	return s.tsInfo
+}
+
+func (s *seLinuxMountTestSuite) SkipUnsupportedTests(driver storageframework.TestDriver, pattern storageframework.TestPattern) {
+	if !driver.GetDriverInfo().Capabilities[storageframework.CapSELinuxMount] {
+		e2eskipper.Skipf("Driver %q does not support SELinuxMount - skipping", driver.GetDriverInfo().Name)
+	}
+}
+
+func (s *seLinuxMountTestSuite) DefineTests(driver storageframework.TestDriver, pattern storageframework.TestPattern) {
+	type local struct {
+		config *storageframework.PerTestConfig
+
+		resource *storageframework.VolumeResource
+		pod      *v1.Pod
+	}
+	var l local
+
+	// Beware that it also registers an AfterEach which renders f unusable. Any code using
+	// f must run inside an It or Context callback.
+	f := framework.NewFrameworkWithCustomTimeouts("selinux-mount", storageframework.GetDriverTimeouts(driver))
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	init := func(ctx context.Context, accessMode v1.PersistentVolumeAccessMode) {
+		l = local{}
+		l.config = driver.PrepareTest(ctx, f)
+		testVolumeSizeRange := s.GetTestSuiteInfo().SupportedSizeRange
+		l.resource = storageframework.CreateVolumeResourceWithAccessModes(ctx, driver, l.config, pattern, testVolumeSizeRange, []v1.PersistentVolumeAccessMode{accessMode}, nil)
+	}
+
+	cleanup := func(ctx context.Context) {
+		var errs []error
+		if l.pod != nil {
+			ginkgo.By("Deleting pod")
+			err := e2epod.DeletePodWithWait(ctx, f.ClientSet, l.pod)
+			errs = append(errs, err)
+			l.pod = nil
+		}
+
+		if l.resource != nil {
+			errs = append(errs, l.resource.CleanupResource(ctx))
+			l.resource = nil
+		}
+
+		framework.ExpectNoError(errors.NewAggregate(errs), "while cleaning up resource")
+	}
+
+	tests := []struct {
+		name                     string
+		accessMode               v1.PersistentVolumeAccessMode
+		seLinuxChangePolicy      *v1.PodSELinuxChangePolicy
+		featureGates             []featuregate.Feature
+		expectSELinuxMountOption bool
+	}{
+		{
+			name:                     "Pod with RWOP volume and the default policy",
+			accessMode:               v1.ReadWriteOncePod,
+			seLinuxChangePolicy:      nil, // implies mount option
+			expectSELinuxMountOption: true,
+		},
+		{
+			name:                     "Pod with RWO volume and mount policy",
+			accessMode:               v1.ReadWriteOnce,
+			seLinuxChangePolicy:      ptr.To(v1.SELinuxChangePolicyMountOption),
+			featureGates:             []featuregate.Feature{features.SELinuxMount},
+			expectSELinuxMountOption: true,
+		},
+		{
+			name:                     "Pod with RWOP volume and recursive policy",
+			accessMode:               v1.ReadWriteOncePod,
+			seLinuxChangePolicy:      ptr.To(v1.SELinuxChangePolicyRecursive),
+			expectSELinuxMountOption: false,
+		},
+		{
+			name:                     "Pod with RWO and recursive policy",
+			accessMode:               v1.ReadWriteOnce,
+			seLinuxChangePolicy:      ptr.To(v1.SELinuxChangePolicyRecursive),
+			expectSELinuxMountOption: false,
+		},
+	}
+	for _, test := range tests {
+		framework.Context(test.name, func() {
+			// Compose framework.It arguments dynamically, because the feature gates are dynamic
+			var args []interface{}
+			// Test name
+			if test.expectSELinuxMountOption {
+				args = append(args, "should mount volumes with SELinux mount option")
+			} else {
+				args = append(args, "should mount volumes without SELinux mount option")
+			}
+			// Feature gates
+			for _, fg := range test.featureGates {
+				args = append(args, framework.WithFeatureGate(fg))
+			}
+			// The test body
+			args = append(args, func(ctx context.Context) {
+				init(ctx, test.accessMode)
+				ginkgo.DeferCleanup(cleanup)
+
+				ginkgo.By("Creating a pod with PVC")
+				podConfig := e2epod.Config{
+					NS:                     f.Namespace.Name,
+					PVCs:                   []*v1.PersistentVolumeClaim{l.resource.Pvc},
+					SeLinuxLabel:           seLinuxLabel,
+					NodeSelection:          l.config.ClientNodeSelection,
+					PodSELinuxChangePolicy: test.seLinuxChangePolicy,
+				}
+				var err error
+				l.pod, err = e2epod.CreateSecPod(ctx, f.ClientSet, &podConfig, f.Timeouts.PodStart)
+				framework.ExpectNoError(err, "while creating the pod")
+
+				ginkgo.By("Waiting for pod to be ready")
+				err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, l.pod)
+				framework.ExpectNoError(err, "while waiting for the pod to be ready")
+
+				ginkgo.By("Checking the volume mount options")
+				mountOptions, err := getVolumeMountOptions(f, l.pod.Name, "write-pod", "/mnt/volume1")
+				framework.ExpectNoError(err, "while getting the mount options")
+				framework.Logf("Detected mount options: %s", mountOptions)
+				if test.expectSELinuxMountOption {
+					gomega.Expect(mountOptions).To(gomega.MatchRegexp(seLinuxMountOptionRE), "-o context mount option should be present")
+				} else {
+					gomega.Expect(mountOptions).NotTo(gomega.MatchRegexp(seLinuxMountOptionRE), "-o context mount option should not be present")
+				}
+			})
+			framework.It(args...)
+		})
+	}
+}
+
+func getVolumeMountOptions(f *framework.Framework, podName string, containerName string, volumePath string) (string, error) {
+	cmd := []string{"cat", "/proc/mounts"}
+	stdout, stderr, err := e2epod.ExecCommandInContainerWithFullOutput(f, podName, containerName, cmd...)
+	if err != nil {
+		// Log all details about the call, except the error that will be logged by the caller
+		framework.Logf("Executed: %s", strings.Join(cmd, " "))
+		framework.Logf("stdout: %s", stdout)
+		framework.Logf("stderr: %s", stderr)
+		return "", err
+	}
+
+	for _, line := range strings.Split(stdout, "\n") {
+		parts := strings.Fields(line)
+		if len(parts) < 4 {
+			continue
+		}
+		mountPath := parts[1]
+		if mountPath == volumePath {
+			return parts[3], nil
+		}
+	}
+	return "", fmt.Errorf("volume path %s not found in /proc/mounts", volumePath)
+}
diff --git a/test/e2e/storage/testsuites/volume_expand.go b/test/e2e/storage/testsuites/volume_expand.go
index 7ffacae370750..e1db1feac87f7 100644
--- a/test/e2e/storage/testsuites/volume_expand.go
+++ b/test/e2e/storage/testsuites/volume_expand.go
@@ -117,6 +117,12 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver,
 	f := framework.NewFrameworkWithCustomTimeouts("volume-expand", storageframework.GetDriverTimeouts(driver))
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
+	driverSizeRange := driver.GetDriverInfo().SupportedSizeRange
+	expandSize := resource.MustParse("1Gi")
+	if driverSizeRange.Step != "" {
+		expandSize = resource.MustParse(driverSizeRange.Step)
+	}
+
 	init := func(ctx context.Context) {
 		l = local{}
 
@@ -182,7 +188,7 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver,
 			ginkgo.By("Expanding non-expandable pvc")
 			currentPvcSize := l.resource.Pvc.Spec.Resources.Requests[v1.ResourceStorage]
 			newSize := currentPvcSize.DeepCopy()
-			newSize.Add(resource.MustParse("1Gi"))
+			newSize.Add(expandSize)
 			framework.Logf("currentPvcSize %v, newSize %v", currentPvcSize, newSize)
 			_, err = ExpandPVCSizeToError(ctx, l.resource.Pvc, newSize, f.ClientSet)
 			gomega.Expect(err).To(gomega.MatchError(apierrors.IsForbidden, "While updating non-expandable PVC"))
@@ -217,7 +223,7 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver,
 			ginkgo.By("Expanding current pvc")
 			currentPvcSize := l.resource.Pvc.Spec.Resources.Requests[v1.ResourceStorage]
 			newSize := currentPvcSize.DeepCopy()
-			newSize.Add(resource.MustParse("1Gi"))
+			newSize.Add(expandSize)
 			framework.Logf("currentPvcSize %v, newSize %v", currentPvcSize, newSize)
 			newPVC, err := ExpandPVCSize(ctx, l.resource.Pvc, newSize, f.ClientSet)
 			framework.ExpectNoError(err, "While updating pvc for more size")
@@ -289,7 +295,7 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver,
 			ginkgo.By("Expanding current pvc")
 			currentPvcSize := l.resource.Pvc.Spec.Resources.Requests[v1.ResourceStorage]
 			newSize := currentPvcSize.DeepCopy()
-			newSize.Add(resource.MustParse("1Gi"))
+			newSize.Add(expandSize)
 			framework.Logf("currentPvcSize %v, newSize %v", currentPvcSize, newSize)
 			newPVC, err := ExpandPVCSize(ctx, l.resource.Pvc, newSize, f.ClientSet)
 			framework.ExpectNoError(err, "While updating pvc for more size")
@@ -341,7 +347,7 @@ func (v *volumeExpandTestSuite) DefineTests(driver storageframework.TestDriver,
 			ginkgo.By("Expanding current pvc")
 			currentPvcSize := l.resource.Pvc.Spec.Resources.Requests[v1.ResourceStorage]
 			newSize := currentPvcSize.DeepCopy()
-			newSize.Add(resource.MustParse("1Gi"))
+			newSize.Add(expandSize)
 			framework.Logf("currentPvcSize %v, newSize %v", currentPvcSize, newSize)
 			newPVC, err := ExpandPVCSize(ctx, l.resource.Pvc, newSize, f.ClientSet)
 			framework.ExpectNoError(err, "While updating pvc for more size")
diff --git a/test/e2e/storage/testsuites/volume_group_snapshottable.go b/test/e2e/storage/testsuites/volume_group_snapshottable.go
index e823442a5c62e..f603ad6f3c8e3 100644
--- a/test/e2e/storage/testsuites/volume_group_snapshottable.go
+++ b/test/e2e/storage/testsuites/volume_group_snapshottable.go
@@ -20,35 +20,42 @@ import (
 	"context"
 	"crypto/sha256"
 	"fmt"
+	"strings"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
+	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2epv "k8s.io/kubernetes/test/e2e/framework/pv"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
+	e2estatefulset "k8s.io/kubernetes/test/e2e/framework/statefulset"
 	e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 	storageframework "k8s.io/kubernetes/test/e2e/storage/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
 type volumeGroupSnapshottableTest struct {
-	config      *storageframework.PerTestConfig
-	pods        []*v1.Pod
-	volumeGroup [3][]*storageframework.VolumeResource
-	snapshots   []*storageframework.VolumeGroupSnapshotResource
-	numPods     int
-	numVolumes  int
+	config          *storageframework.PerTestConfig
+	statefulSet     *appsv1.StatefulSet
+	pods            []*v1.Pod
+	volumeResources []*storageframework.VolumeResource
+	snapshots       []*storageframework.VolumeGroupSnapshotResource
+	numReplicas     int
 }
 
+// VolumeGroupSnapshottableTestSuite represents a test suite for testing volume group snapshot functionality.
 type VolumeGroupSnapshottableTestSuite struct {
 	tsInfo storageframework.TestSuiteInfo
 }
 
+// InitVolumeGroupSnapshottableTestSuite initializes the test suite for volume group snapshottable functionality.
 func InitVolumeGroupSnapshottableTestSuite() storageframework.TestSuite {
 	patterns := []storageframework.TestPattern{
 		storageframework.VolumeGroupSnapshotDelete,
@@ -56,6 +63,8 @@ func InitVolumeGroupSnapshottableTestSuite() storageframework.TestSuite {
 	return InitCustomGroupSnapshottableTestSuite(patterns)
 }
 
+// InitCustomGroupSnapshottableTestSuite initializes a custom test suite for volume group snapshottable tests
+// with the provided test patterns.
 func InitCustomGroupSnapshottableTestSuite(patterns []storageframework.TestPattern) storageframework.TestSuite {
 	return &VolumeGroupSnapshottableTestSuite{
 		tsInfo: storageframework.TestSuiteInfo{
@@ -69,143 +78,225 @@ func InitCustomGroupSnapshottableTestSuite(patterns []storageframework.TestPatte
 	}
 }
 
+// SkipUnsupportedTests skips tests if the driver does not support group snapshots.
 func (s *VolumeGroupSnapshottableTestSuite) SkipUnsupportedTests(driver storageframework.TestDriver, pattern storageframework.TestPattern) {
 	// Check preconditions.
 	dInfo := driver.GetDriverInfo()
 	ok := false
-	_, ok = driver.(storageframework.VoulmeGroupSnapshottableTestDriver)
+	_, ok = driver.(storageframework.VolumeGroupSnapshottableTestDriver)
 	if !dInfo.Capabilities[storageframework.CapVolumeGroupSnapshot] || !ok {
 		e2eskipper.Skipf("Driver %q does not support group snapshots - skipping", dInfo.Name)
 	}
 }
 
+// GetTestSuiteInfo returns the test suite information for the VolumeGroupSnapshottableTestSuite.
 func (s *VolumeGroupSnapshottableTestSuite) GetTestSuiteInfo() storageframework.TestSuiteInfo {
 	return s.tsInfo
 }
 
+// DefineTests defines the test cases for the VolumeGroupSnapshottableTestSuite.
 func (s *VolumeGroupSnapshottableTestSuite) DefineTests(driver storageframework.TestDriver, pattern storageframework.TestPattern) {
 	labelKey := "group"
 	labelValue := "test-group"
 	f := framework.NewDefaultFramework("volumegroupsnapshottable")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 	ginkgo.Describe("VolumeGroupSnapshottable", func() {
+		var tk *e2ekubectl.TestKubeconfig
+		ginkgo.BeforeEach(func() {
+			tk = e2ekubectl.NewTestKubeconfig(framework.TestContext.CertDir, framework.TestContext.Host, framework.TestContext.KubeConfig, framework.TestContext.KubeContext, framework.TestContext.KubectlPath, f.Namespace.Name)
+		})
 
 		ginkgo.Context("", func() {
 			var (
-				snapshottableDriver storageframework.VoulmeGroupSnapshottableTestDriver
+				snapshottableDriver storageframework.VolumeGroupSnapshottableTestDriver
 				cs                  clientset.Interface
 				groupTest           *volumeGroupSnapshottableTest
 			)
 			init := func(ctx context.Context) {
-				snapshottableDriver = driver.(storageframework.VoulmeGroupSnapshottableTestDriver)
+				snapshottableDriver = driver.(storageframework.VolumeGroupSnapshottableTestDriver)
 				cs = f.ClientSet
 				config := driver.PrepareTest(ctx, f)
 
 				groupTest = &volumeGroupSnapshottableTest{
-					config:      config,
-					volumeGroup: [3][]*storageframework.VolumeResource{},
-					snapshots:   []*storageframework.VolumeGroupSnapshotResource{},
-					pods:        []*v1.Pod{},
-					numPods:     1,
-					numVolumes:  3,
+					config:          config,
+					volumeResources: []*storageframework.VolumeResource{},
+					snapshots:       []*storageframework.VolumeGroupSnapshotResource{},
+					pods:            []*v1.Pod{},
+					numReplicas:     3,
 				}
 			}
 
-			createGroupLabel := func(ctx context.Context, pvc *v1.PersistentVolumeClaim, labelKey, labelValue string) {
-				if pvc.Labels == nil {
-					pvc.Labels = map[string]string{}
+			createStatefulSetAndVolumes := func(ctx context.Context) {
+				// Create volume resource which includes storage class
+				volumeResource := storageframework.CreateVolumeResource(ctx, driver, groupTest.config, pattern, s.GetTestSuiteInfo().SupportedSizeRange)
+				groupTest.volumeResources = append(groupTest.volumeResources, volumeResource)
+
+				// Create StatefulSet with volumeClaimTemplates
+				statefulSetName := fmt.Sprintf("statefulset-vgs-%s", f.Namespace.Name)
+				replicas := int32(groupTest.numReplicas)
+
+				statefulSet := &appsv1.StatefulSet{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      statefulSetName,
+						Namespace: f.Namespace.Name,
+					},
+					Spec: appsv1.StatefulSetSpec{
+						Replicas: &replicas,
+						Selector: &metav1.LabelSelector{
+							MatchLabels: map[string]string{
+								"app": statefulSetName,
+							},
+						},
+						Template: v1.PodTemplateSpec{
+							ObjectMeta: metav1.ObjectMeta{
+								Labels: map[string]string{
+									"app": statefulSetName,
+								},
+							},
+							Spec: v1.PodSpec{
+								Containers: []v1.Container{
+									{
+										Name:    "test-container",
+										Image:   e2epod.GetDefaultTestImage(),
+										Command: []string{"sleep", "3600"},
+										VolumeMounts: []v1.VolumeMount{
+											{
+												Name:      "data",
+												MountPath: "/mnt/data",
+											},
+										},
+									},
+								},
+							},
+						},
+						VolumeClaimTemplates: []v1.PersistentVolumeClaim{
+							{
+								ObjectMeta: metav1.ObjectMeta{
+									Name: "data",
+									Labels: map[string]string{
+										labelKey: labelValue,
+									},
+								},
+								Spec: v1.PersistentVolumeClaimSpec{
+									AccessModes: []v1.PersistentVolumeAccessMode{
+										v1.ReadWriteOnce,
+									},
+									Resources: v1.VolumeResourceRequirements{
+										Requests: v1.ResourceList{
+											v1.ResourceStorage: resource.MustParse(s.GetTestSuiteInfo().SupportedSizeRange.Min),
+										},
+									},
+									StorageClassName: &volumeResource.Sc.Name,
+								},
+							},
+						},
+					},
 				}
-				pvc.Labels[labelKey] = labelValue
-				_, err := cs.CoreV1().PersistentVolumeClaims(pvc.GetNamespace()).Update(ctx, pvc, metav1.UpdateOptions{})
-				framework.ExpectNoError(err, "failed to update PVC %s", pvc.Name)
-			}
 
-			createPodsAndVolumes := func(ctx context.Context) {
-				for i := 0; i < groupTest.numPods; i++ {
-					framework.Logf("Creating resources for pod %d/%d", i, groupTest.numPods-1)
-					for j := 0; j < groupTest.numVolumes; j++ {
-						volume := storageframework.CreateVolumeResource(ctx, driver, groupTest.config, pattern, s.GetTestSuiteInfo().SupportedSizeRange)
-						groupTest.volumeGroup[i] = append(groupTest.volumeGroup[i], volume)
-						createGroupLabel(ctx, volume.Pvc, labelKey, labelValue)
+				var err error
+				groupTest.statefulSet, err = cs.AppsV1().StatefulSets(f.Namespace.Name).Create(ctx, statefulSet, metav1.CreateOptions{})
+				framework.ExpectNoError(err, "failed to create StatefulSet")
 
-					}
-					pvcs := []*v1.PersistentVolumeClaim{}
-					for _, volume := range groupTest.volumeGroup[i] {
-						pvcs = append(pvcs, volume.Pvc)
-					}
-					// Create a pod with multiple volumes
-					podConfig := e2epod.Config{
-						NS:           f.Namespace.Name,
-						PVCs:         pvcs,
-						SeLinuxLabel: e2epv.SELinuxLabel,
-					}
-					pod, err := e2epod.MakeSecPod(&podConfig)
-					framework.ExpectNoError(err, "failed to create pod")
+				// Wait for StatefulSet to be ready
+				e2estatefulset.WaitForRunningAndReady(ctx, cs, replicas, groupTest.statefulSet)
+
+				// Get the pods created by StatefulSet
+				for i := 0; i < groupTest.numReplicas; i++ {
+					podName := fmt.Sprintf("%s-%d", statefulSetName, i)
+					pod, err := cs.CoreV1().Pods(f.Namespace.Name).Get(ctx, podName, metav1.GetOptions{})
+					framework.ExpectNoError(err, "failed to get StatefulSet pod %s", podName)
 					groupTest.pods = append(groupTest.pods, pod)
 				}
+			}
+
+			writeTestDataToVolumes := func(ctx context.Context) map[string]string {
+				mountPath := "/mnt/data"
+				writePath := fmt.Sprintf("%s/testfile", mountPath)
+				originalMntTestData := make(map[string]string)
+
+				ginkgo.By("writing test data to all StatefulSet volumes")
 				for i, pod := range groupTest.pods {
-					pod, err := cs.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{})
-					if err != nil {
-						framework.Failf("Failed to create pod-%d [%+v]. Error: %v", i, pod, err)
-					}
-					if err = e2epod.WaitForPodRunningInNamespace(ctx, cs, pod); err != nil {
-						framework.Failf("Failed to wait for pod-%d [%+v] to turn into running status. Error: %v", i, pod, err)
-					}
+					// For StatefulSet, each pod has one PVC named "data-{statefulset-name}-{index}"
+					pvcName := fmt.Sprintf("data-%s-%d", groupTest.statefulSet.Name, i)
+					testData := fmt.Sprintf("HelloFromStatefulSetPVC%d", i)
+					originalMntTestData[pvcName] = testData
+					err := tk.WriteFileViaContainer(pod.Name, pod.Spec.Containers[0].Name, writePath, testData)
+					framework.ExpectNoError(err, "failed to write test data to StatefulSet pod %s", pod.Name)
 				}
+				return originalMntTestData
 			}
 
 			cleanup := func(ctx context.Context) {
-				for _, pod := range groupTest.pods {
-					framework.Logf("Deleting pod %s", pod.Name)
-					err := e2epod.DeletePodWithWait(ctx, cs, pod)
-					framework.ExpectNoError(err, "failed to delete pod %s", pod.Name)
+				if groupTest.statefulSet != nil {
+					framework.Logf("Deleting StatefulSet %s", groupTest.statefulSet.Name)
+					err := cs.AppsV1().StatefulSets(f.Namespace.Name).Delete(ctx, groupTest.statefulSet.Name, metav1.DeleteOptions{})
+					framework.ExpectNoError(err, "failed to delete StatefulSet %s", groupTest.statefulSet.Name)
 				}
-				for _, group := range groupTest.volumeGroup {
-					for _, volume := range group {
-						framework.Logf("Deleting volume %s", volume.Pvc.Name)
-						err := volume.CleanupResource(ctx)
-						framework.ExpectNoError(err, "failed to delete volume %s", volume.Pvc.Name)
+				for _, volumeResource := range groupTest.volumeResources {
+					if volumeResource != nil {
+						framework.Logf("Deleting volume resource")
+						err := volumeResource.CleanupResource(ctx)
+						framework.ExpectNoError(err, "failed to delete volume resource")
 					}
 				}
-
 			}
 
-			ginkgo.It("should create snapshots for multiple volumes in a pod", func(ctx context.Context) {
+			ginkgo.It("should create snapshots for StatefulSet volumes and verify data consistency after restore", func(ctx context.Context) {
 				init(ctx)
-				createPodsAndVolumes(ctx)
+				createStatefulSetAndVolumes(ctx)
 				ginkgo.DeferCleanup(cleanup)
 
-				snapshot := storageframework.CreateVolumeGroupSnapshotResource(ctx, snapshottableDriver, groupTest.config, pattern, labelValue, groupTest.volumeGroup[0][0].Pvc.GetNamespace(), f.Timeouts, map[string]string{"deletionPolicy": pattern.SnapshotDeletionPolicy.String()})
+				originalMntTestData := writeTestDataToVolumes(ctx)
+
+				snapshot := storageframework.CreateVolumeGroupSnapshotResource(ctx, snapshottableDriver, groupTest.config, pattern, labelValue, f.Namespace.Name, f.Timeouts, map[string]string{"deletionPolicy": pattern.SnapshotDeletionPolicy.String()})
 				groupTest.snapshots = append(groupTest.snapshots, snapshot)
+
 				ginkgo.By("verifying the snapshots in the group are ready to use")
 				status := snapshot.VGS.Object["status"]
-				err := framework.Gomega().Expect(status).NotTo(gomega.BeNil())
-				framework.ExpectNoError(err, "failed to get status of group snapshot")
-
+				gomega.Expect(status).ShouldNot(gomega.BeNil(), "failed to get status of group snapshot")
 				volumeListMap := snapshot.VGSContent.Object["status"].(map[string]interface{})
-				err = framework.Gomega().Expect(volumeListMap).NotTo(gomega.BeNil())
-				framework.ExpectNoError(err, "failed to get volume snapshot list")
+				gomega.Expect(volumeListMap).ShouldNot(gomega.BeNil(), "failed to get group snapshot list")
 				volumeSnapshotInfoList := volumeListMap["volumeSnapshotInfoList"].([]interface{})
-				err = framework.Gomega().Expect(volumeSnapshotInfoList).NotTo(gomega.BeNil())
-				framework.ExpectNoError(err, "failed to get volume snapshot list")
-				err = framework.Gomega().Expect(len(volumeSnapshotInfoList)).To(gomega.Equal(groupTest.numVolumes))
-				framework.ExpectNoError(err, "failed to get volume snapshot list")
-				claimSize := groupTest.volumeGroup[0][0].Pvc.Spec.Resources.Requests.Storage().String()
+				gomega.Expect(volumeSnapshotInfoList).ShouldNot(gomega.BeNil(), "failed to get group snapshot handle list")
+				gomega.Expect(volumeSnapshotInfoList).Should(gomega.HaveLen(groupTest.numReplicas), "failed to verify snapshot handle list length")
+				claimSize := s.GetTestSuiteInfo().SupportedSizeRange.Min
+
+				ginkgo.By("creating restored PVCs from snapshots")
+				restoredPVCs := []*v1.PersistentVolumeClaim{}
+				volumeHandleToPVCName := make(map[string]string)
+
+				// First, create mapping from volume handles to original PVC names for StatefulSet
+				for i := 0; i < groupTest.numReplicas; i++ {
+					pvcName := fmt.Sprintf("data-%s-%d", groupTest.statefulSet.Name, i)
+					pvc, err := cs.CoreV1().PersistentVolumeClaims(f.Namespace.Name).Get(ctx, pvcName, metav1.GetOptions{})
+					framework.ExpectNoError(err, "failed to get PVC %s", pvcName)
+
+					pv, err := cs.CoreV1().PersistentVolumes().Get(ctx, pvc.Spec.VolumeName, metav1.GetOptions{})
+					framework.ExpectNoError(err, "failed to get PV for PVC %s", pvcName)
+					volumeHandle := pv.Spec.CSI.VolumeHandle
+					volumeHandleToPVCName[volumeHandle] = pvcName
+				}
+
 				for _, info := range volumeSnapshotInfoList {
 					// Create a PVC from the snapshot
 					volumeHandle := info.(map[string]interface{})["volumeHandle"].(string)
-					err = framework.Gomega().Expect(volumeHandle).NotTo(gomega.BeNil())
-					framework.ExpectNoError(err, "failed to get volume handle from volume")
+					if volumeHandle == "" {
+						framework.Failf("volumeHandle missing for volume snapshot %v", info)
+					}
 
 					uid := snapshot.VGS.Object["metadata"].(map[string]interface{})["uid"].(string)
-					err = framework.Gomega().Expect(uid).NotTo(gomega.BeNil())
-					framework.ExpectNoError(err, "failed to get uuid from content")
+					gomega.Expect(uid).NotTo(gomega.BeNil(), "failed to get uuid from content")
 					volumeSnapshotName := fmt.Sprintf("snapshot-%x", sha256.Sum256([]byte(
 						uid+volumeHandle)))
 
+					// Use original PVC name as base for restored PVC name
+					originalPVCName := volumeHandleToPVCName[volumeHandle]
+					restoredPVCName := fmt.Sprintf("restored-%s", originalPVCName)
+
 					pvc := e2epv.MakePersistentVolumeClaim(e2epv.PersistentVolumeClaimConfig{
-						StorageClassName: &groupTest.volumeGroup[0][0].Sc.Name,
+						StorageClassName: &groupTest.volumeResources[0].Sc.Name,
 						ClaimSize:        claimSize,
+						Name:             restoredPVCName,
 					}, f.Namespace.Name)
 
 					group := "snapshot.storage.k8s.io"
@@ -216,21 +307,62 @@ func (s *VolumeGroupSnapshottableTestSuite) DefineTests(driver storageframework.
 						Name:     volumeSnapshotName,
 					}
 
-					volSrc := v1.VolumeSource{
-						Ephemeral: &v1.EphemeralVolumeSource{
-							VolumeClaimTemplate: &v1.PersistentVolumeClaimTemplate{
-								Spec: pvc.Spec,
-							},
-						},
-					}
-					pvc, err = cs.CoreV1().PersistentVolumeClaims(f.Namespace.Name).Create(ctx, pvc, metav1.CreateOptions{})
+					pvc, err := cs.CoreV1().PersistentVolumeClaims(f.Namespace.Name).Create(ctx, pvc, metav1.CreateOptions{})
 					framework.ExpectNoError(err, "failed to create PVC from snapshot")
+					restoredPVCs = append(restoredPVCs, pvc)
+				}
+
+				ginkgo.DeferCleanup(func(ctx context.Context) {
+					for _, pvc := range restoredPVCs {
+						framework.Logf("Deleting restored PVC %s", pvc.Name)
+						err := cs.CoreV1().PersistentVolumeClaims(f.Namespace.Name).Delete(ctx, pvc.Name, metav1.DeleteOptions{})
+						framework.ExpectNoError(err, "failed to delete restored PVC %s", pvc.Name)
+					}
+				})
 
-					pod := StartInPodWithVolumeSource(ctx, cs, volSrc, pvc.Namespace, "snapshot-pod", "sleep 300", groupTest.config.ClientNodeSelection)
-					ginkgo.DeferCleanup(e2epod.DeletePodWithWait, cs, pod)
-					framework.ExpectNoError(e2epod.WaitTimeoutForPodRunningInNamespace(ctx, cs, pod.Name, pod.Namespace, f.Timeouts.PodStartSlow), "Pod did not start in expected time")
+				ginkgo.By("creating single pod with all restored volumes")
+				restoredPodConfig := e2epod.Config{
+					NS:           f.Namespace.Name,
+					PVCs:         restoredPVCs,
+					SeLinuxLabel: e2epv.SELinuxLabel,
 				}
+				restoredPod, err := e2epod.MakeSecPod(&restoredPodConfig)
+				framework.ExpectNoError(err, "failed to create restored pod config")
 
+				restoredPod, err = cs.CoreV1().Pods(f.Namespace.Name).Create(ctx, restoredPod, metav1.CreateOptions{})
+				framework.ExpectNoError(err, "failed to create restored pod")
+				ginkgo.DeferCleanup(e2epod.DeletePodWithWait, cs, restoredPod)
+				framework.ExpectNoError(e2epod.WaitTimeoutForPodRunningInNamespace(ctx, cs, restoredPod.Name, restoredPod.Namespace, f.Timeouts.PodStartSlow), "Restored pod did not start in expected time")
+
+				ginkgo.By("verifying data consistency for all restored StatefulSet volumes")
+				var dataConsistencyCheckErrors []string
+				for volumeIndex, pvc := range restoredPVCs {
+					dataPath := "/mnt/volume"
+					mountPath := fmt.Sprintf("%s%d", dataPath, volumeIndex+1)
+					readPath := fmt.Sprintf("%s/testfile", mountPath)
+
+					// Extract original PVC name from restored PVC name
+					const restoredPrefix = "restored-"
+					if !strings.HasPrefix(pvc.Name, restoredPrefix) {
+						framework.Failf("unexpected restored PVC name format: %s, expected prefix %s", pvc.Name, restoredPrefix)
+					}
+					originalPVCName := pvc.Name[len(restoredPrefix):]
+					expectedData, ok := originalMntTestData[originalPVCName]
+					if !ok {
+						framework.Failf("no test data found for original PVC %s", originalPVCName)
+					}
+
+					restoredData, err := tk.ReadFileViaContainer(restoredPod.Name, restoredPod.Spec.Containers[0].Name, readPath)
+					if err != nil || !strings.Contains(restoredData, expectedData) {
+						dataConsistencyCheckErrors = append(dataConsistencyCheckErrors, fmt.Sprintf("volume %s (from %s), expectedData: %s, restoredData: %s : err: %v", pvc.Name, originalPVCName, expectedData, restoredData, err))
+					} else {
+						framework.Logf("data consistency verified for StatefulSet volume %s (from %s): found expected data '%s'", pvc.Name, originalPVCName, expectedData)
+					}
+				}
+				if len(dataConsistencyCheckErrors) > 0 {
+					framework.Logf("data verification failed for one or more volumes: %v", dataConsistencyCheckErrors)
+				}
+				gomega.Expect(dataConsistencyCheckErrors).Should(gomega.BeEmpty(), "failed to check data consistency")
 			})
 		})
 	})
diff --git a/test/e2e/storage/testsuites/volume_io.go b/test/e2e/storage/testsuites/volume_io.go
index 6c01dbf162451..d649c4657134f 100644
--- a/test/e2e/storage/testsuites/volume_io.go
+++ b/test/e2e/storage/testsuites/volume_io.go
@@ -44,13 +44,13 @@ import (
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
-// MD5 hashes of the test file corresponding to each file size.
+// sha256 hashes of the test file corresponding to each file size.
 // Test files are generated in testVolumeIO()
 // If test file generation algorithm changes, these must be recomputed.
-var md5hashes = map[int64]string{
-	storageframework.FileSizeSmall:  "5c34c2813223a7ca05a3c2f38c0d1710",
-	storageframework.FileSizeMedium: "f2fa202b1ffeedda5f3a58bd1ae81104",
-	storageframework.FileSizeLarge:  "8d763edc71bd16217664793b5a15e403",
+var sha256sum = map[int64]string{
+	storageframework.FileSizeSmall:  "aa39c2cbd49a28425c977d229b43e1ff9579ecd98cea7b466982bab04753f2ab",
+	storageframework.FileSizeMedium: "5f718f3b7788352e1450c6c14c6051f0298d49ac6af18c5a1ce3cd3b5947de24",
+	storageframework.FileSizeLarge:  "11b058d55b088031fbdec33e3e896c032550ff20ca0ed37f76ad1d5d155c5f50",
 }
 
 const mountPath = "/opt"
@@ -270,18 +270,18 @@ func verifyFile(ctx context.Context, f *framework.Framework, pod *v1.Pod, fpath
 	}
 
 	ginkgo.By("verifying file hash")
-	rtnstr, stderr, err = e2epod.ExecShellInPodWithFullOutput(ctx, f, pod.Name, fmt.Sprintf("md5sum %s | cut -d' ' -f1", fpath))
+	rtnstr, stderr, err = e2epod.ExecShellInPodWithFullOutput(ctx, f, pod.Name, fmt.Sprintf("sha256sum %s | cut -d' ' -f1", fpath))
 	if err != nil {
-		return fmt.Errorf("unable to test file hash via `md5sum %s`: %v\nstdout: %s\nstderr: %s", fpath, err, rtnstr, stderr)
+		return fmt.Errorf("unable to test file hash via `sha256sum %s`: %v\nstdout: %s\nstderr: %s", fpath, err, rtnstr, stderr)
 	}
 	actualHash := strings.TrimSuffix(rtnstr, "\n")
-	expectedHash, ok := md5hashes[expectSize]
+	expectedHash, ok := sha256sum[expectSize]
 	if !ok {
 		return fmt.Errorf("file hash is unknown for file size %d. Was a new file size added to the test suite?",
 			expectSize)
 	}
 	if actualHash != expectedHash {
-		return fmt.Errorf("MD5 hash is incorrect for file %s with size %d. Expected: `%s`; Actual: `%s`",
+		return fmt.Errorf("SHA256 hash is incorrect for file %s with size %d. Expected: `%s`; Actual: `%s`",
 			fpath, expectSize, expectedHash, actualHash)
 	}
 
diff --git a/test/e2e/storage/testsuites/volumeperf.go b/test/e2e/storage/testsuites/volumeperf.go
index da82e46e9bfc8..6a19c0a0beb2a 100644
--- a/test/e2e/storage/testsuites/volumeperf.go
+++ b/test/e2e/storage/testsuites/volumeperf.go
@@ -297,11 +297,11 @@ func newPVCWatch(ctx context.Context, f *framework.Framework, provisionCount int
 	_, controller := cache.NewInformer(
 		&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
-				obj, err := f.ClientSet.CoreV1().PersistentVolumeClaims(ns).List(ctx, metav1.ListOptions{})
+				obj, err := f.ClientSet.CoreV1().PersistentVolumeClaims(ns).List(ctx, options)
 				return runtime.Object(obj), err
 			},
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
-				return f.ClientSet.CoreV1().PersistentVolumeClaims(ns).Watch(ctx, metav1.ListOptions{})
+				return f.ClientSet.CoreV1().PersistentVolumeClaims(ns).Watch(ctx, options)
 			},
 		},
 		&v1.PersistentVolumeClaim{},
diff --git a/test/e2e/storage/utils/deployment.go b/test/e2e/storage/utils/deployment.go
index f36905cf569e0..771069c49a5de 100644
--- a/test/e2e/storage/utils/deployment.go
+++ b/test/e2e/storage/utils/deployment.go
@@ -155,6 +155,9 @@ func PatchCSIDeployment(f *e2eframework.Framework, o PatchCSIOptions, object int
 		if o.RequiresRepublish != nil {
 			object.Spec.RequiresRepublish = o.RequiresRepublish
 		}
+		if o.ServiceAccountTokenInSecrets != nil {
+			object.Spec.ServiceAccountTokenInSecrets = o.ServiceAccountTokenInSecrets
+		}
 		if o.FSGroupPolicy != nil {
 			object.Spec.FSGroupPolicy = o.FSGroupPolicy
 		}
@@ -216,6 +219,10 @@ type PatchCSIOptions struct {
 	// field *if* the driver deploys a CSIDriver object. Ignored
 	// otherwise.
 	RequiresRepublish *bool
+	// If not nil, the value to use for the CSIDriver.Spec.ServiceAccountTokenInSecrets
+	// field *if* the driver deploys a CSIDriver object. Ignored
+	// otherwise.
+	ServiceAccountTokenInSecrets *bool
 	// If not nil, the value to use for the CSIDriver.Spec.FSGroupPolicy
 	// field *if* the driver deploys a CSIDriver object. Ignored
 	// otherwise.
diff --git a/test/e2e/storage/volume_attachment.go b/test/e2e/storage/volume_attachment.go
index f1a06ec9d776c..d965cb0ba28d8 100644
--- a/test/e2e/storage/volume_attachment.go
+++ b/test/e2e/storage/volume_attachment.go
@@ -29,7 +29,9 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apimachinery/pkg/util/resourceversion"
 	"k8s.io/client-go/util/retry"
+	apimachineryutils "k8s.io/kubernetes/test/e2e/common/apimachinery"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/e2e/storage/utils"
 
@@ -65,12 +67,14 @@ var _ = utils.SIGDescribe("VolumeAttachment", func() {
 			retrievedVA, err := vaClient.Get(ctx, firstVA, metav1.GetOptions{})
 			framework.ExpectNoError(err, "failed to get VolumeAttachment %q", firstVA)
 			gomega.Expect(retrievedVA.Name).To(gomega.Equal(firstVA), "Checking that retrieved VolumeAttachment has the correct name")
+			gomega.Expect(retrievedVA).To(apimachineryutils.HaveValidResourceVersion())
 
 			ginkgo.By(fmt.Sprintf("Patch VolumeAttachment %q on node %q", firstVA, vaNodeName))
 			payload := "{\"metadata\":{\"labels\":{\"" + retrievedVA.Name + "\":\"patched\"}}}"
 			patchedVA, err := vaClient.Patch(ctx, retrievedVA.Name, types.MergePatchType, []byte(payload), metav1.PatchOptions{})
 			framework.ExpectNoError(err, "failed to patch PV %q", firstVA)
 			gomega.Expect(patchedVA.Labels).To(gomega.HaveKeyWithValue(patchedVA.Name, "patched"), "Checking that patched label has been applied")
+			gomega.Expect(resourceversion.CompareResourceVersion(retrievedVA.ResourceVersion, patchedVA.ResourceVersion)).To(gomega.BeNumerically("==", -1), "patched object should have a larger resource version")
 
 			patchedSelector := labels.Set{patchedVA.Name: "patched"}.AsSelector().String()
 			ginkgo.By(fmt.Sprintf("List VolumeAttachments with %q label", patchedSelector))
diff --git a/test/e2e/storage/volume_provisioning.go b/test/e2e/storage/volume_provisioning.go
index c8bb6046faab1..a7b714c6577a3 100644
--- a/test/e2e/storage/volume_provisioning.go
+++ b/test/e2e/storage/volume_provisioning.go
@@ -345,8 +345,8 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 				Client:       c,
 				Name:         "default",
 				Timeouts:     f.Timeouts,
-				ClaimSize:    "2Gi",
-				ExpectedSize: "2Gi",
+				ClaimSize:    "10Gi",
+				ExpectedSize: "10Gi",
 			}
 
 			test.Claim = e2epv.MakePersistentVolumeClaim(e2epv.PersistentVolumeClaimConfig{
@@ -370,7 +370,7 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 			test := testsuites.StorageClassTest{
 				Name:      "default",
 				Timeouts:  f.Timeouts,
-				ClaimSize: "2Gi",
+				ClaimSize: "10Gi",
 			}
 
 			ginkgo.By("setting the is-default StorageClass annotation to false")
@@ -407,7 +407,7 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 			test := testsuites.StorageClassTest{
 				Name:      "default",
 				Timeouts:  f.Timeouts,
-				ClaimSize: "2Gi",
+				ClaimSize: "10Gi",
 			}
 
 			ginkgo.By("removing the is-default StorageClass annotation")
@@ -444,7 +444,7 @@ var _ = utils.SIGDescribe("Dynamic Provisioning", func() {
 				Name:        "AWS EBS with invalid KMS key",
 				Provisioner: "kubernetes.io/aws-ebs",
 				Timeouts:    f.Timeouts,
-				ClaimSize:   "2Gi",
+				ClaimSize:   "10Gi",
 				Parameters:  map[string]string{"kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/55555555-5555-5555-5555-555555555555"},
 			}
 
diff --git a/test/e2e/storage/volumeattributesclass.go b/test/e2e/storage/volumeattributesclass.go
index abed51177ced1..29aa0e9d9b102 100644
--- a/test/e2e/storage/volumeattributesclass.go
+++ b/test/e2e/storage/volumeattributesclass.go
@@ -40,7 +40,7 @@ var _ = utils.SIGDescribe("VolumeAttributesClass", framework.WithFeatureGate(fea
 	f := framework.NewDefaultFramework("csi-volumeattributesclass")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
 	/*
-		Release: v1.29
+		Release: v1.35
 		Testname: VolumeAttributesClass, lifecycle
 		Description: Creating a VolumeAttributesClass MUST succeed. Reading the VolumeAttributesClass MUST
 		succeed. Patching the VolumeAttributesClass MUST succeed with its new label found. Deleting
@@ -48,7 +48,7 @@ var _ = utils.SIGDescribe("VolumeAttributesClass", framework.WithFeatureGate(fea
 		MUST be created. Updating the VolumeAttributesClass MUST succeed with its new label found.
 		Deleting the VolumeAttributesClass via deleteCollection MUST succeed and it MUST be confirmed.
 	*/
-	framework.It("should run through the lifecycle of a VolumeAttributesClass", func(ctx context.Context) {
+	framework.ConformanceIt("should run through the lifecycle of a VolumeAttributesClass", func(ctx context.Context) {
 
 		vacClient := f.ClientSet.StorageV1().VolumeAttributesClasses()
 		var initialVAC, replacementVAC *storagev1.VolumeAttributesClass
diff --git a/test/e2e/suites.go b/test/e2e/suites.go
index 987619cd13f07..1493142b1c74a 100644
--- a/test/e2e/suites.go
+++ b/test/e2e/suites.go
@@ -35,6 +35,7 @@ func AfterSuiteActions(ctx context.Context) {
 	if framework.TestContext.ReportDir != "" {
 		framework.CoreDump(framework.TestContext.ReportDir)
 	}
+	// TODO: nothing is using this? what should we do with it?
 	if framework.TestContext.GatherSuiteMetricsAfterTest {
 		if err := gatherTestSuiteMetrics(ctx); err != nil {
 			framework.Logf("Error gathering metrics: %v", err)
diff --git a/test/e2e/testing-manifests/auth/encrypt/kind.yaml b/test/e2e/testing-manifests/auth/encrypt/kind.yaml
index 4256d243af711..208965a2ef57c 100644
--- a/test/e2e/testing-manifests/auth/encrypt/kind.yaml
+++ b/test/e2e/testing-manifests/auth/encrypt/kind.yaml
@@ -21,8 +21,39 @@ nodes:
     readOnly: true
     propagation: None
   kubeadmConfigPatches:
+    # v1beta4 for the future (v1.35.0+ ?)
+    # https://github.com/kubernetes-sigs/kind/issues/3847
+    # TODO: drop v1beta3 when kind makes the switch
     - |
       kind: ClusterConfiguration
+      apiVersion: kubeadm.k8s.io/v1beta4
+      apiServer:
+        extraArgs:
+          - name: "encryption-provider-config"
+            value: "/etc/kubernetes/encryption-config.yaml"
+          - name: "v"
+            value: "5"
+        extraVolumes:
+        - name: encryption-config
+          hostPath: "/etc/kubernetes/encryption-config.yaml"
+          mountPath: "/etc/kubernetes/encryption-config.yaml"
+          readOnly: true
+          pathType: File
+        - name: sock-path
+          hostPath: "/tmp"
+          mountPath: "/tmp"
+      scheduler:
+        extraArgs:
+          - name: "v"
+            value: "5"
+      controllerManager:
+        extraArgs:
+          - name: "v"
+            value: "5"
+    # v1beta3 for v1.23.0 ... ?
+    - |
+      kind: ClusterConfiguration
+      apiVersion: kubeadm.k8s.io/v1beta3
       apiServer:
         extraArgs:
           encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
diff --git a/test/e2e/testing-manifests/gpu/gce/nvidia-driver-installer.yaml b/test/e2e/testing-manifests/gpu/gce/nvidia-driver-installer.yaml
index 24be2839bd155..b3f211753f667 100644
--- a/test/e2e/testing-manifests/gpu/gce/nvidia-driver-installer.yaml
+++ b/test/e2e/testing-manifests/gpu/gce/nvidia-driver-installer.yaml
@@ -27,121 +27,120 @@ spec:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
-            - matchExpressions:
-              - key: cloud.google.com/gke-accelerator
-                operator: Exists
+              - matchExpressions:
+                  - key: cloud.google.com/gke-accelerator
+                    operator: Exists
       tolerations:
-      - operator: "Exists"
+        - operator: "Exists"
       hostNetwork: true
       hostPID: true
       volumes:
-      - name: dev
-        hostPath:
-          path: /dev
-      - name: vulkan-icd-mount
-        hostPath:
-          path: /home/kubernetes/bin/nvidia/vulkan/icd.d
-      - name: nvidia-install-dir-host
-        hostPath:
-          path: /home/kubernetes/bin/nvidia
-      - name: root-mount
-        hostPath:
-          path: /
-      - name: cos-tools
-        hostPath:
-          path: /var/lib/cos-tools
-      - name: nvidia-config
-        hostPath:
-          path: /etc/nvidia
-      initContainers:
-      - image: "ubuntu@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15"
-        name: bind-mount-install-dir
-        securityContext:
-          privileged: true
-        command:
-        - nsenter
-        - -at
-        - '1'
-        - --
-        - sh
-        - -c
-        - |
-          if mountpoint -q /var/lib/nvidia; then
-            echo "The mountpoint /var/lib/nvidia exists."
-          else
-            echo "The mountpoint /var/lib/nvidia does not exist. Creating directories /home/kubernetes/bin/nvidia and /var/lib/nvidia and bind mount."
-            mkdir -p /var/lib/nvidia /home/kubernetes/bin/nvidia
-            mount --bind /home/kubernetes/bin/nvidia /var/lib/nvidia
-            echo "Done creating bind mounts"
-          fi
-        # The COS GPU installer image version may be dependent on the version of COS being used.
-        # Refer to details about the installer in https://cos.googlesource.com/cos/tools/+/refs/heads/master/src/cmd/cos_gpu_installer/
-        # and the COS release notes (https://cloud.google.com/container-optimized-os/docs/release-notes) to determine version COS GPU installer for a given version of COS.
-
-        # Maps to gcr.io/cos-cloud/cos-gpu-installer:v2.1.10 - suitable for COS M109 as per https://cloud.google.com/container-optimized-os/docs/release-notes
-      - image: "gcr.io/cos-cloud/cos-gpu-installer:v2.1.10"
-        name: nvidia-driver-installer
-        resources:
-          requests:
-            cpu: 150m
-        securityContext:
-          privileged: true
-        env:
-          - name: NVIDIA_INSTALL_DIR_HOST
-            value: /home/kubernetes/bin/nvidia
-          - name: NVIDIA_INSTALL_DIR_CONTAINER
-            value: /usr/local/nvidia
-          - name: VULKAN_ICD_DIR_HOST
-            value: /home/kubernetes/bin/nvidia/vulkan/icd.d
-          - name: VULKAN_ICD_DIR_CONTAINER
-            value: /etc/vulkan/icd.d
-          - name: ROOT_MOUNT_DIR
-            value: /root
-          - name: COS_TOOLS_DIR_HOST
-            value: /var/lib/cos-tools
-          - name: COS_TOOLS_DIR_CONTAINER
-            value: /build/cos-tools
-        volumeMounts:
-        - name: nvidia-install-dir-host
-          mountPath: /usr/local/nvidia
-        - name: vulkan-icd-mount
-          mountPath: /etc/vulkan/icd.d
         - name: dev
-          mountPath: /dev
+          hostPath:
+            path: /dev
+        - name: vulkan-icd-mount
+          hostPath:
+            path: /home/kubernetes/bin/nvidia/vulkan/icd.d
+        - name: nvidia-install-dir-host
+          hostPath:
+            path: /home/kubernetes/bin/nvidia
         - name: root-mount
-          mountPath: /root
+          hostPath:
+            path: /
         - name: cos-tools
-          mountPath: /build/cos-tools
-        command:
-        - bash
-        - -c
-        - |
-          echo "Checking for existing GPU driver modules"
-          if lsmod | grep nvidia; then
-            echo "GPU driver is already installed, the installed version may or may not be the driver version being tried to install, skipping installation"
-            exit 0
-          else
-            echo "No GPU driver module detected, installing now"
-            /cos-gpu-installer install
-          fi
-      - image: "gcr.io/gke-release/nvidia-partition-gpu@sha256:e226275da6c45816959fe43cde907ee9a85c6a2aa8a429418a4cadef8ecdb86a"
-        name: partition-gpus
-        env:
-          - name: LD_LIBRARY_PATH
-            value: /usr/local/nvidia/lib64
-        resources:
-          requests:
-            cpu: 150m
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - name: nvidia-install-dir-host
-          mountPath: /usr/local/nvidia
-        - name: dev
-          mountPath: /dev
+          hostPath:
+            path: /var/lib/cos-tools
         - name: nvidia-config
-          mountPath: /etc/nvidia
-      containers:
-      - image: "registry.k8s.io/pause:3.10.1"
-        name: pause
+          hostPath:
+            path: /etc/nvidia
+      initContainers:
+        - image: "ubuntu@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15"
+          name: bind-mount-install-dir
+          securityContext:
+            privileged: true
+          command:
+            - nsenter
+            - -at
+            - "1"
+            - --
+            - sh
+            - -c
+            - |
+              if mountpoint -q /var/lib/nvidia; then
+                echo "The mountpoint /var/lib/nvidia exists."
+              else
+                echo "The mountpoint /var/lib/nvidia does not exist. Creating directories /home/kubernetes/bin/nvidia and /var/lib/nvidia and bind mount."
+                mkdir -p /var/lib/nvidia /home/kubernetes/bin/nvidia
+                mount --bind /home/kubernetes/bin/nvidia /var/lib/nvidia
+                echo "Done creating bind mounts"
+              fi
+          # The COS GPU installer image version may be dependent on the version of COS being used.
+          # Refer to details about the installer in https://cos.googlesource.com/cos/tools/+/refs/heads/master/src/cmd/cos_gpu_installer/
+          # and the COS release notes (https://cloud.google.com/container-optimized-os/docs/release-notes) to determine version COS GPU installer for a given version of COS.
 
+          # Maps to gcr.io/cos-cloud/cos-gpu-installer:v2.5.7 - suitable for COS M121 as per https://cloud.google.com/container-optimized-os/docs/release-notes/m121
+        - image: "gcr.io/cos-cloud/cos-gpu-installer:v2.5.7"
+          name: nvidia-driver-installer
+          resources:
+            requests:
+              cpu: 150m
+          securityContext:
+            privileged: true
+          env:
+            - name: NVIDIA_INSTALL_DIR_HOST
+              value: /home/kubernetes/bin/nvidia
+            - name: NVIDIA_INSTALL_DIR_CONTAINER
+              value: /usr/local/nvidia
+            - name: VULKAN_ICD_DIR_HOST
+              value: /home/kubernetes/bin/nvidia/vulkan/icd.d
+            - name: VULKAN_ICD_DIR_CONTAINER
+              value: /etc/vulkan/icd.d
+            - name: ROOT_MOUNT_DIR
+              value: /root
+            - name: COS_TOOLS_DIR_HOST
+              value: /var/lib/cos-tools
+            - name: COS_TOOLS_DIR_CONTAINER
+              value: /build/cos-tools
+          volumeMounts:
+            - name: nvidia-install-dir-host
+              mountPath: /usr/local/nvidia
+            - name: vulkan-icd-mount
+              mountPath: /etc/vulkan/icd.d
+            - name: dev
+              mountPath: /dev
+            - name: root-mount
+              mountPath: /root
+            - name: cos-tools
+              mountPath: /build/cos-tools
+          command:
+            - bash
+            - -c
+            - |
+              echo "Checking for existing GPU driver modules"
+              if lsmod | grep nvidia; then
+                echo "GPU driver is already installed, the installed version may or may not be the driver version being tried to install, skipping installation"
+                exit 0
+              else
+                echo "No GPU driver module detected, installing now"
+                /cos-gpu-installer install
+              fi
+        - image: "gcr.io/gke-release/nvidia-partition-gpu:1.30.0-gke.10"
+          name: partition-gpus
+          env:
+            - name: LD_LIBRARY_PATH
+              value: /usr/local/nvidia/lib64
+          resources:
+            requests:
+              cpu: 150m
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: nvidia-install-dir-host
+              mountPath: /usr/local/nvidia
+            - name: dev
+              mountPath: /dev
+            - name: nvidia-config
+              mountPath: /etc/nvidia
+      containers:
+        - image: "registry.k8s.io/pause:3.10.1"
+          name: pause
diff --git a/test/e2e/testing-manifests/kubectl/agnhost-deployment1.yaml.in b/test/e2e/testing-manifests/kubectl/agnhost-deployment1.yaml.in
new file mode 100644
index 0000000000000..6beb13d8f4abe
--- /dev/null
+++ b/test/e2e/testing-manifests/kubectl/agnhost-deployment1.yaml.in
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: agnhost-deployment
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: agnhost
+  template:
+    metadata:
+      labels:
+        app: agnhost
+      annotations:
+        annotations_app: annotations_agnhost
+    spec:
+      containers:
+      - name: agnhost
+        image: {{.AgnhostImage}}
+        args: ["netexec", "--http-port=80"]
+        ports:
+        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/agnhost-deployment2.yaml.in b/test/e2e/testing-manifests/kubectl/agnhost-deployment2.yaml.in
new file mode 100644
index 0000000000000..0954a523e1e72
--- /dev/null
+++ b/test/e2e/testing-manifests/kubectl/agnhost-deployment2.yaml.in
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: agnhost-deployment
+spec:
+  selector:
+    matchLabels:
+      app: agnhost
+  template:
+    metadata:
+      labels:
+        app: agnhost
+    spec:
+      containers:
+      - name: agnhost
+        image: {{.AgnhostImage}}
+        args: ["netexec", "--http-port=80"]
+        ports:
+        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/agnhost-deployment3.yaml.in b/test/e2e/testing-manifests/kubectl/agnhost-deployment3.yaml.in
new file mode 100644
index 0000000000000..ee4762c2b85d3
--- /dev/null
+++ b/test/e2e/testing-manifests/kubectl/agnhost-deployment3.yaml.in
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: agnhost-deployment
+spec:
+  selector:
+    matchLabels:
+      app: agnhost
+  template:
+    metadata:
+      labels:
+        app: agnhost
+    spec:
+      containers:
+      - name: agnhost
+        image: {{.AgnhostPrevImage}}
+        args: ["netexec", "--http-port=80"]
+        ports:
+        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/agnhost-rc.yaml.in b/test/e2e/testing-manifests/kubectl/agnhost-rc.yaml.in
new file mode 100644
index 0000000000000..823e45b2af9f1
--- /dev/null
+++ b/test/e2e/testing-manifests/kubectl/agnhost-rc.yaml.in
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: agnhost-rc
+spec:
+  replicas: 1
+  selector:
+    run: agnhost-rc
+  template:
+    metadata:
+      labels:
+        run: agnhost-rc
+    spec:
+      containers:
+      - image: {{.AgnhostPrevImage}}
+        name: agnhost-rc
diff --git a/test/e2e/testing-manifests/kubectl/httpd-deployment1.yaml.in b/test/e2e/testing-manifests/kubectl/httpd-deployment1.yaml.in
deleted file mode 100644
index 72164958b8978..0000000000000
--- a/test/e2e/testing-manifests/kubectl/httpd-deployment1.yaml.in
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: httpd-deployment
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: httpd
-  template:
-    metadata:
-      labels:
-        app: httpd
-      annotations:
-        annotations_app: annotations_httpd
-    spec:
-      containers:
-      - name: httpd
-        image: {{.HttpdNewImage}}
-        ports:
-        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/httpd-deployment2.yaml.in b/test/e2e/testing-manifests/kubectl/httpd-deployment2.yaml.in
deleted file mode 100644
index 944379863f42f..0000000000000
--- a/test/e2e/testing-manifests/kubectl/httpd-deployment2.yaml.in
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: httpd-deployment
-spec:
-  selector:
-    matchLabels:
-      app: httpd
-  template:
-    metadata:
-      labels:
-        app: httpd
-    spec:
-      containers:
-      - name: httpd
-        image: {{.HttpdNewImage}}
-        ports:
-        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/httpd-deployment3.yaml.in b/test/e2e/testing-manifests/kubectl/httpd-deployment3.yaml.in
deleted file mode 100644
index 8ad38c74fbcf7..0000000000000
--- a/test/e2e/testing-manifests/kubectl/httpd-deployment3.yaml.in
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: httpd-deployment
-spec:
-  selector:
-    matchLabels:
-      app: httpd
-  template:
-    metadata:
-      labels:
-        app: httpd
-    spec:
-      containers:
-      - name: httpd
-        image: {{.HttpdImage}}
-        ports:
-        - containerPort: 80
diff --git a/test/e2e/testing-manifests/kubectl/httpd-rc.yaml.in b/test/e2e/testing-manifests/kubectl/httpd-rc.yaml.in
deleted file mode 100644
index ed02b5c50b5f6..0000000000000
--- a/test/e2e/testing-manifests/kubectl/httpd-rc.yaml.in
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ReplicationController
-metadata:
-  name: httpd-rc
-spec:
-  replicas: 1
-  selector:
-    run: httpd-rc
-  template:
-    metadata:
-      labels:
-        run: httpd-rc
-    spec:
-      containers:
-      - image: {{.HttpdNewImage}}
-        name: httpd-rc
diff --git a/test/e2e/testing-manifests/kubectl/pod-with-readiness-probe.yaml.in b/test/e2e/testing-manifests/kubectl/pod-with-readiness-probe.yaml.in
index ec39217a55e62..e78fb6868f411 100644
--- a/test/e2e/testing-manifests/kubectl/pod-with-readiness-probe.yaml.in
+++ b/test/e2e/testing-manifests/kubectl/pod-with-readiness-probe.yaml.in
@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: httpd
+  name: agnhost
   labels:
-    name: httpd
+    name: agnhost
 spec:
   containers:
-  - name: httpd
-    image: {{.HttpdImage}}
+  - name: agnhost
+    image: {{.AgnhostImage}}
+    args: ["netexec", "--http-port=80"]
     ports:
     - containerPort: 80
     readinessProbe:
diff --git a/test/e2e/testing-manifests/rbd-storage-class.yaml b/test/e2e/testing-manifests/rbd-storage-class.yaml
deleted file mode 100644
index e2d7d67d98cc3..0000000000000
--- a/test/e2e/testing-manifests/rbd-storage-class.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-   name: slow
-provisioner: kubernetes.io/rbd
-parameters:
-    monitors: 127.0.0.1:6789
-    adminId: admin
-    adminSecretName: ceph-secret-admin
-    adminSecretNamespace: "kube-system"
-    pool: kube
-    userId: kube
-    userSecretName: ceph-secret-user
-
diff --git a/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/csi-hostpath-plugin.yaml b/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/csi-hostpath-plugin.yaml
index 4bedcf6e3c0f3..9f79eb4da3b4b 100644
--- a/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/csi-hostpath-plugin.yaml
+++ b/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/csi-hostpath-plugin.yaml
@@ -276,7 +276,7 @@ spec:
               mountPath: /csi
 
         - name: node-driver-registrar
-          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
@@ -304,13 +304,13 @@ spec:
           volumeMounts:
           - mountPath: /csi
             name: socket-dir
-          image: registry.k8s.io/sig-storage/livenessprobe:v2.15.0
+          image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0
           args:
           - --csi-address=/csi/csi.sock
           - --health-port=9898
 
         - name: csi-attacher
-          image: registry.k8s.io/sig-storage/csi-attacher:v4.8.0
+          image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
@@ -324,7 +324,7 @@ spec:
             name: socket-dir
 
         - name: csi-provisioner
-          image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0
+          image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0
           args:
             - -v=5
             - --csi-address=/csi/csi.sock
@@ -340,7 +340,7 @@ spec:
               name: socket-dir
 
         - name: csi-resizer
-          image: registry.k8s.io/sig-storage/csi-resizer:v1.13.1
+          image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0
           args:
             - -v=5
             - -csi-address=/csi/csi.sock
diff --git a/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/run_group_snapshot_e2e.sh b/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/run_group_snapshot_e2e.sh
index 9791f9b070a87..8d39c1ba44e2b 100755
--- a/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/run_group_snapshot_e2e.sh
+++ b/test/e2e/testing-manifests/storage-csi/external-snapshotter/volume-group-snapshots/run_group_snapshot_e2e.sh
@@ -28,8 +28,6 @@ set -o errexit -o nounset -o xtrace
 # parallel testing is enabled. Using LABEL_FILTER instead of combining SKIP and
 # FOCUS is recommended (more expressive, easier to read than regexp).
 #
-# GA_ONLY: true  - limit to GA APIs/features as much as possible
-#          false - (default) APIs and features left at defaults
 # FEATURE_GATES:
 #          JSON or YAML encoding of a string/bool map: {"FeatureGateA": true, "FeatureGateB": false}
 #          Enables or disables feature gates in the entire cluster.
@@ -84,74 +82,16 @@ build() {
   export PATH="${PWD}/_output/bin:$PATH"
 }
 
-check_structured_log_support() {
-	case "${KUBE_VERSION}" in
-		v1.1[0-8].*)
-			echo "$1 is only supported on versions >= v1.19, got ${KUBE_VERSION}"
-			exit 1
-			;;
-	esac
-}
-
 # up a cluster with kind
 create_cluster() {
-  # Grab the version of the cluster we're about to start
-  KUBE_VERSION="$(docker run --rm --entrypoint=cat "kindest/node:latest" /kind/version)"
-
   # Default Log level for all components in test clusters
   KIND_CLUSTER_LOG_LEVEL=${KIND_CLUSTER_LOG_LEVEL:-4}
 
-  # potentially enable --logging-format
-  CLUSTER_LOG_FORMAT=${CLUSTER_LOG_FORMAT:-}
-  scheduler_extra_args="      \"v\": \"${KIND_CLUSTER_LOG_LEVEL}\""
-  controllerManager_extra_args="      \"v\": \"${KIND_CLUSTER_LOG_LEVEL}\""
-  apiServer_extra_args="      \"v\": \"${KIND_CLUSTER_LOG_LEVEL}\""
-  if [ -n "$CLUSTER_LOG_FORMAT" ]; then
-      check_structured_log_support "CLUSTER_LOG_FORMAT"
-      scheduler_extra_args="${scheduler_extra_args}
-      \"logging-format\": \"${CLUSTER_LOG_FORMAT}\""
-      controllerManager_extra_args="${controllerManager_extra_args}
-      \"logging-format\": \"${CLUSTER_LOG_FORMAT}\""
-      apiServer_extra_args="${apiServer_extra_args}
-      \"logging-format\": \"${CLUSTER_LOG_FORMAT}\""
-  fi
-  kubelet_extra_args="      \"v\": \"${KIND_CLUSTER_LOG_LEVEL}\""
-  KUBELET_LOG_FORMAT=${KUBELET_LOG_FORMAT:-$CLUSTER_LOG_FORMAT}
-  if [ -n "$KUBELET_LOG_FORMAT" ]; then
-      check_structured_log_support "KUBECTL_LOG_FORMAT"
-      kubelet_extra_args="${kubelet_extra_args}
-      \"logging-format\": \"${KUBELET_LOG_FORMAT}\""
-  fi
-
   # JSON or YAML map injected into featureGates config
   feature_gates="${FEATURE_GATES:-{\}}"
   # --runtime-config argument value passed to the API server, again as a map
   runtime_config="${RUNTIME_CONFIG:-{\}}"
 
-  case "${GA_ONLY:-false}" in
-  false)
-    :
-    ;;
-  true)
-    if [ "${feature_gates}" != "{}" ]; then
-      echo "GA_ONLY=true and FEATURE_GATES=${feature_gates} are mutually exclusive."
-      exit 1
-    fi
-    if [ "${runtime_config}" != "{}" ]; then
-      echo "GA_ONLY=true and RUNTIME_CONFIG=${runtime_config} are mutually exclusive."
-      exit 1
-    fi
-
-    echo "Limiting to GA APIs and features for ${KUBE_VERSION}"
-    feature_gates='{"AllAlpha":false,"AllBeta":false}'
-    runtime_config='{"api/alpha":"false", "api/beta":"false"}'
-    ;;
-  *)
-    echo "\$GA_ONLY set to '${GA_ONLY}'; supported values are true and false (default)"
-    exit 1
-    ;;
-  esac
-
   # create the config file
   cat <<EOF > "${ARTIFACTS}/kind-config.yaml"
 # config for 1 control plane node and 2 workers (necessary for conformance)
@@ -170,29 +110,67 @@ nodes:
 featureGates: ${feature_gates}
 runtimeConfig: ${runtime_config}
 kubeadmConfigPatches:
+# v1beta4 for the future (v1.35.0+ ?)
+# https://github.com/kubernetes-sigs/kind/issues/3847
+# TODO: drop v1beta3 when kind makes the switch
+- |
+  kind: ClusterConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta4
+  metadata:
+    name: config
+  apiServer:
+    extraArgs:
+      - name: "v"
+        value: "${KIND_CLUSTER_LOG_LEVEL}"
+  controllerManager:
+    extraArgs:
+      - name: "v"
+        value: "${KIND_CLUSTER_LOG_LEVEL}"
+  scheduler:
+    extraArgs:
+      - name: "v"
+        value: "${KIND_CLUSTER_LOG_LEVEL}"
+  ---
+  kind: InitConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta4
+  nodeRegistration:
+    kubeletExtraArgs:
+      - name: "v"
+        value: "${KIND_CLUSTER_LOG_LEVEL}"
+  ---
+  kind: JoinConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta4
+  nodeRegistration:
+    kubeletExtraArgs:
+      - name: "v"
+        value: "${KIND_CLUSTER_LOG_LEVEL}"
+# v1beta3 for v1.23.0 ... ?
 - |
   kind: ClusterConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta3
   metadata:
     name: config
   apiServer:
     extraArgs:
-${apiServer_extra_args}
+      "v": "${KIND_CLUSTER_LOG_LEVEL}"
   controllerManager:
     extraArgs:
-${controllerManager_extra_args}
+      "v": "${KIND_CLUSTER_LOG_LEVEL}"
   scheduler:
     extraArgs:
-${scheduler_extra_args}
+      "v": "${KIND_CLUSTER_LOG_LEVEL}"
   ---
   kind: InitConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta3
   nodeRegistration:
     kubeletExtraArgs:
-${kubelet_extra_args}
+     "v": "${KIND_CLUSTER_LOG_LEVEL}"
   ---
   kind: JoinConfiguration
+  apiVersion: kubeadm.k8s.io/v1beta3
   nodeRegistration:
     kubeletExtraArgs:
-${kubelet_extra_args}
+      "v": "${KIND_CLUSTER_LOG_LEVEL}"
 EOF
   # NOTE: must match the number of workers above
   NUM_NODES=2
diff --git a/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml b/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml
index d2e97779bd630..080fe5cb01879 100644
--- a/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml
+++ b/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml
@@ -295,7 +295,7 @@ spec:
               mountPath: /csi
 
         - name: node-driver-registrar
-          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
@@ -323,13 +323,13 @@ spec:
           volumeMounts:
           - mountPath: /csi
             name: socket-dir
-          image: registry.k8s.io/sig-storage/livenessprobe:v2.15.0
+          image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0
           args:
           - --csi-address=/csi/csi.sock
           - --health-port=9898
 
         - name: csi-attacher
-          image: registry.k8s.io/sig-storage/csi-attacher:v4.8.0
+          image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
diff --git a/test/e2e/windows/host_process.go b/test/e2e/windows/host_process.go
index 98a3c6c45c035..171e8f499a5cf 100644
--- a/test/e2e/windows/host_process.go
+++ b/test/e2e/windows/host_process.go
@@ -86,7 +86,7 @@ var (
 	User_NTAuthoritySystem       = "NT AUTHORITY\\SYSTEM"
 )
 
-var _ = sigDescribe(feature.WindowsHostProcessContainers, "[MinimumKubeletVersion:1.22] HostProcess containers", skipUnlessWindows(func() {
+var _ = sigDescribe(feature.WindowsHostProcessContainers, "HostProcess containers", skipUnlessWindows(func() {
 	ginkgo.BeforeEach(func() {
 		e2eskipper.SkipUnlessNodeOSDistroIs("windows")
 	})
diff --git a/test/e2e/windows/kubelet_stats.go b/test/e2e/windows/kubelet_stats.go
index 0ce1571250382..e2fc5a5c10cc2 100644
--- a/test/e2e/windows/kubelet_stats.go
+++ b/test/e2e/windows/kubelet_stats.go
@@ -19,6 +19,7 @@ package windows
 import (
 	"context"
 	"fmt"
+	"k8s.io/klog/v2"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
@@ -210,6 +211,7 @@ var _ = sigDescribe(feature.Windows, "Kubelet-Stats", skipUnlessWindows(func() {
 
 // findWindowsNode finds a Windows node that is Ready and Schedulable
 func findWindowsNode(ctx context.Context, f *framework.Framework) (v1.Node, error) {
+	logger := klog.FromContext(ctx)
 	selector := labels.Set{"kubernetes.io/os": "windows"}.AsSelector()
 	nodeList, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
 
@@ -220,7 +222,7 @@ func findWindowsNode(ctx context.Context, f *framework.Framework) (v1.Node, erro
 	var targetNode v1.Node
 	foundNode := false
 	for _, n := range nodeList.Items {
-		if e2enode.IsNodeReady(&n) && e2enode.IsNodeSchedulable(&n) {
+		if e2enode.IsNodeReady(logger, &n) && e2enode.IsNodeSchedulable(logger, &n) {
 			targetNode = n
 			foundNode = true
 			break
@@ -236,6 +238,7 @@ func findWindowsNode(ctx context.Context, f *framework.Framework) (v1.Node, erro
 
 // findWindowsNodes finds all Windows nodes that are Ready and Schedulable
 func findWindowsNodes(ctx context.Context, f *framework.Framework) ([]v1.Node, error) {
+	logger := klog.FromContext(ctx)
 	selector := labels.Set{"kubernetes.io/os": "windows"}.AsSelector()
 	nodeList, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
 
@@ -245,7 +248,7 @@ func findWindowsNodes(ctx context.Context, f *framework.Framework) ([]v1.Node, e
 
 	var targetNodes []v1.Node
 	for _, n := range nodeList.Items {
-		if e2enode.IsNodeReady(&n) && e2enode.IsNodeSchedulable(&n) {
+		if e2enode.IsNodeReady(logger, &n) && e2enode.IsNodeSchedulable(logger, &n) {
 			targetNodes = append(targetNodes, n)
 		}
 	}
diff --git a/test/e2e/windows/reboot_node.go b/test/e2e/windows/reboot_node.go
index 575a944c67a7f..c35fc65044dfb 100644
--- a/test/e2e/windows/reboot_node.go
+++ b/test/e2e/windows/reboot_node.go
@@ -44,7 +44,7 @@ import (
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
-var _ = sigDescribe(feature.Windows, "[Excluded:WindowsDocker] [MinimumKubeletVersion:1.22] RebootHost containers", framework.WithSerial(), framework.WithDisruptive(), framework.WithSlow(), skipUnlessWindows(func() {
+var _ = sigDescribe(feature.Windows, "[Excluded:WindowsDocker] RebootHost containers", framework.WithSerial(), framework.WithDisruptive(), framework.WithSlow(), skipUnlessWindows(func() {
 	ginkgo.BeforeEach(func() {
 		e2eskipper.SkipUnlessNodeOSDistroIs("windows")
 	})
@@ -53,6 +53,7 @@ var _ = sigDescribe(feature.Windows, "[Excluded:WindowsDocker] [MinimumKubeletVe
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
 	ginkgo.It("should run as a reboot process on the host/node", func(ctx context.Context) {
+		e2eskipper.Skipf("skipping test until graceful shutdown feature enabled")
 
 		ginkgo.By("selecting a Windows node")
 		nodes, err := findWindowsNodes(ctx, f)
diff --git a/test/e2e_dra/upgradedowngrade_test.go b/test/e2e_dra/upgradedowngrade_test.go
index 312293d7239ab..1be909178c1df 100644
--- a/test/e2e_dra/upgradedowngrade_test.go
+++ b/test/e2e_dra/upgradedowngrade_test.go
@@ -123,6 +123,20 @@ var _ = ginkgo.Describe("DRA upgrade/downgrade", func() {
 		version, err := version.ParseGeneric(gitVersion)
 		tCtx.ExpectNoError(err, "parse version %s of repo root %q", gitVersion, repoRoot)
 		major, previousMinor := version.Major(), version.Minor()-1
+		if strings.Contains(gitVersion, "-alpha.0") {
+			// All version up to and including x.y.z-alpha.0 are treated as if we were
+			// still the previous minor version x.(y-1). There are two reason for this:
+			//
+			// - During code freeze around (at?) -rc.0, the master branch already
+			//   identfies itself as the next release with -alpha.0. Without this
+			//   special case, we would change the version skew testing from what
+			//   has been tested and been known to work to something else, which
+			//   can and at least once did break.
+			//
+			// - Early in the next cycle the differences compared to the previous
+			//   release are small, so it's more interesting to go back further.
+			previousMinor--
+		}
 		tCtx.Logf("got version: major: %d, minor: %d, previous minor: %d", major, version.Minor(), previousMinor)
 		tCtx = ktesting.End(tCtx)
 
diff --git a/test/e2e_node/container_lifecycle_test.go b/test/e2e_node/container_lifecycle_test.go
index 6c99596dc7814..71d6d027fec3c 100644
--- a/test/e2e_node/container_lifecycle_test.go
+++ b/test/e2e_node/container_lifecycle_test.go
@@ -26,13 +26,13 @@ import (
 	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
-	admissionapi "k8s.io/pod-security-admission/api"
-
-	"k8s.io/kubernetes/test/e2e/feature"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	imageutils "k8s.io/kubernetes/test/utils/image"
+	admissionapi "k8s.io/pod-security-admission/api"
 	"k8s.io/utils/ptr"
 )
 
@@ -2121,7 +2121,7 @@ var _ = SIGDescribe(framework.WithSerial(), "Containers Lifecycle", func() {
 	})
 })
 
-var _ = SIGDescribe(feature.SidecarContainers, "Containers Lifecycle", func() {
+var _ = SIGDescribe(framework.WithNodeConformance(), "Containers Lifecycle", func() {
 	f := framework.NewDefaultFramework("containers-lifecycle-test")
 	addAfterEachForCleaningUpPods(f)
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
@@ -4923,6 +4923,7 @@ var _ = SIGDescribe(feature.SidecarContainers, "Containers Lifecycle", func() {
 									Delay:         1,
 									ExitCode:      0,
 									ContainerName: containerName,
+									LoopPeriod:    0.2,
 								}),
 							},
 						},
@@ -5027,7 +5028,7 @@ var _ = SIGDescribe(feature.SidecarContainers, "Containers Lifecycle", func() {
 				ps3, err := results.TimeOfStart(prefixedName(PreStopPrefix, restartableInit3))
 				framework.ExpectNoError(err)
 
-				const toleration = 500 // milliseconds
+				const toleration = 1000 // milliseconds
 				gomega.Expect(ps1-ps2).To(gomega.BeNumerically("~", 0, toleration),
 					fmt.Sprintf("expected PreStop 1 & PreStop 2 to be killed at the same time, got %s", results))
 				gomega.Expect(ps1-ps3).To(gomega.BeNumerically("~", 0, toleration),
@@ -6015,13 +6016,13 @@ fi`},
 
 })
 
-var _ = SIGDescribe(feature.SidecarContainers, framework.WithSerial(), "Containers Lifecycle", func() {
+var _ = SIGDescribe(framework.WithNodeConformance(), framework.WithSerial(), "Containers Lifecycle", func() {
 	f := framework.NewDefaultFramework("containers-lifecycle-test-serial")
 	addAfterEachForCleaningUpPods(f)
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
 	ginkgo.When("A node running restartable init containers reboots", func() {
-		ginkgo.It("should restart the containers in right order with the proper phase after the node reboot", func(ctx context.Context) {
+		ginkgo.It("should restart the containers in right order after the node reboot", func(ctx context.Context) {
 			init1 := "init-1"
 			restartableInit2 := "restartable-init-2"
 			init3 := "init-3"
@@ -6121,9 +6122,9 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithSerial(), "Containe
 			})
 			framework.ExpectNoError(err)
 
-			ginkgo.By("Waiting for the pod to run after re-initialization")
-			err = e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod)
-			framework.ExpectNoError(err)
+			ginkgo.By("Waiting for regular container to start running")
+			err = e2epod.WaitForContainerRunning(ctx, f.ClientSet, pod.Namespace, pod.Name, regular1, f.Timeouts.PodStart)
+			framework.ExpectNoError(err, "regular container %q should be running", regular1)
 
 			ginkgo.By("Parsing results")
 			pod, err = client.Get(ctx, pod.Name, metav1.GetOptions{})
@@ -6304,3 +6305,630 @@ var _ = SIGDescribe(feature.SidecarContainers, framework.WithSerial(), "Containe
 		})
 	})
 })
+
+var _ = SIGDescribe(framework.WithSerial(), "Not Change Container Status", framework.WithFeatureGate(features.ChangeContainerStatusOnKubeletRestart), func() {
+	f := framework.NewDefaultFramework("not-change-container-status-test-serial")
+	addAfterEachForCleaningUpPods(f)
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	ginkgo.When("a Pod is running", func() {
+		testKubeletRestart := func(ctx context.Context, pod *v1.Pod) {
+			client := e2epod.NewPodClient(f)
+			pod = client.Create(ctx, pod)
+
+			ginkgo.By("Waiting for the pod to be running and ready")
+			err := e2epod.WaitForPodCondition(ctx, f.ClientSet, pod.Namespace, pod.Name, "PodReady", f.Timeouts.PodStart,
+				func(p *v1.Pod) (bool, error) {
+					if p.Status.Phase != v1.PodRunning {
+						return false, nil
+					}
+					for _, cond := range p.Status.Conditions {
+						if cond.Type == v1.PodReady && cond.Status == v1.ConditionTrue {
+							return true, nil
+						}
+					}
+					return false, nil
+				})
+			framework.ExpectNoError(err)
+
+			// Double check the initial state before starting the concurrent check
+			p, err := client.Get(ctx, pod.Name, metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			gomega.Expect(p.Status.ContainerStatuses).ToNot(gomega.BeEmpty())
+			for _, status := range p.Status.ContainerStatuses {
+				gomega.Expect(status.RestartCount).To(gomega.BeZero())
+				gomega.Expect(status.Started).ToNot(gomega.BeNil())
+				gomega.Expect(*status.Started).To(gomega.BeTrueBecause("The Started field should be set to true when a pod enters the Ready condition."))
+				gomega.Expect(status.Ready).To(gomega.BeTrueBecause("The Ready field should be set to true when a pod enters the Ready condition."))
+			}
+
+			// The grace period for kubelet startup is 10 seconds, so we wait here for 11 seconds.
+			time.Sleep(time.Second * 11)
+
+			stopCh := make(chan struct{})
+			errCh := make(chan error, 1)
+			go func() {
+				watcher, err := f.ClientSet.CoreV1().Pods(pod.Namespace).Watch(ctx, metav1.ListOptions{
+					FieldSelector: "metadata.name=" + pod.Name,
+				})
+				if err != nil {
+					errCh <- fmt.Errorf("failed to watch pod: %w", err)
+					return
+				}
+				defer watcher.Stop()
+
+				for {
+					select {
+					case event, ok := <-watcher.ResultChan():
+						if !ok {
+							return
+						}
+						if event.Type != watch.Modified {
+							continue
+						}
+						p, ok := event.Object.(*v1.Pod)
+						if !ok {
+							continue
+						}
+
+						if p.Status.Phase != v1.PodRunning {
+							errCh <- fmt.Errorf("pod phase is %v, expected %v", p.Status.Phase, v1.PodRunning)
+							return
+						}
+						if len(p.Status.ContainerStatuses) < len(pod.Spec.Containers) {
+							continue
+						}
+						for _, containerStatus := range p.Status.ContainerStatuses {
+							if containerStatus.RestartCount > 0 {
+								errCh <- fmt.Errorf("container %q restarted %d times", containerStatus.Name, containerStatus.RestartCount)
+								return
+							}
+							if containerStatus.Started == nil || !*containerStatus.Started {
+								errCh <- fmt.Errorf("container %q started status is not true", containerStatus.Name)
+								return
+							}
+							if !containerStatus.Ready {
+								errCh <- fmt.Errorf("container %q ready status is not true", containerStatus.Name)
+								return
+							}
+						}
+					case <-stopCh:
+						close(errCh)
+						return
+					}
+				}
+			}()
+
+			ginkgo.By("restarting the kubelet")
+			restartKubelet := mustStopKubelet(ctx, f)
+			restartKubelet(ctx)
+
+			ginkgo.By("ensuring kubelet is healthy")
+			gomega.Eventually(ctx, func() bool {
+				return kubeletHealthCheck(kubeletHealthCheckURL)
+			}, f.Timeouts.PodStart, f.Timeouts.Poll).Should(gomega.BeTrueBecause("kubelet should be started"))
+
+			// Let the goroutine run for a few more seconds to catch any delayed changes
+			time.Sleep(5 * time.Second)
+			close(stopCh)
+
+			// Check for errors from the goroutine
+			for err := range errCh {
+				framework.ExpectNoError(err, "pod status check failed during kubelet restart")
+			}
+		}
+
+		ginkgo.It("should not affect pod status when pod has no probe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-no-probe",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has startupProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-with-startup-probe",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has readinessProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-with-readiness-probe",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has startupProbe and readinessProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-with-startup-and-readiness-probe",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has multiple containers", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-with-multiple-containers",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container1",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+						},
+						{
+							Name:    "container2",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has multiple containers with startupProbes", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-mc-with-startup-probes",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container1",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+						{
+							Name:    "container2",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has multiple containers with readinessProbes", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-mc-with-readiness-probes",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container1",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+						{
+							Name:    "container2",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when pod has multiple containers with startup and readiness probes", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-mc-with-startup-and-readiness-probes",
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:    "container1",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+						{
+							Name:    "container2",
+							Image:   defaultImage,
+							Command: []string{"sleep", "3600"},
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+				},
+			}
+			testKubeletRestart(ctx, pod)
+		})
+	})
+
+	ginkgo.When("a Pod is running with a restartable init container", func() {
+		testKubeletRestartForRestartableInit := func(ctx context.Context, pod *v1.Pod) {
+			client := e2epod.NewPodClient(f)
+			pod = client.Create(ctx, pod)
+
+			ginkgo.By("Waiting for the pod to be running and ready")
+			err := e2epod.WaitForPodCondition(ctx, f.ClientSet, pod.Namespace, pod.Name, "PodReady", f.Timeouts.PodStart,
+				func(p *v1.Pod) (bool, error) {
+					if p.Status.Phase != v1.PodRunning {
+						return false, nil
+					}
+					for _, cond := range p.Status.Conditions {
+						if cond.Type == v1.PodReady && cond.Status == v1.ConditionTrue {
+							return true, nil
+						}
+					}
+					return false, nil
+				})
+			framework.ExpectNoError(err)
+
+			// Double check the initial state before starting the concurrent check
+			p, err := client.Get(ctx, pod.Name, metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			gomega.Expect(p.Status.InitContainerStatuses).ToNot(gomega.BeEmpty())
+			gomega.Expect(p.Status.InitContainerStatuses[0].RestartCount).To(gomega.BeZero())
+			gomega.Expect(p.Status.InitContainerStatuses[0].Started).ToNot(gomega.BeNil())
+			gomega.Expect(*p.Status.InitContainerStatuses[0].Started).To(gomega.BeTrueBecause("The Started field should be set to true when a pod enters the Ready condition."))
+			gomega.Expect(p.Status.InitContainerStatuses[0].Ready).To(gomega.BeTrueBecause("The Ready field should be set to true when a pod enters the Ready condition."))
+
+			// The grace period for kubelet startup is 10 seconds, so we wait here for 11 seconds.
+			time.Sleep(time.Second * 11)
+
+			stopCh := make(chan struct{})
+			errCh := make(chan error, 1)
+			go func() {
+				watcher, err := f.ClientSet.CoreV1().Pods(pod.Namespace).Watch(ctx, metav1.ListOptions{
+					FieldSelector: "metadata.name=" + pod.Name,
+				})
+				if err != nil {
+					errCh <- fmt.Errorf("failed to watch pod: %w", err)
+					return
+				}
+				defer watcher.Stop()
+
+				for {
+					select {
+					case event, ok := <-watcher.ResultChan():
+						if !ok {
+							return
+						}
+						if event.Type != watch.Modified {
+							continue
+						}
+						p, ok := event.Object.(*v1.Pod)
+						if !ok {
+							continue
+						}
+
+						if p.Status.Phase != v1.PodRunning {
+							errCh <- fmt.Errorf("pod phase is %v, expected %v", p.Status.Phase, v1.PodRunning)
+							return
+						}
+						if len(p.Status.InitContainerStatuses) == 0 {
+							errCh <- fmt.Errorf("pod has no init container statuses")
+							return
+						}
+						containerStatus := p.Status.InitContainerStatuses[0]
+						if containerStatus.RestartCount > 0 {
+							errCh <- fmt.Errorf("container restarted %d times", containerStatus.RestartCount)
+							return
+						}
+						if containerStatus.Started == nil || !*containerStatus.Started {
+							errCh <- fmt.Errorf("container started status is not true")
+							return
+						}
+						if !containerStatus.Ready {
+							errCh <- fmt.Errorf("container ready status is not true")
+							return
+						}
+					case <-stopCh:
+						close(errCh)
+						return
+					}
+				}
+			}()
+
+			ginkgo.By("restarting the kubelet")
+			restartKubelet := mustStopKubelet(ctx, f)
+			restartKubelet(ctx)
+
+			ginkgo.By("ensuring kubelet is healthy")
+			gomega.Eventually(ctx, func() bool {
+				return kubeletHealthCheck(kubeletHealthCheckURL)
+			}, f.Timeouts.PodStart, f.Timeouts.Poll).Should(gomega.BeTrueBecause("kubelet should be started"))
+
+			// Let the goroutine run for a few more seconds to catch any delayed changes
+			time.Sleep(5 * time.Second)
+			close(stopCh)
+
+			// Check for errors from the goroutine
+			for err := range errCh {
+				framework.ExpectNoError(err, "pod status check failed during kubelet restart")
+			}
+		}
+
+		ginkgo.It("should not affect pod status when restartable init container has no probe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-restartable-init-no-probe",
+				},
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:          "restartable-init",
+							Image:         defaultImage,
+							Command:       []string{"sleep", "3600"},
+							RestartPolicy: &containerRestartPolicyAlways,
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:  "container",
+							Image: imageutils.GetPauseImageName(),
+						},
+					},
+				},
+			}
+			testKubeletRestartForRestartableInit(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when restartable init container has startupProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-restartable-init-with-startup-probe",
+				},
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:          "restartable-init",
+							Image:         defaultImage,
+							Command:       []string{"sleep", "3600"},
+							RestartPolicy: &containerRestartPolicyAlways,
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:  "container",
+							Image: imageutils.GetPauseImageName(),
+						},
+					},
+				},
+			}
+			testKubeletRestartForRestartableInit(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when restartable init container has readinessProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-restartable-init-with-readiness-probe",
+				},
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:          "restartable-init",
+							Image:         defaultImage,
+							Command:       []string{"sleep", "3600"},
+							RestartPolicy: &containerRestartPolicyAlways,
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:  "container",
+							Image: imageutils.GetPauseImageName(),
+						},
+					},
+				},
+			}
+			testKubeletRestartForRestartableInit(ctx, pod)
+		})
+
+		ginkgo.It("should not affect pod status when restartable init container has startupProbe and readinessProbe", func(ctx context.Context) {
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "pod-restartable-init-with-startup-and-readiness-probe",
+				},
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:          "restartable-init",
+							Image:         defaultImage,
+							Command:       []string{"sleep", "3600"},
+							RestartPolicy: &containerRestartPolicyAlways,
+							StartupProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+							ReadinessProbe: &v1.Probe{
+								ProbeHandler: v1.ProbeHandler{
+									Exec: &v1.ExecAction{
+										Command: []string{"/bin/true"},
+									},
+								},
+								InitialDelaySeconds: 1,
+								PeriodSeconds:       1,
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:  "container",
+							Image: imageutils.GetPauseImageName(),
+						},
+					},
+				},
+			}
+			testKubeletRestartForRestartableInit(ctx, pod)
+		})
+	})
+})
diff --git a/test/e2e_node/container_restart_test.go b/test/e2e_node/container_restart_test.go
index d4e75dc0f4284..40dd999a4585b 100644
--- a/test/e2e_node/container_restart_test.go
+++ b/test/e2e_node/container_restart_test.go
@@ -67,7 +67,10 @@ var _ = SIGDescribe("Container Restart", feature.CriProxy, framework.WithSerial(
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			initialConfig.CrashLoopBackOff.MaxContainerRestartPeriod = &metav1.Duration{Duration: time.Duration(30 * time.Second)}
-			initialConfig.FeatureGates = map[string]bool{"KubeletCrashLoopBackOffMax": true}
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
+			}
+			initialConfig.FeatureGates["KubeletCrashLoopBackOffMax"] = true
 		})
 
 		ginkgo.BeforeEach(func() {
@@ -88,7 +91,10 @@ var _ = SIGDescribe("Container Restart", feature.CriProxy, framework.WithSerial(
 	ginkgo.Context("Reduced default container restart backs off as expected", func() {
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{"ReduceDefaultCrashLoopBackOffDecay": true}
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
+			}
+			initialConfig.FeatureGates["ReduceDefaultCrashLoopBackOffDecay"] = true
 		})
 
 		ginkgo.BeforeEach(func() {
@@ -111,9 +117,12 @@ var _ = SIGDescribe("Container Restart", feature.CriProxy, framework.WithSerial(
 	ginkgo.Context("Lower node config container restart takes precedence", func() {
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{"ReduceDefaultCrashLoopBackOffDecay": true}
 			initialConfig.CrashLoopBackOff.MaxContainerRestartPeriod = &metav1.Duration{Duration: time.Duration(1 * time.Second)}
-			initialConfig.FeatureGates = map[string]bool{"KubeletCrashLoopBackOffMax": true}
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
+			}
+			initialConfig.FeatureGates["ReduceDefaultCrashLoopBackOffDecay"] = true
+			initialConfig.FeatureGates["KubeletCrashLoopBackOffMax"] = true
 		})
 
 		ginkgo.BeforeEach(func() {
diff --git a/test/e2e_node/cpu_manager_test.go b/test/e2e_node/cpu_manager_test.go
index d27c76c841cf4..e0b41a47f47c7 100644
--- a/test/e2e_node/cpu_manager_test.go
+++ b/test/e2e_node/cpu_manager_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2017 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,31 +18,32 @@ package e2enode
 
 import (
 	"context"
-	"errors"
 	"fmt"
-	"io/fs"
 	"os"
-	"os/exec"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"github.com/onsi/gomega/gcustom"
+	"github.com/onsi/gomega/types"
+
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
-	"k8s.io/kubelet/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/features"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+	"k8s.io/kubernetes/pkg/kubelet/cm"
 	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
 	admissionapi "k8s.io/pod-security-admission/api"
 	"k8s.io/utils/cpuset"
 
-	"github.com/onsi/ginkgo/v2"
-	"github.com/onsi/gomega"
-	"github.com/onsi/gomega/gcustom"
-	gomegatypes "github.com/onsi/gomega/types"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -50,1441 +51,2794 @@ import (
 )
 
 const (
-	minSMTLevel    = 2
-	minCPUCapacity = 2
+	defaultCFSPeriod = "100000"
 )
 
-// Helper for makeCPUManagerPod().
-type ctnAttribute struct {
-	ctnName       string
-	ctnCommand    string
-	cpuRequest    string
-	cpuLimit      string
-	restartPolicy *v1.ContainerRestartPolicy
-}
+// this is ugly, but pratical
+var (
+	e2enodeRuntimeName     string
+	e2enodeCgroupV2Enabled bool
+	e2enodeCgroupDriver    string
+)
 
-// makeCPUMangerPod returns a pod with the provided ctnAttributes.
-func makeCPUManagerPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
-	var containers []v1.Container
-	for _, ctnAttr := range ctnAttributes {
-		cpusetCmd := fmt.Sprintf("grep Cpus_allowed_list /proc/self/status | cut -f2 && sleep 1d")
-		ctn := v1.Container{
-			Name:  ctnAttr.ctnName,
-			Image: busyboxImage,
-			Resources: v1.ResourceRequirements{
-				Requests: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuRequest),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-				Limits: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuLimit),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-			},
-			Command: []string{"sh", "-c", cpusetCmd},
-			VolumeMounts: []v1.VolumeMount{
-				{
-					Name:      "sysfscgroup",
-					MountPath: "/sysfscgroup",
-				},
-				{
-					Name:      "podinfo",
-					MountPath: "/podinfo",
-				},
-			},
-		}
-		containers = append(containers, ctn)
-	}
+/*
+   - Serial:
+   because the test updates kubelet configuration.
+
+   - Ordered:
+   Each spec (It block) need to run with a kubelet configuration in place. At minimum, we need
+   the non-default cpumanager static policy, then we have the cpumanager options and so forth.
+   The simplest solution is to set the kubelet explicitly each time, but this will cause a kubelet restart
+   each time, which takes longer and makes the flow intrinsically more fragile (so more flakes are more likely).
+   Using Ordered allows us to use BeforeAll/AfterAll, and most notably to reuse the kubelet config in a batch
+   of specs (It blocks). Each it block will still set its kubelet config preconditions, but with a sensible
+   test arrangement, many of these preconditions will devolve into noop.
+   Arguably, this decision increases the coupling among specs, leaving room for subtle ordering bugs.
+   There's no argue the ginkgo spec randomization would help, but the tradeoff here is between
+   lane complexity/fragility (reconfiguring the kubelet is not bulletproof yet) and accepting this risk.
+   If in the future we decide to pivot to make each spec fully independent, little changes will be needed.
+   Finally, worth pointing out that the previous cpumanager e2e test incarnation implemented the same
+   concept in a more convoluted way with function helpers, so arguably using Ordered and making it
+   explicit is already an improvement.
+*/
 
-	return &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: podName,
-		},
-		Spec: v1.PodSpec{
-			RestartPolicy: v1.RestartPolicyNever,
-			Containers:    containers,
-			Volumes: []v1.Volume{
-				{
-					Name: "sysfscgroup",
-					VolumeSource: v1.VolumeSource{
-						HostPath: &v1.HostPathVolumeSource{Path: "/sys/fs/cgroup"},
-					},
-				},
-				{
-					Name: "podinfo",
-					VolumeSource: v1.VolumeSource{
-						DownwardAPI: &v1.DownwardAPIVolumeSource{
-							Items: []v1.DownwardAPIVolumeFile{
-								{
-									Path: "uid",
-									FieldRef: &v1.ObjectFieldSelector{
-										APIVersion: "v1",
-										FieldPath:  "metadata.uid",
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
+/*
+ * Extending the cpumanager test suite
+ * TL;DRs: THE MOST IMPORTANT:
+ * Please keep the test hierarchy very flat.
+ * Nesting more than 2 contexts total from SIGDescribe root is likely to be a smell.
+ * The problem with deep nesting is the interaction between BeforeEach blocks and the increased scope of variables.
+ * The Ideal layout would be
+ *   SIGDescribe # top level, unique
+ *     Context   # you can add more context, but please try hard to avoid nesting them
+ *       It      # add it blocks freely. Feel free to start new *non-nested* contexts as you see fit
+ *     Context
+ *       It
+ *       It
+ * Exception: if you need to add the same labels to quite a few (say, 3+) It blocks, you can add a **empty** context
+ * The most important thing is to avoid long chain of beforeeach/aftereach and > 2 level of context nesting.
+ * So a **empty** context only to group labels is acceptable:
+ *   SIGDescribe
+ *     Context(label1, label2) # avoid beforeeach/aftereach and variables here
+ *       Context
+ *         It
+ *         It
+ *     Context
+ *       It
+ * Final rule of thumb: if the nesting of the context description starts to read awkward or funny or stop making sense
+ * if read as english sentence, then the nesting is likely too deep.
+ */
 
-// makeCPUMangerInitContainersPod returns a pod with init containers with the
-// provided ctnAttributes.
-func makeCPUManagerInitContainersPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
-	var containers []v1.Container
-	cpusetCmd := "grep Cpus_allowed_list /proc/self/status | cut -f2"
-	cpusetAndSleepCmd := "grep Cpus_allowed_list /proc/self/status | cut -f2 && sleep 1d"
-	for _, ctnAttr := range ctnAttributes {
-		ctn := v1.Container{
-			Name:  ctnAttr.ctnName,
-			Image: busyboxImage,
-			Resources: v1.ResourceRequirements{
-				Requests: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuRequest),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-				Limits: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuLimit),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-			},
-			Command:       []string{"sh", "-c", cpusetCmd},
-			RestartPolicy: ctnAttr.restartPolicy,
-		}
-		if ctnAttr.restartPolicy != nil && *ctnAttr.restartPolicy == v1.ContainerRestartPolicyAlways {
-			ctn.Command = []string{"sh", "-c", cpusetAndSleepCmd}
-		}
-		containers = append(containers, ctn)
-	}
+/*
+ * About reserved CPUs:
+ * all the tests assume the first available CPUID is 0, which is pretty fair and most of time correct.
+ * A better approach would be check what we do have in the node. This is deferred to a later stage alongside
+ * other improvements.
+ */
+var _ = SIGDescribe("CPU Manager", ginkgo.Ordered, ginkgo.ContinueOnFailure, framework.WithSerial(), feature.CPUManager, func() {
+	f := framework.NewDefaultFramework("cpumanager-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
-	return &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: podName,
-		},
-		Spec: v1.PodSpec{
-			RestartPolicy:  v1.RestartPolicyNever,
-			InitContainers: containers,
-			Containers: []v1.Container{
-				{
-					Name:  "regular",
-					Image: busyboxImage,
-					Resources: v1.ResourceRequirements{
-						Requests: v1.ResourceList{
-							v1.ResourceCPU:    resource.MustParse("1000m"),
-							v1.ResourceMemory: resource.MustParse("100Mi"),
-						},
-						Limits: v1.ResourceList{
-							v1.ResourceCPU:    resource.MustParse("1000m"),
-							v1.ResourceMemory: resource.MustParse("100Mi"),
-						},
-					},
-					Command: []string{"sh", "-c", cpusetAndSleepCmd},
-				},
-			},
-		},
-	}
-}
+	// original kubeletconfig before the context start, to be restored
+	var oldCfg *kubeletconfig.KubeletConfiguration
+	var reservedCPUs cpuset.CPUSet
+	var onlineCPUs cpuset.CPUSet
+	var smtLevel int
+	var uncoreGroupSize int
+	// tracks all the pods created by a It() block. Best would be a namespace per It block
+	// TODO: move to a namespace per It block?
+	var podMap map[string]*v1.Pod
+
+	// closure just and only to not carry around awkwardly `f` and `onlineCPUs` only for logging purposes
+	var skipIfAllocatableCPUsLessThan func(node *v1.Node, cpuReq int)
+
+	ginkgo.BeforeAll(func(ctx context.Context) {
+		var err error
+		oldCfg, err = getCurrentKubeletConfig(ctx)
+		framework.ExpectNoError(err)
 
-func deletePodSyncByName(ctx context.Context, f *framework.Framework, podName string) {
-	gp := int64(0)
-	delOpts := metav1.DeleteOptions{
-		GracePeriodSeconds: &gp,
-	}
-	e2epod.NewPodClient(f).DeleteSync(ctx, podName, delOpts, f.Timeouts.PodDelete)
-}
+		onlineCPUs, err = getOnlineCPUs() // this should not change at all, at least during this suite lifetime
+		framework.ExpectNoError(err)
+		framework.Logf("Online CPUs: %s", onlineCPUs)
 
-func deletePods(ctx context.Context, f *framework.Framework, podNames []string) {
-	for _, podName := range podNames {
-		deletePodSyncByName(ctx, f, podName)
-	}
-}
+		smtLevel = smtLevelFromSysFS() // this should not change at all, at least during this suite lifetime
+		framework.Logf("SMT level: %d", smtLevel)
 
-func getLocalNodeCPUDetails(ctx context.Context, f *framework.Framework) (cpuCapVal int64, cpuAllocVal int64, cpuResVal int64) {
-	localNodeCap := getLocalNode(ctx, f).Status.Capacity
-	cpuCap := localNodeCap[v1.ResourceCPU]
-	localNodeAlloc := getLocalNode(ctx, f).Status.Allocatable
-	cpuAlloc := localNodeAlloc[v1.ResourceCPU]
-	cpuRes := cpuCap.DeepCopy()
-	cpuRes.Sub(cpuAlloc)
+		uncoreGroupSize = getUncoreCPUGroupSize()
+		framework.Logf("Uncore Group Size: %d", uncoreGroupSize)
 
-	// RoundUp reserved CPUs to get only integer cores.
-	cpuRes.RoundUp(0)
+		e2enodeCgroupV2Enabled = IsCgroup2UnifiedMode()
+		framework.Logf("cgroup V2 enabled: %v", e2enodeCgroupV2Enabled)
 
-	return cpuCap.Value(), cpuCap.Value() - cpuRes.Value(), cpuRes.Value()
-}
+		e2enodeCgroupDriver = oldCfg.CgroupDriver
+		framework.Logf("cgroup driver: %s", e2enodeCgroupDriver)
 
-func waitForContainerRemoval(ctx context.Context, containerName, podName, podNS string) {
-	rs, _, err := getCRIClient()
-	framework.ExpectNoError(err)
-	gomega.Eventually(ctx, func(ctx context.Context) bool {
-		containers, err := rs.ListContainers(ctx, &runtimeapi.ContainerFilter{
-			LabelSelector: map[string]string{
-				types.KubernetesPodNameLabel:       podName,
-				types.KubernetesPodNamespaceLabel:  podNS,
-				types.KubernetesContainerNameLabel: containerName,
-			},
-		})
-		if err != nil {
-			return false
-		}
-		return len(containers) == 0
-	}, 2*time.Minute, 1*time.Second).Should(gomega.BeTrueBecause("Containers were expected to be removed"))
-}
+		runtime, _, err := getCRIClient()
+		framework.ExpectNoError(err, "Failed to get CRI client")
 
-func isHTEnabled() bool {
-	outData, err := exec.Command("/bin/sh", "-c", "lscpu | grep \"Thread(s) per core:\" | cut -d \":\" -f 2").Output()
-	framework.ExpectNoError(err)
+		version, err := runtime.Version(context.Background(), "")
+		framework.ExpectNoError(err, "Failed to get runtime version")
 
-	threadsPerCore, err := strconv.Atoi(strings.TrimSpace(string(outData)))
-	framework.ExpectNoError(err)
+		e2enodeRuntimeName = version.GetRuntimeName()
+		framework.Logf("runtime: %s", e2enodeRuntimeName)
+	})
 
-	return threadsPerCore > 1
-}
+	ginkgo.AfterAll(func(ctx context.Context) {
+		updateKubeletConfig(ctx, f, oldCfg, true)
+	})
 
-func isMultiNUMA() bool {
-	outData, err := exec.Command("/bin/sh", "-c", "lscpu | grep \"NUMA node(s):\" | cut -d \":\" -f 2").Output()
-	framework.ExpectNoError(err)
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
+		podMap = make(map[string]*v1.Pod)
+	})
 
-	numaNodes, err := strconv.Atoi(strings.TrimSpace(string(outData)))
-	framework.ExpectNoError(err)
+	ginkgo.JustBeforeEach(func(ctx context.Context) {
+		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
+
+		// use a closure to minimize the arguments, to make the usage more straightforward
+		skipIfAllocatableCPUsLessThan = func(node *v1.Node, val int) {
+			ginkgo.GinkgoHelper()
+			cpuReq := int64(val + reservedCPUs.Size()) // reserved CPUs are not usable, need to account them
+			// the framework is initialized using an injected BeforeEach node, so the
+			// earliest we can do is to initialize the other objects here
+			nodeCPUDetails := cpuDetailsFromNode(node)
+
+			msg := fmt.Sprintf("%v full CPUs (detected=%v requested=%v reserved=%v online=%v smt=%v)", cpuReq, nodeCPUDetails.Allocatable, val, reservedCPUs.Size(), onlineCPUs.Size(), smtLevel)
+			ginkgo.By("Checking if allocatable: " + msg)
+			if nodeCPUDetails.Allocatable < cpuReq {
+				e2eskipper.Skipf("Skipping CPU Manager test: not allocatable %s", msg)
+			}
+		}
+	})
 
-	return numaNodes > 1
-}
+	ginkgo.AfterEach(func(ctx context.Context) {
+		deletePodsAsync(ctx, f, podMap)
+	})
 
-func getSMTLevel() int {
-	cpuID := 0 // this is just the most likely cpu to be present in a random system. No special meaning besides this.
-	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("cat /sys/devices/system/cpu/cpu%d/topology/thread_siblings_list | tr -d \"\n\r\"", cpuID)).Output()
-	framework.ExpectNoError(err)
-	// how many thread sibling you have = SMT level
-	// example: 2-way SMT means 2 threads sibling for each thread
-	cpus, err := cpuset.Parse(strings.TrimSpace(string(out)))
-	framework.ExpectNoError(err)
-	return cpus.Size()
-}
+	ginkgo.When("running non-guaranteed pods tests", ginkgo.Label("non-guaranteed", "reserved-cpus"), func() {
+		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: cpuset.CPUSet{},
+			}))
 
-func getUncoreCPUGroupSize() int {
-	cpuID := 0 // this is just the most likely cpu to be present in a random system. No special meaning besides this.
-	out, err := os.ReadFile(fmt.Sprintf("/sys/devices/system/cpu/cpu%d/cache/index3/shared_cpu_list", cpuID))
-	if errors.Is(err, fs.ErrNotExist) {
-		return 0 // no Uncore/LLC cache detected, nothing to do
-	}
-	framework.ExpectNoError(err)
-	// how many cores share a same Uncore/LLC block?
-	cpus, err := cpuset.Parse(strings.TrimSpace(string(out)))
-	framework.ExpectNoError(err)
-	return cpus.Size()
-}
+			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "100m",
+					cpuLimit:   "200m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-func getCPUSiblingList(cpuRes int64) string {
-	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("cat /sys/devices/system/cpu/cpu%d/topology/thread_siblings_list | tr -d \"\n\r\"", cpuRes)).Output()
-	framework.ExpectNoError(err)
-	return string(out)
-}
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-func getCoreSiblingList(cpuRes int64) string {
-	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("cat /sys/devices/system/cpu/cpu%d/topology/core_siblings_list | tr -d \"\n\r\"", cpuRes)).Output()
-	framework.ExpectNoError(err)
-	return string(out)
-}
+			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs))
+		})
 
-type cpuManagerKubeletArguments struct {
-	policyName                       string
-	enableCPUManagerOptions          bool
-	disableCPUQuotaWithExclusiveCPUs bool
-	enablePodLevelResources          bool
-	reservedSystemCPUs               cpuset.CPUSet
-	options                          map[string]string
-}
+		ginkgo.It("should let the container access all the online CPUs when using a reserved CPUs set", func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
 
-func configureCPUManagerInKubelet(oldCfg *kubeletconfig.KubeletConfiguration, kubeletArguments *cpuManagerKubeletArguments) *kubeletconfig.KubeletConfiguration {
-	newCfg := oldCfg.DeepCopy()
-	if newCfg.FeatureGates == nil {
-		newCfg.FeatureGates = make(map[string]bool)
-	}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-	newCfg.FeatureGates["CPUManagerPolicyBetaOptions"] = kubeletArguments.enableCPUManagerOptions
-	newCfg.FeatureGates["CPUManagerPolicyAlphaOptions"] = kubeletArguments.enableCPUManagerOptions
-	newCfg.FeatureGates["DisableCPUQuotaWithExclusiveCPUs"] = kubeletArguments.disableCPUQuotaWithExclusiveCPUs
-	newCfg.FeatureGates["PodLevelResources"] = kubeletArguments.enablePodLevelResources
+			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "100m",
+					cpuLimit:   "200m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-	newCfg.CPUManagerPolicy = kubeletArguments.policyName
-	newCfg.CPUManagerReconcilePeriod = metav1.Duration{Duration: 1 * time.Second}
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-	if kubeletArguments.options != nil {
-		newCfg.CPUManagerPolicyOptions = kubeletArguments.options
-	}
+			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs))
+		})
 
-	if kubeletArguments.reservedSystemCPUs.Size() > 0 {
-		cpus := kubeletArguments.reservedSystemCPUs.String()
-		framework.Logf("configureCPUManagerInKubelet: using reservedSystemCPUs=%q", cpus)
-		newCfg.ReservedSystemCPUs = cpus
-	} else {
-		// The Kubelet panics if either kube-reserved or system-reserved is not set
-		// when CPU Manager is enabled. Set cpu in kube-reserved > 0 so that
-		// kubelet doesn't panic.
-		if newCfg.KubeReserved == nil {
-			newCfg.KubeReserved = map[string]string{}
-		}
+		ginkgo.It("should let the container access all the online non-exclusively-allocated CPUs when using a reserved CPUs set", ginkgo.Label("guaranteed", "exclusive-cpus"), func(ctx context.Context) {
+			cpuCount := 1
+			reservedCPUs = cpuset.New(0)
 
-		if _, ok := newCfg.KubeReserved["cpu"]; !ok {
-			newCfg.KubeReserved["cpu"] = "200m"
-		}
-	}
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod
 
-	return newCfg
-}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-func runGuPodTest(ctx context.Context, f *framework.Framework, cpuCount int, strictReservedCPUs cpuset.CPUSet) {
-	var pod *v1.Pod
+			podGu := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the guaranteed test pod")
+			podGu = e2epod.NewPodClient(f).CreateSync(ctx, podGu)
+			podMap[string(podGu.UID)] = podGu
 
-	ctnAttrs := []ctnAttribute{
-		{
-			ctnName:    "gu-container",
-			cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-			cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-		},
-	}
-	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podBu := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "200m",
+					cpuLimit:   "300m",
+				},
+			})
+			ginkgo.By("creating the burstable test pod")
+			podBu = e2epod.NewPodClient(f).CreateSync(ctx, podBu)
+			podMap[string(podBu.UID)] = podBu
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(podGu).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(podGu).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(podGu).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+
+			exclusiveCPUs, err := getContainerAllowedCPUs(podGu, "gu-container", false)
+			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", podGu.Namespace, podGu.Name)
+			expectedSharedCPUs := onlineCPUs.Difference(exclusiveCPUs)
+			gomega.Expect(podBu).To(HaveContainerCPUsEqualTo("non-gu-container", expectedSharedCPUs))
+		})
+	})
 
-	ginkgo.By("checking if the expected cpuset was assigned")
-	// any full CPU is fine - we cannot nor we should predict which one, though
-	for _, cnt := range pod.Spec.Containers {
-		ginkgo.By(fmt.Sprintf("validating the container %s on Gu pod %s", cnt.Name, pod.Name))
+	ginkgo.When("running guaranteed pod tests", ginkgo.Label("guaranteed", "exclusive-cpus"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
+		})
 
-		logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, cnt.Name)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", cnt.Name, pod.Name)
+		ginkgo.It("should allocate exclusively a CPU to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 1
 
-		cpus := getContainerAllowedCPUsFromLogs(pod.Name, cnt.Name, logs)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		gomega.Expect(cpus.Size()).To(gomega.Equal(cpuCount), "expected cpu set size == %d, got %q", cpuCount, cpus.String())
-		gomega.Expect(cpus.Intersection(strictReservedCPUs).IsEmpty()).To(gomega.BeTrueBecause("cpuset %q should not contain strict reserved cpus %q", cpus.String(), strictReservedCPUs.String()))
-	}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod.Name})
-	waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
-}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-func runNonGuPodTest(ctx context.Context, f *framework.Framework, cpuCap int64, strictReservedCPUs cpuset.CPUSet) {
-	var ctnAttrs []ctnAttribute
-	var err error
-	var pod *v1.Pod
-	var expAllowedCPUsListRegex string
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "non-gu-container",
-			cpuRequest: "100m",
-			cpuLimit:   "200m",
-		},
-	}
-	pod = makeCPUManagerPod("non-gu-pod", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-	ginkgo.By("checking if the expected cpuset was assigned")
-	expAllowedCPUs, err := cpuset.Parse(fmt.Sprintf("0-%d", cpuCap-1))
-	framework.ExpectNoError(err)
-	expAllowedCPUs = expAllowedCPUs.Difference(strictReservedCPUs)
-	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", expAllowedCPUs.String())
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod.Spec.Containers[0].Name, pod.Name)
-
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod.Name})
-	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
-}
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+		})
 
-func mustParseCPUSet(s string) cpuset.CPUSet {
-	res, err := cpuset.Parse(s)
-	framework.ExpectNoError(err)
-	return res
-}
+		// we don't use a separate group (gingo.When) with BeforeEach to factor out the tests because each
+		// test need to check for the amount of CPUs it needs.
 
-func runAutomaticallyRemoveInactivePodsFromCPUManagerStateFile(ctx context.Context, f *framework.Framework) {
-	var cpu1 int
-	var ctnAttrs []ctnAttribute
-	var pod *v1.Pod
-	var cpuList []int
-	var expAllowedCPUsListRegex string
-	var err error
-	// First running a Gu Pod,
-	// second disable cpu manager in kubelet,
-	// then delete the Gu Pod,
-	// then enable cpu manager in kubelet,
-	// at last wait for the reconcile process cleaned up the state file, if the assignments map is empty,
-	// it proves that the automatic cleanup in the reconcile process is in effect.
-	ginkgo.By("running a Gu pod for test remove")
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container-testremove",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod = makeCPUManagerPod("gu-pod-testremove", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-
-	ginkgo.By("checking if the expected cpuset was assigned")
-	cpu1 = 1
-	if isHTEnabled() {
-		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
-		cpu1 = cpuList[1]
-	} else if isMultiNUMA() {
-		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-		if len(cpuList) > 1 {
-			cpu1 = cpuList[1]
-		}
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu1)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod.Spec.Containers[0].Name, pod.Name)
+		ginkgo.It("should allocate exclusively a even number of CPUs to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 2
 
-	deletePodSyncByName(ctx, f, pod.Name)
-	// we need to wait for all containers to really be gone so cpumanager reconcile loop will not rewrite the cpu_manager_state.
-	// this is in turn needed because we will have an unavoidable (in the current framework) race with the
-	// reconcile loop which will make our attempt to delete the state file and to restore the old config go haywire
-	waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-func runMultipleGuNonGuPods(ctx context.Context, f *framework.Framework, cpuCap int64, cpuAlloc int64) {
-	var cpuListString, expAllowedCPUsListRegex string
-	var cpuList []int
-	var cpu1 int
-	var cset cpuset.CPUSet
-	var err error
-	var ctnAttrs []ctnAttribute
-	var pod1, pod2 *v1.Pod
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod1 = makeCPUManagerPod("gu-pod", ctnAttrs)
-	pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "non-gu-container",
-			cpuRequest: "200m",
-			cpuLimit:   "300m",
-		},
-	}
-	pod2 = makeCPUManagerPod("non-gu-pod", ctnAttrs)
-	pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
-
-	ginkgo.By("checking if the expected cpuset was assigned")
-	cpu1 = 1
-	if isHTEnabled() {
-		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
-		cpu1 = cpuList[1]
-	} else if isMultiNUMA() {
-		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-		if len(cpuList) > 1 {
-			cpu1 = cpuList[1]
-		}
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu1)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod1.Name, pod1.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod1.Spec.Containers[0].Name, pod1.Name)
-
-	cpuListString = "0"
-	if cpuAlloc > 2 {
-		cset = mustParseCPUSet(fmt.Sprintf("0-%d", cpuCap-1))
-		cpuListString = fmt.Sprintf("%s", cset.Difference(cpuset.New(cpu1)))
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", cpuListString)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod2.Name, pod2.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod2.Spec.Containers[0].Name, pod2.Name)
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod1.Name, pod2.Name})
-	waitForContainerRemoval(ctx, pod1.Spec.Containers[0].Name, pod1.Name, pod1.Namespace)
-	waitForContainerRemoval(ctx, pod2.Spec.Containers[0].Name, pod2.Name, pod2.Namespace)
-}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container"))
+		})
 
-func runMultipleCPUGuPod(ctx context.Context, f *framework.Framework) {
-	var cpuListString, expAllowedCPUsListRegex string
-	var cpuList []int
-	var cset cpuset.CPUSet
-	var err error
-	var ctnAttrs []ctnAttribute
-	var pod *v1.Pod
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container",
-			cpuRequest: "2000m",
-			cpuLimit:   "2000m",
-		},
-	}
-	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-
-	ginkgo.By("checking if the expected cpuset was assigned")
-	cpuListString = "1-2"
-	if isMultiNUMA() {
-		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-		if len(cpuList) > 1 {
-			cset = mustParseCPUSet(getCPUSiblingList(int64(cpuList[1])))
-			if !isHTEnabled() && len(cpuList) > 2 {
-				cset = mustParseCPUSet(fmt.Sprintf("%d-%d", cpuList[1], cpuList[2]))
-			}
-			cpuListString = fmt.Sprintf("%s", cset)
-		}
-	} else if isHTEnabled() {
-		cpuListString = "2-3"
-		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
-		if cpuList[1] != 1 {
-			cset = mustParseCPUSet(getCPUSiblingList(1))
-			cpuListString = fmt.Sprintf("%s", cset)
-		}
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", cpuListString)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod.Spec.Containers[0].Name, pod.Name)
-
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod.Name})
-	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
-}
+		ginkgo.It("should allocate exclusively a odd number of CPUs to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 3
 
-func runMultipleCPUContainersGuPod(ctx context.Context, f *framework.Framework) {
-	var expAllowedCPUsListRegex string
-	var cpuList []int
-	var cpu1, cpu2 int
-	var err error
-	var ctnAttrs []ctnAttribute
-	var pod *v1.Pod
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container1",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-		{
-			ctnName:    "gu-container2",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-
-	ginkgo.By("checking if the expected cpuset was assigned")
-	cpu1, cpu2 = 1, 2
-	if isHTEnabled() {
-		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
-		if cpuList[1] != 1 {
-			cpu1, cpu2 = cpuList[1], 1
-		}
-		if isMultiNUMA() {
-			cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-			if len(cpuList) > 1 {
-				cpu2 = cpuList[1]
-			}
-		}
-	} else if isMultiNUMA() {
-		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-		if len(cpuList) > 2 {
-			cpu1, cpu2 = cpuList[1], cpuList[2]
-		}
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%d|%d\n$", cpu1, cpu2)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod.Spec.Containers[0].Name, pod.Name)
-
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[1].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod.Spec.Containers[1].Name, pod.Name)
-
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod.Name})
-	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
-	waitForContainerRemoval(ctx, pod.Spec.Containers[1].Name, pod.Name, pod.Namespace)
-}
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-func runCfsQuotaGuPods(ctx context.Context, f *framework.Framework, disabledCPUQuotaWithExclusiveCPUs bool, cpuAlloc int64) {
-	var err error
-	var ctnAttrs []ctnAttribute
-	var pod1, pod2, pod3 *v1.Pod
-	podsToClean := make(map[string]*v1.Pod) // pod.UID -> pod
-
-	framework.Logf("runCfsQuotaGuPods: disableQuota=%v, CPU Allocatable=%v", disabledCPUQuotaWithExclusiveCPUs, cpuAlloc)
-
-	deleteTestPod := func(pod *v1.Pod) {
-		// waitForContainerRemoval takes "long" to complete; if we use the parent ctx we get a
-		// 'deadline expired' message and the cleanup aborts, which we don't want.
-		// So let's use a separate and more generous timeout (determined by trial and error)
-		ctx2, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
-		defer cancel()
-		deletePodSyncAndWait(ctx2, f, pod.Namespace, pod.Name)
-		delete(podsToClean, string(pod.UID))
-	}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-	// cleanup leftovers on test failure. The happy path is covered by `deleteTestPod` calls
-	ginkgo.DeferCleanup(func() {
-		ginkgo.By("by deleting the pods and waiting for container removal")
-		// waitForContainerRemoval takes "long" to complete; if we use the parent ctx we get a
-		// 'deadline expired' message and the cleanup aborts, which we don't want.
-		// So let's use a separate and more generous timeout (determined by trial and error)
-		ctx2, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
-		defer cancel()
-		deletePodsAsync(ctx2, f, podsToClean)
-	})
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			toleration := 1
+			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container", toleration))
+		})
 
-	podCFSCheckCommand := []string{"sh", "-c", `cat $(find /sysfscgroup | grep -E "($(cat /podinfo/uid)|$(cat /podinfo/uid | sed 's/-/_/g'))(/|\.slice/)cpu.max$") && sleep 1d`}
-	cfsCheckCommand := []string{"sh", "-c", "cat /sys/fs/cgroup/cpu.max && sleep 1d"}
-	defaultPeriod := "100000"
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
+			cpuCount := 3 // total
 
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container-cfsquota-disabled",
-			cpuRequest: "1",
-			cpuLimit:   "1",
-		},
-	}
-	pod1 = makeCPUManagerPod("gu-pod1", ctnAttrs)
-	pod1.Spec.Containers[0].Command = cfsCheckCommand
-	pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
-	podsToClean[string(pod1.UID)] = pod1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-	ginkgo.By("checking if the expected cfs quota was assigned (GU pod, exclusive CPUs, unlimited)")
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-	expectedQuota := "100000"
-	if disabledCPUQuotaWithExclusiveCPUs {
-		expectedQuota = "max"
-	}
-	expCFSQuotaRegex := fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod1.Name, pod1.Spec.Containers[0].Name, expCFSQuotaRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod1.Spec.Containers[0].Name, pod1.Name)
-	deleteTestPod(pod1)
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container-cfsquota-enabled",
-			cpuRequest: "500m",
-			cpuLimit:   "500m",
-		},
-	}
-	pod2 = makeCPUManagerPod("gu-pod2", ctnAttrs)
-	pod2.Spec.Containers[0].Command = cfsCheckCommand
-	pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
-	podsToClean[string(pod2.UID)] = pod2
-
-	ginkgo.By("checking if the expected cfs quota was assigned (GU pod, limited)")
-
-	expectedQuota = "50000"
-	expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod2.Name, pod2.Spec.Containers[0].Name, expCFSQuotaRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod2.Spec.Containers[0].Name, pod2.Name)
-	deleteTestPod(pod2)
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "non-gu-container",
-			cpuRequest: "100m",
-			cpuLimit:   "500m",
-		},
-	}
-	pod3 = makeCPUManagerPod("non-gu-pod3", ctnAttrs)
-	pod3.Spec.Containers[0].Command = cfsCheckCommand
-	pod3 = e2epod.NewPodClient(f).CreateSync(ctx, pod3)
-	podsToClean[string(pod3.UID)] = pod3
-
-	ginkgo.By("checking if the expected cfs quota was assigned (BU pod, limited)")
-
-	expectedQuota = "50000"
-	expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod3.Name, pod3.Spec.Containers[0].Name, expCFSQuotaRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod3.Spec.Containers[0].Name, pod3.Name)
-	deleteTestPod(pod3)
-
-	if cpuAlloc >= 2 {
-		ctnAttrs = []ctnAttribute{
-			{
-				ctnName:    "gu-container-non-int-values",
-				cpuRequest: "500m",
-				cpuLimit:   "500m",
-			},
-			{
-				ctnName:    "gu-container-int-values",
-				cpuRequest: "1",
-				cpuLimit:   "1",
-			},
-		}
-		pod4 := makeCPUManagerPod("gu-pod4", ctnAttrs)
-		pod4.Spec.Containers[0].Command = cfsCheckCommand
-		pod4.Spec.Containers[1].Command = cfsCheckCommand
-		pod4 = e2epod.NewPodClient(f).CreateSync(ctx, pod4)
-		podsToClean[string(pod4.UID)] = pod4
-
-		ginkgo.By("checking if the expected cfs quota was assigned (GU pod, container 0 exclusive CPUs unlimited, container 1 limited)")
-
-		expectedQuota = "50000"
-		expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-		err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod4.Name, pod4.Spec.Containers[0].Name, expCFSQuotaRegex)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-			pod4.Spec.Containers[0].Name, pod4.Name)
-		expectedQuota = "100000"
-		if disabledCPUQuotaWithExclusiveCPUs {
-			expectedQuota = "max"
-		}
-		expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-		err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod4.Name, pod4.Spec.Containers[1].Name, expCFSQuotaRegex)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-			pod4.Spec.Containers[1].Name, pod4.Name)
-		deleteTestPod(pod4)
-
-		ctnAttrs = []ctnAttribute{
-			{
-				ctnName:    "gu-container-non-int-values",
-				cpuRequest: "500m",
-				cpuLimit:   "500m",
-			},
-			{
-				ctnName:    "gu-container-int-values",
-				cpuRequest: "1",
-				cpuLimit:   "1",
-			},
-		}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "1000m",
+					cpuLimit:   "1000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-		pod5 := makeCPUManagerPod("gu-pod5", ctnAttrs)
-		pod5.Spec.Containers[0].Command = podCFSCheckCommand
-		pod5 = e2epod.NewPodClient(f).CreateSync(ctx, pod5)
-		podsToClean[string(pod5.UID)] = pod5
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (3+2)", func(ctx context.Context) {
+			cpuCount := 5 // total
 
-		ginkgo.By("checking if the expected cfs quota was assigned to pod (GU pod, unlimited)")
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		expectedQuota = "150000"
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-		if disabledCPUQuotaWithExclusiveCPUs {
-			expectedQuota = "max"
-		}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "3000m",
+					cpuLimit:   "3000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 3))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			toleration := 1
+			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container-1", toleration))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-		expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (4+2)", func(ctx context.Context) {
+			cpuCount := 6 // total
 
-		err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod5.Name, pod5.Spec.Containers[0].Name, expCFSQuotaRegex)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", pod5.Spec.Containers[0].Name, pod5.Name)
-		deleteTestPod(pod5)
-	} else {
-		ginkgo.By(fmt.Sprintf("some cases SKIPPED - requests at least %d allocatable cores, got %d", 2, cpuAlloc))
-	}
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container",
-			cpuRequest: "100m",
-			cpuLimit:   "100m",
-		},
-	}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-	pod6 := makeCPUManagerPod("gu-pod6", ctnAttrs)
-	pod6.Spec.Containers[0].Command = podCFSCheckCommand
-	pod6 = e2epod.NewPodClient(f).CreateSync(ctx, pod6)
-	podsToClean[string(pod6.UID)] = pod6
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "4000m",
+					cpuLimit:   "4000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 4))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-	ginkgo.By("checking if the expected cfs quota was assigned to pod (GU pod, limited)")
+		ginkgo.It("should allocate exclusively a CPU to multiple 1-container pods", func(ctx context.Context) {
+			cpuCount := 4 // total
 
-	expectedQuota = "10000"
-	expCFSQuotaRegex = fmt.Sprintf("^%s %s\n$", expectedQuota, defaultPeriod)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod6.Name, pod6.Spec.Containers[0].Name, expCFSQuotaRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", pod6.Spec.Containers[0].Name, pod6.Name)
-	deleteTestPod(pod6)
-}
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-func runMultipleGuPods(ctx context.Context, f *framework.Framework) {
-	var expAllowedCPUsListRegex string
-	var cpuList []int
-	var cpu1, cpu2 int
-	var err error
-	var ctnAttrs []ctnAttribute
-	var pod1, pod2 *v1.Pod
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container1",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod1 = makeCPUManagerPod("gu-pod1", ctnAttrs)
-	pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
-
-	ctnAttrs = []ctnAttribute{
-		{
-			ctnName:    "gu-container2",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod2 = makeCPUManagerPod("gu-pod2", ctnAttrs)
-	pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
-
-	ginkgo.By("checking if the expected cpuset was assigned")
-	cpu1, cpu2 = 1, 2
-	if isHTEnabled() {
-		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
-		if cpuList[1] != 1 {
-			cpu1, cpu2 = cpuList[1], 1
-		}
-		if isMultiNUMA() {
-			cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-			if len(cpuList) > 1 {
-				cpu2 = cpuList[1]
-			}
-		}
-	} else if isMultiNUMA() {
-		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
-		if len(cpuList) > 2 {
-			cpu1, cpu2 = cpuList[1], cpuList[2]
-		}
-	}
-	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu1)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod1.Name, pod1.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod1.Spec.Containers[0].Name, pod1.Name)
-
-	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu2)
-	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod2.Name, pod2.Spec.Containers[0].Name, expAllowedCPUsListRegex)
-	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
-		pod2.Spec.Containers[0].Name, pod2.Name)
-	ginkgo.By("by deleting the pods and waiting for container removal")
-	deletePods(ctx, f, []string{pod1.Name, pod2.Name})
-	waitForContainerRemoval(ctx, pod1.Spec.Containers[0].Name, pod1.Name, pod1.Namespace)
-	waitForContainerRemoval(ctx, pod2.Spec.Containers[0].Name, pod2.Name, pod2.Namespace)
-}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
 
-func runCPUManagerTests(f *framework.Framework) {
-	var cpuCap, cpuAlloc int64
-	var oldCfg *kubeletconfig.KubeletConfiguration
+			pod1 := makeCPUManagerPod("gu-pod-1", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod 1")
+			pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
+			podMap[string(pod1.UID)] = pod1
 
-	ginkgo.BeforeEach(func(ctx context.Context) {
-		var err error
-		if oldCfg == nil {
-			oldCfg, err = getCurrentKubeletConfig(ctx)
-			framework.ExpectNoError(err)
-		}
+			pod2 := makeCPUManagerPod("gu-pod-2", []ctnAttribute{
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod 2")
+			pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
+			podMap[string(pod2.UID)] = pod2
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod1).To(HaveContainerCPUsCount("gu-container-1", 2))
+			gomega.Expect(pod1).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod1).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			gomega.Expect(pod1).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
+
+			gomega.Expect(pod2).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod2).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod2).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod2).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 	})
 
-	ginkgo.It("should assign CPUs as expected based on the Pod spec", func(ctx context.Context) {
-		cpuCap, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-
-		// Skip CPU Manager tests altogether if the CPU capacity < minCPUCapacity.
-		if cpuCap < minCPUCapacity {
-			e2eskipper.Skipf("Skipping CPU Manager tests since the CPU capacity < %d", minCPUCapacity)
-		}
-
-		// Enable CPU Manager in the kubelet.
-		newCfg := configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-			policyName:         string(cpumanager.PolicyStatic),
-			reservedSystemCPUs: cpuset.CPUSet{},
+	ginkgo.When("running guaranteed pod tests with feature gates disabled", ginkgo.Label("guaranteed", "exclusive-cpus", "feature-gate-disabled"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
 		})
-		updateKubeletConfig(ctx, f, newCfg, true)
 
-		ginkgo.By("running a non-Gu pod")
-		runNonGuPodTest(ctx, f, cpuCap, cpuset.New())
+		ginkgo.It("should allocate exclusively a CPU to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 1
 
-		ginkgo.By("running a Gu pod")
-		runGuPodTest(ctx, f, 1, cpuset.New())
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		ginkgo.By("running multiple Gu and non-Gu pods")
-		runMultipleGuNonGuPods(ctx, f, cpuCap, cpuAlloc)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		// Skip rest of the tests if CPU capacity < 3.
-		if cpuCap < 3 {
-			e2eskipper.Skipf("Skipping rest of the CPU Manager tests since CPU capacity < 3")
-		}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-		ginkgo.By("running a Gu pod requesting multiple CPUs")
-		runMultipleCPUGuPod(ctx, f)
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-		ginkgo.By("running a Gu pod with multiple containers requesting integer CPUs")
-		runMultipleCPUContainersGuPod(ctx, f)
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+		})
 
-		ginkgo.By("running multiple Gu pods")
-		runMultipleGuPods(ctx, f)
+		// we don't use a separate group (gingo.When) with BeforeEach to factor out the tests because each
+		// test need to check for the amount of CPUs it needs.
 
-		ginkgo.By("test for automatically remove inactive pods from cpumanager state file.")
-		runAutomaticallyRemoveInactivePodsFromCPUManagerStateFile(ctx, f)
-	})
+		ginkgo.It("should allocate exclusively a even number of CPUs to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 2
 
-	ginkgo.It("reservedSystemCPUs are excluded only for Gu pods (strict-cpu-reservation option not enabled by default)", func(ctx context.Context) {
-		cpuCap, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		// Skip CPU Manager tests altogether if the CPU capacity < 2.
-		if cpuCap < 2 {
-			e2eskipper.Skipf("Skipping CPU Manager tests since the CPU capacity < 2")
-		}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		reservedSystemCPUs := cpuset.New(0)
-		newCfg := configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-			policyName:         string(cpumanager.PolicyStatic),
-			reservedSystemCPUs: reservedSystemCPUs,
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container"))
 		})
-		updateKubeletConfig(ctx, f, newCfg, true)
-
-		ginkgo.By("running a Gu pod - it shouldn't use reserved system CPUs")
-		runGuPodTest(ctx, f, 1, reservedSystemCPUs)
 
-		ginkgo.By("running a non-Gu pod - it can use reserved system CPUs")
-		runNonGuPodTest(ctx, f, cpuCap, cpuset.New())
+		ginkgo.It("should allocate exclusively a odd number of CPUs to a 1-container pod", func(ctx context.Context) {
+			cpuCount := 3
 
-	})
-
-	ginkgo.It("reservedSystemCPUs are excluded for both Gu and non-Gu pods (strict-cpu-reservation option enabled)", func(ctx context.Context) {
-		cpuCap, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		// Skip CPU Manager tests altogether if the CPU capacity < 2.
-		if cpuCap < 2 {
-			e2eskipper.Skipf("Skipping CPU Manager tests since the CPU capacity < 2")
-		}
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		reservedSystemCPUs := cpuset.New(0)
-		cpuPolicyOptions := map[string]string{
-			cpumanager.StrictCPUReservationOption: "true",
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-			policyName:              string(cpumanager.PolicyStatic),
-			reservedSystemCPUs:      reservedSystemCPUs,
-			enableCPUManagerOptions: true,
-			options:                 cpuPolicyOptions,
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			toleration := 1
+			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container", toleration))
 		})
-		updateKubeletConfig(ctx, f, newCfg, true)
 
-		ginkgo.By("running a Gu pod - it shouldn't use reserved system CPUs")
-		runGuPodTest(ctx, f, 1, reservedSystemCPUs)
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
+			cpuCount := 3 // total
 
-		ginkgo.By("running a non-Gu pod - it shouldn't use reserved system CPUs with strict-cpu-reservation option enabled")
-		runNonGuPodTest(ctx, f, cpuCap, reservedSystemCPUs)
-	})
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-	ginkgo.It("should assign CPUs as expected with enhanced policy based on strict SMT alignment", func(ctx context.Context) {
-		fullCPUsOnlyOpt := fmt.Sprintf("option=%s", cpumanager.FullPCPUsOnlyOption)
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		smtLevel := getSMTLevel()
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		// strict SMT alignment is trivially verified and granted on non-SMT systems
-		if smtLevel < minSMTLevel {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since SMT disabled", fullCPUsOnlyOpt)
-		}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "1000m",
+					cpuLimit:   "1000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-		// our tests want to allocate a full core, so we need at least 2*2=4 virtual cpus
-		minCPUCount := int64(smtLevel * minCPUCapacity)
-		if cpuAlloc < minCPUCount {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since the CPU capacity < %d", fullCPUsOnlyOpt, minCPUCount)
-		}
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (3+2)", func(ctx context.Context) {
+			cpuCount := 5 // total
 
-		framework.Logf("SMT level %d", smtLevel)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		// TODO: we assume the first available CPUID is 0, which is pretty fair, but we should probably
-		// check what we do have in the node.
-		cpuPolicyOptions := map[string]string{
-			cpumanager.FullPCPUsOnlyOption: "true",
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
 				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      cpuset.New(0),
-				enableCPUManagerOptions: true,
-				options:                 cpuPolicyOptions,
-			},
-		)
-		updateKubeletConfig(ctx, f, newCfg, true)
-
-		// the order between negative and positive doesn't really matter
-		runSMTAlignmentNegativeTests(ctx, f)
-		runSMTAlignmentPositiveTests(ctx, f, smtLevel, cpuset.New())
-	})
-
-	ginkgo.It("should assign CPUs as expected based on strict SMT alignment, reservedSystemCPUs should be excluded (both strict-cpu-reservation and full-pcpus-only options enabled)", func(ctx context.Context) {
-		fullCPUsOnlyOpt := fmt.Sprintf("option=%s", cpumanager.FullPCPUsOnlyOption)
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		smtLevel := getSMTLevel()
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		// strict SMT alignment is trivially verified and granted on non-SMT systems
-		if smtLevel < 2 {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since SMT disabled", fullCPUsOnlyOpt)
-		}
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "3000m",
+					cpuLimit:   "3000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 3))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			toleration := 1
+			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container-1", toleration))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-		// our tests want to allocate a full core, so we need at last smtLevel*2 virtual cpus
-		if cpuAlloc < int64(smtLevel*2) {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since the CPU capacity < %d", fullCPUsOnlyOpt, smtLevel*2)
-		}
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (4+2)", func(ctx context.Context) {
+			cpuCount := 6 // total
 
-		framework.Logf("SMT level %d", smtLevel)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-		reservedSystemCPUs := cpuset.New(0)
-		cpuPolicyOptions := map[string]string{
-			cpumanager.FullPCPUsOnlyOption:        "true",
-			cpumanager.StrictCPUReservationOption: "true",
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
 				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedSystemCPUs,
-				enableCPUManagerOptions: true,
-				options:                 cpuPolicyOptions,
-			},
-		)
-		updateKubeletConfig(ctx, f, newCfg, true)
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		// the order between negative and positive doesn't really matter
-		runSMTAlignmentNegativeTests(ctx, f)
-		runSMTAlignmentPositiveTests(ctx, f, smtLevel, reservedSystemCPUs)
-	})
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "4000m",
+					cpuLimit:   "4000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 4))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 
-	ginkgo.It("should not enforce CFS quota for containers with static CPUs assigned", func(ctx context.Context) {
-		if !IsCgroup2UnifiedMode() {
-			e2eskipper.Skipf("Skipping since CgroupV2 not used")
-		}
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		if cpuAlloc < 1 { // save expensive kubelet restart
-			e2eskipper.Skipf("Skipping since not enough allocatable CPU got %d required 1", cpuAlloc)
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
-				policyName:                       string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:               cpuset.New(0),
-				disableCPUQuotaWithExclusiveCPUs: true,
-			},
-		)
-		updateKubeletConfig(ctx, f, newCfg, true)
+		ginkgo.It("should allocate exclusively a CPU to multiple 1-container pods", func(ctx context.Context) {
+			cpuCount := 4 // total
 
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f) // check again after we reserved 1 full CPU. Some tests require > 1 exclusive CPU
-		runCfsQuotaGuPods(ctx, f, true, cpuAlloc)
-	})
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-	ginkgo.It("should keep enforcing the CFS quota for containers with static CPUs assigned and feature gate disabled", func(ctx context.Context) {
-		if !IsCgroup2UnifiedMode() {
-			e2eskipper.Skipf("Skipping since CgroupV2 not used")
-		}
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		if cpuAlloc < 1 { // save expensive kubelet restart
-			e2eskipper.Skipf("Skipping since not enough allocatable CPU got %d required 1", cpuAlloc)
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
-				policyName:                       string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:               cpuset.New(0),
-				disableCPUQuotaWithExclusiveCPUs: false,
-			},
-		)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: false,
+			}))
 
-		updateKubeletConfig(ctx, f, newCfg, true)
+			pod1 := makeCPUManagerPod("gu-pod-1", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod 1")
+			pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
+			podMap[string(pod1.UID)] = pod1
 
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f) // check again after we reserved 1 full CPU. Some tests require > 1 exclusive CPU
-		runCfsQuotaGuPods(ctx, f, false, cpuAlloc)
+			pod2 := makeCPUManagerPod("gu-pod-2", []ctnAttribute{
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod 2")
+			pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
+			podMap[string(pod2.UID)] = pod2
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod1).To(HaveContainerCPUsCount("gu-container-1", 2))
+			gomega.Expect(pod1).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod1).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+			gomega.Expect(pod1).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
+
+			gomega.Expect(pod2).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod2).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod2).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			gomega.Expect(pod2).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
 	})
 
-	f.It("should not reuse CPUs of restartable init containers", feature.SidecarContainers, func(ctx context.Context) {
-		cpuCap, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-
-		// Skip rest of the tests if CPU capacity < 3.
-		if cpuCap < 3 {
-			e2eskipper.Skipf("Skipping rest of the CPU Manager tests since CPU capacity < 3, got %d", cpuCap)
-		}
-
-		// Enable CPU Manager in the kubelet.
-		newCfg := configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-			policyName:         string(cpumanager.PolicyStatic),
-			reservedSystemCPUs: cpuset.CPUSet{},
+	ginkgo.When("running with strict CPU reservation", ginkgo.Label("strict-cpu-reservation"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
 		})
-		updateKubeletConfig(ctx, f, newCfg, true)
-
-		ginkgo.By("running a Gu pod with a regular init container and a restartable init container")
-		ctrAttrs := []ctnAttribute{
-			{
-				ctnName:    "gu-init-container1",
-				cpuRequest: "1000m",
-				cpuLimit:   "1000m",
-			},
-			{
-				ctnName:       "gu-restartable-init-container2",
-				cpuRequest:    "1000m",
-				cpuLimit:      "1000m",
-				restartPolicy: &containerRestartPolicyAlways,
-			},
-		}
-		pod := makeCPUManagerInitContainersPod("gu-pod", ctrAttrs)
-		pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-
-		ginkgo.By("checking if the expected cpuset was assigned")
-		logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, pod.Spec.InitContainers[0].Name)
-		framework.ExpectNoError(err, "expected log not found in init container [%s] of pod [%s]", pod.Spec.InitContainers[0].Name, pod.Name)
-
-		reusableCPUs := getContainerAllowedCPUsFromLogs(pod.Name, pod.Spec.InitContainers[0].Name, logs)
-
-		gomega.Expect(reusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", reusableCPUs.String())
-
-		logs, err = e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, pod.Spec.InitContainers[1].Name)
-		framework.ExpectNoError(err, "expected log not found in init container [%s] of pod [%s]", pod.Spec.InitContainers[1].Name, pod.Name)
-
-		nonReusableCPUs := getContainerAllowedCPUsFromLogs(pod.Name, pod.Spec.InitContainers[1].Name, logs)
 
-		gomega.Expect(nonReusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", nonReusableCPUs.String())
+		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      cpuset.CPUSet{},
+				enableCPUManagerOptions: true,
+				options: map[string]string{
+					cpumanager.StrictCPUReservationOption: "true",
+				},
+			}))
 
-		logs, err = e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, pod.Spec.Containers[0].Name)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", pod.Spec.Containers[0].Name, pod.Name)
+			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "100m",
+					cpuLimit:   "200m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-		cpus := getContainerAllowedCPUsFromLogs(pod.Name, pod.Spec.Containers[0].Name, logs)
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-		gomega.Expect(cpus.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", cpus.String())
+			// cpumanager will always reserve at least 1 cpu. In this case we don't set which, and if we treat the cpumanager
+			// as black box (which we very much should) we can't predict which one. So we can only assert that *A* cpu is not
+			// usable because is reserved.
+			gomega.Expect(pod).To(HaveContainerCPUsCount("non-gu-container", onlineCPUs.Size()-1))
+		})
 
-		gomega.Expect(reusableCPUs.Equals(nonReusableCPUs)).To(gomega.BeTrueBecause("expected reusable cpuset [%s] to be equal to non-reusable cpuset [%s]", reusableCPUs.String(), nonReusableCPUs.String()))
-		gomega.Expect(nonReusableCPUs.Intersection(cpus).IsEmpty()).To(gomega.BeTrueBecause("expected non-reusable cpuset [%s] to be disjoint from cpuset [%s]", nonReusableCPUs.String(), cpus.String()))
+		ginkgo.It("should let the container access all the online CPUs minus the reserved CPUs set when enabled", func(ctx context.Context) {
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enableCPUManagerOptions: true,
+				options: map[string]string{
+					cpumanager.StrictCPUReservationOption: "true",
+				},
+			}))
 
-		ginkgo.By("by deleting the pods and waiting for container removal")
-		deletePods(ctx, f, []string{pod.Name})
-		waitForContainerRemoval(ctx, pod.Spec.InitContainers[0].Name, pod.Name, pod.Namespace)
-		waitForContainerRemoval(ctx, pod.Spec.InitContainers[1].Name, pod.Name, pod.Namespace)
-		waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
-	})
+			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "100m",
+					cpuLimit:   "200m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-	ginkgo.It("should assign packed CPUs with distribute-cpus-across-numa disabled and pcpu-only policy options enabled", func(ctx context.Context) {
-		fullCPUsOnlyOpt := fmt.Sprintf("option=%s", cpumanager.FullPCPUsOnlyOption)
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		smtLevel := getSMTLevel()
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-		// strict SMT alignment is trivially verified and granted on non-SMT systems
-		if smtLevel < minSMTLevel {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since SMT disabled", fullCPUsOnlyOpt)
-		}
+			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs.Difference(reservedCPUs)))
+		})
 
-		// our tests want to allocate a full core, so we need at least 2*2=4 virtual cpus
-		minCPUCount := int64(smtLevel * minCPUCapacity)
-		if cpuAlloc < minCPUCount {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since the CPU capacity < %d", fullCPUsOnlyOpt, minCPUCount)
-		}
+		ginkgo.It("should let the container access all the online non-exclusively-allocated CPUs minus the reserved CPUs set when enabled", func(ctx context.Context) {
+			cpuCount := 1
 
-		framework.Logf("SMT level %d", smtLevel)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod)
 
-		cpuPolicyOptions := map[string]string{
-			cpumanager.FullPCPUsOnlyOption:            "true",
-			cpumanager.DistributeCPUsAcrossNUMAOption: "false",
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
 				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      cpuset.New(0),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
 				enableCPUManagerOptions: true,
-				options:                 cpuPolicyOptions,
-			},
-		)
-		updateKubeletConfig(ctx, f, newCfg, true)
-
-		ctnAttrs := []ctnAttribute{
-			{
-				ctnName:    "test-gu-container-distribute-cpus-across-numa-disabled",
-				cpuRequest: "2000m",
-				cpuLimit:   "2000m",
-			},
-		}
-		pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa-disabled", ctnAttrs)
-		pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				options: map[string]string{
+					cpumanager.StrictCPUReservationOption: "true",
+				},
+			}))
 
-		for _, cnt := range pod.Spec.Containers {
-			ginkgo.By(fmt.Sprintf("validating the container %s on Gu pod %s", cnt.Name, pod.Name))
+			cpuReq := fmt.Sprintf("%dm", 1000*cpuCount)
 
-			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, cnt.Name)
-			framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", cnt.Name, pod.Name)
+			podGu := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: cpuReq,
+					cpuLimit:   cpuReq,
+				},
+			})
+			ginkgo.By("creating the guaranteed test pod")
+			podGu = e2epod.NewPodClient(f).CreateSync(ctx, podGu)
+			podMap[string(podGu.UID)] = podGu
 
-			cpus := getContainerAllowedCPUsFromLogs(pod.Name, cnt.Name, logs)
+			podBu := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
+				{
+					ctnName:    "non-gu-container",
+					cpuRequest: "200m",
+					cpuLimit:   "300m",
+				},
+			})
+			ginkgo.By("creating the burstable test pod")
+			podBu = e2epod.NewPodClient(f).CreateSync(ctx, podBu)
+			podMap[string(podBu.UID)] = podBu
 
-			validateSMTAlignment(cpus, smtLevel, pod, &cnt)
-			gomega.Expect(cpus).To(BePackedCPUs())
-		}
-		deletePodSyncByName(ctx, f, pod.Name)
-		// we need to wait for all containers to really be gone so cpumanager reconcile loop will not rewrite the cpu_manager_state.
-		// this is in turn needed because we will have an unavoidable (in the current framework) race with th
-		// reconcile loop which will make our attempt to delete the state file and to restore the old config go haywire
-		waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
-	})
+			ginkgo.By("checking if the expected cpuset was assigned")
 
-	ginkgo.It("should assign CPUs distributed across NUMA with distribute-cpus-across-numa and pcpu-only policy options enabled", func(ctx context.Context) {
-		var cpusNumPerNUMA, numaNodeNum int
+			usableCPUs := onlineCPUs.Difference(reservedCPUs)
 
-		fullCPUsOnlyOpt := fmt.Sprintf("option=%s", cpumanager.FullPCPUsOnlyOption)
-		_, cpuAlloc, _ = getLocalNodeCPUDetails(ctx, f)
-		smtLevel := getSMTLevel()
-		framework.Logf("SMT level %d", smtLevel)
+			// any full CPU is fine - we cannot nor we should predict which one, though
+			gomega.Expect(podGu).To(HaveContainerCPUsCount("gu-container", cpuCount))
+			gomega.Expect(podGu).To(HaveContainerCPUsASubsetOf("gu-container", usableCPUs))
+			gomega.Expect(podGu).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
 
-		// strict SMT alignment is trivially verified and granted on non-SMT systems
-		if smtLevel < minSMTLevel {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since SMT disabled", fullCPUsOnlyOpt)
-		}
+			exclusiveCPUs, err := getContainerAllowedCPUs(podGu, "gu-container", false)
+			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", podGu.Namespace, podGu.Name)
+			expectedSharedCPUs := usableCPUs.Difference(exclusiveCPUs)
+			gomega.Expect(podBu).To(HaveContainerCPUsEqualTo("non-gu-container", expectedSharedCPUs))
+		})
+	})
 
-		// our tests want to allocate a full core, so we need at least 2*2=4 virtual cpus
-		minCPUCount := int64(smtLevel * minCPUCapacity)
-		if cpuAlloc < minCPUCount {
-			e2eskipper.Skipf("Skipping CPU Manager %s tests since the CPU capacity < %d", fullCPUsOnlyOpt, minCPUCount)
-		}
+	ginkgo.When("running with SMT Alignment", ginkgo.Label("smt-alignment"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			// strict SMT alignment is trivially verified and granted on non-SMT systems
+			if smtLevel < minSMTLevel {
+				e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
+			}
 
-		// this test is intended to be run on a multi-node NUMA system and
-		// a system with at least 4 cores per socket, hostcheck skips test
-		// if above requirements are not satisfied
-		numaNodeNum, _, _, cpusNumPerNUMA = hostCheck()
+			reservedCPUs = cpuset.New(0)
 
-		cpuPolicyOptions := map[string]string{
-			cpumanager.FullPCPUsOnlyOption:            "true",
-			cpumanager.DistributeCPUsAcrossNUMAOption: "true",
-		}
-		newCfg := configureCPUManagerInKubelet(oldCfg,
-			&cpuManagerKubeletArguments{
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
 				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      cpuset.New(0),
+				reservedSystemCPUs:      reservedCPUs,
 				enableCPUManagerOptions: true,
-				options:                 cpuPolicyOptions,
-			},
-		)
-		updateKubeletConfig(ctx, f, newCfg, true)
-		// 'distribute-cpus-across-numa' policy option ensures that CPU allocations are evenly distributed
-		//  across NUMA nodes in cases where more than one NUMA node is required to satisfy the allocation.
-		// So, we want to ensure that the CPU Request exceeds the number of CPUs that can fit within a single
-		// NUMA node. We have to pick cpuRequest such that:
-		// 1. CPURequest > cpusNumPerNUMA
-		// 2. Not occupy all the CPUs on the node ande leave room for reserved CPU
-		// 3. CPURequest is a multiple if number of NUMA nodes to allow equal CPU distribution across NUMA nodes
-		//
-		// In summary: cpusNumPerNUMA < CPURequest < ((cpusNumPerNuma * numaNodeNum) - reservedCPUscount)
-		// Considering all these constraints we select: CPURequest= (cpusNumPerNUMA-smtLevel)*numaNodeNum
-
-		cpuReq := (cpusNumPerNUMA - smtLevel) * numaNodeNum
-		ctnAttrs := []ctnAttribute{
-			{
-				ctnName:    "test-gu-container-distribute-cpus-across-numa",
-				cpuRequest: fmt.Sprintf("%d", cpuReq),
-				cpuLimit:   fmt.Sprintf("%d", cpuReq),
-			},
-		}
-		pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa", ctnAttrs)
-		pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				options: map[string]string{
+					cpumanager.FullPCPUsOnlyOption: "true",
+				},
+			}))
+		})
 
-		for _, cnt := range pod.Spec.Containers {
-			ginkgo.By(fmt.Sprintf("validating the container %s on Gu pod %s", cnt.Name, pod.Name))
+		ginkgo.It("should reject workload asking non-SMT-multiple of cpus", func(ctx context.Context) {
+			cpuCount := 1
+			cpuReq := fmt.Sprintf("%dm", 1000*cpuCount)
 
-			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, cnt.Name)
-			framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", cnt.Name, pod.Name)
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
 
-			cpus := getContainerAllowedCPUsFromLogs(pod.Name, cnt.Name, logs)
+			ginkgo.By("creating the testing pod")
+			// negative test: try to run a container whose requests aren't a multiple of SMT level, expect a rejection
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-neg",
+					cpuRequest: cpuReq,
+					cpuLimit:   cpuReq,
+				},
+			})
+			ginkgo.By("creating the test pod")
+			// CreateSync would wait for pod to become Ready - which will never happen if production code works as intended!
+			pod = e2epod.NewPodClient(f).Create(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("ensuring the testing pod is in failed state")
+			err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "Failed", 30*time.Second, func(pod *v1.Pod) (bool, error) {
+				if pod.Status.Phase != v1.PodPending {
+					return true, nil
+				}
+				return false, nil
+			})
+			framework.ExpectNoError(err)
 
-			validateSMTAlignment(cpus, smtLevel, pod, &cnt)
-			// We expect a perfectly even spilit i.e. equal distribution across NUMA Node as the CPU Request is 4*smtLevel*numaNodeNum.
-			expectedSpread := cpus.Size() / numaNodeNum
-			gomega.Expect(cpus).To(BeDistributedCPUs(expectedSpread))
-		}
-		deletePodSyncByName(ctx, f, pod.Name)
-		// we need to wait for all containers to really be gone so cpumanager reconcile loop will not rewrite the cpu_manager_state.
-		// this is in turn needed because we will have an unavoidable (in the current framework) race with th
-		// reconcile loop which will make our attempt to delete the state file and to restore the old config go haywire
-		waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
-	})
+			ginkgo.By("ensuring the testing pod is failed for the expected reason")
+			pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
+			framework.ExpectNoError(err)
+			gomega.Expect(pod).To(BeAPodInPhase(v1.PodFailed))
+			gomega.Expect(pod).To(HaveStatusReasonMatchingRegex(`SMT.*Alignment.*Error`))
+		})
 
-	ginkgo.AfterEach(func(ctx context.Context) {
-		updateKubeletConfig(ctx, f, oldCfg, true)
-	})
-}
+		ginkgo.It("should admit workload asking SMT-multiple of cpus", func(ctx context.Context) {
+			// positive test: try to run a container whose requests are a multiple of SMT level, check allocated cores
+			// 1. are core siblings
+			// 2. take a full core
+			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
+			//          this means on more-than-2-way SMT systems this test will prove nothing
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
+
+			cpuRequest := fmt.Sprintf("%d000m", smtLevel)
+			ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-pos",
+					cpuRequest: cpuRequest,
+					cpuLimit:   cpuRequest,
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
 
-func runSMTAlignmentNegativeTests(ctx context.Context, f *framework.Framework) {
-	// negative test: try to run a container whose requests aren't a multiple of SMT level, expect a rejection
-	ctnAttrs := []ctnAttribute{
-		{
-			ctnName:    "gu-container-neg",
-			cpuRequest: "1000m",
-			cpuLimit:   "1000m",
-		},
-	}
-	pod := makeCPUManagerPod("gu-pod", ctnAttrs)
-	// CreateSync would wait for pod to become Ready - which will never happen if production code works as intended!
-	pod = e2epod.NewPodClient(f).Create(ctx, pod)
+			ginkgo.By("validating each container in the testing pod")
+			for _, cnt := range pod.Spec.Containers {
+				ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
 
-	err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "Failed", 30*time.Second, func(pod *v1.Pod) (bool, error) {
-		if pod.Status.Phase != v1.PodPending {
-			return true, nil
-		}
-		return false, nil
+				gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+				gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
+			}
+		})
 	})
-	framework.ExpectNoError(err)
-	pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
-	framework.ExpectNoError(err)
 
-	if pod.Status.Phase != v1.PodFailed {
-		framework.Failf("pod %s not failed: %v", pod.Name, pod.Status)
-	}
-	if !isSMTAlignmentError(pod) {
-		framework.Failf("pod %s failed for wrong reason: %q", pod.Name, pod.Status.Reason)
-	}
+	ginkgo.When("running with Uncore Cache Alignment", ginkgo.Label("prefer-align-cpus-by-uncore-cache"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
 
-	deletePodSyncByName(ctx, f, pod.Name)
-	// we need to wait for all containers to really be gone so cpumanager reconcile loop will not rewrite the cpu_manager_state.
-	// this is in turn needed because we will have an unavoidable (in the current framework) race with th
-	// reconcile loop which will make our attempt to delete the state file and to restore the old config go haywire
-	waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
-}
+			reservedCPUs := cpuset.New(0)
 
-func runSMTAlignmentPositiveTests(ctx context.Context, f *framework.Framework, smtLevel int, strictReservedCPUs cpuset.CPUSet) {
-	// positive test: try to run a container whose requests are a multiple of SMT level, check allocated cores
-	// 1. are core siblings
-	// 2. take a full core
-	// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
-	//          this means on more-than-2-way SMT systems this test will prove nothing
-	ctnAttrs := []ctnAttribute{
-		{
-			ctnName:    "gu-container-pos",
-			cpuRequest: "2000m",
-			cpuLimit:   "2000m",
-		},
-	}
-	pod := makeCPUManagerPod("gu-pod", ctnAttrs)
-	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs,
+				enableCPUManagerOptions: true,
+				options: map[string]string{
+					cpumanager.PreferAlignByUnCoreCacheOption: "true",
+				},
+			}))
+		})
 
-	for _, cnt := range pod.Spec.Containers {
-		ginkgo.By(fmt.Sprintf("validating the container %s on Gu pod %s", cnt.Name, pod.Name))
+		ginkgo.It("should admit container asking odd integer amount of cpus", func(ctx context.Context) {
+			// assume uncore caches's worth of cpus will always be an even integer value
+			// smallest odd integer cpu request can be 1 cpu
+			// for meaningful test, minimum allocatable cpu requirement should be:
+			// minCPUCapacity + reservedCPUs.Size() + 1 CPU allocated
+			cpuCount := minCPUCapacity + reservedCPUs.Size() + 1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			// check if the node processor architecture has split or monolithic uncore cache.
+			// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
+			// with no change to default static behavior
+			allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
+			hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
+
+			if hasSplitUncore {
+				// create a container that requires one less cpu than a full uncore cache's worth of cpus
+				// assume total shared CPUs of a single uncore cache will always be an even integer
+				cpuRequest := fmt.Sprintf("%d000m", (uncoreGroupSize - 1))
+				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
+				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+					{
+						ctnName:    "gu-container-pos",
+						cpuRequest: cpuRequest,
+						cpuLimit:   cpuRequest,
+					},
+				})
+				ginkgo.By("creating the test pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				ginkgo.By("validating each container in the testing pod")
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+					gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
+				}
+			} else {
+				// for node with monolithic uncore cache processor
+				// uncoreGroupSize will be socket's worth of CPUs
+				// subtract (minCPUCapacity + 1) CPU resource constraint
+				cpuRequest := fmt.Sprintf("%d000m", (uncoreGroupSize - (minCPUCapacity + 1)))
+				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
+				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+					{
+						ctnName:    "gu-container-pos",
+						cpuRequest: cpuRequest,
+						cpuLimit:   cpuRequest,
+					},
+				})
+				ginkgo.By("creating the test pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
 
-		logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, cnt.Name)
-		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", cnt.Name, pod.Name)
+				ginkgo.By("validating each container in the testing pod")
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
 
-		cpus := getContainerAllowedCPUsFromLogs(pod.Name, cnt.Name, logs)
+					gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
+				}
+			}
+		})
+	})
 
-		gomega.Expect(cpus.Intersection(strictReservedCPUs).IsEmpty()).To(gomega.BeTrueBecause("cpuset %q should not contain strict reserved cpus %q", cpus.String(), strictReservedCPUs.String()))
-		validateSMTAlignment(cpus, smtLevel, pod, &cnt)
-	}
+	ginkgo.When("running with Uncore Cache Alignment disabled", ginkgo.Label("prefer-align-cpus-by-uncore-cache"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
 
-	deletePodSyncByName(ctx, f, pod.Name)
-	// we need to wait for all containers to really be gone so cpumanager reconcile loop will not rewrite the cpu_manager_state.
-	// this is in turn needed because we will have an unavoidable (in the current framework) race with th
-	// reconcile loop which will make our attempt to delete the state file and to restore the old config go haywire
-	waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
-}
+			reservedCPUs := cpuset.New(0)
 
-func validateSMTAlignment(cpus cpuset.CPUSet, smtLevel int, pod *v1.Pod, cnt *v1.Container) {
-	framework.Logf("validating cpus: %v", cpus)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs,
+				enableCPUManagerOptions: true,
+				options: map[string]string{
+					cpumanager.PreferAlignByUnCoreCacheOption: "false",
+				},
+			}))
+		})
 
-	if cpus.Size()%smtLevel != 0 {
-		framework.Failf("pod %q cnt %q received non-smt-multiple cpuset %v (SMT level %d)", pod.Name, cnt.Name, cpus, smtLevel)
-	}
+		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
+			cpuCount := 3 // total
 
-	// now check all the given cpus are thread siblings.
-	// to do so the easiest way is to rebuild the expected set of siblings from all the cpus we got.
-	// if the expected set matches the given set, the given set was good.
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
+
+			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+				{
+					ctnName:    "gu-container-1",
+					cpuRequest: "1000m",
+					cpuLimit:   "1000m",
+				},
+				{
+					ctnName:    "gu-container-2",
+					cpuRequest: "2000m",
+					cpuLimit:   "2000m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+
+			// we cannot nor we should predict which CPUs the container gets
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
+			// TODO: this is probably too strict but it is the closest of the old test did
+			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
+		})
+	})
+
+	ginkgo.When("checking the compatibility between options", func() {
+		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
+		ginkgo.Context("SMT Alignment and strict CPU reservation", ginkgo.Label("smt-alignment", "strict-cpu-reservation"), func() {
+			ginkgo.BeforeEach(func(ctx context.Context) {
+				// strict SMT alignment is trivially verified and granted on non-SMT systems
+				if smtLevel < minSMTLevel {
+					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
+				}
+				reservedCPUs = cpuset.New(0)
+			})
+
+			ginkgo.It("should reject workload asking non-SMT-multiple of cpus", func(ctx context.Context) {
+				cpuCount := 1
+
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:        "true",
+						cpumanager.StrictCPUReservationOption: "true",
+					},
+				}))
+
+				// negative test: try to run a container whose requests aren't a multiple of SMT level, expect a rejection
+				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+					{
+						ctnName:    "gu-container-neg",
+						cpuRequest: "1000m",
+						cpuLimit:   "1000m",
+					},
+				})
+				ginkgo.By("creating the testing pod")
+				// CreateSync would wait for pod to become Ready - which will never happen if production code works as intended!
+				pod = e2epod.NewPodClient(f).Create(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				ginkgo.By("ensuring the testing pod is in failed state")
+				err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "Failed", 30*time.Second, func(pod *v1.Pod) (bool, error) {
+					if pod.Status.Phase != v1.PodPending {
+						return true, nil
+					}
+					return false, nil
+				})
+				framework.ExpectNoError(err)
+
+				ginkgo.By("ensuring the testing pod is failed for the expected reason")
+				pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
+				framework.ExpectNoError(err)
+				gomega.Expect(pod).To(BeAPodInPhase(v1.PodFailed))
+				gomega.Expect(pod).To(HaveStatusReasonMatchingRegex(`SMT.*Alignment.*Error`))
+			})
+
+			ginkgo.It("should admit workload asking SMT-multiple of cpus", func(ctx context.Context) {
+				// positive test: try to run a container whose requests are a multiple of SMT level, check allocated cores
+				// 1. are core siblings
+				// 2. take a full core
+				// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
+				//          this means on more-than-2-way SMT systems this test will prove nothing
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:        "true",
+						cpumanager.StrictCPUReservationOption: "true",
+					},
+				}))
+
+				cpuCount := smtLevel
+				cpuRequest := fmt.Sprintf("%d000m", smtLevel)
+				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
+				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
+					{
+						ctnName:    "gu-container-x",
+						cpuRequest: cpuRequest,
+						cpuLimit:   cpuRequest,
+					},
+				})
+				ginkgo.By("creating the testing pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				usableCPUs := onlineCPUs.Difference(reservedCPUs)
+
+				gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-x", cpuCount))
+				gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-x", usableCPUs))
+				gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-x", reservedCPUs))
+
+				ginkgo.By("validating each container in the testing pod")
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
+				}
+			})
+		})
+
+		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
+		ginkgo.Context("SMT Alignment and Uncore Cache Alignment", ginkgo.Label("smt-alignment", "prefer-align-cpus-by-uncore-cache"), func() {
+			ginkgo.BeforeEach(func(ctx context.Context) {
+				// strict SMT alignment is trivially verified and granted on non-SMT systems
+				if smtLevel < minSMTLevel {
+					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
+				}
+				reservedCPUs = cpuset.New(0)
+			})
+
+			ginkgo.It("should assign packed CPUs with prefer-align-cpus-by-uncore-cache disabled and pcpu-only policy options enabled", func(ctx context.Context) {
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:            "true",
+						cpumanager.PreferAlignByUnCoreCacheOption: "false",
+					},
+				}))
+
+				ctnAttrs := []ctnAttribute{
+					{
+						ctnName:    "test-gu-container-uncore-cache-alignment-disabled",
+						cpuRequest: "2000m",
+						cpuLimit:   "2000m",
+					},
+				}
+				pod := makeCPUManagerPod("test-pod-uncore-cache-alignment-disabled", ctnAttrs)
+				ginkgo.By("creating the test pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				ginkgo.By("validating each container in the testing pod")
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
+				}
+			})
+
+			ginkgo.It("should assign CPUs aligned to uncore caches with prefer-align-cpus-by-uncore-cache and pcpu-only policy options enabled", func(ctx context.Context) {
+
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:            "true",
+						cpumanager.PreferAlignByUnCoreCacheOption: "true",
+					},
+				}))
+
+				// check if the node processor architecture has split or monolithic uncore cache.
+				// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
+				// with no change to default static behavior
+				allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
+				hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
+
+				if hasSplitUncore {
+					// for node with split uncore cache processor
+					// create a pod that requires a full uncore cache worth of CPUs
+					ctnAttrs := []ctnAttribute{
+						{
+							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-split-uncore",
+							cpuRequest: fmt.Sprintf("%d", uncoreGroupSize),
+							cpuLimit:   fmt.Sprintf("%d", uncoreGroupSize),
+						},
+					}
+					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
+					ginkgo.By("creating the test pod")
+					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+					podMap[string(pod.UID)] = pod
+
+					// 'prefer-align-cpus-by-uncore-cache' policy options will attempt at best-effort to allocate cpus
+					// so that distribution across uncore caches is minimized. Since the test container is requesting a full
+					// uncore cache worth of cpus and CPU0 is part of the reserved CPUset and not allocatable, the policy will attempt
+					// to allocate cpus from the next available uncore cache
+
+					for _, cnt := range pod.Spec.Containers {
+						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+						cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
+						framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
+
+						siblingsCPUs := makeThreadSiblingCPUSet(cpus)
+						gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
+
+						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
+						gomega.Expect(pod).ToNot(HaveContainerCPUsShareUncoreCacheWith(cnt.Name, reservedCPUs))
+					}
+				} else {
+					// for node with monolithic uncore cache processor
+					// expect default static behavior with pcpu-only policy enabled
+					// and prefer-align-cpus-by-uncore-cache enabled
+					ctnAttrs := []ctnAttribute{
+						{
+							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore",
+							cpuRequest: "2000m",
+							cpuLimit:   "2000m",
+						},
+					}
+					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
+					ginkgo.By("creating the test pod")
+					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+					podMap[string(pod.UID)] = pod
+
+					ginkgo.By("validating each container in the testing pod")
+					for _, cnt := range pod.Spec.Containers {
+						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+						gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
+					}
+				}
+			})
+		})
+
+		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
+		ginkgo.Context("Strict CPU Reservation and Uncore Cache Alignment", ginkgo.Label("strict-cpu-reservation", "prefer-align-cpus-by-uncore-cache"), func() {
+			ginkgo.BeforeEach(func(ctx context.Context) {
+				reservedCPUs = cpuset.New(0)
+			})
+
+			ginkgo.It("should assign CPUs aligned to uncore caches with prefer-align-cpus-by-uncore-cache and avoid reserved cpus", func(ctx context.Context) {
+				// assume uncore caches's worth of cpus will always be an even integer value
+				// smallest integer cpu request can be 1 cpu
+				// for meaningful test, minimum allocatable cpu requirement should be:
+				// minCPUCapacity + reservedCPUs.Size() + 1 CPU allocated
+				cpuCount := minCPUCapacity + reservedCPUs.Size() + 1
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.StrictCPUReservationOption:     "true",
+						cpumanager.PreferAlignByUnCoreCacheOption: "true",
+					},
+				}))
+
+				// check if the node processor architecture has split or monolithic uncore cache.
+				// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
+				// with no change to default static behavior
+				allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
+				hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
+
+				if hasSplitUncore {
+					// for node with split uncore cache processor
+					// create a pod that requires a full uncore cache worth of CPUs
+					ctnAttrs := []ctnAttribute{
+						{
+							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-split-uncore",
+							cpuRequest: fmt.Sprintf("%d", uncoreGroupSize),
+							cpuLimit:   fmt.Sprintf("%d", uncoreGroupSize),
+						},
+					}
+					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
+					ginkgo.By("creating the test pod")
+					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+					podMap[string(pod.UID)] = pod
+
+					// 'prefer-align-cpus-by-uncore-cache' policy options will attempt at best-effort to allocate cpus
+					// so that distribution across uncore caches is minimized. Since the test container is requesting a full
+					// uncore cache worth of cpus and CPU0 is part of the reserved CPUset and not allocatable, the policy will attempt
+					// to allocate cpus from the next available uncore cache
+
+					for _, cnt := range pod.Spec.Containers {
+						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+						cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
+						framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
+
+						siblingsCPUs := makeThreadSiblingCPUSet(cpus)
+						gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
+
+						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
+						gomega.Expect(pod).ToNot(HaveContainerCPUsShareUncoreCacheWith(cnt.Name, reservedCPUs))
+					}
+				} else {
+					// for node with monolithic uncore cache processor
+					// expect default static packed behavior
+					// when prefer-align-cpus-by-uncore-cache enabled
+					ctnAttrs := []ctnAttribute{
+						{
+							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore",
+							cpuRequest: "1000m",
+							cpuLimit:   "1000m",
+						},
+					}
+					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
+					ginkgo.By("creating the test pod")
+					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+					podMap[string(pod.UID)] = pod
+
+					ginkgo.By("validating each container in the testing pod")
+					for _, cnt := range pod.Spec.Containers {
+						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+						// expect allocated CPUs to be on the same uncore cache
+						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
+						gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore", reservedCPUs))
+					}
+				}
+			})
+		})
+
+		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
+		ginkgo.Context("SMT Alignment and distribution across NUMA", ginkgo.Label("smt-alignment", "distribute-cpus-across-numa"), func() {
+			ginkgo.BeforeEach(func(ctx context.Context) {
+				// strict SMT alignment is trivially verified and granted on non-SMT systems
+				if smtLevel < minSMTLevel {
+					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
+				}
+				reservedCPUs = cpuset.New(0)
+			})
+
+			ginkgo.It("should assign packed CPUs with distribute-cpus-across-numa disabled and pcpu-only policy options enabled", func(ctx context.Context) {
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:            "true",
+						cpumanager.DistributeCPUsAcrossNUMAOption: "false",
+					},
+				}))
+
+				ctnAttrs := []ctnAttribute{
+					{
+						ctnName:    "test-gu-container-distribute-cpus-across-numa-disabled",
+						cpuRequest: "2000m",
+						cpuLimit:   "2000m",
+					},
+				}
+				pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa-disabled", ctnAttrs)
+				ginkgo.By("creating the test pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				ginkgo.By("validating each container in the testing pod")
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
+				}
+			})
+
+			ginkgo.It("should assign CPUs distributed across NUMA with distribute-cpus-across-numa and pcpu-only policy options enabled", func(ctx context.Context) {
+				reservedCPUs = cpuset.New(0)
+
+				// this test is intended to be run on a multi-node NUMA system and
+				// a system with at least 4 cores per socket, hostcheck skips test
+				// if above requirements are not satisfied
+				numaNodeNum, _, _, cpusNumPerNUMA := hostCheck()
+				cpuReq := (cpusNumPerNUMA - smtLevel) * numaNodeNum
+
+				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuReq)
+
+				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+					policyName:              string(cpumanager.PolicyStatic),
+					reservedSystemCPUs:      reservedCPUs,
+					enableCPUManagerOptions: true,
+					options: map[string]string{
+						cpumanager.FullPCPUsOnlyOption:            "true",
+						cpumanager.DistributeCPUsAcrossNUMAOption: "true",
+					},
+				}))
+
+				// 'distribute-cpus-across-numa' policy option ensures that CPU allocations are evenly distributed
+				//  across NUMA nodes in cases where more than one NUMA node is required to satisfy the allocation.
+				// So, we want to ensure that the CPU Request exceeds the number of CPUs that can fit within a single
+				// NUMA node. We have to pick cpuRequest such that:
+				// 1. CPURequest > cpusNumPerNUMA
+				// 2. Not occupy all the CPUs on the node ande leave room for reserved CPU
+				// 3. CPURequest is a multiple if number of NUMA nodes to allow equal CPU distribution across NUMA nodes
+				//
+				// In summary: cpusNumPerNUMA < CPURequest < ((cpusNumPerNuma * numaNodeNum) - reservedCPUscount)
+				// Considering all these constraints we select: CPURequest= (cpusNumPerNUMA-smtLevel)*numaNodeNum
+
+				ctnAttrs := []ctnAttribute{
+					{
+						ctnName:    "test-gu-container-distribute-cpus-across-numa",
+						cpuRequest: fmt.Sprintf("%d", cpuReq),
+						cpuLimit:   fmt.Sprintf("%d", cpuReq),
+					},
+				}
+				pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa", ctnAttrs)
+				ginkgo.By("creating the test pod")
+				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+				podMap[string(pod.UID)] = pod
+
+				for _, cnt := range pod.Spec.Containers {
+					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
+
+					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
+					cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
+					framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
+
+					siblingsCPUs := makeThreadSiblingCPUSet(cpus)
+					gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
+
+					// We expect a perfectly even spilit i.e. equal distribution across NUMA Node as the CPU Request is 4*smtLevel*numaNodeNum.
+					expectedSpread := cpus.Size() / numaNodeNum
+					gomega.Expect(cpus).To(BeDistributedCPUs(expectedSpread))
+				}
+			})
+		})
+	})
+
+	ginkgo.When("checking the CFS quota management", ginkgo.Label("cfs-quota"), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			requireCGroupV2()
+			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
+			//          this means on more-than-2-way SMT systems this test will prove nothing
+			reservedCPUs = cpuset.New(0)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:                       string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:               reservedCPUs,
+				disableCPUQuotaWithExclusiveCPUs: true,
+			}))
+		})
+
+		ginkgo.It("should enforce for best-effort pod", func(ctx context.Context) {
+			ctnName := "be-container"
+			pod := makeCPUManagerBEPod("be-pod", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					ctnCommand: "sleep 1d",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("max"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
+		})
+
+		ginkgo.It("should disable for guaranteed pod with exclusive single CPU assigned", func(ctx context.Context) {
+			cpuCount := 1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-disabled"
+			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("max"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
+		})
+
+		ginkgo.It("should disable for guaranteed pod with exclusive four CPUs assigned", func(ctx context.Context) {
+			cpuCount := 4
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-disabled"
+			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "3",
+					cpuLimit:   "3",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("max"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount(ctnName, 3))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(ctnName, onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(ctnName, reservedCPUs))
+		})
+
+		ginkgo.It("should enforce for guaranteed pod", func(ctx context.Context) {
+			cpuCount := 1 // overshoot, minimum request is 1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-enabled"
+			pod := makeCPUManagerPod("gu-pod-cfs-quota-on", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "500m",
+					cpuLimit:   "500m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
+		})
+
+		ginkgo.It("should enforce for burstable pod", func(ctx context.Context) {
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), 0)
+
+			ctnName := "bu-container-cfsquota-enabled"
+			pod := makeCPUManagerPod("bu-pod-cfs-quota-on", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "100m",
+					cpuLimit:   "500m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
+		})
+
+		ginkgo.It("should not enforce with multiple containers without exclusive CPUs", func(ctx context.Context) {
+			cpuCount := 2
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			pod := makeCPUManagerPod("gu-pod-multicontainer", []ctnAttribute{
+				{
+					ctnName:    "gu-container-non-int-values-1",
+					cpuRequest: "100m",
+					cpuLimit:   "500m",
+				},
+				{
+					ctnName:    "gu-container-non-int-values-2",
+					cpuRequest: "300m",
+					cpuLimit:   "1200m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("170000"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values-1", "50000"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values-2", "120000"))
+		})
+
+		ginkgo.It("should not enforce with multiple containers only in the container with exclusive CPUs", func(ctx context.Context) {
+			cpuCount := 2
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			pod := makeCPUManagerPod("gu-pod-multicontainer-mixed", []ctnAttribute{
+				{
+					ctnName:    "gu-container-non-int-values",
+					cpuRequest: "500m",
+					cpuLimit:   "500m",
+				},
+				{
+					ctnName:    "gu-container-int-values",
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("max"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values", "50000"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-int-values", "max"))
+		})
+	})
+
+	ginkgo.When("checking the CFS quota management can be disabled", ginkgo.Label("cfs-quota"), func() {
+		// NOTE: these tests check only cases on which the quota is set to "max", so we intentionally
+		// don't duplicate the all the tests
+
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			requireCGroupV2()
+			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
+			//          this means on more-than-2-way SMT systems this test will prove nothing
+			reservedCPUs = cpuset.New(0)
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:                       string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:               reservedCPUs,
+				disableCPUQuotaWithExclusiveCPUs: false,
+			}))
+		})
+
+		ginkgo.It("should enforce for a guaranteed pod with exclusive CPUs assigned", func(ctx context.Context) {
+			cpuCount := 1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-disabled"
+			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("100000"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "100000"))
+		})
+
+		ginkgo.It("should enforce for a guaranteed pod with multiple exclusive CPUs assigned", func(ctx context.Context) {
+			cpuCount := 4
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-disabled"
+			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "3",
+					cpuLimit:   "3",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("300000"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "300000"))
+
+			gomega.Expect(pod).To(HaveContainerCPUsCount(ctnName, 3))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(ctnName, onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(ctnName, reservedCPUs))
+		})
+
+		ginkgo.It("should enforce for guaranteed pod not requiring exclusive CPUs", func(ctx context.Context) {
+			cpuCount := 1 // overshoot, minimum request is 1
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			ctnName := "gu-container-cfsquota-enabled"
+			pod := makeCPUManagerPod("gu-pod-cfs-quota-on", []ctnAttribute{
+				{
+					ctnName:    ctnName,
+					cpuRequest: "500m",
+					cpuLimit:   "500m",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
+			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
+		})
+
+		ginkgo.It("should enforce with multiple containers regardless if they require exclusive CPUs or not", func(ctx context.Context) {
+			cpuCount := 2
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			pod := makeCPUManagerPod("gu-pod-multicontainer-mixed", []ctnAttribute{
+				{
+					ctnName:    "gu-container-non-int-values",
+					cpuRequest: "500m",
+					cpuLimit:   "500m",
+				},
+				{
+					ctnName:    "gu-container-int-values",
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			gomega.Expect(pod).To(HaveSandboxQuota("150000"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values", "50000"))
+			gomega.Expect(pod).To(HaveContainerQuota("gu-container-int-values", "100000"))
+		})
+	})
+
+	f.Context("When checking the sidecar containers", framework.WithNodeConformance(), func() {
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
+		})
+
+		ginkgo.It("should reuse init container exclusive CPUs, but not sidecar container exclusive CPUS", func(ctx context.Context) {
+			cpuCount := 2 // total
+
+			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
+
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:         string(cpumanager.PolicyStatic),
+				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+			}))
+
+			var containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways
+
+			ctrAttrs := []ctnAttribute{
+				{
+					ctnName:    "init-container1",
+					cpuRequest: "1000m",
+					cpuLimit:   "1000m",
+				},
+				{
+					ctnName:       "sidecar-container",
+					cpuRequest:    "1000m",
+					cpuLimit:      "1000m",
+					restartPolicy: &containerRestartPolicyAlways,
+				},
+			}
+			pod := makeCPUManagerInitContainersPod("gu-pod", ctrAttrs)
+			ginkgo.By("running a Gu pod with a regular init container and a restartable init container")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			// when we get there the real initcontainer terminated, so we can only check its logs
+			ginkgo.By("checking if the expected cpuset was assigned")
+			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, pod.Namespace, pod.Name, pod.Spec.InitContainers[0].Name)
+			framework.ExpectNoError(err, "expected log not found in init container [%s] of pod [%s]", pod.Spec.InitContainers[0].Name, pod.Name)
+
+			reusableCPUs := getContainerAllowedCPUsFromLogs(pod.Name, pod.Spec.InitContainers[0].Name, logs)
+			gomega.Expect(reusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", reusableCPUs.String())
+
+			nonReusableCPUs, err := getContainerAllowedCPUs(pod, pod.Spec.InitContainers[1].Name, true)
+			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", pod.Namespace, pod.Name)
+
+			gomega.Expect(nonReusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", nonReusableCPUs.String())
+			gomega.Expect(reusableCPUs.Equals(nonReusableCPUs)).To(gomega.BeTrueBecause("expected reusable cpuset [%s] to be equal to non-reusable cpuset [%s]", reusableCPUs.String(), nonReusableCPUs.String()))
+
+			appContainerName := pod.Spec.Containers[0].Name
+			gomega.Expect(pod).To(HaveContainerCPUsCount(appContainerName, 1))
+			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(appContainerName, onlineCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(appContainerName, reservedCPUs))
+			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(appContainerName, nonReusableCPUs))
+		})
+	})
+})
+
+var _ = SIGDescribe("CPU Manager Incompatibility Pod Level Resources", ginkgo.Ordered, ginkgo.ContinueOnFailure, framework.WithSerial(), feature.CPUManager, feature.PodLevelResources, framework.WithFeatureGate(features.PodLevelResources), func() {
+	f := framework.NewDefaultFramework("cpu-manager-incompatibility-pod-level-resources-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+
+	// original kubeletconfig before the context start, to be restored
+	var oldCfg *kubeletconfig.KubeletConfiguration
+	var reservedCPUs cpuset.CPUSet
+	var onlineCPUs cpuset.CPUSet
+	var smtLevel int
+	var uncoreGroupSize int
+	// tracks all the pods created by a It() block. Best would be a namespace per It block
+	var podMap map[string]*v1.Pod
+
+	ginkgo.BeforeAll(func(ctx context.Context) {
+		var err error
+		oldCfg, err = getCurrentKubeletConfig(ctx)
+		framework.ExpectNoError(err)
+
+		onlineCPUs, err = getOnlineCPUs() // this should not change at all, at least during this suite lifetime
+		framework.ExpectNoError(err)
+		framework.Logf("Online CPUs: %s", onlineCPUs)
+
+		smtLevel = smtLevelFromSysFS() // this should not change at all, at least during this suite lifetime
+		framework.Logf("SMT level: %d", smtLevel)
+
+		uncoreGroupSize = getUncoreCPUGroupSize()
+		framework.Logf("Uncore Group Size: %d", uncoreGroupSize)
+
+		e2enodeCgroupV2Enabled = IsCgroup2UnifiedMode()
+		framework.Logf("cgroup V2 enabled: %v", e2enodeCgroupV2Enabled)
+
+		e2enodeCgroupDriver = oldCfg.CgroupDriver
+		framework.Logf("cgroup driver: %s", e2enodeCgroupDriver)
+
+		runtime, _, err := getCRIClient()
+		framework.ExpectNoError(err, "Failed to get CRI client")
+
+		version, err := runtime.Version(context.Background(), "")
+		framework.ExpectNoError(err, "Failed to get runtime version")
+
+		e2enodeRuntimeName = version.GetRuntimeName()
+		framework.Logf("runtime: %s", e2enodeRuntimeName)
+	})
+
+	ginkgo.AfterAll(func(ctx context.Context) {
+		updateKubeletConfig(ctx, f, oldCfg, true)
+	})
+
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
+		podMap = make(map[string]*v1.Pod)
+	})
+
+	ginkgo.JustBeforeEach(func(ctx context.Context) {
+		if !e2enodeCgroupV2Enabled {
+			e2eskipper.Skipf("Skipping since CgroupV2 not used")
+		}
+	})
+
+	ginkgo.AfterEach(func(ctx context.Context) {
+		deletePodsAsync(ctx, f, podMap)
+	})
+
+	ginkgo.When("running guaranteed pod level resources tests", ginkgo.Label("guaranteed pod level resources", "reserved-cpus"), func() {
+		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      cpuset.CPUSet{},
+				enablePodLevelResources: true,
+			}))
+
+			pod := makeCPUManagerPod("gu-pod-level-resources", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			pod.Spec.Resources = &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("1"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("1"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+			}
+
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("gu-container", onlineCPUs))
+		})
+
+		ginkgo.It("should let the container access all the online CPUs when using a reserved CPUs set", func(ctx context.Context) {
+			reservedCPUs = cpuset.New(0)
+
+			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
+				policyName:              string(cpumanager.PolicyStatic),
+				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
+				enablePodLevelResources: true,
+			}))
+
+			pod := makeCPUManagerPod("gu-pod-level-resources", []ctnAttribute{
+				{
+					ctnName:    "gu-container",
+					cpuRequest: "1",
+					cpuLimit:   "1",
+				},
+			})
+			pod.Spec.Resources = &v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("1"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("1"),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+			}
+
+			ginkgo.By("creating the test pod")
+			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+			podMap[string(pod.UID)] = pod
+
+			ginkgo.By("checking if the expected cpuset was assigned")
+			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("gu-container", onlineCPUs))
+		})
+	})
+})
+
+// Matching helpers
+
+func HaveStatusReasonMatchingRegex(expr string) types.GomegaMatcher {
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		re, err := regexp.Compile(expr)
+		if err != nil {
+			return false, err
+		}
+		return re.MatchString(actual.Status.Reason), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} reason {{.Actual.Status.Reason}} does not match regexp {{.Data}}", expr)
+}
+
+type msgData struct {
+	Name             string
+	CurrentCPUs      string
+	ExpectedCPUs     string
+	MismatchedCPUs   string
+	UncoreCacheAlign string
+	Count            int
+	Aligned          int
+	CurrentQuota     string
+	ExpectedQuota    string
+}
+
+func HaveContainerCPUsCount(ctnName string, val int) types.GomegaMatcher {
+	md := &msgData{
+		Name:  ctnName,
+		Count: val,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		return cpus.Size() == val, nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not matching expected count <{{.Data.Count}}> for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsAlignedTo(ctnName string, val int) types.GomegaMatcher {
+	md := &msgData{
+		Name:    ctnName,
+		Aligned: val,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		return cpus.Size()%val == 0, nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not aligned to value <{{.Data.Aligned}}> for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsOverlapWith(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
+	md := &msgData{
+		Name:         ctnName,
+		ExpectedCPUs: ref.String(),
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		sharedCPUs := cpus.Intersection(ref)
+		return sharedCPUs.Size() > 0, nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> overlapping with expected CPUs <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsASubsetOf(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
+	md := &msgData{
+		Name:         ctnName,
+		ExpectedCPUs: ref.String(),
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		return cpus.IsSubsetOf(ref), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not a subset of expected CPUs <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsEqualTo(ctnName string, expectedCPUs cpuset.CPUSet) types.GomegaMatcher {
+	md := &msgData{
+		Name:         ctnName,
+		ExpectedCPUs: expectedCPUs.String(),
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		return cpus.Equals(expectedCPUs), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not matching the expected value <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
+}
+
+func HaveSandboxQuota(expectedQuota string) types.GomegaMatcher {
+	md := &msgData{
+		ExpectedQuota: expectedQuota,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		md.Name = klog.KObj(actual).String()
+		quota, err := getSandboxCFSQuota(actual)
+		md.CurrentQuota = quota
+		if err != nil {
+			framework.Logf("getSandboxCFSQuota() failed: %v", err)
+			return false, err
+		}
+		re, err := regexp.Compile(fmt.Sprintf("^%s %s$", expectedQuota, defaultCFSPeriod))
+		if err != nil {
+			return false, err
+		}
+		return re.MatchString(quota), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has quota <{{.Data.CurrentQuota}}> not matching expected value <{{.Data.ExpectedQuota}}>", md)
+}
+
+func HaveContainerQuota(ctnName, expectedQuota string) types.GomegaMatcher {
+	md := &msgData{
+		Name:          ctnName,
+		ExpectedQuota: expectedQuota,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		quota, err := getContainerCFSQuota(actual, ctnName, false)
+		md.CurrentQuota = quota
+		if err != nil {
+			framework.Logf("getContainerCFSQuota(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		re, err := regexp.Compile(fmt.Sprintf("^%s %s$", expectedQuota, defaultCFSPeriod))
+		if err != nil {
+			return false, err
+		}
+		return re.MatchString(quota), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has quota <{{.Data.CurrentQuota}}> not matching expected value <{{.Data.ExpectedQuota}}> for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsThreadSiblings(ctnName string) types.GomegaMatcher {
+	md := &msgData{
+		Name: ctnName,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		expectedCPUs := makeThreadSiblingCPUSet(cpus)
+		md.ExpectedCPUs = expectedCPUs.String()
+		return cpus.Equals(expectedCPUs), nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not all thread sibling pairs (would be <{{.Data.ExpectedCPUs}}>) for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsQuasiThreadSiblings(ctnName string, toleration int) types.GomegaMatcher {
+	md := &msgData{
+		Name:  ctnName,
+		Count: toleration,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		md.CurrentCPUs = cpus.String()
+		if err != nil {
+			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
+			return false, err
+		}
+		// this is by construction >= cpus (extreme case: cpus is made by all non-thread-siblings)
+		expectedCPUs := makeThreadSiblingCPUSet(cpus)
+		md.ExpectedCPUs = expectedCPUs.String()
+		mismatchedCPUs := expectedCPUs.Difference(cpus)
+		md.MismatchedCPUs = mismatchedCPUs.String()
+		return mismatchedCPUs.Size() <= toleration, nil
+	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not all thread sibling pairs (would be <{{.Data.ExpectedCPUs}}> mismatched <{{.Data.MismatchedCPUs}}> toleration <{{.Data.Count}}>) for container {{.Data.Name}}", md)
+}
+
+func HaveContainerCPUsWithSameUncoreCacheID(ctnName string) types.GomegaMatcher {
+	md := &msgData{
+		Name: ctnName,
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
+		if err != nil {
+			return false, fmt.Errorf("getContainerAllowedCPUs(%s) failed: %w", ctnName, err)
+		}
+		md.CurrentCPUs = cpus.String()
+
+		var commonCacheID *int64
+
+		for _, cpu := range cpus.List() {
+			// determine the Uncore Cache ID for each cpu
+			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
+			if err != nil {
+				return false, fmt.Errorf("failed to read cache ID for CPU %d: %w", cpu, err)
+			}
+
+			// if this the first CPU we check, set the Uncore Cache ID as the reference
+			// for subsequent CPUs, compare the Uncore Cache ID to the reference
+			if commonCacheID == nil {
+				commonCacheID = &uncoreID
+			} else if *commonCacheID != uncoreID {
+				md.UncoreCacheAlign = fmt.Sprintf("shared uncoreID mismatch: CPU %d has uncoreID %d, CPUSet has uncoreID %d", cpu, uncoreID, *commonCacheID)
+				return false, nil
+			}
+		}
+
+		// All CPUs matched the same cache ID
+		md.UncoreCacheAlign = fmt.Sprintf("all CPUs share cache ID %d", *commonCacheID)
+		return true, nil
+	}).WithTemplate(
+		"Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} container {{.Data.Name}} has CPUSet <{{.Data.CurrentCPUs}}> where not all CPUs share the same uncore cache ID: {{.Data.UncoreCacheAlign}}",
+		md,
+	)
+}
+
+func HaveContainerCPUsShareUncoreCacheWith(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
+	md := &msgData{
+		Name:         ctnName,
+		ExpectedCPUs: ref.String(),
+	}
+	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
+		containerCPUs, err := getContainerAllowedCPUs(actual, ctnName, false)
+		if err != nil {
+			return false, fmt.Errorf("getContainerAllowedCPUs(%s) failed: %w", ctnName, err)
+		}
+		md.CurrentCPUs = containerCPUs.String()
+
+		// Build set of uncore cache IDs from the reference cpuset
+		refUncoreIDs := sets.New[int64]()
+		for _, cpu := range ref.UnsortedList() {
+			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
+			if err != nil {
+				return false, fmt.Errorf("failed to read uncore cache ID for reference CPU %d: %w", cpu, err)
+			}
+			refUncoreIDs.Insert(uncoreID)
+		}
+
+		// Check if any container CPUs share an uncore ID with the reference set
+		for _, cpu := range containerCPUs.UnsortedList() {
+			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
+			if err != nil {
+				return false, fmt.Errorf("failed to read uncore cache ID for container CPU %d: %w", cpu, err)
+			}
+			if refUncoreIDs.Has(uncoreID) {
+				md.UncoreCacheAlign = fmt.Sprintf("%d", uncoreID)
+				return true, nil
+			}
+		}
+
+		return false, nil
+	}).WithTemplate(
+		"Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} container {{.Data.Name}} has CPUSet <{{.Data.CurrentCPUs}}> sharing uncoreCache ID <{{.Data.UncoreCacheAlign}}> with reference CPUSet <{{.Data.ExpectedCPUs}}>",
+		md,
+	)
+}
+
+// Custom matcher for checking packed CPUs.
+func BePackedCPUs() types.GomegaMatcher {
+	return gcustom.MakeMatcher(func(allocatedCPUs cpuset.CPUSet) (bool, error) {
+		distribution := computeNUMADistribution(allocatedCPUs)
+		for _, count := range distribution {
+			// This assumption holds true if there are enough CPUs on a single NUMA node.
+			// We are intentionally limiting the CPU request to 2 to minimize the number
+			// of CPUs required to fulfill this case and therefore maximize the chances
+			// of correctly validating this case.
+			if count == allocatedCPUs.Size() {
+				return true, nil
+			}
+		}
+		return false, nil
+	}).WithMessage("expected CPUs to be packed")
+}
+
+// Custom matcher for checking distributed CPUs.
+func BeDistributedCPUs(expectedSpread int) types.GomegaMatcher {
+	return gcustom.MakeMatcher(func(allocatedCPUs cpuset.CPUSet) (bool, error) {
+		distribution := computeNUMADistribution(allocatedCPUs)
+		for _, count := range distribution {
+			if count != expectedSpread {
+				return false, nil
+			}
+		}
+		return true, nil
+	}).WithTemplate("expected CPUs to be evenly distributed across NUMA nodes\nExpected: {{.Data}}\nGot:\n{{.FormattedActual}}\nDistribution: {{.Data}}\n").WithTemplateData(expectedSpread)
+}
+
+// Other helpers
+
+func getContainerAllowedCPUsFromLogs(podName, cntName, logs string) cpuset.CPUSet {
+	framework.Logf("got pod logs: <%v>", logs)
+	cpus, err := cpuset.Parse(strings.TrimSpace(logs))
+	framework.ExpectNoError(err, "parsing cpuset from logs for [%s] of pod [%s]", cntName, podName)
+	return cpus
+}
+
+// computeNUMADistribution calculates CPU distribution per NUMA node.
+func computeNUMADistribution(allocatedCPUs cpuset.CPUSet) map[int]int {
+	numaCPUs, err := getNumaNodeCPUs()
+	framework.ExpectNoError(err, "Error retrieving NUMA nodes")
+	framework.Logf("NUMA Node CPUs allocation: %v", numaCPUs)
+
+	distribution := make(map[int]int)
+	for node, cpus := range numaCPUs {
+		distribution[node] = cpus.Intersection(allocatedCPUs).Size()
+	}
+
+	framework.Logf("allocated CPUs %s distribution: %v", allocatedCPUs.String(), distribution)
+	return distribution
+}
+
+func getContainerAllowedCPUs(pod *v1.Pod, ctnName string, isInit bool) (cpuset.CPUSet, error) {
+	cgPath, err := makeCgroupPathForContainer(pod, ctnName, isInit, e2enodeCgroupV2Enabled)
+	if err != nil {
+		return cpuset.CPUSet{}, err
+	}
+	cgPath = filepath.Join(cgPath, cpusetFileNameFromVersion(e2enodeCgroupV2Enabled))
+	framework.Logf("pod %s/%s cnt %s qos=%s path %q", pod.Namespace, pod.Name, ctnName, pod.Status.QOSClass, cgPath)
+	data, err := os.ReadFile(cgPath)
+	if err != nil {
+		return cpuset.CPUSet{}, err
+	}
+	cpus := strings.TrimSpace(string(data))
+	framework.Logf("pod %s/%s cnt %s cpuset %q", pod.Namespace, pod.Name, ctnName, cpus)
+	return cpuset.Parse(cpus)
+}
+
+func getSandboxCFSQuota(pod *v1.Pod) (string, error) {
+	if !e2enodeCgroupV2Enabled {
+		return "", fmt.Errorf("only Cgroup V2 is supported")
+	}
+	cgPath := filepath.Join(makeCgroupPathForPod(pod, true), "cpu.max")
+	data, err := os.ReadFile(cgPath)
+	if err != nil {
+		return "", err
+	}
+	quota := strings.TrimSpace(string(data))
+	framework.Logf("pod %s/%s qos=%s path %q quota %q", pod.Namespace, pod.Name, pod.Status.QOSClass, cgPath, quota)
+	return quota, nil
+}
+
+func getContainerCFSQuota(pod *v1.Pod, ctnName string, isInit bool) (string, error) {
+	if !e2enodeCgroupV2Enabled {
+		return "", fmt.Errorf("only Cgroup V2 is supported")
+	}
+	cgPath, err := makeCgroupPathForContainer(pod, ctnName, isInit, true)
+	if err != nil {
+		return "", err
+	}
+	data, err := os.ReadFile(filepath.Join(cgPath, "cpu.max"))
+	if err != nil {
+		return "", err
+	}
+	quota := strings.TrimSpace(string(data))
+	framework.Logf("pod %s/%s qos=%s cnt %s path %q quota %q", pod.Namespace, pod.Name, pod.Status.QOSClass, ctnName, cgPath, quota)
+	return quota, nil
+}
+
+const (
+	kubeCgroupRoot = "/sys/fs/cgroup"
+)
+
+// example path (systemd, crio, v2):
+// /sys/fs/cgroup/ kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod0b7632a2_a56e_4278_987a_22de18008dbe.slice/ crio-conmon-0bc5eac79e3ae7a0c2651f14722aa10fa333eb2325c2ca97da33aa284cda81b0.scope
+// example path (cgroup, containerd, v1):
+// /sys/fs/cgroup/cpuset kubepods/burstable pod8e414e92-17c2-41de-81c7-0045bba9103b b5791f89a6971bb4a751ffbebf533399c91630aa2906d7c6b5e239f405f3b97a
+
+func makeCgroupPathForPod(pod *v1.Pod, isV2 bool) string {
+	components := []string{defaultNodeAllocatableCgroup}
+	if pod.Status.QOSClass != v1.PodQOSGuaranteed {
+		components = append(components, strings.ToLower(string(pod.Status.QOSClass)))
+	}
+	components = append(components, "pod"+string(pod.UID))
+
+	cgroupName := cm.NewCgroupName(cm.RootCgroupName, components...)
+	cgroupFsName := ""
+	// it's quite ugly to use a global, but it saves us to pass a parameter all across the stack many times
+	if e2enodeCgroupDriver == "systemd" {
+		cgroupFsName = cgroupName.ToSystemd()
+	} else {
+		cgroupFsName = cgroupName.ToCgroupfs()
+	}
+	if !isV2 {
+		cgroupFsName = filepath.Join("cpuset", cgroupFsName)
+	}
+	return filepath.Join(kubeCgroupRoot, cgroupFsName)
+}
+
+func makeCgroupPathForContainer(pod *v1.Pod, ctnName string, isInit, isV2 bool) (string, error) {
+	fullCntID, ok := findContainerIDByName(pod, ctnName, isInit)
+	if !ok {
+		return "", fmt.Errorf("cannot find status for container %q", ctnName)
+	}
+	cntID, err := parseContainerID(fullCntID)
+	if err != nil {
+		return "", err
+	}
+	cntPath := ""
+	if e2enodeCgroupDriver == "systemd" {
+		cntPath = containerCgroupPathPrefixFromDriver(e2enodeRuntimeName) + "-" + cntID + ".scope"
+	} else {
+		cntPath = cntID
+	}
+
+	return filepath.Join(makeCgroupPathForPod(pod, isV2), cntPath), nil
+}
+
+func cpusetFileNameFromVersion(isV2 bool) string {
+	if isV2 {
+		return "cpuset.cpus.effective"
+	}
+	return "cpuset.cpus"
+}
+
+func containerCgroupPathPrefixFromDriver(runtimeName string) string {
+	if runtimeName == "cri-o" {
+		return "crio"
+	}
+	return "cri-containerd"
+}
+
+func parseContainerID(fullID string) (string, error) {
+	_, cntID, found := strings.Cut(fullID, "://")
+	if !found {
+		return "", fmt.Errorf("unsupported containerID: %q", fullID)
+	}
+	// TODO: should we validate the kind?
+	return cntID, nil
+}
+
+func findContainerIDByName(pod *v1.Pod, ctnName string, isInit bool) (string, bool) {
+	cntStatuses := pod.Status.ContainerStatuses
+	if isInit {
+		cntStatuses = pod.Status.InitContainerStatuses
+	}
+	for idx := range cntStatuses {
+		if cntStatuses[idx].Name == ctnName {
+			return cntStatuses[idx].ContainerID, true
+		}
+	}
+	return "", false
+}
+
+func makeThreadSiblingCPUSet(cpus cpuset.CPUSet) cpuset.CPUSet {
 	siblingsCPUs := cpuset.New()
 	for _, cpuID := range cpus.UnsortedList() {
-		threadSiblings, err := cpuset.Parse(strings.TrimSpace(getCPUSiblingList(int64(cpuID))))
-		framework.ExpectNoError(err, "parsing cpuset from logs for [%s] of pod [%s]", cnt.Name, pod.Name)
-		siblingsCPUs = siblingsCPUs.Union(threadSiblings)
+		siblingsCPUs = siblingsCPUs.Union(cpuSiblingListFromSysFS(int64(cpuID)))
+	}
+	return siblingsCPUs
+}
+
+func updateKubeletConfigIfNeeded(ctx context.Context, f *framework.Framework, desiredCfg *kubeletconfig.KubeletConfiguration) *v1.Node {
+	curCfg, err := getCurrentKubeletConfig(ctx)
+	framework.ExpectNoError(err)
+
+	if equalKubeletConfiguration(curCfg, desiredCfg) {
+		framework.Logf("Kubelet configuration already compliant, nothing to do")
+		return getLocalNode(ctx, f)
+	}
+
+	framework.Logf("Updating Kubelet configuration")
+	updateKubeletConfig(ctx, f, desiredCfg, true)
+	framework.Logf("Updated Kubelet configuration")
+
+	return getLocalNode(ctx, f)
+}
+
+func equalKubeletConfiguration(cfgA, cfgB *kubeletconfig.KubeletConfiguration) bool {
+	cfgA = cfgA.DeepCopy()
+	cfgB = cfgB.DeepCopy()
+	// we care only about the payload, force metadata to be uniform
+	cfgA.TypeMeta = metav1.TypeMeta{}
+	cfgB.TypeMeta = metav1.TypeMeta{}
+	return reflect.DeepEqual(cfgA, cfgB)
+}
+
+type nodeCPUDetails struct {
+	Capacity    int64
+	Allocatable int64
+	Reserved    int64
+}
+
+func cpuDetailsFromNode(node *v1.Node) nodeCPUDetails {
+	localNodeCap := node.Status.Capacity
+	cpuCap := localNodeCap[v1.ResourceCPU]
+	localNodeAlloc := node.Status.Allocatable
+	cpuAlloc := localNodeAlloc[v1.ResourceCPU]
+	cpuRes := cpuCap.DeepCopy()
+	cpuRes.Sub(cpuAlloc)
+	// RoundUp reserved CPUs to get only integer cores.
+	cpuRes.RoundUp(0)
+	return nodeCPUDetails{
+		Capacity:    cpuCap.Value(),
+		Allocatable: cpuCap.Value() - cpuRes.Value(),
+		Reserved:    cpuRes.Value(),
+	}
+}
+
+// smtLevelFromSysFS returns the number of symmetrical multi-thread (SMT) execution units the processor provides.
+// The most common value on x86_64 is 2 (2 virtual threads/cores per physical core), that would be smtLevel == 2.
+// The following are all synonyms: threadsPerCore, smtLevel
+// Note: can't find a good enough yet not overly long name, "threadSiblingCount", "smtLevel", "threadsPerCore" are all questionable.
+func smtLevelFromSysFS() int {
+	cpuID := int64(0) // this is just the most likely cpu to be present in a random system. No special meaning besides this.
+	cpus := cpuSiblingListFromSysFS(cpuID)
+	return cpus.Size()
+}
+
+func cpuSiblingListFromSysFS(cpuID int64) cpuset.CPUSet {
+	data, err := os.ReadFile(fmt.Sprintf("/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list", cpuID))
+	framework.ExpectNoError(err)
+	// how many thread sibling you have = SMT level
+	// example: 2-way SMT means 2 threads sibling for each thread
+	cpus, err := cpuset.Parse(strings.TrimSpace(string(data)))
+	framework.ExpectNoError(err)
+	return cpus
+}
+
+func uncoreCacheIDFromSysFS(cpuID int) (int64, error) {
+	// expect sysfs path for Uncore Cache ID for each CPU to be:
+	// /sys/devices/system/cpu/cpu#/cache/index3/id
+	cacheIDPath := filepath.Join("/sys/devices/system/cpu", fmt.Sprintf("cpu%d", cpuID), "cache", "index3", "id")
+	cacheIDBytes, err := os.ReadFile(cacheIDPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read cache ID for CPU %d: %w", cpuID, err)
+	}
+
+	cacheIDStr := strings.TrimSpace(string(cacheIDBytes))
+	cacheID, err := strconv.ParseInt(cacheIDStr, 10, 64)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse cache ID for CPU %d: %w", cpuID, err)
+	}
+
+	return cacheID, nil
+}
+
+func makeCPUManagerBEPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
+	var containers []v1.Container
+	for _, ctnAttr := range ctnAttributes {
+		ctn := v1.Container{
+			Name:    ctnAttr.ctnName,
+			Image:   busyboxImage,
+			Command: []string{"sh", "-c", ctnAttr.ctnCommand},
+			VolumeMounts: []v1.VolumeMount{
+				{
+					Name:      "sysfscgroup",
+					MountPath: "/sysfscgroup",
+				},
+				{
+					Name:      "podinfo",
+					MountPath: "/podinfo",
+				},
+			},
+		}
+		containers = append(containers, ctn)
 	}
 
-	framework.Logf("siblings cpus: %v", siblingsCPUs)
-	if !siblingsCPUs.Equals(cpus) {
-		framework.Failf("pod %q cnt %q received non-smt-aligned cpuset %v (expected %v)", pod.Name, cnt.Name, cpus, siblingsCPUs)
+	return &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: podName,
+		},
+		Spec: v1.PodSpec{
+			RestartPolicy: v1.RestartPolicyNever,
+			Containers:    containers,
+			Volumes: []v1.Volume{
+				{
+					Name: "sysfscgroup",
+					VolumeSource: v1.VolumeSource{
+						HostPath: &v1.HostPathVolumeSource{Path: "/sys/fs/cgroup"},
+					},
+				},
+				{
+					Name: "podinfo",
+					VolumeSource: v1.VolumeSource{
+						DownwardAPI: &v1.DownwardAPIVolumeSource{
+							Items: []v1.DownwardAPIVolumeFile{
+								{
+									Path: "uid",
+									FieldRef: &v1.ObjectFieldSelector{
+										APIVersion: "v1",
+										FieldPath:  "metadata.uid",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 }
 
-func isSMTAlignmentError(pod *v1.Pod) bool {
-	re := regexp.MustCompile(`SMT.*Alignment.*Error`)
-	return re.MatchString(pod.Status.Reason)
+func requireCGroupV2() {
+	if e2enodeCgroupV2Enabled {
+		return
+	}
+	e2eskipper.Skipf("Skipping since CgroupV2 not used")
+
 }
 
-// getNumaNodeCPUs retrieves CPUs for each NUMA node.
-func getNumaNodeCPUs() (map[int]cpuset.CPUSet, error) {
-	numaNodes := make(map[int]cpuset.CPUSet)
-	nodePaths, err := filepath.Glob("/sys/devices/system/node/node*/cpulist")
-	if err != nil {
-		return nil, err
-	}
+const (
+	minSMTLevel    = 2
+	minCPUCapacity = 2
+)
 
-	for _, nodePath := range nodePaths {
-		data, err := os.ReadFile(nodePath)
-		framework.ExpectNoError(err, "Error obtaning CPU information from the node")
-		cpuSet := strings.TrimSpace(string(data))
-		cpus, err := cpuset.Parse(cpuSet)
-		framework.ExpectNoError(err, "Error parsing CPUset")
+// Helper for makeCPUManagerPod().
+type ctnAttribute struct {
+	ctnName       string
+	ctnCommand    string
+	cpuRequest    string
+	cpuLimit      string
+	restartPolicy *v1.ContainerRestartPolicy
+}
 
-		// Extract node ID from path (e.g., "node0" -> 0)
-		base := filepath.Base(filepath.Dir(nodePath))
-		nodeID, err := strconv.Atoi(strings.TrimPrefix(base, "node"))
-		if err != nil {
-			continue
+// makeCPUMangerPod returns a pod with the provided ctnAttributes.
+func makeCPUManagerPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
+	var containers []v1.Container
+	for _, ctnAttr := range ctnAttributes {
+		cpusetCmd := "grep Cpus_allowed_list /proc/self/status | cut -f2 && sleep 1d"
+		ctn := v1.Container{
+			Name:  ctnAttr.ctnName,
+			Image: busyboxImage,
+			Resources: v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuRequest),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuLimit),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+			},
+			Command: []string{"sh", "-c", cpusetCmd},
+			VolumeMounts: []v1.VolumeMount{
+				{
+					Name:      "sysfscgroup",
+					MountPath: "/sysfscgroup",
+				},
+				{
+					Name:      "podinfo",
+					MountPath: "/podinfo",
+				},
+			},
 		}
-		numaNodes[nodeID] = cpus
+		containers = append(containers, ctn)
 	}
 
-	return numaNodes, nil
+	return &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: podName,
+		},
+		Spec: v1.PodSpec{
+			RestartPolicy: v1.RestartPolicyNever,
+			Containers:    containers,
+			Volumes: []v1.Volume{
+				{
+					Name: "sysfscgroup",
+					VolumeSource: v1.VolumeSource{
+						HostPath: &v1.HostPathVolumeSource{Path: "/sys/fs/cgroup"},
+					},
+				},
+				{
+					Name: "podinfo",
+					VolumeSource: v1.VolumeSource{
+						DownwardAPI: &v1.DownwardAPIVolumeSource{
+							Items: []v1.DownwardAPIVolumeFile{
+								{
+									Path: "uid",
+									FieldRef: &v1.ObjectFieldSelector{
+										APIVersion: "v1",
+										FieldPath:  "metadata.uid",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
 }
 
-func getContainerAllowedCPUsFromLogs(podName, cntName, logs string) cpuset.CPUSet {
-	framework.Logf("got pod logs: <%v>", logs)
-	cpus, err := cpuset.Parse(strings.TrimSpace(logs))
-	framework.ExpectNoError(err, "parsing cpuset from logs for [%s] of pod [%s]", cntName, podName)
-	return cpus
+// makeCPUMangerInitContainersPod returns a pod with init containers with the
+// provided ctnAttributes.
+func makeCPUManagerInitContainersPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
+	var containers []v1.Container
+	cpusetCmd := "grep Cpus_allowed_list /proc/self/status | cut -f2"
+	cpusetAndSleepCmd := "grep Cpus_allowed_list /proc/self/status | cut -f2 && sleep 1d"
+	for _, ctnAttr := range ctnAttributes {
+		ctn := v1.Container{
+			Name:  ctnAttr.ctnName,
+			Image: busyboxImage,
+			Resources: v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuRequest),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse(ctnAttr.cpuLimit),
+					v1.ResourceMemory: resource.MustParse("100Mi"),
+				},
+			},
+			Command:       []string{"sh", "-c", cpusetCmd},
+			RestartPolicy: ctnAttr.restartPolicy,
+		}
+		if ctnAttr.restartPolicy != nil && *ctnAttr.restartPolicy == v1.ContainerRestartPolicyAlways {
+			ctn.Command = []string{"sh", "-c", cpusetAndSleepCmd}
+		}
+		containers = append(containers, ctn)
+	}
+
+	return &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: podName,
+		},
+		Spec: v1.PodSpec{
+			RestartPolicy:  v1.RestartPolicyNever,
+			InitContainers: containers,
+			Containers: []v1.Container{
+				{
+					Name:  "regular",
+					Image: busyboxImage,
+					Resources: v1.ResourceRequirements{
+						Requests: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("1000m"),
+							v1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+						Limits: v1.ResourceList{
+							v1.ResourceCPU:    resource.MustParse("1000m"),
+							v1.ResourceMemory: resource.MustParse("100Mi"),
+						},
+					},
+					Command: []string{"sh", "-c", cpusetAndSleepCmd},
+				},
+			},
+		},
+	}
 }
 
-// computeNUMADistribution calculates CPU distribution per NUMA node.
-func computeNUMADistribution(allocatedCPUs cpuset.CPUSet) map[int]int {
-	numaCPUs, err := getNumaNodeCPUs()
-	framework.ExpectNoError(err, "Error retrieving NUMA nodes")
-	framework.Logf("NUMA Node CPUs allocation: %v", numaCPUs)
+type cpuManagerKubeletArguments struct {
+	policyName                       string
+	enableCPUManagerOptions          bool
+	disableCPUQuotaWithExclusiveCPUs bool
+	enablePodLevelResources          bool
+	reservedSystemCPUs               cpuset.CPUSet
+	options                          map[string]string
+}
 
-	distribution := make(map[int]int)
-	for node, cpus := range numaCPUs {
-		distribution[node] = cpus.Intersection(allocatedCPUs).Size()
+func configureCPUManagerInKubelet(oldCfg *kubeletconfig.KubeletConfiguration, kubeletArguments *cpuManagerKubeletArguments) *kubeletconfig.KubeletConfiguration {
+	newCfg := oldCfg.DeepCopy()
+	if newCfg.FeatureGates == nil {
+		newCfg.FeatureGates = make(map[string]bool)
 	}
 
-	framework.Logf("allocated CPUs %s distribution: %v", allocatedCPUs.String(), distribution)
-	return distribution
-}
+	newCfg.FeatureGates["CPUManagerPolicyBetaOptions"] = kubeletArguments.enableCPUManagerOptions
+	newCfg.FeatureGates["CPUManagerPolicyAlphaOptions"] = kubeletArguments.enableCPUManagerOptions
+	newCfg.FeatureGates["DisableCPUQuotaWithExclusiveCPUs"] = kubeletArguments.disableCPUQuotaWithExclusiveCPUs
+	newCfg.FeatureGates["PodLevelResources"] = kubeletArguments.enablePodLevelResources
 
-// Custom matcher for checking packed CPUs.
-func BePackedCPUs() gomegatypes.GomegaMatcher {
-	return gcustom.MakeMatcher(func(allocatedCPUs cpuset.CPUSet) (bool, error) {
-		distribution := computeNUMADistribution(allocatedCPUs)
-		for _, count := range distribution {
-			// This assumption holds true if there are enough CPUs on a single NUMA node.
-			// We are intentionally limiting the CPU request to 2 to minimize the number
-			// of CPUs required to fulfill this case and therefore maximize the chances
-			// of correctly validating this case.
-			if count == allocatedCPUs.Size() {
-				return true, nil
-			}
-		}
-		return false, nil
-	}).WithMessage("expected CPUs to be packed")
-}
+	newCfg.CPUManagerPolicy = kubeletArguments.policyName
+	newCfg.CPUManagerReconcilePeriod = metav1.Duration{Duration: 1 * time.Second}
 
-// Custom matcher for checking distributed CPUs.
-func BeDistributedCPUs(expectedSpread int) gomegatypes.GomegaMatcher {
-	return gcustom.MakeMatcher(func(allocatedCPUs cpuset.CPUSet) (bool, error) {
-		distribution := computeNUMADistribution(allocatedCPUs)
-		for _, count := range distribution {
-			if count != expectedSpread {
-				return false, nil
-			}
+	if kubeletArguments.options != nil {
+		newCfg.CPUManagerPolicyOptions = kubeletArguments.options
+	}
+
+	if kubeletArguments.reservedSystemCPUs.Size() > 0 {
+		cpus := kubeletArguments.reservedSystemCPUs.String()
+		framework.Logf("configureCPUManagerInKubelet: using reservedSystemCPUs=%q", cpus)
+		newCfg.ReservedSystemCPUs = cpus
+	} else {
+		// The Kubelet panics if either kube-reserved or system-reserved is not set
+		// when CPU Manager is enabled. Set cpu in kube-reserved > 0 so that
+		// kubelet doesn't panic.
+		if newCfg.KubeReserved == nil {
+			newCfg.KubeReserved = map[string]string{}
 		}
-		return true, nil
-	}).WithTemplate("expected CPUs to be evenly distributed across NUMA nodes\nExpected: {{.Data}}\nGot:\n{{.FormattedActual}}\nDistribution: {{.Data}}\n").WithTemplateData(expectedSpread)
-}
 
-// Serial because the test updates kubelet configuration.
-var _ = SIGDescribe("CPU Manager", framework.WithSerial(), feature.CPUManager, func() {
-	f := framework.NewDefaultFramework("cpu-manager-test")
-	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+		if _, ok := newCfg.KubeReserved["cpu"]; !ok {
+			newCfg.KubeReserved["cpu"] = "200m"
+		}
+	}
 
-	ginkgo.Context("With kubeconfig updated with static CPU Manager policy run the CPU Manager tests", func() {
-		runCPUManagerTests(f)
-	})
-})
+	return newCfg
+}
diff --git a/test/e2e_node/cpumanager_test.go b/test/e2e_node/cpumanager_test.go
deleted file mode 100644
index e5069b9ce24bf..0000000000000
--- a/test/e2e_node/cpumanager_test.go
+++ /dev/null
@@ -1,2612 +0,0 @@
-/*
-Copyright 2025 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package e2enode
-
-/*
- * this is a rewrite of the cpumanager e2e_node test.
- * we will move testcases from cpu_manager_test.go to cpumanager_test.go.
- * Full details in the tracking issue: https://github.com/kubernetes/kubernetes/issues/129884
- */
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"reflect"
-	"regexp"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/onsi/ginkgo/v2"
-	"github.com/onsi/gomega"
-	"github.com/onsi/gomega/gcustom"
-	"github.com/onsi/gomega/types"
-
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/resource"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/features"
-	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
-	"k8s.io/kubernetes/pkg/kubelet/cm"
-	"k8s.io/kubernetes/pkg/kubelet/cm/cpumanager"
-	admissionapi "k8s.io/pod-security-admission/api"
-	"k8s.io/utils/cpuset"
-
-	"k8s.io/kubernetes/test/e2e/feature"
-	"k8s.io/kubernetes/test/e2e/framework"
-	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
-	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
-)
-
-const (
-	defaultCFSPeriod = "100000"
-)
-
-// this is ugly, but pratical
-var (
-	e2enodeRuntimeName     string
-	e2enodeCgroupV2Enabled bool
-	e2enodeCgroupDriver    string
-)
-
-/*
-   - Serial:
-   because the test updates kubelet configuration.
-
-   - Ordered:
-   Each spec (It block) need to run with a kubelet configuration in place. At minimum, we need
-   the non-default cpumanager static policy, then we have the cpumanager options and so forth.
-   The simplest solution is to set the kubelet explicitly each time, but this will cause a kubelet restart
-   each time, which takes longer and makes the flow intrinsically more fragile (so more flakes are more likely).
-   Using Ordered allows us to use BeforeAll/AfterAll, and most notably to reuse the kubelet config in a batch
-   of specs (It blocks). Each it block will still set its kubelet config preconditions, but with a sensible
-   test arrangement, many of these preconditions will devolve into noop.
-   Arguably, this decision increases the coupling among specs, leaving room for subtle ordering bugs.
-   There's no argue the ginkgo spec randomization would help, but the tradeoff here is between
-   lane complexity/fragility (reconfiguring the kubelet is not bulletproof yet) and accepting this risk.
-   If in the future we decide to pivot to make each spec fully independent, little changes will be needed.
-   Finally, worth pointing out that the previous cpumanager e2e test incarnation implemented the same
-   concept in a more convoluted way with function helpers, so arguably using Ordered and making it
-   explicit is already an improvement.
-*/
-
-/*
- * Extending the cpumanager test suite
- * TL;DRs: THE MOST IMPORTANT:
- * Please keep the test hierarchy very flat.
- * Nesting more than 2 contexts total from SIGDescribe root is likely to be a smell.
- * The problem with deep nesting is the interaction between BeforeEach blocks and the increased scope of variables.
- * The Ideal layout would be
- *   SIGDescribe # top level, unique
- *     Context   # you can add more context, but please try hard to avoid nesting them
- *       It      # add it blocks freely. Feel free to start new *non-nested* contexts as you see fit
- *     Context
- *       It
- *       It
- * Exception: if you need to add the same labels to quite a few (say, 3+) It blocks, you can add a **empty** context
- * The most important thing is to avoid long chain of beforeeach/aftereach and > 2 level of context nesting.
- * So a **empty** context only to group labels is acceptable:
- *   SIGDescribe
- *     Context(label1, label2) # avoid beforeeach/aftereach and variables here
- *       Context
- *         It
- *         It
- *     Context
- *       It
- * Final rule of thumb: if the nesting of the context description starts to read awkward or funny or stop making sense
- * if read as english sentence, then the nesting is likely too deep.
- */
-
-/*
- * About reserved CPUs:
- * all the tests assume the first available CPUID is 0, which is pretty fair and most of time correct.
- * A better approach would be check what we do have in the node. This is deferred to a later stage alongside
- * other improvements.
- */
-var _ = SIGDescribe("CPU Manager", ginkgo.Ordered, ginkgo.ContinueOnFailure, framework.WithSerial(), feature.CPUManager, func() {
-	f := framework.NewDefaultFramework("cpumanager-test")
-	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-
-	// original kubeletconfig before the context start, to be restored
-	var oldCfg *kubeletconfig.KubeletConfiguration
-	var reservedCPUs cpuset.CPUSet
-	var onlineCPUs cpuset.CPUSet
-	var smtLevel int
-	var uncoreGroupSize int
-	// tracks all the pods created by a It() block. Best would be a namespace per It block
-	// TODO: move to a namespace per It block?
-	var podMap map[string]*v1.Pod
-
-	// closure just and only to not carry around awkwardly `f` and `onlineCPUs` only for logging purposes
-	var skipIfAllocatableCPUsLessThan func(node *v1.Node, cpuReq int)
-
-	ginkgo.BeforeAll(func(ctx context.Context) {
-		var err error
-		oldCfg, err = getCurrentKubeletConfig(ctx)
-		framework.ExpectNoError(err)
-
-		onlineCPUs, err = getOnlineCPUs() // this should not change at all, at least during this suite lifetime
-		framework.ExpectNoError(err)
-		framework.Logf("Online CPUs: %s", onlineCPUs)
-
-		smtLevel = smtLevelFromSysFS() // this should not change at all, at least during this suite lifetime
-		framework.Logf("SMT level: %d", smtLevel)
-
-		uncoreGroupSize = getUncoreCPUGroupSize()
-		framework.Logf("Uncore Group Size: %d", uncoreGroupSize)
-
-		e2enodeCgroupV2Enabled = IsCgroup2UnifiedMode()
-		framework.Logf("cgroup V2 enabled: %v", e2enodeCgroupV2Enabled)
-
-		e2enodeCgroupDriver = oldCfg.CgroupDriver
-		framework.Logf("cgroup driver: %s", e2enodeCgroupDriver)
-
-		runtime, _, err := getCRIClient()
-		framework.ExpectNoError(err, "Failed to get CRI client")
-
-		version, err := runtime.Version(context.Background(), "")
-		framework.ExpectNoError(err, "Failed to get runtime version")
-
-		e2enodeRuntimeName = version.GetRuntimeName()
-		framework.Logf("runtime: %s", e2enodeRuntimeName)
-	})
-
-	ginkgo.AfterAll(func(ctx context.Context) {
-		updateKubeletConfig(ctx, f, oldCfg, true)
-	})
-
-	ginkgo.BeforeEach(func(ctx context.Context) {
-		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
-		podMap = make(map[string]*v1.Pod)
-	})
-
-	ginkgo.JustBeforeEach(func(ctx context.Context) {
-		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
-
-		// use a closure to minimize the arguments, to make the usage more straightforward
-		skipIfAllocatableCPUsLessThan = func(node *v1.Node, val int) {
-			ginkgo.GinkgoHelper()
-			cpuReq := int64(val + reservedCPUs.Size()) // reserved CPUs are not usable, need to account them
-			// the framework is initialized using an injected BeforeEach node, so the
-			// earliest we can do is to initialize the other objects here
-			nodeCPUDetails := cpuDetailsFromNode(node)
-
-			msg := fmt.Sprintf("%v full CPUs (detected=%v requested=%v reserved=%v online=%v smt=%v)", cpuReq, nodeCPUDetails.Allocatable, val, reservedCPUs.Size(), onlineCPUs.Size(), smtLevel)
-			ginkgo.By("Checking if allocatable: " + msg)
-			if nodeCPUDetails.Allocatable < cpuReq {
-				e2eskipper.Skipf("Skipping CPU Manager test: not allocatable %s", msg)
-			}
-		}
-	})
-
-	ginkgo.AfterEach(func(ctx context.Context) {
-		deletePodsAsync(ctx, f, podMap)
-	})
-
-	ginkgo.When("running non-guaranteed pods tests", ginkgo.Label("non-guaranteed", "reserved-cpus"), func() {
-		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: cpuset.CPUSet{},
-			}))
-
-			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "100m",
-					cpuLimit:   "200m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs))
-		})
-
-		ginkgo.It("should let the container access all the online CPUs when using a reserved CPUs set", func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "100m",
-					cpuLimit:   "200m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs))
-		})
-
-		ginkgo.It("should let the container access all the online non-exclusively-allocated CPUs when using a reserved CPUs set", ginkgo.Label("guaranteed", "exclusive-cpus"), func(ctx context.Context) {
-			cpuCount := 1
-			reservedCPUs = cpuset.New(0)
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			podGu := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the guaranteed test pod")
-			podGu = e2epod.NewPodClient(f).CreateSync(ctx, podGu)
-			podMap[string(podGu.UID)] = podGu
-
-			podBu := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "200m",
-					cpuLimit:   "300m",
-				},
-			})
-			ginkgo.By("creating the burstable test pod")
-			podBu = e2epod.NewPodClient(f).CreateSync(ctx, podBu)
-			podMap[string(podBu.UID)] = podBu
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(podGu).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(podGu).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(podGu).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-
-			exclusiveCPUs, err := getContainerAllowedCPUs(podGu, "gu-container", false)
-			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", podGu.Namespace, podGu.Name)
-			expectedSharedCPUs := onlineCPUs.Difference(exclusiveCPUs)
-			gomega.Expect(podBu).To(HaveContainerCPUsEqualTo("non-gu-container", expectedSharedCPUs))
-		})
-	})
-
-	ginkgo.When("running guaranteed pod tests", ginkgo.Label("guaranteed", "exclusive-cpus"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-		})
-
-		ginkgo.It("should allocate exclusively a CPU to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 1
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-		})
-
-		// we don't use a separate group (gingo.When) with BeforeEach to factor out the tests because each
-		// test need to check for the amount of CPUs it needs.
-
-		ginkgo.It("should allocate exclusively a even number of CPUs to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 2
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container"))
-		})
-
-		ginkgo.It("should allocate exclusively a odd number of CPUs to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 3
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			toleration := 1
-			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container", toleration))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
-			cpuCount := 3 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "1000m",
-					cpuLimit:   "1000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (3+2)", func(ctx context.Context) {
-			cpuCount := 5 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "3000m",
-					cpuLimit:   "3000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 3))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			toleration := 1
-			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container-1", toleration))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (4+2)", func(ctx context.Context) {
-			cpuCount := 6 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "4000m",
-					cpuLimit:   "4000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 4))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively a CPU to multiple 1-container pods", func(ctx context.Context) {
-			cpuCount := 4 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod1 := makeCPUManagerPod("gu-pod-1", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod 1")
-			pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
-			podMap[string(pod1.UID)] = pod1
-
-			pod2 := makeCPUManagerPod("gu-pod-2", []ctnAttribute{
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod 2")
-			pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
-			podMap[string(pod2.UID)] = pod2
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod1).To(HaveContainerCPUsCount("gu-container-1", 2))
-			gomega.Expect(pod1).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod1).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			gomega.Expect(pod1).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
-
-			gomega.Expect(pod2).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod2).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod2).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod2).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-	})
-
-	ginkgo.When("running guaranteed pod tests with feature gates disabled", ginkgo.Label("guaranteed", "exclusive-cpus", "feature-gate-disabled"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-		})
-
-		ginkgo.It("should allocate exclusively a CPU to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 1
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-		})
-
-		// we don't use a separate group (gingo.When) with BeforeEach to factor out the tests because each
-		// test need to check for the amount of CPUs it needs.
-
-		ginkgo.It("should allocate exclusively a even number of CPUs to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 2
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container"))
-		})
-
-		ginkgo.It("should allocate exclusively a odd number of CPUs to a 1-container pod", func(ctx context.Context) {
-			cpuCount := 3
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
-					cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			toleration := 1
-			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container", toleration))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
-			cpuCount := 3 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "1000m",
-					cpuLimit:   "1000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (3+2)", func(ctx context.Context) {
-			cpuCount := 5 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "3000m",
-					cpuLimit:   "3000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 3))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			toleration := 1
-			gomega.Expect(pod).To(HaveContainerCPUsQuasiThreadSiblings("gu-container-1", toleration))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (4+2)", func(ctx context.Context) {
-			cpuCount := 6 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "4000m",
-					cpuLimit:   "4000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 4))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-
-		ginkgo.It("should allocate exclusively a CPU to multiple 1-container pods", func(ctx context.Context) {
-			cpuCount := 4 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: false,
-			}))
-
-			pod1 := makeCPUManagerPod("gu-pod-1", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod 1")
-			pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
-			podMap[string(pod1.UID)] = pod1
-
-			pod2 := makeCPUManagerPod("gu-pod-2", []ctnAttribute{
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod 2")
-			pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
-			podMap[string(pod2.UID)] = pod2
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod1).To(HaveContainerCPUsCount("gu-container-1", 2))
-			gomega.Expect(pod1).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod1).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-			gomega.Expect(pod1).To(HaveContainerCPUsThreadSiblings("gu-container-1"))
-
-			gomega.Expect(pod2).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod2).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod2).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			gomega.Expect(pod2).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-	})
-
-	ginkgo.When("running with strict CPU reservation", ginkgo.Label("strict-cpu-reservation"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-		})
-
-		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      cpuset.CPUSet{},
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.StrictCPUReservationOption: "true",
-				},
-			}))
-
-			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "100m",
-					cpuLimit:   "200m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// cpumanager will always reserve at least 1 cpu. In this case we don't set which, and if we treat the cpumanager
-			// as black box (which we very much should) we can't predict which one. So we can only assert that *A* cpu is not
-			// usable because is reserved.
-			gomega.Expect(pod).To(HaveContainerCPUsCount("non-gu-container", onlineCPUs.Size()-1))
-		})
-
-		ginkgo.It("should let the container access all the online CPUs minus the reserved CPUs set when enabled", func(ctx context.Context) {
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.StrictCPUReservationOption: "true",
-				},
-			}))
-
-			pod := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "100m",
-					cpuLimit:   "200m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("non-gu-container", onlineCPUs.Difference(reservedCPUs)))
-		})
-
-		ginkgo.It("should let the container access all the online non-exclusively-allocated CPUs minus the reserved CPUs set when enabled", func(ctx context.Context) {
-			cpuCount := 1
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.StrictCPUReservationOption: "true",
-				},
-			}))
-
-			cpuReq := fmt.Sprintf("%dm", 1000*cpuCount)
-
-			podGu := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: cpuReq,
-					cpuLimit:   cpuReq,
-				},
-			})
-			ginkgo.By("creating the guaranteed test pod")
-			podGu = e2epod.NewPodClient(f).CreateSync(ctx, podGu)
-			podMap[string(podGu.UID)] = podGu
-
-			podBu := makeCPUManagerPod("non-gu-pod", []ctnAttribute{
-				{
-					ctnName:    "non-gu-container",
-					cpuRequest: "200m",
-					cpuLimit:   "300m",
-				},
-			})
-			ginkgo.By("creating the burstable test pod")
-			podBu = e2epod.NewPodClient(f).CreateSync(ctx, podBu)
-			podMap[string(podBu.UID)] = podBu
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			usableCPUs := onlineCPUs.Difference(reservedCPUs)
-
-			// any full CPU is fine - we cannot nor we should predict which one, though
-			gomega.Expect(podGu).To(HaveContainerCPUsCount("gu-container", cpuCount))
-			gomega.Expect(podGu).To(HaveContainerCPUsASubsetOf("gu-container", usableCPUs))
-			gomega.Expect(podGu).ToNot(HaveContainerCPUsOverlapWith("gu-container", reservedCPUs))
-
-			exclusiveCPUs, err := getContainerAllowedCPUs(podGu, "gu-container", false)
-			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", podGu.Namespace, podGu.Name)
-			expectedSharedCPUs := usableCPUs.Difference(exclusiveCPUs)
-			gomega.Expect(podBu).To(HaveContainerCPUsEqualTo("non-gu-container", expectedSharedCPUs))
-		})
-	})
-
-	ginkgo.When("running with SMT Alignment", ginkgo.Label("smt-alignment"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			// strict SMT alignment is trivially verified and granted on non-SMT systems
-			if smtLevel < minSMTLevel {
-				e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
-			}
-
-			reservedCPUs = cpuset.New(0)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs,
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.FullPCPUsOnlyOption: "true",
-				},
-			}))
-		})
-
-		ginkgo.It("should reject workload asking non-SMT-multiple of cpus", func(ctx context.Context) {
-			cpuCount := 1
-			cpuReq := fmt.Sprintf("%dm", 1000*cpuCount)
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ginkgo.By("creating the testing pod")
-			// negative test: try to run a container whose requests aren't a multiple of SMT level, expect a rejection
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-neg",
-					cpuRequest: cpuReq,
-					cpuLimit:   cpuReq,
-				},
-			})
-			ginkgo.By("creating the test pod")
-			// CreateSync would wait for pod to become Ready - which will never happen if production code works as intended!
-			pod = e2epod.NewPodClient(f).Create(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("ensuring the testing pod is in failed state")
-			err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "Failed", 30*time.Second, func(pod *v1.Pod) (bool, error) {
-				if pod.Status.Phase != v1.PodPending {
-					return true, nil
-				}
-				return false, nil
-			})
-			framework.ExpectNoError(err)
-
-			ginkgo.By("ensuring the testing pod is failed for the expected reason")
-			pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
-			framework.ExpectNoError(err)
-			gomega.Expect(pod).To(BeAPodInPhase(v1.PodFailed))
-			gomega.Expect(pod).To(HaveStatusReasonMatchingRegex(`SMT.*Alignment.*Error`))
-		})
-
-		ginkgo.It("should admit workload asking SMT-multiple of cpus", func(ctx context.Context) {
-			// positive test: try to run a container whose requests are a multiple of SMT level, check allocated cores
-			// 1. are core siblings
-			// 2. take a full core
-			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
-			//          this means on more-than-2-way SMT systems this test will prove nothing
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
-
-			cpuRequest := fmt.Sprintf("%d000m", smtLevel)
-			ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-pos",
-					cpuRequest: cpuRequest,
-					cpuLimit:   cpuRequest,
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("validating each container in the testing pod")
-			for _, cnt := range pod.Spec.Containers {
-				ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-				gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-				gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
-			}
-		})
-	})
-
-	ginkgo.When("running with Uncore Cache Alignment", ginkgo.Label("prefer-align-cpus-by-uncore-cache"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-
-			reservedCPUs := cpuset.New(0)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs,
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.PreferAlignByUnCoreCacheOption: "true",
-				},
-			}))
-		})
-
-		ginkgo.It("should admit container asking odd integer amount of cpus", func(ctx context.Context) {
-			// assume uncore caches's worth of cpus will always be an even integer value
-			// smallest odd integer cpu request can be 1 cpu
-			// for meaningful test, minimum allocatable cpu requirement should be:
-			// minCPUCapacity + reservedCPUs.Size() + 1 CPU allocated
-			cpuCount := minCPUCapacity + reservedCPUs.Size() + 1
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			// check if the node processor architecture has split or monolithic uncore cache.
-			// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
-			// with no change to default static behavior
-			allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
-			hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
-
-			if hasSplitUncore {
-				// create a container that requires one less cpu than a full uncore cache's worth of cpus
-				// assume total shared CPUs of a single uncore cache will always be an even integer
-				cpuRequest := fmt.Sprintf("%d000m", (uncoreGroupSize - 1))
-				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
-				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-					{
-						ctnName:    "gu-container-pos",
-						cpuRequest: cpuRequest,
-						cpuLimit:   cpuRequest,
-					},
-				})
-				ginkgo.By("creating the test pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				ginkgo.By("validating each container in the testing pod")
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
-				}
-			} else {
-				// for node with monolithic uncore cache processor
-				// uncoreGroupSize will be socket's worth of CPUs
-				// subtract (minCPUCapacity + 1) CPU resource constraint
-				cpuRequest := fmt.Sprintf("%d000m", (uncoreGroupSize - (minCPUCapacity + 1)))
-				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
-				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-					{
-						ctnName:    "gu-container-pos",
-						cpuRequest: cpuRequest,
-						cpuLimit:   cpuRequest,
-					},
-				})
-				ginkgo.By("creating the test pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				ginkgo.By("validating each container in the testing pod")
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
-				}
-			}
-		})
-	})
-
-	ginkgo.When("running with Uncore Cache Alignment disabled", ginkgo.Label("prefer-align-cpus-by-uncore-cache"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-
-			reservedCPUs := cpuset.New(0)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs,
-				enableCPUManagerOptions: true,
-				options: map[string]string{
-					cpumanager.PreferAlignByUnCoreCacheOption: "false",
-				},
-			}))
-		})
-
-		ginkgo.It("should allocate exclusively CPUs to a multi-container pod (1+2)", func(ctx context.Context) {
-			cpuCount := 3 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-				{
-					ctnName:    "gu-container-1",
-					cpuRequest: "1000m",
-					cpuLimit:   "1000m",
-				},
-				{
-					ctnName:    "gu-container-2",
-					cpuRequest: "2000m",
-					cpuLimit:   "2000m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-
-			// we cannot nor we should predict which CPUs the container gets
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-1", 1))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-1", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-1", reservedCPUs))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-2", 2))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-2", onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-2", reservedCPUs))
-			// TODO: this is probably too strict but it is the closest of the old test did
-			gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings("gu-container-2"))
-		})
-	})
-
-	ginkgo.When("checking the compatibility between options", func() {
-		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
-		ginkgo.Context("SMT Alignment and strict CPU reservation", ginkgo.Label("smt-alignment", "strict-cpu-reservation"), func() {
-			ginkgo.BeforeEach(func(ctx context.Context) {
-				// strict SMT alignment is trivially verified and granted on non-SMT systems
-				if smtLevel < minSMTLevel {
-					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
-				}
-				reservedCPUs = cpuset.New(0)
-			})
-
-			ginkgo.It("should reject workload asking non-SMT-multiple of cpus", func(ctx context.Context) {
-				cpuCount := 1
-
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount+1) // note the extra for the non-gu pod)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:        "true",
-						cpumanager.StrictCPUReservationOption: "true",
-					},
-				}))
-
-				// negative test: try to run a container whose requests aren't a multiple of SMT level, expect a rejection
-				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-					{
-						ctnName:    "gu-container-neg",
-						cpuRequest: "1000m",
-						cpuLimit:   "1000m",
-					},
-				})
-				ginkgo.By("creating the testing pod")
-				// CreateSync would wait for pod to become Ready - which will never happen if production code works as intended!
-				pod = e2epod.NewPodClient(f).Create(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				ginkgo.By("ensuring the testing pod is in failed state")
-				err := e2epod.WaitForPodCondition(ctx, f.ClientSet, f.Namespace.Name, pod.Name, "Failed", 30*time.Second, func(pod *v1.Pod) (bool, error) {
-					if pod.Status.Phase != v1.PodPending {
-						return true, nil
-					}
-					return false, nil
-				})
-				framework.ExpectNoError(err)
-
-				ginkgo.By("ensuring the testing pod is failed for the expected reason")
-				pod, err = e2epod.NewPodClient(f).Get(ctx, pod.Name, metav1.GetOptions{})
-				framework.ExpectNoError(err)
-				gomega.Expect(pod).To(BeAPodInPhase(v1.PodFailed))
-				gomega.Expect(pod).To(HaveStatusReasonMatchingRegex(`SMT.*Alignment.*Error`))
-			})
-
-			ginkgo.It("should admit workload asking SMT-multiple of cpus", func(ctx context.Context) {
-				// positive test: try to run a container whose requests are a multiple of SMT level, check allocated cores
-				// 1. are core siblings
-				// 2. take a full core
-				// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
-				//          this means on more-than-2-way SMT systems this test will prove nothing
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:        "true",
-						cpumanager.StrictCPUReservationOption: "true",
-					},
-				}))
-
-				cpuCount := smtLevel
-				cpuRequest := fmt.Sprintf("%d000m", smtLevel)
-				ginkgo.By(fmt.Sprintf("creating the testing pod cpuRequest=%v", cpuRequest))
-				pod := makeCPUManagerPod("gu-pod", []ctnAttribute{
-					{
-						ctnName:    "gu-container-x",
-						cpuRequest: cpuRequest,
-						cpuLimit:   cpuRequest,
-					},
-				})
-				ginkgo.By("creating the testing pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				usableCPUs := onlineCPUs.Difference(reservedCPUs)
-
-				gomega.Expect(pod).To(HaveContainerCPUsCount("gu-container-x", cpuCount))
-				gomega.Expect(pod).To(HaveContainerCPUsASubsetOf("gu-container-x", usableCPUs))
-				gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("gu-container-x", reservedCPUs))
-
-				ginkgo.By("validating each container in the testing pod")
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
-				}
-			})
-		})
-
-		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
-		ginkgo.Context("SMT Alignment and Uncore Cache Alignment", ginkgo.Label("smt-alignment", "prefer-align-cpus-by-uncore-cache"), func() {
-			ginkgo.BeforeEach(func(ctx context.Context) {
-				// strict SMT alignment is trivially verified and granted on non-SMT systems
-				if smtLevel < minSMTLevel {
-					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
-				}
-				reservedCPUs = cpuset.New(0)
-			})
-
-			ginkgo.It("should assign packed CPUs with prefer-align-cpus-by-uncore-cache disabled and pcpu-only policy options enabled", func(ctx context.Context) {
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:            "true",
-						cpumanager.PreferAlignByUnCoreCacheOption: "false",
-					},
-				}))
-
-				ctnAttrs := []ctnAttribute{
-					{
-						ctnName:    "test-gu-container-uncore-cache-alignment-disabled",
-						cpuRequest: "2000m",
-						cpuLimit:   "2000m",
-					},
-				}
-				pod := makeCPUManagerPod("test-pod-uncore-cache-alignment-disabled", ctnAttrs)
-				ginkgo.By("creating the test pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				ginkgo.By("validating each container in the testing pod")
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
-				}
-			})
-
-			ginkgo.It("should assign CPUs aligned to uncore caches with prefer-align-cpus-by-uncore-cache and pcpu-only policy options enabled", func(ctx context.Context) {
-
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:            "true",
-						cpumanager.PreferAlignByUnCoreCacheOption: "true",
-					},
-				}))
-
-				// check if the node processor architecture has split or monolithic uncore cache.
-				// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
-				// with no change to default static behavior
-				allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
-				hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
-
-				if hasSplitUncore {
-					// for node with split uncore cache processor
-					// create a pod that requires a full uncore cache worth of CPUs
-					ctnAttrs := []ctnAttribute{
-						{
-							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-split-uncore",
-							cpuRequest: fmt.Sprintf("%d", uncoreGroupSize),
-							cpuLimit:   fmt.Sprintf("%d", uncoreGroupSize),
-						},
-					}
-					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
-					ginkgo.By("creating the test pod")
-					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-					podMap[string(pod.UID)] = pod
-
-					// 'prefer-align-cpus-by-uncore-cache' policy options will attempt at best-effort to allocate cpus
-					// so that distribution across uncore caches is minimized. Since the test container is requesting a full
-					// uncore cache worth of cpus and CPU0 is part of the reserved CPUset and not allocatable, the policy will attempt
-					// to allocate cpus from the next available uncore cache
-
-					for _, cnt := range pod.Spec.Containers {
-						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-						cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
-						framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
-
-						siblingsCPUs := makeThreadSiblingCPUSet(cpus)
-						gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
-
-						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
-						gomega.Expect(pod).ToNot(HaveContainerCPUsShareUncoreCacheWith(cnt.Name, reservedCPUs))
-					}
-				} else {
-					// for node with monolithic uncore cache processor
-					// expect default static behavior with pcpu-only policy enabled
-					// and prefer-align-cpus-by-uncore-cache enabled
-					ctnAttrs := []ctnAttribute{
-						{
-							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore",
-							cpuRequest: "2000m",
-							cpuLimit:   "2000m",
-						},
-					}
-					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
-					ginkgo.By("creating the test pod")
-					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-					podMap[string(pod.UID)] = pod
-
-					ginkgo.By("validating each container in the testing pod")
-					for _, cnt := range pod.Spec.Containers {
-						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-						gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
-					}
-				}
-			})
-		})
-
-		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
-		ginkgo.Context("Strict CPU Reservation and Uncore Cache Alignment", ginkgo.Label("strict-cpu-reservation", "prefer-align-cpus-by-uncore-cache"), func() {
-			ginkgo.BeforeEach(func(ctx context.Context) {
-				reservedCPUs = cpuset.New(0)
-			})
-
-			ginkgo.It("should assign CPUs aligned to uncore caches with prefer-align-cpus-by-uncore-cache and avoid reserved cpus", func(ctx context.Context) {
-				// assume uncore caches's worth of cpus will always be an even integer value
-				// smallest integer cpu request can be 1 cpu
-				// for meaningful test, minimum allocatable cpu requirement should be:
-				// minCPUCapacity + reservedCPUs.Size() + 1 CPU allocated
-				cpuCount := minCPUCapacity + reservedCPUs.Size() + 1
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.StrictCPUReservationOption:     "true",
-						cpumanager.PreferAlignByUnCoreCacheOption: "true",
-					},
-				}))
-
-				// check if the node processor architecture has split or monolithic uncore cache.
-				// prefer-align-cpus-by-uncore-cache can be enabled on non-split uncore cache processors
-				// with no change to default static behavior
-				allocatableCPUs := cpuDetailsFromNode(getLocalNode(ctx, f)).Allocatable
-				hasSplitUncore := (allocatableCPUs > int64(uncoreGroupSize))
-
-				if hasSplitUncore {
-					// for node with split uncore cache processor
-					// create a pod that requires a full uncore cache worth of CPUs
-					ctnAttrs := []ctnAttribute{
-						{
-							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-split-uncore",
-							cpuRequest: fmt.Sprintf("%d", uncoreGroupSize),
-							cpuLimit:   fmt.Sprintf("%d", uncoreGroupSize),
-						},
-					}
-					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
-					ginkgo.By("creating the test pod")
-					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-					podMap[string(pod.UID)] = pod
-
-					// 'prefer-align-cpus-by-uncore-cache' policy options will attempt at best-effort to allocate cpus
-					// so that distribution across uncore caches is minimized. Since the test container is requesting a full
-					// uncore cache worth of cpus and CPU0 is part of the reserved CPUset and not allocatable, the policy will attempt
-					// to allocate cpus from the next available uncore cache
-
-					for _, cnt := range pod.Spec.Containers {
-						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-						gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-						cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
-						framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
-
-						siblingsCPUs := makeThreadSiblingCPUSet(cpus)
-						gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
-
-						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
-						gomega.Expect(pod).ToNot(HaveContainerCPUsShareUncoreCacheWith(cnt.Name, reservedCPUs))
-					}
-				} else {
-					// for node with monolithic uncore cache processor
-					// expect default static packed behavior
-					// when prefer-align-cpus-by-uncore-cache enabled
-					ctnAttrs := []ctnAttribute{
-						{
-							ctnName:    "test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore",
-							cpuRequest: "1000m",
-							cpuLimit:   "1000m",
-						},
-					}
-					pod := makeCPUManagerPod("test-pod-align-cpus-by-uncore-cache", ctnAttrs)
-					ginkgo.By("creating the test pod")
-					pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-					podMap[string(pod.UID)] = pod
-
-					ginkgo.By("validating each container in the testing pod")
-					for _, cnt := range pod.Spec.Containers {
-						ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-						// expect allocated CPUs to be on the same uncore cache
-						gomega.Expect(pod).To(HaveContainerCPUsWithSameUncoreCacheID(cnt.Name))
-						gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith("test-gu-container-align-cpus-by-uncore-cache-on-mono-uncore", reservedCPUs))
-					}
-				}
-			})
-		})
-
-		// please avoid nesting `BeforeEach` as much as possible. Ideally avoid completely.
-		ginkgo.Context("SMT Alignment and distribution across NUMA", ginkgo.Label("smt-alignment", "distribute-cpus-across-numa"), func() {
-			ginkgo.BeforeEach(func(ctx context.Context) {
-				// strict SMT alignment is trivially verified and granted on non-SMT systems
-				if smtLevel < minSMTLevel {
-					e2eskipper.Skipf("Skipping CPU Manager %q tests since SMT disabled", cpumanager.FullPCPUsOnlyOption)
-				}
-				reservedCPUs = cpuset.New(0)
-			})
-
-			ginkgo.It("should assign packed CPUs with distribute-cpus-across-numa disabled and pcpu-only policy options enabled", func(ctx context.Context) {
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), smtLevel)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:            "true",
-						cpumanager.DistributeCPUsAcrossNUMAOption: "false",
-					},
-				}))
-
-				ctnAttrs := []ctnAttribute{
-					{
-						ctnName:    "test-gu-container-distribute-cpus-across-numa-disabled",
-						cpuRequest: "2000m",
-						cpuLimit:   "2000m",
-					},
-				}
-				pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa-disabled", ctnAttrs)
-				ginkgo.By("creating the test pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				ginkgo.By("validating each container in the testing pod")
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-					gomega.Expect(pod).To(HaveContainerCPUsThreadSiblings(cnt.Name))
-				}
-			})
-
-			ginkgo.It("should assign CPUs distributed across NUMA with distribute-cpus-across-numa and pcpu-only policy options enabled", func(ctx context.Context) {
-				reservedCPUs = cpuset.New(0)
-
-				// this test is intended to be run on a multi-node NUMA system and
-				// a system with at least 4 cores per socket, hostcheck skips test
-				// if above requirements are not satisfied
-				numaNodeNum, _, _, cpusNumPerNUMA := hostCheck()
-				cpuReq := (cpusNumPerNUMA - smtLevel) * numaNodeNum
-
-				skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuReq)
-
-				updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-					policyName:              string(cpumanager.PolicyStatic),
-					reservedSystemCPUs:      reservedCPUs,
-					enableCPUManagerOptions: true,
-					options: map[string]string{
-						cpumanager.FullPCPUsOnlyOption:            "true",
-						cpumanager.DistributeCPUsAcrossNUMAOption: "true",
-					},
-				}))
-
-				// 'distribute-cpus-across-numa' policy option ensures that CPU allocations are evenly distributed
-				//  across NUMA nodes in cases where more than one NUMA node is required to satisfy the allocation.
-				// So, we want to ensure that the CPU Request exceeds the number of CPUs that can fit within a single
-				// NUMA node. We have to pick cpuRequest such that:
-				// 1. CPURequest > cpusNumPerNUMA
-				// 2. Not occupy all the CPUs on the node ande leave room for reserved CPU
-				// 3. CPURequest is a multiple if number of NUMA nodes to allow equal CPU distribution across NUMA nodes
-				//
-				// In summary: cpusNumPerNUMA < CPURequest < ((cpusNumPerNuma * numaNodeNum) - reservedCPUscount)
-				// Considering all these constraints we select: CPURequest= (cpusNumPerNUMA-smtLevel)*numaNodeNum
-
-				ctnAttrs := []ctnAttribute{
-					{
-						ctnName:    "test-gu-container-distribute-cpus-across-numa",
-						cpuRequest: fmt.Sprintf("%d", cpuReq),
-						cpuLimit:   fmt.Sprintf("%d", cpuReq),
-					},
-				}
-				pod := makeCPUManagerPod("test-pod-distribute-cpus-across-numa", ctnAttrs)
-				ginkgo.By("creating the test pod")
-				pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-				podMap[string(pod.UID)] = pod
-
-				for _, cnt := range pod.Spec.Containers {
-					ginkgo.By(fmt.Sprintf("validating the container %s on pod %s", cnt.Name, pod.Name))
-
-					gomega.Expect(pod).To(HaveContainerCPUsAlignedTo(cnt.Name, smtLevel))
-					cpus, err := getContainerAllowedCPUs(pod, cnt.Name, false)
-					framework.ExpectNoError(err, "cannot get cpus allocated to pod %s/%s cnt %s", pod.Namespace, pod.Name, cnt.Name)
-
-					siblingsCPUs := makeThreadSiblingCPUSet(cpus)
-					gomega.Expect(pod).To(HaveContainerCPUsEqualTo(cnt.Name, siblingsCPUs))
-
-					// We expect a perfectly even spilit i.e. equal distribution across NUMA Node as the CPU Request is 4*smtLevel*numaNodeNum.
-					expectedSpread := cpus.Size() / numaNodeNum
-					gomega.Expect(cpus).To(BeDistributedCPUs(expectedSpread))
-				}
-			})
-		})
-	})
-
-	ginkgo.When("checking the CFS quota management", ginkgo.Label("cfs-quota"), func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			requireCGroupV2()
-			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
-			//          this means on more-than-2-way SMT systems this test will prove nothing
-			reservedCPUs = cpuset.New(0)
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:                       string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:               reservedCPUs,
-				disableCPUQuotaWithExclusiveCPUs: true,
-			}))
-		})
-
-		ginkgo.It("should enforce for best-effort pod", func(ctx context.Context) {
-			ctnName := "be-container"
-			pod := makeCPUManagerBEPod("be-pod", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					ctnCommand: "sleep 1d",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("max"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
-		})
-
-		ginkgo.It("should disable for guaranteed pod with exclusive CPUs assigned", func(ctx context.Context) {
-			cpuCount := 1
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-disabled"
-			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("max"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
-		})
-
-		ginkgo.It("should disable for guaranteed pod with exclusive CPUs assigned", func(ctx context.Context) {
-			cpuCount := 4
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-disabled"
-			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "3",
-					cpuLimit:   "3",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("max"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "max"))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount(ctnName, 3))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(ctnName, onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(ctnName, reservedCPUs))
-		})
-
-		ginkgo.It("should enforce for guaranteed pod", func(ctx context.Context) {
-			cpuCount := 1 // overshoot, minimum request is 1
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-enabled"
-			pod := makeCPUManagerPod("gu-pod-cfs-quota-on", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "500m",
-					cpuLimit:   "500m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
-		})
-
-		ginkgo.It("should enforce for burstable pod", func(ctx context.Context) {
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), 0)
-
-			ctnName := "bu-container-cfsquota-enabled"
-			pod := makeCPUManagerPod("bu-pod-cfs-quota-on", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "100m",
-					cpuLimit:   "500m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
-		})
-
-		ginkgo.It("should not enforce with multiple containers without exclusive CPUs", func(ctx context.Context) {
-			cpuCount := 2
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			pod := makeCPUManagerPod("gu-pod-multicontainer", []ctnAttribute{
-				{
-					ctnName:    "gu-container-non-int-values-1",
-					cpuRequest: "100m",
-					cpuLimit:   "500m",
-				},
-				{
-					ctnName:    "gu-container-non-int-values-2",
-					cpuRequest: "300m",
-					cpuLimit:   "1200m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("170000"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values-1", "50000"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values-2", "120000"))
-		})
-
-		ginkgo.It("should not enforce with multiple containers only in the container with exclusive CPUs", func(ctx context.Context) {
-			cpuCount := 2
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			pod := makeCPUManagerPod("gu-pod-multicontainer-mixed", []ctnAttribute{
-				{
-					ctnName:    "gu-container-non-int-values",
-					cpuRequest: "500m",
-					cpuLimit:   "500m",
-				},
-				{
-					ctnName:    "gu-container-int-values",
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("max"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values", "50000"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-int-values", "max"))
-		})
-	})
-
-	ginkgo.When("checking the CFS quota management can be disabled", ginkgo.Label("cfs-quota"), func() {
-		// NOTE: these tests check only cases on which the quota is set to "max", so we intentionally
-		// don't duplicate the all the tests
-
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			requireCGroupV2()
-			// WARNING: this assumes 2-way SMT systems - we don't know how to access other SMT levels.
-			//          this means on more-than-2-way SMT systems this test will prove nothing
-			reservedCPUs = cpuset.New(0)
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:                       string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:               reservedCPUs,
-				disableCPUQuotaWithExclusiveCPUs: false,
-			}))
-		})
-
-		ginkgo.It("should enforce for a guaranteed pod with exclusive CPUs assigned", func(ctx context.Context) {
-			cpuCount := 1
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-disabled"
-			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("100000"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "100000"))
-		})
-
-		ginkgo.It("should enforce for a guaranteed pod with multiple exclusive CPUs assigned", func(ctx context.Context) {
-			cpuCount := 4
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-disabled"
-			pod := makeCPUManagerPod("gu-pod-cfsquota-off", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "3",
-					cpuLimit:   "3",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("300000"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "300000"))
-
-			gomega.Expect(pod).To(HaveContainerCPUsCount(ctnName, 3))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(ctnName, onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(ctnName, reservedCPUs))
-		})
-
-		ginkgo.It("should enforce for guaranteed pod not requiring exclusive CPUs", func(ctx context.Context) {
-			cpuCount := 1 // overshoot, minimum request is 1
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			ctnName := "gu-container-cfsquota-enabled"
-			pod := makeCPUManagerPod("gu-pod-cfs-quota-on", []ctnAttribute{
-				{
-					ctnName:    ctnName,
-					cpuRequest: "500m",
-					cpuLimit:   "500m",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("50000"))
-			gomega.Expect(pod).To(HaveContainerQuota(ctnName, "50000"))
-		})
-
-		ginkgo.It("should enforce with multiple containers regardless if they require exclusive CPUs or not", func(ctx context.Context) {
-			cpuCount := 2
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			pod := makeCPUManagerPod("gu-pod-multicontainer-mixed", []ctnAttribute{
-				{
-					ctnName:    "gu-container-non-int-values",
-					cpuRequest: "500m",
-					cpuLimit:   "500m",
-				},
-				{
-					ctnName:    "gu-container-int-values",
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			gomega.Expect(pod).To(HaveSandboxQuota("150000"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-non-int-values", "50000"))
-			gomega.Expect(pod).To(HaveContainerQuota("gu-container-int-values", "100000"))
-		})
-	})
-
-	f.Context("When checking the sidecar containers", feature.SidecarContainers, func() {
-		ginkgo.BeforeEach(func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-		})
-
-		ginkgo.It("should reuse init container exclusive CPUs, but not sidecar container exclusive CPUS", func(ctx context.Context) {
-			cpuCount := 2 // total
-
-			skipIfAllocatableCPUsLessThan(getLocalNode(ctx, f), cpuCount)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:         string(cpumanager.PolicyStatic),
-				reservedSystemCPUs: reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-			}))
-
-			var containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways
-
-			ctrAttrs := []ctnAttribute{
-				{
-					ctnName:    "init-container1",
-					cpuRequest: "1000m",
-					cpuLimit:   "1000m",
-				},
-				{
-					ctnName:       "sidecar-container",
-					cpuRequest:    "1000m",
-					cpuLimit:      "1000m",
-					restartPolicy: &containerRestartPolicyAlways,
-				},
-			}
-			pod := makeCPUManagerInitContainersPod("gu-pod", ctrAttrs)
-			ginkgo.By("running a Gu pod with a regular init container and a restartable init container")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			// when we get there the real initcontainer terminated, so we can only check its logs
-			ginkgo.By("checking if the expected cpuset was assigned")
-			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, pod.Namespace, pod.Name, pod.Spec.InitContainers[0].Name)
-			framework.ExpectNoError(err, "expected log not found in init container [%s] of pod [%s]", pod.Spec.InitContainers[0].Name, pod.Name)
-
-			reusableCPUs := getContainerAllowedCPUsFromLogs(pod.Name, pod.Spec.InitContainers[0].Name, logs)
-			gomega.Expect(reusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", reusableCPUs.String())
-
-			nonReusableCPUs, err := getContainerAllowedCPUs(pod, pod.Spec.InitContainers[1].Name, true)
-			framework.ExpectNoError(err, "cannot get exclusive CPUs for pod %s/%s", pod.Namespace, pod.Name)
-
-			gomega.Expect(nonReusableCPUs.Size()).To(gomega.Equal(1), "expected cpu set size == 1, got %q", nonReusableCPUs.String())
-			gomega.Expect(reusableCPUs.Equals(nonReusableCPUs)).To(gomega.BeTrueBecause("expected reusable cpuset [%s] to be equal to non-reusable cpuset [%s]", reusableCPUs.String(), nonReusableCPUs.String()))
-
-			appContainerName := pod.Spec.Containers[0].Name
-			gomega.Expect(pod).To(HaveContainerCPUsCount(appContainerName, 1))
-			gomega.Expect(pod).To(HaveContainerCPUsASubsetOf(appContainerName, onlineCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(appContainerName, reservedCPUs))
-			gomega.Expect(pod).ToNot(HaveContainerCPUsOverlapWith(appContainerName, nonReusableCPUs))
-		})
-	})
-})
-
-var _ = SIGDescribe("CPU Manager Incompatibility Pod Level Resources", ginkgo.Ordered, ginkgo.ContinueOnFailure, framework.WithSerial(), feature.CPUManager, feature.PodLevelResources, framework.WithFeatureGate(features.PodLevelResources), func() {
-	f := framework.NewDefaultFramework("cpu-manager-incompatibility-pod-level-resources-test")
-	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-
-	// original kubeletconfig before the context start, to be restored
-	var oldCfg *kubeletconfig.KubeletConfiguration
-	var reservedCPUs cpuset.CPUSet
-	var onlineCPUs cpuset.CPUSet
-	var smtLevel int
-	var uncoreGroupSize int
-	// tracks all the pods created by a It() block. Best would be a namespace per It block
-	var podMap map[string]*v1.Pod
-
-	ginkgo.BeforeAll(func(ctx context.Context) {
-		var err error
-		oldCfg, err = getCurrentKubeletConfig(ctx)
-		framework.ExpectNoError(err)
-
-		onlineCPUs, err = getOnlineCPUs() // this should not change at all, at least during this suite lifetime
-		framework.ExpectNoError(err)
-		framework.Logf("Online CPUs: %s", onlineCPUs)
-
-		smtLevel = smtLevelFromSysFS() // this should not change at all, at least during this suite lifetime
-		framework.Logf("SMT level: %d", smtLevel)
-
-		uncoreGroupSize = getUncoreCPUGroupSize()
-		framework.Logf("Uncore Group Size: %d", uncoreGroupSize)
-
-		e2enodeCgroupV2Enabled = IsCgroup2UnifiedMode()
-		framework.Logf("cgroup V2 enabled: %v", e2enodeCgroupV2Enabled)
-
-		e2enodeCgroupDriver = oldCfg.CgroupDriver
-		framework.Logf("cgroup driver: %s", e2enodeCgroupDriver)
-
-		runtime, _, err := getCRIClient()
-		framework.ExpectNoError(err, "Failed to get CRI client")
-
-		version, err := runtime.Version(context.Background(), "")
-		framework.ExpectNoError(err, "Failed to get runtime version")
-
-		e2enodeRuntimeName = version.GetRuntimeName()
-		framework.Logf("runtime: %s", e2enodeRuntimeName)
-	})
-
-	ginkgo.AfterAll(func(ctx context.Context) {
-		updateKubeletConfig(ctx, f, oldCfg, true)
-	})
-
-	ginkgo.BeforeEach(func(ctx context.Context) {
-		// note intentionally NOT set reservedCPUs -  this must be initialized on a test-by-test basis
-		podMap = make(map[string]*v1.Pod)
-	})
-
-	ginkgo.JustBeforeEach(func(ctx context.Context) {
-		if !e2enodeCgroupV2Enabled {
-			e2eskipper.Skipf("Skipping since CgroupV2 not used")
-		}
-	})
-
-	ginkgo.AfterEach(func(ctx context.Context) {
-		deletePodsAsync(ctx, f, podMap)
-	})
-
-	ginkgo.When("running guaranteed pod level resources tests", ginkgo.Label("guaranteed pod level resources", "reserved-cpus"), func() {
-		ginkgo.It("should let the container access all the online CPUs without a reserved CPUs set", func(ctx context.Context) {
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      cpuset.CPUSet{},
-				enablePodLevelResources: true,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod-level-resources", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			pod.Spec.Resources = &v1.ResourceRequirements{
-				Limits: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse("1"),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-				Requests: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse("1"),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-			}
-
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("gu-container", onlineCPUs))
-		})
-
-		ginkgo.It("should let the container access all the online CPUs when using a reserved CPUs set", func(ctx context.Context) {
-			reservedCPUs = cpuset.New(0)
-
-			updateKubeletConfigIfNeeded(ctx, f, configureCPUManagerInKubelet(oldCfg, &cpuManagerKubeletArguments{
-				policyName:              string(cpumanager.PolicyStatic),
-				reservedSystemCPUs:      reservedCPUs, // Not really needed for the tests but helps to make a more precise check
-				enablePodLevelResources: true,
-			}))
-
-			pod := makeCPUManagerPod("gu-pod-level-resources", []ctnAttribute{
-				{
-					ctnName:    "gu-container",
-					cpuRequest: "1",
-					cpuLimit:   "1",
-				},
-			})
-			pod.Spec.Resources = &v1.ResourceRequirements{
-				Limits: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse("1"),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-				Requests: v1.ResourceList{
-					v1.ResourceCPU:    resource.MustParse("1"),
-					v1.ResourceMemory: resource.MustParse("100Mi"),
-				},
-			}
-
-			ginkgo.By("creating the test pod")
-			pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
-			podMap[string(pod.UID)] = pod
-
-			ginkgo.By("checking if the expected cpuset was assigned")
-			gomega.Expect(pod).To(HaveContainerCPUsEqualTo("gu-container", onlineCPUs))
-		})
-	})
-})
-
-// Matching helpers
-
-func HaveStatusReasonMatchingRegex(expr string) types.GomegaMatcher {
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		re, err := regexp.Compile(expr)
-		if err != nil {
-			return false, err
-		}
-		return re.MatchString(actual.Status.Reason), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} reason {{.Actual.Status.Reason}} does not match regexp {{.Data}}", expr)
-}
-
-type msgData struct {
-	Name             string
-	CurrentCPUs      string
-	ExpectedCPUs     string
-	MismatchedCPUs   string
-	UncoreCacheAlign string
-	Count            int
-	Aligned          int
-	CurrentQuota     string
-	ExpectedQuota    string
-}
-
-func HaveContainerCPUsCount(ctnName string, val int) types.GomegaMatcher {
-	md := &msgData{
-		Name:  ctnName,
-		Count: val,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		return cpus.Size() == val, nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not matching expected count <{{.Data.Count}}> for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsAlignedTo(ctnName string, val int) types.GomegaMatcher {
-	md := &msgData{
-		Name:    ctnName,
-		Aligned: val,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		return cpus.Size()%val == 0, nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not aligned to value <{{.Data.Aligned}}> for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsOverlapWith(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
-	md := &msgData{
-		Name:         ctnName,
-		ExpectedCPUs: ref.String(),
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		sharedCPUs := cpus.Intersection(ref)
-		return sharedCPUs.Size() > 0, nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> overlapping with expected CPUs <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsASubsetOf(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
-	md := &msgData{
-		Name:         ctnName,
-		ExpectedCPUs: ref.String(),
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		return cpus.IsSubsetOf(ref), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not a subset of expected CPUs <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsEqualTo(ctnName string, expectedCPUs cpuset.CPUSet) types.GomegaMatcher {
-	md := &msgData{
-		Name:         ctnName,
-		ExpectedCPUs: expectedCPUs.String(),
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		return cpus.Equals(expectedCPUs), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not matching the expected value <{{.Data.ExpectedCPUs}}> for container {{.Data.Name}}", md)
-}
-
-func HaveSandboxQuota(expectedQuota string) types.GomegaMatcher {
-	md := &msgData{
-		ExpectedQuota: expectedQuota,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		md.Name = klog.KObj(actual).String()
-		quota, err := getSandboxCFSQuota(actual)
-		md.CurrentQuota = quota
-		if err != nil {
-			framework.Logf("getSandboxCFSQuota() failed: %v", err)
-			return false, err
-		}
-		re, err := regexp.Compile(fmt.Sprintf("^%s %s$", expectedQuota, defaultCFSPeriod))
-		if err != nil {
-			return false, err
-		}
-		return re.MatchString(quota), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has quota <{{.Data.CurrentQuota}}> not matching expected value <{{.Data.ExpectedQuota}}>", md)
-}
-
-func HaveContainerQuota(ctnName, expectedQuota string) types.GomegaMatcher {
-	md := &msgData{
-		Name:          ctnName,
-		ExpectedQuota: expectedQuota,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		quota, err := getContainerCFSQuota(actual, ctnName, false)
-		md.CurrentQuota = quota
-		if err != nil {
-			framework.Logf("getContainerCFSQuota(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		re, err := regexp.Compile(fmt.Sprintf("^%s %s$", expectedQuota, defaultCFSPeriod))
-		if err != nil {
-			return false, err
-		}
-		return re.MatchString(quota), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has quota <{{.Data.CurrentQuota}}> not matching expected value <{{.Data.ExpectedQuota}}> for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsThreadSiblings(ctnName string) types.GomegaMatcher {
-	md := &msgData{
-		Name: ctnName,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		expectedCPUs := makeThreadSiblingCPUSet(cpus)
-		md.ExpectedCPUs = expectedCPUs.String()
-		return cpus.Equals(expectedCPUs), nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not all thread sibling pairs (would be <{{.Data.ExpectedCPUs}}>) for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsQuasiThreadSiblings(ctnName string, toleration int) types.GomegaMatcher {
-	md := &msgData{
-		Name:  ctnName,
-		Count: toleration,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		md.CurrentCPUs = cpus.String()
-		if err != nil {
-			framework.Logf("getContainerAllowedCPUs(%s) failed: %v", ctnName, err)
-			return false, err
-		}
-		// this is by construction >= cpus (extreme case: cpus is made by all non-thread-siblings)
-		expectedCPUs := makeThreadSiblingCPUSet(cpus)
-		md.ExpectedCPUs = expectedCPUs.String()
-		mismatchedCPUs := expectedCPUs.Difference(cpus)
-		md.MismatchedCPUs = mismatchedCPUs.String()
-		return mismatchedCPUs.Size() <= toleration, nil
-	}).WithTemplate("Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} has allowed CPUs <{{.Data.CurrentCPUs}}> not all thread sibling pairs (would be <{{.Data.ExpectedCPUs}}> mismatched <{{.Data.MismatchedCPUs}}> toleration <{{.Data.Count}}>) for container {{.Data.Name}}", md)
-}
-
-func HaveContainerCPUsWithSameUncoreCacheID(ctnName string) types.GomegaMatcher {
-	md := &msgData{
-		Name: ctnName,
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		cpus, err := getContainerAllowedCPUs(actual, ctnName, false)
-		if err != nil {
-			return false, fmt.Errorf("getContainerAllowedCPUs(%s) failed: %w", ctnName, err)
-		}
-		md.CurrentCPUs = cpus.String()
-
-		var commonCacheID *int64
-
-		for _, cpu := range cpus.List() {
-			// determine the Uncore Cache ID for each cpu
-			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
-			if err != nil {
-				return false, fmt.Errorf("failed to read cache ID for CPU %d: %w", cpu, err)
-			}
-
-			// if this the first CPU we check, set the Uncore Cache ID as the reference
-			// for subsequent CPUs, compare the Uncore Cache ID to the reference
-			if commonCacheID == nil {
-				commonCacheID = &uncoreID
-			} else if *commonCacheID != uncoreID {
-				md.UncoreCacheAlign = fmt.Sprintf("shared uncoreID mismatch: CPU %d has uncoreID %d, CPUSet has uncoreID %d", cpu, uncoreID, *commonCacheID)
-				return false, nil
-			}
-		}
-
-		// All CPUs matched the same cache ID
-		md.UncoreCacheAlign = fmt.Sprintf("all CPUs share cache ID %d", *commonCacheID)
-		return true, nil
-	}).WithTemplate(
-		"Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} container {{.Data.Name}} has CPUSet <{{.Data.CurrentCPUs}}> where not all CPUs share the same uncore cache ID: {{.Data.UncoreCacheAlign}}",
-		md,
-	)
-}
-
-func HaveContainerCPUsShareUncoreCacheWith(ctnName string, ref cpuset.CPUSet) types.GomegaMatcher {
-	md := &msgData{
-		Name:         ctnName,
-		ExpectedCPUs: ref.String(),
-	}
-	return gcustom.MakeMatcher(func(actual *v1.Pod) (bool, error) {
-		containerCPUs, err := getContainerAllowedCPUs(actual, ctnName, false)
-		if err != nil {
-			return false, fmt.Errorf("getContainerAllowedCPUs(%s) failed: %w", ctnName, err)
-		}
-		md.CurrentCPUs = containerCPUs.String()
-
-		// Build set of uncore cache IDs from the reference cpuset
-		refUncoreIDs := sets.New[int64]()
-		for _, cpu := range ref.UnsortedList() {
-			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
-			if err != nil {
-				return false, fmt.Errorf("failed to read uncore cache ID for reference CPU %d: %w", cpu, err)
-			}
-			refUncoreIDs.Insert(uncoreID)
-		}
-
-		// Check if any container CPUs share an uncore ID with the reference set
-		for _, cpu := range containerCPUs.UnsortedList() {
-			uncoreID, err := uncoreCacheIDFromSysFS(cpu)
-			if err != nil {
-				return false, fmt.Errorf("failed to read uncore cache ID for container CPU %d: %w", cpu, err)
-			}
-			if refUncoreIDs.Has(uncoreID) {
-				md.UncoreCacheAlign = fmt.Sprintf("%d", uncoreID)
-				return true, nil
-			}
-		}
-
-		return false, nil
-	}).WithTemplate(
-		"Pod {{.Actual.Namespace}}/{{.Actual.Name}} UID {{.Actual.UID}} container {{.Data.Name}} has CPUSet <{{.Data.CurrentCPUs}}> sharing uncoreCache ID <{{.Data.UncoreCacheAlign}}> with reference CPUSet <{{.Data.ExpectedCPUs}}>",
-		md,
-	)
-}
-
-// Other helpers
-
-func getContainerAllowedCPUs(pod *v1.Pod, ctnName string, isInit bool) (cpuset.CPUSet, error) {
-	cgPath, err := makeCgroupPathForContainer(pod, ctnName, isInit, e2enodeCgroupV2Enabled)
-	if err != nil {
-		return cpuset.CPUSet{}, err
-	}
-	cgPath = filepath.Join(cgPath, cpusetFileNameFromVersion(e2enodeCgroupV2Enabled))
-	framework.Logf("pod %s/%s cnt %s qos=%s path %q", pod.Namespace, pod.Name, ctnName, pod.Status.QOSClass, cgPath)
-	data, err := os.ReadFile(cgPath)
-	if err != nil {
-		return cpuset.CPUSet{}, err
-	}
-	cpus := strings.TrimSpace(string(data))
-	framework.Logf("pod %s/%s cnt %s cpuset %q", pod.Namespace, pod.Name, ctnName, cpus)
-	return cpuset.Parse(cpus)
-}
-
-func getSandboxCFSQuota(pod *v1.Pod) (string, error) {
-	if !e2enodeCgroupV2Enabled {
-		return "", fmt.Errorf("only Cgroup V2 is supported")
-	}
-	cgPath := filepath.Join(makeCgroupPathForPod(pod, true), "cpu.max")
-	data, err := os.ReadFile(cgPath)
-	if err != nil {
-		return "", err
-	}
-	quota := strings.TrimSpace(string(data))
-	framework.Logf("pod %s/%s qos=%s path %q quota %q", pod.Namespace, pod.Name, pod.Status.QOSClass, cgPath, quota)
-	return quota, nil
-}
-
-func getContainerCFSQuota(pod *v1.Pod, ctnName string, isInit bool) (string, error) {
-	if !e2enodeCgroupV2Enabled {
-		return "", fmt.Errorf("only Cgroup V2 is supported")
-	}
-	cgPath, err := makeCgroupPathForContainer(pod, ctnName, isInit, true)
-	if err != nil {
-		return "", err
-	}
-	data, err := os.ReadFile(filepath.Join(cgPath, "cpu.max"))
-	if err != nil {
-		return "", err
-	}
-	quota := strings.TrimSpace(string(data))
-	framework.Logf("pod %s/%s qos=%s cnt %s path %q quota %q", pod.Namespace, pod.Name, pod.Status.QOSClass, ctnName, cgPath, quota)
-	return quota, nil
-}
-
-const (
-	kubeCgroupRoot = "/sys/fs/cgroup"
-)
-
-// example path (systemd, crio, v2):
-// /sys/fs/cgroup/ kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod0b7632a2_a56e_4278_987a_22de18008dbe.slice/ crio-conmon-0bc5eac79e3ae7a0c2651f14722aa10fa333eb2325c2ca97da33aa284cda81b0.scope
-// example path (cgroup, containerd, v1):
-// /sys/fs/cgroup/cpuset kubepods/burstable pod8e414e92-17c2-41de-81c7-0045bba9103b b5791f89a6971bb4a751ffbebf533399c91630aa2906d7c6b5e239f405f3b97a
-
-func makeCgroupPathForPod(pod *v1.Pod, isV2 bool) string {
-	components := []string{defaultNodeAllocatableCgroup}
-	if pod.Status.QOSClass != v1.PodQOSGuaranteed {
-		components = append(components, strings.ToLower(string(pod.Status.QOSClass)))
-	}
-	components = append(components, "pod"+string(pod.UID))
-
-	cgroupName := cm.NewCgroupName(cm.RootCgroupName, components...)
-	cgroupFsName := ""
-	// it's quite ugly to use a global, but it saves us to pass a parameter all across the stack many times
-	if e2enodeCgroupDriver == "systemd" {
-		cgroupFsName = cgroupName.ToSystemd()
-	} else {
-		cgroupFsName = cgroupName.ToCgroupfs()
-	}
-	if !isV2 {
-		cgroupFsName = filepath.Join("cpuset", cgroupFsName)
-	}
-	return filepath.Join(kubeCgroupRoot, cgroupFsName)
-}
-
-func makeCgroupPathForContainer(pod *v1.Pod, ctnName string, isInit, isV2 bool) (string, error) {
-	fullCntID, ok := findContainerIDByName(pod, ctnName, isInit)
-	if !ok {
-		return "", fmt.Errorf("cannot find status for container %q", ctnName)
-	}
-	cntID, err := parseContainerID(fullCntID)
-	if err != nil {
-		return "", err
-	}
-	cntPath := ""
-	if e2enodeCgroupDriver == "systemd" {
-		cntPath = containerCgroupPathPrefixFromDriver(e2enodeRuntimeName) + "-" + cntID + ".scope"
-	} else {
-		cntPath = cntID
-	}
-
-	return filepath.Join(makeCgroupPathForPod(pod, isV2), cntPath), nil
-}
-
-func cpusetFileNameFromVersion(isV2 bool) string {
-	if isV2 {
-		return "cpuset.cpus.effective"
-	}
-	return "cpuset.cpus"
-}
-
-func containerCgroupPathPrefixFromDriver(runtimeName string) string {
-	if runtimeName == "cri-o" {
-		return "crio"
-	}
-	return "cri-containerd"
-}
-
-func parseContainerID(fullID string) (string, error) {
-	_, cntID, found := strings.Cut(fullID, "://")
-	if !found {
-		return "", fmt.Errorf("unsupported containerID: %q", fullID)
-	}
-	// TODO: should we validate the kind?
-	return cntID, nil
-}
-
-func findContainerIDByName(pod *v1.Pod, ctnName string, isInit bool) (string, bool) {
-	cntStatuses := pod.Status.ContainerStatuses
-	if isInit {
-		cntStatuses = pod.Status.InitContainerStatuses
-	}
-	for idx := range cntStatuses {
-		if cntStatuses[idx].Name == ctnName {
-			return cntStatuses[idx].ContainerID, true
-		}
-	}
-	return "", false
-}
-
-func makeThreadSiblingCPUSet(cpus cpuset.CPUSet) cpuset.CPUSet {
-	siblingsCPUs := cpuset.New()
-	for _, cpuID := range cpus.UnsortedList() {
-		siblingsCPUs = siblingsCPUs.Union(cpuSiblingListFromSysFS(int64(cpuID)))
-	}
-	return siblingsCPUs
-}
-
-func updateKubeletConfigIfNeeded(ctx context.Context, f *framework.Framework, desiredCfg *kubeletconfig.KubeletConfiguration) *v1.Node {
-	curCfg, err := getCurrentKubeletConfig(ctx)
-	framework.ExpectNoError(err)
-
-	if equalKubeletConfiguration(curCfg, desiredCfg) {
-		framework.Logf("Kubelet configuration already compliant, nothing to do")
-		return getLocalNode(ctx, f)
-	}
-
-	framework.Logf("Updating Kubelet configuration")
-	updateKubeletConfig(ctx, f, desiredCfg, true)
-	framework.Logf("Updated Kubelet configuration")
-
-	return getLocalNode(ctx, f)
-}
-
-func equalKubeletConfiguration(cfgA, cfgB *kubeletconfig.KubeletConfiguration) bool {
-	cfgA = cfgA.DeepCopy()
-	cfgB = cfgB.DeepCopy()
-	// we care only about the payload, force metadata to be uniform
-	cfgA.TypeMeta = metav1.TypeMeta{}
-	cfgB.TypeMeta = metav1.TypeMeta{}
-	return reflect.DeepEqual(cfgA, cfgB)
-}
-
-type nodeCPUDetails struct {
-	Capacity    int64
-	Allocatable int64
-	Reserved    int64
-}
-
-func cpuDetailsFromNode(node *v1.Node) nodeCPUDetails {
-	localNodeCap := node.Status.Capacity
-	cpuCap := localNodeCap[v1.ResourceCPU]
-	localNodeAlloc := node.Status.Allocatable
-	cpuAlloc := localNodeAlloc[v1.ResourceCPU]
-	cpuRes := cpuCap.DeepCopy()
-	cpuRes.Sub(cpuAlloc)
-	// RoundUp reserved CPUs to get only integer cores.
-	cpuRes.RoundUp(0)
-	return nodeCPUDetails{
-		Capacity:    cpuCap.Value(),
-		Allocatable: cpuCap.Value() - cpuRes.Value(),
-		Reserved:    cpuRes.Value(),
-	}
-}
-
-// smtLevelFromSysFS returns the number of symmetrical multi-thread (SMT) execution units the processor provides.
-// The most common value on x86_64 is 2 (2 virtual threads/cores per physical core), that would be smtLevel == 2.
-// The following are all synonyms: threadsPerCore, smtLevel
-// Note: can't find a good enough yet not overly long name, "threadSiblingCount", "smtLevel", "threadsPerCore" are all questionable.
-func smtLevelFromSysFS() int {
-	cpuID := int64(0) // this is just the most likely cpu to be present in a random system. No special meaning besides this.
-	cpus := cpuSiblingListFromSysFS(cpuID)
-	return cpus.Size()
-}
-
-func cpuSiblingListFromSysFS(cpuID int64) cpuset.CPUSet {
-	data, err := os.ReadFile(fmt.Sprintf("/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list", cpuID))
-	framework.ExpectNoError(err)
-	// how many thread sibling you have = SMT level
-	// example: 2-way SMT means 2 threads sibling for each thread
-	cpus, err := cpuset.Parse(strings.TrimSpace(string(data)))
-	framework.ExpectNoError(err)
-	return cpus
-}
-
-func uncoreCacheIDFromSysFS(cpuID int) (int64, error) {
-	// expect sysfs path for Uncore Cache ID for each CPU to be:
-	// /sys/devices/system/cpu/cpu#/cache/index3/id
-	cacheIDPath := filepath.Join("/sys/devices/system/cpu", fmt.Sprintf("cpu%d", cpuID), "cache", "index3", "id")
-	cacheIDBytes, err := os.ReadFile(cacheIDPath)
-	if err != nil {
-		return 0, fmt.Errorf("failed to read cache ID for CPU %d: %w", cpuID, err)
-	}
-
-	cacheIDStr := strings.TrimSpace(string(cacheIDBytes))
-	cacheID, err := strconv.ParseInt(cacheIDStr, 10, 64)
-	if err != nil {
-		return 0, fmt.Errorf("failed to parse cache ID for CPU %d: %w", cpuID, err)
-	}
-
-	return cacheID, nil
-}
-
-func makeCPUManagerBEPod(podName string, ctnAttributes []ctnAttribute) *v1.Pod {
-	var containers []v1.Container
-	for _, ctnAttr := range ctnAttributes {
-		ctn := v1.Container{
-			Name:    ctnAttr.ctnName,
-			Image:   busyboxImage,
-			Command: []string{"sh", "-c", ctnAttr.ctnCommand},
-			VolumeMounts: []v1.VolumeMount{
-				{
-					Name:      "sysfscgroup",
-					MountPath: "/sysfscgroup",
-				},
-				{
-					Name:      "podinfo",
-					MountPath: "/podinfo",
-				},
-			},
-		}
-		containers = append(containers, ctn)
-	}
-
-	return &v1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: podName,
-		},
-		Spec: v1.PodSpec{
-			RestartPolicy: v1.RestartPolicyNever,
-			Containers:    containers,
-			Volumes: []v1.Volume{
-				{
-					Name: "sysfscgroup",
-					VolumeSource: v1.VolumeSource{
-						HostPath: &v1.HostPathVolumeSource{Path: "/sys/fs/cgroup"},
-					},
-				},
-				{
-					Name: "podinfo",
-					VolumeSource: v1.VolumeSource{
-						DownwardAPI: &v1.DownwardAPIVolumeSource{
-							Items: []v1.DownwardAPIVolumeFile{
-								{
-									Path: "uid",
-									FieldRef: &v1.ObjectFieldSelector{
-										APIVersion: "v1",
-										FieldPath:  "metadata.uid",
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func requireCGroupV2() {
-	if e2enodeCgroupV2Enabled {
-		return
-	}
-	e2eskipper.Skipf("Skipping since CgroupV2 not used")
-
-}
diff --git a/test/e2e_node/device_plugin_failures_pod_status_test.go b/test/e2e_node/device_plugin_failures_pod_status_test.go
index 8bc85e4148d21..fa94cbb3414cb 100644
--- a/test/e2e_node/device_plugin_failures_pod_status_test.go
+++ b/test/e2e_node/device_plugin_failures_pod_status_test.go
@@ -27,7 +27,6 @@ import (
 	v1 "k8s.io/api/core/v1"
 	kubeletdevicepluginv1beta1 "k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1"
 	"k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/test/e2e/feature"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 	imageutils "k8s.io/kubernetes/test/utils/image"
@@ -40,7 +39,7 @@ import (
 	"k8s.io/kubernetes/test/e2e_node/testdeviceplugin"
 )
 
-var _ = SIGDescribe("Device Plugin Failures Pod Status", feature.ResourceHealthStatus, func() {
+var _ = SIGDescribe("Device Plugin Failures Pod Status", framework.WithFeatureGate(features.ResourceHealthStatus), func() {
 	f := framework.NewDefaultFramework("device-plugin-failures")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
diff --git a/test/e2e_node/device_plugin_test.go b/test/e2e_node/device_plugin_test.go
index 7fe48fd8e7ad5..d6bda3b99efaa 100644
--- a/test/e2e_node/device_plugin_test.go
+++ b/test/e2e_node/device_plugin_test.go
@@ -52,6 +52,7 @@ import (
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	e2etestfiles "k8s.io/kubernetes/test/e2e/framework/testfiles"
+	testutils "k8s.io/kubernetes/test/utils"
 )
 
 var (
@@ -93,7 +94,7 @@ const (
 )
 
 func testDevicePlugin(f *framework.Framework, pluginSockDir string) {
-	pluginSockDir = filepath.Join(pluginSockDir) + "/"
+	pluginSockDir = filepath.Clean(pluginSockDir) + "/"
 
 	type ResourceValue struct {
 		Allocatable int
@@ -691,7 +692,7 @@ func testDevicePlugin(f *framework.Framework, pluginSockDir string) {
 			}
 		})
 
-		f.It("Can schedule a pod with a restartable init container", feature.SidecarContainers, func(ctx context.Context) {
+		f.It("Can schedule a pod with a restartable init container", framework.WithNodeConformance(), func(ctx context.Context) {
 			podRECMD := "devs=$(ls /tmp/ | egrep '^Dev-[0-9]+$') && echo stub devices: $devs && sleep %s"
 			sleepOneSecond := "1s"
 			rl := v1.ResourceList{v1.ResourceName(SampleDeviceResourceName): *resource.NewQuantity(1, resource.DecimalSI)}
@@ -867,6 +868,13 @@ func testDevicePluginNodeReboot(f *framework.Framework, pluginSockDir string) {
 
 			devicePluginPod = e2epod.NewPodClient(f).CreateSync(ctx, dp)
 
+			framework.Logf("Waiting for device plugin pod to be Running")
+			err = e2epod.WaitForPodCondition(ctx, f.ClientSet, devicePluginPod.Namespace, devicePluginPod.Name, "Ready", 2*time.Minute, testutils.PodRunningReady)
+			if err != nil {
+				framework.Logf("Sample Device Pod %v took too long to enter running/ready: %v", dp.Name, err)
+			}
+			framework.ExpectNoError(err, "WaitForPodCondition() failed err: %v", err)
+
 			go func() {
 				// Since autoregistration is disabled for the device plugin (as REGISTER_CONTROL_FILE
 				// environment variable is specified), device plugin registration needs to be triggerred
@@ -893,7 +901,7 @@ func testDevicePluginNodeReboot(f *framework.Framework, pluginSockDir string) {
 				return ready &&
 					CountSampleDeviceCapacity(node) == expectedSampleDevsAmount &&
 					CountSampleDeviceAllocatable(node) == expectedSampleDevsAmount
-			}, 30*time.Second, framework.Poll).Should(gomega.BeTrueBecause("expected resource to be available on local node"))
+			}, 2*time.Minute, framework.Poll).Should(gomega.BeTrueBecause("expected resource exported by the sample device plugin to be available on local node"))
 		})
 
 		ginkgo.AfterEach(func(ctx context.Context) {
@@ -981,17 +989,14 @@ func testDevicePluginNodeReboot(f *framework.Framework, pluginSockDir string) {
 				return err
 			}, 30*time.Second, framework.Poll).ShouldNot(gomega.HaveOccurred(), "cannot fetch the compute resource assignment after kubelet restart")
 
-			// if we got this far, podresources API will now report 2 entries:
-			// - sample device plugin pod, running and doing fine
-			// - our test pod, in failed state. Pods in terminal state will still be reported, see https://github.com/kubernetes/kubernetes/issues/119423
-			// so we care about our test pod, and it will be present in the returned list till 119423 is fixed, but since it failed admission it must not have
-			// any device allocated to it, hence we check for empty device set in the podresources response. So, we check that
-			// A. our test pod must be present in the list response *and*
-			// B. it has no devices assigned to it.
-			// anything else is unexpected and thus makes the test fail. Once 119423 is fixed, a better, simpler and more intuitive check will be for the
-			// test pod to not be present in the podresources list response, but till that time we're stuck with this approach.
+			// if we got this far, podresources API will now report only the sample device plugin pod,
+			// because pods that failed admission are no longer reported in the list
+			// (see https://github.com/kubernetes/kubernetes/pull/132028).
+			// Hence, we verify that our test pod is NOT present in the podresources response.
+
 			_, found := checkPodResourcesAssignment(v1PodResources, pod1.Namespace, pod1.Name, pod1.Spec.Containers[0].Name, SampleDeviceResourceName, []string{})
-			gomega.Expect(found).To(gomega.BeTrueBecause("%s/%s/%s failed admission, should not have devices registered", pod1.Namespace, pod1.Name, pod1.Spec.Containers[0].Name))
+			framework.ExpectNoError(err, "unexpected device assignment mismatch for %s/%s", pod1.Namespace, pod1.Name)
+			gomega.Expect(found).To(gomega.BeFalseBecause("%s/%s/%s failed admission, so it must not appear in podresources list", pod1.Namespace, pod1.Name, pod1.Spec.Containers[0].Name))
 		})
 	})
 }
diff --git a/test/e2e_node/dra_test.go b/test/e2e_node/dra_test.go
index ce47b9daca7ae..643a8137efc54 100644
--- a/test/e2e_node/dra_test.go
+++ b/test/e2e_node/dra_test.go
@@ -19,13 +19,14 @@ E2E Node test for DRA (Dynamic Resource Allocation)
 This test covers node-specific aspects of DRA
 The test can be run locally on Linux this way:
     make test-e2e-node FOCUS='\[Feature:DynamicResourceAllocation\]' SKIP='\[Flaky\]' PARALLELISM=1 \
-       TEST_ARGS='--feature-gates="DynamicResourceAllocation=true,ResourceHealthStatus=true" --service-feature-gates="DynamicResourceAllocation=true,ResourceHealthStatus=true" --runtime-config=api/all=true'
+       TEST_ARGS='--feature-gates="DynamicResourceAllocation=true,ResourceHealthStatus=true,DRAConsumableCapacity=true" --service-feature-gates="DynamicResourceAllocation=true,ResourceHealthStatus=true,DRAConsumableCapacity=true" --runtime-config=api/all=true'
 */
 
 package e2enode
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
@@ -47,6 +48,8 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	apitypes "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
@@ -57,6 +60,7 @@ import (
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 
 	"k8s.io/dynamic-resource-allocation/kubeletplugin"
 	"k8s.io/dynamic-resource-allocation/resourceslice"
@@ -105,7 +109,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 
 	f.Context("Resource Kubelet Plugin", f.WithSerial(), func() {
 		ginkgo.It("must register after Kubelet restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			oldCalls := kubeletPlugin.GetGRPCCalls()
 			getNewCalls := func() []testdriver.GRPCCall {
@@ -121,11 +125,11 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must register after plugin restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			ginkgo.By("restart Kubelet Plugin")
 			kubeletPlugin.Stop()
-			kubeletPlugin = newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin = newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			ginkgo.By("wait for Kubelet plugin re-registration")
 			gomega.Eventually(kubeletPlugin.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
@@ -134,7 +138,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		// Test that the kubelet plugin manager retries plugin registration
 		// when the GetInfo call fails, and succeeds once the call passes.
 		ginkgo.It("must recover and register after registration failure", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			ginkgo.By("set GetInfo failure mode")
 			kubeletPlugin.SetGetInfoError(fmt.Errorf("simulated GetInfo failure"))
@@ -155,7 +159,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must process pod created when kubelet is not running", func(ctx context.Context) {
-			newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			// Stop Kubelet
 			ginkgo.By("stop kubelet")
@@ -174,7 +178,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must keep pod in pending state if NodePrepareResources times out", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unblockNodePrepareResources := kubeletPlugin.BlockNodePrepareResources()
 			defer unblockNodePrepareResources()
@@ -194,7 +198,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must run pod if NodePrepareResources fails and then succeeds", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodePrepareResourcesFailureMode := kubeletPlugin.SetNodePrepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", true, []string{driverName})
@@ -219,7 +223,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must run pod if NodeUnprepareResources fails and then succeeds", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodeUnprepareResourcesFailureMode := kubeletPlugin.SetNodeUnprepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", true, []string{driverName})
@@ -241,7 +245,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must retry NodePrepareResources after Kubelet restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodePrepareResourcesFailureMode := kubeletPlugin.SetNodePrepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", true, []string{driverName})
@@ -272,7 +276,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must retry NodeUnprepareResources after Kubelet restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodeUnprepareResourcesFailureMode := kubeletPlugin.SetNodeUnprepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", true, []string{driverName})
@@ -299,7 +303,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must call NodeUnprepareResources for deleted pod", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodeUnprepareResourcesFailureMode := kubeletPlugin.SetNodeUnprepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", false, []string{driverName})
@@ -323,7 +327,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must call NodeUnprepareResources for deleted pod after Kubelet restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unsetNodeUnprepareResourcesFailureMode := kubeletPlugin.SetNodeUnprepareResourcesFailureMode()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", false, []string{driverName})
@@ -354,7 +358,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		})
 
 		ginkgo.It("must not call NodePrepareResources for deleted pod after Kubelet restart", func(ctx context.Context) {
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			unblockNodePrepareResources := kubeletPlugin.BlockNodePrepareResources()
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drapod", false, []string{driverName})
@@ -393,7 +397,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
 
 			ginkgo.By("start DRA plugin service")
-			draService := newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			draService := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
 			pod := createTestObjects(ctx, f.ClientSet, nodeName, f.Namespace.Name, "draclass", "external-claim", "drapod", false, []string{driverName})
 
@@ -425,7 +429,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
 
 			ginkgo.By("start DRA plugin service")
-			draService := newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			draService := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
 			pod := createTestObjects(ctx, f.ClientSet, getNodeName(ctx, f), f.Namespace.Name, "draclass", "external-claim", "drasleeppod" /* enables sleeping */, false /* pod is deleted below */, []string{driverName})
 
@@ -443,12 +447,14 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Eventually(ctx, listResources(f.ClientSet)).Should(gomega.BeEmpty(), "ResourceSlices without plugin")
 
 			ginkgo.By("restarting plugin")
-			draService = newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			draService = newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
-			ginkgo.By("stopping pod")
+			ginkgo.By("stopping pod and waiting for it to get removed, indicating that NodeUnprepareResources must have been called")
 			err = f.ClientSet.CoreV1().Pods(pod.Namespace).Delete(ctx, pod.Name, metav1.DeleteOptions{})
-			framework.ExpectNoError(err)
+			framework.ExpectNoError(err, "delete pod")
 			gomega.Eventually(draService.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodeUnprepareResourcesSucceeded)
+			err = e2epod.WaitForPodNotFoundInNamespace(ctx, f.ClientSet, pod.Name, pod.Namespace, f.Timeouts.PodDelete)
+			framework.ExpectNoError(err, "pod + claim shutdown")
 		}
 		ginkgo.DescribeTable("must be functional after service reconnect",
 			functionalAfterServiceReconnect,
@@ -463,7 +469,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 
 		failOnClosedListener := func(
 			ctx context.Context,
-			service func(ctx context.Context, clientSet kubernetes.Interface, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin,
+			service func(ctx context.Context, clientSet kubernetes.Interface, testNamespace, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin,
 			listenerOptionFun func(listen func(ctx context.Context, path string) (net.Listener, error)) kubeletplugin.Option,
 		) {
 			ginkgo.By("create a custom listener")
@@ -482,6 +488,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			service(
 				ctx,
 				f.ClientSet,
+				f.Namespace.Name,
 				getNodeName(ctx, f),
 				driverName,
 				"",
@@ -499,7 +506,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		// The wrappedNewRegistrar function is used to create a new registrar
 		// with the same signature as the newDRAService function, so that it can be
 		// used in the DescribeTable.
-		wrappedNewRegistrar := func(ctx context.Context, clientSet kubernetes.Interface, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin {
+		wrappedNewRegistrar := func(ctx context.Context, clientSet kubernetes.Interface, testNamespace, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin {
 			return newRegistrar(ctx, clientSet, nodeName, driverName, opts...)
 		}
 		ginkgo.DescribeTable("must report gRPC serving error",
@@ -507,13 +514,62 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			ginkgo.Entry("for registrar", wrappedNewRegistrar, kubeletplugin.RegistrarListener),
 			ginkgo.Entry("for DRA service", newDRAService, kubeletplugin.PluginListener),
 		)
+
+		// This test verifies that the Kubelet establishes only a single gRPC connection
+		// with the DRA plugin throughout the plugin lifecycle.
+		//
+		// It does so by:
+		// - Using a custom gRPC listener that counts accepted connections.
+		// - Sequentially creating pods that trigger NodePrepareResources and NodeUnprepareResources.
+		// - Asserting that only one connection was accepted by the listener — since each
+		// call to net.Listener.Accept() corresponds to a new incoming connection —
+		// ensures that the plugin reused the same gRPC connection for all calls.
+		ginkgo.It("must use one gRPC connection for all service calls", func(ctx context.Context) {
+			var listener *countingListener
+			var err error
+			getListener := func(_ context.Context, socketPath string) (net.Listener, error) {
+				listener, err = newCountingListener(socketPath)
+				return listener, err
+			}
+
+			nodeName := getNodeName(ctx, f)
+
+			ginkgo.By("start DRA registrar")
+			registrar := newRegistrar(ctx, f.ClientSet, nodeName, driverName)
+
+			ginkgo.By("wait for registration to complete")
+			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
+
+			ginkgo.By("start DRA plugin service")
+			draService := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, "", kubeletplugin.PluginListener(getListener))
+
+			for _, suffix := range []string{"-1", "-2"} {
+				draService.ResetGRPCCalls()
+
+				ginkgo.By("create test objects " + suffix)
+				pod := createTestObjects(ctx, f.ClientSet, nodeName, f.Namespace.Name, "draclass"+suffix, "external-claim"+suffix, "drapod"+suffix, true, []string{driverName})
+
+				ginkgo.By("wait for NodePrepareResources call to succeed " + suffix)
+				gomega.Eventually(draService.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodePrepareResourcesSucceeded)
+
+				ginkgo.By("wait for NodeUnprepareResources call to succeed " + suffix)
+				gomega.Eventually(draService.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodeUnprepareResourcesSucceeded)
+
+				ginkgo.By("wait for pod to succeed " + suffix)
+				err = e2epod.WaitForPodSuccessInNamespace(ctx, f.ClientSet, pod.Name, f.Namespace.Name)
+				framework.ExpectNoError(err)
+
+				ginkgo.By("check that listener.Accept was called only once " + suffix)
+				gomega.Expect(listener.acceptCount()).To(gomega.Equal(1))
+			}
+		})
 	})
 
 	f.Context("Two resource Kubelet Plugins", f.WithSerial(), func() {
 		// start creates plugins which will get stopped when the context gets canceled.
 		start := func(ctx context.Context) (*testdriver.ExamplePlugin, *testdriver.ExamplePlugin) {
-			kubeletPlugin1 := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), kubeletPlugin1Name)
-			kubeletPlugin2 := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), kubeletPlugin2Name)
+			kubeletPlugin1 := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), kubeletPlugin1Name)
+			kubeletPlugin2 := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), kubeletPlugin2Name)
 
 			ginkgo.By("wait for Kubelet plugin registration")
 			gomega.Eventually(kubeletPlugin1.GetGRPCCalls()).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
@@ -550,13 +606,8 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			framework.ExpectNoError(err)
 			gomega.Expect(kubeletPlugin1.GetGRPCCalls()).Should(testdrivergomega.NodePrepareResourcesSucceeded, "Plugin 1 should have prepared resources.")
 			gomega.Expect(kubeletPlugin2.GetGRPCCalls()).Should(testdrivergomega.NodePrepareResourcesSucceeded, "Plugin 2 should have prepared resources.")
-			driverName := func(element any) string {
-				el := element.(*testutil.Sample)
-				return string(el.Metric[testutil.LabelName("driver_name")])
-			}
-
 			gomega.Expect(getKubeletMetrics(ctx)).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
-				"dra_resource_claims_in_use": gstruct.MatchAllElements(driverName, gstruct.Elements{
+				"dra_resource_claims_in_use": gstruct.MatchAllElements(driverNameLabelKey, gstruct.Elements{
 					"<any>":            timelessSample(1),
 					kubeletPlugin1Name: timelessSample(1),
 					kubeletPlugin2Name: timelessSample(1),
@@ -571,10 +622,10 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Expect(kubeletPlugin1.GetGRPCCalls()).Should(testdrivergomega.NodeUnprepareResourcesSucceeded, "Plugin 2 should have unprepared resources.")
 			gomega.Expect(kubeletPlugin2.GetGRPCCalls()).Should(testdrivergomega.NodeUnprepareResourcesSucceeded, "Plugin 2 should have unprepared resources.")
 			gomega.Expect(getKubeletMetrics(ctx)).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
-				"dra_resource_claims_in_use": gstruct.MatchAllElements(driverName, gstruct.Elements{
+				"dra_resource_claims_in_use": gstruct.MatchAllElements(driverNameLabelKey, gstruct.Elements{
 					"<any>": timelessSample(0),
 				}),
-			}), "metrics while pod is running")
+			}), "metrics after deleting pod")
 		})
 
 		ginkgo.It("must run pod if NodePrepareResources fails for one plugin and then succeeds", func(ctx context.Context) {
@@ -713,7 +764,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			matchNode := gomega.ConsistOf(matchResourcesByNodeName(nodeName))
 
 			ginkgo.By("start plugin and wait for ResourceSlice")
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 			gomega.Eventually(ctx, listResources(f.ClientSet)).Should(matchNode, "ResourceSlice from kubelet plugin")
 			gomega.Consistently(ctx, listResources(f.ClientSet)).WithTimeout(5*time.Second).Should(matchNode, "ResourceSlice from kubelet plugin")
 
@@ -733,7 +784,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
 
 			ginkgo.By("start DRA plugin service")
-			kubeletPlugin := newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			kubeletPlugin := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
 			ginkgo.By("wait for ResourceSlice to be created by plugin")
 			matchNode := gomega.ConsistOf(matchResourcesByNodeName(nodeName))
@@ -785,7 +836,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
 
 			ginkgo.By("start DRA plugin service")
-			kubeletPlugin := newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			kubeletPlugin := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
 			ginkgo.By("wait for ResourceSlice to be created by plugin")
 			matchNode := gomega.ConsistOf(matchResourcesByNodeName(nodeName))
@@ -803,7 +854,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			time.Sleep(5 * time.Second)
 
 			ginkgo.By("restarting plugin")
-			newDRAService(ctx, f.ClientSet, nodeName, driverName, datadir, opts...)
+			newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, datadir, opts...)
 
 			ginkgo.By("ensuring unchanged ResourceSlices")
 			gomega.Consistently(ctx, listResources(f.ClientSet)).WithTimeout(time.Minute).Should(gomega.Equal(slices), "ResourceSlices")
@@ -826,7 +877,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 		// reported by a DRA plugin are correctly reflected in the Pod's status.
 		ginkgo.It("should reflect device health changes in the Pod's status", func(ctx context.Context) {
 			ginkgo.By("Starting the test driver with channel-based control")
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			className := "health-test-class"
 			claimName := "health-test-claim"
@@ -876,11 +927,77 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 			}).WithTimeout(60*time.Second).WithPolling(2*time.Second).Should(gomega.Equal("Healthy"), "Device health should recover and update to Healthy")
 		})
 
+		// This test verifies that the Kubelet establishes only a single gRPC connection
+		// with the DRA plugin throughout the plugin lifecycle.
+		//
+		// It does so by:
+		// - Using a custom gRPC listener that counts accepted connections.
+		// - Sequentially creating pods that trigger NodePrepareResources and NodeUnprepareResources.
+		// - Asserting that only one connection was accepted by the listener — since each
+		// call to net.Listener.Accept() corresponds to a new incoming connection —
+		// ensures that the plugin reused the same gRPC connection for all calls.
+		//
+		// NOTE: This is a copy of a similar test to test service connection reuse with enabled
+		// ResourceHealth. It should be merged with the original test when the ResourceHealth feature matures.
+		ginkgo.It("must reuse one gRPC connection for service and health-monitoring calls", func(ctx context.Context) {
+			var listener *countingListener
+			var err error
+			getListener := func(_ context.Context, socketPath string) (net.Listener, error) {
+				listener, err = newCountingListener(socketPath)
+				return listener, err
+			}
+
+			nodeName := getNodeName(ctx, f)
+
+			ginkgo.By("start DRA registrar")
+			registrar := newRegistrar(ctx, f.ClientSet, nodeName, driverName)
+
+			ginkgo.By("wait for registration to complete")
+			gomega.Eventually(registrar.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
+
+			ginkgo.By("start DRA plugin service")
+			draService := newDRAService(ctx, f.ClientSet, f.Namespace.Name, nodeName, driverName, "", kubeletplugin.PluginListener(getListener))
+
+			for _, suffix := range []string{"-1", "-2"} {
+				className := "health-test-class" + suffix
+				claimName := "health-test-claim" + suffix
+				podName := "health-test-pod" + suffix
+				poolNameForTest := "pool-a" + suffix
+				deviceNameForTest := "dev-0" + suffix
+
+				draService.ResetGRPCCalls()
+
+				ginkgo.By("create test objects " + suffix)
+				pod := createHealthTestPodAndClaim(ctx, f, driverName, podName, claimName, className, poolNameForTest, deviceNameForTest)
+
+				ginkgo.By("wait for NodePrepareResources call to succeed " + suffix)
+				gomega.Eventually(draService.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodePrepareResourcesSucceeded)
+
+				ginkgo.By("Waiting for the pod to be running")
+				framework.ExpectNoError(e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod))
+
+				ginkgo.By("Forcing a 'Healthy' status update to establish a baseline")
+				draService.HealthControlChan <- testdriver.DeviceHealthUpdate{
+					PoolName:   poolNameForTest,
+					DeviceName: deviceNameForTest,
+					Health:     "Healthy",
+				}
+
+				ginkgo.By("Verifying device health is now Healthy in the pod status")
+				gomega.Eventually(ctx, func(ctx context.Context) (string, error) {
+					return getDeviceHealthFromAPIServer(f, pod.Namespace, pod.Name, driverName, claimName, poolNameForTest, deviceNameForTest)
+				}).WithTimeout(30*time.Second).WithPolling(1*time.Second).Should(gomega.Equal("Healthy"), "Device health should be Healthy after explicit update")
+
+				ginkgo.By("check that listener.Accept was called only once " + suffix)
+				gomega.Expect(listener.acceptCount()).To(gomega.Equal(1))
+			}
+		})
+
 		// Verifies that device health transitions to "Unknown" when a DRA plugin
 		// stops and recovers to "Healthy" upon plugin restart.
 		ginkgo.It("should update health to Unknown when plugin stops and recover upon restart", func(ctx context.Context) {
 			ginkgo.By("Starting the test driver")
-			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			className := "unknown-test-class"
 			claimName := "unknown-test-claim"
@@ -913,7 +1030,7 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 
 			ginkgo.By("Restarting the DRA plugin to simulate recovery")
 			// Re-initialize the plugin, which will re-register with the Kubelet.
-			kubeletPlugin = newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName)
+			kubeletPlugin = newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
 
 			ginkgo.By("Forcing a 'Healthy' status update after restart")
 			kubeletPlugin.HealthControlChan <- testdriver.DeviceHealthUpdate{
@@ -930,14 +1047,23 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 
 	})
 
-	f.Context("Resource Health with Feature Gate Disabled", framework.WithLabel("[FeatureGate:ResourceHealthStatus:Disabled]"), f.WithSerial(), func() {
+	// This matches the "Resource Health" context above, except that it contains tests which need to run
+	// when the feature gate is disabled. This has to be checked at runtime because there is no generic
+	// way to filter out such tests in advance.
+	f.Context("Resource Health", f.WithSerial(), func() {
+
+		ginkgo.BeforeEach(func() {
+			if e2eskipper.IsFeatureGateEnabled(features.ResourceHealthStatus) {
+				e2eskipper.Skipf("feature %s is enabled", features.ResourceHealthStatus)
+			}
+		})
 
 		// Verifies that the Kubelet adds no health status to the Pod when the
 		// ResourceHealthStatus feature gate is disabled.
 		ginkgo.It("should not add health status to Pod when feature gate is disabled", func(ctx context.Context) {
 
 			ginkgo.By("Starting a test driver")
-			newKubeletPlugin(ctx, f.ClientSet, getNodeName(ctx, f), driverName, withHealthService(false))
+			newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName, withHealthService(false))
 
 			className := "gate-disabled-class"
 			claimName := "gate-disabled-claim"
@@ -967,6 +1093,73 @@ var _ = framework.SIGDescribe("node")(framework.WithLabel("DRA"), feature.Dynami
 				return fmt.Errorf("could not find container 'testcontainer' in pod status")
 			}).WithContext(ctx).WithTimeout(30*time.Second).WithPolling(2*time.Second).Should(gomega.Succeed(), "The allocatedResourcesStatus field should be absent when the feature gate is disabled")
 		})
+
+		f.Context("Device ShareID", framework.WithFeatureGate(features.DRAConsumableCapacity), f.WithSerial(), func() {
+
+			ginkgo.BeforeEach(func() {
+				if e2eskipper.IsFeatureGateEnabled(features.DRAConsumableCapacity) {
+					e2eskipper.Skipf("feature %s is enabled", features.DRAConsumableCapacity)
+				}
+			})
+
+			testWithDeviceRequestAllocationResults := func(ctx context.Context, results []resourceapi.DeviceRequestAllocationResult) {
+				nodeName := getNodeName(ctx, f)
+				kubeletPlugin := newKubeletPlugin(ctx, f.ClientSet, f.Namespace.Name, getNodeName(ctx, f), driverName)
+
+				ginkgo.By("wait for registration to complete")
+				gomega.Eventually(kubeletPlugin.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
+
+				pod := createTestObjects(ctx, f.ClientSet, nodeName, f.Namespace.Name, "draclass", "external-claim", "drapod", false, []string{driverName}, results...)
+
+				ginkgo.By("wait for NodePrepareResources call to succeed with given allocation results")
+				gomega.Eventually(kubeletPlugin.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodePrepareResourcesSucceeded)
+
+				ginkgo.By("wait for pod to succeed")
+				err := e2epod.WaitForPodSuccessInNamespace(ctx, f.ClientSet, pod.Name, f.Namespace.Name)
+				framework.ExpectNoError(err)
+
+				ginkgo.By("delete pod")
+				e2epod.DeletePodOrFail(ctx, f.ClientSet, f.Namespace.Name, pod.Name)
+
+				ginkgo.By("wait for NodeUnprepareResources call to succeed")
+				gomega.Eventually(kubeletPlugin.GetGRPCCalls).WithTimeout(retryTestTimeout).Should(testdrivergomega.NodeUnprepareResourcesSucceeded)
+			}
+			ginkgo.DescribeTable("must be functional when plugin starts to listen on a service socket after registration with the specified allocation results",
+				testWithDeviceRequestAllocationResults,
+				ginkgo.Entry("without ShareID", nil),
+				ginkgo.Entry("with a ShareID", []resourceapi.DeviceRequestAllocationResult{
+					{
+						Driver:      driverName,
+						Pool:        "some-pool",
+						Device:      "some-device",
+						Request:     "my-request",
+						ShareID:     ptr.To(uuid.NewUUID()),
+						AdminAccess: ptr.To(false),
+					},
+				},
+				),
+				ginkgo.Entry("same device with two ShareIDs", []resourceapi.DeviceRequestAllocationResult{
+					{
+						Driver:      driverName,
+						Pool:        "some-pool",
+						Device:      "some-device",
+						Request:     "my-request",
+						ShareID:     ptr.To(uuid.NewUUID()),
+						AdminAccess: ptr.To(false),
+					},
+					{
+						Driver:      driverName,
+						Pool:        "some-pool",
+						Device:      "some-device",
+						Request:     "my-request",
+						ShareID:     ptr.To(uuid.NewUUID()),
+						AdminAccess: ptr.To(false),
+					},
+				},
+				),
+			)
+
+		})
 	})
 })
 
@@ -981,7 +1174,7 @@ func withHealthService(enabled bool) pluginOption {
 }
 
 // Run Kubelet plugin and wait until it's registered
-func newKubeletPlugin(ctx context.Context, clientSet kubernetes.Interface, nodeName, driverName string, options ...pluginOption) *testdriver.ExamplePlugin {
+func newKubeletPlugin(ctx context.Context, clientSet kubernetes.Interface, testNamespace string, nodeName, driverName string, options ...pluginOption) *testdriver.ExamplePlugin {
 	ginkgo.By("start Kubelet plugin")
 	logger := klog.LoggerWithValues(klog.LoggerWithName(klog.Background(), "DRA kubelet plugin "+driverName), "node", nodeName)
 	ctx = klog.NewContext(ctx, logger)
@@ -1003,7 +1196,7 @@ func newKubeletPlugin(ctx context.Context, clientSet kubernetes.Interface, nodeN
 	}
 
 	plugin, err := testdriver.StartPlugin(
-		ctx,
+		context.WithoutCancel(ctx), // Stopping is handled in draServiceCleanup.
 		cdiDir,
 		driverName,
 		clientSet,
@@ -1027,14 +1220,9 @@ func newKubeletPlugin(ctx context.Context, clientSet kubernetes.Interface, nodeN
 	)
 	framework.ExpectNoError(err)
 
-	gomega.Eventually(plugin.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
+	ginkgo.DeferCleanup(func(ctx context.Context) { draServiceCleanup(ctx, clientSet, driverName, testNamespace, plugin) })
 
-	ginkgo.DeferCleanup(func(ctx context.Context) {
-		// kubelet should do this eventually, but better make sure.
-		// A separate test checks this explicitly.
-		framework.ExpectNoError(clientSet.ResourceV1().ResourceSlices().DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{FieldSelector: resourceapi.ResourceSliceSelectorDriver + "=" + driverName}))
-	})
-	ginkgo.DeferCleanup(plugin.Stop)
+	gomega.Eventually(plugin.GetGRPCCalls).WithTimeout(pluginRegistrationTimeout).Should(testdrivergomega.BeRegistered)
 
 	return plugin
 }
@@ -1053,7 +1241,7 @@ func newRegistrar(ctx context.Context, clientSet kubernetes.Interface, nodeName,
 	allOpts = append(allOpts, opts...)
 
 	registrar, err := testdriver.StartPlugin(
-		ctx,
+		context.WithoutCancel(ctx), // It gets stopped during test cleanup or when requested earlier.
 		cdiDir,
 		driverName,
 		clientSet,
@@ -1062,6 +1250,7 @@ func newRegistrar(ctx context.Context, clientSet kubernetes.Interface, nodeName,
 		allOpts...,
 	)
 	framework.ExpectNoError(err, "start only Kubelet plugin registrar")
+	ginkgo.DeferCleanup(registrar.Stop)
 	return registrar
 }
 
@@ -1080,7 +1269,7 @@ func newRegistrar(ctx context.Context, clientSet kubernetes.Interface, nodeName,
 //
 // Returns:
 //   - A pointer to the started ExamplePlugin instance.
-func newDRAService(ctx context.Context, clientSet kubernetes.Interface, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin {
+func newDRAService(ctx context.Context, clientSet kubernetes.Interface, testNamespace, nodeName, driverName, datadir string, opts ...any) *testdriver.ExamplePlugin {
 	ginkgo.By("start only Kubelet plugin")
 	logger := klog.LoggerWithValues(klog.LoggerWithName(klog.Background(), "kubelet plugin "+driverName), "node", nodeName)
 	ctx = klog.NewContext(ctx, logger)
@@ -1106,7 +1295,7 @@ func newDRAService(ctx context.Context, clientSet kubernetes.Interface, nodeName
 	framework.ExpectNoError(err, "create DRA socket directory")
 
 	plugin, err := testdriver.StartPlugin(
-		ctx,
+		context.WithoutCancel(ctx), // Stopping is handled in draServiceCleanup.
 		cdiDir,
 		driverName,
 		clientSet,
@@ -1130,14 +1319,44 @@ func newDRAService(ctx context.Context, clientSet kubernetes.Interface, nodeName
 	)
 	framework.ExpectNoError(err)
 
-	ginkgo.DeferCleanup(func(ctx context.Context) {
+	ginkgo.DeferCleanup(func(ctx context.Context) { draServiceCleanup(ctx, clientSet, driverName, testNamespace, plugin) })
+
+	return plugin
+}
+
+func draServiceCleanup(ctx context.Context, clientSet kubernetes.Interface, driverName string, testNamespace string, plugin *testdriver.ExamplePlugin) {
+	// Always stop at the end, even in the case of failures.
+	defer func() {
+		ginkgo.By("Stopping the driver and deleting ResourceSlices...")
+		plugin.Stop()
+
 		// kubelet should do this eventually, but better make sure.
 		// A separate test checks this explicitly.
 		framework.ExpectNoError(clientSet.ResourceV1().ResourceSlices().DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{FieldSelector: resourceapi.ResourceSliceSelectorDriver + "=" + driverName}))
-	})
-	ginkgo.DeferCleanup(plugin.Stop)
-
-	return plugin
+	}()
+
+	// Some test was leaking an in-use ResourceClaim
+	// (https://github.com/kubernetes/kubernetes/issues/133304) because it
+	// didn't delete its pod before the driver shutdown. The namespace
+	// deletion usually takes care of this, but that happens later and
+	// without the driver the pods stay pending. Therefore we delete all of
+	// the pods in the test namespace *before* proceeding with the driver
+	// shutdown.
+	ginkgo.By("Deleting pods and waiting for ResourceClaims to be released...")
+	framework.ExpectNoError(clientSet.CoreV1().Pods(testNamespace).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{}))
+
+	// Failing here is a bit more obvious than in the metric check below.
+	// The metrics get checked, too, because we want to be certain that those go down.
+	gomega.Eventually(ctx, framework.ListObjects(clientSet.CoreV1().Pods(testNamespace).List, metav1.ListOptions{})).Should(gomega.HaveField("Items", gomega.BeEmpty()), "All pods should be deleted, shut down and removed.")
+
+	// We allow for a delay because it takes a while till the kubelet fully deals with pod deletion.
+	// Typically there is no dra_resource_claims_in_use entry for the driver (covered by gstruct.IgnoreMissing).
+	// If there is one, it must be zero.
+	gomega.Eventually(ctx, getKubeletMetrics).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
+		"dra_resource_claims_in_use": gstruct.MatchElements(driverNameLabelKey, gstruct.IgnoreExtras|gstruct.IgnoreMissing, gstruct.Elements{
+			driverName: timelessSample(0),
+		}),
+	}), "The test should have deleted all pods.\nInstead some claims prepared by the driver %s are still in use at the time when the driver gets uninstalled.", driverName)
 }
 
 // createTestObjects creates objects required by the test
@@ -1146,7 +1365,8 @@ func newDRAService(ctx context.Context, clientSet kubernetes.Interface, nodeName
 // and placed on the node without involving the scheduler and the DRA controller.
 //
 // Instead adding more parameters, the podName determines what the pod does.
-func createTestObjects(ctx context.Context, clientSet kubernetes.Interface, nodename, namespace, className, claimName, podName string, deferPodDeletion bool, driverNames []string) *v1.Pod {
+func createTestObjects(ctx context.Context, clientSet kubernetes.Interface, nodename, namespace, className, claimName, podName string, deferPodDeletion bool, driverNames []string,
+	deviceRequestResults ...resourceapi.DeviceRequestAllocationResult) *v1.Pod {
 	// DeviceClass
 	class := &resourceapi.DeviceClass{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1234,17 +1454,28 @@ func createTestObjects(ctx context.Context, clientSet kubernetes.Interface, node
 
 	// Update claim status: set ReservedFor and AllocationResult
 	// NOTE: This is usually done by the DRA controller or the scheduler.
-	results := make([]resourceapi.DeviceRequestAllocationResult, len(driverNames))
+
+	var results []resourceapi.DeviceRequestAllocationResult
+	if len(deviceRequestResults) > 0 {
+		// Specify DeviceRequestAllocationResult to test specific condition of allocation result such as ShareID
+		results = deviceRequestResults
+	} else {
+		// Generate `some-device` DeviceRequestAllocationResult for each driver
+		results = make([]resourceapi.DeviceRequestAllocationResult, len(driverNames))
+		for i, driverName := range driverNames {
+			results[i] = resourceapi.DeviceRequestAllocationResult{
+				Driver:      driverName,
+				Pool:        "some-pool",
+				Device:      "some-device",
+				Request:     claim.Spec.Devices.Requests[0].Name,
+				AdminAccess: ptr.To(false),
+			}
+		}
+	}
+
 	config := make([]resourceapi.DeviceAllocationConfiguration, len(driverNames))
 
 	for i, driverName := range driverNames {
-		results[i] = resourceapi.DeviceRequestAllocationResult{
-			Driver:      driverName,
-			Pool:        "some-pool",
-			Device:      "some-device",
-			Request:     claim.Spec.Devices.Requests[0].Name,
-			AdminAccess: ptr.To(false),
-		}
 		config[i] = resourceapi.DeviceAllocationConfiguration{
 			Source: resourceapi.AllocationConfigSourceClaim,
 			DeviceConfiguration: resourceapi.DeviceConfiguration{
@@ -1373,10 +1604,10 @@ func createHealthTestPodAndClaim(ctx context.Context, f *framework.Framework, dr
 	}
 	_, err := f.ClientSet.ResourceV1().DeviceClasses().Create(ctx, dc, metav1.CreateOptions{})
 	framework.ExpectNoError(err, "failed to create DeviceClass "+className)
-	ginkgo.DeferCleanup(func() {
-		err := f.ClientSet.ResourceV1().ResourceClaims(f.Namespace.Name).Delete(context.Background(), claimName, metav1.DeleteOptions{})
+	ginkgo.DeferCleanup(func(ctx context.Context) {
+		err := f.ClientSet.ResourceV1().DeviceClasses().Delete(ctx, className, metav1.DeleteOptions{})
 		if err != nil && !apierrors.IsNotFound(err) {
-			framework.Failf("Failed to delete ResourceClaim %s: %v", claimName, err)
+			framework.Failf("Failed to delete DeviceClass %s: %v", className, err)
 		}
 	})
 	ginkgo.By(fmt.Sprintf("Creating ResourceClaim %q", claimName))
@@ -1398,8 +1629,8 @@ func createHealthTestPodAndClaim(ctx context.Context, f *framework.Framework, dr
 
 	_, err = f.ClientSet.ResourceV1().ResourceClaims(f.Namespace.Name).Create(ctx, claim, metav1.CreateOptions{})
 	framework.ExpectNoError(err, "failed to create ResourceClaim "+claimName)
-	ginkgo.DeferCleanup(func() {
-		err := f.ClientSet.ResourceV1().ResourceClaims(f.Namespace.Name).Delete(context.Background(), claimName, metav1.DeleteOptions{})
+	ginkgo.DeferCleanup(func(ctx context.Context) {
+		err := f.ClientSet.ResourceV1().ResourceClaims(f.Namespace.Name).Delete(ctx, claimName, metav1.DeleteOptions{})
 		if err != nil && !apierrors.IsNotFound(err) {
 			framework.Failf("Failed to delete ResourceClaim %s: %v", claimName, err)
 		}
@@ -1431,10 +1662,22 @@ func createHealthTestPodAndClaim(ctx context.Context, f *framework.Framework, dr
 	// Create the pod on the API server to assign the real UID.
 	createdPod, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Create(ctx, pod, metav1.CreateOptions{})
 	framework.ExpectNoError(err, "failed to create Pod "+podName)
-	ginkgo.DeferCleanup(func() {
-		e2epod.DeletePodOrFail(context.Background(), f.ClientSet, createdPod.Namespace, createdPod.Name)
+	ginkgo.DeferCleanup(func(ctx context.Context) {
+		e2epod.DeletePodOrFail(ctx, f.ClientSet, createdPod.Namespace, createdPod.Name)
 	})
 
+	// Patch the Pod's status to include the ResourceClaimStatuses, mimicking the scheduler.
+	patch, err := json.Marshal(v1.Pod{
+		Status: v1.PodStatus{
+			ResourceClaimStatuses: []v1.PodResourceClaimStatus{
+				{Name: claimName, ResourceClaimName: &claimName},
+			},
+		},
+	})
+	framework.ExpectNoError(err, "failed to marshal patch for Pod status")
+	_, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Patch(ctx, createdPod.Name, apitypes.StrategicMergePatchType, patch, metav1.PatchOptions{}, "status")
+	framework.ExpectNoError(err, "failed to patch Pod status with ResourceClaimStatuses")
+
 	ginkgo.By(fmt.Sprintf("Allocating claim %q to pod %q with its real UID", claimName, podName))
 	// Get the created claim to ensure the latest version before updating.
 	claimToUpdate, err := f.ClientSet.ResourceV1().ResourceClaims(f.Namespace.Name).Get(ctx, claimName, metav1.GetOptions{})
@@ -1504,3 +1747,50 @@ func (l *errorOnCloseListener) Close() error {
 func (*errorOnCloseListener) Addr() net.Addr {
 	return &net.UnixAddr{Name: "errorOnCloseListener", Net: "unix"}
 }
+
+// driverNameLabelKey maps metric samples to their driver_name label value.
+// Used with gstruct.MatchAllElements.
+func driverNameLabelKey(element any) string {
+	el := element.(*testutil.Sample)
+	return string(el.Metric[testutil.LabelName("driver_name")])
+}
+
+// countingListener is a wrapper around net.Listener that counts the number of times
+// Accept method is called. It embeds a net.Listener and uses atomic counters
+// to safely track the number of accept operations.
+type countingListener struct {
+	net.Listener
+	acceptCalls atomic.Int32
+}
+
+// newCountingListener creates a new Unix domain socket listener
+// wrapped in a countingListener to track accepted connections.
+func newCountingListener(socketPath string) (*countingListener, error) {
+	addr, err := net.ResolveUnixAddr("unix", socketPath)
+	if err != nil {
+		return nil, err
+	}
+
+	l, err := net.ListenUnix("unix", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	return &countingListener{Listener: l}, nil
+}
+
+// Accept waits for and returns the accepted connection.
+// It increments the acceptCalls counter each time the call succeeded.
+func (l *countingListener) Accept() (net.Conn, error) {
+	conn, err := l.Listener.Accept()
+	if err == nil {
+		l.acceptCalls.Add(1)
+	}
+	return conn, err
+}
+
+// acceptCount returns the number of times the accept method
+// has been called on the listener.
+func (l *countingListener) acceptCount() int {
+	return int(l.acceptCalls.Load())
+}
diff --git a/test/e2e_node/e2e_node_suite_test.go b/test/e2e_node/e2e_node_suite_test.go
index 270db0de0a927..4e6b2f03e0dee 100644
--- a/test/e2e_node/e2e_node_suite_test.go
+++ b/test/e2e_node/e2e_node_suite_test.go
@@ -437,16 +437,6 @@ func loadSystemSpecFromFile(filename string) (*system.SysSpec, error) {
 	return spec, nil
 }
 
-// isNodeReady returns true if a node is ready; false otherwise.
-func isNodeReady(node *v1.Node) bool {
-	for _, c := range node.Status.Conditions {
-		if c.Type == v1.NodeReady {
-			return c.Status == v1.ConditionTrue
-		}
-	}
-	return false
-}
-
 func setExtraEnvs() {
 	for name, value := range framework.TestContext.ExtraEnvs {
 		os.Setenv(name, value)
diff --git a/test/e2e_node/eviction_test.go b/test/e2e_node/eviction_test.go
index 383d3a8ed5da4..4081f4c973c4e 100644
--- a/test/e2e_node/eviction_test.go
+++ b/test/e2e_node/eviction_test.go
@@ -73,19 +73,19 @@ const (
 var _ = SIGDescribe("InodeEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("inode-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := resourceInodes
-	pressureTimeout := 15 * time.Minute
-	inodesConsumed := uint64(200000)
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = resourceInodes
+	const pressureTimeout = 15 * time.Minute
+	const inodesToThreshold = uint64(100000)
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			// Set the eviction threshold to inodesFree - inodesConsumed, so that using inodesConsumed causes an eviction.
+			// Set the eviction threshold to inodesFree - inodesToThreshold, so that using inodesToThreshold causes an eviction.
 			summary := eventuallyGetSummary(ctx)
 			inodesFree := *summary.Node.Fs.InodesFree
-			if inodesFree <= inodesConsumed {
+			if inodesFree <= inodesToThreshold {
 				e2eskipper.Skipf("Too few inodes free on the host for the InodeEviction test to run")
 			}
-			initialConfig.EvictionHard = map[string]string{string(evictionapi.SignalNodeFsInodesFree): fmt.Sprintf("%d", inodesFree-inodesConsumed)}
+			initialConfig.EvictionHard = map[string]string{string(evictionapi.SignalNodeFsInodesFree): fmt.Sprintf("%d", inodesFree-inodesToThreshold)}
 			initialConfig.EvictionMinimumReclaim = map[string]string{}
 		})
 		runEvictionTest(f, pressureTimeout, expectedNodeCondition, expectedStarvedResource, logInodeMetrics, []podEvictSpec{
@@ -93,7 +93,7 @@ var _ = SIGDescribe("InodeEviction", framework.WithSlow(), framework.WithSerial(
 				evictionPriority: 1,
 				// TODO(#127864): Container runtime may not immediate free up the resources after the pod eviction,
 				// causing the test to fail. We provision an emptyDir volume to avoid relying on the runtime behavior.
-				pod: inodeConsumingPod("volume-inode-hog", lotsOfFiles, &v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{}}),
+				pod: inodeConsumingPod("volume-inode-hog", lotsOfFiles, &v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{}}, true),
 			},
 			{
 				evictionPriority: 0,
@@ -107,14 +107,14 @@ var _ = SIGDescribe("InodeEviction", framework.WithSlow(), framework.WithSerial(
 // by reclaiming resources(inodes) through image garbage collection.
 // Disk pressure is induced by consuming a lot of inodes on the node.
 // Images are pre-pulled before running the test workload to ensure
-// that the image garbage collerctor can remove them to avoid eviction.
+// that the image garbage collector can remove them to avoid eviction.
 var _ = SIGDescribe("ImageGCNoEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("image-gc-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	pressureTimeout := 10 * time.Minute
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := resourceInodes
-	inodesConsumed := uint64(100000)
+	const pressureTimeout = 10 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = resourceInodes
+	const inodesToThreshold = uint64(100000)
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		prepull := func(ctx context.Context) {
 			// Prepull images for image garbage collector to remove them
@@ -128,22 +128,74 @@ var _ = SIGDescribe("ImageGCNoEviction", framework.WithSlow(), framework.WithSer
 		}
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			// Set the eviction threshold to inodesFree - inodesConsumed, so that using inodesConsumed causes an eviction.
+			// Set the eviction threshold to inodesFree - inodesToThreshold, so that using inodesToThreshold causes an eviction.
 			summary := eventuallyGetSummary(ctx)
 			inodesFree := *summary.Node.Fs.InodesFree
-			if inodesFree <= inodesConsumed {
+			if inodesFree <= inodesToThreshold {
 				e2eskipper.Skipf("Too few inodes free on the host for the InodeEviction test to run")
 			}
-			framework.Logf("Setting eviction threshold to %d inodes", inodesFree-inodesConsumed)
-			initialConfig.EvictionHard = map[string]string{string(evictionapi.SignalNodeFsInodesFree): fmt.Sprintf("%d", inodesFree-inodesConsumed)}
+			framework.Logf("Setting eviction threshold to %d inodes", inodesFree-inodesToThreshold)
+			initialConfig.EvictionHard = map[string]string{string(evictionapi.SignalNodeFsInodesFree): fmt.Sprintf("%d", inodesFree-inodesToThreshold)}
 			initialConfig.EvictionMinimumReclaim = map[string]string{}
 		})
 		// Consume enough inodes to induce disk pressure,
 		// but expect that image garbage collection can reduce it enough to avoid an eviction
-		runEvictionTest(f, pressureTimeout, expectedNodeCondition, expectedStarvedResource, logDiskMetrics, []podEvictSpec{
+		runEvictionTest(f, pressureTimeout, expectedNodeCondition, expectedStarvedResource, logInodeMetrics, []podEvictSpec{
 			{
 				evictionPriority: 0,
-				pod:              inodeConsumingPod("container-inode", 110000, nil),
+				pod:              inodeConsumingPod("container-inode", 110000, nil, true),
+			},
+		})
+	})
+})
+
+// ImageGCTerminatedPodsContainersCleanup tests that the node responds to disk
+// pressure by cleaning up containers from terminated pods without evicting
+// running pods, when reclaiming their resources freed enough space to eliminate
+// the disk pressure
+// Disk pressure is induced by pulling large images
+var _ = SIGDescribe("ImageGCTerminatedPodsContainersCleanup", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
+	f := framework.NewDefaultFramework("image-gc-terminated-pods-containers-cleanup-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	const pressureTimeout = 10 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = resourceInodes
+	const inodesToThreshold = uint64(50000)
+
+	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
+		prepull := func(ctx context.Context) {
+			// Prepull images for image garbage collector to remove them
+			// when reclaiming resources
+			err := PrePullAllImages(ctx)
+			gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
+		}
+		ginkgo.BeforeEach(prepull)
+		if framework.TestContext.PrepullImages {
+			ginkgo.AfterEach(prepull)
+		}
+
+		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
+			// Set the eviction threshold to inodesFree - inodesToThreshold, so that using inodesToThreshold causes an eviction.
+			summary := eventuallyGetSummary(ctx)
+			inodesFree := *summary.Node.Fs.InodesFree
+			if inodesFree <= inodesToThreshold {
+				e2eskipper.Skipf("Too few inodes free on the host for the InodeEviction test to run")
+			}
+			framework.Logf("Setting eviction threshold to %d inodes", inodesFree-inodesToThreshold)
+			initialConfig.EvictionHard = map[string]string{string(evictionapi.SignalNodeFsInodesFree): fmt.Sprintf("%d", inodesFree-inodesToThreshold)}
+			initialConfig.EvictionMinimumReclaim = map[string]string{}
+		})
+		runEvictionTest(f, pressureTimeout, expectedNodeCondition, expectedStarvedResource, logInodeMetrics, []podEvictSpec{
+			// Setting the volume as nil, will make the file to be written to the
+			// container writable layer, which defaults to using the node's root fs.
+			{
+				evictionPriority: 0,
+				pod:              inodeConsumingPod("disk-hog", 30000, nil, false),
+				expectToSucceed:  true,
+			},
+			{
+				evictionPriority: 0,
+				pod:              inodeConsumingPod("container-inode", 30000, &v1.VolumeSource{EmptyDir: &v1.EmptyDirVolumeSource{}}, true),
 			},
 		})
 	})
@@ -154,9 +206,9 @@ var _ = SIGDescribe("ImageGCNoEviction", framework.WithSlow(), framework.WithSer
 var _ = SIGDescribe("MemoryAllocatableEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("memory-allocatable-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeMemoryPressure
-	expectedStarvedResource := v1.ResourceMemory
-	pressureTimeout := 10 * time.Minute
+	const expectedNodeCondition = v1.NodeMemoryPressure
+	const expectedStarvedResource = v1.ResourceMemory
+	const pressureTimeout = 10 * time.Minute
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			// Set large system and kube reserved values to trigger allocatable thresholds far before hard eviction thresholds.
@@ -188,9 +240,9 @@ var _ = SIGDescribe("MemoryAllocatableEviction", framework.WithSlow(), framework
 var _ = SIGDescribe("MemoryAllocatableEvictionPodLevelResources", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.PodLevelResources, func() {
 	f := framework.NewDefaultFramework("memory-allocatable-eviction-test-pod-level-resources")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeMemoryPressure
-	expectedStarvedResource := v1.ResourceMemory
-	pressureTimeout := 10 * time.Minute
+	const expectedNodeCondition = v1.NodeMemoryPressure
+	const expectedStarvedResource = v1.ResourceMemory
+	const pressureTimeout = 10 * time.Minute
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			// Set large system and kube reserved values to trigger allocatable thresholds far before hard eviction thresholds.
@@ -222,9 +274,9 @@ var _ = SIGDescribe("MemoryAllocatableEvictionPodLevelResources", framework.With
 var _ = SIGDescribe("LocalStorageEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("localstorage-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	pressureTimeout := 15 * time.Minute
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := v1.ResourceEphemeralStorage
+	const pressureTimeout = 15 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = v1.ResourceEphemeralStorage
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -263,9 +315,9 @@ var _ = SIGDescribe("LocalStorageEviction", framework.WithSlow(), framework.With
 var _ = SIGDescribe("LocalStorageSoftEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("localstorage-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	pressureTimeout := 10 * time.Minute
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := v1.ResourceEphemeralStorage
+	const pressureTimeout = 10 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = v1.ResourceEphemeralStorage
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			diskConsumed := resource.MustParse("4Gi")
@@ -301,12 +353,12 @@ var _ = SIGDescribe("LocalStorageSoftEviction", framework.WithSlow(), framework.
 var _ = SIGDescribe("LocalStorageSoftEvictionNotOverwriteTerminationGracePeriodSeconds", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("localstorage-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	pressureTimeout := 10 * time.Minute
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := v1.ResourceEphemeralStorage
+	const pressureTimeout = 10 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = v1.ResourceEphemeralStorage
 
-	evictionMaxPodGracePeriod := 30
-	evictionSoftGracePeriod := 30
+	const evictionMaxPodGracePeriod = 30
+	const evictionSoftGracePeriod = 30
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			diskConsumed := resource.MustParse("4Gi")
@@ -340,7 +392,7 @@ var _ = SIGDescribe("LocalStorageSoftEvictionNotOverwriteTerminationGracePeriodS
 var _ = SIGDescribe("LocalStorageCapacityIsolationEviction", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.LocalStorageCapacityIsolationQuota, feature.Eviction, func() {
 	f := framework.NewDefaultFramework("localstorage-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	evictionTestTimeout := 10 * time.Minute
+	const evictionTestTimeout = 10 * time.Minute
 	ginkgo.Context(fmt.Sprintf(testContextFmt, "evictions due to pod local storage violations"), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			// setting a threshold to 0% disables; non-empty map overrides default value (necessary due to omitempty)
@@ -368,7 +420,7 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationEviction", framework.WithSlow(
 					v1.ResourceRequirements{Limits: containerLimit}),
 			},
 			{
-				evictionPriority: 0, // This pod should not be evicted because MemoryBackedVolumes cannot use more space than is allocated to them since SizeMemoryBackedVolumes was enabled
+				evictionPriority: 0, // This pod should not be evicted because MemoryBackedVolumes cannot use more space than is allocated to them
 				pod: diskConsumingPod("emptydir-memory-sizelimit", useOverLimit, &v1.VolumeSource{
 					EmptyDir: &v1.EmptyDirVolumeSource{Medium: "Memory", SizeLimit: &sizeLimit},
 				}, v1.ResourceRequirements{}),
@@ -393,12 +445,12 @@ var _ = SIGDescribe("LocalStorageCapacityIsolationEviction", framework.WithSlow(
 var _ = SIGDescribe("PriorityMemoryEvictionOrdering", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("priority-memory-eviction-ordering-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeMemoryPressure
-	expectedStarvedResource := v1.ResourceMemory
-	pressureTimeout := 10 * time.Minute
+	const expectedNodeCondition = v1.NodeMemoryPressure
+	const expectedStarvedResource = v1.ResourceMemory
+	const pressureTimeout = 10 * time.Minute
 
 	highPriorityClassName := f.BaseName + "-high-priority"
-	highPriority := int32(999999999)
+	const highPriority = int32(999999999)
 
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -471,12 +523,12 @@ var _ = SIGDescribe("PriorityMemoryEvictionOrdering", framework.WithSlow(), fram
 var _ = SIGDescribe("PriorityMemoryEvictionOrderingPodLevelResources", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.PodLevelResources, func() {
 	f := framework.NewDefaultFramework("priority-memory-eviction-ordering-test-pod-level-resources")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeMemoryPressure
-	expectedStarvedResource := v1.ResourceMemory
-	pressureTimeout := 10 * time.Minute
+	const expectedNodeCondition = v1.NodeMemoryPressure
+	const expectedStarvedResource = v1.ResourceMemory
+	const pressureTimeout = 10 * time.Minute
 
 	highPriorityClassName := f.BaseName + "-high-priority"
-	highPriority := int32(999999999)
+	const highPriority = int32(999999999)
 
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -538,12 +590,12 @@ var _ = SIGDescribe("PriorityMemoryEvictionOrderingPodLevelResources", framework
 var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("priority-disk-eviction-ordering-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	expectedNodeCondition := v1.NodeDiskPressure
-	expectedStarvedResource := v1.ResourceEphemeralStorage
-	pressureTimeout := 15 * time.Minute
+	const expectedNodeCondition = v1.NodeDiskPressure
+	const expectedStarvedResource = v1.ResourceEphemeralStorage
+	const pressureTimeout = 15 * time.Minute
 
 	highPriorityClassName := f.BaseName + "-high-priority"
-	highPriority := int32(999999999)
+	const highPriority = int32(999999999)
 
 	ginkgo.Context(fmt.Sprintf(testContextFmt, expectedNodeCondition), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
@@ -601,16 +653,16 @@ var _ = SIGDescribe("PriorityLocalStorageEvictionOrdering", framework.WithSlow()
 var _ = SIGDescribe("PriorityPidEvictionOrdering", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.Eviction, func() {
 	f := framework.NewDefaultFramework("pidpressure-eviction-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
-	pressureTimeout := 10 * time.Minute
-	expectedNodeCondition := v1.NodePIDPressure
-	expectedStarvedResource := noStarvedResource
+	const pressureTimeout = 10 * time.Minute
+	const expectedNodeCondition = v1.NodePIDPressure
+	const expectedStarvedResource = noStarvedResource
 
 	highPriorityClassName := f.BaseName + "-high-priority"
-	highPriority := int32(999999999)
+	const highPriority = int32(999999999)
 	// Apparently there is a threshold at around 10,000+. If it's over the threshold,
 	// the processes are likely to be oom-killed instead of evicted.
 	// One test can have at most two pidConsumingPods at a time not to cause oom-kill.
-	processes := 5000
+	const processes = 5000
 
 	// if criStats is true, PodAndContainerStatsFromCRI will use data from cri instead of cadvisor for kubelet to get pid count of pods
 	for _, criStats := range []bool{true, false} {
@@ -686,6 +738,7 @@ type podEvictSpec struct {
 	evictionPriority           int
 	pod                        *v1.Pod
 	wantPodDisruptionCondition *v1.PodConditionType
+	expectToSucceed            bool
 
 	evictionMaxPodGracePeriod int
 	evictionSoftGracePeriod   int
@@ -713,13 +766,35 @@ func runEvictionTest(f *framework.Framework, pressureTimeout time.Duration, expe
 			time.Sleep(30 * time.Second)
 			ginkgo.By("setting up pods to be used by tests")
 			pods := []*v1.Pod{}
+			podsToSucceed := []*v1.Pod{}
 			for _, spec := range testSpecs {
 				if spec.prePodCreationModificationFunc != nil {
 					spec.prePodCreationModificationFunc(ctx, spec.pod)
 				}
+				if spec.expectToSucceed {
+					podsToSucceed = append(podsToSucceed, spec.pod)
+					continue
+				}
 				pods = append(pods, spec.pod)
 			}
-			e2epod.NewPodClient(f).CreateBatch(ctx, pods)
+
+			e2ePodClient := e2epod.NewPodClient(f)
+
+			// Create all expected pods and wait for them to succeed.
+			// CreateBatch was not used to prevent a race condition because of
+			// underlying call to CreateSync, which may fail if the wait function
+			// misses to see the pod readiness before it terminates.
+			for _, pod := range podsToSucceed {
+				*pod = *e2ePodClient.Create(ctx, pod)
+			}
+
+			ginkgo.By(fmt.Sprintf("Waiting for the expected pods to complete: %v", podsToSucceed))
+			for _, pod := range podsToSucceed {
+				framework.ExpectNoError(e2epod.WaitForPodSuccessInNamespace(ctx, f.ClientSet, pod.Name, pod.Namespace))
+			}
+
+			// Create all other pods after expected to succeed pods terminated
+			e2ePodClient.CreateBatch(ctx, pods)
 		})
 
 		ginkgo.It("should eventually evict all of the correct pods", func(ctx context.Context) {
@@ -855,8 +930,10 @@ func verifyEvictionOrdering(ctx context.Context, f *framework.Framework, testSpe
 			}
 		}
 		gomega.Expect(priorityPod).NotTo(gomega.BeNil())
-		gomega.Expect(priorityPod.Status.Phase).ToNot(gomega.Equal(v1.PodSucceeded),
-			fmt.Sprintf("pod: %s succeeded unexpectedly", priorityPod.Name))
+		if !priorityPodSpec.expectToSucceed {
+			gomega.Expect(priorityPod.Status.Phase).ToNot(gomega.Equal(v1.PodSucceeded),
+				fmt.Sprintf("pod: %s succeeded unexpectedly", priorityPod.Name))
+		}
 
 		// Check eviction ordering.
 		// Note: it is alright for a priority 1 and priority 2 pod (for example) to fail in the same round,
@@ -1185,13 +1262,13 @@ const (
 	volumeName      = "test-volume"
 )
 
-func inodeConsumingPod(name string, numFiles int, volumeSource *v1.VolumeSource) *v1.Pod {
+func inodeConsumingPod(name string, numFiles int, volumeSource *v1.VolumeSource, sleepAfterExecuting bool) *v1.Pod {
 	path := ""
 	if volumeSource != nil {
 		path = volumeMountPath
 	}
 	// Each iteration creates an empty file
-	return podWithCommand(volumeSource, v1.ResourceRequirements{}, numFiles, name, fmt.Sprintf("touch %s${i}.txt; sleep 0.001;", filepath.Join(path, "file")))
+	return podWithCommand(volumeSource, v1.ResourceRequirements{}, numFiles, name, fmt.Sprintf("touch %s${i}.txt; sleep 0.001;", filepath.Join(path, "file")), sleepAfterExecuting)
 }
 
 func diskConsumingPod(name string, diskConsumedMB int, volumeSource *v1.VolumeSource, resources v1.ResourceRequirements) *v1.Pod {
@@ -1200,17 +1277,17 @@ func diskConsumingPod(name string, diskConsumedMB int, volumeSource *v1.VolumeSo
 		path = volumeMountPath
 	}
 	// Each iteration writes 1 Mb, so do diskConsumedMB iterations.
-	return podWithCommand(volumeSource, resources, diskConsumedMB, name, fmt.Sprintf("dd if=/dev/urandom of=%s${i} bs=1048576 count=1 2>/dev/null; sleep .1;", filepath.Join(path, "file")))
+	return podWithCommand(volumeSource, resources, diskConsumedMB, name, fmt.Sprintf("dd if=/dev/urandom of=%s${i} bs=1048576 count=1 2>/dev/null; sleep .1;", filepath.Join(path, "file")), true)
 }
 
 func pidConsumingPod(name string, numProcesses int) *v1.Pod {
 	// Slowing down the iteration speed to prevent a race condition where eviction may occur
 	// before the correct number of processes is captured in the stats during a sudden surge in processes.
-	return podWithCommand(nil, v1.ResourceRequirements{}, numProcesses, name, "/bin/sleep 0.01; (/bin/sleep 3600)&")
+	return podWithCommand(nil, v1.ResourceRequirements{}, numProcesses, name, "/bin/sleep 0.01; (/bin/sleep 3600)&", true)
 }
 
 // podWithCommand returns a pod with the provided volumeSource and resourceRequirements.
-func podWithCommand(volumeSource *v1.VolumeSource, resources v1.ResourceRequirements, iterations int, name, command string) *v1.Pod {
+func podWithCommand(volumeSource *v1.VolumeSource, resources v1.ResourceRequirements, iterations int, name, command string, sleepAfterExecuting bool) *v1.Pod {
 	// Due to https://github.com/kubernetes/kubernetes/issues/115819,
 	// When evictionHard to used, we were setting grace period to 0 which meant the default setting (30 seconds)
 	// This could help with flakiness as we should send sigterm right away.
@@ -1221,6 +1298,7 @@ func podWithCommand(volumeSource *v1.VolumeSource, resources v1.ResourceRequirem
 		volumeMounts = []v1.VolumeMount{{MountPath: volumeMountPath, Name: volumeName}}
 		volumes = []v1.Volume{{Name: volumeName, VolumeSource: *volumeSource}}
 	}
+
 	return &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("%s-pod", name)},
 		Spec: v1.PodSpec{
@@ -1233,7 +1311,7 @@ func podWithCommand(volumeSource *v1.VolumeSource, resources v1.ResourceRequirem
 					Command: []string{
 						"sh",
 						"-c",
-						fmt.Sprintf("i=0; while [ $i -lt %d ]; do %s i=$(($i+1)); done; while true; do sleep 5; done", iterations, command),
+						fmt.Sprintf("i=0; while [ $i -lt %d ]; do %s i=$(($i+1)); done; while %v; do sleep 5; done", iterations, command, sleepAfterExecuting),
 					},
 					Resources:    resources,
 					VolumeMounts: volumeMounts,
diff --git a/test/e2e_node/garbage_collector_test.go b/test/e2e_node/garbage_collector_test.go
index 5a11a109e22b1..60c388167ba65 100644
--- a/test/e2e_node/garbage_collector_test.go
+++ b/test/e2e_node/garbage_collector_test.go
@@ -27,7 +27,6 @@ import (
 	internalapi "k8s.io/cri-api/pkg/apis"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/kubelet/pkg/types"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -73,7 +72,7 @@ type testRun struct {
 
 // GarbageCollect tests that the Kubelet conforms to the Kubelet Garbage Collection Policy, found here:
 // http://kubernetes.io/docs/admin/garbage-collection/
-var _ = SIGDescribe("GarbageCollect", framework.WithSerial(), feature.GarbageCollect, func() {
+var _ = SIGDescribe("GarbageCollect", framework.WithSerial(), framework.WithNodeConformance(), func() {
 	f := framework.NewDefaultFramework("garbage-collect-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 	containerNamePrefix := "gc-test-container-"
diff --git a/test/e2e_node/image_credential_pulls.go b/test/e2e_node/image_credential_pulls.go
new file mode 100644
index 0000000000000..28937dc803edd
--- /dev/null
+++ b/test/e2e_node/image_credential_pulls.go
@@ -0,0 +1,101 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"context"
+	"path"
+
+	"github.com/onsi/ginkgo/v2"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	internalapi "k8s.io/cri-api/pkg/apis"
+	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/kubernetes/pkg/features"
+	admissionapi "k8s.io/pod-security-admission/api"
+
+	e2ecommonnode "k8s.io/kubernetes/test/e2e/common/node"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2eregistry "k8s.io/kubernetes/test/e2e/framework/registry"
+)
+
+var _ = SIGDescribe("Ensure Credential Pulled Images", func() {
+	f := framework.NewDefaultFramework("ensure-credential-pulled-images")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	var is internalapi.ImageManagerService
+
+	framework.Describe("pulling images with credentials", framework.WithFeatureGate(features.KubeletEnsureSecretPulledImages), framework.WithSerial(), func() {
+		var testImage string
+		var testSecret *v1.Secret
+		var testNode string
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			var err error
+			_, is, err = getCRIClient()
+			framework.ExpectNoError(err)
+
+			registryAddress, _, err := e2eregistry.SetupRegistry(ctx, f, true)
+			framework.ExpectNoError(err)
+			// this is to wait for the complete removal of all registry pods between tests
+			ginkgo.DeferCleanup(func(ctx context.Context) {
+				f.DeleteNamespace(ctx, f.Namespace.Name)
+			})
+
+			testImage = path.Join(registryAddress, "pause:testing")
+			_ = is.RemoveImage(ctx, &runtimeapi.ImageSpec{Image: testImage})
+
+			testSecret = e2eregistry.User1DockerSecret(registryAddress)
+			testSecret.GenerateName = f.UniqueName
+			testSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, testSecret, metav1.CreateOptions{})
+			framework.ExpectNoError(err)
+			origPod := e2ecommonnode.ImagePullTest(ctx, f, testImage, v1.PullIfNotPresent, testSecret, "", v1.PodRunning, false)
+			testNode = origPod.Spec.NodeName
+		})
+
+		for _, pullPolicy := range []v1.PullPolicy{v1.PullIfNotPresent, v1.PullNever} {
+			framework.Context(string(pullPolicy), func() {
+				framework.It("pod without PullSecret cannot access previously pulled private image", func(ctx context.Context) {
+					_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, nil, testNode, v1.PodPending, true)
+				})
+				framework.It("pod with invalid PullSecret cannot access previously pulled private image", func(ctx context.Context) {
+					invalidSecret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, &v1.Secret{
+						ObjectMeta: metav1.ObjectMeta{GenerateName: f.UniqueName},
+						Type:       v1.SecretTypeDockerConfigJson,
+						Data: map[string][]byte{
+							v1.DockerConfigJsonKey: []byte(`{"auths":{"somerepo.com": {"auth": "aW52YWxpZHVzZXI6aW52YWxpZHBhc3N3b3Jk"}}}`),
+						},
+					}, metav1.CreateOptions{})
+					framework.ExpectNoError(err)
+
+					_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, invalidSecret, testNode, v1.PodPending, true)
+				})
+				framework.It("pod with the same PullSecret can access previously pulled image", func(ctx context.Context) {
+					_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, testSecret, testNode, v1.PodRunning, false)
+				})
+				framework.It("pod with the same credentials in a different secret can access previously pulled image", func(ctx context.Context) {
+					newSecret := testSecret.DeepCopy()
+					newSecret.Name = ""
+					newSecret.ResourceVersion = ""
+					newSecret.GenerateName = f.UniqueName
+					newSecret, err := f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, newSecret, metav1.CreateOptions{})
+					framework.ExpectNoError(err)
+					_ = e2ecommonnode.ImagePullTest(ctx, f, testImage, pullPolicy, newSecret, testNode, v1.PodRunning, false)
+				})
+			})
+		}
+	})
+})
diff --git a/test/e2e_node/image_gc_test.go b/test/e2e_node/image_gc_test.go
index 4a4105dc70adc..6f814bd0b2b38 100644
--- a/test/e2e_node/image_gc_test.go
+++ b/test/e2e_node/image_gc_test.go
@@ -24,9 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	internalapi "k8s.io/cri-api/pkg/apis"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
-	kubefeatures "k8s.io/kubernetes/pkg/features"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	admissionapi "k8s.io/pod-security-admission/api"
@@ -42,7 +40,7 @@ const (
 	checkGCFreq  time.Duration = 30 * time.Second
 )
 
-var _ = SIGDescribe("ImageGarbageCollect", framework.WithSerial(), feature.GarbageCollect, func() {
+var _ = SIGDescribe("ImageGarbageCollect", framework.WithSerial(), framework.WithNodeConformance(), func() {
 	f := framework.NewDefaultFramework("image-garbage-collect-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 	var is internalapi.ImageManagerService
@@ -58,10 +56,6 @@ var _ = SIGDescribe("ImageGarbageCollect", framework.WithSerial(), feature.Garba
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			initialConfig.ImageMaximumGCAge = metav1.Duration{Duration: time.Duration(time.Minute * 1)}
 			initialConfig.ImageMinimumGCAge = metav1.Duration{Duration: time.Duration(time.Second * 1)}
-			if initialConfig.FeatureGates == nil {
-				initialConfig.FeatureGates = make(map[string]bool)
-			}
-			initialConfig.FeatureGates[string(kubefeatures.ImageMaximumGCAge)] = true
 		})
 		ginkgo.It("should GC unused images", func(ctx context.Context) {
 			pod := innocentPod()
diff --git a/test/e2e_node/image_list.go b/test/e2e_node/image_list.go
index 9f77481a0e0c8..653f22e89f759 100644
--- a/test/e2e_node/image_list.go
+++ b/test/e2e_node/image_list.go
@@ -50,6 +50,7 @@ const (
 // NodePrePullImageList is a list of images used in node e2e test. These images will be prepulled
 // before test running so that the image pulling won't fail in actual test.
 var NodePrePullImageList = sets.NewString(
+	imageutils.GetE2EImage(imageutils.AgnhostPrev),
 	imageutils.GetE2EImage(imageutils.Agnhost),
 	"gcr.io/cadvisor/cadvisor:v0.47.2",
 	busyboxImage,
@@ -99,7 +100,7 @@ func isRunningOnArm64() bool {
 }
 
 func getNodeProblemDetectorImage() string {
-	const defaultImage string = "registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.21"
+	const defaultImage string = "registry.k8s.io/node-problem-detector/node-problem-detector:v1.34.0"
 	image := os.Getenv("NODE_PROBLEM_DETECTOR_IMAGE")
 	if image == "" {
 		image = defaultImage
diff --git a/test/e2e_node/image_pull_test.go b/test/e2e_node/image_pull_test.go
index b8f7b8bb637e1..6a8bd8700ec70 100644
--- a/test/e2e_node/image_pull_test.go
+++ b/test/e2e_node/image_pull_test.go
@@ -304,8 +304,8 @@ func checkPodPullingOverlap(podStartTime map[string]metav1.Time, podEndTime map[
 
 func prepareAndCleanup(ctx context.Context, f *framework.Framework) (testpods []*v1.Pod) {
 	// cuda images are > 2Gi and it will reduce the flaky rate
-	image1 := imageutils.GetE2EImage(imageutils.Httpd)
-	image2 := imageutils.GetE2EImage(imageutils.HttpdNew)
+	image1 := imageutils.GetE2EImage(imageutils.AgnhostPrev)
+	image2 := imageutils.GetE2EImage(imageutils.Agnhost)
 	node := getNodeName(ctx, f)
 
 	testpod := &v1.Pod{
diff --git a/test/e2e_node/image_volume.go b/test/e2e_node/image_volume.go
index a2352844c9317..1c3249cffcdde 100644
--- a/test/e2e_node/image_volume.go
+++ b/test/e2e_node/image_volume.go
@@ -23,15 +23,14 @@ import (
 	"strings"
 	"time"
 
+	"github.com/blang/semver/v4"
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	"github.com/opencontainers/selinux/go-selinux"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/images"
 	"k8s.io/kubernetes/pkg/kubelet/kuberuntime"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -42,7 +41,7 @@ import (
 
 // Run this single test locally using a running CRI-O instance by:
 // make test-e2e-node CONTAINER_RUNTIME_ENDPOINT="unix:///var/run/crio/crio.sock" TEST_ARGS='--ginkgo.focus="ImageVolume" --feature-gates=ImageVolume=true --service-feature-gates=ImageVolume=true --kubelet-flags="--cgroup-root=/ --runtime-cgroups=/system.slice/crio.service --kubelet-cgroups=/system.slice/kubelet.service --fail-swap-on=false"'
-var _ = SIGDescribe("ImageVolume", feature.ImageVolume, func() {
+var _ = SIGDescribe("ImageVolume", func() {
 	f := framework.NewDefaultFramework("image-volume-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
 
@@ -60,9 +59,32 @@ var _ = SIGDescribe("ImageVolume", feature.ImageVolume, func() {
 		defaultSELinuxLevel = "s0:c1,c5"
 	)
 
-	ginkgo.BeforeEach(func(ctx context.Context) {
-		e2eskipper.SkipUnlessFeatureGateEnabled(features.ImageVolume)
-	})
+	// TODO: remove when containerd 2.2 is available on all node e2e test platforms.
+	requireContainerdVersion := func(givenVersion string) {
+		runtime, _, err := getCRIClient()
+		framework.ExpectNoError(err, "Failed to get CRI client")
+
+		resp, err := runtime.Version(context.Background(), "")
+		framework.ExpectNoError(err, "Failed to get runtime version")
+
+		// Other runtimes like CRI-O do not need to enforce any version requirement.
+		if resp.GetRuntimeName() != "containerd" {
+			return
+		}
+
+		// Throw away any version suffix which just causes semver parsing issues.
+		version, _, _ := strings.Cut(resp.GetRuntimeVersion(), "-")
+
+		parsedVersion, err := semver.ParseTolerant(version)
+		framework.ExpectNoError(err, "Failed to parse CRI runtime version: "+version)
+
+		requiredVersion, err := semver.ParseTolerant(givenVersion)
+		framework.ExpectNoError(err, "Failed to parse required CRI runtime version")
+
+		if parsedVersion.LT(requiredVersion) {
+			e2eskipper.Skipf("runtime containerd is version %q, but test requires at least %q", resp.GetRuntimeVersion(), requiredVersion)
+		}
+	}
 
 	createPod := func(ctx context.Context, podName, nodeName string, volumes []v1.Volume, volumeMounts []v1.VolumeMount, selinuxOptions *v1.SELinuxOptions) {
 		pod := &v1.Pod{
@@ -102,6 +124,10 @@ var _ = SIGDescribe("ImageVolume", feature.ImageVolume, func() {
 		gomega.Expect(secondFileContents).To(gomega.ContainSubstring("Alpine Linux"))
 	}
 
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		requireContainerdVersion("2.1")
+	})
+
 	f.It("should succeed with pod and pull policy of Always", func(ctx context.Context) {
 		var selinuxOptions *v1.SELinuxOptions
 		if selinux.GetEnabled() {
@@ -276,16 +302,7 @@ var _ = SIGDescribe("ImageVolume", feature.ImageVolume, func() {
 
 	f.Context("subPath", func() {
 		ginkgo.BeforeEach(func(ctx context.Context) {
-			runtime, _, err := getCRIClient()
-			framework.ExpectNoError(err, "Failed to get CRI client")
-
-			version, err := runtime.Version(context.Background(), "")
-			framework.ExpectNoError(err, "Failed to get runtime version")
-
-			// TODO: enable the subpath tests if containerd main branch has support for it.
-			if version.GetRuntimeName() != "cri-o" {
-				e2eskipper.Skip("runtime is not CRI-O")
-			}
+			requireContainerdVersion("2.2")
 		})
 
 		f.It("should succeed when using a valid subPath", func(ctx context.Context) {
diff --git a/test/e2e_node/kubelet_config_dir_test.go b/test/e2e_node/kubelet_config_dir_test.go
index b1879852338fd..f5f0eca869eef 100644
--- a/test/e2e_node/kubelet_config_dir_test.go
+++ b/test/e2e_node/kubelet_config_dir_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"strconv"
 	"time"
 
 	"github.com/onsi/ginkgo/v2"
@@ -28,6 +29,7 @@ import (
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
+	"k8s.io/utils/cpuset"
 )
 
 var _ = SIGDescribe("Kubelet Config", framework.WithSlow(), framework.WithSerial(), framework.WithDisruptive(), feature.KubeletConfigDropInDir, func() {
@@ -133,11 +135,18 @@ featureGates:
 			framework.ExpectNoError(err)
 
 			// Replace specific fields in the initial configuration with expectedConfig values
-			initialConfig.Port = int32(8080)                  // not overridden by second file, should be retained.
-			initialConfig.ReadOnlyPort = int32(10257)         // overridden by second file.
-			initialConfig.SystemReserved = map[string]string{ // overridden by map in second file.
-				"memory": "2Gi",
+			initialConfig.Port = int32(8080)          // not overridden by second file, should be retained.
+			initialConfig.ReadOnlyPort = int32(10257) // overridden by second file.
+			if initialConfig.SystemReserved == nil {
+				initialConfig.SystemReserved = map[string]string{}
 			}
+			if initialConfig.ReservedSystemCPUs != "" {
+				reservedCPUSet, err := cpuset.Parse(initialConfig.ReservedSystemCPUs)
+				if err == nil {
+					initialConfig.SystemReserved["cpu"] = strconv.Itoa(reservedCPUSet.Size())
+				}
+			}
+			initialConfig.SystemReserved["memory"] = "2Gi"
 			initialConfig.ClusterDNS = []string{"192.168.1.1", "192.168.1.5", "192.168.1.8"} // overridden by slice in second file.
 			// This value was explicitly set in the drop-in, make sure it is retained
 			initialConfig.CPUManagerReconcilePeriod = metav1.Duration{Duration: time.Second}
@@ -164,11 +173,14 @@ featureGates:
 				},
 			}
 			// This covers the case where the fields within the map are overridden.
-			overrides := map[string]bool{
-				"PodAndContainerStatsFromCRI":                      false,
-				"DynamicResourceAllocation":                        true,
-				"KubeletServiceAccountTokenForCredentialProviders": true,
+			overrides := initialConfig.FeatureGates
+			if overrides == nil {
+				overrides = map[string]bool{}
 			}
+			overrides["PodAndContainerStatsFromCRI"] = false
+			overrides["DynamicResourceAllocation"] = true
+			overrides["KubeletServiceAccountTokenForCredentialProviders"] = true
+
 			// In some CI jobs, `NodeSwap` is explicitly disabled as the images are cgroupv1 based,
 			// so such flags should be picked up directly from the initial configuration
 			if _, ok := initialConfig.FeatureGates["NodeSwap"]; ok {
diff --git a/test/e2e_node/mirror_pod_grace_period_test.go b/test/e2e_node/mirror_pod_grace_period_test.go
index 5022a1a0b3cc3..7934b4b948614 100644
--- a/test/e2e_node/mirror_pod_grace_period_test.go
+++ b/test/e2e_node/mirror_pod_grace_period_test.go
@@ -36,6 +36,7 @@ import (
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
+	"k8s.io/utils/ptr"
 )
 
 var _ = SIGDescribe("MirrorPodWithGracePeriod", func() {
@@ -162,7 +163,7 @@ var _ = SIGDescribe("MirrorPodWithGracePeriod", func() {
 			})
 			ginkgo.It("the mirror pod should terminate successfully", func(ctx context.Context) {
 				ginkgo.By("verifying the pod is described as syncing in metrics")
-				gomega.Eventually(ctx, getKubeletMetrics, 5*time.Second, time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
+				gomega.Eventually(ctx, getKubeletMetrics, time.Minute, 5*time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
 					"kubelet_working_pods": gstruct.MatchElements(sampleLabelID, 0, gstruct.Elements{
 						`kubelet_working_pods{config="desired", lifecycle="sync", static=""}`:                    timelessSample(0),
 						`kubelet_working_pods{config="desired", lifecycle="sync", static="true"}`:                timelessSample(1),
@@ -216,9 +217,8 @@ var _ = SIGDescribe("MirrorPodWithGracePeriod", func() {
 				gomega.Consistently(ctx, func(ctx context.Context) error {
 					return checkMirrorPodRunning(ctx, f.ClientSet, mirrorPodName, ns)
 				}, 19*time.Second, 200*time.Millisecond).Should(gomega.BeNil())
-
 				ginkgo.By("verifying the pod is described as terminating in metrics")
-				gomega.Eventually(ctx, getKubeletMetrics, 5*time.Second, time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
+				gomega.Eventually(ctx, getKubeletMetrics, time.Minute, 5*time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
 					"kubelet_working_pods": gstruct.MatchElements(sampleLabelID, 0, gstruct.Elements{
 						`kubelet_working_pods{config="desired", lifecycle="sync", static=""}`:                    timelessSample(0),
 						`kubelet_working_pods{config="desired", lifecycle="sync", static="true"}`:                timelessSample(0),
@@ -280,7 +280,7 @@ var _ = SIGDescribe("MirrorPodWithGracePeriod", func() {
 				}, time.Second*3, time.Second).Should(gomega.Succeed())
 
 				ginkgo.By("verifying the pod finishes terminating and is removed from metrics")
-				gomega.Eventually(ctx, getKubeletMetrics, 15*time.Second, time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
+				gomega.Eventually(ctx, getKubeletMetrics, time.Minute, 5*time.Second).Should(gstruct.MatchKeys(gstruct.IgnoreExtras, gstruct.Keys{
 					"kubelet_working_pods": gstruct.MatchElements(sampleLabelID, 0, gstruct.Elements{
 						`kubelet_working_pods{config="desired", lifecycle="sync", static=""}`:                    timelessSample(0),
 						`kubelet_working_pods{config="desired", lifecycle="sync", static="true"}`:                timelessSample(0),
@@ -344,6 +344,7 @@ var _ = SIGDescribe("MirrorPodWithGracePeriod", func() {
 
 func createStaticPodWithGracePeriod(dir, name, namespace string) error {
 	podSpec := v1.PodSpec{
+		TerminationGracePeriodSeconds: ptr.To(int64(20)),
 		Containers: []v1.Container{{
 			Name:    "m-test",
 			Image:   imageutils.GetE2EImage(imageutils.BusyBox),
diff --git a/test/e2e_node/mirror_pod_test.go b/test/e2e_node/mirror_pod_test.go
index efd2b3f94a8b8..3f598c243f1a6 100644
--- a/test/e2e_node/mirror_pod_test.go
+++ b/test/e2e_node/mirror_pod_test.go
@@ -32,8 +32,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/pkg/features"
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
 	"sigs.k8s.io/yaml"
@@ -41,6 +43,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/cli-runtime/pkg/printers"
 	e2evolume "k8s.io/kubernetes/test/e2e/framework/volume"
 )
@@ -300,7 +303,7 @@ var _ = SIGDescribe("MirrorPod (Pod Generation)", func() {
 			}, 2*time.Minute, time.Second*4).Should(gomega.Succeed())
 		})
 
-		f.It("mirror pod: update activeDeadlineSeconds", func(ctx context.Context) {
+		f.It("mirror pod: update activeDeadlineSeconds", f.WithNodeConformance(), func(ctx context.Context) {
 			ginkgo.By("get mirror pod uid")
 			pod, err := f.ClientSet.CoreV1().Pods(ns).Get(ctx, mirrorPodName, metav1.GetOptions{})
 			framework.ExpectNoError(err)
@@ -323,7 +326,7 @@ var _ = SIGDescribe("MirrorPod (Pod Generation)", func() {
 			gomega.Expect(pod.Status.ObservedGeneration).To(gomega.BeEquivalentTo(int64(0)))
 		})
 
-		f.It("mirror pod: update container image", func(ctx context.Context) {
+		f.It("mirror pod: update container image", f.WithNodeConformance(), func(ctx context.Context) {
 			ginkgo.By("get mirror pod uid")
 			pod, err := f.ClientSet.CoreV1().Pods(ns).Get(ctx, mirrorPodName, metav1.GetOptions{})
 			framework.ExpectNoError(err)
@@ -346,7 +349,7 @@ var _ = SIGDescribe("MirrorPod (Pod Generation)", func() {
 			gomega.Expect(pod.Status.ObservedGeneration).To(gomega.BeEquivalentTo(int64(0)))
 		})
 
-		f.It("mirror pod: update initContainer image", func(ctx context.Context) {
+		f.It("mirror pod: update initContainer image", f.WithNodeConformance(), func(ctx context.Context) {
 			ginkgo.By("get mirror pod uid")
 			pod, err := f.ClientSet.CoreV1().Pods(ns).Get(ctx, mirrorPodName, metav1.GetOptions{})
 			framework.ExpectNoError(err)
@@ -382,6 +385,103 @@ var _ = SIGDescribe("MirrorPod (Pod Generation)", func() {
 	})
 })
 
+var _ = SIGDescribe("MirrorPod with EnvFiles", framework.WithNodeConformance(), framework.WithFeatureGate(features.EnvFiles), func() {
+	f := framework.NewDefaultFramework("mirror-pod-envfiles")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	var ns, podPath, staticPodName, mirrorPodName string
+
+	ginkgo.Context("when creating a static pod with EnvFiles", func() {
+		ginkgo.BeforeEach(func() {
+			ns = f.Namespace.Name
+			staticPodName = "static-pod-envfiles-" + string(uuid.NewUUID())
+			mirrorPodName = staticPodName + "-" + framework.TestContext.NodeName
+			podPath = kubeletCfg.StaticPodPath
+		})
+
+		ginkgo.AfterEach(func(ctx context.Context) {
+			ginkgo.By("delete the static pod")
+			err := deleteStaticPod(podPath, staticPodName, ns)
+			framework.ExpectNoError(err)
+
+			ginkgo.By("wait for the mirror pod to disappear")
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				return checkMirrorPodDisappear(ctx, f.ClientSet, mirrorPodName, ns)
+			}, 2*time.Minute, time.Second*4).Should(gomega.Succeed())
+		})
+
+		ginkgo.It("should be able to consume variables from a file", func(ctx context.Context) {
+			podSpec := v1.PodSpec{
+				InitContainers: []v1.Container{
+					{
+						Name:    "setup-envfile",
+						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+						Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env && echo CONFIG_2=\'value2\' >> /data/config.env`},
+						VolumeMounts: []v1.VolumeMount{
+							{
+								Name:      "config",
+								MountPath: "/data",
+							},
+						},
+					},
+				},
+				Containers: []v1.Container{
+					{
+						Name:    "use-envfile",
+						Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+						Command: []string{"sh", "-c", "env | grep -E '(CONFIG_1|CONFIG_2)' | sort"},
+						Env: []v1.EnvVar{
+							{
+								Name: "CONFIG_1",
+								ValueFrom: &v1.EnvVarSource{
+									FileKeyRef: &v1.FileKeySelector{
+										VolumeName: "config",
+										Path:       "config.env",
+										Key:        "CONFIG_1",
+									},
+								},
+							},
+							{
+								Name: "CONFIG_2",
+								ValueFrom: &v1.EnvVarSource{
+									FileKeyRef: &v1.FileKeySelector{
+										VolumeName: "config",
+										Path:       "config.env",
+										Key:        "CONFIG_2",
+									},
+								},
+							},
+						},
+					},
+				},
+				RestartPolicy: v1.RestartPolicyNever,
+				Volumes: []v1.Volume{
+					{
+						Name: "config",
+						VolumeSource: v1.VolumeSource{
+							EmptyDir: &v1.EmptyDirVolumeSource{},
+						},
+					},
+				},
+			}
+
+			ginkgo.By("create the static pod with envfiles")
+			err := createStaticPodWithSpec(podPath, staticPodName, ns, podSpec)
+			framework.ExpectNoError(err)
+
+			ginkgo.By("wait for the mirror pod to succeed")
+			err = e2epod.WaitForPodSuccessInNamespace(ctx, f.ClientSet, mirrorPodName, ns)
+			framework.ExpectNoError(err)
+
+			ginkgo.By("checking the logs of the mirror pod")
+			logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, ns, mirrorPodName, "use-envfile")
+			framework.ExpectNoError(err)
+
+			gomega.Expect(logs).To(gomega.ContainSubstring("CONFIG_1=value1"))
+			gomega.Expect(logs).To(gomega.ContainSubstring("CONFIG_2=value2"))
+		})
+	})
+})
+
 func podVolumeDirectoryExists(uid types.UID) bool {
 	podVolumePath := fmt.Sprintf("/var/lib/kubelet/pods/%s/volumes/", uid)
 	var podVolumeDirectoryExists bool
@@ -671,3 +771,169 @@ func checkMirrorPodRecreated(ctx context.Context, cl clientset.Interface, name,
 	}
 	return nil
 }
+
+var _ = SIGDescribe("MirrorPod", framework.WithSerial(), func() {
+	f := framework.NewDefaultFramework("mirror-pod-serial")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	ginkgo.Context("when kubelet restarts", func() {
+		var ns, podPath, staticPodName, mirrorPodName string
+		ginkgo.BeforeEach(func(ctx context.Context) {
+			ns = f.Namespace.Name
+			staticPodName = "static-pod-" + string(uuid.NewUUID())
+			mirrorPodName = staticPodName + "-" + framework.TestContext.NodeName
+			podPath = kubeletCfg.StaticPodPath
+
+			ginkgo.By("create the static pod")
+			podSpec := v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:    "container",
+						Image:   defaultImage,
+						Command: []string{"sleep", "3600"},
+						StartupProbe: &v1.Probe{
+							ProbeHandler: v1.ProbeHandler{
+								Exec: &v1.ExecAction{
+									Command: []string{"/bin/true"},
+								},
+							},
+							InitialDelaySeconds: 1,
+							PeriodSeconds:       1,
+						},
+						ReadinessProbe: &v1.Probe{
+							ProbeHandler: v1.ProbeHandler{
+								Exec: &v1.ExecAction{
+									Command: []string{"/bin/true"},
+								},
+							},
+							InitialDelaySeconds: 1,
+							PeriodSeconds:       1,
+						},
+					},
+				},
+			}
+
+			err := createStaticPodWithSpec(podPath, staticPodName, ns, podSpec)
+			framework.ExpectNoError(err)
+
+			ginkgo.By("wait for the mirror pod to be running")
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				return checkMirrorPodRunning(ctx, f.ClientSet, mirrorPodName, ns)
+			}, 2*time.Minute, time.Second*4).Should(gomega.Succeed())
+		})
+
+		ginkgo.AfterEach(func(ctx context.Context) {
+			ginkgo.By("delete the static pod")
+			err := deleteStaticPod(podPath, staticPodName, ns)
+			framework.ExpectNoError(err)
+
+			ginkgo.By("wait for the mirror pod to disappear")
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				return checkMirrorPodDisappear(ctx, f.ClientSet, mirrorPodName, ns)
+			}, 2*time.Minute, time.Second*4).Should(gomega.Succeed())
+		})
+
+		f.It("should not change container status", f.WithNodeConformance(), func(ctx context.Context) {
+			ginkgo.By("Waiting for the pod to be running and ready")
+			err := e2epod.WaitForPodCondition(ctx, f.ClientSet, ns, mirrorPodName, "PodReady", f.Timeouts.PodStart,
+				func(p *v1.Pod) (bool, error) {
+					if p.Status.Phase != v1.PodRunning {
+						return false, nil
+					}
+					for _, cond := range p.Status.Conditions {
+						if cond.Type == v1.PodReady && cond.Status == v1.ConditionTrue {
+							return true, nil
+						}
+					}
+					return false, nil
+				})
+			framework.ExpectNoError(err)
+
+			pod, err := f.ClientSet.CoreV1().Pods(ns).Get(ctx, mirrorPodName, metav1.GetOptions{})
+			framework.ExpectNoError(err)
+
+			ginkgo.By("Double check the initial state before starting the concurrent check")
+			gomega.Expect(pod.Status.ContainerStatuses).ToNot(gomega.BeEmpty())
+			for _, status := range pod.Status.ContainerStatuses {
+				gomega.Expect(status.RestartCount).To(gomega.BeZero())
+				gomega.Expect(status.Started).ToNot(gomega.BeNil())
+				gomega.Expect(*status.Started).To(gomega.BeTrueBecause("The Started field should be set to true when a pod enters the Ready condition."))
+				gomega.Expect(status.Ready).To(gomega.BeTrueBecause("The Ready field should be set to true when a pod enters the Ready condition."))
+			}
+
+			// The grace period for kubelet startup is 10 seconds, so we wait here for 11 seconds.
+			time.Sleep(time.Second * 11)
+
+			stopCh := make(chan struct{})
+			errCh := make(chan error, 1)
+			go func() {
+				defer ginkgo.GinkgoRecover()
+				watcher, err := f.ClientSet.CoreV1().Pods(ns).Watch(ctx, metav1.ListOptions{
+					FieldSelector: "metadata.name=" + mirrorPodName,
+				})
+				if err != nil {
+					errCh <- fmt.Errorf("failed to watch pod: %w", err)
+					return
+				}
+				defer watcher.Stop()
+
+				for {
+					select {
+					case event, ok := <-watcher.ResultChan():
+						if !ok {
+							return
+						}
+						if event.Type != watch.Modified {
+							continue
+						}
+						p, ok := event.Object.(*v1.Pod)
+						if !ok {
+							continue
+						}
+
+						if p.Status.Phase != v1.PodRunning {
+							errCh <- fmt.Errorf("pod phase is %v, expected %v", p.Status.Phase, v1.PodRunning)
+							return
+						}
+						if len(p.Status.ContainerStatuses) < len(pod.Spec.Containers) {
+							continue
+						}
+						for _, containerStatus := range p.Status.ContainerStatuses {
+							if containerStatus.RestartCount > 0 {
+								errCh <- fmt.Errorf("container %q restarted %d times", containerStatus.Name, containerStatus.RestartCount)
+								return
+							}
+							if containerStatus.Started == nil || !*containerStatus.Started {
+								errCh <- fmt.Errorf("container %q started status is not true", containerStatus.Name)
+								return
+							}
+							if !containerStatus.Ready {
+								errCh <- fmt.Errorf("container %q ready status is not true", containerStatus.Name)
+								return
+							}
+						}
+					case <-stopCh:
+						close(errCh)
+						return
+					}
+				}
+			}()
+
+			ginkgo.By("restarting the kubelet")
+			restartKubelet := mustStopKubelet(ctx, f)
+			restartKubelet(ctx)
+
+			ginkgo.By("ensuring kubelet is healthy")
+			gomega.Eventually(ctx, func() bool {
+				return kubeletHealthCheck(kubeletHealthCheckURL)
+			}, f.Timeouts.PodStart, f.Timeouts.Poll).Should(gomega.BeTrueBecause("kubelet should be started"))
+
+			// Let the goroutine run for a few more seconds to catch any delayed changes
+			time.Sleep(5 * time.Second)
+			close(stopCh)
+
+			for err := range errCh {
+				framework.ExpectNoError(err, "pod status check failed during kubelet restart")
+			}
+		})
+	})
+})
diff --git a/test/e2e_node/node_container_manager_test.go b/test/e2e_node/node_container_manager_test.go
index 69c82c0e34eb3..603fb5b9d2fed 100644
--- a/test/e2e_node/node_container_manager_test.go
+++ b/test/e2e_node/node_container_manager_test.go
@@ -31,6 +31,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/kubernetes/pkg/kubelet/cm"
 	"k8s.io/kubernetes/pkg/kubelet/stats/pidlimit"
@@ -182,7 +183,7 @@ const (
 
 func createIfNotExists(cm cm.CgroupManager, cgroupConfig *cm.CgroupConfig) error {
 	if !cm.Exists(cgroupConfig.Name) {
-		if err := cm.Create(cgroupConfig); err != nil {
+		if err := cm.Create(klog.Background(), cgroupConfig); err != nil {
 			return err
 		}
 	}
@@ -208,11 +209,11 @@ func destroyTemporaryCgroupsForReservation(cgroupManager cm.CgroupManager) error
 	cgroupConfig := &cm.CgroupConfig{
 		Name: cm.NewCgroupName(cm.RootCgroupName, kubeReservedCgroup),
 	}
-	if err := cgroupManager.Destroy(cgroupConfig); err != nil {
+	if err := cgroupManager.Destroy(klog.Background(), cgroupConfig); err != nil {
 		return err
 	}
 	cgroupConfig.Name = cm.NewCgroupName(cm.RootCgroupName, systemReservedCgroup)
-	return cgroupManager.Destroy(cgroupConfig)
+	return cgroupManager.Destroy(klog.Background(), cgroupConfig)
 }
 
 // convertSharesToWeight converts from cgroup v1 cpu.shares to cgroup v2 cpu.weight
@@ -233,7 +234,7 @@ func runTest(ctx context.Context, f *framework.Framework) error {
 	}
 
 	// Create a cgroup manager object for manipulating cgroups.
-	cgroupManager := cm.NewCgroupManager(subsystems, oldCfg.CgroupDriver)
+	cgroupManager := cm.NewCgroupManager(klog.Background(), subsystems, oldCfg.CgroupDriver)
 
 	ginkgo.DeferCleanup(destroyTemporaryCgroupsForReservation, cgroupManager)
 	ginkgo.DeferCleanup(func(ctx context.Context) {
@@ -273,7 +274,7 @@ func runTest(ctx context.Context, f *framework.Framework) error {
 	expectedNAPodCgroup := cm.NewCgroupName(cm.RootCgroupName, nodeAllocatableCgroup)
 
 	// Cleanup from the previous kubelet, to verify the new one creates it correctly
-	if err := cgroupManager.Destroy(&cm.CgroupConfig{
+	if err := cgroupManager.Destroy(klog.Background(), &cm.CgroupConfig{
 		Name: cm.NewCgroupName(expectedNAPodCgroup),
 	}); err != nil {
 		return err
diff --git a/test/e2e_node/node_shutdown_linux_test.go b/test/e2e_node/node_shutdown_linux_test.go
index ebfa18752117a..51878480b5d13 100644
--- a/test/e2e_node/node_shutdown_linux_test.go
+++ b/test/e2e_node/node_shutdown_linux_test.go
@@ -93,10 +93,11 @@ var _ = SIGDescribe("GracefulNodeShutdown", framework.WithSerial(), feature.Grac
 		)
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{
-				string(features.GracefulNodeShutdown):                   true,
-				string(features.GracefulNodeShutdownBasedOnPodPriority): false,
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
 			}
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdown)] = true
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdownBasedOnPodPriority)] = false
 			initialConfig.ShutdownGracePeriod = metav1.Duration{Duration: nodeShutdownGracePeriod}
 		})
 
@@ -195,11 +196,13 @@ var _ = SIGDescribe("GracefulNodeShutdown", framework.WithSerial(), feature.Grac
 		)
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{
-				string(features.GracefulNodeShutdown):                   true,
-				string(features.GracefulNodeShutdownBasedOnPodPriority): false,
-				string(features.PodReadyToStartContainersCondition):     true,
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
 			}
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdown)] = true
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdownBasedOnPodPriority)] = false
+			initialConfig.FeatureGates[string(features.PodReadyToStartContainersCondition)] = true
+
 			initialConfig.ShutdownGracePeriod = metav1.Duration{Duration: nodeShutdownGracePeriod}
 			initialConfig.ShutdownGracePeriodCriticalPods = metav1.Duration{Duration: nodeShutdownGracePeriodCriticalPods}
 		})
@@ -261,7 +264,7 @@ var _ = SIGDescribe("GracefulNodeShutdown", framework.WithSerial(), feature.Grac
 				})
 
 				// Ignore timeout error since the context will be explicitly cancelled and the watch will never return true
-				if err != nil && err != wait.ErrWaitTimeout {
+				if err != nil && !wait.Interrupted(err) {
 					framework.Failf("watch for invalid pod status failed: %v", err.Error())
 				}
 			}()
@@ -390,10 +393,12 @@ var _ = SIGDescribe("GracefulNodeShutdown", framework.WithSerial(), feature.Grac
 		)
 
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{
-				string(features.GracefulNodeShutdown):                   true,
-				string(features.GracefulNodeShutdownBasedOnPodPriority): true,
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
 			}
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdown)] = true
+			initialConfig.FeatureGates[string(features.GracefulNodeShutdownBasedOnPodPriority)] = true
+
 			initialConfig.ShutdownGracePeriodByPodPriority = []kubeletconfig.ShutdownGracePeriodByPodPriority{
 				{
 					Priority:                   scheduling.SystemCriticalPriority,
@@ -642,14 +647,6 @@ func emitSignalPrepareForShutdown(b bool) error {
 	return conn.Emit("/org/freedesktop/login1", "org.freedesktop.login1.Manager.PrepareForShutdown", b)
 }
 
-func getNodeReadyStatus(ctx context.Context, f *framework.Framework) bool {
-	nodeList, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
-	framework.ExpectNoError(err)
-	// Assuming that there is only one node, because this is a node e2e test.
-	gomega.Expect(nodeList.Items).To(gomega.HaveLen(1), "the number of nodes is not as expected")
-	return isNodeReady(&nodeList.Items[0])
-}
-
 const (
 	// https://github.com/kubernetes/kubernetes/blob/1dd781ddcad454cc381806fbc6bd5eba8fa368d7/pkg/kubelet/nodeshutdown/nodeshutdown_manager_linux.go#L43-L44
 	podShutdownReason  = "Terminated"
diff --git a/test/e2e_node/pod_conditions_test.go b/test/e2e_node/pod_conditions_test.go
index 4641d9c213180..46ff72033f25a 100644
--- a/test/e2e_node/pod_conditions_test.go
+++ b/test/e2e_node/pod_conditions_test.go
@@ -50,9 +50,10 @@ var _ = SIGDescribe("Pod conditions managed by Kubelet", func() {
 
 	f.Context("including PodReadyToStartContainers condition", f.WithSerial(), feature.PodReadyToStartContainersCondition, func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
-			initialConfig.FeatureGates = map[string]bool{
-				string(features.PodReadyToStartContainersCondition): true,
+			if initialConfig.FeatureGates == nil {
+				initialConfig.FeatureGates = map[string]bool{}
 			}
+			initialConfig.FeatureGates[string(features.PodReadyToStartContainersCondition)] = true
 		})
 		ginkgo.It("a pod without init containers should report all conditions set in expected order after the pod is up", runPodReadyConditionsTest(f, false, true))
 		ginkgo.It("a pod with init containers should report all conditions set in expected order after the pod is up", runPodReadyConditionsTest(f, true, true))
diff --git a/test/e2e_node/pod_hostnamefqdn_test.go b/test/e2e_node/pod_hostnamefqdn_test.go
index 51b9bf51bfc17..92d8ebff17b9b 100644
--- a/test/e2e_node/pod_hostnamefqdn_test.go
+++ b/test/e2e_node/pod_hostnamefqdn_test.go
@@ -63,7 +63,7 @@ func testPod(podnamebase string) *v1.Pod {
 			Containers: []v1.Container{
 				{
 					Name:  "test-container",
-					Image: imageutils.GetE2EImage(imageutils.BusyBox),
+					Image: imageutils.GetE2EImage(imageutils.JessieDnsutils),
 				},
 			},
 			RestartPolicy: v1.RestartPolicyNever,
diff --git a/test/e2e_node/podresources_test.go b/test/e2e_node/podresources_test.go
index 6382613ca665e..3d55705a0434d 100644
--- a/test/e2e_node/podresources_test.go
+++ b/test/e2e_node/podresources_test.go
@@ -1113,7 +1113,7 @@ var _ = SIGDescribe("POD Resources API", framework.WithSerial(), feature.PodReso
 					podresourcesGetAllocatableResourcesTests(ctx, cli, sd, onlineCPUs, reservedSystemCPUs)
 				})
 
-				framework.It("should return the expected responses", feature.SidecarContainers, func(ctx context.Context) {
+				framework.It("should return the expected responses", framework.WithNodeConformance(), func(ctx context.Context) {
 					onlineCPUs, err := getOnlineCPUs()
 					framework.ExpectNoError(err, "getOnlineCPUs() failed err: %v", err)
 
@@ -1259,7 +1259,7 @@ var _ = SIGDescribe("POD Resources API", framework.WithSerial(), feature.PodReso
 					podresourcesGetTests(ctx, f, cli, false)
 				})
 
-				framework.It("should return the expected responses", feature.SidecarContainers, func(ctx context.Context) {
+				framework.It("should return the expected responses", framework.WithNodeConformance(), func(ctx context.Context) {
 					onlineCPUs, err := getOnlineCPUs()
 					framework.ExpectNoError(err, "getOnlineCPUs() failed err: %v", err)
 
@@ -1624,6 +1624,9 @@ var _ = SIGDescribe("POD Resources API", framework.WithSerial(), feature.PodReso
 				cpus := reservedSystemCPUs.String()
 				framework.Logf("configurePodResourcesInKubelet: using reservedSystemCPUs=%q", cpus)
 				initialConfig.ReservedSystemCPUs = cpus
+				if initialConfig.FeatureGates == nil {
+					initialConfig.FeatureGates = make(map[string]bool)
+				}
 				initialConfig.FeatureGates["KubeletPodResourcesListUseActivePods"] = false
 			})
 
diff --git a/test/e2e_node/proc_mount_test.go b/test/e2e_node/proc_mount_test.go
index e0023ba8d737b..5a968b089ac24 100644
--- a/test/e2e_node/proc_mount_test.go
+++ b/test/e2e_node/proc_mount_test.go
@@ -46,10 +46,10 @@ var _ = SIGDescribe("DefaultProcMount [LinuxOnly]", framework.WithNodeConformanc
 })
 
 var _ = SIGDescribe("ProcMount [LinuxOnly]", feature.ProcMountType, feature.UserNamespacesSupport, func() {
-	f := framework.NewDefaultFramework("proc-mount-baseline-test")
-	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	f := framework.NewDefaultFramework("proc-mount-restricted-test")
+	f.NamespacePodSecurityLevel = admissionapi.LevelRestricted
 
-	f.It("will fail to unmask proc mounts if not privileged", func(ctx context.Context) {
+	f.It("will fail to unmask proc mounts at restricted level", func(ctx context.Context) {
 		if !supportsUserNS(ctx, f) {
 			e2eskipper.Skipf("runtime does not support user namespaces")
 		}
diff --git a/test/e2e_node/quota_lsci_test.go b/test/e2e_node/quota_lsci_test.go
index 3992b4ed0b5ec..922fd12a005ba 100644
--- a/test/e2e_node/quota_lsci_test.go
+++ b/test/e2e_node/quota_lsci_test.go
@@ -57,7 +57,7 @@ func runOneQuotaTest(f *framework.Framework, quotasRequested bool, userNamespace
 	if quotasRequested {
 		priority = 1
 	}
-	ginkgo.Context(fmt.Sprintf(testContextFmt, fmt.Sprintf("use quotas for LSCI monitoring (quotas enabled: %v)", quotasRequested)), func() {
+	ginkgo.Context(fmt.Sprintf(testContextFmt, fmt.Sprintf("use quotas for LSCI monitoring (quotas enabled: %v, userNamespacesEnabled: %v)", quotasRequested, userNamespacesEnabled)), func() {
 		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
 			defer withFeatureGate(LSCIQuotaFeature, quotasRequested)()
 			// TODO: remove hardcoded kubelet volume directory path
diff --git a/test/e2e_node/remote/gce/gce_runner.go b/test/e2e_node/remote/gce/gce_runner.go
index 97476fea97852..f746758c9ec5c 100644
--- a/test/e2e_node/remote/gce/gce_runner.go
+++ b/test/e2e_node/remote/gce/gce_runner.go
@@ -583,7 +583,7 @@ func (g *GCERunner) createGCEInstance(imageConfig *internalGCEImage) (string, er
 		if err != nil {
 			continue
 		}
-		if strings.ToUpper(instance.Status) != "RUNNING" {
+		if !strings.EqualFold(instance.Status, "RUNNING") {
 			_ = fmt.Errorf("instance %s not in state RUNNING, was %s", name, instance.Status)
 			continue
 		}
@@ -669,7 +669,7 @@ func (g *GCERunner) registerGceHostIP(host string) error {
 	if err != nil {
 		return err
 	}
-	if strings.ToUpper(instance.Status) != "RUNNING" {
+	if !strings.EqualFold(instance.Status, "RUNNING") {
 		return fmt.Errorf("instance %s not in state RUNNING, was %s", host, instance.Status)
 	}
 	externalIP := g.getExternalIP(instance)
diff --git a/test/e2e_node/remote/node_e2e.go b/test/e2e_node/remote/node_e2e.go
index 98fd4eb334b3e..9baf478ce32e7 100644
--- a/test/e2e_node/remote/node_e2e.go
+++ b/test/e2e_node/remote/node_e2e.go
@@ -112,7 +112,7 @@ func prependMemcgNotificationFlag(args string) string {
 // a credential provider plugin.
 func prependCredentialProviderFlag(args, workspace string) string {
 	credentialProviderConfig := filepath.Join(workspace, "credential-provider.yaml")
-	featureGateFlag := "--kubelet-flags=--feature-gates=KubeletServiceAccountTokenForCredentialProviders=true"
+	featureGateFlag := "--kubelet-flags=--feature-gates=KubeletServiceAccountTokenForCredentialProviders=true,KubeletEnsureSecretPulledImages=true"
 	configFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-config=%s", credentialProviderConfig)
 	binFlag := fmt.Sprintf("--kubelet-flags=--image-credential-provider-bin-dir=%s", workspace)
 	return fmt.Sprintf("%s %s %s %s", featureGateFlag, configFlag, binFlag, args)
diff --git a/test/e2e_node/remote/utils.go b/test/e2e_node/remote/utils.go
index fa2edfc2948ac..53f1685945fc7 100644
--- a/test/e2e_node/remote/utils.go
+++ b/test/e2e_node/remote/utils.go
@@ -28,7 +28,7 @@ import (
 // utils.go contains functions used across test suites.
 
 const (
-	cniVersion       = "v1.7.1"
+	cniVersion       = "v1.8.0"
 	cniDirectory     = "cni/bin" // The CNI tarball places binaries under directory under "cni/bin".
 	cniConfDirectory = "cni/net.d"
 
diff --git a/test/e2e_node/restart_all_containers_test.go b/test/e2e_node/restart_all_containers_test.go
new file mode 100644
index 0000000000000..5de189108b9bb
--- /dev/null
+++ b/test/e2e_node/restart_all_containers_test.go
@@ -0,0 +1,272 @@
+//go:build linux
+// +build linux
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+	admissionapi "k8s.io/pod-security-admission/api"
+)
+
+var _ = SIGDescribe("RestartAllContainersWithKubeletRestarts",
+	framework.WithSerial(),
+	framework.WithDisruptive(),
+	framework.WithFeatureGate(features.ContainerRestartRules),
+	framework.WithFeatureGate(features.RestartAllContainersOnContainerExits),
+	func() {
+		const (
+			containerCount = 10
+		)
+		var (
+			containerRestartPolicyNever = v1.ContainerRestartPolicyNever
+		)
+		restartAllContainersRules := []v1.ContainerRestartRule{
+			{
+				Action: v1.ContainerRestartRuleActionRestartAllContainers,
+				ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+					Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+					Values:   []int32{42},
+				},
+			},
+		}
+		f := framework.NewDefaultFramework("restart-test")
+		f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+
+		ginkgo.It("kubelet restart during cleanup", func(ctx context.Context) {
+			podName := "restart-kubelet-during-cleanup" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/init-complete ]; then sleep 3600; else touch /mnt/init-complete; sleep 10; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+			// Setting up extra containers so the cleanup takes more time to coordinate with kubelet restart.
+			for i := 0; i < containerCount; i++ {
+				pod.Spec.Containers = append(pod.Spec.Containers, v1.Container{
+					Name:    fmt.Sprintf("container-%d", i),
+					Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+					Command: []string{"/bin/sh", "-c", "sleep 3600; exit 0"},
+				})
+			}
+
+			ginkgo.By(fmt.Sprintf("Creating a pod (%v/%v)", f.Namespace.Name, podName))
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+
+			ginkgo.By("waiting for pod to be marked for restart")
+			gomega.Eventually(ctx, func() error {
+				pod, err := getPodByName(ctx, f, podName)
+				if err != nil {
+					return err
+				}
+				for _, cond := range pod.Status.Conditions {
+					if cond.Type == v1.AllContainersRestarting && cond.Status == v1.ConditionTrue {
+						return nil
+					}
+				}
+				return fmt.Errorf("pod not marked for restart")
+			}, 2*time.Minute, 1*time.Second).Should(gomega.Succeed())
+
+			ginkgo.By("restarting kubelet")
+			restartKubelet := mustStopKubelet(ctx, f)
+			restartKubelet(ctx)
+
+			ginkgo.By("waiting for containers to restart")
+			gomega.Eventually(ctx, func() error {
+				pod, err := getPodByName(ctx, f, podName)
+				if err != nil {
+					return err
+				}
+				restartedContainers := 0
+				runningContainers := 0
+				for _, c := range pod.Status.ContainerStatuses {
+					if c.RestartCount > 0 {
+						restartedContainers++
+					}
+					if c.State.Running != nil {
+						runningContainers++
+					}
+				}
+				if restartedContainers < containerCount+1 {
+					return fmt.Errorf("not all containers have restarted")
+				}
+				if runningContainers < containerCount+1 {
+					return fmt.Errorf("not all containers are running")
+				}
+				return nil
+			}, 3*time.Minute, f.Timeouts.Poll).Should(gomega.Succeed())
+		})
+
+		ginkgo.It("kubelet restart during startup", func(ctx context.Context) {
+			podName := "restart-kubelet-during-cleanup" + string(uuid.NewUUID())
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: podName,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					InitContainers: []v1.Container{
+						{
+							Name:  "init",
+							Image: imageutils.GetE2EImage(imageutils.BusyBox),
+							// Let init container sleep 20s before succeeding to coordinate with kubelet restart
+							Command: []string{"/bin/sh", "-c", "sleep 20; exit 0"},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "if [ -f /mnt/init-complete ]; then sleep 3600; else touch /mnt/init-complete; sleep 10; exit 42; fi"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "workdir",
+									MountPath: "/mnt",
+								},
+							},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "workdir",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+			// Setting up extra containers so the cleanup takes more time to coordinate with kubelet restart.
+			for i := 0; i < containerCount; i++ {
+				pod.Spec.Containers = append(pod.Spec.Containers, v1.Container{
+					Name:    fmt.Sprintf("container-%d", i),
+					Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+					Command: []string{"/bin/sh", "-c", "sleep 3600; exit 0"},
+				})
+			}
+
+			ginkgo.By(fmt.Sprintf("Creating a pod (%v/%v)", f.Namespace.Name, podName))
+			podClient := e2epod.NewPodClient(f)
+			podClient.Create(ctx, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) error {
+				ginkgo.By("deleting the pod")
+				return podClient.Delete(ctx, pod.Name, metav1.DeleteOptions{})
+			})
+
+			ginkgo.By("waiting for pod to be marked for restart")
+			gomega.Eventually(ctx, func() error {
+				pod, err := getPodByName(ctx, f, podName)
+				if err != nil {
+					return err
+				}
+				for _, cond := range pod.Status.Conditions {
+					if cond.Type == v1.AllContainersRestarting && cond.Status == v1.ConditionTrue {
+						return nil
+					}
+				}
+				return fmt.Errorf("pod not marked for restart")
+			}, 2*time.Minute, 1*time.Second).Should(gomega.Succeed())
+
+			ginkgo.By("waiting for pod cleanup finish")
+			gomega.Eventually(ctx, func() error {
+				pod, err := getPodByName(ctx, f, podName)
+				if err != nil {
+					return err
+				}
+				for _, cond := range pod.Status.Conditions {
+					if cond.Type == v1.AllContainersRestarting && cond.Status == v1.ConditionFalse {
+						return nil
+					}
+				}
+				return fmt.Errorf("pod cleanup not finished")
+			}, 2*time.Minute, 1*time.Second).Should(gomega.Succeed())
+
+			ginkgo.By("restarting kubelet")
+			restartKubelet := mustStopKubelet(ctx, f)
+			restartKubelet(ctx)
+
+			ginkgo.By("waiting for containers to restart")
+			gomega.Eventually(ctx, func() error {
+				pod, err := getPodByName(ctx, f, podName)
+				if err != nil {
+					return err
+				}
+				restartedContainers := 0
+				runningContainers := 0
+				for _, c := range pod.Status.ContainerStatuses {
+					if c.RestartCount > 0 {
+						restartedContainers++
+					}
+					if c.State.Running != nil {
+						runningContainers++
+					}
+				}
+				if restartedContainers < containerCount+1 {
+					return fmt.Errorf("not all containers have restarted")
+				}
+				if runningContainers < containerCount+1 {
+					return fmt.Errorf("not all containers are running")
+				}
+				return nil
+			}, 3*time.Minute, f.Timeouts.Poll).Should(gomega.Succeed())
+		})
+	})
diff --git a/test/e2e_node/runtime_conformance_test.go b/test/e2e_node/runtime_conformance_test.go
index 0aa256d40030f..bf491e76ab441 100644
--- a/test/e2e_node/runtime_conformance_test.go
+++ b/test/e2e_node/runtime_conformance_test.go
@@ -21,13 +21,14 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"time"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/kubelet/images"
 	"k8s.io/kubernetes/test/e2e/common/node"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eregistry "k8s.io/kubernetes/test/e2e/framework/registry"
 	"k8s.io/kubernetes/test/e2e_node/services"
 	admissionapi "k8s.io/pod-security-admission/api"
 
@@ -36,57 +37,73 @@ import (
 
 var _ = SIGDescribe("Container Runtime Conformance Test", func() {
 	f := framework.NewDefaultFramework("runtime-conformance")
-	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged // custom registry pods need HostPorts
 
 	ginkgo.Describe("container runtime conformance blackbox test", func() {
 
 		ginkgo.Context("when running a container with a new image", func() {
-			// The service account only has pull permission
-			auth := `
-{
-	"auths": {
-		"https://gcr.io": {
-			"auth": "X2pzb25fa2V5OnsKICAidHlwZSI6ICJzZXJ2aWNlX2FjY291bnQiLAogICJwcm9qZWN0X2lkIjogImF1dGhlbnRpY2F0ZWQtaW1hZ2UtcHVsbGluZyIsCiAgInByaXZhdGVfa2V5X2lkIjogImI5ZjJhNjY0YWE5YjIwNDg0Y2MxNTg2MDYzZmVmZGExOTIyNGFjM2IiLAogICJwcml2YXRlX2tleSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzdTSG5LVEVFaVlMamZcbkpmQVBHbUozd3JCY2VJNTBKS0xxS21GWE5RL3REWGJRK2g5YVl4aldJTDhEeDBKZTc0bVovS01uV2dYRjVLWlNcbm9BNktuSU85Yi9SY1NlV2VpSXRSekkzL1lYVitPNkNjcmpKSXl4anFWam5mVzJpM3NhMzd0OUE5VEZkbGZycm5cbjR6UkpiOWl4eU1YNGJMdHFGR3ZCMDNOSWl0QTNzVlo1ODhrb1FBZmgzSmhhQmVnTWorWjRSYko0aGVpQlFUMDNcbnZVbzViRWFQZVQ5RE16bHdzZWFQV2dydDZOME9VRGNBRTl4bGNJek11MjUzUG4vSzgySFpydEx4akd2UkhNVXhcbng0ZjhwSnhmQ3h4QlN3Z1NORit3OWpkbXR2b0wwRmE3ZGducFJlODZWRDY2ejNZenJqNHlLRXRqc2hLZHl5VWRcbkl5cVhoN1JSQWdNQkFBRUNnZ0VBT3pzZHdaeENVVlFUeEFka2wvSTVTRFVidi9NazRwaWZxYjJEa2FnbmhFcG9cbjFJajJsNGlWMTByOS9uenJnY2p5VlBBd3pZWk1JeDFBZVF0RDdoUzRHWmFweXZKWUc3NkZpWFpQUm9DVlB6b3VcbmZyOGRDaWFwbDV0enJDOWx2QXNHd29DTTdJWVRjZmNWdDdjRTEyRDNRS3NGNlo3QjJ6ZmdLS251WVBmK0NFNlRcbmNNMHkwaCtYRS9kMERvSERoVy96YU1yWEhqOFRvd2V1eXRrYmJzNGYvOUZqOVBuU2dET1lQd2xhbFZUcitGUWFcbkpSd1ZqVmxYcEZBUW14M0Jyd25rWnQzQ2lXV2lGM2QrSGk5RXRVYnRWclcxYjZnK1JRT0licWFtcis4YlJuZFhcbjZWZ3FCQWtKWjhSVnlkeFVQMGQxMUdqdU9QRHhCbkhCbmM0UW9rSXJFUUtCZ1FEMUNlaWN1ZGhXdGc0K2dTeGJcbnplanh0VjFONDFtZHVjQnpvMmp5b1dHbzNQVDh3ckJPL3lRRTM0cU9WSi9pZCs4SThoWjRvSWh1K0pBMDBzNmdcblRuSXErdi9kL1RFalk4MW5rWmlDa21SUFdiWHhhWXR4UjIxS1BYckxOTlFKS2ttOHRkeVh5UHFsOE1veUdmQ1dcbjJ2aVBKS05iNkhabnY5Q3lqZEo5ZzJMRG5RS0JnUUREcVN2eURtaGViOTIzSW96NGxlZ01SK205Z2xYVWdTS2dcbkVzZlllbVJmbU5XQitDN3ZhSXlVUm1ZNU55TXhmQlZXc3dXRldLYXhjK0krYnFzZmx6elZZdFpwMThNR2pzTURcbmZlZWZBWDZCWk1zVXQ3Qmw3WjlWSjg1bnRFZHFBQ0xwWitaLzN0SVJWdWdDV1pRMWhrbmxHa0dUMDI0SkVFKytcbk55SDFnM2QzUlFLQmdRQ1J2MXdKWkkwbVBsRklva0tGTkh1YTBUcDNLb1JTU1hzTURTVk9NK2xIckcxWHJtRjZcbkMwNGNTKzQ0N0dMUkxHOFVUaEpKbTRxckh0Ti9aK2dZOTYvMm1xYjRIakpORDM3TVhKQnZFYTN5ZUxTOHEvK1JcbjJGOU1LamRRaU5LWnhQcG84VzhOSlREWTVOa1BaZGh4a2pzSHdVNGRTNjZwMVRESUU0MGd0TFpaRFFLQmdGaldcbktyblFpTnEzOS9iNm5QOFJNVGJDUUFKbmR3anhTUU5kQTVmcW1rQTlhRk9HbCtqamsxQ1BWa0tNSWxLSmdEYkpcbk9heDl2OUc2Ui9NSTFIR1hmV3QxWU56VnRocjRIdHNyQTB0U3BsbWhwZ05XRTZWejZuQURqdGZQSnMyZUdqdlhcbmpQUnArdjhjY21MK3dTZzhQTGprM3ZsN2VlNXJsWWxNQndNdUdjUHhBb0dBZWRueGJXMVJMbVZubEFpSEx1L0xcbmxtZkF3RFdtRWlJMFVnK1BMbm9Pdk81dFE1ZDRXMS94RU44bFA0cWtzcGtmZk1Rbk5oNFNZR0VlQlQzMlpxQ1RcbkpSZ2YwWGpveXZ2dXA5eFhqTWtYcnBZL3ljMXpmcVRaQzBNTzkvMVVjMWJSR2RaMmR5M2xSNU5XYXA3T1h5Zk9cblBQcE5Gb1BUWGd2M3FDcW5sTEhyR3pNPVxuLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLVxuIiwKICAiY2xpZW50X2VtYWlsIjogImltYWdlLXB1bGxpbmdAYXV0aGVudGljYXRlZC1pbWFnZS1wdWxsaW5nLmlhbS5nc2VydmljZWFjY291bnQuY29tIiwKICAiY2xpZW50X2lkIjogIjExMzc5NzkxNDUzMDA3MzI3ODcxMiIsCiAgImF1dGhfdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi9hdXRoIiwKICAidG9rZW5fdXJpIjogImh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsCiAgImF1dGhfcHJvdmlkZXJfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjEvY2VydHMiLAogICJjbGllbnRfeDUwOV9jZXJ0X3VybCI6ICJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9yb2JvdC92MS9tZXRhZGF0YS94NTA5L2ltYWdlLXB1bGxpbmclNDBhdXRoZW50aWNhdGVkLWltYWdlLXB1bGxpbmcuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iCn0=",
-			"email": "image-pulling@authenticated-image-pulling.iam.gserviceaccount.com"
-		}
-	}
-}`
 			// The following images are not added into NodePrePullImageList, because this test is
 			// testing image pulling, these images don't need to be prepulled. The ImagePullPolicy
 			// is v1.PullAlways, so it won't be blocked by framework image pre-pull list check.
 			for _, testCase := range []struct {
-				description string
-				image       string
-				phase       v1.PodPhase
-				waiting     bool
+				description  string
+				image        string
+				setupRegisty bool
+				phase        v1.PodPhase
+				waiting      bool
 			}{
 				{
-					description: "should be able to pull from private registry with credential provider",
-					image:       "gcr.io/authenticated-image-pulling/alpine:3.7",
-					phase:       v1.PodRunning,
-					waiting:     false,
+					description:  "should be able to pull from private registry with credential provider",
+					image:        "pause:testing",
+					setupRegisty: true,
+					phase:        v1.PodRunning,
+					waiting:      false,
 				},
 			} {
-				testCase := testCase
-				f.It(testCase.description+"", f.WithNodeConformance(), func(ctx context.Context) {
+				var registryAddress string
+				var podNodes []string
+				ginkgo.BeforeEach(func(ctx context.Context) {
+					var err error
+					if !testCase.setupRegisty {
+						return
+					}
+
+					registryAddress, podNodes, err = e2eregistry.SetupRegistry(ctx, f, true)
+					framework.ExpectNoError(err)
+					// we need to wait for the registry to be removed and so we need to delete the whole NS ourselves
+					ginkgo.DeferCleanup(func(ctx context.Context) {
+						f.DeleteNamespace(ctx, f.Namespace.Name)
+					})
+				})
+
+				f.It(testCase.description+"", f.WithNodeConformance(), f.WithDisruptive(), f.WithSerial(), func(ctx context.Context) {
 					name := "image-pull-test"
-					command := []string{"/bin/sh", "-c", "while true; do sleep 1; done"}
 					container := node.ConformanceContainer{
 						PodClient: e2epod.NewPodClient(f),
 						Container: v1.Container{
-							Name:    name,
-							Image:   testCase.image,
-							Command: command,
+							Name:  name,
+							Image: registryAddress + "/" + testCase.image,
 							// PullAlways makes sure that the image will always be pulled even if it is present before the test.
 							ImagePullPolicy: v1.PullAlways,
 						},
 						RestartPolicy: v1.RestartPolicyNever,
 					}
+					if testCase.setupRegisty {
+						container.NodeName = podNodes[0]
+					}
 
+					auth := e2eregistry.User1DockerSecret(registryAddress).Data[v1.DockerConfigJsonKey]
 					configFile := filepath.Join(services.KubeletRootDirectory, "config.json")
+
+					// the kubelet would cache the config for 5 minutes, let's restart instead
+					restartKubelet(context.Background(), true)
+
 					err := os.WriteFile(configFile, []byte(auth), 0644)
 					framework.ExpectNoError(err)
-					defer os.Remove(configFile)
+					ginkgo.DeferCleanup(func() {
+						framework.ExpectNoError(os.Remove(configFile))
+						framework.ExpectNoError(os.RemoveAll(filepath.Join(services.KubeletRootDirectory, "image_manager")))
+					})
 
 					// checkContainerStatus checks whether the container status matches expectation.
 					checkContainerStatus := func(ctx context.Context) error {
@@ -125,29 +142,28 @@ var _ = SIGDescribe("Container Runtime Conformance Test", func() {
 						}
 						return nil
 					}
-					// The image registry is not stable, which sometimes causes the test to fail. Add retry mechanism to make this
-					// less flaky.
-					const flakeRetry = 3
-					for i := 1; i <= flakeRetry; i++ {
-						var err error
-						ginkgo.By("create the container")
-						container.Create(ctx)
-						ginkgo.By("check the container status")
-						for start := time.Now(); time.Since(start) < node.ContainerStatusRetryTimeout; time.Sleep(node.ContainerStatusPollInterval) {
-							if err = checkContainerStatus(ctx); err == nil {
-								break
-							}
-						}
-						ginkgo.By("delete the container")
-						_ = container.Delete(ctx)
-						if err == nil {
-							break
+
+					ginkgo.By("create the container")
+					container.Create(ctx)
+					ginkgo.DeferCleanup(func(ctx context.Context) {
+						ginkgo.By("delete the conformance container")
+						if err := container.Delete(ctx); err != nil {
+							framework.Logf("error deleting a conformance container: %v", err)
 						}
-						if i < flakeRetry {
-							framework.Logf("No.%d attempt failed: %v, retrying...", i, err)
-						} else {
-							framework.Failf("All %d attempts failed: %v", flakeRetry, err)
+					})
+
+					ginkgo.By("check the container status")
+					var latestErr error
+					err = wait.PollUntilContextTimeout(ctx, node.ContainerStatusPollInterval, node.ContainerStatusRetryTimeout, true, func(ctx context.Context) (bool, error) {
+						if latestErr = checkContainerStatus(ctx); latestErr != nil {
+							return false, nil
 						}
+						return true, nil
+					})
+					if err != nil {
+						credsContent, readErr := os.ReadFile(configFile)
+						framework.Logf("credentials read error: %v; credentials used:\n%v", readErr, credsContent)
+						framework.Failf("Failed to read container status: %v; last observed error from wait loop: %v", err, latestErr)
 					}
 				})
 			}
diff --git a/test/e2e_node/standalone_test.go b/test/e2e_node/standalone_test.go
index 51cf0b8f3c293..36c77ea67c42a 100644
--- a/test/e2e_node/standalone_test.go
+++ b/test/e2e_node/standalone_test.go
@@ -24,27 +24,151 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/cli-runtime/pkg/printers"
 	"k8s.io/kubernetes/pkg/cluster/ports"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
+	testutils "k8s.io/kubernetes/test/utils"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	testutils "k8s.io/kubernetes/test/utils"
 )
 
+var _ = SIGDescribe(feature.StandaloneMode, framework.WithFeatureGate(features.EnvFiles), func() {
+	f := framework.NewDefaultFramework("static-pod-envfiles")
+	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	ginkgo.Context("when creating a static pod with EnvFiles", func() {
+		var ns, podPath, staticPodName string
+
+		ginkgo.It("the pod should be running and consume variables", func(ctx context.Context) {
+			ns = f.Namespace.Name
+			staticPodName = "static-pod-envfiles-" + string(uuid.NewUUID())
+			podPath = kubeletCfg.StaticPodPath
+
+			podSpec := &v1.Pod{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Pod",
+					APIVersion: "v1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      staticPodName,
+					Namespace: ns,
+				},
+				Spec: v1.PodSpec{
+					InitContainers: []v1.Container{
+						{
+							Name:    "setup-envfile",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"sh", "-c", `echo CONFIG_1=\'value1\' > /data/config.env && echo CONFIG_2=\'value2\' >> /data/config.env`},
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "config",
+									MountPath: "/data",
+								},
+							},
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:    "use-envfile",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"sh", "-c", "env | grep -E '(CONFIG_1|CONFIG_2)' | sort"},
+							Env: []v1.EnvVar{
+								{
+									Name: "CONFIG_1",
+									ValueFrom: &v1.EnvVarSource{
+										FileKeyRef: &v1.FileKeySelector{
+											VolumeName: "config",
+											Path:       "config.env",
+											Key:        "CONFIG_1",
+										},
+									},
+								},
+								{
+									Name: "CONFIG_2",
+									ValueFrom: &v1.EnvVarSource{
+										FileKeyRef: &v1.FileKeySelector{
+											VolumeName: "config",
+											Path:       "config.env",
+											Key:        "CONFIG_2",
+										},
+									},
+								},
+							},
+						},
+					},
+					RestartPolicy: v1.RestartPolicyNever,
+					Volumes: []v1.Volume{
+						{
+							Name: "config",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			}
+
+			err := scheduleStaticPod(podPath, staticPodName, ns, podSpec)
+			framework.ExpectNoError(err)
+
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				pod, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+				if err != nil {
+					return fmt.Errorf("error getting pod(%v/%v) from standalone kubelet: %w", ns, staticPodName, err)
+				}
+				if pod.Status.Phase == v1.PodSucceeded {
+					return nil
+				}
+				if pod.Status.Phase == v1.PodFailed {
+					logs, err := getPodLogsFromStandaloneKubelet(ctx, ns, staticPodName, "use-envfile")
+					if err != nil {
+						framework.Logf("failed to get logs on pod failure: %v", err)
+					}
+					return fmt.Errorf("pod (%v/%v) failed, logs: %s", ns, staticPodName, logs)
+				}
+				return fmt.Errorf("pod (%v/%v) is not succeeded, phase: %s", ns, staticPodName, pod.Status.Phase)
+			}, f.Timeouts.PodStart, time.Second*5).Should(gomega.Succeed())
+
+			logs, err := getPodLogsFromStandaloneKubelet(ctx, ns, staticPodName, "use-envfile")
+			framework.ExpectNoError(err)
+
+			gomega.Expect(logs).To(gomega.ContainSubstring("CONFIG_1=value1"))
+			gomega.Expect(logs).To(gomega.ContainSubstring("CONFIG_2=value2"))
+		})
+
+		ginkgo.AfterEach(func(ctx context.Context) {
+			ginkgo.By(fmt.Sprintf("delete the static pod (%v/%v)", ns, staticPodName))
+			err := deleteStaticPod(podPath, staticPodName, ns)
+			framework.ExpectNoError(err)
+
+			ginkgo.By(fmt.Sprintf("wait for pod to disappear (%v/%v)", ns, staticPodName))
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				_, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+
+				if apierrors.IsNotFound(err) {
+					return nil
+				}
+				return fmt.Errorf("pod (%v/%v) still exists", ns, staticPodName)
+			}).Should(gomega.Succeed())
+		})
+	})
+})
+
 var _ = SIGDescribe(feature.StandaloneMode, func() {
 	f := framework.NewDefaultFramework("static-pod")
 	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
@@ -212,6 +336,110 @@ var _ = SIGDescribe(feature.StandaloneMode, func() {
 	})
 })
 
+var _ = SIGDescribe("Pod Extended (RestartAllContainers)",
+	feature.StandaloneMode,
+	framework.WithFeatureGate(features.ContainerRestartRules),
+	framework.WithFeatureGate(features.RestartAllContainersOnContainerExits),
+	func() {
+		f := framework.NewDefaultFramework("static-pod")
+		f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+		ginkgo.It("should restart all containers on regular container exit", func(ctx context.Context) {
+			ns := f.Namespace.Name
+			staticPodName := "static-pod-" + string(uuid.NewUUID())
+			podPath := kubeletCfg.StaticPodPath
+			var (
+				containerRestartPolicyAlways = v1.ContainerRestartPolicyAlways
+				containerRestartPolicyNever  = v1.ContainerRestartPolicyNever
+			)
+			restartAllContainersRules := []v1.ContainerRestartRule{
+				{
+					Action: v1.ContainerRestartRuleActionRestartAllContainers,
+					ExitCodes: &v1.ContainerRestartRuleOnExitCodes{
+						Operator: v1.ContainerRestartRuleOnExitCodesOpIn,
+						Values:   []int32{42},
+					},
+				},
+			}
+			pod := &v1.Pod{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Pod",
+					APIVersion: "v1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      staticPodName,
+					Namespace: ns,
+				},
+				Spec: v1.PodSpec{
+					RestartPolicy: v1.RestartPolicyNever,
+					InitContainers: []v1.Container{
+						{
+							Name:    "init",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "exit 0"},
+						},
+						{
+							Name:          "sidecar",
+							Image:         imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:       []string{"/bin/sh", "-c", "sleep 10000"},
+							RestartPolicy: &containerRestartPolicyAlways,
+						},
+					},
+					Containers: []v1.Container{
+						{
+							Name:               "source-container",
+							Image:              imageutils.GetE2EImage(imageutils.BusyBox),
+							Command:            []string{"/bin/sh", "-c", "sleep 60; exit 42"},
+							RestartPolicy:      &containerRestartPolicyNever,
+							RestartPolicyRules: restartAllContainersRules,
+						},
+						{
+							Name:    "regular",
+							Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+							Command: []string{"/bin/sh", "-c", "sleep 10000"},
+						},
+					},
+				},
+			}
+
+			err := scheduleStaticPod(podPath, staticPodName, ns, pod)
+			framework.ExpectNoError(err)
+
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				pod, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+				if err != nil {
+					return fmt.Errorf("error getting pod(%v/%v) from standalone kubelet: %w", ns, staticPodName, err)
+				}
+
+				isReady, err := testutils.PodRunningReady(pod)
+				if err != nil {
+					return fmt.Errorf("error checking if pod (%v/%v) is running ready: %w", ns, staticPodName, err)
+				}
+				if !isReady {
+					return fmt.Errorf("pod (%v/%v) is not running", ns, staticPodName)
+				}
+				return nil
+			}, f.Timeouts.PodStart, f.Timeouts.Poll).Should(gomega.Succeed())
+
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				pod, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+				if err != nil {
+					return fmt.Errorf("error getting pod(%v/%v) from standalone kubelet: %w", ns, staticPodName, err)
+				}
+				for _, c := range pod.Status.InitContainerStatuses {
+					if c.RestartCount == 0 {
+						return fmt.Errorf("init container %v has not restarted", c.Name)
+					}
+				}
+				for _, c := range pod.Status.ContainerStatuses {
+					if c.RestartCount == 0 {
+						return fmt.Errorf("container %v has not restarted", c.Name)
+					}
+				}
+				return nil
+			}, 10*time.Minute, f.Timeouts.Poll).Should(gomega.Succeed())
+		})
+	})
+
 func createBasicStaticPodSpec(name, namespace string) *v1.Pod {
 	podSpec := &v1.Pod{
 		TypeMeta: metav1.TypeMeta{
@@ -315,6 +543,36 @@ func getPodFromStandaloneKubelet(ctx context.Context, podNamespace string, podNa
 	return nil, apierrors.NewNotFound(schema.GroupResource{Resource: "pods"}, podName)
 }
 
+func getPodLogsFromStandaloneKubelet(ctx context.Context, podNamespace string, podName string, containerName string) (string, error) {
+	pod, err := getPodFromStandaloneKubelet(ctx, podNamespace, podName)
+	if err != nil {
+		return "", fmt.Errorf("failed to get pod %s/%s: %w", podNamespace, podName, err)
+	}
+
+	logCRIDir := "/var/log/pods"
+	podLogDir := filepath.Join(logCRIDir, fmt.Sprintf("%s_%s_%s", pod.Namespace, pod.Name, pod.UID))
+	logFile := filepath.Join(podLogDir, containerName, "0.log")
+
+	var content []byte
+	err = wait.PollUntilContextTimeout(ctx, time.Second, time.Minute, true, func(ctx context.Context) (bool, error) {
+		var errRead error
+		content, errRead = os.ReadFile(logFile)
+		if errRead != nil {
+			if os.IsNotExist(errRead) {
+				return false, nil
+			}
+			return false, errRead
+		}
+		return true, nil
+	})
+
+	if err != nil {
+		return "", fmt.Errorf("could not read log file %s: %w", logFile, err)
+	}
+
+	return string(content), nil
+}
+
 // Decodes the http response from /configz and returns a kubeletconfig.KubeletConfiguration (internal type).
 func decodePods(respBody []byte) (*v1.PodList, error) {
 	// This hack because /pods reports the following structure:
@@ -328,3 +586,78 @@ func decodePods(respBody []byte) (*v1.PodList, error) {
 
 	return &pods, nil
 }
+
+var _ = SIGDescribe(feature.StandaloneMode, framework.WithSerial(), func() {
+	f := framework.NewDefaultFramework("static-pod-serial")
+	f.NamespacePodSecurityLevel = admissionapi.LevelBaseline
+	ginkgo.Context("when creating a static pod and restarting kubelet", func() {
+		var ns, podPath, staticPodName string
+
+		ginkgo.BeforeEach(func() {
+			ns = f.Namespace.Name
+			staticPodName = "static-pod-" + string(uuid.NewUUID())
+			podPath = kubeletCfg.StaticPodPath
+		})
+
+		ginkgo.AfterEach(func(ctx context.Context) {
+			ginkgo.By(fmt.Sprintf("delete the static pod (%v/%v)", ns, staticPodName))
+			err := deleteStaticPod(podPath, staticPodName, ns)
+			framework.ExpectNoError(err)
+
+			ginkgo.By(fmt.Sprintf("wait for pod to disappear (%v/%v)", ns, staticPodName))
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				_, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+
+				if apierrors.IsNotFound(err) {
+					return nil
+				}
+				return fmt.Errorf("pod (%v/%v) still exists", ns, staticPodName)
+			}).Should(gomega.Succeed())
+		})
+
+		ginkgo.It("the pod should be running and kubelet not panic", func(ctx context.Context) {
+			err := scheduleStaticPod(podPath, staticPodName, ns, createBasicStaticPodSpec(staticPodName, ns))
+			framework.ExpectNoError(err)
+
+			ginkgo.By("Waiting for the pod to be running")
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				pod, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+				if err != nil {
+					return fmt.Errorf("error getting pod(%v/%v) from standalone kubelet: %w", ns, staticPodName, err)
+				}
+
+				isReady, err := testutils.PodRunningReady(pod)
+				if err != nil {
+					return fmt.Errorf("error checking if pod (%v/%v) is running ready: %w", ns, staticPodName, err)
+				}
+				if !isReady {
+					return fmt.Errorf("pod (%v/%v) is not running", ns, staticPodName)
+				}
+				return nil
+			}, f.Timeouts.PodStart, time.Second*5).Should(gomega.Succeed())
+
+			ginkgo.By("restarting the kubelet")
+			restartKubelet(ctx, true)
+
+			gomega.Eventually(ctx, func() bool {
+				return kubeletHealthCheck(kubeletHealthCheckURL)
+			}, f.Timeouts.PodStart, f.Timeouts.Poll).Should(gomega.BeTrueBecause("kubelet should be started"))
+
+			ginkgo.By("ensuring that pod is running")
+			gomega.Eventually(ctx, func(ctx context.Context) error {
+				pod, err := getPodFromStandaloneKubelet(ctx, ns, staticPodName)
+				if err != nil {
+					return fmt.Errorf("error getting pod(%v/%v) from standalone kubelet: %w", ns, staticPodName, err)
+				}
+				isReady, err := testutils.PodRunningReady(pod)
+				if err != nil {
+					return fmt.Errorf("error checking if pod (%v/%v) is running ready: %w", ns, staticPodName, err)
+				}
+				if !isReady {
+					return fmt.Errorf("pod (%v/%v) is not running", ns, staticPodName)
+				}
+				return nil
+			}, f.Timeouts.PodStart, time.Second*30).Should(gomega.Succeed())
+		})
+	})
+})
diff --git a/test/e2e_node/summary_test.go b/test/e2e_node/summary_test.go
index ff0c1f3bdc079..08b4dbf92b9df 100644
--- a/test/e2e_node/summary_test.go
+++ b/test/e2e_node/summary_test.go
@@ -30,7 +30,6 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	kubeletstatsv1alpha1 "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 	"k8s.io/kubernetes/pkg/features"
-	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2ekubectl "k8s.io/kubernetes/test/e2e/framework/kubectl"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
@@ -368,11 +367,8 @@ var _ = SIGDescribe("Summary API", framework.WithNodeConformance(), func() {
 		})
 	})
 
-	framework.Context("when querying /stats/summary under pressure", feature.KubeletPSI, framework.WithSerial(), func() {
+	framework.Context("when querying /stats/summary under pressure", framework.WithSerial(), framework.WithNodeConformance(), framework.WithFeatureGate(features.KubeletPSI), func() {
 		ginkgo.BeforeEach(func() {
-			if !utilfeature.DefaultFeatureGate.Enabled(features.KubeletPSI) {
-				ginkgo.Skip("KubeletPSI feature gate is not enabled")
-			}
 			if !IsCgroup2UnifiedMode() {
 				ginkgo.Skip("Skipping since CgroupV2 not used")
 			}
@@ -381,7 +377,16 @@ var _ = SIGDescribe("Summary API", framework.WithNodeConformance(), func() {
 		ginkgo.It("should report CPU pressure in PSI metrics", func(ctx context.Context) {
 			podName := "cpu-pressure-pod"
 			ginkgo.By("Creating a pod to generate CPU pressure")
-			pod := e2epod.NewPodClient(f).Create(ctx, getStressTestPod(podName, "cpu-stress", []string{"stress", "--cpus", "1"}))
+			podSpec := getStressTestPod(podName, "cpu-stress", []string{"stress", "--cpus", "1"})
+			podSpec.Spec.Containers[0].Resources = v1.ResourceRequirements{
+				Limits: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("500m"),
+				},
+				Requests: v1.ResourceList{
+					v1.ResourceCPU: resource.MustParse("500m"),
+				},
+			}
+			pod := e2epod.NewPodClient(f).Create(ctx, podSpec)
 
 			ginkgo.By("Waiting for the pod to start")
 			framework.ExpectNoError(e2epod.WaitForPodRunningInNamespace(ctx, f.ClientSet, pod))
diff --git a/test/e2e_node/terminate_pods_test.go b/test/e2e_node/terminate_pods_test.go
index 9d72caeb46cab..b5de26f52c026 100644
--- a/test/e2e_node/terminate_pods_test.go
+++ b/test/e2e_node/terminate_pods_test.go
@@ -78,7 +78,7 @@ var _ = SIGDescribe("Terminate Pods", func() {
 				}
 			}
 			return false
-		}, 20*time.Second, 1*time.Second).Should(gomega.BeTrueBecause("expected container to be ready"))
+		}, 20*time.Second, 1*time.Second).Should(gomega.BeTrueBecause("expected container to be not ready"))
 
 		err := client.Delete(context.Background(), pod.Name, metav1.DeleteOptions{})
 
diff --git a/test/e2e_node/topology_manager_test.go b/test/e2e_node/topology_manager_test.go
index 6e95503e14b60..ac020e7a4f5af 100644
--- a/test/e2e_node/topology_manager_test.go
+++ b/test/e2e_node/topology_manager_test.go
@@ -1453,3 +1453,296 @@ var _ = SIGDescribe("Topology Manager", framework.WithSerial(), feature.Topology
 		runPreferClosestNUMATests(f)
 	})
 })
+
+func runGuPodTest(ctx context.Context, f *framework.Framework, cpuCount int, strictReservedCPUs cpuset.CPUSet) {
+	var pod *v1.Pod
+
+	ctnAttrs := []ctnAttribute{
+		{
+			ctnName:    "gu-container",
+			cpuRequest: fmt.Sprintf("%dm", 1000*cpuCount),
+			cpuLimit:   fmt.Sprintf("%dm", 1000*cpuCount),
+		},
+	}
+	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
+	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	// any full CPU is fine - we cannot nor we should predict which one, though
+	for _, cnt := range pod.Spec.Containers {
+		ginkgo.By(fmt.Sprintf("validating the container %s on Gu pod %s", cnt.Name, pod.Name))
+
+		logs, err := e2epod.GetPodLogs(ctx, f.ClientSet, f.Namespace.Name, pod.Name, cnt.Name)
+		framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]", cnt.Name, pod.Name)
+
+		cpus := getContainerAllowedCPUsFromLogs(pod.Name, cnt.Name, logs)
+
+		gomega.Expect(cpus.Size()).To(gomega.Equal(cpuCount), "expected cpu set size == %d, got %q", cpuCount, cpus.String())
+		gomega.Expect(cpus.Intersection(strictReservedCPUs).IsEmpty()).To(gomega.BeTrueBecause("cpuset %q should not contain strict reserved cpus %q", cpus.String(), strictReservedCPUs.String()))
+	}
+
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod.Name})
+	waitForAllContainerRemoval(ctx, pod.Name, pod.Namespace)
+}
+
+func runNonGuPodTest(ctx context.Context, f *framework.Framework, cpuCap int64, strictReservedCPUs cpuset.CPUSet) {
+	var ctnAttrs []ctnAttribute
+	var err error
+	var pod *v1.Pod
+	var expAllowedCPUsListRegex string
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "non-gu-container",
+			cpuRequest: "100m",
+			cpuLimit:   "200m",
+		},
+	}
+	pod = makeCPUManagerPod("non-gu-pod", ctnAttrs)
+	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	expAllowedCPUs, err := cpuset.Parse(fmt.Sprintf("0-%d", cpuCap-1))
+	framework.ExpectNoError(err)
+	expAllowedCPUs = expAllowedCPUs.Difference(strictReservedCPUs)
+	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", expAllowedCPUs.String())
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod.Spec.Containers[0].Name, pod.Name)
+
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod.Name})
+	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
+}
+
+func runMultipleGuNonGuPods(ctx context.Context, f *framework.Framework, cpuCap int64, cpuAlloc int64) {
+	var cpuListString, expAllowedCPUsListRegex string
+	var cpuList []int
+	var cpu1 int
+	var cset cpuset.CPUSet
+	var err error
+	var ctnAttrs []ctnAttribute
+	var pod1, pod2 *v1.Pod
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "gu-container",
+			cpuRequest: "1000m",
+			cpuLimit:   "1000m",
+		},
+	}
+	pod1 = makeCPUManagerPod("gu-pod", ctnAttrs)
+	pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "non-gu-container",
+			cpuRequest: "200m",
+			cpuLimit:   "300m",
+		},
+	}
+	pod2 = makeCPUManagerPod("non-gu-pod", ctnAttrs)
+	pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	cpu1 = 1
+	if isHTEnabled() {
+		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
+		cpu1 = cpuList[1]
+	} else if isMultiNUMA() {
+		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+		if len(cpuList) > 1 {
+			cpu1 = cpuList[1]
+		}
+	}
+	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu1)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod1.Name, pod1.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod1.Spec.Containers[0].Name, pod1.Name)
+
+	cpuListString = "0"
+	if cpuAlloc > 2 {
+		cset = mustParseCPUSet(fmt.Sprintf("0-%d", cpuCap-1))
+		cpuListString = cset.Difference(cpuset.New(cpu1)).String()
+	}
+	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", cpuListString)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod2.Name, pod2.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod2.Spec.Containers[0].Name, pod2.Name)
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod1.Name, pod2.Name})
+	waitForContainerRemoval(ctx, pod1.Spec.Containers[0].Name, pod1.Name, pod1.Namespace)
+	waitForContainerRemoval(ctx, pod2.Spec.Containers[0].Name, pod2.Name, pod2.Namespace)
+}
+
+func runMultipleCPUGuPod(ctx context.Context, f *framework.Framework) {
+	var cpuListString, expAllowedCPUsListRegex string
+	var cpuList []int
+	var cset cpuset.CPUSet
+	var err error
+	var ctnAttrs []ctnAttribute
+	var pod *v1.Pod
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "gu-container",
+			cpuRequest: "2000m",
+			cpuLimit:   "2000m",
+		},
+	}
+	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
+	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	cpuListString = "1-2"
+	if isMultiNUMA() {
+		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+		if len(cpuList) > 1 {
+			cset = mustParseCPUSet(getCPUSiblingList(int64(cpuList[1])))
+			if !isHTEnabled() && len(cpuList) > 2 {
+				cset = mustParseCPUSet(fmt.Sprintf("%d-%d", cpuList[1], cpuList[2]))
+			}
+			cpuListString = cset.String()
+		}
+	} else if isHTEnabled() {
+		cpuListString = "2-3"
+		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
+		if cpuList[1] != 1 {
+			cset = mustParseCPUSet(getCPUSiblingList(1))
+			cpuListString = cset.String()
+		}
+	}
+	expAllowedCPUsListRegex = fmt.Sprintf("^%s\n$", cpuListString)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod.Spec.Containers[0].Name, pod.Name)
+
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod.Name})
+	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
+}
+
+func runMultipleCPUContainersGuPod(ctx context.Context, f *framework.Framework) {
+	var expAllowedCPUsListRegex string
+	var cpuList []int
+	var cpu1, cpu2 int
+	var err error
+	var ctnAttrs []ctnAttribute
+	var pod *v1.Pod
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "gu-container1",
+			cpuRequest: "1000m",
+			cpuLimit:   "1000m",
+		},
+		{
+			ctnName:    "gu-container2",
+			cpuRequest: "1000m",
+			cpuLimit:   "1000m",
+		},
+	}
+	pod = makeCPUManagerPod("gu-pod", ctnAttrs)
+	pod = e2epod.NewPodClient(f).CreateSync(ctx, pod)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	cpu1, cpu2 = 1, 2
+	if isHTEnabled() {
+		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
+		if cpuList[1] != 1 {
+			cpu1, cpu2 = cpuList[1], 1
+		}
+		if isMultiNUMA() {
+			cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+			if len(cpuList) > 1 {
+				cpu2 = cpuList[1]
+			}
+		}
+	} else if isMultiNUMA() {
+		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+		if len(cpuList) > 2 {
+			cpu1, cpu2 = cpuList[1], cpuList[2]
+		}
+	}
+	expAllowedCPUsListRegex = fmt.Sprintf("^%d|%d\n$", cpu1, cpu2)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod.Spec.Containers[0].Name, pod.Name)
+
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod.Name, pod.Spec.Containers[1].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod.Spec.Containers[1].Name, pod.Name)
+
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod.Name})
+	waitForContainerRemoval(ctx, pod.Spec.Containers[0].Name, pod.Name, pod.Namespace)
+	waitForContainerRemoval(ctx, pod.Spec.Containers[1].Name, pod.Name, pod.Namespace)
+}
+
+func runMultipleGuPods(ctx context.Context, f *framework.Framework) {
+	var expAllowedCPUsListRegex string
+	var cpuList []int
+	var cpu1, cpu2 int
+	var err error
+	var ctnAttrs []ctnAttribute
+	var pod1, pod2 *v1.Pod
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "gu-container1",
+			cpuRequest: "1000m",
+			cpuLimit:   "1000m",
+		},
+	}
+	pod1 = makeCPUManagerPod("gu-pod1", ctnAttrs)
+	pod1 = e2epod.NewPodClient(f).CreateSync(ctx, pod1)
+
+	ctnAttrs = []ctnAttribute{
+		{
+			ctnName:    "gu-container2",
+			cpuRequest: "1000m",
+			cpuLimit:   "1000m",
+		},
+	}
+	pod2 = makeCPUManagerPod("gu-pod2", ctnAttrs)
+	pod2 = e2epod.NewPodClient(f).CreateSync(ctx, pod2)
+
+	ginkgo.By("checking if the expected cpuset was assigned")
+	cpu1, cpu2 = 1, 2
+	if isHTEnabled() {
+		cpuList = mustParseCPUSet(getCPUSiblingList(0)).List()
+		if cpuList[1] != 1 {
+			cpu1, cpu2 = cpuList[1], 1
+		}
+		if isMultiNUMA() {
+			cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+			if len(cpuList) > 1 {
+				cpu2 = cpuList[1]
+			}
+		}
+	} else if isMultiNUMA() {
+		cpuList = mustParseCPUSet(getCoreSiblingList(0)).List()
+		if len(cpuList) > 2 {
+			cpu1, cpu2 = cpuList[1], cpuList[2]
+		}
+	}
+	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu1)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod1.Name, pod1.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod1.Spec.Containers[0].Name, pod1.Name)
+
+	expAllowedCPUsListRegex = fmt.Sprintf("^%d\n$", cpu2)
+	err = e2epod.NewPodClient(f).MatchContainerOutput(ctx, pod2.Name, pod2.Spec.Containers[0].Name, expAllowedCPUsListRegex)
+	framework.ExpectNoError(err, "expected log not found in container [%s] of pod [%s]",
+		pod2.Spec.Containers[0].Name, pod2.Name)
+	ginkgo.By("by deleting the pods and waiting for container removal")
+	deletePods(ctx, f, []string{pod1.Name, pod2.Name})
+	waitForContainerRemoval(ctx, pod1.Spec.Containers[0].Name, pod1.Name, pod1.Namespace)
+	waitForContainerRemoval(ctx, pod2.Spec.Containers[0].Name, pod2.Name, pod2.Namespace)
+}
+
+func mustParseCPUSet(s string) cpuset.CPUSet {
+	res, err := cpuset.Parse(s)
+	framework.ExpectNoError(err)
+	return res
+}
diff --git a/test/e2e_node/user_namespaces_test.go b/test/e2e_node/user_namespaces_test.go
index 84cc3d65fc520..c576e0bf4e9b6 100644
--- a/test/e2e_node/user_namespaces_test.go
+++ b/test/e2e_node/user_namespaces_test.go
@@ -20,23 +20,39 @@ limitations under the License.
 package e2enode
 
 import (
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
+	"os/exec"
+	"os/user"
+	"strconv"
+	"strings"
 	"time"
 
+	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
 	kubefeatures "k8s.io/kubernetes/pkg/features"
 	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	"k8s.io/kubernetes/test/e2e/feature"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	e2eoutput "k8s.io/kubernetes/test/e2e/framework/pod/output"
 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 	admissionapi "k8s.io/pod-security-admission/api"
 )
 
+var (
+	customIDsPerPod int64 = 65536 * 2
+	// kubelet user used for userns mapping.
+	kubeletUserForUsernsMapping = "kubelet"
+	getsubuidsBinary            = "getsubids"
+)
+
 var _ = SIGDescribe("UserNamespaces", "[LinuxOnly]", feature.UserNamespacesSupport, framework.WithSerial(), func() {
 	f := framework.NewDefaultFramework("user-namespace-off-test")
 	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
@@ -48,6 +64,7 @@ var _ = SIGDescribe("UserNamespaces", "[LinuxOnly]", feature.UserNamespacesSuppo
 				initialConfig.FeatureGates = make(map[string]bool)
 			}
 			initialConfig.FeatureGates[string(kubefeatures.UserNamespacesSupport)] = false
+			initialConfig.FeatureGates[string(kubefeatures.ProcMountType)] = false
 		})
 		f.It("will fail to create a hostUsers=false pod", func(ctx context.Context) {
 			if on, ok := serviceFeatureGates[string(kubefeatures.UserNamespacesSupport)]; !ok || !on {
@@ -87,3 +104,100 @@ var _ = SIGDescribe("UserNamespaces", "[LinuxOnly]", feature.UserNamespacesSuppo
 		})
 	})
 })
+
+var _ = SIGDescribe("user namespaces kubeconfig tests", "[LinuxOnly]", feature.UserNamespacesSupport, framework.WithFeatureGate(kubefeatures.UserNamespacesSupport), framework.WithSerial(), func() {
+	f := framework.NewDefaultFramework("userns-kubeconfig")
+	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
+	f.Context("test config using userNamespaces.idsPerPod", func() {
+		ginkgo.BeforeEach(func() {
+			if hasMappings, err := hasKubeletUsernsMappings(); err != nil {
+				framework.Failf("failed to check kubelet user namespace mappings: %v", err)
+			} else if hasMappings {
+				// idsPerPod needs to be in sync with the kubelet's user namespace
+				// mappings. Let's skip the test if there are mappings present.
+				e2eskipper.Skipf("kubelet is configured with custom user namespace mappings, skipping test")
+			}
+		})
+
+		tempSetCurrentKubeletConfig(f, func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration) {
+			if initialConfig.UserNamespaces == nil {
+				initialConfig.UserNamespaces = &kubeletconfig.UserNamespaces{}
+			}
+			initialConfig.UserNamespaces.IDsPerPod = &customIDsPerPod
+		})
+		f.It("honors idsPerPod in userns pods", func(ctx context.Context) {
+			if !supportsUserNS(ctx, f) {
+				e2eskipper.Skipf("runtime does not support user namespaces")
+			}
+			falseVar := false
+			pod := &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{Name: "userns-pod" + string(uuid.NewUUID())},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:  "container",
+							Image: imageutils.GetE2EImage(imageutils.BusyBox),
+							// The third field is the mapping length, that must be equal to idsPerPod.
+							Command: []string{"awk", "NR != 1 { exit 1 } { print $3 }", "/proc/self/uid_map"},
+						},
+					},
+					HostUsers:     &falseVar,
+					RestartPolicy: v1.RestartPolicyNever,
+				},
+			}
+			expected := []string{strconv.FormatInt(customIDsPerPod, 10)}
+			e2eoutput.TestContainerOutput(ctx, f, "idsPerPod is configured correctly", pod, 0, expected)
+		})
+	})
+})
+
+func hasKubeletUsernsMappings() (bool, error) {
+	if _, err := user.Lookup(kubeletUserForUsernsMapping); err != nil {
+		var e user.UnknownUserError
+		if errors.As(err, &e) {
+			err = nil
+		}
+		return false, err
+	}
+	cmdBin, err := exec.LookPath(getsubuidsBinary)
+	if err != nil {
+		if errors.Is(err, exec.ErrNotFound) {
+			err = nil
+		}
+		return false, err
+	}
+	outUids, err := getsubids(cmdBin, kubeletUserForUsernsMapping)
+	if err != nil {
+		return false, err
+	}
+	if outUids == "" {
+		return false, nil
+	}
+	outGids, err := getsubids(cmdBin, "-g", kubeletUserForUsernsMapping)
+	if err != nil {
+		return false, err
+	}
+	if string(outUids) != string(outGids) {
+		return false, fmt.Errorf("user %q has different subuids and subgids: %q vs %q", kubeletUserForUsernsMapping, outUids, outGids)
+	}
+	return true, nil
+}
+
+// getsubids runs the getsubids command to fetch subuid mappings for a user.
+// If the command fails with "Error fetching ranges", it returns an empty string
+// to indicate that no subuid mappings were found, which is not considered an error.
+// Otherwise, it returns the output of the command as a string.
+// (e.g., "0: user 100000 65536")
+func getsubids(cmdBin string, cmdArgs ...string) (string, error) {
+	var stderr bytes.Buffer
+	cmd := exec.Command(cmdBin, cmdArgs...)
+	cmd.Stderr = &stderr
+	out, err := cmd.Output()
+	if err != nil {
+		if strings.TrimSpace(stderr.String()) == "Error fetching ranges" {
+			return "", nil // No subuid mappings found, this is not an error
+		}
+		return "", fmt.Errorf("failed to run %v: %w (stderr=%q)", cmd.Args, err, stderr.String())
+	}
+	return strings.TrimSpace(string(out)), nil
+}
diff --git a/test/e2e_node/util.go b/test/e2e_node/util.go
index c82191383359d..77d03f1756044 100644
--- a/test/e2e_node/util.go
+++ b/test/e2e_node/util.go
@@ -38,7 +38,6 @@ import (
 	"go.opentelemetry.io/otel/trace/noop"
 
 	v1 "k8s.io/api/core/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -64,7 +63,6 @@ import (
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2emetrics "k8s.io/kubernetes/test/e2e/framework/metrics"
 	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
-	e2enodekubelet "k8s.io/kubernetes/test/e2e_node/kubeletconfig"
 	imageutils "k8s.io/kubernetes/test/utils/image"
 
 	"github.com/onsi/ginkgo/v2"
@@ -166,12 +164,6 @@ func getV1NodeDevices(ctx context.Context) (*kubeletpodresourcesv1.ListPodResour
 	return resp, nil
 }
 
-// Returns the current KubeletConfiguration
-func getCurrentKubeletConfig(ctx context.Context) (*kubeletconfig.KubeletConfiguration, error) {
-	// namespace only relevant if useProxy==true, so we don't bother
-	return e2enodekubelet.GetCurrentKubeletConfig(ctx, framework.TestContext.NodeName, "", false, framework.TestContext.StandaloneMode)
-}
-
 func addAfterEachForCleaningUpPods(f *framework.Framework) {
 	ginkgo.AfterEach(func(ctx context.Context) {
 		ginkgo.By("Deleting any Pods created by the test in namespace: " + f.Namespace.Name)
@@ -187,50 +179,6 @@ func addAfterEachForCleaningUpPods(f *framework.Framework) {
 	})
 }
 
-// Must be called within a Context. Allows the function to modify the KubeletConfiguration during the BeforeEach of the context.
-// The change is reverted in the AfterEach of the context.
-func tempSetCurrentKubeletConfig(f *framework.Framework, updateFunction func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration)) {
-	var oldCfg *kubeletconfig.KubeletConfiguration
-
-	ginkgo.BeforeEach(func(ctx context.Context) {
-		var err error
-		oldCfg, err = getCurrentKubeletConfig(ctx)
-		framework.ExpectNoError(err)
-
-		newCfg := oldCfg.DeepCopy()
-		updateFunction(ctx, newCfg)
-		if apiequality.Semantic.DeepEqual(*newCfg, *oldCfg) {
-			return
-		}
-
-		updateKubeletConfig(ctx, f, newCfg, true)
-	})
-
-	ginkgo.AfterEach(func(ctx context.Context) {
-		if oldCfg != nil {
-			// Update the Kubelet configuration.
-			updateKubeletConfig(ctx, f, oldCfg, true)
-		}
-	})
-}
-
-func updateKubeletConfig(ctx context.Context, f *framework.Framework, kubeletConfig *kubeletconfig.KubeletConfiguration, deleteStateFiles bool) {
-	// Update the Kubelet configuration.
-	ginkgo.By("Stopping the kubelet")
-	restartKubelet := mustStopKubelet(ctx, f)
-
-	// Delete CPU and memory manager state files to be sure it will not prevent the kubelet restart
-	if deleteStateFiles {
-		deleteStateFile(cpuManagerStateFile)
-		deleteStateFile(memoryManagerStateFile)
-	}
-
-	framework.ExpectNoError(e2enodekubelet.WriteKubeletConfigFile(kubeletConfig))
-
-	ginkgo.By("Restarting the kubelet")
-	restartKubelet(ctx)
-}
-
 func waitForKubeletToStart(ctx context.Context, f *framework.Framework) {
 	// wait until the kubelet health check will succeed
 	gomega.Eventually(ctx, func() bool {
@@ -291,14 +239,29 @@ func getLocalNode(ctx context.Context, f *framework.Framework) *v1.Node {
 // the caller decide. The check is intentionally done like `getLocalNode` does.
 // Note `getLocalNode` aborts (as in ginkgo.Expect) the test implicitly if the worker node is not ready.
 func getLocalTestNode(ctx context.Context, f *framework.Framework) (*v1.Node, bool) {
+	logger := klog.FromContext(ctx)
 	node, err := f.ClientSet.CoreV1().Nodes().Get(ctx, framework.TestContext.NodeName, metav1.GetOptions{})
 	framework.ExpectNoError(err)
-	ready := e2enode.IsNodeReady(node)
-	schedulable := e2enode.IsNodeSchedulable(node)
+	ready := e2enode.IsNodeReady(logger, node)
+	schedulable := e2enode.IsNodeSchedulable(logger, node)
 	framework.Logf("node %q ready=%v schedulable=%v", node.Name, ready, schedulable)
 	return node, ready && schedulable
 }
 
+func getLocalNodeCPUDetails(ctx context.Context, f *framework.Framework) (cpuCapVal int64, cpuAllocVal int64, cpuResVal int64) {
+	localNodeCap := getLocalNode(ctx, f).Status.Capacity
+	cpuCap := localNodeCap[v1.ResourceCPU]
+	localNodeAlloc := getLocalNode(ctx, f).Status.Allocatable
+	cpuAlloc := localNodeAlloc[v1.ResourceCPU]
+	cpuRes := cpuCap.DeepCopy()
+	cpuRes.Sub(cpuAlloc)
+
+	// RoundUp reserved CPUs to get only integer cores.
+	cpuRes.RoundUp(0)
+
+	return cpuCap.Value(), cpuCap.Value() - cpuRes.Value(), cpuRes.Value()
+}
+
 // logKubeletLatencyMetrics logs KubeletLatencyMetrics computed from the Prometheus
 // metrics exposed on the current node and identified by the metricNames.
 // The Kubelet subsystem prefix is automatically prepended to these metric names.
@@ -631,3 +594,35 @@ func WaitForPodInitContainerToFail(ctx context.Context, c clientset.Interface, n
 func nodeNameOrIP() string {
 	return "localhost"
 }
+
+func deletePodSyncByName(ctx context.Context, f *framework.Framework, podName string) {
+	gp := int64(0)
+	delOpts := metav1.DeleteOptions{
+		GracePeriodSeconds: &gp,
+	}
+	e2epod.NewPodClient(f).DeleteSync(ctx, podName, delOpts, f.Timeouts.PodDelete)
+}
+
+func deletePods(ctx context.Context, f *framework.Framework, podNames []string) {
+	for _, podName := range podNames {
+		deletePodSyncByName(ctx, f, podName)
+	}
+}
+
+func waitForContainerRemoval(ctx context.Context, containerName, podName, podNS string) {
+	rs, _, err := getCRIClient()
+	framework.ExpectNoError(err)
+	gomega.Eventually(ctx, func(ctx context.Context) bool {
+		containers, err := rs.ListContainers(ctx, &runtimeapi.ContainerFilter{
+			LabelSelector: map[string]string{
+				types.KubernetesPodNameLabel:       podName,
+				types.KubernetesPodNamespaceLabel:  podNS,
+				types.KubernetesContainerNameLabel: containerName,
+			},
+		})
+		if err != nil {
+			return false
+		}
+		return len(containers) == 0
+	}, 2*time.Minute, 1*time.Second).Should(gomega.BeTrueBecause("Containers were expected to be removed"))
+}
diff --git a/test/e2e_node/util_criproxy_linux.go b/test/e2e_node/util_criproxy_linux.go
new file mode 100644
index 0000000000000..a33b6a06c2c3d
--- /dev/null
+++ b/test/e2e_node/util_criproxy_linux.go
@@ -0,0 +1,44 @@
+//go:build linux
+// +build linux
+
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"fmt"
+
+	"k8s.io/kubernetes/test/e2e_node/criproxy"
+)
+
+// addCRIProxyInjector registers an injector function for the CRIProxy.
+func addCRIProxyInjector(proxy *criproxy.RemoteRuntime, injector func(apiName string) error) error {
+	if proxy == nil {
+		return fmt.Errorf("failed to add injector because the CRI Proxy is undefined")
+	}
+	proxy.AddInjector(injector)
+	return nil
+}
+
+// resetCRIProxyInjector resets all injector functions for the CRIProxy.
+func resetCRIProxyInjector(proxy *criproxy.RemoteRuntime) error {
+	if proxy == nil {
+		return fmt.Errorf("failed to reset injector because the CRI Proxy is undefined")
+	}
+	proxy.ResetInjectors()
+	return nil
+}
diff --git a/test/e2e_node/util_kubeletconfig.go b/test/e2e_node/util_kubeletconfig.go
new file mode 100644
index 0000000000000..1b0b4425ccb2c
--- /dev/null
+++ b/test/e2e_node/util_kubeletconfig.go
@@ -0,0 +1,120 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"context"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
+
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2enodekubelet "k8s.io/kubernetes/test/e2e_node/kubeletconfig"
+
+	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+)
+
+// Returns the current KubeletConfiguration
+func getCurrentKubeletConfig(ctx context.Context) (*kubeletconfig.KubeletConfiguration, error) {
+	// namespace only relevant if useProxy==true, so we don't bother
+	return e2enodekubelet.GetCurrentKubeletConfig(ctx, framework.TestContext.NodeName, "", false, framework.TestContext.StandaloneMode)
+}
+
+// Must be called within a Context. Allows the function to modify the KubeletConfiguration during the BeforeEach of the context.
+// The change is reverted in the AfterEach of the context.
+func tempSetCurrentKubeletConfig(f *framework.Framework, updateFunction func(ctx context.Context, initialConfig *kubeletconfig.KubeletConfiguration)) {
+	var oldCfg *kubeletconfig.KubeletConfiguration
+
+	ginkgo.BeforeEach(func(ctx context.Context) {
+		var err error
+		oldCfg, err = getCurrentKubeletConfig(ctx)
+		framework.ExpectNoError(err)
+
+		newCfg := oldCfg.DeepCopy()
+		updateFunction(ctx, newCfg)
+		if apiequality.Semantic.DeepEqual(*newCfg, *oldCfg) {
+			return
+		}
+
+		updateKubeletConfig(ctx, f, newCfg, true)
+	})
+
+	ginkgo.AfterEach(func(ctx context.Context) {
+		if oldCfg != nil {
+			// Update the Kubelet configuration.
+			updateKubeletConfig(ctx, f, oldCfg, true)
+		}
+	})
+}
+
+type updateKubeletOptions struct {
+	deleteStateFiles          bool
+	ensureConsistentReadyNode bool
+	// TODO: add option to use systemctl stop, now we only use systemctl kill for historical reasons
+}
+
+func updateKubeletConfigWithOptions(ctx context.Context, f *framework.Framework, kubeletConfig *kubeletconfig.KubeletConfiguration, opts updateKubeletOptions) {
+	ginkgo.GinkgoHelper()
+
+	// Update the Kubelet configuration.
+	restartKubelet := mustStopKubelet(ctx, f)
+
+	// Delete CPU and memory manager state files to be sure it will not prevent the kubelet restart
+	if opts.deleteStateFiles {
+		deleteStateFile(cpuManagerStateFile)
+		deleteStateFile(memoryManagerStateFile)
+	}
+
+	framework.ExpectNoError(e2enodekubelet.WriteKubeletConfigFile(kubeletConfig))
+
+	restartKubelet(ctx)
+
+	if opts.ensureConsistentReadyNode {
+		gomega.Consistently(ctx, func(ctx context.Context) bool {
+			return getNodeReadyStatus(ctx, f) && kubeletHealthCheck(kubeletHealthCheckURL)
+		}).WithTimeout(2 * time.Minute).WithPolling(2 * time.Second).Should(gomega.BeTrueBecause("node keeps reporting ready status"))
+	}
+}
+
+func updateKubeletConfig(ctx context.Context, f *framework.Framework, kubeletConfig *kubeletconfig.KubeletConfiguration, deleteStateFiles bool) {
+	updateKubeletConfigWithOptions(ctx, f, kubeletConfig, updateKubeletOptions{
+		deleteStateFiles: deleteStateFiles,
+	})
+}
+
+func getNodeReadyStatus(ctx context.Context, f *framework.Framework) bool {
+	ginkgo.GinkgoHelper()
+	nodeList, err := f.ClientSet.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	framework.ExpectNoError(err)
+	// Assuming that there is only one node, because this is a node e2e test.
+	gomega.Expect(nodeList.Items).To(gomega.HaveLen(1), "the number of nodes is not as expected")
+	return isNodeReady(&nodeList.Items[0])
+}
+
+// isNodeReady returns true if a node is ready; false otherwise.
+func isNodeReady(node *v1.Node) bool {
+	for _, c := range node.Status.Conditions {
+		if c.Type == v1.NodeReady {
+			return c.Status == v1.ConditionTrue
+		}
+	}
+	return false
+}
diff --git a/test/e2e_node/util_machineinfo_linux.go b/test/e2e_node/util_machineinfo_linux.go
new file mode 100644
index 0000000000000..721a4b8d70178
--- /dev/null
+++ b/test/e2e_node/util_machineinfo_linux.go
@@ -0,0 +1,113 @@
+//go:build linux
+// +build linux
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	libcontainercgroups "github.com/opencontainers/cgroups"
+	"k8s.io/utils/cpuset"
+
+	"k8s.io/kubernetes/test/e2e/framework"
+)
+
+// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
+func IsCgroup2UnifiedMode() bool {
+	return libcontainercgroups.IsCgroup2UnifiedMode()
+}
+
+func isHTEnabled() bool {
+	outData, err := exec.Command("/bin/sh", "-c", "lscpu | grep \"Thread(s) per core:\" | cut -d \":\" -f 2").Output()
+	framework.ExpectNoError(err)
+
+	threadsPerCore, err := strconv.Atoi(strings.TrimSpace(string(outData)))
+	framework.ExpectNoError(err)
+
+	return threadsPerCore > 1
+}
+
+func isMultiNUMA() bool {
+	outData, err := exec.Command("/bin/sh", "-c", "lscpu | grep \"NUMA node(s):\" | cut -d \":\" -f 2").Output()
+	framework.ExpectNoError(err)
+
+	numaNodes, err := strconv.Atoi(strings.TrimSpace(string(outData)))
+	framework.ExpectNoError(err)
+
+	return numaNodes > 1
+}
+
+func getUncoreCPUGroupSize() int {
+	cpuID := 0 // this is just the most likely cpu to be present in a random system. No special meaning besides this.
+	out, err := os.ReadFile(fmt.Sprintf("/sys/devices/system/cpu/cpu%d/cache/index3/shared_cpu_list", cpuID))
+	if errors.Is(err, fs.ErrNotExist) {
+		return 0 // no Uncore/LLC cache detected, nothing to do
+	}
+	framework.ExpectNoError(err)
+	// how many cores share a same Uncore/LLC block?
+	cpus, err := cpuset.Parse(strings.TrimSpace(string(out)))
+	framework.ExpectNoError(err)
+	return cpus.Size()
+}
+
+func getCPUSiblingList(cpuRes int64) string {
+	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("cat /sys/devices/system/cpu/cpu%d/topology/thread_siblings_list | tr -d \"\n\r\"", cpuRes)).Output()
+	framework.ExpectNoError(err)
+	return string(out)
+}
+
+func getCoreSiblingList(cpuRes int64) string {
+	out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("cat /sys/devices/system/cpu/cpu%d/topology/core_siblings_list | tr -d \"\n\r\"", cpuRes)).Output()
+	framework.ExpectNoError(err)
+	return string(out)
+}
+
+// getNumaNodeCPUs retrieves CPUs for each NUMA node.
+func getNumaNodeCPUs() (map[int]cpuset.CPUSet, error) {
+	numaNodes := make(map[int]cpuset.CPUSet)
+	nodePaths, err := filepath.Glob("/sys/devices/system/node/node*/cpulist")
+	if err != nil {
+		return nil, err
+	}
+
+	for _, nodePath := range nodePaths {
+		data, err := os.ReadFile(nodePath)
+		framework.ExpectNoError(err, "Error obtaning CPU information from the node")
+		cpuSet := strings.TrimSpace(string(data))
+		cpus, err := cpuset.Parse(cpuSet)
+		framework.ExpectNoError(err, "Error parsing CPUset")
+
+		// Extract node ID from path (e.g., "node0" -> 0)
+		base := filepath.Base(filepath.Dir(nodePath))
+		nodeID, err := strconv.Atoi(strings.TrimPrefix(base, "node"))
+		if err != nil {
+			continue
+		}
+		numaNodes[nodeID] = cpus
+	}
+
+	return numaNodes, nil
+}
diff --git a/test/e2e_node/util_machineinfo_unsupported.go b/test/e2e_node/util_machineinfo_unsupported.go
new file mode 100644
index 0000000000000..a9eed49931685
--- /dev/null
+++ b/test/e2e_node/util_machineinfo_unsupported.go
@@ -0,0 +1,56 @@
+//go:build !linux
+// +build !linux
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2enode
+
+import (
+	"errors"
+
+	"k8s.io/utils/cpuset"
+)
+
+// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
+func IsCgroup2UnifiedMode() bool {
+	return false
+}
+
+func isHTEnabled() bool {
+	return false
+}
+
+func isMultiNUMA() bool {
+	return false
+}
+
+func getUncoreCPUGroupSize() int {
+	return 1
+}
+
+func getCPUSiblingList(cpuRes int64) string {
+	return ""
+}
+
+func getCoreSiblingList(cpuRes int64) string {
+	return ""
+}
+
+// getNumaNodeCPUs retrieves CPUs for each NUMA node.
+func getNumaNodeCPUs() (map[int]cpuset.CPUSet, error) {
+	return nil, errors.New("not implemented")
+}
diff --git a/test/e2e_node/utils_linux.go b/test/e2e_node/utils_linux.go
deleted file mode 100644
index b4c86c0c9612e..0000000000000
--- a/test/e2e_node/utils_linux.go
+++ /dev/null
@@ -1,50 +0,0 @@
-//go:build linux
-// +build linux
-
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package e2enode
-
-import (
-	"fmt"
-
-	libcontainercgroups "github.com/opencontainers/cgroups"
-	"k8s.io/kubernetes/test/e2e_node/criproxy"
-)
-
-// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
-func IsCgroup2UnifiedMode() bool {
-	return libcontainercgroups.IsCgroup2UnifiedMode()
-}
-
-// addCRIProxyInjector registers an injector function for the CRIProxy.
-func addCRIProxyInjector(proxy *criproxy.RemoteRuntime, injector func(apiName string) error) error {
-	if proxy == nil {
-		return fmt.Errorf("failed to add injector because the CRI Proxy is undefined")
-	}
-	proxy.AddInjector(injector)
-	return nil
-}
-
-// resetCRIProxyInjector resets all injector functions for the CRIProxy.
-func resetCRIProxyInjector(proxy *criproxy.RemoteRuntime) error {
-	if proxy == nil {
-		return fmt.Errorf("failed to reset injector because the CRI Proxy is undefined")
-	}
-	proxy.ResetInjectors()
-	return nil
-}
diff --git a/test/e2e_node/utils_unsupported.go b/test/e2e_node/utils_unsupported.go
deleted file mode 100644
index 758af2798abd8..0000000000000
--- a/test/e2e_node/utils_unsupported.go
+++ /dev/null
@@ -1,25 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package e2enode
-
-// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
-func IsCgroup2UnifiedMode() bool {
-	return false
-}
diff --git a/test/images/.permitted-images b/test/images/.permitted-images
index 7dafd331b21de..d49abdf852498 100644
--- a/test/images/.permitted-images
+++ b/test/images/.permitted-images
@@ -3,8 +3,10 @@
 # We are aiming to consolidate on: registry.k8s.io/e2e-test-images/agnhost
 # The sources for which are in test/images/agnhost.
 # If agnhost is missing functionality for your tests, please reach out to SIG Testing.
-gcr.io/authenticated-image-pulling/alpine
-gcr.io/authenticated-image-pulling/windows-nanoserver
+#
+# TODO: remove gcr.io/k8s-authenticated-test/agnhost and set up a cluster-local
+#       private registry via test/e2e/framework/registry.SetupRegistry() to test
+#       private image pulls
 gcr.io/k8s-authenticated-test/agnhost
 invalid.registry.k8s.io/invalid/alpine
 registry.k8s.io/build-image/distroless-iptables
@@ -12,7 +14,6 @@ registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver
 registry.k8s.io/e2e-test-images/agnhost
 registry.k8s.io/e2e-test-images/apparmor-loader
 registry.k8s.io/e2e-test-images/busybox
-registry.k8s.io/e2e-test-images/httpd
 registry.k8s.io/e2e-test-images/ipc-utils
 registry.k8s.io/e2e-test-images/jessie-dnsutils
 registry.k8s.io/e2e-test-images/kitten
diff --git a/test/images/Makefile b/test/images/Makefile
index 160b54a577d18..1c7d27d789835 100644
--- a/test/images/Makefile
+++ b/test/images/Makefile
@@ -30,7 +30,7 @@ endif
 #   WHAT: Directory names to build.
 #
 # Example:
-#   make all WHAT=httpd
+#   make all WHAT=agnhost
 all: all-container
 
 all-container:
diff --git a/test/images/README.md b/test/images/README.md
index f806cc0f30c1e..10dbf854983fb 100644
--- a/test/images/README.md
+++ b/test/images/README.md
@@ -211,7 +211,7 @@ sudo chmod o+x /etc/docker
 ```
 
 A few images have been mirrored from dockerhub into the `gcr.io/k8s-staging-e2e-test-images` registry
-(`busybox`,`httpd`, `httpd-new`, `nginx`, `nginx-new`, `perl`), and they
+(`busybox`, `nginx`, `nginx-new`, `perl`), and they
 only have a noop Dockerfile. However, due to an [issue](https://github.com/kubernetes/test-infra/issues/20884),
 the same SHA cannot be pushed twice. A small change to them is required in order to generate a new SHA,
 which can then be pushed and promoted.
diff --git a/test/images/agnhost/Dockerfile b/test/images/agnhost/Dockerfile
index 6d0bbe04d8156..2ee561f5cdace 100644
--- a/test/images/agnhost/Dockerfile
+++ b/test/images/agnhost/Dockerfile
@@ -13,7 +13,22 @@
 # limitations under the License.
 
 ARG BASEIMAGE
-FROM $BASEIMAGE
+ARG GOLANG_VERSION
+
+FROM golang:$GOLANG_VERSION AS preparer
+
+RUN go install github.com/google/go-containerregistry/cmd/crane@latest && \
+    apt-get update && apt-get install -y jq
+
+COPY fakeregistryserver/prepare_registry.sh /prepare_registry.sh
+COPY fakeregistryserver/images.txt /images.txt
+
+RUN chmod +x /prepare_registry.sh
+
+# run the script during the build to create the artifact inside the image
+RUN /prepare_registry.sh
+
+FROM $BASEIMAGE AS main
 
 CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
 
@@ -38,7 +53,7 @@ RUN tar -xzvf /coredns.tgz && rm -f /coredns.tgz
 # PORT 8080 needed by: netexec, nettest, resource-consumer, resource-consumer-controller
 # PORT 8081 needed by: netexec
 # PORT 9376 needed by: serve-hostname
-# PORT 5000 needed by: grpc-health-checking
+# PORT 5000 needed by: grpc-health-checking, fake-registry-server
 EXPOSE 80 8080 8081 9376 5000
 
 # from netexec
@@ -49,6 +64,7 @@ ADD porter/localhost.crt localhost.crt
 ADD porter/localhost.key localhost.key
 
 ADD agnhost agnhost
+COPY --from=preparer /registry /var/registry
 
 # needed for the entrypoint-tester related tests. Some of the entrypoint-tester related tests
 # overrides this image's entrypoint with agnhost-2 binary, and will verify that the correct
diff --git a/test/images/agnhost/README.md b/test/images/agnhost/README.md
index 4a7d1e1cff83c..045e842893b2e 100644
--- a/test/images/agnhost/README.md
+++ b/test/images/agnhost/README.md
@@ -182,6 +182,23 @@ Usage:
     kubectl exec test-agnhost -- /agnhost fake-gitserver
 ```
 
+### fake-registry-server
+
+Starts a fake OCI registry server that serves static image files. This can be used to test
+pulling images from a private (with `--private` flag) or public registry.
+
+Private registry has static credentials `user:password`
+
+Usage:
+
+```console
+kubectl exec test-agnhost -- /agnhost fake-registry-server [--private]
+```
+
+#### Adding new image to the registry
+
+Adding a new image requires a new version of agnhost. To add new image, add a new line 
+to `test/images/agnhost/fakeregistryserver/images.txt` in format `<image> <tag> <internal tag>`
 
 ### guestbook
 
@@ -350,6 +367,33 @@ Usage:
         [--retry_time <seconds>] [--break_on_expected_content <true_or_false>]
 ```
 
+### mtlsclient
+
+```console
+    kubectl run test-agnhost \
+      --generator=run-pod/v1 \
+      --image=registry.k8s.io/e2e-test-images/agnhost:2.58 \
+      --restart=Always \
+      -- \
+      mtlsclient \
+      --fetch-url=<server-address> \ 
+      --server-trust-bundle=<server-trust-bundle.pem> \ 
+      --client-cred-bundle=<client-cred-bundle.pem>
+```
+
+### mtlsserver
+
+```console
+    kubectl run test-agnhost \
+      --generator=run-pod/v1 \
+      --image=registry.k8s.io/e2e-test-images/agnhost:2.58 \
+      --restart=Always \
+      -- \
+      mtlsserver \
+      --listen=<0.0.0.0:443> \
+      --server-creds=<server-cred-bundle.pem> \ 
+      --spiffe-trust-bundle=<spiffe-trust-bundle.pem> 
+```
 
 ### net
 
diff --git a/test/images/agnhost/VERSION b/test/images/agnhost/VERSION
index 81b3a99d62f34..acc0797df38c3 100644
--- a/test/images/agnhost/VERSION
+++ b/test/images/agnhost/VERSION
@@ -1 +1 @@
-2.56
+2.59
diff --git a/test/images/agnhost/agnhost.go b/test/images/agnhost/agnhost.go
index fff876b6856c3..5bef6e8b40bfa 100644
--- a/test/images/agnhost/agnhost.go
+++ b/test/images/agnhost/agnhost.go
@@ -28,12 +28,15 @@ import (
 	"k8s.io/kubernetes/test/images/agnhost/dns"
 	"k8s.io/kubernetes/test/images/agnhost/entrypoint-tester"
 	"k8s.io/kubernetes/test/images/agnhost/fakegitserver"
+	"k8s.io/kubernetes/test/images/agnhost/fakeregistryserver"
 	grpchealthchecking "k8s.io/kubernetes/test/images/agnhost/grpc-health-checking"
 	"k8s.io/kubernetes/test/images/agnhost/guestbook"
 	"k8s.io/kubernetes/test/images/agnhost/inclusterclient"
 	"k8s.io/kubernetes/test/images/agnhost/liveness"
 	logsgen "k8s.io/kubernetes/test/images/agnhost/logs-generator"
 	"k8s.io/kubernetes/test/images/agnhost/mounttest"
+	"k8s.io/kubernetes/test/images/agnhost/mtlsclient"
+	"k8s.io/kubernetes/test/images/agnhost/mtlsserver"
 	"k8s.io/kubernetes/test/images/agnhost/net"
 	"k8s.io/kubernetes/test/images/agnhost/netexec"
 	"k8s.io/kubernetes/test/images/agnhost/nettest"
@@ -68,6 +71,7 @@ func main() {
 	rootCmd.AddCommand(dns.CmdEtcHosts)
 	rootCmd.AddCommand(entrypoint.CmdEntrypointTester)
 	rootCmd.AddCommand(fakegitserver.CmdFakeGitServer)
+	rootCmd.AddCommand(fakeregistryserver.CmdFakeRegistryServer)
 	rootCmd.AddCommand(guestbook.CmdGuestbook)
 	rootCmd.AddCommand(inclusterclient.CmdInClusterClient)
 	rootCmd.AddCommand(liveness.CmdLiveness)
@@ -90,7 +94,8 @@ func main() {
 	rootCmd.AddCommand(grpchealthchecking.CmdGrpcHealthChecking)
 	rootCmd.AddCommand(vishhstress.CmdStress)
 	rootCmd.AddCommand(podcertificatesigner.CmdPodCertificateSigner)
-
+	rootCmd.AddCommand(mtlsclient.CmdMtlsClient)
+	rootCmd.AddCommand(mtlsserver.CmdMtlsServer)
 	// NOTE(claudiub): Some tests are passing logging related flags, so we need to be able to
 	// accept them. This will also include them in the printed help.
 	code := cli.Run(rootCmd)
diff --git a/test/images/agnhost/fakeregistryserver/images.txt b/test/images/agnhost/fakeregistryserver/images.txt
new file mode 100644
index 0000000000000..6946c5f13ef91
--- /dev/null
+++ b/test/images/agnhost/fakeregistryserver/images.txt
@@ -0,0 +1 @@
+pause 3.10.1 testing
diff --git a/test/images/agnhost/fakeregistryserver/prepare_registry.sh b/test/images/agnhost/fakeregistryserver/prepare_registry.sh
new file mode 100755
index 0000000000000..1912ff2c0b33a
--- /dev/null
+++ b/test/images/agnhost/fakeregistryserver/prepare_registry.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Copyright 2025 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+readonly REGISTRY_URL="registry.k8s.io"
+readonly REGISTRY_DIR="/registry"
+
+# This script prepares a directory with container images to be used as a fake registry,
+# then creates a tarball of that directory inside the container.
+
+# function to download an image manifest and its blobs to create a fake registry layout.
+prepare_image() {
+    local image_name="$1"
+    local tag="$2"
+    local internal_tag="$3"
+    local image_dir="$REGISTRY_DIR/$image_name"
+
+    echo "--- Preparing image: ${image_name}:${tag} as ${image_name}:${internal_tag} ---"
+
+    mkdir -p "$image_dir/manifests"
+    mkdir -p "$image_dir/blobs"
+
+    echo "Downloading and filtering manifest list for $image_name:$tag..."
+    local tmp_manifest_path="$image_dir/manifests/tmp_${internal_tag}"
+    # download the manifest and pipe it to jq to filter out windows images
+    crane manifest "$REGISTRY_URL/$image_name:$tag" | jq '.manifests |= map(select(.platform.os != "windows"))' > "$tmp_manifest_path"
+    echo "Saved manifest list to $tmp_manifest_path"
+
+    local manifest_digest
+    manifest_digest="sha256:$(sha256sum < "$tmp_manifest_path" | awk '{print $1}')"
+    mv "$tmp_manifest_path" "$image_dir/manifests/$manifest_digest"
+    echo "Saved manifest list to $image_dir/manifests/$manifest_digest"
+
+    # the file named after the tag now contains only the digest, acting as a redirect pointer
+    echo "$manifest_digest" > "$image_dir/manifests/${internal_tag}"
+    echo "Created tag file ${internal_tag} pointing to digest $manifest_digest"
+
+    echo "Parsing manifest list and downloading individual manifests and blobs..."
+    
+    jq -r '.manifests[].digest' < "$image_dir/manifests/$manifest_digest" | while read -r individual_manifest_digest; do
+      echo "  Downloading manifest $individual_manifest_digest..."
+      local individual_manifest_path="$image_dir/manifests/$individual_manifest_digest"
+      crane manifest "$REGISTRY_URL/$image_name@$individual_manifest_digest" > "$individual_manifest_path"
+      echo "  Saved manifest to $individual_manifest_path"
+
+      local config_digest
+      config_digest=$(jq -r '.config.digest' < "$individual_manifest_path")
+      echo "    Downloading config blob $config_digest..."
+      crane blob "$REGISTRY_URL/$image_name@$config_digest" > "$image_dir/blobs/$config_digest"
+      echo "    Saved config blob to $image_dir/blobs/$config_digest"
+
+      jq -r '.layers[].digest' < "$individual_manifest_path" | while read -r layer_digest; do
+        echo "    Downloading layer blob $layer_digest..."
+        crane blob "$REGISTRY_URL/$image_name@$layer_digest" > "$image_dir/blobs/$layer_digest"
+        echo "    Saved layer blob to $image_dir/blobs/$layer_digest"
+      done
+    done
+
+    echo "--- Successfully prepared ${image_name}:${internal_tag} ---"
+}
+
+# create the registry directory
+mkdir -p "$REGISTRY_DIR"
+
+echo "--> Processing images.txt..."
+while read -r image tag internal_tag; do
+    # skip empty lines or comments
+    [[ -z "$image" || "$image" == \#* ]] && continue
+    prepare_image "$image" "$tag" "$internal_tag"
+done < /images.txt
+
+echo "--> Done"
diff --git a/test/images/agnhost/fakeregistryserver/registryserver.go b/test/images/agnhost/fakeregistryserver/registryserver.go
new file mode 100644
index 0000000000000..06b4211b8ed4c
--- /dev/null
+++ b/test/images/agnhost/fakeregistryserver/registryserver.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fakeregistryserver
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	port        int
+	private     bool
+	registryDir = "/var/registry"
+)
+
+const (
+	privateRegistryUser = "user"
+	privateRegistryPass = "password"
+)
+
+func init() {
+	CmdFakeRegistryServer.Flags().IntVar(&port, "port", 5000, "Port number.")
+	CmdFakeRegistryServer.Flags().BoolVar(&private, "private", false, "Enable authentication for the registry.")
+}
+
+// CmdFakeRegistryServer is the cobra command for the fake registry server
+var CmdFakeRegistryServer = &cobra.Command{
+	Use:   "fake-registry-server",
+	Short: "Starts a fake registry server for testing",
+	Long:  fmt.Sprintf("Starts a fake registry server that serves static OCI image files from %s folder", registryDir),
+	Run:   main,
+}
+
+func main(cmd *cobra.Command, args []string) {
+	registryMux := NewRegistryServerMux(private)
+
+	addr := fmt.Sprintf(":%d", port)
+	log.Printf("HTTP server starting to listen on %s", addr)
+	if err := http.ListenAndServe(addr, registryMux); err != nil {
+		log.Fatalf("Error while starting the HTTP server: %v", err)
+	}
+}
+
+func NewRegistryServerMux(isPrivate bool) *http.ServeMux {
+	mux := http.NewServeMux()
+
+	var v2Handler http.Handler = http.HandlerFunc(handleV2)
+	if isPrivate {
+		v2Handler = auth(v2Handler)
+	}
+	mux.Handle("/v2/", v2Handler)
+
+	return mux
+}
+
+func auth(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user, pass, ok := r.BasicAuth()
+		if !ok || user != privateRegistryUser || pass != privateRegistryPass {
+			w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte("Unauthorized\n"))
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
+// handleBlobs serves blob requests
+func handleBlobs(w http.ResponseWriter, r *http.Request, imageName, identifier string) {
+	filePath := fmt.Sprintf("%s/%s/blobs/%s", registryDir, imageName, identifier)
+	w.Header().Set("Content-Type", "application/octet-stream")
+	log.Printf("Serving blob: %s", filePath)
+	http.ServeFile(w, r, filePath)
+}
+
+// handleManifests serves manifest requests. It dynamically sets the Content-Type
+// based on the manifest's mediaType field. If the identifier is a tag, it
+// reads the digest from the tag file and issues a redirect.
+func handleManifests(w http.ResponseWriter, r *http.Request, imageName, identifier string) {
+	filePath := fmt.Sprintf("%s/%s/manifests/%s", registryDir, imageName, identifier)
+
+	// if the identifier is not a digest, assume it's a tag and perform a redirect.
+	if !strings.HasPrefix(identifier, "sha256:") {
+		digest, err := os.ReadFile(filePath)
+		if err != nil {
+			http.NotFound(w, r)
+			return
+		}
+		redirectURL := strings.Replace(r.URL.String(), identifier, strings.TrimSpace(string(digest)), 1)
+		w.Header().Set("Location", redirectURL)
+		w.WriteHeader(http.StatusTemporaryRedirect)
+		return
+	}
+
+	manifestContent, err := os.ReadFile(filePath)
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	var manifestData struct {
+		MediaType string `json:"mediaType"`
+	}
+
+	if err := json.Unmarshal(manifestContent, &manifestData); err == nil && manifestData.MediaType != "" {
+		w.Header().Set("Content-Type", manifestData.MediaType)
+	}
+
+	log.Printf("Serving manifest: %s", filePath)
+	_, _ = w.Write(manifestContent)
+}
+
+func handleV2(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Docker-Distribution-Api-Version", "registry/2.0")
+
+	if r.URL.Path == "/v2/" {
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	path := strings.TrimPrefix(r.URL.Path, "/v2/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 3 {
+		http.NotFound(w, r)
+		return
+	}
+
+	imageName := parts[0]
+	objectType := parts[1]
+	identifier := parts[2]
+
+	switch objectType {
+	case "blobs":
+		handleBlobs(w, r, imageName, identifier)
+	case "manifests":
+		handleManifests(w, r, imageName, identifier)
+	default:
+		http.NotFound(w, r)
+	}
+}
diff --git a/test/images/agnhost/fakeregistryserver/registryserver_test.go b/test/images/agnhost/fakeregistryserver/registryserver_test.go
new file mode 100644
index 0000000000000..890cbb0336948
--- /dev/null
+++ b/test/images/agnhost/fakeregistryserver/registryserver_test.go
@@ -0,0 +1,310 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fakeregistryserver
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+const (
+	testImageName       = "pause"
+	testTag             = "testing"
+	testManifestDigest  = "sha256:f11bf0cbf1d8f08b83261a5bde660d016fbad261f5a84e7c603c0eba4e217811"
+	testBlobDigest      = "sha256:19e4906e80f6945d2222896120e909003ebf8028c30ebc8c99c3c42a35fb6b7f"
+	testManifestContent = `{
+   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+   "manifests": [
+      {
+         "digest": "sha256:e5b941ef8f71de54dc3a13398226c269ba217d06650a21bd3afcf9d890cf1f41",
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "platform": {
+            "architecture": "amd64",
+            "os": "linux"
+         },
+         "size": 528
+      }
+   ],
+   "schemaVersion": 2
+}`
+	testBlobContent = `this is a fake blob`
+)
+
+func closeBody(t *testing.T, resp *http.Response) {
+	err := resp.Body.Close()
+	if err != nil {
+		t.Fatalf("Error closing response body: %v", err)
+	}
+}
+
+// setupTestRegistry creates a temporary directory structure for the fake registry.
+func setupTestRegistry(t *testing.T) (string, func() error) {
+	t.Helper()
+	tempDir, err := os.MkdirTemp("", "fake-registry-")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+
+	manifestsDir := filepath.Join(tempDir, testImageName, "manifests")
+	blobsDir := filepath.Join(tempDir, testImageName, "blobs")
+	if err := os.MkdirAll(manifestsDir, 0755); err != nil {
+		t.Fatalf("Failed to create manifests dir: %v", err)
+	}
+	if err := os.MkdirAll(blobsDir, 0755); err != nil {
+		t.Fatalf("Failed to create blobs dir: %v", err)
+	}
+
+	// write the manifest file
+	if err := os.WriteFile(filepath.Join(manifestsDir, testManifestDigest), []byte(testManifestContent), 0644); err != nil {
+		t.Fatalf("Failed to write manifest file: %v", err)
+	}
+
+	// write the tag file
+	if err := os.WriteFile(filepath.Join(manifestsDir, testTag), []byte(testManifestDigest), 0644); err != nil {
+		t.Fatalf("Failed to write tag file: %v", err)
+	}
+
+	// write the blob file
+	if err := os.WriteFile(filepath.Join(blobsDir, testBlobDigest), []byte(testBlobContent), 0644); err != nil {
+		t.Fatalf("Failed to write blob file: %v", err)
+	}
+
+	cleanup := func() error {
+		return os.RemoveAll(tempDir)
+	}
+
+	return tempDir, cleanup
+}
+
+func TestRegistryServer(t *testing.T) {
+	tempDir, cleanup := setupTestRegistry(t)
+	defer func() {
+		if err := cleanup(); err != nil {
+			t.Fatalf("Failed to cleanup temp dir: %v", err)
+		}
+	}()
+
+	originalRegistryDir := registryDir
+	registryDir = tempDir
+	defer func() { registryDir = originalRegistryDir }()
+
+	t.Run("Public Mode", func(t *testing.T) {
+		server := httptest.NewServer(NewRegistryServerMux(false))
+		defer server.Close()
+		client := server.Client()
+
+		t.Run("GET /v2/", func(t *testing.T) {
+			resp, err := client.Get(server.URL + "/v2/")
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+		})
+
+		t.Run("HEAD manifest tag not exists", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, "non-exists")
+			resp, err := client.Head(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusNotFound {
+				t.Errorf("Expected status NotFound; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET manifest by tag", func(t *testing.T) {
+			client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			}
+			defer func() { client.CheckRedirect = nil }()
+
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, testTag)
+			resp, err := client.Get(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusTemporaryRedirect {
+				t.Errorf("Expected status Temporary Redirect; got %v", resp.Status)
+			}
+			expectedLocation := fmt.Sprintf("/v2/%s/manifests/%s", testImageName, testManifestDigest)
+			if loc := resp.Header.Get("Location"); loc != expectedLocation {
+				t.Errorf("Expected redirect to %q; got %q", expectedLocation, loc)
+			}
+		})
+
+		t.Run("HEAD manifest by digest", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, testManifestDigest)
+			resp, err := client.Head(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+		})
+
+		t.Run("HEAD manifest digest not exists", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, "sha256:non-exists")
+			resp, err := client.Head(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusNotFound {
+				t.Errorf("Expected status NotFound; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET manifest by digest", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, testManifestDigest)
+			resp, err := client.Get(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+			body, _ := io.ReadAll(resp.Body)
+			if string(body) != testManifestContent {
+				t.Errorf("Expected body %q; got %q", testManifestContent, string(body))
+			}
+			if ctype := resp.Header.Get("Content-Type"); ctype != "application/vnd.docker.distribution.manifest.list.v2+json" {
+				t.Errorf("Expected Content-Type header to be set from manifest; got %q", ctype)
+			}
+		})
+
+		t.Run("HEAD blob", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/blobs/%s", server.URL, testImageName, testBlobDigest)
+			resp, err := client.Head(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+		})
+
+		t.Run("HEAD blob not exists", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/blobs/%s", server.URL, testImageName, "non-exists")
+			resp, err := client.Head(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusNotFound {
+				t.Errorf("Expected status NotFound; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET blob", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/blobs/%s", server.URL, testImageName, testBlobDigest)
+			resp, err := client.Get(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+			body, _ := io.ReadAll(resp.Body)
+			if string(body) != testBlobContent {
+				t.Errorf("Expected body %q; got %q", testBlobContent, string(body))
+			}
+		})
+	})
+
+	t.Run("Private Mode", func(t *testing.T) {
+		server := httptest.NewServer(NewRegistryServerMux(true))
+		defer server.Close()
+		client := server.Client()
+
+		t.Run("GET blob without auth", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/blobs/%s", server.URL, testImageName, testBlobDigest)
+			resp, err := client.Get(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+			if resp.StatusCode != http.StatusUnauthorized {
+				t.Errorf("Expected status Unauthorized; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET blob with correct auth", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/blobs/%s", server.URL, testImageName, testBlobDigest)
+			req, _ := http.NewRequest(http.MethodGet, url, nil)
+			req.SetBasicAuth(privateRegistryUser, privateRegistryPass)
+			resp, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET manifest without auth", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, testManifestDigest)
+			resp, err := client.Get(url)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+			if resp.StatusCode != http.StatusUnauthorized {
+				t.Errorf("Expected status Unauthorized; got %v", resp.Status)
+			}
+		})
+
+		t.Run("GET manifest with correct auth", func(t *testing.T) {
+			url := fmt.Sprintf("%s/v2/%s/manifests/%s", server.URL, testImageName, testManifestDigest)
+			req, _ := http.NewRequest(http.MethodGet, url, nil)
+			req.SetBasicAuth(privateRegistryUser, privateRegistryPass)
+			resp, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("Request failed: %v", err)
+			}
+			defer closeBody(t, resp)
+
+			if resp.StatusCode != http.StatusOK {
+				t.Errorf("Expected status OK; got %v", resp.Status)
+			}
+		})
+	})
+}
diff --git a/test/images/agnhost/mtlsclient/client.go b/test/images/agnhost/mtlsclient/client.go
new file mode 100644
index 0000000000000..93daf01a601dc
--- /dev/null
+++ b/test/images/agnhost/mtlsclient/client.go
@@ -0,0 +1,157 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package mtlsclient is an agnhost subcommand implementing a client to build
+// the mTLS with the server.
+package mtlsclient
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+	"k8s.io/component-base/logs"
+	"k8s.io/klog/v2"
+)
+
+var CmdMtlsClient = &cobra.Command{
+	Use:   "mtlsclient",
+	Short: "Client is configured to build mTLS with server",
+	Args:  cobra.MaximumNArgs(0),
+	RunE:  main,
+}
+
+var (
+	fetchURL              string
+	serverTrustBundleFile string
+	clientCredBundleFile  string
+)
+
+func init() {
+	CmdMtlsClient.Flags().StringVar(&fetchURL, "fetch-url", "", "server URL to poll")
+	CmdMtlsClient.Flags().StringVar(&serverTrustBundleFile, "server-trust-bundle", "", "File with trust anchors to verify the server certificate")
+	CmdMtlsClient.Flags().StringVar(&clientCredBundleFile, "client-cred-bundle", "", "File with client key and certificate chain")
+}
+
+func main(cmd *cobra.Command, args []string) error {
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	if fetchURL == "" || serverTrustBundleFile == "" || clientCredBundleFile == "" {
+		return fmt.Errorf("missing required flags")
+	}
+
+	if _, err := url.ParseRequestURI(fetchURL); err != nil {
+		return fmt.Errorf("invalid --fetch-url: %w", err)
+	}
+
+	for range time.Tick(10 * time.Second) {
+		if err := pollOnce(); err != nil {
+			klog.Errorf("while sending requests to the server: %v", err)
+		}
+	}
+	return nil
+}
+
+func pollOnce() error {
+	trustBundlePEM, err := os.ReadFile(serverTrustBundleFile)
+	if err != nil {
+		return fmt.Errorf("while reading service trust bundle: %w", err)
+	}
+
+	serverTrustAnchors := x509.NewCertPool()
+	serverTrustAnchors.AppendCertsFromPEM(trustBundlePEM)
+
+	tlsConfig := &tls.Config{
+		RootCAs: serverTrustAnchors,
+	}
+
+	// Load and send client certificates if a bundle file was specified.
+	if clientCredBundleFile != "" {
+		bundlePEM, err := os.ReadFile(clientCredBundleFile)
+		if err != nil {
+			return fmt.Errorf("while reading client credential bundle: %w", err)
+		}
+
+		cert := tls.Certificate{}
+
+		var block *pem.Block
+		rest := bundlePEM
+		for {
+			block, rest = pem.Decode(rest)
+			if block == nil {
+				break
+			}
+
+			switch block.Type {
+			case "PRIVATE KEY":
+				cert.PrivateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
+				if err != nil {
+					return fmt.Errorf("while parsing private key from credential bundle: %w", err)
+				}
+			case "CERTIFICATE":
+				cert.Certificate = append(cert.Certificate, block.Bytes)
+			}
+		}
+
+		if cert.PrivateKey == nil {
+			return fmt.Errorf("client credential bundle had no private key")
+		}
+
+		if len(cert.Certificate) == 0 {
+			return fmt.Errorf("client credential bundle had no certificates")
+		}
+
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+	}
+
+	resp, err := client.Get(fetchURL)
+	if err != nil {
+		return fmt.Errorf("while getting URL: %w", err)
+
+	}
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return fmt.Errorf("non-2xx status %d %q", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("while reading body: %w", err)
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			log.Printf("while closing response body: %v", err)
+		}
+	}()
+
+	log.Printf("Got response body: %s", string(body))
+	return nil
+}
diff --git a/test/images/agnhost/mtlsserver/server.go b/test/images/agnhost/mtlsserver/server.go
new file mode 100644
index 0000000000000..eca32da00b60c
--- /dev/null
+++ b/test/images/agnhost/mtlsserver/server.go
@@ -0,0 +1,163 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package mtlsserver is an agnhost subcommand implementing a server to build
+// the mTLS with the client and echo the client identity.
+package mtlsserver
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+	"k8s.io/component-base/logs"
+)
+
+var CmdMtlsServer = &cobra.Command{
+	Use:   "mtlsserver",
+	Short: "Server is configured to build mTLS with client and echo client's spiffe identity",
+	Args:  cobra.MaximumNArgs(0),
+	RunE:  main,
+}
+
+var (
+	listen                string
+	serverCredsFile       string
+	spiffeTrustBundleFile string
+)
+
+func init() {
+	CmdMtlsServer.Flags().StringVar(&listen, "listen", "", "<address>:<port> to listen on")
+	CmdMtlsServer.Flags().StringVar(&serverCredsFile, "server-creds", "", "Credential bundle with the server key and certificate chain")
+	CmdMtlsServer.Flags().StringVar(&spiffeTrustBundleFile, "spiffe-trust-bundle", "", "Trust bundle for verifying client certificates")
+}
+
+func main(cmd *cobra.Command, args []string) error {
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	if listen == "" || serverCredsFile == "" || spiffeTrustBundleFile == "" {
+		return fmt.Errorf("missing required flags")
+	}
+
+	if err := serve(); err != nil {
+		return fmt.Errorf("error while serving: %w", err)
+	}
+	return nil
+}
+
+func serve() error {
+	serveMux := http.NewServeMux()
+	serveMux.HandleFunc("GET /spiffe-echo", handleGetSPIFFEEcho)
+
+	clientTrustBundlePEM, err := os.ReadFile(spiffeTrustBundleFile)
+	if err != nil {
+		return fmt.Errorf("while reading SPIFFE trust anchors: %w", err)
+	}
+
+	rootPool := x509.NewCertPool()
+	if ok := rootPool.AppendCertsFromPEM(clientTrustBundlePEM); !ok {
+		return fmt.Errorf("failed to append client certs from PEM")
+	}
+
+	// Pre-load server cert to check early if it's readable
+	_, err = tls.LoadX509KeyPair(serverCredsFile, serverCredsFile)
+	if err != nil {
+		return fmt.Errorf("while loading server key pair: %w", err)
+	}
+
+	server := &http.Server{
+		Addr: listen,
+
+		Handler: serveMux,
+
+		TLSConfig: &tls.Config{
+			// Tell the client to send client certs if they have any.  Don't
+			// pass in roots to verify the client certificate, since we expect
+			// multiple types signed by different CAs.  Instead, each endpoint
+			// will do the appropriate client certificate verification.
+			ClientAuth: tls.RequestClientCert,
+		},
+
+		ReadTimeout:    30 * time.Second,
+		WriteTimeout:   30 * time.Second,
+		MaxHeaderBytes: 1 << 20,
+	}
+
+	// TODO: Auto-reload the server creds
+	if err := server.ListenAndServeTLS(serverCredsFile, serverCredsFile); err != nil {
+		return fmt.Errorf("while listening: %w", err)
+	}
+
+	return nil
+}
+
+func handleGetSPIFFEEcho(w http.ResponseWriter, r *http.Request) {
+	if len(r.TLS.PeerCertificates) == 0 {
+		http.Error(w, "SPIFFE client certificate authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	leafCert := r.TLS.PeerCertificates[0]
+
+	// TODO: Use the trust domain from the leaf certificate to select which
+	// trust bundle to use, to permit federated use cases.
+
+	intermediatePool := x509.NewCertPool()
+	if len(r.TLS.PeerCertificates) > 1 {
+		for _, intermediate := range r.TLS.PeerCertificates[1:] {
+			intermediatePool.AddCert(intermediate)
+		}
+	}
+	rootTrustBundlePEM, err := os.ReadFile(spiffeTrustBundleFile)
+	if err != nil {
+		log.Printf("Error while reading SPIFFE trust anchors: %v", err)
+		http.Error(w, "Internal Error", http.StatusInternalServerError)
+		return
+	}
+	rootPool := x509.NewCertPool()
+	rootPool.AppendCertsFromPEM(rootTrustBundlePEM)
+
+	chains, err := leafCert.Verify(x509.VerifyOptions{
+		Intermediates: intermediatePool,
+		Roots:         rootPool,
+	})
+	if err != nil {
+		log.Printf("Error while verifying SPIFFE client certificate: %v", err)
+		http.Error(w, "SPIFFE client certificate authentication required", http.StatusUnauthorized)
+		return
+	}
+	if len(chains) == 0 {
+		log.Print("Client certificate did not chain to any roots")
+		http.Error(w, "SPIFFE client certificate authentication required", http.StatusUnauthorized)
+		return
+	}
+
+	if len(leafCert.URIs) != 1 {
+		log.Printf("SPIFFE client certificate did not have 1 URI SAN, count: %d", len(leafCert.URIs))
+		http.Error(w, "Malformed SPIFFE certificate", http.StatusUnauthorized)
+		return
+	}
+
+	if _, err := w.Write([]byte("Client Identity: " + leafCert.URIs[0].String())); err != nil {
+		log.Printf("Error while writing response: %v", err)
+	}
+}
diff --git a/test/images/agnhost/podcertificatesigner/podcertificatesigner.go b/test/images/agnhost/podcertificatesigner/podcertificatesigner.go
index a2c361a03b635..ccb9ecb1cdec5 100644
--- a/test/images/agnhost/podcertificatesigner/podcertificatesigner.go
+++ b/test/images/agnhost/podcertificatesigner/podcertificatesigner.go
@@ -21,7 +21,6 @@ package podcertificatesigner
 
 import (
 	"context"
-	"flag"
 	"fmt"
 	"os"
 	"os/signal"
@@ -51,8 +50,6 @@ func init() {
 }
 
 func run(cmd *cobra.Command, args []string) error {
-	flag.Set("logtostderr", "true")
-
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
diff --git a/test/images/httpd-new/ALIAS b/test/images/httpd-new/ALIAS
deleted file mode 100644
index 71e8b8eecba01..0000000000000
--- a/test/images/httpd-new/ALIAS
+++ /dev/null
@@ -1 +0,0 @@
-httpd
diff --git a/test/images/httpd-new/BASEIMAGE b/test/images/httpd-new/BASEIMAGE
deleted file mode 100644
index 561825ea686f7..0000000000000
--- a/test/images/httpd-new/BASEIMAGE
+++ /dev/null
@@ -1,7 +0,0 @@
-linux/amd64=httpd:2.4.39-alpine
-linux/arm=arm32v6/httpd:2.4.39-alpine
-linux/arm64=arm64v8/httpd:2.4.39-alpine
-linux/ppc64le=ppc64le/httpd:2.4.39-alpine
-linux/s390x=s390x/httpd:2.4.39-alpine
-windows/amd64/1809=REGISTRY/busybox:1.29-2-windows-amd64-1809
-windows/amd64/ltsc2022=REGISTRY/busybox:1.29-2-windows-amd64-ltsc2022
diff --git a/test/images/httpd-new/Dockerfile b/test/images/httpd-new/Dockerfile
deleted file mode 100644
index 09a6978c0b5fb..0000000000000
--- a/test/images/httpd-new/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTE(claudiub): Noop. We're just mirroring the image to staging.
-ARG BASEIMAGE
-FROM $BASEIMAGE
diff --git a/test/images/httpd-new/Dockerfile_windows b/test/images/httpd-new/Dockerfile_windows
deleted file mode 100644
index a86ea940a63cb..0000000000000
--- a/test/images/httpd-new/Dockerfile_windows
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2021 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG BASEIMAGE
-ARG REGISTRY
-
-# We're using a Linux image to unpack the archive, then we're copying it over to Windows.
-FROM --platform=linux/amd64 alpine:3.6 as prep
-
-ADD https://home.apache.org/~steffenal/VC15/binaries/httpd-2.4.54-win64-VC15.zip /httpd.zip
-ADD https://windows.php.net/downloads/releases/archives/php-7.4.14-Win32-vc15-x64.zip /php.zip
-ADD https://windows.php.net/downloads/nano/crt/crt-vc15-x64.zip /crt-vc15-x64.zip
-
-RUN unzip /httpd.zip &&\
-    mv ReadMe.txt /Apache24/DistributionReadMe.txt &&\
-    mkdir /php &&\
-    unzip /php.zip -d /php/ &&\
-    unzip /crt-vc15-x64.zip -d /
-
-FROM $BASEIMAGE
-
-COPY --from=prep /Apache24 /usr/local/apache2
-COPY --from=prep /php /tools/php74
-COPY --from=prep /vcruntime140.dll /Windows/System32/
-COPY --from=prep /msvcp140.dll /Windows/System32/
-
-COPY httpd.conf /usr/local/apache2/conf/httpd.conf
-COPY index.html /usr/local/apache2/htdocs/index.html
-
-# NOTE(claudiub): docker buildx sets the PATH env variable to a Linux-like PATH, which is not desirable.
-ENV PATH="C:\dig;C:\bin;C:\curl;C:\Windows\System32;C:\Windows;C:\Program Files\PowerShell;C:\tools\php74\;C:\usr\local\apache2\bin\;"
-
-USER ContainerAdministrator
-EXPOSE 80
-ENTRYPOINT ["C:/usr/local/apache2/bin/httpd.exe"]
diff --git a/test/images/httpd-new/VERSION b/test/images/httpd-new/VERSION
deleted file mode 100644
index 2d1d6febf14fa..0000000000000
--- a/test/images/httpd-new/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-2.4.39-4
diff --git a/test/images/httpd-new/httpd.conf b/test/images/httpd-new/httpd.conf
deleted file mode 100644
index e799726d023ac..0000000000000
--- a/test/images/httpd-new/httpd.conf
+++ /dev/null
@@ -1,533 +0,0 @@
-#
-# This is the main Apache HTTP server configuration file.  It contains the
-# configuration directives that give the server its instructions.
-# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
-# In particular, see
-# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
-# for a discussion of each configuration directive.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.
-#
-# Configuration and logfile names: If the filenames you specify for many
-# of the server's control files begin with "/" (or "drive:/" for Win32), the
-# server will use that explicit path.  If the filenames do *not* begin
-# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
-# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
-# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
-# will be interpreted as '/logs/access_log'.
-#
-# NOTE: Where filenames are specified, you must use forward slashes
-# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
-# If a drive letter is omitted, the drive on which httpd.exe is located
-# will be used by default.  It is recommended that you always supply
-# an explicit drive letter in absolute paths to avoid confusion.
-
-#
-# ServerRoot: The top of the directory tree under which the server's
-# configuration, error, and log files are kept.
-#
-# Do not add a slash at the end of the directory path.  If you point
-# ServerRoot at a non-local disk, be sure to specify a local disk on the
-# Mutex directive, if file-based mutexes are used.  If you wish to share the
-# same ServerRoot for multiple httpd daemons, you will need to change at
-# least PidFile.
-#
-Define SRVROOT "C:/usr/local/apache2/"
-ServerRoot "${SRVROOT}"
-
-#
-# Mutex: Allows you to set the mutex mechanism and mutex file directory
-# for individual mutexes, or change the global defaults
-#
-# Uncomment and change the directory if mutexes are file-based and the default
-# mutex file directory is not on a local disk or is not appropriate for some
-# other reason.
-#
-# Mutex default:logs
-
-#
-# Listen: Allows you to bind Apache to specific IP addresses and/or
-# ports, instead of the default. See also the <VirtualHost>
-# directive.
-#
-# Change this to Listen on specific IP addresses as shown below to
-# prevent Apache from glomming onto all bound IP addresses.
-#
-#Listen 12.34.56.78:80
-Listen 80
-AddHandler application/x-httpd-php .php
-AddType application/x-httpd-php .php .html
-PHPIniDir "c:/tools/php74"
-#
-# Dynamic Shared Object (DSO) Support
-#
-# To be able to use the functionality of a module which was built as a DSO you
-# have to place corresponding `LoadModule' lines at this location so the
-# directives contained in it are actually available _before_ they are used.
-# Statically compiled modules (those listed by `httpd -l') do not need
-# to be loaded here.
-#
-# Example:
-LoadModule php7_module "c:/tools/php74/php7apache2_4.dll"
-# LoadModule foo_module modules/mod_foo.so
-#
-#LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule alias_module modules/mod_alias.so
-LoadModule allowmethods_module modules/mod_allowmethods.so
-LoadModule asis_module modules/mod_asis.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-#LoadModule auth_digest_module modules/mod_auth_digest.so
-#LoadModule auth_form_module modules/mod_auth_form.so
-#LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_core_module modules/mod_authn_core.so
-#LoadModule authn_dbd_module modules/mod_authn_dbd.so
-#LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_file_module modules/mod_authn_file.so
-#LoadModule authn_socache_module modules/mod_authn_socache.so
-#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
-#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-LoadModule authz_core_module modules/mod_authz_core.so
-#LoadModule authz_dbd_module modules/mod_authz_dbd.so
-#LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_host_module modules/mod_authz_host.so
-#LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule autoindex_module modules/mod_autoindex.so
-#LoadModule buffer_module modules/mod_buffer.so
-#LoadModule cache_module modules/mod_cache.so
-#LoadModule cache_disk_module modules/mod_cache_disk.so
-#LoadModule cache_socache_module modules/mod_cache_socache.so
-#LoadModule cern_meta_module modules/mod_cern_meta.so
-LoadModule cgi_module modules/mod_cgi.so
-#LoadModule charset_lite_module modules/mod_charset_lite.so
-#LoadModule data_module modules/mod_data.so
-#LoadModule dav_module modules/mod_dav.so
-#LoadModule dav_fs_module modules/mod_dav_fs.so
-#LoadModule dav_lock_module modules/mod_dav_lock.so
-#LoadModule dbd_module modules/mod_dbd.so
-#LoadModule deflate_module modules/mod_deflate.so
-LoadModule dir_module modules/mod_dir.so
-#LoadModule dumpio_module modules/mod_dumpio.so
-LoadModule env_module modules/mod_env.so
-#LoadModule expires_module modules/mod_expires.so
-#LoadModule ext_filter_module modules/mod_ext_filter.so
-#LoadModule file_cache_module modules/mod_file_cache.so
-#LoadModule filter_module modules/mod_filter.so
-#LoadModule headers_module modules/mod_headers.so
-#LoadModule heartbeat_module modules/mod_heartbeat.so
-#LoadModule heartmonitor_module modules/mod_heartmonitor.so
-#LoadModule http2_module modules/mod_http2.so
-#LoadModule ident_module modules/mod_ident.so
-#LoadModule imagemap_module modules/mod_imagemap.so
-LoadModule include_module modules/mod_include.so
-LoadModule info_module modules/mod_info.so
-LoadModule isapi_module modules/mod_isapi.so
-#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
-#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
-#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
-#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
-#LoadModule ldap_module modules/mod_ldap.so
-#LoadModule logio_module modules/mod_logio.so
-LoadModule log_config_module modules/mod_log_config.so
-#LoadModule log_debug_module modules/mod_log_debug.so
-#LoadModule log_forensic_module modules/mod_log_forensic.so
-#LoadModule lua_module modules/mod_lua.so
-#LoadModule macro_module modules/mod_macro.so
-#LoadModule md_module modules/mod_md.so
-LoadModule mime_module modules/mod_mime.so
-#LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule negotiation_module modules/mod_negotiation.so
-#LoadModule proxy_module modules/mod_proxy.so
-#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-#LoadModule proxy_connect_module modules/mod_proxy_connect.so
-#LoadModule proxy_express_module modules/mod_proxy_express.so
-#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
-#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
-#LoadModule proxy_html_module modules/mod_proxy_html.so
-#LoadModule proxy_http_module modules/mod_proxy_http.so
-#LoadModule proxy_http2_module modules/mod_proxy_http2.so
-#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
-#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
-#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
-#LoadModule ratelimit_module modules/mod_ratelimit.so
-#LoadModule reflector_module modules/mod_reflector.so
-#LoadModule remoteip_module modules/mod_remoteip.so
-#LoadModule request_module modules/mod_request.so
-#LoadModule reqtimeout_module modules/mod_reqtimeout.so
-#LoadModule rewrite_module modules/mod_rewrite.so
-#LoadModule sed_module modules/mod_sed.so
-#LoadModule session_module modules/mod_session.so
-#LoadModule session_cookie_module modules/mod_session_cookie.so
-#LoadModule session_crypto_module modules/mod_session_crypto.so
-#LoadModule session_dbd_module modules/mod_session_dbd.so
-LoadModule setenvif_module modules/mod_setenvif.so
-#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
-#LoadModule socache_dbm_module modules/mod_socache_dbm.so
-#LoadModule socache_memcache_module modules/mod_socache_memcache.so
-LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-#LoadModule speling_module modules/mod_speling.so
-LoadModule ssl_module modules/mod_ssl.so
-LoadModule status_module modules/mod_status.so
-#LoadModule substitute_module modules/mod_substitute.so
-#LoadModule unique_id_module modules/mod_unique_id.so
-#LoadModule userdir_module modules/mod_userdir.so
-#LoadModule usertrack_module modules/mod_usertrack.so
-#LoadModule version_module modules/mod_version.so
-#LoadModule vhost_alias_module modules/mod_vhost_alias.so
-#LoadModule watchdog_module modules/mod_watchdog.so
-#LoadModule xml2enc_module modules/mod_xml2enc.so
-
-<IfModule unixd_module>
-#
-# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.
-#
-# User/Group: The name (or #number) of the user/group to run httpd as.
-# It is usually good practice to create a dedicated user and group for
-# running httpd, as with most system services.
-#
-User daemon
-Group daemon
-
-</IfModule>
-
-# 'Main' server configuration
-#
-# The directives in this section set up the values used by the 'main'
-# server, which responds to any requests that aren't handled by a
-# <VirtualHost> definition.  These values also provide defaults for
-# any <VirtualHost> containers you may define later in the file.
-#
-# All of these directives may appear inside <VirtualHost> containers,
-# in which case these default settings will be overridden for the
-# virtual host being defined.
-#
-
-#
-# ServerAdmin: Your address, where problems with the server should be
-# e-mailed.  This address appears on some server-generated pages, such
-# as error documents.  e.g. admin@your-domain.com
-#
-ServerAdmin admin@example.com
-
-#
-# ServerName gives the name and port that the server uses to identify itself.
-# This can often be determined automatically, but we recommend you specify
-# it explicitly to prevent problems during startup.
-#
-# If your host doesn't have a registered DNS name, enter its IP address here.
-#
-ServerName localhost:80
-
-#
-# Deny access to the entirety of your server's filesystem. You must
-# explicitly permit access to web content directories in other
-# <Directory> blocks below.
-#
-<Directory />
-    AllowOverride none
-    Require all denied
-</Directory>
-
-#
-# Note that from this point forward you must specifically allow
-# particular features to be enabled - so if something's not working as
-# you might expect, make sure that you have specifically enabled it
-# below.
-#
-
-#
-# DocumentRoot: The directory out of which you will serve your
-# documents. By default, all requests are taken from this directory, but
-# symbolic links and aliases may be used to point to other locations.
-#
-DocumentRoot "${SRVROOT}/htdocs"
-<Directory "${SRVROOT}/htdocs">
-    #
-    # Possible values for the Options directive are "None", "All",
-    # or any combination of:
-    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
-    #
-    # Note that "MultiViews" must be named *explicitly* --- "Options All"
-    # doesn't give it to you.
-    #
-    # The Options directive is both complicated and important.  Please see
-    # http://httpd.apache.org/docs/2.4/mod/core.html#options
-    # for more information.
-    #
-    Options Indexes FollowSymLinks
-
-    #
-    # AllowOverride controls what directives may be placed in .htaccess files.
-    # It can be "All", "None", or any combination of the keywords:
-    #   Options FileInfo AuthConfig Limit
-    #
-    AllowOverride None
-
-    #
-    # Controls who can get stuff from this server.
-    #
-    Require all granted
-</Directory>
-
-#
-# DirectoryIndex: sets the file that Apache will serve if a directory
-# is requested.
-#
-<IfModule dir_module>
-    DirectoryIndex index.html
-</IfModule>
-
-#
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
-#
-<Files ".ht*">
-    Require all denied
-</Files>
-
-#
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a <VirtualHost>
-# container, error messages relating to that virtual host will be
-# logged here.  If you *do* define an error logfile for a <VirtualHost>
-# container, that host's errors will be logged there and not here.
-#
-ErrorLog "logs/error.log"
-
-#
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
-#
-LogLevel warn
-
-<IfModule log_config_module>
-    #
-    # The following directives define some format nicknames for use with
-    # a CustomLog directive (see below).
-    #
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-    <IfModule logio_module>
-      # You need to enable mod_logio.c to use %I and %O
-      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-    </IfModule>
-
-    #
-    # The location and format of the access logfile (Common Logfile Format).
-    # If you do not define any access logfiles within a <VirtualHost>
-    # container, they will be logged here.  Contrariwise, if you *do*
-    # define per-<VirtualHost> access logfiles, transactions will be
-    # logged therein and *not* in this file.
-    #
-    CustomLog "logs/access.log" common
-
-    #
-    # If you prefer a logfile with access, agent, and referer information
-    # (Combined Logfile Format) you can use the following directive.
-    #
-    #CustomLog "logs/access.log" combined
-</IfModule>
-
-<IfModule alias_module>
-    #
-    # Redirect: Allows you to tell clients about documents that used to
-    # exist in your server's namespace, but do not anymore. The client
-    # will make a new request for the document at its new location.
-    # Example:
-    # Redirect permanent /foo http://www.example.com/bar
-
-    #
-    # Alias: Maps web paths into filesystem paths and is used to
-    # access content that does not live under the DocumentRoot.
-    # Example:
-    # Alias /webpath /full/filesystem/path
-    #
-    # If you include a trailing / on /webpath then the server will
-    # require it to be present in the URL.  You will also likely
-    # need to provide a <Directory> section to allow access to
-    # the filesystem path.
-
-    #
-    # ScriptAlias: This controls which directories contain server scripts.
-    # ScriptAliases are essentially the same as Aliases, except that
-    # documents in the target directory are treated as applications and
-    # run by the server when requested rather than as documents sent to the
-    # client.  The same rules about trailing "/" apply to ScriptAlias
-    # directives as to Alias.
-    #
-    ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
-
-</IfModule>
-
-<IfModule cgid_module>
-    #
-    # ScriptSock: On threaded servers, designate the path to the UNIX
-    # socket used to communicate with the CGI daemon of mod_cgid.
-    #
-    #Scriptsock logs/cgisock
-</IfModule>
-
-#
-# "${SRVROOT}/cgi-bin" should be changed to whatever your ScriptAliased
-# CGI directory exists, if you have that configured.
-#
-<Directory "${SRVROOT}/cgi-bin">
-    AllowOverride None
-    Options None
-    Require all granted
-</Directory>
-
-<IfModule mime_module>
-    #
-    # TypesConfig points to the file containing the list of mappings from
-    # filename extension to MIME-type.
-    #
-    TypesConfig conf/mime.types
-
-    #
-    # AddType allows you to add to or override the MIME configuration
-    # file specified in TypesConfig for specific file types.
-    #
-    #AddType application/x-gzip .tgz
-    #
-    # AddEncoding allows you to have certain browsers uncompress
-    # information on the fly. Note: Not all browsers support this.
-    #
-    #AddEncoding x-compress .Z
-    #AddEncoding x-gzip .gz .tgz
-    #
-    # If the AddEncoding directives above are commented-out, then you
-    # probably should define those extensions to indicate media types:
-    #
-    AddType application/x-compress .Z
-    AddType application/x-gzip .gz .tgz
-
-    #
-    # AddHandler allows you to map certain file extensions to "handlers":
-    # actions unrelated to filetype. These can be either built into the server
-    # or added with the Action directive (see below)
-    #
-    # To use CGI scripts outside of ScriptAliased directories:
-    # (You will also need to add "ExecCGI" to the "Options" directive.)
-    #
-    #AddHandler cgi-script .cgi .pl
-
-    # For type maps (negotiated resources):
-    #AddHandler type-map var
-
-    #
-    # Filters allow you to process content before it is sent to the client.
-    #
-    # To parse .shtml files for server-side includes (SSI):
-    # (You will also need to add "Includes" to the "Options" directive.)
-    #
-    #AddType text/html .shtml
-    #AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-#
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type.  The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-#
-#MIMEMagicFile conf/magic
-
-#
-# Customizable error responses come in three flavors:
-# 1) plain text 2) local redirects 3) external redirects
-#
-# Some examples:
-#ErrorDocument 500 "The server made a boo boo."
-#ErrorDocument 404 /missing.html
-#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
-#ErrorDocument 402 http://www.example.com/subscription_info.html
-#
-
-#
-# MaxRanges: Maximum number of Ranges in a request before
-# returning the entire resource, or one of the special
-# values 'default', 'none' or 'unlimited'.
-# Default setting is to accept 200 Ranges.
-#MaxRanges unlimited
-
-#
-# EnableMMAP and EnableSendfile: On systems that support it,
-# memory-mapping or the sendfile syscall may be used to deliver
-# files.  This usually improves server performance, but must
-# be turned off when serving from networked-mounted
-# filesystems or if support for these functions is otherwise
-# broken on your system.
-# Defaults: EnableMMAP On, EnableSendfile Off
-#
-#EnableMMAP off
-#EnableSendfile on
-
-#AcceptFilter http none
-#AcceptFilter https none
-
-# Supplemental configuration
-#
-# The configuration files in the conf/extra/ directory can be
-# included to add extra features or to modify the default configuration of
-# the server, or you may simply copy their contents here and change as
-# necessary.
-
-# Server-pool management (MPM specific)
-#Include conf/extra/httpd-mpm.conf
-
-# Multi-language error messages
-#Include conf/extra/httpd-multilang-errordoc.conf
-
-# Fancy directory listings
-Include conf/extra/httpd-autoindex.conf
-
-# Language settings
-#Include conf/extra/httpd-languages.conf
-
-# User home directories
-#Include conf/extra/httpd-userdir.conf
-
-# Real-time info on requests and configuration
-Include conf/extra/httpd-info.conf
-
-# Virtual hosts
-# Include conf/extra/httpd-vhosts.conf
-
-# Local access to the Apache HTTP Server Manual
-#Include conf/extra/httpd-manual.conf
-
-# Distributed authoring and versioning (WebDAV)
-#Include conf/extra/httpd-dav.conf
-
-# Various default settings
-#Include conf/extra/httpd-default.conf
-
-# Configure mod_proxy_html to understand HTML4/XHTML1
-<IfModule proxy_html_module>
-Include conf/extra/httpd-proxy-html.conf
-</IfModule>
-
-# Secure (SSL/TLS) connections
-# Note: The following must must be present to support
-#       starting without SSL on platforms with no /dev/random equivalent
-#       but a statically compiled-in mod_ssl.
-#
-<IfModule ssl_module>
-#Include conf/extra/httpd-ssl.conf
-#Include conf/extra/httpd-ahssl.conf
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-</IfModule>
-<IfModule http2_module>
-    ProtocolsHonorOrder On
-    Protocols h2 h2c http/1.1
-</IfModule>
diff --git a/test/images/httpd-new/index.html b/test/images/httpd-new/index.html
deleted file mode 100644
index f5f1c377b64ac..0000000000000
--- a/test/images/httpd-new/index.html
+++ /dev/null
@@ -1 +0,0 @@
-<html><body><h1>It works!</h1></body></html>
diff --git a/test/images/httpd/BASEIMAGE b/test/images/httpd/BASEIMAGE
deleted file mode 100644
index df7dae1983c69..0000000000000
--- a/test/images/httpd/BASEIMAGE
+++ /dev/null
@@ -1,7 +0,0 @@
-linux/amd64=httpd:2.4.38-alpine
-linux/arm=arm32v6/httpd:2.4.38-alpine
-linux/arm64=arm64v8/httpd:2.4.38-alpine
-linux/ppc64le=ppc64le/httpd:2.4.38-alpine
-linux/s390x=s390x/httpd:2.4.38-alpine
-windows/amd64/1809=REGISTRY/busybox:1.29-2-windows-amd64-1809
-windows/amd64/ltsc2022=REGISTRY/busybox:1.29-2-windows-amd64-ltsc2022
diff --git a/test/images/httpd/Dockerfile b/test/images/httpd/Dockerfile
deleted file mode 100644
index 09a6978c0b5fb..0000000000000
--- a/test/images/httpd/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2020 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTE(claudiub): Noop. We're just mirroring the image to staging.
-ARG BASEIMAGE
-FROM $BASEIMAGE
diff --git a/test/images/httpd/Dockerfile_windows b/test/images/httpd/Dockerfile_windows
deleted file mode 100644
index b7ebb8d9bd3ad..0000000000000
--- a/test/images/httpd/Dockerfile_windows
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2021 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG BASEIMAGE
-ARG REGISTRY
-
-# We're using a Linux image to unpack the archive, then we're copying it over to Windows.
-FROM --platform=linux/amd64 alpine:3.6 as prep
-
-ADD https://home.apache.org/~steffenal/VC14/binaries/httpd-2.4.41-win64-VC14.zip /httpd.zip
-ADD https://windows.php.net/downloads/releases/archives/php-7.4.14-Win32-vc15-x64.zip /php.zip
-ADD https://windows.php.net/downloads/nano/crt/crt-vc15-x64.zip /crt-vc15-x64.zip
-
-RUN unzip /httpd.zip &&\
-    mv ReadMe.txt /Apache24/DistributionReadMe.txt &&\
-    mkdir /php &&\
-    unzip /php.zip -d /php/ &&\
-    unzip /crt-vc15-x64.zip -d /
-
-FROM $BASEIMAGE
-
-COPY --from=prep /Apache24 /usr/local/apache2
-COPY --from=prep /php /tools/php74
-COPY --from=prep /vcruntime140.dll /Windows/System32/
-COPY --from=prep /msvcp140.dll /Windows/System32/
-
-COPY httpd.conf /usr/local/apache2/conf/httpd.conf
-COPY index.html /usr/local/apache2/htdocs/index.html
-
-# NOTE(claudiub): docker buildx sets the PATH env variable to a Linux-like PATH, which is not desirable.
-ENV PATH="C:\dig;C:\bin;C:\curl;C:\Windows\System32;C:\Windows;C:\Program Files\PowerShell;C:\tools\php74\;C:\usr\local\apache2\bin\;"
-
-USER ContainerAdministrator
-EXPOSE 80
-ENTRYPOINT ["C:/usr/local/apache2/bin/httpd.exe"]
diff --git a/test/images/httpd/VERSION b/test/images/httpd/VERSION
deleted file mode 100644
index e26e344226eb8..0000000000000
--- a/test/images/httpd/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-2.4.38-4
diff --git a/test/images/httpd/httpd.conf b/test/images/httpd/httpd.conf
deleted file mode 100644
index e799726d023ac..0000000000000
--- a/test/images/httpd/httpd.conf
+++ /dev/null
@@ -1,533 +0,0 @@
-#
-# This is the main Apache HTTP server configuration file.  It contains the
-# configuration directives that give the server its instructions.
-# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
-# In particular, see
-# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
-# for a discussion of each configuration directive.
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.
-#
-# Configuration and logfile names: If the filenames you specify for many
-# of the server's control files begin with "/" (or "drive:/" for Win32), the
-# server will use that explicit path.  If the filenames do *not* begin
-# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
-# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
-# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
-# will be interpreted as '/logs/access_log'.
-#
-# NOTE: Where filenames are specified, you must use forward slashes
-# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
-# If a drive letter is omitted, the drive on which httpd.exe is located
-# will be used by default.  It is recommended that you always supply
-# an explicit drive letter in absolute paths to avoid confusion.
-
-#
-# ServerRoot: The top of the directory tree under which the server's
-# configuration, error, and log files are kept.
-#
-# Do not add a slash at the end of the directory path.  If you point
-# ServerRoot at a non-local disk, be sure to specify a local disk on the
-# Mutex directive, if file-based mutexes are used.  If you wish to share the
-# same ServerRoot for multiple httpd daemons, you will need to change at
-# least PidFile.
-#
-Define SRVROOT "C:/usr/local/apache2/"
-ServerRoot "${SRVROOT}"
-
-#
-# Mutex: Allows you to set the mutex mechanism and mutex file directory
-# for individual mutexes, or change the global defaults
-#
-# Uncomment and change the directory if mutexes are file-based and the default
-# mutex file directory is not on a local disk or is not appropriate for some
-# other reason.
-#
-# Mutex default:logs
-
-#
-# Listen: Allows you to bind Apache to specific IP addresses and/or
-# ports, instead of the default. See also the <VirtualHost>
-# directive.
-#
-# Change this to Listen on specific IP addresses as shown below to
-# prevent Apache from glomming onto all bound IP addresses.
-#
-#Listen 12.34.56.78:80
-Listen 80
-AddHandler application/x-httpd-php .php
-AddType application/x-httpd-php .php .html
-PHPIniDir "c:/tools/php74"
-#
-# Dynamic Shared Object (DSO) Support
-#
-# To be able to use the functionality of a module which was built as a DSO you
-# have to place corresponding `LoadModule' lines at this location so the
-# directives contained in it are actually available _before_ they are used.
-# Statically compiled modules (those listed by `httpd -l') do not need
-# to be loaded here.
-#
-# Example:
-LoadModule php7_module "c:/tools/php74/php7apache2_4.dll"
-# LoadModule foo_module modules/mod_foo.so
-#
-#LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule alias_module modules/mod_alias.so
-LoadModule allowmethods_module modules/mod_allowmethods.so
-LoadModule asis_module modules/mod_asis.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-#LoadModule auth_digest_module modules/mod_auth_digest.so
-#LoadModule auth_form_module modules/mod_auth_form.so
-#LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_core_module modules/mod_authn_core.so
-#LoadModule authn_dbd_module modules/mod_authn_dbd.so
-#LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_file_module modules/mod_authn_file.so
-#LoadModule authn_socache_module modules/mod_authn_socache.so
-#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
-#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-LoadModule authz_core_module modules/mod_authz_core.so
-#LoadModule authz_dbd_module modules/mod_authz_dbd.so
-#LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_host_module modules/mod_authz_host.so
-#LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule autoindex_module modules/mod_autoindex.so
-#LoadModule buffer_module modules/mod_buffer.so
-#LoadModule cache_module modules/mod_cache.so
-#LoadModule cache_disk_module modules/mod_cache_disk.so
-#LoadModule cache_socache_module modules/mod_cache_socache.so
-#LoadModule cern_meta_module modules/mod_cern_meta.so
-LoadModule cgi_module modules/mod_cgi.so
-#LoadModule charset_lite_module modules/mod_charset_lite.so
-#LoadModule data_module modules/mod_data.so
-#LoadModule dav_module modules/mod_dav.so
-#LoadModule dav_fs_module modules/mod_dav_fs.so
-#LoadModule dav_lock_module modules/mod_dav_lock.so
-#LoadModule dbd_module modules/mod_dbd.so
-#LoadModule deflate_module modules/mod_deflate.so
-LoadModule dir_module modules/mod_dir.so
-#LoadModule dumpio_module modules/mod_dumpio.so
-LoadModule env_module modules/mod_env.so
-#LoadModule expires_module modules/mod_expires.so
-#LoadModule ext_filter_module modules/mod_ext_filter.so
-#LoadModule file_cache_module modules/mod_file_cache.so
-#LoadModule filter_module modules/mod_filter.so
-#LoadModule headers_module modules/mod_headers.so
-#LoadModule heartbeat_module modules/mod_heartbeat.so
-#LoadModule heartmonitor_module modules/mod_heartmonitor.so
-#LoadModule http2_module modules/mod_http2.so
-#LoadModule ident_module modules/mod_ident.so
-#LoadModule imagemap_module modules/mod_imagemap.so
-LoadModule include_module modules/mod_include.so
-LoadModule info_module modules/mod_info.so
-LoadModule isapi_module modules/mod_isapi.so
-#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
-#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
-#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
-#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
-#LoadModule ldap_module modules/mod_ldap.so
-#LoadModule logio_module modules/mod_logio.so
-LoadModule log_config_module modules/mod_log_config.so
-#LoadModule log_debug_module modules/mod_log_debug.so
-#LoadModule log_forensic_module modules/mod_log_forensic.so
-#LoadModule lua_module modules/mod_lua.so
-#LoadModule macro_module modules/mod_macro.so
-#LoadModule md_module modules/mod_md.so
-LoadModule mime_module modules/mod_mime.so
-#LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule negotiation_module modules/mod_negotiation.so
-#LoadModule proxy_module modules/mod_proxy.so
-#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-#LoadModule proxy_connect_module modules/mod_proxy_connect.so
-#LoadModule proxy_express_module modules/mod_proxy_express.so
-#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
-#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
-#LoadModule proxy_html_module modules/mod_proxy_html.so
-#LoadModule proxy_http_module modules/mod_proxy_http.so
-#LoadModule proxy_http2_module modules/mod_proxy_http2.so
-#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
-#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
-#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
-#LoadModule ratelimit_module modules/mod_ratelimit.so
-#LoadModule reflector_module modules/mod_reflector.so
-#LoadModule remoteip_module modules/mod_remoteip.so
-#LoadModule request_module modules/mod_request.so
-#LoadModule reqtimeout_module modules/mod_reqtimeout.so
-#LoadModule rewrite_module modules/mod_rewrite.so
-#LoadModule sed_module modules/mod_sed.so
-#LoadModule session_module modules/mod_session.so
-#LoadModule session_cookie_module modules/mod_session_cookie.so
-#LoadModule session_crypto_module modules/mod_session_crypto.so
-#LoadModule session_dbd_module modules/mod_session_dbd.so
-LoadModule setenvif_module modules/mod_setenvif.so
-#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
-#LoadModule socache_dbm_module modules/mod_socache_dbm.so
-#LoadModule socache_memcache_module modules/mod_socache_memcache.so
-LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-#LoadModule speling_module modules/mod_speling.so
-LoadModule ssl_module modules/mod_ssl.so
-LoadModule status_module modules/mod_status.so
-#LoadModule substitute_module modules/mod_substitute.so
-#LoadModule unique_id_module modules/mod_unique_id.so
-#LoadModule userdir_module modules/mod_userdir.so
-#LoadModule usertrack_module modules/mod_usertrack.so
-#LoadModule version_module modules/mod_version.so
-#LoadModule vhost_alias_module modules/mod_vhost_alias.so
-#LoadModule watchdog_module modules/mod_watchdog.so
-#LoadModule xml2enc_module modules/mod_xml2enc.so
-
-<IfModule unixd_module>
-#
-# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.
-#
-# User/Group: The name (or #number) of the user/group to run httpd as.
-# It is usually good practice to create a dedicated user and group for
-# running httpd, as with most system services.
-#
-User daemon
-Group daemon
-
-</IfModule>
-
-# 'Main' server configuration
-#
-# The directives in this section set up the values used by the 'main'
-# server, which responds to any requests that aren't handled by a
-# <VirtualHost> definition.  These values also provide defaults for
-# any <VirtualHost> containers you may define later in the file.
-#
-# All of these directives may appear inside <VirtualHost> containers,
-# in which case these default settings will be overridden for the
-# virtual host being defined.
-#
-
-#
-# ServerAdmin: Your address, where problems with the server should be
-# e-mailed.  This address appears on some server-generated pages, such
-# as error documents.  e.g. admin@your-domain.com
-#
-ServerAdmin admin@example.com
-
-#
-# ServerName gives the name and port that the server uses to identify itself.
-# This can often be determined automatically, but we recommend you specify
-# it explicitly to prevent problems during startup.
-#
-# If your host doesn't have a registered DNS name, enter its IP address here.
-#
-ServerName localhost:80
-
-#
-# Deny access to the entirety of your server's filesystem. You must
-# explicitly permit access to web content directories in other
-# <Directory> blocks below.
-#
-<Directory />
-    AllowOverride none
-    Require all denied
-</Directory>
-
-#
-# Note that from this point forward you must specifically allow
-# particular features to be enabled - so if something's not working as
-# you might expect, make sure that you have specifically enabled it
-# below.
-#
-
-#
-# DocumentRoot: The directory out of which you will serve your
-# documents. By default, all requests are taken from this directory, but
-# symbolic links and aliases may be used to point to other locations.
-#
-DocumentRoot "${SRVROOT}/htdocs"
-<Directory "${SRVROOT}/htdocs">
-    #
-    # Possible values for the Options directive are "None", "All",
-    # or any combination of:
-    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
-    #
-    # Note that "MultiViews" must be named *explicitly* --- "Options All"
-    # doesn't give it to you.
-    #
-    # The Options directive is both complicated and important.  Please see
-    # http://httpd.apache.org/docs/2.4/mod/core.html#options
-    # for more information.
-    #
-    Options Indexes FollowSymLinks
-
-    #
-    # AllowOverride controls what directives may be placed in .htaccess files.
-    # It can be "All", "None", or any combination of the keywords:
-    #   Options FileInfo AuthConfig Limit
-    #
-    AllowOverride None
-
-    #
-    # Controls who can get stuff from this server.
-    #
-    Require all granted
-</Directory>
-
-#
-# DirectoryIndex: sets the file that Apache will serve if a directory
-# is requested.
-#
-<IfModule dir_module>
-    DirectoryIndex index.html
-</IfModule>
-
-#
-# The following lines prevent .htaccess and .htpasswd files from being
-# viewed by Web clients.
-#
-<Files ".ht*">
-    Require all denied
-</Files>
-
-#
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a <VirtualHost>
-# container, error messages relating to that virtual host will be
-# logged here.  If you *do* define an error logfile for a <VirtualHost>
-# container, that host's errors will be logged there and not here.
-#
-ErrorLog "logs/error.log"
-
-#
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
-#
-LogLevel warn
-
-<IfModule log_config_module>
-    #
-    # The following directives define some format nicknames for use with
-    # a CustomLog directive (see below).
-    #
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-    <IfModule logio_module>
-      # You need to enable mod_logio.c to use %I and %O
-      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-    </IfModule>
-
-    #
-    # The location and format of the access logfile (Common Logfile Format).
-    # If you do not define any access logfiles within a <VirtualHost>
-    # container, they will be logged here.  Contrariwise, if you *do*
-    # define per-<VirtualHost> access logfiles, transactions will be
-    # logged therein and *not* in this file.
-    #
-    CustomLog "logs/access.log" common
-
-    #
-    # If you prefer a logfile with access, agent, and referer information
-    # (Combined Logfile Format) you can use the following directive.
-    #
-    #CustomLog "logs/access.log" combined
-</IfModule>
-
-<IfModule alias_module>
-    #
-    # Redirect: Allows you to tell clients about documents that used to
-    # exist in your server's namespace, but do not anymore. The client
-    # will make a new request for the document at its new location.
-    # Example:
-    # Redirect permanent /foo http://www.example.com/bar
-
-    #
-    # Alias: Maps web paths into filesystem paths and is used to
-    # access content that does not live under the DocumentRoot.
-    # Example:
-    # Alias /webpath /full/filesystem/path
-    #
-    # If you include a trailing / on /webpath then the server will
-    # require it to be present in the URL.  You will also likely
-    # need to provide a <Directory> section to allow access to
-    # the filesystem path.
-
-    #
-    # ScriptAlias: This controls which directories contain server scripts.
-    # ScriptAliases are essentially the same as Aliases, except that
-    # documents in the target directory are treated as applications and
-    # run by the server when requested rather than as documents sent to the
-    # client.  The same rules about trailing "/" apply to ScriptAlias
-    # directives as to Alias.
-    #
-    ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
-
-</IfModule>
-
-<IfModule cgid_module>
-    #
-    # ScriptSock: On threaded servers, designate the path to the UNIX
-    # socket used to communicate with the CGI daemon of mod_cgid.
-    #
-    #Scriptsock logs/cgisock
-</IfModule>
-
-#
-# "${SRVROOT}/cgi-bin" should be changed to whatever your ScriptAliased
-# CGI directory exists, if you have that configured.
-#
-<Directory "${SRVROOT}/cgi-bin">
-    AllowOverride None
-    Options None
-    Require all granted
-</Directory>
-
-<IfModule mime_module>
-    #
-    # TypesConfig points to the file containing the list of mappings from
-    # filename extension to MIME-type.
-    #
-    TypesConfig conf/mime.types
-
-    #
-    # AddType allows you to add to or override the MIME configuration
-    # file specified in TypesConfig for specific file types.
-    #
-    #AddType application/x-gzip .tgz
-    #
-    # AddEncoding allows you to have certain browsers uncompress
-    # information on the fly. Note: Not all browsers support this.
-    #
-    #AddEncoding x-compress .Z
-    #AddEncoding x-gzip .gz .tgz
-    #
-    # If the AddEncoding directives above are commented-out, then you
-    # probably should define those extensions to indicate media types:
-    #
-    AddType application/x-compress .Z
-    AddType application/x-gzip .gz .tgz
-
-    #
-    # AddHandler allows you to map certain file extensions to "handlers":
-    # actions unrelated to filetype. These can be either built into the server
-    # or added with the Action directive (see below)
-    #
-    # To use CGI scripts outside of ScriptAliased directories:
-    # (You will also need to add "ExecCGI" to the "Options" directive.)
-    #
-    #AddHandler cgi-script .cgi .pl
-
-    # For type maps (negotiated resources):
-    #AddHandler type-map var
-
-    #
-    # Filters allow you to process content before it is sent to the client.
-    #
-    # To parse .shtml files for server-side includes (SSI):
-    # (You will also need to add "Includes" to the "Options" directive.)
-    #
-    #AddType text/html .shtml
-    #AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-#
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type.  The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-#
-#MIMEMagicFile conf/magic
-
-#
-# Customizable error responses come in three flavors:
-# 1) plain text 2) local redirects 3) external redirects
-#
-# Some examples:
-#ErrorDocument 500 "The server made a boo boo."
-#ErrorDocument 404 /missing.html
-#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
-#ErrorDocument 402 http://www.example.com/subscription_info.html
-#
-
-#
-# MaxRanges: Maximum number of Ranges in a request before
-# returning the entire resource, or one of the special
-# values 'default', 'none' or 'unlimited'.
-# Default setting is to accept 200 Ranges.
-#MaxRanges unlimited
-
-#
-# EnableMMAP and EnableSendfile: On systems that support it,
-# memory-mapping or the sendfile syscall may be used to deliver
-# files.  This usually improves server performance, but must
-# be turned off when serving from networked-mounted
-# filesystems or if support for these functions is otherwise
-# broken on your system.
-# Defaults: EnableMMAP On, EnableSendfile Off
-#
-#EnableMMAP off
-#EnableSendfile on
-
-#AcceptFilter http none
-#AcceptFilter https none
-
-# Supplemental configuration
-#
-# The configuration files in the conf/extra/ directory can be
-# included to add extra features or to modify the default configuration of
-# the server, or you may simply copy their contents here and change as
-# necessary.
-
-# Server-pool management (MPM specific)
-#Include conf/extra/httpd-mpm.conf
-
-# Multi-language error messages
-#Include conf/extra/httpd-multilang-errordoc.conf
-
-# Fancy directory listings
-Include conf/extra/httpd-autoindex.conf
-
-# Language settings
-#Include conf/extra/httpd-languages.conf
-
-# User home directories
-#Include conf/extra/httpd-userdir.conf
-
-# Real-time info on requests and configuration
-Include conf/extra/httpd-info.conf
-
-# Virtual hosts
-# Include conf/extra/httpd-vhosts.conf
-
-# Local access to the Apache HTTP Server Manual
-#Include conf/extra/httpd-manual.conf
-
-# Distributed authoring and versioning (WebDAV)
-#Include conf/extra/httpd-dav.conf
-
-# Various default settings
-#Include conf/extra/httpd-default.conf
-
-# Configure mod_proxy_html to understand HTML4/XHTML1
-<IfModule proxy_html_module>
-Include conf/extra/httpd-proxy-html.conf
-</IfModule>
-
-# Secure (SSL/TLS) connections
-# Note: The following must must be present to support
-#       starting without SSL on platforms with no /dev/random equivalent
-#       but a statically compiled-in mod_ssl.
-#
-<IfModule ssl_module>
-#Include conf/extra/httpd-ssl.conf
-#Include conf/extra/httpd-ahssl.conf
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-</IfModule>
-<IfModule http2_module>
-    ProtocolsHonorOrder On
-    Protocols h2 h2c http/1.1
-</IfModule>
diff --git a/test/images/httpd/index.html b/test/images/httpd/index.html
deleted file mode 100644
index f5f1c377b64ac..0000000000000
--- a/test/images/httpd/index.html
+++ /dev/null
@@ -1 +0,0 @@
-<html><body><h1>It works!</h1></body></html>
diff --git a/test/images/image-util.sh b/test/images/image-util.sh
index 5233022279e66..06ddeb4310c41 100755
--- a/test/images/image-util.sh
+++ b/test/images/image-util.sh
@@ -187,7 +187,7 @@ build() {
 
     # `--provenance=false --sbom=false` is set to avoid creating a manifest list: https://github.com/kubernetes/kubernetes/issues/123266
     docker buildx build --progress=plain --no-cache --pull --output=type="${output_type}" --platform "${os_name}/${arch}" --provenance=false --sbom=false \
-        --build-arg BASEIMAGE="${base_image}" --build-arg REGISTRY="${REGISTRY}" --build-arg OS_VERSION="${os_version}" \
+        --build-arg BASEIMAGE="${base_image}" --build-arg REGISTRY="${REGISTRY}" --build-arg OS_VERSION="${os_version}" --build-arg GOLANG_VERSION="${GOLANG_VERSION}" \
         -t "${REGISTRY}/${image}:${TAG}-${suffix}" -f "${dockerfile_name}" \
 	--label "image_version=${TAG}" --label "commit_id=${GIT_COMMIT_ID}" \
 	--label "git_url=https://github.com/kubernetes/kubernetes/tree/${GIT_COMMIT_ID}/test/images/${img_folder}" .
diff --git a/test/images/kitten/BASEIMAGE b/test/images/kitten/BASEIMAGE
index cbe3db3e8b8df..cc8442fd268cd 100644
--- a/test/images/kitten/BASEIMAGE
+++ b/test/images/kitten/BASEIMAGE
@@ -1,7 +1,7 @@
-linux/amd64=REGISTRY/agnhost:2.33-linux-amd64
-linux/arm=REGISTRY/agnhost:2.33-linux-arm
-linux/arm64=REGISTRY/agnhost:2.33-linux-arm64
-linux/ppc64le=REGISTRY/agnhost:2.33-linux-ppc64le
-linux/s390x=REGISTRY/agnhost:2.33-linux-s390x
-windows/amd64/1809=REGISTRY/agnhost:2.33-windows-amd64-1809
-windows/amd64/ltsc2022=REGISTRY/agnhost:2.33-windows-amd64-ltsc2022
+linux/amd64=REGISTRY/agnhost:2.57-linux-amd64
+linux/arm=REGISTRY/agnhost:2.57-linux-arm
+linux/arm64=REGISTRY/agnhost:2.57-linux-arm64
+linux/ppc64le=REGISTRY/agnhost:2.57-linux-ppc64le
+linux/s390x=REGISTRY/agnhost:2.57-linux-s390x
+windows/amd64/1809=REGISTRY/agnhost:2.57-windows-amd64-1809
+windows/amd64/ltsc2022=REGISTRY/agnhost:2.57-windows-amd64-ltsc2022
diff --git a/test/images/kitten/VERSION b/test/images/kitten/VERSION
index d3bdbdf1fdaec..6259340971be0 100644
--- a/test/images/kitten/VERSION
+++ b/test/images/kitten/VERSION
@@ -1 +1 @@
-1.7
+1.8
diff --git a/test/images/nautilus/BASEIMAGE b/test/images/nautilus/BASEIMAGE
index cbe3db3e8b8df..cc8442fd268cd 100644
--- a/test/images/nautilus/BASEIMAGE
+++ b/test/images/nautilus/BASEIMAGE
@@ -1,7 +1,7 @@
-linux/amd64=REGISTRY/agnhost:2.33-linux-amd64
-linux/arm=REGISTRY/agnhost:2.33-linux-arm
-linux/arm64=REGISTRY/agnhost:2.33-linux-arm64
-linux/ppc64le=REGISTRY/agnhost:2.33-linux-ppc64le
-linux/s390x=REGISTRY/agnhost:2.33-linux-s390x
-windows/amd64/1809=REGISTRY/agnhost:2.33-windows-amd64-1809
-windows/amd64/ltsc2022=REGISTRY/agnhost:2.33-windows-amd64-ltsc2022
+linux/amd64=REGISTRY/agnhost:2.57-linux-amd64
+linux/arm=REGISTRY/agnhost:2.57-linux-arm
+linux/arm64=REGISTRY/agnhost:2.57-linux-arm64
+linux/ppc64le=REGISTRY/agnhost:2.57-linux-ppc64le
+linux/s390x=REGISTRY/agnhost:2.57-linux-s390x
+windows/amd64/1809=REGISTRY/agnhost:2.57-windows-amd64-1809
+windows/amd64/ltsc2022=REGISTRY/agnhost:2.57-windows-amd64-ltsc2022
diff --git a/test/images/nautilus/VERSION b/test/images/nautilus/VERSION
index d3bdbdf1fdaec..6259340971be0 100644
--- a/test/images/nautilus/VERSION
+++ b/test/images/nautilus/VERSION
@@ -1 +1 @@
-1.7
+1.8
diff --git a/test/images/node-perf/tf-wide-deep/BASEIMAGE b/test/images/node-perf/tf-wide-deep/BASEIMAGE
index 9b23a60fbade2..f0cc017f7686a 100644
--- a/test/images/node-perf/tf-wide-deep/BASEIMAGE
+++ b/test/images/node-perf/tf-wide-deep/BASEIMAGE
@@ -1 +1 @@
-linux/amd64=python:3.6-slim-stretch
+linux/amd64=python:3.11-slim-bookworm
diff --git a/test/images/node-perf/tf-wide-deep/Dockerfile b/test/images/node-perf/tf-wide-deep/Dockerfile
index a0d69002ef87b..6ed7f1fa30401 100644
--- a/test/images/node-perf/tf-wide-deep/Dockerfile
+++ b/test/images/node-perf/tf-wide-deep/Dockerfile
@@ -19,22 +19,15 @@ CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
 
 RUN apt-get update && apt-get install -y wget time
 
-RUN case $(uname -m) in \
-    aarch64) \
-      pip install tensorflow-aarch64==1.2; \
-      ;; \
-    *) \
-      pip install tensorflow==1.9.0; \
-      ;; \
-    esac
-
-RUN wget https://github.com/tensorflow/models/archive/v1.9.0.tar.gz \
-&& tar xzf v1.9.0.tar.gz \
-&& rm -f v1.9.0.tar.gz
-
-RUN python /models-1.9.0/official/wide_deep/data_download.py
-
-WORKDIR $HOME/models-1.9.0/official/wide_deep
-ENV PYTHONPATH=$PYTHONPATH:$HOME/models-1.9.0
+RUN pip install tensorflow==2.20.0
+
+RUN wget https://github.com/tensorflow/models/archive/v2.15.0.tar.gz \
+&& tar xzf v2.15.0.tar.gz \
+&& rm -f v2.15.0.tar.gz
+
+RUN python /models-2.15.0/official/wide_deep/data_download.py
+
+WORKDIR $HOME/models-2.15.0/official/wide_deep
+ENV PYTHONPATH=$PYTHONPATH:$HOME/models-2.15.0
 
 ENTRYPOINT python ./wide_deep.py
diff --git a/test/images/node-perf/tf-wide-deep/VERSION b/test/images/node-perf/tf-wide-deep/VERSION
index 7e32cd56983e6..c068b2447cc22 100644
--- a/test/images/node-perf/tf-wide-deep/VERSION
+++ b/test/images/node-perf/tf-wide-deep/VERSION
@@ -1 +1 @@
-1.3
+1.4
diff --git a/test/images/regression-issue-74839/VERSION b/test/images/regression-issue-74839/VERSION
index 7e32cd56983e6..c068b2447cc22 100644
--- a/test/images/regression-issue-74839/VERSION
+++ b/test/images/regression-issue-74839/VERSION
@@ -1 +1 @@
-1.3
+1.4
diff --git a/test/images/regression-issue-74839/main.go b/test/images/regression-issue-74839/main.go
index f2d3d8a62a034..5cf749caeca00 100644
--- a/test/images/regression-issue-74839/main.go
+++ b/test/images/regression-issue-74839/main.go
@@ -100,17 +100,18 @@ func probe(ip string) {
 
 		log.Printf("tcp packet: %+v, flag: %v, data: %v, addr: %v", pkt, pkt.FlagString(), data, addr)
 
+		ipPort := fmt.Sprintf("%s:%d", addr.String(), pkt.DestPort)
 		if pkt.Flags&SYN != 0 {
-			pending[addr.String()] = pkt.Seq + 1
+			pending[ipPort] = pkt.Seq + 1
 			continue
 		}
 		if pkt.Flags&RST != 0 {
 			log.Println("ERROR: RST received")
 		}
 		if pkt.Flags&ACK != 0 {
-			if seq, ok := pending[addr.String()]; ok {
+			if seq, ok := pending[ipPort]; ok {
 				log.Println("connection established")
-				delete(pending, addr.String())
+				delete(pending, ipPort)
 
 				badPkt := &tcpPacket{
 					SrcPort:    pkt.DestPort,
diff --git a/test/images/sample-device-plugin/sampledeviceplugin.go b/test/images/sample-device-plugin/sampledeviceplugin.go
index 4350e91b15bc6..6f705f1e98b9a 100644
--- a/test/images/sample-device-plugin/sampledeviceplugin.go
+++ b/test/images/sample-device-plugin/sampledeviceplugin.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"os/signal"
@@ -92,6 +93,8 @@ func stubRegisterControlFunc() bool {
 }
 
 func main() {
+	ctx := context.Background()
+	logger := klog.FromContext(ctx)
 	// respond to syscalls for termination
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
@@ -102,24 +105,24 @@ func main() {
 	}
 
 	pluginSocksDir := os.Getenv("PLUGIN_SOCK_DIR")
-	klog.Infof("pluginSocksDir: %s", pluginSocksDir)
+	logger.Info("pluginSocksDir: %s", pluginSocksDir)
 	if pluginSocksDir == "" {
 		pluginSocksDir = pluginapi.DevicePluginPath
 	}
 
 	socketPath := pluginSocksDir + "/dp." + fmt.Sprintf("%d", time.Now().Unix())
 
-	dp1 := plugin.NewDevicePluginStub(devs, socketPath, resourceName, false, false)
-	if err := dp1.Start(); err != nil {
+	dp1 := plugin.NewDevicePluginStub(logger, devs, socketPath, resourceName, false, false)
+	if err := dp1.Start(ctx); err != nil {
 		panic(err)
 
 	}
 	dp1.SetAllocFunc(stubAllocFunc)
 
 	cdiEnabled := os.Getenv("CDI_ENABLED")
-	klog.Infof("CDI_ENABLED: %s", cdiEnabled)
+	logger.Info("CDI_ENABLED: %s", cdiEnabled)
 	if cdiEnabled != "" {
-		if err := createCDIFile(devs); err != nil {
+		if err := createCDIFile(logger, devs); err != nil {
 			panic(err)
 		}
 		defer func() {
@@ -142,15 +145,15 @@ func main() {
 	}
 
 	if !autoregister {
-		go dp1.Watch(pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath)
+		go dp1.Watch(ctx, pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath)
 
 		triggerPath := filepath.Dir(registerControlFile)
 
-		klog.InfoS("Registration process will be managed explicitly", "triggerPath", triggerPath, "triggerEntry", registerControlFile)
+		logger.Info("Registration process will be managed explicitly", "triggerPath", triggerPath, "triggerEntry", registerControlFile)
 
 		watcher, err := fsnotify.NewWatcher()
 		if err != nil {
-			klog.Errorf("Watcher creation failed: %v ", err)
+			logger.Error(err, "Watcher creation failed")
 			panic(err)
 		}
 		defer watcher.Close()
@@ -158,26 +161,26 @@ func main() {
 		updateCh := make(chan bool)
 		defer close(updateCh)
 
-		go handleRegistrationProcess(registerControlFile, dp1, watcher, updateCh)
+		go handleRegistrationProcess(logger, registerControlFile, dp1, watcher, updateCh)
 
 		err = watcher.Add(triggerPath)
 		if err != nil {
-			klog.Errorf("Failed to add watch to %q: %v", triggerPath, err)
+			logger.Error(err, "Failed to add watch", "triggerPath", triggerPath)
 			panic(err)
 		}
 		for {
 			select {
 			case received := <-updateCh:
 				if received {
-					if err := dp1.Register(pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath); err != nil {
+					if err := dp1.Register(ctx, pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath); err != nil {
 						panic(err)
 					}
-					klog.InfoS("Control file was deleted, registration succeeded")
+					logger.Info("Control file was deleted, registration succeeded")
 				}
 			// Catch termination signals
 			case sig := <-sigCh:
-				klog.InfoS("Shutting down, received signal", "signal", sig)
-				if err := dp1.Stop(); err != nil {
+				logger.Info("Shutting down, received signal", "signal", sig)
+				if err := dp1.Stop(logger); err != nil {
 					panic(err)
 				}
 				return
@@ -185,44 +188,44 @@ func main() {
 			time.Sleep(5 * time.Second)
 		}
 	} else {
-		if err := dp1.Register(pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath); err != nil {
+		if err := dp1.Register(ctx, pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath); err != nil {
 			panic(err)
 		}
 
-		go dp1.Watch(pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath)
+		go dp1.Watch(ctx, pluginapi.KubeletSocket, resourceName, pluginapi.DevicePluginPath)
 		// Catch termination signals
 		sig := <-sigCh
-		klog.InfoS("Shutting down, received signal", "signal", sig)
-		if err := dp1.Stop(); err != nil {
+		logger.Info("Shutting down, received signal", "signal", sig)
+		if err := dp1.Stop(logger); err != nil {
 			panic(err)
 		}
 		return
 	}
 }
 
-func handleRegistrationProcess(registerControlFile string, dpStub *plugin.Stub, watcher *fsnotify.Watcher, updateCh chan<- bool) {
-	klog.InfoS("Starting watching routine")
+func handleRegistrationProcess(logger klog.Logger, registerControlFile string, dpStub *plugin.Stub, watcher *fsnotify.Watcher, updateCh chan<- bool) {
+	logger.Info("Starting watching routine")
 	for {
-		klog.InfoS("handleRegistrationProcess for loop")
+		logger.Info("handleRegistrationProcess for loop")
 		select {
 		case event, ok := <-watcher.Events:
 			if !ok {
 				return
 			}
-			klog.InfoS("Received event", "name", event.Name, "operation", event.Op)
+			logger.Info("Received event", "name", event.Name, "operation", event.Op)
 			if event.Op&fsnotify.Remove == fsnotify.Remove {
 				if event.Name == registerControlFile {
-					klog.InfoS("Expected delete", "name", event.Name, "operation", event.Op)
+					logger.Info("Expected delete", "name", event.Name, "operation", event.Op)
 					updateCh <- true
 					continue
 				}
-				klog.InfoS("Spurious delete", "name", event.Name, "operation", event.Op)
+				logger.Info("Spurious delete", "name", event.Name, "operation", event.Op)
 			}
 		case err, ok := <-watcher.Errors:
 			if !ok {
 				return
 			}
-			klog.ErrorS(err, "error")
+			logger.Error(err, "error")
 			panic(err)
 		default:
 			time.Sleep(5 * time.Second)
@@ -230,7 +233,7 @@ func handleRegistrationProcess(registerControlFile string, dpStub *plugin.Stub,
 	}
 }
 
-func createCDIFile(devs []*pluginapi.Device) error {
+func createCDIFile(logger klog.Logger, devs []*pluginapi.Device) error {
 	content := fmt.Sprintf(`{"cdiVersion":"%s","kind":"%s","devices":[`, cdiVersion, resourceName)
 	for i, dev := range devs {
 		name := cdiPrefix + dev.ID
@@ -243,6 +246,6 @@ func createCDIFile(devs []*pluginapi.Device) error {
 	if err := os.WriteFile(cdiPath, []byte(content), 0644); err != nil {
 		return fmt.Errorf("failed to create CDI file: %s", err)
 	}
-	klog.InfoS("Created CDI file", "path", cdiPath, "devices", devs)
+	logger.Info("Created CDI file", "path", cdiPath, "devices", devs)
 	return nil
 }
diff --git a/test/images/volume/iscsi/BASEIMAGE b/test/images/volume/iscsi/BASEIMAGE
index 7f6cb4ec09870..1135f457a2b94 100644
--- a/test/images/volume/iscsi/BASEIMAGE
+++ b/test/images/volume/iscsi/BASEIMAGE
@@ -1,4 +1,4 @@
-linux/amd64=fedora:38
-linux/arm64=arm64v8/fedora:38
-linux/ppc64le=ppc64le/fedora:38
-linux/s390x=s390x/fedora:38
+linux/amd64=fedora:42
+linux/arm64=arm64v8/fedora:42
+linux/ppc64le=ppc64le/fedora:42
+linux/s390x=s390x/fedora:42
diff --git a/test/images/volume/iscsi/VERSION b/test/images/volume/iscsi/VERSION
index 5154b3f68e9af..1effb003408e4 100644
--- a/test/images/volume/iscsi/VERSION
+++ b/test/images/volume/iscsi/VERSION
@@ -1 +1 @@
-2.6
+2.7
diff --git a/test/images/volume/nfs/BASEIMAGE b/test/images/volume/nfs/BASEIMAGE
index 5c378f3841389..ce09878386096 100644
--- a/test/images/volume/nfs/BASEIMAGE
+++ b/test/images/volume/nfs/BASEIMAGE
@@ -1,4 +1,4 @@
-linux/amd64=centos:7
-linux/arm64=arm64v8/centos:7
-linux/ppc64le=ppc64le/centos:7
-linux/s390x=s390x/clefos:7
+linux/amd64=quay.io/centos/centos:stream9
+linux/arm64=quay.io/centos/centos:stream9
+linux/ppc64le=quay.io/centos/centos:stream9
+linux/s390x=quay.io/centos/centos:stream9
diff --git a/test/images/volume/nfs/Dockerfile b/test/images/volume/nfs/Dockerfile
index f6b184c6dc614..fc0e5cc0d4e17 100644
--- a/test/images/volume/nfs/Dockerfile
+++ b/test/images/volume/nfs/Dockerfile
@@ -16,7 +16,7 @@ ARG BASEIMAGE
 FROM $BASEIMAGE
 
 CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
-RUN yum -y install /usr/bin/ps nfs-utils && yum clean all
+RUN dnf -y install procps-ng nfs-utils && dnf clean all
 RUN mkdir -p /exports
 ADD run_nfs.sh /usr/local/bin/
 ADD index.html /tmp/index.html
diff --git a/test/images/volume/nfs/VERSION b/test/images/volume/nfs/VERSION
index c068b2447cc22..c239c60cba28a 100644
--- a/test/images/volume/nfs/VERSION
+++ b/test/images/volume/nfs/VERSION
@@ -1 +1 @@
-1.4
+1.5
diff --git a/test/images/volume/rbd/BASEIMAGE b/test/images/volume/rbd/BASEIMAGE
deleted file mode 100644
index 7f6cb4ec09870..0000000000000
--- a/test/images/volume/rbd/BASEIMAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-linux/amd64=fedora:38
-linux/arm64=arm64v8/fedora:38
-linux/ppc64le=ppc64le/fedora:38
-linux/s390x=s390x/fedora:38
diff --git a/test/images/volume/rbd/Dockerfile b/test/images/volume/rbd/Dockerfile
deleted file mode 100644
index fd82a4126a5ee..0000000000000
--- a/test/images/volume/rbd/Dockerfile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# CEPH all in one
-# Based on image by Ricardo Rocha, ricardo@catalyst.net.nz
-
-ARG BASEIMAGE
-FROM $BASEIMAGE
-
-CROSS_BUILD_COPY qemu-QEMUARCH-static /usr/bin/
-
-# Base Packages
-RUN yum install -y wget strace psmisc procps-ng ceph ceph-fuse hostname && yum clean all
-
-# Get ports exposed
-EXPOSE 6789
-
-ADD ./bootstrap.sh /bootstrap.sh
-ADD ./mon.sh /mon.sh
-ADD ./mds.sh /mds.sh
-ADD ./osd.sh /osd.sh
-ADD ./ceph.conf.sh /ceph.conf.sh
-ADD ./keyring /var/lib/ceph/mon/keyring
-ADD ./block.tar.gz /
-
-CMD /bootstrap.sh
diff --git a/test/images/volume/rbd/README.md b/test/images/volume/rbd/README.md
deleted file mode 100644
index 1630be89df8be..0000000000000
--- a/test/images/volume/rbd/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# rbd and ceph target container for testing.
-
-* The container needs to run with `docker --privileged` mode
-
-`block.tar.gz` is a small ext2 filesystem created by `create_block.sh` (run as root!)
-
-# Credentials
-
-Credentials in this directory are generated for testing purposes only.
diff --git a/test/images/volume/rbd/VERSION b/test/images/volume/rbd/VERSION
deleted file mode 100644
index af0b7ddbffd5d..0000000000000
--- a/test/images/volume/rbd/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.0.6
diff --git a/test/images/volume/rbd/block.tar.gz b/test/images/volume/rbd/block.tar.gz
deleted file mode 100644
index 8ec08a1d96204..0000000000000
Binary files a/test/images/volume/rbd/block.tar.gz and /dev/null differ
diff --git a/test/images/volume/rbd/bootstrap.sh b/test/images/volume/rbd/bootstrap.sh
deleted file mode 100755
index 3414bfa949b3b..0000000000000
--- a/test/images/volume/rbd/bootstrap.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Bootstraps a CEPH server.
-# It creates two OSDs on local machine, creates RBD pool there
-# and imports 'block' device there.
-#
-# We must create fresh OSDs and filesystem here, because shipping it
-# in a container would increase the image by ~300MB.
-#
-
-
-# Create /etc/ceph/ceph.conf
-sh ./ceph.conf.sh "$(hostname -i)"
-
-# Configure and start ceph-mon
-sh ./mon.sh "$(hostname -i)"
-
-# Configure and start 2x ceph-osd
-mkdir -p /var/lib/ceph/osd/ceph-0 /var/lib/ceph/osd/ceph-1
-sh ./osd.sh 0
-sh ./osd.sh 1
-
-# Configure and start cephfs metadata server
-sh ./mds.sh
-
-# Prepare a RBD volume "foo" (only with layering feature, the others may
-# require newer clients).
-# NOTE: we need Ceph kernel modules on the host that runs the client!
-# As the default pool `rbd` might not be created on arm64 platform for ceph deployment,
-# should create it if it does not exist.
-arch=$(uname -m)
-if [[ ${arch} = 'aarch64' || ${arch} = 'arm64' ]]; then
-    if [[ $(ceph osd lspools) = "" ]]; then
-        ceph osd pool create rbd 8
-        rbd pool init rbd
-    fi
-fi
-rbd import --image-feature layering block foo
-
-# Prepare a cephfs volume
-ceph osd pool create cephfs_data 4
-ceph osd pool create cephfs_metadata 4
-ceph fs new cephfs cephfs_metadata cephfs_data
-# Put index.html into the volume
-# It takes a while until the volume created above is mountable,
-# 1 second is usually enough, but try indefinetily.
-sleep 1
-while ! ceph-fuse -m "$(hostname -i):6789" /mnt; do
-    echo "Waiting for cephfs to be up"
-    sleep 1
-done
-echo "Hello Ceph!" > /mnt/index.html
-chmod 644 /mnt/index.html
-umount /mnt
-
-echo "Ceph is ready"
-
-# Wait forever
-while true; do
-    sleep 10
-done
diff --git a/test/images/volume/rbd/ceph.conf.sh b/test/images/volume/rbd/ceph.conf.sh
deleted file mode 100755
index 6db6658d128d3..0000000000000
--- a/test/images/volume/rbd/ceph.conf.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Configures /etc/ceph.conf from a template.
-#
-
-echo "
-[global]
-auth cluster required = none
-auth service required = none
-auth client required = none
-
-[mon.a]
-host = cephbox
-mon addr = $1
-
-[osd]
-osd journal size = 128
-journal dio = false
-
-# allow running on ext4
-osd max object name len = 256
-osd max object namespace len = 64
-
-[osd.0]
-osd host = cephbox
-" > /etc/ceph/ceph.conf
-
diff --git a/test/images/volume/rbd/create_block.sh b/test/images/volume/rbd/create_block.sh
deleted file mode 100755
index 258639e0eb76b..0000000000000
--- a/test/images/volume/rbd/create_block.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Create block.tar.gz with a small ext2 filesystem.
-# It must be run as root (to mount with '-o loop')!
-
-# Exit on the first error.
-set -e
-
-MNTDIR="$(mktemp -d)"
-
-cleanup()
-{
-    # Make sure we return the right exit code
-    RET=$?
-    # Silently remove everything and ignore errors
-    set +e
-    /bin/umount "$MNTDIR" 2>/dev/null
-    /bin/rmdir "$MNTDIR" 2>/dev/null
-    /bin/rm block 2>/dev/null
-    exit $RET
-}
-
-trap cleanup TERM EXIT
-
-# Create 120MB device with ext2
-# (volume_io tests need at least 100MB)
-dd if=/dev/zero of=block seek=120 count=1 bs=1M
-mkfs.ext2 block
-
-# Add index.html to it
-mount -o loop block "$MNTDIR"
-echo "Hello from RBD" > "$MNTDIR/index.html"
-umount "$MNTDIR"
-
-rm block.tar.gz 2>/dev/null || :
-tar cfz block.tar.gz block
diff --git a/test/images/volume/rbd/keyring b/test/images/volume/rbd/keyring
deleted file mode 100644
index f8c5af2241793..0000000000000
--- a/test/images/volume/rbd/keyring
+++ /dev/null
@@ -1,8 +0,0 @@
-[mon.]
-        key = AQDRrKNV6z4UChAABzP1ZyysTU4pjgjNOf/p3A==
-[client.admin]
-        key = AQDRrKNVbEevChAAEmRC+pW/KBVHxa0w/POILA==
-        auid = 0
-        caps mds = "allow *"
-        caps mon = "allow *"
-        caps osd = "allow *"
diff --git a/test/images/volume/rbd/mds.sh b/test/images/volume/rbd/mds.sh
deleted file mode 100755
index a5c896774469d..0000000000000
--- a/test/images/volume/rbd/mds.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2017 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Configures Ceph Metadata Service (mds), needed by CephFS
-#
-ceph-mds -i cephfs -c /etc/ceph/ceph.conf
diff --git a/test/images/volume/rbd/mon.sh b/test/images/volume/rbd/mon.sh
deleted file mode 100755
index 21c4ee6438381..0000000000000
--- a/test/images/volume/rbd/mon.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Configures and launches a new MON.
-#
-
-# monitor setup
-monmaptool --create --clobber --fsid "$(uuidgen)" --add a "${1}":6789 /etc/ceph/monmap
-mkdir /var/lib/ceph/mon/ceph-a
-ceph-mon -i a --mkfs --monmap /etc/ceph/monmap -k /var/lib/ceph/mon/keyring
-cp /var/lib/ceph/mon/keyring /var/lib/ceph/mon/ceph-a
-ceph-mon -i a --monmap /etc/ceph/monmap -k /var/lib/ceph/mon/ceph-a/keyring
-
-# client setup (handy)
-cp /var/lib/ceph/mon/keyring /etc/ceph
-
-# for this test we want to
-ceph osd getcrushmap -o /tmp/crushc
-crushtool -d /tmp/crushc -o /tmp/crushd
-sed -i 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' /tmp/crushd
-crushtool -c /tmp/crushd -o /tmp/crushc
-ceph osd setcrushmap -i /tmp/crushc
diff --git a/test/images/volume/rbd/osd.sh b/test/images/volume/rbd/osd.sh
deleted file mode 100755
index f86d3d1731965..0000000000000
--- a/test/images/volume/rbd/osd.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Configures and launches a new OSD.
-#
-
-ceph osd create
-ceph-osd -i "${1}" --mkfs --mkkey
-ceph auth add "osd.${1}" osd 'allow *' mon 'allow rwx' -i "/var/lib/ceph/osd/ceph-${1}/keyring"
-ceph osd crush add "${1}" 1 root=default host=cephbox
-ceph-osd -i "${1}" -k "/var/lib/ceph/osd/ceph-${1}/keyring"
diff --git a/test/instrumentation/documentation/documentation-list.yaml b/test/instrumentation/documentation/documentation-list.yaml
index b94b377b3a3d7..52b351d5b0cea 100644
--- a/test/instrumentation/documentation/documentation-list.yaml
+++ b/test/instrumentation/documentation/documentation-list.yaml
@@ -89,6 +89,30 @@
   - 128
   - 256
   - 512
+- name: pod_deletion_duration_seconds
+  subsystem: device_taint_eviction_controller
+  help: Latency, in seconds, between the time when a device taint effect has been
+    activated and a Pod's deletion via DeviceTaintEvictionController.
+  type: Histogram
+  stabilityLevel: ALPHA
+  buckets:
+  - 0.005
+  - 0.025
+  - 0.1
+  - 0.5
+  - 1
+  - 2.5
+  - 10
+  - 30
+  - 60
+  - 120
+  - 180
+  - 240
+- name: pod_deletions_total
+  subsystem: device_taint_eviction_controller
+  help: Total number of Pods deleted by DeviceTaintEvictionController since its start.
+  type: Counter
+  stabilityLevel: ALPHA
 - name: addresses_skipped_per_sync
   subsystem: endpoint_slice_mirroring_controller
   help: Number of addresses skipped on each Endpoints sync due to being invalid or
@@ -476,26 +500,22 @@
   - 2
   - 4
   - 8
-- name: allocated_resource_claims
-  subsystem: resourceclaim_controller
-  help: Number of allocated ResourceClaims
-  type: Gauge
-  stabilityLevel: ALPHA
-- name: create_attempts_total
-  subsystem: resourceclaim_controller
-  help: Number of ResourceClaims creation requests
-  type: Counter
-  stabilityLevel: ALPHA
-- name: create_failures_total
+- name: creates_total
   subsystem: resourceclaim_controller
-  help: Number of ResourceClaims creation request failures
+  help: Number of ResourceClaims creation requests, categorized by creation status
+    and admin access
   type: Counter
   stabilityLevel: ALPHA
-- name: resource_claims
-  subsystem: resourceclaim_controller
-  help: Number of ResourceClaims
-  type: Gauge
+  labels:
+  - admin_access
+  - status
+- name: resourceclaim_controller_resource_claims
+  help: Number of ResourceClaims, categorized by allocation status and admin access
+  type: Custom
   stabilityLevel: ALPHA
+  labels:
+  - allocated
+  - admin_access
 - name: job_pods_finished_total
   subsystem: job_controller
   help: The number of finished Pods that are fully tracked
@@ -579,6 +599,13 @@
   help: Number of PersistentVolumeClaim creation requests
   type: Counter
   stabilityLevel: ALPHA
+- name: kubelet_credential_provider_config_info
+  help: Information about the last applied credential provider configuration with
+    hash as label
+  type: Custom
+  stabilityLevel: ALPHA
+  labels:
+  - hash
 - name: credential_provider_plugin_duration
   subsystem: kubelet
   help: Duration of execution in seconds for credential provider plugin
@@ -598,7 +625,7 @@
   - 2.5
   - 5
   - 10
-- name: credential_provider_plugin_errors
+- name: credential_provider_plugin_errors_total
   subsystem: kubelet
   help: Number of errors from credential provider plugin
   type: Counter
@@ -755,6 +782,15 @@
   help: Counter of certificate renewal errors.
   type: Counter
   stabilityLevel: ALPHA
+- name: container_swap_limit_bytes
+  help: Current amount of the container swap limit in bytes. Reported only on non-windows
+    systems
+  type: Custom
+  stabilityLevel: ALPHA
+  labels:
+  - container
+  - pod
+  - namespace
 - name: container_swap_usage_bytes
   help: Current amount of the container swap usage in bytes. Reported only on non-windows
     systems
@@ -817,16 +853,16 @@
   - 16.995624819678714
   - 26.07345379475354
   - 39.99999999999997
-- name: force_cleaned_failed_volume_operation_errors_total
-  help: The number of volumes that failed force cleanup after their reconstruction
-    failed during kubelet startup.
-  type: Counter
-  stabilityLevel: ALPHA
-- name: force_cleaned_failed_volume_operations_total
-  help: The number of volumes that were force cleaned after their reconstruction failed
-    during kubelet startup. This includes both successful and failed cleanups.
-  type: Counter
+- name: dra_resource_claims_in_use
+  help: The number of ResourceClaims that are currently in use on the node, by driver
+    name (driver_name label value) and across all drivers (special value <any> for
+    driver_name). Note that the sum of all by-driver counts is not the total number
+    of in-use ResourceClaims because the same ResourceClaim might use devices from
+    different drivers. Instead, use the count for the <any> driver_name.
+  type: Custom
   stabilityLevel: ALPHA
+  labels:
+  - driver_name
 - name: active_pods
   subsystem: kubelet
   help: The number of pods the kubelet considers active and which are being considered
@@ -875,6 +911,15 @@
   labels:
   - boundary
   - scope
+- name: container_aligned_compute_resources_failure_count
+  subsystem: kubelet
+  help: Cumulative number of failures to allocate aligned compute resources to containers
+    by alignment type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - boundary
+  - scope
 - name: kubelet_container_log_filesystem_used_bytes
   help: Bytes used by the container's logs on the filesystem.
   type: Custom
@@ -884,6 +929,18 @@
   - namespace
   - pod
   - container
+- name: container_requested_resizes_total
+  subsystem: kubelet
+  help: Number of requested resizes, counted at the container level. Different resources
+    on the same container are counted separately. The 'requirement' label refers to
+    'memory' or 'limits'; the 'operation' label can be one of 'add', 'remove', 'increase'
+    or 'decrease'.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - operation
+  - requirement
+  - resource
 - name: containers_per_pod_count
   subsystem: kubelet
   help: The number of containers per pod.
@@ -895,6 +952,13 @@
   - 4
   - 8
   - 16
+- name: cpu_manager_allocation_per_numa
+  subsystem: kubelet
+  help: Number of CPUs allocated per NUMA node
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - numa_node
 - name: cpu_manager_exclusive_cpu_allocation_count
   subsystem: kubelet
   help: The total number of CPUs exclusively allocated to containers running on this
@@ -916,6 +980,14 @@
   help: The size of the shared CPU pool for non-guaranteed QoS pods, in millicores.
   type: Gauge
   stabilityLevel: ALPHA
+- name: cri_losing_support
+  subsystem: kubelet
+  help: the Kubernetes version that the currently running CRI implementation will
+    lose support on if not upgraded.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - version
 - name: desired_pods
   subsystem: kubelet
   help: The number of pods the kubelet is being instructed to run. static is true
@@ -1093,6 +1165,21 @@
   - 1800
   - 2700
   - 3600
+- name: image_volume_mounted_errors_total
+  subsystem: kubelet
+  help: Number of failed image volume mounts.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: image_volume_mounted_succeed_total
+  subsystem: kubelet
+  help: Number of successful image volume mounts.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: image_volume_requested_total
+  subsystem: kubelet
+  help: Number of requested image volumes.
+  type: Counter
+  stabilityLevel: ALPHA
 - name: lifecycle_handler_http_fallbacks_total
   subsystem: kubelet
   help: The number of times lifecycle handlers successfully fell back to http from
@@ -1216,6 +1303,54 @@
   - 2.5
   - 5
   - 10
+- name: pod_deferred_accepted_resizes_total
+  subsystem: kubelet
+  help: Cumulative number of resizes that were accepted after being deferred.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - retry_trigger
+- name: pod_in_progress_resizes
+  subsystem: kubelet
+  help: Number of in-progress resizes for pods.
+  type: Gauge
+  stabilityLevel: ALPHA
+- name: pod_infeasible_resizes_total
+  subsystem: kubelet
+  help: Number of infeasible resizes for pods.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - reason_detail
+- name: pod_pending_resizes
+  subsystem: kubelet
+  help: Number of pending resizes for pods.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - reason
+- name: pod_resize_duration_milliseconds
+  subsystem: kubelet
+  help: Duration in milliseconds to actuate a pod resize
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - success
+  buckets:
+  - 10
+  - 50
+  - 100
+  - 500
+  - 1000
+  - 2000
+  - 5000
+  - 10000
+  - 20000
+  - 30000
+  - 60000
+  - 120000
+  - 300000
+  - 600000
 - name: pod_resources_endpoint_errors_get
   subsystem: kubelet
   help: Number of requests to the PodResource Get endpoint which returned error. Broken
@@ -1563,6 +1698,18 @@
   help: Cumulative number of pods started
   type: Counter
   stabilityLevel: ALPHA
+- name: started_user_namespaced_pods_errors_total
+  subsystem: kubelet
+  help: Cumulative number of errors when starting pods with user namespaces. This
+    metric will only be collected on Linux.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: started_user_namespaced_pods_total
+  subsystem: kubelet
+  help: Cumulative number of pods with user namespaces started. This metric will only
+    be collected on Linux.
+  type: Counter
+  stabilityLevel: ALPHA
 - name: topology_manager_admission_duration_ms
   subsystem: kubelet
   help: Duration in milliseconds to serve a pod admission request.
@@ -1704,12 +1851,17 @@
   - namespace
   - pod
   - probe_type
+- name: scrape_error
+  help: 1 if there was an error while getting container metrics, 0 otherwise
+  type: Custom
+  deprecatedVersion: 1.29.0
+  stabilityLevel: ALPHA
 - name: probe_total
   subsystem: prober
   help: Cumulative number of a liveness, readiness or startup probe for a container
     by result.
   type: Counter
-  stabilityLevel: ALPHA
+  stabilityLevel: BETA
   labels:
   - container
   - namespace
@@ -1717,88 +1869,6 @@
   - pod_uid
   - probe_type
   - result
-- name: reconstruct_volume_operations_errors_total
-  help: The number of volumes that failed reconstruction from the operating system
-    during kubelet startup.
-  type: Counter
-  stabilityLevel: ALPHA
-- name: reconstruct_volume_operations_total
-  help: The number of volumes that were attempted to be reconstructed from the operating
-    system during kubelet startup. This includes both successful and failed reconstruction.
-  type: Counter
-  stabilityLevel: ALPHA
-- name: scrape_error
-  help: 1 if there was an error while getting container metrics, 0 otherwise
-  type: Custom
-  deprecatedVersion: 1.29.0
-  stabilityLevel: ALPHA
-- name: volume_manager_selinux_container_errors_total
-  help: Number of errors when kubelet cannot compute SELinux context for a container.
-    Kubelet can't start such a Pod then and it will retry, therefore value of this
-    metric may not represent the actual nr. of containers.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-- name: volume_manager_selinux_container_warnings_total
-  help: Number of errors when kubelet cannot compute SELinux context for a container
-    that are ignored. They will become real errors when SELinuxMountReadWriteOncePod
-    feature is expanded to all volume access modes.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-- name: volume_manager_selinux_pod_context_mismatch_errors_total
-  help: Number of errors when a Pod defines different SELinux contexts for its containers
-    that use the same volume. Kubelet can't start such a Pod then and it will retry,
-    therefore value of this metric may not represent the actual nr. of Pods.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-- name: volume_manager_selinux_pod_context_mismatch_warnings_total
-  help: Number of errors when a Pod defines different SELinux contexts for its containers
-    that use the same volume. They are not errors yet, but they will become real errors
-    when SELinuxMountReadWriteOncePod feature is expanded to all volume access modes.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-- name: volume_manager_selinux_volume_context_mismatch_errors_total
-  help: Number of errors when a Pod uses a volume that is already mounted with a different
-    SELinux context than the Pod needs. Kubelet can't start such a Pod then and it
-    will retry, therefore value of this metric may not represent the actual nr. of
-    Pods.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-  - volume_plugin
-- name: volume_manager_selinux_volume_context_mismatch_warnings_total
-  help: Number of errors when a Pod uses a volume that is already mounted with a different
-    SELinux context than the Pod needs. They are not errors yet, but they will become
-    real errors when SELinuxMountReadWriteOncePod feature is expanded to all volume
-    access modes.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-  - volume_plugin
-- name: volume_manager_selinux_volumes_admitted_total
-  help: Number of volumes whose SELinux context was fine and will be mounted with
-    mount -o context option.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - access_mode
-  - volume_plugin
-- name: volume_manager_total_volumes
-  help: Number of volumes in Volume Manager
-  type: Custom
-  stabilityLevel: ALPHA
-  labels:
-  - plugin_name
-  - state
 - name: container_cpu_usage_seconds_total
   help: Cumulative cpu time consumed by the container in core-seconds
   type: Custom
@@ -1849,24 +1919,46 @@
   help: 1 if there was an error while getting container metrics, 0 otherwise
   type: Custom
   stabilityLevel: STABLE
-- name: csr_honored_duration_total
-  subsystem: certificates_registry
-  namespace: apiserver
-  help: Total number of issued CSRs with a requested duration that was honored, sliced
-    by signer (only kubernetes.io signer names are specifically identified)
+- name: force_cleaned_failed_volume_operation_errors_total
+  help: The number of volumes that failed force cleanup after their reconstruction
+    failed during kubelet startup.
   type: Counter
   stabilityLevel: ALPHA
-  labels:
-  - signerName
-- name: csr_requested_duration_total
-  subsystem: certificates_registry
-  namespace: apiserver
-  help: Total number of issued CSRs with a requested duration, sliced by signer (only
-    kubernetes.io signer names are specifically identified)
+- name: force_cleaned_failed_volume_operations_total
+  help: The number of volumes that were force cleaned after their reconstruction failed
+    during kubelet startup. This includes both successful and failed cleanups.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: conntrack_reconciler_deleted_entries_total
+  subsystem: kubeproxy
+  help: Cumulative conntrack flows deleted by conntrack reconciler
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - signerName
+  - ip_family
+- name: conntrack_reconciler_sync_duration_seconds
+  subsystem: kubeproxy
+  help: ReconcileConntrackFlowsLatency latency in seconds
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - ip_family
+  buckets:
+  - 0.001
+  - 0.002
+  - 0.004
+  - 0.008
+  - 0.016
+  - 0.032
+  - 0.064
+  - 0.128
+  - 0.256
+  - 0.512
+  - 1.024
+  - 2.048
+  - 4.096
+  - 8.192
+  - 16.384
 - name: kubeproxy_iptables_ct_state_invalid_dropped_packets_total
   help: packets dropped by iptables to work around conntrack problems
   type: Custom
@@ -1880,6 +1972,8 @@
   help: In Cluster Network Programming Latency in seconds
   type: Histogram
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
   buckets:
   - 0.25
   - 0.5
@@ -1980,6 +2074,8 @@
   help: SyncProxyRules latency in seconds for full resyncs
   type: Histogram
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
   buckets:
   - 0.001
   - 0.002
@@ -2001,6 +2097,8 @@
   help: SyncProxyRules latency in seconds for partial resyncs
   type: Histogram
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
   buckets:
   - 0.001
   - 0.002
@@ -2022,6 +2120,8 @@
   help: SyncProxyRules latency in seconds
   type: Histogram
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
   buckets:
   - 0.001
   - 0.002
@@ -2054,50 +2154,65 @@
   type: Gauge
   stabilityLevel: ALPHA
   labels:
+  - ip_family
   - table
 - name: sync_proxy_rules_iptables_partial_restore_failures_total
   subsystem: kubeproxy
   help: Cumulative proxy iptables partial restore failures
   type: Counter
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_iptables_restore_failures_total
   subsystem: kubeproxy
   help: Cumulative proxy iptables restore failures
   type: Counter
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_iptables_total
   subsystem: kubeproxy
   help: Total number of iptables rules owned by kube-proxy
   type: Gauge
   stabilityLevel: ALPHA
   labels:
+  - ip_family
   - table
 - name: sync_proxy_rules_last_queued_timestamp_seconds
   subsystem: kubeproxy
   help: The last time a sync of proxy rules was queued
   type: Gauge
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_last_timestamp_seconds
   subsystem: kubeproxy
   help: The last time proxy rules were successfully synced
   type: Gauge
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_nftables_cleanup_failures_total
   subsystem: kubeproxy
   help: Cumulative proxy nftables cleanup failures
   type: Counter
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_nftables_sync_failures_total
   subsystem: kubeproxy
   help: Cumulative proxy nftables sync failures
   type: Counter
   stabilityLevel: ALPHA
+  labels:
+  - ip_family
 - name: sync_proxy_rules_no_local_endpoints_total
   subsystem: kubeproxy
   help: Number of services with a Local traffic policy and no endpoints
   type: Gauge
   stabilityLevel: ALPHA
   labels:
+  - ip_family
   - traffic_policy
 - name: sync_proxy_rules_service_changes_pending
   subsystem: kubeproxy
@@ -2109,6 +2224,101 @@
   help: Cumulative proxy rules Service changes
   type: Counter
   stabilityLevel: ALPHA
+- name: reconstruct_volume_operations_errors_total
+  help: The number of volumes that failed reconstruction from the operating system
+    during kubelet startup.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: reconstruct_volume_operations_total
+  help: The number of volumes that were attempted to be reconstructed from the operating
+    system during kubelet startup. This includes both successful and failed reconstruction.
+  type: Counter
+  stabilityLevel: ALPHA
+- name: volume_manager_selinux_container_errors_total
+  help: Number of errors when kubelet cannot compute SELinux context for a container.
+    Kubelet can't start such a Pod then and it will retry, therefore value of this
+    metric may not represent the actual nr. of containers.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+- name: volume_manager_selinux_container_warnings_total
+  help: Number of errors when kubelet cannot compute SELinux context for a container
+    that are ignored. They will become real errors when SELinuxMountReadWriteOncePod
+    feature is expanded to all volume access modes.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+- name: volume_manager_selinux_pod_context_mismatch_errors_total
+  help: Number of errors when a Pod defines different SELinux contexts for its containers
+    that use the same volume. Kubelet can't start such a Pod then and it will retry,
+    therefore value of this metric may not represent the actual nr. of Pods.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+- name: volume_manager_selinux_pod_context_mismatch_warnings_total
+  help: Number of errors when a Pod defines different SELinux contexts for its containers
+    that use the same volume. They are not errors yet, but they will become real errors
+    when SELinuxMountReadWriteOncePod feature is expanded to all volume access modes.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+- name: volume_manager_selinux_volume_context_mismatch_errors_total
+  help: Number of errors when a Pod uses a volume that is already mounted with a different
+    SELinux context than the Pod needs. Kubelet can't start such a Pod then and it
+    will retry, therefore value of this metric may not represent the actual nr. of
+    Pods.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+  - volume_plugin
+- name: volume_manager_selinux_volume_context_mismatch_warnings_total
+  help: Number of errors when a Pod uses a volume that is already mounted with a different
+    SELinux context than the Pod needs. They are not errors yet, but they will become
+    real errors when SELinuxMountReadWriteOncePod feature is expanded to all volume
+    access modes.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+  - volume_plugin
+- name: volume_manager_selinux_volumes_admitted_total
+  help: Number of volumes whose SELinux context was fine and will be mounted with
+    mount -o context option.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - access_mode
+  - volume_plugin
+- name: volume_manager_total_volumes
+  help: Number of volumes in Volume Manager
+  type: Custom
+  stabilityLevel: ALPHA
+  labels:
+  - plugin_name
+  - state
+- name: csr_honored_duration_total
+  subsystem: certificates_registry
+  namespace: apiserver
+  help: Total number of issued CSRs with a requested duration that was honored, sliced
+    by signer (only kubernetes.io signer names are specifically identified)
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - signerName
+- name: csr_requested_duration_total
+  subsystem: certificates_registry
+  namespace: apiserver
+  help: Total number of issued CSRs with a requested duration, sliced by signer (only
+    kubernetes.io signer names are specifically identified)
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - signerName
 - name: ip_errors_total
   subsystem: clusterip_repair
   namespace: apiserver
@@ -2308,6 +2518,45 @@
   stabilityLevel: ALPHA
   labels:
   - code
+- name: async_api_call_execution_duration_seconds
+  subsystem: scheduler
+  help: Duration in seconds for executing API call in the async dispatcher.
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - call_type
+  - result
+  buckets:
+  - 0.001
+  - 0.002
+  - 0.004
+  - 0.008
+  - 0.016
+  - 0.032
+  - 0.064
+  - 0.128
+  - 0.256
+  - 0.512
+  - 1.024
+  - 2.048
+  - 4.096
+  - 8.192
+  - 16.384
+- name: async_api_call_execution_total
+  subsystem: scheduler
+  help: Total number of API calls executed by the async dispatcher.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - call_type
+  - result
+- name: cache_size
+  subsystem: scheduler
+  help: Number of nodes, pods, and assumed (bound) pods in the scheduler cache.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - type
 - name: event_handling_duration_seconds
   subsystem: scheduler
   help: Event handling latency in seconds.
@@ -2342,6 +2591,13 @@
   stabilityLevel: ALPHA
   labels:
   - event
+- name: pending_async_api_calls
+  subsystem: scheduler
+  help: Number of API calls currently pending in the async queue.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - call_type
 - name: permit_wait_duration_seconds
   subsystem: scheduler
   help: Duration of waiting on permit.
@@ -2470,13 +2726,6 @@
   - 0.009852612533569338
   - 0.014778918800354007
   - 0.02216837820053101
-- name: scheduler_cache_size
-  subsystem: scheduler
-  help: Number of nodes, pods, and assumed (bound) pods in the scheduler cache.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - type
 - name: scheduling_algorithm_duration_seconds
   subsystem: scheduler
   help: Scheduling algorithm latency in seconds
@@ -2653,36 +2902,6 @@
   - 4
   - 8
   - 16
-- name: pod_scheduling_duration_seconds
-  subsystem: scheduler
-  help: E2e latency for a pod being scheduled which may include multiple scheduling
-    attempts.
-  type: Histogram
-  deprecatedVersion: 1.29.0
-  stabilityLevel: STABLE
-  labels:
-  - attempts
-  buckets:
-  - 0.01
-  - 0.02
-  - 0.04
-  - 0.08
-  - 0.16
-  - 0.32
-  - 0.64
-  - 1.28
-  - 2.56
-  - 5.12
-  - 10.24
-  - 20.48
-  - 40.96
-  - 81.92
-  - 163.84
-  - 327.68
-  - 655.36
-  - 1310.72
-  - 2621.44
-  - 5242.88
 - name: preemption_attempts_total
   subsystem: scheduler
   help: Total preemption attempts in the cluster till now
@@ -2767,26 +2986,6 @@
   - 120
   - 300
   - 600
-- name: graph_actions_duration_seconds
-  subsystem: node_authorizer
-  help: Histogram of duration of graph actions in node authorizer.
-  type: Histogram
-  stabilityLevel: ALPHA
-  labels:
-  - operation
-  buckets:
-  - 0.0001
-  - 0.0002
-  - 0.0004
-  - 0.0008
-  - 0.0016
-  - 0.0032
-  - 0.0064
-  - 0.0128
-  - 0.0256
-  - 0.0512
-  - 0.1024
-  - 0.2048
 - name: storage_operation_duration_seconds
   help: Storage operation duration
   type: Histogram
@@ -2831,6 +3030,26 @@
   - 120
   - 300
   - 600
+- name: graph_actions_duration_seconds
+  subsystem: node_authorizer
+  help: Histogram of duration of graph actions in node authorizer.
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - operation
+  buckets:
+  - 0.0001
+  - 0.0002
+  - 0.0004
+  - 0.0008
+  - 0.0016
+  - 0.0032
+  - 0.0064
+  - 0.0128
+  - 0.0256
+  - 0.0512
+  - 0.1024
+  - 0.2048
 - name: ratcheting_seconds
   subsystem: validation
   namespace: apiextensions_apiserver
@@ -2849,24 +3068,6 @@
   - 0.16384
   - 0.65536
   - 2.62144
-- name: apiextensions_openapi_v2_regeneration_count
-  help: Counter of OpenAPI v2 spec regeneration count broken down by causing CRD name
-    and reason.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - crd
-  - reason
-- name: apiextensions_openapi_v3_regeneration_count
-  help: Counter of OpenAPI v3 spec regeneration count broken down by group, version,
-    causing CRD and reason.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - crd
-  - group
-  - reason
-  - version
 - name: conversion_webhook_duration_seconds
   namespace: apiserver
   help: Conversion webhook request latency
@@ -2925,6 +3126,24 @@
   - 4.096
   - 8.192
   - 16.384
+- name: apiextensions_openapi_v2_regeneration_count
+  help: Counter of OpenAPI v2 spec regeneration count broken down by causing CRD name
+    and reason.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - crd
+  - reason
+- name: apiextensions_openapi_v3_regeneration_count
+  help: Counter of OpenAPI v3 spec regeneration count broken down by group, version,
+    causing CRD and reason.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - crd
+  - group
+  - reason
+  - version
 - name: match_condition_evaluation_errors_total
   subsystem: admission
   namespace: apiserver
@@ -3029,14 +3248,13 @@
   - rejected
   - type
 - name: check_duration_seconds
-  subsystem: validating_admission_policy
+  subsystem: mutating_admission_policy
   namespace: apiserver
-  help: Validation admission latency for individual validation expressions in seconds,
-    labeled by policy and further including binding and enforcement action taken.
+  help: Mutation admission latency for individual mutation expressions in seconds,
+    labeled by policy and binding.
   type: Histogram
-  stabilityLevel: BETA
+  stabilityLevel: ALPHA
   labels:
-  - enforcement_action
   - error_type
   - policy
   - policy_binding
@@ -3047,14 +3265,43 @@
   - 0.1
   - 1
 - name: check_total
-  subsystem: validating_admission_policy
+  subsystem: mutating_admission_policy
   namespace: apiserver
-  help: Validation admission policy check total, labeled by policy and further identified
-    by binding and enforcement action taken.
+  help: Mutation admission policy check total, labeled by policy and further identified
+    by binding.
   type: Counter
-  stabilityLevel: BETA
+  stabilityLevel: ALPHA
   labels:
-  - enforcement_action
+  - error_type
+  - policy
+  - policy_binding
+- name: check_duration_seconds
+  subsystem: validating_admission_policy
+  namespace: apiserver
+  help: Validation admission latency for individual validation expressions in seconds,
+    labeled by policy and further including binding and enforcement action taken.
+  type: Histogram
+  stabilityLevel: BETA
+  labels:
+  - enforcement_action
+  - error_type
+  - policy
+  - policy_binding
+  buckets:
+  - 5e-07
+  - 0.001
+  - 0.01
+  - 0.1
+  - 1
+- name: check_total
+  subsystem: validating_admission_policy
+  namespace: apiserver
+  help: Validation admission policy check total, labeled by policy and further identified
+    by binding and enforcement action taken.
+  type: Counter
+  stabilityLevel: BETA
+  labels:
+  - enforcement_action
   - error_type
   - policy
   - policy_binding
@@ -3116,6 +3363,10 @@
   - 2.5
   - 10
   - 25
+- name: aggregator_discovery_aggregation_count_total
+  help: Counter of number of times discovery was aggregated
+  type: Counter
+  stabilityLevel: ALPHA
 - name: error_total
   subsystem: apiserver_audit
   help: Counter of audit events that failed to be audited properly. Plugin identifies
@@ -3212,6 +3463,14 @@
   - 7.776e+06
   - 1.5552e+07
   - 3.1104e+07
+- name: current_inqueue_requests
+  subsystem: apiserver
+  help: Maximal number of queued requests in this apiserver per request kind in last
+    second.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - request_kind
 - name: apiserver_delegated_authn_request_duration_seconds
   help: Request latency in seconds. Broken down by status code.
   type: Histogram
@@ -3254,177 +3513,6 @@
   stabilityLevel: ALPHA
   labels:
   - code
-- name: active_fetch_count
-  subsystem: token_cache
-  namespace: authentication
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - status
-- name: fetch_total
-  subsystem: token_cache
-  namespace: authentication
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - status
-- name: request_duration_seconds
-  subsystem: token_cache
-  namespace: authentication
-  type: Histogram
-  stabilityLevel: ALPHA
-  labels:
-  - status
-- name: request_total
-  subsystem: token_cache
-  namespace: authentication
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - status
-- name: compilation_duration_seconds
-  subsystem: cel
-  namespace: apiserver
-  help: CEL compilation time in seconds.
-  type: Histogram
-  stabilityLevel: BETA
-- name: evaluation_duration_seconds
-  subsystem: cel
-  namespace: apiserver
-  help: CEL evaluation time in seconds.
-  type: Histogram
-  stabilityLevel: BETA
-- name: aggregator_discovery_aggregation_count_total
-  help: Counter of number of times discovery was aggregated
-  type: Counter
-  stabilityLevel: ALPHA
-- name: automatic_reload_last_timestamp_seconds
-  subsystem: authentication_config_controller
-  namespace: apiserver
-  help: Timestamp of the last automatic reload of authentication configuration split
-    by status and apiserver identity.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
-- name: automatic_reloads_total
-  subsystem: authentication_config_controller
-  namespace: apiserver
-  help: Total number of automatic reloads of authentication configuration split by
-    status and apiserver identity.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
-- name: automatic_reload_last_timestamp_seconds
-  subsystem: authorization_config_controller
-  namespace: apiserver
-  help: Timestamp of the last automatic reload of authorization configuration split
-    by status and apiserver identity.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
-- name: automatic_reloads_total
-  subsystem: authorization_config_controller
-  namespace: apiserver
-  help: Total number of automatic reloads of authorization configuration split by
-    status and apiserver identity.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
-- name: current_inqueue_requests
-  subsystem: apiserver
-  help: Maximal number of queued requests in this apiserver per request kind in last
-    second.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - request_kind
-- name: dial_duration_seconds
-  subsystem: egress_dialer
-  namespace: apiserver
-  help: Dial latency histogram in seconds, labeled by the protocol (http-connect or
-    grpc), transport (tcp or uds)
-  type: Histogram
-  stabilityLevel: ALPHA
-  labels:
-  - protocol
-  - transport
-  buckets:
-  - 0.005
-  - 0.025
-  - 0.1
-  - 0.5
-  - 2.5
-  - 12.5
-- name: dial_failure_count
-  subsystem: egress_dialer
-  namespace: apiserver
-  help: Dial failure count, labeled by the protocol (http-connect or grpc), transport
-    (tcp or uds), and stage (connect or proxy). The stage indicates at which stage
-    the dial failed
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - protocol
-  - stage
-  - transport
-- name: dial_start_total
-  subsystem: egress_dialer
-  namespace: apiserver
-  help: Dial starts, labeled by the protocol (http-connect or grpc) and transport
-    (tcp or uds).
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - protocol
-  - transport
-- name: automatic_reload_failures_total
-  subsystem: encryption_config_controller
-  namespace: apiserver
-  help: Total number of failed automatic reloads of encryption configuration split
-    by apiserver identity.
-  type: Counter
-  deprecatedVersion: 1.30.0
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-- name: automatic_reload_last_timestamp_seconds
-  subsystem: encryption_config_controller
-  namespace: apiserver
-  help: Timestamp of the last successful or failed automatic reload of encryption
-    configuration split by apiserver identity.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
-- name: automatic_reload_success_total
-  subsystem: encryption_config_controller
-  namespace: apiserver
-  help: Total number of successful automatic reloads of encryption configuration split
-    by apiserver identity.
-  type: Counter
-  deprecatedVersion: 1.30.0
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-- name: automatic_reloads_total
-  subsystem: encryption_config_controller
-  namespace: apiserver
-  help: Total number of reload successes and failures of encryption configuration
-    split by apiserver identity.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - apiserver_id_hash
-  - status
 - name: request_aborts_total
   subsystem: apiserver
   help: Number of requests which apiserver aborted possibly due to a timeout, for
@@ -3444,6 +3532,7 @@
   type: Histogram
   stabilityLevel: ALPHA
   labels:
+  - group
   - resource
   - verb
   buckets:
@@ -3622,6 +3711,7 @@
   type: Counter
   stabilityLevel: ALPHA
   labels:
+  - group
   - resource
   - subresource
   - verb
@@ -3637,7 +3727,7 @@
   stabilityLevel: ALPHA
   labels:
   - group
-  - kind
+  - resource
   - version
   buckets:
   - 1024
@@ -3655,7 +3745,7 @@
   stabilityLevel: ALPHA
   labels:
   - group
-  - kind
+  - resource
   - version
 - name: watch_list_duration_seconds
   subsystem: apiserver
@@ -3720,6 +3810,34 @@
   - 4.096
   - 8.192
   - 16.384
+- name: active_fetch_count
+  subsystem: token_cache
+  namespace: authentication
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - status
+- name: fetch_total
+  subsystem: token_cache
+  namespace: authentication
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - status
+- name: request_duration_seconds
+  subsystem: token_cache
+  namespace: authentication
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - status
+- name: request_total
+  subsystem: token_cache
+  namespace: authentication
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - status
 - name: authorization_attempts_total
   help: Counter of authorization attempts broken down by result. It can be either
     'allowed', 'denied', 'no-opinion' or 'error'.
@@ -3777,6 +3895,18 @@
   - 30
   - 45
   - 60
+- name: compilation_duration_seconds
+  subsystem: cel
+  namespace: apiserver
+  help: CEL compilation time in seconds.
+  type: Histogram
+  stabilityLevel: BETA
+- name: evaluation_duration_seconds
+  subsystem: cel
+  namespace: apiserver
+  help: CEL evaluation time in seconds.
+  type: Histogram
+  stabilityLevel: BETA
 - name: current_inflight_requests
   subsystem: apiserver
   help: Maximal number of currently used inflight request limit of this apiserver
@@ -3888,92 +4018,115 @@
   - 1e+07
   - 1e+08
   - 1e+09
-- name: jwt_authenticator_latency_seconds
-  subsystem: authentication
-  namespace: apiserver
-  help: Latency of jwt authentication operations in seconds. This is the time spent
-    authenticating a token for cache miss only (i.e. when the token is not found in
-    the cache).
-  type: Histogram
+- name: apiserver_authentication_config_controller_last_config_info
+  help: Information about the last applied authentication configuration with hash
+    as label, split by apiserver identity.
+  type: Custom
   stabilityLevel: ALPHA
   labels:
-  - jwt_issuer_hash
-  - result
-  buckets:
-  - 0.001
-  - 0.005
-  - 0.01
-  - 0.025
-  - 0.05
-  - 0.1
-  - 0.25
-  - 0.5
-  - 1
-  - 2.5
-  - 5
-  - 10
-- name: webhook_duration_seconds
-  subsystem: authorization
+  - apiserver_id_hash
+  - hash
+- name: apiserver_authorization_config_controller_last_config_info
+  help: Information about the last applied authorization configuration with hash as
+    label, split by apiserver identity.
+  type: Custom
+  stabilityLevel: ALPHA
+  labels:
+  - apiserver_id_hash
+  - hash
+- name: cache_list_fetched_objects_total
   namespace: apiserver
-  help: Request latency in seconds.
+  help: Number of objects read from watch cache in the course of serving a LIST request
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - index
+  - resource
+- name: cache_list_returned_objects_total
+  namespace: apiserver
+  help: Number of objects returned for a LIST request from watch cache
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: cache_list_total
+  namespace: apiserver
+  help: Number of LIST requests served from watch cache
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - index
+  - resource
+- name: dial_duration_seconds
+  subsystem: egress_dialer
+  namespace: apiserver
+  help: Dial latency histogram in seconds, labeled by the protocol (http-connect or
+    grpc), transport (tcp or uds)
   type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - name
-  - result
+  - protocol
+  - transport
   buckets:
   - 0.005
-  - 0.01
   - 0.025
-  - 0.05
   - 0.1
-  - 0.25
   - 0.5
-  - 1
   - 2.5
-  - 5
-  - 10
-- name: webhook_evaluations_fail_open_total
-  subsystem: authorization
+  - 12.5
+- name: dial_failure_count
+  subsystem: egress_dialer
   namespace: apiserver
-  help: NoOpinion results due to webhook timeout or error.
+  help: Dial failure count, labeled by the protocol (http-connect or grpc), transport
+    (tcp or uds), and stage (connect or proxy). The stage indicates at which stage
+    the dial failed
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - name
-  - result
-- name: webhook_evaluations_total
-  subsystem: authorization
+  - protocol
+  - stage
+  - transport
+- name: dial_start_total
+  subsystem: egress_dialer
   namespace: apiserver
-  help: Round-trips to authorization webhooks.
+  help: Dial starts, labeled by the protocol (http-connect or grpc) and transport
+    (tcp or uds).
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - name
-  - result
-- name: cache_list_fetched_objects_total
+  - protocol
+  - transport
+- name: automatic_reload_last_timestamp_seconds
+  subsystem: encryption_config_controller
   namespace: apiserver
-  help: Number of objects read from watch cache in the course of serving a LIST request
-  type: Counter
+  help: Timestamp of the last successful or failed automatic reload of encryption
+    configuration split by apiserver identity.
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - index
-  - resource_prefix
-- name: cache_list_returned_objects_total
+  - apiserver_id_hash
+  - status
+- name: automatic_reloads_total
+  subsystem: encryption_config_controller
   namespace: apiserver
-  help: Number of objects returned for a LIST request from watch cache
+  help: Total number of reload successes and failures of encryption configuration
+    split by apiserver identity.
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - resource_prefix
-- name: cache_list_total
-  namespace: apiserver
-  help: Number of LIST requests served from watch cache
-  type: Counter
+  - apiserver_id_hash
+  - status
+- name: apiserver_encryption_config_controller_last_config_info
+  help: Information about the last applied encryption configuration with hash as label,
+    split by apiserver identity.
+  type: Custom
   stabilityLevel: ALPHA
   labels:
-  - index
-  - resource_prefix
+  - apiserver_id_hash
+  - hash
 - name: dek_cache_fill_percent
   subsystem: envelope_encryption
   namespace: apiserver
@@ -4083,675 +4236,844 @@
   - 13.1072
   - 26.2144
   - 52.4288
-- name: current_inqueue_seats
-  subsystem: flowcontrol
+- name: init_events_total
   namespace: apiserver
-  help: Number of seats currently pending in queues of the API Priority and Fairness
-    subsystem
-  type: Gauge
+  help: Counter of init events processed in watch cache broken by resource type.
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
-  - priority_level
-- name: current_limit_seats
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: current derived number of execution seats available to each priority level
+  - group
+  - resource
+- name: apiserver_resource_objects
+  help: Number of stored objects at the time of last check split by kind. In case
+    of a fetching error, the value will be -1.
   type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: current_r
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: R(time of last change)
+  - group
+  - resource
+- name: apiserver_resource_size_estimate_bytes
+  help: Estimated size of stored objects in database. Estimate is based on sum of
+    last observed sizes of serialized objects. In case of a fetching error, the value
+    will be -1.
   type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: demand_seats
-  subsystem: flowcontrol
+  - group
+  - resource
+- name: storage_consistency_checks_total
   namespace: apiserver
-  help: Observations, at the end of every nanosecond, of (the number of seats each
-    priority level could use) / (nominal number of seats for that level)
-  type: TimingRatioHistogram
+  help: Counter for status of consistency checks between etcd and watch cache
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-  buckets:
-  - 0.2
-  - 0.4
-  - 0.6
-  - 0.8
-  - 1
-  - 1.2
-  - 1.4
-  - 1.7
-  - 2
-  - 2.8
-  - 4
-  - 6
-- name: demand_seats_average
-  subsystem: flowcontrol
+  - group
+  - resource
+  - status
+- name: data_key_generation_duration_seconds
+  subsystem: storage
   namespace: apiserver
-  help: Time-weighted average, over last adjustment period, of demand_seats
-  type: Gauge
+  help: Latencies in seconds of data encryption key(DEK) generation operations.
+  type: Histogram
   stabilityLevel: ALPHA
-  labels:
-  - priority_level
-- name: demand_seats_high_watermark
-  subsystem: flowcontrol
+  buckets:
+  - 5e-06
+  - 1e-05
+  - 2e-05
+  - 4e-05
+  - 8e-05
+  - 0.00016
+  - 0.00032
+  - 0.00064
+  - 0.00128
+  - 0.00256
+  - 0.00512
+  - 0.01024
+  - 0.02048
+  - 0.04096
+- name: data_key_generation_failures_total
+  subsystem: storage
   namespace: apiserver
-  help: High watermark, over last adjustment period, of demand_seats
-  type: Gauge
+  help: Total number of failed data encryption key(DEK) generation operations.
+  type: Counter
   stabilityLevel: ALPHA
-  labels:
-  - priority_level
-- name: demand_seats_smoothed
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: Smoothed seat demands
+- name: storage_db_total_size_in_bytes
+  subsystem: apiserver
+  help: Total size of the storage database file physically allocated in bytes.
   type: Gauge
+  deprecatedVersion: 1.28.0
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: demand_seats_stdev
-  subsystem: flowcontrol
+  - endpoint
+- name: storage_decode_errors_total
   namespace: apiserver
-  help: Time-weighted standard deviation, over last adjustment period, of demand_seats
-  type: Gauge
+  help: Number of stored object decode errors split by object type
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: dispatch_r
-  subsystem: flowcontrol
+  - group
+  - resource
+- name: envelope_transformation_cache_misses_total
+  subsystem: storage
   namespace: apiserver
-  help: R(time of last dispatch)
-  type: Gauge
+  help: Total number of cache misses while accessing key decryption key(KEK).
+  type: Counter
   stabilityLevel: ALPHA
-  labels:
-  - priority_level
-- name: epoch_advance_total
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: Number of times the queueset's progress meter jumped backward
+- name: storage_events_received_total
+  subsystem: apiserver
+  help: Number of etcd events received split by kind.
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-  - success
-- name: latest_s
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: S(most recently dispatched request)
-  type: Gauge
+  - group
+  - resource
+- name: apiserver_storage_list_evaluated_objects_total
+  help: Number of objects tested in the course of serving a LIST request from storage
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: lower_limit_seats
-  subsystem: flowcontrol
+  - group
+  - resource
+- name: apiserver_storage_list_fetched_objects_total
+  help: Number of objects read from storage in the course of serving a LIST request
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: apiserver_storage_list_returned_objects_total
+  help: Number of objects returned for a LIST request from storage
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: apiserver_storage_list_total
+  help: Number of LIST requests served from storage
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: transformation_duration_seconds
+  subsystem: storage
   namespace: apiserver
-  help: Configured lower bound on number of execution seats available to each priority
-    level
-  type: Gauge
+  help: Latencies in seconds of value transformation operations.
+  type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - priority_level
-- name: next_discounted_s_bounds
-  subsystem: flowcontrol
+  - transformation_type
+  - transformer_prefix
+  buckets:
+  - 5e-06
+  - 1e-05
+  - 2e-05
+  - 4e-05
+  - 8e-05
+  - 0.00016
+  - 0.00032
+  - 0.00064
+  - 0.00128
+  - 0.00256
+  - 0.00512
+  - 0.01024
+  - 0.02048
+  - 0.04096
+  - 0.08192
+  - 0.16384
+  - 0.32768
+  - 0.65536
+  - 1.31072
+  - 2.62144
+  - 5.24288
+  - 10.48576
+  - 20.97152
+  - 41.94304
+  - 83.88608
+- name: transformation_operations_total
+  subsystem: storage
   namespace: apiserver
-  help: min and max, over queues, of S(oldest waiting request in queue) - estimated
-    work in progress
-  type: Gauge
+  help: Total number of transformations. Successful transformation will have a status
+    'OK' and a varied status string when the transformation fails. The status, resource,
+    and transformation_type fields can be used for alerting purposes. For example,
+    you can monitor for encryption/decryption failures using the transformation_type
+    (e.g., from_storage for decryption and to_storage for encryption). Additionally,
+    these fields can be used to ensure that the correct transformers are applied to
+    each resource.
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - bound
-  - priority_level
-- name: next_s_bounds
-  subsystem: flowcontrol
+  - resource
+  - status
+  - transformation_type
+  - transformer_prefix
+- name: terminated_watchers_total
   namespace: apiserver
-  help: min and max, over queues, of S(oldest waiting request in queue)
-  type: Gauge
+  help: Counter of watchers closed due to unresponsiveness broken by resource type.
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - bound
-  - priority_level
-- name: priority_level_request_utilization
-  subsystem: flowcontrol
+  - group
+  - resource
+- name: consistent_read_total
+  subsystem: watch_cache
   namespace: apiserver
-  help: Observations, at the end of every nanosecond, of number of requests (as a
-    fraction of the relevant limit) waiting or in any stage of execution (but only
-    initial stage for WATCHes)
-  type: TimingRatioHistogram
+  help: Counter for consistent reads from cache.
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - phase
-  - priority_level
-  buckets:
-  - 0
-  - 0.001
-  - 0.003
-  - 0.01
-  - 0.03
-  - 0.1
-  - 0.25
-  - 0.5
-  - 0.75
-  - 1
-- name: priority_level_seat_utilization
-  subsystem: flowcontrol
+  - fallback
+  - group
+  - resource
+  - success
+- name: events_dispatched_total
+  subsystem: watch_cache
   namespace: apiserver
-  help: Observations, at the end of every nanosecond, of utilization of seats for
-    any stage of execution (but only initial stage for WATCHes)
-  type: TimingRatioHistogram
+  help: Counter of events dispatched in watch cache broken by resource type.
+  type: Counter
   stabilityLevel: ALPHA
   labels:
-  - priority_level
+  - group
+  - resource
+- name: events_received_total
+  subsystem: watch_cache
+  namespace: apiserver
+  help: Counter of events received in watch cache broken by resource type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: initializations_total
+  subsystem: watch_cache
+  namespace: apiserver
+  help: Counter of watch cache initializations broken by resource type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: read_wait_seconds
+  subsystem: watch_cache
+  namespace: apiserver
+  help: Histogram of time spent waiting for a watch cache to become fresh.
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
   buckets:
-  - 0
+  - 0.005
+  - 0.025
+  - 0.05
   - 0.1
   - 0.2
-  - 0.3
   - 0.4
-  - 0.5
   - 0.6
-  - 0.7
   - 0.8
-  - 0.9
-  - 0.95
-  - 0.99
   - 1
-  constLabels:
-    phase: executing
-- name: read_vs_write_current_requests
-  subsystem: flowcontrol
+  - 1.25
+  - 1.5
+  - 2
+  - 3
+- name: resource_version
+  subsystem: watch_cache
   namespace: apiserver
-  help: Observations, at the end of every nanosecond, of the number of requests (as
-    a fraction of the relevant limit) waiting or in regular stage of execution
-  type: TimingRatioHistogram
+  help: Current resource version of watch cache broken by resource type.
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - phase
-  - request_kind
+  - group
+  - resource
+- name: etcd_bookmark_counts
+  help: Number of etcd bookmarks (progress notify events) split by kind.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: etcd_lease_object_counts
+  help: Number of objects attached to a single etcd lease.
+  type: Histogram
+  stabilityLevel: ALPHA
   buckets:
-  - 0
-  - 0.001
-  - 0.01
+  - 10
+  - 50
+  - 100
+  - 500
+  - 1000
+  - 2500
+  - 5000
+- name: etcd_request_duration_seconds
+  help: Etcd request latency in seconds for each operation and object type.
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - operation
+  - resource
+  buckets:
+  - 0.005
+  - 0.025
+  - 0.05
   - 0.1
   - 0.2
-  - 0.3
   - 0.4
-  - 0.5
   - 0.6
-  - 0.7
   - 0.8
-  - 0.9
-  - 0.95
-  - 0.99
   - 1
-- name: request_concurrency_in_use
-  subsystem: flowcontrol
-  namespace: apiserver
-  help: Concurrency (number of seats) occupied by the currently executing (initial
-    stage for a WATCH, any stage otherwise) requests in the API Priority and Fairness
-    subsystem
+  - 1.25
+  - 1.5
+  - 2
+  - 3
+  - 4
+  - 5
+  - 6
+  - 8
+  - 10
+  - 15
+  - 20
+  - 30
+  - 45
+  - 60
+- name: etcd_request_errors_total
+  help: Etcd failed request counts for each operation and object type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - operation
+  - resource
+- name: etcd_requests_total
+  help: Etcd request counts for each operation and object type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - operation
+  - resource
+- name: capacity
+  subsystem: watch_cache
+  help: Total capacity of watch cache broken by resource type.
   type: Gauge
-  deprecatedVersion: 1.31.0
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
-  - priority_level
-- name: request_concurrency_limit
-  subsystem: flowcontrol
+  - group
+  - resource
+- name: capacity_decrease_total
+  subsystem: watch_cache
+  help: Total number of watch cache capacity decrease events broken by resource type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: capacity_increase_total
+  subsystem: watch_cache
+  help: Total number of watch cache capacity increase events broken by resource type.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - group
+  - resource
+- name: automatic_reload_last_timestamp_seconds
+  subsystem: authentication_config_controller
   namespace: apiserver
-  help: Nominal number of execution seats configured for each priority level
+  help: Timestamp of the last automatic reload of authentication configuration split
+    by status and apiserver identity.
   type: Gauge
-  deprecatedVersion: 1.30.0
-  stabilityLevel: ALPHA
+  stabilityLevel: BETA
   labels:
-  - priority_level
-- name: request_dispatch_no_accommodation_total
-  subsystem: flowcontrol
+  - apiserver_id_hash
+  - status
+- name: automatic_reloads_total
+  subsystem: authentication_config_controller
   namespace: apiserver
-  help: Number of times a dispatch attempt resulted in a non accommodation due to
-    lack of available seats
+  help: Total number of automatic reloads of authentication configuration split by
+    status and apiserver identity.
   type: Counter
-  stabilityLevel: ALPHA
+  stabilityLevel: BETA
   labels:
-  - flow_schema
-  - priority_level
-- name: request_execution_seconds
-  subsystem: flowcontrol
+  - apiserver_id_hash
+  - status
+- name: automatic_reload_last_timestamp_seconds
+  subsystem: authorization_config_controller
   namespace: apiserver
-  help: Duration of initial stage (for a WATCH) or any (for a non-WATCH) stage of
-    request execution in the API Priority and Fairness subsystem
+  help: Timestamp of the last automatic reload of authorization configuration split
+    by status and apiserver identity.
+  type: Gauge
+  stabilityLevel: BETA
+  labels:
+  - apiserver_id_hash
+  - status
+- name: automatic_reloads_total
+  subsystem: authorization_config_controller
+  namespace: apiserver
+  help: Total number of automatic reloads of authorization configuration split by
+    status and apiserver identity.
+  type: Counter
+  stabilityLevel: BETA
+  labels:
+  - apiserver_id_hash
+  - status
+- name: apiserver_storage_objects
+  help: '[DEPRECATED, consider using apiserver_resource_objects instead] Number of
+    stored objects at the time of last check split by kind. In case of a fetching
+    error, the value will be -1.'
+  type: Gauge
+  deprecatedVersion: 1.34.0
+  stabilityLevel: STABLE
+  labels:
+  - resource
+- name: apiserver_storage_size_bytes
+  help: Size of the storage database file physically allocated in bytes.
+  type: Custom
+  stabilityLevel: STABLE
+  labels:
+  - storage_cluster_id
+- name: jwt_authenticator_latency_seconds
+  subsystem: authentication
+  namespace: apiserver
+  help: Latency of jwt authentication operations in seconds. This is the time spent
+    authenticating a token for cache miss only (i.e. when the token is not found in
+    the cache).
   type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
-  - priority_level
-  - type
+  - jwt_issuer_hash
+  - result
   buckets:
-  - 0
+  - 0.001
   - 0.005
-  - 0.02
+  - 0.01
+  - 0.025
   - 0.05
   - 0.1
-  - 0.2
+  - 0.25
   - 0.5
   - 1
-  - 2
+  - 2.5
   - 5
   - 10
-  - 15
-  - 30
-- name: request_queue_length_after_enqueue
-  subsystem: flowcontrol
+- name: webhook_duration_seconds
+  subsystem: authorization
   namespace: apiserver
-  help: Length of queue in the API Priority and Fairness subsystem, as seen by each
-    request after it is enqueued
+  help: Request latency in seconds.
   type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
-  - priority_level
+  - name
+  - result
   buckets:
-  - 0
+  - 0.005
+  - 0.01
+  - 0.025
+  - 0.05
+  - 0.1
+  - 0.25
+  - 0.5
+  - 1
+  - 2.5
+  - 5
   - 10
-  - 25
-  - 50
-  - 100
-  - 250
-  - 500
-  - 1000
-- name: seat_fair_frac
-  subsystem: flowcontrol
+- name: webhook_evaluations_fail_open_total
+  subsystem: authorization
+  namespace: apiserver
+  help: NoOpinion results due to webhook timeout or error.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - name
+  - result
+- name: webhook_evaluations_total
+  subsystem: authorization
   namespace: apiserver
-  help: Fair fraction of server's concurrency to allocate to each priority level that
-    can use it
-  type: Gauge
+  help: Round-trips to authorization webhooks.
+  type: Counter
   stabilityLevel: ALPHA
-- name: target_seats
+  labels:
+  - name
+  - result
+- name: current_inqueue_seats
   subsystem: flowcontrol
   namespace: apiserver
-  help: Seat allocation targets
+  help: Number of seats currently pending in queues of the API Priority and Fairness
+    subsystem
   type: Gauge
   stabilityLevel: ALPHA
   labels:
+  - flow_schema
   - priority_level
-- name: upper_limit_seats
+- name: current_limit_seats
   subsystem: flowcontrol
   namespace: apiserver
-  help: Configured upper bound on number of execution seats available to each priority
-    level
+  help: current derived number of execution seats available to each priority level
   type: Gauge
   stabilityLevel: ALPHA
   labels:
   - priority_level
-- name: watch_count_samples
+- name: current_r
   subsystem: flowcontrol
   namespace: apiserver
-  help: count of watchers for mutating requests in API Priority and Fairness
-  type: Histogram
+  help: R(time of last change)
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
   - priority_level
-  buckets:
-  - 0
-  - 1
-  - 10
-  - 100
-  - 1000
-  - 10000
-- name: work_estimated_seats
+- name: demand_seats
   subsystem: flowcontrol
   namespace: apiserver
-  help: Number of estimated seats (maximum of initial and final seats) associated
-    with requests in API Priority and Fairness
-  type: Histogram
+  help: Observations, at the end of every nanosecond, of (the number of seats each
+    priority level could use) / (nominal number of seats for that level)
+  type: TimingRatioHistogram
   stabilityLevel: ALPHA
   labels:
-  - flow_schema
   - priority_level
   buckets:
+  - 0.2
+  - 0.4
+  - 0.6
+  - 0.8
   - 1
+  - 1.2
+  - 1.4
+  - 1.7
   - 2
+  - 2.8
   - 4
-  - 10
-- name: init_events_total
+  - 6
+- name: demand_seats_average
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter of init events processed in watch cache broken by resource type.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - resource
-- name: rerouted_request_total
-  subsystem: apiserver
-  help: Total number of requests that were proxied to a peer kube apiserver because
-    the local apiserver was not capable of serving it
-  type: Counter
+  help: Time-weighted average, over last adjustment period, of demand_seats
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - code
-- name: data_key_generation_duration_seconds
-  subsystem: storage
-  namespace: apiserver
-  help: Latencies in seconds of data encryption key(DEK) generation operations.
-  type: Histogram
-  stabilityLevel: ALPHA
-  buckets:
-  - 5e-06
-  - 1e-05
-  - 2e-05
-  - 4e-05
-  - 8e-05
-  - 0.00016
-  - 0.00032
-  - 0.00064
-  - 0.00128
-  - 0.00256
-  - 0.00512
-  - 0.01024
-  - 0.02048
-  - 0.04096
-- name: data_key_generation_failures_total
-  subsystem: storage
+  - priority_level
+- name: demand_seats_high_watermark
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Total number of failed data encryption key(DEK) generation operations.
-  type: Counter
-  stabilityLevel: ALPHA
-- name: storage_db_total_size_in_bytes
-  subsystem: apiserver
-  help: Total size of the storage database file physically allocated in bytes.
+  help: High watermark, over last adjustment period, of demand_seats
   type: Gauge
-  deprecatedVersion: 1.28.0
   stabilityLevel: ALPHA
   labels:
-  - endpoint
-- name: storage_decode_errors_total
+  - priority_level
+- name: demand_seats_smoothed
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Number of stored object decode errors split by object type
-  type: Counter
+  help: Smoothed seat demands
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: envelope_transformation_cache_misses_total
-  subsystem: storage
+  - priority_level
+- name: demand_seats_stdev
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Total number of cache misses while accessing key decryption key(KEK).
-  type: Counter
-  stabilityLevel: ALPHA
-- name: storage_events_received_total
-  subsystem: apiserver
-  help: Number of etcd events received split by kind.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - resource
-- name: apiserver_storage_list_evaluated_objects_total
-  help: Number of objects tested in the course of serving a LIST request from storage
-  type: Counter
+  help: Time-weighted standard deviation, over last adjustment period, of demand_seats
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: apiserver_storage_list_fetched_objects_total
-  help: Number of objects read from storage in the course of serving a LIST request
-  type: Counter
+  - priority_level
+- name: dispatch_r
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: R(time of last dispatch)
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: apiserver_storage_list_returned_objects_total
-  help: Number of objects returned for a LIST request from storage
+  - priority_level
+- name: epoch_advance_total
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: Number of times the queueset's progress meter jumped backward
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: apiserver_storage_list_total
-  help: Number of LIST requests served from storage
-  type: Counter
+  - priority_level
+  - success
+- name: latest_s
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: S(most recently dispatched request)
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: transformation_duration_seconds
-  subsystem: storage
+  - priority_level
+- name: lower_limit_seats
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Latencies in seconds of value transformation operations.
-  type: Histogram
+  help: Configured lower bound on number of execution seats available to each priority
+    level
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - transformation_type
-  - transformer_prefix
-  buckets:
-  - 5e-06
-  - 1e-05
-  - 2e-05
-  - 4e-05
-  - 8e-05
-  - 0.00016
-  - 0.00032
-  - 0.00064
-  - 0.00128
-  - 0.00256
-  - 0.00512
-  - 0.01024
-  - 0.02048
-  - 0.04096
-  - 0.08192
-  - 0.16384
-  - 0.32768
-  - 0.65536
-  - 1.31072
-  - 2.62144
-  - 5.24288
-  - 10.48576
-  - 20.97152
-  - 41.94304
-  - 83.88608
-- name: transformation_operations_total
-  subsystem: storage
+  - priority_level
+- name: next_discounted_s_bounds
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Total number of transformations. Successful transformation will have a status
-    'OK' and a varied status string when the transformation fails. The status, resource,
-    and transformation_type fields can be used for alerting purposes. For example,
-    you can monitor for encryption/decryption failures using the transformation_type
-    (e.g., from_storage for decryption and to_storage for encryption). Additionally,
-    these fields can be used to ensure that the correct transformers are applied to
-    each resource.
-  type: Counter
+  help: min and max, over queues, of S(oldest waiting request in queue) - estimated
+    work in progress
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-  - status
-  - transformation_type
-  - transformer_prefix
-- name: stream_translator_requests_total
-  subsystem: apiserver
-  help: Total number of requests that were handled by the StreamTranslatorProxy, which
-    processes streaming RemoteCommand/V5
-  type: Counter
+  - bound
+  - priority_level
+- name: next_s_bounds
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: min and max, over queues, of S(oldest waiting request in queue)
+  type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - code
-- name: stream_tunnel_requests_total
-  subsystem: apiserver
-  help: Total number of requests that were handled by the StreamTunnelProxy, which
-    processes streaming PortForward/V2
-  type: Counter
+  - bound
+  - priority_level
+- name: priority_level_request_utilization
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: Observations, at the end of every nanosecond, of number of requests (as a
+    fraction of the relevant limit) waiting or in any stage of execution (but only
+    initial stage for WATCHes)
+  type: TimingRatioHistogram
   stabilityLevel: ALPHA
   labels:
-  - code
-- name: terminated_watchers_total
+  - phase
+  - priority_level
+  buckets:
+  - 0
+  - 0.001
+  - 0.003
+  - 0.01
+  - 0.03
+  - 0.1
+  - 0.25
+  - 0.5
+  - 0.75
+  - 1
+- name: priority_level_seat_utilization
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter of watchers closed due to unresponsiveness broken by resource type.
-  type: Counter
+  help: Observations, at the end of every nanosecond, of utilization of seats for
+    any stage of execution (but only initial stage for WATCHes)
+  type: TimingRatioHistogram
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: consistent_read_total
-  subsystem: watch_cache
+  - priority_level
+  buckets:
+  - 0
+  - 0.1
+  - 0.2
+  - 0.3
+  - 0.4
+  - 0.5
+  - 0.6
+  - 0.7
+  - 0.8
+  - 0.9
+  - 0.95
+  - 0.99
+  - 1
+  constLabels:
+    phase: executing
+- name: read_vs_write_current_requests
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter for consistent reads from cache.
-  type: Counter
+  help: Observations, at the end of every nanosecond, of the number of requests (as
+    a fraction of the relevant limit) waiting or in regular stage of execution
+  type: TimingRatioHistogram
   stabilityLevel: ALPHA
   labels:
-  - fallback
-  - resource
-  - success
-- name: events_dispatched_total
-  subsystem: watch_cache
+  - phase
+  - request_kind
+  buckets:
+  - 0
+  - 0.001
+  - 0.01
+  - 0.1
+  - 0.2
+  - 0.3
+  - 0.4
+  - 0.5
+  - 0.6
+  - 0.7
+  - 0.8
+  - 0.9
+  - 0.95
+  - 0.99
+  - 1
+- name: request_concurrency_in_use
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter of events dispatched in watch cache broken by resource type.
-  type: Counter
+  help: Concurrency (number of seats) occupied by the currently executing (initial
+    stage for a WATCH, any stage otherwise) requests in the API Priority and Fairness
+    subsystem
+  type: Gauge
+  deprecatedVersion: 1.31.0
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: events_received_total
-  subsystem: watch_cache
+  - flow_schema
+  - priority_level
+- name: request_concurrency_limit
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter of events received in watch cache broken by resource type.
-  type: Counter
+  help: Nominal number of execution seats configured for each priority level
+  type: Gauge
+  deprecatedVersion: 1.30.0
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: initializations_total
-  subsystem: watch_cache
+  - priority_level
+- name: request_dispatch_no_accommodation_total
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counter of watch cache initializations broken by resource type.
+  help: Number of times a dispatch attempt resulted in a non accommodation due to
+    lack of available seats
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: read_wait_seconds
-  subsystem: watch_cache
+  - flow_schema
+  - priority_level
+- name: request_execution_seconds
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Histogram of time spent waiting for a watch cache to become fresh.
+  help: Duration of initial stage (for a WATCH) or any (for a non-WATCH) stage of
+    request execution in the API Priority and Fairness subsystem
   type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - resource
+  - flow_schema
+  - priority_level
+  - type
   buckets:
+  - 0
   - 0.005
-  - 0.025
+  - 0.02
   - 0.05
   - 0.1
   - 0.2
-  - 0.4
-  - 0.6
-  - 0.8
+  - 0.5
   - 1
-  - 1.25
-  - 1.5
   - 2
-  - 3
-- name: resource_version
-  subsystem: watch_cache
+  - 5
+  - 10
+  - 15
+  - 30
+- name: request_queue_length_after_enqueue
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Current resource version of watch cache broken by resource type.
-  type: Gauge
+  help: Length of queue in the API Priority and Fairness subsystem, as seen by each
+    request after it is enqueued
+  type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: x509_insecure_sha1_total
-  subsystem: webhooks
+  - flow_schema
+  - priority_level
+  buckets:
+  - 0
+  - 10
+  - 25
+  - 50
+  - 100
+  - 250
+  - 500
+  - 1000
+- name: seat_fair_frac
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counts the number of requests to servers with insecure SHA1 signatures in
-    their serving certificate OR the number of connection failures due to the insecure
-    SHA1 signatures (either/or, based on the runtime environment)
-  type: Counter
+  help: Fair fraction of server's concurrency to allocate to each priority level that
+    can use it
+  type: Gauge
   stabilityLevel: ALPHA
-- name: x509_missing_san_total
-  subsystem: webhooks
+- name: target_seats
+  subsystem: flowcontrol
   namespace: apiserver
-  help: Counts the number of requests to servers missing SAN extension in their serving
-    certificate OR the number of connection failures due to the lack of x509 certificate
-    SAN extension missing (either/or, based on the runtime environment)
-  type: Counter
+  help: Seat allocation targets
+  type: Gauge
   stabilityLevel: ALPHA
-- name: etcd_bookmark_counts
-  help: Number of etcd bookmarks (progress notify events) split by kind.
+  labels:
+  - priority_level
+- name: upper_limit_seats
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: Configured upper bound on number of execution seats available to each priority
+    level
   type: Gauge
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: etcd_lease_object_counts
-  help: Number of objects attached to a single etcd lease.
+  - priority_level
+- name: watch_count_samples
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: count of watchers for mutating requests in API Priority and Fairness
   type: Histogram
   stabilityLevel: ALPHA
+  labels:
+  - flow_schema
+  - priority_level
   buckets:
+  - 0
+  - 1
   - 10
-  - 50
   - 100
-  - 500
   - 1000
-  - 2500
-  - 5000
-- name: etcd_request_duration_seconds
-  help: Etcd request latency in seconds for each operation and object type.
+  - 10000
+- name: work_estimated_seats
+  subsystem: flowcontrol
+  namespace: apiserver
+  help: Number of estimated seats (maximum of initial and final seats) associated
+    with requests in API Priority and Fairness
   type: Histogram
   stabilityLevel: ALPHA
   labels:
-  - operation
-  - type
+  - flow_schema
+  - priority_level
   buckets:
-  - 0.005
-  - 0.025
-  - 0.05
-  - 0.1
-  - 0.2
-  - 0.4
-  - 0.6
-  - 0.8
   - 1
-  - 1.25
-  - 1.5
   - 2
-  - 3
   - 4
-  - 5
-  - 6
   - 8
-  - 10
-  - 15
-  - 20
-  - 30
-  - 45
-  - 60
-- name: etcd_request_errors_total
-  help: Etcd failed request counts for each operation and object type.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - operation
-  - type
-- name: etcd_requests_total
-  help: Etcd request counts for each operation and object type.
+  - 16
+  - 32
+  - 64
+  - 100
+- name: rerouted_request_total
+  subsystem: apiserver
+  help: Total number of requests that were proxied to a peer kube apiserver because
+    the local apiserver was not capable of serving it
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - operation
-  - type
-- name: capacity
-  subsystem: watch_cache
-  help: Total capacity of watch cache broken by resource type.
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - resource
-- name: capacity_decrease_total
-  subsystem: watch_cache
-  help: Total number of watch cache capacity decrease events broken by resource type.
+  - code
+- name: stream_translator_requests_total
+  subsystem: apiserver
+  help: Total number of requests that were handled by the StreamTranslatorProxy, which
+    processes streaming RemoteCommand/V5
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - resource
-- name: capacity_increase_total
-  subsystem: watch_cache
-  help: Total number of watch cache capacity increase events broken by resource type.
+  - code
+- name: stream_tunnel_requests_total
+  subsystem: apiserver
+  help: Total number of requests that were handled by the StreamTunnelProxy, which
+    processes streaming PortForward/V2
   type: Counter
   stabilityLevel: ALPHA
   labels:
-  - resource
+  - code
+- name: x509_insecure_sha1_total
+  subsystem: webhooks
+  namespace: apiserver
+  help: Counts the number of requests to servers with insecure SHA1 signatures in
+    their serving certificate OR the number of connection failures due to the insecure
+    SHA1 signatures (either/or, based on the runtime environment)
+  type: Counter
+  stabilityLevel: ALPHA
+- name: x509_missing_san_total
+  subsystem: webhooks
+  namespace: apiserver
+  help: Counts the number of requests to servers missing SAN extension in their serving
+    certificate OR the number of connection failures due to the lack of x509 certificate
+    SAN extension missing (either/or, based on the runtime environment)
+  type: Counter
+  stabilityLevel: ALPHA
 - name: current_executing_requests
   subsystem: flowcontrol
   namespace: apiserver
@@ -4834,19 +5156,19 @@
   - 10
   - 15
   - 30
-- name: apiserver_storage_objects
-  help: Number of stored objects at the time of last check split by kind. In case
-    of a fetching error, the value will be -1.
-  type: Gauge
-  stabilityLevel: STABLE
-  labels:
-  - resource
-- name: apiserver_storage_size_bytes
-  help: Size of the storage database file physically allocated in bytes.
-  type: Custom
-  stabilityLevel: STABLE
-  labels:
-  - storage_cluster_id
+- name: declarative_validation_mismatch_total
+  subsystem: validation
+  namespace: apiserver
+  help: Number of times declarative validation results differed from handwritten validation
+    results for core types.
+  type: Counter
+  stabilityLevel: BETA
+- name: declarative_validation_panic_total
+  subsystem: validation
+  namespace: apiserver
+  help: Number of times declarative validation has panicked during validation.
+  type: Counter
+  stabilityLevel: BETA
 - name: request_duration_seconds
   subsystem: cloud_provider_webhook
   help: Request latency in seconds. Broken down by status code.
@@ -4953,92 +5275,6 @@
   - 4096
   - 8192
   - 16384
-- name: changes
-  subsystem: endpoint_slice_controller
-  help: Number of EndpointSlice changes
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - operation
-- name: desired_endpoint_slices
-  subsystem: endpoint_slice_controller
-  help: Number of EndpointSlices that would exist with perfect endpoint allocation
-  type: Gauge
-  stabilityLevel: ALPHA
-- name: endpoints_added_per_sync
-  subsystem: endpoint_slice_controller
-  help: Number of endpoints added on each Service sync
-  type: Histogram
-  stabilityLevel: ALPHA
-  buckets:
-  - 2
-  - 4
-  - 8
-  - 16
-  - 32
-  - 64
-  - 128
-  - 256
-  - 512
-  - 1024
-  - 2048
-  - 4096
-  - 8192
-  - 16384
-  - 32768
-- name: endpoints_desired
-  subsystem: endpoint_slice_controller
-  help: Number of endpoints desired
-  type: Gauge
-  stabilityLevel: ALPHA
-- name: endpoints_removed_per_sync
-  subsystem: endpoint_slice_controller
-  help: Number of endpoints removed on each Service sync
-  type: Histogram
-  stabilityLevel: ALPHA
-  buckets:
-  - 2
-  - 4
-  - 8
-  - 16
-  - 32
-  - 64
-  - 128
-  - 256
-  - 512
-  - 1024
-  - 2048
-  - 4096
-  - 8192
-  - 16384
-  - 32768
-- name: endpointslices_changed_per_sync
-  subsystem: endpoint_slice_controller
-  help: Number of EndpointSlices changed on each Service sync
-  type: Histogram
-  stabilityLevel: ALPHA
-  labels:
-  - topology
-  - traffic_distribution
-- name: num_endpoint_slices
-  subsystem: endpoint_slice_controller
-  help: Number of EndpointSlices
-  type: Gauge
-  stabilityLevel: ALPHA
-- name: services_count_by_traffic_distribution
-  subsystem: endpoint_slice_controller
-  help: Number of Services using some specific trafficDistribution
-  type: Gauge
-  stabilityLevel: ALPHA
-  labels:
-  - traffic_distribution
-- name: syncs
-  subsystem: endpoint_slice_controller
-  help: Number of EndpointSlice syncs
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - result
 - name: kubernetes_build_info
   help: A metric with a constant '1' value labeled by major, minor, git version, git
     commit, git tree state, build date, Go version, and compiler from which Kubernetes
@@ -5236,6 +5472,16 @@
   labels:
   - manager
   - name
+- name: version_info
+  help: Provides the compatibility version info of the component. The component label
+    is the name of the component, usually kube, but is relevant for aggregated-apiservers.
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - binary
+  - component
+  - emulation
+  - min_compat
 - name: adds_total
   subsystem: workqueue
   help: Total number of adds handled by workqueue
@@ -5364,21 +5610,6 @@
   stabilityLevel: ALPHA
   labels:
   - reason
-- name: aggregator_unavailable_apiservice
-  help: Gauge of APIServices which are marked as unavailable broken down by APIService
-    name.
-  type: Custom
-  stabilityLevel: ALPHA
-  labels:
-  - name
-- name: aggregator_unavailable_apiservice_total
-  help: Counter of APIServices which are marked as unavailable broken down by APIService
-    name and reason.
-  type: Counter
-  stabilityLevel: ALPHA
-  labels:
-  - name
-  - reason
 - name: x509_insecure_sha1_total
   subsystem: kube_aggregator
   namespace: apiserver
@@ -5395,6 +5626,107 @@
     SAN extension missing (either/or, based on the runtime environment)
   type: Counter
   stabilityLevel: ALPHA
+- name: changes
+  subsystem: endpoint_slice_controller
+  help: Number of EndpointSlice changes
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - operation
+- name: desired_endpoint_slices
+  subsystem: endpoint_slice_controller
+  help: Number of EndpointSlices that would exist with perfect endpoint allocation
+  type: Gauge
+  stabilityLevel: ALPHA
+- name: endpoints_added_per_sync
+  subsystem: endpoint_slice_controller
+  help: Number of endpoints added on each Service sync
+  type: Histogram
+  stabilityLevel: ALPHA
+  buckets:
+  - 2
+  - 4
+  - 8
+  - 16
+  - 32
+  - 64
+  - 128
+  - 256
+  - 512
+  - 1024
+  - 2048
+  - 4096
+  - 8192
+  - 16384
+  - 32768
+- name: endpoints_desired
+  subsystem: endpoint_slice_controller
+  help: Number of endpoints desired
+  type: Gauge
+  stabilityLevel: ALPHA
+- name: endpoints_removed_per_sync
+  subsystem: endpoint_slice_controller
+  help: Number of endpoints removed on each Service sync
+  type: Histogram
+  stabilityLevel: ALPHA
+  buckets:
+  - 2
+  - 4
+  - 8
+  - 16
+  - 32
+  - 64
+  - 128
+  - 256
+  - 512
+  - 1024
+  - 2048
+  - 4096
+  - 8192
+  - 16384
+  - 32768
+- name: endpointslices_changed_per_sync
+  subsystem: endpoint_slice_controller
+  help: Number of EndpointSlices changed on each Service sync
+  type: Histogram
+  stabilityLevel: ALPHA
+  labels:
+  - topology
+  - traffic_distribution
+- name: num_endpoint_slices
+  subsystem: endpoint_slice_controller
+  help: Number of EndpointSlices
+  type: Gauge
+  stabilityLevel: ALPHA
+- name: services_count_by_traffic_distribution
+  subsystem: endpoint_slice_controller
+  help: Number of Services using some specific trafficDistribution
+  type: Gauge
+  stabilityLevel: ALPHA
+  labels:
+  - traffic_distribution
+- name: syncs
+  subsystem: endpoint_slice_controller
+  help: Number of EndpointSlice syncs
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - result
+- name: aggregator_unavailable_apiservice
+  help: Gauge of APIServices which are marked as unavailable broken down by APIService
+    name.
+  type: Custom
+  stabilityLevel: ALPHA
+  labels:
+  - name
+- name: aggregator_unavailable_apiservice_total
+  help: Counter of APIServices which are marked as unavailable broken down by APIService
+    name and reason.
+  type: Counter
+  stabilityLevel: ALPHA
+  labels:
+  - name
+  - reason
 - name: pod_security_errors_total
   help: Number of errors preventing normal evaluation. Non-fatal errors may result
     in the latest restricted profile being used for evaluation.
diff --git a/test/instrumentation/documentation/documentation.md b/test/instrumentation/documentation/documentation.md
index bb64782fa535b..017b4a748a2e1 100644
--- a/test/instrumentation/documentation/documentation.md
+++ b/test/instrumentation/documentation/documentation.md
@@ -6,10 +6,10 @@ description: >-
   Details of the metric data that Kubernetes components export.
 ---
 
-## Metrics (v1.32)
+## Metrics (v1.34)
 
-<!-- (auto-generated 2024 Nov 09) -->
-<!-- (auto-generated v1.32) -->
+<!-- (auto-generated 2025 Sep 12) -->
+<!-- (auto-generated v1.34) -->
 This page details the metrics that different Kubernetes components export. You can query the metrics endpoint for these 
 components using an HTTP scrape, and fetch the current metrics data in Prometheus format.
 
@@ -82,11 +82,11 @@ Stable metrics observe strict API contracts and no labels can be added or remove
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">component</span><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">scope</span><span class="metric_label">subresource</span><span class="metric_label">verb</span><span class="metric_label">version</span></li></ul>
 	</div><div class="metric" data-stability="stable">
 	<div class="metric_name">apiserver_storage_objects</div>
-	<div class="metric_help">Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.</div>
+	<div class="metric_help">[DEPRECATED, consider using apiserver_resource_objects instead] Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">STABLE</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li><li class="metric_deprecated_version"><label class="metric_detail">Deprecated Versions:</label><span>1.34.0</span></li></ul>
 	</div><div class="metric" data-stability="stable">
 	<div class="metric_name">apiserver_storage_size_bytes</div>
 	<div class="metric_help">Size of the storage database file physically allocated in bytes.</div>
@@ -242,13 +242,6 @@ Stable metrics observe strict API contracts and no labels can be added or remove
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	</ul>
 	</div><div class="metric" data-stability="stable">
-	<div class="metric_name">scheduler_pod_scheduling_duration_seconds</div>
-	<div class="metric_help">E2e latency for a pod being scheduled which may include multiple scheduling attempts.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">STABLE</span></li>
-	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">attempts</span></li><li class="metric_deprecated_version"><label class="metric_detail">Deprecated Versions:</label><span>1.29.0</span></li></ul>
-	</div><div class="metric" data-stability="stable">
 	<div class="metric_name">scheduler_preemption_attempts_total</div>
 	<div class="metric_help">Total preemption attempts in the cluster till now</div>
 	<ul>
@@ -291,6 +284,34 @@ Stable metrics observe strict API contracts and no labels can be added or remove
 Beta metrics observe a looser API contract than its stable counterparts. No labels can be removed from beta metrics during their lifetime, however, labels can be added while the metric is in the beta stage. This offers the assurance that beta metrics will honor existing dashboards and alerts, while allowing for amendments in the future. 
 
 <div class="metrics"><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds</div>
+	<div class="metric_help">Timestamp of the last automatic reload of authentication configuration split by status and apiserver identity.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_authentication_config_controller_automatic_reloads_total</div>
+	<div class="metric_help">Total number of automatic reloads of authentication configuration split by status and apiserver identity.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds</div>
+	<div class="metric_help">Timestamp of the last automatic reload of authorization configuration split by status and apiserver identity.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_authorization_config_controller_automatic_reloads_total</div>
+	<div class="metric_help">Total number of automatic reloads of authorization configuration split by status and apiserver identity.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	</div><div class="metric" data-stability="beta">
 	<div class="metric_name">apiserver_cel_compilation_duration_seconds</div>
 	<div class="metric_help">CEL compilation time in seconds.</div>
 	<ul>
@@ -368,6 +389,20 @@ Beta metrics observe a looser API contract than its stable counterparts. No labe
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">enforcement_action</span><span class="metric_label">error_type</span><span class="metric_label">policy</span><span class="metric_label">policy_binding</span></li></ul>
 	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_validation_declarative_validation_mismatch_total</div>
+	<div class="metric_help">Number of times declarative validation results differed from handwritten validation results for core types.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">apiserver_validation_declarative_validation_panic_total</div>
+	<div class="metric_help">Number of times declarative validation has panicked during validation.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="beta">
 	<div class="metric_name">disabled_metrics_total</div>
 	<div class="metric_help">The count of disabled metrics.</div>
 	<ul>
@@ -389,6 +424,13 @@ Beta metrics observe a looser API contract than its stable counterparts. No labe
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">name</span><span class="metric_label">stage</span></li></ul>
 	</div><div class="metric" data-stability="beta">
+	<div class="metric_name">prober_probe_total</div>
+	<div class="metric_help">Cumulative number of a liveness, readiness or startup probe for a container by result.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">BETA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">container</span><span class="metric_label">namespace</span><span class="metric_label">pod</span><span class="metric_label">pod_uid</span><span class="metric_label">probe_type</span><span class="metric_label">result</span></li></ul>
+	</div><div class="metric" data-stability="beta">
 	<div class="metric_name">registered_metrics_total</div>
 	<div class="metric_help">The count of registered metrics broken by stability level and deprecation version.</div>
 	<ul>
@@ -543,19 +585,12 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_authentication_config_controller_automatic_reload_last_timestamp_seconds</div>
-	<div class="metric_help">Timestamp of the last automatic reload of authentication configuration split by status and apiserver identity.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_authentication_config_controller_automatic_reloads_total</div>
-	<div class="metric_help">Total number of automatic reloads of authentication configuration split by status and apiserver identity.</div>
+	<div class="metric_name">apiserver_authentication_config_controller_last_config_info</div>
+	<div class="metric_help">Information about the last applied authentication configuration with hash as label, split by apiserver identity.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">hash</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_authentication_jwt_authenticator_latency_seconds</div>
 	<div class="metric_help">Latency of jwt authentication operations in seconds. This is the time spent authenticating a token for cache miss only (i.e. when the token is not found in the cache).</div>
@@ -564,19 +599,12 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">jwt_issuer_hash</span><span class="metric_label">result</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_authorization_config_controller_automatic_reload_last_timestamp_seconds</div>
-	<div class="metric_help">Timestamp of the last automatic reload of authorization configuration split by status and apiserver identity.</div>
+	<div class="metric_name">apiserver_authorization_config_controller_last_config_info</div>
+	<div class="metric_help">Information about the last applied authorization configuration with hash as label, split by apiserver identity.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_authorization_config_controller_automatic_reloads_total</div>
-	<div class="metric_help">Total number of automatic reloads of authorization configuration split by status and apiserver identity.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">hash</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_authorization_decisions_total</div>
 	<div class="metric_help">Total number of terminal decisions made by an authorizer split by authorizer type, name, and decision.</div>
@@ -632,21 +660,21 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">index</span><span class="metric_label">resource_prefix</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">index</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_cache_list_returned_objects_total</div>
 	<div class="metric_help">Number of objects returned for a LIST request from watch cache</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource_prefix</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_cache_list_total</div>
 	<div class="metric_help">Number of LIST requests served from watch cache</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">index</span><span class="metric_label">resource_prefix</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">index</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_certificates_registry_csr_honored_duration_total</div>
 	<div class="metric_help">Total number of issued CSRs with a requested duration that was honored, sliced by signer (only kubernetes.io signer names are specifically identified)</div>
@@ -760,13 +788,6 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">protocol</span><span class="metric_label">transport</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_encryption_config_controller_automatic_reload_failures_total</div>
-	<div class="metric_help">Total number of failed automatic reloads of encryption configuration split by apiserver identity.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span></li><li class="metric_deprecated_version"><label class="metric_detail">Deprecated Versions:</label><span>1.30.0</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds</div>
 	<div class="metric_help">Timestamp of the last successful or failed automatic reload of encryption configuration split by apiserver identity.</div>
 	<ul>
@@ -774,13 +795,6 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">apiserver_encryption_config_controller_automatic_reload_success_total</div>
-	<div class="metric_help">Total number of successful automatic reloads of encryption configuration split by apiserver identity.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span></li><li class="metric_deprecated_version"><label class="metric_detail">Deprecated Versions:</label><span>1.30.0</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_encryption_config_controller_automatic_reloads_total</div>
 	<div class="metric_help">Total number of reload successes and failures of encryption configuration split by apiserver identity.</div>
 	<ul>
@@ -788,6 +802,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">status</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_encryption_config_controller_last_config_info</div>
+	<div class="metric_help">Information about the last applied encryption configuration with hash as label, split by apiserver identity.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">apiserver_id_hash</span><span class="metric_label">hash</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_envelope_encryption_dek_cache_fill_percent</div>
 	<div class="metric_help">Percent of the cache slots currently occupied by cached DEKs.</div>
 	<ul>
@@ -1073,7 +1094,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_kube_aggregator_x509_insecure_sha1_total</div>
 	<div class="metric_help">Counts the number of requests to servers with insecure SHA1 signatures in their serving certificate OR the number of connection failures due to the insecure SHA1 signatures (either/or, based on the runtime environment)</div>
@@ -1089,6 +1110,20 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_mutating_admission_policy_check_duration_seconds</div>
+	<div class="metric_help">Mutation admission latency for individual mutation expressions in seconds, labeled by policy and binding.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">error_type</span><span class="metric_label">policy</span><span class="metric_label">policy_binding</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_mutating_admission_policy_check_total</div>
+	<div class="metric_help">Mutation admission policy check total, labeled by policy and further identified by binding.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">error_type</span><span class="metric_label">policy</span><span class="metric_label">policy_binding</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_nodeport_repair_port_errors_total</div>
 	<div class="metric_help">Number of errors detected on ports by the repair loop broken down by type of error: leak, repair, full, outOfRange, duplicate, unknown</div>
 	<ul>
@@ -1115,7 +1150,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span><span class="metric_label">verb</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">verb</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_request_filter_duration_seconds</div>
 	<div class="metric_help">Request filter latency distribution in seconds, for each filter type</div>
@@ -1166,12 +1201,33 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">code</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_resource_objects</div>
+	<div class="metric_help">Number of stored objects at the time of last check split by kind. In case of a fetching error, the value will be -1.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_resource_size_estimate_bytes</div>
+	<div class="metric_help">Estimated size of stored objects in database. Estimate is based on sum of last observed sizes of serialized objects. In case of a fetching error, the value will be -1.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_selfrequest_total</div>
 	<div class="metric_help">Counter of apiserver self-requests broken out for each verb, API resource and subresource.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span><span class="metric_label">subresource</span><span class="metric_label">verb</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">subresource</span><span class="metric_label">verb</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">apiserver_storage_consistency_checks_total</div>
+	<div class="metric_help">Counter for status of consistency checks between etcd and watch cache</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">status</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_data_key_generation_duration_seconds</div>
 	<div class="metric_help">Latencies in seconds of data encryption key(DEK) generation operations.</div>
@@ -1199,7 +1255,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_envelope_transformation_cache_misses_total</div>
 	<div class="metric_help">Total number of cache misses while accessing key decryption key(KEK).</div>
@@ -1213,35 +1269,35 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_list_evaluated_objects_total</div>
 	<div class="metric_help">Number of objects tested in the course of serving a LIST request from storage</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_list_fetched_objects_total</div>
 	<div class="metric_help">Number of objects read from storage in the course of serving a LIST request</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_list_returned_objects_total</div>
 	<div class="metric_help">Number of objects returned for a LIST request from storage</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_list_total</div>
 	<div class="metric_help">Number of LIST requests served from storage</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_storage_transformation_duration_seconds</div>
 	<div class="metric_help">Latencies in seconds of value transformation operations.</div>
@@ -1276,7 +1332,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_tls_handshake_errors_total</div>
 	<div class="metric_help">Number of requests dropped with 'TLS handshake error from' error</div>
@@ -1290,56 +1346,56 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">fallback</span><span class="metric_label">resource</span><span class="metric_label">success</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">fallback</span><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">success</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_cache_events_dispatched_total</div>
 	<div class="metric_help">Counter of events dispatched in watch cache broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_cache_events_received_total</div>
 	<div class="metric_help">Counter of events received in watch cache broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_cache_initializations_total</div>
 	<div class="metric_help">Counter of watch cache initializations broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_cache_read_wait_seconds</div>
 	<div class="metric_help">Histogram of time spent waiting for a watch cache to become fresh.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_cache_resource_version</div>
 	<div class="metric_help">Current resource version of watch cache broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_events_sizes</div>
 	<div class="metric_help">Watch event size distribution in bytes</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">kind</span><span class="metric_label">version</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">version</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_events_total</div>
 	<div class="metric_help">Number of events sent in watch clients</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">kind</span><span class="metric_label">version</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span><span class="metric_label">version</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">apiserver_watch_list_duration_seconds</div>
 	<div class="metric_help">Response latency distribution in seconds for watch list requests broken by group, version, resource and scope.</div>
@@ -1467,6 +1523,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">code</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">container_swap_limit_bytes</div>
+	<div class="metric_help">Current amount of the container swap limit in bytes. Reported only on non-windows systems</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">container</span><span class="metric_label">pod</span><span class="metric_label">namespace</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">container_swap_usage_bytes</div>
 	<div class="metric_help">Current amount of the container swap usage in bytes. Reported only on non-windows systems</div>
 	<ul>
@@ -1481,6 +1544,20 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">driver_name</span><span class="metric_label">grpc_status_code</span><span class="metric_label">method_name</span><span class="metric_label">migrated</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">device_taint_eviction_controller_pod_deletion_duration_seconds</div>
+	<div class="metric_help">Latency, in seconds, between the time when a device taint effect has been activated and a Pod's deletion via DeviceTaintEvictionController.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">device_taint_eviction_controller_pod_deletions_total</div>
+	<div class="metric_help">Total number of Pods deleted by DeviceTaintEvictionController since its start.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">dra_grpc_operations_duration_seconds</div>
 	<div class="metric_help">Duration in seconds of the DRA gRPC operations</div>
 	<ul>
@@ -1495,6 +1572,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">is_error</span><span class="metric_label">operation_name</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">dra_resource_claims_in_use</div>
+	<div class="metric_help">The number of ResourceClaims that are currently in use on the node, by driver name (driver_name label value) and across all drivers (special value <any> for driver_name). Note that the sum of all by-driver counts is not the total number of in-use ResourceClaims because the same ResourceClaim might use devices from different drivers. Instead, use the count for the <any> driver_name.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">driver_name</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">endpoint_slice_controller_changes</div>
 	<div class="metric_help">Number of EndpointSlice changes</div>
 	<ul>
@@ -1640,7 +1724,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">etcd_lease_object_counts</div>
 	<div class="metric_help">Number of objects attached to a single etcd lease.</div>
@@ -1654,21 +1738,21 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">operation</span><span class="metric_label">type</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">operation</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">etcd_request_errors_total</div>
 	<div class="metric_help">Etcd failed request counts for each operation and object type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">operation</span><span class="metric_label">type</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">operation</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">etcd_requests_total</div>
 	<div class="metric_help">Etcd request counts for each operation and object type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">operation</span><span class="metric_label">type</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">operation</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">etcd_version_info</div>
 	<div class="metric_help">Etcd server's binary version</div>
@@ -1922,6 +2006,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">boundary</span><span class="metric_label">scope</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_container_aligned_compute_resources_failure_count</div>
+	<div class="metric_help">Cumulative number of failures to allocate aligned compute resources to containers by alignment type.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">boundary</span><span class="metric_label">scope</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_container_log_filesystem_used_bytes</div>
 	<div class="metric_help">Bytes used by the container's logs on the filesystem.</div>
 	<ul>
@@ -1929,6 +2020,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">uid</span><span class="metric_label">namespace</span><span class="metric_label">pod</span><span class="metric_label">container</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_container_requested_resizes_total</div>
+	<div class="metric_help">Number of requested resizes, counted at the container level. Different resources on the same container are counted separately. The 'requirement' label refers to 'memory' or 'limits'; the 'operation' label can be one of 'add', 'remove', 'increase' or 'decrease'.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">operation</span><span class="metric_label">requirement</span><span class="metric_label">resource</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_containers_per_pod_count</div>
 	<div class="metric_help">The number of containers per pod.</div>
 	<ul>
@@ -1936,6 +2034,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_cpu_manager_allocation_per_numa</div>
+	<div class="metric_help">Number of CPUs allocated per NUMA node</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">numa_node</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_cpu_manager_exclusive_cpu_allocation_count</div>
 	<div class="metric_help">The total number of CPUs exclusively allocated to containers running on this node</div>
 	<ul>
@@ -1964,6 +2069,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_credential_provider_config_info</div>
+	<div class="metric_help">Information about the last applied credential provider configuration with hash as label</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">hash</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_credential_provider_plugin_duration</div>
 	<div class="metric_help">Duration of execution in seconds for credential provider plugin</div>
 	<ul>
@@ -1971,13 +2083,20 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">plugin_name</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">kubelet_credential_provider_plugin_errors</div>
+	<div class="metric_name">kubelet_credential_provider_plugin_errors_total</div>
 	<div class="metric_help">Number of errors from credential provider plugin</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">plugin_name</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_cri_losing_support</div>
+	<div class="metric_help">the Kubernetes version that the currently running CRI implementation will lose support on if not upgraded.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">version</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_desired_pods</div>
 	<div class="metric_help">The number of pods the kubelet is being instructed to run. static is true if the pod is not from the apiserver.</div>
 	<ul>
@@ -2083,6 +2202,27 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">image_size_in_bytes</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_image_volume_mounted_errors_total</div>
+	<div class="metric_help">Number of failed image volume mounts.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_image_volume_mounted_succeed_total</div>
+	<div class="metric_help">Number of successful image volume mounts.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_image_volume_requested_total</div>
+	<div class="metric_help">Number of requested image volumes.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_lifecycle_handler_http_fallbacks_total</div>
 	<div class="metric_help">The number of times lifecycle handlers successfully fell back to http from https.</div>
 	<ul>
@@ -2209,6 +2349,41 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_pod_deferred_accepted_resizes_total</div>
+	<div class="metric_help">Cumulative number of resizes that were accepted after being deferred.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">retry_trigger</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_pod_in_progress_resizes</div>
+	<div class="metric_help">Number of in-progress resizes for pods.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_pod_infeasible_resizes_total</div>
+	<div class="metric_help">Number of infeasible resizes for pods.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">reason_detail</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_pod_pending_resizes</div>
+	<div class="metric_help">Number of pending resizes for pods.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">reason</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_pod_resize_duration_milliseconds</div>
+	<div class="metric_help">Duration in milliseconds to actuate a pod resize</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">success</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_pod_resources_endpoint_errors_get</div>
 	<div class="metric_help">Number of requests to the PodResource Get endpoint which returned error. Broken down by server api version.</div>
 	<ul>
@@ -2419,6 +2594,20 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_started_user_namespaced_pods_errors_total</div>
+	<div class="metric_help">Cumulative number of errors when starting pods with user namespaces. This metric will only be collected on Linux.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubelet_started_user_namespaced_pods_total</div>
+	<div class="metric_help">Cumulative number of pods with user namespaces started. This metric will only be collected on Linux.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	</ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubelet_topology_manager_admission_duration_ms</div>
 	<div class="metric_help">Duration in milliseconds to serve a pod admission request.</div>
 	<ul>
@@ -2503,6 +2692,20 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">config</span><span class="metric_label">lifecycle</span><span class="metric_label">static</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubeproxy_conntrack_reconciler_deleted_entries_total</div>
+	<div class="metric_help">Cumulative conntrack flows deleted by conntrack reconciler</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">kubeproxy_conntrack_reconciler_sync_duration_seconds</div>
+	<div class="metric_help">ReconcileConntrackFlowsLatency latency in seconds</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_iptables_ct_state_invalid_dropped_packets_total</div>
 	<div class="metric_help">packets dropped by iptables to work around conntrack problems</div>
 	<ul>
@@ -2522,7 +2725,7 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_proxy_healthz_total</div>
 	<div class="metric_help">Cumulative proxy healthz HTTP status</div>
@@ -2543,21 +2746,21 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_partial_proxy_rules_duration_seconds</div>
 	<div class="metric_help">SyncProxyRules latency in seconds for partial resyncs</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_duration_seconds</div>
 	<div class="metric_help">SyncProxyRules latency in seconds</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_endpoint_changes_pending</div>
 	<div class="metric_help">Pending proxy rules Endpoint changes</div>
@@ -2578,63 +2781,63 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">table</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span><span class="metric_label">table</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_iptables_partial_restore_failures_total</div>
 	<div class="metric_help">Cumulative proxy iptables partial restore failures</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_iptables_restore_failures_total</div>
 	<div class="metric_help">Cumulative proxy iptables restore failures</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_iptables_total</div>
 	<div class="metric_help">Total number of iptables rules owned by kube-proxy</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">table</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span><span class="metric_label">table</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_last_queued_timestamp_seconds</div>
 	<div class="metric_help">The last time a sync of proxy rules was queued</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_last_timestamp_seconds</div>
 	<div class="metric_help">The last time proxy rules were successfully synced</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_nftables_cleanup_failures_total</div>
 	<div class="metric_help">Cumulative proxy nftables cleanup failures</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_nftables_sync_failures_total</div>
 	<div class="metric_help">Cumulative proxy nftables sync failures</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_no_local_endpoints_total</div>
 	<div class="metric_help">Number of services with a Local traffic policy and no endpoints</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">traffic_policy</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">ip_family</span><span class="metric_label">traffic_policy</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">kubeproxy_sync_proxy_rules_service_changes_pending</div>
 	<div class="metric_help">Pending proxy rules Service changes</div>
@@ -2825,13 +3028,6 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">container</span><span class="metric_label">namespace</span><span class="metric_label">pod</span><span class="metric_label">probe_type</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">prober_probe_total</div>
-	<div class="metric_help">Cumulative number of a liveness, readiness or startup probe for a container by result.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">container</span><span class="metric_label">namespace</span><span class="metric_label">pod</span><span class="metric_label">pod_uid</span><span class="metric_label">probe_type</span><span class="metric_label">result</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">pv_collector_bound_pv_count</div>
 	<div class="metric_help">Gauge measuring number of persistent volume currently bound</div>
 	<ul>
@@ -2888,33 +3084,19 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">resourceclaim_controller_allocated_resource_claims</div>
-	<div class="metric_help">Number of allocated ResourceClaims</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	</ul>
-	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">resourceclaim_controller_create_attempts_total</div>
-	<div class="metric_help">Number of ResourceClaims creation requests</div>
+	<div class="metric_name">resourceclaim_controller_creates_total</div>
+	<div class="metric_help">Number of ResourceClaims creation requests, categorized by creation status and admin access</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
-	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">resourceclaim_controller_create_failures_total</div>
-	<div class="metric_help">Number of ResourceClaims creation request failures</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	</ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">admin_access</span><span class="metric_label">status</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">resourceclaim_controller_resource_claims</div>
-	<div class="metric_help">Number of ResourceClaims</div>
+	<div class="metric_help">Number of ResourceClaims, categorized by allocation status and admin access</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	</ul>
+	<li data-type="custom"><label class="metric_detail">Type:</label> <span class="metric_type">Custom</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">allocated</span><span class="metric_label">admin_access</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">rest_client_dns_resolution_duration_seconds</div>
 	<div class="metric_help">DNS resolver latency in seconds. Broken down by host.</div>
@@ -3035,6 +3217,27 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">manager</span><span class="metric_label">name</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">scheduler_async_api_call_execution_duration_seconds</div>
+	<div class="metric_help">Duration in seconds for executing API call in the async dispatcher.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">call_type</span><span class="metric_label">result</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">scheduler_async_api_call_execution_total</div>
+	<div class="metric_help">Total number of API calls executed by the async dispatcher.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">call_type</span><span class="metric_label">result</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">scheduler_cache_size</div>
+	<div class="metric_help">Number of nodes, pods, and assumed (bound) pods in the scheduler cache.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">type</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">scheduler_event_handling_duration_seconds</div>
 	<div class="metric_help">Event handling latency in seconds.</div>
 	<ul>
@@ -3056,6 +3259,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">event</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">scheduler_pending_async_api_calls</div>
+	<div class="metric_help">Number of API calls currently pending in the async queue.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">call_type</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">scheduler_permit_wait_duration_seconds</div>
 	<div class="metric_help">Duration of waiting on permit.</div>
 	<ul>
@@ -3098,13 +3308,6 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">event</span><span class="metric_label">hint</span><span class="metric_label">plugin</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
-	<div class="metric_name">scheduler_scheduler_cache_size</div>
-	<div class="metric_help">Number of nodes, pods, and assumed (bound) pods in the scheduler cache.</div>
-	<ul>
-	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
-	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">type</span></li></ul>
-	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">scheduler_scheduling_algorithm_duration_seconds</div>
 	<div class="metric_help">Scheduling algorithm latency in seconds</div>
 	<ul>
@@ -3252,6 +3455,13 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<li data-type="histogram"><label class="metric_detail">Type:</label> <span class="metric_type">Histogram</span></li>
 	</ul>
 	</div><div class="metric" data-stability="alpha">
+	<div class="metric_name">version_info</div>
+	<div class="metric_help">Provides the compatibility version info of the component. The component label is the name of the component, usually kube, but is relevant for aggregated-apiservers.</div>
+	<ul>
+	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
+	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">binary</span><span class="metric_label">component</span><span class="metric_label">emulation</span><span class="metric_label">min_compat</span></li></ul>
+	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">volume_manager_selinux_container_errors_total</div>
 	<div class="metric_help">Number of errors when kubelet cannot compute SELinux context for a container. Kubelet can't start such a Pod then and it will retry, therefore value of this metric may not represent the actual nr. of containers.</div>
 	<ul>
@@ -3327,21 +3537,21 @@ Alpha metrics do not have any API guarantees. These metrics must be used at your
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="gauge"><label class="metric_detail">Type:</label> <span class="metric_type">Gauge</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">watch_cache_capacity_decrease_total</div>
 	<div class="metric_help">Total number of watch cache capacity decrease events broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">watch_cache_capacity_increase_total</div>
 	<div class="metric_help">Total number of watch cache capacity increase events broken by resource type.</div>
 	<ul>
 	<li><label class="metric_detail">Stability Level:</label><span class="metric_stability_level">ALPHA</span></li>
 	<li data-type="counter"><label class="metric_detail">Type:</label> <span class="metric_type">Counter</span></li>
-	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">resource</span></li></ul>
+	<li class="metric_labels_varying"><label class="metric_detail">Labels:</label><span class="metric_label">group</span><span class="metric_label">resource</span></li></ul>
 	</div><div class="metric" data-stability="alpha">
 	<div class="metric_name">workqueue_adds_total</div>
 	<div class="metric_help">Total number of adds handled by workqueue</div>
diff --git a/test/instrumentation/testdata/stable-metrics-list.yaml b/test/instrumentation/testdata/stable-metrics-list.yaml
index 07b00802d2d97..502eceaad6349 100644
--- a/test/instrumentation/testdata/stable-metrics-list.yaml
+++ b/test/instrumentation/testdata/stable-metrics-list.yaml
@@ -183,6 +183,21 @@
   help: The count of hidden metrics.
   type: Counter
   stabilityLevel: BETA
+- name: image_volume_mounted_errors_total
+  subsystem: kubelet
+  help: Number of failed image volume mounts.
+  type: Counter
+  stabilityLevel: BETA
+- name: image_volume_mounted_succeed_total
+  subsystem: kubelet
+  help: Number of successful image volume mounts.
+  type: Counter
+  stabilityLevel: BETA
+- name: image_volume_requested_total
+  subsystem: kubelet
+  help: Number of requested image volumes.
+  type: Counter
+  stabilityLevel: BETA
 - name: feature_enabled
   namespace: kubernetes
   help: This metric records the data about the stage and enablement of a k8s feature.
@@ -416,6 +431,7 @@
     stored objects at the time of last check split by kind. In case of a fetching
     error, the value will be -1.'
   type: Gauge
+  deprecatedVersion: 1.34.0
   stabilityLevel: STABLE
   labels:
   - resource
diff --git a/test/integration/apimachinery/watch_restart_test.go b/test/integration/apimachinery/watch_restart_test.go
index c2c1b2f368e54..8701e97d49227 100644
--- a/test/integration/apimachinery/watch_restart_test.go
+++ b/test/integration/apimachinery/watch_restart_test.go
@@ -35,6 +35,7 @@ import (
 	watchtools "k8s.io/client-go/tools/watch"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/ktesting"
 )
 
 func noopNormalization(output []string) []string {
@@ -66,6 +67,8 @@ func TestWatchRestartsIfTimeoutNotReached(t *testing.T) {
 	// Has to be longer than 5 seconds
 	timeout := 30 * time.Second
 
+	logger, _ := ktesting.NewTestContext(t)
+
 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--min-request-timeout=7"}, framework.SharedEtcd())
 	defer server.TearDownFn()
 
@@ -199,7 +202,7 @@ func TestWatchRestartsIfTimeoutNotReached(t *testing.T) {
 				// since the watcher is driven by an informer it is crucial to start producing only after the informer has synced
 				// otherwise we might not get all expected events since the informer LIST (or watchelist) and only then WATCHES
 				// all events received during the initial LIST (or watchlist) will be seen as a single event (to most recent version of an obj)
-				_, informer, w, done := watchtools.NewIndexerInformerWatcher(lw, &corev1.Secret{})
+				_, informer, w, done := watchtools.NewIndexerInformerWatcherWithLogger(logger, lw, &corev1.Secret{})
 				cache.WaitForCacheSync(context.TODO().Done(), informer.HasSynced)
 				return w, nil, func() { <-done }
 			},
diff --git a/test/integration/apiserver/admissionwebhook/match_conditions_test.go b/test/integration/apiserver/admissionwebhook/match_conditions_test.go
index f79f158863d30..a0d714b7cf241 100644
--- a/test/integration/apiserver/admissionwebhook/match_conditions_test.go
+++ b/test/integration/apiserver/admissionwebhook/match_conditions_test.go
@@ -37,10 +37,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
-	genericfeatures "k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/test/integration/framework"
 )
@@ -568,327 +565,7 @@ func TestMatchConditions(t *testing.T) {
 	}
 }
 
-func TestMatchConditionsWithoutStrictCostEnforcement(t *testing.T) {
-	testcases := []struct {
-		name            string
-		matchConditions []admissionregistrationv1.MatchCondition
-		pods            []*corev1.Pod
-		matchedPods     []*corev1.Pod
-		expectErrorPod  bool
-		failPolicy      *admissionregistrationv1.FailurePolicyType
-		errMessage      string
-	}{
-		{
-			name: "without strict cost enforcement: Authz check does not exceed per call limit",
-			matchConditions: []admissionregistrationv1.MatchCondition{
-				{
-					Name:       "test1",
-					Expression: "authorizer.group('').resource('pods').name('test1').check('create').allowed() && authorizer.group('').resource('pods').name('test1').check('create').allowed() && authorizer.group('').resource('pods').name('test1').check('create').allowed()",
-				},
-			},
-			pods: []*corev1.Pod{
-				matchConditionsTestPod("test1", "kube-system"),
-			},
-			matchedPods: []*corev1.Pod{
-				matchConditionsTestPod("test1", "kube-system"),
-			},
-			expectErrorPod: false,
-		},
-		{
-			name:            "without strict cost enforcement: Authz check does not exceed overall cost limit",
-			matchConditions: generateMatchConditionsWithAuthzCheck(8, "authorizer.group('').resource('pods').name('test1').check('create').allowed() && authorizer.group('').resource('pods').name('test1').check('create').allowed()"),
-			pods: []*corev1.Pod{
-				matchConditionsTestPod("test1", "kube-system"),
-			},
-			matchedPods: []*corev1.Pod{
-				matchConditionsTestPod("test1", "kube-system"),
-			},
-			expectErrorPod: false,
-		},
-	}
-
-	roots := x509.NewCertPool()
-	if !roots.AppendCertsFromPEM(localhostCert) {
-		t.Fatal("Failed to append Cert from PEM")
-	}
-	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
-	if err != nil {
-		t.Fatalf("Failed to build cert with error: %+v", err)
-	}
-
-	recorder := &admissionRecorder{requests: []*admissionv1.AdmissionRequest{}}
-
-	webhookServer := httptest.NewUnstartedServer(newMatchConditionHandler(recorder))
-	webhookServer.TLS = &tls.Config{
-		RootCAs:      roots,
-		Certificates: []tls.Certificate{cert},
-	}
-	webhookServer.StartTLS()
-	defer webhookServer.Close()
-
-	dryRunCreate := metav1.CreateOptions{
-		DryRun: []string{metav1.DryRunAll},
-	}
-
-	for _, testcase := range testcases {
-		t.Run(testcase.name, func(t *testing.T) {
-			upCh := recorder.Reset()
-			server, err := apiservertesting.StartTestServer(t, nil, []string{
-				"--emulated-version", "1.31",
-				"--feature-gates", "StrictCostEnforcementForWebhooks=false",
-				"--disable-admission-plugins=ServiceAccount",
-			}, framework.SharedEtcd())
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer server.TearDownFn()
-
-			config := server.ClientConfig
-
-			client, err := clientset.NewForConfig(config)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// Write markers to a separate namespace to avoid cross-talk
-			markerNs := "marker"
-			_, err = client.CoreV1().Namespaces().Create(context.TODO(), &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: markerNs}}, metav1.CreateOptions{})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// Create a marker object to use to check for the webhook configurations to be ready.
-			marker, err := client.CoreV1().Pods(markerNs).Create(context.TODO(), newMarkerPod(markerNs), metav1.CreateOptions{})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			endpoint := webhookServer.URL
-			markerEndpoint := webhookServer.URL + "/marker"
-			validatingwebhook := &admissionregistrationv1.ValidatingWebhookConfiguration{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "admission.integration.test",
-				},
-				Webhooks: []admissionregistrationv1.ValidatingWebhook{
-					{
-						Name: "admission.integration.test",
-						Rules: []admissionregistrationv1.RuleWithOperations{{
-							Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
-							Rule: admissionregistrationv1.Rule{
-								APIGroups:   []string{""},
-								APIVersions: []string{"v1"},
-								Resources:   []string{"pods"},
-							},
-						}},
-						ClientConfig: admissionregistrationv1.WebhookClientConfig{
-							URL:      &endpoint,
-							CABundle: localhostCert,
-						},
-						// ignore pods in the marker namespace
-						NamespaceSelector: &metav1.LabelSelector{
-							MatchExpressions: []metav1.LabelSelectorRequirement{
-								{
-									Key:      corev1.LabelMetadataName,
-									Operator: metav1.LabelSelectorOpNotIn,
-									Values:   []string{"marker"},
-								},
-							}},
-						FailurePolicy:           testcase.failPolicy,
-						SideEffects:             &noSideEffects,
-						AdmissionReviewVersions: []string{"v1"},
-						MatchConditions:         testcase.matchConditions,
-					},
-					{
-						Name: "admission.integration.test.marker",
-						Rules: []admissionregistrationv1.RuleWithOperations{{
-							Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
-							Rule:       admissionregistrationv1.Rule{APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods"}},
-						}},
-						ClientConfig: admissionregistrationv1.WebhookClientConfig{
-							URL:      &markerEndpoint,
-							CABundle: localhostCert,
-						},
-						NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
-							corev1.LabelMetadataName: "marker",
-						}},
-						ObjectSelector:          &metav1.LabelSelector{MatchLabels: map[string]string{"marker": "true"}},
-						FailurePolicy:           testcase.failPolicy,
-						SideEffects:             &noSideEffects,
-						AdmissionReviewVersions: []string{"v1"},
-					},
-				},
-			}
-
-			validatingcfg, err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), validatingwebhook, metav1.CreateOptions{})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			vhwHasBeenCleanedUp := false
-			defer func() {
-				if !vhwHasBeenCleanedUp {
-					err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), validatingcfg.GetName(), metav1.DeleteOptions{})
-					if err != nil {
-						t.Fatal(err)
-					}
-				}
-			}()
-
-			// wait until new webhook is called the first time
-			if err := wait.PollUntilContextTimeout(context.Background(), time.Millisecond*5, wait.ForeverTestTimeout, true, func(_ context.Context) (bool, error) {
-				_, err = client.CoreV1().Pods(markerNs).Patch(context.TODO(), marker.Name, types.JSONPatchType, []byte("[]"), metav1.PatchOptions{})
-				select {
-				case <-upCh:
-					return true, nil
-				default:
-					t.Logf("Waiting for webhook to become effective, getting marker object: %v", err)
-					return false, nil
-				}
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			for _, pod := range testcase.pods {
-				_, err := client.CoreV1().Pods(pod.Namespace).Create(context.TODO(), pod, dryRunCreate)
-				if !testcase.expectErrorPod && err != nil {
-					t.Fatalf("unexpected error creating test pod: %v", err)
-				} else if testcase.expectErrorPod && err == nil {
-					t.Fatal("expected error creating pods")
-				} else if testcase.expectErrorPod && err != nil && !strings.Contains(err.Error(), testcase.errMessage) {
-					t.Fatalf("expected error message includes: %v, but get %v", testcase.errMessage, err)
-				}
-			}
-
-			if len(recorder.requests) != len(testcase.matchedPods) {
-				t.Errorf("unexpected requests %v, expected %v", recorder.requests, testcase.matchedPods)
-			}
-
-			for i, request := range recorder.requests {
-				if request.Name != testcase.matchedPods[i].Name {
-					t.Errorf("unexpected pod name %v, expected %v", request.Name, testcase.matchedPods[i].Name)
-				}
-				if request.Namespace != testcase.matchedPods[i].Namespace {
-					t.Errorf("unexpected pod namespace %v, expected %v", request.Namespace, testcase.matchedPods[i].Namespace)
-				}
-			}
-
-			// Reset and rerun against mutating webhook configuration
-			// TODO: private helper function for validation after creating vwh or mwh
-			upCh = recorder.Reset()
-			err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.TODO(), validatingcfg.GetName(), metav1.DeleteOptions{})
-			if err != nil {
-				t.Fatal(err)
-			} else {
-				vhwHasBeenCleanedUp = true
-			}
-
-			mutatingwebhook := &admissionregistrationv1.MutatingWebhookConfiguration{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "admission.integration.test",
-				},
-				Webhooks: []admissionregistrationv1.MutatingWebhook{
-					{
-						Name: "admission.integration.test",
-						Rules: []admissionregistrationv1.RuleWithOperations{{
-							Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
-							Rule: admissionregistrationv1.Rule{
-								APIGroups:   []string{""},
-								APIVersions: []string{"v1"},
-								Resources:   []string{"pods"},
-							},
-						}},
-						ClientConfig: admissionregistrationv1.WebhookClientConfig{
-							URL:      &endpoint,
-							CABundle: localhostCert,
-						},
-						// ignore pods in the marker namespace
-						NamespaceSelector: &metav1.LabelSelector{
-							MatchExpressions: []metav1.LabelSelectorRequirement{
-								{
-									Key:      corev1.LabelMetadataName,
-									Operator: metav1.LabelSelectorOpNotIn,
-									Values:   []string{"marker"},
-								},
-							}},
-						FailurePolicy:           testcase.failPolicy,
-						SideEffects:             &noSideEffects,
-						AdmissionReviewVersions: []string{"v1"},
-						MatchConditions:         testcase.matchConditions,
-					},
-					{
-						Name: "admission.integration.test.marker",
-						Rules: []admissionregistrationv1.RuleWithOperations{{
-							Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
-							Rule:       admissionregistrationv1.Rule{APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods"}},
-						}},
-						ClientConfig: admissionregistrationv1.WebhookClientConfig{
-							URL:      &markerEndpoint,
-							CABundle: localhostCert,
-						},
-						NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{
-							corev1.LabelMetadataName: "marker",
-						}},
-						ObjectSelector:          &metav1.LabelSelector{MatchLabels: map[string]string{"marker": "true"}},
-						FailurePolicy:           testcase.failPolicy,
-						SideEffects:             &noSideEffects,
-						AdmissionReviewVersions: []string{"v1"},
-					},
-				},
-			}
-
-			mutatingcfg, err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.TODO(), mutatingwebhook, metav1.CreateOptions{})
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer func() {
-				err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Delete(context.TODO(), mutatingcfg.GetName(), metav1.DeleteOptions{})
-				if err != nil {
-					t.Fatal(err)
-				}
-			}()
-
-			// wait until new webhook is called the first time
-			if err := wait.PollUntilContextTimeout(context.Background(), time.Millisecond*5, wait.ForeverTestTimeout, true, func(_ context.Context) (bool, error) {
-				_, err = client.CoreV1().Pods(markerNs).Patch(context.TODO(), marker.Name, types.JSONPatchType, []byte("[]"), metav1.PatchOptions{})
-				select {
-				case <-upCh:
-					return true, nil
-				default:
-					t.Logf("Waiting for webhook to become effective, getting marker object: %v", err)
-					return false, nil
-				}
-			}); err != nil {
-				t.Fatal(err)
-			}
-
-			for _, pod := range testcase.pods {
-				_, err = client.CoreV1().Pods(pod.Namespace).Create(context.TODO(), pod, dryRunCreate)
-				if testcase.expectErrorPod == false && err != nil {
-					t.Fatalf("unexpected error creating test pod: %v", err)
-				} else if testcase.expectErrorPod == true && err == nil {
-					t.Fatal("expected error creating pods")
-				}
-			}
-
-			if len(recorder.requests) != len(testcase.matchedPods) {
-				t.Errorf("unexpected requests %v, expected %v", recorder.requests, testcase.matchedPods)
-			}
-
-			for i, request := range recorder.requests {
-				if request.Name != testcase.matchedPods[i].Name {
-					t.Errorf("unexpected pod name %v, expected %v", request.Name, testcase.matchedPods[i].Name)
-				}
-				if request.Namespace != testcase.matchedPods[i].Namespace {
-					t.Errorf("unexpected pod namespace %v, expected %v", request.Namespace, testcase.matchedPods[i].Namespace)
-				}
-			}
-		})
-	}
-}
-
 func TestMatchConditionsWithStrictCostEnforcement(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.StrictCostEnforcementForWebhooks, true)
-
 	testcases := []struct {
 		name            string
 		matchConditions []admissionregistrationv1.MatchCondition
diff --git a/test/integration/apiserver/apiserver_test.go b/test/integration/apiserver/apiserver_test.go
index 9cbcebd401f17..5e72a6a6e5440 100644
--- a/test/integration/apiserver/apiserver_test.go
+++ b/test/integration/apiserver/apiserver_test.go
@@ -1705,8 +1705,10 @@ func TestGetScaleSubresourceAsTableForAllBuiltins(t *testing.T) {
 	// Enable all features and apis for testing
 	flags := framework.DefaultTestServerFlags()
 	flags = append(flags, "--runtime-config=api/all=true")
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllAlpha": true,
+		"AllBeta":  true,
+	})
 
 	testNamespace := "test-scale"
 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, flags, framework.SharedEtcd())
@@ -3209,6 +3211,20 @@ func TestEmulatedStorageVersion(t *testing.T) {
 				Version: "v1",
 			},
 		},
+		{
+			name:            "vap before ga release",
+			emulatedVersion: "1.30",
+			gvr: schema.GroupVersionResource{
+				Group:    "admissionregistration.k8s.io",
+				Version:  "v1beta1",
+				Resource: "validatingadmissionpolicies",
+			},
+			object: validVap,
+			expectedStorageVersion: schema.GroupVersion{
+				Group:   "admissionregistration.k8s.io",
+				Version: "v1beta1",
+			},
+		},
 	}
 
 	// Group cases by their emulated version
@@ -3315,6 +3331,180 @@ func TestEmulatedStorageVersion(t *testing.T) {
 	}
 }
 
+func TestMinCompatibilityStorageVersion(t *testing.T) {
+	validVap := &admissionregistrationv1.ValidatingAdmissionPolicy{
+		Spec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+			MatchConstraints: &admissionregistrationv1.MatchResources{
+				ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
+					{
+						ResourceNames: []string{"foo"},
+						RuleWithOperations: admissionregistrationv1.RuleWithOperations{
+							Operations: []admissionregistrationv1.OperationType{"CREATE"},
+							Rule: admissionregistrationv1.Rule{
+								APIGroups:   []string{"*"},
+								APIVersions: []string{"*"},
+								Resources:   []string{"*"},
+							},
+						},
+					},
+				},
+			},
+			Validations: []admissionregistrationv1.Validation{
+				{
+					Expression: "true",
+					Message:    "always valid",
+				},
+			},
+		},
+	}
+
+	type testCase struct {
+		name                    string
+		minCompatibilityVersion string
+		gvr                     schema.GroupVersionResource
+		object                  runtime.Object
+		expectedStorageVersion  schema.GroupVersion
+	}
+	cases := []testCase{
+		{
+			name:                    "vap after ga release",
+			minCompatibilityVersion: "1.31",
+			gvr: schema.GroupVersionResource{
+				Group:    "admissionregistration.k8s.io",
+				Version:  "v1beta1",
+				Resource: "validatingadmissionpolicies",
+			},
+			object: validVap,
+			expectedStorageVersion: schema.GroupVersion{
+				Group:   "admissionregistration.k8s.io",
+				Version: "v1",
+			},
+		},
+		{
+			name:                    "vap before ga release",
+			minCompatibilityVersion: "1.29",
+			gvr: schema.GroupVersionResource{
+				Group:    "admissionregistration.k8s.io",
+				Version:  "v1beta1",
+				Resource: "validatingadmissionpolicies",
+			},
+			object: validVap,
+			expectedStorageVersion: schema.GroupVersion{
+				Group:   "admissionregistration.k8s.io",
+				Version: "v1beta1",
+			},
+		},
+	}
+
+	// Group cases by their min compatibility version
+	groupedCases := map[string][]testCase{}
+	for _, c := range cases {
+		groupedCases[c.minCompatibilityVersion] = append(groupedCases[c.minCompatibilityVersion], c)
+	}
+
+	for minCompatibilityVersion, cases := range groupedCases {
+		t.Run(minCompatibilityVersion, func(t *testing.T) {
+			server := kubeapiservertesting.StartTestServerOrDie(
+				t, nil, []string{
+					"--emulated-version=kube=1.33", // admissionregistration.k8s.io/v1beta1 is removed at 1.34
+					"--min-compatibility-version=kube=" + minCompatibilityVersion,
+					`--storage-media-type=application/json`,
+					fmt.Sprintf("--runtime-config=%s=true", admissionregistrationv1beta1.SchemeGroupVersion),
+				}, framework.SharedEtcd())
+			defer server.TearDownFn()
+
+			client := clientset.NewForConfigOrDie(server.ClientConfig)
+			dynamicClient := dynamic.NewForConfigOrDie(server.ClientConfig)
+
+			// create test namespace
+			testNamespace := "test-min-compatibility-storage-version"
+			_, err := client.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: testNamespace,
+				},
+			}, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("failed to create test ns: %v", err)
+			}
+
+			restMapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(client.Discovery()))
+
+			for i, c := range cases {
+				t.Run(c.name, func(t *testing.T) {
+					gvk, err := restMapper.KindFor(c.gvr)
+					if err != nil {
+						t.Fatalf("failed to get GVK: %v", err)
+					}
+					c.object.GetObjectKind().SetGroupVersionKind(gvk)
+
+					mapping, err := restMapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+					if err != nil {
+						t.Fatalf("failed to get RESTMapping: %v", err)
+					} else if mapping.Resource != c.gvr {
+						t.Fatalf("expected resource %v, got %v", c.gvr, mapping.Resource)
+					}
+
+					asUnstructured, err := runtime.DefaultUnstructuredConverter.ToUnstructured(c.object)
+					if err != nil {
+						t.Fatalf("failed to convert object to unstructured: %v", err)
+					}
+
+					uns := &unstructured.Unstructured{
+						Object: asUnstructured,
+					}
+					uns.SetName(fmt.Sprintf("test-object%d", i))
+
+					ns := testNamespace
+					if mapping.Scope.Name() == meta.RESTScopeNameRoot {
+						ns = ""
+					}
+
+					// create object
+					created, err := dynamicClient.Resource(c.gvr).Namespace(ns).Create(context.TODO(), uns, metav1.CreateOptions{})
+					if err != nil {
+						t.Fatalf("failed to create object: %v", err)
+					}
+
+					// Fetch object from ETCD
+					// Use this poor man's way to get the etcd path. This wont
+					// work for all resources, but should work for most we want
+					// to test against
+					resourcePrefix := mapping.Resource.Resource
+					if special, ok := kubeapiserver.SpecialDefaultResourcePrefixes[c.gvr.GroupResource()]; ok {
+						resourcePrefix = special
+					}
+					etcdPathComponents := []string{
+						"/",
+						server.EtcdStoragePrefix,
+						resourcePrefix,
+					}
+
+					if len(ns) > 0 {
+						etcdPathComponents = append(etcdPathComponents, ns)
+					}
+					etcdPathComponents = append(etcdPathComponents, created.GetName())
+					etcdPath := path.Join(etcdPathComponents...)
+					fetched, err := server.EtcdClient.Get(context.TODO(), etcdPath)
+					if err != nil {
+						t.Fatalf("failed to fetch object from etcd: %v", err)
+					} else if fetched.More || fetched.Count != 1 || len(fetched.Kvs) != 1 {
+						t.Fatalf("unexpected fetched response: %v", fetched)
+					}
+
+					storedObject := &metav1.PartialObjectMetadata{}
+					err = json.Unmarshal(fetched.Kvs[0].Value, storedObject)
+
+					if err != nil {
+						t.Fatalf("failed to decode object: %v", err)
+					} else if storedObject.GroupVersionKind().GroupVersion() != c.expectedStorageVersion {
+						t.Fatalf("expected storage version %s, got %s", c.expectedStorageVersion.String(), storedObject.GroupVersionKind().GroupVersion().String())
+					}
+				})
+			}
+		})
+	}
+}
+
 // TestAllowedEmulationVersions tests the TestServer can start without problem for all allowed emulation versions.
 func TestAllowedEmulationVersions(t *testing.T) {
 	tcs := []struct {
@@ -3385,10 +3575,6 @@ func TestEnableEmulationVersion(t *testing.T) {
 			path:               "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas",
 			expectedStatusCode: 200,
 		},
-		{
-			path:               "/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas", // introduced at 1.26, removed at 1.32
-			expectedStatusCode: 200,
-		},
 		{
 			path:               "/apis/networking.k8s.io/v1beta1/servicecidrs", // introduced at 1.31, removed at 1.34
 			expectedStatusCode: 200,
@@ -3447,10 +3633,6 @@ func TestEnableEmulationVersionForwardCompatible(t *testing.T) {
 			path:               "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas",
 			expectedStatusCode: 200,
 		},
-		{
-			path:               "/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas", // introduced at 1.26, removed at 1.32
-			expectedStatusCode: 200,
-		},
 		{
 			path:               "/apis/networking.k8s.io/v1beta1/servicecidrs", // introduced at 1.31, removed at 1.34
 			expectedStatusCode: 200,
@@ -3509,10 +3691,6 @@ func TestEnableRuntimeConfigEmulationVersionForwardCompatible(t *testing.T) {
 			path:               "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas",
 			expectedStatusCode: 200,
 		},
-		{
-			path:               "/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas", // introduced at 1.26, removed at 1.32
-			expectedStatusCode: 200,
-		},
 		{
 			path:               "/apis/networking.k8s.io/v1beta1/servicecidrs", // introduced at 1.31, removed at 1.34
 			expectedStatusCode: 200,
@@ -3544,9 +3722,9 @@ func TestEnableRuntimeConfigEmulationVersionForwardCompatible(t *testing.T) {
 }
 
 func TestDisableEmulationVersion(t *testing.T) {
-	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 	server := kubeapiservertesting.StartTestServerOrDie(t,
-		&kubeapiservertesting.TestServerInstanceOptions{BinaryVersion: "1.32"},
+		&kubeapiservertesting.TestServerInstanceOptions{BinaryVersion: "1.34"},
 		[]string{}, framework.SharedEtcd())
 	defer server.TearDownFn()
 
@@ -3568,11 +3746,11 @@ func TestDisableEmulationVersion(t *testing.T) {
 			expectedStatusCode: 200,
 		},
 		{
-			path:               "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas",
+			path:               "/apis/networking.k8s.io/v1/servicecidrs",
 			expectedStatusCode: 200,
 		},
 		{
-			path:               "/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas", // introduced at 1.26, removed at 1.32
+			path:               "/apis/networking.k8s.io/v1beta1/servicecidrs", // introduced at 1.31, removed at 1.34
 			expectedStatusCode: 404,
 		},
 	}
@@ -3681,8 +3859,10 @@ func assertManagedFields(t *testing.T, obj *unstructured.Unstructured) {
 // TestDefaultStorageEncoding verifies that the storage encoding for all built-in resources is
 // Protobuf.
 func TestDefaultStorageEncoding(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllAlpha": true,
+		"AllBeta":  true,
+	})
 
 	protobufRecognizer := protobuf.NewSerializer(runtime.NewScheme(), runtime.NewScheme())
 	var recognizersByGroup map[string]recognizer.RecognizingDecoder
diff --git a/test/integration/apiserver/apply/apply_crd_beta_test.go b/test/integration/apiserver/apply/apply_crd_beta_test.go
index eb956d3511fe7..72e23f82f94aa 100644
--- a/test/integration/apiserver/apply/apply_crd_beta_test.go
+++ b/test/integration/apiserver/apply/apply_crd_beta_test.go
@@ -227,3 +227,82 @@ func nearlyRemovedBetaMultipleVersionNoxuCRD(scope apiextensionsv1beta1.Resource
 		},
 	}
 }
+
+func nearlyRemovedBetaMultipleVersionNoxuCRDWithStatus(scope apiextensionsv1beta1.ResourceScope) *apiextensionsv1beta1.CustomResourceDefinition {
+	return &apiextensionsv1beta1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{Name: "myresources.example.com"},
+		Spec: apiextensionsv1beta1.CustomResourceDefinitionSpec{
+			Group:   "example.com",
+			Version: "v1beta1",
+			Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
+				Plural:     "myresources",
+				Singular:   "myresource",
+				Kind:       "MyResource",
+				ShortNames: []string{"mr"},
+				ListKind:   "MyResourceList",
+			},
+			Scope: scope,
+			Versions: []apiextensionsv1beta1.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1beta1",
+					Served:  true,
+					Storage: false,
+					Schema: &apiextensionsv1beta1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+								"spec": {
+									Type: "object",
+									Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+										"a": {Type: "string"},
+										"b": {Type: "string"},
+									},
+								},
+								"status": {
+									Type: "object",
+									Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+										"a": {Type: "string"},
+									},
+								},
+							},
+						},
+					},
+					Subresources: &apiextensionsv1beta1.CustomResourceSubresources{
+						Status: &apiextensionsv1beta1.CustomResourceSubresourceStatus{},
+					},
+				},
+				{
+					Name:    "v1",
+					Served:  true,
+					Storage: true,
+					Schema: &apiextensionsv1beta1.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{
+							Type: "object",
+							Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+								"spec": {
+									Type: "object",
+									Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+										"a": {Type: "string"},
+										"b": {Type: "string"},
+									},
+								},
+								"status": {
+									Type: "object",
+									Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
+										"a": {Type: "string"},
+									},
+								},
+							},
+						},
+					},
+					Subresources: &apiextensionsv1beta1.CustomResourceSubresources{
+						Status: &apiextensionsv1beta1.CustomResourceSubresourceStatus{},
+					},
+				},
+			},
+			Subresources: &apiextensionsv1beta1.CustomResourceSubresources{
+				Status: &apiextensionsv1beta1.CustomResourceSubresourceStatus{},
+			},
+		},
+	}
+}
diff --git a/test/integration/apiserver/apply/apply_test.go b/test/integration/apiserver/apply/apply_test.go
index a4f2db15d7bea..941923c589198 100644
--- a/test/integration/apiserver/apply/apply_test.go
+++ b/test/integration/apiserver/apply/apply_test.go
@@ -976,7 +976,7 @@ func TestUpdateVeryLargeObject(t *testing.T) {
 		updateErr = err
 		return false, nil
 	})
-	if pollErr == wait.ErrWaitTimeout {
+	if wait.Interrupted(pollErr) {
 		t.Errorf("unable to update configMap: %v", updateErr)
 	}
 
diff --git a/test/integration/apiserver/apply/reset_fields_test.go b/test/integration/apiserver/apply/reset_fields_test.go
index 86a53619e5f45..f93dd6f51ca75 100644
--- a/test/integration/apiserver/apply/reset_fields_test.go
+++ b/test/integration/apiserver/apply/reset_fields_test.go
@@ -25,11 +25,14 @@ import (
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
+	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -321,6 +324,116 @@ func TestApplyResetFields(t *testing.T) {
 	}
 }
 
+// TestUpdateStatusWithOldVersion tests that apply with resetFields works correctly when updating
+// a custom resource's status subresource using an older API version while maintaining field ownership.
+func TestUpdateStatusWithOldVersion(t *testing.T) {
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), []string{"--disable-admission-plugins", "ServiceAccount,TaintNodesByCondition"}, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+
+	client, err := kubernetes.NewForConfig(server.ClientConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	apiExtensionClient, err := apiextensionsclientset.NewForConfig(server.ClientConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dynamicClient, err := dynamic.NewForConfig(server.ClientConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	noxuBetaDefinition := nearlyRemovedBetaMultipleVersionNoxuCRDWithStatus(apiextensionsv1beta1.NamespaceScoped)
+
+	noxuDefinition, err := fixtures.CreateCRDUsingRemovedAPI(server.EtcdClient, server.EtcdStoragePrefix, noxuBetaDefinition, apiExtensionClient, dynamicClient)
+	if err != nil {
+		t.Fatal(err)
+	}
+	kind := noxuDefinition.Spec.Names.Kind
+	apiVersion := noxuDefinition.Spec.Group + "/" + noxuDefinition.Spec.Versions[1].Name
+	name := "mytest"
+
+	rest := apiExtensionClient.Discovery().RESTClient()
+	// create namespace ns test
+	if _, err := client.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: resetFieldsNamespace}}, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create the resource using the v1 CRD API.
+	yamlBody := []byte(fmt.Sprintf(`
+apiVersion: %s
+kind: %s
+metadata:
+ name: %s
+ namespace: %s
+spec:
+ a: value-for-a
+ b: value-for-b`, apiVersion, kind, name, resetFieldsNamespace))
+	result, err := rest.Patch(types.ApplyPatchType).
+		AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Versions[1].Name, "/namespaces", resetFieldsNamespace, noxuDefinition.Spec.Names.Plural).
+		Name(name).
+		Param("fieldManager", "apply_test").
+		Body(yamlBody).
+		DoRaw(context.TODO())
+	if err != nil {
+		t.Fatalf("failed to create custom resource with apply: %v:\n%v", err, string(result))
+	}
+	t.Logf("result: %s", string(result))
+	oldManagedFields, err := getManagedFields(result)
+	if err != nil {
+		t.Fatalf("failed to get managed fields: %v", err)
+	}
+	// When updating the status subresource via the v1beta1 CRD API,
+	// we assign a value to the spec field for testing purposes.
+	// However, in this case, the operation should NOT trigger any field manager updates
+	// related to server-side apply tracking.
+	updateStatusBytes := []byte(`{
+  "spec": { "a": "value-for-a-update" },
+  "status": {
+    "a": "status-for-a"
+  }
+}`)
+	result, err = rest.Patch(types.MergePatchType).
+		AbsPath("/apis", noxuDefinition.Spec.Group, noxuDefinition.Spec.Versions[0].Name, "/namespaces", resetFieldsNamespace, noxuDefinition.Spec.Names.Plural).
+		Name(name).
+		SubResource("status").
+		Param("fieldManager", "subresource_test").
+		Body(updateStatusBytes).
+		DoRaw(context.TODO())
+	if err != nil {
+		t.Fatalf("Error updating subresource: %v ", err)
+	}
+	t.Logf("result: %s", string(result))
+	newManagedFields, err := getManagedFields(result)
+	if err != nil {
+		t.Fatalf("failed to get managed fields: %v", err)
+	}
+	// newManagedFields should include oldManagedFields
+	var applyManagerFound, subresourceManagerFound bool
+	for i, field := range newManagedFields {
+		if field.Manager == "apply_test" {
+			if !reflect.DeepEqual(newManagedFields[i], oldManagedFields[0]) {
+				t.Fatalf("Expected managed fields to not have changed when trying manually setting them via subresoures.\n\nExpected: %#v\n\nGot: %#v", oldManagedFields[0], newManagedFields[i])
+			}
+			applyManagerFound = true
+		}
+		if field.Manager == "subresource_test" {
+			subresourceManagerFound = true
+		}
+	}
+	if !applyManagerFound {
+		t.Errorf("expected field manager 'apply_test' to be present in newManagedFields")
+	}
+	if !subresourceManagerFound {
+		t.Errorf("expected field manager 'subresource_test' to be present in newManagedFields")
+	}
+
+}
+
 func expectConflict(objRet *unstructured.Unstructured, err error, dynamicClient dynamic.Interface, resource schema.GroupVersionResource, namespace, name string) error {
 	if err != nil && strings.Contains(err.Error(), "conflict") {
 		return nil
diff --git a/test/integration/apiserver/apply/status_test.go b/test/integration/apiserver/apply/status_test.go
index 15aee66dafaad..ba0e11337c9be 100644
--- a/test/integration/apiserver/apply/status_test.go
+++ b/test/integration/apiserver/apply/status_test.go
@@ -58,6 +58,7 @@ var statusData = map[schema.GroupVersionResource]string{
 	gvr("storage.k8s.io", "v1", "volumeattachments"):                `{"status": {"attached": true}}`,
 	gvr("policy", "v1", "poddisruptionbudgets"):                     `{"status": {"currentHealthy": 5}}`,
 	gvr("policy", "v1beta1", "poddisruptionbudgets"):                `{"status": {"currentHealthy": 5}}`,
+	gvr("resource.k8s.io", "v1alpha3", "devicetaintrules"):          `{"status": {"conditions": [{"type": "EvictionInProgress", "status": "True", "reason: "PodsLeft", "message: "100 pods left", "lastTransitionTime": "2020-01-01T00:00:00Z"}]}}`,
 	gvr("resource.k8s.io", "v1beta1", "resourceclaims"):             `{"status": {"allocation": {"nodeSelector": {"nodeSelectorTerms": [{"matchExpressions": [{"key": "some-label", "operator": "In", "values": ["some-value"]}] }]}}}}`,
 	gvr("resource.k8s.io", "v1beta2", "resourceclaims"):             `{"status": {"allocation": {"nodeSelector": {"nodeSelectorTerms": [{"matchExpressions": [{"key": "some-label", "operator": "In", "values": ["some-value"]}] }]}}}}`,
 	gvr("resource.k8s.io", "v1", "resourceclaims"):                  `{"status": {"allocation": {"nodeSelector": {"nodeSelectorTerms": [{"matchExpressions": [{"key": "some-label", "operator": "In", "values": ["some-value"]}] }]}}}}`,
diff --git a/test/integration/apiserver/cel/admission_policy_test.go b/test/integration/apiserver/cel/admission_policy_test.go
index 4c59fa6468f8e..d079a4cba138e 100644
--- a/test/integration/apiserver/cel/admission_policy_test.go
+++ b/test/integration/apiserver/cel/admission_policy_test.go
@@ -29,7 +29,9 @@ import (
 	v1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/version"
+	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -38,6 +40,7 @@ import (
 	admissionregistrationv1beta1apis "k8s.io/kubernetes/pkg/apis/admissionregistration/v1beta1"
 	"k8s.io/kubernetes/test/integration/etcd"
 	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/ktesting"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -568,8 +571,38 @@ func testPolicyAdmission(t *testing.T, supportV1Beta1 bool) {
 		}
 	}
 
-	// Allow the policy & binding to establish
-	time.Sleep(1 * time.Second)
+	testConfigmap := corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-k8s",
+		},
+	}
+	_, err = client.CoreV1().ConfigMaps(testNamespace).Create(context.TODO(), &testConfigmap, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, ctx := ktesting.NewTestContext(t)
+	// Try to patch the configmap and look for the warning message.
+	if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*100, time.Second*5, false, func(ctx context.Context) (bool, error) {
+		holder.reset(t)
+		_, err = client.CoreV1().ConfigMaps(testNamespace).Patch(ctx, testConfigmap.Name, types.JSONPatchType, []byte("[]"), metav1.PatchOptions{})
+		if err != nil {
+			return false, nil
+		}
+		for _, warning := range holder.warnings {
+			if strings.Contains(warning, beginSentinel) {
+				return true, nil
+			}
+		}
+		return false, nil
+	}); err != nil {
+		t.Errorf("timed out waiting policy and binding to establish: %v", err)
+	}
+
+	err = client.CoreV1().ConfigMaps(testNamespace).Delete(ctx, testConfigmap.Name, metav1.DeleteOptions{})
+	if err != nil {
+		t.Errorf("failed to delete ConfigMap with error: %+v", err)
+	}
 
 	start := time.Now()
 	count := 0
diff --git a/test/integration/apiserver/cel/typeresolution_test.go b/test/integration/apiserver/cel/typeresolution_test.go
index 9e294f81dcc0f..78e3265b2bd8f 100644
--- a/test/integration/apiserver/cel/typeresolution_test.go
+++ b/test/integration/apiserver/cel/typeresolution_test.go
@@ -376,7 +376,7 @@ func TestBuiltinResolution(t *testing.T) {
 // with the practical defaults.
 // `self` is defined as the object being evaluated against.
 func simpleCompileCEL(schema *spec.Schema, expression string) (cel.Program, error) {
-	env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true).Env(environment.NewExpressions)
+	env, err := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()).Env(environment.NewExpressions)
 	if err != nil {
 		return nil, err
 	}
diff --git a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go
index ecd5115d26140..e1e90e758a26a 100644
--- a/test/integration/apiserver/cel/validatingadmissionpolicy_test.go
+++ b/test/integration/apiserver/cel/validatingadmissionpolicy_test.go
@@ -36,10 +36,7 @@ import (
 	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
-	genericfeatures "k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/rest"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/ptr"
 
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
@@ -2126,7 +2123,6 @@ func Test_ValidatingAdmissionPolicy_ParamResourceDeletedThenRecreated(t *testing
 func Test_CostLimitForValidation(t *testing.T) {
 	resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval)
 	defer resetPolicyRefreshInterval()
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.StrictCostEnforcementForVAP, true)
 	server, err := apiservertesting.StartTestServer(t, nil, []string{
 		"--enable-admission-plugins", "ValidatingAdmissionPolicy",
 	}, framework.SharedEtcd())
@@ -2231,98 +2227,6 @@ func Test_CostLimitForValidation(t *testing.T) {
 	}
 }
 
-// Test_CostLimitForValidationWithFeatureDisabled tests the cost limit set for a ValidatingAdmissionPolicy
-// with StrictCostEnforcementForVAP feature disabled.
-func Test_CostLimitForValidationWithFeatureDisabled(t *testing.T) {
-	resetPolicyRefreshInterval := generic.SetPolicyRefreshIntervalForTests(policyRefreshInterval)
-	defer resetPolicyRefreshInterval()
-	server, err := apiservertesting.StartTestServer(t, nil, []string{
-		"--emulated-version", "1.31",
-		"--feature-gates", "StrictCostEnforcementForVAP=false",
-		"--enable-admission-plugins", "ValidatingAdmissionPolicy",
-	}, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-
-	config := server.ClientConfig
-	client, err := clientset.NewForConfig(config)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	testcases := []struct {
-		name          string
-		policy        *admissionregistrationv1.ValidatingAdmissionPolicy
-		err           string
-		failureReason metav1.StatusReason
-	}{
-		{
-			name: "Without StrictCostEnforcementForVAP: Single expression exceeds per call cost limit for native library",
-			policy: withValidations([]admissionregistrationv1.Validation{
-				{
-					Expression: "[1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(x, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(y, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z2, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z3, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z4, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z5, int('1'.find('[0-9]*')) < 100)))))))",
-				},
-			}, withFailurePolicy(admissionregistrationv1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))),
-			err:           "operation cancelled: actual cost limit exceeded",
-			failureReason: metav1.StatusReasonInvalid,
-		},
-		{
-			name: "Without StrictCostEnforcementForVAP: Expression does not exceed per call cost limit for extended library",
-			policy: withValidations([]admissionregistrationv1.Validation{
-				{
-
-					Expression: "authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed() && authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed() && authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed()",
-				},
-			}, withFailurePolicy(admissionregistrationv1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))),
-		},
-		{
-			name: "Without StrictCostEnforcementForVAP: Expression does not exceed per call cost limit for extended library in variables",
-			policy: withVariables([]admissionregistrationv1.Variable{
-				{
-					Name:       "authzCheck",
-					Expression: "authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed() && authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed() && authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed()",
-				},
-			}, withValidations([]admissionregistrationv1.Validation{
-				{
-					Expression: "variables.authzCheck",
-				},
-			}, withFailurePolicy(admissionregistrationv1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix"))))),
-		},
-		{
-			name:   "Without StrictCostEnforcementForVAP: Expression does not exceed per policy cost limit for extended library",
-			policy: withValidations(generateValidationsWithAuthzCheck(29, "authorizer.group('apps').resource('deployments').subresource('status').namespace('test').name('backend').check('create').allowed()"), withFailurePolicy(admissionregistrationv1.Fail, withNamespaceMatch(makePolicy("validate-namespace-suffix")))),
-		},
-	}
-	for i, testcase := range testcases {
-		t.Run(testcase.name, func(t *testing.T) {
-			policy := withWaitReadyConstraintAndExpression(testcase.policy)
-			if _, err := client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(context.TODO(), policy, metav1.CreateOptions{}); err != nil {
-				t.Fatal(err)
-			}
-			policyBinding := makeBinding("validate-namespace-suffix-binding", "validate-namespace-suffix", "")
-			if err := createAndWaitReady(t, client, policyBinding, nil); err != nil {
-				t.Fatal(err)
-			}
-
-			nsName := fmt.Sprintf("test-%d-k8s", i)
-			ns := &v1.Namespace{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: nsName,
-				},
-			}
-
-			_, err = client.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
-			checkExpectedError(t, err, testcase.err)
-			checkFailureReason(t, err, testcase.failureReason)
-			if err := cleanupPolicy(t, client, policy, policyBinding); err != nil {
-				t.Fatalf("error while cleaning up policy and its bindings: %v", err)
-			}
-		})
-	}
-}
-
 // generate n validation rules with provided expression
 func generateValidationsWithAuthzCheck(num int, exp string) []admissionregistrationv1.Validation {
 	var validations = make([]admissionregistrationv1.Validation, num)
diff --git a/test/integration/apiserver/coordinated_leader_election_test.go b/test/integration/apiserver/coordinated_leader_election_test.go
deleted file mode 100644
index 8523341bba6c1..0000000000000
--- a/test/integration/apiserver/coordinated_leader_election_test.go
+++ /dev/null
@@ -1,453 +0,0 @@
-/*
-Copyright 2024 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package apiserver
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	v1 "k8s.io/api/coordination/v1"
-	v1beta1 "k8s.io/api/coordination/v1beta1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/util/wait"
-	genericfeatures "k8s.io/apiserver/pkg/features"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	kubernetes "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/leaderelection"
-	"k8s.io/client-go/tools/leaderelection/resourcelock"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
-	"k8s.io/klog/v2"
-	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
-	"k8s.io/kubernetes/pkg/controlplane/apiserver"
-	"k8s.io/kubernetes/test/integration/framework"
-	"k8s.io/utils/ptr"
-)
-
-func TestSingleLeaseCandidate(t *testing.T) {
-	tests := []struct {
-		name                   string
-		preferredStrategy      v1.CoordinatedLeaseStrategy
-		expectedHolderIdentity *string
-	}{
-		{
-			name:                   "default strategy, has lease identity",
-			preferredStrategy:      v1.OldestEmulationVersion,
-			expectedHolderIdentity: ptr.To("foo1"),
-		},
-	}
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cletest := setupCLE(config, ctx, t)
-			defer cletest.cleanup()
-			go cletest.createAndRunFakeController("foo1", "default", "foo", "1.20.0", "1.20.0", tc.preferredStrategy)
-			cletest.pollForLease(ctx, "foo", "default", tc.expectedHolderIdentity)
-		})
-	}
-}
-
-func TestSingleLeaseCandidateUsingThirdPartyStrategy(t *testing.T) {
-	tests := []struct {
-		name                   string
-		preferredStrategy      v1.CoordinatedLeaseStrategy
-		expectedHolderIdentity *string
-	}{
-		{
-			name:              "third party strategy, no holder identity",
-			preferredStrategy: v1.CoordinatedLeaseStrategy("foo.com/bar"),
-			// Because a third-party CoordinatedLeaseStrategy is in use,
-			// the coordinated leader election controller doesn't manage
-			// the lease's leader election and does not set the holder identity,
-			// and leave it to some other controller. The lease will be created
-			// with the strategy set but holderIdentity set to nil.
-			expectedHolderIdentity: nil,
-		},
-	}
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cletest := setupCLE(config, ctx, t)
-			defer cletest.cleanup()
-			go cletest.createAndRunFakeController("foo1", "default", "foo", "1.20.0", "1.20.0", tc.preferredStrategy)
-			cletest.pollForLease(ctx, "foo", "default", tc.expectedHolderIdentity)
-		})
-	}
-}
-
-func TestMultipleLeaseCandidate(t *testing.T) {
-	tests := []struct {
-		name                   string
-		preferredStrategy      v1.CoordinatedLeaseStrategy
-		expectedHolderIdentity *string
-	}{
-		{
-			name:              "default strategy, has lease identity",
-			preferredStrategy: v1.OldestEmulationVersion,
-			// Because the OldestEmulationVersion strategy is used here, the
-			// the coordinated leader election controller will pick the candidate
-			// with OldestEmulationVersion and OldestBinaryVersion.
-			expectedHolderIdentity: ptr.To("baz3"),
-		},
-	}
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cletest := setupCLE(config, ctx, t)
-			defer cletest.cleanup()
-			go cletest.createAndRunFakeController("baz1", "default", "baz", "1.20.0", "1.20.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz2", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz3", "default", "baz", "1.19.0", "1.19.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz4", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
-			cletest.pollForLease(ctx, "baz", "default", tc.expectedHolderIdentity)
-		})
-	}
-}
-
-func TestMultipleLeaseCandidateUsingThirdPartyStrategy(t *testing.T) {
-	tests := []struct {
-		name                   string
-		preferredStrategy      v1.CoordinatedLeaseStrategy
-		expectedHolderIdentity *string
-	}{
-		{
-			name:              "third party strategy, no holder identity",
-			preferredStrategy: v1.CoordinatedLeaseStrategy("foo.com/bar"),
-			// Because a third-party CoordinatedLeaseStrategy is in use,
-			// the coordinated leader election controller doesn't manage
-			// the lease's leader election and does not set the holder identity,
-			// and leave it to some other controller. The lease will be created
-			// with the strategy set but holderIdentity set to nil.
-			expectedHolderIdentity: nil,
-		},
-	}
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			cletest := setupCLE(config, ctx, t)
-			defer cletest.cleanup()
-			go cletest.createAndRunFakeController("baz1", "default", "baz", "1.20.0", "1.20.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz2", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz3", "default", "baz", "1.19.0", "1.19.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz4", "default", "baz", "1.2.0", "1.19.0", tc.preferredStrategy)
-			go cletest.createAndRunFakeController("baz5", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
-			cletest.pollForLease(ctx, "baz", "default", tc.expectedHolderIdentity)
-		})
-	}
-}
-
-func TestLeaseSwapIfBetterAvailable(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	cletest := setupCLE(config, ctx, t)
-	defer cletest.cleanup()
-
-	go cletest.createAndRunFakeController("bar1", "default", "bar", "1.20.0", "1.20.0", v1.OldestEmulationVersion)
-	cletest.pollForLease(ctx, "bar", "default", ptr.To("bar1"))
-	go cletest.createAndRunFakeController("bar2", "default", "bar", "1.19.0", "1.19.0", v1.OldestEmulationVersion)
-	cletest.pollForLease(ctx, "bar", "default", ptr.To("bar2"))
-}
-
-// TestUpgradeSkew tests that a legacy client and a CLE aware client operating on the same lease do not cause errors
-func TestUpgradeSkew(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	cletest := setupCLE(config, ctx, t)
-	defer cletest.cleanup()
-
-	go cletest.createAndRunFakeLegacyController("foo1-130", "default", "foobar")
-	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-130"))
-	go cletest.createAndRunFakeController("foo1-131", "default", "foobar", "1.31.0", "1.31.0", v1.OldestEmulationVersion)
-	// running a new controller should not kick off old leader
-	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-130"))
-	cletest.cancelController("foo1-130", "default")
-	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-131"))
-}
-
-func TestLeaseCandidateCleanup(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
-	apiserver.LeaseCandidateGCPeriod = 1 * time.Second
-
-	defer func() {
-		apiserver.LeaseCandidateGCPeriod = 30 * time.Minute
-	}()
-
-	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
-	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer server.TearDownFn()
-	config := server.ClientConfig
-	clientset, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		t.Fatal(err)
-	}
-	expiredLC := &v1beta1.LeaseCandidate{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "expired",
-			Namespace: "default",
-		},
-		Spec: v1beta1.LeaseCandidateSpec{
-			LeaseName:        "foobaz",
-			BinaryVersion:    "0.1.0",
-			EmulationVersion: "0.1.0",
-			Strategy:         v1.OldestEmulationVersion,
-			RenewTime:        &metav1.MicroTime{Time: time.Now().Add(-2 * time.Hour)},
-			PingTime:         &metav1.MicroTime{Time: time.Now().Add(-1 * time.Hour)},
-		},
-	}
-	ctx := context.Background()
-	_, err = clientset.CoordinationV1beta1().LeaseCandidates("default").Create(ctx, expiredLC, metav1.CreateOptions{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = wait.PollUntilContextTimeout(ctx, 1000*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (done bool, err error) {
-		_, err = clientset.CoordinationV1beta1().LeaseCandidates("default").Get(ctx, "expired", metav1.GetOptions{})
-		if apierrors.IsNotFound(err) {
-			return true, nil
-		}
-		return false, nil
-	})
-	if err != nil {
-		t.Fatalf("Timieout waiting for lease gc")
-	}
-
-}
-
-type ctxCancelPair struct {
-	ctx    context.Context
-	cancel func()
-}
-type cleTest struct {
-	config    *rest.Config
-	clientset *kubernetes.Clientset
-	t         *testing.T
-	mu        sync.Mutex
-	ctx       context.Context
-	ctxList   map[string]ctxCancelPair
-}
-
-func (t *cleTest) createAndRunFakeLegacyController(name string, namespace string, targetLease string) {
-	ctx, cancel := context.WithCancel(t.ctx)
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	t.ctxList[name+"/"+namespace] = ctxCancelPair{ctx, cancel}
-
-	electionChecker := leaderelection.NewLeaderHealthzAdaptor(time.Second * 20)
-	go leaderElectAndRunUncoordinated(ctx, t.config, name, electionChecker,
-		namespace,
-		"leases",
-		targetLease,
-		leaderelection.LeaderCallbacks{
-			OnStartedLeading: func(ctx context.Context) {
-				klog.Info("Elected leader, starting..")
-			},
-			OnStoppedLeading: func() {
-				klog.Errorf("%s Lost leadership, stopping", name)
-			},
-		})
-
-}
-func (t *cleTest) createAndRunFakeController(name string, namespace string, targetLease string, binaryVersion string, compatibilityVersion string, preferredStrategy v1.CoordinatedLeaseStrategy) {
-	identityLease, _, err := leaderelection.NewCandidate(
-		t.clientset,
-		namespace,
-		name,
-		targetLease,
-		binaryVersion,
-		compatibilityVersion,
-		preferredStrategy,
-	)
-	if err != nil {
-		t.t.Error(err)
-	}
-
-	ctx, cancel := context.WithCancel(t.ctx)
-	t.mu.Lock()
-	t.ctxList[name+"/"+namespace] = ctxCancelPair{ctx, cancel}
-	t.mu.Unlock()
-	go identityLease.Run(ctx)
-
-	electionChecker := leaderelection.NewLeaderHealthzAdaptor(time.Second * 20)
-	go leaderElectAndRunCoordinated(ctx, t.config, name, electionChecker,
-		namespace,
-		"leases",
-		targetLease,
-		leaderelection.LeaderCallbacks{
-			OnStartedLeading: func(ctx context.Context) {
-				klog.Info("Elected leader, starting..")
-			},
-			OnStoppedLeading: func() {
-				klog.Errorf("%s Lost leadership, stopping", name)
-				// klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-			},
-		})
-}
-
-func leaderElectAndRunUncoordinated(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks) {
-	leaderElectAndRun(ctx, kubeconfig, lockIdentity, electionChecker, resourceNamespace, resourceLock, leaseName, callbacks, false)
-}
-
-func leaderElectAndRunCoordinated(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks) {
-	leaderElectAndRun(ctx, kubeconfig, lockIdentity, electionChecker, resourceNamespace, resourceLock, leaseName, callbacks, true)
-}
-
-func leaderElectAndRun(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks, coordinated bool) {
-	logger := klog.FromContext(ctx)
-	rl, err := resourcelock.NewFromKubeconfig(resourceLock,
-		resourceNamespace,
-		leaseName,
-		resourcelock.ResourceLockConfig{
-			Identity: lockIdentity,
-		},
-		kubeconfig,
-		5*time.Second)
-	if err != nil {
-		logger.Error(err, "Error creating lock")
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-	}
-
-	leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
-		Lock:          rl,
-		LeaseDuration: 5 * time.Second,
-		RenewDeadline: 3 * time.Second,
-		RetryPeriod:   2 * time.Second,
-		Callbacks:     callbacks,
-		WatchDog:      electionChecker,
-		Name:          leaseName,
-		Coordinated:   coordinated,
-	})
-}
-
-func (t *cleTest) pollForLease(ctx context.Context, name, namespace string, holder *string) {
-	err := wait.PollUntilContextTimeout(ctx, 1000*time.Millisecond, 25*time.Second, true, func(ctx context.Context) (done bool, err error) {
-		lease, err := t.clientset.CoordinationV1().Leases(namespace).Get(ctx, name, metav1.GetOptions{})
-		if err != nil {
-			fmt.Println(err)
-			return false, nil
-		}
-		if holder == nil {
-			return lease.Spec.HolderIdentity == nil, nil
-		}
-		return lease.Spec.HolderIdentity != nil && *lease.Spec.HolderIdentity == *holder, nil
-	})
-	if err != nil {
-		t.t.Fatalf("timeout waiting for Lease %s %s err: %v", name, namespace, err)
-	}
-}
-
-func (t *cleTest) cancelController(name, namespace string) {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	t.ctxList[name+"/"+namespace].cancel()
-	delete(t.ctxList, name+"/"+namespace)
-}
-
-func (t *cleTest) cleanup() {
-	err := t.clientset.CoordinationV1().Leases("kube-system").Delete(context.TODO(), "leader-election-controller", metav1.DeleteOptions{})
-	if err != nil && !apierrors.IsNotFound(err) {
-		t.t.Error(err)
-	}
-}
-
-func setupCLE(config *rest.Config, ctx context.Context, t *testing.T) *cleTest {
-	clientset, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return &cleTest{
-		config:    config,
-		clientset: clientset,
-		ctx:       ctx,
-		ctxList:   map[string]ctxCancelPair{},
-		t:         t,
-	}
-}
diff --git a/test/integration/apiserver/coordinatedleaderelection/leaderelection_test.go b/test/integration/apiserver/coordinatedleaderelection/cle_lease_test.go
similarity index 100%
rename from test/integration/apiserver/coordinatedleaderelection/leaderelection_test.go
rename to test/integration/apiserver/coordinatedleaderelection/cle_lease_test.go
diff --git a/test/integration/apiserver/coordinatedleaderelection/cle_managed_lease_test.go b/test/integration/apiserver/coordinatedleaderelection/cle_managed_lease_test.go
new file mode 100644
index 0000000000000..30987b8c60d4f
--- /dev/null
+++ b/test/integration/apiserver/coordinatedleaderelection/cle_managed_lease_test.go
@@ -0,0 +1,453 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package leaderelection
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/coordination/v1"
+	v1beta1 "k8s.io/api/coordination/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	kubernetes "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/leaderelection"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/klog/v2"
+	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
+	"k8s.io/kubernetes/pkg/controlplane/apiserver"
+	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/utils/ptr"
+)
+
+func TestSingleLeaseCandidate(t *testing.T) {
+	tests := []struct {
+		name                   string
+		preferredStrategy      v1.CoordinatedLeaseStrategy
+		expectedHolderIdentity *string
+	}{
+		{
+			name:                   "default strategy, has lease identity",
+			preferredStrategy:      v1.OldestEmulationVersion,
+			expectedHolderIdentity: ptr.To("foo1"),
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			cletest := setupCLE(config, ctx, t)
+			defer cletest.cleanup()
+			go cletest.createAndRunFakeController("foo1", "default", "foo", "1.20.0", "1.20.0", tc.preferredStrategy)
+			cletest.pollForLease(ctx, "foo", "default", tc.expectedHolderIdentity)
+		})
+	}
+}
+
+func TestSingleLeaseCandidateUsingThirdPartyStrategy(t *testing.T) {
+	tests := []struct {
+		name                   string
+		preferredStrategy      v1.CoordinatedLeaseStrategy
+		expectedHolderIdentity *string
+	}{
+		{
+			name:              "third party strategy, no holder identity",
+			preferredStrategy: v1.CoordinatedLeaseStrategy("foo.com/bar"),
+			// Because a third-party CoordinatedLeaseStrategy is in use,
+			// the coordinated leader election controller doesn't manage
+			// the lease's leader election and does not set the holder identity,
+			// and leave it to some other controller. The lease will be created
+			// with the strategy set but holderIdentity set to nil.
+			expectedHolderIdentity: nil,
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			cletest := setupCLE(config, ctx, t)
+			defer cletest.cleanup()
+			go cletest.createAndRunFakeController("foo1", "default", "foo", "1.20.0", "1.20.0", tc.preferredStrategy)
+			cletest.pollForLease(ctx, "foo", "default", tc.expectedHolderIdentity)
+		})
+	}
+}
+
+func TestMultipleLeaseCandidate(t *testing.T) {
+	tests := []struct {
+		name                   string
+		preferredStrategy      v1.CoordinatedLeaseStrategy
+		expectedHolderIdentity *string
+	}{
+		{
+			name:              "default strategy, has lease identity",
+			preferredStrategy: v1.OldestEmulationVersion,
+			// Because the OldestEmulationVersion strategy is used here, the
+			// the coordinated leader election controller will pick the candidate
+			// with OldestEmulationVersion and OldestBinaryVersion.
+			expectedHolderIdentity: ptr.To("baz3"),
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			cletest := setupCLE(config, ctx, t)
+			defer cletest.cleanup()
+			go cletest.createAndRunFakeController("baz1", "default", "baz", "1.20.0", "1.20.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz2", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz3", "default", "baz", "1.19.0", "1.19.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz4", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
+			cletest.pollForLease(ctx, "baz", "default", tc.expectedHolderIdentity)
+		})
+	}
+}
+
+func TestMultipleLeaseCandidateUsingThirdPartyStrategy(t *testing.T) {
+	tests := []struct {
+		name                   string
+		preferredStrategy      v1.CoordinatedLeaseStrategy
+		expectedHolderIdentity *string
+	}{
+		{
+			name:              "third party strategy, no holder identity",
+			preferredStrategy: v1.CoordinatedLeaseStrategy("foo.com/bar"),
+			// Because a third-party CoordinatedLeaseStrategy is in use,
+			// the coordinated leader election controller doesn't manage
+			// the lease's leader election and does not set the holder identity,
+			// and leave it to some other controller. The lease will be created
+			// with the strategy set but holderIdentity set to nil.
+			expectedHolderIdentity: nil,
+		},
+	}
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			cletest := setupCLE(config, ctx, t)
+			defer cletest.cleanup()
+			go cletest.createAndRunFakeController("baz1", "default", "baz", "1.20.0", "1.20.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz2", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz3", "default", "baz", "1.19.0", "1.19.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz4", "default", "baz", "1.2.0", "1.19.0", tc.preferredStrategy)
+			go cletest.createAndRunFakeController("baz5", "default", "baz", "1.20.0", "1.19.0", tc.preferredStrategy)
+			cletest.pollForLease(ctx, "baz", "default", tc.expectedHolderIdentity)
+		})
+	}
+}
+
+func TestLeaseSwapIfBetterAvailable(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	cletest := setupCLE(config, ctx, t)
+	defer cletest.cleanup()
+
+	go cletest.createAndRunFakeController("bar1", "default", "bar", "1.20.0", "1.20.0", v1.OldestEmulationVersion)
+	cletest.pollForLease(ctx, "bar", "default", ptr.To("bar1"))
+	go cletest.createAndRunFakeController("bar2", "default", "bar", "1.19.0", "1.19.0", v1.OldestEmulationVersion)
+	cletest.pollForLease(ctx, "bar", "default", ptr.To("bar2"))
+}
+
+// TestUpgradeSkew tests that a legacy client and a CLE aware client operating on the same lease do not cause errors
+func TestUpgradeSkew(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	cletest := setupCLE(config, ctx, t)
+	defer cletest.cleanup()
+
+	go cletest.createAndRunFakeLegacyController("foo1-130", "default", "foobar")
+	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-130"))
+	go cletest.createAndRunFakeController("foo1-131", "default", "foobar", "1.31.0", "1.31.0", v1.OldestEmulationVersion)
+	// running a new controller should not kick off old leader
+	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-130"))
+	cletest.cancelController("foo1-130", "default")
+	cletest.pollForLease(ctx, "foobar", "default", ptr.To("foo1-131"))
+}
+
+func TestLeaseCandidateCleanup(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.CoordinatedLeaderElection, true)
+	apiserver.LeaseCandidateGCPeriod = 1 * time.Second
+
+	defer func() {
+		apiserver.LeaseCandidateGCPeriod = 30 * time.Minute
+	}()
+
+	flags := []string{fmt.Sprintf("--runtime-config=%s=true", v1beta1.SchemeGroupVersion)}
+	server, err := apiservertesting.StartTestServer(t, apiservertesting.NewDefaultTestServerOptions(), flags, framework.SharedEtcd())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer server.TearDownFn()
+	config := server.ClientConfig
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expiredLC := &v1beta1.LeaseCandidate{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "expired",
+			Namespace: "default",
+		},
+		Spec: v1beta1.LeaseCandidateSpec{
+			LeaseName:        "foobaz",
+			BinaryVersion:    "0.1.0",
+			EmulationVersion: "0.1.0",
+			Strategy:         v1.OldestEmulationVersion,
+			RenewTime:        &metav1.MicroTime{Time: time.Now().Add(-2 * time.Hour)},
+			PingTime:         &metav1.MicroTime{Time: time.Now().Add(-1 * time.Hour)},
+		},
+	}
+	ctx := context.Background()
+	_, err = clientset.CoordinationV1beta1().LeaseCandidates("default").Create(ctx, expiredLC, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = wait.PollUntilContextTimeout(ctx, 1000*time.Millisecond, 5*time.Second, true, func(ctx context.Context) (done bool, err error) {
+		_, err = clientset.CoordinationV1beta1().LeaseCandidates("default").Get(ctx, "expired", metav1.GetOptions{})
+		if apierrors.IsNotFound(err) {
+			return true, nil
+		}
+		return false, nil
+	})
+	if err != nil {
+		t.Fatalf("Timieout waiting for lease gc")
+	}
+
+}
+
+type ctxCancelPair struct {
+	ctx    context.Context
+	cancel func()
+}
+type cleTest struct {
+	config    *rest.Config
+	clientset *kubernetes.Clientset
+	t         *testing.T
+	mu        sync.Mutex
+	ctx       context.Context
+	ctxList   map[string]ctxCancelPair
+}
+
+func (t *cleTest) createAndRunFakeLegacyController(name string, namespace string, targetLease string) {
+	ctx, cancel := context.WithCancel(t.ctx)
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	t.ctxList[name+"/"+namespace] = ctxCancelPair{ctx, cancel}
+
+	electionChecker := leaderelection.NewLeaderHealthzAdaptor(time.Second * 20)
+	go leaderElectAndRunUncoordinated(ctx, t.config, name, electionChecker,
+		namespace,
+		"leases",
+		targetLease,
+		leaderelection.LeaderCallbacks{
+			OnStartedLeading: func(ctx context.Context) {
+				klog.Info("Elected leader, starting..")
+			},
+			OnStoppedLeading: func() {
+				klog.Errorf("%s Lost leadership, stopping", name)
+			},
+		})
+
+}
+func (t *cleTest) createAndRunFakeController(name string, namespace string, targetLease string, binaryVersion string, compatibilityVersion string, preferredStrategy v1.CoordinatedLeaseStrategy) {
+	identityLease, _, err := leaderelection.NewCandidate(
+		t.clientset,
+		namespace,
+		name,
+		targetLease,
+		binaryVersion,
+		compatibilityVersion,
+		preferredStrategy,
+	)
+	if err != nil {
+		t.t.Error(err)
+	}
+
+	ctx, cancel := context.WithCancel(t.ctx)
+	t.mu.Lock()
+	t.ctxList[name+"/"+namespace] = ctxCancelPair{ctx, cancel}
+	t.mu.Unlock()
+	go identityLease.Run(ctx)
+
+	electionChecker := leaderelection.NewLeaderHealthzAdaptor(time.Second * 20)
+	go leaderElectAndRunCoordinated(ctx, t.config, name, electionChecker,
+		namespace,
+		"leases",
+		targetLease,
+		leaderelection.LeaderCallbacks{
+			OnStartedLeading: func(ctx context.Context) {
+				klog.Info("Elected leader, starting..")
+			},
+			OnStoppedLeading: func() {
+				klog.Errorf("%s Lost leadership, stopping", name)
+				// klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+			},
+		})
+}
+
+func leaderElectAndRunUncoordinated(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks) {
+	leaderElectAndRun(ctx, kubeconfig, lockIdentity, electionChecker, resourceNamespace, resourceLock, leaseName, callbacks, false)
+}
+
+func leaderElectAndRunCoordinated(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks) {
+	leaderElectAndRun(ctx, kubeconfig, lockIdentity, electionChecker, resourceNamespace, resourceLock, leaseName, callbacks, true)
+}
+
+func leaderElectAndRun(ctx context.Context, kubeconfig *rest.Config, lockIdentity string, electionChecker *leaderelection.HealthzAdaptor, resourceNamespace, resourceLock, leaseName string, callbacks leaderelection.LeaderCallbacks, coordinated bool) {
+	logger := klog.FromContext(ctx)
+	rl, err := resourcelock.NewFromKubeconfig(resourceLock,
+		resourceNamespace,
+		leaseName,
+		resourcelock.ResourceLockConfig{
+			Identity: lockIdentity,
+		},
+		kubeconfig,
+		5*time.Second)
+	if err != nil {
+		logger.Error(err, "Error creating lock")
+		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+	}
+
+	leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
+		Lock:          rl,
+		LeaseDuration: 5 * time.Second,
+		RenewDeadline: 3 * time.Second,
+		RetryPeriod:   2 * time.Second,
+		Callbacks:     callbacks,
+		WatchDog:      electionChecker,
+		Name:          leaseName,
+		Coordinated:   coordinated,
+	})
+}
+
+func (t *cleTest) pollForLease(ctx context.Context, name, namespace string, holder *string) {
+	err := wait.PollUntilContextTimeout(ctx, 1000*time.Millisecond, 25*time.Second, true, func(ctx context.Context) (done bool, err error) {
+		lease, err := t.clientset.CoordinationV1().Leases(namespace).Get(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			fmt.Println(err)
+			return false, nil
+		}
+		if holder == nil {
+			return lease.Spec.HolderIdentity == nil, nil
+		}
+		return lease.Spec.HolderIdentity != nil && *lease.Spec.HolderIdentity == *holder, nil
+	})
+	if err != nil {
+		t.t.Fatalf("timeout waiting for Lease %s %s err: %v", name, namespace, err)
+	}
+}
+
+func (t *cleTest) cancelController(name, namespace string) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	t.ctxList[name+"/"+namespace].cancel()
+	delete(t.ctxList, name+"/"+namespace)
+}
+
+func (t *cleTest) cleanup() {
+	err := t.clientset.CoordinationV1().Leases("kube-system").Delete(context.TODO(), "leader-election-controller", metav1.DeleteOptions{})
+	if err != nil && !apierrors.IsNotFound(err) {
+		t.t.Error(err)
+	}
+}
+
+func setupCLE(config *rest.Config, ctx context.Context, t *testing.T) *cleTest {
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return &cleTest{
+		config:    config,
+		clientset: clientset,
+		ctx:       ctx,
+		ctxList:   map[string]ctxCancelPair{},
+		t:         t,
+	}
+}
diff --git a/test/integration/apiserver/discovery/framework.go b/test/integration/apiserver/discovery/framework.go
index 460525fd9ca26..2183c26dee1be 100644
--- a/test/integration/apiserver/discovery/framework.go
+++ b/test/integration/apiserver/discovery/framework.go
@@ -44,6 +44,7 @@ import (
 
 const acceptV1JSON = "application/json"
 const acceptV2JSON = "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList"
+const acceptV2JSONNoPeer = "application/json;g=apidiscovery.k8s.io;v=v2;as=APIGroupDiscoveryList;profile=nopeer"
 
 const maxTimeout = 10 * time.Second
 
@@ -717,3 +718,72 @@ func FindGroupVersionV2(discovery apidiscoveryv2.APIGroupDiscoveryList, gv metav
 
 	return nil
 }
+
+// FetchNoPeerDiscovery explicitly requests no-peer discovery
+func FetchNoPeerDiscovery(ctx context.Context, client testClient) (apidiscoveryv2.APIGroupDiscoveryList, error) {
+	result, err := client.
+		Discovery().
+		RESTClient().
+		Get().
+		AbsPath("/apis").
+		SetHeader("Accept", acceptV2JSONNoPeer).
+		Do(ctx).
+		Raw()
+
+	if err != nil {
+		return apidiscoveryv2.APIGroupDiscoveryList{}, fmt.Errorf("failed to fetch no-peer discovery: %w", err)
+	}
+
+	groupList := apidiscoveryv2.APIGroupDiscoveryList{}
+	err = json.Unmarshal(result, &groupList)
+	if err != nil {
+		return apidiscoveryv2.APIGroupDiscoveryList{}, fmt.Errorf("failed to parse no-peer discovery: %w", err)
+	}
+
+	return groupList, nil
+}
+
+// FetchPeerAggregatedDiscovery explicitly requests peer-aggregated discovery
+func FetchPeerAggregatedDiscovery(ctx context.Context, client testClient) (apidiscoveryv2.APIGroupDiscoveryList, error) {
+	result, err := client.
+		Discovery().
+		RESTClient().
+		Get().
+		AbsPath("/apis").
+		SetHeader("Accept", acceptV2JSON).
+		Do(ctx).
+		Raw()
+
+	if err != nil {
+		return apidiscoveryv2.APIGroupDiscoveryList{}, fmt.Errorf("failed to fetch peer-aggregated discovery: %w", err)
+	}
+
+	groupList := apidiscoveryv2.APIGroupDiscoveryList{}
+	err = json.Unmarshal(result, &groupList)
+	if err != nil {
+		return apidiscoveryv2.APIGroupDiscoveryList{}, fmt.Errorf("failed to parse peer-aggregated discovery: %w", err)
+	}
+
+	return groupList, nil
+}
+
+// WaitForPeerAggregatedDiscoveryWithCondition waits for peer-aggregated discovery to satisfy a condition.
+func WaitForPeerAggregatedDiscoveryWithCondition(ctx context.Context, client testClient, condition func(result apidiscoveryv2.APIGroupDiscoveryList) bool) error {
+	return wait.PollUntilContextTimeout(
+		ctx,
+		5*time.Second,
+		30*time.Second,
+		true,
+		func(ctx context.Context) (done bool, err error) {
+			groupList, err := FetchPeerAggregatedDiscovery(ctx, client)
+			if err != nil {
+				return false, err
+			}
+
+			if condition(groupList) {
+				return true, nil
+			}
+
+			return false, nil
+		})
+}
diff --git a/test/integration/apiserver/discovery/peer_agg_discovery_test.go b/test/integration/apiserver/discovery/peer_agg_discovery_test.go
new file mode 100644
index 0000000000000..4ad91ee62558b
--- /dev/null
+++ b/test/integration/apiserver/discovery/peer_agg_discovery_test.go
@@ -0,0 +1,386 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/test/integration/framework"
+
+	apidiscoveryv2 "k8s.io/api/apidiscovery/v2"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	genericfeatures "k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
+	testutil "k8s.io/kubernetes/test/utils"
+)
+
+func TestPeerAggregatedDiscovery(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	// Enable feature gates for peer-aggregated discovery and peer proxy.
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.APIServerIdentity, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
+
+	// Create shared etcd.
+	etcd := framework.SharedEtcd()
+
+	// Create certificates for aggregation and client-cert auth.
+	proxyCA, err := createProxyCertContent()
+	require.NoError(t, err)
+
+	// Start two API servers with different API configurations.
+	server.SetHostnameFuncForTests("test-server-a")
+	serverA := kubeapiservertesting.StartTestServerOrDie(t, &kubeapiservertesting.TestServerInstanceOptions{
+		EnableCertAuth: true,
+		ProxyCA:        &proxyCA,
+	}, []string{
+		"--runtime-config=apps/v1=false",
+	}, etcd)
+	t.Cleanup(serverA.TearDownFn)
+	clientA, err := kubernetes.NewForConfig(serverA.ClientConfig)
+	require.NoError(t, err)
+
+	server.SetHostnameFuncForTests("test-server-b")
+	serverB := kubeapiservertesting.StartTestServerOrDie(t, &kubeapiservertesting.TestServerInstanceOptions{
+		EnableCertAuth: true,
+		ProxyCA:        &proxyCA,
+	}, []string{
+		"--runtime-config=batch/v1=false",
+	}, etcd)
+	t.Cleanup(serverB.TearDownFn)
+
+	clientB, err := kubernetes.NewForConfig(serverB.ClientConfig)
+	require.NoError(t, err)
+
+	t.Run("CheckIdentityLeases", func(t *testing.T) {
+		// Check for identity leases in the kube-system namespace
+		leases, err := clientA.CoordinationV1().Leases("kube-system").List(ctx, metav1.ListOptions{
+			LabelSelector: "apiserver.kubernetes.io/identity=kube-apiserver",
+		})
+		if err != nil {
+			t.Logf("Failed to list identity leases: %v", err)
+		} else {
+			t.Logf("Found %d identity leases:", len(leases.Items))
+		}
+	})
+
+	t.Run("NoPeerDiscoveryWorks", func(t *testing.T) {
+		testNoPeerDiscovery(t, ctx, clientA, clientB)
+	})
+
+	t.Run("PeerAggregatedDiscoveryEndpoint", func(t *testing.T) {
+		testPeerAggregatedDiscoveryEndpoint(t, ctx, clientA, clientB)
+	})
+}
+
+func TestPeerAggregatedDiscoveryWithCRD(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	// Enable feature gates for peer-aggregated discovery and peer proxy.
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.APIServerIdentity, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.UnknownVersionInteroperabilityProxy, true)
+
+	// Create shared etcd.
+	etcd := framework.SharedEtcd()
+
+	// Create certificates for aggregation and client-cert auth.
+	proxyCA, err := createProxyCertContent()
+	require.NoError(t, err)
+
+	// Start two API servers with different API configurations.
+	server.SetHostnameFuncForTests("test-server-a")
+	serverA := kubeapiservertesting.StartTestServerOrDie(t, &kubeapiservertesting.TestServerInstanceOptions{
+		EnableCertAuth: true,
+		ProxyCA:        &proxyCA,
+	}, []string{
+		"--runtime-config=apps/v1=false",
+	}, etcd)
+	t.Cleanup(serverA.TearDownFn)
+	clientA, err := kubernetes.NewForConfig(serverA.ClientConfig)
+	require.NoError(t, err)
+	crdClientA, err := apiextensionsclient.NewForConfig(serverA.ClientConfig)
+	require.NoError(t, err)
+
+	server.SetHostnameFuncForTests("test-server-b")
+	serverB := kubeapiservertesting.StartTestServerOrDie(t, &kubeapiservertesting.TestServerInstanceOptions{
+		EnableCertAuth: true,
+		ProxyCA:        &proxyCA,
+	}, []string{
+		"--runtime-config=batch/v1=false",
+	}, etcd)
+	t.Cleanup(serverB.TearDownFn)
+
+	clientB, err := kubernetes.NewForConfig(serverB.ClientConfig)
+	require.NoError(t, err)
+	_, err = apiextensionsclient.NewForConfig(serverB.ClientConfig)
+	require.NoError(t, err)
+
+	// Create a new CRD in serverA
+	crdName := "foos.example.com"
+	crdSpec := makeCRDSpec("example.com", "Foo", false, []string{"v1"})
+	crd := &apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: crdName,
+		},
+		Spec: crdSpec,
+	}
+	_, err = crdClientA.ApiextensionsV1().CustomResourceDefinitions().Create(ctx, crd, metav1.CreateOptions{})
+	require.NoError(t, err, "Failed to create CRD %s", crdName)
+
+	// Wait for peer-aggregated discovery to reflect the new group on both servers
+	for _, tc := range []struct {
+		name   string
+		client kubernetes.Interface
+	}{
+		{"serverA", clientA},
+		{"serverB", clientB},
+	} {
+		t.Run(tc.name+"_peeragg_with_crd", func(t *testing.T) {
+			testClientSet := testClientSet{kubeClientSet: tc.client}
+			testCtx, cancel := context.WithTimeout(ctx, 1*time.Minute)
+			defer cancel()
+
+			err := WaitForPeerAggregatedDiscoveryWithCondition(testCtx, testClientSet, func(result apidiscoveryv2.APIGroupDiscoveryList) bool {
+				for _, group := range result.Items {
+					if group.Name == "example.com" {
+						return true
+					}
+				}
+				return false
+			})
+			require.NoError(t, err, "Peer-aggregated discovery did not show CRD group on %s", tc.name)
+			t.Logf("Peer-aggregated discovery on %s contains CRD group example.com", tc.name)
+		})
+	}
+
+	// Now delete the CRD and verify it gets removed from peer-aggregated discovery
+	t.Log("Deleting CRD from serverA...")
+	err = crdClientA.ApiextensionsV1().CustomResourceDefinitions().Delete(ctx, crdName, metav1.DeleteOptions{})
+	require.NoError(t, err, "Failed to delete CRD %s", crdName)
+
+	// Wait for peer-aggregated discovery to reflect the deletion on both servers
+	// The CRD should be excluded from local discovery and therefore should NOT appear
+	// in peer-aggregated discovery from ANY peer.
+	for _, tc := range []struct {
+		name   string
+		client kubernetes.Interface
+	}{
+		{"serverA", clientA},
+		{"serverB", clientB},
+	} {
+		t.Run(tc.name+"_peeragg_without_crd", func(t *testing.T) {
+			testClientSet := testClientSet{kubeClientSet: tc.client}
+			testCtx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+			defer cancel()
+
+			// Wait for the CRD group to be removed from peer-aggregated discovery
+			// This validates:
+			// 1. The exclusion filter properly removes the CRD from local server's discovery
+			// 2. The grace period mechanism works (waits for peers to also see the deletion)
+			// 3. The peer-aggregated discovery doesn't show stale CRD data from any peer
+			err := WaitForPeerAggregatedDiscoveryWithCondition(testCtx, testClientSet, func(result apidiscoveryv2.APIGroupDiscoveryList) bool {
+				for _, group := range result.Items {
+					if group.Name == "example.com" {
+						// Still finding the group - not yet removed
+						return false
+					}
+				}
+				// Group not found - successfully removed
+				return true
+			})
+			require.NoError(t, err, "Peer-aggregated discovery should not show deleted CRD group on %s", tc.name)
+			t.Logf("Peer-aggregated discovery on %s correctly removed CRD group example.com after deletion", tc.name)
+		})
+	}
+
+	// Additionally verify that no-peer discovery also doesn't show the CRD
+	// This ensures the CRD is truly removed and not just filtered from peer-aggregated discovery
+	for _, tc := range []struct {
+		name   string
+		client kubernetes.Interface
+	}{
+		{"serverA", clientA},
+		{"serverB", clientB},
+	} {
+		t.Run(tc.name+"_nopeer_without_crd", func(t *testing.T) {
+			testClientSet := testClientSet{kubeClientSet: tc.client}
+
+			result, err := FetchNoPeerDiscovery(ctx, testClientSet)
+			require.NoError(t, err, "Should be able to fetch no-peer discovery from %s", tc.name)
+
+			hasCRDGroup := false
+			for _, group := range result.Items {
+				if group.Name == "example.com" {
+					hasCRDGroup = true
+					break
+				}
+			}
+			require.False(t, hasCRDGroup, "%s should NOT have example.com in no-peer discovery after CRD deletion", tc.name)
+			t.Logf("No-peer discovery on %s correctly does not show deleted CRD group", tc.name)
+		})
+	}
+}
+
+func testNoPeerDiscovery(t *testing.T, ctx context.Context, clientA, clientB kubernetes.Interface) {
+	testClientA := testClientSet{kubeClientSet: clientA}
+	testClientB := testClientSet{kubeClientSet: clientB}
+
+	// Verify serverA does NOT have apps/v1 in no-peer discovery (disabled via runtime-config)
+	resultA, err := FetchNoPeerDiscovery(ctx, testClientA)
+	require.NoError(t, err, "Should be able to fetch no-peer discovery from serverA")
+
+	hasAppsV1InA := false
+	for _, group := range resultA.Items {
+		if group.Name == "apps" {
+			for _, version := range group.Versions {
+				if version.Version == "v1" {
+					hasAppsV1InA = true
+					break
+				}
+			}
+		}
+	}
+	require.False(t, hasAppsV1InA, "ServerA should NOT have apps/v1 in no-peer discovery (disabled via runtime-config)")
+
+	// Verify serverB does NOT have batch/v1 in no-peer discovery (disabled via runtime-config)
+	resultB, err := FetchNoPeerDiscovery(ctx, testClientB)
+	require.NoError(t, err, "Should be able to fetch no-peer discovery from serverB")
+
+	hasBatchV1InB := false
+	for _, group := range resultB.Items {
+		if group.Name == "batch" {
+			for _, version := range group.Versions {
+				if version.Version == "v1" {
+					hasBatchV1InB = true
+					break
+				}
+			}
+		}
+	}
+	require.False(t, hasBatchV1InB, "ServerB should NOT have batch/v1 in no-peer discovery (disabled via runtime-config)")
+
+	// Verify serverA HAS batch/v1 in no-peer discovery (should be enabled by default)
+	hasBatchV1InA := false
+	var foundGroupsA []string
+	for _, group := range resultA.Items {
+		foundGroupsA = append(foundGroupsA, group.Name)
+		if group.Name == "batch" {
+			for _, version := range group.Versions {
+				if version.Version == "v1" {
+					hasBatchV1InA = true
+					break
+				}
+			}
+		}
+	}
+	t.Logf("ServerA no-peer discovery has groups: %v", foundGroupsA)
+	require.True(t, hasBatchV1InA, "ServerA should have batch/v1 in no-peer discovery (enabled by default)")
+
+	// Verify serverB HAS apps/v1 in no-peer discovery (should be enabled by default)
+	hasAppsV1InB := false
+	var foundGroupsB []string
+	for _, group := range resultB.Items {
+		foundGroupsB = append(foundGroupsB, group.Name)
+		if group.Name == "apps" {
+			for _, version := range group.Versions {
+				if version.Version == "v1" {
+					hasAppsV1InB = true
+					break
+				}
+			}
+		}
+	}
+	t.Logf("ServerB no-peer discovery has groups: %v", foundGroupsB)
+	require.True(t, hasAppsV1InB, "ServerB should have apps/v1 in no-peer discovery (enabled by default)")
+
+	t.Log("No-peer discovery validation complete:")
+	t.Log("  ServerA: has batch/v1, missing apps/v1 ✓")
+	t.Log("  ServerB: has apps/v1, missing batch/v1 ✓")
+}
+
+func testPeerAggregatedDiscoveryEndpoint(t *testing.T, ctx context.Context, clientA, clientB kubernetes.Interface) {
+	testCases := []struct {
+		name   string
+		client kubernetes.Interface
+	}{
+		{"serverA", clientA},
+		{"serverB", clientB},
+	}
+
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("%s_peer_aggregated_discovery", tc.name), func(t *testing.T) {
+			testClientSet := testClientSet{kubeClientSet: tc.client}
+			testCtx, cancel := context.WithTimeout(ctx, 1*time.Minute)
+			defer cancel()
+
+			// Wait for peer-aggregated discovery to contain both apps and batch groups.
+			err := WaitForPeerAggregatedDiscoveryWithCondition(testCtx, testClientSet, func(result apidiscoveryv2.APIGroupDiscoveryList) bool {
+				hasApps, hasBatch := false, false
+
+				for _, group := range result.Items {
+					if group.Name == "apps" {
+						hasApps = true
+					}
+					if group.Name == "batch" {
+						hasBatch = true
+					}
+				}
+
+				return hasApps && hasBatch
+			})
+
+			if err != nil {
+				t.Logf("Failed to get expected groups from %s after: %v", tc.name, err)
+			}
+
+			require.NoError(t, err, "Failed to get expected groups from %s within timeout", tc.name)
+			t.Logf("Successfully validated %s peer-aggregated discovery contains both apps and batch groups", tc.name)
+		})
+	}
+}
+
+func createProxyCertContent() (kubeapiservertesting.ProxyCA, error) {
+	result := kubeapiservertesting.ProxyCA{}
+	proxySigningKey, err := testutil.NewPrivateKey()
+	if err != nil {
+		return result, err
+	}
+	proxySigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "front-proxy-ca"}, proxySigningKey)
+	if err != nil {
+		return result, err
+	}
+
+	result = kubeapiservertesting.ProxyCA{
+		ProxySigningCert: proxySigningCert,
+		ProxySigningKey:  proxySigningKey,
+	}
+	return result, nil
+}
diff --git a/test/integration/apiserver/httpproxy/httpproxy_test.go b/test/integration/apiserver/httpproxy/httpproxy_test.go
new file mode 100644
index 0000000000000..12625b36aa48f
--- /dev/null
+++ b/test/integration/apiserver/httpproxy/httpproxy_test.go
@@ -0,0 +1,259 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package httpproxy
+
+import (
+	"context"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilnettesting "k8s.io/apimachinery/pkg/util/net/testing"
+	"k8s.io/client-go/kubernetes"
+	kastesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
+	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/fakedns"
+)
+
+func TestEgressToWebhookWithProxy(t *testing.T) {
+	// Go's http.ProxyFromEnvironment bypasses the proxy
+	// for localhost/127.0.0.1. To test this, we must make the HTTP client
+	// resolve a non-local hostname to 127.0.0.1.
+	const (
+		webhookHostname = "webhook.example.com"
+		proxyHostname   = "proxy.example.com"
+	)
+
+	hosts := map[string]string{
+		webhookHostname: "127.0.0.1",
+		proxyHostname:   "127.0.0.1",
+	}
+
+	// Fake DNS server
+	dnsServer, err := fakedns.NewServer(hosts)
+	if err != nil {
+		t.Fatalf("failed to create fake DNS server: %v", err)
+	}
+	dnsServer.Hijack(t)
+
+	webhookHit := make(chan struct{}, 2)
+	webhookServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Log("Webhook received request")
+		w.Header().Set("Content-Type", "application/json")
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			t.Logf("Failed to read webhook request body: %v", err)
+			http.Error(w, "failed to read body", http.StatusBadRequest)
+			return
+		}
+		var review admissionv1.AdmissionReview
+		if err := json.Unmarshal(body, &review); err != nil {
+			t.Logf("Failed to unmarshal admission review: %v", err)
+			http.Error(w, "failed to unmarshal", http.StatusBadRequest)
+			return
+		}
+
+		resp, err := json.Marshal(admissionv1.AdmissionReview{
+			TypeMeta: metav1.TypeMeta{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"},
+			Response: &admissionv1.AdmissionResponse{UID: review.Request.UID, Allowed: true},
+		})
+		if err != nil {
+			t.Logf("Failed to marshal admission response: %v", err)
+			http.Error(w, "failed to marshal response", http.StatusInternalServerError)
+			return
+		}
+		_, _ = w.Write(resp)
+		select {
+		case webhookHit <- struct{}{}:
+		default:
+		}
+	}))
+	webhookServer.EnableHTTP2 = true
+	webhookServer.StartTLS()
+	defer webhookServer.Close() //nolint:errcheck
+
+	// Proxy server
+	proxyHit := make(chan struct{}, 2)
+	proxyHandler := utilnettesting.NewHTTPProxyHandler(t, func(r *http.Request) bool {
+		t.Logf("Proxy received request for: %s %s", r.Method, r.URL.String())
+		select {
+		case proxyHit <- struct{}{}:
+		default:
+		}
+		return true
+	})
+	defer proxyHandler.Wait()
+
+	proxyServer := httptest.NewUnstartedServer(proxyHandler)
+	proxyServer.Start()
+	defer proxyServer.Close() //nolint:errcheck
+
+	proxyServerURL, err := url.Parse(proxyServer.URL)
+	if err != nil {
+		t.Fatalf("failed to parse proxy server URL: %v", err)
+	}
+	proxyURL := fmt.Sprintf("http://%s:%s", proxyHostname, proxyServerURL.Port())
+
+	etcd := framework.SharedEtcd()
+
+	// Construct the webhook URL using our fake hostname and the real port.
+	webhookServerURL, err := url.Parse(webhookServer.URL)
+	if err != nil {
+		t.Fatalf("failed to parse webhook server URL: %v", err)
+	}
+	webhookURL := fmt.Sprintf("https://%s:%s", webhookHostname, webhookServerURL.Port())
+	caCertDER := webhookServer.TLS.Certificates[0].Certificate[0]
+	caCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCertDER,
+	})
+
+	sideEffectsNone := admissionregistrationv1.SideEffectClassNone
+	failPolicy := admissionregistrationv1.Fail
+	webhookConfig := &admissionregistrationv1.ValidatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-webhook-proxy"},
+		Webhooks: []admissionregistrationv1.ValidatingWebhook{
+			{
+				Name: "test-proxy.example.com",
+				ClientConfig: admissionregistrationv1.WebhookClientConfig{
+					URL:      &webhookURL,
+					CABundle: caCertPEM,
+				},
+				Rules: []admissionregistrationv1.RuleWithOperations{
+					{
+						Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
+						Rule: admissionregistrationv1.Rule{
+							APIGroups:   []string{""},
+							APIVersions: []string{"v1"},
+							Resources:   []string{"pods"},
+						},
+					},
+				},
+				SideEffects:             &sideEffectsNone,
+				AdmissionReviewVersions: []string{"v1"},
+				TimeoutSeconds:          &[]int32{30}[0],
+				FailurePolicy:           &failPolicy,
+			},
+		},
+	}
+
+	// Test with HTTP_PROXY
+	t.Log("Testing with HTTP_PROXY")
+	t.Setenv("HTTP_PROXY", proxyURL)
+	t.Setenv("HTTPS_PROXY", proxyURL)
+	t.Setenv("NO_PROXY", "") // Ensure NO_PROXY is cleared
+	serverA := kastesting.StartTestServerOrDie(t, kastesting.NewDefaultTestServerOptions(), []string{"--disable-admission-plugins=ServiceAccount"}, etcd)
+
+	clientA, err := kubernetes.NewForConfig(serverA.ClientConfig)
+	if err != nil {
+		t.Fatalf("failed to create kubernetes client: %v", err)
+	}
+
+	_, err = clientA.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.Background(), webhookConfig, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("failed to create webhook config: %v", err)
+	}
+	// It can take a moment for the webhook to be consistently available.
+	time.Sleep(2 * time.Second)
+
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{{Name: "test", Image: "test"}},
+		},
+	}
+	_, err = clientA.CoreV1().Pods("default").Create(context.Background(), pod, metav1.CreateOptions{})
+	if err != nil {
+		t.Errorf("failed to create pod: %v", err)
+	}
+
+	select {
+	case <-proxyHit:
+		t.Log("Proxy was hit as expected")
+	case <-time.After(5 * time.Second):
+		t.Fatal("Proxy was not hit")
+	}
+	select {
+	case <-webhookHit:
+		t.Log("Webhook was hit as expected")
+	case <-time.After(5 * time.Second):
+		t.Fatal("Webhook was not hit")
+	}
+
+	serverA.TearDownFn()
+
+	// Clear channels for the next run
+	for len(proxyHit) > 0 {
+		<-proxyHit
+	}
+	for len(webhookHit) > 0 {
+		<-webhookHit
+	}
+
+	// Part 2: Test with NO_PROXY
+	t.Log("Testing with NO_PROXY")
+	t.Setenv("HTTP_PROXY", proxyURL)
+	t.Setenv("HTTPS_PROXY", proxyURL)
+	// Use the fake hostname in NO_PROXY
+	t.Setenv("NO_PROXY", strings.Join([]string{webhookHostname, "127.0.0.1", "localhost"}, ","))
+
+	serverB := kastesting.StartTestServerOrDie(t, kastesting.NewDefaultTestServerOptions(), []string{"--disable-admission-plugins=ServiceAccount"}, etcd)
+	defer serverB.TearDownFn()
+
+	clientB, err := kubernetes.NewForConfig(serverB.ClientConfig)
+	if err != nil {
+		t.Fatalf("failed to create kubernetes client: %v", err)
+	}
+
+	pod2 := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-pod-2"},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{{Name: "test", Image: "test"}},
+		},
+	}
+	_, err = clientB.CoreV1().Pods("default").Create(context.Background(), pod2, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("failed to create pod: %v", err)
+	}
+
+	select {
+	case <-webhookHit:
+		t.Log("Webhook was hit as expected")
+	case <-time.After(5 * time.Second):
+		t.Fatal("Webhook was not hit")
+	}
+
+	select {
+	case <-proxyHit:
+		t.Fatal("Proxy was hit, but should have been bypassed by NO_PROXY")
+	case <-time.After(2 * time.Second):
+		t.Log("Proxy was not hit, as expected")
+	}
+	// It needs to break the proxy connection or it will panic at cleanup
+	webhookServer.Close()
+}
diff --git a/test/integration/apiserver/httpproxy/main_test.go b/test/integration/apiserver/httpproxy/main_test.go
new file mode 100644
index 0000000000000..0b1b67c7c7068
--- /dev/null
+++ b/test/integration/apiserver/httpproxy/main_test.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package httpproxy
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/test/integration/framework"
+)
+
+func TestMain(m *testing.M) {
+	framework.EtcdMain(m.Run)
+}
diff --git a/test/integration/apiserver/oidc/oidc_test.go b/test/integration/apiserver/oidc/oidc_test.go
index bbbe08adc2f3c..740c2e4a4a934 100644
--- a/test/integration/apiserver/oidc/oidc_test.go
+++ b/test/integration/apiserver/oidc/oidc_test.go
@@ -27,6 +27,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -34,7 +35,6 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
-	"sync"
 	"testing"
 	"time"
 
@@ -49,16 +49,21 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilrand "k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apiserver/pkg/features"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	authenticationconfigmetrics "k8s.io/apiserver/pkg/server/options/authenticationconfig/metrics"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd/api"
 	certutil "k8s.io/client-go/util/cert"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	kubeapiserverapptesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	"k8s.io/kubernetes/pkg/kubeapiserver/options"
+	"k8s.io/kubernetes/pkg/util/slice"
 	"k8s.io/kubernetes/test/integration/framework"
 	utilsoidc "k8s.io/kubernetes/test/utils/oidc"
 	"k8s.io/kubernetes/test/utils/oidc/handlers"
@@ -79,12 +84,6 @@ const (
 	rsaKeyBitSize = 2048
 )
 
-var (
-	// testServerMutex serializes test server starts to prevent data races
-	// in admission plugin flag registration
-	testServerMutex sync.Mutex
-)
-
 var (
 	defaultRole = &rbacv1.Role{
 		TypeMeta:   metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"},
@@ -140,6 +139,8 @@ func TestStructuredAuthenticationConfig(t *testing.T) {
 }
 
 func runTests(t *testing.T, useAuthenticationConfig bool) {
+	genericapiserver.SetHostnameFuncForTests("testAPIServerID")
+
 	var tests = []singleTest[*rsa.PrivateKey, *rsa.PublicKey]{
 		{
 			name: "ID token is ok",
@@ -1592,18 +1593,7 @@ jwt:
 			}
 
 			adminClient := kubernetes.NewForConfigOrDie(apiServer.ClientConfig)
-			body, err := adminClient.RESTClient().Get().AbsPath("/metrics").DoRaw(ctx)
-			require.NoError(t, err)
-			var gotMetricStrings []string
-			trimFP := regexp.MustCompile(`(.*)(} \d+\.\d+.*)`)
-			for _, line := range strings.Split(string(body), "\n") {
-				if strings.HasPrefix(line, "apiserver_authentication_config_controller_") {
-					if strings.Contains(line, "_seconds") {
-						line = trimFP.ReplaceAllString(line, `$1`) + "} FP" // ignore floating point metric values
-					}
-					gotMetricStrings = append(gotMetricStrings, line)
-				}
-			}
+			gotMetricStrings := getMetrics(t, ctx, adminClient, "apiserver_authentication_config_controller_")
 			if diff := cmp.Diff(tt.wantMetricStrings, gotMetricStrings); diff != "" {
 				t.Errorf("unexpected metrics diff (-want +got): %s", diff)
 			}
@@ -1751,6 +1741,11 @@ jwt:
 }
 
 func TestMultipleJWTAuthenticators(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StructuredAuthenticationConfigurationJWKSMetrics, true)
+
+	genericapiserver.SetHostnameFuncForTests("testAPIServerID")
+	oidc.ResetMetrics()
+
 	caCertContent1, _, caFilePath1, caKeyFilePath1 := generateCert(t)
 	signingPrivateKey1, publicKey1 := rsaGenerateKey(t)
 	oidcServer1 := utilsoidc.BuildAndRunTestServer(t, caFilePath1, caKeyFilePath1, "")
@@ -1853,6 +1848,260 @@ jwt:
 		Groups:   []string{"system:role1", "system:role2", "system:role3", "system:role4", "system:authenticated"},
 		UID:      "1234",
 	}, res.Status.UserInfo)
+
+	jwtIssuerHash1 := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(oidcServer1.URL())))
+	jwtIssuerHash2 := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("https://example.com")))
+
+	keySetHash1 := fetchJWKSAndComputeHash(t, oidcServer1.URL(), caCertContent1)
+	keySetHash2 := fetchJWKSAndComputeHash(t, oidcServer2.URL(), caCertContent2)
+
+	wantMetricStrings := []string{
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s",jwt_issuer_hash="%s"} 1`, keySetHash1, jwtIssuerHash1),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s",jwt_issuer_hash="%s"} 1`, keySetHash2, jwtIssuerHash2),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",jwt_issuer_hash="%s",result="success"} FP`, jwtIssuerHash1),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",jwt_issuer_hash="%s",result="success"} FP`, jwtIssuerHash2),
+	}
+	adminClient := kubernetes.NewForConfigOrDie(apiServer.ClientConfig)
+	gotMetricStrings := getMetrics(t, ctx, adminClient, "apiserver_authentication_jwt_authenticator_jwks_")
+
+	wantMetricStrings = slice.SortStrings(wantMetricStrings)
+
+	if diff := cmp.Diff(wantMetricStrings, gotMetricStrings); diff != "" {
+		t.Errorf("unexpected metrics diff (-want +got): %s", diff)
+	}
+}
+
+// TestJWKSMetricsCleanupOnIssuerRemoval tests that metrics are cleaned up when an issuer is removed.
+// 1. Start with two issuers configured and verify that metrics for both issuers exist.
+// 2. Remove one issuer from the config and verify that metrics for the removed issuer are deleted.
+func TestJWKSMetricsCleanupOnIssuerRemoval(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StructuredAuthenticationConfigurationJWKSMetrics, true)
+
+	genericapiserver.SetHostnameFuncForTests("testAPIServerID")
+	oidc.ResetMetrics()
+
+	const hardCodedTokenCacheTTLAndPollInterval = 10 * time.Second
+	origUpdateAuthenticationConfigTimeout := options.UpdateAuthenticationConfigTimeout
+	t.Cleanup(func() { options.UpdateAuthenticationConfigTimeout = origUpdateAuthenticationConfigTimeout })
+	options.UpdateAuthenticationConfigTimeout = 2 * hardCodedTokenCacheTTLAndPollInterval
+
+	caCertContent1, _, caFilePath1, caKeyFilePath1 := generateCert(t)
+	signingPrivateKey1, publicKey1 := rsaGenerateKey(t)
+	oidcServer1 := utilsoidc.BuildAndRunTestServer(t, caFilePath1, caKeyFilePath1, "")
+
+	caCertContent2, _, caFilePath2, caKeyFilePath2 := generateCert(t)
+	signingPrivateKey2, publicKey2 := rsaGenerateKey(t)
+	oidcServer2 := utilsoidc.BuildAndRunTestServer(t, caFilePath2, caKeyFilePath2, "")
+
+	authenticationConfig := fmt.Sprintf(`
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: %s
+    audiences:
+    - foo
+    audienceMatchPolicy: MatchAny
+    certificateAuthority: |
+        %s
+  claimMappings:
+    username:
+      expression: "'k8s-' + claims.sub"
+- issuer:
+    url: %s
+    audiences:
+    - bar
+    audienceMatchPolicy: MatchAny
+    certificateAuthority: |
+        %s
+  claimMappings:
+    username:
+      expression: "'k8s-' + claims.sub"
+`, oidcServer1.URL(), indentCertificateAuthority(string(caCertContent1)), oidcServer2.URL(), indentCertificateAuthority(string(caCertContent2)))
+
+	oidcServer1.JwksHandler().EXPECT().KeySet().RunAndReturn(utilsoidc.DefaultJwksHandlerBehavior(t, publicKey1)).Maybe()
+	oidcServer2.JwksHandler().EXPECT().KeySet().RunAndReturn(utilsoidc.DefaultJwksHandlerBehavior(t, publicKey2)).Maybe()
+
+	apiServer := startTestAPIServerForOIDC(t, apiServerOIDCConfig{
+		authenticationConfigYAML: authenticationConfig,
+	}, publicKey1)
+
+	idTokenLifetime := time.Second * 1200
+	oidcServer1.TokenHandler().EXPECT().Token().RunAndReturn(utilsoidc.TokenHandlerBehaviorReturningPredefinedJWT(
+		t,
+		signingPrivateKey1,
+		map[string]interface{}{
+			"iss": oidcServer1.URL(),
+			"sub": defaultOIDCClaimedUsername,
+			"aud": "foo",
+			"exp": time.Now().Add(idTokenLifetime).Unix(),
+		},
+		defaultStubAccessToken,
+		defaultStubRefreshToken,
+	)).Times(1)
+
+	oidcServer2.TokenHandler().EXPECT().Token().RunAndReturn(utilsoidc.TokenHandlerBehaviorReturningPredefinedJWT(
+		t,
+		signingPrivateKey2,
+		map[string]interface{}{
+			"iss": oidcServer2.URL(),
+			"sub": defaultOIDCClaimedUsername,
+			"aud": "bar",
+			"exp": time.Now().Add(idTokenLifetime).Unix(),
+		},
+		defaultStubAccessToken,
+		defaultStubRefreshToken,
+	)).Times(1)
+
+	ctx := testContext(t)
+
+	tokenURL1, err := oidcServer1.TokenURL()
+	require.NoError(t, err)
+	tokenURL2, err := oidcServer2.TokenURL()
+	require.NoError(t, err)
+
+	client1 := configureClientFetchingOIDCCredentials(t, apiServer.ClientConfig, caCertContent1, caFilePath1, oidcServer1.URL(), tokenURL1)
+	_, err = client1.AuthenticationV1().SelfSubjectReviews().Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	client2 := configureClientFetchingOIDCCredentials(t, apiServer.ClientConfig, caCertContent2, caFilePath2, oidcServer2.URL(), tokenURL2)
+	_, err = client2.AuthenticationV1().SelfSubjectReviews().Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	jwtIssuerHash1 := getHash(oidcServer1.URL())
+	jwtIssuerHash2 := getHash(oidcServer2.URL())
+
+	keySetHash1 := fetchJWKSAndComputeHash(t, oidcServer1.URL(), caCertContent1)
+	keySetHash2 := fetchJWKSAndComputeHash(t, oidcServer2.URL(), caCertContent2)
+
+	adminClient := kubernetes.NewForConfigOrDie(apiServer.ClientConfig)
+
+	// Check that metrics exist for both the issuers with correct jwt_issuer_hash + hash combos
+	wantMetricStrings := []string{
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s",jwt_issuer_hash="%s"} 1`, keySetHash1, jwtIssuerHash1),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s",jwt_issuer_hash="%s"} 1`, keySetHash2, jwtIssuerHash2),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",jwt_issuer_hash="%s",result="success"} FP`, jwtIssuerHash1),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",jwt_issuer_hash="%s",result="success"} FP`, jwtIssuerHash2),
+	}
+	gotMetricStrings := getMetrics(t, ctx, adminClient, "apiserver_authentication_jwt_authenticator_jwks_")
+
+	wantMetricStrings = slice.SortStrings(wantMetricStrings)
+	if diff := cmp.Diff(wantMetricStrings, gotMetricStrings); diff != "" {
+		t.Errorf("unexpected metrics before reload diff (-want +got): %s", diff)
+	}
+
+	// Now update the config to only have ONE issuer (remove issuer 2)
+	newAuthenticationConfig := fmt.Sprintf(`
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: %s
+    audiences:
+    - foo
+    audienceMatchPolicy: MatchAny
+    certificateAuthority: |
+        %s
+  claimMappings:
+    username:
+      expression: "'k8s-' + claims.sub"
+`, oidcServer1.URL(), indentCertificateAuthority(string(caCertContent1)))
+
+	authConfigFilePath := apiServer.ServerOpts.Authentication.AuthenticationConfigFile
+
+	tempFile, err := os.CreateTemp(filepath.Dir(authConfigFilePath), "auth-config-*.yaml")
+	require.NoError(t, err)
+	_, err = tempFile.Write([]byte(newAuthenticationConfig))
+	require.NoError(t, err)
+	err = tempFile.Close()
+	require.NoError(t, err)
+
+	err = os.Rename(tempFile.Name(), authConfigFilePath)
+	require.NoError(t, err)
+
+	newAuthConfigHash := getHash(newAuthenticationConfig)
+
+	// Wait for config reload by polling for the new config hash
+	err = wait.PollUntilContextTimeout(ctx, time.Second, 3*hardCodedTokenCacheTTLAndPollInterval, true, func(ctx context.Context) (done bool, err error) {
+		body, err := adminClient.RESTClient().Get().AbsPath("/metrics").DoRaw(ctx)
+		if err != nil {
+			return false, err
+		}
+
+		metricsStr := string(body)
+		expectedConfigHashMetric := fmt.Sprintf(`apiserver_authentication_config_controller_last_config_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s"} 1`, newAuthConfigHash)
+		return strings.Contains(metricsStr, expectedConfigHashMetric), nil
+	})
+	require.NoError(t, err, "config reload not detected")
+
+	// Wait for metric cleanup by polling until issuer 2 metrics are removed
+	wantMetricStringsAfterReload := []string{
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_key_set_info{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",hash="%s",jwt_issuer_hash="%s"} 1`, keySetHash1, jwtIssuerHash1),
+		fmt.Sprintf(`apiserver_authentication_jwt_authenticator_jwks_fetch_last_timestamp_seconds{apiserver_id_hash="sha256:3c607df3b2bf22c9d9f01d5314b4bbf411c48ef43ff44ff29b1d55b41367c795",jwt_issuer_hash="%s",result="success"} FP`, jwtIssuerHash1),
+	}
+	wantMetricStringsAfterReload = slice.SortStrings(wantMetricStringsAfterReload)
+
+	err = wait.PollUntilContextTimeout(ctx, time.Second, 120*time.Second, true, func(ctx context.Context) (done bool, err error) {
+		gotMetricStrings := getMetrics(t, ctx, adminClient, "apiserver_authentication_jwt_authenticator_jwks_")
+		diff := cmp.Diff(wantMetricStringsAfterReload, gotMetricStrings)
+		return len(diff) == 0, nil
+	})
+	require.NoError(t, err, "metrics cleanup not completed - issuer 2 metrics still present")
+}
+
+// fetchJWKSAndComputeHash fetches the JWKS from the given server URL using the provided CA certificate,
+// and returns the hash of the keyset bytes (computed the same way as the authenticator does).
+func fetchJWKSAndComputeHash(t *testing.T, serverURL string, caCertContent []byte) string {
+	t.Helper()
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCertContent)
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: caCertPool},
+		},
+	}
+
+	resp, err := httpClient.Get(serverURL + "/jwks")
+	require.NoError(t, err)
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+
+	keySetBytes, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	return getHash(string(keySetBytes))
+}
+
+// getMetrics fetches metrics from the API server and returns only metrics matching the given prefixes.
+// Floating point values in metrics ending with "_seconds" are normalized to "FP" for consistent comparison.
+// Results are sorted alphabetically.
+func getMetrics(t *testing.T, ctx context.Context, adminClient *kubernetes.Clientset, prefixes ...string) []string {
+	t.Helper()
+
+	body, err := adminClient.RESTClient().Get().AbsPath("/metrics").DoRaw(ctx)
+	require.NoError(t, err)
+
+	var gotMetricStrings []string
+	trimFP := regexp.MustCompile(`(.*)(} \d+\.\d+.*)`)
+	for _, line := range strings.Split(string(body), "\n") {
+		matched := false
+		for _, prefix := range prefixes {
+			if strings.HasPrefix(line, prefix) {
+				matched = true
+				break
+			}
+		}
+		if matched {
+			if strings.Contains(line, "_seconds") {
+				line = trimFP.ReplaceAllString(line, `$1`) + "} FP" // ignore floating point metric values
+			}
+			gotMetricStrings = append(gotMetricStrings, line)
+		}
+	}
+
+	return slice.SortStrings(gotMetricStrings)
 }
 
 func rsaGenerateKey(t *testing.T) (*rsa.PrivateKey, *rsa.PublicKey) {
@@ -2011,15 +2260,12 @@ egressSelections:
 	}
 	customFlags = append(customFlags, "--authorization-mode=RBAC")
 
-	// Serialize test server starts to prevent data races in admission plugin flag registration
-	testServerMutex.Lock()
 	server, err := kubeapiserverapptesting.StartTestServer(
 		t,
 		kubeapiserverapptesting.NewDefaultTestServerOptions(),
 		customFlags,
 		framework.SharedEtcd(),
 	)
-	testServerMutex.Unlock()
 	require.NoError(t, err)
 
 	t.Cleanup(server.TearDownFn)
diff --git a/test/integration/apiserver/openapi/openapi_enum_test.go b/test/integration/apiserver/openapi/openapi_enum_test.go
index 931e9f0232510..8b9b1c3e02cbb 100644
--- a/test/integration/apiserver/openapi/openapi_enum_test.go
+++ b/test/integration/apiserver/openapi/openapi_enum_test.go
@@ -35,7 +35,6 @@ import (
 )
 
 func TestEnablingOpenAPIEnumTypes(t *testing.T) {
-	const typeToAddEnum = "k8s.io/api/core/v1.ContainerPort"
 	const typeToCheckEnum = "io.k8s.api.core.v1.ContainerPort"
 
 	for _, tc := range []struct {
@@ -60,7 +59,7 @@ func TestEnablingOpenAPIEnumTypes(t *testing.T) {
 
 			getDefinitionsFn := openapi.GetOpenAPIDefinitionsWithoutDisabledFeatures(func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 				defs := generated.GetOpenAPIDefinitions(ref)
-				def := defs[typeToAddEnum]
+				def := defs[typeToCheckEnum]
 				// replace protocol to add the would-be enum field.
 				def.Schema.Properties["protocol"] = spec.Schema{
 					SchemaProps: spec.SchemaProps{
@@ -71,7 +70,7 @@ func TestEnablingOpenAPIEnumTypes(t *testing.T) {
 						Enum:        []interface{}{"SCTP", "TCP", "UDP"},
 					},
 				}
-				defs[typeToAddEnum] = def
+				defs[typeToCheckEnum] = def
 				return defs
 			})
 
diff --git a/test/integration/apiserver/peerproxy/peer_proxy_test.go b/test/integration/apiserver/peerproxy/peer_proxy_test.go
index 522ed49d66e30..35e3e5b76f0f6 100644
--- a/test/integration/apiserver/peerproxy/peer_proxy_test.go
+++ b/test/integration/apiserver/peerproxy/peer_proxy_test.go
@@ -38,7 +38,6 @@ import (
 	"k8s.io/klog/v2"
 	kastesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver"
-	kubefeatures "k8s.io/kubernetes/pkg/features"
 
 	"k8s.io/kubernetes/test/integration/framework"
 	testutil "k8s.io/kubernetes/test/utils"
@@ -56,8 +55,10 @@ func TestPeerProxiedRequest(t *testing.T) {
 	transport.DialerStopCh = ctx.Done()
 
 	// enable feature flags
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.UnknownVersionInteroperabilityProxy, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.APIServerIdentity:                   true,
+		features.UnknownVersionInteroperabilityProxy: true,
+	})
 
 	// create sharedetcd
 	etcd := framework.SharedEtcd()
@@ -117,8 +118,10 @@ func TestPeerProxiedRequestToThirdServerAfterFirstDies(t *testing.T) {
 	transport.DialerStopCh = ctx.Done()
 
 	// enable feature flags
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.UnknownVersionInteroperabilityProxy, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.APIServerIdentity:                   true,
+		features.UnknownVersionInteroperabilityProxy: true,
+	})
 
 	// create sharedetcd
 	etcd := framework.SharedEtcd()
diff --git a/test/integration/apiserver/subresource_auth_test.go b/test/integration/apiserver/subresource_auth_test.go
new file mode 100644
index 0000000000000..285343bfb6f2a
--- /dev/null
+++ b/test/integration/apiserver/subresource_auth_test.go
@@ -0,0 +1,177 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apiserver
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
+	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+// TestPodSubresourceAuth tests that the synthetic authorization check for pod subresources is working correctly.
+func TestPodSubresourceAuth(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	_, clientConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
+		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
+			opts.Authorization.Modes = []string{"RBAC"}
+		},
+	})
+	defer tearDownFn()
+
+	adminConfig := rest.CopyConfig(clientConfig)
+	adminClientset, err := kubernetes.NewForConfig(adminConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	ns := "test-pod-subresource-auth"
+	if _, err := adminClientset.CoreV1().Namespaces().Create(context.TODO(), &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: ns}}, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	sa := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "default"}}
+	if _, err := adminClientset.CoreV1().ServiceAccounts(ns).Create(context.TODO(), sa, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-pod"},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Name:  "test-container",
+					Image: "test-image",
+				},
+			},
+		},
+	}
+	if _, err := adminClientset.CoreV1().Pods(ns).Create(context.TODO(), pod, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	// User with only 'get' permissions
+	podGetterUsername := "pod-getter"
+	podGetterRole := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-getter-role"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods/exec", "pods/attach", "pods/portforward"},
+				Verbs:     []string{"get"},
+			},
+		},
+	}
+	if _, err := adminClientset.RbacV1().Roles(ns).Create(context.TODO(), podGetterRole, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	podGetterRoleBinding := &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-getter-binding"},
+		Subjects:   []rbacv1.Subject{{Kind: "User", Name: podGetterUsername}},
+		RoleRef:    rbacv1.RoleRef{Kind: "Role", Name: "pod-getter-role"},
+	}
+	if _, err := adminClientset.RbacV1().RoleBindings(ns).Create(context.TODO(), podGetterRoleBinding, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	podGetterConfig := rest.CopyConfig(clientConfig)
+	podGetterConfig.Impersonate = rest.ImpersonationConfig{UserName: podGetterUsername}
+	podGetterClient, err := kubernetes.NewForConfig(podGetterConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// User with 'get' and 'create' permissions on pods subresources.
+	podCreatorUsername := "pod-creator"
+	podCreatorRole := &rbacv1.Role{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-creator-role"},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods/exec", "pods/attach", "pods/portforward"},
+				Verbs:     []string{"get"},
+			},
+			{
+				APIGroups: []string{""},
+				Resources: []string{"pods/exec", "pods/attach", "pods/portforward"},
+				Verbs:     []string{"create"},
+			},
+		},
+	}
+	if _, err := adminClientset.RbacV1().Roles(ns).Create(context.TODO(), podCreatorRole, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	podCreatorRoleBinding := &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: "pod-creator-binding"},
+		Subjects:   []rbacv1.Subject{{Kind: "User", Name: podCreatorUsername}},
+		RoleRef:    rbacv1.RoleRef{Kind: "Role", Name: "pod-creator-role"},
+	}
+	if _, err := adminClientset.RbacV1().RoleBindings(ns).Create(context.TODO(), podCreatorRoleBinding, metav1.CreateOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	podCreatorConfig := rest.CopyConfig(clientConfig)
+	podCreatorConfig.Impersonate = rest.ImpersonationConfig{UserName: podCreatorUsername}
+	podCreatorClient, err := kubernetes.NewForConfig(podCreatorConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	subresources := []string{"exec", "attach", "portforward"}
+	for _, subresource := range subresources {
+		t.Run(fmt.Sprintf("subresource=%s", subresource), func(t *testing.T) {
+			// User with only 'get' permissions should be denied.
+			// GET method, since that is the method for WebSocket upgrade requests.
+			err := podGetterClient.CoreV1().RESTClient().Get().
+				Namespace(ns).
+				Resource("pods").
+				Name("test-pod").
+				SubResource(subresource).
+				Do(context.TODO()).
+				Error()
+			if !errors.IsForbidden(err) {
+				t.Errorf("expected forbidden error for user with only 'get' permissions, but got: %v", err)
+			}
+
+			// User with 'get' and 'create' permissions should be allowed.
+			// GET method, since that is the method for WebSocket upgrade requests.
+			err = podCreatorClient.CoreV1().RESTClient().Get().
+				Namespace(ns).
+				Resource("pods").
+				Name("test-pod").
+				SubResource(subresource).
+				Do(context.TODO()).
+				Error()
+			// Absence of "Forbidden" is proof of success; the integration test
+			// server doesn't have a real Kubelet running for the pod, so the
+			// proxying/streaming connection ultimately fails after the authorization
+			// has already succeeded (hence "Bad Request" error).
+			if err != nil && !errors.IsBadRequest(err) {
+				t.Errorf("expected nil error for user with 'create' permissions, but got: %v", err)
+			}
+		})
+	}
+}
diff --git a/test/integration/apiserver/tracing/tracing_test.go b/test/integration/apiserver/tracing/tracing_test.go
index 44120920be9af..5eda6be4279ca 100644
--- a/test/integration/apiserver/tracing/tracing_test.go
+++ b/test/integration/apiserver/tracing/tracing_test.go
@@ -391,10 +391,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "POST"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
@@ -510,10 +510,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes/fake"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "GET"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
@@ -617,10 +617,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "GET"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
@@ -712,10 +712,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes/fake"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "PUT"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
@@ -856,10 +856,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes/fake"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "PATCH"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
@@ -977,10 +977,10 @@ endpoint: %s`, listener.Addr().String())), os.FileMode(0755)); err != nil {
 						"user_agent.original": func(v *commonv1.AnyValue) bool {
 							return strings.HasPrefix(v.GetStringValue(), "tracing.test")
 						},
-						"http.target": func(v *commonv1.AnyValue) bool {
+						"url.path": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "/api/v1/nodes/fake"
 						},
-						"http.method": func(v *commonv1.AnyValue) bool {
+						"http.request.method": func(v *commonv1.AnyValue) bool {
 							return v.GetStringValue() == "DELETE"
 						},
 						"audit-id": func(v *commonv1.AnyValue) bool {
diff --git a/test/integration/apiserver/watchcache_test.go b/test/integration/apiserver/watchcache_test.go
index f93a85d4cd434..88ce87b5b7450 100644
--- a/test/integration/apiserver/watchcache_test.go
+++ b/test/integration/apiserver/watchcache_test.go
@@ -161,7 +161,7 @@ func TestWatchCacheUpdatedByEtcd(t *testing.T) {
 			return false, nil
 		}
 		return res.ResourceVersion == se.ResourceVersion, nil
-	}); err == nil || err != wait.ErrWaitTimeout {
+	}); err == nil || !wait.Interrupted(err) {
 		t.Errorf("Events watchcache unexpected synced: %v", err)
 	}
 }
diff --git a/test/integration/auth/auth_test.go b/test/integration/auth/auth_test.go
index d80b049d07e6f..6660254a466fb 100644
--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@@ -56,8 +56,12 @@ import (
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/token/cache"
+	"k8s.io/apiserver/pkg/authentication/token/tokenfile"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	unionauthz "k8s.io/apiserver/pkg/authorization/union"
+	"k8s.io/apiserver/pkg/features"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	webhookutil "k8s.io/apiserver/pkg/util/webhook"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	clientset "k8s.io/client-go/kubernetes"
@@ -65,6 +69,7 @@ import (
 	v1 "k8s.io/client-go/tools/clientcmd/api/v1"
 	resttransport "k8s.io/client-go/transport"
 	utiltesting "k8s.io/client-go/util/testing"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
@@ -1007,16 +1012,14 @@ func TestImpersonateWithUID(t *testing.T) {
 		client := clientset.NewForConfigOrDie(clientConfig)
 		_, err := client.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
 
-		if !errors.IsInternalError(err) {
-			t.Fatalf("expected internal error, got %T %v", err, err)
+		if !errors.IsBadRequest(err) {
+			t.Fatalf("expected bad request, got %T %v", err, err)
 		}
 		if diff := cmp.Diff(
-			`an error on the server ("Internal Server Error: \"/api/v1/nodes\": `+
-				`requested [{UID  1234  authentication.k8s.io/v1  }] without impersonating a user") `+
-				`has prevented the request from succeeding (get nodes)`,
+			`requested [{UID  1234  authentication.k8s.io/v1  }] without impersonating a user`,
 			err.Error(),
 		); diff != "" {
-			t.Fatalf("internal error different than expected, -got, +want:\n %s", diff)
+			t.Fatalf("bad request different than expected, -got, +want:\n %s", diff)
 		}
 	})
 
@@ -1054,6 +1057,391 @@ func TestImpersonateWithUID(t *testing.T) {
 	})
 }
 
+// TestConstrainedImpersonation tests the constrained impersonation feature.
+// It ensures that users can only perform actions on behalf of other users
+// if they have the appropriate permissions.
+// This test covers:
+// - A user attempting to impersonate another user.
+// - A user attempting to impersonate a node.
+// - A service account attempting to impersonate a node it is scheduled on.
+// - The fallback to legacy impersonation when the feature is enabled.
+func TestConstrainedImpersonation(t *testing.T) {
+	superUser := "admin/system:masters"
+
+	authenticator := group.NewAuthenticatedGroupAdder(bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
+		superUser: {Name: "admin", Groups: []string{"system:masters"}},
+		"bob":     {Name: "bob"},
+		"alice":   {Name: "alice"},
+		"node1":   {Name: "system:node:node1", Groups: []string{user.NodesGroup}},
+		"serviceaccount1": {Name: "system:serviceaccount:default:sa1", Extra: map[string][]string{
+			"authentication.kubernetes.io/node-name": {"node1"},
+		}},
+		"serviceaccount2": {Name: "system:serviceaccount:default:sa2", Extra: map[string][]string{
+			"authentication.kubernetes.io/node-name": {"node2"},
+		}},
+	})))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
+	t.Cleanup(cancel)
+
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ConstrainedImpersonation, true)
+	_, kubeConfig, tearDownFn := framework.StartTestServer(ctx, t, framework.TestServerSetup{
+		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
+			opts.Authorization.Modes = []string{"RBAC"}
+		},
+		ModifyServerConfig: func(config *controlplane.Config) {
+			config.ControlPlane.Generic.Authentication.Authenticator = authenticator
+		},
+	})
+	t.Cleanup(tearDownFn)
+
+	superuserClient, _ := clientsetForToken(superUser, kubeConfig)
+
+	// preset permissions for users to be impersonated
+	authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:node:node1", rbacv1.PolicyRule{
+		Verbs:     []string{"list"},
+		APIGroups: []string{""},
+		Resources: []string{"pods"},
+	})
+	authutil.GrantUserAuthorization(t, ctx, superuserClient, "alice", rbacv1.PolicyRule{
+		Verbs:     []string{"list"},
+		APIGroups: []string{""},
+		Resources: []string{"pods"},
+	})
+
+	t.Run("bob impersonating alice", func(t *testing.T) {
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "bob"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "alice",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`pods is forbidden: User "bob" cannot impersonate-on:user-info:list resource "pods" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// with impersonation:user-info permission added, bob still cannot list pods
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:user-info"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"users"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`pods is forbidden: User "bob" cannot impersonate-on:user-info:list resource "pods" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// with impersonate-on:list permission added, bob can list but not watch pods.
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:user-info:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).Watch(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+	})
+
+	t.Run("bob impersonating a node", func(t *testing.T) {
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "bob"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "system:node:node1",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`pods is forbidden: User "bob" cannot impersonate-on:arbitrary-node:list resource "pods" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// with permissions added, bob still cannot list pods since bob needs
+		// permission to impersonate node.
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:user-info"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"users"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:arbitrary-node:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`nodes.authentication.k8s.io "node1" is forbidden: User "bob" cannot impersonate:arbitrary-node resource "nodes" in API group "authentication.k8s.io" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:arbitrary-node"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"nodes"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+	})
+
+	t.Run("impersonating scheduled node", func(t *testing.T) {
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "serviceaccount2"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "system:node:node1",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+
+		// with permissions added, it cannot list pods since sa on the node2 instead of node1.
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa2", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:associated-node"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"nodes"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa2", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:associated-node:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`pods is forbidden: User "system:serviceaccount:default:sa2" cannot impersonate-on:arbitrary-node:list resource "pods" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// change to service account1 which is at node1
+		impersonatorClientConfig.BearerToken = "serviceaccount1"
+
+		client = clientset.NewForConfigOrDie(impersonatorClientConfig)
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:associated-node"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"nodes"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:associated-node:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+	})
+
+	t.Run("fallback to legacy impersonation", func(t *testing.T) {
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "bob"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "alice",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+
+		// with legacy impersonation verb, bob can impersonate alice.
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate"},
+			APIGroups: []string{""},
+			Resources: []string{"users"},
+		})
+
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+	})
+}
+
+// TestConstrainedImpersonationDisabled tests the impersonation behavior when the
+// ConstrainedImpersonation feature gate is disabled. In this mode, the legacy
+// impersonation behavior is expected, where a user only needs the "impersonate"
+// permission on the user, group, or service account they are trying to
+// impersonate.
+func TestConstrainedImpersonationDisabled(t *testing.T) {
+	superUser := "admin/system:masters"
+
+	authenticator := group.NewAuthenticatedGroupAdder(bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
+		superUser: {Name: "admin", Groups: []string{"system:masters"}},
+		"bob":     {Name: "bob"},
+		"alice":   {Name: "alice"},
+		"node1":   {Name: "system:node:node1", Groups: []string{user.NodesGroup}},
+		"serviceaccount1": {Name: "system:serviceaccount:default:sa1", Extra: map[string][]string{
+			"authentication.kubernetes.io/node-name": {"node1"},
+		}},
+	})))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
+	t.Cleanup(cancel)
+
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ConstrainedImpersonation, false)
+	_, kubeConfig, tearDownFn := framework.StartTestServer(ctx, t, framework.TestServerSetup{
+		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
+			opts.Authorization.Modes = []string{"RBAC"}
+		},
+		ModifyServerConfig: func(config *controlplane.Config) {
+			config.ControlPlane.Generic.Authentication.Authenticator = authenticator
+		},
+	})
+	t.Cleanup(tearDownFn)
+
+	superuserClient, _ := clientsetForToken(superUser, kubeConfig)
+
+	// preset permissions for users to be impersonated
+	authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:node:node1", rbacv1.PolicyRule{
+		Verbs:     []string{"list"},
+		APIGroups: []string{""},
+		Resources: []string{"pods"},
+	})
+	authutil.GrantUserAuthorization(t, ctx, superuserClient, "alice", rbacv1.PolicyRule{
+		Verbs:     []string{"list"},
+		APIGroups: []string{""},
+		Resources: []string{"pods"},
+	})
+
+	t.Run("bob impersonating alice", func(t *testing.T) {
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:user-info"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"users"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:user-info:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "bob"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "alice",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`users "alice" is forbidden: User "bob" cannot impersonate resource "users" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// with legacy impersonation permission added, bob can list pods
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "bob", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate"},
+			APIGroups: []string{""},
+			Resources: []string{"users"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+	})
+
+	t.Run("serviceaccount impersonating a node", func(t *testing.T) {
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate:associated-node"},
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"nodes"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:     []string{"impersonate-on:associated-node:list"},
+			APIGroups: []string{""},
+			Resources: []string{"pods"},
+		})
+
+		impersonatorClientConfig := rest.CopyConfig(kubeConfig)
+		impersonatorClientConfig.BearerToken = "serviceaccount1"
+		impersonatorClientConfig.Impersonate = rest.ImpersonationConfig{
+			UserName: "system:node:node1",
+		}
+
+		client := clientset.NewForConfigOrDie(impersonatorClientConfig)
+		_, err := client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if !errors.IsForbidden(err) {
+			t.Fatalf("expected forbidden error, got %T %v", err, err)
+		}
+
+		if diff := cmp.Diff(
+			`users "system:node:node1" is forbidden: User "system:serviceaccount:default:sa1" cannot impersonate resource "users" in API group "" at the cluster scope`,
+			err.Error(),
+		); diff != "" {
+			t.Fatalf("forbidden error different than expected, -got, +want:\n %s", diff)
+		}
+
+		// with legacy impersonation permission added, sa can list pods
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:         []string{"impersonate"},
+			APIGroups:     []string{""},
+			Resources:     []string{"users"},
+			ResourceNames: []string{"system:node:node1"},
+		})
+		authutil.GrantUserAuthorization(t, ctx, superuserClient, "system:serviceaccount:default:sa1", rbacv1.PolicyRule{
+			Verbs:         []string{"impersonate"},
+			APIGroups:     []string{""},
+			Resources:     []string{"groups"},
+			ResourceNames: []string{"system:nodes"},
+		})
+
+		_, err = client.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			t.Fatalf("expected no error, got %T %v", err, err)
+		}
+	})
+}
+
 func csrPEM(t *testing.T) []byte {
 	t.Helper()
 
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index 3f179159f48b9..3e5f63ffcd7da 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -874,7 +874,7 @@ func TestNodeRestrictionServiceAccountAudience(t *testing.T) {
 
 	ctx := testContext(t)
 
-	kcm := kubecontrollermanagertesting.StartTestServerOrDie(ctx, []string{
+	kcm := kubecontrollermanagertesting.StartTestServerOrDie(t, ctx, []string{
 		"--kubeconfig=" + kubeConfigFile,
 		"--controllers=ephemeral-volume-controller", // we need this controller to test the ephemeral volume source in the pod
 		"--leader-elect=false",                      // KCM leader election calls os.Exit when it ends, so it is easier to just turn it off altogether
diff --git a/test/integration/auth/podsecurity_test.go b/test/integration/auth/podsecurity_test.go
index a3b0d3ee98779..384788ecd7f95 100644
--- a/test/integration/auth/podsecurity_test.go
+++ b/test/integration/auth/podsecurity_test.go
@@ -52,8 +52,10 @@ import (
 
 func TestPodSecurity(t *testing.T) {
 	// Enable all feature gates needed to allow all fields to be exercised
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesSupport, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ProcMountType:         true,
+		features.UserNamespacesSupport: true,
+	})
 	// Start server
 	server := startPodSecurityServer(t)
 	opts := podsecuritytest.Options{
@@ -98,8 +100,10 @@ func TestPodSecurityGAOnly(t *testing.T) {
 
 func TestPodSecurityWebhook(t *testing.T) {
 	// Enable all feature gates needed to allow all fields to be exercised
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesSupport, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ProcMountType:         true,
+		features.UserNamespacesSupport: true,
+	})
 
 	// Start test API server.
 	capabilities.ResetForTest()
diff --git a/test/integration/certificates/controller_approval_test.go b/test/integration/certificates/controller_approval_test.go
index c17791ce5018c..6aab4437c18e4 100644
--- a/test/integration/certificates/controller_approval_test.go
+++ b/test/integration/certificates/controller_approval_test.go
@@ -174,7 +174,7 @@ func ensureCertificateRequestNotApproved(client clientset.Interface, name string
 	// There is currently no way to explicitly check if the CSR has been rejected for auto-approval.
 	err := waitForCertificateRequestApproved(client, name)
 	switch {
-	case err == wait.ErrWaitTimeout:
+	case wait.Interrupted(err):
 		return nil
 	case err == nil:
 		return fmt.Errorf("CertificateSigningRequest was auto-approved")
diff --git a/test/integration/client/exec_test.go b/test/integration/client/exec_test.go
index 8c872e9029532..5e4b907a6f5d4 100644
--- a/test/integration/client/exec_test.go
+++ b/test/integration/client/exec_test.go
@@ -91,15 +91,29 @@ type execPluginCall struct {
 	callStatus string
 }
 
-type execPluginMetrics struct {
-	calls []execPluginCall
+type execPluginPolicyCall struct {
+	status string
 }
 
+type wantMetrics struct {
+	calls       []execPluginCall
+	policyCalls []execPluginPolicyCall
+}
+
+// go does not allow implementing different interfaces that share method names,
+// so implement the interfaces on type aliases instead, casting them as needed
+type execPluginMetrics wantMetrics
+type execPluginPolicyMetrics wantMetrics
+
 func (m *execPluginMetrics) Increment(exitCode int, callStatus string) {
 	m.calls = append(m.calls, execPluginCall{exitCode: exitCode, callStatus: callStatus})
 }
 
-var execPluginMetricsComparer = cmp.Comparer(func(a, b *execPluginMetrics) bool {
+func (m *execPluginPolicyMetrics) Increment(status string) {
+	m.policyCalls = append(m.policyCalls, execPluginPolicyCall{status: status})
+}
+
+var wantMetricsComparer = cmp.Comparer(func(a, b *wantMetrics) bool {
 	return reflect.DeepEqual(a, b)
 })
 
@@ -110,7 +124,7 @@ type execPluginClientTestData struct {
 	wantCertificate               *tls.Certificate
 	wantGetCertificateErrorPrefix string
 	wantClientErrorPrefix         string
-	wantMetrics                   *execPluginMetrics
+	wantMetrics                   *wantMetrics
 }
 
 func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byte, clientAuthorizedToken, clientCertFileName, clientKeyFileName string) []execPluginClientTestData {
@@ -134,12 +148,17 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			wantAuthorizationHeaderValues: [][]string{{"Bearer unauthorized"}},
 			wantCertificate:               &tls.Certificate{},
 			wantClientErrorPrefix:         "Unauthorized",
-			wantMetrics: &execPluginMetrics{
+			wantMetrics: &wantMetrics{
 				calls: []execPluginCall{
 					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
 					{exitCode: 0, callStatus: "no_error"},
 					{exitCode: 0, callStatus: "no_error"},
 				},
+				policyCalls: []execPluginPolicyCall{
+					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
+					{status: "allowed"},
+					{status: "allowed"},
+				},
 			},
 		},
 		{
@@ -162,12 +181,17 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			wantAuthorizationHeaderValues: [][]string{nil},
 			wantCertificate:               x509KeyPair(unauthorizedCert, unauthorizedKey, true),
 			wantClientErrorPrefix:         "Unauthorized",
-			wantMetrics: &execPluginMetrics{
+			wantMetrics: &wantMetrics{
 				calls: []execPluginCall{
 					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
 					{exitCode: 0, callStatus: "no_error"},
 					{exitCode: 0, callStatus: "no_error"},
 				},
+				policyCalls: []execPluginPolicyCall{
+					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
+					{status: "allowed"},
+					{status: "allowed"},
+				},
 			},
 		},
 		{
@@ -188,7 +212,10 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Bearer " + clientAuthorizedToken}},
 			wantCertificate:               &tls.Certificate{},
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 0, callStatus: "no_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "authorized certificate",
@@ -209,7 +236,10 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{nil},
 			wantCertificate:               loadX509KeyPair(clientCertFileName, clientKeyFileName),
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 0, callStatus: "no_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "authorized token and certificate",
@@ -231,7 +261,10 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Bearer " + clientAuthorizedToken}},
 			wantCertificate:               loadX509KeyPair(clientCertFileName, clientKeyFileName),
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 0, callStatus: "no_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "unauthorized token and authorized certificate favors authorized certificate",
@@ -253,7 +286,10 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Bearer client-unauthorized-token"}},
 			wantCertificate:               loadX509KeyPair(clientCertFileName, clientKeyFileName),
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 0, callStatus: "no_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "authorized token and unauthorized certificate favors authorized token",
@@ -275,7 +311,10 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Bearer " + clientAuthorizedToken}},
 			wantCertificate:               x509KeyPair([]byte(unauthorizedCert), []byte(unauthorizedKey), true),
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 0, callStatus: "no_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "unauthorized token and unauthorized certificate",
@@ -298,12 +337,17 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			wantAuthorizationHeaderValues: [][]string{{"Bearer client-unauthorized-token"}},
 			wantCertificate:               x509KeyPair(unauthorizedCert, unauthorizedKey, true),
 			wantClientErrorPrefix:         "Unauthorized",
-			wantMetrics: &execPluginMetrics{
+			wantMetrics: &wantMetrics{
 				calls: []execPluginCall{
 					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
 					{exitCode: 0, callStatus: "no_error"},
 					{exitCode: 0, callStatus: "no_error"},
 				},
+				policyCalls: []execPluginPolicyCall{
+					// 2 calls since we preemptively refresh the creds upon a 401 HTTP response.
+					{status: "allowed"},
+					{status: "allowed"},
+				},
 			},
 		},
 		{
@@ -326,7 +370,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Basic " + basicAuthHeaderValue("unauthorized", "unauthorized")}},
 			wantClientErrorPrefix:         "Unauthorized",
-			wantMetrics:                   &execPluginMetrics{},
+			wantMetrics:                   &wantMetrics{},
 		},
 		{
 			name: "good token with static auth bearer token favors static auth bearer token",
@@ -347,7 +391,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantAuthorizationHeaderValues: [][]string{{"Bearer some-unauthorized-token"}},
 			wantClientErrorPrefix:         "Unauthorized",
-			wantMetrics:                   &execPluginMetrics{},
+			wantMetrics:                   &wantMetrics{},
 		},
 		{
 			name: "good token with static auth cert and key favors static cert",
@@ -370,7 +414,7 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			wantAuthorizationHeaderValues: [][]string{nil},
 			wantClientErrorPrefix:         "Unauthorized",
 			wantCertificate:               x509KeyPair(unauthorizedCert, unauthorizedKey, false),
-			wantMetrics:                   &execPluginMetrics{},
+			wantMetrics:                   &wantMetrics{},
 		},
 		{
 			name: "unknown binary",
@@ -379,16 +423,22 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantGetCertificateErrorPrefix: "exec: executable does not exist not found",
 			wantClientErrorPrefix:         `Get "https`,
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 1, callStatus: "plugin_not_found_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 1, callStatus: "plugin_not_found_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "binary not executable",
 			clientConfigFunc: func(c *rest.Config) {
 				c.ExecProvider.Command = "./testdata/exec-plugin-not-executable.sh"
 			},
-			wantGetCertificateErrorPrefix: "exec: fork/exec ./testdata/exec-plugin-not-executable.sh: permission denied",
+			wantGetCertificateErrorPrefix: "exec: fork/exec testdata/exec-plugin-not-executable.sh: permission denied",
 			wantClientErrorPrefix:         `Get "https`,
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 1, callStatus: "plugin_not_found_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 1, callStatus: "plugin_not_found_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 		{
 			name: "binary fails",
@@ -402,7 +452,88 @@ func execPluginClientTests(t *testing.T, unauthorizedCert, unauthorizedKey []byt
 			},
 			wantGetCertificateErrorPrefix: "exec: executable testdata/exec-plugin.sh failed with exit code 10",
 			wantClientErrorPrefix:         `Get "https`,
-			wantMetrics:                   &execPluginMetrics{calls: []execPluginCall{{exitCode: 10, callStatus: "plugin_execution_error"}}},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 10, callStatus: "plugin_execution_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
+		},
+		{
+			name: "binary denied by denyall policy",
+			clientConfigFunc: func(c *rest.Config) {
+				c.ExecProvider.PluginPolicy.PolicyType = clientcmdapi.PluginPolicyDenyAll
+			},
+			wantGetCertificateErrorPrefix: "plugin",
+			wantClientErrorPrefix:         `Get "https`,
+			wantMetrics: &wantMetrics{
+				policyCalls: []execPluginPolicyCall{{status: "denied"}},
+			},
+		},
+		{
+			name: "binary denied by allowlist policy",
+			clientConfigFunc: func(c *rest.Config) {
+				c.ExecProvider.PluginPolicy.PolicyType = clientcmdapi.PluginPolicyAllowlist
+				c.ExecProvider.PluginPolicy.Allowlist = []clientcmdapi.AllowlistEntry{
+					{Name: "/only/my/very/secure/binary"},
+					{Name: "other-very-secure-binary"},
+				}
+			},
+			wantGetCertificateErrorPrefix: `plugin path "testdata/exec-plugin.sh" is not permitted by the credential plugin allowlist`,
+			wantClientErrorPrefix:         `Get "https`,
+			wantMetrics: &wantMetrics{
+				policyCalls: []execPluginPolicyCall{{status: "denied"}},
+			},
+		},
+		{
+			name: "allowall policy happy path",
+			clientConfigFunc: func(c *rest.Config) {
+				c.ExecProvider.PluginPolicy.PolicyType = clientcmdapi.PluginPolicyAllowAll
+				c.ExecProvider.Env = []clientcmdapi.ExecEnvVar{
+					{
+						Name: outputEnvVar,
+						Value: fmt.Sprintf(`{
+						"kind": "ExecCredential",
+						"apiVersion": "client.authentication.k8s.io/v1",
+						"status": {
+							"token": "%s"
+						}
+					}`, clientAuthorizedToken),
+					},
+				}
+			},
+			wantAuthorizationHeaderValues: [][]string{{"Bearer " + clientAuthorizedToken}},
+			wantCertificate:               &tls.Certificate{},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
+		},
+		{
+			name: "allowlist policy happy path",
+			clientConfigFunc: func(c *rest.Config) {
+				c.ExecProvider.PluginPolicy.PolicyType = clientcmdapi.PluginPolicyAllowlist
+				c.ExecProvider.PluginPolicy.Allowlist = []clientcmdapi.AllowlistEntry{
+					{Name: "testdata/exec-plugin.sh"},
+					{Name: "other-very-secure-binary"},
+				}
+				c.ExecProvider.Env = []clientcmdapi.ExecEnvVar{
+					{
+						Name: outputEnvVar,
+						Value: fmt.Sprintf(`{
+						"kind": "ExecCredential",
+						"apiVersion": "client.authentication.k8s.io/v1",
+						"status": {
+							"token": "%s"
+						}
+					}`, clientAuthorizedToken),
+					},
+				}
+			},
+			wantAuthorizationHeaderValues: [][]string{{"Bearer " + clientAuthorizedToken}},
+			wantCertificate:               &tls.Certificate{},
+			wantMetrics: &wantMetrics{
+				calls:       []execPluginCall{{exitCode: 0, callStatus: "no_error"}},
+				policyCalls: []execPluginPolicyCall{{status: "allowed"}},
+			},
 		},
 	}
 	return append(v1Tests, v1beta1TestsFromV1Tests(v1Tests)...)
@@ -486,7 +617,7 @@ func TestExecPluginViaClient(t *testing.T) {
 			}
 
 			// Validate that the proper metrics were set.
-			if diff := cmp.Diff(test.wantMetrics, actualMetrics, execPluginMetricsComparer); diff != "" {
+			if diff := cmp.Diff(test.wantMetrics, actualMetrics, wantMetricsComparer); diff != "" {
 				t.Error("unexpected metrics; -want, +got:\n" + diff)
 			}
 
@@ -521,14 +652,18 @@ func TestExecPluginViaClient(t *testing.T) {
 	}
 }
 
-func captureMetrics(t *testing.T) *execPluginMetrics {
+func captureMetrics(t *testing.T) *wantMetrics {
 	previousCallsMetric := metrics.ExecPluginCalls
+	previousPolicyCallsMetric := metrics.ExecPluginPolicyCalls
 	t.Cleanup(func() {
 		metrics.ExecPluginCalls = previousCallsMetric
+		metrics.ExecPluginPolicyCalls = previousPolicyCallsMetric
 	})
 
-	actualMetrics := &execPluginMetrics{}
-	metrics.ExecPluginCalls = actualMetrics
+	actualMetrics := &wantMetrics{}
+
+	metrics.ExecPluginCalls = (*execPluginMetrics)(actualMetrics)
+	metrics.ExecPluginPolicyCalls = (*execPluginPolicyMetrics)(actualMetrics)
 	return actualMetrics
 }
 
diff --git a/test/integration/client/metrics/metrics_test.go b/test/integration/client/metrics/metrics_test.go
index e8f7fec02f23d..41b0539e58770 100644
--- a/test/integration/client/metrics/metrics_test.go
+++ b/test/integration/client/metrics/metrics_test.go
@@ -44,8 +44,10 @@ import (
 
 // regression test for https://issues.k8s.io/117258
 func TestAPIServerTransportMetrics(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)
-	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		"AllAlpha": true,
+		"AllBeta":  true,
+	})
 
 	// reset default registry metrics
 	legacyregistry.Reset()
diff --git a/test/integration/cloudprovider/ccm_test.go b/test/integration/cloudprovider/ccm_test.go
index dfc33263dee6e..d1d1ac2f7d11f 100644
--- a/test/integration/cloudprovider/ccm_test.go
+++ b/test/integration/cloudprovider/ccm_test.go
@@ -117,7 +117,7 @@ func Test_RemoveExternalCloudProviderTaint(t *testing.T) {
 			return fakeCloud, nil
 		})
 
-	ccm := ccmservertesting.StartTestServerOrDie(ctx, args)
+	ccm := ccmservertesting.StartTestServerOrDie(t, ctx, args)
 	defer ccm.TearDownFn()
 
 	// There should be only the taint TaintNodeNotReady, added by the admission plugin TaintNodesByCondition
@@ -223,7 +223,7 @@ func Test_ExternalCloudProviderNodeAddresses(t *testing.T) {
 		func(config io.Reader) (cloudprovider.Interface, error) {
 			return fakeCloud, nil
 		})
-	ccm := ccmservertesting.StartTestServerOrDie(ctx, args)
+	ccm := ccmservertesting.StartTestServerOrDie(t, ctx, args)
 	defer ccm.TearDownFn()
 
 	testCases := []struct {
diff --git a/test/integration/clustertrustbundles/apiserversigner_test.go b/test/integration/clustertrustbundles/apiserversigner_test.go
index 320b800a05787..4ee037cfc5d0c 100644
--- a/test/integration/clustertrustbundles/apiserversigner_test.go
+++ b/test/integration/clustertrustbundles/apiserversigner_test.go
@@ -78,7 +78,7 @@ func TestClusterTrustBundlesPublisherController(t *testing.T) {
 
 	kubeConfigFile := createKubeConfigFileForRestConfig(t, server.ClientConfig)
 
-	kcm := kubecontrollermanagertesting.StartTestServerOrDie(ctx, []string{
+	kcm := kubecontrollermanagertesting.StartTestServerOrDie(t, ctx, []string{
 		"--kubeconfig=" + kubeConfigFile,
 		"--controllers=kube-apiserver-serving-clustertrustbundle-publisher-controller", // these are the only controllers needed for this test
 		"--use-service-account-credentials=true",                                       // exercise RBAC of kube-apiserver-serving-clustertrustbundle-publisher controller
diff --git a/test/integration/controlplane/kube_apiserver_test.go b/test/integration/controlplane/kube_apiserver_test.go
index d26823155ae29..ff633c65e9c1e 100644
--- a/test/integration/controlplane/kube_apiserver_test.go
+++ b/test/integration/controlplane/kube_apiserver_test.go
@@ -27,6 +27,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
 	"k8s.io/apiextensions-apiserver/test/integration/fixtures"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -47,6 +48,9 @@ import (
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/test/integration/etcd"
 	"k8s.io/kubernetes/test/integration/framework"
+
+	flagzv1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	v1alpha1 "k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
 )
 
 const (
@@ -132,7 +136,7 @@ func TestLivezAndReadyz(t *testing.T) {
 
 func TestFlagz(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ComponentFlagz, true)
-	testServerFlags := append(framework.DefaultTestServerFlags(), "--emulated-version=1.32")
+	testServerFlags := append(framework.DefaultTestServerFlags(), "--v=2")
 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, testServerFlags, framework.SharedEtcd())
 	defer server.TearDownFn()
 
@@ -141,33 +145,107 @@ func TestFlagz(t *testing.T) {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 
-	res := client.CoreV1().RESTClient().Get().RequestURI("/flagz").Do(context.TODO())
-	var status int
-	res.StatusCode(&status)
-	if status != http.StatusOK {
-		t.Fatalf("flagz/ should be healthy, got %v", status)
+	wantBodyStr := "kube-apiserver flagz\nWarning: This endpoint is not meant to be machine parseable"
+	wantBodyJSON := &flagzv1alpha1.Flagz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Flagz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "kube-apiserver",
+		},
 	}
 
-	expectedHeader := `
-kube-apiserver flags
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.`
-
-	raw, err := res.Raw()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !bytes.HasPrefix(raw, []byte(expectedHeader)) {
-		t.Fatalf("Header mismatch!\nExpected:\n%s\n\nGot:\n%s", expectedHeader, string(raw))
-	}
-	found := false
-	for _, line := range strings.Split(string(raw), "\n") {
-		if strings.Contains(line, "emulated-version") && strings.Contains(line, "1.32") {
-			found = true
-			break
-		}
-	}
-	if !found {
-		t.Fatalf("Expected flag --emulated-version=[1.32] to be reflected in /flagz output, got:\n%s", string(raw))
+	for _, tc := range []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string               // for text/plain
+		wantJSON     *flagzv1alpha1.Flagz // for application/json
+	}{
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Flagz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     wantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Flagz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req := client.CoreV1().RESTClient().Get().RequestURI("/flagz")
+			req.SetHeader("Accept", tc.acceptHeader)
+			res := req.Do(context.TODO())
+			var status int
+			res.StatusCode(&status)
+			if status != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, status)
+			}
+			raw, err := res.Raw()
+			if err != nil && tc.wantStatus == http.StatusOK {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !bytes.Contains(raw, []byte(tc.wantBodySub)) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(raw))
+					}
+				}
+				if tc.wantJSON != nil {
+					var got flagzv1alpha1.Flagz
+					if err := json.Unmarshal(raw, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
+					}
+					if got.Flags["v"] != "2" {
+						t.Errorf("v mismatch: want %q, got %q", "2", got.Flags["v"])
+					}
+				}
+			}
+		})
 	}
 }
 
@@ -181,23 +259,111 @@ func TestStatusz(t *testing.T) {
 		t.Fatalf("Unexpected error: %v", err)
 	}
 
-	res := client.CoreV1().RESTClient().Get().RequestURI("/statusz").Do(context.TODO())
-	var status int
-	res.StatusCode(&status)
-	if status != http.StatusOK {
-		t.Fatalf("statusz/ should be healthy, got %v", status)
-	}
-
-	expectedHeader := `
-apiserver statusz
-Warning: This endpoint is not meant to be machine parseable, has no formatting compatibility guarantees and is for debugging purposes only.`
-
-	raw, err := res.Raw()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !bytes.Contains(raw, []byte(expectedHeader)) {
-		t.Fatalf("Header mismatch!\nExpected:\n%s\n\nGot:\n%s", expectedHeader, string(raw))
+	wantBodyStr := "statusz\nWarning: This endpoint is not meant to be machine parseable"
+	wantBodyJSON := &v1alpha1.Statusz{
+		// StartTime, UptimeSeconds, GoVersion, BinaryVersion,
+		// EmulationVersion, Paths are dynamic, so we only check
+		// static fields
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Statusz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "apiserver",
+		},
+		Paths: []string{"/healthz", "/livez", "/metrics", "/readyz", "/statusz", "/version"},
+	}
+
+	for _, tc := range []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string            // for text/plain responses
+		wantJSON     *v1alpha1.Statusz // for structured response
+	}{
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Statusz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     wantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Statusz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  wantBodyStr,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req := client.CoreV1().RESTClient().Get().RequestURI("/statusz")
+			req.SetHeader("Accept", tc.acceptHeader)
+			res := req.Do(context.TODO())
+			var status int
+			res.StatusCode(&status)
+			if status != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, status)
+			}
+			raw, err := res.Raw()
+			if err != nil && tc.wantStatus == http.StatusOK {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !bytes.Contains(raw, []byte(tc.wantBodySub)) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(raw))
+					}
+				}
+				if tc.wantJSON != nil {
+					var got v1alpha1.Statusz
+					if err := json.Unmarshal(raw, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
+					}
+					if diff := cmp.Diff(tc.wantJSON.Paths, got.Paths); diff != "" {
+						t.Errorf("Paths mismatch (-want,+got):\n%s", diff)
+					}
+				}
+			}
+		})
 	}
 }
 
diff --git a/test/integration/controlplane/transformation/kms_transformation_test.go b/test/integration/controlplane/transformation/kms_transformation_test.go
index 89c539dd24b31..8f7c4074986f0 100644
--- a/test/integration/controlplane/transformation/kms_transformation_test.go
+++ b/test/integration/controlplane/transformation/kms_transformation_test.go
@@ -623,8 +623,10 @@ resources:
 	t.Run("encrypt all resources", func(t *testing.T) {
 		_ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
 		// To ensure we are checking all REST resources
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			"AllAlpha": true,
+			"AllBeta":  true,
+		})
 		// Need to enable this explicitly as the feature is deprecated
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)
 
@@ -1064,7 +1066,7 @@ func verifyIfKMSTransformersSwapped(t *testing.T, wantPrefix, wantPrefixForEncry
 
 		return true, nil
 	})
-	if pollErr == wait.ErrWaitTimeout {
+	if wait.Interrupted(pollErr) {
 		t.Fatalf("failed to verify if kms transformers swapped, err: %v", swapErr)
 	}
 }
diff --git a/test/integration/controlplane/transformation/kmsv2_transformation_test.go b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
index a0ecbbc1c952c..e8602480ca781 100644
--- a/test/integration/controlplane/transformation/kmsv2_transformation_test.go
+++ b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
@@ -405,6 +405,7 @@ resources:
 // 7. when kms-plugin is down, no-op update for a pod should succeed and not result in RV change even once the DEK/seed is valid
 func TestKMSv2ProviderKeyIDStaleness(t *testing.T) {
 	t.Parallel()
+
 	t.Run("regular gcm", func(t *testing.T) {
 		t.Parallel()
 		kmsName := "kms-provider-key-id-stale-false"
@@ -605,9 +606,10 @@ resources:
 	}
 
 	// Invalidate the DEK by moving the current time forward
-	origNowFunc := kmsv2.NowFunc
-	t.Cleanup(func() { kmsv2.NowFunc = origNowFunc })
-	kmsv2.NowFunc = func() time.Time { return origNowFunc().Add(5 * time.Minute) }
+	origNowFunc := kmsv2.GetNowFunc(kmsName)
+	t.Cleanup(kmsv2.SetNowFuncForTests(kmsName, func() time.Time {
+		return origNowFunc().Add(5 * time.Minute)
+	}))
 
 	// 6. when kms-plugin is down, expect creation of new pod and encryption to fail because the DEK is invalid
 	_, err = test.createPod(testNamespace, dynamicClient)
@@ -630,7 +632,7 @@ resources:
 	)
 
 	// fix plugin and wait for new writes to start working again
-	kmsv2.NowFunc = origNowFunc
+	t.Cleanup(kmsv2.SetNowFuncForTests(kmsName, origNowFunc))
 	pluginMock.ExitFailedState()
 	err = wait.Poll(time.Second, 3*time.Minute,
 		func() (bool, error) {
@@ -1441,7 +1443,7 @@ resources:
 		t.Fatal(err)
 	}
 	if !proto.Equal(expectedDEKSourceHKDFSHA256XNonceAESGCMSeedObject, legacyDEKSourceHKDFSHA256XNonceAESGCMSeedObject) {
-		t.Errorf("kms v2 legacy encrypted object diff, want: %+v; got: %+v", expectedDEKSourceAESGCMKeyObject, legacyDEKSourceAESGCMKeyObject)
+		t.Errorf("kms v2 legacy encrypted object diff, want: %+v; got: %+v", expectedDEKSourceHKDFSHA256XNonceAESGCMSeedObject, legacyDEKSourceHKDFSHA256XNonceAESGCMSeedObject)
 	}
 
 	ctx := testContext(t)
diff --git a/test/integration/defaulttolerationseconds/defaulttolerationseconds_test.go b/test/integration/defaulttolerationseconds/defaulttolerationseconds_test.go
index ccfe0f97a80cb..72c8ced008e7f 100644
--- a/test/integration/defaulttolerationseconds/defaulttolerationseconds_test.go
+++ b/test/integration/defaulttolerationseconds/defaulttolerationseconds_test.go
@@ -110,7 +110,7 @@ func TestAdmission(t *testing.T) {
 // newHandlerForTest returns a handler configured for testing.
 func newHandlerForTest() (*defaulttolerationseconds.Plugin, error) {
 	handler := defaulttolerationseconds.NewDefaultTolerationSeconds()
-	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil)
+	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	return handler, admission.ValidateInitialization(handler)
 }
diff --git a/test/integration/deployment/deployment_test.go b/test/integration/deployment/deployment_test.go
index a53e141b94fc0..96b022a9308f2 100644
--- a/test/integration/deployment/deployment_test.go
+++ b/test/integration/deployment/deployment_test.go
@@ -19,9 +19,13 @@ package deployment
 import (
 	"context"
 	"fmt"
+	"math"
+	"reflect"
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+
 	apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -929,6 +933,8 @@ func TestSpecReplicasChange(t *testing.T) {
 }
 
 func TestDeploymentAvailableCondition(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeploymentReplicaSetTerminatingReplicas, true)
+
 	_, ctx := ktesting.NewTestContext(t)
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -968,7 +974,7 @@ func TestDeploymentAvailableCondition(t *testing.T) {
 	}
 
 	// Verify all replicas fields of DeploymentStatus have desired counts
-	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 0, 0, 10, nil); err != nil {
+	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 0, 0, 10, ptr.To[int32](0)); err != nil {
 		t.Fatal(err)
 	}
 
@@ -988,7 +994,7 @@ func TestDeploymentAvailableCondition(t *testing.T) {
 	}
 
 	// Verify all replicas fields of DeploymentStatus have desired counts
-	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 10, 0, 10, nil); err != nil {
+	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 10, 0, 10, ptr.To[int32](0)); err != nil {
 		t.Fatal(err)
 	}
 
@@ -1011,7 +1017,7 @@ func TestDeploymentAvailableCondition(t *testing.T) {
 	}
 
 	// Verify all replicas fields of DeploymentStatus have desired counts
-	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 10, 10, 0, nil); err != nil {
+	if err = tester.checkDeploymentStatusReplicasFields(10, 10, 10, 10, 0, ptr.To[int32](0)); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -1401,3 +1407,425 @@ func TestTerminatingReplicasDeploymentStatus(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestRecreateDeploymentForPodReplacement(t *testing.T) {
+	tests := []struct {
+		name                                                   string
+		enableDeploymentReplicaSetTerminatingReplicas          bool
+		expectedReplicasAfterOldRSScaleDown                    int32
+		expectedTerminatingReplicasAfterOldRSScaleDown         *int32
+		expectedReplicasAfterNewRS                             int32
+		expectedTerminatingReplicasAfterNewRS                  *int32
+		expectedReplicasAfterInFlightPodTermination            int32
+		expectedTerminatingReplicasAfterInFlightPodTermination *int32
+		expectedReplicasAfterInFlightScaleUp                   int32
+		expectedTerminatingReplicasAfterInFlightScaleUp        *int32
+		expectedReplicasAfterInFlightScaleDown                 int32
+		expectedTerminatingReplicasAfterInFlightScaleDown      *int32
+		expectedReplicasForDeploymentComplete                  int32
+		expectedTerminatingReplicasForDeploymentComplete       *int32
+	}{
+		{
+			name: "recreate should wait for terminating pods to complete in a new rollout with DeploymentReplicaSetTerminatingReplicas=false",
+			enableDeploymentReplicaSetTerminatingReplicas: false,
+
+			expectedReplicasAfterOldRSScaleDown:                    0,
+			expectedTerminatingReplicasAfterOldRSScaleDown:         nil, // terminating counting disabled for all expectedTerminating
+			expectedReplicasAfterNewRS:                             6,
+			expectedTerminatingReplicasAfterNewRS:                  nil,
+			expectedReplicasAfterInFlightPodTermination:            6, // 1 pod terminated
+			expectedTerminatingReplicasAfterInFlightPodTermination: nil,
+			expectedReplicasAfterInFlightScaleUp:                   7, // +1 scale up
+			expectedTerminatingReplicasAfterInFlightScaleUp:        nil,
+			expectedReplicasAfterInFlightScaleDown:                 5, // -2 scale down
+			expectedTerminatingReplicasAfterInFlightScaleDown:      nil,
+			expectedReplicasForDeploymentComplete:                  5,
+			expectedTerminatingReplicasForDeploymentComplete:       nil,
+		},
+		{
+			name: "recreate should wait for terminating pods to complete in a new rollout with DeploymentReplicaSetTerminatingReplicas=true",
+			enableDeploymentReplicaSetTerminatingReplicas: true,
+
+			expectedReplicasAfterOldRSScaleDown:                    0,
+			expectedTerminatingReplicasAfterOldRSScaleDown:         ptr.To[int32](6),
+			expectedReplicasAfterNewRS:                             6,
+			expectedTerminatingReplicasAfterNewRS:                  ptr.To[int32](0),
+			expectedReplicasAfterInFlightPodTermination:            6, // 1 pod terminated
+			expectedTerminatingReplicasAfterInFlightPodTermination: ptr.To[int32](1),
+			expectedReplicasAfterInFlightScaleUp:                   7, // +1 scale up
+			expectedTerminatingReplicasAfterInFlightScaleUp:        ptr.To[int32](1),
+			expectedReplicasAfterInFlightScaleDown:                 5, // -2 scale down
+			expectedTerminatingReplicasAfterInFlightScaleDown:      ptr.To[int32](3),
+			expectedReplicasForDeploymentComplete:                  5,
+			expectedTerminatingReplicasForDeploymentComplete:       ptr.To[int32](3),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeploymentReplicaSetTerminatingReplicas, test.enableDeploymentReplicaSetTerminatingReplicas)
+
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			closeFn, rm, dc, informers, c := dcSetup(ctx, t)
+			defer closeFn()
+
+			name := "test-recreate-deployment-pod-replacement"
+			ns := framework.CreateNamespaceOrDie(c, name, t)
+			defer framework.DeleteNamespaceOrDie(c, ns, t)
+
+			// Start informer and controllers
+			stopControllers := runControllersAndInformers(t, rm, dc, informers)
+			defer stopControllers()
+
+			deploymentName := "deployment"
+			replicas := int32(6)
+			tester := &deploymentTester{t: t, c: c, deployment: newDeployment(deploymentName, ns.Name, replicas)}
+			tester.deployment.Spec.Strategy.Type = apps.RecreateDeploymentStrategyType
+			tester.deployment.Spec.Strategy.RollingUpdate = nil
+			tester.deployment.Spec.Template.Spec.NodeName = "fake-node"
+			tester.deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = ptr.To(int64(300))
+
+			var err error
+			tester.deployment, err = c.AppsV1().Deployments(ns.Name).Create(context.TODO(), tester.deployment, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("failed to create deployment %q: %v", deploymentName, err)
+			}
+
+			// Ensure the deployment completes while marking its pods as ready simultaneously
+			if err := tester.waitForDeploymentCompleteAndMarkPodsReady(); err != nil {
+				t.Fatal(err)
+			}
+			// Record current replicaset before starting new rollout
+			firstRS, err := tester.expectNewReplicaSet()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// trigger a new rollout
+			tester.deployment, err = tester.updateDeployment(func(update *apps.Deployment) {
+				update.Spec.Template.Spec.Containers[0].Env = append(update.Spec.Template.Spec.Containers[0].Env, v1.EnvVar{Name: "deploy2", Value: "true"})
+			})
+			if err != nil {
+				t.Fatalf("failed updating deployment %q: %v", deploymentName, err)
+			}
+
+			// Wait for old replicaset of 1st rollout to have 0 replicas first
+			firstRS, err = c.AppsV1().ReplicaSets(ns.Name).Get(context.TODO(), firstRS.Name, metav1.GetOptions{})
+			if err != nil {
+				t.Fatalf("failed to get replicaset %q: %v", firstRS.Name, err)
+			}
+			firstRS.Spec.Replicas = ptr.To[int32](0)
+			if err = tester.waitRSStable(firstRS); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts after scale down phase
+			expectedReplicas := test.expectedReplicasAfterOldRSScaleDown
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasAfterOldRSScaleDown); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify that the new rollout won't create new replica set, until the old pods terminate
+			if err := tester.expectNoNewReplicaSet(); err != nil {
+				t.Fatal(err)
+			}
+			// remove terminating pods and skip graceful termination of the old RS
+			if err := tester.removeRSPods(ctx, firstRS, math.MaxInt, true, 0); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts after new RS creation
+			expectedReplicas = test.expectedReplicasAfterNewRS
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasAfterNewRS); err != nil {
+				t.Fatal(err)
+			}
+			// Verify that the new rollout created new replica set
+			secondRS, err := tester.expectNewReplicaSet()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// start terminating 1 pod
+			err = tester.removeRSPods(ctx, secondRS, 1, false, 300)
+			if err != nil {
+				t.Fatal(err)
+			}
+			// Verify all replicas fields of DeploymentStatus have desired counts after surprise pod termination
+			expectedReplicas = test.expectedReplicasAfterInFlightPodTermination
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasAfterInFlightPodTermination); err != nil {
+				t.Fatal(err)
+			}
+
+			// Scale up during the deployment rollout
+			tester.deployment, err = tester.updateDeployment(func(update *apps.Deployment) {
+				update.Spec.Replicas = ptr.To[int32](7)
+			})
+			if err != nil {
+				t.Fatalf("failed to update deployment %q: %v", deploymentName, err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts after in flight scale up
+			expectedReplicas = test.expectedReplicasAfterInFlightScaleUp
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasAfterInFlightScaleUp); err != nil {
+				t.Fatal(err)
+			}
+
+			// Scale down during the deployment rollout
+			tester.deployment, err = tester.updateDeployment(func(update *apps.Deployment) {
+				update.Spec.Replicas = ptr.To[int32](5)
+			})
+			if err != nil {
+				t.Fatalf("failed to update/scale deployment %q: %v", deploymentName, err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts after in flight scale down
+			expectedReplicas = test.expectedReplicasAfterInFlightScaleDown
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasAfterInFlightScaleDown); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts before the deployment is completed
+			expectedReplicas = test.expectedReplicasForDeploymentComplete
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, 0, 0, expectedReplicas, test.expectedTerminatingReplicasForDeploymentComplete); err != nil {
+				t.Fatal(err)
+			}
+
+			// Ensure the new deployment completes while marking its pods as ready simultaneously
+			if err = tester.waitForDeploymentCompleteAndMarkPodsReady(); err != nil {
+				t.Fatal(err)
+			}
+			// Verify all replicas fields of DeploymentStatus have desired counts after the deployment is completed
+			expectedReplicas = test.expectedReplicasForDeploymentComplete
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, expectedReplicas, expectedReplicas, 0, test.expectedTerminatingReplicasForDeploymentComplete); err != nil {
+				t.Fatal(err)
+			}
+
+			// remove terminating pods (if there are any) and skip graceful termination of the old RS
+			if err := tester.removeRSPods(ctx, firstRS, math.MaxInt, true, 0); err != nil {
+				t.Fatal(err)
+			}
+			// remove terminating pods and skip graceful termination of the new RS
+			if err := tester.removeRSPods(ctx, secondRS, math.MaxInt, true, 0); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify all replicas fields of DeploymentStatus have desired counts after the deployment is completed and old pods have terminated
+			expectedReplicas = test.expectedReplicasForDeploymentComplete
+			var expectedFinalTerminatingReplicas *int32
+			if test.enableDeploymentReplicaSetTerminatingReplicas {
+				expectedFinalTerminatingReplicas = ptr.To[int32](0)
+			}
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicas, expectedReplicas, expectedReplicas, expectedReplicas, 0, expectedFinalTerminatingReplicas); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}
+
+func TestRollingUpdateAndProportionalScalingForDeploymentPodReplacement(t *testing.T) {
+	tests := []struct {
+		name                                          string
+		enableDeploymentReplicaSetTerminatingReplicas bool
+		terminatingReplicasFirstRS                    int32
+		terminatingReplicasSecondRS                   int32
+
+		expectedFirstRSReplicasDuringNewRollout          int32
+		expectedSecondRSReplicasDuringNewRollout         int32
+		expectedTerminatingReplicasDuringNewRollout      *int32
+		expectedFirstRSReplicasAfterInFlightScaleUp      int32
+		expectedSecondRSReplicasAfterInFlightScaleUp     int32
+		expectedTerminatingReplicasDuringInFlightScaleUp *int32
+		expectedFirstRSAnnotationsAfterInFlightScaleUp   map[string]string
+		expectedSecondRSAnnotationsAfterInFlightScaleUp  map[string]string
+	}{
+		// starts with 100 replicas + 20 maxSurge
+		{
+			name: "rolling update should not wait for terminating pods with DeploymentReplicaSetTerminatingReplicas=false",
+			enableDeploymentReplicaSetTerminatingReplicas: false,
+
+			expectedFirstRSReplicasDuringNewRollout:          100,
+			expectedSecondRSReplicasDuringNewRollout:         20,
+			expectedTerminatingReplicasDuringNewRollout:      nil,
+			expectedFirstRSReplicasAfterInFlightScaleUp:      117,
+			expectedSecondRSReplicasAfterInFlightScaleUp:     23,
+			expectedTerminatingReplicasDuringInFlightScaleUp: nil,
+			expectedFirstRSAnnotationsAfterInFlightScaleUp: map[string]string{
+				deploymentutil.DesiredReplicasAnnotation: "120",
+				deploymentutil.MaxReplicasAnnotation:     "140",
+				deploymentutil.RevisionAnnotation:        "1",
+			},
+			expectedSecondRSAnnotationsAfterInFlightScaleUp: map[string]string{
+				deploymentutil.DesiredReplicasAnnotation: "120",
+				deploymentutil.MaxReplicasAnnotation:     "140",
+				deploymentutil.RevisionAnnotation:        "2",
+			},
+		},
+		{
+			name: "rolling update and scaling should not wait for terminating pods with DeploymentReplicaSetTerminatingReplicas=true",
+			enableDeploymentReplicaSetTerminatingReplicas: true,
+			terminatingReplicasFirstRS:                    15,
+			terminatingReplicasSecondRS:                   1,
+
+			expectedFirstRSReplicasDuringNewRollout:          100,
+			expectedSecondRSReplicasDuringNewRollout:         20,
+			expectedTerminatingReplicasDuringNewRollout:      ptr.To[int32](15),
+			expectedFirstRSReplicasAfterInFlightScaleUp:      117,
+			expectedSecondRSReplicasAfterInFlightScaleUp:     23,
+			expectedTerminatingReplicasDuringInFlightScaleUp: ptr.To[int32](16),
+			expectedFirstRSAnnotationsAfterInFlightScaleUp: map[string]string{
+				deploymentutil.DesiredReplicasAnnotation: "120",
+				deploymentutil.MaxReplicasAnnotation:     "140",
+				deploymentutil.RevisionAnnotation:        "1",
+			},
+			expectedSecondRSAnnotationsAfterInFlightScaleUp: map[string]string{
+				deploymentutil.DesiredReplicasAnnotation: "120",
+				deploymentutil.MaxReplicasAnnotation:     "140",
+				deploymentutil.RevisionAnnotation:        "2",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DeploymentReplicaSetTerminatingReplicas, test.enableDeploymentReplicaSetTerminatingReplicas)
+
+			_, ctx := ktesting.NewTestContext(t)
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
+
+			closeFn, rm, dc, informers, c := dcSetup(ctx, t)
+			defer closeFn()
+
+			name := "test-proportional-scaling"
+			ns := framework.CreateNamespaceOrDie(c, name, t)
+			defer framework.DeleteNamespaceOrDie(c, ns, t)
+
+			// Start informer and controllers
+			stopControllers := runControllersAndInformers(t, rm, dc, informers)
+			defer stopControllers()
+
+			deploymentName := "deployment"
+			replicas := int32(100)
+			maxSurge := int32(20)
+			tester := &deploymentTester{t: t, c: c, deployment: newDeployment(deploymentName, ns.Name, replicas)}
+			tester.deployment.Spec.Strategy.RollingUpdate.MaxSurge = ptr.To(intstr.FromInt32(maxSurge))
+			tester.deployment.Spec.Strategy.RollingUpdate.MaxUnavailable = ptr.To(intstr.FromInt32(0))
+			tester.deployment.Spec.Template.Spec.NodeName = "fake-node"
+			tester.deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = ptr.To(int64(300))
+
+			var err error
+			tester.deployment, err = c.AppsV1().Deployments(ns.Name).Create(context.TODO(), tester.deployment, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("failed to create deployment %q: %v", deploymentName, err)
+			}
+
+			// Ensure the deployment completes while marking its pods as ready simultaneously
+			if err := tester.waitForDeploymentCompleteAndMarkPodsReady(); err != nil {
+				t.Fatal(err)
+			}
+			// Record current replicaset before starting new rollout
+			firstRS, err := tester.expectNewReplicaSet()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// Terminating some replicas
+			err = tester.removeRSPods(ctx, firstRS, int(test.terminatingReplicasFirstRS), false, 300)
+			if err != nil {
+				t.Fatal(err)
+			}
+			// Ensure the deployment completes while marking its pods as ready simultaneously
+			if err := tester.waitForDeploymentCompleteAndMarkPodsReady(); err != nil {
+				t.Fatal(err)
+			}
+
+			// Trigger a new rollout
+			tester.deployment, err = tester.updateDeployment(func(update *apps.Deployment) {
+				update.Spec.Template.Spec.Containers[0].Env = append(update.Spec.Template.Spec.Containers[0].Env, v1.EnvVar{Name: "deploy2", Value: "true"})
+			})
+			if err != nil {
+				t.Fatalf("failed updating deployment %q: %v", deploymentName, err)
+			}
+			expectedReplicasDuringNewRollout := test.expectedFirstRSReplicasDuringNewRollout + test.expectedSecondRSReplicasDuringNewRollout
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicasDuringNewRollout, test.expectedSecondRSReplicasDuringNewRollout, test.expectedFirstRSReplicasDuringNewRollout, test.expectedFirstRSReplicasDuringNewRollout, test.expectedSecondRSReplicasDuringNewRollout, test.expectedTerminatingReplicasDuringNewRollout); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify that the new rollout created new replica set
+			secondRS, err := tester.expectNewReplicaSet()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			// terminating additional replicas
+			err = tester.removeRSPods(ctx, secondRS, int(test.terminatingReplicasSecondRS), false, 300)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicasDuringNewRollout, test.expectedSecondRSReplicasDuringNewRollout, test.expectedFirstRSReplicasDuringNewRollout, test.expectedFirstRSReplicasDuringNewRollout, test.expectedSecondRSReplicasDuringNewRollout, test.expectedTerminatingReplicasDuringInFlightScaleUp); err != nil {
+				t.Fatal(err)
+			}
+
+			// Scale up during the deployment rollout
+			tester.deployment, err = tester.updateDeployment(func(update *apps.Deployment) {
+				update.Spec.Replicas = ptr.To[int32](120)
+			})
+			if err != nil {
+				t.Fatalf("failed to update/scale deployment %q: %v", deploymentName, err)
+			}
+			expectedReplicasDuringInFlightScaleUp := test.expectedFirstRSReplicasAfterInFlightScaleUp + test.expectedSecondRSReplicasAfterInFlightScaleUp
+			expectedSurgeReplicas := expectedReplicasDuringInFlightScaleUp - test.expectedFirstRSReplicasDuringNewRollout
+			if err = tester.waitForDeploymentStatusReplicasFields(ctx, expectedReplicasDuringInFlightScaleUp, test.expectedSecondRSReplicasAfterInFlightScaleUp, test.expectedFirstRSReplicasDuringNewRollout, test.expectedFirstRSReplicasDuringNewRollout, expectedSurgeReplicas, test.expectedTerminatingReplicasDuringInFlightScaleUp); err != nil {
+				t.Fatal(err)
+			}
+
+			// Check pod count and annotations for all replica sets
+			firstRS, err = c.AppsV1().ReplicaSets(ns.Name).Get(context.TODO(), firstRS.Name, metav1.GetOptions{})
+			if err != nil {
+				t.Fatalf("failed to get replicaset %q: %v", firstRS.Name, err)
+			}
+			if *(firstRS.Spec.Replicas) != test.expectedFirstRSReplicasAfterInFlightScaleUp {
+				t.Fatalf("unexpected first RS .spec.replicas: expect %d, got %d", test.expectedFirstRSReplicasAfterInFlightScaleUp, *(firstRS.Spec.Replicas))
+			}
+			if !reflect.DeepEqual(test.expectedFirstRSAnnotationsAfterInFlightScaleUp, firstRS.Annotations) {
+				t.Fatalf("unexpected %q replica set annotations: %s", firstRS.Name, cmp.Diff(test.expectedFirstRSAnnotationsAfterInFlightScaleUp, firstRS.Annotations))
+			}
+
+			secondRS, err = c.AppsV1().ReplicaSets(ns.Name).Get(context.TODO(), secondRS.Name, metav1.GetOptions{})
+			if err != nil {
+				t.Fatalf("failed to get replicaset %q: %v", secondRS.Name, err)
+			}
+			if *(secondRS.Spec.Replicas) != test.expectedSecondRSReplicasAfterInFlightScaleUp {
+				t.Fatalf("unexpected second RS .spec.replicas: expect %d, got %d", test.expectedSecondRSReplicasAfterInFlightScaleUp, *(secondRS.Spec.Replicas))
+			}
+			if !reflect.DeepEqual(test.expectedSecondRSAnnotationsAfterInFlightScaleUp, secondRS.Annotations) {
+				t.Fatalf("unexpected %q replica set annotations: %s", secondRS.Name, cmp.Diff(test.expectedSecondRSAnnotationsAfterInFlightScaleUp, secondRS.Annotations))
+			}
+
+			// Ensure the deployment completes while marking its pods as ready and removing terminated pods simultaneously
+			if err := tester.waitForDeploymentCompleteAndMarkPodsReadyAndRemoveTerminated(ctx); err != nil {
+				t.Fatal(err)
+			}
+
+			// all replica sets' annotations should be up-to-date in the end
+			rss := []*apps.ReplicaSet{firstRS, secondRS}
+			for idx, curRS := range rss {
+				curRS, err = c.AppsV1().ReplicaSets(ns.Name).Get(context.TODO(), curRS.Name, metav1.GetOptions{})
+				if err != nil {
+					t.Fatalf("failed to get replicaset when checking desired replicas annotation: %v", err)
+				}
+				expectedFinalAnnotations := map[string]string{
+					deploymentutil.DesiredReplicasAnnotation: "120",
+					deploymentutil.MaxReplicasAnnotation:     "140",
+					deploymentutil.RevisionAnnotation:        fmt.Sprintf("%d", idx+1),
+				}
+				if !reflect.DeepEqual(expectedFinalAnnotations, curRS.Annotations) {
+					t.Fatalf("unexpected %q replica set annotations: %s", curRS.Name, cmp.Diff(expectedFinalAnnotations, curRS.Annotations))
+				}
+			}
+		})
+	}
+}
diff --git a/test/integration/deployment/util.go b/test/integration/deployment/util.go
index 670d7f814efff..a035689772bce 100644
--- a/test/integration/deployment/util.go
+++ b/test/integration/deployment/util.go
@@ -19,6 +19,7 @@ package deployment
 import (
 	"context"
 	"fmt"
+	"math"
 	"sync"
 	"testing"
 	"time"
@@ -220,6 +221,37 @@ func (d *deploymentTester) markUpdatedPodsReady(wg *sync.WaitGroup) {
 	}
 }
 
+// removeTerminatedPods manually removes terminated Deployment pods,
+// until the deployment is complete
+func (d *deploymentTester) removeTerminatedPods(ctx context.Context, wg *sync.WaitGroup) {
+	defer wg.Done()
+
+	err := wait.PollUntilContextTimeout(ctx, pollInterval, pollTimeout, true, func(ctx context.Context) (bool, error) {
+		// We're done when the deployment is complete
+		if completed, err := d.deploymentComplete(); err != nil {
+			return false, err
+		} else if completed {
+			return true, nil
+		}
+		// Otherwise, mark remaining pods as ready
+		rsList, err := deploymentutil.ListReplicaSets(d.deployment, deploymentutil.RsListFromClient(d.c.AppsV1()))
+		if err != nil {
+			d.t.Log(err)
+			return false, nil
+		}
+		for _, rs := range rsList {
+			if err := d.removeRSPods(ctx, rs, math.MaxInt, true, 0); err != nil {
+				d.t.Log(err)
+				return false, nil
+			}
+		}
+		return false, nil
+	})
+	if err != nil {
+		d.t.Errorf("failed to remove terminated Deployment pods: %v", err)
+	}
+}
+
 func (d *deploymentTester) deploymentComplete() (bool, error) {
 	latest, err := d.c.AppsV1().Deployments(d.deployment.Namespace).Get(context.TODO(), d.deployment.Name, metav1.GetOptions{})
 	if err != nil {
@@ -283,6 +315,30 @@ func (d *deploymentTester) waitForDeploymentCompleteAndMarkPodsReady() error {
 	return nil
 }
 
+// waitForDeploymentCompleteAndMarkPodsReadyAndRemoveTerminating waits for the Deployment to complete
+// while marking updated Deployment pods as ready and removes terminated pods at the same time.
+func (d *deploymentTester) waitForDeploymentCompleteAndMarkPodsReadyAndRemoveTerminated(ctx context.Context) error {
+	var wg sync.WaitGroup
+
+	// Manually mark updated Deployment pods as ready in a separate goroutine
+	wg.Add(1)
+	go d.markUpdatedPodsReady(&wg)
+
+	wg.Add(1)
+	go d.removeTerminatedPods(ctx, &wg)
+
+	// Wait for the Deployment status to complete using soft check, while Deployment pods are becoming ready
+	err := d.waitForDeploymentComplete()
+	if err != nil {
+		return fmt.Errorf("failed to wait for Deployment status %s: %w", d.deployment.Name, err)
+	}
+
+	// Wait for goroutine to finish
+	wg.Wait()
+
+	return nil
+}
+
 func (d *deploymentTester) updateDeployment(applyUpdate testutil.UpdateDeploymentFunc) (*apps.Deployment, error) {
 	return testutil.UpdateDeploymentWithRetries(d.c, d.deployment.Namespace, d.deployment.Name, applyUpdate, d.t.Logf, pollInterval, pollTimeout)
 }
@@ -432,6 +488,20 @@ func (d *deploymentTester) markUpdatedPodsReadyWithoutComplete() error {
 	return nil
 }
 
+// waitForReadyReplicas waits for number of ready replicas to equal number of replicas.
+func (d *deploymentTester) waitForDeploymentStatusReplicasFields(ctx context.Context, replicas, updatedReplicas, readyReplicas, availableReplicas, unavailableReplicas int32, terminatingReplicas *int32) error {
+	var lastErr error
+	err := wait.PollUntilContextTimeout(ctx, pollInterval, pollTimeout, true, func(_ context.Context) (bool, error) {
+		// do not pass ctx to checkDeploymentStatusReplicasFields (Deployments().Get) so we always obtain the latest error and not the one from deadline exceeded
+		lastErr = d.checkDeploymentStatusReplicasFields(replicas, updatedReplicas, readyReplicas, availableReplicas, unavailableReplicas, terminatingReplicas)
+		return lastErr == nil, nil
+	})
+	if err != nil {
+		return fmt.Errorf("%w: %w", lastErr, err)
+	}
+	return nil
+}
+
 // Verify all replicas fields of DeploymentStatus have desired count.
 // Immediately return an error when found a non-matching replicas field.
 func (d *deploymentTester) checkDeploymentStatusReplicasFields(replicas, updatedReplicas, readyReplicas, availableReplicas, unavailableReplicas int32, terminatingReplicas *int32) error {
@@ -456,6 +526,33 @@ func (d *deploymentTester) checkDeploymentStatusReplicasFields(replicas, updated
 	}
 	if !ptr.Equal(deployment.Status.TerminatingReplicas, terminatingReplicas) {
 		return fmt.Errorf("unexpected .terminatingReplicas: expect %v, got %v", ptr.Deref(terminatingReplicas, -1), ptr.Deref(deployment.Status.TerminatingReplicas, -1))
+
+	}
+	return nil
+}
+
+func (d *deploymentTester) removeRSPods(ctx context.Context, replicaset *apps.ReplicaSet, count int, targetOnlyTerminating bool, gracePeriodSeconds int64) error {
+	selector, err := metav1.LabelSelectorAsSelector(replicaset.Spec.Selector)
+	if err != nil {
+		return fmt.Errorf("could not parse a selector for a replica set %q: %w", replicaset.Name, err)
+	}
+	pods, err := d.c.CoreV1().Pods(replicaset.Namespace).List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
+	if err != nil {
+		return fmt.Errorf("failed to get pods for a replica set %q: %w", replicaset.Name, err)
+	}
+
+	for i, pod := range pods.Items {
+		if i >= count {
+			break
+		}
+		if targetOnlyTerminating && pod.DeletionTimestamp == nil {
+			continue
+		}
+		err := d.c.CoreV1().Pods(replicaset.Namespace).Delete(ctx, pod.Name, metav1.DeleteOptions{GracePeriodSeconds: ptr.To(gracePeriodSeconds)})
+		if err != nil {
+			return fmt.Errorf("failed to delete pod %q for a replica set %q: %w", pod.Name, replicaset.Name, err)
+		}
 	}
+
 	return nil
 }
diff --git a/test/integration/dra/binding_conditions_test.go b/test/integration/dra/binding_conditions_test.go
new file mode 100644
index 0000000000000..35041c685d800
--- /dev/null
+++ b/test/integration/dra/binding_conditions_test.go
@@ -0,0 +1,610 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dra
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/onsi/gomega"
+	"github.com/onsi/gomega/gstruct"
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/util/retry"
+	"k8s.io/kubernetes/test/utils/format"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+var (
+	nodeName           = "worker-0"
+	poolWithBinding    = nodeName + "-with-binding"
+	poolWithoutBinding = nodeName + "-without-binding"
+	bindingCondition   = "attached"
+	failureCondition   = "failed"
+)
+
+// testDeviceBindingConditions is the entry point for running each integration test that verifies DeviceBindingConditions.
+// Some of these tests use device taints, and they assume that DRADeviceTaints is enabled.
+func testDeviceBindingConditions(tCtx ktesting.TContext, enabled bool) {
+	tCtx.Parallel()
+
+	tCtx.Run("BasicFlow", func(tCtx ktesting.TContext) { testDeviceBindingConditionsBasicFlow(tCtx, enabled) })
+	if enabled {
+		tCtx.Run("FailureTaints", func(tCtx ktesting.TContext) { testDeviceBindingFailureConditionsReschedule(tCtx, true) })
+		tCtx.Run("FailureRemove", func(tCtx ktesting.TContext) { testDeviceBindingFailureConditionsReschedule(tCtx, false) })
+		tCtx.Run("TimeoutReached", func(tCtx ktesting.TContext) { testDeviceBindingConditionsTimeoutReached(tCtx) })
+		tCtx.Run("TimeoutRecover", func(tCtx ktesting.TContext) { testDeviceBindingConditionsTimeoutRecovery(tCtx) })
+	}
+}
+
+// testBindingConditionsBasicFlow tests scheduling with mixed devices: one with BindingConditions, one without.
+// It verifies that the scheduler prioritizes the device without BindingConditions for the first pod.
+// The second pod then uses the device with BindingConditions. The test checks that the scheduler retries
+// after an initial binding failure of the second pod, ensuring successful scheduling after rescheduling.
+func testDeviceBindingConditionsBasicFlow(tCtx ktesting.TContext, enabled bool) {
+	namespace := createTestNamespace(tCtx, nil)
+	class, driverName := createTestClass(tCtx, namespace)
+	startScheduler(tCtx)
+
+	slice := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: namespace + "-",
+		},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{
+				{
+					Name:                     "with-binding",
+					BindingConditions:        []string{bindingCondition},
+					BindingFailureConditions: []string{failureCondition},
+				},
+			},
+		},
+	}
+	slice, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{FieldValidation: "Strict"})
+	tCtx.ExpectNoError(err, "create slice")
+
+	haveBindingConditionFields := len(slice.Spec.Devices[0].BindingConditions) > 0 || len(slice.Spec.Devices[0].BindingFailureConditions) > 0
+	if !enabled {
+		if haveBindingConditionFields {
+			tCtx.Fatalf("Expected device binding condition fields to get dropped, got instead:\n%s", format.Object(slice, 1))
+		}
+		return
+	}
+	if !haveBindingConditionFields {
+		tCtx.Fatalf("Expected device binding condition fields to be stored, got instead:\n%s", format.Object(slice, 1))
+	}
+
+	sliceWithoutBinding := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: namespace + "-without-binding-",
+		},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithoutBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{
+				{
+					Name: "without-binding",
+				},
+			},
+		},
+	}
+	_, err = tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, sliceWithoutBinding, metav1.CreateOptions{FieldValidation: "Strict"})
+	tCtx.ExpectNoError(err, "create slice without binding conditions")
+
+	// Schedule first pod and wait for the scheduler to reach the binding phase, which marks the claim as allocated.
+	start := time.Now()
+	claim1 := createClaim(tCtx, namespace, "-a", class, claim)
+	pod := createPod(tCtx, namespace, "-a", podWithClaimName, claim1)
+	claim1 = waitForClaimAllocatedToDevice(tCtx, namespace, claim1.Name, 10*time.Second)
+	end := time.Now()
+	gomega.NewWithT(tCtx).Expect(claim1).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Request: claim1.Spec.Devices.Requests[0].Name,
+				Driver:  driverName,
+				Pool:    poolWithoutBinding,
+				Device:  "without-binding",
+			}}}),
+		// NodeSelector intentionally not checked - that's covered elsewhere.
+		"AllocationTimestamp": gomega.HaveField("Time", gomega.And(
+			gomega.BeTemporally(">=", start.Truncate(time.Second) /* may get rounded down during round-tripping */),
+			gomega.BeTemporally("<=", end),
+		)),
+	}))), "first allocated claim")
+
+	waitForPodScheduled(tCtx, namespace, pod.Name)
+
+	// Second pod should get the device with binding conditions.
+	claim2 := createClaim(tCtx, namespace, "-b", class, claim)
+	pod = createPod(tCtx, namespace, "-b", podWithClaimName, claim2)
+	claim2 = waitForClaimAllocatedToDevice(tCtx, namespace, claim2.Name, 10*time.Second)
+	end = time.Now()
+	gomega.NewWithT(tCtx).Expect(claim2).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Request:                  claim2.Spec.Devices.Requests[0].Name,
+				Driver:                   driverName,
+				Pool:                     poolWithBinding,
+				Device:                   "with-binding",
+				BindingConditions:        []string{bindingCondition},
+				BindingFailureConditions: []string{failureCondition},
+			}}}),
+		// NodeSelector intentionally not checked - that's covered elsewhere.
+		"AllocationTimestamp": gomega.HaveField("Time", gomega.And(
+			gomega.BeTemporally(">=", start.Truncate(time.Second) /* may get rounded down during round-tripping */),
+			gomega.BeTemporally("<=", end),
+		)),
+	}))), "second allocated claim")
+
+	// fail the binding condition for the second claim, so that it gets scheduled later.
+	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		latest, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim2.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+		latest.Status.Devices = []resourceapi.AllocatedDeviceStatus{{
+			Driver: driverName,
+			Pool:   poolWithBinding,
+			Device: "with-binding",
+			Conditions: []metav1.Condition{{
+				Type:               failureCondition,
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: latest.Generation,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "Testing",
+				Message:            "The test has seen the allocation and is failing the binding.",
+			}},
+		}}
+		_, err = tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus(tCtx, latest, metav1.UpdateOptions{})
+		return err
+	})
+	tCtx.ExpectNoError(err, "add binding failure condition to second claim")
+
+	// Then wait until the scheduler has cleared the device statuses again.
+	waitForClaim(tCtx, namespace, claim2.Name, 30*time.Second,
+		gomega.HaveField("Status.Devices", gomega.HaveLen(0)),
+		"claim should have cleared device conditions after rescheduling",
+	)
+
+	// allocation restored?
+	claim2 = waitForClaimAllocatedToDevice(tCtx, namespace, claim2.Name, 10*time.Second)
+
+	// Now it's safe to set the final binding condition.
+	// Allow the scheduler to proceed.
+	err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		latest, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim2.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+		// Write status.devices for the CURRENT allocation device.
+		latest.Status.Devices = []resourceapi.AllocatedDeviceStatus{{
+			Driver: driverName,
+			Pool:   poolWithBinding,
+			Device: "with-binding",
+			Conditions: []metav1.Condition{{
+				Type:               bindingCondition,
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: latest.Generation,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "Testing",
+				Message:            "The test has seen the allocation.",
+			}},
+		}}
+		_, err = tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus(tCtx, latest, metav1.UpdateOptions{})
+		return err
+	})
+	tCtx.ExpectNoError(err, "add binding condition to second claim")
+	waitForPodScheduled(tCtx, namespace, pod.Name)
+}
+
+// testBindingFailureReschedule verifies scheduling behavior when device preparation fails on a node.
+// It tests that a BindingFailure is written, and the scheduler successfully reschedules the pod
+// to a different node where binding succeeds. This ensures that failure recovery via rescheduling works as expected.
+// Device preparation failure is simulated in two ways: by applying DeviceTaints or by removing the device from ResourceSlice.
+// The simulation method is controlled via the `useTaints` argument: when true, DeviceTaints are used; when false, the device is removed from ResourceSlice.
+func testDeviceBindingFailureConditionsReschedule(tCtx ktesting.TContext, useTaints bool) {
+	namespace := createTestNamespace(tCtx, nil)
+	class, driverName := createTestClass(tCtx, namespace)
+	startScheduler(tCtx)
+
+	anotherNodeName := "worker-1"
+	anotherPoolWithoutBinding := anotherNodeName + "-without-binding"
+
+	slice := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: namespace + "-",
+		},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{
+				{
+					Name:                     "with-binding",
+					BindingConditions:        []string{bindingCondition},
+					BindingFailureConditions: []string{failureCondition},
+				},
+			},
+		},
+	}
+	slice = createSlice(tCtx, slice)
+
+	// Schedule the first pod to a device that has binding conditions set,
+	// ensuring the initial allocation occurs on the intended node.
+	claim1 := createClaim(tCtx, namespace, "-a", class, claim)
+	pod := createPod(tCtx, namespace, "-a", podWithClaimName, claim1)
+	claim1 = waitForClaimAllocatedToDevice(tCtx, namespace, claim1.Name, 10*time.Second)
+	gomega.NewWithT(tCtx).Expect(claim1).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Request:                  claim1.Spec.Devices.Requests[0].Name,
+				Driver:                   driverName,
+				Pool:                     poolWithBinding,
+				Device:                   "with-binding",
+				BindingConditions:        []string{bindingCondition},
+				BindingFailureConditions: []string{failureCondition},
+			}}}),
+	}))), "third allocated claim to the device with binding conditions")
+
+	if useTaints {
+		// Add taint to the device with binding conditions,
+		// preventing further scheduling to this device.
+		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			latest, err := tCtx.Client().ResourceV1().ResourceSlices().Get(tCtx, slice.Name, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+			slice = latest.DeepCopy()
+			slice.Spec.Devices[0].Taints = []resourceapi.DeviceTaint{
+				{
+					Key:    "dra-test.k8s.io/preparation-failed",
+					Value:  "true",
+					Effect: resourceapi.DeviceTaintEffectNoSchedule,
+				},
+			}
+			_, err = tCtx.Client().ResourceV1().ResourceSlices().Update(tCtx, slice, metav1.UpdateOptions{})
+			return err
+		})
+		tCtx.ExpectNoError(err, "add taint to second slice")
+	} else {
+		// Remove the device from the slice to simulate its unavailability due to preparation failure.
+		err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			latest, err := tCtx.Client().ResourceV1().ResourceSlices().Get(tCtx, slice.Name, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+			slice = latest.DeepCopy()
+			slice.Spec.Devices = nil
+			_, err = tCtx.Client().ResourceV1().ResourceSlices().Update(tCtx, slice, metav1.UpdateOptions{})
+			return err
+		})
+		tCtx.ExpectNoError(err, "remove devices in slice")
+	}
+
+	// Create a new slice on a different node with a device that has no binding conditions,
+	// allowing the scheduler to retry and allocate the claim successfully.
+	sliceWithoutBinding := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: namespace + "-without-binding-",
+		},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &anotherNodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               anotherPoolWithoutBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{
+				{
+					Name: "without-binding",
+				},
+			},
+		},
+	}
+	createSlice(tCtx, sliceWithoutBinding)
+
+	// Explicitly fail the binding condition for the third claim to trigger rescheduling logic.
+	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		latest, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim1.Name, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+		claim1 = latest.DeepCopy()
+		claim1.Status.Devices = []resourceapi.AllocatedDeviceStatus{{
+			Driver: driverName,
+			Pool:   poolWithBinding,
+			Device: "with-binding",
+			Conditions: []metav1.Condition{{
+				Type:               failureCondition,
+				Status:             metav1.ConditionTrue,
+				ObservedGeneration: claim1.Generation,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "Testing",
+				Message:            "The test has seen the allocation and is failing the binding.",
+			}},
+		}}
+		_, err = tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus(tCtx, claim1, metav1.UpdateOptions{})
+		return err
+	})
+	tCtx.ExpectNoError(err, "add binding failure condition to claim")
+
+	// Then wait until the scheduler has cleared the device statuses again.
+	waitForClaim(tCtx, namespace, claim1.Name, 30*time.Second,
+		gomega.HaveField("Status.Devices", gomega.HaveLen(0)),
+		"claim should have cleared device conditions after rescheduling",
+	)
+
+	// allocation restored?
+	claim1 = waitForClaimAllocatedToDevice(tCtx, namespace, claim1.Name, 10*time.Second)
+
+	gomega.NewWithT(tCtx).Expect(claim1).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Request: claim1.Spec.Devices.Requests[0].Name,
+				Driver:  driverName,
+				Pool:    anotherPoolWithoutBinding,
+				Device:  "without-binding",
+			}}}),
+	}))), "third allocated claim to the device without binding conditions")
+
+	waitForPodScheduled(tCtx, namespace, pod.Name)
+}
+
+// testBindingConditionsTimeoutReachedd verifies that a short bindingTimeout triggers
+// a PreBind timeout when the required BindingConditions never become true.
+func testDeviceBindingConditionsTimeoutReached(tCtx ktesting.TContext) {
+	namespace := createTestNamespace(tCtx, nil)
+	class, driver := createTestClass(tCtx, namespace)
+
+	// One device that REQUIRES a binding condition.
+	slice := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{GenerateName: namespace + "-timeout-"},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driver,
+			Devices: []resourceapi.Device{{
+				Name:                     "with-binding",
+				BindingConditions:        []string{bindingCondition},
+				BindingFailureConditions: []string{failureCondition},
+			}},
+		},
+	}
+	createSlice(tCtx, slice)
+
+	wantTO := 6 * time.Second // bindingTimeout
+	maxTO := wantTO * 19 / 10 // 1.9 * wantTO
+
+	// Start the scheduler with a short binding timeout.
+	cfg := fmt.Sprintf(`
+profiles:
+- schedulerName: default-scheduler
+  pluginConfig:
+  - name: DynamicResources
+    args:
+      bindingTimeout: %s
+`, wantTO)
+
+	startSchedulerWithConfig(tCtx, cfg)
+
+	// Create claim+pod: allocation happens, then scheduler waits in PreBind.
+	claim1 := createClaim(tCtx, namespace, "-timeout-enforced", class, claim)
+	pod := createPod(tCtx, namespace, "-timeout-enforced", podWithClaimName, claim1)
+
+	// Wait until the claim is allocated.
+	allocatedClaim := waitForClaimAllocatedToDevice(tCtx, namespace, claim1.Name, 10*time.Second)
+
+	gomega.NewWithT(tCtx).Expect(allocatedClaim).To(gomega.HaveField(
+		"Status.Allocation",
+		gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+				Results: []resourceapi.DeviceRequestAllocationResult{{
+					Request:                  allocatedClaim.Spec.Devices.Requests[0].Name,
+					Driver:                   driver,
+					Pool:                     poolWithBinding,
+					Device:                   "with-binding",
+					BindingConditions:        []string{bindingCondition},
+					BindingFailureConditions: []string{failureCondition},
+				}},
+			}),
+		}),
+		)), "Claim must be allocated to the condition-gated device")
+
+	tStart := time.Now()
+
+	// The scheduler should hit the binding timeout and surface that on the pod.
+	// We poll the pod's conditions until we see a message containing "binding timeout".
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
+		p, err := tCtx.Client().CoreV1().Pods(namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		tCtx.ExpectNoError(err, "get pod")
+		return p
+	}).WithTimeout(maxTO).WithPolling(300*time.Millisecond).Should(
+		gomega.HaveField("Status.Conditions",
+			gomega.ContainElement(
+				gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+					"Message": gomega.ContainSubstring("binding timeout"),
+				}),
+			),
+		),
+		"pod should report binding timeout in a condition message",
+	)
+
+	elapsed := time.Since(tStart)
+	gomega.NewWithT(tCtx).Expect(elapsed).To(
+		gomega.BeNumerically("<=", maxTO),
+		"bindingTimeout should trigger roughly near %s (observed %v)", wantTO, elapsed,
+	)
+	// Verify that the pod remains unscheduled after the binding timeout.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
+		pod, err := tCtx.Client().CoreV1().Pods(namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		tCtx.ExpectNoError(err, "get pod")
+		return pod
+	}).WithTimeout(wantTO).WithPolling(200 * time.Millisecond).Should(gomega.SatisfyAll(
+		gomega.HaveField("Spec.NodeName", gomega.BeEmpty()),
+
+		gomega.HaveField("Status.Conditions",
+			gomega.Not(gomega.ContainElement(v1.PodCondition{
+				Type:   v1.PodScheduled,
+				Status: v1.ConditionTrue,
+			}))),
+	))
+}
+
+// testDeviceBindingConditionsTimeoutRecovery verifies that when a device with BindingConditions
+// fails to become ready within the timeout (BindingTimeout enforced), and a new device without
+// binding conditions is added, the scheduler reschedules the claim to the new available device.
+func testDeviceBindingConditionsTimeoutRecovery(tCtx ktesting.TContext) {
+	namespace := createTestNamespace(tCtx, nil)
+	class, driverName := createTestClass(tCtx, namespace)
+
+	// Start the scheduler with a short binding timeout.
+	const cfg = `
+profiles:
+- schedulerName: default-scheduler
+  pluginConfig:
+  - name: DynamicResources
+    args:
+      bindingTimeout: 5s
+`
+	startSchedulerWithConfig(tCtx, cfg)
+
+	// Initial slice: one device that *requires* a binding condition that never becomes true.
+	slice := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: namespace + "-",
+		},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{{
+				Name:                     "with-binding",
+				BindingConditions:        []string{bindingCondition},
+				BindingFailureConditions: []string{failureCondition},
+			}},
+		},
+	}
+	createSlice(tCtx, slice)
+	claim1 := createClaim(tCtx, namespace, "-timeout", class, claim)
+	pod := createPod(tCtx, namespace, "-timeout", podWithClaimName, claim1)
+
+	claim1 = waitForClaimAllocatedToDevice(tCtx, namespace, claim1.Name, 10*time.Second)
+	gomega.NewWithT(tCtx).Expect(claim1).To(gomega.HaveField(
+		"Status.Allocation",
+		gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+				Results: []resourceapi.DeviceRequestAllocationResult{{
+					Request:                  claim.Spec.Devices.Requests[0].Name,
+					Driver:                   driverName,
+					Pool:                     poolWithBinding,
+					Device:                   "with-binding",
+					BindingConditions:        []string{bindingCondition},
+					BindingFailureConditions: []string{failureCondition},
+				}},
+			}),
+		}),
+		)), "Expected allocation to the condition-gated device")
+
+	sliceWithoutBinding := &resourceapi.ResourceSlice{
+		ObjectMeta: metav1.ObjectMeta{GenerateName: namespace + "-recovery-"},
+		Spec: resourceapi.ResourceSliceSpec{
+			NodeName: &nodeName,
+			Pool: resourceapi.ResourcePool{
+				Name:               poolWithoutBinding,
+				ResourceSliceCount: 1,
+			},
+			Driver: driverName,
+			Devices: []resourceapi.Device{{
+				Name: "without-binding",
+			}},
+		},
+	}
+	sliceWithoutBinding = createSlice(tCtx, sliceWithoutBinding)
+
+	// Ensure the ResourceSlice has been created before the binding timeout occurs.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+		p, err := tCtx.Client().CoreV1().Pods(namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		if err == nil {
+			for _, c := range p.Status.Conditions {
+				if strings.Contains(strings.ToLower(c.Message), "binding timeout") {
+					return gomega.StopTrying("binding timeout occurred before slice is created")
+				}
+			}
+		}
+		_, err = tCtx.Client().ResourceV1().ResourceSlices().Get(tCtx, sliceWithoutBinding.Name, metav1.GetOptions{})
+		return err
+	}).WithTimeout(10*time.Second).WithPolling(300*time.Millisecond).Should(
+		gomega.Succeed(), "slice must be created before binding timeout")
+
+	// Wait until the binding timeout occurs.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
+		p, err := tCtx.Client().CoreV1().Pods(namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+		tCtx.ExpectNoError(err, "get pod")
+		return p
+	}).WithTimeout(20*time.Second).WithPolling(300*time.Millisecond).Should(
+		gomega.HaveField("Status.Conditions",
+			gomega.ContainElement(
+				gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+					"Message": gomega.ContainSubstring("binding timeout"),
+				}),
+			),
+		),
+		"pod should report binding timeout before reallocation",
+	)
+
+	// Verify recovery to the newly added device without BindingConditions through rescheduling triggered by binding timeout.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+		c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim1.Name, metav1.GetOptions{})
+		tCtx.ExpectNoError(err)
+		return c
+	}).WithTimeout(10*time.Second).WithPolling(1*time.Second).Should(gomega.HaveField(
+		"Status.Allocation",
+		gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
+				Results: []resourceapi.DeviceRequestAllocationResult{{
+					Request: claim.Spec.Devices.Requests[0].Name,
+					Driver:  driverName,
+					Pool:    poolWithoutBinding,
+					Device:  "without-binding",
+				}},
+			}),
+		}),
+		)), "Expected allocation to the device without binding conditions")
+
+	waitForPodScheduled(tCtx, namespace, pod.Name)
+}
diff --git a/test/integration/dra/device_taints_test.go b/test/integration/dra/device_taints_test.go
new file mode 100644
index 0000000000000..b14027e4e09c6
--- /dev/null
+++ b/test/integration/dra/device_taints_test.go
@@ -0,0 +1,250 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dra
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/onsi/gomega"
+	"github.com/onsi/gomega/gstruct"
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	resourcealpha "k8s.io/api/resource/v1alpha3"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/client-go/informers"
+	resourcealphainformers "k8s.io/client-go/informers/resource/v1alpha3"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/utils/ptr"
+)
+
+// testEvictCluster simulates a cluster with many scheduled pods where each
+// pod uses it's own ResourceClaim with one device. Then all those
+// devices get tainted with a single DeviceTaintRule (causing eviction of all pods at once)
+// or by updating the slices (more gradual).
+func testEvictCluster(tCtx ktesting.TContext, useRule bool) {
+	tCtx.Parallel()
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Cancel("time to shut down")
+		wg.Wait()
+	}()
+
+	numPods := 1000
+	devicesPerSlice := 50
+	numSlices := (numPods + devicesPerSlice - 1) / devicesPerSlice
+	namespace := createTestNamespace(tCtx, nil)
+	nodeName := "node-" + namespace
+	driverName := "driver-" + namespace
+	poolName := "cluster"
+
+	var slices []*resourceapi.ResourceSlice
+	for i := range numSlices {
+		slice := &resourceapi.ResourceSlice{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: fmt.Sprintf("slice-%s-%d", namespace, i),
+			},
+			Spec: resourceapi.ResourceSliceSpec{
+				Driver: driverName,
+				Pool: resourceapi.ResourcePool{
+					Name:               poolName,
+					ResourceSliceCount: int64(numSlices),
+				},
+				AllNodes: ptr.To(true),
+			},
+		}
+		for e := range devicesPerSlice {
+			slice.Spec.Devices = append(slice.Spec.Devices, resourceapi.Device{
+				Name: fmt.Sprintf("device-%d", i*devicesPerSlice+e),
+			})
+		}
+		slices = append(slices, createSlice(tCtx, slice))
+	}
+
+	for i := range numPods {
+		suffix := fmt.Sprintf("-%d", i)
+
+		pod := podWithClaimName.DeepCopy()
+		pod.Name += suffix
+		pod.Namespace = namespace
+		*pod.Spec.ResourceClaims[0].ResourceClaimName += suffix
+		pod.Spec.NodeName = nodeName // Must be scheduled to be evicted.
+		pod = must(tCtx, tCtx.Client().CoreV1().Pods(namespace).Create, pod, metav1.CreateOptions{})
+
+		// Scheduled pods do not get deleted without acknowledgement by the kubelet,
+		// so we have to force-delete to clean up as we don't have a kubelet.
+		tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+			err := tCtx.Client().CoreV1().Pods(namespace).Delete(tCtx, pod.Name, metav1.DeleteOptions{GracePeriodSeconds: ptr.To(int64(0))})
+			if !apierrors.IsNotFound(err) {
+				tCtx.ExpectNoError(err)
+			}
+		})
+
+		// No finalizer, so deleting the namespace will be able to delete the claim.
+		claim := claim.DeepCopy()
+		claim.Name += suffix
+		claim.Namespace = namespace
+		claim = must(tCtx, tCtx.Client().ResourceV1().ResourceClaims(namespace).Create, claim, metav1.CreateOptions{})
+		claim.Status.Allocation = &resourceapi.AllocationResult{
+			Devices: resourceapi.DeviceAllocationResult{
+				Results: []resourceapi.DeviceRequestAllocationResult{{
+					Request: claim.Spec.Devices.Requests[0].Name,
+					Driver:  driverName,
+					Pool:    poolName,
+					Device:  "device" + suffix,
+				}},
+			},
+		}
+		claim.Status.ReservedFor = []resourceapi.ResourceClaimConsumerReference{{
+			Resource: "pods",
+			Name:     pod.Name,
+			UID:      pod.UID,
+		}}
+		must(tCtx, tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus, claim, metav1.UpdateOptions{})
+	}
+
+	// Create a new factory and sync it so that when the controller starts, it is up-to-date.
+	// This works as long as this is the only test running it.
+	informerFactory := informers.NewSharedInformerFactory(tCtx.Client(), 0)
+	var ruleInformer resourcealphainformers.DeviceTaintRuleInformer
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules) {
+		ruleInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
+	}
+	controller := devicetainteviction.New(tCtx.Client(),
+		informerFactory.Core().V1().Pods(),
+		informerFactory.Resource().V1().ResourceClaims(),
+		informerFactory.Resource().V1().ResourceSlices(),
+		ruleInformer,
+		informerFactory.Resource().V1().DeviceClasses(),
+		"device-taint-eviction",
+	)
+
+	var numExistingPods atomic.Int64
+	podsDeleted := make(chan struct{})
+	_, _ = informerFactory.Core().V1().Pods().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			pod := obj.(*v1.Pod)
+			if pod.Namespace == namespace {
+				numExistingPods.Add(1)
+			}
+		},
+
+		UpdateFunc: func(oldObj, newObj any) {
+			oldPod, newPod := oldObj.(*v1.Pod), newObj.(*v1.Pod)
+			if newPod.Namespace == namespace &&
+				oldPod.DeletionTimestamp == nil &&
+				newPod.DeletionTimestamp != nil &&
+				numExistingPods.Add(-1) == 0 {
+				// All pods marked for deletion.
+				close(podsDeleted)
+			}
+		},
+	})
+
+	informerFactory.Start(tCtx.Done())
+	for t, synced := range informerFactory.WaitForCacheSync(tCtx.Done()) {
+		tCtx.Logf("informer %s synced: %v", t, synced)
+		if !synced {
+			tCtx.Errorf("informer for %s failed to sync", t)
+		}
+	}
+	if tCtx.Failed() {
+		tCtx.FailNow()
+	}
+	wg.Go(func() {
+		if err := controller.Run(tCtx, 10 /* workers */); err != nil {
+			tCtx.Errorf("Unexpected Run error: %w", err)
+		}
+	})
+
+	ruleName := "rule-" + namespace
+	rule := &resourcealpha.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: ruleName,
+		},
+		Spec: resourcealpha.DeviceTaintRuleSpec{
+			DeviceSelector: &resourcealpha.DeviceTaintSelector{
+				Driver: &driverName,
+			},
+			Taint: resourcealpha.DeviceTaint{
+				Key:    "testing",
+				Effect: resourcealpha.DeviceTaintEffectNoExecute,
+			},
+		},
+	}
+
+	if useRule {
+		// Evict through DeviceTaintRule.
+		must(tCtx, tCtx.Client().ResourceV1alpha3().DeviceTaintRules().Create, rule, metav1.CreateOptions{})
+		tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+			err := tCtx.Client().ResourceV1alpha3().DeviceTaintRules().Delete(tCtx, ruleName, metav1.DeleteOptions{})
+			if apierrors.IsNotFound(err) {
+				return
+			}
+			tCtx.ExpectNoError(err)
+		})
+	} else {
+		// Evict by tainting each device.
+		for i, slice := range slices {
+			slice = slice.DeepCopy()
+			slice.Spec.Pool.Generation++
+			for i := range slice.Spec.Devices {
+				slice.Spec.Devices[i].Taints = []resourceapi.DeviceTaint{{
+					Key:    "testing",
+					Effect: resourceapi.DeviceTaintEffectNoExecute,
+				}}
+			}
+			slices[i] = must(tCtx, tCtx.Client().ResourceV1().ResourceSlices().Update, slice, metav1.UpdateOptions{})
+		}
+	}
+
+	getRule := func(tCtx ktesting.TContext) *resourcealpha.DeviceTaintRule {
+		rule = must(tCtx, tCtx.Client().ResourceV1alpha3().DeviceTaintRules().Get, ruleName, metav1.GetOptions{})
+		return rule
+	}
+
+	// Evict and wait for pods to be gone.
+	start := time.Now()
+	select {
+	case <-podsDeleted:
+		// Okay.
+	case <-tCtx.Done():
+		tCtx.Fatalf("Waiting for pod deletion was canceled: %v", context.Cause(tCtx))
+	case <-time.After(30 * time.Second):
+		tCtx.Fatal("Timed out waiting for pod deletion")
+	}
+	duration := time.Since(start)
+	tCtx.Logf("Evicted %d pods in %s.", numPods, duration)
+
+	if useRule {
+		// Check condition.
+		ktesting.Eventually(tCtx, getRule).WithPolling(10 * time.Second).Should(gomega.HaveField("Status.Conditions", gomega.ConsistOf(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"Type":    gomega.Equal(resourcealpha.DeviceTaintConditionEvictionInProgress),
+			"Status":  gomega.Equal(metav1.ConditionFalse),
+			"Message": gomega.Equal(fmt.Sprintf("%d pods evicted since starting the controller.", numPods)),
+		}))))
+	}
+}
diff --git a/test/integration/dra/dra_test.go b/test/integration/dra/dra_test.go
index d957c25b58e41..69151b711c88c 100644
--- a/test/integration/dra/dra_test.go
+++ b/test/integration/dra/dra_test.go
@@ -22,7 +22,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"regexp"
+	"math/rand/v2"
 	"sort"
 	"strings"
 	"sync"
@@ -47,10 +47,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/version"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	resourceapiac "k8s.io/client-go/applyconfigurations/resource/v1"
 	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
@@ -84,6 +85,8 @@ var (
 	claimName                   = podName + "-" + resourceName
 	className                   = "my-resource-class"
 	extendedClassName           = "my-extended-resource-class"
+	device1                     = "device-1"
+	device2                     = "device-2"
 	podWithClaimName            = st.MakePod().Name(podName).Namespace(namespace).
 					Container("my-container").
 					PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
@@ -113,110 +116,14 @@ var (
 	claimPrioritizedList = st.MakeResourceClaim().
 				Name(claimName).
 				Namespace(namespace).
-				RequestWithPrioritizedList(className).
+				RequestWithPrioritizedList(st.SubRequest("subreq-1", className, 1)).
 				Obj()
-
-	numNodes = 2
 )
 
-// createTestNamespace creates a namespace with a name that is derived from the
-// current test name:
-// - Non-alpha-numeric characters replaced by hyphen.
-// - Truncated in the middle to make it short enough for GenerateName.
-// - Hyphen plus random suffix added by the apiserver.
-func createTestNamespace(tCtx ktesting.TContext, labels map[string]string) string {
-	tCtx.Helper()
-	name := regexp.MustCompile(`[^[:alnum:]_-]`).ReplaceAllString(tCtx.Name(), "-")
-	name = strings.ToLower(name)
-	if len(name) > 63 {
-		name = name[:30] + "--" + name[len(name)-30:]
-	}
-	ns := &v1.Namespace{ObjectMeta: metav1.ObjectMeta{GenerateName: name + "-"}}
-	ns.Labels = labels
-	ns, err := tCtx.Client().CoreV1().Namespaces().Create(tCtx, ns, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create test namespace")
-	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
-		tCtx.ExpectNoError(tCtx.Client().CoreV1().Namespaces().Delete(tCtx, ns.Name, metav1.DeleteOptions{}), "delete test namespace")
-	})
-	return ns.Name
-}
-
-// createSlice creates the given ResourceSlice and removes it when the test is done.
-func createSlice(tCtx ktesting.TContext, slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
-	tCtx.Helper()
-	slice, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create ResourceSlice")
-	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
-		tCtx.Log("Cleaning up ResourceSlice...")
-		err := tCtx.Client().ResourceV1().ResourceSlices().Delete(tCtx, slice.Name, metav1.DeleteOptions{})
-		tCtx.ExpectNoError(err, "delete ResourceSlice")
-	})
-	return slice
-}
-
-// createTestClass creates a DeviceClass with a driver name derived from the test namespace
-func createTestClass(tCtx ktesting.TContext, namespace string) (*resourceapi.DeviceClass, string) {
-	tCtx.Helper()
-	driverName := namespace + ".driver"
-	class := class.DeepCopy()
-	class.Name = namespace + ".class"
-	class.Spec.Selectors = []resourceapi.DeviceSelector{{
-		CEL: &resourceapi.CELDeviceSelector{
-			Expression: fmt.Sprintf("device.driver == %q", driverName),
-		},
-	}}
-	_, err := tCtx.Client().ResourceV1().DeviceClasses().Create(tCtx, class, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create class")
-	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
-		tCtx.Log("Cleaning up DeviceClass...")
-		err := tCtx.Client().ResourceV1().DeviceClasses().Delete(tCtx, class.Name, metav1.DeleteOptions{})
-		tCtx.ExpectNoError(err, "delete class")
-	})
-
-	return class, driverName
-}
-
-// createClaim creates a claim and in the namespace.
-// The class must already exist and is used for all requests.
-func createClaim(tCtx ktesting.TContext, namespace string, suffix string, class *resourceapi.DeviceClass, claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
-	tCtx.Helper()
-	claim = claim.DeepCopy()
-	claim.Namespace = namespace
-	claim.Name += suffix
-	claimName := claim.Name
-	for i := range claim.Spec.Devices.Requests {
-		request := &claim.Spec.Devices.Requests[i]
-		if request.Exactly != nil && request.Exactly.DeviceClassName != "" {
-			request.Exactly.DeviceClassName = class.Name
-			continue
-		}
-		for e := range request.FirstAvailable {
-			subRequest := &request.FirstAvailable[e]
-			subRequest.DeviceClassName = class.Name
-		}
-	}
-	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create claim "+claimName)
-	return claim
-}
-
-// createPod create a pod in the namespace, referencing the given claim.
-func createPod(tCtx ktesting.TContext, namespace string, suffix string, claim *resourceapi.ResourceClaim, pod *v1.Pod) *v1.Pod {
-	tCtx.Helper()
-	pod = pod.DeepCopy()
-	pod.Name += suffix
-	podName := pod.Name
-	pod.Namespace = namespace
-	pod.Spec.ResourceClaims[0].ResourceClaimName = &claim.Name
-	pod, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create pod "+podName)
-	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
-		tCtx.Log("Cleaning up Pod...")
-		err := tCtx.Client().CoreV1().Pods(namespace).Delete(tCtx, pod.Name, metav1.DeleteOptions{})
-		tCtx.ExpectNoError(err, "delete Pod")
-	})
-	return pod
-}
+const (
+	numNodes       = 8
+	maxPodsPerNode = 5000 // This should never be the limiting factor, no matter how many tests run in parallel.
+)
 
 func TestDRA(t *testing.T) {
 	// Each sub-test brings up the API server in a certain
@@ -248,6 +155,7 @@ func TestDRA(t *testing.T) {
 			f: func(tCtx ktesting.TContext) {
 				tCtx.Run("Pod", func(tCtx ktesting.TContext) { testPod(tCtx, true) })
 				tCtx.Run("FilterTimeout", testFilterTimeout)
+				tCtx.Run("UsesAllResources", testUsesAllResources)
 			},
 		},
 		"GA": {
@@ -265,6 +173,7 @@ func TestDRA(t *testing.T) {
 				tCtx.Run("ExtendedResource", func(tCtx ktesting.TContext) { testExtendedResource(tCtx, false) })
 				tCtx.Run("ResourceClaimDeviceStatus", func(tCtx ktesting.TContext) { testResourceClaimDeviceStatus(tCtx, false) })
 				tCtx.Run("DeviceBindingConditions", func(tCtx ktesting.TContext) { testDeviceBindingConditions(tCtx, false) })
+				tCtx.Run("UsesAllResources", testUsesAllResources)
 			},
 		},
 		"v1beta1": {
@@ -291,6 +200,14 @@ func TestDRA(t *testing.T) {
 				})
 			},
 		},
+		"slice-taints": {
+			features: map[featuregate.Feature]bool{
+				features.DRADeviceTaints: true,
+			},
+			f: func(tCtx ktesting.TContext) {
+				tCtx.Run("EvictClusterWithSlices", func(tCtx ktesting.TContext) { testEvictCluster(tCtx, false) })
+			},
+		},
 		"all": {
 			apis: map[schema.GroupVersion]bool{
 				resourcev1beta1.SchemeGroupVersion:  true,
@@ -305,22 +222,30 @@ func TestDRA(t *testing.T) {
 				features.DRADeviceBindingConditions:   true,
 				features.DRAConsumableCapacity:        true,
 				features.DRADeviceTaints:              true,
+				features.DRADeviceTaintRules:          true,
 				features.DRAPartitionableDevices:      true,
 				features.DRAPrioritizedList:           true,
 				features.DRAResourceClaimDeviceStatus: true,
 				features.DRAExtendedResource:          true,
 			},
 			f: func(tCtx ktesting.TContext) {
+				// These tests must run in parallel as much as possible to keep overall runtime low!
+
 				tCtx.Run("AdminAccess", func(tCtx ktesting.TContext) { testAdminAccess(tCtx, true) })
 				tCtx.Run("Convert", testConvert)
 				tCtx.Run("ControllerManagerMetrics", testControllerManagerMetrics)
 				tCtx.Run("DeviceBindingConditions", func(tCtx ktesting.TContext) { testDeviceBindingConditions(tCtx, true) })
 				tCtx.Run("PrioritizedList", func(tCtx ktesting.TContext) { testPrioritizedList(tCtx, true) })
+				tCtx.Run("PrioritizedListScoring", func(tCtx ktesting.TContext) { testPrioritizedListScoring(tCtx) })
 				tCtx.Run("PublishResourceSlices", func(tCtx ktesting.TContext) { testPublishResourceSlices(tCtx, true) })
 				// note testExtendedResource depends on testPublishResourceSlices to provide the devices
 				tCtx.Run("ExtendedResource", func(tCtx ktesting.TContext) { testExtendedResource(tCtx, true) })
 				tCtx.Run("ResourceClaimDeviceStatus", func(tCtx ktesting.TContext) { testResourceClaimDeviceStatus(tCtx, true) })
 				tCtx.Run("MaxResourceSlice", testMaxResourceSlice)
+				tCtx.Run("EvictClusterWithRule", func(tCtx ktesting.TContext) { testEvictCluster(tCtx, true) })
+				tCtx.Run("EvictClusterWithSlices", func(tCtx ktesting.TContext) { testEvictCluster(tCtx, false) })
+				tCtx.Run("InvalidResourceSlices", testInvalidResourceSlices)
+				tCtx.Run("UsesAllResources", testUsesAllResources)
 			},
 		},
 	} {
@@ -336,9 +261,11 @@ func TestDRA(t *testing.T) {
 			sort.Strings(entries)
 			t.Logf("Config: %s", strings.Join(entries, ","))
 
-			for key, value := range tc.features {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, key, value)
+			// We need to set emulation version for DynamicResourceAllocation feature gate, which is locked at 1.35.
+			if draEnabled, draExists := tc.features[features.DynamicResourceAllocation]; draExists && !draEnabled {
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.34"))
 			}
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, tc.features)
 
 			etcdOptions := framework.SharedEtcd()
 			apiServerOptions := kubeapiservertesting.NewDefaultTestServerOptions()
@@ -371,7 +298,7 @@ func createNodes(tCtx ktesting.TContext) {
 				Name: fmt.Sprintf("worker-%d", i),
 			},
 		}
-		node, err := tCtx.Client().CoreV1().Nodes().Create(tCtx, node, metav1.CreateOptions{})
+		node, err := tCtx.Client().CoreV1().Nodes().Create(tCtx, node, metav1.CreateOptions{FieldValidation: "Strict"})
 		tCtx.ExpectNoError(err, fmt.Sprintf("creating node #%d", i))
 
 		// Make the node ready.
@@ -379,7 +306,7 @@ func createNodes(tCtx ktesting.TContext) {
 			Capacity: v1.ResourceList{
 				v1.ResourceCPU:    resource.MustParse("100"),
 				v1.ResourceMemory: resource.MustParse("1000"),
-				v1.ResourcePods:   resource.MustParse("100"),
+				v1.ResourcePods:   *resource.NewScaledQuantity(maxPodsPerNode, 0),
 			},
 			Phase: v1.NodeRunning,
 			Conditions: []v1.NodeCondition{
@@ -519,7 +446,7 @@ func testPod(tCtx ktesting.TContext, draEnabled bool) {
 	namespace := createTestNamespace(tCtx, nil)
 	podWithClaimName := podWithClaimName.DeepCopy()
 	podWithClaimName.Namespace = namespace
-	pod, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, podWithClaimName, metav1.CreateOptions{})
+	pod, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, podWithClaimName, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create pod")
 	if draEnabled {
 		assert.NotEmpty(tCtx, pod.Spec.ResourceClaims, "should store resource claims in pod spec")
@@ -531,7 +458,7 @@ func testPod(tCtx ktesting.TContext, draEnabled bool) {
 // testAPIDisabled checks that the resource.k8s.io API is disabled.
 func testAPIDisabled(tCtx ktesting.TContext) {
 	tCtx.Parallel()
-	_, err := tCtx.Client().ResourceV1().ResourceClaims(claim.Namespace).Create(tCtx, claim, metav1.CreateOptions{})
+	_, err := tCtx.Client().ResourceV1().ResourceClaims(claim.Namespace).Create(tCtx, claim, metav1.CreateOptions{FieldValidation: "Strict"})
 	if !apierrors.IsNotFound(err) {
 		tCtx.Fatalf("expected 'resource not found' error, got %v", err)
 	}
@@ -543,7 +470,7 @@ func testConvert(tCtx ktesting.TContext) {
 	namespace := createTestNamespace(tCtx, nil)
 	claim := claim.DeepCopy()
 	claim.Namespace = namespace
-	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{})
+	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create claim")
 	claimBeta2, err := tCtx.Client().ResourceV1beta2().ResourceClaims(namespace).Get(tCtx, claim.Name, metav1.GetOptions{})
 	tCtx.ExpectNoError(err, "get claim")
@@ -556,12 +483,14 @@ func testConvert(tCtx ktesting.TContext) {
 // when the AdminAccess feature is enabled, it also checks that the field
 // is only allowed to be used in namespace with the Resource Admin Access label
 func testAdminAccess(tCtx ktesting.TContext, adminAccessEnabled bool) {
+	tCtx.Parallel()
+
 	namespace := createTestNamespace(tCtx, nil)
 	claim1 := claim.DeepCopy()
 	claim1.Namespace = namespace
 	claim1.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
 	// create claim with AdminAccess in non-admin namespace
-	_, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim1, metav1.CreateOptions{})
+	_, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim1, metav1.CreateOptions{FieldValidation: "Strict"})
 	if adminAccessEnabled {
 		if err != nil {
 			// should result in validation error
@@ -577,7 +506,7 @@ func testAdminAccess(tCtx ktesting.TContext, adminAccessEnabled bool) {
 		claim2.Namespace = adminNS
 		claim2.Name = "claim2"
 		claim2.Spec.Devices.Requests[0].Exactly.AdminAccess = ptr.To(true)
-		claim2, err := tCtx.Client().ResourceV1().ResourceClaims(adminNS).Create(tCtx, claim2, metav1.CreateOptions{})
+		claim2, err := tCtx.Client().ResourceV1().ResourceClaims(adminNS).Create(tCtx, claim2, metav1.CreateOptions{FieldValidation: "Strict"})
 		tCtx.ExpectNoError(err, "create claim")
 		if !ptr.Deref(claim2.Spec.Devices.Requests[0].Exactly.AdminAccess, true) {
 			tCtx.Fatalf("should store AdminAccess in ResourceClaim %v", claim2)
@@ -612,7 +541,7 @@ func testFilterTimeout(tCtx ktesting.TContext) {
 	claim = createClaim(tCtx, namespace, "", class, claim)
 
 	tCtx.Run("disabled", func(tCtx ktesting.TContext) {
-		pod := createPod(tCtx, namespace, "", claim, podWithClaimName)
+		pod := createPod(tCtx, namespace, "", podWithClaimName, claim)
 		startSchedulerWithConfig(tCtx, `
 profiles:
 - schedulerName: default-scheduler
@@ -625,7 +554,7 @@ profiles:
 	})
 
 	tCtx.Run("enabled", func(tCtx ktesting.TContext) {
-		pod := createPod(tCtx, namespace, "", claim, podWithClaimName)
+		pod := createPod(tCtx, namespace, "", podWithClaimName, claim)
 		startSchedulerWithConfig(tCtx, `
 profiles:
 - schedulerName: default-scheduler
@@ -683,13 +612,13 @@ func testPrioritizedList(tCtx ktesting.TContext, enabled bool) {
 	// We could create ResourceSlices for some node with the right driver.
 	// But failing during Filter is sufficient to determine that it did
 	// not fail during PreFilter because of FirstAvailable.
-	pod := createPod(tCtx, namespace, "", claim, podWithClaimName)
+	pod := createPod(tCtx, namespace, "", podWithClaimName, claim)
 	schedulingAttempted := gomega.HaveField("Status.Conditions", gomega.ContainElement(
 		gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
 			"Type":    gomega.Equal(v1.PodScheduled),
 			"Status":  gomega.Equal(v1.ConditionFalse),
 			"Reason":  gomega.Equal("Unschedulable"),
-			"Message": gomega.Equal("0/2 nodes are available: 2 cannot allocate all claims. still not schedulable, preemption: 0/2 nodes are available: 2 Preemption is not helpful for scheduling."),
+			"Message": gomega.Equal("0/8 nodes are available: 8 cannot allocate all claims. still not schedulable, preemption: 0/8 nodes are available: 8 Preemption is not helpful for scheduling."),
 		}),
 	))
 	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
@@ -699,27 +628,203 @@ func testPrioritizedList(tCtx ktesting.TContext, enabled bool) {
 	}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(schedulingAttempted)
 }
 
+type nodeInfo struct {
+	name       string
+	driverName string
+	class      *resourceapi.DeviceClass
+	pool       string
+}
+
+func testPrioritizedListScoring(tCtx ktesting.TContext) {
+	tCtx.Parallel()
+	namespace := createTestNamespace(tCtx, nil)
+	nodes, err := tCtx.Client().CoreV1().Nodes().List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, "list nodes")
+
+	// We don't want to use more than 8 nodes since we limit the number
+	// of subrequests to max 8.
+	var nodesForTest []v1.Node
+	if len(nodes.Items) > 8 {
+		nodesForTest = nodes.Items[:8]
+	} else {
+		nodesForTest = nodes.Items
+	}
+
+	// Create a separate device class and driver for each node. This makes
+	// it easy to create subrequests that can only be satisfied by specific
+	// nodes.
+	var nodeInfos []nodeInfo
+	for _, node := range nodesForTest {
+		driverName := fmt.Sprintf("%s-%s", namespace, node.Name)
+		class, driverName := createTestClass(tCtx, driverName)
+		slice := st.MakeResourceSlice(node.Name, driverName).Devices(device1, device2)
+		createSlice(tCtx, slice.Obj())
+		nodeInfos = append(nodeInfos, nodeInfo{
+			name:       node.Name,
+			driverName: driverName,
+			class:      class,
+			pool:       slice.Spec.Pool.Name,
+		})
+	}
+
+	// Randomize the list of nodes so the selected node isn't always the first one.
+	rand.Shuffle(len(nodeInfos), func(i, j int) {
+		nodeInfos[i], nodeInfos[j] = nodeInfos[j], nodeInfos[i]
+	})
+
+	startScheduler(tCtx)
+
+	tCtx.Run("single-claim", func(tCtx ktesting.TContext) {
+		var firstAvailable []resourceapi.DeviceSubRequest
+		for i := range nodeInfos {
+			firstAvailable = append(firstAvailable, resourceapi.DeviceSubRequest{
+				Name:            fmt.Sprintf("subreq-%d", i),
+				DeviceClassName: nodeInfos[i].class.Name,
+			})
+		}
+		claimPrioritizedList := st.MakeResourceClaim().
+			Name(claimName + "-pl-single-claim").
+			Namespace(namespace).
+			RequestWithPrioritizedList(firstAvailable...).
+			Obj()
+		claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claimPrioritizedList, metav1.CreateOptions{})
+		tCtx.ExpectNoError(err, "create claim "+claimName)
+
+		_ = createPod(tCtx, namespace, "-pl-single-claim", podWithClaimName, claim)
+		expectedSelectedRequest := fmt.Sprintf("%s/%s", claim.Spec.Devices.Requests[0].Name, claim.Spec.Devices.Requests[0].FirstAvailable[0].Name)
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+			c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim.Name, metav1.GetOptions{})
+			tCtx.ExpectNoError(err)
+			return c
+		}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(expectedAllocatedClaim(expectedSelectedRequest, nodeInfos[0]))
+	})
+
+	tCtx.Run("multi-claim", func(tCtx ktesting.TContext) {
+		// Set up two claims where the node in nodeInfos[2] will be the best
+		// option:
+		// nodeInfos[1]: rank 1 in claim1 and rank 3 in claim2, so it will get a score of 14
+		// nodeInfos[2]: rank 2 in claim1 and rank 1 in claim2, so it will get a score of 15
+		// nodeInfos[3]: rank 3 in claim1 and rank 2 in claim2, so it will get a score of 13
+		claimPrioritizedList1 := st.MakeResourceClaim().
+			Name(claimName + "-pl-multiclaim-1").
+			Namespace(namespace).
+			RequestWithPrioritizedList([]resourceapi.DeviceSubRequest{
+				{
+					Name:            "subreq-0",
+					DeviceClassName: nodeInfos[1].class.Name,
+				},
+				{
+					Name:            "subreq-1",
+					DeviceClassName: nodeInfos[2].class.Name,
+				},
+				{
+					Name:            "subreq-2",
+					DeviceClassName: nodeInfos[3].class.Name,
+				},
+			}...).
+			Obj()
+		claim1, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claimPrioritizedList1, metav1.CreateOptions{})
+		tCtx.ExpectNoError(err, "create claim "+claimName)
+
+		claimPrioritizedList2 := st.MakeResourceClaim().
+			Name(claimName + "-pl-multiclaim-2").
+			Namespace(namespace).
+			RequestWithPrioritizedList([]resourceapi.DeviceSubRequest{
+				{
+					Name:            "subreq-0",
+					DeviceClassName: nodeInfos[2].class.Name,
+				},
+				{
+					Name:            "subreq-1",
+					DeviceClassName: nodeInfos[3].class.Name,
+				},
+				{
+					Name:            "subreq-2",
+					DeviceClassName: nodeInfos[1].class.Name,
+				},
+			}...).
+			Obj()
+		claim2, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claimPrioritizedList2, metav1.CreateOptions{})
+		tCtx.ExpectNoError(err, "create claim "+claimName)
+
+		pod := st.MakePod().Name(podName).Namespace(namespace).
+			Container("my-container").
+			Obj()
+		_ = createPod(tCtx, namespace, "-pl-multiclaim", pod, claim1, claim2)
+
+		// The second subrequest in claim1 is for nodeInfos[2], so it should be chosen.
+		expectedSelectedRequest := fmt.Sprintf("%s/%s", claim1.Spec.Devices.Requests[0].Name, claim1.Spec.Devices.Requests[0].FirstAvailable[1].Name)
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+			c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claimPrioritizedList1.Name, metav1.GetOptions{})
+			tCtx.ExpectNoError(err)
+			return c
+		}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(expectedAllocatedClaim(expectedSelectedRequest, nodeInfos[2]))
+
+		// The first subrequest in claim2 is for nodeInfos[2], so it should be chosen.
+		expectedSelectedRequest = fmt.Sprintf("%s/%s", claim2.Spec.Devices.Requests[0].Name, claim2.Spec.Devices.Requests[0].FirstAvailable[0].Name)
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+			c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claimPrioritizedList2.Name, metav1.GetOptions{})
+			tCtx.ExpectNoError(err)
+			return c
+		}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(expectedAllocatedClaim(expectedSelectedRequest, nodeInfos[2]))
+	})
+}
+
+func expectedAllocatedClaim(request string, nodeInfo nodeInfo) gtypes.GomegaMatcher {
+	return gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Devices": gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"Results": gomega.HaveExactElements(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+				"Request": gomega.Equal(request),
+				"Driver":  gomega.Equal(nodeInfo.driverName),
+				"Pool":    gomega.Equal(nodeInfo.pool),
+			})),
+		}),
+		"NodeSelector": gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+			"NodeSelectorTerms": gomega.HaveExactElements(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+				"MatchFields": gomega.HaveExactElements(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+					"Key":      gomega.Equal("metadata.name"),
+					"Operator": gomega.Equal(v1.NodeSelectorOpIn),
+					"Values":   gomega.HaveExactElements(gomega.Equal(nodeInfo.name)),
+				})),
+			})),
+		})),
+	})))
+}
+
 func testExtendedResource(tCtx ktesting.TContext, enabled bool) {
 	tCtx.Parallel()
-	c, err := tCtx.Client().ResourceV1().DeviceClasses().Create(tCtx, classWithExtendedResource, metav1.CreateOptions{})
+
+	namespace := createTestNamespace(tCtx, nil)
+	driverName := namespace + driverNameSuffix
+	class := classWithExtendedResource.DeepCopy()
+	class.Spec.Selectors = []resourceapi.DeviceSelector{{
+		CEL: &resourceapi.CELDeviceSelector{
+			Expression: fmt.Sprintf("device.driver == %q", driverName),
+		},
+	}}
+	c, err := tCtx.Client().ResourceV1().DeviceClasses().Create(tCtx, class, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create class")
+
+	slice := st.MakeResourceSlice("worker-0", driverName).Devices(device1)
+	createSlice(tCtx, slice.Obj())
+
 	if enabled {
 		require.NotEmpty(tCtx, c.Spec.ExtendedResourceName, "should store ExtendedResourceName")
 	}
-	namespace := createTestNamespace(tCtx, nil)
+
 	tCtx.Run("scheduler", func(tCtx ktesting.TContext) {
 		startScheduler(tCtx)
 
 		pod := podWithExtendedResource.DeepCopy()
 		pod.Namespace = namespace
-		_, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod, metav1.CreateOptions{})
+		_, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod, metav1.CreateOptions{FieldValidation: "Strict"})
 		tCtx.ExpectNoError(err, "create pod")
 		schedulingAttempted := gomega.HaveField("Status.Conditions", gomega.ContainElement(
 			gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
 				"Type":    gomega.Equal(v1.PodScheduled),
 				"Status":  gomega.Equal(v1.ConditionFalse),
 				"Reason":  gomega.Equal("Unschedulable"),
-				"Message": gomega.Equal("0/2 nodes are available: 2 Insufficient my-example.com/my-extended-resource. no new claims to deallocate, preemption: 0/2 nodes are available: 2 Preemption is not helpful for scheduling."),
+				"Message": gomega.Equal("0/8 nodes are available: 8 Insufficient my-example.com/my-extended-resource. no new claims to deallocate, preemption: 0/8 nodes are available: 8 Preemption is not helpful for scheduling."),
 			}),
 		))
 		if enabled {
@@ -760,12 +865,16 @@ func testPublishResourceSlices(tCtx ktesting.TContext, haveLatestAPI bool, disab
 						},
 					},
 					{
-						SharedCounters: []resourceapi.CounterSet{{
-							Name: "gpu-0",
-							Counters: map[string]resourceapi.Counter{
-								"mem": {Value: resource.MustParse("1")},
+						SharedCounters: []resourceapi.CounterSet{
+							{
+								Name: "gpu-0",
+								Counters: map[string]resourceapi.Counter{
+									"mem": {Value: resource.MustParse("1")},
+								},
 							},
-						}},
+						},
+					},
+					{
 						Devices: []resourceapi.Device{
 							{
 								Name: "device-tainted-default",
@@ -828,32 +937,46 @@ func testPublishResourceSlices(tCtx ktesting.TContext, haveLatestAPI bool, disab
 			Devices:        sl.Devices,
 		})
 	}
-	for _, disabled := range disabledFeatures {
-		switch disabled {
-		case features.DRADeviceTaints:
-			for i := range expectedSliceSpecs {
-				for e := range expectedSliceSpecs[i].Devices {
-					expectedSliceSpecs[i].Devices[e].Taints = nil
+
+	// Keep track of the disabled features used in each slice. This allows us to check
+	// that we get the right set of features listed in the droppedFields error.
+	disabledFeaturesBySlice := make([]sets.Set[featuregate.Feature], len(resources.Pools[poolName].Slices))
+	for i := range expectedSliceSpecs {
+		disabledFeaturesForSlice := sets.New[featuregate.Feature]()
+		for _, disabled := range disabledFeatures {
+			switch disabled {
+			case features.DRADeviceTaints:
+				for e, device := range expectedSliceSpecs[i].Devices {
+					if device.Taints != nil {
+						expectedSliceSpecs[i].Devices[e].Taints = nil
+						disabledFeaturesForSlice.Insert(disabled)
+					}
 				}
-			}
-		case features.DRAPartitionableDevices:
-			for i := range expectedSliceSpecs {
-				expectedSliceSpecs[i].SharedCounters = nil
-				for e := range expectedSliceSpecs[i].Devices {
-					expectedSliceSpecs[i].Devices[e].ConsumesCounters = nil
+			case features.DRAPartitionableDevices:
+				if expectedSliceSpecs[i].SharedCounters != nil {
+					expectedSliceSpecs[i].SharedCounters = nil
+					disabledFeaturesForSlice.Insert(disabled)
 				}
-			}
-		case features.DRADeviceBindingConditions:
-			for i := range expectedSliceSpecs {
-				for e := range expectedSliceSpecs[i].Devices {
-					expectedSliceSpecs[i].Devices[e].BindingConditions = nil
-					expectedSliceSpecs[i].Devices[e].BindingFailureConditions = nil
-					expectedSliceSpecs[i].Devices[e].BindsToNode = nil
+				for e, device := range expectedSliceSpecs[i].Devices {
+					if device.ConsumesCounters != nil {
+						expectedSliceSpecs[i].Devices[e].ConsumesCounters = nil
+						disabledFeaturesForSlice.Insert(disabled)
+					}
+				}
+			case features.DRADeviceBindingConditions:
+				for e, device := range expectedSliceSpecs[i].Devices {
+					if device.BindingConditions != nil || device.BindingFailureConditions != nil || device.BindsToNode != nil {
+						expectedSliceSpecs[i].Devices[e].BindingConditions = nil
+						expectedSliceSpecs[i].Devices[e].BindingFailureConditions = nil
+						expectedSliceSpecs[i].Devices[e].BindsToNode = nil
+						disabledFeaturesForSlice.Insert(disabled)
+					}
 				}
+			default:
+				tCtx.Fatalf("faulty test, case for %s missing", disabled)
 			}
-		default:
-			tCtx.Fatalf("faulty test, case for %s missing", disabled)
 		}
+		disabledFeaturesBySlice[i] = disabledFeaturesForSlice
 	}
 	var expectedSlices []any
 	for _, spec := range expectedSliceSpecs {
@@ -968,10 +1091,13 @@ func testPublishResourceSlices(tCtx ktesting.TContext, haveLatestAPI bool, disab
 				var droppedFields *resourceslice.DroppedFieldsError
 				if errors.As(err, &droppedFields) {
 					var disabled []string
-					for _, feature := range disabledFeatures {
+					for _, feature := range disabledFeaturesBySlice[droppedFields.SliceIndex].UnsortedList() {
 						disabled = append(disabled, string(feature))
 					}
-					assert.ErrorContains(tCtx, err, fmt.Sprintf("pool %q, slice #1: some fields were dropped by the apiserver, probably because these features are disabled: %s", poolName, strings.Join(disabled, " ")))
+					// Make sure the error is about the right resource pool.
+					assert.Equal(tCtx, poolName, droppedFields.PoolName)
+					// Make sure the error identifies the correct disabled features.
+					assert.ElementsMatch(tCtx, disabled, droppedFields.DisabledFeatures())
 					gotDroppedFieldError.Store(true)
 				} else if validationErrorsOkay.Load() && apierrors.IsInvalid(err) {
 					gotValidationError.Store(true)
@@ -1051,6 +1177,9 @@ func testPublishResourceSlices(tCtx ktesting.TContext, haveLatestAPI bool, disab
 			slices, err := tCtx.Client().ResourceV1().ResourceSlices().List(tCtx, listDriverSlices)
 			tCtx.ExpectNoError(err, "list slices")
 			for _, slice := range slices.Items {
+				if len(slice.Spec.Devices) == 0 {
+					continue
+				}
 				if slice.Spec.Devices[0].Attributes == nil {
 					slice.Spec.Devices[0].Attributes = make(map[resourceapi.QualifiedName]resourceapi.DeviceAttribute)
 				}
@@ -1070,6 +1199,8 @@ func testPublishResourceSlices(tCtx ktesting.TContext, haveLatestAPI bool, disab
 //
 // When enabled, it tries server-side-apply (SSA) with different clients. This is what DRA drivers should be using.
 func testResourceClaimDeviceStatus(tCtx ktesting.TContext, enabled bool) {
+	tCtx.Parallel()
+
 	namespace := createTestNamespace(tCtx, nil)
 
 	claim := &resourceapi.ResourceClaim{
@@ -1090,7 +1221,7 @@ func testResourceClaimDeviceStatus(tCtx ktesting.TContext, enabled bool) {
 		},
 	}
 
-	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{})
+	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create ResourceClaim")
 
 	deviceStatus := []resourceapi.AllocatedDeviceStatus{{
@@ -1239,30 +1370,33 @@ func testResourceClaimDeviceStatus(tCtx ktesting.TContext, enabled bool) {
 	require.Equal(tCtx, deviceStatus, claim.Status.Devices, "after removing device status three")
 }
 
-// testMaxResourceSlice creates a ResourceSlice that is as large as possible
+// testMaxResourceSlice creates ResourceSlices that are as large as possible
 // and prints some information about it.
 func testMaxResourceSlice(tCtx ktesting.TContext) {
-	slice := NewMaxResourceSlice()
-	createdSlice, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err)
-	totalSize := createdSlice.Size()
-	var managedFieldsSize int
-	for _, f := range createdSlice.ManagedFields {
-		managedFieldsSize += f.Size()
-	}
-	specSize := createdSlice.Spec.Size()
-	tCtx.Logf("\n\nTotal size: %s\nManagedFields size: %s (%.0f%%)\nSpec size: %s (%.0f)%%\n\nManagedFields:\n%s",
-		resource.NewQuantity(int64(totalSize), resource.BinarySI),
-		resource.NewQuantity(int64(managedFieldsSize), resource.BinarySI), float64(managedFieldsSize)*100/float64(totalSize),
-		resource.NewQuantity(int64(specSize), resource.BinarySI), float64(specSize)*100/float64(totalSize),
-		klog.Format(createdSlice.ManagedFields),
-	)
-	if diff := cmp.Diff(slice.Spec, createdSlice.Spec); diff != "" {
-		tCtx.Errorf("ResourceSliceSpec got modified during Create (- want, + got):\n%s", diff)
+	for name, slice := range NewMaxResourceSlices() {
+		tCtx.Run(name, func(tCtx ktesting.TContext) {
+			createdSlice := createSlice(tCtx, slice)
+			totalSize := createdSlice.Size()
+			var managedFieldsSize int
+			for _, f := range createdSlice.ManagedFields {
+				managedFieldsSize += f.Size()
+			}
+			specSize := createdSlice.Spec.Size()
+			tCtx.Logf("\n\nTotal size: %s\nManagedFields size: %s (%.0f%%)\nSpec size: %s (%.0f)%%\n\nManagedFields:\n%s",
+				resource.NewQuantity(int64(totalSize), resource.BinarySI),
+				resource.NewQuantity(int64(managedFieldsSize), resource.BinarySI), float64(managedFieldsSize)*100/float64(totalSize),
+				resource.NewQuantity(int64(specSize), resource.BinarySI), float64(specSize)*100/float64(totalSize),
+				klog.Format(createdSlice.ManagedFields),
+			)
+			if diff := cmp.Diff(slice.Spec, createdSlice.Spec); diff != "" {
+				tCtx.Errorf("ResourceSliceSpec got modified during Create (- want, + got):\n%s", diff)
+			}
+		})
 	}
 }
 
-// testControllerManagerMetrics tests ResourceClaim metrics
+// testControllerManagerMetrics tests ResourceClaim metrics.
+// It must run sequentially.
 func testControllerManagerMetrics(tCtx ktesting.TContext) {
 	namespace := createTestNamespace(tCtx, nil)
 	class, _ := createTestClass(tCtx, namespace)
@@ -1319,7 +1453,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err := tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, template1, metav1.CreateOptions{})
+	_, err := tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, template1, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create ResourceClaimTemplate without admin access")
 
 	pod1 := &v1.Pod{
@@ -1339,7 +1473,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod1, metav1.CreateOptions{})
+	_, err = tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod1, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create Pod with ResourceClaimTemplate without admin access")
 
 	time.Sleep(200 * time.Millisecond)
@@ -1373,7 +1507,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(adminNS).Create(tCtx, template2, metav1.CreateOptions{})
+	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(adminNS).Create(tCtx, template2, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create ResourceClaimTemplate with admin access")
 
 	pod2 := &v1.Pod{
@@ -1393,7 +1527,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().CoreV1().Pods(adminNS).Create(tCtx, pod2, metav1.CreateOptions{})
+	_, err = tCtx.Client().CoreV1().Pods(adminNS).Create(tCtx, pod2, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create Pod with ResourceClaimTemplate with admin access in admin namespace")
 
 	time.Sleep(200 * time.Millisecond)
@@ -1424,7 +1558,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, invalidTemplate, metav1.CreateOptions{})
+	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, invalidTemplate, metav1.CreateOptions{FieldValidation: "Strict"})
 	require.Error(tCtx, err, "should fail to create ResourceClaimTemplate with AdminAccess in non-admin namespace")
 	require.ErrorContains(tCtx, err, "admin access to devices requires the `resource.kubernetes.io/admin-access: true` label on the containing namespace")
 
@@ -1448,7 +1582,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, template4, metav1.CreateOptions{})
+	_, err = tCtx.Client().ResourceV1().ResourceClaimTemplates(namespace).Create(tCtx, template4, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create second ResourceClaimTemplate without admin access")
 
 	pod4 := &v1.Pod{
@@ -1468,7 +1602,7 @@ func testControllerManagerMetrics(tCtx ktesting.TContext) {
 		},
 	}
 
-	_, err = tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod4, metav1.CreateOptions{})
+	_, err = tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod4, metav1.CreateOptions{FieldValidation: "Strict"})
 	tCtx.ExpectNoError(err, "create second Pod with ResourceClaimTemplate without admin access")
 
 	time.Sleep(200 * time.Millisecond)
@@ -1490,205 +1624,125 @@ func matchPointer[T any](p *T) gtypes.GomegaMatcher {
 	return gstruct.PointTo(gomega.Equal(*p))
 }
 
-// testDeviceBindingConditions tests scheduling with mixed devices: one with BindingConditions, one without.
-// It verifies that the scheduler prioritizes the device without BindingConditions for the first pod.
-// The second pod then uses the device with BindingConditions. The test checks that the scheduler retries
-// after an initial binding failure of the second pod, ensuring successful scheduling after rescheduling.
-func testDeviceBindingConditions(tCtx ktesting.TContext, enabled bool) {
-	namespace := createTestNamespace(tCtx, nil)
-	class, driverName := createTestClass(tCtx, namespace)
-
-	nodeName := "worker-0"
-	poolWithBinding := nodeName + "-with-binding"
-	poolWithoutBinding := nodeName + "-without-binding"
-	bindingCondition := "attached"
-	failureCondition := "failed"
+func testInvalidResourceSlices(tCtx ktesting.TContext) {
+	driverNamePlaceholder := "driver"
 	startScheduler(tCtx)
-
-	slice := &resourceapi.ResourceSlice{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: namespace + "-",
-		},
-		Spec: resourceapi.ResourceSliceSpec{
-			NodeName: &nodeName,
-			Pool: resourceapi.ResourcePool{
-				Name:               poolWithBinding,
-				ResourceSliceCount: 1,
+	testCases := map[string]struct {
+		slices                        []*st.ResourceSliceWrapper
+		expectPodToSchedule           bool
+		expectedPodScheduledCondition gstruct.Fields
+		expectedPool                  string
+	}{
+		"invalid-one-node-and-valid-other": {
+			slices: []*st.ResourceSliceWrapper{
+				func() *st.ResourceSliceWrapper {
+					invalidPoolSlice := st.MakeResourceSlice("worker-0", driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice.Name += "-1"
+					invalidPoolSlice.Spec.Pool.ResourceSliceCount = 2
+					return invalidPoolSlice
+				}(),
+				func() *st.ResourceSliceWrapper {
+					invalidPoolSlice := st.MakeResourceSlice("worker-0", driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice.Name += "-2"
+					invalidPoolSlice.Spec.Pool.ResourceSliceCount = 2
+					return invalidPoolSlice
+				}(),
+				func() *st.ResourceSliceWrapper {
+					validPoolSlice := st.MakeResourceSlice("worker-1", driverNamePlaceholder).Devices("device-1")
+					return validPoolSlice
+				}(),
 			},
-			Driver: driverName,
-			Devices: []resourceapi.Device{
-				{
-					Name:                     "with-binding",
-					BindingConditions:        []string{bindingCondition},
-					BindingFailureConditions: []string{failureCondition},
-				},
+			expectPodToSchedule: true,
+			expectedPodScheduledCondition: gstruct.Fields{
+				"Type":   gomega.Equal(v1.PodScheduled),
+				"Status": gomega.Equal(v1.ConditionTrue),
 			},
+			expectedPool: "worker-1",
 		},
-	}
-	slice, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create slice")
-
-	haveBindingConditionFields := len(slice.Spec.Devices[0].BindingConditions) > 0 || len(slice.Spec.Devices[0].BindingFailureConditions) > 0
-	if !enabled {
-		if haveBindingConditionFields {
-			tCtx.Fatalf("Expected device binding condition fields to get dropped, got instead:\n%s", format.Object(slice, 1))
-		}
-		return
-	}
-	if !haveBindingConditionFields {
-		tCtx.Fatalf("Expected device binding condition fields to be stored, got instead:\n%s", format.Object(slice, 1))
-	}
-
-	sliceWithoutBinding := &resourceapi.ResourceSlice{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: namespace + "-without-binding-",
-		},
-		Spec: resourceapi.ResourceSliceSpec{
-			NodeName: &nodeName,
-			Pool: resourceapi.ResourcePool{
-				Name:               poolWithoutBinding,
-				ResourceSliceCount: 1,
+		"only-invalid-for-one-node": {
+			slices: []*st.ResourceSliceWrapper{
+				func() *st.ResourceSliceWrapper {
+					invalidPoolSlice := st.MakeResourceSlice("worker-0", driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice.Name += "-1"
+					invalidPoolSlice.Spec.Pool.ResourceSliceCount = 2
+					return invalidPoolSlice
+				}(),
+				func() *st.ResourceSliceWrapper {
+					invalidPoolSlice := st.MakeResourceSlice("worker-0", driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice.Name += "-2"
+					invalidPoolSlice.Spec.Pool.ResourceSliceCount = 2
+					return invalidPoolSlice
+				}(),
 			},
-			Driver: driverName,
-			Devices: []resourceapi.Device{
-				{
-					Name: "without-binding",
-				},
+			expectPodToSchedule: false,
+			expectedPodScheduledCondition: gstruct.Fields{
+				"Type":    gomega.Equal(v1.PodScheduled),
+				"Status":  gomega.Equal(v1.ConditionFalse),
+				"Message": gomega.Equal("0/8 nodes are available: 1 invalid resource pools were encountered, 7 cannot allocate all claims. still not schedulable, preemption: 0/8 nodes are available: 8 Preemption is not helpful for scheduling."),
+			},
+		},
+		"invalid-for-all-nodes": {
+			slices: func() []*st.ResourceSliceWrapper {
+				var slices []*st.ResourceSliceWrapper
+				for i := 0; i < 8; i++ {
+					nodeName := fmt.Sprintf("worker-%d", i)
+					invalidPoolSlice1 := st.MakeResourceSlice(nodeName, driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice1.Name += "-1"
+					invalidPoolSlice1.Spec.Pool.ResourceSliceCount = 2
+
+					invalidPoolSlice2 := st.MakeResourceSlice(nodeName, driverNamePlaceholder).Devices("device-1")
+					invalidPoolSlice2.Name += "-2"
+					invalidPoolSlice2.Spec.Pool.ResourceSliceCount = 2
+					slices = append(slices, invalidPoolSlice1, invalidPoolSlice2)
+				}
+				return slices
+			}(),
+			expectPodToSchedule: false,
+			expectedPodScheduledCondition: gstruct.Fields{
+				"Type":    gomega.Equal(v1.PodScheduled),
+				"Status":  gomega.Equal(v1.ConditionFalse),
+				"Message": gomega.Equal("0/8 nodes are available: 8 invalid resource pools were encountered. still not schedulable, preemption: 0/8 nodes are available: 8 Preemption is not helpful for scheduling."),
 			},
 		},
 	}
-	_, err = tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, sliceWithoutBinding, metav1.CreateOptions{})
-	tCtx.ExpectNoError(err, "create slice without binding conditions")
-
-	// Schedule first pod and wait for the scheduler to reach the binding phase, which marks the claim as allocated.
-	start := time.Now()
-	claim1 := createClaim(tCtx, namespace, "-a", class, claim)
-	pod := createPod(tCtx, namespace, "-a", claim1, podWithClaimName)
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
-		c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim1.Name, metav1.GetOptions{})
-		tCtx.ExpectNoError(err)
-		claim1 = c
-		return claim1
-	}).WithTimeout(10*time.Second).WithPolling(time.Second).Should(gomega.HaveField("Status.Allocation", gomega.Not(gomega.BeNil())), "Claim should have been allocated.")
-	end := time.Now()
-	gomega.NewWithT(tCtx).Expect(claim1).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
-		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
-			Results: []resourceapi.DeviceRequestAllocationResult{{
-				Request: claim1.Spec.Devices.Requests[0].Name,
-				Driver:  driverName,
-				Pool:    poolWithoutBinding,
-				Device:  "without-binding",
-			}}}),
-		// NodeSelector intentionally not checked - that's covered elsewhere.
-		"AllocationTimestamp": gomega.HaveField("Time", gomega.And(
-			gomega.BeTemporally(">=", start.Truncate(time.Second) /* may get rounded down during round-tripping */),
-			gomega.BeTemporally("<=", end),
-		)),
-	}))), "first allocated claim")
-
-	err = waitForPodScheduled(tCtx, tCtx.Client(), namespace, pod.Name)
-	tCtx.ExpectNoError(err, "first pod scheduled")
-
-	// Second pod should get the device with binding conditions.
-	claim2 := createClaim(tCtx, namespace, "-b", class, claim)
-	pod = createPod(tCtx, namespace, "-b", claim2, podWithClaimName)
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
-		c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim2.Name, metav1.GetOptions{})
-		tCtx.ExpectNoError(err)
-		claim2 = c
-		return claim2
-	}).WithTimeout(10*time.Second).WithPolling(time.Second).Should(gomega.HaveField("Status.Allocation", gomega.Not(gomega.BeNil())), "Claim should have been allocated.")
-	end = time.Now()
-	gomega.NewWithT(tCtx).Expect(claim2).To(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
-		"Devices": gomega.Equal(resourceapi.DeviceAllocationResult{
-			Results: []resourceapi.DeviceRequestAllocationResult{{
-				Request:                  claim2.Spec.Devices.Requests[0].Name,
-				Driver:                   driverName,
-				Pool:                     poolWithBinding,
-				Device:                   "with-binding",
-				BindingConditions:        []string{bindingCondition},
-				BindingFailureConditions: []string{failureCondition},
-			}}}),
-		// NodeSelector intentionally not checked - that's covered elsewhere.
-		"AllocationTimestamp": gomega.HaveField("Time", gomega.And(
-			gomega.BeTemporally(">=", start.Truncate(time.Second) /* may get rounded down during round-tripping */),
-			gomega.BeTemporally("<=", end),
-		)),
-	}))), "second allocated claim")
-
-	// fail the binding condition for the second claim, so that it gets scheduled later.
-	claim2.Status.Devices = []resourceapi.AllocatedDeviceStatus{{
-		Driver: driverName,
-		Pool:   poolWithBinding,
-		Device: "with-binding",
-		Conditions: []metav1.Condition{{
-			Type:               failureCondition,
-			Status:             metav1.ConditionTrue,
-			ObservedGeneration: claim2.Generation,
-			LastTransitionTime: metav1.Now(),
-			Reason:             "Testing",
-			Message:            "The test has seen the allocation and is failing the binding.",
-		}},
-	}}
 
-	claim2, err = tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus(tCtx, claim2, metav1.UpdateOptions{})
-	tCtx.ExpectNoError(err, "add binding failure condition to second claim")
-
-	// Wait until the claim.status.Devices[0].Conditions become nil again after rescheduling.
-	setConditionsFlag := false
-	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
-		c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim2.Name, metav1.GetOptions{})
-		tCtx.ExpectNoError(err, "get claim")
-		claim2 = c
-		if claim2.Status.Devices != nil && len(claim2.Status.Devices[0].Conditions) != 0 {
-			setConditionsFlag = true
-		}
-		if setConditionsFlag && len(claim2.Status.Devices) == 0 {
-			// The scheduler has retried and removed the conditions.
-			// This is the expected state. Finish waiting.
-			return nil
-		}
-		return claim2
-	}).WithTimeout(30*time.Second).WithPolling(time.Second).Should(gomega.BeNil(), "claim should not have any condition")
-
-	// Allow the scheduler to proceed.
-	claim2.Status.Devices = []resourceapi.AllocatedDeviceStatus{{
-		Driver: driverName,
-		Pool:   poolWithBinding,
-		Device: "with-binding",
-		Conditions: []metav1.Condition{{
-			Type:               bindingCondition,
-			Status:             metav1.ConditionTrue,
-			ObservedGeneration: claim2.Generation,
-			LastTransitionTime: metav1.Now(),
-			Reason:             "Testing",
-			Message:            "The test has seen the allocation.",
-		}},
-	}}
-
-	claim2, err = tCtx.Client().ResourceV1().ResourceClaims(namespace).UpdateStatus(tCtx, claim2, metav1.UpdateOptions{})
-	tCtx.ExpectNoError(err, "add binding condition to second claim")
-	err = waitForPodScheduled(tCtx, tCtx.Client(), namespace, pod.Name)
-	tCtx.ExpectNoError(err, "second pod scheduled")
-}
-
-func waitForPodScheduled(ctx context.Context, client kubernetes.Interface, namespace, podName string) error {
-	timeout := time.After(60 * time.Second)
-	tick := time.Tick(1 * time.Second)
-	for {
-		select {
-		case <-timeout:
-			return fmt.Errorf("timed out waiting for pod %s/%s to be scheduled", namespace, podName)
-		case <-tick:
-			pod, err := client.CoreV1().Pods(namespace).Get(ctx, podName, metav1.GetOptions{})
-			if err != nil {
-				continue
+	for tn, tc := range testCases {
+		tCtx.Run(tn, func(tCtx ktesting.TContext) {
+			namespace := createTestNamespace(tCtx, nil)
+			class, driverName := createTestClass(tCtx, namespace)
+			for _, slice := range tc.slices {
+				// update the driver since we don't know the actual name until the
+				// class is created.
+				slice.Spec.Driver = driverName
+				createSlice(tCtx, slice.Obj())
 			}
-			for _, cond := range pod.Status.Conditions {
-				if cond.Type == v1.PodScheduled && cond.Status == v1.ConditionTrue {
-					return nil
-				}
+
+			claim := createClaim(tCtx, namespace, "", class, claim)
+			pod := createPod(tCtx, namespace, "", podWithClaimName, claim)
+			schedulingAttempted := gomega.HaveField("Status.Conditions", gomega.ContainElement(
+				gstruct.MatchFields(gstruct.IgnoreExtras, tc.expectedPodScheduledCondition),
+			))
+			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
+				pod, err := tCtx.Client().CoreV1().Pods(namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+				tCtx.ExpectNoError(err, "get pod")
+				return pod
+			}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(schedulingAttempted)
+
+			// Only check the ResourceClaim if we expected the Pod to schedule.
+			if tc.expectPodToSchedule {
+				ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+					c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claim.Name, metav1.GetOptions{})
+					tCtx.ExpectNoError(err)
+					return c
+				}).WithTimeout(10 * time.Second).WithPolling(time.Second).Should(gomega.HaveField("Status.Allocation", gstruct.PointTo(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+					"Devices": gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+						"Results": gomega.HaveExactElements(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+							"Driver": gomega.Equal(driverName),
+							"Pool":   gomega.Equal(tc.expectedPool),
+						})),
+					}),
+				}))))
 			}
-		}
+		})
 	}
 }
diff --git a/test/integration/dra/helpers_test.go b/test/integration/dra/helpers_test.go
new file mode 100644
index 0000000000000..32484053572fc
--- /dev/null
+++ b/test/integration/dra/helpers_test.go
@@ -0,0 +1,229 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dra
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/onsi/gomega"
+	gtypes "github.com/onsi/gomega/types"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	driverNameSuffix = ".driver"
+	classNameSuffix  = ".class"
+)
+
+// must can be wrapped around a Create/Update/Patch/Get/Delete call and handles the error checking:
+//
+//	pod = must(tCtx, tCtx.Client().CoreV1().Pods(namespace).Create, pod, metav1.CreateOptions{})
+func must[R, P, O any](tCtx ktesting.TContext, call func(context.Context, P, O) (*R, error), p P, o O) *R {
+	tCtx.Helper()
+	r, err := call(tCtx, p, o)
+	tCtx.ExpectNoError(err)
+	return r
+}
+
+// createTestNamespace creates a namespace with a name that is derived from the
+// current test name:
+// - Non-alpha-numeric characters replaced by hyphen.
+// - Truncated in the middle to make it short enough for GenerateName.
+// - Hyphen plus random suffix added by the apiserver.
+func createTestNamespace(tCtx ktesting.TContext, labels map[string]string) string {
+	tCtx.Helper()
+	name := regexp.MustCompile(`[^[:alnum:]_-]`).ReplaceAllString(tCtx.Name(), "-")
+	name = strings.ToLower(name)
+	// Make sure the generated name leaves enough room so we
+	// can use it as a prefix for the driver name.
+	if len(name) > (56 - len(driverNameSuffix)) {
+		name = name[:24] + "--" + name[len(name)-24:]
+	}
+	ns := &v1.Namespace{ObjectMeta: metav1.ObjectMeta{GenerateName: name + "-"}}
+	ns.Labels = labels
+	ns, err := tCtx.Client().CoreV1().Namespaces().Create(tCtx, ns, metav1.CreateOptions{})
+	tCtx.ExpectNoError(err, "create test namespace")
+	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+		tCtx.ExpectNoError(tCtx.Client().CoreV1().Namespaces().Delete(tCtx, ns.Name, metav1.DeleteOptions{}))
+		// *Not* waiting here. Deleting namespaces is slow.
+	})
+	return ns.Name
+}
+
+// createSlice creates the given ResourceSlice and removes it when the test is done.
+func createSlice(tCtx ktesting.TContext, slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+	tCtx.Helper()
+	slice, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{})
+	tCtx.ExpectNoError(err, "create ResourceSlice")
+	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+		tCtx.Log("Cleaning up ResourceSlice...")
+		deleteAndWait(tCtx, tCtx.Client().ResourceV1().ResourceSlices().Delete, tCtx.Client().ResourceV1().ResourceSlices().Get, slice.Name)
+	})
+	return slice
+}
+
+// createTestClass creates a DeviceClass with a driver name derived from the test namespace
+func createTestClass(tCtx ktesting.TContext, namespace string) (*resourceapi.DeviceClass, string) {
+	tCtx.Helper()
+	driverName := namespace + driverNameSuffix
+	class := class.DeepCopy()
+	class.Name = namespace + classNameSuffix
+	class.Spec.Selectors = []resourceapi.DeviceSelector{{
+		CEL: &resourceapi.CELDeviceSelector{
+			Expression: fmt.Sprintf("device.driver == %q", driverName),
+		},
+	}}
+	_, err := tCtx.Client().ResourceV1().DeviceClasses().Create(tCtx, class, metav1.CreateOptions{})
+	tCtx.ExpectNoError(err, "create class")
+	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+		tCtx.Log("Cleaning up DeviceClass...")
+		deleteAndWait(tCtx, tCtx.Client().ResourceV1().DeviceClasses().Delete, tCtx.Client().ResourceV1().DeviceClasses().Get, class.Name)
+	})
+
+	return class, driverName
+}
+
+// createClaim creates a claim and in the namespace.
+// The class must already exist and is used for all requests.
+func createClaim(tCtx ktesting.TContext, namespace string, suffix string, class *resourceapi.DeviceClass, claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+	tCtx.Helper()
+	claim = claim.DeepCopy()
+	claim.Namespace = namespace
+	claim.Name += suffix
+	claimName := claim.Name
+	for i := range claim.Spec.Devices.Requests {
+		request := &claim.Spec.Devices.Requests[i]
+		if request.Exactly != nil && request.Exactly.DeviceClassName != "" {
+			request.Exactly.DeviceClassName = class.Name
+			continue
+		}
+		for e := range request.FirstAvailable {
+			subRequest := &request.FirstAvailable[e]
+			subRequest.DeviceClassName = class.Name
+		}
+	}
+	claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{})
+	tCtx.ExpectNoError(err, "create claim "+claimName)
+	// TODO: some tests leak claims. Probably they need to be fixed... later.
+	// tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+	//		// We want to know when tearing this down gets stuck.
+	//	deleteAndWait(tCtx, tCtx.Client().ResourceV1().ResourceClaims(namespace).Delete, tCtx.Client().ResourceV1().ResourceClaims(namespace).Get, claim.Name)
+	// })
+	return claim
+}
+
+// createPod create a pod in the namespace, referencing the given claim.
+func createPod(tCtx ktesting.TContext, namespace string, suffix string, pod *v1.Pod, claims ...*resourceapi.ResourceClaim) *v1.Pod {
+	tCtx.Helper()
+	pod = pod.DeepCopy()
+	pod.Name += suffix
+	podName := pod.Name
+	pod.Namespace = namespace
+	var resourceClaims []v1.PodResourceClaim
+	for _, claim := range claims {
+		resourceClaims = append(resourceClaims, v1.PodResourceClaim{
+			Name:              claim.Name,
+			ResourceClaimName: &claim.Name,
+		})
+	}
+	pod.Spec.ResourceClaims = resourceClaims
+	pod, err := tCtx.Client().CoreV1().Pods(namespace).Create(tCtx, pod, metav1.CreateOptions{})
+	tCtx.ExpectNoError(err, "create pod "+podName)
+	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
+		tCtx.Log("Cleaning up Pod...")
+		// We must delete pods before uninstalling our driver.
+		// Also, we want to know when stopping it gets stuck.
+		deleteAndWait(tCtx, tCtx.Client().CoreV1().Pods(namespace).Delete, tCtx.Client().CoreV1().Pods(namespace).Get, pod.Name)
+	})
+	return pod
+}
+
+func waitForPodScheduled(tCtx ktesting.TContext, namespace, podName string) {
+	tCtx.Helper()
+
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *v1.Pod {
+		return must(tCtx, tCtx.Client().CoreV1().Pods(namespace).Get, podName, metav1.GetOptions{})
+	}).WithTimeout(60*time.Second).Should(
+		gomega.HaveField("Status.Conditions", gomega.ContainElement(
+			gomega.And(
+				gomega.HaveField("Type", gomega.Equal(v1.PodScheduled)),
+				gomega.HaveField("Status", gomega.Equal(v1.ConditionTrue)),
+			),
+		)),
+		"Pod %s should have been scheduled.", podName,
+	)
+}
+
+func deleteAndWait[T any](tCtx ktesting.TContext, del func(context.Context, string, metav1.DeleteOptions) error, get func(context.Context, string, metav1.GetOptions) (T, error), name string) {
+	tCtx.Helper()
+
+	var t T
+	var anyT any = t
+	var options metav1.DeleteOptions
+	if _, ok := anyT.(*v1.Pod); ok {
+		// Special case for pods: we don't have a kubelet which acknowledges
+		// shutdown of a scheduled pod, so we have to force-delete.
+		options.GracePeriodSeconds = ptr.To(int64(0))
+	}
+
+	tCtx.ExpectNoError(del(tCtx, name, options), fmt.Sprintf("delete %T %s", t, name))
+	waitForNotFound(tCtx, get, name)
+}
+
+func waitForNotFound[T any](tCtx ktesting.TContext, get func(context.Context, string, metav1.GetOptions) (T, error), name string) {
+	tCtx.Helper()
+
+	var t T
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+		_, err := get(tCtx, name, metav1.GetOptions{})
+		return err
+	}).WithTimeout(60*time.Second).Should(gomega.MatchError(apierrors.IsNotFound, "IsNotFound"), "Object %T %s should have been removed.", t, name)
+}
+
+func waitForClaim(tCtx ktesting.TContext, namespace, claimName string, timeout time.Duration, match gtypes.GomegaMatcher, description ...any) *resourceapi.ResourceClaim {
+	tCtx.Helper()
+	var latestClaim *resourceapi.ResourceClaim
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+		c, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Get(tCtx, claimName, metav1.GetOptions{})
+		tCtx.ExpectNoError(err, "get claim")
+		latestClaim = c
+		return latestClaim
+	}).WithTimeout(timeout).WithPolling(time.Second).Should(match, description...)
+	return latestClaim
+}
+
+func waitForClaimAllocatedToDevice(tCtx ktesting.TContext, namespace, claimName string, timeout time.Duration) *resourceapi.ResourceClaim {
+	tCtx.Helper()
+	return waitForClaim(
+		tCtx,
+		namespace,
+		claimName,
+		timeout,
+		gomega.HaveField("Status.Allocation", gomega.Not(gomega.BeNil())),
+		"Claim should have been allocated.",
+	)
+}
diff --git a/test/integration/dra/objects.go b/test/integration/dra/objects.go
index aef0001e14cf5..1fb2f25da65f8 100644
--- a/test/integration/dra/objects.go
+++ b/test/integration/dra/objects.go
@@ -29,11 +29,101 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-// NewMaxResourceSlice creates a slice that is as large as possible given the current validation constraints.
-func NewMaxResourceSlice() *resourceapi.ResourceSlice {
-	slice := &resourceapi.ResourceSlice{
+// NewMaxResourceSlices creates slices that are as large as possible given the current validation constraints.
+func NewMaxResourceSlices() map[string]*resourceapi.ResourceSlice {
+	slices := map[string]*resourceapi.ResourceSlice{
+		"basic":                             newBasicResourceSlice(resourceapi.ResourceSliceMaxDevices),
+		"with-taints-and-consumes-counters": newResourceSliceWithTaintsAndConsumesCounters(),
+		"with-shared-counters":              newSharedCountersResourceSlice(),
+	}
+	return slices
+}
+
+func newResourceSliceWithTaintsAndConsumesCounters() *resourceapi.ResourceSlice {
+	slice := newBasicResourceSlice(resourceapi.ResourceSliceMaxDevicesWithTaintsOrConsumesCounters)
+	for i := range slice.Spec.Devices {
+		for j := 0; j < resourceapi.DeviceTaintsMaxLength; j++ {
+			slice.Spec.Devices[i].Taints = append(slice.Spec.Devices[i].Taints,
+				resourceapi.DeviceTaint{
+					Key:       maxLabelName(i),
+					Value:     maxLabelValue(i),
+					Effect:    resourceapi.DeviceTaintEffectNoSchedule,
+					TimeAdded: &metav1.Time{Time: time.Now().Truncate(time.Second)},
+				},
+			)
+		}
+		slice.Spec.Devices[i].ConsumesCounters = func() []resourceapi.DeviceCounterConsumption {
+			var consumesCounters []resourceapi.DeviceCounterConsumption
+			for i := 0; i < resourceapi.ResourceSliceMaxDeviceCounterConsumptionsPerDevice; i++ {
+				consumesCounters = append(consumesCounters, resourceapi.DeviceCounterConsumption{
+					CounterSet: maxDNSLabel(i),
+					Counters: func() map[string]resourceapi.Counter {
+						counters := make(map[string]resourceapi.Counter)
+						for i := 0; i < resourceapi.ResourceSliceMaxCountersPerDeviceCounterConsumption; i++ {
+							counters[maxDNSLabel(i)] = resourceapi.Counter{
+								Value: resource.MustParse("80Gi"),
+							}
+						}
+						return counters
+					}(),
+				})
+			}
+			return consumesCounters
+		}()
+	}
+	return slice
+}
+
+func newBasicResourceSlice(numDevices int) *resourceapi.ResourceSlice {
+	slice := commonResourceSlice()
+	slice.Spec.PerDeviceNodeSelection = ptr.To(true)
+	var devices []resourceapi.Device
+	for i := 0; i < numDevices; i++ {
+		devices = append(devices, resourceapi.Device{
+			Name: maxDNSLabel(i),
+			// Use attributes rather than capacity since it is more expensive.
+			Attributes: func() map[resourceapi.QualifiedName]resourceapi.DeviceAttribute {
+				attributes := make(map[resourceapi.QualifiedName]resourceapi.DeviceAttribute)
+				for i := 0; i < resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice; i++ {
+					attributes[maxResourceQualifiedName(i)] = resourceapi.DeviceAttribute{
+						StringValue: ptr.To(maxDNSLabel(i)),
+					}
+				}
+				return attributes
+			}(),
+			NodeName: ptr.To(maxSubDomain(0)),
+		})
+	}
+	slice.Spec.Devices = devices
+	return slice
+}
+
+func newSharedCountersResourceSlice() *resourceapi.ResourceSlice {
+	slice := commonResourceSlice()
+	slice.Spec.NodeName = ptr.To(maxSubDomain(0))
+	var counterSets []resourceapi.CounterSet
+	for i := 0; i < resourceapi.ResourceSliceMaxCounterSets; i++ {
+		counterSets = append(counterSets, resourceapi.CounterSet{
+			Name: maxDNSLabel(i),
+			Counters: func() map[string]resourceapi.Counter {
+				counters := make(map[string]resourceapi.Counter)
+				for i := 0; i < resourceapi.ResourceSliceMaxCountersPerCounterSet; i++ {
+					counters[maxDNSLabel(i)] = resourceapi.Counter{
+						Value: resource.MustParse("80Gi"),
+					}
+				}
+				return counters
+			}(),
+		})
+	}
+	slice.Spec.SharedCounters = counterSets
+	return slice
+}
+
+func commonResourceSlice() *resourceapi.ResourceSlice {
+	return &resourceapi.ResourceSlice{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: maxSubDomain(0),
+			Name: maxSubDomain(1),
 			// Number of labels is not restricted.
 			Labels: maxKeyValueMap(10),
 			// Total size of annotations is limited to TotalAnnotationSizeLimitB = 256 KB.
@@ -48,75 +138,8 @@ func NewMaxResourceSlice() *resourceapi.ResourceSlice {
 				Generation:         math.MaxInt64,
 				ResourceSliceCount: math.MaxInt64,
 			},
-			// use PerDeviceNodeSelection as it requires setting the node selection on
-			// every device and therefore will be the most expensive option in terms of
-			// object size.
-			PerDeviceNodeSelection: ptr.To(true),
-			// The validation caps the total number of counters across all CounterSets. So
-			// the most expensive option is to have a single counter per CounterSet.
-			SharedCounters: func() []resourceapi.CounterSet {
-				var counterSets []resourceapi.CounterSet
-				for i := 0; i < resourceapi.ResourceSliceMaxSharedCounters; i++ {
-					counterSets = append(counterSets, resourceapi.CounterSet{
-						Name: maxDNSLabel(i),
-						Counters: map[string]resourceapi.Counter{
-							maxDNSLabel(0): {
-								Value: resource.MustParse("80Gi"),
-							},
-						},
-					})
-				}
-				return counterSets
-			}(),
-			Devices: func() []resourceapi.Device {
-				var devices []resourceapi.Device
-				for i := 0; i < resourceapi.ResourceSliceMaxDevices; i++ {
-					devices = append(devices, resourceapi.Device{
-						Name: maxDNSLabel(i),
-						// Use attributes rather than capacity since it is more expensive.
-						Attributes: func() map[resourceapi.QualifiedName]resourceapi.DeviceAttribute {
-							attributes := make(map[resourceapi.QualifiedName]resourceapi.DeviceAttribute)
-							for i := 0; i < resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice; i++ {
-								attributes[maxResourceQualifiedName(i)] = resourceapi.DeviceAttribute{
-									StringValue: ptr.To(maxDNSLabel(i)),
-								}
-							}
-							return attributes
-						}(),
-						ConsumesCounters: func() []resourceapi.DeviceCounterConsumption {
-							var consumesCounters []resourceapi.DeviceCounterConsumption
-							for i := 0; i < resourceapi.ResourceSliceMaxDeviceCountersPerSlice/resourceapi.ResourceSliceMaxDevices; i++ {
-								consumesCounters = append(consumesCounters, resourceapi.DeviceCounterConsumption{
-									CounterSet: maxDNSLabel(i),
-									Counters: map[string]resourceapi.Counter{
-										maxDNSLabel(0): {
-											Value: resource.MustParse("80Gi"),
-										},
-									},
-								})
-							}
-							return consumesCounters
-						}(),
-						NodeName: ptr.To(maxSubDomain(0)),
-						Taints: func() []resourceapi.DeviceTaint {
-							var taints []resourceapi.DeviceTaint
-							for i := 0; i < resourceapi.DeviceTaintsMaxLength; i++ {
-								taints = append(taints, resourceapi.DeviceTaint{
-									Key:       maxLabelName(i),
-									Value:     maxLabelValue(i),
-									Effect:    resourceapi.DeviceTaintEffectNoSchedule,
-									TimeAdded: &metav1.Time{Time: time.Now().Truncate(time.Second)},
-								})
-							}
-							return taints
-						}(),
-					})
-				}
-				return devices
-			}(),
 		},
 	}
-	return slice
 }
 
 // maxKeyValueMap produces a map for labels or annotations.
diff --git a/test/integration/dra/uses_all_resources_test.go b/test/integration/dra/uses_all_resources_test.go
new file mode 100644
index 0000000000000..520d653c3ca10
--- /dev/null
+++ b/test/integration/dra/uses_all_resources_test.go
@@ -0,0 +1,92 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package dra
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/onsi/gomega"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/dynamic-resource-allocation/structured"
+	"k8s.io/klog/v2"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+func testUsesAllResources(tCtx ktesting.TContext) {
+	tCtx.Parallel()
+	namespace := createTestNamespace(tCtx, nil)
+	nodes, err := tCtx.Client().CoreV1().Nodes().List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, "list nodes")
+	numDevicesPerNode := 100 // One pod gets scheduled per device.
+
+	class, driverName := createTestClass(tCtx, namespace)
+	for _, node := range nodes.Items {
+		// Globally unique device names make debugging simpler...
+		devices := make([]string, numDevicesPerNode)
+		for i := range numDevicesPerNode {
+			devices[i] = fmt.Sprintf("%s-device-%03d", node.Name, i)
+		}
+		slice := st.MakeResourceSlice(node.Name, driverName).Devices(devices...)
+		createSlice(tCtx, slice.Obj())
+	}
+
+	var claims []*resourceapi.ResourceClaim
+	var pods []*v1.Pod
+	for i := range len(nodes.Items) * numDevicesPerNode {
+		tCtx := ktesting.WithStep(tCtx, fmt.Sprintf("#%04d", i))
+
+		claim := st.MakeResourceClaim().
+			Name(fmt.Sprintf("claim-%04d", i)).
+			Namespace(namespace).
+			Request(class.Name).
+			Obj()
+		claim, err := tCtx.Client().ResourceV1().ResourceClaims(namespace).Create(tCtx, claim, metav1.CreateOptions{})
+		tCtx.ExpectNoError(err, "create claim")
+		claims = append(claims, claim)
+
+		pod := createPod(tCtx, namespace, fmt.Sprintf("-%04d", i), podWithClaimName, claim)
+		pods = append(pods, pod)
+	}
+
+	startScheduler(tCtx)
+
+	// Eventually, all pods should be scheduled and thus all claims allocated.
+	allocated := make(map[structured.DeviceID]*resourceapi.ResourceClaim, len(claims))
+	tCtx = ktesting.WithStep(tCtx, "check claim allocation")
+	tCtx = ktesting.WithTimeout(tCtx, time.Duration(len(pods))*5*time.Second, "scheduling timeout for all pods")
+	for _, claim := range claims {
+		var actualClaim *resourceapi.ResourceClaim
+		ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) *resourceapi.ResourceClaim {
+			c, err := tCtx.Client().ResourceV1().ResourceClaims(claim.Namespace).Get(tCtx, claim.Name, metav1.GetOptions{})
+			tCtx.ExpectNoError(err)
+			actualClaim = c
+			return c
+		}).Should(gomega.HaveField("Status.Allocation", gomega.Not(gomega.BeNil())))
+		tCtx.Expect(actualClaim.Status.Allocation.Devices.Results).To(gomega.HaveLen(1))
+		result := actualClaim.Status.Allocation.Devices.Results[0]
+		id := structured.MakeDeviceID(result.Driver, result.Pool, result.Device)
+		if otherClaim, ok := allocated[id]; ok {
+			tCtx.Fatalf("device %s was allocated to claims %s and %s", id, klog.KObj(actualClaim), klog.KObj(otherClaim))
+		}
+		allocated[id] = actualClaim
+	}
+}
diff --git a/test/integration/dualstack/dualstack_test.go b/test/integration/dualstack/dualstack_test.go
index ef6363be00da5..f3ac97c370e84 100644
--- a/test/integration/dualstack/dualstack_test.go
+++ b/test/integration/dualstack/dualstack_test.go
@@ -45,6 +45,10 @@ import (
 func TestCreateServiceSingleStackIPv4(t *testing.T) {
 	for _, enableMultiServiceCIDR := range []bool{false, true} {
 		for _, disableAllocatorDualWrite := range []bool{false, true} {
+			if !enableMultiServiceCIDR && disableAllocatorDualWrite {
+				// Inavlid configuration: DisableAllocatorDualWrite depends on MultiServiceCIDR
+				continue
+			}
 			t.Run(fmt.Sprintf("MultiServiceCIDR=%v DisableAllocatorDualWrite=%v", enableMultiServiceCIDR, disableAllocatorDualWrite), func(t *testing.T) {
 				// Create an IPv4 single stack control-plane
 				tCtx := ktesting.Init(t)
@@ -56,7 +60,7 @@ func TestCreateServiceSingleStackIPv4(t *testing.T) {
 					"--disable-admission-plugins=ServiceAccount",
 					fmt.Sprintf("--feature-gates=%s=%v,%s=%v", features.MultiCIDRServiceAllocator, enableMultiServiceCIDR, features.DisableAllocatorDualWrite, disableAllocatorDualWrite),
 				}
-				if !enableMultiServiceCIDR {
+				if !enableMultiServiceCIDR || !disableAllocatorDualWrite {
 					flags = append(flags, "--emulated-version=1.33")
 				}
 				s := kubeapiservertesting.StartTestServerOrDie(t,
@@ -292,6 +296,10 @@ func TestCreateServiceSingleStackIPv4(t *testing.T) {
 func TestCreateServiceSingleStackIPv6(t *testing.T) {
 	for _, enableMultiServiceCIDR := range []bool{false, true} {
 		for _, disableAllocatorDualWrite := range []bool{false, true} {
+			if !enableMultiServiceCIDR && disableAllocatorDualWrite {
+				// Inavlid configuration: DisableAllocatorDualWrite depends on MultiServiceCIDR
+				continue
+			}
 			t.Run(fmt.Sprintf("MultiServiceCIDR=%v DisableAllocatorDualWrite=%v", enableMultiServiceCIDR, disableAllocatorDualWrite), func(t *testing.T) {
 				// Create an IPv6 only control-plane
 				tCtx := ktesting.Init(t)
@@ -303,7 +311,7 @@ func TestCreateServiceSingleStackIPv6(t *testing.T) {
 					"--disable-admission-plugins=ServiceAccount",
 					fmt.Sprintf("--feature-gates=%s=%v,%s=%v", features.MultiCIDRServiceAllocator, enableMultiServiceCIDR, features.DisableAllocatorDualWrite, disableAllocatorDualWrite),
 				}
-				if !enableMultiServiceCIDR {
+				if !enableMultiServiceCIDR || !disableAllocatorDualWrite {
 					flags = append(flags, "--emulated-version=1.33")
 				}
 				s := kubeapiservertesting.StartTestServerOrDie(t,
@@ -526,6 +534,10 @@ func TestCreateServiceSingleStackIPv6(t *testing.T) {
 func TestCreateServiceDualStackIPv4IPv6(t *testing.T) {
 	for _, enableMultiServiceCIDR := range []bool{false, true} {
 		for _, disableAllocatorDualWrite := range []bool{false, true} {
+			if !enableMultiServiceCIDR && disableAllocatorDualWrite {
+				// Inavlid configuration: DisableAllocatorDualWrite depends on MultiServiceCIDR
+				continue
+			}
 			t.Run(fmt.Sprintf("MultiServiceCIDR=%v DisableAllocatorDualWrite=%v", enableMultiServiceCIDR, disableAllocatorDualWrite), func(t *testing.T) {
 				// Create an IPv4IPv6 dual stack control-plane
 				tCtx := ktesting.Init(t)
@@ -537,7 +549,7 @@ func TestCreateServiceDualStackIPv4IPv6(t *testing.T) {
 					"--disable-admission-plugins=ServiceAccount",
 					fmt.Sprintf("--feature-gates=%s=%v,%s=%v", features.MultiCIDRServiceAllocator, enableMultiServiceCIDR, features.DisableAllocatorDualWrite, disableAllocatorDualWrite),
 				}
-				if !enableMultiServiceCIDR {
+				if !enableMultiServiceCIDR || !disableAllocatorDualWrite {
 					flags = append(flags, "--emulated-version=1.33")
 				}
 				s := kubeapiservertesting.StartTestServerOrDie(t,
@@ -808,6 +820,10 @@ func TestCreateServiceDualStackIPv4IPv6(t *testing.T) {
 func TestCreateServiceDualStackIPv6IPv4(t *testing.T) {
 	for _, enableMultiServiceCIDR := range []bool{false, true} {
 		for _, disableAllocatorDualWrite := range []bool{false, true} {
+			if !enableMultiServiceCIDR && disableAllocatorDualWrite {
+				// Inavlid configuration: DisableAllocatorDualWrite depends on MultiServiceCIDR
+				continue
+			}
 			t.Run(fmt.Sprintf("MultiServiceCIDR=%v DisableAllocatorDualWrite=%v", enableMultiServiceCIDR, disableAllocatorDualWrite), func(t *testing.T) {
 				// Create an IPv6IPv4 dual stack control-plane
 				tCtx := ktesting.Init(t)
@@ -819,7 +835,7 @@ func TestCreateServiceDualStackIPv6IPv4(t *testing.T) {
 					"--disable-admission-plugins=ServiceAccount",
 					fmt.Sprintf("--feature-gates=%s=%v,%s=%v", features.MultiCIDRServiceAllocator, enableMultiServiceCIDR, features.DisableAllocatorDualWrite, disableAllocatorDualWrite),
 				}
-				if !enableMultiServiceCIDR {
+				if !enableMultiServiceCIDR || !disableAllocatorDualWrite {
 					flags = append(flags, "--emulated-version=1.33")
 				}
 				s := kubeapiservertesting.StartTestServerOrDie(t,
diff --git a/test/integration/endpointslice/endpointslice_test.go b/test/integration/endpointslice/endpointslice_test.go
new file mode 100644
index 0000000000000..9d36563808ed5
--- /dev/null
+++ b/test/integration/endpointslice/endpointslice_test.go
@@ -0,0 +1,301 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package endpointslice
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	discovery "k8s.io/api/discovery/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	clientset "k8s.io/client-go/kubernetes"
+	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
+	"k8s.io/kubernetes/pkg/controller/endpoint"
+	"k8s.io/kubernetes/pkg/controller/endpointslice"
+	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+// TestEndpointsControllersLabelSemantics tests that the corresponding endpoints controller
+// creates an Endpoint or EndpointSlice with the service.kubernetes.io/headless label when
+// a headless service is created.
+// It also verifies that Service labels are propagated to the Endpoints and EndpointSlice.
+func TestEndpointsControllersLabelSemantics(t *testing.T) {
+	// Disable ServiceAccount admission plugin as we don't have serviceaccount controller running.
+	server := kubeapiservertesting.StartTestServerOrDie(t, nil, framework.DefaultTestServerFlags(), framework.SharedEtcd())
+	defer server.TearDownFn()
+
+	client, err := clientset.NewForConfig(server.ClientConfig)
+	if err != nil {
+		t.Fatalf("Error creating clientset: %v", err)
+	}
+
+	resyncPeriod := 12 * time.Hour
+	informers := informers.NewSharedInformerFactory(client, resyncPeriod)
+
+	tCtx := ktesting.Init(t)
+	epController := endpoint.NewEndpointController(
+		tCtx,
+		informers.Core().V1().Pods(),
+		informers.Core().V1().Services(),
+		informers.Core().V1().Endpoints(),
+		client,
+		0)
+
+	epsController := endpointslice.NewController(
+		tCtx,
+		informers.Core().V1().Pods(),
+		informers.Core().V1().Services(),
+		informers.Core().V1().Nodes(),
+		informers.Discovery().V1().EndpointSlices(),
+		int32(100),
+		client,
+		1*time.Second)
+
+	// Start informer and controllers
+	informers.Start(tCtx.Done())
+	go epsController.Run(tCtx, 1)
+	go epController.Run(tCtx, 1)
+
+	ns := framework.CreateNamespaceOrDie(client, "test-endpoints-semantics", t)
+	defer framework.DeleteNamespaceOrDie(client, ns, t)
+
+	svc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-123",
+			Labels: map[string]string{
+				"app": "test",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Type:      corev1.ServiceTypeClusterIP,
+			ClusterIP: corev1.ClusterIPNone, // Headless service
+			Selector: map[string]string{
+				"app": "test",
+			},
+			Ports: []corev1.ServicePort{
+				{
+					Port:       80,
+					TargetPort: intstr.FromInt(8080),
+				},
+			},
+		},
+	}
+	_, err = client.CoreV1().Services(ns.Name).Create(tCtx, svc, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Error creating service: %v", err)
+	}
+
+	validateLabelsOnEndpointAndEndpointSlice(t, tCtx, client, ns.Name, svc.Name,
+		[]string{corev1.IsHeadlessService, "app"}, nil)
+
+	svc.Labels["new-label"] = "new-label-value"
+	delete(svc.Labels, "app")
+
+	_, err = client.CoreV1().Services(ns.Name).Update(tCtx, svc, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Error updating service: %v", err)
+	}
+
+	// Validate that the new labels are propagated.
+	validateLabelsOnEndpointAndEndpointSlice(t, tCtx, client, ns.Name, svc.Name,
+		[]string{corev1.IsHeadlessService, "new-label"}, []string{"app"})
+}
+
+// TestEndpointsHeadlessLabel tests how the service.kubernetes.io/headless
+// label is applied to Endpoints and EndpointSlices based on Service properties.
+func TestEndpointsHeadlessLabel(t *testing.T) {
+	tCtx := ktesting.Init(t)
+
+	// Disable ServiceAccount admission plugin as we don't have serviceaccount controller running.
+	server := kubeapiservertesting.StartTestServerOrDie(t, nil, framework.DefaultTestServerFlags(), framework.SharedEtcd())
+	defer server.TearDownFn()
+
+	client, err := clientset.NewForConfig(server.ClientConfig)
+	if err != nil {
+		t.Fatalf("Error creating clientset: %v", err)
+	}
+
+	resyncPeriod := 12 * time.Hour
+	informers := informers.NewSharedInformerFactory(client, resyncPeriod)
+
+	epController := endpoint.NewEndpointController(
+		tCtx,
+		informers.Core().V1().Pods(),
+		informers.Core().V1().Services(),
+		informers.Core().V1().Endpoints(),
+		client,
+		0)
+
+	epsController := endpointslice.NewController(
+		tCtx,
+		informers.Core().V1().Pods(),
+		informers.Core().V1().Services(),
+		informers.Core().V1().Nodes(),
+		informers.Discovery().V1().EndpointSlices(),
+		int32(100),
+		client,
+		1*time.Second)
+
+	// Start informer and controllers
+	informers.Start(tCtx.Done())
+	go epController.Run(tCtx, 1)
+	go epsController.Run(tCtx, 1)
+
+	testCases := []struct {
+		name          string
+		serviceLabels map[string]string
+		isHeadless    bool
+	}{
+		{
+			name:          "non-headless service with no labels",
+			serviceLabels: nil,
+			isHeadless:    false,
+		},
+		{
+			name:          "headless service with no labels",
+			serviceLabels: nil,
+			isHeadless:    true,
+		},
+		{
+			name:          "non-headless service with headless label",
+			serviceLabels: map[string]string{corev1.IsHeadlessService: ""},
+			isHeadless:    false,
+		},
+		{
+			name:          "headless service with headless label",
+			serviceLabels: map[string]string{corev1.IsHeadlessService: ""},
+			isHeadless:    true,
+		},
+	}
+
+	for i, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			nsName := fmt.Sprintf("test-headless-label-%d", i)
+			ns := framework.CreateNamespaceOrDie(client, nsName, t)
+			defer framework.DeleteNamespaceOrDie(client, ns, t)
+
+			svcName := fmt.Sprintf("test-svc-%d", i)
+			svc := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:   svcName,
+					Labels: tc.serviceLabels,
+				},
+				Spec: corev1.ServiceSpec{
+					Selector: map[string]string{"app": "test"},
+					Ports: []corev1.ServicePort{{
+						Port:       80,
+						TargetPort: intstr.FromInt(8080),
+					}},
+				},
+			}
+
+			if tc.isHeadless {
+				svc.Spec.ClusterIP = corev1.ClusterIPNone
+			}
+
+			_, err := client.CoreV1().Services(ns.Name).Create(tCtx, svc, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("Error creating service: %v", err)
+			}
+
+			if tc.isHeadless {
+				validateLabelsOnEndpointAndEndpointSlice(t, tCtx, client, ns.Name, svc.Name,
+					[]string{corev1.IsHeadlessService}, nil)
+			} else {
+				validateLabelsOnEndpointAndEndpointSlice(t, tCtx, client, ns.Name, svc.Name,
+					nil, []string{corev1.IsHeadlessService})
+			}
+
+		})
+	}
+}
+
+// validateLabelsOnEndpointAndEndpointSlice is a helper function to check for the
+// presence of expected labels and absence of unexpected labels on an Endpoint
+// and its corresponding EndpointSlice.
+func validateLabelsOnEndpointAndEndpointSlice(t *testing.T, tCtx context.Context, client clientset.Interface, nsName, svcName string, wantLabels, notWantLabels []string) {
+	t.Helper()
+	// Validate Endpoint
+	err := wait.PollUntilContextTimeout(tCtx, 1*time.Second, 1*time.Minute, true, func(context.Context) (bool, error) {
+		endpoint, err := client.CoreV1().Endpoints(nsName).Get(tCtx, svcName, metav1.GetOptions{})
+		if err != nil {
+			t.Logf("Error getting endpoints: %v", err)
+			return false, nil
+		}
+
+		for _, label := range wantLabels {
+			if _, ok := endpoint.Labels[label]; !ok {
+				t.Logf("Expected %s label on Endpoints", label)
+				return false, nil
+			}
+		}
+		for _, label := range notWantLabels {
+			if _, ok := endpoint.Labels[label]; ok {
+				t.Logf("Unexpected %s label on Endpoints", label)
+				return false, nil
+			}
+		}
+		return true, nil
+	})
+	if err != nil {
+		t.Fatalf("Timed out waiting for Endpoint labels: %v", err)
+	}
+
+	// Validate EndpointSlice
+	err = wait.PollUntilContextTimeout(tCtx, 1*time.Second, 1*time.Minute, true, func(context.Context) (bool, error) {
+		lSelector := discovery.LabelServiceName + "=" + svcName
+		esList, err := client.DiscoveryV1().EndpointSlices(nsName).List(tCtx, metav1.ListOptions{LabelSelector: lSelector})
+		if err != nil {
+			t.Logf("Error listing EndpointSlices: %v", err)
+			return false, err
+		}
+
+		if len(esList.Items) == 0 {
+			t.Logf("Waiting for EndpointSlice to be created")
+			return false, nil
+		}
+		if len(esList.Items) != 1 {
+			t.Logf("Only expected 1 EndpointSlice, got %d", len(esList.Items))
+			return false, nil
+		}
+
+		endpointSlice := esList.Items[0]
+		for _, label := range wantLabels {
+			if _, ok := endpointSlice.Labels[label]; !ok {
+				t.Logf("Expected %s label on EndpointSlice", label)
+				return false, nil
+			}
+		}
+		for _, label := range notWantLabels {
+			if _, ok := endpointSlice.Labels[label]; ok {
+				t.Logf("Unexpected %s label on EndpointSlice", label)
+				return false, nil
+			}
+		}
+		return true, nil
+	})
+	if err != nil {
+		t.Fatalf("Timed out waiting for EndpointSlice labels: %v", err)
+	}
+}
diff --git a/test/integration/etcd/data.go b/test/integration/etcd/data.go
index e71bdf7b4c866..e9a410083c971 100644
--- a/test/integration/etcd/data.go
+++ b/test/integration/etcd/data.go
@@ -229,7 +229,7 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 			ExpectedEtcdPath:  "/registry/podcertificaterequests/" + namespace + "/req-1",
 			ExpectedGVK:       gvkP("certificates.k8s.io", "v1alpha1", "PodCertificateRequest"),
 			IntroducedVersion: "1.34",
-			RemovedVersion:    "1.37",
+			RemovedVersion:    "1.35",
 		},
 		// --
 
@@ -240,6 +240,13 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 			IntroducedVersion: "1.33",
 			RemovedVersion:    "1.39",
 		},
+		gvr("certificates.k8s.io", "v1beta1", "podcertificaterequests"): {
+			Stub:              `{"metadata": {"name": "req-1"}, "spec": {"signerName":"example.com/signer", "podName":"pod-1", "podUID":"pod-uid-1", "serviceAccountName":"sa-1", "serviceAccountUID":"sa-uid-1", "nodeName":"node-1", "nodeUID":"node-uid-1", "maxExpirationSeconds":86400, "pkixPublicKey":"MCowBQYDK2VwAyEA5g+rk9q/hjojtc2nwHJ660RdX5w1f4AK0/kP391QyLY=", "proofOfPossession":"SuGHX7SMyPHuN5cD5wjKLXGNbhdlCYUnTH65JkTx17iWlLynQ/g9GiTYObftSHNzqRh0ofdgAGqK6a379O7RBw=="}, "userConfig": {"test/foo":"bar"}}`,
+			ExpectedEtcdPath:  "/registry/podcertificaterequests/" + namespace + "/req-1",
+			ExpectedGVK:       gvkP("certificates.k8s.io", "v1beta1", "PodCertificateRequest"),
+			IntroducedVersion: "1.35",
+			RemovedVersion:    "1.39",
+		},
 		// --
 
 		// k8s.io/kubernetes/pkg/apis/coordination/v1
@@ -344,32 +351,12 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		},
 		// --
 
-		// k8s.io/kubernetes/pkg/apis/storagemigration/v1alpha1
-		gvr("storagemigration.k8s.io", "v1alpha1", "storageversionmigrations"): {
-			Stub:              `{"metadata": {"name": "test-migration"}, "spec":{"resource": {"group": "test-group", "resource": "test-resource", "version": "test-version"}}}`,
+		// k8s.io/kubernetes/pkg/apis/storagemigration/v1beta1
+		gvr("storagemigration.k8s.io", "v1beta1", "storageversionmigrations"): {
+			Stub:              `{"metadata": {"name": "test-migration"}, "spec":{"resource": {"group": "test-group", "resource": "test-resource"}}}`,
 			ExpectedEtcdPath:  "/registry/storageversionmigrations/test-migration",
-			IntroducedVersion: "1.30",
-			RemovedVersion:    "1.36",
-		},
-		// --
-
-		// k8s.io/kubernetes/pkg/apis/flowcontrol/v1beta3
-		gvr("flowcontrol.apiserver.k8s.io", "v1beta3", "flowschemas"): {
-			Stub:              `{"metadata": {"name": "fs-2"}, "spec": {"priorityLevelConfiguration": {"name": "name1"}}}`,
-			ExpectedEtcdPath:  "/registry/flowschemas/fs-2",
-			ExpectedGVK:       gvkP("flowcontrol.apiserver.k8s.io", "v1", "FlowSchema"),
-			IntroducedVersion: "1.26",
-			RemovedVersion:    "1.32",
-		},
-		// --
-
-		// k8s.io/kubernetes/pkg/apis/flowcontrol/v1beta3
-		gvr("flowcontrol.apiserver.k8s.io", "v1beta3", "prioritylevelconfigurations"): {
-			Stub:              `{"metadata": {"name": "conf4"}, "spec": {"type": "Limited", "limited": {"nominalConcurrencyShares":3, "limitResponse": {"type": "Reject"}}}}`,
-			ExpectedEtcdPath:  "/registry/prioritylevelconfigurations/conf4",
-			ExpectedGVK:       gvkP("flowcontrol.apiserver.k8s.io", "v1", "PriorityLevelConfiguration"),
-			IntroducedVersion: "1.26",
-			RemovedVersion:    "1.32",
+			IntroducedVersion: "1.35",
+			RemovedVersion:    "1.41",
 		},
 		// --
 
@@ -397,16 +384,6 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		},
 		// --
 
-		// k8s.io/kubernetes/pkg/apis/storage/v1alpha1
-		gvr("storage.k8s.io", "v1alpha1", "volumeattributesclasses"): {
-			Stub:              `{"metadata": {"name": "vac1"}, "driverName": "example.com/driver", "parameters": {"foo": "bar"}}`,
-			ExpectedEtcdPath:  "/registry/volumeattributesclasses/vac1",
-			ExpectedGVK:       gvkP("storage.k8s.io", "v1beta1", "VolumeAttributesClass"),
-			IntroducedVersion: "1.29",
-			RemovedVersion:    "1.35",
-		},
-		// --
-
 		// k8s.io/kubernetes/pkg/apis/storage/v1beta1
 		gvr("storage.k8s.io", "v1beta1", "volumeattributesclasses"): {
 			Stub:              `{"metadata": {"name": "vac2"}, "driverName": "example.com/driver", "parameters": {"foo": "bar"}}`,
@@ -502,14 +479,12 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		gvr("admissionregistration.k8s.io", "v1beta1", "mutatingadmissionpolicies"): {
 			Stub:              `{"metadata":{"name":"map1b1"},"spec":{"paramKind":{"apiVersion":"test.example.com/v1","kind":"Example"},"matchConstraints":{"resourceRules": [{"resourceNames": ["fakeName"], "apiGroups":["apps"],"apiVersions":["v1"],"operations":["CREATE", "UPDATE"], "resources":["deployments"]}]},"reinvocationPolicy": "IfNeeded","mutations":[{"applyConfiguration": {"expression":"Object{metadata: Object.metadata{labels: {'example':'true'}}}"}, "patchType":"ApplyConfiguration"}]}}`,
 			ExpectedEtcdPath:  "/registry/mutatingadmissionpolicies/map1b1",
-			ExpectedGVK:       gvkP("admissionregistration.k8s.io", "v1alpha1", "MutatingAdmissionPolicy"),
 			IntroducedVersion: "1.34",
 			RemovedVersion:    "1.40",
 		},
 		gvr("admissionregistration.k8s.io", "v1beta1", "mutatingadmissionpolicybindings"): {
 			Stub:              `{"metadata":{"name":"mpb1b1"},"spec":{"policyName":"replicalimit-policy.example.com","paramRef":{"name":"replica-limit-test.example.com", "parameterNotFoundAction": "Allow"}}}`,
 			ExpectedEtcdPath:  "/registry/mutatingadmissionpolicybindings/mpb1b1",
-			ExpectedGVK:       gvkP("admissionregistration.k8s.io", "v1alpha1", "MutatingAdmissionPolicyBinding"),
 			IntroducedVersion: "1.34",
 			RemovedVersion:    "1.40",
 		},
@@ -519,12 +494,14 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicies"): {
 			Stub:              `{"metadata":{"name":"map1"},"spec":{"paramKind":{"apiVersion":"test.example.com/v1","kind":"Example"},"matchConstraints":{"resourceRules": [{"resourceNames": ["fakeName"], "apiGroups":["apps"],"apiVersions":["v1"],"operations":["CREATE", "UPDATE"], "resources":["deployments"]}]},"reinvocationPolicy": "IfNeeded","mutations":[{"applyConfiguration": {"expression":"Object{metadata: Object.metadata{labels: {'example':'true'}}}"}, "patchType":"ApplyConfiguration"}]}}`,
 			ExpectedEtcdPath:  "/registry/mutatingadmissionpolicies/map1",
+			ExpectedGVK:       gvkP("admissionregistration.k8s.io", "v1beta1", "MutatingAdmissionPolicy"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
 		gvr("admissionregistration.k8s.io", "v1alpha1", "mutatingadmissionpolicybindings"): {
 			Stub:              `{"metadata":{"name":"mpb1"},"spec":{"policyName":"replicalimit-policy.example.com","paramRef":{"name":"replica-limit-test.example.com", "parameterNotFoundAction": "Allow"}}}`,
 			ExpectedEtcdPath:  "/registry/mutatingadmissionpolicybindings/mpb1",
+			ExpectedGVK:       gvkP("admissionregistration.k8s.io", "v1beta1", "MutatingAdmissionPolicyBinding"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
@@ -538,6 +515,15 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		},
 		// --
 
+		// k8s.io/kubernetes/pkg/apis/scheduling/v1alpha1
+		gvr("scheduling.k8s.io", "v1alpha1", "workloads"): {
+			Stub:              `{"metadata": {"name": "w1"}, "spec": {"podGroups": [{"name": "group1", "policy": {"basic": {}}}]}}`,
+			ExpectedEtcdPath:  "/registry/workloads/" + namespace + "/w1",
+			IntroducedVersion: "1.35",
+			RemovedVersion:    "1.41",
+		},
+		// --
+
 		// k8s.io/kube-aggregator/pkg/apis/apiregistration/v1
 		// depends on aggregator using the same ungrouped RESTOptionsGetter as the kube apiserver, not SimpleRestOptionsFactory in aggregator.go
 		gvr("apiregistration.k8s.io", "v1", "apiservices"): {
@@ -606,28 +592,28 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		gvr("resource.k8s.io", "v1beta1", "deviceclasses"): {
 			Stub:              `{"metadata": {"name": "class2name"}}`,
 			ExpectedEtcdPath:  "/registry/deviceclasses/class2name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "DeviceClass"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "DeviceClass"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
 		gvr("resource.k8s.io", "v1beta1", "resourceclaims"): {
 			Stub:              `{"metadata": {"name": "claim2name"}, "spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaims/" + namespace + "/claim2name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaim"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaim"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
 		gvr("resource.k8s.io", "v1beta1", "resourceclaimtemplates"): {
 			Stub:              `{"metadata": {"name": "claimtemplate2name"}, "spec": {"spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}]}}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaimtemplates/" + namespace + "/claimtemplate2name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaimTemplate"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaimTemplate"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
 		gvr("resource.k8s.io", "v1beta1", "resourceslices"): {
 			Stub:              `{"metadata": {"name": "node2slice"}, "spec": {"nodeName": "worker1", "driver": "dra.example.com", "pool": {"name": "worker1", "resourceSliceCount": 1}}}`,
 			ExpectedEtcdPath:  "/registry/resourceslices/node2slice",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceSlice"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceSlice"),
 			IntroducedVersion: "1.32",
 			RemovedVersion:    "1.38",
 		},
@@ -640,28 +626,28 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		gvr("resource.k8s.io", "v1beta2", "deviceclasses"): {
 			Stub:              `{"metadata": {"name": "class3name"}}`,
 			ExpectedEtcdPath:  "/registry/deviceclasses/class3name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "DeviceClass"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "DeviceClass"),
 			IntroducedVersion: "1.33",
 			RemovedVersion:    "1.39",
 		},
 		gvr("resource.k8s.io", "v1beta2", "resourceclaims"): {
 			Stub:              `{"metadata": {"name": "claim3name"}, "spec": {"devices": {"requests": [{"name": "req-0", "exactly": {"deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}}]}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaims/" + namespace + "/claim3name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaim"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaim"),
 			IntroducedVersion: "1.33",
 			RemovedVersion:    "1.39",
 		},
 		gvr("resource.k8s.io", "v1beta2", "resourceclaimtemplates"): {
 			Stub:              `{"metadata": {"name": "claimtemplate3name"}, "spec": {"spec": {"devices": {"requests": [{"name": "req-0", "exactly": {"deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}}]}}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaimtemplates/" + namespace + "/claimtemplate3name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaimTemplate"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaimTemplate"),
 			IntroducedVersion: "1.33",
 			RemovedVersion:    "1.39",
 		},
 		gvr("resource.k8s.io", "v1beta2", "resourceslices"): {
 			Stub:              `{"metadata": {"name": "node3slice"}, "spec": {"nodeName": "worker1", "driver": "dra.example.com", "pool": {"name": "worker1", "resourceSliceCount": 1}}}`,
 			ExpectedEtcdPath:  "/registry/resourceslices/node3slice",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceSlice"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceSlice"),
 			IntroducedVersion: "1.33",
 			RemovedVersion:    "1.39",
 		},
@@ -671,25 +657,25 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, isEmulat
 		gvr("resource.k8s.io", "v1", "deviceclasses"): {
 			Stub:              `{"metadata": {"name": "class4name"}}`,
 			ExpectedEtcdPath:  "/registry/deviceclasses/class4name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "DeviceClass"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "DeviceClass"),
 			IntroducedVersion: "1.34",
 		},
 		gvr("resource.k8s.io", "v1", "resourceclaims"): {
 			Stub:              `{"metadata": {"name": "claim4name"}, "spec": {"devices": {"requests": [{"name": "req-0", "exactly": {"deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}}]}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaims/" + namespace + "/claim4name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaim"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaim"),
 			IntroducedVersion: "1.34",
 		},
 		gvr("resource.k8s.io", "v1", "resourceclaimtemplates"): {
 			Stub:              `{"metadata": {"name": "claimtemplate4name"}, "spec": {"spec": {"devices": {"requests": [{"name": "req-0", "exactly": {"deviceClassName": "example-class", "allocationMode": "ExactCount", "count": 1}}]}}}}`,
 			ExpectedEtcdPath:  "/registry/resourceclaimtemplates/" + namespace + "/claimtemplate4name",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceClaimTemplate"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceClaimTemplate"),
 			IntroducedVersion: "1.34",
 		},
 		gvr("resource.k8s.io", "v1", "resourceslices"): {
 			Stub:              `{"metadata": {"name": "node4slice"}, "spec": {"nodeName": "worker1", "driver": "dra.example.com", "pool": {"name": "worker1", "resourceSliceCount": 1}}}`,
 			ExpectedEtcdPath:  "/registry/resourceslices/node4slice",
-			ExpectedGVK:       gvkP("resource.k8s.io", "v1beta2", "ResourceSlice"),
+			ExpectedGVK:       gvkP("resource.k8s.io", "v1", "ResourceSlice"),
 			IntroducedVersion: "1.34",
 		},
 		// --
diff --git a/test/integration/etcd/etcd_storage_path_test.go b/test/integration/etcd/etcd_storage_path_test.go
index 4ebfca813256c..9ad3b02f44968 100644
--- a/test/integration/etcd/etcd_storage_path_test.go
+++ b/test/integration/etcd/etcd_storage_path_test.go
@@ -88,8 +88,10 @@ func TestEtcdStoragePath(t *testing.T) {
 
 func testEtcdStoragePathWithVersion(t *testing.T, v string) {
 	if v == componentbaseversion.DefaultKubeBinaryVersion {
-		featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)
-		featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)
+		featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			"AllAlpha": true,
+			"AllBeta":  true,
+		})
 	} else {
 		// Only test for beta and GA APIs with emulated version.
 		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, version.MustParse(v))
diff --git a/test/integration/etcd/server.go b/test/integration/etcd/server.go
index fff4882c73922..f34e59889c0f0 100644
--- a/test/integration/etcd/server.go
+++ b/test/integration/etcd/server.go
@@ -47,6 +47,7 @@ import (
 	"k8s.io/client-go/restmapper"
 	utiltesting "k8s.io/client-go/util/testing"
 	basecompatibility "k8s.io/component-base/compatibility"
+	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app"
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
@@ -125,14 +126,18 @@ func StartRealAPIServerOrDie(t *testing.T, configFuncs ...func(*options.ServerRu
 
 	// If the local ComponentGlobalsRegistry is changed by configFuncs,
 	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
-	if !featureGate.EmulationVersion().EqualTo(feature.DefaultMutableFeatureGate.EmulationVersion()) {
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion())
+	if !featureGate.EmulationVersion().EqualTo(feature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(feature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t, feature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
 	}
+	featureOverrides := map[featuregate.Feature]bool{}
 	for f := range feature.DefaultMutableFeatureGate.GetAll() {
 		if featureGate.Enabled(f) != feature.DefaultFeatureGate.Enabled(f) {
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, f, featureGate.Enabled(f))
+			featureOverrides[f] = featureGate.Enabled(f)
 		}
 	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featureOverrides)
+	}
 	feature.DefaultMutableFeatureGate.AddMetrics()
 
 	completedOptions, err := opts.Complete(tCtx)
diff --git a/test/integration/framework/test_server.go b/test/integration/framework/test_server.go
index 223c1704eca3d..8ce601f9ac122 100644
--- a/test/integration/framework/test_server.go
+++ b/test/integration/framework/test_server.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
 	basecompatibility "k8s.io/component-base/compatibility"
+	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
 	netutils "k8s.io/utils/net"
@@ -175,14 +176,18 @@ func StartTestServer(ctx context.Context, t testing.TB, setup TestServerSetup) (
 
 	// If the local ComponentGlobalsRegistry is changed by ModifyServerRunOptions,
 	// we need to copy the new feature values back to the DefaultFeatureGate because most feature checks still use the DefaultFeatureGate.
-	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) {
-		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion())
+	if !featureGate.EmulationVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.EmulationVersion()) || !featureGate.MinCompatibilityVersion().EqualTo(utilfeature.DefaultMutableFeatureGate.MinCompatibilityVersion()) {
+		featuregatetesting.SetFeatureGateVersionsDuringTest(t, utilfeature.DefaultMutableFeatureGate, effectiveVersion.EmulationVersion(), effectiveVersion.MinCompatibilityVersion())
 	}
+	featureOverrides := map[featuregate.Feature]bool{}
 	for f := range utilfeature.DefaultMutableFeatureGate.GetAll() {
 		if featureGate.Enabled(f) != utilfeature.DefaultFeatureGate.Enabled(f) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, f, featureGate.Enabled(f))
+			featureOverrides[f] = featureGate.Enabled(f)
 		}
 	}
+	if len(featureOverrides) > 0 {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featureOverrides)
+	}
 	utilfeature.DefaultMutableFeatureGate.AddMetrics()
 
 	completedOptions, err := opts.Complete(ctx)
diff --git a/test/integration/garbagecollector/garbage_collector_test.go b/test/integration/garbagecollector/garbage_collector_test.go
index 9ae660f1fc284..110bf99b7a6c2 100644
--- a/test/integration/garbagecollector/garbage_collector_test.go
+++ b/test/integration/garbagecollector/garbage_collector_test.go
@@ -434,7 +434,7 @@ func testCrossNamespaceReferences(t *testing.T, watchCache bool) {
 			return false, nil
 		}
 		return true, nil
-	}); err != nil && err != wait.ErrWaitTimeout {
+	}); err != nil && !wait.Interrupted(err) {
 		t.Error(err)
 	}
 
@@ -448,7 +448,7 @@ func testCrossNamespaceReferences(t *testing.T, watchCache bool) {
 			return false, fmt.Errorf("expected %d valid children, got %d", validChildrenCount, len(children.Items))
 		}
 		return false, nil
-	}); err != nil && err != wait.ErrWaitTimeout {
+	}); err != nil && !wait.Interrupted(err) {
 		t.Error(err)
 	}
 
diff --git a/test/integration/job/job_test.go b/test/integration/job/job_test.go
index 3e0bee1d264e1..798ab81a9259c 100644
--- a/test/integration/job/job_test.go
+++ b/test/integration/job/job_test.go
@@ -34,6 +34,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	eventsv1 "k8s.io/api/events/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -830,8 +831,10 @@ func TestSuccessPolicy(t *testing.T) {
 				// TODO: this will be removed in 1.36
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.32"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobSuccessPolicy, tc.enableJobSuccessPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobBackoffLimitPerIndex, tc.enableBackoffLimitPerIndex)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobSuccessPolicy:        tc.enableJobSuccessPolicy,
+				features.JobBackoffLimitPerIndex: tc.enableBackoffLimitPerIndex,
+			})
 
 			ctx, cancel := startJobControllerAndWaitForCaches(t, restConfig)
 			t.Cleanup(cancel)
@@ -1591,10 +1594,15 @@ func TestDelayTerminalPhaseCondition(t *testing.T) {
 			} else if !test.enableJobPodReplacementPolicy {
 				// TODO: this will be removed in 1.37.
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.33"))
+			} else if !test.enableJobManagedBy {
+				// TODO: this will be removed in 1.38.
+				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			}
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobPodReplacementPolicy, test.enableJobPodReplacementPolicy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, test.enableJobManagedBy)
-			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobSuccessPolicy, test.enableJobSuccessPolicy)
+			featuregatetesting.SetFeatureGatesDuringTest(t, feature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.JobPodReplacementPolicy: test.enableJobPodReplacementPolicy,
+				features.JobManagedBy:            test.enableJobManagedBy,
+				features.JobSuccessPolicy:        test.enableJobSuccessPolicy,
+			})
 
 			ctx, cancel := startJobControllerAndWaitForCaches(t, restConfig)
 			t.Cleanup(cancel)
@@ -2146,6 +2154,8 @@ func TestManagedBy(t *testing.T) {
 	for name, test := range testCases {
 		t.Run(name, func(t *testing.T) {
 			resetMetrics()
+			// TODO: this will be removed in 1.38.
+			featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, test.enableJobManagedBy)
 
 			ctx, cancel := startJobControllerAndWaitForCaches(t, restConfig)
@@ -2193,6 +2203,8 @@ func TestManagedBy(t *testing.T) {
 // and is disabled again with re-enabling of the feature gate.
 func TestManagedBy_Reenabling(t *testing.T) {
 	customControllerName := "example.com/custom-job-controller"
+	// TODO: this will be removed in 1.38.
+	featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, feature.DefaultFeatureGate, utilversion.MustParse("1.34"))
 	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.JobManagedBy, true)
 
 	closeFn, restConfig, clientSet, ns := setup(t, "managed-by-reenabling")
@@ -4276,6 +4288,193 @@ func TestNodeSelectorUpdate(t *testing.T) {
 
 }
 
+func TestUpdateJobPodResources(t *testing.T) {
+	testCases := map[string]struct {
+		enableFeatureGate bool
+		suspend           bool
+		updateResources   bool
+		containers        []v1.Container
+		expectUpdate      bool
+		startThenSuspend  bool
+		initialResources  *v1.ResourceRequirements
+		jobName           string
+	}{
+		"suspended job, feature gate enabled, update resources": {
+			enableFeatureGate: true,
+			suspend:           true,
+			updateResources:   true,
+			containers: []v1.Container{{
+				Name:  "test-container",
+				Image: "busybox",
+			}},
+			expectUpdate: true,
+			jobName:      "update-suspend",
+		},
+		"non-suspended job, feature gate enabled, update resources": {
+			enableFeatureGate: true,
+			suspend:           false,
+			updateResources:   true,
+			containers: []v1.Container{{
+				Name:  "test-container",
+				Image: "busybox",
+			}},
+			expectUpdate: false,
+			jobName:      "update-fail-running",
+		},
+		"suspended job, feature gate disabled, update resources": {
+			enableFeatureGate: false,
+			suspend:           true,
+			updateResources:   true,
+			containers: []v1.Container{{
+				Name:  "test-container",
+				Image: "busybox",
+			}},
+			expectUpdate: false,
+			jobName:      "no-update-with-feature-disabled",
+		},
+		"started then suspended job, feature gate enabled, update resources": {
+			enableFeatureGate: true,
+			suspend:           false,
+			updateResources:   true,
+			containers: []v1.Container{{
+				Name:  "test-container",
+				Image: "busybox",
+			}},
+			expectUpdate:     true,
+			startThenSuspend: true,
+			jobName:          "suspend-resume-mutate",
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.MutablePodResourcesForSuspendedJobs, tc.enableFeatureGate)
+
+			closeFn, restConfig, cs, ns := setup(t, "update-job-pod-resources")
+			defer closeFn()
+
+			ctx, cancel := startJobControllerAndWaitForCaches(t, restConfig)
+			defer cancel()
+
+			job := &batchv1.Job{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      tc.jobName,
+					Namespace: ns.Name,
+				},
+				Spec: batchv1.JobSpec{
+					Suspend:     ptr.To(tc.suspend),
+					Parallelism: ptr.To[int32](1),
+					Completions: ptr.To[int32](1),
+					Template: v1.PodTemplateSpec{
+						Spec: v1.PodSpec{
+							Containers:    tc.containers,
+							RestartPolicy: v1.RestartPolicyNever,
+						},
+					},
+				},
+			}
+
+			job, err := createJobWithDefaults(ctx, cs, ns.Name, job)
+			if err != nil {
+				t.Fatalf("Failed to create Job: %v", err)
+			}
+
+			jobClient := cs.BatchV1().Jobs(ns.Name)
+
+			// Handle start-then-suspend case
+			if tc.startThenSuspend {
+				t.Logf("Waiting for pods to be active on starting job")
+				waitForPodsToBeActive(ctx, t, jobClient, 1, job)
+				// Suspend the job
+				_, err = updateJob(ctx, jobClient, job.Name, func(j *batchv1.Job) {
+					j.Spec.Suspend = ptr.To(true)
+				})
+				if err != nil {
+					t.Fatalf("Failed to suspend Job: %v", err)
+				}
+
+				// Wait for the job to be suspended
+				err = wait.PollUntilContextTimeout(ctx, time.Second, wait.ForeverTestTimeout, true, func(ctx context.Context) (bool, error) {
+					j, err := jobClient.Get(ctx, job.Name, metav1.GetOptions{})
+					if err != nil {
+						return false, err
+					}
+					return j.Spec.Suspend != nil && *j.Spec.Suspend, nil
+				})
+				if err != nil {
+					t.Fatalf("Failed to wait for job to be suspended: %v", err)
+				}
+				t.Logf("job is suspended")
+			}
+
+			waitForPodsToBeActive(ctx, t, jobClient, 0, job)
+
+			if tc.updateResources {
+				_, err := updateJob(ctx, jobClient, job.Name, func(j *batchv1.Job) {
+					for i := range j.Spec.Template.Spec.Containers {
+						j.Spec.Template.Spec.Containers[i].Resources = v1.ResourceRequirements{
+							Requests: v1.ResourceList{
+								v1.ResourceCPU:    resource.MustParse("200m"),
+								v1.ResourceMemory: resource.MustParse("256Mi"),
+							},
+							Limits: v1.ResourceList{
+								v1.ResourceCPU:    resource.MustParse("400m"),
+								v1.ResourceMemory: resource.MustParse("512Mi"),
+							},
+						}
+					}
+				})
+				if err != nil && tc.expectUpdate {
+					t.Fatalf("Failed to update Job: %v", err)
+				}
+			}
+
+			// Unsuspend the job if it was suspended or if it's the start-then-suspend case
+			if tc.suspend || tc.startThenSuspend {
+				_, err = updateJob(ctx, jobClient, job.Name, func(j *batchv1.Job) {
+					j.Spec.Suspend = ptr.To(false)
+				})
+				if err != nil {
+					t.Fatalf("Failed to unsuspend Job: %v", err)
+				}
+			}
+			waitForPodsToBeActive(ctx, t, jobClient, 1, job)
+			pods, err := getJobPods(ctx, t, cs, job, func(s v1.PodStatus) bool { return true })
+			if err != nil {
+				t.Fatalf("Failed to get Job pods: %v", err)
+			}
+			if len(pods) != 1 {
+				t.Fatalf("Expected 1 pod, got %d", len(pods))
+			}
+
+			pod := pods[0]
+			expectedResources := v1.ResourceRequirements{
+				Requests: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("200m"),
+					v1.ResourceMemory: resource.MustParse("256Mi"),
+				},
+				Limits: v1.ResourceList{
+					v1.ResourceCPU:    resource.MustParse("400m"),
+					v1.ResourceMemory: resource.MustParse("512Mi"),
+				},
+			}
+
+			for i := range tc.containers {
+				if tc.expectUpdate {
+					if diff := cmp.Diff(expectedResources, pod.Spec.Containers[i].Resources); diff != "" {
+						t.Errorf("Unexpected resources in pod spec for container %q (-want +got):\n%s", pod.Spec.Containers[i].Name, diff)
+					}
+				} else {
+					if len(pod.Spec.Containers[i].Resources.Requests) > 0 ||
+						len(pod.Spec.Containers[i].Resources.Limits) > 0 {
+						t.Errorf("Expected no resource updates for container %q, but got: %+v", pod.Spec.Containers[i].Name, pod.Spec.Containers[i].Resources)
+					}
+				}
+			}
+		})
+	}
+}
+
 // TestDelayedJobUpdateEvent tests that a Job only creates one Pod even when
 // the job events are delayed. This test verfies the finishedJobStore is working
 // correctly and preventing from job controller creating a new pod if the job success
@@ -4415,6 +4614,118 @@ func TestDelayedJobUpdateEvent(t *testing.T) {
 
 }
 
+// TestMutableSchedulingDirectivesForSuspendedJobs verifies that scheduling directives
+// can be mutated when the feature is enabled for a suspended JOb.
+func TestMutableSchedulingDirectivesForSuspendedJobs(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.MutableSchedulingDirectivesForSuspendedJobs, true)
+
+	closeFn, restConfig, clientSet, ns := setup(t, "mutable-scheduling-directives-for-suspended-jobs")
+	t.Cleanup(closeFn)
+	ctx, cancel := startJobControllerAndWaitForCaches(t, restConfig)
+	t.Cleanup(cancel)
+
+	job, err := createJobWithDefaults(ctx, clientSet, ns.Name, &batchv1.Job{
+		Spec: batchv1.JobSpec{
+			Parallelism: ptr.To[int32](1),
+			Completions: ptr.To[int32](2),
+			Suspend:     ptr.To(false),
+		},
+	})
+	if err != nil {
+		t.Fatalf("Failed to create Job: %v", err)
+	}
+
+	// await for the Job to be running and the status.startTime set
+	validateJobsPodsStatusOnly(ctx, t, clientSet, job, podsByStatus{
+		Active:      1,
+		Ready:       ptr.To[int32](0),
+		Terminating: ptr.To[int32](0),
+	})
+
+	job, err = clientSet.BatchV1().Jobs(ns.Name).Get(ctx, job.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get Job: %v", err)
+	}
+	if job.Status.StartTime == nil {
+		t.Fatalf("Job startTime was not set")
+	}
+
+	// verify an update to an unsuspended Job would fail
+	jobCopy := job.DeepCopy()
+	jobCopy.Spec.Template.Spec.NodeSelector = map[string]string{
+		"key": "value",
+	}
+
+	_, err = clientSet.BatchV1().Jobs(job.Namespace).Update(ctx, jobCopy, metav1.UpdateOptions{})
+	if err == nil {
+		t.Fatalf("update of scheduling directives succeeded for unsuspended job %s", klog.KObj(jobCopy))
+	}
+
+	// suspend the Job
+	job.Spec.Suspend = ptr.To(true)
+	job, err = clientSet.BatchV1().Jobs(ns.Name).Update(ctx, job, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to suspend Job: %v", err)
+	}
+
+	// await for the Job to have no active Pods and have the JobSuspended condition
+	validateJobsPodsStatusOnly(ctx, t, clientSet, job, podsByStatus{
+		Active:      0,
+		Ready:       ptr.To[int32](0),
+		Terminating: ptr.To[int32](0),
+	})
+
+	job, err = clientSet.BatchV1().Jobs(ns.Name).Get(ctx, job.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get Job: %v", err)
+	}
+
+	if job.Status.StartTime != nil {
+		t.Fatalf("Job startTime was not cleaned")
+	}
+
+	if getJobConditionStatus(ctx, job, batchv1.JobSuspended) != v1.ConditionTrue {
+		t.Fatalf("JobSuspended condition was not set to True")
+	}
+
+	// since the Job is suspended the update is now accepted
+	job.Spec.Template.Spec.NodeSelector = map[string]string{
+		"key": "value",
+	}
+
+	job, err = clientSet.BatchV1().Jobs(job.Namespace).Update(ctx, job, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("update of scheduling directives failed for suspended job %s", klog.KObj(job))
+	}
+
+	// resume the Job again and the Pods get created
+	job.Spec.Suspend = ptr.To(false)
+	job, err = clientSet.BatchV1().Jobs(ns.Name).Update(ctx, job, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to resume Job: %v", err)
+	}
+
+	// await for the Job to be running again and assert on the status
+	validateJobsPodsStatusOnly(ctx, t, clientSet, job, podsByStatus{
+		Active:      1,
+		Ready:       ptr.To[int32](0),
+		Terminating: ptr.To[int32](0),
+	})
+
+	job, err = clientSet.BatchV1().Jobs(ns.Name).Get(ctx, job.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get Job: %v", err)
+	}
+
+	if getJobConditionStatus(ctx, job, batchv1.JobSuspended) != v1.ConditionFalse {
+		t.Error("JobSuspended condition was not set to False")
+	}
+
+	if job.Status.StartTime == nil {
+		t.Error("Job startTime was not set after resume")
+	}
+}
+
 type podsByStatus struct {
 	Active      int
 	Ready       *int32
@@ -4506,7 +4817,7 @@ func getJobPods(ctx context.Context, t *testing.T, clientSet clientset.Interface
 	if err != nil {
 		return nil, err
 	}
-	jobPods := make([]*v1.Pod, 0, 0)
+	jobPods := make([]*v1.Pod, 0)
 	for _, pod := range allPods.Items {
 		if metav1.IsControlledBy(&pod, jobObj) && filter(pod.Status) {
 			p := pod
diff --git a/test/integration/kubelet/podcertificatemanager_integration_test.go b/test/integration/kubelet/podcertificatemanager_integration_test.go
index 7e29d46e7674f..ff9eb50c9506e 100644
--- a/test/integration/kubelet/podcertificatemanager_integration_test.go
+++ b/test/integration/kubelet/podcertificatemanager_integration_test.go
@@ -18,13 +18,15 @@ package kubelet
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"slices"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -55,7 +57,7 @@ func TestPodCertificateManager(t *testing.T) {
 		[]string{
 			"--authorization-mode=Node,RBAC",
 			"--feature-gates=AuthorizeNodeWithSelectors=true,PodCertificateRequest=true",
-			fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion),
+			fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion),
 		},
 		framework.SharedEtcd(),
 	)
@@ -168,7 +170,8 @@ func TestPodCertificateManager(t *testing.T) {
 	node1PodCertificateManager := podcertificate.NewIssuingManager(
 		node1Client,
 		node1PodManager,
-		node1PCRInformerFactory.Certificates().V1alpha1().PodCertificateRequests(),
+		nil,
+		node1PCRInformerFactory.Certificates().V1beta1().PodCertificateRequests(),
 		node1NodeInformerFactory.Core().V1().Nodes(),
 		types.NodeName(node1.ObjectMeta.Name),
 		clock.RealClock{},
@@ -233,6 +236,7 @@ func TestPodCertificateManager(t *testing.T) {
 										SignerName:           signerName,
 										KeyType:              "ED25519",
 										CredentialBundlePath: "creds.pem",
+										UserAnnotations:      map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "workload"},
 									},
 								},
 							},
@@ -260,9 +264,9 @@ func TestPodCertificateManager(t *testing.T) {
 
 	// Within a few seconds, we should see a PodCertificateRequest created for
 	// this pod.
-	var gotPCR *certsv1alpha1.PodCertificateRequest
+	var gotPCR *certsv1beta1.PodCertificateRequest
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := adminClient.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+		pcrs, err := adminClient.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -281,19 +285,20 @@ func TestPodCertificateManager(t *testing.T) {
 	// Check that the created PCR spec matches expectations.  Blank out fields on
 	// gotPCR that we don't care about.  Blank out status, because the
 	// controller might have already signed it.
-	wantPCR := &certsv1alpha1.PodCertificateRequest{
+	wantPCR := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: workloadNS.ObjectMeta.Name,
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:           workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
-			PodName:              workloadPod.ObjectMeta.Name,
-			PodUID:               workloadPod.ObjectMeta.UID,
-			ServiceAccountName:   workloadSA.ObjectMeta.Name,
-			ServiceAccountUID:    workloadSA.ObjectMeta.UID,
-			NodeName:             types.NodeName(node1.ObjectMeta.Name),
-			NodeUID:              node1.ObjectMeta.UID,
-			MaxExpirationSeconds: ptr.To[int32](86400),
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                workloadPod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].PodCertificate.SignerName,
+			PodName:                   workloadPod.ObjectMeta.Name,
+			PodUID:                    workloadPod.ObjectMeta.UID,
+			ServiceAccountName:        workloadSA.ObjectMeta.Name,
+			ServiceAccountUID:         workloadSA.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+			NodeUID:                   node1.ObjectMeta.UID,
+			MaxExpirationSeconds:      ptr.To[int32](86400),
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "workload"},
 		},
 	}
 	gotPCRClone := gotPCR.DeepCopy()
@@ -301,14 +306,14 @@ func TestPodCertificateManager(t *testing.T) {
 	gotPCRClone.ObjectMeta.Namespace = gotPCR.ObjectMeta.Namespace
 	gotPCRClone.Spec.PKIXPublicKey = nil
 	gotPCRClone.Spec.ProofOfPossession = nil
-	gotPCRClone.Status = certsv1alpha1.PodCertificateRequestStatus{}
+	gotPCRClone.Status = certsv1beta1.PodCertificateRequestStatus{}
 	if diff := cmp.Diff(gotPCRClone, wantPCR); diff != "" {
 		t.Fatalf("PodCertificateManager created a bad PCR; diff (-got +want)\n%s", diff)
 	}
 
 	// Wait some more time for the PCR to be issued.
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		pcrs, err := adminClient.CertificatesV1alpha1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
+		pcrs, err := adminClient.CertificatesV1beta1().PodCertificateRequests(workloadNS.ObjectMeta.Name).List(ctx, metav1.ListOptions{})
 		if err != nil {
 			return false, fmt.Errorf("while listing PodCertificateRequests: %w", err)
 		}
@@ -321,9 +326,9 @@ func TestPodCertificateManager(t *testing.T) {
 
 		for _, cond := range gotPCR.Status.Conditions {
 			switch cond.Type {
-			case certsv1alpha1.PodCertificateRequestConditionTypeDenied,
-				certsv1alpha1.PodCertificateRequestConditionTypeFailed,
-				certsv1alpha1.PodCertificateRequestConditionTypeIssued:
+			case certsv1beta1.PodCertificateRequestConditionTypeDenied,
+				certsv1beta1.PodCertificateRequestConditionTypeFailed,
+				certsv1beta1.PodCertificateRequestConditionTypeIssued:
 				return true, nil
 			}
 		}
@@ -334,12 +339,24 @@ func TestPodCertificateManager(t *testing.T) {
 	}
 
 	isIssued := slices.ContainsFunc(gotPCR.Status.Conditions, func(cond metav1.Condition) bool {
-		return cond.Type == certsv1alpha1.PodCertificateRequestConditionTypeIssued
+		return cond.Type == certsv1beta1.PodCertificateRequestConditionTypeIssued
 	})
 	if !isIssued {
 		t.Fatalf("The test signingController didn't issue the PCR:\n%+v", gotPCR)
 	}
 
+	// Check the spiffe path has been overridden with the UserAnnotations.
+	issuedCertPem := []byte(gotPCR.Status.CertificateChain)
+	block, _ := pem.Decode(issuedCertPem)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("Failed to parse the issued certificate: %v", err)
+	}
+
+	if cert.URIs[0].Path != "/workload" {
+		t.Logf("Certificate path is %s", cert.URIs[0].Path)
+		t.Fatalf("Failed to override the spiffe path with the user annotations")
+	}
 	// Now we know that the PCR was issued, so we can wait for the
 	// podcertificate manager to return some valid credentials.
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
diff --git a/test/integration/kubelet/watch_manager_test.go b/test/integration/kubelet/watch_manager_test.go
index 5754c4eb11233..0e3804b001ebd 100644
--- a/test/integration/kubelet/watch_manager_test.go
+++ b/test/integration/kubelet/watch_manager_test.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/kubelet/util/manager"
 	"k8s.io/kubernetes/test/integration/framework"
@@ -66,12 +67,15 @@ func TestWatchBasedManager(t *testing.T) {
 	// We want all watches to be up and running to stress test it.
 	// So don't treat any secret as immutable here.
 	isImmutable := func(_ runtime.Object) bool { return false }
+	listWatcherWithWatchListSemanticsWrapper := func(lw *cache.ListWatch) cache.ListerWatcher {
+		return cache.ToListWatcherWithWatchListSemantics(lw, client)
+	}
 	fakeClock := testingclock.NewFakeClock(time.Now())
 
 	stopCh := make(chan struct{})
 	t.Cleanup(func() { close(stopCh) })
 
-	store := manager.NewObjectCache(listObj, watchObj, newObj, isImmutable, schema.GroupResource{Group: "v1", Resource: "secrets"}, fakeClock, time.Minute, stopCh)
+	store := manager.NewObjectCache(listObj, watchObj, newObj, isImmutable, listWatcherWithWatchListSemanticsWrapper, schema.GroupResource{Group: "v1", Resource: "secrets"}, fakeClock, time.Minute, stopCh)
 
 	// create 1000 secrets in parallel
 	t.Log(time.Now(), "creating 1000 secrets")
diff --git a/test/integration/metrics/metrics_test.go b/test/integration/metrics/metrics_test.go
index 45d84d8f4dd6a..b7bc748de63bd 100644
--- a/test/integration/metrics/metrics_test.go
+++ b/test/integration/metrics/metrics_test.go
@@ -31,8 +31,8 @@ import (
 	dto "github.com/prometheus/client_model/go"
 	"github.com/prometheus/common/expfmt"
 	"github.com/prometheus/common/model"
-	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/api/core/v1"
+	networkingv1beta1 "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/endpoints/metrics"
 	"k8s.io/apiserver/pkg/features"
@@ -119,7 +119,7 @@ func TestAPIServerMetrics(t *testing.T) {
 	t.Setenv("KUBE_APISERVER_SERVE_REMOVED_APIS_FOR_ONE_RELEASE", "true")
 
 	flags := framework.DefaultTestServerFlags()
-	flags = append(flags, fmt.Sprintf("--runtime-config=%s=true", admissionregistrationv1beta1.SchemeGroupVersion))
+	flags = append(flags, fmt.Sprintf("--runtime-config=%s=true", networkingv1beta1.SchemeGroupVersion))
 	s := kubeapiservertesting.StartTestServerOrDie(t, nil, flags, framework.SharedEtcd())
 	defer s.TearDownFn()
 
@@ -131,7 +131,7 @@ func TestAPIServerMetrics(t *testing.T) {
 	}
 
 	// Make a request to a deprecated API to ensure there's at least one data point
-	if _, err := client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().List(context.TODO(), metav1.ListOptions{}); err != nil {
+	if _, err := client.NetworkingV1beta1().ServiceCIDRs().List(context.TODO(), metav1.ListOptions{}); err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 
@@ -722,7 +722,7 @@ type consistencyCheckStatus struct {
 }
 
 func parseMetric(r io.Reader, name string) (*dto.MetricFamily, error) {
-	var parser expfmt.TextParser
+	parser := expfmt.NewTextParser(model.UTF8Validation)
 	mfs, err := parser.TextToMetricFamilies(r)
 	if err != nil {
 		return nil, err
diff --git a/test/integration/node/lifecycle_test.go b/test/integration/node/lifecycle_test.go
index e79f1fe555242..ff1d87a54fef6 100644
--- a/test/integration/node/lifecycle_test.go
+++ b/test/integration/node/lifecycle_test.go
@@ -467,7 +467,7 @@ func TestTaintBasedEvictions(t *testing.T) {
 // newHandlerForTest returns a handler configured for testing.
 func newHandlerForTest() (*defaulttolerationseconds.Plugin, error) {
 	handler := defaulttolerationseconds.NewDefaultTolerationSeconds()
-	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil)
+	pluginInitializer := initializer.New(nil, nil, nil, nil, nil, nil, nil, nil)
 	pluginInitializer.Initialize(handler)
 	return handler, admission.ValidateInitialization(handler)
 }
diff --git a/test/integration/podcertificaterequests/podcertificate_integration_test.go b/test/integration/podcertificaterequests/podcertificate_integration_test.go
index 63583d176363e..4859735f34ca8 100644
--- a/test/integration/podcertificaterequests/podcertificate_integration_test.go
+++ b/test/integration/podcertificaterequests/podcertificate_integration_test.go
@@ -26,7 +26,7 @@ import (
 	"fmt"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -39,6 +39,7 @@ import (
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
 	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/kubernetes/test/utils/hermeticpodcertificatesigner"
 	"k8s.io/utils/clock"
 )
 
@@ -58,7 +59,7 @@ func TestCleanerController(t *testing.T) {
 		[]string{
 			"--authorization-mode=Node,RBAC",
 			"--feature-gates=AuthorizeNodeWithSelectors=true,PodCertificateRequest=true",
-			fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion),
+			fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion),
 		},
 		framework.SharedEtcd(),
 	)
@@ -75,7 +76,7 @@ func TestCleanerController(t *testing.T) {
 	}
 	c := cleaner.NewPCRCleanerController(
 		cleanerClient,
-		informers.Certificates().V1alpha1().PodCertificateRequests(),
+		informers.Certificates().V1beta1().PodCertificateRequests(),
 		clock.RealClock{},
 		1*time.Second,
 		1*time.Second,
@@ -139,29 +140,30 @@ func TestCleanerController(t *testing.T) {
 
 	// Have node1 create a PodCertificateRequest for pod1
 	_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(pod.ObjectMeta.UID))
-	pcr := &certsv1alpha1.PodCertificateRequest{
+	pcr := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
 			Name:      "pcr1",
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:         "kubernetes.io/foo",
-			PodName:            pod.ObjectMeta.Name,
-			PodUID:             pod.ObjectMeta.UID,
-			ServiceAccountName: sa.ObjectMeta.Name,
-			ServiceAccountUID:  sa.ObjectMeta.UID,
-			NodeName:           types.NodeName(node.ObjectMeta.Name),
-			NodeUID:            node.ObjectMeta.UID,
-			PKIXPublicKey:      pubPKIX,
-			ProofOfPossession:  proof,
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                "kubernetes.io/foo",
+			PodName:                   pod.ObjectMeta.Name,
+			PodUID:                    pod.ObjectMeta.UID,
+			ServiceAccountName:        sa.ObjectMeta.Name,
+			ServiceAccountUID:         sa.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node.ObjectMeta.Name),
+			NodeUID:                   node.ObjectMeta.UID,
+			PKIXPublicKey:             pubPKIX,
+			ProofOfPossession:         proof,
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "pod1"},
 		},
 	}
-	pcr, err = node1Client.CertificatesV1alpha1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Create(ctx, pcr, metav1.CreateOptions{})
+	pcr, err = node1Client.CertificatesV1beta1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Create(ctx, pcr, metav1.CreateOptions{})
 	if err != nil {
 		t.Fatalf("Unexpected error creating PodCertificateRequest: %v", err)
 	}
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		_, err := client.CertificatesV1alpha1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Get(ctx, pcr.ObjectMeta.Name, metav1.GetOptions{})
+		_, err := client.CertificatesV1beta1().PodCertificateRequests(pcr.ObjectMeta.Namespace).Get(ctx, pcr.ObjectMeta.Name, metav1.GetOptions{})
 		if k8serrors.IsNotFound(err) {
 			return true, nil
 		} else if err != nil {
@@ -192,7 +194,7 @@ func TestNodeRestriction(t *testing.T) {
 			"--authorization-mode=Node,RBAC",
 			"--enable-admission-plugins=NodeRestriction",
 			"--feature-gates=AuthorizeNodeWithSelectors=true,PodCertificateRequest=true",
-			fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion),
+			fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion),
 		},
 		framework.SharedEtcd(),
 	)
@@ -269,28 +271,29 @@ func TestNodeRestriction(t *testing.T) {
 	t.Run("node1 can create PCR for pod on node1", func(t *testing.T) {
 		// Have node2 create a PodCertificateRequest for pod1
 		_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(pod.ObjectMeta.UID))
-		pcr := &certsv1alpha1.PodCertificateRequest{
+		pcr := &certsv1beta1.PodCertificateRequest{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "default",
 				Name:      "pcr1",
 			},
-			Spec: certsv1alpha1.PodCertificateRequestSpec{
-				SignerName:         "kubernetes.io/foo",
-				PodName:            pod.ObjectMeta.Name,
-				PodUID:             pod.ObjectMeta.UID,
-				ServiceAccountName: sa.ObjectMeta.Name,
-				ServiceAccountUID:  sa.ObjectMeta.UID,
-				NodeName:           types.NodeName(node1.ObjectMeta.Name),
-				NodeUID:            node1.ObjectMeta.UID,
-				PKIXPublicKey:      pubPKIX,
-				ProofOfPossession:  proof,
+			Spec: certsv1beta1.PodCertificateRequestSpec{
+				SignerName:                "kubernetes.io/foo",
+				PodName:                   pod.ObjectMeta.Name,
+				PodUID:                    pod.ObjectMeta.UID,
+				ServiceAccountName:        sa.ObjectMeta.Name,
+				ServiceAccountUID:         sa.ObjectMeta.UID,
+				NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+				NodeUID:                   node1.ObjectMeta.UID,
+				PKIXPublicKey:             pubPKIX,
+				ProofOfPossession:         proof,
+				UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "pod1"},
 			},
 		}
 
 		// Informer lag inside kube-apiserver could cause us to get transient
 		// errors.
 		err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-			_, err = node1Client.CertificatesV1alpha1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
+			_, err = node1Client.CertificatesV1beta1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
 			if err != nil {
 				return false, err
 			}
@@ -304,21 +307,22 @@ func TestNodeRestriction(t *testing.T) {
 	t.Run("node2 cannot create PCR for pod on node1", func(t *testing.T) {
 		// Have node2 create a PodCertificateRequest for pod1
 		_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(pod.ObjectMeta.UID))
-		pcr := &certsv1alpha1.PodCertificateRequest{
+		pcr := &certsv1beta1.PodCertificateRequest{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "default",
 				Name:      "pcr1",
 			},
-			Spec: certsv1alpha1.PodCertificateRequestSpec{
-				SignerName:         "kubernetes.io/foo",
-				PodName:            pod.ObjectMeta.Name,
-				PodUID:             pod.ObjectMeta.UID,
-				ServiceAccountName: sa.ObjectMeta.Name,
-				ServiceAccountUID:  sa.ObjectMeta.UID,
-				NodeName:           types.NodeName(node1.ObjectMeta.Name),
-				NodeUID:            node1.ObjectMeta.UID,
-				PKIXPublicKey:      pubPKIX,
-				ProofOfPossession:  proof,
+			Spec: certsv1beta1.PodCertificateRequestSpec{
+				SignerName:                "kubernetes.io/foo",
+				PodName:                   pod.ObjectMeta.Name,
+				PodUID:                    pod.ObjectMeta.UID,
+				ServiceAccountName:        sa.ObjectMeta.Name,
+				ServiceAccountUID:         sa.ObjectMeta.UID,
+				NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+				NodeUID:                   node1.ObjectMeta.UID,
+				PKIXPublicKey:             pubPKIX,
+				ProofOfPossession:         proof,
+				UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "pod1"},
 			},
 		}
 
@@ -327,7 +331,7 @@ func TestNodeRestriction(t *testing.T) {
 		// should be transient, so wait for some time to see if we reach our
 		// durable error condition.
 		err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-			_, err = node2Client.CertificatesV1alpha1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
+			_, err = node2Client.CertificatesV1beta1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
 			if err == nil || k8serrors.IsForbidden(err) {
 				return true, err
 			}
@@ -343,21 +347,22 @@ func TestNodeRestriction(t *testing.T) {
 	t.Run("node2 cannot create PCR for pod that doesn't exist", func(t *testing.T) {
 		// Have node2 create a PodCertificateRequest for pod1
 		_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(pod.ObjectMeta.UID))
-		pcr := &certsv1alpha1.PodCertificateRequest{
+		pcr := &certsv1beta1.PodCertificateRequest{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "default",
 				Name:      "pcr1",
 			},
-			Spec: certsv1alpha1.PodCertificateRequestSpec{
-				SignerName:         "kubernetes.io/foo",
-				PodName:            "dnepod",
-				PodUID:             "dnepoduid",
-				ServiceAccountName: sa.ObjectMeta.Name,
-				ServiceAccountUID:  sa.ObjectMeta.UID,
-				NodeName:           types.NodeName(node2.ObjectMeta.Name),
-				NodeUID:            node2.ObjectMeta.UID,
-				PKIXPublicKey:      pubPKIX,
-				ProofOfPossession:  proof,
+			Spec: certsv1beta1.PodCertificateRequestSpec{
+				SignerName:                "kubernetes.io/foo",
+				PodName:                   "dnepod",
+				PodUID:                    "dnepoduid",
+				ServiceAccountName:        sa.ObjectMeta.Name,
+				ServiceAccountUID:         sa.ObjectMeta.UID,
+				NodeName:                  types.NodeName(node2.ObjectMeta.Name),
+				NodeUID:                   node2.ObjectMeta.UID,
+				PKIXPublicKey:             pubPKIX,
+				ProofOfPossession:         proof,
+				UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "pod1"},
 			},
 		}
 
@@ -366,7 +371,7 @@ func TestNodeRestriction(t *testing.T) {
 		// hold here for 15 seconds and assume if we're still getting an error,
 		// then it can't be due to informer lag.
 		err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-			_, err = node2Client.CertificatesV1alpha1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
+			_, err = node2Client.CertificatesV1beta1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
 			if err == nil {
 				return true, err
 			}
@@ -392,7 +397,7 @@ func TestNodeAuthorization(t *testing.T) {
 			"--authorization-mode=Node,RBAC",
 			"--enable-admission-plugins=NodeRestriction",
 			"--feature-gates=AuthorizeNodeWithSelectors=true,PodCertificateRequest=true",
-			fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion),
+			fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion),
 		},
 		framework.SharedEtcd(),
 	)
@@ -468,28 +473,29 @@ func TestNodeAuthorization(t *testing.T) {
 
 	// Have node1 create a PodCertificateRequest for pod1
 	_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(pod.ObjectMeta.UID))
-	pcr := &certsv1alpha1.PodCertificateRequest{
+	pcr := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
 			Name:      "pcr1",
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:         "kubernetes.io/foo",
-			PodName:            pod.ObjectMeta.Name,
-			PodUID:             pod.ObjectMeta.UID,
-			ServiceAccountName: sa.ObjectMeta.Name,
-			ServiceAccountUID:  sa.ObjectMeta.UID,
-			NodeName:           types.NodeName(node1.ObjectMeta.Name),
-			NodeUID:            node1.ObjectMeta.UID,
-			PKIXPublicKey:      pubPKIX,
-			ProofOfPossession:  proof,
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                "kubernetes.io/foo",
+			PodName:                   pod.ObjectMeta.Name,
+			PodUID:                    pod.ObjectMeta.UID,
+			ServiceAccountName:        sa.ObjectMeta.Name,
+			ServiceAccountUID:         sa.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+			NodeUID:                   node1.ObjectMeta.UID,
+			PKIXPublicKey:             pubPKIX,
+			ProofOfPossession:         proof,
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "pod1"},
 		},
 	}
 
 	// Creating the PCR could fail if there is informer lag in the
 	// noderestriction logic.  Poll until it succeeds.
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		_, err = node1Client.CertificatesV1alpha1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
+		_, err = node1Client.CertificatesV1beta1().PodCertificateRequests("default").Create(ctx, pcr, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}
@@ -500,14 +506,14 @@ func TestNodeAuthorization(t *testing.T) {
 	}
 
 	t.Run("node1 can directly get pcr1", func(t *testing.T) {
-		_, err := node1Client.CertificatesV1alpha1().PodCertificateRequests("default").Get(ctx, "pcr1", metav1.GetOptions{})
+		_, err := node1Client.CertificatesV1beta1().PodCertificateRequests("default").Get(ctx, "pcr1", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error listing PodCertificateRequests as node1: %v", err)
 		}
 	})
 
 	t.Run("node1 can see pcr1 when listing", func(t *testing.T) {
-		pcrList, err := node1Client.CertificatesV1alpha1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
+		pcrList, err := node1Client.CertificatesV1beta1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
 			FieldSelector: "spec.nodeName=node1",
 		})
 		if err != nil {
@@ -524,7 +530,7 @@ func TestNodeAuthorization(t *testing.T) {
 	})
 
 	t.Run("node2 cannot list with field selector for node1", func(t *testing.T) {
-		_, err := node2Client.CertificatesV1alpha1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
+		_, err := node2Client.CertificatesV1beta1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
 			FieldSelector: "spec.nodeName=node1",
 		})
 		if err == nil {
@@ -535,7 +541,7 @@ func TestNodeAuthorization(t *testing.T) {
 	})
 
 	t.Run("node2 cannot directly get pcr1", func(t *testing.T) {
-		_, err := node2Client.CertificatesV1alpha1().PodCertificateRequests("default").Get(ctx, "pcr1", metav1.GetOptions{})
+		_, err := node2Client.CertificatesV1beta1().PodCertificateRequests("default").Get(ctx, "pcr1", metav1.GetOptions{})
 		if err == nil {
 			t.Fatalf("Getting pcr1 unexpectedly succeeded")
 		} else if !k8serrors.IsForbidden(err) {
@@ -544,7 +550,7 @@ func TestNodeAuthorization(t *testing.T) {
 	})
 
 	t.Run("node2 cannot see pcr1 when listing", func(t *testing.T) {
-		pcrList, err := node2Client.CertificatesV1alpha1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
+		pcrList, err := node2Client.CertificatesV1beta1().PodCertificateRequests("default").List(ctx, metav1.ListOptions{
 			FieldSelector: "spec.nodeName=node2",
 		})
 		if err != nil {
@@ -573,7 +579,7 @@ func TestNodeAuthorizerNamespaceNameConfusion(t *testing.T) {
 			"--authorization-mode=Node,RBAC",
 			"--enable-admission-plugins=NodeRestriction",
 			"--feature-gates=AuthorizeNodeWithSelectors=true,PodCertificateRequest=true",
-			fmt.Sprintf("--runtime-config=%s=true", certsv1alpha1.SchemeGroupVersion),
+			fmt.Sprintf("--runtime-config=%s=true", certsv1beta1.SchemeGroupVersion),
 		},
 		framework.SharedEtcd(),
 	)
@@ -697,27 +703,28 @@ func TestNodeAuthorizerNamespaceNameConfusion(t *testing.T) {
 
 	// Have node1 create a PodCertificateRequest for bar/foo
 	_, _, pubPKIX, proof := mustMakeEd25519KeyAndProof(t, []byte(podBarFoo.ObjectMeta.UID))
-	pcrBarFoo := &certsv1alpha1.PodCertificateRequest{
+	pcrBarFoo := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "bar",
 			Name:      "foo",
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:         "kubernetes.io/foo",
-			PodName:            podBarFoo.ObjectMeta.Name,
-			PodUID:             podBarFoo.ObjectMeta.UID,
-			ServiceAccountName: saBar.ObjectMeta.Name,
-			ServiceAccountUID:  saBar.ObjectMeta.UID,
-			NodeName:           types.NodeName(node1.ObjectMeta.Name),
-			NodeUID:            node1.ObjectMeta.UID,
-			PKIXPublicKey:      pubPKIX,
-			ProofOfPossession:  proof,
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                "kubernetes.io/foo",
+			PodName:                   podBarFoo.ObjectMeta.Name,
+			PodUID:                    podBarFoo.ObjectMeta.UID,
+			ServiceAccountName:        saBar.ObjectMeta.Name,
+			ServiceAccountUID:         saBar.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node1.ObjectMeta.Name),
+			NodeUID:                   node1.ObjectMeta.UID,
+			PKIXPublicKey:             pubPKIX,
+			ProofOfPossession:         proof,
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "foo"},
 		},
 	}
 	// Creating the PCR could fail if there is informer lag in the
 	// noderestriction logic.  Poll until it succeeds.
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		_, err = node1Client.CertificatesV1alpha1().PodCertificateRequests("bar").Create(ctx, pcrBarFoo, metav1.CreateOptions{})
+		_, err = node1Client.CertificatesV1beta1().PodCertificateRequests("bar").Create(ctx, pcrBarFoo, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}
@@ -729,27 +736,28 @@ func TestNodeAuthorizerNamespaceNameConfusion(t *testing.T) {
 
 	// Have node2 create a PodCertificateRequest for foo/bar
 	_, _, pubPKIXFooBar, proofFooBar := mustMakeEd25519KeyAndProof(t, []byte(podFooBar.ObjectMeta.UID))
-	pcrFooBar := &certsv1alpha1.PodCertificateRequest{
+	pcrFooBar := &certsv1beta1.PodCertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "foo",
 			Name:      "bar",
 		},
-		Spec: certsv1alpha1.PodCertificateRequestSpec{
-			SignerName:         "kubernetes.io/foo",
-			PodName:            podFooBar.ObjectMeta.Name,
-			PodUID:             podFooBar.ObjectMeta.UID,
-			ServiceAccountName: saFoo.ObjectMeta.Name,
-			ServiceAccountUID:  saFoo.ObjectMeta.UID,
-			NodeName:           types.NodeName(node2.ObjectMeta.Name),
-			NodeUID:            node2.ObjectMeta.UID,
-			PKIXPublicKey:      pubPKIXFooBar,
-			ProofOfPossession:  proofFooBar,
+		Spec: certsv1beta1.PodCertificateRequestSpec{
+			SignerName:                "kubernetes.io/foo",
+			PodName:                   podFooBar.ObjectMeta.Name,
+			PodUID:                    podFooBar.ObjectMeta.UID,
+			ServiceAccountName:        saFoo.ObjectMeta.Name,
+			ServiceAccountUID:         saFoo.ObjectMeta.UID,
+			NodeName:                  types.NodeName(node2.ObjectMeta.Name),
+			NodeUID:                   node2.ObjectMeta.UID,
+			PKIXPublicKey:             pubPKIXFooBar,
+			ProofOfPossession:         proofFooBar,
+			UnverifiedUserAnnotations: map[string]string{hermeticpodcertificatesigner.SpiffePathKey: "bar"},
 		},
 	}
 	// Creating the PCR could fail if there is informer lag in the
 	// noderestriction logic.  Poll until it succeeds.
 	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 15*time.Second, true, func(ctx context.Context) (bool, error) {
-		_, err = node2Client.CertificatesV1alpha1().PodCertificateRequests("foo").Create(ctx, pcrFooBar, metav1.CreateOptions{})
+		_, err = node2Client.CertificatesV1beta1().PodCertificateRequests("foo").Create(ctx, pcrFooBar, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}
@@ -760,27 +768,27 @@ func TestNodeAuthorizerNamespaceNameConfusion(t *testing.T) {
 	}
 
 	t.Run("node1 can directly get bar/foo", func(t *testing.T) {
-		_, err := node1Client.CertificatesV1alpha1().PodCertificateRequests("bar").Get(ctx, "foo", metav1.GetOptions{})
+		_, err := node1Client.CertificatesV1beta1().PodCertificateRequests("bar").Get(ctx, "foo", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error getting bar/foo as node1: %v", err)
 		}
 	})
 
 	t.Run("node2 can directly get foo/bar", func(t *testing.T) {
-		_, err := node2Client.CertificatesV1alpha1().PodCertificateRequests("foo").Get(ctx, "bar", metav1.GetOptions{})
+		_, err := node2Client.CertificatesV1beta1().PodCertificateRequests("foo").Get(ctx, "bar", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error getting foo/bar as node2: %v", err)
 		}
 	})
 
 	// Delete bar/foo
-	err = client.CertificatesV1alpha1().PodCertificateRequests("bar").Delete(ctx, "foo", metav1.DeleteOptions{})
+	err = client.CertificatesV1beta1().PodCertificateRequests("bar").Delete(ctx, "foo", metav1.DeleteOptions{})
 	if err != nil {
 		t.Fatalf("Unexpected error deleting pcr bar/foo: %v", err)
 	}
 
 	t.Run("node2 can still directly get foo/bar after bar/foo was deleted", func(t *testing.T) {
-		_, err := node2Client.CertificatesV1alpha1().PodCertificateRequests("foo").Get(ctx, "bar", metav1.GetOptions{})
+		_, err := node2Client.CertificatesV1beta1().PodCertificateRequests("foo").Get(ctx, "bar", metav1.GetOptions{})
 		if err != nil {
 			t.Fatalf("Unexpected error getting foo/bar as node2: %v", err)
 		}
diff --git a/test/integration/pods/pods_test.go b/test/integration/pods/pods_test.go
index 250d0320f0f9a..be9a0745858bc 100644
--- a/test/integration/pods/pods_test.go
+++ b/test/integration/pods/pods_test.go
@@ -36,6 +36,7 @@ import (
 	typedv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ipprfeature "k8s.io/component-helpers/nodedeclaredfeatures/features/inplacepodresize"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 	"k8s.io/kubernetes/pkg/features"
@@ -869,6 +870,11 @@ func TestPodResizeRBAC(t *testing.T) {
 					{
 						Name:  "fake-name",
 						Image: "fakeimage",
+						Resources: v1.ResourceRequirements{
+							Requests: v1.ResourceList{
+								v1.ResourceCPU: resource.MustParse("100m"),
+							},
+						},
 					},
 				},
 			},
@@ -929,7 +935,7 @@ func TestPodResizeRBAC(t *testing.T) {
 			}
 			resp.Spec.Containers[0].Resources = v1.ResourceRequirements{
 				Requests: v1.ResourceList{
-					v1.ResourceEphemeralStorage: resource.MustParse("2Gi"),
+					v1.ResourceCPU: resource.MustParse("200m"),
 				},
 			}
 			_, err = saClient.CoreV1().Pods(ns.Name).UpdateResize(context.TODO(), resp.Name, resp, metav1.UpdateOptions{})
@@ -1494,3 +1500,142 @@ func TestRelaxedDNSSearchValidation(t *testing.T) {
 		}
 	}
 }
+
+func TestNodeDeclaredFeatureAdmission(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.NodeDeclaredFeatures:      true,
+		features.InPlacePodVerticalScaling: true,
+	})
+	server := kubeapiservertesting.StartTestServerOrDie(t, nil, framework.DefaultTestServerFlags(), framework.SharedEtcd())
+	defer server.TearDownFn()
+	client := clientset.NewForConfigOrDie(server.ClientConfig)
+	ns := framework.CreateNamespaceOrDie(client, "pod-resize-feature-admission", t)
+	defer framework.DeleteNamespaceOrDie(client, ns, t)
+
+	nodeName := "test-node"
+	testPod := &v1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "test-pod-",
+		},
+		Spec: v1.PodSpec{
+			NodeName: nodeName,
+			Containers: []v1.Container{
+				{
+					Name:  "test-container",
+					Image: "fakeimage",
+					Resources: v1.ResourceRequirements{
+						Requests: v1.ResourceList{v1.ResourceCPU: resource.MustParse("1"), v1.ResourceMemory: resource.MustParse("1Gi")},
+						Limits:   v1.ResourceList{v1.ResourceCPU: resource.MustParse("1"), v1.ResourceMemory: resource.MustParse("1Gi")},
+					},
+				},
+			},
+			RestartPolicy: v1.RestartPolicyAlways,
+		},
+		Status: v1.PodStatus{
+			Phase: v1.PodRunning,
+			ContainerStatuses: []v1.ContainerStatus{
+				{
+					Name:  "test-container",
+					Ready: true,
+					AllocatedResources: v1.ResourceList{
+						v1.ResourceCPU:    resource.MustParse("1"),
+						v1.ResourceMemory: resource.MustParse("1Gi"),
+					},
+				},
+			},
+		},
+	}
+
+	testCases := []struct {
+		name                 string
+		nodeDeclaredFeatures []string
+		nodeVersion          string
+		podUpdateFn          func(pod *v1.Pod)
+		expectError          string
+	}{
+		{
+			name:                 "admission fails when required feature is not declared on node",
+			nodeDeclaredFeatures: []string{"SomeOtherFeature"},
+			nodeVersion:          "1.35.0",
+			podUpdateFn: func(pod *v1.Pod) {
+				pod.Spec.Containers[0].Resources.Requests[v1.ResourceCPU] = resource.MustParse("2")
+				pod.Spec.Containers[0].Resources.Limits[v1.ResourceCPU] = resource.MustParse("2")
+			},
+			expectError: "pod update requires features GuaranteedQoSPodCPUResize which are not available on node",
+		},
+
+		{
+			name:                 "admission succeeds when required feature is declared on node",
+			nodeDeclaredFeatures: []string{ipprfeature.GuaranteedQoSPodCPUResize},
+			nodeVersion:          "1.35.0",
+			podUpdateFn: func(pod *v1.Pod) {
+				pod.Spec.Containers[0].Resources.Requests[v1.ResourceCPU] = resource.MustParse("2")
+				pod.Spec.Containers[0].Resources.Limits[v1.ResourceCPU] = resource.MustParse("2")
+			},
+			expectError: "",
+		},
+
+		{
+			name:                 "admission succeeds when pod update does not require any declared feature",
+			nodeDeclaredFeatures: []string{"SomeOtherFeature"},
+			nodeVersion:          "1.35.0",
+			podUpdateFn: func(pod *v1.Pod) {
+				pod.ObjectMeta.Labels = map[string]string{"foo": "bar"}
+			},
+			expectError: "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			node := &v1.Node{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: nodeName,
+				},
+				Status: v1.NodeStatus{
+					NodeInfo:         v1.NodeSystemInfo{KubeletVersion: tc.nodeVersion},
+					DeclaredFeatures: tc.nodeDeclaredFeatures,
+				},
+			}
+			_, err := client.CoreV1().Nodes().Create(context.TODO(), node, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("Failed to create node: %v", err)
+			}
+			defer func() {
+				err := client.CoreV1().Nodes().Delete(context.TODO(), nodeName, metav1.DeleteOptions{})
+				if err != nil {
+					t.Fatalf("Failed to delete Node %v", err)
+				}
+			}()
+
+			createdPod, err := client.CoreV1().Pods(ns.Name).Create(context.TODO(), testPod, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("Failed to create pod: %v", err)
+			}
+			defer func() {
+				err := client.CoreV1().Pods(ns.Name).Delete(context.TODO(), createdPod.Name, metav1.DeleteOptions{})
+				if err != nil {
+					t.Fatalf("Failed to delete Node %v", err)
+				}
+			}()
+
+			podToUpdate := createdPod.DeepCopy()
+			tc.podUpdateFn(podToUpdate)
+
+			_, err = client.CoreV1().Pods(ns.Name).UpdateResize(context.TODO(), podToUpdate.Name, podToUpdate, metav1.UpdateOptions{})
+
+			if tc.expectError == "" {
+				if err != nil {
+					t.Errorf("Expected no error, but got: %v", err)
+				}
+			} else {
+				if err == nil {
+					t.Errorf("Expected error containing %q, but got no error", tc.expectError)
+				} else if !strings.Contains(err.Error(), tc.expectError) {
+					t.Errorf("Expected error containing %q, but got: %v", tc.expectError, err)
+				}
+			}
+		})
+	}
+}
diff --git a/test/integration/quota/quota_test.go b/test/integration/quota/quota_test.go
index 0b60d33414ae8..ec214d139c58f 100644
--- a/test/integration/quota/quota_test.go
+++ b/test/integration/quota/quota_test.go
@@ -90,7 +90,7 @@ func TestQuota(t *testing.T) {
 
 	discoveryFunc := clientset.Discovery().ServerPreferredNamespacedResources
 	listerFuncForResource := generic.ListerFuncForResourceFunc(informers.ForResource)
-	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource)
+	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource, nil)
 	informersStarted := make(chan struct{})
 	resourceQuotaControllerOptions := &resourcequotacontroller.ControllerOptions{
 		QuotaClient:               clientset.CoreV1(),
@@ -319,7 +319,7 @@ plugins:
 
 	discoveryFunc := clientset.Discovery().ServerPreferredNamespacedResources
 	listerFuncForResource := generic.ListerFuncForResourceFunc(informers.ForResource)
-	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource)
+	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource, nil)
 	informersStarted := make(chan struct{})
 	resourceQuotaControllerOptions := &resourcequotacontroller.ControllerOptions{
 		QuotaClient:               clientset.CoreV1(),
@@ -445,7 +445,7 @@ plugins:
 
 	discoveryFunc := clientset.Discovery().ServerPreferredNamespacedResources
 	listerFuncForResource := generic.ListerFuncForResourceFunc(informers.ForResource)
-	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource)
+	qc := quotainstall.NewQuotaConfigurationForControllers(listerFuncForResource, nil)
 	informersStarted := make(chan struct{})
 	resourceQuotaControllerOptions := &resourcequotacontroller.ControllerOptions{
 		QuotaClient:               clientset.CoreV1(),
diff --git a/test/integration/scheduler/batch/batch_test.go b/test/integration/scheduler/batch/batch_test.go
new file mode 100644
index 0000000000000..8a06dd412fb62
--- /dev/null
+++ b/test/integration/scheduler/batch/batch_test.go
@@ -0,0 +1,638 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package batch
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/informers"
+	restclient "k8s.io/client-go/rest"
+	kubeschedulerconfigv1 "k8s.io/kube-scheduler/config/v1"
+	fwk "k8s.io/kube-scheduler/framework"
+	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
+	"k8s.io/kubernetes/pkg/scheduler/apis/config"
+	kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
+	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
+	"k8s.io/kubernetes/test/integration/framework"
+
+	"k8s.io/kubernetes/pkg/scheduler"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	testutil "k8s.io/kubernetes/test/integration/util"
+	"k8s.io/kubernetes/test/utils/ktesting"
+)
+
+type podDef struct {
+	name                string
+	nodeSelector        map[string]string
+	nodeAffinity        []string
+	expectedNode        string
+	expectBatched       bool
+	scheduler           string
+	expectUnschedulable bool
+	priority            int32
+}
+
+type nodeDef struct {
+	name    string
+	labels  map[string]string
+	maxPods int
+}
+
+type scenario struct {
+	name  string
+	pods  []podDef
+	nodes []nodeDef
+}
+
+func TestBatchScenarios(t *testing.T) {
+	table := []*scenario{
+		{
+			name: "one pod one node",
+			pods: []podDef{
+				{
+					name:         "1ppn-batchp1",
+					expectedNode: "1ppn-batchn1",
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "1ppn-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "distinct pods on distinct nodes",
+			pods: []podDef{
+				{
+					name:         "dpdn-batchp1",
+					nodeSelector: map[string]string{"forpod": "1"},
+					expectedNode: "dpdn-batchn1",
+				},
+				{
+					name:         "dpdn-batchp2",
+					nodeSelector: map[string]string{"forpod": "2"},
+					expectedNode: "dpdn-batchn2",
+				},
+				{
+					name:         "dpdn-batchp3",
+					nodeSelector: map[string]string{"forpod": "3"},
+					expectedNode: "dpdn-batchn3",
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "dpdn-batchn3",
+					maxPods: 10,
+					labels:  map[string]string{"forpod": "3"},
+				},
+				{
+					name:    "dpdn-batchn2",
+					maxPods: 10,
+					labels:  map[string]string{"forpod": "2"},
+				},
+				{
+					name:    "dpdn-batchn1",
+					maxPods: 10,
+					labels:  map[string]string{"forpod": "1"},
+				},
+			},
+		},
+
+		{
+			name: "three pod batch",
+			pods: []podDef{
+				{
+					name:         "tpb-batchp1",
+					expectedNode: "tpb-batchn1",
+					nodeAffinity: []string{"tpb-batchn1", "tpb-batchn2", "tpb-batchn3"},
+				},
+				{
+					name:          "tpb-batchp2",
+					expectedNode:  "tpb-batchn2",
+					nodeAffinity:  []string{"tpb-batchn1", "tpb-batchn2", "tpb-batchn3"},
+					expectBatched: true,
+				},
+				{
+					name:          "tpb-batchp3",
+					expectedNode:  "tpb-batchn3",
+					nodeAffinity:  []string{"tpb-batchn1", "tpb-batchn2", "tpb-batchn3"},
+					expectBatched: true,
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "tpb-batchn3",
+					maxPods: 1,
+				},
+				{
+					name:    "tpb-batchn2",
+					maxPods: 1,
+				},
+				{
+					name:    "tpb-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "two consecutive batches",
+			pods: []podDef{
+				{
+					name:         "tcb-batchp1",
+					expectedNode: "tcb-batchn1",
+					nodeAffinity: []string{"tcb-batchn1", "tcb-batchn2"},
+				},
+				{
+					name:          "tcb-batchp2",
+					expectedNode:  "tcb-batchn2",
+					nodeAffinity:  []string{"tcb-batchn1", "tcb-batchn2"},
+					expectBatched: true,
+				},
+				{
+					name:         "tcb-batchp3",
+					expectedNode: "tcb-batchn4",
+					nodeAffinity: []string{"tcb-batchn4", "tcb-batchn3"},
+				},
+				{
+					name:          "tcb-batchp4",
+					expectedNode:  "tcb-batchn3",
+					nodeAffinity:  []string{"tcb-batchn4", "tcb-batchn3"},
+					expectBatched: true,
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "tcb-batchn4",
+					maxPods: 1,
+				},
+				{
+					name:    "tcb-batchn3",
+					maxPods: 1,
+				},
+				{
+					name:    "tcb-batchn2",
+					maxPods: 1,
+				},
+				{
+					name:    "tcb-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "multiple pods per node means no batching",
+			pods: []podDef{
+				{
+					name:         "mppn-batchp1",
+					expectedNode: "mppn-batchn1",
+					nodeAffinity: []string{"mppn-batchn1", "mppn-batchn2"},
+				},
+				{
+					name:         "mppn-batchp2",
+					expectedNode: "mppn-batchn1",
+					nodeAffinity: []string{"mppn-batchn1", "mppn-batchn2"},
+				},
+				{
+					name:         "mppn-batchp3",
+					expectedNode: "mppn-batchn4",
+					nodeAffinity: []string{"mppn-batchn4", "mppn-batchn3"},
+				},
+				{
+					name:         "mppn-batchp4",
+					expectedNode: "mppn-batchn4",
+					nodeAffinity: []string{"mppn-batchn4", "mppn-batchn3"},
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "mppn-batchn4",
+					maxPods: 2,
+				},
+				{
+					name:    "mppn-batchn3",
+					maxPods: 2,
+				},
+				{
+					name:    "mppn-batchn2",
+					maxPods: 2,
+				},
+				{
+					name:    "mppn-batchn1",
+					maxPods: 2,
+				},
+			},
+		},
+		{
+			name: "no batching between schedulers",
+			pods: []podDef{
+				{
+					name:         "bts--batchp1",
+					expectedNode: "bts--batchn1",
+					nodeAffinity: []string{"bts--batchn1", "bts--batchn2", "bts--batchn3"},
+				},
+				{
+					name:         "bts--batchp2",
+					expectedNode: "bts--batchn2",
+					nodeAffinity: []string{"bts--batchn1", "bts--batchn2", "bts--batchn3"},
+					scheduler:    "mysched",
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "bts--batchn3",
+					maxPods: 1,
+				},
+				{
+					name:    "bts--batchn2",
+					maxPods: 1,
+				},
+				{
+					name:    "bts--batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "no batching missing sign",
+			pods: []podDef{
+				{
+					name:         "nsg-batchp1",
+					expectedNode: "nsg-batchn1",
+					nodeAffinity: []string{"nsg-batchn1", "nsg-batchn2", "nsg-batchn3"},
+					scheduler:    "nosign",
+				},
+				{
+					name:         "nsg-batchp2",
+					expectedNode: "nsg-batchn2",
+					nodeAffinity: []string{"nsg-batchn1", "nsg-batchn2", "nsg-batchn3"},
+					scheduler:    "nosign",
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "nsg-batchn3",
+					maxPods: 1,
+				},
+				{
+					name:    "nsg-batchn2",
+					maxPods: 1,
+				},
+				{
+					name:    "nsg-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "no batching empty sign",
+			pods: []podDef{
+				{
+					name:         "esg-batchp1",
+					expectedNode: "esg-batchn1",
+					nodeAffinity: []string{"esg-batchn1", "esg-batchn2", "esg-batchn3"},
+					scheduler:    "emptysign",
+				},
+				{
+					name:         "esg-batchp2",
+					expectedNode: "esg-batchn2",
+					nodeAffinity: []string{"esg-batchn1", "esg-batchn2", "esg-batchn3"},
+					scheduler:    "emptysign",
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "esg-batchn3",
+					maxPods: 1,
+				},
+				{
+					name:    "esg-batchn2",
+					maxPods: 1,
+				},
+				{
+					name:    "esg-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+		{
+			name: "unschedulable pod",
+			pods: []podDef{
+				{
+					name:         "usp-batchp1",
+					expectedNode: "usp-batchn1",
+				},
+				{
+					name:                "usp-batchp2",
+					expectBatched:       false,
+					expectUnschedulable: true,
+				},
+			},
+			nodes: []nodeDef{
+				{
+					name:    "usp-batchn1",
+					maxPods: 1,
+				},
+			},
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			finalPods, batched := runScenario(t, tt, true)
+			for i, p := range finalPods {
+				if p.Spec.NodeName != tt.pods[i].expectedNode {
+					t.Fatalf("Invalid node '%s' for pod '%s'. Expected '%s'", p.Spec.NodeName, p.Name, tt.pods[i].expectedNode)
+				}
+				if batched[i] != tt.pods[i].expectBatched {
+					t.Fatalf("Expected pod %s batched %t, actually %t", p.Name, tt.pods[i].expectBatched, batched[i])
+				}
+			}
+		})
+	}
+}
+
+func newPod(d *podDef) *v1.Pod {
+	aff := &v1.NodeAffinity{}
+	if len(d.nodeAffinity) > 0 {
+		for i, node := range d.nodeAffinity {
+			a := v1.PreferredSchedulingTerm{
+				Weight: int32(len(d.nodeAffinity) - i),
+				Preference: v1.NodeSelectorTerm{
+					MatchFields: []v1.NodeSelectorRequirement{
+						{
+							Key:      "metadata.name",
+							Operator: v1.NodeSelectorOpIn,
+							Values:   []string{node},
+						},
+					},
+				},
+			}
+			aff.PreferredDuringSchedulingIgnoredDuringExecution = append(aff.PreferredDuringSchedulingIgnoredDuringExecution, a)
+		}
+	}
+
+	ret := testutil.InitPausePod(&testutil.PausePodConfig{
+		Name:      d.name,
+		Affinity:  &v1.Affinity{NodeAffinity: aff},
+		Namespace: "default",
+		Resources: &v1.ResourceRequirements{
+			Requests: v1.ResourceList{
+				v1.ResourceCPU:    *(resource.NewQuantity(10, resource.DecimalSI)),
+				v1.ResourceMemory: *(resource.NewQuantity(4*1024*1024, resource.DecimalSI)),
+			},
+		},
+		NodeSelector:  d.nodeSelector,
+		SchedulerName: d.scheduler,
+	})
+
+	if d.priority != 0 {
+		ret.Spec.Priority = &d.priority
+	}
+
+	return ret
+}
+
+func resources(maxPods int) v1.ResourceList {
+	return v1.ResourceList{
+		v1.ResourceCPU:    *(resource.NewQuantity(100, resource.DecimalSI)),
+		v1.ResourceMemory: *(resource.NewQuantity(4*1024*1024*1024, resource.DecimalSI)),
+		v1.ResourcePods:   *resource.NewQuantity(int64(maxPods), resource.DecimalSI),
+	}
+}
+
+func newNode(d *nodeDef) *v1.Node {
+	n := st.MakeNode()
+	n.Name(d.name)
+	n.Labels = d.labels
+	n.Status.Capacity = resources(d.maxPods)
+	n.Status.Allocatable = resources(d.maxPods)
+	return n.Obj()
+}
+
+func newDefaultComponentConfig() (*config.KubeSchedulerConfiguration, error) {
+	gvk := kubeschedulerconfigv1.SchemeGroupVersion.WithKind("KubeSchedulerConfiguration")
+	cfg := config.KubeSchedulerConfiguration{}
+	_, _, err := kubeschedulerscheme.Codecs.UniversalDecoder().Decode(nil, &gvk, &cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	// Clear pod topo spread defaults.
+	profile := cfg.Profiles[0]
+	for _, cfg := range profile.PluginConfig {
+		if cfg.Name == names.PodTopologySpread {
+			tps := cfg.Args.(*config.PodTopologySpreadArgs)
+			tps.DefaultConstraints = []v1.TopologySpreadConstraint{}
+			tps.DefaultingType = config.ListDefaulting
+		}
+	}
+
+	return &cfg, nil
+}
+
+type testPluginNoSign struct{}
+
+var _ fwk.FilterPlugin = &testPluginNoSign{}
+
+func (pl *testPluginNoSign) Name() string {
+	return "nosign"
+}
+
+func (pl *testPluginNoSign) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	return nil
+}
+
+func newNoSignPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
+	return &testPluginNoSign{}, nil
+}
+
+type testPluginEmptySign struct{}
+
+var _ fwk.FilterPlugin = &testPluginEmptySign{}
+var _ fwk.SignPlugin = &testPluginEmptySign{}
+
+func (pl *testPluginEmptySign) Name() string {
+	return "nosign"
+}
+
+func (pl *testPluginEmptySign) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	return nil
+}
+
+func (pl *testPluginEmptySign) SignPod(ctx context.Context, pod *v1.Pod) ([]fwk.SignFragment, *fwk.Status) {
+	return nil, fwk.NewStatus(fwk.Unschedulable)
+}
+
+func newEmptySignPlugin(_ context.Context, injArgs runtime.Object, f fwk.Handle) (fwk.Plugin, error) {
+	return &testPluginEmptySign{}, nil
+}
+
+// To access the test-only field in the framework
+type batchGetter interface {
+	TotalBatchedPods() int64
+}
+
+func runScenario(t *testing.T, tt *scenario, batch bool) ([]*v1.Pod, []bool) {
+	_, tCtx := ktesting.NewTestContext(t)
+
+	cfg, err := newDefaultComponentConfig()
+	if err != nil {
+		tCtx.Fatalf("Error creating default component config: %v", err)
+	}
+
+	newProfile := cfg.Profiles[0].DeepCopy()
+	newProfile.SchedulerName = "mysched"
+	cfg.Profiles = append(cfg.Profiles, *newProfile)
+
+	newProfile = cfg.Profiles[0].DeepCopy()
+	newProfile.SchedulerName = "nosign"
+	newProfile.Plugins.Filter.Enabled = append(newProfile.Plugins.Filter.Enabled, config.Plugin{Name: "nosign"})
+	cfg.Profiles = append(cfg.Profiles, *newProfile)
+
+	newProfile = cfg.Profiles[0].DeepCopy()
+	newProfile.SchedulerName = "emptysign"
+	newProfile.Plugins.Filter.Enabled = append(newProfile.Plugins.Filter.Enabled, config.Plugin{Name: "emptysign"})
+	cfg.Profiles = append(cfg.Profiles, *newProfile)
+
+	scheduler, _, testCtx := mustSetupCluster(tCtx, cfg, frameworkruntime.Registry{
+		"nosign":    newNoSignPlugin,
+		"emptysign": newEmptySignPlugin,
+	})
+
+	getter := scheduler.Profiles["default-scheduler"].(batchGetter)
+
+	cs := testCtx.Client()
+
+	// Add nodes.
+	for _, n := range tt.nodes {
+		_, err := testutil.CreateNode(cs, newNode(&n))
+		if err != nil {
+			t.Fatal("Failed adding node", "node", n, err)
+		}
+	}
+
+	finalPods := []*v1.Pod{}
+	batched := []bool{}
+	for _, pd := range tt.pods {
+		prevBatched := getter.TotalBatchedPods()
+
+		p := newPod(&pd)
+		createdPod, err := cs.CoreV1().Pods(p.Namespace).Create(testCtx, p, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("Failed to create pod %s/%s, error: %v",
+				p.Namespace, p.Name, err)
+		}
+
+		if err := testutil.WaitForPodToScheduleWithTimeout(testCtx, cs, createdPod, 5*time.Second); err != nil {
+			if !pd.expectUnschedulable {
+				t.Errorf("Failed to schedule pod %s/%s on the node, err: %v",
+					p.Namespace, p.Name, err)
+			} else {
+				break
+			}
+		}
+
+		if pd.expectUnschedulable {
+			t.Fatalf("Expected pod to be unschedulable but it was scheduled")
+		}
+
+		finalPod, err := cs.CoreV1().Pods(p.Namespace).Get(testCtx, p.Name, metav1.GetOptions{})
+		if err != nil {
+			t.Fatalf("Failed to get pod %v", err)
+		}
+		finalPods = append(finalPods, finalPod)
+
+		currBatched := getter.TotalBatchedPods()
+
+		batched = append(batched, currBatched > prevBatched)
+	}
+
+	return finalPods, batched
+}
+
+// mustSetupCluster starts the following components:
+// - k8s api server
+// - scheduler
+// - some of the kube-controller-manager controllers
+//
+// It returns regular and dynamic clients, and destroyFunc which should be used to
+// remove resources after finished.
+// Notes on rate limiter:
+//   - client rate limit is set to 5000.
+func mustSetupCluster(tCtx ktesting.TContext, config *config.KubeSchedulerConfiguration, outOfTreePluginRegistry frameworkruntime.Registry) (*scheduler.Scheduler, informers.SharedInformerFactory, ktesting.TContext) {
+	var runtimeConfig []string
+	customFlags := []string{
+		// Disable ServiceAccount admission plugin as we don't have serviceaccount controller running.
+		"--disable-admission-plugins=ServiceAccount,TaintNodesByCondition,Priority",
+		"--runtime-config=" + strings.Join(runtimeConfig, ","),
+	}
+	serverOpts := apiservertesting.NewDefaultTestServerOptions()
+	// Timeout sufficiently long to handle deleting pods of the largest test cases.
+	serverOpts.RequestTimeout = 10 * time.Minute
+	server, err := apiservertesting.StartTestServer(tCtx, serverOpts, customFlags, framework.SharedEtcd())
+	if err != nil {
+		tCtx.Fatalf("start apiserver: %v", err)
+	}
+	// Cleanup will be in reverse order: first the clients by canceling the
+	// child context (happens automatically), then the server.
+	tCtx.Cleanup(server.TearDownFn)
+	tCtx = ktesting.WithCancel(tCtx)
+
+	// TODO: client connection configuration, such as QPS or Burst is configurable in theory, this could be derived from the `config`, need to
+	// support this when there is any testcase that depends on such configuration.
+	cfg := restclient.CopyConfig(server.ClientConfig)
+	cfg.QPS = 5000.0
+	cfg.Burst = 5000
+
+	// use default component config if config here is nil
+	if config == nil {
+		var err error
+		config, err = newDefaultComponentConfig()
+		if err != nil {
+			tCtx.Fatalf("Error creating default component config: %v", err)
+		}
+	}
+
+	tCtx = ktesting.WithRESTConfig(tCtx, cfg)
+
+	// Not all config options will be effective but only those mostly related with scheduler performance will
+	// be applied to start a scheduler, most of them are defined in `scheduler.schedulerOptions`.
+	scheduler, informerFactory := testutil.StartScheduler(tCtx, config, outOfTreePluginRegistry)
+	testutil.StartFakePVController(tCtx, tCtx.Client(), informerFactory)
+	runGC := testutil.CreateGCController(tCtx, tCtx, *cfg, informerFactory)
+	runNS := testutil.CreateNamespaceController(tCtx, tCtx, *cfg, informerFactory)
+
+	runResourceClaimController := func() {}
+
+	informerFactory.Start(tCtx.Done())
+	informerFactory.WaitForCacheSync(tCtx.Done())
+	go runGC()
+	go runNS()
+	go runResourceClaimController()
+
+	return scheduler, informerFactory, tCtx
+
+}
diff --git a/test/integration/scheduler/batch/main_test.go b/test/integration/scheduler/batch/main_test.go
new file mode 100644
index 0000000000000..8075d6901a05d
--- /dev/null
+++ b/test/integration/scheduler/batch/main_test.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package batch
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/test/integration/framework"
+)
+
+func TestMain(m *testing.M) {
+	framework.EtcdMain(m.Run)
+}
diff --git a/test/integration/scheduler/eventhandler/eventhandler_test.go b/test/integration/scheduler/eventhandler/eventhandler_test.go
index 5d4b0f035e0d9..3a38f31dbf76e 100644
--- a/test/integration/scheduler/eventhandler/eventhandler_test.go
+++ b/test/integration/scheduler/eventhandler/eventhandler_test.go
@@ -30,12 +30,12 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-helpers/scheduling/corev1"
+	"k8s.io/klog/v2"
 	configv1 "k8s.io/kube-scheduler/config/v1"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler"
 	configtesting "k8s.io/kubernetes/pkg/scheduler/apis/config/testing"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	schedulerutils "k8s.io/kubernetes/test/integration/scheduler"
@@ -46,7 +46,7 @@ import (
 
 var lowPriority, mediumPriority, highPriority int32 = 100, 200, 300
 
-var _ framework.FilterPlugin = &fooPlugin{}
+var _ fwk.FilterPlugin = &fooPlugin{}
 
 type fooPlugin struct {
 }
@@ -56,12 +56,13 @@ func (pl *fooPlugin) Name() string {
 }
 
 func (pl *fooPlugin) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	logger := klog.FromContext(ctx)
 	taints := nodeInfo.Node().Spec.Taints
 	if len(taints) == 0 {
 		return nil
 	}
 
-	if corev1.TolerationsTolerateTaint(pod.Spec.Tolerations, &nodeInfo.Node().Spec.Taints[0]) {
+	if corev1.TolerationsTolerateTaint(logger, pod.Spec.Tolerations, &nodeInfo.Node().Spec.Taints[0], utilfeature.DefaultFeatureGate.Enabled(features.TaintTolerationComparisonOperators)) {
 		return nil
 	}
 	return fwk.NewStatus(fwk.Unschedulable)
@@ -74,8 +75,8 @@ func (pl *fooPlugin) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWith
 }
 
 // newPlugin returns a plugin factory with specified Plugin.
-func newPlugin(plugin framework.Plugin) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+func newPlugin(plugin fwk.Plugin) frameworkruntime.PluginFactory {
+	return func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		return plugin, nil
 	}
 }
diff --git a/test/integration/scheduler/filters/filters_test.go b/test/integration/scheduler/filters/filters_test.go
index 80289982691fe..8e142ecc452f4 100644
--- a/test/integration/scheduler/filters/filters_test.go
+++ b/test/integration/scheduler/filters/filters_test.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 
+	"github.com/stretchr/testify/mock"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -33,12 +34,14 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndffeatures "k8s.io/component-helpers/nodedeclaredfeatures/features"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
 	"k8s.io/component-helpers/storage/volume"
 	"k8s.io/kubernetes/pkg/features"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	testutils "k8s.io/kubernetes/test/integration/util"
 	imageutils "k8s.io/kubernetes/test/utils/image"
-	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
 )
 
@@ -1080,8 +1083,6 @@ func TestInterPodAffinity(t *testing.T) {
 				featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.32"))
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.MatchLabelKeysInPodAffinity, false)
 			}
-			_, ctx := ktesting.NewTestContext(t)
-
 			testCtx := initTest(t, "")
 			cs := testCtx.ClientSet
 
@@ -1113,11 +1114,11 @@ func TestInterPodAffinity(t *testing.T) {
 				if pod.Namespace == "" {
 					pod.Namespace = defaultNS
 				}
-				createdPod, err := cs.CoreV1().Pods(pod.Namespace).Create(ctx, pod, metav1.CreateOptions{})
+				createdPod, err := cs.CoreV1().Pods(pod.Namespace).Create(testCtx.Ctx, pod, metav1.CreateOptions{})
 				if err != nil {
 					t.Fatalf("Error while creating pod: %v", err)
 				}
-				err = wait.PollUntilContextTimeout(ctx, pollInterval, wait.ForeverTestTimeout, false,
+				err = wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, false,
 					testutils.PodScheduled(cs, createdPod.Namespace, createdPod.Name))
 				if err != nil {
 					t.Errorf("Error while creating pod: %v", err)
@@ -1127,7 +1128,7 @@ func TestInterPodAffinity(t *testing.T) {
 				test.pod.Namespace = defaultNS
 			}
 
-			testPod, err := cs.CoreV1().Pods(test.pod.Namespace).Create(ctx, test.pod, metav1.CreateOptions{})
+			testPod, err := cs.CoreV1().Pods(test.pod.Namespace).Create(testCtx.Ctx, test.pod, metav1.CreateOptions{})
 			if err != nil {
 				if !(test.errorType == "invalidPod" && apierrors.IsInvalid(err)) {
 					t.Fatalf("Error while creating pod: %v", err)
@@ -1135,10 +1136,10 @@ func TestInterPodAffinity(t *testing.T) {
 			}
 
 			if test.fits {
-				err = wait.PollUntilContextTimeout(ctx, pollInterval, wait.ForeverTestTimeout, false,
+				err = wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, false,
 					testutils.PodScheduled(cs, testPod.Namespace, testPod.Name))
 			} else {
-				err = wait.PollUntilContextTimeout(ctx, pollInterval, wait.ForeverTestTimeout, false,
+				err = wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, false,
 					podUnschedulable(cs, testPod.Namespace, testPod.Name))
 			}
 			if err != nil {
@@ -1146,22 +1147,22 @@ func TestInterPodAffinity(t *testing.T) {
 				return
 			}
 
-			err = cs.CoreV1().Pods(test.pod.Namespace).Delete(ctx, test.pod.Name, *metav1.NewDeleteOptions(0))
+			err = cs.CoreV1().Pods(test.pod.Namespace).Delete(testCtx.Ctx, test.pod.Name, *metav1.NewDeleteOptions(0))
 			if err != nil {
 				t.Errorf("Error while deleting pod: %v", err)
 			}
-			err = wait.PollUntilContextTimeout(ctx, pollInterval, wait.ForeverTestTimeout, true,
-				testutils.PodDeleted(ctx, cs, testCtx.NS.Name, test.pod.Name))
+			err = wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, true,
+				testutils.PodDeleted(testCtx.Ctx, cs, testCtx.NS.Name, test.pod.Name))
 			if err != nil {
 				t.Errorf("Error while waiting for pod to get deleted: %v", err)
 			}
 			for _, pod := range test.pods {
-				err = cs.CoreV1().Pods(pod.Namespace).Delete(ctx, pod.Name, *metav1.NewDeleteOptions(0))
+				err = cs.CoreV1().Pods(pod.Namespace).Delete(testCtx.Ctx, pod.Name, *metav1.NewDeleteOptions(0))
 				if err != nil {
 					t.Errorf("Error while deleting pod: %v", err)
 				}
-				err = wait.PollUntilContextTimeout(ctx, pollInterval, wait.ForeverTestTimeout, true,
-					testutils.PodDeleted(ctx, cs, pod.Namespace, pod.Name))
+				err = wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, true,
+					testutils.PodDeleted(testCtx.Ctx, cs, pod.Namespace, pod.Name))
 				if err != nil {
 					t.Errorf("Error while waiting for pod to get deleted: %v", err)
 				}
@@ -1494,9 +1495,238 @@ func TestTaintTolerationFilter(t *testing.T) {
 			}).Container(pause).Obj(),
 			fit: true,
 		},
+		{
+			name: "Pod with Gt toleration matches node taint with greater value",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-gt-1").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/priority-level",
+							Value:  "999",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-gt-1").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/priority-level",
+						Operator: v1.TolerationOpGt,
+						Value:    "900",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
+		{
+			name: "Pod with Gt toleration does not match node taint with lesser value",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-gt-2").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/priority-level",
+							Value:  "850",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-gt-2").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/priority-level",
+						Operator: v1.TolerationOpGt,
+						Value:    "900",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: false,
+		},
+		{
+			name: "Pod with Lt toleration matches node taint with lesser value",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-lt-1").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/error-rate",
+							Value:  "5",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-lt-1").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/error-rate",
+						Operator: v1.TolerationOpLt,
+						Value:    "10",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
+		{
+			name: "Pod with Lt toleration does not match node taint with greater value",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-lt-2").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/error-rate",
+							Value:  "15",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-lt-2").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/error-rate",
+						Operator: v1.TolerationOpLt,
+						Value:    "10",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: false,
+		},
+		{
+			name: "Pod with mixed tolerations including Gt operator",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-mixed").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/priority-level",
+							Value:  "950",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+						{
+							Key:    "node.example.com/zone",
+							Value:  "west",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-mixed").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/priority-level",
+						Operator: v1.TolerationOpGt,
+						Value:    "900",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+					{
+						Key:      "node.example.com/zone",
+						Operator: v1.TolerationOpEqual,
+						Value:    "west",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
+		{
+			name: "Pod with Gt toleration with negative values",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-negative").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/temperature",
+							Value:  "10",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-negative").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/temperature",
+						Operator: v1.TolerationOpGt,
+						Value:    "-20",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
+		{
+			name: "Pod with Lt toleration with zero values",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-zero").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/latency",
+							Value:  "0",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-zero").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/latency",
+						Operator: v1.TolerationOpLt,
+						Value:    "5",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true, // 0 < 5
+		},
+		{
+			name: "Pod with Gt toleration and empty Effect matches any taint effect",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-any-effect").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/priority-level",
+							Value:  "999",
+							Effect: v1.TaintEffectPreferNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-any-effect").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/priority-level",
+						Operator: v1.TolerationOpGt,
+						Value:    "900",
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
+		{
+			name: "Pod with Lt toleration with large numbers",
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-large").
+					Taints([]v1.Taint{
+						{
+							Key:    "node.example.com/memory",
+							Value:  "999999999",
+							Effect: v1.TaintEffectNoSchedule,
+						},
+					}).Obj(),
+			},
+			incomingPod: st.MakePod().Name("pod-large").
+				Tolerations([]v1.Toleration{
+					{
+						Key:      "node.example.com/memory",
+						Operator: v1.TolerationOpLt,
+						Value:    "1000000000",
+						Effect:   v1.TaintEffectNoSchedule,
+					},
+				}).Container(pause).
+				Obj(),
+			fit: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			// Enable the TaintTolerationComparisonOperators feature gate for Gt/Lt tests
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TaintTolerationComparisonOperators, true)
+
 			testCtx := initTest(t, "taint-toleration-filter")
 			cs := testCtx.ClientSet
 			ns := testCtx.NS.Name
@@ -2937,3 +3167,126 @@ func TestNodeAffinityFilter(t *testing.T) {
 		})
 	}
 }
+
+func TestNodeDeclaredFeaturesFilter(t *testing.T) {
+	// Helper to create a pod that requires the feature.
+	podRequiringFeatureA := st.MakePod().Name("pod-req-feature-a").
+		UID("pod-req-feature").
+		Containers([]v1.Container{{Name: "container-req-feature-a", Image: imageutils.GetPauseImageName()}}).Obj()
+
+	// Helper to create a pod that does NOT require the feature.
+	podWithoutRequirement := st.MakePod().Name("pod-no-req").UID("pod-no-req").
+		Containers([]v1.Container{{Name: "container-no-req", Image: imageutils.GetPauseImageName()}}).
+		Obj()
+
+	nodeWithFeatureA := st.MakeNode().Name("node-with-feature-a").DeclaredFeatures([]string{"FeatureA"}).Obj()
+
+	nodeWithFeatureB := st.MakeNode().Name("node-with-feature-b").DeclaredFeatures([]string{"FeatureB"}).Obj()
+	nodeWithFeatureB.Status.DeclaredFeatures = []string{"FeatureB"}
+
+	nodeWithoutFeatures := st.MakeNode().Name("node-without-features").Obj()
+	nodeWithoutFeatures.Status.DeclaredFeatures = []string{}
+
+	nodeWithMultipleFeatures := st.MakeNode().Name("node-with-multiple-features").DeclaredFeatures([]string{"FeatureA", "FeatureB"}).Obj()
+
+	mockFeature := ndftesting.NewMockFeature(t)
+	mockFeature.EXPECT().Name().Return("FeatureA").Maybe()
+	mockFeature.EXPECT().InferForScheduling(mock.Anything).RunAndReturn(func(podInfo *ndf.PodInfo) bool {
+		return podInfo.Spec.Containers[0].Name == "container-req-feature-a"
+	})
+	mockFeature.EXPECT().MaxVersion().Return(nil).Maybe()
+	mockFeature.EXPECT().InferForUpdate(mock.Anything, mock.Anything).Return(false).Maybe()
+	mockFeature.EXPECT().Discover(mock.Anything).Return(false).Maybe()
+
+	tests := []struct {
+		name           string
+		pod            *v1.Pod
+		nodes          []*v1.Node
+		featureEnabled bool
+		expectedNode   string
+	}{
+		{
+			name:           "Feature gate disabled",
+			pod:            podRequiringFeatureA.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithoutFeatures},
+			featureEnabled: false,
+			expectedNode:   "node-without-features",
+		},
+		{
+			name:           "pod without feature requirement schedulable on node without features",
+			pod:            podWithoutRequirement.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithoutFeatures},
+			featureEnabled: true,
+			expectedNode:   "node-without-features",
+		},
+		{
+			name:           "pod without feature requirement schedulable on node with features",
+			pod:            podWithoutRequirement.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithFeatureA},
+			featureEnabled: true,
+			expectedNode:   "node-with-feature-a",
+		},
+		{
+			name:           "pod with feature requirement schedulable on node with the feature",
+			pod:            podRequiringFeatureA.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithFeatureA, nodeWithFeatureB},
+			featureEnabled: true,
+			expectedNode:   "node-with-feature-a",
+		},
+		{
+			name:           "pod with feature requirement not schedulable on node without features",
+			pod:            podRequiringFeatureA.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithFeatureB},
+			featureEnabled: true,
+			expectedNode:   "",
+		},
+		{
+			name:           "pod with feature requirement schedulable on node with multiple features",
+			pod:            podRequiringFeatureA.DeepCopy(),
+			nodes:          []*v1.Node{nodeWithMultipleFeatures, nodeWithoutFeatures},
+			featureEnabled: true,
+			expectedNode:   "node-with-multiple-features",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, tt.featureEnabled)
+			if tt.featureEnabled {
+				originalAllFeatures := ndffeatures.AllFeatures
+				ndffeatures.AllFeatures = []ndf.Feature{mockFeature}
+				defer func() {
+					ndffeatures.AllFeatures = originalAllFeatures
+				}()
+			}
+			testCtx := testutils.InitTestSchedulerWithNS(t, "node-features-filter")
+			cs := testCtx.ClientSet
+			ns := testCtx.NS.Name
+			for _, node := range tt.nodes {
+				if _, err := testutils.CreateNode(testCtx.ClientSet, node); err != nil {
+					t.Fatalf("Failed to create node %v: %v", node.Name, err)
+				}
+			}
+			// Ensure nodes are present in scheduler cache.
+			if err := testutils.WaitForNodesInCache(testCtx.Ctx, testCtx.Scheduler, len(tt.nodes)); err != nil {
+				t.Fatalf("Failed to wait for nodes in cache: %v", err)
+			}
+
+			tt.pod.Namespace = ns
+			if _, err := cs.CoreV1().Pods(ns).Create(testCtx.Ctx, tt.pod, metav1.CreateOptions{}); err != nil {
+				t.Fatalf("Failed to create pod %v: %v", tt.pod.Name, err)
+			}
+			if tt.expectedNode != "" {
+				err := wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, false, testutils.PodScheduledIn(cs, tt.pod.Namespace, tt.pod.Name, []string{tt.expectedNode}))
+				if err != nil {
+					t.Errorf("Expected pod to be scheduled, but it was not: %v", err)
+				}
+			} else {
+				err := wait.PollUntilContextTimeout(testCtx.Ctx, pollInterval, wait.ForeverTestTimeout, false, testutils.PodUnschedulable(cs, tt.pod.Namespace, tt.pod.Name))
+				if err != nil {
+					t.Errorf("Expected pod to be unschedulable, but it was not: %v", err)
+				}
+			}
+		})
+	}
+}
diff --git a/test/integration/scheduler/gang/gang_test.go b/test/integration/scheduler/gang/gang_test.go
new file mode 100644
index 0000000000000..b050353a02a21
--- /dev/null
+++ b/test/integration/scheduler/gang/gang_test.go
@@ -0,0 +1,235 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gang
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/scheduler"
+	"k8s.io/kubernetes/pkg/scheduler/backend/queue"
+	workloadmanager "k8s.io/kubernetes/pkg/scheduler/backend/workloadmanager"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	testutils "k8s.io/kubernetes/test/integration/util"
+)
+
+// podInUnschedulablePods checks if the given Pod is in the unschedulable pods pool.
+func podInUnschedulablePods(t *testing.T, queue queue.SchedulingQueue, podName string) bool {
+	t.Helper()
+	unschedPods := queue.UnschedulablePods()
+	for _, pod := range unschedPods {
+		if pod.Name == podName {
+			return true
+		}
+	}
+	return false
+}
+
+func TestGangScheduling(t *testing.T) {
+	node := st.MakeNode().Name("node").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj()
+
+	workload := st.MakeWorkload().Name("workload").PodGroup(st.MakePodGroup().Name("pg").MinCount(3).Obj()).Obj()
+
+	p1 := st.MakePod().Name("p1").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Container("image").
+		WorkloadRef(&v1.WorkloadReference{Name: "workload", PodGroup: "pg"}).Obj()
+	p2 := st.MakePod().Name("p2").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Container("image").
+		WorkloadRef(&v1.WorkloadReference{Name: "workload", PodGroup: "pg"}).Obj()
+	p3 := st.MakePod().Name("p3").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Container("image").
+		WorkloadRef(&v1.WorkloadReference{Name: "workload", PodGroup: "pg"}).Obj()
+	blockerPod := st.MakePod().Name("blocker").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").
+		ZeroTerminationGracePeriod().Obj()
+
+	// step represents a single step in a test scenario.
+	type step struct {
+		name                         string
+		createWorkload               *schedulingapi.Workload
+		createPods                   []*v1.Pod
+		deletePods                   []string
+		waitForPodsGatedOnPreEnqueue []string
+		waitForPodsUnschedulable     []string
+		waitForPodsScheduled         []string
+	}
+
+	tests := []struct {
+		name  string
+		steps []step
+	}{
+		{
+			name: "gang schedules when workload and resources are available",
+			steps: []step{
+				{
+					name:           "Create the Workload object",
+					createWorkload: workload,
+				},
+				{
+					name:       "Create all pods belonging to the gang",
+					createPods: []*v1.Pod{p1, p2, p3},
+				},
+				{
+					name:                 "Verify all gang pods are scheduled successfully",
+					waitForPodsScheduled: []string{"p1", "p2", "p3"},
+				},
+			},
+		},
+		{
+			name: "gang waits for quorum to start, then schedules",
+			steps: []step{
+				{
+					name:           "Create the Workload object",
+					createWorkload: workload,
+				},
+				{
+					name:       "Create subset of pods belonging to the gang",
+					createPods: []*v1.Pod{p1, p2},
+				},
+				{
+					name:                         "Verify pods are gated at PreEnqueue (no quorum)",
+					waitForPodsGatedOnPreEnqueue: []string{"p1", "p2"},
+				},
+				{
+					name:       "Create the last pod belonging to the gang to unblock PreEnqueue",
+					createPods: []*v1.Pod{p3},
+				},
+				{
+					name:                 "Verify all gang pods are scheduled successfully",
+					waitForPodsScheduled: []string{"p1", "p2", "p3"},
+				},
+			},
+		},
+		{
+			name: "gang waits for workload, then for resources, then schedules",
+			steps: []step{
+				{
+					name:       "Create the resource-blocking pod",
+					createPods: []*v1.Pod{blockerPod},
+				},
+				{
+					name:                 "Schedule the resource-blocking pod",
+					waitForPodsScheduled: []string{"blocker"},
+				},
+				{
+					name:       "Create gang pods before Workload is created",
+					createPods: []*v1.Pod{p1, p2, p3},
+				},
+				{
+					name:                         "Verify pods are gated at PreEnqueue (no Workload object)",
+					waitForPodsGatedOnPreEnqueue: []string{"p1", "p2", "p3"},
+				},
+				{
+					name:           "Create the Workload to unblock PreEnqueue",
+					createWorkload: workload,
+				},
+				{
+					name:                     "Verify pods become unschedulable (Permit timeout due to resource blocker)",
+					waitForPodsUnschedulable: []string{"p1", "p2", "p3"},
+				},
+				{
+					name:       "Delete the resource-blocking pod",
+					deletePods: []string{"blocker"},
+				},
+				{
+					name:                 "Verify the entire gang is now scheduled",
+					waitForPodsScheduled: []string{"p1", "p2", "p3"},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+				features.GenericWorkload: true,
+				features.GangScheduling:  true,
+			})
+
+			workloadmanager.DefaultSchedulingTimeoutDuration = 5 * time.Second
+
+			testCtx := testutils.InitTestSchedulerWithNS(t, "gang-scheduling",
+				// disable backoff
+				scheduler.WithPodMaxBackoffSeconds(0),
+				scheduler.WithPodInitialBackoffSeconds(0))
+
+			cs, ns := testCtx.ClientSet, testCtx.NS.Name
+
+			_, err := cs.CoreV1().Nodes().Create(testCtx.Ctx, node, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("Failed to create node: %v", err)
+			}
+
+			for i, step := range tt.steps {
+				t.Logf("Executing step %d: %s", i, step.name)
+				switch {
+				case step.createPods != nil:
+					for _, pod := range step.createPods {
+						p := pod.DeepCopy()
+						p.Namespace = ns
+						if _, err := cs.CoreV1().Pods(ns).Create(testCtx.Ctx, p, metav1.CreateOptions{}); err != nil {
+							t.Fatalf("Step %d: Failed to create pod %s: %v", i, p.Name, err)
+						}
+					}
+				case step.createWorkload != nil:
+					w := step.createWorkload.DeepCopy()
+					w.Namespace = ns
+					if _, err := cs.SchedulingV1alpha1().Workloads(ns).Create(testCtx.Ctx, w, metav1.CreateOptions{}); err != nil {
+						t.Fatalf("Step %d: Failed to create workload %s: %v", i, w.Name, err)
+					}
+				case step.deletePods != nil:
+					for _, podName := range step.deletePods {
+						if err := cs.CoreV1().Pods(ns).Delete(testCtx.Ctx, podName, metav1.DeleteOptions{}); err != nil {
+							t.Fatalf("Step %d: Failed to delete pod %s: %v", i, podName, err)
+						}
+					}
+				case step.waitForPodsGatedOnPreEnqueue != nil:
+					for _, podName := range step.waitForPodsGatedOnPreEnqueue {
+						err := wait.PollUntilContextTimeout(testCtx.Ctx, 100*time.Millisecond, wait.ForeverTestTimeout, false,
+							func(_ context.Context) (bool, error) {
+								return podInUnschedulablePods(t, testCtx.Scheduler.SchedulingQueue, podName), nil
+							},
+						)
+						if err != nil {
+							t.Fatalf("Step %d: Failed to wait for pod %s to be in unschedulable pods pool: %v", i, podName, err)
+						}
+					}
+				case step.waitForPodsUnschedulable != nil:
+					for _, podName := range step.waitForPodsUnschedulable {
+						err := wait.PollUntilContextTimeout(testCtx.Ctx, 100*time.Millisecond, wait.ForeverTestTimeout, false,
+							testutils.PodUnschedulable(cs, ns, podName))
+						if err != nil {
+							t.Fatalf("Step %d: Failed to wait for pod %s to be unschedulable: %v", i, podName, err)
+						}
+					}
+				case step.waitForPodsScheduled != nil:
+					for _, podName := range step.waitForPodsScheduled {
+						err := wait.PollUntilContextTimeout(testCtx.Ctx, 100*time.Millisecond, wait.ForeverTestTimeout, false,
+							testutils.PodScheduled(cs, ns, podName))
+						if err != nil {
+							t.Fatalf("Step %d: Failed to wait for pod %s to be scheduled: %v", i, podName, err)
+						}
+					}
+				}
+			}
+		})
+	}
+}
diff --git a/test/integration/scheduler/gang/main_test.go b/test/integration/scheduler/gang/main_test.go
new file mode 100644
index 0000000000000..22d5e40d9681c
--- /dev/null
+++ b/test/integration/scheduler/gang/main_test.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gang
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/test/integration/framework"
+)
+
+func TestMain(m *testing.M) {
+	framework.EtcdMain(m.Run)
+}
diff --git a/test/integration/scheduler/nominated_node_name/nominated_node_name_test.go b/test/integration/scheduler/nominated_node_name/nominated_node_name_test.go
index a163bceb85bf7..3bc8907afc868 100644
--- a/test/integration/scheduler/nominated_node_name/nominated_node_name_test.go
+++ b/test/integration/scheduler/nominated_node_name/nominated_node_name_test.go
@@ -18,20 +18,35 @@ package nominatednodename
 
 import (
 	"context"
+	"fmt"
+	"sync"
 	"testing"
 	"time"
 
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	configv1 "k8s.io/kube-scheduler/config/v1"
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/apis/config"
+	configtesting "k8s.io/kubernetes/pkg/scheduler/apis/config/testing"
+	"k8s.io/kubernetes/pkg/scheduler/backend/queue"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultpreemption"
+	plfeature "k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
+	"k8s.io/kubernetes/pkg/scheduler/framework/preemption"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	schedulerutils "k8s.io/kubernetes/test/integration/scheduler"
 	testutils "k8s.io/kubernetes/test/integration/util"
+	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/utils/ptr"
 )
 
 type FakePermitPlugin struct {
@@ -90,23 +105,18 @@ func (pp *RunForeverPreBindPlugin) PreBind(ctx context.Context, state fwk.CycleS
 	}
 }
 
-// Test_PutNominatedNodeNameInBindingCycle makes sure that nominatedNodeName is set in the binding cycle
+// TestNominatedNodeNameIsSetBeforePreBindAndWaitOnPermit makes sure that nominatedNodeName is set in the binding cycle
 // when the PreBind or Permit plugin (WaitOnPermit) is going to work.
-func Test_PutNominatedNodeNameInBindingCycle(t *testing.T) {
-	cancel := make(chan struct{})
+func TestNominatedNodeNameIsSetBeforePreBindAndWaitOnPermit(t *testing.T) {
 	tests := []struct {
 		name                    string
-		plugin                  framework.Plugin
+		plugin                  fwk.Plugin
 		expectNominatedNodeName bool
-		cleanup                 func()
 	}{
 		{
 			name:                    "NominatedNodeName is put if PreBindPlugin will run",
-			plugin:                  &RunForeverPreBindPlugin{cancel: cancel},
+			plugin:                  &RunForeverPreBindPlugin{},
 			expectNominatedNodeName: true,
-			cleanup: func() {
-				close(cancel)
-			},
 		},
 		{
 			name:                    "NominatedNodeName is put if PermitPlugin will run at WaitOnPermit",
@@ -120,55 +130,604 @@ func Test_PutNominatedNodeNameInBindingCycle(t *testing.T) {
 			plugin: &FakePermitPlugin{
 				code: fwk.Success,
 			},
+			expectNominatedNodeName: false,
 		},
 		{
-			name:   "NominatedNodeName is not put if PermitPlugin nor PreBindPlugin will run",
-			plugin: nil,
+			name:                    "NominatedNodeName is not put if PermitPlugin nor PreBindPlugin will run",
+			plugin:                  nil,
+			expectNominatedNodeName: false,
 		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NominatedNodeNameForExpectation, true)
+		for _, nnnForExpectationEnabled := range []bool{true, false} {
+			t.Run(fmt.Sprintf("%s (NominatedNodeName for expectation: %v)", test.name, nnnForExpectationEnabled), func(t *testing.T) {
+				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NominatedNodeNameForExpectation, nnnForExpectationEnabled)
 
-			testContext := testutils.InitTestAPIServer(t, "nnn-test", nil)
-			if test.cleanup != nil {
-				defer test.cleanup()
-			}
+				testContext := testutils.InitTestAPIServer(t, "nnn-test", nil)
 
-			pf := func(plugin framework.Plugin) frameworkruntime.PluginFactory {
-				return func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
-					return plugin, nil
+				pf := func(plugin fwk.Plugin) frameworkruntime.PluginFactory {
+					return func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
+						return plugin, nil
+					}
 				}
-			}
 
-			plugins := []framework.Plugin{&NoNNNPostBindPlugin{cancel: testContext.Ctx.Done(), t: t}}
-			if test.plugin != nil {
-				plugins = append(plugins, test.plugin)
-			}
+				plugins := []fwk.Plugin{&NoNNNPostBindPlugin{cancel: testContext.Ctx.Done(), t: t}}
+				if test.plugin != nil {
+					// This code makes sure that each test case (for each value of feature gate) uses a separate cancel channel.
+					runForeverPlugin, ok := test.plugin.(*RunForeverPreBindPlugin)
+					if ok {
+						cancel := make(chan struct{})
+						runForeverPlugin.cancel = cancel
+						defer func() {
+							close(cancel)
+						}()
+					}
 
-			registry, prof := schedulerutils.InitRegistryAndConfig(t, pf, plugins...)
+					plugins = append(plugins, test.plugin)
+				}
 
-			testCtx, teardown := schedulerutils.InitTestSchedulerForFrameworkTest(t, testContext, 10, true,
-				scheduler.WithProfiles(prof),
-				scheduler.WithFrameworkOutOfTreeRegistry(registry))
-			defer teardown()
+				registry, prof := schedulerutils.InitRegistryAndConfig(t, pf, plugins...)
 
-			pod, err := testutils.CreatePausePod(testCtx.ClientSet,
-				testutils.InitPausePod(&testutils.PausePodConfig{Name: "test-pod", Namespace: testCtx.NS.Name}))
-			if err != nil {
-				t.Fatalf("Error while creating a test pod: %v", err)
-			}
+				testCtx, teardown := schedulerutils.InitTestSchedulerForFrameworkTest(t, testContext, 10, true,
+					scheduler.WithProfiles(prof),
+					scheduler.WithFrameworkOutOfTreeRegistry(registry))
+				defer teardown()
 
-			if test.expectNominatedNodeName {
-				if err := testutils.WaitForNominatedNodeName(testCtx.Ctx, testCtx.ClientSet, pod); err != nil {
-					t.Errorf(".status.nominatedNodeName was not set for pod %v/%v: %v", pod.Namespace, pod.Name, err)
+				pod, err := testutils.CreatePausePod(testCtx.ClientSet,
+					testutils.InitPausePod(&testutils.PausePodConfig{Name: "test-pod", Namespace: testCtx.NS.Name}))
+				if err != nil {
+					t.Fatalf("Error while creating a test pod: %v", err)
 				}
-			} else {
-				if err := testutils.WaitForPodToSchedule(testCtx.Ctx, testCtx.ClientSet, pod); err != nil {
-					t.Errorf("Pod %v/%v was not scheduled: %v", pod.Namespace, pod.Name, err)
+
+				if test.expectNominatedNodeName {
+					err := testutils.WaitForNominatedNodeNameWithTimeout(testCtx.Ctx, testCtx.ClientSet, pod, time.Second)
+					if nnnForExpectationEnabled {
+						if err != nil {
+							t.Errorf(".status.nominatedNodeName was not set in pod %v/%v: %v", pod.Namespace, pod.Name, err)
+						}
+					} else {
+						// If the feature is disabled, the expectation is that pod will be pending but NNN won't be set.
+						if err == nil {
+							t.Errorf("expected .status.nominatedNodeName not to be set in pod %v/%v: %v", pod.Namespace, pod.Name, err)
+						}
+					}
+				} else {
+					if err := testutils.WaitForPodToSchedule(testCtx.Ctx, testCtx.ClientSet, pod); err != nil {
+						t.Errorf("Pod %v/%v was not scheduled: %v", pod.Namespace, pod.Name, err)
+					}
 				}
+			})
+		}
+	}
+}
+
+// TestPreemptionAndNominatedNodeNameScenarios tests setting/clearing NominatedNodeName in scenarios with preemption.
+func TestPreemptionAndNominatedNodeNameScenarios(t *testing.T) {
+	type createPod struct {
+		pod               *v1.Pod
+		nominatedNodeName string
+		// count is the number of times the pod should be created by this action.
+		// i.e., if you use it, you have to use GenerateName.
+		// By default, it's 1.
+		count *int
+	}
+
+	type schedulePod struct {
+		podName               string
+		expectSuccess         bool
+		expectUnschedulable   bool
+		expectedScheduledNode string
+	}
+
+	type checkNNN struct {
+		podName     string
+		expectedNNN string
+	}
+
+	type scenario struct {
+		// name is this step's name, just for the debugging purpose.
+		name string
+
+		// Only one of the following actions should be set.
+
+		// createPod creates a Pod.
+		createPod *createPod
+		// createNode creates an additional Node.
+		createNode string
+		// schedulePod schedules one Pod that is at the top of the activeQ.
+		// You should give a Pod name that is supposed to be scheduled.
+		schedulePod *schedulePod
+		// completePreemption completes the preemption that is currently on-going.
+		// You should give a Pod name.
+		completePreemption string
+		// checkNNN checks that NominatedNodeName is set as expected.
+		checkNNN *checkNNN
+	}
+
+	tests := []struct {
+		name string
+		// scenarios after the first attempt of scheduling the pod.
+		scenarios []scenario
+	}{
+		{
+			name: "basic preemption sets NominatedNodeName",
+			scenarios: []scenario{
+				{
+					name: "create scheduled Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("victim").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Node("node").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name: "check NNN is set in preemptor",
+					checkNNN: &checkNNN{
+						podName:     "preemptor",
+						expectedNNN: "node",
+					},
+				},
+				{
+					name:               "complete the preemption API calls",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again",
+					schedulePod: &schedulePod{
+						podName:               "preemptor",
+						expectSuccess:         true,
+						expectedScheduledNode: "node",
+					},
+				},
+			},
+		},
+		{
+			name: "Overwrite NominatedNodeName with preemption",
+			scenarios: []scenario{
+				{
+					name:       "create node2",
+					createNode: "node2",
+				},
+				{
+					name: "create pods on node",
+					createPod: &createPod{
+						pod:   st.MakePod().GenerateName("victim-").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Node("node").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						count: ptr.To(2),
+					},
+				},
+				{
+					name: "create pod on node2",
+					createPod: &createPod{
+						pod: st.MakePod().Name("victim-3").Req(map[v1.ResourceName]string{v1.ResourceCPU: "3"}).Node("node2").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "create a preemptor Pod with NNN set to node",
+					createPod: &createPod{
+						pod:               st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+						nominatedNodeName: "node",
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name: "check NNN in preemptor gets changed to node2 (because preemption of only 1 victim is needed on this node)",
+					checkNNN: &checkNNN{
+						podName:     "preemptor",
+						expectedNNN: "node2",
+					},
+				},
+				{
+					name:               "complete the preemption API calls",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again",
+					schedulePod: &schedulePod{
+						podName:               "preemptor",
+						expectSuccess:         true,
+						expectedScheduledNode: "node2",
+					},
+				},
+			},
+		},
+		{
+			name: "NNN is ignored on pod that cannot fit on the node",
+			scenarios: []scenario{
+				{
+					name: "create pod with NNN that exceeds capacity of the node",
+					createPod: &createPod{
+						pod:               st.MakePod().Name("pod-exceeds-capacity").Req(map[v1.ResourceName]string{v1.ResourceCPU: "5"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						nominatedNodeName: "node",
+					},
+				},
+				{
+					name: "create pod without NNN that fits on the node",
+					createPod: &createPod{
+						pod: st.MakePod().Name("pod-fits").Req(map[v1.ResourceName]string{v1.ResourceCPU: "3"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule pod-exceeds-capacity",
+					schedulePod: &schedulePod{
+						podName: "pod-exceeds-capacity",
+					},
+				},
+				{
+					name: "check NNN in pod-exceeds-capacity gets cleared upon scheduling failure",
+					checkNNN: &checkNNN{
+						podName:     "pod-exceeds-capacity",
+						expectedNNN: "",
+					},
+				},
+				{
+					name: "schedule pod-fits",
+					schedulePod: &schedulePod{
+						podName:               "pod-fits",
+						expectSuccess:         true,
+						expectedScheduledNode: "node",
+					},
+				},
+			},
+		},
+		{
+			name: "NNN is ignored on lower priority pod when higher priority pod without NNN is being scheduled",
+			scenarios: []scenario{
+				{
+					name: "create low priority pod with NNN",
+					createPod: &createPod{
+						pod:               st.MakePod().Name("low-priority").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						nominatedNodeName: "node",
+					},
+				},
+				{
+					name: "create high priority pod without NNN",
+					createPod: &createPod{
+						pod: st.MakePod().Name("high-priority").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").ZeroTerminationGracePeriod().Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule high-priority",
+					schedulePod: &schedulePod{
+						podName:               "high-priority",
+						expectSuccess:         true,
+						expectedScheduledNode: "node",
+					},
+				},
+				{
+					name: "schedule low-priority",
+					schedulePod: &schedulePod{
+						podName: "low-priority",
+					},
+				},
+				{
+					name: "check NNN in low priority pod gets cleared upon scheduling failure",
+					checkNNN: &checkNNN{
+						podName:     "low-priority",
+						expectedNNN: "",
+					},
+				},
+			},
+		},
+		{
+			name: "No preemption, NNN is cleared after binding",
+			scenarios: []scenario{
+				{
+					name: "create pod with NNN",
+					createPod: &createPod{
+						pod:               st.MakePod().Name("pod").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						nominatedNodeName: "node",
+					},
+				},
+				{
+					name: "schedule pod (this step also verifies is NNN is cleared after binding, depending on the enabled feature)",
+					schedulePod: &schedulePod{
+						podName:               "pod",
+						expectSuccess:         true,
+						expectedScheduledNode: "node",
+					},
+				},
+			},
+		},
+	}
+	// All test cases run on the same node.
+	node := st.MakeNode().Name("node").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj()
+
+	for _, nnnForExpectationEnabled := range []bool{true, false} {
+		for _, clearNNNAfterBindingEnabled := range []bool{true, false} {
+			for _, test := range tests {
+
+				t.Run(fmt.Sprintf("%s (NominatedNodeName for expectation: %v, Clearing NNN: %v)", test.name, nnnForExpectationEnabled, clearNNNAfterBindingEnabled), func(t *testing.T) {
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.NominatedNodeNameForExpectation:       nnnForExpectationEnabled,
+						features.ClearingNominatedNodeNameAfterBinding: clearNNNAfterBindingEnabled,
+						features.SchedulerAsyncPreemption:              true,
+					})
+
+					// We need to use a custom preemption plugin to test async preemption behavior
+					delayedPreemptionPluginName := "delay-preemption"
+					var lock sync.Mutex
+					// keyed by the pod name
+					preemptionDoneChannels := make(map[string]chan struct{})
+					defer func() {
+						lock.Lock()
+						defer lock.Unlock()
+						for _, ch := range preemptionDoneChannels {
+							close(ch)
+						}
+					}()
+					registry := make(frameworkruntime.Registry)
+					var preemptionPlugin *defaultpreemption.DefaultPreemption
+					err := registry.Register(delayedPreemptionPluginName, func(c context.Context, r runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
+						p, err := frameworkruntime.FactoryAdapter(plfeature.Features{EnableAsyncPreemption: true}, defaultpreemption.New)(c, &config.DefaultPreemptionArgs{
+							// Set default values to pass the validation at the initialization, not related to the test.
+							MinCandidateNodesPercentage: 10,
+							MinCandidateNodesAbsolute:   100,
+						}, fh)
+						if err != nil {
+							return nil, fmt.Errorf("error creating default preemption plugin: %w", err)
+						}
+
+						var ok bool
+						preemptionPlugin, ok = p.(*defaultpreemption.DefaultPreemption)
+						if !ok {
+							return nil, fmt.Errorf("unexpected plugin type %T", p)
+						}
+
+						preemptPodFn := preemptionPlugin.Evaluator.PreemptPod
+						preemptionPlugin.Evaluator.PreemptPod = func(ctx context.Context, c preemption.Candidate, preemptor, victim *v1.Pod, pluginName string) error {
+							// block the preemption goroutine to complete until the test case allows it to proceed.
+							lock.Lock()
+							ch, ok := preemptionDoneChannels[preemptor.Name]
+							lock.Unlock()
+							if ok {
+								<-ch
+							}
+							return preemptPodFn(ctx, c, preemptor, victim, pluginName)
+						}
+
+						return preemptionPlugin, nil
+					})
+					if err != nil {
+						t.Fatalf("Error registering a filter: %v", err)
+					}
+
+					cfg := configtesting.V1ToInternalWithDefaults(t, configv1.KubeSchedulerConfiguration{
+						Profiles: []configv1.KubeSchedulerProfile{{
+							SchedulerName: ptr.To(v1.DefaultSchedulerName),
+							Plugins: &configv1.Plugins{
+								MultiPoint: configv1.PluginSet{
+									Enabled: []configv1.Plugin{
+										{Name: delayedPreemptionPluginName},
+									},
+									Disabled: []configv1.Plugin{
+										{Name: names.DefaultPreemption},
+									},
+								},
+							},
+						}},
+					})
+
+					// It initializes the scheduler, but doesn't start.
+					// We manually trigger the scheduling cycle.
+					testCtx := testutils.InitTestSchedulerWithOptions(t,
+						testutils.InitTestAPIServer(t, "preemption", nil),
+						0,
+						scheduler.WithProfiles(cfg.Profiles...),
+						scheduler.WithFrameworkOutOfTreeRegistry(registry),
+						// disable backoff
+						scheduler.WithPodMaxBackoffSeconds(0),
+						scheduler.WithPodInitialBackoffSeconds(0),
+					)
+					testutils.SyncSchedulerInformerFactory(testCtx)
+					cs := testCtx.ClientSet
+
+					if preemptionPlugin == nil {
+						t.Fatalf("the preemption plugin should be initialized")
+					}
+
+					logger, _ := ktesting.NewTestContext(t)
+					if testCtx.Scheduler.APIDispatcher != nil {
+						testCtx.Scheduler.APIDispatcher.Run(logger)
+						defer testCtx.Scheduler.APIDispatcher.Close()
+					}
+					testCtx.Scheduler.SchedulingQueue.Run(logger)
+					defer testCtx.Scheduler.SchedulingQueue.Close()
+
+					createdPods := []*v1.Pod{}
+					defer testutils.CleanupPods(testCtx.Ctx, cs, t, createdPods)
+
+					ctx, cancel := context.WithCancel(context.Background())
+					defer cancel()
+
+					if _, err := cs.CoreV1().Nodes().Create(ctx, node, metav1.CreateOptions{}); err != nil {
+						t.Fatalf("Failed to create an initial Node %q: %v", node.Name, err)
+					}
+					defer func() {
+						if err := cs.CoreV1().Nodes().Delete(ctx, node.Name, metav1.DeleteOptions{}); err != nil {
+							t.Fatalf("Failed to delete the Node %q: %v", node.Name, err)
+						}
+					}()
+
+					for _, scenario := range test.scenarios {
+						t.Logf("Running scenario: %s", scenario.name)
+						switch {
+						case scenario.createNode != "":
+							newNode := st.MakeNode().Name(scenario.createNode).Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj()
+							if _, err := cs.CoreV1().Nodes().Create(ctx, newNode, metav1.CreateOptions{}); err != nil {
+								t.Fatalf("Failed to create an initial Node %q: %v", newNode.Name, err)
+							}
+							defer func() {
+								if err := cs.CoreV1().Nodes().Delete(ctx, newNode.Name, metav1.DeleteOptions{}); err != nil {
+									t.Fatalf("Failed to delete the Node %q: %v", newNode.Name, err)
+								}
+							}()
+						case scenario.createPod != nil:
+							if scenario.createPod.count == nil {
+								scenario.createPod.count = ptr.To(1)
+							}
+
+							for i := 0; i < *scenario.createPod.count; i++ {
+								pod, err := cs.CoreV1().Pods(testCtx.NS.Name).Create(ctx, scenario.createPod.pod, metav1.CreateOptions{})
+								if err != nil {
+									t.Fatalf("Failed to create a Pod %q: %v", scenario.createPod.pod.Name, err)
+								}
+
+								if scenario.createPod.nominatedNodeName != "" {
+									patch := []byte(fmt.Sprintf(`{"status":{"nominatedNodeName":"%s"}}`, scenario.createPod.nominatedNodeName))
+									pod, err = cs.CoreV1().Pods(testCtx.NS.Name).Patch(ctx, pod.Name, types.StrategicMergePatchType, patch, metav1.PatchOptions{}, "status")
+									if err != nil {
+										t.Fatalf("update pod %s status with NNN: %v", scenario.createPod.pod.Name, err)
+									}
+									// Wait until the scheduler picks up the NNN set on the pod.
+									if err := wait.PollUntilContextTimeout(testCtx.Ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+										nominatedPods := testCtx.Scheduler.SchedulingQueue.NominatedPodsForNode(scenario.createPod.nominatedNodeName)
+										if contains(nominatedPods, pod.Name) {
+											return true, nil
+										}
+										return false, nil
+									}); err != nil {
+										t.Fatalf("scheduler does not see NNN set on pod %s: %v", scenario.createPod.pod.Name, err)
+									}
+								}
+								createdPods = append(createdPods, pod)
+							}
+						case scenario.schedulePod != nil:
+							lastFailure := ""
+							if err := wait.PollUntilContextTimeout(testCtx.Ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+								if len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()) == 0 {
+									lastFailure = fmt.Sprintf("Expected the pod %s to be scheduled, but no pod arrives at the activeQ", scenario.schedulePod.podName)
+									return false, nil
+								}
+
+								if testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()[0].Name != scenario.schedulePod.podName {
+									// need to wait more because maybe the queue will get another Pod that higher priority than the current top pod.
+									lastFailure = fmt.Sprintf("The pod %s is expected to be scheduled, but the top Pod is %s", scenario.schedulePod.podName, testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()[0].Name)
+									return false, nil
+								}
+
+								return true, nil
+							}); err != nil {
+								t.Fatal(lastFailure)
+							}
+
+							lock.Lock()
+							preemptionDoneChannels[scenario.schedulePod.podName] = make(chan struct{})
+							lock.Unlock()
+							testCtx.Scheduler.ScheduleOne(testCtx.Ctx)
+
+							if scenario.schedulePod.expectSuccess {
+								lastFailure := ""
+								if err := wait.PollUntilContextTimeout(testCtx.Ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+									pod, err2 := cs.CoreV1().Pods(testCtx.NS.Name).Get(ctx, scenario.schedulePod.podName, metav1.GetOptions{})
+									if err2 != nil {
+										// This could be a connection error so we want to retry.
+										return false, nil
+									}
+									if pod.Spec.NodeName == "" {
+										// Pod is not scheduled yet.
+										return false, nil
+									}
+									if scenario.schedulePod.expectedScheduledNode != pod.Spec.NodeName {
+										lastFailure = fmt.Sprintf("Expected pod %s to be scheduled on node %s but got %v", scenario.schedulePod.podName, scenario.schedulePod.expectedScheduledNode, pod.Spec.NodeName)
+										return false, err2
+									}
+									if clearNNNAfterBindingEnabled && pod.Status.NominatedNodeName != "" {
+										lastFailure = fmt.Sprintf("Expected pod %s to have NNN cleared after binding but got \"%v\"", scenario.schedulePod.podName, pod.Status.NominatedNodeName)
+										return false, err2
+									}
+									return true, nil
+								}); err != nil {
+									t.Fatal(lastFailure)
+								}
+
+							} else if scenario.schedulePod.expectUnschedulable {
+								// Wait some time for the scheduling operation to finish and move the pod to unschedulable or backoff.
+								if err := wait.PollUntilContextTimeout(testCtx.Ctx, time.Millisecond*200, 2*time.Second, false, func(ctx context.Context) (bool, error) {
+									if podInUnschedulablePodPool(t, testCtx.Scheduler.SchedulingQueue, scenario.schedulePod.podName) {
+										return true, nil
+									}
+									return false, nil
+								}); err != nil {
+									t.Fatalf("Expected the pod %s to be in the unschedulable queue after the scheduling attempt", scenario.schedulePod.podName)
+								}
+							}
+						case scenario.completePreemption != "":
+							lock.Lock()
+							if _, ok := preemptionDoneChannels[scenario.completePreemption]; !ok {
+								t.Fatalf("The preemptor Pod %q is not running preemption", scenario.completePreemption)
+							}
+
+							close(preemptionDoneChannels[scenario.completePreemption])
+							delete(preemptionDoneChannels, scenario.completePreemption)
+							lock.Unlock()
+						case scenario.checkNNN != nil:
+							lastFailure := ""
+							if err := wait.PollUntilContextTimeout(testCtx.Ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+								pod, err := cs.CoreV1().Pods(testCtx.NS.Name).Get(ctx, scenario.checkNNN.podName, metav1.GetOptions{})
+
+								if err != nil {
+									lastFailure = fmt.Sprintf("Cannot retrieve pod %v", scenario.checkNNN.podName)
+									return false, err
+								}
+								if scenario.checkNNN.expectedNNN != pod.Status.NominatedNodeName {
+									lastFailure = fmt.Sprintf("Expected .status.nominatedNodeName %v for pod \"%v\" but got \"%v\"", scenario.checkNNN.expectedNNN, scenario.checkNNN.podName, pod.Status.NominatedNodeName)
+									return false, nil
+								}
+
+								return true, nil
+							}); err != nil {
+								t.Fatal(lastFailure, err)
+							}
+						}
+					}
+				})
 			}
-		})
+		}
+	}
+}
+
+func podInUnschedulablePodPool(t *testing.T, queue queue.SchedulingQueue, podName string) bool {
+	t.Helper()
+	// First, look for the pod in the activeQ.
+	for _, pod := range queue.PodsInActiveQ() {
+		if pod.Name == podName {
+			return false
+		}
+	}
+
+	pending, _ := queue.PendingPods()
+	for _, pod := range pending {
+		if pod.Name == podName {
+			return true
+		}
+	}
+
+	return false
+}
+
+func contains(pods []fwk.PodInfo, podName string) bool {
+	for _, p := range pods {
+		if podName == p.GetPod().GetName() {
+			return true
+		}
 	}
+	return false
 }
diff --git a/test/integration/scheduler/plugins/plugins_test.go b/test/integration/scheduler/plugins/plugins_test.go
index 9d4dd1a4dc953..ea07593a58620 100644
--- a/test/integration/scheduler/plugins/plugins_test.go
+++ b/test/integration/scheduler/plugins/plugins_test.go
@@ -63,14 +63,14 @@ import (
 
 // imported from testutils
 var (
-	initRegistryAndConfig = func(t *testing.T, plugins ...framework.Plugin) (frameworkruntime.Registry, schedulerconfig.KubeSchedulerProfile) {
+	initRegistryAndConfig = func(t *testing.T, plugins ...fwk.Plugin) (frameworkruntime.Registry, schedulerconfig.KubeSchedulerProfile) {
 		return schedulerutils.InitRegistryAndConfig(t, newPlugin, plugins...)
 	}
 )
 
 // newPlugin returns a plugin factory with specified Plugin.
-func newPlugin(plugin framework.Plugin) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+func newPlugin(plugin fwk.Plugin) frameworkruntime.PluginFactory {
+	return func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		switch pl := plugin.(type) {
 		case *PermitPlugin:
 			pl.fh = fh
@@ -159,7 +159,7 @@ func (fp *FilterPlugin) deepCopy() *FilterPlugin {
 
 type PostFilterPlugin struct {
 	name                string
-	fh                  framework.Handle
+	fh                  fwk.Handle
 	numPostFilterCalled int
 	failPostFilter      bool
 	rejectPostFilter    bool
@@ -269,7 +269,7 @@ type PermitPlugin struct {
 	waitingPod          string
 	rejectingPod        string
 	allowingPod         string
-	fh                  framework.Handle
+	fh                  fwk.Handle
 }
 
 func (pp *PermitPlugin) deepCopy() *PermitPlugin {
@@ -307,24 +307,24 @@ const (
 	permitPluginName             = "permit-plugin"
 )
 
-var _ framework.PreEnqueuePlugin = &PreEnqueuePlugin{}
-var _ framework.PreFilterPlugin = &PreFilterPlugin{}
-var _ framework.PostFilterPlugin = &PostFilterPlugin{}
-var _ framework.ScorePlugin = &ScorePlugin{}
-var _ framework.FilterPlugin = &FilterPlugin{}
-var _ framework.EnqueueExtensions = &FilterPlugin{}
-var _ framework.ScorePlugin = &ScorePlugin{}
-var _ framework.ScorePlugin = &ScoreWithNormalizePlugin{}
-var _ framework.EnqueueExtensions = &ScorePlugin{}
-var _ framework.ReservePlugin = &ReservePlugin{}
-var _ framework.PreScorePlugin = &PreScorePlugin{}
-var _ framework.PreBindPlugin = &PreBindPlugin{}
-var _ framework.EnqueueExtensions = &PreBindPlugin{}
-var _ framework.BindPlugin = &BindPlugin{}
-var _ framework.PostBindPlugin = &PostBindPlugin{}
-var _ framework.PermitPlugin = &PermitPlugin{}
-var _ framework.EnqueueExtensions = &PermitPlugin{}
-var _ framework.QueueSortPlugin = &QueueSortPlugin{}
+var _ fwk.PreEnqueuePlugin = &PreEnqueuePlugin{}
+var _ fwk.PreFilterPlugin = &PreFilterPlugin{}
+var _ fwk.PostFilterPlugin = &PostFilterPlugin{}
+var _ fwk.ScorePlugin = &ScorePlugin{}
+var _ fwk.FilterPlugin = &FilterPlugin{}
+var _ fwk.EnqueueExtensions = &FilterPlugin{}
+var _ fwk.ScorePlugin = &ScorePlugin{}
+var _ fwk.ScorePlugin = &ScoreWithNormalizePlugin{}
+var _ fwk.EnqueueExtensions = &ScorePlugin{}
+var _ fwk.ReservePlugin = &ReservePlugin{}
+var _ fwk.PreScorePlugin = &PreScorePlugin{}
+var _ fwk.PreBindPlugin = &PreBindPlugin{}
+var _ fwk.EnqueueExtensions = &PreBindPlugin{}
+var _ fwk.BindPlugin = &BindPlugin{}
+var _ fwk.PostBindPlugin = &PostBindPlugin{}
+var _ fwk.PermitPlugin = &PermitPlugin{}
+var _ fwk.EnqueueExtensions = &PermitPlugin{}
+var _ fwk.QueueSortPlugin = &QueueSortPlugin{}
 
 func (ep *QueueSortPlugin) Name() string {
 	return queuesortPluginName
@@ -375,12 +375,12 @@ func (sp *ScorePlugin) Score(ctx context.Context, state fwk.CycleState, p *v1.Po
 	if sp.numScoreCalled == 1 {
 		// The first node is scored the highest, the rest is scored lower.
 		sp.highScoreNode = nodeInfo.Node().Name
-		score = framework.MaxNodeScore
+		score = fwk.MaxNodeScore
 	}
 	return score, nil
 }
 
-func (sp *ScorePlugin) ScoreExtensions() framework.ScoreExtensions {
+func (sp *ScorePlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return nil
 }
 
@@ -403,12 +403,12 @@ func (sp *ScoreWithNormalizePlugin) Score(ctx context.Context, state fwk.CycleSt
 	return score, nil
 }
 
-func (sp *ScoreWithNormalizePlugin) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores framework.NodeScoreList) *fwk.Status {
+func (sp *ScoreWithNormalizePlugin) NormalizeScore(ctx context.Context, state fwk.CycleState, pod *v1.Pod, scores fwk.NodeScoreList) *fwk.Status {
 	sp.numNormalizeScoreCalled++
 	return nil
 }
 
-func (sp *ScoreWithNormalizePlugin) ScoreExtensions() framework.ScoreExtensions {
+func (sp *ScoreWithNormalizePlugin) ScoreExtensions() fwk.ScoreExtensions {
 	return sp
 }
 
@@ -576,12 +576,12 @@ func (pp *PreFilterPlugin) Name() string {
 }
 
 // Extensions returns the PreFilterExtensions interface.
-func (pp *PreFilterPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (pp *PreFilterPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
 // PreFilter is a test function that returns (true, nil) or errors for testing.
-func (pp *PreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (pp *PreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	pp.numPreFilterCalled++
 	if pp.failPreFilter {
 		return nil, fwk.NewStatus(fwk.Error, fmt.Sprintf("injecting failure for pod %v", pod.Name))
@@ -590,7 +590,7 @@ func (pp *PreFilterPlugin) PreFilter(ctx context.Context, state fwk.CycleState,
 		return nil, fwk.NewStatus(fwk.Unschedulable, fmt.Sprintf("reject pod %v", pod.Name))
 	}
 	if len(pp.preFilterResultNodes) != 0 {
-		return &framework.PreFilterResult{NodeNames: pp.preFilterResultNodes}, nil
+		return &fwk.PreFilterResult{NodeNames: pp.preFilterResultNodes}, nil
 	}
 	return nil, nil
 }
@@ -600,7 +600,7 @@ func (pp *PostFilterPlugin) Name() string {
 	return pp.name
 }
 
-func (pp *PostFilterPlugin) PostFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, _ framework.NodeToStatusReader) (*framework.PostFilterResult, *fwk.Status) {
+func (pp *PostFilterPlugin) PostFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, _ fwk.NodeToStatusReader) (*fwk.PostFilterResult, *fwk.Status) {
 	pp.numPostFilterCalled++
 	nodeInfos, err := pp.fh.SnapshotSharedLister().NodeInfos().List()
 	if err != nil {
@@ -660,7 +660,7 @@ func (pp *PermitPlugin) Permit(ctx context.Context, state fwk.CycleState, pod *v
 		}
 		if pp.waitAndRejectPermit {
 			pp.rejectingPod = pod.Name
-			pp.fh.IterateOverWaitingPods(func(wp framework.WaitingPod) {
+			pp.fh.IterateOverWaitingPods(func(wp fwk.WaitingPod) {
 				wp.Reject(pp.name, fmt.Sprintf("reject pod %v", wp.GetPod().Name))
 			})
 			return fwk.NewStatus(fwk.Unschedulable, fmt.Sprintf("reject pod %v", pod.Name)), 0
@@ -676,14 +676,14 @@ func (pp *PermitPlugin) Permit(ctx context.Context, state fwk.CycleState, pod *v
 
 // allowAllPods allows all waiting pods.
 func (pp *PermitPlugin) allowAllPods() {
-	pp.fh.IterateOverWaitingPods(func(wp framework.WaitingPod) { wp.Allow(pp.name) })
+	pp.fh.IterateOverWaitingPods(func(wp fwk.WaitingPod) { wp.Allow(pp.name) })
 }
 
 // rejectAllPods rejects all waiting pods.
 func (pp *PermitPlugin) rejectAllPods() {
 	pp.mutex.Lock()
 	defer pp.mutex.Unlock()
-	pp.fh.IterateOverWaitingPods(func(wp framework.WaitingPod) { wp.Reject(pp.name, "rejectAllPods") })
+	pp.fh.IterateOverWaitingPods(func(wp fwk.WaitingPod) { wp.Reject(pp.name, "rejectAllPods") })
 }
 
 func (pp *PermitPlugin) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
@@ -1419,7 +1419,7 @@ func TestUnReserveReservePlugins(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			var pls []framework.Plugin
+			var pls []fwk.Plugin
 			for _, pl := range test.plugins {
 				pls = append(pls, pl)
 			}
@@ -1517,7 +1517,7 @@ func TestUnReservePermitPlugins(t *testing.T) {
 				name:        "reservePlugin",
 				failReserve: false,
 			}
-			registry, profile := initRegistryAndConfig(t, []framework.Plugin{test.plugin, reservePlugin}...)
+			registry, profile := initRegistryAndConfig(t, []fwk.Plugin{test.plugin, reservePlugin}...)
 
 			testCtx, teardown := schedulerutils.InitTestSchedulerForFrameworkTest(t, testContext, 2, true,
 				scheduler.WithProfiles(profile),
@@ -1589,7 +1589,7 @@ func TestUnReservePreBindPlugins(t *testing.T) {
 				name:        "reservePlugin",
 				failReserve: false,
 			}
-			registry, profile := initRegistryAndConfig(t, []framework.Plugin{test.plugin, reservePlugin}...)
+			registry, profile := initRegistryAndConfig(t, []fwk.Plugin{test.plugin, reservePlugin}...)
 
 			testCtx, teardown := schedulerutils.InitTestSchedulerForFrameworkTest(t, testContext, 2, true,
 				scheduler.WithProfiles(profile),
@@ -1658,7 +1658,7 @@ func TestUnReserveBindPlugins(t *testing.T) {
 				name:        "reservePlugin",
 				failReserve: false,
 			}
-			registry, profile := initRegistryAndConfig(t, []framework.Plugin{test.plugin, reservePlugin}...)
+			registry, profile := initRegistryAndConfig(t, []fwk.Plugin{test.plugin, reservePlugin}...)
 
 			test.plugin.client = testContext.ClientSet
 
@@ -2093,7 +2093,7 @@ func TestMultiplePermitPlugins(t *testing.T) {
 		t.Errorf("Error while creating a test pod: %v", err)
 	}
 
-	var waitingPod framework.WaitingPod
+	var waitingPod fwk.WaitingPod
 	// Wait until the test pod is actually waiting.
 	wait.PollUntilContextTimeout(testCtx.Ctx, 10*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (bool, error) {
 		waitingPod = perPlugin1.fh.GetWaitingPod(pod.UID)
@@ -2145,7 +2145,7 @@ func TestPermitPluginsCancelled(t *testing.T) {
 		t.Errorf("Error while creating a test pod: %v", err)
 	}
 
-	var waitingPod framework.WaitingPod
+	var waitingPod fwk.WaitingPod
 	// Wait until the test pod is actually waiting.
 	wait.PollUntilContextTimeout(testCtx.Ctx, 10*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (bool, error) {
 		waitingPod = perPlugin1.fh.GetWaitingPod(pod.UID)
@@ -2554,7 +2554,7 @@ func TestPreemptWithPermitPlugin(t *testing.T) {
 				// Wait until the waiting-pod is actually waiting.
 				if err := wait.PollUntilContextTimeout(testCtx.Ctx, 10*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (bool, error) {
 					w := false
-					permitPlugin.fh.IterateOverWaitingPods(func(wp framework.WaitingPod) { w = true })
+					permitPlugin.fh.IterateOverWaitingPods(func(wp fwk.WaitingPod) { w = true })
 					return w, nil
 				}); err != nil {
 					t.Fatalf("The waiting pod is expected to be waiting: %v", err)
@@ -2579,7 +2579,7 @@ func TestPreemptWithPermitPlugin(t *testing.T) {
 			if w := tt.waitingPod; w != nil {
 				if err := wait.PollUntilContextTimeout(testCtx.Ctx, 200*time.Millisecond, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
 					w := false
-					permitPlugin.fh.IterateOverWaitingPods(func(wp framework.WaitingPod) { w = true })
+					permitPlugin.fh.IterateOverWaitingPods(func(wp fwk.WaitingPod) { w = true })
 					return !w, nil
 				}); err != nil {
 					t.Fatalf("Expected the waiting pod to get preempted.")
@@ -2619,8 +2619,8 @@ const (
 	jobPluginName = "job plugin"
 )
 
-var _ framework.PreFilterPlugin = &JobPlugin{}
-var _ framework.PostBindPlugin = &PostBindPlugin{}
+var _ fwk.PreFilterPlugin = &JobPlugin{}
+var _ fwk.PostBindPlugin = &PostBindPlugin{}
 
 type JobPlugin struct {
 	podLister     listersv1.PodLister
@@ -2631,7 +2631,7 @@ func (j *JobPlugin) Name() string {
 	return jobPluginName
 }
 
-func (j *JobPlugin) PreFilter(_ context.Context, _ fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (j *JobPlugin) PreFilter(_ context.Context, _ fwk.CycleState, p *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	labelSelector := labels.SelectorFromSet(labels.Set{"driver": ""})
 	driverPods, err := j.podLister.Pods(p.Namespace).List(labelSelector)
 	if err != nil {
@@ -2643,7 +2643,7 @@ func (j *JobPlugin) PreFilter(_ context.Context, _ fwk.CycleState, p *v1.Pod, no
 	return nil, nil
 }
 
-func (j *JobPlugin) PreFilterExtensions() framework.PreFilterExtensions {
+func (j *JobPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
 	return nil
 }
 
@@ -2678,7 +2678,7 @@ func (j *JobPlugin) PostBind(_ context.Context, state fwk.CycleState, p *v1.Pod,
 func TestActivatePods(t *testing.T) {
 	var jobPlugin *JobPlugin
 	// Create a plugin registry for testing. Register a Job plugin.
-	registry := frameworkruntime.Registry{jobPluginName: func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+	registry := frameworkruntime.Registry{jobPluginName: func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		jobPlugin = &JobPlugin{podLister: fh.SharedInformerFactory().Core().V1().Pods().Lister()}
 		return jobPlugin, nil
 	}}
@@ -2749,10 +2749,10 @@ func TestActivatePods(t *testing.T) {
 	}
 }
 
-var _ framework.PreEnqueuePlugin = &SchedulingGatesPluginWithEvents{}
-var _ framework.EnqueueExtensions = &SchedulingGatesPluginWithEvents{}
-var _ framework.PreEnqueuePlugin = &SchedulingGatesPluginWOEvents{}
-var _ framework.EnqueueExtensions = &SchedulingGatesPluginWOEvents{}
+var _ fwk.PreEnqueuePlugin = &SchedulingGatesPluginWithEvents{}
+var _ fwk.EnqueueExtensions = &SchedulingGatesPluginWithEvents{}
+var _ fwk.PreEnqueuePlugin = &SchedulingGatesPluginWOEvents{}
+var _ fwk.EnqueueExtensions = &SchedulingGatesPluginWOEvents{}
 
 const (
 	schedulingGatesPluginWithEvents = "scheduling-gates-with-events"
@@ -2801,7 +2801,7 @@ func (pl *SchedulingGatesPluginWOEvents) EventsToRegister(_ context.Context) ([]
 
 // This test helps to verify registering nil events for PreEnqueue plugin works as expected.
 func TestPreEnqueuePluginEventsToRegister(t *testing.T) {
-	num := func(pl framework.Plugin) int {
+	num := func(pl fwk.Plugin) int {
 		switch item := pl.(type) {
 		case *SchedulingGatesPluginWithEvents:
 			return item.called
@@ -2852,7 +2852,7 @@ func TestPreEnqueuePluginEventsToRegister(t *testing.T) {
 
 				testContext := testutils.InitTestAPIServer(t, "preenqueue-plugin", nil)
 				// use new plugin every time to clear counts
-				var plugin framework.PreEnqueuePlugin
+				var plugin fwk.PreEnqueuePlugin
 				if tt.withEvents {
 					plugin = &SchedulingGatesPluginWithEvents{SchedulingGates: schedulinggates.SchedulingGates{}}
 				} else {
diff --git a/test/integration/scheduler/preemption/misc/miscpreemption_test.go b/test/integration/scheduler/preemption/misc/miscpreemption_test.go
index 805ecd104af6f..ed6df6d11e058 100644
--- a/test/integration/scheduler/preemption/misc/miscpreemption_test.go
+++ b/test/integration/scheduler/preemption/misc/miscpreemption_test.go
@@ -401,8 +401,10 @@ func TestPreemptionStarvation(t *testing.T) {
 		for _, clearingNominatedNodeNameAfterBinding := range []bool{true, false} {
 			for _, test := range tests {
 				t.Run(fmt.Sprintf("%s (Async preemption enabled: %v, ClearingNominatedNodeNameAfterBinding: %v)", test.name, asyncPreemptionEnabled, clearingNominatedNodeNameAfterBinding), func(t *testing.T) {
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClearingNominatedNodeNameAfterBinding, clearingNominatedNodeNameAfterBinding)
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.SchedulerAsyncPreemption:              asyncPreemptionEnabled,
+						features.ClearingNominatedNodeNameAfterBinding: clearingNominatedNodeNameAfterBinding,
+					})
 
 					pendingPods := make([]*v1.Pod, test.numExpectedPending)
 					numRunningPods := test.numExistingPod - test.numExpectedPending
@@ -513,8 +515,10 @@ func TestPreemptionRaces(t *testing.T) {
 		for _, clearingNominatedNodeNameAfterBinding := range []bool{true, false} {
 			for _, test := range tests {
 				t.Run(fmt.Sprintf("%s (Async preemption enabled: %v, ClearingNominatedNodeNameAfterBinding: %v)", test.name, asyncPreemptionEnabled, clearingNominatedNodeNameAfterBinding), func(t *testing.T) {
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClearingNominatedNodeNameAfterBinding, clearingNominatedNodeNameAfterBinding)
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.SchedulerAsyncPreemption:              asyncPreemptionEnabled,
+						features.ClearingNominatedNodeNameAfterBinding: clearingNominatedNodeNameAfterBinding,
+					})
 
 					if test.numRepetitions <= 0 {
 						test.numRepetitions = 1
@@ -799,8 +803,10 @@ func TestPDBInPreemption(t *testing.T) {
 		for _, clearingNominatedNodeNameAfterBinding := range []bool{true, false} {
 			for _, test := range tests {
 				t.Run(fmt.Sprintf("%s (Async preemption enabled: %v, ClearingNominatedNodeNameAfterBinding: %v)", test.name, asyncPreemptionEnabled, clearingNominatedNodeNameAfterBinding), func(t *testing.T) {
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClearingNominatedNodeNameAfterBinding, clearingNominatedNodeNameAfterBinding)
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.SchedulerAsyncPreemption:              asyncPreemptionEnabled,
+						features.ClearingNominatedNodeNameAfterBinding: clearingNominatedNodeNameAfterBinding,
+					})
 
 					for i := 1; i <= test.nodeCnt; i++ {
 						nodeName := fmt.Sprintf("node-%v", i)
@@ -957,11 +963,11 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 			init: func() error {
 				_, err := testutils.CreatePV(cs, pv1)
 				if err != nil {
-					return fmt.Errorf("cannot create pv: %w", err)
+					return fmt.Errorf("cannot create pv: %v", err)
 				}
 				_, err = testutils.CreatePVC(cs, pvc1)
 				if err != nil {
-					return fmt.Errorf("cannot create pvc: %w", err)
+					return fmt.Errorf("cannot create pvc: %v", err)
 				}
 				return nil
 			},
@@ -996,10 +1002,10 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 			preemptedPodIndexes: map[int]struct{}{0: {}},
 			cleanup: func() error {
 				if err := testutils.DeletePVC(cs, pvc1.Name, pvc1.Namespace); err != nil {
-					return fmt.Errorf("cannot delete pvc: %w", err)
+					return fmt.Errorf("cannot delete pvc: %v", err)
 				}
 				if err := testutils.DeletePV(cs, pv1.Name); err != nil {
-					return fmt.Errorf("cannot delete pv: %w", err)
+					return fmt.Errorf("cannot delete pv: %v", err)
 				}
 				return nil
 			},
@@ -1010,13 +1016,13 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 				for _, pv := range []*v1.PersistentVolume{pv1, pv2} {
 					_, err := testutils.CreatePV(cs, pv)
 					if err != nil {
-						return fmt.Errorf("cannot create pv: %w", err)
+						return fmt.Errorf("cannot create pv: %v", err)
 					}
 				}
 				for _, pvc := range []*v1.PersistentVolumeClaim{pvc1, pvc2} {
 					_, err := testutils.CreatePVC(cs, pvc)
 					if err != nil {
-						return fmt.Errorf("cannot create pvc: %w", err)
+						return fmt.Errorf("cannot create pvc: %v", err)
 					}
 				}
 				return nil
@@ -1076,12 +1082,12 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 			cleanup: func() error {
 				for _, pvc := range []*v1.PersistentVolumeClaim{pvc1, pvc2} {
 					if err := testutils.DeletePVC(cs, pvc.Name, pvc.Namespace); err != nil {
-						return fmt.Errorf("cannot delete pvc: %w", err)
+						return fmt.Errorf("cannot delete pvc: %v", err)
 					}
 				}
 				for _, pv := range []*v1.PersistentVolume{pv1, pv2} {
 					if err := testutils.DeletePV(cs, pv.Name); err != nil {
-						return fmt.Errorf("cannot delete pv: %w", err)
+						return fmt.Errorf("cannot delete pv: %v", err)
 					}
 				}
 				return nil
@@ -1093,13 +1099,13 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 				for _, pv := range []*v1.PersistentVolume{pv1, pv2} {
 					_, err := testutils.CreatePV(cs, pv)
 					if err != nil {
-						return fmt.Errorf("cannot create pv: %w", err)
+						return fmt.Errorf("cannot create pv: %v", err)
 					}
 				}
 				for _, pvc := range []*v1.PersistentVolumeClaim{pvc1, pvc2} {
 					_, err := testutils.CreatePVC(cs, pvc)
 					if err != nil {
-						return fmt.Errorf("cannot create pvc: %w", err)
+						return fmt.Errorf("cannot create pvc: %v", err)
 					}
 				}
 				return nil
@@ -1156,12 +1162,12 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 			cleanup: func() error {
 				for _, pvc := range []*v1.PersistentVolumeClaim{pvc1, pvc2} {
 					if err := testutils.DeletePVC(cs, pvc.Name, pvc.Namespace); err != nil {
-						return fmt.Errorf("cannot delete pvc: %w", err)
+						return fmt.Errorf("cannot delete pvc: %v", err)
 					}
 				}
 				for _, pv := range []*v1.PersistentVolume{pv1, pv2} {
 					if err := testutils.DeletePV(cs, pv.Name); err != nil {
-						return fmt.Errorf("cannot delete pv: %w", err)
+						return fmt.Errorf("cannot delete pv: %v", err)
 					}
 				}
 				return nil
@@ -1184,8 +1190,10 @@ func TestReadWriteOncePodPreemption(t *testing.T) {
 		for _, clearingNominatedNodeNameAfterBinding := range []bool{true, false} {
 			for _, test := range tests {
 				t.Run(fmt.Sprintf("%s (Async preemption enabled: %v, ClearingNominatedNodeNameAfterBinding: %v)", test.name, asyncPreemptionEnabled, clearingNominatedNodeNameAfterBinding), func(t *testing.T) {
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClearingNominatedNodeNameAfterBinding, clearingNominatedNodeNameAfterBinding)
+					featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+						features.SchedulerAsyncPreemption:              asyncPreemptionEnabled,
+						features.ClearingNominatedNodeNameAfterBinding: clearingNominatedNodeNameAfterBinding,
+					})
 
 					if err := test.init(); err != nil {
 						t.Fatalf("Error while initializing test: %v", err)
diff --git a/test/integration/scheduler/preemption/nominatednodename/nominatednodename_test.go b/test/integration/scheduler/preemption/nominatednodename/nominatednodename_test.go
index 38cf9706c6069..917666d9a10de 100644
--- a/test/integration/scheduler/preemption/nominatednodename/nominatednodename_test.go
+++ b/test/integration/scheduler/preemption/nominatednodename/nominatednodename_test.go
@@ -80,7 +80,7 @@ func (af *alwaysFail) PreBind(_ context.Context, _ fwk.CycleState, p *v1.Pod, _
 	return fwk.NewStatus(fwk.Unschedulable)
 }
 
-func newAlwaysFail(_ context.Context, _ runtime.Object, _ framework.Handle) (framework.Plugin, error) {
+func newAlwaysFail(_ context.Context, _ runtime.Object, _ fwk.Handle) (fwk.Plugin, error) {
 	return &alwaysFail{}, nil
 }
 
@@ -94,15 +94,12 @@ func TestNominatedNode(t *testing.T) {
 		nodeCapacity map[v1.ResourceName]string
 		// A slice of pods to be created in batch.
 		podsToCreate [][]*v1.Pod
-		// Each postCheck function is run after each batch of pods' creation.
+		// Each postCheck function is run after creating the corresponding batch of pods. The check is run for each pod in the batch.
 		postChecks []func(ctx context.Context, cs clientset.Interface, pod *v1.Pod) error
 		// Delete the fake node or not. Optional.
 		deleteFakeNode bool
 		// Pods to be deleted. Optional.
 		podNamesToDelete []string
-		// Whether NominatedNodeName will be always nil at the end of the test,
-		// regardless of the NominatedNodeNameForExpectation feature gate state.
-		expectNilNominatedNodeName bool
 
 		// Register dummy plugin to simulate particular scheduling failures. Optional.
 		customPlugins     *configv1.Plugins
@@ -119,18 +116,20 @@ func TestNominatedNode(t *testing.T) {
 					st.MakePod().Name("low-4").Priority(lowPriority).Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Obj(),
 				},
 				{
-					st.MakePod().Name("medium").Priority(mediumPriority).Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
+					st.MakePod().Name("medium").Priority(mediumPriority).Req(map[v1.ResourceName]string{v1.ResourceCPU: "3"}).Obj(),
 				},
 				{
-					st.MakePod().Name("high").Priority(highPriority).Req(map[v1.ResourceName]string{v1.ResourceCPU: "3"}).Obj(),
+					st.MakePod().Name("high").Priority(highPriority).Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
 				},
 			},
 			postChecks: []func(ctx context.Context, cs clientset.Interface, pod *v1.Pod) error{
 				testutils.WaitForPodToSchedule,
+				// Expect NNN to be set on "medium" pod after starting preemption.
 				testutils.WaitForNominatedNodeName,
+				// Expect NNN to be set on "high" pod after starting preemption.
 				testutils.WaitForNominatedNodeName,
 			},
-			expectNilNominatedNodeName: true,
+			podNamesToDelete: []string{"low-1", "low-2", "low-3", "low-4"},
 		},
 		{
 			name:         "mid-priority pod preempts low-priority pod, followed by a high-priority pod without additional preemption",
@@ -148,7 +147,9 @@ func TestNominatedNode(t *testing.T) {
 			},
 			postChecks: []func(ctx context.Context, cs clientset.Interface, pod *v1.Pod) error{
 				testutils.WaitForPodToSchedule,
+				// Expect NNN to be set on "medium" pod after starting preemption.
 				testutils.WaitForNominatedNodeName,
+				// Expect "high" pod to get scheduled before "medium" re-enters the scheduling cycle.
 				testutils.WaitForPodToSchedule,
 			},
 			podNamesToDelete: []string{"low"},
@@ -204,7 +205,7 @@ func TestNominatedNode(t *testing.T) {
 			podNamesToDelete: []string{"low"},
 		},
 		{
-			name:         "mid-priority pod preempts low-priority pod, but failed the scheduling unexpectedly",
+			name:         "mid-priority pod preempts low-priority pod, but failed on PreBind",
 			nodeCapacity: map[v1.ResourceName]string{v1.ResourceCPU: "1"},
 			podsToCreate: [][]*v1.Pod{
 				{
@@ -232,12 +233,14 @@ func TestNominatedNode(t *testing.T) {
 
 	for _, asyncPreemptionEnabled := range []bool{true, false} {
 		for _, asyncAPICallsEnabled := range []bool{true, false} {
-			for _, nominatedNodeNameForExpectationEnabled := range []bool{false} {
+			for _, nominatedNodeNameForExpectationEnabled := range []bool{true, false} {
 				for _, tt := range tests {
 					t.Run(fmt.Sprintf("%s (Async preemption: %v, Async API calls: %v, NNN for expectation: %v)", tt.name, asyncPreemptionEnabled, asyncAPICallsEnabled, nominatedNodeNameForExpectationEnabled), func(t *testing.T) {
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncAPICalls, asyncAPICallsEnabled)
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NominatedNodeNameForExpectation, nominatedNodeNameForExpectationEnabled)
+						featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+							features.SchedulerAsyncPreemption:        asyncPreemptionEnabled,
+							features.SchedulerAsyncAPICalls:          asyncAPICallsEnabled,
+							features.NominatedNodeNameForExpectation: nominatedNodeNameForExpectationEnabled,
+						})
 
 						cfg := configtesting.V1ToInternalWithDefaults(t, configv1.KubeSchedulerConfiguration{
 							Profiles: []configv1.KubeSchedulerProfile{{
@@ -298,33 +301,18 @@ func TestNominatedNode(t *testing.T) {
 							}
 						}
 
-						if nominatedNodeNameForExpectationEnabled && !tt.expectNilNominatedNodeName {
-							// Verify if .status.nominatedNodeName is not cleared when NominatedNodeNameForExpectation is enabled.
-							// Wait for 1 second to make sure the pod is re-processed, what would potentially clear the NominatedNodeName (when the feature won't work).
-							select {
-							case <-time.After(time.Second):
-							case <-testCtx.Ctx.Done():
-							}
-							pod, err := cs.CoreV1().Pods(ns).Get(testCtx.Ctx, "medium", metav1.GetOptions{})
+						// Verify if .status.nominatedNodeName is cleared.
+						if err := wait.PollUntilContextTimeout(testCtx.Ctx, 100*time.Millisecond, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+							pod, err := cs.CoreV1().Pods(ns).Get(ctx, "medium", metav1.GetOptions{})
 							if err != nil {
 								t.Errorf("Error getting the medium pod: %v", err)
-							} else if len(pod.Status.NominatedNodeName) == 0 {
-								t.Errorf(".status.nominatedNodeName of the medium pod was cleared: %v", err)
 							}
-						} else {
-							// Verify if .status.nominatedNodeName is cleared when NominatedNodeNameForExpectation is disabled.
-							if err := wait.PollUntilContextTimeout(testCtx.Ctx, 100*time.Millisecond, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
-								pod, err := cs.CoreV1().Pods(ns).Get(ctx, "medium", metav1.GetOptions{})
-								if err != nil {
-									t.Errorf("Error getting the medium pod: %v", err)
-								}
-								if len(pod.Status.NominatedNodeName) == 0 {
-									return true, nil
-								}
-								return false, err
-							}); err != nil {
-								t.Errorf(".status.nominatedNodeName of the medium pod was not cleared: %v", err)
+							if len(pod.Status.NominatedNodeName) == 0 {
+								return true, nil
 							}
+							return false, err
+						}); err != nil {
+							t.Errorf(".status.nominatedNodeName of the medium pod was not cleared: %v", err)
 						}
 					})
 				}
diff --git a/test/integration/scheduler/preemption/preemption_test.go b/test/integration/scheduler/preemption/preemption_test.go
index 18d71c492418e..ff14d11dacc41 100644
--- a/test/integration/scheduler/preemption/preemption_test.go
+++ b/test/integration/scheduler/preemption/preemption_test.go
@@ -20,7 +20,10 @@ package preemption
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -40,7 +43,7 @@ import (
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	configtesting "k8s.io/kubernetes/pkg/scheduler/apis/config/testing"
 	"k8s.io/kubernetes/pkg/scheduler/backend/queue"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
+	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultbinder"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultpreemption"
 	plfeature "k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/names"
@@ -97,7 +100,7 @@ func (fp *tokenFilter) Filter(ctx context.Context, state fwk.CycleState, pod *v1
 	return fwk.NewStatus(status, fmt.Sprintf("can't fit %v", pod.Name))
 }
 
-func (fp *tokenFilter) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*framework.PreFilterResult, *fwk.Status) {
+func (fp *tokenFilter) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
 	if !fp.EnablePreFilter || fp.Tokens > 0 {
 		return nil, nil
 	}
@@ -116,18 +119,18 @@ func (fp *tokenFilter) RemovePod(ctx context.Context, state fwk.CycleState, podT
 	return nil
 }
 
-func (fp *tokenFilter) PreFilterExtensions() framework.PreFilterExtensions {
+func (fp *tokenFilter) PreFilterExtensions() fwk.PreFilterExtensions {
 	return fp
 }
 
-var _ framework.FilterPlugin = &tokenFilter{}
+var _ fwk.FilterPlugin = &tokenFilter{}
 
 // TestPreemption tests a few preemption scenarios.
 func TestPreemption(t *testing.T) {
 	// Initialize scheduler with a filter plugin.
 	var filter tokenFilter
 	registry := make(frameworkruntime.Registry)
-	err := registry.Register(filterPluginName, func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+	err := registry.Register(filterPluginName, func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		return &filter, nil
 	})
 	if err != nil {
@@ -405,9 +408,11 @@ func TestPreemption(t *testing.T) {
 			for _, clearingNominatedNodeNameAfterBinding := range []bool{true, false} {
 				for _, test := range tests {
 					t.Run(fmt.Sprintf("%s (Async preemption enabled: %v, Async API calls enabled: %v, ClearingNominatedNodeNameAfterBinding: %v)", test.name, asyncPreemptionEnabled, asyncAPICallsEnabled, clearingNominatedNodeNameAfterBinding), func(t *testing.T) {
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncPreemption, asyncPreemptionEnabled)
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncAPICalls, asyncAPICallsEnabled)
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ClearingNominatedNodeNameAfterBinding, clearingNominatedNodeNameAfterBinding)
+						featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+							features.SchedulerAsyncPreemption:              asyncPreemptionEnabled,
+							features.SchedulerAsyncAPICalls:                asyncAPICallsEnabled,
+							features.ClearingNominatedNodeNameAfterBinding: clearingNominatedNodeNameAfterBinding,
+						})
 
 						testCtx := testutils.InitTestSchedulerWithOptions(t,
 							testutils.InitTestAPIServer(t, "preemption", nil),
@@ -478,6 +483,9 @@ func TestPreemption(t *testing.T) {
 }
 
 func TestAsyncPreemption(t *testing.T) {
+	const podBlockedInBindingName = "pod-blocked-in-binding"
+	const reservingPodName = "reserving-pod"
+
 	type createPod struct {
 		pod *v1.Pod
 		// count is the number of times the pod should be created by this action.
@@ -487,8 +495,9 @@ func TestAsyncPreemption(t *testing.T) {
 	}
 
 	type schedulePod struct {
-		podName       string
-		expectSuccess bool
+		podName             string
+		expectSuccess       bool
+		expectUnschedulable bool
 	}
 
 	type scenario struct {
@@ -499,6 +508,8 @@ func TestAsyncPreemption(t *testing.T) {
 
 		// createPod creates a Pod.
 		createPod *createPod
+		// createNode creates an additional Node.
+		createNode string
 		// schedulePod schedules one Pod that is at the top of the activeQ.
 		// You should give a Pod name that is supposed to be scheduled.
 		schedulePod *schedulePod
@@ -512,6 +523,15 @@ func TestAsyncPreemption(t *testing.T) {
 		// You should give a Pod index representing the order of Pod creation.
 		// e.g., if you want to check the Pod created first in the test case, you should give 0.
 		podRunningPreemption *int
+		// activatePod moves the pod from unschedulable to active or backoff.
+		// The value is the name of the pod to activate.
+		activatePod string
+		// resumeBind resumes the binding operation that keeps the pod blocked.
+		// Note: The pod will only become blocked in the first place, if pod name matches string defined in podBlockedInBinding.
+		resumeBind bool
+		// verifyPodInUnschedulable waits for some time and confirms that the given pod is in the unschedulable pool.
+		// The value is the name of the checked pod.
+		verifyPodInUnschedulable string
 	}
 
 	tests := []struct {
@@ -539,7 +559,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the preemptor Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor",
+						podName:             "preemptor",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -563,6 +584,49 @@ func TestAsyncPreemption(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "basic async preemption with 1 victim, preemptor gated until preemption API call finishes",
+			scenarios: []scenario{
+				{
+					name: "create victim",
+					createPod: &createPod{
+						pod: st.MakePod().GenerateName("victim-").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Node("node").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:            "check the preemptor Pod is in the queue and gated",
+					podGatedInQueue: "preemptor",
+				},
+				{
+					name:                 "check the preemptor Pod making the preemption API calls",
+					podRunningPreemption: ptr.To(1),
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+			},
+		},
 		{
 			name: "Lower priority Pod doesn't take over the place for higher priority Pod that is running the preemption",
 			scenarios: []scenario{
@@ -582,7 +646,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the preemptor Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-high-priority",
+						podName:             "preemptor-high-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -604,7 +669,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the mid-priority Pod",
 					schedulePod: &schedulePod{
-						podName: "pod-mid-priority",
+						podName:             "pod-mid-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -622,7 +688,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the mid-priority Pod again",
 					schedulePod: &schedulePod{
-						podName: "pod-mid-priority",
+						podName:             "pod-mid-priority",
+						expectUnschedulable: true,
 					},
 				},
 			},
@@ -646,7 +713,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the preemptor Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-high-priority",
+						podName:             "preemptor-high-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -668,7 +736,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the super-high-priority Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-super-high-priority",
+						podName:             "preemptor-super-high-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -700,7 +769,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the high-priority Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-high-priority",
+						podName:             "preemptor-high-priority",
+						expectUnschedulable: true,
 					},
 				},
 			},
@@ -725,7 +795,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the preemptor Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-high-priority",
+						podName:             "preemptor-high-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -748,7 +819,8 @@ func TestAsyncPreemption(t *testing.T) {
 				{
 					name: "schedule the mid-priority Pod",
 					schedulePod: &schedulePod{
-						podName: "preemptor-mid-priority",
+						podName:             "preemptor-mid-priority",
+						expectUnschedulable: true,
 					},
 				},
 				{
@@ -784,27 +856,381 @@ func TestAsyncPreemption(t *testing.T) {
 				},
 			},
 		},
+		{
+			// This scenario verifies the fix for https://github.com/kubernetes/kubernetes/issues/134217
+			// Scenario reproduces the issue:
+			// Victim pod takes long in binding. Preemptor pod attempts preemption, goes to unschedulable, then the victim is deleted.
+			// Preemptor pod is woken up by the Pod/Delete event and is being scheduled, even before the victim binding is terminated.
+			name: "victim blocked in binding, preemptor pod gets scheduled after victim-in-binding is deleted",
+			scenarios: []scenario{
+				{
+					name: "create victim Pod that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName,
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled (assumed victim pod was forgotten)",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+				{
+					name:       "resume binding of the blocked pod",
+					resumeBind: true,
+				},
+			},
+		},
+		{
+			// This scenario verifies the fix for https://github.com/kubernetes/kubernetes/issues/134217
+			// Scenario reproduces the issue, but with a victim that is under graceful termination:
+			// Victim pod takes long in binding. Preemptor pod attempts preemption, goes to unschedulable, then the victim's graceful termination is initiated.
+			// Preemptor pod is woken up by the Pod/Update event (working like AssignedPodDeleted) and is being scheduled, even before the victim binding is terminated.
+			name: "victim blocked in binding, preemptor pod gets scheduled when victim-in-binding is under graceful termination",
+			scenarios: []scenario{
+				{
+					name: "create victim Pod with long termination grace period that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).TerminationGracePeriodSeconds(1000).Container("image").Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName,
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled (assumed victim pod was forgotten)",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+			},
+		},
+		{
+			// This scenario verifies the fix for https://github.com/kubernetes/kubernetes/issues/134217
+			// Scenario reproduces the issue, but with a victim that is under graceful termination:
+			// Victim pod takes long in binding. Preemptor pod attempts preemption, goes to unschedulable, then the victim's graceful termination is initiated.
+			// Preemptor pod is woken up by the Pod/Update event (working like AssignedPodDeleted) and is being scheduled, even before the victim binding is terminated.
+			name: "victim blocked in binding, preemptor pod gets scheduled when victim-in-binding is under graceful termination",
+			scenarios: []scenario{
+				{
+					name: "create victim Pod with long termination grace period that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").TerminationGracePeriodSeconds(1000).Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName,
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled (assumed victim pod was forgotten)",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+				{
+					name:       "resume binding of the blocked pod",
+					resumeBind: true,
+				},
+			},
+		},
+		{
+			// This scenario verifies the fix for https://github.com/kubernetes/kubernetes/issues/134217
+			// Scenario reproduces the issue, but with a victim that is reserving some resources required by the preemptor:
+			// Victim pod takes long in binding. Preemptor pod attempts preemption, goes to unschedulable, then the victim is deleted.
+			// Preemptor pod is woken up by the Pod/Update event (working like AssignedPodDeleted), but is still unschedulable, because victim has to unreserve its resources.
+			// After resuming binding for a victim, it releases the resources in its failure handler, preemptor is woken up again and ultimately scheduled.
+			name: "victim blocked in binding, preemptor pod gets scheduled after victim-in-binding is deleted and its resources are unreserved",
+			scenarios: []scenario{
+				{
+					name: "create victim Pod that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName + reservingPodName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName + reservingPodName,
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be unschedulable (resources are still reserved by the victim)",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:       "resume binding of the blocked pod",
+					resumeBind: true,
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled (victim pod unreserved its resources)",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+			},
+		},
+		{
+			// This scenario verifies the fix for https://github.com/kubernetes/kubernetes/issues/134217
+			// Scenario reproduces the issue, but with a victim that is under graceful termination and sis reserving some resources required by the preemptor:
+			// Victim pod takes long in binding. Preemptor pod attempts preemption, goes to unschedulable, then the victim's graceful termination is initiated.
+			// Preemptor pod is woken up by the Pod/Update event (working like AssignedPodDeleted), but is still unschedulable, because victim has to unreserve its resources.
+			// After resuming binding for a victim, it releases the resources in its failure handler, preemptor is woken up again and ultimately scheduled.
+			name: "victim blocked in binding, preemptor pod gets scheduled after victim-in-binding is under graceful termination and its resources are unreserved",
+			scenarios: []scenario{
+				{
+					name: "create victim Pod that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName + reservingPodName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").TerminationGracePeriodSeconds(1000).Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName + reservingPodName,
+					},
+				},
+				{
+					name: "create a preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the preemptor Pod",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API call",
+					completePreemption: "preemptor",
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be unschedulable (resources are still reserved by the victim)",
+					schedulePod: &schedulePod{
+						podName:             "preemptor",
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:       "resume binding of the blocked pod",
+					resumeBind: true,
+				},
+				{
+					name: "schedule the preemptor Pod again and expect it to be scheduled (victim pod unreserved its resources)",
+					schedulePod: &schedulePod{
+						podName:       "preemptor",
+						expectSuccess: true,
+					},
+				},
+			},
+		},
+		{
+			// Expected test outcome: lower priority Pod switches to another node, does not get stuck in unschedulable queue forever. (This part is in comment due to test name length limit.)
+			name: "While lower priority Pod is waiting for preemption, higher priority Pod takes its place on the node",
+			scenarios: []scenario{
+				{
+					name: "create N-1 victim Pods on the first node",
+					createPod: &createPod{
+						pod:   st.MakePod().GenerateName("victim-").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Node("node").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						count: ptr.To(3),
+					},
+				},
+				{
+					name: "create the last victim Pod on the first node, that is going to be blocked in binding",
+					createPod: &createPod{
+						pod: st.MakePod().Name(podBlockedInBindingName).Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+					},
+				},
+				{
+					name: "schedule the last victim Pod",
+					schedulePod: &schedulePod{
+						podName: podBlockedInBindingName,
+					},
+				},
+				{
+					name: "create a mid-priority preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor-mid-priority").Req(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Container("image").Priority(50).Obj(),
+					},
+				},
+				{
+					name: "schedule the mid-priority preemptor Pod",
+					schedulePod: &schedulePod{
+						podName: "preemptor-mid-priority",
+					},
+				},
+				{
+					name:               "complete the preemption API calls",
+					completePreemption: "preemptor-mid-priority",
+				},
+				{
+					name:            "check the mid-priority preemptor Pod is gated, waiting for the last victim to be preempted",
+					podGatedInQueue: "preemptor-mid-priority",
+				},
+				{
+					name:       "create node2",
+					createNode: "node2",
+				},
+				{
+					name: "create victim Pods on node2",
+					createPod: &createPod{
+						pod:   st.MakePod().GenerateName("victim-").Req(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).Node("node2").Container("image").ZeroTerminationGracePeriod().Priority(1).Obj(),
+						count: ptr.To(4),
+					},
+				},
+				{
+					name: "create a high-priority preemptor Pod",
+					createPod: &createPod{
+						pod: st.MakePod().Name("preemptor-high-priority").Req(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Container("image").Priority(100).Obj(),
+					},
+				},
+				{
+					name: "schedule the high-priority preemptor Pod and expect it to get scheduled on node1",
+					// While we don't check explicitly that Pod is scheduled on node1, we can assume that because
+					// Pod won't fit on node2 without preemption and there are enough resources on node1.
+					schedulePod: &schedulePod{
+						podName:       "preemptor-high-priority",
+						expectSuccess: true,
+					},
+				},
+				{
+					name:       "allow the preemption of the last victim Pod on node1 to finish",
+					resumeBind: true,
+				},
+				{
+					name: "check that mid-priority preemptor Pod got activated by completed preemption and try scheduling it again",
+					schedulePod: &schedulePod{
+						podName: "preemptor-mid-priority",
+						// Pod won't fit on node1 anymore and should trigger preemptions on node2.
+						expectUnschedulable: true,
+					},
+				},
+				{
+					name:               "complete the preemption API calls on node2",
+					completePreemption: "preemptor-mid-priority",
+				},
+				{
+					name: "check that mid-priority Pod got activated, schedule it on node2",
+					schedulePod: &schedulePod{
+						podName:       "preemptor-mid-priority",
+						expectSuccess: true,
+					},
+				},
+			},
+		},
 	}
 
 	// All test cases have the same node.
 	node := st.MakeNode().Name("node").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj()
-	for _, asyncAPICallsEnabled := range []bool{true, false} {
+	for _, asyncAPICallsEnabled := range []bool{true} {
 		for _, test := range tests {
 			t.Run(fmt.Sprintf("%s (Async API calls enabled: %v)", test.name, asyncAPICallsEnabled), func(t *testing.T) {
 				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SchedulerAsyncAPICalls, asyncAPICallsEnabled)
 
 				// We need to use a custom preemption plugin to test async preemption behavior
 				delayedPreemptionPluginName := "delay-preemption"
+				var lock sync.Mutex
 				// keyed by the pod name
 				preemptionDoneChannels := make(map[string]chan struct{})
 				defer func() {
+					lock.Lock()
+					defer lock.Unlock()
 					for _, ch := range preemptionDoneChannels {
 						close(ch)
 					}
 				}()
 				registry := make(frameworkruntime.Registry)
 				var preemptionPlugin *defaultpreemption.DefaultPreemption
-				err := registry.Register(delayedPreemptionPluginName, func(c context.Context, r runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+				err := registry.Register(delayedPreemptionPluginName, func(c context.Context, r runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 					p, err := frameworkruntime.FactoryAdapter(plfeature.Features{EnableAsyncPreemption: true}, defaultpreemption.New)(c, &config.DefaultPreemptionArgs{
 						// Set default values to pass the validation at the initialization, not related to the test.
 						MinCandidateNodesPercentage: 10,
@@ -823,7 +1249,10 @@ func TestAsyncPreemption(t *testing.T) {
 					preemptPodFn := preemptionPlugin.Evaluator.PreemptPod
 					preemptionPlugin.Evaluator.PreemptPod = func(ctx context.Context, c preemption.Candidate, preemptor, victim *v1.Pod, pluginName string) error {
 						// block the preemption goroutine to complete until the test case allows it to proceed.
-						if ch, ok := preemptionDoneChannels[preemptor.Name]; ok {
+						lock.Lock()
+						ch, ok := preemptionDoneChannels[preemptor.Name]
+						lock.Unlock()
+						if ok {
 							<-ch
 						}
 						return preemptPodFn(ctx, c, preemptor, victim, pluginName)
@@ -834,16 +1263,54 @@ func TestAsyncPreemption(t *testing.T) {
 				if err != nil {
 					t.Fatalf("Error registering a filter: %v", err)
 				}
+
+				// Register fake bind plugin that will block on binding for the specified pod name, until it receives a resume signal via the blockBindingChannel.
+				blockBindingChannel := make(chan struct{})
+				defer close(blockBindingChannel)
+				blockingBindPluginName := "blockingBindPlugin"
+				err = registry.Register(blockingBindPluginName, func(ctx context.Context, o runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
+					db, err := defaultbinder.New(ctx, o, fh)
+					if err != nil {
+						t.Fatalf("Error creating a default binder plugin: %v", err)
+					}
+					var bindPlugin = blockingBindPlugin{
+						name:                blockingBindPluginName,
+						nameOfPodToBlock:    podBlockedInBindingName,
+						realPlugin:          db.(fwk.BindPlugin),
+						blockBindingChannel: blockBindingChannel,
+					}
+					return &bindPlugin, nil
+				})
+				if err != nil {
+					t.Fatalf("Error registering a bind plugin: %v", err)
+				}
+
+				// Register fake plugin that will reserve some fake resources for one pod.
+				// This could be used to check scheduler's behavior when the victim has to unreserve these resources to let the preemptor schedule.
+				reservingPluginName := "reservingPlugin"
+				err = registry.Register(reservingPluginName, func(ctx context.Context, o runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
+					return &reservingPlugin{
+						name:               reservingPluginName,
+						nameOfPodToReserve: reservingPodName,
+					}, nil
+				})
+				if err != nil {
+					t.Fatalf("Error registering a reserving plugin: %v", err)
+				}
+
 				cfg := configtesting.V1ToInternalWithDefaults(t, configv1.KubeSchedulerConfiguration{
 					Profiles: []configv1.KubeSchedulerProfile{{
 						SchedulerName: ptr.To(v1.DefaultSchedulerName),
 						Plugins: &configv1.Plugins{
 							MultiPoint: configv1.PluginSet{
 								Enabled: []configv1.Plugin{
+									{Name: blockingBindPluginName},
 									{Name: delayedPreemptionPluginName},
+									{Name: reservingPluginName},
 								},
 								Disabled: []configv1.Plugin{
 									{Name: names.DefaultPreemption},
+									{Name: names.DefaultBinder},
 								},
 							},
 						},
@@ -896,6 +1363,16 @@ func TestAsyncPreemption(t *testing.T) {
 				for _, scenario := range test.scenarios {
 					t.Logf("Running scenario: %s", scenario.name)
 					switch {
+					case scenario.createNode != "":
+						newNode := st.MakeNode().Name(scenario.createNode).Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj()
+						if _, err := cs.CoreV1().Nodes().Create(ctx, newNode, metav1.CreateOptions{}); err != nil {
+							t.Fatalf("Failed to create an initial Node %q: %v", newNode.Name, err)
+						}
+						defer func() {
+							if err := cs.CoreV1().Nodes().Delete(ctx, newNode.Name, metav1.DeleteOptions{}); err != nil {
+								t.Fatalf("Failed to delete the Node %q: %v", newNode.Name, err)
+							}
+						}()
 					case scenario.createPod != nil:
 						if scenario.createPod.count == nil {
 							scenario.createPod.count = ptr.To(1)
@@ -927,24 +1404,36 @@ func TestAsyncPreemption(t *testing.T) {
 							t.Fatal(lastFailure)
 						}
 
+						lock.Lock()
 						preemptionDoneChannels[scenario.schedulePod.podName] = make(chan struct{})
+						lock.Unlock()
 						testCtx.Scheduler.ScheduleOne(testCtx.Ctx)
+
 						if scenario.schedulePod.expectSuccess {
 							if err := wait.PollUntilContextTimeout(testCtx.Ctx, 200*time.Millisecond, wait.ForeverTestTimeout, false, testutils.PodScheduled(cs, testCtx.NS.Name, scenario.schedulePod.podName)); err != nil {
 								t.Fatalf("Expected the pod %s to be scheduled", scenario.schedulePod.podName)
 							}
-						} else {
+						} else if scenario.schedulePod.expectUnschedulable {
 							if !podInUnschedulablePodPool(t, testCtx.Scheduler.SchedulingQueue, scenario.schedulePod.podName) {
-								t.Fatalf("Expected the pod %s to be in the queue after the scheduling attempt", scenario.schedulePod.podName)
+								t.Fatalf("Expected the pod %s to be in the unschedulable queue after the scheduling attempt", scenario.schedulePod.podName)
 							}
 						}
+					case scenario.activatePod != "":
+						pod := unschedulablePod(t, testCtx.Scheduler.SchedulingQueue, scenario.activatePod)
+						if pod == nil {
+							t.Fatalf("Expected the pod %s to be in unschedulable queue before activation phase", scenario.activatePod)
+						}
+						m := map[string]*v1.Pod{scenario.activatePod: pod}
+						testCtx.Scheduler.SchedulingQueue.Activate(logger, m)
 					case scenario.completePreemption != "":
+						lock.Lock()
 						if _, ok := preemptionDoneChannels[scenario.completePreemption]; !ok {
 							t.Fatalf("The preemptor Pod %q is not running preemption", scenario.completePreemption)
 						}
 
 						close(preemptionDoneChannels[scenario.completePreemption])
 						delete(preemptionDoneChannels, scenario.completePreemption)
+						lock.Unlock()
 					case scenario.podGatedInQueue != "":
 						// make sure the Pod is in the queue in the first place.
 						if !podInUnschedulablePodPool(t, testCtx.Scheduler.SchedulingQueue, scenario.podGatedInQueue) {
@@ -963,6 +1452,20 @@ func TestAsyncPreemption(t *testing.T) {
 						}); err != nil {
 							t.Fatalf("Expected the pod %s to be running preemption", createdPods[*scenario.podRunningPreemption].Name)
 						}
+					case scenario.resumeBind:
+						blockBindingChannel <- struct{}{}
+					case scenario.verifyPodInUnschedulable != "":
+						if err := wait.PollUntilContextTimeout(testCtx.Ctx, 50*time.Millisecond, 200*time.Millisecond, false, func(ctx context.Context) (bool, error) {
+							if !podInUnschedulablePodPool(t, testCtx.Scheduler.SchedulingQueue, scenario.verifyPodInUnschedulable) {
+								return false, fmt.Errorf("expected the pod %s to remain in the unschedulable queue after the scheduling attempt", scenario.verifyPodInUnschedulable)
+							}
+							// Continue polling to confirm that pod remains in unschedulable queue and does not get activated.
+							return false, nil
+						}); err != nil && !errors.Is(err, context.DeadlineExceeded) {
+							// If timeout was reached or context was cancelled without finding that vanished from unschedulable, it means the state is as expected.
+							// If a different error occurred, it means that the pod got unexpectedly activated, or something else went wrong.
+							t.Fatalf("Error in scenario verifyPodInUnschedulable: %v", err)
+						}
 					}
 				}
 			})
@@ -988,3 +1491,131 @@ func podInUnschedulablePodPool(t *testing.T, queue queue.SchedulingQueue, podNam
 	}
 	return false
 }
+
+// unschedulablePod checks if the given Pod is in the unschedulable queue and returns it.
+func unschedulablePod(t *testing.T, queue queue.SchedulingQueue, podName string) *v1.Pod {
+	t.Helper()
+	unschedPods := queue.UnschedulablePods()
+	for _, pod := range unschedPods {
+		if pod.Name == podName {
+			return pod
+		}
+	}
+	return nil
+}
+
+// blockingBindPlugin is a fake plugin that simulates a long binding operation.
+// Underneath it calls realPlugin.Bind(), after receiving a signal that binding can be unblocked.
+type blockingBindPlugin struct {
+	name                string
+	nameOfPodToBlock    string
+	realPlugin          fwk.BindPlugin
+	blockBindingChannel chan struct{}
+}
+
+func (bp *blockingBindPlugin) Name() string {
+	return bp.name
+}
+
+func (bp *blockingBindPlugin) Bind(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status {
+	if strings.Contains(p.Name, bp.nameOfPodToBlock) {
+		// block the bind goroutine to complete until the test case allows it to proceed.
+		select {
+		case <-bp.blockBindingChannel:
+		case <-ctx.Done():
+		}
+	}
+	return bp.realPlugin.Bind(ctx, state, p, nodeName)
+}
+
+var _ fwk.BindPlugin = &blockingBindPlugin{}
+
+// reservingPlugin is a fake plugin that reserves some resource in memory for nameOfPodToReserve pod.
+// Other pods won't be scheduled, unless the resources are unreserved.
+type reservingPlugin struct {
+	lock               sync.Mutex
+	name               string
+	nameOfPodToReserve string
+	reserved           bool
+}
+
+func (rp *reservingPlugin) Name() string {
+	return rp.name
+}
+
+func (rp *reservingPlugin) EventsToRegister(_ context.Context) ([]fwk.ClusterEventWithHint, error) {
+	return []fwk.ClusterEventWithHint{
+		// Plugin will wake up the pod on any Pod/Delete event.
+		{Event: fwk.ClusterEvent{Resource: fwk.Pod, ActionType: fwk.Delete}},
+	}, nil
+}
+
+const reservingPluginStateKey = "PreFilterReserving"
+
+type reservingPluginState struct {
+	reserved bool
+}
+
+func (s reservingPluginState) Clone() fwk.StateData {
+	return reservingPluginState{
+		reserved: s.reserved,
+	}
+}
+
+func (rp *reservingPlugin) PreFilter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodes []fwk.NodeInfo) (*fwk.PreFilterResult, *fwk.Status) {
+	rp.lock.Lock()
+	state.Write(reservingPluginStateKey, reservingPluginState{reserved: rp.reserved})
+	rp.lock.Unlock()
+	return nil, nil
+}
+
+func (rp *reservingPlugin) Filter(ctx context.Context, state fwk.CycleState, pod *v1.Pod, nodeInfo fwk.NodeInfo) *fwk.Status {
+	s, err := state.Read(reservingPluginStateKey)
+	if err != nil {
+		return fwk.AsStatus(err)
+	}
+	if s.(reservingPluginState).reserved {
+		return fwk.NewStatus(fwk.Unschedulable, "resources are reserved")
+	}
+	return nil
+}
+
+func (rp *reservingPlugin) Reserve(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) *fwk.Status {
+	if strings.Contains(p.Name, rp.nameOfPodToReserve) {
+		rp.lock.Lock()
+		rp.reserved = true
+		rp.lock.Unlock()
+	}
+	return nil
+}
+
+func (rp *reservingPlugin) Unreserve(ctx context.Context, state fwk.CycleState, p *v1.Pod, nodeName string) {
+	if strings.Contains(p.Name, rp.nameOfPodToReserve) {
+		rp.lock.Lock()
+		rp.reserved = false
+		rp.lock.Unlock()
+	}
+}
+
+func (rp *reservingPlugin) PreFilterExtensions() fwk.PreFilterExtensions {
+	return rp
+}
+
+func (rp *reservingPlugin) AddPod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToAdd fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+	if strings.Contains(podInfoToAdd.GetPod().Name, rp.nameOfPodToReserve) {
+		state.Write(reservingPluginStateKey, reservingPluginState{reserved: true})
+	}
+	return nil
+}
+
+func (rp *reservingPlugin) RemovePod(ctx context.Context, state fwk.CycleState, podToSchedule *v1.Pod, podInfoToRemove fwk.PodInfo, nodeInfo fwk.NodeInfo) *fwk.Status {
+	if strings.Contains(podInfoToRemove.GetPod().Name, rp.nameOfPodToReserve) {
+		state.Write(reservingPluginStateKey, reservingPluginState{reserved: false})
+	}
+	return nil
+}
+
+var _ fwk.PreFilterPlugin = &reservingPlugin{}
+var _ fwk.FilterPlugin = &reservingPlugin{}
+var _ fwk.PreFilterExtensions = &reservingPlugin{}
+var _ fwk.ReservePlugin = &reservingPlugin{}
diff --git a/test/integration/scheduler/queueing/former/queue_test.go b/test/integration/scheduler/queueing/former/queue_test.go
index 65bb87eb197c5..cf5fd7607a3d8 100644
--- a/test/integration/scheduler/queueing/former/queue_test.go
+++ b/test/integration/scheduler/queueing/former/queue_test.go
@@ -27,10 +27,10 @@ import (
 	"k8s.io/kubernetes/test/integration/scheduler/queueing"
 )
 
-// TestCoreResourceEnqueueWithQueueingHints verify Pods failed by in-tree default plugins can be
+// TestCoreResourceEnqueueWithoutQueueingHints verify Pods failed by in-tree default plugins can be
 // moved properly upon their registered events.
 // Here, we run only the test cases where the EnableSchedulingQueueHint is disabled.
-func TestCoreResourceEnqueueWithQueueingHints(t *testing.T) {
+func TestCoreResourceEnqueueWithoutQueueingHints(t *testing.T) {
 	for _, tt := range queueing.CoreResourceEnqueueTestCases {
 		if tt.EnableSchedulingQueueHint != nil && !tt.EnableSchedulingQueueHint.Has(false) {
 			continue
diff --git a/test/integration/scheduler/queueing/queue.go b/test/integration/scheduler/queueing/queue.go
index bed3183653753..dfb1ac7067c56 100644
--- a/test/integration/scheduler/queueing/queue.go
+++ b/test/integration/scheduler/queueing/queue.go
@@ -22,7 +22,10 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/mock"
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1"
+	schedulingapi "k8s.io/api/scheduling/v1alpha1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -32,6 +35,9 @@ import (
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"
+	ndf "k8s.io/component-helpers/nodedeclaredfeatures"
+	ndffeatures "k8s.io/component-helpers/nodedeclaredfeatures/features"
+	ndftesting "k8s.io/component-helpers/nodedeclaredfeatures/testing"
 	"k8s.io/component-helpers/storage/volume"
 	configv1 "k8s.io/kube-scheduler/config/v1"
 	fwk "k8s.io/kube-scheduler/framework"
@@ -46,6 +52,13 @@ import (
 	"k8s.io/utils/ptr"
 )
 
+type rejectingPhase string
+
+const (
+	rejectingPhasePreEnqueue      rejectingPhase = "PreEnqueue"
+	rejectingPhaseSchedulingCycle rejectingPhase = "SchedulingCycle"
+)
+
 type CoreResourceEnqueueTestCase struct {
 	Name string
 	// InitialNodes is the list of Nodes to be created at first.
@@ -70,9 +83,21 @@ type CoreResourceEnqueueTestCase struct {
 	InitialStorageCapacities []*storagev1.CSIStorageCapacity
 	// InitialVolumeAttachment is the list of VolumeAttachment to be created at first.
 	InitialVolumeAttachment []*storagev1.VolumeAttachment
+	// InitialDeviceClasses are the list of DeviceClass to be created at first.
+	InitialDeviceClasses []*resourceapi.DeviceClass
+	// InitialWorkloads is the list of Workloads to be created at first.
+	InitialWorkloads []*schedulingapi.Workload
 	// Pods are the list of Pods to be created.
 	// All of them are expected to be unschedulable at first.
 	Pods []*v1.Pod
+	// ExpectedInitialRejectingPhase specifies how Pods are supposed to be initially rejected.
+	// rejectingPhase could be either "PreEnqueue" or "SchedulingCycle". Depending on the value:
+	// - "PreEnqueue": test case waits for the Pods to be observed by the scheduler
+	//   and put in the unschedulable pods pool, being blocked at the PreEnqueue gate.
+	// - "SchedulingCycle": test case lets pods experience scheduling cycle once,
+	//   being rejected by PreFilter or Filter gates.
+	// Defaults to "SchedulingCycle".
+	ExpectedInitialRejectingPhase rejectingPhase
 	// TriggerFn is the function that triggers the event to move Pods.
 	// It returns the map keyed with ClusterEvents to be triggered by this function,
 	// and valued with the number of triggering of the event.
@@ -89,6 +114,11 @@ type CoreResourceEnqueueTestCase struct {
 	// EnabledRAExtendedResource indicates wether the test case should run with feature gate
 	// DRAExtendedResource enabled or not.
 	EnableDRAExtendedResource bool
+	// EnableNodeDeclaredFeatures indicates if the test case runs with the NodeDeclaredFeatures feature gate enabled.
+	EnableNodeDeclaredFeatures bool
+	// EnableGangScheduling indicates wether the test case should run with feature gates
+	// GenericWorkload and GangScheduling enabled or not.
+	EnableGangScheduling bool
 }
 
 var (
@@ -124,7 +154,8 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 			}
 			return map[fwk.ClusterEvent]uint64{{Resource: fwk.Node, ActionType: fwk.UpdateNodeAllocatable}: 1}, nil
 		},
-		WantRequeuedPods: sets.New("pod2"),
+		WantRequeuedPods:          sets.New("pod2"),
+		EnableSchedulingQueueHint: sets.New(true),
 	},
 	{
 		Name:          "Pod rejected by the PodAffinity plugin is requeued when a new Node is created and turned to ready",
@@ -365,7 +396,7 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 	},
 	{
 		Name:          "Pod rejected by the NodeResourcesFit plugin isn't requeued when a Node has the extended resource, and DRAExtendedResource is disabled",
-		EnablePlugins: []string{names.NodeResourcesFit},
+		EnablePlugins: []string{names.NodeResourcesFit, names.DynamicResources},
 		InitialNodes: []*v1.Node{
 			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/gpu": "1"}).Obj(),
 		},
@@ -386,7 +417,7 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 	},
 	{
 		Name:          "Pod rejected by the NodeResourcesFit plugin isn't requeued when a Node has the extended resource, and DRAExtendedResource is enabled",
-		EnablePlugins: []string{names.NodeResourcesFit},
+		EnablePlugins: []string{names.NodeResourcesFit, names.DynamicResources},
 		InitialNodes: []*v1.Node{
 			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/gpu": "1"}).Obj(),
 		},
@@ -407,7 +438,7 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 	},
 	{
 		Name:          "Pod rejected by the NodeResourcesFit plugin isn't requeued when a Node does not have the extended resource, and DRAExtendedResource is disabled",
-		EnablePlugins: []string{names.NodeResourcesFit},
+		EnablePlugins: []string{names.NodeResourcesFit, names.DynamicResources},
 		InitialNodes: []*v1.Node{
 			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
 		},
@@ -428,11 +459,21 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 	},
 	{
 		Name:          "Pod rejected by the NodeResourcesFit plugin is requeued when a Node does not have the extended resource, and DRAExtendedResource is enabled",
-		EnablePlugins: []string{names.NodeResourcesFit, names.NodeAffinity},
+		EnablePlugins: []string{names.NodeResourcesFit, names.NodeAffinity, names.DynamicResources},
 		InitialNodes: []*v1.Node{
 			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
 			st.MakeNode().Name("fake-node2").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "2"}).Label("group", "b").Obj(),
 		},
+		InitialDeviceClasses: []*resourceapi.DeviceClass{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "gpu-device-class",
+				},
+				Spec: resourceapi.DeviceClassSpec{
+					ExtendedResourceName: ptr.To("example.com/gpu"),
+				},
+			},
+		},
 		Pods: []*v1.Pod{
 			// - Pod1 requests available amount of CPU (in fake-node1), but will be rejected by NodeAffinity plugin. Note that the NodeResourceFit plugin will register for QHints because it rejected fake-node2.
 			st.MakePod().Name("pod1").Res(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/gpu": "1"}).NodeAffinityIn("group", []string{"b"}, st.NodeSelectorTypeMatchExpressions).Container("image").Obj(),
@@ -449,6 +490,53 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 		EnableSchedulingQueueHint: sets.New(true),
 		EnableDRAExtendedResource: true,
 	},
+	{
+		Name:          "Pod rejected by the NodeResourcesFit plugin is requeued when created DeviceClass having the extended resource matching pod's requests, and DRAExtendedResource is enabled",
+		EnablePlugins: []string{names.NodeResourcesFit},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
+		},
+		Pods: []*v1.Pod{
+			// - Pod1 requests available amount of CPU (in fake-node1), but will be rejected due to lack of extended resource exampe.com/gpu.
+			st.MakePod().Name("pod1").Res(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/gpu": "1"}).Container("image").Obj(),
+			st.MakePod().Name("pod2").Res(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/othergpu": "1"}).Container("image").Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			// Trigger a DeviceClass Create event that has the extended resource name that matches pod's resource request.
+			if _, err := testCtx.ClientSet.ResourceV1().DeviceClasses().Create(testCtx.Ctx, &resourceapi.DeviceClass{ObjectMeta: metav1.ObjectMeta{Name: "fake-class"}, Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")}}, metav1.CreateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to create the fake-class: %w", err)
+			}
+
+			return map[fwk.ClusterEvent]uint64{{Resource: fwk.DeviceClass, ActionType: fwk.Add}: 1}, nil
+		},
+		WantRequeuedPods:          sets.New("pod1"),
+		EnableSchedulingQueueHint: sets.New(true),
+		EnableDRAExtendedResource: true,
+	},
+	{
+		Name:                 "Pod rejected by the NodeResourcesFit plugin is requeued when updated DeviceClass has the extended resource, and DRAExtendedResource is enabled",
+		EnablePlugins:        []string{names.NodeResourcesFit},
+		InitialDeviceClasses: []*resourceapi.DeviceClass{{ObjectMeta: metav1.ObjectMeta{Name: "fake-class"}, Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: nil}}},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("fake-node1").Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "4"}).Obj(),
+		},
+		Pods: []*v1.Pod{
+			// - Pod1 requests available amount of CPU (in fake-node1), but will be rejected due to lack of extended resource example.com/gpu.
+			st.MakePod().Name("pod1").Res(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/gpu": "1"}).Container("image").Obj(),
+			st.MakePod().Name("pod2").Res(map[v1.ResourceName]string{v1.ResourceCPU: "4", "example.com/othergpu": "1"}).Container("image").Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			// Trigger a DeviceClass Update event that adds the extended resource name that matches pod's resource request.
+			if _, err := testCtx.ClientSet.ResourceV1().DeviceClasses().Update(testCtx.Ctx, &resourceapi.DeviceClass{ObjectMeta: metav1.ObjectMeta{Name: "fake-class"}, Spec: resourceapi.DeviceClassSpec{ExtendedResourceName: ptr.To("example.com/gpu")}}, metav1.UpdateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to update the fake-class: %w", err)
+			}
+
+			return map[fwk.ClusterEvent]uint64{{Resource: fwk.DeviceClass, ActionType: fwk.Update}: 1}, nil
+		},
+		WantRequeuedPods:          sets.New("pod1"),
+		EnableSchedulingQueueHint: sets.New(true),
+		EnableDRAExtendedResource: true,
+	},
 	{
 		Name:          "Pod rejected by the NodeResourcesFit plugin isn't requeued when a Node is updated without increase in the requested resources",
 		EnablePlugins: []string{names.NodeResourcesFit, names.NodeAffinity},
@@ -2410,6 +2498,158 @@ var CoreResourceEnqueueTestCases = []*CoreResourceEnqueueTestCase{
 		WantRequeuedPods:          sets.New("pod1"),
 		EnableSchedulingQueueHint: sets.New(true),
 	},
+	{
+		Name:                       "pod becomes schedulable after node update with required feature",
+		EnableNodeDeclaredFeatures: true,
+		EnableSchedulingQueueHint:  sets.New(true),
+		EnablePlugins:              []string{names.NodeDeclaredFeatures},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("node-1").Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("pause").Tolerations([]v1.Toleration{{Key: "featureA", Effect: v1.TaintEffectNoExecute, TolerationSeconds: ptr.To(int64(200))}}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			node, err := testCtx.ClientSet.CoreV1().Nodes().Get(testCtx.Ctx, "node-1", metav1.GetOptions{})
+			if err != nil {
+				return nil, err
+			}
+			updatedNode := node.DeepCopy()
+			updatedNode.Status.DeclaredFeatures = []string{"FeatureA"}
+			if _, err := testCtx.ClientSet.CoreV1().Nodes().UpdateStatus(testCtx.Ctx, updatedNode, metav1.UpdateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to update node status: %w", err)
+			}
+			return map[fwk.ClusterEvent]uint64{{Resource: fwk.Node, ActionType: fwk.UpdateNodeDeclaredFeature}: 1}, nil
+		},
+		WantRequeuedPods: sets.New("pod1"),
+	},
+	{
+		Name:                       "pod remains unschedulable after node update that does not update declared features",
+		EnableNodeDeclaredFeatures: true,
+		EnableSchedulingQueueHint:  sets.New(true),
+		EnablePlugins:              []string{names.NodeDeclaredFeatures},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("node-1").Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("pause").Tolerations([]v1.Toleration{{Key: "featureA", Effect: v1.TaintEffectNoExecute, TolerationSeconds: ptr.To(int64(200))}}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			node, err := testCtx.ClientSet.CoreV1().Nodes().Get(testCtx.Ctx, "node-1", metav1.GetOptions{})
+			if err != nil {
+				return nil, err
+			}
+			updatedNode := node.DeepCopy()
+			if updatedNode.Labels == nil {
+				updatedNode.Labels = make(map[string]string)
+			}
+			updatedNode.Labels["foo"] = "bar"
+			if _, err := testCtx.ClientSet.CoreV1().Nodes().Update(testCtx.Ctx, updatedNode, metav1.UpdateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to update node status: %w", err)
+			}
+			return map[fwk.ClusterEvent]uint64{{Resource: fwk.Node, ActionType: fwk.UpdateNodeDeclaredFeature}: 0}, nil
+		},
+		WantRequeuedPods: sets.Set[string]{},
+	},
+	{
+		Name:                       "pod becomes schedulable after pod update that removes feature requirement",
+		EnableNodeDeclaredFeatures: true,
+		EnableSchedulingQueueHint:  sets.New(true),
+		EnablePlugins:              []string{names.NodeDeclaredFeatures},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("node-1").Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("pause").Tolerations([]v1.Toleration{{Key: "featureA", Effect: v1.TaintEffectNoExecute, TolerationSeconds: ptr.To(int64(200))}}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			pod, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Get(testCtx.Ctx, "pod1", metav1.GetOptions{})
+			if err != nil {
+				return nil, err
+			}
+			updatedPod := pod.DeepCopy()
+			// Modify toleration so that we no longer require the feature.
+			updatedPod.Spec.Tolerations[0].TolerationSeconds = ptr.To(int64(0))
+			if _, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Update(testCtx.Ctx, updatedPod, metav1.UpdateOptions{}); err != nil {
+				return nil, err
+			}
+			return map[fwk.ClusterEvent]uint64{{Resource: unschedulablePod, ActionType: fwk.Update}: 1}, nil
+		},
+		WantRequeuedPods: sets.New("pod1"),
+	},
+	{
+		Name:                       "pod remains unschedulable after pod update that does not remove feature requirement",
+		EnableNodeDeclaredFeatures: true,
+		EnableSchedulingQueueHint:  sets.New(true),
+		EnablePlugins:              []string{names.NodeDeclaredFeatures},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("node-1").Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("pause").Tolerations([]v1.Toleration{{Key: "featureA", Effect: v1.TaintEffectNoExecute, TolerationSeconds: ptr.To(int64(200))}}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			pod, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Get(testCtx.Ctx, "pod1", metav1.GetOptions{})
+			if err != nil {
+				return nil, err
+			}
+			updatedPod := pod.DeepCopy()
+			updatedPod.Labels = make(map[string]string)
+			updatedPod.Labels["foo"] = "bar"
+			if _, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Update(testCtx.Ctx, updatedPod, metav1.UpdateOptions{}); err != nil {
+				return nil, err
+			}
+			return map[fwk.ClusterEvent]uint64{{Resource: unschedulablePod, ActionType: fwk.Update}: 1}, nil
+		},
+		WantRequeuedPods: sets.Set[string]{},
+	},
+	{
+		Name:          "Pod rejected by the GangScheduling plugin is requeued when a new pod with matching workload reference is created",
+		EnablePlugins: []string{names.GangScheduling},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("fake-node1").Obj(),
+		},
+		InitialWorkloads: []*schedulingapi.Workload{
+			st.MakeWorkload().Name("w1").PodGroup(st.MakePodGroup().Name("pg1").MinCount(2).Obj()).Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("image").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj(),
+			st.MakePod().Name("pod2").Container("image").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg2"}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			pod := st.MakePod().Name("pod3").Container("image").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj()
+			if _, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Create(testCtx.Ctx, pod, metav1.CreateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to create Pod %q: %w", pod.Name, err)
+			}
+			return map[fwk.ClusterEvent]uint64{framework.EventUnscheduledPodAdd: 1}, nil
+		},
+		ExpectedInitialRejectingPhase: rejectingPhasePreEnqueue,
+		WantRequeuedPods:              sets.New("pod1", "pod3"),
+		EnableSchedulingQueueHint:     sets.New(true),
+		EnableGangScheduling:          true,
+	},
+	{
+		Name:          "Pod rejected by the GangScheduling plugin is requeued when a matching workload is created",
+		EnablePlugins: []string{names.GangScheduling},
+		InitialNodes: []*v1.Node{
+			st.MakeNode().Name("fake-node1").Obj(),
+		},
+		Pods: []*v1.Pod{
+			st.MakePod().Name("pod1").Container("image").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg1"}).Obj(),
+			st.MakePod().Name("pod2").Container("image").WorkloadRef(&v1.WorkloadReference{Name: "w1", PodGroup: "pg2"}).Obj(),
+		},
+		TriggerFn: func(testCtx *testutils.TestContext) (map[fwk.ClusterEvent]uint64, error) {
+			workload := st.MakeWorkload().Name("w1").PodGroup(st.MakePodGroup().Name("pg1").MinCount(1).Obj()).Obj()
+			if _, err := testCtx.ClientSet.SchedulingV1alpha1().Workloads(testCtx.NS.Name).Create(testCtx.Ctx, workload, metav1.CreateOptions{}); err != nil {
+				return nil, fmt.Errorf("failed to create Workload %q: %w", workload.Name, err)
+			}
+			return map[fwk.ClusterEvent]uint64{{Resource: fwk.Workload, ActionType: fwk.Add}: 1}, nil
+		},
+		ExpectedInitialRejectingPhase: rejectingPhasePreEnqueue,
+		WantRequeuedPods:              sets.New("pod1"),
+		EnableSchedulingQueueHint:     sets.New(true),
+		EnableGangScheduling:          true,
+	},
 }
 
 // TestCoreResourceEnqueue verify Pods failed by in-tree default plugins can be
@@ -2420,6 +2660,29 @@ func RunTestCoreResourceEnqueue(t *testing.T, tt *CoreResourceEnqueueTestCase) {
 	if tt.EnableDRAExtendedResource {
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRAExtendedResource, true)
 	}
+	if tt.EnableNodeDeclaredFeatures {
+		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeDeclaredFeatures, true)
+
+		mockFeature := ndftesting.NewMockFeature(t)
+		mockFeature.EXPECT().Name().Return("FeatureA").Maybe()
+		mockFeature.EXPECT().InferForScheduling(mock.Anything).RunAndReturn(func(podInfo *ndf.PodInfo) bool {
+			return len(podInfo.Spec.Tolerations) > 0 && podInfo.Spec.Tolerations[0].TolerationSeconds != nil &&
+				*podInfo.Spec.Tolerations[0].TolerationSeconds > 0
+		})
+		mockFeature.EXPECT().MaxVersion().Return(nil).Maybe()
+
+		originalAllFeatures := ndffeatures.AllFeatures
+		ndffeatures.AllFeatures = []ndf.Feature{mockFeature}
+		defer func() {
+			ndffeatures.AllFeatures = originalAllFeatures
+		}()
+	}
+	if tt.EnableGangScheduling {
+		featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+			features.GenericWorkload: true,
+			features.GangScheduling:  true,
+		})
+	}
 	logger, _ := ktesting.NewTestContext(t)
 
 	opts := []scheduler.Option{scheduler.WithPodInitialBackoffSeconds(0), scheduler.WithPodMaxBackoffSeconds(0)}
@@ -2471,6 +2734,12 @@ func RunTestCoreResourceEnqueue(t *testing.T, tt *CoreResourceEnqueueTestCase) {
 		}
 	}
 
+	for _, deviceClass := range tt.InitialDeviceClasses {
+		if _, err := cs.ResourceV1().DeviceClasses().Create(ctx, deviceClass, metav1.CreateOptions{}); err != nil {
+			t.Fatalf("Failed to create a DeviceClass %q: %v", deviceClass.Name, err)
+		}
+	}
+
 	for _, csinode := range tt.InitialCSINodes {
 		if _, err := testCtx.ClientSet.StorageV1().CSINodes().Create(ctx, csinode, metav1.CreateOptions{}); err != nil {
 			t.Fatalf("Failed to create a CSINode %q: %v", csinode.Name, err)
@@ -2514,6 +2783,13 @@ func RunTestCoreResourceEnqueue(t *testing.T, tt *CoreResourceEnqueueTestCase) {
 		}
 	}
 
+	for _, wl := range tt.InitialWorkloads {
+		wl.Namespace = ns
+		if _, err := cs.SchedulingV1alpha1().Workloads(ns).Create(testCtx.Ctx, wl, metav1.CreateOptions{}); err != nil {
+			t.Fatalf("Failed to create a Workload %q: %v", wl.Name, err)
+		}
+	}
+
 	for _, pod := range tt.InitialPods {
 		if _, err := cs.CoreV1().Pods(ns).Create(ctx, pod, metav1.CreateOptions{}); err != nil {
 			t.Fatalf("Failed to create an initial Pod %q: %v", pod.Name, err)
@@ -2526,35 +2802,48 @@ func RunTestCoreResourceEnqueue(t *testing.T, tt *CoreResourceEnqueueTestCase) {
 		}
 	}
 
-	// Wait for the tt.Pods to be present in the scheduling active queue.
-	if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
-		pendingPods, _ := testCtx.Scheduler.SchedulingQueue.PendingPods()
-		return len(pendingPods) == len(tt.Pods) && len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()) == len(tt.Pods), nil
-	}); err != nil {
-		t.Fatalf("Failed to wait for all pods to be present in the scheduling queue: %v", err)
-	}
+	switch tt.ExpectedInitialRejectingPhase {
+	case rejectingPhasePreEnqueue:
+		// Wait for the tt.Pods to be unschedulable in the scheduling queue.
+		if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+			pendingPods, _ := testCtx.Scheduler.SchedulingQueue.PendingPods()
+			return len(pendingPods) == len(tt.Pods) && len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()) == 0, nil
+		}); err != nil {
+			t.Fatalf("Failed to wait for all pods to be present in the scheduling queue: %v", err)
+		}
+		t.Log("All pods are waiting as unschedulable, will trigger triggerFn")
+	case rejectingPhaseSchedulingCycle:
+		fallthrough
+	default: // Defaults to rejectingPhaseSchedulingCycle.
+		// Wait for the tt.Pods to be present in the scheduling active queue.
+		if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+			pendingPods, _ := testCtx.Scheduler.SchedulingQueue.PendingPods()
+			return len(pendingPods) == len(tt.Pods) && len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ()) == len(tt.Pods), nil
+		}); err != nil {
+			t.Fatalf("Failed to wait for all pods to be present in the scheduling queue: %v", err)
+		}
 
-	t.Log("Confirmed Pods in the scheduling queue, starting to schedule them")
+		t.Log("Confirmed Pods in the scheduling queue, starting to schedule them")
 
-	// Pop all pods out. They should become unschedulable.
-	for i := 0; i < len(tt.Pods); i++ {
-		testCtx.Scheduler.ScheduleOne(testCtx.Ctx)
-	}
-	// Wait for the tt.Pods to be still present in the scheduling (unschedulable) queue.
-	if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
-		activePodsCount := len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ())
-		if activePodsCount > 0 {
-			return false, fmt.Errorf("active queue was expected to be empty, but found %v Pods", activePodsCount)
+		// Pop all pods out. They should become unschedulable.
+		for i := 0; i < len(tt.Pods); i++ {
+			testCtx.Scheduler.ScheduleOne(testCtx.Ctx)
 		}
+		// Wait for the tt.Pods to be still present in the scheduling (unschedulable) queue.
+		if err := wait.PollUntilContextTimeout(ctx, time.Millisecond*200, wait.ForeverTestTimeout, false, func(ctx context.Context) (bool, error) {
+			activePodsCount := len(testCtx.Scheduler.SchedulingQueue.PodsInActiveQ())
+			if activePodsCount > 0 {
+				return false, fmt.Errorf("active queue was expected to be empty, but found %v Pods", activePodsCount)
+			}
 
-		pendingPods, _ := testCtx.Scheduler.SchedulingQueue.PendingPods()
-		return len(pendingPods) == len(tt.Pods), nil
-	}); err != nil {
-		t.Fatalf("Failed to wait for all pods to remain in the scheduling queue after scheduling attempts: %v", err)
+			pendingPods, _ := testCtx.Scheduler.SchedulingQueue.PendingPods()
+			return len(pendingPods) == len(tt.Pods), nil
+		}); err != nil {
+			t.Fatalf("Failed to wait for all pods to remain in the scheduling queue after scheduling attempts: %v", err)
+		}
+		t.Log("finished initial schedulings for all Pods, will trigger triggerFn")
 	}
 
-	t.Log("finished initial schedulings for all Pods, will trigger triggerFn")
-
 	legacyregistry.Reset() // reset the metric before triggering
 	wantTriggeredEvents, err := tt.TriggerFn(testCtx)
 	if err != nil {
diff --git a/test/integration/scheduler/queueing/queue_test.go b/test/integration/scheduler/queueing/queue_test.go
index 4c47fd7260b6c..11fe79c46409e 100644
--- a/test/integration/scheduler/queueing/queue_test.go
+++ b/test/integration/scheduler/queueing/queue_test.go
@@ -186,8 +186,8 @@ func TestSchedulingGates(t *testing.T) {
 	}
 }
 
-var _ framework.FilterPlugin = &fakeCRPlugin{}
-var _ framework.EnqueueExtensions = &fakeCRPlugin{}
+var _ fwk.FilterPlugin = &fakeCRPlugin{}
+var _ fwk.EnqueueExtensions = &fakeCRPlugin{}
 
 type fakeCRPlugin struct{}
 
@@ -263,7 +263,7 @@ func TestCustomResourceEnqueue(t *testing.T) {
 	}
 
 	registry := frameworkruntime.Registry{
-		"fakeCRPlugin": func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+		"fakeCRPlugin": func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 			return &fakeCRPlugin{}, nil
 		},
 	}
@@ -370,13 +370,13 @@ func TestCustomResourceEnqueue(t *testing.T) {
 func TestRequeueByBindFailure(t *testing.T) {
 	fakeBind := &firstFailBindPlugin{}
 	registry := frameworkruntime.Registry{
-		"firstFailBindPlugin": func(ctx context.Context, o runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+		"firstFailBindPlugin": func(ctx context.Context, o runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 			binder, err := defaultbinder.New(ctx, nil, fh)
 			if err != nil {
 				return nil, err
 			}
 
-			fakeBind.defaultBinderPlugin = binder.(framework.BindPlugin)
+			fakeBind.defaultBinderPlugin = binder.(fwk.BindPlugin)
 			return fakeBind, nil
 		},
 	}
@@ -439,7 +439,7 @@ func TestRequeueByBindFailure(t *testing.T) {
 // firstFailBindPlugin rejects the Pod in the first Bind call.
 type firstFailBindPlugin struct {
 	counter             int
-	defaultBinderPlugin framework.BindPlugin
+	defaultBinderPlugin fwk.BindPlugin
 }
 
 func (*firstFailBindPlugin) Name() string {
@@ -462,7 +462,7 @@ func TestRequeueByPermitRejection(t *testing.T) {
 	queueingHintCalledCounter := 0
 	fakePermit := &fakePermitPlugin{}
 	registry := frameworkruntime.Registry{
-		fakePermitPluginName: func(ctx context.Context, o runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+		fakePermitPluginName: func(ctx context.Context, o runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 			fakePermit = &fakePermitPlugin{
 				frameworkHandler: fh,
 				schedulingHint: func(logger klog.Logger, pod *v1.Pod, oldObj, newObj interface{}) (fwk.QueueingHint, error) {
@@ -525,7 +525,7 @@ func TestRequeueByPermitRejection(t *testing.T) {
 
 	// reject pod-1 to simulate the failure in Permit plugins.
 	// This pod-1 should be enqueued to activeQ because the NodeUpdate event has happened.
-	fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp framework.WaitingPod) {
+	fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp fwk.WaitingPod) {
 		if wp.GetPod().Name == "pod-1" {
 			wp.Reject(fakePermitPluginName, "fakePermitPlugin rejects the Pod")
 			return
@@ -534,7 +534,7 @@ func TestRequeueByPermitRejection(t *testing.T) {
 
 	// Wait for pod-2 to be scheduled.
 	err := wait.PollUntilContextTimeout(ctx, 200*time.Millisecond, wait.ForeverTestTimeout, false, func(ctx context.Context) (done bool, err error) {
-		fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp framework.WaitingPod) {
+		fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp fwk.WaitingPod) {
 			if wp.GetPod().Name == "pod-2" {
 				wp.Allow(fakePermitPluginName)
 			}
@@ -548,7 +548,7 @@ func TestRequeueByPermitRejection(t *testing.T) {
 
 	err = wait.PollUntilContextTimeout(ctx, 200*time.Millisecond, wait.ForeverTestTimeout, false, func(ctx context.Context) (done bool, err error) {
 		pod1Found := false
-		fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp framework.WaitingPod) {
+		fakePermit.frameworkHandler.IterateOverWaitingPods(func(wp fwk.WaitingPod) {
 			if wp.GetPod().Name == "pod-1" {
 				pod1Found = true
 				wp.Allow(fakePermitPluginName)
@@ -566,7 +566,7 @@ func TestRequeueByPermitRejection(t *testing.T) {
 }
 
 type fakePermitPlugin struct {
-	frameworkHandler framework.Handle
+	frameworkHandler fwk.Handle
 	schedulingHint   fwk.QueueingHintFn
 }
 
diff --git a/test/integration/scheduler/rescheduling_test.go b/test/integration/scheduler/rescheduling_test.go
index 10d89fdef24b5..7035d5d1df0ce 100644
--- a/test/integration/scheduler/rescheduling_test.go
+++ b/test/integration/scheduler/rescheduling_test.go
@@ -30,18 +30,17 @@ import (
 	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
 	testutils "k8s.io/kubernetes/test/integration/util"
 )
 
-var _ framework.PermitPlugin = &PermitPlugin{}
-var _ framework.EnqueueExtensions = &PermitPlugin{}
-var _ framework.ReservePlugin = &ReservePlugin{}
-var _ framework.EnqueueExtensions = &ReservePlugin{}
+var _ fwk.PermitPlugin = &PermitPlugin{}
+var _ fwk.EnqueueExtensions = &PermitPlugin{}
+var _ fwk.ReservePlugin = &ReservePlugin{}
+var _ fwk.EnqueueExtensions = &ReservePlugin{}
 
 type ResettablePlugin interface {
-	framework.Plugin
+	fwk.Plugin
 	Reset()
 }
 
diff --git a/test/integration/scheduler/scheduler_test.go b/test/integration/scheduler/scheduler_test.go
index 2b07119c2a20a..f862dbe1dfbdb 100644
--- a/test/integration/scheduler/scheduler_test.go
+++ b/test/integration/scheduler/scheduler_test.go
@@ -32,10 +32,13 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
 	corelisters "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	configv1 "k8s.io/kube-scheduler/config/v1"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler"
 	configtesting "k8s.io/kubernetes/pkg/scheduler/apis/config/testing"
 	st "k8s.io/kubernetes/pkg/scheduler/testing"
@@ -1024,3 +1027,222 @@ func TestHostPorts(t *testing.T) {
 		})
 	}
 }
+
+// TestTaintTolerationGtLtIntegration tests integration scenarios for Gt/Lt toleration operators
+// The test verifies that unschedulable pods are re-queued when taint values change.
+// 1. Create node1 with dedicated taint and node2 with low priority taint
+// 2. Wait for scheduler to observe both nodes
+// 3. Create pod1 that tolerates node1's taint; it schedules on node1
+// 4. Create pod2 with Gt toleration for priority; it's unschedulable (doesn't tolerate node1, node2's priority too low)
+// 5. Update node2's taint to acceptable priority; pod2 schedules on node2
+// 6. Create node3 with high error-rate taint
+// 7. Create pod3 with Lt toleration for error-rate; it's unschedulable (node3's error-rate too high)
+// 8. Update node3's taint to acceptable error-rate; pod3 schedules on node3
+func TestTaintTolerationGtLtIntegration(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TaintTolerationComparisonOperators, true)
+
+	testCtx := testutils.InitTestSchedulerWithNS(t, "gt-lt-integration")
+
+	goodCondition := v1.NodeCondition{
+		Type:              v1.NodeReady,
+		Status:            v1.ConditionTrue,
+		Reason:            "schedulable condition",
+		LastHeartbeatTime: metav1.Time{Time: time.Now()},
+	}
+
+	// 1. Create node1 with dedicated taint
+	node1 := st.MakeNode().Name("node1").
+		Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).
+		Taints([]v1.Taint{
+			{
+				Key:    "node.example.com/dedicated",
+				Value:  "special",
+				Effect: v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	node1.Status.Conditions = []v1.NodeCondition{goodCondition}
+	_, err := testutils.CreateNode(testCtx.ClientSet, node1)
+	if err != nil {
+		t.Fatalf("Failed to create node1: %v", err)
+	}
+
+	// Create node2 with a taint that pod2 can't tolerate (priority too low)
+	node2 := st.MakeNode().Name("node2").
+		Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).
+		Taints([]v1.Taint{
+			{
+				Key:    "node.example.com/priority-level",
+				Value:  "850", // Too low for pod2's Gt 900 requirement
+				Effect: v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	node2.Status.Conditions = []v1.NodeCondition{goodCondition}
+	node2, err = testutils.CreateNode(testCtx.ClientSet, node2)
+	if err != nil {
+		t.Fatalf("Failed to create node2: %v", err)
+	}
+
+	// 2. Wait for scheduler to observe both nodes
+	if err := testutils.WaitForNodesInCache(testCtx.Ctx, testCtx.Scheduler, 2); err != nil {
+		t.Fatalf("Failed to wait for nodes in cache: %v", err)
+	}
+
+	// 3. Create pod1 that tolerates node1's taint and should schedule on node1
+	pod1 := st.MakePod().Name("pod1").Namespace(testCtx.NS.Name).
+		Container("busybox").
+		Req(map[v1.ResourceName]string{v1.ResourceCPU: "900m"}).
+		Tolerations([]v1.Toleration{
+			{
+				Key:      "node.example.com/dedicated",
+				Operator: v1.TolerationOpEqual,
+				Value:    "special",
+				Effect:   v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	pod1, err = testutils.CreatePausePod(testCtx.ClientSet, pod1)
+	if err != nil {
+		t.Fatalf("Failed to create pod1: %v", err)
+	}
+
+	err = testutils.WaitForPodToSchedule(testCtx.Ctx, testCtx.ClientSet, pod1)
+	if err != nil {
+		t.Fatalf("Failed to schedule pod1: %v", err)
+	}
+
+	// 4. Create pod2 with Gt toleration, it should be unschedulable as it can't tolerate node1's taint, and node2's taint value is too low
+	pod2 := st.MakePod().Name("pod2").Namespace(testCtx.NS.Name).
+		Container("busybox").
+		Req(map[v1.ResourceName]string{v1.ResourceCPU: "200m"}).
+		Tolerations([]v1.Toleration{
+			{
+				Key:      "node.example.com/priority-level",
+				Operator: v1.TolerationOpGt,
+				Value:    "900",
+				Effect:   v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	pod2, err = testutils.CreatePausePod(testCtx.ClientSet, pod2)
+	if err != nil {
+		t.Fatalf("Failed to create pod2: %v", err)
+	}
+
+	err = testutils.WaitForPodUnschedulable(testCtx.Ctx, testCtx.ClientSet, pod2)
+	if err != nil {
+		t.Fatalf("Failed to verify pod2 is unschedulable: %v", err)
+	}
+
+	// 5. Update the taint value on node2 to acceptable priority; pod2 should now schedule on node2
+	node2, err = testCtx.ClientSet.CoreV1().Nodes().Get(testCtx.Ctx, node2.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get node2: %v", err)
+	}
+
+	// Update taint to have acceptable priority value
+	for i := range node2.Spec.Taints {
+		if node2.Spec.Taints[i].Key == "node.example.com/priority-level" {
+			node2.Spec.Taints[i].Value = "950"
+			break
+		}
+	}
+
+	_, err = testCtx.ClientSet.CoreV1().Nodes().Update(testCtx.Ctx, node2, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to update node2 taint: %v", err)
+	}
+
+	// Verify pod2 now schedules on node2
+	err = testutils.WaitForPodToSchedule(testCtx.Ctx, testCtx.ClientSet, pod2)
+	if err != nil {
+		t.Fatalf("Failed to schedule pod2: %v", err)
+	}
+
+	scheduledPod2, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Get(testCtx.Ctx, pod2.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get scheduled pod2: %v", err)
+	}
+
+	if scheduledPod2.Spec.NodeName != node2.Name {
+		t.Errorf("Pod2 scheduled on unexpected node: got %s, expected %s", scheduledPod2.Spec.NodeName, node2.Name)
+	}
+
+	// 6. Test Lt operator scenario - create node3 with high error rate
+	node3 := st.MakeNode().Name("node3").
+		Capacity(map[v1.ResourceName]string{v1.ResourceCPU: "1"}).
+		Taints([]v1.Taint{
+			{
+				Key:    "node.example.com/error-rate",
+				Value:  "15", // Too high for pod3's Lt 10 requirement
+				Effect: v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	node3.Status.Conditions = []v1.NodeCondition{goodCondition}
+	node3, err = testutils.CreateNode(testCtx.ClientSet, node3)
+	if err != nil {
+		t.Fatalf("Failed to create node3: %v", err)
+	}
+
+	// Wait for scheduler to observe node3
+	if err := testutils.WaitForNodesInCache(testCtx.Ctx, testCtx.Scheduler, 3); err != nil {
+		t.Fatalf("Failed to wait for nodes in cache: %v", err)
+	}
+
+	// 7. Create pod3 with Lt toleration, it should be unschedulable as node3's error rate is too high
+	pod3 := st.MakePod().Name("pod3").Namespace(testCtx.NS.Name).
+		Container("busybox").
+		Req(map[v1.ResourceName]string{v1.ResourceCPU: "100m"}).
+		Tolerations([]v1.Toleration{
+			{
+				Key:      "node.example.com/error-rate",
+				Operator: v1.TolerationOpLt,
+				Value:    "10",
+				Effect:   v1.TaintEffectNoSchedule,
+			},
+		}).Obj()
+	pod3, err = testutils.CreatePausePod(testCtx.ClientSet, pod3)
+	if err != nil {
+		t.Fatalf("Failed to create pod3: %v", err)
+	}
+
+	err = testutils.WaitForPodUnschedulable(testCtx.Ctx, testCtx.ClientSet, pod3)
+	if err != nil {
+		t.Fatalf("Failed to verify pod3 is unschedulable: %v", err)
+	}
+
+	// 8. Update node3 taint to acceptable error rate; pod3 should now schedule
+	node3, err = testCtx.ClientSet.CoreV1().Nodes().Get(testCtx.Ctx, node3.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get node3: %v", err)
+	}
+
+	for i := range node3.Spec.Taints {
+		if node3.Spec.Taints[i].Key == "node.example.com/error-rate" {
+			node3.Spec.Taints[i].Value = "5"
+			break
+		}
+	}
+
+	_, err = testCtx.ClientSet.CoreV1().Nodes().Update(testCtx.Ctx, node3, metav1.UpdateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to update node3 taint: %v", err)
+	}
+
+	err = testutils.WaitForPodToSchedule(testCtx.Ctx, testCtx.ClientSet, pod3)
+	if err != nil {
+		t.Fatalf("Failed to schedule pod3: %v", err)
+	}
+
+	scheduledPod3, err := testCtx.ClientSet.CoreV1().Pods(testCtx.NS.Name).Get(testCtx.Ctx, pod3.Name, metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get scheduled pod3: %v", err)
+	}
+
+	if scheduledPod3.Spec.NodeName != node3.Name {
+		t.Errorf("Pod3 scheduled on unexpected node: got %s, expected %s", scheduledPod3.Spec.NodeName, node3.Name)
+	}
+
+	// Cleanup pods
+	defer testutils.CleanupPods(testCtx.Ctx, testCtx.ClientSet, t, []*v1.Pod{pod1, pod2, pod3})
+	if err := testCtx.ClientSet.CoreV1().Nodes().DeleteCollection(testCtx.Ctx, metav1.DeleteOptions{}, metav1.ListOptions{}); err != nil {
+		t.Errorf("error whiling deleting nodes, error: %v", err)
+	}
+}
diff --git a/test/integration/scheduler/scoring/priorities_test.go b/test/integration/scheduler/scoring/priorities_test.go
index 6cfe12cf14e36..572a7748c10bc 100644
--- a/test/integration/scheduler/scoring/priorities_test.go
+++ b/test/integration/scheduler/scoring/priorities_test.go
@@ -67,6 +67,9 @@ var (
 	ignorePolicy = v1.NodeInclusionPolicyIgnore
 	honorPolicy  = v1.NodeInclusionPolicyHonor
 	taints       = []v1.Taint{{Key: v1.TaintNodeUnschedulable, Value: "", Effect: v1.TaintEffectPreferNoSchedule}}
+
+	priorityLowTaint  = v1.Taint{Key: "node.example.com/priority-class", Value: "800", Effect: v1.TaintEffectNoSchedule}
+	priorityHighTaint = v1.Taint{Key: "node.example.com/priority-class", Value: "999", Effect: v1.TaintEffectPreferNoSchedule}
 )
 
 const (
@@ -834,9 +837,29 @@ func TestTaintTolerationScoring(t *testing.T) {
 			},
 			expectedNodesName: sets.New("node-2"),
 		},
+		{
+			name: "pod with Gt toleration prefers nodes with matching numeric taints",
+			podTolerations: []v1.Toleration{
+				{
+					Key:      "node.example.com/priority-class",
+					Operator: v1.TolerationOpGt,
+					Value:    "900",
+					Effect:   v1.TaintEffectPreferNoSchedule,
+				},
+			},
+			nodes: []*v1.Node{
+				st.MakeNode().Name("node-gt-low").
+					Taints([]v1.Taint{priorityLowTaint}).Obj(),
+				st.MakeNode().Name("node-gt-high").
+					Taints([]v1.Taint{priorityHighTaint}).Obj(),
+			},
+			expectedNodesName: sets.New("node-gt-high"),
+		},
 	}
 	for i, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			// Enable the TaintTolerationComparisonOperators feature gate for Gt/Lt tests
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TaintTolerationComparisonOperators, true)
 			testCtx := initTestSchedulerForScoringTests(t, tainttoleration.Name, tainttoleration.Name)
 
 			for _, n := range tt.nodes {
diff --git a/test/integration/scheduler/serving/endpoints_test.go b/test/integration/scheduler/serving/endpoints_test.go
index eeb9d2c3b5df4..06d444fd33d85 100644
--- a/test/integration/scheduler/serving/endpoints_test.go
+++ b/test/integration/scheduler/serving/endpoints_test.go
@@ -19,6 +19,7 @@ package serving
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -28,6 +29,10 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	flagzv1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	"k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/util/retry"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
@@ -39,9 +44,6 @@ import (
 )
 
 func TestEndpointHandlers(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ComponentFlagz, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ComponentStatusz, true)
-
 	server, configStr, _, err := startTestAPIServer(t)
 	if err != nil {
 		t.Fatalf("Failed to start kube-apiserver server: %v", err)
@@ -121,26 +123,6 @@ func TestEndpointHandlers(t *testing.T) {
 			useBrokenConfig:  true,
 			wantResponseCode: http.StatusInternalServerError,
 		},
-		{
-			name:             "/flagz",
-			path:             "/flagz",
-			requestHeader:    map[string]string{"Accept": "text/plain"},
-			wantResponseCode: http.StatusOK,
-			wantResponseBodyRegx: `^\n` +
-				`kube-scheduler flags\n` +
-				`Warning: This endpoint is not meant to be machine parseable, ` +
-				`has no formatting compatibility guarantees and is for debugging purposes only.`,
-		},
-		{
-			name:             "/statusz",
-			path:             "/statusz",
-			requestHeader:    map[string]string{"Accept": "text/plain"},
-			wantResponseCode: http.StatusOK,
-			wantResponseBodyRegx: `^\n` +
-				`kube-scheduler statusz\n` +
-				`Warning: This endpoint is not meant to be machine parseable, ` +
-				`has no formatting compatibility guarantees and is for debugging purposes only.`,
-		},
 	}
 
 	for _, tt := range tests {
@@ -153,7 +135,7 @@ func TestEndpointHandlers(t *testing.T) {
 				configFile = brokenConfig.Name()
 			}
 			result, err := kubeschedulertesting.StartTestServer(
-				ctx,
+				t, ctx,
 				[]string{"--kubeconfig", configFile, "--leader-elect=false", "--authorization-always-allow-paths", tt.path})
 
 			if err != nil {
@@ -167,7 +149,7 @@ func TestEndpointHandlers(t *testing.T) {
 			if err != nil {
 				t.Fatalf("Failed to get client from test server: %v", err)
 			}
-			req, err := http.NewRequest("GET", base+tt.path, nil)
+			req, err := http.NewRequest(http.MethodGet, base+tt.path, nil)
 			if err != nil {
 				t.Fatalf("failed to request: %v", err)
 			}
@@ -183,8 +165,9 @@ func TestEndpointHandlers(t *testing.T) {
 					// the endpoint /readyz/sched-handler-sync needs some time to finish
 					// the initialization, so we need to retry
 					return !tt.useBrokenConfig &&
-						(tt.path == "/readyz" || tt.path == "/readyz/sched-handler-sync") &&
-						strings.Contains(err.Error(), "handlers are not fully synchronized")
+						// The message differ depending on endpoint
+						(tt.path == "/readyz" && strings.Contains(err.Error(), "sched-handler-sync failed: reason withheld") ||
+							tt.path == "/readyz/sched-handler-sync" && strings.Contains(err.Error(), "handlers are not fully synchronized"))
 				},
 				func() error {
 					r, err := client.Do(req)
@@ -221,6 +204,279 @@ func TestEndpointHandlers(t *testing.T) {
 	}
 }
 
+func TestSchedulerZPages(t *testing.T) {
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.ComponentStatusz: true,
+		features.ComponentFlagz:   true,
+	})
+
+	server, configStr, _, err := startTestAPIServer(t)
+	if err != nil {
+		t.Fatalf("Failed to start kube-apiserver server: %v", err)
+	}
+	defer server.TearDownFn()
+
+	apiserverConfig, err := os.CreateTemp("", "kubeconfig")
+	if err != nil {
+		t.Fatalf("Failed to create config file: %v", err)
+	}
+	defer func() {
+		_ = os.Remove(apiserverConfig.Name())
+	}()
+	if _, err = apiserverConfig.WriteString(configStr); err != nil {
+		t.Fatalf("Failed to write config file: %v", err)
+	}
+
+	_, ctx := ktesting.NewTestContext(t)
+	result, err := kubeschedulertesting.StartTestServer(
+		t, ctx,
+		[]string{"--kubeconfig", apiserverConfig.Name(), "--leader-elect=false", "--authorization-always-allow-paths=/statusz,/flagz"},
+	)
+	if err != nil {
+		t.Fatalf("Failed to start kube-scheduler server: %v", err)
+	}
+	if result.TearDownFn != nil {
+		defer result.TearDownFn()
+	}
+
+	client, base, err := clientAndURLFromTestServer(result)
+	if err != nil {
+		t.Fatalf("Failed to get client from test server: %v", err)
+	}
+
+	statuszWantBodyStr := "kube-scheduler statusz\nWarning: This endpoint is not meant to be machine parseable"
+	statuszWantBodyJSON := &v1alpha1.Statusz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Statusz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "kube-scheduler",
+		},
+		Paths: []string{"/configz", "/flagz", "/healthz", "/livez", "/metrics", "/readyz"},
+	}
+
+	flagzWantBodyStr := "kube-scheduler flagz\nWarning: This endpoint is not meant to be machine parseable"
+	flagzWantBodyJSON := &flagzv1alpha1.Flagz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Flagz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "kube-scheduler",
+		},
+	}
+
+	statuszTestCases := []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string            // for text/plain
+		wantJSON     *v1alpha1.Statusz // for application/json
+	}{
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Statusz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     statuszWantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Statusz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+	}
+
+	flagzTestCases := []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string               // for text/plain
+		wantJSON     *flagzv1alpha1.Flagz // for structured json
+	}{
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Flagz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     flagzWantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Flagz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+	}
+
+	for _, tc := range statuszTestCases {
+		t.Run("statusz_"+tc.name, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, base+"/statusz", nil)
+			if err != nil {
+				t.Fatalf("failed to request: %v", err)
+			}
+
+			req.Header.Set("Accept", tc.acceptHeader)
+			r, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("failed to GET /statusz: %v", err)
+			}
+
+			body, err := io.ReadAll(r.Body)
+			if err != nil {
+				t.Fatalf("failed to read response body: %v", err)
+			}
+
+			if err = r.Body.Close(); err != nil {
+				t.Fatalf("failed to close response body: %v", err)
+			}
+
+			if r.StatusCode != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, r.StatusCode)
+			}
+
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !strings.Contains(string(body), tc.wantBodySub) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(body))
+					}
+				}
+				if tc.wantJSON != nil {
+					var got v1alpha1.Statusz
+					if err := json.Unmarshal(body, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
+					}
+					if diff := cmp.Diff(tc.wantJSON.Paths, got.Paths); diff != "" {
+						t.Errorf("Paths mismatch (-want,+got):\n%s", diff)
+					}
+				}
+			}
+		})
+	}
+
+	for _, tc := range flagzTestCases {
+		t.Run("flagz_"+tc.name, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, base+"/flagz", nil)
+			if err != nil {
+				t.Fatalf("failed to request: %v", err)
+			}
+
+			req.Header.Set("Accept", tc.acceptHeader)
+			r, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("failed to GET /flagz: %v", err)
+			}
+
+			body, err := io.ReadAll(r.Body)
+			if err != nil {
+				t.Fatalf("failed to read response body: %v", err)
+			}
+
+			if err = r.Body.Close(); err != nil {
+				t.Fatalf("failed to close response body: %v", err)
+			}
+
+			if r.StatusCode != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, r.StatusCode)
+			}
+
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !strings.Contains(string(body), tc.wantBodySub) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(body))
+					}
+				}
+				if tc.wantJSON != nil {
+					var got flagzv1alpha1.Flagz
+					if err := json.Unmarshal(body, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
+					}
+				}
+			}
+		})
+	}
+}
+
 // TODO: Make this a util function once there is a unified way to start a testing apiserver so that we can reuse it.
 func startTestAPIServer(t *testing.T) (server *kubeapiservertesting.TestServer, apiserverConfig, token string, err error) {
 	// Insulate this test from picking up in-cluster config when run inside a pod
diff --git a/test/integration/scheduler/taint/taint_test.go b/test/integration/scheduler/taint/taint_test.go
index 0777a7e140a95..a2fe4f288b236 100644
--- a/test/integration/scheduler/taint/taint_test.go
+++ b/test/integration/scheduler/taint/taint_test.go
@@ -26,10 +26,13 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/controller/nodelifecycle"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
 	pluginapi "k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction/apis/podtolerationrestriction"
 	testutils "k8s.io/kubernetes/test/integration/util"
@@ -72,8 +75,6 @@ func TestTaintNodeByCondition(t *testing.T) {
 	admission.SetExternalKubeClientSet(externalClientset)
 	admission.SetExternalKubeInformerFactory(externalInformers)
 
-	testCtx = testutils.InitTestScheduler(t, testCtx)
-
 	cs := testCtx.ClientSet
 	nsName := testCtx.NS.Name
 
@@ -101,11 +102,9 @@ func TestTaintNodeByCondition(t *testing.T) {
 	// Waiting for all controllers to sync
 	externalInformers.Start(testCtx.Ctx.Done())
 	externalInformers.WaitForCacheSync(testCtx.Ctx.Done())
-	testutils.SyncSchedulerInformerFactory(testCtx)
 
-	// Run all controllers
+	// Run node lifecycle controller
 	go nc.Run(testCtx.Ctx)
-	go testCtx.Scheduler.Run(testCtx.Ctx)
 
 	// -------------------------------------------
 	// Test TaintNodeByCondition feature.
@@ -157,6 +156,53 @@ func TestTaintNodeByCondition(t *testing.T) {
 		Effect:   v1.TaintEffectNoSchedule,
 	}
 
+	priorityClassTaint := v1.Taint{Key: "node.example.com/priority-class", Value: "950", Effect: v1.TaintEffectNoSchedule}
+	priorityClassPreferTaint := v1.Taint{Key: "node.example.com/priority-class", Value: "950", Effect: v1.TaintEffectPreferNoSchedule}
+	errorRateTaint := v1.Taint{Key: "node.example.com/error-rate", Value: "5", Effect: v1.TaintEffectNoSchedule}
+	cpuUtilizationTaint := v1.Taint{Key: "node.example.com/cpu-utilization", Value: "75", Effect: v1.TaintEffectNoExecute}
+
+	priorityClassGtToleration := v1.Toleration{
+		Key:      "node.example.com/priority-class",
+		Operator: v1.TolerationOpGt,
+		Value:    "900",
+		Effect:   v1.TaintEffectNoSchedule,
+	}
+
+	errorRateLtToleration := v1.Toleration{
+		Key:      "node.example.com/error-rate",
+		Operator: v1.TolerationOpLt,
+		Value:    "10",
+		Effect:   v1.TaintEffectNoSchedule,
+	}
+
+	cpuUtilizationGtToleration := v1.Toleration{
+		Key:      "node.example.com/cpu-utilization",
+		Operator: v1.TolerationOpGt,
+		Value:    "50",
+		Effect:   v1.TaintEffectNoExecute,
+	}
+
+	cpuUtilizationLtToleration := v1.Toleration{
+		Key:      "node.example.com/cpu-utilization",
+		Operator: v1.TolerationOpLt,
+		Value:    "90",
+		Effect:   v1.TaintEffectNoExecute,
+	}
+
+	priorityClassGtPreferToleration := v1.Toleration{
+		Key:      "node.example.com/priority-class",
+		Operator: v1.TolerationOpGt,
+		Value:    "900",
+		Effect:   v1.TaintEffectPreferNoSchedule,
+	}
+
+	errorRateLtPreferToleration := v1.Toleration{
+		Key:      "node.example.com/error-rate",
+		Operator: v1.TolerationOpLt,
+		Value:    "10",
+		Effect:   v1.TaintEffectPreferNoSchedule,
+	}
+
 	bestEffortPod := newPod(nsName, "besteffort-pod", nil, nil)
 	burstablePod := newPod(nsName, "burstable-pod", podRes, nil)
 	guaranteePod := newPod(nsName, "guarantee-pod", podRes, podRes)
@@ -169,12 +215,13 @@ func TestTaintNodeByCondition(t *testing.T) {
 
 	// switch to table driven testings
 	tests := []struct {
-		name           string
-		existingTaints []v1.Taint
-		nodeConditions []v1.NodeCondition
-		unschedulable  bool
-		expectedTaints []v1.Taint
-		pods           []podCase
+		name                                       string
+		existingTaints                             []v1.Taint
+		nodeConditions                             []v1.NodeCondition
+		unschedulable                              bool
+		expectedTaints                             []v1.Taint
+		pods                                       []podCase
+		enableTaintTolerationComparisonOperatorsFG []bool
 	}{
 		{
 			name: "not-ready node",
@@ -499,67 +546,219 @@ func TestTaintNodeByCondition(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:           "node with numeric priority-class taint - pods with Gt toleration",
+			existingTaints: []v1.Taint{priorityClassTaint},
+			nodeConditions: []v1.NodeCondition{
+				{
+					Type:   v1.NodeReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedTaints: []v1.Taint{priorityClassTaint},
+			pods: []podCase{
+				{
+					pod:  bestEffortPod,
+					fits: false,
+				},
+				{
+					pod:         bestEffortPod,
+					tolerations: []v1.Toleration{priorityClassGtToleration},
+					fits:        true,
+				},
+			},
+			enableTaintTolerationComparisonOperatorsFG: []bool{true},
+		},
+		{
+			name:           "node with numeric error-rate taint - pods with Lt toleration",
+			existingTaints: []v1.Taint{errorRateTaint},
+			nodeConditions: []v1.NodeCondition{
+				{
+					Type:   v1.NodeReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedTaints: []v1.Taint{errorRateTaint},
+			pods: []podCase{
+				{
+					pod:  burstablePod,
+					fits: false,
+				},
+				{
+					pod:         burstablePod,
+					tolerations: []v1.Toleration{errorRateLtToleration},
+					fits:        true,
+				},
+			},
+			enableTaintTolerationComparisonOperatorsFG: []bool{true},
+		},
+		{
+			name:           "node with multiple numeric taints - mixed tolerations",
+			existingTaints: []v1.Taint{priorityClassTaint, errorRateTaint},
+			nodeConditions: []v1.NodeCondition{
+				{
+					Type:   v1.NodeReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedTaints: []v1.Taint{priorityClassTaint, errorRateTaint},
+			pods: []podCase{
+				{
+					pod:  guaranteePod,
+					fits: false,
+				},
+				{
+					pod:         guaranteePod,
+					tolerations: []v1.Toleration{priorityClassGtToleration},
+					fits:        false,
+				},
+				{
+					pod: guaranteePod,
+					tolerations: []v1.Toleration{
+						priorityClassGtToleration,
+						errorRateLtToleration,
+					},
+					fits: true,
+				},
+			},
+			enableTaintTolerationComparisonOperatorsFG: []bool{true},
+		},
+		{
+			name:           "node with numeric taint - pods with Lt or Gt tolerations, and NoExecute effect",
+			existingTaints: []v1.Taint{cpuUtilizationTaint},
+			nodeConditions: []v1.NodeCondition{
+				{
+					Type:   v1.NodeReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedTaints: []v1.Taint{cpuUtilizationTaint},
+			pods: []podCase{
+				{
+					pod:  guaranteePod,
+					fits: false,
+				},
+				{
+					pod:         guaranteePod,
+					tolerations: []v1.Toleration{cpuUtilizationLtToleration},
+					fits:        true,
+				},
+				{
+					pod:         guaranteePod,
+					tolerations: []v1.Toleration{cpuUtilizationGtToleration},
+					fits:        true,
+				},
+			},
+			enableTaintTolerationComparisonOperatorsFG: []bool{true},
+		},
+		{
+			name:           "node with numeric taint - pods with PreferNoSchedule effect and Gt toleration",
+			existingTaints: []v1.Taint{priorityClassPreferTaint},
+			nodeConditions: []v1.NodeCondition{
+				{
+					Type:   v1.NodeReady,
+					Status: v1.ConditionTrue,
+				},
+			},
+			expectedTaints: []v1.Taint{priorityClassPreferTaint},
+			pods: []podCase{
+				{
+					pod:  bestEffortPod,
+					fits: true,
+				},
+				{
+					pod:         bestEffortPod,
+					tolerations: []v1.Toleration{priorityClassGtPreferToleration},
+					fits:        true,
+				},
+				{
+					pod:         bestEffortPod,
+					tolerations: []v1.Toleration{errorRateLtPreferToleration},
+					fits:        true,
+				},
+			},
+			enableTaintTolerationComparisonOperatorsFG: []bool{true},
+		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			node := &v1.Node{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "node-1",
-				},
-				Spec: v1.NodeSpec{
-					Unschedulable: test.unschedulable,
-					Taints:        test.existingTaints,
-				},
-				Status: v1.NodeStatus{
-					Capacity:    nodeRes,
-					Allocatable: nodeRes,
-					Conditions:  test.nodeConditions,
-				},
-			}
-
-			if _, err := cs.CoreV1().Nodes().Create(testCtx.Ctx, node, metav1.CreateOptions{}); err != nil {
-				t.Errorf("Failed to create node, err: %v", err)
-			}
-			if err := testutils.WaitForNodeTaints(testCtx.Ctx, cs, node, test.expectedTaints); err != nil {
-				node, err = cs.CoreV1().Nodes().Get(testCtx.Ctx, node.Name, metav1.GetOptions{})
-				if err != nil {
-					t.Errorf("Failed to get node <%s>", node.Name)
+		featureGateEnabled := []bool{true, false}
+		if len(test.enableTaintTolerationComparisonOperatorsFG) != 0 {
+			featureGateEnabled = test.enableTaintTolerationComparisonOperatorsFG
+		}
+		for _, enabled := range featureGateEnabled {
+			t.Run(fmt.Sprintf("%s (TaintToleration Comparison Operators enabled: %v)", test.name, enabled), func(t *testing.T) {
+				featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+					features.TaintTolerationComparisonOperators: enabled,
+				})
+
+				testCtx := testutils.InitTestScheduler(t, testCtx)
+				testutils.SyncSchedulerInformerFactory(testCtx)
+				go testCtx.Scheduler.Run(testCtx.SchedulerCtx)
+
+				node := &v1.Node{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "node-1",
+					},
+					Spec: v1.NodeSpec{
+						Unschedulable: test.unschedulable,
+						Taints:        test.existingTaints,
+					},
+					Status: v1.NodeStatus{
+						Capacity:    nodeRes,
+						Allocatable: nodeRes,
+						Conditions:  test.nodeConditions,
+					},
 				}
 
-				t.Errorf("Failed to taint node <%s>, expected: %v, got: %v, err: %v", node.Name, test.expectedTaints, node.Spec.Taints, err)
-			}
-
-			var pods []*v1.Pod
-			for i, p := range test.pods {
-				pod := p.pod.DeepCopy()
-				pod.Name = fmt.Sprintf("%s-%d", pod.Name, i)
-				pod.Spec.Tolerations = p.tolerations
+				if _, err := cs.CoreV1().Nodes().Create(testCtx.Ctx, node, metav1.CreateOptions{}); err != nil {
+					t.Errorf("Failed to create node, err: %v", err)
+				}
+				if err := testutils.WaitForNodeTaints(testCtx.Ctx, cs, node, test.expectedTaints); err != nil {
+					node, err = cs.CoreV1().Nodes().Get(testCtx.Ctx, node.Name, metav1.GetOptions{})
+					if err != nil {
+						t.Errorf("Failed to get node <%s>", node.Name)
+					}
 
-				createdPod, err := cs.CoreV1().Pods(pod.Namespace).Create(testCtx.Ctx, pod, metav1.CreateOptions{})
-				if err != nil {
-					t.Fatalf("Failed to create pod %s/%s, error: %v",
-						pod.Namespace, pod.Name, err)
+					t.Errorf("Failed to taint node <%s>, expected: %v, got: %v, err: %v", node.Name, test.expectedTaints, node.Spec.Taints, err)
 				}
 
-				pods = append(pods, createdPod)
+				var pods []*v1.Pod
+				for i, p := range test.pods {
+					pod := p.pod.DeepCopy()
+					pod.Name = fmt.Sprintf("%s-%d", pod.Name, i)
+					pod.Spec.Tolerations = p.tolerations
 
-				if p.fits {
-					if err := testutils.WaitForPodToSchedule(testCtx.Ctx, cs, createdPod); err != nil {
-						t.Errorf("Failed to schedule pod %s/%s on the node, err: %v",
+					createdPod, err := cs.CoreV1().Pods(pod.Namespace).Create(testCtx.Ctx, pod, metav1.CreateOptions{})
+					if err != nil {
+						t.Fatalf("Failed to create pod %s/%s, error: %v",
 							pod.Namespace, pod.Name, err)
 					}
-				} else {
-					if err := testutils.WaitForPodUnschedulable(testCtx.Ctx, cs, createdPod); err != nil {
-						t.Errorf("Unschedulable pod %s/%s gets scheduled on the node, err: %v",
-							pod.Namespace, pod.Name, err)
+
+					pods = append(pods, createdPod)
+
+					if p.fits {
+						if err := testutils.WaitForPodToSchedule(testCtx.Ctx, cs, createdPod); err != nil {
+							t.Errorf("Failed to schedule pod %s/%s on the node, err: %v",
+								pod.Namespace, pod.Name, err)
+						}
+					} else {
+						if err := testutils.WaitForPodUnschedulable(testCtx.Ctx, cs, createdPod); err != nil {
+							t.Errorf("Unschedulable pod %s/%s gets scheduled on the node, err: %v",
+								pod.Namespace, pod.Name, err)
+						}
 					}
 				}
-			}
 
-			testutils.CleanupPods(testCtx.Ctx, cs, t, pods)
-			testutils.CleanupNodes(cs, t)
-			testutils.WaitForSchedulerCacheCleanup(testCtx.Ctx, testCtx.Scheduler, t)
-		})
+				testutils.CleanupPods(testCtx.Ctx, cs, t, pods)
+				testutils.CleanupNodes(cs, t)
+				testutils.WaitForSchedulerCacheCleanup(testCtx.Ctx, testCtx.Scheduler, t)
+
+				// Clean up scheduler context
+				if testCtx.SchedulerCloseFn != nil {
+					testCtx.SchedulerCloseFn()
+				}
+			})
+		}
 	}
 }
diff --git a/test/integration/scheduler/util.go b/test/integration/scheduler/util.go
index 74d9e8a97f1ee..954e7c3c8a67d 100644
--- a/test/integration/scheduler/util.go
+++ b/test/integration/scheduler/util.go
@@ -26,10 +26,10 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	configv1 "k8s.io/kube-scheduler/config/v1"
+	fwk "k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler"
 	schedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
 	configtesting "k8s.io/kubernetes/pkg/scheduler/apis/config/testing"
-	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/defaultbinder"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/queuesort"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
@@ -84,14 +84,14 @@ func InitTestSchedulerForFrameworkTest(t *testing.T, testCtx *testutils.TestCont
 }
 
 // NewPlugin returns a plugin factory with specified Plugin.
-func NewPlugin(plugin framework.Plugin) frameworkruntime.PluginFactory {
-	return func(_ context.Context, _ runtime.Object, fh framework.Handle) (framework.Plugin, error) {
+func NewPlugin(plugin fwk.Plugin) frameworkruntime.PluginFactory {
+	return func(_ context.Context, _ runtime.Object, fh fwk.Handle) (fwk.Plugin, error) {
 		return plugin, nil
 	}
 }
 
 // InitRegistryAndConfig returns registry and plugins config based on give plugins.
-func InitRegistryAndConfig(t *testing.T, factory func(plugin framework.Plugin) frameworkruntime.PluginFactory, plugins ...framework.Plugin) (frameworkruntime.Registry, schedulerconfig.KubeSchedulerProfile) {
+func InitRegistryAndConfig(t *testing.T, factory func(plugin fwk.Plugin) frameworkruntime.PluginFactory, plugins ...fwk.Plugin) (frameworkruntime.Registry, schedulerconfig.KubeSchedulerProfile) {
 	if len(plugins) == 0 {
 		return frameworkruntime.Registry{}, schedulerconfig.KubeSchedulerProfile{}
 	}
@@ -108,32 +108,32 @@ func InitRegistryAndConfig(t *testing.T, factory func(plugin framework.Plugin) f
 		plugin := configv1.Plugin{Name: p.Name()}
 
 		switch p.(type) {
-		case framework.QueueSortPlugin:
+		case fwk.QueueSortPlugin:
 			pls.QueueSort.Enabled = append(pls.QueueSort.Enabled, plugin)
 			// It's intentional to disable the PrioritySort plugin.
 			pls.QueueSort.Disabled = []configv1.Plugin{{Name: queuesort.Name}}
-		case framework.PreEnqueuePlugin:
+		case fwk.PreEnqueuePlugin:
 			pls.PreEnqueue.Enabled = append(pls.PreEnqueue.Enabled, plugin)
-		case framework.PreFilterPlugin:
+		case fwk.PreFilterPlugin:
 			pls.PreFilter.Enabled = append(pls.PreFilter.Enabled, plugin)
-		case framework.FilterPlugin:
+		case fwk.FilterPlugin:
 			pls.Filter.Enabled = append(pls.Filter.Enabled, plugin)
-		case framework.PreScorePlugin:
+		case fwk.PreScorePlugin:
 			pls.PreScore.Enabled = append(pls.PreScore.Enabled, plugin)
-		case framework.ScorePlugin:
+		case fwk.ScorePlugin:
 			pls.Score.Enabled = append(pls.Score.Enabled, plugin)
-		case framework.ReservePlugin:
+		case fwk.ReservePlugin:
 			pls.Reserve.Enabled = append(pls.Reserve.Enabled, plugin)
-		case framework.PreBindPlugin:
+		case fwk.PreBindPlugin:
 			pls.PreBind.Enabled = append(pls.PreBind.Enabled, plugin)
-		case framework.BindPlugin:
+		case fwk.BindPlugin:
 			pls.Bind.Enabled = append(pls.Bind.Enabled, plugin)
 			// It's intentional to disable the DefaultBind plugin. Otherwise, DefaultBinder's failure would fail
 			// a pod's scheduling, as well as the test BindPlugin's execution.
 			pls.Bind.Disabled = []configv1.Plugin{{Name: defaultbinder.Name}}
-		case framework.PostBindPlugin:
+		case fwk.PostBindPlugin:
 			pls.PostBind.Enabled = append(pls.PostBind.Enabled, plugin)
-		case framework.PermitPlugin:
+		case fwk.PermitPlugin:
 			pls.Permit.Enabled = append(pls.Permit.Enabled, plugin)
 		}
 	}
diff --git a/test/integration/scheduler_perf/README.md b/test/integration/scheduler_perf/README.md
index 1ebc61657ace2..a6a487db73b55 100644
--- a/test/integration/scheduler_perf/README.md
+++ b/test/integration/scheduler_perf/README.md
@@ -33,7 +33,7 @@ Currently the test suite has the following:
 
 ```shell
 # In Kubernetes root path
-make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" FULL_LOG=y ARTIFACTS=/tmp SHORT=-short=false KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling'
+make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_CACHE_MUTATION_DETECTOR=false KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" FULL_LOG=y ARTIFACTS=/tmp SHORT=-short=false KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling'
 ```
 
 The output can used for [`benchstat`](https://pkg.go.dev/golang.org/x/perf/cmd/benchstat)
@@ -51,7 +51,7 @@ a comma-separated list of label names. Each label may have a `+` or `-` as prefi
 be set. For example, this runs all performance benchmarks except those that are labeled
 as "integration-test":
 ```shell
-make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" SHORT=-short=false ARTIFACTS=/tmp FULL_LOG=y KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling -perf-scheduling-label-filter=performance,-integration-test'
+make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_CACHE_MUTATION_DETECTOR=false KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" SHORT=-short=false ARTIFACTS=/tmp FULL_LOG=y KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling -perf-scheduling-label-filter=performance,-integration-test'
 ```
 
 Once the benchmark is finished, JSON files with metrics are available in the subdirectories (`test/integration/scheduler_perf/config/<topic>`). 
@@ -65,17 +65,19 @@ Otherwise, the golang benchmark framework will try to run a test more than once
 
 ```shell
 # In Kubernetes root path
-make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" SHORT=-short=false ARTIFACTS=/tmp FULL_LOG=y KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling/SchedulingBasic/5000Nodes/5000InitPods/1000PodsToSchedule'
+make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_CACHE_MUTATION_DETECTOR=false KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" SHORT=-short=false ARTIFACTS=/tmp FULL_LOG=y KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling/SchedulingBasic/5000Nodes/5000InitPods/1000PodsToSchedule'
 ```
 
 To produce a cpu profile:
 
 ```shell
 # In Kubernetes root path
-make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" FULL_LOG=y ARTIFACTS=/tmp SHORT=-short=false KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling -cpuprofile ~/cpu-profile.out'
+make test-integration WHAT=./test/integration/scheduler_perf/... KUBE_CACHE_MUTATION_DETECTOR=false KUBE_TIMEOUT=-timeout=1h ETCD_LOGLEVEL=warn KUBE_TEST_VMODULE="''" FULL_LOG=y ARTIFACTS=/tmp SHORT=-short=false KUBE_TEST_ARGS='-run=^$ -benchtime=1ns -bench=BenchmarkPerfScheduling -cpuprofile ~/cpu-profile.out'
 ```
 
 Here some explanations for those parameters:
+- `KUBE_CACHE_MUTATION_DETECTOR=false`: prevents enabling the client-go/tools/cache sanity checking,
+  which can be expensive (uses DeepEqual) and is off in production
 - `KUBE_TIMEOUT=-timeout=1h`: benchmarks may have to run longer than the default 10 minutes
 - `FULL_LOG=y`: ensures that benchmark results are shown
 - `ARTIFACTS=/tmp`: redirects non-test log output, which is lengthy and breaks parsing by `benchstat`
@@ -151,8 +153,10 @@ The test cases labeled as `short` are executed in pull-kubernetes-integration jo
 | ci-kubernetes-integration-master | integration-test       |
 | pull-kubernetes-integration      | integration-test,short |
 | ci-benchmark-scheduler-perf      | performance            |
+| pull-kubernetes-scheduler-perf   | performance            |
 
 See the comment on [./misc/performance-config.yaml](./misc/performance-config.yaml) for the details.
+Workloads without any labels are good for local usage, because they run faster than performance ones.
 
 ## Scheduling throughput thresholds
 
diff --git a/test/integration/scheduler_perf/affinity/performance-config.yaml b/test/integration/scheduler_perf/affinity/performance-config.yaml
index bc7f6c8a553b8..809bfe007cafc 100644
--- a/test/integration/scheduler_perf/affinity/performance-config.yaml
+++ b/test/integration/scheduler_perf/affinity/performance-config.yaml
@@ -50,13 +50,11 @@
       initPods: 1
       measurePods: 4
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 100
       measurePods: 400
   - name: 5000Nodes
-    labels: [performance, short]
     params:
       initNodes: 5000
       initPods: 1000
@@ -117,7 +115,6 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
@@ -180,13 +177,11 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance]
     params:
       initNodes: 5000
       initPods: 5000
@@ -243,7 +238,6 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
@@ -305,13 +299,11 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance, short]
     params:
       initNodes: 5000
       initPods: 5000
@@ -387,13 +379,11 @@
       initPods: 2
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 200
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance]
     params:
       initNodes: 5000
       initPods: 2000
@@ -460,7 +450,6 @@
       initNamespaces: 2
       measurePods: 6
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPodsPerNamespace: 4
@@ -537,7 +526,6 @@
       initNamespaces: 2
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPodsPerNamespace: 4
@@ -617,7 +605,6 @@
       initNamespaces: 2
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPodsPerNamespace: 4
@@ -694,14 +681,12 @@
       initNamespaces: 2
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPodsPerNamespace: 4
       initNamespaces: 10
       measurePods: 100
   - name: 5000Nodes
-    labels: [performance]
     params:
       initNodes: 5000
       initPodsPerNamespace: 50
diff --git a/test/integration/scheduler_perf/dra.go b/test/integration/scheduler_perf/dra.go
index 75f11e58e3fd4..7dbc34099307c 100644
--- a/test/integration/scheduler_perf/dra.go
+++ b/test/integration/scheduler_perf/dra.go
@@ -23,6 +23,7 @@ import (
 	"reflect"
 	"sync"
 
+	"github.com/onsi/gomega"
 	"github.com/stretchr/testify/require"
 
 	v1 "k8s.io/api/core/v1"
@@ -38,6 +39,7 @@ import (
 	"k8s.io/dynamic-resource-allocation/cel"
 	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/dynamic-resource-allocation/structured"
+	"k8s.io/kube-scheduler/framework"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
 	"k8s.io/kubernetes/pkg/scheduler/util/assumecache"
@@ -141,7 +143,6 @@ type createResourceDriverOp struct {
 }
 
 var _ realOp = &createResourceDriverOp{}
-var _ runnableOp = &createResourceDriverOp{}
 
 func (op *createResourceDriverOp) isValid(allowParameterization bool) error {
 	if !isValidCount(allowParameterization, op.MaxClaimsPerNode, op.MaxClaimsPerNodeParam) {
@@ -170,9 +171,7 @@ func (op *createResourceDriverOp) patchParams(w *workload) (realOp, error) {
 	return op, op.isValid(false)
 }
 
-func (op *createResourceDriverOp) requiredNamespaces() []string { return nil }
-
-func (op *createResourceDriverOp) run(tCtx ktesting.TContext) {
+func (op *createResourceDriverOp) run(tCtx ktesting.TContext, draManager framework.SharedDRAManager) {
 	tCtx.Logf("creating resource driver %q for nodes matching %q", op.DriverName, op.Nodes)
 
 	var driverNodes []string
@@ -191,11 +190,20 @@ func (op *createResourceDriverOp) run(tCtx ktesting.TContext) {
 		}
 	}
 
+	numSlices := 0
 	for _, nodeName := range driverNodes {
 		slice := resourceSlice(op.DriverName, nodeName, op.MaxClaimsPerNode)
 		_, err := tCtx.Client().ResourceV1().ResourceSlices().Create(tCtx, slice, metav1.CreateOptions{})
 		tCtx.ExpectNoError(err, "create node resource slice")
+		numSlices++
 	}
+
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) int {
+		slices, err := draManager.ResourceSlices().ListWithDeviceTaintRules()
+		tCtx.ExpectNoError(err, "list ResourceSlices")
+		return len(slices)
+	}).Should(gomega.Equal(numSlices), "informer has received all ResourceSlices")
+
 	tCtx.CleanupCtx(func(tCtx ktesting.TContext) {
 		err := tCtx.Client().ResourceV1().ResourceSlices().DeleteCollection(tCtx,
 			metav1.DeleteOptions{},
@@ -278,12 +286,12 @@ func (op *allocResourceClaimsOp) run(tCtx ktesting.TContext) {
 	claimInformer := informerFactory.Resource().V1().ResourceClaims().Informer()
 	nodeLister := informerFactory.Core().V1().Nodes().Lister()
 	resourceSliceTrackerOpts := resourceslicetracker.Options{
-		EnableDeviceTaints:       utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
+		EnableDeviceTaintRules:   utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaintRules),
 		EnableConsumableCapacity: utilfeature.DefaultFeatureGate.Enabled(features.DRAConsumableCapacity),
 		SliceInformer:            informerFactory.Resource().V1().ResourceSlices(),
 		KubeClient:               tCtx.Client(),
 	}
-	if resourceSliceTrackerOpts.EnableDeviceTaints {
+	if resourceSliceTrackerOpts.EnableDeviceTaintRules {
 		resourceSliceTrackerOpts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
 		resourceSliceTrackerOpts.ClassInformer = informerFactory.Resource().V1().DeviceClasses()
 	}
diff --git a/test/integration/scheduler_perf/dra/consumablecapacity/consumablecapacity_test.go b/test/integration/scheduler_perf/dra/consumablecapacity/consumablecapacity_test.go
index 16ee41eb33744..95d77534c2edf 100644
--- a/test/integration/scheduler_perf/dra/consumablecapacity/consumablecapacity_test.go
+++ b/test/integration/scheduler_perf/dra/consumablecapacity/consumablecapacity_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +36,22 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators for this feature.
+	for _, allocatorName := range []string{"experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_consumablecapacity", nil)
 }
diff --git a/test/integration/scheduler_perf/dra/consumablecapacity/performance-config.yaml b/test/integration/scheduler_perf/dra/consumablecapacity/performance-config.yaml
index 3fbd5edba031b..5a2e58ca0e0e6 100644
--- a/test/integration/scheduler_perf/dra/consumablecapacity/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/consumablecapacity/performance-config.yaml
@@ -17,13 +17,13 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
-# SteadyStateClusterResourceClaimTemplateConsumableCapacity is a variant of
+# ConsumableCapacity is a variant of
 # SchedulingWithResourceClaimTemplate. It creates a single ResourceSlice that have two devices, 
 # one preallocate device slice and one basic device. Both allows multiple allocations and contain consumable capacity.
 # And, it creates a resource claim template with two requests.
 # Each requests half of this capacity for two count.
 # The first request checks distinctAttribute which the other checks matchAttribute.
-- name: SteadyStateClusterResourceClaimTemplateConsumableCapacity
+- name: ConsumableCapacity
   featureGates:
     DynamicResourceAllocation: true
     DRAConsumableCapacity: true
@@ -48,7 +48,7 @@
   - opcode: createPods
     namespace: test
     countParam: $measurePods
-    steadyState: true
+    steadyStateParam: $steadyState
     durationParam: $duration
     podTemplatePath: ../templates/pod-with-claim-template.yaml
     collectMetrics: true
@@ -60,7 +60,8 @@
       nodesWithoutDRA: 1
       resourceSlices: 1
       measurePods: 1
-      duration: 2s
+      steadyState: false
+      duration: 0s # unused
       maxClaimsPerNode: 2
   - name: fast_with_DRAPartitionableDevices
     featureGates:
@@ -72,7 +73,8 @@
       nodesWithoutDRA: 1
       resourceSlices: 1
       measurePods: 1
-      duration: 2s
+      steadyState: false
+      duration: 0s # unused
       maxClaimsPerNode: 2
   - name: 2000pods_100nodes
     params:
@@ -80,5 +82,6 @@
       nodesWithoutDRA: 0
       resourceSlices: 2000
       measurePods: 2000
+      steadyState: true
       duration: 10s
       maxClaimsPerNode: 20
diff --git a/test/integration/scheduler_perf/dra/devicetaints/devicetaints_test.go b/test/integration/scheduler_perf/dra/devicetaints/devicetaints_test.go
index 46b4133d55db0..d17b0143785d3 100644
--- a/test/integration/scheduler_perf/dra/devicetaints/devicetaints_test.go
+++ b/test/integration/scheduler_perf/dra/devicetaints/devicetaints_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +36,22 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators for this feature
+	for _, allocatorName := range []string{"experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_devicetaints", nil)
 }
diff --git a/test/integration/scheduler_perf/dra/devicetaints/performance-config.yaml b/test/integration/scheduler_perf/dra/devicetaints/performance-config.yaml
index d46ba826ac8ce..99ca9dc60974c 100644
--- a/test/integration/scheduler_perf/dra/devicetaints/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/devicetaints/performance-config.yaml
@@ -17,9 +17,9 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
-# SchedulingWithResourceClaimTemplateToleration is a variant of SchedulingWithResourceClaimTemplate
+# DeviceTaintToleration is a variant of SchedulingWithResourceClaimTemplate
 # with a claim template that tolerates the taint defined in a DeviceTaintRule.
-- name: SchedulingWithResourceClaimTemplateToleration
+- name: DeviceTaintToleration
   featureGates:
     DynamicResourceAllocation: true
     DRADeviceTaints: true
diff --git a/test/integration/scheduler_perf/dra/dra_test.go b/test/integration/scheduler_perf/dra/dra_test.go
index 419de6b01817c..bf64abb0877c1 100644
--- a/test/integration/scheduler_perf/dra/dra_test.go
+++ b/test/integration/scheduler_perf/dra/dra_test.go
@@ -21,7 +21,11 @@ import (
 	"os"
 	"testing"
 
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
+	"k8s.io/kubernetes/pkg/features"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +39,55 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators.
+	for _, allocatorName := range []string{"stable", "incubating", "experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			// In order to run with the "stable" implementation, we have to disable
+			// some features, something that isn't specified in the YAML
+			// configuration because for other implementations we want the default
+			// features. Using "AllAlpha" and "AllBeta" would be better here,
+			// but interacts poorly with setting the emulated version to 1.33 later
+			// on ("scheduler_perf.go:1117: failed to set emulation version to 1.33 during test:
+			// cannot set feature gate NominatedNodeNameForExpectation to false, feature is PreAlpha at emulated version 1.33, ...")
+			//
+			// Once the current "incubating" becomes "stable", this can be replaced
+			// with two sub tests:
+			// - "ga-only": keep disabling optional features
+			// - "default": don't change features
+			if allocatorName == "stable" {
+				featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+					features.DRAAdminAccess:     false,
+					features.DRAPrioritizedList: false,
+				})
+			}
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
+// These benchmarks have to contain the word BenchmarkPerfScheduling to be picked up
+// by benchmark jobs.
+//
+// Sub-tests should have worked, too, but gotestsum was unhappy.
+
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the default allocator.
+	structured.EnableAllocators("incubating")
+	defer structured.EnableAllocators()
+
+	// "dra" is how this was called traditionally.
+	// It's kept to avoid changing perf-dash results.
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra", nil)
 }
+
+func BenchmarkPerfSchedulingExperimental(b *testing.B) {
+	// And now the experimental allocator.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
+	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_experimental", nil)
+}
diff --git a/test/integration/scheduler_perf/dra/extendedresource/extendedresource_test.go b/test/integration/scheduler_perf/dra/extendedresource/extendedresource_test.go
index b2a8adfcaafe2..d26b5528b7d2a 100644
--- a/test/integration/scheduler_perf/dra/extendedresource/extendedresource_test.go
+++ b/test/integration/scheduler_perf/dra/extendedresource/extendedresource_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +36,22 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators for this feature.
+	for _, allocatorName := range []string{"experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_extendedresource", nil)
 }
diff --git a/test/integration/scheduler_perf/dra/extendedresource/performance-config.yaml b/test/integration/scheduler_perf/dra/extendedresource/performance-config.yaml
index 8c1776652eff2..5a0e5f6443656 100644
--- a/test/integration/scheduler_perf/dra/extendedresource/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/extendedresource/performance-config.yaml
@@ -17,8 +17,9 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
-# SchedulingWithExtendedResource uses pods with extended resources requests.
-- name: SchedulingWithExtendedResource
+# ExtendedResource uses pods with extended resources requests.
+# Each pod requests a unique extended resource.
+- name: ExtendedResource
   featureGates:
     DynamicResourceAllocation: true
     DRAExtendedResource: true
@@ -58,17 +59,91 @@
       initPods: 0
       measurePods: 10
       maxClaimsPerNode: 10
+
+- name: ExtendedResource_25Classes
+  featureGates:
+    DynamicResourceAllocation: true
+    DRAExtendedResource: true
+  workloadTemplate:
+  - opcode: createNodes
+    countParam: $nodesWithoutDRA
+  - opcode: createNodes
+    nodeTemplatePath: ../templates/node-with-dra-test-driver.yaml
+    countParam: $nodesWithDRA
+  - opcode: createResourceDriver
+    driverName: test-driver.cdi.k8s.io
+    nodes: scheduler-perf-dra-*
+    maxClaimsPerNodeParam: $maxClaimsPerNode
+  - opcode: createAny
+    templatePath: ../templates/deviceclass-extended-resource.yaml
+    countParam: $classes
+  - opcode: createPods
+    namespace: init
+    countParam: $initPods
+    podTemplatePath: ../templates/pod-with-extended-resource-mod25.yaml
+  - opcode: createPods
+    namespace: test
+    countParam: $measurePods
+    podTemplatePath: ../templates/pod-with-extended-resource-mod25.yaml
+    collectMetrics: true
+  workloads:
+  - name: 2000pods_200nodes
+    params:
+      classes: 25
+      nodesWithDRA: 200
+      nodesWithoutDRA: 0
+      initPods: 1000
+      measurePods: 1000
+      maxClaimsPerNode: 10
+  - name: 5000pods_500nodes
+    labels: [performance]
+    params:
+      classes: 25
+      nodesWithDRA: 500
+      nodesWithoutDRA: 0
+      initPods: 2500
+      measurePods: 2500
+      maxClaimsPerNode: 10
+
+- name: ExtendedResource_50Classes
+  featureGates:
+    DynamicResourceAllocation: true
+    DRAExtendedResource: true
+  workloadTemplate:
+  - opcode: createNodes
+    countParam: $nodesWithoutDRA
+  - opcode: createNodes
+    nodeTemplatePath: ../templates/node-with-dra-test-driver.yaml
+    countParam: $nodesWithDRA
+  - opcode: createResourceDriver
+    driverName: test-driver.cdi.k8s.io
+    nodes: scheduler-perf-dra-*
+    maxClaimsPerNodeParam: $maxClaimsPerNode
+  - opcode: createAny
+    templatePath: ../templates/deviceclass-extended-resource.yaml
+    countParam: $classes
+  - opcode: createPods
+    namespace: init
+    countParam: $initPods
+    podTemplatePath: ../templates/pod-with-extended-resource-mod50.yaml
+  - opcode: createPods
+    namespace: test
+    countParam: $measurePods
+    podTemplatePath: ../templates/pod-with-extended-resource-mod50.yaml
+    collectMetrics: true
+  workloads:
   - name: 2000pods_200nodes
     params:
-      classes: 1000
+      classes: 50
       nodesWithDRA: 200
       nodesWithoutDRA: 0
       initPods: 1000
       measurePods: 1000
       maxClaimsPerNode: 10
   - name: 5000pods_500nodes
+    labels: [performance]
     params:
-      classes: 2500
+      classes: 50
       nodesWithDRA: 500
       nodesWithoutDRA: 0
       initPods: 2500
diff --git a/test/integration/scheduler_perf/dra/extendedresource/scoring/extendedresource_scoring_test.go b/test/integration/scheduler_perf/dra/extendedresource/scoring/extendedresource_scoring_test.go
new file mode 100644
index 0000000000000..7a6c7c6815319
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/extendedresource/scoring/extendedresource_scoring_test.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package extendedresourcescoring
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
+	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
+)
+
+func TestMain(m *testing.M) {
+	if err := perf.InitTests(); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+
+	m.Run()
+}
+
+func TestSchedulerPerf(t *testing.T) {
+	// Verify correct behavior with all available allocators for this feature.
+	for _, allocatorName := range []string{"experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
+}
+
+func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
+	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_extendedresource_scoring", nil)
+}
diff --git a/test/integration/scheduler_perf/dra/extendedresource/scoring/performance-config.yaml b/test/integration/scheduler_perf/dra/extendedresource/scoring/performance-config.yaml
new file mode 100644
index 0000000000000..d1c9cb8f9a9f3
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/extendedresource/scoring/performance-config.yaml
@@ -0,0 +1,88 @@
+# The following labels are used in this file. (listed in ascending order of the number of covered test cases)
+#
+# - integration-test: test cases to run as the integration test, usually to spot some issues in the scheduler implementation or scheduler-perf itself.
+# - performance: test cases to run in the performance test.
+# - short: supplemental label for the above two labels (must not used alone), which literally means short execution time test cases.
+#
+# Specifically, the CIs use labels like the following:
+# - `ci-kubernetes-integration-master` (`integration-test`): Test cases are chosen based on a tradeoff between code coverage and overall runtime. 
+# It basically covers all test cases but with their smallest workload. 
+# - `pull-kubernetes-integration` (`integration-test`,`short`): Test cases are chosen so that they should take less than total 5 min to complete.
+# - `ci-benchmark-scheduler-perf` (`performance`): Long enough test cases are chosen (ideally, longer than 10 seconds) 
+# to provide meaningful samples for the pod scheduling rate.
+#
+# Also, `performance`+`short` isn't used in the CIs, but it's used to test the performance test locally.
+# (Sometimes, the test cases with `integration-test` are too small to spot issues.)
+#
+# Combining `performance` and `short` selects suitable workloads for a local
+# before/after comparisons with benchstat.
+
+# This config is specific for testing DRA extended resource scoring performance.
+# It ensures that multiple nodes can satisfy each pod's extended resource
+# requirements, forcing the scheduler to use scoring to choose between nodes.
+
+# ExtendedResourceScoring uses pods with extended resources that can be satisfied
+# by multiple nodes, triggering scoring competition to test the DRA scoring implementation.
+- name: ExtendedResourceScoring
+  featureGates:
+    DynamicResourceAllocation: true
+    DRAExtendedResource: true
+  schedulerConfigPath: scheduler-config.yaml
+  workloadTemplate:
+  - opcode: createNodes
+    countParam: $nodesWithoutDRA
+  - opcode: createNodes
+    nodeTemplatePath: ../../templates/node-with-dra-test-driver.yaml
+    countParam: $nodesWithDRA
+  - opcode: createResourceDriver
+    driverName: test-driver.cdi.k8s.io
+    nodes: scheduler-perf-dra-*
+    maxClaimsPerNodeParam: $maxClaimsPerNode
+  - opcode: createAny
+    templatePath: ../../templates/deviceclass-extended-resource-scoring.yaml
+    countParam: $classes
+  - opcode: createPods
+    namespace: init
+    countParam: $initPods
+    podTemplatePath: ../../templates/pod-with-extended-resource-scoring.yaml
+  - opcode: createPods
+    namespace: test
+    countParam: $measurePods
+    podTemplatePath: ../../templates/pod-with-extended-resource-scoring.yaml
+    collectMetrics: true
+  workloads:
+  - name: fast
+    featureGates:
+      DRAExtendedResource: true
+    labels: [integration-test, short]
+    params:
+      # Use fewer classes than nodes to ensure multiple nodes can satisfy
+      # each pod's extended resource requirements, forcing scoring competition.
+      classes: 2
+      nodesWithDRA: 3
+      nodesWithoutDRA: 1
+      initPods: 0
+      measurePods: 10
+      maxClaimsPerNode: 10
+  - name: 2000pods_200nodes
+    featureGates:
+      DRAExtendedResource: true
+    labels: [integration-test, performance]
+    params:
+      classes: 10
+      nodesWithDRA: 200
+      nodesWithoutDRA: 0
+      initPods: 0
+      measurePods: 2000
+      maxClaimsPerNode: 20
+  - name: 5000pods_500nodes
+    featureGates:
+      DRAExtendedResource: true
+    labels: [integration-test, performance]
+    params:
+      classes: 20
+      nodesWithDRA: 500
+      nodesWithoutDRA: 0
+      initPods: 0
+      measurePods: 5000
+      maxClaimsPerNode: 20
diff --git a/test/integration/scheduler_perf/dra/extendedresource/scoring/scheduler-config.yaml b/test/integration/scheduler_perf/dra/extendedresource/scoring/scheduler-config.yaml
new file mode 100644
index 0000000000000..e034385d9a31f
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/extendedresource/scoring/scheduler-config.yaml
@@ -0,0 +1,16 @@
+apiVersion: kubescheduler.config.k8s.io/v1
+kind: KubeSchedulerConfiguration
+profiles:
+- schedulerName: default-scheduler
+  pluginConfig:
+  - name: NodeResourcesFit
+    args:
+      scoringStrategy:
+        type: LeastAllocated
+        resources:
+        - name: cpu
+          weight: 1
+        - name: memory
+          weight: 1
+        - name: example.com/gpu
+          weight: 1
diff --git a/test/integration/scheduler_perf/dra/partitionabledevices/partitionabledevices_test.go b/test/integration/scheduler_perf/dra/partitionabledevices/partitionabledevices_test.go
index d2789f6ae7d96..76bd292958ac2 100644
--- a/test/integration/scheduler_perf/dra/partitionabledevices/partitionabledevices_test.go
+++ b/test/integration/scheduler_perf/dra/partitionabledevices/partitionabledevices_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +36,22 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators for this feature.
+	for _, allocatorName := range []string{"experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("experimental")
+	defer structured.EnableAllocators()
+
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_partitionabledevices", nil)
 }
diff --git a/test/integration/scheduler_perf/dra/partitionabledevices/performance-config.yaml b/test/integration/scheduler_perf/dra/partitionabledevices/performance-config.yaml
index ae75efab9789e..149881c3e9b86 100644
--- a/test/integration/scheduler_perf/dra/partitionabledevices/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/partitionabledevices/performance-config.yaml
@@ -17,11 +17,11 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
-# SchedulingWithResourceClaimTemplatePartitionable is a variant of SchedulingWithResourceClaimTemplate.
+# Partitionable is a variant of SchedulingWithResourceClaimTemplate.
 # It creates ResourceSlices with partitionable devices and uses a claim template referenced
 # by the test pods. It includes allocated claims that consumes counters and it sets up the devices
 # such that the allocator will have to backtrack once in order to find a working solution.
-- name: SteadyStateClusterResourceClaimTemplatePartitionable
+- name: Partitionable
   featureGates:
     DynamicResourceAllocation: true
     DRAPartitionableDevices: true
@@ -32,7 +32,10 @@
     nodeTemplatePath: ../templates/node-with-dra-test-driver.yaml
     countParam: $nodesWithDRA
   - opcode: createAny
-    templatePath: ../templates/resourceslice-partitionable.yaml
+    templatePath: ../templates/resourceslice-partitionable-countersets.yaml
+    countParam: $resourceSlices
+  - opcode: createAny
+    templatePath: ../templates/resourceslice-partitionable-devices.yaml
     countParam: $resourceSlices
   - opcode: createAny
     templatePath: ../templates/deviceclass.yaml
@@ -48,7 +51,7 @@
   - opcode: createPods
     namespace: test
     countParam: $measurePods
-    steadyState: true
+    steadyStateParam: $steadyState
     durationParam: $duration
     podTemplatePath: ../templates/pod-with-claim-template.yaml
     collectMetrics: true
@@ -65,7 +68,8 @@
       resourceSlices: 10
       initClaims: 10
       measurePods: 10
-      duration: 2s
+      steadyState: false
+      duration: 0s # unused
   - name: fast_QueueingHintsEnabled
     featureGates:
       SchedulerQueueingHints: true
@@ -78,7 +82,8 @@
       resourceSlices: 10
       initClaims: 10
       measurePods: 10
-      duration: 2s
+      steadyState: false
+      duration: 0s # unused
   - name: 2000pods_100nodes
     params:
       nodesWithDRA: 100
@@ -86,13 +91,14 @@
       resourceSlices: 2000
       initClaims: 2000
       measurePods: 2000
+      steadyState: true
       duration: 10s
 
-# SchedulingWithResourceClaimTemplatePartitionableBacktracking is a variant of
+# PartitionableBacktracking is a variant of
 # SchedulingWithResourceClaimTemplate. It creates a single ResourceSlice and a
 # ResourceClaim that forces the allocator to backtrack multiple times in order
 # to find a solution.
-- name: SteadyStateClusterResourceClaimTemplatePartitionableBacktracking
+- name: PartitionableBacktracking
   featureGates:
     DynamicResourceAllocation: true
     DRAPartitionableDevices: true
@@ -103,7 +109,10 @@
     nodeTemplatePath: ../templates/node-with-dra-test-driver.yaml
     countParam: $nodesWithDRA
   - opcode: createAny
-    templatePath: ../templates/resourceslice-partitionable-backtracking.yaml
+    templatePath: ../templates/resourceslice-partitionable-backtracking-countersets.yaml
+    countParam: $resourceSlices
+  - opcode: createAny
+    templatePath: ../templates/resourceslice-partitionable-backtracking-devices.yaml
     countParam: $resourceSlices
   - opcode: createAny
     templatePath: ../templates/deviceclass.yaml
@@ -113,8 +122,6 @@
   - opcode: createPods
     namespace: test
     countParam: $measurePods
-    steadyState: true
-    durationParam: $duration
     podTemplatePath: ../templates/pod-with-claim-template.yaml
     collectMetrics: true
   workloads:
@@ -129,7 +136,6 @@
       nodesWithoutDRA: 1
       resourceSlices: 1
       measurePods: 1
-      duration: 2s
   - name: fast_QueueingHintsEnabled
     featureGates:
       SchedulerQueueingHints: true
@@ -141,4 +147,3 @@
       nodesWithoutDRA: 1
       resourceSlices: 1
       measurePods: 1
-      duration: 2s
diff --git a/test/integration/scheduler_perf/dra/performance-config.yaml b/test/integration/scheduler_perf/dra/performance-config.yaml
index 35bea6a2c003d..432c05e3253b9 100644
--- a/test/integration/scheduler_perf/dra/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/performance-config.yaml
@@ -17,6 +17,43 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
+# PublishResourceSlices measures how quickly the scheduler consumes ResourceSlices as they
+# get created by a DRA driver. The other tests don't include this part and instead start
+# the measurement only after the scheduler is up-to-date.
+#
+# Any cost associated with handling ResourceSlices gets amortized over multiple pod scheduling
+# cycles: the more pods get scheduled without changes to ResourceSlices, the less it matters
+# how long this takes.
+- name: PublishResourceSlices
+  featureGates:
+    DynamicResourceAllocation: true
+  workloadTemplate:
+  - opcode: createNodes
+    countParam: $nodesWithoutDRA
+  - opcode: createNodes
+    nodeTemplatePath: templates/node-with-dra-test-driver.yaml
+    countParam: $nodesWithDRA
+  - opcode: startCollectingMetrics
+    namespaces: ["default"]
+  - opcode: createResourceDriver
+    driverName: test-driver.cdi.k8s.io
+    nodes: scheduler-perf-dra-*
+    maxClaimsPerNodeParam: $maxClaimsPerNode
+  - opcode: stopCollectingMetrics
+  workloads:
+  - name: 500nodes
+    labels: [performance]
+    params:
+      nodesWithDRA: 500
+      nodesWithoutDRA: 0
+      maxClaimsPerNode: 10
+  - name: 5000nodes
+    labels: [performance]
+    params:
+      nodesWithDRA: 5000
+      nodesWithoutDRA: 0
+      maxClaimsPerNode: 10
+
 # SchedulingWithResourceClaimTemplate uses a ResourceClaimTemplate
 # and dynamically creates ResourceClaim instances for each pod. Node, pod and
 # device counts are chosen so that the cluster gets filled up completely.
@@ -93,8 +130,9 @@
     featureGates:
       SchedulerQueueingHints: false
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSchedulingWithResourceClaimTemplate%2F5000pods_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 40 # typically above 51
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSchedulingWithResourceClaimTemplate%2F5000pods_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 40 # typically above 51
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -105,8 +143,9 @@
     featureGates:
       SchedulerQueueingHints: true
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSchedulingWithResourceClaimTemplate%2F5000pods_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 56 # typically above 70
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSchedulingWithResourceClaimTemplate%2F5000pods_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 56 # typically above 70
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -153,30 +192,6 @@
     podTemplatePath: templates/pod-with-claim-template.yaml
     collectMetrics: true
   workloads:
-  - name: fast
-    featureGates:
-      SchedulerQueueingHints: false
-    labels: [integration-test, short]
-    params:
-      # This testcase runs through all code paths without
-      # taking too long overall.
-      nodesWithDRA: 1
-      nodesWithoutDRA: 1
-      initClaims: 0
-      maxClaimsPerNode: 10
-      duration: 2s
-  - name: fast_QueueingHintsEnabled
-    featureGates:
-      SchedulerQueueingHints: true
-    labels: [integration-test, short]
-    params:
-      # This testcase runs through all code paths without
-      # taking too long overall.
-      nodesWithDRA: 1
-      nodesWithoutDRA: 1
-      initClaims: 0
-      maxClaimsPerNode: 10
-      duration: 2s
   - name: empty_100nodes
     params:
       nodesWithDRA: 100
@@ -195,8 +210,9 @@
     featureGates:
       SchedulerQueueingHints: false
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fempty_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 64 # typically above 81
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fempty_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 64 # typically above 81
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -207,8 +223,9 @@
     featureGates:
       SchedulerQueueingHints: true
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fempty_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 64 # typically above 81
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fempty_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 64 # typically above 81
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -234,8 +251,9 @@
     featureGates:
       SchedulerQueueingHints: false
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fhalf_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 70 # typically over 78
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fhalf_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 70 # typically over 78
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -246,8 +264,9 @@
     featureGates:
       SchedulerQueueingHints: true
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fhalf_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 60 # typically over 75
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Fhalf_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 60 # typically over 75
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -273,8 +292,9 @@
     featureGates:
       SchedulerQueueingHints: false
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Ffull_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 60 # typically over 75
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Ffull_500nodes%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 60 # typically over 75
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -285,8 +305,9 @@
     featureGates:
       SchedulerQueueingHints: true
     labels: [performance]
-    # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Ffull_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
-    threshold: 60 # typically over 75
+    threshold:
+      # https://perf-dash.k8s.io/#/?jobname=scheduler-perf-benchmark&metriccategoryname=Scheduler&metricname=BenchmarkPerfScheduling&Metric=SchedulingThroughput&Name=BenchmarkPerfScheduling%2FSteadyStateClusterResourceClaimTemplate%2Ffull_500nodes_QueueingHintsEnabled%2Ftest&event=not%20applicable&extension_point=not%20applicable&plugin=not%20applicable&result=not%20applicable
+      dra: 60 # typically over 75
     params:
       nodesWithDRA: 500
       nodesWithoutDRA: 0
@@ -300,7 +321,6 @@
 - name: SchedulingWithResourceClaim
   featureGates:
     DynamicResourceAllocation: true
-    # SchedulerQueueingHints: true
   workloadTemplate:
   - opcode: createNodes
     countParam: $nodesWithoutDRA
diff --git a/test/integration/scheduler_perf/dra/prioritizedlist/performance-config.yaml b/test/integration/scheduler_perf/dra/prioritizedlist/performance-config.yaml
index 46a4e5442ab55..ad8459e0516e1 100644
--- a/test/integration/scheduler_perf/dra/prioritizedlist/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/prioritizedlist/performance-config.yaml
@@ -17,9 +17,9 @@
 # Combining `performance` and `short` selects suitable workloads for a local
 # before/after comparisons with benchstat.
 
-# SteadyStateResourceClaimTemplateFirstAvailable is a variant of SteadyStateResourceClaimTemplate
+# FirstAvailable is a variant of SchedulingWithResourceClaimTemplate
 # with a claim template that uses the "firstAvailable" subrequests, aka DRAPrioritizedList.
-- name: SteadyStateClusterResourceClaimTemplateFirstAvailable
+- name: FirstAvailable
   featureGates:
     DynamicResourceAllocation: true
     DRAPrioritizedList: true
@@ -35,6 +35,8 @@
     maxClaimsPerNodeParam: $maxClaimsPerNode
   - opcode: createAny
     templatePath: ../templates/deviceclass.yaml
+  - opcode: createAny
+    templatePath: ../templates/deviceclass-no-devices.yaml
   - opcode: createAny
     templatePath: ../templates/resourceclaim.yaml
     countParam: $initClaims
@@ -47,8 +49,6 @@
   - opcode: createPods
     namespace: test
     count: 10
-    steadyState: true
-    durationParam: $duration
     podTemplatePath: ../templates/pod-with-claim-template.yaml
     collectMetrics: true
   workloads:
@@ -63,7 +63,6 @@
       nodesWithoutDRA: 1
       initClaims: 0
       maxClaimsPerNode: 10
-      duration: 2s
   - name: fast_QueueingHintsEnabled
     featureGates:
       SchedulerQueueingHints: true
@@ -75,4 +74,3 @@
       nodesWithoutDRA: 1
       initClaims: 0
       maxClaimsPerNode: 10
-      duration: 2s
diff --git a/test/integration/scheduler_perf/dra/prioritizedlist/prioritizedlist_test.go b/test/integration/scheduler_perf/dra/prioritizedlist/prioritizedlist_test.go
index 76cba27ae0d43..605dcae183593 100644
--- a/test/integration/scheduler_perf/dra/prioritizedlist/prioritizedlist_test.go
+++ b/test/integration/scheduler_perf/dra/prioritizedlist/prioritizedlist_test.go
@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	_ "k8s.io/component-base/logs/json/register"
+	"k8s.io/dynamic-resource-allocation/structured"
 	perf "k8s.io/kubernetes/test/integration/scheduler_perf"
 )
 
@@ -35,9 +36,22 @@ func TestMain(m *testing.M) {
 }
 
 func TestSchedulerPerf(t *testing.T) {
-	perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+	// Verify correct behavior with all available allocators for this feature.
+	for _, allocatorName := range []string{"incubating", "experimental"} {
+		t.Run(allocatorName, func(t *testing.T) {
+			structured.EnableAllocators(allocatorName)
+			defer structured.EnableAllocators()
+
+			perf.RunIntegrationPerfScheduling(t, "performance-config.yaml")
+		})
+	}
 }
 
 func BenchmarkPerfScheduling(b *testing.B) {
+	// Restrict benchmarking to the allocator for this feature
+	// to ensure that we do not accidentally pick something else.
+	structured.EnableAllocators("incubating")
+	defer structured.EnableAllocators()
+
 	perf.RunBenchmarkPerfScheduling(b, "performance-config.yaml", "dra_prioritizedlist", nil)
 }
diff --git a/test/integration/scheduler_perf/dra/templates/deviceclass-extended-resource-scoring.yaml b/test/integration/scheduler_perf/dra/templates/deviceclass-extended-resource-scoring.yaml
new file mode 100644
index 0000000000000..114651606bd66
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/deviceclass-extended-resource-scoring.yaml
@@ -0,0 +1,11 @@
+apiVersion: resource.k8s.io/v1beta2
+kind: DeviceClass
+metadata:
+  name: scoring-test-class-{{.Index}}
+spec:
+  selectors:
+  - cel:
+      expression: device.driver == "test-driver.cdi.k8s.io"
+  # All device classes expose the same extended resource name
+  # This allows multiple nodes to satisfy the same pod's extended resource request
+  extendedResourceName: example.com/gpu
diff --git a/test/integration/scheduler_perf/dra/templates/deviceclass-no-devices.yaml b/test/integration/scheduler_perf/dra/templates/deviceclass-no-devices.yaml
new file mode 100644
index 0000000000000..c822aaf9f687e
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/deviceclass-no-devices.yaml
@@ -0,0 +1,8 @@
+apiVersion: resource.k8s.io/v1
+kind: DeviceClass
+metadata:
+  name: no-devices-class
+spec:
+  selectors:
+  - cel:
+      expression: device.driver == "no-such-driver.cdi.k8s.io"
diff --git a/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod25.yaml b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod25.yaml
new file mode 100644
index 0000000000000..690762f3cda88
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod25.yaml
@@ -0,0 +1,16 @@
+# Pod template for extended resource tests.
+# Pods cycle through 25 device classes (example.com/gpu-0 through example.com/gpu-24)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-dra-{{.Index}}
+spec:
+  containers:
+  - image: registry.k8s.io/pause:3.9
+    name: pause
+    resources:
+      requests:
+        example.com/gpu-{{mod .Index 25}}: 1
+      limits:
+        example.com/gpu-{{mod .Index 25}}: 1
+
diff --git a/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod50.yaml b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod50.yaml
new file mode 100644
index 0000000000000..2fd25530ea8c8
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-mod50.yaml
@@ -0,0 +1,16 @@
+# Pod template for extended resource tests.
+# Pods cycle through 50 device classes (example.com/gpu-0 through example.com/gpu-49)
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-dra-{{.Index}}
+spec:
+  containers:
+  - image: registry.k8s.io/pause:3.9
+    name: pause
+    resources:
+      requests:
+        example.com/gpu-{{mod .Index 50}}: 1
+      limits:
+        example.com/gpu-{{mod .Index 50}}: 1
+
diff --git a/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-scoring.yaml b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-scoring.yaml
new file mode 100644
index 0000000000000..11c301414a341
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/pod-with-extended-resource-scoring.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: scoring-test-pod-{{.Index}}
+spec:
+  containers:
+  - image: registry.k8s.io/pause:3.9
+    name: pause
+    resources:
+      requests:
+        # All pods request the same extended resource
+        # This forces the scheduler to choose between multiple nodes
+        example.com/gpu: 1
+      limits:
+        example.com/gpu: 1
diff --git a/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-consumablecapacity.yaml b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-consumablecapacity.yaml
index 05ac81282f633..13cfdaa18d289 100644
--- a/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-consumablecapacity.yaml
+++ b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-consumablecapacity.yaml
@@ -9,21 +9,12 @@ spec:
       - name: req-0
         exactly:
           deviceClassName: test-class
-          count: 2
           capacity:
             requests:
               memory: 40Gi
       - name: req-1
         exactly:
           deviceClassName: test-class
-          count: 2
           capacity:
             requests:
               memory: 40Gi
-      constraints:
-      - requests:
-        - req-0
-        distinctAttribute: dra.example.com/slice
-      - requests:
-        - req-1
-        matchAttribute: dra.example.com/slice
diff --git a/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-first-available.yaml b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-first-available.yaml
index 8c2dea4280f04..60e0244a3b18d 100644
--- a/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-first-available.yaml
+++ b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-first-available.yaml
@@ -9,6 +9,6 @@ spec:
       - name: req-0
         firstAvailable:
         - name: sub-0
-          deviceClassName: no-such-class
+          deviceClassName: no-devices-class
         - name: sub-1
           deviceClassName: test-class
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-consumablecapacity.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-consumablecapacity.yaml
index f2ff35d09e1a0..a5d94dc351db6 100644
--- a/test/integration/scheduler_perf/dra/templates/resourceslice-consumablecapacity.yaml
+++ b/test/integration/scheduler_perf/dra/templates/resourceslice-consumablecapacity.yaml
@@ -15,21 +15,9 @@ spec:
         operator: In
         values:
         - "true"
-  sharedCounters:
-  - name: counter-set
-    counters:
-      counter1:
-        value: "1"
-      counter2:
-        value: "1"
   devices:
   - name: shareable-device
     allowMultipleAllocations: true
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
     capacity:
       memory:
         value: 80Gi
@@ -37,27 +25,3 @@ spec:
           default: 1Gi
           validRange:
             min: 1Gi
-  # 2 counter devices
-  - name: device-2-counters-1
-    allowMultipleAllocations: true
-    attributes:
-      preallocate:
-        bool: true
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "2"
-      memory:
-        value: 80Gi
-        requestPolicy:
-          default: 1Gi
-          validRange:
-            min: 1Gi
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter1:
-          value: "1"
-        counter2:
-          value: "1"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-countersets.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-countersets.yaml
new file mode 100644
index 0000000000000..e08406f6a72b0
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-countersets.yaml
@@ -0,0 +1,40 @@
+kind: ResourceSlice
+apiVersion: resource.k8s.io/v1
+metadata:
+  name: resourceslice-countersets-{{.Index}}
+spec:
+  pool:
+    name: resourceslice-{{.Index}}
+    generation: 1
+    resourceSliceCount: 2
+  driver: test-driver.cdi.k8s.io
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: node-with-dra
+        operator: In
+        values:
+        - "true"
+  sharedCounters:
+  - name: counter-set-for-cpu
+    counters:
+      cpu1:
+        value: "1"
+      cpu2:
+        value: "1"
+      cpu3:
+        value: "1"
+      cpu4:
+        value: "1"
+      cpu5:
+        value: "1"
+      cpu6:
+        value: "1"
+      cpu7:
+        value: "1"
+      cpu8:
+        value: "1"
+  - name: counter-set-for-mem
+    counters:
+      mem:
+        value: "70Gi"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-devices.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-devices.yaml
new file mode 100644
index 0000000000000..47f55f7ca88f1
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking-devices.yaml
@@ -0,0 +1,98 @@
+kind: ResourceSlice
+apiVersion: resource.k8s.io/v1
+metadata:
+  name: resourceslice-devices-{{.Index}}
+spec:
+  pool:
+    name: resourceslice-{{.Index}}
+    generation: 1
+    resourceSliceCount: 2
+  driver: test-driver.cdi.k8s.io
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: node-with-dra
+        operator: In
+        values:
+        - "true"
+  devices:
+  - name: device-1
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu1:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "20Gi"
+  - name: device-2
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu2:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-3
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu3:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-4
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu4:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-5
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu5:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-6
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu6:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-7
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu7:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
+  - name: device-8
+    consumesCounters:
+    - counterSet: counter-set-for-cpu
+      counters:
+        cpu8:
+          value: "1"
+    - counterSet: counter-set-for-mem
+      counters:
+        mem:
+          value: "10Gi"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking.yaml
deleted file mode 100644
index 20a915b4210f5..0000000000000
--- a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-backtracking.yaml
+++ /dev/null
@@ -1,121 +0,0 @@
-kind: ResourceSlice
-apiVersion: resource.k8s.io/v1
-metadata:
-  name: resourceslice-{{.Index}}
-spec:
-  pool:
-    name: resourceslice-{{.Index}}
-    generation: 1
-    resourceSliceCount: 1
-  driver: test-driver.cdi.k8s.io
-  nodeSelector:
-    nodeSelectorTerms:
-    - matchExpressions:
-      - key: node-with-dra
-        operator: In
-        values:
-        - "true"
-  sharedCounters:
-  - name: counter-set-for-cpu
-    counters:
-      cpu1:
-        value: "1"
-      cpu2:
-        value: "1"
-      cpu3:
-        value: "1"
-      cpu4:
-        value: "1"
-      cpu5:
-        value: "1"
-      cpu6:
-        value: "1"
-      cpu7:
-        value: "1"
-      cpu8:
-        value: "1"
-  - name: counter-set-for-mem
-    counters:
-      mem:
-        value: "70Gi"
-  devices:
-  - name: device-1
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu1:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "20Gi"
-  - name: device-2
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu2:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-3
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu3:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-4
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu4:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-5
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu5:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-6
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu6:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-7
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu7:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
-  - name: device-8
-    consumesCounters:
-    - counterSet: counter-set-for-cpu
-      counters:
-        cpu8:
-          value: "1"
-    - counterSet: counter-set-for-mem
-      counters:
-        mem:
-          value: "10Gi"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-countersets.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-countersets.yaml
new file mode 100644
index 0000000000000..3db481e5d64bf
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-countersets.yaml
@@ -0,0 +1,28 @@
+kind: ResourceSlice
+apiVersion: resource.k8s.io/v1
+metadata:
+  name: resourceslice-countersets-{{.Index}}
+spec:
+  pool:
+    name: resourceslice-{{.Index}}
+    generation: 1
+    resourceSliceCount: 2
+  driver: test-driver.cdi.k8s.io
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: node-with-dra
+        operator: In
+        values:
+        - "true"
+  sharedCounters:
+  - name: counter-set
+    counters:
+      counter1:
+        value: "1"
+      counter2:
+        value: "1"
+      counter3:
+        value: "1"
+      counter4:
+        value: "1"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-devices.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-devices.yaml
new file mode 100644
index 0000000000000..bf9ee3e8c501f
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable-devices.yaml
@@ -0,0 +1,108 @@
+kind: ResourceSlice
+apiVersion: resource.k8s.io/v1
+metadata:
+  name: resourceslice-devices-{{.Index}}
+spec:
+  pool:
+    name: resourceslice-{{.Index}}
+    generation: 1
+    resourceSliceCount: 2
+  driver: test-driver.cdi.k8s.io
+  nodeSelector:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: node-with-dra
+        operator: In
+        values:
+        - "true"
+  devices:
+  # 2 counter devices
+  - name: device-2-counters-1
+    attributes:
+      preallocate:
+        bool: true
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "2"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter1:
+          value: "1"
+        counter2:
+          value: "1"
+  - name: device-2-counters-2
+    attributes:
+      preallocate:
+        bool: false
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "2"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter3:
+          value: "1"
+        counter4:
+          value: "1"
+  # 1 counter devices
+  - name: device-1-counter-1
+    attributes:
+      preallocate:
+        bool: false
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "1"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter1:
+          value: "1"
+  - name: device-1-counter-2
+    attributes:
+      preallocate:
+        bool: false
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "1"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter2:
+          value: "1"
+  - name: device-1-counter-3
+    attributes:
+      preallocate:
+        bool: false
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "1"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter3:
+          value: "1"
+  - name: device-1-counter-4
+    attributes:
+      preallocate:
+        bool: false
+      dra.example.com/slice:
+        int: {{.Index}}
+    capacity:
+      counters:
+        value: "1"
+    consumesCounters:
+    - counterSet: counter-set
+      counters:
+        counter4:
+          value: "1"
diff --git a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable.yaml b/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable.yaml
deleted file mode 100644
index db3abc68b38fa..0000000000000
--- a/test/integration/scheduler_perf/dra/templates/resourceslice-partitionable.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-kind: ResourceSlice
-apiVersion: resource.k8s.io/v1
-metadata:
-  name: resourceslice-{{.Index}}
-spec:
-  pool:
-    name: resourceslice-{{.Index}}
-    generation: 1
-    resourceSliceCount: 1
-  driver: test-driver.cdi.k8s.io
-  nodeSelector:
-    nodeSelectorTerms:
-    - matchExpressions:
-      - key: node-with-dra
-        operator: In
-        values:
-        - "true"
-  sharedCounters:
-  - name: counter-set
-    counters:
-      counter1:
-        value: "1"
-      counter2:
-        value: "1"
-      counter3:
-        value: "1"
-      counter4:
-        value: "1"
-  devices:
-  # 2 counter devices
-  - name: device-2-counters-1
-    attributes:
-      preallocate:
-        bool: true
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "2"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter1:
-          value: "1"
-        counter2:
-          value: "1"
-  - name: device-2-counters-2
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "2"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter3:
-          value: "1"
-        counter4:
-          value: "1"
-  # 1 counter devices
-  - name: device-1-counter-1
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "1"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter1:
-          value: "1"
-  - name: device-1-counter-2
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "1"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter2:
-          value: "1"
-  - name: device-1-counter-3
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "1"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter3:
-          value: "1"
-  - name: device-1-counter-4
-    attributes:
-      preallocate:
-        bool: false
-      dra.example.com/slice:
-        int: {{.Index}}
-    capacity:
-      counters:
-        value: "1"
-    consumesCounters:
-    - counterSet: counter-set
-      counters:
-        counter4:
-          value: "1"
diff --git a/test/integration/scheduler_perf/label_selector.go b/test/integration/scheduler_perf/label_selector.go
index 57f1c714db9b3..8d3ad7da6a96a 100644
--- a/test/integration/scheduler_perf/label_selector.go
+++ b/test/integration/scheduler_perf/label_selector.go
@@ -16,7 +16,7 @@ limitations under the License.
 
 package benchmark
 
-// enabled checks a a label filter that works as in GitHub:
+// enabled checks a label filter that works as in GitHub:
 // - empty string means enabled
 // - individual labels are comma-separated
 // - [+]<label> means the workload must have that label
diff --git a/test/integration/scheduler_perf/misc/performance-config.yaml b/test/integration/scheduler_perf/misc/performance-config.yaml
index 6a33f47995680..a645035dfaafc 100644
--- a/test/integration/scheduler_perf/misc/performance-config.yaml
+++ b/test/integration/scheduler_perf/misc/performance-config.yaml
@@ -55,13 +55,11 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance, short]
     params:
       initNodes: 5000
       initPods: 1000
@@ -278,7 +276,6 @@
       initPods: 20
       measurePods: 5
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 2000
@@ -369,13 +366,11 @@
       initPods: 1
       measurePods: 10
   - name: 500Nodes/10Init/1kPods
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 10
       measurePods: 1000
   - name: 5kNodes/100Init/1kPods
-    labels: [performance, short]
     params:
       initNodes: 5000
       initPods: 100
@@ -468,12 +463,10 @@
       initNodes: 10
       measurePods: 100
   - name: 1000Nodes
-    labels: [performance, short]
     params:
       initNodes: 1000
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance, short]
     params:
       initNodes: 5000
       measurePods: 2000
@@ -604,7 +597,6 @@
   - name: 1000Node_1000DeletingPods
     featureGates:
       SchedulerQueueingHints: false
-    labels: [performance, short]
     params:
       initNodes: 1000
       deletingPods: 1000
@@ -612,11 +604,26 @@
   - name: 1000Node_1000DeletingPods_QueueingHintsEnabled
     featureGates:
       SchedulerQueueingHints: true
-    labels: [performance, short]
     params:
       initNodes: 1000
       deletingPods: 1000
       measurePods: 1000
+  - name: 5000Node_5000DeletingPods
+    featureGates:
+      SchedulerQueueingHints: false
+    labels: [performance]
+    params:
+      initNodes: 5000
+      deletingPods: 5000
+      measurePods: 5000
+  - name: 5000Node_5000DeletingPods_QueueingHintsEnabled
+    featureGates:
+      SchedulerQueueingHints: true
+    labels: [performance]
+    params:
+      initNodes: 5000
+      deletingPods: 5000
+      measurePods: 5000
 
 ## SchedulingWithExtendedResource uses pods with extended resources requests.
 - name: SchedulingWithExtendedResource
@@ -657,7 +664,6 @@
   - name: 500pods_500nodes
     featureGates:
       DRAExtendedResource: false
-    labels: [performance, short]
     params:
       nodesWithExtendedResource: 500
       nodesWithoutExtendedResource: 0
@@ -665,7 +671,6 @@
   - name: 500pods_500nodes_DRAExtendedResourceEnabled
     featureGates:
       DRAExtendedResource: true
-    labels: [performance, short]
     params:
       nodesWithExtendedResource: 500
       nodesWithoutExtendedResource: 0
diff --git a/test/integration/scheduler_perf/scheduler_perf.go b/test/integration/scheduler_perf/scheduler_perf.go
index aa562cba73437..5f0b903b80e69 100644
--- a/test/integration/scheduler_perf/scheduler_perf.go
+++ b/test/integration/scheduler_perf/scheduler_perf.go
@@ -29,6 +29,7 @@ import (
 	"os"
 	"path"
 	"regexp"
+	"runtime"
 	"slices"
 	"strings"
 	"sync"
@@ -42,7 +43,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -61,6 +62,7 @@ import (
 	"k8s.io/component-base/metrics/testutil"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/scheduler"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
@@ -129,7 +131,7 @@ type FeatureGateFlag interface {
 
 func init() {
 	f := featuregate.NewFeatureGate()
-	runtime.Must(logsapi.AddFeatureGates(f))
+	utilruntime.Must(logsapi.AddFeatureGates(f))
 	LoggingFeatureGate = f
 
 	LoggingConfig = logsapi.NewLoggingConfiguration()
@@ -142,7 +144,7 @@ var (
 			"scheduler_framework_extension_point_duration_seconds": {
 				{
 					Label:  extensionPointsLabelName,
-					Values: metrics.ExtentionPoints,
+					Values: metrics.ExtensionPoints,
 				},
 			},
 			"scheduler_scheduling_attempt_duration_seconds": {
@@ -159,7 +161,7 @@ var (
 				},
 				{
 					Label:  extensionPointsLabelName,
-					Values: metrics.ExtentionPoints,
+					Values: metrics.ExtensionPoints,
 				},
 			},
 		},
@@ -276,8 +278,7 @@ type testCase struct {
 	// Optional
 	MetricsCollectorConfig *metricsCollectorConfig
 	// Template for sequence of ops that each workload must follow. Each op will
-	// be executed serially one after another. Each element of the list must be
-	// createNodesOp, createPodsOp, or barrierOp.
+	// be executed serially one after another.
 	WorkloadTemplate []op
 	// List of workloads to run under this testCase.
 	Workloads []*workload
@@ -331,8 +332,14 @@ type workload struct {
 	// The comparison is performed for op with CollectMetrics set to true.
 	// If the measured value is below the threshold, the workload's test case will fail.
 	// If set to zero, the threshold check is disabled.
+	//
+	// May contain a single value or map of topic name to value.
+	// The single value is used if there is no entry in the map for the topic name.
+	// Topic names are passed to RunBenchmarkPerfScheduling. This approach
+	// makes it possible to reuse the same test cases in different configurations.
+	//
 	// Optional
-	Threshold float64
+	Threshold thresholds
 	// ThresholdMetricSelector defines to what metric the Threshold should be compared.
 	// If nil, the metric is set to DefaultThresholdMetricSelector of the testCase.
 	// If DefaultThresholdMetricSelector is nil, the metric is set to "SchedulingThroughput".
@@ -345,8 +352,13 @@ type workload struct {
 }
 
 func (w *workload) isValid(mcc *metricsCollectorConfig) error {
-	if w.Threshold < 0 {
-		return fmt.Errorf("invalid Threshold=%f; should be non-negative", w.Threshold)
+	if w.Threshold.value < 0 {
+		return fmt.Errorf("invalid Threshold=%f; should be non-negative", w.Threshold.value)
+	}
+	for topicName, value := range w.Threshold.valuesByTopic {
+		if value < 0 {
+			return fmt.Errorf("invalid Threshold=%f for topic %q; should be non-negative", value, topicName)
+		}
 	}
 
 	return w.ThresholdMetricSelector.isValid(mcc)
@@ -360,12 +372,34 @@ func (w *workload) setDefaults(testCaseThresholdMetricSelector *thresholdMetricS
 		w.ThresholdMetricSelector = testCaseThresholdMetricSelector
 		return
 	}
-	// By defult, SchedulingThroughput should be compared with the threshold.
+	// By default, SchedulingThroughput should be compared with the threshold.
 	w.ThresholdMetricSelector = &thresholdMetricSelector{
 		Name: "SchedulingThroughput",
 	}
 }
 
+type thresholds struct {
+	value         float64
+	valuesByTopic map[string]float64
+}
+
+func (t *thresholds) UnmarshalJSON(text []byte) error {
+	if errFloat64 := json.Unmarshal(text, &t.value); errFloat64 != nil {
+		// Not a plain number. Let's try as map.
+		if errMap := json.Unmarshal(text, &t.valuesByTopic); errMap != nil {
+			return fmt.Errorf("expected either float64 or topic name -> float64 map: %w, %w", errFloat64, errMap)
+		}
+	}
+	return nil
+}
+
+func (t *thresholds) Get(topicName string) float64 {
+	if value, ok := t.valuesByTopic[topicName]; ok {
+		return value
+	}
+	return t.value
+}
+
 // thresholdMetricSelector defines the name and labels of metric to compare with threshold.
 type thresholdMetricSelector struct {
 	// Name of the metric is compared to "Metric" field in DataItem labels.
@@ -438,7 +472,7 @@ func (p *params) UnmarshalJSON(b []byte) error {
 
 // get retrieves the parameter as an integer
 func (p params) get(key string) (int, error) {
-	// JSON unmarshals integer constants in an "any" field as float.
+	// JSON unmarshal integer constants in an "any" field as float.
 	f, err := getParam[float64](p, key)
 	if err != nil {
 		return 0, err
@@ -447,7 +481,7 @@ func (p params) get(key string) (int, error) {
 }
 
 // getParam retrieves the parameter as specific type. There is no conversion,
-// so in practice this means that only types that JSON unmarshaling uses
+// so in practice this means that only types that JSON unmarshalling uses
 // (float64, string, bool) work.
 func getParam[T float64 | string | bool](p params, key string) (T, error) {
 	p.isUsed[key] = true
@@ -542,7 +576,7 @@ type realOp interface {
 	patchParams(w *workload) (realOp, error)
 }
 
-// runnableOp is an interface implemented by some operations. It makes it posssible
+// runnableOp is an interface implemented by some operations. It makes it possible
 // to execute the operation without having to add separate code into runWorkload.
 type runnableOp interface {
 	realOp
@@ -672,11 +706,13 @@ type createPodsOp struct {
 	// the namespace, so use different namespaces for pods that
 	// are supposed to be kept running.
 	SteadyState bool
+	// Template parameter for SteadyState.
+	SteadyStateParam string
 	// How long to keep the cluster in a steady state.
 	Duration metav1.Duration
 	// Template parameter for Duration.
 	DurationParam string
-	// Whether or not to enable metrics collection for this createPodsOp.
+	// Whether to enable metrics collection for this createPodsOp.
 	// Optional. Both CollectMetrics and SkipWaitToCompletion cannot be true at
 	// the same time for a particular createPodsOp.
 	CollectMetrics bool
@@ -688,7 +724,7 @@ type createPodsOp struct {
 	// If nil, DefaultPodTemplatePath will be used.
 	// Optional
 	PodTemplatePath *string
-	// Whether or not to wait for all pods in this op to get scheduled.
+	// Whether to wait for all pods in this op to get scheduled.
 	// Defaults to false if not specified.
 	// Optional
 	SkipWaitToCompletion bool
@@ -711,6 +747,9 @@ func (cpo *createPodsOp) isValid(allowParameterization bool) error {
 	if cpo.SkipWaitToCompletion && cpo.SteadyState {
 		return errors.New("skipWaitToCompletion and steadyState cannot be true at the same time")
 	}
+	if cpo.SteadyState && !allowParameterization && cpo.Duration.Duration <= 0 {
+		return errors.New("when creating pods in a steady state, the test duration must be > 0")
+	}
 	return nil
 }
 
@@ -735,6 +774,13 @@ func (cpo createPodsOp) patchParams(w *workload) (realOp, error) {
 			return nil, fmt.Errorf("parsing duration parameter %s: %w", cpo.DurationParam, err)
 		}
 	}
+	if cpo.SteadyStateParam != "" {
+		var err error
+		cpo.SteadyState, err = getParam[bool](w.Params, cpo.SteadyStateParam[1:])
+		if err != nil {
+			return nil, err
+		}
+	}
 	return &cpo, (&cpo).isValid(false)
 }
 
@@ -787,7 +833,7 @@ type deletePodsOp struct {
 	// If empty, it will delete all Pods in the namespace.
 	// Optional.
 	LabelSelector map[string]string
-	// Whether or not to wait for all pods in this op to be deleted.
+	// Whether to wait for all pods in this op to be deleted.
 	// Defaults to false if not specified.
 	// Optional
 	SkipWaitToCompletion bool
@@ -1021,7 +1067,7 @@ func initTestOutput(tb testing.TB) io.Writer {
 
 var specialFilenameChars = regexp.MustCompile(`[^a-zA-Z0-9-_]`)
 
-func setupTestCase(t testing.TB, tc *testCase, featureGates map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (informers.SharedInformerFactory, ktesting.TContext) {
+func setupTestCase(t testing.TB, tc *testCase, featureGates map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (*scheduler.Scheduler, informers.SharedInformerFactory, ktesting.TContext) {
 	tCtx := ktesting.Init(t, initoption.PerTestOutput(UseTestingLog))
 	artifacts, doArtifacts := os.LookupEnv("ARTIFACTS")
 	if !UseTestingLog && doArtifacts {
@@ -1054,6 +1100,11 @@ func setupTestCase(t testing.TB, tc *testCase, featureGates map[featuregate.Feat
 			//
 			// This is a major issue because many Kubernetes goroutines get
 			// started without waiting for them to stop :-(
+			//
+			// In practice, klog's own flushing got called out by the race detector.
+			// As we know about that one, we can force it to stop explicitly to
+			// satisfy the race detector.
+			klog.StopFlushDaemon()
 			if err := logsapi.ResetForTest(LoggingFeatureGate); err != nil {
 				t.Errorf("Failed to reset the logging configuration: %v", err)
 			}
@@ -1097,10 +1148,10 @@ func setupTestCase(t testing.TB, tc *testCase, featureGates map[featuregate.Feat
 	// Only emulate v1.33 when QueueingHints is explicitly disabled.
 	if qhEnabled, exists := featureGates[features.SchedulerQueueingHints]; exists && !qhEnabled {
 		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+	} else if _, found := featureGates[features.OpportunisticBatching]; !found {
+		featureGates[features.OpportunisticBatching] = false
 	}
-	for feature, flag := range featureGates {
-		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, feature, flag)
-	}
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featureGates)
 
 	// 30 minutes should be plenty enough even for the 5000-node tests.
 	timeout := 30 * time.Minute
@@ -1117,13 +1168,9 @@ func setupTestCase(t testing.TB, tc *testCase, featureGates map[featuregate.Feat
 }
 
 func featureGatesMerge(src map[featuregate.Feature]bool, overrides map[featuregate.Feature]bool) map[featuregate.Feature]bool {
-	if len(src) == 0 {
-		return maps.Clone(overrides)
-	}
-	result := maps.Clone(src)
-	for feature, enabled := range overrides {
-		result[feature] = enabled
-	}
+	result := make(map[featuregate.Feature]bool)
+	maps.Copy(result, src)
+	maps.Copy(result, overrides)
 	return result
 }
 
@@ -1201,11 +1248,8 @@ func RunBenchmarkPerfScheduling(b *testing.B, configFile string, topicName strin
 					fixJSONOutput(b)
 
 					featureGates := featureGatesMerge(tc.FeatureGates, w.FeatureGates)
-					informerFactory, tCtx := setupTestCase(b, tc, featureGates, outOfTreePluginRegistry)
+					scheduler, informerFactory, tCtx := setupTestCase(b, tc, featureGates, outOfTreePluginRegistry)
 
-					// TODO(#93795): make sure each workload within a test case has a unique
-					// name? The name is used to identify the stats in benchmark reports.
-					// TODO(#94404): check for unused template parameters? Probably a typo.
 					err := w.isValid(tc.MetricsCollectorConfig)
 					if err != nil {
 						b.Fatalf("workload %s is not valid: %v", w.Name, err)
@@ -1218,7 +1262,7 @@ func RunBenchmarkPerfScheduling(b *testing.B, configFile string, topicName strin
 						}
 					}
 
-					results, err := runWorkload(tCtx, tc, w, informerFactory)
+					results, err := runWorkload(tCtx, tc, w, topicName, scheduler, informerFactory)
 					if err != nil {
 						tCtx.Fatalf("Error running workload %s: %s", w.Name, err)
 					}
@@ -1285,7 +1329,15 @@ func RunBenchmarkPerfScheduling(b *testing.B, configFile string, topicName strin
 			}
 		})
 	}
-	if err := dataItems2JSONFile(dataItems, b.Name()+"_benchmark_"+topicName); err != nil {
+	// Different top-level BenchmarkPerfScheduling* tests are supported as long as they use unique topic names.
+	// The final JSON file then is always called BenchmarkPerfScheduling_benchmark_<topic name>_<date+time>.json
+	// because that is what perf-dash is configured to read:
+	// https://github.com/kubernetes/perf-tests/blob/581139e45e79cf04b9c2777b82677957f1e7f90b/perfdash/config.go#L520-L525
+	namePrefix := b.Name()
+	namePrefix = regexp.MustCompile(`^BenchmarkPerfScheduling[^/]*`).ReplaceAllString(namePrefix, "BenchmarkPerfScheduling")
+	namePrefix = strings.ReplaceAll(namePrefix, "/", "_")
+	namePrefix += "_benchmark_" + topicName
+	if err := dataItems2JSONFile(dataItems, namePrefix); err != nil {
 		b.Fatalf("unable to write measured data %+v: %v", dataItems, err)
 	}
 }
@@ -1313,13 +1365,13 @@ func RunIntegrationPerfScheduling(t *testing.T, configFile string) {
 						t.Skipf("disabled by label filter %q", TestSchedulingLabelFilter)
 					}
 					featureGates := featureGatesMerge(tc.FeatureGates, w.FeatureGates)
-					informerFactory, tCtx := setupTestCase(t, tc, featureGates, nil)
+					scheduler, informerFactory, tCtx := setupTestCase(t, tc, featureGates, nil)
 					err := w.isValid(tc.MetricsCollectorConfig)
 					if err != nil {
 						t.Fatalf("workload %s is not valid: %v", w.Name, err)
 					}
 
-					_, err = runWorkload(tCtx, tc, w, informerFactory)
+					_, err = runWorkload(tCtx, tc, w, "" /* topic name not relevant */, scheduler, informerFactory)
 					if err != nil {
 						tCtx.Fatalf("Error running workload %s: %s", w.Name, err)
 					}
@@ -1379,7 +1431,7 @@ func unrollWorkloadTemplate(tb ktesting.TB, wt []op, w *workload) []op {
 	return unrolled
 }
 
-func setupClusterForWorkload(tCtx ktesting.TContext, configPath string, featureGates map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (informers.SharedInformerFactory, ktesting.TContext) {
+func setupClusterForWorkload(tCtx ktesting.TContext, configPath string, featureGates map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (*scheduler.Scheduler, informers.SharedInformerFactory, ktesting.TContext) {
 	var cfg *config.KubeSchedulerConfiguration
 	var err error
 	if configPath != "" {
@@ -1443,6 +1495,10 @@ func checkEmptyInFlightEvents() error {
 func startCollectingMetrics(tCtx ktesting.TContext, collectorWG *sync.WaitGroup, podInformer coreinformers.PodInformer, mcc *metricsCollectorConfig, throughputErrorMargin float64, opIndex int, name string, namespaces []string, labelSelector map[string]string) (ktesting.TContext, []testDataCollector, error) {
 	collectorCtx := ktesting.WithCancel(tCtx)
 	workloadName := tCtx.Name()
+
+	// Clean up memory usage from the initial setup phase.
+	runtime.GC()
+
 	// The first part is the same for each workload, therefore we can strip it.
 	workloadName = workloadName[strings.Index(name, "/")+1:]
 	collectors := getTestDataCollectors(podInformer, fmt.Sprintf("%s/%s", workloadName, name), namespaces, labelSelector, mcc, throughputErrorMargin)
@@ -1462,10 +1518,17 @@ func startCollectingMetrics(tCtx ktesting.TContext, collectorWG *sync.WaitGroup,
 			collector.run(collectorCtx)
 		}()
 	}
+	if b, ok := tCtx.TB().(*testing.B); ok {
+		b.ResetTimer()
+	}
+	tCtx.Log("Started metrics collection")
 	return collectorCtx, collectors, nil
 }
 
 func stopCollectingMetrics(tCtx ktesting.TContext, collectorCtx ktesting.TContext, collectorWG *sync.WaitGroup, threshold float64, tms thresholdMetricSelector, opIndex int, collectors []testDataCollector) ([]DataItem, error) {
+	if b, ok := tCtx.TB().(*testing.B); ok {
+		b.StopTimer()
+	}
 	if collectorCtx == nil {
 		return nil, fmt.Errorf("missing startCollectingMetrics operation before stopping")
 	}
@@ -1480,11 +1543,13 @@ func stopCollectingMetrics(tCtx ktesting.TContext, collectorCtx ktesting.TContex
 			tCtx.Errorf("op %d: %s", opIndex, err)
 		}
 	}
+	tCtx.Log("Stopped metrics collection")
 	return dataItems, nil
 }
 
 type WorkloadExecutor struct {
 	tCtx                         ktesting.TContext
+	scheduler                    *scheduler.Scheduler
 	wg                           sync.WaitGroup
 	collectorCtx                 ktesting.TContext
 	collectorWG                  sync.WaitGroup
@@ -1495,10 +1560,11 @@ type WorkloadExecutor struct {
 	throughputErrorMargin        float64
 	testCase                     *testCase
 	workload                     *workload
+	topicName                    string
 	nextNodeIndex                int
 }
 
-func runWorkload(tCtx ktesting.TContext, tc *testCase, w *workload, informerFactory informers.SharedInformerFactory) ([]DataItem, error) {
+func runWorkload(tCtx ktesting.TContext, tc *testCase, w *workload, topicName string, scheduler *scheduler.Scheduler, informerFactory informers.SharedInformerFactory) ([]DataItem, error) {
 	b, benchmarking := tCtx.TB().(*testing.B)
 	if benchmarking {
 		start := time.Now()
@@ -1532,11 +1598,13 @@ func runWorkload(tCtx ktesting.TContext, tc *testCase, w *workload, informerFact
 
 	executor := WorkloadExecutor{
 		tCtx:                         tCtx,
+		scheduler:                    scheduler,
 		numPodsScheduledPerNamespace: make(map[string]int),
 		podInformer:                  podInformer,
 		throughputErrorMargin:        throughputErrorMargin,
 		testCase:                     tc,
 		workload:                     w,
+		topicName:                    topicName,
 	}
 
 	tCtx.TB().Cleanup(func() {
@@ -1592,6 +1660,9 @@ func (e *WorkloadExecutor) runOp(op realOp, opIndex int) error {
 		return e.runStartCollectingMetricsOp(opIndex, concreteOp)
 	case *stopCollectingMetricsOp:
 		return e.runStopCollectingMetrics(opIndex)
+	case *createResourceDriverOp:
+		concreteOp.run(e.tCtx, e.scheduler.Profiles["default-scheduler"].SharedDRAManager())
+		return nil
 	default:
 		return e.runDefaultOp(opIndex, concreteOp)
 	}
@@ -1671,7 +1742,7 @@ func (e *WorkloadExecutor) runSleepOp(op *sleepOp) error {
 }
 
 func (e *WorkloadExecutor) runStopCollectingMetrics(opIndex int) error {
-	items, err := stopCollectingMetrics(e.tCtx, e.collectorCtx, &e.collectorWG, e.workload.Threshold, *e.workload.ThresholdMetricSelector, opIndex, e.collectors)
+	items, err := stopCollectingMetrics(e.tCtx, e.collectorCtx, &e.collectorWG, e.workload.Threshold.Get(e.topicName), *e.workload.ThresholdMetricSelector, opIndex, e.collectors)
 	if err != nil {
 		return err
 	}
@@ -1725,7 +1796,7 @@ func (e *WorkloadExecutor) runCreatePodsOp(opIndex int, op *createPodsOp) error
 		// CollectMetrics and SkipWaitToCompletion can never be true at the
 		// same time, so if we're here, it means that all pods have been
 		// scheduled.
-		items, err := stopCollectingMetrics(e.tCtx, e.collectorCtx, &e.collectorWG, e.workload.Threshold, *e.workload.ThresholdMetricSelector, opIndex, e.collectors)
+		items, err := stopCollectingMetrics(e.tCtx, e.collectorCtx, &e.collectorWG, e.workload.Threshold.Get(e.topicName), *e.workload.ThresholdMetricSelector, opIndex, e.collectors)
 		if err != nil {
 			return err
 		}
@@ -1894,17 +1965,17 @@ func (e *WorkloadExecutor) runChurnOp(opIndex int, op *churnOp) error {
 }
 
 func (e *WorkloadExecutor) runDefaultOp(opIndex int, op realOp) error {
-	runable, ok := op.(runnableOp)
+	runnable, ok := op.(runnableOp)
 	if !ok {
 		return fmt.Errorf("invalid op %v", op)
 	}
-	for _, namespace := range runable.requiredNamespaces() {
+	for _, namespace := range runnable.requiredNamespaces() {
 		err := createNamespaceIfNotPresent(e.tCtx, namespace, &e.numPodsScheduledPerNamespace)
 		if err != nil {
 			return err
 		}
 	}
-	runable.run(e.tCtx)
+	runnable.run(e.tCtx)
 	return nil
 }
 
@@ -2058,6 +2129,8 @@ func createPodsSteadily(tCtx ktesting.TContext, namespace string, podInformer co
 				return
 			}
 
+			mutex.Lock()
+			defer mutex.Unlock()
 			existingPods--
 			if pod.Spec.NodeName != "" {
 				runningPods--
@@ -2086,6 +2159,23 @@ func createPodsSteadily(tCtx ktesting.TContext, namespace string, podInformer co
 		select {
 		case <-tCtx.Done():
 			tCtx.Logf("Completed after seeing %d scheduled pod: %v", countScheduledPods, context.Cause(tCtx))
+
+			// Sanity check: at least one pod should have been scheduled,
+			// giving us a non-zero average.
+			//
+			// This is important because otherwise "no pods scheduled because of constant
+			// failure" would not get detected in unit tests. For benchmarks
+			// it's less important, but indicates that the time period
+			// might have been too small.
+			//
+			// The collector logs "Failed to measure SchedulingThroughput ... Increase pods and/or nodes to make scheduling take longer"
+			// but that is hard to spot.
+			//
+			// The non-steady case blocks until all pods have been scheduled
+			// and doesn't need this check.
+			if countScheduledPods == 0 {
+				return errors.New("no pod at all got scheduled, either because of a problem or because the test interval was too small")
+			}
 			return nil
 		case <-scheduledPods:
 			countScheduledPods++
@@ -2175,7 +2265,7 @@ func waitUntilPodsScheduledInNamespace(tCtx ktesting.TContext, podInformer corei
 }
 
 // waitUntilPodsAttemptedInNamespace blocks until all pods in the given
-// namespace at least once went through a schedyling cycle.
+// namespace at least once went through a scheduling cycle.
 // Times out after 10 minutes similarly to waitUntilPodsScheduledInNamespace.
 func waitUntilPodsAttemptedInNamespace(tCtx ktesting.TContext, podInformer coreinformers.PodInformer, labelSelector map[string]string, namespace string, wantCount int) error {
 	var pendingPod *v1.Pod
@@ -2236,7 +2326,7 @@ func waitUntilPodsScheduled(tCtx ktesting.TContext, podInformer coreinformers.Po
 }
 
 // waitUntilPodsAttempted blocks until the all pods in the given namespaces are
-// attempted (at least once went through a schedyling cycle).
+// attempted (at least once went through a scheduling cycle).
 func waitUntilPodsAttempted(tCtx ktesting.TContext, podInformer coreinformers.PodInformer, labelSelector map[string]string, namespaces []string, numPodsScheduledPerNamespace map[string]int) error {
 	// If unspecified, default to all known namespaces.
 	if len(namespaces) == 0 {
@@ -2324,7 +2414,8 @@ func validateTestCases(testCases []*testCase) error {
 			return fmt.Errorf("%s: no ops defined", tc.Name)
 		}
 		// Make sure there's at least one CreatePods op with collectMetrics set to
-		// true in each workload. What's the point of running a performance
+		// true, or a startCollectingMetricsOp together with stopCollectingMetricsOp
+		// in each workload. What's the point of running a performance
 		// benchmark if no statistics are collected for reporting?
 		if !tc.collectsMetrics() {
 			return fmt.Errorf("%s: no op in the workload template collects metrics", tc.Name)
diff --git a/test/integration/scheduler_perf/scheduler_perf_test.go b/test/integration/scheduler_perf/scheduler_perf_test.go
index d110655479a11..0deccf942d5a4 100644
--- a/test/integration/scheduler_perf/scheduler_perf_test.go
+++ b/test/integration/scheduler_perf/scheduler_perf_test.go
@@ -31,6 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/component-base/featuregate"
 	testutils "k8s.io/kubernetes/test/utils"
 	ktesting "k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
@@ -416,3 +417,82 @@ func createObjTemplateFile(t *testing.T, obj any) *string {
 	}
 	return &templateFile
 }
+
+func TestFeatureGatesMerge(t *testing.T) {
+	const (
+		FeatureA featuregate.Feature = "FeatureA"
+		FeatureB featuregate.Feature = "FeatureB"
+		FeatureC featuregate.Feature = "FeatureC"
+	)
+
+	tests := []struct {
+		name      string
+		src       map[featuregate.Feature]bool
+		overrides map[featuregate.Feature]bool
+		want      map[featuregate.Feature]bool
+	}{
+		{
+			name:      "both nil, return empty map",
+			src:       nil,
+			overrides: nil,
+			want:      map[featuregate.Feature]bool{},
+		},
+		{
+			name:      "both empty, return empty map",
+			src:       map[featuregate.Feature]bool{},
+			overrides: map[featuregate.Feature]bool{},
+			want:      map[featuregate.Feature]bool{},
+		},
+		{
+			name:      "nil src, valid overrides",
+			src:       nil,
+			overrides: map[featuregate.Feature]bool{FeatureA: true},
+			want:      map[featuregate.Feature]bool{FeatureA: true},
+		},
+		{
+			name:      "valid src, nil overrides",
+			src:       map[featuregate.Feature]bool{FeatureA: true},
+			overrides: nil,
+			want:      map[featuregate.Feature]bool{FeatureA: true},
+		},
+		{
+			name:      "distinct features merged",
+			src:       map[featuregate.Feature]bool{FeatureA: true},
+			overrides: map[featuregate.Feature]bool{FeatureB: false},
+			want:      map[featuregate.Feature]bool{FeatureA: true, FeatureB: false},
+		},
+		{
+			name:      "overlap with the same value",
+			src:       map[featuregate.Feature]bool{FeatureA: true, FeatureB: true},
+			overrides: map[featuregate.Feature]bool{FeatureB: true},
+			want:      map[featuregate.Feature]bool{FeatureA: true, FeatureB: true},
+		},
+		{
+			name:      "overlap with override (true to false)",
+			src:       map[featuregate.Feature]bool{FeatureA: true},
+			overrides: map[featuregate.Feature]bool{FeatureA: false},
+			want:      map[featuregate.Feature]bool{FeatureA: false},
+		},
+		{
+			name:      "overlap with override (false to true)",
+			src:       map[featuregate.Feature]bool{FeatureA: false},
+			overrides: map[featuregate.Feature]bool{FeatureA: true},
+			want:      map[featuregate.Feature]bool{FeatureA: true},
+		},
+		{
+			name:      "mixed distinct and overlap",
+			src:       map[featuregate.Feature]bool{FeatureA: true, FeatureB: true},
+			overrides: map[featuregate.Feature]bool{FeatureB: false, FeatureC: true},
+			want:      map[featuregate.Feature]bool{FeatureA: true, FeatureB: false, FeatureC: true},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := featureGatesMerge(tt.src, tt.overrides)
+			if diff := cmp.Diff(tt.want, got); diff != "" {
+				t.Errorf("Unexpected featureGatesMerge result (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/test/integration/scheduler_perf/topology_spreading/performance-config.yaml b/test/integration/scheduler_perf/topology_spreading/performance-config.yaml
index 3bee5b7d02802..a3089d9c11198 100644
--- a/test/integration/scheduler_perf/topology_spreading/performance-config.yaml
+++ b/test/integration/scheduler_perf/topology_spreading/performance-config.yaml
@@ -50,7 +50,6 @@
       initPods: 10
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 1000
@@ -113,7 +112,6 @@
       initPods: 10
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 1000
@@ -182,7 +180,6 @@
       initPods: 10
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 1000
@@ -241,7 +238,6 @@
       normalNodes: 4
       measurePods: 4
   - name: 500Nodes
-    labels: [performance, short]
     params:
       taintNodes: 100
       normalNodes: 400
diff --git a/test/integration/scheduler_perf/util.go b/test/integration/scheduler_perf/util.go
index 74c794556076d..85c99d84d7f93 100644
--- a/test/integration/scheduler_perf/util.go
+++ b/test/integration/scheduler_perf/util.go
@@ -51,6 +51,7 @@ import (
 	kubeschedulerconfigv1 "k8s.io/kube-scheduler/config/v1"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/scheduler"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config"
 	kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
 	frameworkruntime "k8s.io/kubernetes/pkg/scheduler/framework/runtime"
@@ -91,7 +92,7 @@ func newDefaultComponentConfig() (*config.KubeSchedulerConfiguration, error) {
 // remove resources after finished.
 // Notes on rate limiter:
 //   - client rate limit is set to 5000.
-func mustSetupCluster(tCtx ktesting.TContext, config *config.KubeSchedulerConfiguration, enabledFeatures map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (informers.SharedInformerFactory, ktesting.TContext) {
+func mustSetupCluster(tCtx ktesting.TContext, config *config.KubeSchedulerConfiguration, enabledFeatures map[featuregate.Feature]bool, outOfTreePluginRegistry frameworkruntime.Registry) (*scheduler.Scheduler, informers.SharedInformerFactory, ktesting.TContext) {
 	var runtimeConfig []string
 	if enabledFeatures[features.DynamicResourceAllocation] {
 		runtimeConfig = append(runtimeConfig, fmt.Sprintf("%s=true", resourceapi.SchemeGroupVersion))
@@ -135,7 +136,7 @@ func mustSetupCluster(tCtx ktesting.TContext, config *config.KubeSchedulerConfig
 
 	// Not all config options will be effective but only those mostly related with scheduler performance will
 	// be applied to start a scheduler, most of them are defined in `scheduler.schedulerOptions`.
-	_, informerFactory := util.StartScheduler(tCtx, config, outOfTreePluginRegistry)
+	scheduler, informerFactory := util.StartScheduler(tCtx, config, outOfTreePluginRegistry)
 	util.StartFakePVController(tCtx, tCtx.Client(), informerFactory)
 	runGC := util.CreateGCController(tCtx, tCtx, *cfg, informerFactory)
 	runNS := util.CreateNamespaceController(tCtx, tCtx, *cfg, informerFactory)
@@ -153,7 +154,7 @@ func mustSetupCluster(tCtx ktesting.TContext, config *config.KubeSchedulerConfig
 	go runNS()
 	go runResourceClaimController()
 
-	return informerFactory, tCtx
+	return scheduler, informerFactory, tCtx
 }
 
 func isAttempted(pod *v1.Pod) bool {
diff --git a/test/integration/scheduler_perf/volumes/performance-config.yaml b/test/integration/scheduler_perf/volumes/performance-config.yaml
index 74deb810e0230..74ef0aa232029 100644
--- a/test/integration/scheduler_perf/volumes/performance-config.yaml
+++ b/test/integration/scheduler_perf/volumes/performance-config.yaml
@@ -45,13 +45,11 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
       measurePods: 1000
   - name: 5000Nodes
-    labels: [performance, short]
     params:
       initNodes: 5000
       initPods: 5000
@@ -106,7 +104,6 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
@@ -176,7 +173,6 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
@@ -244,7 +240,6 @@
       initPods: 5
       measurePods: 10
   - name: 500Nodes
-    labels: [performance, short]
     params:
       initNodes: 500
       initPods: 500
diff --git a/test/integration/service/loadbalancer_test.go b/test/integration/service/loadbalancer_test.go
index 13188a97fb79d..abf88c854a457 100644
--- a/test/integration/service/loadbalancer_test.go
+++ b/test/integration/service/loadbalancer_test.go
@@ -19,7 +19,6 @@ package service
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"testing"
 	"time"
 
@@ -657,24 +656,13 @@ func Test_ServiceLoadBalancerIPMode(t *testing.T) {
 	}
 
 	testCases := []struct {
-		ipModeEnabled   bool
 		setIPMode       *corev1.LoadBalancerIPMode
 		externalIP      string
 		expectedIngress corev1.LoadBalancerIngress
 	}{
 		{
-			ipModeEnabled: false,
-			externalIP:    "1.2.3.4",
-			expectedIngress: corev1.LoadBalancerIngress{
-				IP:     "1.2.3.4",
-				IPMode: nil,
-				Ports:  []corev1.PortStatus{{Port: 80, Protocol: corev1.ProtocolTCP}},
-			},
-		},
-		{
-			ipModeEnabled: true,
-			setIPMode:     nil,
-			externalIP:    "1.2.3.4",
+			setIPMode:  nil,
+			externalIP: "1.2.3.4",
 			expectedIngress: corev1.LoadBalancerIngress{
 				IP:     "1.2.3.4",
 				IPMode: ptr.To(corev1.LoadBalancerIPModeVIP),
@@ -682,9 +670,8 @@ func Test_ServiceLoadBalancerIPMode(t *testing.T) {
 			},
 		},
 		{
-			ipModeEnabled: true,
-			setIPMode:     ptr.To(corev1.LoadBalancerIPModeVIP),
-			externalIP:    "1.2.3.4",
+			setIPMode:  ptr.To(corev1.LoadBalancerIPModeVIP),
+			externalIP: "1.2.3.4",
 			expectedIngress: corev1.LoadBalancerIngress{
 				IP:     "1.2.3.4",
 				IPMode: ptr.To(corev1.LoadBalancerIPModeVIP),
@@ -692,9 +679,8 @@ func Test_ServiceLoadBalancerIPMode(t *testing.T) {
 			},
 		},
 		{
-			ipModeEnabled: true,
-			setIPMode:     ptr.To(corev1.LoadBalancerIPModeProxy),
-			externalIP:    "1.2.3.4",
+			setIPMode:  ptr.To(corev1.LoadBalancerIPModeProxy),
+			externalIP: "1.2.3.4",
 			expectedIngress: corev1.LoadBalancerIngress{
 				IP:     "1.2.3.4",
 				IPMode: ptr.To(corev1.LoadBalancerIPModeProxy),
@@ -705,12 +691,7 @@ func Test_ServiceLoadBalancerIPMode(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run("", func(t *testing.T) {
-			serverFlags := framework.DefaultTestServerFlags()
-			if !tc.ipModeEnabled {
-				serverFlags = append(serverFlags, "--emulated-version=1.31")
-			}
-			serverFlags = append(serverFlags, fmt.Sprintf("--feature-gates=LoadBalancerIPMode=%v", tc.ipModeEnabled))
-			server := kubeapiservertesting.StartTestServerOrDie(t, nil, serverFlags, framework.SharedEtcd())
+			server := kubeapiservertesting.StartTestServerOrDie(t, nil, framework.DefaultTestServerFlags(), framework.SharedEtcd())
 			defer server.TearDownFn()
 
 			client, err := clientset.NewForConfig(server.ClientConfig)
@@ -751,8 +732,8 @@ func Test_ServiceLoadBalancerIPMode(t *testing.T) {
 
 			ingress := service.Status.LoadBalancer.Ingress[0]
 			if !apiequality.Semantic.DeepEqual(&ingress, &tc.expectedIngress) {
-				t.Errorf("expected Ingress %v, got IP %v",
-					ingress, tc.expectedIngress)
+				t.Errorf("expected Ingress %v, got %v",
+					tc.expectedIngress, ingress)
 				if ingress.IPMode != nil && tc.expectedIngress.IPMode != nil {
 					t.Logf("IPMode %v expected %v", *ingress.IPMode, *tc.expectedIngress.IPMode)
 				}
diff --git a/test/integration/service/service_test.go b/test/integration/service/service_test.go
index 04b11f9f7ee51..296f5532b420c 100644
--- a/test/integration/service/service_test.go
+++ b/test/integration/service/service_test.go
@@ -549,141 +549,6 @@ func Test_TransitionsForTrafficDistribution(t *testing.T) {
 	}
 
 	assertEndpointSliceHints(t, ctx, client, ns.GetName(), svc.GetName(), false, false)
-}
-
-// Test transitions involving the `trafficDistribution` field with
-// PreferSameTrafficDistribution enabled.
-func Test_TransitionsForPreferSameTrafficDistribution(t *testing.T) {
-
-	////////////////////////////////////////////////////////////////////////////
-	// Setup components, like kube-apiserver and EndpointSlice controller.
-	////////////////////////////////////////////////////////////////////////////
-
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceTrafficDistribution, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.PreferSameTrafficDistribution, true)
-
-	// Disable ServiceAccount admission plugin as we don't have serviceaccount controller running.
-	server := kubeapiservertesting.StartTestServerOrDie(t, nil, framework.DefaultTestServerFlags(), framework.SharedEtcd())
-	defer server.TearDownFn()
-
-	client, err := clientset.NewForConfig(server.ClientConfig)
-	if err != nil {
-		t.Fatalf("Error creating clientset: %v", err)
-	}
-
-	resyncPeriod := 12 * time.Hour
-	informers := informers.NewSharedInformerFactory(client, resyncPeriod)
-
-	ctx := ktesting.Init(t)
-	defer ctx.Cancel("test has completed")
-	epsController := endpointslice.NewController(
-		ctx,
-		informers.Core().V1().Pods(),
-		informers.Core().V1().Services(),
-		informers.Core().V1().Nodes(),
-		informers.Discovery().V1().EndpointSlices(),
-		int32(100),
-		client,
-		1*time.Second,
-	)
-
-	informers.Start(ctx.Done())
-	go epsController.Run(ctx, 1)
-
-	////////////////////////////////////////////////////////////////////////////
-	// Create a namespace, node, pod in the node, and a service exposing the pod.
-	////////////////////////////////////////////////////////////////////////////
-
-	ns := framework.CreateNamespaceOrDie(client, "test-service-traffic-distribution", t)
-	defer framework.DeleteNamespaceOrDie(client, ns, t)
-
-	node := &corev1.Node{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "fake-node",
-			Labels: map[string]string{
-				corev1.LabelTopologyZone: "fake-zone-1",
-			},
-		},
-	}
-
-	pod := &corev1.Pod{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-pod",
-			Namespace: ns.GetName(),
-			Labels: map[string]string{
-				"foo": "bar",
-			},
-		},
-		Spec: corev1.PodSpec{
-			NodeName: node.GetName(),
-			Containers: []corev1.Container{
-				{
-					Name:  "fake-name",
-					Image: "fake-image",
-					Ports: []corev1.ContainerPort{
-						{
-							Name:          "port-443",
-							ContainerPort: 443,
-						},
-					},
-				},
-			},
-		},
-		Status: corev1.PodStatus{
-			Phase: corev1.PodRunning,
-			Conditions: []corev1.PodCondition{
-				{
-					Type:   corev1.PodReady,
-					Status: corev1.ConditionTrue,
-				},
-			},
-			PodIP: "10.0.0.1",
-			PodIPs: []corev1.PodIP{
-				{
-					IP: "10.0.0.1",
-				},
-			},
-		},
-	}
-
-	svc := &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-service",
-			Namespace: ns.GetName(),
-		},
-		Spec: corev1.ServiceSpec{
-			Selector: map[string]string{
-				"foo": "bar",
-			},
-			Ports: []corev1.ServicePort{
-				{Name: "port-443", Port: 443, Protocol: "TCP", TargetPort: intstr.FromInt32(443)},
-			},
-		},
-	}
-
-	_, err = client.CoreV1().Nodes().Create(ctx, node, metav1.CreateOptions{})
-	if err != nil {
-		t.Fatalf("Failed to create test node: %v", err)
-	}
-	_, err = client.CoreV1().Pods(ns.Name).Create(ctx, pod, metav1.CreateOptions{})
-	if err != nil {
-		t.Fatalf("Failed to create test ready pod: %v", err)
-	}
-	_, err = client.CoreV1().Pods(ns.Name).UpdateStatus(ctx, pod, metav1.UpdateOptions{})
-	if err != nil {
-		t.Fatalf("Failed to update status for test pod to Ready: %v", err)
-	}
-	_, err = client.CoreV1().Services(ns.Name).Create(ctx, svc, metav1.CreateOptions{})
-	if err != nil {
-		t.Fatalf("Failed to create test service: %v", err)
-	}
-
-	////////////////////////////////////////////////////////////////////////////
-	// Assert that without the presence of `trafficDistribution` field there are
-	// no zone hints in EndpointSlice.
-	////////////////////////////////////////////////////////////////////////////
-
-	assertEndpointSliceHints(t, ctx, client, ns.GetName(), svc.GetName(), false, false)
 
 	////////////////////////////////////////////////////////////////////////////
 	// Update the service by setting `trafficDistribution: PreferSameZone`
@@ -691,7 +556,7 @@ func Test_TransitionsForPreferSameTrafficDistribution(t *testing.T) {
 	// Assert that the respective EndpointSlices get the same-zone hints.
 	////////////////////////////////////////////////////////////////////////////
 
-	trafficDist := corev1.ServiceTrafficDistributionPreferSameZone
+	trafficDist = corev1.ServiceTrafficDistributionPreferSameZone
 	svc.Spec.TrafficDistribution = &trafficDist
 	_, err = client.CoreV1().Services(ns.Name).Update(ctx, svc, metav1.UpdateOptions{})
 	if err != nil {
diff --git a/test/integration/serviceaccount/service_account_test.go b/test/integration/serviceaccount/service_account_test.go
index dc75b84136088..69fbba42c4d23 100644
--- a/test/integration/serviceaccount/service_account_test.go
+++ b/test/integration/serviceaccount/service_account_test.go
@@ -406,8 +406,9 @@ func startServiceAccountTestServerAndWaitForCaches(ctx context.Context, t *testi
 		return rootClientset, clientConfig, stop, informers, err
 	}
 	go tokenController.Run(ctx, 1)
-
+	logger := klog.FromContext(ctx)
 	serviceAccountController, err := serviceaccountcontroller.NewServiceAccountsController(
+		logger,
 		informers.Core().V1().ServiceAccounts(),
 		informers.Core().V1().Namespaces(),
 		rootClientset,
diff --git a/test/integration/servicecidr/allocator_test.go b/test/integration/servicecidr/allocator_test.go
index 1e370d8b886b1..ee6c425897e29 100644
--- a/test/integration/servicecidr/allocator_test.go
+++ b/test/integration/servicecidr/allocator_test.go
@@ -30,9 +30,11 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/controller/servicecidrs"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/integration/framework"
 	"k8s.io/kubernetes/test/utils/ktesting"
@@ -61,11 +63,6 @@ func TestServiceAllocation(t *testing.T) {
 			ipAllocatorGate:      true,
 			disableDualWriteGate: true,
 		},
-		{
-			name:                 "disable dual write with bitmap allocator",
-			ipAllocatorGate:      false,
-			disableDualWriteGate: true,
-		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -296,6 +293,9 @@ func TestMigrateService(t *testing.T) {
 // TestSkewedAllocatorsRollback creating an apiserver with the new allocator and
 // later starting an old apiserver with the bitmap allocator.
 func TestSkewedAllocatorsRollback(t *testing.T) {
+	// TODO(#134606): Fix or remove this test.
+	t.Skip("Temporarily disabled: see http://issues.k8s.io/134606")
+
 	svc := func(i int) *v1.Service {
 		return &v1.Service{
 			ObjectMeta: metav1.ObjectMeta{
@@ -344,7 +344,7 @@ func TestSkewedAllocatorsRollback(t *testing.T) {
 			"--service-cluster-ip-range=10.0.0.0/24",
 			"--disable-admission-plugins=ServiceAccount",
 			"--emulated-version=1.33",
-			fmt.Sprintf("--feature-gates=%s=false,%s=true", features.MultiCIDRServiceAllocator, features.DisableAllocatorDualWrite)},
+			fmt.Sprintf("--feature-gates=%s=false,%s=false", features.MultiCIDRServiceAllocator, features.DisableAllocatorDualWrite)},
 		etcdOptions)
 	defer s2.TearDownFn()
 
@@ -574,3 +574,77 @@ func TestFlagsIPAllocator(t *testing.T) {
 	}
 
 }
+
+// regression test for https://issues.k8s.io/135333
+func TestInvalidService(t *testing.T) {
+	etcdOptions := framework.SharedEtcd()
+	apiServerOptions := kubeapiservertesting.NewDefaultTestServerOptions()
+	s := kubeapiservertesting.StartTestServerOrDie(t,
+		apiServerOptions,
+		[]string{
+			"--service-cluster-ip-range=10.0.0.0/24",
+			"--disable-admission-plugins=ServiceAccount",
+		},
+		etcdOptions)
+	defer s.TearDownFn()
+
+	client, err := clientset.NewForConfig(s.ClientConfig)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	// ServiceCIDR controller
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	resyncPeriod := 12 * time.Hour
+	informerFactory := informers.NewSharedInformerFactory(client, resyncPeriod)
+	go servicecidrs.NewController(
+		ctx,
+		informerFactory.Networking().V1().ServiceCIDRs(),
+		informerFactory.Networking().V1().IPAddresses(),
+		client,
+	).Run(ctx, 5)
+	informerFactory.Start(ctx.Done())
+	informerFactory.WaitForCacheSync(ctx.Done())
+
+	// Add a new service CIDR to be able to create new IPs.
+	cidr := makeServiceCIDR("test2", "10.168.0.0/24", "")
+	if _, err := client.NetworkingV1().ServiceCIDRs().Create(context.Background(), cidr, metav1.CreateOptions{}); err != nil {
+		t.Fatalf("got unexpected error: %v", err)
+	}
+	// wait ServiceCIDR is ready
+	if err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, time.Minute, false, func(ctx context.Context) (bool, error) {
+		cidr, err := client.NetworkingV1().ServiceCIDRs().Get(context.TODO(), cidr.Name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		return isServiceCIDRReady(cidr), nil
+	}); err != nil {
+		t.Fatalf("waiting for service cidr ready condition %v", err)
+	}
+
+	// A service without a name keeps failing to allocate an IP address because
+	// it tries to create the IPAddress object with an invalid reference.
+	// Eventually the request times out causing high CPU usage during that time.
+	svc := &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeClusterIP,
+			Ports: []v1.ServicePort{
+				{Port: 80},
+			},
+		},
+	}
+
+	// The request can not time out during the allocation and should return an invalid error instead.
+	ctx, cancel = context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	// It will fail because the service is missing a name
+	_, err = client.CoreV1().Services(metav1.NamespaceDefault).Create(ctx, svc, metav1.CreateOptions{})
+	if err == nil {
+		t.Fatalf("expected error")
+	}
+	if !apierrors.IsInvalid(err) {
+		t.Errorf("unexpected error reason: %v", err)
+	}
+
+}
diff --git a/test/integration/servicecidr/feature_enable_disable_test.go b/test/integration/servicecidr/feature_enable_disable_test.go
index a17701561cb14..042f73812aa5f 100644
--- a/test/integration/servicecidr/feature_enable_disable_test.go
+++ b/test/integration/servicecidr/feature_enable_disable_test.go
@@ -53,7 +53,7 @@ func TestEnableDisableServiceCIDR(t *testing.T) {
 			"--service-cluster-ip-range=10.0.0.0/24",
 			"--disable-admission-plugins=ServiceAccount",
 			"--emulated-version=1.33",
-			fmt.Sprintf("--feature-gates=%s=false", features.MultiCIDRServiceAllocator)},
+			fmt.Sprintf("--feature-gates=%s=false,%s=false", features.MultiCIDRServiceAllocator, features.DisableAllocatorDualWrite)},
 		etcdOptions)
 
 	client1, err := clientset.NewForConfig(s1.ClientConfig)
@@ -115,7 +115,7 @@ func TestEnableDisableServiceCIDR(t *testing.T) {
 			"--service-cluster-ip-range=10.0.0.0/24",
 			"--disable-admission-plugins=ServiceAccount",
 			"--emulated-version=1.33",
-			fmt.Sprintf("--feature-gates=%s=false", features.MultiCIDRServiceAllocator)},
+			fmt.Sprintf("--feature-gates=%s=false,%s=false", features.MultiCIDRServiceAllocator, features.DisableAllocatorDualWrite)},
 		etcdOptions)
 	defer s3.TearDownFn()
 
diff --git a/test/integration/servicecidr/servicecidr_test.go b/test/integration/servicecidr/servicecidr_test.go
index 4d9194c47eedb..97cd453142d70 100644
--- a/test/integration/servicecidr/servicecidr_test.go
+++ b/test/integration/servicecidr/servicecidr_test.go
@@ -20,10 +20,13 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"reflect"
+	"sort"
 	"strings"
 	"testing"
 	"time"
 
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	v1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -31,9 +34,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/controller/servicecidrs"
 	"k8s.io/kubernetes/test/integration/framework"
+	"k8s.io/utils/ptr"
 )
 
 func TestServiceAllocNewServiceCIDR(t *testing.T) {
@@ -348,3 +353,173 @@ func cidrContainsIP(cidr, ip string) bool {
 	address := netip.MustParseAddr(ip)
 	return prefix.Contains(address)
 }
+
+// TestValidationAdmissionPolicyServiceCIDR tests that a ValidatingAdmissionPolicy
+// can be used to prevent updates to the default ServiceCIDR from users other than the
+// apiserver, and that the apiserver can update it on startup.
+func TestValidationAdmissionPolicyServiceCIDR(t *testing.T) {
+	// This test restarts the apiserver, so it cannot run in parallel.
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	etcdOptions := framework.SharedEtcd()
+	// 1. Start an apiserver as a single stack.
+	apiServerOptions := kubeapiservertesting.NewDefaultTestServerOptions()
+	s := kubeapiservertesting.StartTestServerOrDie(t,
+		apiServerOptions,
+		[]string{
+			"--runtime-config=networking.k8s.io/v1=true",
+			"--service-cluster-ip-range=192.168.0.0/24",
+			"--advertise-address=10.1.1.1",
+			"--disable-admission-plugins=ServiceAccount",
+			"--enable-admission-plugins=ValidatingAdmissionPolicy",
+		},
+		etcdOptions)
+
+	clientset, err := kubernetes.NewForConfig(s.ClientConfig)
+	if err != nil {
+		s.TearDownFn()
+		t.Fatalf("Failed to create clientset: %v", err)
+	}
+
+	// fake user
+	newCfg := *s.ClientConfig
+	newCfg.Impersonate = rest.ImpersonationConfig{
+		UserName: "fake-admin",
+		Groups:   []string{"system:authenticated"},
+	}
+	kc, err := kubernetes.NewForConfig(&newCfg)
+	if err != nil {
+		t.Fatalf("Unexpected error creating kubernetes client impersonating %q", newCfg.Impersonate.UserName)
+	}
+
+	// 2. Install a validationadmissionpolicy that only allows the user apiserver to update the default servicecidr to dual stack
+	policy := &admissionregistrationv1.ValidatingAdmissionPolicy{
+		ObjectMeta: metav1.ObjectMeta{Name: "deny-non-apiserver-servicecidr-updates"},
+		Spec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
+			FailurePolicy: ptr.To(admissionregistrationv1.Fail),
+			MatchConstraints: &admissionregistrationv1.MatchResources{
+				ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
+					{
+						RuleWithOperations: admissionregistrationv1.RuleWithOperations{
+							Operations: []admissionregistrationv1.OperationType{"CREATE", "UPDATE"},
+							Rule:       admissionregistrationv1.Rule{APIGroups: []string{"networking.k8s.io"}, APIVersions: []string{"v1"}, Resources: []string{"servicecidrs"}},
+						},
+					},
+				},
+			},
+			Validations: []admissionregistrationv1.Validation{{
+				// only allow to CREATE or UPDATE the default kubernetes ServiceCIDR to the apiserver
+				Expression: "request.userInfo.username == 'system:apiserver' && 'system:masters' in request.userInfo.groups",
+				Message:    "only apiserver can update and create servicecidrs",
+			}, {
+				Expression: "object.metadata.name == 'kubernetes'",
+				Message:    "only allow changes on the default servicecidr",
+			}},
+		},
+	}
+	policy, err = clientset.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(ctx, policy, metav1.CreateOptions{})
+	if err != nil {
+		s.TearDownFn()
+		t.Fatalf("Failed to create policy: %v", err)
+	}
+	binding := &admissionregistrationv1.ValidatingAdmissionPolicyBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: "deny-non-apiserver-servicecidr-updates-binding"},
+		Spec: admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
+			PolicyName: policy.Name,
+			ValidationActions: []admissionregistrationv1.ValidationAction{
+				admissionregistrationv1.Deny,
+			},
+			MatchResources: &admissionregistrationv1.MatchResources{
+				NamespaceSelector: &metav1.LabelSelector{}, // Match cluster-scoped resources
+			},
+		},
+	}
+	_, err = clientset.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Create(ctx, binding, metav1.CreateOptions{})
+	if err != nil {
+		s.TearDownFn()
+		t.Fatalf("Failed to create binding: %v", err)
+	}
+
+	// Wait for policy and binding to become active.
+	time.Sleep(2 * time.Second)
+
+	// 3. Try to update the defaultservicecidr to dual stack from the test and check that fails
+	defaultCIDR, err := clientset.NetworkingV1().ServiceCIDRs().Get(ctx, "kubernetes", metav1.GetOptions{})
+	if err != nil {
+		s.TearDownFn()
+		t.Fatalf("Failed to get default ServiceCIDR: %v", err)
+	}
+
+	defaultCIDR.Spec.CIDRs = append(defaultCIDR.Spec.CIDRs, "2001:db8::/112")
+	_, err = kc.NetworkingV1().ServiceCIDRs().Update(ctx, defaultCIDR, metav1.UpdateOptions{})
+	if err == nil {
+		s.TearDownFn()
+		t.Fatal("Expected an error updating default ServiceCIDR but got none")
+	}
+	if !strings.Contains(err.Error(), "only apiserver can update and create servicecidrs") {
+		s.TearDownFn()
+		t.Fatalf("Expected error to contain 'only apiserver can update and create servicecidrs', but got: %v", err)
+	}
+
+	// 4. add a new ServiceCIDR
+	_, err = clientset.NetworkingV1().ServiceCIDRs().Create(ctx, makeServiceCIDR("cidrnew", "192.168.0.0/28", ""), metav1.CreateOptions{})
+	if err == nil {
+		s.TearDownFn()
+		t.Fatal("Expected an error creating a new ServiceCIDR but got none")
+	}
+	if !strings.Contains(err.Error(), "only allow changes on the default servicecidr") {
+		s.TearDownFn()
+		t.Fatalf("Expected error to contain 'only allow changes on the default servicecidr', but got: %v", err)
+	}
+
+	// 5. Stop current apiserver and start a new one with dual stack cidrs in the flags
+	s.TearDownFn()
+	apiServerOptionsDual := kubeapiservertesting.NewDefaultTestServerOptions()
+	sDual := kubeapiservertesting.StartTestServerOrDie(t,
+		apiServerOptionsDual,
+		[]string{
+			"--runtime-config=networking.k8s.io/v1=true",
+			"--service-cluster-ip-range=192.168.0.0/24,2001:db8::/112",
+			"--advertise-address=10.1.1.1",
+			"--disable-admission-plugins=ServiceAccount",
+			"--enable-admission-plugins=ValidatingAdmissionPolicy",
+		},
+		etcdOptions)
+	defer sDual.TearDownFn()
+
+	clientsetDual, err := kubernetes.NewForConfig(sDual.ClientConfig)
+	if err != nil {
+		t.Fatalf("Failed to create clientset for dual-stack server: %v", err)
+	}
+
+	// 6. Validate that the default service cidr has been updated
+	err = wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+		cidr, err := clientsetDual.NetworkingV1().ServiceCIDRs().Get(ctx, "kubernetes", metav1.GetOptions{})
+		if err != nil {
+			// The API server may not be fully ready, so retry on error.
+			t.Logf("failed to get service cidr, retrying: %v", err)
+			return false, nil
+		}
+		if len(cidr.Spec.CIDRs) == 2 {
+			return true, nil
+		}
+		t.Logf("service cidr not updated yet, have: %v", cidr.Spec.CIDRs)
+		return false, nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to wait for default ServiceCIDR to be updated to dual-stack: %v", err)
+	}
+
+	updatedDefaultCIDR, err := clientsetDual.NetworkingV1().ServiceCIDRs().Get(ctx, "kubernetes", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get updated default ServiceCIDR: %v", err)
+	}
+
+	expectedCIDRs := []string{"192.168.0.0/24", "2001:db8::/112"}
+	sort.Strings(updatedDefaultCIDR.Spec.CIDRs)
+	sort.Strings(expectedCIDRs)
+	if !reflect.DeepEqual(updatedDefaultCIDR.Spec.CIDRs, expectedCIDRs) {
+		t.Errorf("Expected ServiceCIDR to be %v, but got %v", expectedCIDRs, updatedDefaultCIDR.Spec.CIDRs)
+	}
+}
diff --git a/test/integration/serving/serving_test.go b/test/integration/serving/serving_test.go
index c92c81000d278..12d9a35f73450 100644
--- a/test/integration/serving/serving_test.go
+++ b/test/integration/serving/serving_test.go
@@ -20,15 +20,22 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
 	"path"
+	"slices"
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	flagzv1alpha1 "k8s.io/apiserver/pkg/server/flagz/api/v1alpha1"
+	"k8s.io/apiserver/pkg/server/statusz/api/v1alpha1"
+
 	"k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -46,15 +53,15 @@ import (
 )
 
 type componentTester interface {
-	StartTestServer(ctx context.Context, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error)
+	StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (*options.SecureServingOptions, *server.SecureServingInfo, func(), error)
 }
 
 type kubeControllerManagerTester struct{}
 
-func (kubeControllerManagerTester) StartTestServer(ctx context.Context, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
+func (kubeControllerManagerTester) StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (*options.SecureServingOptions, *server.SecureServingInfo, func(), error) {
 	// avoid starting any controller loops, we're just testing serving
 	customFlags = append([]string{"--controllers="}, customFlags...)
-	gotResult, err := kubectrlmgrtesting.StartTestServer(ctx, customFlags)
+	gotResult, err := kubectrlmgrtesting.StartTestServer(t, ctx, customFlags)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -63,18 +70,18 @@ func (kubeControllerManagerTester) StartTestServer(ctx context.Context, customFl
 
 type cloudControllerManagerTester struct{}
 
-func (cloudControllerManagerTester) StartTestServer(ctx context.Context, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
-	gotResult, err := cloudctrlmgrtesting.StartTestServer(ctx, customFlags)
+func (cloudControllerManagerTester) StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (*options.SecureServingOptions, *server.SecureServingInfo, func(), error) {
+	gotResult, err := cloudctrlmgrtesting.StartTestServer(t, ctx, customFlags)
 	if err != nil {
 		return nil, nil, nil, err
 	}
-	return gotResult.Options.SecureServing, gotResult.Config.SecureServing, gotResult.TearDownFn, err
+	return gotResult.Options.SecureServing.SecureServingOptions, gotResult.Config.SecureServing, gotResult.TearDownFn, err
 }
 
 type kubeSchedulerTester struct{}
 
-func (kubeSchedulerTester) StartTestServer(ctx context.Context, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
-	gotResult, err := kubeschedulertesting.StartTestServer(ctx, customFlags)
+func (kubeSchedulerTester) StartTestServer(t *testing.T, ctx context.Context, customFlags []string) (*options.SecureServingOptions, *server.SecureServingInfo, func(), error) {
+	gotResult, err := kubeschedulertesting.StartTestServer(t, ctx, customFlags)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -137,10 +144,12 @@ users:
 	apiserverConfig.Close()
 
 	// create BROKEN kubeconfig for the apiserver
+
 	brokenApiserverConfig, err := os.CreateTemp("", "kubeconfig")
 	if err != nil {
 		t.Fatal(err)
 	}
+
 	brokenApiserverConfig.WriteString(fmt.Sprintf(`
 apiVersion: v1
 kind: Config
@@ -228,7 +237,7 @@ func testComponentWithSecureServing(t *testing.T, tester componentTester, kubeco
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_, ctx := ktesting.NewTestContext(t)
-			secureOptions, secureInfo, tearDownFn, err := tester.StartTestServer(ctx, append(append([]string{}, tt.flags...), extraFlags...))
+			secureOptions, secureInfo, tearDownFn, err := tester.StartTestServer(t, ctx, slices.Concat(tt.flags, extraFlags))
 			if tearDownFn != nil {
 				defer tearDownFn()
 			}
@@ -291,8 +300,7 @@ func fakeCloudProviderFactory(io.Reader) (cloudprovider.Interface, error) {
 	}, nil
 }
 
-func TestKubeControllerManagerServingStatusz(t *testing.T) {
-
+func TestKubeControllerManagerServingZPages(t *testing.T) {
 	// authenticate to apiserver via bearer token
 	token := "flwqkenfjasasdfmwerasd" // Fake token for testing.
 	tokenFile, err := os.CreateTemp("", "kubeconfig")
@@ -345,88 +353,278 @@ users:
 		t.Fatal(err)
 	}
 
-	tests := []struct {
-		name           string
-		flags          []string
-		path           string
-		anonymous      bool // to use the token or not
-		wantErr        bool
-		wantSecureCode *int
+	statuszWantBodyStr := "kube-controller-manager statusz\nWarning: This endpoint is not meant to be machine parseable"
+	statuszWantBodyJSON := &v1alpha1.Statusz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Statusz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "kube-controller-manager",
+		},
+		Paths: []string{"/configz", "/flagz", "/healthz", "/metrics"},
+	}
+
+	flagzWantBodyStr := "kube-controller-manager flagz\nWarning: This endpoint is not meant to be machine parseable"
+	flagzWantBodyJSON := &flagzv1alpha1.Flagz{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Flagz",
+			APIVersion: "config.k8s.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "kube-controller-manager",
+		},
+	}
+
+	statuszTestCases := []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string            // for text/plain
+		wantJSON     *v1alpha1.Statusz // for structured json
 	}{
-		{"serving /statusz", []string{
-			"--authentication-skip-lookup", // to survive inaccessible extensions-apiserver-authentication configmap
-			"--authentication-kubeconfig", apiserverConfig.Name(),
-			"--authorization-kubeconfig", apiserverConfig.Name(),
-			"--authorization-always-allow-paths", "/statusz",
-			"--kubeconfig", apiserverConfig.Name(),
-			"--leader-elect=false",
-		}, "/statusz", false, false, ptr.To(http.StatusOK)},
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Statusz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     statuszWantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Statusz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  statuszWantBodyStr,
+		},
 	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
-			_, ctx := ktesting.NewTestContext(t)
-			secureOptions, secureInfo, tearDownFn, err := kubeControllerManagerTester{}.StartTestServer(ctx, append(append([]string{}, tt.flags...), []string{}...))
-			if tearDownFn != nil {
-				defer tearDownFn()
+
+	flagzTestCases := []struct {
+		name         string
+		acceptHeader string
+		wantStatus   int
+		wantBodySub  string               // for text/plain
+		wantJSON     *flagzv1alpha1.Flagz // for structured json
+	}{
+		{
+			name:         "text plain response",
+			acceptHeader: "text/plain",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "structured json response",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io;as=Flagz",
+			wantStatus:   http.StatusOK,
+			wantJSON:     flagzWantBodyJSON,
+		},
+		{
+			name:         "no accept header (defaults to text)",
+			acceptHeader: "",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "invalid accept header",
+			acceptHeader: "application/xml",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json without params",
+			acceptHeader: "application/json",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "application/json with missing as",
+			acceptHeader: "application/json;v=v1alpha1;g=config.k8s.io",
+			wantStatus:   http.StatusNotAcceptable,
+		},
+		{
+			name:         "wildcard accept header",
+			acceptHeader: "*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+		{
+			name:         "bad json header fall back wildcard",
+			acceptHeader: "application/json;v=foo;g=config.k8s.io;as=Flagz,*/*",
+			wantStatus:   http.StatusOK,
+			wantBodySub:  flagzWantBodyStr,
+		},
+	}
+
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentStatusz, true)
+	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, zpagesfeatures.ComponentFlagz, true)
+	_, ctx := ktesting.NewTestContext(t)
+	flags := []string{
+		"--authentication-skip-lookup",
+		"--authentication-kubeconfig", apiserverConfig.Name(),
+		"--authorization-kubeconfig", apiserverConfig.Name(),
+		"--authorization-always-allow-paths", "/statusz,/flagz",
+		"--kubeconfig", apiserverConfig.Name(),
+		"--leader-elect=false",
+	}
+	secureOptions, secureInfo, tearDownFn, err := kubeControllerManagerTester{}.StartTestServer(t, ctx, flags)
+	if tearDownFn != nil {
+		defer tearDownFn()
+	}
+	if err != nil {
+		t.Fatalf("StartTestServer() error = %v", err)
+	}
+	if secureInfo == nil {
+		t.Fatalf("SecureServing not enabled")
+	}
+	_, port, err := net.SplitHostPort(secureInfo.Listener.Addr().String())
+	if err != nil {
+		t.Fatalf("could not get host and port from %s : %v", secureInfo.Listener.Addr().String(), err)
+	}
+	statuszURL := fmt.Sprintf("https://127.0.0.1:%s/statusz", port)
+	flagzURL := fmt.Sprintf("https://127.0.0.1:%s/flagz", port)
+
+	// read self-signed server cert disk
+	pool := x509.NewCertPool()
+	serverCertPath := path.Join(secureOptions.ServerCert.CertDirectory, secureOptions.ServerCert.PairName+".crt")
+	serverCert, err := os.ReadFile(serverCertPath)
+	if err != nil {
+		t.Fatalf("Failed to read component server cert %q: %v", serverCertPath, err)
+	}
+	pool.AppendCertsFromPEM(serverCert)
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs: pool,
+		},
+	}
+	client := &http.Client{Transport: tr}
+
+	for _, tc := range statuszTestCases {
+		t.Run("statusz_"+tc.name, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, statuszURL, nil)
+			if err != nil {
+				t.Fatal(err)
 			}
-			if (err != nil) != tt.wantErr {
-				t.Fatalf("StartTestServer() error = %v, wantErr %v", err, tt.wantErr)
+
+			req.Header.Set("Accept", tc.acceptHeader)
+			req.Header.Add("Authorization", fmt.Sprintf("Token %s", token))
+			r, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("failed to GET /statusz: %v", err)
 			}
+
+			body, err := io.ReadAll(r.Body)
 			if err != nil {
-				return
+				t.Fatalf("failed to read response body: %v", err)
 			}
 
-			if want, got := tt.wantSecureCode != nil, secureInfo != nil; want != got {
-				t.Errorf("SecureServing enabled: expected=%v got=%v", want, got)
-			} else if want {
-				// only interested on the port, because we are using always localhost
-				_, port, err := net.SplitHostPort(secureInfo.Listener.Addr().String())
-				if err != nil {
-					t.Fatalf("could not get host and port from %s : %v", secureInfo.Listener.Addr().String(), err)
-				}
-				// use IPv4 because the self-signed cert does not support [::]
-				url := fmt.Sprintf("https://127.0.0.1:%s%s", port, tt.path)
+			if err = r.Body.Close(); err != nil {
+				t.Fatalf("failed to close response body: %v", err)
+			}
 
-				// read self-signed server cert disk
-				pool := x509.NewCertPool()
-				serverCertPath := path.Join(secureOptions.ServerCert.CertDirectory, secureOptions.ServerCert.PairName+".crt")
-				serverCert, err := os.ReadFile(serverCertPath)
-				if err != nil {
-					t.Fatalf("Failed to read component server cert %q: %v", serverCertPath, err)
-				}
-				pool.AppendCertsFromPEM(serverCert)
-				tr := &http.Transport{
-					TLSClientConfig: &tls.Config{
-						RootCAs: pool,
-					},
-				}
+			if r.StatusCode != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, r.StatusCode)
+			}
 
-				client := &http.Client{Transport: tr}
-				req, err := http.NewRequest(http.MethodGet, url, nil)
-				req.Header.Set("Accept", "text/plain")
-				if err != nil {
-					t.Fatal(err)
-				}
-				if !tt.anonymous {
-					req.Header.Add("Authorization", fmt.Sprintf("Token %s", token))
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !strings.Contains(string(body), tc.wantBodySub) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(body))
+					}
 				}
-				r, err := client.Do(req)
-				if err != nil {
-					t.Fatalf("failed to GET %s from component: %v", tt.path, err)
+				if tc.wantJSON != nil {
+					var got v1alpha1.Statusz
+					if err := json.Unmarshal(body, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
+					}
+					if diff := cmp.Diff(tc.wantJSON.Paths, got.Paths); diff != "" {
+						t.Errorf("Paths mismatch (-want,+got):\n%s", diff)
+					}
 				}
+			}
+		})
+	}
 
-				if _, err = io.ReadAll(r.Body); err != nil {
-					t.Fatalf("failed to read response body: %v", err)
+	for _, tc := range flagzTestCases {
+		t.Run("flagz_"+tc.name, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, flagzURL, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			req.Header.Set("Accept", tc.acceptHeader)
+			req.Header.Add("Authorization", fmt.Sprintf("Token %s", token))
+			r, err := client.Do(req)
+			if err != nil {
+				t.Fatalf("failed to GET /flagz: %v", err)
+			}
+
+			body, err := io.ReadAll(r.Body)
+			if err != nil {
+				t.Fatalf("failed to read response body: %v", err)
+			}
+
+			if err = r.Body.Close(); err != nil {
+				t.Fatalf("failed to close response body: %v", err)
+			}
+
+			if r.StatusCode != tc.wantStatus {
+				t.Fatalf("want status %d, got %d", tc.wantStatus, r.StatusCode)
+			}
+
+			if tc.wantStatus == http.StatusOK {
+				if tc.wantBodySub != "" {
+					if !strings.Contains(string(body), tc.wantBodySub) {
+						t.Errorf("body missing expected substring: %q\nGot:\n%s", tc.wantBodySub, string(body))
+					}
 				}
-				defer func() {
-					if err := r.Body.Close(); err != nil {
-						t.Fatalf("Error closing response body: %v", err)
+				if tc.wantJSON != nil {
+					var got flagzv1alpha1.Flagz
+					if err := json.Unmarshal(body, &got); err != nil {
+						t.Fatalf("error unmarshalling JSON: %v", err)
+					}
+					// Only check static fields, since others are dynamic
+					if got.TypeMeta != tc.wantJSON.TypeMeta {
+						t.Errorf("TypeMeta mismatch: want %+v, got %+v", tc.wantJSON.TypeMeta, got.TypeMeta)
+					}
+					if got.ObjectMeta.Name != tc.wantJSON.ObjectMeta.Name {
+						t.Errorf("ObjectMeta.Name mismatch: want %q, got %q", tc.wantJSON.ObjectMeta.Name, got.ObjectMeta.Name)
 					}
-				}()
-
-				if got, expected := r.StatusCode, *tt.wantSecureCode; got != expected {
-					t.Fatalf("expected http %d at %s of component, got: %d", expected, tt.path, got)
 				}
 			}
 		})
diff --git a/test/integration/statefulset/statefulset_test.go b/test/integration/statefulset/statefulset_test.go
index a87bc0eae8b3f..a4689f3c2f96c 100644
--- a/test/integration/statefulset/statefulset_test.go
+++ b/test/integration/statefulset/statefulset_test.go
@@ -32,17 +32,14 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/json"
 	"k8s.io/apimachinery/pkg/util/wait"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 	"k8s.io/kubernetes/pkg/controller/statefulset"
 	"k8s.io/kubernetes/pkg/controlplane"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/integration/framework"
 	"k8s.io/kubernetes/test/utils/ktesting"
 	"k8s.io/utils/ptr"
@@ -471,8 +468,6 @@ func TestAutodeleteOwnerRefs(t *testing.T) {
 		},
 	}
 
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StatefulSetAutoDeletePVC, true)
-
 	tCtx, closeFn, rm, informers, c := scSetup(t)
 	defer closeFn()
 	cancel := runControllerAndInformers(tCtx, rm, informers)
diff --git a/test/integration/storageversion/gc_test.go b/test/integration/storageversion/gc_test.go
index 21bb1082c3cb3..1c73edc5d2215 100644
--- a/test/integration/storageversion/gc_test.go
+++ b/test/integration/storageversion/gc_test.go
@@ -49,8 +49,10 @@ const (
 )
 
 func TestStorageVersionGarbageCollection(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionAPI, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.APIServerIdentity: true,
+		features.StorageVersionAPI: true,
+	})
 	flags := framework.DefaultTestServerFlags()
 	flags = append(flags, fmt.Sprintf("--runtime-config=%s=true", apiserverinternalv1alpha1.SchemeGroupVersion))
 	result := kubeapiservertesting.StartTestServerOrDie(t, nil, flags, framework.SharedEtcd())
diff --git a/test/integration/storageversion/storage_version_filter_test.go b/test/integration/storageversion/storage_version_filter_test.go
index 5e41929cf7b42..8599b0b05a731 100644
--- a/test/integration/storageversion/storage_version_filter_test.go
+++ b/test/integration/storageversion/storage_version_filter_test.go
@@ -168,8 +168,10 @@ func TestStorageVersionBootstrap(t *testing.T) {
 		}
 	}
 	// Restart api server, enable the storage version API and the feature gates.
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionAPI, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIServerIdentity, true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.StorageVersionAPI: true,
+		features.APIServerIdentity: true,
+	})
 	server = kubeapiservertesting.StartTestServerOrDie(t,
 		&kubeapiservertesting.TestServerInstanceOptions{
 			StorageVersionWrapFunc: wrapperFunc,
diff --git a/test/integration/storageversionmigrator/storageversionmigrator_test.go b/test/integration/storageversionmigrator/storageversionmigrator_test.go
index 4f9fbb439b832..b102dbd867d96 100644
--- a/test/integration/storageversionmigrator/storageversionmigrator_test.go
+++ b/test/integration/storageversionmigrator/storageversionmigrator_test.go
@@ -26,7 +26,6 @@ import (
 
 	"go.uber.org/goleak"
 
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -52,8 +51,10 @@ import (
 // 7. Perform another Storage Version Migration for secrets
 // 8. Verify that the resource version of the secret is not updated. i.e. it was a no-op update
 func TestStorageVersionMigration(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionMigrator, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, featuregate.Feature(clientgofeaturegate.InformerResourceVersion), true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.StorageVersionMigrator:                                  true,
+		featuregate.Feature(clientgofeaturegate.InformerResourceVersion): true,
+	})
 
 	// this makes the test super responsive. It's set to a default of 1 minute.
 	encryptionconfigcontroller.EncryptionConfigFileChangePollDuration = time.Second
@@ -78,9 +79,8 @@ func TestStorageVersionMigration(t *testing.T) {
 		ctx,
 		t,
 		svmName,
-		svmv1alpha1.GroupVersionResource{
+		metav1.GroupResource{
 			Group:    "",
-			Version:  "v1",
 			Resource: "secrets",
 		},
 	)
@@ -115,9 +115,8 @@ func TestStorageVersionMigration(t *testing.T) {
 		ctx,
 		t,
 		secondSVMName,
-		svmv1alpha1.GroupVersionResource{
+		metav1.GroupResource{
 			Group:    "",
-			Version:  "v1",
 			Resource: "secrets",
 		},
 	)
@@ -152,8 +151,10 @@ func TestStorageVersionMigration(t *testing.T) {
 // 10. Verify RV and Generations of CRs
 // 11. Verify the list of CRs at v2 works
 func TestStorageVersionMigrationWithCRD(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionMigrator, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, featuregate.Feature(clientgofeaturegate.InformerResourceVersion), true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.StorageVersionMigrator:                                  true,
+		featuregate.Feature(clientgofeaturegate.InformerResourceVersion): true,
+	})
 	// decode errors are expected when using conversation webhooks
 	etcd3watcher.TestOnlySetFatalOnDecodeError(false)
 	t.Cleanup(func() { etcd3watcher.TestOnlySetFatalOnDecodeError(true) })
@@ -254,9 +255,8 @@ func TestStorageVersionMigrationWithCRD(t *testing.T) {
 	// migrate CRs from v1 to v2
 	svm, err := svmTest.createSVMResource(
 		ctx, t, "crdsvm",
-		svmv1alpha1.GroupVersionResource{
+		metav1.GroupResource{
 			Group:    crd.Spec.Group,
-			Version:  "v1",
 			Resource: crd.Spec.Names.Plural,
 		})
 	if err != nil {
@@ -300,8 +300,10 @@ func TestStorageVersionMigrationWithCRD(t *testing.T) {
 // It asserts that all migrations are successful and that none of the static instances
 // were changed after they were initially created (as the migrations must be a no-op).
 func TestStorageVersionMigrationDuringChaos(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.StorageVersionMigrator, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, featuregate.Feature(clientgofeaturegate.InformerResourceVersion), true)
+	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
+		features.StorageVersionMigrator:                                  true,
+		featuregate.Feature(clientgofeaturegate.InformerResourceVersion): true,
+	})
 
 	ctx := ktesting.Init(t)
 
@@ -332,9 +334,8 @@ func TestStorageVersionMigrationDuringChaos(t *testing.T) {
 
 			svm, err := svmTest.createSVMResource(
 				ctx, t, "chaos-svm-"+strconv.Itoa(i),
-				svmv1alpha1.GroupVersionResource{
+				metav1.GroupResource{
 					Group:    crd.Spec.Group,
-					Version:  "v1",
 					Resource: crd.Spec.Names.Plural,
 				},
 			)
diff --git a/test/integration/storageversionmigrator/util.go b/test/integration/storageversionmigrator/util.go
index c93fa1377dd66..e334f7ce35f88 100644
--- a/test/integration/storageversionmigrator/util.go
+++ b/test/integration/storageversionmigrator/util.go
@@ -38,10 +38,11 @@ import (
 	clientv3 "go.etcd.io/etcd/client/v3"
 
 	corev1 "k8s.io/api/core/v1"
-	svmv1alpha1 "k8s.io/api/storagemigration/v1alpha1"
+	svmv1beta1 "k8s.io/api/storagemigration/v1beta1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	crdintegration "k8s.io/apiextensions-apiserver/test/integration"
+	metaconditions "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructuredscheme"
@@ -62,7 +63,6 @@ import (
 	utiltesting "k8s.io/client-go/util/testing"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	kubecontrollermanagertesting "k8s.io/kubernetes/cmd/kube-controller-manager/app/testing"
-	"k8s.io/kubernetes/pkg/controller/storageversionmigrator"
 	"k8s.io/kubernetes/test/images/agnhost/crd-conversion-webhook/converter"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/etcd"
@@ -275,14 +275,14 @@ func svmSetup(ctx context.Context, t *testing.T) *svmTest {
 		"--audit-log-mode", "blocking",
 		"--audit-log-path", logFile.Name(),
 		"--authorization-mode=RBAC",
-		fmt.Sprintf("--runtime-config=%s=true", svmv1alpha1.SchemeGroupVersion),
+		fmt.Sprintf("--runtime-config=%s=true", svmv1beta1.SchemeGroupVersion),
 	}
 	storageConfig := framework.SharedEtcd()
 	server := kubeapiservertesting.StartTestServerOrDie(t, nil, apiServerFlags, storageConfig)
 
 	kubeConfigFile := createKubeConfigFileForRestConfig(t, server.ClientConfig)
 
-	kcm := kubecontrollermanagertesting.StartTestServerOrDie(ctx, []string{
+	kcm := kubecontrollermanagertesting.StartTestServerOrDie(t, ctx, []string{
 		"--kubeconfig=" + kubeConfigFile,
 		"--controllers=garbagecollector,svm",     // these are the only controllers needed for this test
 		"--use-service-account-credentials=true", // exercise RBAC of SVM controller
@@ -468,35 +468,34 @@ func (svm *svmTest) updateFile(t *testing.T, configDir, filename string, newCont
 	}
 }
 
-func (svm *svmTest) createSVMResource(ctx context.Context, t *testing.T, name string, gvr svmv1alpha1.GroupVersionResource) (
-	*svmv1alpha1.StorageVersionMigration,
+func (svm *svmTest) createSVMResource(ctx context.Context, t *testing.T, name string, gr metav1.GroupResource) (
+	*svmv1beta1.StorageVersionMigration,
 	error,
 ) {
 	t.Helper()
-	svmResource := &svmv1alpha1.StorageVersionMigration{
+	svmResource := &svmv1beta1.StorageVersionMigration{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
 		},
-		Spec: svmv1alpha1.StorageVersionMigrationSpec{
-			Resource: svmv1alpha1.GroupVersionResource{
-				Group:    gvr.Group,
-				Version:  gvr.Version,
-				Resource: gvr.Resource,
+		Spec: svmv1beta1.StorageVersionMigrationSpec{
+			Resource: metav1.GroupResource{
+				Group:    gr.Group,
+				Resource: gr.Resource,
 			},
 		},
 	}
 
-	return svm.client.StoragemigrationV1alpha1().
+	return svm.client.StoragemigrationV1beta1().
 		StorageVersionMigrations().
 		Create(ctx, svmResource, metav1.CreateOptions{})
 }
 
 func (svm *svmTest) getSVM(ctx context.Context, t *testing.T, name string) (
-	*svmv1alpha1.StorageVersionMigration,
+	*svmv1beta1.StorageVersionMigration,
 	error,
 ) {
 	t.Helper()
-	return svm.client.StoragemigrationV1alpha1().
+	return svm.client.StoragemigrationV1beta1().
 		StorageVersionMigrations().
 		Get(ctx, name, metav1.GetOptions{})
 }
@@ -597,9 +596,10 @@ func (svm *svmTest) waitForResourceMigration(
 			if err != nil {
 				t.Fatalf("Failed to get SVM resource: %v", err)
 			}
+			svmConditions := svmResource.Status.Conditions
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationFailed) {
-				t.Logf("%q SVM has failed migration, %#v", svmName, svmResource.Status.Conditions)
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationFailed)) {
+				t.Logf("%q SVM has failed migration, %#v", svmName, svmConditions)
 				return false, fmt.Errorf("SVM has failed migration")
 			}
 
@@ -608,17 +608,17 @@ func (svm *svmTest) waitForResourceMigration(
 				return false, nil
 			}
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationSucceeded) {
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationSucceeded)) {
 				t.Logf("%q SVM has completed migration", svmName)
 				return true, nil
 			}
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationRunning) {
-				t.Logf("%q SVM migration is running, %#v", svmName, svmResource.Status.Conditions)
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationRunning)) {
+				t.Logf("%q SVM migration is running, %#v", svmName, svmConditions)
 				return false, nil
 			}
 
-			t.Logf("%q SVM has not started migration, %#v", svmName, svmResource.Status.Conditions)
+			t.Logf("%q SVM has not started migration, %#v", svmName, svmConditions)
 
 			// We utilize the LastSyncResourceVersion of the Garbage Collector (GC) to ensure that the cache is up-to-date before proceeding with the migration.
 			// However, in a quiet cluster, the GC may not be updated unless there is some activity or the watch receives a bookmark event after every 10 minutes.
@@ -1087,9 +1087,10 @@ func (svm *svmTest) isCRDMigrated(ctx context.Context, t *testing.T, crdSVMName,
 			if err != nil {
 				t.Fatalf("Failed to get SVM resource: %v", err)
 			}
+			svmConditions := svmResource.Status.Conditions
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationFailed) {
-				t.Logf("%q SVM has failed migration, %#v", crdSVMName, svmResource.Status.Conditions)
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationFailed)) {
+				t.Logf("%q SVM has failed migration, %#v", crdSVMName, svmConditions)
 				return false, fmt.Errorf("SVM has failed migration")
 			}
 
@@ -1098,17 +1099,17 @@ func (svm *svmTest) isCRDMigrated(ctx context.Context, t *testing.T, crdSVMName,
 				return false, nil
 			}
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationSucceeded) {
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationSucceeded)) {
 				t.Logf("%q SVM has completed migration", crdSVMName)
 				return true, nil
 			}
 
-			if storageversionmigrator.IsConditionTrue(svmResource, svmv1alpha1.MigrationRunning) {
-				t.Logf("%q SVM migration is running, %#v", crdSVMName, svmResource.Status.Conditions)
+			if metaconditions.IsStatusConditionTrue(svmConditions, string(svmv1beta1.MigrationRunning)) {
+				t.Logf("%q SVM migration is running, %#v", crdSVMName, svmConditions)
 				return false, nil
 			}
 
-			t.Logf("%q SVM has not started migration, %#v", crdSVMName, svmResource.Status.Conditions)
+			t.Logf("%q SVM has not started migration, %#v", crdSVMName, svmConditions)
 
 			// at this point we know that the RV has been set on the SVM resource,
 			// and we need to make sure that the GC list RV has caught up to that without waiting for a watch bookmark.
diff --git a/test/integration/util/util.go b/test/integration/util/util.go
index de4b2ae625226..8793fd083326d 100644
--- a/test/integration/util/util.go
+++ b/test/integration/util/util.go
@@ -29,6 +29,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	policy "k8s.io/api/policy/v1"
 	resourceapi "k8s.io/api/resource/v1"
+	schedulingapiv1alpha1 "k8s.io/api/scheduling/v1alpha1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -520,6 +521,11 @@ func InitTestAPIServer(t *testing.T, nsPrefix string, admission admission.Interf
 					options.GenericServerRunOptions.RuntimeConfigEmulationForwardCompatible = true
 				}
 			}
+			if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+				options.APIEnablement.RuntimeConfig = cliflag.ConfigurationMap{
+					schedulingapiv1alpha1.SchemeGroupVersion.String(): "true",
+				}
+			}
 		},
 		ModifyServerConfig: func(config *controlplane.Config) {
 			if admission != nil {
diff --git a/test/kubemark/resources/hollow-node_template.yaml b/test/kubemark/resources/hollow-node_template.yaml
index 320a21fa98670..1a51acb7a61a4 100644
--- a/test/kubemark/resources/hollow-node_template.yaml
+++ b/test/kubemark/resources/hollow-node_template.yaml
@@ -99,7 +99,7 @@ spec:
             cpu: {{hollow_proxy_millicpu}}m
             memory: {{hollow_proxy_mem_Ki}}Ki
       - name: hollow-node-problem-detector
-        image: registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.21
+        image: registry.k8s.io/node-problem-detector/node-problem-detector:v1.34.0
         env:
         - name: NODE_NAME
           valueFrom:
diff --git a/test/kubemark/resources/manifests/kube-addon-manager.yaml b/test/kubemark/resources/manifests/kube-addon-manager.yaml
index d171bf9006b9a..1d7d87ebf4144 100644
--- a/test/kubemark/resources/manifests/kube-addon-manager.yaml
+++ b/test/kubemark/resources/manifests/kube-addon-manager.yaml
@@ -9,7 +9,7 @@ spec:
   hostNetwork: true
   containers:
   - name: kube-addon-manager
-    image: {{kube_docker_registry}}/addon-manager/kube-addon-manager:v9.1.7
+    image: {{kube_docker_registry}}/addon-manager/kube-addon-manager:v9.1.8
     command:
     - /bin/bash
     - -c
diff --git a/test/utils/fakedns/fakedns.go b/test/utils/fakedns/fakedns.go
new file mode 100644
index 0000000000000..64aa9c129c8a6
--- /dev/null
+++ b/test/utils/fakedns/fakedns.go
@@ -0,0 +1,129 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fakedns
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	netutils "k8s.io/utils/net"
+
+	"golang.org/x/net/dns/dnsmessage"
+
+	nettesting "k8s.io/kubernetes/third_party/forked/golang/net/testing"
+)
+
+// dnsHijackLock is a mutex to ensure that only one test can hijack DNS at a time.
+// This is necessary because net.DefaultResolver is a global variable.
+var dnsHijackLock sync.Mutex
+
+// Server is a fake DNS server that can be used to override DNS resolution in tests.
+// This is particularly useful for testing components that rely on DNS without needing
+// to set up an actual DNS server. The server can be configured with a map of domain
+// names to IP addresses, and it will respond to DNS queries accordingly.
+// To use the fake DNS server, create an instance using NewServer, then call
+// Hijack to redirect DNS queries to the fake server.
+// This helper does not support running tests in parallel.
+type Server struct {
+	dnsServer nettesting.FakeDNSServer
+}
+
+// NewServer creates a new fake DNS server. The hosts map should contain
+// domain names as keys and their corresponding IP addresses as string values.
+// It returns an error if any of the IP addresses are invalid.
+func NewServer(hosts map[string]string) (*Server, error) {
+	parsedHosts := make(map[string]net.IP, len(hosts))
+	for domain, ipStr := range hosts {
+		ip := netutils.ParseIPSloppy(ipStr)
+		if ip == nil {
+			return nil, fmt.Errorf("invalid IP address for domain %s: %s", domain, ipStr)
+		}
+		// Ensure domain is clean without trailing dot for map key
+		parsedHosts[strings.TrimSuffix(domain, ".")] = ip
+	}
+	dnsServer := nettesting.FakeDNSServer{}
+	dnsServer.ResponseHandler = func(n, s string, q dnsmessage.Message, t time.Time) (dnsmessage.Message, error) {
+		resp := dnsmessage.Message{
+			Header: dnsmessage.Header{
+				ID:            q.Header.ID,
+				Response:      true,
+				Authoritative: true,
+			},
+			Questions: q.Questions,
+		}
+
+		if len(q.Questions) == 0 {
+			return resp, nil
+		}
+
+		question := q.Questions[0]
+		domain := strings.TrimSuffix(question.Name.String(), ".")
+
+		if ip, ok := parsedHosts[domain]; ok {
+			var resource dnsmessage.Resource
+			if ipv4 := ip.To4(); ipv4 != nil {
+				resource = dnsmessage.Resource{
+					Header: dnsmessage.ResourceHeader{Name: question.Name, Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET, TTL: 300},
+					Body:   &dnsmessage.AResource{A: [4]byte(ipv4)},
+				}
+			} else { // Assume IPv6
+				resource = dnsmessage.Resource{
+					Header: dnsmessage.ResourceHeader{Name: question.Name, Type: dnsmessage.TypeAAAA, Class: dnsmessage.ClassINET, TTL: 300},
+					Body:   &dnsmessage.AAAAResource{AAAA: [16]byte(ip)},
+				}
+			}
+			resp.Answers = []dnsmessage.Resource{resource}
+		}
+
+		return resp, nil
+	}
+
+	return &Server{
+		dnsServer: dnsServer,
+	}, nil
+}
+
+// Hijack takes control of the net.DefaultResolver to redirect DNS queries
+// to the fake server. It uses t.Cleanup to automatically restore the original
+// resolver after the test.
+// This helper does not support running tests in parallel.
+//
+// Example:
+//
+//	dnsServer, _ := fakedns.NewServer(hosts)
+//	dnsServer.Hijack(t)
+func (s *Server) Hijack(t *testing.T) {
+	t.Helper()
+
+	dnsHijackLock.Lock()
+
+	originalDial := net.DefaultResolver.Dial
+	originalPreferGo := net.DefaultResolver.PreferGo
+
+	net.DefaultResolver.PreferGo = true
+	net.DefaultResolver.Dial = s.dnsServer.DialContext
+
+	t.Cleanup(func() {
+		net.DefaultResolver.Dial = originalDial
+		net.DefaultResolver.PreferGo = originalPreferGo
+		dnsHijackLock.Unlock()
+	})
+}
diff --git a/test/utils/format/format.go b/test/utils/format/format.go
index a77f697ad027c..b337c760d5b47 100644
--- a/test/utils/format/format.go
+++ b/test/utils/format/format.go
@@ -28,6 +28,7 @@ import (
 
 	"github.com/onsi/gomega/format"
 
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/yaml"
 )
 
@@ -59,7 +60,18 @@ func handleYAML(object interface{}) (string, bool) {
 	return "\n" + strings.TrimSpace(string(y)), true
 }
 
+var unstructuredObjectType = reflect.TypeOf(unstructured.Unstructured{})
+
 func useYAML(t reflect.Type) bool {
+	if t == unstructuredObjectType {
+		// It looks nicer as YAML.
+		//
+		// unstructured.Unstructured is a map, but because
+		// it's wrapped in a struct it does not get recognized
+		// as one by the code below and thus needs a direct check.
+		return true
+	}
+
 	switch t.Kind() {
 	case reflect.Pointer, reflect.Slice, reflect.Array:
 		return useYAML(t.Elem())
diff --git a/test/utils/format/format_test.go b/test/utils/format/format_test.go
index dcc54a9a9f1b2..bfeb9894532f1 100644
--- a/test/utils/format/format_test.go
+++ b/test/utils/format/format_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 func TestGomegaFormatObject(t *testing.T) {
@@ -57,6 +58,13 @@ func TestGomegaFormatObject(t *testing.T) {
 		"podlist": {value: v1.PodList{}, expected: `<v1.PodList>: 
     items: null
     metadata: {}`},
+		"unstructured": {value: func() any {
+			var obj unstructured.Unstructured
+			obj.SetName("some-name")
+			return &obj
+		}(), expected: `<*unstructured.Unstructured | <hex>>: 
+    metadata:
+      name: some-name`},
 	} {
 		t.Run(name, func(t *testing.T) {
 			actual := format.Object(test.value, test.indentation)
diff --git a/test/utils/hermeticpodcertificatesigner/hermeticpodcertificatesigner.go b/test/utils/hermeticpodcertificatesigner/hermeticpodcertificatesigner.go
index d79abdcca60c9..0d46c34ab11b3 100644
--- a/test/utils/hermeticpodcertificatesigner/hermeticpodcertificatesigner.go
+++ b/test/utils/hermeticpodcertificatesigner/hermeticpodcertificatesigner.go
@@ -27,16 +27,18 @@ import (
 	"fmt"
 	"net/url"
 	"path"
+	"strings"
 	"time"
 
-	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
+	certsv1beta1 "k8s.io/api/certificates/v1beta1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/wait"
-	certinformersv1alpha1 "k8s.io/client-go/informers/certificates/v1alpha1"
+	certinformersv1beta1 "k8s.io/client-go/informers/certificates/v1beta1"
 	"k8s.io/client-go/kubernetes"
-	certlistersv1alpha1 "k8s.io/client-go/listers/certificates/v1alpha1"
+	certlistersv1beta1 "k8s.io/client-go/listers/certificates/v1beta1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
@@ -44,23 +46,24 @@ import (
 	"k8s.io/utils/ptr"
 )
 
+const SpiffePathKey = "spiffe/path-overriding"
+
 // Controller is an in-memory signing controller for PodCertificateRequests.
 type Controller struct {
-	clock clock.PassiveClock
-
+	clock      clock.PassiveClock
 	signerName string
 
 	kc          kubernetes.Interface
 	pcrInformer cache.SharedIndexInformer
 	pcrQueue    workqueue.TypedRateLimitingInterface[string]
-
-	caKeys  []crypto.PrivateKey
-	caCerts [][]byte
+	pcrLister   certlistersv1beta1.PodCertificateRequestLister
+	caKeys      []crypto.PrivateKey
+	caCerts     [][]byte
 }
 
 // New creates a new Controller.
 func New(clock clock.PassiveClock, signerName string, caKeys []crypto.PrivateKey, caCerts [][]byte, kc kubernetes.Interface) *Controller {
-	pcrInformer := certinformersv1alpha1.NewFilteredPodCertificateRequestInformer(kc, metav1.NamespaceAll, 24*time.Hour, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+	pcrInformer := certinformersv1beta1.NewFilteredPodCertificateRequestInformer(kc, metav1.NamespaceAll, 24*time.Hour, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
 		func(opts *metav1.ListOptions) {
 			opts.FieldSelector = fields.OneTermEqualSelector("spec.signerName", signerName).String()
 		},
@@ -72,6 +75,7 @@ func New(clock clock.PassiveClock, signerName string, caKeys []crypto.PrivateKey
 		kc:          kc,
 		pcrInformer: pcrInformer,
 		pcrQueue:    workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[string]()),
+		pcrLister:   certlistersv1beta1.NewPodCertificateRequestLister(pcrInformer.GetIndexer()),
 		caKeys:      caKeys,
 		caCerts:     caCerts,
 	}
@@ -105,15 +109,67 @@ func New(clock clock.PassiveClock, signerName string, caKeys []crypto.PrivateKey
 
 func (c *Controller) Run(ctx context.Context) {
 	defer c.pcrQueue.ShutDown()
+	prefix := strings.Replace(c.signerName, "/", ":", 1)
+	ctbName := prefix + ":primary-bundle"
+	defer func() {
+		klog.Infof("Deleting ClusterTrustBundle %s", ctbName)
+		err := c.kc.CertificatesV1beta1().ClusterTrustBundles().Delete(context.Background(), ctbName, metav1.DeleteOptions{})
+		if err != nil && !k8serrors.IsNotFound(err) {
+			klog.Errorf("Failed to delete ClusterTrustBundle %s: %v", ctbName, err)
+		}
+	}()
+
 	go c.pcrInformer.Run(ctx.Done())
 	if !cache.WaitForCacheSync(ctx.Done(), c.pcrInformer.HasSynced) {
 		return
 	}
 
 	go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+	go wait.JitterUntilWithContext(ctx, c.ensureTrustBundle, 1*time.Minute, 1.0, true)
 	<-ctx.Done()
 }
 
+func (c *Controller) ensureTrustBundle(ctx context.Context) {
+	// Create a ClusterTrustBundle with the signer's CA.
+	prefix := strings.Replace(c.signerName, "/", ":", 1)
+	ctbName := prefix + ":primary-bundle"
+	caCertPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.caCerts[0]})
+	wantCTB := &certsv1beta1.ClusterTrustBundle{
+		ObjectMeta: metav1.ObjectMeta{Name: ctbName},
+		Spec: certsv1beta1.ClusterTrustBundleSpec{
+			SignerName:  c.signerName,
+			TrustBundle: string(caCertPEM),
+		},
+	}
+
+	klog.Infof("Getting ClusterTrustBundle %s", ctbName)
+	ctb, err := c.kc.CertificatesV1beta1().ClusterTrustBundles().Get(ctx, wantCTB.ObjectMeta.Name, metav1.GetOptions{})
+	if k8serrors.IsNotFound(err) {
+		_, err := c.kc.CertificatesV1beta1().ClusterTrustBundles().Create(ctx, wantCTB, metav1.CreateOptions{})
+		if err != nil {
+			klog.Errorf("Failed to create ClusterTrustBundle %s: %v", ctbName, err)
+			return
+		}
+		return
+	} else if err != nil {
+		klog.Errorf("Failed to get ClusterTrustBundle %s: %v", ctbName, err)
+		return
+	}
+
+	if apiequality.Semantic.DeepEqual(wantCTB.Spec, ctb.Spec) {
+		klog.Info("ClusterTrustBundle already in correct state")
+		return
+	}
+
+	ctb = ctb.DeepCopy()
+	ctb.Spec = wantCTB.Spec
+
+	_, err = c.kc.CertificatesV1beta1().ClusterTrustBundles().Update(ctx, ctb, metav1.UpdateOptions{})
+	if err != nil {
+		klog.Errorf("Failed to update ClusterTrustBundle %s: %v", ctbName, err)
+	}
+}
+
 func (c *Controller) runWorker(ctx context.Context) {
 	for c.processNextWorkItem(ctx) {
 	}
@@ -134,7 +190,7 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool {
 		return true
 	}
 
-	pcr, err := certlistersv1alpha1.NewPodCertificateRequestLister(c.pcrInformer.GetIndexer()).PodCertificateRequests(namespace).Get(name)
+	pcr, err := c.pcrLister.PodCertificateRequests(namespace).Get(name)
 	if k8serrors.IsNotFound(err) {
 		c.pcrQueue.Forget(key)
 		return true
@@ -154,7 +210,7 @@ func (c *Controller) processNextWorkItem(ctx context.Context) bool {
 	return true
 }
 
-func (c *Controller) handlePCR(ctx context.Context, pcr *certsv1alpha1.PodCertificateRequest) error {
+func (c *Controller) handlePCR(ctx context.Context, pcr *certsv1beta1.PodCertificateRequest) error {
 	if pcr.Spec.SignerName != c.signerName {
 		return nil
 	}
@@ -187,22 +243,32 @@ func (c *Controller) handlePCR(ctx context.Context, pcr *certsv1alpha1.PodCertif
 	if requestedLifetime < lifetime {
 		lifetime = requestedLifetime
 	}
-
+	path := path.Join("ns", pcr.ObjectMeta.Namespace, "sa", pcr.Spec.ServiceAccountName)
+	if pcr.Spec.UnverifiedUserAnnotations != nil {
+		if value, exist := pcr.Spec.UnverifiedUserAnnotations[SpiffePathKey]; exist {
+			path = value
+		}
+	}
 	spiffeURI := &url.URL{
 		Scheme: "spiffe",
 		Host:   "cluster.local",
-		Path:   path.Join("ns", pcr.ObjectMeta.Namespace, "sa", pcr.Spec.ServiceAccountName),
+		Path:   path,
 	}
 
 	notBefore := c.clock.Now().Add(-2 * time.Minute)
 	notAfter := notBefore.Add(lifetime)
 	beginRefreshAt := notAfter.Add(-30 * time.Minute)
+	// Construct DNS names
+	dnsNames := []string{
+		fmt.Sprintf("server.%s.svc", pcr.ObjectMeta.Namespace),
+	}
 	template := &x509.Certificate{
 		URIs:        []*url.URL{spiffeURI},
 		NotBefore:   notBefore,
 		NotAfter:    notAfter,
 		KeyUsage:    x509.KeyUsageDigitalSignature,
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		DNSNames:    dnsNames,
 	}
 
 	signingCert, err := x509.ParseCertificate(c.caCerts[len(c.caCerts)-1])
@@ -238,7 +304,7 @@ func (c *Controller) handlePCR(ctx context.Context, pcr *certsv1alpha1.PodCertif
 	pcr = pcr.DeepCopy()
 	pcr.Status.Conditions = []metav1.Condition{
 		{
-			Type:               certsv1alpha1.PodCertificateRequestConditionTypeIssued,
+			Type:               certsv1beta1.PodCertificateRequestConditionTypeIssued,
 			Status:             metav1.ConditionTrue,
 			Reason:             "Reason",
 			Message:            "Issued",
@@ -250,11 +316,10 @@ func (c *Controller) handlePCR(ctx context.Context, pcr *certsv1alpha1.PodCertif
 	pcr.Status.BeginRefreshAt = ptr.To(metav1.NewTime(beginRefreshAt))
 	pcr.Status.NotAfter = ptr.To(metav1.NewTime(notAfter))
 
-	_, err = c.kc.CertificatesV1alpha1().PodCertificateRequests(pcr.ObjectMeta.Namespace).UpdateStatus(ctx, pcr, metav1.UpdateOptions{})
+	_, err = c.kc.CertificatesV1beta1().PodCertificateRequests(pcr.ObjectMeta.Namespace).UpdateStatus(ctx, pcr, metav1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("while updating PodCertificateRequest: %w", err)
 	}
-
 	return nil
 }
 
diff --git a/test/utils/image/manifest.go b/test/utils/image/manifest.go
index 242b286f947b8..f2c4e5e181348 100644
--- a/test/utils/image/manifest.go
+++ b/test/utils/image/manifest.go
@@ -33,7 +33,6 @@ import (
 
 // RegistryList holds public and private image registries
 type RegistryList struct {
-	GcAuthenticatedRegistry  string `yaml:"gcAuthenticatedRegistry"`
 	PromoterE2eRegistry      string `yaml:"promoterE2eRegistry"`
 	BuildImageRegistry       string `yaml:"buildImageRegistry"`
 	InvalidRegistry          string `yaml:"invalidRegistry"`
@@ -129,7 +128,8 @@ func readFromURL(url string, writer io.Writer) error {
 
 var (
 	initRegistry = RegistryList{
-		GcAuthenticatedRegistry:  "gcr.io/authenticated-image-pulling",
+		// TODO: https://github.com/kubernetes/kubernetes/issues/130271
+		// Eliminate PrivateRegistry.
 		PromoterE2eRegistry:      "registry.k8s.io/e2e-test-images",
 		BuildImageRegistry:       "registry.k8s.io/build-image",
 		InvalidRegistry:          "invalid.registry.k8s.io/invalid",
@@ -149,6 +149,8 @@ type ImageID int
 const (
 	// None is to be used for unset/default images
 	None ImageID = iota
+	// AgnhostPrev image
+	AgnhostPrev
 	// Agnhost image
 	Agnhost
 	// AgnhostPrivate image
@@ -157,20 +159,12 @@ const (
 	APIServer
 	// AppArmorLoader image
 	AppArmorLoader
-	// AuthenticatedAlpine image
-	AuthenticatedAlpine
-	// AuthenticatedWindowsNanoServer image
-	AuthenticatedWindowsNanoServer
 	// BusyBox image
 	BusyBox
 	// DistrolessIptables Image
 	DistrolessIptables
 	// Etcd image
 	Etcd
-	// Httpd image
-	Httpd
-	// HttpdNew image
-	HttpdNew
 	// InvalidRegistryImage image
 	InvalidRegistryImage
 	// IpcUtils image
@@ -214,17 +208,14 @@ const (
 
 func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config) {
 	configs := map[ImageID]Config{}
-	configs[Agnhost] = Config{list.PromoterE2eRegistry, "agnhost", "2.56"}
+	configs[AgnhostPrev] = Config{list.PromoterE2eRegistry, "agnhost", "2.55"}
+	configs[Agnhost] = Config{list.PromoterE2eRegistry, "agnhost", "2.59"}
 	configs[AgnhostPrivate] = Config{list.PrivateRegistry, "agnhost", "2.6"}
-	configs[AuthenticatedAlpine] = Config{list.GcAuthenticatedRegistry, "alpine", "3.7"}
-	configs[AuthenticatedWindowsNanoServer] = Config{list.GcAuthenticatedRegistry, "windows-nanoserver", "v1"}
 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"}
 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"}
 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.37.0-1"}
-	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.7.11"}
-	configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.6.4-0"}
-	configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"}
-	configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"}
+	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.8.7"}
+	configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.6.6-0"}
 	configs[InvalidRegistryImage] = Config{list.InvalidRegistry, "alpine", "3.1"}
 	configs[IpcUtils] = Config{list.PromoterE2eRegistry, "ipc-utils", "1.3"}
 	configs[JessieDnsutils] = Config{list.PromoterE2eRegistry, "jessie-dnsutils", "1.7"}
@@ -266,8 +257,7 @@ func GetMappedImageConfigs(originalImageConfigs map[ImageID]Config, repo string)
 	configs := make(map[ImageID]Config)
 	for i, config := range originalImageConfigs {
 		switch i {
-		case InvalidRegistryImage, AuthenticatedAlpine,
-			AuthenticatedWindowsNanoServer, AgnhostPrivate:
+		case InvalidRegistryImage, AgnhostPrivate:
 			// These images are special and can't be run out of the cloud - some because they
 			// are authenticated, and others because they are not real images. Tests that depend
 			// on these images can't be run without access to the public internet.
@@ -398,8 +388,6 @@ func replaceRegistryInImageURLWithList(imageURL string, reg RegistryList) (strin
 		registryAndUser = reg.PromoterE2eRegistry
 	case initRegistry.BuildImageRegistry:
 		registryAndUser = reg.BuildImageRegistry
-	case initRegistry.GcAuthenticatedRegistry:
-		registryAndUser = reg.GcAuthenticatedRegistry
 	case initRegistry.DockerLibraryRegistry:
 		registryAndUser = reg.DockerLibraryRegistry
 	case initRegistry.CloudProviderGcpRegistry:
diff --git a/test/utils/image/manifest_test.go b/test/utils/image/manifest_test.go
index a60239e6b7abf..d10e92bc88338 100644
--- a/test/utils/image/manifest_test.go
+++ b/test/utils/image/manifest_test.go
@@ -56,20 +56,16 @@ func BenchmarkReplaceRegistryInImageURL(b *testing.B) {
 		}, {
 			in:  "registry.k8s.io/build-image/test:latest",
 			out: "test.io/build/test:latest",
-		}, {
-			in:  "gcr.io/authenticated-image-pulling/test:latest",
-			out: "test.io/gcAuth/test:latest",
 		},
 	}
 	reg := RegistryList{
-		DockerLibraryRegistry:   "test.io/library",
-		GcRegistry:              "test.io",
-		PrivateRegistry:         "test.io/k8s-authenticated-test",
-		SigStorageRegistry:      "test.io/sig-storage",
-		InvalidRegistry:         "test.io/invalid",
-		PromoterE2eRegistry:     "test.io/promoter",
-		BuildImageRegistry:      "test.io/build",
-		GcAuthenticatedRegistry: "test.io/gcAuth",
+		DockerLibraryRegistry: "test.io/library",
+		GcRegistry:            "test.io",
+		PrivateRegistry:       "test.io/k8s-authenticated-test",
+		SigStorageRegistry:    "test.io/sig-storage",
+		InvalidRegistry:       "test.io/invalid",
+		PromoterE2eRegistry:   "test.io/promoter",
+		BuildImageRegistry:    "test.io/build",
 	}
 	for i := 0; i < b.N; i++ {
 		tt := registryTests[i%len(registryTests)]
@@ -113,9 +109,6 @@ func TestReplaceRegistryInImageURL(t *testing.T) {
 		}, {
 			in:  "registry.k8s.io/build-image/test:latest",
 			out: "test.io/build/test:latest",
-		}, {
-			in:  "gcr.io/authenticated-image-pulling/test:latest",
-			out: "test.io/gcAuth/test:latest",
 		}, {
 			in:        "unknwon.io/google-samples/test:latest",
 			expectErr: fmt.Errorf("Registry: unknwon.io/google-samples is missing in test/utils/image/manifest.go, please add the registry, otherwise the test will fail on air-gapped clusters"),
@@ -124,14 +117,13 @@ func TestReplaceRegistryInImageURL(t *testing.T) {
 
 	// Set custom registries
 	reg := RegistryList{
-		DockerLibraryRegistry:   "test.io/library",
-		GcRegistry:              "test.io",
-		PrivateRegistry:         "test.io/k8s-authenticated-test",
-		SigStorageRegistry:      "test.io/sig-storage",
-		InvalidRegistry:         "test.io/invalid",
-		PromoterE2eRegistry:     "test.io/promoter",
-		BuildImageRegistry:      "test.io/build",
-		GcAuthenticatedRegistry: "test.io/gcAuth",
+		DockerLibraryRegistry: "test.io/library",
+		GcRegistry:            "test.io",
+		PrivateRegistry:       "test.io/k8s-authenticated-test",
+		SigStorageRegistry:    "test.io/sig-storage",
+		InvalidRegistry:       "test.io/invalid",
+		PromoterE2eRegistry:   "test.io/promoter",
+		BuildImageRegistry:    "test.io/build",
 	}
 
 	for _, tt := range registryTests {
@@ -156,7 +148,7 @@ func TestGetOriginalImageConfigs(t *testing.T) {
 
 func TestGetMappedImageConfigs(t *testing.T) {
 	originals := map[ImageID]Config{
-		10: {registry: "docker.io", name: "source/repo", version: "1.0"},
+		1: {registry: "docker.io", name: "source/repo", version: "1.0"},
 	}
 	mapping := GetMappedImageConfigs(originals, "quay.io/repo/for-test")
 
@@ -166,7 +158,7 @@ func TestGetMappedImageConfigs(t *testing.T) {
 		actual[source.GetE2EImage()] = mapping.GetE2EImage()
 	}
 	expected := map[string]string{
-		"docker.io/source/repo:1.0": "quay.io/repo/for-test:e2e-10-docker-io-source-repo-1-0-72R4aXm7YnxQ4_ek",
+		"docker.io/source/repo:1.0": "quay.io/repo/for-test:e2e-1-docker-io-source-repo-1-0-72R4aXm7YnxQ4_ek",
 	}
 	if !reflect.DeepEqual(expected, actual) {
 		t.Fatal(cmp.Diff(expected, actual))
diff --git a/test/utils/ktesting/clientcontext.go b/test/utils/ktesting/clientcontext.go
index 36da9793bdd7b..47c5a4547bf90 100644
--- a/test/utils/ktesting/clientcontext.go
+++ b/test/utils/ktesting/clientcontext.go
@@ -87,7 +87,11 @@ func (cCtx clientContext) ExpectNoError(err error, explain ...interface{}) {
 }
 
 func (cCtx clientContext) Run(name string, cb func(tCtx TContext)) bool {
-	return run(cCtx, name, cb)
+	return run(cCtx, name, false, cb)
+}
+
+func (cCtx clientContext) SyncTest(name string, cb func(tCtx TContext)) bool {
+	return run(cCtx, name, true, cb)
 }
 
 func (cCtx clientContext) Logger() klog.Logger {
diff --git a/test/utils/ktesting/errorcontext.go b/test/utils/ktesting/errorcontext.go
index c3adc913e6b99..d6d22ba2436e2 100644
--- a/test/utils/ktesting/errorcontext.go
+++ b/test/utils/ktesting/errorcontext.go
@@ -173,7 +173,11 @@ func (eCtx *errorContext) ExpectNoError(err error, explain ...interface{}) {
 }
 
 func (cCtx *errorContext) Run(name string, cb func(tCtx TContext)) bool {
-	return run(cCtx, name, cb)
+	return run(cCtx, name, false, cb)
+}
+
+func (cCtx *errorContext) SyncTest(name string, cb func(tCtx TContext)) bool {
+	return run(cCtx, name, true, cb)
 }
 
 func (eCtx *errorContext) Logger() klog.Logger {
diff --git a/test/utils/ktesting/tcontext.go b/test/utils/ktesting/tcontext.go
index 69c2fe1f1968f..deb44a5cb97b5 100644
--- a/test/utils/ktesting/tcontext.go
+++ b/test/utils/ktesting/tcontext.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"strings"
 	"testing"
+	"testing/synctest"
 	"time"
 
 	"github.com/onsi/gomega"
@@ -92,6 +93,31 @@ type TContext interface {
 	// test when called elsewhere.
 	Run(name string, f func(tCtx TContext)) bool
 
+	// SyncTest uses [synctest.Test] to execute the callback inside a bubble.
+	// Creates a new subtest if the name is non-empty, otherwise it creates
+	// the bubble directly in the current test context.
+	//
+	// Only works in Go unit tests.
+	SyncTest(name string, f func(tCtx TContext)) bool
+
+	// IsSyncTest returns true if the context was created by SyncTest.
+	//
+	// Inside such a context, Wait is usable. This can be used in
+	// code which runs inside synctest bubbles and outside:
+	// - Inside a bubble, Wait can be used to block until
+	//   background activity has settled down (= "durably blocked").
+	//   Eventually and Consistently both call Wait and then check
+	//   the condition.
+	// - Outside, polling or some synchronization mechanism has to be used.
+	IsSyncTest() bool
+
+	// Wait calls [synctest.Wait] and thus ensures that all background
+	// activity has settled down (= "durably blocked").
+	//
+	// Only works inside a bubble started by SyncTest (can be checked with
+	// IsSyncTest), panics elsewhere.
+	Wait()
+
 	// Cancel can be invoked to cancel the context before the test is completed.
 	// Tests which use the context to control goroutines and then wait for
 	// termination of those goroutines must call Cancel to avoid a deadlock.
@@ -358,7 +384,8 @@ func InitCtx(ctx context.Context, tb TB, _ ...InitOption) TContext {
 // A simpler API is to use TContext.Run as replacement
 // for [testing.T.Run].
 func WithTB(parentCtx TContext, tb TB) TContext {
-	tCtx := InitCtx(klog.NewContext(parentCtx, newLogger(tb, false /* don't buffer log output */)), tb)
+	// TODO: honor the initial settings for logging.
+	tCtx := InitCtx(klog.NewContext(parentCtx, newLogger(tb, false /* don't buffer log output */)), withKlogHeader(tb))
 
 	tCtx = WithCancel(tCtx)
 	tCtx = WithClients(tCtx,
@@ -371,27 +398,53 @@ func WithTB(parentCtx TContext, tb TB) TContext {
 	return tCtx
 }
 
-// run implements the different Run methods. It's not an exported
+// run implements the different Run and SyncTest methods. It's not an exported
 // method because tCtx.Run is more discoverable (same usage as
 // with normal Go).
-func run(tCtx TContext, name string, cb func(tCtx TContext)) bool {
+func run(tCtx TContext, name string, syncTest bool, cb func(tCtx TContext)) bool {
 	tCtx.Helper()
 	switch tb := tCtx.TB().(type) {
-	case interface {
-		Run(string, func(t *testing.T)) bool
-	}:
+	case *testing.T:
+		if syncTest {
+			f := func(t *testing.T) {
+				// We must not propagate the parent's
+				// cancellation channel into the bubble,
+				// it causes "panic: receive on synctest channel from outside bubble".
+				//
+				// Sync tests shouldn't need the overall suite timeout,
+				// so this seems okay.
+				cb(synctestContext{TContext: WithTB(WithoutCancel(tCtx), t)})
+			}
+			if name != "" {
+				return tb.Run(name, func(t *testing.T) { synctest.Test(t, f) })
+			}
+			synctest.Test(tb, f)
+			return true
+		}
 		return tb.Run(name, func(t *testing.T) { cb(WithTB(tCtx, t)) })
-	case interface {
-		Run(string, func(t *testing.B)) bool
-	}:
-		return tb.Run(name, func(b *testing.B) { cb(WithTB(tCtx, b)) })
-	default:
-		tCtx.Fatalf("Run not implemented, underlying %T does not support it", tCtx.TB())
+	case *testing.B:
+		if !syncTest {
+			return tb.Run(name, func(b *testing.B) { cb(WithTB(tCtx, b)) })
+		}
+	}
+
+	what := "Run"
+	if syncTest {
+		what = "SyncTest"
 	}
+	tCtx.Fatalf("%s not implemented, underlying %T does not support it", what, tCtx.TB())
 
 	return false
 }
 
+type synctestContext struct {
+	TContext
+}
+
+func (s synctestContext) IsSyncTest() bool {
+	return true
+}
+
 // WithContext constructs a new TContext with a different Context instance.
 // This can be used in callbacks which receive a Context, for example
 // from Gomega:
@@ -482,7 +535,19 @@ func cleanupCtx(tCtx TContext, cb func(TContext)) {
 }
 
 func (cCtx tContext) Run(name string, cb func(tCtx TContext)) bool {
-	return run(cCtx, name, cb)
+	return run(cCtx, name, false, cb)
+}
+
+func (cCtx tContext) SyncTest(name string, cb func(tCtx TContext)) bool {
+	return run(cCtx, name, true, cb)
+}
+
+func (cCtx tContext) IsSyncTest() bool {
+	return false
+}
+
+func (cCtx tContext) Wait() {
+	synctest.Wait()
 }
 
 func (tCtx tContext) Logger() klog.Logger {
diff --git a/test/utils/ktesting/withcontext.go b/test/utils/ktesting/withcontext.go
index 6f1ddfa722166..80b02e2d87cc3 100644
--- a/test/utils/ktesting/withcontext.go
+++ b/test/utils/ktesting/withcontext.go
@@ -107,7 +107,11 @@ func (wCtx withContext) ExpectNoError(err error, explain ...interface{}) {
 }
 
 func (cCtx withContext) Run(name string, cb func(tCtx TContext)) bool {
-	return run(cCtx, name, cb)
+	return run(cCtx, name, false, cb)
+}
+
+func (cCtx withContext) SyncTest(name string, cb func(tCtx TContext)) bool {
+	return run(cCtx, name, true, cb)
 }
 
 func (wCtx withContext) Logger() klog.Logger {
diff --git a/test/utils/oidc/handlers/.mockery.yaml b/test/utils/oidc/handlers/.mockery.yaml
index 8895054d2b7cd..66925b365c01b 100644
--- a/test/utils/oidc/handlers/.mockery.yaml
+++ b/test/utils/oidc/handlers/.mockery.yaml
@@ -1,13 +1,12 @@
 ---
 dir: .
-filename: mock_{{.InterfaceName | snakecase}}.go
-boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
-inpackage: true
-with-expecter: true
+filename: mocks.go
+template: testify
+template-data:
+  boilerplate-file: ../../../../hack/boilerplate/boilerplate.generatego.txt
+  unroll-variadic: true
 packages:
   k8s.io/kubernetes/test/utils/oidc/handlers:
     interfaces:
-      JWKsHandler:
-        config:
-          filename: mock_jwks_handler.go
-      TokenHandler:
+      JWKsHandler: {}
+      TokenHandler: {}
diff --git a/test/utils/oidc/handlers/mock_jwks_handler.go b/test/utils/oidc/handlers/mock_jwks_handler.go
deleted file mode 100644
index c1955493c7354..0000000000000
--- a/test/utils/oidc/handlers/mock_jwks_handler.go
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package handlers
-
-import (
-	mock "github.com/stretchr/testify/mock"
-	jose "gopkg.in/go-jose/go-jose.v2"
-)
-
-// MockJWKsHandler is an autogenerated mock type for the JWKsHandler type
-type MockJWKsHandler struct {
-	mock.Mock
-}
-
-type MockJWKsHandler_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockJWKsHandler) EXPECT() *MockJWKsHandler_Expecter {
-	return &MockJWKsHandler_Expecter{mock: &_m.Mock}
-}
-
-// KeySet provides a mock function with no fields
-func (_m *MockJWKsHandler) KeySet() jose.JSONWebKeySet {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for KeySet")
-	}
-
-	var r0 jose.JSONWebKeySet
-	if rf, ok := ret.Get(0).(func() jose.JSONWebKeySet); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(jose.JSONWebKeySet)
-	}
-
-	return r0
-}
-
-// MockJWKsHandler_KeySet_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'KeySet'
-type MockJWKsHandler_KeySet_Call struct {
-	*mock.Call
-}
-
-// KeySet is a helper method to define mock.On call
-func (_e *MockJWKsHandler_Expecter) KeySet() *MockJWKsHandler_KeySet_Call {
-	return &MockJWKsHandler_KeySet_Call{Call: _e.mock.On("KeySet")}
-}
-
-func (_c *MockJWKsHandler_KeySet_Call) Run(run func()) *MockJWKsHandler_KeySet_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockJWKsHandler_KeySet_Call) Return(_a0 jose.JSONWebKeySet) *MockJWKsHandler_KeySet_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockJWKsHandler_KeySet_Call) RunAndReturn(run func() jose.JSONWebKeySet) *MockJWKsHandler_KeySet_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockJWKsHandler creates a new instance of MockJWKsHandler. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockJWKsHandler(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockJWKsHandler {
-	mock := &MockJWKsHandler{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/test/utils/oidc/handlers/mock_token_handler.go b/test/utils/oidc/handlers/mock_token_handler.go
deleted file mode 100644
index 532408d77db25..0000000000000
--- a/test/utils/oidc/handlers/mock_token_handler.go
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
-Copyright The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by mockery v2.53.3. DO NOT EDIT.
-
-package handlers
-
-import mock "github.com/stretchr/testify/mock"
-
-// MockTokenHandler is an autogenerated mock type for the TokenHandler type
-type MockTokenHandler struct {
-	mock.Mock
-}
-
-type MockTokenHandler_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockTokenHandler) EXPECT() *MockTokenHandler_Expecter {
-	return &MockTokenHandler_Expecter{mock: &_m.Mock}
-}
-
-// Token provides a mock function with no fields
-func (_m *MockTokenHandler) Token() (Token, error) {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Token")
-	}
-
-	var r0 Token
-	var r1 error
-	if rf, ok := ret.Get(0).(func() (Token, error)); ok {
-		return rf()
-	}
-	if rf, ok := ret.Get(0).(func() Token); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(Token)
-	}
-
-	if rf, ok := ret.Get(1).(func() error); ok {
-		r1 = rf()
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockTokenHandler_Token_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Token'
-type MockTokenHandler_Token_Call struct {
-	*mock.Call
-}
-
-// Token is a helper method to define mock.On call
-func (_e *MockTokenHandler_Expecter) Token() *MockTokenHandler_Token_Call {
-	return &MockTokenHandler_Token_Call{Call: _e.mock.On("Token")}
-}
-
-func (_c *MockTokenHandler_Token_Call) Run(run func()) *MockTokenHandler_Token_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockTokenHandler_Token_Call) Return(_a0 Token, _a1 error) *MockTokenHandler_Token_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockTokenHandler_Token_Call) RunAndReturn(run func() (Token, error)) *MockTokenHandler_Token_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockTokenHandler creates a new instance of MockTokenHandler. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockTokenHandler(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockTokenHandler {
-	mock := &MockTokenHandler{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
diff --git a/test/utils/oidc/handlers/mocks.go b/test/utils/oidc/handlers/mocks.go
new file mode 100644
index 0000000000000..1e6ae20a62cad
--- /dev/null
+++ b/test/utils/oidc/handlers/mocks.go
@@ -0,0 +1,177 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package handlers
+
+import (
+	mock "github.com/stretchr/testify/mock"
+	"gopkg.in/go-jose/go-jose.v2"
+)
+
+// NewMockTokenHandler creates a new instance of MockTokenHandler. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockTokenHandler(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockTokenHandler {
+	mock := &MockTokenHandler{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockTokenHandler is an autogenerated mock type for the TokenHandler type
+type MockTokenHandler struct {
+	mock.Mock
+}
+
+type MockTokenHandler_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockTokenHandler) EXPECT() *MockTokenHandler_Expecter {
+	return &MockTokenHandler_Expecter{mock: &_m.Mock}
+}
+
+// Token provides a mock function for the type MockTokenHandler
+func (_mock *MockTokenHandler) Token() (Token, error) {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Token")
+	}
+
+	var r0 Token
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func() (Token, error)); ok {
+		return returnFunc()
+	}
+	if returnFunc, ok := ret.Get(0).(func() Token); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(Token)
+	}
+	if returnFunc, ok := ret.Get(1).(func() error); ok {
+		r1 = returnFunc()
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockTokenHandler_Token_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Token'
+type MockTokenHandler_Token_Call struct {
+	*mock.Call
+}
+
+// Token is a helper method to define mock.On call
+func (_e *MockTokenHandler_Expecter) Token() *MockTokenHandler_Token_Call {
+	return &MockTokenHandler_Token_Call{Call: _e.mock.On("Token")}
+}
+
+func (_c *MockTokenHandler_Token_Call) Run(run func()) *MockTokenHandler_Token_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockTokenHandler_Token_Call) Return(token Token, err error) *MockTokenHandler_Token_Call {
+	_c.Call.Return(token, err)
+	return _c
+}
+
+func (_c *MockTokenHandler_Token_Call) RunAndReturn(run func() (Token, error)) *MockTokenHandler_Token_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockJWKsHandler creates a new instance of MockJWKsHandler. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockJWKsHandler(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockJWKsHandler {
+	mock := &MockJWKsHandler{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockJWKsHandler is an autogenerated mock type for the JWKsHandler type
+type MockJWKsHandler struct {
+	mock.Mock
+}
+
+type MockJWKsHandler_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockJWKsHandler) EXPECT() *MockJWKsHandler_Expecter {
+	return &MockJWKsHandler_Expecter{mock: &_m.Mock}
+}
+
+// KeySet provides a mock function for the type MockJWKsHandler
+func (_mock *MockJWKsHandler) KeySet() jose.JSONWebKeySet {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for KeySet")
+	}
+
+	var r0 jose.JSONWebKeySet
+	if returnFunc, ok := ret.Get(0).(func() jose.JSONWebKeySet); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(jose.JSONWebKeySet)
+	}
+	return r0
+}
+
+// MockJWKsHandler_KeySet_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'KeySet'
+type MockJWKsHandler_KeySet_Call struct {
+	*mock.Call
+}
+
+// KeySet is a helper method to define mock.On call
+func (_e *MockJWKsHandler_Expecter) KeySet() *MockJWKsHandler_KeySet_Call {
+	return &MockJWKsHandler_KeySet_Call{Call: _e.mock.On("KeySet")}
+}
+
+func (_c *MockJWKsHandler_KeySet_Call) Run(run func()) *MockJWKsHandler_KeySet_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockJWKsHandler_KeySet_Call) Return(jSONWebKeySet jose.JSONWebKeySet) *MockJWKsHandler_KeySet_Call {
+	_c.Call.Return(jSONWebKeySet)
+	return _c
+}
+
+func (_c *MockJWKsHandler_KeySet_Call) RunAndReturn(run func() jose.JSONWebKeySet) *MockJWKsHandler_KeySet_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/test/utils/runners.go b/test/utils/runners.go
index c8b8bc9475945..62c769f04050e 100644
--- a/test/utils/runners.go
+++ b/test/utils/runners.go
@@ -28,7 +28,6 @@ import (
 	apps "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
-	storagev1beta1 "k8s.io/api/storage/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -54,13 +53,6 @@ const (
 	nonExist = "NonExist"
 )
 
-func removePtr(replicas *int32) int32 {
-	if replicas == nil {
-		return 0
-	}
-	return *replicas
-}
-
 func waitUntilPodIsScheduled(ctx context.Context, c clientset.Interface, name, namespace string, timeout time.Duration) (*v1.Pod, error) {
 	// Wait until it's scheduled
 	p, err := c.CoreV1().Pods(namespace).Get(ctx, name, metav1.GetOptions{ResourceVersion: "0"})
@@ -356,7 +348,7 @@ func (config *DeploymentConfig) create() error {
 	if err := CreateDeploymentWithRetries(config.Client, config.Namespace, deployment); err != nil {
 		return fmt.Errorf("error creating deployment: %v", err)
 	}
-	config.RCConfigLog("Created deployment with name: %v, namespace: %v, replica count: %v", deployment.Name, config.Namespace, removePtr(deployment.Spec.Replicas))
+	config.RCConfigLog("Created deployment with name: %v, namespace: %v, replica count: %v", deployment.Name, config.Namespace, ptr.Deref(deployment.Spec.Replicas, 0))
 	return nil
 }
 
@@ -427,7 +419,7 @@ func (config *ReplicaSetConfig) create() error {
 	if err := CreateReplicaSetWithRetries(config.Client, config.Namespace, rs); err != nil {
 		return fmt.Errorf("error creating replica set: %v", err)
 	}
-	config.RCConfigLog("Created replica set with name: %v, namespace: %v, replica count: %v", rs.Name, config.Namespace, removePtr(rs.Spec.Replicas))
+	config.RCConfigLog("Created replica set with name: %v, namespace: %v, replica count: %v", rs.Name, config.Namespace, ptr.Deref(rs.Spec.Replicas, 0))
 	return nil
 }
 
@@ -507,7 +499,7 @@ func (config *RCConfig) create() error {
 	if err := CreateRCWithRetries(config.Client, config.Namespace, rc); err != nil {
 		return fmt.Errorf("error creating replication controller: %v", err)
 	}
-	config.RCConfigLog("Created replication controller with name: %v, namespace: %v, replica count: %v", rc.Name, config.Namespace, removePtr(rc.Spec.Replicas))
+	config.RCConfigLog("Created replication controller with name: %v, namespace: %v, replica count: %v", rc.Name, config.Namespace, ptr.Deref(rc.Spec.Replicas, 0))
 	return nil
 }
 
@@ -955,7 +947,7 @@ func (s *NodeAllocatableStrategy) createCSINode(ctx context.Context, nodeName st
 	if apierrors.IsAlreadyExists(err) {
 		// Something created CSINode instance after we checked it did not exist.
 		// Make the caller to re-try PrepareDependentObjects by returning Conflict error
-		err = apierrors.NewConflict(storagev1beta1.Resource("csinodes"), nodeName, err)
+		err = apierrors.NewConflict(storagev1.Resource("csinodes"), nodeName, err)
 	}
 	return err
 }
diff --git a/third_party/forked/golang/expansion/expand.go b/third_party/forked/golang/expansion/expand.go
index 6bf0ea8ce09f6..b42211739fa16 100644
--- a/third_party/forked/golang/expansion/expand.go
+++ b/third_party/forked/golang/expansion/expand.go
@@ -2,6 +2,7 @@ package expansion
 
 import (
 	"bytes"
+	"unicode/utf8"
 )
 
 const (
@@ -79,10 +80,11 @@ func Expand(input string, mapping func(string) string) string {
 //
 // The input string is assumed not to contain the initial operator.
 func tryReadVariableName(input string) (string, bool, int) {
-	switch input[0] {
+	r, size := utf8.DecodeRuneInString(input)
+	switch r {
 	case operator:
 		// Escaped operator; return it.
-		return input[0:1], false, 1
+		return input[0:size], false, size
 	case referenceOpener:
 		// Scan to expression closer
 		for i := 1; i < len(input); i++ {
@@ -97,6 +99,7 @@ func tryReadVariableName(input string) (string, bool, int) {
 		// Not the beginning of an expression, ie, an operator
 		// that doesn't begin an expression.  Return the operator
 		// and the first rune in the string.
-		return (string(operator) + string(input[0])), false, 1
+
+		return string(operator) + string(r), false, size
 	}
 }
diff --git a/third_party/forked/golang/expansion/expand_test.go b/third_party/forked/golang/expansion/expand_test.go
index 55a7f4e263bba..ebc4219acf679 100644
--- a/third_party/forked/golang/expansion/expand_test.go
+++ b/third_party/forked/golang/expansion/expand_test.go
@@ -274,6 +274,21 @@ func doExpansionTest(t *testing.T, mapping func(string) string) {
 			input:    "\n",
 			expected: "\n",
 		},
+		{
+			name:     "dollar sign followed by non-ASCII UTF-8 character",
+			input:    "$£FOO",
+			expected: "$£FOO",
+		},
+		{
+			name:     "dollar sign followed by multi-byte UTF-8 character in middle",
+			input:    "prefix-$€-suffix",
+			expected: "prefix-$€-suffix",
+		},
+		{
+			name:     "dollar sign followed by Chinese character",
+			input:    "$中文",
+			expected: "$中文",
+		},
 	}
 
 	for _, tc := range cases {
diff --git a/third_party/forked/golang/net/testing/fakedns.go b/third_party/forked/golang/net/testing/fakedns.go
new file mode 100644
index 0000000000000..00082466abb5b
--- /dev/null
+++ b/third_party/forked/golang/net/testing/fakedns.go
@@ -0,0 +1,112 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This package is copied from Go library net.
+// https://golang.org/src/net/dnsclient_unix_test.go
+// The original private type FakeDNSServer
+// is exported as public type for testing.
+
+package testing
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"time"
+
+	_ "testing"
+
+	"golang.org/x/net/dns/dnsmessage"
+)
+
+type FakeDNSServer struct {
+	ResponseHandler func(n, s string, q dnsmessage.Message, t time.Time) (dnsmessage.Message, error)
+	alwaysTCP       bool
+}
+
+func (server *FakeDNSServer) DialContext(_ context.Context, n, s string) (net.Conn, error) {
+	if server.alwaysTCP || n == "tcp" || n == "tcp4" || n == "tcp6" {
+		return &fakeDNSConn{tcp: true, server: server, n: n, s: s}, nil
+	}
+	return &fakeDNSPacketConn{fakeDNSConn: fakeDNSConn{tcp: false, server: server, n: n, s: s}}, nil
+}
+
+type fakeDNSConn struct {
+	net.Conn
+	tcp    bool
+	server *FakeDNSServer
+	n      string
+	s      string
+	q      dnsmessage.Message
+	t      time.Time
+	buf    []byte
+}
+
+func (f *fakeDNSConn) Close() error {
+	return nil
+}
+
+func (f *fakeDNSConn) Read(b []byte) (int, error) {
+	if len(f.buf) > 0 {
+		n := copy(b, f.buf)
+		f.buf = f.buf[n:]
+		return n, nil
+	}
+
+	resp, err := f.server.ResponseHandler(f.n, f.s, f.q, f.t)
+	if err != nil {
+		return 0, err
+	}
+
+	bb := make([]byte, 2, 514)
+	bb, err = resp.AppendPack(bb)
+	if err != nil {
+		return 0, fmt.Errorf("cannot marshal DNS message: %v", err)
+	}
+
+	if f.tcp {
+		l := len(bb) - 2
+		bb[0] = byte(l >> 8)
+		bb[1] = byte(l)
+		f.buf = bb
+		return f.Read(b)
+	}
+
+	bb = bb[2:]
+	if len(b) < len(bb) {
+		return 0, errors.New("read would fragment DNS message")
+	}
+
+	copy(b, bb)
+	return len(bb), nil
+}
+
+func (f *fakeDNSConn) Write(b []byte) (int, error) {
+	if f.tcp && len(b) >= 2 {
+		b = b[2:]
+	}
+	if f.q.Unpack(b) != nil {
+		return 0, fmt.Errorf("cannot unmarshal DNS message fake %s (%d)", f.n, len(b))
+	}
+	return len(b), nil
+}
+
+func (f *fakeDNSConn) SetDeadline(t time.Time) error {
+	f.t = t
+	return nil
+}
+
+type fakeDNSPacketConn struct {
+	net.PacketConn
+	fakeDNSConn
+}
+
+func (f *fakeDNSPacketConn) SetDeadline(t time.Time) error {
+	return f.fakeDNSConn.SetDeadline(t)
+}
+
+func (f *fakeDNSPacketConn) Close() error {
+	return f.fakeDNSConn.Close()
+}
diff --git a/vendor/cyphar.com/go-pathrs/.golangci.yml b/vendor/cyphar.com/go-pathrs/.golangci.yml
new file mode 100644
index 0000000000000..2778a3268ef14
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/.golangci.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: MPL-2.0
+#
+# libpathrs: safe path resolution on Linux
+# Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+# Copyright (C) 2019-2025 SUSE LLC
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+version: "2"
+linters:
+  enable:
+    - bidichk
+    - cyclop
+    - errname
+    - errorlint
+    - exhaustive
+    - goconst
+    - godot
+    - gomoddirectives
+    - gosec
+    - mirror
+    - misspell
+    - mnd
+    - nilerr
+    - nilnil
+    - perfsprint
+    - prealloc
+    - reassign
+    - revive
+    - unconvert
+    - unparam
+    - usestdlibvars
+    - wastedassign
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - cyphar.com/go-pathrs
diff --git a/vendor/cyphar.com/go-pathrs/COPYING b/vendor/cyphar.com/go-pathrs/COPYING
new file mode 100644
index 0000000000000..d0a1fa1482eea
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/COPYING
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
diff --git a/vendor/cyphar.com/go-pathrs/doc.go b/vendor/cyphar.com/go-pathrs/doc.go
new file mode 100644
index 0000000000000..a7ee4bc487fa5
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/doc.go
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package pathrs provides bindings for libpathrs, a library for safe path
+// resolution on Linux.
+package pathrs
diff --git a/vendor/cyphar.com/go-pathrs/handle_linux.go b/vendor/cyphar.com/go-pathrs/handle_linux.go
new file mode 100644
index 0000000000000..3221ef6738981
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/handle_linux.go
@@ -0,0 +1,114 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// Handle is a handle for a path within a given [Root]. This handle references
+// an already-resolved path which can be used for only one purpose -- to
+// "re-open" the handle and get an actual [os.File] which can be used for
+// ordinary operations.
+//
+// If you wish to open a file without having an intermediate [Handle] object,
+// you can try to use [Root.Open] or [Root.OpenFile].
+//
+// It is critical that perform all relevant operations through this [Handle]
+// (rather than fetching the file descriptor yourself with [Handle.IntoRaw]),
+// because the security properties of libpathrs depend on users doing all
+// relevant filesystem operations through libpathrs.
+//
+// [os.File]: https://pkg.go.dev/os#File
+type Handle struct {
+	inner *os.File
+}
+
+// HandleFromFile creates a new [Handle] from an existing file handle. The
+// handle will be copied by this method, so the original handle should still be
+// freed by the caller.
+//
+// This is effectively the inverse operation of [Handle.IntoRaw], and is used
+// for "deserialising" pathrs root handles.
+func HandleFromFile(file *os.File) (*Handle, error) {
+	newFile, err := fdutils.DupFile(file)
+	if err != nil {
+		return nil, fmt.Errorf("duplicate handle fd: %w", err)
+	}
+	return &Handle{inner: newFile}, nil
+}
+
+// Open creates an "upgraded" file handle to the file referenced by the
+// [Handle]. Note that the original [Handle] is not consumed by this operation,
+// and can be opened multiple times.
+//
+// The handle returned is only usable for reading, and this is method is
+// shorthand for [Handle.OpenFile] with os.O_RDONLY.
+//
+// TODO: Rename these to "Reopen" or something.
+func (h *Handle) Open() (*os.File, error) {
+	return h.OpenFile(os.O_RDONLY)
+}
+
+// OpenFile creates an "upgraded" file handle to the file referenced by the
+// [Handle]. Note that the original [Handle] is not consumed by this operation,
+// and can be opened multiple times.
+//
+// The provided flags indicate which open(2) flags are used to create the new
+// handle.
+//
+// TODO: Rename these to "Reopen" or something.
+func (h *Handle) OpenFile(flags int) (*os.File, error) {
+	return fdutils.WithFileFd(h.inner, func(fd uintptr) (*os.File, error) {
+		newFd, err := libpathrs.Reopen(fd, flags)
+		if err != nil {
+			return nil, err
+		}
+		return os.NewFile(newFd, h.inner.Name()), nil
+	})
+}
+
+// IntoFile unwraps the [Handle] into its underlying [os.File].
+//
+// You almost certainly want to use [Handle.OpenFile] to get a non-O_PATH
+// version of this [Handle].
+//
+// This operation returns the internal [os.File] of the [Handle] directly, so
+// calling [Handle.Close] will also close any copies of the returned [os.File].
+// If you want to get an independent copy, use [Handle.Clone] followed by
+// [Handle.IntoFile] on the cloned [Handle].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func (h *Handle) IntoFile() *os.File {
+	// TODO: Figure out if we really don't want to make a copy.
+	// TODO: We almost certainly want to clear r.inner here, but we can't do
+	//       that easily atomically (we could use atomic.Value but that'll make
+	//       things quite a bit uglier).
+	return h.inner
+}
+
+// Clone creates a copy of a [Handle], such that it has a separate lifetime to
+// the original (while referring to the same underlying file).
+func (h *Handle) Clone() (*Handle, error) {
+	return HandleFromFile(h.inner)
+}
+
+// Close frees all of the resources used by the [Handle].
+func (h *Handle) Close() error {
+	return h.inner.Close()
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go b/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
new file mode 100644
index 0000000000000..41aea3e4b3de4
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
@@ -0,0 +1,75 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package fdutils contains a few helper methods when dealing with *os.File and
+// file descriptors.
+package fdutils
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/unix"
+
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// DupFd makes a duplicate of the given fd.
+func DupFd(fd uintptr, name string) (*os.File, error) {
+	newFd, err := unix.FcntlInt(fd, unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, fmt.Errorf("fcntl(F_DUPFD_CLOEXEC): %w", err)
+	}
+	return os.NewFile(uintptr(newFd), name), nil
+}
+
+// WithFileFd is a more ergonomic wrapper around file.SyscallConn().Control().
+func WithFileFd[T any](file *os.File, fn func(fd uintptr) (T, error)) (T, error) {
+	conn, err := file.SyscallConn()
+	if err != nil {
+		return *new(T), err
+	}
+	var (
+		ret      T
+		innerErr error
+	)
+	if err := conn.Control(func(fd uintptr) {
+		ret, innerErr = fn(fd)
+	}); err != nil {
+		return *new(T), err
+	}
+	return ret, innerErr
+}
+
+// DupFile makes a duplicate of the given file.
+func DupFile(file *os.File) (*os.File, error) {
+	return WithFileFd(file, func(fd uintptr) (*os.File, error) {
+		return DupFd(fd, file.Name())
+	})
+}
+
+// MkFile creates a new *os.File from the provided file descriptor. However,
+// unlike os.NewFile, the file's Name is based on the real path (provided by
+// /proc/self/fd/$n).
+func MkFile(fd uintptr) (*os.File, error) {
+	fdPath := fmt.Sprintf("fd/%d", fd)
+	fdName, err := libpathrs.ProcReadlinkat(libpathrs.ProcDefaultRootFd, libpathrs.ProcThreadSelf, fdPath)
+	if err != nil {
+		_ = unix.Close(int(fd))
+		return nil, fmt.Errorf("failed to fetch real name of fd %d: %w", fd, err)
+	}
+	// TODO: Maybe we should prefix this name with something to indicate to
+	// users that they must not use this path as a "safe" path. Something like
+	// "//pathrs-handle:/foo/bar"?
+	return os.NewFile(fd, fdName), nil
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
new file mode 100644
index 0000000000000..c9f416de01f8f
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
@@ -0,0 +1,40 @@
+//go:build linux
+
+// TODO: Use "go:build unix" once we bump the minimum Go version 1.19.
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package libpathrs
+
+import (
+	"syscall"
+)
+
+// Error represents an underlying libpathrs error.
+type Error struct {
+	description string
+	errno       syscall.Errno
+}
+
+// Error returns a textual description of the error.
+func (err *Error) Error() string {
+	return err.description
+}
+
+// Unwrap returns the underlying error which was wrapped by this error (if
+// applicable).
+func (err *Error) Unwrap() error {
+	if err.errno != 0 {
+		return err.errno
+	}
+	return nil
+}
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
new file mode 100644
index 0000000000000..c07b80e307199
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
@@ -0,0 +1,337 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package libpathrs is an internal thin wrapper around the libpathrs C API.
+package libpathrs
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+/*
+// TODO: Figure out if we need to add support for linking against libpathrs
+//       statically even if in dynamically linked builds in order to make
+//       packaging a bit easier (using "-Wl,-Bstatic -lpathrs -Wl,-Bdynamic" or
+//       "-l:pathrs.a").
+#cgo pkg-config: pathrs
+#include <pathrs.h>
+
+// This is a workaround for unsafe.Pointer() not working for non-void pointers.
+char *cast_ptr(void *ptr) { return ptr; }
+*/
+import "C"
+
+func fetchError(errID C.int) error {
+	if errID >= C.__PATHRS_MAX_ERR_VALUE {
+		return nil
+	}
+	cErr := C.pathrs_errorinfo(errID)
+	defer C.pathrs_errorinfo_free(cErr)
+
+	var err error
+	if cErr != nil {
+		err = &Error{
+			errno:       syscall.Errno(cErr.saved_errno),
+			description: C.GoString(cErr.description),
+		}
+	}
+	return err
+}
+
+// OpenRoot wraps pathrs_open_root.
+func OpenRoot(path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_open_root(cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// Reopen wraps pathrs_reopen.
+func Reopen(fd uintptr, flags int) (uintptr, error) {
+	newFd := C.pathrs_reopen(C.int(fd), C.int(flags))
+	return uintptr(newFd), fetchError(newFd)
+}
+
+// InRootResolve wraps pathrs_inroot_resolve.
+func InRootResolve(rootFd uintptr, path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_resolve(C.int(rootFd), cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootResolveNoFollow wraps pathrs_inroot_resolve_nofollow.
+func InRootResolveNoFollow(rootFd uintptr, path string) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_resolve_nofollow(C.int(rootFd), cPath)
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootOpen wraps pathrs_inroot_open.
+func InRootOpen(rootFd uintptr, path string, flags int) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_open(C.int(rootFd), cPath, C.int(flags))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootReadlink wraps pathrs_inroot_readlink.
+func InRootReadlink(rootFd uintptr, path string) (string, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	size := 128
+	for {
+		linkBuf := make([]byte, size)
+		n := C.pathrs_inroot_readlink(C.int(rootFd), cPath, C.cast_ptr(unsafe.Pointer(&linkBuf[0])), C.ulong(len(linkBuf)))
+		switch {
+		case int(n) < C.__PATHRS_MAX_ERR_VALUE:
+			return "", fetchError(n)
+		case int(n) <= len(linkBuf):
+			return string(linkBuf[:int(n)]), nil
+		default:
+			// The contents were truncated. Unlike readlinkat, pathrs returns
+			// the size of the link when it checked. So use the returned size
+			// as a basis for the reallocated size (but in order to avoid a DoS
+			// where a magic-link is growing by a single byte each iteration,
+			// make sure we are a fair bit larger).
+			size += int(n)
+		}
+	}
+}
+
+// InRootRmdir wraps pathrs_inroot_rmdir.
+func InRootRmdir(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_rmdir(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootUnlink wraps pathrs_inroot_unlink.
+func InRootUnlink(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_unlink(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootRemoveAll wraps pathrs_inroot_remove_all.
+func InRootRemoveAll(rootFd uintptr, path string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_remove_all(C.int(rootFd), cPath)
+	return fetchError(err)
+}
+
+// InRootCreat wraps pathrs_inroot_creat.
+func InRootCreat(rootFd uintptr, path string, flags int, mode uint32) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_creat(C.int(rootFd), cPath, C.int(flags), C.uint(mode))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootRename wraps pathrs_inroot_rename.
+func InRootRename(rootFd uintptr, src, dst string, flags uint) error {
+	cSrc := C.CString(src)
+	defer C.free(unsafe.Pointer(cSrc))
+
+	cDst := C.CString(dst)
+	defer C.free(unsafe.Pointer(cDst))
+
+	err := C.pathrs_inroot_rename(C.int(rootFd), cSrc, cDst, C.uint(flags))
+	return fetchError(err)
+}
+
+// InRootMkdir wraps pathrs_inroot_mkdir.
+func InRootMkdir(rootFd uintptr, path string, mode uint32) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_mkdir(C.int(rootFd), cPath, C.uint(mode))
+	return fetchError(err)
+}
+
+// InRootMkdirAll wraps pathrs_inroot_mkdir_all.
+func InRootMkdirAll(rootFd uintptr, path string, mode uint32) (uintptr, error) {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_inroot_mkdir_all(C.int(rootFd), cPath, C.uint(mode))
+	return uintptr(fd), fetchError(fd)
+}
+
+// InRootMknod wraps pathrs_inroot_mknod.
+func InRootMknod(rootFd uintptr, path string, mode uint32, dev uint64) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	err := C.pathrs_inroot_mknod(C.int(rootFd), cPath, C.uint(mode), C.dev_t(dev))
+	return fetchError(err)
+}
+
+// InRootSymlink wraps pathrs_inroot_symlink.
+func InRootSymlink(rootFd uintptr, path, target string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	cTarget := C.CString(target)
+	defer C.free(unsafe.Pointer(cTarget))
+
+	err := C.pathrs_inroot_symlink(C.int(rootFd), cPath, cTarget)
+	return fetchError(err)
+}
+
+// InRootHardlink wraps pathrs_inroot_hardlink.
+func InRootHardlink(rootFd uintptr, path, target string) error {
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	cTarget := C.CString(target)
+	defer C.free(unsafe.Pointer(cTarget))
+
+	err := C.pathrs_inroot_hardlink(C.int(rootFd), cPath, cTarget)
+	return fetchError(err)
+}
+
+// ProcBase is pathrs_proc_base_t (uint64_t).
+type ProcBase C.pathrs_proc_base_t
+
+// FIXME: We need to open-code the constants because CGo unfortunately will
+// implicitly convert any non-literal constants (i.e. those resolved using gcc)
+// to signed integers. See <https://github.com/golang/go/issues/39136> for some
+// more information on the underlying issue (though.
+const (
+	// ProcRoot is PATHRS_PROC_ROOT.
+	ProcRoot ProcBase = 0xFFFF_FFFE_7072_6F63 // C.PATHRS_PROC_ROOT
+	// ProcSelf is PATHRS_PROC_SELF.
+	ProcSelf ProcBase = 0xFFFF_FFFE_091D_5E1F // C.PATHRS_PROC_SELF
+	// ProcThreadSelf is PATHRS_PROC_THREAD_SELF.
+	ProcThreadSelf ProcBase = 0xFFFF_FFFE_3EAD_5E1F // C.PATHRS_PROC_THREAD_SELF
+
+	// ProcBaseTypeMask is __PATHRS_PROC_TYPE_MASK.
+	ProcBaseTypeMask ProcBase = 0xFFFF_FFFF_0000_0000 // C.__PATHRS_PROC_TYPE_MASK
+	// ProcBaseTypePid is __PATHRS_PROC_TYPE_PID.
+	ProcBaseTypePid ProcBase = 0x8000_0000_0000_0000 // C.__PATHRS_PROC_TYPE_PID
+
+	// ProcDefaultRootFd is PATHRS_PROC_DEFAULT_ROOTFD.
+	ProcDefaultRootFd = -int(syscall.EBADF) // C.PATHRS_PROC_DEFAULT_ROOTFD
+)
+
+func assertEqual[T comparable](a, b T, msg string) {
+	if a != b {
+		panic(fmt.Sprintf("%s ((%T) %#v != (%T) %#v)", msg, a, a, b, b))
+	}
+}
+
+// Verify that the values above match the actual C values. Unfortunately, Go
+// only allows us to forcefully cast int64 to uint64 if you use a temporary
+// variable, which means we cannot do it in a const context and thus need to do
+// it at runtime (even though it is a check that fundamentally could be done at
+// compile-time)...
+func init() {
+	var (
+		actualProcRoot       int64 = C.PATHRS_PROC_ROOT
+		actualProcSelf       int64 = C.PATHRS_PROC_SELF
+		actualProcThreadSelf int64 = C.PATHRS_PROC_THREAD_SELF
+	)
+
+	assertEqual(ProcRoot, ProcBase(actualProcRoot), "PATHRS_PROC_ROOT")
+	assertEqual(ProcSelf, ProcBase(actualProcSelf), "PATHRS_PROC_SELF")
+	assertEqual(ProcThreadSelf, ProcBase(actualProcThreadSelf), "PATHRS_PROC_THREAD_SELF")
+
+	var (
+		actualProcBaseTypeMask uint64 = C.__PATHRS_PROC_TYPE_MASK
+		actualProcBaseTypePid  uint64 = C.__PATHRS_PROC_TYPE_PID
+	)
+
+	assertEqual(ProcBaseTypeMask, ProcBase(actualProcBaseTypeMask), "__PATHRS_PROC_TYPE_MASK")
+	assertEqual(ProcBaseTypePid, ProcBase(actualProcBaseTypePid), "__PATHRS_PROC_TYPE_PID")
+
+	assertEqual(ProcDefaultRootFd, int(C.PATHRS_PROC_DEFAULT_ROOTFD), "PATHRS_PROC_DEFAULT_ROOTFD")
+}
+
+// ProcPid reimplements the PROC_PID(x) conversion.
+func ProcPid(pid uint32) ProcBase { return ProcBaseTypePid | ProcBase(pid) }
+
+// ProcOpenat wraps pathrs_proc_openat.
+func ProcOpenat(procRootFd int, base ProcBase, path string, flags int) (uintptr, error) {
+	cBase := C.pathrs_proc_base_t(base)
+
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	fd := C.pathrs_proc_openat(C.int(procRootFd), cBase, cPath, C.int(flags))
+	return uintptr(fd), fetchError(fd)
+}
+
+// ProcReadlinkat wraps pathrs_proc_readlinkat.
+func ProcReadlinkat(procRootFd int, base ProcBase, path string) (string, error) {
+	// TODO: See if we can unify this code with InRootReadlink.
+
+	cBase := C.pathrs_proc_base_t(base)
+
+	cPath := C.CString(path)
+	defer C.free(unsafe.Pointer(cPath))
+
+	size := 128
+	for {
+		linkBuf := make([]byte, size)
+		n := C.pathrs_proc_readlinkat(
+			C.int(procRootFd), cBase, cPath,
+			C.cast_ptr(unsafe.Pointer(&linkBuf[0])), C.ulong(len(linkBuf)))
+		switch {
+		case int(n) < C.__PATHRS_MAX_ERR_VALUE:
+			return "", fetchError(n)
+		case int(n) <= len(linkBuf):
+			return string(linkBuf[:int(n)]), nil
+		default:
+			// The contents were truncated. Unlike readlinkat, pathrs returns
+			// the size of the link when it checked. So use the returned size
+			// as a basis for the reallocated size (but in order to avoid a DoS
+			// where a magic-link is growing by a single byte each iteration,
+			// make sure we are a fair bit larger).
+			size += int(n)
+		}
+	}
+}
+
+// ProcfsOpenHow is pathrs_procfs_open_how (struct).
+type ProcfsOpenHow C.pathrs_procfs_open_how
+
+const (
+	// ProcfsNewUnmasked is PATHRS_PROCFS_NEW_UNMASKED.
+	ProcfsNewUnmasked = C.PATHRS_PROCFS_NEW_UNMASKED
+)
+
+// Flags returns a pointer to the internal flags field to allow other packages
+// to modify structure fields that are internal due to Go's visibility model.
+func (how *ProcfsOpenHow) Flags() *C.uint64_t { return &how.flags }
+
+// ProcfsOpen is pathrs_procfs_open (sizeof(*how) is passed automatically).
+func ProcfsOpen(how *ProcfsOpenHow) (uintptr, error) {
+	fd := C.pathrs_procfs_open((*C.pathrs_procfs_open_how)(how), C.size_t(unsafe.Sizeof(*how)))
+	return uintptr(fd), fetchError(fd)
+}
diff --git a/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go b/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
new file mode 100644
index 0000000000000..5533c427cb74a
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
@@ -0,0 +1,246 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+	"runtime"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// ProcBase is used with [ProcReadlink] and related functions to indicate what
+// /proc subpath path operations should be done relative to.
+type ProcBase struct {
+	inner libpathrs.ProcBase
+}
+
+var (
+	// ProcRoot indicates to use /proc. Note that this mode may be more
+	// expensive because we have to take steps to try to avoid leaking unmasked
+	// procfs handles, so you should use [ProcBaseSelf] if you can.
+	ProcRoot = ProcBase{inner: libpathrs.ProcRoot}
+	// ProcSelf indicates to use /proc/self. For most programs, this is the
+	// standard choice.
+	ProcSelf = ProcBase{inner: libpathrs.ProcSelf}
+	// ProcThreadSelf indicates to use /proc/thread-self. In multi-threaded
+	// programs where one thread has a different CLONE_FS, it is possible for
+	// /proc/self to point the wrong thread and so /proc/thread-self may be
+	// necessary.
+	ProcThreadSelf = ProcBase{inner: libpathrs.ProcThreadSelf}
+)
+
+// ProcPid returns a ProcBase which indicates to use /proc/$pid for the given
+// PID (or TID). Be aware that due to PID recycling, using this is generally
+// not safe except in certain circumstances. Namely:
+//
+//   - PID 1 (the init process), as that PID cannot ever get recycled.
+//   - Your current PID (though you should just use [ProcBaseSelf]).
+//   - Your current TID if you have used [runtime.LockOSThread] (though you
+//     should just use [ProcBaseThreadSelf]).
+//   - PIDs of child processes (as long as you are sure that no other part of
+//     your program incorrectly catches or ignores SIGCHLD, and that you do it
+//     *before* you call wait(2)or any equivalent method that could reap
+//     zombies).
+func ProcPid(pid int) ProcBase {
+	if pid < 0 || pid >= 1<<31 {
+		panic("invalid ProcBasePid value") // TODO: should this be an error?
+	}
+	return ProcBase{inner: libpathrs.ProcPid(uint32(pid))}
+}
+
+// ThreadCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ThreadCloser func()
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be
+// used to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *os.File
+}
+
+// Close releases all internal resources for this [Handle].
+//
+// Note that if the handle is actually the global cached handle, this operation
+// is a no-op.
+func (proc *Handle) Close() error {
+	var err error
+	if proc.inner != nil {
+		err = proc.inner.Close()
+	}
+	return err
+}
+
+// OpenOption is a configuration function passed as an argument to [Open].
+type OpenOption func(*libpathrs.ProcfsOpenHow) error
+
+// UnmaskedProcRoot can be passed to [Open] to request an unmasked procfs
+// handle be created.
+//
+//	procfs, err := procfs.OpenRoot(procfs.UnmaskedProcRoot)
+func UnmaskedProcRoot(how *libpathrs.ProcfsOpenHow) error {
+	*how.Flags() |= libpathrs.ProcfsNewUnmasked
+	return nil
+}
+
+// Open creates a new [Handle] to a safe "/proc", based on the passed
+// configuration options (in the form of a series of [OpenOption]s).
+func Open(opts ...OpenOption) (*Handle, error) {
+	var how libpathrs.ProcfsOpenHow
+	for _, opt := range opts {
+		if err := opt(&how); err != nil {
+			return nil, err
+		}
+	}
+	fd, err := libpathrs.ProcfsOpen(&how)
+	if err != nil {
+		return nil, err
+	}
+	var procFile *os.File
+	if int(fd) >= 0 {
+		procFile = os.NewFile(fd, "/proc")
+	}
+	// TODO: Check that fd == PATHRS_PROC_DEFAULT_ROOTFD in the <0 case?
+	return &Handle{inner: procFile}, nil
+}
+
+// TODO: Switch to something fdutils.WithFileFd-like.
+func (proc *Handle) fd() int {
+	if proc.inner != nil {
+		return int(proc.inner.Fd())
+	}
+	return libpathrs.ProcDefaultRootFd
+}
+
+// TODO: Should we expose open?
+func (proc *Handle) open(base ProcBase, path string, flags int) (_ *os.File, Closer ThreadCloser, Err error) {
+	var closer ThreadCloser
+	if base == ProcThreadSelf {
+		runtime.LockOSThread()
+		closer = runtime.UnlockOSThread
+	}
+	defer func() {
+		if closer != nil && Err != nil {
+			closer()
+			Closer = nil
+		}
+	}()
+
+	fd, err := libpathrs.ProcOpenat(proc.fd(), base.inner, path, flags)
+	if err != nil {
+		return nil, nil, err
+	}
+	file, err := fdutils.MkFile(fd)
+	return file, closer, err
+}
+
+// OpenRoot safely opens a given path from inside /proc/.
+//
+// This function must only be used for accessing global information from procfs
+// (such as /proc/cpuinfo) or information about other processes (such as
+// /proc/1). Accessing your own process information should be done using
+// [Handle.OpenSelf] or [Handle.OpenThreadSelf].
+func (proc *Handle) OpenRoot(path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcRoot, path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcRoot)")
+	}
+	return file, err
+}
+
+// OpenSelf safely opens a given path from inside /proc/self/.
+//
+// This method is recommend for getting process information about the current
+// process for almost all Go processes *except* for cases where there are
+// [runtime.LockOSThread] threads that have changed some aspect of their state
+// (such as through unshare(CLONE_FS) or changing namespaces).
+//
+// For such non-heterogeneous processes, /proc/self may reference to a task
+// that has different state from the current goroutine and so it may be
+// preferable to use [Handle.OpenThreadSelf]. The same is true if a user
+// really wants to inspect the current OS thread's information (such as
+// /proc/thread-self/stack or /proc/thread-self/status which is always uniquely
+// per-thread).
+//
+// Unlike [Handle.OpenThreadSelf], this method does not involve locking
+// the goroutine to the current OS thread and so is simpler to use and
+// theoretically has slightly less overhead.
+//
+// [runtime.LockOSThread]: https://pkg.go.dev/runtime#LockOSThread
+func (proc *Handle) OpenSelf(path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcSelf, path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcSelf)")
+	}
+	return file, err
+}
+
+// OpenPid safely opens a given path from inside /proc/$pid/, where pid can be
+// either a PID or TID.
+//
+// This is effectively equivalent to calling [Handle.OpenRoot] with the
+// pid prefixed to the subpath.
+//
+// Be aware that due to PID recycling, using this is generally not safe except
+// in certain circumstances. See the documentation of [ProcPid] for more
+// details.
+func (proc *Handle) OpenPid(pid int, path string, flags int) (*os.File, error) {
+	file, closer, err := proc.open(ProcPid(pid), path, flags)
+	if closer != nil {
+		// should not happen
+		panic("non-zero closer returned from procOpen(ProcPidOpen)")
+	}
+	return file, err
+}
+
+// OpenThreadSelf safely opens a given path from inside /proc/thread-self/.
+//
+// Most Go processes have heterogeneous threads (all threads have most of the
+// same kernel state such as CLONE_FS) and so [Handle.OpenSelf] is
+// preferable for most users.
+//
+// For non-heterogeneous threads, or users that actually want thread-specific
+// information (such as /proc/thread-self/stack or /proc/thread-self/status),
+// this method is necessary.
+//
+// Because Go can change the running OS thread of your goroutine without notice
+// (and then subsequently kill the old thread), this method will lock the
+// current goroutine to the OS thread (with [runtime.LockOSThread]) and the
+// caller is responsible for unlocking the the OS thread with the
+// [ThreadCloser] callback once they are done using the returned file. This
+// callback MUST be called AFTER you have finished using the returned
+// [os.File]. This callback is completely separate to [os.File.Close], so it
+// must be called regardless of how you close the handle.
+//
+// [runtime.LockOSThread]: https://pkg.go.dev/runtime#LockOSThread
+// [os.File]: https://pkg.go.dev/os#File
+// [os.File.Close]: https://pkg.go.dev/os#File.Close
+func (proc *Handle) OpenThreadSelf(path string, flags int) (*os.File, ThreadCloser, error) {
+	return proc.open(ProcThreadSelf, path, flags)
+}
+
+// Readlink safely reads the contents of a symlink from the given procfs base.
+//
+// This is effectively equivalent to doing an Open*(O_PATH|O_NOFOLLOW) of the
+// path and then doing unix.Readlinkat(fd, ""), but with the benefit that
+// thread locking is not necessary for [ProcThreadSelf].
+func (proc *Handle) Readlink(base ProcBase, path string) (string, error) {
+	return libpathrs.ProcReadlinkat(proc.fd(), base.inner, path)
+}
diff --git a/vendor/cyphar.com/go-pathrs/root_linux.go b/vendor/cyphar.com/go-pathrs/root_linux.go
new file mode 100644
index 0000000000000..edc9e4c87f98b
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/root_linux.go
@@ -0,0 +1,367 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"syscall"
+
+	"cyphar.com/go-pathrs/internal/fdutils"
+	"cyphar.com/go-pathrs/internal/libpathrs"
+)
+
+// Root is a handle to the root of a directory tree to resolve within. The only
+// purpose of this "root handle" is to perform operations within the directory
+// tree, or to get a [Handle] to inodes within the directory tree.
+//
+// At time of writing, it is considered a *VERY BAD IDEA* to open a [Root]
+// inside a possibly-attacker-controlled directory tree. While we do have
+// protections that should defend against it, it's far more dangerous than just
+// opening a directory tree which is not inside a potentially-untrusted
+// directory.
+type Root struct {
+	inner *os.File
+}
+
+// OpenRoot creates a new [Root] handle to the directory at the given path.
+func OpenRoot(path string) (*Root, error) {
+	fd, err := libpathrs.OpenRoot(path)
+	if err != nil {
+		return nil, err
+	}
+	file, err := fdutils.MkFile(fd)
+	if err != nil {
+		return nil, err
+	}
+	return &Root{inner: file}, nil
+}
+
+// RootFromFile creates a new [Root] handle from an [os.File] referencing a
+// directory. The provided file will be duplicated, so the original file should
+// still be closed by the caller.
+//
+// This is effectively the inverse operation of [Root.IntoFile].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func RootFromFile(file *os.File) (*Root, error) {
+	newFile, err := fdutils.DupFile(file)
+	if err != nil {
+		return nil, fmt.Errorf("duplicate root fd: %w", err)
+	}
+	return &Root{inner: newFile}, nil
+}
+
+// Resolve resolves the given path within the [Root]'s directory tree, and
+// returns a [Handle] to the resolved path. The path must already exist,
+// otherwise an error will occur.
+//
+// All symlinks (including trailing symlinks) are followed, but they are
+// resolved within the rootfs. If you wish to open a handle to the symlink
+// itself, use [ResolveNoFollow].
+func (r *Root) Resolve(path string) (*Handle, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootResolve(rootFd, path)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, nil
+	})
+}
+
+// ResolveNoFollow is effectively an O_NOFOLLOW version of [Resolve]. Their
+// behaviour is identical, except that *trailing* symlinks will not be
+// followed. If the final component is a trailing symlink, an O_PATH|O_NOFOLLOW
+// handle to the symlink itself is returned.
+func (r *Root) ResolveNoFollow(path string) (*Handle, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootResolveNoFollow(rootFd, path)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, nil
+	})
+}
+
+// Open is effectively shorthand for [Resolve] followed by [Handle.Open], but
+// can be slightly more efficient (it reduces CGo overhead and the number of
+// syscalls used when using the openat2-based resolver) and is arguably more
+// ergonomic to use.
+//
+// This is effectively equivalent to [os.Open].
+//
+// [os.Open]: https://pkg.go.dev/os#Open
+func (r *Root) Open(path string) (*os.File, error) {
+	return r.OpenFile(path, os.O_RDONLY)
+}
+
+// OpenFile is effectively shorthand for [Resolve] followed by
+// [Handle.OpenFile], but can be slightly more efficient (it reduces CGo
+// overhead and the number of syscalls used when using the openat2-based
+// resolver) and is arguably more ergonomic to use.
+//
+// However, if flags contains os.O_NOFOLLOW and the path is a symlink, then
+// OpenFile's behaviour will match that of openat2. In most cases an error will
+// be returned, but if os.O_PATH is provided along with os.O_NOFOLLOW then a
+// file equivalent to [ResolveNoFollow] will be returned instead.
+//
+// This is effectively equivalent to [os.OpenFile], except that os.O_CREAT is
+// not supported.
+//
+// [os.OpenFile]: https://pkg.go.dev/os#OpenFile
+func (r *Root) OpenFile(path string, flags int) (*os.File, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*os.File, error) {
+		fd, err := libpathrs.InRootOpen(rootFd, path, flags)
+		if err != nil {
+			return nil, err
+		}
+		return fdutils.MkFile(fd)
+	})
+}
+
+// Create creates a file within the [Root]'s directory tree at the given path,
+// and returns a handle to the file. The provided mode is used for the new file
+// (the process's umask applies).
+//
+// Unlike [os.Create], if the file already exists an error is created rather
+// than the file being opened and truncated.
+//
+// [os.Create]: https://pkg.go.dev/os#Create
+func (r *Root) Create(path string, flags int, mode os.FileMode) (*os.File, error) {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return nil, err
+	}
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*os.File, error) {
+		handleFd, err := libpathrs.InRootCreat(rootFd, path, flags, unixMode)
+		if err != nil {
+			return nil, err
+		}
+		return fdutils.MkFile(handleFd)
+	})
+}
+
+// Rename two paths within a [Root]'s directory tree. The flags argument is
+// identical to the RENAME_* flags to the renameat2(2) system call.
+func (r *Root) Rename(src, dst string, flags uint) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRename(rootFd, src, dst, flags)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// RemoveDir removes the named empty directory within a [Root]'s directory
+// tree.
+func (r *Root) RemoveDir(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRmdir(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// RemoveFile removes the named file within a [Root]'s directory tree.
+func (r *Root) RemoveFile(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootUnlink(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Remove removes the named file or (empty) directory within a [Root]'s
+// directory tree.
+//
+// This is effectively equivalent to [os.Remove].
+//
+// [os.Remove]: https://pkg.go.dev/os#Remove
+func (r *Root) Remove(path string) error {
+	// In order to match os.Remove's implementation we need to also do both
+	// syscalls unconditionally and adjust the error based on whether
+	// pathrs_inroot_rmdir() returned ENOTDIR.
+	unlinkErr := r.RemoveFile(path)
+	if unlinkErr == nil {
+		return nil
+	}
+	rmdirErr := r.RemoveDir(path)
+	if rmdirErr == nil {
+		return nil
+	}
+	// Both failed, adjust the error in the same way that os.Remove does.
+	err := rmdirErr
+	if errors.Is(err, syscall.ENOTDIR) {
+		err = unlinkErr
+	}
+	return err
+}
+
+// RemoveAll recursively deletes a path and all of its children.
+//
+// This is effectively equivalent to [os.RemoveAll].
+//
+// [os.RemoveAll]: https://pkg.go.dev/os#RemoveAll
+func (r *Root) RemoveAll(path string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootRemoveAll(rootFd, path)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Mkdir creates a directory within a [Root]'s directory tree. The provided
+// mode is used for the new directory (the process's umask applies).
+//
+// This is effectively equivalent to [os.Mkdir].
+//
+// [os.Mkdir]: https://pkg.go.dev/os#Mkdir
+func (r *Root) Mkdir(path string, mode os.FileMode) error {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return err
+	}
+
+	_, err = fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootMkdir(rootFd, path, unixMode)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// MkdirAll creates a directory (and any parent path components if they don't
+// exist) within a [Root]'s directory tree. The provided mode is used for any
+// directories created by this function (the process's umask applies).
+//
+// This is effectively equivalent to [os.MkdirAll].
+//
+// [os.MkdirAll]: https://pkg.go.dev/os#MkdirAll
+func (r *Root) MkdirAll(path string, mode os.FileMode) (*Handle, error) {
+	unixMode, err := toUnixMode(mode, false)
+	if err != nil {
+		return nil, err
+	}
+
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (*Handle, error) {
+		handleFd, err := libpathrs.InRootMkdirAll(rootFd, path, unixMode)
+		if err != nil {
+			return nil, err
+		}
+		handleFile, err := fdutils.MkFile(handleFd)
+		if err != nil {
+			return nil, err
+		}
+		return &Handle{inner: handleFile}, err
+	})
+}
+
+// Mknod creates a new device inode of the given type within a [Root]'s
+// directory tree. The provided mode is used for the new directory (the
+// process's umask applies).
+//
+// This is effectively equivalent to [unix.Mknod].
+//
+// [unix.Mknod]: https://pkg.go.dev/golang.org/x/sys/unix#Mknod
+func (r *Root) Mknod(path string, mode os.FileMode, dev uint64) error {
+	unixMode, err := toUnixMode(mode, true)
+	if err != nil {
+		return err
+	}
+
+	_, err = fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootMknod(rootFd, path, unixMode, dev)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Symlink creates a symlink within a [Root]'s directory tree. The symlink is
+// created at path and is a link to target.
+//
+// This is effectively equivalent to [os.Symlink].
+//
+// [os.Symlink]: https://pkg.go.dev/os#Symlink
+func (r *Root) Symlink(path, target string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootSymlink(rootFd, path, target)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Hardlink creates a hardlink within a [Root]'s directory tree. The hardlink
+// is created at path and is a link to target. Both paths are within the
+// [Root]'s directory tree (you cannot hardlink to a different [Root] or the
+// host).
+//
+// This is effectively equivalent to [os.Link].
+//
+// [os.Link]: https://pkg.go.dev/os#Link
+func (r *Root) Hardlink(path, target string) error {
+	_, err := fdutils.WithFileFd(r.inner, func(rootFd uintptr) (struct{}, error) {
+		err := libpathrs.InRootHardlink(rootFd, path, target)
+		return struct{}{}, err
+	})
+	return err
+}
+
+// Readlink returns the target of a symlink with a [Root]'s directory tree.
+//
+// This is effectively equivalent to [os.Readlink].
+//
+// [os.Readlink]: https://pkg.go.dev/os#Readlink
+func (r *Root) Readlink(path string) (string, error) {
+	return fdutils.WithFileFd(r.inner, func(rootFd uintptr) (string, error) {
+		return libpathrs.InRootReadlink(rootFd, path)
+	})
+}
+
+// IntoFile unwraps the [Root] into its underlying [os.File].
+//
+// It is critical that you do not operate on this file descriptor yourself,
+// because the security properties of libpathrs depend on users doing all
+// relevant filesystem operations through libpathrs.
+//
+// This operation returns the internal [os.File] of the [Root] directly, so
+// calling [Root.Close] will also close any copies of the returned [os.File].
+// If you want to get an independent copy, use [Root.Clone] followed by
+// [Root.IntoFile] on the cloned [Root].
+//
+// [os.File]: https://pkg.go.dev/os#File
+func (r *Root) IntoFile() *os.File {
+	// TODO: Figure out if we really don't want to make a copy.
+	// TODO: We almost certainly want to clear r.inner here, but we can't do
+	//       that easily atomically (we could use atomic.Value but that'll make
+	//       things quite a bit uglier).
+	return r.inner
+}
+
+// Clone creates a copy of a [Root] handle, such that it has a separate
+// lifetime to the original (while referring to the same underlying directory).
+func (r *Root) Clone() (*Root, error) {
+	return RootFromFile(r.inner)
+}
+
+// Close frees all of the resources used by the [Root] handle.
+func (r *Root) Close() error {
+	return r.inner.Close()
+}
diff --git a/vendor/cyphar.com/go-pathrs/utils_linux.go b/vendor/cyphar.com/go-pathrs/utils_linux.go
new file mode 100644
index 0000000000000..2208d608f8df5
--- /dev/null
+++ b/vendor/cyphar.com/go-pathrs/utils_linux.go
@@ -0,0 +1,56 @@
+//go:build linux
+
+// SPDX-License-Identifier: MPL-2.0
+/*
+ * libpathrs: safe path resolution on Linux
+ * Copyright (C) 2019-2025 Aleksa Sarai <cyphar@cyphar.com>
+ * Copyright (C) 2019-2025 SUSE LLC
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package pathrs
+
+import (
+	"fmt"
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+//nolint:cyclop // this function needs to handle a lot of cases
+func toUnixMode(mode os.FileMode, needsType bool) (uint32, error) {
+	sysMode := uint32(mode.Perm())
+	switch mode & os.ModeType { //nolint:exhaustive // we only care about ModeType bits
+	case 0:
+		if needsType {
+			sysMode |= unix.S_IFREG
+		}
+	case os.ModeDir:
+		sysMode |= unix.S_IFDIR
+	case os.ModeSymlink:
+		sysMode |= unix.S_IFLNK
+	case os.ModeCharDevice | os.ModeDevice:
+		sysMode |= unix.S_IFCHR
+	case os.ModeDevice:
+		sysMode |= unix.S_IFBLK
+	case os.ModeNamedPipe:
+		sysMode |= unix.S_IFIFO
+	case os.ModeSocket:
+		sysMode |= unix.S_IFSOCK
+	default:
+		return 0, fmt.Errorf("invalid mode filetype %+o", mode)
+	}
+	if mode&os.ModeSetuid != 0 {
+		sysMode |= unix.S_ISUID
+	}
+	if mode&os.ModeSetgid != 0 {
+		sysMode |= unix.S_ISGID
+	}
+	if mode&os.ModeSticky != 0 {
+		sysMode |= unix.S_ISVTX
+	}
+	return sysMode, nil
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/.gitignore b/vendor/github.com/Masterminds/semver/v3/.gitignore
new file mode 100644
index 0000000000000..6b061e6174b3e
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/.gitignore
@@ -0,0 +1 @@
+_fuzz/
\ No newline at end of file
diff --git a/vendor/github.com/Masterminds/semver/v3/.golangci.yml b/vendor/github.com/Masterminds/semver/v3/.golangci.yml
new file mode 100644
index 0000000000000..fbc6332592f6b
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/.golangci.yml
@@ -0,0 +1,27 @@
+run:
+  deadline: 2m
+
+linters:
+  disable-all: true
+  enable:
+    - misspell
+    - govet
+    - staticcheck
+    - errcheck
+    - unparam
+    - ineffassign
+    - nakedret
+    - gocyclo
+    - dupl
+    - goimports
+    - revive
+    - gosec
+    - gosimple
+    - typecheck
+    - unused
+
+linters-settings:
+  gofmt:
+    simplify: true
+  dupl:
+    threshold: 600
diff --git a/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
new file mode 100644
index 0000000000000..fabe5e43dc8cc
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md
@@ -0,0 +1,268 @@
+# Changelog
+
+## 3.4.0 (2025-06-27)
+
+### Added
+
+- #268: Added property to Constraints to include prereleases for Check and Validate
+
+### Changed
+
+- #263: Updated Go testing for 1.24, 1.23, and 1.22
+- #269: Updated the error message handling for message case and wrapping errors
+- #266: Restore the ability to have leading 0's when parsing with NewVersion.
+  Opt-out of this by setting CoerceNewVersion to false.
+
+### Fixed
+
+- #257: Fixed the CodeQL link (thanks @dmitris)
+- #262: Restored detailed errors when failed to parse with NewVersion. Opt-out
+  of this by setting DetailedNewVersionErrors to false for faster performance.
+- #267: Handle pre-releases for an "and" group if one constraint includes them
+
+## 3.3.1 (2024-11-19)
+
+### Fixed
+
+- #253: Fix for allowing some version that were invalid
+
+## 3.3.0 (2024-08-27)
+
+### Added
+
+- #238: Add LessThanEqual and GreaterThanEqual functions (thanks @grosser)
+- #213: nil version equality checking (thanks @KnutZuidema)
+
+### Changed
+
+- #241: Simplify StrictNewVersion parsing (thanks @grosser)
+- Testing support up through Go 1.23
+- Minimum version set to 1.21 as this is what's tested now
+- Fuzz testing now supports caching
+
+## 3.2.1 (2023-04-10)
+
+### Changed
+
+- #198: Improved testing around pre-release names
+- #200: Improved code scanning with addition of CodeQL
+- #201: Testing now includes Go 1.20. Go 1.17 has been dropped
+- #202: Migrated Fuzz testing to Go built-in Fuzzing. CI runs daily
+- #203: Docs updated for security details
+
+### Fixed
+
+- #199: Fixed issue with range transformations
+
+## 3.2.0 (2022-11-28)
+
+### Added
+
+- #190: Added text marshaling and unmarshaling
+- #167: Added JSON marshalling for constraints (thanks @SimonTheLeg)
+- #173: Implement encoding.TextMarshaler and encoding.TextUnmarshaler on Version (thanks @MarkRosemaker)
+- #179: Added New() version constructor (thanks @kazhuravlev)
+
+### Changed
+
+- #182/#183: Updated CI testing setup
+
+### Fixed
+
+- #186: Fixing issue where validation of constraint section gave false positives
+- #176: Fix constraints check with *-0 (thanks @mtt0)
+- #181: Fixed Caret operator (^) gives unexpected results when the minor version in constraint is 0 (thanks @arshchimni)
+- #161: Fixed godoc (thanks @afirth)
+
+## 3.1.1 (2020-11-23)
+
+### Fixed
+
+- #158: Fixed issue with generated regex operation order that could cause problem
+
+## 3.1.0 (2020-04-15)
+
+### Added
+
+- #131: Add support for serializing/deserializing SQL (thanks @ryancurrah)
+
+### Changed
+
+- #148: More accurate validation messages on constraints
+
+## 3.0.3 (2019-12-13)
+
+### Fixed
+
+- #141: Fixed issue with <= comparison
+
+## 3.0.2 (2019-11-14)
+
+### Fixed
+
+- #134: Fixed broken constraint checking with ^0.0 (thanks @krmichelos)
+
+## 3.0.1 (2019-09-13)
+
+### Fixed
+
+- #125: Fixes issue with module path for v3
+
+## 3.0.0 (2019-09-12)
+
+This is a major release of the semver package which includes API changes. The Go
+API is compatible with ^1. The Go API was not changed because many people are using
+`go get` without Go modules for their applications and API breaking changes cause
+errors which we have or would need to support.
+
+The changes in this release are the handling based on the data passed into the
+functions. These are described in the added and changed sections below.
+
+### Added
+
+- StrictNewVersion function. This is similar to NewVersion but will return an
+  error if the version passed in is not a strict semantic version. For example,
+  1.2.3 would pass but v1.2.3 or 1.2 would fail because they are not strictly
+  speaking semantic versions. This function is faster, performs fewer operations,
+  and uses fewer allocations than NewVersion.
+- Fuzzing has been performed on NewVersion, StrictNewVersion, and NewConstraint.
+  The Makefile contains the operations used. For more information on you can start
+  on Wikipedia at https://en.wikipedia.org/wiki/Fuzzing
+- Now using Go modules
+
+### Changed
+
+- NewVersion has proper prerelease and metadata validation with error messages
+  to signal an issue with either of them
+- ^ now operates using a similar set of rules to npm/js and Rust/Cargo. If the
+  version is >=1 the ^ ranges works the same as v1. For major versions of 0 the
+  rules have changed. The minor version is treated as the stable version unless
+  a patch is specified and then it is equivalent to =. One difference from npm/js
+  is that prereleases there are only to a specific version (e.g. 1.2.3).
+  Prereleases here look over multiple versions and follow semantic version
+  ordering rules. This pattern now follows along with the expected and requested
+  handling of this packaged by numerous users.
+
+## 1.5.0 (2019-09-11)
+
+### Added
+
+- #103: Add basic fuzzing for `NewVersion()` (thanks @jesse-c)
+
+### Changed
+
+- #82: Clarify wildcard meaning in range constraints and update tests for it (thanks @greysteil)
+- #83: Clarify caret operator range for pre-1.0.0 dependencies (thanks @greysteil)
+- #72: Adding docs comment pointing to vert for a cli
+- #71: Update the docs on pre-release comparator handling
+- #89: Test with new go versions (thanks @thedevsaddam)
+- #87: Added $ to ValidPrerelease for better validation (thanks @jeremycarroll)
+
+### Fixed
+
+- #78: Fix unchecked error in example code (thanks @ravron)
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+- #97: Fixed copyright file for proper display on GitHub
+- #107: Fix handling prerelease when sorting alphanum and num
+- #109: Fixed where Validate sometimes returns wrong message on error
+
+## 1.4.2 (2018-04-10)
+
+### Changed
+
+- #72: Updated the docs to point to vert for a console appliaction
+- #71: Update the docs on pre-release comparator handling
+
+### Fixed
+
+- #70: Fix the handling of pre-releases and the 0.0.0 release edge case
+
+## 1.4.1 (2018-04-02)
+
+### Fixed
+
+- Fixed #64: Fix pre-release precedence issue (thanks @uudashr)
+
+## 1.4.0 (2017-10-04)
+
+### Changed
+
+- #61: Update NewVersion to parse ints with a 64bit int size (thanks @zknill)
+
+## 1.3.1 (2017-07-10)
+
+### Fixed
+
+- Fixed #57: number comparisons in prerelease sometimes inaccurate
+
+## 1.3.0 (2017-05-02)
+
+### Added
+
+- #45: Added json (un)marshaling support (thanks @mh-cbon)
+- Stability marker. See https://masterminds.github.io/stability/
+
+### Fixed
+
+- #51: Fix handling of single digit tilde constraint (thanks @dgodd)
+
+### Changed
+
+- #55: The godoc icon moved from png to svg
+
+## 1.2.3 (2017-04-03)
+
+### Fixed
+
+- #46: Fixed 0.x.x and 0.0.x in constraints being treated as *
+
+## Release 1.2.2 (2016-12-13)
+
+### Fixed
+
+- #34: Fixed issue where hyphen range was not working with pre-release parsing.
+
+## Release 1.2.1 (2016-11-28)
+
+### Fixed
+
+- #24: Fixed edge case issue where constraint "> 0" does not handle "0.0.1-alpha"
+  properly.
+
+## Release 1.2.0 (2016-11-04)
+
+### Added
+
+- #20: Added MustParse function for versions (thanks @adamreese)
+- #15: Added increment methods on versions (thanks @mh-cbon)
+
+### Fixed
+
+- Issue #21: Per the SemVer spec (section 9) a pre-release is unstable and
+  might not satisfy the intended compatibility. The change here ignores pre-releases
+  on constraint checks (e.g., ~ or ^) when a pre-release is not part of the
+  constraint. For example, `^1.2.3` will ignore pre-releases while
+  `^1.2.3-alpha` will include them.
+
+## Release 1.1.1 (2016-06-30)
+
+### Changed
+
+- Issue #9: Speed up version comparison performance (thanks @sdboyer)
+- Issue #8: Added benchmarks (thanks @sdboyer)
+- Updated Go Report Card URL to new location
+- Updated Readme to add code snippet formatting (thanks @mh-cbon)
+- Updating tagging to v[SemVer] structure for compatibility with other tools.
+
+## Release 1.1.0 (2016-03-11)
+
+- Issue #2: Implemented validation to provide reasons a versions failed a
+  constraint.
+
+## Release 1.0.1 (2015-12-31)
+
+- Fixed #1: * constraint failing on valid versions.
+
+## Release 1.0.0 (2015-10-20)
+
+- Initial release
diff --git a/vendor/github.com/Masterminds/semver/v3/LICENSE.txt b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
new file mode 100644
index 0000000000000..9ff7da9c48b67
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt
@@ -0,0 +1,19 @@
+Copyright (C) 2014-2019, Matt Butcher and Matt Farina
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/Masterminds/semver/v3/Makefile b/vendor/github.com/Masterminds/semver/v3/Makefile
new file mode 100644
index 0000000000000..9ca87a2c79ea2
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/Makefile
@@ -0,0 +1,31 @@
+GOPATH=$(shell go env GOPATH)
+GOLANGCI_LINT=$(GOPATH)/bin/golangci-lint
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT)
+	@echo "==> Linting codebase"
+	@$(GOLANGCI_LINT) run
+
+.PHONY: test
+test:
+	@echo "==> Running tests"
+	GO111MODULE=on go test -v
+
+.PHONY: test-cover
+test-cover:
+	@echo "==> Running Tests with coverage"
+	GO111MODULE=on go test -cover .
+
+.PHONY: fuzz
+fuzz:
+	@echo "==> Running Fuzz Tests"
+	go env GOCACHE
+	go test -fuzz=FuzzNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzStrictNewVersion -fuzztime=15s .
+	go test -fuzz=FuzzNewConstraint -fuzztime=15s .
+
+$(GOLANGCI_LINT):
+	# Install golangci-lint. The configuration for it is in the .golangci.yml
+	# file in the root of the repository
+	echo ${GOPATH}
+	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.56.2
diff --git a/vendor/github.com/Masterminds/semver/v3/README.md b/vendor/github.com/Masterminds/semver/v3/README.md
new file mode 100644
index 0000000000000..2f56c676a5de8
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/README.md
@@ -0,0 +1,274 @@
+# SemVer
+
+The `semver` package provides the ability to work with [Semantic Versions](http://semver.org) in Go. Specifically it provides the ability to:
+
+* Parse semantic versions
+* Sort semantic versions
+* Check if a semantic version fits within a set of constraints
+* Optionally work with a `v` prefix
+
+[![Stability:
+Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)
+[![](https://github.com/Masterminds/semver/workflows/Tests/badge.svg)](https://github.com/Masterminds/semver/actions)
+[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/semver/v3)
+[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/semver)](https://goreportcard.com/report/github.com/Masterminds/semver)
+
+## Package Versions
+
+Note, import `github.com/Masterminds/semver/v3` to use the latest version.
+
+There are three major versions fo the `semver` package.
+
+* 3.x.x is the stable and active version. This version is focused on constraint
+  compatibility for range handling in other tools from other languages. It has
+  a similar API to the v1 releases. The development of this version is on the master
+  branch. The documentation for this version is below.
+* 2.x was developed primarily for [dep](https://github.com/golang/dep). There are
+  no tagged releases and the development was performed by [@sdboyer](https://github.com/sdboyer).
+  There are API breaking changes from v1. This version lives on the [2.x branch](https://github.com/Masterminds/semver/tree/2.x).
+* 1.x.x is the original release. It is no longer maintained. You should use the
+  v3 release instead. You can read the documentation for the 1.x.x release
+  [here](https://github.com/Masterminds/semver/blob/release-1/README.md).
+
+## Parsing Semantic Versions
+
+There are two functions that can parse semantic versions. The `StrictNewVersion`
+function only parses valid version 2 semantic versions as outlined in the
+specification. The `NewVersion` function attempts to coerce a version into a
+semantic version and parse it. For example, if there is a leading v or a version
+listed without all 3 parts (e.g. `v1.2`) it will attempt to coerce it into a valid
+semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
+that can be sorted, compared, and used in constraints.
+
+When parsing a version an error is returned if there is an issue parsing the
+version. For example,
+
+    v, err := semver.NewVersion("1.2.3-beta.1+build345")
+
+The version object has methods to get the parts of the version, compare it to
+other versions, convert the version back into a string, and get the original
+string. Getting the original string is useful if the semantic version was coerced
+into a valid form.
+
+There are package level variables that affect how `NewVersion` handles parsing.
+
+- `CoerceNewVersion` is `true` by default. When set to `true` it coerces non-compliant
+  versions into SemVer. For example, allowing a leading 0 in a major, minor, or patch
+  part. This enables the use of CalVer in versions even when not compliant with SemVer.
+  When set to `false` less coercion work is done.
+- `DetailedNewVersionErrors` provides more detailed errors. It only has an affect when
+  `CoerceNewVersion` is set to `false`. When `DetailedNewVersionErrors` is set to `true`
+  it can provide some more insight into why a version is invalid. Setting
+  `DetailedNewVersionErrors` to `false` is faster on performance but provides less
+  detailed error messages if a version fails to parse.
+
+## Sorting Semantic Versions
+
+A set of versions can be sorted using the `sort` package from the standard library.
+For example,
+
+```go
+raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
+vs := make([]*semver.Version, len(raw))
+for i, r := range raw {
+    v, err := semver.NewVersion(r)
+    if err != nil {
+        t.Errorf("Error parsing version: %s", err)
+    }
+
+    vs[i] = v
+}
+
+sort.Sort(semver.Collection(vs))
+```
+
+## Checking Version Constraints
+
+There are two methods for comparing versions. One uses comparison methods on
+`Version` instances and the other uses `Constraints`. There are some important
+differences to notes between these two methods of comparison.
+
+1. When two versions are compared using functions such as `Compare`, `LessThan`,
+   and others it will follow the specification and always include pre-releases
+   within the comparison. It will provide an answer that is valid with the
+   comparison section of the spec at https://semver.org/#spec-item-11
+2. When constraint checking is used for checks or validation it will follow a
+   different set of rules that are common for ranges with tools like npm/js
+   and Rust/Cargo. This includes considering pre-releases to be invalid if the
+   ranges does not include one. If you want to have it include pre-releases a
+   simple solution is to include `-0` in your range.
+3. Constraint ranges can have some complex rules including the shorthand use of
+   ~ and ^. For more details on those see the options below.
+
+There are differences between the two methods or checking versions because the
+comparison methods on `Version` follow the specification while comparison ranges
+are not part of the specification. Different packages and tools have taken it
+upon themselves to come up with range rules. This has resulted in differences.
+For example, npm/js and Cargo/Rust follow similar patterns while PHP has a
+different pattern for ^. The comparison features in this package follow the
+npm/js and Cargo/Rust lead because applications using it have followed similar
+patters with their versions.
+
+Checking a version against version constraints is one of the most featureful
+parts of the package.
+
+```go
+c, err := semver.NewConstraint(">= 1.2.3")
+if err != nil {
+    // Handle constraint not being parsable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parsable.
+}
+// Check if the version meets the constraints. The variable a will be true.
+a := c.Check(v)
+```
+
+### Basic Comparisons
+
+There are two elements to the comparisons. First, a comparison string is a list
+of space or comma separated AND comparisons. These are then separated by || (OR)
+comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
+comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
+greater than or equal to 4.2.3.
+
+The basic comparisons are:
+
+* `=`: equal (aliased to no operator)
+* `!=`: not equal
+* `>`: greater than
+* `<`: less than
+* `>=`: greater than or equal to
+* `<=`: less than or equal to
+
+### Working With Prerelease Versions
+
+Pre-releases, for those not familiar with them, are used for software releases
+prior to stable or generally available releases. Examples of pre-releases include
+development, alpha, beta, and release candidate releases. A pre-release may be
+a version such as `1.2.3-beta.1` while the stable release would be `1.2.3`. In the
+order of precedence, pre-releases come before their associated releases. In this
+example `1.2.3-beta.1 < 1.2.3`.
+
+According to the Semantic Version specification, pre-releases may not be
+API compliant with their release counterpart. It says,
+
+> A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version.
+
+SemVer's comparisons using constraints without a pre-release comparator will skip
+pre-release versions. For example, `>=1.2.3` will skip pre-releases when looking
+at a list of releases while `>=1.2.3-0` will evaluate and find pre-releases.
+
+The reason for the `0` as a pre-release version in the example comparison is
+because pre-releases can only contain ASCII alphanumerics and hyphens (along with
+`.` separators), per the spec. Sorting happens in ASCII sort order, again per the
+spec. The lowest character is a `0` in ASCII sort order
+(see an [ASCII Table](http://www.asciitable.com/))
+
+Understanding ASCII sort ordering is important because A-Z comes before a-z. That
+means `>=1.2.3-BETA` will return `1.2.3-alpha`. What you might expect from case
+sensitivity doesn't apply here. This is due to ASCII sort ordering which is what
+the spec specifies.
+
+The `Constraints` instance returned from `semver.NewConstraint()` has a property
+`IncludePrerelease` that, when set to true, will return prerelease versions when calls
+to `Check()` and `Validate()` are made.
+
+### Hyphen Range Comparisons
+
+There are multiple methods to handle ranges and the first is hyphens ranges.
+These look like:
+
+* `1.2 - 1.4.5` which is equivalent to `>= 1.2 <= 1.4.5`
+* `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
+
+Note that `1.2-1.4.5` without whitespace is parsed completely differently; it's
+parsed as a single constraint `1.2.0` with _prerelease_ `1.4.5`.
+
+### Wildcards In Comparisons
+
+The `x`, `X`, and `*` characters can be used as a wildcard character. This works
+for all comparison operators. When used on the `=` operator it falls
+back to the patch level comparison (see tilde below). For example,
+
+* `1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `>= 1.2.x` is equivalent to `>= 1.2.0`
+* `<= 2.x` is equivalent to `< 3`
+* `*` is equivalent to `>= 0.0.0`
+
+### Tilde Range Comparisons (Patch)
+
+The tilde (`~`) comparison operator is for patch level ranges when a minor
+version is specified and major level changes when the minor number is missing.
+For example,
+
+* `~1.2.3` is equivalent to `>= 1.2.3, < 1.3.0`
+* `~1` is equivalent to `>= 1, < 2`
+* `~2.3` is equivalent to `>= 2.3, < 2.4`
+* `~1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
+* `~1.x` is equivalent to `>= 1, < 2`
+
+### Caret Range Comparisons (Major)
+
+The caret (`^`) comparison operator is for major level changes once a stable
+(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
+as the API stability level. This is useful when comparisons of API versions as a
+major change is API breaking. For example,
+
+* `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
+* `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
+* `^2.3` is equivalent to `>= 2.3, < 3`
+* `^2.x` is equivalent to `>= 2.0.0, < 3`
+* `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
+* `^0.2` is equivalent to `>=0.2.0 <0.3.0`
+* `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
+* `^0.0` is equivalent to `>=0.0.0 <0.1.0`
+* `^0` is equivalent to `>=0.0.0 <1.0.0`
+
+## Validation
+
+In addition to testing a version against a constraint, a version can be validated
+against a constraint. When validation fails a slice of errors containing why a
+version didn't meet the constraint is returned. For example,
+
+```go
+c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
+if err != nil {
+    // Handle constraint not being parseable.
+}
+
+v, err := semver.NewVersion("1.3")
+if err != nil {
+    // Handle version not being parseable.
+}
+
+// Validate a version against a constraint.
+a, msgs := c.Validate(v)
+// a is false
+for _, m := range msgs {
+    fmt.Println(m)
+
+    // Loops over the errors which would read
+    // "1.3 is greater than 1.2.3"
+    // "1.3 is less than 1.4"
+}
+```
+
+## Contribute
+
+If you find an issue or want to contribute please file an [issue](https://github.com/Masterminds/semver/issues)
+or [create a pull request](https://github.com/Masterminds/semver/pulls).
+
+## Security
+
+Security is an important consideration for this project. The project currently
+uses the following tools to help discover security issues:
+
+* [CodeQL](https://codeql.github.com)
+* [gosec](https://github.com/securego/gosec)
+* Daily Fuzz testing
+
+If you believe you have found a security vulnerability you can privately disclose
+it through the [GitHub security page](https://github.com/Masterminds/semver/security).
diff --git a/vendor/github.com/Masterminds/semver/v3/SECURITY.md b/vendor/github.com/Masterminds/semver/v3/SECURITY.md
new file mode 100644
index 0000000000000..a30a66b1f7477
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions of semver are currently supported:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.x     | :white_check_mark: |
+| 2.x     | :x:                |
+| 1.x     | :x:                |
+
+Fixes are only released for the latest minor version in the form of a patch release.
+
+## Reporting a Vulnerability
+
+You can privately disclose a vulnerability through GitHubs
+[private vulnerability reporting](https://github.com/Masterminds/semver/security/advisories)
+mechanism.
diff --git a/vendor/github.com/Masterminds/semver/v3/collection.go b/vendor/github.com/Masterminds/semver/v3/collection.go
new file mode 100644
index 0000000000000..a78235895fdcf
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/collection.go
@@ -0,0 +1,24 @@
+package semver
+
+// Collection is a collection of Version instances and implements the sort
+// interface. See the sort package for more details.
+// https://golang.org/pkg/sort/
+type Collection []*Version
+
+// Len returns the length of a collection. The number of Version instances
+// on the slice.
+func (c Collection) Len() int {
+	return len(c)
+}
+
+// Less is needed for the sort interface to compare two Version objects on the
+// slice. If checks if one is less than the other.
+func (c Collection) Less(i, j int) bool {
+	return c[i].LessThan(c[j])
+}
+
+// Swap is needed for the sort interface to replace the Version objects
+// at two different positions in the slice.
+func (c Collection) Swap(i, j int) {
+	c[i], c[j] = c[j], c[i]
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/constraints.go b/vendor/github.com/Masterminds/semver/v3/constraints.go
new file mode 100644
index 0000000000000..8b7a10f836907
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/constraints.go
@@ -0,0 +1,601 @@
+package semver
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Constraints is one or more constraint that a semantic version can be
+// checked against.
+type Constraints struct {
+	constraints [][]*constraint
+	containsPre []bool
+
+	// IncludePrerelease specifies if pre-releases should be included in
+	// the results. Note, if a constraint range has a prerelease than
+	// prereleases will be included for that AND group even if this is
+	// set to false.
+	IncludePrerelease bool
+}
+
+// NewConstraint returns a Constraints instance that a Version instance can
+// be checked against. If there is a parse error it will be returned.
+func NewConstraint(c string) (*Constraints, error) {
+
+	// Rewrite - ranges into a comparison operation.
+	c = rewriteRange(c)
+
+	ors := strings.Split(c, "||")
+	lenors := len(ors)
+	or := make([][]*constraint, lenors)
+	hasPre := make([]bool, lenors)
+	for k, v := range ors {
+		// Validate the segment
+		if !validConstraintRegex.MatchString(v) {
+			return nil, fmt.Errorf("improper constraint: %s", v)
+		}
+
+		cs := findConstraintRegex.FindAllString(v, -1)
+		if cs == nil {
+			cs = append(cs, v)
+		}
+		result := make([]*constraint, len(cs))
+		for i, s := range cs {
+			pc, err := parseConstraint(s)
+			if err != nil {
+				return nil, err
+			}
+
+			// If one of the constraints has a prerelease record this.
+			// This information is used when checking all in an "and"
+			// group to ensure they all check for prereleases.
+			if pc.con.pre != "" {
+				hasPre[k] = true
+			}
+
+			result[i] = pc
+		}
+		or[k] = result
+	}
+
+	o := &Constraints{
+		constraints: or,
+		containsPre: hasPre,
+	}
+	return o, nil
+}
+
+// Check tests if a version satisfies the constraints.
+func (cs Constraints) Check(v *Version) bool {
+	// TODO(mattfarina): For v4 of this library consolidate the Check and Validate
+	// functions as the underlying functions make that possible now.
+	// loop over the ORs and check the inner ANDs
+	for i, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			if check, _ := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); !check {
+				joy = false
+				break
+			}
+		}
+
+		if joy {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Validate checks if a version satisfies a constraint. If not a slice of
+// reasons for the failure are returned in addition to a bool.
+func (cs Constraints) Validate(v *Version) (bool, []error) {
+	// loop over the ORs and check the inner ANDs
+	var e []error
+
+	// Capture the prerelease message only once. When it happens the first time
+	// this var is marked
+	var prerelesase bool
+	for i, o := range cs.constraints {
+		joy := true
+		for _, c := range o {
+			// Before running the check handle the case there the version is
+			// a prerelease and the check is not searching for prereleases.
+			if !(cs.IncludePrerelease || cs.containsPre[i]) && v.pre != "" {
+				if !prerelesase {
+					em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+					e = append(e, em)
+					prerelesase = true
+				}
+				joy = false
+
+			} else {
+
+				if _, err := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); err != nil {
+					e = append(e, err)
+					joy = false
+				}
+			}
+		}
+
+		if joy {
+			return true, []error{}
+		}
+	}
+
+	return false, e
+}
+
+func (cs Constraints) String() string {
+	buf := make([]string, len(cs.constraints))
+	var tmp bytes.Buffer
+
+	for k, v := range cs.constraints {
+		tmp.Reset()
+		vlen := len(v)
+		for kk, c := range v {
+			tmp.WriteString(c.string())
+
+			// Space separate the AND conditions
+			if vlen > 1 && kk < vlen-1 {
+				tmp.WriteString(" ")
+			}
+		}
+		buf[k] = tmp.String()
+	}
+
+	return strings.Join(buf, " || ")
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface.
+func (cs *Constraints) UnmarshalText(text []byte) error {
+	temp, err := NewConstraint(string(text))
+	if err != nil {
+		return err
+	}
+
+	*cs = *temp
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface.
+func (cs Constraints) MarshalText() ([]byte, error) {
+	return []byte(cs.String()), nil
+}
+
+var constraintOps map[string]cfunc
+var constraintRegex *regexp.Regexp
+var constraintRangeRegex *regexp.Regexp
+
+// Used to find individual constraints within a multi-constraint string
+var findConstraintRegex *regexp.Regexp
+
+// Used to validate an segment of ANDs is valid
+var validConstraintRegex *regexp.Regexp
+
+const cvRegex string = `v?([0-9|x|X|\*]+)(\.[0-9|x|X|\*]+)?(\.[0-9|x|X|\*]+)?` +
+	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
+	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
+
+func init() {
+	constraintOps = map[string]cfunc{
+		"":   constraintTildeOrEqual,
+		"=":  constraintTildeOrEqual,
+		"!=": constraintNotEqual,
+		">":  constraintGreaterThan,
+		"<":  constraintLessThan,
+		">=": constraintGreaterThanEqual,
+		"=>": constraintGreaterThanEqual,
+		"<=": constraintLessThanEqual,
+		"=<": constraintLessThanEqual,
+		"~":  constraintTilde,
+		"~>": constraintTilde,
+		"^":  constraintCaret,
+	}
+
+	ops := `=||!=|>|<|>=|=>|<=|=<|~|~>|\^`
+
+	constraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^\s*(%s)\s*(%s)\s*$`,
+		ops,
+		cvRegex))
+
+	constraintRangeRegex = regexp.MustCompile(fmt.Sprintf(
+		`\s*(%s)\s+-\s+(%s)\s*`,
+		cvRegex, cvRegex))
+
+	findConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`(%s)\s*(%s)`,
+		ops,
+		cvRegex))
+
+	// The first time a constraint shows up will look slightly different from
+	// future times it shows up due to a leading space or comma in a given
+	// string.
+	validConstraintRegex = regexp.MustCompile(fmt.Sprintf(
+		`^(\s*(%s)\s*(%s)\s*)((?:\s+|,\s*)(%s)\s*(%s)\s*)*$`,
+		ops,
+		cvRegex,
+		ops,
+		cvRegex))
+}
+
+// An individual constraint
+type constraint struct {
+	// The version used in the constraint check. For example, if a constraint
+	// is '<= 2.0.0' the con a version instance representing 2.0.0.
+	con *Version
+
+	// The original parsed version (e.g., 4.x from != 4.x)
+	orig string
+
+	// The original operator for the constraint
+	origfunc string
+
+	// When an x is used as part of the version (e.g., 1.x)
+	minorDirty bool
+	dirty      bool
+	patchDirty bool
+}
+
+// Check if a version meets the constraint
+func (c *constraint) check(v *Version, includePre bool) (bool, error) {
+	return constraintOps[c.origfunc](v, c, includePre)
+}
+
+// String prints an individual constraint into a string
+func (c *constraint) string() string {
+	return c.origfunc + c.orig
+}
+
+type cfunc func(v *Version, c *constraint, includePre bool) (bool, error)
+
+func parseConstraint(c string) (*constraint, error) {
+	if len(c) > 0 {
+		m := constraintRegex.FindStringSubmatch(c)
+		if m == nil {
+			return nil, fmt.Errorf("improper constraint: %s", c)
+		}
+
+		cs := &constraint{
+			orig:     m[2],
+			origfunc: m[1],
+		}
+
+		ver := m[2]
+		minorDirty := false
+		patchDirty := false
+		dirty := false
+		if isX(m[3]) || m[3] == "" {
+			ver = fmt.Sprintf("0.0.0%s", m[6])
+			dirty = true
+		} else if isX(strings.TrimPrefix(m[4], ".")) || m[4] == "" {
+			minorDirty = true
+			dirty = true
+			ver = fmt.Sprintf("%s.0.0%s", m[3], m[6])
+		} else if isX(strings.TrimPrefix(m[5], ".")) || m[5] == "" {
+			dirty = true
+			patchDirty = true
+			ver = fmt.Sprintf("%s%s.0%s", m[3], m[4], m[6])
+		}
+
+		con, err := NewVersion(ver)
+		if err != nil {
+
+			// The constraintRegex should catch any regex parsing errors. So,
+			// we should never get here.
+			return nil, errors.New("constraint parser error")
+		}
+
+		cs.con = con
+		cs.minorDirty = minorDirty
+		cs.patchDirty = patchDirty
+		cs.dirty = dirty
+
+		return cs, nil
+	}
+
+	// The rest is the special case where an empty string was passed in which
+	// is equivalent to * or >=0.0.0
+	con, err := StrictNewVersion("0.0.0")
+	if err != nil {
+
+		// The constraintRegex should catch any regex parsing errors. So,
+		// we should never get here.
+		return nil, errors.New("constraint parser error")
+	}
+
+	cs := &constraint{
+		con:        con,
+		orig:       c,
+		origfunc:   "",
+		minorDirty: false,
+		patchDirty: false,
+		dirty:      true,
+	}
+	return cs, nil
+}
+
+// Constraint functions
+func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if c.dirty {
+		if c.con.Major() != v.Major() {
+			return true, nil
+		}
+		if c.con.Minor() != v.Minor() && !c.minorDirty {
+			return true, nil
+		} else if c.minorDirty {
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		} else if c.con.Patch() != v.Patch() && !c.patchDirty {
+			return true, nil
+		} else if c.patchDirty {
+			// Need to handle prereleases if present
+			if v.Prerelease() != "" || c.con.Prerelease() != "" {
+				eq := comparePrerelease(v.Prerelease(), c.con.Prerelease()) != 0
+				if eq {
+					return true, nil
+				}
+				return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+			}
+			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+		}
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return false, fmt.Errorf("%s is equal to %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, error) {
+
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) == 1
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return true, nil
+	} else if v.Major() < c.con.Major() {
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.minorDirty {
+		// This is a range case such as >11. When the version is something like
+		// 11.1.0 is it not > 11. For that we would need 12 or higher
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	} else if c.patchDirty {
+		// This is for ranges such as >11.1. A version of 11.1.1 is not greater
+		// which one of 11.2.1 is greater
+		eq = v.Minor() > c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+	}
+
+	// If we have gotten here we are not comparing pre-preleases and can use the
+	// Compare function to accomplish that.
+	eq = v.Compare(c.con) == 1
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
+}
+
+func constraintLessThan(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) < 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig)
+}
+
+func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	eq := v.Compare(c.con) >= 0
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s is less than %s", v, c.orig)
+}
+
+func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	var eq bool
+
+	if !c.dirty {
+		eq = v.Compare(c.con) <= 0
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	if v.Major() > c.con.Major() {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	} else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// ~*, ~>* --> >= 0.0.0 (any)
+// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0, <3.0.0
+// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0, <2.1.0
+// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0, <1.3.0
+// ~1.2.3, ~>1.2.3 --> >=1.2.3, <1.3.0
+// ~1.2.0, ~>1.2.0 --> >=1.2.0, <1.3.0
+func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	// ~0.0.0 is a special case where all constraints are accepted. It's
+	// equivalent to >= 0.0.0.
+	if c.con.Major() == 0 && c.con.Minor() == 0 && c.con.Patch() == 0 &&
+		!c.minorDirty && !c.patchDirty {
+		return true, nil
+	}
+
+	if v.Major() != c.con.Major() {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	if v.Minor() != c.con.Minor() && !c.minorDirty {
+		return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig)
+	}
+
+	return true, nil
+}
+
+// When there is a .x (dirty) status it automatically opts in to ~. Otherwise
+// it's a straight =
+func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	if c.dirty {
+		return constraintTilde(v, c, includePre)
+	}
+
+	eq := v.Equal(c.con)
+	if eq {
+		return true, nil
+	}
+
+	return false, fmt.Errorf("%s is not equal to %s", v, c.orig)
+}
+
+// ^*      -->  (any)
+// ^1.2.3  -->  >=1.2.3 <2.0.0
+// ^1.2    -->  >=1.2.0 <2.0.0
+// ^1      -->  >=1.0.0 <2.0.0
+// ^0.2.3  -->  >=0.2.3 <0.3.0
+// ^0.2    -->  >=0.2.0 <0.3.0
+// ^0.0.3  -->  >=0.0.3 <0.0.4
+// ^0.0    -->  >=0.0.0 <0.1.0
+// ^0      -->  >=0.0.0 <1.0.0
+func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) {
+	// The existence of prereleases is checked at the group level and passed in.
+	// Exit early if the version has a prerelease but those are to be ignored.
+	if v.Prerelease() != "" && !includePre {
+		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
+	}
+
+	// This less than handles prereleases
+	if v.LessThan(c.con) {
+		return false, fmt.Errorf("%s is less than %s", v, c.orig)
+	}
+
+	var eq bool
+
+	// ^ when the major > 0 is >=x.y.z < x+1
+	if c.con.Major() > 0 || c.minorDirty {
+
+		// ^ has to be within a major range for > 0. Everything less than was
+		// filtered out with the LessThan call above. This filters out those
+		// that greater but not within the same major range.
+		eq = v.Major() == c.con.Major()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+
+	// ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1
+	if c.con.Major() == 0 && v.Major() > 0 {
+		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
+	}
+	// If the con Minor is > 0 it is not dirty
+	if c.con.Minor() > 0 || c.patchDirty {
+		eq = v.Minor() == c.con.Minor()
+		if eq {
+			return true, nil
+		}
+		return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig)
+	}
+	// ^ when the minor is 0 and minor > 0 is =0.0.z
+	if c.con.Minor() == 0 && v.Minor() > 0 {
+		return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig)
+	}
+
+	// At this point the major is 0 and the minor is 0 and not dirty. The patch
+	// is not dirty so we need to check if they are equal. If they are not equal
+	eq = c.con.Patch() == v.Patch()
+	if eq {
+		return true, nil
+	}
+	return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig)
+}
+
+func isX(x string) bool {
+	switch x {
+	case "x", "*", "X":
+		return true
+	default:
+		return false
+	}
+}
+
+func rewriteRange(i string) string {
+	m := constraintRangeRegex.FindAllStringSubmatch(i, -1)
+	if m == nil {
+		return i
+	}
+	o := i
+	for _, v := range m {
+		t := fmt.Sprintf(">= %s, <= %s ", v[1], v[11])
+		o = strings.Replace(o, v[0], t, 1)
+	}
+
+	return o
+}
diff --git a/vendor/github.com/Masterminds/semver/v3/doc.go b/vendor/github.com/Masterminds/semver/v3/doc.go
new file mode 100644
index 0000000000000..74f97caa57f80
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/doc.go
@@ -0,0 +1,184 @@
+/*
+Package semver provides the ability to work with Semantic Versions (http://semver.org) in Go.
+
+Specifically it provides the ability to:
+
+  - Parse semantic versions
+  - Sort semantic versions
+  - Check if a semantic version fits within a set of constraints
+  - Optionally work with a `v` prefix
+
+# Parsing Semantic Versions
+
+There are two functions that can parse semantic versions. The `StrictNewVersion`
+function only parses valid version 2 semantic versions as outlined in the
+specification. The `NewVersion` function attempts to coerce a version into a
+semantic version and parse it. For example, if there is a leading v or a version
+listed without all 3 parts (e.g. 1.2) it will attempt to coerce it into a valid
+semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
+that can be sorted, compared, and used in constraints.
+
+When parsing a version an optional error can be returned if there is an issue
+parsing the version. For example,
+
+	v, err := semver.NewVersion("1.2.3-beta.1+b345")
+
+The version object has methods to get the parts of the version, compare it to
+other versions, convert the version back into a string, and get the original
+string. For more details please see the documentation
+at https://godoc.org/github.com/Masterminds/semver.
+
+# Sorting Semantic Versions
+
+A set of versions can be sorted using the `sort` package from the standard library.
+For example,
+
+	    raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
+	    vs := make([]*semver.Version, len(raw))
+		for i, r := range raw {
+			v, err := semver.NewVersion(r)
+			if err != nil {
+				t.Errorf("Error parsing version: %s", err)
+			}
+
+			vs[i] = v
+		}
+
+		sort.Sort(semver.Collection(vs))
+
+# Checking Version Constraints and Comparing Versions
+
+There are two methods for comparing versions. One uses comparison methods on
+`Version` instances and the other is using Constraints. There are some important
+differences to notes between these two methods of comparison.
+
+ 1. When two versions are compared using functions such as `Compare`, `LessThan`,
+    and others it will follow the specification and always include prereleases
+    within the comparison. It will provide an answer valid with the comparison
+    spec section at https://semver.org/#spec-item-11
+ 2. When constraint checking is used for checks or validation it will follow a
+    different set of rules that are common for ranges with tools like npm/js
+    and Rust/Cargo. This includes considering prereleases to be invalid if the
+    ranges does not include on. If you want to have it include pre-releases a
+    simple solution is to include `-0` in your range.
+ 3. Constraint ranges can have some complex rules including the shorthard use of
+    ~ and ^. For more details on those see the options below.
+
+There are differences between the two methods or checking versions because the
+comparison methods on `Version` follow the specification while comparison ranges
+are not part of the specification. Different packages and tools have taken it
+upon themselves to come up with range rules. This has resulted in differences.
+For example, npm/js and Cargo/Rust follow similar patterns which PHP has a
+different pattern for ^. The comparison features in this package follow the
+npm/js and Cargo/Rust lead because applications using it have followed similar
+patters with their versions.
+
+Checking a version against version constraints is one of the most featureful
+parts of the package.
+
+	c, err := semver.NewConstraint(">= 1.2.3")
+	if err != nil {
+	    // Handle constraint not being parsable.
+	}
+
+	v, err := semver.NewVersion("1.3")
+	if err != nil {
+	    // Handle version not being parsable.
+	}
+	// Check if the version meets the constraints. The a variable will be true.
+	a := c.Check(v)
+
+# Basic Comparisons
+
+There are two elements to the comparisons. First, a comparison string is a list
+of comma or space separated AND comparisons. These are then separated by || (OR)
+comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
+comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
+greater than or equal to 4.2.3. This can also be written as
+`">= 1.2, < 3.0.0 || >= 4.2.3"`
+
+The basic comparisons are:
+
+  - `=`: equal (aliased to no operator)
+  - `!=`: not equal
+  - `>`: greater than
+  - `<`: less than
+  - `>=`: greater than or equal to
+  - `<=`: less than or equal to
+
+# Hyphen Range Comparisons
+
+There are multiple methods to handle ranges and the first is hyphens ranges.
+These look like:
+
+  - `1.2 - 1.4.5` which is equivalent to `>= 1.2, <= 1.4.5`
+  - `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
+
+# Wildcards In Comparisons
+
+The `x`, `X`, and `*` characters can be used as a wildcard character. This works
+for all comparison operators. When used on the `=` operator it falls
+back to the tilde operation. For example,
+
+  - `1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
+  - `>= 1.2.x` is equivalent to `>= 1.2.0`
+  - `<= 2.x` is equivalent to `<= 3`
+  - `*` is equivalent to `>= 0.0.0`
+
+Tilde Range Comparisons (Patch)
+
+The tilde (`~`) comparison operator is for patch level ranges when a minor
+version is specified and major level changes when the minor number is missing.
+For example,
+
+  - `~1.2.3` is equivalent to `>= 1.2.3 < 1.3.0`
+  - `~1` is equivalent to `>= 1, < 2`
+  - `~2.3` is equivalent to `>= 2.3 < 2.4`
+  - `~1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
+  - `~1.x` is equivalent to `>= 1 < 2`
+
+Caret Range Comparisons (Major)
+
+The caret (`^`) comparison operator is for major level changes once a stable
+(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
+as the API stability level. This is useful when comparisons of API versions as a
+major change is API breaking. For example,
+
+  - `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
+  - `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
+  - `^2.3` is equivalent to `>= 2.3, < 3`
+  - `^2.x` is equivalent to `>= 2.0.0, < 3`
+  - `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
+  - `^0.2` is equivalent to `>=0.2.0 <0.3.0`
+  - `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
+  - `^0.0` is equivalent to `>=0.0.0 <0.1.0`
+  - `^0` is equivalent to `>=0.0.0 <1.0.0`
+
+# Validation
+
+In addition to testing a version against a constraint, a version can be validated
+against a constraint. When validation fails a slice of errors containing why a
+version didn't meet the constraint is returned. For example,
+
+	c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
+	if err != nil {
+	    // Handle constraint not being parseable.
+	}
+
+	v, _ := semver.NewVersion("1.3")
+	if err != nil {
+	    // Handle version not being parseable.
+	}
+
+	// Validate a version against a constraint.
+	a, msgs := c.Validate(v)
+	// a is false
+	for _, m := range msgs {
+	    fmt.Println(m)
+
+	    // Loops over the errors which would read
+	    // "1.3 is greater than 1.2.3"
+	    // "1.3 is less than 1.4"
+	}
+*/
+package semver
diff --git a/vendor/github.com/Masterminds/semver/v3/version.go b/vendor/github.com/Masterminds/semver/v3/version.go
new file mode 100644
index 0000000000000..7a3ba73887644
--- /dev/null
+++ b/vendor/github.com/Masterminds/semver/v3/version.go
@@ -0,0 +1,788 @@
+package semver
+
+import (
+	"bytes"
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+// The compiled version of the regex created at init() is cached here so it
+// only needs to be created once.
+var versionRegex *regexp.Regexp
+var looseVersionRegex *regexp.Regexp
+
+// CoerceNewVersion sets if leading 0's are allowd in the version part. Leading 0's are
+// not allowed in a valid semantic version. When set to true, NewVersion will coerce
+// leading 0's into a valid version.
+var CoerceNewVersion = true
+
+// DetailedNewVersionErrors specifies if detailed errors are returned from the NewVersion
+// function. This is used when CoerceNewVersion is set to false. If set to false
+// ErrInvalidSemVer is returned for an invalid version. This does not apply to
+// StrictNewVersion. Setting this function to false returns errors more quickly.
+var DetailedNewVersionErrors = true
+
+var (
+	// ErrInvalidSemVer is returned a version is found to be invalid when
+	// being parsed.
+	ErrInvalidSemVer = errors.New("invalid semantic version")
+
+	// ErrEmptyString is returned when an empty string is passed in for parsing.
+	ErrEmptyString = errors.New("version string empty")
+
+	// ErrInvalidCharacters is returned when invalid characters are found as
+	// part of a version
+	ErrInvalidCharacters = errors.New("invalid characters in version")
+
+	// ErrSegmentStartsZero is returned when a version segment starts with 0.
+	// This is invalid in SemVer.
+	ErrSegmentStartsZero = errors.New("version segment starts with 0")
+
+	// ErrInvalidMetadata is returned when the metadata is an invalid format
+	ErrInvalidMetadata = errors.New("invalid metadata string")
+
+	// ErrInvalidPrerelease is returned when the pre-release is an invalid format
+	ErrInvalidPrerelease = errors.New("invalid prerelease string")
+)
+
+// semVerRegex is the regular expression used to parse a semantic version.
+// This is not the official regex from the semver spec. It has been modified to allow for loose handling
+// where versions like 2.1 are detected.
+const semVerRegex string = `v?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?` +
+	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
+	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?`
+
+// looseSemVerRegex is a regular expression that lets invalid semver expressions through
+// with enough detail that certain errors can be checked for.
+const looseSemVerRegex string = `v?([0-9]+)(\.[0-9]+)?(\.[0-9]+)?` +
+	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
+	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
+
+// Version represents a single semantic version.
+type Version struct {
+	major, minor, patch uint64
+	pre                 string
+	metadata            string
+	original            string
+}
+
+func init() {
+	versionRegex = regexp.MustCompile("^" + semVerRegex + "$")
+	looseVersionRegex = regexp.MustCompile("^" + looseSemVerRegex + "$")
+}
+
+const (
+	num     string = "0123456789"
+	allowed string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" + num
+)
+
+// StrictNewVersion parses a given version and returns an instance of Version or
+// an error if unable to parse the version. Only parses valid semantic versions.
+// Performs checking that can find errors within the version.
+// If you want to coerce a version such as 1 or 1.2 and parse it as the 1.x
+// releases of semver did, use the NewVersion() function.
+func StrictNewVersion(v string) (*Version, error) {
+	// Parsing here does not use RegEx in order to increase performance and reduce
+	// allocations.
+
+	if len(v) == 0 {
+		return nil, ErrEmptyString
+	}
+
+	// Split the parts into [0]major, [1]minor, and [2]patch,prerelease,build
+	parts := strings.SplitN(v, ".", 3)
+	if len(parts) != 3 {
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		original: v,
+	}
+
+	// Extract build metadata
+	if strings.Contains(parts[2], "+") {
+		extra := strings.SplitN(parts[2], "+", 2)
+		sv.metadata = extra[1]
+		parts[2] = extra[0]
+		if err := validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	// Extract build prerelease
+	if strings.Contains(parts[2], "-") {
+		extra := strings.SplitN(parts[2], "-", 2)
+		sv.pre = extra[1]
+		parts[2] = extra[0]
+		if err := validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	// Validate the number segments are valid. This includes only having positive
+	// numbers and no leading 0's.
+	for _, p := range parts {
+		if !containsOnly(p, num) {
+			return nil, ErrInvalidCharacters
+		}
+
+		if len(p) > 1 && p[0] == '0' {
+			return nil, ErrSegmentStartsZero
+		}
+	}
+
+	// Extract major, minor, and patch
+	var err error
+	sv.major, err = strconv.ParseUint(parts[0], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	sv.minor, err = strconv.ParseUint(parts[1], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	sv.patch, err = strconv.ParseUint(parts[2], 10, 64)
+	if err != nil {
+		return nil, err
+	}
+
+	return sv, nil
+}
+
+// NewVersion parses a given version and returns an instance of Version or
+// an error if unable to parse the version. If the version is SemVer-ish it
+// attempts to convert it to SemVer. If you want  to validate it was a strict
+// semantic version at parse time see StrictNewVersion().
+func NewVersion(v string) (*Version, error) {
+	if CoerceNewVersion {
+		return coerceNewVersion(v)
+	}
+	m := versionRegex.FindStringSubmatch(v)
+	if m == nil {
+
+		// Disabling detailed errors is first so that it is in the fast path.
+		if !DetailedNewVersionErrors {
+			return nil, ErrInvalidSemVer
+		}
+
+		// Check for specific errors with the semver string and return a more detailed
+		// error.
+		m = looseVersionRegex.FindStringSubmatch(v)
+		if m == nil {
+			return nil, ErrInvalidSemVer
+		}
+		err := validateVersion(m)
+		if err != nil {
+			return nil, err
+		}
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		metadata: m[5],
+		pre:      m[4],
+		original: v,
+	}
+
+	var err error
+	sv.major, err = strconv.ParseUint(m[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing version segment: %w", err)
+	}
+
+	if m[2] != "" {
+		sv.minor, err = strconv.ParseUint(m[2], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.minor = 0
+	}
+
+	if m[3] != "" {
+		sv.patch, err = strconv.ParseUint(m[3], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.patch = 0
+	}
+
+	// Perform some basic due diligence on the extra parts to ensure they are
+	// valid.
+
+	if sv.pre != "" {
+		if err = validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	if sv.metadata != "" {
+		if err = validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	return sv, nil
+}
+
+func coerceNewVersion(v string) (*Version, error) {
+	m := looseVersionRegex.FindStringSubmatch(v)
+	if m == nil {
+		return nil, ErrInvalidSemVer
+	}
+
+	sv := &Version{
+		metadata: m[8],
+		pre:      m[5],
+		original: v,
+	}
+
+	var err error
+	sv.major, err = strconv.ParseUint(m[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing version segment: %w", err)
+	}
+
+	if m[2] != "" {
+		sv.minor, err = strconv.ParseUint(strings.TrimPrefix(m[2], "."), 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.minor = 0
+	}
+
+	if m[3] != "" {
+		sv.patch, err = strconv.ParseUint(strings.TrimPrefix(m[3], "."), 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing version segment: %w", err)
+		}
+	} else {
+		sv.patch = 0
+	}
+
+	// Perform some basic due diligence on the extra parts to ensure they are
+	// valid.
+
+	if sv.pre != "" {
+		if err = validatePrerelease(sv.pre); err != nil {
+			return nil, err
+		}
+	}
+
+	if sv.metadata != "" {
+		if err = validateMetadata(sv.metadata); err != nil {
+			return nil, err
+		}
+	}
+
+	return sv, nil
+}
+
+// New creates a new instance of Version with each of the parts passed in as
+// arguments instead of parsing a version string.
+func New(major, minor, patch uint64, pre, metadata string) *Version {
+	v := Version{
+		major:    major,
+		minor:    minor,
+		patch:    patch,
+		pre:      pre,
+		metadata: metadata,
+		original: "",
+	}
+
+	v.original = v.String()
+
+	return &v
+}
+
+// MustParse parses a given version and panics on error.
+func MustParse(v string) *Version {
+	sv, err := NewVersion(v)
+	if err != nil {
+		panic(err)
+	}
+	return sv
+}
+
+// String converts a Version object to a string.
+// Note, if the original version contained a leading v this version will not.
+// See the Original() method to retrieve the original value. Semantic Versions
+// don't contain a leading v per the spec. Instead it's optional on
+// implementation.
+func (v Version) String() string {
+	var buf bytes.Buffer
+
+	fmt.Fprintf(&buf, "%d.%d.%d", v.major, v.minor, v.patch)
+	if v.pre != "" {
+		fmt.Fprintf(&buf, "-%s", v.pre)
+	}
+	if v.metadata != "" {
+		fmt.Fprintf(&buf, "+%s", v.metadata)
+	}
+
+	return buf.String()
+}
+
+// Original returns the original value passed in to be parsed.
+func (v *Version) Original() string {
+	return v.original
+}
+
+// Major returns the major version.
+func (v Version) Major() uint64 {
+	return v.major
+}
+
+// Minor returns the minor version.
+func (v Version) Minor() uint64 {
+	return v.minor
+}
+
+// Patch returns the patch version.
+func (v Version) Patch() uint64 {
+	return v.patch
+}
+
+// Prerelease returns the pre-release version.
+func (v Version) Prerelease() string {
+	return v.pre
+}
+
+// Metadata returns the metadata on the version.
+func (v Version) Metadata() string {
+	return v.metadata
+}
+
+// originalVPrefix returns the original 'v' prefix if any.
+func (v Version) originalVPrefix() string {
+	// Note, only lowercase v is supported as a prefix by the parser.
+	if v.original != "" && v.original[:1] == "v" {
+		return v.original[:1]
+	}
+	return ""
+}
+
+// IncPatch produces the next patch version.
+// If the current version does not have prerelease/metadata information,
+// it unsets metadata and prerelease values, increments patch number.
+// If the current version has any of prerelease or metadata information,
+// it unsets both values and keeps current patch value
+func (v Version) IncPatch() Version {
+	vNext := v
+	// according to http://semver.org/#spec-item-9
+	// Pre-release versions have a lower precedence than the associated normal version.
+	// according to http://semver.org/#spec-item-10
+	// Build metadata SHOULD be ignored when determining version precedence.
+	if v.pre != "" {
+		vNext.metadata = ""
+		vNext.pre = ""
+	} else {
+		vNext.metadata = ""
+		vNext.pre = ""
+		vNext.patch = v.patch + 1
+	}
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// IncMinor produces the next minor version.
+// Sets patch to 0.
+// Increments minor number.
+// Unsets metadata.
+// Unsets prerelease status.
+func (v Version) IncMinor() Version {
+	vNext := v
+	vNext.metadata = ""
+	vNext.pre = ""
+	vNext.patch = 0
+	vNext.minor = v.minor + 1
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// IncMajor produces the next major version.
+// Sets patch to 0.
+// Sets minor to 0.
+// Increments major number.
+// Unsets metadata.
+// Unsets prerelease status.
+func (v Version) IncMajor() Version {
+	vNext := v
+	vNext.metadata = ""
+	vNext.pre = ""
+	vNext.patch = 0
+	vNext.minor = 0
+	vNext.major = v.major + 1
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext
+}
+
+// SetPrerelease defines the prerelease value.
+// Value must not include the required 'hyphen' prefix.
+func (v Version) SetPrerelease(prerelease string) (Version, error) {
+	vNext := v
+	if len(prerelease) > 0 {
+		if err := validatePrerelease(prerelease); err != nil {
+			return vNext, err
+		}
+	}
+	vNext.pre = prerelease
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext, nil
+}
+
+// SetMetadata defines metadata value.
+// Value must not include the required 'plus' prefix.
+func (v Version) SetMetadata(metadata string) (Version, error) {
+	vNext := v
+	if len(metadata) > 0 {
+		if err := validateMetadata(metadata); err != nil {
+			return vNext, err
+		}
+	}
+	vNext.metadata = metadata
+	vNext.original = v.originalVPrefix() + "" + vNext.String()
+	return vNext, nil
+}
+
+// LessThan tests if one version is less than another one.
+func (v *Version) LessThan(o *Version) bool {
+	return v.Compare(o) < 0
+}
+
+// LessThanEqual tests if one version is less or equal than another one.
+func (v *Version) LessThanEqual(o *Version) bool {
+	return v.Compare(o) <= 0
+}
+
+// GreaterThan tests if one version is greater than another one.
+func (v *Version) GreaterThan(o *Version) bool {
+	return v.Compare(o) > 0
+}
+
+// GreaterThanEqual tests if one version is greater or equal than another one.
+func (v *Version) GreaterThanEqual(o *Version) bool {
+	return v.Compare(o) >= 0
+}
+
+// Equal tests if two versions are equal to each other.
+// Note, versions can be equal with different metadata since metadata
+// is not considered part of the comparable version.
+func (v *Version) Equal(o *Version) bool {
+	if v == o {
+		return true
+	}
+	if v == nil || o == nil {
+		return false
+	}
+	return v.Compare(o) == 0
+}
+
+// Compare compares this version to another one. It returns -1, 0, or 1 if
+// the version smaller, equal, or larger than the other version.
+//
+// Versions are compared by X.Y.Z. Build metadata is ignored. Prerelease is
+// lower than the version without a prerelease. Compare always takes into account
+// prereleases. If you want to work with ranges using typical range syntaxes that
+// skip prereleases if the range is not looking for them use constraints.
+func (v *Version) Compare(o *Version) int {
+	// Compare the major, minor, and patch version for differences. If a
+	// difference is found return the comparison.
+	if d := compareSegment(v.Major(), o.Major()); d != 0 {
+		return d
+	}
+	if d := compareSegment(v.Minor(), o.Minor()); d != 0 {
+		return d
+	}
+	if d := compareSegment(v.Patch(), o.Patch()); d != 0 {
+		return d
+	}
+
+	// At this point the major, minor, and patch versions are the same.
+	ps := v.pre
+	po := o.Prerelease()
+
+	if ps == "" && po == "" {
+		return 0
+	}
+	if ps == "" {
+		return 1
+	}
+	if po == "" {
+		return -1
+	}
+
+	return comparePrerelease(ps, po)
+}
+
+// UnmarshalJSON implements JSON.Unmarshaler interface.
+func (v *Version) UnmarshalJSON(b []byte) error {
+	var s string
+	if err := json.Unmarshal(b, &s); err != nil {
+		return err
+	}
+	temp, err := NewVersion(s)
+	if err != nil {
+		return err
+	}
+	v.major = temp.major
+	v.minor = temp.minor
+	v.patch = temp.patch
+	v.pre = temp.pre
+	v.metadata = temp.metadata
+	v.original = temp.original
+	return nil
+}
+
+// MarshalJSON implements JSON.Marshaler interface.
+func (v Version) MarshalJSON() ([]byte, error) {
+	return json.Marshal(v.String())
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface.
+func (v *Version) UnmarshalText(text []byte) error {
+	temp, err := NewVersion(string(text))
+	if err != nil {
+		return err
+	}
+
+	*v = *temp
+
+	return nil
+}
+
+// MarshalText implements the encoding.TextMarshaler interface.
+func (v Version) MarshalText() ([]byte, error) {
+	return []byte(v.String()), nil
+}
+
+// Scan implements the SQL.Scanner interface.
+func (v *Version) Scan(value interface{}) error {
+	var s string
+	s, _ = value.(string)
+	temp, err := NewVersion(s)
+	if err != nil {
+		return err
+	}
+	v.major = temp.major
+	v.minor = temp.minor
+	v.patch = temp.patch
+	v.pre = temp.pre
+	v.metadata = temp.metadata
+	v.original = temp.original
+	return nil
+}
+
+// Value implements the Driver.Valuer interface.
+func (v Version) Value() (driver.Value, error) {
+	return v.String(), nil
+}
+
+func compareSegment(v, o uint64) int {
+	if v < o {
+		return -1
+	}
+	if v > o {
+		return 1
+	}
+
+	return 0
+}
+
+func comparePrerelease(v, o string) int {
+	// split the prelease versions by their part. The separator, per the spec,
+	// is a .
+	sparts := strings.Split(v, ".")
+	oparts := strings.Split(o, ".")
+
+	// Find the longer length of the parts to know how many loop iterations to
+	// go through.
+	slen := len(sparts)
+	olen := len(oparts)
+
+	l := slen
+	if olen > slen {
+		l = olen
+	}
+
+	// Iterate over each part of the prereleases to compare the differences.
+	for i := 0; i < l; i++ {
+		// Since the lentgh of the parts can be different we need to create
+		// a placeholder. This is to avoid out of bounds issues.
+		stemp := ""
+		if i < slen {
+			stemp = sparts[i]
+		}
+
+		otemp := ""
+		if i < olen {
+			otemp = oparts[i]
+		}
+
+		d := comparePrePart(stemp, otemp)
+		if d != 0 {
+			return d
+		}
+	}
+
+	// Reaching here means two versions are of equal value but have different
+	// metadata (the part following a +). They are not identical in string form
+	// but the version comparison finds them to be equal.
+	return 0
+}
+
+func comparePrePart(s, o string) int {
+	// Fastpath if they are equal
+	if s == o {
+		return 0
+	}
+
+	// When s or o are empty we can use the other in an attempt to determine
+	// the response.
+	if s == "" {
+		if o != "" {
+			return -1
+		}
+		return 1
+	}
+
+	if o == "" {
+		if s != "" {
+			return 1
+		}
+		return -1
+	}
+
+	// When comparing strings "99" is greater than "103". To handle
+	// cases like this we need to detect numbers and compare them. According
+	// to the semver spec, numbers are always positive. If there is a - at the
+	// start like -99 this is to be evaluated as an alphanum. numbers always
+	// have precedence over alphanum. Parsing as Uints because negative numbers
+	// are ignored.
+
+	oi, n1 := strconv.ParseUint(o, 10, 64)
+	si, n2 := strconv.ParseUint(s, 10, 64)
+
+	// The case where both are strings compare the strings
+	if n1 != nil && n2 != nil {
+		if s > o {
+			return 1
+		}
+		return -1
+	} else if n1 != nil {
+		// o is a string and s is a number
+		return -1
+	} else if n2 != nil {
+		// s is a string and o is a number
+		return 1
+	}
+	// Both are numbers
+	if si > oi {
+		return 1
+	}
+	return -1
+}
+
+// Like strings.ContainsAny but does an only instead of any.
+func containsOnly(s string, comp string) bool {
+	return strings.IndexFunc(s, func(r rune) bool {
+		return !strings.ContainsRune(comp, r)
+	}) == -1
+}
+
+// From the spec, "Identifiers MUST comprise only
+// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty.
+// Numeric identifiers MUST NOT include leading zeroes.". These segments can
+// be dot separated.
+func validatePrerelease(p string) error {
+	eparts := strings.Split(p, ".")
+	for _, p := range eparts {
+		if p == "" {
+			return ErrInvalidPrerelease
+		} else if containsOnly(p, num) {
+			if len(p) > 1 && p[0] == '0' {
+				return ErrSegmentStartsZero
+			}
+		} else if !containsOnly(p, allowed) {
+			return ErrInvalidPrerelease
+		}
+	}
+
+	return nil
+}
+
+// From the spec, "Build metadata MAY be denoted by
+// appending a plus sign and a series of dot separated identifiers immediately
+// following the patch or pre-release version. Identifiers MUST comprise only
+// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty."
+func validateMetadata(m string) error {
+	eparts := strings.Split(m, ".")
+	for _, p := range eparts {
+		if p == "" {
+			return ErrInvalidMetadata
+		} else if !containsOnly(p, allowed) {
+			return ErrInvalidMetadata
+		}
+	}
+	return nil
+}
+
+// validateVersion checks for common validation issues but may not catch all errors
+func validateVersion(m []string) error {
+	var err error
+	var v string
+	if m[1] != "" {
+		if len(m[1]) > 1 && m[1][0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(m[1], 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[2] != "" {
+		v = strings.TrimPrefix(m[2], ".")
+		if len(v) > 1 && v[0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(v, 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[3] != "" {
+		v = strings.TrimPrefix(m[3], ".")
+		if len(v) > 1 && v[0] == '0' {
+			return ErrSegmentStartsZero
+		}
+		_, err = strconv.ParseUint(v, 10, 64)
+		if err != nil {
+			return fmt.Errorf("error parsing version segment: %w", err)
+		}
+	}
+
+	if m[5] != "" {
+		if err = validatePrerelease(m[5]); err != nil {
+			return err
+		}
+	}
+
+	if m[8] != "" {
+		if err = validateMetadata(m[8]); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/Microsoft/hnslib/hcn/hcnglobals.go b/vendor/github.com/Microsoft/hnslib/hcn/hcnglobals.go
index fb74386242678..d9322caab66c5 100644
--- a/vendor/github.com/Microsoft/hnslib/hcn/hcnglobals.go
+++ b/vendor/github.com/Microsoft/hnslib/hcn/hcnglobals.go
@@ -90,6 +90,7 @@ var (
 	// HNS 15.5+ allows for Modify Loadbalancer support in Zn
 	ModifyLoadbalancerVersion = VersionRanges{
 		VersionRange{MinVersion: Version{Major: 15, Minor: 5}, MaxVersion: Version{Major: 15, Minor: math.MaxInt32}},
+		VersionRange{MinVersion: Version{Major: 16, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}},
 	}
 	// HNS 15.4 allows for Accelnet support
 	AccelnetVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 15, Minor: 4}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
diff --git a/vendor/github.com/Microsoft/hnslib/hcn/hcnnetwork.go b/vendor/github.com/Microsoft/hnslib/hcn/hcnnetwork.go
index f3f02c0d01927..c991c74e1e739 100644
--- a/vendor/github.com/Microsoft/hnslib/hcn/hcnnetwork.go
+++ b/vendor/github.com/Microsoft/hnslib/hcn/hcnnetwork.go
@@ -11,6 +11,15 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// SubnetFlags represents the flags that can be set on a subnet
+type SubnetFlags uint32
+
+// SubnetFlags constants (based on HNS API documentation)
+const (
+	SubnetFlagsNone                       SubnetFlags = 0
+	SubnetFlagsDoNotReserveGatewayAddress SubnetFlags = 1 // This flag is needed to support scenario  GatewayAddress == ManagementIP
+)
+
 // Route is associated with a subnet.
 type Route struct {
 	NextHop           string `json:",omitempty"`
@@ -23,6 +32,7 @@ type Subnet struct {
 	IpAddressPrefix string            `json:",omitempty"`
 	Policies        []json.RawMessage `json:",omitempty"`
 	Routes          []Route           `json:",omitempty"`
+	Flags           SubnetFlags       `json:",omitempty"`
 }
 
 // Ipam (Internet Protocol Address Management) is associated with a network
diff --git a/vendor/github.com/Microsoft/hnslib/hcn/hcnsupport.go b/vendor/github.com/Microsoft/hnslib/hcn/hcnsupport.go
index a50a9678dde0c..cdde9c0750170 100644
--- a/vendor/github.com/Microsoft/hnslib/hcn/hcnsupport.go
+++ b/vendor/github.com/Microsoft/hnslib/hcn/hcnsupport.go
@@ -3,9 +3,9 @@
 package hcn
 
 import (
+	"fmt"
 	"sync"
 
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
@@ -87,7 +87,7 @@ func getSupportedFeatures() (SupportedFeatures, error) {
 	globals, err := GetGlobals()
 	if err != nil {
 		// It's expected if this fails once, it should always fail. It should fail on pre 1803 builds for example.
-		return SupportedFeatures{}, errors.Wrap(err, "failed to query HCN version number: this is expected on pre 1803 builds.")
+		return SupportedFeatures{}, fmt.Errorf("failed to query HCN version number (this is expected on pre 1803 builds): %w", err)
 	}
 	features.Acl = AclFeatures{
 		AclAddressLists:       isFeatureSupported(globals.Version, HNSVersion1803),
diff --git a/vendor/github.com/containerd/ttrpc/metadata.go b/vendor/github.com/containerd/ttrpc/metadata.go
index ce8c0d13c41b5..6e00424874292 100644
--- a/vendor/github.com/containerd/ttrpc/metadata.go
+++ b/vendor/github.com/containerd/ttrpc/metadata.go
@@ -62,6 +62,34 @@ func (m MD) Append(key string, values ...string) {
 	}
 }
 
+// Clone returns a copy of MD or nil if it's nil.
+// It's copied from golang's `http.Header.Clone` implementation:
+// https://cs.opensource.google/go/go/+/refs/tags/go1.23.4:src/net/http/header.go;l=94
+func (m MD) Clone() MD {
+	if m == nil {
+		return nil
+	}
+
+	// Find total number of values.
+	nv := 0
+	for _, vv := range m {
+		nv += len(vv)
+	}
+	sv := make([]string, nv) // shared backing array for headers' values
+	m2 := make(MD, len(m))
+	for k, vv := range m {
+		if vv == nil {
+			// Preserve nil values.
+			m2[k] = nil
+			continue
+		}
+		n := copy(sv, vv)
+		m2[k] = sv[:n:n]
+		sv = sv[n:]
+	}
+	return m2
+}
+
 func (m MD) setRequest(r *Request) {
 	for k, values := range m {
 		for _, v := range values {
diff --git a/vendor/github.com/containerd/ttrpc/server.go b/vendor/github.com/containerd/ttrpc/server.go
index 26419831dac6e..bb71de677b0b9 100644
--- a/vendor/github.com/containerd/ttrpc/server.go
+++ b/vendor/github.com/containerd/ttrpc/server.go
@@ -74,9 +74,18 @@ func (s *Server) RegisterService(name string, desc *ServiceDesc) {
 }
 
 func (s *Server) Serve(ctx context.Context, l net.Listener) error {
-	s.addListener(l)
+	s.mu.Lock()
+	s.addListenerLocked(l)
 	defer s.closeListener(l)
 
+	select {
+	case <-s.done:
+		s.mu.Unlock()
+		return ErrServerClosed
+	default:
+	}
+	s.mu.Unlock()
+
 	var (
 		backoff    time.Duration
 		handshaker = s.config.handshaker
@@ -188,9 +197,7 @@ func (s *Server) Close() error {
 	return err
 }
 
-func (s *Server) addListener(l net.Listener) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+func (s *Server) addListenerLocked(l net.Listener) {
 	s.listeners[l] = struct{}{}
 }
 
diff --git a/vendor/github.com/containerd/typeurl/v2/types.go b/vendor/github.com/containerd/typeurl/v2/types.go
index efc405ddd4865..9bf78104165e9 100644
--- a/vendor/github.com/containerd/typeurl/v2/types.go
+++ b/vendor/github.com/containerd/typeurl/v2/types.go
@@ -39,7 +39,7 @@ type handler interface {
 	Marshaller(interface{}) func() ([]byte, error)
 	Unmarshaller(interface{}) func([]byte) error
 	TypeURL(interface{}) string
-	GetType(url string) reflect.Type
+	GetType(url string) (reflect.Type, bool)
 }
 
 // Definitions of common error types used throughout typeurl.
@@ -240,7 +240,7 @@ func MarshalAnyToProto(from interface{}) (*anypb.Any, error) {
 }
 
 func unmarshal(typeURL string, value []byte, v interface{}) (interface{}, error) {
-	t, err := getTypeByUrl(typeURL)
+	t, isProto, err := getTypeByUrl(typeURL)
 	if err != nil {
 		return nil, err
 	}
@@ -258,14 +258,16 @@ func unmarshal(typeURL string, value []byte, v interface{}) (interface{}, error)
 		}
 	}
 
-	pm, ok := v.(proto.Message)
-	if ok {
-		return v, proto.Unmarshal(value, pm)
-	}
+	if isProto {
+		pm, ok := v.(proto.Message)
+		if ok {
+			return v, proto.Unmarshal(value, pm)
+		}
 
-	for _, h := range handlers {
-		if unmarshal := h.Unmarshaller(v); unmarshal != nil {
-			return v, unmarshal(value)
+		for _, h := range handlers {
+			if unmarshal := h.Unmarshaller(v); unmarshal != nil {
+				return v, unmarshal(value)
+			}
 		}
 	}
 
@@ -273,12 +275,12 @@ func unmarshal(typeURL string, value []byte, v interface{}) (interface{}, error)
 	return v, json.Unmarshal(value, v)
 }
 
-func getTypeByUrl(url string) (reflect.Type, error) {
+func getTypeByUrl(url string) (_ reflect.Type, isProto bool, _ error) {
 	mu.RLock()
 	for t, u := range registry {
 		if u == url {
 			mu.RUnlock()
-			return t, nil
+			return t, false, nil
 		}
 	}
 	mu.RUnlock()
@@ -286,15 +288,15 @@ func getTypeByUrl(url string) (reflect.Type, error) {
 	if err != nil {
 		if errors.Is(err, protoregistry.NotFound) {
 			for _, h := range handlers {
-				if t := h.GetType(url); t != nil {
-					return t, nil
+				if t, isProto := h.GetType(url); t != nil {
+					return t, isProto, nil
 				}
 			}
 		}
-		return nil, fmt.Errorf("type with url %s: %w", url, ErrNotFound)
+		return nil, false, fmt.Errorf("type with url %s: %w", url, ErrNotFound)
 	}
 	empty := mt.New().Interface()
-	return reflect.TypeOf(empty).Elem(), nil
+	return reflect.TypeOf(empty).Elem(), true, nil
 }
 
 func tryDereference(v interface{}) reflect.Type {
diff --git a/vendor/github.com/containerd/typeurl/v2/types_gogo.go b/vendor/github.com/containerd/typeurl/v2/types_gogo.go
index fa293323befb0..adb892ec60cc5 100644
--- a/vendor/github.com/containerd/typeurl/v2/types_gogo.go
+++ b/vendor/github.com/containerd/typeurl/v2/types_gogo.go
@@ -59,10 +59,10 @@ func (gogoHandler) TypeURL(v interface{}) string {
 	return gogoproto.MessageName(pm)
 }
 
-func (gogoHandler) GetType(url string) reflect.Type {
+func (gogoHandler) GetType(url string) (reflect.Type, bool) {
 	t := gogoproto.MessageType(url)
 	if t == nil {
-		return nil
+		return nil, false
 	}
-	return t.Elem()
+	return t.Elem(), true
 }
diff --git a/vendor/github.com/coredns/corefile-migration/migration/versions.go b/vendor/github.com/coredns/corefile-migration/migration/versions.go
index 94908ad9b5df6..38f118c2adb3d 100644
--- a/vendor/github.com/coredns/corefile-migration/migration/versions.go
+++ b/vendor/github.com/coredns/corefile-migration/migration/versions.go
@@ -30,7 +30,37 @@ type release struct {
 
 // Versions holds a map of plugin/option migrations per CoreDNS release (since 1.1.4)
 var Versions = map[string]release{
+	"1.13.1": {
+		priorVersion:   "1.13.0",
+		dockerImageSHA: "9b9128672209474da07c91439bf15ed704ae05ad918dd6454e5b6ae14e35fee6",
+		plugins:        plugins_1_13_0,
+	},
+	"1.13.0": {
+		nextVersion:    "1.13.1",
+		priorVersion:   "1.12.4",
+		dockerImageSHA: "da282c1983a1a330240e6e84eaec9b6120b0de0e7e29e92c44a6acd25f9e0238",
+		plugins:        plugins_1_13_0,
+	},
+	"1.12.4": {
+		nextVersion:    "1.13.0",
+		priorVersion:   "1.12.3",
+		dockerImageSHA: "986f04c2e15e147d00bdd51e8c51bcef3644b13ff806be7d2ff1b261d6dfbae1",
+		plugins:        plugins_1_12_0,
+	},
+	"1.12.3": {
+		nextVersion:    "1.12.4",
+		priorVersion:   "1.12.2",
+		dockerImageSHA: "1391544c978029fcddc65068f6ad67f396e55585b664ecccd7fefba029b9b706",
+		plugins:        plugins_1_12_0,
+	},
+	"1.12.2": {
+		nextVersion:    "1.12.3",
+		priorVersion:   "1.12.1",
+		dockerImageSHA: "af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d",
+		plugins:        plugins_1_12_0,
+	},
 	"1.12.1": {
+		nextVersion:    "1.12.2",
 		priorVersion:   "1.12.0",
 		dockerImageSHA: "e8c262566636e6bc340ece6473b0eed193cad045384401529721ddbe6463d31c",
 		plugins:        plugins_1_12_0,
@@ -781,6 +811,25 @@ var Versions = map[string]release{
 }`},
 }
 
+var plugins_1_13_0 = map[string]plugin{
+	"errors":       plugins["errors"]["v3"],
+	"log":          plugins["log"]["v1"],
+	"health":       plugins["health"]["v1"],
+	"ready":        {},
+	"autopath":     {},
+	"kubernetes":   plugins["kubernetes"]["v8"],
+	"k8s_external": plugins["k8s_external"]["v2"],
+	"prometheus":   {},
+	"forward":      plugins["forward"]["v5"], // add failfast_all_unhealthy_upstreams option
+	"cache":        plugins["cache"]["v4"],
+	"loop":         {},
+	"reload":       {},
+	"loadbalance":  {},
+	"hosts":        plugins["hosts"]["v1"],
+	"rewrite":      plugins["rewrite"]["v3"],
+	"transfer":     plugins["transfer"]["v1"],
+}
+
 var plugins_1_12_0 = map[string]plugin{
 	"errors":       plugins["errors"]["v3"],
 	"log":          plugins["log"]["v1"],
diff --git a/vendor/github.com/cyphar/filepath-securejoin/.golangci.yml b/vendor/github.com/cyphar/filepath-securejoin/.golangci.yml
new file mode 100644
index 0000000000000..3e8dd99bd7f82
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/.golangci.yml
@@ -0,0 +1,60 @@
+# SPDX-License-Identifier: MPL-2.0
+
+# Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
+# Copyright (C) 2025 SUSE LLC
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+version: "2"
+
+run:
+  build-tags:
+    - libpathrs
+
+linters:
+  enable:
+    - asasalint
+    - asciicheck
+    - containedctx
+    - contextcheck
+    - errcheck
+    - errorlint
+    - exhaustive
+    - forcetypeassert
+    - godot
+    - goprintffuncname
+    - govet
+    - importas
+    - ineffassign
+    - makezero
+    - misspell
+    - musttag
+    - nilerr
+    - nilnesserr
+    - nilnil
+    - noctx
+    - prealloc
+    - revive
+    - staticcheck
+    - testifylint
+    - unconvert
+    - unparam
+    - unused
+    - usetesting
+  settings:
+    govet:
+      enable:
+        - nilness
+    testifylint:
+      enable-all: true
+
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/cyphar/filepath-securejoin
diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
index ca0e3c62c76e6..734cf61e3226a 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
+++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
@@ -6,6 +6,208 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased] ##
 
+## [0.6.0] - 2025-11-03 ##
+
+> By the Power of Greyskull!
+
+While quite small code-wise, this release marks a very key point in the
+development of filepath-securejoin.
+
+filepath-securejoin was originally intended (back in 2017) to simply be a
+single-purpose library that would take some common code used in container
+runtimes (specifically, Docker's `FollowSymlinksInScope`) and make it more
+general-purpose (with the eventual goals of it ending up in the Go stdlib).
+
+Of course, I quickly discovered that this problem was actually far more
+complicated to solve when dealing with racing attackers, which lead to me
+developing `openat2(2)` and [libpathrs][]. I had originally planned for
+libpathrs to completely replace filepath-securejoin "once it was ready" but in
+the interim we needed to fix several race attacks in runc as part of security
+advisories. Obviously we couldn't require the usage of a pre-0.1 Rust library
+in runc so it was necessary to port bits of libpathrs into filepath-securejoin.
+(Ironically the first prototypes of libpathrs were originally written in Go and
+then rewritten to Rust, so the code in filepath-securejoin is actually Go code
+that was rewritten to Rust then re-rewritten to Go.)
+
+It then became clear that pure-Go libraries will likely not be willing to
+require CGo for all of their builds, so it was necessary to accept that
+filepath-securejoin will need to stay. As such, in v0.5.0 we provided more
+pure-Go implementations of features from libpathrs but moved them into
+`pathrs-lite` subpackage to clarify what purpose these helpers serve.
+
+This release finally closes the loop and makes it so that pathrs-lite can
+transparently use libpathrs (via a `libpathrs` build-tag). This means that
+upstream libraries can use the pure Go version if they prefer, but downstreams
+(either downstream library users or even downstream distributions) are able to
+migrate to libpathrs for all usages of pathrs-lite in an entire Go binary.
+
+I should make it clear that I do not plan to port the rest of libpathrs to Go,
+as I do not wish to maintain two copies of the same codebase. pathrs-lite
+already provides the core essentials necessary to operate on paths safely for
+most modern systems. Users who want additional hardening or more ergonomic APIs
+are free to use [`cyphar.com/go-pathrs`][go-pathrs] (libpathrs's Go bindings).
+
+[libpathrs]: https://github.com/cyphar/libpathrs
+[go-pathrs]: https://cyphar.com/go-pathrs
+
+### Breaking ###
+- The deprecated `MkdirAll`, `MkdirAllHandle`, `OpenInRoot`, `OpenatInRoot` and
+  `Reopen` wrappers have been removed. Please switch to using `pathrs-lite`
+  directly.
+
+### Added ###
+- `pathrs-lite` now has support for using [libpathrs][libpathrs] as a backend.
+  This is opt-in and can be enabled at build time with the `libpathrs` build
+  tag. The intention is to allow for downstream libraries and other projects to
+  make use of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite`
+  package and distributors can then opt-in to using `libpathrs` for the entire
+  binary if they wish.
+
+## [0.5.1] - 2025-10-31 ##
+
+> Spooky scary skeletons send shivers down your spine!
+
+### Changed ###
+- `openat2` can return `-EAGAIN` if it detects a possible attack in certain
+  scenarios (namely if there was a rename or mount while walking a path with a
+  `..` component). While this is necessary to avoid a denial-of-service in the
+  kernel, it does require retry loops in userspace.
+
+  In previous versions, `pathrs-lite` would retry `openat2` 32 times before
+  returning an error, but we've received user reports that this limit can be
+  hit on systems with very heavy load. In some synthetic benchmarks (testing
+  the worst-case of an attacker doing renames in a tight loop on every core of
+  a 16-core machine) we managed to get a ~3% failure rate in runc. We have
+  improved this situation in two ways:
+
+  * We have now increased this limit to 128, which should be good enough for
+    most use-cases without becoming a denial-of-service vector (the number of
+    syscalls called by the `O_PATH` resolver in a typical case is within the
+    same ballpark). The same benchmarks show a failure rate of ~0.12% which
+    (while not zero) is probably sufficient for most users.
+
+  * In addition, we now return a `unix.EAGAIN` error that is bubbled up and can
+    be detected by callers. This means that callers with stricter requirements
+    to avoid spurious errors can choose to do their own infinite `EAGAIN` retry
+    loop (though we would strongly recommend users use time-based deadlines in
+    such retry loops to avoid potentially unbounded denials-of-service).
+
+## [0.5.0] - 2025-09-26 ##
+
+> Let the past die. Kill it if you have to.
+
+> **NOTE**: With this release, some parts of
+> `github.com/cyphar/filepath-securejoin` are now licensed under the Mozilla
+> Public License (version 2). Please see [COPYING.md][] as well as the the
+> license header in each file for more details.
+
+[COPYING.md]: ./COPYING.md
+
+### Breaking ###
+- The new API introduced in the [0.3.0][] release has been moved to a new
+  subpackage called `pathrs-lite`. This was primarily done to better indicate
+  the split between the new and old APIs, as well as indicate to users the
+  purpose of this subpackage (it is a less complete version of [libpathrs][]).
+
+  We have added some wrappers to the top-level package to ease the transition,
+  but those are deprecated and will be removed in the next minor release of
+  filepath-securejoin. Users should update their import paths.
+
+  This new subpackage has also been relicensed under the Mozilla Public License
+  (version 2), please see [COPYING.md][] for more details.
+
+### Added ###
+- Most of the key bits the safe `procfs` API have now been exported and are
+  available in `github.com/cyphar/filepath-securejoin/pathrs-lite/procfs`. At
+  the moment this primarily consists of a new `procfs.Handle` API:
+
+   * `OpenProcRoot` returns a new handle to `/proc`, endeavouring to make it
+     safe if possible (`subset=pid` to protect against mistaken write attacks
+     and leaks, as well as using `fsopen(2)` to avoid racing mount attacks).
+
+     `OpenUnsafeProcRoot` returns a handle without attempting to create one
+     with `subset=pid`, which makes it more dangerous to leak. Most users
+     should use `OpenProcRoot` (even if you need to use `ProcRoot` as the base
+     of an operation, as filepath-securejoin will internally open a handle when
+     necessary).
+
+   * The `(*procfs.Handle).Open*` family of methods lets you get a safe
+     `O_PATH` handle to subpaths within `/proc` for certain subpaths.
+
+     For `OpenThreadSelf`, the returned `ProcThreadSelfCloser` needs to be
+     called after you completely finish using the handle (this is necessary
+     because Go is multi-threaded and `ProcThreadSelf` references
+     `/proc/thread-self` which may disappear if we do not
+     `runtime.LockOSThread` -- `ProcThreadSelfCloser` is currently equivalent
+     to `runtime.UnlockOSThread`).
+
+     Note that you cannot open any `procfs` symlinks (most notably magic-links)
+     using this API. At the moment, filepath-securejoin does not support this
+     feature (but [libpathrs][] does).
+
+   * `ProcSelfFdReadlink` lets you get the in-kernel path representation of a
+     file descriptor (think `readlink("/proc/self/fd/...")`), except that we
+     verify that there aren't any tricky overmounts that could fool the
+     process.
+
+     Please be aware that the returned string is simply a snapshot at that
+     particular moment, and an attacker could move the file being pointed to.
+     In addition, complex namespace configurations could result in non-sensical
+     or confusing paths to be returned. The value received from this function
+     should only be used as secondary verification of some security property,
+     not as proof that a particular handle has a particular path.
+
+  The procfs handle used internally by the API is the same as the rest of
+  `filepath-securejoin` (for privileged programs this is usually a private
+  in-process `procfs` instance created with `fsopen(2)`).
+
+  As before, this is intended as a stop-gap before users migrate to
+  [libpathrs][], which provides a far more extensive safe `procfs` API and is
+  generally more robust.
+
+- Previously, the hardened procfs implementation (used internally within
+  `Reopen` and `Open(at)InRoot`) only protected against overmount attacks on
+  systems with `openat2(2)` (Linux 5.6) or systems with `fsopen(2)` or
+  `open_tree(2)` (Linux 5.2) and programs with privileges to use them (with
+  some caveats about locked mounts that probably affect very few users). For
+  other users, an attacker with the ability to create malicious mounts (on most
+  systems, a sysadmin) could trick you into operating on files you didn't
+  expect. This attack only really makes sense in the context of container
+  runtime implementations.
+
+  This was considered a reasonable trade-off, as the long-term intention was to
+  get all users to just switch to [libpathrs][] if they wanted to use the safe
+  `procfs` API (which had more extensive protections, and is what these new
+  protections in `filepath-securejoin` are based on). However, as the API
+  is now being exported it seems unwise to advertise the API as "safe" if we do
+  not protect against known attacks.
+
+  The procfs API is now more protected against attackers on systems lacking the
+  aforementioned protections. However, the most comprehensive of these
+  protections effectively rely on [`statx(STATX_MNT_ID)`][statx.2] (Linux 5.8).
+  On older kernel versions, there is no effective protection (there is some
+  minimal protection against non-`procfs` filesystem components but a
+  sufficiently clever attacker can work around those). In addition,
+  `STATX_MNT_ID` is vulnerable to mount ID reuse attacks by sufficiently
+  motivated and privileged attackers -- this problem is mitigated with
+  `STATX_MNT_ID_UNIQUE` (Linux 6.8) but that raises the minimum kernel version
+  for more protection.
+
+  The fact that these protections are quite limited despite needing a fair bit
+  of extra code to handle was one of the primary reasons we did not initially
+  implement this in `filepath-securejoin` ([libpathrs][] supports all of this,
+  of course).
+
+### Fixed ###
+- RHEL 8 kernels have backports of `fsopen(2)` but in some testing we've found
+  that it has very bad (and very difficult to debug) performance issues, and so
+  we will explicitly refuse to use `fsopen(2)` if the running kernel version is
+  pre-5.2 and will instead fallback to `open("/proc")`.
+
+[CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+[libpathrs]: https://github.com/cyphar/libpathrs
+[statx.2]: https://www.man7.org/linux/man-pages/man2/statx.2.html
+
 ## [0.4.1] - 2025-01-28 ##
 
 ### Fixed ###
@@ -173,7 +375,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   safe to start migrating to as we have extensive tests ensuring they behave
   correctly and are safe against various races and other attacks.
 
-[libpathrs]: https://github.com/openSUSE/libpathrs
+[libpathrs]: https://github.com/cyphar/libpathrs
 [open.2]: https://www.man7.org/linux/man-pages/man2/open.2.html
 
 ## [0.2.5] - 2024-05-03 ##
@@ -238,7 +440,10 @@ This is our first release of `github.com/cyphar/filepath-securejoin`,
 containing a full implementation with a coverage of 93.5% (the only missing
 cases are the error cases, which are hard to mocktest at the moment).
 
-[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...HEAD
+[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.0...HEAD
+[0.6.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.1...v0.6.0
+[0.5.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.5.1
+[0.5.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...v0.5.0
 [0.4.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1
 [0.4.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.6...v0.4.0
 [0.3.6]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6
diff --git a/vendor/github.com/cyphar/filepath-securejoin/COPYING.md b/vendor/github.com/cyphar/filepath-securejoin/COPYING.md
new file mode 100644
index 0000000000000..520e822b18498
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/COPYING.md
@@ -0,0 +1,447 @@
+## COPYING ##
+
+`SPDX-License-Identifier: BSD-3-Clause AND MPL-2.0`
+
+This project is made up of code licensed under different licenses. Which code
+you use will have an impact on whether only one or both licenses apply to your
+usage of this library.
+
+Note that **each file** in this project individually has a code comment at the
+start describing the license of that particular file -- this is the most
+accurate license information of this project; in case there is any conflict
+between this document and the comment at the start of a file, the comment shall
+take precedence. The only purpose of this document is to work around [a known
+technical limitation of pkg.go.dev's license checking tool when dealing with
+non-trivial project licenses][go75067].
+
+[go75067]: https://go.dev/issue/75067
+
+### `BSD-3-Clause` ###
+
+At time of writing, the following files and directories are licensed under the
+BSD-3-Clause license:
+
+ * `doc.go`
+ * `join*.go`
+ * `vfs.go`
+ * `internal/consts/*.go`
+ * `pathrs-lite/internal/gocompat/*.go`
+ * `pathrs-lite/internal/kernelversion/*.go`
+
+The text of the BSD-3-Clause license used by this project is the following (the
+text is also available from the [`LICENSE.BSD`](./LICENSE.BSD) file):
+
+```
+Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+```
+
+### `MPL-2.0` ###
+
+All other files (unless otherwise marked) are licensed under the Mozilla Public
+License (version 2.0).
+
+The text of the Mozilla Public License (version 2.0) is the following (the text
+is also available from the [`LICENSE.MPL-2.0`](./LICENSE.MPL-2.0) file):
+
+```
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
+```
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD
similarity index 100%
rename from vendor/github.com/cyphar/filepath-securejoin/LICENSE
rename to vendor/github.com/cyphar/filepath-securejoin/LICENSE.BSD
diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0 b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0
new file mode 100644
index 0000000000000..d0a1fa1482eea
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE.MPL-2.0
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md
index eaeb53fcd0ab5..6673abfc842ae 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/README.md
+++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -67,7 +67,8 @@ func SecureJoin(root, unsafePath string) (string, error) {
 [libpathrs]: https://github.com/openSUSE/libpathrs
 [go#20126]: https://github.com/golang/go/issues/20126
 
-### New API ###
+### <a name="new-api" /> New API ###
+[#new-api]: #new-api
 
 While we recommend users switch to [libpathrs][libpathrs] as soon as it has a
 stable release, some methods implemented by libpathrs have been ported to this
@@ -165,5 +166,19 @@ after `MkdirAll`).
 
 ### License ###
 
-The license of this project is the same as Go, which is a BSD 3-clause license
-available in the `LICENSE` file.
+`SPDX-License-Identifier: BSD-3-Clause AND MPL-2.0`
+
+Some of the code in this project is derived from Go, and is licensed under a
+BSD 3-clause license (available in `LICENSE.BSD`). Other files (many of which
+are derived from [libpathrs][libpathrs]) are licensed under the Mozilla Public
+License version 2.0 (available in `LICENSE.MPL-2.0`). If you are using the
+["New API" described above][#new-api], you are probably using code from files
+released under this license.
+
+Every source file in this project has a copyright header describing its
+license. Please check the license headers of each file to see what license
+applies to it.
+
+See [COPYING.md](./COPYING.md) for some more details.
+
+[umoci]: https://github.com/opencontainers/umoci
diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION
index 267577d47e497..a918a2aa18d5b 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/VERSION
+++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -1 +1 @@
-0.4.1
+0.6.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/codecov.yml b/vendor/github.com/cyphar/filepath-securejoin/codecov.yml
new file mode 100644
index 0000000000000..ff284dbfaf950
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/codecov.yml
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: MPL-2.0
+
+# Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
+# Copyright (C) 2025 SUSE LLC
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+comment:
+  layout: "condensed_header, reach, diff, components, condensed_files, condensed_footer"
+  require_changes: true
+  branches:
+    - main
+
+coverage:
+  range: 60..100
+  status:
+    project:
+      default:
+        target: 85%
+        threshold: 0%
+    patch:
+      default:
+        target: auto
+        informational: true
+
+github_checks:
+  annotations: false
diff --git a/vendor/github.com/cyphar/filepath-securejoin/doc.go b/vendor/github.com/cyphar/filepath-securejoin/doc.go
index 1ec7d065ef41f..1438fc9c09c97 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/doc.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/doc.go
@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
 // Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
 // Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
@@ -14,14 +16,13 @@
 // **not** safe against race conditions where an attacker changes the
 // filesystem after (or during) the [SecureJoin] operation.
 //
-// The new API is made up of [OpenInRoot] and [MkdirAll] (and derived
-// functions). These are safe against racing attackers and have several other
-// protections that are not provided by the legacy API. There are many more
-// operations that most programs expect to be able to do safely, but we do not
-// provide explicit support for them because we want to encourage users to
-// switch to [libpathrs](https://github.com/openSUSE/libpathrs) which is a
-// cross-language next-generation library that is entirely designed around
-// operating on paths safely.
+// The new API is available in the [pathrs-lite] subpackage, and provide
+// protections against racing attackers as well as several other key
+// protections against attacks often seen by container runtimes. As the name
+// suggests, [pathrs-lite] is a stripped down (pure Go) reimplementation of
+// [libpathrs]. The main APIs provided are [OpenInRoot], [MkdirAll], and
+// [procfs.Handle] -- other APIs are not planned to be ported. The long-term
+// goal is for users to migrate to [libpathrs] which is more fully-featured.
 //
 // securejoin has been used by several container runtimes (Docker, runc,
 // Kubernetes, etc) for quite a few years as a de-facto standard for operating
@@ -31,9 +32,16 @@
 // API as soon as possible (or even better, switch to libpathrs).
 //
 // This project was initially intended to be included in the Go standard
-// library, but [it was rejected](https://go.dev/issue/20126). There is now a
-// [new Go proposal](https://go.dev/issue/67002) for a safe path resolution API
-// that shares some of the goals of filepath-securejoin. However, that design
-// is intended to work like `openat2(RESOLVE_BENEATH)` which does not fit the
-// usecase of container runtimes and most system tools.
+// library, but it was rejected (see https://go.dev/issue/20126). Much later,
+// [os.Root] was added to the Go stdlib that shares some of the goals of
+// filepath-securejoin. However, its design is intended to work like
+// openat2(RESOLVE_BENEATH) which does not fit the usecase of container
+// runtimes and most system tools.
+//
+// [pathrs-lite]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite
+// [libpathrs]: https://github.com/openSUSE/libpathrs
+// [OpenInRoot]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite#OpenInRoot
+// [MkdirAll]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite#MkdirAll
+// [procfs.Handle]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs#Handle
+// [os.Root]: https:///pkg.go.dev/os#Root
 package securejoin
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
deleted file mode 100644
index 42452bbf9b0b6..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go
+++ /dev/null
@@ -1,18 +0,0 @@
-//go:build linux && go1.20
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"fmt"
-)
-
-// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
-// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
-// is only guaranteed to give you baseErr.
-func wrapBaseError(baseErr, extraErr error) error {
-	return fmt.Errorf("%w: %w", extraErr, baseErr)
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
deleted file mode 100644
index ddd6fa9a41c55..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go
+++ /dev/null
@@ -1,32 +0,0 @@
-//go:build linux && go1.21
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"slices"
-	"sync"
-)
-
-func slices_DeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
-	return slices.DeleteFunc(slice, delFn)
-}
-
-func slices_Contains[S ~[]E, E comparable](slice S, val E) bool {
-	return slices.Contains(slice, val)
-}
-
-func slices_Clone[S ~[]E, E any](slice S) S {
-	return slices.Clone(slice)
-}
-
-func sync_OnceValue[T any](f func() T) func() T {
-	return sync.OnceValue(f)
-}
-
-func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
-	return sync.OnceValues(f)
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
deleted file mode 100644
index f1e6fe7e717b0..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go
+++ /dev/null
@@ -1,124 +0,0 @@
-//go:build linux && !go1.21
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"sync"
-)
-
-// These are very minimal implementations of functions that appear in Go 1.21's
-// stdlib, included so that we can build on older Go versions. Most are
-// borrowed directly from the stdlib, and a few are modified to be "obviously
-// correct" without needing to copy too many other helpers.
-
-// clearSlice is equivalent to the builtin clear from Go 1.21.
-// Copied from the Go 1.24 stdlib implementation.
-func clearSlice[S ~[]E, E any](slice S) {
-	var zero E
-	for i := range slice {
-		slice[i] = zero
-	}
-}
-
-// Copied from the Go 1.24 stdlib implementation.
-func slices_IndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
-	for i := range s {
-		if f(s[i]) {
-			return i
-		}
-	}
-	return -1
-}
-
-// Copied from the Go 1.24 stdlib implementation.
-func slices_DeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
-	i := slices_IndexFunc(s, del)
-	if i == -1 {
-		return s
-	}
-	// Don't start copying elements until we find one to delete.
-	for j := i + 1; j < len(s); j++ {
-		if v := s[j]; !del(v) {
-			s[i] = v
-			i++
-		}
-	}
-	clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC
-	return s[:i]
-}
-
-// Similar to the stdlib slices.Contains, except that we don't have
-// slices.Index so we need to use slices.IndexFunc for this non-Func helper.
-func slices_Contains[S ~[]E, E comparable](s S, v E) bool {
-	return slices_IndexFunc(s, func(e E) bool { return e == v }) >= 0
-}
-
-// Copied from the Go 1.24 stdlib implementation.
-func slices_Clone[S ~[]E, E any](s S) S {
-	// Preserve nil in case it matters.
-	if s == nil {
-		return nil
-	}
-	return append(S([]E{}), s...)
-}
-
-// Copied from the Go 1.24 stdlib implementation.
-func sync_OnceValue[T any](f func() T) func() T {
-	var (
-		once   sync.Once
-		valid  bool
-		p      any
-		result T
-	)
-	g := func() {
-		defer func() {
-			p = recover()
-			if !valid {
-				panic(p)
-			}
-		}()
-		result = f()
-		f = nil
-		valid = true
-	}
-	return func() T {
-		once.Do(g)
-		if !valid {
-			panic(p)
-		}
-		return result
-	}
-}
-
-// Copied from the Go 1.24 stdlib implementation.
-func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
-	var (
-		once  sync.Once
-		valid bool
-		p     any
-		r1    T1
-		r2    T2
-	)
-	g := func() {
-		defer func() {
-			p = recover()
-			if !valid {
-				panic(p)
-			}
-		}()
-		r1, r2 = f()
-		f = nil
-		valid = true
-	}
-	return func() (T1, T2) {
-		once.Do(g)
-		if !valid {
-			panic(p)
-		}
-		return r1, r2
-	}
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
new file mode 100644
index 0000000000000..c69c4da91eea2
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/internal/consts/consts.go
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package consts contains the definitions of internal constants used
+// throughout filepath-securejoin.
+package consts
+
+// MaxSymlinkLimit is the maximum number of symlinks that can be encountered
+// during a single lookup before returning -ELOOP. At time of writing, Linux
+// has an internal limit of 40.
+const MaxSymlinkLimit = 255
diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
index e6634d4778f8a..199c1d8392472 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/join.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
 // Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
 // Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
@@ -11,9 +13,9 @@ import (
 	"path/filepath"
 	"strings"
 	"syscall"
-)
 
-const maxSymlinkLimit = 255
+	"github.com/cyphar/filepath-securejoin/internal/consts"
+)
 
 // IsNotExist tells you if err is an error that implies that either the path
 // accessed does not exist (or path components don't exist). This is
@@ -49,12 +51,13 @@ func hasDotDot(path string) bool {
 	return strings.Contains("/"+path+"/", "/../")
 }
 
-// SecureJoinVFS joins the two given path components (similar to [filepath.Join]) except
-// that the returned path is guaranteed to be scoped inside the provided root
-// path (when evaluated). Any symbolic links in the path are evaluated with the
-// given root treated as the root of the filesystem, similar to a chroot. The
-// filesystem state is evaluated through the given [VFS] interface (if nil, the
-// standard [os].* family of functions are used).
+// SecureJoinVFS joins the two given path components (similar to
+// [filepath.Join]) except that the returned path is guaranteed to be scoped
+// inside the provided root path (when evaluated). Any symbolic links in the
+// path are evaluated with the given root treated as the root of the
+// filesystem, similar to a chroot. The filesystem state is evaluated through
+// the given [VFS] interface (if nil, the standard [os].* family of functions
+// are used).
 //
 // Note that the guarantees provided by this function only apply if the path
 // components in the returned string are not modified (in other words are not
@@ -78,7 +81,7 @@ func hasDotDot(path string) bool {
 // fully resolved using [filepath.EvalSymlinks] or otherwise constructed to
 // avoid containing symlink components. Of course, the root also *must not* be
 // attacker-controlled.
-func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
+func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) { //nolint:revive // name is part of public API
 	// The root path must not contain ".." components, otherwise when we join
 	// the subpath we will end up with a weird path. We could work around this
 	// in other ways but users shouldn't be giving us non-lexical root paths in
@@ -138,7 +141,7 @@ func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
 		// It's a symlink, so get its contents and expand it by prepending it
 		// to the yet-unparsed path.
 		linksWalked++
-		if linksWalked > maxSymlinkLimit {
+		if linksWalked > consts.MaxSymlinkLimit {
 			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
 		}
 
diff --git a/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
deleted file mode 100644
index a17ae3b0387ec..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
+++ /dev/null
@@ -1,236 +0,0 @@
-//go:build linux
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"golang.org/x/sys/unix"
-)
-
-var (
-	errInvalidMode    = errors.New("invalid permission mode")
-	errPossibleAttack = errors.New("possible attack detected")
-)
-
-// modePermExt is like os.ModePerm except that it also includes the set[ug]id
-// and sticky bits.
-const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
-
-//nolint:cyclop // this function needs to handle a lot of cases
-func toUnixMode(mode os.FileMode) (uint32, error) {
-	sysMode := uint32(mode.Perm())
-	if mode&os.ModeSetuid != 0 {
-		sysMode |= unix.S_ISUID
-	}
-	if mode&os.ModeSetgid != 0 {
-		sysMode |= unix.S_ISGID
-	}
-	if mode&os.ModeSticky != 0 {
-		sysMode |= unix.S_ISVTX
-	}
-	// We don't allow file type bits.
-	if mode&os.ModeType != 0 {
-		return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", errInvalidMode, mode, mode)
-	}
-	// We don't allow other unknown modes.
-	if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 {
-		return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", errInvalidMode, mode, mode)
-	}
-	return sysMode, nil
-}
-
-// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
-// in two respects:
-//
-//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
-//     handle. This means that the caller can be sure which root directory is
-//     being used. Note that this can be emulated by using /proc/self/fd/... as
-//     the root path with [os.MkdirAll].
-//
-//   - Once all of the directories have been created, an *[os.File] O_PATH handle
-//     to the directory at unsafePath is returned to the caller. This is done in
-//     an effectively-race-free way (an attacker would only be able to swap the
-//     final directory component), which is not possible to emulate with
-//     [MkdirAll].
-//
-// In addition, the returned handle is obtained far more efficiently than doing
-// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
-// doing [MkdirAll]. If you intend to open the directory after creating it, you
-// should use MkdirAllHandle.
-func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
-	unixMode, err := toUnixMode(mode)
-	if err != nil {
-		return nil, err
-	}
-	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
-	// bits. We could also silently ignore them but since we have very few
-	// users it seems more prudent to return an error so users notice that
-	// these bits will not be set.
-	if unixMode&^0o1777 != 0 {
-		return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode)
-	}
-
-	// Try to open as much of the path as possible.
-	currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
-	defer func() {
-		if Err != nil {
-			_ = currentDir.Close()
-		}
-	}()
-	if err != nil && !errors.Is(err, unix.ENOENT) {
-		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
-	}
-
-	// If there is an attacker deleting directories as we walk into them,
-	// detect this proactively. Note this is guaranteed to detect if the
-	// attacker deleted any part of the tree up to currentDir.
-	//
-	// Once we walk into a dead directory, partialLookupInRoot would not be
-	// able to walk further down the tree (directories must be empty before
-	// they are deleted), and if the attacker has removed the entire tree we
-	// can be sure that anything that was originally inside a dead directory
-	// must also be deleted and thus is a dead directory in its own right.
-	//
-	// This is mostly a quality-of-life check, because mkdir will simply fail
-	// later if the attacker deletes the tree after this check.
-	if err := isDeadInode(currentDir); err != nil {
-		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
-	}
-
-	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
-	// always return a non-O_PATH handle). We also check that we actually got a
-	// directory.
-	if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
-		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
-	} else if err != nil {
-		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
-	} else {
-		_ = currentDir.Close()
-		currentDir = reopenDir
-	}
-
-	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
-	if slices_Contains(remainingParts, "..") {
-		// The path contained ".." components after the end of the "real"
-		// components. We could try to safely resolve ".." here but that would
-		// add a bunch of extra logic for something that it's not clear even
-		// needs to be supported. So just return an error.
-		//
-		// If we do filepath.Clean(remainingPath) then we end up with the
-		// problem that ".." can erase a trailing dangling symlink and produce
-		// a path that doesn't quite match what the user asked for.
-		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
-	}
-
-	// Create the remaining components.
-	for _, part := range remainingParts {
-		switch part {
-		case "", ".":
-			// Skip over no-op paths.
-			continue
-		}
-
-		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
-		// create the final component without worrying about symlink-exchange
-		// attacks.
-		//
-		// If we get -EEXIST, it's possible that another program created the
-		// directory at the same time as us. In that case, just continue on as
-		// if we created it (if the created inode is not a directory, the
-		// following open call will fail).
-		if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) {
-			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
-			// Make the error a bit nicer if the directory is dead.
-			if deadErr := isDeadInode(currentDir); deadErr != nil {
-				// TODO: Once we bump the minimum Go version to 1.20, we can use
-				// multiple %w verbs for this wrapping. For now we need to use a
-				// compatibility shim for older Go versions.
-				//err = fmt.Errorf("%w (%w)", err, deadErr)
-				err = wrapBaseError(err, deadErr)
-			}
-			return nil, err
-		}
-
-		// Get a handle to the next component. O_DIRECTORY means we don't need
-		// to use O_PATH.
-		var nextDir *os.File
-		if hasOpenat2() {
-			nextDir, err = openat2File(currentDir, part, &unix.OpenHow{
-				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
-				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
-			})
-		} else {
-			nextDir, err = openatFile(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
-		}
-		if err != nil {
-			return nil, err
-		}
-		_ = currentDir.Close()
-		currentDir = nextDir
-
-		// It's possible that the directory we just opened was swapped by an
-		// attacker. Unfortunately there isn't much we can do to protect
-		// against this, and MkdirAll's behaviour is that we will reuse
-		// existing directories anyway so the need to protect against this is
-		// incredibly limited (and arguably doesn't even deserve mention here).
-		//
-		// Ideally we might want to check that the owner and mode match what we
-		// would've created -- unfortunately, it is non-trivial to verify that
-		// the owner and mode of the created directory match. While plain Unix
-		// DAC rules seem simple enough to emulate, there are a bunch of other
-		// factors that can change the mode or owner of created directories
-		// (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
-		// filesystems like vfat, etc etc). We used to try to verify this but
-		// it just lead to a series of spurious errors.
-		//
-		// We could also check that the directory is non-empty, but
-		// unfortunately some pseduofilesystems (like cgroupfs) create
-		// non-empty directories, which would result in different spurious
-		// errors.
-	}
-	return currentDir, nil
-}
-
-// MkdirAll is a race-safe alternative to the [os.MkdirAll] function,
-// where the new directory is guaranteed to be within the root directory (if an
-// attacker can move directories from inside the root to outside the root, the
-// created directory tree might be outside of the root but the key constraint
-// is that at no point will we walk outside of the directory tree we are
-// creating).
-//
-// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
-//
-//	path, _ := securejoin.SecureJoin(root, unsafePath)
-//	err := os.MkdirAll(path, mode)
-//
-// But is much safer. The above implementation is unsafe because if an attacker
-// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is
-// possible for MkdirAll to resolve unsafe symlink components and create
-// directories outside of the root.
-//
-// If you plan to open the directory after you have created it or want to use
-// an open directory handle as the root, you should use [MkdirAllHandle] instead.
-// This function is a wrapper around [MkdirAllHandle].
-func MkdirAll(root, unsafePath string, mode os.FileMode) error {
-	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
-	if err != nil {
-		return err
-	}
-	defer rootDir.Close()
-
-	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
-	if err != nil {
-		return err
-	}
-	_ = f.Close()
-	return nil
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
deleted file mode 100644
index 230be73f0eb39..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
+++ /dev/null
@@ -1,103 +0,0 @@
-//go:build linux
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-
-	"golang.org/x/sys/unix"
-)
-
-// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
-// using an *[os.File] handle, to ensure that the correct root directory is used.
-func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
-	handle, err := completeLookupInRoot(root, unsafePath)
-	if err != nil {
-		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
-	}
-	return handle, nil
-}
-
-// OpenInRoot safely opens the provided unsafePath within the root.
-// Effectively, OpenInRoot(root, unsafePath) is equivalent to
-//
-//	path, _ := securejoin.SecureJoin(root, unsafePath)
-//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
-//
-// But is much safer. The above implementation is unsafe because if an attacker
-// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
-// possible for the returned file to be outside of the root.
-//
-// Note that the returned handle is an O_PATH handle, meaning that only a very
-// limited set of operations will work on the handle. This is done to avoid
-// accidentally opening an untrusted file that could cause issues (such as a
-// disconnected TTY that could cause a DoS, or some other issue). In order to
-// use the returned handle, you can "upgrade" it to a proper handle using
-// [Reopen].
-func OpenInRoot(root, unsafePath string) (*os.File, error) {
-	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
-	if err != nil {
-		return nil, err
-	}
-	defer rootDir.Close()
-	return OpenatInRoot(rootDir, unsafePath)
-}
-
-// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
-// Reopen(file, flags) is effectively equivalent to
-//
-//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
-//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
-//
-// But with some extra hardenings to ensure that we are not tricked by a
-// maliciously-configured /proc mount. While this attack scenario is not
-// common, in container runtimes it is possible for higher-level runtimes to be
-// tricked into configuring an unsafe /proc that can be used to attack file
-// operations. See [CVE-2019-19921] for more details.
-//
-// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
-func Reopen(handle *os.File, flags int) (*os.File, error) {
-	procRoot, err := getProcRoot()
-	if err != nil {
-		return nil, err
-	}
-
-	// We can't operate on /proc/thread-self/fd/$n directly when doing a
-	// re-open, so we need to open /proc/thread-self/fd and then open a single
-	// final component.
-	procFdDir, closer, err := procThreadSelf(procRoot, "fd/")
-	if err != nil {
-		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
-	}
-	defer procFdDir.Close()
-	defer closer()
-
-	// Try to detect if there is a mount on top of the magic-link we are about
-	// to open. If we are using unsafeHostProcRoot(), this could change after
-	// we check it (and there's nothing we can do about that) but for
-	// privateProcRoot() this should be guaranteed to be safe (at least since
-	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
-	// from external mounts including mount propagation events).
-	//
-	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
-	// onto targets that reside on shared mounts").
-	fdStr := strconv.Itoa(int(handle.Fd()))
-	if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
-		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
-	}
-
-	flags |= unix.O_CLOEXEC
-	// Rather than just wrapping openatFile, open-code it so we can copy
-	// handle.Name().
-	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
-	if err != nil {
-		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
-	}
-	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
deleted file mode 100644
index f7a13e69ce8b0..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
+++ /dev/null
@@ -1,127 +0,0 @@
-//go:build linux
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"golang.org/x/sys/unix"
-)
-
-var hasOpenat2 = sync_OnceValue(func() bool {
-	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
-		Flags:   unix.O_PATH | unix.O_CLOEXEC,
-		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
-	})
-	if err != nil {
-		return false
-	}
-	_ = unix.Close(fd)
-	return true
-})
-
-func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
-	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
-	// ".." while a mount or rename occurs anywhere on the system. This could
-	// happen spuriously, or as the result of an attacker trying to mess with
-	// us during lookup.
-	//
-	// In addition, scoped lookups have a "safety check" at the end of
-	// complete_walk which will return -EXDEV if the final path is not in the
-	// root.
-	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
-		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
-}
-
-const scopedLookupMaxRetries = 10
-
-func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) {
-	fullPath := dir.Name() + "/" + path
-	// Make sure we always set O_CLOEXEC.
-	how.Flags |= unix.O_CLOEXEC
-	var tries int
-	for tries < scopedLookupMaxRetries {
-		fd, err := unix.Openat2(int(dir.Fd()), path, how)
-		if err != nil {
-			if scopedLookupShouldRetry(how, err) {
-				// We retry a couple of times to avoid the spurious errors, and
-				// if we are being attacked then returning -EAGAIN is the best
-				// we can do.
-				tries++
-				continue
-			}
-			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
-		}
-		// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
-		// NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise
-		//       you'll get infinite recursion here.
-		if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
-			if actualPath, err := rawProcSelfFdReadlink(fd); err == nil {
-				fullPath = actualPath
-			}
-		}
-		return os.NewFile(uintptr(fd), fullPath), nil
-	}
-	return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack}
-}
-
-func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) {
-	if !partial {
-		file, err := openat2File(root, unsafePath, &unix.OpenHow{
-			Flags:   unix.O_PATH | unix.O_CLOEXEC,
-			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
-		})
-		return file, "", err
-	}
-	return partialLookupOpenat2(root, unsafePath)
-}
-
-// partialLookupOpenat2 is an alternative implementation of
-// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
-// handle to the deepest existing child of the requested path within the root.
-func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) {
-	// TODO: Implement this as a git-bisect-like binary search.
-
-	unsafePath = filepath.ToSlash(unsafePath) // noop
-	endIdx := len(unsafePath)
-	var lastError error
-	for endIdx > 0 {
-		subpath := unsafePath[:endIdx]
-
-		handle, err := openat2File(root, subpath, &unix.OpenHow{
-			Flags:   unix.O_PATH | unix.O_CLOEXEC,
-			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
-		})
-		if err == nil {
-			// Jump over the slash if we have a non-"" remainingPath.
-			if endIdx < len(unsafePath) {
-				endIdx += 1
-			}
-			// We found a subpath!
-			return handle, unsafePath[endIdx:], lastError
-		}
-		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
-			// That path doesn't exist, let's try the next directory up.
-			endIdx = strings.LastIndexByte(subpath, '/')
-			lastError = err
-			continue
-		}
-		return nil, "", fmt.Errorf("open subpath: %w", err)
-	}
-	// If we couldn't open anything, the whole subpath is missing. Return a
-	// copy of the root fd so that the caller doesn't close this one by
-	// accident.
-	rootClone, err := dupFile(root)
-	if err != nil {
-		return nil, "", err
-	}
-	return rootClone, unsafePath, lastError
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
deleted file mode 100644
index 949fb5f2d82da..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
+++ /dev/null
@@ -1,59 +0,0 @@
-//go:build linux
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"os"
-	"path/filepath"
-
-	"golang.org/x/sys/unix"
-)
-
-func dupFile(f *os.File) (*os.File, error) {
-	fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0)
-	if err != nil {
-		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
-	}
-	return os.NewFile(uintptr(fd), f.Name()), nil
-}
-
-func openatFile(dir *os.File, path string, flags int, mode int) (*os.File, error) {
-	// Make sure we always set O_CLOEXEC.
-	flags |= unix.O_CLOEXEC
-	fd, err := unix.Openat(int(dir.Fd()), path, flags, uint32(mode))
-	if err != nil {
-		return nil, &os.PathError{Op: "openat", Path: dir.Name() + "/" + path, Err: err}
-	}
-	// All of the paths we use with openatFile(2) are guaranteed to be
-	// lexically safe, so we can use path.Join here.
-	fullPath := filepath.Join(dir.Name(), path)
-	return os.NewFile(uintptr(fd), fullPath), nil
-}
-
-func fstatatFile(dir *os.File, path string, flags int) (unix.Stat_t, error) {
-	var stat unix.Stat_t
-	if err := unix.Fstatat(int(dir.Fd()), path, &stat, flags); err != nil {
-		return stat, &os.PathError{Op: "fstatat", Path: dir.Name() + "/" + path, Err: err}
-	}
-	return stat, nil
-}
-
-func readlinkatFile(dir *os.File, path string) (string, error) {
-	size := 4096
-	for {
-		linkBuf := make([]byte, size)
-		n, err := unix.Readlinkat(int(dir.Fd()), path, linkBuf)
-		if err != nil {
-			return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err}
-		}
-		if n != size {
-			return string(linkBuf[:n]), nil
-		}
-		// Possible truncation, resize the buffer.
-		size *= 2
-	}
-}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md
new file mode 100644
index 0000000000000..bb95b028c67ae
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/README.md
@@ -0,0 +1,35 @@
+## `pathrs-lite` ##
+
+`github.com/cyphar/filepath-securejoin/pathrs-lite` provides a minimal **pure
+Go** implementation of the core bits of [libpathrs][]. This is not intended to
+be a complete replacement for libpathrs, instead it is mainly intended to be
+useful as a transition tool for existing Go projects.
+
+`pathrs-lite` also provides a very easy way to switch to `libpathrs` (even for
+downstreams where `pathrs-lite` is being used in a third-party package and is
+not interested in using CGo). At build time, if you use the `libpathrs` build
+tag then `pathrs-lite` will use `libpathrs` directly instead of the pure Go
+implementation. The two backends are functionally equivalent (and we have
+integration tests to verify this), so this migration should be very easy with
+no user-visible impact.
+
+[libpathrs]: https://github.com/cyphar/libpathrs
+
+### License ###
+
+Most of this subpackage is licensed under the Mozilla Public License (version
+2.0). For more information, see the top-level [COPYING.md][] and
+[LICENSE.MPL-2.0][] files, as well as the individual license headers for each
+file.
+
+```
+Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+Copyright (C) 2024-2025 SUSE LLC
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, You can obtain one at https://mozilla.org/MPL/2.0/.
+```
+
+[COPYING.md]: ../COPYING.md
+[LICENSE.MPL-2.0]: ../LICENSE.MPL-2.0
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go
new file mode 100644
index 0000000000000..61411da37afe4
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/doc.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package pathrs (pathrs-lite) is a less complete pure Go implementation of
+// some of the APIs provided by [libpathrs].
+//
+// [libpathrs]: https://github.com/cyphar/libpathrs
+package pathrs
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
new file mode 100644
index 0000000000000..595dfbf1acf6c
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert/assert.go
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package assert provides some basic assertion helpers for Go.
+package assert
+
+import (
+	"fmt"
+)
+
+// Assert panics if the predicate is false with the provided argument.
+func Assert(predicate bool, msg any) {
+	if !predicate {
+		panic(msg)
+	}
+}
+
+// Assertf panics if the predicate is false and formats the message using the
+// same formatting as [fmt.Printf].
+//
+// [fmt.Printf]: https://pkg.go.dev/fmt#Printf
+func Assertf(predicate bool, fmtMsg string, args ...any) {
+	Assert(predicate, fmt.Sprintf(fmtMsg, args...))
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
new file mode 100644
index 0000000000000..d0b200f4f9a1e
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/errors_linux.go
@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package internal contains unexported common code for filepath-securejoin.
+package internal
+
+import (
+	"errors"
+
+	"golang.org/x/sys/unix"
+)
+
+type xdevErrorish struct {
+	description string
+}
+
+func (err xdevErrorish) Error() string        { return err.description }
+func (err xdevErrorish) Is(target error) bool { return target == unix.EXDEV }
+
+var (
+	// ErrPossibleAttack indicates that some attack was detected.
+	ErrPossibleAttack error = xdevErrorish{"possible attack detected"}
+
+	// ErrPossibleBreakout indicates that during an operation we ended up in a
+	// state that could be a breakout but we detected it.
+	ErrPossibleBreakout error = xdevErrorish{"possible breakout detected"}
+
+	// ErrInvalidDirectory indicates an unlinked directory.
+	ErrInvalidDirectory = errors.New("wandered into deleted directory")
+
+	// ErrDeletedInode indicates an unlinked file (non-directory).
+	ErrDeletedInode = errors.New("cannot verify path of deleted inode")
+)
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
new file mode 100644
index 0000000000000..0910549130460
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/at_linux.go
@@ -0,0 +1,148 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// prepareAtWith returns -EBADF (an invalid fd) if dir is nil, otherwise using
+// the dir.Fd(). We use -EBADF because in filepath-securejoin we generally
+// don't want to allow relative-to-cwd paths. The returned path is an
+// *informational* string that describes a reasonable pathname for the given
+// *at(2) arguments. You must not use the full path for any actual filesystem
+// operations.
+func prepareAt(dir Fd, path string) (dirFd int, unsafeUnmaskedPath string) {
+	dirFd, dirPath := -int(unix.EBADF), "."
+	if dir != nil {
+		dirFd, dirPath = int(dir.Fd()), dir.Name()
+	}
+	if !filepath.IsAbs(path) {
+		// only prepend the dirfd path for relative paths
+		path = dirPath + "/" + path
+	}
+	// NOTE: If path is "." or "", the returned path won't be filepath.Clean,
+	// but that's okay since this path is either used for errors (in which case
+	// a trailing "/" or "/." is important information) or will be
+	// filepath.Clean'd later (in the case of fd.Openat).
+	return dirFd, path
+}
+
+// Openat is an [Fd]-based wrapper around unix.Openat.
+func Openat(dir Fd, path string, flags int, mode int) (*os.File, error) { //nolint:unparam // wrapper func
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.O_CLOEXEC
+	fd, err := unix.Openat(dirFd, path, flags, uint32(mode))
+	if err != nil {
+		return nil, &os.PathError{Op: "openat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	// openat is only used with lexically-safe paths so we can use
+	// filepath.Clean here, and also the path itself is not going to be used
+	// for actual path operations.
+	fullPath = filepath.Clean(fullPath)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
+
+// Fstatat is an [Fd]-based wrapper around unix.Fstatat.
+func Fstatat(dir Fd, path string, flags int) (unix.Stat_t, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	var stat unix.Stat_t
+	if err := unix.Fstatat(dirFd, path, &stat, flags); err != nil {
+		return stat, &os.PathError{Op: "fstatat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return stat, nil
+}
+
+// Faccessat is an [Fd]-based wrapper around unix.Faccessat.
+func Faccessat(dir Fd, path string, mode uint32, flags int) error {
+	dirFd, fullPath := prepareAt(dir, path)
+	err := unix.Faccessat(dirFd, path, mode, flags)
+	if err != nil {
+		err = &os.PathError{Op: "faccessat", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return err
+}
+
+// Readlinkat is an [Fd]-based wrapper around unix.Readlinkat.
+func Readlinkat(dir Fd, path string) (string, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	size := 4096
+	for {
+		linkBuf := make([]byte, size)
+		n, err := unix.Readlinkat(dirFd, path, linkBuf)
+		if err != nil {
+			return "", &os.PathError{Op: "readlinkat", Path: fullPath, Err: err}
+		}
+		runtime.KeepAlive(dir)
+		if n != size {
+			return string(linkBuf[:n]), nil
+		}
+		// Possible truncation, resize the buffer.
+		size *= 2
+	}
+}
+
+const (
+	// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
+	// avoid bumping the requirement for a single constant we can just define it
+	// ourselves.
+	_STATX_MNT_ID_UNIQUE = 0x4000 //nolint:revive // unix.* name
+
+	// We don't care which mount ID we get. The kernel will give us the unique
+	// one if it is supported. If the kernel doesn't support
+	// STATX_MNT_ID_UNIQUE, the bit is ignored and the returned request mask
+	// will only contain STATX_MNT_ID (if supported).
+	wantStatxMntMask = _STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+)
+
+var hasStatxMountID = gocompat.SyncOnceValue(func() bool {
+	var stx unix.Statx_t
+	err := unix.Statx(-int(unix.EBADF), "/", 0, wantStatxMntMask, &stx)
+	return err == nil && stx.Mask&wantStatxMntMask != 0
+})
+
+// GetMountID gets the mount identifier associated with the fd and path
+// combination. It is effectively a wrapper around fetching
+// STATX_MNT_ID{,_UNIQUE} with unix.Statx, but with a fallback to 0 if the
+// kernel doesn't support the feature.
+func GetMountID(dir Fd, path string) (uint64, error) {
+	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
+	if !hasStatxMountID() {
+		return 0, nil
+	}
+
+	dirFd, fullPath := prepareAt(dir, path)
+
+	var stx unix.Statx_t
+	err := unix.Statx(dirFd, path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, wantStatxMntMask, &stx)
+	if stx.Mask&wantStatxMntMask == 0 {
+		// It's not a kernel limitation, for some reason we couldn't get a
+		// mount ID. Assume it's some kind of attack.
+		err = fmt.Errorf("could not get mount id: %w", err)
+	}
+	if err != nil {
+		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return stx.Mnt_id, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
new file mode 100644
index 0000000000000..d2206a386f919
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package fd provides a drop-in interface-based replacement of [*os.File] that
+// allows for things like noop-Close wrappers to be used.
+//
+// [*os.File]: https://pkg.go.dev/os#File
+package fd
+
+import (
+	"io"
+	"os"
+)
+
+// Fd is an interface that mirrors most of the API of [*os.File], allowing you
+// to create wrappers that can be used in place of [*os.File].
+//
+// [*os.File]: https://pkg.go.dev/os#File
+type Fd interface {
+	io.Closer
+	Name() string
+	Fd() uintptr
+}
+
+// Compile-time interface checks.
+var (
+	_ Fd = (*os.File)(nil)
+	_ Fd = noClose{}
+)
+
+type noClose struct{ inner Fd }
+
+func (f noClose) Name() string { return f.inner.Name() }
+func (f noClose) Fd() uintptr  { return f.inner.Fd() }
+
+func (f noClose) Close() error { return nil }
+
+// NopCloser returns an [*os.File]-like object where the [Close] method is now
+// a no-op.
+//
+// Note that for [*os.File] and similar objects, the Go garbage collector will
+// still call [Close] on the underlying file unless you use
+// [runtime.SetFinalizer] to disable this behaviour. This is up to the caller
+// to do (if necessary).
+//
+// [*os.File]: https://pkg.go.dev/os#File
+// [Close]: https://pkg.go.dev/io#Closer
+// [runtime.SetFinalizer]: https://pkg.go.dev/runtime#SetFinalizer
+func NopCloser(f Fd) Fd { return noClose{inner: f} }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
new file mode 100644
index 0000000000000..e1ec3c0b8e421
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/fd_linux.go
@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+)
+
+// DupWithName creates a new file descriptor referencing the same underlying
+// file, but with the provided name instead of fd.Name().
+func DupWithName(fd Fd, name string) (*os.File, error) {
+	fd2, err := unix.FcntlInt(fd.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
+	}
+	runtime.KeepAlive(fd)
+	return os.NewFile(uintptr(fd2), name), nil
+}
+
+// Dup creates a new file description referencing the same underlying file.
+func Dup(fd Fd) (*os.File, error) {
+	return DupWithName(fd, fd.Name())
+}
+
+// Fstat is an [Fd]-based wrapper around unix.Fstat.
+func Fstat(fd Fd) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstat(int(fd.Fd()), &stat); err != nil {
+		return stat, &os.PathError{Op: "fstat", Path: fd.Name(), Err: err}
+	}
+	runtime.KeepAlive(fd)
+	return stat, nil
+}
+
+// Fstatfs is an [Fd]-based wrapper around unix.Fstatfs.
+func Fstatfs(fd Fd) (unix.Statfs_t, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(fd.Fd()), &statfs); err != nil {
+		return statfs, &os.PathError{Op: "fstatfs", Path: fd.Name(), Err: err}
+	}
+	runtime.KeepAlive(fd)
+	return statfs, nil
+}
+
+// IsDeadInode detects whether the file has been unlinked from a filesystem and
+// is thus a "dead inode" from the kernel's perspective.
+func IsDeadInode(file Fd) error {
+	// If the nlink of a file drops to 0, there is an attacker deleting
+	// directories during our walk, which could result in weird /proc values.
+	// It's better to error out in this case.
+	stat, err := Fstat(file)
+	if err != nil {
+		return fmt.Errorf("check for dead inode: %w", err)
+	}
+	if stat.Nlink == 0 {
+		err := internal.ErrDeletedInode
+		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
+			err = internal.ErrInvalidDirectory
+		}
+		return fmt.Errorf("%w %q", err, file.Name())
+	}
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
new file mode 100644
index 0000000000000..77549c7a993c1
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/mount_linux.go
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+)
+
+// Fsopen is an [Fd]-based wrapper around unix.Fsopen.
+func Fsopen(fsName string, flags int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+// Fsmount is an [Fd]-based wrapper around unix.Fsmount.
+func Fsmount(ctx Fd, flags, mountAttrs int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
+}
+
+// OpenTree is an [Fd]-based wrapper around unix.OpenTree.
+func OpenTree(dir Fd, path string, flags uint) (*os.File, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.OPEN_TREE_CLOEXEC
+	fd, err := unix.OpenTree(dirFd, path, flags)
+	if err != nil {
+		return nil, &os.PathError{Op: "open_tree", Path: fullPath, Err: err}
+	}
+	runtime.KeepAlive(dir)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
new file mode 100644
index 0000000000000..3e937fe3c161c
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package fd
+
+import (
+	"errors"
+	"os"
+	"runtime"
+
+	"golang.org/x/sys/unix"
+)
+
+func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
+	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
+	// ".." while a mount or rename occurs anywhere on the system. This could
+	// happen spuriously, or as the result of an attacker trying to mess with
+	// us during lookup.
+	//
+	// In addition, scoped lookups have a "safety check" at the end of
+	// complete_walk which will return -EXDEV if the final path is not in the
+	// root.
+	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
+		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
+}
+
+// This is a fairly arbitrary limit we have just to avoid an attacker being
+// able to make us spin in an infinite retry loop -- callers can choose to
+// retry on EAGAIN if they prefer.
+const scopedLookupMaxRetries = 128
+
+// Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry
+// logic in case of EAGAIN errors.
+func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
+	dirFd, fullPath := prepareAt(dir, path)
+	// Make sure we always set O_CLOEXEC.
+	how.Flags |= unix.O_CLOEXEC
+	var tries int
+	for {
+		fd, err := unix.Openat2(dirFd, path, how)
+		if err != nil {
+			if scopedLookupShouldRetry(how, err) && tries < scopedLookupMaxRetries {
+				// We retry a couple of times to avoid the spurious errors, and
+				// if we are being attacked then returning -EAGAIN is the best
+				// we can do.
+				tries++
+				continue
+			}
+			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
+		}
+		runtime.KeepAlive(dir)
+		return os.NewFile(uintptr(fd), fullPath), nil
+	}
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md
new file mode 100644
index 0000000000000..5dcb6ae007027
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/README.md
@@ -0,0 +1,10 @@
+## gocompat ##
+
+This directory contains backports of stdlib functions from later Go versions so
+the filepath-securejoin can continue to be used by projects that are stuck with
+Go 1.18 support. Note that often filepath-securejoin is added in security
+patches for old releases, so avoiding the need to bump Go compiler requirements
+is a huge plus to downstreams.
+
+The source code is licensed under the same license as the Go stdlib. See the
+source files for the precise license information.
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go
new file mode 100644
index 0000000000000..4b1803f580ad8
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/doc.go
@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build linux && go1.20
+
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package gocompat includes compatibility shims (backported from future Go
+// stdlib versions) to permit filepath-securejoin to be used with older Go
+// versions (often filepath-securejoin is added in security patches for old
+// releases, so avoiding the need to bump Go compiler requirements is a huge
+// plus to downstreams).
+package gocompat
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
new file mode 100644
index 0000000000000..4a114bd3da970
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_go120.go
@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build linux && go1.20
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"fmt"
+)
+
+// WrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
+// is only guaranteed to give you baseErr.
+func WrapBaseError(baseErr, extraErr error) error {
+	return fmt.Errorf("%w: %w", extraErr, baseErr)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go
similarity index 80%
rename from vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
rename to vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go
index e7adca3fd121e..3061016a6a693 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_errors_unsupported.go
@@ -1,10 +1,12 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
 //go:build linux && !go1.20
 
 // Copyright (C) 2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package securejoin
+package gocompat
 
 import (
 	"fmt"
@@ -27,10 +29,10 @@ func (err wrappedError) Error() string {
 	return fmt.Sprintf("%v: %v", err.isError, err.inner)
 }
 
-// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
+// WrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except
 // that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap)
 // is only guaranteed to give you baseErr.
-func wrapBaseError(baseErr, extraErr error) error {
+func WrapBaseError(baseErr, extraErr error) error {
 	return wrappedError{
 		inner:   baseErr,
 		isError: extraErr,
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
new file mode 100644
index 0000000000000..d4a938186e480
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_go121.go
@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && go1.21
+
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"cmp"
+	"slices"
+	"sync"
+)
+
+// SlicesDeleteFunc is equivalent to Go 1.21's slices.DeleteFunc.
+func SlicesDeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S {
+	return slices.DeleteFunc(slice, delFn)
+}
+
+// SlicesContains is equivalent to Go 1.21's slices.Contains.
+func SlicesContains[S ~[]E, E comparable](slice S, val E) bool {
+	return slices.Contains(slice, val)
+}
+
+// SlicesClone is equivalent to Go 1.21's slices.Clone.
+func SlicesClone[S ~[]E, E any](slice S) S {
+	return slices.Clone(slice)
+}
+
+// SyncOnceValue is equivalent to Go 1.21's sync.OnceValue.
+func SyncOnceValue[T any](f func() T) func() T {
+	return sync.OnceValue(f)
+}
+
+// SyncOnceValues is equivalent to Go 1.21's sync.OnceValues.
+func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	return sync.OnceValues(f)
+}
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+type CmpOrdered = cmp.Ordered
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	return cmp.Compare(x, y)
+}
+
+// Max2 is equivalent to Go 1.21's max builtin (but only for two parameters).
+func Max2[T CmpOrdered](x, y T) T {
+	return max(x, y)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go
new file mode 100644
index 0000000000000..0ea6218aa6c8f
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_generics_unsupported.go
@@ -0,0 +1,187 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !go1.21
+
+// Copyright (C) 2021, 2022 The Go Authors. All rights reserved.
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+package gocompat
+
+import (
+	"sync"
+)
+
+// These are very minimal implementations of functions that appear in Go 1.21's
+// stdlib, included so that we can build on older Go versions. Most are
+// borrowed directly from the stdlib, and a few are modified to be "obviously
+// correct" without needing to copy too many other helpers.
+
+// clearSlice is equivalent to Go 1.21's builtin clear.
+// Copied from the Go 1.24 stdlib implementation.
+func clearSlice[S ~[]E, E any](slice S) {
+	var zero E
+	for i := range slice {
+		slice[i] = zero
+	}
+}
+
+// slicesIndexFunc is equivalent to Go 1.21's slices.IndexFunc.
+// Copied from the Go 1.24 stdlib implementation.
+func slicesIndexFunc[S ~[]E, E any](s S, f func(E) bool) int {
+	for i := range s {
+		if f(s[i]) {
+			return i
+		}
+	}
+	return -1
+}
+
+// SlicesDeleteFunc is equivalent to Go 1.21's slices.DeleteFunc.
+// Copied from the Go 1.24 stdlib implementation.
+func SlicesDeleteFunc[S ~[]E, E any](s S, del func(E) bool) S {
+	i := slicesIndexFunc(s, del)
+	if i == -1 {
+		return s
+	}
+	// Don't start copying elements until we find one to delete.
+	for j := i + 1; j < len(s); j++ {
+		if v := s[j]; !del(v) {
+			s[i] = v
+			i++
+		}
+	}
+	clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC
+	return s[:i]
+}
+
+// SlicesContains is equivalent to Go 1.21's slices.Contains.
+// Similar to the stdlib slices.Contains, except that we don't have
+// slices.Index so we need to use slices.IndexFunc for this non-Func helper.
+func SlicesContains[S ~[]E, E comparable](s S, v E) bool {
+	return slicesIndexFunc(s, func(e E) bool { return e == v }) >= 0
+}
+
+// SlicesClone is equivalent to Go 1.21's slices.Clone.
+// Copied from the Go 1.24 stdlib implementation.
+func SlicesClone[S ~[]E, E any](s S) S {
+	// Preserve nil in case it matters.
+	if s == nil {
+		return nil
+	}
+	return append(S([]E{}), s...)
+}
+
+// SyncOnceValue is equivalent to Go 1.21's sync.OnceValue.
+// Copied from the Go 1.25 stdlib implementation.
+func SyncOnceValue[T any](f func() T) func() T {
+	// Use a struct so that there's a single heap allocation.
+	d := struct {
+		f      func() T
+		once   sync.Once
+		valid  bool
+		p      any
+		result T
+	}{
+		f: f,
+	}
+	return func() T {
+		d.once.Do(func() {
+			defer func() {
+				d.f = nil
+				d.p = recover()
+				if !d.valid {
+					panic(d.p)
+				}
+			}()
+			d.result = d.f()
+			d.valid = true
+		})
+		if !d.valid {
+			panic(d.p)
+		}
+		return d.result
+	}
+}
+
+// SyncOnceValues is equivalent to Go 1.21's sync.OnceValues.
+// Copied from the Go 1.25 stdlib implementation.
+func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
+	// Use a struct so that there's a single heap allocation.
+	d := struct {
+		f     func() (T1, T2)
+		once  sync.Once
+		valid bool
+		p     any
+		r1    T1
+		r2    T2
+	}{
+		f: f,
+	}
+	return func() (T1, T2) {
+		d.once.Do(func() {
+			defer func() {
+				d.f = nil
+				d.p = recover()
+				if !d.valid {
+					panic(d.p)
+				}
+			}()
+			d.r1, d.r2 = d.f()
+			d.valid = true
+		})
+		if !d.valid {
+			panic(d.p)
+		}
+		return d.r1, d.r2
+	}
+}
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+// Copied from the Go 1.25 stdlib implementation.
+type CmpOrdered interface {
+	~int | ~int8 | ~int16 | ~int32 | ~int64 |
+		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
+		~float32 | ~float64 |
+		~string
+}
+
+// isNaN reports whether x is a NaN without requiring the math package.
+// This will always return false if T is not floating-point.
+// Copied from the Go 1.25 stdlib implementation.
+func isNaN[T CmpOrdered](x T) bool {
+	return x != x
+}
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+// Copied from the Go 1.25 stdlib implementation.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	xNaN := isNaN(x)
+	yNaN := isNaN(y)
+	if xNaN {
+		if yNaN {
+			return 0
+		}
+		return -1
+	}
+	if yNaN {
+		return +1
+	}
+	if x < y {
+		return -1
+	}
+	if x > y {
+		return +1
+	}
+	return 0
+}
+
+// Max2 is equivalent to Go 1.21's max builtin for two parameters.
+func Max2[T CmpOrdered](x, y T) T {
+	m := x
+	if y > m {
+		m = y
+	}
+	return m
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go
new file mode 100644
index 0000000000000..2ddb71e844526
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/doc.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package gopathrs is a less complete pure Go implementation of some of the
+// APIs provided by [libpathrs].
+//
+// [libpathrs]: https://github.com/cyphar/libpathrs
+package gopathrs
diff --git a/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go
similarity index 85%
rename from vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
rename to vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go
index be81e498d724d..56480f0cee116 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go
@@ -1,10 +1,15 @@
+// SPDX-License-Identifier: MPL-2.0
+
 //go:build linux
 
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
-package securejoin
+package gopathrs
 
 import (
 	"errors"
@@ -15,6 +20,12 @@ import (
 	"strings"
 
 	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/internal/consts"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
 )
 
 type symlinkStackEntry struct {
@@ -112,12 +123,12 @@ func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) erro
 		return nil
 	}
 	// Split the link target and clean up any "" parts.
-	linkTargetParts := slices_DeleteFunc(
+	linkTargetParts := gocompat.SlicesDeleteFunc(
 		strings.Split(linkTarget, "/"),
 		func(part string) bool { return part == "" || part == "." })
 
 	// Copy the directory so the caller doesn't close our copy.
-	dirCopy, err := dupFile(dir)
+	dirCopy, err := fd.Dup(dir)
 	if err != nil {
 		return err
 	}
@@ -155,15 +166,15 @@ func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
 	return tailEntry.dir, tailEntry.remainingPath, true
 }
 
-// partialLookupInRoot tries to lookup as much of the request path as possible
+// PartialLookupInRoot tries to lookup as much of the request path as possible
 // within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
 // component of the requested path, returning a file handle to the final
 // existing component and a string containing the remaining path components.
-func partialLookupInRoot(root *os.File, unsafePath string) (*os.File, string, error) {
+func PartialLookupInRoot(root fd.Fd, unsafePath string) (*os.File, string, error) {
 	return lookupInRoot(root, unsafePath, true)
 }
 
-func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) {
+func completeLookupInRoot(root fd.Fd, unsafePath string) (*os.File, error) {
 	handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
 	if remainingPath != "" && err == nil {
 		// should never happen
@@ -174,7 +185,7 @@ func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) {
 	return handle, err
 }
 
-func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
+func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
 	unsafePath = filepath.ToSlash(unsafePath) // noop
 
 	// This is very similar to SecureJoin, except that we operate on the
@@ -182,20 +193,20 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 	// managed open, along with the remaining path components not opened.
 
 	// Try to use openat2 if possible.
-	if hasOpenat2() {
+	if linux.HasOpenat2() {
 		return lookupOpenat2(root, unsafePath, partial)
 	}
 
 	// Get the "actual" root path from /proc/self/fd. This is necessary if the
 	// root is some magic-link like /proc/$pid/root, in which case we want to
-	// make sure when we do checkProcSelfFdPath that we are using the correct
-	// root path.
-	logicalRootPath, err := procSelfFdReadlink(root)
+	// make sure when we do procfs.CheckProcSelfFdPath that we are using the
+	// correct root path.
+	logicalRootPath, err := procfs.ProcSelfFdReadlink(root)
 	if err != nil {
 		return nil, "", fmt.Errorf("get real root path: %w", err)
 	}
 
-	currentDir, err := dupFile(root)
+	currentDir, err := fd.Dup(root)
 	if err != nil {
 		return nil, "", fmt.Errorf("clone root fd: %w", err)
 	}
@@ -260,7 +271,7 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 				return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
 			}
 			// Jump to root.
-			rootClone, err := dupFile(root)
+			rootClone, err := fd.Dup(root)
 			if err != nil {
 				return nil, "", fmt.Errorf("clone root fd: %w", err)
 			}
@@ -271,21 +282,21 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 		}
 
 		// Try to open the next component.
-		nextDir, err := openatFile(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
-		switch {
-		case err == nil:
+		nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		switch err {
+		case nil:
 			st, err := nextDir.Stat()
 			if err != nil {
 				_ = nextDir.Close()
 				return nil, "", fmt.Errorf("stat component %q: %w", part, err)
 			}
 
-			switch st.Mode() & os.ModeType {
+			switch st.Mode() & os.ModeType { //nolint:exhaustive // just a glorified if statement
 			case os.ModeSymlink:
 				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
 				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
 				// fstatat() with empty relative pathnames").
-				linkDest, err := readlinkatFile(nextDir, "")
+				linkDest, err := fd.Readlinkat(nextDir, "")
 				// We don't need the handle anymore.
 				_ = nextDir.Close()
 				if err != nil {
@@ -293,7 +304,7 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 				}
 
 				linksWalked++
-				if linksWalked > maxSymlinkLimit {
+				if linksWalked > consts.MaxSymlinkLimit {
 					return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
 				}
 
@@ -307,7 +318,7 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 				// Absolute symlinks reset any work we've already done.
 				if path.IsAbs(linkDest) {
 					// Jump to root.
-					rootClone, err := dupFile(root)
+					rootClone, err := fd.Dup(root)
 					if err != nil {
 						return nil, "", fmt.Errorf("clone root fd: %w", err)
 					}
@@ -335,12 +346,12 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 				// rename or mount on the system.
 				if part == ".." {
 					// Make sure the root hasn't moved.
-					if err := checkProcSelfFdPath(logicalRootPath, root); err != nil {
+					if err := procfs.CheckProcSelfFdPath(logicalRootPath, root); err != nil {
 						return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
 					}
 					// Make sure the path is what we expect.
 					fullPath := logicalRootPath + nextPath
-					if err := checkProcSelfFdPath(fullPath, currentDir); err != nil {
+					if err := procfs.CheckProcSelfFdPath(fullPath, currentDir); err != nil {
 						return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
 					}
 				}
@@ -371,7 +382,7 @@ func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.Fi
 	// context of openat2, a trailing slash and a trailing "/." are completely
 	// equivalent.
 	if strings.HasSuffix(unsafePath, "/") {
-		nextDir, err := openatFile(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		nextDir, err := fd.Openat(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
 		if err != nil {
 			if !partial {
 				_ = currentDir.Close()
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go
new file mode 100644
index 0000000000000..21a5593f44fda
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/mkdir_linux.go
@@ -0,0 +1,212 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// ErrInvalidMode is returned from [MkdirAll] when the requested mode is
+// invalid.
+var ErrInvalidMode = errors.New("invalid permission mode")
+
+// modePermExt is like os.ModePerm except that it also includes the set[ug]id
+// and sticky bits.
+const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
+
+//nolint:cyclop // this function needs to handle a lot of cases
+func toUnixMode(mode os.FileMode) (uint32, error) {
+	sysMode := uint32(mode.Perm())
+	if mode&os.ModeSetuid != 0 {
+		sysMode |= unix.S_ISUID
+	}
+	if mode&os.ModeSetgid != 0 {
+		sysMode |= unix.S_ISGID
+	}
+	if mode&os.ModeSticky != 0 {
+		sysMode |= unix.S_ISVTX
+	}
+	// We don't allow file type bits.
+	if mode&os.ModeType != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", ErrInvalidMode, mode, mode)
+	}
+	// We don't allow other unknown modes.
+	if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 {
+		return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", ErrInvalidMode, mode, mode)
+	}
+	return sysMode, nil
+}
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
+	unixMode, err := toUnixMode(mode)
+	if err != nil {
+		return nil, err
+	}
+	// On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid
+	// bits. We could also silently ignore them but since we have very few
+	// users it seems more prudent to return an error so users notice that
+	// these bits will not be set.
+	if unixMode&^0o1777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", ErrInvalidMode, mode)
+	}
+
+	// Try to open as much of the path as possible.
+	currentDir, remainingPath, err := PartialLookupInRoot(root, unsafePath)
+	defer func() {
+		if Err != nil {
+			_ = currentDir.Close()
+		}
+	}()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// If there is an attacker deleting directories as we walk into them,
+	// detect this proactively. Note this is guaranteed to detect if the
+	// attacker deleted any part of the tree up to currentDir.
+	//
+	// Once we walk into a dead directory, partialLookupInRoot would not be
+	// able to walk further down the tree (directories must be empty before
+	// they are deleted), and if the attacker has removed the entire tree we
+	// can be sure that anything that was originally inside a dead directory
+	// must also be deleted and thus is a dead directory in its own right.
+	//
+	// This is mostly a quality-of-life check, because mkdir will simply fail
+	// later if the attacker deletes the tree after this check.
+	if err := fd.IsDeadInode(currentDir); err != nil {
+		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
+	// always return a non-O_PATH handle). We also check that we actually got a
+	// directory.
+	if reopenDir, err := procfs.ReopenFd(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
+		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
+	} else if err != nil {
+		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
+	} else { //nolint:revive // indent-error-flow lint doesn't make sense here
+		_ = currentDir.Close()
+		currentDir = reopenDir
+	}
+
+	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
+	if gocompat.SlicesContains(remainingParts, "..") {
+		// The path contained ".." components after the end of the "real"
+		// components. We could try to safely resolve ".." here but that would
+		// add a bunch of extra logic for something that it's not clear even
+		// needs to be supported. So just return an error.
+		//
+		// If we do filepath.Clean(remainingPath) then we end up with the
+		// problem that ".." can erase a trailing dangling symlink and produce
+		// a path that doesn't quite match what the user asked for.
+		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
+	}
+
+	// Create the remaining components.
+	for _, part := range remainingParts {
+		switch part {
+		case "", ".":
+			// Skip over no-op paths.
+			continue
+		}
+
+		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
+		// create the final component without worrying about symlink-exchange
+		// attacks.
+		//
+		// If we get -EEXIST, it's possible that another program created the
+		// directory at the same time as us. In that case, just continue on as
+		// if we created it (if the created inode is not a directory, the
+		// following open call will fail).
+		if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) {
+			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
+			// Make the error a bit nicer if the directory is dead.
+			if deadErr := fd.IsDeadInode(currentDir); deadErr != nil {
+				// TODO: Once we bump the minimum Go version to 1.20, we can use
+				// multiple %w verbs for this wrapping. For now we need to use a
+				// compatibility shim for older Go versions.
+				// err = fmt.Errorf("%w (%w)", err, deadErr)
+				err = gocompat.WrapBaseError(err, deadErr)
+			}
+			return nil, err
+		}
+
+		// Get a handle to the next component. O_DIRECTORY means we don't need
+		// to use O_PATH.
+		var nextDir *os.File
+		if linux.HasOpenat2() {
+			nextDir, err = openat2(currentDir, part, &unix.OpenHow{
+				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
+				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
+			})
+		} else {
+			nextDir, err = fd.Openat(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		}
+		if err != nil {
+			return nil, err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+
+		// It's possible that the directory we just opened was swapped by an
+		// attacker. Unfortunately there isn't much we can do to protect
+		// against this, and MkdirAll's behaviour is that we will reuse
+		// existing directories anyway so the need to protect against this is
+		// incredibly limited (and arguably doesn't even deserve mention here).
+		//
+		// Ideally we might want to check that the owner and mode match what we
+		// would've created -- unfortunately, it is non-trivial to verify that
+		// the owner and mode of the created directory match. While plain Unix
+		// DAC rules seem simple enough to emulate, there are a bunch of other
+		// factors that can change the mode or owner of created directories
+		// (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on
+		// filesystems like vfat, etc etc). We used to try to verify this but
+		// it just lead to a series of spurious errors.
+		//
+		// We could also check that the directory is non-empty, but
+		// unfortunately some pseduofilesystems (like cgroupfs) create
+		// non-empty directories, which would result in different spurious
+		// errors.
+	}
+	return currentDir, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go
new file mode 100644
index 0000000000000..cd9632a9588b4
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/open_linux.go
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"os"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, err := completeLookupInRoot(root, unsafePath)
+	if err != nil {
+		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
+	}
+	return handle, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go
new file mode 100644
index 0000000000000..b80ecd08953fd
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package gopathrs
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+)
+
+func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
+	file, err := fd.Openat2(dir, path, how)
+	if err != nil {
+		return nil, err
+	}
+	// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
+	if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
+		if actualPath, err := procfs.ProcSelfFdReadlink(file); err == nil {
+			// TODO: Ideally we would not need to dup the fd, but you cannot
+			//       easily just swap an *os.File with one from the same fd
+			//       (the GC will close the old one, and you cannot clear the
+			//       finaliser easily because it is associated with an internal
+			//       field of *os.File not *os.File itself).
+			newFile, err := fd.DupWithName(file, actualPath)
+			if err != nil {
+				return nil, err
+			}
+			file = newFile
+		}
+	}
+	return file, nil
+}
+
+func lookupOpenat2(root fd.Fd, unsafePath string, partial bool) (*os.File, string, error) {
+	if !partial {
+		file, err := openat2(root, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		return file, "", err
+	}
+	return partialLookupOpenat2(root, unsafePath)
+}
+
+// partialLookupOpenat2 is an alternative implementation of
+// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
+// handle to the deepest existing child of the requested path within the root.
+func partialLookupOpenat2(root fd.Fd, unsafePath string) (*os.File, string, error) {
+	// TODO: Implement this as a git-bisect-like binary search.
+
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+	endIdx := len(unsafePath)
+	var lastError error
+	for endIdx > 0 {
+		subpath := unsafePath[:endIdx]
+
+		handle, err := openat2(root, subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err == nil {
+			// Jump over the slash if we have a non-"" remainingPath.
+			if endIdx < len(unsafePath) {
+				endIdx++
+			}
+			// We found a subpath!
+			return handle, unsafePath[endIdx:], lastError
+		}
+		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
+			// That path doesn't exist, let's try the next directory up.
+			endIdx = strings.LastIndexByte(subpath, '/')
+			lastError = err
+			continue
+		}
+		return nil, "", fmt.Errorf("open subpath: %w", err)
+	}
+	// If we couldn't open anything, the whole subpath is missing. Return a
+	// copy of the root fd so that the caller doesn't close this one by
+	// accident.
+	rootClone, err := fd.Dup(root)
+	if err != nil {
+		return nil, "", err
+	}
+	return rootClone, unsafePath, lastError
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
new file mode 100644
index 0000000000000..cb6de41861fe9
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion/kernel_linux.go
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2022 The Go Authors. All rights reserved.
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+// The parsing logic is very loosely based on the Go stdlib's
+// src/internal/syscall/unix/kernel_version_linux.go but with an API that looks
+// a bit like runc's libcontainer/system/kernelversion.
+//
+// TODO(cyphar): This API has been copied around to a lot of different projects
+// (Docker, containerd, runc, and now filepath-securejoin) -- maybe we should
+// put it in a separate project?
+
+// Package kernelversion provides a simple mechanism for checking whether the
+// running kernel is at least as new as some baseline kernel version. This is
+// often useful when checking for features that would be too complicated to
+// test support for (or in cases where we know that some kernel features in
+// backport-heavy kernels are broken and need to be avoided).
+package kernelversion
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// KernelVersion is a numeric representation of the key numerical elements of a
+// kernel version (for instance, "4.1.2-default-1" would be represented as
+// KernelVersion{4, 1, 2}).
+type KernelVersion []uint64
+
+func (kver KernelVersion) String() string {
+	var str strings.Builder
+	for idx, elem := range kver {
+		if idx != 0 {
+			_, _ = str.WriteRune('.')
+		}
+		_, _ = str.WriteString(strconv.FormatUint(elem, 10))
+	}
+	return str.String()
+}
+
+var errInvalidKernelVersion = errors.New("invalid kernel version")
+
+// parseKernelVersion parses a string and creates a KernelVersion based on it.
+func parseKernelVersion(kverStr string) (KernelVersion, error) {
+	kver := make(KernelVersion, 1, 3)
+	for idx, ch := range kverStr {
+		if '0' <= ch && ch <= '9' {
+			v := &kver[len(kver)-1]
+			*v = (*v * 10) + uint64(ch-'0')
+		} else {
+			if idx == 0 || kverStr[idx-1] < '0' || '9' < kverStr[idx-1] {
+				// "." must be preceded by a digit while in version section
+				return nil, fmt.Errorf("%w %q: kernel version has dot(s) followed by non-digit in version section", errInvalidKernelVersion, kverStr)
+			}
+			if ch != '.' {
+				break
+			}
+			kver = append(kver, 0)
+		}
+	}
+	if len(kver) < 2 {
+		return nil, fmt.Errorf("%w %q: kernel versions must contain at least two components", errInvalidKernelVersion, kverStr)
+	}
+	return kver, nil
+}
+
+// getKernelVersion gets the current kernel version.
+var getKernelVersion = gocompat.SyncOnceValues(func() (KernelVersion, error) {
+	var uts unix.Utsname
+	if err := unix.Uname(&uts); err != nil {
+		return nil, err
+	}
+	// Remove the \x00 from the release.
+	release := uts.Release[:]
+	return parseKernelVersion(string(release[:bytes.IndexByte(release, 0)]))
+})
+
+// GreaterEqualThan returns true if the the host kernel version is greater than
+// or equal to the provided [KernelVersion]. When doing this comparison, any
+// non-numerical suffixes of the host kernel version are ignored.
+//
+// If the number of components provided is not equal to the number of numerical
+// components of the host kernel version, any missing components are treated as
+// 0. This means that GreaterEqualThan(KernelVersion{4}) will be treated the
+// same as GreaterEqualThan(KernelVersion{4, 0, 0, ..., 0, 0}), and that if the
+// host kernel version is "4" then GreaterEqualThan(KernelVersion{4, 1}) will
+// return false (because the host version will be treated as "4.0").
+func GreaterEqualThan(wantKver KernelVersion) (bool, error) {
+	hostKver, err := getKernelVersion()
+	if err != nil {
+		return false, err
+	}
+
+	// Pad out the kernel version lengths to match one another.
+	cmpLen := gocompat.Max2(len(hostKver), len(wantKver))
+	hostKver = append(hostKver, make(KernelVersion, cmpLen-len(hostKver))...)
+	wantKver = append(wantKver, make(KernelVersion, cmpLen-len(wantKver))...)
+
+	for i := 0; i < cmpLen; i++ {
+		switch gocompat.CmpCompare(hostKver[i], wantKver[i]) {
+		case -1:
+			// host < want
+			return false, nil
+		case +1:
+			// host > want
+			return true, nil
+		case 0:
+			continue
+		}
+	}
+	// equal version values
+	return true, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go
new file mode 100644
index 0000000000000..4635714f626c3
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/doc.go
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: MPL-2.0
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package linux returns information about what features are supported on the
+// running kernel.
+package linux
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
new file mode 100644
index 0000000000000..b29905bff66f1
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/mount_linux.go
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package linux
+
+import (
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion"
+)
+
+// HasNewMountAPI returns whether the new fsopen(2) mount API is supported on
+// the running kernel.
+var HasNewMountAPI = gocompat.SyncOnceValue(func() bool {
+	// All of the pieces of the new mount API we use (fsopen, fsconfig,
+	// fsmount, open_tree) were added together in Linux 5.2[1,2], so we can
+	// just check for one of the syscalls and the others should also be
+	// available.
+	//
+	// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
+	// This is equivalent to openat(2), but tells us if open_tree is
+	// available (and thus all of the other basic new mount API syscalls).
+	// open_tree(2) is most light-weight syscall to test here.
+	//
+	// [1]: merge commit 400913252d09
+	// [2]: <https://lore.kernel.org/lkml/153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk/>
+	fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+
+	// RHEL 8 has a backport of fsopen(2) that appears to have some very
+	// difficult to debug performance pathology. As such, it seems prudent to
+	// simply reject pre-5.2 kernels.
+	isNotBackport, _ := kernelversion.GreaterEqualThan(kernelversion.KernelVersion{5, 2})
+	return isNotBackport
+})
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
new file mode 100644
index 0000000000000..399609dc3617c
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package linux
+
+import (
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+)
+
+// HasOpenat2 returns whether openat2(2) is supported on the running kernel.
+var HasOpenat2 = gocompat.SyncOnceValue(func() bool {
+	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
+		Flags:   unix.O_PATH | unix.O_CLOEXEC,
+		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
+	})
+	if err != nil {
+		return false
+	}
+	_ = unix.Close(fd)
+	return true
+})
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
new file mode 100644
index 0000000000000..21e0a62e8eca7
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go
@@ -0,0 +1,544 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux. Note
+// that this is the *internal* procfs API, mainy needed due to Go's
+// restrictions on cyclic dependencies and its incredibly minimal visibility
+// system without making a separate internal/ package.
+package procfs
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+)
+
+// The kernel guarantees that the root inode of a procfs mount has an
+// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
+const (
+	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
+	procRootIno    = 1      // PROC_ROOT_INO
+)
+
+// verifyProcHandle checks that the handle is from a procfs filesystem.
+// Contrast this to [verifyProcRoot], which also verifies that the handle is
+// the root of a procfs mount.
+func verifyProcHandle(procHandle fd.Fd) error {
+	if statfs, err := fd.Fstatfs(procHandle); err != nil {
+		return err
+	} else if statfs.Type != procSuperMagic {
+		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+	}
+	return nil
+}
+
+// verifyProcRoot verifies that the handle is the root of a procfs filesystem.
+// Contrast this to [verifyProcHandle], which only verifies if the handle is
+// some file on procfs (regardless of what file it is).
+func verifyProcRoot(procRoot fd.Fd) error {
+	if err := verifyProcHandle(procRoot); err != nil {
+		return err
+	}
+	if stat, err := fd.Fstat(procRoot); err != nil {
+		return err
+	} else if stat.Ino != procRootIno {
+		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
+	}
+	return nil
+}
+
+type procfsFeatures struct {
+	// hasSubsetPid was added in Linux 5.8, along with hidepid=ptraceable (and
+	// string-based hidepid= values). Before this patchset, it was not really
+	// safe to try to modify procfs superblock flags because the superblock was
+	// shared -- so if this feature is not available, **you should not set any
+	// superblock flags**.
+	//
+	// 6814ef2d992a ("proc: add option to mount only a pids subset")
+	// fa10fed30f25 ("proc: allow to mount many instances of proc in one pid namespace")
+	// 24a71ce5c47f ("proc: instantiate only pids that we can ptrace on 'hidepid=4' mount option")
+	// 1c6c4d112e81 ("proc: use human-readable values for hidepid")
+	// 9ff7258575d5 ("Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
+	hasSubsetPid bool
+}
+
+var getProcfsFeatures = gocompat.SyncOnceValue(func() procfsFeatures {
+	if !linux.HasNewMountAPI() {
+		return procfsFeatures{}
+	}
+	procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return procfsFeatures{}
+	}
+	defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
+
+	return procfsFeatures{
+		hasSubsetPid: unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid") == nil,
+	}
+})
+
+func newPrivateProcMount(subset bool) (_ *Handle, Err error) {
+	procfsCtx, err := fd.Fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return nil, err
+	}
+	defer procfsCtx.Close() //nolint:errcheck // close failures aren't critical here
+
+	if subset && getProcfsFeatures().hasSubsetPid {
+		// Try to configure hidepid=ptraceable,subset=pid if possible, but
+		// ignore errors.
+		_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
+		_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
+	}
+
+	// Get an actual handle.
+	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
+		return nil, os.NewSyscallError("fsconfig create procfs", err)
+	}
+	// TODO: Output any information from the fscontext log to debug logs.
+	procRoot, err := fd.Fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+func clonePrivateProcMount() (_ *Handle, Err error) {
+	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
+	// we can be sure there are no over-mounts and so if the root is valid then
+	// we're golden. Otherwise, we have to deal with over-mounts.
+	procRoot, err := fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE)
+	if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procRoot) {
+		procRoot, err = fd.OpenTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+func privateProcRoot(subset bool) (*Handle, error) {
+	if !linux.HasNewMountAPI() || hookForceGetProcRootUnsafe() {
+		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
+	}
+	// Try to create a new procfs mount from scratch if we can. This ensures we
+	// can get a procfs mount even if /proc is fake (for whatever reason).
+	procRoot, err := newPrivateProcMount(subset)
+	if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
+		// Try to clone /proc then...
+		procRoot, err = clonePrivateProcMount()
+	}
+	return procRoot, err
+}
+
+func unsafeHostProcRoot() (_ *Handle, Err error) {
+	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	return newHandle(procRoot)
+}
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	Inner fd.Fd
+	// Does this handle have subset=pid set?
+	isSubset bool
+}
+
+func newHandle(procRoot fd.Fd) (*Handle, error) {
+	if err := verifyProcRoot(procRoot); err != nil {
+		// This is only used in methods that
+		_ = procRoot.Close()
+		return nil, err
+	}
+	proc := &Handle{Inner: procRoot}
+	// With subset=pid we can be sure that /proc/uptime will not exist.
+	if err := fd.Faccessat(proc.Inner, "uptime", unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil {
+		proc.isSubset = errors.Is(err, os.ErrNotExist)
+	}
+	return proc, nil
+}
+
+// Close closes the underlying file for the Handle.
+func (proc *Handle) Close() error { return proc.Inner.Close() }
+
+var getCachedProcRoot = gocompat.SyncOnceValue(func() *Handle {
+	procRoot, err := getProcRoot(true)
+	if err != nil {
+		return nil // just don't cache if we see an error
+	}
+	if !procRoot.isSubset {
+		return nil // we only cache verified subset=pid handles
+	}
+
+	// Disarm (*Handle).Close() to stop someone from accidentally closing
+	// the global handle.
+	procRoot.Inner = fd.NopCloser(procRoot.Inner)
+	return procRoot
+})
+
+// OpenProcRoot tries to open a "safer" handle to "/proc".
+func OpenProcRoot() (*Handle, error) {
+	if proc := getCachedProcRoot(); proc != nil {
+		return proc, nil
+	}
+	return getProcRoot(true)
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths (but also without "subset=pid").
+func OpenUnsafeProcRoot() (*Handle, error) { return getProcRoot(false) }
+
+func getProcRoot(subset bool) (*Handle, error) {
+	proc, err := privateProcRoot(subset)
+	if err != nil {
+		// Fall back to using a /proc handle if making a private mount failed.
+		// If we have openat2, at least we can avoid some kinds of over-mount
+		// attacks, but without openat2 there's not much we can do.
+		proc, err = unsafeHostProcRoot()
+	}
+	return proc, err
+}
+
+var hasProcThreadSelf = gocompat.SyncOnceValue(func() bool {
+	return unix.Access("/proc/thread-self/", unix.F_OK) == nil
+})
+
+var errUnsafeProcfs = errors.New("unsafe procfs detected")
+
+// lookup is a very minimal wrapper around [procfsLookupInRoot] which is
+// intended to be called from the external API.
+func (proc *Handle) lookup(subpath string) (*os.File, error) {
+	handle, err := procfsLookupInRoot(proc.Inner, subpath)
+	if err != nil {
+		return nil, err
+	}
+	return handle, nil
+}
+
+// procfsBase is an enum indicating the prefix of a subpath in operations
+// involving [Handle]s.
+type procfsBase string
+
+const (
+	// ProcRoot refers to the root of the procfs (i.e., "/proc/<subpath>").
+	ProcRoot procfsBase = "/proc"
+	// ProcSelf refers to the current process' subdirectory (i.e.,
+	// "/proc/self/<subpath>").
+	ProcSelf procfsBase = "/proc/self"
+	// ProcThreadSelf refers to the current thread's subdirectory (i.e.,
+	// "/proc/thread-self/<subpath>"). In multi-threaded programs (i.e., all Go
+	// programs) where one thread has a different CLONE_FS, it is possible for
+	// "/proc/self" to point the wrong thread and so "/proc/thread-self" may be
+	// necessary. Note that on pre-3.17 kernels, "/proc/thread-self" doesn't
+	// exist and so a fallback will be used in that case.
+	ProcThreadSelf procfsBase = "/proc/thread-self"
+	// TODO: Switch to an interface setup so we can have a more type-safe
+	// version of ProcPid and remove the need to worry about invalid string
+	// values.
+)
+
+// prefix returns a prefix that can be used with the given [Handle].
+func (base procfsBase) prefix(proc *Handle) (string, error) {
+	switch base {
+	case ProcRoot:
+		return ".", nil
+	case ProcSelf:
+		return "self", nil
+	case ProcThreadSelf:
+		threadSelf := "thread-self"
+		if !hasProcThreadSelf() || hookForceProcSelfTask() {
+			// Pre-3.17 kernels don't have /proc/thread-self, so do it
+			// manually.
+			threadSelf = "self/task/" + strconv.Itoa(unix.Gettid())
+			if err := fd.Faccessat(proc.Inner, threadSelf, unix.F_OK, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
+				// In this case, we running in a pid namespace that doesn't
+				// match the /proc mount we have. This can happen inside runc.
+				//
+				// Unfortunately, there is no nice way to get the correct TID
+				// to use here because of the age of the kernel, so we have to
+				// just use /proc/self and hope that it works.
+				threadSelf = "self"
+			}
+		}
+		return threadSelf, nil
+	}
+	return "", fmt.Errorf("invalid procfs base %q", base)
+}
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [ProcThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser func()
+
+// open is the core lookup operation for [Handle]. It returns a handle to
+// "/proc/<base>/<subpath>". If the returned [ProcThreadSelfCloser] is non-nil,
+// you should call it after you are done interacting with the returned handle.
+//
+// In general you should use prefer to use the other helpers, as they remove
+// the need to interact with [procfsBase] and do not return a nil
+// [ProcThreadSelfCloser] for [procfsBase] values other than [ProcThreadSelf]
+// where it is necessary.
+func (proc *Handle) open(base procfsBase, subpath string) (_ *os.File, closer ProcThreadSelfCloser, Err error) {
+	prefix, err := base.prefix(proc)
+	if err != nil {
+		return nil, nil, err
+	}
+	subpath = prefix + "/" + subpath
+
+	switch base {
+	case ProcRoot:
+		file, err := proc.lookup(subpath)
+		if errors.Is(err, os.ErrNotExist) {
+			// The Handle handle in use might be a subset=pid one, which will
+			// result in spurious errors. In this case, just open a temporary
+			// unmasked procfs handle for this operation.
+			proc, err2 := OpenUnsafeProcRoot() // !subset=pid
+			if err2 != nil {
+				return nil, nil, err
+			}
+			defer proc.Close() //nolint:errcheck // close failures aren't critical here
+
+			file, err = proc.lookup(subpath)
+		}
+		return file, nil, err
+
+	case ProcSelf:
+		file, err := proc.lookup(subpath)
+		return file, nil, err
+
+	case ProcThreadSelf:
+		// We need to lock our thread until the caller is done with the handle
+		// because between getting the handle and using it we could get
+		// interrupted by the Go runtime and hit the case where the underlying
+		// thread is swapped out and the original thread is killed, resulting
+		// in pull-your-hair-out-hard-to-debug issues in the caller.
+		runtime.LockOSThread()
+		defer func() {
+			if Err != nil {
+				runtime.UnlockOSThread()
+				closer = nil
+			}
+		}()
+
+		file, err := proc.lookup(subpath)
+		return file, runtime.UnlockOSThread, err
+	}
+	// should never be reached
+	return nil, nil, fmt.Errorf("[internal error] invalid procfs base %q", base)
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/<subpath>" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+func (proc *Handle) OpenThreadSelf(subpath string) (_ *os.File, _ ProcThreadSelfCloser, Err error) {
+	return proc.open(ProcThreadSelf, subpath)
+}
+
+// OpenSelf returns a handle to /proc/self/<subpath>.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	file, closer, err := proc.open(ProcSelf, subpath)
+	assert.Assert(closer == nil, "closer for ProcSelf must be nil")
+	return file, err
+}
+
+// OpenRoot returns a handle to /proc/<subpath>.
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	file, closer, err := proc.open(ProcRoot, subpath)
+	assert.Assert(closer == nil, "closer for ProcRoot must be nil")
+	return file, err
+}
+
+// OpenPid returns a handle to /proc/$pid/<subpath> (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.OpenRoot(strconv.Itoa(pid) + "/" + subpath)
+}
+
+// checkSubpathOvermount checks if the dirfd and path combination is on the
+// same mount as the given root.
+func checkSubpathOvermount(root, dir fd.Fd, path string) error {
+	// Get the mntID of our procfs handle.
+	expectedMountID, err := fd.GetMountID(root, "")
+	if err != nil {
+		return fmt.Errorf("get root mount id: %w", err)
+	}
+	// Get the mntID of the target magic-link.
+	gotMountID, err := fd.GetMountID(dir, path)
+	if err != nil {
+		return fmt.Errorf("get subpath mount id: %w", err)
+	}
+	// As long as the directory mount is alive, even with wrapping mount IDs,
+	// we would expect to see a different mount ID here. (Of course, if we're
+	// using unsafeHostProcRoot() then an attaker could change this after we
+	// did this check.)
+	if expectedMountID != gotMountID {
+		return fmt.Errorf("%w: subpath %s/%s has an overmount obscuring the real path (mount ids do not match %d != %d)",
+			errUnsafeProcfs, dir.Name(), path, expectedMountID, gotMountID)
+	}
+	return nil
+}
+
+// Readlink performs a readlink operation on "/proc/<base>/<subpath>" in a way
+// that should be free from race attacks. This is most commonly used to get the
+// real path of a file by looking at "/proc/self/fd/$n", with the same safety
+// protections as [Open] (as well as some additional checks against
+// overmounts).
+func (proc *Handle) Readlink(base procfsBase, subpath string) (string, error) {
+	link, closer, err := proc.open(base, subpath)
+	if closer != nil {
+		defer closer()
+	}
+	if err != nil {
+		return "", fmt.Errorf("get safe %s/%s handle: %w", base, subpath, err)
+	}
+	defer link.Close() //nolint:errcheck // close failures aren't critical here
+
+	// Try to detect if there is a mount on top of the magic-link. This should
+	// be safe in general (a mount on top of the path afterwards would not
+	// affect the handle itself) and will definitely be safe if we are using
+	// privateProcRoot() (at least since Linux 5.12[1], when anonymous mount
+	// namespaces were completely isolated from external mounts including mount
+	// propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	if err := checkSubpathOvermount(proc.Inner, link, ""); err != nil {
+		return "", fmt.Errorf("check safety of %s/%s magiclink: %w", base, subpath, err)
+	}
+
+	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
+	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
+	// relative pathnames").
+	return fd.Readlinkat(link, "")
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// readlink(/proc/thread-self/fd/$n).
+//
+// This is just a wrapper around [Handle.Readlink].
+func ProcSelfFdReadlink(fd fd.Fd) (string, error) {
+	procRoot, err := OpenProcRoot() // subset=pid
+	if err != nil {
+		return "", err
+	}
+	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
+
+	fdPath := "fd/" + strconv.Itoa(int(fd.Fd()))
+	return procRoot.Readlink(ProcThreadSelf, fdPath)
+}
+
+// CheckProcSelfFdPath returns whether the given file handle matches the
+// expected path. (This is inherently racy.)
+func CheckProcSelfFdPath(path string, file fd.Fd) error {
+	if err := fd.IsDeadInode(file); err != nil {
+		return err
+	}
+	actualPath, err := ProcSelfFdReadlink(file)
+	if err != nil {
+		return fmt.Errorf("get path of handle: %w", err)
+	}
+	if actualPath != path {
+		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", internal.ErrPossibleBreakout, actualPath, path)
+	}
+	return nil
+}
+
+// ReopenFd takes an existing file descriptor and "re-opens" it through
+// /proc/thread-self/fd/<fd>. This allows for O_PATH file descriptors to be
+// upgraded to regular file descriptors, as well as changing the open mode of a
+// regular file descriptor. Some filesystems have unique handling of open(2)
+// which make this incredibly useful (such as /dev/ptmx).
+func ReopenFd(handle fd.Fd, flags int) (*os.File, error) {
+	procRoot, err := OpenProcRoot() // subset=pid
+	if err != nil {
+		return nil, err
+	}
+	defer procRoot.Close() //nolint:errcheck // close failures aren't critical here
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procRoot.OpenThreadSelf("fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close() //nolint:errcheck // close failures aren't critical here
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSubpathOvermount(procRoot.Inner, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping fd.Openat, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
+
+// Test hooks used in the procfs tests to verify that the fallback logic works.
+// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
+var (
+	hookForcePrivateProcRootOpenTree            = hookDummyFile
+	hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
+	hookForceGetProcRootUnsafe                  = hookDummy
+
+	hookForceProcSelfTask = hookDummy
+	hookForceProcSelf     = hookDummy
+)
+
+func hookDummy() bool                { return false }
+func hookDummyFile(_ io.Closer) bool { return false }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
new file mode 100644
index 0000000000000..1ad1f18eee6ac
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_lookup_linux.go
@@ -0,0 +1,222 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// This code is adapted to be a minimal version of the libpathrs proc resolver
+// <https://github.com/opensuse/libpathrs/blob/v0.1.3/src/resolvers/procfs.rs>.
+// As we only need O_PATH|O_NOFOLLOW support, this is not too much to port.
+
+package procfs
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/internal/consts"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux"
+)
+
+// procfsLookupInRoot is a stripped down version of completeLookupInRoot,
+// entirely designed to support the very small set of features necessary to
+// make procfs handling work. Unlike completeLookupInRoot, we always have
+// O_PATH|O_NOFOLLOW behaviour for trailing symlinks.
+//
+// The main restrictions are:
+//
+//   - ".." is not supported (as it requires either os.Root-style replays,
+//     which is more bug-prone; or procfs verification, which is not possible
+//     due to re-entrancy issues).
+//   - Absolute symlinks for the same reason (and all absolute symlinks in
+//     procfs are magic-links, which we want to skip anyway).
+//   - If statx is supported (checkSymlinkOvermount), any mount-point crossings
+//     (which is the main attack of concern against /proc).
+//   - Partial lookups are not supported, so the symlink stack is not needed.
+//   - Trailing slash special handling is not necessary in most cases (if we
+//     operating on procfs, it's usually with programmer-controlled strings
+//     that will then be re-opened), so we skip it since whatever re-opens it
+//     can deal with it. It's a creature comfort anyway.
+//
+// If the system supports openat2(), this is implemented using equivalent flags
+// (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS).
+func procfsLookupInRoot(procRoot fd.Fd, unsafePath string) (Handle *os.File, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// Make sure that an empty unsafe path still returns something sane, even
+	// with openat2 (which doesn't have AT_EMPTY_PATH semantics yet).
+	if unsafePath == "" {
+		unsafePath = "."
+	}
+
+	// This is already checked by getProcRoot, but make sure here since the
+	// core security of this lookup is based on this assumption.
+	if err := verifyProcRoot(procRoot); err != nil {
+		return nil, err
+	}
+
+	if linux.HasOpenat2() {
+		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
+		// absolutely sure we are operating on a clean /proc handle that
+		// doesn't have any cheeky overmounts that could trick us (including
+		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
+		// strictly needed, but just use it since we have it.
+		//
+		// NOTE: /proc/self is technically a magic-link (the contents of the
+		//       symlink are generated dynamically), but it doesn't use
+		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
+		//
+		// TODO: It would be nice to have RESOLVE_NO_DOTDOT, purely for
+		//       self-consistency with the backup O_PATH resolver.
+		handle, err := fd.Openat2(procRoot, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err != nil {
+			// TODO: Once we bump the minimum Go version to 1.20, we can use
+			// multiple %w verbs for this wrapping. For now we need to use a
+			// compatibility shim for older Go versions.
+			// err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+			return nil, gocompat.WrapBaseError(err, errUnsafeProcfs)
+		}
+		return handle, nil
+	}
+
+	// To mirror openat2(RESOLVE_BENEATH), we need to return an error if the
+	// path is absolute.
+	if path.IsAbs(unsafePath) {
+		return nil, fmt.Errorf("%w: cannot resolve absolute paths in procfs resolver", internal.ErrPossibleBreakout)
+	}
+
+	currentDir, err := fd.Dup(procRoot)
+	if err != nil {
+		return nil, fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		if part == "" {
+			// no-op component, but treat it the same as "."
+			part = "."
+		}
+		if part == ".." {
+			// not permitted
+			return nil, fmt.Errorf("%w: cannot walk into '..' in procfs resolver", internal.ErrPossibleBreakout)
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here. (Not to mention that ".." isn't allowed.)
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			// Jump to root.
+			rootClone, err := fd.Dup(procRoot)
+			if err != nil {
+				return nil, fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := fd.Openat(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			return nil, err
+		}
+
+		// Make sure we are still on procfs and haven't crossed mounts.
+		if err := verifyProcHandle(nextDir); err != nil {
+			_ = nextDir.Close()
+			return nil, fmt.Errorf("check %q component is on procfs: %w", part, err)
+		}
+		if err := checkSubpathOvermount(procRoot, nextDir, ""); err != nil {
+			_ = nextDir.Close()
+			return nil, fmt.Errorf("check %q component is not overmounted: %w", part, err)
+		}
+
+		// We are emulating O_PATH|O_NOFOLLOW, so we only need to traverse into
+		// trailing symlinks if we are not the final component. Otherwise we
+		// can just return the currentDir.
+		if remainingPath != "" {
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			if st.Mode()&os.ModeType == os.ModeSymlink {
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := fd.Readlinkat(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, err
+				}
+
+				linksWalked++
+				if linksWalked > consts.MaxSymlinkLimit {
+					return nil, &os.PathError{Op: "securejoin.procfsLookupInRoot", Path: "/proc/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks are probably magiclinks, we reject them.
+				if path.IsAbs(linkDest) {
+					return nil, fmt.Errorf("%w: cannot jump to / in procfs resolver -- possible magiclink", internal.ErrPossibleBreakout)
+				}
+				continue
+			}
+		}
+
+		// Walk into the next component.
+		_ = currentDir.Close()
+		currentDir = nextDir
+		currentPath = nextPath
+	}
+
+	// One final sanity-check.
+	if err := verifyProcHandle(currentDir); err != nil {
+		return nil, fmt.Errorf("check final handle is on procfs: %w", err)
+	}
+	if err := checkSubpathOvermount(procRoot, currentDir, ""); err != nil {
+		return nil, fmt.Errorf("check final handle is not overmounted: %w", err)
+	}
+	return currentDir, nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go
new file mode 100644
index 0000000000000..b43169564af46
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir.go
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// MkdirAll is a race-safe alternative to the [os.MkdirAll] function,
+// where the new directory is guaranteed to be within the root directory (if an
+// attacker can move directories from inside the root to outside the root, the
+// created directory tree might be outside of the root but the key constraint
+// is that at no point will we walk outside of the directory tree we are
+// creating).
+//
+// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	err := os.MkdirAll(path, mode)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is
+// possible for MkdirAll to resolve unsafe symlink components and create
+// directories outside of the root.
+//
+// If you plan to open the directory after you have created it or want to use
+// an open directory handle as the root, you should use [MkdirAllHandle] instead.
+// This function is a wrapper around [MkdirAllHandle].
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAll(root, unsafePath string, mode os.FileMode) error {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return err
+	}
+	defer rootDir.Close() //nolint:errcheck // close failures aren't critical here
+
+	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
+	if err != nil {
+		return err
+	}
+	_ = f.Close()
+	return nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go
new file mode 100644
index 0000000000000..f864dbc8f3835
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_libpathrs.go
@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.MkdirAll(unsafePath, mode)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go
new file mode 100644
index 0000000000000..0369dfe7e664d
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/mkdir_purego.go
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs"
+)
+
+// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use
+// in two respects:
+//
+//   - The caller provides the root directory as an *[os.File] (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with [os.MkdirAll].
+//
+//   - Once all of the directories have been created, an *[os.File] O_PATH handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     [MkdirAll].
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after
+// doing [MkdirAll]. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) {
+	return gopathrs.MkdirAllHandle(root, unsafePath, mode)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go
new file mode 100644
index 0000000000000..41b628907e176
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open.go
@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// OpenInRoot safely opens the provided unsafePath within the root.
+// Effectively, OpenInRoot(root, unsafePath) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
+// possible for the returned file to be outside of the root.
+//
+// Note that the returned handle is an O_PATH handle, meaning that only a very
+// limited set of operations will work on the handle. This is done to avoid
+// accidentally opening an untrusted file that could cause issues (such as a
+// disconnected TTY that could cause a DoS, or some other issue). In order to
+// use the returned handle, you can "upgrade" it to a proper handle using
+// [Reopen].
+//
+// [SecureJoin]: https://pkg.go.dev/github.com/cyphar/filepath-securejoin#SecureJoin
+func OpenInRoot(root, unsafePath string) (*os.File, error) {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer rootDir.Close() //nolint:errcheck // close failures aren't critical here
+	return OpenatInRoot(rootDir, unsafePath)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go
new file mode 100644
index 0000000000000..53352000e61ca
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_libpathrs.go
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"cyphar.com/go-pathrs"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	rootRef, err := pathrs.RootFromFile(root)
+	if err != nil {
+		return nil, err
+	}
+	defer rootRef.Close() //nolint:errcheck // close failures aren't critical here
+
+	handle, err := rootRef.Resolve(unsafePath)
+	if err != nil {
+		return nil, err
+	}
+	return handle.IntoFile(), nil
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(file *os.File, flags int) (*os.File, error) {
+	handle, err := pathrs.HandleFromFile(file)
+	if err != nil {
+		return nil, err
+	}
+	defer handle.Close() //nolint:errcheck // close failures aren't critical here
+
+	return handle.OpenFile(flags)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go
new file mode 100644
index 0000000000000..6d1be12ce5d37
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/open_purego.go
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package pathrs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
+// using an *[os.File] handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	return gopathrs.OpenatInRoot(root, unsafePath)
+}
+
+// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See [CVE-2019-19921] for more details.
+//
+// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+func Reopen(handle *os.File, flags int) (*os.File, error) {
+	return procfs.ReopenFd(handle, flags)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go
new file mode 100644
index 0000000000000..6c4df3763bb97
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_libpathrs.go
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+	"strconv"
+
+	"cyphar.com/go-pathrs/procfs"
+	"golang.org/x/sys/unix"
+)
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser = procfs.ThreadCloser
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *procfs.Handle
+}
+
+// Close close the resources associated with this [Handle]. Note that if this
+// [Handle] was created with [OpenProcRoot], on some kernels the underlying
+// procfs handle is cached and so this Close operation may be a no-op. However,
+// you should always call Close on [Handle]s once you are done with them.
+func (proc *Handle) Close() error { return proc.inner.Close() }
+
+// OpenProcRoot tries to open a "safer" handle to "/proc" (i.e., one with the
+// "subset=pid" mount option applied, available from Linux 5.8). Unless you
+// plan to do many [Handle.OpenRoot] operations, users should prefer to use
+// this over [OpenUnsafeProcRoot] which is far more dangerous to keep open.
+//
+// If a safe handle cannot be opened, OpenProcRoot will fall back to opening a
+// regular "/proc" handle.
+//
+// Note that using [Handle.OpenRoot] will still work with handles returned by
+// this function. If a subpath cannot be operated on with a safe "/proc"
+// handle, then [OpenUnsafeProcRoot] will be called internally and a temporary
+// unsafe handle will be used.
+func OpenProcRoot() (*Handle, error) {
+	proc, err := procfs.Open()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths. You must be extremely careful to make sure this handle is
+// never leaked to a container and that you program cannot be tricked into
+// writing to arbitrary paths within it.
+//
+// This is not necessary if you just wish to use [Handle.OpenRoot], as handles
+// returned by [OpenProcRoot] will fall back to using a *temporary* unsafe
+// handle in that case. You should only really use this if you need to do many
+// operations with [Handle.OpenRoot] and the performance overhead of making
+// many procfs handles is an issue. If you do use OpenUnsafeProcRoot, you
+// should make sure to close the handle as soon as possible to avoid
+// known-fd-number attacks.
+func OpenUnsafeProcRoot() (*Handle, error) {
+	proc, err := procfs.Open(procfs.UnmaskedProcRoot)
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/<subpath>" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// ([runtime.UnlockOSThread]). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// [runtime.UnlockOSThread]: https://pkg.go.dev/runtime#UnlockOSThread
+func (proc *Handle) OpenThreadSelf(subpath string) (*os.File, ProcThreadSelfCloser, error) {
+	return proc.inner.OpenThreadSelf(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenSelf returns a handle to /proc/self/<subpath>.
+//
+// Note that in Go programs with non-homogenous threads, this may result in
+// spurious errors. If you are monkeying around with APIs that are
+// thread-specific, you probably want to use [Handle.OpenThreadSelf] instead
+// which will guarantee that the handle refers to the same thread as the caller
+// is executing on.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	return proc.inner.OpenSelf(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenRoot returns a handle to /proc/<subpath>.
+//
+// You should only use this when you need to operate on global procfs files
+// (such as sysctls in /proc/sys). Unlike [Handle.OpenThreadSelf],
+// [Handle.OpenSelf], and [Handle.OpenPid], the procfs handle used internally
+// for this operation will never use "subset=pid", which makes it a more juicy
+// target for [CVE-2024-21626]-style attacks (and doing something like opening
+// a directory with OpenRoot effectively leaks [OpenUnsafeProcRoot] as long as
+// the file descriptor is open).
+//
+// [CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	return proc.inner.OpenRoot(subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// OpenPid returns a handle to /proc/$pid/<subpath> (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+//
+// You should not use this for the current thread, as special handling is
+// needed for /proc/thread-self (or /proc/self/task/<tid>) when dealing with
+// goroutine scheduling -- use [Handle.OpenThreadSelf] instead.
+//
+// To refer to the current thread-group, you should use prefer
+// [Handle.OpenSelf] to passing os.Getpid as the pid argument.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.inner.OpenPid(pid, subpath, unix.O_PATH|unix.O_NOFOLLOW)
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// /proc/self/fd/<fd> with [readlink]. It is effectively just shorthand for
+// something along the lines of:
+//
+//	proc, err := procfs.OpenProcRoot()
+//	if err != nil {
+//		return err
+//	}
+//	link, err := proc.OpenThreadSelf(fmt.Sprintf("fd/%d", f.Fd()))
+//	if err != nil {
+//		return err
+//	}
+//	defer link.Close()
+//	var buf [4096]byte
+//	n, err := unix.Readlinkat(int(link.Fd()), "", buf[:])
+//	if err != nil {
+//		return err
+//	}
+//	pathname := buf[:n]
+//
+// [readlink]: https://pkg.go.dev/golang.org/x/sys/unix#Readlinkat
+func ProcSelfFdReadlink(f *os.File) (string, error) {
+	proc, err := procfs.Open()
+	if err != nil {
+		return "", err
+	}
+	defer proc.Close() //nolint:errcheck // close failures aren't critical here
+
+	fdPath := "fd/" + strconv.Itoa(int(f.Fd()))
+	return proc.Readlink(procfs.ProcThreadSelf, fdPath)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go
new file mode 100644
index 0000000000000..9383002f9a9a0
--- /dev/null
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/procfs/procfs_purego.go
@@ -0,0 +1,157 @@
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build linux && !libpathrs
+
+// Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
+// Copyright (C) 2024-2025 SUSE LLC
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Package procfs provides a safe API for operating on /proc on Linux.
+package procfs
+
+import (
+	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs"
+)
+
+// This package mostly just wraps internal/procfs APIs. This is necessary
+// because we are forced to export some things from internal/procfs in order to
+// avoid some dependency cycle issues, but we don't want users to see or use
+// them.
+
+// ProcThreadSelfCloser is a callback that needs to be called when you are done
+// operating on an [os.File] fetched using [Handle.OpenThreadSelf].
+//
+// [os.File]: https://pkg.go.dev/os#File
+type ProcThreadSelfCloser = procfs.ProcThreadSelfCloser
+
+// Handle is a wrapper around an *os.File handle to "/proc", which can be used
+// to do further procfs-related operations in a safe way.
+type Handle struct {
+	inner *procfs.Handle
+}
+
+// Close close the resources associated with this [Handle]. Note that if this
+// [Handle] was created with [OpenProcRoot], on some kernels the underlying
+// procfs handle is cached and so this Close operation may be a no-op. However,
+// you should always call Close on [Handle]s once you are done with them.
+func (proc *Handle) Close() error { return proc.inner.Close() }
+
+// OpenProcRoot tries to open a "safer" handle to "/proc" (i.e., one with the
+// "subset=pid" mount option applied, available from Linux 5.8). Unless you
+// plan to do many [Handle.OpenRoot] operations, users should prefer to use
+// this over [OpenUnsafeProcRoot] which is far more dangerous to keep open.
+//
+// If a safe handle cannot be opened, OpenProcRoot will fall back to opening a
+// regular "/proc" handle.
+//
+// Note that using [Handle.OpenRoot] will still work with handles returned by
+// this function. If a subpath cannot be operated on with a safe "/proc"
+// handle, then [OpenUnsafeProcRoot] will be called internally and a temporary
+// unsafe handle will be used.
+func OpenProcRoot() (*Handle, error) {
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenUnsafeProcRoot opens a handle to "/proc" without any overmounts or
+// masked paths. You must be extremely careful to make sure this handle is
+// never leaked to a container and that you program cannot be tricked into
+// writing to arbitrary paths within it.
+//
+// This is not necessary if you just wish to use [Handle.OpenRoot], as handles
+// returned by [OpenProcRoot] will fall back to using a *temporary* unsafe
+// handle in that case. You should only really use this if you need to do many
+// operations with [Handle.OpenRoot] and the performance overhead of making
+// many procfs handles is an issue. If you do use OpenUnsafeProcRoot, you
+// should make sure to close the handle as soon as possible to avoid
+// known-fd-number attacks.
+func OpenUnsafeProcRoot() (*Handle, error) {
+	proc, err := procfs.OpenUnsafeProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	return &Handle{inner: proc}, nil
+}
+
+// OpenThreadSelf returns a handle to "/proc/thread-self/<subpath>" (or an
+// equivalent handle on older kernels where "/proc/thread-self" doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// ([runtime.UnlockOSThread]). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// [runtime.UnlockOSThread]: https://pkg.go.dev/runtime#UnlockOSThread
+func (proc *Handle) OpenThreadSelf(subpath string) (*os.File, ProcThreadSelfCloser, error) {
+	return proc.inner.OpenThreadSelf(subpath)
+}
+
+// OpenSelf returns a handle to /proc/self/<subpath>.
+//
+// Note that in Go programs with non-homogenous threads, this may result in
+// spurious errors. If you are monkeying around with APIs that are
+// thread-specific, you probably want to use [Handle.OpenThreadSelf] instead
+// which will guarantee that the handle refers to the same thread as the caller
+// is executing on.
+func (proc *Handle) OpenSelf(subpath string) (*os.File, error) {
+	return proc.inner.OpenSelf(subpath)
+}
+
+// OpenRoot returns a handle to /proc/<subpath>.
+//
+// You should only use this when you need to operate on global procfs files
+// (such as sysctls in /proc/sys). Unlike [Handle.OpenThreadSelf],
+// [Handle.OpenSelf], and [Handle.OpenPid], the procfs handle used internally
+// for this operation will never use "subset=pid", which makes it a more juicy
+// target for [CVE-2024-21626]-style attacks (and doing something like opening
+// a directory with OpenRoot effectively leaks [OpenUnsafeProcRoot] as long as
+// the file descriptor is open).
+//
+// [CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
+func (proc *Handle) OpenRoot(subpath string) (*os.File, error) {
+	return proc.inner.OpenRoot(subpath)
+}
+
+// OpenPid returns a handle to /proc/$pid/<subpath> (pid can be a pid or tid).
+// This is mainly intended for usage when operating on other processes.
+//
+// You should not use this for the current thread, as special handling is
+// needed for /proc/thread-self (or /proc/self/task/<tid>) when dealing with
+// goroutine scheduling -- use [Handle.OpenThreadSelf] instead.
+//
+// To refer to the current thread-group, you should use prefer
+// [Handle.OpenSelf] to passing os.Getpid as the pid argument.
+func (proc *Handle) OpenPid(pid int, subpath string) (*os.File, error) {
+	return proc.inner.OpenPid(pid, subpath)
+}
+
+// ProcSelfFdReadlink gets the real path of the given file by looking at
+// /proc/self/fd/<fd> with [readlink]. It is effectively just shorthand for
+// something along the lines of:
+//
+//	proc, err := procfs.OpenProcRoot()
+//	if err != nil {
+//		return err
+//	}
+//	link, err := proc.OpenThreadSelf(fmt.Sprintf("fd/%d", f.Fd()))
+//	if err != nil {
+//		return err
+//	}
+//	defer link.Close()
+//	var buf [4096]byte
+//	n, err := unix.Readlinkat(int(link.Fd()), "", buf[:])
+//	if err != nil {
+//		return err
+//	}
+//	pathname := buf[:n]
+//
+// [readlink]: https://pkg.go.dev/golang.org/x/sys/unix#Readlinkat
+func ProcSelfFdReadlink(f *os.File) (string, error) {
+	return procfs.ProcSelfFdReadlink(f)
+}
diff --git a/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
deleted file mode 100644
index 809a579cbdbb1..0000000000000
--- a/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
+++ /dev/null
@@ -1,452 +0,0 @@
-//go:build linux
-
-// Copyright (C) 2024 SUSE LLC. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package securejoin
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"runtime"
-	"strconv"
-
-	"golang.org/x/sys/unix"
-)
-
-func fstat(f *os.File) (unix.Stat_t, error) {
-	var stat unix.Stat_t
-	if err := unix.Fstat(int(f.Fd()), &stat); err != nil {
-		return stat, &os.PathError{Op: "fstat", Path: f.Name(), Err: err}
-	}
-	return stat, nil
-}
-
-func fstatfs(f *os.File) (unix.Statfs_t, error) {
-	var statfs unix.Statfs_t
-	if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil {
-		return statfs, &os.PathError{Op: "fstatfs", Path: f.Name(), Err: err}
-	}
-	return statfs, nil
-}
-
-// The kernel guarantees that the root inode of a procfs mount has an
-// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
-const (
-	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
-	procRootIno    = 1      // PROC_ROOT_INO
-)
-
-func verifyProcRoot(procRoot *os.File) error {
-	if statfs, err := fstatfs(procRoot); err != nil {
-		return err
-	} else if statfs.Type != procSuperMagic {
-		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
-	}
-	if stat, err := fstat(procRoot); err != nil {
-		return err
-	} else if stat.Ino != procRootIno {
-		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
-	}
-	return nil
-}
-
-var hasNewMountApi = sync_OnceValue(func() bool {
-	// All of the pieces of the new mount API we use (fsopen, fsconfig,
-	// fsmount, open_tree) were added together in Linux 5.1[1,2], so we can
-	// just check for one of the syscalls and the others should also be
-	// available.
-	//
-	// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
-	// This is equivalent to openat(2), but tells us if open_tree is
-	// available (and thus all of the other basic new mount API syscalls).
-	// open_tree(2) is most light-weight syscall to test here.
-	//
-	// [1]: merge commit 400913252d09
-	// [2]: <https://lore.kernel.org/lkml/153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk/>
-	fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
-	if err != nil {
-		return false
-	}
-	_ = unix.Close(fd)
-	return true
-})
-
-func fsopen(fsName string, flags int) (*os.File, error) {
-	// Make sure we always set O_CLOEXEC.
-	flags |= unix.FSOPEN_CLOEXEC
-	fd, err := unix.Fsopen(fsName, flags)
-	if err != nil {
-		return nil, os.NewSyscallError("fsopen "+fsName, err)
-	}
-	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
-}
-
-func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) {
-	// Make sure we always set O_CLOEXEC.
-	flags |= unix.FSMOUNT_CLOEXEC
-	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
-	if err != nil {
-		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
-	}
-	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
-}
-
-func newPrivateProcMount() (*os.File, error) {
-	procfsCtx, err := fsopen("proc", unix.FSOPEN_CLOEXEC)
-	if err != nil {
-		return nil, err
-	}
-	defer procfsCtx.Close()
-
-	// Try to configure hidepid=ptraceable,subset=pid if possible, but ignore errors.
-	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
-	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
-
-	// Get an actual handle.
-	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
-		return nil, os.NewSyscallError("fsconfig create procfs", err)
-	}
-	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
-}
-
-func openTree(dir *os.File, path string, flags uint) (*os.File, error) {
-	dirFd := -int(unix.EBADF)
-	dirName := "."
-	if dir != nil {
-		dirFd = int(dir.Fd())
-		dirName = dir.Name()
-	}
-	// Make sure we always set O_CLOEXEC.
-	flags |= unix.OPEN_TREE_CLOEXEC
-	fd, err := unix.OpenTree(dirFd, path, flags)
-	if err != nil {
-		return nil, &os.PathError{Op: "open_tree", Path: path, Err: err}
-	}
-	return os.NewFile(uintptr(fd), dirName+"/"+path), nil
-}
-
-func clonePrivateProcMount() (_ *os.File, Err error) {
-	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
-	// we can be sure there are no over-mounts and so if the root is valid then
-	// we're golden. Otherwise, we have to deal with over-mounts.
-	procfsHandle, err := openTree(nil, "/proc", unix.OPEN_TREE_CLONE)
-	if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procfsHandle) {
-		procfsHandle, err = openTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
-	}
-	defer func() {
-		if Err != nil {
-			_ = procfsHandle.Close()
-		}
-	}()
-	if err := verifyProcRoot(procfsHandle); err != nil {
-		return nil, err
-	}
-	return procfsHandle, nil
-}
-
-func privateProcRoot() (*os.File, error) {
-	if !hasNewMountApi() || hookForceGetProcRootUnsafe() {
-		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
-	}
-	// Try to create a new procfs mount from scratch if we can. This ensures we
-	// can get a procfs mount even if /proc is fake (for whatever reason).
-	procRoot, err := newPrivateProcMount()
-	if err != nil || hookForcePrivateProcRootOpenTree(procRoot) {
-		// Try to clone /proc then...
-		procRoot, err = clonePrivateProcMount()
-	}
-	return procRoot, err
-}
-
-func unsafeHostProcRoot() (_ *os.File, Err error) {
-	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
-	if err != nil {
-		return nil, err
-	}
-	defer func() {
-		if Err != nil {
-			_ = procRoot.Close()
-		}
-	}()
-	if err := verifyProcRoot(procRoot); err != nil {
-		return nil, err
-	}
-	return procRoot, nil
-}
-
-func doGetProcRoot() (*os.File, error) {
-	procRoot, err := privateProcRoot()
-	if err != nil {
-		// Fall back to using a /proc handle if making a private mount failed.
-		// If we have openat2, at least we can avoid some kinds of over-mount
-		// attacks, but without openat2 there's not much we can do.
-		procRoot, err = unsafeHostProcRoot()
-	}
-	return procRoot, err
-}
-
-var getProcRoot = sync_OnceValues(func() (*os.File, error) {
-	return doGetProcRoot()
-})
-
-var hasProcThreadSelf = sync_OnceValue(func() bool {
-	return unix.Access("/proc/thread-self/", unix.F_OK) == nil
-})
-
-var errUnsafeProcfs = errors.New("unsafe procfs detected")
-
-type procThreadSelfCloser func()
-
-// procThreadSelf returns a handle to /proc/thread-self/<subpath> (or an
-// equivalent handle on older kernels where /proc/thread-self doesn't exist).
-// Once finished with the handle, you must call the returned closer function
-// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
-// Go threads or use the handle after calling the closer.
-//
-// This is similar to ProcThreadSelf from runc, but with extra hardening
-// applied and using *os.File.
-func procThreadSelf(procRoot *os.File, subpath string) (_ *os.File, _ procThreadSelfCloser, Err error) {
-	// We need to lock our thread until the caller is done with the handle
-	// because between getting the handle and using it we could get interrupted
-	// by the Go runtime and hit the case where the underlying thread is
-	// swapped out and the original thread is killed, resulting in
-	// pull-your-hair-out-hard-to-debug issues in the caller.
-	runtime.LockOSThread()
-	defer func() {
-		if Err != nil {
-			runtime.UnlockOSThread()
-		}
-	}()
-
-	// Figure out what prefix we want to use.
-	threadSelf := "thread-self/"
-	if !hasProcThreadSelf() || hookForceProcSelfTask() {
-		/// Pre-3.17 kernels don't have /proc/thread-self, so do it manually.
-		threadSelf = "self/task/" + strconv.Itoa(unix.Gettid()) + "/"
-		if _, err := fstatatFile(procRoot, threadSelf, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() {
-			// In this case, we running in a pid namespace that doesn't match
-			// the /proc mount we have. This can happen inside runc.
-			//
-			// Unfortunately, there is no nice way to get the correct TID to
-			// use here because of the age of the kernel, so we have to just
-			// use /proc/self and hope that it works.
-			threadSelf = "self/"
-		}
-	}
-
-	// Grab the handle.
-	var (
-		handle *os.File
-		err    error
-	)
-	if hasOpenat2() {
-		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
-		// absolutely sure we are operating on a clean /proc handle that
-		// doesn't have any cheeky overmounts that could trick us (including
-		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
-		// strictly needed, but just use it since we have it.
-		//
-		// NOTE: /proc/self is technically a magic-link (the contents of the
-		//       symlink are generated dynamically), but it doesn't use
-		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
-		//
-		// NOTE: We MUST NOT use RESOLVE_IN_ROOT here, as openat2File uses
-		//       procSelfFdReadlink to clean up the returned f.Name() if we use
-		//       RESOLVE_IN_ROOT (which would lead to an infinite recursion).
-		handle, err = openat2File(procRoot, threadSelf+subpath, &unix.OpenHow{
-			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
-			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
-		})
-		if err != nil {
-			// TODO: Once we bump the minimum Go version to 1.20, we can use
-			// multiple %w verbs for this wrapping. For now we need to use a
-			// compatibility shim for older Go versions.
-			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
-			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
-		}
-	} else {
-		handle, err = openatFile(procRoot, threadSelf+subpath, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
-		if err != nil {
-			// TODO: Once we bump the minimum Go version to 1.20, we can use
-			// multiple %w verbs for this wrapping. For now we need to use a
-			// compatibility shim for older Go versions.
-			//err = fmt.Errorf("%w: %w", errUnsafeProcfs, err)
-			return nil, nil, wrapBaseError(err, errUnsafeProcfs)
-		}
-		defer func() {
-			if Err != nil {
-				_ = handle.Close()
-			}
-		}()
-		// We can't detect bind-mounts of different parts of procfs on top of
-		// /proc (a-la RESOLVE_NO_XDEV), but we can at least be sure that we
-		// aren't on the wrong filesystem here.
-		if statfs, err := fstatfs(handle); err != nil {
-			return nil, nil, err
-		} else if statfs.Type != procSuperMagic {
-			return nil, nil, fmt.Errorf("%w: incorrect /proc/self/fd filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
-		}
-	}
-	return handle, runtime.UnlockOSThread, nil
-}
-
-// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to
-// avoid bumping the requirement for a single constant we can just define it
-// ourselves.
-const STATX_MNT_ID_UNIQUE = 0x4000
-
-var hasStatxMountId = sync_OnceValue(func() bool {
-	var (
-		stx unix.Statx_t
-		// We don't care which mount ID we get. The kernel will give us the
-		// unique one if it is supported.
-		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
-	)
-	err := unix.Statx(-int(unix.EBADF), "/", 0, int(wantStxMask), &stx)
-	return err == nil && stx.Mask&wantStxMask != 0
-})
-
-func getMountId(dir *os.File, path string) (uint64, error) {
-	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
-	if !hasStatxMountId() {
-		return 0, nil
-	}
-
-	var (
-		stx unix.Statx_t
-		// We don't care which mount ID we get. The kernel will give us the
-		// unique one if it is supported.
-		wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
-	)
-
-	err := unix.Statx(int(dir.Fd()), path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, int(wantStxMask), &stx)
-	if stx.Mask&wantStxMask == 0 {
-		// It's not a kernel limitation, for some reason we couldn't get a
-		// mount ID. Assume it's some kind of attack.
-		err = fmt.Errorf("%w: could not get mount id", errUnsafeProcfs)
-	}
-	if err != nil {
-		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: dir.Name() + "/" + path, Err: err}
-	}
-	return stx.Mnt_id, nil
-}
-
-func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
-	// Get the mntId of our procfs handle.
-	expectedMountId, err := getMountId(procRoot, "")
-	if err != nil {
-		return err
-	}
-	// Get the mntId of the target magic-link.
-	gotMountId, err := getMountId(dir, path)
-	if err != nil {
-		return err
-	}
-	// As long as the directory mount is alive, even with wrapping mount IDs,
-	// we would expect to see a different mount ID here. (Of course, if we're
-	// using unsafeHostProcRoot() then an attaker could change this after we
-	// did this check.)
-	if expectedMountId != gotMountId {
-		return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountId, gotMountId)
-	}
-	return nil
-}
-
-func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {
-	fdPath := fmt.Sprintf("fd/%d", fd)
-	procFdLink, closer, err := procThreadSelf(procRoot, fdPath)
-	if err != nil {
-		return "", fmt.Errorf("get safe /proc/thread-self/%s handle: %w", fdPath, err)
-	}
-	defer procFdLink.Close()
-	defer closer()
-
-	// Try to detect if there is a mount on top of the magic-link. Since we use the handle directly
-	// provide to the closure. If the closure uses the handle directly, this
-	// should be safe in general (a mount on top of the path afterwards would
-	// not affect the handle itself) and will definitely be safe if we are
-	// using privateProcRoot() (at least since Linux 5.12[1], when anonymous
-	// mount namespaces were completely isolated from external mounts including
-	// mount propagation events).
-	//
-	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
-	// onto targets that reside on shared mounts").
-	if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {
-		return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)
-	}
-
-	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
-	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
-	// relative pathnames").
-	return readlinkatFile(procFdLink, "")
-}
-
-func rawProcSelfFdReadlink(fd int) (string, error) {
-	procRoot, err := getProcRoot()
-	if err != nil {
-		return "", err
-	}
-	return doRawProcSelfFdReadlink(procRoot, fd)
-}
-
-func procSelfFdReadlink(f *os.File) (string, error) {
-	return rawProcSelfFdReadlink(int(f.Fd()))
-}
-
-var (
-	errPossibleBreakout = errors.New("possible breakout detected")
-	errInvalidDirectory = errors.New("wandered into deleted directory")
-	errDeletedInode     = errors.New("cannot verify path of deleted inode")
-)
-
-func isDeadInode(file *os.File) error {
-	// If the nlink of a file drops to 0, there is an attacker deleting
-	// directories during our walk, which could result in weird /proc values.
-	// It's better to error out in this case.
-	stat, err := fstat(file)
-	if err != nil {
-		return fmt.Errorf("check for dead inode: %w", err)
-	}
-	if stat.Nlink == 0 {
-		err := errDeletedInode
-		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
-			err = errInvalidDirectory
-		}
-		return fmt.Errorf("%w %q", err, file.Name())
-	}
-	return nil
-}
-
-func checkProcSelfFdPath(path string, file *os.File) error {
-	if err := isDeadInode(file); err != nil {
-		return err
-	}
-	actualPath, err := procSelfFdReadlink(file)
-	if err != nil {
-		return fmt.Errorf("get path of handle: %w", err)
-	}
-	if actualPath != path {
-		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", errPossibleBreakout, actualPath, path)
-	}
-	return nil
-}
-
-// Test hooks used in the procfs tests to verify that the fallback logic works.
-// See testing_mocks_linux_test.go and procfs_linux_test.go for more details.
-var (
-	hookForcePrivateProcRootOpenTree            = hookDummyFile
-	hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile
-	hookForceGetProcRootUnsafe                  = hookDummy
-
-	hookForceProcSelfTask = hookDummy
-	hookForceProcSelf     = hookDummy
-)
-
-func hookDummy() bool               { return false }
-func hookDummyFile(_ *os.File) bool { return false }
diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
index 36373f8c51734..4d89a481ca799 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/vfs.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
 // Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
diff --git a/vendor/github.com/go-logr/logr/.golangci.yaml b/vendor/github.com/go-logr/logr/.golangci.yaml
index 0cffafa7bf94b..0ed62c1a180d5 100644
--- a/vendor/github.com/go-logr/logr/.golangci.yaml
+++ b/vendor/github.com/go-logr/logr/.golangci.yaml
@@ -1,26 +1,28 @@
+version: "2"
+
 run:
   timeout: 1m
   tests: true
 
 linters:
-  disable-all: true
-  enable:
+  default: none
+  enable: # please keep this alphabetized
+    - asasalint
     - asciicheck
+    - copyloopvar
+    - dupl
     - errcheck
     - forcetypeassert
+    - goconst
     - gocritic
-    - gofmt
-    - goimports
-    - gosimple
     - govet
     - ineffassign
     - misspell
+    - musttag
     - revive
     - staticcheck
-    - typecheck
     - unused
 
 issues:
-  exclude-use-default: false
   max-issues-per-linter: 0
   max-same-issues: 10
diff --git a/vendor/github.com/go-logr/logr/funcr/funcr.go b/vendor/github.com/go-logr/logr/funcr/funcr.go
index 30568e768dce9..b22c57d7137b6 100644
--- a/vendor/github.com/go-logr/logr/funcr/funcr.go
+++ b/vendor/github.com/go-logr/logr/funcr/funcr.go
@@ -77,7 +77,7 @@ func newSink(fn func(prefix, args string), formatter Formatter) logr.LogSink {
 		write:     fn,
 	}
 	// For skipping fnlogger.Info and fnlogger.Error.
-	l.Formatter.AddCallDepth(1)
+	l.AddCallDepth(1) // via Formatter
 	return l
 }
 
@@ -164,17 +164,17 @@ type fnlogger struct {
 }
 
 func (l fnlogger) WithName(name string) logr.LogSink {
-	l.Formatter.AddName(name)
+	l.AddName(name) // via Formatter
 	return &l
 }
 
 func (l fnlogger) WithValues(kvList ...any) logr.LogSink {
-	l.Formatter.AddValues(kvList)
+	l.AddValues(kvList) // via Formatter
 	return &l
 }
 
 func (l fnlogger) WithCallDepth(depth int) logr.LogSink {
-	l.Formatter.AddCallDepth(depth)
+	l.AddCallDepth(depth) // via Formatter
 	return &l
 }
 
diff --git a/vendor/github.com/google/cadvisor/cache/memory/memory.go b/vendor/github.com/google/cadvisor/cache/memory/memory.go
index e30b30fc9e6cf..a43e1b442e05d 100644
--- a/vendor/github.com/google/cadvisor/cache/memory/memory.go
+++ b/vendor/github.com/google/cadvisor/cache/memory/memory.go
@@ -29,38 +29,6 @@ import (
 // ErrDataNotFound is the error resulting if failed to find a container in memory cache.
 var ErrDataNotFound = errors.New("unable to find data in memory cache")
 
-// containerCacheMap is a typed wrapper around sync.Map that eliminates the need
-// for type assertions at every call site. It stores container name strings
-// mapped to *containerCache values.
-type containerCacheMap struct {
-	m sync.Map
-}
-
-// Load retrieves a container cache by name. Returns nil, false if not found.
-func (c *containerCacheMap) Load(name string) (*containerCache, bool) {
-	v, ok := c.m.Load(name)
-	if !ok {
-		return nil, false
-	}
-	return v.(*containerCache), true
-}
-
-// Store saves a container cache with the given name.
-func (c *containerCacheMap) Store(name string, cache *containerCache) {
-	c.m.Store(name, cache)
-}
-
-// LoadOrStore returns the existing cache if present, otherwise stores and returns the given one.
-func (c *containerCacheMap) LoadOrStore(name string, cache *containerCache) (*containerCache, bool) {
-	v, loaded := c.m.LoadOrStore(name, cache)
-	return v.(*containerCache), loaded
-}
-
-// Delete removes a container cache by name.
-func (c *containerCacheMap) Delete(name string) {
-	c.m.Delete(name)
-}
-
 // TODO(vmarmol): See about refactoring this class, we have an unnecessary redirection of containerCache and InMemoryCache.
 // containerCache is used to store per-container information
 type containerCache struct {
@@ -99,18 +67,24 @@ func newContainerStore(ref info.ContainerReference, maxAge time.Duration) *conta
 }
 
 type InMemoryCache struct {
-	containerCacheMap containerCacheMap
+	lock              sync.RWMutex
+	containerCacheMap map[string]*containerCache
 	maxAge            time.Duration
 	backend           []storage.StorageDriver
 }
 
 func (c *InMemoryCache) AddStats(cInfo *info.ContainerInfo, stats *info.ContainerStats) error {
-	name := cInfo.ContainerReference.Name
-	cstore, ok := c.containerCacheMap.Load(name)
-	if !ok {
-		newStore := newContainerStore(cInfo.ContainerReference, c.maxAge)
-		cstore, _ = c.containerCacheMap.LoadOrStore(name, newStore)
-	}
+	var cstore *containerCache
+	var ok bool
+
+	func() {
+		c.lock.Lock()
+		defer c.lock.Unlock()
+		if cstore, ok = c.containerCacheMap[cInfo.ContainerReference.Name]; !ok {
+			cstore = newContainerStore(cInfo.ContainerReference, c.maxAge)
+			c.containerCacheMap[cInfo.ContainerReference.Name] = cstore
+		}
+	}()
 
 	for _, backend := range c.backend {
 		// TODO(monnand): To deal with long delay write operations, we
@@ -124,20 +98,34 @@ func (c *InMemoryCache) AddStats(cInfo *info.ContainerInfo, stats *info.Containe
 }
 
 func (c *InMemoryCache) RecentStats(name string, start, end time.Time, maxStats int) ([]*info.ContainerStats, error) {
-	cstore, ok := c.containerCacheMap.Load(name)
-	if !ok {
-		return nil, ErrDataNotFound
+	var cstore *containerCache
+	var ok bool
+	err := func() error {
+		c.lock.RLock()
+		defer c.lock.RUnlock()
+		if cstore, ok = c.containerCacheMap[name]; !ok {
+			return ErrDataNotFound
+		}
+		return nil
+	}()
+	if err != nil {
+		return nil, err
 	}
+
 	return cstore.RecentStats(start, end, maxStats)
 }
 
 func (c *InMemoryCache) Close() error {
-	c.containerCacheMap = containerCacheMap{}
+	c.lock.Lock()
+	c.containerCacheMap = make(map[string]*containerCache, 32)
+	c.lock.Unlock()
 	return nil
 }
 
 func (c *InMemoryCache) RemoveContainer(containerName string) error {
-	c.containerCacheMap.Delete(containerName)
+	c.lock.Lock()
+	delete(c.containerCacheMap, containerName)
+	c.lock.Unlock()
 	return nil
 }
 
@@ -145,8 +133,10 @@ func New(
 	maxAge time.Duration,
 	backend []storage.StorageDriver,
 ) *InMemoryCache {
-	return &InMemoryCache{
-		maxAge:  maxAge,
-		backend: backend,
+	ret := &InMemoryCache{
+		containerCacheMap: make(map[string]*containerCache, 32),
+		maxAge:            maxAge,
+		backend:           backend,
 	}
+	return ret
 }
diff --git a/vendor/github.com/google/cadvisor/container/common/helpers.go b/vendor/github.com/google/cadvisor/container/common/helpers.go
index f5cbcbd4db937..ae8bb51622f1c 100644
--- a/vendor/github.com/google/cadvisor/container/common/helpers.go
+++ b/vendor/github.com/google/cadvisor/container/common/helpers.go
@@ -15,7 +15,9 @@
 package common
 
 import (
+	"errors"
 	"fmt"
+	"io/fs"
 	"math"
 	"os"
 	"path"
@@ -25,7 +27,6 @@ import (
 
 	"github.com/karrick/godirwalk"
 	"github.com/opencontainers/cgroups"
-	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
 
 	"github.com/google/cadvisor/container"
@@ -308,7 +309,7 @@ func listDirectories(dirpath string, parent string, recursive bool, output map[s
 	dirents, err := godirwalk.ReadDirents(dirpath, buf)
 	if err != nil {
 		// Ignore if this hierarchy does not exist.
-		if os.IsNotExist(errors.Cause(err)) {
+		if errors.Is(err, fs.ErrNotExist) {
 			err = nil
 		}
 		return err
diff --git a/vendor/github.com/google/cadvisor/container/containerd/factory.go b/vendor/github.com/google/cadvisor/container/containerd/factory.go
index d44abc4eac702..1688bd784510e 100644
--- a/vendor/github.com/google/cadvisor/container/containerd/factory.go
+++ b/vendor/github.com/google/cadvisor/container/containerd/factory.go
@@ -112,7 +112,8 @@ func (f *containerdFactory) CanHandleAndAccept(name string) (bool, bool, error)
 	id := ContainerNameToContainerdID(name)
 	// If container and task lookup in containerd fails then we assume
 	// that the container state is not known to containerd
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), connectionTimeout)
+	defer cancel()
 	_, err := f.client.LoadContainer(ctx, id)
 	if err != nil {
 		return false, false, fmt.Errorf("failed to load container: %v", err)
diff --git a/vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go b/vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go
index 6a66e69c5b934..9a4b52f38ba86 100644
--- a/vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go
+++ b/vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go
@@ -38,10 +38,10 @@
 package identifiers
 
 import (
+	"fmt"
 	"regexp"
 
 	"github.com/containerd/errdefs"
-	"github.com/pkg/errors"
 )
 
 const (
@@ -64,15 +64,15 @@ var (
 // In general identifiers that pass this validation should be safe for use as filesystem path components.
 func Validate(s string) error {
 	if len(s) == 0 {
-		return errors.Wrapf(errdefs.ErrInvalidArgument, "identifier must not be empty")
+		return fmt.Errorf("identifier must not be empty: %w", errdefs.ErrInvalidArgument)
 	}
 
 	if len(s) > maxLength {
-		return errors.Wrapf(errdefs.ErrInvalidArgument, "identifier %q greater than maximum length (%d characters)", s, maxLength)
+		return fmt.Errorf("identifier %q greater than maximum length (%d characters): %w", s, maxLength, errdefs.ErrInvalidArgument)
 	}
 
 	if !identifierRe.MatchString(s) {
-		return errors.Wrapf(errdefs.ErrInvalidArgument, "identifier %q must match %v", s, identifierRe)
+		return fmt.Errorf("identifier %q must match %v: %w", s, identifierRe, errdefs.ErrInvalidArgument)
 	}
 	return nil
 }
diff --git a/vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go b/vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go
index 36c52d81dfdb9..a46c81cddd4a5 100644
--- a/vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go
+++ b/vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go
@@ -31,10 +31,10 @@ package namespaces
 
 import (
 	"context"
+	"fmt"
 	"os"
 
 	"github.com/containerd/errdefs"
-	"github.com/pkg/errors"
 
 	"github.com/google/cadvisor/container/containerd/identifiers"
 )
@@ -83,10 +83,10 @@ func Namespace(ctx context.Context) (string, bool) {
 func NamespaceRequired(ctx context.Context) (string, error) {
 	namespace, ok := Namespace(ctx)
 	if !ok || namespace == "" {
-		return "", errors.Wrapf(errdefs.ErrFailedPrecondition, "namespace is required")
+		return "", fmt.Errorf("namespace is required: %w", errdefs.ErrFailedPrecondition)
 	}
 	if err := identifiers.Validate(namespace); err != nil {
-		return "", errors.Wrap(err, "namespace validation")
+		return "", fmt.Errorf("namespace validation: %w", err)
 	}
 	return namespace, nil
 }
diff --git a/vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go b/vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go
index b13208d6900b8..54ac0198aa8fb 100644
--- a/vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go
+++ b/vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go
@@ -31,10 +31,9 @@ package dialer
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"time"
-
-	"github.com/pkg/errors"
 )
 
 type dialResult struct {
@@ -87,6 +86,6 @@ func timeoutDialer(address string, timeout time.Duration) (net.Conn, error) {
 				dr.c.Close()
 			}
 		}()
-		return nil, errors.Errorf("dial %s: timeout", address)
+		return nil, fmt.Errorf("dial %s: timeout", address)
 	}
 }
diff --git a/vendor/github.com/google/cadvisor/manager/container.go b/vendor/github.com/google/cadvisor/manager/container.go
index 58700d116d021..9160aebae03fe 100644
--- a/vendor/github.com/google/cadvisor/manager/container.go
+++ b/vendor/github.com/google/cadvisor/manager/container.go
@@ -64,18 +64,6 @@ type containerInfo struct {
 	Spec          info.ContainerSpec
 }
 
-// atomicTime is a lock-free wrapper for storing and retrieving time values.
-// It stores time as Unix nanoseconds in an atomic.Int64, enabling concurrent
-// reads and writes without mutex contention.
-type atomicTime struct {
-	atomic.Int64
-}
-
-// Time returns the stored time value as a time.Time.
-func (t *atomicTime) Time() time.Time {
-	return time.Unix(0, t.Load())
-}
-
 type containerData struct {
 	oomEvents                uint64
 	handler                  container.ContainerHandler
@@ -89,8 +77,8 @@ type containerData struct {
 	housekeepingInterval     time.Duration
 	maxHousekeepingInterval  time.Duration
 	allowDynamicHousekeeping bool
-	infoLastUpdatedTime      atomicTime // Unix nano
-	statsLastUpdatedTime     atomicTime // Unix nano
+	infoLastUpdatedTime      time.Time
+	statsLastUpdatedTime     time.Time
 	lastErrorTime            time.Time
 	//  used to track time
 	clock clock.Clock
@@ -157,7 +145,9 @@ func (cd *containerData) allowErrorLogging() bool {
 // periodic housekeeping to reset.  This should be used sparingly, as calling OnDemandHousekeeping frequently
 // can have serious performance costs.
 func (cd *containerData) OnDemandHousekeeping(maxAge time.Duration) {
-	timeSinceStatsLastUpdate := cd.clock.Since(cd.statsLastUpdatedTime.Time())
+	cd.lock.Lock()
+	timeSinceStatsLastUpdate := cd.clock.Since(cd.statsLastUpdatedTime)
+	cd.lock.Unlock()
 	if timeSinceStatsLastUpdate > maxAge {
 		housekeepingFinishedChan := make(chan struct{})
 		cd.onDemandChan <- housekeepingFinishedChan
@@ -182,7 +172,7 @@ func (cd *containerData) notifyOnDemand() {
 
 func (cd *containerData) GetInfo(shouldUpdateSubcontainers bool) (*containerInfo, error) {
 	// Get spec and subcontainers.
-	if cd.clock.Since(cd.infoLastUpdatedTime.Time()) > 5*time.Second || shouldUpdateSubcontainers {
+	if cd.clock.Since(cd.infoLastUpdatedTime) > 5*time.Second || shouldUpdateSubcontainers {
 		err := cd.updateSpec()
 		if err != nil {
 			return nil, err
@@ -193,7 +183,7 @@ func (cd *containerData) GetInfo(shouldUpdateSubcontainers bool) (*containerInfo
 				return nil, err
 			}
 		}
-		cd.infoLastUpdatedTime.Store(cd.clock.Now().UnixNano())
+		cd.infoLastUpdatedTime = cd.clock.Now()
 	}
 	cd.lock.Lock()
 	defer cd.lock.Unlock()
@@ -604,7 +594,9 @@ func (cd *containerData) housekeepingTick(timer <-chan time.Time, longHousekeepi
 		klog.V(3).Infof("[%s] Housekeeping took %s", cd.info.Name, duration)
 	}
 	cd.notifyOnDemand()
-	cd.statsLastUpdatedTime.Store(cd.clock.Now().UnixNano())
+	cd.lock.Lock()
+	defer cd.lock.Unlock()
+	cd.statsLastUpdatedTime = cd.clock.Now()
 	return true
 }
 
@@ -732,7 +724,7 @@ func (cd *containerData) updateStats() error {
 		return statsErr
 	}
 	if perfStatsErr != nil {
-		klog.Errorf("error occurred while collecting perf stats for container %s: %s", cInfo.Name, err)
+		klog.Errorf("error occurred while collecting perf stats for container %s: %s", cInfo.Name, perfStatsErr)
 		return perfStatsErr
 	}
 	if resctrlStatsErr != nil {
diff --git a/vendor/github.com/google/cadvisor/manager/manager.go b/vendor/github.com/google/cadvisor/manager/manager.go
index ca16405d4abae..e5f69e7c44999 100644
--- a/vendor/github.com/google/cadvisor/manager/manager.go
+++ b/vendor/github.com/google/cadvisor/manager/manager.go
@@ -191,6 +191,7 @@ func New(memoryCache *memory.InMemoryCache, sysfs sysfs.SysFs, HousekeepingConfi
 	eventsChannel := make(chan watcher.ContainerEvent, 16)
 
 	newManager := &manager{
+		containers:                            make(map[namespacedContainerName]*containerData),
 		quitChannels:                          make([]chan error, 0, 2),
 		memoryCache:                           memoryCache,
 		fsInfo:                                fsInfo,
@@ -244,40 +245,9 @@ type namespacedContainerName struct {
 	Name string
 }
 
-// containerMap is a type-safe wrapper around sync.Map for storing containerData
-// keyed by namespacedContainerName.
-type containerMap struct {
-	m sync.Map
-}
-
-// Load returns the containerData for the given name, or nil if not found.
-func (c *containerMap) Load(name namespacedContainerName) (*containerData, bool) {
-	v, ok := c.m.Load(name)
-	if !ok {
-		return nil, false
-	}
-	return v.(*containerData), true
-}
-
-// Store stores the containerData for the given name.
-func (c *containerMap) Store(name namespacedContainerName, data *containerData) {
-	c.m.Store(name, data)
-}
-
-// Delete removes the containerData for the given name.
-func (c *containerMap) Delete(name namespacedContainerName) {
-	c.m.Delete(name)
-}
-
-// Range calls f for each container in the map. If f returns false, iteration stops.
-func (c *containerMap) Range(f func(name namespacedContainerName, data *containerData) bool) {
-	c.m.Range(func(key, value any) bool {
-		return f(key.(namespacedContainerName), value.(*containerData))
-	})
-}
-
 type manager struct {
-	containers               containerMap
+	containers               map[namespacedContainerName]*containerData
+	containersLock           sync.RWMutex
 	memoryCache              *memory.InMemoryCache
 	fsInfo                   fs.FsInfo
 	sysFs                    sysfs.SysFs
@@ -393,14 +363,10 @@ func (m *manager) Stop() error {
 }
 
 func (m *manager) destroyCollectors() {
-	m.containers.Range(func(_ namespacedContainerName, container *containerData) bool {
-		if container == nil {
-			return true
-		}
+	for _, container := range m.containers {
 		container.perfCollector.Destroy()
 		container.resctrlCollector.Destroy()
-		return true
-	})
+	}
 }
 
 func (m *manager) updateMachineInfo(quit chan error) {
@@ -459,8 +425,17 @@ func (m *manager) globalHousekeeping(quit chan error) {
 }
 
 func (m *manager) getContainerData(containerName string) (*containerData, error) {
-	// Ensure we have the container.
-	cont, ok := m.containers.Load(namespacedContainerName{Name: containerName})
+	var cont *containerData
+	var ok bool
+	func() {
+		m.containersLock.RLock()
+		defer m.containersLock.RUnlock()
+
+		// Ensure we have the container.
+		cont, ok = m.containers[namespacedContainerName{
+			Name: containerName,
+		}]
+	}()
 	if !ok {
 		return nil, fmt.Errorf("unknown container %q", containerName)
 	}
@@ -588,7 +563,9 @@ func (m *manager) containerDataToContainerInfo(cont *containerData, query *info.
 }
 
 func (m *manager) getContainer(containerName string) (*containerData, error) {
-	cont, ok := m.containers.Load(namespacedContainerName{Name: containerName})
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+	cont, ok := m.containers[namespacedContainerName{Name: containerName}]
 	if !ok {
 		return nil, fmt.Errorf("unknown container %q", containerName)
 	}
@@ -596,20 +573,21 @@ func (m *manager) getContainer(containerName string) (*containerData, error) {
 }
 
 func (m *manager) getSubcontainers(containerName string) map[string]*containerData {
-	matchedName := path.Join(containerName, "/")
-	containersMap := make(map[string]*containerData)
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+	containersMap := make(map[string]*containerData, len(m.containers))
 
 	// Get all the unique subcontainers of the specified container
-	m.containers.Range(func(_ namespacedContainerName, cont *containerData) bool {
-		if cont == nil {
-			return true
+	matchedName := path.Join(containerName, "/")
+	for i := range m.containers {
+		if m.containers[i] == nil {
+			continue
 		}
-		name := cont.info.Name
+		name := m.containers[i].info.Name
 		if name == containerName || strings.HasPrefix(name, matchedName) {
-			containersMap[name] = cont
+			containersMap[m.containers[i].info.Name] = m.containers[i]
 		}
-		return true
-	})
+	}
 	return containersMap
 }
 
@@ -624,18 +602,16 @@ func (m *manager) SubcontainersInfo(containerName string, query *info.ContainerI
 }
 
 func (m *manager) getAllNamespacedContainers(ns string) map[string]*containerData {
-	containers := make(map[string]*containerData)
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+	containers := make(map[string]*containerData, len(m.containers))
 
 	// Get containers in a namespace.
-	m.containers.Range(func(name namespacedContainerName, cont *containerData) bool {
-		if cont == nil {
-			return true
-		}
+	for name, cont := range m.containers {
 		if name.Namespace == ns {
 			containers[cont.info.Name] = cont
 		}
-		return true
-	})
+	}
 	return containers
 }
 
@@ -645,32 +621,30 @@ func (m *manager) AllDockerContainers(query *info.ContainerInfoRequest) (map[str
 }
 
 func (m *manager) namespacedContainer(containerName string, ns string) (*containerData, error) {
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+
 	// Check for the container in the namespace.
-	if cont, ok := m.containers.Load(namespacedContainerName{Namespace: ns, Name: containerName}); ok {
-		return cont, nil
-	}
+	cont, ok := m.containers[namespacedContainerName{
+		Namespace: ns,
+		Name:      containerName,
+	}]
 
 	// Look for container by short prefix name if no exact match found.
-	var cont *containerData
-	var err error
-	m.containers.Range(func(name namespacedContainerName, c *containerData) bool {
-		if name.Namespace == ns && strings.HasPrefix(name.Name, containerName) {
-			if cont == nil {
-				cont = c
-			} else {
-				err = fmt.Errorf("unable to find container in %q namespace. Container %q is not unique", ns, containerName)
-				return false // stop iteration
+	if !ok {
+		for contName, c := range m.containers {
+			if contName.Namespace == ns && strings.HasPrefix(contName.Name, containerName) {
+				if cont == nil {
+					cont = c
+				} else {
+					return nil, fmt.Errorf("unable to find container in %q namespace. Container %q is not unique", ns, containerName)
+				}
 			}
 		}
-		return true
-	})
-
-	if err != nil {
-		return nil, err
-	}
 
-	if cont == nil {
-		return nil, fmt.Errorf("unable to find container %q in %q namespace", containerName, ns)
+		if cont == nil {
+			return nil, fmt.Errorf("unable to find container %q in %q namespace", containerName, ns)
+		}
 	}
 
 	return cont, nil
@@ -863,7 +837,14 @@ func (m *manager) GetVersionInfo() (*info.VersionInfo, error) {
 }
 
 func (m *manager) Exists(containerName string) bool {
-	_, ok := m.containers.Load(namespacedContainerName{Name: containerName})
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+
+	namespacedName := namespacedContainerName{
+		Name: containerName,
+	}
+
+	_, ok := m.containers[namespacedName]
 	return ok
 }
 
@@ -923,12 +904,19 @@ func (m *manager) registerCollectors(collectorConfigs map[string]string, cont *c
 
 // Create a container.
 func (m *manager) createContainer(containerName string, watchSource watcher.ContainerWatchSource) error {
+	m.containersLock.Lock()
+	defer m.containersLock.Unlock()
+
+	return m.createContainerLocked(containerName, watchSource)
+}
+
+func (m *manager) createContainerLocked(containerName string, watchSource watcher.ContainerWatchSource) error {
 	namespacedName := namespacedContainerName{
 		Name: containerName,
 	}
 
 	// Check that the container didn't already exist.
-	if _, ok := m.containers.Load(namespacedName); ok {
+	if _, ok := m.containers[namespacedName]; ok {
 		return nil
 	}
 
@@ -965,9 +953,12 @@ func (m *manager) createContainer(containerName string, watchSource watcher.Cont
 	}
 
 	if m.includedMetrics.Has(container.ResctrlMetrics) {
+		m.machineMu.Lock()
+		noOfNUMA := len(m.machineInfo.Topology)
+		m.machineMu.Unlock()
 		cont.resctrlCollector, err = m.resctrlManager.GetCollector(containerName, func() ([]string, error) {
 			return cont.getContainerPids(m.inHostNamespace)
-		}, len(m.machineInfo.Topology))
+		}, noOfNUMA)
 		if err != nil {
 			klog.V(4).Infof("resctrl metrics will not be available for container %s: %s", cont.info.Name, err)
 		}
@@ -982,12 +973,12 @@ func (m *manager) createContainer(containerName string, watchSource watcher.Cont
 	}
 
 	// Add the container name and all its aliases. The aliases must be within the namespace of the factory.
-	m.containers.Store(namespacedName, cont)
+	m.containers[namespacedName] = cont
 	for _, alias := range cont.info.Aliases {
-		m.containers.Store(namespacedContainerName{
+		m.containers[namespacedContainerName{
 			Namespace: cont.info.Namespace,
 			Name:      alias,
-		}, cont)
+		}] = cont
 	}
 
 	klog.V(3).Infof("Added container: %q (aliases: %v, namespace: %q)", containerName, cont.info.Aliases, cont.info.Namespace)
@@ -1016,10 +1007,17 @@ func (m *manager) createContainer(containerName string, watchSource watcher.Cont
 }
 
 func (m *manager) destroyContainer(containerName string) error {
+	m.containersLock.Lock()
+	defer m.containersLock.Unlock()
+
+	return m.destroyContainerLocked(containerName)
+}
+
+func (m *manager) destroyContainerLocked(containerName string) error {
 	namespacedName := namespacedContainerName{
 		Name: containerName,
 	}
-	cont, ok := m.containers.Load(namespacedName)
+	cont, ok := m.containers[namespacedName]
 	if !ok {
 		// Already destroyed, done.
 		return nil
@@ -1032,9 +1030,9 @@ func (m *manager) destroyContainer(containerName string) error {
 	}
 
 	// Remove the container from our records (and all its aliases).
-	m.containers.Delete(namespacedName)
+	delete(m.containers, namespacedName)
 	for _, alias := range cont.info.Aliases {
-		m.containers.Delete(namespacedContainerName{
+		delete(m.containers, namespacedContainerName{
 			Namespace: cont.info.Namespace,
 			Name:      alias,
 		})
@@ -1061,7 +1059,11 @@ func (m *manager) destroyContainer(containerName string) error {
 // Detect all containers that have been added or deleted from the specified container.
 func (m *manager) getContainersDiff(containerName string) (added []info.ContainerReference, removed []info.ContainerReference, err error) {
 	// Get all subcontainers recursively.
-	cont, ok := m.containers.Load(namespacedContainerName{Name: containerName})
+	m.containersLock.RLock()
+	cont, ok := m.containers[namespacedContainerName{
+		Name: containerName,
+	}]
+	m.containersLock.RUnlock()
 	if !ok {
 		return nil, nil, fmt.Errorf("failed to find container %q while checking for new containers", containerName)
 	}
@@ -1072,23 +1074,24 @@ func (m *manager) getContainersDiff(containerName string) (added []info.Containe
 	}
 	allContainers = append(allContainers, info.ContainerReference{Name: containerName})
 
+	m.containersLock.RLock()
+	defer m.containersLock.RUnlock()
+
 	// Determine which were added and which were removed.
 	allContainersSet := make(map[string]*containerData)
-	m.containers.Range(func(name namespacedContainerName, cont *containerData) bool {
-		if cont == nil {
-			return true
-		}
+	for name, d := range m.containers {
 		// Only add the canonical name.
-		if cont.info.Name == name.Name {
-			allContainersSet[name.Name] = cont
+		if d.info.Name == name.Name {
+			allContainersSet[name.Name] = d
 		}
-		return true
-	})
+	}
 
 	// Added containers
 	for _, c := range allContainers {
 		delete(allContainersSet, c.Name)
-		_, ok := m.containers.Load(namespacedContainerName{Name: c.Name})
+		_, ok := m.containers[namespacedContainerName{
+			Name: c.Name,
+		}]
 		if !ok {
 			added = append(added, c)
 		}
@@ -1319,13 +1322,16 @@ func (m *manager) DebugInfo() map[string][]string {
 	debugInfo := container.DebugInfo()
 
 	// Get unique containers.
-	conts := make(map[*containerData]struct{})
-	m.containers.Range(func(_ namespacedContainerName, cont *containerData) bool {
-		if cont != nil {
-			conts[cont] = struct{}{}
+	var conts map[*containerData]struct{}
+	func() {
+		m.containersLock.RLock()
+		defer m.containersLock.RUnlock()
+
+		conts = make(map[*containerData]struct{}, len(m.containers))
+		for _, c := range m.containers {
+			conts[c] = struct{}{}
 		}
-		return true
-	})
+	}()
 
 	// List containers.
 	lines := make([]string, 0, len(conts))
diff --git a/vendor/github.com/onsi/ginkgo/v2/.gitignore b/vendor/github.com/onsi/ginkgo/v2/.gitignore
index 18793c248aac4..6faaaf31552cd 100644
--- a/vendor/github.com/onsi/ginkgo/v2/.gitignore
+++ b/vendor/github.com/onsi/ginkgo/v2/.gitignore
@@ -4,4 +4,5 @@ tmp/**/*
 *.coverprofile
 .vscode
 .idea/
-*.log
\ No newline at end of file
+*.log
+*.test
\ No newline at end of file
diff --git a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
index 3011efb57a760..0921794114790 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
@@ -1,3 +1,207 @@
+## 2.27.2
+
+### Fixes
+- inline automaxprocs to simplify dependencies; this will be removed when Go 1.26 comes out [a69113a]
+
+### Maintenance
+- Fix syntax errors and typo [a99c6e0]
+- Fix paragraph position error [f993df5]
+
+## 2.27.1
+
+### Fixes
+- Fix Ginkgo Reporter slice-bounds panic [606c1cb]
+- Bug Fix: Add GinkoTBWrapper.Attr() and GinkoTBWrapper.Output() [a6463b3]
+
+## 2.27.0
+
+### Features
+
+#### Transforming Nodes during Tree Construction
+
+This release adds support for `NodeArgsTransformer`s that can be registered with `AddTreeConstructionNodeArgsTransformer`.
+
+These are called during the tree construction phase as nodes are constructed and can modify the node strings and decorators.  This enables frameworks built on top of Ginkgo to modify Ginkgo nodes and enforce conventions.
+
+Learn more [here](https://onsi.github.io/ginkgo/#advanced-transforming-node-arguments-during-tree-construction).
+
+#### Spec Prioritization
+
+A new `SpecPriority(int)` decorator has been added.  Ginkgo will honor priority when ordering specs, ensuring that higher priority specs start running before lower priority specs
+
+Learn more [here](https://onsi.github.io/ginkgo/#prioritizing-specs).
+
+### Maintenance
+- Bump rexml from 3.4.0 to 3.4.2 in /docs (#1595) [1333dae]
+- Bump github.com/gkampitakis/go-snaps from 0.5.14 to 0.5.15 (#1600) [17ae63e]
+
+## 2.26.0
+
+### Features
+
+Ginkgo can now generate json-formatted reports that are compatible with the `go test` json format.  Use `ginkgo --gojson-report=report.go.json`.  This is not intended to be a replacement for Ginkgo's native json format which is more information rich and better models Ginkgo's test structure semantics.
+
+## 2.25.3
+
+### Fixes
+
+- emit --github-output group only for progress report itself [f01aed1]
+
+## 2.25.2
+
+### Fixes
+Add github output group for progress report content
+
+### Maintenance
+Bump Gomega
+
+## 2.25.1
+
+### Fixes
+- fix(types): ignore nameless nodes on FullText() [10866d3]
+- chore: fix some CodeQL warnings [2e42cff]
+
+## 2.25.0
+
+### `AroundNode`
+
+This release introduces a new decorator to support more complex spec setup usecases.
+
+`AroundNode` registers a function that runs before each individual node.  This is considered a more advanced decorator.
+
+Please read the [docs](https://onsi.github.io/ginkgo/#advanced-around-node) for more information and some examples.
+
+Allowed signatures:
+
+- `AroundNode(func())` - `func` will be called before the node is run.
+- `AroundNode(func(ctx context.Context) context.Context)` - `func` can wrap the passed in context and return a new one which will be passed on to the node.
+- `AroundNode(func(ctx context.Context, body func(ctx context.Context)))` - `ctx` is the context for the node and `body` is a function that must be called to run the node.  This gives you complete control over what runs before and after the node.
+
+Multiple `AroundNode` decorators can be applied to a single node and they will run in the order they are applied.
+
+Unlike setup nodes like `BeforeEach` and `DeferCleanup`, `AroundNode` is guaranteed to run in the same goroutine as the decorated node.  This is necessary when working with lower-level libraries that must run on a single thread (you can call `runtime.LockOSThread()` in the `AroundNode` to ensure that the node runs on a single thread).
+
+Since `AroundNode` allows you to modify the context you can also use `AroundNode` to implement shared setup that attaches values to the context.
+
+If applied to a container, `AroundNode` will run before every node in the container.  Including setup nodes like `BeforeEach` and `DeferCleanup`.
+
+`AroundNode` can also be applied to `RunSpecs` to run before every node in the suite.  This opens up new mechanisms for instrumenting individual nodes across an entire suite.
+
+## 2.24.0
+
+### Features
+
+Specs can now be decorated with (e.g.) `SemVerConstraint("2.1.0")` and `ginkgo --sem-ver-filter="2.1.1"` will only run constrained specs that match the requested version.  Learn more in the docs [here](https://onsi.github.io/ginkgo/#spec-semantic-version-filtering)!  Thanks to @Icarus9913 for the PR.
+
+### Fixes
+
+- remove -o from run command [3f5d379].  fixes [#1582](https://github.com/onsi/ginkgo/issues/1582)
+
+### Maintenance
+
+Numerous dependency bumps and documentation fixes
+
+## 2.23.4
+
+Prior to this release Ginkgo would compute the incorrect number of available CPUs when running with `-p` in a linux container.  Thanks to @emirot for the fix!
+
+### Features
+- Add automaxprocs for using CPUQuota [2b9c428]
+
+### Fixes
+- clarify gotchas about -vet flag [1f59d07]
+
+### Maintenance
+- bump dependencies [2d134d5]
+
+## 2.23.3
+
+### Fixes
+
+- allow `-` as a standalone argument [cfcc1a5]
+- Bug Fix: Add GinkoTBWrapper.Chdir() and GinkoTBWrapper.Context() [feaf292]
+- ignore exit code for symbol test on linux [88e2282]
+
+## 2.23.2
+
+🎉🎉🎉
+
+At long last, some long-standing performance gaps between `ginkgo` and `go test` have been resolved!
+
+Ginkgo operates by running `go test -c` to generate test binaries, and then running those binaries.  It turns out that the compilation step of `go test -c` is slower than `go test`'s compilation step because `go test` strips out debug symbols (`ldflags=-w`) whereas `go test -c` does not.
+
+Ginkgo now passes the appropriate `ldflags` to `go test -c` when running specs to strip out symbols.  This is only done when it is safe to do so and symbols are preferred when profiling is enabled and when `ginkgo build` is called explicitly.
+
+This, coupled, with the [instructions for disabling XProtect on MacOS](https://onsi.github.io/ginkgo/#if-you-are-running-on-macos) yields a much better performance experience with Ginkgo.
+
+## 2.23.1
+
+## 🚨 For users on MacOS 🚨
+
+A long-standing Ginkgo performance issue on MacOS seems to be due to mac's antimalware XProtect.  You can follow the instructions [here](https://onsi.github.io/ginkgo/#if-you-are-running-on-macos) to disable it in your terminal.  Doing so sped up Ginkgo's own test suite from 1m8s to 47s.
+
+### Fixes
+
+Ginkgo's CLI is now a bit clearer if you pass flags in incorrectly:
+
+- make it clearer that you need to pass a filename to the various profile flags, not an absolute directory [a0e52ff]
+- emit an error and exit if the ginkgo invocation includes flags after positional arguments [b799d8d]
+
+This might cause existing CI builds to fail.  If so then it's likely that your CI build was misconfigured and should be corrected.  Open an issue if you need help.
+
+## 2.23.0
+
+Ginkgo 2.23.0 adds a handful of methods to `GinkgoT()` to make it compatible with the `testing.TB` interface in Go 1.24.  `GinkgoT().Context()`, in particular, is a useful shorthand for generating a new context that will clean itself up in a `DeferCleanup()`.  This has subtle behavior differences from the golang implementation but should make sense in a Ginkgo... um... context.
+
+### Features
+- bump to go 1.24.0 - support new testing.TB methods and add a test to cover testing.TB regressions [37a511b]
+
+### Fixes
+- fix edge case where build -o is pointing at an explicit file, not a directory [7556a86]
+- Fix binary paths when precompiling multiple suites. [4df06c6]
+
+### Maintenance
+- Fix: Correct Markdown list rendering in MIGRATING_TO_V2.md [cbcf39a]
+- docs: fix test workflow badge (#1512) [9b261ff]
+- Bump golang.org/x/net in /integration/_fixtures/version_mismatch_fixture (#1516) [00f19c8]
+- Bump golang.org/x/tools from 0.28.0 to 0.30.0 (#1515) [e98a4df]
+- Bump activesupport from 6.0.6.1 to 6.1.7.5 in /docs (#1504) [60cc4e2]
+- Bump github-pages from 231 to 232 in /docs (#1447) [fea6f2d]
+- Bump rexml from 3.2.8 to 3.3.9 in /docs (#1497) [31d7813]
+- Bump webrick from 1.8.1 to 1.9.1 in /docs (#1501) [fc3bbd6]
+- Code linting (#1500) [aee0d56]
+- change interface{} to any (#1502) [809a710]
+
+## 2.22.2
+
+### Maintenance
+- Bump github.com/onsi/gomega from 1.36.1 to 1.36.2 (#1499) [cc553ce]
+- Bump golang.org/x/crypto (#1498) [2170370]
+- Bump golang.org/x/net from 0.32.0 to 0.33.0 (#1496) [a96c44f]
+
+## 2.22.1
+
+### Fixes
+Fix CSV encoding
+- Update tests [aab3da6]
+- Properly encode CSV rows [c09df39]
+- Add test case for proper csv escaping [96a80fc]
+- Add meta-test [43dad69]
+
+### Maintenance
+- ensure *.test files are gitignored so we don't accidentally commit compiled tests again [c88c634]
+- remove golang.org/x/net/context in favour of stdlib context [4df44bf]
+
+## 2.22.0
+
+### Features
+- Add label to serial nodes [0fcaa08]
+
+This allows serial tests to be filtered using the `label-filter`
+
+### Maintenance
+Various doc fixes
+
 ## 2.21.0
 
 
@@ -600,7 +804,7 @@ Ginkgo also uses this progress reporting infrastructure under the hood when hand
 ### Features
 - `BeforeSuite`, `AfterSuite`, `SynchronizedBeforeSuite`, `SynchronizedAfterSuite`, and `ReportAfterSuite` now support (the relevant subset of) decorators.  These can be passed in _after_ the callback functions that are usually passed into these nodes.
 
-  As a result the **signature of these methods has changed** and now includes a trailing `args ...interface{}`.  For most users simply using the DSL, this change is transparent.  However if you were assigning one of these functions to a custom variable (or passing it around) then your code may need to change to reflect the new signature.
+  As a result the **signature of these methods has changed** and now includes a trailing `args ...any`.  For most users simply using the DSL, this change is transparent.  However if you were assigning one of these functions to a custom variable (or passing it around) then your code may need to change to reflect the new signature.
 
 ### Maintenance
 - Modernize the invocation of Ginkgo in github actions [0ffde58]
@@ -1012,7 +1216,7 @@ New Features:
 - `ginkgo -tags=TAG_LIST` passes a list of tags down to the `go build` command.
 - `ginkgo --failFast` aborts the test suite after the first failure.
 - `ginkgo generate file_1 file_2` can take multiple file arguments.
-- Ginkgo now summarizes any spec failures that occurred at the end of the test run. 
+- Ginkgo now summarizes any spec failures that occurred at the end of the test run.
 - `ginkgo --randomizeSuites` will run tests *suites* in random order using the generated/passed-in seed.
 
 Improvements:
@@ -1046,7 +1250,7 @@ Bug Fixes:
 Breaking changes:
 
 - `thirdparty/gomocktestreporter` is gone.  Use `GinkgoT()` instead
-- Modified the Reporter interface 
+- Modified the Reporter interface
 - `watch` is now a subcommand, not a flag.
 
 DSL changes:
diff --git a/vendor/github.com/onsi/ginkgo/v2/README.md b/vendor/github.com/onsi/ginkgo/v2/README.md
index cb23ffdf6a87e..7b7ab9e39cbfc 100644
--- a/vendor/github.com/onsi/ginkgo/v2/README.md
+++ b/vendor/github.com/onsi/ginkgo/v2/README.md
@@ -1,6 +1,6 @@
 ![Ginkgo](https://onsi.github.io/ginkgo/images/ginkgo.png)
 
-[![test](https://github.com/onsi/ginkgo/workflows/test/badge.svg?branch=master)](https://github.com/onsi/ginkgo/actions?query=workflow%3Atest+branch%3Amaster) | [Ginkgo Docs](https://onsi.github.io/ginkgo/)
+[![test](https://github.com/onsi/ginkgo/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/onsi/ginkgo/actions?query=workflow%3Atest+branch%3Amaster) | [Ginkgo Docs](https://onsi.github.io/ginkgo/)
 
 ---
 
@@ -113,3 +113,13 @@ Ginkgo is MIT-Licensed
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+## Sponsors
+
+Sponsors commit to a [sponsorship](https://github.com/sponsors/onsi) for a year.  If you're an organization that makes use of Ginkgo please consider becoming a sponsor!
+
+<p style="font-size:21px; color:black;">Browser testing via 
+    <a href="https://www.lambdatest.com/" target="_blank">
+        <img src="https://www.lambdatest.com/blue-logo.png" style="vertical-align: middle;" width="250" height="45" />
+    </a>
+</p>
diff --git a/vendor/github.com/onsi/ginkgo/v2/core_dsl.go b/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
index a3e8237e938b3..7e165e4738229 100644
--- a/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/core_dsl.go
@@ -83,9 +83,9 @@ func exitIfErrors(errors []error) {
 type GinkgoWriterInterface interface {
 	io.Writer
 
-	Print(a ...interface{})
-	Printf(format string, a ...interface{})
-	Println(a ...interface{})
+	Print(a ...any)
+	Printf(format string, a ...any)
+	Println(a ...any)
 
 	TeeTo(writer io.Writer)
 	ClearTeeWriters()
@@ -186,6 +186,20 @@ func GinkgoLabelFilter() string {
 	return suiteConfig.LabelFilter
 }
 
+/*
+GinkgoSemVerFilter() returns the semantic version filter configured for this suite via `--sem-ver-filter`.
+
+You can use this to manually check if a set of semantic version constraints would satisfy the filter via:
+
+	if (SemVerConstraint("> 2.6.0", "< 2.8.0").MatchesSemVerFilter(GinkgoSemVerFilter())) {
+		//...
+	}
+*/
+func GinkgoSemVerFilter() string {
+	suiteConfig, _ := GinkgoConfiguration()
+	return suiteConfig.SemVerFilter
+}
+
 /*
 PauseOutputInterception() pauses Ginkgo's output interception.  This is only relevant
 when running in parallel and output to stdout/stderr is being intercepted.  You generally
@@ -243,7 +257,7 @@ for more on how specs are parallelized in Ginkgo.
 
 You can also pass suite-level Label() decorators to RunSpecs.  The passed-in labels will apply to all specs in the suite.
 */
-func RunSpecs(t GinkgoTestingT, description string, args ...interface{}) bool {
+func RunSpecs(t GinkgoTestingT, description string, args ...any) bool {
 	if suiteDidRun {
 		exitIfErr(types.GinkgoErrors.RerunningSuite())
 	}
@@ -254,7 +268,7 @@ func RunSpecs(t GinkgoTestingT, description string, args ...interface{}) bool {
 	}
 	defer global.PopClone()
 
-	suiteLabels := extractSuiteConfiguration(args)
+	suiteLabels, suiteSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
 
 	var reporter reporters.Reporter
 	if suiteConfig.ParallelTotal == 1 {
@@ -297,7 +311,7 @@ func RunSpecs(t GinkgoTestingT, description string, args ...interface{}) bool {
 	suitePath, err = filepath.Abs(suitePath)
 	exitIfErr(err)
 
-	passed, hasFocusedTests := global.Suite.Run(description, suiteLabels, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
+	passed, hasFocusedTests := global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
 	outputInterceptor.Shutdown()
 
 	flagSet.ValidateDeprecations(deprecationTracker)
@@ -316,8 +330,10 @@ func RunSpecs(t GinkgoTestingT, description string, args ...interface{}) bool {
 	return passed
 }
 
-func extractSuiteConfiguration(args []interface{}) Labels {
+func extractSuiteConfiguration(args []any) (Labels, SemVerConstraints, types.AroundNodes) {
 	suiteLabels := Labels{}
+	suiteSemVerConstraints := SemVerConstraints{}
+	aroundNodes := types.AroundNodes{}
 	configErrors := []error{}
 	for _, arg := range args {
 		switch arg := arg.(type) {
@@ -327,6 +343,10 @@ func extractSuiteConfiguration(args []interface{}) Labels {
 			reporterConfig = arg
 		case Labels:
 			suiteLabels = append(suiteLabels, arg...)
+		case SemVerConstraints:
+			suiteSemVerConstraints = append(suiteSemVerConstraints, arg...)
+		case types.AroundNodeDecorator:
+			aroundNodes = append(aroundNodes, arg)
 		default:
 			configErrors = append(configErrors, types.GinkgoErrors.UnknownTypePassedToRunSpecs(arg))
 		}
@@ -342,7 +362,7 @@ func extractSuiteConfiguration(args []interface{}) Labels {
 		os.Exit(1)
 	}
 
-	return suiteLabels
+	return suiteLabels, suiteSemVerConstraints, aroundNodes
 }
 
 func getwd() (string, error) {
@@ -365,7 +385,7 @@ func PreviewSpecs(description string, args ...any) Report {
 	}
 	defer global.PopClone()
 
-	suiteLabels := extractSuiteConfiguration(args)
+	suiteLabels, suiteSemVerConstraints, suiteAroundNodes := extractSuiteConfiguration(args)
 	priorDryRun, priorParallelTotal, priorParallelProcess := suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess
 	suiteConfig.DryRun, suiteConfig.ParallelTotal, suiteConfig.ParallelProcess = true, 1, 1
 	defer func() {
@@ -383,7 +403,7 @@ func PreviewSpecs(description string, args ...any) Report {
 	suitePath, err = filepath.Abs(suitePath)
 	exitIfErr(err)
 
-	global.Suite.Run(description, suiteLabels, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
+	global.Suite.Run(description, suiteLabels, suiteSemVerConstraints, suiteAroundNodes, suitePath, global.Failer, reporter, writer, outputInterceptor, interrupt_handler.NewInterruptHandler(client), client, internal.RegisterForProgressSignal, suiteConfig)
 
 	return global.Suite.GetPreviewReport()
 }
@@ -481,6 +501,38 @@ func pushNode(node internal.Node, errors []error) bool {
 	return true
 }
 
+// NodeArgsTransformer is a hook which is called by the test construction DSL methods
+// before creating the new node. If it returns any error, the test suite
+// prints those errors and exits. The text and arguments can be modified,
+// which includes directly changing the args slice that is passed in.
+// Arguments have been flattened already, i.e. none of the entries in args is another []any.
+// The result may be nested.
+//
+// The node type is provided for information and remains the same.
+//
+// The offset is valid for calling NewLocation directly in the
+// implementation of TransformNodeArgs to find the location where
+// the Ginkgo DSL function is called. An additional offset supplied
+// by the caller via args is already included.
+//
+// A NodeArgsTransformer can be registered with AddTreeConstructionNodeArgsTransformer.
+type NodeArgsTransformer func(nodeType types.NodeType, offset Offset, text string, args []any) (string, []any, []error)
+
+// AddTreeConstructionNodeArgsTransformer registers a NodeArgsTransformer.
+// Only nodes which get created after registering a NodeArgsTransformer
+// are transformed by it. The returned function can be called to
+// unregister the transformer.
+//
+// Both may only be called during the construction phase.
+//
+// If there is more than one registered transformer, then the most
+// recently added ones get called first.
+func AddTreeConstructionNodeArgsTransformer(transformer NodeArgsTransformer) func() {
+	// This conversion could be avoided with a type alias, but type aliases make
+	// developer documentation less useful.
+	return internal.AddTreeConstructionNodeArgsTransformer(internal.NodeArgsTransformer(transformer))
+}
+
 /*
 Describe nodes are Container nodes that allow you to organize your specs.  A Describe node's closure can contain any number of
 Setup nodes (e.g. BeforeEach, AfterEach, JustBeforeEach), and Subject nodes (i.e. It).
@@ -491,24 +543,24 @@ to Describe the behavior of an object or function and, within that Describe, out
 You can learn more at https://onsi.github.io/ginkgo/#organizing-specs-with-container-nodes
 In addition, container nodes can be decorated with a variety of decorators.  You can learn more here: https://onsi.github.io/ginkgo/#decorator-reference
 */
-func Describe(text string, args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+func Describe(text string, args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
 FDescribe focuses specs within the Describe block.
 */
-func FDescribe(text string, args ...interface{}) bool {
+func FDescribe(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
 PDescribe marks specs within the Describe block as pending.
 */
-func PDescribe(text string, args ...interface{}) bool {
+func PDescribe(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, text, args...)))
 }
 
 /*
@@ -521,21 +573,21 @@ var XDescribe = PDescribe
 /* Context is an alias for Describe - it generates the exact same kind of Container node */
 var Context, FContext, PContext, XContext = Describe, FDescribe, PDescribe, XDescribe
 
-/* When is an alias for Describe - it generates the exact same kind of Container node */
-func When(text string, args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+/* When is an alias for Describe - it generates the exact same kind of Container node with "when " as prefix for the text. */
+func When(text string, args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
-/* When is an alias for Describe - it generates the exact same kind of Container node */
-func FWhen(text string, args ...interface{}) bool {
+/* When is an alias for Describe - it generates the exact same kind of Container node with "when " as prefix for the text. */
+func FWhen(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
 /* When is an alias for Describe - it generates the exact same kind of Container node */
-func PWhen(text string, args ...interface{}) bool {
+func PWhen(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, "when "+text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, "when "+text, args...)))
 }
 
 var XWhen = PWhen
@@ -550,24 +602,24 @@ You can pass It nodes bare functions (func() {}) or functions that receive a Spe
 You can learn more at https://onsi.github.io/ginkgo/#spec-subjects-it
 In addition, subject nodes can be decorated with a variety of decorators.  You can learn more here: https://onsi.github.io/ginkgo/#decorator-reference
 */
-func It(text string, args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+func It(text string, args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
 FIt allows you to focus an individual It.
 */
-func FIt(text string, args ...interface{}) bool {
+func FIt(text string, args ...any) bool {
 	args = append(args, internal.Focus)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
 PIt allows you to mark an individual It as pending.
 */
-func PIt(text string, args ...interface{}) bool {
+func PIt(text string, args ...any) bool {
 	args = append(args, internal.Pending)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeIt, text, args...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeIt, text, args...)))
 }
 
 /*
@@ -611,10 +663,10 @@ BeforeSuite can take a func() body, or an interruptible func(SpecContext)/func(c
 You cannot nest any other Ginkgo nodes within a BeforeSuite node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#suite-setup-and-cleanup-beforesuite-and-aftersuite
 */
-func BeforeSuite(body interface{}, args ...interface{}) bool {
-	combinedArgs := []interface{}{body}
+func BeforeSuite(body any, args ...any) bool {
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -630,10 +682,10 @@ AfterSuite can take a func() body, or an interruptible func(SpecContext)/func(co
 You cannot nest any other Ginkgo nodes within an AfterSuite node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#suite-setup-and-cleanup-beforesuite-and-aftersuite
 */
-func AfterSuite(body interface{}, args ...interface{}) bool {
-	combinedArgs := []interface{}{body}
+func AfterSuite(body any, args ...any) bool {
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterSuite, "", combinedArgs...)))
 }
 
 /*
@@ -667,11 +719,11 @@ If either function receives a context.Context/SpecContext it is considered inter
 You cannot nest any other Ginkgo nodes within an SynchronizedBeforeSuite node's closure.
 You can learn more, and see some examples, here: https://onsi.github.io/ginkgo/#parallel-suite-setup-and-cleanup-synchronizedbeforesuite-and-synchronizedaftersuite
 */
-func SynchronizedBeforeSuite(process1Body interface{}, allProcessBody interface{}, args ...interface{}) bool {
-	combinedArgs := []interface{}{process1Body, allProcessBody}
+func SynchronizedBeforeSuite(process1Body any, allProcessBody any, args ...any) bool {
+	combinedArgs := []any{process1Body, allProcessBody}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeSynchronizedBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeSynchronizedBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -687,11 +739,11 @@ Note that you can also use DeferCleanup() in SynchronizedBeforeSuite to accompli
 You cannot nest any other Ginkgo nodes within an SynchronizedAfterSuite node's closure.
 You can learn more, and see some examples, here: https://onsi.github.io/ginkgo/#parallel-suite-setup-and-cleanup-synchronizedbeforesuite-and-synchronizedaftersuite
 */
-func SynchronizedAfterSuite(allProcessBody interface{}, process1Body interface{}, args ...interface{}) bool {
-	combinedArgs := []interface{}{allProcessBody, process1Body}
+func SynchronizedAfterSuite(allProcessBody any, process1Body any, args ...any) bool {
+	combinedArgs := []any{allProcessBody, process1Body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeSynchronizedAfterSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeSynchronizedAfterSuite, "", combinedArgs...)))
 }
 
 /*
@@ -703,8 +755,8 @@ BeforeEach can take a func() body, or an interruptible func(SpecContext)/func(co
 You cannot nest any other Ginkgo nodes within a BeforeEach node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#extracting-common-setup-beforeeach
 */
-func BeforeEach(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeEach, "", args...))
+func BeforeEach(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeEach, "", args...)))
 }
 
 /*
@@ -716,8 +768,8 @@ JustBeforeEach can take a func() body, or an interruptible func(SpecContext)/fun
 You cannot nest any other Ginkgo nodes within a JustBeforeEach node's closure.
 You can learn more and see some examples here: https://onsi.github.io/ginkgo/#separating-creation-and-configuration-justbeforeeach
 */
-func JustBeforeEach(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeJustBeforeEach, "", args...))
+func JustBeforeEach(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeJustBeforeEach, "", args...)))
 }
 
 /*
@@ -731,8 +783,8 @@ AfterEach can take a func() body, or an interruptible func(SpecContext)/func(con
 You cannot nest any other Ginkgo nodes within an AfterEach node's closure.
 You can learn more here: https://onsi.github.io/ginkgo/#spec-cleanup-aftereach-and-defercleanup
 */
-func AfterEach(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterEach, "", args...))
+func AfterEach(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterEach, "", args...)))
 }
 
 /*
@@ -743,8 +795,8 @@ JustAfterEach can take a func() body, or an interruptible func(SpecContext)/func
 You cannot nest any other Ginkgo nodes within a JustAfterEach node's closure.
 You can learn more and see some examples here: https://onsi.github.io/ginkgo/#separating-diagnostics-collection-and-teardown-justaftereach
 */
-func JustAfterEach(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeJustAfterEach, "", args...))
+func JustAfterEach(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeJustAfterEach, "", args...)))
 }
 
 /*
@@ -758,8 +810,8 @@ You cannot nest any other Ginkgo nodes within a BeforeAll node's closure.
 You can learn more about Ordered Containers at: https://onsi.github.io/ginkgo/#ordered-containers
 And you can learn more about BeforeAll at: https://onsi.github.io/ginkgo/#setup-in-ordered-containers-beforeall-and-afterall
 */
-func BeforeAll(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeBeforeAll, "", args...))
+func BeforeAll(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeBeforeAll, "", args...)))
 }
 
 /*
@@ -775,8 +827,8 @@ You cannot nest any other Ginkgo nodes within an AfterAll node's closure.
 You can learn more about Ordered Containers at: https://onsi.github.io/ginkgo/#ordered-containers
 And you can learn more about AfterAll at: https://onsi.github.io/ginkgo/#setup-in-ordered-containers-beforeall-and-afterall
 */
-func AfterAll(args ...interface{}) bool {
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeAfterAll, "", args...))
+func AfterAll(args ...any) bool {
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeAfterAll, "", args...)))
 }
 
 /*
@@ -818,7 +870,7 @@ When DeferCleanup is called in BeforeSuite, SynchronizedBeforeSuite, AfterSuite,
 Note that DeferCleanup does not represent a node but rather dynamically generates the appropriate type of cleanup node based on the context in which it is called.  As such you must call DeferCleanup within a Setup or Subject node, and not within a Container node.
 You can learn more about DeferCleanup here: https://onsi.github.io/ginkgo/#cleaning-up-our-cleanup-code-defercleanup
 */
-func DeferCleanup(args ...interface{}) {
+func DeferCleanup(args ...any) {
 	fail := func(message string, cl types.CodeLocation) {
 		global.Failer.Fail(message, cl)
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go b/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
index c65af4ce1cf97..e331d7cf8cdb1 100644
--- a/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go
@@ -2,6 +2,7 @@ package ginkgo
 
 import (
 	"github.com/onsi/ginkgo/v2/internal"
+	"github.com/onsi/ginkgo/v2/types"
 )
 
 /*
@@ -99,6 +100,23 @@ You can learn more here: https://onsi.github.io/ginkgo/#spec-labels
 */
 type Labels = internal.Labels
 
+/*
+SemVerConstraint decorates specs with SemVerConstraints. Multiple semantic version constraints can be passed to SemVerConstraint and these strings must follow the semantic version constraint rules.
+SemVerConstraints can be applied to container and subject nodes, but not setup nodes. You can provide multiple SemVerConstraints to a given node and a spec's semantic version constraints is the union of all semantic version constraints in its node hierarchy.
+
+You can learn more here: https://onsi.github.io/ginkgo/#spec-semantic-version-filtering
+You can learn more about decorators here: https://onsi.github.io/ginkgo/#decorator-reference
+*/
+func SemVerConstraint(semVerConstraints ...string) SemVerConstraints {
+	return SemVerConstraints(semVerConstraints)
+}
+
+/*
+SemVerConstraints are the type for spec SemVerConstraint decorators. Use SemVerConstraint(...) to construct SemVerConstraints.
+You can learn more here: https://onsi.github.io/ginkgo/#spec-semantic-version-filtering
+*/
+type SemVerConstraints = internal.SemVerConstraints
+
 /*
 PollProgressAfter allows you to override the configured value for --poll-progress-after for a particular node.
 
@@ -136,8 +154,40 @@ Nodes that do not finish within a GracePeriod will be leaked and Ginkgo will pro
 */
 type GracePeriod = internal.GracePeriod
 
+/*
+SpecPriority allows you to assign a priority to a spec or container.
+
+Specs with higher priority will be scheduled to run before specs with lower priority.  The default priority is 0 and negative priorities are allowed.
+*/
+type SpecPriority = internal.SpecPriority
+
 /*
 SuppressProgressReporting is a decorator that allows you to disable progress reporting of a particular node.  This is useful if `ginkgo -v -progress` is generating too much noise; particularly
 if you have a `ReportAfterEach` node that is running for every skipped spec and is generating lots of progress reports.
 */
 const SuppressProgressReporting = internal.SuppressProgressReporting
+
+/*
+AroundNode registers a function that runs before each individual node.  This is considered a more advanced decorator.
+
+Please read the [docs](https://onsi.github.io/ginkgo/#advanced-around-node) for more information.
+
+Allowed signatures:
+
+- AroundNode(func()) - func will be called before the node is run.
+- AroundNode(func(ctx context.Context) context.Context) - func can wrap the passed in context and return a new one which will be passed on to the node.
+- AroundNode(func(ctx context.Context, body func(ctx context.Context))) - ctx is the context for the node and body is a function that must be called to run the node.  This gives you complete control over what runs before and after the node.
+
+Multiple AroundNode decorators can be applied to a single node and they will run in the order they are applied.
+
+Unlike setup nodes like BeforeEach and DeferCleanup, AroundNode is guaranteed to run in the same goroutine as the decorated node.  This is necessary when working with lower-level libraries that must run on a single thread (you can call runtime.LockOSThread() in the AroundNode to ensure that the node runs on a single thread).
+
+Since AroundNode allows you to modify the context you can also use AroundNode to implement shared setup that attaches values to the context.  You must return a context that inherits from the passed in context.
+
+If applied to a container, AroundNode will run before every node in the container.  Including setup nodes like BeforeEach and DeferCleanup.
+
+AroundNode can also be applied to RunSpecs to run before every node in the suite.
+*/
+func AroundNode[F types.AroundNodeAllowedFuncs](f F) types.AroundNodeDecorator {
+	return types.AroundNode(f, types.NewCodeLocation(1))
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go b/vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go
index f912bbec65ab5..fd45b8beabe67 100644
--- a/vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go
@@ -118,9 +118,9 @@ Use Gomega's gmeasure package instead.
 You can learn more here: https://onsi.github.io/ginkgo/#benchmarking-code
 */
 type Benchmarker interface {
-	Time(name string, body func(), info ...interface{}) (elapsedTime time.Duration)
-	RecordValue(name string, value float64, info ...interface{})
-	RecordValueWithPrecision(name string, value float64, units string, precision int, info ...interface{})
+	Time(name string, body func(), info ...any) (elapsedTime time.Duration)
+	RecordValue(name string, value float64, info ...any)
+	RecordValueWithPrecision(name string, value float64, units string, precision int, info ...any)
 }
 
 /*
@@ -129,7 +129,7 @@ Deprecated: Measure() has been removed from Ginkgo 2.0
 Use Gomega's gmeasure package instead.
 You can learn more here: https://onsi.github.io/ginkgo/#benchmarking-code
 */
-func Measure(_ ...interface{}) bool {
+func Measure(_ ...any) bool {
 	deprecationTracker.TrackDeprecation(types.Deprecations.Measure(), types.NewCodeLocation(1))
 	return true
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go b/vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go
index 4d5749114c09c..f61356db19cbc 100644
--- a/vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go
@@ -24,15 +24,15 @@ const (
 
 var SingletonFormatter = New(ColorModeTerminal)
 
-func F(format string, args ...interface{}) string {
+func F(format string, args ...any) string {
 	return SingletonFormatter.F(format, args...)
 }
 
-func Fi(indentation uint, format string, args ...interface{}) string {
+func Fi(indentation uint, format string, args ...any) string {
 	return SingletonFormatter.Fi(indentation, format, args...)
 }
 
-func Fiw(indentation uint, maxWidth uint, format string, args ...interface{}) string {
+func Fiw(indentation uint, maxWidth uint, format string, args ...any) string {
 	return SingletonFormatter.Fiw(indentation, maxWidth, format, args...)
 }
 
@@ -115,15 +115,15 @@ func New(colorMode ColorMode) Formatter {
 	return f
 }
 
-func (f Formatter) F(format string, args ...interface{}) string {
+func (f Formatter) F(format string, args ...any) string {
 	return f.Fi(0, format, args...)
 }
 
-func (f Formatter) Fi(indentation uint, format string, args ...interface{}) string {
+func (f Formatter) Fi(indentation uint, format string, args ...any) string {
 	return f.Fiw(indentation, 0, format, args...)
 }
 
-func (f Formatter) Fiw(indentation uint, maxWidth uint, format string, args ...interface{}) string {
+func (f Formatter) Fiw(indentation uint, maxWidth uint, format string, args ...any) string {
 	out := f.style(format)
 	if len(args) > 0 {
 		out = fmt.Sprintf(out, args...)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go
new file mode 100644
index 0000000000000..ee6ac7b5f3885
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go
@@ -0,0 +1,8 @@
+//go:build !go1.25
+// +build !go1.25
+
+package main
+
+import (
+	_ "github.com/onsi/ginkgo/v2/ginkgo/automaxprocs"
+)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md
new file mode 100644
index 0000000000000..e249ebe8b3834
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md
@@ -0,0 +1,3 @@
+This entire directory is a lightly modified clone of https://github.com/uber-go/automaxprocs
+
+It will be removed when Go 1.26 ships and we no longer need to support Go 1.24 (which does not correctly autodetect maxprocs in containers).
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go
new file mode 100644
index 0000000000000..8a762b51d6137
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go
@@ -0,0 +1,71 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+// Package maxprocs lets Go programs easily configure runtime.GOMAXPROCS to
+// match the configured Linux CPU quota. Unlike the top-level automaxprocs
+// package, it lets the caller configure logging and handle errors.
+package automaxprocs
+
+import (
+	"os"
+	"runtime"
+)
+
+func init() {
+	Set()
+}
+
+const _maxProcsKey = "GOMAXPROCS"
+
+type config struct {
+	procs          func(int, func(v float64) int) (int, CPUQuotaStatus, error)
+	minGOMAXPROCS  int
+	roundQuotaFunc func(v float64) int
+}
+
+// Set GOMAXPROCS to match the Linux container CPU quota (if any), returning
+// any error encountered and an undo function.
+//
+// Set is a no-op on non-Linux systems and in Linux environments without a
+// configured CPU quota.
+func Set() error {
+	cfg := &config{
+		procs:          CPUQuotaToGOMAXPROCS,
+		roundQuotaFunc: DefaultRoundFunc,
+		minGOMAXPROCS:  1,
+	}
+
+	// Honor the GOMAXPROCS environment variable if present. Otherwise, amend
+	// `runtime.GOMAXPROCS()` with the current process' CPU quota if the OS is
+	// Linux, and guarantee a minimum value of 1. The minimum guaranteed value
+	// can be overridden using `maxprocs.Min()`.
+	if _, exists := os.LookupEnv(_maxProcsKey); exists {
+		return nil
+	}
+	maxProcs, status, err := cfg.procs(cfg.minGOMAXPROCS, cfg.roundQuotaFunc)
+	if err != nil {
+		return err
+	}
+	if status == CPUQuotaUndefined {
+		return nil
+	}
+	runtime.GOMAXPROCS(maxProcs)
+	return nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go
new file mode 100644
index 0000000000000..a4676933e8f04
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go
@@ -0,0 +1,79 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+)
+
+// CGroup represents the data structure for a Linux control group.
+type CGroup struct {
+	path string
+}
+
+// NewCGroup returns a new *CGroup from a given path.
+func NewCGroup(path string) *CGroup {
+	return &CGroup{path: path}
+}
+
+// Path returns the path of the CGroup*.
+func (cg *CGroup) Path() string {
+	return cg.path
+}
+
+// ParamPath returns the path of the given cgroup param under itself.
+func (cg *CGroup) ParamPath(param string) string {
+	return filepath.Join(cg.path, param)
+}
+
+// readFirstLine reads the first line from a cgroup param file.
+func (cg *CGroup) readFirstLine(param string) (string, error) {
+	paramFile, err := os.Open(cg.ParamPath(param))
+	if err != nil {
+		return "", err
+	}
+	defer paramFile.Close()
+
+	scanner := bufio.NewScanner(paramFile)
+	if scanner.Scan() {
+		return scanner.Text(), nil
+	}
+	if err := scanner.Err(); err != nil {
+		return "", err
+	}
+	return "", io.ErrUnexpectedEOF
+}
+
+// readInt parses the first line from a cgroup param file as int.
+func (cg *CGroup) readInt(param string) (int, error) {
+	text, err := cg.readFirstLine(param)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.Atoi(text)
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go
new file mode 100644
index 0000000000000..ed384891efa19
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go
@@ -0,0 +1,118 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+const (
+	// _cgroupFSType is the Linux CGroup file system type used in
+	// `/proc/$PID/mountinfo`.
+	_cgroupFSType = "cgroup"
+	// _cgroupSubsysCPU is the CPU CGroup subsystem.
+	_cgroupSubsysCPU = "cpu"
+	// _cgroupSubsysCPUAcct is the CPU accounting CGroup subsystem.
+	_cgroupSubsysCPUAcct = "cpuacct"
+	// _cgroupSubsysCPUSet is the CPUSet CGroup subsystem.
+	_cgroupSubsysCPUSet = "cpuset"
+	// _cgroupSubsysMemory is the Memory CGroup subsystem.
+	_cgroupSubsysMemory = "memory"
+
+	// _cgroupCPUCFSQuotaUsParam is the file name for the CGroup CFS quota
+	// parameter.
+	_cgroupCPUCFSQuotaUsParam = "cpu.cfs_quota_us"
+	// _cgroupCPUCFSPeriodUsParam is the file name for the CGroup CFS period
+	// parameter.
+	_cgroupCPUCFSPeriodUsParam = "cpu.cfs_period_us"
+)
+
+const (
+	_procPathCGroup    = "/proc/self/cgroup"
+	_procPathMountInfo = "/proc/self/mountinfo"
+)
+
+// CGroups is a map that associates each CGroup with its subsystem name.
+type CGroups map[string]*CGroup
+
+// NewCGroups returns a new *CGroups from given `mountinfo` and `cgroup` files
+// under for some process under `/proc` file system (see also proc(5) for more
+// information).
+func NewCGroups(procPathMountInfo, procPathCGroup string) (CGroups, error) {
+	cgroupSubsystems, err := parseCGroupSubsystems(procPathCGroup)
+	if err != nil {
+		return nil, err
+	}
+
+	cgroups := make(CGroups)
+	newMountPoint := func(mp *MountPoint) error {
+		if mp.FSType != _cgroupFSType {
+			return nil
+		}
+
+		for _, opt := range mp.SuperOptions {
+			subsys, exists := cgroupSubsystems[opt]
+			if !exists {
+				continue
+			}
+
+			cgroupPath, err := mp.Translate(subsys.Name)
+			if err != nil {
+				return err
+			}
+			cgroups[opt] = NewCGroup(cgroupPath)
+		}
+
+		return nil
+	}
+
+	if err := parseMountInfo(procPathMountInfo, newMountPoint); err != nil {
+		return nil, err
+	}
+	return cgroups, nil
+}
+
+// NewCGroupsForCurrentProcess returns a new *CGroups instance for the current
+// process.
+func NewCGroupsForCurrentProcess() (CGroups, error) {
+	return NewCGroups(_procPathMountInfo, _procPathCGroup)
+}
+
+// CPUQuota returns the CPU quota applied with the CPU cgroup controller.
+// It is a result of `cpu.cfs_quota_us / cpu.cfs_period_us`. If the value of
+// `cpu.cfs_quota_us` was not set (-1), the method returns `(-1, nil)`.
+func (cg CGroups) CPUQuota() (float64, bool, error) {
+	cpuCGroup, exists := cg[_cgroupSubsysCPU]
+	if !exists {
+		return -1, false, nil
+	}
+
+	cfsQuotaUs, err := cpuCGroup.readInt(_cgroupCPUCFSQuotaUsParam)
+	if defined := cfsQuotaUs > 0; err != nil || !defined {
+		return -1, defined, err
+	}
+
+	cfsPeriodUs, err := cpuCGroup.readInt(_cgroupCPUCFSPeriodUsParam)
+	if defined := cfsPeriodUs > 0; err != nil || !defined {
+		return -1, defined, err
+	}
+
+	return float64(cfsQuotaUs) / float64(cfsPeriodUs), true, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go
new file mode 100644
index 0000000000000..69a0be6b716a3
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go
@@ -0,0 +1,176 @@
+// Copyright (c) 2022 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+)
+
+const (
+	// _cgroupv2CPUMax is the file name for the CGroup-V2 CPU max and period
+	// parameter.
+	_cgroupv2CPUMax = "cpu.max"
+	// _cgroupFSType is the Linux CGroup-V2 file system type used in
+	// `/proc/$PID/mountinfo`.
+	_cgroupv2FSType = "cgroup2"
+
+	_cgroupv2MountPoint = "/sys/fs/cgroup"
+
+	_cgroupV2CPUMaxDefaultPeriod = 100000
+	_cgroupV2CPUMaxQuotaMax      = "max"
+)
+
+const (
+	_cgroupv2CPUMaxQuotaIndex = iota
+	_cgroupv2CPUMaxPeriodIndex
+)
+
+// ErrNotV2 indicates that the system is not using cgroups2.
+var ErrNotV2 = errors.New("not using cgroups2")
+
+// CGroups2 provides access to cgroups data for systems using cgroups2.
+type CGroups2 struct {
+	mountPoint string
+	groupPath  string
+	cpuMaxFile string
+}
+
+// NewCGroups2ForCurrentProcess builds a CGroups2 for the current process.
+//
+// This returns ErrNotV2 if the system is not using cgroups2.
+func NewCGroups2ForCurrentProcess() (*CGroups2, error) {
+	return newCGroups2From(_procPathMountInfo, _procPathCGroup)
+}
+
+func newCGroups2From(mountInfoPath, procPathCGroup string) (*CGroups2, error) {
+	isV2, err := isCGroupV2(mountInfoPath)
+	if err != nil {
+		return nil, err
+	}
+
+	if !isV2 {
+		return nil, ErrNotV2
+	}
+
+	subsystems, err := parseCGroupSubsystems(procPathCGroup)
+	if err != nil {
+		return nil, err
+	}
+
+	// Find v2 subsystem by looking for the `0` id
+	var v2subsys *CGroupSubsys
+	for _, subsys := range subsystems {
+		if subsys.ID == 0 {
+			v2subsys = subsys
+			break
+		}
+	}
+
+	if v2subsys == nil {
+		return nil, ErrNotV2
+	}
+
+	return &CGroups2{
+		mountPoint: _cgroupv2MountPoint,
+		groupPath:  v2subsys.Name,
+		cpuMaxFile: _cgroupv2CPUMax,
+	}, nil
+}
+
+func isCGroupV2(procPathMountInfo string) (bool, error) {
+	var (
+		isV2          bool
+		newMountPoint = func(mp *MountPoint) error {
+			isV2 = isV2 || (mp.FSType == _cgroupv2FSType && mp.MountPoint == _cgroupv2MountPoint)
+			return nil
+		}
+	)
+
+	if err := parseMountInfo(procPathMountInfo, newMountPoint); err != nil {
+		return false, err
+	}
+
+	return isV2, nil
+}
+
+// CPUQuota returns the CPU quota applied with the CPU cgroup2 controller.
+// It is a result of reading cpu quota and period from cpu.max file.
+// It will return `cpu.max / cpu.period`. If cpu.max is set to max, it returns
+// (-1, false, nil)
+func (cg *CGroups2) CPUQuota() (float64, bool, error) {
+	cpuMaxParams, err := os.Open(path.Join(cg.mountPoint, cg.groupPath, cg.cpuMaxFile))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return -1, false, nil
+		}
+		return -1, false, err
+	}
+	defer cpuMaxParams.Close()
+
+	scanner := bufio.NewScanner(cpuMaxParams)
+	if scanner.Scan() {
+		fields := strings.Fields(scanner.Text())
+		if len(fields) == 0 || len(fields) > 2 {
+			return -1, false, fmt.Errorf("invalid format")
+		}
+
+		if fields[_cgroupv2CPUMaxQuotaIndex] == _cgroupV2CPUMaxQuotaMax {
+			return -1, false, nil
+		}
+
+		max, err := strconv.Atoi(fields[_cgroupv2CPUMaxQuotaIndex])
+		if err != nil {
+			return -1, false, err
+		}
+
+		var period int
+		if len(fields) == 1 {
+			period = _cgroupV2CPUMaxDefaultPeriod
+		} else {
+			period, err = strconv.Atoi(fields[_cgroupv2CPUMaxPeriodIndex])
+			if err != nil {
+				return -1, false, err
+			}
+
+			if period == 0 {
+				return -1, false, errors.New("zero value for period is not allowed")
+			}
+		}
+
+		return float64(max) / float64(period), true, nil
+	}
+
+	if err := scanner.Err(); err != nil {
+		return -1, false, err
+	}
+
+	return 0, false, io.ErrUnexpectedEOF
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go
new file mode 100644
index 0000000000000..2d83343bd9cd7
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go
@@ -0,0 +1,73 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import (
+	"errors"
+)
+
+// CPUQuotaToGOMAXPROCS converts the CPU quota applied to the calling process
+// to a valid GOMAXPROCS value. The quota is converted from float to int using round.
+// If round == nil, DefaultRoundFunc is used.
+func CPUQuotaToGOMAXPROCS(minValue int, round func(v float64) int) (int, CPUQuotaStatus, error) {
+	if round == nil {
+		round = DefaultRoundFunc
+	}
+	cgroups, err := _newQueryer()
+	if err != nil {
+		return -1, CPUQuotaUndefined, err
+	}
+
+	quota, defined, err := cgroups.CPUQuota()
+	if !defined || err != nil {
+		return -1, CPUQuotaUndefined, err
+	}
+
+	maxProcs := round(quota)
+	if minValue > 0 && maxProcs < minValue {
+		return minValue, CPUQuotaMinUsed, nil
+	}
+	return maxProcs, CPUQuotaUsed, nil
+}
+
+type queryer interface {
+	CPUQuota() (float64, bool, error)
+}
+
+var (
+	_newCgroups2 = NewCGroups2ForCurrentProcess
+	_newCgroups  = NewCGroupsForCurrentProcess
+	_newQueryer  = newQueryer
+)
+
+func newQueryer() (queryer, error) {
+	cgroups, err := _newCgroups2()
+	if err == nil {
+		return cgroups, nil
+	}
+	if errors.Is(err, ErrNotV2) {
+		return _newCgroups()
+	}
+	return nil, err
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go
new file mode 100644
index 0000000000000..d2d61e8941fc0
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go
@@ -0,0 +1,31 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build !linux
+// +build !linux
+
+package automaxprocs
+
+// CPUQuotaToGOMAXPROCS converts the CPU quota applied to the calling process
+// to a valid GOMAXPROCS value. This is Linux-specific and not supported in the
+// current OS.
+func CPUQuotaToGOMAXPROCS(_ int, _ func(v float64) int) (int, CPUQuotaStatus, error) {
+	return -1, CPUQuotaUndefined, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go
new file mode 100644
index 0000000000000..2e235d7d65de1
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go
@@ -0,0 +1,52 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import "fmt"
+
+type cgroupSubsysFormatInvalidError struct {
+	line string
+}
+
+type mountPointFormatInvalidError struct {
+	line string
+}
+
+type pathNotExposedFromMountPointError struct {
+	mountPoint string
+	root       string
+	path       string
+}
+
+func (err cgroupSubsysFormatInvalidError) Error() string {
+	return fmt.Sprintf("invalid format for CGroupSubsys: %q", err.line)
+}
+
+func (err mountPointFormatInvalidError) Error() string {
+	return fmt.Sprintf("invalid format for MountPoint: %q", err.line)
+}
+
+func (err pathNotExposedFromMountPointError) Error() string {
+	return fmt.Sprintf("path %q is not a descendant of mount point root %q and cannot be exposed from %q", err.path, err.root, err.mountPoint)
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go
new file mode 100644
index 0000000000000..7c3fa306efb6a
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go
@@ -0,0 +1,171 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import (
+	"bufio"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+)
+
+const (
+	_mountInfoSep               = " "
+	_mountInfoOptsSep           = ","
+	_mountInfoOptionalFieldsSep = "-"
+)
+
+const (
+	_miFieldIDMountID = iota
+	_miFieldIDParentID
+	_miFieldIDDeviceID
+	_miFieldIDRoot
+	_miFieldIDMountPoint
+	_miFieldIDOptions
+	_miFieldIDOptionalFields
+
+	_miFieldCountFirstHalf
+)
+
+const (
+	_miFieldOffsetFSType = iota
+	_miFieldOffsetMountSource
+	_miFieldOffsetSuperOptions
+
+	_miFieldCountSecondHalf
+)
+
+const _miFieldCountMin = _miFieldCountFirstHalf + _miFieldCountSecondHalf
+
+// MountPoint is the data structure for the mount points in
+// `/proc/$PID/mountinfo`. See also proc(5) for more information.
+type MountPoint struct {
+	MountID        int
+	ParentID       int
+	DeviceID       string
+	Root           string
+	MountPoint     string
+	Options        []string
+	OptionalFields []string
+	FSType         string
+	MountSource    string
+	SuperOptions   []string
+}
+
+// NewMountPointFromLine parses a line read from `/proc/$PID/mountinfo` and
+// returns a new *MountPoint.
+func NewMountPointFromLine(line string) (*MountPoint, error) {
+	fields := strings.Split(line, _mountInfoSep)
+
+	if len(fields) < _miFieldCountMin {
+		return nil, mountPointFormatInvalidError{line}
+	}
+
+	mountID, err := strconv.Atoi(fields[_miFieldIDMountID])
+	if err != nil {
+		return nil, err
+	}
+
+	parentID, err := strconv.Atoi(fields[_miFieldIDParentID])
+	if err != nil {
+		return nil, err
+	}
+
+	for i, field := range fields[_miFieldIDOptionalFields:] {
+		if field == _mountInfoOptionalFieldsSep {
+			// End of optional fields.
+			fsTypeStart := _miFieldIDOptionalFields + i + 1
+
+			// Now we know where the optional fields end, split the line again with a
+			// limit to avoid issues with spaces in super options as present on WSL.
+			fields = strings.SplitN(line, _mountInfoSep, fsTypeStart+_miFieldCountSecondHalf)
+			if len(fields) != fsTypeStart+_miFieldCountSecondHalf {
+				return nil, mountPointFormatInvalidError{line}
+			}
+
+			miFieldIDFSType := _miFieldOffsetFSType + fsTypeStart
+			miFieldIDMountSource := _miFieldOffsetMountSource + fsTypeStart
+			miFieldIDSuperOptions := _miFieldOffsetSuperOptions + fsTypeStart
+
+			return &MountPoint{
+				MountID:        mountID,
+				ParentID:       parentID,
+				DeviceID:       fields[_miFieldIDDeviceID],
+				Root:           fields[_miFieldIDRoot],
+				MountPoint:     fields[_miFieldIDMountPoint],
+				Options:        strings.Split(fields[_miFieldIDOptions], _mountInfoOptsSep),
+				OptionalFields: fields[_miFieldIDOptionalFields:(fsTypeStart - 1)],
+				FSType:         fields[miFieldIDFSType],
+				MountSource:    fields[miFieldIDMountSource],
+				SuperOptions:   strings.Split(fields[miFieldIDSuperOptions], _mountInfoOptsSep),
+			}, nil
+		}
+	}
+
+	return nil, mountPointFormatInvalidError{line}
+}
+
+// Translate converts an absolute path inside the *MountPoint's file system to
+// the host file system path in the mount namespace the *MountPoint belongs to.
+func (mp *MountPoint) Translate(absPath string) (string, error) {
+	relPath, err := filepath.Rel(mp.Root, absPath)
+
+	if err != nil {
+		return "", err
+	}
+	if relPath == ".." || strings.HasPrefix(relPath, "../") {
+		return "", pathNotExposedFromMountPointError{
+			mountPoint: mp.MountPoint,
+			root:       mp.Root,
+			path:       absPath,
+		}
+	}
+
+	return filepath.Join(mp.MountPoint, relPath), nil
+}
+
+// parseMountInfo parses procPathMountInfo (usually at `/proc/$PID/mountinfo`)
+// and yields parsed *MountPoint into newMountPoint.
+func parseMountInfo(procPathMountInfo string, newMountPoint func(*MountPoint) error) error {
+	mountInfoFile, err := os.Open(procPathMountInfo)
+	if err != nil {
+		return err
+	}
+	defer mountInfoFile.Close()
+
+	scanner := bufio.NewScanner(mountInfoFile)
+
+	for scanner.Scan() {
+		mountPoint, err := NewMountPointFromLine(scanner.Text())
+		if err != nil {
+			return err
+		}
+		if err := newMountPoint(mountPoint); err != nil {
+			return err
+		}
+	}
+
+	return scanner.Err()
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go
new file mode 100644
index 0000000000000..b8ec7e502a7cf
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go
@@ -0,0 +1,40 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package automaxprocs
+
+import "math"
+
+// CPUQuotaStatus presents the status of how CPU quota is used
+type CPUQuotaStatus int
+
+const (
+	// CPUQuotaUndefined is returned when CPU quota is undefined
+	CPUQuotaUndefined CPUQuotaStatus = iota
+	// CPUQuotaUsed is returned when a valid CPU quota can be used
+	CPUQuotaUsed
+	// CPUQuotaMinUsed is returned when CPU quota is smaller than the min value
+	CPUQuotaMinUsed
+)
+
+// DefaultRoundFunc is the default function to convert CPU quota from float to int. It rounds the value down (floor).
+func DefaultRoundFunc(v float64) int {
+	return int(math.Floor(v))
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go
new file mode 100644
index 0000000000000..881ebd59028ec
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go
@@ -0,0 +1,103 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//go:build linux
+// +build linux
+
+package automaxprocs
+
+import (
+	"bufio"
+	"os"
+	"strconv"
+	"strings"
+)
+
+const (
+	_cgroupSep       = ":"
+	_cgroupSubsysSep = ","
+)
+
+const (
+	_csFieldIDID = iota
+	_csFieldIDSubsystems
+	_csFieldIDName
+	_csFieldCount
+)
+
+// CGroupSubsys represents the data structure for entities in
+// `/proc/$PID/cgroup`. See also proc(5) for more information.
+type CGroupSubsys struct {
+	ID         int
+	Subsystems []string
+	Name       string
+}
+
+// NewCGroupSubsysFromLine returns a new *CGroupSubsys by parsing a string in
+// the format of `/proc/$PID/cgroup`
+func NewCGroupSubsysFromLine(line string) (*CGroupSubsys, error) {
+	fields := strings.SplitN(line, _cgroupSep, _csFieldCount)
+
+	if len(fields) != _csFieldCount {
+		return nil, cgroupSubsysFormatInvalidError{line}
+	}
+
+	id, err := strconv.Atoi(fields[_csFieldIDID])
+	if err != nil {
+		return nil, err
+	}
+
+	cgroup := &CGroupSubsys{
+		ID:         id,
+		Subsystems: strings.Split(fields[_csFieldIDSubsystems], _cgroupSubsysSep),
+		Name:       fields[_csFieldIDName],
+	}
+
+	return cgroup, nil
+}
+
+// parseCGroupSubsystems parses procPathCGroup (usually at `/proc/$PID/cgroup`)
+// and returns a new map[string]*CGroupSubsys.
+func parseCGroupSubsystems(procPathCGroup string) (map[string]*CGroupSubsys, error) {
+	cgroupFile, err := os.Open(procPathCGroup)
+	if err != nil {
+		return nil, err
+	}
+	defer cgroupFile.Close()
+
+	scanner := bufio.NewScanner(cgroupFile)
+	subsystems := make(map[string]*CGroupSubsys)
+
+	for scanner.Scan() {
+		cgroup, err := NewCGroupSubsysFromLine(scanner.Text())
+		if err != nil {
+			return nil, err
+		}
+		for _, subsys := range cgroup.Subsystems {
+			subsystems[subsys] = cgroup
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return subsystems, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go
index fd172608437ca..3021dfec2eb5e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go
@@ -29,7 +29,6 @@ func BuildBuildCommand() command.Command {
 			var errors []error
 			cliConfig, goFlagsConfig, errors = types.VetAndInitializeCLIAndGoConfig(cliConfig, goFlagsConfig)
 			command.AbortIfErrors("Ginkgo detected configuration issues:", errors)
-
 			buildSpecs(args, cliConfig, goFlagsConfig)
 		},
 	}
@@ -44,7 +43,7 @@ func buildSpecs(args []string, cliConfig types.CLIConfig, goFlagsConfig types.Go
 	internal.VerifyCLIAndFrameworkVersion(suites)
 
 	opc := internal.NewOrderedParallelCompiler(cliConfig.ComputedNumCompilers())
-	opc.StartCompiling(suites, goFlagsConfig)
+	opc.StartCompiling(suites, goFlagsConfig, true)
 
 	for {
 		suiteIdx, suite := opc.Next()
@@ -55,18 +54,22 @@ func buildSpecs(args []string, cliConfig types.CLIConfig, goFlagsConfig types.Go
 		if suite.State.Is(internal.TestSuiteStateFailedToCompile) {
 			fmt.Println(suite.CompilationError.Error())
 		} else {
-			if len(goFlagsConfig.O) == 0 {
-				goFlagsConfig.O = path.Join(suite.Path, suite.PackageName+".test")
-			} else {
+			var testBinPath string
+			if len(goFlagsConfig.O) != 0 {
 				stat, err := os.Stat(goFlagsConfig.O)
 				if err != nil {
 					panic(err)
 				}
 				if stat.IsDir() {
-					goFlagsConfig.O += "/" + suite.PackageName + ".test"
+					testBinPath = goFlagsConfig.O + "/" + suite.PackageName + ".test"
+				} else {
+					testBinPath = goFlagsConfig.O
 				}
 			}
-			fmt.Printf("Compiled %s\n", goFlagsConfig.O)
+			if len(testBinPath) == 0 {
+				testBinPath = path.Join(suite.Path, suite.PackageName+".test")
+			}
+			fmt.Printf("Compiled %s\n", testBinPath)
 		}
 	}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go
index 2efd286088673..f0e7331f7df28 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go
@@ -12,7 +12,7 @@ func Abort(details AbortDetails) {
 	panic(details)
 }
 
-func AbortGracefullyWith(format string, args ...interface{}) {
+func AbortGracefullyWith(format string, args ...any) {
 	Abort(AbortDetails{
 		ExitCode:  0,
 		Error:     fmt.Errorf(format, args...),
@@ -20,7 +20,7 @@ func AbortGracefullyWith(format string, args ...interface{}) {
 	})
 }
 
-func AbortWith(format string, args ...interface{}) {
+func AbortWith(format string, args ...any) {
 	Abort(AbortDetails{
 		ExitCode:  1,
 		Error:     fmt.Errorf(format, args...),
@@ -28,7 +28,7 @@ func AbortWith(format string, args ...interface{}) {
 	})
 }
 
-func AbortWithUsage(format string, args ...interface{}) {
+func AbortWithUsage(format string, args ...any) {
 	Abort(AbortDetails{
 		ExitCode:  1,
 		Error:     fmt.Errorf(format, args...),
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go
index 12e0e5659140b..79b83a3af1899 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go
@@ -24,7 +24,11 @@ func (c Command) Run(args []string, additionalArgs []string) {
 	if err != nil {
 		AbortWithUsage(err.Error())
 	}
-
+	for _, arg := range args {
+		if len(arg) > 1 && strings.HasPrefix(arg, "-") {
+			AbortWith(types.GinkgoErrors.FlagAfterPositionalParameter().Error())
+		}
+	}
 	c.Command(args, additionalArgs)
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go
index 88dd8d6b07e14..c3f6d3a11efa9 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go
@@ -68,7 +68,6 @@ func (p Program) RunAndExit(osArgs []string) {
 			fmt.Fprintln(p.ErrWriter, deprecationTracker.DeprecationsReport())
 		}
 		p.Exiter(exitCode)
-		return
 	}()
 
 	args, additionalArgs := []string{}, []string{}
@@ -157,7 +156,6 @@ func (p Program) handleHelpRequestsAndExit(writer io.Writer, args []string) {
 		p.EmitUsage(writer)
 		Abort(AbortDetails{ExitCode: 1})
 	}
-	return
 }
 
 func (p Program) EmitUsage(writer io.Writer) {
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go
index 48827cc5efc54..7bbe6be0fc7ee 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go
@@ -11,7 +11,7 @@ import (
 	"github.com/onsi/ginkgo/v2/types"
 )
 
-func CompileSuite(suite TestSuite, goFlagsConfig types.GoFlagsConfig) TestSuite {
+func CompileSuite(suite TestSuite, goFlagsConfig types.GoFlagsConfig, preserveSymbols bool) TestSuite {
 	if suite.PathToCompiledTest != "" {
 		return suite
 	}
@@ -46,7 +46,7 @@ func CompileSuite(suite TestSuite, goFlagsConfig types.GoFlagsConfig) TestSuite
 		suite.CompilationError = fmt.Errorf("Failed to get relative path from package to the current working directory:\n%s", err.Error())
 		return suite
 	}
-	args, err := types.GenerateGoTestCompileArgs(goFlagsConfig, "./", pathToInvocationPath)
+	args, err := types.GenerateGoTestCompileArgs(goFlagsConfig, "./", pathToInvocationPath, preserveSymbols)
 	if err != nil {
 		suite.State = TestSuiteStateFailedToCompile
 		suite.CompilationError = fmt.Errorf("Failed to generate go test compile flags:\n%s", err.Error())
@@ -120,7 +120,7 @@ func NewOrderedParallelCompiler(numCompilers int) *OrderedParallelCompiler {
 	}
 }
 
-func (opc *OrderedParallelCompiler) StartCompiling(suites TestSuites, goFlagsConfig types.GoFlagsConfig) {
+func (opc *OrderedParallelCompiler) StartCompiling(suites TestSuites, goFlagsConfig types.GoFlagsConfig, preserveSymbols bool) {
 	opc.stopped = false
 	opc.idx = 0
 	opc.numSuites = len(suites)
@@ -135,7 +135,7 @@ func (opc *OrderedParallelCompiler) StartCompiling(suites TestSuites, goFlagsCon
 				stopped := opc.stopped
 				opc.mutex.Unlock()
 				if !stopped {
-					suite = CompileSuite(suite, goFlagsConfig)
+					suite = CompileSuite(suite, goFlagsConfig, preserveSymbols)
 				}
 				c <- suite
 			}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go
index 3c5079ff4c743..87cfa111944dd 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go
@@ -89,7 +89,7 @@ func mergeProfileBlock(p *cover.Profile, pb cover.ProfileBlock, startIndex int)
 	}
 
 	i := 0
-	if sortFunc(i) != true {
+	if !sortFunc(i) {
 		i = sort.Search(len(p.Blocks)-startIndex, sortFunc)
 	}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
index 8e16d2bb034bd..f3439a3f0cb79 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
@@ -90,6 +90,9 @@ func FinalizeProfilesAndReportsForSuites(suites TestSuites, cliConfig types.CLIC
 	if reporterConfig.JSONReport != "" {
 		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.JSONReport, GenerateFunc: reporters.GenerateJSONReport, MergeFunc: reporters.MergeAndCleanupJSONReports})
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.GoJSONReport, GenerateFunc: reporters.GenerateGoTestJSONReport, MergeFunc: reporters.MergeAndCleanupGoTestJSONReports})
+	}
 	if reporterConfig.JUnitReport != "" {
 		reportFormats = append(reportFormats, reportFormat{ReportName: reporterConfig.JUnitReport, GenerateFunc: reporters.GenerateJUnitReport, MergeFunc: reporters.MergeAndCleanupJUnitReports})
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
index 41052ea19db22..30d8096cd627e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go
@@ -107,6 +107,9 @@ func runSerial(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig t
 	if reporterConfig.JSONReport != "" {
 		reporterConfig.JSONReport = AbsPathForGeneratedAsset(reporterConfig.JSONReport, suite, cliConfig, 0)
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reporterConfig.GoJSONReport = AbsPathForGeneratedAsset(reporterConfig.GoJSONReport, suite, cliConfig, 0)
+	}
 	if reporterConfig.JUnitReport != "" {
 		reporterConfig.JUnitReport = AbsPathForGeneratedAsset(reporterConfig.JUnitReport, suite, cliConfig, 0)
 	}
@@ -179,6 +182,9 @@ func runParallel(suite TestSuite, ginkgoConfig types.SuiteConfig, reporterConfig
 	if reporterConfig.JSONReport != "" {
 		reporterConfig.JSONReport = AbsPathForGeneratedAsset(reporterConfig.JSONReport, suite, cliConfig, 0)
 	}
+	if reporterConfig.GoJSONReport != "" {
+		reporterConfig.GoJSONReport = AbsPathForGeneratedAsset(reporterConfig.GoJSONReport, suite, cliConfig, 0)
+	}
 	if reporterConfig.JUnitReport != "" {
 		reporterConfig.JUnitReport = AbsPathForGeneratedAsset(reporterConfig.JUnitReport, suite, cliConfig, 0)
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
index e9abb27d8bf83..419589b48c5ba 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go
@@ -3,7 +3,6 @@ package main
 import (
 	"fmt"
 	"os"
-
 	"github.com/onsi/ginkgo/v2/ginkgo/build"
 	"github.com/onsi/ginkgo/v2/ginkgo/command"
 	"github.com/onsi/ginkgo/v2/ginkgo/generators"
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go
index c2327cda8cf4e..e99d557d1faa7 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go
@@ -1,10 +1,13 @@
 package outline
 
 import (
+	"bytes"
+	"encoding/csv"
 	"encoding/json"
 	"fmt"
 	"go/ast"
 	"go/token"
+	"strconv"
 	"strings"
 
 	"golang.org/x/tools/go/ast/inspector"
@@ -84,9 +87,11 @@ func (o *outline) String() string {
 // StringIndent returns a CSV-formated outline, but every line is indented by
 // one 'width' of spaces for every level of nesting.
 func (o *outline) StringIndent(width int) string {
-	var b strings.Builder
+	var b bytes.Buffer
 	b.WriteString("Name,Text,Start,End,Spec,Focused,Pending,Labels\n")
 
+	csvWriter := csv.NewWriter(&b)
+
 	currentIndent := 0
 	pre := func(n *ginkgoNode) {
 		b.WriteString(fmt.Sprintf("%*s", currentIndent, ""))
@@ -96,8 +101,22 @@ func (o *outline) StringIndent(width int) string {
 		} else {
 			labels = strings.Join(n.Labels, ", ")
 		}
-		//enclosing labels in a double quoted comma separate listed so that when inmported into a CSV app the Labels column has comma separate strings
-		b.WriteString(fmt.Sprintf("%s,%s,%d,%d,%t,%t,%t,\"%s\"\n", n.Name, n.Text, n.Start, n.End, n.Spec, n.Focused, n.Pending, labels))
+
+		row := []string{
+			n.Name,
+			n.Text,
+			strconv.Itoa(n.Start),
+			strconv.Itoa(n.End),
+			strconv.FormatBool(n.Spec),
+			strconv.FormatBool(n.Focused),
+			strconv.FormatBool(n.Pending),
+			labels,
+		}
+		csvWriter.Write(row)
+
+		// Ensure we write to `b' before the next `b.WriteString()', which might be adding indentation
+		csvWriter.Flush()
+
 		currentIndent += width
 	}
 	post := func(n *ginkgoNode) {
@@ -106,5 +125,6 @@ func (o *outline) StringIndent(width int) string {
 	for _, n := range o.Nodes {
 		n.Walk(pre, post)
 	}
+
 	return b.String()
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
index aaed4d570e973..03875b979641f 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go
@@ -107,7 +107,7 @@ OUTER_LOOP:
 		}
 
 		opc := internal.NewOrderedParallelCompiler(r.cliConfig.ComputedNumCompilers())
-		opc.StartCompiling(suites, r.goFlagsConfig)
+		opc.StartCompiling(suites, r.goFlagsConfig, false)
 
 	SUITE_LOOP:
 		for {
@@ -142,7 +142,7 @@ OUTER_LOOP:
 			}
 
 			if !endTime.IsZero() {
-				r.suiteConfig.Timeout = endTime.Sub(time.Now())
+				r.suiteConfig.Timeout = time.Until(endTime)
 				if r.suiteConfig.Timeout <= 0 {
 					suites[suiteIdx].State = internal.TestSuiteStateFailedDueToTimeout
 					opc.StopAndDrain()
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go
index a34d94354d9b2..75cbdb496258f 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go
@@ -2,12 +2,9 @@ package watch
 
 import (
 	"go/build"
-	"regexp"
+	"strings"
 )
 
-var ginkgoAndGomegaFilter = regexp.MustCompile(`github\.com/onsi/ginkgo|github\.com/onsi/gomega`)
-var ginkgoIntegrationTestFilter = regexp.MustCompile(`github\.com/onsi/ginkgo/integration`) //allow us to integration test this thing
-
 type Dependencies struct {
 	deps map[string]int
 }
@@ -78,7 +75,7 @@ func (d Dependencies) resolveAndAdd(deps []string, depth int) {
 		if err != nil {
 			continue
 		}
-		if !pkg.Goroot && (!ginkgoAndGomegaFilter.MatchString(pkg.Dir) || ginkgoIntegrationTestFilter.MatchString(pkg.Dir)) {
+		if !pkg.Goroot && (!matchesGinkgoOrGomega(pkg.Dir) || matchesGinkgoIntegration(pkg.Dir)) {
 			d.addDepIfNotPresent(pkg.Dir, depth)
 		}
 	}
@@ -90,3 +87,11 @@ func (d Dependencies) addDepIfNotPresent(dep string, depth int) {
 		d.deps[dep] = depth
 	}
 }
+
+func matchesGinkgoOrGomega(s string) bool {
+	return strings.Contains(s, "github.com/onsi/ginkgo") || strings.Contains(s, "github.com/onsi/gomega")
+}
+
+func matchesGinkgoIntegration(s string) bool {
+	return strings.Contains(s, "github.com/onsi/ginkgo/integration") // allow us to integration test this thing
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go
index bde4193ce718b..fe1ca30519cdb 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go
@@ -153,7 +153,7 @@ func (w *SpecWatcher) WatchSpecs(args []string, additionalArgs []string) {
 }
 
 func (w *SpecWatcher) compileAndRun(suite internal.TestSuite, additionalArgs []string) internal.TestSuite {
-	suite = internal.CompileSuite(suite, w.goFlagsConfig)
+	suite = internal.CompileSuite(suite, w.goFlagsConfig, false)
 	if suite.State.Is(internal.TestSuiteStateFailedToCompile) {
 		fmt.Println(suite.CompilationError.Error())
 		return suite
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
index 02c6739e5be7d..40d1e1ab5ce96 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go
@@ -1,6 +1,8 @@
 package ginkgo
 
 import (
+	"context"
+	"io"
 	"testing"
 
 	"github.com/onsi/ginkgo/v2/internal/testingtproxy"
@@ -48,6 +50,8 @@ The portion of the interface returned by GinkgoT() that maps onto methods in the
 */
 type GinkgoTInterface interface {
 	Cleanup(func())
+	Chdir(dir string)
+	Context() context.Context
 	Setenv(kev, value string)
 	Error(args ...any)
 	Errorf(format string, args ...any)
@@ -66,6 +70,8 @@ type GinkgoTInterface interface {
 	Skipf(format string, args ...any)
 	Skipped() bool
 	TempDir() string
+	Attr(key, value string)
+	Output() io.Writer
 }
 
 /*
@@ -127,6 +133,12 @@ type GinkgoTBWrapper struct {
 func (g *GinkgoTBWrapper) Cleanup(f func()) {
 	g.GinkgoT.Cleanup(f)
 }
+func (g *GinkgoTBWrapper) Chdir(dir string) {
+	g.GinkgoT.Chdir(dir)
+}
+func (g *GinkgoTBWrapper) Context() context.Context {
+	return g.GinkgoT.Context()
+}
 func (g *GinkgoTBWrapper) Error(args ...any) {
 	g.GinkgoT.Error(args...)
 }
@@ -178,3 +190,9 @@ func (g *GinkgoTBWrapper) Skipped() bool {
 func (g *GinkgoTBWrapper) TempDir() string {
 	return g.GinkgoT.TempDir()
 }
+func (g *GinkgoTBWrapper) Attr(key, value string) {
+	g.GinkgoT.Attr(key, value)
+}
+func (g *GinkgoTBWrapper) Output() io.Writer {
+	return g.GinkgoT.Output()
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/around_node.go b/vendor/github.com/onsi/ginkgo/v2/internal/around_node.go
new file mode 100644
index 0000000000000..c96571020597f
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/around_node.go
@@ -0,0 +1,34 @@
+package internal
+
+import (
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+func ComputeAroundNodes(specs Specs) Specs {
+	out := Specs{}
+	for _, spec := range specs {
+		nodes := Nodes{}
+		currentNestingLevel := 0
+		aroundNodes := types.AroundNodes{}
+		nestingLevelIndices := []int{}
+		for _, node := range spec.Nodes {
+			switch node.NodeType {
+			case types.NodeTypeContainer:
+				currentNestingLevel = node.NestingLevel + 1
+				nestingLevelIndices = append(nestingLevelIndices, len(aroundNodes))
+				aroundNodes = aroundNodes.Append(node.AroundNodes...)
+				nodes = append(nodes, node)
+			default:
+				if currentNestingLevel > node.NestingLevel {
+					currentNestingLevel = node.NestingLevel
+					aroundNodes = aroundNodes[:nestingLevelIndices[currentNestingLevel]]
+				}
+				node.AroundNodes = types.AroundNodes{}.Append(aroundNodes...).Append(node.AroundNodes...)
+				nodes = append(nodes, node)
+			}
+		}
+		spec.Nodes = nodes
+		out = append(out, spec)
+	}
+	return out
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/failer.go b/vendor/github.com/onsi/ginkgo/v2/internal/failer.go
index e9bd9565fc7b3..8c5de9c160381 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/failer.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/failer.go
@@ -32,7 +32,7 @@ func (f *Failer) GetFailure() types.Failure {
 	return f.failure
 }
 
-func (f *Failer) Panic(location types.CodeLocation, forwardedPanic interface{}) {
+func (f *Failer) Panic(location types.CodeLocation, forwardedPanic any) {
 	f.lock.Lock()
 	defer f.lock.Unlock()
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/focus.go b/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
index e3da7d14dd1f0..a39daf5a60ba6 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/focus.go
@@ -56,7 +56,7 @@ This function sets the `Skip` property on specs by applying Ginkgo's focus polic
 
 *Note:* specs with pending nodes are Skipped when created by NewSpec.
 */
-func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suiteConfig types.SuiteConfig) (Specs, bool) {
+func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteConfig types.SuiteConfig) (Specs, bool) {
 	focusString := strings.Join(suiteConfig.FocusStrings, "|")
 	skipString := strings.Join(suiteConfig.SkipStrings, "|")
 
@@ -84,6 +84,13 @@ func ApplyFocusToSpecs(specs Specs, description string, suiteLabels Labels, suit
 		})
 	}
 
+	if suiteConfig.SemVerFilter != "" {
+		semVerFilter, _ := types.ParseSemVerFilter(suiteConfig.SemVerFilter)
+		skipChecks = append(skipChecks, func(spec Spec) bool {
+			return !semVerFilter(UnionOfSemVerConstraints(suiteSemVerConstraints, spec.Nodes.UnionOfSemVerConstraints()))
+		})
+	}
+
 	if len(suiteConfig.FocusFiles) > 0 {
 		focusFilters, _ := types.ParseFileFilters(suiteConfig.FocusFiles)
 		skipChecks = append(skipChecks, func(spec Spec) bool { return !focusFilters.Matches(spec.Nodes.CodeLocations()) })
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/group.go b/vendor/github.com/onsi/ginkgo/v2/internal/group.go
index 02c9fe4fcd401..cc794903e7e3e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/group.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/group.go
@@ -110,21 +110,53 @@ func newGroup(suite *Suite) *group {
 	}
 }
 
+// initialReportForSpec constructs a new SpecReport right before running the spec.
 func (g *group) initialReportForSpec(spec Spec) types.SpecReport {
 	return types.SpecReport{
-		ContainerHierarchyTexts:     spec.Nodes.WithType(types.NodeTypeContainer).Texts(),
-		ContainerHierarchyLocations: spec.Nodes.WithType(types.NodeTypeContainer).CodeLocations(),
-		ContainerHierarchyLabels:    spec.Nodes.WithType(types.NodeTypeContainer).Labels(),
-		LeafNodeLocation:            spec.FirstNodeWithType(types.NodeTypeIt).CodeLocation,
-		LeafNodeType:                types.NodeTypeIt,
-		LeafNodeText:                spec.FirstNodeWithType(types.NodeTypeIt).Text,
-		LeafNodeLabels:              []string(spec.FirstNodeWithType(types.NodeTypeIt).Labels),
-		ParallelProcess:             g.suite.config.ParallelProcess,
-		RunningInParallel:           g.suite.isRunningInParallel(),
-		IsSerial:                    spec.Nodes.HasNodeMarkedSerial(),
-		IsInOrderedContainer:        !spec.Nodes.FirstNodeMarkedOrdered().IsZero(),
-		MaxFlakeAttempts:            spec.Nodes.GetMaxFlakeAttempts(),
-		MaxMustPassRepeatedly:       spec.Nodes.GetMaxMustPassRepeatedly(),
+		ContainerHierarchyTexts:             spec.Nodes.WithType(types.NodeTypeContainer).Texts(),
+		ContainerHierarchyLocations:         spec.Nodes.WithType(types.NodeTypeContainer).CodeLocations(),
+		ContainerHierarchyLabels:            spec.Nodes.WithType(types.NodeTypeContainer).Labels(),
+		ContainerHierarchySemVerConstraints: spec.Nodes.WithType(types.NodeTypeContainer).SemVerConstraints(),
+		LeafNodeLocation:                    spec.FirstNodeWithType(types.NodeTypeIt).CodeLocation,
+		LeafNodeType:                        types.NodeTypeIt,
+		LeafNodeText:                        spec.FirstNodeWithType(types.NodeTypeIt).Text,
+		LeafNodeLabels:                      []string(spec.FirstNodeWithType(types.NodeTypeIt).Labels),
+		LeafNodeSemVerConstraints:           []string(spec.FirstNodeWithType(types.NodeTypeIt).SemVerConstraints),
+		ParallelProcess:                     g.suite.config.ParallelProcess,
+		RunningInParallel:                   g.suite.isRunningInParallel(),
+		IsSerial:                            spec.Nodes.HasNodeMarkedSerial(),
+		IsInOrderedContainer:                !spec.Nodes.FirstNodeMarkedOrdered().IsZero(),
+		MaxFlakeAttempts:                    spec.Nodes.GetMaxFlakeAttempts(),
+		MaxMustPassRepeatedly:               spec.Nodes.GetMaxMustPassRepeatedly(),
+		SpecPriority:                        spec.Nodes.GetSpecPriority(),
+	}
+}
+
+// constructionNodeReportForTreeNode constructs a new SpecReport right before invoking the body
+// of a container node during construction of the full tree.
+func constructionNodeReportForTreeNode(node *TreeNode) *types.ConstructionNodeReport {
+	var report types.ConstructionNodeReport
+	// Walk up the tree and set attributes accordingly.
+	addNodeToReportForNode(&report, node)
+	return &report
+}
+
+// addNodeToReportForNode is conceptually similar to initialReportForSpec and therefore placed here
+// although it doesn't do anything with a group.
+func addNodeToReportForNode(report *types.ConstructionNodeReport, node *TreeNode) {
+	if node.Parent != nil {
+		// First add the parent node, then the current one.
+		addNodeToReportForNode(report, node.Parent)
+	}
+	report.ContainerHierarchyTexts = append(report.ContainerHierarchyTexts, node.Node.Text)
+	report.ContainerHierarchyLocations = append(report.ContainerHierarchyLocations, node.Node.CodeLocation)
+	report.ContainerHierarchyLabels = append(report.ContainerHierarchyLabels, node.Node.Labels)
+	report.ContainerHierarchySemVerConstraints = append(report.ContainerHierarchySemVerConstraints, node.Node.SemVerConstraints)
+	if node.Node.MarkedSerial {
+		report.IsSerial = true
+	}
+	if node.Node.MarkedOrdered {
+		report.IsInOrderedContainer = true
 	}
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go b/vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go
index 8ed86111f786c..79bfa87db22c2 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go
@@ -40,7 +40,7 @@ func (ic InterruptCause) String() string {
 }
 
 type InterruptStatus struct {
-	Channel chan interface{}
+	Channel chan any
 	Level   InterruptLevel
 	Cause   InterruptCause
 }
@@ -62,14 +62,14 @@ type InterruptHandlerInterface interface {
 }
 
 type InterruptHandler struct {
-	c                 chan interface{}
+	c                 chan any
 	lock              *sync.Mutex
 	level             InterruptLevel
 	cause             InterruptCause
 	client            parallel_support.Client
-	stop              chan interface{}
+	stop              chan any
 	signals           []os.Signal
-	requestAbortCheck chan interface{}
+	requestAbortCheck chan any
 }
 
 func NewInterruptHandler(client parallel_support.Client, signals ...os.Signal) *InterruptHandler {
@@ -77,10 +77,10 @@ func NewInterruptHandler(client parallel_support.Client, signals ...os.Signal) *
 		signals = []os.Signal{os.Interrupt, syscall.SIGTERM}
 	}
 	handler := &InterruptHandler{
-		c:                 make(chan interface{}),
+		c:                 make(chan any),
 		lock:              &sync.Mutex{},
-		stop:              make(chan interface{}),
-		requestAbortCheck: make(chan interface{}),
+		stop:              make(chan any),
+		requestAbortCheck: make(chan any),
 		client:            client,
 		signals:           signals,
 	}
@@ -98,9 +98,9 @@ func (handler *InterruptHandler) registerForInterrupts() {
 	signal.Notify(signalChannel, handler.signals...)
 
 	// cross-process abort handling
-	var abortChannel chan interface{}
+	var abortChannel chan any
 	if handler.client != nil {
-		abortChannel = make(chan interface{})
+		abortChannel = make(chan any)
 		go func() {
 			pollTicker := time.NewTicker(ABORT_POLLING_INTERVAL)
 			for {
@@ -125,7 +125,7 @@ func (handler *InterruptHandler) registerForInterrupts() {
 		}()
 	}
 
-	go func(abortChannel chan interface{}) {
+	go func(abortChannel chan any) {
 		var interruptCause InterruptCause
 		for {
 			select {
@@ -151,7 +151,7 @@ func (handler *InterruptHandler) registerForInterrupts() {
 			}
 			if handler.level != oldLevel {
 				close(handler.c)
-				handler.c = make(chan interface{})
+				handler.c = make(chan any)
 			}
 			handler.lock.Unlock()
 		}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/node.go b/vendor/github.com/onsi/ginkgo/v2/internal/node.go
index 6a15f19ae04ae..2bccec2dbf0b3 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/node.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/node.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"reflect"
+	"slices"
 	"sort"
 	"sync"
 	"time"
@@ -46,20 +47,24 @@ type Node struct {
 	ReportEachBody  func(SpecContext, types.SpecReport)
 	ReportSuiteBody func(SpecContext, types.Report)
 
-	MarkedFocus             bool
-	MarkedPending           bool
-	MarkedSerial            bool
-	MarkedOrdered           bool
-	MarkedContinueOnFailure bool
-	MarkedOncePerOrdered    bool
-	FlakeAttempts           int
-	MustPassRepeatedly      int
-	Labels                  Labels
-	PollProgressAfter       time.Duration
-	PollProgressInterval    time.Duration
-	NodeTimeout             time.Duration
-	SpecTimeout             time.Duration
-	GracePeriod             time.Duration
+	MarkedFocus                  bool
+	MarkedPending                bool
+	MarkedSerial                 bool
+	MarkedOrdered                bool
+	MarkedContinueOnFailure      bool
+	MarkedOncePerOrdered         bool
+	FlakeAttempts                int
+	MustPassRepeatedly           int
+	Labels                       Labels
+	SemVerConstraints            SemVerConstraints
+	PollProgressAfter            time.Duration
+	PollProgressInterval         time.Duration
+	NodeTimeout                  time.Duration
+	SpecTimeout                  time.Duration
+	GracePeriod                  time.Duration
+	AroundNodes                  types.AroundNodes
+	HasExplicitlySetSpecPriority bool
+	SpecPriority                 int
 
 	NodeIDWhereCleanupWasGenerated uint
 }
@@ -84,35 +89,51 @@ const SuppressProgressReporting = suppressProgressReporting(true)
 type FlakeAttempts uint
 type MustPassRepeatedly uint
 type Offset uint
-type Done chan<- interface{} // Deprecated Done Channel for asynchronous testing
-type Labels []string
+type Done chan<- any // Deprecated Done Channel for asynchronous testing
 type PollProgressInterval time.Duration
 type PollProgressAfter time.Duration
 type NodeTimeout time.Duration
 type SpecTimeout time.Duration
 type GracePeriod time.Duration
+type SpecPriority int
+
+type Labels []string
 
 func (l Labels) MatchesLabelFilter(query string) bool {
 	return types.MustParseLabelFilter(query)(l)
 }
 
-func UnionOfLabels(labels ...Labels) Labels {
-	out := Labels{}
-	seen := map[string]bool{}
-	for _, labelSet := range labels {
-		for _, label := range labelSet {
-			if !seen[label] {
-				seen[label] = true
-				out = append(out, label)
+type SemVerConstraints []string
+
+func (svc SemVerConstraints) MatchesSemVerFilter(version string) bool {
+	return types.MustParseSemVerFilter(version)(svc)
+}
+
+func unionOf[S ~[]E, E comparable](slices ...S) S {
+	out := S{}
+	seen := map[E]bool{}
+	for _, slice := range slices {
+		for _, item := range slice {
+			if !seen[item] {
+				seen[item] = true
+				out = append(out, item)
 			}
 		}
 	}
 	return out
 }
 
-func PartitionDecorations(args ...interface{}) ([]interface{}, []interface{}) {
-	decorations := []interface{}{}
-	remainingArgs := []interface{}{}
+func UnionOfLabels(labels ...Labels) Labels {
+	return unionOf(labels...)
+}
+
+func UnionOfSemVerConstraints(semVerConstraints ...SemVerConstraints) SemVerConstraints {
+	return unionOf(semVerConstraints...)
+}
+
+func PartitionDecorations(args ...any) ([]any, []any) {
+	decorations := []any{}
+	remainingArgs := []any{}
 	for _, arg := range args {
 		if isDecoration(arg) {
 			decorations = append(decorations, arg)
@@ -123,7 +144,7 @@ func PartitionDecorations(args ...interface{}) ([]interface{}, []interface{}) {
 	return decorations, remainingArgs
 }
 
-func isDecoration(arg interface{}) bool {
+func isDecoration(arg any) bool {
 	switch t := reflect.TypeOf(arg); {
 	case t == nil:
 		return false
@@ -151,6 +172,8 @@ func isDecoration(arg interface{}) bool {
 		return true
 	case t == reflect.TypeOf(Labels{}):
 		return true
+	case t == reflect.TypeOf(SemVerConstraints{}):
+		return true
 	case t == reflect.TypeOf(PollProgressInterval(0)):
 		return true
 	case t == reflect.TypeOf(PollProgressAfter(0)):
@@ -161,6 +184,10 @@ func isDecoration(arg interface{}) bool {
 		return true
 	case t == reflect.TypeOf(GracePeriod(0)):
 		return true
+	case t == reflect.TypeOf(types.AroundNodeDecorator{}):
+		return true
+	case t == reflect.TypeOf(SpecPriority(0)):
+		return true
 	case t.Kind() == reflect.Slice && isSliceOfDecorations(arg):
 		return true
 	default:
@@ -168,7 +195,7 @@ func isDecoration(arg interface{}) bool {
 	}
 }
 
-func isSliceOfDecorations(slice interface{}) bool {
+func isSliceOfDecorations(slice any) bool {
 	vSlice := reflect.ValueOf(slice)
 	if vSlice.Len() == 0 {
 		return false
@@ -184,13 +211,14 @@ func isSliceOfDecorations(slice interface{}) bool {
 var contextType = reflect.TypeOf(new(context.Context)).Elem()
 var specContextType = reflect.TypeOf(new(SpecContext)).Elem()
 
-func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeType, text string, args ...interface{}) (Node, []error) {
+func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeType, text string, args ...any) (Node, []error) {
 	baseOffset := 2
 	node := Node{
 		ID:                   UniqueNodeID(),
 		NodeType:             nodeType,
 		Text:                 text,
 		Labels:               Labels{},
+		SemVerConstraints:    SemVerConstraints{},
 		CodeLocation:         types.NewCodeLocation(baseOffset),
 		NestingLevel:         -1,
 		PollProgressAfter:    -1,
@@ -205,9 +233,9 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 		}
 	}
 
-	args = unrollInterfaceSlice(args)
+	args = UnrollInterfaceSlice(args)
 
-	remainingArgs := []interface{}{}
+	remainingArgs := []any{}
 	// First get the CodeLocation up-to-date
 	for _, arg := range args {
 		switch v := arg.(type) {
@@ -221,9 +249,10 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 	}
 
 	labelsSeen := map[string]bool{}
+	semVerConstraintsSeen := map[string]bool{}
 	trackedFunctionError := false
 	args = remainingArgs
-	remainingArgs = []interface{}{}
+	remainingArgs = []any{}
 	// now process the rest of the args
 	for _, arg := range args {
 		switch t := reflect.TypeOf(arg); {
@@ -241,6 +270,9 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 			}
 		case t == reflect.TypeOf(Serial):
 			node.MarkedSerial = bool(arg.(serialType))
+			if !labelsSeen["Serial"] {
+				node.Labels = append(node.Labels, "Serial")
+			}
 			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
 				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "Serial"))
 			}
@@ -296,6 +328,14 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 			if nodeType.Is(types.NodeTypeContainer) {
 				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "GracePeriod"))
 			}
+		case t == reflect.TypeOf(SpecPriority(0)):
+			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
+				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "SpecPriority"))
+			}
+			node.SpecPriority = int(arg.(SpecPriority))
+			node.HasExplicitlySetSpecPriority = true
+		case t == reflect.TypeOf(types.AroundNodeDecorator{}):
+			node.AroundNodes = append(node.AroundNodes, arg.(types.AroundNodeDecorator))
 		case t == reflect.TypeOf(Labels{}):
 			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
 				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "Label"))
@@ -308,6 +348,18 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 					appendError(err)
 				}
 			}
+		case t == reflect.TypeOf(SemVerConstraints{}):
+			if !nodeType.Is(types.NodeTypesForContainerAndIt) {
+				appendError(types.GinkgoErrors.InvalidDecoratorForNodeType(node.CodeLocation, nodeType, "SemVerConstraint"))
+			}
+			for _, semVerConstraint := range arg.(SemVerConstraints) {
+				if !semVerConstraintsSeen[semVerConstraint] {
+					semVerConstraintsSeen[semVerConstraint] = true
+					semVerConstraint, err := types.ValidateAndCleanupSemVerConstraint(semVerConstraint, node.CodeLocation)
+					node.SemVerConstraints = append(node.SemVerConstraints, semVerConstraint)
+					appendError(err)
+				}
+			}
 		case t.Kind() == reflect.Func:
 			if nodeType.Is(types.NodeTypeContainer) {
 				if node.Body != nil {
@@ -448,7 +500,7 @@ func NewNode(deprecationTracker *types.DeprecationTracker, nodeType types.NodeTy
 
 var doneType = reflect.TypeOf(make(Done))
 
-func extractBodyFunction(deprecationTracker *types.DeprecationTracker, cl types.CodeLocation, arg interface{}) (func(SpecContext), bool) {
+func extractBodyFunction(deprecationTracker *types.DeprecationTracker, cl types.CodeLocation, arg any) (func(SpecContext), bool) {
 	t := reflect.TypeOf(arg)
 	if t.NumOut() > 0 || t.NumIn() > 1 {
 		return nil, false
@@ -474,7 +526,7 @@ func extractBodyFunction(deprecationTracker *types.DeprecationTracker, cl types.
 
 var byteType = reflect.TypeOf([]byte{})
 
-func extractSynchronizedBeforeSuiteProc1Body(arg interface{}) (func(SpecContext) []byte, bool) {
+func extractSynchronizedBeforeSuiteProc1Body(arg any) (func(SpecContext) []byte, bool) {
 	t := reflect.TypeOf(arg)
 	v := reflect.ValueOf(arg)
 
@@ -502,7 +554,7 @@ func extractSynchronizedBeforeSuiteProc1Body(arg interface{}) (func(SpecContext)
 	}, hasContext
 }
 
-func extractSynchronizedBeforeSuiteAllProcsBody(arg interface{}) (func(SpecContext, []byte), bool) {
+func extractSynchronizedBeforeSuiteAllProcsBody(arg any) (func(SpecContext, []byte), bool) {
 	t := reflect.TypeOf(arg)
 	v := reflect.ValueOf(arg)
 	hasContext, hasByte := false, false
@@ -533,11 +585,11 @@ func extractSynchronizedBeforeSuiteAllProcsBody(arg interface{}) (func(SpecConte
 
 var errInterface = reflect.TypeOf((*error)(nil)).Elem()
 
-func NewCleanupNode(deprecationTracker *types.DeprecationTracker, fail func(string, types.CodeLocation), args ...interface{}) (Node, []error) {
+func NewCleanupNode(deprecationTracker *types.DeprecationTracker, fail func(string, types.CodeLocation), args ...any) (Node, []error) {
 	decorations, remainingArgs := PartitionDecorations(args...)
 	baseOffset := 2
 	cl := types.NewCodeLocation(baseOffset)
-	finalArgs := []interface{}{}
+	finalArgs := []any{}
 	for _, arg := range decorations {
 		switch t := reflect.TypeOf(arg); {
 		case t == reflect.TypeOf(Offset(0)):
@@ -596,7 +648,7 @@ func NewCleanupNode(deprecationTracker *types.DeprecationTracker, fail func(stri
 		})
 	}
 
-	return NewNode(deprecationTracker, types.NodeTypeCleanupInvalid, "", finalArgs...)
+	return NewNode(deprecationTracker, types.NodeTypeCleanupInvalid, "", finalArgs)
 }
 
 func (n Node) IsZero() bool {
@@ -821,6 +873,32 @@ func (n Nodes) UnionOfLabels() []string {
 	return out
 }
 
+func (n Nodes) SemVerConstraints() [][]string {
+	out := make([][]string, len(n))
+	for i := range n {
+		if n[i].SemVerConstraints == nil {
+			out[i] = []string{}
+		} else {
+			out[i] = []string(n[i].SemVerConstraints)
+		}
+	}
+	return out
+}
+
+func (n Nodes) UnionOfSemVerConstraints() []string {
+	out := []string{}
+	seen := map[string]bool{}
+	for i := range n {
+		for _, constraint := range n[i].SemVerConstraints {
+			if !seen[constraint] {
+				seen[constraint] = true
+				out = append(out, constraint)
+			}
+		}
+	}
+	return out
+}
+
 func (n Nodes) CodeLocations() []types.CodeLocation {
 	out := make([]types.CodeLocation, len(n))
 	for i := range n {
@@ -917,19 +995,84 @@ func (n Nodes) GetMaxMustPassRepeatedly() int {
 	return maxMustPassRepeatedly
 }
 
-func unrollInterfaceSlice(args interface{}) []interface{} {
+func (n Nodes) GetSpecPriority() int {
+	for i := len(n) - 1; i >= 0; i-- {
+		if n[i].HasExplicitlySetSpecPriority {
+			return n[i].SpecPriority
+		}
+	}
+	return 0
+}
+
+func UnrollInterfaceSlice(args any) []any {
 	v := reflect.ValueOf(args)
 	if v.Kind() != reflect.Slice {
-		return []interface{}{args}
+		return []any{args}
 	}
-	out := []interface{}{}
+	out := []any{}
 	for i := 0; i < v.Len(); i++ {
 		el := reflect.ValueOf(v.Index(i).Interface())
-		if el.Kind() == reflect.Slice && el.Type() != reflect.TypeOf(Labels{}) {
-			out = append(out, unrollInterfaceSlice(el.Interface())...)
+		if el.Kind() == reflect.Slice && el.Type() != reflect.TypeOf(Labels{}) && el.Type() != reflect.TypeOf(SemVerConstraints{}) {
+			out = append(out, UnrollInterfaceSlice(el.Interface())...)
 		} else {
 			out = append(out, v.Index(i).Interface())
 		}
 	}
 	return out
 }
+
+type NodeArgsTransformer func(nodeType types.NodeType, offset Offset, text string, args []any) (string, []any, []error)
+
+func AddTreeConstructionNodeArgsTransformer(transformer NodeArgsTransformer) func() {
+	id := nodeArgsTransformerCounter
+	nodeArgsTransformerCounter++
+	nodeArgsTransformers = append(nodeArgsTransformers, registeredNodeArgsTransformer{id, transformer})
+	return func() {
+		nodeArgsTransformers = slices.DeleteFunc(nodeArgsTransformers, func(transformer registeredNodeArgsTransformer) bool {
+			return transformer.id == id
+		})
+	}
+}
+
+var (
+	nodeArgsTransformerCounter int64
+	nodeArgsTransformers       []registeredNodeArgsTransformer
+)
+
+type registeredNodeArgsTransformer struct {
+	id          int64
+	transformer NodeArgsTransformer
+}
+
+// TransformNewNodeArgs is the helper for DSL functions which handles NodeArgsTransformers.
+//
+// Its return valus are intentionally the same as the internal.NewNode parameters,
+// which makes it possible to chain the invocations:
+//
+//	NewNode(transformNewNodeArgs(...))
+func TransformNewNodeArgs(exitIfErrors func([]error), deprecationTracker *types.DeprecationTracker, nodeType types.NodeType, text string, args ...any) (*types.DeprecationTracker, types.NodeType, string, []any) {
+	var errs []error
+
+	// Most recent first...
+	//
+	// This intentionally doesn't use slices.Backward because
+	// using iterators influences stack unwinding.
+	for i := len(nodeArgsTransformers) - 1; i >= 0; i-- {
+		transformer := nodeArgsTransformers[i].transformer
+		args = UnrollInterfaceSlice(args)
+
+		// We do not really need to recompute this on additional loop iterations,
+		// but its fast and simpler this way.
+		var offset Offset
+		for _, arg := range args {
+			if o, ok := arg.(Offset); ok {
+				offset = o
+			}
+		}
+		offset += 3 // The DSL function, this helper, and the TransformNodeArgs implementation.
+
+		text, args, errs = transformer(nodeType, offset, text, args)
+		exitIfErrors(errs)
+	}
+	return deprecationTracker, nodeType, text, args
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go b/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
index 84eea0a59e653..da58d54f95730 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/ordering.go
@@ -125,7 +125,7 @@ func OrderSpecs(specs Specs, suiteConfig types.SuiteConfig) (GroupedSpecIndices,
 		// pick out a representative spec
 		representativeSpec := specs[executionGroups[groupID][0]]
 
-		// and grab the node on the spec that will represent which shufflable group this execution group belongs tu
+		// and grab the node on the spec that will represent which shufflable group this execution group belongs to
 		shufflableGroupingNode := representativeSpec.Nodes.FirstNodeWithType(nodeTypesToShuffle)
 
 		//add the execution group to its shufflable group
@@ -138,14 +138,35 @@ func OrderSpecs(specs Specs, suiteConfig types.SuiteConfig) (GroupedSpecIndices,
 		}
 	}
 
+	// now, for each shuffleable group, we compute the priority
+	shufflableGroupingIDPriorities := map[uint]int{}
+	for shufflableGroupingID, groupIDs := range shufflableGroupingIDToGroupIDs {
+		// the priority of a shufflable grouping is the max priority of any spec in any execution group in the shufflable grouping
+		maxPriority := -1 << 31 // min int
+		for _, groupID := range groupIDs {
+			for _, specIdx := range executionGroups[groupID] {
+				specPriority := specs[specIdx].Nodes.GetSpecPriority()
+				maxPriority = max(specPriority, maxPriority)
+			}
+		}
+		shufflableGroupingIDPriorities[shufflableGroupingID] = maxPriority
+	}
+
 	// now we permute the sorted shufflable grouping IDs and build the ordered Groups
-	orderedGroups := GroupedSpecIndices{}
 	permutation := r.Perm(len(shufflableGroupingIDs))
-	for _, j := range permutation {
-		//let's get the execution group IDs for this shufflable group:
-		executionGroupIDsForJ := shufflableGroupingIDToGroupIDs[shufflableGroupingIDs[j]]
-		// and we'll add their associated specindices to the orderedGroups slice:
-		for _, executionGroupID := range executionGroupIDsForJ {
+	shuffledGroupingIds := make([]uint, len(shufflableGroupingIDs))
+	for i, j := range permutation {
+		shuffledGroupingIds[i] = shufflableGroupingIDs[j]
+	}
+	// now, we need to stable sort the shuffledGroupingIds by priority (higher priority first)
+	sort.SliceStable(shuffledGroupingIds, func(i, j int) bool {
+		return shufflableGroupingIDPriorities[shuffledGroupingIds[i]] > shufflableGroupingIDPriorities[shuffledGroupingIds[j]]
+	})
+
+	// we can now take these prioritized, shuffled, groupings and form the final set of ordered spec groups
+	orderedGroups := GroupedSpecIndices{}
+	for _, id := range shuffledGroupingIds {
+		for _, executionGroupID := range shufflableGroupingIDToGroupIDs[id] {
 			orderedGroups = append(orderedGroups, executionGroups[executionGroupID])
 		}
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go b/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go
index 4a1c0946127b1..5598f15cbbf9b 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go
@@ -69,7 +69,7 @@ type pipePair struct {
 	writer *os.File
 }
 
-func startPipeFactory(pipeChannel chan pipePair, shutdown chan interface{}) {
+func startPipeFactory(pipeChannel chan pipePair, shutdown chan any) {
 	for {
 		//make the next pipe...
 		pair := pipePair{}
@@ -101,8 +101,8 @@ type genericOutputInterceptor struct {
 	stderrClone *os.File
 	pipe        pipePair
 
-	shutdown           chan interface{}
-	emergencyBailout   chan interface{}
+	shutdown           chan any
+	emergencyBailout   chan any
 	pipeChannel        chan pipePair
 	interceptedContent chan string
 
@@ -139,7 +139,7 @@ func (interceptor *genericOutputInterceptor) ResumeIntercepting() {
 	interceptor.intercepting = true
 	if interceptor.stdoutClone == nil {
 		interceptor.stdoutClone, interceptor.stderrClone = interceptor.implementation.CreateStdoutStderrClones()
-		interceptor.shutdown = make(chan interface{})
+		interceptor.shutdown = make(chan any)
 		go startPipeFactory(interceptor.pipeChannel, interceptor.shutdown)
 	}
 
@@ -147,13 +147,13 @@ func (interceptor *genericOutputInterceptor) ResumeIntercepting() {
 	// we get the pipe from our pipe factory.  it runs in the background so we can request the next pipe while the spec being intercepted is running
 	interceptor.pipe = <-interceptor.pipeChannel
 
-	interceptor.emergencyBailout = make(chan interface{})
+	interceptor.emergencyBailout = make(chan any)
 
 	//Spin up a goroutine to copy data from the pipe into a buffer, this is how we capture any output the user is emitting
 	go func() {
 		buffer := &bytes.Buffer{}
 		destination := io.MultiWriter(buffer, interceptor.forwardTo)
-		copyFinished := make(chan interface{})
+		copyFinished := make(chan any)
 		reader := interceptor.pipe.reader
 		go func() {
 			io.Copy(destination, reader)
@@ -224,7 +224,7 @@ func NewOSGlobalReassigningOutputInterceptor() OutputInterceptor {
 	return &genericOutputInterceptor{
 		interceptedContent: make(chan string),
 		pipeChannel:        make(chan pipePair),
-		shutdown:           make(chan interface{}),
+		shutdown:           make(chan any),
 		implementation:     &osGlobalReassigningOutputInterceptorImpl{},
 	}
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go b/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go
index 8a237f4463749..e0f1431d5122a 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go
@@ -13,7 +13,7 @@ func NewOutputInterceptor() OutputInterceptor {
 	return &genericOutputInterceptor{
 		interceptedContent: make(chan string),
 		pipeChannel:        make(chan pipePair),
-		shutdown:           make(chan interface{}),
+		shutdown:           make(chan any),
 		implementation:     &dupSyscallOutputInterceptorImpl{},
 	}
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go
index b3cd64292abb7..4234d802cf30d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go
@@ -30,7 +30,7 @@ type Server interface {
 	Close()
 	Address() string
 	RegisterAlive(node int, alive func() bool)
-	GetSuiteDone() chan interface{}
+	GetSuiteDone() chan any
 	GetOutputDestination() io.Writer
 	SetOutputDestination(io.Writer)
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go
index 6547c7a66e5b7..4aa10ae4f99ca 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go
@@ -34,7 +34,7 @@ func (client *httpClient) Close() error {
 	return nil
 }
 
-func (client *httpClient) post(path string, data interface{}) error {
+func (client *httpClient) post(path string, data any) error {
 	var body io.Reader
 	if data != nil {
 		encoded, err := json.Marshal(data)
@@ -54,7 +54,7 @@ func (client *httpClient) post(path string, data interface{}) error {
 	return nil
 }
 
-func (client *httpClient) poll(path string, data interface{}) error {
+func (client *httpClient) poll(path string, data any) error {
 	for {
 		resp, err := http.Get(client.serverHost + path)
 		if err != nil {
@@ -153,10 +153,7 @@ func (client *httpClient) PostAbort() error {
 
 func (client *httpClient) ShouldAbort() bool {
 	err := client.poll("/abort", nil)
-	if err == ErrorGone {
-		return true
-	}
-	return false
+	return err == ErrorGone
 }
 
 func (client *httpClient) Write(p []byte) (int, error) {
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go
index d2c71ab1b259e..8a1b7a5bbe879 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go
@@ -75,7 +75,7 @@ func (server *httpServer) Address() string {
 	return "http://" + server.listener.Addr().String()
 }
 
-func (server *httpServer) GetSuiteDone() chan interface{} {
+func (server *httpServer) GetSuiteDone() chan any {
 	return server.handler.done
 }
 
@@ -96,7 +96,7 @@ func (server *httpServer) RegisterAlive(node int, alive func() bool) {
 //
 
 // The server will forward all received messages to Ginkgo reporters registered with `RegisterReporters`
-func (server *httpServer) decode(writer http.ResponseWriter, request *http.Request, object interface{}) bool {
+func (server *httpServer) decode(writer http.ResponseWriter, request *http.Request, object any) bool {
 	defer request.Body.Close()
 	if json.NewDecoder(request.Body).Decode(object) != nil {
 		writer.WriteHeader(http.StatusBadRequest)
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go
index 59e8e6fd0a6f5..bb4675a02c15f 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go
@@ -35,7 +35,7 @@ func (client *rpcClient) Close() error {
 	return client.client.Close()
 }
 
-func (client *rpcClient) poll(method string, data interface{}) error {
+func (client *rpcClient) poll(method string, data any) error {
 	for {
 		err := client.client.Call(method, voidSender, data)
 		if err == nil {
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go
index 2620fd562d38b..1574f99ac4f15 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go
@@ -25,7 +25,7 @@ type RPCServer struct {
 	handler  *ServerHandler
 }
 
-//Create a new server, automatically selecting a port
+// Create a new server, automatically selecting a port
 func newRPCServer(parallelTotal int, reporter reporters.Reporter) (*RPCServer, error) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
@@ -37,7 +37,7 @@ func newRPCServer(parallelTotal int, reporter reporters.Reporter) (*RPCServer, e
 	}, nil
 }
 
-//Start the server.  You don't need to `go s.Start()`, just `s.Start()`
+// Start the server.  You don't need to `go s.Start()`, just `s.Start()`
 func (server *RPCServer) Start() {
 	rpcServer := rpc.NewServer()
 	rpcServer.RegisterName("Server", server.handler) //register the handler's methods as the server
@@ -48,17 +48,17 @@ func (server *RPCServer) Start() {
 	go httpServer.Serve(server.listener)
 }
 
-//Stop the server
+// Stop the server
 func (server *RPCServer) Close() {
 	server.listener.Close()
 }
 
-//The address the server can be reached it.  Pass this into the `ForwardingReporter`.
+// The address the server can be reached it.  Pass this into the `ForwardingReporter`.
 func (server *RPCServer) Address() string {
 	return server.listener.Addr().String()
 }
 
-func (server *RPCServer) GetSuiteDone() chan interface{} {
+func (server *RPCServer) GetSuiteDone() chan any {
 	return server.handler.done
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go
index a6d98793e9fca..ab9e11372ca11 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go
@@ -18,7 +18,7 @@ var voidSender Void
 // It handles all the business logic to avoid duplication between the two servers
 
 type ServerHandler struct {
-	done                   chan interface{}
+	done                   chan any
 	outputDestination      io.Writer
 	reporter               reporters.Reporter
 	alives                 []func() bool
@@ -46,7 +46,7 @@ func newServerHandler(parallelTotal int, reporter reporters.Reporter) *ServerHan
 
 		parallelTotal:     parallelTotal,
 		outputDestination: os.Stdout,
-		done:              make(chan interface{}),
+		done:              make(chan any),
 	}
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go b/vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go
index 11269cf1f2429..165cbc4b67820 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go
@@ -236,7 +236,7 @@ func extractRunningGoroutines() ([]types.Goroutine, error) {
 		}
 		functionCall.Filename = line[:delimiterIdx]
 		line = strings.Split(line[delimiterIdx+1:], " ")[0]
-		lineNumber, err := strconv.ParseInt(line, 10, 64)
+		lineNumber, err := strconv.ParseInt(line, 10, 32)
 		functionCall.Line = int(lineNumber)
 		if err != nil {
 			return nil, types.GinkgoErrors.FailedToParseStackTrace(fmt.Sprintf("Invalid function call line number: %s\n%s", line, err.Error()))
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go b/vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go
index cc351a39bd622..9c18dc8e5866e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go
@@ -8,7 +8,7 @@ import (
 
 type ReportEntry = types.ReportEntry
 
-func NewReportEntry(name string, cl types.CodeLocation, args ...interface{}) (ReportEntry, error) {
+func NewReportEntry(name string, cl types.CodeLocation, args ...any) (ReportEntry, error) {
 	out := ReportEntry{
 		Visibility: types.ReportEntryVisibilityAlways,
 		Name:       name,
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go
new file mode 100644
index 0000000000000..8b7a9ceabf730
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go
@@ -0,0 +1,158 @@
+package reporters
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/onsi/ginkgo/v2/types"
+	"golang.org/x/tools/go/packages"
+)
+
+func ptr[T any](in T) *T {
+	return &in
+}
+
+type encoder interface {
+	Encode(v any) error
+}
+
+// gojsonEvent matches the format from go internals
+// https://github.com/golang/go/blob/master/src/cmd/internal/test2json/test2json.go#L31-L41
+// https://pkg.go.dev/cmd/test2json
+type gojsonEvent struct {
+	Time        *time.Time `json:",omitempty"`
+	Action      GoJSONAction
+	Package     string   `json:",omitempty"`
+	Test        string   `json:",omitempty"`
+	Elapsed     *float64 `json:",omitempty"`
+	Output      *string  `json:",omitempty"`
+	FailedBuild string   `json:",omitempty"`
+}
+
+type GoJSONAction string
+
+const (
+	// start  - the test binary is about to be executed
+	GoJSONStart GoJSONAction = "start"
+	// run    - the test has started running
+	GoJSONRun GoJSONAction = "run"
+	// pause  - the test has been paused
+	GoJSONPause GoJSONAction = "pause"
+	// cont   - the test has continued running
+	GoJSONCont GoJSONAction = "cont"
+	// pass   - the test passed
+	GoJSONPass GoJSONAction = "pass"
+	// bench  - the benchmark printed log output but did not fail
+	GoJSONBench GoJSONAction = "bench"
+	// fail   - the test or benchmark failed
+	GoJSONFail GoJSONAction = "fail"
+	// output - the test printed output
+	GoJSONOutput GoJSONAction = "output"
+	// skip   - the test was skipped or the package contained no tests
+	GoJSONSkip GoJSONAction = "skip"
+)
+
+func goJSONActionFromSpecState(state types.SpecState) GoJSONAction {
+	switch state {
+	case types.SpecStateInvalid:
+		return GoJSONFail
+	case types.SpecStatePending:
+		return GoJSONSkip
+	case types.SpecStateSkipped:
+		return GoJSONSkip
+	case types.SpecStatePassed:
+		return GoJSONPass
+	case types.SpecStateFailed:
+		return GoJSONFail
+	case types.SpecStateAborted:
+		return GoJSONFail
+	case types.SpecStatePanicked:
+		return GoJSONFail
+	case types.SpecStateInterrupted:
+		return GoJSONFail
+	case types.SpecStateTimedout:
+		return GoJSONFail
+	default:
+		panic("unexpected state should not happen")
+	}
+}
+
+// gojsonReport wraps types.Report and calcualtes extra fields requires by gojson
+type gojsonReport struct {
+	o types.Report
+	// Extra calculated fields
+	goPkg string
+	elapsed float64
+}
+
+func newReport(in types.Report) *gojsonReport {
+	return &gojsonReport{
+		o: in,
+	}
+}
+
+func (r *gojsonReport) Fill() error {
+	// NOTE: could the types.Report include the go package name?
+	goPkg, err := suitePathToPkg(r.o.SuitePath)
+	if err != nil {
+		return err
+	}
+	r.goPkg = goPkg
+	r.elapsed = r.o.RunTime.Seconds()
+	return nil
+}
+
+// gojsonSpecReport wraps types.SpecReport and calculates extra fields required by gojson
+type gojsonSpecReport struct {
+	o types.SpecReport
+	// extra calculated fields
+	testName string
+	elapsed float64
+	action GoJSONAction
+}
+
+func newSpecReport(in types.SpecReport) *gojsonSpecReport {
+	return &gojsonSpecReport{
+		o: in,
+	}
+}
+
+func (sr *gojsonSpecReport) Fill() error {
+	sr.elapsed = sr.o.RunTime.Seconds()
+	sr.testName = createTestName(sr.o)
+	sr.action = goJSONActionFromSpecState(sr.o.State)
+	return nil
+}
+
+func suitePathToPkg(dir string) (string, error) {
+	cfg := &packages.Config{
+		Mode: packages.NeedFiles | packages.NeedSyntax,
+	}
+	pkgs, err := packages.Load(cfg, dir)
+	if err != nil {
+		return "", err
+	}
+	if len(pkgs) != 1 {
+		return "", errors.New("error")
+	}
+	return pkgs[0].ID, nil
+}
+
+func createTestName(spec types.SpecReport) string {
+		name := fmt.Sprintf("[%s]", spec.LeafNodeType)
+		if spec.FullText() != "" {
+			name = name + " " + spec.FullText()
+		}
+		labels := spec.Labels()
+		if len(labels) > 0 {
+			name = name + " [" + strings.Join(labels, ", ") + "]"
+		}
+		semVerConstraints := spec.SemVerConstraints()
+		if len(semVerConstraints) > 0 {
+			name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
+		}
+		name = strings.TrimSpace(name)
+		return name
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go
new file mode 100644
index 0000000000000..ec5311d069c6a
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go
@@ -0,0 +1,111 @@
+package reporters
+
+type GoJSONEventWriter struct {
+	enc encoder
+	specSystemErrFn specSystemExtractFn
+	specSystemOutFn specSystemExtractFn
+}
+
+func NewGoJSONEventWriter(enc encoder, errFn specSystemExtractFn, outFn specSystemExtractFn) *GoJSONEventWriter {
+	return &GoJSONEventWriter{
+		enc: enc,
+		specSystemErrFn: errFn,
+		specSystemOutFn: outFn,
+	}
+}
+
+func (r *GoJSONEventWriter) writeEvent(e *gojsonEvent) error {
+	return r.enc.Encode(e)
+}
+
+func (r *GoJSONEventWriter) WriteSuiteStart(report *gojsonReport) error {
+	e := &gojsonEvent{
+		Time:        &report.o.StartTime,
+		Action:      GoJSONStart,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSuiteResult(report *gojsonReport) error {
+	var action GoJSONAction
+	switch {
+	case report.o.PreRunStats.SpecsThatWillRun == 0:
+		action = GoJSONSkip
+	case report.o.SuiteSucceeded:
+		action = GoJSONPass
+	default:
+		action = GoJSONFail
+	}
+	e := &gojsonEvent{
+		Time:        &report.o.EndTime,
+		Action:      action,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+		Elapsed:     ptr(report.elapsed),
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSpecStart(report *gojsonReport, specReport *gojsonSpecReport) error {
+	e := &gojsonEvent{
+		Time:        &specReport.o.StartTime,
+		Action:      GoJSONRun,
+		Test:        specReport.testName,
+		Package:     report.goPkg,
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
+
+func (r *GoJSONEventWriter) WriteSpecOut(report *gojsonReport, specReport *gojsonSpecReport) error {
+	events := []*gojsonEvent{}
+
+	stdErr := r.specSystemErrFn(specReport.o)
+	if stdErr != "" {
+		events = append(events, &gojsonEvent{
+			Time:        &specReport.o.EndTime,
+			Action:      GoJSONOutput,
+			Test:        specReport.testName,
+			Package:     report.goPkg,
+			Output:      ptr(stdErr),
+			FailedBuild: "",
+		})
+	}
+	stdOut := r.specSystemOutFn(specReport.o)
+	if stdOut != "" {
+		events = append(events, &gojsonEvent{
+			Time:        &specReport.o.EndTime,
+			Action:      GoJSONOutput,
+			Test:        specReport.testName,
+			Package:     report.goPkg,
+			Output:      ptr(stdOut),
+			FailedBuild: "",
+		})
+	}
+
+	for _, ev := range events {
+		err := r.writeEvent(ev)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *GoJSONEventWriter) WriteSpecResult(report *gojsonReport, specReport *gojsonSpecReport) error {
+	e := &gojsonEvent{
+		Time:        &specReport.o.EndTime,
+		Action:      specReport.action,
+		Test:        specReport.testName,
+		Package:     report.goPkg,
+		Elapsed:     ptr(specReport.elapsed),
+		Output:      nil,
+		FailedBuild: "",
+	}
+	return r.writeEvent(e)
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go
new file mode 100644
index 0000000000000..633e49b88d5e9
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go
@@ -0,0 +1,45 @@
+package reporters
+
+import (
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+type GoJSONReporter struct {
+	ev *GoJSONEventWriter
+}
+
+type specSystemExtractFn func (spec types.SpecReport) string
+
+func NewGoJSONReporter(enc encoder, errFn specSystemExtractFn, outFn specSystemExtractFn) *GoJSONReporter {
+	return &GoJSONReporter{
+		ev: NewGoJSONEventWriter(enc, errFn, outFn),
+	}
+}
+
+func (r *GoJSONReporter) Write(originalReport types.Report) error {
+	// suite start events
+	report := newReport(originalReport)
+	err := report.Fill()
+	if err != nil {
+		return err
+	}
+	r.ev.WriteSuiteStart(report)
+	for _, originalSpecReport := range originalReport.SpecReports {
+		specReport := newSpecReport(originalSpecReport)
+		err := specReport.Fill()
+		if err != nil {
+			return err
+		}
+		if specReport.o.LeafNodeType == types.NodeTypeIt {
+			// handle any It leaf node as a spec
+			r.ev.WriteSpecStart(report, specReport)
+			r.ev.WriteSpecOut(report, specReport)
+			r.ev.WriteSpecResult(report, specReport)
+		} else {
+			// handle any other leaf node as generic output
+			r.ev.WriteSpecOut(report, specReport)
+		}
+	}
+	r.ev.WriteSuiteResult(report)
+	return nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go b/vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go
index 2d2ea2fc3577f..99c9c5f5beee2 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go
@@ -2,6 +2,7 @@ package internal
 
 import (
 	"context"
+	"reflect"
 
 	"github.com/onsi/ginkgo/v2/types"
 )
@@ -11,6 +12,7 @@ type SpecContext interface {
 
 	SpecReport() types.SpecReport
 	AttachProgressReporter(func() string) func()
+	WrappedContext() context.Context
 }
 
 type specContext struct {
@@ -45,3 +47,28 @@ func NewSpecContext(suite *Suite) *specContext {
 func (sc *specContext) SpecReport() types.SpecReport {
 	return sc.suite.CurrentSpecReport()
 }
+
+func (sc *specContext) WrappedContext() context.Context {
+	return sc.Context
+}
+
+/*
+The user is allowed to wrap `SpecContext` in a new context.Context when using AroundNodes.  But body functions expect SpecContext.
+We support this by taking their context.Context and returning a SpecContext that wraps it.
+*/
+func wrapContextChain(ctx context.Context) SpecContext {
+	if ctx == nil {
+		return nil
+	}
+	if reflect.TypeOf(ctx) == reflect.TypeOf(&specContext{}) {
+		return ctx.(*specContext)
+	} else if sc, ok := ctx.Value("GINKGO_SPEC_CONTEXT").(*specContext); ok {
+		return &specContext{
+			Context:                 ctx,
+			ProgressReporterManager: sc.ProgressReporterManager,
+			cancel:                  sc.cancel,
+			suite:                   sc.suite,
+		}
+	}
+	return nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
index 12e50b8a95bf6..204446e820125 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
@@ -1,6 +1,7 @@
 package internal
 
 import (
+	"context"
 	"fmt"
 	"sync"
 	"time"
@@ -9,7 +10,6 @@ import (
 	"github.com/onsi/ginkgo/v2/internal/parallel_support"
 	"github.com/onsi/ginkgo/v2/reporters"
 	"github.com/onsi/ginkgo/v2/types"
-	"golang.org/x/net/context"
 )
 
 type Phase uint
@@ -20,7 +20,7 @@ const (
 	PhaseRun
 )
 
-var PROGRESS_REPORTER_DEADLING = 5 * time.Second
+const ProgressReporterDeadline = 5 * time.Second
 
 type Suite struct {
 	tree               *TreeNode
@@ -32,6 +32,7 @@ type Suite struct {
 
 	suiteNodes   Nodes
 	cleanupNodes Nodes
+	aroundNodes  types.AroundNodes
 
 	failer            *Failer
 	reporter          reporters.Reporter
@@ -41,6 +42,8 @@ type Suite struct {
 	config            types.SuiteConfig
 	deadline          time.Time
 
+	currentConstructionNodeReport *types.ConstructionNodeReport
+
 	skipAll              bool
 	report               types.Report
 	currentSpecReport    types.SpecReport
@@ -89,6 +92,7 @@ func (suite *Suite) Clone() (*Suite, error) {
 		ProgressReporterManager: NewProgressReporterManager(),
 		topLevelContainers:      suite.topLevelContainers.Clone(),
 		suiteNodes:              suite.suiteNodes.Clone(),
+		aroundNodes:             suite.aroundNodes.Clone(),
 		selectiveLock:           &sync.Mutex{},
 	}, nil
 }
@@ -106,7 +110,7 @@ func (suite *Suite) BuildTree() error {
 	return nil
 }
 
-func (suite *Suite) Run(description string, suiteLabels Labels, suitePath string, failer *Failer, reporter reporters.Reporter, writer WriterInterface, outputInterceptor OutputInterceptor, interruptHandler interrupt_handler.InterruptHandlerInterface, client parallel_support.Client, progressSignalRegistrar ProgressSignalRegistrar, suiteConfig types.SuiteConfig) (bool, bool) {
+func (suite *Suite) Run(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suiteAroundNodes types.AroundNodes, suitePath string, failer *Failer, reporter reporters.Reporter, writer WriterInterface, outputInterceptor OutputInterceptor, interruptHandler interrupt_handler.InterruptHandlerInterface, client parallel_support.Client, progressSignalRegistrar ProgressSignalRegistrar, suiteConfig types.SuiteConfig) (bool, bool) {
 	if suite.phase != PhaseBuildTree {
 		panic("cannot run before building the tree = call suite.BuildTree() first")
 	}
@@ -117,7 +121,8 @@ func (suite *Suite) Run(description string, suiteLabels Labels, suitePath string
 			suite.annotateFn(spec.Text(), spec)
 		}
 	}
-	specs, hasProgrammaticFocus := ApplyFocusToSpecs(specs, description, suiteLabels, suiteConfig)
+	specs, hasProgrammaticFocus := ApplyFocusToSpecs(specs, description, suiteLabels, suiteSemVerConstraints, suiteConfig)
+	specs = ComputeAroundNodes(specs)
 
 	suite.phase = PhaseRun
 	suite.client = client
@@ -127,6 +132,7 @@ func (suite *Suite) Run(description string, suiteLabels Labels, suitePath string
 	suite.outputInterceptor = outputInterceptor
 	suite.interruptHandler = interruptHandler
 	suite.config = suiteConfig
+	suite.aroundNodes = suiteAroundNodes
 
 	if suite.config.Timeout > 0 {
 		suite.deadline = time.Now().Add(suite.config.Timeout)
@@ -134,7 +140,7 @@ func (suite *Suite) Run(description string, suiteLabels Labels, suitePath string
 
 	cancelProgressHandler := progressSignalRegistrar(suite.handleProgressSignal)
 
-	success := suite.runSpecs(description, suiteLabels, suitePath, hasProgrammaticFocus, specs)
+	success := suite.runSpecs(description, suiteLabels, suiteSemVerConstraints, suitePath, hasProgrammaticFocus, specs)
 
 	cancelProgressHandler()
 
@@ -206,6 +212,14 @@ func (suite *Suite) PushNode(node Node) error {
 						err = types.GinkgoErrors.CaughtPanicDuringABuildPhase(e, node.CodeLocation)
 					}
 				}()
+
+				// Ensure that code running in the body of the container node
+				// has access to information about the current container node(s).
+				suite.currentConstructionNodeReport = constructionNodeReportForTreeNode(suite.tree)
+				defer func() {
+					suite.currentConstructionNodeReport = nil
+				}()
+
 				node.Body(nil)
 				return err
 			}()
@@ -266,6 +280,7 @@ func (suite *Suite) pushCleanupNode(node Node) error {
 
 	node.NodeIDWhereCleanupWasGenerated = suite.currentNode.ID
 	node.NestingLevel = suite.currentNode.NestingLevel
+	node.AroundNodes = types.AroundNodes{}.Append(suite.currentNode.AroundNodes...).Append(node.AroundNodes...)
 	suite.selectiveLock.Lock()
 	suite.cleanupNodes = append(suite.cleanupNodes, node)
 	suite.selectiveLock.Unlock()
@@ -334,6 +349,16 @@ func (suite *Suite) By(text string, callback ...func()) error {
 	return nil
 }
 
+func (suite *Suite) CurrentConstructionNodeReport() types.ConstructionNodeReport {
+	suite.selectiveLock.Lock()
+	defer suite.selectiveLock.Unlock()
+	report := suite.currentConstructionNodeReport
+	if report == nil {
+		panic("CurrentConstructionNodeReport may only be called during construction of the spec tree")
+	}
+	return *report
+}
+
 /*
 Spec Running methods - used during PhaseRun
 */
@@ -377,7 +402,7 @@ func (suite *Suite) generateProgressReport(fullReport bool) types.ProgressReport
 	suite.selectiveLock.Lock()
 	defer suite.selectiveLock.Unlock()
 
-	deadline, cancel := context.WithTimeout(context.Background(), PROGRESS_REPORTER_DEADLING)
+	deadline, cancel := context.WithTimeout(context.Background(), ProgressReporterDeadline)
 	defer cancel()
 	var additionalReports []string
 	if suite.currentSpecContext != nil {
@@ -435,13 +460,14 @@ func (suite *Suite) processCurrentSpecReport() {
 	}
 }
 
-func (suite *Suite) runSpecs(description string, suiteLabels Labels, suitePath string, hasProgrammaticFocus bool, specs Specs) bool {
+func (suite *Suite) runSpecs(description string, suiteLabels Labels, suiteSemVerConstraints SemVerConstraints, suitePath string, hasProgrammaticFocus bool, specs Specs) bool {
 	numSpecsThatWillBeRun := specs.CountWithoutSkip()
 
 	suite.report = types.Report{
 		SuitePath:                 suitePath,
 		SuiteDescription:          description,
 		SuiteLabels:               suiteLabels,
+		SuiteSemVerConstraints:    suiteSemVerConstraints,
 		SuiteConfig:               suite.config,
 		SuiteHasProgrammaticFocus: hasProgrammaticFocus,
 		PreRunStats: types.PreRunStats{
@@ -898,7 +924,30 @@ func (suite *Suite) runNode(node Node, specDeadline time.Time, text string) (typ
 			failureC <- failureFromRun
 		}()
 
-		node.Body(sc)
+		aroundNodes := types.AroundNodes{}.Append(suite.aroundNodes...).Append(node.AroundNodes...)
+		if len(aroundNodes) > 0 {
+			i := 0
+			var f func(context.Context)
+			f = func(c context.Context) {
+				sc := wrapContextChain(c)
+				if sc == nil {
+					suite.failer.Fail("An AroundNode failed to pass a valid Ginkgo SpecContext in.  You must always pass in a context derived from the context passed to you.", aroundNodes[i].CodeLocation)
+					return
+				}
+				i++
+				if i < len(aroundNodes) {
+					aroundNodes[i].Body(sc, f)
+				} else {
+					node.Body(sc)
+				}
+			}
+			aroundNodes[0].Body(sc, f)
+			if i != len(aroundNodes) {
+				suite.failer.Fail("An AroundNode failed to call the passed in function.", aroundNodes[i].CodeLocation)
+			}
+		} else {
+			node.Body(sc)
+		}
 		finished = true
 	}()
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/suite_patch.go b/vendor/github.com/onsi/ginkgo/v2/internal/suite_patch.go
index 29eae02832497..2f0ccfc5751b3 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/suite_patch.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/suite_patch.go
@@ -65,7 +65,7 @@ func (suite *Suite) RunSpec(spec types.TestSpec, suiteLabels Labels, suiteDescri
 	suite.interruptHandler = interrupt_handler.NewInterruptHandler(nil)
 	suite.config = suiteConfig
 
-	success := suite.runSpecs(suiteDescription, suiteLabels, suitePath, false, []Spec{spec.(Spec)})
+	success := suite.runSpecs(suiteDescription, suiteLabels, SemVerConstraints{}, suitePath, false, []Spec{spec.(Spec)})
 
 	return success, false
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go b/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
index 73e26556568ee..9806e315a61a6 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go
@@ -1,6 +1,7 @@
 package testingtproxy
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"os"
@@ -19,9 +20,9 @@ type addReportEntryFunc func(names string, args ...any)
 type ginkgoWriterInterface interface {
 	io.Writer
 
-	Print(a ...interface{})
-	Printf(format string, a ...interface{})
-	Println(a ...interface{})
+	Print(a ...any)
+	Printf(format string, a ...any)
+	Println(a ...any)
 }
 type ginkgoRecoverFunc func()
 type attachProgressReporterFunc func(func() string) func()
@@ -80,11 +81,31 @@ func (t *ginkgoTestingTProxy) Setenv(key, value string) {
 	}
 }
 
-func (t *ginkgoTestingTProxy) Error(args ...interface{}) {
+func (t *ginkgoTestingTProxy) Chdir(dir string) {
+	currentDir, err := os.Getwd()
+	if err != nil {
+		t.fail(fmt.Sprintf("Failed to get current directory: %v", err), 1)
+	}
+
+	t.cleanup(os.Chdir, currentDir, internal.Offset(1))
+
+	err = os.Chdir(dir)
+	if err != nil {
+		t.fail(fmt.Sprintf("Failed to change directory: %v", err), 1)
+	}
+}
+
+func (t *ginkgoTestingTProxy) Context() context.Context {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.cleanup(cancel, internal.Offset(1))
+	return ctx
+}
+
+func (t *ginkgoTestingTProxy) Error(args ...any) {
 	t.fail(fmt.Sprintln(args...), t.offset)
 }
 
-func (t *ginkgoTestingTProxy) Errorf(format string, args ...interface{}) {
+func (t *ginkgoTestingTProxy) Errorf(format string, args ...any) {
 	t.fail(fmt.Sprintf(format, args...), t.offset)
 }
 
@@ -100,11 +121,11 @@ func (t *ginkgoTestingTProxy) Failed() bool {
 	return t.report().Failed()
 }
 
-func (t *ginkgoTestingTProxy) Fatal(args ...interface{}) {
+func (t *ginkgoTestingTProxy) Fatal(args ...any) {
 	t.fail(fmt.Sprintln(args...), t.offset)
 }
 
-func (t *ginkgoTestingTProxy) Fatalf(format string, args ...interface{}) {
+func (t *ginkgoTestingTProxy) Fatalf(format string, args ...any) {
 	t.fail(fmt.Sprintf(format, args...), t.offset)
 }
 
@@ -112,11 +133,11 @@ func (t *ginkgoTestingTProxy) Helper() {
 	types.MarkAsHelper(1)
 }
 
-func (t *ginkgoTestingTProxy) Log(args ...interface{}) {
+func (t *ginkgoTestingTProxy) Log(args ...any) {
 	fmt.Fprintln(t.writer, args...)
 }
 
-func (t *ginkgoTestingTProxy) Logf(format string, args ...interface{}) {
+func (t *ginkgoTestingTProxy) Logf(format string, args ...any) {
 	t.Log(fmt.Sprintf(format, args...))
 }
 
@@ -128,7 +149,7 @@ func (t *ginkgoTestingTProxy) Parallel() {
 	// No-op
 }
 
-func (t *ginkgoTestingTProxy) Skip(args ...interface{}) {
+func (t *ginkgoTestingTProxy) Skip(args ...any) {
 	t.skip(fmt.Sprintln(args...), t.offset)
 }
 
@@ -136,7 +157,7 @@ func (t *ginkgoTestingTProxy) SkipNow() {
 	t.skip("skip", t.offset)
 }
 
-func (t *ginkgoTestingTProxy) Skipf(format string, args ...interface{}) {
+func (t *ginkgoTestingTProxy) Skipf(format string, args ...any) {
 	t.skip(fmt.Sprintf(format, args...), t.offset)
 }
 
@@ -208,3 +229,9 @@ func (t *ginkgoTestingTProxy) ParallelTotal() int {
 func (t *ginkgoTestingTProxy) AttachProgressReporter(f func() string) func() {
 	return t.attachProgressReporter(f)
 }
+func (t *ginkgoTestingTProxy) Output() io.Writer {
+	return t.writer
+}
+func (t *ginkgoTestingTProxy) Attr(key, value string) {
+	t.addReportEntry(key, value, internal.Offset(1), types.ReportEntryVisibilityFailureOrVerbose)
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/writer.go b/vendor/github.com/onsi/ginkgo/v2/internal/writer.go
index aab42d5fb3c1d..1c4e0534e4c2d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/writer.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/writer.go
@@ -121,15 +121,15 @@ func (w *Writer) ClearTeeWriters() {
 	w.teeWriters = []io.Writer{}
 }
 
-func (w *Writer) Print(a ...interface{}) {
+func (w *Writer) Print(a ...any) {
 	fmt.Fprint(w, a...)
 }
 
-func (w *Writer) Printf(format string, a ...interface{}) {
+func (w *Writer) Printf(format string, a ...any) {
 	fmt.Fprintf(w, format, a...)
 }
 
-func (w *Writer) Println(a ...interface{}) {
+func (w *Writer) Println(a ...any) {
 	fmt.Fprintln(w, a...)
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
index 480730486af4e..026d9cf9b37f1 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
@@ -72,6 +72,9 @@ func (r *DefaultReporter) SuiteWillBegin(report types.Report) {
 		if len(report.SuiteLabels) > 0 {
 			r.emit(r.f("{{coral}}[%s]{{/}} ", strings.Join(report.SuiteLabels, ", ")))
 		}
+		if len(report.SuiteSemVerConstraints) > 0 {
+			r.emit(r.f("{{coral}}[%s]{{/}} ", strings.Join(report.SuiteSemVerConstraints, ", ")))
+		}
 		r.emit(r.f("- %d/%d specs ", report.PreRunStats.SpecsThatWillRun, report.PreRunStats.TotalSpecs))
 		if report.SuiteConfig.ParallelTotal > 1 {
 			r.emit(r.f("- %d procs ", report.SuiteConfig.ParallelTotal))
@@ -87,6 +90,13 @@ func (r *DefaultReporter) SuiteWillBegin(report types.Report) {
 				bannerWidth = len(labels) + 2
 			}
 		}
+		if len(report.SuiteSemVerConstraints) > 0 {
+			semVerConstraints := strings.Join(report.SuiteSemVerConstraints, ", ")
+			r.emitBlock(r.f("{{coral}}[%s]{{/}} ", semVerConstraints))
+			if len(semVerConstraints)+2 > bannerWidth {
+				bannerWidth = len(semVerConstraints) + 2
+			}
+		}
 		r.emitBlock(strings.Repeat("=", bannerWidth))
 
 		out := r.f("Random Seed: {{bold}}%d{{/}}", report.SuiteConfig.RandomSeed)
@@ -371,13 +381,22 @@ func (r *DefaultReporter) emitTimeline(indent uint, report types.SpecReport, tim
 	cursor := 0
 	for _, entry := range timeline {
 		tl := entry.GetTimelineLocation()
-		if tl.Offset < len(gw) {
-			r.emit(r.fi(indent, "%s", gw[cursor:tl.Offset]))
-			cursor = tl.Offset
-		} else if cursor < len(gw) {
+
+		end := tl.Offset
+		if end > len(gw) {
+			end = len(gw)
+		}
+		if end < cursor {
+			end = cursor
+		}
+		if cursor < end && cursor <= len(gw) && end <= len(gw) {
+			r.emit(r.fi(indent, "%s", gw[cursor:end]))
+			cursor = end
+		} else if cursor < len(gw) && end == len(gw) {
 			r.emit(r.fi(indent, "%s", gw[cursor:]))
 			cursor = len(gw)
 		}
+
 		switch x := entry.(type) {
 		case types.Failure:
 			if isVeryVerbose {
@@ -394,7 +413,7 @@ func (r *DefaultReporter) emitTimeline(indent uint, report types.SpecReport, tim
 		case types.ReportEntry:
 			r.emitReportEntry(indent, x)
 		case types.ProgressReport:
-			r.emitProgressReport(indent, false, x)
+			r.emitProgressReport(indent, false, isVeryVerbose, x)
 		case types.SpecEvent:
 			if isVeryVerbose || !x.IsOnlyVisibleAtVeryVerbose() || r.conf.ShowNodeEvents {
 				r.emitSpecEvent(indent, x, isVeryVerbose)
@@ -448,7 +467,7 @@ func (r *DefaultReporter) emitFailure(indent uint, state types.SpecState, failur
 
 	if !failure.ProgressReport.IsZero() {
 		r.emitBlock("\n")
-		r.emitProgressReport(indent, false, failure.ProgressReport)
+		r.emitProgressReport(indent, false, false, failure.ProgressReport)
 	}
 
 	if failure.AdditionalFailure != nil && includeAdditionalFailure {
@@ -464,11 +483,11 @@ func (r *DefaultReporter) EmitProgressReport(report types.ProgressReport) {
 		r.emit(r.fi(1, "{{coral}}Progress Report for Ginkgo Process #{{bold}}%d{{/}}\n", report.ParallelProcess))
 	}
 	shouldEmitGW := report.RunningInParallel || r.conf.Verbosity().LT(types.VerbosityLevelVerbose)
-	r.emitProgressReport(1, shouldEmitGW, report)
+	r.emitProgressReport(1, shouldEmitGW, true, report)
 	r.emitDelimiter(1)
 }
 
-func (r *DefaultReporter) emitProgressReport(indent uint, emitGinkgoWriterOutput bool, report types.ProgressReport) {
+func (r *DefaultReporter) emitProgressReport(indent uint, emitGinkgoWriterOutput, emitGroup bool, report types.ProgressReport) {
 	if report.Message != "" {
 		r.emitBlock(r.fi(indent, report.Message+"\n"))
 		indent += 1
@@ -504,6 +523,10 @@ func (r *DefaultReporter) emitProgressReport(indent uint, emitGinkgoWriterOutput
 		indent -= 1
 	}
 
+	if r.conf.GithubOutput && emitGroup {
+		r.emitBlock(r.fi(indent, "::group::Progress Report"))
+	}
+
 	if emitGinkgoWriterOutput && report.CapturedGinkgoWriterOutput != "" {
 		r.emit("\n")
 		r.emitBlock(r.fi(indent, "{{gray}}Begin Captured GinkgoWriter Output >>{{/}}"))
@@ -550,6 +573,10 @@ func (r *DefaultReporter) emitProgressReport(indent uint, emitGinkgoWriterOutput
 		r.emit(r.fi(indent, "{{gray}}{{bold}}{{underline}}Other Goroutines{{/}}\n"))
 		r.emitGoroutines(indent, otherGoroutines...)
 	}
+
+	if r.conf.GithubOutput && emitGroup {
+		r.emitBlock(r.fi(indent, "::endgroup::"))
+	}
 }
 
 func (r *DefaultReporter) EmitReportEntry(entry types.ReportEntry) {
@@ -685,11 +712,11 @@ func (r *DefaultReporter) _emit(s string, block bool, isDelimiter bool) {
 }
 
 /* Rendering text */
-func (r *DefaultReporter) f(format string, args ...interface{}) string {
+func (r *DefaultReporter) f(format string, args ...any) string {
 	return r.formatter.F(format, args...)
 }
 
-func (r *DefaultReporter) fi(indentation uint, format string, args ...interface{}) string {
+func (r *DefaultReporter) fi(indentation uint, format string, args ...any) string {
 	return r.formatter.Fi(indentation, format, args...)
 }
 
@@ -698,8 +725,8 @@ func (r *DefaultReporter) cycleJoin(elements []string, joiner string) string {
 }
 
 func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightColor string, veryVerbose bool, usePreciseFailureLocation bool) string {
-	texts, locations, labels := []string{}, []types.CodeLocation{}, [][]string{}
-	texts, locations, labels = append(texts, report.ContainerHierarchyTexts...), append(locations, report.ContainerHierarchyLocations...), append(labels, report.ContainerHierarchyLabels...)
+	texts, locations, labels, semVerConstraints := []string{}, []types.CodeLocation{}, [][]string{}, [][]string{}
+	texts, locations, labels, semVerConstraints = append(texts, report.ContainerHierarchyTexts...), append(locations, report.ContainerHierarchyLocations...), append(labels, report.ContainerHierarchyLabels...), append(semVerConstraints, report.ContainerHierarchySemVerConstraints...)
 
 	if report.LeafNodeType.Is(types.NodeTypesForSuiteLevelNodes) {
 		texts = append(texts, r.f("[%s] %s", report.LeafNodeType, report.LeafNodeText))
@@ -707,6 +734,7 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 		texts = append(texts, r.f(report.LeafNodeText))
 	}
 	labels = append(labels, report.LeafNodeLabels)
+	semVerConstraints = append(semVerConstraints, report.LeafNodeSemVerConstraints)
 	locations = append(locations, report.LeafNodeLocation)
 
 	failureLocation := report.Failure.FailureNodeLocation
@@ -720,6 +748,7 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 		texts = append([]string{fmt.Sprintf("TOP-LEVEL [%s]", report.Failure.FailureNodeType)}, texts...)
 		locations = append([]types.CodeLocation{failureLocation}, locations...)
 		labels = append([][]string{{}}, labels...)
+		semVerConstraints = append([][]string{{}}, semVerConstraints...)
 		highlightIndex = 0
 	case types.FailureNodeInContainer:
 		i := report.Failure.FailureNodeContainerIndex
@@ -747,6 +776,9 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 			if len(labels[i]) > 0 {
 				out += r.f(" {{coral}}[%s]{{/}}", strings.Join(labels[i], ", "))
 			}
+			if len(semVerConstraints[i]) > 0 {
+				out += r.f(" {{coral}}[%s]{{/}}", strings.Join(semVerConstraints[i], ", "))
+			}
 			out += "\n"
 			out += r.fi(uint(i), "{{gray}}%s{{/}}\n", locations[i])
 		}
@@ -770,6 +802,10 @@ func (r *DefaultReporter) codeLocationBlock(report types.SpecReport, highlightCo
 		if len(flattenedLabels) > 0 {
 			out += r.f(" {{coral}}[%s]{{/}}", strings.Join(flattenedLabels, ", "))
 		}
+		flattenedSemVerConstraints := report.SemVerConstraints()
+		if len(flattenedSemVerConstraints) > 0 {
+			out += r.f(" {{coral}}[%s]{{/}}", strings.Join(flattenedSemVerConstraints, ", "))
+		}
 		out += "\n"
 		if usePreciseFailureLocation {
 			out += r.f("{{gray}}%s{{/}}", failureLocation)
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go
new file mode 100644
index 0000000000000..d02fb7a1ae5cd
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go
@@ -0,0 +1,61 @@
+package reporters
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/onsi/ginkgo/v2/internal/reporters"
+	"github.com/onsi/ginkgo/v2/types"
+)
+
+// GenerateGoTestJSONReport produces a JSON-formatted in the test2json format used by `go test -json`
+func GenerateGoTestJSONReport(report types.Report, destination string) error {
+	// walk report and generate test2json-compatible objects
+	// JSON-encode the objects into filename
+	if err := os.MkdirAll(path.Dir(destination), 0770); err != nil {
+		return err
+	}
+	f, err := os.Create(destination)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	enc := json.NewEncoder(f)
+	r := reporters.NewGoJSONReporter(
+		enc,
+		systemErrForUnstructuredReporters,
+		systemOutForUnstructuredReporters,
+	)
+	return r.Write(report)
+}
+
+// MergeJSONReports produces a single JSON-formatted report at the passed in destination by merging the JSON-formatted reports provided in sources
+// It skips over reports that fail to decode but reports on them via the returned messages []string
+func MergeAndCleanupGoTestJSONReports(sources []string, destination string) ([]string, error) {
+	messages := []string{}
+	if err := os.MkdirAll(path.Dir(destination), 0770); err != nil {
+		return messages, err
+	}
+	f, err := os.Create(destination)
+	if err != nil {
+		return messages, err
+	}
+	defer f.Close()
+
+	for _, source := range sources {
+		data, err := os.ReadFile(source)
+		if err != nil {
+			messages = append(messages, fmt.Sprintf("Could not open %s:\n%s", source, err.Error()))
+			continue
+		}
+		_, err = f.Write(data)
+		if err != nil {
+			messages = append(messages, fmt.Sprintf("Could not write to %s:\n%s", destination, err.Error()))
+			continue
+		}
+		os.Remove(source)
+	}
+	return messages, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
index 562e0f62ba282..828f893fb8fed 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
@@ -36,6 +36,9 @@ type JunitReportConfig struct {
 	// Enable OmitSpecLabels to prevent labels from appearing in the spec name
 	OmitSpecLabels bool
 
+	// Enable OmitSpecSemVerConstraints to prevent semantic version constraints from appearing in the spec name
+	OmitSpecSemVerConstraints bool
+
 	// Enable OmitLeafNodeType to prevent the spec leaf node type from appearing in the spec name
 	OmitLeafNodeType bool
 
@@ -169,9 +172,11 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
 				{"SuiteHasProgrammaticFocus", fmt.Sprintf("%t", report.SuiteHasProgrammaticFocus)},
 				{"SpecialSuiteFailureReason", strings.Join(report.SpecialSuiteFailureReasons, ",")},
 				{"SuiteLabels", fmt.Sprintf("[%s]", strings.Join(report.SuiteLabels, ","))},
+				{"SuiteSemVerConstraints", fmt.Sprintf("[%s]", strings.Join(report.SuiteSemVerConstraints, ","))},
 				{"RandomSeed", fmt.Sprintf("%d", report.SuiteConfig.RandomSeed)},
 				{"RandomizeAllSpecs", fmt.Sprintf("%t", report.SuiteConfig.RandomizeAllSpecs)},
 				{"LabelFilter", report.SuiteConfig.LabelFilter},
+				{"SemVerFilter", report.SuiteConfig.SemVerFilter},
 				{"FocusStrings", strings.Join(report.SuiteConfig.FocusStrings, ",")},
 				{"SkipStrings", strings.Join(report.SuiteConfig.SkipStrings, ",")},
 				{"FocusFiles", strings.Join(report.SuiteConfig.FocusFiles, ";")},
@@ -207,6 +212,10 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
 				owner = matches[1]
 			}
 		}
+		semVerConstraints := spec.SemVerConstraints()
+		if len(semVerConstraints) > 0 && !config.OmitSpecSemVerConstraints {
+			name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
+		}
 		name = strings.TrimSpace(name)
 
 		test := JUnitTestCase{
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
index e990ad82e1384..55e1d1f4f79c5 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go
@@ -38,9 +38,13 @@ func GenerateTeamcityReport(report types.Report, dst string) error {
 
 	name := report.SuiteDescription
 	labels := report.SuiteLabels
+	semVerConstraints := report.SuiteSemVerConstraints
 	if len(labels) > 0 {
 		name = name + " [" + strings.Join(labels, ", ") + "]"
 	}
+	if len(semVerConstraints) > 0 {
+		name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
+	}
 	fmt.Fprintf(f, "##teamcity[testSuiteStarted name='%s']\n", tcEscape(name))
 	for _, spec := range report.SpecReports {
 		name := fmt.Sprintf("[%s]", spec.LeafNodeType)
@@ -51,6 +55,10 @@ func GenerateTeamcityReport(report types.Report, dst string) error {
 		if len(labels) > 0 {
 			name = name + " [" + strings.Join(labels, ", ") + "]"
 		}
+		semVerConstraints := spec.SemVerConstraints()
+		if len(semVerConstraints) > 0 {
+			name = name + " [" + strings.Join(semVerConstraints, ", ") + "]"
+		}
 
 		name = tcEscape(name)
 		fmt.Fprintf(f, "##teamcity[testStarted name='%s']\n", name)
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go b/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
index aa1a35176aa3d..4e86dba84d8cc 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go
@@ -27,6 +27,8 @@ CurrentSpecReport returns information about the current running spec.
 The returned object is a types.SpecReport which includes helper methods
 to make extracting information about the spec easier.
 
+During construction of the test tree the result is empty.
+
 You can learn more about SpecReport here: https://pkg.go.dev/github.com/onsi/ginkgo/types#SpecReport
 You can learn more about CurrentSpecReport() here: https://onsi.github.io/ginkgo/#getting-a-report-for-the-current-spec
 */
@@ -34,6 +36,31 @@ func CurrentSpecReport() SpecReport {
 	return global.Suite.CurrentSpecReport()
 }
 
+/*
+ConstructionNodeReport describes the container nodes during construction of
+the spec tree. It provides a subset of the information that is provided
+by SpecReport at runtime.
+
+It is documented here: [types.ConstructionNodeReport]
+*/
+type ConstructionNodeReport = types.ConstructionNodeReport
+
+/*
+CurrentConstructionNodeReport returns information about the current container nodes
+that are leading to the current path in the spec tree.
+The returned object is a types.ConstructionNodeReport which includes helper methods
+to make extracting information about the spec easier.
+
+May only be called during construction of the spec tree. It panics when
+called while tests are running. Use CurrentSpecReport instead in that
+phase.
+
+You can learn more about ConstructionNodeReport here: [types.ConstructionNodeReport]
+*/
+func CurrentTreeConstructionNodeReport() ConstructionNodeReport {
+	return global.Suite.CurrentConstructionNodeReport()
+}
+
 /*
 	ReportEntryVisibility governs the visibility of ReportEntries in Ginkgo's console reporter
 
@@ -60,7 +87,7 @@ AddReportEntry() must be called within a Subject or Setup node - not in a Contai
 
 You can learn more about Report Entries here: https://onsi.github.io/ginkgo/#attaching-data-to-reports
 */
-func AddReportEntry(name string, args ...interface{}) {
+func AddReportEntry(name string, args ...any) {
 	cl := types.NewCodeLocation(1)
 	reportEntry, err := internal.NewReportEntry(name, cl, args...)
 	if err != nil {
@@ -89,10 +116,10 @@ You can learn more about ReportBeforeEach here: https://onsi.github.io/ginkgo/#g
 You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spec-timeouts-and-interruptible-nodes
 */
 func ReportBeforeEach(body any, args ...any) bool {
-	combinedArgs := []interface{}{body}
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportBeforeEach, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportBeforeEach, "", combinedArgs...)))
 }
 
 /*
@@ -113,10 +140,10 @@ You can learn more about ReportAfterEach here: https://onsi.github.io/ginkgo/#ge
 You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spec-timeouts-and-interruptible-nodes
 */
 func ReportAfterEach(body any, args ...any) bool {
-	combinedArgs := []interface{}{body}
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
 
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportAfterEach, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportAfterEach, "", combinedArgs...)))
 }
 
 /*
@@ -143,9 +170,9 @@ You can learn more about Ginkgo's reporting infrastructure, including generating
 You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spec-timeouts-and-interruptible-nodes
 */
 func ReportBeforeSuite(body any, args ...any) bool {
-	combinedArgs := []interface{}{body}
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportBeforeSuite, "", combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportBeforeSuite, "", combinedArgs...)))
 }
 
 /*
@@ -165,7 +192,7 @@ ReportAfterSuite nodes must be created at the top-level (i.e. not nested in a Co
 When running in parallel, Ginkgo ensures that only one of the parallel nodes runs the ReportAfterSuite and that it is passed a report that is aggregated across
 all parallel nodes
 
-In addition to using ReportAfterSuite to programmatically generate suite reports, you can also generate JSON, JUnit, and Teamcity formatted reports using the --json-report, --junit-report, and --teamcity-report ginkgo CLI flags.
+In addition to using ReportAfterSuite to programmatically generate suite reports, you can also generate JSON, GoJSON, JUnit, and Teamcity formatted reports using the --json-report, --gojson-report, --junit-report, and --teamcity-report ginkgo CLI flags.
 
 You cannot nest any other Ginkgo nodes within a ReportAfterSuite node's closure.
 You can learn more about ReportAfterSuite here: https://onsi.github.io/ginkgo/#generating-reports-programmatically
@@ -174,10 +201,10 @@ You can learn more about Ginkgo's reporting infrastructure, including generating
 
 You can learn about interruptible nodes here: https://onsi.github.io/ginkgo/#spec-timeouts-and-interruptible-nodes
 */
-func ReportAfterSuite(text string, body any, args ...interface{}) bool {
-	combinedArgs := []interface{}{body}
+func ReportAfterSuite(text string, body any, args ...any) bool {
+	combinedArgs := []any{body}
 	combinedArgs = append(combinedArgs, args...)
-	return pushNode(internal.NewNode(deprecationTracker, types.NodeTypeReportAfterSuite, text, combinedArgs...))
+	return pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeReportAfterSuite, text, combinedArgs...)))
 }
 
 func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.ReporterConfig) {
@@ -188,6 +215,12 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 				Fail(fmt.Sprintf("Failed to generate JSON report:\n%s", err.Error()))
 			}
 		}
+		if reporterConfig.GoJSONReport != "" {
+			err := reporters.GenerateGoTestJSONReport(report, reporterConfig.GoJSONReport)
+			if err != nil {
+				Fail(fmt.Sprintf("Failed to generate Go JSON report:\n%s", err.Error()))
+			}
+		}
 		if reporterConfig.JUnitReport != "" {
 			err := reporters.GenerateJUnitReport(report, reporterConfig.JUnitReport)
 			if err != nil {
@@ -206,6 +239,9 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 	if reporterConfig.JSONReport != "" {
 		flags = append(flags, "--json-report")
 	}
+	if reporterConfig.GoJSONReport != "" {
+		flags = append(flags, "--gojson-report")
+	}
 	if reporterConfig.JUnitReport != "" {
 		flags = append(flags, "--junit-report")
 	}
@@ -213,9 +249,11 @@ func registerReportAfterSuiteNodeForAutogeneratedReports(reporterConfig types.Re
 		flags = append(flags, "--teamcity-report")
 	}
 	pushNode(internal.NewNode(
-		deprecationTracker, types.NodeTypeReportAfterSuite,
-		fmt.Sprintf("Autogenerated ReportAfterSuite for %s", strings.Join(flags, " ")),
-		body,
-		types.NewCustomCodeLocation("autogenerated by Ginkgo"),
+		internal.TransformNewNodeArgs(
+			exitIfErrors, deprecationTracker, types.NodeTypeReportAfterSuite,
+			fmt.Sprintf("Autogenerated ReportAfterSuite for %s", strings.Join(flags, " ")),
+			body,
+			types.NewCustomCodeLocation("autogenerated by Ginkgo"),
+		),
 	))
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
index c7de7a8be094a..1031aa8554522 100644
--- a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
@@ -23,7 +23,7 @@ You can learn more about generating EntryDescriptions here: https://onsi.github.
 */
 type EntryDescription string
 
-func (ed EntryDescription) render(args ...interface{}) string {
+func (ed EntryDescription) render(args ...any) string {
 	return fmt.Sprintf(string(ed), args...)
 }
 
@@ -44,7 +44,7 @@ For example:
 You can learn more about DescribeTable here: https://onsi.github.io/ginkgo/#table-specs
 And can explore some Table patterns here: https://onsi.github.io/ginkgo/#table-specs-patterns
 */
-func DescribeTable(description string, args ...interface{}) bool {
+func DescribeTable(description string, args ...any) bool {
 	GinkgoHelper()
 	generateTable(description, false, args...)
 	return true
@@ -53,7 +53,7 @@ func DescribeTable(description string, args ...interface{}) bool {
 /*
 You can focus a table with `FDescribeTable`.  This is equivalent to `FDescribe`.
 */
-func FDescribeTable(description string, args ...interface{}) bool {
+func FDescribeTable(description string, args ...any) bool {
 	GinkgoHelper()
 	args = append(args, internal.Focus)
 	generateTable(description, false, args...)
@@ -63,7 +63,7 @@ func FDescribeTable(description string, args ...interface{}) bool {
 /*
 You can mark a table as pending with `PDescribeTable`.  This is equivalent to `PDescribe`.
 */
-func PDescribeTable(description string, args ...interface{}) bool {
+func PDescribeTable(description string, args ...any) bool {
 	GinkgoHelper()
 	args = append(args, internal.Pending)
 	generateTable(description, false, args...)
@@ -95,7 +95,7 @@ For example:
 			})
 
 			It("should return the expected message", func() {
-				body, err := ioutil.ReadAll(resp.Body)
+				body, err := io.ReadAll(resp.Body)
 				Expect(err).NotTo(HaveOccurred())
 				Expect(string(body)).To(Equal(message))
 			})
@@ -109,7 +109,7 @@ Note that you **must** place define an It inside the body function.
 You can learn more about DescribeTableSubtree here: https://onsi.github.io/ginkgo/#table-specs
 And can explore some Table patterns here: https://onsi.github.io/ginkgo/#table-specs-patterns
 */
-func DescribeTableSubtree(description string, args ...interface{}) bool {
+func DescribeTableSubtree(description string, args ...any) bool {
 	GinkgoHelper()
 	generateTable(description, true, args...)
 	return true
@@ -118,7 +118,7 @@ func DescribeTableSubtree(description string, args ...interface{}) bool {
 /*
 You can focus a table with `FDescribeTableSubtree`.  This is equivalent to `FDescribe`.
 */
-func FDescribeTableSubtree(description string, args ...interface{}) bool {
+func FDescribeTableSubtree(description string, args ...any) bool {
 	GinkgoHelper()
 	args = append(args, internal.Focus)
 	generateTable(description, true, args...)
@@ -128,7 +128,7 @@ func FDescribeTableSubtree(description string, args ...interface{}) bool {
 /*
 You can mark a table as pending with `PDescribeTableSubtree`.  This is equivalent to `PDescribe`.
 */
-func PDescribeTableSubtree(description string, args ...interface{}) bool {
+func PDescribeTableSubtree(description string, args ...any) bool {
 	GinkgoHelper()
 	args = append(args, internal.Pending)
 	generateTable(description, true, args...)
@@ -144,9 +144,9 @@ var XDescribeTableSubtree = PDescribeTableSubtree
 TableEntry represents an entry in a table test.  You generally use the `Entry` constructor.
 */
 type TableEntry struct {
-	description  interface{}
-	decorations  []interface{}
-	parameters   []interface{}
+	description  any
+	decorations  []any
+	parameters   []any
 	codeLocation types.CodeLocation
 }
 
@@ -162,7 +162,7 @@ If you want to generate interruptible specs simply write a Table function that a
 
 You can learn more about Entry here: https://onsi.github.io/ginkgo/#table-specs
 */
-func Entry(description interface{}, args ...interface{}) TableEntry {
+func Entry(description any, args ...any) TableEntry {
 	GinkgoHelper()
 	decorations, parameters := internal.PartitionDecorations(args...)
 	return TableEntry{description: description, decorations: decorations, parameters: parameters, codeLocation: types.NewCodeLocation(0)}
@@ -171,7 +171,7 @@ func Entry(description interface{}, args ...interface{}) TableEntry {
 /*
 You can focus a particular entry with FEntry.  This is equivalent to FIt.
 */
-func FEntry(description interface{}, args ...interface{}) TableEntry {
+func FEntry(description any, args ...any) TableEntry {
 	GinkgoHelper()
 	decorations, parameters := internal.PartitionDecorations(args...)
 	decorations = append(decorations, internal.Focus)
@@ -181,7 +181,7 @@ func FEntry(description interface{}, args ...interface{}) TableEntry {
 /*
 You can mark a particular entry as pending with PEntry.  This is equivalent to PIt.
 */
-func PEntry(description interface{}, args ...interface{}) TableEntry {
+func PEntry(description any, args ...any) TableEntry {
 	GinkgoHelper()
 	decorations, parameters := internal.PartitionDecorations(args...)
 	decorations = append(decorations, internal.Pending)
@@ -196,17 +196,17 @@ var XEntry = PEntry
 var contextType = reflect.TypeOf(new(context.Context)).Elem()
 var specContextType = reflect.TypeOf(new(SpecContext)).Elem()
 
-func generateTable(description string, isSubtree bool, args ...interface{}) {
+func generateTable(description string, isSubtree bool, args ...any) {
 	GinkgoHelper()
 	cl := types.NewCodeLocation(0)
-	containerNodeArgs := []interface{}{cl}
+	containerNodeArgs := []any{cl}
 
 	entries := []TableEntry{}
-	var internalBody interface{}
+	var internalBody any
 	var internalBodyType reflect.Type
 
-	var tableLevelEntryDescription interface{}
-	tableLevelEntryDescription = func(args ...interface{}) string {
+	var tableLevelEntryDescription any
+	tableLevelEntryDescription = func(args ...any) string {
 		out := []string{}
 		for _, arg := range args {
 			out = append(out, fmt.Sprint(arg))
@@ -265,7 +265,7 @@ func generateTable(description string, isSubtree bool, args ...interface{}) {
 				err = types.GinkgoErrors.InvalidEntryDescription(entry.codeLocation)
 			}
 
-			internalNodeArgs := []interface{}{entry.codeLocation}
+			internalNodeArgs := []any{entry.codeLocation}
 			internalNodeArgs = append(internalNodeArgs, entry.decorations...)
 
 			hasContext := false
@@ -290,7 +290,7 @@ func generateTable(description string, isSubtree bool, args ...interface{}) {
 					if err != nil {
 						panic(err)
 					}
-					invokeFunction(internalBody, append([]interface{}{c}, entry.parameters...))
+					invokeFunction(internalBody, append([]any{c}, entry.parameters...))
 				})
 				if isSubtree {
 					exitIfErr(types.GinkgoErrors.ContextsCannotBeUsedInSubtreeTables(cl))
@@ -309,14 +309,14 @@ func generateTable(description string, isSubtree bool, args ...interface{}) {
 				internalNodeType = types.NodeTypeContainer
 			}
 
-			pushNode(internal.NewNode(deprecationTracker, internalNodeType, description, internalNodeArgs...))
+			pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, internalNodeType, description, internalNodeArgs...)))
 		}
 	})
 
-	pushNode(internal.NewNode(deprecationTracker, types.NodeTypeContainer, description, containerNodeArgs...))
+	pushNode(internal.NewNode(internal.TransformNewNodeArgs(exitIfErrors, deprecationTracker, types.NodeTypeContainer, description, containerNodeArgs...)))
 }
 
-func invokeFunction(function interface{}, parameters []interface{}) []reflect.Value {
+func invokeFunction(function any, parameters []any) []reflect.Value {
 	inValues := make([]reflect.Value, len(parameters))
 
 	funcType := reflect.TypeOf(function)
@@ -339,7 +339,7 @@ func invokeFunction(function interface{}, parameters []interface{}) []reflect.Va
 	return reflect.ValueOf(function).Call(inValues)
 }
 
-func validateParameters(function interface{}, parameters []interface{}, kind string, cl types.CodeLocation, hasContext bool) error {
+func validateParameters(function any, parameters []any, kind string, cl types.CodeLocation, hasContext bool) error {
 	funcType := reflect.TypeOf(function)
 	limit := funcType.NumIn()
 	offset := 0
@@ -377,7 +377,7 @@ func validateParameters(function interface{}, parameters []interface{}, kind str
 	return nil
 }
 
-func computeValue(parameter interface{}, t reflect.Type) reflect.Value {
+func computeValue(parameter any, t reflect.Type) reflect.Value {
 	if parameter == nil {
 		return reflect.Zero(t)
 	} else {
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/around_node.go b/vendor/github.com/onsi/ginkgo/v2/types/around_node.go
new file mode 100644
index 0000000000000..a069e0623d2af
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/types/around_node.go
@@ -0,0 +1,56 @@
+package types
+
+import (
+	"context"
+)
+
+type AroundNodeAllowedFuncs interface {
+	~func(context.Context, func(context.Context)) | ~func(context.Context) context.Context | ~func()
+}
+type AroundNodeFunc func(ctx context.Context, body func(ctx context.Context))
+
+func AroundNode[F AroundNodeAllowedFuncs](f F, cl CodeLocation) AroundNodeDecorator {
+	if f == nil {
+		panic("BuildAroundNode cannot be called with a nil function.")
+	}
+	var aroundNodeFunc func(context.Context, func(context.Context))
+	switch x := any(f).(type) {
+	case func(context.Context, func(context.Context)):
+		aroundNodeFunc = x
+	case func(context.Context) context.Context:
+		aroundNodeFunc = func(ctx context.Context, body func(context.Context)) {
+			ctx = x(ctx)
+			body(ctx)
+		}
+	case func():
+		aroundNodeFunc = func(ctx context.Context, body func(context.Context)) {
+			x()
+			body(ctx)
+		}
+	}
+
+	return AroundNodeDecorator{
+		Body:         aroundNodeFunc,
+		CodeLocation: cl,
+	}
+}
+
+type AroundNodeDecorator struct {
+	Body         AroundNodeFunc
+	CodeLocation CodeLocation
+}
+
+type AroundNodes []AroundNodeDecorator
+
+func (an AroundNodes) Clone() AroundNodes {
+	out := make(AroundNodes, len(an))
+	copy(out, an)
+	return out
+}
+
+func (an AroundNodes) Append(other ...AroundNodeDecorator) AroundNodes {
+	out := make(AroundNodes, len(an)+len(other))
+	copy(out, an)
+	copy(out[len(an):], other)
+	return out
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/config.go b/vendor/github.com/onsi/ginkgo/v2/types/config.go
index 8c0dfab8c0ea5..f84703604686d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/config.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/config.go
@@ -24,6 +24,7 @@ type SuiteConfig struct {
 	FocusFiles            []string
 	SkipFiles             []string
 	LabelFilter           string
+	SemVerFilter          string
 	FailOnPending         bool
 	FailOnEmpty           bool
 	FailFast              bool
@@ -95,6 +96,7 @@ type ReporterConfig struct {
 	ForceNewlines  bool
 
 	JSONReport     string
+	GoJSONReport   string
 	JUnitReport    string
 	TeamcityReport string
 }
@@ -111,7 +113,7 @@ func (rc ReporterConfig) Verbosity() VerbosityLevel {
 }
 
 func (rc ReporterConfig) WillGenerateReport() bool {
-	return rc.JSONReport != "" || rc.JUnitReport != "" || rc.TeamcityReport != ""
+	return rc.JSONReport != "" || rc.GoJSONReport != "" || rc.JUnitReport != "" || rc.TeamcityReport != ""
 }
 
 func NewDefaultReporterConfig() ReporterConfig {
@@ -159,7 +161,7 @@ func (g CLIConfig) ComputedProcs() int {
 
 	n := 1
 	if g.Parallel {
-		n = runtime.NumCPU()
+		n = runtime.GOMAXPROCS(-1)
 		if n > 4 {
 			n = n - 1
 		}
@@ -172,7 +174,7 @@ func (g CLIConfig) ComputedNumCompilers() int {
 		return g.NumCompilers
 	}
 
-	return runtime.NumCPU()
+	return runtime.GOMAXPROCS(-1)
 }
 
 // Configuration for the Ginkgo CLI capturing available go flags
@@ -231,6 +233,10 @@ func (g GoFlagsConfig) BinaryMustBePreserved() bool {
 	return g.BlockProfile != "" || g.CPUProfile != "" || g.MemProfile != "" || g.MutexProfile != ""
 }
 
+func (g GoFlagsConfig) NeedsSymbols() bool {
+	return g.BinaryMustBePreserved()
+}
+
 // Configuration that were deprecated in 2.0
 type deprecatedConfig struct {
 	DebugParallel                   bool
@@ -257,8 +263,12 @@ var FlagSections = GinkgoFlagSections{
 	{Key: "filter", Style: "{{cyan}}", Heading: "Filtering Tests"},
 	{Key: "failure", Style: "{{red}}", Heading: "Failure Handling"},
 	{Key: "output", Style: "{{magenta}}", Heading: "Controlling Output Formatting"},
-	{Key: "code-and-coverage-analysis", Style: "{{orange}}", Heading: "Code and Coverage Analysis"},
-	{Key: "performance-analysis", Style: "{{coral}}", Heading: "Performance Analysis"},
+	{Key: "code-and-coverage-analysis", Style: "{{orange}}", Heading: "Code and Coverage Analysis",
+		Description: "When generating a cover files, please pass a filename {{bold}}not{{/}} a path.  To specify a different directory use {{magenta}}--output-dir{{/}}.",
+	},
+	{Key: "performance-analysis", Style: "{{coral}}", Heading: "Performance Analysis",
+		Description: "When generating profile files, please pass filenames {{bold}}not{{/}} a path.  Ginkgo will generate a profile file with the given name in the package's directory.  To specify a different directory use {{magenta}}--output-dir{{/}}.",
+	},
 	{Key: "debug", Style: "{{blue}}", Heading: "Debugging Tests",
 		Description: "In addition to these flags, Ginkgo supports a few debugging environment variables.  To change the parallel server protocol set {{blue}}GINKGO_PARALLEL_PROTOCOL{{/}} to {{bold}}HTTP{{/}}.  To avoid pruning callstacks set {{blue}}GINKGO_PRUNE_STACK{{/}} to {{bold}}FALSE{{/}}."},
 	{Key: "watch", Style: "{{light-yellow}}", Heading: "Controlling Ginkgo Watch"},
@@ -300,6 +310,8 @@ var SuiteConfigFlags = GinkgoFlags{
 
 	{KeyPath: "S.LabelFilter", Name: "label-filter", SectionKey: "filter", UsageArgument: "expression",
 		Usage: "If set, ginkgo will only run specs with labels that match the label-filter.  The passed-in expression can include boolean operations (!, &&, ||, ','), groupings via '()', and regular expressions '/regexp/'.  e.g. '(cat || dog) && !fruit'"},
+	{KeyPath: "S.SemVerFilter", Name: "sem-ver-filter", SectionKey: "filter", UsageArgument: "version",
+		Usage: "If set, ginkgo will only run specs with semantic version constraints that are satisfied by the provided version. e.g. '2.1.0'"},
 	{KeyPath: "S.FocusStrings", Name: "focus", SectionKey: "filter",
 		Usage: "If set, ginkgo will only run specs that match this regular expression. Can be specified multiple times, values are ORed."},
 	{KeyPath: "S.SkipStrings", Name: "skip", SectionKey: "filter",
@@ -348,6 +360,8 @@ var ReporterConfigFlags = GinkgoFlags{
 
 	{KeyPath: "R.JSONReport", Name: "json-report", UsageArgument: "filename.json", SectionKey: "output",
 		Usage: "If set, Ginkgo will generate a JSON-formatted test report at the specified location."},
+	{KeyPath: "R.GoJSONReport", Name: "gojson-report", UsageArgument: "filename.json", SectionKey: "output",
+		Usage: "If set, Ginkgo will generate a Go JSON-formatted test report at the specified location."},
 	{KeyPath: "R.JUnitReport", Name: "junit-report", UsageArgument: "filename.xml", SectionKey: "output", DeprecatedName: "reportFile", DeprecatedDocLink: "improved-reporting-infrastructure",
 		Usage: "If set, Ginkgo will generate a conformant junit test report in the specified file."},
 	{KeyPath: "R.TeamcityReport", Name: "teamcity-report", UsageArgument: "filename", SectionKey: "output",
@@ -365,7 +379,7 @@ var ReporterConfigFlags = GinkgoFlags{
 func BuildTestSuiteFlagSet(suiteConfig *SuiteConfig, reporterConfig *ReporterConfig) (GinkgoFlagSet, error) {
 	flags := SuiteConfigFlags.CopyAppend(ParallelConfigFlags...).CopyAppend(ReporterConfigFlags...)
 	flags = flags.WithPrefix("ginkgo")
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"S": suiteConfig,
 		"R": reporterConfig,
 		"D": &deprecatedConfig{},
@@ -435,6 +449,13 @@ func VetConfig(flagSet GinkgoFlagSet, suiteConfig SuiteConfig, reporterConfig Re
 		}
 	}
 
+	if suiteConfig.SemVerFilter != "" {
+		_, err := ParseSemVerFilter(suiteConfig.SemVerFilter)
+		if err != nil {
+			errors = append(errors, err)
+		}
+	}
+
 	switch strings.ToLower(suiteConfig.OutputInterceptorMode) {
 	case "", "dup", "swap", "none":
 	default:
@@ -515,7 +536,7 @@ var GoBuildFlags = GinkgoFlags{
 	{KeyPath: "Go.Race", Name: "race", SectionKey: "code-and-coverage-analysis",
 		Usage: "enable data race detection. Supported on linux/amd64, linux/ppc64le, linux/arm64, linux/s390x, freebsd/amd64, netbsd/amd64, darwin/amd64, darwin/arm64, and windows/amd64."},
 	{KeyPath: "Go.Vet", Name: "vet", UsageArgument: "list", SectionKey: "code-and-coverage-analysis",
-		Usage: `Configure the invocation of "go vet" during "go test" to use the comma-separated list of vet checks.  If list is empty, "go test" runs "go vet" with a curated list of checks believed to be always worth addressing.  If list is "off", "go test" does not run "go vet" at all.  Available checks can be found by running 'go doc cmd/vet'`},
+		Usage: `Configure the invocation of "go vet" during "go test" to use the comma-separated list of vet checks.  If list is empty (by explicitly passing --vet=""), "go test" runs "go vet" with a curated list of checks believed to be always worth addressing.  If list is "off", "go test" does not run "go vet" at all.  Available checks can be found by running 'go doc cmd/vet'`},
 	{KeyPath: "Go.Cover", Name: "cover", SectionKey: "code-and-coverage-analysis",
 		Usage: "Enable coverage analysis.	Note that because coverage works by annotating the source code before compilation, compilation and test failures with coverage enabled may report line numbers that don't correspond to the original sources."},
 	{KeyPath: "Go.CoverMode", Name: "covermode", UsageArgument: "set,count,atomic", SectionKey: "code-and-coverage-analysis",
@@ -565,6 +586,9 @@ var GoBuildFlags = GinkgoFlags{
 		Usage: "print the name of the temporary work directory and do not delete it when exiting."},
 	{KeyPath: "Go.X", Name: "x", SectionKey: "go-build",
 		Usage: "print the commands."},
+}
+
+var GoBuildOFlags = GinkgoFlags{
 	{KeyPath: "Go.O", Name: "o", SectionKey: "go-build",
 		Usage: "output binary path (including name)."},
 }
@@ -572,7 +596,7 @@ var GoBuildFlags = GinkgoFlags{
 // GoRunFlags provides flags for the Ginkgo CLI  run, and watch commands that capture go's run-time flags.  These are passed to the compiled test binary by the ginkgo CLI
 var GoRunFlags = GinkgoFlags{
 	{KeyPath: "Go.CoverProfile", Name: "coverprofile", UsageArgument: "file", SectionKey: "code-and-coverage-analysis",
-		Usage: `Write a coverage profile to the file after all tests have passed. Sets -cover.`},
+		Usage: `Write a coverage profile to the file after all tests have passed. Sets -cover.  Must be passed a filename, not a path.  Use output-dir to control the location of the output.`},
 	{KeyPath: "Go.BlockProfile", Name: "blockprofile", UsageArgument: "file", SectionKey: "performance-analysis",
 		Usage: `Write a goroutine blocking profile to the specified file when all tests are complete. Preserves test binary.`},
 	{KeyPath: "Go.BlockProfileRate", Name: "blockprofilerate", UsageArgument: "rate", SectionKey: "performance-analysis",
@@ -600,6 +624,22 @@ func VetAndInitializeCLIAndGoConfig(cliConfig CLIConfig, goFlagsConfig GoFlagsCo
 		errors = append(errors, GinkgoErrors.BothRepeatAndUntilItFails())
 	}
 
+	if strings.ContainsRune(goFlagsConfig.CoverProfile, os.PathSeparator) {
+		errors = append(errors, GinkgoErrors.ExpectFilenameNotPath("--coverprofile", goFlagsConfig.CoverProfile))
+	}
+	if strings.ContainsRune(goFlagsConfig.CPUProfile, os.PathSeparator) {
+		errors = append(errors, GinkgoErrors.ExpectFilenameNotPath("--cpuprofile", goFlagsConfig.CPUProfile))
+	}
+	if strings.ContainsRune(goFlagsConfig.MemProfile, os.PathSeparator) {
+		errors = append(errors, GinkgoErrors.ExpectFilenameNotPath("--memprofile", goFlagsConfig.MemProfile))
+	}
+	if strings.ContainsRune(goFlagsConfig.BlockProfile, os.PathSeparator) {
+		errors = append(errors, GinkgoErrors.ExpectFilenameNotPath("--blockprofile", goFlagsConfig.BlockProfile))
+	}
+	if strings.ContainsRune(goFlagsConfig.MutexProfile, os.PathSeparator) {
+		errors = append(errors, GinkgoErrors.ExpectFilenameNotPath("--mutexprofile", goFlagsConfig.MutexProfile))
+	}
+
 	//initialize the output directory
 	if cliConfig.OutputDir != "" {
 		err := os.MkdirAll(cliConfig.OutputDir, 0777)
@@ -620,7 +660,7 @@ func VetAndInitializeCLIAndGoConfig(cliConfig CLIConfig, goFlagsConfig GoFlagsCo
 }
 
 // GenerateGoTestCompileArgs is used by the Ginkgo CLI to generate command line arguments to pass to the go test -c command when compiling the test
-func GenerateGoTestCompileArgs(goFlagsConfig GoFlagsConfig, packageToBuild string, pathToInvocationPath string) ([]string, error) {
+func GenerateGoTestCompileArgs(goFlagsConfig GoFlagsConfig, packageToBuild string, pathToInvocationPath string, preserveSymbols bool) ([]string, error) {
 	// if the user has set the CoverProfile run-time flag make sure to set the build-time cover flag to make sure
 	// the built test binary can generate a coverprofile
 	if goFlagsConfig.CoverProfile != "" {
@@ -643,10 +683,14 @@ func GenerateGoTestCompileArgs(goFlagsConfig GoFlagsConfig, packageToBuild strin
 		goFlagsConfig.CoverPkg = strings.Join(adjustedCoverPkgs, ",")
 	}
 
+	if !goFlagsConfig.NeedsSymbols() && goFlagsConfig.LDFlags == "" && !preserveSymbols {
+		goFlagsConfig.LDFlags = "-w -s"
+	}
+
 	args := []string{"test", "-c", packageToBuild}
 	goArgs, err := GenerateFlagArgs(
-		GoBuildFlags,
-		map[string]interface{}{
+		GoBuildFlags.CopyAppend(GoBuildOFlags...),
+		map[string]any{
 			"Go": &goFlagsConfig,
 		},
 	)
@@ -665,7 +709,7 @@ func GenerateGinkgoTestRunArgs(suiteConfig SuiteConfig, reporterConfig ReporterC
 	flags = flags.CopyAppend(ParallelConfigFlags.WithPrefix("ginkgo")...)
 	flags = flags.CopyAppend(ReporterConfigFlags.WithPrefix("ginkgo")...)
 	flags = flags.CopyAppend(GoRunFlags.WithPrefix("test")...)
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"S":  &suiteConfig,
 		"R":  &reporterConfig,
 		"Go": &goFlagsConfig,
@@ -677,7 +721,7 @@ func GenerateGinkgoTestRunArgs(suiteConfig SuiteConfig, reporterConfig ReporterC
 // GenerateGoTestRunArgs is used by the Ginkgo CLI to generate command line arguments to pass to the compiled non-Ginkgo test binary
 func GenerateGoTestRunArgs(goFlagsConfig GoFlagsConfig) ([]string, error) {
 	flags := GoRunFlags.WithPrefix("test")
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"Go": &goFlagsConfig,
 	}
 
@@ -699,7 +743,7 @@ func BuildRunCommandFlagSet(suiteConfig *SuiteConfig, reporterConfig *ReporterCo
 	flags = flags.CopyAppend(GoBuildFlags...)
 	flags = flags.CopyAppend(GoRunFlags...)
 
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"S":  suiteConfig,
 		"R":  reporterConfig,
 		"C":  cliConfig,
@@ -720,7 +764,7 @@ func BuildWatchCommandFlagSet(suiteConfig *SuiteConfig, reporterConfig *Reporter
 	flags = flags.CopyAppend(GoBuildFlags...)
 	flags = flags.CopyAppend(GoRunFlags...)
 
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"S":  suiteConfig,
 		"R":  reporterConfig,
 		"C":  cliConfig,
@@ -735,8 +779,9 @@ func BuildWatchCommandFlagSet(suiteConfig *SuiteConfig, reporterConfig *Reporter
 func BuildBuildCommandFlagSet(cliConfig *CLIConfig, goFlagsConfig *GoFlagsConfig) (GinkgoFlagSet, error) {
 	flags := GinkgoCLISharedFlags
 	flags = flags.CopyAppend(GoBuildFlags...)
+	flags = flags.CopyAppend(GoBuildOFlags...)
 
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"C":  cliConfig,
 		"Go": goFlagsConfig,
 		"D":  &deprecatedConfig{},
@@ -760,7 +805,7 @@ func BuildBuildCommandFlagSet(cliConfig *CLIConfig, goFlagsConfig *GoFlagsConfig
 func BuildLabelsCommandFlagSet(cliConfig *CLIConfig) (GinkgoFlagSet, error) {
 	flags := GinkgoCLISharedFlags.SubsetWithNames("r", "skip-package")
 
-	bindings := map[string]interface{}{
+	bindings := map[string]any{
 		"C": cliConfig,
 	}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go b/vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go
index 17922304b63c0..518989a84403a 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go
@@ -113,7 +113,7 @@ type DeprecatedSpecFailure struct {
 
 type DeprecatedSpecMeasurement struct {
 	Name  string
-	Info  interface{}
+	Info  any
 	Order int
 
 	Results []float64
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/errors.go b/vendor/github.com/onsi/ginkgo/v2/types/errors.go
index 6bb72d00ccdad..59313238cfc55 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/errors.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/errors.go
@@ -88,7 +88,7 @@ body of a {{bold}}Describe{{/}}, {{bold}}Context{{/}}, or {{bold}}When{{/}}.`, n
 	}
 }
 
-func (g ginkgoErrors) CaughtPanicDuringABuildPhase(caughtPanic interface{}, cl CodeLocation) error {
+func (g ginkgoErrors) CaughtPanicDuringABuildPhase(caughtPanic any, cl CodeLocation) error {
 	return GinkgoError{
 		Heading: "Assertion or Panic detected during tree construction",
 		Message: formatter.F(
@@ -189,7 +189,7 @@ func (g ginkgoErrors) InvalidDeclarationOfFlakeAttemptsAndMustPassRepeatedly(cl
 	}
 }
 
-func (g ginkgoErrors) UnknownDecorator(cl CodeLocation, nodeType NodeType, decorator interface{}) error {
+func (g ginkgoErrors) UnknownDecorator(cl CodeLocation, nodeType NodeType, decorator any) error {
 	return GinkgoError{
 		Heading:      "Unknown Decorator",
 		Message:      formatter.F(`[%s] node was passed an unknown decorator: '%#v'`, nodeType, decorator),
@@ -345,7 +345,7 @@ func (g ginkgoErrors) PushingCleanupInCleanupNode(cl CodeLocation) error {
 }
 
 /* ReportEntry errors */
-func (g ginkgoErrors) TooManyReportEntryValues(cl CodeLocation, arg interface{}) error {
+func (g ginkgoErrors) TooManyReportEntryValues(cl CodeLocation, arg any) error {
 	return GinkgoError{
 		Heading:      "Too Many ReportEntry Values",
 		Message:      formatter.F(`{{bold}}AddGinkgoReport{{/}} can only be given one value. Got unexpected value: %#v`, arg),
@@ -432,6 +432,24 @@ func (g ginkgoErrors) InvalidEmptyLabel(cl CodeLocation) error {
 	}
 }
 
+func (g ginkgoErrors) InvalidSemVerConstraint(semVerConstraint, errMsg string, cl CodeLocation) error {
+	return GinkgoError{
+		Heading:      "Invalid SemVerConstraint",
+		Message:      fmt.Sprintf("'%s' is an invalid SemVerConstraint: %s", semVerConstraint, errMsg),
+		CodeLocation: cl,
+		DocLink:      "spec-semantic-version-filtering",
+	}
+}
+
+func (g ginkgoErrors) InvalidEmptySemVerConstraint(cl CodeLocation) error {
+	return GinkgoError{
+		Heading:      "Invalid Empty SemVerConstraint",
+		Message:      "SemVerConstraint cannot be empty",
+		CodeLocation: cl,
+		DocLink:      "spec-semantic-version-filtering",
+	}
+}
+
 /* Table errors */
 func (g ginkgoErrors) MultipleEntryBodyFunctionsForTable(cl CodeLocation) error {
 	return GinkgoError{
@@ -539,7 +557,7 @@ func (g ginkgoErrors) SynchronizedBeforeSuiteDisappearedOnProc1() error {
 
 /* Configuration errors */
 
-func (g ginkgoErrors) UnknownTypePassedToRunSpecs(value interface{}) error {
+func (g ginkgoErrors) UnknownTypePassedToRunSpecs(value any) error {
 	return GinkgoError{
 		Heading: "Unknown Type passed to RunSpecs",
 		Message: fmt.Sprintf("RunSpecs() accepts labels, and configuration of type types.SuiteConfig and/or types.ReporterConfig.\n You passed in: %v", value),
@@ -629,6 +647,20 @@ func (g ginkgoErrors) BothRepeatAndUntilItFails() error {
 	}
 }
 
+func (g ginkgoErrors) ExpectFilenameNotPath(flag string, path string) error {
+	return GinkgoError{
+		Heading: fmt.Sprintf("%s expects a filename but was given a path: %s", flag, path),
+		Message: fmt.Sprintf("%s takes a filename, not a path.  Use --output-dir to specify a directory to collect all test outputs.", flag),
+	}
+}
+
+func (g ginkgoErrors) FlagAfterPositionalParameter() error {
+	return GinkgoError{
+		Heading: "Malformed arguments - detected a flag after the package liste",
+		Message: "Make sure all flags appear {{bold}}after{{/}} the Ginkgo subcommand and {{bold}}before{{/}} your list of packages (or './...').\n{{gray}}e.g. 'ginkgo run -p my_package' is valid but `ginkgo -p run my_package` is not.\n{{gray}}e.g. 'ginkgo -p -vet=\"\" ./...' is valid but 'ginkgo -p ./... -vet=\"\"' is not{{/}}",
+	}
+}
+
 /* Stack-Trace parsing errors */
 
 func (g ginkgoErrors) FailedToParseStackTrace(message string) error {
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/flags.go b/vendor/github.com/onsi/ginkgo/v2/types/flags.go
index de69f3022def9..8409653f971dd 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/flags.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/flags.go
@@ -92,7 +92,7 @@ func (gfs GinkgoFlagSections) Lookup(key string) (GinkgoFlagSection, bool) {
 
 type GinkgoFlagSet struct {
 	flags    GinkgoFlags
-	bindings interface{}
+	bindings any
 
 	sections            GinkgoFlagSections
 	extraGoFlagsSection GinkgoFlagSection
@@ -101,7 +101,7 @@ type GinkgoFlagSet struct {
 }
 
 // Call NewGinkgoFlagSet to create GinkgoFlagSet that creates and binds to it's own *flag.FlagSet
-func NewGinkgoFlagSet(flags GinkgoFlags, bindings interface{}, sections GinkgoFlagSections) (GinkgoFlagSet, error) {
+func NewGinkgoFlagSet(flags GinkgoFlags, bindings any, sections GinkgoFlagSections) (GinkgoFlagSet, error) {
 	return bindFlagSet(GinkgoFlagSet{
 		flags:    flags,
 		bindings: bindings,
@@ -110,7 +110,7 @@ func NewGinkgoFlagSet(flags GinkgoFlags, bindings interface{}, sections GinkgoFl
 }
 
 // Call NewGinkgoFlagSet to create GinkgoFlagSet that extends an existing *flag.FlagSet
-func NewAttachedGinkgoFlagSet(flagSet *flag.FlagSet, flags GinkgoFlags, bindings interface{}, sections GinkgoFlagSections, extraGoFlagsSection GinkgoFlagSection) (GinkgoFlagSet, error) {
+func NewAttachedGinkgoFlagSet(flagSet *flag.FlagSet, flags GinkgoFlags, bindings any, sections GinkgoFlagSections, extraGoFlagsSection GinkgoFlagSection) (GinkgoFlagSet, error) {
 	return bindFlagSet(GinkgoFlagSet{
 		flags:               flags,
 		bindings:            bindings,
@@ -335,7 +335,7 @@ func (f GinkgoFlagSet) substituteUsage() {
 	fmt.Fprintln(f.flagSet.Output(), f.Usage())
 }
 
-func valueAtKeyPath(root interface{}, keyPath string) (reflect.Value, bool) {
+func valueAtKeyPath(root any, keyPath string) (reflect.Value, bool) {
 	if len(keyPath) == 0 {
 		return reflect.Value{}, false
 	}
@@ -433,7 +433,7 @@ func (ssv stringSliceVar) Set(s string) error {
 }
 
 // given a set of GinkgoFlags and bindings, generate flag arguments suitable to be passed to an application with that set of flags configured.
-func GenerateFlagArgs(flags GinkgoFlags, bindings interface{}) ([]string, error) {
+func GenerateFlagArgs(flags GinkgoFlags, bindings any) ([]string, error) {
 	result := []string{}
 	for _, flag := range flags {
 		name := flag.ExportAs
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
index 7fdc8aa23f392..40a909b6d5430 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
@@ -343,7 +343,7 @@ func tokenize(input string) func() (*treeNode, error) {
 	consumeUntil := func(cutset string) (string, int) {
 		j := i
 		for ; j < len(runes); j++ {
-			if strings.IndexRune(cutset, runes[j]) >= 0 {
+			if strings.ContainsRune(cutset, runes[j]) {
 				break
 			}
 		}
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/report_entry.go b/vendor/github.com/onsi/ginkgo/v2/types/report_entry.go
index 7b1524b52e85b..63f7a9f6dad38 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/report_entry.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/report_entry.go
@@ -9,18 +9,18 @@ import (
 // ReportEntryValue wraps a report entry's value ensuring it can be encoded and decoded safely into reports
 // and across the network connection when running in parallel
 type ReportEntryValue struct {
-	raw            interface{} //unexported to prevent gob from freaking out about unregistered structs
+	raw            any //unexported to prevent gob from freaking out about unregistered structs
 	AsJSON         string
 	Representation string
 }
 
-func WrapEntryValue(value interface{}) ReportEntryValue {
+func WrapEntryValue(value any) ReportEntryValue {
 	return ReportEntryValue{
 		raw: value,
 	}
 }
 
-func (rev ReportEntryValue) GetRawValue() interface{} {
+func (rev ReportEntryValue) GetRawValue() any {
 	return rev.raw
 }
 
@@ -118,7 +118,7 @@ func (entry ReportEntry) StringRepresentation() string {
 // If used from a rehydrated JSON file _or_ in a ReportAfterSuite when running in parallel this will be
 // a JSON-decoded {}interface.  If you want to reconstitute your original object you can decode the entry.Value.AsJSON
 // field yourself.
-func (entry ReportEntry) GetRawValue() interface{} {
+func (entry ReportEntry) GetRawValue() any {
 	return entry.Value.GetRawValue()
 }
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go b/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go
new file mode 100644
index 0000000000000..3fc2ed144bdc5
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go
@@ -0,0 +1,60 @@
+package types
+
+import (
+	"fmt"
+
+	"github.com/Masterminds/semver/v3"
+)
+
+type SemVerFilter func([]string) bool
+
+func MustParseSemVerFilter(input string) SemVerFilter {
+	filter, err := ParseSemVerFilter(input)
+	if err != nil {
+		panic(err)
+	}
+	return filter
+}
+
+func ParseSemVerFilter(filterVersion string) (SemVerFilter, error) {
+	if filterVersion == "" {
+		return func(_ []string) bool { return true }, nil
+	}
+
+	targetVersion, err := semver.NewVersion(filterVersion)
+	if err != nil {
+		return nil, fmt.Errorf("invalid filter version: %w", err)
+	}
+
+	return func(constraints []string) bool {
+		// unconstrained specs always run
+		if len(constraints) == 0 {
+			return true
+		}
+
+		for _, constraintStr := range constraints {
+			constraint, err := semver.NewConstraint(constraintStr)
+			if err != nil {
+				return false
+			}
+
+			if !constraint.Check(targetVersion) {
+				return false
+			}
+		}
+
+		return true
+	}, nil
+}
+
+func ValidateAndCleanupSemVerConstraint(semVerConstraint string, cl CodeLocation) (string, error) {
+	if len(semVerConstraint) == 0 {
+		return "", GinkgoErrors.InvalidEmptySemVerConstraint(cl)
+	}
+	_, err := semver.NewConstraint(semVerConstraint)
+	if err != nil {
+		return "", GinkgoErrors.InvalidSemVerConstraint(semVerConstraint, err.Error(), cl)
+	}
+
+	return semVerConstraint, nil
+}
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/types.go b/vendor/github.com/onsi/ginkgo/v2/types/types.go
index ddcbec1ba8ad3..9981a0dd686e2 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/types.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/types.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -19,6 +20,57 @@ func init() {
 	}
 }
 
+// ConstructionNodeReport captures information about a Ginkgo spec.
+type ConstructionNodeReport struct {
+	// ContainerHierarchyTexts is a slice containing the text strings of
+	// all Describe/Context/When containers in this spec's hierarchy.
+	ContainerHierarchyTexts []string
+
+	// ContainerHierarchyLocations is a slice containing the CodeLocations of
+	// all Describe/Context/When containers in this spec's hierarchy.
+	ContainerHierarchyLocations []CodeLocation
+
+	// ContainerHierarchyLabels is a slice containing the labels of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchyLabels [][]string
+
+	// ContainerHierarchySemVerConstraints is a slice containing the semVerConstraints of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchySemVerConstraints [][]string
+
+	// IsSerial captures whether the any container has the Serial decorator
+	IsSerial bool
+
+	// IsInOrderedContainer captures whether any container is an Ordered container
+	IsInOrderedContainer bool
+}
+
+// FullText returns a concatenation of all the report.ContainerHierarchyTexts and report.LeafNodeText
+func (report ConstructionNodeReport) FullText() string {
+	texts := []string{}
+	texts = append(texts, report.ContainerHierarchyTexts...)
+	texts = slices.DeleteFunc(texts, func(t string) bool {
+		return t == ""
+	})
+	return strings.Join(texts, " ")
+}
+
+// Labels returns a deduped set of all the spec's Labels.
+func (report ConstructionNodeReport) Labels() []string {
+	out := []string{}
+	seen := map[string]bool{}
+	for _, labels := range report.ContainerHierarchyLabels {
+		for _, label := range labels {
+			if !seen[label] {
+				seen[label] = true
+				out = append(out, label)
+			}
+		}
+	}
+
+	return out
+}
+
 // Report captures information about a Ginkgo test run
 type Report struct {
 	//SuitePath captures the absolute path to the test suite
@@ -30,6 +82,9 @@ type Report struct {
 	//SuiteLabels captures any labels attached to the suite by the DSL's RunSpecs() function
 	SuiteLabels []string
 
+	//SuiteSemVerConstraints captures any semVerConstraints attached to the suite by the DSL's RunSpecs() function
+	SuiteSemVerConstraints []string
+
 	//SuiteSucceeded captures the success or failure status of the test run
 	//If true, the test run is considered successful.
 	//If false, the test run is considered unsuccessful
@@ -129,13 +184,21 @@ type SpecReport struct {
 	// all Describe/Context/When containers in this spec's hierarchy
 	ContainerHierarchyLabels [][]string
 
-	// LeafNodeType, LeadNodeLocation, LeafNodeLabels and LeafNodeText capture the NodeType, CodeLocation, and text
+	// ContainerHierarchySemVerConstraints is a slice containing the semVerConstraints of
+	// all Describe/Context/When containers in this spec's hierarchy
+	ContainerHierarchySemVerConstraints [][]string
+
+	// LeafNodeType, LeafNodeLocation, LeafNodeLabels, LeafNodeSemVerConstraints and LeafNodeText capture the NodeType, CodeLocation, and text
 	// of the Ginkgo node being tested (typically an NodeTypeIt node, though this can also be
 	// one of the NodeTypesForSuiteLevelNodes node types)
-	LeafNodeType     NodeType
-	LeafNodeLocation CodeLocation
-	LeafNodeLabels   []string
-	LeafNodeText     string
+	LeafNodeType              NodeType
+	LeafNodeLocation          CodeLocation
+	LeafNodeLabels            []string
+	LeafNodeSemVerConstraints []string
+	LeafNodeText              string
+
+	// Captures the Spec Priority
+	SpecPriority int
 
 	// State captures whether the spec has passed, failed, etc.
 	State SpecState
@@ -198,48 +261,52 @@ type SpecReport struct {
 func (report SpecReport) MarshalJSON() ([]byte, error) {
 	//All this to avoid emitting an empty Failure struct in the JSON
 	out := struct {
-		ContainerHierarchyTexts     []string
-		ContainerHierarchyLocations []CodeLocation
-		ContainerHierarchyLabels    [][]string
-		LeafNodeType                NodeType
-		LeafNodeLocation            CodeLocation
-		LeafNodeLabels              []string
-		LeafNodeText                string
-		State                       SpecState
-		StartTime                   time.Time
-		EndTime                     time.Time
-		RunTime                     time.Duration
-		ParallelProcess             int
-		Failure                     *Failure `json:",omitempty"`
-		NumAttempts                 int
-		MaxFlakeAttempts            int
-		MaxMustPassRepeatedly       int
-		CapturedGinkgoWriterOutput  string              `json:",omitempty"`
-		CapturedStdOutErr           string              `json:",omitempty"`
-		ReportEntries               ReportEntries       `json:",omitempty"`
-		ProgressReports             []ProgressReport    `json:",omitempty"`
-		AdditionalFailures          []AdditionalFailure `json:",omitempty"`
-		SpecEvents                  SpecEvents          `json:",omitempty"`
+		ContainerHierarchyTexts             []string
+		ContainerHierarchyLocations         []CodeLocation
+		ContainerHierarchyLabels            [][]string
+		ContainerHierarchySemVerConstraints [][]string
+		LeafNodeType                        NodeType
+		LeafNodeLocation                    CodeLocation
+		LeafNodeLabels                      []string
+		LeafNodeSemVerConstraints           []string
+		LeafNodeText                        string
+		State                               SpecState
+		StartTime                           time.Time
+		EndTime                             time.Time
+		RunTime                             time.Duration
+		ParallelProcess                     int
+		Failure                             *Failure `json:",omitempty"`
+		NumAttempts                         int
+		MaxFlakeAttempts                    int
+		MaxMustPassRepeatedly               int
+		CapturedGinkgoWriterOutput          string              `json:",omitempty"`
+		CapturedStdOutErr                   string              `json:",omitempty"`
+		ReportEntries                       ReportEntries       `json:",omitempty"`
+		ProgressReports                     []ProgressReport    `json:",omitempty"`
+		AdditionalFailures                  []AdditionalFailure `json:",omitempty"`
+		SpecEvents                          SpecEvents          `json:",omitempty"`
 	}{
-		ContainerHierarchyTexts:     report.ContainerHierarchyTexts,
-		ContainerHierarchyLocations: report.ContainerHierarchyLocations,
-		ContainerHierarchyLabels:    report.ContainerHierarchyLabels,
-		LeafNodeType:                report.LeafNodeType,
-		LeafNodeLocation:            report.LeafNodeLocation,
-		LeafNodeLabels:              report.LeafNodeLabels,
-		LeafNodeText:                report.LeafNodeText,
-		State:                       report.State,
-		StartTime:                   report.StartTime,
-		EndTime:                     report.EndTime,
-		RunTime:                     report.RunTime,
-		ParallelProcess:             report.ParallelProcess,
-		Failure:                     nil,
-		ReportEntries:               nil,
-		NumAttempts:                 report.NumAttempts,
-		MaxFlakeAttempts:            report.MaxFlakeAttempts,
-		MaxMustPassRepeatedly:       report.MaxMustPassRepeatedly,
-		CapturedGinkgoWriterOutput:  report.CapturedGinkgoWriterOutput,
-		CapturedStdOutErr:           report.CapturedStdOutErr,
+		ContainerHierarchyTexts:             report.ContainerHierarchyTexts,
+		ContainerHierarchyLocations:         report.ContainerHierarchyLocations,
+		ContainerHierarchyLabels:            report.ContainerHierarchyLabels,
+		ContainerHierarchySemVerConstraints: report.ContainerHierarchySemVerConstraints,
+		LeafNodeType:                        report.LeafNodeType,
+		LeafNodeLocation:                    report.LeafNodeLocation,
+		LeafNodeLabels:                      report.LeafNodeLabels,
+		LeafNodeSemVerConstraints:           report.LeafNodeSemVerConstraints,
+		LeafNodeText:                        report.LeafNodeText,
+		State:                               report.State,
+		StartTime:                           report.StartTime,
+		EndTime:                             report.EndTime,
+		RunTime:                             report.RunTime,
+		ParallelProcess:                     report.ParallelProcess,
+		Failure:                             nil,
+		ReportEntries:                       nil,
+		NumAttempts:                         report.NumAttempts,
+		MaxFlakeAttempts:                    report.MaxFlakeAttempts,
+		MaxMustPassRepeatedly:               report.MaxMustPassRepeatedly,
+		CapturedGinkgoWriterOutput:          report.CapturedGinkgoWriterOutput,
+		CapturedStdOutErr:                   report.CapturedStdOutErr,
 	}
 
 	if !report.Failure.IsZero() {
@@ -287,6 +354,9 @@ func (report SpecReport) FullText() string {
 	if report.LeafNodeText != "" {
 		texts = append(texts, report.LeafNodeText)
 	}
+	texts = slices.DeleteFunc(texts, func(t string) bool {
+		return t == ""
+	})
 	return strings.Join(texts, " ")
 }
 
@@ -312,6 +382,28 @@ func (report SpecReport) Labels() []string {
 	return out
 }
 
+// SemVerConstraints returns a deduped set of all the spec's SemVerConstraints.
+func (report SpecReport) SemVerConstraints() []string {
+	out := []string{}
+	seen := map[string]bool{}
+	for _, semVerConstraints := range report.ContainerHierarchySemVerConstraints {
+		for _, semVerConstraint := range semVerConstraints {
+			if !seen[semVerConstraint] {
+				seen[semVerConstraint] = true
+				out = append(out, semVerConstraint)
+			}
+		}
+	}
+	for _, semVerConstraint := range report.LeafNodeSemVerConstraints {
+		if !seen[semVerConstraint] {
+			seen[semVerConstraint] = true
+			out = append(out, semVerConstraint)
+		}
+	}
+
+	return out
+}
+
 // MatchesLabelFilter returns true if the spec satisfies the passed in label filter query
 func (report SpecReport) MatchesLabelFilter(query string) (bool, error) {
 	filter, err := ParseLabelFilter(query)
@@ -321,6 +413,15 @@ func (report SpecReport) MatchesLabelFilter(query string) (bool, error) {
 	return filter(report.Labels()), nil
 }
 
+// MatchesSemVerFilter returns true if the spec satisfies the passed in label filter query
+func (report SpecReport) MatchesSemVerFilter(version string) (bool, error) {
+	filter, err := ParseSemVerFilter(version)
+	if err != nil {
+		return false, err
+	}
+	return filter(report.SemVerConstraints()), nil
+}
+
 // FileName() returns the name of the file containing the spec
 func (report SpecReport) FileName() string {
 	return report.LeafNodeLocation.FileName
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/version.go b/vendor/github.com/onsi/ginkgo/v2/types/version.go
index caf3c9f5e7807..b9c1ea9856afc 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/version.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/version.go
@@ -1,3 +1,3 @@
 package types
 
-const VERSION = "2.21.0"
+const VERSION = "2.27.2"
diff --git a/vendor/github.com/onsi/gomega/CHANGELOG.md b/vendor/github.com/onsi/gomega/CHANGELOG.md
index 9f6090b8d3cb8..b7d7309f3f23c 100644
--- a/vendor/github.com/onsi/gomega/CHANGELOG.md
+++ b/vendor/github.com/onsi/gomega/CHANGELOG.md
@@ -1,3 +1,76 @@
+## 1.38.2
+
+- roll back to go 1.23.0 [c404969]
+
+## 1.38.1
+
+### Fixes
+
+Numerous minor fixes and dependency bumps
+
+## 1.38.0
+
+### Features
+- gstruct handles extra unexported fields [4ee7ed0]
+
+### Fixes
+- support [] in IgnoringTopFunction function signatures (#851) [36bbf72]
+
+### Maintenance
+- Bump golang.org/x/net from 0.40.0 to 0.41.0 (#846) [529d408]
+- Fix typo [acd1f55]
+- Bump google.golang.org/protobuf from 1.36.5 to 1.36.6 (#835) [bae65a0]
+- Bump nokogiri from 1.18.4 to 1.18.8 in /docs (#842) [8dda91f]
+- Bump golang.org/x/net from 0.39.0 to 0.40.0 (#843) [212d812]
+- Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#839) [59bd7f9]
+- Bump nokogiri from 1.18.1 to 1.18.4 in /docs (#834) [328c729]
+- Bump uri from 1.0.2 to 1.0.3 in /docs (#826) [9a798a1]
+- Bump golang.org/x/net from 0.37.0 to 0.39.0 (#841) [04a72c6]
+
+## 1.37.0
+
+### Features
+- add To/ToNot/NotTo aliases for AsyncAssertion [5666f98]
+
+## 1.36.3
+
+### Maintenance
+
+- bump all the things [adb8b49]
+- chore: replace `interface{}` with `any` [7613216]
+- Bump google.golang.org/protobuf from 1.36.1 to 1.36.5 (#822) [9fe5259]
+- remove spurious "toolchain" from go.mod (#819) [a0e85b9]
+- Bump golang.org/x/net from 0.33.0 to 0.35.0 (#823) [604a8b1]
+- Bump activesupport from 6.0.6.1 to 6.1.7.5 in /docs (#772) [36fbc84]
+- Bump github-pages from 231 to 232 in /docs (#778) [ced70d7]
+- Bump rexml from 3.2.6 to 3.3.9 in /docs (#788) [c8b4a07]
+- Bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 (#812) [06431b9]
+- Bump webrick from 1.8.1 to 1.9.1 in /docs (#800) [b55a92d]
+- Fix typos (#813) [a1d518b]
+
+## 1.36.2
+
+### Maintenance
+- Bump google.golang.org/protobuf from 1.35.1 to 1.36.1 (#810) [9a7609d]
+- Bump golang.org/x/net from 0.30.0 to 0.33.0 (#807) [b6cb028]
+- Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.22.1 (#808) [5756529]
+- Bump nokogiri from 1.16.3 to 1.16.5 in /docs (#757) [dabc12e]
+
+## 1.36.1
+
+### Fixes
+- Fix https://github.com/onsi/gomega/issues/803 [1c6c112]
+- resolves onsi/gomega#696: make HaveField great on pointer receivers given only a non-addressable value [4feb9d7]
+
+## 1.36.0
+
+### Features
+- new: make collection-related matchers Go 1.23 iterator aware [4c964c6]
+
+### Maintenance
+- Replace min/max helpers with built-in min/max [ece6872]
+- Fix some typos in docs [8e924d7]
+
 ## 1.35.1
 
 ### Fixes
@@ -299,7 +372,7 @@ Require Go 1.22+
 
 ### Features
 
-Introducting [gcustom](https://onsi.github.io/gomega/#gcustom-a-convenient-mechanism-for-buildling-custom-matchers) - a convenient mechanism for building custom matchers.
+Introducing [gcustom](https://onsi.github.io/gomega/#gcustom-a-convenient-mechanism-for-buildling-custom-matchers) - a convenient mechanism for building custom matchers.
 
 This is an RC release for `gcustom`.  The external API may be tweaked in response to feedback however it is expected to remain mostly stable.
 
@@ -438,7 +511,7 @@ These improvements are all documented in [Gomega's docs](https://onsi.github.io/
 - Fix max number of samples in experiments on non-64-bit systems. (#528) [1c84497]
 - Remove dependency on ginkgo v1.16.4 (#530) [4dea8d5]
 - Fix for Go 1.18 (#532) [56d2a29]
-- Document precendence of timeouts (#533) [b607941]
+- Document precedence of timeouts (#533) [b607941]
 
 ## 1.18.1
 
@@ -455,7 +528,7 @@ These improvements are all documented in [Gomega's docs](https://onsi.github.io/
 ## Fixes
 - Gomega now uses ioutil for Go 1.15 and lower (#492) - official support is only for the most recent two major versions of Go but this will unblock users who need to stay on older unsupported versions of Go. [c29c1c0]
 
-## Maintenace
+## Maintenance
 - Remove Travis workflow (#491) [72e6040]
 - Upgrade to Ginkgo 2.0.0 GA [f383637]
 - chore: fix description of HaveField matcher (#487) [2b4b2c0]
@@ -703,7 +776,7 @@ Improvements:
 
 - Added `BeSent` which attempts to send a value down a channel and fails if the attempt blocks.  Can be paired with `Eventually` to safely send a value down a channel with a timeout.
 - `Ω`, `Expect`, `Eventually`, and `Consistently` now immediately `panic` if there is no registered fail handler.  This is always a mistake that can hide failing tests.
-- `Receive()` no longer errors when passed a closed channel, it's perfectly fine to attempt to read from a closed channel so Ω(c).Should(Receive()) always fails and Ω(c).ShoudlNot(Receive()) always passes with a closed channel.
+- `Receive()` no longer errors when passed a closed channel, it's perfectly fine to attempt to read from a closed channel so Ω(c).Should(Receive()) always fails and Ω(c).ShouldNot(Receive()) always passes with a closed channel.
 - Added `HavePrefix` and `HaveSuffix` matchers.
 - `ghttp` can now handle concurrent requests.
 - Added `Succeed` which allows one to write `Ω(MyFunction()).Should(Succeed())`.
@@ -713,7 +786,7 @@ Improvements:
 - `ghttp` servers can take an `io.Writer`.  `ghttp` will write a line to the writer when each request arrives.
 - Added `WithTransform` matcher to allow munging input data before feeding into the relevant matcher
 - Added boolean `And`, `Or`, and `Not` matchers to allow creating composite matchers
-- Added `gbytes.TimeoutCloser`, `gbytes.TimeoutReader`, and `gbytes.TimeoutWriter` - these are convenience wrappers that timeout if the underlying Closer/Reader/Writer does not return within the alloted time.
+- Added `gbytes.TimeoutCloser`, `gbytes.TimeoutReader`, and `gbytes.TimeoutWriter` - these are convenience wrappers that timeout if the underlying Closer/Reader/Writer does not return within the allotted time.
 - Added `gbytes.BufferReader` - this constructs a `gbytes.Buffer` that asynchronously reads the passed-in `io.Reader` into its buffer.
 
 Bug Fixes:
@@ -758,7 +831,7 @@ New Matchers:
 
 Updated Matchers:
 
-- `Receive` matcher can take a matcher as an argument and passes only if the channel under test receives an objet that satisfies the passed-in matcher.
+- `Receive` matcher can take a matcher as an argument and passes only if the channel under test receives an object that satisfies the passed-in matcher.
 - Matchers that implement `MatchMayChangeInTheFuture(actual interface{}) bool` can inform `Eventually` and/or `Consistently` when a match has no chance of changing status in the future.  For example, `Receive` returns `false` when a channel is closed.
 
 Misc:
diff --git a/vendor/github.com/onsi/gomega/format/format.go b/vendor/github.com/onsi/gomega/format/format.go
index 6c1680638bf92..96f04b21045e6 100644
--- a/vendor/github.com/onsi/gomega/format/format.go
+++ b/vendor/github.com/onsi/gomega/format/format.go
@@ -57,7 +57,7 @@ var Indent = "    "
 
 var longFormThreshold = 20
 
-// GomegaStringer allows for custom formating of objects for gomega.
+// GomegaStringer allows for custom formatting of objects for gomega.
 type GomegaStringer interface {
 	// GomegaString will be used to custom format an object.
 	// It does not follow UseStringerRepresentation value and will always be called regardless.
@@ -73,7 +73,7 @@ If the CustomFormatter does not want to handle the object it should return ("",
 
 Strings returned by CustomFormatters are not truncated
 */
-type CustomFormatter func(value interface{}) (string, bool)
+type CustomFormatter func(value any) (string, bool)
 type CustomFormatterKey uint
 
 var customFormatterKey CustomFormatterKey = 1
@@ -125,7 +125,7 @@ If expected is omitted, then the message looks like:
 		<pretty printed actual>
 	<message>
 */
-func Message(actual interface{}, message string, expected ...interface{}) string {
+func Message(actual any, message string, expected ...any) string {
 	if len(expected) == 0 {
 		return fmt.Sprintf("Expected\n%s\n%s", Object(actual, 1), message)
 	}
@@ -255,7 +255,7 @@ recursing into the object.
 
 Set PrintContextObjects to true to print the content of objects implementing context.Context
 */
-func Object(object interface{}, indentation uint) string {
+func Object(object any, indentation uint) string {
 	indent := strings.Repeat(Indent, int(indentation))
 	value := reflect.ValueOf(object)
 	commonRepresentation := ""
@@ -392,7 +392,7 @@ func formatValue(value reflect.Value, indentation uint) string {
 	}
 }
 
-func formatString(object interface{}, indentation uint) string {
+func formatString(object any, indentation uint) string {
 	if indentation == 1 {
 		s := fmt.Sprintf("%s", object)
 		components := strings.Split(s, "\n")
diff --git a/vendor/github.com/onsi/gomega/gcustom/make_matcher.go b/vendor/github.com/onsi/gomega/gcustom/make_matcher.go
index 5372fa441e1b6..ca556ceb002bf 100644
--- a/vendor/github.com/onsi/gomega/gcustom/make_matcher.go
+++ b/vendor/github.com/onsi/gomega/gcustom/make_matcher.go
@@ -12,7 +12,7 @@ import (
 	"github.com/onsi/gomega/format"
 )
 
-var interfaceType = reflect.TypeOf((*interface{})(nil)).Elem()
+var interfaceType = reflect.TypeOf((*any)(nil)).Elem()
 var errInterface = reflect.TypeOf((*error)(nil)).Elem()
 
 var defaultTemplate = template.Must(ParseTemplate("{{if .Failure}}Custom matcher failed for:{{else}}Custom matcher succeeded (but was expected to fail) for:{{end}}\n{{.FormattedActual}}"))
@@ -191,7 +191,7 @@ func (c CustomGomegaMatcher) WithTemplate(templ string, data ...any) CustomGomeg
 /*
 WithPrecompiledTemplate returns a CustomGomegaMatcher configured to use the passed-in template.  The template should be precompiled with gcustom.ParseTemplate().
 
-As with WithTemplate() you can provide a single pice of additional data as an optional argument.  This is accessed in the template via {{.Data}}
+As with WithTemplate() you can provide a single piece of additional data as an optional argument.  This is accessed in the template via {{.Data}}
 */
 func (c CustomGomegaMatcher) WithPrecompiledTemplate(templ *template.Template, data ...any) CustomGomegaMatcher {
 	c.templateMessage = templ
diff --git a/vendor/github.com/onsi/gomega/gmeasure/cache.go b/vendor/github.com/onsi/gomega/gmeasure/cache.go
index 27fab63757a1c..4717e8df33a9c 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/cache.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/cache.go
@@ -106,7 +106,7 @@ func (cache ExperimentCache) Clear() error {
 }
 
 /*
-Load fetches an experiment from the cache.  Lookup occurs by name.  Load requires that the version numer in the cache is equal to or greater than the passed-in version.
+Load fetches an experiment from the cache.  Lookup occurs by name.  Load requires that the version number in the cache is equal to or greater than the passed-in version.
 
 If an experiment with corresponding name and version >= the passed-in version is found, it is unmarshaled and returned.
 
@@ -114,42 +114,42 @@ If no experiment is found, or the cached version is smaller than the passed-in v
 
 When paired with Ginkgo you can cache experiments and prevent potentially expensive recomputation with this pattern:
 
-	const EXPERIMENT_VERSION = 1 //bump this to bust the cache and recompute _all_ experiments
-
-    Describe("some experiments", func() {
-    	var cache gmeasure.ExperimentCache
-    	var experiment *gmeasure.Experiment
-
-    	BeforeEach(func() {
-    		cache = gmeasure.NewExperimentCache("./gmeasure-cache")
-    		name := CurrentSpecReport().LeafNodeText
-    		experiment = cache.Load(name, EXPERIMENT_VERSION)
-    		if experiment != nil {
-    			AddReportEntry(experiment)
-    			Skip("cached")
-    		}
-    		experiment = gmeasure.NewExperiment(name)
-			AddReportEntry(experiment)
-    	})
-
-    	It("foo runtime", func() {
-    		experiment.SampleDuration("runtime", func() {
-    			//do stuff
-    		}, gmeasure.SamplingConfig{N:100})
-    	})
-
-    	It("bar runtime", func() {
-    		experiment.SampleDuration("runtime", func() {
-    			//do stuff
-    		}, gmeasure.SamplingConfig{N:100})
-    	})
-
-    	AfterEach(func() {
-    		if !CurrentSpecReport().State.Is(types.SpecStateSkipped) {
-	    		cache.Save(experiment.Name, EXPERIMENT_VERSION, experiment)
-	    	}
-    	})
-    })
+		const EXPERIMENT_VERSION = 1 //bump this to bust the cache and recompute _all_ experiments
+
+	    Describe("some experiments", func() {
+	    	var cache gmeasure.ExperimentCache
+	    	var experiment *gmeasure.Experiment
+
+	    	BeforeEach(func() {
+	    		cache = gmeasure.NewExperimentCache("./gmeasure-cache")
+	    		name := CurrentSpecReport().LeafNodeText
+	    		experiment = cache.Load(name, EXPERIMENT_VERSION)
+	    		if experiment != nil {
+	    			AddReportEntry(experiment)
+	    			Skip("cached")
+	    		}
+	    		experiment = gmeasure.NewExperiment(name)
+				AddReportEntry(experiment)
+	    	})
+
+	    	It("foo runtime", func() {
+	    		experiment.SampleDuration("runtime", func() {
+	    			//do stuff
+	    		}, gmeasure.SamplingConfig{N:100})
+	    	})
+
+	    	It("bar runtime", func() {
+	    		experiment.SampleDuration("runtime", func() {
+	    			//do stuff
+	    		}, gmeasure.SamplingConfig{N:100})
+	    	})
+
+	    	AfterEach(func() {
+	    		if !CurrentSpecReport().State.Is(types.SpecStateSkipped) {
+		    		cache.Save(experiment.Name, EXPERIMENT_VERSION, experiment)
+		    	}
+	    	})
+	    })
 */
 func (cache ExperimentCache) Load(name string, version int) *Experiment {
 	path := filepath.Join(cache.Path, cache.hashOf(name)+CACHE_EXT)
diff --git a/vendor/github.com/onsi/gomega/gmeasure/experiment.go b/vendor/github.com/onsi/gomega/gmeasure/experiment.go
index a8341c5e662f6..9d1b74a78b8a4 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/experiment.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/experiment.go
@@ -22,9 +22,9 @@ Once measurements are complete, an Experiment can generate a comprehensive repor
 
 Users can also access and analyze the resulting Measurements directly.  Use Experiment.Get(NAME) to fetch the Measurement named NAME.  This returned struct will have fields containing
 all the data points and annotations recorded by the experiment.  You can subsequently fetch the Measurement.Stats() to get a Stats struct that contains basic statistical information about the
-Measurement (min, max, median, mean, standard deviation).  You can order these Stats objects using RankStats() to identify best/worst performers across multpile experiments or measurements.
+Measurement (min, max, median, mean, standard deviation).  You can order these Stats objects using RankStats() to identify best/worst performers across multiple experiments or measurements.
 
-gmeasure also supports caching Experiments via an ExperimentCache.  The cache supports storing and retreiving experiments by name and version.  This allows you to rerun code without
+gmeasure also supports caching Experiments via an ExperimentCache.  The cache supports storing and retrieving experiments by name and version.  This allows you to rerun code without
 repeating expensive experiments that may not have changed (which can be controlled by the cache version number).  It also enables you to compare new experiment runs with older runs to detect
 variations in performance/behavior.
 
@@ -66,8 +66,8 @@ type SamplingConfig struct {
 
 // The Units decorator allows you to specify units (an arbitrary string) when recording values.  It is ignored when recording durations.
 //
-//     e := gmeasure.NewExperiment("My Experiment")
-//     e.RecordValue("length", 3.141, gmeasure.Units("inches"))
+//	e := gmeasure.NewExperiment("My Experiment")
+//	e.RecordValue("length", 3.141, gmeasure.Units("inches"))
 //
 // Units are only set the first time a value of a given name is recorded.  In the example above any subsequent calls to e.RecordValue("length", X) will maintain the "inches" units even if a new set of Units("UNIT") are passed in later.
 type Units string
@@ -76,9 +76,9 @@ type Units string
 //
 // For example:
 //
-//     e := gmeasure.NewExperiment("My Experiment")
-//     e.RecordValue("length", 3.141, gmeasure.Annotation("bob"))
-//     e.RecordValue("length", 2.71, gmeasure.Annotation("jane"))
+//	e := gmeasure.NewExperiment("My Experiment")
+//	e.RecordValue("length", 3.141, gmeasure.Annotation("bob"))
+//	e.RecordValue("length", 2.71, gmeasure.Annotation("jane"))
 //
 // ...will result in a Measurement named "length" that records two values )[3.141, 2.71]) annotation with (["bob", "jane"])
 type Annotation string
@@ -88,11 +88,11 @@ type Annotation string
 //
 // For example:
 //
-//     e := gmeasure.NewExperiment("My Experiment")
-//     e.RecordValue("length", 3.141, gmeasure.Style("{{blue}}{{bold}}"))
-//     e.RecordValue("length", 2.71)
-//     e.RecordDuration("cooking time", 3 * time.Second, gmeasure.Style("{{red}}{{underline}}"))
-//     e.RecordDuration("cooking time", 2 * time.Second)
+//	e := gmeasure.NewExperiment("My Experiment")
+//	e.RecordValue("length", 3.141, gmeasure.Style("{{blue}}{{bold}}"))
+//	e.RecordValue("length", 2.71)
+//	e.RecordDuration("cooking time", 3 * time.Second, gmeasure.Style("{{red}}{{underline}}"))
+//	e.RecordDuration("cooking time", 2 * time.Second)
 //
 // will emit a report with blue bold entries for the length measurement and red underlined entries for the cooking time measurement.
 //
@@ -112,12 +112,12 @@ type PrecisionBundle struct {
 //
 // For example:
 //
-//     e := gmeasure.NewExperiment("My Experiment")
-//     e.RecordValue("length", 3.141, gmeasure.Precision(2))
-//     e.RecordValue("length", 2.71)
-//     e.RecordDuration("cooking time", 3214 * time.Millisecond, gmeasure.Precision(100*time.Millisecond))
-//     e.RecordDuration("cooking time", 2623 * time.Millisecond)
-func Precision(p interface{}) PrecisionBundle {
+//	e := gmeasure.NewExperiment("My Experiment")
+//	e.RecordValue("length", 3.141, gmeasure.Precision(2))
+//	e.RecordValue("length", 2.71)
+//	e.RecordDuration("cooking time", 3214 * time.Millisecond, gmeasure.Precision(100*time.Millisecond))
+//	e.RecordDuration("cooking time", 2623 * time.Millisecond)
+func Precision(p any) PrecisionBundle {
 	out := DefaultPrecisionBundle
 	switch reflect.TypeOf(p) {
 	case reflect.TypeOf(time.Duration(0)):
@@ -143,7 +143,7 @@ type extractedDecorations struct {
 	style           Style
 }
 
-func extractDecorations(args []interface{}) extractedDecorations {
+func extractDecorations(args []any) extractedDecorations {
 	var out extractedDecorations
 	out.precisionBundle = DefaultPrecisionBundle
 
@@ -248,7 +248,7 @@ RecordNote records a Measurement of type MeasurementTypeNote - this is simply a
 
 RecordNote supports the Style() decoration.
 */
-func (e *Experiment) RecordNote(note string, args ...interface{}) {
+func (e *Experiment) RecordNote(note string, args ...any) {
 	decorations := extractDecorations(args)
 
 	e.lock.Lock()
@@ -266,7 +266,7 @@ RecordDuration records the passed-in duration on a Duration Measurement with the
 
 RecordDuration supports the Style(), Precision(), and Annotation() decorations.
 */
-func (e *Experiment) RecordDuration(name string, duration time.Duration, args ...interface{}) {
+func (e *Experiment) RecordDuration(name string, duration time.Duration, args ...any) {
 	decorations := extractDecorations(args)
 	e.recordDuration(name, duration, decorations)
 }
@@ -276,7 +276,7 @@ MeasureDuration runs the passed-in callback and times how long it takes to compl
 
 MeasureDuration supports the Style(), Precision(), and Annotation() decorations.
 */
-func (e *Experiment) MeasureDuration(name string, callback func(), args ...interface{}) time.Duration {
+func (e *Experiment) MeasureDuration(name string, callback func(), args ...any) time.Duration {
 	t := time.Now()
 	callback()
 	duration := time.Since(t)
@@ -292,7 +292,7 @@ The callback is given a zero-based index that increments by one between samples.
 
 SampleDuration supports the Style(), Precision(), and Annotation() decorations.  When passed an Annotation() the same annotation is applied to all sample measurements.
 */
-func (e *Experiment) SampleDuration(name string, callback func(idx int), samplingConfig SamplingConfig, args ...interface{}) {
+func (e *Experiment) SampleDuration(name string, callback func(idx int), samplingConfig SamplingConfig, args ...any) {
 	decorations := extractDecorations(args)
 	e.Sample(func(idx int) {
 		t := time.Now()
@@ -308,11 +308,11 @@ The resulting durations are recorded on a Duration Measurement with the passed-i
 
 The callback is given a zero-based index that increments by one between samples.  The callback must return an Annotation - this annotation is attached to the measured duration.
 
-The Sampling is configured via the passed-in SamplingConfig
+# The Sampling is configured via the passed-in SamplingConfig
 
 SampleAnnotatedDuration supports the Style() and Precision() decorations.
 */
-func (e *Experiment) SampleAnnotatedDuration(name string, callback func(idx int) Annotation, samplingConfig SamplingConfig, args ...interface{}) {
+func (e *Experiment) SampleAnnotatedDuration(name string, callback func(idx int) Annotation, samplingConfig SamplingConfig, args ...any) {
 	decorations := extractDecorations(args)
 	e.Sample(func(idx int) {
 		t := time.Now()
@@ -359,7 +359,7 @@ RecordValue records the passed-in value on a Value Measurement with the passed-i
 
 RecordValue supports the Style(), Units(), Precision(), and Annotation() decorations.
 */
-func (e *Experiment) RecordValue(name string, value float64, args ...interface{}) {
+func (e *Experiment) RecordValue(name string, value float64, args ...any) {
 	decorations := extractDecorations(args)
 	e.recordValue(name, value, decorations)
 }
@@ -369,7 +369,7 @@ MeasureValue runs the passed-in callback and records the return value on a Value
 
 MeasureValue supports the Style(), Units(), Precision(), and Annotation() decorations.
 */
-func (e *Experiment) MeasureValue(name string, callback func() float64, args ...interface{}) float64 {
+func (e *Experiment) MeasureValue(name string, callback func() float64, args ...any) float64 {
 	value := callback()
 	e.RecordValue(name, value, args...)
 	return value
@@ -382,7 +382,7 @@ The callback is given a zero-based index that increments by one between samples.
 
 SampleValue supports the Style(), Units(), Precision(), and Annotation() decorations.  When passed an Annotation() the same annotation is applied to all sample measurements.
 */
-func (e *Experiment) SampleValue(name string, callback func(idx int) float64, samplingConfig SamplingConfig, args ...interface{}) {
+func (e *Experiment) SampleValue(name string, callback func(idx int) float64, samplingConfig SamplingConfig, args ...any) {
 	decorations := extractDecorations(args)
 	e.Sample(func(idx int) {
 		value := callback(idx)
@@ -395,11 +395,11 @@ SampleAnnotatedValue samples the passed-in callback and records the return value
 
 The callback is given a zero-based index that increments by one between samples.  The callback must return a float64 and an Annotation - the annotation is attached to the recorded value.
 
-The Sampling is configured via the passed-in SamplingConfig
+# The Sampling is configured via the passed-in SamplingConfig
 
 SampleValue supports the Style(), Units(), and Precision() decorations.
 */
-func (e *Experiment) SampleAnnotatedValue(name string, callback func(idx int) (float64, Annotation), samplingConfig SamplingConfig, args ...interface{}) {
+func (e *Experiment) SampleAnnotatedValue(name string, callback func(idx int) (float64, Annotation), samplingConfig SamplingConfig, args ...any) {
 	decorations := extractDecorations(args)
 	e.Sample(func(idx int) {
 		var value float64
@@ -463,13 +463,19 @@ func (e *Experiment) Sample(callback func(idx int), samplingConfig SamplingConfi
 	minSamplingInterval := samplingConfig.MinSamplingInterval
 
 	work := make(chan int)
-	defer close(work)
+	var wg sync.WaitGroup
+	defer func() {
+		close(work)
+		wg.Wait()
+	}()
 	if numParallel > 1 {
+		wg.Add(numParallel)
 		for worker := 0; worker < numParallel; worker++ {
 			go func() {
 				for idx := range work {
 					callback(idx)
 				}
+				wg.Done()
 			}()
 		}
 	}
diff --git a/vendor/github.com/onsi/gomega/gmeasure/rank.go b/vendor/github.com/onsi/gomega/gmeasure/rank.go
index 1544cd8f4de81..6be9105e8967c 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/rank.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/rank.go
@@ -34,7 +34,7 @@ func (s *RankingCriteria) UnmarshalJSON(b []byte) error {
 func (s RankingCriteria) MarshalJSON() ([]byte, error) { return rcEnumSupport.MarshJSON(uint(s)) }
 
 /*
-Ranking ranks a set of Stats by a specified RankingCritera.  Use RankStats to create a Ranking.
+Ranking ranks a set of Stats by a specified RankingCriteria.  Use RankStats to create a Ranking.
 
 When using Ginkgo, you can register Rankings as Report Entries via AddReportEntry.  This will emit a formatted table representing the Stats in rank-order when Ginkgo generates the report.
 */
diff --git a/vendor/github.com/onsi/gomega/gmeasure/stats.go b/vendor/github.com/onsi/gomega/gmeasure/stats.go
index 8c02e1bdf1f51..52b75a7d389be 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/stats.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/stats.go
@@ -75,7 +75,7 @@ type Stats struct {
 	// If Type is StatTypeValue then PrecisionBundle.ValueFormat is used to format any values before presentation
 	PrecisionBundle PrecisionBundle
 
-	// N represents the total number of data points in the Meassurement from which this Stat is derived
+	// N represents the total number of data points in the Measurement from which this Stat is derived
 	N int
 
 	// If Type is StatTypeValue, ValueBundle will be populated with float64s representing this Stat's statistics
@@ -97,7 +97,7 @@ func (s Stats) String() string {
 // ValueFor returns the float64 value for a particular Stat.  You should only use this if the Stats has Type StatsTypeValue
 // For example:
 //
-//    median := experiment.GetStats("length").ValueFor(gmeasure.StatMedian)
+//	median := experiment.GetStats("length").ValueFor(gmeasure.StatMedian)
 //
 // will return the median data point for the "length" Measurement.
 func (s Stats) ValueFor(stat Stat) float64 {
@@ -107,7 +107,7 @@ func (s Stats) ValueFor(stat Stat) float64 {
 // DurationFor returns the time.Duration for a particular Stat.  You should only use this if the Stats has Type StatsTypeDuration
 // For example:
 //
-//    mean := experiment.GetStats("runtime").ValueFor(gmeasure.StatMean)
+//	mean := experiment.GetStats("runtime").ValueFor(gmeasure.StatMean)
 //
 // will return the mean duration for the "runtime" Measurement.
 func (s Stats) DurationFor(stat Stat) time.Duration {
diff --git a/vendor/github.com/onsi/gomega/gmeasure/stopwatch.go b/vendor/github.com/onsi/gomega/gmeasure/stopwatch.go
index 634f11f2a4694..0da22f863e848 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/stopwatch.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/stopwatch.go
@@ -44,17 +44,17 @@ Record takes all the decorators that experiment.RecordDuration takes (e.g. Annot
 
 Note that Record does not Reset the Stopwatch.  It does, however, return the Stopwatch so the following pattern is common:
 
-    stopwatch := experiment.NewStopwatch()
-    // first expensive operation
-    stopwatch.Record("first operation").Reset() //records the duration of the first operation and resets the stopwatch.
-    // second expensive operation
-    stopwatch.Record("second operation").Reset() //records the duration of the second operation and resets the stopwatch.
+	stopwatch := experiment.NewStopwatch()
+	// first expensive operation
+	stopwatch.Record("first operation").Reset() //records the duration of the first operation and resets the stopwatch.
+	// second expensive operation
+	stopwatch.Record("second operation").Reset() //records the duration of the second operation and resets the stopwatch.
 
 omitting the Reset() after the first operation would cause the duration recorded for the second operation to include the time elapsed by both the first _and_ second operations.
 
 The Stopwatch must be running (i.e. not paused) when Record is called.
 */
-func (s *Stopwatch) Record(name string, args ...interface{}) *Stopwatch {
+func (s *Stopwatch) Record(name string, args ...any) *Stopwatch {
 	if !s.running {
 		panic("stopwatch is not running - call Resume or Reset before calling Record")
 	}
@@ -80,16 +80,15 @@ Note: You must call Resume() before you can Record() subsequent measurements.
 
 For example:
 
-    stopwatch := experiment.NewStopwatch()
-    // first expensive operation
-    stopwatch.Record("first operation").Reset()
-    // second expensive operation - part 1
-    stopwatch.Pause()
-    // something expensive that we don't care about
-    stopwatch.Resume()
-    // second expensive operation - part 2
-    stopwatch.Record("second operation").Reset() // the recorded duration captures the time elapsed during parts 1 and 2 of the second expensive operation, but not the bit in between
-
+	stopwatch := experiment.NewStopwatch()
+	// first expensive operation
+	stopwatch.Record("first operation").Reset()
+	// second expensive operation - part 1
+	stopwatch.Pause()
+	// something expensive that we don't care about
+	stopwatch.Resume()
+	// second expensive operation - part 2
+	stopwatch.Record("second operation").Reset() // the recorded duration captures the time elapsed during parts 1 and 2 of the second expensive operation, but not the bit in between
 
 The Stopwatch must be running when Pause is called.
 */
diff --git a/vendor/github.com/onsi/gomega/gmeasure/table/table.go b/vendor/github.com/onsi/gomega/gmeasure/table/table.go
index f980b9c7aac01..0a0df3b7ae82a 100644
--- a/vendor/github.com/onsi/gomega/gmeasure/table/table.go
+++ b/vendor/github.com/onsi/gomega/gmeasure/table/table.go
@@ -24,7 +24,7 @@ type Row struct {
 	Style   string
 }
 
-func R(args ...interface{}) *Row {
+func R(args ...any) *Row {
 	r := &Row{
 		Divider: "-",
 	}
@@ -94,7 +94,7 @@ type Cell struct {
 	Align    AlignType
 }
 
-func C(contents string, args ...interface{}) Cell {
+func C(contents string, args ...any) Cell {
 	c := Cell{
 		Contents: strings.Split(contents, "\n"),
 	}
@@ -354,17 +354,3 @@ func sum(s []int) int {
 	}
 	return out
 }
-
-func min(a int, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
-
-func max(a int, b int) int {
-	if a > b {
-		return a
-	}
-	return b
-}
diff --git a/vendor/github.com/onsi/gomega/gomega_dsl.go b/vendor/github.com/onsi/gomega/gomega_dsl.go
index 1038d7dd41d18..fdba34ee9dd00 100644
--- a/vendor/github.com/onsi/gomega/gomega_dsl.go
+++ b/vendor/github.com/onsi/gomega/gomega_dsl.go
@@ -22,7 +22,7 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-const GOMEGA_VERSION = "1.35.1"
+const GOMEGA_VERSION = "1.38.2"
 
 const nilGomegaPanic = `You are trying to make an assertion, but haven't registered Gomega's fail handler.
 If you're using Ginkgo then you probably forgot to put your assertion in an It().
@@ -178,7 +178,7 @@ func ensureDefaultGomegaIsConfigured() {
 // All subsequent arguments will be required to be nil/zero.
 //
 // This is convenient if you want to make an assertion on a method/function that returns
-// a value and an error - a common patter in Go.
+// a value and an error - a common pattern in Go.
 //
 // For example, given a function with signature:
 //
@@ -191,7 +191,7 @@ func ensureDefaultGomegaIsConfigured() {
 // Will succeed only if `MyAmazingThing()` returns `(3, nil)`
 //
 // Ω and Expect are identical
-func Ω(actual interface{}, extra ...interface{}) Assertion {
+func Ω(actual any, extra ...any) Assertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.Ω(actual, extra...)
 }
@@ -217,7 +217,7 @@ func Ω(actual interface{}, extra ...interface{}) Assertion {
 // Will succeed only if `MyAmazingThing()` returns `(3, nil)`
 //
 // Expect and Ω are identical
-func Expect(actual interface{}, extra ...interface{}) Assertion {
+func Expect(actual any, extra ...any) Assertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.Expect(actual, extra...)
 }
@@ -233,7 +233,7 @@ func Expect(actual interface{}, extra ...interface{}) Assertion {
 // This is most useful in helper functions that make assertions.  If you want Gomega's
 // error message to refer to the calling line in the test (as opposed to the line in the helper function)
 // set the first argument of `ExpectWithOffset` appropriately.
-func ExpectWithOffset(offset int, actual interface{}, extra ...interface{}) Assertion {
+func ExpectWithOffset(offset int, actual any, extra ...any) Assertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.ExpectWithOffset(offset, actual, extra...)
 }
@@ -319,19 +319,19 @@ you an also use Eventually().WithContext(ctx) to pass in the context.  Passed-in
 		Eventually(client.FetchCount).WithContext(ctx).WithArguments("/users").Should(BeNumerically(">=", 17))
 	}, SpecTimeout(time.Second))
 
-Either way the context pasesd to Eventually is also passed to the underlying function.  Now, when Ginkgo cancels the context both the FetchCount client and Gomega will be informed and can exit.
+Either way the context passed to Eventually is also passed to the underlying function.  Now, when Ginkgo cancels the context both the FetchCount client and Gomega will be informed and can exit.
 
 By default, when a context is passed to Eventually *without* an explicit timeout, Gomega will rely solely on the context's cancellation to determine when to stop polling.  If you want to specify a timeout in addition to the context you can do so using the .WithTimeout() method.  For example:
 
 	Eventually(client.FetchCount).WithContext(ctx).WithTimeout(10*time.Second).Should(BeNumerically(">=", 17))
 
-now either the context cacnellation or the timeout will cause Eventually to stop polling.
+now either the context cancellation or the timeout will cause Eventually to stop polling.
 
 If, instead, you would like to opt out of this behavior and have Gomega's default timeouts govern Eventuallys that take a context you can call:
 
 	EnforceDefaultTimeoutsWhenUsingContexts()
 
-in the DSL (or on a Gomega instance).  Now all calls to Eventually that take a context will fail if eitehr the context is cancelled or the default timeout elapses.
+in the DSL (or on a Gomega instance).  Now all calls to Eventually that take a context will fail if either the context is cancelled or the default timeout elapses.
 
 **Category 3: Making assertions _in_ the function passed into Eventually**
 
@@ -390,7 +390,7 @@ is equivalent to
 
 	Eventually(...).WithTimeout(10*time.Second).WithPolling(2*time.Second).WithContext(ctx).Should(...)
 */
-func Eventually(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
+func Eventually(actualOrCtx any, args ...any) AsyncAssertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.Eventually(actualOrCtx, args...)
 }
@@ -404,7 +404,7 @@ func Eventually(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
 // `EventuallyWithOffset` specifying a timeout interval (and an optional polling interval) are
 // the same as `Eventually(...).WithOffset(...).WithTimeout` or
 // `Eventually(...).WithOffset(...).WithTimeout(...).WithPolling`.
-func EventuallyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
+func EventuallyWithOffset(offset int, actualOrCtx any, args ...any) AsyncAssertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.EventuallyWithOffset(offset, actualOrCtx, args...)
 }
@@ -424,7 +424,7 @@ Consistently is useful in cases where you want to assert that something *does no
 
 This will block for 200 milliseconds and repeatedly check the channel and ensure nothing has been received.
 */
-func Consistently(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
+func Consistently(actualOrCtx any, args ...any) AsyncAssertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.Consistently(actualOrCtx, args...)
 }
@@ -435,13 +435,13 @@ func Consistently(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
 //
 // `ConsistentlyWithOffset` is the same as `Consistently(...).WithOffset` and
 // optional `WithTimeout` and `WithPolling`.
-func ConsistentlyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
+func ConsistentlyWithOffset(offset int, actualOrCtx any, args ...any) AsyncAssertion {
 	ensureDefaultGomegaIsConfigured()
 	return Default.ConsistentlyWithOffset(offset, actualOrCtx, args...)
 }
 
 /*
-StopTrying can be used to signal to Eventually and Consistentlythat they should abort and stop trying.  This always results in a failure of the assertion - and the failure message is the content of the StopTrying signal.
+StopTrying can be used to signal to Eventually and Consistently that they should abort and stop trying.  This always results in a failure of the assertion - and the failure message is the content of the StopTrying signal.
 
 You can send the StopTrying signal by either returning StopTrying("message") as an error from your passed-in function _or_ by calling StopTrying("message").Now() to trigger a panic and end execution.
 
diff --git a/vendor/github.com/onsi/gomega/gstruct/elements.go b/vendor/github.com/onsi/gomega/gstruct/elements.go
index b5e5ef2e45958..4a6114ab8ffc4 100644
--- a/vendor/github.com/onsi/gomega/gstruct/elements.go
+++ b/vendor/github.com/onsi/gomega/gstruct/elements.go
@@ -14,16 +14,17 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-//MatchAllElements succeeds if every element of a slice matches the element matcher it maps to
-//through the id function, and every element matcher is matched.
-//    idFn := func(element interface{}) string {
-//        return fmt.Sprintf("%v", element)
-//    }
+// MatchAllElements succeeds if every element of a slice matches the element matcher it maps to
+// through the id function, and every element matcher is matched.
 //
-//    Expect([]string{"a", "b"}).To(MatchAllElements(idFn, Elements{
-//        "a": Equal("a"),
-//        "b": Equal("b"),
-//    }))
+//	idFn := func(element any) string {
+//	    return fmt.Sprintf("%v", element)
+//	}
+//
+//	Expect([]string{"a", "b"}).To(MatchAllElements(idFn, Elements{
+//	    "a": Equal("a"),
+//	    "b": Equal("b"),
+//	}))
 func MatchAllElements(identifier Identifier, elements Elements) types.GomegaMatcher {
 	return &ElementsMatcher{
 		Identifier: identifier,
@@ -31,16 +32,17 @@ func MatchAllElements(identifier Identifier, elements Elements) types.GomegaMatc
 	}
 }
 
-//MatchAllElementsWithIndex succeeds if every element of a slice matches the element matcher it maps to
-//through the id with index function, and every element matcher is matched.
-//    idFn := func(index int, element interface{}) string {
-//        return strconv.Itoa(index)
-//    }
+// MatchAllElementsWithIndex succeeds if every element of a slice matches the element matcher it maps to
+// through the id with index function, and every element matcher is matched.
+//
+//	idFn := func(index int, element any) string {
+//	    return strconv.Itoa(index)
+//	}
 //
-//    Expect([]string{"a", "b"}).To(MatchAllElements(idFn, Elements{
-//        "0": Equal("a"),
-//        "1": Equal("b"),
-//    }))
+//	Expect([]string{"a", "b"}).To(MatchAllElements(idFn, Elements{
+//	    "0": Equal("a"),
+//	    "1": Equal("b"),
+//	}))
 func MatchAllElementsWithIndex(identifier IdentifierWithIndex, elements Elements) types.GomegaMatcher {
 	return &ElementsMatcher{
 		Identifier: identifier,
@@ -48,22 +50,23 @@ func MatchAllElementsWithIndex(identifier IdentifierWithIndex, elements Elements
 	}
 }
 
-//MatchElements succeeds if each element of a slice matches the element matcher it maps to
-//through the id function. It can ignore extra elements and/or missing elements.
-//    idFn := func(element interface{}) string {
-//        return fmt.Sprintf("%v", element)
-//    }
+// MatchElements succeeds if each element of a slice matches the element matcher it maps to
+// through the id function. It can ignore extra elements and/or missing elements.
 //
-//    Expect([]string{"a", "b", "c"}).To(MatchElements(idFn, IgnoreExtras, Elements{
-//        "a": Equal("a"),
-//        "b": Equal("b"),
-//    }))
-//    Expect([]string{"a", "c"}).To(MatchElements(idFn, IgnoreMissing, Elements{
-//        "a": Equal("a"),
-//        "b": Equal("b"),
-//        "c": Equal("c"),
-//        "d": Equal("d"),
-//    }))
+//	idFn := func(element any) string {
+//	    return fmt.Sprintf("%v", element)
+//	}
+//
+//	Expect([]string{"a", "b", "c"}).To(MatchElements(idFn, IgnoreExtras, Elements{
+//	    "a": Equal("a"),
+//	    "b": Equal("b"),
+//	}))
+//	Expect([]string{"a", "c"}).To(MatchElements(idFn, IgnoreMissing, Elements{
+//	    "a": Equal("a"),
+//	    "b": Equal("b"),
+//	    "c": Equal("c"),
+//	    "d": Equal("d"),
+//	}))
 func MatchElements(identifier Identifier, options Options, elements Elements) types.GomegaMatcher {
 	return &ElementsMatcher{
 		Identifier:      identifier,
@@ -74,22 +77,23 @@ func MatchElements(identifier Identifier, options Options, elements Elements) ty
 	}
 }
 
-//MatchElementsWithIndex succeeds if each element of a slice matches the element matcher it maps to
-//through the id with index function. It can ignore extra elements and/or missing elements.
-//    idFn := func(index int, element interface{}) string {
-//        return strconv.Itoa(index)
-//    }
+// MatchElementsWithIndex succeeds if each element of a slice matches the element matcher it maps to
+// through the id with index function. It can ignore extra elements and/or missing elements.
+//
+//	idFn := func(index int, element any) string {
+//	    return strconv.Itoa(index)
+//	}
 //
-//    Expect([]string{"a", "b", "c"}).To(MatchElements(idFn, IgnoreExtras, Elements{
-//        "0": Equal("a"),
-//        "1": Equal("b"),
-//    }))
-//    Expect([]string{"a", "c"}).To(MatchElements(idFn, IgnoreMissing, Elements{
-//        "0": Equal("a"),
-//        "1": Equal("b"),
-//        "2": Equal("c"),
-//        "3": Equal("d"),
-//    }))
+//	Expect([]string{"a", "b", "c"}).To(MatchElements(idFn, IgnoreExtras, Elements{
+//	    "0": Equal("a"),
+//	    "1": Equal("b"),
+//	}))
+//	Expect([]string{"a", "c"}).To(MatchElements(idFn, IgnoreMissing, Elements{
+//	    "0": Equal("a"),
+//	    "1": Equal("b"),
+//	    "2": Equal("c"),
+//	    "3": Equal("d"),
+//	}))
 func MatchElementsWithIndex(identifier IdentifierWithIndex, options Options, elements Elements) types.GomegaMatcher {
 	return &ElementsMatcher{
 		Identifier:      identifier,
@@ -124,35 +128,35 @@ type ElementsMatcher struct {
 type Elements map[string]types.GomegaMatcher
 
 // Function for identifying (mapping) elements.
-type Identifier func(element interface{}) string
+type Identifier func(element any) string
 
-// Calls the underlying fucntion with the provided params.
+// Calls the underlying function with the provided params.
 // Identifier drops the index.
-func (i Identifier) WithIndexAndElement(index int, element interface{}) string {
+func (i Identifier) WithIndexAndElement(index int, element any) string {
 	return i(element)
 }
 
 // Uses the index and element to generate an element name
-type IdentifierWithIndex func(index int, element interface{}) string
+type IdentifierWithIndex func(index int, element any) string
 
-// Calls the underlying fucntion with the provided params.
+// Calls the underlying function with the provided params.
 // IdentifierWithIndex uses the index.
-func (i IdentifierWithIndex) WithIndexAndElement(index int, element interface{}) string {
+func (i IdentifierWithIndex) WithIndexAndElement(index int, element any) string {
 	return i(index, element)
 }
 
-// Interface for identifing the element
+// Interface for identifying the element
 type Identify interface {
-	WithIndexAndElement(i int, element interface{}) string
+	WithIndexAndElement(i int, element any) string
 }
 
 // IndexIdentity is a helper function for using an index as
 // the key in the element map
-func IndexIdentity(index int, _ interface{}) string {
+func IndexIdentity(index int, _ any) string {
 	return strconv.Itoa(index)
 }
 
-func (m *ElementsMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *ElementsMatcher) Match(actual any) (success bool, err error) {
 	if reflect.TypeOf(actual).Kind() != reflect.Slice {
 		return false, fmt.Errorf("%v is type %T, expected slice", actual, actual)
 	}
@@ -164,7 +168,7 @@ func (m *ElementsMatcher) Match(actual interface{}) (success bool, err error) {
 	return true, nil
 }
 
-func (m *ElementsMatcher) matchElements(actual interface{}) (errs []error) {
+func (m *ElementsMatcher) matchElements(actual any) (errs []error) {
 	// Provide more useful error messages in the case of a panic.
 	defer func() {
 		if err := recover(); err != nil {
@@ -217,12 +221,12 @@ func (m *ElementsMatcher) matchElements(actual interface{}) (errs []error) {
 	return errs
 }
 
-func (m *ElementsMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *ElementsMatcher) FailureMessage(actual any) (message string) {
 	failure := errorsutil.AggregateError(m.failures)
 	return format.Message(actual, fmt.Sprintf("to match elements: %v", failure))
 }
 
-func (m *ElementsMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *ElementsMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to match elements")
 }
 
diff --git a/vendor/github.com/onsi/gomega/gstruct/fields.go b/vendor/github.com/onsi/gomega/gstruct/fields.go
index faf07b1a25d23..2f4685fc48806 100644
--- a/vendor/github.com/onsi/gomega/gstruct/fields.go
+++ b/vendor/github.com/onsi/gomega/gstruct/fields.go
@@ -8,61 +8,65 @@ import (
 	"reflect"
 	"runtime/debug"
 	"strings"
+	"unicode"
 
 	"github.com/onsi/gomega/format"
 	errorsutil "github.com/onsi/gomega/gstruct/errors"
 	"github.com/onsi/gomega/types"
 )
 
-//MatchAllFields succeeds if every field of a struct matches the field matcher associated with
-//it, and every element matcher is matched.
-//    actual := struct{
-//      A int
-//      B []bool
-//      C string
-//    }{
-//      A: 5,
-//      B: []bool{true, false},
-//      C: "foo",
-//    }
+// MatchAllFields succeeds if every field of a struct matches the field matcher associated with
+// it, and every element matcher is matched.
 //
-//    Expect(actual).To(MatchAllFields(Fields{
-//      "A": Equal(5),
-//      "B": ConsistOf(true, false),
-//      "C": Equal("foo"),
-//    }))
+//	actual := struct{
+//	  A int
+//	  B []bool
+//	  C string
+//	}{
+//	  A: 5,
+//	  B: []bool{true, false},
+//	  C: "foo",
+//	}
+//
+//	Expect(actual).To(MatchAllFields(Fields{
+//	  "A": Equal(5),
+//	  "B": ConsistOf(true, false),
+//	  "C": Equal("foo"),
+//	}))
 func MatchAllFields(fields Fields) types.GomegaMatcher {
 	return &FieldsMatcher{
 		Fields: fields,
 	}
 }
 
-//MatchFields succeeds if each element of a struct matches the field matcher associated with
-//it. It can ignore extra fields and/or missing fields.
-//    actual := struct{
-//      A int
-//      B []bool
-//      C string
-//    }{
-//      A: 5,
-//      B: []bool{true, false},
-//      C: "foo",
-//    }
+// MatchFields succeeds if each element of a struct matches the field matcher associated with
+// it. It can ignore extra fields and/or missing fields.
+//
+//	actual := struct{
+//	  A int
+//	  B []bool
+//	  C string
+//	}{
+//	  A: 5,
+//	  B: []bool{true, false},
+//	  C: "foo",
+//	}
 //
-//    Expect(actual).To(MatchFields(IgnoreExtras, Fields{
-//      "A": Equal(5),
-//      "B": ConsistOf(true, false),
-//    }))
-//    Expect(actual).To(MatchFields(IgnoreMissing, Fields{
-//      "A": Equal(5),
-//      "B": ConsistOf(true, false),
-//      "C": Equal("foo"),
-//      "D": Equal("extra"),
-//    }))
+//	Expect(actual).To(MatchFields(IgnoreExtras, Fields{
+//	  "A": Equal(5),
+//	  "B": ConsistOf(true, false),
+//	}))
+//	Expect(actual).To(MatchFields(IgnoreMissing, Fields{
+//	  "A": Equal(5),
+//	  "B": ConsistOf(true, false),
+//	  "C": Equal("foo"),
+//	  "D": Equal("extra"),
+//	}))
 func MatchFields(options Options, fields Fields) types.GomegaMatcher {
 	return &FieldsMatcher{
 		Fields:        fields,
 		IgnoreExtras:  options&IgnoreExtras != 0,
+		IgnoreUnexportedExtras: options&IgnoreUnexportedExtras != 0,
 		IgnoreMissing: options&IgnoreMissing != 0,
 	}
 }
@@ -73,6 +77,8 @@ type FieldsMatcher struct {
 
 	// Whether to ignore extra elements or consider it an error.
 	IgnoreExtras bool
+	// Whether to ignore unexported extra elements or consider it an error.
+	IgnoreUnexportedExtras bool
 	// Whether to ignore missing elements or consider it an error.
 	IgnoreMissing bool
 
@@ -83,7 +89,7 @@ type FieldsMatcher struct {
 // Field name to matcher.
 type Fields map[string]types.GomegaMatcher
 
-func (m *FieldsMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *FieldsMatcher) Match(actual any) (success bool, err error) {
 	if reflect.TypeOf(actual).Kind() != reflect.Struct {
 		return false, fmt.Errorf("%v is type %T, expected struct", actual, actual)
 	}
@@ -95,7 +101,15 @@ func (m *FieldsMatcher) Match(actual interface{}) (success bool, err error) {
 	return true, nil
 }
 
-func (m *FieldsMatcher) matchFields(actual interface{}) (errs []error) {
+func isExported(fieldName string) bool {
+	if fieldName == "" {
+		return false
+	}
+	r := []rune(fieldName)[0]
+	return unicode.IsUpper(r)
+}
+
+func (m *FieldsMatcher) matchFields(actual any) (errs []error) {
 	val := reflect.ValueOf(actual)
 	typ := val.Type()
 	fields := map[string]bool{}
@@ -114,13 +128,21 @@ func (m *FieldsMatcher) matchFields(actual interface{}) (errs []error) {
 
 			matcher, expected := m.Fields[fieldName]
 			if !expected {
+				if m.IgnoreUnexportedExtras && !isExported(fieldName) {
+					return nil
+				}
 				if !m.IgnoreExtras {
 					return fmt.Errorf("unexpected field %s: %+v", fieldName, actual)
 				}
 				return nil
 			}
 
-			field := val.Field(i).Interface()
+			var field any
+			if _, isIgnoreMatcher := matcher.(*IgnoreMatcher) ; isIgnoreMatcher {
+				field = struct {}{} // the matcher does not care about the actual value
+			} else {
+				field = val.Field(i).Interface()
+			}
 
 			match, err := matcher.Match(field)
 			if err != nil {
@@ -147,7 +169,7 @@ func (m *FieldsMatcher) matchFields(actual interface{}) (errs []error) {
 	return errs
 }
 
-func (m *FieldsMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *FieldsMatcher) FailureMessage(actual any) (message string) {
 	failures := make([]string, len(m.failures))
 	for i := range m.failures {
 		failures[i] = m.failures[i].Error()
@@ -156,7 +178,7 @@ func (m *FieldsMatcher) FailureMessage(actual interface{}) (message string) {
 		fmt.Sprintf("to match fields: {\n%v\n}\n", strings.Join(failures, "\n")))
 }
 
-func (m *FieldsMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *FieldsMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to match fields")
 }
 
diff --git a/vendor/github.com/onsi/gomega/gstruct/ignore.go b/vendor/github.com/onsi/gomega/gstruct/ignore.go
index 4396573e440e5..c8238d58fda58 100644
--- a/vendor/github.com/onsi/gomega/gstruct/ignore.go
+++ b/vendor/github.com/onsi/gomega/gstruct/ignore.go
@@ -6,17 +6,19 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-//Ignore ignores the actual value and always succeeds.
-//  Expect(nil).To(Ignore())
-//  Expect(true).To(Ignore())
+// Ignore ignores the actual value and always succeeds.
+//
+//	Expect(nil).To(Ignore())
+//	Expect(true).To(Ignore())
 func Ignore() types.GomegaMatcher {
 	return &IgnoreMatcher{true}
 }
 
-//Reject ignores the actual value and always fails. It can be used in conjunction with IgnoreMissing
-//to catch problematic elements, or to verify tests are running.
-//  Expect(nil).NotTo(Reject())
-//  Expect(true).NotTo(Reject())
+// Reject ignores the actual value and always fails. It can be used in conjunction with IgnoreMissing
+// to catch problematic elements, or to verify tests are running.
+//
+//	Expect(nil).NotTo(Reject())
+//	Expect(true).NotTo(Reject())
 func Reject() types.GomegaMatcher {
 	return &IgnoreMatcher{false}
 }
@@ -26,14 +28,14 @@ type IgnoreMatcher struct {
 	Succeed bool
 }
 
-func (m *IgnoreMatcher) Match(actual interface{}) (bool, error) {
+func (m *IgnoreMatcher) Match(actual any) (bool, error) {
 	return m.Succeed, nil
 }
 
-func (m *IgnoreMatcher) FailureMessage(_ interface{}) (message string) {
+func (m *IgnoreMatcher) FailureMessage(_ any) (message string) {
 	return "Unconditional failure"
 }
 
-func (m *IgnoreMatcher) NegatedFailureMessage(_ interface{}) (message string) {
+func (m *IgnoreMatcher) NegatedFailureMessage(_ any) (message string) {
 	return "Unconditional success"
 }
diff --git a/vendor/github.com/onsi/gomega/gstruct/keys.go b/vendor/github.com/onsi/gomega/gstruct/keys.go
index 56aed4bab7235..807a450b6f2ed 100644
--- a/vendor/github.com/onsi/gomega/gstruct/keys.go
+++ b/vendor/github.com/onsi/gomega/gstruct/keys.go
@@ -41,9 +41,9 @@ type KeysMatcher struct {
 	failures []error
 }
 
-type Keys map[interface{}]types.GomegaMatcher
+type Keys map[any]types.GomegaMatcher
 
-func (m *KeysMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *KeysMatcher) Match(actual any) (success bool, err error) {
 	if reflect.TypeOf(actual).Kind() != reflect.Map {
 		return false, fmt.Errorf("%v is type %T, expected map", actual, actual)
 	}
@@ -55,9 +55,9 @@ func (m *KeysMatcher) Match(actual interface{}) (success bool, err error) {
 	return true, nil
 }
 
-func (m *KeysMatcher) matchKeys(actual interface{}) (errs []error) {
+func (m *KeysMatcher) matchKeys(actual any) (errs []error) {
 	actualValue := reflect.ValueOf(actual)
-	keys := map[interface{}]bool{}
+	keys := map[any]bool{}
 	for _, keyValue := range actualValue.MapKeys() {
 		key := keyValue.Interface()
 		keys[key] = true
@@ -108,7 +108,7 @@ func (m *KeysMatcher) matchKeys(actual interface{}) (errs []error) {
 	return errs
 }
 
-func (m *KeysMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *KeysMatcher) FailureMessage(actual any) (message string) {
 	failures := make([]string, len(m.failures))
 	for i := range m.failures {
 		failures[i] = m.failures[i].Error()
@@ -117,7 +117,7 @@ func (m *KeysMatcher) FailureMessage(actual interface{}) (message string) {
 		fmt.Sprintf("to match keys: {\n%v\n}\n", strings.Join(failures, "\n")))
 }
 
-func (m *KeysMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *KeysMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to match keys")
 }
 
diff --git a/vendor/github.com/onsi/gomega/gstruct/pointer.go b/vendor/github.com/onsi/gomega/gstruct/pointer.go
index cc828a3251da1..54c9557fecf7f 100644
--- a/vendor/github.com/onsi/gomega/gstruct/pointer.go
+++ b/vendor/github.com/onsi/gomega/gstruct/pointer.go
@@ -10,10 +10,11 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-//PointTo applies the given matcher to the value pointed to by actual. It fails if the pointer is
-//nil.
-//  actual := 5
-//  Expect(&actual).To(PointTo(Equal(5)))
+// PointTo applies the given matcher to the value pointed to by actual. It fails if the pointer is
+// nil.
+//
+//	actual := 5
+//	Expect(&actual).To(PointTo(Equal(5)))
 func PointTo(matcher types.GomegaMatcher) types.GomegaMatcher {
 	return &PointerMatcher{
 		Matcher: matcher,
@@ -27,7 +28,7 @@ type PointerMatcher struct {
 	failure string
 }
 
-func (m *PointerMatcher) Match(actual interface{}) (bool, error) {
+func (m *PointerMatcher) Match(actual any) (bool, error) {
 	val := reflect.ValueOf(actual)
 
 	// return error if actual type is not a pointer
@@ -49,10 +50,10 @@ func (m *PointerMatcher) Match(actual interface{}) (bool, error) {
 	return match, err
 }
 
-func (m *PointerMatcher) FailureMessage(_ interface{}) (message string) {
+func (m *PointerMatcher) FailureMessage(_ any) (message string) {
 	return m.failure
 }
 
-func (m *PointerMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *PointerMatcher) NegatedFailureMessage(actual any) (message string) {
 	return m.Matcher.NegatedFailureMessage(actual)
 }
diff --git a/vendor/github.com/onsi/gomega/gstruct/types.go b/vendor/github.com/onsi/gomega/gstruct/types.go
index 48cbbe8f66707..a5f6c390bd854 100644
--- a/vendor/github.com/onsi/gomega/gstruct/types.go
+++ b/vendor/github.com/onsi/gomega/gstruct/types.go
@@ -1,6 +1,6 @@
 package gstruct
 
-//Options is the type for options passed to some matchers.
+// Options is the type for options passed to some matchers.
 type Options int
 
 const (
@@ -9,7 +9,11 @@ const (
 	//IgnoreMissing tells the matcher to ignore missing elements or fields, rather than triggering a failure.
 	IgnoreMissing
 	//AllowDuplicates tells the matcher to permit multiple members of the slice to produce the same ID when
-	//considered by the indentifier function. All members that map to a given key must still match successfully
+	//considered by the identifier function. All members that map to a given key must still match successfully
 	//with the matcher that is provided for that key.
 	AllowDuplicates
+	//IgnoreUnexportedExtras tells the matcher to ignore extra unexported fields, rather than triggering a failure.
+	//it is not possible to check the value of unexported fields, so this option is only useful when you want to
+	//check every exported fields, but you don't care about extra unexported fields.
+	IgnoreUnexportedExtras
 )
diff --git a/vendor/github.com/onsi/gomega/internal/assertion.go b/vendor/github.com/onsi/gomega/internal/assertion.go
index 08356a610bb56..cc846e7ce7a28 100644
--- a/vendor/github.com/onsi/gomega/internal/assertion.go
+++ b/vendor/github.com/onsi/gomega/internal/assertion.go
@@ -9,19 +9,19 @@ import (
 )
 
 type Assertion struct {
-	actuals     []interface{} // actual value plus all extra values
-	actualIndex int           // value to pass to the matcher
-	vet         vetinari      // the vet to call before calling Gomega matcher
+	actuals     []any    // actual value plus all extra values
+	actualIndex int      // value to pass to the matcher
+	vet         vetinari // the vet to call before calling Gomega matcher
 	offset      int
 	g           *Gomega
 }
 
 // ...obligatory discworld reference, as "vetineer" doesn't sound ... quite right.
-type vetinari func(assertion *Assertion, optionalDescription ...interface{}) bool
+type vetinari func(assertion *Assertion, optionalDescription ...any) bool
 
-func NewAssertion(actualInput interface{}, g *Gomega, offset int, extra ...interface{}) *Assertion {
+func NewAssertion(actualInput any, g *Gomega, offset int, extra ...any) *Assertion {
 	return &Assertion{
-		actuals:     append([]interface{}{actualInput}, extra...),
+		actuals:     append([]any{actualInput}, extra...),
 		actualIndex: 0,
 		vet:         (*Assertion).vetActuals,
 		offset:      offset,
@@ -44,37 +44,37 @@ func (assertion *Assertion) Error() types.Assertion {
 	}
 }
 
-func (assertion *Assertion) Should(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) Should(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Assertion", optionalDescription...)
 	return assertion.vet(assertion, optionalDescription...) && assertion.match(matcher, true, optionalDescription...)
 }
 
-func (assertion *Assertion) ShouldNot(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) ShouldNot(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Assertion", optionalDescription...)
 	return assertion.vet(assertion, optionalDescription...) && assertion.match(matcher, false, optionalDescription...)
 }
 
-func (assertion *Assertion) To(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) To(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Assertion", optionalDescription...)
 	return assertion.vet(assertion, optionalDescription...) && assertion.match(matcher, true, optionalDescription...)
 }
 
-func (assertion *Assertion) ToNot(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) ToNot(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Assertion", optionalDescription...)
 	return assertion.vet(assertion, optionalDescription...) && assertion.match(matcher, false, optionalDescription...)
 }
 
-func (assertion *Assertion) NotTo(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) NotTo(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Assertion", optionalDescription...)
 	return assertion.vet(assertion, optionalDescription...) && assertion.match(matcher, false, optionalDescription...)
 }
 
-func (assertion *Assertion) buildDescription(optionalDescription ...interface{}) string {
+func (assertion *Assertion) buildDescription(optionalDescription ...any) string {
 	switch len(optionalDescription) {
 	case 0:
 		return ""
@@ -86,7 +86,7 @@ func (assertion *Assertion) buildDescription(optionalDescription ...interface{})
 	return fmt.Sprintf(optionalDescription[0].(string), optionalDescription[1:]...) + "\n"
 }
 
-func (assertion *Assertion) match(matcher types.GomegaMatcher, desiredMatch bool, optionalDescription ...interface{}) bool {
+func (assertion *Assertion) match(matcher types.GomegaMatcher, desiredMatch bool, optionalDescription ...any) bool {
 	actualInput := assertion.actuals[assertion.actualIndex]
 	matches, err := matcher.Match(actualInput)
 	assertion.g.THelper()
@@ -113,7 +113,7 @@ func (assertion *Assertion) match(matcher types.GomegaMatcher, desiredMatch bool
 // vetActuals vets the actual values, with the (optional) exception of a
 // specific value, such as the first value in case non-error assertions, or the
 // last value in case of Error()-based assertions.
-func (assertion *Assertion) vetActuals(optionalDescription ...interface{}) bool {
+func (assertion *Assertion) vetActuals(optionalDescription ...any) bool {
 	success, message := vetActuals(assertion.actuals, assertion.actualIndex)
 	if success {
 		return true
@@ -129,7 +129,7 @@ func (assertion *Assertion) vetActuals(optionalDescription ...interface{}) bool
 // the final error value is non-zero. Otherwise, it doesn't vet the actual
 // values, as these are allowed to take on any values unless there is a non-zero
 // error value.
-func (assertion *Assertion) vetError(optionalDescription ...interface{}) bool {
+func (assertion *Assertion) vetError(optionalDescription ...any) bool {
 	if err := assertion.actuals[assertion.actualIndex]; err != nil {
 		// Go error result idiom: all other actual values must be zero values.
 		return assertion.vetActuals(optionalDescription...)
@@ -139,7 +139,7 @@ func (assertion *Assertion) vetError(optionalDescription ...interface{}) bool {
 
 // vetActuals vets a slice of actual values, optionally skipping a particular
 // value slice element, such as the first or last value slice element.
-func vetActuals(actuals []interface{}, skipIndex int) (bool, string) {
+func vetActuals(actuals []any, skipIndex int) (bool, string) {
 	for i, actual := range actuals {
 		if i == skipIndex {
 			continue
diff --git a/vendor/github.com/onsi/gomega/internal/async_assertion.go b/vendor/github.com/onsi/gomega/internal/async_assertion.go
index 8b4cd1f5b7937..4121505b627da 100644
--- a/vendor/github.com/onsi/gomega/internal/async_assertion.go
+++ b/vendor/github.com/onsi/gomega/internal/async_assertion.go
@@ -69,8 +69,8 @@ type AsyncAssertion struct {
 	asyncType AsyncAssertionType
 
 	actualIsFunc  bool
-	actual        interface{}
-	argsToForward []interface{}
+	actual        any
+	argsToForward []any
 
 	timeoutInterval    time.Duration
 	pollingInterval    time.Duration
@@ -80,7 +80,7 @@ type AsyncAssertion struct {
 	g                  *Gomega
 }
 
-func NewAsyncAssertion(asyncType AsyncAssertionType, actualInput interface{}, g *Gomega, timeoutInterval time.Duration, pollingInterval time.Duration, mustPassRepeatedly int, ctx context.Context, offset int) *AsyncAssertion {
+func NewAsyncAssertion(asyncType AsyncAssertionType, actualInput any, g *Gomega, timeoutInterval time.Duration, pollingInterval time.Duration, mustPassRepeatedly int, ctx context.Context, offset int) *AsyncAssertion {
 	out := &AsyncAssertion{
 		asyncType:          asyncType,
 		timeoutInterval:    timeoutInterval,
@@ -129,7 +129,7 @@ func (assertion *AsyncAssertion) WithContext(ctx context.Context) types.AsyncAss
 	return assertion
 }
 
-func (assertion *AsyncAssertion) WithArguments(argsToForward ...interface{}) types.AsyncAssertion {
+func (assertion *AsyncAssertion) WithArguments(argsToForward ...any) types.AsyncAssertion {
 	assertion.argsToForward = argsToForward
 	return assertion
 }
@@ -139,19 +139,31 @@ func (assertion *AsyncAssertion) MustPassRepeatedly(count int) types.AsyncAssert
 	return assertion
 }
 
-func (assertion *AsyncAssertion) Should(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *AsyncAssertion) Should(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Asynchronous assertion", optionalDescription...)
 	return assertion.match(matcher, true, optionalDescription...)
 }
 
-func (assertion *AsyncAssertion) ShouldNot(matcher types.GomegaMatcher, optionalDescription ...interface{}) bool {
+func (assertion *AsyncAssertion) To(matcher types.GomegaMatcher, optionalDescription ...any) bool {
+	return assertion.Should(matcher, optionalDescription...)
+}
+
+func (assertion *AsyncAssertion) ShouldNot(matcher types.GomegaMatcher, optionalDescription ...any) bool {
 	assertion.g.THelper()
 	vetOptionalDescription("Asynchronous assertion", optionalDescription...)
 	return assertion.match(matcher, false, optionalDescription...)
 }
 
-func (assertion *AsyncAssertion) buildDescription(optionalDescription ...interface{}) string {
+func (assertion *AsyncAssertion) ToNot(matcher types.GomegaMatcher, optionalDescription ...any) bool {
+	return assertion.ShouldNot(matcher, optionalDescription...)
+}
+
+func (assertion *AsyncAssertion) NotTo(matcher types.GomegaMatcher, optionalDescription ...any) bool {
+	return assertion.ShouldNot(matcher, optionalDescription...)
+}
+
+func (assertion *AsyncAssertion) buildDescription(optionalDescription ...any) string {
 	switch len(optionalDescription) {
 	case 0:
 		return ""
@@ -163,7 +175,7 @@ func (assertion *AsyncAssertion) buildDescription(optionalDescription ...interfa
 	return fmt.Sprintf(optionalDescription[0].(string), optionalDescription[1:]...) + "\n"
 }
 
-func (assertion *AsyncAssertion) processReturnValues(values []reflect.Value) (interface{}, error) {
+func (assertion *AsyncAssertion) processReturnValues(values []reflect.Value) (any, error) {
 	if len(values) == 0 {
 		return nil, &asyncPolledActualError{
 			message: fmt.Sprintf("The function passed to %s did not return any values", assertion.asyncType),
@@ -224,7 +236,7 @@ func (assertion *AsyncAssertion) argumentMismatchError(t reflect.Type, numProvid
 	if numProvided == 1 {
 		have = "has"
 	}
-	return fmt.Errorf(`The function passed to %s has signature %s takes %d arguments but %d %s been provided.  Please use %s().WithArguments() to pass the corect set of arguments.
+	return fmt.Errorf(`The function passed to %s has signature %s takes %d arguments but %d %s been provided.  Please use %s().WithArguments() to pass the correct set of arguments.
 
 You can learn more at https://onsi.github.io/gomega/#eventually
 `, assertion.asyncType, t, t.NumIn(), numProvided, have, assertion.asyncType)
@@ -237,9 +249,9 @@ You can learn more at https://onsi.github.io/gomega/#eventually
 `, assertion.asyncType, reason)
 }
 
-func (assertion *AsyncAssertion) buildActualPoller() (func() (interface{}, error), error) {
+func (assertion *AsyncAssertion) buildActualPoller() (func() (any, error), error) {
 	if !assertion.actualIsFunc {
-		return func() (interface{}, error) { return assertion.actual, nil }, nil
+		return func() (any, error) { return assertion.actual, nil }, nil
 	}
 	actualValue := reflect.ValueOf(assertion.actual)
 	actualType := reflect.TypeOf(assertion.actual)
@@ -301,7 +313,7 @@ func (assertion *AsyncAssertion) buildActualPoller() (func() (interface{}, error
 		return nil, assertion.invalidMustPassRepeatedlyError("parameter can't be < 1")
 	}
 
-	return func() (actual interface{}, err error) {
+	return func() (actual any, err error) {
 		var values []reflect.Value
 		assertionFailure = nil
 		defer func() {
@@ -354,14 +366,14 @@ func (assertion *AsyncAssertion) afterPolling() <-chan time.Time {
 	}
 }
 
-func (assertion *AsyncAssertion) matcherSaysStopTrying(matcher types.GomegaMatcher, value interface{}) bool {
+func (assertion *AsyncAssertion) matcherSaysStopTrying(matcher types.GomegaMatcher, value any) bool {
 	if assertion.actualIsFunc || types.MatchMayChangeInTheFuture(matcher, value) {
 		return false
 	}
 	return true
 }
 
-func (assertion *AsyncAssertion) pollMatcher(matcher types.GomegaMatcher, value interface{}) (matches bool, err error) {
+func (assertion *AsyncAssertion) pollMatcher(matcher types.GomegaMatcher, value any) (matches bool, err error) {
 	defer func() {
 		if e := recover(); e != nil {
 			if _, isAsyncError := AsPollingSignalError(e); isAsyncError {
@@ -377,13 +389,13 @@ func (assertion *AsyncAssertion) pollMatcher(matcher types.GomegaMatcher, value
 	return
 }
 
-func (assertion *AsyncAssertion) match(matcher types.GomegaMatcher, desiredMatch bool, optionalDescription ...interface{}) bool {
+func (assertion *AsyncAssertion) match(matcher types.GomegaMatcher, desiredMatch bool, optionalDescription ...any) bool {
 	timer := time.Now()
 	timeout := assertion.afterTimeout()
 	lock := sync.Mutex{}
 
 	var matches, hasLastValidActual bool
-	var actual, lastValidActual interface{}
+	var actual, lastValidActual any
 	var actualErr, matcherErr error
 	var oracleMatcherSaysStop bool
 
@@ -440,7 +452,7 @@ func (assertion *AsyncAssertion) match(matcher types.GomegaMatcher, desiredMatch
 				}
 			} else {
 				var fgErr formattedGomegaError
-				if errors.As(actualErr, &fgErr) {
+				if errors.As(matcherErr, &fgErr) {
 					message += fgErr.FormattedGomegaError() + "\n"
 				} else {
 					message += renderError(fmt.Sprintf("The matcher passed to %s returned the following error:", assertion.asyncType), matcherErr)
diff --git a/vendor/github.com/onsi/gomega/internal/duration_bundle.go b/vendor/github.com/onsi/gomega/internal/duration_bundle.go
index 2e026c336f2f1..1019deb88e461 100644
--- a/vendor/github.com/onsi/gomega/internal/duration_bundle.go
+++ b/vendor/github.com/onsi/gomega/internal/duration_bundle.go
@@ -49,7 +49,7 @@ func durationFromEnv(key string, defaultDuration time.Duration) time.Duration {
 	return duration
 }
 
-func toDuration(input interface{}) (time.Duration, error) {
+func toDuration(input any) (time.Duration, error) {
 	duration, ok := input.(time.Duration)
 	if ok {
 		return duration, nil
diff --git a/vendor/github.com/onsi/gomega/internal/gomega.go b/vendor/github.com/onsi/gomega/internal/gomega.go
index c6e2fcc0ed46d..66dfe7d041187 100644
--- a/vendor/github.com/onsi/gomega/internal/gomega.go
+++ b/vendor/github.com/onsi/gomega/internal/gomega.go
@@ -40,45 +40,45 @@ func (g *Gomega) ConfigureWithT(t types.GomegaTestingT) *Gomega {
 	return g
 }
 
-func (g *Gomega) Ω(actual interface{}, extra ...interface{}) types.Assertion {
+func (g *Gomega) Ω(actual any, extra ...any) types.Assertion {
 	return g.ExpectWithOffset(0, actual, extra...)
 }
 
-func (g *Gomega) Expect(actual interface{}, extra ...interface{}) types.Assertion {
+func (g *Gomega) Expect(actual any, extra ...any) types.Assertion {
 	return g.ExpectWithOffset(0, actual, extra...)
 }
 
-func (g *Gomega) ExpectWithOffset(offset int, actual interface{}, extra ...interface{}) types.Assertion {
+func (g *Gomega) ExpectWithOffset(offset int, actual any, extra ...any) types.Assertion {
 	return NewAssertion(actual, g, offset, extra...)
 }
 
-func (g *Gomega) Eventually(actualOrCtx interface{}, args ...interface{}) types.AsyncAssertion {
+func (g *Gomega) Eventually(actualOrCtx any, args ...any) types.AsyncAssertion {
 	return g.makeAsyncAssertion(AsyncAssertionTypeEventually, 0, actualOrCtx, args...)
 }
 
-func (g *Gomega) EventuallyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) types.AsyncAssertion {
+func (g *Gomega) EventuallyWithOffset(offset int, actualOrCtx any, args ...any) types.AsyncAssertion {
 	return g.makeAsyncAssertion(AsyncAssertionTypeEventually, offset, actualOrCtx, args...)
 }
 
-func (g *Gomega) Consistently(actualOrCtx interface{}, args ...interface{}) types.AsyncAssertion {
+func (g *Gomega) Consistently(actualOrCtx any, args ...any) types.AsyncAssertion {
 	return g.makeAsyncAssertion(AsyncAssertionTypeConsistently, 0, actualOrCtx, args...)
 }
 
-func (g *Gomega) ConsistentlyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) types.AsyncAssertion {
+func (g *Gomega) ConsistentlyWithOffset(offset int, actualOrCtx any, args ...any) types.AsyncAssertion {
 	return g.makeAsyncAssertion(AsyncAssertionTypeConsistently, offset, actualOrCtx, args...)
 }
 
-func (g *Gomega) makeAsyncAssertion(asyncAssertionType AsyncAssertionType, offset int, actualOrCtx interface{}, args ...interface{}) types.AsyncAssertion {
+func (g *Gomega) makeAsyncAssertion(asyncAssertionType AsyncAssertionType, offset int, actualOrCtx any, args ...any) types.AsyncAssertion {
 	baseOffset := 3
 	timeoutInterval := -time.Duration(1)
 	pollingInterval := -time.Duration(1)
-	intervals := []interface{}{}
+	intervals := []any{}
 	var ctx context.Context
 
 	actual := actualOrCtx
 	startingIndex := 0
 	if _, isCtx := actualOrCtx.(context.Context); isCtx && len(args) > 0 {
-		// the first argument is a context, we should accept it as the context _only if_ it is **not** the only argumnent **and** the second argument is not a parseable duration
+		// the first argument is a context, we should accept it as the context _only if_ it is **not** the only argument **and** the second argument is not a parseable duration
 		// this is due to an unfortunate ambiguity in early version of Gomega in which multi-type durations are allowed after the actual
 		if _, err := toDuration(args[0]); err != nil {
 			ctx = actualOrCtx.(context.Context)
diff --git a/vendor/github.com/onsi/gomega/internal/polling_signal_error.go b/vendor/github.com/onsi/gomega/internal/polling_signal_error.go
index 3a4f7ddd90cdc..450c403330110 100644
--- a/vendor/github.com/onsi/gomega/internal/polling_signal_error.go
+++ b/vendor/github.com/onsi/gomega/internal/polling_signal_error.go
@@ -100,7 +100,7 @@ func (s *PollingSignalErrorImpl) TryAgainDuration() time.Duration {
 	return s.duration
 }
 
-func AsPollingSignalError(actual interface{}) (*PollingSignalErrorImpl, bool) {
+func AsPollingSignalError(actual any) (*PollingSignalErrorImpl, bool) {
 	if actual == nil {
 		return nil, false
 	}
diff --git a/vendor/github.com/onsi/gomega/internal/vetoptdesc.go b/vendor/github.com/onsi/gomega/internal/vetoptdesc.go
index f2958764171ba..b748de41f1101 100644
--- a/vendor/github.com/onsi/gomega/internal/vetoptdesc.go
+++ b/vendor/github.com/onsi/gomega/internal/vetoptdesc.go
@@ -10,7 +10,7 @@ import (
 // Gomega matcher at the beginning it panics. This allows for rendering Gomega
 // matchers as part of an optional Description, as long as they're not in the
 // first slot.
-func vetOptionalDescription(assertion string, optionalDescription ...interface{}) {
+func vetOptionalDescription(assertion string, optionalDescription ...any) {
 	if len(optionalDescription) == 0 {
 		return
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers.go b/vendor/github.com/onsi/gomega/matchers.go
index 7ef27dc9c9556..10b6693fd63ed 100644
--- a/vendor/github.com/onsi/gomega/matchers.go
+++ b/vendor/github.com/onsi/gomega/matchers.go
@@ -12,7 +12,7 @@ import (
 // Equal uses reflect.DeepEqual to compare actual with expected.  Equal is strict about
 // types when performing comparisons.
 // It is an error for both actual and expected to be nil.  Use BeNil() instead.
-func Equal(expected interface{}) types.GomegaMatcher {
+func Equal(expected any) types.GomegaMatcher {
 	return &matchers.EqualMatcher{
 		Expected: expected,
 	}
@@ -22,7 +22,7 @@ func Equal(expected interface{}) types.GomegaMatcher {
 // This is done by converting actual to have the type of expected before
 // attempting equality with reflect.DeepEqual.
 // It is an error for actual and expected to be nil.  Use BeNil() instead.
-func BeEquivalentTo(expected interface{}) types.GomegaMatcher {
+func BeEquivalentTo(expected any) types.GomegaMatcher {
 	return &matchers.BeEquivalentToMatcher{
 		Expected: expected,
 	}
@@ -31,7 +31,7 @@ func BeEquivalentTo(expected interface{}) types.GomegaMatcher {
 // BeComparableTo uses gocmp.Equal from github.com/google/go-cmp (instead of reflect.DeepEqual) to perform a deep comparison.
 // You can pass cmp.Option as options.
 // It is an error for actual and expected to be nil.  Use BeNil() instead.
-func BeComparableTo(expected interface{}, opts ...cmp.Option) types.GomegaMatcher {
+func BeComparableTo(expected any, opts ...cmp.Option) types.GomegaMatcher {
 	return &matchers.BeComparableToMatcher{
 		Expected: expected,
 		Options:  opts,
@@ -41,7 +41,7 @@ func BeComparableTo(expected interface{}, opts ...cmp.Option) types.GomegaMatche
 // BeIdenticalTo uses the == operator to compare actual with expected.
 // BeIdenticalTo is strict about types when performing comparisons.
 // It is an error for both actual and expected to be nil.  Use BeNil() instead.
-func BeIdenticalTo(expected interface{}) types.GomegaMatcher {
+func BeIdenticalTo(expected any) types.GomegaMatcher {
 	return &matchers.BeIdenticalToMatcher{
 		Expected: expected,
 	}
@@ -139,7 +139,7 @@ func Succeed() types.GomegaMatcher {
 // Error interface
 //
 // The optional second argument is a description of the error function, if used.  This is required when passing a function but is ignored in all other cases.
-func MatchError(expected interface{}, functionErrorDescription ...any) types.GomegaMatcher {
+func MatchError(expected any, functionErrorDescription ...any) types.GomegaMatcher {
 	return &matchers.MatchErrorMatcher{
 		Expected:           expected,
 		FuncErrDescription: functionErrorDescription,
@@ -202,11 +202,11 @@ func BeClosed() types.GomegaMatcher {
 //	Expect(myThing.IsValid()).Should(BeTrue())
 //
 // Finally, if you want to match the received object as well as get the actual received value into a variable, so you can reason further about the value received,
-// you can pass a pointer to a variable of the approriate type first, and second a matcher:
+// you can pass a pointer to a variable of the appropriate type first, and second a matcher:
 //
 //	var myThing thing
 //	Eventually(thingChan).Should(Receive(&myThing, ContainSubstring("bar")))
-func Receive(args ...interface{}) types.GomegaMatcher {
+func Receive(args ...any) types.GomegaMatcher {
 	return &matchers.ReceiveMatcher{
 		Args: args,
 	}
@@ -224,7 +224,7 @@ func Receive(args ...interface{}) types.GomegaMatcher {
 //
 // Of course, the value is actually sent to the channel.  The point of `BeSent` is less to make an assertion about the availability of the channel (which is typically an implementation detail that your test should not be concerned with).
 // Rather, the point of `BeSent` is to make it possible to easily and expressively write tests that can timeout on blocked channel sends.
-func BeSent(arg interface{}) types.GomegaMatcher {
+func BeSent(arg any) types.GomegaMatcher {
 	return &matchers.BeSentMatcher{
 		Arg: arg,
 	}
@@ -233,7 +233,7 @@ func BeSent(arg interface{}) types.GomegaMatcher {
 // MatchRegexp succeeds if actual is a string or stringer that matches the
 // passed-in regexp.  Optional arguments can be provided to construct a regexp
 // via fmt.Sprintf().
-func MatchRegexp(regexp string, args ...interface{}) types.GomegaMatcher {
+func MatchRegexp(regexp string, args ...any) types.GomegaMatcher {
 	return &matchers.MatchRegexpMatcher{
 		Regexp: regexp,
 		Args:   args,
@@ -243,7 +243,7 @@ func MatchRegexp(regexp string, args ...interface{}) types.GomegaMatcher {
 // ContainSubstring succeeds if actual is a string or stringer that contains the
 // passed-in substring.  Optional arguments can be provided to construct the substring
 // via fmt.Sprintf().
-func ContainSubstring(substr string, args ...interface{}) types.GomegaMatcher {
+func ContainSubstring(substr string, args ...any) types.GomegaMatcher {
 	return &matchers.ContainSubstringMatcher{
 		Substr: substr,
 		Args:   args,
@@ -253,7 +253,7 @@ func ContainSubstring(substr string, args ...interface{}) types.GomegaMatcher {
 // HavePrefix succeeds if actual is a string or stringer that contains the
 // passed-in string as a prefix.  Optional arguments can be provided to construct
 // via fmt.Sprintf().
-func HavePrefix(prefix string, args ...interface{}) types.GomegaMatcher {
+func HavePrefix(prefix string, args ...any) types.GomegaMatcher {
 	return &matchers.HavePrefixMatcher{
 		Prefix: prefix,
 		Args:   args,
@@ -263,7 +263,7 @@ func HavePrefix(prefix string, args ...interface{}) types.GomegaMatcher {
 // HaveSuffix succeeds if actual is a string or stringer that contains the
 // passed-in string as a suffix.  Optional arguments can be provided to construct
 // via fmt.Sprintf().
-func HaveSuffix(suffix string, args ...interface{}) types.GomegaMatcher {
+func HaveSuffix(suffix string, args ...any) types.GomegaMatcher {
 	return &matchers.HaveSuffixMatcher{
 		Suffix: suffix,
 		Args:   args,
@@ -273,7 +273,7 @@ func HaveSuffix(suffix string, args ...interface{}) types.GomegaMatcher {
 // MatchJSON succeeds if actual is a string or stringer of JSON that matches
 // the expected JSON.  The JSONs are decoded and the resulting objects are compared via
 // reflect.DeepEqual so things like key-ordering and whitespace shouldn't matter.
-func MatchJSON(json interface{}) types.GomegaMatcher {
+func MatchJSON(json any) types.GomegaMatcher {
 	return &matchers.MatchJSONMatcher{
 		JSONToMatch: json,
 	}
@@ -282,7 +282,7 @@ func MatchJSON(json interface{}) types.GomegaMatcher {
 // MatchXML succeeds if actual is a string or stringer of XML that matches
 // the expected XML.  The XMLs are decoded and the resulting objects are compared via
 // reflect.DeepEqual so things like whitespaces shouldn't matter.
-func MatchXML(xml interface{}) types.GomegaMatcher {
+func MatchXML(xml any) types.GomegaMatcher {
 	return &matchers.MatchXMLMatcher{
 		XMLToMatch: xml,
 	}
@@ -291,7 +291,7 @@ func MatchXML(xml interface{}) types.GomegaMatcher {
 // MatchYAML succeeds if actual is a string or stringer of YAML that matches
 // the expected YAML.  The YAML's are decoded and the resulting objects are compared via
 // reflect.DeepEqual so things like key-ordering and whitespace shouldn't matter.
-func MatchYAML(yaml interface{}) types.GomegaMatcher {
+func MatchYAML(yaml any) types.GomegaMatcher {
 	return &matchers.MatchYAMLMatcher{
 		YAMLToMatch: yaml,
 	}
@@ -338,7 +338,7 @@ func BeZero() types.GomegaMatcher {
 //
 //	var findings []string
 //	Expect([]string{"Foo", "FooBar"}).Should(ContainElement(ContainSubString("Bar", &findings)))
-func ContainElement(element interface{}, result ...interface{}) types.GomegaMatcher {
+func ContainElement(element any, result ...any) types.GomegaMatcher {
 	return &matchers.ContainElementMatcher{
 		Element: element,
 		Result:  result,
@@ -358,7 +358,7 @@ func ContainElement(element interface{}, result ...interface{}) types.GomegaMatc
 //	Expect(2).Should(BeElementOf(1, 2))
 //
 // Actual must be typed.
-func BeElementOf(elements ...interface{}) types.GomegaMatcher {
+func BeElementOf(elements ...any) types.GomegaMatcher {
 	return &matchers.BeElementOfMatcher{
 		Elements: elements,
 	}
@@ -368,7 +368,7 @@ func BeElementOf(elements ...interface{}) types.GomegaMatcher {
 // BeKeyOf() always uses Equal() to perform the match between actual and the map keys.
 //
 //	Expect("foo").Should(BeKeyOf(map[string]bool{"foo": true, "bar": false}))
-func BeKeyOf(element interface{}) types.GomegaMatcher {
+func BeKeyOf(element any) types.GomegaMatcher {
 	return &matchers.BeKeyOfMatcher{
 		Map: element,
 	}
@@ -388,14 +388,14 @@ func BeKeyOf(element interface{}) types.GomegaMatcher {
 //
 //	Expect([]string{"Foo", "FooBar"}).Should(ConsistOf([]string{"FooBar", "Foo"}))
 //
-// Note that Go's type system does not allow you to write this as ConsistOf([]string{"FooBar", "Foo"}...) as []string and []interface{} are different types - hence the need for this special rule.
-func ConsistOf(elements ...interface{}) types.GomegaMatcher {
+// Note that Go's type system does not allow you to write this as ConsistOf([]string{"FooBar", "Foo"}...) as []string and []any are different types - hence the need for this special rule.
+func ConsistOf(elements ...any) types.GomegaMatcher {
 	return &matchers.ConsistOfMatcher{
 		Elements: elements,
 	}
 }
 
-// HaveExactElements succeeds if actual contains elements that precisely match the elemets passed into the matcher. The ordering of the elements does matter.
+// HaveExactElements succeeds if actual contains elements that precisely match the elements passed into the matcher. The ordering of the elements does matter.
 // By default HaveExactElements() uses Equal() to match the elements, however custom matchers can be passed in instead.  Here are some examples:
 //
 //	Expect([]string{"Foo", "FooBar"}).Should(HaveExactElements("Foo", "FooBar"))
@@ -403,7 +403,7 @@ func ConsistOf(elements ...interface{}) types.GomegaMatcher {
 //	Expect([]string{"Foo", "FooBar"}).Should(HaveExactElements(ContainSubstring("Foo"), ContainSubstring("Foo")))
 //
 // Actual must be an array or slice.
-func HaveExactElements(elements ...interface{}) types.GomegaMatcher {
+func HaveExactElements(elements ...any) types.GomegaMatcher {
 	return &matchers.HaveExactElementsMatcher{
 		Elements: elements,
 	}
@@ -417,7 +417,7 @@ func HaveExactElements(elements ...interface{}) types.GomegaMatcher {
 //
 // Actual must be an array, slice or map.
 // For maps, ContainElements searches through the map's values.
-func ContainElements(elements ...interface{}) types.GomegaMatcher {
+func ContainElements(elements ...any) types.GomegaMatcher {
 	return &matchers.ContainElementsMatcher{
 		Elements: elements,
 	}
@@ -432,7 +432,7 @@ func ContainElements(elements ...interface{}) types.GomegaMatcher {
 //
 // Actual must be an array, slice or map.
 // For maps, HaveEach searches through the map's values.
-func HaveEach(element interface{}) types.GomegaMatcher {
+func HaveEach(element any) types.GomegaMatcher {
 	return &matchers.HaveEachMatcher{
 		Element: element,
 	}
@@ -443,7 +443,7 @@ func HaveEach(element interface{}) types.GomegaMatcher {
 // matcher can be passed in instead:
 //
 //	Expect(map[string]string{"Foo": "Bar", "BazFoo": "Duck"}).Should(HaveKey(MatchRegexp(`.+Foo$`)))
-func HaveKey(key interface{}) types.GomegaMatcher {
+func HaveKey(key any) types.GomegaMatcher {
 	return &matchers.HaveKeyMatcher{
 		Key: key,
 	}
@@ -455,7 +455,7 @@ func HaveKey(key interface{}) types.GomegaMatcher {
 //
 //	Expect(map[string]string{"Foo": "Bar", "BazFoo": "Duck"}).Should(HaveKeyWithValue("Foo", "Bar"))
 //	Expect(map[string]string{"Foo": "Bar", "BazFoo": "Duck"}).Should(HaveKeyWithValue(MatchRegexp(`.+Foo$`), "Bar"))
-func HaveKeyWithValue(key interface{}, value interface{}) types.GomegaMatcher {
+func HaveKeyWithValue(key any, value any) types.GomegaMatcher {
 	return &matchers.HaveKeyWithValueMatcher{
 		Key:   key,
 		Value: value,
@@ -483,7 +483,7 @@ func HaveKeyWithValue(key interface{}, value interface{}) types.GomegaMatcher {
 //	Expect(book).To(HaveField("Title", ContainSubstring("Les"))
 //	Expect(book).To(HaveField("Author.FirstName", Equal("Victor"))
 //	Expect(book).To(HaveField("Author.DOB.Year()", BeNumerically("<", 1900))
-func HaveField(field string, expected interface{}) types.GomegaMatcher {
+func HaveField(field string, expected any) types.GomegaMatcher {
 	return &matchers.HaveFieldMatcher{
 		Field:    field,
 		Expected: expected,
@@ -535,7 +535,7 @@ func HaveValue(matcher types.GomegaMatcher) types.GomegaMatcher {
 //	Expect(1.0).Should(BeNumerically(">=", 1.0))
 //	Expect(1.0).Should(BeNumerically("<", 3))
 //	Expect(1.0).Should(BeNumerically("<=", 1.0))
-func BeNumerically(comparator string, compareTo ...interface{}) types.GomegaMatcher {
+func BeNumerically(comparator string, compareTo ...any) types.GomegaMatcher {
 	return &matchers.BeNumericallyMatcher{
 		Comparator: comparator,
 		CompareTo:  compareTo,
@@ -562,7 +562,7 @@ func BeTemporally(comparator string, compareTo time.Time, threshold ...time.Dura
 //	Expect(5).Should(BeAssignableToTypeOf(-1))        // different values same type
 //	Expect("foo").Should(BeAssignableToTypeOf("bar")) // different values same type
 //	Expect(struct{ Foo string }{}).Should(BeAssignableToTypeOf(struct{ Foo string }{}))
-func BeAssignableToTypeOf(expected interface{}) types.GomegaMatcher {
+func BeAssignableToTypeOf(expected any) types.GomegaMatcher {
 	return &matchers.AssignableToTypeOfMatcher{
 		Expected: expected,
 	}
@@ -581,7 +581,7 @@ func Panic() types.GomegaMatcher {
 // matcher can be passed in instead:
 //
 //	Expect(fn).Should(PanicWith(MatchRegexp(`.+Foo$`)))
-func PanicWith(expected interface{}) types.GomegaMatcher {
+func PanicWith(expected any) types.GomegaMatcher {
 	return &matchers.PanicMatcher{Expected: expected}
 }
 
@@ -610,7 +610,7 @@ func BeADirectory() types.GomegaMatcher {
 //	Expect(resp).Should(HaveHTTPStatus(http.StatusOK))   // asserts that resp.StatusCode == 200
 //	Expect(resp).Should(HaveHTTPStatus("404 Not Found")) // asserts that resp.Status == "404 Not Found"
 //	Expect(resp).Should(HaveHTTPStatus(http.StatusOK, http.StatusNoContent))   // asserts that resp.StatusCode == 200 || resp.StatusCode == 204
-func HaveHTTPStatus(expected ...interface{}) types.GomegaMatcher {
+func HaveHTTPStatus(expected ...any) types.GomegaMatcher {
 	return &matchers.HaveHTTPStatusMatcher{Expected: expected}
 }
 
@@ -618,7 +618,7 @@ func HaveHTTPStatus(expected ...interface{}) types.GomegaMatcher {
 // Actual must be either a *http.Response or *httptest.ResponseRecorder.
 // Expected must be a string header name, followed by a header value which
 // can be a string, or another matcher.
-func HaveHTTPHeaderWithValue(header string, value interface{}) types.GomegaMatcher {
+func HaveHTTPHeaderWithValue(header string, value any) types.GomegaMatcher {
 	return &matchers.HaveHTTPHeaderWithValueMatcher{
 		Header: header,
 		Value:  value,
@@ -628,7 +628,7 @@ func HaveHTTPHeaderWithValue(header string, value interface{}) types.GomegaMatch
 // HaveHTTPBody matches if the body matches.
 // Actual must be either a *http.Response or *httptest.ResponseRecorder.
 // Expected must be either a string, []byte, or other matcher
-func HaveHTTPBody(expected interface{}) types.GomegaMatcher {
+func HaveHTTPBody(expected any) types.GomegaMatcher {
 	return &matchers.HaveHTTPBodyMatcher{Expected: expected}
 }
 
@@ -687,15 +687,15 @@ func Not(matcher types.GomegaMatcher) types.GomegaMatcher {
 //	 Expect(1).To(WithTransform(failingplus1, Equal(2)))
 //
 // And(), Or(), Not() and WithTransform() allow matchers to be composed into complex expressions.
-func WithTransform(transform interface{}, matcher types.GomegaMatcher) types.GomegaMatcher {
+func WithTransform(transform any, matcher types.GomegaMatcher) types.GomegaMatcher {
 	return matchers.NewWithTransformMatcher(transform, matcher)
 }
 
 // Satisfy matches the actual value against the `predicate` function.
-// The given predicate must be a function of one paramter that returns bool.
+// The given predicate must be a function of one parameter that returns bool.
 //
 //	var isEven = func(i int) bool { return i%2 == 0 }
 //	Expect(2).To(Satisfy(isEven))
-func Satisfy(predicate interface{}) types.GomegaMatcher {
+func Satisfy(predicate any) types.GomegaMatcher {
 	return matchers.NewSatisfyMatcher(predicate)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/and.go b/vendor/github.com/onsi/gomega/matchers/and.go
index 6bd826adc5c3a..db48e90b3762b 100644
--- a/vendor/github.com/onsi/gomega/matchers/and.go
+++ b/vendor/github.com/onsi/gomega/matchers/and.go
@@ -14,7 +14,7 @@ type AndMatcher struct {
 	firstFailedMatcher types.GomegaMatcher
 }
 
-func (m *AndMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *AndMatcher) Match(actual any) (success bool, err error) {
 	m.firstFailedMatcher = nil
 	for _, matcher := range m.Matchers {
 		success, err := matcher.Match(actual)
@@ -26,16 +26,16 @@ func (m *AndMatcher) Match(actual interface{}) (success bool, err error) {
 	return true, nil
 }
 
-func (m *AndMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *AndMatcher) FailureMessage(actual any) (message string) {
 	return m.firstFailedMatcher.FailureMessage(actual)
 }
 
-func (m *AndMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *AndMatcher) NegatedFailureMessage(actual any) (message string) {
 	// not the most beautiful list of matchers, but not bad either...
 	return format.Message(actual, fmt.Sprintf("To not satisfy all of these matchers: %s", m.Matchers))
 }
 
-func (m *AndMatcher) MatchMayChangeInTheFuture(actual interface{}) bool {
+func (m *AndMatcher) MatchMayChangeInTheFuture(actual any) bool {
 	/*
 		Example with 3 matchers: A, B, C
 
diff --git a/vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go b/vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go
index be483952018ff..a100e5c07e8f0 100644
--- a/vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go
@@ -10,10 +10,10 @@ import (
 )
 
 type AssignableToTypeOfMatcher struct {
-	Expected interface{}
+	Expected any
 }
 
-func (matcher *AssignableToTypeOfMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *AssignableToTypeOfMatcher) Match(actual any) (success bool, err error) {
 	if actual == nil && matcher.Expected == nil {
 		return false, fmt.Errorf("Refusing to compare <nil> to <nil>.\nBe explicit and use BeNil() instead.  This is to avoid mistakes where both sides of an assertion are erroneously uninitialized.")
 	} else if matcher.Expected == nil {
@@ -28,10 +28,10 @@ func (matcher *AssignableToTypeOfMatcher) Match(actual interface{}) (success boo
 	return actualType.AssignableTo(expectedType), nil
 }
 
-func (matcher *AssignableToTypeOfMatcher) FailureMessage(actual interface{}) string {
+func (matcher *AssignableToTypeOfMatcher) FailureMessage(actual any) string {
 	return format.Message(actual, fmt.Sprintf("to be assignable to the type: %T", matcher.Expected))
 }
 
-func (matcher *AssignableToTypeOfMatcher) NegatedFailureMessage(actual interface{}) string {
+func (matcher *AssignableToTypeOfMatcher) NegatedFailureMessage(actual any) string {
 	return format.Message(actual, fmt.Sprintf("not to be assignable to the type: %T", matcher.Expected))
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_a_directory.go b/vendor/github.com/onsi/gomega/matchers/be_a_directory.go
index 93d4497c7058f..1d8236048425b 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_a_directory.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_a_directory.go
@@ -24,11 +24,11 @@ func (t notADirectoryError) Error() string {
 }
 
 type BeADirectoryMatcher struct {
-	expected interface{}
+	expected any
 	err      error
 }
 
-func (matcher *BeADirectoryMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeADirectoryMatcher) Match(actual any) (success bool, err error) {
 	actualFilename, ok := actual.(string)
 	if !ok {
 		return false, fmt.Errorf("BeADirectoryMatcher matcher expects a file path")
@@ -47,10 +47,10 @@ func (matcher *BeADirectoryMatcher) Match(actual interface{}) (success bool, err
 	return true, nil
 }
 
-func (matcher *BeADirectoryMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeADirectoryMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, fmt.Sprintf("to be a directory: %s", matcher.err))
 }
 
-func (matcher *BeADirectoryMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeADirectoryMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not be a directory")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go b/vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go
index 8fefc4deb7a32..3e53d6285b5c1 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go
@@ -24,11 +24,11 @@ func (t notARegularFileError) Error() string {
 }
 
 type BeARegularFileMatcher struct {
-	expected interface{}
+	expected any
 	err      error
 }
 
-func (matcher *BeARegularFileMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeARegularFileMatcher) Match(actual any) (success bool, err error) {
 	actualFilename, ok := actual.(string)
 	if !ok {
 		return false, fmt.Errorf("BeARegularFileMatcher matcher expects a file path")
@@ -47,10 +47,10 @@ func (matcher *BeARegularFileMatcher) Match(actual interface{}) (success bool, e
 	return true, nil
 }
 
-func (matcher *BeARegularFileMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeARegularFileMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, fmt.Sprintf("to be a regular file: %s", matcher.err))
 }
 
-func (matcher *BeARegularFileMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeARegularFileMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not be a regular file")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go b/vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go
index e2bdd28113b3f..04f156db39404 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go
@@ -10,10 +10,10 @@ import (
 )
 
 type BeAnExistingFileMatcher struct {
-	expected interface{}
+	expected any
 }
 
-func (matcher *BeAnExistingFileMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeAnExistingFileMatcher) Match(actual any) (success bool, err error) {
 	actualFilename, ok := actual.(string)
 	if !ok {
 		return false, fmt.Errorf("BeAnExistingFileMatcher matcher expects a file path")
@@ -31,10 +31,10 @@ func (matcher *BeAnExistingFileMatcher) Match(actual interface{}) (success bool,
 	return true, nil
 }
 
-func (matcher *BeAnExistingFileMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeAnExistingFileMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to exist")
 }
 
-func (matcher *BeAnExistingFileMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeAnExistingFileMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to exist")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go
index f13c24490f872..4319dde455132 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go
@@ -12,7 +12,7 @@ import (
 type BeClosedMatcher struct {
 }
 
-func (matcher *BeClosedMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeClosedMatcher) Match(actual any) (success bool, err error) {
 	if !isChan(actual) {
 		return false, fmt.Errorf("BeClosed matcher expects a channel.  Got:\n%s", format.Object(actual, 1))
 	}
@@ -39,10 +39,10 @@ func (matcher *BeClosedMatcher) Match(actual interface{}) (success bool, err err
 	return closed, nil
 }
 
-func (matcher *BeClosedMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeClosedMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be closed")
 }
 
-func (matcher *BeClosedMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeClosedMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be open")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go
index 4e3897858c779..ce74eee4c709b 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go
@@ -2,6 +2,7 @@ package matchers
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 
 	"github.com/google/go-cmp/cmp"
@@ -9,11 +10,11 @@ import (
 )
 
 type BeComparableToMatcher struct {
-	Expected interface{}
+	Expected any
 	Options  cmp.Options
 }
 
-func (matcher *BeComparableToMatcher) Match(actual interface{}) (success bool, matchErr error) {
+func (matcher *BeComparableToMatcher) Match(actual any) (success bool, matchErr error) {
 	if actual == nil && matcher.Expected == nil {
 		return false, fmt.Errorf("Refusing to compare <nil> to <nil>.\nBe explicit and use BeNil() instead.  This is to avoid mistakes where both sides of an assertion are erroneously uninitialized.")
 	}
@@ -32,7 +33,7 @@ func (matcher *BeComparableToMatcher) Match(actual interface{}) (success bool, m
 			if err, ok := r.(error); ok {
 				matchErr = err
 			} else if errMsg, ok := r.(string); ok {
-				matchErr = fmt.Errorf(errMsg)
+				matchErr = errors.New(errMsg)
 			}
 		}
 	}()
@@ -40,10 +41,10 @@ func (matcher *BeComparableToMatcher) Match(actual interface{}) (success bool, m
 	return cmp.Equal(actual, matcher.Expected, matcher.Options...), nil
 }
 
-func (matcher *BeComparableToMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeComparableToMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprint("Expected object to be comparable, diff: ", cmp.Diff(actual, matcher.Expected, matcher.Options...))
 }
 
-func (matcher *BeComparableToMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeComparableToMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be comparable to", matcher.Expected)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go
index 9ee75a5d51159..406fe54843b21 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go
@@ -10,10 +10,10 @@ import (
 )
 
 type BeElementOfMatcher struct {
-	Elements []interface{}
+	Elements []any
 }
 
-func (matcher *BeElementOfMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeElementOfMatcher) Match(actual any) (success bool, err error) {
 	if reflect.TypeOf(actual) == nil {
 		return false, fmt.Errorf("BeElement matcher expects actual to be typed")
 	}
@@ -34,10 +34,10 @@ func (matcher *BeElementOfMatcher) Match(actual interface{}) (success bool, err
 	return false, lastError
 }
 
-func (matcher *BeElementOfMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeElementOfMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be an element of", presentable(matcher.Elements))
 }
 
-func (matcher *BeElementOfMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeElementOfMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be an element of", presentable(matcher.Elements))
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go
index 527c1a1c10476..e9e0644f32e74 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go
@@ -4,26 +4,40 @@ package matchers
 
 import (
 	"fmt"
+	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type BeEmptyMatcher struct {
 }
 
-func (matcher *BeEmptyMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeEmptyMatcher) Match(actual any) (success bool, err error) {
+	// short-circuit the iterator case, as we only need to see the first
+	// element, if any.
+	if miter.IsIter(actual) {
+		var length int
+		if miter.IsSeq2(actual) {
+			miter.IterateKV(actual, func(k, v reflect.Value) bool { length++; return false })
+		} else {
+			miter.IterateV(actual, func(v reflect.Value) bool { length++; return false })
+		}
+		return length == 0, nil
+	}
+
 	length, ok := lengthOf(actual)
 	if !ok {
-		return false, fmt.Errorf("BeEmpty matcher expects a string/array/map/channel/slice.  Got:\n%s", format.Object(actual, 1))
+		return false, fmt.Errorf("BeEmpty matcher expects a string/array/map/channel/slice/iterator.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	return length == 0, nil
 }
 
-func (matcher *BeEmptyMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeEmptyMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be empty")
 }
 
-func (matcher *BeEmptyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeEmptyMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be empty")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go
index 263627f4083e2..37b3080ba7788 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go
@@ -10,10 +10,10 @@ import (
 )
 
 type BeEquivalentToMatcher struct {
-	Expected interface{}
+	Expected any
 }
 
-func (matcher *BeEquivalentToMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeEquivalentToMatcher) Match(actual any) (success bool, err error) {
 	if actual == nil && matcher.Expected == nil {
 		return false, fmt.Errorf("Both actual and expected must not be nil.")
 	}
@@ -27,10 +27,10 @@ func (matcher *BeEquivalentToMatcher) Match(actual interface{}) (success bool, e
 	return reflect.DeepEqual(convertedActual, matcher.Expected), nil
 }
 
-func (matcher *BeEquivalentToMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeEquivalentToMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be equivalent to", matcher.Expected)
 }
 
-func (matcher *BeEquivalentToMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeEquivalentToMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be equivalent to", matcher.Expected)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_false_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_false_matcher.go
index 8ee2b1c51e792..55e869515afb4 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_false_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_false_matcher.go
@@ -12,7 +12,7 @@ type BeFalseMatcher struct {
 	Reason string
 }
 
-func (matcher *BeFalseMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeFalseMatcher) Match(actual any) (success bool, err error) {
 	if !isBool(actual) {
 		return false, fmt.Errorf("Expected a boolean.  Got:\n%s", format.Object(actual, 1))
 	}
@@ -20,7 +20,7 @@ func (matcher *BeFalseMatcher) Match(actual interface{}) (success bool, err erro
 	return actual == false, nil
 }
 
-func (matcher *BeFalseMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeFalseMatcher) FailureMessage(actual any) (message string) {
 	if matcher.Reason == "" {
 		return format.Message(actual, "to be false")
 	} else {
@@ -28,7 +28,7 @@ func (matcher *BeFalseMatcher) FailureMessage(actual interface{}) (message strin
 	}
 }
 
-func (matcher *BeFalseMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeFalseMatcher) NegatedFailureMessage(actual any) (message string) {
 	if matcher.Reason == "" {
 		return format.Message(actual, "not to be false")
 	} else {
diff --git a/vendor/github.com/onsi/gomega/matchers/be_identical_to.go b/vendor/github.com/onsi/gomega/matchers/be_identical_to.go
index 631ce11e33b15..579aa41b313fa 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_identical_to.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_identical_to.go
@@ -10,10 +10,10 @@ import (
 )
 
 type BeIdenticalToMatcher struct {
-	Expected interface{}
+	Expected any
 }
 
-func (matcher *BeIdenticalToMatcher) Match(actual interface{}) (success bool, matchErr error) {
+func (matcher *BeIdenticalToMatcher) Match(actual any) (success bool, matchErr error) {
 	if actual == nil && matcher.Expected == nil {
 		return false, fmt.Errorf("Refusing to compare <nil> to <nil>.\nBe explicit and use BeNil() instead.  This is to avoid mistakes where both sides of an assertion are erroneously uninitialized.")
 	}
@@ -30,10 +30,10 @@ func (matcher *BeIdenticalToMatcher) Match(actual interface{}) (success bool, ma
 	return actual == matcher.Expected, nil
 }
 
-func (matcher *BeIdenticalToMatcher) FailureMessage(actual interface{}) string {
+func (matcher *BeIdenticalToMatcher) FailureMessage(actual any) string {
 	return format.Message(actual, "to be identical to", matcher.Expected)
 }
 
-func (matcher *BeIdenticalToMatcher) NegatedFailureMessage(actual interface{}) string {
+func (matcher *BeIdenticalToMatcher) NegatedFailureMessage(actual any) string {
 	return format.Message(actual, "not to be identical to", matcher.Expected)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go
index 449a291ef9a87..3fff3df784b7e 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go
@@ -8,10 +8,10 @@ import (
 )
 
 type BeKeyOfMatcher struct {
-	Map interface{}
+	Map any
 }
 
-func (matcher *BeKeyOfMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeKeyOfMatcher) Match(actual any) (success bool, err error) {
 	if !isMap(matcher.Map) {
 		return false, fmt.Errorf("BeKeyOf matcher needs expected to be a map type")
 	}
@@ -36,10 +36,10 @@ func (matcher *BeKeyOfMatcher) Match(actual interface{}) (success bool, err erro
 	return false, lastError
 }
 
-func (matcher *BeKeyOfMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeKeyOfMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be a key of", presentable(valuesOf(matcher.Map)))
 }
 
-func (matcher *BeKeyOfMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeKeyOfMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be a key of", presentable(valuesOf(matcher.Map)))
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go
index 551d99d7474e4..cab37f4f957fe 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go
@@ -7,14 +7,14 @@ import "github.com/onsi/gomega/format"
 type BeNilMatcher struct {
 }
 
-func (matcher *BeNilMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeNilMatcher) Match(actual any) (success bool, err error) {
 	return isNil(actual), nil
 }
 
-func (matcher *BeNilMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeNilMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be nil")
 }
 
-func (matcher *BeNilMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeNilMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be nil")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go
index 100735de32508..7e6ce154e1e8a 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go
@@ -11,18 +11,18 @@ import (
 
 type BeNumericallyMatcher struct {
 	Comparator string
-	CompareTo  []interface{}
+	CompareTo  []any
 }
 
-func (matcher *BeNumericallyMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeNumericallyMatcher) FailureMessage(actual any) (message string) {
 	return matcher.FormatFailureMessage(actual, false)
 }
 
-func (matcher *BeNumericallyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeNumericallyMatcher) NegatedFailureMessage(actual any) (message string) {
 	return matcher.FormatFailureMessage(actual, true)
 }
 
-func (matcher *BeNumericallyMatcher) FormatFailureMessage(actual interface{}, negated bool) (message string) {
+func (matcher *BeNumericallyMatcher) FormatFailureMessage(actual any, negated bool) (message string) {
 	if len(matcher.CompareTo) == 1 {
 		message = fmt.Sprintf("to be %s", matcher.Comparator)
 	} else {
@@ -34,7 +34,7 @@ func (matcher *BeNumericallyMatcher) FormatFailureMessage(actual interface{}, ne
 	return format.Message(actual, message, matcher.CompareTo[0])
 }
 
-func (matcher *BeNumericallyMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeNumericallyMatcher) Match(actual any) (success bool, err error) {
 	if len(matcher.CompareTo) == 0 || len(matcher.CompareTo) > 2 {
 		return false, fmt.Errorf("BeNumerically requires 1 or 2 CompareTo arguments.  Got:\n%s", format.Object(matcher.CompareTo, 1))
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go
index cf582a3fcbd3e..14ffbf6c4c06f 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go
@@ -10,11 +10,11 @@ import (
 )
 
 type BeSentMatcher struct {
-	Arg           interface{}
+	Arg           any
 	channelClosed bool
 }
 
-func (matcher *BeSentMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeSentMatcher) Match(actual any) (success bool, err error) {
 	if !isChan(actual) {
 		return false, fmt.Errorf("BeSent expects a channel.  Got:\n%s", format.Object(actual, 1))
 	}
@@ -56,15 +56,15 @@ func (matcher *BeSentMatcher) Match(actual interface{}) (success bool, err error
 	return didSend, nil
 }
 
-func (matcher *BeSentMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeSentMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to send:", matcher.Arg)
 }
 
-func (matcher *BeSentMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeSentMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to send:", matcher.Arg)
 }
 
-func (matcher *BeSentMatcher) MatchMayChangeInTheFuture(actual interface{}) bool {
+func (matcher *BeSentMatcher) MatchMayChangeInTheFuture(actual any) bool {
 	if !isChan(actual) {
 		return false
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go
index dec4db024e400..edb647c6f22b5 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go
@@ -15,17 +15,17 @@ type BeTemporallyMatcher struct {
 	Threshold  []time.Duration
 }
 
-func (matcher *BeTemporallyMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeTemporallyMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, fmt.Sprintf("to be %s", matcher.Comparator), matcher.CompareTo)
 }
 
-func (matcher *BeTemporallyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeTemporallyMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, fmt.Sprintf("not to be %s", matcher.Comparator), matcher.CompareTo)
 }
 
-func (matcher *BeTemporallyMatcher) Match(actual interface{}) (bool, error) {
+func (matcher *BeTemporallyMatcher) Match(actual any) (bool, error) {
 	// predicate to test for time.Time type
-	isTime := func(t interface{}) bool {
+	isTime := func(t any) bool {
 		_, ok := t.(time.Time)
 		return ok
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/be_true_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_true_matcher.go
index 3576aac884e39..a010bec5ad62e 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_true_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_true_matcher.go
@@ -12,7 +12,7 @@ type BeTrueMatcher struct {
 	Reason string
 }
 
-func (matcher *BeTrueMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeTrueMatcher) Match(actual any) (success bool, err error) {
 	if !isBool(actual) {
 		return false, fmt.Errorf("Expected a boolean.  Got:\n%s", format.Object(actual, 1))
 	}
@@ -20,7 +20,7 @@ func (matcher *BeTrueMatcher) Match(actual interface{}) (success bool, err error
 	return actual.(bool), nil
 }
 
-func (matcher *BeTrueMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeTrueMatcher) FailureMessage(actual any) (message string) {
 	if matcher.Reason == "" {
 		return format.Message(actual, "to be true")
 	} else {
@@ -28,7 +28,7 @@ func (matcher *BeTrueMatcher) FailureMessage(actual interface{}) (message string
 	}
 }
 
-func (matcher *BeTrueMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeTrueMatcher) NegatedFailureMessage(actual any) (message string) {
 	if matcher.Reason == "" {
 		return format.Message(actual, "not to be true")
 	} else {
diff --git a/vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go b/vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go
index 26196f168f415..f5f5d7f7d7733 100644
--- a/vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go
@@ -9,7 +9,7 @@ import (
 type BeZeroMatcher struct {
 }
 
-func (matcher *BeZeroMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *BeZeroMatcher) Match(actual any) (success bool, err error) {
 	if actual == nil {
 		return true, nil
 	}
@@ -19,10 +19,10 @@ func (matcher *BeZeroMatcher) Match(actual interface{}) (success bool, err error
 
 }
 
-func (matcher *BeZeroMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *BeZeroMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to be zero-valued")
 }
 
-func (matcher *BeZeroMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *BeZeroMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to be zero-valued")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/consist_of.go b/vendor/github.com/onsi/gomega/matchers/consist_of.go
index f69037a4f0ef1..05c751b6649c9 100644
--- a/vendor/github.com/onsi/gomega/matchers/consist_of.go
+++ b/vendor/github.com/onsi/gomega/matchers/consist_of.go
@@ -7,18 +7,19 @@ import (
 	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 	"github.com/onsi/gomega/matchers/support/goraph/bipartitegraph"
 )
 
 type ConsistOfMatcher struct {
-	Elements        []interface{}
-	missingElements []interface{}
-	extraElements   []interface{}
+	Elements        []any
+	missingElements []any
+	extraElements   []any
 }
 
-func (matcher *ConsistOfMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isArrayOrSlice(actual) && !isMap(actual) {
-		return false, fmt.Errorf("ConsistOf matcher expects an array/slice/map.  Got:\n%s", format.Object(actual, 1))
+func (matcher *ConsistOfMatcher) Match(actual any) (success bool, err error) {
+	if !isArrayOrSlice(actual) && !isMap(actual) && !miter.IsIter(actual) {
+		return false, fmt.Errorf("ConsistOf matcher expects an array/slice/map/iter.Seq/iter.Seq2.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	matchers := matchers(matcher.Elements)
@@ -34,19 +35,19 @@ func (matcher *ConsistOfMatcher) Match(actual interface{}) (success bool, err er
 		return true, nil
 	}
 
-	var missingMatchers []interface{}
+	var missingMatchers []any
 	matcher.extraElements, missingMatchers = bipartiteGraph.FreeLeftRight(edges)
 	matcher.missingElements = equalMatchersToElements(missingMatchers)
 
 	return false, nil
 }
 
-func neighbours(value, matcher interface{}) (bool, error) {
+func neighbours(value, matcher any) (bool, error) {
 	match, err := matcher.(omegaMatcher).Match(value)
 	return match && err == nil, nil
 }
 
-func equalMatchersToElements(matchers []interface{}) (elements []interface{}) {
+func equalMatchersToElements(matchers []any) (elements []any) {
 	for _, matcher := range matchers {
 		if equalMatcher, ok := matcher.(*EqualMatcher); ok {
 			elements = append(elements, equalMatcher.Expected)
@@ -59,20 +60,31 @@ func equalMatchersToElements(matchers []interface{}) (elements []interface{}) {
 	return
 }
 
-func flatten(elems []interface{}) []interface{} {
-	if len(elems) != 1 || !isArrayOrSlice(elems[0]) {
+func flatten(elems []any) []any {
+	if len(elems) != 1 ||
+		!(isArrayOrSlice(elems[0]) ||
+			(miter.IsIter(elems[0]) && !miter.IsSeq2(elems[0]))) {
 		return elems
 	}
 
+	if miter.IsIter(elems[0]) {
+		flattened := []any{}
+		miter.IterateV(elems[0], func(v reflect.Value) bool {
+			flattened = append(flattened, v.Interface())
+			return true
+		})
+		return flattened
+	}
+
 	value := reflect.ValueOf(elems[0])
-	flattened := make([]interface{}, value.Len())
+	flattened := make([]any, value.Len())
 	for i := 0; i < value.Len(); i++ {
 		flattened[i] = value.Index(i).Interface()
 	}
 	return flattened
 }
 
-func matchers(expectedElems []interface{}) (matchers []interface{}) {
+func matchers(expectedElems []any) (matchers []any) {
 	for _, e := range flatten(expectedElems) {
 		if e == nil {
 			matchers = append(matchers, &BeNilMatcher{})
@@ -85,11 +97,11 @@ func matchers(expectedElems []interface{}) (matchers []interface{}) {
 	return
 }
 
-func presentable(elems []interface{}) interface{} {
+func presentable(elems []any) any {
 	elems = flatten(elems)
 
 	if len(elems) == 0 {
-		return []interface{}{}
+		return []any{}
 	}
 
 	sv := reflect.ValueOf(elems)
@@ -113,10 +125,22 @@ func presentable(elems []interface{}) interface{} {
 	return ss.Interface()
 }
 
-func valuesOf(actual interface{}) []interface{} {
+func valuesOf(actual any) []any {
 	value := reflect.ValueOf(actual)
-	values := []interface{}{}
-	if isMap(actual) {
+	values := []any{}
+	if miter.IsIter(actual) {
+		if miter.IsSeq2(actual) {
+			miter.IterateKV(actual, func(k, v reflect.Value) bool {
+				values = append(values, v.Interface())
+				return true
+			})
+		} else {
+			miter.IterateV(actual, func(v reflect.Value) bool {
+				values = append(values, v.Interface())
+				return true
+			})
+		}
+	} else if isMap(actual) {
 		keys := value.MapKeys()
 		for i := 0; i < value.Len(); i++ {
 			values = append(values, value.MapIndex(keys[i]).Interface())
@@ -130,7 +154,7 @@ func valuesOf(actual interface{}) []interface{} {
 	return values
 }
 
-func (matcher *ConsistOfMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *ConsistOfMatcher) FailureMessage(actual any) (message string) {
 	message = format.Message(actual, "to consist of", presentable(matcher.Elements))
 	message = appendMissingElements(message, matcher.missingElements)
 	if len(matcher.extraElements) > 0 {
@@ -140,7 +164,7 @@ func (matcher *ConsistOfMatcher) FailureMessage(actual interface{}) (message str
 	return
 }
 
-func appendMissingElements(message string, missingElements []interface{}) string {
+func appendMissingElements(message string, missingElements []any) string {
 	if len(missingElements) == 0 {
 		return message
 	}
@@ -148,6 +172,6 @@ func appendMissingElements(message string, missingElements []interface{}) string
 		format.Object(presentable(missingElements), 1))
 }
 
-func (matcher *ConsistOfMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *ConsistOfMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to consist of", presentable(matcher.Elements))
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go b/vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go
index 3d45c9ebc696d..8337a5261c7be 100644
--- a/vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go
@@ -8,24 +8,27 @@ import (
 	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type ContainElementMatcher struct {
-	Element interface{}
-	Result  []interface{}
+	Element any
+	Result  []any
 }
 
-func (matcher *ContainElementMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isArrayOrSlice(actual) && !isMap(actual) {
-		return false, fmt.Errorf("ContainElement matcher expects an array/slice/map.  Got:\n%s", format.Object(actual, 1))
+func (matcher *ContainElementMatcher) Match(actual any) (success bool, err error) {
+	if !isArrayOrSlice(actual) && !isMap(actual) && !miter.IsIter(actual) {
+		return false, fmt.Errorf("ContainElement matcher expects an array/slice/map/iterator.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	var actualT reflect.Type
 	var result reflect.Value
-	switch l := len(matcher.Result); {
-	case l > 1:
+	switch numResultArgs := len(matcher.Result); {
+	case numResultArgs > 1:
 		return false, errors.New("ContainElement matcher expects at most a single optional pointer to store its findings at")
-	case l == 1:
+	case numResultArgs == 1:
+		// Check the optional result arg to point to a single value/array/slice/map
+		// of a type compatible with the actual value.
 		if reflect.ValueOf(matcher.Result[0]).Kind() != reflect.Ptr {
 			return false, fmt.Errorf("ContainElement matcher expects a non-nil pointer to store its findings at.  Got\n%s",
 				format.Object(matcher.Result[0], 1))
@@ -34,93 +37,209 @@ func (matcher *ContainElementMatcher) Match(actual interface{}) (success bool, e
 		resultReference := matcher.Result[0]
 		result = reflect.ValueOf(resultReference).Elem() // what ResultReference points to, to stash away our findings
 		switch result.Kind() {
-		case reflect.Array:
+		case reflect.Array: // result arrays are not supported, as they cannot be dynamically sized.
+			if miter.IsIter(actual) {
+				_, actualvT := miter.IterKVTypes(actual)
+				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+					reflect.SliceOf(actualvT), result.Type().String())
+			}
 			return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
 				reflect.SliceOf(actualT.Elem()).String(), result.Type().String())
-		case reflect.Slice:
-			if !isArrayOrSlice(actual) {
+
+		case reflect.Slice: // result slice
+			// can we assign elements in actual to elements in what the result
+			// arg points to?
+			//   - ✔ actual is an array or slice
+			//   - ✔ actual is an iter.Seq producing "v" elements
+			//   - ✔ actual is an iter.Seq2 producing "v" elements, ignoring
+			//     the "k" elements.
+			switch {
+			case isArrayOrSlice(actual):
+				if !actualT.Elem().AssignableTo(result.Type().Elem()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						actualT.String(), result.Type().String())
+				}
+
+			case miter.IsIter(actual):
+				_, actualvT := miter.IterKVTypes(actual)
+				if !actualvT.AssignableTo(result.Type().Elem()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						actualvT.String(), result.Type().String())
+				}
+
+			default: // incompatible result reference
 				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
 					reflect.MapOf(actualT.Key(), actualT.Elem()).String(), result.Type().String())
 			}
-			if !actualT.Elem().AssignableTo(result.Type().Elem()) {
-				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
-					actualT.String(), result.Type().String())
-			}
-		case reflect.Map:
-			if !isMap(actual) {
-				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
-					actualT.String(), result.Type().String())
-			}
-			if !actualT.AssignableTo(result.Type()) {
+
+		case reflect.Map: // result map
+			// can we assign elements in actual to elements in what the result
+			// arg points to?
+			//   - ✔ actual is a map
+			//   - ✔ actual is an iter.Seq2 (iter.Seq doesn't fit though)
+			switch {
+			case isMap(actual):
+				if !actualT.AssignableTo(result.Type()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						actualT.String(), result.Type().String())
+				}
+
+			case miter.IsIter(actual):
+				actualkT, actualvT := miter.IterKVTypes(actual)
+				if actualkT == nil {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						reflect.SliceOf(actualvT).String(), result.Type().String())
+				}
+				if !reflect.MapOf(actualkT, actualvT).AssignableTo(result.Type()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						reflect.MapOf(actualkT, actualvT), result.Type().String())
+				}
+
+			default: // incompatible result reference
 				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
 					actualT.String(), result.Type().String())
 			}
+
 		default:
-			if !actualT.Elem().AssignableTo(result.Type()) {
-				return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
-					actualT.Elem().String(), result.Type().String())
+			// can we assign a (single) element in actual to what the result arg
+			// points to?
+			switch {
+			case miter.IsIter(actual):
+				_, actualvT := miter.IterKVTypes(actual)
+				if !actualvT.AssignableTo(result.Type()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						actualvT.String(), result.Type().String())
+				}
+			default:
+				if !actualT.Elem().AssignableTo(result.Type()) {
+					return false, fmt.Errorf("ContainElement cannot return findings.  Need *%s, got *%s",
+						actualT.Elem().String(), result.Type().String())
+				}
 			}
 		}
 	}
 
+	// If the supplied matcher isn't an Omega matcher, default to the Equal
+	// matcher.
 	elemMatcher, elementIsMatcher := matcher.Element.(omegaMatcher)
 	if !elementIsMatcher {
 		elemMatcher = &EqualMatcher{Expected: matcher.Element}
 	}
 
 	value := reflect.ValueOf(actual)
-	var valueAt func(int) interface{}
 
-	var getFindings func() reflect.Value
-	var foundAt func(int)
+	var getFindings func() reflect.Value // abstracts how the findings are collected and stored
+	var lastError error
 
-	if isMap(actual) {
-		keys := value.MapKeys()
-		valueAt = func(i int) interface{} {
-			return value.MapIndex(keys[i]).Interface()
+	if !miter.IsIter(actual) {
+		var valueAt func(int) any
+		var foundAt func(int)
+		// We're dealing with an array/slice/map, so in all cases we can iterate
+		// over the elements in actual using indices (that can be considered
+		// keys in case of maps).
+		if isMap(actual) {
+			keys := value.MapKeys()
+			valueAt = func(i int) any {
+				return value.MapIndex(keys[i]).Interface()
+			}
+			if result.Kind() != reflect.Invalid {
+				fm := reflect.MakeMap(actualT)
+				getFindings = func() reflect.Value { return fm }
+				foundAt = func(i int) {
+					fm.SetMapIndex(keys[i], value.MapIndex(keys[i]))
+				}
+			}
+		} else {
+			valueAt = func(i int) any {
+				return value.Index(i).Interface()
+			}
+			if result.Kind() != reflect.Invalid {
+				var fsl reflect.Value
+				if result.Kind() == reflect.Slice {
+					fsl = reflect.MakeSlice(result.Type(), 0, 0)
+				} else {
+					fsl = reflect.MakeSlice(reflect.SliceOf(result.Type()), 0, 0)
+				}
+				getFindings = func() reflect.Value { return fsl }
+				foundAt = func(i int) {
+					fsl = reflect.Append(fsl, value.Index(i))
+				}
+			}
 		}
-		if result.Kind() != reflect.Invalid {
-			fm := reflect.MakeMap(actualT)
-			getFindings = func() reflect.Value {
-				return fm
+
+		for i := 0; i < value.Len(); i++ {
+			elem := valueAt(i)
+			success, err := elemMatcher.Match(elem)
+			if err != nil {
+				lastError = err
+				continue
 			}
-			foundAt = func(i int) {
-				fm.SetMapIndex(keys[i], value.MapIndex(keys[i]))
+			if success {
+				if result.Kind() == reflect.Invalid {
+					return true, nil
+				}
+				foundAt(i)
 			}
 		}
 	} else {
-		valueAt = func(i int) interface{} {
-			return value.Index(i).Interface()
-		}
+		// We're dealing with an iterator as a first-class construct, so things
+		// are slightly different: there is no index defined as in case of
+		// arrays/slices/maps, just "ooooorder"
+		var found func(k, v reflect.Value)
 		if result.Kind() != reflect.Invalid {
-			var f reflect.Value
-			if result.Kind() == reflect.Slice {
-				f = reflect.MakeSlice(result.Type(), 0, 0)
+			if result.Kind() == reflect.Map {
+				fm := reflect.MakeMap(result.Type())
+				getFindings = func() reflect.Value { return fm }
+				found = func(k, v reflect.Value) { fm.SetMapIndex(k, v) }
 			} else {
-				f = reflect.MakeSlice(reflect.SliceOf(result.Type()), 0, 0)
-			}
-			getFindings = func() reflect.Value {
-				return f
-			}
-			foundAt = func(i int) {
-				f = reflect.Append(f, value.Index(i))
+				var fsl reflect.Value
+				if result.Kind() == reflect.Slice {
+					fsl = reflect.MakeSlice(result.Type(), 0, 0)
+				} else {
+					fsl = reflect.MakeSlice(reflect.SliceOf(result.Type()), 0, 0)
+				}
+				getFindings = func() reflect.Value { return fsl }
+				found = func(_, v reflect.Value) { fsl = reflect.Append(fsl, v) }
 			}
 		}
-	}
 
-	var lastError error
-	for i := 0; i < value.Len(); i++ {
-		elem := valueAt(i)
-		success, err := elemMatcher.Match(elem)
-		if err != nil {
-			lastError = err
-			continue
+		success := false
+		actualkT, _ := miter.IterKVTypes(actual)
+		if actualkT == nil {
+			miter.IterateV(actual, func(v reflect.Value) bool {
+				var err error
+				success, err = elemMatcher.Match(v.Interface())
+				if err != nil {
+					lastError = err
+					return true // iterate on...
+				}
+				if success {
+					if result.Kind() == reflect.Invalid {
+						return false // a match and no result needed, so we're done
+					}
+					found(reflect.Value{}, v)
+				}
+				return true // iterate on...
+			})
+		} else {
+			miter.IterateKV(actual, func(k, v reflect.Value) bool {
+				var err error
+				success, err = elemMatcher.Match(v.Interface())
+				if err != nil {
+					lastError = err
+					return true // iterate on...
+				}
+				if success {
+					if result.Kind() == reflect.Invalid {
+						return false // a match and no result needed, so we're done
+					}
+					found(k, v)
+				}
+				return true // iterate on...
+			})
 		}
-		if success {
-			if result.Kind() == reflect.Invalid {
-				return true, nil
-			}
-			foundAt(i)
+		if success && result.Kind() == reflect.Invalid {
+			return true, nil
 		}
 	}
 
@@ -132,7 +251,7 @@ func (matcher *ContainElementMatcher) Match(actual interface{}) (success bool, e
 	}
 
 	// pick up any findings the test is interested in as it specified a non-nil
-	// result reference. However, the expection always is that there are at
+	// result reference. However, the expectation always is that there are at
 	// least one or multiple findings. So, if a result is expected, but we had
 	// no findings, then this is an error.
 	findings := getFindings()
@@ -165,10 +284,10 @@ func (matcher *ContainElementMatcher) Match(actual interface{}) (success bool, e
 	return true, nil
 }
 
-func (matcher *ContainElementMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *ContainElementMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to contain element matching", matcher.Element)
 }
 
-func (matcher *ContainElementMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *ContainElementMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to contain element matching", matcher.Element)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go b/vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go
index 946cd8bea526d..ce3041892b39b 100644
--- a/vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go
@@ -4,17 +4,18 @@ import (
 	"fmt"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 	"github.com/onsi/gomega/matchers/support/goraph/bipartitegraph"
 )
 
 type ContainElementsMatcher struct {
-	Elements        []interface{}
-	missingElements []interface{}
+	Elements        []any
+	missingElements []any
 }
 
-func (matcher *ContainElementsMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isArrayOrSlice(actual) && !isMap(actual) {
-		return false, fmt.Errorf("ContainElements matcher expects an array/slice/map.  Got:\n%s", format.Object(actual, 1))
+func (matcher *ContainElementsMatcher) Match(actual any) (success bool, err error) {
+	if !isArrayOrSlice(actual) && !isMap(actual) && !miter.IsIter(actual) {
+		return false, fmt.Errorf("ContainElements matcher expects an array/slice/map/iter.Seq/iter.Seq2.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	matchers := matchers(matcher.Elements)
@@ -34,11 +35,11 @@ func (matcher *ContainElementsMatcher) Match(actual interface{}) (success bool,
 	return false, nil
 }
 
-func (matcher *ContainElementsMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *ContainElementsMatcher) FailureMessage(actual any) (message string) {
 	message = format.Message(actual, "to contain elements", presentable(matcher.Elements))
 	return appendMissingElements(message, matcher.missingElements)
 }
 
-func (matcher *ContainElementsMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *ContainElementsMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to contain elements", presentable(matcher.Elements))
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go b/vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go
index e725f8c275391..d9980ee26b2bf 100644
--- a/vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go
@@ -11,10 +11,10 @@ import (
 
 type ContainSubstringMatcher struct {
 	Substr string
-	Args   []interface{}
+	Args   []any
 }
 
-func (matcher *ContainSubstringMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *ContainSubstringMatcher) Match(actual any) (success bool, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return false, fmt.Errorf("ContainSubstring matcher requires a string or stringer.  Got:\n%s", format.Object(actual, 1))
@@ -31,10 +31,10 @@ func (matcher *ContainSubstringMatcher) stringToMatch() string {
 	return stringToMatch
 }
 
-func (matcher *ContainSubstringMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *ContainSubstringMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to contain substring", matcher.stringToMatch())
 }
 
-func (matcher *ContainSubstringMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *ContainSubstringMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to contain substring", matcher.stringToMatch())
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/equal_matcher.go b/vendor/github.com/onsi/gomega/matchers/equal_matcher.go
index befb7bdfd8f9b..4ad166157a6c5 100644
--- a/vendor/github.com/onsi/gomega/matchers/equal_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/equal_matcher.go
@@ -9,10 +9,10 @@ import (
 )
 
 type EqualMatcher struct {
-	Expected interface{}
+	Expected any
 }
 
-func (matcher *EqualMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *EqualMatcher) Match(actual any) (success bool, err error) {
 	if actual == nil && matcher.Expected == nil {
 		return false, fmt.Errorf("Refusing to compare <nil> to <nil>.\nBe explicit and use BeNil() instead.  This is to avoid mistakes where both sides of an assertion are erroneously uninitialized.")
 	}
@@ -27,7 +27,7 @@ func (matcher *EqualMatcher) Match(actual interface{}) (success bool, err error)
 	return reflect.DeepEqual(actual, matcher.Expected), nil
 }
 
-func (matcher *EqualMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *EqualMatcher) FailureMessage(actual any) (message string) {
 	actualString, actualOK := actual.(string)
 	expectedString, expectedOK := matcher.Expected.(string)
 	if actualOK && expectedOK {
@@ -37,6 +37,6 @@ func (matcher *EqualMatcher) FailureMessage(actual interface{}) (message string)
 	return format.Message(actual, "to equal", matcher.Expected)
 }
 
-func (matcher *EqualMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *EqualMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to equal", matcher.Expected)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go
index 9856752f13ff7..a4fcfc425a64e 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go
@@ -12,7 +12,7 @@ type HaveCapMatcher struct {
 	Count int
 }
 
-func (matcher *HaveCapMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveCapMatcher) Match(actual any) (success bool, err error) {
 	length, ok := capOf(actual)
 	if !ok {
 		return false, fmt.Errorf("HaveCap matcher expects a array/channel/slice.  Got:\n%s", format.Object(actual, 1))
@@ -21,10 +21,10 @@ func (matcher *HaveCapMatcher) Match(actual interface{}) (success bool, err erro
 	return length == matcher.Count, nil
 }
 
-func (matcher *HaveCapMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveCapMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nto have capacity %d", format.Object(actual, 1), matcher.Count)
 }
 
-func (matcher *HaveCapMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveCapMatcher) NegatedFailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nnot to have capacity %d", format.Object(actual, 1), matcher.Count)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_each_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_each_matcher.go
index 025b6e1ac2c28..4c45063bd8a16 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_each_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_each_matcher.go
@@ -5,15 +5,16 @@ import (
 	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type HaveEachMatcher struct {
-	Element interface{}
+	Element any
 }
 
-func (matcher *HaveEachMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isArrayOrSlice(actual) && !isMap(actual) {
-		return false, fmt.Errorf("HaveEach matcher expects an array/slice/map.  Got:\n%s",
+func (matcher *HaveEachMatcher) Match(actual any) (success bool, err error) {
+	if !isArrayOrSlice(actual) && !isMap(actual) && !miter.IsIter(actual) {
+		return false, fmt.Errorf("HaveEach matcher expects an array/slice/map/iter.Seq/iter.Seq2.  Got:\n%s",
 			format.Object(actual, 1))
 	}
 
@@ -22,25 +23,58 @@ func (matcher *HaveEachMatcher) Match(actual interface{}) (success bool, err err
 		elemMatcher = &EqualMatcher{Expected: matcher.Element}
 	}
 
+	if miter.IsIter(actual) {
+		// rejecting the non-elements case works different for iterators as we
+		// don't want to fetch all elements into a slice first.
+		count := 0
+		var success bool
+		var err error
+		if miter.IsSeq2(actual) {
+			miter.IterateKV(actual, func(k, v reflect.Value) bool {
+				count++
+				success, err = elemMatcher.Match(v.Interface())
+				if err != nil {
+					return false
+				}
+				return success
+			})
+		} else {
+			miter.IterateV(actual, func(v reflect.Value) bool {
+				count++
+				success, err = elemMatcher.Match(v.Interface())
+				if err != nil {
+					return false
+				}
+				return success
+			})
+		}
+		if count == 0 {
+			return false, fmt.Errorf("HaveEach matcher expects a non-empty iter.Seq/iter.Seq2.  Got:\n%s",
+				format.Object(actual, 1))
+		}
+		return success, err
+	}
+
 	value := reflect.ValueOf(actual)
 	if value.Len() == 0 {
 		return false, fmt.Errorf("HaveEach matcher expects a non-empty array/slice/map.  Got:\n%s",
 			format.Object(actual, 1))
 	}
 
-	var valueAt func(int) interface{}
+	var valueAt func(int) any
 	if isMap(actual) {
 		keys := value.MapKeys()
-		valueAt = func(i int) interface{} {
+		valueAt = func(i int) any {
 			return value.MapIndex(keys[i]).Interface()
 		}
 	} else {
-		valueAt = func(i int) interface{} {
+		valueAt = func(i int) any {
 			return value.Index(i).Interface()
 		}
 	}
 
-	// if there are no elements, then HaveEach will match.
+	// if we never failed then we succeed; the empty/nil cases have already been
+	// rejected above.
 	for i := 0; i < value.Len(); i++ {
 		success, err := elemMatcher.Match(valueAt(i))
 		if err != nil {
@@ -55,11 +89,11 @@ func (matcher *HaveEachMatcher) Match(actual interface{}) (success bool, err err
 }
 
 // FailureMessage returns a suitable failure message.
-func (matcher *HaveEachMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveEachMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to contain element matching", matcher.Element)
 }
 
 // NegatedFailureMessage returns a suitable negated failure message.
-func (matcher *HaveEachMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveEachMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to contain element matching", matcher.Element)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_exact_elements.go b/vendor/github.com/onsi/gomega/matchers/have_exact_elements.go
index 5a236d7d699b3..8b2d297c574c8 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_exact_elements.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_exact_elements.go
@@ -2,8 +2,10 @@ package matchers
 
 import (
 	"fmt"
+	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type mismatchFailure struct {
@@ -12,26 +14,67 @@ type mismatchFailure struct {
 }
 
 type HaveExactElementsMatcher struct {
-	Elements         []interface{}
+	Elements         []any
 	mismatchFailures []mismatchFailure
 	missingIndex     int
 	extraIndex       int
 }
 
-func (matcher *HaveExactElementsMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveExactElementsMatcher) Match(actual any) (success bool, err error) {
 	matcher.resetState()
 
-	if isMap(actual) {
-		return false, fmt.Errorf("error")
+	if isMap(actual) || miter.IsSeq2(actual) {
+		return false, fmt.Errorf("HaveExactElements matcher doesn't work on map or iter.Seq2.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	matchers := matchers(matcher.Elements)
-	values := valuesOf(actual)
-
 	lenMatchers := len(matchers)
-	lenValues := len(values)
+
 	success = true
 
+	if miter.IsIter(actual) {
+		// In the worst case, we need to see everything before we can give our
+		// verdict. The only exception is fast fail.
+		i := 0
+		miter.IterateV(actual, func(v reflect.Value) bool {
+			if i >= lenMatchers {
+				// the iterator produces more values than we got matchers: this
+				// is not good.
+				matcher.extraIndex = i
+				success = false
+				return false
+			}
+
+			elemMatcher := matchers[i].(omegaMatcher)
+			match, err := elemMatcher.Match(v.Interface())
+			if err != nil {
+				matcher.mismatchFailures = append(matcher.mismatchFailures, mismatchFailure{
+					index:   i,
+					failure: err.Error(),
+				})
+				success = false
+			} else if !match {
+				matcher.mismatchFailures = append(matcher.mismatchFailures, mismatchFailure{
+					index:   i,
+					failure: elemMatcher.FailureMessage(v.Interface()),
+				})
+				success = false
+			}
+			i++
+			return true
+		})
+		if i < len(matchers) {
+			// the iterator produced less values than we got matchers: this is
+			// no good, no no no.
+			matcher.missingIndex = i
+			success = false
+		}
+		return success, nil
+	}
+
+	values := valuesOf(actual)
+	lenValues := len(values)
+
 	for i := 0; i < lenMatchers || i < lenValues; i++ {
 		if i >= lenMatchers {
 			matcher.extraIndex = i
@@ -65,7 +108,7 @@ func (matcher *HaveExactElementsMatcher) Match(actual interface{}) (success bool
 	return success, nil
 }
 
-func (matcher *HaveExactElementsMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveExactElementsMatcher) FailureMessage(actual any) (message string) {
 	message = format.Message(actual, "to have exact elements with", presentable(matcher.Elements))
 	if matcher.missingIndex > 0 {
 		message = fmt.Sprintf("%s\nthe missing elements start from index %d", message, matcher.missingIndex)
@@ -82,7 +125,7 @@ func (matcher *HaveExactElementsMatcher) FailureMessage(actual interface{}) (mes
 	return
 }
 
-func (matcher *HaveExactElementsMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveExactElementsMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to contain elements", presentable(matcher.Elements))
 }
 
diff --git a/vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go
index b57018745fae0..a5a028e9a6af4 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go
@@ -11,7 +11,7 @@ type HaveExistingFieldMatcher struct {
 	Field string
 }
 
-func (matcher *HaveExistingFieldMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveExistingFieldMatcher) Match(actual any) (success bool, err error) {
 	// we don't care about the field's actual value, just about any error in
 	// trying to find the field (or method).
 	_, err = extractField(actual, matcher.Field, "HaveExistingField")
@@ -27,10 +27,10 @@ func (matcher *HaveExistingFieldMatcher) Match(actual interface{}) (success bool
 	return false, err
 }
 
-func (matcher *HaveExistingFieldMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveExistingFieldMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nto have field '%s'", format.Object(actual, 1), matcher.Field)
 }
 
-func (matcher *HaveExistingFieldMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveExistingFieldMatcher) NegatedFailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nnot to have field '%s'", format.Object(actual, 1), matcher.Field)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_field.go b/vendor/github.com/onsi/gomega/matchers/have_field.go
index 8dd3f871a85b9..d9fbeaf752215 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_field.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_field.go
@@ -17,7 +17,7 @@ func (e missingFieldError) Error() string {
 	return string(e)
 }
 
-func extractField(actual interface{}, field string, matchername string) (any, error) {
+func extractField(actual any, field string, matchername string) (any, error) {
 	fields := strings.SplitN(field, ".", 2)
 	actualValue := reflect.ValueOf(actual)
 
@@ -40,7 +40,12 @@ func extractField(actual interface{}, field string, matchername string) (any, er
 			extractedValue = actualValue.Addr().MethodByName(strings.TrimSuffix(fields[0], "()"))
 		}
 		if extractedValue == (reflect.Value{}) {
-			return nil, missingFieldError(fmt.Sprintf("%s could not find method named '%s' in struct of type %T.", matchername, fields[0], actual))
+			ptr := reflect.New(actualValue.Type())
+			ptr.Elem().Set(actualValue)
+			extractedValue = ptr.MethodByName(strings.TrimSuffix(fields[0], "()"))
+			if extractedValue == (reflect.Value{}) {
+				return nil, missingFieldError(fmt.Sprintf("%s could not find method named '%s' in struct of type %T.", matchername, fields[0], actual))
+			}
 		}
 		t := extractedValue.Type()
 		if t.NumIn() != 0 || t.NumOut() != 1 {
@@ -63,7 +68,7 @@ func extractField(actual interface{}, field string, matchername string) (any, er
 
 type HaveFieldMatcher struct {
 	Field    string
-	Expected interface{}
+	Expected any
 }
 
 func (matcher *HaveFieldMatcher) expectedMatcher() omegaMatcher {
@@ -75,7 +80,7 @@ func (matcher *HaveFieldMatcher) expectedMatcher() omegaMatcher {
 	return expectedMatcher
 }
 
-func (matcher *HaveFieldMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveFieldMatcher) Match(actual any) (success bool, err error) {
 	extractedField, err := extractField(actual, matcher.Field, "HaveField")
 	if err != nil {
 		return false, err
@@ -84,7 +89,7 @@ func (matcher *HaveFieldMatcher) Match(actual interface{}) (success bool, err er
 	return matcher.expectedMatcher().Match(extractedField)
 }
 
-func (matcher *HaveFieldMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveFieldMatcher) FailureMessage(actual any) (message string) {
 	extractedField, err := extractField(actual, matcher.Field, "HaveField")
 	if err != nil {
 		// this really shouldn't happen
@@ -96,7 +101,7 @@ func (matcher *HaveFieldMatcher) FailureMessage(actual interface{}) (message str
 	return message
 }
 
-func (matcher *HaveFieldMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveFieldMatcher) NegatedFailureMessage(actual any) (message string) {
 	extractedField, err := extractField(actual, matcher.Field, "HaveField")
 	if err != nil {
 		// this really shouldn't happen
diff --git a/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go
index d14d9e5fc60ef..2d561b9a22060 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go
@@ -11,12 +11,12 @@ import (
 )
 
 type HaveHTTPBodyMatcher struct {
-	Expected       interface{}
-	cachedResponse interface{}
+	Expected       any
+	cachedResponse any
 	cachedBody     []byte
 }
 
-func (matcher *HaveHTTPBodyMatcher) Match(actual interface{}) (bool, error) {
+func (matcher *HaveHTTPBodyMatcher) Match(actual any) (bool, error) {
 	body, err := matcher.body(actual)
 	if err != nil {
 		return false, err
@@ -34,7 +34,7 @@ func (matcher *HaveHTTPBodyMatcher) Match(actual interface{}) (bool, error) {
 	}
 }
 
-func (matcher *HaveHTTPBodyMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveHTTPBodyMatcher) FailureMessage(actual any) (message string) {
 	body, err := matcher.body(actual)
 	if err != nil {
 		return fmt.Sprintf("failed to read body: %s", err)
@@ -52,7 +52,7 @@ func (matcher *HaveHTTPBodyMatcher) FailureMessage(actual interface{}) (message
 	}
 }
 
-func (matcher *HaveHTTPBodyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveHTTPBodyMatcher) NegatedFailureMessage(actual any) (message string) {
 	body, err := matcher.body(actual)
 	if err != nil {
 		return fmt.Sprintf("failed to read body: %s", err)
@@ -73,7 +73,7 @@ func (matcher *HaveHTTPBodyMatcher) NegatedFailureMessage(actual interface{}) (m
 // body returns the body. It is cached because once we read it in Match()
 // the Reader is closed and it is not readable again in FailureMessage()
 // or NegatedFailureMessage()
-func (matcher *HaveHTTPBodyMatcher) body(actual interface{}) ([]byte, error) {
+func (matcher *HaveHTTPBodyMatcher) body(actual any) ([]byte, error) {
 	if matcher.cachedResponse == actual && matcher.cachedBody != nil {
 		return matcher.cachedBody, nil
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go
index c256f452e84f7..756722659b14b 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go
@@ -11,10 +11,10 @@ import (
 
 type HaveHTTPHeaderWithValueMatcher struct {
 	Header string
-	Value  interface{}
+	Value  any
 }
 
-func (matcher *HaveHTTPHeaderWithValueMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveHTTPHeaderWithValueMatcher) Match(actual any) (success bool, err error) {
 	headerValue, err := matcher.extractHeader(actual)
 	if err != nil {
 		return false, err
@@ -28,7 +28,7 @@ func (matcher *HaveHTTPHeaderWithValueMatcher) Match(actual interface{}) (succes
 	return headerMatcher.Match(headerValue)
 }
 
-func (matcher *HaveHTTPHeaderWithValueMatcher) FailureMessage(actual interface{}) string {
+func (matcher *HaveHTTPHeaderWithValueMatcher) FailureMessage(actual any) string {
 	headerValue, err := matcher.extractHeader(actual)
 	if err != nil {
 		panic(err) // protected by Match()
@@ -43,7 +43,7 @@ func (matcher *HaveHTTPHeaderWithValueMatcher) FailureMessage(actual interface{}
 	return fmt.Sprintf("HTTP header %q:\n%s", matcher.Header, diff)
 }
 
-func (matcher *HaveHTTPHeaderWithValueMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveHTTPHeaderWithValueMatcher) NegatedFailureMessage(actual any) (message string) {
 	headerValue, err := matcher.extractHeader(actual)
 	if err != nil {
 		panic(err) // protected by Match()
@@ -69,7 +69,7 @@ func (matcher *HaveHTTPHeaderWithValueMatcher) getSubMatcher() (types.GomegaMatc
 	}
 }
 
-func (matcher *HaveHTTPHeaderWithValueMatcher) extractHeader(actual interface{}) (string, error) {
+func (matcher *HaveHTTPHeaderWithValueMatcher) extractHeader(actual any) (string, error) {
 	switch r := actual.(type) {
 	case *http.Response:
 		return r.Header.Get(matcher.Header), nil
diff --git a/vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go
index 0f66e46ece470..8b25b3a9f9d29 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go
@@ -12,10 +12,10 @@ import (
 )
 
 type HaveHTTPStatusMatcher struct {
-	Expected []interface{}
+	Expected []any
 }
 
-func (matcher *HaveHTTPStatusMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveHTTPStatusMatcher) Match(actual any) (success bool, err error) {
 	var resp *http.Response
 	switch a := actual.(type) {
 	case *http.Response:
@@ -48,11 +48,11 @@ func (matcher *HaveHTTPStatusMatcher) Match(actual interface{}) (success bool, e
 	return false, nil
 }
 
-func (matcher *HaveHTTPStatusMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveHTTPStatusMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\n%s\n%s", formatHttpResponse(actual), "to have HTTP status", matcher.expectedString())
 }
 
-func (matcher *HaveHTTPStatusMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveHTTPStatusMatcher) NegatedFailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\n%s\n%s", formatHttpResponse(actual), "not to have HTTP status", matcher.expectedString())
 }
 
@@ -64,7 +64,7 @@ func (matcher *HaveHTTPStatusMatcher) expectedString() string {
 	return strings.Join(lines, "\n")
 }
 
-func formatHttpResponse(input interface{}) string {
+func formatHttpResponse(input any) string {
 	var resp *http.Response
 	switch r := input.(type) {
 	case *http.Response:
diff --git a/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
index 00cffec70e0a8..9e16dcf5d6cab 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
@@ -7,15 +7,16 @@ import (
 	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type HaveKeyMatcher struct {
-	Key interface{}
+	Key any
 }
 
-func (matcher *HaveKeyMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isMap(actual) {
-		return false, fmt.Errorf("HaveKey matcher expects a map.  Got:%s", format.Object(actual, 1))
+func (matcher *HaveKeyMatcher) Match(actual any) (success bool, err error) {
+	if !isMap(actual) && !miter.IsSeq2(actual) {
+		return false, fmt.Errorf("HaveKey matcher expects a map/iter.Seq2.  Got:%s", format.Object(actual, 1))
 	}
 
 	keyMatcher, keyIsMatcher := matcher.Key.(omegaMatcher)
@@ -23,6 +24,20 @@ func (matcher *HaveKeyMatcher) Match(actual interface{}) (success bool, err erro
 		keyMatcher = &EqualMatcher{Expected: matcher.Key}
 	}
 
+	if miter.IsSeq2(actual) {
+		var success bool
+		var err error
+		miter.IterateKV(actual, func(k, v reflect.Value) bool {
+			success, err = keyMatcher.Match(k.Interface())
+			if err != nil {
+				err = fmt.Errorf("HaveKey's key matcher failed with:\n%s%s", format.Indent, err.Error())
+				return false
+			}
+			return !success
+		})
+		return success, err
+	}
+
 	keys := reflect.ValueOf(actual).MapKeys()
 	for i := 0; i < len(keys); i++ {
 		success, err := keyMatcher.Match(keys[i].Interface())
@@ -37,7 +52,7 @@ func (matcher *HaveKeyMatcher) Match(actual interface{}) (success bool, err erro
 	return false, nil
 }
 
-func (matcher *HaveKeyMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveKeyMatcher) FailureMessage(actual any) (message string) {
 	switch matcher.Key.(type) {
 	case omegaMatcher:
 		return format.Message(actual, "to have key matching", matcher.Key)
@@ -46,7 +61,7 @@ func (matcher *HaveKeyMatcher) FailureMessage(actual interface{}) (message strin
 	}
 }
 
-func (matcher *HaveKeyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveKeyMatcher) NegatedFailureMessage(actual any) (message string) {
 	switch matcher.Key.(type) {
 	case omegaMatcher:
 		return format.Message(actual, "not to have key matching", matcher.Key)
diff --git a/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
index 4c59168047031..1c53f1e56af24 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
@@ -7,16 +7,17 @@ import (
 	"reflect"
 
 	"github.com/onsi/gomega/format"
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type HaveKeyWithValueMatcher struct {
-	Key   interface{}
-	Value interface{}
+	Key   any
+	Value any
 }
 
-func (matcher *HaveKeyWithValueMatcher) Match(actual interface{}) (success bool, err error) {
-	if !isMap(actual) {
-		return false, fmt.Errorf("HaveKeyWithValue matcher expects a map.  Got:%s", format.Object(actual, 1))
+func (matcher *HaveKeyWithValueMatcher) Match(actual any) (success bool, err error) {
+	if !isMap(actual) && !miter.IsSeq2(actual) {
+		return false, fmt.Errorf("HaveKeyWithValue matcher expects a map/iter.Seq2.  Got:%s", format.Object(actual, 1))
 	}
 
 	keyMatcher, keyIsMatcher := matcher.Key.(omegaMatcher)
@@ -29,6 +30,27 @@ func (matcher *HaveKeyWithValueMatcher) Match(actual interface{}) (success bool,
 		valueMatcher = &EqualMatcher{Expected: matcher.Value}
 	}
 
+	if miter.IsSeq2(actual) {
+		var success bool
+		var err error
+		miter.IterateKV(actual, func(k, v reflect.Value) bool {
+			success, err = keyMatcher.Match(k.Interface())
+			if err != nil {
+				err = fmt.Errorf("HaveKey's key matcher failed with:\n%s%s", format.Indent, err.Error())
+				return false
+			}
+			if success {
+				success, err = valueMatcher.Match(v.Interface())
+				if err != nil {
+					err = fmt.Errorf("HaveKeyWithValue's value matcher failed with:\n%s%s", format.Indent, err.Error())
+					return false
+				}
+			}
+			return !success
+		})
+		return success, err
+	}
+
 	keys := reflect.ValueOf(actual).MapKeys()
 	for i := 0; i < len(keys); i++ {
 		success, err := keyMatcher.Match(keys[i].Interface())
@@ -48,7 +70,7 @@ func (matcher *HaveKeyWithValueMatcher) Match(actual interface{}) (success bool,
 	return false, nil
 }
 
-func (matcher *HaveKeyWithValueMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveKeyWithValueMatcher) FailureMessage(actual any) (message string) {
 	str := "to have {key: value}"
 	if _, ok := matcher.Key.(omegaMatcher); ok {
 		str += " matching"
@@ -56,12 +78,12 @@ func (matcher *HaveKeyWithValueMatcher) FailureMessage(actual interface{}) (mess
 		str += " matching"
 	}
 
-	expect := make(map[interface{}]interface{}, 1)
+	expect := make(map[any]any, 1)
 	expect[matcher.Key] = matcher.Value
 	return format.Message(actual, str, expect)
 }
 
-func (matcher *HaveKeyWithValueMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveKeyWithValueMatcher) NegatedFailureMessage(actual any) (message string) {
 	kStr := "not to have key"
 	if _, ok := matcher.Key.(omegaMatcher); ok {
 		kStr = "not to have key matching"
diff --git a/vendor/github.com/onsi/gomega/matchers/have_len_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_len_matcher.go
index ee4276189de7e..c334d4c0aa0a0 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_len_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_len_matcher.go
@@ -10,19 +10,19 @@ type HaveLenMatcher struct {
 	Count int
 }
 
-func (matcher *HaveLenMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveLenMatcher) Match(actual any) (success bool, err error) {
 	length, ok := lengthOf(actual)
 	if !ok {
-		return false, fmt.Errorf("HaveLen matcher expects a string/array/map/channel/slice.  Got:\n%s", format.Object(actual, 1))
+		return false, fmt.Errorf("HaveLen matcher expects a string/array/map/channel/slice/iterator.  Got:\n%s", format.Object(actual, 1))
 	}
 
 	return length == matcher.Count, nil
 }
 
-func (matcher *HaveLenMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveLenMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nto have length %d", format.Object(actual, 1), matcher.Count)
 }
 
-func (matcher *HaveLenMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveLenMatcher) NegatedFailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected\n%s\nnot to have length %d", format.Object(actual, 1), matcher.Count)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go
index 22a1b67306fc6..a240f1a1c7416 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go
@@ -11,7 +11,7 @@ import (
 type HaveOccurredMatcher struct {
 }
 
-func (matcher *HaveOccurredMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveOccurredMatcher) Match(actual any) (success bool, err error) {
 	// is purely nil?
 	if actual == nil {
 		return false, nil
@@ -26,10 +26,10 @@ func (matcher *HaveOccurredMatcher) Match(actual interface{}) (success bool, err
 	return !isNil(actual), nil
 }
 
-func (matcher *HaveOccurredMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveOccurredMatcher) FailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Expected an error to have occurred.  Got:\n%s", format.Object(actual, 1))
 }
 
-func (matcher *HaveOccurredMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveOccurredMatcher) NegatedFailureMessage(actual any) (message string) {
 	return fmt.Sprintf("Unexpected error:\n%s\n%s", format.Object(actual, 1), "occurred")
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go
index 1d8e80270b346..7987d41f7b1d2 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go
@@ -8,10 +8,10 @@ import (
 
 type HavePrefixMatcher struct {
 	Prefix string
-	Args   []interface{}
+	Args   []any
 }
 
-func (matcher *HavePrefixMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HavePrefixMatcher) Match(actual any) (success bool, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return false, fmt.Errorf("HavePrefix matcher requires a string or stringer.  Got:\n%s", format.Object(actual, 1))
@@ -27,10 +27,10 @@ func (matcher *HavePrefixMatcher) prefix() string {
 	return matcher.Prefix
 }
 
-func (matcher *HavePrefixMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HavePrefixMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to have prefix", matcher.prefix())
 }
 
-func (matcher *HavePrefixMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HavePrefixMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to have prefix", matcher.prefix())
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go b/vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go
index 40a3526eb2dac..2aa4ceacbc55b 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go
@@ -8,10 +8,10 @@ import (
 
 type HaveSuffixMatcher struct {
 	Suffix string
-	Args   []interface{}
+	Args   []any
 }
 
-func (matcher *HaveSuffixMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *HaveSuffixMatcher) Match(actual any) (success bool, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return false, fmt.Errorf("HaveSuffix matcher requires a string or stringer.  Got:\n%s", format.Object(actual, 1))
@@ -27,10 +27,10 @@ func (matcher *HaveSuffixMatcher) suffix() string {
 	return matcher.Suffix
 }
 
-func (matcher *HaveSuffixMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *HaveSuffixMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to have suffix", matcher.suffix())
 }
 
-func (matcher *HaveSuffixMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *HaveSuffixMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to have suffix", matcher.suffix())
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/have_value.go b/vendor/github.com/onsi/gomega/matchers/have_value.go
index f672528357003..4c39e0db00fc7 100644
--- a/vendor/github.com/onsi/gomega/matchers/have_value.go
+++ b/vendor/github.com/onsi/gomega/matchers/have_value.go
@@ -12,10 +12,10 @@ const maxIndirections = 31
 
 type HaveValueMatcher struct {
 	Matcher        types.GomegaMatcher // the matcher to apply to the "resolved" actual value.
-	resolvedActual interface{}         // the ("resolved") value.
+	resolvedActual any                 // the ("resolved") value.
 }
 
-func (m *HaveValueMatcher) Match(actual interface{}) (bool, error) {
+func (m *HaveValueMatcher) Match(actual any) (bool, error) {
 	val := reflect.ValueOf(actual)
 	for allowedIndirs := maxIndirections; allowedIndirs > 0; allowedIndirs-- {
 		// return an error if value isn't valid. Please note that we cannot
@@ -45,10 +45,10 @@ func (m *HaveValueMatcher) Match(actual interface{}) (bool, error) {
 	return false, errors.New(format.Message(actual, "too many indirections"))
 }
 
-func (m *HaveValueMatcher) FailureMessage(_ interface{}) (message string) {
+func (m *HaveValueMatcher) FailureMessage(_ any) (message string) {
 	return m.Matcher.FailureMessage(m.resolvedActual)
 }
 
-func (m *HaveValueMatcher) NegatedFailureMessage(_ interface{}) (message string) {
+func (m *HaveValueMatcher) NegatedFailureMessage(_ any) (message string) {
 	return m.Matcher.NegatedFailureMessage(m.resolvedActual)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_iter.go b/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_iter.go
new file mode 100644
index 0000000000000..d8837a4d09380
--- /dev/null
+++ b/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_iter.go
@@ -0,0 +1,128 @@
+//go:build go1.23
+
+package miter
+
+import (
+	"reflect"
+)
+
+// HasIterators always returns false for Go versions before 1.23.
+func HasIterators() bool { return true }
+
+// IsIter returns true if the specified value is a function type that can be
+// range-d over, otherwise false.
+//
+// We don't use reflect's CanSeq and CanSeq2 directly, as these would return
+// true also for other value types that are range-able, such as integers,
+// slices, et cetera. Here, we aim only at range-able (iterator) functions.
+func IsIter(it any) bool {
+	if it == nil { // on purpose we only test for untyped nil.
+		return false
+	}
+	// reject all non-iterator-func values, even if they're range-able.
+	t := reflect.TypeOf(it)
+	if t.Kind() != reflect.Func {
+		return false
+	}
+	return t.CanSeq() || t.CanSeq2()
+}
+
+// IterKVTypes returns the reflection types of an iterator's yield function's K
+// and optional V arguments, otherwise nil K and V reflection types.
+func IterKVTypes(it any) (k, v reflect.Type) {
+	if it == nil {
+		return
+	}
+	// reject all non-iterator-func values, even if they're range-able.
+	t := reflect.TypeOf(it)
+	if t.Kind() != reflect.Func {
+		return
+	}
+	// get the reflection types for V, and where applicable, K.
+	switch {
+	case t.CanSeq():
+		v = t. /*iterator fn*/ In(0). /*yield fn*/ In(0)
+	case t.CanSeq2():
+		yieldfn := t. /*iterator fn*/ In(0)
+		k = yieldfn.In(0)
+		v = yieldfn.In(1)
+	}
+	return
+}
+
+// IsSeq2 returns true if the passed iterator function is compatible with
+// iter.Seq2, otherwise false.
+//
+// IsSeq2 hides the Go 1.23+ specific reflect.Type.CanSeq2 behind a facade which
+// is empty for Go versions before 1.23.
+func IsSeq2(it any) bool {
+	if it == nil {
+		return false
+	}
+	t := reflect.TypeOf(it)
+	return t.Kind() == reflect.Func && t.CanSeq2()
+}
+
+// isNilly returns true if v is either an untyped nil, or is a nil function (not
+// necessarily an iterator function).
+func isNilly(v any) bool {
+	if v == nil {
+		return true
+	}
+	rv := reflect.ValueOf(v)
+	return rv.Kind() == reflect.Func && rv.IsNil()
+}
+
+// IterateV loops over the elements produced by an iterator function, passing
+// the elements to the specified yield function individually and stopping only
+// when either the iterator function runs out of elements or the yield function
+// tell us to stop it.
+//
+// IterateV works very much like reflect.Value.Seq but hides the Go 1.23+
+// specific parts behind a facade which is empty for Go versions before 1.23, in
+// order to simplify code maintenance for matchers when using older Go versions.
+func IterateV(it any, yield func(v reflect.Value) bool) {
+	if isNilly(it) {
+		return
+	}
+	// reject all non-iterator-func values, even if they're range-able.
+	t := reflect.TypeOf(it)
+	if t.Kind() != reflect.Func || !t.CanSeq() {
+		return
+	}
+	// Call the specified iterator function, handing it our adaptor to call the
+	// specified generic reflection yield function.
+	reflectedYield := reflect.MakeFunc(
+		t. /*iterator fn*/ In(0),
+		func(args []reflect.Value) []reflect.Value {
+			return []reflect.Value{reflect.ValueOf(yield(args[0]))}
+		})
+	reflect.ValueOf(it).Call([]reflect.Value{reflectedYield})
+}
+
+// IterateKV loops over the key-value elements produced by an iterator function,
+// passing the elements to the specified yield function individually and
+// stopping only when either the iterator function runs out of elements or the
+// yield function tell us to stop it.
+//
+// IterateKV works very much like reflect.Value.Seq2 but hides the Go 1.23+
+// specific parts behind a facade which is empty for Go versions before 1.23, in
+// order to simplify code maintenance for matchers when using older Go versions.
+func IterateKV(it any, yield func(k, v reflect.Value) bool) {
+	if isNilly(it) {
+		return
+	}
+	// reject all non-iterator-func values, even if they're range-able.
+	t := reflect.TypeOf(it)
+	if t.Kind() != reflect.Func || !t.CanSeq2() {
+		return
+	}
+	// Call the specified iterator function, handing it our adaptor to call the
+	// specified generic reflection yield function.
+	reflectedYield := reflect.MakeFunc(
+		t. /*iterator fn*/ In(0),
+		func(args []reflect.Value) []reflect.Value {
+			return []reflect.Value{reflect.ValueOf(yield(args[0], args[1]))}
+		})
+	reflect.ValueOf(it).Call([]reflect.Value{reflectedYield})
+}
diff --git a/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_noiter.go b/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_noiter.go
new file mode 100644
index 0000000000000..4b8fcc55bde1e
--- /dev/null
+++ b/vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_noiter.go
@@ -0,0 +1,44 @@
+//go:build !go1.23
+
+/*
+Gomega matchers
+
+This package implements the Gomega matchers and does not typically need to be imported.
+See the docs for Gomega for documentation on the matchers
+
+http://onsi.github.io/gomega/
+*/
+
+package miter
+
+import "reflect"
+
+// HasIterators always returns false for Go versions before 1.23.
+func HasIterators() bool { return false }
+
+// IsIter always returns false for Go versions before 1.23 as there is no
+// iterator (function) pattern defined yet; see also:
+// https://tip.golang.org/blog/range-functions.
+func IsIter(i any) bool { return false }
+
+// IsSeq2 always returns false for Go versions before 1.23 as there is no
+// iterator (function) pattern defined yet; see also:
+// https://tip.golang.org/blog/range-functions.
+func IsSeq2(it any) bool { return false }
+
+// IterKVTypes always returns nil reflection types for Go versions before 1.23
+// as there is no iterator (function) pattern defined yet; see also:
+// https://tip.golang.org/blog/range-functions.
+func IterKVTypes(i any) (k, v reflect.Type) {
+	return
+}
+
+// IterateV never loops over what has been passed to it as an iterator for Go
+// versions before 1.23 as there is no iterator (function) pattern defined yet;
+// see also: https://tip.golang.org/blog/range-functions.
+func IterateV(it any, yield func(v reflect.Value) bool) {}
+
+// IterateKV never loops over what has been passed to it as an iterator for Go
+// versions before 1.23 as there is no iterator (function) pattern defined yet;
+// see also: https://tip.golang.org/blog/range-functions.
+func IterateKV(it any, yield func(k, v reflect.Value) bool) {}
diff --git a/vendor/github.com/onsi/gomega/matchers/match_error_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_error_matcher.go
index c539dd389c840..f9d313772fc3b 100644
--- a/vendor/github.com/onsi/gomega/matchers/match_error_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/match_error_matcher.go
@@ -71,14 +71,14 @@ func (matcher *MatchErrorMatcher) Match(actual any) (success bool, err error) {
 		format.Object(expected, 1))
 }
 
-func (matcher *MatchErrorMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *MatchErrorMatcher) FailureMessage(actual any) (message string) {
 	if matcher.isFunc {
 		return format.Message(actual, fmt.Sprintf("to match error function %s", matcher.FuncErrDescription[0]))
 	}
 	return format.Message(actual, "to match error", matcher.Expected)
 }
 
-func (matcher *MatchErrorMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *MatchErrorMatcher) NegatedFailureMessage(actual any) (message string) {
 	if matcher.isFunc {
 		return format.Message(actual, fmt.Sprintf("not to match error function %s", matcher.FuncErrDescription[0]))
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/match_json_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_json_matcher.go
index f962f139ff8fc..331f289abca96 100644
--- a/vendor/github.com/onsi/gomega/matchers/match_json_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/match_json_matcher.go
@@ -9,18 +9,18 @@ import (
 )
 
 type MatchJSONMatcher struct {
-	JSONToMatch      interface{}
-	firstFailurePath []interface{}
+	JSONToMatch      any
+	firstFailurePath []any
 }
 
-func (matcher *MatchJSONMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *MatchJSONMatcher) Match(actual any) (success bool, err error) {
 	actualString, expectedString, err := matcher.prettyPrint(actual)
 	if err != nil {
 		return false, err
 	}
 
-	var aval interface{}
-	var eval interface{}
+	var aval any
+	var eval any
 
 	// this is guarded by prettyPrint
 	json.Unmarshal([]byte(actualString), &aval)
@@ -30,17 +30,17 @@ func (matcher *MatchJSONMatcher) Match(actual interface{}) (success bool, err er
 	return equal, nil
 }
 
-func (matcher *MatchJSONMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *MatchJSONMatcher) FailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.prettyPrint(actual)
 	return formattedMessage(format.Message(actualString, "to match JSON of", expectedString), matcher.firstFailurePath)
 }
 
-func (matcher *MatchJSONMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *MatchJSONMatcher) NegatedFailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.prettyPrint(actual)
 	return formattedMessage(format.Message(actualString, "not to match JSON of", expectedString), matcher.firstFailurePath)
 }
 
-func (matcher *MatchJSONMatcher) prettyPrint(actual interface{}) (actualFormatted, expectedFormatted string, err error) {
+func (matcher *MatchJSONMatcher) prettyPrint(actual any) (actualFormatted, expectedFormatted string, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return "", "", fmt.Errorf("MatchJSONMatcher matcher requires a string, stringer, or []byte.  Got actual:\n%s", format.Object(actual, 1))
diff --git a/vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go
index adac5db6b8ef0..779be683e0975 100644
--- a/vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go
@@ -9,10 +9,10 @@ import (
 
 type MatchRegexpMatcher struct {
 	Regexp string
-	Args   []interface{}
+	Args   []any
 }
 
-func (matcher *MatchRegexpMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *MatchRegexpMatcher) Match(actual any) (success bool, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return false, fmt.Errorf("RegExp matcher requires a string or stringer.\nGot:%s", format.Object(actual, 1))
@@ -26,11 +26,11 @@ func (matcher *MatchRegexpMatcher) Match(actual interface{}) (success bool, err
 	return match, nil
 }
 
-func (matcher *MatchRegexpMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *MatchRegexpMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to match regular expression", matcher.regexp())
 }
 
-func (matcher *MatchRegexpMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *MatchRegexpMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "not to match regular expression", matcher.regexp())
 }
 
diff --git a/vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go
index 5c815f5af7409..f7dcaf6fdcdbb 100644
--- a/vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go
@@ -15,10 +15,10 @@ import (
 )
 
 type MatchXMLMatcher struct {
-	XMLToMatch interface{}
+	XMLToMatch any
 }
 
-func (matcher *MatchXMLMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *MatchXMLMatcher) Match(actual any) (success bool, err error) {
 	actualString, expectedString, err := matcher.formattedPrint(actual)
 	if err != nil {
 		return false, err
@@ -37,17 +37,17 @@ func (matcher *MatchXMLMatcher) Match(actual interface{}) (success bool, err err
 	return reflect.DeepEqual(aval, eval), nil
 }
 
-func (matcher *MatchXMLMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *MatchXMLMatcher) FailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.formattedPrint(actual)
 	return fmt.Sprintf("Expected\n%s\nto match XML of\n%s", actualString, expectedString)
 }
 
-func (matcher *MatchXMLMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *MatchXMLMatcher) NegatedFailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.formattedPrint(actual)
 	return fmt.Sprintf("Expected\n%s\nnot to match XML of\n%s", actualString, expectedString)
 }
 
-func (matcher *MatchXMLMatcher) formattedPrint(actual interface{}) (actualString, expectedString string, err error) {
+func (matcher *MatchXMLMatcher) formattedPrint(actual any) (actualString, expectedString string, err error) {
 	var ok bool
 	actualString, ok = toString(actual)
 	if !ok {
diff --git a/vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go b/vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go
index 2cb6b47db9525..c3da9bd48b28a 100644
--- a/vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go
@@ -5,22 +5,22 @@ import (
 	"strings"
 
 	"github.com/onsi/gomega/format"
-	"gopkg.in/yaml.v3"
+	"go.yaml.in/yaml/v3"
 )
 
 type MatchYAMLMatcher struct {
-	YAMLToMatch      interface{}
-	firstFailurePath []interface{}
+	YAMLToMatch      any
+	firstFailurePath []any
 }
 
-func (matcher *MatchYAMLMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *MatchYAMLMatcher) Match(actual any) (success bool, err error) {
 	actualString, expectedString, err := matcher.toStrings(actual)
 	if err != nil {
 		return false, err
 	}
 
-	var aval interface{}
-	var eval interface{}
+	var aval any
+	var eval any
 
 	if err := yaml.Unmarshal([]byte(actualString), &aval); err != nil {
 		return false, fmt.Errorf("Actual '%s' should be valid YAML, but it is not.\nUnderlying error:%s", actualString, err)
@@ -34,23 +34,23 @@ func (matcher *MatchYAMLMatcher) Match(actual interface{}) (success bool, err er
 	return equal, nil
 }
 
-func (matcher *MatchYAMLMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *MatchYAMLMatcher) FailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.toNormalisedStrings(actual)
 	return formattedMessage(format.Message(actualString, "to match YAML of", expectedString), matcher.firstFailurePath)
 }
 
-func (matcher *MatchYAMLMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *MatchYAMLMatcher) NegatedFailureMessage(actual any) (message string) {
 	actualString, expectedString, _ := matcher.toNormalisedStrings(actual)
 	return formattedMessage(format.Message(actualString, "not to match YAML of", expectedString), matcher.firstFailurePath)
 }
 
-func (matcher *MatchYAMLMatcher) toNormalisedStrings(actual interface{}) (actualFormatted, expectedFormatted string, err error) {
+func (matcher *MatchYAMLMatcher) toNormalisedStrings(actual any) (actualFormatted, expectedFormatted string, err error) {
 	actualString, expectedString, err := matcher.toStrings(actual)
 	return normalise(actualString), normalise(expectedString), err
 }
 
 func normalise(input string) string {
-	var val interface{}
+	var val any
 	err := yaml.Unmarshal([]byte(input), &val)
 	if err != nil {
 		panic(err) // unreachable since Match already calls Unmarshal
@@ -62,7 +62,7 @@ func normalise(input string) string {
 	return strings.TrimSpace(string(output))
 }
 
-func (matcher *MatchYAMLMatcher) toStrings(actual interface{}) (actualFormatted, expectedFormatted string, err error) {
+func (matcher *MatchYAMLMatcher) toStrings(actual any) (actualFormatted, expectedFormatted string, err error) {
 	actualString, ok := toString(actual)
 	if !ok {
 		return "", "", fmt.Errorf("MatchYAMLMatcher matcher requires a string, stringer, or []byte.  Got actual:\n%s", format.Object(actual, 1))
diff --git a/vendor/github.com/onsi/gomega/matchers/not.go b/vendor/github.com/onsi/gomega/matchers/not.go
index 78b71910d12f8..c598b7899a92b 100644
--- a/vendor/github.com/onsi/gomega/matchers/not.go
+++ b/vendor/github.com/onsi/gomega/matchers/not.go
@@ -8,7 +8,7 @@ type NotMatcher struct {
 	Matcher types.GomegaMatcher
 }
 
-func (m *NotMatcher) Match(actual interface{}) (bool, error) {
+func (m *NotMatcher) Match(actual any) (bool, error) {
 	success, err := m.Matcher.Match(actual)
 	if err != nil {
 		return false, err
@@ -16,14 +16,14 @@ func (m *NotMatcher) Match(actual interface{}) (bool, error) {
 	return !success, nil
 }
 
-func (m *NotMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *NotMatcher) FailureMessage(actual any) (message string) {
 	return m.Matcher.NegatedFailureMessage(actual) // works beautifully
 }
 
-func (m *NotMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *NotMatcher) NegatedFailureMessage(actual any) (message string) {
 	return m.Matcher.FailureMessage(actual) // works beautifully
 }
 
-func (m *NotMatcher) MatchMayChangeInTheFuture(actual interface{}) bool {
+func (m *NotMatcher) MatchMayChangeInTheFuture(actual any) bool {
 	return types.MatchMayChangeInTheFuture(m.Matcher, actual) // just return m.Matcher's value
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/or.go b/vendor/github.com/onsi/gomega/matchers/or.go
index 841ae26ab0788..6578404b0ee94 100644
--- a/vendor/github.com/onsi/gomega/matchers/or.go
+++ b/vendor/github.com/onsi/gomega/matchers/or.go
@@ -14,7 +14,7 @@ type OrMatcher struct {
 	firstSuccessfulMatcher types.GomegaMatcher
 }
 
-func (m *OrMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *OrMatcher) Match(actual any) (success bool, err error) {
 	m.firstSuccessfulMatcher = nil
 	for _, matcher := range m.Matchers {
 		success, err := matcher.Match(actual)
@@ -29,16 +29,16 @@ func (m *OrMatcher) Match(actual interface{}) (success bool, err error) {
 	return false, nil
 }
 
-func (m *OrMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *OrMatcher) FailureMessage(actual any) (message string) {
 	// not the most beautiful list of matchers, but not bad either...
 	return format.Message(actual, fmt.Sprintf("To satisfy at least one of these matchers: %s", m.Matchers))
 }
 
-func (m *OrMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *OrMatcher) NegatedFailureMessage(actual any) (message string) {
 	return m.firstSuccessfulMatcher.NegatedFailureMessage(actual)
 }
 
-func (m *OrMatcher) MatchMayChangeInTheFuture(actual interface{}) bool {
+func (m *OrMatcher) MatchMayChangeInTheFuture(actual any) bool {
 	/*
 		Example with 3 matchers: A, B, C
 
diff --git a/vendor/github.com/onsi/gomega/matchers/panic_matcher.go b/vendor/github.com/onsi/gomega/matchers/panic_matcher.go
index adc8cee630659..8be5a7ccf3ef4 100644
--- a/vendor/github.com/onsi/gomega/matchers/panic_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/panic_matcher.go
@@ -8,11 +8,11 @@ import (
 )
 
 type PanicMatcher struct {
-	Expected interface{}
-	object   interface{}
+	Expected any
+	object   any
 }
 
-func (matcher *PanicMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *PanicMatcher) Match(actual any) (success bool, err error) {
 	if actual == nil {
 		return false, fmt.Errorf("PanicMatcher expects a non-nil actual.")
 	}
@@ -52,7 +52,7 @@ func (matcher *PanicMatcher) Match(actual interface{}) (success bool, err error)
 	return
 }
 
-func (matcher *PanicMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *PanicMatcher) FailureMessage(actual any) (message string) {
 	if matcher.Expected == nil {
 		// We wanted any panic to occur, but none did.
 		return format.Message(actual, "to panic")
@@ -91,7 +91,7 @@ func (matcher *PanicMatcher) FailureMessage(actual interface{}) (message string)
 	}
 }
 
-func (matcher *PanicMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *PanicMatcher) NegatedFailureMessage(actual any) (message string) {
 	if matcher.Expected == nil {
 		// We didn't want any panic to occur, but one did.
 		return format.Message(actual, fmt.Sprintf("not to panic, but panicked with\n%s", format.Object(matcher.object, 1)))
diff --git a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
index 948164eaf88be..1d9f61d6360b3 100644
--- a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
@@ -11,12 +11,12 @@ import (
 )
 
 type ReceiveMatcher struct {
-	Args          []interface{}
+	Args          []any
 	receivedValue reflect.Value
 	channelClosed bool
 }
 
-func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *ReceiveMatcher) Match(actual any) (success bool, err error) {
 	if !isChan(actual) {
 		return false, fmt.Errorf("ReceiveMatcher expects a channel.  Got:\n%s", format.Object(actual, 1))
 	}
@@ -30,7 +30,7 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 
 	var subMatcher omegaMatcher
 	var hasSubMatcher bool
-	var resultReference interface{}
+	var resultReference any
 
 	// Valid arg formats are as follows, always with optional POINTER before
 	// optional MATCHER:
@@ -115,8 +115,8 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 	return false, nil
 }
 
-func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message string) {
-	var matcherArg interface{}
+func (matcher *ReceiveMatcher) FailureMessage(actual any) (message string) {
+	var matcherArg any
 	if len(matcher.Args) > 0 {
 		matcherArg = matcher.Args[len(matcher.Args)-1]
 	}
@@ -136,8 +136,8 @@ func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message strin
 	return format.Message(actual, "to receive something."+closedAddendum)
 }
 
-func (matcher *ReceiveMatcher) NegatedFailureMessage(actual interface{}) (message string) {
-	var matcherArg interface{}
+func (matcher *ReceiveMatcher) NegatedFailureMessage(actual any) (message string) {
+	var matcherArg any
 	if len(matcher.Args) > 0 {
 		matcherArg = matcher.Args[len(matcher.Args)-1]
 	}
@@ -157,7 +157,7 @@ func (matcher *ReceiveMatcher) NegatedFailureMessage(actual interface{}) (messag
 	return format.Message(actual, "not to receive anything."+closedAddendum)
 }
 
-func (matcher *ReceiveMatcher) MatchMayChangeInTheFuture(actual interface{}) bool {
+func (matcher *ReceiveMatcher) MatchMayChangeInTheFuture(actual any) bool {
 	if !isChan(actual) {
 		return false
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go b/vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go
index ec68fe8b62c06..2adc4825aacac 100644
--- a/vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go
@@ -8,13 +8,13 @@ import (
 )
 
 type SatisfyMatcher struct {
-	Predicate interface{}
+	Predicate any
 
 	// cached type
 	predicateArgType reflect.Type
 }
 
-func NewSatisfyMatcher(predicate interface{}) *SatisfyMatcher {
+func NewSatisfyMatcher(predicate any) *SatisfyMatcher {
 	if predicate == nil {
 		panic("predicate cannot be nil")
 	}
@@ -35,7 +35,7 @@ func NewSatisfyMatcher(predicate interface{}) *SatisfyMatcher {
 	}
 }
 
-func (m *SatisfyMatcher) Match(actual interface{}) (success bool, err error) {
+func (m *SatisfyMatcher) Match(actual any) (success bool, err error) {
 	// prepare a parameter to pass to the predicate
 	var param reflect.Value
 	if actual != nil && reflect.TypeOf(actual).AssignableTo(m.predicateArgType) {
@@ -57,10 +57,10 @@ func (m *SatisfyMatcher) Match(actual interface{}) (success bool, err error) {
 	return result[0].Bool(), nil
 }
 
-func (m *SatisfyMatcher) FailureMessage(actual interface{}) (message string) {
+func (m *SatisfyMatcher) FailureMessage(actual any) (message string) {
 	return format.Message(actual, "to satisfy predicate", m.Predicate)
 }
 
-func (m *SatisfyMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (m *SatisfyMatcher) NegatedFailureMessage(actual any) (message string) {
 	return format.Message(actual, "to not satisfy predicate", m.Predicate)
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go b/vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go
index 1369c1e87f7d6..30dd58f4a58a4 100644
--- a/vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go
+++ b/vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 )
 
-func formattedMessage(comparisonMessage string, failurePath []interface{}) string {
+func formattedMessage(comparisonMessage string, failurePath []any) string {
 	var diffMessage string
 	if len(failurePath) == 0 {
 		diffMessage = ""
@@ -18,7 +18,7 @@ func formattedMessage(comparisonMessage string, failurePath []interface{}) strin
 	return fmt.Sprintf("%s%s", comparisonMessage, diffMessage)
 }
 
-func formattedFailurePath(failurePath []interface{}) string {
+func formattedFailurePath(failurePath []any) string {
 	formattedPaths := []string{}
 	for i := len(failurePath) - 1; i >= 0; i-- {
 		switch p := failurePath[i].(type) {
@@ -34,33 +34,33 @@ func formattedFailurePath(failurePath []interface{}) string {
 	return strings.Join(formattedPaths, "")
 }
 
-func deepEqual(a interface{}, b interface{}) (bool, []interface{}) {
-	var errorPath []interface{}
+func deepEqual(a any, b any) (bool, []any) {
+	var errorPath []any
 	if reflect.TypeOf(a) != reflect.TypeOf(b) {
 		return false, errorPath
 	}
 
 	switch a.(type) {
-	case []interface{}:
-		if len(a.([]interface{})) != len(b.([]interface{})) {
+	case []any:
+		if len(a.([]any)) != len(b.([]any)) {
 			return false, errorPath
 		}
 
-		for i, v := range a.([]interface{}) {
-			elementEqual, keyPath := deepEqual(v, b.([]interface{})[i])
+		for i, v := range a.([]any) {
+			elementEqual, keyPath := deepEqual(v, b.([]any)[i])
 			if !elementEqual {
 				return false, append(keyPath, i)
 			}
 		}
 		return true, errorPath
 
-	case map[interface{}]interface{}:
-		if len(a.(map[interface{}]interface{})) != len(b.(map[interface{}]interface{})) {
+	case map[any]any:
+		if len(a.(map[any]any)) != len(b.(map[any]any)) {
 			return false, errorPath
 		}
 
-		for k, v1 := range a.(map[interface{}]interface{}) {
-			v2, ok := b.(map[interface{}]interface{})[k]
+		for k, v1 := range a.(map[any]any) {
+			v2, ok := b.(map[any]any)[k]
 			if !ok {
 				return false, errorPath
 			}
@@ -71,13 +71,13 @@ func deepEqual(a interface{}, b interface{}) (bool, []interface{}) {
 		}
 		return true, errorPath
 
-	case map[string]interface{}:
-		if len(a.(map[string]interface{})) != len(b.(map[string]interface{})) {
+	case map[string]any:
+		if len(a.(map[string]any)) != len(b.(map[string]any)) {
 			return false, errorPath
 		}
 
-		for k, v1 := range a.(map[string]interface{}) {
-			v2, ok := b.(map[string]interface{})[k]
+		for k, v1 := range a.(map[string]any) {
+			v2, ok := b.(map[string]any)[k]
 			if !ok {
 				return false, errorPath
 			}
diff --git a/vendor/github.com/onsi/gomega/matchers/succeed_matcher.go b/vendor/github.com/onsi/gomega/matchers/succeed_matcher.go
index 327350f7b7130..f0b2c4aa66517 100644
--- a/vendor/github.com/onsi/gomega/matchers/succeed_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/succeed_matcher.go
@@ -14,7 +14,7 @@ type formattedGomegaError interface {
 type SucceedMatcher struct {
 }
 
-func (matcher *SucceedMatcher) Match(actual interface{}) (success bool, err error) {
+func (matcher *SucceedMatcher) Match(actual any) (success bool, err error) {
 	// is purely nil?
 	if actual == nil {
 		return true, nil
@@ -29,7 +29,7 @@ func (matcher *SucceedMatcher) Match(actual interface{}) (success bool, err erro
 	return isNil(actual), nil
 }
 
-func (matcher *SucceedMatcher) FailureMessage(actual interface{}) (message string) {
+func (matcher *SucceedMatcher) FailureMessage(actual any) (message string) {
 	var fgErr formattedGomegaError
 	if errors.As(actual.(error), &fgErr) {
 		return fgErr.FormattedGomegaError()
@@ -37,6 +37,6 @@ func (matcher *SucceedMatcher) FailureMessage(actual interface{}) (message strin
 	return fmt.Sprintf("Expected success, but got an error:\n%s", format.Object(actual, 1))
 }
 
-func (matcher *SucceedMatcher) NegatedFailureMessage(actual interface{}) (message string) {
+func (matcher *SucceedMatcher) NegatedFailureMessage(actual any) (message string) {
 	return "Expected failure, but got no error."
 }
diff --git a/vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go b/vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go
index 830e308274ee1..0d78779d474be 100644
--- a/vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go
+++ b/vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go
@@ -11,7 +11,7 @@ type BipartiteGraph struct {
 	Edges EdgeSet
 }
 
-func NewBipartiteGraph(leftValues, rightValues []interface{}, neighbours func(interface{}, interface{}) (bool, error)) (*BipartiteGraph, error) {
+func NewBipartiteGraph(leftValues, rightValues []any, neighbours func(any, any) (bool, error)) (*BipartiteGraph, error) {
 	left := NodeOrderedSet{}
 	for i, v := range leftValues {
 		left = append(left, Node{ID: i, Value: v})
@@ -41,7 +41,7 @@ func NewBipartiteGraph(leftValues, rightValues []interface{}, neighbours func(in
 
 // FreeLeftRight returns left node values and right node values
 // of the BipartiteGraph's nodes which are not part of the given edges.
-func (bg *BipartiteGraph) FreeLeftRight(edges EdgeSet) (leftValues, rightValues []interface{}) {
+func (bg *BipartiteGraph) FreeLeftRight(edges EdgeSet) (leftValues, rightValues []any) {
 	for _, node := range bg.Left {
 		if edges.Free(node) {
 			leftValues = append(leftValues, node.Value)
diff --git a/vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go b/vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go
index cd597a2f22060..66d3578d5187e 100644
--- a/vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go
+++ b/vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go
@@ -2,7 +2,7 @@ package node
 
 type Node struct {
 	ID    int
-	Value interface{}
+	Value any
 }
 
 type NodeOrderedSet []Node
diff --git a/vendor/github.com/onsi/gomega/matchers/type_support.go b/vendor/github.com/onsi/gomega/matchers/type_support.go
index dced2419eadf0..d020dedc30f26 100644
--- a/vendor/github.com/onsi/gomega/matchers/type_support.go
+++ b/vendor/github.com/onsi/gomega/matchers/type_support.go
@@ -15,19 +15,21 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+
+	"github.com/onsi/gomega/matchers/internal/miter"
 )
 
 type omegaMatcher interface {
-	Match(actual interface{}) (success bool, err error)
-	FailureMessage(actual interface{}) (message string)
-	NegatedFailureMessage(actual interface{}) (message string)
+	Match(actual any) (success bool, err error)
+	FailureMessage(actual any) (message string)
+	NegatedFailureMessage(actual any) (message string)
 }
 
-func isBool(a interface{}) bool {
+func isBool(a any) bool {
 	return reflect.TypeOf(a).Kind() == reflect.Bool
 }
 
-func isNumber(a interface{}) bool {
+func isNumber(a any) bool {
 	if a == nil {
 		return false
 	}
@@ -35,22 +37,22 @@ func isNumber(a interface{}) bool {
 	return reflect.Int <= kind && kind <= reflect.Float64
 }
 
-func isInteger(a interface{}) bool {
+func isInteger(a any) bool {
 	kind := reflect.TypeOf(a).Kind()
 	return reflect.Int <= kind && kind <= reflect.Int64
 }
 
-func isUnsignedInteger(a interface{}) bool {
+func isUnsignedInteger(a any) bool {
 	kind := reflect.TypeOf(a).Kind()
 	return reflect.Uint <= kind && kind <= reflect.Uint64
 }
 
-func isFloat(a interface{}) bool {
+func isFloat(a any) bool {
 	kind := reflect.TypeOf(a).Kind()
 	return reflect.Float32 <= kind && kind <= reflect.Float64
 }
 
-func toInteger(a interface{}) int64 {
+func toInteger(a any) int64 {
 	if isInteger(a) {
 		return reflect.ValueOf(a).Int()
 	} else if isUnsignedInteger(a) {
@@ -61,7 +63,7 @@ func toInteger(a interface{}) int64 {
 	panic(fmt.Sprintf("Expected a number!  Got <%T> %#v", a, a))
 }
 
-func toUnsignedInteger(a interface{}) uint64 {
+func toUnsignedInteger(a any) uint64 {
 	if isInteger(a) {
 		return uint64(reflect.ValueOf(a).Int())
 	} else if isUnsignedInteger(a) {
@@ -72,7 +74,7 @@ func toUnsignedInteger(a interface{}) uint64 {
 	panic(fmt.Sprintf("Expected a number!  Got <%T> %#v", a, a))
 }
 
-func toFloat(a interface{}) float64 {
+func toFloat(a any) float64 {
 	if isInteger(a) {
 		return float64(reflect.ValueOf(a).Int())
 	} else if isUnsignedInteger(a) {
@@ -83,26 +85,26 @@ func toFloat(a interface{}) float64 {
 	panic(fmt.Sprintf("Expected a number!  Got <%T> %#v", a, a))
 }
 
-func isError(a interface{}) bool {
+func isError(a any) bool {
 	_, ok := a.(error)
 	return ok
 }
 
-func isChan(a interface{}) bool {
+func isChan(a any) bool {
 	if isNil(a) {
 		return false
 	}
 	return reflect.TypeOf(a).Kind() == reflect.Chan
 }
 
-func isMap(a interface{}) bool {
+func isMap(a any) bool {
 	if a == nil {
 		return false
 	}
 	return reflect.TypeOf(a).Kind() == reflect.Map
 }
 
-func isArrayOrSlice(a interface{}) bool {
+func isArrayOrSlice(a any) bool {
 	if a == nil {
 		return false
 	}
@@ -114,14 +116,14 @@ func isArrayOrSlice(a interface{}) bool {
 	}
 }
 
-func isString(a interface{}) bool {
+func isString(a any) bool {
 	if a == nil {
 		return false
 	}
 	return reflect.TypeOf(a).Kind() == reflect.String
 }
 
-func toString(a interface{}) (string, bool) {
+func toString(a any) (string, bool) {
 	aString, isString := a.(string)
 	if isString {
 		return aString, true
@@ -145,18 +147,29 @@ func toString(a interface{}) (string, bool) {
 	return "", false
 }
 
-func lengthOf(a interface{}) (int, bool) {
+func lengthOf(a any) (int, bool) {
 	if a == nil {
 		return 0, false
 	}
 	switch reflect.TypeOf(a).Kind() {
 	case reflect.Map, reflect.Array, reflect.String, reflect.Chan, reflect.Slice:
 		return reflect.ValueOf(a).Len(), true
+	case reflect.Func:
+		if !miter.IsIter(a) {
+			return 0, false
+		}
+		var l int
+		if miter.IsSeq2(a) {
+			miter.IterateKV(a, func(k, v reflect.Value) bool { l++; return true })
+		} else {
+			miter.IterateV(a, func(v reflect.Value) bool { l++; return true })
+		}
+		return l, true
 	default:
 		return 0, false
 	}
 }
-func capOf(a interface{}) (int, bool) {
+func capOf(a any) (int, bool) {
 	if a == nil {
 		return 0, false
 	}
@@ -168,7 +181,7 @@ func capOf(a interface{}) (int, bool) {
 	}
 }
 
-func isNil(a interface{}) bool {
+func isNil(a any) bool {
 	if a == nil {
 		return true
 	}
diff --git a/vendor/github.com/onsi/gomega/matchers/with_transform.go b/vendor/github.com/onsi/gomega/matchers/with_transform.go
index 6f743b1b32d23..6231c3b476a11 100644
--- a/vendor/github.com/onsi/gomega/matchers/with_transform.go
+++ b/vendor/github.com/onsi/gomega/matchers/with_transform.go
@@ -9,20 +9,20 @@ import (
 
 type WithTransformMatcher struct {
 	// input
-	Transform interface{} // must be a function of one parameter that returns one value and an optional error
+	Transform any // must be a function of one parameter that returns one value and an optional error
 	Matcher   types.GomegaMatcher
 
 	// cached value
 	transformArgType reflect.Type
 
 	// state
-	transformedValue interface{}
+	transformedValue any
 }
 
 // reflect.Type for error
 var errorT = reflect.TypeOf((*error)(nil)).Elem()
 
-func NewWithTransformMatcher(transform interface{}, matcher types.GomegaMatcher) *WithTransformMatcher {
+func NewWithTransformMatcher(transform any, matcher types.GomegaMatcher) *WithTransformMatcher {
 	if transform == nil {
 		panic("transform function cannot be nil")
 	}
@@ -43,7 +43,7 @@ func NewWithTransformMatcher(transform interface{}, matcher types.GomegaMatcher)
 	}
 }
 
-func (m *WithTransformMatcher) Match(actual interface{}) (bool, error) {
+func (m *WithTransformMatcher) Match(actual any) (bool, error) {
 	// prepare a parameter to pass to the Transform function
 	var param reflect.Value
 	if actual != nil && reflect.TypeOf(actual).AssignableTo(m.transformArgType) {
@@ -72,15 +72,15 @@ func (m *WithTransformMatcher) Match(actual interface{}) (bool, error) {
 	return m.Matcher.Match(m.transformedValue)
 }
 
-func (m *WithTransformMatcher) FailureMessage(_ interface{}) (message string) {
+func (m *WithTransformMatcher) FailureMessage(_ any) (message string) {
 	return m.Matcher.FailureMessage(m.transformedValue)
 }
 
-func (m *WithTransformMatcher) NegatedFailureMessage(_ interface{}) (message string) {
+func (m *WithTransformMatcher) NegatedFailureMessage(_ any) (message string) {
 	return m.Matcher.NegatedFailureMessage(m.transformedValue)
 }
 
-func (m *WithTransformMatcher) MatchMayChangeInTheFuture(_ interface{}) bool {
+func (m *WithTransformMatcher) MatchMayChangeInTheFuture(_ any) bool {
 	// TODO: Maybe this should always just return true? (Only an issue for non-deterministic transformers.)
 	//
 	// Querying the next matcher is fine if the transformer always will return the same value.
diff --git a/vendor/github.com/onsi/gomega/types/types.go b/vendor/github.com/onsi/gomega/types/types.go
index 30f2beed30f11..685a46f373e3b 100644
--- a/vendor/github.com/onsi/gomega/types/types.go
+++ b/vendor/github.com/onsi/gomega/types/types.go
@@ -10,20 +10,20 @@ type GomegaFailHandler func(message string, callerSkip ...int)
 // A simple *testing.T interface wrapper
 type GomegaTestingT interface {
 	Helper()
-	Fatalf(format string, args ...interface{})
+	Fatalf(format string, args ...any)
 }
 
-// Gomega represents an object that can perform synchronous and assynchronous assertions with Gomega matchers
+// Gomega represents an object that can perform synchronous and asynchronous assertions with Gomega matchers
 type Gomega interface {
-	Ω(actual interface{}, extra ...interface{}) Assertion
-	Expect(actual interface{}, extra ...interface{}) Assertion
-	ExpectWithOffset(offset int, actual interface{}, extra ...interface{}) Assertion
+	Ω(actual any, extra ...any) Assertion
+	Expect(actual any, extra ...any) Assertion
+	ExpectWithOffset(offset int, actual any, extra ...any) Assertion
 
-	Eventually(actualOrCtx interface{}, args ...interface{}) AsyncAssertion
-	EventuallyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) AsyncAssertion
+	Eventually(actualOrCtx any, args ...any) AsyncAssertion
+	EventuallyWithOffset(offset int, actualOrCtx any, args ...any) AsyncAssertion
 
-	Consistently(actualOrCtx interface{}, args ...interface{}) AsyncAssertion
-	ConsistentlyWithOffset(offset int, actualOrCtx interface{}, args ...interface{}) AsyncAssertion
+	Consistently(actualOrCtx any, args ...any) AsyncAssertion
+	ConsistentlyWithOffset(offset int, actualOrCtx any, args ...any) AsyncAssertion
 
 	SetDefaultEventuallyTimeout(time.Duration)
 	SetDefaultEventuallyPollingInterval(time.Duration)
@@ -37,9 +37,9 @@ type Gomega interface {
 //
 // For details on writing custom matchers, check out: http://onsi.github.io/gomega/#adding-your-own-matchers
 type GomegaMatcher interface {
-	Match(actual interface{}) (success bool, err error)
-	FailureMessage(actual interface{}) (message string)
-	NegatedFailureMessage(actual interface{}) (message string)
+	Match(actual any) (success bool, err error)
+	FailureMessage(actual any) (message string)
+	NegatedFailureMessage(actual any) (message string)
 }
 
 /*
@@ -52,10 +52,10 @@ For example, a process' exit code can never change.  So, gexec's Exit matcher re
 for `MatchMayChangeInTheFuture` until the process exits, at which point it returns `false` forevermore.
 */
 type OracleMatcher interface {
-	MatchMayChangeInTheFuture(actual interface{}) bool
+	MatchMayChangeInTheFuture(actual any) bool
 }
 
-func MatchMayChangeInTheFuture(matcher GomegaMatcher, value interface{}) bool {
+func MatchMayChangeInTheFuture(matcher GomegaMatcher, value any) bool {
 	oracleMatcher, ok := matcher.(OracleMatcher)
 	if !ok {
 		return true
@@ -67,8 +67,13 @@ func MatchMayChangeInTheFuture(matcher GomegaMatcher, value interface{}) bool {
 // AsyncAssertions are returned by Eventually and Consistently and enable matchers to be polled repeatedly to ensure
 // they are eventually satisfied
 type AsyncAssertion interface {
-	Should(matcher GomegaMatcher, optionalDescription ...interface{}) bool
-	ShouldNot(matcher GomegaMatcher, optionalDescription ...interface{}) bool
+	Should(matcher GomegaMatcher, optionalDescription ...any) bool
+	ShouldNot(matcher GomegaMatcher, optionalDescription ...any) bool
+
+	// equivalent to above
+	To(matcher GomegaMatcher, optionalDescription ...any) bool
+	ToNot(matcher GomegaMatcher, optionalDescription ...any) bool
+	NotTo(matcher GomegaMatcher, optionalDescription ...any) bool
 
 	WithOffset(offset int) AsyncAssertion
 	WithTimeout(interval time.Duration) AsyncAssertion
@@ -76,18 +81,18 @@ type AsyncAssertion interface {
 	Within(timeout time.Duration) AsyncAssertion
 	ProbeEvery(interval time.Duration) AsyncAssertion
 	WithContext(ctx context.Context) AsyncAssertion
-	WithArguments(argsToForward ...interface{}) AsyncAssertion
+	WithArguments(argsToForward ...any) AsyncAssertion
 	MustPassRepeatedly(count int) AsyncAssertion
 }
 
 // Assertions are returned by Ω and Expect and enable assertions against Gomega matchers
 type Assertion interface {
-	Should(matcher GomegaMatcher, optionalDescription ...interface{}) bool
-	ShouldNot(matcher GomegaMatcher, optionalDescription ...interface{}) bool
+	Should(matcher GomegaMatcher, optionalDescription ...any) bool
+	ShouldNot(matcher GomegaMatcher, optionalDescription ...any) bool
 
-	To(matcher GomegaMatcher, optionalDescription ...interface{}) bool
-	ToNot(matcher GomegaMatcher, optionalDescription ...interface{}) bool
-	NotTo(matcher GomegaMatcher, optionalDescription ...interface{}) bool
+	To(matcher GomegaMatcher, optionalDescription ...any) bool
+	ToNot(matcher GomegaMatcher, optionalDescription ...any) bool
+	NotTo(matcher GomegaMatcher, optionalDescription ...any) bool
 
 	WithOffset(offset int) Assertion
 
diff --git a/vendor/github.com/opencontainers/runc/LICENSE b/vendor/github.com/opencontainers/runc/LICENSE
deleted file mode 100644
index 27448585ad49c..0000000000000
--- a/vendor/github.com/opencontainers/runc/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2014 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/NOTICE b/vendor/github.com/opencontainers/runc/NOTICE
deleted file mode 100644
index c29775c0d9df4..0000000000000
--- a/vendor/github.com/opencontainers/runc/NOTICE
+++ /dev/null
@@ -1,17 +0,0 @@
-runc
-
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (http://www.docker.com).
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws.
-
-For more information, please see http://www.bis.doc.gov
-
-See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
deleted file mode 100644
index 53e194c74dcf0..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ /dev/null
@@ -1,80 +0,0 @@
-package cgroups
-
-import (
-	"errors"
-
-	"github.com/opencontainers/runc/libcontainer/configs"
-)
-
-var (
-	// ErrDevicesUnsupported is an error returned when a cgroup manager
-	// is not configured to set device rules.
-	ErrDevicesUnsupported = errors.New("cgroup manager is not configured to set device rules")
-
-	// ErrRootless is returned by [Manager.Apply] when there is an error
-	// creating cgroup directory, and cgroup.Rootless is set. In general,
-	// this error is to be ignored.
-	ErrRootless = errors.New("cgroup manager can not access cgroup (rootless container)")
-
-	// DevicesSetV1 and DevicesSetV2 are functions to set devices for
-	// cgroup v1 and v2, respectively. Unless
-	// [github.com/opencontainers/runc/libcontainer/cgroups/devices]
-	// package is imported, it is set to nil, so cgroup managers can't
-	// manage devices.
-	DevicesSetV1 func(path string, r *configs.Resources) error
-	DevicesSetV2 func(path string, r *configs.Resources) error
-)
-
-type Manager interface {
-	// Apply creates a cgroup, if not yet created, and adds a process
-	// with the specified pid into that cgroup.  A special value of -1
-	// can be used to merely create a cgroup.
-	Apply(pid int) error
-
-	// GetPids returns the PIDs of all processes inside the cgroup.
-	GetPids() ([]int, error)
-
-	// GetAllPids returns the PIDs of all processes inside the cgroup
-	// any all its sub-cgroups.
-	GetAllPids() ([]int, error)
-
-	// GetStats returns cgroups statistics.
-	GetStats() (*Stats, error)
-
-	// Freeze sets the freezer cgroup to the specified state.
-	Freeze(state configs.FreezerState) error
-
-	// Destroy removes cgroup.
-	Destroy() error
-
-	// Path returns a cgroup path to the specified controller/subsystem.
-	// For cgroupv2, the argument is unused and can be empty.
-	Path(string) string
-
-	// Set sets cgroup resources parameters/limits. If the argument is nil,
-	// the resources specified during Manager creation (or the previous call
-	// to Set) are used.
-	Set(r *configs.Resources) error
-
-	// GetPaths returns cgroup path(s) to save in a state file in order to
-	// restore later.
-	//
-	// For cgroup v1, a key is cgroup subsystem name, and the value is the
-	// path to the cgroup for this subsystem.
-	//
-	// For cgroup v2 unified hierarchy, a key is "", and the value is the
-	// unified path.
-	GetPaths() map[string]string
-
-	// GetCgroups returns the cgroup data as configured.
-	GetCgroups() (*configs.Cgroup, error)
-
-	// GetFreezerState retrieves the current FreezerState of the cgroup.
-	GetFreezerState() (configs.FreezerState, error)
-
-	// Exists returns whether the cgroup path exists or not.
-	Exists() bool
-
-	// OOMKillCount reports OOM kill count for the cgroup.
-	OOMKillCount() (uint64, error)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
deleted file mode 100644
index 78c5bcf0d3706..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/file.go
+++ /dev/null
@@ -1,216 +0,0 @@
-package cgroups
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"os"
-	"path"
-	"strconv"
-	"strings"
-	"sync"
-
-	"github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-// OpenFile opens a cgroup file in a given dir with given flags.
-// It is supposed to be used for cgroup files only, and returns
-// an error if the file is not a cgroup file.
-//
-// Arguments dir and file are joined together to form an absolute path
-// to a file being opened.
-func OpenFile(dir, file string, flags int) (*os.File, error) {
-	if dir == "" {
-		return nil, fmt.Errorf("no directory specified for %s", file)
-	}
-	return openFile(dir, file, flags)
-}
-
-// ReadFile reads data from a cgroup file in dir.
-// It is supposed to be used for cgroup files only.
-func ReadFile(dir, file string) (string, error) {
-	fd, err := OpenFile(dir, file, unix.O_RDONLY)
-	if err != nil {
-		return "", err
-	}
-	defer fd.Close()
-	var buf bytes.Buffer
-
-	_, err = buf.ReadFrom(fd)
-	return buf.String(), err
-}
-
-// WriteFile writes data to a cgroup file in dir.
-// It is supposed to be used for cgroup files only.
-func WriteFile(dir, file, data string) error {
-	fd, err := OpenFile(dir, file, unix.O_WRONLY)
-	if err != nil {
-		return err
-	}
-	defer fd.Close()
-	if _, err := fd.WriteString(data); err != nil {
-		// Having data in the error message helps in debugging.
-		return fmt.Errorf("failed to write %q: %w", data, err)
-	}
-	return nil
-}
-
-// WriteFileByLine is the same as WriteFile, except if data contains newlines,
-// it is written line by line.
-func WriteFileByLine(dir, file, data string) error {
-	i := strings.Index(data, "\n")
-	if i == -1 {
-		return WriteFile(dir, file, data)
-	}
-
-	fd, err := OpenFile(dir, file, unix.O_WRONLY)
-	if err != nil {
-		return err
-	}
-	defer fd.Close()
-	start := 0
-	for {
-		var line string
-		if i == -1 {
-			line = data[start:]
-		} else {
-			line = data[start : start+i+1]
-		}
-		_, err := fd.WriteString(line)
-		if err != nil {
-			return fmt.Errorf("failed to write %q: %w", line, err)
-		}
-		if i == -1 {
-			break
-		}
-		start += i + 1
-		i = strings.Index(data[start:], "\n")
-	}
-	return nil
-}
-
-const (
-	cgroupfsDir    = "/sys/fs/cgroup"
-	cgroupfsPrefix = cgroupfsDir + "/"
-)
-
-var (
-	// TestMode is set to true by unit tests that need "fake" cgroupfs.
-	TestMode bool
-
-	cgroupRootHandle *os.File
-	prepOnce         sync.Once
-	prepErr          error
-	resolveFlags     uint64
-)
-
-func prepareOpenat2() error {
-	prepOnce.Do(func() {
-		fd, err := unix.Openat2(-1, cgroupfsDir, &unix.OpenHow{
-			Flags: unix.O_DIRECTORY | unix.O_PATH | unix.O_CLOEXEC,
-		})
-		if err != nil {
-			prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err}
-			if err != unix.ENOSYS {
-				logrus.Warnf("falling back to securejoin: %s", prepErr)
-			} else {
-				logrus.Debug("openat2 not available, falling back to securejoin")
-			}
-			return
-		}
-		file := os.NewFile(uintptr(fd), cgroupfsDir)
-
-		var st unix.Statfs_t
-		if err := unix.Fstatfs(int(file.Fd()), &st); err != nil {
-			prepErr = &os.PathError{Op: "statfs", Path: cgroupfsDir, Err: err}
-			logrus.Warnf("falling back to securejoin: %s", prepErr)
-			return
-		}
-
-		cgroupRootHandle = file
-		resolveFlags = unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS
-		if st.Type == unix.CGROUP2_SUPER_MAGIC {
-			// cgroupv2 has a single mountpoint and no "cpu,cpuacct" symlinks
-			resolveFlags |= unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_SYMLINKS
-		}
-	})
-
-	return prepErr
-}
-
-func openFile(dir, file string, flags int) (*os.File, error) {
-	mode := os.FileMode(0)
-	if TestMode && flags&os.O_WRONLY != 0 {
-		// "emulate" cgroup fs for unit tests
-		flags |= os.O_TRUNC | os.O_CREATE
-		mode = 0o600
-	}
-	path := path.Join(dir, utils.CleanPath(file))
-	if prepareOpenat2() != nil {
-		return openFallback(path, flags, mode)
-	}
-	relPath := strings.TrimPrefix(path, cgroupfsPrefix)
-	if len(relPath) == len(path) { // non-standard path, old system?
-		return openFallback(path, flags, mode)
-	}
-
-	fd, err := unix.Openat2(int(cgroupRootHandle.Fd()), relPath,
-		&unix.OpenHow{
-			Resolve: resolveFlags,
-			Flags:   uint64(flags) | unix.O_CLOEXEC,
-			Mode:    uint64(mode),
-		})
-	if err != nil {
-		err = &os.PathError{Op: "openat2", Path: path, Err: err}
-		// Check if cgroupRootHandle is still opened to cgroupfsDir
-		// (happens when this package is incorrectly used
-		// across the chroot/pivot_root/mntns boundary, or
-		// when /sys/fs/cgroup is remounted).
-		//
-		// TODO: if such usage will ever be common, amend this
-		// to reopen cgroupRootHandle and retry openat2.
-		fdPath, closer := utils.ProcThreadSelf("fd/" + strconv.Itoa(int(cgroupRootHandle.Fd())))
-		defer closer()
-		fdDest, _ := os.Readlink(fdPath)
-		if fdDest != cgroupfsDir {
-			// Wrap the error so it is clear that cgroupRootHandle
-			// is opened to an unexpected/wrong directory.
-			err = fmt.Errorf("cgroupRootHandle %d unexpectedly opened to %s != %s: %w",
-				cgroupRootHandle.Fd(), fdDest, cgroupfsDir, err)
-		}
-		return nil, err
-	}
-
-	return os.NewFile(uintptr(fd), path), nil
-}
-
-var errNotCgroupfs = errors.New("not a cgroup file")
-
-// Can be changed by unit tests.
-var openFallback = openAndCheck
-
-// openAndCheck is used when openat2(2) is not available. It checks the opened
-// file is on cgroupfs, returning an error otherwise.
-func openAndCheck(path string, flags int, mode os.FileMode) (*os.File, error) {
-	fd, err := os.OpenFile(path, flags, mode)
-	if err != nil {
-		return nil, err
-	}
-	if TestMode {
-		return fd, nil
-	}
-	// Check this is a cgroupfs file.
-	var st unix.Statfs_t
-	if err := unix.Fstatfs(int(fd.Fd()), &st); err != nil {
-		_ = fd.Close()
-		return nil, &os.PathError{Op: "statfs", Path: path, Err: err}
-	}
-	if st.Type != unix.CGROUP_SUPER_MAGIC && st.Type != unix.CGROUP2_SUPER_MAGIC {
-		_ = fd.Close()
-		return nil, &os.PathError{Op: "open", Path: path, Err: errNotCgroupfs}
-	}
-
-	return fd, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/getallpids.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/getallpids.go
deleted file mode 100644
index 1355a5101055b..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/getallpids.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package cgroups
-
-import (
-	"io/fs"
-	"path/filepath"
-)
-
-// GetAllPids returns all pids from the cgroup identified by path, and all its
-// sub-cgroups.
-func GetAllPids(path string) ([]int, error) {
-	var pids []int
-	err := filepath.WalkDir(path, func(p string, d fs.DirEntry, iErr error) error {
-		if iErr != nil {
-			return iErr
-		}
-		if !d.IsDir() {
-			return nil
-		}
-		cPids, err := readProcsFile(p)
-		if err != nil {
-			return err
-		}
-		pids = append(pids, cPids...)
-		return nil
-	})
-	return pids, err
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
deleted file mode 100644
index b475567d821cb..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
+++ /dev/null
@@ -1,200 +0,0 @@
-package cgroups
-
-type ThrottlingData struct {
-	// Number of periods with throttling active
-	Periods uint64 `json:"periods,omitempty"`
-	// Number of periods when the container hit its throttling limit.
-	ThrottledPeriods uint64 `json:"throttled_periods,omitempty"`
-	// Aggregate time the container was throttled for in nanoseconds.
-	ThrottledTime uint64 `json:"throttled_time,omitempty"`
-}
-
-// CpuUsage denotes the usage of a CPU.
-// All CPU stats are aggregate since container inception.
-type CpuUsage struct {
-	// Total CPU time consumed.
-	// Units: nanoseconds.
-	TotalUsage uint64 `json:"total_usage,omitempty"`
-	// Total CPU time consumed per core.
-	// Units: nanoseconds.
-	PercpuUsage []uint64 `json:"percpu_usage,omitempty"`
-	// CPU time consumed per core in kernel mode
-	// Units: nanoseconds.
-	PercpuUsageInKernelmode []uint64 `json:"percpu_usage_in_kernelmode"`
-	// CPU time consumed per core in user mode
-	// Units: nanoseconds.
-	PercpuUsageInUsermode []uint64 `json:"percpu_usage_in_usermode"`
-	// Time spent by tasks of the cgroup in kernel mode.
-	// Units: nanoseconds.
-	UsageInKernelmode uint64 `json:"usage_in_kernelmode"`
-	// Time spent by tasks of the cgroup in user mode.
-	// Units: nanoseconds.
-	UsageInUsermode uint64 `json:"usage_in_usermode"`
-}
-
-type PSIData struct {
-	Avg10  float64 `json:"avg10"`
-	Avg60  float64 `json:"avg60"`
-	Avg300 float64 `json:"avg300"`
-	Total  uint64  `json:"total"`
-}
-
-type PSIStats struct {
-	Some PSIData `json:"some,omitempty"`
-	Full PSIData `json:"full,omitempty"`
-}
-
-type CpuStats struct {
-	CpuUsage       CpuUsage       `json:"cpu_usage,omitempty"`
-	ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`
-	PSI            *PSIStats      `json:"psi,omitempty"`
-}
-
-type CPUSetStats struct {
-	// List of the physical numbers of the CPUs on which processes
-	// in that cpuset are allowed to execute
-	CPUs []uint16 `json:"cpus,omitempty"`
-	// cpu_exclusive flag
-	CPUExclusive uint64 `json:"cpu_exclusive"`
-	// List of memory nodes on which processes in that cpuset
-	// are allowed to allocate memory
-	Mems []uint16 `json:"mems,omitempty"`
-	// mem_hardwall flag
-	MemHardwall uint64 `json:"mem_hardwall"`
-	// mem_exclusive flag
-	MemExclusive uint64 `json:"mem_exclusive"`
-	// memory_migrate flag
-	MemoryMigrate uint64 `json:"memory_migrate"`
-	// memory_spread page flag
-	MemorySpreadPage uint64 `json:"memory_spread_page"`
-	// memory_spread slab flag
-	MemorySpreadSlab uint64 `json:"memory_spread_slab"`
-	// memory_pressure
-	MemoryPressure uint64 `json:"memory_pressure"`
-	// sched_load balance flag
-	SchedLoadBalance uint64 `json:"sched_load_balance"`
-	// sched_relax_domain_level
-	SchedRelaxDomainLevel int64 `json:"sched_relax_domain_level"`
-}
-
-type MemoryData struct {
-	Usage    uint64 `json:"usage,omitempty"`
-	MaxUsage uint64 `json:"max_usage,omitempty"`
-	Failcnt  uint64 `json:"failcnt"`
-	Limit    uint64 `json:"limit"`
-}
-
-type MemoryStats struct {
-	// memory used for cache
-	Cache uint64 `json:"cache,omitempty"`
-	// usage of memory
-	Usage MemoryData `json:"usage,omitempty"`
-	// usage of memory + swap
-	SwapUsage MemoryData `json:"swap_usage,omitempty"`
-	// usage of swap only
-	SwapOnlyUsage MemoryData `json:"swap_only_usage,omitempty"`
-	// usage of kernel memory
-	KernelUsage MemoryData `json:"kernel_usage,omitempty"`
-	// usage of kernel TCP memory
-	KernelTCPUsage MemoryData `json:"kernel_tcp_usage,omitempty"`
-	// usage of memory pages by NUMA node
-	// see chapter 5.6 of memory controller documentation
-	PageUsageByNUMA PageUsageByNUMA `json:"page_usage_by_numa,omitempty"`
-	// if true, memory usage is accounted for throughout a hierarchy of cgroups.
-	UseHierarchy bool `json:"use_hierarchy"`
-
-	Stats map[string]uint64 `json:"stats,omitempty"`
-	PSI   *PSIStats         `json:"psi,omitempty"`
-}
-
-type PageUsageByNUMA struct {
-	// Embedding is used as types can't be recursive.
-	PageUsageByNUMAInner
-	Hierarchical PageUsageByNUMAInner `json:"hierarchical,omitempty"`
-}
-
-type PageUsageByNUMAInner struct {
-	Total       PageStats `json:"total,omitempty"`
-	File        PageStats `json:"file,omitempty"`
-	Anon        PageStats `json:"anon,omitempty"`
-	Unevictable PageStats `json:"unevictable,omitempty"`
-}
-
-type PageStats struct {
-	Total uint64           `json:"total,omitempty"`
-	Nodes map[uint8]uint64 `json:"nodes,omitempty"`
-}
-
-type PidsStats struct {
-	// number of pids in the cgroup
-	Current uint64 `json:"current,omitempty"`
-	// active pids hard limit
-	Limit uint64 `json:"limit,omitempty"`
-}
-
-type BlkioStatEntry struct {
-	Major uint64 `json:"major,omitempty"`
-	Minor uint64 `json:"minor,omitempty"`
-	Op    string `json:"op,omitempty"`
-	Value uint64 `json:"value,omitempty"`
-}
-
-type BlkioStats struct {
-	// number of bytes transferred to and from the block device
-	IoServiceBytesRecursive []BlkioStatEntry `json:"io_service_bytes_recursive,omitempty"`
-	IoServicedRecursive     []BlkioStatEntry `json:"io_serviced_recursive,omitempty"`
-	IoQueuedRecursive       []BlkioStatEntry `json:"io_queue_recursive,omitempty"`
-	IoServiceTimeRecursive  []BlkioStatEntry `json:"io_service_time_recursive,omitempty"`
-	IoWaitTimeRecursive     []BlkioStatEntry `json:"io_wait_time_recursive,omitempty"`
-	IoMergedRecursive       []BlkioStatEntry `json:"io_merged_recursive,omitempty"`
-	IoTimeRecursive         []BlkioStatEntry `json:"io_time_recursive,omitempty"`
-	SectorsRecursive        []BlkioStatEntry `json:"sectors_recursive,omitempty"`
-	PSI                     *PSIStats        `json:"psi,omitempty"`
-}
-
-type HugetlbStats struct {
-	// current res_counter usage for hugetlb
-	Usage uint64 `json:"usage,omitempty"`
-	// maximum usage ever recorded.
-	MaxUsage uint64 `json:"max_usage,omitempty"`
-	// number of times hugetlb usage allocation failure.
-	Failcnt uint64 `json:"failcnt"`
-}
-
-type RdmaEntry struct {
-	Device     string `json:"device,omitempty"`
-	HcaHandles uint32 `json:"hca_handles,omitempty"`
-	HcaObjects uint32 `json:"hca_objects,omitempty"`
-}
-
-type RdmaStats struct {
-	RdmaLimit   []RdmaEntry `json:"rdma_limit,omitempty"`
-	RdmaCurrent []RdmaEntry `json:"rdma_current,omitempty"`
-}
-
-type MiscStats struct {
-	// current resource usage for a key in misc
-	Usage uint64 `json:"usage,omitempty"`
-	// number of times the resource usage was about to go over the max boundary
-	Events uint64 `json:"events,omitempty"`
-}
-
-type Stats struct {
-	CpuStats    CpuStats    `json:"cpu_stats,omitempty"`
-	CPUSetStats CPUSetStats `json:"cpuset_stats,omitempty"`
-	MemoryStats MemoryStats `json:"memory_stats,omitempty"`
-	PidsStats   PidsStats   `json:"pids_stats,omitempty"`
-	BlkioStats  BlkioStats  `json:"blkio_stats,omitempty"`
-	// the map is in the format "size of hugepage: stats of the hugepage"
-	HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`
-	RdmaStats    RdmaStats               `json:"rdma_stats,omitempty"`
-	// the map is in the format "misc resource name: stats of the key"
-	MiscStats map[string]MiscStats `json:"misc_stats,omitempty"`
-}
-
-func NewStats() *Stats {
-	memoryStats := MemoryStats{Stats: make(map[string]uint64)}
-	hugetlbStats := make(map[string]HugetlbStats)
-	miscStats := make(map[string]MiscStats)
-	return &Stats{MemoryStats: memoryStats, HugetlbStats: hugetlbStats, MiscStats: miscStats}
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
deleted file mode 100644
index d404647c8c08e..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ /dev/null
@@ -1,468 +0,0 @@
-package cgroups
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/moby/sys/userns"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-const (
-	CgroupProcesses   = "cgroup.procs"
-	unifiedMountpoint = "/sys/fs/cgroup"
-	hybridMountpoint  = "/sys/fs/cgroup/unified"
-)
-
-var (
-	isUnifiedOnce sync.Once
-	isUnified     bool
-	isHybridOnce  sync.Once
-	isHybrid      bool
-)
-
-// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
-func IsCgroup2UnifiedMode() bool {
-	isUnifiedOnce.Do(func() {
-		var st unix.Statfs_t
-		err := unix.Statfs(unifiedMountpoint, &st)
-		if err != nil {
-			level := logrus.WarnLevel
-			if os.IsNotExist(err) && userns.RunningInUserNS() {
-				// For rootless containers, sweep it under the rug.
-				level = logrus.DebugLevel
-			}
-			logrus.StandardLogger().Logf(level,
-				"statfs %s: %v; assuming cgroup v1", unifiedMountpoint, err)
-		}
-		isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC
-	})
-	return isUnified
-}
-
-// IsCgroup2HybridMode returns whether we are running in cgroup v2 hybrid mode.
-func IsCgroup2HybridMode() bool {
-	isHybridOnce.Do(func() {
-		var st unix.Statfs_t
-		err := unix.Statfs(hybridMountpoint, &st)
-		if err != nil {
-			isHybrid = false
-			if !os.IsNotExist(err) {
-				// Report unexpected errors.
-				logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint)
-			}
-			return
-		}
-		isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC
-	})
-	return isHybrid
-}
-
-type Mount struct {
-	Mountpoint string
-	Root       string
-	Subsystems []string
-}
-
-// GetCgroupMounts returns the mounts for the cgroup subsystems.
-// all indicates whether to return just the first instance or all the mounts.
-// This function should not be used from cgroupv2 code, as in this case
-// all the controllers are available under the constant unifiedMountpoint.
-func GetCgroupMounts(all bool) ([]Mount, error) {
-	if IsCgroup2UnifiedMode() {
-		// TODO: remove cgroupv2 case once all external users are converted
-		availableControllers, err := GetAllSubsystems()
-		if err != nil {
-			return nil, err
-		}
-		m := Mount{
-			Mountpoint: unifiedMountpoint,
-			Root:       unifiedMountpoint,
-			Subsystems: availableControllers,
-		}
-		return []Mount{m}, nil
-	}
-
-	return getCgroupMountsV1(all)
-}
-
-// GetAllSubsystems returns all the cgroup subsystems supported by the kernel
-func GetAllSubsystems() ([]string, error) {
-	// /proc/cgroups is meaningless for v2
-	// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features
-	if IsCgroup2UnifiedMode() {
-		// "pseudo" controllers do not appear in /sys/fs/cgroup/cgroup.controllers.
-		// - devices: implemented in kernel 4.15
-		// - freezer: implemented in kernel 5.2
-		// We assume these are always available, as it is hard to detect availability.
-		pseudo := []string{"devices", "freezer"}
-		data, err := ReadFile("/sys/fs/cgroup", "cgroup.controllers")
-		if err != nil {
-			return nil, err
-		}
-		subsystems := append(pseudo, strings.Fields(data)...)
-		return subsystems, nil
-	}
-	f, err := os.Open("/proc/cgroups")
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	subsystems := []string{}
-
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		text := s.Text()
-		if text[0] != '#' {
-			parts := strings.Fields(text)
-			if len(parts) >= 4 && parts[3] != "0" {
-				subsystems = append(subsystems, parts[0])
-			}
-		}
-	}
-	if err := s.Err(); err != nil {
-		return nil, err
-	}
-	return subsystems, nil
-}
-
-func readProcsFile(dir string) (out []int, _ error) {
-	file := CgroupProcesses
-	retry := true
-
-again:
-	f, err := OpenFile(dir, file, os.O_RDONLY)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		if t := s.Text(); t != "" {
-			pid, err := strconv.Atoi(t)
-			if err != nil {
-				return nil, err
-			}
-			out = append(out, pid)
-		}
-	}
-	if errors.Is(s.Err(), unix.ENOTSUP) && retry {
-		// For a threaded cgroup, read returns ENOTSUP, and we should
-		// read from cgroup.threads instead.
-		file = "cgroup.threads"
-		retry = false
-		goto again
-	}
-	return out, s.Err()
-}
-
-// ParseCgroupFile parses the given cgroup file, typically /proc/self/cgroup
-// or /proc/<pid>/cgroup, into a map of subsystems to cgroup paths, e.g.
-//
-//	"cpu": "/user.slice/user-1000.slice"
-//	"pids": "/user.slice/user-1000.slice"
-//
-// etc.
-//
-// Note that for cgroup v2 unified hierarchy, there are no per-controller
-// cgroup paths, so the resulting map will have a single element where the key
-// is empty string ("") and the value is the cgroup path the <pid> is in.
-func ParseCgroupFile(path string) (map[string]string, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	return parseCgroupFromReader(f)
-}
-
-// helper function for ParseCgroupFile to make testing easier
-func parseCgroupFromReader(r io.Reader) (map[string]string, error) {
-	s := bufio.NewScanner(r)
-	cgroups := make(map[string]string)
-
-	for s.Scan() {
-		text := s.Text()
-		// from cgroups(7):
-		// /proc/[pid]/cgroup
-		// ...
-		// For each cgroup hierarchy ... there is one entry
-		// containing three colon-separated fields of the form:
-		//     hierarchy-ID:subsystem-list:cgroup-path
-		parts := strings.SplitN(text, ":", 3)
-		if len(parts) < 3 {
-			return nil, fmt.Errorf("invalid cgroup entry: must contain at least two colons: %v", text)
-		}
-
-		for _, subs := range strings.Split(parts[1], ",") {
-			cgroups[subs] = parts[2]
-		}
-	}
-	if err := s.Err(); err != nil {
-		return nil, err
-	}
-
-	return cgroups, nil
-}
-
-func PathExists(path string) bool {
-	if _, err := os.Stat(path); err != nil {
-		return false
-	}
-	return true
-}
-
-// rmdir tries to remove a directory, optionally retrying on EBUSY.
-func rmdir(path string, retry bool) error {
-	delay := time.Millisecond
-	tries := 10
-
-again:
-	err := unix.Rmdir(path)
-	switch err { // nolint:errorlint // unix errors are bare
-	case nil, unix.ENOENT:
-		return nil
-	case unix.EINTR:
-		goto again
-	case unix.EBUSY:
-		if retry && tries > 0 {
-			time.Sleep(delay)
-			delay *= 2
-			tries--
-			goto again
-
-		}
-	}
-	return &os.PathError{Op: "rmdir", Path: path, Err: err}
-}
-
-// RemovePath aims to remove cgroup path. It does so recursively,
-// by removing any subdirectories (sub-cgroups) first.
-func RemovePath(path string) error {
-	// Try the fast path first; don't retry on EBUSY yet.
-	if err := rmdir(path, false); err == nil {
-		return nil
-	}
-
-	// There are many reasons why rmdir can fail, including:
-	// 1. cgroup have existing sub-cgroups;
-	// 2. cgroup (still) have some processes (that are about to vanish);
-	// 3. lack of permission (one example is read-only /sys/fs/cgroup mount,
-	//    in which case rmdir returns EROFS even for for a non-existent path,
-	//    see issue 4518).
-	//
-	// Using os.ReadDir here kills two birds with one stone: check if
-	// the directory exists (handling scenario 3 above), and use
-	// directory contents to remove sub-cgroups (handling scenario 1).
-	infos, err := os.ReadDir(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-	// Let's remove sub-cgroups, if any.
-	for _, info := range infos {
-		if info.IsDir() {
-			if err = RemovePath(filepath.Join(path, info.Name())); err != nil {
-				return err
-			}
-		}
-	}
-	// Finally, try rmdir again, this time with retries on EBUSY,
-	// which may help with scenario 2 above.
-	return rmdir(path, true)
-}
-
-// RemovePaths iterates over the provided paths removing them.
-func RemovePaths(paths map[string]string) (err error) {
-	for s, p := range paths {
-		if err := RemovePath(p); err == nil {
-			delete(paths, s)
-		}
-	}
-	if len(paths) == 0 {
-		clear(paths)
-		return nil
-	}
-	return fmt.Errorf("Failed to remove paths: %v", paths)
-}
-
-var (
-	hugePageSizes []string
-	initHPSOnce   sync.Once
-)
-
-func HugePageSizes() []string {
-	initHPSOnce.Do(func() {
-		dir, err := os.OpenFile("/sys/kernel/mm/hugepages", unix.O_DIRECTORY|unix.O_RDONLY, 0)
-		if err != nil {
-			return
-		}
-		files, err := dir.Readdirnames(0)
-		dir.Close()
-		if err != nil {
-			return
-		}
-
-		hugePageSizes, err = getHugePageSizeFromFilenames(files)
-		if err != nil {
-			logrus.Warn("HugePageSizes: ", err)
-		}
-	})
-
-	return hugePageSizes
-}
-
-func getHugePageSizeFromFilenames(fileNames []string) ([]string, error) {
-	pageSizes := make([]string, 0, len(fileNames))
-	var warn error
-
-	for _, file := range fileNames {
-		// example: hugepages-1048576kB
-		val := strings.TrimPrefix(file, "hugepages-")
-		if len(val) == len(file) {
-			// Unexpected file name: no prefix found, ignore it.
-			continue
-		}
-		// The suffix is always "kB" (as of Linux 5.13). If we find
-		// something else, produce an error but keep going.
-		eLen := len(val) - 2
-		val = strings.TrimSuffix(val, "kB")
-		if len(val) != eLen {
-			// Highly unlikely.
-			if warn == nil {
-				warn = errors.New(file + `: invalid suffix (expected "kB")`)
-			}
-			continue
-		}
-		size, err := strconv.Atoi(val)
-		if err != nil {
-			// Highly unlikely.
-			if warn == nil {
-				warn = fmt.Errorf("%s: %w", file, err)
-			}
-			continue
-		}
-		// Model after https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?id=eff48ddeab782e35e58ccc8853f7386bbae9dec4#n574
-		// but in our case the size is in KB already.
-		if size >= (1 << 20) {
-			val = strconv.Itoa(size>>20) + "GB"
-		} else if size >= (1 << 10) {
-			val = strconv.Itoa(size>>10) + "MB"
-		} else {
-			val += "KB"
-		}
-		pageSizes = append(pageSizes, val)
-	}
-
-	return pageSizes, warn
-}
-
-// GetPids returns all pids, that were added to cgroup at path.
-func GetPids(dir string) ([]int, error) {
-	return readProcsFile(dir)
-}
-
-// WriteCgroupProc writes the specified pid into the cgroup's cgroup.procs file
-func WriteCgroupProc(dir string, pid int) error {
-	// Normally dir should not be empty, one case is that cgroup subsystem
-	// is not mounted, we will get empty dir, and we want it fail here.
-	if dir == "" {
-		return fmt.Errorf("no such directory for %s", CgroupProcesses)
-	}
-
-	// Dont attach any pid to the cgroup if -1 is specified as a pid
-	if pid == -1 {
-		return nil
-	}
-
-	file, err := OpenFile(dir, CgroupProcesses, os.O_WRONLY)
-	if err != nil {
-		return fmt.Errorf("failed to write %v: %w", pid, err)
-	}
-	defer file.Close()
-
-	for i := 0; i < 5; i++ {
-		_, err = file.WriteString(strconv.Itoa(pid))
-		if err == nil {
-			return nil
-		}
-
-		// EINVAL might mean that the task being added to cgroup.procs is in state
-		// TASK_NEW. We should attempt to do so again.
-		if errors.Is(err, unix.EINVAL) {
-			time.Sleep(30 * time.Millisecond)
-			continue
-		}
-
-		return fmt.Errorf("failed to write %v: %w", pid, err)
-	}
-	return err
-}
-
-// Since the OCI spec is designed for cgroup v1, in some cases
-// there is need to convert from the cgroup v1 configuration to cgroup v2
-// the formula for cpuShares is y = (1 + ((x - 2) * 9999) / 262142)
-// convert from [2-262144] to [1-10000]
-// 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)"
-func ConvertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {
-	if cpuShares == 0 {
-		return 0
-	}
-	return (1 + ((cpuShares-2)*9999)/262142)
-}
-
-// ConvertMemorySwapToCgroupV2Value converts MemorySwap value from OCI spec
-// for use by cgroup v2 drivers. A conversion is needed since Resources.MemorySwap
-// is defined as memory+swap combined, while in cgroup v2 swap is a separate value,
-// so we need to subtract memory from it where it makes sense.
-func ConvertMemorySwapToCgroupV2Value(memorySwap, memory int64) (int64, error) {
-	switch {
-	case memory == -1 && memorySwap == 0:
-		// For compatibility with cgroup1 controller, set swap to unlimited in
-		// case the memory is set to unlimited and the swap is not explicitly set,
-		// treating the request as "set both memory and swap to unlimited".
-		return -1, nil
-	case memorySwap == -1, memorySwap == 0:
-		// Treat -1 ("max") and 0 ("unset") swap as is.
-		return memorySwap, nil
-	case memory == -1:
-		// Unlimited memory, so treat swap as is.
-		return memorySwap, nil
-	case memory == 0:
-		// Unset or unknown memory, can't calculate swap.
-		return 0, errors.New("unable to set swap limit without memory limit")
-	case memory < 0:
-		// Does not make sense to subtract a negative value.
-		return 0, fmt.Errorf("invalid memory value: %d", memory)
-	case memorySwap < memory:
-		// Sanity check.
-		return 0, errors.New("memory+swap limit should be >= memory limit")
-	}
-
-	return memorySwap - memory, nil
-}
-
-// Since the OCI spec is designed for cgroup v1, in some cases
-// there is need to convert from the cgroup v1 configuration to cgroup v2
-// the formula for BlkIOWeight to IOWeight is y = (1 + (x - 10) * 9999 / 990)
-// convert linearly from [10-1000] to [1-10000]
-func ConvertBlkIOToIOWeightValue(blkIoWeight uint16) uint64 {
-	if blkIoWeight == 0 {
-		return 0
-	}
-	return 1 + (uint64(blkIoWeight)-10)*9999/990
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
deleted file mode 100644
index 81193e2098315..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
+++ /dev/null
@@ -1,277 +0,0 @@
-package cgroups
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"syscall"
-
-	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/moby/sys/mountinfo"
-	"golang.org/x/sys/unix"
-)
-
-// Code in this source file are specific to cgroup v1,
-// and must not be used from any cgroup v2 code.
-
-const (
-	CgroupNamePrefix = "name="
-	defaultPrefix    = "/sys/fs/cgroup"
-)
-
-var (
-	errUnified     = errors.New("not implemented for cgroup v2 unified hierarchy")
-	ErrV1NoUnified = errors.New("invalid configuration: cannot use unified on cgroup v1")
-
-	readMountinfoOnce sync.Once
-	readMountinfoErr  error
-	cgroupMountinfo   []*mountinfo.Info
-)
-
-type NotFoundError struct {
-	Subsystem string
-}
-
-func (e *NotFoundError) Error() string {
-	return fmt.Sprintf("mountpoint for %s not found", e.Subsystem)
-}
-
-func NewNotFoundError(sub string) error {
-	return &NotFoundError{
-		Subsystem: sub,
-	}
-}
-
-func IsNotFound(err error) bool {
-	var nfErr *NotFoundError
-	return errors.As(err, &nfErr)
-}
-
-func tryDefaultPath(cgroupPath, subsystem string) string {
-	if !strings.HasPrefix(defaultPrefix, cgroupPath) {
-		return ""
-	}
-
-	// remove possible prefix
-	subsystem = strings.TrimPrefix(subsystem, CgroupNamePrefix)
-
-	// Make sure we're still under defaultPrefix, and resolve
-	// a possible symlink (like cpu -> cpu,cpuacct).
-	path, err := securejoin.SecureJoin(defaultPrefix, subsystem)
-	if err != nil {
-		return ""
-	}
-
-	// (1) path should be a directory.
-	st, err := os.Lstat(path)
-	if err != nil || !st.IsDir() {
-		return ""
-	}
-
-	// (2) path should be a mount point.
-	pst, err := os.Lstat(filepath.Dir(path))
-	if err != nil {
-		return ""
-	}
-
-	if st.Sys().(*syscall.Stat_t).Dev == pst.Sys().(*syscall.Stat_t).Dev {
-		// parent dir has the same dev -- path is not a mount point
-		return ""
-	}
-
-	// (3) path should have 'cgroup' fs type.
-	fst := unix.Statfs_t{}
-	err = unix.Statfs(path, &fst)
-	if err != nil || fst.Type != unix.CGROUP_SUPER_MAGIC {
-		return ""
-	}
-
-	return path
-}
-
-// readCgroupMountinfo returns a list of cgroup v1 mounts (i.e. the ones
-// with fstype of "cgroup") for the current running process.
-//
-// The results are cached (to avoid re-reading mountinfo which is relatively
-// expensive), so it is assumed that cgroup mounts are not being changed.
-func readCgroupMountinfo() ([]*mountinfo.Info, error) {
-	readMountinfoOnce.Do(func() {
-		// mountinfo.GetMounts uses /proc/thread-self, so we can use it without
-		// issues.
-		cgroupMountinfo, readMountinfoErr = mountinfo.GetMounts(
-			mountinfo.FSTypeFilter("cgroup"),
-		)
-	})
-	return cgroupMountinfo, readMountinfoErr
-}
-
-// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
-func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
-	if IsCgroup2UnifiedMode() {
-		return "", errUnified
-	}
-
-	// If subsystem is empty, we look for the cgroupv2 hybrid path.
-	if len(subsystem) == 0 {
-		return hybridMountpoint, nil
-	}
-
-	// Avoid parsing mountinfo by trying the default path first, if possible.
-	if path := tryDefaultPath(cgroupPath, subsystem); path != "" {
-		return path, nil
-	}
-
-	mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
-	return mnt, err
-}
-
-func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string, error) {
-	if IsCgroup2UnifiedMode() {
-		return "", "", errUnified
-	}
-
-	mi, err := readCgroupMountinfo()
-	if err != nil {
-		return "", "", err
-	}
-
-	return findCgroupMountpointAndRootFromMI(mi, cgroupPath, subsystem)
-}
-
-func findCgroupMountpointAndRootFromMI(mounts []*mountinfo.Info, cgroupPath, subsystem string) (string, string, error) {
-	for _, mi := range mounts {
-		if strings.HasPrefix(mi.Mountpoint, cgroupPath) {
-			for _, opt := range strings.Split(mi.VFSOptions, ",") {
-				if opt == subsystem {
-					return mi.Mountpoint, mi.Root, nil
-				}
-			}
-		}
-	}
-
-	return "", "", NewNotFoundError(subsystem)
-}
-
-func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
-	if len(m.Subsystems) == 0 {
-		return "", errors.New("no subsystem for mount")
-	}
-
-	return getControllerPath(m.Subsystems[0], cgroups)
-}
-
-func getCgroupMountsHelper(ss map[string]bool, mounts []*mountinfo.Info, all bool) ([]Mount, error) {
-	res := make([]Mount, 0, len(ss))
-	numFound := 0
-	for _, mi := range mounts {
-		m := Mount{
-			Mountpoint: mi.Mountpoint,
-			Root:       mi.Root,
-		}
-		for _, opt := range strings.Split(mi.VFSOptions, ",") {
-			seen, known := ss[opt]
-			if !known || (!all && seen) {
-				continue
-			}
-			ss[opt] = true
-			opt = strings.TrimPrefix(opt, CgroupNamePrefix)
-			m.Subsystems = append(m.Subsystems, opt)
-			numFound++
-		}
-		if len(m.Subsystems) > 0 || all {
-			res = append(res, m)
-		}
-		if !all && numFound >= len(ss) {
-			break
-		}
-	}
-	return res, nil
-}
-
-func getCgroupMountsV1(all bool) ([]Mount, error) {
-	mi, err := readCgroupMountinfo()
-	if err != nil {
-		return nil, err
-	}
-
-	// We don't need to use /proc/thread-self here because runc always runs
-	// with every thread in the same cgroup. This lets us avoid having to do
-	// runtime.LockOSThread.
-	allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
-	if err != nil {
-		return nil, err
-	}
-
-	allMap := make(map[string]bool)
-	for s := range allSubsystems {
-		allMap[s] = false
-	}
-
-	return getCgroupMountsHelper(allMap, mi, all)
-}
-
-// GetOwnCgroup returns the relative path to the cgroup docker is running in.
-func GetOwnCgroup(subsystem string) (string, error) {
-	if IsCgroup2UnifiedMode() {
-		return "", errUnified
-	}
-
-	// We don't need to use /proc/thread-self here because runc always runs
-	// with every thread in the same cgroup. This lets us avoid having to do
-	// runtime.LockOSThread.
-	cgroups, err := ParseCgroupFile("/proc/self/cgroup")
-	if err != nil {
-		return "", err
-	}
-
-	return getControllerPath(subsystem, cgroups)
-}
-
-func GetOwnCgroupPath(subsystem string) (string, error) {
-	cgroup, err := GetOwnCgroup(subsystem)
-	if err != nil {
-		return "", err
-	}
-
-	// If subsystem is empty, we look for the cgroupv2 hybrid path.
-	if len(subsystem) == 0 {
-		return hybridMountpoint, nil
-	}
-
-	return getCgroupPathHelper(subsystem, cgroup)
-}
-
-func getCgroupPathHelper(subsystem, cgroup string) (string, error) {
-	mnt, root, err := FindCgroupMountpointAndRoot("", subsystem)
-	if err != nil {
-		return "", err
-	}
-
-	// This is needed for nested containers, because in /proc/self/cgroup we
-	// see paths from host, which don't exist in container.
-	relCgroup, err := filepath.Rel(root, cgroup)
-	if err != nil {
-		return "", err
-	}
-
-	return filepath.Join(mnt, relCgroup), nil
-}
-
-func getControllerPath(subsystem string, cgroups map[string]string) (string, error) {
-	if IsCgroup2UnifiedMode() {
-		return "", errUnified
-	}
-
-	if p, ok := cgroups[subsystem]; ok {
-		return p, nil
-	}
-
-	if p, ok := cgroups[CgroupNamePrefix+subsystem]; ok {
-		return p, nil
-	}
-
-	return "", NewNotFoundError(subsystem)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go
deleted file mode 100644
index 865344f99c425..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/blkio_device.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package configs
-
-import "fmt"
-
-// BlockIODevice holds major:minor format supported in blkio cgroup.
-type BlockIODevice struct {
-	// Major is the device's major number
-	Major int64 `json:"major"`
-	// Minor is the device's minor number
-	Minor int64 `json:"minor"`
-}
-
-// WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair
-type WeightDevice struct {
-	BlockIODevice
-	// Weight is the bandwidth rate for the device, range is from 10 to 1000
-	Weight uint16 `json:"weight"`
-	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
-	LeafWeight uint16 `json:"leafWeight"`
-}
-
-// NewWeightDevice returns a configured WeightDevice pointer
-func NewWeightDevice(major, minor int64, weight, leafWeight uint16) *WeightDevice {
-	wd := &WeightDevice{}
-	wd.Major = major
-	wd.Minor = minor
-	wd.Weight = weight
-	wd.LeafWeight = leafWeight
-	return wd
-}
-
-// WeightString formats the struct to be writable to the cgroup specific file
-func (wd *WeightDevice) WeightString() string {
-	return fmt.Sprintf("%d:%d %d", wd.Major, wd.Minor, wd.Weight)
-}
-
-// LeafWeightString formats the struct to be writable to the cgroup specific file
-func (wd *WeightDevice) LeafWeightString() string {
-	return fmt.Sprintf("%d:%d %d", wd.Major, wd.Minor, wd.LeafWeight)
-}
-
-// ThrottleDevice struct holds a `major:minor rate_per_second` pair
-type ThrottleDevice struct {
-	BlockIODevice
-	// Rate is the IO rate limit per cgroup per device
-	Rate uint64 `json:"rate"`
-}
-
-// NewThrottleDevice returns a configured ThrottleDevice pointer
-func NewThrottleDevice(major, minor int64, rate uint64) *ThrottleDevice {
-	td := &ThrottleDevice{}
-	td.Major = major
-	td.Minor = minor
-	td.Rate = rate
-	return td
-}
-
-// String formats the struct to be writable to the cgroup specific file
-func (td *ThrottleDevice) String() string {
-	return fmt.Sprintf("%d:%d %d", td.Major, td.Minor, td.Rate)
-}
-
-// StringName formats the struct to be writable to the cgroup specific file
-func (td *ThrottleDevice) StringName(name string) string {
-	return fmt.Sprintf("%d:%d %s=%d", td.Major, td.Minor, name, td.Rate)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
deleted file mode 100644
index 4a34cf76fc5bb..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ /dev/null
@@ -1,169 +0,0 @@
-package configs
-
-import (
-	systemdDbus "github.com/coreos/go-systemd/v22/dbus"
-	"github.com/opencontainers/runc/libcontainer/devices"
-)
-
-type FreezerState string
-
-const (
-	Undefined FreezerState = ""
-	Frozen    FreezerState = "FROZEN"
-	Thawed    FreezerState = "THAWED"
-)
-
-// Cgroup holds properties of a cgroup on Linux.
-type Cgroup struct {
-	// Name specifies the name of the cgroup
-	Name string `json:"name,omitempty"`
-
-	// Parent specifies the name of parent of cgroup or slice
-	Parent string `json:"parent,omitempty"`
-
-	// Path specifies the path to cgroups that are created and/or joined by the container.
-	// The path is assumed to be relative to the host system cgroup mountpoint.
-	Path string `json:"path"`
-
-	// ScopePrefix describes prefix for the scope name
-	ScopePrefix string `json:"scope_prefix"`
-
-	// Resources contains various cgroups settings to apply
-	*Resources
-
-	// Systemd tells if systemd should be used to manage cgroups.
-	Systemd bool
-
-	// SystemdProps are any additional properties for systemd,
-	// derived from org.systemd.property.xxx annotations.
-	// Ignored unless systemd is used for managing cgroups.
-	SystemdProps []systemdDbus.Property `json:"-"`
-
-	// Rootless tells if rootless cgroups should be used.
-	Rootless bool
-
-	// The host UID that should own the cgroup, or nil to accept
-	// the default ownership.  This should only be set when the
-	// cgroupfs is to be mounted read/write.
-	// Not all cgroup manager implementations support changing
-	// the ownership.
-	OwnerUID *int `json:"owner_uid,omitempty"`
-}
-
-type Resources struct {
-	// Devices is the set of access rules for devices in the container.
-	Devices []*devices.Rule `json:"devices"`
-
-	// Memory limit (in bytes)
-	Memory int64 `json:"memory"`
-
-	// Memory reservation or soft_limit (in bytes)
-	MemoryReservation int64 `json:"memory_reservation"`
-
-	// Total memory usage (memory + swap); set `-1` to enable unlimited swap
-	MemorySwap int64 `json:"memory_swap"`
-
-	// CPU shares (relative weight vs. other containers)
-	CpuShares uint64 `json:"cpu_shares"`
-
-	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
-	CpuQuota int64 `json:"cpu_quota"`
-
-	// CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a given period.
-	CpuBurst *uint64 `json:"cpu_burst"` //nolint:revive
-
-	// CPU period to be used for hardcapping (in usecs). 0 to use system default.
-	CpuPeriod uint64 `json:"cpu_period"`
-
-	// How many time CPU will use in realtime scheduling (in usecs).
-	CpuRtRuntime int64 `json:"cpu_rt_quota"`
-
-	// CPU period to be used for realtime scheduling (in usecs).
-	CpuRtPeriod uint64 `json:"cpu_rt_period"`
-
-	// CPU to use
-	CpusetCpus string `json:"cpuset_cpus"`
-
-	// MEM to use
-	CpusetMems string `json:"cpuset_mems"`
-
-	// cgroup SCHED_IDLE
-	CPUIdle *int64 `json:"cpu_idle,omitempty"`
-
-	// Process limit; set <= `0' to disable limit.
-	PidsLimit int64 `json:"pids_limit"`
-
-	// Specifies per cgroup weight, range is from 10 to 1000.
-	BlkioWeight uint16 `json:"blkio_weight"`
-
-	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only
-	BlkioLeafWeight uint16 `json:"blkio_leaf_weight"`
-
-	// Weight per cgroup per device, can override BlkioWeight.
-	BlkioWeightDevice []*WeightDevice `json:"blkio_weight_device"`
-
-	// IO read rate limit per cgroup per device, bytes per second.
-	BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device"`
-
-	// IO write rate limit per cgroup per device, bytes per second.
-	BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device"`
-
-	// IO read rate limit per cgroup per device, IO per second.
-	BlkioThrottleReadIOPSDevice []*ThrottleDevice `json:"blkio_throttle_read_iops_device"`
-
-	// IO write rate limit per cgroup per device, IO per second.
-	BlkioThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkio_throttle_write_iops_device"`
-
-	// set the freeze value for the process
-	Freezer FreezerState `json:"freezer"`
-
-	// Hugetlb limit (in bytes)
-	HugetlbLimit []*HugepageLimit `json:"hugetlb_limit"`
-
-	// Whether to disable OOM Killer
-	OomKillDisable bool `json:"oom_kill_disable"`
-
-	// Tuning swappiness behaviour per cgroup
-	MemorySwappiness *uint64 `json:"memory_swappiness"`
-
-	// Set priority of network traffic for container
-	NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`
-
-	// Set class identifier for container's network packets
-	NetClsClassid uint32 `json:"net_cls_classid_u"`
-
-	// Rdma resource restriction configuration
-	Rdma map[string]LinuxRdma `json:"rdma"`
-
-	// Used on cgroups v2:
-
-	// CpuWeight sets a proportional bandwidth limit.
-	CpuWeight uint64 `json:"cpu_weight"`
-
-	// Unified is cgroupv2-only key-value map.
-	Unified map[string]string `json:"unified"`
-
-	// SkipDevices allows to skip configuring device permissions.
-	// Used by e.g. kubelet while creating a parent cgroup (kubepods)
-	// common for many containers, and by runc update.
-	//
-	// NOTE it is impossible to start a container which has this flag set.
-	SkipDevices bool `json:"-"`
-
-	// SkipFreezeOnSet is a flag for cgroup manager to skip the cgroup
-	// freeze when setting resources. Only applicable to systemd legacy
-	// (i.e. cgroup v1) manager (which uses freeze by default to avoid
-	// spurious permission errors caused by systemd inability to update
-	// device rules in a non-disruptive manner).
-	//
-	// If not set, a few methods (such as looking into cgroup's
-	// devices.list and querying the systemd unit properties) are used
-	// during Set() to figure out whether the freeze is required. Those
-	// methods may be relatively slow, thus this flag.
-	SkipFreezeOnSet bool `json:"-"`
-
-	// MemoryCheckBeforeUpdate is a flag for cgroup v2 managers to check
-	// if the new memory limits (Memory and MemorySwap) being set are lower
-	// than the current memory usage, and reject if so.
-	MemoryCheckBeforeUpdate bool `json:"memory_check_before_update"`
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
deleted file mode 100644
index 53f5ec5a0dab0..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
+++ /dev/null
@@ -1,8 +0,0 @@
-//go:build !linux
-
-package configs
-
-// Cgroup holds properties of a cgroup on Linux
-// TODO Windows: This can ultimately be entirely factored out on Windows as
-// cgroups are a Unix-specific construct.
-type Cgroup struct{}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
deleted file mode 100644
index 22fe0f9b4c1e9..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ /dev/null
@@ -1,508 +0,0 @@
-package configs
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"os/exec"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
-	"github.com/opencontainers/runc/libcontainer/devices"
-	"github.com/opencontainers/runtime-spec/specs-go"
-)
-
-type Rlimit struct {
-	Type int    `json:"type"`
-	Hard uint64 `json:"hard"`
-	Soft uint64 `json:"soft"`
-}
-
-// IDMap represents UID/GID Mappings for User Namespaces.
-type IDMap struct {
-	ContainerID int64 `json:"container_id"`
-	HostID      int64 `json:"host_id"`
-	Size        int64 `json:"size"`
-}
-
-// Seccomp represents syscall restrictions
-// By default, only the native architecture of the kernel is allowed to be used
-// for syscalls. Additional architectures can be added by specifying them in
-// Architectures.
-type Seccomp struct {
-	DefaultAction    Action                   `json:"default_action"`
-	Architectures    []string                 `json:"architectures"`
-	Flags            []specs.LinuxSeccompFlag `json:"flags"`
-	Syscalls         []*Syscall               `json:"syscalls"`
-	DefaultErrnoRet  *uint                    `json:"default_errno_ret"`
-	ListenerPath     string                   `json:"listener_path,omitempty"`
-	ListenerMetadata string                   `json:"listener_metadata,omitempty"`
-}
-
-// Action is taken upon rule match in Seccomp
-type Action int
-
-const (
-	Kill Action = iota + 1
-	Errno
-	Trap
-	Allow
-	Trace
-	Log
-	Notify
-	KillThread
-	KillProcess
-)
-
-// Operator is a comparison operator to be used when matching syscall arguments in Seccomp
-type Operator int
-
-const (
-	EqualTo Operator = iota + 1
-	NotEqualTo
-	GreaterThan
-	GreaterThanOrEqualTo
-	LessThan
-	LessThanOrEqualTo
-	MaskEqualTo
-)
-
-// Arg is a rule to match a specific syscall argument in Seccomp
-type Arg struct {
-	Index    uint     `json:"index"`
-	Value    uint64   `json:"value"`
-	ValueTwo uint64   `json:"value_two"`
-	Op       Operator `json:"op"`
-}
-
-// Syscall is a rule to match a syscall in Seccomp
-type Syscall struct {
-	Name     string `json:"name"`
-	Action   Action `json:"action"`
-	ErrnoRet *uint  `json:"errnoRet"`
-	Args     []*Arg `json:"args"`
-}
-
-// Config defines configuration options for executing a process inside a contained environment.
-type Config struct {
-	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
-	// This is a common option when the container is running in ramdisk
-	NoPivotRoot bool `json:"no_pivot_root"`
-
-	// ParentDeathSignal specifies the signal that is sent to the container's process in the case
-	// that the parent process dies.
-	ParentDeathSignal int `json:"parent_death_signal"`
-
-	// Path to a directory containing the container's root filesystem.
-	Rootfs string `json:"rootfs"`
-
-	// Umask is the umask to use inside of the container.
-	Umask *uint32 `json:"umask"`
-
-	// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
-	// bind mounts are writtable.
-	Readonlyfs bool `json:"readonlyfs"`
-
-	// Specifies the mount propagation flags to be applied to /.
-	RootPropagation int `json:"rootPropagation"`
-
-	// Mounts specify additional source and destination paths that will be mounted inside the container's
-	// rootfs and mount namespace if specified
-	Mounts []*Mount `json:"mounts"`
-
-	// The device nodes that should be automatically created within the container upon container start.  Note, make sure that the node is marked as allowed in the cgroup as well!
-	Devices []*devices.Device `json:"devices"`
-
-	MountLabel string `json:"mount_label"`
-
-	// Hostname optionally sets the container's hostname if provided
-	Hostname string `json:"hostname"`
-
-	// Domainname optionally sets the container's domainname if provided
-	Domainname string `json:"domainname"`
-
-	// Namespaces specifies the container's namespaces that it should setup when cloning the init process
-	// If a namespace is not provided that namespace is shared from the container's parent process
-	Namespaces Namespaces `json:"namespaces"`
-
-	// Capabilities specify the capabilities to keep when executing the process inside the container
-	// All capabilities not specified will be dropped from the processes capability mask
-	Capabilities *Capabilities `json:"capabilities"`
-
-	// Networks specifies the container's network setup to be created
-	Networks []*Network `json:"networks"`
-
-	// Routes can be specified to create entries in the route table as the container is started
-	Routes []*Route `json:"routes"`
-
-	// Cgroups specifies specific cgroup settings for the various subsystems that the container is
-	// placed into to limit the resources the container has available
-	Cgroups *Cgroup `json:"cgroups"`
-
-	// AppArmorProfile specifies the profile to apply to the process running in the container and is
-	// change at the time the process is execed
-	AppArmorProfile string `json:"apparmor_profile,omitempty"`
-
-	// ProcessLabel specifies the label to apply to the process running in the container.  It is
-	// commonly used by selinux
-	ProcessLabel string `json:"process_label,omitempty"`
-
-	// Rlimits specifies the resource limits, such as max open files, to set in the container
-	// If Rlimits are not set, the container will inherit rlimits from the parent process
-	Rlimits []Rlimit `json:"rlimits,omitempty"`
-
-	// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores
-	// for a process. Valid values are between the range [-1000, '1000'], where processes with
-	// higher scores are preferred for being killed. If it is unset then we don't touch the current
-	// value.
-	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
-	OomScoreAdj *int `json:"oom_score_adj,omitempty"`
-
-	// UIDMappings is an array of User ID mappings for User Namespaces
-	UIDMappings []IDMap `json:"uid_mappings"`
-
-	// GIDMappings is an array of Group ID mappings for User Namespaces
-	GIDMappings []IDMap `json:"gid_mappings"`
-
-	// MaskPaths specifies paths within the container's rootfs to mask over with a bind
-	// mount pointing to /dev/null as to prevent reads of the file.
-	MaskPaths []string `json:"mask_paths"`
-
-	// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only
-	// so that these files prevent any writes.
-	ReadonlyPaths []string `json:"readonly_paths"`
-
-	// Sysctl is a map of properties and their values. It is the equivalent of using
-	// sysctl -w my.property.name value in Linux.
-	Sysctl map[string]string `json:"sysctl"`
-
-	// Seccomp allows actions to be taken whenever a syscall is made within the container.
-	// A number of rules are given, each having an action to be taken if a syscall matches it.
-	// A default action to be taken if no rules match is also given.
-	Seccomp *Seccomp `json:"seccomp"`
-
-	// NoNewPrivileges controls whether processes in the container can gain additional privileges.
-	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
-
-	// Hooks are a collection of actions to perform at various container lifecycle events.
-	// CommandHooks are serialized to JSON, but other hooks are not.
-	Hooks Hooks
-
-	// Version is the version of opencontainer specification that is supported.
-	Version string `json:"version"`
-
-	// Labels are user defined metadata that is stored in the config and populated on the state
-	Labels []string `json:"labels"`
-
-	// NoNewKeyring will not allocated a new session keyring for the container.  It will use the
-	// callers keyring in this case.
-	NoNewKeyring bool `json:"no_new_keyring"`
-
-	// IntelRdt specifies settings for Intel RDT group that the container is placed into
-	// to limit the resources (e.g., L3 cache, memory bandwidth) the container has available
-	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
-
-	// RootlessEUID is set when the runc was launched with non-zero EUID.
-	// Note that RootlessEUID is set to false when launched with EUID=0 in userns.
-	// When RootlessEUID is set, runc creates a new userns for the container.
-	// (config.json needs to contain userns settings)
-	RootlessEUID bool `json:"rootless_euid,omitempty"`
-
-	// RootlessCgroups is set when unlikely to have the full access to cgroups.
-	// When RootlessCgroups is set, cgroups errors are ignored.
-	RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
-
-	// TimeOffsets specifies the offset for supporting time namespaces.
-	TimeOffsets map[string]specs.LinuxTimeOffset `json:"time_offsets,omitempty"`
-
-	// Scheduler represents the scheduling attributes for a process.
-	Scheduler *Scheduler `json:"scheduler,omitempty"`
-
-	// Personality contains configuration for the Linux personality syscall.
-	Personality *LinuxPersonality `json:"personality,omitempty"`
-
-	// IOPriority is the container's I/O priority.
-	IOPriority *IOPriority `json:"io_priority,omitempty"`
-}
-
-// Scheduler is based on the Linux sched_setattr(2) syscall.
-type Scheduler = specs.Scheduler
-
-// ToSchedAttr is to convert *configs.Scheduler to *unix.SchedAttr.
-func ToSchedAttr(scheduler *Scheduler) (*unix.SchedAttr, error) {
-	var policy uint32
-	switch scheduler.Policy {
-	case specs.SchedOther:
-		policy = 0
-	case specs.SchedFIFO:
-		policy = 1
-	case specs.SchedRR:
-		policy = 2
-	case specs.SchedBatch:
-		policy = 3
-	case specs.SchedISO:
-		policy = 4
-	case specs.SchedIdle:
-		policy = 5
-	case specs.SchedDeadline:
-		policy = 6
-	default:
-		return nil, fmt.Errorf("invalid scheduler policy: %s", scheduler.Policy)
-	}
-
-	var flags uint64
-	for _, flag := range scheduler.Flags {
-		switch flag {
-		case specs.SchedFlagResetOnFork:
-			flags |= 0x01
-		case specs.SchedFlagReclaim:
-			flags |= 0x02
-		case specs.SchedFlagDLOverrun:
-			flags |= 0x04
-		case specs.SchedFlagKeepPolicy:
-			flags |= 0x08
-		case specs.SchedFlagKeepParams:
-			flags |= 0x10
-		case specs.SchedFlagUtilClampMin:
-			flags |= 0x20
-		case specs.SchedFlagUtilClampMax:
-			flags |= 0x40
-		default:
-			return nil, fmt.Errorf("invalid scheduler flag: %s", flag)
-		}
-	}
-
-	return &unix.SchedAttr{
-		Size:     unix.SizeofSchedAttr,
-		Policy:   policy,
-		Flags:    flags,
-		Nice:     scheduler.Nice,
-		Priority: uint32(scheduler.Priority),
-		Runtime:  scheduler.Runtime,
-		Deadline: scheduler.Deadline,
-		Period:   scheduler.Period,
-	}, nil
-}
-
-var IOPrioClassMapping = map[specs.IOPriorityClass]int{
-	specs.IOPRIO_CLASS_RT:   1,
-	specs.IOPRIO_CLASS_BE:   2,
-	specs.IOPRIO_CLASS_IDLE: 3,
-}
-
-type IOPriority = specs.LinuxIOPriority
-
-type (
-	HookName string
-	HookList []Hook
-	Hooks    map[HookName]HookList
-)
-
-const (
-	// Prestart commands are executed after the container namespaces are created,
-	// but before the user supplied command is executed from init.
-	// Note: This hook is now deprecated
-	// Prestart commands are called in the Runtime namespace.
-	Prestart HookName = "prestart"
-
-	// CreateRuntime commands MUST be called as part of the create operation after
-	// the runtime environment has been created but before the pivot_root has been executed.
-	// CreateRuntime is called immediately after the deprecated Prestart hook.
-	// CreateRuntime commands are called in the Runtime Namespace.
-	CreateRuntime HookName = "createRuntime"
-
-	// CreateContainer commands MUST be called as part of the create operation after
-	// the runtime environment has been created but before the pivot_root has been executed.
-	// CreateContainer commands are called in the Container namespace.
-	CreateContainer HookName = "createContainer"
-
-	// StartContainer commands MUST be called as part of the start operation and before
-	// the container process is started.
-	// StartContainer commands are called in the Container namespace.
-	StartContainer HookName = "startContainer"
-
-	// Poststart commands are executed after the container init process starts.
-	// Poststart commands are called in the Runtime Namespace.
-	Poststart HookName = "poststart"
-
-	// Poststop commands are executed after the container init process exits.
-	// Poststop commands are called in the Runtime Namespace.
-	Poststop HookName = "poststop"
-)
-
-// KnownHookNames returns the known hook names.
-// Used by `runc features`.
-func KnownHookNames() []string {
-	return []string{
-		string(Prestart), // deprecated
-		string(CreateRuntime),
-		string(CreateContainer),
-		string(StartContainer),
-		string(Poststart),
-		string(Poststop),
-	}
-}
-
-type Capabilities struct {
-	// Bounding is the set of capabilities checked by the kernel.
-	Bounding []string
-	// Effective is the set of capabilities checked by the kernel.
-	Effective []string
-	// Inheritable is the capabilities preserved across execve.
-	Inheritable []string
-	// Permitted is the limiting superset for effective capabilities.
-	Permitted []string
-	// Ambient is the ambient set of capabilities that are kept.
-	Ambient []string
-}
-
-// Deprecated: use (Hooks).Run instead.
-func (hooks HookList) RunHooks(state *specs.State) error {
-	for i, h := range hooks {
-		if err := h.Run(state); err != nil {
-			return fmt.Errorf("error running hook #%d: %w", i, err)
-		}
-	}
-
-	return nil
-}
-
-func (hooks *Hooks) UnmarshalJSON(b []byte) error {
-	var state map[HookName][]CommandHook
-
-	if err := json.Unmarshal(b, &state); err != nil {
-		return err
-	}
-
-	*hooks = Hooks{}
-	for n, commandHooks := range state {
-		if len(commandHooks) == 0 {
-			continue
-		}
-
-		(*hooks)[n] = HookList{}
-		for _, h := range commandHooks {
-			(*hooks)[n] = append((*hooks)[n], h)
-		}
-	}
-
-	return nil
-}
-
-func (hooks *Hooks) MarshalJSON() ([]byte, error) {
-	serialize := func(hooks []Hook) (serializableHooks []CommandHook) {
-		for _, hook := range hooks {
-			switch chook := hook.(type) {
-			case CommandHook:
-				serializableHooks = append(serializableHooks, chook)
-			default:
-				logrus.Warnf("cannot serialize hook of type %T, skipping", hook)
-			}
-		}
-
-		return serializableHooks
-	}
-
-	return json.Marshal(map[string]interface{}{
-		"prestart":        serialize((*hooks)[Prestart]),
-		"createRuntime":   serialize((*hooks)[CreateRuntime]),
-		"createContainer": serialize((*hooks)[CreateContainer]),
-		"startContainer":  serialize((*hooks)[StartContainer]),
-		"poststart":       serialize((*hooks)[Poststart]),
-		"poststop":        serialize((*hooks)[Poststop]),
-	})
-}
-
-// Run executes all hooks for the given hook name.
-func (hooks Hooks) Run(name HookName, state *specs.State) error {
-	list := hooks[name]
-	for i, h := range list {
-		if err := h.Run(state); err != nil {
-			return fmt.Errorf("error running %s hook #%d: %w", name, i, err)
-		}
-	}
-
-	return nil
-}
-
-type Hook interface {
-	// Run executes the hook with the provided state.
-	Run(*specs.State) error
-}
-
-// NewFunctionHook will call the provided function when the hook is run.
-func NewFunctionHook(f func(*specs.State) error) FuncHook {
-	return FuncHook{
-		run: f,
-	}
-}
-
-type FuncHook struct {
-	run func(*specs.State) error
-}
-
-func (f FuncHook) Run(s *specs.State) error {
-	return f.run(s)
-}
-
-type Command struct {
-	Path    string         `json:"path"`
-	Args    []string       `json:"args"`
-	Env     []string       `json:"env"`
-	Dir     string         `json:"dir"`
-	Timeout *time.Duration `json:"timeout"`
-}
-
-// NewCommandHook will execute the provided command when the hook is run.
-func NewCommandHook(cmd Command) CommandHook {
-	return CommandHook{
-		Command: cmd,
-	}
-}
-
-type CommandHook struct {
-	Command
-}
-
-func (c Command) Run(s *specs.State) error {
-	b, err := json.Marshal(s)
-	if err != nil {
-		return err
-	}
-	var stdout, stderr bytes.Buffer
-	cmd := exec.Cmd{
-		Path:   c.Path,
-		Args:   c.Args,
-		Env:    c.Env,
-		Stdin:  bytes.NewReader(b),
-		Stdout: &stdout,
-		Stderr: &stderr,
-	}
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	errC := make(chan error, 1)
-	go func() {
-		err := cmd.Wait()
-		if err != nil {
-			err = fmt.Errorf("%w, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
-		}
-		errC <- err
-	}()
-	var timerCh <-chan time.Time
-	if c.Timeout != nil {
-		timer := time.NewTimer(*c.Timeout)
-		defer timer.Stop()
-		timerCh = timer.C
-	}
-	select {
-	case err := <-errC:
-		return err
-	case <-timerCh:
-		_ = cmd.Process.Kill()
-		<-errC
-		return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
-	}
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go
deleted file mode 100644
index e401f5331b454..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go
+++ /dev/null
@@ -1,97 +0,0 @@
-package configs
-
-import (
-	"errors"
-	"fmt"
-	"math"
-)
-
-var (
-	errNoUIDMap = errors.New("user namespaces enabled, but no uid mappings found")
-	errNoGIDMap = errors.New("user namespaces enabled, but no gid mappings found")
-)
-
-// Please check https://man7.org/linux/man-pages/man2/personality.2.html for const details.
-// https://raw.githubusercontent.com/torvalds/linux/master/include/uapi/linux/personality.h
-const (
-	PerLinux   = 0x0000
-	PerLinux32 = 0x0008
-)
-
-type LinuxPersonality struct {
-	// Domain for the personality
-	// can only contain values "LINUX" and "LINUX32"
-	Domain int `json:"domain"`
-}
-
-// HostUID gets the translated uid for the process on host which could be
-// different when user namespaces are enabled.
-func (c Config) HostUID(containerId int) (int, error) {
-	if c.Namespaces.Contains(NEWUSER) {
-		if len(c.UIDMappings) == 0 {
-			return -1, errNoUIDMap
-		}
-		id, found := c.hostIDFromMapping(int64(containerId), c.UIDMappings)
-		if !found {
-			return -1, fmt.Errorf("user namespaces enabled, but no mapping found for uid %d", containerId)
-		}
-		// If we are a 32-bit binary running on a 64-bit system, it's possible
-		// the mapped user is too large to store in an int, which means we
-		// cannot do the mapping. We can't just return an int64, because
-		// os.Setuid() takes an int.
-		if id > math.MaxInt {
-			return -1, fmt.Errorf("mapping for uid %d (host id %d) is larger than native integer size (%d)", containerId, id, math.MaxInt)
-		}
-		return int(id), nil
-	}
-	// Return unchanged id.
-	return containerId, nil
-}
-
-// HostRootUID gets the root uid for the process on host which could be non-zero
-// when user namespaces are enabled.
-func (c Config) HostRootUID() (int, error) {
-	return c.HostUID(0)
-}
-
-// HostGID gets the translated gid for the process on host which could be
-// different when user namespaces are enabled.
-func (c Config) HostGID(containerId int) (int, error) {
-	if c.Namespaces.Contains(NEWUSER) {
-		if len(c.GIDMappings) == 0 {
-			return -1, errNoGIDMap
-		}
-		id, found := c.hostIDFromMapping(int64(containerId), c.GIDMappings)
-		if !found {
-			return -1, fmt.Errorf("user namespaces enabled, but no mapping found for gid %d", containerId)
-		}
-		// If we are a 32-bit binary running on a 64-bit system, it's possible
-		// the mapped user is too large to store in an int, which means we
-		// cannot do the mapping. We can't just return an int64, because
-		// os.Setgid() takes an int.
-		if id > math.MaxInt {
-			return -1, fmt.Errorf("mapping for gid %d (host id %d) is larger than native integer size (%d)", containerId, id, math.MaxInt)
-		}
-		return int(id), nil
-	}
-	// Return unchanged id.
-	return containerId, nil
-}
-
-// HostRootGID gets the root gid for the process on host which could be non-zero
-// when user namespaces are enabled.
-func (c Config) HostRootGID() (int, error) {
-	return c.HostGID(0)
-}
-
-// Utility function that gets a host ID for a container ID from user namespace map
-// if that ID is present in the map.
-func (c Config) hostIDFromMapping(containerID int64, uMap []IDMap) (int64, bool) {
-	for _, m := range uMap {
-		if (containerID >= m.ContainerID) && (containerID <= (m.ContainerID + m.Size - 1)) {
-			hostID := m.HostID + (containerID - m.ContainerID)
-			return hostID, true
-		}
-	}
-	return -1, false
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go
deleted file mode 100644
index 1fd87ce6a4b3a..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/configs_fuzzer.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build gofuzz
-
-package configs
-
-func FuzzUnmarshalJSON(data []byte) int {
-	hooks := Hooks{}
-	_ = hooks.UnmarshalJSON(data)
-	return 1
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/hugepage_limit.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/hugepage_limit.go
deleted file mode 100644
index d30216380b50d..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/hugepage_limit.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package configs
-
-type HugepageLimit struct {
-	// which type of hugepage to limit.
-	Pagesize string `json:"page_size"`
-
-	// usage limit for hugepage.
-	Limit uint64 `json:"limit"`
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
deleted file mode 100644
index f8d951ab8b9d3..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package configs
-
-type IntelRdt struct {
-	// The identity for RDT Class of Service
-	ClosID string `json:"closID,omitempty"`
-
-	// The schema for L3 cache id and capacity bitmask (CBM)
-	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
-	L3CacheSchema string `json:"l3_cache_schema,omitempty"`
-
-	// The schema of memory bandwidth per L3 cache id
-	// Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
-	// The unit of memory bandwidth is specified in "percentages" by
-	// default, and in "MBps" if MBA Software Controller is enabled.
-	MemBwSchema string `json:"memBwSchema,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/interface_priority_map.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/interface_priority_map.go
deleted file mode 100644
index 9a0395eaf5ff6..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/interface_priority_map.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package configs
-
-import (
-	"fmt"
-)
-
-type IfPrioMap struct {
-	Interface string `json:"interface"`
-	Priority  int64  `json:"priority"`
-}
-
-func (i *IfPrioMap) CgroupString() string {
-	return fmt.Sprintf("%s %d", i.Interface, i.Priority)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
deleted file mode 100644
index bfd356e497f4d..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package configs
-
-const (
-	// EXT_COPYUP is a directive to copy up the contents of a directory when
-	// a tmpfs is mounted over it.
-	EXT_COPYUP = 1 << iota //nolint:golint,revive // ignore "don't use ALL_CAPS" warning
-)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_linux.go
deleted file mode 100644
index b69e9ab238edd..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_linux.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package configs
-
-import "golang.org/x/sys/unix"
-
-type MountIDMapping struct {
-	// Recursive indicates if the mapping needs to be recursive.
-	Recursive bool `json:"recursive"`
-
-	// UserNSPath is a path to a user namespace that indicates the necessary
-	// id-mappings for MOUNT_ATTR_IDMAP. If set to non-"", UIDMappings and
-	// GIDMappings must be set to nil.
-	UserNSPath string `json:"userns_path,omitempty"`
-
-	// UIDMappings is the uid mapping set for this mount, to be used with
-	// MOUNT_ATTR_IDMAP.
-	UIDMappings []IDMap `json:"uid_mappings,omitempty"`
-
-	// GIDMappings is the gid mapping set for this mount, to be used with
-	// MOUNT_ATTR_IDMAP.
-	GIDMappings []IDMap `json:"gid_mappings,omitempty"`
-}
-
-type Mount struct {
-	// Source path for the mount.
-	Source string `json:"source"`
-
-	// Destination path for the mount inside the container.
-	Destination string `json:"destination"`
-
-	// Device the mount is for.
-	Device string `json:"device"`
-
-	// Mount flags.
-	Flags int `json:"flags"`
-
-	// Mount flags that were explicitly cleared in the configuration (meaning
-	// the user explicitly requested that these flags *not* be set).
-	ClearedFlags int `json:"cleared_flags"`
-
-	// Propagation Flags
-	PropagationFlags []int `json:"propagation_flags"`
-
-	// Mount data applied to the mount.
-	Data string `json:"data"`
-
-	// Relabel source if set, "z" indicates shared, "Z" indicates unshared.
-	Relabel string `json:"relabel"`
-
-	// RecAttr represents mount properties to be applied recursively (AT_RECURSIVE), see mount_setattr(2).
-	RecAttr *unix.MountAttr `json:"rec_attr"`
-
-	// Extensions are additional flags that are specific to runc.
-	Extensions int `json:"extensions"`
-
-	// Mapping is the MOUNT_ATTR_IDMAP configuration for the mount. If non-nil,
-	// the mount is configured to use MOUNT_ATTR_IDMAP-style id mappings.
-	IDMapping *MountIDMapping `json:"id_mapping,omitempty"`
-}
-
-func (m *Mount) IsBind() bool {
-	return m.Flags&unix.MS_BIND != 0
-}
-
-func (m *Mount) IsIDMapped() bool {
-	return m.IDMapping != nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_unsupported.go
deleted file mode 100644
index 1d4d9fe52a5f3..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount_unsupported.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//go:build !linux
-
-package configs
-
-type Mount struct{}
-
-func (m *Mount) IsBind() bool {
-	return false
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces.go
deleted file mode 100644
index a3329a31a9cb6..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package configs
-
-type NamespaceType string
-
-type Namespaces []Namespace
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
deleted file mode 100644
index 898f96fd0f594..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
+++ /dev/null
@@ -1,133 +0,0 @@
-package configs
-
-import (
-	"fmt"
-	"os"
-	"sync"
-)
-
-const (
-	NEWNET    NamespaceType = "NEWNET"
-	NEWPID    NamespaceType = "NEWPID"
-	NEWNS     NamespaceType = "NEWNS"
-	NEWUTS    NamespaceType = "NEWUTS"
-	NEWIPC    NamespaceType = "NEWIPC"
-	NEWUSER   NamespaceType = "NEWUSER"
-	NEWCGROUP NamespaceType = "NEWCGROUP"
-	NEWTIME   NamespaceType = "NEWTIME"
-)
-
-var (
-	nsLock              sync.Mutex
-	supportedNamespaces = make(map[NamespaceType]bool)
-)
-
-// NsName converts the namespace type to its filename
-func NsName(ns NamespaceType) string {
-	switch ns {
-	case NEWNET:
-		return "net"
-	case NEWNS:
-		return "mnt"
-	case NEWPID:
-		return "pid"
-	case NEWIPC:
-		return "ipc"
-	case NEWUSER:
-		return "user"
-	case NEWUTS:
-		return "uts"
-	case NEWCGROUP:
-		return "cgroup"
-	case NEWTIME:
-		return "time"
-	}
-	return ""
-}
-
-// IsNamespaceSupported returns whether a namespace is available or
-// not
-func IsNamespaceSupported(ns NamespaceType) bool {
-	nsLock.Lock()
-	defer nsLock.Unlock()
-	supported, ok := supportedNamespaces[ns]
-	if ok {
-		return supported
-	}
-	nsFile := NsName(ns)
-	// if the namespace type is unknown, just return false
-	if nsFile == "" {
-		return false
-	}
-	// We don't need to use /proc/thread-self here because the list of
-	// namespace types is unrelated to the thread. This lets us avoid having to
-	// do runtime.LockOSThread.
-	_, err := os.Stat("/proc/self/ns/" + nsFile)
-	// a namespace is supported if it exists and we have permissions to read it
-	supported = err == nil
-	supportedNamespaces[ns] = supported
-	return supported
-}
-
-func NamespaceTypes() []NamespaceType {
-	return []NamespaceType{
-		NEWUSER, // Keep user NS always first, don't move it.
-		NEWIPC,
-		NEWUTS,
-		NEWNET,
-		NEWPID,
-		NEWNS,
-		NEWCGROUP,
-		NEWTIME,
-	}
-}
-
-// Namespace defines configuration for each namespace.  It specifies an
-// alternate path that is able to be joined via setns.
-type Namespace struct {
-	Type NamespaceType `json:"type"`
-	Path string        `json:"path"`
-}
-
-func (n *Namespace) GetPath(pid int) string {
-	return fmt.Sprintf("/proc/%d/ns/%s", pid, NsName(n.Type))
-}
-
-func (n *Namespaces) Remove(t NamespaceType) bool {
-	i := n.index(t)
-	if i == -1 {
-		return false
-	}
-	*n = append((*n)[:i], (*n)[i+1:]...)
-	return true
-}
-
-func (n *Namespaces) Add(t NamespaceType, path string) {
-	i := n.index(t)
-	if i == -1 {
-		*n = append(*n, Namespace{Type: t, Path: path})
-		return
-	}
-	(*n)[i].Path = path
-}
-
-func (n *Namespaces) index(t NamespaceType) int {
-	for i, ns := range *n {
-		if ns.Type == t {
-			return i
-		}
-	}
-	return -1
-}
-
-func (n *Namespaces) Contains(t NamespaceType) bool {
-	return n.index(t) != -1
-}
-
-func (n *Namespaces) PathOf(t NamespaceType) string {
-	i := n.index(t)
-	if i == -1 {
-		return ""
-	}
-	return (*n)[i].Path
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
deleted file mode 100644
index 26b70b26fa1f1..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
+++ /dev/null
@@ -1,45 +0,0 @@
-//go:build linux
-
-package configs
-
-import "golang.org/x/sys/unix"
-
-func (n *Namespace) Syscall() int {
-	return namespaceInfo[n.Type]
-}
-
-var namespaceInfo = map[NamespaceType]int{
-	NEWNET:    unix.CLONE_NEWNET,
-	NEWNS:     unix.CLONE_NEWNS,
-	NEWUSER:   unix.CLONE_NEWUSER,
-	NEWIPC:    unix.CLONE_NEWIPC,
-	NEWUTS:    unix.CLONE_NEWUTS,
-	NEWPID:    unix.CLONE_NEWPID,
-	NEWCGROUP: unix.CLONE_NEWCGROUP,
-	NEWTIME:   unix.CLONE_NEWTIME,
-}
-
-// CloneFlags parses the container's Namespaces options to set the correct
-// flags on clone, unshare. This function returns flags only for new namespaces.
-func (n *Namespaces) CloneFlags() uintptr {
-	var flag int
-	for _, v := range *n {
-		if v.Path != "" {
-			continue
-		}
-		flag |= namespaceInfo[v.Type]
-	}
-	return uintptr(flag)
-}
-
-// IsPrivate tells whether the namespace of type t is configured as private
-// (i.e. it exists and is not shared).
-func (n Namespaces) IsPrivate(t NamespaceType) bool {
-	for _, v := range n {
-		if v.Type == t {
-			return v.Path == ""
-		}
-	}
-	// Not found, so implicitly sharing a parent namespace.
-	return false
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
deleted file mode 100644
index 10bf243650215..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
+++ /dev/null
@@ -1,13 +0,0 @@
-//go:build !linux && !windows
-
-package configs
-
-func (n *Namespace) Syscall() int {
-	panic("No namespace syscall support")
-}
-
-// CloneFlags parses the container's Namespaces options to set the correct
-// flags on clone, unshare. This function returns flags only for new namespaces.
-func (n *Namespaces) CloneFlags() uintptr {
-	panic("No namespace syscall support")
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
deleted file mode 100644
index 914684993c934..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
+++ /dev/null
@@ -1,7 +0,0 @@
-//go:build !linux
-
-package configs
-
-// Namespace defines configuration for each namespace.  It specifies an
-// alternate path that is able to be joined via setns.
-type Namespace struct{}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/network.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/network.go
deleted file mode 100644
index c44c3ea71b8f7..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/network.go
+++ /dev/null
@@ -1,75 +0,0 @@
-package configs
-
-// Network defines configuration for a container's networking stack
-//
-// The network configuration can be omitted from a container causing the
-// container to be setup with the host's networking stack
-type Network struct {
-	// Type sets the networks type, commonly veth and loopback
-	Type string `json:"type"`
-
-	// Name of the network interface
-	Name string `json:"name"`
-
-	// The bridge to use.
-	Bridge string `json:"bridge"`
-
-	// MacAddress contains the MAC address to set on the network interface
-	MacAddress string `json:"mac_address"`
-
-	// Address contains the IPv4 and mask to set on the network interface
-	Address string `json:"address"`
-
-	// Gateway sets the gateway address that is used as the default for the interface
-	Gateway string `json:"gateway"`
-
-	// IPv6Address contains the IPv6 and mask to set on the network interface
-	IPv6Address string `json:"ipv6_address"`
-
-	// IPv6Gateway sets the ipv6 gateway address that is used as the default for the interface
-	IPv6Gateway string `json:"ipv6_gateway"`
-
-	// Mtu sets the mtu value for the interface and will be mirrored on both the host and
-	// container's interfaces if a pair is created, specifically in the case of type veth
-	// Note: This does not apply to loopback interfaces.
-	Mtu int `json:"mtu"`
-
-	// TxQueueLen sets the tx_queuelen value for the interface and will be mirrored on both the host and
-	// container's interfaces if a pair is created, specifically in the case of type veth
-	// Note: This does not apply to loopback interfaces.
-	TxQueueLen int `json:"txqueuelen"`
-
-	// HostInterfaceName is a unique name of a veth pair that resides on in the host interface of the
-	// container.
-	HostInterfaceName string `json:"host_interface_name"`
-
-	// HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
-	// bridge port in the case of type veth
-	// Note: This is unsupported on some systems.
-	// Note: This does not apply to loopback interfaces.
-	HairpinMode bool `json:"hairpin_mode"`
-}
-
-// Route defines a routing table entry.
-//
-// Routes can be specified to create entries in the routing table as the container
-// is started.
-//
-// All of destination, source, and gateway should be either IPv4 or IPv6.
-// One of the three options must be present, and omitted entries will use their
-// IP family default for the route table.  For IPv4 for example, setting the
-// gateway to 1.2.3.4 and the interface to eth0 will set up a standard
-// destination of 0.0.0.0(or *) when viewed in the route table.
-type Route struct {
-	// Destination specifies the destination IP address and mask in the CIDR form.
-	Destination string `json:"destination"`
-
-	// Source specifies the source IP address and mask in the CIDR form.
-	Source string `json:"source"`
-
-	// Gateway specifies the gateway IP address.
-	Gateway string `json:"gateway"`
-
-	// InterfaceName specifies the device to set this route up for, for example eth0.
-	InterfaceName string `json:"interface_name"`
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/rdma.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/rdma.go
deleted file mode 100644
index c69f2c8024bc1..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/rdma.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package configs
-
-// LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11)
-type LinuxRdma struct {
-	// Maximum number of HCA handles that can be opened. Default is "no limit".
-	HcaHandles *uint32 `json:"hca_handles,omitempty"`
-	// Maximum number of HCA objects that can be created. Default is "no limit".
-	HcaObjects *uint32 `json:"hca_objects,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
deleted file mode 100644
index c2c2b3bb7c0b4..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
+++ /dev/null
@@ -1,174 +0,0 @@
-package devices
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-)
-
-const (
-	Wildcard = -1
-)
-
-type Device struct {
-	Rule
-
-	// Path to the device.
-	Path string `json:"path"`
-
-	// FileMode permission bits for the device.
-	FileMode os.FileMode `json:"file_mode"`
-
-	// Uid of the device.
-	Uid uint32 `json:"uid"`
-
-	// Gid of the device.
-	Gid uint32 `json:"gid"`
-}
-
-// Permissions is a cgroupv1-style string to represent device access. It
-// has to be a string for backward compatibility reasons, hence why it has
-// methods to do set operations.
-type Permissions string
-
-const (
-	deviceRead uint = (1 << iota)
-	deviceWrite
-	deviceMknod
-)
-
-func (p Permissions) toSet() uint {
-	var set uint
-	for _, perm := range p {
-		switch perm {
-		case 'r':
-			set |= deviceRead
-		case 'w':
-			set |= deviceWrite
-		case 'm':
-			set |= deviceMknod
-		}
-	}
-	return set
-}
-
-func fromSet(set uint) Permissions {
-	var perm string
-	if set&deviceRead == deviceRead {
-		perm += "r"
-	}
-	if set&deviceWrite == deviceWrite {
-		perm += "w"
-	}
-	if set&deviceMknod == deviceMknod {
-		perm += "m"
-	}
-	return Permissions(perm)
-}
-
-// Union returns the union of the two sets of Permissions.
-func (p Permissions) Union(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs | rhs)
-}
-
-// Difference returns the set difference of the two sets of Permissions.
-// In set notation, A.Difference(B) gives you A\B.
-func (p Permissions) Difference(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs &^ rhs)
-}
-
-// Intersection computes the intersection of the two sets of Permissions.
-func (p Permissions) Intersection(o Permissions) Permissions {
-	lhs := p.toSet()
-	rhs := o.toSet()
-	return fromSet(lhs & rhs)
-}
-
-// IsEmpty returns whether the set of permissions in a Permissions is
-// empty.
-func (p Permissions) IsEmpty() bool {
-	return p == Permissions("")
-}
-
-// IsValid returns whether the set of permissions is a subset of valid
-// permissions (namely, {r,w,m}).
-func (p Permissions) IsValid() bool {
-	return p == fromSet(p.toSet())
-}
-
-type Type rune
-
-const (
-	WildcardDevice Type = 'a'
-	BlockDevice    Type = 'b'
-	CharDevice     Type = 'c' // or 'u'
-	FifoDevice     Type = 'p'
-)
-
-func (t Type) IsValid() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanMknod() bool {
-	switch t {
-	case BlockDevice, CharDevice, FifoDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-func (t Type) CanCgroup() bool {
-	switch t {
-	case WildcardDevice, BlockDevice, CharDevice:
-		return true
-	default:
-		return false
-	}
-}
-
-type Rule struct {
-	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
-	// acts as a wildcard and all fields other than Allow are ignored.
-	Type Type `json:"type"`
-
-	// Major is the device's major number.
-	Major int64 `json:"major"`
-
-	// Minor is the device's minor number.
-	Minor int64 `json:"minor"`
-
-	// Permissions is the set of permissions that this rule applies to (in the
-	// cgroupv1 format -- any combination of "rwm").
-	Permissions Permissions `json:"permissions"`
-
-	// Allow specifies whether this rule is allowed.
-	Allow bool `json:"allow"`
-}
-
-func (d *Rule) CgroupString() string {
-	var (
-		major = strconv.FormatInt(d.Major, 10)
-		minor = strconv.FormatInt(d.Minor, 10)
-	)
-	if d.Major == Wildcard {
-		major = "*"
-	}
-	if d.Minor == Wildcard {
-		minor = "*"
-	}
-	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
-}
-
-func (d *Rule) Mkdev() (uint64, error) {
-	return mkDev(d)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
deleted file mode 100644
index d00775f51426f..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
+++ /dev/null
@@ -1,119 +0,0 @@
-//go:build !windows
-
-package devices
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-
-	"golang.org/x/sys/unix"
-)
-
-// ErrNotADevice denotes that a file is not a valid linux device.
-var ErrNotADevice = errors.New("not a device node")
-
-// Testing dependencies
-var (
-	unixLstat = unix.Lstat
-	osReadDir = os.ReadDir
-)
-
-func mkDev(d *Rule) (uint64, error) {
-	if d.Major == Wildcard || d.Minor == Wildcard {
-		return 0, errors.New("cannot mkdev() device with wildcards")
-	}
-	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
-}
-
-// DeviceFromPath takes the path to a device and its cgroup_permissions (which
-// cannot be easily queried) to look up the information about a linux device
-// and returns that information as a Device struct.
-func DeviceFromPath(path, permissions string) (*Device, error) {
-	var stat unix.Stat_t
-	err := unixLstat(path, &stat)
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		devType   Type
-		mode      = stat.Mode
-		devNumber = uint64(stat.Rdev) //nolint:unconvert // Rdev is uint32 on e.g. MIPS.
-		major     = unix.Major(devNumber)
-		minor     = unix.Minor(devNumber)
-	)
-	switch mode & unix.S_IFMT {
-	case unix.S_IFBLK:
-		devType = BlockDevice
-	case unix.S_IFCHR:
-		devType = CharDevice
-	case unix.S_IFIFO:
-		devType = FifoDevice
-	default:
-		return nil, ErrNotADevice
-	}
-	return &Device{
-		Rule: Rule{
-			Type:        devType,
-			Major:       int64(major),
-			Minor:       int64(minor),
-			Permissions: Permissions(permissions),
-		},
-		Path:     path,
-		FileMode: os.FileMode(mode &^ unix.S_IFMT),
-		Uid:      stat.Uid,
-		Gid:      stat.Gid,
-	}, nil
-}
-
-// HostDevices returns all devices that can be found under /dev directory.
-func HostDevices() ([]*Device, error) {
-	return GetDevices("/dev")
-}
-
-// GetDevices recursively traverses a directory specified by path
-// and returns all devices found there.
-func GetDevices(path string) ([]*Device, error) {
-	files, err := osReadDir(path)
-	if err != nil {
-		return nil, err
-	}
-	var out []*Device
-	for _, f := range files {
-		switch {
-		case f.IsDir():
-			switch f.Name() {
-			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
-			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
-			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
-				continue
-			default:
-				sub, err := GetDevices(filepath.Join(path, f.Name()))
-				if err != nil {
-					return nil, err
-				}
-
-				out = append(out, sub...)
-				continue
-			}
-		case f.Name() == "console":
-			continue
-		}
-		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
-		if err != nil {
-			if errors.Is(err, ErrNotADevice) {
-				continue
-			}
-			if os.IsNotExist(err) {
-				continue
-			}
-			return nil, err
-		}
-		if device.Type == FifoDevice {
-			continue
-		}
-		out = append(out, device)
-	}
-	return out, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
deleted file mode 100644
index 2edd1417af3d0..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package utils
-
-/*
- * Copyright 2016, 2017 SUSE LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import (
-	"fmt"
-	"os"
-	"runtime"
-
-	"golang.org/x/sys/unix"
-)
-
-// MaxNameLen is the maximum length of the name of a file descriptor being sent
-// using SendFile. The name of the file handle returned by RecvFile will never be
-// larger than this value.
-const MaxNameLen = 4096
-
-// oobSpace is the size of the oob slice required to store a single FD. Note
-// that unix.UnixRights appears to make the assumption that fd is always int32,
-// so sizeof(fd) = 4.
-var oobSpace = unix.CmsgSpace(4)
-
-// RecvFile waits for a file descriptor to be sent over the given AF_UNIX
-// socket. The file name of the remote file descriptor will be recreated
-// locally (it is sent as non-auxiliary data in the same payload).
-func RecvFile(socket *os.File) (_ *os.File, Err error) {
-	name := make([]byte, MaxNameLen)
-	oob := make([]byte, oobSpace)
-
-	sockfd := socket.Fd()
-	n, oobn, _, _, err := unix.Recvmsg(int(sockfd), name, oob, unix.MSG_CMSG_CLOEXEC)
-	if err != nil {
-		return nil, err
-	}
-	if n >= MaxNameLen || oobn != oobSpace {
-		return nil, fmt.Errorf("recvfile: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
-	}
-	// Truncate.
-	name = name[:n]
-	oob = oob[:oobn]
-
-	scms, err := unix.ParseSocketControlMessage(oob)
-	if err != nil {
-		return nil, err
-	}
-
-	// We cannot control how many SCM_RIGHTS we receive, and upon receiving
-	// them all of the descriptors are installed in our fd table, so we need to
-	// parse all of the SCM_RIGHTS we received in order to close all of the
-	// descriptors on error.
-	var fds []int
-	defer func() {
-		for i, fd := range fds {
-			if i == 0 && Err == nil {
-				// Only close the first one on error.
-				continue
-			}
-			// Always close extra ones.
-			_ = unix.Close(fd)
-		}
-	}()
-	var lastErr error
-	for _, scm := range scms {
-		if scm.Header.Type == unix.SCM_RIGHTS {
-			scmFds, err := unix.ParseUnixRights(&scm)
-			if err != nil {
-				lastErr = err
-			} else {
-				fds = append(fds, scmFds...)
-			}
-		}
-	}
-	if lastErr != nil {
-		return nil, lastErr
-	}
-
-	// We do this after collecting the fds to make sure we close them all when
-	// returning an error here.
-	if len(scms) != 1 {
-		return nil, fmt.Errorf("recvfd: number of SCMs is not 1: %d", len(scms))
-	}
-	if len(fds) != 1 {
-		return nil, fmt.Errorf("recvfd: number of fds is not 1: %d", len(fds))
-	}
-	return os.NewFile(uintptr(fds[0]), string(name)), nil
-}
-
-// SendFile sends a file over the given AF_UNIX socket. file.Name() is also
-// included so that if the other end uses RecvFile, the file will have the same
-// name information.
-func SendFile(socket *os.File, file *os.File) error {
-	name := file.Name()
-	if len(name) >= MaxNameLen {
-		return fmt.Errorf("sendfd: filename too long: %s", name)
-	}
-	err := SendRawFd(socket, name, file.Fd())
-	runtime.KeepAlive(file)
-	return err
-}
-
-// SendRawFd sends a specific file descriptor over the given AF_UNIX socket.
-func SendRawFd(socket *os.File, msg string, fd uintptr) error {
-	oob := unix.UnixRights(int(fd))
-	return unix.Sendmsg(int(socket.Fd()), []byte(msg), oob, nil, 0)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
deleted file mode 100644
index db420ea688d3d..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
+++ /dev/null
@@ -1,115 +0,0 @@
-package utils
-
-import (
-	"encoding/json"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"golang.org/x/sys/unix"
-)
-
-const (
-	exitSignalOffset = 128
-)
-
-// ExitStatus returns the correct exit status for a process based on if it
-// was signaled or exited cleanly
-func ExitStatus(status unix.WaitStatus) int {
-	if status.Signaled() {
-		return exitSignalOffset + int(status.Signal())
-	}
-	return status.ExitStatus()
-}
-
-// WriteJSON writes the provided struct v to w using standard json marshaling
-// without a trailing newline. This is used instead of json.Encoder because
-// there might be a problem in json decoder in some cases, see:
-// https://github.com/docker/docker/issues/14203#issuecomment-174177790
-func WriteJSON(w io.Writer, v interface{}) error {
-	data, err := json.Marshal(v)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(data)
-	return err
-}
-
-// CleanPath makes a path safe for use with filepath.Join. This is done by not
-// only cleaning the path, but also (if the path is relative) adding a leading
-// '/' and cleaning it (then removing the leading '/'). This ensures that a
-// path resulting from prepending another path will always resolve to lexically
-// be a subdirectory of the prefixed path. This is all done lexically, so paths
-// that include symlinks won't be safe as a result of using CleanPath.
-func CleanPath(path string) string {
-	// Deal with empty strings nicely.
-	if path == "" {
-		return ""
-	}
-
-	// Ensure that all paths are cleaned (especially problematic ones like
-	// "/../../../../../" which can cause lots of issues).
-	path = filepath.Clean(path)
-
-	// If the path isn't absolute, we need to do more processing to fix paths
-	// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
-	// paths to relative ones.
-	if !filepath.IsAbs(path) {
-		path = filepath.Clean(string(os.PathSeparator) + path)
-		// This can't fail, as (by definition) all paths are relative to root.
-		path, _ = filepath.Rel(string(os.PathSeparator), path)
-	}
-
-	// Clean the path again for good measure.
-	return filepath.Clean(path)
-}
-
-// stripRoot returns the passed path, stripping the root path if it was
-// (lexicially) inside it. Note that both passed paths will always be treated
-// as absolute, and the returned path will also always be absolute. In
-// addition, the paths are cleaned before stripping the root.
-func stripRoot(root, path string) string {
-	// Make the paths clean and absolute.
-	root, path = CleanPath("/"+root), CleanPath("/"+path)
-	switch {
-	case path == root:
-		path = "/"
-	case root == "/":
-		// do nothing
-	case strings.HasPrefix(path, root+"/"):
-		path = strings.TrimPrefix(path, root+"/")
-	}
-	return CleanPath("/" + path)
-}
-
-// SearchLabels searches through a list of key=value pairs for a given key,
-// returning its value, and the binary flag telling whether the key exist.
-func SearchLabels(labels []string, key string) (string, bool) {
-	key += "="
-	for _, s := range labels {
-		if strings.HasPrefix(s, key) {
-			return s[len(key):], true
-		}
-	}
-	return "", false
-}
-
-// Annotations returns the bundle path and user defined annotations from the
-// libcontainer state.  We need to remove the bundle because that is a label
-// added by libcontainer.
-func Annotations(labels []string) (bundle string, userAnnotations map[string]string) {
-	userAnnotations = make(map[string]string)
-	for _, l := range labels {
-		name, value, ok := strings.Cut(l, "=")
-		if !ok {
-			continue
-		}
-		if name == "bundle" {
-			bundle = value
-		} else {
-			userAnnotations[name] = value
-		}
-	}
-	return
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
deleted file mode 100644
index 8f179b6aa2563..0000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+++ /dev/null
@@ -1,360 +0,0 @@
-//go:build !windows
-
-package utils
-
-import (
-	"fmt"
-	"math"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	_ "unsafe" // for go:linkname
-
-	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-// EnsureProcHandle returns whether or not the given file handle is on procfs.
-func EnsureProcHandle(fh *os.File) error {
-	var buf unix.Statfs_t
-	if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
-		return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
-	}
-	if buf.Type != unix.PROC_SUPER_MAGIC {
-		return fmt.Errorf("%s is not on procfs", fh.Name())
-	}
-	return nil
-}
-
-var (
-	haveCloseRangeCloexecBool bool
-	haveCloseRangeCloexecOnce sync.Once
-)
-
-func haveCloseRangeCloexec() bool {
-	haveCloseRangeCloexecOnce.Do(func() {
-		// Make sure we're not closing a random file descriptor.
-		tmpFd, err := unix.FcntlInt(0, unix.F_DUPFD_CLOEXEC, 0)
-		if err != nil {
-			return
-		}
-		defer unix.Close(tmpFd)
-
-		err = unix.CloseRange(uint(tmpFd), uint(tmpFd), unix.CLOSE_RANGE_CLOEXEC)
-		// Any error means we cannot use close_range(CLOSE_RANGE_CLOEXEC).
-		// -ENOSYS and -EINVAL ultimately mean we don't have support, but any
-		// other potential error would imply that even the most basic close
-		// operation wouldn't work.
-		haveCloseRangeCloexecBool = err == nil
-	})
-	return haveCloseRangeCloexecBool
-}
-
-type fdFunc func(fd int)
-
-// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
-// the current process.
-func fdRangeFrom(minFd int, fn fdFunc) error {
-	procSelfFd, closer := ProcThreadSelf("fd")
-	defer closer()
-
-	fdDir, err := os.Open(procSelfFd)
-	if err != nil {
-		return err
-	}
-	defer fdDir.Close()
-
-	if err := EnsureProcHandle(fdDir); err != nil {
-		return err
-	}
-
-	fdList, err := fdDir.Readdirnames(-1)
-	if err != nil {
-		return err
-	}
-	for _, fdStr := range fdList {
-		fd, err := strconv.Atoi(fdStr)
-		// Ignore non-numeric file names.
-		if err != nil {
-			continue
-		}
-		// Ignore descriptors lower than our specified minimum.
-		if fd < minFd {
-			continue
-		}
-		// Ignore the file descriptor we used for readdir, as it will be closed
-		// when we return.
-		if uintptr(fd) == fdDir.Fd() {
-			continue
-		}
-		// Run the closure.
-		fn(fd)
-	}
-	return nil
-}
-
-// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or
-// equal to minFd in the current process.
-func CloseExecFrom(minFd int) error {
-	// Use close_range(CLOSE_RANGE_CLOEXEC) if possible.
-	if haveCloseRangeCloexec() {
-		err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC)
-		return os.NewSyscallError("close_range", err)
-	}
-	// Otherwise, fall back to the standard loop.
-	return fdRangeFrom(minFd, unix.CloseOnExec)
-}
-
-//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor
-
-// In order to make sure we do not close the internal epoll descriptors the Go
-// runtime uses, we need to ensure that we skip descriptors that match
-// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing,
-// unfortunately there's no other way to be sure we're only keeping the file
-// descriptors the Go runtime needs. Hopefully nothing blows up doing this...
-func runtime_IsPollDescriptor(fd uintptr) bool //nolint:revive
-
-// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the
-// current process, except for those critical to Go's runtime (such as the
-// netpoll management descriptors).
-//
-// NOTE: That this function is incredibly dangerous to use in most Go code, as
-// closing file descriptors from underneath *os.File handles can lead to very
-// bad behaviour (the closed file descriptor can be re-used and then any
-// *os.File operations would apply to the wrong file). This function is only
-// intended to be called from the last stage of runc init.
-func UnsafeCloseFrom(minFd int) error {
-	// We cannot use close_range(2) even if it is available, because we must
-	// not close some file descriptors.
-	return fdRangeFrom(minFd, func(fd int) {
-		if runtime_IsPollDescriptor(uintptr(fd)) {
-			// These are the Go runtimes internal netpoll file descriptors.
-			// These file descriptors are operated on deep in the Go scheduler,
-			// and closing those files from underneath Go can result in panics.
-			// There is no issue with keeping them because they are not
-			// executable and are not useful to an attacker anyway. Also we
-			// don't have any choice.
-			return
-		}
-		// There's nothing we can do about errors from close(2), and the
-		// only likely error to be seen is EBADF which indicates the fd was
-		// already closed (in which case, we got what we wanted).
-		_ = unix.Close(fd)
-	})
-}
-
-// NewSockPair returns a new SOCK_STREAM unix socket pair.
-func NewSockPair(name string) (parent, child *os.File, err error) {
-	fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
-	if err != nil {
-		return nil, nil, err
-	}
-	return os.NewFile(uintptr(fds[1]), name+"-p"), os.NewFile(uintptr(fds[0]), name+"-c"), nil
-}
-
-// WithProcfd runs the passed closure with a procfd path (/proc/self/fd/...)
-// corresponding to the unsafePath resolved within the root. Before passing the
-// fd, this path is verified to have been inside the root -- so operating on it
-// through the passed fdpath should be safe. Do not access this path through
-// the original path strings, and do not attempt to use the pathname outside of
-// the passed closure (the file handle will be freed once the closure returns).
-func WithProcfd(root, unsafePath string, fn func(procfd string) error) error {
-	// Remove the root then forcefully resolve inside the root.
-	unsafePath = stripRoot(root, unsafePath)
-	path, err := securejoin.SecureJoin(root, unsafePath)
-	if err != nil {
-		return fmt.Errorf("resolving path inside rootfs failed: %w", err)
-	}
-
-	procSelfFd, closer := ProcThreadSelf("fd/")
-	defer closer()
-
-	// Open the target path.
-	fh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0)
-	if err != nil {
-		return fmt.Errorf("open o_path procfd: %w", err)
-	}
-	defer fh.Close()
-
-	procfd := filepath.Join(procSelfFd, strconv.Itoa(int(fh.Fd())))
-	// Double-check the path is the one we expected.
-	if realpath, err := os.Readlink(procfd); err != nil {
-		return fmt.Errorf("procfd verification failed: %w", err)
-	} else if realpath != path {
-		return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
-	}
-
-	return fn(procfd)
-}
-
-type ProcThreadSelfCloser func()
-
-var (
-	haveProcThreadSelf     bool
-	haveProcThreadSelfOnce sync.Once
-)
-
-// ProcThreadSelf returns a string that is equivalent to
-// /proc/thread-self/<subpath>, with a graceful fallback on older kernels where
-// /proc/thread-self doesn't exist. This method DOES NOT use SecureJoin,
-// meaning that the passed string needs to be trusted. The caller _must_ call
-// the returned procThreadSelfCloser function (which is runtime.UnlockOSThread)
-// *only once* after it has finished using the returned path string.
-func ProcThreadSelf(subpath string) (string, ProcThreadSelfCloser) {
-	haveProcThreadSelfOnce.Do(func() {
-		if _, err := os.Stat("/proc/thread-self/"); err == nil {
-			haveProcThreadSelf = true
-		} else {
-			logrus.Debugf("cannot stat /proc/thread-self (%v), falling back to /proc/self/task/<tid>", err)
-		}
-	})
-
-	// We need to lock our thread until the caller is done with the path string
-	// because any non-atomic operation on the path (such as opening a file,
-	// then reading it) could be interrupted by the Go runtime where the
-	// underlying thread is swapped out and the original thread is killed,
-	// resulting in pull-your-hair-out-hard-to-debug issues in the caller. In
-	// addition, the pre-3.17 fallback makes everything non-atomic because the
-	// same thing could happen between unix.Gettid() and the path operations.
-	//
-	// In theory, we don't need to lock in the atomic user case when using
-	// /proc/thread-self/, but it's better to be safe than sorry (and there are
-	// only one or two truly atomic users of /proc/thread-self/).
-	runtime.LockOSThread()
-
-	threadSelf := "/proc/thread-self/"
-	if !haveProcThreadSelf {
-		// Pre-3.17 kernels did not have /proc/thread-self, so do it manually.
-		threadSelf = "/proc/self/task/" + strconv.Itoa(unix.Gettid()) + "/"
-		if _, err := os.Stat(threadSelf); err != nil {
-			// Unfortunately, this code is called from rootfs_linux.go where we
-			// are running inside the pid namespace of the container but /proc
-			// is the host's procfs. Unfortunately there is no real way to get
-			// the correct tid to use here (the kernel age means we cannot do
-			// things like set up a private fsopen("proc") -- even scanning
-			// NSpid in all of the tasks in /proc/self/task/*/status requires
-			// Linux 4.1).
-			//
-			// So, we just have to assume that /proc/self is acceptable in this
-			// one specific case.
-			if os.Getpid() == 1 {
-				logrus.Debugf("/proc/thread-self (tid=%d) cannot be emulated inside the initial container setup -- using /proc/self instead: %v", unix.Gettid(), err)
-			} else {
-				// This should never happen, but the fallback should work in most cases...
-				logrus.Warnf("/proc/thread-self could not be emulated for pid=%d (tid=%d) -- using more buggy /proc/self fallback instead: %v", os.Getpid(), unix.Gettid(), err)
-			}
-			threadSelf = "/proc/self/"
-		}
-	}
-	return threadSelf + subpath, runtime.UnlockOSThread
-}
-
-// ProcThreadSelfFd is small wrapper around ProcThreadSelf to make it easier to
-// create a /proc/thread-self handle for given file descriptor.
-//
-// It is basically equivalent to ProcThreadSelf(fmt.Sprintf("fd/%d", fd)), but
-// without using fmt.Sprintf to avoid unneeded overhead.
-func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) {
-	return ProcThreadSelf("fd/" + strconv.FormatUint(uint64(fd), 10))
-}
-
-// IsLexicallyInRoot is shorthand for strings.HasPrefix(path+"/", root+"/"),
-// but properly handling the case where path or root are "/".
-//
-// NOTE: The return value only make sense if the path doesn't contain "..".
-func IsLexicallyInRoot(root, path string) bool {
-	if root != "/" {
-		root += "/"
-	}
-	if path != "/" {
-		path += "/"
-	}
-	return strings.HasPrefix(path, root)
-}
-
-// MkdirAllInRootOpen attempts to make
-//
-//	path, _ := securejoin.SecureJoin(root, unsafePath)
-//	os.MkdirAll(path, mode)
-//	os.Open(path)
-//
-// safer against attacks where components in the path are changed between
-// SecureJoin returning and MkdirAll (or Open) being called. In particular, we
-// try to detect any symlink components in the path while we are doing the
-// MkdirAll.
-//
-// NOTE: If unsafePath is a subpath of root, we assume that you have already
-// called SecureJoin and so we use the provided path verbatim without resolving
-// any symlinks (this is done in a way that avoids symlink-exchange races).
-// This means that the path also must not contain ".." elements, otherwise an
-// error will occur.
-//
-// This uses securejoin.MkdirAllHandle under the hood, but it has special
-// handling if unsafePath has already been scoped within the rootfs (this is
-// needed for a lot of runc callers and fixing this would require reworking a
-// lot of path logic).
-func MkdirAllInRootOpen(root, unsafePath string, mode os.FileMode) (_ *os.File, Err error) {
-	// If the path is already "within" the root, get the path relative to the
-	// root and use that as the unsafe path. This is necessary because a lot of
-	// MkdirAllInRootOpen callers have already done SecureJoin, and refactoring
-	// all of them to stop using these SecureJoin'd paths would require a fair
-	// amount of work.
-	// TODO(cyphar): Do the refactor to libpathrs once it's ready.
-	if IsLexicallyInRoot(root, unsafePath) {
-		subPath, err := filepath.Rel(root, unsafePath)
-		if err != nil {
-			return nil, err
-		}
-		unsafePath = subPath
-	}
-
-	// Check for any silly mode bits.
-	if mode&^0o7777 != 0 {
-		return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode)
-	}
-	// Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if
-	// passed. While it would make sense to return an error in that case (since
-	// the user has asked for a mode that won't be applied), for compatibility
-	// reasons we have to ignore these bits.
-	if ignoredBits := mode &^ 0o1777; ignoredBits != 0 {
-		logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits)
-		mode &= 0o1777
-	}
-
-	rootDir, err := os.OpenFile(root, unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
-	if err != nil {
-		return nil, fmt.Errorf("open root handle: %w", err)
-	}
-	defer rootDir.Close()
-
-	return securejoin.MkdirAllHandle(rootDir, unsafePath, mode)
-}
-
-// MkdirAllInRoot is a wrapper around MkdirAllInRootOpen which closes the
-// returned handle, for callers that don't need to use it.
-func MkdirAllInRoot(root, unsafePath string, mode os.FileMode) error {
-	f, err := MkdirAllInRootOpen(root, unsafePath, mode)
-	if err == nil {
-		_ = f.Close()
-	}
-	return err
-}
-
-// Openat is a Go-friendly openat(2) wrapper.
-func Openat(dir *os.File, path string, flags int, mode uint32) (*os.File, error) {
-	dirFd := unix.AT_FDCWD
-	if dir != nil {
-		dirFd = int(dir.Fd())
-	}
-	flags |= unix.O_CLOEXEC
-
-	fd, err := unix.Openat(dirFd, path, flags, mode)
-	if err != nil {
-		return nil, &os.PathError{Op: "openat", Path: path, Err: err}
-	}
-	return os.NewFile(uintptr(fd), dir.Name()+"/"+path), nil
-}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index d1236ba7213e9..1aa0693b57d19 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -83,7 +83,7 @@ type Process struct {
 	// Rlimits specifies rlimit options to apply to the process.
 	Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris,zos"`
 	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
-	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
+	NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux,zos"`
 	// ApparmorProfile specifies the apparmor profile for the container.
 	ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
 	// Specify an oom_score_adj for the container.
@@ -94,10 +94,12 @@ type Process struct {
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 	// IOPriority contains the I/O priority settings for the cgroup.
 	IOPriority *LinuxIOPriority `json:"ioPriority,omitempty" platform:"linux"`
+	// ExecCPUAffinity specifies CPU affinity for exec processes.
+	ExecCPUAffinity *CPUAffinity `json:"execCPUAffinity,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
-// http://man7.org/linux/man-pages/man7/capabilities.7.html
+// https://man7.org/linux/man-pages/man7/capabilities.7.html
 type LinuxCapabilities struct {
 	// Bounding is the set of capabilities checked by the kernel.
 	Bounding []string `json:"bounding,omitempty" platform:"linux"`
@@ -127,6 +129,12 @@ const (
 	IOPRIO_CLASS_IDLE IOPriorityClass = "IOPRIO_CLASS_IDLE"
 )
 
+// CPUAffinity specifies process' CPU affinity.
+type CPUAffinity struct {
+	Initial string `json:"initial,omitempty"`
+	Final   string `json:"final,omitempty"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 	// Height is the vertical dimension of a box.
@@ -627,6 +635,17 @@ type WindowsCPUResources struct {
 	// cycles per 10,000 cycles. Set processor `maximum` to a percentage times
 	// 100.
 	Maximum *uint16 `json:"maximum,omitempty"`
+	// Set of CPUs to affinitize for this container.
+	Affinity []WindowsCPUGroupAffinity `json:"affinity,omitempty"`
+}
+
+// Similar to _GROUP_AFFINITY struct defined in
+// https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/miniport/ns-miniport-_group_affinity
+type WindowsCPUGroupAffinity struct {
+	// CPU mask relative to this CPU group.
+	Mask uint64 `json:"mask,omitempty"`
+	// Processor group the mask refers to, as returned by GetLogicalProcessorInformationEx.
+	Group uint32 `json:"group,omitempty"`
 }
 
 // WindowsStorageResources contains storage resource management settings.
@@ -751,6 +770,10 @@ const (
 	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
 	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
 	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
+	ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64"
+	ArchM68K        Arch = "SCMP_ARCH_M68K"
+	ArchSH          Arch = "SCMP_ARCH_SH"
+	ArchSHEB        Arch = "SCMP_ARCH_SHEB"
 )
 
 // LinuxSeccompAction taken upon Seccomp rule match
@@ -826,28 +849,33 @@ type LinuxIntelRdt struct {
 
 // ZOS contains platform-specific configuration for z/OS based containers.
 type ZOS struct {
-	// Devices are a list of device nodes that are created for the container
-	Devices []ZOSDevice `json:"devices,omitempty"`
+	// Namespaces contains the namespaces that are created and/or joined by the container
+	Namespaces []ZOSNamespace `json:"namespaces,omitempty"`
 }
 
-// ZOSDevice represents the mknod information for a z/OS special device file
-type ZOSDevice struct {
-	// Path to the device.
-	Path string `json:"path"`
-	// Device type, block, char, etc.
-	Type string `json:"type"`
-	// Major is the device's major number.
-	Major int64 `json:"major"`
-	// Minor is the device's minor number.
-	Minor int64 `json:"minor"`
-	// FileMode permission bits for the device.
-	FileMode *os.FileMode `json:"fileMode,omitempty"`
-	// UID of the device.
-	UID *uint32 `json:"uid,omitempty"`
-	// Gid of the device.
-	GID *uint32 `json:"gid,omitempty"`
+// ZOSNamespace is the configuration for a z/OS namespace
+type ZOSNamespace struct {
+	// Type is the type of namespace
+	Type ZOSNamespaceType `json:"type"`
+	// Path is a path to an existing namespace persisted on disk that can be joined
+	// and is of the same type
+	Path string `json:"path,omitempty"`
 }
 
+// ZOSNamespaceType is one of the z/OS namespaces
+type ZOSNamespaceType string
+
+const (
+	// PIDNamespace for isolating process IDs
+	ZOSPIDNamespace ZOSNamespaceType = "pid"
+	// MountNamespace for isolating mount points
+	ZOSMountNamespace ZOSNamespaceType = "mount"
+	// IPCNamespace for isolating System V IPC, POSIX message queues
+	ZOSIPCNamespace ZOSNamespaceType = "ipc"
+	// UTSNamespace for isolating hostname and NIS domain name
+	ZOSUTSNamespace ZOSNamespaceType = "uts"
+)
+
 // LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler
 type LinuxSchedulerPolicy string
 
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index 503971e058b66..23234a9c583a9 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -8,7 +8,7 @@ const (
 	// VersionMinor is for functionality in a backwards-compatible manner
 	VersionMinor = 2
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 0
+	VersionPatch = 1
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
index 07e0f77dc278a..884a8b805936e 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
@@ -6,78 +6,11 @@ import (
 	"github.com/opencontainers/selinux/go-selinux"
 )
 
-// Deprecated: use selinux.ROFileLabel
-var ROMountLabel = selinux.ROFileLabel
-
-// SetProcessLabel takes a process label and tells the kernel to assign the
-// label to the next program executed by the current process.
-// Deprecated: use selinux.SetExecLabel
-var SetProcessLabel = selinux.SetExecLabel
-
-// ProcessLabel returns the process label that the kernel will assign
-// to the next program executed by the current process.  If "" is returned
-// this indicates that the default labeling will happen for the process.
-// Deprecated: use selinux.ExecLabel
-var ProcessLabel = selinux.ExecLabel
-
-// SetSocketLabel takes a process label and tells the kernel to assign the
-// label to the next socket that gets created
-// Deprecated: use selinux.SetSocketLabel
-var SetSocketLabel = selinux.SetSocketLabel
-
-// SocketLabel retrieves the current default socket label setting
-// Deprecated: use selinux.SocketLabel
-var SocketLabel = selinux.SocketLabel
-
-// SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created
-// Deprecated: use selinux.SetKeyLabel
-var SetKeyLabel = selinux.SetKeyLabel
-
-// KeyLabel retrieves the current default kernel keyring label setting
-// Deprecated: use selinux.KeyLabel
-var KeyLabel = selinux.KeyLabel
-
-// FileLabel returns the label for specified path
-// Deprecated: use selinux.FileLabel
-var FileLabel = selinux.FileLabel
-
-// PidLabel will return the label of the process running with the specified pid
-// Deprecated: use selinux.PidLabel
-var PidLabel = selinux.PidLabel
-
 // Init initialises the labeling system
 func Init() {
 	_ = selinux.GetEnabled()
 }
 
-// ClearLabels will clear all reserved labels
-// Deprecated: use selinux.ClearLabels
-var ClearLabels = selinux.ClearLabels
-
-// ReserveLabel will record the fact that the MCS label has already been used.
-// This will prevent InitLabels from using the MCS label in a newly created
-// container
-// Deprecated: use selinux.ReserveLabel
-func ReserveLabel(label string) error {
-	selinux.ReserveLabel(label)
-	return nil
-}
-
-// ReleaseLabel will remove the reservation of the MCS label.
-// This will allow InitLabels to use the MCS label in a newly created
-// containers
-// Deprecated: use selinux.ReleaseLabel
-func ReleaseLabel(label string) error {
-	selinux.ReleaseLabel(label)
-	return nil
-}
-
-// DupSecOpt takes a process label and returns security options that
-// can be used to set duplicate labels on future container processes
-// Deprecated: use selinux.DupSecOpt
-var DupSecOpt = selinux.DupSecOpt
-
 // FormatMountLabel returns a string to be used by the mount command. Using
 // the SELinux `context` mount option. Changing labels of files on mount
 // points with this option can never be changed.
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
index e49e6d53f7d62..95f29e21f4e84 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
@@ -18,7 +18,7 @@ var validOptions = map[string]bool{
 	"level":    true,
 }
 
-var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")
+var ErrIncompatibleLabel = errors.New("bad SELinux option: z and Z can not be used together")
 
 // InitLabels returns the process label and file labels to be used within
 // the container.  A list of options can be passed into this function to alter
@@ -52,11 +52,11 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 				return "", selinux.PrivContainerMountLabel(), nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
 			}
 			con := strings.SplitN(opt, ":", 2)
 			if !validOptions[con[0]] {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
 			}
 			if con[0] == "filetype" {
 				mcon["type"] = con[1]
@@ -79,12 +79,6 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	return processLabel, mountLabel, nil
 }
 
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(options string) (string, string, error) {
-	return InitLabels(strings.Fields(options))
-}
-
 // SetFileLabel modifies the "path" label to the specified file label
 func SetFileLabel(path string, fileLabel string) error {
 	if !selinux.GetEnabled() || fileLabel == "" {
@@ -123,11 +117,6 @@ func Relabel(path string, fileLabel string, shared bool) error {
 	return selinux.Chcon(path, fileLabel, true)
 }
 
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-// Deprecated: use selinux.DisableSecOpt
-var DisableSecOpt = selinux.DisableSecOpt
-
 // Validate checks that the label does not include unexpected options
 func Validate(label string) error {
 	if strings.Contains(label, "z") && strings.Contains(label, "Z") {
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
index 1c260cb27d9a7..7a54afc5e6d16 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go
@@ -10,12 +10,6 @@ func InitLabels([]string) (string, string, error) {
 	return "", "", nil
 }
 
-// Deprecated: The GenLabels function is only to be used during the transition
-// to the official API. Use InitLabels(strings.Fields(options)) instead.
-func GenLabels(string) (string, string, error) {
-	return "", "", nil
-}
-
 func SetFileLabel(string, string) error {
 	return nil
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
index af058b84b1325..15150d4752819 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
@@ -41,6 +41,10 @@ var (
 	// ErrVerifierNil is returned when a context verifier function is nil.
 	ErrVerifierNil = errors.New("verifier function is nil")
 
+	// ErrNotTGLeader is returned by [SetKeyLabel] if the calling thread
+	// is not the thread group leader.
+	ErrNotTGLeader = errors.New("calling thread is not the thread group leader")
+
 	// CategoryRange allows the upper bound on the category range to be adjusted
 	CategoryRange = DefaultCategoryRange
 
@@ -149,7 +153,7 @@ func CalculateGlbLub(sourceRange, targetRange string) (string, error) {
 // of the program is finished to guarantee another goroutine does not migrate to the current
 // thread before execution is complete.
 func SetExecLabel(label string) error {
-	return writeCon(attrPath("exec"), label)
+	return writeConThreadSelf("attr/exec", label)
 }
 
 // SetTaskLabel sets the SELinux label for the current thread, or an error.
@@ -157,7 +161,7 @@ func SetExecLabel(label string) error {
 // be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() to guarantee
 // the current thread does not run in a new mislabeled thread.
 func SetTaskLabel(label string) error {
-	return writeCon(attrPath("current"), label)
+	return writeConThreadSelf("attr/current", label)
 }
 
 // SetSocketLabel takes a process label and tells the kernel to assign the
@@ -166,12 +170,12 @@ func SetTaskLabel(label string) error {
 // the socket is created to guarantee another goroutine does not migrate
 // to the current thread before execution is complete.
 func SetSocketLabel(label string) error {
-	return writeCon(attrPath("sockcreate"), label)
+	return writeConThreadSelf("attr/sockcreate", label)
 }
 
 // SocketLabel retrieves the current socket label setting
 func SocketLabel() (string, error) {
-	return readCon(attrPath("sockcreate"))
+	return readConThreadSelf("attr/sockcreate")
 }
 
 // PeerLabel retrieves the label of the client on the other side of a socket
@@ -180,17 +184,21 @@ func PeerLabel(fd uintptr) (string, error) {
 }
 
 // SetKeyLabel takes a process label and tells the kernel to assign the
-// label to the next kernel keyring that gets created. Calls to SetKeyLabel
-// should be wrapped in runtime.LockOSThread()/runtime.UnlockOSThread() until
-// the kernel keyring is created to guarantee another goroutine does not migrate
-// to the current thread before execution is complete.
+// label to the next kernel keyring that gets created.
+//
+// Calls to SetKeyLabel should be wrapped in
+// runtime.LockOSThread()/runtime.UnlockOSThread() until the kernel keyring is
+// created to guarantee another goroutine does not migrate to the current
+// thread before execution is complete.
+//
+// Only the thread group leader can set key label.
 func SetKeyLabel(label string) error {
 	return setKeyLabel(label)
 }
 
 // KeyLabel retrieves the current kernel keyring label setting
 func KeyLabel() (string, error) {
-	return readCon("/proc/self/attr/keycreate")
+	return keyLabel()
 }
 
 // Get returns the Context as a string
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
index c80c10971b97b..6d7f8e270bd73 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
@@ -17,8 +17,11 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/opencontainers/selinux/pkg/pwalkdir"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
 	"golang.org/x/sys/unix"
+
+	"github.com/opencontainers/selinux/pkg/pwalkdir"
 )
 
 const (
@@ -45,7 +48,7 @@ type selinuxState struct {
 
 type level struct {
 	cats *big.Int
-	sens uint
+	sens int
 }
 
 type mlsRange struct {
@@ -73,10 +76,6 @@ var (
 		mcsList: make(map[string]bool),
 	}
 
-	// for attrPath()
-	attrPathOnce   sync.Once
-	haveThreadSelf bool
-
 	// for policyRoot()
 	policyRootOnce sync.Once
 	policyRootVal  string
@@ -138,6 +137,7 @@ func verifySELinuxfsMount(mnt string) bool {
 		return false
 	}
 
+	//#nosec G115 -- there is no overflow here.
 	if uint32(buf.Type) != uint32(unix.SELINUX_MAGIC) {
 		return false
 	}
@@ -255,48 +255,183 @@ func readConfig(target string) string {
 	return ""
 }
 
-func isProcHandle(fh *os.File) error {
-	var buf unix.Statfs_t
+func readConFd(in *os.File) (string, error) {
+	data, err := io.ReadAll(in)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes.TrimSuffix(data, []byte{0})), nil
+}
 
-	for {
-		err := unix.Fstatfs(int(fh.Fd()), &buf)
-		if err == nil {
-			break
-		}
-		if err != unix.EINTR {
-			return &os.PathError{Op: "fstatfs", Path: fh.Name(), Err: err}
-		}
+func writeConFd(out *os.File, val string) error {
+	var err error
+	if val != "" {
+		_, err = out.Write([]byte(val))
+	} else {
+		_, err = out.Write(nil)
 	}
-	if buf.Type != unix.PROC_SUPER_MAGIC {
-		return fmt.Errorf("file %q is not on procfs", fh.Name())
+	return err
+}
+
+// openProcThreadSelf is a small wrapper around [procfs.Handle.OpenThreadSelf]
+// and [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/thread-self/<subpath> with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcThreadSelf(subpath string, mode int) (*os.File, procfs.ProcThreadSelfCloser, error) {
+	if subpath == "" {
+		return nil, nil, ErrEmptyPath
 	}
 
-	return nil
-}
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, nil, err
+	}
+	defer proc.Close()
 
-func readCon(fpath string) (string, error) {
-	if fpath == "" {
-		return "", ErrEmptyPath
+	handle, closer, err := proc.OpenThreadSelf(subpath)
+	if err != nil {
+		return nil, nil, fmt.Errorf("open /proc/thread-self/%s handle: %w", subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		closer()
+		return nil, nil, fmt.Errorf("reopen /proc/thread-self/%s handle (%#x): %w", subpath, mode, err)
 	}
+	return file, closer, nil
+}
 
-	in, err := os.Open(fpath)
+// Read the contents of /proc/thread-self/<fpath>.
+func readConThreadSelf(fpath string) (string, error) {
+	in, closer, err := openProcThreadSelf(fpath, os.O_RDONLY|unix.O_CLOEXEC)
 	if err != nil {
 		return "", err
 	}
+	defer closer()
 	defer in.Close()
 
-	if err := isProcHandle(in); err != nil {
+	return readConFd(in)
+}
+
+// Write <val> to /proc/thread-self/<fpath>.
+func writeConThreadSelf(fpath, val string) error {
+	if val == "" {
+		if !getEnabled() {
+			return nil
+		}
+	}
+
+	out, closer, err := openProcThreadSelf(fpath, os.O_WRONLY|unix.O_CLOEXEC)
+	if err != nil {
+		return err
+	}
+	defer closer()
+	defer out.Close()
+
+	return writeConFd(out, val)
+}
+
+// openProcSelf is a small wrapper around [procfs.Handle.OpenSelf] and
+// [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/self/<subpath> with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcSelf(subpath string, mode int) (*os.File, error) {
+	if subpath == "" {
+		return nil, ErrEmptyPath
+	}
+
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+
+	handle, err := proc.OpenSelf(subpath)
+	if err != nil {
+		return nil, fmt.Errorf("open /proc/self/%s handle: %w", subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		return nil, fmt.Errorf("reopen /proc/self/%s handle (%#x): %w", subpath, mode, err)
+	}
+	return file, nil
+}
+
+// Read the contents of /proc/self/<fpath>.
+func readConSelf(fpath string) (string, error) {
+	in, err := openProcSelf(fpath, os.O_RDONLY|unix.O_CLOEXEC)
+	if err != nil {
 		return "", err
 	}
+	defer in.Close()
+
 	return readConFd(in)
 }
 
-func readConFd(in *os.File) (string, error) {
-	data, err := io.ReadAll(in)
+// Write <val> to /proc/self/<fpath>.
+func writeConSelf(fpath, val string) error {
+	if val == "" {
+		if !getEnabled() {
+			return nil
+		}
+	}
+
+	out, err := openProcSelf(fpath, os.O_WRONLY|unix.O_CLOEXEC)
 	if err != nil {
-		return "", err
+		return err
 	}
-	return string(bytes.TrimSuffix(data, []byte{0})), nil
+	defer out.Close()
+
+	return writeConFd(out, val)
+}
+
+// openProcPid is a small wrapper around [procfs.Handle.OpenPid] and
+// [pathrs.Reopen] to make "one-shot opens" slightly more ergonomic. The
+// provided mode must be os.O_* flags to indicate what mode the returned file
+// should be opened with (flags like os.O_CREAT and os.O_EXCL are not
+// supported).
+//
+// If no error occurred, the returned handle is guaranteed to be exactly
+// /proc/self/<subpath> with no tricky mounts or symlinks causing you to
+// operate on an unexpected path (with some caveats on pre-openat2 or
+// pre-fsopen kernels).
+func openProcPid(pid int, subpath string, mode int) (*os.File, error) {
+	if subpath == "" {
+		return nil, ErrEmptyPath
+	}
+
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return nil, err
+	}
+	defer proc.Close()
+
+	handle, err := proc.OpenPid(pid, subpath)
+	if err != nil {
+		return nil, fmt.Errorf("open /proc/%d/%s handle: %w", pid, subpath, err)
+	}
+	defer handle.Close() // we will return a re-opened handle
+
+	file, err := pathrs.Reopen(handle, mode)
+	if err != nil {
+		return nil, fmt.Errorf("reopen /proc/%d/%s handle (%#x): %w", pid, subpath, mode, err)
+	}
+	return file, nil
 }
 
 // classIndex returns the int index for an object class in the loaded policy,
@@ -392,78 +527,34 @@ func lFileLabel(fpath string) (string, error) {
 }
 
 func setFSCreateLabel(label string) error {
-	return writeCon(attrPath("fscreate"), label)
+	return writeConThreadSelf("attr/fscreate", label)
 }
 
 // fsCreateLabel returns the default label the kernel which the kernel is using
 // for file system objects created by this task. "" indicates default.
 func fsCreateLabel() (string, error) {
-	return readCon(attrPath("fscreate"))
+	return readConThreadSelf("attr/fscreate")
 }
 
 // currentLabel returns the SELinux label of the current process thread, or an error.
 func currentLabel() (string, error) {
-	return readCon(attrPath("current"))
+	return readConThreadSelf("attr/current")
 }
 
 // pidLabel returns the SELinux label of the given pid, or an error.
 func pidLabel(pid int) (string, error) {
-	return readCon(fmt.Sprintf("/proc/%d/attr/current", pid))
+	it, err := openProcPid(pid, "attr/current", os.O_RDONLY|unix.O_CLOEXEC)
+	if err != nil {
+		return "", nil
+	}
+	defer it.Close()
+	return readConFd(it)
 }
 
 // ExecLabel returns the SELinux label that the kernel will use for any programs
 // that are executed by the current process thread, or an error.
 func execLabel() (string, error) {
-	return readCon(attrPath("exec"))
-}
-
-func writeCon(fpath, val string) error {
-	if fpath == "" {
-		return ErrEmptyPath
-	}
-	if val == "" {
-		if !getEnabled() {
-			return nil
-		}
-	}
-
-	out, err := os.OpenFile(fpath, os.O_WRONLY, 0)
-	if err != nil {
-		return err
-	}
-	defer out.Close()
-
-	if err := isProcHandle(out); err != nil {
-		return err
-	}
-
-	if val != "" {
-		_, err = out.Write([]byte(val))
-	} else {
-		_, err = out.Write(nil)
-	}
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func attrPath(attr string) string {
-	// Linux >= 3.17 provides this
-	const threadSelfPrefix = "/proc/thread-self/attr"
-
-	attrPathOnce.Do(func() {
-		st, err := os.Stat(threadSelfPrefix)
-		if err == nil && st.Mode().IsDir() {
-			haveThreadSelf = true
-		}
-	})
-
-	if haveThreadSelf {
-		return filepath.Join(threadSelfPrefix, attr)
-	}
-
-	return filepath.Join("/proc/self/task", strconv.Itoa(unix.Gettid()), "attr", attr)
+	return readConThreadSelf("exec")
 }
 
 // canonicalizeContext takes a context string and writes it to the kernel
@@ -501,14 +592,14 @@ func catsToBitset(cats string) (*big.Int, error) {
 				return nil, err
 			}
 			for i := catstart; i <= catend; i++ {
-				bitset.SetBit(bitset, int(i), 1)
+				bitset.SetBit(bitset, i, 1)
 			}
 		} else {
 			cat, err := parseLevelItem(ranges[0], category)
 			if err != nil {
 				return nil, err
 			}
-			bitset.SetBit(bitset, int(cat), 1)
+			bitset.SetBit(bitset, cat, 1)
 		}
 	}
 
@@ -516,16 +607,17 @@ func catsToBitset(cats string) (*big.Int, error) {
 }
 
 // parseLevelItem parses and verifies that a sensitivity or category are valid
-func parseLevelItem(s string, sep levelItem) (uint, error) {
+func parseLevelItem(s string, sep levelItem) (int, error) {
 	if len(s) < minSensLen || levelItem(s[0]) != sep {
 		return 0, ErrLevelSyntax
 	}
-	val, err := strconv.ParseUint(s[1:], 10, 32)
+	const bitSize = 31 // Make sure the result fits into signed int32.
+	val, err := strconv.ParseUint(s[1:], 10, bitSize)
 	if err != nil {
 		return 0, err
 	}
 
-	return uint(val), nil
+	return int(val), nil
 }
 
 // parseLevel fills a level from a string that contains
@@ -582,7 +674,8 @@ func bitsetToStr(c *big.Int) string {
 	var str string
 
 	length := 0
-	for i := int(c.TrailingZeroBits()); i < c.BitLen(); i++ {
+	i0 := int(c.TrailingZeroBits()) //#nosec G115 -- don't expect TralingZeroBits to return values with highest bit set.
+	for i := i0; i < c.BitLen(); i++ {
 		if c.Bit(i) == 0 {
 			continue
 		}
@@ -622,7 +715,7 @@ func (l *level) equal(l2 *level) bool {
 
 // String returns an mlsRange as a string.
 func (m mlsRange) String() string {
-	low := "s" + strconv.Itoa(int(m.low.sens))
+	low := "s" + strconv.Itoa(m.low.sens)
 	if m.low.cats != nil && m.low.cats.BitLen() > 0 {
 		low += ":" + bitsetToStr(m.low.cats)
 	}
@@ -631,7 +724,7 @@ func (m mlsRange) String() string {
 		return low
 	}
 
-	high := "s" + strconv.Itoa(int(m.high.sens))
+	high := "s" + strconv.Itoa(m.high.sens)
 	if m.high.cats != nil && m.high.cats.BitLen() > 0 {
 		high += ":" + bitsetToStr(m.high.cats)
 	}
@@ -639,15 +732,16 @@ func (m mlsRange) String() string {
 	return low + "-" + high
 }
 
-// TODO: remove min and max once Go < 1.21 is not supported.
-func max(a, b uint) uint {
+// TODO: remove these in favor of built-in min/max
+// once we stop supporting Go < 1.21.
+func maxInt(a, b int) int {
 	if a > b {
 		return a
 	}
 	return b
 }
 
-func min(a, b uint) uint {
+func minInt(a, b int) int {
 	if a < b {
 		return a
 	}
@@ -676,10 +770,10 @@ func calculateGlbLub(sourceRange, targetRange string) (string, error) {
 	outrange := &mlsRange{low: &level{}, high: &level{}}
 
 	/* take the greatest of the low */
-	outrange.low.sens = max(s.low.sens, t.low.sens)
+	outrange.low.sens = maxInt(s.low.sens, t.low.sens)
 
 	/* take the least of the high */
-	outrange.high.sens = min(s.high.sens, t.high.sens)
+	outrange.high.sens = minInt(s.high.sens, t.high.sens)
 
 	/* find the intersecting categories */
 	if s.low.cats != nil && t.low.cats != nil {
@@ -724,16 +818,29 @@ func peerLabel(fd uintptr) (string, error) {
 // setKeyLabel takes a process label and tells the kernel to assign the
 // label to the next kernel keyring that gets created
 func setKeyLabel(label string) error {
-	err := writeCon("/proc/self/attr/keycreate", label)
+	// Rather than using /proc/thread-self, we want to use /proc/self to
+	// operate on the thread-group leader.
+	err := writeConSelf("attr/keycreate", label)
 	if errors.Is(err, os.ErrNotExist) {
 		return nil
 	}
 	if label == "" && errors.Is(err, os.ErrPermission) {
 		return nil
 	}
+	if errors.Is(err, unix.EACCES) && unix.Getpid() != unix.Gettid() {
+		return ErrNotTGLeader
+	}
 	return err
 }
 
+// KeyLabel retrieves the current kernel keyring label setting for this
+// thread-group.
+func keyLabel() (string, error) {
+	// Rather than using /proc/thread-self, we want to use /proc/self to
+	// operate on the thread-group leader.
+	return readConSelf("attr/keycreate")
+}
+
 // get returns the Context as a string
 func (c Context) get() string {
 	if l := c["level"]; l != "" {
@@ -809,8 +916,7 @@ func enforceMode() int {
 // setEnforceMode sets the current SELinux mode Enforcing, Permissive.
 // Disabled is not valid, since this needs to be set at boot time.
 func setEnforceMode(mode int) error {
-	//nolint:gosec // ignore G306: permissions to be 0600 or less.
-	return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0o644)
+	return os.WriteFile(selinuxEnforcePath(), []byte(strconv.Itoa(mode)), 0)
 }
 
 // defaultEnforceMode returns the systems default SELinux mode Enforcing,
@@ -1017,8 +1123,7 @@ func addMcs(processLabel, fileLabel string) (string, string) {
 
 // securityCheckContext validates that the SELinux label is understood by the kernel
 func securityCheckContext(val string) error {
-	//nolint:gosec // ignore G306: permissions to be 0600 or less.
-	return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0o644)
+	return os.WriteFile(filepath.Join(getSelinuxMountPoint(), "context"), []byte(val), 0)
 }
 
 // copyLevel returns a label with the MLS/MCS level from src label replaced on
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
index 0889fbe0e0731..382244e5036b8 100644
--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
@@ -3,15 +3,11 @@
 
 package selinux
 
-func attrPath(string) string {
-	return ""
-}
-
-func readCon(string) (string, error) {
+func readConThreadSelf(string) (string, error) {
 	return "", nil
 }
 
-func writeCon(string, string) error {
+func writeConThreadSelf(string, string) error {
 	return nil
 }
 
@@ -81,6 +77,10 @@ func setKeyLabel(string) error {
 	return nil
 }
 
+func keyLabel() (string, error) {
+	return "", nil
+}
+
 func (c Context) get() string {
 	return ""
 }
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go
index d81d07cb2b15a..998fd70409e70 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go
@@ -2,9 +2,11 @@ package cmdrun
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"syscall"
 	"time"
 
@@ -22,11 +24,13 @@ func NewRunSuiteCommand(registry *extension.Registry) *cobra.Command {
 		outputFlags      *flags.OutputFlags
 		concurrencyFlags *flags.ConcurrencyFlags
 		junitPath        string
+		htmlPath         string
 	}{
 		componentFlags:   flags.NewComponentFlags(),
 		outputFlags:      flags.NewOutputFlags(),
 		concurrencyFlags: flags.NewConcurrencyFlags(),
 		junitPath:        "",
+		htmlPath:         "",
 	}
 
 	cmd := &cobra.Command{
@@ -88,6 +92,14 @@ func NewRunSuiteCommand(registry *extension.Registry) *cobra.Command {
 				}
 				compositeWriter.AddWriter(junitWriter)
 			}
+			// HTML writer if needed
+			if opts.htmlPath != "" {
+				htmlWriter, err := extensiontests.NewHTMLResultWriter(opts.htmlPath, suite.Name)
+				if err != nil {
+					return errors.Wrap(err, "couldn't create html writer")
+				}
+				compositeWriter.AddWriter(htmlWriter)
+			}
 
 			// JSON writer
 			jsonWriter, err := extensiontests.NewJSONResultWriter(os.Stdout,
@@ -102,13 +114,40 @@ func NewRunSuiteCommand(registry *extension.Registry) *cobra.Command {
 				return errors.Wrap(err, "couldn't filter specs")
 			}
 
-			return specs.Run(ctx, compositeWriter, opts.concurrencyFlags.MaxConcurency)
+			concurrency := opts.concurrencyFlags.MaxConcurency
+			if suite.Parallelism > 0 {
+				concurrency = min(concurrency, suite.Parallelism)
+			}
+			results, runErr := specs.Run(ctx, compositeWriter, concurrency)
+			if opts.junitPath != "" {
+				// we want to commit the results to disk regardless of the success or failure of the specs
+				if err := writeResults(opts.junitPath, results); err != nil {
+					fmt.Fprintf(os.Stderr, "Failed to write test results to disk: %v\n", err)
+				}
+			}
+			return runErr
 		},
 	}
 	opts.componentFlags.BindFlags(cmd.Flags())
 	opts.outputFlags.BindFlags(cmd.Flags())
 	opts.concurrencyFlags.BindFlags(cmd.Flags())
 	cmd.Flags().StringVarP(&opts.junitPath, "junit-path", "j", opts.junitPath, "write results to junit XML")
+	cmd.Flags().StringVar(&opts.htmlPath, "html-path", opts.htmlPath, "write results to summary HTML")
 
 	return cmd
 }
+
+func writeResults(jUnitPath string, results []*extensiontests.ExtensionTestResult) error {
+	jUnitDir := filepath.Dir(jUnitPath)
+	if err := os.MkdirAll(jUnitDir, 0755); err != nil {
+		return fmt.Errorf("failed to create output directory: %v", err)
+	}
+
+	encodedResults, err := json.MarshalIndent(results, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal results: %v", err)
+	}
+
+	outputPath := filepath.Join(jUnitDir, fmt.Sprintf("extension_test_result_e2e_%s.json", time.Now().UTC().Format("20060102-150405")))
+	return os.WriteFile(outputPath, encodedResults, 0644)
+}
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runtest.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runtest.go
index c06894ed99721..c62021e7ecec8 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runtest.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runtest.go
@@ -3,9 +3,9 @@ package cmdrun
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"os"
-	"errors"
 	"os/signal"
 	"syscall"
 	"time"
@@ -100,7 +100,8 @@ func NewRunTestCommand(registry *extension.Registry) *cobra.Command {
 			}
 			defer w.Flush()
 
-			return specs.Run(ctx, w, opts.concurrencyFlags.MaxConcurency)
+			_, err = specs.Run(ctx, w, opts.concurrencyFlags.MaxConcurency)
+			return err
 		},
 	}
 	opts.componentFlags.BindFlags(cmd.Flags())
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result.go
index 2e36969fe6bc8..9c03a0a84babe 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result.go
@@ -1,8 +1,12 @@
 package extensiontests
 
 import (
+	"bytes"
+	_ "embed"
+	"encoding/json"
 	"fmt"
 	"strings"
+	"text/template"
 
 	"github.com/openshift-eng/openshift-tests-extension/pkg/junit"
 )
@@ -67,3 +71,55 @@ func (results ExtensionTestResults) ToJUnit(suiteName string) junit.TestSuite {
 
 	return suite
 }
+
+//go:embed viewer.html
+var viewerHtml []byte
+
+// RenderResultsHTML renders the HTML viewer template with the provided JSON data.
+// The caller is responsible for marshaling their results to JSON. This allows
+// callers with different result struct types to use the same HTML viewer.
+func RenderResultsHTML(jsonData []byte, suiteName string) ([]byte, error) {
+	tmpl, err := template.New("viewer").Parse(string(viewerHtml))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse template: %w", err)
+	}
+	var out bytes.Buffer
+	if err := tmpl.Execute(&out, struct {
+		Data      string
+		SuiteName string
+	}{
+		string(jsonData),
+		suiteName,
+	}); err != nil {
+		return nil, fmt.Errorf("failed to execute template: %w", err)
+	}
+	return out.Bytes(), nil
+}
+
+func (results ExtensionTestResults) ToHTML(suiteName string) ([]byte, error) {
+	encoded, err := json.Marshal(results)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal extension test results: %w", err)
+	}
+	// pare down the output if there's a lot, we want this to load in some reasonable amount of time
+	if len(encoded) > 2<<20 {
+		// n.b. this is wasteful, but we want to mutate our inputs in a safe manner, so the encode/decode/encode
+		// pass is useful as a deep copy
+		var copiedResults ExtensionTestResults
+		if err := json.Unmarshal(encoded, &copiedResults); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal extension test results: %w", err)
+		}
+		copiedResults.Walk(func(result *ExtensionTestResult) {
+			if result.Result == ResultPassed {
+				result.Error = ""
+				result.Output = ""
+				result.Details = nil
+			}
+		})
+		encoded, err = json.Marshal(copiedResults)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal extension test results: %w", err)
+		}
+	}
+	return RenderResultsHTML(encoded, suiteName)
+}
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result_writer.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result_writer.go
index aedc409c1795d..f9ca434cad846 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result_writer.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/result_writer.go
@@ -124,8 +124,9 @@ func NewJSONResultWriter(out io.Writer, format ResultFormat) (*JSONResultWriter,
 	}
 
 	return &JSONResultWriter{
-		out:    out,
-		format: format,
+		out:     out,
+		format:  format,
+		results: ExtensionTestResults{},
 	}, nil
 }
 
@@ -162,3 +163,51 @@ func (w *JSONResultWriter) Flush() error {
 
 	return nil
 }
+
+type HTMLResultWriter struct {
+	lock      sync.Mutex
+	testSuite *junit.TestSuite
+	out       *os.File
+	suiteName string
+	path      string
+	results   ExtensionTestResults
+}
+
+func NewHTMLResultWriter(path, suiteName string) (ResultWriter, error) {
+	file, err := os.Create(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HTMLResultWriter{
+		testSuite: &junit.TestSuite{
+			Name: suiteName,
+		},
+		out:       file,
+		suiteName: suiteName,
+		path:      path,
+	}, nil
+}
+
+func (w *HTMLResultWriter) Write(res *ExtensionTestResult) {
+	w.lock.Lock()
+	defer w.lock.Unlock()
+	w.results = append(w.results, res)
+}
+
+func (w *HTMLResultWriter) Flush() error {
+	w.lock.Lock()
+	defer w.lock.Unlock()
+	data, err := w.results.ToHTML(w.suiteName)
+	if err != nil {
+		return fmt.Errorf("failed to create result HTML: %w", err)
+	}
+	if _, err := w.out.Write(data); err != nil {
+		return err
+	}
+	if err := w.out.Close(); err != nil {
+		return err
+	}
+
+	return nil
+}
\ No newline at end of file
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/spec.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/spec.go
index 4ac540dc248e3..e87809c8a2a1b 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/spec.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/spec.go
@@ -3,6 +3,7 @@ package extensiontests
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -106,18 +107,32 @@ func (specs ExtensionTestSpecs) MustSelectAll(selectFns []SelectFunction) (Exten
 	return filtered, nil
 }
 
-// ModuleTestsOnly ensures that ginkgo tests from vendored sources aren't selected,
-// except for the Origin extended util packages, that may contain Ginkgo nodes but
-// should not cause a test exclusion.
+// ModuleTestsOnly ensures that ginkgo tests from vendored sources aren't selected. Unfortunately, making
+// use of kubernetes test helpers results in the entire Ginkgo suite being initialized (ginkgo loves global state),
+// so we need to be careful about which tests we select.
+//
+// A test is excluded if ALL of its code locations with full paths are external (vendored or from external test
+// suites). If at least one code location with a full path is from the local module, the test is included, because
+// local tests may legitimately call helper functions from vendored test frameworks.
 func ModuleTestsOnly() SelectFunction {
 	return func(spec *ExtensionTestSpec) bool {
+		hasLocalCode := false
+
 		for _, cl := range spec.CodeLocations {
-			if strings.Contains(cl, "/vendor/") && !strings.Contains(cl, "github.com/openshift/origin/test/extended/util") {
-				return false
+			// Short-form code locations (e.g., "set up framework | framework.go:200") are ignored in this determination.
+			if !strings.Contains(cl, "/") {
+				continue
+			}
+
+			// If this code location is not external (vendored or k8s test), it's local code
+			if !(strings.Contains(cl, "/vendor/") || strings.HasPrefix(cl, "k8s.io/kubernetes")) {
+				hasLocalCode = true
+				break
 			}
 		}
 
-		return true
+		// Include the test only if it has at least one local code location
+		return hasLocalCode
 	}
 }
 
@@ -181,9 +196,10 @@ func (specs ExtensionTestSpecs) Names() []string {
 // are written to the given ResultWriter after each spec has completed execution.  BeforeEach,
 // BeforeAll, AfterEach, AfterAll hooks are executed when specified. "Each" hooks must be thread
 // safe. Returns an error if any test spec failed, indicating the quantity of failures.
-func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConcurrent int) error {
+func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConcurrent int) ([]*ExtensionTestResult, error) {
 	queue := make(chan *ExtensionTestSpec)
-	failures := atomic.Int64{}
+	terminalFailures := atomic.Int64{}
+	nonTerminalFailures := atomic.Int64{}
 
 	// Execute beforeAll
 	for _, spec := range specs {
@@ -208,6 +224,7 @@ func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConc
 
 	// Start consumers
 	var wg sync.WaitGroup
+	resultChan := make(chan *ExtensionTestResult, len(specs))
 	for i := 0; i < maxConcurrent; i++ {
 		wg.Add(1)
 		go func() {
@@ -219,7 +236,11 @@ func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConc
 
 				res := runSpec(ctx, spec, runSingleSpec)
 				if res.Result == ResultFailed {
-					failures.Add(1)
+					if res.Lifecycle.IsTerminal() {
+						terminalFailures.Add(1)
+					} else {
+						nonTerminalFailures.Add(1)
+					}
 				}
 
 				for _, afterEachTask := range spec.afterEach {
@@ -230,12 +251,14 @@ func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConc
 				// it does, we may want to modify it (e.g. k8s-tests for annotations currently).
 				res.Name = spec.Name
 				w.Write(res)
+				resultChan <- res
 			}
 		}()
 	}
 
 	// Wait for all consumers to finish
 	wg.Wait()
+	close(resultChan)
 
 	// Execute afterAll
 	for _, spec := range specs {
@@ -244,11 +267,28 @@ func (specs ExtensionTestSpecs) Run(ctx context.Context, w ResultWriter, maxConc
 		}
 	}
 
-	failCount := failures.Load()
-	if failCount > 0 {
-		return fmt.Errorf("%d tests failed", failCount)
+	var results []*ExtensionTestResult
+	for res := range resultChan {
+		results = append(results, res)
 	}
-	return nil
+
+	terminalFailCount := terminalFailures.Load()
+	nonTerminalFailCount := nonTerminalFailures.Load()
+
+	// Non-terminal failures don't cause exit 1, but we still log them
+	if nonTerminalFailCount > 0 {
+		fmt.Fprintf(os.Stderr, "%d informing tests failed (not terminal)\n", nonTerminalFailCount)
+	}
+
+	// Only exit with error if terminal lifecycle tests failed
+	if terminalFailCount > 0 {
+		if nonTerminalFailCount > 0 {
+			return results, fmt.Errorf("%d tests failed (%d informing)", terminalFailCount+nonTerminalFailCount, nonTerminalFailCount)
+		}
+		return results, fmt.Errorf("%d tests failed", terminalFailCount)
+	}
+
+	return results, nil
 }
 
 // AddBeforeAll adds a function to be run once before all tests start executing.
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/types.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/types.go
index a1143cc717b7e..cd23be81ff08c 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/types.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/types.go
@@ -12,6 +12,12 @@ type Lifecycle string
 var LifecycleInforming Lifecycle = "informing"
 var LifecycleBlocking Lifecycle = "blocking"
 
+// IsTerminal returns true if failures in tests with this lifecycle should cause
+// the test run to exit with a non-zero exit code.
+func (l Lifecycle) IsTerminal() bool {
+	return l != LifecycleInforming
+}
+
 type ExtensionTestSpecs []*ExtensionTestSpec
 
 type ExtensionTestSpec struct {
@@ -68,8 +74,10 @@ type Resources struct {
 }
 
 type Isolation struct {
-	Mode     string   `json:"mode,omitempty"`
-	Conflict []string `json:"conflict,omitempty"`
+	Mode       string   `json:"mode,omitempty"`
+	Conflict   []string `json:"conflict,omitempty"`
+	Taint      []string `json:"taint,omitempty"`
+	Toleration []string `json:"toleration,omitempty"`
 }
 
 type EnvironmentSelector struct {
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/viewer.html b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/viewer.html
new file mode 100644
index 0000000000000..2ff236aa32710
--- /dev/null
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/extensiontests/viewer.html
@@ -0,0 +1,1520 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Results for {{ .SuiteName }}</title>
+    <style>
+        :root {
+            --bg-primary: #0d1117;
+            --bg-secondary: #161b22;
+            --bg-tertiary: #21262d;
+            --border-color: #30363d;
+            --text-primary: #c9d1d9;
+            --text-secondary: #8b949e;
+            --text-muted: #6e7681;
+            --success: #238636;
+            --success-bg: #1a4721;
+            --failure: #da3633;
+            --failure-bg: #4a1d1d;
+            --skipped: #6e7681;
+            --skipped-bg: #2d333b;
+            --flaky: #d29922;
+            --flaky-bg: #3d2e0a;
+            --accent: #58a6ff;
+            --accent-hover: #79c0ff;
+        }
+
+        * {
+            box-sizing: border-box;
+            margin: 0;
+            padding: 0;
+        }
+
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif;
+            background-color: var(--bg-primary);
+            color: var(--text-primary);
+            line-height: 1.5;
+            min-height: 100vh;
+        }
+
+        .container {
+            max-width: 1400px;
+            margin: 0 auto;
+            padding: 24px;
+        }
+
+        header {
+            margin-bottom: 24px;
+        }
+
+        h1 {
+            font-size: 24px;
+            font-weight: 600;
+            margin-bottom: 8px;
+            display: flex;
+            align-items: center;
+            gap: 12px;
+        }
+
+        .file-info {
+            color: var(--text-secondary);
+            font-size: 14px;
+        }
+
+        /* File Drop Zone */
+        .drop-zone {
+            border: 2px dashed var(--border-color);
+            border-radius: 12px;
+            padding: 48px;
+            text-align: center;
+            background: var(--bg-secondary);
+            transition: all 0.2s;
+            cursor: pointer;
+            margin-bottom: 24px;
+        }
+
+        .drop-zone:hover, .drop-zone.drag-over {
+            border-color: var(--accent);
+            background: var(--bg-tertiary);
+        }
+
+        .drop-zone h2 {
+            font-size: 20px;
+            margin-bottom: 8px;
+            color: var(--text-primary);
+        }
+
+        .drop-zone p {
+            color: var(--text-secondary);
+            margin-bottom: 16px;
+        }
+
+        .drop-zone input[type="file"] {
+            display: none;
+        }
+
+        .drop-zone .btn {
+            display: inline-block;
+            padding: 10px 20px;
+            background: var(--accent);
+            color: #fff;
+            border-radius: 6px;
+            font-weight: 500;
+            cursor: pointer;
+            transition: background 0.2s;
+        }
+
+        .drop-zone .btn:hover {
+            background: var(--accent-hover);
+        }
+
+        /* Summary Cards */
+        .summary {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+            gap: 16px;
+            margin-bottom: 24px;
+        }
+
+        .summary-card {
+            background: var(--bg-secondary);
+            border: 1px solid var(--border-color);
+            border-radius: 8px;
+            padding: 16px;
+            text-align: center;
+            cursor: pointer;
+            transition: all 0.2s;
+        }
+
+        .summary-card:hover {
+            border-color: var(--accent);
+        }
+
+        .summary-card.active {
+            border-color: var(--accent);
+            box-shadow: 0 0 0 1px var(--accent);
+        }
+
+        .summary-card .count {
+            font-size: 32px;
+            font-weight: 700;
+            line-height: 1.2;
+        }
+
+        .summary-card .label {
+            font-size: 12px;
+            font-weight: 500;
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            color: var(--text-secondary);
+        }
+
+        .summary-card.passed .count { color: var(--success); }
+        .summary-card.failed .count { color: var(--failure); }
+        .summary-card.skipped .count { color: var(--skipped); }
+        .summary-card.flaky .count { color: var(--flaky); }
+        .summary-card.total .count { color: var(--accent); }
+
+        /* Time Slider */
+        .time-slider-group {
+            grid-column: 1 / -1;
+            padding-top: 8px;
+            border-top: 1px solid var(--border-color);
+            margin-top: 8px;
+        }
+
+        .time-slider-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            margin-bottom: 12px;
+        }
+
+        .time-slider-label {
+            font-size: 12px;
+            font-weight: 500;
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            color: var(--text-secondary);
+        }
+
+        .time-slider-values {
+            font-size: 13px;
+            color: var(--text-primary);
+            font-family: 'SF Mono', 'Consolas', 'Monaco', monospace;
+        }
+
+        .time-slider-track {
+            position: relative;
+            height: 24px;
+            background: var(--bg-tertiary);
+            border-radius: 4px;
+            cursor: pointer;
+        }
+
+        .time-slider-range {
+            position: absolute;
+            height: 100%;
+            background: var(--accent);
+            opacity: 0.3;
+            border-radius: 4px;
+        }
+
+        .time-slider-handle {
+            position: absolute;
+            top: 50%;
+            transform: translate(-50%, -50%);
+            width: 16px;
+            height: 16px;
+            background: var(--accent);
+            border: 2px solid var(--bg-primary);
+            border-radius: 50%;
+            cursor: grab;
+            z-index: 2;
+        }
+
+        .time-slider-handle:hover {
+            background: var(--accent-hover);
+        }
+
+        .time-slider-handle:active {
+            cursor: grabbing;
+        }
+
+        .time-slider-ticks {
+            display: flex;
+            justify-content: space-between;
+            margin-top: 4px;
+            font-size: 10px;
+            color: var(--text-muted);
+        }
+
+        /* Filters */
+        .filters {
+            background: var(--bg-secondary);
+            border: 1px solid var(--border-color);
+            border-radius: 8px;
+            padding: 16px;
+            margin-bottom: 24px;
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+            gap: 16px;
+        }
+
+        .filter-group {
+            display: flex;
+            flex-direction: column;
+            gap: 6px;
+        }
+
+        .filter-group label {
+            font-size: 12px;
+            font-weight: 500;
+            color: var(--text-secondary);
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+        }
+
+        .filter-group input,
+        .filter-group select {
+            background: var(--bg-tertiary);
+            border: 1px solid var(--border-color);
+            border-radius: 6px;
+            padding: 8px 12px;
+            color: var(--text-primary);
+            font-size: 14px;
+            outline: none;
+            transition: border-color 0.2s;
+        }
+
+        .filter-group input:focus,
+        .filter-group select:focus {
+            border-color: var(--accent);
+        }
+
+        .filter-group input::placeholder {
+            color: var(--text-muted);
+        }
+
+        .filter-actions {
+            display: flex;
+            align-items: flex-end;
+            gap: 8px;
+        }
+
+        .btn-clear {
+            padding: 8px 16px;
+            background: var(--bg-tertiary);
+            border: 1px solid var(--border-color);
+            border-radius: 6px;
+            color: var(--text-secondary);
+            font-size: 14px;
+            cursor: pointer;
+            transition: all 0.2s;
+        }
+
+        .btn-clear:hover {
+            border-color: var(--accent);
+            color: var(--text-primary);
+        }
+
+        /* Results Count */
+        .results-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            margin-bottom: 16px;
+            padding: 0 4px;
+        }
+
+        .results-count {
+            font-size: 14px;
+            color: var(--text-secondary);
+        }
+
+        .sort-options {
+            display: flex;
+            gap: 8px;
+            align-items: center;
+        }
+
+        .sort-options label {
+            font-size: 14px;
+            color: var(--text-secondary);
+        }
+
+        .sort-options select {
+            background: var(--bg-tertiary);
+            border: 1px solid var(--border-color);
+            border-radius: 6px;
+            padding: 6px 10px;
+            color: var(--text-primary);
+            font-size: 14px;
+            outline: none;
+        }
+
+        /* Test List */
+        .test-list {
+            display: flex;
+            flex-direction: column;
+            gap: 8px;
+        }
+
+        .test-item {
+            background: var(--bg-secondary);
+            border: 1px solid var(--border-color);
+            border-radius: 8px;
+            overflow: hidden;
+            transition: border-color 0.2s;
+        }
+
+        .test-item:hover {
+            border-color: var(--text-muted);
+        }
+
+        .test-header {
+            padding: 12px 16px;
+            cursor: pointer;
+            display: flex;
+            align-items: flex-start;
+            gap: 12px;
+        }
+
+        .test-status {
+            flex-shrink: 0;
+            width: 10px;
+            height: 10px;
+            border-radius: 50%;
+            margin-top: 6px;
+        }
+
+        .test-status.passed { background: var(--success); }
+        .test-status.failed { background: var(--failure); }
+        .test-status.skipped { background: var(--skipped); }
+        .test-status.flaky { background: var(--flaky); }
+
+        .test-info {
+            flex: 1;
+            min-width: 0;
+        }
+
+        .test-name {
+            font-size: 14px;
+            font-weight: 500;
+            word-break: break-word;
+            margin-bottom: 4px;
+        }
+
+        .test-meta {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 8px;
+            font-size: 12px;
+            color: var(--text-secondary);
+        }
+
+        .test-meta-item {
+            display: inline-flex;
+            align-items: center;
+            gap: 4px;
+        }
+
+        .tag {
+            display: inline-block;
+            padding: 2px 8px;
+            border-radius: 12px;
+            font-size: 11px;
+            font-weight: 500;
+        }
+
+        .tag.passed { background: var(--success-bg); color: #3fb950; }
+        .tag.failed { background: var(--failure-bg); color: #f85149; }
+        .tag.skipped { background: var(--skipped-bg); color: #8b949e; }
+        .tag.flaky { background: var(--flaky-bg); color: #d29922; }
+
+        .copy-btn {
+            flex-shrink: 0;
+            width: 32px;
+            height: 32px;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            background: var(--bg-tertiary);
+            border: 1px solid var(--border-color);
+            border-radius: 6px;
+            color: var(--text-muted);
+            cursor: pointer;
+            transition: all 0.2s;
+        }
+
+        .copy-btn:hover {
+            border-color: var(--accent);
+            color: var(--text-primary);
+        }
+
+        .copy-btn.copied {
+            border-color: var(--success);
+            color: var(--success);
+        }
+
+        .test-toggle {
+            flex-shrink: 0;
+            width: 20px;
+            height: 20px;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: var(--text-muted);
+            transition: transform 0.2s;
+        }
+
+        .test-item.expanded .test-toggle {
+            transform: rotate(90deg);
+        }
+
+        .test-output {
+            display: none;
+            border-top: 1px solid var(--border-color);
+            background: var(--bg-primary);
+        }
+
+        .test-item.expanded .test-output {
+            display: block;
+        }
+
+        .test-details-panel {
+            padding: 16px;
+            background: var(--bg-secondary);
+            border-bottom: 1px solid var(--border-color);
+        }
+
+        .details-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
+            gap: 12px;
+        }
+
+        .detail-item {
+            display: flex;
+            flex-direction: column;
+            gap: 4px;
+            min-width: 0;
+        }
+
+        .detail-label {
+            font-size: 11px;
+            font-weight: 500;
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            color: var(--text-muted);
+        }
+
+        .detail-value {
+            font-size: 13px;
+            color: var(--text-primary);
+            word-break: break-all;
+            overflow-wrap: break-word;
+        }
+
+        .detail-value.mono {
+            font-family: 'SF Mono', 'Consolas', 'Monaco', monospace;
+            font-size: 12px;
+        }
+
+        .tag-subtle {
+            color: var(--text-secondary);
+            font-size: 12px;
+        }
+
+        .output-section {
+            border-bottom: 1px solid var(--border-color);
+        }
+
+        .output-section:last-child {
+            border-bottom: none;
+        }
+
+        .output-label {
+            padding: 8px 16px;
+            font-size: 12px;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            color: var(--text-secondary);
+            background: var(--bg-tertiary);
+            border-bottom: 1px solid var(--border-color);
+        }
+
+        .output-section:first-child .output-label {
+            background: var(--failure-bg);
+            color: #f85149;
+        }
+
+        .output-content {
+            padding: 16px;
+            font-family: 'SF Mono', 'Consolas', 'Monaco', monospace;
+            font-size: 12px;
+            line-height: 1.6;
+            white-space: pre-wrap;
+            word-break: break-word;
+            overflow-x: auto;
+            max-height: 500px;
+            overflow-y: auto;
+        }
+
+        .output-content.error-content {
+            background: rgba(248, 81, 73, 0.05);
+        }
+
+        .output-content .log-line {
+            padding: 1px 0;
+        }
+
+        .output-content .log-step {
+            color: #58a6ff;
+            font-weight: 500;
+        }
+
+        .output-content .log-info {
+            color: #8b949e;
+        }
+
+        .output-content .log-error {
+            color: #f85149;
+        }
+
+        .output-content .log-warning {
+            color: #d29922;
+        }
+
+        .output-content .log-success {
+            color: #3fb950;
+        }
+
+        .output-content .log-skip {
+            color: #a371f7;
+        }
+
+        /* Empty State */
+        .empty-state {
+            text-align: center;
+            padding: 64px 24px;
+            color: var(--text-secondary);
+        }
+
+        .empty-state h3 {
+            font-size: 18px;
+            margin-bottom: 8px;
+            color: var(--text-primary);
+        }
+
+        /* Loading */
+        .loading {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 48px;
+            color: var(--text-secondary);
+        }
+
+        .spinner {
+            width: 24px;
+            height: 24px;
+            border: 2px solid var(--border-color);
+            border-top-color: var(--accent);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+            margin-right: 12px;
+        }
+
+        @keyframes spin {
+            to { transform: rotate(360deg); }
+        }
+
+        /* Hidden */
+        .hidden {
+            display: none !important;
+        }
+
+        /* Scrollbar */
+        ::-webkit-scrollbar {
+            width: 8px;
+            height: 8px;
+        }
+
+        ::-webkit-scrollbar-track {
+            background: var(--bg-secondary);
+        }
+
+        ::-webkit-scrollbar-thumb {
+            background: var(--border-color);
+            border-radius: 4px;
+        }
+
+        ::-webkit-scrollbar-thumb:hover {
+            background: var(--text-muted);
+        }
+
+        /* Pagination */
+        .pagination {
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            gap: 8px;
+            margin-top: 24px;
+            padding: 16px;
+        }
+
+        .pagination button {
+            padding: 8px 16px;
+            background: var(--bg-secondary);
+            border: 1px solid var(--border-color);
+            border-radius: 6px;
+            color: var(--text-primary);
+            font-size: 14px;
+            cursor: pointer;
+            transition: all 0.2s;
+        }
+
+        .pagination button:hover:not(:disabled) {
+            border-color: var(--accent);
+        }
+
+        .pagination button:disabled {
+            opacity: 0.5;
+            cursor: not-allowed;
+        }
+
+        .pagination .page-info {
+            color: var(--text-secondary);
+            font-size: 14px;
+            padding: 0 16px;
+        }
+
+        /* Duration bar */
+        .duration-bar {
+            height: 3px;
+            background: var(--border-color);
+            border-radius: 2px;
+            margin-top: 8px;
+            overflow: hidden;
+        }
+
+        .duration-bar-fill {
+            height: 100%;
+            background: var(--accent);
+            border-radius: 2px;
+            transition: width 0.3s;
+        }
+
+        /* Search highlighting */
+        .search-highlight {
+            background: #5c4d1a;
+            color: #ffd700;
+            padding: 1px 2px;
+            border-radius: 2px;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <header>
+            <h1>
+                <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+                    <path d="M9 11l3 3L22 4"/>
+                    <path d="M21 12v7a2 2 0 01-2 2H5a2 2 0 01-2-2V5a2 2 0 012-2h11"/>
+                </svg>
+                <span id="pageTitle">Results for {{ .SuiteName }}</span>
+            </h1>
+            <p class="file-info" id="fileInfo">No file loaded</p>
+        </header>
+
+        <div class="drop-zone" id="dropZone">
+            <h2>Load Test Results</h2>
+            <p>Drag and drop a JSON test results file here, or click to browse</p>
+            <label class="btn">
+                Choose File
+                <input type="file" id="fileInput" accept=".json">
+            </label>
+        </div>
+
+        <div id="resultsContainer" class="hidden">
+            <div class="summary" id="summary">
+                <div class="summary-card total" data-filter="all">
+                    <div class="count" id="totalCount">0</div>
+                    <div class="label">Total</div>
+                </div>
+                <div class="summary-card passed" data-filter="passed">
+                    <div class="count" id="passedCount">0</div>
+                    <div class="label">Passed</div>
+                </div>
+                <div class="summary-card failed" data-filter="failed">
+                    <div class="count" id="failedCount">0</div>
+                    <div class="label">Failed</div>
+                </div>
+                <div class="summary-card flaky" data-filter="flaky">
+                    <div class="count" id="flakyCount">0</div>
+                    <div class="label">Flaky</div>
+                </div>
+                <div class="summary-card skipped" data-filter="skipped">
+                    <div class="count" id="skippedCount">0</div>
+                    <div class="label">Skipped</div>
+                </div>
+            </div>
+
+            <div class="filters">
+                <div class="filter-group">
+                    <label for="nameFilter">Test Name</label>
+                    <input type="text" id="nameFilter" placeholder="Filter by name...">
+                </div>
+                <div class="filter-group">
+                    <label for="outputFilter">Output / Error</label>
+                    <input type="text" id="outputFilter" placeholder="Search (regex supported)...">
+                </div>
+                <div class="filter-group">
+                    <label for="lifecycleFilter">Lifecycle</label>
+                    <select id="lifecycleFilter">
+                        <option value="">All</option>
+                    </select>
+                </div>
+                <div class="filter-group hidden" id="binaryFilterGroup">
+                    <label for="binaryFilter">Binary</label>
+                    <select id="binaryFilter">
+                        <option value="">All</option>
+                    </select>
+                </div>
+                <div class="filter-group hidden" id="imageFilterGroup">
+                    <label for="imageFilter">Image</label>
+                    <select id="imageFilter">
+                        <option value="">All</option>
+                    </select>
+                </div>
+                <div class="filter-actions">
+                    <button class="btn-clear" id="clearFilters">Clear Filters</button>
+                </div>
+                <div class="filter-group time-slider-group" id="timeSliderContainer">
+                    <div class="time-slider-header">
+                        <label class="time-slider-label">Time Range</label>
+                        <span class="time-slider-values" id="timeSliderValues">0ms - 0ms</span>
+                        <button class="btn-clear" id="resetTimeSlider">Reset</button>
+                    </div>
+                    <div class="time-slider-track" id="timeSliderTrack">
+                        <div class="time-slider-range" id="timeSliderRange"></div>
+                        <div class="time-slider-handle" id="timeSliderStart" data-handle="start"></div>
+                        <div class="time-slider-handle" id="timeSliderEnd" data-handle="end"></div>
+                    </div>
+                    <div class="time-slider-ticks">
+                        <span id="timeTickStart">0ms</span>
+                        <span id="timeTickEnd">0ms</span>
+                    </div>
+                </div>
+            </div>
+
+            <div class="results-header">
+                <span class="results-count" id="resultsCount">0 tests</span>
+                <div class="sort-options">
+                    <label for="sortBy">Sort by:</label>
+                    <select id="sortBy">
+                        <option value="startTime" selected>Start Time</option>
+                        <option value="name">Name</option>
+                        <option value="duration-desc">Duration (longest first)</option>
+                        <option value="duration-asc">Duration (shortest first)</option>
+                        <option value="status">Status</option>
+                    </select>
+                </div>
+            </div>
+
+            <div class="test-list" id="testList"></div>
+
+            <div class="pagination" id="pagination">
+                <button id="prevPage">Previous</button>
+                <span class="page-info" id="pageInfo">Page 1 of 1</span>
+                <button id="nextPage">Next</button>
+            </div>
+        </div>
+
+        <div class="empty-state hidden" id="emptyState">
+            <h3>No tests match your filters</h3>
+            <p>Try adjusting your search criteria</p>
+        </div>
+    </div>
+
+    <script id="test-data" type="application/json">{{ .Data }}</script>
+    <script>
+        // State
+        let rawData = null;
+        try {
+            const dataEl = document.getElementById('test-data');
+            // Check for unrendered Go template - but not just any double-braces which may appear in test output
+            const isUnrenderedTemplate = dataEl && dataEl.textContent.trim().startsWith('{' + '{ .Data }' + '}');
+            if (dataEl && dataEl.textContent.trim() && !isUnrenderedTemplate) {
+                rawData = JSON.parse(dataEl.textContent);
+            }
+        } catch(e) {
+            console.error('Failed to parse embedded test data:', e);
+        }
+        let allTests = [];
+        let filteredTests = [];
+        let currentPage = 1;
+        const pageSize = 50;
+        let activeStatusFilter = 'all';
+        let runStartTime = 0;
+        let runEndTime = 0;
+        let totalRunDuration = 0;
+        let timeFilterStart = 0;
+        let timeFilterEnd = 0;
+        let outputSearchTerm = '';
+        let hasBinaryField = false;
+        let hasImageField = false;
+
+        // DOM Elements
+        const dropZone = document.getElementById('dropZone');
+        const fileInput = document.getElementById('fileInput');
+        const fileInfo = document.getElementById('fileInfo');
+        const resultsContainer = document.getElementById('resultsContainer');
+        const testList = document.getElementById('testList');
+        const emptyState = document.getElementById('emptyState');
+
+        // Initialize
+        function init() {
+            // Fix title if it contains template literal (no inline data)
+            const pageTitle = document.getElementById('pageTitle');
+            if (pageTitle && pageTitle.textContent.includes('{' + '{')) {
+                pageTitle.textContent = 'Test Results';
+                document.title = 'Test Results';
+            }
+
+            setupDragAndDrop();
+            setupFilters();
+            setupPagination();
+            setupSummaryCards();
+            setupTimeSlider();
+
+            if (rawData) {
+                processData(rawData, null);
+            }
+        }
+
+        // Drag and Drop
+        function setupDragAndDrop() {
+            dropZone.addEventListener('dragover', (e) => {
+                e.preventDefault();
+                dropZone.classList.add('drag-over');
+            });
+
+            dropZone.addEventListener('dragleave', () => {
+                dropZone.classList.remove('drag-over');
+            });
+
+            dropZone.addEventListener('drop', (e) => {
+                e.preventDefault();
+                dropZone.classList.remove('drag-over');
+                const file = e.dataTransfer.files[0];
+                if (file) loadFile(file);
+            });
+
+            dropZone.addEventListener('click', (e) => {
+                // Avoid double-triggering when clicking the label/button
+                if (e.target.tagName !== 'LABEL' && !e.target.closest('label')) {
+                    fileInput.click();
+                }
+            });
+            fileInput.addEventListener('change', (e) => {
+                if (e.target.files[0]) loadFile(e.target.files[0]);
+            });
+        }
+
+        // Load File
+        function loadFile(file) {
+            if (!file.name.endsWith('.json')) {
+                alert('Please select a JSON file');
+                return;
+            }
+
+            const reader = new FileReader();
+            reader.onload = (e) => {
+                try {
+                    const data = JSON.parse(e.target.result);
+                    processData(data, file.name);
+                } catch (err) {
+                    alert('Error parsing JSON file: ' + err.message);
+                }
+            };
+            reader.readAsText(file);
+        }
+
+        // Process Data
+        function processData(data, filename) {
+            // Handle both array and object with tests property
+            allTests = Array.isArray(data) ? data : (data.tests || []);
+
+            // Detect flaky tests (tests with multiple runs where at least one passed and one didn't)
+            const testsByName = {};
+            allTests.forEach(test => {
+                if (!testsByName[test.name]) {
+                    testsByName[test.name] = [];
+                }
+                testsByName[test.name].push(test);
+            });
+
+            const flakyTestNames = new Set();
+            Object.entries(testsByName).forEach(([name, tests]) => {
+                if (tests.length > 1) {
+                    const hasPassed = tests.some(t => t.result === 'passed');
+                    const hasNonPassed = tests.some(t => t.result !== 'passed');
+                    if (hasPassed && hasNonPassed) {
+                        flakyTestNames.add(name);
+                    }
+                }
+            });
+
+            // Parse timestamps and extract metadata
+            allTests = allTests.map(test => {
+                const startMs = test.startTime ? new Date(test.startTime.replace(' UTC', 'Z').replace(' ', 'T')).getTime() : 0;
+                const endMs = test.endTime ? new Date(test.endTime.replace(' UTC', 'Z').replace(' ', 'T')).getTime() : 0;
+                return {
+                    ...test,
+                    durationMs: test.duration || 0,
+                    startMs: startMs,
+                    endMs: endMs,
+                    isFlaky: flakyTestNames.has(test.name),
+                    displayResult: flakyTestNames.has(test.name) ? 'flaky' : test.result
+                };
+            });
+
+            // Calculate overall run timespan
+            const validStartTimes = allTests.filter(t => t.startMs > 0).map(t => t.startMs);
+            const validEndTimes = allTests.filter(t => t.endMs > 0).map(t => t.endMs);
+            runStartTime = validStartTimes.length > 0 ? Math.min(...validStartTimes) : 0;
+            runEndTime = validEndTimes.length > 0 ? Math.max(...validEndTimes) : 0;
+            totalRunDuration = runEndTime - runStartTime;
+
+            // Initialize time filter to full range
+            timeFilterStart = runStartTime;
+            timeFilterEnd = runEndTime;
+
+            // Update time slider ticks and UI
+            document.getElementById('timeTickStart').textContent = formatTimestamp(runStartTime);
+            document.getElementById('timeTickEnd').textContent = formatTimestamp(runEndTime);
+            if (window.updateTimeSliderUI) window.updateTimeSliderUI();
+
+            // Update file info and title
+            fileInfo.textContent = filename ? `${filename} - ${allTests.length} tests` : `${allTests.length} tests`;
+
+            // Update title if it contains template literal (file was loaded via picker)
+            const pageTitle = document.getElementById('pageTitle');
+            if (pageTitle && pageTitle.textContent.includes('{' + '{')) {
+                pageTitle.textContent = 'Test Results';
+                document.title = 'Test Results';
+            }
+
+            // Populate filters
+            populateFilters();
+
+            // Update counts
+            updateCounts();
+
+            // Show results
+            dropZone.classList.add('hidden');
+            resultsContainer.classList.remove('hidden');
+
+            // Apply filters and render
+            applyFilters();
+        }
+
+        // Populate filter dropdowns
+        function populateFilters() {
+            const lifecycles = [...new Set(allTests.map(t => t.lifecycle).filter(Boolean))].sort();
+
+            const lifecycleFilter = document.getElementById('lifecycleFilter');
+            lifecycleFilter.innerHTML = '<option value="">All</option>' +
+                lifecycles.map(l => `<option value="${l}">${l}</option>`).join('');
+
+            // Check for binary/image fields and populate if present
+            const binaries = [...new Set(allTests.map(t => t.source?.source_binary).filter(Boolean))].sort();
+            const images = [...new Set(allTests.map(t => t.source?.source_image).filter(Boolean))].sort();
+
+            hasBinaryField = binaries.length > 0;
+            hasImageField = images.length > 0;
+
+            const binaryFilterGroup = document.getElementById('binaryFilterGroup');
+            const imageFilterGroup = document.getElementById('imageFilterGroup');
+
+            if (hasBinaryField) {
+                binaryFilterGroup.classList.remove('hidden');
+                const binaryFilter = document.getElementById('binaryFilter');
+                binaryFilter.innerHTML = '<option value="">All</option>' +
+                    binaries.map(b => `<option value="${escapeHtml(b)}">${escapeHtml(b)}</option>`).join('');
+            } else {
+                binaryFilterGroup.classList.add('hidden');
+            }
+
+            if (hasImageField) {
+                imageFilterGroup.classList.remove('hidden');
+                const imageFilter = document.getElementById('imageFilter');
+                imageFilter.innerHTML = '<option value="">All</option>' +
+                    images.map(i => `<option value="${escapeHtml(i)}">${escapeHtml(i)}</option>`).join('');
+            } else {
+                imageFilterGroup.classList.add('hidden');
+            }
+        }
+
+        // Update summary counts
+        function updateCounts() {
+            const counts = {
+                total: allTests.length,
+                passed: allTests.filter(t => t.displayResult === 'passed').length,
+                failed: allTests.filter(t => t.displayResult === 'failed').length,
+                skipped: allTests.filter(t => t.displayResult === 'skipped').length,
+                flaky: allTests.filter(t => t.displayResult === 'flaky').length
+            };
+
+            document.getElementById('totalCount').textContent = counts.total;
+            document.getElementById('passedCount').textContent = counts.passed;
+            document.getElementById('failedCount').textContent = counts.failed;
+            document.getElementById('skippedCount').textContent = counts.skipped;
+            document.getElementById('flakyCount').textContent = counts.flaky;
+        }
+
+        // Setup summary card clicks
+        function setupSummaryCards() {
+            document.querySelectorAll('.summary-card').forEach(card => {
+                card.addEventListener('click', () => {
+                    const filter = card.dataset.filter;
+
+                    // Toggle active state
+                    document.querySelectorAll('.summary-card').forEach(c => c.classList.remove('active'));
+
+                    if (activeStatusFilter === filter) {
+                        activeStatusFilter = 'all';
+                    } else {
+                        activeStatusFilter = filter;
+                        card.classList.add('active');
+                    }
+
+                    applyFilters();
+                });
+            });
+        }
+
+        // Setup time slider
+        function setupTimeSlider() {
+            const track = document.getElementById('timeSliderTrack');
+            const startHandle = document.getElementById('timeSliderStart');
+            const endHandle = document.getElementById('timeSliderEnd');
+            const range = document.getElementById('timeSliderRange');
+            let dragging = null;
+
+            function updateSliderUI() {
+                if (totalRunDuration <= 0) return;
+                const startPercent = ((timeFilterStart - runStartTime) / totalRunDuration) * 100;
+                const endPercent = ((timeFilterEnd - runStartTime) / totalRunDuration) * 100;
+                startHandle.style.left = startPercent + '%';
+                endHandle.style.left = endPercent + '%';
+                range.style.left = startPercent + '%';
+                range.style.width = (endPercent - startPercent) + '%';
+                document.getElementById('timeSliderValues').textContent =
+                    formatTimestamp(timeFilterStart) + ' - ' + formatTimestamp(timeFilterEnd);
+            }
+
+            function handleDrag(e) {
+                if (!dragging || totalRunDuration <= 0) return;
+                const rect = track.getBoundingClientRect();
+                let percent = (e.clientX - rect.left) / rect.width;
+                percent = Math.max(0, Math.min(1, percent));
+                const time = runStartTime + (percent * totalRunDuration);
+
+                if (dragging === 'start') {
+                    timeFilterStart = Math.min(time, timeFilterEnd - 1);
+                } else {
+                    timeFilterEnd = Math.max(time, timeFilterStart + 1);
+                }
+                updateSliderUI();
+            }
+
+            function stopDrag() {
+                if (dragging) {
+                    dragging = null;
+                    applyFilters();
+                }
+                document.removeEventListener('mousemove', handleDrag);
+                document.removeEventListener('mouseup', stopDrag);
+            }
+
+            startHandle.addEventListener('mousedown', (e) => {
+                e.preventDefault();
+                dragging = 'start';
+                document.addEventListener('mousemove', handleDrag);
+                document.addEventListener('mouseup', stopDrag);
+            });
+
+            endHandle.addEventListener('mousedown', (e) => {
+                e.preventDefault();
+                dragging = 'end';
+                document.addEventListener('mousemove', handleDrag);
+                document.addEventListener('mouseup', stopDrag);
+            });
+
+            // Click on track to move nearest handle
+            track.addEventListener('click', (e) => {
+                if (e.target === startHandle || e.target === endHandle) return;
+                const rect = track.getBoundingClientRect();
+                const percent = (e.clientX - rect.left) / rect.width;
+                const time = runStartTime + (percent * totalRunDuration);
+                const distToStart = Math.abs(time - timeFilterStart);
+                const distToEnd = Math.abs(time - timeFilterEnd);
+                if (distToStart < distToEnd) {
+                    timeFilterStart = Math.min(time, timeFilterEnd - 1);
+                } else {
+                    timeFilterEnd = Math.max(time, timeFilterStart + 1);
+                }
+                updateSliderUI();
+                applyFilters();
+            });
+
+            // Reset button
+            document.getElementById('resetTimeSlider').addEventListener('click', () => {
+                timeFilterStart = runStartTime;
+                timeFilterEnd = runEndTime;
+                updateSliderUI();
+                applyFilters();
+            });
+
+            // Expose update function globally
+            window.updateTimeSliderUI = updateSliderUI;
+        }
+
+        // Setup filters
+        function setupFilters() {
+            const nameFilter = document.getElementById('nameFilter');
+            const outputFilter = document.getElementById('outputFilter');
+            const lifecycleFilter = document.getElementById('lifecycleFilter');
+            const binaryFilter = document.getElementById('binaryFilter');
+            const imageFilter = document.getElementById('imageFilter');
+            const sortBy = document.getElementById('sortBy');
+            const clearFilters = document.getElementById('clearFilters');
+
+            let debounceTimer;
+            nameFilter.addEventListener('input', () => {
+                clearTimeout(debounceTimer);
+                debounceTimer = setTimeout(() => applyFilters(), 300);
+            });
+
+            outputFilter.addEventListener('input', () => {
+                clearTimeout(debounceTimer);
+                debounceTimer = setTimeout(() => {
+                    outputSearchTerm = outputFilter.value;
+                    applyFilters();
+                }, 300);
+            });
+
+            [lifecycleFilter, binaryFilter, imageFilter, sortBy].forEach(el => {
+                el.addEventListener('change', () => applyFilters());
+            });
+
+            clearFilters.addEventListener('click', () => {
+                nameFilter.value = '';
+                outputFilter.value = '';
+                outputSearchTerm = '';
+                lifecycleFilter.value = '';
+                binaryFilter.value = '';
+                imageFilter.value = '';
+                activeStatusFilter = 'all';
+                document.querySelectorAll('.summary-card').forEach(c => c.classList.remove('active'));
+                applyFilters();
+            });
+        }
+
+        // Apply filters
+        function applyFilters() {
+            const nameFilter = document.getElementById('nameFilter').value.toLowerCase();
+            const lifecycleFilter = document.getElementById('lifecycleFilter').value;
+            const binaryFilter = document.getElementById('binaryFilter').value;
+            const imageFilter = document.getElementById('imageFilter').value;
+            const sortBy = document.getElementById('sortBy').value;
+            const outputSearch = outputSearchTerm.toLowerCase();
+
+            filteredTests = allTests.filter(test => {
+                if (activeStatusFilter !== 'all' && test.displayResult !== activeStatusFilter) return false;
+                if (nameFilter && !test.name.toLowerCase().includes(nameFilter)) return false;
+                if (lifecycleFilter && test.lifecycle !== lifecycleFilter) return false;
+                if (binaryFilter && (test.source?.source_binary || '') !== binaryFilter) return false;
+                if (imageFilter && (test.source?.source_image || '') !== imageFilter) return false;
+                // Output/error search filter (supports regex)
+                if (outputSearch) {
+                    const output = test.output || '';
+                    const error = test.error || '';
+                    try {
+                        const regex = new RegExp(outputSearchTerm, 'i');
+                        if (!regex.test(output) && !regex.test(error)) return false;
+                    } catch (e) {
+                        // Invalid regex, fall back to literal search
+                        if (!output.toLowerCase().includes(outputSearch) && !error.toLowerCase().includes(outputSearch)) return false;
+                    }
+                }
+                // Time range filter: include test if it overlaps with the selected range
+                if (test.startMs > 0 && totalRunDuration > 0) {
+                    const testEnd = test.endMs || (test.startMs + test.durationMs);
+                    if (testEnd < timeFilterStart || test.startMs > timeFilterEnd) return false;
+                }
+                return true;
+            });
+
+            // Sort
+            filteredTests.sort((a, b) => {
+                switch (sortBy) {
+                    case 'duration-desc':
+                        return b.durationMs - a.durationMs;
+                    case 'duration-asc':
+                        return a.durationMs - b.durationMs;
+                    case 'status':
+                        const order = { failed: 0, flaky: 1, passed: 2, skipped: 3 };
+                        return (order[a.displayResult] || 4) - (order[b.displayResult] || 4);
+                    case 'startTime':
+                        return (a.startMs || 0) - (b.startMs || 0);
+                    default:
+                        return a.name.localeCompare(b.name);
+                }
+            });
+
+            currentPage = 1;
+            renderTests();
+            updatePagination();
+        }
+
+        // Render tests
+        function renderTests() {
+            const start = (currentPage - 1) * pageSize;
+            const end = start + pageSize;
+            const pageTests = filteredTests.slice(start, end);
+
+            document.getElementById('resultsCount').textContent =
+                `${filteredTests.length} test${filteredTests.length !== 1 ? 's' : ''}`;
+
+            if (pageTests.length === 0) {
+                testList.innerHTML = '';
+                emptyState.classList.remove('hidden');
+                document.getElementById('pagination').classList.add('hidden');
+                return;
+            }
+
+            emptyState.classList.add('hidden');
+            document.getElementById('pagination').classList.remove('hidden');
+
+            testList.innerHTML = pageTests.map((test, idx) => `
+                <div class="test-item" data-index="${start + idx}">
+                    <div class="test-header" onclick="toggleTest(this.parentElement)">
+                        <div class="test-status ${test.displayResult}"></div>
+                        <div class="test-info">
+                            <div class="test-name">${escapeHtml(test.name)}</div>
+                            <div class="test-meta">
+                                <span class="tag ${test.displayResult}">${test.displayResult}</span>
+                                ${test.isFlaky ? `<span class="test-meta-item">(${test.result})</span>` : ''}
+                                ${test.lifecycle ? `<span class="test-meta-item">${escapeHtml(test.lifecycle)}</span>` : ''}
+                                <span class="test-meta-item">${formatDuration(test.durationMs)}</span>
+                                ${test.startTime ? `<span class="test-meta-item">${escapeHtml(test.startTime)}</span>` : ''}
+                            </div>
+                            ${totalRunDuration > 0 && test.startMs > 0 ? `
+                            <div class="duration-bar">
+                                <div class="duration-bar-fill" style="margin-left: ${((test.startMs - runStartTime) / totalRunDuration) * 100}%; width: ${Math.max((test.durationMs / totalRunDuration) * 100, 0.5)}%"></div>
+                            </div>
+                            ` : ''}
+                        </div>
+                        <button class="copy-btn" onclick="event.stopPropagation(); copyTestJson(${start + idx})" title="Copy JSON to clipboard">
+                            <svg width="16" height="16" viewBox="0 0 16 16" fill="currentColor">
+                                <path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 010 1.5h-1.5a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-1.5a.75.75 0 011.5 0v1.5A1.75 1.75 0 019.25 16h-7.5A1.75 1.75 0 010 14.25v-7.5z"/>
+                                <path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0114.25 11h-7.5A1.75 1.75 0 015 9.25v-7.5zm1.75-.25a.25.25 0 00-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 00.25-.25v-7.5a.25.25 0 00-.25-.25h-7.5z"/>
+                            </svg>
+                        </button>
+                        <div class="test-toggle">
+                            <svg width="16" height="16" viewBox="0 0 16 16" fill="currentColor">
+                                <path d="M6 12l4-4-4-4"/>
+                            </svg>
+                        </div>
+                    </div>
+                    <div class="test-output">
+                        <div class="test-details-panel">
+                            <div class="details-grid">
+                                <div class="detail-item">
+                                    <span class="detail-label">Status</span>
+                                    <span class="detail-value"><span class="tag ${test.displayResult}">${test.displayResult}</span>${test.isFlaky ? ` <span class="tag-subtle">(${test.result})</span>` : ''}</span>
+                                </div>
+                                <div class="detail-item">
+                                    <span class="detail-label">Duration</span>
+                                    <span class="detail-value">${formatDuration(test.durationMs)}</span>
+                                </div>
+                                <div class="detail-item">
+                                    <span class="detail-label">Start Time</span>
+                                    <span class="detail-value">${escapeHtml(test.startTime || 'N/A')}</span>
+                                </div>
+                                <div class="detail-item">
+                                    <span class="detail-label">End Time</span>
+                                    <span class="detail-value">${escapeHtml(test.endTime || 'N/A')}</span>
+                                </div>
+                                ${test.lifecycle ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Lifecycle</span>
+                                    <span class="detail-value">${escapeHtml(test.lifecycle)}</span>
+                                </div>
+                                ` : ''}
+                                ${test.source ? `
+                                ${test.source.source_binary ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Binary</span>
+                                    <span class="detail-value mono">${escapeHtml(test.source.source_binary)}</span>
+                                </div>
+                                ` : ''}
+                                ${test.source.source_image ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Image</span>
+                                    <span class="detail-value mono">${escapeHtml(test.source.source_image)}</span>
+                                </div>
+                                ` : ''}
+                                ${test.source.commit ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Commit</span>
+                                    <span class="detail-value mono">${escapeHtml(test.source.commit)}</span>
+                                </div>
+                                ` : ''}
+                                ${test.source.build_date ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Build Date</span>
+                                    <span class="detail-value">${escapeHtml(test.source.build_date)}</span>
+                                </div>
+                                ` : ''}
+                                ${test.source.git_tree_state ? `
+                                <div class="detail-item">
+                                    <span class="detail-label">Git State</span>
+                                    <span class="detail-value">${escapeHtml(test.source.git_tree_state)}</span>
+                                </div>
+                                ` : ''}
+                                ` : ''}
+                            </div>
+                        </div>
+                        ${test.error ? `
+                        <div class="output-section">
+                            <div class="output-label">Error</div>
+                            <div class="output-content error-content">${formatOutput(test.error)}</div>
+                        </div>
+                        ` : ''}
+                        <div class="output-section">
+                            <div class="output-label">Output</div>
+                            <div class="output-content">${formatOutput(test.output || 'No output available')}</div>
+                        </div>
+                    </div>
+                </div>
+            `).join('');
+        }
+
+        // Toggle test expansion
+        window.toggleTest = function(element) {
+            element.classList.toggle('expanded');
+        }
+
+        // Copy test JSON to clipboard
+        window.copyTestJson = function(index) {
+            const test = filteredTests[index];
+            if (!test) return;
+
+            // Get original test data (without computed properties)
+            const originalTest = {
+                name: test.name,
+                lifecycle: test.lifecycle,
+                duration: test.duration,
+                startTime: test.startTime,
+                endTime: test.endTime,
+                result: test.result,
+                error: test.error,
+                output: test.output,
+                source: test.source
+            };
+
+            const json = JSON.stringify(originalTest, null, 2);
+
+            navigator.clipboard.writeText(json).then(() => {
+                // Show feedback
+                const btn = document.querySelector(`[data-index="${index}"] .copy-btn`);
+                if (btn) {
+                    btn.classList.add('copied');
+                    setTimeout(() => btn.classList.remove('copied'), 1500);
+                }
+            }).catch(err => {
+                console.error('Failed to copy:', err);
+                alert('Failed to copy to clipboard');
+            });
+        }
+
+        // Format duration
+        function formatDuration(ms) {
+            if (!ms) return '0ms';
+            if (ms < 1000) return `${ms}ms`;
+            if (ms < 60000) return `${(ms / 1000).toFixed(2)}s`;
+            const mins = Math.floor(ms / 60000);
+            const secs = ((ms % 60000) / 1000).toFixed(1);
+            return `${mins}m ${secs}s`;
+        }
+
+        // Format timestamp as HH:MM:SS
+        function formatTimestamp(ms) {
+            if (!ms) return '--:--:--';
+            const date = new Date(ms);
+            return date.toTimeString().split(' ')[0];
+        }
+
+        // Format output with syntax highlighting
+        function formatOutput(output) {
+            return escapeHtml(output)
+                .split('\n')
+                .map(line => {
+                    let className = '';
+                    if (line.includes('STEP:')) className = 'log-step';
+                    else if (line.match(/error|fail|panic/i)) className = 'log-error';
+                    else if (line.match(/warn/i)) className = 'log-warning';
+                    else if (line.match(/success|pass/i)) className = 'log-success';
+                    else if (line.match(/skip/i)) className = 'log-skip';
+                    else if (line.match(/^I\d{4}/)) className = 'log-info';
+
+                    // Highlight search matches (supports regex)
+                    let highlightedLine = line;
+                    if (outputSearchTerm) {
+                        try {
+                            const regex = new RegExp(`(${outputSearchTerm})`, 'gi');
+                            highlightedLine = line.replace(regex, '<span class="search-highlight">$1</span>');
+                        } catch (e) {
+                            // Invalid regex, fall back to literal search
+                            const escapedTerm = escapeHtml(outputSearchTerm).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+                            const literalRegex = new RegExp(`(${escapedTerm})`, 'gi');
+                            highlightedLine = line.replace(literalRegex, '<span class="search-highlight">$1</span>');
+                        }
+                    }
+
+                    return `<div class="log-line ${className}">${highlightedLine}</div>`;
+                })
+                .join('');
+        }
+
+        // Escape HTML
+        function escapeHtml(str) {
+            if (!str) return '';
+            const div = document.createElement('div');
+            div.textContent = str;
+            return div.innerHTML;
+        }
+
+        // Setup pagination
+        function setupPagination() {
+            document.getElementById('prevPage').addEventListener('click', () => {
+                if (currentPage > 1) {
+                    currentPage--;
+                    renderTests();
+                    updatePagination();
+                    window.scrollTo(0, 0);
+                }
+            });
+
+            document.getElementById('nextPage').addEventListener('click', () => {
+                const totalPages = Math.ceil(filteredTests.length / pageSize);
+                if (currentPage < totalPages) {
+                    currentPage++;
+                    renderTests();
+                    updatePagination();
+                    window.scrollTo(0, 0);
+                }
+            });
+        }
+
+        // Update pagination
+        function updatePagination() {
+            const totalPages = Math.max(1, Math.ceil(filteredTests.length / pageSize));
+            document.getElementById('pageInfo').textContent = `Page ${currentPage} of ${totalPages}`;
+            document.getElementById('prevPage').disabled = currentPage === 1;
+            document.getElementById('nextPage').disabled = currentPage >= totalPages;
+        }
+
+        // Initialize on load
+        init();
+    </script>
+</body>
+</html>
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/types.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/types.go
index 3b51674f4aa89..00d2d9d6633fc 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/types.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/extension/types.go
@@ -88,4 +88,7 @@ type Image struct {
 	Registry string `json:"registry"`
 	Name     string `json:"name"`
 	Version  string `json:"version"`
+	// Mapped is the image reference that this image is mirrored to by the image mirror tool.
+	// This field should be populated if the mirrored image reference is predetermined by the test extensions.
+	Mapped *Image `json:"mapped,omitempty"`
 }
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/logging.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/logging.go
index 0b84ca41cfd9f..1cf299a7c0a0b 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/logging.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/logging.go
@@ -17,5 +17,9 @@ func GinkgoLogrFunc(writer ginkgo.GinkgoWriterInterface) logr.Logger {
 		} else {
 			writer.Printf("%s %s\n", prefix, args)
 		}
-	}, funcr.Options{})
+	}, funcr.Options{
+		// LogTimestamp adds timestamps to log lines using the format "2006-01-02 15:04:05.000000"
+		// See: https://github.com/go-logr/logr/blob/bb8ea8159175ccb4eddf4ac8704f84e40ac6d9b0/funcr/funcr.go#L211
+		LogTimestamp: true,
+	})
 }
diff --git a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/util.go b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/util.go
index 308576c633d5c..e970d46ad4176 100644
--- a/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/util.go
+++ b/vendor/github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo/util.go
@@ -115,7 +115,7 @@ func BuildExtensionTestSpecsFromOpenShiftGinkgoSuite(selectFns ...ext.SelectFunc
 							summary.Failure.ForwardedPanic,
 						)
 					}
-				case summary.State == types.SpecStateFailed, summary.State == types.SpecStatePanicked, summary.State == types.SpecStateInterrupted:
+				case summary.State == types.SpecStateFailed, summary.State == types.SpecStatePanicked, summary.State == types.SpecStateInterrupted, summary.State == types.SpecStateAborted:
 					result.Result = ext.ResultFailed
 					var errors []string
 					if len(summary.Failure.ForwardedPanic) > 0 {
@@ -126,6 +126,17 @@ func BuildExtensionTestSpecsFromOpenShiftGinkgoSuite(selectFns ...ext.SelectFunc
 					}
 					errors = append(errors, fmt.Sprintf("fail [%s:%d]: %s", lastFilenameSegment(summary.Failure.Location.FileName), summary.Failure.Location.LineNumber, summary.Failure.Message))
 					result.Error = strings.Join(errors, "\n")
+				case summary.State == types.SpecStateTimedout:
+					result.Result = ext.ResultFailed
+					var errors []string
+					for _, additionalFailure := range summary.AdditionalFailures {
+						collectAdditionalFailures(&errors, "  ", additionalFailure.Failure)
+					}
+					if summary.Failure.AdditionalFailure != nil {
+						collectAdditionalFailures(&errors, "  ", summary.Failure.AdditionalFailure.Failure)
+					}
+					errors = append(errors, fmt.Sprintf("fail [%s:%d]: %s", lastFilenameSegment(summary.Failure.Location.FileName), summary.Failure.Location.LineNumber, summary.Failure.Message))
+					result.Error = strings.Join(errors, "\n")
 				default:
 					panic(fmt.Sprintf("test produced unknown outcome: %#v", summary))
 				}
@@ -198,3 +209,21 @@ func lastFilenameSegment(filename string) string {
 	}
 	return filename
 }
+
+func collectAdditionalFailures(errors *[]string, suffix string, failure types.Failure) {
+	if failure.IsZero() {
+		return
+	}
+
+	if len(failure.ForwardedPanic) > 0 {
+		if len(failure.Location.FullStackTrace) > 0 {
+			*errors = append(*errors, fmt.Sprintf("\n%s\n", failure.Location.FullStackTrace))
+		}
+		*errors = append(*errors, fmt.Sprintf("fail [%s:%d]: Test Panicked: %s%s", lastFilenameSegment(failure.Location.FileName), failure.Location.LineNumber, failure.ForwardedPanic, suffix))
+	}
+	*errors = append(*errors, fmt.Sprintf("fail [%s:%d] %s%s", lastFilenameSegment(failure.Location.FileName), failure.Location.LineNumber, failure.Message, suffix))
+
+	if failure.AdditionalFailure != nil {
+		collectAdditionalFailures(errors, "  ", failure.AdditionalFailure.Failure)
+	}
+}
diff --git a/vendor/github.com/openshift/api/apps/v1/generated.pb.go b/vendor/github.com/openshift/api/apps/v1/generated.pb.go
index 18ed8b9310a6f..af082325972df 100644
--- a/vendor/github.com/openshift/api/apps/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/apps/v1/generated.pb.go
@@ -7,14 +7,12 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
@@ -22,856 +20,51 @@ import (
 	intstr "k8s.io/apimachinery/pkg/util/intstr"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *CustomDeploymentStrategyParams) Reset() { *m = CustomDeploymentStrategyParams{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *DeploymentCause) Reset() { *m = DeploymentCause{} }
 
-func (m *CustomDeploymentStrategyParams) Reset()      { *m = CustomDeploymentStrategyParams{} }
-func (*CustomDeploymentStrategyParams) ProtoMessage() {}
-func (*CustomDeploymentStrategyParams) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{0}
-}
-func (m *CustomDeploymentStrategyParams) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomDeploymentStrategyParams) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomDeploymentStrategyParams) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomDeploymentStrategyParams.Merge(m, src)
-}
-func (m *CustomDeploymentStrategyParams) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomDeploymentStrategyParams) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomDeploymentStrategyParams.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomDeploymentStrategyParams proto.InternalMessageInfo
-
-func (m *DeploymentCause) Reset()      { *m = DeploymentCause{} }
-func (*DeploymentCause) ProtoMessage() {}
-func (*DeploymentCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{1}
-}
-func (m *DeploymentCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCause.Merge(m, src)
-}
-func (m *DeploymentCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCause.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCause proto.InternalMessageInfo
-
-func (m *DeploymentCauseImageTrigger) Reset()      { *m = DeploymentCauseImageTrigger{} }
-func (*DeploymentCauseImageTrigger) ProtoMessage() {}
-func (*DeploymentCauseImageTrigger) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{2}
-}
-func (m *DeploymentCauseImageTrigger) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCauseImageTrigger) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCauseImageTrigger) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCauseImageTrigger.Merge(m, src)
-}
-func (m *DeploymentCauseImageTrigger) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCauseImageTrigger) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCauseImageTrigger.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCauseImageTrigger proto.InternalMessageInfo
-
-func (m *DeploymentCondition) Reset()      { *m = DeploymentCondition{} }
-func (*DeploymentCondition) ProtoMessage() {}
-func (*DeploymentCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{3}
-}
-func (m *DeploymentCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentCondition.Merge(m, src)
-}
-func (m *DeploymentCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentCondition proto.InternalMessageInfo
-
-func (m *DeploymentConfig) Reset()      { *m = DeploymentConfig{} }
-func (*DeploymentConfig) ProtoMessage() {}
-func (*DeploymentConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{4}
-}
-func (m *DeploymentConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfig.Merge(m, src)
-}
-func (m *DeploymentConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfig proto.InternalMessageInfo
-
-func (m *DeploymentConfigList) Reset()      { *m = DeploymentConfigList{} }
-func (*DeploymentConfigList) ProtoMessage() {}
-func (*DeploymentConfigList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{5}
-}
-func (m *DeploymentConfigList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfigList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfigList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfigList.Merge(m, src)
-}
-func (m *DeploymentConfigList) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfigList) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfigList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfigList proto.InternalMessageInfo
-
-func (m *DeploymentConfigRollback) Reset()      { *m = DeploymentConfigRollback{} }
-func (*DeploymentConfigRollback) ProtoMessage() {}
-func (*DeploymentConfigRollback) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{6}
-}
-func (m *DeploymentConfigRollback) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfigRollback) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfigRollback) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfigRollback.Merge(m, src)
-}
-func (m *DeploymentConfigRollback) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfigRollback) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfigRollback.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfigRollback proto.InternalMessageInfo
-
-func (m *DeploymentConfigRollbackSpec) Reset()      { *m = DeploymentConfigRollbackSpec{} }
-func (*DeploymentConfigRollbackSpec) ProtoMessage() {}
-func (*DeploymentConfigRollbackSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{7}
-}
-func (m *DeploymentConfigRollbackSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfigRollbackSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfigRollbackSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfigRollbackSpec.Merge(m, src)
-}
-func (m *DeploymentConfigRollbackSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfigRollbackSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfigRollbackSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfigRollbackSpec proto.InternalMessageInfo
-
-func (m *DeploymentConfigSpec) Reset()      { *m = DeploymentConfigSpec{} }
-func (*DeploymentConfigSpec) ProtoMessage() {}
-func (*DeploymentConfigSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{8}
-}
-func (m *DeploymentConfigSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfigSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfigSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfigSpec.Merge(m, src)
-}
-func (m *DeploymentConfigSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfigSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfigSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfigSpec proto.InternalMessageInfo
-
-func (m *DeploymentConfigStatus) Reset()      { *m = DeploymentConfigStatus{} }
-func (*DeploymentConfigStatus) ProtoMessage() {}
-func (*DeploymentConfigStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{9}
-}
-func (m *DeploymentConfigStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentConfigStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentConfigStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentConfigStatus.Merge(m, src)
-}
-func (m *DeploymentConfigStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentConfigStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentConfigStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentConfigStatus proto.InternalMessageInfo
-
-func (m *DeploymentDetails) Reset()      { *m = DeploymentDetails{} }
-func (*DeploymentDetails) ProtoMessage() {}
-func (*DeploymentDetails) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{10}
-}
-func (m *DeploymentDetails) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentDetails) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentDetails.Merge(m, src)
-}
-func (m *DeploymentDetails) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentDetails) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentDetails.DiscardUnknown(m)
-}
+func (m *DeploymentCauseImageTrigger) Reset() { *m = DeploymentCauseImageTrigger{} }
 
-var xxx_messageInfo_DeploymentDetails proto.InternalMessageInfo
+func (m *DeploymentCondition) Reset() { *m = DeploymentCondition{} }
 
-func (m *DeploymentLog) Reset()      { *m = DeploymentLog{} }
-func (*DeploymentLog) ProtoMessage() {}
-func (*DeploymentLog) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{11}
-}
-func (m *DeploymentLog) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentLog) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentLog) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentLog.Merge(m, src)
-}
-func (m *DeploymentLog) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentLog) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentLog.DiscardUnknown(m)
-}
+func (m *DeploymentConfig) Reset() { *m = DeploymentConfig{} }
 
-var xxx_messageInfo_DeploymentLog proto.InternalMessageInfo
+func (m *DeploymentConfigList) Reset() { *m = DeploymentConfigList{} }
 
-func (m *DeploymentLogOptions) Reset()      { *m = DeploymentLogOptions{} }
-func (*DeploymentLogOptions) ProtoMessage() {}
-func (*DeploymentLogOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{12}
-}
-func (m *DeploymentLogOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentLogOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentLogOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentLogOptions.Merge(m, src)
-}
-func (m *DeploymentLogOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentLogOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentLogOptions.DiscardUnknown(m)
-}
+func (m *DeploymentConfigRollback) Reset() { *m = DeploymentConfigRollback{} }
 
-var xxx_messageInfo_DeploymentLogOptions proto.InternalMessageInfo
+func (m *DeploymentConfigRollbackSpec) Reset() { *m = DeploymentConfigRollbackSpec{} }
 
-func (m *DeploymentRequest) Reset()      { *m = DeploymentRequest{} }
-func (*DeploymentRequest) ProtoMessage() {}
-func (*DeploymentRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{13}
-}
-func (m *DeploymentRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentRequest.Merge(m, src)
-}
-func (m *DeploymentRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentRequest proto.InternalMessageInfo
-
-func (m *DeploymentStrategy) Reset()      { *m = DeploymentStrategy{} }
-func (*DeploymentStrategy) ProtoMessage() {}
-func (*DeploymentStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{14}
-}
-func (m *DeploymentStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentStrategy.Merge(m, src)
-}
-func (m *DeploymentStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentStrategy.DiscardUnknown(m)
-}
+func (m *DeploymentConfigSpec) Reset() { *m = DeploymentConfigSpec{} }
 
-var xxx_messageInfo_DeploymentStrategy proto.InternalMessageInfo
+func (m *DeploymentConfigStatus) Reset() { *m = DeploymentConfigStatus{} }
 
-func (m *DeploymentTriggerImageChangeParams) Reset()      { *m = DeploymentTriggerImageChangeParams{} }
-func (*DeploymentTriggerImageChangeParams) ProtoMessage() {}
-func (*DeploymentTriggerImageChangeParams) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{15}
-}
-func (m *DeploymentTriggerImageChangeParams) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentTriggerImageChangeParams) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentTriggerImageChangeParams) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentTriggerImageChangeParams.Merge(m, src)
-}
-func (m *DeploymentTriggerImageChangeParams) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentTriggerImageChangeParams) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentTriggerImageChangeParams.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeploymentTriggerImageChangeParams proto.InternalMessageInfo
-
-func (m *DeploymentTriggerPolicies) Reset()      { *m = DeploymentTriggerPolicies{} }
-func (*DeploymentTriggerPolicies) ProtoMessage() {}
-func (*DeploymentTriggerPolicies) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{16}
-}
-func (m *DeploymentTriggerPolicies) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentTriggerPolicies) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentTriggerPolicies) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentTriggerPolicies.Merge(m, src)
-}
-func (m *DeploymentTriggerPolicies) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentTriggerPolicies) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentTriggerPolicies.DiscardUnknown(m)
-}
+func (m *DeploymentDetails) Reset() { *m = DeploymentDetails{} }
 
-var xxx_messageInfo_DeploymentTriggerPolicies proto.InternalMessageInfo
+func (m *DeploymentLog) Reset() { *m = DeploymentLog{} }
 
-func (m *DeploymentTriggerPolicy) Reset()      { *m = DeploymentTriggerPolicy{} }
-func (*DeploymentTriggerPolicy) ProtoMessage() {}
-func (*DeploymentTriggerPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{17}
-}
-func (m *DeploymentTriggerPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DeploymentTriggerPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DeploymentTriggerPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeploymentTriggerPolicy.Merge(m, src)
-}
-func (m *DeploymentTriggerPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DeploymentTriggerPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeploymentTriggerPolicy.DiscardUnknown(m)
-}
+func (m *DeploymentLogOptions) Reset() { *m = DeploymentLogOptions{} }
 
-var xxx_messageInfo_DeploymentTriggerPolicy proto.InternalMessageInfo
+func (m *DeploymentRequest) Reset() { *m = DeploymentRequest{} }
 
-func (m *ExecNewPodHook) Reset()      { *m = ExecNewPodHook{} }
-func (*ExecNewPodHook) ProtoMessage() {}
-func (*ExecNewPodHook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{18}
-}
-func (m *ExecNewPodHook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExecNewPodHook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExecNewPodHook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExecNewPodHook.Merge(m, src)
-}
-func (m *ExecNewPodHook) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExecNewPodHook) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExecNewPodHook.DiscardUnknown(m)
-}
+func (m *DeploymentStrategy) Reset() { *m = DeploymentStrategy{} }
 
-var xxx_messageInfo_ExecNewPodHook proto.InternalMessageInfo
+func (m *DeploymentTriggerImageChangeParams) Reset() { *m = DeploymentTriggerImageChangeParams{} }
 
-func (m *LifecycleHook) Reset()      { *m = LifecycleHook{} }
-func (*LifecycleHook) ProtoMessage() {}
-func (*LifecycleHook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{19}
-}
-func (m *LifecycleHook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LifecycleHook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LifecycleHook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LifecycleHook.Merge(m, src)
-}
-func (m *LifecycleHook) XXX_Size() int {
-	return m.Size()
-}
-func (m *LifecycleHook) XXX_DiscardUnknown() {
-	xxx_messageInfo_LifecycleHook.DiscardUnknown(m)
-}
+func (m *DeploymentTriggerPolicies) Reset() { *m = DeploymentTriggerPolicies{} }
 
-var xxx_messageInfo_LifecycleHook proto.InternalMessageInfo
+func (m *DeploymentTriggerPolicy) Reset() { *m = DeploymentTriggerPolicy{} }
 
-func (m *RecreateDeploymentStrategyParams) Reset()      { *m = RecreateDeploymentStrategyParams{} }
-func (*RecreateDeploymentStrategyParams) ProtoMessage() {}
-func (*RecreateDeploymentStrategyParams) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{20}
-}
-func (m *RecreateDeploymentStrategyParams) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RecreateDeploymentStrategyParams) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RecreateDeploymentStrategyParams) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RecreateDeploymentStrategyParams.Merge(m, src)
-}
-func (m *RecreateDeploymentStrategyParams) XXX_Size() int {
-	return m.Size()
-}
-func (m *RecreateDeploymentStrategyParams) XXX_DiscardUnknown() {
-	xxx_messageInfo_RecreateDeploymentStrategyParams.DiscardUnknown(m)
-}
+func (m *ExecNewPodHook) Reset() { *m = ExecNewPodHook{} }
 
-var xxx_messageInfo_RecreateDeploymentStrategyParams proto.InternalMessageInfo
+func (m *LifecycleHook) Reset() { *m = LifecycleHook{} }
 
-func (m *RollingDeploymentStrategyParams) Reset()      { *m = RollingDeploymentStrategyParams{} }
-func (*RollingDeploymentStrategyParams) ProtoMessage() {}
-func (*RollingDeploymentStrategyParams) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{21}
-}
-func (m *RollingDeploymentStrategyParams) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RollingDeploymentStrategyParams) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RollingDeploymentStrategyParams) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RollingDeploymentStrategyParams.Merge(m, src)
-}
-func (m *RollingDeploymentStrategyParams) XXX_Size() int {
-	return m.Size()
-}
-func (m *RollingDeploymentStrategyParams) XXX_DiscardUnknown() {
-	xxx_messageInfo_RollingDeploymentStrategyParams.DiscardUnknown(m)
-}
+func (m *RecreateDeploymentStrategyParams) Reset() { *m = RecreateDeploymentStrategyParams{} }
 
-var xxx_messageInfo_RollingDeploymentStrategyParams proto.InternalMessageInfo
+func (m *RollingDeploymentStrategyParams) Reset() { *m = RollingDeploymentStrategyParams{} }
 
-func (m *TagImageHook) Reset()      { *m = TagImageHook{} }
-func (*TagImageHook) ProtoMessage() {}
-func (*TagImageHook) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8f1b1bee37da74c1, []int{22}
-}
-func (m *TagImageHook) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagImageHook) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagImageHook) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagImageHook.Merge(m, src)
-}
-func (m *TagImageHook) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagImageHook) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagImageHook.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TagImageHook proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*CustomDeploymentStrategyParams)(nil), "github.com.openshift.api.apps.v1.CustomDeploymentStrategyParams")
-	proto.RegisterType((*DeploymentCause)(nil), "github.com.openshift.api.apps.v1.DeploymentCause")
-	proto.RegisterType((*DeploymentCauseImageTrigger)(nil), "github.com.openshift.api.apps.v1.DeploymentCauseImageTrigger")
-	proto.RegisterType((*DeploymentCondition)(nil), "github.com.openshift.api.apps.v1.DeploymentCondition")
-	proto.RegisterType((*DeploymentConfig)(nil), "github.com.openshift.api.apps.v1.DeploymentConfig")
-	proto.RegisterType((*DeploymentConfigList)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigList")
-	proto.RegisterType((*DeploymentConfigRollback)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigRollback")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigRollback.UpdatedAnnotationsEntry")
-	proto.RegisterType((*DeploymentConfigRollbackSpec)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigRollbackSpec")
-	proto.RegisterType((*DeploymentConfigSpec)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigSpec")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigSpec.SelectorEntry")
-	proto.RegisterType((*DeploymentConfigStatus)(nil), "github.com.openshift.api.apps.v1.DeploymentConfigStatus")
-	proto.RegisterType((*DeploymentDetails)(nil), "github.com.openshift.api.apps.v1.DeploymentDetails")
-	proto.RegisterType((*DeploymentLog)(nil), "github.com.openshift.api.apps.v1.DeploymentLog")
-	proto.RegisterType((*DeploymentLogOptions)(nil), "github.com.openshift.api.apps.v1.DeploymentLogOptions")
-	proto.RegisterType((*DeploymentRequest)(nil), "github.com.openshift.api.apps.v1.DeploymentRequest")
-	proto.RegisterType((*DeploymentStrategy)(nil), "github.com.openshift.api.apps.v1.DeploymentStrategy")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.apps.v1.DeploymentStrategy.AnnotationsEntry")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.apps.v1.DeploymentStrategy.LabelsEntry")
-	proto.RegisterType((*DeploymentTriggerImageChangeParams)(nil), "github.com.openshift.api.apps.v1.DeploymentTriggerImageChangeParams")
-	proto.RegisterType((*DeploymentTriggerPolicies)(nil), "github.com.openshift.api.apps.v1.DeploymentTriggerPolicies")
-	proto.RegisterType((*DeploymentTriggerPolicy)(nil), "github.com.openshift.api.apps.v1.DeploymentTriggerPolicy")
-	proto.RegisterType((*ExecNewPodHook)(nil), "github.com.openshift.api.apps.v1.ExecNewPodHook")
-	proto.RegisterType((*LifecycleHook)(nil), "github.com.openshift.api.apps.v1.LifecycleHook")
-	proto.RegisterType((*RecreateDeploymentStrategyParams)(nil), "github.com.openshift.api.apps.v1.RecreateDeploymentStrategyParams")
-	proto.RegisterType((*RollingDeploymentStrategyParams)(nil), "github.com.openshift.api.apps.v1.RollingDeploymentStrategyParams")
-	proto.RegisterType((*TagImageHook)(nil), "github.com.openshift.api.apps.v1.TagImageHook")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/apps/v1/generated.proto", fileDescriptor_8f1b1bee37da74c1)
-}
-
-var fileDescriptor_8f1b1bee37da74c1 = []byte{
-	// 2523 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x5a, 0xcd, 0x6f, 0x1c, 0x49,
-	0x15, 0x77, 0x7b, 0x66, 0xec, 0x99, 0xe7, 0xaf, 0xb8, 0x9c, 0x8f, 0x59, 0x2f, 0xf2, 0x58, 0xb3,
-	0xda, 0xc5, 0xc0, 0x32, 0xb3, 0xf1, 0x86, 0xd5, 0x26, 0xd1, 0x2e, 0x78, 0x1c, 0x67, 0xd7, 0xd1,
-	0x38, 0x31, 0x65, 0x27, 0x21, 0x11, 0x82, 0x94, 0x7b, 0xca, 0xe3, 0x5a, 0x77, 0x77, 0x0d, 0xdd,
-	0x35, 0x93, 0x0c, 0x42, 0x68, 0x2f, 0x20, 0x21, 0xed, 0x81, 0x23, 0x5c, 0x10, 0x07, 0xae, 0x20,
-	0x0e, 0xdc, 0x11, 0x07, 0xa4, 0x1c, 0x40, 0x5a, 0x09, 0x09, 0x56, 0x08, 0x59, 0x1b, 0x73, 0xe3,
-	0x4f, 0xc8, 0x09, 0xd5, 0x47, 0x7f, 0xcd, 0x47, 0xec, 0x71, 0x72, 0x73, 0xbf, 0x8f, 0xdf, 0x7b,
-	0xf5, 0xea, 0xbd, 0x57, 0xaf, 0x6a, 0x0c, 0xef, 0x34, 0x99, 0x38, 0x68, 0xef, 0x55, 0x6c, 0xee,
-	0x56, 0x79, 0x8b, 0x7a, 0xc1, 0x01, 0xdb, 0x17, 0x55, 0xd2, 0x62, 0x55, 0xd2, 0x6a, 0x05, 0xd5,
-	0xce, 0xe5, 0x6a, 0x93, 0x7a, 0xd4, 0x27, 0x82, 0x36, 0x2a, 0x2d, 0x9f, 0x0b, 0x8e, 0x96, 0x63,
-	0x8d, 0x4a, 0xa4, 0x51, 0x21, 0x2d, 0x56, 0x91, 0x1a, 0x95, 0xce, 0xe5, 0xc5, 0x6f, 0x26, 0x30,
-	0x9b, 0xbc, 0xc9, 0xab, 0x4a, 0x71, 0xaf, 0xbd, 0xaf, 0xbe, 0xd4, 0x87, 0xfa, 0x4b, 0x03, 0x2e,
-	0x96, 0x0f, 0xdf, 0x0f, 0x2a, 0x8c, 0x2b, 0xa3, 0x36, 0xf7, 0xe9, 0x00, 0xa3, 0x8b, 0x57, 0x62,
-	0x19, 0x97, 0xd8, 0x07, 0xcc, 0xa3, 0x7e, 0xb7, 0xda, 0x3a, 0x6c, 0x4a, 0x42, 0x50, 0x75, 0xa9,
-	0x20, 0x83, 0xb4, 0xde, 0x1b, 0xa6, 0xe5, 0xb7, 0x3d, 0xc1, 0x5c, 0x5a, 0x0d, 0xec, 0x03, 0xea,
-	0x92, 0x3e, 0xbd, 0x77, 0x87, 0xe9, 0xb5, 0x05, 0x73, 0xaa, 0xcc, 0x13, 0x81, 0xf0, 0x7b, 0x95,
-	0xca, 0x7f, 0xb6, 0x60, 0x69, 0xbd, 0x1d, 0x08, 0xee, 0xde, 0xa0, 0x2d, 0x87, 0x77, 0x5d, 0xea,
-	0x89, 0x1d, 0x21, 0x25, 0x9a, 0xdd, 0x6d, 0xe2, 0x13, 0x37, 0x40, 0x6f, 0x40, 0x8e, 0xb9, 0xa4,
-	0x49, 0x8b, 0xd6, 0xb2, 0xb5, 0x52, 0xa8, 0xcd, 0x3c, 0x3d, 0x2a, 0x8d, 0x1d, 0x1f, 0x95, 0x72,
-	0x9b, 0x92, 0x88, 0x35, 0x0f, 0x7d, 0x17, 0xa6, 0xa8, 0xd7, 0x61, 0x3e, 0xf7, 0x24, 0x42, 0x71,
-	0x7c, 0x39, 0xb3, 0x32, 0xb5, 0xba, 0x58, 0xd1, 0x2e, 0xa9, 0x38, 0xcb, 0x20, 0x55, 0x3a, 0x97,
-	0x2b, 0x1b, 0x5e, 0xe7, 0x1e, 0xf1, 0x6b, 0x0b, 0x06, 0x66, 0x6a, 0x23, 0x56, 0xc3, 0x49, 0x0c,
-	0xf4, 0x26, 0x4c, 0xda, 0xdc, 0x75, 0x89, 0xd7, 0x28, 0x66, 0x96, 0x33, 0x2b, 0x85, 0xda, 0xd4,
-	0xf1, 0x51, 0x69, 0x72, 0x5d, 0x93, 0x70, 0xc8, 0x2b, 0xff, 0xc5, 0x82, 0xb9, 0xd8, 0xf7, 0x75,
-	0xd2, 0x0e, 0x28, 0xba, 0x0a, 0x59, 0xd1, 0x6d, 0x85, 0x1e, 0xbf, 0x69, 0x4c, 0x65, 0x77, 0xbb,
-	0x2d, 0xfa, 0xfc, 0xa8, 0x74, 0x21, 0x16, 0xdf, 0xf5, 0x59, 0xb3, 0x49, 0x7d, 0xc9, 0xc0, 0x4a,
-	0x05, 0x05, 0x30, 0xad, 0x56, 0x64, 0x38, 0xc5, 0xf1, 0x65, 0x6b, 0x65, 0x6a, 0xf5, 0x83, 0xca,
-	0x49, 0xf9, 0x53, 0xe9, 0xf1, 0x61, 0x33, 0x01, 0x52, 0x3b, 0x77, 0x7c, 0x54, 0x9a, 0x4e, 0x52,
-	0x70, 0xca, 0x48, 0xb9, 0x01, 0xaf, 0xbf, 0x40, 0x1d, 0x6d, 0x40, 0x76, 0xdf, 0xe7, 0xae, 0x5a,
-	0xce, 0xd4, 0xea, 0x1b, 0x83, 0xa2, 0x7a, 0x67, 0xef, 0x13, 0x6a, 0x0b, 0x4c, 0xf7, 0xa9, 0x4f,
-	0x3d, 0x9b, 0xd6, 0xa6, 0xc3, 0x35, 0xdf, 0xf4, 0xb9, 0x8b, 0x95, 0x7a, 0xf9, 0x5f, 0x19, 0x58,
-	0x48, 0x98, 0xe1, 0x5e, 0x83, 0x09, 0xc6, 0x3d, 0x74, 0x3d, 0x15, 0xad, 0xaf, 0xf6, 0x44, 0xeb,
-	0xd2, 0x00, 0x95, 0x44, 0xbc, 0xea, 0x30, 0x11, 0x08, 0x22, 0xda, 0x81, 0x8a, 0x54, 0xa1, 0x76,
-	0xc5, 0xa8, 0x4f, 0xec, 0x28, 0xea, 0xf3, 0xa3, 0xd2, 0x80, 0x4a, 0xa9, 0x44, 0x48, 0x5a, 0x0a,
-	0x1b, 0x0c, 0xf4, 0x09, 0xcc, 0x3a, 0x24, 0x10, 0x77, 0x5b, 0x0d, 0x22, 0xe8, 0x2e, 0x73, 0x69,
-	0x71, 0x42, 0xad, 0xf9, 0xeb, 0x89, 0x35, 0x47, 0xc9, 0x5d, 0x69, 0x1d, 0x36, 0x25, 0x21, 0xa8,
-	0xc8, 0x52, 0x92, 0x51, 0x90, 0x1a, 0xb5, 0x8b, 0xc6, 0x83, 0xd9, 0x7a, 0x0a, 0x09, 0xf7, 0x20,
-	0xa3, 0x0e, 0x20, 0x49, 0xd9, 0xf5, 0x89, 0x17, 0xe8, 0x55, 0x49, 0x7b, 0x99, 0x91, 0xed, 0x2d,
-	0x1a, 0x7b, 0xa8, 0xde, 0x87, 0x86, 0x07, 0x58, 0x40, 0x6f, 0xc1, 0x84, 0x4f, 0x49, 0xc0, 0xbd,
-	0x62, 0x56, 0x45, 0x6c, 0x36, 0x8c, 0x18, 0x56, 0x54, 0x6c, 0xb8, 0xe8, 0x6b, 0x30, 0xe9, 0xd2,
-	0x20, 0x90, 0x95, 0x97, 0x53, 0x82, 0x73, 0x46, 0x70, 0x72, 0x4b, 0x93, 0x71, 0xc8, 0x2f, 0xff,
-	0x71, 0x1c, 0xce, 0xa5, 0xb6, 0x69, 0x9f, 0x35, 0xd1, 0x23, 0xc8, 0x4b, 0x3f, 0x1b, 0x44, 0x10,
-	0x93, 0x39, 0xef, 0x9c, 0x6e, 0x55, 0x3a, 0x97, 0xb6, 0xa8, 0x20, 0x35, 0x64, 0x4c, 0x42, 0x4c,
-	0xc3, 0x11, 0x2a, 0xfa, 0x1e, 0x64, 0x83, 0x16, 0xb5, 0x4d, 0x8d, 0xbc, 0x37, 0x52, 0x8d, 0x28,
-	0x1f, 0x77, 0x5a, 0xd4, 0x8e, 0x53, 0x55, 0x7e, 0x61, 0x85, 0x88, 0x1e, 0x45, 0x59, 0xa5, 0xf7,
-	0xe3, 0xfd, 0x33, 0x60, 0x2b, 0xfd, 0x38, 0xba, 0xe9, 0x4c, 0x2b, 0xff, 0xdd, 0x82, 0xf3, 0xbd,
-	0x2a, 0x75, 0x16, 0x08, 0xf4, 0xfd, 0xbe, 0xb0, 0x55, 0x4e, 0x17, 0x36, 0xa9, 0xad, 0x82, 0x76,
-	0xce, 0x98, 0xcc, 0x87, 0x94, 0x44, 0xc8, 0xee, 0x43, 0x8e, 0x09, 0xea, 0x06, 0xa6, 0x43, 0xae,
-	0x8e, 0xbe, 0xae, 0x44, 0x03, 0x96, 0x40, 0x58, 0xe3, 0x95, 0x7f, 0x9e, 0x81, 0x62, 0xaf, 0x28,
-	0xe6, 0x8e, 0xb3, 0x47, 0xec, 0x43, 0xb4, 0x0c, 0x59, 0x8f, 0xb8, 0x61, 0x85, 0x47, 0x01, 0xbf,
-	0x4d, 0x5c, 0x8a, 0x15, 0x07, 0xfd, 0xc6, 0x02, 0xd4, 0x56, 0xb5, 0xd1, 0x58, 0xf3, 0x3c, 0x2e,
-	0x88, 0x4c, 0xd7, 0xd0, 0x4b, 0x3c, 0xba, 0x97, 0xa1, 0xe9, 0xca, 0xdd, 0x3e, 0xd0, 0x0d, 0x4f,
-	0xf8, 0xdd, 0xb8, 0x6a, 0xfa, 0x05, 0xf0, 0x00, 0x4f, 0xd0, 0x23, 0x93, 0x6b, 0x3a, 0x1f, 0x3e,
-	0x3c, 0xbb, 0x47, 0xc3, 0x72, 0x6e, 0x71, 0x03, 0x2e, 0x0d, 0x71, 0x16, 0x9d, 0x83, 0xcc, 0x21,
-	0xed, 0xea, 0xf0, 0x61, 0xf9, 0x27, 0x3a, 0x0f, 0xb9, 0x0e, 0x71, 0xda, 0x54, 0x77, 0x3d, 0xac,
-	0x3f, 0xae, 0x8d, 0xbf, 0x6f, 0x95, 0xff, 0x94, 0x81, 0xaf, 0xbc, 0xc8, 0xf6, 0x2b, 0xea, 0xe6,
-	0xe8, 0x6d, 0xc8, 0xfb, 0xb4, 0xc3, 0x02, 0xc6, 0x3d, 0xe5, 0x44, 0x26, 0xce, 0x3b, 0x6c, 0xe8,
-	0x38, 0x92, 0x40, 0x6b, 0x30, 0xc7, 0x3c, 0xdb, 0x69, 0x37, 0xc2, 0x43, 0x45, 0x57, 0x56, 0xbe,
-	0x76, 0xc9, 0x28, 0xcd, 0x6d, 0xa6, 0xd9, 0xb8, 0x57, 0x3e, 0x09, 0x41, 0xdd, 0x96, 0x43, 0x04,
-	0x55, 0x0d, 0x6c, 0x00, 0x84, 0x61, 0xe3, 0x5e, 0x79, 0x74, 0x0f, 0x2e, 0x1a, 0x12, 0xa6, 0x2d,
-	0x87, 0xd9, 0x2a, 0xc6, 0xb2, 0x42, 0x54, 0x87, 0xcb, 0xd7, 0x96, 0x0c, 0xd2, 0xc5, 0xcd, 0x81,
-	0x52, 0x78, 0x88, 0x76, 0xc2, 0xb5, 0x70, 0x76, 0x51, 0xe7, 0x46, 0xbf, 0x6b, 0x21, 0x1b, 0xf7,
-	0xca, 0x97, 0xff, 0x97, 0xeb, 0xef, 0x07, 0x6a, 0xbb, 0xf6, 0x20, 0x1f, 0x84, 0xa0, 0x7a, 0xcb,
-	0xae, 0x8c, 0x92, 0x7c, 0xa1, 0x81, 0x78, 0x77, 0x22, 0x1f, 0x22, 0x5c, 0xe9, 0xbf, 0xcb, 0x3c,
-	0x4c, 0x49, 0xa3, 0xbb, 0x43, 0x6d, 0xee, 0x35, 0x82, 0x62, 0x61, 0xd9, 0x5a, 0xc9, 0xc5, 0xfe,
-	0x6f, 0xa5, 0xd9, 0xb8, 0x57, 0x1e, 0x51, 0xc8, 0x8b, 0x70, 0x67, 0x75, 0x3f, 0xbe, 0x3e, 0x8a,
-	0x9b, 0x66, 0x97, 0xb7, 0xb9, 0xc3, 0x6c, 0x46, 0x83, 0xda, 0xb4, 0xf4, 0x34, 0xca, 0x85, 0x08,
-	0x5a, 0x67, 0x9d, 0x0a, 0xbe, 0x4e, 0xa0, 0x5c, 0x32, 0xeb, 0x34, 0x1d, 0x47, 0x12, 0xa8, 0x0e,
-	0xe7, 0xc3, 0x0c, 0xfc, 0x98, 0x05, 0x82, 0xfb, 0xdd, 0x3a, 0x73, 0x99, 0x50, 0x79, 0x93, 0xab,
-	0x15, 0x8f, 0x8f, 0x4a, 0xe7, 0xf1, 0x00, 0x3e, 0x1e, 0xa8, 0x25, 0xbb, 0x98, 0xa0, 0x81, 0x30,
-	0xb9, 0x12, 0xd5, 0xc4, 0x2e, 0x0d, 0x04, 0x56, 0x1c, 0x79, 0xb4, 0xb6, 0xe4, 0xf4, 0xd4, 0x30,
-	0xdb, 0x1f, 0x35, 0xff, 0x6d, 0x45, 0xc5, 0x86, 0x8b, 0x7c, 0xc8, 0x07, 0xd4, 0xa1, 0xb6, 0xe0,
-	0x7e, 0x71, 0x52, 0xb5, 0xb8, 0x1b, 0x67, 0x3b, 0xbc, 0x2a, 0x3b, 0x06, 0x46, 0x37, 0xb5, 0x78,
-	0x8f, 0x0d, 0x19, 0x47, 0x76, 0xd0, 0x16, 0xe4, 0x45, 0x58, 0x37, 0xf9, 0xe1, 0xa5, 0xbf, 0xcd,
-	0x1b, 0x61, 0xb9, 0xe8, 0x4e, 0xa5, 0x36, 0x22, 0xac, 0xa8, 0x08, 0x62, 0xf1, 0x3a, 0xcc, 0xa4,
-	0x6c, 0x8f, 0xd4, 0xa3, 0xfe, 0x90, 0x83, 0x8b, 0x83, 0xcf, 0x4b, 0x74, 0x1d, 0x66, 0x24, 0x7e,
-	0x20, 0xee, 0x51, 0x5f, 0xf5, 0x16, 0x4b, 0xf5, 0x96, 0x0b, 0x66, 0x65, 0x33, 0xf5, 0x24, 0x13,
-	0xa7, 0x65, 0xd1, 0x2d, 0x40, 0x7c, 0x2f, 0xa0, 0x7e, 0x87, 0x36, 0x3e, 0xd2, 0x17, 0x8d, 0xb8,
-	0x3b, 0x45, 0x0d, 0xff, 0x4e, 0x9f, 0x04, 0x1e, 0xa0, 0x35, 0x62, 0xa6, 0xad, 0xc1, 0x9c, 0x39,
-	0x34, 0x42, 0xa6, 0x49, 0xb2, 0xa8, 0x82, 0xee, 0xa6, 0xd9, 0xb8, 0x57, 0x1e, 0x7d, 0x04, 0xf3,
-	0xa4, 0x43, 0x98, 0x43, 0xf6, 0x1c, 0x1a, 0x81, 0xe4, 0x14, 0xc8, 0x6b, 0x06, 0x64, 0x7e, 0xad,
-	0x57, 0x00, 0xf7, 0xeb, 0xa0, 0x2d, 0x58, 0x68, 0x7b, 0xfd, 0x50, 0x13, 0x0a, 0xea, 0x75, 0x03,
-	0xb5, 0x70, 0xb7, 0x5f, 0x04, 0x0f, 0xd2, 0x43, 0x0f, 0x61, 0xb2, 0x41, 0x05, 0x61, 0x4e, 0x50,
-	0x9c, 0x54, 0x79, 0xf3, 0xee, 0x28, 0xb9, 0x7a, 0x43, 0xab, 0xea, 0xcb, 0x93, 0xf9, 0xc0, 0x21,
-	0x20, 0x62, 0x00, 0x76, 0x38, 0x8a, 0x07, 0xc5, 0xbc, 0x2a, 0x85, 0x6f, 0x8d, 0x58, 0x0a, 0x5a,
-	0x3b, 0x1e, 0x15, 0x23, 0x52, 0x80, 0x13, 0xe0, 0x32, 0xb1, 0x7c, 0xd9, 0xb0, 0xa2, 0x78, 0xe8,
-	0x0e, 0x17, 0x25, 0x16, 0x4e, 0x32, 0x71, 0x5a, 0xb6, 0xfc, 0x6b, 0x0b, 0xe6, 0xfb, 0xd6, 0x94,
-	0x9c, 0x90, 0xad, 0x17, 0x4f, 0xc8, 0xe8, 0x01, 0x4c, 0xd8, 0xb2, 0xf6, 0xc3, 0x91, 0xe6, 0xf2,
-	0xc8, 0x17, 0xba, 0xb8, 0x99, 0xa8, 0xcf, 0x00, 0x1b, 0xc0, 0xf2, 0x1c, 0xcc, 0xc4, 0xa2, 0x75,
-	0xde, 0x2c, 0x7f, 0x96, 0x4d, 0x1e, 0x25, 0x75, 0xde, 0xbc, 0xd3, 0xd2, 0x21, 0xa8, 0x42, 0xc1,
-	0xe6, 0x9e, 0x20, 0x72, 0x80, 0x34, 0x1e, 0xcf, 0x1b, 0xd0, 0xc2, 0x7a, 0xc8, 0xc0, 0xb1, 0x8c,
-	0xec, 0x67, 0xfb, 0xdc, 0x71, 0xf8, 0x63, 0x55, 0x43, 0x89, 0x7e, 0x76, 0x53, 0x51, 0xb1, 0xe1,
-	0xca, 0x5a, 0x69, 0xc9, 0x96, 0xc9, 0xdb, 0xe1, 0xb1, 0x1e, 0xd5, 0xca, 0xb6, 0xa1, 0xe3, 0x48,
-	0x02, 0x5d, 0x81, 0xe9, 0x80, 0x79, 0x36, 0x0d, 0x8f, 0x9a, 0xac, 0x9e, 0x1e, 0xe4, 0x1d, 0x75,
-	0x27, 0x41, 0xc7, 0x29, 0x29, 0x74, 0x1f, 0x0a, 0xea, 0x5b, 0xdd, 0x92, 0x72, 0x23, 0xdf, 0x92,
-	0x66, 0xe4, 0x22, 0x77, 0x42, 0x00, 0x1c, 0x63, 0xa1, 0x55, 0x00, 0xc1, 0x5c, 0x1a, 0x08, 0xe2,
-	0xb6, 0x02, 0xd3, 0xb8, 0xa3, 0x64, 0xda, 0x8d, 0x38, 0x38, 0x21, 0x85, 0xbe, 0x01, 0x05, 0x99,
-	0x02, 0x75, 0xe6, 0x51, 0x5d, 0x15, 0x19, 0x6d, 0x60, 0x37, 0x24, 0xe2, 0x98, 0x8f, 0x2a, 0x00,
-	0x8e, 0x3c, 0x40, 0x6a, 0x5d, 0x41, 0x03, 0xd5, 0x7b, 0x33, 0xb5, 0x59, 0x09, 0x5e, 0x8f, 0xa8,
-	0x38, 0x21, 0x21, 0xa3, 0xee, 0xf1, 0xc7, 0x84, 0x09, 0x95, 0xa2, 0x89, 0xa8, 0xdf, 0xe6, 0xf7,
-	0x09, 0x13, 0xd8, 0x70, 0xd1, 0x9b, 0x30, 0xd9, 0x31, 0x4d, 0x12, 0x14, 0xa8, 0xaa, 0xb1, 0xb0,
-	0x35, 0x86, 0xbc, 0xf2, 0xbf, 0x53, 0xb9, 0x8b, 0xe9, 0x8f, 0xda, 0xf2, 0xa8, 0x3a, 0x79, 0x24,
-	0x7f, 0x0b, 0x26, 0x74, 0x77, 0xed, 0xdd, 0x7c, 0xdd, 0x82, 0xb1, 0xe1, 0xa2, 0x37, 0x20, 0xb7,
-	0xcf, 0x7d, 0x9b, 0x9a, 0x9d, 0x8f, 0xae, 0x07, 0x37, 0x25, 0x11, 0x6b, 0x1e, 0xba, 0x07, 0x73,
-	0xf4, 0x49, 0x7a, 0xfe, 0xcb, 0xaa, 0x47, 0x95, 0xb7, 0x65, 0x6f, 0xdc, 0x48, 0xb3, 0x86, 0xbf,
-	0x91, 0xf4, 0x82, 0x94, 0xff, 0x31, 0x09, 0xa8, 0x7f, 0xd8, 0x41, 0xd7, 0x52, 0x4f, 0x0a, 0x6f,
-	0xf5, 0x3c, 0x29, 0x5c, 0xec, 0xd7, 0x48, 0xbc, 0x28, 0x74, 0x60, 0xda, 0x56, 0x2f, 0x52, 0xfa,
-	0xfd, 0xc9, 0x4c, 0x33, 0xdf, 0x39, 0xb9, 0x60, 0x5f, 0xfc, 0x8e, 0xa5, 0x13, 0x7c, 0x3d, 0x81,
-	0x8c, 0x53, 0x76, 0xd0, 0x4f, 0x61, 0xd6, 0xa7, 0xb6, 0x4f, 0x89, 0xa0, 0xc6, 0xb2, 0xbe, 0x6b,
-	0xd4, 0x4e, 0xb6, 0x8c, 0x8d, 0xde, 0x50, 0xdb, 0xe8, 0xf8, 0xa8, 0x34, 0x8b, 0x53, 0xe8, 0xb8,
-	0xc7, 0x1a, 0xfa, 0x31, 0xcc, 0xf8, 0xdc, 0x71, 0x98, 0xd7, 0x34, 0xe6, 0xb3, 0xca, 0xfc, 0xda,
-	0x29, 0xcc, 0x6b, 0xb5, 0xa1, 0xd6, 0xe7, 0x55, 0x7f, 0x4d, 0x62, 0xe3, 0xb4, 0x29, 0xf4, 0x00,
-	0x0a, 0x3e, 0x0d, 0x78, 0xdb, 0xb7, 0x69, 0x60, 0x8a, 0x7b, 0x65, 0xd0, 0x74, 0x82, 0x8d, 0x90,
-	0xcc, 0x62, 0xe6, 0x53, 0x69, 0x2b, 0x88, 0x7b, 0x58, 0xc8, 0x0d, 0x70, 0x8c, 0x86, 0x0e, 0x64,
-	0x1a, 0xef, 0x51, 0x47, 0x96, 0x76, 0xe6, 0x74, 0x1b, 0xd9, 0xbf, 0x90, 0x4a, 0x5d, 0x41, 0xe8,
-	0x29, 0x2b, 0x51, 0x08, 0x92, 0x88, 0x0d, 0x3e, 0xfa, 0x09, 0x4c, 0x91, 0xc4, 0xdd, 0x55, 0x0f,
-	0x76, 0x1b, 0x67, 0x32, 0xd7, 0x77, 0x5d, 0x8d, 0x9e, 0x2b, 0x93, 0xf7, 0xd4, 0xa4, 0x39, 0x74,
-	0x07, 0x2e, 0x10, 0x5b, 0xb0, 0x0e, 0xbd, 0x41, 0x49, 0xc3, 0x61, 0x5e, 0xd4, 0x5e, 0x75, 0xc3,
-	0x79, 0xed, 0xf8, 0xa8, 0x74, 0x61, 0x6d, 0x90, 0x00, 0x1e, 0xac, 0xb7, 0x78, 0x15, 0xa6, 0x12,
-	0xab, 0x1e, 0x65, 0xbe, 0x5b, 0xfc, 0x10, 0xce, 0xbd, 0xd4, 0x1d, 0xf6, 0x77, 0xe3, 0x50, 0xee,
-	0x6b, 0x00, 0xea, 0x49, 0x72, 0xfd, 0x80, 0x78, 0xcd, 0x30, 0x63, 0xab, 0x50, 0x20, 0x6d, 0xc1,
-	0x5d, 0x22, 0x98, 0xad, 0x80, 0xf3, 0x71, 0x2e, 0xac, 0x85, 0x0c, 0x1c, 0xcb, 0xa0, 0x6b, 0x30,
-	0x1b, 0x1d, 0x6e, 0xb2, 0xd3, 0xe9, 0xd3, 0xb8, 0xa0, 0xcb, 0x63, 0x3d, 0xc5, 0xc1, 0x3d, 0x92,
-	0xd1, 0xb5, 0x39, 0xf3, 0x72, 0xd7, 0xe6, 0x5b, 0xe1, 0xab, 0x9f, 0x5a, 0x13, 0x6d, 0xa8, 0x55,
-	0x99, 0x97, 0xb8, 0x9e, 0x97, 0xbc, 0xa4, 0x04, 0x1e, 0xa0, 0x55, 0xfe, 0x99, 0x05, 0xaf, 0x0d,
-	0xbd, 0x42, 0xa1, 0x1f, 0x84, 0x4f, 0x3d, 0x96, 0x4a, 0xc4, 0xab, 0x67, 0xbd, 0x8e, 0x75, 0x07,
-	0xbf, 0xf8, 0x5c, 0xcb, 0xff, 0xea, 0xb7, 0xa5, 0xb1, 0x4f, 0xff, 0xb3, 0x3c, 0x56, 0xfe, 0xd2,
-	0x82, 0x4b, 0x43, 0x74, 0x5f, 0xe6, 0x29, 0xfc, 0x17, 0x16, 0xcc, 0xb3, 0xde, 0x4d, 0x37, 0xed,
-	0xf8, 0xc6, 0x19, 0x56, 0xd3, 0x97, 0x40, 0xb5, 0x0b, 0x72, 0xa6, 0xee, 0x23, 0xe3, 0x7e, 0xab,
-	0xe5, 0x7f, 0x5a, 0x30, 0xbb, 0xf1, 0x84, 0xda, 0xb7, 0xe9, 0xe3, 0x6d, 0xde, 0xf8, 0x98, 0xf3,
-	0xc3, 0xe4, 0xef, 0x03, 0xd6, 0xf0, 0xdf, 0x07, 0xd0, 0x55, 0xc8, 0x50, 0xaf, 0x73, 0x8a, 0x5f,
-	0x24, 0xa6, 0x4c, 0x6c, 0x32, 0x1b, 0x5e, 0x07, 0x4b, 0x1d, 0x39, 0xb2, 0xa6, 0x92, 0x50, 0xe5,
-	0x5e, 0x21, 0x1e, 0x59, 0x53, 0x19, 0x8b, 0xd3, 0xb2, 0x6a, 0x3a, 0xe0, 0x4e, 0x5b, 0x26, 0x79,
-	0x36, 0x76, 0xef, 0x9e, 0x26, 0xe1, 0x90, 0x57, 0xfe, 0xfd, 0x38, 0xcc, 0xd4, 0xd9, 0x3e, 0xb5,
-	0xbb, 0xb6, 0x43, 0xd5, 0xba, 0x1e, 0xc0, 0xcc, 0x3e, 0x61, 0x4e, 0xdb, 0xa7, 0x7a, 0x0b, 0xcd,
-	0xd6, 0xbd, 0x1b, 0x5a, 0xbd, 0x99, 0x64, 0x3e, 0x3f, 0x2a, 0x2d, 0xa6, 0xd4, 0x53, 0x5c, 0x9c,
-	0x46, 0x42, 0x8f, 0x00, 0x68, 0x14, 0x44, 0xb3, 0x93, 0xef, 0x9c, 0xbc, 0x93, 0xe9, 0xc0, 0xeb,
-	0xd9, 0x29, 0xa6, 0xe1, 0x04, 0x26, 0xfa, 0xa1, 0x1c, 0xcc, 0x9a, 0x6a, 0x4b, 0x03, 0xf5, 0xb3,
-	0xcd, 0xd4, 0x6a, 0xe5, 0x64, 0x03, 0xbb, 0x46, 0x45, 0xc1, 0x47, 0x2d, 0x24, 0xa4, 0xaa, 0x61,
-	0xce, 0xfc, 0x59, 0xfe, 0xeb, 0x38, 0x2c, 0x9f, 0x74, 0xdc, 0xca, 0x3e, 0x23, 0x87, 0x45, 0xde,
-	0x16, 0x61, 0x13, 0xd6, 0xb7, 0x58, 0xd5, 0x67, 0x76, 0x53, 0x1c, 0xdc, 0x23, 0x89, 0x6e, 0x41,
-	0xa6, 0xe5, 0x53, 0x13, 0x9c, 0xea, 0xc9, 0xbe, 0xa7, 0xa2, 0x5f, 0x9b, 0x94, 0x09, 0xb4, 0xed,
-	0x53, 0x2c, 0x41, 0x24, 0x96, 0xcb, 0x1a, 0xa6, 0x65, 0x9d, 0x0d, 0x6b, 0x8b, 0x35, 0xb0, 0x04,
-	0x41, 0x5b, 0x90, 0x6d, 0xf1, 0x40, 0x98, 0xa9, 0x60, 0x64, 0xb0, 0xbc, 0xac, 0xfa, 0x6d, 0x1e,
-	0x08, 0xac, 0x60, 0xca, 0x7f, 0xcb, 0x42, 0xe9, 0x84, 0xb9, 0x01, 0x6d, 0xc2, 0x82, 0xbe, 0x24,
-	0x6f, 0x53, 0x9f, 0xf1, 0x46, 0x3a, 0x96, 0x97, 0xd4, 0x25, 0xb6, 0x9f, 0x8d, 0x07, 0xe9, 0xa0,
-	0x0f, 0x60, 0x8e, 0x79, 0x82, 0xfa, 0x1d, 0xe2, 0x84, 0x30, 0xfa, 0x59, 0x60, 0x41, 0xbf, 0xce,
-	0xa5, 0x58, 0xb8, 0x57, 0x76, 0xc0, 0x86, 0x66, 0x4e, 0xbd, 0xa1, 0x0e, 0xcc, 0xba, 0xe4, 0x49,
-	0xe2, 0xba, 0x6d, 0x42, 0x38, 0xfc, 0xd7, 0x90, 0xb6, 0x60, 0x4e, 0x45, 0xff, 0x60, 0x5a, 0xd9,
-	0xf4, 0xc4, 0x1d, 0x7f, 0x47, 0xf8, 0xcc, 0x6b, 0x6a, 0x6b, 0x5b, 0x29, 0x2c, 0xdc, 0x83, 0x8d,
-	0x1e, 0x42, 0xde, 0x25, 0x4f, 0x76, 0xda, 0x7e, 0x33, 0xbc, 0x25, 0x8d, 0x6e, 0x47, 0xbd, 0xf9,
-	0x6c, 0x19, 0x14, 0x1c, 0xe1, 0x85, 0xa9, 0x39, 0xf9, 0x2a, 0x52, 0x33, 0x4c, 0xa7, 0xfc, 0xab,
-	0x49, 0xa7, 0xcf, 0x2c, 0x98, 0x4e, 0x56, 0x71, 0x7f, 0xef, 0xb4, 0x46, 0xe8, 0x9d, 0xdf, 0x86,
-	0x71, 0xc1, 0x4d, 0x09, 0x9e, 0xea, 0xa4, 0x07, 0x03, 0x3b, 0xbe, 0xcb, 0xf1, 0xb8, 0xe0, 0xb5,
-	0x9b, 0x4f, 0x9f, 0x2d, 0x8d, 0x7d, 0xfe, 0x6c, 0x69, 0xec, 0x8b, 0x67, 0x4b, 0x63, 0x9f, 0x1e,
-	0x2f, 0x59, 0x4f, 0x8f, 0x97, 0xac, 0xcf, 0x8f, 0x97, 0xac, 0x2f, 0x8e, 0x97, 0xac, 0x2f, 0x8f,
-	0x97, 0xac, 0x5f, 0xfe, 0x77, 0x69, 0xec, 0xe1, 0xf2, 0x49, 0xff, 0x46, 0xf0, 0xff, 0x00, 0x00,
-	0x00, 0xff, 0xff, 0x5e, 0x3a, 0xd7, 0x70, 0x69, 0x20, 0x00, 0x00,
-}
+func (m *TagImageHook) Reset() { *m = TagImageHook{} }
 
 func (m *CustomDeploymentStrategyParams) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1195,7 +388,7 @@ func (m *DeploymentConfigRollback) MarshalToSizedBuffer(dAtA []byte) (int, error
 		for k := range m.UpdatedAnnotations {
 			keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+		sort.Strings(keysForUpdatedAnnotations)
 		for iNdEx := len(keysForUpdatedAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.UpdatedAnnotations[string(keysForUpdatedAnnotations[iNdEx])]
 			baseI := i
@@ -1330,7 +523,7 @@ func (m *DeploymentConfigSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Selector {
 			keysForSelector = append(keysForSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		sort.Strings(keysForSelector)
 		for iNdEx := len(keysForSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Selector[string(keysForSelector[iNdEx])]
 			baseI := i
@@ -1708,7 +901,7 @@ func (m *DeploymentStrategy) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Annotations {
 			keysForAnnotations = append(keysForAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		sort.Strings(keysForAnnotations)
 		for iNdEx := len(keysForAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Annotations[string(keysForAnnotations[iNdEx])]
 			baseI := i
@@ -1732,7 +925,7 @@ func (m *DeploymentStrategy) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Labels {
 			keysForLabels = append(keysForLabels, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+		sort.Strings(keysForLabels)
 		for iNdEx := len(keysForLabels) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Labels[string(keysForLabels[iNdEx])]
 			baseI := i
@@ -2835,7 +2028,7 @@ func (this *DeploymentConfigRollback) String() string {
 	for k := range this.UpdatedAnnotations {
 		keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+	sort.Strings(keysForUpdatedAnnotations)
 	mapStringForUpdatedAnnotations := "map[string]string{"
 	for _, k := range keysForUpdatedAnnotations {
 		mapStringForUpdatedAnnotations += fmt.Sprintf("%v: %v,", k, this.UpdatedAnnotations[k])
@@ -2872,7 +2065,7 @@ func (this *DeploymentConfigSpec) String() string {
 	for k := range this.Selector {
 		keysForSelector = append(keysForSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	sort.Strings(keysForSelector)
 	mapStringForSelector := "map[string]string{"
 	for _, k := range keysForSelector {
 		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
@@ -2980,7 +2173,7 @@ func (this *DeploymentStrategy) String() string {
 	for k := range this.Labels {
 		keysForLabels = append(keysForLabels, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+	sort.Strings(keysForLabels)
 	mapStringForLabels := "map[string]string{"
 	for _, k := range keysForLabels {
 		mapStringForLabels += fmt.Sprintf("%v: %v,", k, this.Labels[k])
@@ -2990,7 +2183,7 @@ func (this *DeploymentStrategy) String() string {
 	for k := range this.Annotations {
 		keysForAnnotations = append(keysForAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	sort.Strings(keysForAnnotations)
 	mapStringForAnnotations := "map[string]string{"
 	for _, k := range keysForAnnotations {
 		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
diff --git a/vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..55ce7a3d26734
--- /dev/null
+++ b/vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go
@@ -0,0 +1,52 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*CustomDeploymentStrategyParams) ProtoMessage() {}
+
+func (*DeploymentCause) ProtoMessage() {}
+
+func (*DeploymentCauseImageTrigger) ProtoMessage() {}
+
+func (*DeploymentCondition) ProtoMessage() {}
+
+func (*DeploymentConfig) ProtoMessage() {}
+
+func (*DeploymentConfigList) ProtoMessage() {}
+
+func (*DeploymentConfigRollback) ProtoMessage() {}
+
+func (*DeploymentConfigRollbackSpec) ProtoMessage() {}
+
+func (*DeploymentConfigSpec) ProtoMessage() {}
+
+func (*DeploymentConfigStatus) ProtoMessage() {}
+
+func (*DeploymentDetails) ProtoMessage() {}
+
+func (*DeploymentLog) ProtoMessage() {}
+
+func (*DeploymentLogOptions) ProtoMessage() {}
+
+func (*DeploymentRequest) ProtoMessage() {}
+
+func (*DeploymentStrategy) ProtoMessage() {}
+
+func (*DeploymentTriggerImageChangeParams) ProtoMessage() {}
+
+func (*DeploymentTriggerPolicies) ProtoMessage() {}
+
+func (*DeploymentTriggerPolicy) ProtoMessage() {}
+
+func (*ExecNewPodHook) ProtoMessage() {}
+
+func (*LifecycleHook) ProtoMessage() {}
+
+func (*RecreateDeploymentStrategyParams) ProtoMessage() {}
+
+func (*RollingDeploymentStrategyParams) ProtoMessage() {}
+
+func (*TagImageHook) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/authorization/v1/generated.pb.go b/vendor/github.com/openshift/api/authorization/v1/generated.pb.go
index c52cebf07ac09..7db96e17e4d98 100644
--- a/vendor/github.com/openshift/api/authorization/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/authorization/v1/generated.pb.go
@@ -8,1169 +8,84 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	v12 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/rbac/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Action) Reset() { *m = Action{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ClusterRole) Reset() { *m = ClusterRole{} }
 
-func (m *Action) Reset()      { *m = Action{} }
-func (*Action) ProtoMessage() {}
-func (*Action) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{0}
-}
-func (m *Action) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Action) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Action) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Action.Merge(m, src)
-}
-func (m *Action) XXX_Size() int {
-	return m.Size()
-}
-func (m *Action) XXX_DiscardUnknown() {
-	xxx_messageInfo_Action.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Action proto.InternalMessageInfo
-
-func (m *ClusterRole) Reset()      { *m = ClusterRole{} }
-func (*ClusterRole) ProtoMessage() {}
-func (*ClusterRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{1}
-}
-func (m *ClusterRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRole.Merge(m, src)
-}
-func (m *ClusterRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRole proto.InternalMessageInfo
-
-func (m *ClusterRoleBinding) Reset()      { *m = ClusterRoleBinding{} }
-func (*ClusterRoleBinding) ProtoMessage() {}
-func (*ClusterRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{2}
-}
-func (m *ClusterRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBinding.Merge(m, src)
-}
-func (m *ClusterRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBinding proto.InternalMessageInfo
-
-func (m *ClusterRoleBindingList) Reset()      { *m = ClusterRoleBindingList{} }
-func (*ClusterRoleBindingList) ProtoMessage() {}
-func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{3}
-}
-func (m *ClusterRoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleBindingList.Merge(m, src)
-}
-func (m *ClusterRoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleBindingList proto.InternalMessageInfo
-
-func (m *ClusterRoleList) Reset()      { *m = ClusterRoleList{} }
-func (*ClusterRoleList) ProtoMessage() {}
-func (*ClusterRoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{4}
-}
-func (m *ClusterRoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleList.Merge(m, src)
-}
-func (m *ClusterRoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterRoleList proto.InternalMessageInfo
-
-func (m *GroupRestriction) Reset()      { *m = GroupRestriction{} }
-func (*GroupRestriction) ProtoMessage() {}
-func (*GroupRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{5}
-}
-func (m *GroupRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupRestriction.Merge(m, src)
-}
-func (m *GroupRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupRestriction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GroupRestriction proto.InternalMessageInfo
-
-func (m *IsPersonalSubjectAccessReview) Reset()      { *m = IsPersonalSubjectAccessReview{} }
-func (*IsPersonalSubjectAccessReview) ProtoMessage() {}
-func (*IsPersonalSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{6}
-}
-func (m *IsPersonalSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IsPersonalSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IsPersonalSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IsPersonalSubjectAccessReview.Merge(m, src)
-}
-func (m *IsPersonalSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *IsPersonalSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_IsPersonalSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IsPersonalSubjectAccessReview proto.InternalMessageInfo
-
-func (m *LocalResourceAccessReview) Reset()      { *m = LocalResourceAccessReview{} }
-func (*LocalResourceAccessReview) ProtoMessage() {}
-func (*LocalResourceAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{7}
-}
-func (m *LocalResourceAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalResourceAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalResourceAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalResourceAccessReview.Merge(m, src)
-}
-func (m *LocalResourceAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalResourceAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalResourceAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalResourceAccessReview proto.InternalMessageInfo
-
-func (m *LocalSubjectAccessReview) Reset()      { *m = LocalSubjectAccessReview{} }
-func (*LocalSubjectAccessReview) ProtoMessage() {}
-func (*LocalSubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{8}
-}
-func (m *LocalSubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalSubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalSubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalSubjectAccessReview.Merge(m, src)
-}
-func (m *LocalSubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalSubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalSubjectAccessReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LocalSubjectAccessReview proto.InternalMessageInfo
-
-func (m *NamedClusterRole) Reset()      { *m = NamedClusterRole{} }
-func (*NamedClusterRole) ProtoMessage() {}
-func (*NamedClusterRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{9}
-}
-func (m *NamedClusterRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedClusterRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedClusterRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedClusterRole.Merge(m, src)
-}
-func (m *NamedClusterRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedClusterRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedClusterRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamedClusterRole proto.InternalMessageInfo
-
-func (m *NamedClusterRoleBinding) Reset()      { *m = NamedClusterRoleBinding{} }
-func (*NamedClusterRoleBinding) ProtoMessage() {}
-func (*NamedClusterRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{10}
-}
-func (m *NamedClusterRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedClusterRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedClusterRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedClusterRoleBinding.Merge(m, src)
-}
-func (m *NamedClusterRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedClusterRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedClusterRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamedClusterRoleBinding proto.InternalMessageInfo
-
-func (m *NamedRole) Reset()      { *m = NamedRole{} }
-func (*NamedRole) ProtoMessage() {}
-func (*NamedRole) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{11}
-}
-func (m *NamedRole) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedRole) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedRole.Merge(m, src)
-}
-func (m *NamedRole) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedRole) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedRole.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamedRole proto.InternalMessageInfo
-
-func (m *NamedRoleBinding) Reset()      { *m = NamedRoleBinding{} }
-func (*NamedRoleBinding) ProtoMessage() {}
-func (*NamedRoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{12}
-}
-func (m *NamedRoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedRoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedRoleBinding.Merge(m, src)
-}
-func (m *NamedRoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedRoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedRoleBinding.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NamedRoleBinding proto.InternalMessageInfo
-
-func (m *OptionalNames) Reset()      { *m = OptionalNames{} }
-func (*OptionalNames) ProtoMessage() {}
-func (*OptionalNames) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{13}
-}
-func (m *OptionalNames) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OptionalNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OptionalNames) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OptionalNames.Merge(m, src)
-}
-func (m *OptionalNames) XXX_Size() int {
-	return m.Size()
-}
-func (m *OptionalNames) XXX_DiscardUnknown() {
-	xxx_messageInfo_OptionalNames.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OptionalNames proto.InternalMessageInfo
-
-func (m *OptionalScopes) Reset()      { *m = OptionalScopes{} }
-func (*OptionalScopes) ProtoMessage() {}
-func (*OptionalScopes) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{14}
-}
-func (m *OptionalScopes) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OptionalScopes) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OptionalScopes) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OptionalScopes.Merge(m, src)
-}
-func (m *OptionalScopes) XXX_Size() int {
-	return m.Size()
-}
-func (m *OptionalScopes) XXX_DiscardUnknown() {
-	xxx_messageInfo_OptionalScopes.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OptionalScopes proto.InternalMessageInfo
-
-func (m *PolicyRule) Reset()      { *m = PolicyRule{} }
-func (*PolicyRule) ProtoMessage() {}
-func (*PolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{15}
-}
-func (m *PolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PolicyRule.Merge(m, src)
-}
-func (m *PolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *PolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_PolicyRule.DiscardUnknown(m)
-}
+func (m *ClusterRoleBinding) Reset() { *m = ClusterRoleBinding{} }
 
-var xxx_messageInfo_PolicyRule proto.InternalMessageInfo
+func (m *ClusterRoleBindingList) Reset() { *m = ClusterRoleBindingList{} }
 
-func (m *ResourceAccessReview) Reset()      { *m = ResourceAccessReview{} }
-func (*ResourceAccessReview) ProtoMessage() {}
-func (*ResourceAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{16}
-}
-func (m *ResourceAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceAccessReview.Merge(m, src)
-}
-func (m *ResourceAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceAccessReview.DiscardUnknown(m)
-}
+func (m *ClusterRoleList) Reset() { *m = ClusterRoleList{} }
 
-var xxx_messageInfo_ResourceAccessReview proto.InternalMessageInfo
+func (m *GroupRestriction) Reset() { *m = GroupRestriction{} }
 
-func (m *ResourceAccessReviewResponse) Reset()      { *m = ResourceAccessReviewResponse{} }
-func (*ResourceAccessReviewResponse) ProtoMessage() {}
-func (*ResourceAccessReviewResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{17}
-}
-func (m *ResourceAccessReviewResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceAccessReviewResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceAccessReviewResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceAccessReviewResponse.Merge(m, src)
-}
-func (m *ResourceAccessReviewResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceAccessReviewResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceAccessReviewResponse.DiscardUnknown(m)
-}
+func (m *IsPersonalSubjectAccessReview) Reset() { *m = IsPersonalSubjectAccessReview{} }
 
-var xxx_messageInfo_ResourceAccessReviewResponse proto.InternalMessageInfo
+func (m *LocalResourceAccessReview) Reset() { *m = LocalResourceAccessReview{} }
 
-func (m *Role) Reset()      { *m = Role{} }
-func (*Role) ProtoMessage() {}
-func (*Role) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{18}
-}
-func (m *Role) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Role) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Role) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Role.Merge(m, src)
-}
-func (m *Role) XXX_Size() int {
-	return m.Size()
-}
-func (m *Role) XXX_DiscardUnknown() {
-	xxx_messageInfo_Role.DiscardUnknown(m)
-}
+func (m *LocalSubjectAccessReview) Reset() { *m = LocalSubjectAccessReview{} }
 
-var xxx_messageInfo_Role proto.InternalMessageInfo
+func (m *NamedClusterRole) Reset() { *m = NamedClusterRole{} }
 
-func (m *RoleBinding) Reset()      { *m = RoleBinding{} }
-func (*RoleBinding) ProtoMessage() {}
-func (*RoleBinding) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{19}
-}
-func (m *RoleBinding) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBinding) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBinding.Merge(m, src)
-}
-func (m *RoleBinding) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBinding) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBinding.DiscardUnknown(m)
-}
+func (m *NamedClusterRoleBinding) Reset() { *m = NamedClusterRoleBinding{} }
 
-var xxx_messageInfo_RoleBinding proto.InternalMessageInfo
+func (m *NamedRole) Reset() { *m = NamedRole{} }
 
-func (m *RoleBindingList) Reset()      { *m = RoleBindingList{} }
-func (*RoleBindingList) ProtoMessage() {}
-func (*RoleBindingList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{20}
-}
-func (m *RoleBindingList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingList.Merge(m, src)
-}
-func (m *RoleBindingList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleBindingList proto.InternalMessageInfo
-
-func (m *RoleBindingRestriction) Reset()      { *m = RoleBindingRestriction{} }
-func (*RoleBindingRestriction) ProtoMessage() {}
-func (*RoleBindingRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{21}
-}
-func (m *RoleBindingRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingRestriction.Merge(m, src)
-}
-func (m *RoleBindingRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingRestriction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleBindingRestriction proto.InternalMessageInfo
+func (m *NamedRoleBinding) Reset() { *m = NamedRoleBinding{} }
 
-func (m *RoleBindingRestrictionList) Reset()      { *m = RoleBindingRestrictionList{} }
-func (*RoleBindingRestrictionList) ProtoMessage() {}
-func (*RoleBindingRestrictionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{22}
-}
-func (m *RoleBindingRestrictionList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingRestrictionList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingRestrictionList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingRestrictionList.Merge(m, src)
-}
-func (m *RoleBindingRestrictionList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingRestrictionList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingRestrictionList.DiscardUnknown(m)
-}
+func (m *OptionalNames) Reset() { *m = OptionalNames{} }
 
-var xxx_messageInfo_RoleBindingRestrictionList proto.InternalMessageInfo
-
-func (m *RoleBindingRestrictionSpec) Reset()      { *m = RoleBindingRestrictionSpec{} }
-func (*RoleBindingRestrictionSpec) ProtoMessage() {}
-func (*RoleBindingRestrictionSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{23}
-}
-func (m *RoleBindingRestrictionSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleBindingRestrictionSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleBindingRestrictionSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleBindingRestrictionSpec.Merge(m, src)
-}
-func (m *RoleBindingRestrictionSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleBindingRestrictionSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleBindingRestrictionSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoleBindingRestrictionSpec proto.InternalMessageInfo
-
-func (m *RoleList) Reset()      { *m = RoleList{} }
-func (*RoleList) ProtoMessage() {}
-func (*RoleList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{24}
-}
-func (m *RoleList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoleList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoleList.Merge(m, src)
-}
-func (m *RoleList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoleList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoleList.DiscardUnknown(m)
-}
+func (m *OptionalScopes) Reset() { *m = OptionalScopes{} }
 
-var xxx_messageInfo_RoleList proto.InternalMessageInfo
+func (m *PolicyRule) Reset() { *m = PolicyRule{} }
 
-func (m *SelfSubjectRulesReview) Reset()      { *m = SelfSubjectRulesReview{} }
-func (*SelfSubjectRulesReview) ProtoMessage() {}
-func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{25}
-}
-func (m *SelfSubjectRulesReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReview.Merge(m, src)
-}
-func (m *SelfSubjectRulesReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReview.DiscardUnknown(m)
-}
+func (m *ResourceAccessReview) Reset() { *m = ResourceAccessReview{} }
 
-var xxx_messageInfo_SelfSubjectRulesReview proto.InternalMessageInfo
+func (m *ResourceAccessReviewResponse) Reset() { *m = ResourceAccessReviewResponse{} }
 
-func (m *SelfSubjectRulesReviewSpec) Reset()      { *m = SelfSubjectRulesReviewSpec{} }
-func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
-func (*SelfSubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{26}
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.Merge(m, src)
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SelfSubjectRulesReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SelfSubjectRulesReviewSpec.DiscardUnknown(m)
-}
+func (m *Role) Reset() { *m = Role{} }
 
-var xxx_messageInfo_SelfSubjectRulesReviewSpec proto.InternalMessageInfo
+func (m *RoleBinding) Reset() { *m = RoleBinding{} }
 
-func (m *ServiceAccountReference) Reset()      { *m = ServiceAccountReference{} }
-func (*ServiceAccountReference) ProtoMessage() {}
-func (*ServiceAccountReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{27}
-}
-func (m *ServiceAccountReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountReference.Merge(m, src)
-}
-func (m *ServiceAccountReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountReference.DiscardUnknown(m)
-}
+func (m *RoleBindingList) Reset() { *m = RoleBindingList{} }
 
-var xxx_messageInfo_ServiceAccountReference proto.InternalMessageInfo
+func (m *RoleBindingRestriction) Reset() { *m = RoleBindingRestriction{} }
 
-func (m *ServiceAccountRestriction) Reset()      { *m = ServiceAccountRestriction{} }
-func (*ServiceAccountRestriction) ProtoMessage() {}
-func (*ServiceAccountRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{28}
-}
-func (m *ServiceAccountRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountRestriction.Merge(m, src)
-}
-func (m *ServiceAccountRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountRestriction.DiscardUnknown(m)
-}
+func (m *RoleBindingRestrictionList) Reset() { *m = RoleBindingRestrictionList{} }
 
-var xxx_messageInfo_ServiceAccountRestriction proto.InternalMessageInfo
+func (m *RoleBindingRestrictionSpec) Reset() { *m = RoleBindingRestrictionSpec{} }
 
-func (m *SubjectAccessReview) Reset()      { *m = SubjectAccessReview{} }
-func (*SubjectAccessReview) ProtoMessage() {}
-func (*SubjectAccessReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{29}
-}
-func (m *SubjectAccessReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReview.Merge(m, src)
-}
-func (m *SubjectAccessReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReview.DiscardUnknown(m)
-}
+func (m *RoleList) Reset() { *m = RoleList{} }
 
-var xxx_messageInfo_SubjectAccessReview proto.InternalMessageInfo
+func (m *SelfSubjectRulesReview) Reset() { *m = SelfSubjectRulesReview{} }
 
-func (m *SubjectAccessReviewResponse) Reset()      { *m = SubjectAccessReviewResponse{} }
-func (*SubjectAccessReviewResponse) ProtoMessage() {}
-func (*SubjectAccessReviewResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{30}
-}
-func (m *SubjectAccessReviewResponse) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectAccessReviewResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectAccessReviewResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectAccessReviewResponse.Merge(m, src)
-}
-func (m *SubjectAccessReviewResponse) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectAccessReviewResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectAccessReviewResponse.DiscardUnknown(m)
-}
+func (m *SelfSubjectRulesReviewSpec) Reset() { *m = SelfSubjectRulesReviewSpec{} }
 
-var xxx_messageInfo_SubjectAccessReviewResponse proto.InternalMessageInfo
+func (m *ServiceAccountReference) Reset() { *m = ServiceAccountReference{} }
 
-func (m *SubjectRulesReview) Reset()      { *m = SubjectRulesReview{} }
-func (*SubjectRulesReview) ProtoMessage() {}
-func (*SubjectRulesReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{31}
-}
-func (m *SubjectRulesReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectRulesReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectRulesReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectRulesReview.Merge(m, src)
-}
-func (m *SubjectRulesReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectRulesReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectRulesReview.DiscardUnknown(m)
-}
+func (m *ServiceAccountRestriction) Reset() { *m = ServiceAccountRestriction{} }
 
-var xxx_messageInfo_SubjectRulesReview proto.InternalMessageInfo
+func (m *SubjectAccessReview) Reset() { *m = SubjectAccessReview{} }
 
-func (m *SubjectRulesReviewSpec) Reset()      { *m = SubjectRulesReviewSpec{} }
-func (*SubjectRulesReviewSpec) ProtoMessage() {}
-func (*SubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{32}
-}
-func (m *SubjectRulesReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectRulesReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectRulesReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectRulesReviewSpec.Merge(m, src)
-}
-func (m *SubjectRulesReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectRulesReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectRulesReviewSpec.DiscardUnknown(m)
-}
+func (m *SubjectAccessReviewResponse) Reset() { *m = SubjectAccessReviewResponse{} }
 
-var xxx_messageInfo_SubjectRulesReviewSpec proto.InternalMessageInfo
+func (m *SubjectRulesReview) Reset() { *m = SubjectRulesReview{} }
 
-func (m *SubjectRulesReviewStatus) Reset()      { *m = SubjectRulesReviewStatus{} }
-func (*SubjectRulesReviewStatus) ProtoMessage() {}
-func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{33}
-}
-func (m *SubjectRulesReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SubjectRulesReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SubjectRulesReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SubjectRulesReviewStatus.Merge(m, src)
-}
-func (m *SubjectRulesReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *SubjectRulesReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_SubjectRulesReviewStatus.DiscardUnknown(m)
-}
+func (m *SubjectRulesReviewSpec) Reset() { *m = SubjectRulesReviewSpec{} }
 
-var xxx_messageInfo_SubjectRulesReviewStatus proto.InternalMessageInfo
+func (m *SubjectRulesReviewStatus) Reset() { *m = SubjectRulesReviewStatus{} }
 
-func (m *UserRestriction) Reset()      { *m = UserRestriction{} }
-func (*UserRestriction) ProtoMessage() {}
-func (*UserRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_39b89822f939ca46, []int{34}
-}
-func (m *UserRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserRestriction.Merge(m, src)
-}
-func (m *UserRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserRestriction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserRestriction proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Action)(nil), "github.com.openshift.api.authorization.v1.Action")
-	proto.RegisterType((*ClusterRole)(nil), "github.com.openshift.api.authorization.v1.ClusterRole")
-	proto.RegisterType((*ClusterRoleBinding)(nil), "github.com.openshift.api.authorization.v1.ClusterRoleBinding")
-	proto.RegisterType((*ClusterRoleBindingList)(nil), "github.com.openshift.api.authorization.v1.ClusterRoleBindingList")
-	proto.RegisterType((*ClusterRoleList)(nil), "github.com.openshift.api.authorization.v1.ClusterRoleList")
-	proto.RegisterType((*GroupRestriction)(nil), "github.com.openshift.api.authorization.v1.GroupRestriction")
-	proto.RegisterType((*IsPersonalSubjectAccessReview)(nil), "github.com.openshift.api.authorization.v1.IsPersonalSubjectAccessReview")
-	proto.RegisterType((*LocalResourceAccessReview)(nil), "github.com.openshift.api.authorization.v1.LocalResourceAccessReview")
-	proto.RegisterType((*LocalSubjectAccessReview)(nil), "github.com.openshift.api.authorization.v1.LocalSubjectAccessReview")
-	proto.RegisterType((*NamedClusterRole)(nil), "github.com.openshift.api.authorization.v1.NamedClusterRole")
-	proto.RegisterType((*NamedClusterRoleBinding)(nil), "github.com.openshift.api.authorization.v1.NamedClusterRoleBinding")
-	proto.RegisterType((*NamedRole)(nil), "github.com.openshift.api.authorization.v1.NamedRole")
-	proto.RegisterType((*NamedRoleBinding)(nil), "github.com.openshift.api.authorization.v1.NamedRoleBinding")
-	proto.RegisterType((*OptionalNames)(nil), "github.com.openshift.api.authorization.v1.OptionalNames")
-	proto.RegisterType((*OptionalScopes)(nil), "github.com.openshift.api.authorization.v1.OptionalScopes")
-	proto.RegisterType((*PolicyRule)(nil), "github.com.openshift.api.authorization.v1.PolicyRule")
-	proto.RegisterType((*ResourceAccessReview)(nil), "github.com.openshift.api.authorization.v1.ResourceAccessReview")
-	proto.RegisterType((*ResourceAccessReviewResponse)(nil), "github.com.openshift.api.authorization.v1.ResourceAccessReviewResponse")
-	proto.RegisterType((*Role)(nil), "github.com.openshift.api.authorization.v1.Role")
-	proto.RegisterType((*RoleBinding)(nil), "github.com.openshift.api.authorization.v1.RoleBinding")
-	proto.RegisterType((*RoleBindingList)(nil), "github.com.openshift.api.authorization.v1.RoleBindingList")
-	proto.RegisterType((*RoleBindingRestriction)(nil), "github.com.openshift.api.authorization.v1.RoleBindingRestriction")
-	proto.RegisterType((*RoleBindingRestrictionList)(nil), "github.com.openshift.api.authorization.v1.RoleBindingRestrictionList")
-	proto.RegisterType((*RoleBindingRestrictionSpec)(nil), "github.com.openshift.api.authorization.v1.RoleBindingRestrictionSpec")
-	proto.RegisterType((*RoleList)(nil), "github.com.openshift.api.authorization.v1.RoleList")
-	proto.RegisterType((*SelfSubjectRulesReview)(nil), "github.com.openshift.api.authorization.v1.SelfSubjectRulesReview")
-	proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "github.com.openshift.api.authorization.v1.SelfSubjectRulesReviewSpec")
-	proto.RegisterType((*ServiceAccountReference)(nil), "github.com.openshift.api.authorization.v1.ServiceAccountReference")
-	proto.RegisterType((*ServiceAccountRestriction)(nil), "github.com.openshift.api.authorization.v1.ServiceAccountRestriction")
-	proto.RegisterType((*SubjectAccessReview)(nil), "github.com.openshift.api.authorization.v1.SubjectAccessReview")
-	proto.RegisterType((*SubjectAccessReviewResponse)(nil), "github.com.openshift.api.authorization.v1.SubjectAccessReviewResponse")
-	proto.RegisterType((*SubjectRulesReview)(nil), "github.com.openshift.api.authorization.v1.SubjectRulesReview")
-	proto.RegisterType((*SubjectRulesReviewSpec)(nil), "github.com.openshift.api.authorization.v1.SubjectRulesReviewSpec")
-	proto.RegisterType((*SubjectRulesReviewStatus)(nil), "github.com.openshift.api.authorization.v1.SubjectRulesReviewStatus")
-	proto.RegisterType((*UserRestriction)(nil), "github.com.openshift.api.authorization.v1.UserRestriction")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/authorization/v1/generated.proto", fileDescriptor_39b89822f939ca46)
-}
-
-var fileDescriptor_39b89822f939ca46 = []byte{
-	// 1841 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0xcd, 0x6f, 0x1b, 0x4b,
-	0x3d, 0x63, 0x3b, 0x8e, 0xfd, 0x73, 0x13, 0xe7, 0x4d, 0xf3, 0xd2, 0x6d, 0xa0, 0xb6, 0xb5, 0x20,
-	0x48, 0x05, 0x6f, 0x4d, 0x02, 0x94, 0xb6, 0x4f, 0xe8, 0xc9, 0xee, 0x8b, 0xaa, 0x48, 0xa5, 0xc9,
-	0x9b, 0xf0, 0x9e, 0xaa, 0xf2, 0x21, 0xd6, 0x9b, 0x89, 0xbd, 0x64, 0xbd, 0x6b, 0xed, 0xac, 0x53,
-	0x0a, 0x42, 0x2a, 0x48, 0x1c, 0xb8, 0x20, 0x4e, 0x88, 0x23, 0x88, 0x3f, 0x00, 0x71, 0x41, 0x02,
-	0x09, 0x4e, 0x1c, 0x82, 0x84, 0x50, 0x25, 0x2e, 0x15, 0x42, 0x86, 0xba, 0x9c, 0x38, 0x72, 0xe1,
-	0x8a, 0x66, 0x76, 0xd6, 0xfb, 0x61, 0x5b, 0xf1, 0x26, 0x24, 0xbc, 0x56, 0xbd, 0x79, 0xe7, 0xf7,
-	0xfd, 0x9b, 0xdf, 0xe7, 0x24, 0x70, 0xab, 0x6d, 0x7a, 0x9d, 0x7e, 0x4b, 0x33, 0x9c, 0x6e, 0xdd,
-	0xe9, 0x51, 0x9b, 0x75, 0xcc, 0x03, 0xaf, 0xae, 0xf7, 0xcc, 0xba, 0xde, 0xf7, 0x3a, 0x8e, 0x6b,
-	0x7e, 0x5b, 0xf7, 0x4c, 0xc7, 0xae, 0x1f, 0x6d, 0xd4, 0xdb, 0xd4, 0xa6, 0xae, 0xee, 0xd1, 0x7d,
-	0xad, 0xe7, 0x3a, 0x9e, 0x83, 0xaf, 0x87, 0xa4, 0xda, 0x88, 0x54, 0xd3, 0x7b, 0xa6, 0x16, 0x23,
-	0xd5, 0x8e, 0x36, 0xd6, 0xde, 0x8a, 0x48, 0x69, 0x3b, 0x6d, 0xa7, 0x2e, 0x38, 0xb4, 0xfa, 0x07,
-	0xe2, 0x4b, 0x7c, 0x88, 0x5f, 0x3e, 0xe7, 0x35, 0xf5, 0xf0, 0x26, 0xd3, 0x4c, 0x47, 0xa8, 0x61,
-	0x38, 0x2e, 0x9d, 0x20, 0x3d, 0x86, 0xe3, 0xb6, 0x74, 0x63, 0x12, 0xce, 0xe7, 0x42, 0x9c, 0xae,
-	0x6e, 0x74, 0x4c, 0x9b, 0xba, 0x8f, 0xeb, 0xbd, 0xc3, 0x36, 0x3f, 0x60, 0xf5, 0x2e, 0xf5, 0xf4,
-	0x49, 0x54, 0xf5, 0x69, 0x54, 0x6e, 0xdf, 0xf6, 0xcc, 0x2e, 0x1d, 0x23, 0xb8, 0x71, 0x12, 0x01,
-	0x33, 0x3a, 0xb4, 0xab, 0x27, 0xe9, 0xd4, 0xef, 0xe5, 0x20, 0xdf, 0x30, 0xb8, 0x8f, 0x70, 0x1d,
-	0x8a, 0xb6, 0xde, 0xa5, 0xac, 0xa7, 0x1b, 0x54, 0x41, 0x35, 0xb4, 0x5e, 0x6c, 0xbe, 0x71, 0x3c,
-	0xa8, 0xce, 0x0d, 0x07, 0xd5, 0xe2, 0xfd, 0x00, 0x40, 0x42, 0x1c, 0x5c, 0x83, 0xdc, 0x11, 0x75,
-	0x5b, 0x4a, 0x46, 0xe0, 0x5e, 0x92, 0xb8, 0xb9, 0x0f, 0xa8, 0xdb, 0x22, 0x02, 0x82, 0x6f, 0xc1,
-	0xb2, 0x4b, 0x99, 0xd3, 0x77, 0x0d, 0xda, 0xd8, 0xdd, 0xbe, 0xeb, 0x3a, 0xfd, 0x9e, 0x92, 0x15,
-	0xd8, 0x8b, 0x12, 0x7b, 0x5e, 0x1c, 0x92, 0x31, 0x34, 0xfc, 0x0e, 0xe0, 0xc8, 0xd9, 0x07, 0xd4,
-	0x65, 0xa6, 0x63, 0x2b, 0x39, 0x41, 0x5c, 0x96, 0xc4, 0x0b, 0xf2, 0x98, 0x4c, 0x40, 0xc5, 0x9f,
-	0x86, 0x42, 0x70, 0xaa, 0xcc, 0x0b, 0xb2, 0x65, 0x49, 0x56, 0x20, 0xf2, 0x9c, 0x8c, 0x30, 0xf0,
-	0x4d, 0xb8, 0x14, 0xfc, 0xe6, 0xb6, 0x2a, 0x79, 0x41, 0xb1, 0x22, 0x29, 0x2e, 0x91, 0x08, 0x8c,
-	0xc4, 0x30, 0xb9, 0x17, 0x7a, 0xba, 0xd7, 0x51, 0x0a, 0x71, 0x2f, 0xec, 0xea, 0x5e, 0x87, 0x08,
-	0x08, 0x7e, 0x17, 0x96, 0x4d, 0x76, 0xdf, 0xb1, 0x03, 0x26, 0xef, 0x93, 0x7b, 0x4a, 0xb1, 0x86,
-	0xd6, 0x0b, 0x4d, 0x45, 0x62, 0x2f, 0x6f, 0x27, 0xe0, 0x64, 0x8c, 0x02, 0x3f, 0x80, 0x05, 0xc3,
-	0xb1, 0x3d, 0x6a, 0x7b, 0xca, 0x42, 0x0d, 0xad, 0x97, 0x36, 0xdf, 0xd2, 0xfc, 0x3b, 0xd7, 0xa2,
-	0x77, 0xae, 0xf5, 0x0e, 0xdb, 0x9a, 0xbc, 0x73, 0x8d, 0xe8, 0x8f, 0xb6, 0xbe, 0xe5, 0x51, 0x9b,
-	0xfb, 0x23, 0x74, 0xda, 0x1d, 0x9f, 0x0b, 0x09, 0xd8, 0xa9, 0xbf, 0xcc, 0x40, 0xe9, 0x8e, 0xd5,
-	0x67, 0x1e, 0x75, 0x89, 0x63, 0x51, 0xfc, 0x0d, 0x28, 0xf0, 0xb8, 0xdc, 0xd7, 0x3d, 0x5d, 0xc4,
-	0x41, 0x69, 0xf3, 0x33, 0x53, 0x45, 0xf1, 0x28, 0xd6, 0x38, 0xb6, 0x76, 0xb4, 0xa1, 0xed, 0xb4,
-	0xbe, 0x49, 0x0d, 0xef, 0x4b, 0xd4, 0xd3, 0x9b, 0x58, 0x4a, 0x83, 0xf0, 0x8c, 0x8c, 0xb8, 0xe2,
-	0x87, 0x30, 0xef, 0xf6, 0x2d, 0xca, 0x94, 0x4c, 0x2d, 0xbb, 0x5e, 0xda, 0xfc, 0xbc, 0x36, 0x73,
-	0x1a, 0x6b, 0xbb, 0x8e, 0x65, 0x1a, 0x8f, 0x49, 0xdf, 0xa2, 0x61, 0x0c, 0xf1, 0x2f, 0x46, 0x7c,
-	0x96, 0xb8, 0x05, 0x65, 0xbd, 0xdd, 0x76, 0x69, 0x5b, 0x90, 0x70, 0x90, 0x08, 0xb9, 0xd2, 0xe6,
-	0xc7, 0x22, 0x46, 0x68, 0x3c, 0x5d, 0x39, 0xbb, 0x46, 0x1c, 0xb5, 0x79, 0x79, 0x38, 0xa8, 0x96,
-	0x13, 0x87, 0x24, 0xc9, 0x50, 0xfd, 0x57, 0x16, 0x70, 0xc4, 0x63, 0x4d, 0xd3, 0xde, 0x37, 0xed,
-	0xf6, 0x05, 0x38, 0x8e, 0x42, 0xb1, 0xcf, 0xa8, 0x2b, 0xd2, 0x51, 0xe4, 0x5d, 0x69, 0xf3, 0x66,
-	0x0a, 0xe7, 0xed, 0xf4, 0xf8, 0x2f, 0xdd, 0x12, 0xf4, 0xcd, 0x45, 0x9e, 0xd9, 0xef, 0x07, 0xec,
-	0x48, 0xc8, 0x19, 0x77, 0x00, 0xda, 0x3c, 0x0b, 0x7d, 0x39, 0xd9, 0x33, 0xca, 0x59, 0xe2, 0xe6,
-	0xdc, 0x1d, 0xf1, 0x23, 0x11, 0xde, 0xf8, 0x3d, 0x28, 0xb0, 0xbe, 0xb0, 0x94, 0x29, 0x39, 0x11,
-	0x0c, 0xb1, 0x6b, 0xe2, 0x95, 0x37, 0x74, 0x10, 0xa1, 0x07, 0xd4, 0xa5, 0xb6, 0x41, 0xc3, 0x54,
-	0xde, 0x93, 0xc4, 0x64, 0xc4, 0x06, 0xdf, 0x87, 0x05, 0xd7, 0xb1, 0x28, 0xa1, 0x07, 0x22, 0xef,
-	0x67, 0xe4, 0x38, 0x4a, 0x0f, 0xe2, 0xd3, 0x92, 0x80, 0x89, 0xfa, 0x57, 0x04, 0xab, 0xe3, 0x97,
-	0x7d, 0xcf, 0x64, 0x1e, 0xfe, 0xea, 0xd8, 0x85, 0x6b, 0xb3, 0x5d, 0x38, 0xa7, 0x16, 0xd7, 0x3d,
-	0x32, 0x24, 0x38, 0x89, 0x5c, 0x76, 0x0b, 0xe6, 0x4d, 0x8f, 0x76, 0x83, 0x2c, 0xf9, 0x62, 0x8a,
-	0x0b, 0x18, 0xd7, 0x37, 0xcc, 0x96, 0x6d, 0xce, 0x93, 0xf8, 0xac, 0xd5, 0x3f, 0x21, 0x28, 0x47,
-	0x90, 0x2f, 0xc0, 0xaa, 0xaf, 0xc4, 0xad, 0xba, 0x71, 0x4a, 0xab, 0x26, 0x9b, 0xf3, 0x13, 0x04,
-	0xcb, 0x7e, 0x47, 0xa1, 0xcc, 0x73, 0x4d, 0xbf, 0xb1, 0xa9, 0x90, 0x17, 0x11, 0xc7, 0x14, 0x54,
-	0xcb, 0xae, 0x17, 0x9b, 0x30, 0x1c, 0x54, 0xf3, 0x02, 0x8b, 0x11, 0x09, 0xc1, 0x5f, 0x87, 0xbc,
-	0xa5, 0xb7, 0xa8, 0x15, 0xa8, 0xf5, 0xd9, 0x19, 0x2d, 0xe6, 0x34, 0x7b, 0xd4, 0xa2, 0x86, 0xe7,
-	0xb8, 0x61, 0xbb, 0x0c, 0x4e, 0x18, 0x91, 0x5c, 0xd5, 0x2a, 0x5c, 0xdb, 0x66, 0xbb, 0xd4, 0x65,
-	0x3c, 0x2d, 0x64, 0xd0, 0x36, 0x0c, 0x83, 0x32, 0x46, 0xe8, 0x91, 0x49, 0x1f, 0xa9, 0x7f, 0x46,
-	0x70, 0xf5, 0x9e, 0x63, 0xe8, 0x56, 0x50, 0xf3, 0xa3, 0xd0, 0x58, 0x65, 0xc9, 0x9c, 0x4b, 0x65,
-	0xd9, 0x09, 0xe6, 0x00, 0x79, 0xe5, 0x1b, 0x29, 0xee, 0xc5, 0x27, 0x6c, 0xe6, 0xb8, 0x00, 0x22,
-	0xd9, 0xa8, 0xff, 0xc9, 0x80, 0x22, 0x0c, 0x9a, 0x60, 0x6d, 0xcc, 0x9e, 0xf9, 0x97, 0xc2, 0x1e,
-	0xde, 0xe7, 0x79, 0x81, 0x4c, 0x4e, 0x3b, 0xbc, 0x7e, 0x12, 0x01, 0xc1, 0x9f, 0x1c, 0xc5, 0x59,
-	0x56, 0xc4, 0x59, 0x79, 0x38, 0xa8, 0x96, 0xfc, 0x38, 0xdb, 0xb3, 0x4c, 0x83, 0x8e, 0x82, 0xed,
-	0x6b, 0x90, 0x67, 0x86, 0xd3, 0xa3, 0x4c, 0xcc, 0x33, 0xa5, 0xcd, 0x5b, 0xa7, 0x28, 0xad, 0x7b,
-	0x82, 0x81, 0x1f, 0xcb, 0xfe, 0x6f, 0x22, 0x99, 0xaa, 0x3f, 0x42, 0xb0, 0xcc, 0xab, 0xeb, 0x7e,
-	0xb4, 0xa9, 0xd7, 0x20, 0xc7, 0x27, 0x37, 0x39, 0xd8, 0x8d, 0xd4, 0x17, 0x03, 0x8d, 0x80, 0xe0,
-	0x07, 0x90, 0xe3, 0x25, 0x4f, 0xc6, 0xd7, 0x69, 0xf3, 0x72, 0xc4, 0x59, 0xd4, 0x51, 0xc1, 0x51,
-	0xfd, 0x15, 0x82, 0x2b, 0x49, 0x85, 0x82, 0x9e, 0x79, 0xb2, 0x5e, 0x1e, 0x94, 0xdc, 0x90, 0x40,
-	0xaa, 0x77, 0xc6, 0x62, 0x78, 0x59, 0xca, 0x29, 0x45, 0x0e, 0x49, 0x54, 0x8c, 0xfa, 0x04, 0x81,
-	0x98, 0x7a, 0xf7, 0x67, 0xf4, 0xde, 0x7b, 0x31, 0xef, 0xd5, 0x53, 0xa8, 0x37, 0xd5, 0x6d, 0xbf,
-	0x08, 0xee, 0x31, 0x9d, 0xbf, 0xba, 0x93, 0xfc, 0x75, 0x23, 0xad, 0x42, 0x33, 0x3b, 0xea, 0x36,
-	0x2c, 0xc6, 0xda, 0x3d, 0xae, 0x06, 0x05, 0xde, 0xaf, 0xb6, 0xc5, 0x64, 0x91, 0xbe, 0x5d, 0xf8,
-	0xe9, 0xcf, 0xaa, 0x73, 0x4f, 0xfe, 0x56, 0x9b, 0x53, 0xdf, 0x86, 0xa5, 0x78, 0x3c, 0xa7, 0x21,
-	0xfe, 0x61, 0x16, 0x20, 0x9c, 0x06, 0x39, 0x25, 0xdf, 0x39, 0x62, 0x94, 0x7c, 0x15, 0x61, 0xc4,
-	0x3f, 0xc7, 0xdf, 0x47, 0xf0, 0xa6, 0xee, 0x79, 0xae, 0xd9, 0xea, 0x7b, 0x34, 0xd2, 0x1f, 0x82,
-	0x41, 0x2a, 0xe5, 0x3c, 0x7d, 0x4d, 0x7a, 0xe6, 0xcd, 0xc6, 0x24, 0x9e, 0x64, 0xb2, 0x28, 0xfc,
-	0x29, 0x28, 0xea, 0x3d, 0xf3, 0x6e, 0xb4, 0x4c, 0x88, 0x31, 0x2c, 0xd8, 0x7b, 0x18, 0x09, 0xe1,
-	0x1c, 0x39, 0x58, 0x35, 0xfc, 0xe9, 0x48, 0x22, 0x07, 0x2d, 0x82, 0x91, 0x10, 0x8e, 0xbf, 0x00,
-	0x8b, 0xd1, 0xbd, 0x84, 0x29, 0xf3, 0x82, 0xe0, 0x8d, 0xe1, 0xa0, 0xba, 0x18, 0x5d, 0x5f, 0x18,
-	0x89, 0xe3, 0xe1, 0x26, 0x94, 0xed, 0xd8, 0xaa, 0xc1, 0x94, 0xbc, 0x20, 0x55, 0x86, 0x83, 0xea,
-	0x4a, 0x7c, 0x0b, 0x91, 0x85, 0x2c, 0x49, 0xa0, 0xfe, 0x11, 0xc1, 0xca, 0xab, 0xd2, 0xb8, 0xfe,
-	0x8e, 0xe0, 0xa3, 0x93, 0x6c, 0x21, 0x94, 0xf5, 0x1c, 0x9b, 0xd1, 0xf4, 0x8b, 0xf2, 0xc7, 0x61,
-	0x9e, 0x37, 0x08, 0x7f, 0xb6, 0x28, 0xfa, 0xf3, 0x30, 0xef, 0x1b, 0xd2, 0x9b, 0x3e, 0x70, 0xf6,
-	0xf6, 0xf1, 0x0e, 0x2c, 0xd1, 0x23, 0xdd, 0xea, 0x73, 0x6d, 0xb7, 0x5c, 0xd7, 0x71, 0xe5, 0x5a,
-	0x7c, 0x45, 0x2a, 0x51, 0xde, 0xe2, 0x50, 0x7d, 0x04, 0x26, 0x09, 0x74, 0xf5, 0x0f, 0x08, 0x72,
-	0x2f, 0xff, 0xa6, 0xa7, 0xbe, 0xc8, 0x42, 0xe9, 0xf5, 0xfa, 0xf5, 0xaa, 0xaf, 0x5f, 0x7c, 0x43,
-	0xb9, 0xd8, 0xbd, 0xeb, 0x0c, 0x1b, 0xca, 0xc9, 0x0b, 0xd7, 0x0b, 0x04, 0xab, 0xd1, 0x5e, 0x1a,
-	0xd9, 0x53, 0xce, 0x3f, 0x7e, 0xdb, 0x90, 0x63, 0x3d, 0x6a, 0xc8, 0xd0, 0xdd, 0x3a, 0x9d, 0x61,
-	0x11, 0x95, 0xf7, 0x7a, 0xd4, 0x08, 0x67, 0x10, 0xfe, 0x45, 0x84, 0x00, 0x75, 0x88, 0x60, 0x6d,
-	0x32, 0xc9, 0x05, 0xdc, 0xdf, 0x41, 0xfc, 0xfe, 0x1a, 0x67, 0x36, 0x73, 0xca, 0x55, 0xfe, 0x36,
-	0x3b, 0xcd, 0x48, 0xee, 0x09, 0xfc, 0x18, 0xca, 0x3c, 0xa5, 0xdd, 0xf0, 0x58, 0xda, 0x7a, 0x3b,
-	0x85, 0x42, 0x62, 0xbd, 0x88, 0x68, 0x22, 0xde, 0xa7, 0x12, 0x87, 0x24, 0x29, 0x07, 0x7f, 0x17,
-	0x96, 0x45, 0x92, 0x47, 0x65, 0xfb, 0x77, 0xfe, 0x76, 0x0a, 0xd9, 0xc9, 0x45, 0xba, 0xb9, 0x32,
-	0x1c, 0x54, 0xc7, 0xd6, 0x6b, 0x32, 0x26, 0x0a, 0xff, 0x1c, 0xc1, 0x55, 0x46, 0xdd, 0x23, 0xd3,
-	0xa0, 0xba, 0x61, 0x38, 0x7d, 0xdb, 0x8b, 0x2a, 0xe2, 0xd7, 0xb3, 0x77, 0x53, 0x28, 0xb2, 0xe7,
-	0xf3, 0x6a, 0xf8, 0xbc, 0xa2, 0x1a, 0x5d, 0x1b, 0x0e, 0xaa, 0x57, 0xa7, 0x82, 0xc9, 0x74, 0x2d,
-	0xd4, 0xdf, 0x23, 0x28, 0x5c, 0xd0, 0x8b, 0xc7, 0x97, 0xe3, 0xf1, 0x98, 0x7a, 0x37, 0x98, 0x1c,
-	0x7d, 0x4f, 0x33, 0xb0, 0xba, 0x47, 0xad, 0x03, 0x59, 0x82, 0xfd, 0xce, 0x38, 0x3e, 0x74, 0x65,
-	0xcf, 0xb5, 0x90, 0xa0, 0xd4, 0x85, 0x64, 0xb2, 0xca, 0xd3, 0x0a, 0x09, 0x3e, 0x84, 0x3c, 0xf3,
-	0x74, 0xaf, 0x1f, 0xb4, 0xdb, 0x3b, 0x69, 0x44, 0x8d, 0x8b, 0x11, 0xac, 0x9a, 0x4b, 0x52, 0x50,
-	0xde, 0xff, 0x26, 0x52, 0x84, 0xfa, 0x1d, 0x58, 0x9b, 0xae, 0x5e, 0x64, 0x6b, 0x47, 0xe7, 0xb1,
-	0xb5, 0x5b, 0x70, 0x25, 0x19, 0xc8, 0xb2, 0x39, 0xce, 0xb0, 0xf3, 0xc5, 0x46, 0xd2, 0xcc, 0xc9,
-	0x23, 0xa9, 0xfa, 0x17, 0x04, 0xd3, 0xf3, 0x06, 0xff, 0x00, 0x41, 0x39, 0x9e, 0x3a, 0xfe, 0x5a,
-	0x55, 0xda, 0x6c, 0x9e, 0x21, 0x6d, 0x83, 0x5e, 0x3f, 0x9a, 0x53, 0xe3, 0x08, 0x8c, 0x24, 0x65,
-	0x62, 0x0d, 0x60, 0xa4, 0x72, 0x6c, 0x7a, 0x1e, 0xd9, 0xc4, 0x48, 0x04, 0x43, 0xfd, 0x77, 0x06,
-	0x2e, 0xbf, 0x7e, 0x6e, 0xba, 0xe0, 0xe7, 0xa6, 0x7f, 0x22, 0xf8, 0xc8, 0x04, 0xa7, 0x9f, 0x7e,
-	0x5d, 0xba, 0x0e, 0x0b, 0xba, 0x65, 0x39, 0x8f, 0xe8, 0xbe, 0xb0, 0xbe, 0x10, 0x0e, 0x87, 0x0d,
-	0xff, 0x98, 0x04, 0x70, 0xfc, 0x09, 0xc8, 0xbb, 0x54, 0x67, 0xb2, 0xab, 0x14, 0xc3, 0xcc, 0x26,
-	0xe2, 0x94, 0x48, 0x28, 0x6e, 0x40, 0x99, 0xc6, 0x97, 0xa2, 0x93, 0x76, 0xa6, 0x24, 0xbe, 0x7a,
-	0x9c, 0x01, 0xfc, 0x7f, 0xa9, 0xb5, 0x46, 0xac, 0xd6, 0x36, 0xce, 0x56, 0x00, 0x3f, 0x14, 0x75,
-	0xf6, 0x77, 0x08, 0x56, 0xa7, 0x14, 0xd9, 0x20, 0xec, 0xd1, 0xd4, 0xb0, 0x0f, 0x5f, 0xf3, 0x33,
-	0x53, 0x5f, 0xf3, 0xc3, 0x88, 0xcf, 0x9e, 0x47, 0xc4, 0xff, 0x06, 0x81, 0x32, 0xcd, 0xe8, 0x70,
-	0xe3, 0x45, 0xff, 0xfb, 0xbf, 0x6d, 0x4e, 0x08, 0xe3, 0x4c, 0xca, 0x30, 0xfe, 0x35, 0x82, 0xe4,
-	0xfc, 0x88, 0xab, 0xc1, 0xfb, 0x44, 0xe4, 0xe9, 0x4c, 0xbc, 0x4f, 0x04, 0x4f, 0x13, 0xb3, 0xf8,
-	0x3c, 0xfc, 0x0b, 0x4a, 0xf6, 0x3c, 0xfe, 0x82, 0xd2, 0xdc, 0x39, 0x7e, 0x5e, 0x99, 0x7b, 0xfa,
-	0xbc, 0x32, 0xf7, 0xec, 0x79, 0x65, 0xee, 0xc9, 0xb0, 0x82, 0x8e, 0x87, 0x15, 0xf4, 0x74, 0x58,
-	0x41, 0xcf, 0x86, 0x15, 0xf4, 0x8f, 0x61, 0x05, 0xfd, 0xf8, 0x45, 0x65, 0xee, 0xe1, 0xf5, 0x99,
-	0xff, 0x97, 0xe4, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xa0, 0x1c, 0xfa, 0x7f, 0x77, 0x22, 0x00,
-	0x00,
-}
+func (m *UserRestriction) Reset() { *m = UserRestriction{} }
 
 func (m *Action) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..eec7f53344638
--- /dev/null
+++ b/vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go
@@ -0,0 +1,76 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Action) ProtoMessage() {}
+
+func (*ClusterRole) ProtoMessage() {}
+
+func (*ClusterRoleBinding) ProtoMessage() {}
+
+func (*ClusterRoleBindingList) ProtoMessage() {}
+
+func (*ClusterRoleList) ProtoMessage() {}
+
+func (*GroupRestriction) ProtoMessage() {}
+
+func (*IsPersonalSubjectAccessReview) ProtoMessage() {}
+
+func (*LocalResourceAccessReview) ProtoMessage() {}
+
+func (*LocalSubjectAccessReview) ProtoMessage() {}
+
+func (*NamedClusterRole) ProtoMessage() {}
+
+func (*NamedClusterRoleBinding) ProtoMessage() {}
+
+func (*NamedRole) ProtoMessage() {}
+
+func (*NamedRoleBinding) ProtoMessage() {}
+
+func (*OptionalNames) ProtoMessage() {}
+
+func (*OptionalScopes) ProtoMessage() {}
+
+func (*PolicyRule) ProtoMessage() {}
+
+func (*ResourceAccessReview) ProtoMessage() {}
+
+func (*ResourceAccessReviewResponse) ProtoMessage() {}
+
+func (*Role) ProtoMessage() {}
+
+func (*RoleBinding) ProtoMessage() {}
+
+func (*RoleBindingList) ProtoMessage() {}
+
+func (*RoleBindingRestriction) ProtoMessage() {}
+
+func (*RoleBindingRestrictionList) ProtoMessage() {}
+
+func (*RoleBindingRestrictionSpec) ProtoMessage() {}
+
+func (*RoleList) ProtoMessage() {}
+
+func (*SelfSubjectRulesReview) ProtoMessage() {}
+
+func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
+
+func (*ServiceAccountReference) ProtoMessage() {}
+
+func (*ServiceAccountRestriction) ProtoMessage() {}
+
+func (*SubjectAccessReview) ProtoMessage() {}
+
+func (*SubjectAccessReviewResponse) ProtoMessage() {}
+
+func (*SubjectRulesReview) ProtoMessage() {}
+
+func (*SubjectRulesReviewSpec) ProtoMessage() {}
+
+func (*SubjectRulesReviewStatus) ProtoMessage() {}
+
+func (*UserRestriction) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/build/v1/generated.pb.go b/vendor/github.com/openshift/api/build/v1/generated.pb.go
index 1b026f354dc64..9ffe8ebd78c6b 100644
--- a/vendor/github.com/openshift/api/build/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/build/v1/generated.pb.go
@@ -7,2058 +7,137 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 	time "time"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-var _ = time.Kitchen
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
-
-func (m *BinaryBuildRequestOptions) Reset()      { *m = BinaryBuildRequestOptions{} }
-func (*BinaryBuildRequestOptions) ProtoMessage() {}
-func (*BinaryBuildRequestOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{0}
-}
-func (m *BinaryBuildRequestOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BinaryBuildRequestOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BinaryBuildRequestOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BinaryBuildRequestOptions.Merge(m, src)
-}
-func (m *BinaryBuildRequestOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *BinaryBuildRequestOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_BinaryBuildRequestOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BinaryBuildRequestOptions proto.InternalMessageInfo
-
-func (m *BinaryBuildSource) Reset()      { *m = BinaryBuildSource{} }
-func (*BinaryBuildSource) ProtoMessage() {}
-func (*BinaryBuildSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{1}
-}
-func (m *BinaryBuildSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BinaryBuildSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BinaryBuildSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BinaryBuildSource.Merge(m, src)
-}
-func (m *BinaryBuildSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *BinaryBuildSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_BinaryBuildSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BinaryBuildSource proto.InternalMessageInfo
-
-func (m *BitbucketWebHookCause) Reset()      { *m = BitbucketWebHookCause{} }
-func (*BitbucketWebHookCause) ProtoMessage() {}
-func (*BitbucketWebHookCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{2}
-}
-func (m *BitbucketWebHookCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BitbucketWebHookCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BitbucketWebHookCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BitbucketWebHookCause.Merge(m, src)
-}
-func (m *BitbucketWebHookCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *BitbucketWebHookCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_BitbucketWebHookCause.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BitbucketWebHookCause proto.InternalMessageInfo
-
-func (m *Build) Reset()      { *m = Build{} }
-func (*Build) ProtoMessage() {}
-func (*Build) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{3}
-}
-func (m *Build) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Build) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Build) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Build.Merge(m, src)
-}
-func (m *Build) XXX_Size() int {
-	return m.Size()
-}
-func (m *Build) XXX_DiscardUnknown() {
-	xxx_messageInfo_Build.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Build proto.InternalMessageInfo
-
-func (m *BuildCondition) Reset()      { *m = BuildCondition{} }
-func (*BuildCondition) ProtoMessage() {}
-func (*BuildCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{4}
-}
-func (m *BuildCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildCondition.Merge(m, src)
-}
-func (m *BuildCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildCondition proto.InternalMessageInfo
-
-func (m *BuildConfig) Reset()      { *m = BuildConfig{} }
-func (*BuildConfig) ProtoMessage() {}
-func (*BuildConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{5}
-}
-func (m *BuildConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildConfig.Merge(m, src)
-}
-func (m *BuildConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildConfig proto.InternalMessageInfo
-
-func (m *BuildConfigList) Reset()      { *m = BuildConfigList{} }
-func (*BuildConfigList) ProtoMessage() {}
-func (*BuildConfigList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{6}
-}
-func (m *BuildConfigList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildConfigList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildConfigList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildConfigList.Merge(m, src)
-}
-func (m *BuildConfigList) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildConfigList) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildConfigList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildConfigList proto.InternalMessageInfo
-
-func (m *BuildConfigSpec) Reset()      { *m = BuildConfigSpec{} }
-func (*BuildConfigSpec) ProtoMessage() {}
-func (*BuildConfigSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{7}
-}
-func (m *BuildConfigSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildConfigSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildConfigSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildConfigSpec.Merge(m, src)
-}
-func (m *BuildConfigSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildConfigSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildConfigSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildConfigSpec proto.InternalMessageInfo
-
-func (m *BuildConfigStatus) Reset()      { *m = BuildConfigStatus{} }
-func (*BuildConfigStatus) ProtoMessage() {}
-func (*BuildConfigStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{8}
-}
-func (m *BuildConfigStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildConfigStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildConfigStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildConfigStatus.Merge(m, src)
-}
-func (m *BuildConfigStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildConfigStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildConfigStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildConfigStatus proto.InternalMessageInfo
-
-func (m *BuildList) Reset()      { *m = BuildList{} }
-func (*BuildList) ProtoMessage() {}
-func (*BuildList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{9}
-}
-func (m *BuildList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildList.Merge(m, src)
-}
-func (m *BuildList) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildList) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildList proto.InternalMessageInfo
-
-func (m *BuildLog) Reset()      { *m = BuildLog{} }
-func (*BuildLog) ProtoMessage() {}
-func (*BuildLog) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{10}
-}
-func (m *BuildLog) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildLog) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildLog) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildLog.Merge(m, src)
-}
-func (m *BuildLog) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildLog) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildLog.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildLog proto.InternalMessageInfo
-
-func (m *BuildLogOptions) Reset()      { *m = BuildLogOptions{} }
-func (*BuildLogOptions) ProtoMessage() {}
-func (*BuildLogOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{11}
-}
-func (m *BuildLogOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildLogOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildLogOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildLogOptions.Merge(m, src)
-}
-func (m *BuildLogOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildLogOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildLogOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildLogOptions proto.InternalMessageInfo
-
-func (m *BuildOutput) Reset()      { *m = BuildOutput{} }
-func (*BuildOutput) ProtoMessage() {}
-func (*BuildOutput) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{12}
-}
-func (m *BuildOutput) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildOutput) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildOutput) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildOutput.Merge(m, src)
-}
-func (m *BuildOutput) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildOutput) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildOutput.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildOutput proto.InternalMessageInfo
-
-func (m *BuildPostCommitSpec) Reset()      { *m = BuildPostCommitSpec{} }
-func (*BuildPostCommitSpec) ProtoMessage() {}
-func (*BuildPostCommitSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{13}
-}
-func (m *BuildPostCommitSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildPostCommitSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildPostCommitSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildPostCommitSpec.Merge(m, src)
-}
-func (m *BuildPostCommitSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildPostCommitSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildPostCommitSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildPostCommitSpec proto.InternalMessageInfo
-
-func (m *BuildRequest) Reset()      { *m = BuildRequest{} }
-func (*BuildRequest) ProtoMessage() {}
-func (*BuildRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{14}
-}
-func (m *BuildRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildRequest.Merge(m, src)
-}
-func (m *BuildRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildRequest proto.InternalMessageInfo
-
-func (m *BuildSource) Reset()      { *m = BuildSource{} }
-func (*BuildSource) ProtoMessage() {}
-func (*BuildSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{15}
-}
-func (m *BuildSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildSource.Merge(m, src)
-}
-func (m *BuildSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildSource proto.InternalMessageInfo
-
-func (m *BuildSpec) Reset()      { *m = BuildSpec{} }
-func (*BuildSpec) ProtoMessage() {}
-func (*BuildSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{16}
-}
-func (m *BuildSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildSpec.Merge(m, src)
-}
-func (m *BuildSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildSpec proto.InternalMessageInfo
-
-func (m *BuildStatus) Reset()      { *m = BuildStatus{} }
-func (*BuildStatus) ProtoMessage() {}
-func (*BuildStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{17}
-}
-func (m *BuildStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildStatus.Merge(m, src)
-}
-func (m *BuildStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildStatus proto.InternalMessageInfo
-
-func (m *BuildStatusOutput) Reset()      { *m = BuildStatusOutput{} }
-func (*BuildStatusOutput) ProtoMessage() {}
-func (*BuildStatusOutput) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{18}
-}
-func (m *BuildStatusOutput) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildStatusOutput) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildStatusOutput) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildStatusOutput.Merge(m, src)
-}
-func (m *BuildStatusOutput) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildStatusOutput) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildStatusOutput.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildStatusOutput proto.InternalMessageInfo
-
-func (m *BuildStatusOutputTo) Reset()      { *m = BuildStatusOutputTo{} }
-func (*BuildStatusOutputTo) ProtoMessage() {}
-func (*BuildStatusOutputTo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{19}
-}
-func (m *BuildStatusOutputTo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildStatusOutputTo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildStatusOutputTo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildStatusOutputTo.Merge(m, src)
-}
-func (m *BuildStatusOutputTo) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildStatusOutputTo) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildStatusOutputTo.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildStatusOutputTo proto.InternalMessageInfo
-
-func (m *BuildStrategy) Reset()      { *m = BuildStrategy{} }
-func (*BuildStrategy) ProtoMessage() {}
-func (*BuildStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{20}
-}
-func (m *BuildStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildStrategy.Merge(m, src)
-}
-func (m *BuildStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildStrategy proto.InternalMessageInfo
-
-func (m *BuildTriggerCause) Reset()      { *m = BuildTriggerCause{} }
-func (*BuildTriggerCause) ProtoMessage() {}
-func (*BuildTriggerCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{21}
-}
-func (m *BuildTriggerCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildTriggerCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildTriggerCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildTriggerCause.Merge(m, src)
-}
-func (m *BuildTriggerCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildTriggerCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildTriggerCause.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildTriggerCause proto.InternalMessageInfo
-
-func (m *BuildTriggerPolicy) Reset()      { *m = BuildTriggerPolicy{} }
-func (*BuildTriggerPolicy) ProtoMessage() {}
-func (*BuildTriggerPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{22}
-}
-func (m *BuildTriggerPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildTriggerPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildTriggerPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildTriggerPolicy.Merge(m, src)
-}
-func (m *BuildTriggerPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildTriggerPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildTriggerPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildTriggerPolicy proto.InternalMessageInfo
-
-func (m *BuildVolume) Reset()      { *m = BuildVolume{} }
-func (*BuildVolume) ProtoMessage() {}
-func (*BuildVolume) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{23}
-}
-func (m *BuildVolume) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildVolume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildVolume) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildVolume.Merge(m, src)
-}
-func (m *BuildVolume) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildVolume) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildVolume.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildVolume proto.InternalMessageInfo
-
-func (m *BuildVolumeMount) Reset()      { *m = BuildVolumeMount{} }
-func (*BuildVolumeMount) ProtoMessage() {}
-func (*BuildVolumeMount) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{24}
-}
-func (m *BuildVolumeMount) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildVolumeMount) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildVolumeMount) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildVolumeMount.Merge(m, src)
-}
-func (m *BuildVolumeMount) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildVolumeMount) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildVolumeMount.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildVolumeMount proto.InternalMessageInfo
-
-func (m *BuildVolumeSource) Reset()      { *m = BuildVolumeSource{} }
-func (*BuildVolumeSource) ProtoMessage() {}
-func (*BuildVolumeSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{25}
-}
-func (m *BuildVolumeSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BuildVolumeSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BuildVolumeSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BuildVolumeSource.Merge(m, src)
-}
-func (m *BuildVolumeSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *BuildVolumeSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_BuildVolumeSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BuildVolumeSource proto.InternalMessageInfo
-
-func (m *CommonSpec) Reset()      { *m = CommonSpec{} }
-func (*CommonSpec) ProtoMessage() {}
-func (*CommonSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{26}
-}
-func (m *CommonSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CommonSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CommonSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CommonSpec.Merge(m, src)
-}
-func (m *CommonSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *CommonSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_CommonSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CommonSpec proto.InternalMessageInfo
-
-func (m *CommonWebHookCause) Reset()      { *m = CommonWebHookCause{} }
-func (*CommonWebHookCause) ProtoMessage() {}
-func (*CommonWebHookCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{27}
-}
-func (m *CommonWebHookCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CommonWebHookCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CommonWebHookCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CommonWebHookCause.Merge(m, src)
-}
-func (m *CommonWebHookCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *CommonWebHookCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_CommonWebHookCause.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CommonWebHookCause proto.InternalMessageInfo
-
-func (m *ConfigMapBuildSource) Reset()      { *m = ConfigMapBuildSource{} }
-func (*ConfigMapBuildSource) ProtoMessage() {}
-func (*ConfigMapBuildSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{28}
-}
-func (m *ConfigMapBuildSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ConfigMapBuildSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ConfigMapBuildSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigMapBuildSource.Merge(m, src)
-}
-func (m *ConfigMapBuildSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ConfigMapBuildSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ConfigMapBuildSource.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ConfigMapBuildSource proto.InternalMessageInfo
-
-func (m *CustomBuildStrategy) Reset()      { *m = CustomBuildStrategy{} }
-func (*CustomBuildStrategy) ProtoMessage() {}
-func (*CustomBuildStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{29}
-}
-func (m *CustomBuildStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *CustomBuildStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *CustomBuildStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CustomBuildStrategy.Merge(m, src)
-}
-func (m *CustomBuildStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *CustomBuildStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_CustomBuildStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CustomBuildStrategy proto.InternalMessageInfo
-
-func (m *DockerBuildStrategy) Reset()      { *m = DockerBuildStrategy{} }
-func (*DockerBuildStrategy) ProtoMessage() {}
-func (*DockerBuildStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{30}
-}
-func (m *DockerBuildStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DockerBuildStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DockerBuildStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DockerBuildStrategy.Merge(m, src)
-}
-func (m *DockerBuildStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *DockerBuildStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_DockerBuildStrategy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DockerBuildStrategy proto.InternalMessageInfo
-
-func (m *DockerStrategyOptions) Reset()      { *m = DockerStrategyOptions{} }
-func (*DockerStrategyOptions) ProtoMessage() {}
-func (*DockerStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{31}
-}
-func (m *DockerStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DockerStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DockerStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DockerStrategyOptions.Merge(m, src)
-}
-func (m *DockerStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *DockerStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_DockerStrategyOptions.DiscardUnknown(m)
-}
+func (m *BinaryBuildRequestOptions) Reset() { *m = BinaryBuildRequestOptions{} }
 
-var xxx_messageInfo_DockerStrategyOptions proto.InternalMessageInfo
+func (m *BinaryBuildSource) Reset() { *m = BinaryBuildSource{} }
 
-func (m *GenericWebHookCause) Reset()      { *m = GenericWebHookCause{} }
-func (*GenericWebHookCause) ProtoMessage() {}
-func (*GenericWebHookCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{32}
-}
-func (m *GenericWebHookCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GenericWebHookCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GenericWebHookCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GenericWebHookCause.Merge(m, src)
-}
-func (m *GenericWebHookCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *GenericWebHookCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_GenericWebHookCause.DiscardUnknown(m)
-}
+func (m *BitbucketWebHookCause) Reset() { *m = BitbucketWebHookCause{} }
 
-var xxx_messageInfo_GenericWebHookCause proto.InternalMessageInfo
+func (m *Build) Reset() { *m = Build{} }
 
-func (m *GenericWebHookEvent) Reset()      { *m = GenericWebHookEvent{} }
-func (*GenericWebHookEvent) ProtoMessage() {}
-func (*GenericWebHookEvent) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{33}
-}
-func (m *GenericWebHookEvent) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GenericWebHookEvent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GenericWebHookEvent) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GenericWebHookEvent.Merge(m, src)
-}
-func (m *GenericWebHookEvent) XXX_Size() int {
-	return m.Size()
-}
-func (m *GenericWebHookEvent) XXX_DiscardUnknown() {
-	xxx_messageInfo_GenericWebHookEvent.DiscardUnknown(m)
-}
+func (m *BuildCondition) Reset() { *m = BuildCondition{} }
 
-var xxx_messageInfo_GenericWebHookEvent proto.InternalMessageInfo
+func (m *BuildConfig) Reset() { *m = BuildConfig{} }
 
-func (m *GitBuildSource) Reset()      { *m = GitBuildSource{} }
-func (*GitBuildSource) ProtoMessage() {}
-func (*GitBuildSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{34}
-}
-func (m *GitBuildSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitBuildSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitBuildSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitBuildSource.Merge(m, src)
-}
-func (m *GitBuildSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitBuildSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitBuildSource.DiscardUnknown(m)
-}
+func (m *BuildConfigList) Reset() { *m = BuildConfigList{} }
 
-var xxx_messageInfo_GitBuildSource proto.InternalMessageInfo
+func (m *BuildConfigSpec) Reset() { *m = BuildConfigSpec{} }
 
-func (m *GitHubWebHookCause) Reset()      { *m = GitHubWebHookCause{} }
-func (*GitHubWebHookCause) ProtoMessage() {}
-func (*GitHubWebHookCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{35}
-}
-func (m *GitHubWebHookCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitHubWebHookCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitHubWebHookCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitHubWebHookCause.Merge(m, src)
-}
-func (m *GitHubWebHookCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitHubWebHookCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitHubWebHookCause.DiscardUnknown(m)
-}
+func (m *BuildConfigStatus) Reset() { *m = BuildConfigStatus{} }
 
-var xxx_messageInfo_GitHubWebHookCause proto.InternalMessageInfo
+func (m *BuildList) Reset() { *m = BuildList{} }
 
-func (m *GitInfo) Reset()      { *m = GitInfo{} }
-func (*GitInfo) ProtoMessage() {}
-func (*GitInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{36}
-}
-func (m *GitInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitInfo.Merge(m, src)
-}
-func (m *GitInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitInfo.DiscardUnknown(m)
-}
+func (m *BuildLog) Reset() { *m = BuildLog{} }
 
-var xxx_messageInfo_GitInfo proto.InternalMessageInfo
+func (m *BuildLogOptions) Reset() { *m = BuildLogOptions{} }
 
-func (m *GitLabWebHookCause) Reset()      { *m = GitLabWebHookCause{} }
-func (*GitLabWebHookCause) ProtoMessage() {}
-func (*GitLabWebHookCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{37}
-}
-func (m *GitLabWebHookCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitLabWebHookCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitLabWebHookCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitLabWebHookCause.Merge(m, src)
-}
-func (m *GitLabWebHookCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitLabWebHookCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitLabWebHookCause.DiscardUnknown(m)
-}
+func (m *BuildOutput) Reset() { *m = BuildOutput{} }
 
-var xxx_messageInfo_GitLabWebHookCause proto.InternalMessageInfo
+func (m *BuildPostCommitSpec) Reset() { *m = BuildPostCommitSpec{} }
 
-func (m *GitRefInfo) Reset()      { *m = GitRefInfo{} }
-func (*GitRefInfo) ProtoMessage() {}
-func (*GitRefInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{38}
-}
-func (m *GitRefInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitRefInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitRefInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitRefInfo.Merge(m, src)
-}
-func (m *GitRefInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitRefInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitRefInfo.DiscardUnknown(m)
-}
+func (m *BuildRequest) Reset() { *m = BuildRequest{} }
 
-var xxx_messageInfo_GitRefInfo proto.InternalMessageInfo
+func (m *BuildSource) Reset() { *m = BuildSource{} }
 
-func (m *GitSourceRevision) Reset()      { *m = GitSourceRevision{} }
-func (*GitSourceRevision) ProtoMessage() {}
-func (*GitSourceRevision) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{39}
-}
-func (m *GitSourceRevision) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GitSourceRevision) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GitSourceRevision) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GitSourceRevision.Merge(m, src)
-}
-func (m *GitSourceRevision) XXX_Size() int {
-	return m.Size()
-}
-func (m *GitSourceRevision) XXX_DiscardUnknown() {
-	xxx_messageInfo_GitSourceRevision.DiscardUnknown(m)
-}
+func (m *BuildSpec) Reset() { *m = BuildSpec{} }
 
-var xxx_messageInfo_GitSourceRevision proto.InternalMessageInfo
+func (m *BuildStatus) Reset() { *m = BuildStatus{} }
 
-func (m *ImageChangeCause) Reset()      { *m = ImageChangeCause{} }
-func (*ImageChangeCause) ProtoMessage() {}
-func (*ImageChangeCause) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{40}
-}
-func (m *ImageChangeCause) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageChangeCause) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageChangeCause) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageChangeCause.Merge(m, src)
-}
-func (m *ImageChangeCause) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageChangeCause) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageChangeCause.DiscardUnknown(m)
-}
+func (m *BuildStatusOutput) Reset() { *m = BuildStatusOutput{} }
 
-var xxx_messageInfo_ImageChangeCause proto.InternalMessageInfo
+func (m *BuildStatusOutputTo) Reset() { *m = BuildStatusOutputTo{} }
 
-func (m *ImageChangeTrigger) Reset()      { *m = ImageChangeTrigger{} }
-func (*ImageChangeTrigger) ProtoMessage() {}
-func (*ImageChangeTrigger) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{41}
-}
-func (m *ImageChangeTrigger) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageChangeTrigger) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageChangeTrigger) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageChangeTrigger.Merge(m, src)
-}
-func (m *ImageChangeTrigger) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageChangeTrigger) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageChangeTrigger.DiscardUnknown(m)
-}
+func (m *BuildStrategy) Reset() { *m = BuildStrategy{} }
 
-var xxx_messageInfo_ImageChangeTrigger proto.InternalMessageInfo
+func (m *BuildTriggerCause) Reset() { *m = BuildTriggerCause{} }
 
-func (m *ImageChangeTriggerStatus) Reset()      { *m = ImageChangeTriggerStatus{} }
-func (*ImageChangeTriggerStatus) ProtoMessage() {}
-func (*ImageChangeTriggerStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{42}
-}
-func (m *ImageChangeTriggerStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageChangeTriggerStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageChangeTriggerStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageChangeTriggerStatus.Merge(m, src)
-}
-func (m *ImageChangeTriggerStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageChangeTriggerStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageChangeTriggerStatus.DiscardUnknown(m)
-}
+func (m *BuildTriggerPolicy) Reset() { *m = BuildTriggerPolicy{} }
 
-var xxx_messageInfo_ImageChangeTriggerStatus proto.InternalMessageInfo
+func (m *BuildVolume) Reset() { *m = BuildVolume{} }
 
-func (m *ImageLabel) Reset()      { *m = ImageLabel{} }
-func (*ImageLabel) ProtoMessage() {}
-func (*ImageLabel) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{43}
-}
-func (m *ImageLabel) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageLabel) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageLabel) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageLabel.Merge(m, src)
-}
-func (m *ImageLabel) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageLabel) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageLabel.DiscardUnknown(m)
-}
+func (m *BuildVolumeMount) Reset() { *m = BuildVolumeMount{} }
 
-var xxx_messageInfo_ImageLabel proto.InternalMessageInfo
+func (m *BuildVolumeSource) Reset() { *m = BuildVolumeSource{} }
 
-func (m *ImageSource) Reset()      { *m = ImageSource{} }
-func (*ImageSource) ProtoMessage() {}
-func (*ImageSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{44}
-}
-func (m *ImageSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageSource.Merge(m, src)
-}
-func (m *ImageSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageSource.DiscardUnknown(m)
-}
+func (m *CommonSpec) Reset() { *m = CommonSpec{} }
 
-var xxx_messageInfo_ImageSource proto.InternalMessageInfo
+func (m *CommonWebHookCause) Reset() { *m = CommonWebHookCause{} }
 
-func (m *ImageSourcePath) Reset()      { *m = ImageSourcePath{} }
-func (*ImageSourcePath) ProtoMessage() {}
-func (*ImageSourcePath) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{45}
-}
-func (m *ImageSourcePath) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageSourcePath) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageSourcePath) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageSourcePath.Merge(m, src)
-}
-func (m *ImageSourcePath) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageSourcePath) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageSourcePath.DiscardUnknown(m)
-}
+func (m *ConfigMapBuildSource) Reset() { *m = ConfigMapBuildSource{} }
 
-var xxx_messageInfo_ImageSourcePath proto.InternalMessageInfo
+func (m *CustomBuildStrategy) Reset() { *m = CustomBuildStrategy{} }
 
-func (m *ImageStreamTagReference) Reset()      { *m = ImageStreamTagReference{} }
-func (*ImageStreamTagReference) ProtoMessage() {}
-func (*ImageStreamTagReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{46}
-}
-func (m *ImageStreamTagReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamTagReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamTagReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamTagReference.Merge(m, src)
-}
-func (m *ImageStreamTagReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamTagReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamTagReference.DiscardUnknown(m)
-}
+func (m *DockerBuildStrategy) Reset() { *m = DockerBuildStrategy{} }
 
-var xxx_messageInfo_ImageStreamTagReference proto.InternalMessageInfo
+func (m *DockerStrategyOptions) Reset() { *m = DockerStrategyOptions{} }
 
-func (m *JenkinsPipelineBuildStrategy) Reset()      { *m = JenkinsPipelineBuildStrategy{} }
-func (*JenkinsPipelineBuildStrategy) ProtoMessage() {}
-func (*JenkinsPipelineBuildStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{47}
-}
-func (m *JenkinsPipelineBuildStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *JenkinsPipelineBuildStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *JenkinsPipelineBuildStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_JenkinsPipelineBuildStrategy.Merge(m, src)
-}
-func (m *JenkinsPipelineBuildStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *JenkinsPipelineBuildStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_JenkinsPipelineBuildStrategy.DiscardUnknown(m)
-}
+func (m *GenericWebHookCause) Reset() { *m = GenericWebHookCause{} }
 
-var xxx_messageInfo_JenkinsPipelineBuildStrategy proto.InternalMessageInfo
+func (m *GenericWebHookEvent) Reset() { *m = GenericWebHookEvent{} }
 
-func (m *OptionalNodeSelector) Reset()      { *m = OptionalNodeSelector{} }
-func (*OptionalNodeSelector) ProtoMessage() {}
-func (*OptionalNodeSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{48}
-}
-func (m *OptionalNodeSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OptionalNodeSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OptionalNodeSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OptionalNodeSelector.Merge(m, src)
-}
-func (m *OptionalNodeSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *OptionalNodeSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_OptionalNodeSelector.DiscardUnknown(m)
-}
+func (m *GitBuildSource) Reset() { *m = GitBuildSource{} }
 
-var xxx_messageInfo_OptionalNodeSelector proto.InternalMessageInfo
+func (m *GitHubWebHookCause) Reset() { *m = GitHubWebHookCause{} }
 
-func (m *ProxyConfig) Reset()      { *m = ProxyConfig{} }
-func (*ProxyConfig) ProtoMessage() {}
-func (*ProxyConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{49}
-}
-func (m *ProxyConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProxyConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProxyConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProxyConfig.Merge(m, src)
-}
-func (m *ProxyConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProxyConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProxyConfig.DiscardUnknown(m)
-}
+func (m *GitInfo) Reset() { *m = GitInfo{} }
 
-var xxx_messageInfo_ProxyConfig proto.InternalMessageInfo
+func (m *GitLabWebHookCause) Reset() { *m = GitLabWebHookCause{} }
 
-func (m *SecretBuildSource) Reset()      { *m = SecretBuildSource{} }
-func (*SecretBuildSource) ProtoMessage() {}
-func (*SecretBuildSource) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{50}
-}
-func (m *SecretBuildSource) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretBuildSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretBuildSource) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretBuildSource.Merge(m, src)
-}
-func (m *SecretBuildSource) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretBuildSource) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretBuildSource.DiscardUnknown(m)
-}
+func (m *GitRefInfo) Reset() { *m = GitRefInfo{} }
 
-var xxx_messageInfo_SecretBuildSource proto.InternalMessageInfo
+func (m *GitSourceRevision) Reset() { *m = GitSourceRevision{} }
 
-func (m *SecretLocalReference) Reset()      { *m = SecretLocalReference{} }
-func (*SecretLocalReference) ProtoMessage() {}
-func (*SecretLocalReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{51}
-}
-func (m *SecretLocalReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretLocalReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretLocalReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretLocalReference.Merge(m, src)
-}
-func (m *SecretLocalReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretLocalReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretLocalReference.DiscardUnknown(m)
-}
+func (m *ImageChangeCause) Reset() { *m = ImageChangeCause{} }
 
-var xxx_messageInfo_SecretLocalReference proto.InternalMessageInfo
+func (m *ImageChangeTrigger) Reset() { *m = ImageChangeTrigger{} }
 
-func (m *SecretSpec) Reset()      { *m = SecretSpec{} }
-func (*SecretSpec) ProtoMessage() {}
-func (*SecretSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{52}
-}
-func (m *SecretSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretSpec.Merge(m, src)
-}
-func (m *SecretSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretSpec.DiscardUnknown(m)
-}
+func (m *ImageChangeTriggerStatus) Reset() { *m = ImageChangeTriggerStatus{} }
 
-var xxx_messageInfo_SecretSpec proto.InternalMessageInfo
+func (m *ImageLabel) Reset() { *m = ImageLabel{} }
 
-func (m *SourceBuildStrategy) Reset()      { *m = SourceBuildStrategy{} }
-func (*SourceBuildStrategy) ProtoMessage() {}
-func (*SourceBuildStrategy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{53}
-}
-func (m *SourceBuildStrategy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SourceBuildStrategy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SourceBuildStrategy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SourceBuildStrategy.Merge(m, src)
-}
-func (m *SourceBuildStrategy) XXX_Size() int {
-	return m.Size()
-}
-func (m *SourceBuildStrategy) XXX_DiscardUnknown() {
-	xxx_messageInfo_SourceBuildStrategy.DiscardUnknown(m)
-}
+func (m *ImageSource) Reset() { *m = ImageSource{} }
 
-var xxx_messageInfo_SourceBuildStrategy proto.InternalMessageInfo
+func (m *ImageSourcePath) Reset() { *m = ImageSourcePath{} }
 
-func (m *SourceControlUser) Reset()      { *m = SourceControlUser{} }
-func (*SourceControlUser) ProtoMessage() {}
-func (*SourceControlUser) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{54}
-}
-func (m *SourceControlUser) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SourceControlUser) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SourceControlUser) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SourceControlUser.Merge(m, src)
-}
-func (m *SourceControlUser) XXX_Size() int {
-	return m.Size()
-}
-func (m *SourceControlUser) XXX_DiscardUnknown() {
-	xxx_messageInfo_SourceControlUser.DiscardUnknown(m)
-}
+func (m *ImageStreamTagReference) Reset() { *m = ImageStreamTagReference{} }
 
-var xxx_messageInfo_SourceControlUser proto.InternalMessageInfo
+func (m *JenkinsPipelineBuildStrategy) Reset() { *m = JenkinsPipelineBuildStrategy{} }
 
-func (m *SourceRevision) Reset()      { *m = SourceRevision{} }
-func (*SourceRevision) ProtoMessage() {}
-func (*SourceRevision) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{55}
-}
-func (m *SourceRevision) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SourceRevision) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SourceRevision) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SourceRevision.Merge(m, src)
-}
-func (m *SourceRevision) XXX_Size() int {
-	return m.Size()
-}
-func (m *SourceRevision) XXX_DiscardUnknown() {
-	xxx_messageInfo_SourceRevision.DiscardUnknown(m)
-}
+func (m *OptionalNodeSelector) Reset() { *m = OptionalNodeSelector{} }
 
-var xxx_messageInfo_SourceRevision proto.InternalMessageInfo
+func (m *ProxyConfig) Reset() { *m = ProxyConfig{} }
 
-func (m *SourceStrategyOptions) Reset()      { *m = SourceStrategyOptions{} }
-func (*SourceStrategyOptions) ProtoMessage() {}
-func (*SourceStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{56}
-}
-func (m *SourceStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SourceStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SourceStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SourceStrategyOptions.Merge(m, src)
-}
-func (m *SourceStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *SourceStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_SourceStrategyOptions.DiscardUnknown(m)
-}
+func (m *SecretBuildSource) Reset() { *m = SecretBuildSource{} }
 
-var xxx_messageInfo_SourceStrategyOptions proto.InternalMessageInfo
+func (m *SecretLocalReference) Reset() { *m = SecretLocalReference{} }
 
-func (m *StageInfo) Reset()      { *m = StageInfo{} }
-func (*StageInfo) ProtoMessage() {}
-func (*StageInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{57}
-}
-func (m *StageInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StageInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StageInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StageInfo.Merge(m, src)
-}
-func (m *StageInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *StageInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_StageInfo.DiscardUnknown(m)
-}
+func (m *SecretSpec) Reset() { *m = SecretSpec{} }
 
-var xxx_messageInfo_StageInfo proto.InternalMessageInfo
+func (m *SourceBuildStrategy) Reset() { *m = SourceBuildStrategy{} }
 
-func (m *StepInfo) Reset()      { *m = StepInfo{} }
-func (*StepInfo) ProtoMessage() {}
-func (*StepInfo) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{58}
-}
-func (m *StepInfo) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *StepInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *StepInfo) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StepInfo.Merge(m, src)
-}
-func (m *StepInfo) XXX_Size() int {
-	return m.Size()
-}
-func (m *StepInfo) XXX_DiscardUnknown() {
-	xxx_messageInfo_StepInfo.DiscardUnknown(m)
-}
+func (m *SourceControlUser) Reset() { *m = SourceControlUser{} }
 
-var xxx_messageInfo_StepInfo proto.InternalMessageInfo
+func (m *SourceRevision) Reset() { *m = SourceRevision{} }
 
-func (m *WebHookTrigger) Reset()      { *m = WebHookTrigger{} }
-func (*WebHookTrigger) ProtoMessage() {}
-func (*WebHookTrigger) Descriptor() ([]byte, []int) {
-	return fileDescriptor_2ba579f6f004cb75, []int{59}
-}
-func (m *WebHookTrigger) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *WebHookTrigger) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *WebHookTrigger) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_WebHookTrigger.Merge(m, src)
-}
-func (m *WebHookTrigger) XXX_Size() int {
-	return m.Size()
-}
-func (m *WebHookTrigger) XXX_DiscardUnknown() {
-	xxx_messageInfo_WebHookTrigger.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_WebHookTrigger proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*BinaryBuildRequestOptions)(nil), "github.com.openshift.api.build.v1.BinaryBuildRequestOptions")
-	proto.RegisterType((*BinaryBuildSource)(nil), "github.com.openshift.api.build.v1.BinaryBuildSource")
-	proto.RegisterType((*BitbucketWebHookCause)(nil), "github.com.openshift.api.build.v1.BitbucketWebHookCause")
-	proto.RegisterType((*Build)(nil), "github.com.openshift.api.build.v1.Build")
-	proto.RegisterType((*BuildCondition)(nil), "github.com.openshift.api.build.v1.BuildCondition")
-	proto.RegisterType((*BuildConfig)(nil), "github.com.openshift.api.build.v1.BuildConfig")
-	proto.RegisterType((*BuildConfigList)(nil), "github.com.openshift.api.build.v1.BuildConfigList")
-	proto.RegisterType((*BuildConfigSpec)(nil), "github.com.openshift.api.build.v1.BuildConfigSpec")
-	proto.RegisterType((*BuildConfigStatus)(nil), "github.com.openshift.api.build.v1.BuildConfigStatus")
-	proto.RegisterType((*BuildList)(nil), "github.com.openshift.api.build.v1.BuildList")
-	proto.RegisterType((*BuildLog)(nil), "github.com.openshift.api.build.v1.BuildLog")
-	proto.RegisterType((*BuildLogOptions)(nil), "github.com.openshift.api.build.v1.BuildLogOptions")
-	proto.RegisterType((*BuildOutput)(nil), "github.com.openshift.api.build.v1.BuildOutput")
-	proto.RegisterType((*BuildPostCommitSpec)(nil), "github.com.openshift.api.build.v1.BuildPostCommitSpec")
-	proto.RegisterType((*BuildRequest)(nil), "github.com.openshift.api.build.v1.BuildRequest")
-	proto.RegisterType((*BuildSource)(nil), "github.com.openshift.api.build.v1.BuildSource")
-	proto.RegisterType((*BuildSpec)(nil), "github.com.openshift.api.build.v1.BuildSpec")
-	proto.RegisterType((*BuildStatus)(nil), "github.com.openshift.api.build.v1.BuildStatus")
-	proto.RegisterType((*BuildStatusOutput)(nil), "github.com.openshift.api.build.v1.BuildStatusOutput")
-	proto.RegisterType((*BuildStatusOutputTo)(nil), "github.com.openshift.api.build.v1.BuildStatusOutputTo")
-	proto.RegisterType((*BuildStrategy)(nil), "github.com.openshift.api.build.v1.BuildStrategy")
-	proto.RegisterType((*BuildTriggerCause)(nil), "github.com.openshift.api.build.v1.BuildTriggerCause")
-	proto.RegisterType((*BuildTriggerPolicy)(nil), "github.com.openshift.api.build.v1.BuildTriggerPolicy")
-	proto.RegisterType((*BuildVolume)(nil), "github.com.openshift.api.build.v1.BuildVolume")
-	proto.RegisterType((*BuildVolumeMount)(nil), "github.com.openshift.api.build.v1.BuildVolumeMount")
-	proto.RegisterType((*BuildVolumeSource)(nil), "github.com.openshift.api.build.v1.BuildVolumeSource")
-	proto.RegisterType((*CommonSpec)(nil), "github.com.openshift.api.build.v1.CommonSpec")
-	proto.RegisterType((*CommonWebHookCause)(nil), "github.com.openshift.api.build.v1.CommonWebHookCause")
-	proto.RegisterType((*ConfigMapBuildSource)(nil), "github.com.openshift.api.build.v1.ConfigMapBuildSource")
-	proto.RegisterType((*CustomBuildStrategy)(nil), "github.com.openshift.api.build.v1.CustomBuildStrategy")
-	proto.RegisterType((*DockerBuildStrategy)(nil), "github.com.openshift.api.build.v1.DockerBuildStrategy")
-	proto.RegisterType((*DockerStrategyOptions)(nil), "github.com.openshift.api.build.v1.DockerStrategyOptions")
-	proto.RegisterType((*GenericWebHookCause)(nil), "github.com.openshift.api.build.v1.GenericWebHookCause")
-	proto.RegisterType((*GenericWebHookEvent)(nil), "github.com.openshift.api.build.v1.GenericWebHookEvent")
-	proto.RegisterType((*GitBuildSource)(nil), "github.com.openshift.api.build.v1.GitBuildSource")
-	proto.RegisterType((*GitHubWebHookCause)(nil), "github.com.openshift.api.build.v1.GitHubWebHookCause")
-	proto.RegisterType((*GitInfo)(nil), "github.com.openshift.api.build.v1.GitInfo")
-	proto.RegisterType((*GitLabWebHookCause)(nil), "github.com.openshift.api.build.v1.GitLabWebHookCause")
-	proto.RegisterType((*GitRefInfo)(nil), "github.com.openshift.api.build.v1.GitRefInfo")
-	proto.RegisterType((*GitSourceRevision)(nil), "github.com.openshift.api.build.v1.GitSourceRevision")
-	proto.RegisterType((*ImageChangeCause)(nil), "github.com.openshift.api.build.v1.ImageChangeCause")
-	proto.RegisterType((*ImageChangeTrigger)(nil), "github.com.openshift.api.build.v1.ImageChangeTrigger")
-	proto.RegisterType((*ImageChangeTriggerStatus)(nil), "github.com.openshift.api.build.v1.ImageChangeTriggerStatus")
-	proto.RegisterType((*ImageLabel)(nil), "github.com.openshift.api.build.v1.ImageLabel")
-	proto.RegisterType((*ImageSource)(nil), "github.com.openshift.api.build.v1.ImageSource")
-	proto.RegisterType((*ImageSourcePath)(nil), "github.com.openshift.api.build.v1.ImageSourcePath")
-	proto.RegisterType((*ImageStreamTagReference)(nil), "github.com.openshift.api.build.v1.ImageStreamTagReference")
-	proto.RegisterType((*JenkinsPipelineBuildStrategy)(nil), "github.com.openshift.api.build.v1.JenkinsPipelineBuildStrategy")
-	proto.RegisterType((*OptionalNodeSelector)(nil), "github.com.openshift.api.build.v1.OptionalNodeSelector")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.build.v1.OptionalNodeSelector.ItemsEntry")
-	proto.RegisterType((*ProxyConfig)(nil), "github.com.openshift.api.build.v1.ProxyConfig")
-	proto.RegisterType((*SecretBuildSource)(nil), "github.com.openshift.api.build.v1.SecretBuildSource")
-	proto.RegisterType((*SecretLocalReference)(nil), "github.com.openshift.api.build.v1.SecretLocalReference")
-	proto.RegisterType((*SecretSpec)(nil), "github.com.openshift.api.build.v1.SecretSpec")
-	proto.RegisterType((*SourceBuildStrategy)(nil), "github.com.openshift.api.build.v1.SourceBuildStrategy")
-	proto.RegisterType((*SourceControlUser)(nil), "github.com.openshift.api.build.v1.SourceControlUser")
-	proto.RegisterType((*SourceRevision)(nil), "github.com.openshift.api.build.v1.SourceRevision")
-	proto.RegisterType((*SourceStrategyOptions)(nil), "github.com.openshift.api.build.v1.SourceStrategyOptions")
-	proto.RegisterType((*StageInfo)(nil), "github.com.openshift.api.build.v1.StageInfo")
-	proto.RegisterType((*StepInfo)(nil), "github.com.openshift.api.build.v1.StepInfo")
-	proto.RegisterType((*WebHookTrigger)(nil), "github.com.openshift.api.build.v1.WebHookTrigger")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/build/v1/generated.proto", fileDescriptor_2ba579f6f004cb75)
-}
-
-var fileDescriptor_2ba579f6f004cb75 = []byte{
-	// 4386 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x5c, 0x4d, 0x6c, 0x1c, 0x47,
-	0x76, 0x56, 0xcf, 0x0f, 0x67, 0xe6, 0x0d, 0x45, 0x52, 0x45, 0xc9, 0x1a, 0x69, 0xb5, 0x1c, 0xb9,
-	0x1d, 0x1b, 0x76, 0x6c, 0x0f, 0x57, 0xb2, 0xa4, 0xc8, 0x36, 0xe2, 0x80, 0x43, 0x52, 0x32, 0xb5,
-	0x23, 0x89, 0xa8, 0xa1, 0x65, 0xef, 0x5a, 0xd8, 0xa4, 0xd9, 0x53, 0x33, 0x6c, 0x73, 0xa6, 0x7b,
-	0xdc, 0xd5, 0x43, 0x9b, 0x0b, 0x04, 0x58, 0x04, 0x58, 0x24, 0xeb, 0xbd, 0x64, 0x2f, 0x8b, 0x24,
-	0x97, 0x24, 0x58, 0xe4, 0x94, 0x53, 0x02, 0x04, 0xd8, 0x60, 0x2f, 0x01, 0xb2, 0x07, 0x1f, 0x12,
-	0x60, 0x83, 0x04, 0x88, 0x81, 0x5d, 0x0c, 0x62, 0xe6, 0x10, 0x20, 0x87, 0x00, 0xb9, 0xea, 0x10,
-	0x04, 0xf5, 0xd3, 0xdd, 0x55, 0x3d, 0x3d, 0x54, 0x0f, 0x25, 0x3b, 0x9b, 0xe4, 0xc6, 0xa9, 0xf7,
-	0xde, 0xf7, 0xea, 0xe7, 0xd5, 0xab, 0xf7, 0x5e, 0x55, 0x13, 0xae, 0xf4, 0x9c, 0x60, 0x6f, 0xb4,
-	0xdb, 0xb0, 0xbd, 0xc1, 0xaa, 0x37, 0x24, 0x2e, 0xdd, 0x73, 0xba, 0xc1, 0xaa, 0x35, 0x74, 0x56,
-	0x77, 0x47, 0x4e, 0xbf, 0xb3, 0x7a, 0x70, 0x65, 0xb5, 0x47, 0x5c, 0xe2, 0x5b, 0x01, 0xe9, 0x34,
-	0x86, 0xbe, 0x17, 0x78, 0xe8, 0xd9, 0x58, 0xa4, 0x11, 0x89, 0x34, 0xac, 0xa1, 0xd3, 0xe0, 0x22,
-	0x8d, 0x83, 0x2b, 0x17, 0x5f, 0x55, 0x50, 0x7b, 0x5e, 0xcf, 0x5b, 0xe5, 0x92, 0xbb, 0xa3, 0x2e,
-	0xff, 0xc5, 0x7f, 0xf0, 0xbf, 0x04, 0xe2, 0x45, 0x73, 0xff, 0x26, 0x6d, 0x38, 0x1e, 0x57, 0x6b,
-	0x7b, 0x3e, 0x49, 0xd1, 0x7a, 0xf1, 0x5a, 0xcc, 0x33, 0xb0, 0xec, 0x3d, 0xc7, 0x25, 0xfe, 0xe1,
-	0xea, 0x70, 0xbf, 0xc7, 0x1a, 0xe8, 0xea, 0x80, 0x04, 0x56, 0x9a, 0xd4, 0x8d, 0x69, 0x52, 0xfe,
-	0xc8, 0x0d, 0x9c, 0x01, 0x59, 0xa5, 0xf6, 0x1e, 0x19, 0x58, 0x49, 0x39, 0xf3, 0x6f, 0x0a, 0x70,
-	0xa1, 0xe9, 0xb8, 0x96, 0x7f, 0xd8, 0x64, 0x63, 0xc2, 0xe4, 0xc3, 0x11, 0xa1, 0xc1, 0xfd, 0x61,
-	0xe0, 0x78, 0x2e, 0x45, 0xbf, 0x05, 0x65, 0xa6, 0xb0, 0x63, 0x05, 0x56, 0xcd, 0xb8, 0x6c, 0xbc,
-	0x58, 0xbd, 0xfa, 0xb5, 0x86, 0x50, 0xd4, 0x50, 0x15, 0x35, 0x86, 0xfb, 0x3d, 0xd6, 0x40, 0x1b,
-	0x8c, 0xbb, 0x71, 0x70, 0xa5, 0x71, 0x7f, 0xf7, 0x03, 0x62, 0x07, 0x77, 0x49, 0x60, 0x35, 0xd1,
-	0xa7, 0xe3, 0xfa, 0xa9, 0xa3, 0x71, 0x1d, 0xe2, 0x36, 0x1c, 0xa1, 0xa2, 0x17, 0x60, 0xce, 0xa2,
-	0xb7, 0x9c, 0x3e, 0xa9, 0xe5, 0x2e, 0x1b, 0x2f, 0x56, 0x9a, 0x0b, 0x92, 0x7b, 0x6e, 0x8d, 0xb7,
-	0x62, 0x49, 0x45, 0x37, 0x60, 0xc1, 0x27, 0x07, 0x0e, 0x75, 0x3c, 0x77, 0xdd, 0x1b, 0x0c, 0x9c,
-	0xa0, 0x96, 0xd7, 0xf9, 0x45, 0x2b, 0x4e, 0x70, 0xa1, 0xd7, 0x61, 0x31, 0x6c, 0xb9, 0x4b, 0x28,
-	0xb5, 0x7a, 0xa4, 0x56, 0xe0, 0x82, 0x8b, 0x52, 0xb0, 0x24, 0x9b, 0x71, 0x92, 0x0f, 0x35, 0x01,
-	0x85, 0x4d, 0x6b, 0xa3, 0x60, 0xcf, 0xf3, 0xef, 0x59, 0x03, 0x52, 0x2b, 0x72, 0xe9, 0x68, 0x50,
-	0x31, 0x05, 0xa7, 0x70, 0xa3, 0x4d, 0x58, 0xd6, 0x5b, 0x37, 0x07, 0x96, 0xd3, 0xaf, 0xcd, 0x71,
-	0x90, 0x65, 0x09, 0x52, 0x55, 0x48, 0x38, 0x8d, 0x1f, 0x7d, 0x1d, 0xce, 0xe9, 0xe3, 0x0a, 0x88,
-	0xe8, 0x4d, 0x89, 0x03, 0x9d, 0x93, 0x40, 0xa7, 0x35, 0x22, 0x4e, 0x97, 0x41, 0xf7, 0xe0, 0x99,
-	0x09, 0x82, 0xe8, 0x56, 0x99, 0xa3, 0x3d, 0x23, 0xd1, 0x16, 0x74, 0x2a, 0x9e, 0x22, 0x65, 0xbe,
-	0x09, 0x67, 0x14, 0x0b, 0x6a, 0x7b, 0x23, 0xdf, 0x26, 0xca, 0xba, 0x1a, 0xc7, 0xad, 0xab, 0xf9,
-	0x89, 0x01, 0xe7, 0x9a, 0x4e, 0xb0, 0x3b, 0xb2, 0xf7, 0x49, 0xf0, 0x2e, 0xd9, 0x7d, 0xdb, 0xf3,
-	0xf6, 0xd7, 0xad, 0x11, 0x25, 0xe8, 0x43, 0x00, 0xdb, 0x1b, 0x0c, 0x3c, 0xb7, 0x3d, 0x24, 0xb6,
-	0xb4, 0xbe, 0xeb, 0x8d, 0xc7, 0x6e, 0xc9, 0xc6, 0x3a, 0x17, 0x52, 0xa1, 0x9a, 0x17, 0xa5, 0x72,
-	0x34, 0x49, 0xc3, 0x8a, 0x12, 0xf3, 0x07, 0x39, 0x28, 0xf2, 0x41, 0x7c, 0x09, 0x86, 0x7f, 0x0f,
-	0x0a, 0x94, 0x0d, 0x2c, 0xc7, 0xd1, 0x5f, 0xc9, 0x30, 0x30, 0x31, 0xbd, 0x43, 0x62, 0x37, 0xe7,
-	0x25, 0x72, 0x81, 0xfd, 0xc2, 0x1c, 0x07, 0x3d, 0x80, 0x39, 0x1a, 0x58, 0xc1, 0x88, 0xf2, 0x8d,
-	0x51, 0xbd, 0xda, 0xc8, 0x8c, 0xc8, 0xa5, 0xe2, 0x05, 0x12, 0xbf, 0xb1, 0x44, 0x33, 0xff, 0x3e,
-	0x0f, 0x0b, 0x9c, 0x6f, 0xdd, 0x73, 0x3b, 0x0e, 0x73, 0x0b, 0xe8, 0x06, 0x14, 0x82, 0xc3, 0x61,
-	0xb8, 0xb2, 0x66, 0xd8, 0x99, 0x9d, 0xc3, 0x21, 0x79, 0x34, 0xae, 0x23, 0x9d, 0x9b, 0xb5, 0x62,
-	0xce, 0x8f, 0x5a, 0x51, 0x17, 0xc5, 0x5e, 0xbf, 0xa6, 0xab, 0x7c, 0x34, 0xae, 0xa7, 0xf8, 0xc7,
-	0x46, 0x84, 0xa4, 0x77, 0x0c, 0x7d, 0x00, 0x0b, 0x7d, 0x8b, 0x06, 0xef, 0x0c, 0x3b, 0x56, 0x40,
-	0x76, 0x9c, 0x01, 0xe1, 0xbb, 0xaa, 0x7a, 0xf5, 0x57, 0xb3, 0x2d, 0x14, 0x93, 0x88, 0x4d, 0xbd,
-	0xa5, 0x21, 0xe1, 0x04, 0x32, 0x3a, 0x00, 0xc4, 0x5a, 0x76, 0x7c, 0xcb, 0xa5, 0x62, 0x54, 0x4c,
-	0x5f, 0x7e, 0x66, 0x7d, 0x91, 0x21, 0xb6, 0x26, 0xd0, 0x70, 0x8a, 0x06, 0xb6, 0x8b, 0x7c, 0x62,
-	0x51, 0xcf, 0x95, 0x4e, 0x2b, 0x5a, 0x24, 0xcc, 0x5b, 0xb1, 0xa4, 0xa2, 0x97, 0xa0, 0x34, 0x90,
-	0xde, 0xad, 0x98, 0xee, 0xdd, 0x42, 0xba, 0xf9, 0xa3, 0x1c, 0x54, 0xc3, 0x15, 0xea, 0x3a, 0xbd,
-	0x2f, 0xc1, 0xd2, 0x77, 0x34, 0x4b, 0xbf, 0x9a, 0xd5, 0x2e, 0x45, 0xff, 0xa6, 0xda, 0xfb, 0xc3,
-	0x84, 0xbd, 0x5f, 0x9b, 0x11, 0xf7, 0x78, 0xab, 0xff, 0xa9, 0x01, 0x8b, 0x0a, 0x77, 0xcb, 0xa1,
-	0x01, 0x7a, 0x38, 0x31, 0x53, 0x8d, 0x6c, 0x33, 0xc5, 0xa4, 0xf9, 0x3c, 0x2d, 0x49, 0x6d, 0xe5,
-	0xb0, 0x45, 0x99, 0xa5, 0x36, 0x14, 0x9d, 0x80, 0x0c, 0xd8, 0xde, 0xc8, 0xcf, 0xb2, 0x7d, 0x45,
-	0x07, 0x9b, 0xa7, 0x25, 0x74, 0x71, 0x8b, 0x81, 0x60, 0x81, 0x65, 0xfe, 0x22, 0xaf, 0x0d, 0x83,
-	0x4d, 0x1f, 0xb2, 0xa1, 0x1c, 0xf8, 0x4e, 0xaf, 0x47, 0x7c, 0x5a, 0x33, 0xb8, 0xae, 0xeb, 0x59,
-	0x75, 0xed, 0x08, 0xb9, 0x6d, 0xaf, 0xef, 0xd8, 0x87, 0xf1, 0x68, 0x64, 0x33, 0xc5, 0x11, 0x30,
-	0x5a, 0x83, 0x8a, 0x3f, 0x72, 0x05, 0xa3, 0xdc, 0xed, 0xcf, 0x49, 0xf6, 0x0a, 0x0e, 0x09, 0x8f,
-	0xc6, 0x75, 0xe1, 0x5a, 0xa2, 0x16, 0x1c, 0x4b, 0x21, 0x4b, 0xf3, 0xff, 0x62, 0x91, 0x5f, 0xcd,
-	0xec, 0xff, 0xb9, 0xdd, 0x44, 0x76, 0x19, 0xb7, 0xa9, 0xfe, 0x1e, 0x75, 0xe0, 0x12, 0x1d, 0xd9,
-	0x36, 0xa1, 0xb4, 0x3b, 0xea, 0xf3, 0x9e, 0xd0, 0xb7, 0x1d, 0x1a, 0x78, 0xfe, 0x61, 0xcb, 0x61,
-	0x21, 0x06, 0xdb, 0x74, 0xc5, 0xe6, 0xe5, 0xa3, 0x71, 0xfd, 0x52, 0xfb, 0x18, 0x3e, 0x7c, 0x2c,
-	0x0a, 0x7a, 0x0f, 0x6a, 0x5d, 0xcb, 0xe9, 0x93, 0x4e, 0x8a, 0x86, 0x22, 0xd7, 0x70, 0xe9, 0x68,
-	0x5c, 0xaf, 0xdd, 0x9a, 0xc2, 0x83, 0xa7, 0x4a, 0x9b, 0xff, 0x6c, 0xc0, 0x99, 0x09, 0x9b, 0x46,
-	0xd7, 0xa1, 0xca, 0x5c, 0xc9, 0x03, 0xe2, 0xb3, 0xc3, 0x9a, 0x9b, 0x6a, 0x3e, 0x8e, 0x35, 0x5a,
-	0x31, 0x09, 0xab, 0x7c, 0xe8, 0x13, 0x03, 0x96, 0x9d, 0x81, 0xd5, 0x23, 0xeb, 0x7b, 0x96, 0xdb,
-	0x23, 0xe1, 0xa2, 0x4a, 0x7b, 0x7c, 0x33, 0xc3, 0xcc, 0x6f, 0x4d, 0x48, 0xcb, 0x5d, 0xf6, 0x15,
-	0xa9, 0x7c, 0x79, 0x92, 0x83, 0xe2, 0x34, 0xa5, 0xe6, 0x8f, 0x0d, 0xa8, 0xf0, 0x91, 0x7d, 0x09,
-	0x3b, 0xef, 0xae, 0xbe, 0xf3, 0x5e, 0xcc, 0xba, 0x1b, 0xa6, 0xec, 0x39, 0x80, 0xb2, 0xe8, 0xb9,
-	0xd7, 0x33, 0xff, 0xb3, 0x20, 0xf7, 0x5f, 0xcb, 0xeb, 0x85, 0x31, 0xf5, 0x2a, 0x54, 0x6c, 0xcf,
-	0x0d, 0x2c, 0xd6, 0x65, 0x79, 0x84, 0x9e, 0x09, 0xb7, 0xc6, 0x7a, 0x48, 0xc0, 0x31, 0x0f, 0x3b,
-	0x04, 0xba, 0x5e, 0xbf, 0xef, 0x7d, 0xc4, 0x37, 0x52, 0x39, 0xf6, 0x59, 0xb7, 0x78, 0x2b, 0x96,
-	0x54, 0xf4, 0x0a, 0x94, 0x87, 0x2c, 0x44, 0xf3, 0xa4, 0x4f, 0x2c, 0xc7, 0xa3, 0xde, 0x96, 0xed,
-	0x38, 0xe2, 0x40, 0xd7, 0x60, 0x9e, 0x3a, 0xae, 0x4d, 0xda, 0xc4, 0xf6, 0xdc, 0x0e, 0xe5, 0xb6,
-	0x9e, 0x6f, 0x2e, 0x1d, 0x8d, 0xeb, 0xf3, 0x6d, 0xa5, 0x1d, 0x6b, 0x5c, 0xe8, 0x5d, 0xa8, 0xf0,
-	0xdf, 0xfc, 0xfc, 0x2b, 0xce, 0x7c, 0xfe, 0x9d, 0x66, 0x83, 0x6c, 0x87, 0x00, 0x38, 0xc6, 0x42,
-	0x57, 0x01, 0x58, 0x9a, 0x42, 0x03, 0x6b, 0x30, 0xa4, 0xfc, 0x24, 0x2f, 0xc7, 0xdb, 0x77, 0x27,
-	0xa2, 0x60, 0x85, 0x0b, 0xbd, 0x0c, 0x95, 0xc0, 0x72, 0xfa, 0x2d, 0xc7, 0x25, 0x94, 0x47, 0xc2,
-	0x79, 0xa1, 0x60, 0x27, 0x6c, 0xc4, 0x31, 0x1d, 0x35, 0x00, 0xfa, 0x6c, 0xd3, 0x34, 0x0f, 0x03,
-	0x42, 0x79, 0xa4, 0x9b, 0x6f, 0x2e, 0x30, 0xf0, 0x56, 0xd4, 0x8a, 0x15, 0x0e, 0x36, 0xeb, 0xae,
-	0xf7, 0x91, 0xe5, 0x04, 0xb5, 0x8a, 0x3e, 0xeb, 0xf7, 0xbc, 0x77, 0x2d, 0x27, 0xc0, 0x92, 0x8a,
-	0x9e, 0x87, 0xd2, 0x81, 0xdc, 0x69, 0xc0, 0x41, 0xab, 0xec, 0xd8, 0x0d, 0x77, 0x58, 0x48, 0x43,
-	0x7b, 0x70, 0xc9, 0x71, 0x29, 0xb1, 0x47, 0x3e, 0x69, 0xef, 0x3b, 0xc3, 0x9d, 0x56, 0xfb, 0x01,
-	0xf1, 0x9d, 0xee, 0x61, 0xd3, 0xb2, 0xf7, 0x89, 0xdb, 0xa9, 0x55, 0xb9, 0x92, 0x5f, 0x91, 0x4a,
-	0x2e, 0x6d, 0x1d, 0xc3, 0x8b, 0x8f, 0x45, 0x32, 0x3f, 0x09, 0x0f, 0xf8, 0xfb, 0xa3, 0x60, 0x38,
-	0x0a, 0xd0, 0x9b, 0x90, 0x0b, 0x3c, 0xb9, 0x6d, 0x9e, 0x53, 0xd6, 0xaa, 0xc1, 0x02, 0xac, 0xf8,
-	0x20, 0xc7, 0xa4, 0x4b, 0x7c, 0xe2, 0xda, 0xa4, 0x39, 0x77, 0x34, 0xae, 0xe7, 0x76, 0x3c, 0x9c,
-	0x0b, 0x3c, 0xf4, 0x1e, 0xc0, 0x70, 0x44, 0xf7, 0xda, 0xc4, 0xf6, 0x49, 0x20, 0x4f, 0xf0, 0x17,
-	0xd3, 0x40, 0x5a, 0x9e, 0x6d, 0xf5, 0x93, 0x48, 0x7c, 0x7e, 0xb7, 0x23, 0x79, 0xac, 0x60, 0xa1,
-	0x0e, 0x54, 0xf9, 0xc6, 0x6f, 0x59, 0xbb, 0xa4, 0xcf, 0x0c, 0x36, 0x9f, 0xd1, 0xbf, 0x6f, 0x45,
-	0x52, 0xb1, 0x53, 0x8b, 0xdb, 0x28, 0x56, 0x61, 0xcd, 0xdf, 0x31, 0x60, 0x99, 0x4f, 0xc6, 0xb6,
-	0x47, 0x03, 0x91, 0xb7, 0x70, 0xcf, 0xff, 0x3c, 0x94, 0xd8, 0x39, 0x60, 0xb9, 0x1d, 0x7e, 0x06,
-	0x56, 0xc4, 0xaa, 0xad, 0x8b, 0x26, 0x1c, 0xd2, 0xd0, 0x25, 0x28, 0x58, 0x7e, 0x4f, 0x78, 0x86,
-	0x4a, 0xb3, 0xcc, 0x42, 0x90, 0x35, 0xbf, 0x47, 0x31, 0x6f, 0x65, 0x26, 0x42, 0x6d, 0xdf, 0x19,
-	0x4e, 0xe4, 0xa2, 0x6d, 0xde, 0x8a, 0x25, 0xd5, 0xfc, 0x69, 0x09, 0xe6, 0xd5, 0xec, 0xfa, 0x4b,
-	0x88, 0xb9, 0xde, 0x87, 0x72, 0x98, 0xad, 0xc9, 0x55, 0xbb, 0x92, 0x61, 0x6a, 0x45, 0xee, 0x86,
-	0xa5, 0x60, 0x73, 0x9e, 0xb9, 0x8e, 0xf0, 0x17, 0x8e, 0x00, 0x11, 0x81, 0x25, 0x79, 0xd0, 0x93,
-	0x4e, 0xf3, 0x90, 0xcf, 0xbd, 0x3c, 0x9f, 0x33, 0xd9, 0xd7, 0xd9, 0xa3, 0x71, 0x7d, 0x69, 0x27,
-	0x01, 0x80, 0x27, 0x20, 0xd1, 0x1a, 0x14, 0xba, 0xbe, 0x37, 0xe0, 0x9e, 0x29, 0x23, 0x34, 0x5f,
-	0xa1, 0x5b, 0xbe, 0x37, 0xc0, 0x5c, 0x14, 0xbd, 0x07, 0x73, 0xbb, 0x3c, 0x35, 0x95, 0xbe, 0x2a,
-	0x53, 0x90, 0x98, 0xcc, 0x65, 0x9b, 0xc0, 0xd6, 0x54, 0x34, 0x63, 0x89, 0x87, 0xae, 0xe8, 0x87,
-	0xec, 0x1c, 0xdf, 0xfa, 0x8b, 0xc7, 0x1e, 0xb0, 0xaf, 0x43, 0x9e, 0xb8, 0x07, 0xb5, 0x12, 0xb7,
-	0xf4, 0x8b, 0x69, 0xc3, 0xd9, 0x74, 0x0f, 0x1e, 0x58, 0x7e, 0xb3, 0x2a, 0x97, 0x36, 0xbf, 0xe9,
-	0x1e, 0x60, 0x26, 0x83, 0xf6, 0xa1, 0xaa, 0x4c, 0x4f, 0xad, 0xcc, 0x21, 0xae, 0xcd, 0x18, 0xb6,
-	0x89, 0x5c, 0x38, 0xda, 0x33, 0xca, 0x0a, 0x60, 0x15, 0x1d, 0x7d, 0xcf, 0x80, 0x73, 0x1d, 0xcf,
-	0xde, 0x67, 0xc7, 0xb7, 0x6f, 0x05, 0xa4, 0x77, 0x28, 0x8f, 0x2e, 0xee, 0x09, 0xab, 0x57, 0x6f,
-	0x66, 0xd0, 0xbb, 0x91, 0x26, 0xdf, 0xbc, 0x70, 0x34, 0xae, 0x9f, 0x4b, 0x25, 0xe1, 0x74, 0x8d,
-	0xbc, 0x2f, 0x94, 0xaf, 0x42, 0xb2, 0x2f, 0x90, 0xb9, 0x2f, 0xed, 0x34, 0x79, 0xd1, 0x97, 0x54,
-	0x12, 0x4e, 0xd7, 0x68, 0xfe, 0x53, 0x51, 0x3a, 0x56, 0x59, 0xe2, 0x78, 0x4d, 0x4b, 0x83, 0xeb,
-	0x89, 0x34, 0x78, 0x51, 0x61, 0x55, 0x72, 0xe0, 0xd8, 0x22, 0x73, 0x4f, 0xd9, 0x22, 0x1b, 0x00,
-	0x62, 0x0e, 0xbb, 0x4e, 0x9f, 0x84, 0x1e, 0x89, 0x39, 0x88, 0x8d, 0xa8, 0x15, 0x2b, 0x1c, 0xa8,
-	0x05, 0xf9, 0x9e, 0x8c, 0x71, 0xb3, 0x79, 0x87, 0xdb, 0x4e, 0xa0, 0xf6, 0xa1, 0xc4, 0x2c, 0xf4,
-	0xb6, 0x13, 0x60, 0x06, 0x83, 0x1e, 0xc0, 0x1c, 0xf7, 0xbb, 0xb4, 0x56, 0xcc, 0x9c, 0xbf, 0xf0,
-	0x6d, 0x2e, 0xd1, 0x22, 0xdf, 0xc9, 0x1b, 0x29, 0x96, 0x68, 0x2c, 0x2e, 0x60, 0x91, 0x10, 0xf9,
-	0x38, 0xd8, 0x70, 0x7c, 0x59, 0x37, 0x53, 0xc2, 0xfa, 0x90, 0x82, 0x15, 0x2e, 0xf4, 0x2d, 0x98,
-	0x97, 0x2b, 0x28, 0x8e, 0xad, 0xd2, 0x8c, 0xc7, 0x96, 0x08, 0x82, 0x14, 0x04, 0xac, 0xe1, 0xa1,
-	0xdf, 0x84, 0x12, 0xe5, 0x7f, 0xd1, 0x19, 0x76, 0xa2, 0x90, 0x55, 0x27, 0x30, 0xca, 0xd1, 0x05,
-	0x89, 0xe2, 0x10, 0x15, 0xed, 0xf3, 0x41, 0x77, 0x9d, 0xde, 0x5d, 0x6b, 0xc8, 0x76, 0x1d, 0xd3,
-	0xf1, 0x6b, 0x99, 0x52, 0x1f, 0x29, 0xa4, 0xaa, 0x51, 0x67, 0x4b, 0x42, 0x62, 0x05, 0xde, 0xfc,
-	0x79, 0x18, 0x6a, 0xf3, 0x83, 0xd1, 0x4a, 0xa9, 0xba, 0x3d, 0xe5, 0xac, 0x2b, 0xe1, 0xcc, 0x72,
-	0x5f, 0xa4, 0x33, 0x33, 0xff, 0xa3, 0x14, 0x6e, 0x5a, 0x91, 0x1c, 0x5d, 0x81, 0xe2, 0x70, 0xcf,
-	0xa2, 0xe1, 0xae, 0x0d, 0x33, 0x93, 0xe2, 0x36, 0x6b, 0x7c, 0x34, 0xae, 0x83, 0x88, 0x16, 0xd8,
-	0x2f, 0x2c, 0x38, 0x79, 0xc0, 0x6e, 0xb9, 0x36, 0xe9, 0xf7, 0x49, 0x47, 0x86, 0xe0, 0x71, 0xc0,
-	0x1e, 0x12, 0x70, 0xcc, 0x83, 0x6e, 0x44, 0x55, 0x1b, 0xb1, 0x0b, 0x57, 0xf4, 0xaa, 0xcd, 0x23,
-	0x66, 0x5d, 0xa2, 0xdc, 0x30, 0xb5, 0x8a, 0x53, 0x38, 0xbe, 0x8a, 0x83, 0xba, 0xb0, 0x40, 0x03,
-	0xcb, 0x0f, 0xa2, 0xc8, 0xf8, 0x04, 0xc1, 0x38, 0x3a, 0x1a, 0xd7, 0x17, 0xda, 0x1a, 0x0a, 0x4e,
-	0xa0, 0xa2, 0x11, 0x2c, 0xdb, 0xde, 0x60, 0xd8, 0x27, 0x61, 0x49, 0x4a, 0x28, 0x9b, 0xbd, 0xd2,
-	0x76, 0x9e, 0xa5, 0x7f, 0xeb, 0x93, 0x50, 0x38, 0x0d, 0x1f, 0xfd, 0x3a, 0x94, 0x3b, 0x23, 0xdf,
-	0x62, 0x8d, 0x32, 0xb0, 0x7f, 0x36, 0x4c, 0x65, 0x36, 0x64, 0xfb, 0xa3, 0x71, 0xfd, 0x34, 0xcb,
-	0x05, 0x1a, 0x61, 0x03, 0x8e, 0x44, 0xd0, 0x2e, 0x5c, 0xf4, 0x78, 0xf0, 0x2b, 0x5c, 0x9f, 0x08,
-	0x30, 0xc2, 0xed, 0x2d, 0xab, 0xdc, 0x61, 0xd9, 0xf2, 0xe2, 0xfd, 0xa9, 0x9c, 0xf8, 0x18, 0x14,
-	0x74, 0x1b, 0xe6, 0xc4, 0x26, 0x92, 0xa7, 0x62, 0xa6, 0xf8, 0x04, 0xc4, 0x4d, 0x05, 0x13, 0xc3,
-	0x52, 0x1c, 0x3d, 0x84, 0x39, 0xa1, 0x46, 0x1e, 0x69, 0xd7, 0x66, 0x2b, 0xdc, 0x8a, 0xee, 0xc7,
-	0xfe, 0x53, 0xfc, 0xc6, 0x12, 0x13, 0xed, 0xf0, 0x32, 0x19, 0xf3, 0xcb, 0x55, 0xbe, 0xcf, 0xb2,
-	0x14, 0x9a, 0xdb, 0x4c, 0x60, 0xcb, 0xed, 0x7a, 0x5a, 0x79, 0x8c, 0x7b, 0x65, 0x81, 0xc5, 0xbc,
-	0x72, 0xdf, 0xeb, 0xb5, 0x5d, 0x67, 0x38, 0x24, 0x41, 0x6d, 0x5e, 0xf7, 0xca, 0xad, 0x88, 0x82,
-	0x15, 0x2e, 0x44, 0xb8, 0x53, 0x13, 0xa5, 0x5c, 0x5a, 0x3b, 0xcd, 0x7b, 0x73, 0x65, 0x86, 0x2a,
-	0x97, 0x90, 0xd4, 0xdc, 0x99, 0x04, 0xc3, 0x0a, 0xb0, 0x69, 0xcb, 0x92, 0x88, 0x3a, 0x3b, 0xe8,
-	0x9e, 0x92, 0x03, 0xdd, 0x38, 0xc9, 0xfc, 0xee, 0x78, 0x6a, 0x5a, 0x64, 0xb6, 0x64, 0x56, 0xa1,
-	0xb3, 0xa0, 0xeb, 0x32, 0xa7, 0xd9, 0x70, 0x7a, 0x84, 0x06, 0xd2, 0xc5, 0xe8, 0x49, 0x8a, 0x20,
-	0x61, 0x95, 0xcf, 0xfc, 0x49, 0x01, 0x4e, 0x4b, 0x38, 0x11, 0x71, 0xa0, 0xeb, 0x5a, 0x68, 0xf1,
-	0x6c, 0x22, 0xb4, 0x38, 0xa3, 0x31, 0x2b, 0xc1, 0x85, 0x0f, 0x0b, 0x7a, 0x18, 0x25, 0x83, 0x8c,
-	0x1b, 0x99, 0x23, 0x36, 0x0d, 0x59, 0x78, 0x08, 0x3d, 0x5e, 0xc3, 0x09, 0x0d, 0x4c, 0xa7, 0x1e,
-	0x2e, 0xc9, 0x54, 0xe0, 0x46, 0xe6, 0xc8, 0x2c, 0x45, 0xa7, 0x1e, 0x97, 0xe1, 0x84, 0x06, 0xa6,
-	0xd3, 0x1e, 0xd1, 0xc0, 0x1b, 0x44, 0x3a, 0x0b, 0x99, 0x75, 0xae, 0x73, 0xc1, 0x14, 0x9d, 0xeb,
-	0x1a, 0x22, 0x4e, 0x68, 0x40, 0x3f, 0x34, 0xe0, 0xfc, 0x07, 0xc4, 0xdd, 0x77, 0x5c, 0xba, 0xed,
-	0x0c, 0x49, 0xdf, 0x71, 0xe3, 0x11, 0x0b, 0xdf, 0xfb, 0x1b, 0x19, 0xb4, 0xdf, 0xd1, 0x11, 0xf4,
-	0x6e, 0x7c, 0xe5, 0x68, 0x5c, 0x3f, 0x7f, 0x27, 0x5d, 0x07, 0x9e, 0xa6, 0xdc, 0xfc, 0x6e, 0x51,
-	0x5a, 0xbc, 0x7a, 0x32, 0xaa, 0x67, 0x89, 0xf1, 0x98, 0xb3, 0xc4, 0x87, 0x05, 0x7e, 0x2b, 0xec,
-	0xd8, 0xf2, 0x62, 0x6c, 0x06, 0xab, 0xb9, 0xad, 0x09, 0x8a, 0x43, 0x99, 0xcf, 0xa6, 0x4e, 0xc0,
-	0x09, 0x0d, 0xc8, 0x85, 0xd3, 0x02, 0x3c, 0x54, 0x99, 0xcf, 0x7c, 0xbf, 0x77, 0xdb, 0x09, 0xde,
-	0x8e, 0xe4, 0x84, 0xc6, 0x33, 0x47, 0xe3, 0xfa, 0x69, 0xad, 0x1d, 0xeb, 0xf0, 0x68, 0x04, 0x4b,
-	0x4a, 0x99, 0x91, 0x4f, 0x97, 0xb4, 0x99, 0xd7, 0x66, 0x2b, 0x6c, 0x0a, 0x85, 0x3c, 0x85, 0xdd,
-	0x4a, 0x00, 0xe2, 0x09, 0x15, 0x72, 0x98, 0x7d, 0x2b, 0x1a, 0x66, 0x71, 0x96, 0x61, 0xb6, 0xac,
-	0xf4, 0x61, 0xc6, 0xed, 0x58, 0x87, 0x47, 0xdf, 0x86, 0xa5, 0xdd, 0xc4, 0x65, 0xaa, 0x3c, 0xab,
-	0x6f, 0x66, 0xca, 0x33, 0x52, 0xee, 0x61, 0xc5, 0x58, 0x93, 0x24, 0x3c, 0xa1, 0xc7, 0xfc, 0x71,
-	0x01, 0xd0, 0xe4, 0x2d, 0x01, 0xba, 0xa6, 0xb9, 0xb2, 0xcb, 0x09, 0x57, 0xb6, 0xa4, 0x4a, 0x28,
-	0x9e, 0xec, 0x21, 0xcc, 0x89, 0xfe, 0xce, 0x50, 0xbd, 0x90, 0x1d, 0x91, 0x60, 0x69, 0x46, 0x21,
-	0x31, 0x59, 0x00, 0x2f, 0xed, 0x51, 0xda, 0xdd, 0x09, 0xe0, 0xd3, 0xac, 0x3c, 0x44, 0x45, 0x7b,
-	0xf2, 0x20, 0x10, 0xb6, 0x20, 0x2d, 0xed, 0xfa, 0x89, 0x4a, 0xe8, 0xa2, 0xa8, 0xa0, 0xb4, 0x63,
-	0x15, 0x5a, 0x4e, 0x54, 0xdf, 0xda, 0x95, 0xa6, 0xf5, 0x04, 0x13, 0xa5, 0x98, 0x95, 0xc4, 0x44,
-	0x04, 0x2a, 0xd1, 0x3a, 0x4b, 0x43, 0x3a, 0x81, 0x82, 0x74, 0x0b, 0x8a, 0x91, 0xcd, 0x7f, 0x37,
-	0x64, 0x90, 0xfe, 0xc0, 0xeb, 0x8f, 0x06, 0x04, 0x5d, 0x86, 0x82, 0x6b, 0x0d, 0x42, 0x9b, 0x89,
-	0x6e, 0xff, 0xf8, 0xa3, 0x06, 0x4e, 0xe1, 0xb7, 0x7f, 0xfc, 0x4c, 0x98, 0x25, 0x8d, 0x8e, 0x35,
-	0x24, 0x93, 0x4e, 0x59, 0xf8, 0x92, 0x98, 0xe8, 0x7d, 0x98, 0x1b, 0x78, 0x23, 0x37, 0x08, 0xcb,
-	0x92, 0xaf, 0xcd, 0x86, 0x7e, 0x97, 0xc9, 0xc6, 0xe0, 0xfc, 0x27, 0xc5, 0x12, 0xd2, 0x7c, 0x07,
-	0x96, 0x92, 0xbc, 0x68, 0x0d, 0x16, 0x3b, 0x84, 0x06, 0x8e, 0xcb, 0xe3, 0xd7, 0x6d, 0x2b, 0xd8,
-	0x93, 0x63, 0x3f, 0x2f, 0x41, 0x16, 0x37, 0x74, 0x32, 0x4e, 0xf2, 0x9b, 0x7f, 0x99, 0x93, 0xc7,
-	0x80, 0x3a, 0x42, 0xf4, 0xba, 0xb6, 0xfb, 0x9e, 0x4f, 0xec, 0xbe, 0x73, 0x13, 0x02, 0xca, 0x16,
-	0xbc, 0x03, 0x73, 0x54, 0x2d, 0xfb, 0xbe, 0x90, 0x16, 0xe0, 0x8a, 0xd4, 0x55, 0x9b, 0x54, 0x1e,
-	0xe3, 0xca, 0xbc, 0x59, 0x22, 0xa0, 0x07, 0xfc, 0xce, 0x43, 0x64, 0x9c, 0x72, 0xcb, 0xbd, 0x94,
-	0x06, 0x17, 0xa5, 0xa8, 0x1a, 0xe2, 0x69, 0x79, 0x35, 0x22, 0x48, 0x38, 0x86, 0x42, 0x6f, 0x41,
-	0xde, 0xa6, 0xce, 0x71, 0x15, 0xc2, 0xf5, 0xf6, 0x96, 0x86, 0xc5, 0xab, 0x16, 0xeb, 0xed, 0x2d,
-	0xcc, 0x04, 0xcd, 0xdf, 0x2b, 0x81, 0x92, 0xa5, 0xa2, 0xb7, 0x60, 0x81, 0x12, 0xff, 0xc0, 0xb1,
-	0xc9, 0x9a, 0x6d, 0xb3, 0x85, 0x91, 0xf3, 0x16, 0x3d, 0x13, 0x68, 0x6b, 0x54, 0x9c, 0xe0, 0xe6,
-	0x6f, 0x30, 0x54, 0xab, 0xcc, 0xfe, 0x06, 0xe3, 0x71, 0xf6, 0x18, 0x57, 0x73, 0xf3, 0x4f, 0xbb,
-	0x9a, 0xfb, 0x2d, 0x28, 0x53, 0x3d, 0x8c, 0xfa, 0x5a, 0xf6, 0x08, 0x59, 0x46, 0x2e, 0xd1, 0x45,
-	0x53, 0x14, 0xae, 0x44, 0x98, 0x6c, 0x52, 0x64, 0x7e, 0x53, 0x9c, 0x6d, 0x52, 0x1e, 0x93, 0xd9,
-	0x7c, 0x03, 0x2a, 0x3e, 0x11, 0x13, 0x44, 0xa5, 0x6f, 0x4a, 0x2d, 0xf1, 0x60, 0xc9, 0x84, 0xc9,
-	0x87, 0x23, 0xc7, 0x27, 0x03, 0xe2, 0x06, 0x34, 0x4e, 0xe0, 0x43, 0x2a, 0xc5, 0x31, 0x1a, 0xfa,
-	0x00, 0x60, 0x18, 0xdd, 0x17, 0xc8, 0xf2, 0x51, 0xe6, 0xb4, 0x41, 0xbf, 0x69, 0x88, 0xf3, 0x95,
-	0xb8, 0x1d, 0x2b, 0xe8, 0xe8, 0x7d, 0xb8, 0x10, 0x67, 0xc0, 0x1b, 0xc4, 0xea, 0xf0, 0xe0, 0x4e,
-	0x5e, 0xca, 0x89, 0x6b, 0xaa, 0xaf, 0x1e, 0x8d, 0xeb, 0x17, 0xd6, 0xa7, 0x31, 0xe1, 0xe9, 0xf2,
-	0x68, 0x00, 0xf3, 0xae, 0xd7, 0x21, 0x6d, 0xd2, 0x27, 0x76, 0xe0, 0xf9, 0x32, 0x55, 0xcd, 0x52,
-	0x4a, 0x12, 0x45, 0x4f, 0xab, 0x7f, 0x4f, 0x11, 0x17, 0x85, 0x31, 0xb5, 0x05, 0x6b, 0xf0, 0xe8,
-	0x0d, 0x58, 0xe0, 0x4e, 0x6e, 0xc7, 0x1f, 0xd1, 0x80, 0x74, 0xd6, 0xd7, 0x78, 0x4a, 0x5b, 0x16,
-	0x67, 0xe5, 0x5d, 0x8d, 0x82, 0x13, 0x9c, 0xe6, 0x1f, 0x1a, 0x90, 0xf2, 0x3c, 0x4b, 0x33, 0x7d,
-	0xe3, 0x69, 0x9b, 0xfe, 0x0b, 0x9a, 0x8b, 0x53, 0x2f, 0x70, 0x34, 0xf7, 0x65, 0xfe, 0x85, 0x01,
-	0x67, 0xd3, 0x6a, 0x6b, 0xcc, 0x06, 0x63, 0xbf, 0x66, 0xcc, 0x58, 0x66, 0x54, 0x6f, 0x7d, 0xd3,
-	0x5c, 0xdb, 0x82, 0xe2, 0xe2, 0x37, 0x1c, 0x5f, 0xf6, 0x31, 0xf2, 0x45, 0x1b, 0x1a, 0x15, 0x27,
-	0xb8, 0xcd, 0xef, 0x17, 0x60, 0x39, 0x25, 0xd7, 0x41, 0x9b, 0xf2, 0x56, 0x65, 0x86, 0x0b, 0xc1,
-	0xe8, 0x00, 0xd6, 0x6e, 0x56, 0x60, 0x38, 0xea, 0xf7, 0x9f, 0xec, 0x62, 0x30, 0x94, 0xc7, 0x0a,
-	0x56, 0x78, 0x4d, 0x92, 0x3f, 0xc1, 0x35, 0xc9, 0x1d, 0x40, 0xe4, 0xe3, 0xa1, 0x47, 0x89, 0xcc,
-	0x59, 0x3d, 0x1e, 0xb7, 0x14, 0xb8, 0x0d, 0x46, 0x4f, 0xaf, 0x36, 0x27, 0x38, 0x70, 0x8a, 0x14,
-	0x5a, 0x85, 0x4a, 0xd7, 0xf3, 0x6d, 0xc2, 0x7a, 0xc9, 0x3d, 0x97, 0x52, 0xf5, 0xbb, 0x15, 0x12,
-	0x70, 0xcc, 0x83, 0xde, 0x8b, 0xab, 0xc2, 0x73, 0x99, 0x2f, 0x33, 0xc5, 0x98, 0xb9, 0xa3, 0x98,
-	0x5e, 0x0e, 0x5e, 0x83, 0x45, 0x2e, 0xb0, 0xb6, 0xbd, 0x15, 0xde, 0x37, 0x95, 0xf4, 0xe8, 0xa0,
-	0xa9, 0x93, 0x71, 0x92, 0xdf, 0xfc, 0x51, 0x11, 0x96, 0x53, 0x32, 0xfc, 0xe8, 0x8e, 0xcd, 0x78,
-	0x92, 0x3b, 0xb6, 0x2f, 0xca, 0x12, 0x5e, 0x82, 0x92, 0xeb, 0xad, 0x5b, 0xf6, 0x1e, 0x91, 0xef,
-	0x19, 0xa2, 0x29, 0xba, 0x27, 0x9a, 0x71, 0x48, 0x0f, 0x8d, 0xa6, 0x70, 0x02, 0xa3, 0x99, 0x79,
-	0xa1, 0xdf, 0x0a, 0xab, 0x2c, 0x5d, 0xa7, 0x4f, 0x78, 0xac, 0x36, 0x97, 0xd8, 0x99, 0x1a, 0x15,
-	0x27, 0xb8, 0xd1, 0xd7, 0xa1, 0x22, 0x96, 0xc7, 0xef, 0xd1, 0x0c, 0xb7, 0x81, 0x51, 0x67, 0x9a,
-	0xa1, 0x10, 0x8e, 0xe5, 0xd1, 0x10, 0xce, 0xf3, 0x74, 0x80, 0xf9, 0xeb, 0x81, 0xf3, 0x6d, 0x11,
-	0x0f, 0x8a, 0x67, 0x57, 0xa2, 0xce, 0x79, 0xe3, 0x68, 0x5c, 0x3f, 0xbf, 0x95, 0xce, 0xf2, 0x68,
-	0x3a, 0x09, 0x4f, 0x83, 0x45, 0xdf, 0x80, 0xd2, 0x01, 0x8f, 0xa8, 0xc2, 0x9b, 0x89, 0xc6, 0x6c,
-	0xd1, 0x71, 0xbc, 0x8a, 0xe2, 0x37, 0xc5, 0x21, 0x9e, 0xf9, 0x7d, 0x03, 0xd2, 0xaf, 0x07, 0xf5,
-	0x39, 0x33, 0x9e, 0x70, 0xce, 0x9e, 0x8f, 0xed, 0x4a, 0x94, 0xf3, 0xab, 0x69, 0x36, 0x65, 0xfe,
-	0x91, 0x01, 0xcb, 0x29, 0xf5, 0x8d, 0x5f, 0x8e, 0x23, 0xe9, 0xb3, 0x5c, 0xb2, 0x73, 0x9b, 0x07,
-	0xc4, 0x0d, 0x4e, 0x76, 0x29, 0xb9, 0x29, 0xae, 0x02, 0x73, 0xb2, 0xaa, 0x9f, 0xa9, 0x38, 0xc1,
-	0xeb, 0xc3, 0xfa, 0x1d, 0xe0, 0x13, 0x78, 0xee, 0xe9, 0x77, 0xce, 0x85, 0x2f, 0xfb, 0xce, 0xd9,
-	0xfc, 0x2b, 0x03, 0x16, 0xf4, 0xbb, 0x4e, 0xf4, 0x55, 0xc8, 0x8f, 0x7c, 0x47, 0x4e, 0x6a, 0xd4,
-	0xfb, 0x77, 0xf0, 0x16, 0x66, 0xed, 0x8c, 0xec, 0x93, 0xae, 0x5c, 0xb1, 0x88, 0x8c, 0x49, 0x17,
-	0xb3, 0x76, 0x44, 0xa0, 0x3a, 0xf4, 0xbd, 0x8f, 0x0f, 0xc5, 0x39, 0x3f, 0xc3, 0xfb, 0xec, 0xed,
-	0x58, 0x2a, 0x2e, 0x23, 0x2b, 0x8d, 0x58, 0xc5, 0xe5, 0x11, 0xd4, 0x64, 0x71, 0xec, 0x97, 0xc3,
-	0x5c, 0xff, 0x2e, 0x07, 0x25, 0x69, 0x34, 0xe8, 0x43, 0x58, 0xe8, 0x69, 0xd3, 0x3b, 0x43, 0xb7,
-	0x12, 0x77, 0xd0, 0x91, 0xcb, 0xd5, 0xdb, 0x71, 0x42, 0x01, 0xfa, 0x6d, 0x38, 0xd3, 0x73, 0x02,
-	0x7d, 0x4c, 0x33, 0x54, 0x0e, 0x6e, 0x27, 0x65, 0x9b, 0x17, 0xa4, 0xe2, 0x33, 0x13, 0x24, 0x3c,
-	0xa9, 0x09, 0xdd, 0x87, 0x82, 0x4f, 0xba, 0xb3, 0x3c, 0x72, 0x62, 0x7b, 0x8a, 0x74, 0xf9, 0x1e,
-	0x8b, 0xa2, 0x2f, 0x4c, 0xba, 0x14, 0x73, 0x20, 0xf3, 0x77, 0xc5, 0x52, 0x27, 0x0a, 0x84, 0xff,
-	0x13, 0x9f, 0x4c, 0xfc, 0x97, 0x01, 0x10, 0x77, 0xf6, 0xff, 0xdf, 0xda, 0x9a, 0x7f, 0x9e, 0x83,
-	0x49, 0x46, 0xb6, 0x2f, 0x6c, 0x91, 0x3d, 0x1a, 0xa9, 0x9f, 0x29, 0x49, 0x2a, 0x7a, 0x08, 0x73,
-	0x16, 0xff, 0xce, 0x67, 0x86, 0x1e, 0x0b, 0x55, 0xeb, 0x9e, 0x1b, 0xf8, 0x5e, 0xff, 0x1d, 0x4a,
-	0x7c, 0xe5, 0xe3, 0x1a, 0x8e, 0x85, 0x25, 0x26, 0x22, 0x2c, 0x3d, 0x91, 0xdf, 0xea, 0xcc, 0xf0,
-	0x4c, 0x7e, 0x52, 0x81, 0x92, 0xaa, 0x48, 0x38, 0x1c, 0x23, 0xcf, 0x70, 0x6f, 0x6d, 0x7e, 0xcf,
-	0x80, 0xa5, 0x64, 0x35, 0x9d, 0xc9, 0xf3, 0x60, 0x63, 0x6b, 0x23, 0x79, 0x57, 0xb1, 0x25, 0x9a,
-	0x71, 0x48, 0x47, 0x77, 0xa0, 0xc4, 0x82, 0x4e, 0x2c, 0xbd, 0x6d, 0xc6, 0x90, 0x95, 0x9f, 0xef,
-	0xb7, 0x84, 0x1c, 0x0e, 0x01, 0xcc, 0x7f, 0x30, 0x00, 0x4d, 0xd6, 0x5b, 0xd1, 0x36, 0x9c, 0x15,
-	0x5f, 0x62, 0xc8, 0x47, 0x04, 0x5b, 0x5a, 0xd7, 0x2e, 0xc9, 0xae, 0x9d, 0x6d, 0xa5, 0xf0, 0xe0,
-	0x54, 0xc9, 0x28, 0xc8, 0xce, 0x9d, 0x3c, 0xc8, 0x7e, 0x01, 0xe6, 0x86, 0x6c, 0xae, 0x3a, 0x32,
-	0x12, 0x8e, 0x56, 0x7c, 0x9b, 0xb7, 0x62, 0x49, 0x35, 0xff, 0x3a, 0x07, 0xb5, 0x69, 0xcf, 0xb0,
-	0xbf, 0x80, 0x91, 0x3d, 0xd4, 0x46, 0xf6, 0x46, 0xe6, 0x37, 0x3f, 0x81, 0x4f, 0xac, 0xc1, 0x8e,
-	0xd5, 0x3b, 0x3e, 0xc7, 0x1c, 0xc0, 0xa2, 0xa2, 0xf5, 0x84, 0x9f, 0xdc, 0x44, 0x39, 0x52, 0x4b,
-	0x87, 0xc2, 0x49, 0x6c, 0xb3, 0x0d, 0x10, 0xbf, 0x23, 0xcd, 0x50, 0x83, 0x7e, 0x0e, 0x8a, 0x07,
-	0x56, 0x7f, 0x14, 0x7e, 0xb9, 0x18, 0xbd, 0x06, 0x7f, 0xc0, 0x1a, 0xb1, 0xa0, 0x99, 0x7f, 0x9c,
-	0x83, 0xaa, 0xf2, 0xce, 0xe9, 0x69, 0xa5, 0xdf, 0xcf, 0x40, 0xce, 0xa2, 0x3c, 0xdd, 0xa9, 0x88,
-	0x8b, 0xe9, 0x35, 0x8a, 0x73, 0x16, 0x45, 0xef, 0x42, 0x71, 0x68, 0x05, 0x7b, 0xe1, 0x5b, 0xf6,
-	0xab, 0xb3, 0xbd, 0xc2, 0x62, 0xe9, 0x49, 0x3c, 0x0e, 0xf6, 0x8b, 0x62, 0x81, 0x97, 0xc8, 0xf2,
-	0xf2, 0x4f, 0x2f, 0xcb, 0x33, 0xbf, 0x6b, 0xc0, 0x62, 0xa2, 0x0f, 0xe8, 0x2a, 0x00, 0x8d, 0x7e,
-	0xc9, 0x25, 0x88, 0x0a, 0x69, 0x31, 0x1f, 0x56, 0xb8, 0x9e, 0xb8, 0x60, 0xd2, 0x87, 0xf3, 0x53,
-	0x8c, 0x93, 0xa5, 0x88, 0x6c, 0xc5, 0xe9, 0xd0, 0xb2, 0x49, 0xf2, 0xc9, 0xfe, 0xbd, 0x90, 0x80,
-	0x63, 0x9e, 0xc8, 0x78, 0x72, 0xd3, 0x8c, 0xc7, 0xfc, 0x47, 0x03, 0x2e, 0x1d, 0x77, 0x19, 0xcc,
-	0x92, 0x7e, 0x79, 0xe3, 0x1b, 0xa5, 0x99, 0x89, 0x2b, 0x81, 0x3b, 0x3a, 0x19, 0x27, 0xf9, 0xd1,
-	0x75, 0xa8, 0x2a, 0x4d, 0xb2, 0x33, 0x51, 0x1c, 0xa9, 0x88, 0x63, 0x95, 0xef, 0x09, 0xc2, 0x78,
-	0xf3, 0x6f, 0x0d, 0x38, 0x9b, 0x56, 0x39, 0x44, 0xbd, 0xf0, 0x1b, 0x0b, 0x91, 0xbb, 0x35, 0x4f,
-	0x58, 0x81, 0x6c, 0xf0, 0x2f, 0x2d, 0x36, 0xdd, 0xc0, 0x3f, 0x4c, 0xff, 0xfa, 0xe2, 0xe2, 0x4d,
-	0x80, 0x98, 0x07, 0x2d, 0x41, 0x7e, 0x9f, 0x1c, 0x8a, 0x89, 0xc3, 0xec, 0x4f, 0x74, 0x56, 0xdb,
-	0xb4, 0x72, 0x97, 0xbe, 0x91, 0xbb, 0x69, 0xbc, 0x51, 0xfe, 0x83, 0x3f, 0xa9, 0x9f, 0xfa, 0xce,
-	0x2f, 0x2e, 0x9f, 0x32, 0x7f, 0x60, 0x80, 0x1a, 0x65, 0xa3, 0x97, 0xa1, 0xb2, 0x17, 0x04, 0x43,
-	0xde, 0x24, 0x9f, 0x74, 0xf1, 0x2b, 0x89, 0xb7, 0x77, 0x76, 0xb6, 0x79, 0x23, 0x8e, 0xe9, 0xa8,
-	0x01, 0xc0, 0x7e, 0x50, 0xc1, 0x5d, 0x88, 0x9f, 0x61, 0x32, 0xee, 0xb6, 0x60, 0x57, 0x38, 0x44,
-	0x32, 0x2a, 0x98, 0xc5, 0xa7, 0x7b, 0x32, 0x19, 0x15, 0x9c, 0x21, 0xcd, 0xfc, 0x33, 0x03, 0xce,
-	0x4c, 0x3c, 0x21, 0x44, 0xdb, 0x51, 0xf8, 0x3d, 0x6b, 0xf1, 0x71, 0x4a, 0xa0, 0xfe, 0xc4, 0xbb,
-	0xe8, 0x26, 0x9c, 0x15, 0x88, 0x5c, 0x6b, 0xbc, 0x85, 0x1e, 0xeb, 0x4e, 0xcd, 0x3f, 0x35, 0x00,
-	0xe2, 0x72, 0x18, 0xda, 0x85, 0x79, 0xd1, 0x25, 0x2d, 0x8e, 0xcc, 0x3e, 0xc0, 0xb3, 0x52, 0xc5,
-	0x7c, 0x5b, 0x41, 0xc1, 0x1a, 0x26, 0xdb, 0xd7, 0xbc, 0x0a, 0xcd, 0x77, 0x57, 0x4e, 0xdf, 0xd7,
-	0x77, 0x43, 0x02, 0x8e, 0x79, 0xcc, 0x9f, 0xe7, 0x61, 0x39, 0xe5, 0xd1, 0xca, 0xff, 0xe9, 0xa2,
-	0xea, 0x4b, 0x50, 0x12, 0xdf, 0x31, 0xd0, 0x64, 0x74, 0x27, 0x3e, 0x73, 0xa0, 0x38, 0xa4, 0xa3,
-	0x2b, 0x50, 0x75, 0x5c, 0x5b, 0xdc, 0xb1, 0x58, 0x61, 0x31, 0x4d, 0xdc, 0x5f, 0xc7, 0xcd, 0x58,
-	0xe5, 0xd1, 0xab, 0x6f, 0x73, 0x19, 0xaa, 0x6f, 0x5f, 0x60, 0xf9, 0xe9, 0x9b, 0x70, 0x66, 0x22,
-	0xf4, 0xcd, 0x16, 0x07, 0x10, 0xfe, 0xf9, 0x7c, 0x22, 0x0e, 0x10, 0x5f, 0xcd, 0x0b, 0x9a, 0xf9,
-	0x43, 0x03, 0x16, 0x12, 0x39, 0xc2, 0x89, 0x4a, 0x35, 0xf7, 0xd5, 0x52, 0xcd, 0xc9, 0xf2, 0x1b,
-	0xad, 0x68, 0x63, 0xde, 0x81, 0xf4, 0x57, 0xf0, 0xc9, 0xc5, 0x34, 0x1e, 0xbf, 0x98, 0xe6, 0x4f,
-	0x72, 0x50, 0x89, 0x1e, 0x0f, 0xa2, 0x57, 0xb5, 0x99, 0xbb, 0xa0, 0xce, 0xdc, 0xa3, 0x71, 0x5d,
-	0x30, 0x2a, 0xd3, 0xf8, 0x3e, 0x54, 0xa2, 0xc7, 0xa7, 0x51, 0x29, 0x2a, 0x7b, 0x9c, 0x17, 0x59,
-	0x4d, 0xf4, 0xa2, 0x15, 0xc7, 0x78, 0x2c, 0xf4, 0x0d, 0x5f, 0x87, 0xde, 0x75, 0xfa, 0x7d, 0x87,
-	0xca, 0x0b, 0xb6, 0x3c, 0xbf, 0x60, 0x8b, 0x42, 0xdf, 0x8d, 0x14, 0x1e, 0x9c, 0x2a, 0x89, 0xb6,
-	0xa1, 0x48, 0x03, 0x32, 0xa4, 0xb2, 0xe6, 0xfc, 0x72, 0xa6, 0x77, 0x95, 0x64, 0xc8, 0x53, 0xfa,
-	0xc8, 0x44, 0x58, 0x0b, 0xc5, 0x02, 0xc8, 0xfc, 0x37, 0x03, 0xca, 0x21, 0x0b, 0x7a, 0x45, 0x9b,
-	0xbc, 0x5a, 0x62, 0xf2, 0x38, 0xdf, 0xff, 0xda, 0xb9, 0x33, 0xc7, 0x06, 0x2c, 0xe8, 0x6f, 0x44,
-	0x94, 0x42, 0x92, 0x71, 0x5c, 0x21, 0x09, 0xbd, 0x02, 0x65, 0xab, 0xdf, 0xf7, 0x3e, 0xda, 0x74,
-	0x0f, 0x64, 0xf1, 0x36, 0xba, 0x7b, 0x5e, 0x93, 0xed, 0x38, 0xe2, 0x40, 0x07, 0xb0, 0x28, 0xe4,
-	0xe2, 0xd7, 0xbf, 0xf9, 0xcc, 0x57, 0xa0, 0x69, 0xe7, 0x58, 0x73, 0x99, 0x45, 0x5e, 0x6d, 0x1d,
-	0x13, 0x27, 0x95, 0x34, 0x6f, 0x7f, 0xfa, 0xf9, 0xca, 0xa9, 0x9f, 0x7d, 0xbe, 0x72, 0xea, 0xb3,
-	0xcf, 0x57, 0x4e, 0x7d, 0xe7, 0x68, 0xc5, 0xf8, 0xf4, 0x68, 0xc5, 0xf8, 0xd9, 0xd1, 0x8a, 0xf1,
-	0xd9, 0xd1, 0x8a, 0xf1, 0x2f, 0x47, 0x2b, 0xc6, 0xef, 0xff, 0xeb, 0xca, 0xa9, 0x6f, 0x3e, 0xfb,
-	0xd8, 0x7f, 0x49, 0xf3, 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x88, 0x7d, 0x3c, 0xce, 0xb6, 0x46,
-	0x00, 0x00,
-}
+func (m *SourceStrategyOptions) Reset() { *m = SourceStrategyOptions{} }
+
+func (m *StageInfo) Reset() { *m = StageInfo{} }
+
+func (m *StepInfo) Reset() { *m = StepInfo{} }
+
+func (m *WebHookTrigger) Reset() { *m = WebHookTrigger{} }
 
 func (m *BinaryBuildRequestOptions) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -4882,7 +2961,7 @@ func (m OptionalNodeSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m {
 			keysForItems = append(keysForItems, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForItems)
+		sort.Strings(keysForItems)
 		for iNdEx := len(keysForItems) - 1; iNdEx >= 0; iNdEx-- {
 			v := m[string(keysForItems[iNdEx])]
 			baseI := i
diff --git a/vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..02886028cabcc
--- /dev/null
+++ b/vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go
@@ -0,0 +1,126 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*BinaryBuildRequestOptions) ProtoMessage() {}
+
+func (*BinaryBuildSource) ProtoMessage() {}
+
+func (*BitbucketWebHookCause) ProtoMessage() {}
+
+func (*Build) ProtoMessage() {}
+
+func (*BuildCondition) ProtoMessage() {}
+
+func (*BuildConfig) ProtoMessage() {}
+
+func (*BuildConfigList) ProtoMessage() {}
+
+func (*BuildConfigSpec) ProtoMessage() {}
+
+func (*BuildConfigStatus) ProtoMessage() {}
+
+func (*BuildList) ProtoMessage() {}
+
+func (*BuildLog) ProtoMessage() {}
+
+func (*BuildLogOptions) ProtoMessage() {}
+
+func (*BuildOutput) ProtoMessage() {}
+
+func (*BuildPostCommitSpec) ProtoMessage() {}
+
+func (*BuildRequest) ProtoMessage() {}
+
+func (*BuildSource) ProtoMessage() {}
+
+func (*BuildSpec) ProtoMessage() {}
+
+func (*BuildStatus) ProtoMessage() {}
+
+func (*BuildStatusOutput) ProtoMessage() {}
+
+func (*BuildStatusOutputTo) ProtoMessage() {}
+
+func (*BuildStrategy) ProtoMessage() {}
+
+func (*BuildTriggerCause) ProtoMessage() {}
+
+func (*BuildTriggerPolicy) ProtoMessage() {}
+
+func (*BuildVolume) ProtoMessage() {}
+
+func (*BuildVolumeMount) ProtoMessage() {}
+
+func (*BuildVolumeSource) ProtoMessage() {}
+
+func (*CommonSpec) ProtoMessage() {}
+
+func (*CommonWebHookCause) ProtoMessage() {}
+
+func (*ConfigMapBuildSource) ProtoMessage() {}
+
+func (*CustomBuildStrategy) ProtoMessage() {}
+
+func (*DockerBuildStrategy) ProtoMessage() {}
+
+func (*DockerStrategyOptions) ProtoMessage() {}
+
+func (*GenericWebHookCause) ProtoMessage() {}
+
+func (*GenericWebHookEvent) ProtoMessage() {}
+
+func (*GitBuildSource) ProtoMessage() {}
+
+func (*GitHubWebHookCause) ProtoMessage() {}
+
+func (*GitInfo) ProtoMessage() {}
+
+func (*GitLabWebHookCause) ProtoMessage() {}
+
+func (*GitRefInfo) ProtoMessage() {}
+
+func (*GitSourceRevision) ProtoMessage() {}
+
+func (*ImageChangeCause) ProtoMessage() {}
+
+func (*ImageChangeTrigger) ProtoMessage() {}
+
+func (*ImageChangeTriggerStatus) ProtoMessage() {}
+
+func (*ImageLabel) ProtoMessage() {}
+
+func (*ImageSource) ProtoMessage() {}
+
+func (*ImageSourcePath) ProtoMessage() {}
+
+func (*ImageStreamTagReference) ProtoMessage() {}
+
+func (*JenkinsPipelineBuildStrategy) ProtoMessage() {}
+
+func (*OptionalNodeSelector) ProtoMessage() {}
+
+func (*ProxyConfig) ProtoMessage() {}
+
+func (*SecretBuildSource) ProtoMessage() {}
+
+func (*SecretLocalReference) ProtoMessage() {}
+
+func (*SecretSpec) ProtoMessage() {}
+
+func (*SourceBuildStrategy) ProtoMessage() {}
+
+func (*SourceControlUser) ProtoMessage() {}
+
+func (*SourceRevision) ProtoMessage() {}
+
+func (*SourceStrategyOptions) ProtoMessage() {}
+
+func (*StageInfo) ProtoMessage() {}
+
+func (*StepInfo) ProtoMessage() {}
+
+func (*WebHookTrigger) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go
index eac29a236785a..222c7f0cc731a 100644
--- a/vendor/github.com/openshift/api/config/v1/register.go
+++ b/vendor/github.com/openshift/api/config/v1/register.go
@@ -76,6 +76,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&InsightsDataGather{},
+		&InsightsDataGatherList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
index 0afe7b1d8dee7..31d8881858e2c 100644
--- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go
+++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go
@@ -212,6 +212,7 @@ type APIServerEncryption struct {
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm
 // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS
+// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS
 type EncryptionType string
 
 const (
diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go
index 52a41b2fef280..e7433281f4a33 100644
--- a/vendor/github.com/openshift/api/config/v1/types_authentication.go
+++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go
@@ -5,7 +5,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +genclient
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity,rule="!has(self.spec.oidcProviders) || self.spec.oidcProviders.all(p, !has(p.oidcClients) || p.oidcClients.all(specC, self.status.oidcClients.exists(statusC, statusC.componentNamespace == specC.componentNamespace && statusC.componentName == specC.componentName) || (has(oldSelf.spec.oidcProviders) && oldSelf.spec.oidcProviders.exists(oldP, oldP.name == p.name && has(oldP.oidcClients) && oldP.oidcClients.exists(oldC, oldC.componentNamespace == specC.componentNamespace && oldC.componentName == specC.componentName)))))",message="all oidcClients in the oidcProviders must match their componentName and componentNamespace to either a previously configured oidcClient or they must exist in the status.oidcClients"
 
 // Authentication specifies cluster-wide settings for authentication (like OAuth and
 // webhook token authenticators). The canonical name of an instance is `cluster`.
@@ -80,8 +80,7 @@ type AuthenticationSpec struct {
 	// +optional
 	ServiceAccountIssuer string `json:"serviceAccountIssuer"`
 
-	// oidcProviders are OIDC identity providers that can issue tokens
-	// for this cluster
+	// oidcProviders are OIDC identity providers that can issue tokens for this cluster
 	// Can only be set if "Type" is set to "OIDC".
 	//
 	// At most one provider can be configured.
@@ -91,6 +90,7 @@ type AuthenticationSpec struct {
 	// +kubebuilder:validation:MaxItems=1
 	// +openshift:enable:FeatureGate=ExternalOIDC
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
 	// +optional
 	OIDCProviders []OIDCProvider `json:"oidcProviders,omitempty"`
 }
@@ -112,8 +112,7 @@ type AuthenticationStatus struct {
 	// +optional
 	IntegratedOAuthMetadata ConfigMapNameReference `json:"integratedOAuthMetadata"`
 
-	// oidcClients is where participating operators place the current OIDC client status
-	// for OIDC clients that can be customized by the cluster-admin.
+	// oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.
 	//
 	// +listType=map
 	// +listMapKey=componentNamespace
@@ -145,8 +144,7 @@ type AuthenticationType string
 
 const (
 	// None means that no cluster managed authentication system is in place.
-	// Note that user login will only work if a manually configured system is in place and
-	// referenced in authentication spec via oauthMetadata and
+	// Note that user login will only work if a manually configured system is in place and referenced in authentication spec via oauthMetadata and
 	// webhookTokenAuthenticator/oidcProviders
 	AuthenticationTypeNone AuthenticationType = "None"
 
@@ -198,10 +196,8 @@ const (
 )
 
 type OIDCProvider struct {
-	// name is a required field that configures the unique human-readable identifier
-	// associated with the identity provider.
-	// It is used to distinguish between multiple identity providers
-	// and has no impact on token validation or authentication mechanics.
+	// name is a required field that configures the unique human-readable identifier associated with the identity provider.
+	// It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.
 	//
 	// name must not be an empty string ("").
 	//
@@ -209,15 +205,12 @@ type OIDCProvider struct {
 	// +required
 	Name string `json:"name"`
 
-	// issuer is a required field that configures how the platform interacts
-	// with the identity provider and how tokens issued from the identity provider
-	// are evaluated by the Kubernetes API server.
+	// issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.
 	//
 	// +required
 	Issuer TokenIssuer `json:"issuer"`
 
-	// oidcClients is an optional field that configures how on-cluster,
-	// platform clients should request tokens from the identity provider.
+	// oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider.
 	// oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
 	//
 	// +listType=map
@@ -227,32 +220,40 @@ type OIDCProvider struct {
 	// +optional
 	OIDCClients []OIDCClientConfig `json:"oidcClients"`
 
-	// claimMappings is a required field that configures the rules to be used by
-	// the Kubernetes API server for translating claims in a JWT token, issued
-	// by the identity provider, to a cluster identity.
+	// claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.
 	//
 	// +required
 	ClaimMappings TokenClaimMappings `json:"claimMappings"`
 
-	// claimValidationRules is an optional field that configures the rules to
-	// be used by the Kubernetes API server for validating the claims in a JWT
-	// token issued by the identity provider.
+	// claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.
 	//
 	// Validation rules are joined via an AND operation.
 	//
 	// +listType=atomic
 	// +optional
 	ClaimValidationRules []TokenClaimValidationRule `json:"claimValidationRules,omitempty"`
+
+	// userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes.
+	// Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
+	// If any rule in the chain of rules evaluates to 'false', authentication will fail.
+	// When specified, at least one rule must be specified and no more than 64 rules may be specified.
+	//
+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=expression
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	UserValidationRules []TokenUserValidationRule `json:"userValidationRules,omitempty"`
 }
 
 // +kubebuilder:validation:MinLength=1
 type TokenAudience string
 
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="self.?discoveryURL.orValue(\"\").size() > 0 ? (self.issuerURL.size() == 0 || self.discoveryURL.find('^.+[^/]') != self.issuerURL.find('^.+[^/]')) : true",message="discoveryURL must be different from issuerURL"
 type TokenIssuer struct {
-	// issuerURL is a required field that configures the URL used to issue tokens
-	// by the identity provider.
-	// The Kubernetes API server determines how authentication tokens should be handled
-	// by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+	// issuerURL is a required field that configures the URL used to issue tokens by the identity provider.
+	// The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
 	//
 	// Must be at least 1 character and must not exceed 512 characters in length.
 	// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
@@ -267,8 +268,7 @@ type TokenIssuer struct {
 	// +required
 	URL string `json:"issuerURL"`
 
-	// audiences is a required field that configures the acceptable audiences
-	// the JWT token, issued by the identity provider, must be issued to.
+	// audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to.
 	// At least one of the entries must match the 'aud' claim in the JWT token.
 	//
 	// audiences must contain at least one entry and must not exceed ten entries.
@@ -279,54 +279,65 @@ type TokenIssuer struct {
 	// +required
 	Audiences []TokenAudience `json:"audiences"`
 
-	// issuerCertificateAuthority is an optional field that configures the
-	// certificate authority, used by the Kubernetes API server, to validate
-	// the connection to the identity provider when fetching discovery information.
+	// issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.
 	//
 	// When not specified, the system trust is used.
 	//
-	// When specified, it must reference a ConfigMap in the openshift-config
-	// namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt'
-	// key in the data field of the ConfigMap.
+	// When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.
 	//
 	// +optional
 	CertificateAuthority ConfigMapNameReference `json:"issuerCertificateAuthority"`
+	// discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata.
+	// By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
+	//
+	// The discoveryURL must be a valid absolute HTTPS URL.
+	// It must not contain query parameters, user information, or fragments.
+	// Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
+	// The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="discoveryURL must be a valid URL"
+	// +kubebuilder:validation:XValidation:rule="url(self).getScheme() == 'https'",message="discoveryURL must be a valid https URL"
+	// +kubebuilder:validation:XValidation:rule="url(self).getQuery().size() == 0",message="discoveryURL must not contain query parameters"
+	// +kubebuilder:validation:XValidation:rule="self.matches('^[^#]*$')",message="discoveryURL must not contain fragments"
+	// +kubebuilder:validation:XValidation:rule="!self.matches('^https://.+:.+@.+/.*$')",message="discoveryURL must not contain user info"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=2048
+	DiscoveryURL string `json:"discoveryURL,omitempty"`
 }
 
 type TokenClaimMappings struct {
-	// username is a required field that configures how the username of a cluster identity
-	// should be constructed from the claims in a JWT token issued by the identity provider.
+	// username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
 	//
 	// +required
 	Username UsernameClaimMapping `json:"username"`
 
-	// groups is an optional field that configures how the groups of a cluster identity
-	// should be constructed from the claims in a JWT token issued
-	// by the identity provider.
-	// When referencing a claim, if the claim is present in the JWT
-	// token, its value must be a list of groups separated by a comma (',').
+	// groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+	//
+	// When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').
+	//
 	// For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
 	//
 	// +optional
 	Groups PrefixedClaimMapping `json:"groups,omitempty"`
 
-	// uid is an optional field for configuring the claim mapping
-	// used to construct the uid for the cluster identity.
+	// uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.
 	//
 	// When using uid.claim to specify the claim it must be a single string value.
 	// When using uid.expression the expression must result in a single string value.
 	//
-	// When omitted, this means the user has no opinion and the platform
-	// is left to choose a default, which is subject to change over time.
+	// When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.
+	//
 	// The current default is to use the 'sub' claim.
 	//
 	// +optional
 	// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
 	UID *TokenClaimOrExpressionMapping `json:"uid,omitempty"`
 
-	// extra is an optional field for configuring the mappings
-	// used to construct the extra attribute for the cluster identity.
+	// extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity.
 	// When omitted, no extra attributes will be present on the cluster identity.
+	//
 	// key values for extra mappings must be unique.
 	// A maximum of 32 extra attribute mappings may be provided.
 	//
@@ -338,52 +349,39 @@ type TokenClaimMappings struct {
 	Extra []ExtraMapping `json:"extra,omitempty"`
 }
 
-// TokenClaimMapping allows specifying a JWT token
-// claim to be used when mapping claims from an
-// authentication token to cluster identities.
+// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimMapping struct {
-	// claim is a required field that configures the JWT token
-	// claim whose value is assigned to the cluster identity
-	// field associated with this mapping.
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	//
 	// +required
 	Claim string `json:"claim"`
 }
 
-// TokenClaimOrExpressionMapping allows specifying either a JWT
-// token claim or CEL expression to be used when mapping claims
-// from an authentication token to cluster identities.
+// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
 // +kubebuilder:validation:XValidation:rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
 type TokenClaimOrExpressionMapping struct {
-	// claim is an optional field for specifying the
-	// JWT token claim that is used in the mapping.
-	// The value of this claim will be assigned to
-	// the field in which this mapping is associated.
+	// claim is an optional field for specifying the JWT token claim that is used in the mapping.
+	// The value of this claim will be assigned to the field in which this mapping is associated.
 	//
 	// Precisely one of claim or expression must be set.
 	// claim must not be specified when expression is set.
-	// When specified, claim must be at least 1 character in length
-	// and must not exceed 256 characters in length.
+	// When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.
 	//
 	// +optional
 	// +kubebuilder:validation:MaxLength=256
 	// +kubebuilder:validation:MinLength=1
 	Claim string `json:"claim,omitempty"`
 
-	// expression is an optional field for specifying a
-	// CEL expression that produces a string value from
-	// JWT token claims.
+	// expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.
 	//
-	// CEL expressions have access to the token claims
-	// through a CEL variable, 'claims'.
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
 	// 'claims' is a map of claim names to claim values.
 	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
 	// Nested claims can be accessed using dot notation ('claims.foo.bar').
 	//
 	// Precisely one of claim or expression must be set.
 	// expression must not be specified when claim is set.
-	// When specified, expression must be at least 1 character in length
-	// and must not exceed 1024 characters in length.
+	// When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.
 	//
 	// +optional
 	// +kubebuilder:validation:MaxLength=1024
@@ -391,13 +389,10 @@ type TokenClaimOrExpressionMapping struct {
 	Expression string `json:"expression,omitempty"`
 }
 
-// ExtraMapping allows specifying a key and CEL expression
-// to evaluate the keys' value. It is used to create additional
-// mappings and attributes added to a cluster identity from
-// a provided authentication token.
+// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value.
+// It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.
 type ExtraMapping struct {
-	// key is a required field that specifies the string
-	// to use as the extra attribute key.
+	// key is a required field that specifies the string to use as the extra attribute key.
 	//
 	// key must be a domain-prefix path (e.g 'example.org/foo').
 	// key must not exceed 510 characters in length.
@@ -410,8 +405,7 @@ type ExtraMapping struct {
 	// It must only contain lower case alphanumeric characters and '-' or '.'.
 	// It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
 	//
-	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one
-	// alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
+	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ''', '(', ')', '*', '+', ',', ';', '=', and ':'.
 	// It must not exceed 256 characters in length.
 	//
 	// +required
@@ -433,14 +427,12 @@ type ExtraMapping struct {
 	// +kubebuilder:validation:XValidation:rule="self.split('/', 2)[1].size() <= 256",message="the path of the key must not exceed 256 characters in length"
 	Key string `json:"key"`
 
-	// valueExpression is a required field to specify the CEL expression to extract
-	// the extra attribute value from a JWT token's claims.
+	// valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
 	// valueExpression must produce a string or string array value.
 	// "", [], and null are treated as the extra mapping not being present.
 	// Empty string values within an array are filtered out.
 	//
-	// CEL expressions have access to the token claims
-	// through a CEL variable, 'claims'.
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
 	// 'claims' is a map of claim names to claim values.
 	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
 	// Nested claims can be accessed using dot notation ('claims.foo.bar').
@@ -454,12 +446,10 @@ type ExtraMapping struct {
 	ValueExpression string `json:"valueExpression"`
 }
 
-// OIDCClientConfig configures how platform clients
-// interact with identity providers as an authentication
-// method
+// OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.
 type OIDCClientConfig struct {
-	// componentName is a required field that specifies the name of the platform
-	// component being configured to use the identity provider as an authentication mode.
+	// componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.
+	//
 	// It is used in combination with componentNamespace as a unique identifier.
 	//
 	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -469,9 +459,8 @@ type OIDCClientConfig struct {
 	// +required
 	ComponentName string `json:"componentName"`
 
-	// componentNamespace is a required field that specifies the namespace in which the
-	// platform component being configured to use the identity provider as an authentication
-	// mode is running.
+	// componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.
+	//
 	// It is used in combination with componentName as a unique identifier.
 	//
 	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -481,11 +470,8 @@ type OIDCClientConfig struct {
 	// +required
 	ComponentNamespace string `json:"componentNamespace"`
 
-	// clientID is a required field that configures the client identifier, from
-	// the identity provider, that the platform component uses for authentication
-	// requests made to the identity provider.
-	// The identity provider must accept this identifier for platform components
-	// to be able to use the identity provider as an authentication mode.
+	// clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider.
+	// The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.
 	//
 	// clientID must not be an empty string ("").
 	//
@@ -493,27 +479,21 @@ type OIDCClientConfig struct {
 	// +required
 	ClientID string `json:"clientID"`
 
-	// clientSecret is an optional field that configures the client secret used
-	// by the platform component when making authentication requests to the identity provider.
+	// clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.
 	//
-	// When not specified, no client secret will be used when making authentication requests
-	// to the identity provider.
+	// When not specified, no client secret will be used when making authentication requests to the identity provider.
+	//
+	// When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 	//
-	// When specified, clientSecret references a Secret in the 'openshift-config'
-	// namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
 	// The client secret will be used when making authentication requests to the identity provider.
 	//
-	// Public clients do not require a client secret but private
-	// clients do require a client secret to work with the identity provider.
+	// Public clients do not require a client secret but private clients do require a client secret to work with the identity provider.
 	//
 	// +optional
 	ClientSecret SecretNameReference `json:"clientSecret"`
 
-	// extraScopes is an optional field that configures the extra scopes that should
-	// be requested by the platform component when making authentication requests to the
-	// identity provider.
-	// This is useful if you have configured claim mappings that requires specific
-	// scopes to be requested beyond the standard OIDC scopes.
+	// extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider.
+	// This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.
 	//
 	// When omitted, no additional scopes are requested.
 	//
@@ -526,8 +506,7 @@ type OIDCClientConfig struct {
 // of platform components and how they interact with
 // the configured identity providers.
 type OIDCClientStatus struct {
-	// componentName is a required field that specifies the name of the platform
-	// component using the identity provider as an authentication mode.
+	// componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode.
 	// It is used in combination with componentNamespace as a unique identifier.
 	//
 	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
@@ -537,9 +516,8 @@ type OIDCClientStatus struct {
 	// +required
 	ComponentName string `json:"componentName"`
 
-	// componentNamespace is a required field that specifies the namespace in which the
-	// platform component using the identity provider as an authentication
-	// mode is running.
+	// componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.
+	//
 	// It is used in combination with componentName as a unique identifier.
 	//
 	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
@@ -550,6 +528,7 @@ type OIDCClientStatus struct {
 	ComponentNamespace string `json:"componentNamespace"`
 
 	// currentOIDCClients is an optional list of clients that the component is currently using.
+	//
 	// Entries must have unique issuerURL/clientID pairs.
 	//
 	// +listType=map
@@ -558,8 +537,7 @@ type OIDCClientStatus struct {
 	// +optional
 	CurrentOIDCClients []OIDCClientReference `json:"currentOIDCClients"`
 
-	// consumingUsers is an optional list of ServiceAccounts requiring
-	// read permissions on the `clientSecret` secret.
+	// consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.
 	//
 	// consumingUsers must not exceed 5 entries.
 	//
@@ -585,8 +563,7 @@ type OIDCClientStatus struct {
 // OIDCClientReference is a reference to a platform component
 // client configuration.
 type OIDCClientReference struct {
-	// oidcProviderName is a required reference to the 'name' of the identity provider
-	// configured in 'oidcProviders' that this client is associated with.
+	// oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.
 	//
 	// oidcProviderName must not be an empty string ("").
 	//
@@ -594,8 +571,7 @@ type OIDCClientReference struct {
 	// +required
 	OIDCProviderName string `json:"oidcProviderName"`
 
-	// issuerURL is a required field that specifies the URL of the identity
-	// provider that this client is configured to make requests against.
+	// issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.
 	//
 	// issuerURL must use the 'https' scheme.
 	//
@@ -603,9 +579,7 @@ type OIDCClientReference struct {
 	// +required
 	IssuerURL string `json:"issuerURL"`
 
-	// clientID is a required field that specifies the client identifier, from
-	// the identity provider, that the platform component is using for authentication
-	// requests made to the identity provider.
+	// clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.
 	//
 	// clientID must not be empty.
 	//
@@ -617,9 +591,7 @@ type OIDCClientReference struct {
 // +kubebuilder:validation:XValidation:rule="has(self.prefixPolicy) && self.prefixPolicy == 'Prefix' ? (has(self.prefix) && size(self.prefix.prefixString) > 0) : !has(self.prefix)",message="prefix must be set if prefixPolicy is 'Prefix', but must remain unset otherwise"
 // +union
 type UsernameClaimMapping struct {
-	// claim is a required field that configures the JWT token
-	// claim whose value is assigned to the cluster identity
-	// field associated with this mapping.
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	//
 	// claim must not be an empty string ("") and must not exceed 256 characters.
 	//
@@ -628,23 +600,21 @@ type UsernameClaimMapping struct {
 	// +kubebuilder:validation:MaxLength:=256
 	Claim string `json:"claim"`
 
-	// prefixPolicy is an optional field that configures how a prefix should be
-	// applied to the value of the JWT claim specified in the 'claim' field.
+	// prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
 	//
 	// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
 	//
-	// When set to 'Prefix', the value specified in the prefix field will be
-	// prepended to the value of the JWT claim.
+	// When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
+	//
 	// The prefix field must be set when prefixPolicy is 'Prefix'.
 	//
-	// When set to 'NoPrefix', no prefix will be prepended to the value
-	// of the JWT claim.
+	// When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
+	//
+	// When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
+	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
 	//
-	// When omitted, this means no opinion and the platform is left to choose
-	// any prefixes that are applied which is subject to change over time.
-	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim
-	// when the claim is not 'email'.
 	// As an example, consider the following scenario:
+	//
 	//    `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
 	//    the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
 	//    and `claim` is set to:
@@ -656,8 +626,7 @@ type UsernameClaimMapping struct {
 	// +unionDiscriminator
 	PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
 
-	// prefix configures the prefix that should be prepended to the value
-	// of the JWT claim.
+	// prefix configures the prefix that should be prepended to the value of the JWT claim.
 	//
 	// prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
 	//
@@ -666,9 +635,7 @@ type UsernameClaimMapping struct {
 	Prefix *UsernamePrefix `json:"prefix"`
 }
 
-// UsernamePrefixPolicy configures how prefixes should be applied
-// to values extracted from the JWT claims during the process of mapping
-// JWT claims to cluster identity attributes.
+// UsernamePrefixPolicy configures how prefixes should be applied to values extracted from the JWT claims during the process of mapping JWT claims to cluster identity attributes.
 // +enum
 type UsernamePrefixPolicy string
 
@@ -687,9 +654,7 @@ var (
 // UsernamePrefix configures the string that should
 // be used as a prefix for username claim mappings.
 type UsernamePrefix struct {
-	// prefixString is a required field that configures the prefix that will
-	// be applied to cluster identity username attribute
-	// during the process of mapping JWT claims to cluster identity attributes.
+	// prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.
 	//
 	// prefixString must not be an empty string ("").
 	//
@@ -703,51 +668,62 @@ type UsernamePrefix struct {
 type PrefixedClaimMapping struct {
 	TokenClaimMapping `json:",inline"`
 
-	// prefix is an optional field that configures the prefix that will be
-	// applied to the cluster identity attribute during the process of mapping
-	// JWT claims to cluster identity attributes.
+	// prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
 	//
 	// When omitted (""), no prefix is applied to the cluster identity attribute.
 	//
-	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains
-	// an array of strings "a", "b" and  "c", the mapping will result in an
-	// array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
 	//
 	// +optional
 	Prefix string `json:"prefix"`
 }
 
-// TokenValidationRuleType represents the different
-// claim validation rule types that can be configured.
+// TokenValidationRuleType defines the type of token validation rule.
 // +enum
+// +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,enum="RequiredClaim";
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDCWithUpstreamParity,enum="RequiredClaim";"CEL"
 type TokenValidationRuleType string
 
 const (
+	// TokenValidationRuleTypeRequiredClaim indicates that the token must contain a specific claim.
+	// Used as a value for TokenValidationRuleType.
 	TokenValidationRuleTypeRequiredClaim = "RequiredClaim"
+	// TokenValidationRuleTypeCEL indicates that the token validation is defined via a CEL expression.
+	// Used as a value for TokenValidationRuleType.
+	TokenValidationRuleTypeCEL = "CEL"
 )
 
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If Type is CEL, CEL must be set and RequiredClaim must be omitted.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'RequiredClaim' ? has(self.requiredClaim) : !has(self.requiredClaim)",message="requiredClaim must be set when type is 'RequiredClaim', and forbidden otherwise"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.type) && self.type == 'CEL' ? has(self.cel) : !has(self.cel)",message="cel must be set when type is 'CEL', and forbidden otherwise"
 type TokenClaimValidationRule struct {
 	// type is an optional field that configures the type of the validation rule.
 	//
-	// Allowed values are 'RequiredClaim' and omitted (not provided or an empty string).
-	//
-	// When set to 'RequiredClaim', the Kubernetes API server
-	// will be configured to validate that the incoming JWT
-	// contains the required claim and that its value matches
-	// the required value.
+	// Allowed values are "RequiredClaim" and "CEL".
 	//
-	// Defaults to 'RequiredClaim'.
+	// When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
 	//
-	// +kubebuilder:validation:Enum={"RequiredClaim"}
-	// +kubebuilder:default="RequiredClaim"
+	// When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
+	// +required
 	Type TokenValidationRuleType `json:"type"`
 
-	// requiredClaim is an optional field that configures the required claim
-	// and value that the Kubernetes API server will use to validate if an incoming
-	// JWT is valid for this identity provider.
+	// requiredClaim allows configuring a required claim name and its expected value.
+	// This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+	// The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 	//
 	// +optional
 	RequiredClaim *TokenRequiredClaim `json:"requiredClaim,omitempty"`
+
+	// cel holds the CEL expression and message for validation.
+	// Must be set when Type is "CEL", and forbidden otherwise.
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	CEL TokenClaimValidationCELRule `json:"cel,omitempty,omitzero"`
 }
 
 type TokenRequiredClaim struct {
@@ -760,10 +736,8 @@ type TokenRequiredClaim struct {
 	// +required
 	Claim string `json:"claim"`
 
-	// requiredValue is a required field that configures the value that 'claim' must
-	// have when taken from the incoming JWT claims.
-	// If the value in the JWT claims does not match, the token
-	// will be rejected for authentication.
+	// requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims.
+	// If the value in the JWT claims does not match, the token will be rejected for authentication.
 	//
 	// requiredValue must not be an empty string ("").
 	//
@@ -771,3 +745,43 @@ type TokenRequiredClaim struct {
 	// +required
 	RequiredValue string `json:"requiredValue"`
 }
+
+type TokenClaimValidationCELRule struct {
+	// expression is a CEL expression evaluated against token claims.
+	// expression is required, must be at least 1 character in length and must not exceed 1024 characters.
+	// The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +required
+	Expression string `json:"expression,omitempty"`
+
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	Message string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
+// Each rule contains a CEL expression that is evaluated against the token’s claims.
+type TokenUserValidationRule struct {
+	// expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.
+	//
+	// The expression must evaluate to a boolean value.
+	// When the expression evaluates to 'true', the cluster user identity is considered valid.
+	// When the expression evaluates to 'false', the cluster user identity is not considered valid.
+	// expression must be at least 1 character in length and must not exceed 1024 characters.
+	//
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Expression string `json:"expression,omitempty"`
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	// +required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	Message string `json:"message,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
index ca604e05c5bd6..491390098c37f 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
@@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
index e5aad151eada1..5f36f693de1ac 100644
--- a/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
+++ b/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
@@ -199,9 +199,23 @@ type ClusterVersionStatus struct {
 	// availableUpdates. This list may be empty if no updates are
 	// recommended, if the update service is unavailable, or if an empty
 	// or invalid channel has been specified.
+	// +kubebuilder:validation:MaxItems=500
 	// +listType=atomic
 	// +optional
 	ConditionalUpdates []ConditionalUpdate `json:"conditionalUpdates,omitempty"`
+
+	// conditionalUpdateRisks contains the list of risks associated with conditionalUpdates.
+	// When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field.
+	// If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked.
+	// The risk names in the list must be unique.
+	// conditionalUpdateRisks must not contain more than 500 entries.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MaxItems=500
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	ConditionalUpdateRisks []ConditionalUpdateRisk `json:"conditionalUpdateRisks,omitempty"`
 }
 
 // UpdateState is a constant representing whether an update was successfully
@@ -258,7 +272,7 @@ type UpdateHistory struct {
 	Verified bool `json:"verified"`
 
 	// acceptedRisks records risks which were accepted to initiate the update.
-	// For example, it may menition an Upgradeable=False or missing signature
+	// For example, it may mention an Upgradeable=False or missing signature
 	// that was overridden via desiredUpdate.force, or an update that was
 	// initiated despite not being in the availableUpdates set of recommended
 	// update targets.
@@ -732,6 +746,30 @@ type Update struct {
 	//
 	// +optional
 	Force bool `json:"force"`
+
+	// acceptRisks is an optional set of names of conditional update risks that are considered acceptable.
+	// A conditional update is performed only if all of its risks are acceptable.
+	// This list may contain entries that apply to current, previous or future updates.
+	// The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks.
+	// acceptRisks must not contain more than 1000 entries.
+	// Entries in this list must be unique.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MaxItems=1000
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	AcceptRisks []AcceptRisk `json:"acceptRisks,omitempty"`
+}
+
+// AcceptRisk represents a risk that is considered acceptable.
+type AcceptRisk struct {
+	// name is the name of the acceptable risk.
+	// It must be a non-empty string and must not exceed 256 characters.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +required
+	Name string `json:"name,omitempty"`
 }
 
 // Release represents an OpenShift release image and associated metadata.
@@ -787,12 +825,27 @@ type ConditionalUpdate struct {
 	// +required
 	Release Release `json:"release"`
 
+	// riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters.
+	// The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster.
+	// A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator.
+	// The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field.
+	// Entries must be unique and must not exceed 256 characters.
+	// riskNames must not contain more than 500 entries.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:items:MaxLength=256
+	// +kubebuilder:validation:MaxItems=500
+	// +listType=set
+	// +optional
+	RiskNames []string `json:"riskNames,omitempty"`
+
 	// risks represents the range of issues associated with
 	// updating to the target release. The cluster-version
 	// operator will evaluate all entries, and only recommend the
 	// update if there is at least one entry and all entries
 	// recommend the update.
 	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=200
 	// +patchMergeKey=name
 	// +patchStrategy=merge
 	// +listType=map
@@ -813,6 +866,20 @@ type ConditionalUpdate struct {
 // for not recommending a conditional update.
 // +k8s:deepcopy-gen=true
 type ConditionalUpdateRisk struct {
+	// conditions represents the observations of the conditional update
+	// risk's current status. Known types are:
+	// * Applies, for whether the risk applies to the current cluster.
+	// The condition's types in the list must be unique.
+	// conditions must not contain more than one entry.
+	// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
+	// +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
+	// +kubebuilder:validation:MaxItems=8
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
 	// url contains information about this risk.
 	// +kubebuilder:validation:Format=uri
 	// +kubebuilder:validation:MinLength=1
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
index a6a64051300f8..3cc46141c9c97 100644
--- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go
@@ -51,7 +51,7 @@ type ImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -60,8 +60,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 	// rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
 	// This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
 	// +required
@@ -89,18 +89,18 @@ type PolicyRootOfTrust struct {
 	// publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
 	// publicKey is required when policyType is PublicKey, and forbidden otherwise.
 	// +optional
-	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 	// fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
 	// fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
 	// For more information about Fulcio and Rekor, please refer to the document at:
 	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 	// +optional
-	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 	// pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 	// pki is required when policyType is PKI, and forbidden otherwise.
 	// +optional
 	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
-	PKI *PKI `json:"pki,omitempty"`
+	PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -113,8 +113,8 @@ const (
 	PKIRootOfTrust               PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 	// keyData is a required field contains inline base64-encoded data for the PEM format public key.
 	// keyData must be at most 8192 characters.
 	// +required
@@ -132,8 +132,8 @@ type PublicKey struct {
 	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 	// fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
 	// fulcioCAData must be at most 8192 characters.
 	// +required
@@ -172,8 +172,8 @@ type PolicyFulcioSubject struct {
 	SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 	// +required
 	// +kubebuilder:validation:MaxLength=8192
diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
index 313ed57a41446..369ba1e7a0002 100644
--- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
+++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
@@ -302,9 +302,10 @@ type PlatformSpec struct {
 	// balancers, dynamic volume provisioning, machine creation and deletion, and
 	// other integrations are enabled. If None, no infrastructure automation is
 	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
-	// "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
-	// "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
-	// and must handle unrecognized platforms as None if they do not support that platform.
+	// "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal",
+	// "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual
+	// components may not support all platforms, and must handle unrecognized
+	// platforms as None if they do not support that platform.
 	//
 	// +unionDiscriminator
 	Type PlatformType `json:"type"`
diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go
new file mode 100644
index 0000000000000..710d4303da222
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1/types_insights.go
@@ -0,0 +1,231 @@
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// InsightsDataGather provides data gather configuration options for the Insights Operator.
+//
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+//
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=insightsdatagathers,scope=Cluster
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=InsightsConfig
+// +openshift:capability=Insights
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InsightsDataGather struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	// spec holds user settable values for configuration
+	// +required
+	Spec InsightsDataGatherSpec `json:"spec,omitempty,omitzero"`
+}
+
+// InsightsDataGatherSpec contains the configuration for the data gathering.
+type InsightsDataGatherSpec struct {
+	// gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
+	// +required
+	GatherConfig GatherConfig `json:"gatherConfig,omitempty,omitzero"`
+}
+
+// GatherConfig provides data gathering configuration options.
+type GatherConfig struct {
+	// dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data.
+	// It may not exceed 2 items and must not contain duplicates.
+	// Valid values are ObfuscateNetworking and WorkloadNames.
+	// When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
+	// When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead.
+	// When omitted no obfuscation is applied.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="dataPolicy items must be unique"
+	// +listType=atomic
+	// +optional
+	DataPolicy []DataPolicyOption `json:"dataPolicy,omitempty"`
+	// gatherers is a required field that specifies the configuration of the gatherers.
+	// +required
+	Gatherers Gatherers `json:"gatherers,omitempty,omitzero"`
+	// storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+	// If omitted, the gathering job will use ephemeral storage.
+	// +optional
+	Storage Storage `json:"storage,omitempty,omitzero"`
+}
+
+// Gatherers specifies the configuration of the gatherers
+// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Custom' ?  has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise"
+// +union
+type Gatherers struct {
+	// mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom.
+	// When set to All, all gatherers will run and gather data.
+	// When set to None, all gatherers will be disabled and no data will be gathered.
+	// When set to Custom, the custom configuration from the custom field will be applied.
+	// +unionDiscriminator
+	// +required
+	Mode GatheringMode `json:"mode,omitempty"`
+	// custom provides gathering configuration.
+	// It is required when mode is Custom, and forbidden otherwise.
+	// Custom configuration allows user to disable only a subset of gatherers.
+	// Gatherers that are not explicitly disabled in custom configuration will run.
+	// +unionMember
+	// +optional
+	Custom Custom `json:"custom,omitempty,omitzero"`
+}
+
+// Custom provides the custom configuration of gatherers
+type Custom struct {
+	// configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers.
+	// It may not exceed 100 items and each gatherer can be present only once.
+	// It is possible to disable an entire set of gatherers while allowing a specific function within that set.
+	// The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=100
+	// +listType=map
+	// +listMapKey=name
+	// +required
+	Configs []GathererConfig `json:"configs,omitempty"`
+}
+
+// GatheringMode defines the valid gathering modes.
+// +kubebuilder:validation:Enum=All;None;Custom
+type GatheringMode string
+
+const (
+	// Enabled enables all gatherers
+	GatheringModeAll GatheringMode = "All"
+	// Disabled disables all gatherers
+	GatheringModeNone GatheringMode = "None"
+	// Custom applies the configuration from GatheringConfig.
+	GatheringModeCustom GatheringMode = "Custom"
+)
+
+// DataPolicyOption declares valid data policy options
+// +kubebuilder:validation:Enum=ObfuscateNetworking;WorkloadNames
+type DataPolicyOption string
+
+const (
+	// IP addresses and cluster domain name are obfuscated
+	DataPolicyOptionObfuscateNetworking DataPolicyOption = "ObfuscateNetworking"
+	// Data from Deployment Validation Operator are obfuscated
+	DataPolicyOptionObfuscateWorkloadNames DataPolicyOption = "WorkloadNames"
+)
+
+// Storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
+// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ?  has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise"
+// +union
+type Storage struct {
+	// type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+	// Valid values are "PersistentVolume" and "Ephemeral".
+	// When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+	// When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+	// +unionDiscriminator
+	// +required
+	Type StorageType `json:"type,omitempty"`
+	// persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+	// The PersistentVolume must be created in the openshift-insights namespace.
+	// +unionMember
+	// +optional
+	PersistentVolume PersistentVolumeConfig `json:"persistentVolume,omitempty,omitzero"`
+}
+
+// StorageType declares valid storage types
+// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral
+type StorageType string
+
+const (
+	// StorageTypePersistentVolume storage type
+	StorageTypePersistentVolume StorageType = "PersistentVolume"
+	// StorageTypeEphemeral storage type
+	StorageTypeEphemeral StorageType = "Ephemeral"
+)
+
+// PersistentVolumeConfig provides configuration options for PersistentVolume storage.
+type PersistentVolumeConfig struct {
+	// claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// The PersistentVolumeClaim must be created in the openshift-insights namespace.
+	// +required
+	Claim PersistentVolumeClaimReference `json:"claim,omitempty,omitzero"`
+	// mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default mount path is /var/lib/insights-operator
+	// The path may not exceed 1024 characters and must not contain a colon.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	// +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon"
+	// +optional
+	MountPath string `json:"mountPath,omitempty"`
+}
+
+// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
+type PersistentVolumeClaimReference struct {
+	// name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// It is a string that follows the DNS1123 subdomain format.
+	// It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name,omitempty"`
+}
+
+// GathererConfig allows to configure specific gatherers
+type GathererConfig struct {
+	// name is the required name of a specific gatherer.
+	// It may not exceed 256 characters.
+	// The format for a gatherer name is: {gatherer}/{function} where the function is optional.
+	// Gatherer consists of a lowercase letters only that may include underscores (_).
+	// Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+	// The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=256
+	// +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`gatherer name must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided`
+	// +required
+	Name string `json:"name,omitempty"`
+	// state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled".
+	// When set to Enabled the gatherer will run.
+	// When set to Disabled the gatherer will not run.
+	// +required
+	State GathererState `json:"state,omitempty"`
+}
+
+// GathererState declares valid gatherer state types.
+// +kubebuilder:validation:Enum=Enabled;Disabled
+type GathererState string
+
+const (
+	// GathererStateEnabled gatherer state, which means that the gatherer will run.
+	GathererStateEnabled GathererState = "Enabled"
+	// GathererStateDisabled gatherer state, which means that the gatherer will not run.
+	GathererStateDisabled GathererState = "Disabled"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InsightsDataGatherList is a collection of items
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type InsightsDataGatherList struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the required standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +required
+	metav1.ListMeta `json:"metadata,omitempty"`
+	// items is the required list of InsightsDataGather objects
+	// it may not exceed 100 items
+	// +kubebuilder:validation:MinItems=0
+	// +kubebuilder:validation:MaxItems=100
+	// +required
+	Items []InsightsDataGather `json:"items,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1/types_network.go b/vendor/github.com/openshift/api/config/v1/types_network.go
index c0d1602b3766f..fb8ed2fff743d 100644
--- a/vendor/github.com/openshift/api/config/v1/types_network.go
+++ b/vendor/github.com/openshift/api/config/v1/types_network.go
@@ -41,7 +41,7 @@ type Network struct {
 // As a general rule, this SHOULD NOT be read directly. Instead, you should
 // consume the NetworkStatus, as it indicates the currently deployed configuration.
 // Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkDiagnosticsConfig,rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
+// +kubebuilder:validation:XValidation:rule="!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) || self.networkDiagnostics.mode!='Disabled' || !has(self.networkDiagnostics.sourcePlacement) && !has(self.networkDiagnostics.targetPlacement)",message="cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement when networkDiagnostics.mode is Disabled"
 type NetworkSpec struct {
 	// IP address pool to use for pod IPs.
 	// This field is immutable after installation.
@@ -85,7 +85,6 @@ type NetworkSpec struct {
 	// the network diagnostics feature will be disabled.
 	//
 	// +optional
-	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 	NetworkDiagnostics NetworkDiagnostics `json:"networkDiagnostics"`
 }
 
@@ -119,7 +118,6 @@ type NetworkStatus struct {
 	// +optional
 	// +listType=map
 	// +listMapKey=type
-	// +openshift:enable:FeatureGate=NetworkDiagnosticsConfig
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index b18ef647c2fca..1e5189796e4c5 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
@@ -4,178 +4,130 @@ package v1
 // is used by operators to apply TLS security settings to operands.
 // +union
 type TLSSecurityProfile struct {
-	// type is one of Old, Intermediate, Modern or Custom. Custom provides
-	// the ability to specify individual TLS security profile parameters.
-	// Old, Intermediate and Modern are TLS security profiles based on:
+	// type is one of Old, Intermediate, Modern or Custom. Custom provides the
+	// ability to specify individual TLS security profile parameters.
 	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+	// The profiles are currently based on version 5.0 of the Mozilla Server Side TLS
+	// configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for
+	// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
 	//
-	// The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
-	// are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be
-	// reduced.
-	//
-	// Note that the Modern profile is currently not supported because it is not
-	// yet well adopted by common software libraries.
+	// The profiles are intent based, so they may change over time as new ciphers are
+	// developed and existing ciphers are found to be insecure. Depending on
+	// precisely which ciphers are available to a process, the list may be reduced.
 	//
 	// +unionDiscriminator
 	// +optional
 	Type TLSProfileType `json:"type"`
-	// old is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+
+	// old is a TLS profile for use when services need to be accessed by very old
+	// clients or libraries and should be used only as a last resort.
 	//
-	// and looks like this (yaml):
+	// The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+	// by the "old" profile ciphers.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS10
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-RSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
-	//
 	//     - DHE-RSA-AES128-GCM-SHA256
-	//
 	//     - DHE-RSA-AES256-GCM-SHA384
-	//
 	//     - DHE-RSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-ECDSA-AES128-SHA256
-	//
 	//     - ECDHE-RSA-AES128-SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-SHA
-	//
 	//     - ECDHE-RSA-AES128-SHA
-	//
 	//     - ECDHE-ECDSA-AES256-SHA384
-	//
 	//     - ECDHE-RSA-AES256-SHA384
-	//
 	//     - ECDHE-ECDSA-AES256-SHA
-	//
 	//     - ECDHE-RSA-AES256-SHA
-	//
 	//     - DHE-RSA-AES128-SHA256
-	//
 	//     - DHE-RSA-AES256-SHA256
-	//
 	//     - AES128-GCM-SHA256
-	//
 	//     - AES256-GCM-SHA384
-	//
 	//     - AES128-SHA256
-	//
 	//     - AES256-SHA256
-	//
 	//     - AES128-SHA
-	//
 	//     - AES256-SHA
-	//
 	//     - DES-CBC3-SHA
 	//
-	//   minTLSVersion: VersionTLS10
-	//
 	// +optional
 	// +nullable
 	Old *OldTLSProfile `json:"old,omitempty"`
-	// intermediate is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+
+	// intermediate is a TLS profile for use when you do not need compatibility with
+	// legacy clients and want to remain highly secure while being compatible with
+	// most clients currently in use.
 	//
-	// and looks like this (yaml):
+	// The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+	// by the "intermediate" profile ciphers.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS12
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-RSA-AES256-GCM-SHA384
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
-	//
 	//     - DHE-RSA-AES128-GCM-SHA256
-	//
 	//     - DHE-RSA-AES256-GCM-SHA384
 	//
-	//   minTLSVersion: VersionTLS12
-	//
 	// +optional
 	// +nullable
 	Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"`
-	// modern is a TLS security profile based on:
-	//
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
-	//
-	// and looks like this (yaml):
+
+	// modern is a TLS security profile for use with clients that support TLS 1.3 and
+	// do not need backward compatibility for older clients.
 	//
+	// This profile is equivalent to a Custom profile specified as:
+	//   minTLSVersion: VersionTLS13
 	//   ciphers:
-	//
 	//     - TLS_AES_128_GCM_SHA256
-	//
 	//     - TLS_AES_256_GCM_SHA384
-	//
 	//     - TLS_CHACHA20_POLY1305_SHA256
 	//
-	//   minTLSVersion: VersionTLS13
-	//
 	// +optional
 	// +nullable
 	Modern *ModernTLSProfile `json:"modern,omitempty"`
+
 	// custom is a user-defined TLS security profile. Be extremely careful using a custom
 	// profile as invalid configurations can be catastrophic. An example custom profile
 	// looks like this:
 	//
+	//   minTLSVersion: VersionTLS11
 	//   ciphers:
-	//
 	//     - ECDHE-ECDSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-CHACHA20-POLY1305
-	//
 	//     - ECDHE-RSA-AES128-GCM-SHA256
-	//
 	//     - ECDHE-ECDSA-AES128-GCM-SHA256
 	//
-	//   minTLSVersion: VersionTLS11
-	//
 	// +optional
 	// +nullable
 	Custom *CustomTLSProfile `json:"custom,omitempty"`
 }
 
-// OldTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+// OldTLSProfile is a TLS security profile based on the "old" configuration of
+// the Mozilla Server Side TLS configuration guidelines.
 type OldTLSProfile struct{}
 
-// IntermediateTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+// IntermediateTLSProfile is a TLS security profile based on the "intermediate"
+// configuration of the Mozilla Server Side TLS configuration guidelines.
 type IntermediateTLSProfile struct{}
 
-// ModernTLSProfile is a TLS security profile based on:
-// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+// ModernTLSProfile is a TLS security profile based on the "modern" configuration
+// of the Mozilla Server Side TLS configuration guidelines.
 type ModernTLSProfile struct{}
 
 // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
@@ -189,16 +141,19 @@ type CustomTLSProfile struct {
 type TLSProfileType string
 
 const (
-	// Old is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+	// TLSProfileOldType sets parameters based on the "old" configuration of
+	// the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileOldType TLSProfileType = "Old"
-	// Intermediate is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+
+	// TLSProfileIntermediateType sets parameters based on the "intermediate"
+	// configuration of the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileIntermediateType TLSProfileType = "Intermediate"
-	// Modern is a TLS security profile based on:
-	// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+
+	// TLSProfileModernType sets parameters based on the "modern" configuration
+	// of the Mozilla Server Side TLS configuration guidelines.
 	TLSProfileModernType TLSProfileType = "Modern"
-	// Custom is a TLS security profile that allows for user-defined parameters.
+
+	// TLSProfileCustomType is a TLS security profile that allows for user-defined parameters.
 	TLSProfileCustomType TLSProfileType = "Custom"
 )
 
@@ -219,8 +174,6 @@ type TLSProfileSpec struct {
 	//
 	//   minTLSVersion: VersionTLS11
 	//
-	// NOTE: currently the highest minTLSVersion allowed is VersionTLS12
-	//
 	MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
 }
 
@@ -245,11 +198,16 @@ const (
 	VersionTLS13 TLSProtocolVersion = "VersionTLS13"
 )
 
-// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec.
+// TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec.
+//
+// These profiles are based on version 5.0 of the Mozilla Server Side TLS
+// configuration guidelines (2019-06-28) with TLS 1.3 cipher suites prepended for
+// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
 //
-// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all
-// entries map to values for all binaries.  In the case of ties, the kube-apiserver wins.  Do not fail,
-// just be sure to whitelist only and everything will be ok.
+// NOTE: The caller needs to make sure to check that these constants are valid
+// for their binary. Not all entries map to values for all binaries. In the case
+// of ties, the kube-apiserver wins. Do not fail, just be sure to include only
+// valid entries and everything will be ok.
 var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 	TLSProfileOldType: {
 		Ciphers: []string{
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
index fe8c1122735b8..30b85b78e9666 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
@@ -316,6 +316,22 @@ func (in *AWSServiceEndpoint) DeepCopy() *AWSServiceEndpoint {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AcceptRisk) DeepCopyInto(out *AcceptRisk) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceptRisk.
+func (in *AcceptRisk) DeepCopy() *AcceptRisk {
+	if in == nil {
+		return nil
+	}
+	out := new(AcceptRisk)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdmissionConfig) DeepCopyInto(out *AdmissionConfig) {
 	*out = *in
@@ -1393,7 +1409,7 @@ func (in *ClusterVersionSpec) DeepCopyInto(out *ClusterVersionSpec) {
 	if in.DesiredUpdate != nil {
 		in, out := &in.DesiredUpdate, &out.DesiredUpdate
 		*out = new(Update)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Capabilities != nil {
 		in, out := &in.Capabilities, &out.Capabilities
@@ -1456,6 +1472,13 @@ func (in *ClusterVersionStatus) DeepCopyInto(out *ClusterVersionStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ConditionalUpdateRisks != nil {
+		in, out := &in.ConditionalUpdateRisks, &out.ConditionalUpdateRisks
+		*out = make([]ConditionalUpdateRisk, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -1544,6 +1567,11 @@ func (in *ComponentRouteStatus) DeepCopy() *ComponentRouteStatus {
 func (in *ConditionalUpdate) DeepCopyInto(out *ConditionalUpdate) {
 	*out = *in
 	in.Release.DeepCopyInto(&out.Release)
+	if in.RiskNames != nil {
+		in, out := &in.RiskNames, &out.RiskNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Risks != nil {
 		in, out := &in.Risks, &out.Risks
 		*out = make([]ConditionalUpdateRisk, len(*in))
@@ -1574,6 +1602,13 @@ func (in *ConditionalUpdate) DeepCopy() *ConditionalUpdate {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionalUpdateRisk) DeepCopyInto(out *ConditionalUpdateRisk) {
 	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.MatchingRules != nil {
 		in, out := &in.MatchingRules, &out.MatchingRules
 		*out = make([]ClusterCondition, len(*in))
@@ -1736,6 +1771,27 @@ func (in *ConsoleStatus) DeepCopy() *ConsoleStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Custom) DeepCopyInto(out *Custom) {
+	*out = *in
+	if in.Configs != nil {
+		in, out := &in.Configs, &out.Configs
+		*out = make([]GathererConfig, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Custom.
+func (in *Custom) DeepCopy() *Custom {
+	if in == nil {
+		return nil
+	}
+	out := new(Custom)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) {
 	*out = *in
@@ -2340,33 +2396,6 @@ func (in *FeatureGateTests) DeepCopy() *FeatureGateTests {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
-	*out = *in
-	if in.FulcioCAData != nil {
-		in, out := &in.FulcioCAData, &out.FulcioCAData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.FulcioSubject = in.FulcioSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
-	if in == nil {
-		return nil
-	}
-	out := new(FulcioCAWithRekor)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GCPPlatformSpec) DeepCopyInto(out *GCPPlatformSpec) {
 	*out = *in
@@ -2446,6 +2475,62 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
+	*out = *in
+	if in.DataPolicy != nil {
+		in, out := &in.DataPolicy, &out.DataPolicy
+		*out = make([]DataPolicyOption, len(*in))
+		copy(*out, *in)
+	}
+	in.Gatherers.DeepCopyInto(&out.Gatherers)
+	out.Storage = in.Storage
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatherConfig.
+func (in *GatherConfig) DeepCopy() *GatherConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GatherConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GathererConfig) DeepCopyInto(out *GathererConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GathererConfig.
+func (in *GathererConfig) DeepCopy() *GathererConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(GathererConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Gatherers) DeepCopyInto(out *Gatherers) {
+	*out = *in
+	in.Custom.DeepCopyInto(&out.Custom)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gatherers.
+func (in *Gatherers) DeepCopy() *Gatherers {
+	if in == nil {
+		return nil
+	}
+	out := new(Gatherers)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) {
 	*out = *in
@@ -3067,6 +3152,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) {
+	*out = *in
+	if in.FulcioCAData != nil {
+		in, out := &in.FulcioCAData, &out.FulcioCAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.FulcioSubject = in.FulcioSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyFulcioCAWithRekorRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
 	*out = *in
@@ -3100,6 +3212,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) {
+	*out = *in
+	if in.CertificateAuthorityRootsData != nil {
+		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CertificateAuthorityIntermediatesData != nil {
+		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.PKICertificateSubject = in.PKICertificateSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPKIRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) {
+	*out = *in
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPublicKeyRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
 	*out = *in
@@ -3145,6 +3310,28 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) {
+	*out = *in
+	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+	if in.SignedIdentity != nil {
+		in, out := &in.SignedIdentity, &out.SignedIdentity
+		*out = new(PolicyIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy.
+func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageSigstoreVerificationPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageSpec) DeepCopyInto(out *ImageSpec) {
 	*out = *in
@@ -3549,6 +3736,83 @@ func (in *IngressStatus) DeepCopy() *IngressStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGather.
+func (in *InsightsDataGather) DeepCopy() *InsightsDataGather {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGather)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InsightsDataGather) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGatherList) DeepCopyInto(out *InsightsDataGatherList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]InsightsDataGather, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherList.
+func (in *InsightsDataGatherList) DeepCopy() *InsightsDataGatherList {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGatherList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InsightsDataGatherList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InsightsDataGatherSpec) DeepCopyInto(out *InsightsDataGatherSpec) {
+	*out = *in
+	in.GatherConfig.DeepCopyInto(&out.GatherConfig)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherSpec.
+func (in *InsightsDataGatherSpec) DeepCopy() *InsightsDataGatherSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(InsightsDataGatherSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) {
 	*out = *in
@@ -4578,6 +4842,11 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.UserValidationRules != nil {
+		in, out := &in.UserValidationRules, &out.UserValidationRules
+		*out = make([]TokenUserValidationRule, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -4956,44 +5225,50 @@ func (in *OvirtPlatformStatus) DeepCopy() *OvirtPlatformStatus {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKI) DeepCopyInto(out *PKI) {
+func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
 	*out = *in
-	if in.CertificateAuthorityRootsData != nil {
-		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CertificateAuthorityIntermediatesData != nil {
-		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject.
+func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject {
+	if in == nil {
+		return nil
 	}
-	out.PKICertificateSubject = in.PKICertificateSubject
+	out := new(PKICertificateSubject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) {
+	*out = *in
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
-func (in *PKI) DeepCopy() *PKI {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference.
+func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference {
 	if in == nil {
 		return nil
 	}
-	out := new(PKI)
+	out := new(PersistentVolumeClaimReference)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
+func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) {
 	*out = *in
+	out.Claim = in.Claim
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKICertificateSubject.
-func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig.
+func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(PKICertificateSubject)
+	out := new(PersistentVolumeConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -5170,28 +5445,6 @@ func (in *PlatformStatus) DeepCopy() *PlatformStatus {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	*out = *in
-	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
-	if in.SignedIdentity != nil {
-		in, out := &in.SignedIdentity, &out.SignedIdentity
-		*out = new(PolicyIdentity)
-		(*in).DeepCopyInto(*out)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
 	*out = *in
@@ -5271,17 +5524,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
 	*out = *in
 	if in.PublicKey != nil {
 		in, out := &in.PublicKey, &out.PublicKey
-		*out = new(PublicKey)
+		*out = new(ImagePolicyPublicKeyRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.FulcioCAWithRekor != nil {
 		in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
-		*out = new(FulcioCAWithRekor)
+		*out = new(ImagePolicyFulcioCAWithRekorRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PKI != nil {
 		in, out := &in.PKI, &out.PKI
-		*out = new(PKI)
+		*out = new(ImagePolicyPKIRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	return
@@ -5597,32 +5850,6 @@ func (in *ProxyStatus) DeepCopy() *ProxyStatus {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PublicKey) DeepCopyInto(out *PublicKey) {
-	*out = *in
-	if in.KeyData != nil {
-		in, out := &in.KeyData, &out.KeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
-func (in *PublicKey) DeepCopy() *PublicKey {
-	if in == nil {
-		return nil
-	}
-	out := new(PublicKey)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegistryLocation) DeepCopyInto(out *RegistryLocation) {
 	*out = *in
@@ -5960,6 +6187,23 @@ func (in *SignatureStore) DeepCopy() *SignatureStore {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Storage) DeepCopyInto(out *Storage) {
+	*out = *in
+	out.PersistentVolume = in.PersistentVolume
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage.
+func (in *Storage) DeepCopy() *Storage {
+	if in == nil {
+		return nil
+	}
+	out := new(Storage)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringSource) DeepCopyInto(out *StringSource) {
 	*out = *in
@@ -6201,6 +6445,22 @@ func (in *TokenClaimOrExpressionMapping) DeepCopy() *TokenClaimOrExpressionMappi
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenClaimValidationCELRule) DeepCopyInto(out *TokenClaimValidationCELRule) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenClaimValidationCELRule.
+func (in *TokenClaimValidationCELRule) DeepCopy() *TokenClaimValidationCELRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenClaimValidationCELRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule) {
 	*out = *in
@@ -6209,6 +6469,7 @@ func (in *TokenClaimValidationRule) DeepCopyInto(out *TokenClaimValidationRule)
 		*out = new(TokenRequiredClaim)
 		**out = **in
 	}
+	out.CEL = in.CEL
 	return
 }
 
@@ -6281,9 +6542,30 @@ func (in *TokenRequiredClaim) DeepCopy() *TokenRequiredClaim {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenUserValidationRule) DeepCopyInto(out *TokenUserValidationRule) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenUserValidationRule.
+func (in *TokenUserValidationRule) DeepCopy() *TokenUserValidationRule {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenUserValidationRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Update) DeepCopyInto(out *Update) {
 	*out = *in
+	if in.AcceptRisks != nil {
+		in, out := &in.AcceptRisks, &out.AcceptRisks
+		*out = make([]AcceptRisk, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
index e56c1a15a9d8c..eb7c485e03fcb 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -6,6 +6,7 @@ apiservers.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - KMSEncryption
   - KMSEncryptionProvider
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
@@ -31,6 +32,7 @@ authentications.config.openshift.io:
   FeatureGates:
   - ExternalOIDC
   - ExternalOIDCWithUIDAndExtraClaimMappings
+  - ExternalOIDCWithUpstreamParity
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"
@@ -141,6 +143,7 @@ clusterversions.config.openshift.io:
   Capability: ""
   Category: ""
   FeatureGates:
+  - ClusterUpdateAcceptRisks
   - ImageStreamImportMode
   - SignatureStores
   FilenameOperatorName: cluster-version-operator
@@ -410,6 +413,29 @@ ingresses.config.openshift.io:
   TopLevelFeatureGates: []
   Version: v1
 
+insightsdatagathers.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2448
+  CRDName: insightsdatagathers.config.openshift.io
+  Capability: Insights
+  Category: ""
+  FeatureGates:
+  - InsightsConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: false
+  KindName: InsightsDataGather
+  Labels: {}
+  PluralName: insightsdatagathers
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - InsightsConfig
+  Version: v1
+
 networks.config.openshift.io:
   Annotations:
     release.openshift.io/bootstrap-required: "true"
@@ -417,8 +443,7 @@ networks.config.openshift.io:
   CRDName: networks.config.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates:
-  - NetworkDiagnosticsConfig
+  FeatureGates: []
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
index 766ac5ddab3e4..7f0018950a9d0 100644
--- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
@@ -407,11 +407,11 @@ func (ExtraMapping) SwaggerDoc() map[string]string {
 }
 
 var map_OIDCClientConfig = map[string]string{
-	"":                   "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method",
-	"componentName":      "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
-	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"":                   "OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.",
+	"componentName":      "componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.\n\nIt is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
 	"clientID":           "clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider. The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.\n\nclientID must not be an empty string (\"\").",
-	"clientSecret":       "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field. The client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.",
+	"clientSecret":       "clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.\n\nWhen not specified, no client secret will be used when making authentication requests to the identity provider.\n\nWhen specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.\n\nThe client secret will be used when making authentication requests to the identity provider.\n\nPublic clients do not require a client secret but private clients do require a client secret to work with the identity provider.",
 	"extraScopes":        "extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider. This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.\n\nWhen omitted, no additional scopes are requested.",
 }
 
@@ -433,8 +433,8 @@ func (OIDCClientReference) SwaggerDoc() map[string]string {
 var map_OIDCClientStatus = map[string]string{
 	"":                   "OIDCClientStatus represents the current state of platform components and how they interact with the configured identity providers.",
 	"componentName":      "componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode. It is used in combination with componentNamespace as a unique identifier.\n\ncomponentName must not be an empty string (\"\") and must not exceed 256 characters in length.",
-	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running. It is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
-	"currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using. Entries must have unique issuerURL/clientID pairs.",
+	"componentNamespace": "componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.\n\nIt is used in combination with componentName as a unique identifier.\n\ncomponentNamespace must not be an empty string (\"\") and must not exceed 63 characters in length.",
+	"currentOIDCClients": "currentOIDCClients is an optional list of clients that the component is currently using.\n\nEntries must have unique issuerURL/clientID pairs.",
 	"consumingUsers":     "consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.\n\nconsumingUsers must not exceed 5 entries.",
 	"conditions":         "conditions are used to communicate the state of the `oidcClients` entry.\n\nSupported conditions include Available, Degraded and Progressing.\n\nIf Available is true, the component is successfully using the configured client. If Degraded is true, that means something has gone wrong trying to handle the client configuration. If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.",
 }
@@ -449,6 +449,7 @@ var map_OIDCProvider = map[string]string{
 	"oidcClients":          "oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider. oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.",
 	"claimMappings":        "claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.",
 	"claimValidationRules": "claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.\n\nValidation rules are joined via an AND operation.",
+	"userValidationRules":  "userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes. Rules are CEL expressions that must evaluate to 'true' for authentication to succeed. If any rule in the chain of rules evaluates to 'false', authentication will fail. When specified, at least one rule must be specified and no more than 64 rules may be specified.",
 }
 
 func (OIDCProvider) SwaggerDoc() map[string]string {
@@ -457,7 +458,7 @@ func (OIDCProvider) SwaggerDoc() map[string]string {
 
 var map_PrefixedClaimMapping = map[string]string{
 	"":       "PrefixedClaimMapping configures a claim mapping that allows for an optional prefix.",
-	"prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and  \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
+	"prefix": "prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.\n\nWhen omitted (\"\"), no prefix is applied to the cluster identity attribute.\n\nExample: if `prefix` is set to \"myoidc:\" and the `claim` in JWT contains an array of strings \"a\", \"b\" and \"c\", the mapping will result in an array of string \"myoidc:a\", \"myoidc:b\" and \"myoidc:c\".",
 }
 
 func (PrefixedClaimMapping) SwaggerDoc() map[string]string {
@@ -475,9 +476,9 @@ func (TokenClaimMapping) SwaggerDoc() map[string]string {
 
 var map_TokenClaimMappings = map[string]string{
 	"username": "username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.",
-	"groups":   "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider. When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (','). For example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.",
-	"uid":      "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time. The current default is to use the 'sub' claim.",
-	"extra":    "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity. key values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.",
+	"groups":   "groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.\n\nWhen referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').\n\nFor example - '\"example\"' and '\"exampleOne\", \"exampleTwo\", \"exampleThree\"' are valid claim values.",
+	"uid":      "uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.\n\nWhen using uid.claim to specify the claim it must be a single string value. When using uid.expression the expression must result in a single string value.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.\n\nThe current default is to use the 'sub' claim.",
+	"extra":    "extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity. When omitted, no extra attributes will be present on the cluster identity.\n\nkey values for extra mappings must be unique. A maximum of 32 extra attribute mappings may be provided.",
 }
 
 func (TokenClaimMappings) SwaggerDoc() map[string]string {
@@ -494,9 +495,20 @@ func (TokenClaimOrExpressionMapping) SwaggerDoc() map[string]string {
 	return map_TokenClaimOrExpressionMapping
 }
 
+var map_TokenClaimValidationCELRule = map[string]string{
+	"expression": "expression is a CEL expression evaluated against token claims. expression is required, must be at least 1 character in length and must not exceed 1024 characters. The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.",
+	"message":    "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenClaimValidationCELRule) SwaggerDoc() map[string]string {
+	return map_TokenClaimValidationCELRule
+}
+
 var map_TokenClaimValidationRule = map[string]string{
-	"type":          "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
-	"requiredClaim": "requiredClaim is an optional field that configures the required claim and value that the Kubernetes API server will use to validate if an incoming JWT is valid for this identity provider.",
+	"":              "TokenClaimValidationRule represents a validation rule based on token claims. If type is RequiredClaim, requiredClaim must be set. If Type is CEL, CEL must be set and RequiredClaim must be omitted.",
+	"type":          "type is an optional field that configures the type of the validation rule.\n\nAllowed values are \"RequiredClaim\" and \"CEL\".\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nWhen set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.",
+	"requiredClaim": "requiredClaim allows configuring a required claim name and its expected value. This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value. The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.",
+	"cel":           "cel holds the CEL expression and message for validation. Must be set when Type is \"CEL\", and forbidden otherwise.",
 }
 
 func (TokenClaimValidationRule) SwaggerDoc() map[string]string {
@@ -507,6 +519,7 @@ var map_TokenIssuer = map[string]string{
 	"issuerURL":                  "issuerURL is a required field that configures the URL used to issue tokens by the identity provider. The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.\n\nMust be at least 1 character and must not exceed 512 characters in length. Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.",
 	"audiences":                  "audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to. At least one of the entries must match the 'aud' claim in the JWT token.\n\naudiences must contain at least one entry and must not exceed ten entries.",
 	"issuerCertificateAuthority": "issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.\n\nWhen not specified, the system trust is used.\n\nWhen specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.",
+	"discoveryURL":               "discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata. By default, the discovery URL is derived from `issuerURL` as \"{issuerURL}/.well-known/openid-configuration\".\n\nThe discoveryURL must be a valid absolute HTTPS URL. It must not contain query parameters, user information, or fragments. Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes). The discoveryURL value must be at least 1 character long and no longer than 2048 characters.",
 }
 
 func (TokenIssuer) SwaggerDoc() map[string]string {
@@ -522,9 +535,19 @@ func (TokenRequiredClaim) SwaggerDoc() map[string]string {
 	return map_TokenRequiredClaim
 }
 
+var map_TokenUserValidationRule = map[string]string{
+	"":           "TokenUserValidationRule provides a CEL-based rule used to validate a token subject. Each rule contains a CEL expression that is evaluated against the token’s claims.",
+	"expression": "expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.\n\nThe expression must evaluate to a boolean value. When the expression evaluates to 'true', the cluster user identity is considered valid. When the expression evaluates to 'false', the cluster user identity is not considered valid. expression must be at least 1 character in length and must not exceed 1024 characters.",
+	"message":    "message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails. message must be at least 1 character in length and must not exceed 256 characters.",
+}
+
+func (TokenUserValidationRule) SwaggerDoc() map[string]string {
+	return map_TokenUserValidationRule
+}
+
 var map_UsernameClaimMapping = map[string]string{
 	"claim":        "claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.\n\nclaim must not be an empty string (\"\") and must not exceed 256 characters.",
-	"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+	"prefixPolicy": "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.\n\nThe prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.\n\nAs an example, consider the following scenario:\n\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
 	"prefix":       "prefix configures the prefix that should be prepended to the value of the JWT claim.\n\nprefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.",
 }
 
@@ -724,6 +747,15 @@ func (OperandVersion) SwaggerDoc() map[string]string {
 	return map_OperandVersion
 }
 
+var map_AcceptRisk = map[string]string{
+	"":     "AcceptRisk represents a risk that is considered acceptable.",
+	"name": "name is the name of the acceptable risk. It must be a non-empty string and must not exceed 256 characters.",
+}
+
+func (AcceptRisk) SwaggerDoc() map[string]string {
+	return map_AcceptRisk
+}
+
 var map_ClusterCondition = map[string]string{
 	"":       "ClusterCondition is a union of typed cluster conditions.  The 'type' property determines which of the type-specific properties are relevant. When evaluated on a cluster, the condition may match, not match, or fail to evaluate.",
 	"type":   "type represents the cluster-condition type. This defines the members and semantics of any additional properties.",
@@ -790,15 +822,16 @@ func (ClusterVersionSpec) SwaggerDoc() map[string]string {
 }
 
 var map_ClusterVersionStatus = map[string]string{
-	"":                   "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
-	"desired":            "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
-	"history":            "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
-	"observedGeneration": "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
-	"versionHash":        "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
-	"capabilities":       "capabilities describes the state of optional, core cluster components.",
-	"conditions":         "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
-	"availableUpdates":   "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
-	"conditionalUpdates": "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+	"":                       "ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.",
+	"desired":                "desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag.",
+	"history":                "history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved.",
+	"observedGeneration":     "observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version.",
+	"versionHash":            "versionHash is a fingerprint of the content that the cluster will be updated with. It is used by the operator to avoid unnecessary work and is for internal use only.",
+	"capabilities":           "capabilities describes the state of optional, core cluster components.",
+	"conditions":             "conditions provides information about the cluster version. The condition \"Available\" is set to true if the desiredUpdate has been reached. The condition \"Progressing\" is set to true if an update is being applied. The condition \"Degraded\" is set to true if an update is currently blocked by a temporary or permanent error. Conditions are only valid for the current desiredUpdate when metadata.generation is equal to status.generation.",
+	"availableUpdates":       "availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified.",
+	"conditionalUpdates":     "conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.",
+	"conditionalUpdateRisks": "conditionalUpdateRisks contains the list of risks associated with conditionalUpdates. When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field. If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked. The risk names in the list must be unique. conditionalUpdateRisks must not contain more than 500 entries.",
 }
 
 func (ClusterVersionStatus) SwaggerDoc() map[string]string {
@@ -821,6 +854,7 @@ func (ComponentOverride) SwaggerDoc() map[string]string {
 var map_ConditionalUpdate = map[string]string{
 	"":           "ConditionalUpdate represents an update which is recommended to some clusters on the version the current cluster is reconciling, but which may not be recommended for the current cluster.",
 	"release":    "release is the target of the update.",
+	"riskNames":  "riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters. The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster. A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator. The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field. Entries must be unique and must not exceed 256 characters. riskNames must not contain more than 500 entries.",
 	"risks":      "risks represents the range of issues associated with updating to the target release. The cluster-version operator will evaluate all entries, and only recommend the update if there is at least one entry and all entries recommend the update.",
 	"conditions": "conditions represents the observations of the conditional update's current status. Known types are: * Recommended, for whether the update is recommended for the current cluster.",
 }
@@ -831,6 +865,7 @@ func (ConditionalUpdate) SwaggerDoc() map[string]string {
 
 var map_ConditionalUpdateRisk = map[string]string{
 	"":              "ConditionalUpdateRisk represents a reason and cluster-state for not recommending a conditional update.",
+	"conditions":    "conditions represents the observations of the conditional update risk's current status. Known types are: * Applies, for whether the risk applies to the current cluster. The condition's types in the list must be unique. conditions must not contain more than one entry.",
 	"url":           "url contains information about this risk.",
 	"name":          "name is the CamelCase reason for not recommending a conditional update, in the event that matchingRules match the cluster state.",
 	"message":       "message provides additional information about the risk of updating, in the event that matchingRules match the cluster state. This is only to be consumed by humans. It may contain Line Feed characters (U+000A), which should be rendered as new lines.",
@@ -879,6 +914,7 @@ var map_Update = map[string]string{
 	"version":      "version is a semantic version identifying the update version. version is required if architecture is specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
 	"image":        "image is a container image location that contains the update. image should be used when the desired version does not exist in availableUpdates or history. When image is set, architecture cannot be specified. If both version and image are set, the version extracted from the referenced image must match the specified version.",
 	"force":        "force allows an administrator to update to an image that has failed verification or upgradeable checks that are designed to keep your cluster safe. Only use this if: * you are testing unsigned release images in short-lived test clusters or * you are working around a known bug in the cluster-version\n  operator and you have verified the authenticity of the provided\n  image yourself.\nThe provided image will run with full administrative access to the cluster. Do not use this flag with images that come from unknown or potentially malicious sources.",
+	"acceptRisks":  "acceptRisks is an optional set of names of conditional update risks that are considered acceptable. A conditional update is performed only if all of its risks are acceptable. This list may contain entries that apply to current, previous or future updates. The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks. acceptRisks must not contain more than 1000 entries. Entries in this list must be unique.",
 }
 
 func (Update) SwaggerDoc() map[string]string {
@@ -893,7 +929,7 @@ var map_UpdateHistory = map[string]string{
 	"version":        "version is a semantic version identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.",
 	"image":          "image is a container image location that contains the update. This value is always populated.",
 	"verified":       "verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.",
-	"acceptedRisks":  "acceptedRisks records risks which were accepted to initiate the update. For example, it may menition an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
+	"acceptedRisks":  "acceptedRisks records risks which were accepted to initiate the update. For example, it may mention an Upgradeable=False or missing signature that was overridden via desiredUpdate.force, or an update that was initiated despite not being in the availableUpdates set of recommended update targets.",
 }
 
 func (UpdateHistory) SwaggerDoc() map[string]string {
@@ -1214,17 +1250,6 @@ func (ImageDigestMirrors) SwaggerDoc() map[string]string {
 	return map_ImageDigestMirrors
 }
 
-var map_FulcioCAWithRekor = map[string]string{
-	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
-	"fulcioCAData":  "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
-	"rekorKeyData":  "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
-	"fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
-}
-
-func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
-	return map_FulcioCAWithRekor
-}
-
 var map_ImagePolicy = map[string]string{
 	"":         "ImagePolicy holds namespace-wide configuration for image signature verification\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1236,6 +1261,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string {
 	return map_ImagePolicy
 }
 
+var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{
+	"":              "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+	"fulcioCAData":  "fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters. ",
+	"rekorKeyData":  "rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+	"fulcioSubject": "fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyFulcioCAWithRekorRootOfTrust
+}
+
 var map_ImagePolicyList = map[string]string{
 	"":         "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1246,6 +1282,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string {
 	return map_ImagePolicyList
 }
 
+var map_ImagePolicyPKIRootOfTrust = map[string]string{
+	"":                      "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPKIRootOfTrust
+}
+
+var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{
+	"":             "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.",
+	"keyData":      "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
+	"rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
+}
+
+func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPublicKeyRootOfTrust
+}
+
 var map_ImagePolicySpec = map[string]string{
 	"":       "ImagePolicySpec is the specification of the ImagePolicy CRD.",
 	"scopes": "scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
@@ -1264,15 +1321,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string {
 	return map_ImagePolicyStatus
 }
 
-var map_PKI = map[string]string{
-	"":                      "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
-	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
-	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
-	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+var map_ImageSigstoreVerificationPolicy = map[string]string{
+	"":               "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.",
+	"rootOfTrust":    "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
+	"signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
 }
 
-func (PKI) SwaggerDoc() map[string]string {
-	return map_PKI
+func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string {
+	return map_ImageSigstoreVerificationPolicy
 }
 
 var map_PKICertificateSubject = map[string]string{
@@ -1285,16 +1341,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string {
 	return map_PKICertificateSubject
 }
 
-var map_Policy = map[string]string{
-	"":               "Policy defines the verification policy for the items in the scopes list.",
-	"rootOfTrust":    "rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval. This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.",
-	"signedIdentity": "signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
-}
-
-func (Policy) SwaggerDoc() map[string]string {
-	return map_Policy
-}
-
 var map_PolicyFulcioSubject = map[string]string{
 	"":            "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
 	"oidcIssuer":  "oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
@@ -1345,16 +1391,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
 	return map_PolicyRootOfTrust
 }
 
-var map_PublicKey = map[string]string{
-	"":             "PublicKey defines the root of trust based on a sigstore public key.",
-	"keyData":      "keyData is a required field contains inline base64-encoded data for the PEM format public key. keyData must be at most 8192 characters. ",
-	"rekorKeyData": "rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters. ",
-}
-
-func (PublicKey) SwaggerDoc() map[string]string {
-	return map_PublicKey
-}
-
 var map_ImageTagMirrorSet = map[string]string{
 	"":         "ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification. When multiple policies are defined, the outcome of the behavior is defined on each field.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -1888,7 +1924,7 @@ func (OvirtPlatformStatus) SwaggerDoc() map[string]string {
 
 var map_PlatformSpec = map[string]string{
 	"":             "PlatformSpec holds the desired state specific to the underlying infrastructure provider of the current cluster. Since these are used at spec-level for the underlying cluster, it is supposed that only one of the spec structs is set.",
-	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\" and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
+	"type":         "type is the underlying infrastructure provider for the cluster. This value controls whether infrastructure automation such as service load balancers, dynamic volume provisioning, machine creation and deletion, and other integrations are enabled. If None, no infrastructure automation is enabled. Allowed values are \"AWS\", \"Azure\", \"BareMetal\", \"GCP\", \"Libvirt\", \"OpenStack\", \"VSphere\", \"oVirt\", \"IBMCloud\", \"KubeVirt\", \"EquinixMetal\", \"PowerVS\", \"AlibabaCloud\", \"Nutanix\", \"External\", and \"None\". Individual components may not support all platforms, and must handle unrecognized platforms as None if they do not support that platform.",
 	"aws":          "aws contains settings specific to the Amazon Web Services infrastructure provider.",
 	"azure":        "azure contains settings specific to the Azure infrastructure provider.",
 	"gcp":          "gcp contains settings specific to the Google Cloud Platform infrastructure provider.",
@@ -2191,6 +2227,104 @@ func (LoadBalancer) SwaggerDoc() map[string]string {
 	return map_LoadBalancer
 }
 
+var map_Custom = map[string]string{
+	"":        "Custom provides the custom configuration of gatherers",
+	"configs": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"",
+}
+
+func (Custom) SwaggerDoc() map[string]string {
+	return map_Custom
+}
+
+var map_GatherConfig = map[string]string{
+	"":           "GatherConfig provides data gathering configuration options.",
+	"dataPolicy": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.",
+	"gatherers":  "gatherers is a required field that specifies the configuration of the gatherers.",
+	"storage":    "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.",
+}
+
+func (GatherConfig) SwaggerDoc() map[string]string {
+	return map_GatherConfig
+}
+
+var map_GathererConfig = map[string]string{
+	"":      "GathererConfig allows to configure specific gatherers",
+	"name":  "name is the required name of a specific gatherer. It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"",
+	"state": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.",
+}
+
+func (GathererConfig) SwaggerDoc() map[string]string {
+	return map_GathererConfig
+}
+
+var map_Gatherers = map[string]string{
+	"":       "Gatherers specifies the configuration of the gatherers",
+	"mode":   "mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. When set to All, all gatherers will run and gather data. When set to None, all gatherers will be disabled and no data will be gathered. When set to Custom, the custom configuration from the custom field will be applied.",
+	"custom": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.",
+}
+
+func (Gatherers) SwaggerDoc() map[string]string {
+	return map_Gatherers
+}
+
+var map_InsightsDataGather = map[string]string{
+	"":         "InsightsDataGather provides data gather configuration options for the Insights Operator.\n\n\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec holds user settable values for configuration",
+}
+
+func (InsightsDataGather) SwaggerDoc() map[string]string {
+	return map_InsightsDataGather
+}
+
+var map_InsightsDataGatherList = map[string]string{
+	"":         "InsightsDataGatherList is a collection of items Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
+	"metadata": "metadata is the required standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"items":    "items is the required list of InsightsDataGather objects it may not exceed 100 items",
+}
+
+func (InsightsDataGatherList) SwaggerDoc() map[string]string {
+	return map_InsightsDataGatherList
+}
+
+var map_InsightsDataGatherSpec = map[string]string{
+	"":             "InsightsDataGatherSpec contains the configuration for the data gathering.",
+	"gatherConfig": "gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.",
+}
+
+func (InsightsDataGatherSpec) SwaggerDoc() map[string]string {
+	return map_InsightsDataGatherSpec
+}
+
+var map_PersistentVolumeClaimReference = map[string]string{
+	"":     "PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.",
+	"name": "name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. It is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.",
+}
+
+func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimReference
+}
+
+var map_PersistentVolumeConfig = map[string]string{
+	"":          "PersistentVolumeConfig provides configuration options for PersistentVolume storage.",
+	"claim":     "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.",
+	"mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.",
+}
+
+func (PersistentVolumeConfig) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeConfig
+}
+
+var map_Storage = map[string]string{
+	"":                 "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.",
+	"type":             "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.",
+	"persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.",
+}
+
+func (Storage) SwaggerDoc() map[string]string {
+	return map_Storage
+}
+
 var map_AWSKMSConfig = map[string]string{
 	"":       "AWSKMSConfig defines the KMS config specific to AWS KMS provider",
 	"keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where: - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `<account_id>` is a 12-digit numeric identifier for the AWS account. - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.",
@@ -2845,7 +2979,7 @@ func (CustomTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_IntermediateTLSProfile = map[string]string{
-	"": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+	"": "IntermediateTLSProfile is a TLS security profile based on the \"intermediate\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
@@ -2853,7 +2987,7 @@ func (IntermediateTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_ModernTLSProfile = map[string]string{
-	"": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+	"": "ModernTLSProfile is a TLS security profile based on the \"modern\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (ModernTLSProfile) SwaggerDoc() map[string]string {
@@ -2861,7 +2995,7 @@ func (ModernTLSProfile) SwaggerDoc() map[string]string {
 }
 
 var map_OldTLSProfile = map[string]string{
-	"": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+	"": "OldTLSProfile is a TLS security profile based on the \"old\" configuration of the Mozilla Server Side TLS configuration guidelines.",
 }
 
 func (OldTLSProfile) SwaggerDoc() map[string]string {
@@ -2871,7 +3005,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string {
 var map_TLSProfileSpec = map[string]string{
 	"":              "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.",
 	"ciphers":       "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake.  Operators may remove entries their operands do not support.  For example, to use DES-CBC3-SHA  (yaml):\n\n  ciphers:\n    - DES-CBC3-SHA",
-	"minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+	"minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n  minTLSVersion: VersionTLS11",
 }
 
 func (TLSProfileSpec) SwaggerDoc() map[string]string {
@@ -2880,11 +3014,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string {
 
 var map_TLSSecurityProfile = map[string]string{
 	"":             "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.",
-	"type":         "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure.  Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.",
-	"old":          "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n    - DHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-ECDSA-AES128-SHA256\n\n    - ECDHE-RSA-AES128-SHA256\n\n    - ECDHE-ECDSA-AES128-SHA\n\n    - ECDHE-RSA-AES128-SHA\n\n    - ECDHE-ECDSA-AES256-SHA384\n\n    - ECDHE-RSA-AES256-SHA384\n\n    - ECDHE-ECDSA-AES256-SHA\n\n    - ECDHE-RSA-AES256-SHA\n\n    - DHE-RSA-AES128-SHA256\n\n    - DHE-RSA-AES256-SHA256\n\n    - AES128-GCM-SHA256\n\n    - AES256-GCM-SHA384\n\n    - AES128-SHA256\n\n    - AES256-SHA256\n\n    - AES128-SHA\n\n    - AES256-SHA\n\n    - DES-CBC3-SHA\n\n  minTLSVersion: VersionTLS10",
-	"intermediate": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n\n    - ECDHE-RSA-AES256-GCM-SHA384\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - DHE-RSA-AES128-GCM-SHA256\n\n    - DHE-RSA-AES256-GCM-SHA384\n\n  minTLSVersion: VersionTLS12",
-	"modern":       "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n  ciphers:\n\n    - TLS_AES_128_GCM_SHA256\n\n    - TLS_AES_256_GCM_SHA384\n\n    - TLS_CHACHA20_POLY1305_SHA256\n\n  minTLSVersion: VersionTLS13",
-	"custom":       "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n  ciphers:\n\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-CHACHA20-POLY1305\n\n    - ECDHE-RSA-AES128-GCM-SHA256\n\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n\n  minTLSVersion: VersionTLS11",
+	"type":         "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are currently based on version 5.0 of the Mozilla Server Side TLS configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.",
+	"old":          "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"old\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS10\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - DHE-RSA-AES128-GCM-SHA256\n    - DHE-RSA-AES256-GCM-SHA384\n    - DHE-RSA-CHACHA20-POLY1305\n    - ECDHE-ECDSA-AES128-SHA256\n    - ECDHE-RSA-AES128-SHA256\n    - ECDHE-ECDSA-AES128-SHA\n    - ECDHE-RSA-AES128-SHA\n    - ECDHE-ECDSA-AES256-SHA384\n    - ECDHE-RSA-AES256-SHA384\n    - ECDHE-ECDSA-AES256-SHA\n    - ECDHE-RSA-AES256-SHA\n    - DHE-RSA-AES128-SHA256\n    - DHE-RSA-AES256-SHA256\n    - AES128-GCM-SHA256\n    - AES256-GCM-SHA384\n    - AES128-SHA256\n    - AES256-SHA256\n    - AES128-SHA\n    - AES256-SHA\n    - DES-CBC3-SHA",
+	"intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe cipher list includes TLS 1.3 ciphers for forward compatibility, followed by the \"intermediate\" profile ciphers.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS12\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES256-GCM-SHA384\n    - ECDHE-RSA-AES256-GCM-SHA384\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - DHE-RSA-AES128-GCM-SHA256\n    - DHE-RSA-AES256-GCM-SHA384",
+	"modern":       "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n  minTLSVersion: VersionTLS13\n  ciphers:\n    - TLS_AES_128_GCM_SHA256\n    - TLS_AES_256_GCM_SHA384\n    - TLS_CHACHA20_POLY1305_SHA256",
+	"custom":       "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n  minTLSVersion: VersionTLS11\n  ciphers:\n    - ECDHE-ECDSA-CHACHA20-POLY1305\n    - ECDHE-RSA-CHACHA20-POLY1305\n    - ECDHE-RSA-AES128-GCM-SHA256\n    - ECDHE-ECDSA-AES128-GCM-SHA256",
 }
 
 func (TLSSecurityProfile) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/register.go b/vendor/github.com/openshift/api/config/v1alpha1/register.go
index 4b30ea380b1d3..c90962495050d 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/register.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ImagePolicyList{},
 		&ClusterImagePolicy{},
 		&ClusterImagePolicyList{},
+		&CRIOCredentialProviderConfig{},
+		&CRIOCredentialProviderConfigList{},
 	)
 	metav1.AddToGroupVersion(scheme, GroupVersion)
 	return nil
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
index 77df372d43ef5..0f3da5184752c 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_backup.go
@@ -93,7 +93,7 @@ type EtcdBackupSpec struct {
 	PVCName string `json:"pvcName"`
 }
 
-// RetentionType is the enumeration of valid retention policy types
+// RetentionType is the enumeration of valid retention policy types.
 // +enum
 // +kubebuilder:validation:Enum:="RetentionNumber";"RetentionSize"
 type RetentionType string
@@ -115,7 +115,6 @@ type RetentionPolicy struct {
 	// The current default is RetentionNumber with 15 backups kept.
 	// +unionDiscriminator
 	// +required
-	// +kubebuilder:validation:Enum:="";"RetentionNumber";"RetentionSize"
 	RetentionType RetentionType `json:"retentionType"`
 
 	// retentionNumber configures the retention policy based on the number of backups
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
index 107b9e29a484a..e8d7603d7b69f 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go
@@ -51,7 +51,7 @@ type ClusterImagePolicySpec struct {
 	// policy contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
index 0653eeb5a5ede..29bf8ba4884ea 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go
@@ -94,6 +94,11 @@ type ClusterMonitoringSpec struct {
 	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
 	// +optional
 	MetricsServerConfig MetricsServerConfig `json:"metricsServerConfig,omitempty,omitzero"`
+	// prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component.
+	// Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// +optional
+	PrometheusOperatorConfig PrometheusOperatorConfig `json:"prometheusOperatorConfig,omitempty,omitzero"`
 }
 
 // UserDefinedMonitoring config for user-defined projects.
@@ -185,6 +190,7 @@ type AlertmanagerCustomConfig struct {
 	//      limit: null
 	// Maximum length for this list is 10.
 	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
 	// +optional
 	// +listType=map
 	// +listMapKey=name
@@ -218,8 +224,8 @@ type AlertmanagerCustomConfig struct {
 	// When omitted, this means the user has no opinion and the platform is left
 	// to choose reasonable defaults. These defaults are subject to change over time.
 	// Defaults are empty/unset.
-	// Maximum length for this list is 10
-	// Minimum length for this list is 1
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
 	// +listType=atomic
@@ -235,7 +241,7 @@ type AlertmanagerCustomConfig struct {
 	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 	// Default is empty list.
 	// Maximum length for this list is 10.
-	// Minimum length for this list is 1
+	// Minimum length for this list is 1.
 	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
@@ -356,8 +362,8 @@ type MetricsServerConfig struct {
 	// When omitted, this means the user has no opinion and the platform is left
 	// to choose reasonable defaults. These defaults are subject to change over time.
 	// Defaults are empty/unset.
-	// Maximum length for this list is 10
-	// Minimum length for this list is 1
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
 	// +listType=atomic
@@ -389,6 +395,7 @@ type MetricsServerConfig struct {
 	//      limit: null
 	// Maximum length for this list is 10.
 	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
 	// +optional
 	// +listType=map
 	// +listMapKey=name
@@ -405,7 +412,91 @@ type MetricsServerConfig struct {
 	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
 	// Default is empty list.
 	// Maximum length for this list is 10.
-	// Minimum length for this list is 1
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=topologyKey
+	// +listMapKey=whenUnsatisfiable
+	// +optional
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
+// PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance
+// Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.
+// +kubebuilder:validation:MinProperties=1
+type PrometheusOperatorConfig struct {
+	// logLevel defines the verbosity of logs emitted by Prometheus Operator.
+	// This field allows users to control the amount and severity of logs generated, which can be useful
+	// for debugging issues or reducing noise in production environments.
+	// Allowed values are Error, Warn, Info, and Debug.
+	// When set to Error, only errors will be logged.
+	// When set to Warn, both warnings and errors will be logged.
+	// When set to Info, general information, warnings, and errors will all be logged.
+	// When set to Debug, detailed debugging information will be logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Info`.
+	// +optional
+	LogLevel LogLevel `json:"logLevel,omitempty"`
+	// nodeSelector defines the nodes on which the Pods are scheduled
+	// nodeSelector is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default value is `kubernetes.io/os: linux`.
+	// When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+	// +optional
+	// +kubebuilder:validation:MinProperties=1
+	// +kubebuilder:validation:MaxProperties=10
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// resources defines the compute resource requests and limits for the Prometheus Operator container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	//   resources:
+	//    - name: cpu
+	//      request: 4m
+	//      limit: null
+	//    - name: memory
+	//      request: 40Mi
+	//      limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	// +optional
+	// +listType=map
+	// +listMapKey=name
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	Resources []ContainerResource `json:"resources,omitempty"`
+	// tolerations defines tolerations for the pods.
+	// tolerations is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// Defaults are empty/unset.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// +kubebuilder:validation:MaxItems=10
+	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
+	// +optional
+	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
 	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:MinItems=1
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 0000000000000..9e2e0d39d28fe
--- /dev/null
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,186 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2557
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitzero"`
+
+	// spec defines the desired configuration of the CRI-O Credential Provider.
+	// This field is required and must be provided when creating the resource.
+	// +required
+	Spec *CRIOCredentialProviderConfigSpec `json:"spec,omitempty,omitzero"`
+
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// When omitted or nil, it indicates that the status has not yet been set by the controller.
+	// The controller will populate this field with validation conditions and operational state.
+	// +optional
+	Status CRIOCredentialProviderConfigStatus `json:"status,omitzero,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+// +kubebuilder:validation:MinProperties=0
+type CRIOCredentialProviderConfigSpec struct {
+	// matchImages is a list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	// Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider.
+	// Conflicts between the existing platform specific provider image match configuration and this list will be handled by
+	// the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those
+	// from the CRIOCredentialProviderConfig when both match the same image.
+	// To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with
+	// existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml).
+	// You can check the resource's Status conditions
+	// to see if any entries were ignored due to exact matches with known built-in provider patterns.
+	//
+	// This field is optional, the items of the list must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// For more details, see:
+	// https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// A global wildcard '*' (matching any domain) is not allowed.
+	// Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+	// For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// Both contain the same number of domain parts and each part matches.
+	// The URL path of an matchImages must be a prefix of the target image URL path.
+	// If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	// - *.azurecr.io
+	// - gcr.io
+	// - *.*.registry.io
+	// - registry.io:8080/path
+	//
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:MinItems=1
+	// +listType=set
+	// +optional
+	MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?)(\\.(\\*|[a-z0-9]([a-z0-9-]*[a-z0-9])?))*)(:[0-9]+)?(/[-a-z0-9._/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name in lowercase with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+// +kubebuilder:validation:MinProperties=1
+type CRIOCredentialProviderConfigStatus struct {
+	// conditions represent the latest available observations of the configuration state.
+	// When omitted, it indicates that no conditions have been reported yet.
+	// The maximum number of conditions is 16.
+	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+	//
+	// Expected condition types include:
+	// "Validated": indicates whether the matchImages configuration is valid
+	// +optional
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:MinItems=1
+	// +listType=map
+	// +listMapKey=type
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata is the standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+	// ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+	// matchImages configuration has been validated successfully.
+	// When True, all matchImage patterns are valid and have been applied.
+	// When False, the configuration contains errors (see Reason for details).
+	// Possible reasons for False status:
+	// - ValidationFailed: matchImages contains invalid patterns
+	// - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+	ConditionTypeValidated = "Validated"
+
+	// ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+	// to indicate that the matchImages configuration contains one or more invalid registry patterns
+	// that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+	ReasonValidationFailed = "ValidationFailed"
+
+	// ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+	// to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+	// The condition message will contain details about which entries were ignored and why.
+	ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+	// ConditionTypeMachineConfigRendered is a condition type that indicates whether
+	// the CRIOCredentialProviderConfig has been successfully rendered into a
+	// MachineConfig object.
+	// When True, the corresponding MachineConfig is present in the cluster.
+	// When False, rendering failed.
+	ConditionTypeMachineConfigRendered = "MachineConfigRendered"
+
+	// ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True
+	// to indicate that the MachineConfig was successfully created/updated in the API server.
+	ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded"
+
+	// ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False
+	// to indicate that the MachineConfig creation/update failed.
+	// The condition message will contain details about the failure.
+	ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed"
+)
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
index 64a89e4a63f15..977ca3dde325e 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go
@@ -50,7 +50,7 @@ type ImagePolicySpec struct {
 	// policy contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -59,8 +59,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 	// rootOfTrust specifies the root of trust for the policy.
 	// +required
 	RootOfTrust PolicyRootOfTrust `json:"rootOfTrust"`
@@ -84,16 +84,16 @@ type PolicyRootOfTrust struct {
 	PolicyType PolicyType `json:"policyType"`
 	// publicKey defines the root of trust based on a sigstore public key.
 	// +optional
-	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 	// fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
 	// For more information about Fulcio and Rekor, please refer to the document at:
 	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 	// +optional
-	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 	// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 	// +optional
 	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
-	PKI *PKI `json:"pki,omitempty"`
+	PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -106,8 +106,8 @@ const (
 	PKIRootOfTrust               PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 	// keyData contains inline base64-encoded data for the PEM format public key.
 	// KeyData must be at most 8192 characters.
 	// +required
@@ -120,8 +120,8 @@ type PublicKey struct {
 	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 	// fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA.
 	// fulcioCAData must be at most 8192 characters.
 	// +required
@@ -151,8 +151,8 @@ type PolicyFulcioSubject struct {
 	SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 	// +required
 	// +kubebuilder:validation:MaxLength=8192
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
index 46666ae3b23be..bef31b905abae 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/types_insights.go
@@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
 // +openshift:enable:FeatureGate=InsightsConfig
 // +openshift:compatibility-gen:level=4
+// +openshift:capability=Insights
 type InsightsDataGather struct {
 	metav1.TypeMeta `json:",inline"`
 
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index 6549f6cbe4370..dc51326b9702d 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -192,6 +192,115 @@ func (in *BackupStatus) DeepCopy() *BackupStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = new(CRIOCredentialProviderConfigSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig.
+func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CRIOCredentialProviderConfig, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList.
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) {
+	*out = *in
+	if in.MatchImages != nil {
+		in, out := &in.MatchImages, &out.MatchImages
+		*out = make([]MatchImage, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CRIOCredentialProviderConfigStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
 	*out = *in
@@ -365,6 +474,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) {
 	out.UserDefined = in.UserDefined
 	in.AlertmanagerConfig.DeepCopyInto(&out.AlertmanagerConfig)
 	in.MetricsServerConfig.DeepCopyInto(&out.MetricsServerConfig)
+	in.PrometheusOperatorConfig.DeepCopyInto(&out.PrometheusOperatorConfig)
 	return
 }
 
@@ -429,33 +539,6 @@ func (in *EtcdBackupSpec) DeepCopy() *EtcdBackupSpec {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FulcioCAWithRekor) DeepCopyInto(out *FulcioCAWithRekor) {
-	*out = *in
-	if in.FulcioCAData != nil {
-		in, out := &in.FulcioCAData, &out.FulcioCAData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.FulcioSubject = in.FulcioSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulcioCAWithRekor.
-func (in *FulcioCAWithRekor) DeepCopy() *FulcioCAWithRekor {
-	if in == nil {
-		return nil
-	}
-	out := new(FulcioCAWithRekor)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatherConfig) DeepCopyInto(out *GatherConfig) {
 	*out = *in
@@ -510,6 +593,33 @@ func (in *ImagePolicy) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopyInto(out *ImagePolicyFulcioCAWithRekorRootOfTrust) {
+	*out = *in
+	if in.FulcioCAData != nil {
+		in, out := &in.FulcioCAData, &out.FulcioCAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.FulcioSubject = in.FulcioSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyFulcioCAWithRekorRootOfTrust.
+func (in *ImagePolicyFulcioCAWithRekorRootOfTrust) DeepCopy() *ImagePolicyFulcioCAWithRekorRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyFulcioCAWithRekorRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicyList) DeepCopyInto(out *ImagePolicyList) {
 	*out = *in
@@ -543,6 +653,59 @@ func (in *ImagePolicyList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopyInto(out *ImagePolicyPKIRootOfTrust) {
+	*out = *in
+	if in.CertificateAuthorityRootsData != nil {
+		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CertificateAuthorityIntermediatesData != nil {
+		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	out.PKICertificateSubject = in.PKICertificateSubject
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPKIRootOfTrust.
+func (in *ImagePolicyPKIRootOfTrust) DeepCopy() *ImagePolicyPKIRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPKIRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopyInto(out *ImagePolicyPublicKeyRootOfTrust) {
+	*out = *in
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.RekorKeyData != nil {
+		in, out := &in.RekorKeyData, &out.RekorKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePolicyPublicKeyRootOfTrust.
+func (in *ImagePolicyPublicKeyRootOfTrust) DeepCopy() *ImagePolicyPublicKeyRootOfTrust {
+	if in == nil {
+		return nil
+	}
+	out := new(ImagePolicyPublicKeyRootOfTrust)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePolicySpec) DeepCopyInto(out *ImagePolicySpec) {
 	*out = *in
@@ -588,6 +751,24 @@ func (in *ImagePolicyStatus) DeepCopy() *ImagePolicyStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageSigstoreVerificationPolicy) DeepCopyInto(out *ImageSigstoreVerificationPolicy) {
+	*out = *in
+	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
+	in.SignedIdentity.DeepCopyInto(&out.SignedIdentity)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageSigstoreVerificationPolicy.
+func (in *ImageSigstoreVerificationPolicy) DeepCopy() *ImageSigstoreVerificationPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageSigstoreVerificationPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) {
 	*out = *in
@@ -727,33 +908,6 @@ func (in *MetricsServerConfig) DeepCopy() *MetricsServerConfig {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PKI) DeepCopyInto(out *PKI) {
-	*out = *in
-	if in.CertificateAuthorityRootsData != nil {
-		in, out := &in.CertificateAuthorityRootsData, &out.CertificateAuthorityRootsData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CertificateAuthorityIntermediatesData != nil {
-		in, out := &in.CertificateAuthorityIntermediatesData, &out.CertificateAuthorityIntermediatesData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	out.PKICertificateSubject = in.PKICertificateSubject
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKI.
-func (in *PKI) DeepCopy() *PKI {
-	if in == nil {
-		return nil
-	}
-	out := new(PKI)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PKICertificateSubject) DeepCopyInto(out *PKICertificateSubject) {
 	*out = *in
@@ -803,24 +957,6 @@ func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	*out = *in
-	in.RootOfTrust.DeepCopyInto(&out.RootOfTrust)
-	in.SignedIdentity.DeepCopyInto(&out.SignedIdentity)
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyFulcioSubject) DeepCopyInto(out *PolicyFulcioSubject) {
 	*out = *in
@@ -900,17 +1036,17 @@ func (in *PolicyRootOfTrust) DeepCopyInto(out *PolicyRootOfTrust) {
 	*out = *in
 	if in.PublicKey != nil {
 		in, out := &in.PublicKey, &out.PublicKey
-		*out = new(PublicKey)
+		*out = new(ImagePolicyPublicKeyRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.FulcioCAWithRekor != nil {
 		in, out := &in.FulcioCAWithRekor, &out.FulcioCAWithRekor
-		*out = new(FulcioCAWithRekor)
+		*out = new(ImagePolicyFulcioCAWithRekorRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.PKI != nil {
 		in, out := &in.PKI, &out.PKI
-		*out = new(PKI)
+		*out = new(ImagePolicyPKIRootOfTrust)
 		(*in).DeepCopyInto(*out)
 	}
 	return
@@ -927,27 +1063,45 @@ func (in *PolicyRootOfTrust) DeepCopy() *PolicyRootOfTrust {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PublicKey) DeepCopyInto(out *PublicKey) {
+func (in *PrometheusOperatorConfig) DeepCopyInto(out *PrometheusOperatorConfig) {
 	*out = *in
-	if in.KeyData != nil {
-		in, out := &in.KeyData, &out.KeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
 	}
-	if in.RekorKeyData != nil {
-		in, out := &in.RekorKeyData, &out.RekorKeyData
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]ContainerResource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]v1.Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TopologySpreadConstraints != nil {
+		in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints
+		*out = make([]v1.TopologySpreadConstraint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	return
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKey.
-func (in *PublicKey) DeepCopy() *PublicKey {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusOperatorConfig.
+func (in *PrometheusOperatorConfig) DeepCopy() *PrometheusOperatorConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(PublicKey)
+	out := new(PrometheusOperatorConfig)
 	in.DeepCopyInto(out)
 	return out
 }
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 2f79f801dd404..14091b5872b14 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -21,6 +21,29 @@ backups.config.openshift.io:
   - AutomatedEtcdBackup
   Version: v1alpha1
 
+criocredentialproviderconfigs.config.openshift.io:
+  Annotations: {}
+  ApprovedPRNumber: https://github.com/openshift/api/pull/2557
+  CRDName: criocredentialproviderconfigs.config.openshift.io
+  Capability: ""
+  Category: ""
+  FeatureGates:
+  - CRIOCredentialProviderConfig
+  FilenameOperatorName: config-operator
+  FilenameOperatorOrdering: "01"
+  FilenameRunLevel: "0000_10"
+  GroupName: config.openshift.io
+  HasStatus: true
+  KindName: CRIOCredentialProviderConfig
+  Labels: {}
+  PluralName: criocredentialproviderconfigs
+  PrinterColumns: []
+  Scope: Cluster
+  ShortNames: null
+  TopLevelFeatureGates:
+  - CRIOCredentialProviderConfig
+  Version: v1alpha1
+
 clusterimagepolicies.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/1457
@@ -97,7 +120,7 @@ insightsdatagathers.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/1245
   CRDName: insightsdatagathers.config.openshift.io
-  Capability: ""
+  Capability: Insights
   Category: ""
   FeatureGates:
   - InsightsConfig
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 6ba6ad11f440e..c060ce8746736 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -132,10 +132,10 @@ var map_AlertmanagerCustomConfig = map[string]string{
 	"":                          "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.",
 	"logLevel":                  "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.",
 	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.",
-	"resources":                 "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.",
+	"resources":                 "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
 	"secrets":                   "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret-<secret-name> and mounted at /etc/alertmanager/secrets/<secret-name> within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.",
-	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1",
-	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
 	"volumeClaimTemplate":       "volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class, volume size, and name. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts. This field is optional.",
 }
 
@@ -174,10 +174,11 @@ func (ClusterMonitoringList) SwaggerDoc() map[string]string {
 }
 
 var map_ClusterMonitoringSpec = map[string]string{
-	"":                    "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator",
-	"userDefined":         "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.",
-	"alertmanagerConfig":  "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.",
-	"metricsServerConfig": "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+	"":                         "ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator",
+	"userDefined":              "userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring. userDefined is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `Disabled`.",
+	"alertmanagerConfig":       "alertmanagerConfig allows users to configure how the default Alertmanager instance should be deployed in the `openshift-monitoring` namespace. alertmanagerConfig is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `DefaultConfig`.",
+	"metricsServerConfig":      "metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace. Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
+	"prometheusOperatorConfig": "prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component. Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
 }
 
 func (ClusterMonitoringSpec) SwaggerDoc() map[string]string {
@@ -207,16 +208,29 @@ var map_MetricsServerConfig = map[string]string{
 	"":                          "MetricsServerConfig provides configuration options for the Metrics Server instance that runs in the `openshift-monitoring` namespace. Use this configuration to control how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.",
 	"audit":                     "audit defines the audit configuration used by the Metrics Server instance. audit is optional. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default sets audit.profile to Metadata",
 	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.",
-	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10 Minimum length for this list is 1",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
 	"verbosity":                 "verbosity defines the verbosity of log messages for Metrics Server. Valid values are Errors, Info, Trace, TraceAll and omitted. When set to Errors, only critical messages and errors are logged. When set to Info, only basic information messages are logged. When set to Trace, information useful for general debugging is logged. When set to TraceAll, detailed information about metric scraping is logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Errors`",
-	"resources":                 "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1.",
-	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1 Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+	"resources":                 "resources defines the compute resource requests and limits for the Metrics Server container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
 }
 
 func (MetricsServerConfig) SwaggerDoc() map[string]string {
 	return map_MetricsServerConfig
 }
 
+var map_PrometheusOperatorConfig = map[string]string{
+	"":                          "PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.",
+	"logLevel":                  "logLevel defines the verbosity of logs emitted by Prometheus Operator. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.",
+	"nodeSelector":              "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.",
+	"resources":                 "resources defines the compute resource requests and limits for the Prometheus Operator container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n  resources:\n   - name: cpu\n     request: 4m\n     limit: null\n   - name: memory\n     request: 40Mi\n     limit: null\nMaximum length for this list is 10. Minimum length for this list is 1. Each resource name must be unique within this list.",
+	"tolerations":               "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.",
+	"topologySpreadConstraints": "topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.",
+}
+
+func (PrometheusOperatorConfig) SwaggerDoc() map[string]string {
+	return map_PrometheusOperatorConfig
+}
+
 var map_UserDefinedMonitoring = map[string]string{
 	"":     "UserDefinedMonitoring config for user-defined projects.",
 	"mode": "mode defines the different configurations of UserDefinedMonitoring Valid values are Disabled and NamespaceIsolated Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces. NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level. The current default value is `Disabled`.",
@@ -226,15 +240,42 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string {
 	return map_UserDefinedMonitoring
 }
 
-var map_FulcioCAWithRekor = map[string]string{
-	"":              "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
-	"fulcioCAData":  "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
-	"rekorKeyData":  "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
-	"fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+var map_CRIOCredentialProviderConfig = map[string]string{
+	"":         "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+	"spec":     "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+	"status":   "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+}
+
+func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfig
+}
+
+var map_CRIOCredentialProviderConfigList = map[string]string{
+	"":         "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigList
 }
 
-func (FulcioCAWithRekor) SwaggerDoc() map[string]string {
-	return map_FulcioCAWithRekor
+var map_CRIOCredentialProviderConfigSpec = map[string]string{
+	"":            "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+	"matchImages": "matchImages is a list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors. Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider. Conflicts between the existing platform specific provider image match configuration and this list will be handled by the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those from the CRIOCredentialProviderConfig when both match the same image. To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml). You can check the resource's Status conditions to see if any entries were ignored due to exact matches with known built-in provider patterns.\n\nThis field is optional, the items of the list must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+}
+
+func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigSpec
+}
+
+var map_CRIOCredentialProviderConfigStatus = map[string]string{
+	"":           "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+	"conditions": "conditions represent the latest available observations of the configuration state. When omitted, it indicates that no conditions have been reported yet. The maximum number of conditions is 16. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+}
+
+func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string {
+	return map_CRIOCredentialProviderConfigStatus
 }
 
 var map_ImagePolicy = map[string]string{
@@ -248,6 +289,17 @@ func (ImagePolicy) SwaggerDoc() map[string]string {
 	return map_ImagePolicy
 }
 
+var map_ImagePolicyFulcioCAWithRekorRootOfTrust = map[string]string{
+	"":              "ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.",
+	"fulcioCAData":  "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
+	"rekorKeyData":  "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
+	"fulcioSubject": "fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.",
+}
+
+func (ImagePolicyFulcioCAWithRekorRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyFulcioCAWithRekorRootOfTrust
+}
+
 var map_ImagePolicyList = map[string]string{
 	"":         "ImagePolicyList is a list of ImagePolicy resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
 	"metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
@@ -257,6 +309,27 @@ func (ImagePolicyList) SwaggerDoc() map[string]string {
 	return map_ImagePolicyList
 }
 
+var map_ImagePolicyPKIRootOfTrust = map[string]string{
+	"":                      "ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
+	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
+	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
+	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+}
+
+func (ImagePolicyPKIRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPKIRootOfTrust
+}
+
+var map_ImagePolicyPublicKeyRootOfTrust = map[string]string{
+	"":             "ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.",
+	"keyData":      "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.",
+	"rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
+}
+
+func (ImagePolicyPublicKeyRootOfTrust) SwaggerDoc() map[string]string {
+	return map_ImagePolicyPublicKeyRootOfTrust
+}
+
 var map_ImagePolicySpec = map[string]string{
 	"":       "ImagePolicySpec is the specification of the ImagePolicy CRD.",
 	"scopes": "scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the \"Docker Registry HTTP API V2\". Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. For additional details about the format, please refer to the document explaining the docker transport field, which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker",
@@ -275,15 +348,14 @@ func (ImagePolicyStatus) SwaggerDoc() map[string]string {
 	return map_ImagePolicyStatus
 }
 
-var map_PKI = map[string]string{
-	"":                      "PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.",
-	"caRootsData":           "caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters. ",
-	"caIntermediatesData":   "caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters. caIntermediatesData requires caRootsData to be set. ",
-	"pkiCertificateSubject": "pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.",
+var map_ImageSigstoreVerificationPolicy = map[string]string{
+	"":               "ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.",
+	"rootOfTrust":    "rootOfTrust specifies the root of trust for the policy.",
+	"signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
 }
 
-func (PKI) SwaggerDoc() map[string]string {
-	return map_PKI
+func (ImageSigstoreVerificationPolicy) SwaggerDoc() map[string]string {
+	return map_ImageSigstoreVerificationPolicy
 }
 
 var map_PKICertificateSubject = map[string]string{
@@ -296,16 +368,6 @@ func (PKICertificateSubject) SwaggerDoc() map[string]string {
 	return map_PKICertificateSubject
 }
 
-var map_Policy = map[string]string{
-	"":               "Policy defines the verification policy for the items in the scopes list.",
-	"rootOfTrust":    "rootOfTrust specifies the root of trust for the policy.",
-	"signedIdentity": "signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is \"MatchRepoDigestOrExact\".",
-}
-
-func (Policy) SwaggerDoc() map[string]string {
-	return map_Policy
-}
-
 var map_PolicyFulcioSubject = map[string]string{
 	"":            "PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.",
 	"oidcIssuer":  "oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token. Example: \"https://expected.OIDC.issuer/\"",
@@ -356,16 +418,6 @@ func (PolicyRootOfTrust) SwaggerDoc() map[string]string {
 	return map_PolicyRootOfTrust
 }
 
-var map_PublicKey = map[string]string{
-	"":             "PublicKey defines the root of trust based on a sigstore public key.",
-	"keyData":      "keyData contains inline base64-encoded data for the PEM format public key. KeyData must be at most 8192 characters.",
-	"rekorKeyData": "rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key. rekorKeyData must be at most 8192 characters.",
-}
-
-func (PublicKey) SwaggerDoc() map[string]string {
-	return map_PublicKey
-}
-
 var map_GatherConfig = map[string]string{
 	"":                  "gatherConfig provides data gathering configuration options.",
 	"dataPolicy":        "dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data. Valid values are \"None\" and \"ObfuscateNetworking\". When set to None the data is not obfuscated. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.",
diff --git a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
index d59f5920b1ffc..fbe666249a14b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
+++ b/vendor/github.com/openshift/api/config/v1alpha2/types_insights.go
@@ -16,6 +16,7 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
 // +openshift:enable:FeatureGate=InsightsConfig
 // +openshift:compatibility-gen:level=4
+// +openshift:capability=Insights
 type InsightsDataGather struct {
 	metav1.TypeMeta `json:",inline"`
 	// metadata is the standard object's metadata.
diff --git a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
index 99fe308ef811c..1f73e723eb338 100644
--- a/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml
@@ -2,7 +2,7 @@ insightsdatagathers.config.openshift.io:
   Annotations: {}
   ApprovedPRNumber: https://github.com/openshift/api/pull/2195
   CRDName: insightsdatagathers.config.openshift.io
-  Capability: ""
+  Capability: Insights
   Category: ""
   FeatureGates:
   - InsightsConfig
diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go
index fdecf485b7b7e..c460e6309f475 100644
--- a/vendor/github.com/openshift/api/features/features.go
+++ b/vendor/github.com/openshift/api/features/features.go
@@ -131,13 +131,13 @@ var (
 						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 						mustRegister()
 
-	FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform").
-					reportProblemsToJiraComponent("cloud-provider").
-					contactPerson("jspeed").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
+	FeatureGateCRIOCredentialProviderConfig = newFeatureGate("CRIOCredentialProviderConfig").
+						reportProblemsToJiraComponent("node").
+						contactPerson("QiWang").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1861").
+						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						mustRegister()
 
 	FeatureGateVSphereHostVMGroupZonal = newFeatureGate("VSphereHostVMGroupZonal").
 						reportProblemsToJiraComponent("splat").
@@ -171,53 +171,21 @@ var (
 						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 						mustRegister()
 
-	FeatureGateAdminNetworkPolicy = newFeatureGate("AdminNetworkPolicy").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("tssurya").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateNetworkSegmentation = newFeatureGate("NetworkSegmentation").
+	FeatureGateNetworkConnect = newFeatureGate("NetworkConnect").
 					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
 					contactPerson("tssurya").
 					productScope(ocpSpecific).
-					enhancementPR("https://github.com/openshift/enhancements/pull/1623").
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateAdditionalRoutingCapabilities = newFeatureGate("AdditionalRoutingCapabilities").
-							reportProblemsToJiraComponent("Networking/cluster-network-operator").
-							contactPerson("jcaamano").
-							productScope(ocpSpecific).
-							enhancementPR(legacyFeatureGateWithoutEnhancement).
-							enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-							mustRegister()
-
-	FeatureGateRouteAdvertisements = newFeatureGate("RouteAdvertisements").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("jcaamano").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-					mustRegister()
-
-	FeatureGateNetworkLiveMigration = newFeatureGate("NetworkLiveMigration").
-					reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-					contactPerson("pliu").
-					productScope(ocpSpecific).
-					enhancementPR(legacyFeatureGateWithoutEnhancement).
-					enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enhancementPR("https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5246").
+					enableIn(configv1.DevPreviewNoUpgrade).
 					mustRegister()
 
-	FeatureGateNetworkDiagnosticsConfig = newFeatureGate("NetworkDiagnosticsConfig").
-						reportProblemsToJiraComponent("Networking/cluster-network-operator").
-						contactPerson("kyrtapz").
-						productScope(ocpSpecific).
-						enhancementPR(legacyFeatureGateWithoutEnhancement).
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()
+	FeatureGateEVPN = newFeatureGate("EVPN").
+			reportProblemsToJiraComponent("Networking/ovn-kubernetes").
+			contactPerson("jcaamano").
+			productScope(ocpSpecific).
+			enhancementPR("https://github.com/openshift/enhancements/pull/1862").
+			enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+			mustRegister()
 
 	FeatureGateOVNObservability = newFeatureGate("OVNObservability").
 					reportProblemsToJiraComponent("Networking").
@@ -350,7 +318,7 @@ var (
 						contactPerson("djoshy").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1818").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 						mustRegister()
 
 	FeatureGateBootImageSkewEnforcement = newFeatureGate("BootImageSkewEnforcement").
@@ -401,14 +369,6 @@ var (
 					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 					mustRegister()
 
-	FeatureGateVolumeAttributesClass = newFeatureGate("VolumeAttributesClass").
-						reportProblemsToJiraComponent("Storage / Kubernetes External Components").
-						contactPerson("dfajmon").
-						productScope(kubernetes).
-						enhancementPR("https://github.com/kubernetes/enhancements/issues/3751").
-						enableIn(configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
-						mustRegister()
-
 	FeatureGateVolumeGroupSnapshot = newFeatureGate("VolumeGroupSnapshot").
 					reportProblemsToJiraComponent("Storage / Kubernetes External Components").
 					contactPerson("fbertina").
@@ -441,6 +401,14 @@ var (
 								enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 								mustRegister()
 
+	FeatureGateExternalOIDCWithUpstreamParity = newFeatureGate("ExternalOIDCWithUpstreamParity").
+							reportProblemsToJiraComponent("authentication").
+							contactPerson("saldawam").
+							productScope(ocpSpecific).
+							enhancementPR("https://github.com/openshift/enhancements/pull/1763").
+							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							mustRegister()
+
 	FeatureGateExample = newFeatureGate("Example").
 				reportProblemsToJiraComponent("cluster-config").
 				contactPerson("deads").
@@ -486,7 +454,7 @@ var (
 						contactPerson("nschieder").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1849").
-						enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableForClusterProfile(SelfManaged, configv1.Default, configv1.OKD, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 						mustRegister()
 
 	FeatureGateNewOLMWebhookProviderOpenshiftServiceCA = newFeatureGate("NewOLMWebhookProviderOpenshiftServiceCA").
@@ -502,6 +470,7 @@ var (
 						contactPerson("pegoncal").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1890").
+						enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 						mustRegister()
 
 	FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather").
@@ -602,14 +571,6 @@ var (
 							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 							mustRegister()
 
-	FeatureGateProcMountType = newFeatureGate("ProcMountType").
-					reportProblemsToJiraComponent("Node").
-					contactPerson("haircommander").
-					productScope(kubernetes).
-					enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
-					mustRegister()
-
 	FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
 					reportProblemsToJiraComponent("SPLAT").
 					contactPerson("rvanderp").
@@ -622,8 +583,8 @@ var (
 								reportProblemsToJiraComponent("Networking/router").
 								contactPerson("miciah").
 								productScope(ocpSpecific).
-								enhancementPR(legacyFeatureGateWithoutEnhancement).
-								enableIn(configv1.DevPreviewNoUpgrade).
+								enhancementPR("https://github.com/openshift/enhancements/pull/1687").
+								enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 								mustRegister()
 
 	FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion").
@@ -647,9 +608,17 @@ var (
 						contactPerson("swghosh").
 						productScope(ocpSpecific).
 						enhancementPR("https://github.com/openshift/enhancements/pull/1682").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableIn(configv1.DevPreviewNoUpgrade).
 						mustRegister()
 
+	FeatureGateKMSEncryption = newFeatureGate("KMSEncryption").
+					reportProblemsToJiraComponent("kube-apiserver").
+					contactPerson("ardaguclu").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1900").
+					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					mustRegister()
+
 	FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter").
 						reportProblemsToJiraComponent("Two Node with Arbiter").
 						contactPerson("eggfoobar").
@@ -666,6 +635,14 @@ var (
 					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 					mustRegister()
 
+	FeatureGateClusterUpdateAcceptRisks = newFeatureGate("ClusterUpdateAcceptRisks").
+						reportProblemsToJiraComponent("Cluster Version Operator").
+						contactPerson("hongkliu").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1807").
+						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						mustRegister()
+
 	FeatureGateGCPCustomAPIEndpoints = newFeatureGate("GCPCustomAPIEndpoints").
 						reportProblemsToJiraComponent("Installer").
 						contactPerson("barbacbd").
@@ -766,14 +743,6 @@ var (
 					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 					mustRegister()
 
-	FeatureGatePreconfiguredUDNAddresses = newFeatureGate("PreconfiguredUDNAddresses").
-						reportProblemsToJiraComponent("Networking/ovn-kubernetes").
-						contactPerson("kyrtapz").
-						productScope(ocpSpecific).
-						enhancementPR("https://github.com/openshift/enhancements/pull/1793").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
-						mustRegister()
-
 	FeatureGateAWSServiceLBNetworkSecurityGroup = newFeatureGate("AWSServiceLBNetworkSecurityGroup").
 							reportProblemsToJiraComponent("Cloud Compute / Cloud Controller Manager").
 							contactPerson("mtulio").
@@ -783,7 +752,7 @@ var (
 							mustRegister()
 
 	FeatureGateImageVolume = newFeatureGate("ImageVolume").
-			reportProblemsToJiraComponent("Node").
+				reportProblemsToJiraComponent("Node").
 				contactPerson("haircommander").
 				productScope(kubernetes).
 				enhancementPR("https://github.com/openshift/enhancements/pull/1792").
@@ -889,7 +858,7 @@ var (
 							contactPerson("jsafrane").
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/4876").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 							mustRegister()
 	FeatureGateOSStreams = newFeatureGate("OSStreams").
 				reportProblemsToJiraComponent("MachineConfigOperator").
@@ -929,4 +898,36 @@ var (
 								enhancementPR("https://github.com/kubernetes/enhancements/issues/4381").
 								enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default, configv1.OKD).
 								mustRegister()
+
+	FeatureGateDRAPartitionableDevices = newFeatureGate("DRAPartitionableDevices").
+						reportProblemsToJiraComponent("Node").
+						contactPerson("harche").
+						productScope(kubernetes).
+						enhancementPR("https://github.com/kubernetes/enhancements/issues/4815").
+						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						mustRegister()
+
+	FeatureGateConfigurablePKI = newFeatureGate("ConfigurablePKI").
+					reportProblemsToJiraComponent("kube-apiserver").
+					contactPerson("sanchezl").
+					productScope(ocpSpecific).
+					enhancementPR("https://github.com/openshift/enhancements/pull/1882").
+					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					mustRegister()
+
+	FeatureGateClusterAPIControlPlaneInstall = newFeatureGate("ClusterAPIControlPlaneInstall").
+							reportProblemsToJiraComponent("Installer / openshift-installer").
+							contactPerson("patrickdillon").
+							productScope(ocpSpecific).
+							enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+							enableIn(configv1.DevPreviewNoUpgrade).
+							mustRegister()
+
+	FeatureGateClusterAPIComputeInstall = newFeatureGate("ClusterAPIComputeInstall").
+						reportProblemsToJiraComponent("Installer / openshift-installer").
+						contactPerson("patrickdillon").
+						productScope(ocpSpecific).
+						enhancementPR("https://github.com/openshift/enhancements/pull/1465").
+						enableIn(configv1.DevPreviewNoUpgrade).
+						mustRegister()
 )
diff --git a/vendor/github.com/openshift/api/features/legacyfeaturegates.go b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
index dd11fdf6632ab..a92c0b9bb90fe 100644
--- a/vendor/github.com/openshift/api/features/legacyfeaturegates.go
+++ b/vendor/github.com/openshift/api/features/legacyfeaturegates.go
@@ -7,10 +7,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"AWSEFSDriverVolumeMetrics",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"AdditionalRoutingCapabilities",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"AdminNetworkPolicy",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"AlibabaPlatform",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"AutomatedEtcdBackup",
@@ -79,12 +75,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"MultiArchInstallGCP",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkDiagnosticsConfig",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkLiveMigration",
-	// never add to this list, if you think you have an exception ask @deads2k
-	"NetworkSegmentation",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"NewOLM",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"OVNObservability",
@@ -95,8 +85,6 @@ var legacyFeatureGates = sets.New(
 	// never add to this list, if you think you have an exception ask @deads2k
 	"PrivateHostedZoneAWS",
 	// never add to this list, if you think you have an exception ask @deads2k
-	"RouteAdvertisements",
-	// never add to this list, if you think you have an exception ask @deads2k
 	"RouteExternalCertificate",
 	// never add to this list, if you think you have an exception ask @deads2k
 	"SetEIPForNLBIngressController",
diff --git a/vendor/github.com/openshift/api/features/util.go b/vendor/github.com/openshift/api/features/util.go
index 59bb7bff4078a..8606b6befd5db 100644
--- a/vendor/github.com/openshift/api/features/util.go
+++ b/vendor/github.com/openshift/api/features/util.go
@@ -2,9 +2,10 @@ package features
 
 import (
 	"fmt"
-	configv1 "github.com/openshift/api/config/v1"
 	"net/url"
 	"strings"
+
+	configv1 "github.com/openshift/api/config/v1"
 )
 
 // FeatureGateDescription is a golang-only interface used to contains details for a feature gate.
@@ -133,8 +134,10 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) {
 	case len(b.enhancementPRURL) == 0:
 		return "", fmt.Errorf("FeatureGate/%s is missing an enhancementPR with GA Graduation Criteria like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name)
 
-	case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") && !strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/"):
-		return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/####", b.name)
+	case !strings.HasPrefix(b.enhancementPRURL, "https://github.com/openshift/enhancements/pull/") &&
+		!strings.HasPrefix(b.enhancementPRURL, "https://github.com/kubernetes/enhancements/issues/") &&
+		!strings.HasPrefix(b.enhancementPRURL, "https://github.com/ovn-kubernetes/ovn-kubernetes/pull/"):
+		return "", fmt.Errorf("FeatureGate/%s enhancementPR format is incorrect; must be like https://github.com/openshift/enhancements/pull/#### or https://github.com/kubernetes/enhancements/issues/#### or https://github.com/ovn-kubernetes/ovn-kubernetes/pull/####", b.name)
 
 	case enhancementPRErr != nil:
 		return "", fmt.Errorf("FeatureGate/%s is enhancementPR is invalid: %w", b.name, enhancementPRErr)
diff --git a/vendor/github.com/openshift/api/image/v1/generated.pb.go b/vendor/github.com/openshift/api/image/v1/generated.pb.go
index ac776ad64d98c..c10c09b3c6cca 100644
--- a/vendor/github.com/openshift/api/image/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/image/v1/generated.pb.go
@@ -7,1315 +7,92 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *DockerImageReference) Reset() { *m = DockerImageReference{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *Image) Reset() { *m = Image{} }
 
-func (m *DockerImageReference) Reset()      { *m = DockerImageReference{} }
-func (*DockerImageReference) ProtoMessage() {}
-func (*DockerImageReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{0}
-}
-func (m *DockerImageReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *DockerImageReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *DockerImageReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DockerImageReference.Merge(m, src)
-}
-func (m *DockerImageReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *DockerImageReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_DockerImageReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DockerImageReference proto.InternalMessageInfo
-
-func (m *Image) Reset()      { *m = Image{} }
-func (*Image) ProtoMessage() {}
-func (*Image) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{1}
-}
-func (m *Image) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Image) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Image) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Image.Merge(m, src)
-}
-func (m *Image) XXX_Size() int {
-	return m.Size()
-}
-func (m *Image) XXX_DiscardUnknown() {
-	xxx_messageInfo_Image.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Image proto.InternalMessageInfo
-
-func (m *ImageBlobReferences) Reset()      { *m = ImageBlobReferences{} }
-func (*ImageBlobReferences) ProtoMessage() {}
-func (*ImageBlobReferences) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{2}
-}
-func (m *ImageBlobReferences) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageBlobReferences) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageBlobReferences) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageBlobReferences.Merge(m, src)
-}
-func (m *ImageBlobReferences) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageBlobReferences) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageBlobReferences.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageBlobReferences proto.InternalMessageInfo
-
-func (m *ImageImportSpec) Reset()      { *m = ImageImportSpec{} }
-func (*ImageImportSpec) ProtoMessage() {}
-func (*ImageImportSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{3}
-}
-func (m *ImageImportSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageImportSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageImportSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageImportSpec.Merge(m, src)
-}
-func (m *ImageImportSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageImportSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageImportSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageImportSpec proto.InternalMessageInfo
-
-func (m *ImageImportStatus) Reset()      { *m = ImageImportStatus{} }
-func (*ImageImportStatus) ProtoMessage() {}
-func (*ImageImportStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{4}
-}
-func (m *ImageImportStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageImportStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageImportStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageImportStatus.Merge(m, src)
-}
-func (m *ImageImportStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageImportStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageImportStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageImportStatus proto.InternalMessageInfo
-
-func (m *ImageLayer) Reset()      { *m = ImageLayer{} }
-func (*ImageLayer) ProtoMessage() {}
-func (*ImageLayer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{5}
-}
-func (m *ImageLayer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageLayer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageLayer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageLayer.Merge(m, src)
-}
-func (m *ImageLayer) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageLayer) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageLayer.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageLayer proto.InternalMessageInfo
-
-func (m *ImageLayerData) Reset()      { *m = ImageLayerData{} }
-func (*ImageLayerData) ProtoMessage() {}
-func (*ImageLayerData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{6}
-}
-func (m *ImageLayerData) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageLayerData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageLayerData) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageLayerData.Merge(m, src)
-}
-func (m *ImageLayerData) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageLayerData) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageLayerData.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageLayerData proto.InternalMessageInfo
-
-func (m *ImageList) Reset()      { *m = ImageList{} }
-func (*ImageList) ProtoMessage() {}
-func (*ImageList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{7}
-}
-func (m *ImageList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageList.Merge(m, src)
-}
-func (m *ImageList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageList proto.InternalMessageInfo
-
-func (m *ImageLookupPolicy) Reset()      { *m = ImageLookupPolicy{} }
-func (*ImageLookupPolicy) ProtoMessage() {}
-func (*ImageLookupPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{8}
-}
-func (m *ImageLookupPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageLookupPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageLookupPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageLookupPolicy.Merge(m, src)
-}
-func (m *ImageLookupPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageLookupPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageLookupPolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageLookupPolicy proto.InternalMessageInfo
-
-func (m *ImageManifest) Reset()      { *m = ImageManifest{} }
-func (*ImageManifest) ProtoMessage() {}
-func (*ImageManifest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{9}
-}
-func (m *ImageManifest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageManifest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageManifest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageManifest.Merge(m, src)
-}
-func (m *ImageManifest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageManifest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageManifest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageManifest proto.InternalMessageInfo
-
-func (m *ImageSignature) Reset()      { *m = ImageSignature{} }
-func (*ImageSignature) ProtoMessage() {}
-func (*ImageSignature) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{10}
-}
-func (m *ImageSignature) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageSignature) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageSignature) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageSignature.Merge(m, src)
-}
-func (m *ImageSignature) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageSignature) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageSignature.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageSignature proto.InternalMessageInfo
-
-func (m *ImageStream) Reset()      { *m = ImageStream{} }
-func (*ImageStream) ProtoMessage() {}
-func (*ImageStream) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{11}
-}
-func (m *ImageStream) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStream) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStream) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStream.Merge(m, src)
-}
-func (m *ImageStream) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStream) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStream.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStream proto.InternalMessageInfo
-
-func (m *ImageStreamImage) Reset()      { *m = ImageStreamImage{} }
-func (*ImageStreamImage) ProtoMessage() {}
-func (*ImageStreamImage) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{12}
-}
-func (m *ImageStreamImage) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamImage) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamImage) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamImage.Merge(m, src)
-}
-func (m *ImageStreamImage) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamImage) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamImage.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStreamImage proto.InternalMessageInfo
-
-func (m *ImageStreamImport) Reset()      { *m = ImageStreamImport{} }
-func (*ImageStreamImport) ProtoMessage() {}
-func (*ImageStreamImport) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{13}
-}
-func (m *ImageStreamImport) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamImport) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamImport) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamImport.Merge(m, src)
-}
-func (m *ImageStreamImport) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamImport) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamImport.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStreamImport proto.InternalMessageInfo
-
-func (m *ImageStreamImportSpec) Reset()      { *m = ImageStreamImportSpec{} }
-func (*ImageStreamImportSpec) ProtoMessage() {}
-func (*ImageStreamImportSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{14}
-}
-func (m *ImageStreamImportSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamImportSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamImportSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamImportSpec.Merge(m, src)
-}
-func (m *ImageStreamImportSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamImportSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamImportSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStreamImportSpec proto.InternalMessageInfo
-
-func (m *ImageStreamImportStatus) Reset()      { *m = ImageStreamImportStatus{} }
-func (*ImageStreamImportStatus) ProtoMessage() {}
-func (*ImageStreamImportStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{15}
-}
-func (m *ImageStreamImportStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamImportStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamImportStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamImportStatus.Merge(m, src)
-}
-func (m *ImageStreamImportStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamImportStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamImportStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStreamImportStatus proto.InternalMessageInfo
-
-func (m *ImageStreamLayers) Reset()      { *m = ImageStreamLayers{} }
-func (*ImageStreamLayers) ProtoMessage() {}
-func (*ImageStreamLayers) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{16}
-}
-func (m *ImageStreamLayers) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamLayers) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamLayers) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamLayers.Merge(m, src)
-}
-func (m *ImageStreamLayers) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamLayers) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamLayers.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ImageStreamLayers proto.InternalMessageInfo
-
-func (m *ImageStreamList) Reset()      { *m = ImageStreamList{} }
-func (*ImageStreamList) ProtoMessage() {}
-func (*ImageStreamList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{17}
-}
-func (m *ImageStreamList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamList.Merge(m, src)
-}
-func (m *ImageStreamList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamList.DiscardUnknown(m)
-}
+func (m *ImageBlobReferences) Reset() { *m = ImageBlobReferences{} }
 
-var xxx_messageInfo_ImageStreamList proto.InternalMessageInfo
+func (m *ImageImportSpec) Reset() { *m = ImageImportSpec{} }
 
-func (m *ImageStreamMapping) Reset()      { *m = ImageStreamMapping{} }
-func (*ImageStreamMapping) ProtoMessage() {}
-func (*ImageStreamMapping) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{18}
-}
-func (m *ImageStreamMapping) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamMapping) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamMapping) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamMapping.Merge(m, src)
-}
-func (m *ImageStreamMapping) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamMapping) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamMapping.DiscardUnknown(m)
-}
+func (m *ImageImportStatus) Reset() { *m = ImageImportStatus{} }
 
-var xxx_messageInfo_ImageStreamMapping proto.InternalMessageInfo
+func (m *ImageLayer) Reset() { *m = ImageLayer{} }
 
-func (m *ImageStreamSpec) Reset()      { *m = ImageStreamSpec{} }
-func (*ImageStreamSpec) ProtoMessage() {}
-func (*ImageStreamSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{19}
-}
-func (m *ImageStreamSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamSpec.Merge(m, src)
-}
-func (m *ImageStreamSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamSpec.DiscardUnknown(m)
-}
+func (m *ImageLayerData) Reset() { *m = ImageLayerData{} }
 
-var xxx_messageInfo_ImageStreamSpec proto.InternalMessageInfo
+func (m *ImageList) Reset() { *m = ImageList{} }
 
-func (m *ImageStreamStatus) Reset()      { *m = ImageStreamStatus{} }
-func (*ImageStreamStatus) ProtoMessage() {}
-func (*ImageStreamStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{20}
-}
-func (m *ImageStreamStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamStatus.Merge(m, src)
-}
-func (m *ImageStreamStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamStatus.DiscardUnknown(m)
-}
+func (m *ImageLookupPolicy) Reset() { *m = ImageLookupPolicy{} }
 
-var xxx_messageInfo_ImageStreamStatus proto.InternalMessageInfo
+func (m *ImageManifest) Reset() { *m = ImageManifest{} }
 
-func (m *ImageStreamTag) Reset()      { *m = ImageStreamTag{} }
-func (*ImageStreamTag) ProtoMessage() {}
-func (*ImageStreamTag) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{21}
-}
-func (m *ImageStreamTag) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamTag) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamTag) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamTag.Merge(m, src)
-}
-func (m *ImageStreamTag) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamTag) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamTag.DiscardUnknown(m)
-}
+func (m *ImageSignature) Reset() { *m = ImageSignature{} }
 
-var xxx_messageInfo_ImageStreamTag proto.InternalMessageInfo
+func (m *ImageStream) Reset() { *m = ImageStream{} }
 
-func (m *ImageStreamTagList) Reset()      { *m = ImageStreamTagList{} }
-func (*ImageStreamTagList) ProtoMessage() {}
-func (*ImageStreamTagList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{22}
-}
-func (m *ImageStreamTagList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageStreamTagList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageStreamTagList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageStreamTagList.Merge(m, src)
-}
-func (m *ImageStreamTagList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageStreamTagList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageStreamTagList.DiscardUnknown(m)
-}
+func (m *ImageStreamImage) Reset() { *m = ImageStreamImage{} }
 
-var xxx_messageInfo_ImageStreamTagList proto.InternalMessageInfo
+func (m *ImageStreamImport) Reset() { *m = ImageStreamImport{} }
 
-func (m *ImageTag) Reset()      { *m = ImageTag{} }
-func (*ImageTag) ProtoMessage() {}
-func (*ImageTag) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{23}
-}
-func (m *ImageTag) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageTag) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageTag) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageTag.Merge(m, src)
-}
-func (m *ImageTag) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageTag) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageTag.DiscardUnknown(m)
-}
+func (m *ImageStreamImportSpec) Reset() { *m = ImageStreamImportSpec{} }
 
-var xxx_messageInfo_ImageTag proto.InternalMessageInfo
+func (m *ImageStreamImportStatus) Reset() { *m = ImageStreamImportStatus{} }
 
-func (m *ImageTagList) Reset()      { *m = ImageTagList{} }
-func (*ImageTagList) ProtoMessage() {}
-func (*ImageTagList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{24}
-}
-func (m *ImageTagList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ImageTagList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ImageTagList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ImageTagList.Merge(m, src)
-}
-func (m *ImageTagList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ImageTagList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ImageTagList.DiscardUnknown(m)
-}
+func (m *ImageStreamLayers) Reset() { *m = ImageStreamLayers{} }
 
-var xxx_messageInfo_ImageTagList proto.InternalMessageInfo
+func (m *ImageStreamList) Reset() { *m = ImageStreamList{} }
 
-func (m *NamedTagEventList) Reset()      { *m = NamedTagEventList{} }
-func (*NamedTagEventList) ProtoMessage() {}
-func (*NamedTagEventList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{25}
-}
-func (m *NamedTagEventList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NamedTagEventList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NamedTagEventList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NamedTagEventList.Merge(m, src)
-}
-func (m *NamedTagEventList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NamedTagEventList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NamedTagEventList.DiscardUnknown(m)
-}
+func (m *ImageStreamMapping) Reset() { *m = ImageStreamMapping{} }
 
-var xxx_messageInfo_NamedTagEventList proto.InternalMessageInfo
+func (m *ImageStreamSpec) Reset() { *m = ImageStreamSpec{} }
 
-func (m *RepositoryImportSpec) Reset()      { *m = RepositoryImportSpec{} }
-func (*RepositoryImportSpec) ProtoMessage() {}
-func (*RepositoryImportSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{26}
-}
-func (m *RepositoryImportSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RepositoryImportSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RepositoryImportSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RepositoryImportSpec.Merge(m, src)
-}
-func (m *RepositoryImportSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *RepositoryImportSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_RepositoryImportSpec.DiscardUnknown(m)
-}
+func (m *ImageStreamStatus) Reset() { *m = ImageStreamStatus{} }
 
-var xxx_messageInfo_RepositoryImportSpec proto.InternalMessageInfo
+func (m *ImageStreamTag) Reset() { *m = ImageStreamTag{} }
 
-func (m *RepositoryImportStatus) Reset()      { *m = RepositoryImportStatus{} }
-func (*RepositoryImportStatus) ProtoMessage() {}
-func (*RepositoryImportStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{27}
-}
-func (m *RepositoryImportStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RepositoryImportStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RepositoryImportStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RepositoryImportStatus.Merge(m, src)
-}
-func (m *RepositoryImportStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *RepositoryImportStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_RepositoryImportStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RepositoryImportStatus proto.InternalMessageInfo
+func (m *ImageStreamTagList) Reset() { *m = ImageStreamTagList{} }
 
-func (m *SecretList) Reset()      { *m = SecretList{} }
-func (*SecretList) ProtoMessage() {}
-func (*SecretList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{28}
-}
-func (m *SecretList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecretList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecretList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecretList.Merge(m, src)
-}
-func (m *SecretList) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecretList) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecretList.DiscardUnknown(m)
-}
+func (m *ImageTag) Reset() { *m = ImageTag{} }
 
-var xxx_messageInfo_SecretList proto.InternalMessageInfo
+func (m *ImageTagList) Reset() { *m = ImageTagList{} }
 
-func (m *SignatureCondition) Reset()      { *m = SignatureCondition{} }
-func (*SignatureCondition) ProtoMessage() {}
-func (*SignatureCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{29}
-}
-func (m *SignatureCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SignatureCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SignatureCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignatureCondition.Merge(m, src)
-}
-func (m *SignatureCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *SignatureCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_SignatureCondition.DiscardUnknown(m)
-}
+func (m *NamedTagEventList) Reset() { *m = NamedTagEventList{} }
 
-var xxx_messageInfo_SignatureCondition proto.InternalMessageInfo
+func (m *RepositoryImportSpec) Reset() { *m = RepositoryImportSpec{} }
 
-func (m *SignatureGenericEntity) Reset()      { *m = SignatureGenericEntity{} }
-func (*SignatureGenericEntity) ProtoMessage() {}
-func (*SignatureGenericEntity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{30}
-}
-func (m *SignatureGenericEntity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SignatureGenericEntity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SignatureGenericEntity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignatureGenericEntity.Merge(m, src)
-}
-func (m *SignatureGenericEntity) XXX_Size() int {
-	return m.Size()
-}
-func (m *SignatureGenericEntity) XXX_DiscardUnknown() {
-	xxx_messageInfo_SignatureGenericEntity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SignatureGenericEntity proto.InternalMessageInfo
-
-func (m *SignatureIssuer) Reset()      { *m = SignatureIssuer{} }
-func (*SignatureIssuer) ProtoMessage() {}
-func (*SignatureIssuer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{31}
-}
-func (m *SignatureIssuer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SignatureIssuer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SignatureIssuer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignatureIssuer.Merge(m, src)
-}
-func (m *SignatureIssuer) XXX_Size() int {
-	return m.Size()
-}
-func (m *SignatureIssuer) XXX_DiscardUnknown() {
-	xxx_messageInfo_SignatureIssuer.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SignatureIssuer proto.InternalMessageInfo
-
-func (m *SignatureSubject) Reset()      { *m = SignatureSubject{} }
-func (*SignatureSubject) ProtoMessage() {}
-func (*SignatureSubject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{32}
-}
-func (m *SignatureSubject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SignatureSubject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SignatureSubject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignatureSubject.Merge(m, src)
-}
-func (m *SignatureSubject) XXX_Size() int {
-	return m.Size()
-}
-func (m *SignatureSubject) XXX_DiscardUnknown() {
-	xxx_messageInfo_SignatureSubject.DiscardUnknown(m)
-}
+func (m *RepositoryImportStatus) Reset() { *m = RepositoryImportStatus{} }
 
-var xxx_messageInfo_SignatureSubject proto.InternalMessageInfo
+func (m *SecretList) Reset() { *m = SecretList{} }
 
-func (m *TagEvent) Reset()      { *m = TagEvent{} }
-func (*TagEvent) ProtoMessage() {}
-func (*TagEvent) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{33}
-}
-func (m *TagEvent) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagEvent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagEvent) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagEvent.Merge(m, src)
-}
-func (m *TagEvent) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagEvent) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagEvent.DiscardUnknown(m)
-}
+func (m *SignatureCondition) Reset() { *m = SignatureCondition{} }
 
-var xxx_messageInfo_TagEvent proto.InternalMessageInfo
+func (m *SignatureGenericEntity) Reset() { *m = SignatureGenericEntity{} }
 
-func (m *TagEventCondition) Reset()      { *m = TagEventCondition{} }
-func (*TagEventCondition) ProtoMessage() {}
-func (*TagEventCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{34}
-}
-func (m *TagEventCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagEventCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagEventCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagEventCondition.Merge(m, src)
-}
-func (m *TagEventCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagEventCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagEventCondition.DiscardUnknown(m)
-}
+func (m *SignatureIssuer) Reset() { *m = SignatureIssuer{} }
 
-var xxx_messageInfo_TagEventCondition proto.InternalMessageInfo
+func (m *SignatureSubject) Reset() { *m = SignatureSubject{} }
 
-func (m *TagImportPolicy) Reset()      { *m = TagImportPolicy{} }
-func (*TagImportPolicy) ProtoMessage() {}
-func (*TagImportPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{35}
-}
-func (m *TagImportPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagImportPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagImportPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagImportPolicy.Merge(m, src)
-}
-func (m *TagImportPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagImportPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagImportPolicy.DiscardUnknown(m)
-}
+func (m *TagEvent) Reset() { *m = TagEvent{} }
 
-var xxx_messageInfo_TagImportPolicy proto.InternalMessageInfo
+func (m *TagEventCondition) Reset() { *m = TagEventCondition{} }
 
-func (m *TagReference) Reset()      { *m = TagReference{} }
-func (*TagReference) ProtoMessage() {}
-func (*TagReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{36}
-}
-func (m *TagReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagReference.Merge(m, src)
-}
-func (m *TagReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagReference.DiscardUnknown(m)
-}
+func (m *TagImportPolicy) Reset() { *m = TagImportPolicy{} }
 
-var xxx_messageInfo_TagReference proto.InternalMessageInfo
+func (m *TagReference) Reset() { *m = TagReference{} }
 
-func (m *TagReferencePolicy) Reset()      { *m = TagReferencePolicy{} }
-func (*TagReferencePolicy) ProtoMessage() {}
-func (*TagReferencePolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_650a0b34f65fde60, []int{37}
-}
-func (m *TagReferencePolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TagReferencePolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TagReferencePolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TagReferencePolicy.Merge(m, src)
-}
-func (m *TagReferencePolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *TagReferencePolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_TagReferencePolicy.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TagReferencePolicy proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*DockerImageReference)(nil), "github.com.openshift.api.image.v1.DockerImageReference")
-	proto.RegisterType((*Image)(nil), "github.com.openshift.api.image.v1.Image")
-	proto.RegisterType((*ImageBlobReferences)(nil), "github.com.openshift.api.image.v1.ImageBlobReferences")
-	proto.RegisterType((*ImageImportSpec)(nil), "github.com.openshift.api.image.v1.ImageImportSpec")
-	proto.RegisterType((*ImageImportStatus)(nil), "github.com.openshift.api.image.v1.ImageImportStatus")
-	proto.RegisterType((*ImageLayer)(nil), "github.com.openshift.api.image.v1.ImageLayer")
-	proto.RegisterType((*ImageLayerData)(nil), "github.com.openshift.api.image.v1.ImageLayerData")
-	proto.RegisterType((*ImageList)(nil), "github.com.openshift.api.image.v1.ImageList")
-	proto.RegisterType((*ImageLookupPolicy)(nil), "github.com.openshift.api.image.v1.ImageLookupPolicy")
-	proto.RegisterType((*ImageManifest)(nil), "github.com.openshift.api.image.v1.ImageManifest")
-	proto.RegisterType((*ImageSignature)(nil), "github.com.openshift.api.image.v1.ImageSignature")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.image.v1.ImageSignature.SignedClaimsEntry")
-	proto.RegisterType((*ImageStream)(nil), "github.com.openshift.api.image.v1.ImageStream")
-	proto.RegisterType((*ImageStreamImage)(nil), "github.com.openshift.api.image.v1.ImageStreamImage")
-	proto.RegisterType((*ImageStreamImport)(nil), "github.com.openshift.api.image.v1.ImageStreamImport")
-	proto.RegisterType((*ImageStreamImportSpec)(nil), "github.com.openshift.api.image.v1.ImageStreamImportSpec")
-	proto.RegisterType((*ImageStreamImportStatus)(nil), "github.com.openshift.api.image.v1.ImageStreamImportStatus")
-	proto.RegisterType((*ImageStreamLayers)(nil), "github.com.openshift.api.image.v1.ImageStreamLayers")
-	proto.RegisterMapType((map[string]ImageLayerData)(nil), "github.com.openshift.api.image.v1.ImageStreamLayers.BlobsEntry")
-	proto.RegisterMapType((map[string]ImageBlobReferences)(nil), "github.com.openshift.api.image.v1.ImageStreamLayers.ImagesEntry")
-	proto.RegisterType((*ImageStreamList)(nil), "github.com.openshift.api.image.v1.ImageStreamList")
-	proto.RegisterType((*ImageStreamMapping)(nil), "github.com.openshift.api.image.v1.ImageStreamMapping")
-	proto.RegisterType((*ImageStreamSpec)(nil), "github.com.openshift.api.image.v1.ImageStreamSpec")
-	proto.RegisterType((*ImageStreamStatus)(nil), "github.com.openshift.api.image.v1.ImageStreamStatus")
-	proto.RegisterType((*ImageStreamTag)(nil), "github.com.openshift.api.image.v1.ImageStreamTag")
-	proto.RegisterType((*ImageStreamTagList)(nil), "github.com.openshift.api.image.v1.ImageStreamTagList")
-	proto.RegisterType((*ImageTag)(nil), "github.com.openshift.api.image.v1.ImageTag")
-	proto.RegisterType((*ImageTagList)(nil), "github.com.openshift.api.image.v1.ImageTagList")
-	proto.RegisterType((*NamedTagEventList)(nil), "github.com.openshift.api.image.v1.NamedTagEventList")
-	proto.RegisterType((*RepositoryImportSpec)(nil), "github.com.openshift.api.image.v1.RepositoryImportSpec")
-	proto.RegisterType((*RepositoryImportStatus)(nil), "github.com.openshift.api.image.v1.RepositoryImportStatus")
-	proto.RegisterType((*SecretList)(nil), "github.com.openshift.api.image.v1.SecretList")
-	proto.RegisterType((*SignatureCondition)(nil), "github.com.openshift.api.image.v1.SignatureCondition")
-	proto.RegisterType((*SignatureGenericEntity)(nil), "github.com.openshift.api.image.v1.SignatureGenericEntity")
-	proto.RegisterType((*SignatureIssuer)(nil), "github.com.openshift.api.image.v1.SignatureIssuer")
-	proto.RegisterType((*SignatureSubject)(nil), "github.com.openshift.api.image.v1.SignatureSubject")
-	proto.RegisterType((*TagEvent)(nil), "github.com.openshift.api.image.v1.TagEvent")
-	proto.RegisterType((*TagEventCondition)(nil), "github.com.openshift.api.image.v1.TagEventCondition")
-	proto.RegisterType((*TagImportPolicy)(nil), "github.com.openshift.api.image.v1.TagImportPolicy")
-	proto.RegisterType((*TagReference)(nil), "github.com.openshift.api.image.v1.TagReference")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.image.v1.TagReference.AnnotationsEntry")
-	proto.RegisterType((*TagReferencePolicy)(nil), "github.com.openshift.api.image.v1.TagReferencePolicy")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/image/v1/generated.proto", fileDescriptor_650a0b34f65fde60)
-}
-
-var fileDescriptor_650a0b34f65fde60 = []byte{
-	// 2691 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xd4, 0x5a, 0x4d, 0x6c, 0x1b, 0xc7,
-	0x15, 0xf6, 0xf2, 0x4f, 0xd4, 0x13, 0x25, 0x59, 0x63, 0xcb, 0x61, 0x68, 0x47, 0x92, 0xd7, 0xb5,
-	0xe1, 0x34, 0x0e, 0x19, 0xa9, 0x4e, 0x2a, 0xbb, 0x40, 0x1d, 0xd3, 0x74, 0x0d, 0xb6, 0x62, 0xac,
-	0x8c, 0x58, 0xa3, 0x35, 0x5c, 0xa0, 0xab, 0xe5, 0x68, 0xb5, 0x15, 0xb9, 0xcb, 0xee, 0x2e, 0x95,
-	0xc8, 0x68, 0x81, 0xa2, 0x28, 0x82, 0x1c, 0x7a, 0x68, 0xcf, 0x39, 0x16, 0x41, 0x51, 0x14, 0xe8,
-	0xa5, 0x68, 0xd0, 0x53, 0x2f, 0x4d, 0x01, 0xa3, 0xa7, 0x20, 0xe8, 0x21, 0x97, 0x0a, 0xb1, 0xda,
-	0x73, 0x6f, 0xbd, 0xf8, 0x54, 0xcc, 0xcf, 0xfe, 0x72, 0x29, 0xed, 0xaa, 0x16, 0xdb, 0xdc, 0xc8,
-	0x79, 0xef, 0x7d, 0x6f, 0xe6, 0xbd, 0x37, 0xef, 0xbd, 0x99, 0x59, 0x58, 0xd6, 0x74, 0x67, 0x7b,
-	0xb0, 0x59, 0x55, 0xcd, 0x5e, 0xcd, 0xec, 0x13, 0xc3, 0xde, 0xd6, 0xb7, 0x9c, 0x9a, 0xd2, 0xd7,
-	0x6b, 0x7a, 0x4f, 0xd1, 0x48, 0x6d, 0x77, 0xb9, 0xa6, 0x11, 0x83, 0x58, 0x8a, 0x43, 0x3a, 0xd5,
-	0xbe, 0x65, 0x3a, 0x26, 0xba, 0xe8, 0x8b, 0x54, 0x3d, 0x91, 0xaa, 0xd2, 0xd7, 0xab, 0x4c, 0xa4,
-	0xba, 0xbb, 0x5c, 0x79, 0x35, 0x80, 0xaa, 0x99, 0x9a, 0x59, 0x63, 0x92, 0x9b, 0x83, 0x2d, 0xf6,
-	0x8f, 0xfd, 0x61, 0xbf, 0x38, 0x62, 0x45, 0xde, 0x59, 0xb5, 0xab, 0xba, 0xc9, 0xd4, 0xaa, 0xa6,
-	0x15, 0xa7, 0xb5, 0x72, 0xdd, 0xe7, 0xe9, 0x29, 0xea, 0xb6, 0x6e, 0x10, 0x6b, 0xaf, 0xd6, 0xdf,
-	0xd1, 0xe8, 0x80, 0x5d, 0xeb, 0x11, 0x47, 0x89, 0x93, 0xaa, 0x8d, 0x92, 0xb2, 0x06, 0x86, 0xa3,
-	0xf7, 0xc8, 0x90, 0xc0, 0x1b, 0x47, 0x09, 0xd8, 0xea, 0x36, 0xe9, 0x29, 0x51, 0x39, 0xf9, 0x53,
-	0x09, 0xce, 0x36, 0x4c, 0x75, 0x87, 0x58, 0x4d, 0x6a, 0x04, 0x4c, 0xb6, 0x88, 0x45, 0x0c, 0x95,
-	0xa0, 0x6b, 0x50, 0xb4, 0x88, 0xa6, 0xdb, 0x8e, 0xb5, 0x57, 0x96, 0x96, 0xa4, 0xab, 0x93, 0xf5,
-	0xd3, 0x4f, 0xf6, 0x17, 0x4f, 0x1d, 0xec, 0x2f, 0x16, 0xb1, 0x18, 0xc7, 0x1e, 0x07, 0xaa, 0xc1,
-	0xa4, 0xa1, 0xf4, 0x88, 0xdd, 0x57, 0x54, 0x52, 0xce, 0x30, 0xf6, 0x39, 0xc1, 0x3e, 0xf9, 0x96,
-	0x4b, 0xc0, 0x3e, 0x0f, 0x5a, 0x82, 0x1c, 0xfd, 0x53, 0xce, 0x32, 0xde, 0x92, 0xe0, 0xcd, 0x51,
-	0x5e, 0xcc, 0x28, 0xe8, 0x25, 0xc8, 0x3a, 0x8a, 0x56, 0xce, 0x31, 0x86, 0x29, 0xc1, 0x90, 0x6d,
-	0x2b, 0x1a, 0xa6, 0xe3, 0xa8, 0x02, 0x19, 0xbd, 0x51, 0xce, 0x33, 0x2a, 0x08, 0x6a, 0xa6, 0xd9,
-	0xc0, 0x19, 0xbd, 0x21, 0xff, 0xad, 0x08, 0x79, 0xb6, 0x1c, 0xf4, 0x7d, 0x28, 0x52, 0x13, 0x77,
-	0x14, 0x47, 0x61, 0xab, 0x98, 0x5a, 0x79, 0xad, 0xca, 0x2d, 0x55, 0x0d, 0x5a, 0xaa, 0xda, 0xdf,
-	0xd1, 0xe8, 0x80, 0x5d, 0xa5, 0xdc, 0xd5, 0xdd, 0xe5, 0xea, 0xfd, 0xcd, 0x1f, 0x10, 0xd5, 0x69,
-	0x11, 0x47, 0xa9, 0x23, 0x81, 0x0e, 0xfe, 0x18, 0xf6, 0x50, 0xd1, 0x3a, 0x9c, 0xed, 0xc4, 0xd8,
-	0x4f, 0x18, 0xe1, 0x82, 0x90, 0x8d, 0xb5, 0x31, 0x8e, 0x95, 0x44, 0x3f, 0x82, 0x33, 0x81, 0xf1,
-	0x96, 0x3b, 0xfd, 0x2c, 0x9b, 0xfe, 0xab, 0x23, 0xa7, 0x2f, 0x1c, 0x5d, 0xc5, 0xca, 0x3b, 0x77,
-	0xdf, 0x75, 0x88, 0x61, 0xeb, 0xa6, 0x51, 0x3f, 0x2f, 0xf4, 0x9f, 0x69, 0x0c, 0x23, 0xe2, 0x38,
-	0x35, 0x68, 0x13, 0x2a, 0x31, 0xc3, 0x0f, 0x88, 0x45, 0xf1, 0x84, 0x37, 0x64, 0x81, 0x5a, 0x69,
-	0x8c, 0xe4, 0xc4, 0x87, 0xa0, 0xa0, 0x56, 0x78, 0x85, 0x8a, 0xa1, 0x6f, 0x11, 0xdb, 0x11, 0xce,
-	0x8c, 0x9d, 0xb2, 0x60, 0xc1, 0x71, 0x72, 0x68, 0x17, 0xe6, 0x02, 0xc3, 0x6b, 0xca, 0x1e, 0xb1,
-	0xec, 0x72, 0x61, 0x29, 0xcb, 0xcc, 0x75, 0xe4, 0xa6, 0xaf, 0xfa, 0x52, 0xf5, 0x17, 0x85, 0xee,
-	0xb9, 0x46, 0x14, 0x0f, 0x0f, 0xab, 0x40, 0x04, 0xc0, 0xd6, 0x35, 0x43, 0x71, 0x06, 0x16, 0xb1,
-	0xcb, 0x13, 0x4c, 0xe1, 0x72, 0x52, 0x85, 0x1b, 0xae, 0xa4, 0x1f, 0x5f, 0xde, 0x90, 0x8d, 0x03,
-	0xc0, 0xe8, 0x3e, 0xcc, 0x07, 0x74, 0xfb, 0x4c, 0xe5, 0xe2, 0x52, 0xf6, 0x6a, 0xa9, 0xfe, 0xe2,
-	0xc1, 0xfe, 0xe2, 0x7c, 0x23, 0x8e, 0x01, 0xc7, 0xcb, 0xa1, 0x6d, 0xb8, 0x10, 0x63, 0xc6, 0x16,
-	0xe9, 0xe8, 0x4a, 0x7b, 0xaf, 0x4f, 0xca, 0x93, 0xcc, 0x0f, 0x5f, 0x12, 0xd3, 0xba, 0xd0, 0x38,
-	0x84, 0x17, 0x1f, 0x8a, 0x84, 0xee, 0x85, 0x3c, 0x73, 0xc7, 0x34, 0xb6, 0x74, 0xad, 0x0c, 0x0c,
-	0x3e, 0xce, 0xd4, 0x9c, 0x01, 0x0f, 0xcb, 0xa0, 0x9f, 0x4a, 0xa1, 0x6d, 0xe6, 0x6a, 0xb2, 0xcb,
-	0x53, 0xcc, 0xea, 0xaf, 0x25, 0xb5, 0xba, 0x2b, 0x18, 0xbb, 0x31, 0x3d, 0x54, 0x1c, 0xab, 0x4b,
-	0xfe, 0x58, 0x82, 0x33, 0x6c, 0xa8, 0xde, 0x35, 0x37, 0xbd, 0xfd, 0x6a, 0xa3, 0x55, 0x28, 0x31,
-	0x2d, 0x2d, 0xdd, 0xb6, 0x75, 0x43, 0x63, 0x3b, 0xb5, 0x58, 0x3f, 0x2b, 0x34, 0x94, 0x9a, 0x01,
-	0x1a, 0x0e, 0x71, 0x22, 0x19, 0x0a, 0x5d, 0x1e, 0xae, 0xd2, 0x52, 0x96, 0x26, 0xb2, 0x83, 0xfd,
-	0xc5, 0x82, 0x08, 0x38, 0x41, 0xa1, 0x3c, 0x2a, 0x37, 0x1c, 0x4f, 0x29, 0x8c, 0x47, 0x58, 0x4a,
-	0x50, 0xd0, 0x2b, 0x30, 0xd9, 0xf3, 0x4c, 0x92, 0x63, 0x50, 0xd3, 0x34, 0xf5, 0xfa, 0x2b, 0xf2,
-	0xe9, 0xf2, 0x5f, 0xb2, 0x30, 0xcb, 0xe6, 0xd4, 0xec, 0xf5, 0x4d, 0xcb, 0xd9, 0xe8, 0x13, 0x15,
-	0xdd, 0x85, 0xdc, 0x96, 0x65, 0xf6, 0x44, 0x8e, 0xbc, 0x14, 0x48, 0x32, 0x55, 0x5a, 0xd8, 0xfc,
-	0x8c, 0xe8, 0x2d, 0xdb, 0xcf, 0xd9, 0xdf, 0xb0, 0xcc, 0x1e, 0x66, 0xe2, 0xe8, 0x4d, 0xc8, 0x38,
-	0x26, 0x9b, 0xe7, 0xd4, 0xca, 0xd5, 0x38, 0x90, 0x35, 0x53, 0x55, 0xba, 0x51, 0xa4, 0x02, 0x4d,
-	0xdd, 0x6d, 0x13, 0x67, 0x1c, 0x13, 0x75, 0xa9, 0x2d, 0xe9, 0xb4, 0xd6, 0xcd, 0xae, 0xae, 0xee,
-	0x89, 0xac, 0xb7, 0x92, 0xc0, 0xbf, 0x6d, 0x45, 0x6b, 0x06, 0x24, 0x83, 0xf6, 0xf7, 0x47, 0x71,
-	0x08, 0x1d, 0xbd, 0x0b, 0xb3, 0x96, 0x3b, 0x0d, 0xa1, 0x30, 0xcf, 0x14, 0xbe, 0x9e, 0x4c, 0x21,
-	0x0e, 0x0b, 0xd7, 0x5f, 0x10, 0x3a, 0x67, 0x23, 0x04, 0x1c, 0x55, 0x83, 0x6e, 0xc3, 0xac, 0x6e,
-	0xa8, 0xdd, 0x41, 0xc7, 0x4f, 0x7f, 0x39, 0x16, 0x36, 0x1e, 0x44, 0x33, 0x4c, 0xc6, 0x51, 0x7e,
-	0xf9, 0x77, 0x19, 0x98, 0x0b, 0xfa, 0xd1, 0x51, 0x9c, 0x81, 0x8d, 0xda, 0x50, 0xb0, 0xd9, 0x2f,
-	0xe1, 0xcb, 0x6b, 0xc9, 0xea, 0x1d, 0x97, 0xae, 0xcf, 0x08, 0xed, 0x05, 0xfe, 0x1f, 0x0b, 0x2c,
-	0xd4, 0x84, 0x3c, 0x5b, 0xb7, 0xe7, 0xdb, 0x84, 0xfb, 0xad, 0x3e, 0x79, 0xb0, 0xbf, 0xc8, 0x6b,
-	0x31, 0xe6, 0x08, 0x6e, 0x5d, 0xcf, 0x8e, 0xa8, 0xeb, 0xdf, 0x8d, 0x86, 0x72, 0x1a, 0x6d, 0x5e,
-	0xcf, 0x11, 0x1b, 0xf8, 0xef, 0x49, 0x00, 0x7e, 0xfe, 0xf6, 0x5a, 0x10, 0x69, 0x64, 0x0b, 0x72,
-	0x19, 0x72, 0xb6, 0xfe, 0x98, 0x2f, 0x3a, 0xeb, 0x83, 0x33, 0xf1, 0x0d, 0xfd, 0x31, 0xc1, 0x8c,
-	0x4c, 0x9b, 0x9f, 0x9e, 0x97, 0x3c, 0xb3, 0xe1, 0xe6, 0xc7, 0xcf, 0x94, 0x3e, 0x8f, 0xdc, 0x81,
-	0x19, 0x7f, 0x1e, 0x0d, 0x5a, 0x75, 0x2f, 0x0a, 0x4d, 0x12, 0xd3, 0x34, 0x7d, 0xa4, 0x96, 0x4c,
-	0x02, 0x2d, 0x7f, 0x94, 0x60, 0x92, 0xab, 0xd1, 0x6d, 0x07, 0x3d, 0x1a, 0xea, 0x84, 0xaa, 0xc9,
-	0x22, 0x83, 0x4a, 0xb3, 0x3e, 0xc8, 0xeb, 0xff, 0xdc, 0x91, 0x40, 0x17, 0xd4, 0x82, 0xbc, 0xee,
-	0x90, 0x9e, 0x5d, 0xce, 0xa4, 0xf4, 0xd8, 0xb4, 0x00, 0xcd, 0x37, 0xa9, 0x38, 0xe6, 0x28, 0xf2,
-	0xaa, 0x88, 0xec, 0x35, 0xd3, 0xdc, 0x19, 0xf4, 0xc5, 0x96, 0xb9, 0x04, 0xf9, 0x2e, 0x4d, 0x1f,
-	0x22, 0xbf, 0x7a, 0x92, 0x2c, 0xa7, 0x60, 0x4e, 0x93, 0x7f, 0x95, 0x81, 0xe9, 0x70, 0x77, 0x70,
-	0x05, 0x0a, 0x1d, 0x5d, 0xa3, 0x1b, 0x8c, 0x3b, 0xda, 0x0b, 0xf1, 0x06, 0x1b, 0xc5, 0x82, 0x9a,
-	0xda, 0xbe, 0x34, 0xed, 0xbb, 0xb1, 0x45, 0xdd, 0xc4, 0xa6, 0x95, 0xf5, 0xd3, 0x4e, 0x2b, 0x40,
-	0xc3, 0x21, 0x4e, 0x2a, 0xa9, 0x58, 0xea, 0xb6, 0xee, 0x10, 0x95, 0x56, 0x64, 0xd1, 0x55, 0x79,
-	0x92, 0xb7, 0x03, 0x34, 0x1c, 0xe2, 0xa4, 0x5d, 0xaf, 0x69, 0x47, 0xbb, 0xde, 0xfb, 0x1b, 0x38,
-	0x63, 0xda, 0xe8, 0x65, 0x98, 0xd8, 0x55, 0x2c, 0x5d, 0x31, 0x9c, 0x72, 0x81, 0x31, 0xcc, 0x0a,
-	0x86, 0x89, 0x07, 0x7c, 0x18, 0xbb, 0x74, 0xf9, 0xf7, 0x05, 0x11, 0x81, 0x5e, 0x57, 0x30, 0x86,
-	0x4e, 0x79, 0x09, 0x72, 0x8e, 0x6f, 0x5b, 0x6f, 0xbf, 0x31, 0xb3, 0x32, 0x0a, 0xba, 0x0c, 0x13,
-	0xaa, 0x69, 0x38, 0xc4, 0x70, 0x98, 0x31, 0x4b, 0xf5, 0x29, 0x3a, 0xfb, 0x3b, 0x7c, 0x08, 0xbb,
-	0x34, 0xa4, 0x03, 0xa8, 0xa6, 0xd1, 0xd1, 0x1d, 0xdd, 0x34, 0xdc, 0x1c, 0x91, 0x24, 0x61, 0x7b,
-	0x8b, 0xbd, 0xe3, 0x4a, 0xfb, 0x33, 0xf6, 0x86, 0x6c, 0x1c, 0x00, 0x47, 0x5f, 0x83, 0x69, 0x26,
-	0xde, 0xec, 0x10, 0xc3, 0xd1, 0x9d, 0x3d, 0x61, 0xfa, 0x79, 0x21, 0xc6, 0x43, 0xcd, 0x25, 0xe2,
-	0x30, 0x2f, 0xfa, 0x31, 0x94, 0x68, 0x1b, 0x47, 0x3a, 0x77, 0xba, 0x8a, 0xde, 0x73, 0x5b, 0xd2,
-	0x3b, 0xa9, 0x3b, 0x44, 0x36, 0x71, 0x17, 0xe5, 0xae, 0xe1, 0x58, 0x81, 0xe2, 0x16, 0x24, 0xe1,
-	0x90, 0x3a, 0xf4, 0x36, 0x4c, 0xa8, 0x16, 0xa1, 0x67, 0xbd, 0xf2, 0x04, 0x73, 0xe8, 0x97, 0x93,
-	0x39, 0xb4, 0xad, 0xf7, 0x88, 0xb0, 0x3c, 0x17, 0xc7, 0x2e, 0x0e, 0x4d, 0x22, 0xba, 0x6d, 0x0f,
-	0x48, 0xa7, 0xbe, 0x57, 0x2e, 0x26, 0xae, 0xcc, 0xde, 0x42, 0x9a, 0x54, 0xd6, 0xaa, 0x97, 0x68,
-	0x12, 0x69, 0x0a, 0x1c, 0xec, 0x21, 0xa2, 0xef, 0xb9, 0xe8, 0x6d, 0x93, 0xf5, 0xa0, 0x53, 0x2b,
-	0x5f, 0x49, 0x83, 0xbe, 0x31, 0x60, 0x51, 0x17, 0x84, 0x6f, 0x9b, 0xd8, 0x83, 0xac, 0xdc, 0x82,
-	0xb9, 0x21, 0x43, 0xa2, 0xd3, 0x90, 0xdd, 0x21, 0xe2, 0x84, 0x8b, 0xe9, 0x4f, 0x74, 0x16, 0xf2,
-	0xbb, 0x4a, 0x77, 0x20, 0xe2, 0x14, 0xf3, 0x3f, 0x37, 0x33, 0xab, 0x12, 0xcd, 0x2d, 0x53, 0xdc,
-	0x33, 0x8e, 0x45, 0x94, 0xde, 0x18, 0xb6, 0x4c, 0x1b, 0x72, 0x76, 0x9f, 0xa8, 0xa2, 0xea, 0xae,
-	0x24, 0x8e, 0x1c, 0x36, 0x3f, 0xda, 0xd8, 0xf9, 0xdb, 0x8c, 0xfe, 0xc3, 0x0c, 0x0d, 0x3d, 0xf2,
-	0x5a, 0x04, 0xde, 0x5d, 0x5d, 0x4f, 0x89, 0x7b, 0x68, 0xab, 0x20, 0xff, 0x59, 0x82, 0xd3, 0x01,
-	0xee, 0x71, 0x9d, 0xc3, 0x5b, 0xc7, 0xed, 0x50, 0xfc, 0x0a, 0x14, 0xe8, 0x52, 0xe4, 0x3f, 0xb8,
-	0xcd, 0x95, 0xbb, 0x0a, 0xda, 0x62, 0x8d, 0x61, 0x19, 0x0f, 0x43, 0x1e, 0x5f, 0x4d, 0xe7, 0x19,
-	0xbf, 0xa1, 0x8f, 0xf5, 0xfb, 0x66, 0xc4, 0xef, 0x37, 0x8f, 0x85, 0x7e, 0xb8, 0xf7, 0x7f, 0x96,
-	0x81, 0xf9, 0xd8, 0x19, 0xd1, 0x3a, 0xcc, 0x7b, 0x6f, 0x66, 0xb9, 0xa2, 0x8f, 0xc0, 0x79, 0xb0,
-	0xa0, 0x22, 0x0d, 0xc0, 0x22, 0x7d, 0xd3, 0xd6, 0x1d, 0xd3, 0xda, 0x13, 0x76, 0xf8, 0x6a, 0x82,
-	0x99, 0x62, 0x4f, 0x28, 0x60, 0x86, 0x19, 0x6a, 0x68, 0x9f, 0x82, 0x03, 0xd0, 0xe8, 0x21, 0x9d,
-	0x90, 0xa2, 0x11, 0x6a, 0x8e, 0x6c, 0x9a, 0xed, 0x15, 0xc4, 0xf7, 0x17, 0x41, 0x91, 0xb0, 0x40,
-	0x94, 0x3f, 0xca, 0xc0, 0x0b, 0x23, 0x4c, 0x87, 0x70, 0xc8, 0x10, 0xb4, 0x0f, 0x4b, 0xe5, 0x06,
-	0x7e, 0x00, 0x8c, 0x18, 0x4d, 0x8f, 0x31, 0xda, 0x8d, 0xe3, 0x18, 0x4d, 0x78, 0xf7, 0x10, 0xb3,
-	0x3d, 0x8a, 0x98, 0xed, 0x7a, 0x4a, 0xb3, 0x45, 0xe2, 0x27, 0x62, 0xb8, 0x0f, 0x73, 0xa1, 0x7d,
-	0x27, 0x6e, 0x5a, 0x4e, 0x7e, 0xdf, 0x75, 0x20, 0xbf, 0xd9, 0x35, 0x37, 0xdd, 0x06, 0xf6, 0x56,
-	0x3a, 0x9f, 0xf0, 0x69, 0x56, 0xeb, 0x14, 0x81, 0x17, 0x68, 0x2f, 0xab, 0xb0, 0x31, 0xcc, 0xc1,
-	0xd1, 0x76, 0xc4, 0x76, 0x6f, 0x1e, 0x4b, 0x0d, 0x37, 0x19, 0xd7, 0x33, 0xc2, 0x8e, 0x95, 0x1d,
-	0x00, 0x7f, 0x36, 0x31, 0x55, 0xee, 0x5e, 0xb0, 0xca, 0xa5, 0xb8, 0xb6, 0xf2, 0x8e, 0x2c, 0x81,
-	0xc2, 0x58, 0xf9, 0xa1, 0xa8, 0x8b, 0x23, 0xb5, 0xad, 0x85, 0xb5, 0xbd, 0x91, 0x38, 0x39, 0x87,
-	0x2e, 0x5a, 0x82, 0xb5, 0xf8, 0x63, 0x49, 0x5c, 0x62, 0x08, 0xcb, 0x9c, 0xfc, 0x11, 0x67, 0x23,
-	0x7c, 0xc4, 0x49, 0xbb, 0x6b, 0xe3, 0x0f, 0x3a, 0xff, 0x94, 0x00, 0x05, 0xb8, 0x5a, 0x4a, 0xbf,
-	0xaf, 0x1b, 0xda, 0x17, 0xae, 0x5c, 0x1e, 0x71, 0xa8, 0x97, 0x7f, 0x93, 0x09, 0x79, 0x8b, 0xd5,
-	0x03, 0x03, 0x4a, 0xdd, 0xc0, 0xf1, 0x2e, 0x6d, 0x2f, 0x12, 0x3c, 0x1a, 0xfa, 0xed, 0x70, 0x70,
-	0x14, 0x87, 0xf0, 0xd1, 0x46, 0xe8, 0x1a, 0xd5, 0x4f, 0x6e, 0xe2, 0x58, 0xf8, 0x92, 0x80, 0x98,
-	0x6f, 0xc4, 0x31, 0xe1, 0x78, 0x59, 0xf4, 0x36, 0xe4, 0x1c, 0x45, 0x73, 0x63, 0xa2, 0x96, 0xf2,
-	0xd6, 0x28, 0x70, 0x08, 0x52, 0x34, 0x1b, 0x33, 0x28, 0xf9, 0xd7, 0xe1, 0xce, 0x43, 0x14, 0x8d,
-	0x13, 0x99, 0x3d, 0x81, 0xf3, 0xfd, 0xc1, 0x66, 0x57, 0x57, 0x63, 0xa5, 0x84, 0x37, 0x2f, 0x09,
-	0xe8, 0xf3, 0xeb, 0xa3, 0x59, 0xf1, 0x61, 0x38, 0xe8, 0x41, 0xc8, 0x48, 0x49, 0x3c, 0xfc, 0x96,
-	0xd2, 0x23, 0x9d, 0xb6, 0xa2, 0xdd, 0xdd, 0x25, 0x86, 0x43, 0xf7, 0x62, 0xac, 0xa5, 0x3e, 0xc8,
-	0xb9, 0xa7, 0x58, 0x66, 0xa9, 0xb6, 0x32, 0x8e, 0x8d, 0xf3, 0x4d, 0x1e, 0xe9, 0x7c, 0xdb, 0xa4,
-	0x76, 0xf8, 0x44, 0xe8, 0xae, 0x6b, 0x05, 0x40, 0xbc, 0xc7, 0xe9, 0xa6, 0x21, 0xee, 0x0f, 0x3c,
-	0xed, 0xf7, 0x3c, 0x0a, 0x0e, 0x70, 0x0d, 0x6d, 0x9b, 0xc2, 0x09, 0x6f, 0x9b, 0xed, 0x98, 0xc3,
-	0xf6, 0xf5, 0x64, 0xcb, 0x66, 0xde, 0x4b, 0x7e, 0xd6, 0xf6, 0x52, 0x52, 0xfe, 0xb9, 0x74, 0xf0,
-	0x7f, 0x0d, 0xa7, 0xd6, 0xb6, 0xa2, 0x8d, 0xa1, 0x48, 0x3c, 0x08, 0x17, 0x89, 0xe5, 0x74, 0x45,
-	0xa2, 0xad, 0x68, 0x23, 0xea, 0xc4, 0xe7, 0x19, 0x28, 0x32, 0xc6, 0xf1, 0x04, 0x79, 0x2b, 0x74,
-	0x0a, 0x49, 0x1d, 0xe5, 0xc5, 0xc8, 0xc1, 0xe3, 0x3b, 0xc7, 0x38, 0x70, 0x0e, 0xa7, 0x00, 0x38,
-	0xec, 0x5e, 0x3a, 0xf7, 0xdf, 0xde, 0x4b, 0xcb, 0x7f, 0x92, 0xa0, 0xe4, 0x9a, 0x78, 0x0c, 0x91,
-	0xb2, 0x1e, 0x8e, 0x94, 0x57, 0x92, 0xce, 0x7c, 0x74, 0x8c, 0xfc, 0x4b, 0x82, 0xb9, 0x21, 0xab,
-	0xb9, 0x95, 0x59, 0x1a, 0x71, 0xdd, 0x7e, 0x8c, 0x69, 0xb8, 0xf0, 0xf1, 0xd3, 0x88, 0x24, 0x8c,
-	0xec, 0xc9, 0x25, 0x0c, 0xf9, 0xfd, 0x2c, 0x9c, 0x8d, 0x3b, 0xf5, 0x3d, 0xaf, 0xd7, 0xac, 0xe8,
-	0x5b, 0x54, 0x66, 0xdc, 0x6f, 0x51, 0xb9, 0xff, 0xd9, 0x5b, 0x54, 0x36, 0xe5, 0x5b, 0xd4, 0xfb,
-	0x19, 0x38, 0x17, 0x7f, 0x96, 0x3c, 0xa1, 0x07, 0x29, 0xff, 0x14, 0x9a, 0x79, 0xfe, 0xa7, 0x50,
-	0x74, 0x13, 0x66, 0x94, 0x0e, 0x0f, 0x33, 0xa5, 0x4b, 0x3b, 0x0e, 0x16, 0xc7, 0x93, 0x75, 0x74,
-	0xb0, 0xbf, 0x38, 0x73, 0x3b, 0x44, 0xc1, 0x11, 0x4e, 0xf9, 0xb7, 0x12, 0xc0, 0x06, 0x51, 0x2d,
-	0xe2, 0x8c, 0x21, 0x8b, 0xdc, 0x0a, 0x6f, 0xdf, 0x4a, 0x5c, 0xa8, 0xf3, 0xc9, 0x8c, 0x48, 0x1a,
-	0x9f, 0x66, 0x01, 0x0d, 0xdf, 0x8b, 0xa3, 0x9b, 0xe2, 0xae, 0x9e, 0xa7, 0x8d, 0x2b, 0xc1, 0xbb,
-	0xfa, 0x67, 0xfb, 0x8b, 0xe7, 0x86, 0x25, 0x02, 0xb7, 0xf8, 0x6b, 0x9e, 0xc3, 0xf9, 0x4d, 0xff,
-	0xf5, 0xb0, 0x0b, 0x9f, 0xed, 0x2f, 0xc6, 0x7c, 0x37, 0x55, 0xf5, 0x90, 0x22, 0x8e, 0xd6, 0x60,
-	0xba, 0xab, 0xd8, 0xce, 0xba, 0x65, 0x6e, 0x92, 0xb6, 0x2e, 0xbe, 0x18, 0x4a, 0x77, 0x97, 0xed,
-	0xdd, 0xd6, 0xaf, 0x05, 0x81, 0x70, 0x18, 0x17, 0xed, 0x02, 0xa2, 0x03, 0x6d, 0x4b, 0x31, 0x6c,
-	0xbe, 0x24, 0xaa, 0x2d, 0x97, 0x5a, 0x5b, 0x45, 0x68, 0x43, 0x6b, 0x43, 0x68, 0x38, 0x46, 0x03,
-	0xba, 0x02, 0x05, 0x8b, 0x28, 0xb6, 0x69, 0x88, 0xb7, 0x05, 0x2f, 0x26, 0x31, 0x1b, 0xc5, 0x82,
-	0x8a, 0x5e, 0x86, 0x89, 0x1e, 0xb1, 0x6d, 0x5a, 0xec, 0x22, 0xcf, 0x3b, 0x2d, 0x3e, 0x8c, 0x5d,
-	0xba, 0xfc, 0x9e, 0x04, 0xbe, 0x8b, 0x58, 0x1f, 0xa9, 0xab, 0x77, 0xf9, 0x9b, 0xc4, 0x2a, 0x94,
-	0x4c, 0x4b, 0x53, 0x0c, 0xfd, 0x31, 0x6f, 0x3a, 0xa5, 0xf0, 0xd3, 0xd3, 0xfd, 0x00, 0x0d, 0x87,
-	0x38, 0x69, 0xb3, 0xaa, 0x9a, 0xbd, 0x9e, 0x69, 0xd0, 0x1a, 0x23, 0x5c, 0x1b, 0xc8, 0xd0, 0x2e,
-	0x05, 0x07, 0xb8, 0xe4, 0x0f, 0x25, 0x98, 0x8d, 0xdc, 0xfe, 0xa3, 0x5f, 0x4a, 0x70, 0xce, 0x8e,
-	0x9d, 0x9c, 0xd8, 0x1f, 0x37, 0xd2, 0x5c, 0xfa, 0x87, 0x00, 0xea, 0x0b, 0x62, 0x3e, 0x23, 0x56,
-	0x8f, 0x47, 0x28, 0x96, 0xff, 0x2e, 0xc1, 0xe9, 0xe8, 0x3b, 0xc2, 0xff, 0xe3, 0x44, 0xd1, 0xeb,
-	0x30, 0xc5, 0x4f, 0x5a, 0xdf, 0x22, 0x7b, 0xcd, 0x86, 0xf0, 0xc2, 0x19, 0x01, 0x36, 0xb5, 0xee,
-	0x93, 0x70, 0x90, 0x4f, 0xfe, 0x79, 0x06, 0x8a, 0x6e, 0x7d, 0x45, 0xdf, 0xf6, 0xdf, 0x85, 0xa4,
-	0xd4, 0xd1, 0xed, 0x05, 0xdd, 0xd0, 0xdb, 0xd0, 0xf3, 0xff, 0x10, 0xee, 0x92, 0xdb, 0xdc, 0xf1,
-	0x83, 0x68, 0xfc, 0xcd, 0x43, 0xf8, 0x0c, 0x95, 0x4b, 0x72, 0x86, 0x92, 0x3f, 0xc8, 0xc2, 0xdc,
-	0x50, 0xbb, 0x81, 0x6e, 0x84, 0x72, 0xde, 0xe5, 0x48, 0xce, 0x9b, 0x1f, 0x12, 0x38, 0xb1, 0x94,
-	0x17, 0x9f, 0x89, 0xb2, 0x63, 0xcc, 0x44, 0xb9, 0xa4, 0x99, 0x28, 0x7f, 0x78, 0x26, 0x8a, 0x78,
-	0xa7, 0x90, 0xc8, 0x3b, 0x1f, 0x49, 0x30, 0x1b, 0x69, 0xa0, 0xd0, 0x35, 0x28, 0xea, 0x86, 0x4d,
-	0xd4, 0x81, 0x45, 0xc4, 0xf3, 0x81, 0x57, 0x15, 0x9b, 0x62, 0x1c, 0x7b, 0x1c, 0xa8, 0x06, 0x93,
-	0xb6, 0xba, 0x4d, 0x3a, 0x83, 0x2e, 0xe9, 0x30, 0x8f, 0x14, 0xfd, 0xa7, 0xfc, 0x0d, 0x97, 0x80,
-	0x7d, 0x1e, 0xd4, 0x00, 0xe0, 0xbd, 0x58, 0xcb, 0xec, 0xb8, 0xe1, 0xe6, 0x7e, 0xff, 0x06, 0x4d,
-	0x8f, 0xf2, 0x6c, 0x7f, 0x71, 0xc6, 0xff, 0xc7, 0xfc, 0x1f, 0x90, 0x93, 0xff, 0x9d, 0x83, 0x52,
-	0xb0, 0x11, 0x4b, 0xf0, 0x85, 0xc9, 0x3b, 0x30, 0xa5, 0x18, 0x86, 0xe9, 0x28, 0xbc, 0x5b, 0xce,
-	0x24, 0xbe, 0x15, 0x0e, 0xea, 0xa9, 0xde, 0xf6, 0x21, 0xf8, 0xad, 0xb0, 0x97, 0x11, 0x02, 0x14,
-	0x1c, 0xd4, 0x84, 0x6e, 0x8b, 0x16, 0x39, 0x9b, 0xbc, 0x45, 0x2e, 0x46, 0xda, 0xe3, 0x1a, 0x4c,
-	0x7a, 0x9d, 0xa4, 0xf8, 0x78, 0xc9, 0xb3, 0xb2, 0xbf, 0xb5, 0x7d, 0x1e, 0x54, 0x0d, 0x05, 0x43,
-	0x9e, 0x05, 0xc3, 0xcc, 0x21, 0x57, 0x1d, 0xd1, 0xfe, 0xbb, 0x30, 0xee, 0xfe, 0x7b, 0x62, 0x2c,
-	0xfd, 0x77, 0xe5, 0xeb, 0x70, 0x3a, 0xea, 0xc1, 0x54, 0xef, 0xd2, 0xeb, 0x80, 0x86, 0xf5, 0x1f,
-	0xd5, 0xc2, 0x0d, 0x4b, 0xf8, 0xf9, 0xac, 0x7e, 0xef, 0xc9, 0xd3, 0x85, 0x53, 0x9f, 0x3c, 0x5d,
-	0x38, 0xf5, 0xd9, 0xd3, 0x85, 0x53, 0x3f, 0x39, 0x58, 0x90, 0x9e, 0x1c, 0x2c, 0x48, 0x9f, 0x1c,
-	0x2c, 0x48, 0x9f, 0x1d, 0x2c, 0x48, 0x9f, 0x1f, 0x2c, 0x48, 0xbf, 0xf8, 0xc7, 0xc2, 0xa9, 0x87,
-	0x17, 0x8f, 0xfc, 0x06, 0xff, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xd0, 0xa8, 0x38, 0xe0, 0xa7,
-	0x2f, 0x00, 0x00,
-}
+func (m *TagReferencePolicy) Reset() { *m = TagReferencePolicy{} }
 
 func (m *DockerImageReference) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -1936,7 +713,7 @@ func (m *ImageSignature) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.SignedClaims {
 			keysForSignedClaims = append(keysForSignedClaims, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForSignedClaims)
+		sort.Strings(keysForSignedClaims)
 		for iNdEx := len(keysForSignedClaims) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.SignedClaims[string(keysForSignedClaims[iNdEx])]
 			baseI := i
@@ -2291,7 +1068,7 @@ func (m *ImageStreamLayers) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Images {
 			keysForImages = append(keysForImages, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForImages)
+		sort.Strings(keysForImages)
 		for iNdEx := len(keysForImages) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Images[string(keysForImages[iNdEx])]
 			baseI := i
@@ -2320,7 +1097,7 @@ func (m *ImageStreamLayers) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Blobs {
 			keysForBlobs = append(keysForBlobs, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForBlobs)
+		sort.Strings(keysForBlobs)
 		for iNdEx := len(keysForBlobs) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Blobs[string(keysForBlobs[iNdEx])]
 			baseI := i
@@ -3399,7 +2176,7 @@ func (m *TagReference) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Annotations {
 			keysForAnnotations = append(keysForAnnotations, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		sort.Strings(keysForAnnotations)
 		for iNdEx := len(keysForAnnotations) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Annotations[string(keysForAnnotations[iNdEx])]
 			baseI := i
@@ -4393,7 +3170,7 @@ func (this *ImageSignature) String() string {
 	for k := range this.SignedClaims {
 		keysForSignedClaims = append(keysForSignedClaims, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForSignedClaims)
+	sort.Strings(keysForSignedClaims)
 	mapStringForSignedClaims := "map[string]string{"
 	for _, k := range keysForSignedClaims {
 		mapStringForSignedClaims += fmt.Sprintf("%v: %v,", k, this.SignedClaims[k])
@@ -4490,7 +3267,7 @@ func (this *ImageStreamLayers) String() string {
 	for k := range this.Blobs {
 		keysForBlobs = append(keysForBlobs, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForBlobs)
+	sort.Strings(keysForBlobs)
 	mapStringForBlobs := "map[string]ImageLayerData{"
 	for _, k := range keysForBlobs {
 		mapStringForBlobs += fmt.Sprintf("%v: %v,", k, this.Blobs[k])
@@ -4500,7 +3277,7 @@ func (this *ImageStreamLayers) String() string {
 	for k := range this.Images {
 		keysForImages = append(keysForImages, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForImages)
+	sort.Strings(keysForImages)
 	mapStringForImages := "map[string]ImageBlobReferences{"
 	for _, k := range keysForImages {
 		mapStringForImages += fmt.Sprintf("%v: %v,", k, this.Images[k])
@@ -4804,7 +3581,7 @@ func (this *TagReference) String() string {
 	for k := range this.Annotations {
 		keysForAnnotations = append(keysForAnnotations, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	sort.Strings(keysForAnnotations)
 	mapStringForAnnotations := "map[string]string{"
 	for _, k := range keysForAnnotations {
 		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
diff --git a/vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..68da6c96015a8
--- /dev/null
+++ b/vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go
@@ -0,0 +1,82 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*DockerImageReference) ProtoMessage() {}
+
+func (*Image) ProtoMessage() {}
+
+func (*ImageBlobReferences) ProtoMessage() {}
+
+func (*ImageImportSpec) ProtoMessage() {}
+
+func (*ImageImportStatus) ProtoMessage() {}
+
+func (*ImageLayer) ProtoMessage() {}
+
+func (*ImageLayerData) ProtoMessage() {}
+
+func (*ImageList) ProtoMessage() {}
+
+func (*ImageLookupPolicy) ProtoMessage() {}
+
+func (*ImageManifest) ProtoMessage() {}
+
+func (*ImageSignature) ProtoMessage() {}
+
+func (*ImageStream) ProtoMessage() {}
+
+func (*ImageStreamImage) ProtoMessage() {}
+
+func (*ImageStreamImport) ProtoMessage() {}
+
+func (*ImageStreamImportSpec) ProtoMessage() {}
+
+func (*ImageStreamImportStatus) ProtoMessage() {}
+
+func (*ImageStreamLayers) ProtoMessage() {}
+
+func (*ImageStreamList) ProtoMessage() {}
+
+func (*ImageStreamMapping) ProtoMessage() {}
+
+func (*ImageStreamSpec) ProtoMessage() {}
+
+func (*ImageStreamStatus) ProtoMessage() {}
+
+func (*ImageStreamTag) ProtoMessage() {}
+
+func (*ImageStreamTagList) ProtoMessage() {}
+
+func (*ImageTag) ProtoMessage() {}
+
+func (*ImageTagList) ProtoMessage() {}
+
+func (*NamedTagEventList) ProtoMessage() {}
+
+func (*RepositoryImportSpec) ProtoMessage() {}
+
+func (*RepositoryImportStatus) ProtoMessage() {}
+
+func (*SecretList) ProtoMessage() {}
+
+func (*SignatureCondition) ProtoMessage() {}
+
+func (*SignatureGenericEntity) ProtoMessage() {}
+
+func (*SignatureIssuer) ProtoMessage() {}
+
+func (*SignatureSubject) ProtoMessage() {}
+
+func (*TagEvent) ProtoMessage() {}
+
+func (*TagEventCondition) ProtoMessage() {}
+
+func (*TagImportPolicy) ProtoMessage() {}
+
+func (*TagReference) ProtoMessage() {}
+
+func (*TagReferencePolicy) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/network/v1/generated.pb.go b/vendor/github.com/openshift/api/network/v1/generated.pb.go
index 9534e3715561c..9261110b3dcdf 100644
--- a/vendor/github.com/openshift/api/network/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/network/v1/generated.pb.go
@@ -8,446 +8,34 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ClusterNetwork) Reset() { *m = ClusterNetwork{} }
 
-func (m *ClusterNetwork) Reset()      { *m = ClusterNetwork{} }
-func (*ClusterNetwork) ProtoMessage() {}
-func (*ClusterNetwork) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{0}
-}
-func (m *ClusterNetwork) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterNetwork) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterNetwork) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterNetwork.Merge(m, src)
-}
-func (m *ClusterNetwork) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterNetwork) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterNetwork.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterNetwork proto.InternalMessageInfo
-
-func (m *ClusterNetworkEntry) Reset()      { *m = ClusterNetworkEntry{} }
-func (*ClusterNetworkEntry) ProtoMessage() {}
-func (*ClusterNetworkEntry) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{1}
-}
-func (m *ClusterNetworkEntry) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterNetworkEntry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterNetworkEntry) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterNetworkEntry.Merge(m, src)
-}
-func (m *ClusterNetworkEntry) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterNetworkEntry) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterNetworkEntry.DiscardUnknown(m)
-}
+func (m *ClusterNetworkEntry) Reset() { *m = ClusterNetworkEntry{} }
 
-var xxx_messageInfo_ClusterNetworkEntry proto.InternalMessageInfo
+func (m *ClusterNetworkList) Reset() { *m = ClusterNetworkList{} }
 
-func (m *ClusterNetworkList) Reset()      { *m = ClusterNetworkList{} }
-func (*ClusterNetworkList) ProtoMessage() {}
-func (*ClusterNetworkList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{2}
-}
-func (m *ClusterNetworkList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterNetworkList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterNetworkList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterNetworkList.Merge(m, src)
-}
-func (m *ClusterNetworkList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterNetworkList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterNetworkList.DiscardUnknown(m)
-}
+func (m *EgressNetworkPolicy) Reset() { *m = EgressNetworkPolicy{} }
 
-var xxx_messageInfo_ClusterNetworkList proto.InternalMessageInfo
+func (m *EgressNetworkPolicyList) Reset() { *m = EgressNetworkPolicyList{} }
 
-func (m *EgressNetworkPolicy) Reset()      { *m = EgressNetworkPolicy{} }
-func (*EgressNetworkPolicy) ProtoMessage() {}
-func (*EgressNetworkPolicy) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{3}
-}
-func (m *EgressNetworkPolicy) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EgressNetworkPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EgressNetworkPolicy) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EgressNetworkPolicy.Merge(m, src)
-}
-func (m *EgressNetworkPolicy) XXX_Size() int {
-	return m.Size()
-}
-func (m *EgressNetworkPolicy) XXX_DiscardUnknown() {
-	xxx_messageInfo_EgressNetworkPolicy.DiscardUnknown(m)
-}
+func (m *EgressNetworkPolicyPeer) Reset() { *m = EgressNetworkPolicyPeer{} }
 
-var xxx_messageInfo_EgressNetworkPolicy proto.InternalMessageInfo
+func (m *EgressNetworkPolicyRule) Reset() { *m = EgressNetworkPolicyRule{} }
 
-func (m *EgressNetworkPolicyList) Reset()      { *m = EgressNetworkPolicyList{} }
-func (*EgressNetworkPolicyList) ProtoMessage() {}
-func (*EgressNetworkPolicyList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{4}
-}
-func (m *EgressNetworkPolicyList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EgressNetworkPolicyList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EgressNetworkPolicyList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EgressNetworkPolicyList.Merge(m, src)
-}
-func (m *EgressNetworkPolicyList) XXX_Size() int {
-	return m.Size()
-}
-func (m *EgressNetworkPolicyList) XXX_DiscardUnknown() {
-	xxx_messageInfo_EgressNetworkPolicyList.DiscardUnknown(m)
-}
+func (m *EgressNetworkPolicySpec) Reset() { *m = EgressNetworkPolicySpec{} }
 
-var xxx_messageInfo_EgressNetworkPolicyList proto.InternalMessageInfo
+func (m *HostSubnet) Reset() { *m = HostSubnet{} }
 
-func (m *EgressNetworkPolicyPeer) Reset()      { *m = EgressNetworkPolicyPeer{} }
-func (*EgressNetworkPolicyPeer) ProtoMessage() {}
-func (*EgressNetworkPolicyPeer) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{5}
-}
-func (m *EgressNetworkPolicyPeer) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EgressNetworkPolicyPeer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EgressNetworkPolicyPeer) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EgressNetworkPolicyPeer.Merge(m, src)
-}
-func (m *EgressNetworkPolicyPeer) XXX_Size() int {
-	return m.Size()
-}
-func (m *EgressNetworkPolicyPeer) XXX_DiscardUnknown() {
-	xxx_messageInfo_EgressNetworkPolicyPeer.DiscardUnknown(m)
-}
+func (m *HostSubnetList) Reset() { *m = HostSubnetList{} }
 
-var xxx_messageInfo_EgressNetworkPolicyPeer proto.InternalMessageInfo
+func (m *NetNamespace) Reset() { *m = NetNamespace{} }
 
-func (m *EgressNetworkPolicyRule) Reset()      { *m = EgressNetworkPolicyRule{} }
-func (*EgressNetworkPolicyRule) ProtoMessage() {}
-func (*EgressNetworkPolicyRule) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{6}
-}
-func (m *EgressNetworkPolicyRule) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EgressNetworkPolicyRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EgressNetworkPolicyRule) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EgressNetworkPolicyRule.Merge(m, src)
-}
-func (m *EgressNetworkPolicyRule) XXX_Size() int {
-	return m.Size()
-}
-func (m *EgressNetworkPolicyRule) XXX_DiscardUnknown() {
-	xxx_messageInfo_EgressNetworkPolicyRule.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EgressNetworkPolicyRule proto.InternalMessageInfo
-
-func (m *EgressNetworkPolicySpec) Reset()      { *m = EgressNetworkPolicySpec{} }
-func (*EgressNetworkPolicySpec) ProtoMessage() {}
-func (*EgressNetworkPolicySpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{7}
-}
-func (m *EgressNetworkPolicySpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *EgressNetworkPolicySpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *EgressNetworkPolicySpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EgressNetworkPolicySpec.Merge(m, src)
-}
-func (m *EgressNetworkPolicySpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *EgressNetworkPolicySpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_EgressNetworkPolicySpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EgressNetworkPolicySpec proto.InternalMessageInfo
-
-func (m *HostSubnet) Reset()      { *m = HostSubnet{} }
-func (*HostSubnet) ProtoMessage() {}
-func (*HostSubnet) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{8}
-}
-func (m *HostSubnet) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HostSubnet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HostSubnet) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HostSubnet.Merge(m, src)
-}
-func (m *HostSubnet) XXX_Size() int {
-	return m.Size()
-}
-func (m *HostSubnet) XXX_DiscardUnknown() {
-	xxx_messageInfo_HostSubnet.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HostSubnet proto.InternalMessageInfo
-
-func (m *HostSubnetList) Reset()      { *m = HostSubnetList{} }
-func (*HostSubnetList) ProtoMessage() {}
-func (*HostSubnetList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{9}
-}
-func (m *HostSubnetList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *HostSubnetList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *HostSubnetList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_HostSubnetList.Merge(m, src)
-}
-func (m *HostSubnetList) XXX_Size() int {
-	return m.Size()
-}
-func (m *HostSubnetList) XXX_DiscardUnknown() {
-	xxx_messageInfo_HostSubnetList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_HostSubnetList proto.InternalMessageInfo
-
-func (m *NetNamespace) Reset()      { *m = NetNamespace{} }
-func (*NetNamespace) ProtoMessage() {}
-func (*NetNamespace) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{10}
-}
-func (m *NetNamespace) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetNamespace) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetNamespace) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetNamespace.Merge(m, src)
-}
-func (m *NetNamespace) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetNamespace) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetNamespace.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetNamespace proto.InternalMessageInfo
-
-func (m *NetNamespaceList) Reset()      { *m = NetNamespaceList{} }
-func (*NetNamespaceList) ProtoMessage() {}
-func (*NetNamespaceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_38d1cb27735fa5d9, []int{11}
-}
-func (m *NetNamespaceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *NetNamespaceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *NetNamespaceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NetNamespaceList.Merge(m, src)
-}
-func (m *NetNamespaceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *NetNamespaceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_NetNamespaceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NetNamespaceList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ClusterNetwork)(nil), "github.com.openshift.api.network.v1.ClusterNetwork")
-	proto.RegisterType((*ClusterNetworkEntry)(nil), "github.com.openshift.api.network.v1.ClusterNetworkEntry")
-	proto.RegisterType((*ClusterNetworkList)(nil), "github.com.openshift.api.network.v1.ClusterNetworkList")
-	proto.RegisterType((*EgressNetworkPolicy)(nil), "github.com.openshift.api.network.v1.EgressNetworkPolicy")
-	proto.RegisterType((*EgressNetworkPolicyList)(nil), "github.com.openshift.api.network.v1.EgressNetworkPolicyList")
-	proto.RegisterType((*EgressNetworkPolicyPeer)(nil), "github.com.openshift.api.network.v1.EgressNetworkPolicyPeer")
-	proto.RegisterType((*EgressNetworkPolicyRule)(nil), "github.com.openshift.api.network.v1.EgressNetworkPolicyRule")
-	proto.RegisterType((*EgressNetworkPolicySpec)(nil), "github.com.openshift.api.network.v1.EgressNetworkPolicySpec")
-	proto.RegisterType((*HostSubnet)(nil), "github.com.openshift.api.network.v1.HostSubnet")
-	proto.RegisterType((*HostSubnetList)(nil), "github.com.openshift.api.network.v1.HostSubnetList")
-	proto.RegisterType((*NetNamespace)(nil), "github.com.openshift.api.network.v1.NetNamespace")
-	proto.RegisterType((*NetNamespaceList)(nil), "github.com.openshift.api.network.v1.NetNamespaceList")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/network/v1/generated.proto", fileDescriptor_38d1cb27735fa5d9)
-}
-
-var fileDescriptor_38d1cb27735fa5d9 = []byte{
-	// 996 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0xe3, 0x44,
-	0x14, 0xaf, 0xf3, 0xa7, 0x6d, 0x26, 0x6d, 0x5a, 0xcd, 0x56, 0xac, 0x29, 0x92, 0x13, 0xb9, 0x02,
-	0x82, 0x56, 0xd8, 0xb4, 0x8b, 0x50, 0x0f, 0x08, 0xb4, 0x6e, 0x2b, 0x6d, 0xa4, 0x6e, 0x88, 0x26,
-	0x65, 0x55, 0x21, 0x40, 0xb8, 0xce, 0xac, 0x63, 0x9a, 0xd8, 0x96, 0x67, 0x12, 0x88, 0x10, 0x7f,
-	0x2e, 0xdc, 0xf9, 0x00, 0x7c, 0x0c, 0x3e, 0x02, 0x87, 0x1e, 0x38, 0xec, 0x09, 0xf6, 0x14, 0x51,
-	0x73, 0xe7, 0x03, 0xf4, 0x84, 0x66, 0x3c, 0x8e, 0xed, 0xac, 0x2b, 0xa2, 0x22, 0x72, 0x4a, 0xe6,
-	0xfd, 0xde, 0xdf, 0xf9, 0xbd, 0xf7, 0xc6, 0xe0, 0xa1, 0xed, 0xd0, 0xfe, 0xe8, 0x42, 0xb3, 0xbc,
-	0xa1, 0xee, 0xf9, 0xd8, 0x25, 0x7d, 0xe7, 0x19, 0xd5, 0x4d, 0xdf, 0xd1, 0x5d, 0x4c, 0xbf, 0xf2,
-	0x82, 0x4b, 0x7d, 0xbc, 0xaf, 0xdb, 0xd8, 0xc5, 0x81, 0x49, 0x71, 0x4f, 0xf3, 0x03, 0x8f, 0x7a,
-	0x70, 0x2f, 0x31, 0xd2, 0x66, 0x46, 0x9a, 0xe9, 0x3b, 0x9a, 0x30, 0xd2, 0xc6, 0xfb, 0xbb, 0x6f,
-	0xa7, 0x3c, 0xdb, 0x9e, 0xed, 0xe9, 0xdc, 0xf6, 0x62, 0xf4, 0x8c, 0x9f, 0xf8, 0x81, 0xff, 0x8b,
-	0x7c, 0xee, 0xbe, 0x7b, 0x79, 0x48, 0x34, 0xc7, 0x63, 0xa1, 0x87, 0xa6, 0xd5, 0x77, 0x5c, 0x1c,
-	0x4c, 0x74, 0xff, 0xd2, 0x66, 0x02, 0xa2, 0x0f, 0x31, 0x35, 0x73, 0x32, 0xd9, 0x7d, 0xef, 0x36,
-	0xab, 0x60, 0xe4, 0x52, 0x67, 0x88, 0x75, 0x62, 0xf5, 0xf1, 0xd0, 0x9c, 0xb7, 0x53, 0x7f, 0x2e,
-	0x81, 0xda, 0xd1, 0x60, 0x44, 0x28, 0x0e, 0xda, 0x51, 0xca, 0xf0, 0x0b, 0xb0, 0xce, 0xa2, 0xf4,
-	0x4c, 0x6a, 0xca, 0x52, 0x43, 0x6a, 0x56, 0x0f, 0xde, 0xd1, 0x22, 0xef, 0x5a, 0xda, 0xbb, 0xe6,
-	0x5f, 0xda, 0x4c, 0x40, 0x34, 0xa6, 0xad, 0x8d, 0xf7, 0xb5, 0x8f, 0x2e, 0xbe, 0xc4, 0x16, 0x7d,
-	0x82, 0xa9, 0x69, 0xc0, 0xab, 0x69, 0x7d, 0x25, 0x9c, 0xd6, 0x41, 0x22, 0x43, 0x33, 0xaf, 0xf0,
-	0x2d, 0xb0, 0x26, 0xee, 0x47, 0x2e, 0x34, 0xa4, 0x66, 0xc5, 0xd8, 0x12, 0xea, 0x6b, 0x22, 0x07,
-	0x14, 0xe3, 0xf0, 0x18, 0x6c, 0xf7, 0x3d, 0x42, 0xc9, 0xe8, 0xc2, 0xc5, 0x74, 0x80, 0x5d, 0x9b,
-	0xf6, 0xe5, 0x62, 0x43, 0x6a, 0x6e, 0x1a, 0xb2, 0xb0, 0xd9, 0x7e, 0xec, 0x11, 0xda, 0xe5, 0xf8,
-	0x29, 0xc7, 0xd1, 0x4b, 0x16, 0xf0, 0x03, 0x50, 0x23, 0x38, 0x18, 0x3b, 0x16, 0x16, 0x01, 0xe4,
-	0x12, 0x8f, 0xfb, 0x8a, 0xf0, 0x51, 0xeb, 0x66, 0x50, 0x34, 0xa7, 0x0d, 0x0f, 0x00, 0xf0, 0x07,
-	0x23, 0xdb, 0x71, 0xdb, 0xe6, 0x10, 0xcb, 0x65, 0x6e, 0x3b, 0x2b, 0xb1, 0x33, 0x43, 0x50, 0x4a,
-	0x0b, 0x7e, 0x03, 0xb6, 0xac, 0xcc, 0xc5, 0x12, 0x79, 0xb5, 0x51, 0x6c, 0x56, 0x0f, 0x0e, 0xb5,
-	0x05, 0xba, 0x46, 0xcb, 0x92, 0x72, 0xe2, 0xd2, 0x60, 0x62, 0xdc, 0x17, 0x21, 0xb7, 0xb2, 0x20,
-	0x41, 0xf3, 0x91, 0xe0, 0x03, 0x50, 0x19, 0x7f, 0x3d, 0x30, 0xdd, 0x8e, 0x17, 0x50, 0x79, 0x8d,
-	0xdf, 0xd7, 0x66, 0x38, 0xad, 0x57, 0x9e, 0x9e, 0x9f, 0x3e, 0x6a, 0x33, 0x21, 0x4a, 0x70, 0xf8,
-	0x2a, 0x28, 0x0e, 0xe9, 0x48, 0x5e, 0xe7, 0x6a, 0x6b, 0xe1, 0xb4, 0x5e, 0x7c, 0x72, 0xf6, 0x31,
-	0x62, 0x32, 0xf5, 0x5b, 0x70, 0x2f, 0x27, 0x11, 0xd8, 0x00, 0x25, 0xcb, 0xe9, 0x05, 0xbc, 0x3d,
-	0x2a, 0xc6, 0x86, 0x48, 0xab, 0x74, 0xd4, 0x3a, 0x46, 0x88, 0x23, 0x31, 0x6f, 0x69, 0x5e, 0x38,
-	0xd7, 0xff, 0xca, 0x5b, 0x5a, 0xa2, 0xfe, 0x26, 0x01, 0x98, 0x8d, 0x7f, 0xea, 0x10, 0x0a, 0x3f,
-	0x7d, 0xa9, 0x43, 0xb5, 0xc5, 0x3a, 0x94, 0x59, 0xf3, 0xfe, 0xdc, 0x16, 0x49, 0xac, 0xc7, 0x92,
-	0x54, 0x77, 0x9e, 0x83, 0xb2, 0x43, 0xf1, 0x90, 0xc8, 0x05, 0x4e, 0xd7, 0xc3, 0x3b, 0xd0, 0x65,
-	0x6c, 0x0a, 0xff, 0xe5, 0x16, 0xf3, 0x84, 0x22, 0x87, 0xea, 0x1f, 0x12, 0xb8, 0x77, 0x62, 0x07,
-	0x98, 0x10, 0xa1, 0xd7, 0xf1, 0x06, 0x8e, 0x35, 0x59, 0xc2, 0xc4, 0x7d, 0x0e, 0x4a, 0xc4, 0xc7,
-	0x16, 0xa7, 0xa0, 0x7a, 0xf0, 0xfe, 0x42, 0x25, 0xe5, 0x64, 0xda, 0xf5, 0xb1, 0x95, 0xd0, 0xcd,
-	0x4e, 0x88, 0xfb, 0x55, 0x7f, 0x97, 0xc0, 0xfd, 0x1c, 0xfd, 0x25, 0xb0, 0xf5, 0x59, 0x96, 0xad,
-	0xc3, 0xbb, 0x96, 0x76, 0x0b, 0x65, 0xdf, 0xe5, 0xd6, 0xd5, 0xc1, 0x38, 0x80, 0x87, 0x60, 0x83,
-	0xb5, 0x7a, 0x17, 0x0f, 0xb0, 0x45, 0xbd, 0x78, 0x18, 0x76, 0x84, 0x9b, 0x0d, 0x36, 0x0c, 0x31,
-	0x86, 0x32, 0x9a, 0x6c, 0xff, 0xf5, 0x5c, 0xc2, 0x77, 0xc9, 0xdc, 0xfe, 0x3b, 0x6e, 0x77, 0xf9,
-	0x22, 0x89, 0x71, 0xf5, 0x97, 0xfc, 0x8b, 0x45, 0xa3, 0x01, 0x86, 0x1f, 0x82, 0x12, 0x9d, 0xf8,
-	0x58, 0x04, 0x7e, 0x10, 0xd3, 0x72, 0x36, 0xf1, 0xf1, 0xcd, 0xb4, 0xfe, 0xda, 0x2d, 0x66, 0x0c,
-	0x46, 0xdc, 0x10, 0x9e, 0x83, 0x02, 0xf5, 0xfe, 0x6b, 0x4f, 0xb0, 0xbb, 0x30, 0x80, 0x08, 0x5e,
-	0x38, 0xf3, 0x50, 0x81, 0x7a, 0xea, 0xf7, 0xb9, 0x59, 0xb3, 0x86, 0x81, 0x3d, 0xb0, 0x8a, 0x39,
-	0x24, 0x4b, 0x9c, 0xb1, 0x3b, 0x07, 0x66, 0xc5, 0x18, 0x35, 0x11, 0x78, 0x35, 0x52, 0x40, 0xc2,
-	0xb7, 0xfa, 0x77, 0x01, 0x80, 0x64, 0xc1, 0x2c, 0x61, 0xc2, 0x1a, 0xa0, 0xc4, 0xd6, 0x97, 0x20,
-	0x74, 0x36, 0x23, 0x2c, 0x07, 0xc4, 0x11, 0xf8, 0x06, 0x58, 0x65, 0xbf, 0xad, 0x0e, 0x7f, 0xc0,
-	0x2a, 0x49, 0xea, 0x8f, 0xb9, 0x14, 0x09, 0x94, 0xe9, 0x45, 0x8f, 0x97, 0x78, 0xa4, 0x66, 0x7a,
-	0x51, 0x2d, 0x48, 0xa0, 0xf0, 0x11, 0xa8, 0x44, 0xc5, 0xb6, 0x3a, 0x44, 0x2e, 0x37, 0x8a, 0xcd,
-	0x8a, 0xb1, 0xc7, 0x76, 0xfc, 0x49, 0x2c, 0xbc, 0x99, 0xd6, 0x61, 0x72, 0x07, 0xb1, 0x18, 0x25,
-	0x56, 0xb0, 0x05, 0xaa, 0xd1, 0x81, 0x35, 0x6b, 0xf4, 0x3e, 0x55, 0x8c, 0x37, 0xc3, 0x69, 0xbd,
-	0x7a, 0x92, 0x88, 0x6f, 0xa6, 0xf5, 0x9d, 0x79, 0x37, 0x7c, 0xd3, 0xa7, 0x6d, 0xd5, 0x5f, 0x25,
-	0x50, 0x4b, 0x6d, 0xf4, 0xff, 0x7f, 0xf0, 0xcf, 0xb2, 0x83, 0xaf, 0x2f, 0xd4, 0x46, 0x49, 0x86,
-	0xb7, 0xcc, 0xfb, 0x8f, 0x05, 0xb0, 0xd1, 0xc6, 0x94, 0xcd, 0x1e, 0xf1, 0x4d, 0x0b, 0x2f, 0xed,
-	0x6b, 0xc8, 0xcd, 0xd9, 0x06, 0x22, 0x11, 0x14, 0xe3, 0x70, 0x0f, 0x94, 0x5d, 0x4c, 0x9d, 0x9e,
-	0xf8, 0x04, 0x9a, 0x95, 0xd0, 0xc6, 0xb4, 0x75, 0x8c, 0x22, 0x0c, 0x1e, 0xa5, 0xfb, 0xa2, 0xc4,
-	0x29, 0x7d, 0x7d, 0xbe, 0x2f, 0x76, 0xd2, 0x35, 0xe6, 0x74, 0x86, 0x7a, 0x25, 0x81, 0xed, 0xb4,
-	0xce, 0x12, 0x08, 0x7d, 0x9a, 0x25, 0x74, 0x7f, 0x21, 0x42, 0xd3, 0x39, 0xe6, 0x53, 0x6a, 0xb4,
-	0xae, 0xae, 0x95, 0x95, 0xe7, 0xd7, 0xca, 0xca, 0x8b, 0x6b, 0x65, 0xe5, 0x87, 0x50, 0x91, 0xae,
-	0x42, 0x45, 0x7a, 0x1e, 0x2a, 0xd2, 0x8b, 0x50, 0x91, 0xfe, 0x0c, 0x15, 0xe9, 0xa7, 0xbf, 0x94,
-	0x95, 0x4f, 0xf6, 0x16, 0xf8, 0xfe, 0xff, 0x27, 0x00, 0x00, 0xff, 0xff, 0x6b, 0x4d, 0xd5, 0x11,
-	0x25, 0x0c, 0x00, 0x00,
-}
+func (m *NetNamespaceList) Reset() { *m = NetNamespaceList{} }
 
 func (m *ClusterNetwork) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..b19b7e3fe598b
--- /dev/null
+++ b/vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go
@@ -0,0 +1,30 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ClusterNetwork) ProtoMessage() {}
+
+func (*ClusterNetworkEntry) ProtoMessage() {}
+
+func (*ClusterNetworkList) ProtoMessage() {}
+
+func (*EgressNetworkPolicy) ProtoMessage() {}
+
+func (*EgressNetworkPolicyList) ProtoMessage() {}
+
+func (*EgressNetworkPolicyPeer) ProtoMessage() {}
+
+func (*EgressNetworkPolicyRule) ProtoMessage() {}
+
+func (*EgressNetworkPolicySpec) ProtoMessage() {}
+
+func (*HostSubnet) ProtoMessage() {}
+
+func (*HostSubnetList) ProtoMessage() {}
+
+func (*NetNamespace) ProtoMessage() {}
+
+func (*NetNamespaceList) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/oauth/v1/generated.pb.go b/vendor/github.com/openshift/api/oauth/v1/generated.pb.go
index a79c46802051a..312c4f34eb866 100644
--- a/vendor/github.com/openshift/api/oauth/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/oauth/v1/generated.pb.go
@@ -8,521 +8,38 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *ClusterRoleScopeRestriction) Reset() { *m = ClusterRoleScopeRestriction{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *OAuthAccessToken) Reset() { *m = OAuthAccessToken{} }
 
-func (m *ClusterRoleScopeRestriction) Reset()      { *m = ClusterRoleScopeRestriction{} }
-func (*ClusterRoleScopeRestriction) ProtoMessage() {}
-func (*ClusterRoleScopeRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{0}
-}
-func (m *ClusterRoleScopeRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterRoleScopeRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterRoleScopeRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterRoleScopeRestriction.Merge(m, src)
-}
-func (m *ClusterRoleScopeRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterRoleScopeRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterRoleScopeRestriction.DiscardUnknown(m)
-}
+func (m *OAuthAccessTokenList) Reset() { *m = OAuthAccessTokenList{} }
 
-var xxx_messageInfo_ClusterRoleScopeRestriction proto.InternalMessageInfo
+func (m *OAuthAuthorizeToken) Reset() { *m = OAuthAuthorizeToken{} }
 
-func (m *OAuthAccessToken) Reset()      { *m = OAuthAccessToken{} }
-func (*OAuthAccessToken) ProtoMessage() {}
-func (*OAuthAccessToken) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{1}
-}
-func (m *OAuthAccessToken) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthAccessToken) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthAccessToken) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthAccessToken.Merge(m, src)
-}
-func (m *OAuthAccessToken) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthAccessToken) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthAccessToken.DiscardUnknown(m)
-}
+func (m *OAuthAuthorizeTokenList) Reset() { *m = OAuthAuthorizeTokenList{} }
 
-var xxx_messageInfo_OAuthAccessToken proto.InternalMessageInfo
+func (m *OAuthClient) Reset() { *m = OAuthClient{} }
 
-func (m *OAuthAccessTokenList) Reset()      { *m = OAuthAccessTokenList{} }
-func (*OAuthAccessTokenList) ProtoMessage() {}
-func (*OAuthAccessTokenList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{2}
-}
-func (m *OAuthAccessTokenList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthAccessTokenList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthAccessTokenList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthAccessTokenList.Merge(m, src)
-}
-func (m *OAuthAccessTokenList) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthAccessTokenList) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthAccessTokenList.DiscardUnknown(m)
-}
+func (m *OAuthClientAuthorization) Reset() { *m = OAuthClientAuthorization{} }
 
-var xxx_messageInfo_OAuthAccessTokenList proto.InternalMessageInfo
+func (m *OAuthClientAuthorizationList) Reset() { *m = OAuthClientAuthorizationList{} }
 
-func (m *OAuthAuthorizeToken) Reset()      { *m = OAuthAuthorizeToken{} }
-func (*OAuthAuthorizeToken) ProtoMessage() {}
-func (*OAuthAuthorizeToken) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{3}
-}
-func (m *OAuthAuthorizeToken) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthAuthorizeToken) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthAuthorizeToken) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthAuthorizeToken.Merge(m, src)
-}
-func (m *OAuthAuthorizeToken) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthAuthorizeToken) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthAuthorizeToken.DiscardUnknown(m)
-}
+func (m *OAuthClientList) Reset() { *m = OAuthClientList{} }
 
-var xxx_messageInfo_OAuthAuthorizeToken proto.InternalMessageInfo
+func (m *OAuthRedirectReference) Reset() { *m = OAuthRedirectReference{} }
 
-func (m *OAuthAuthorizeTokenList) Reset()      { *m = OAuthAuthorizeTokenList{} }
-func (*OAuthAuthorizeTokenList) ProtoMessage() {}
-func (*OAuthAuthorizeTokenList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{4}
-}
-func (m *OAuthAuthorizeTokenList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthAuthorizeTokenList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthAuthorizeTokenList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthAuthorizeTokenList.Merge(m, src)
-}
-func (m *OAuthAuthorizeTokenList) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthAuthorizeTokenList) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthAuthorizeTokenList.DiscardUnknown(m)
-}
+func (m *RedirectReference) Reset() { *m = RedirectReference{} }
 
-var xxx_messageInfo_OAuthAuthorizeTokenList proto.InternalMessageInfo
+func (m *ScopeRestriction) Reset() { *m = ScopeRestriction{} }
 
-func (m *OAuthClient) Reset()      { *m = OAuthClient{} }
-func (*OAuthClient) ProtoMessage() {}
-func (*OAuthClient) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{5}
-}
-func (m *OAuthClient) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthClient) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthClient) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthClient.Merge(m, src)
-}
-func (m *OAuthClient) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthClient) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthClient.DiscardUnknown(m)
-}
+func (m *UserOAuthAccessToken) Reset() { *m = UserOAuthAccessToken{} }
 
-var xxx_messageInfo_OAuthClient proto.InternalMessageInfo
-
-func (m *OAuthClientAuthorization) Reset()      { *m = OAuthClientAuthorization{} }
-func (*OAuthClientAuthorization) ProtoMessage() {}
-func (*OAuthClientAuthorization) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{6}
-}
-func (m *OAuthClientAuthorization) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthClientAuthorization) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthClientAuthorization) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthClientAuthorization.Merge(m, src)
-}
-func (m *OAuthClientAuthorization) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthClientAuthorization) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthClientAuthorization.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OAuthClientAuthorization proto.InternalMessageInfo
-
-func (m *OAuthClientAuthorizationList) Reset()      { *m = OAuthClientAuthorizationList{} }
-func (*OAuthClientAuthorizationList) ProtoMessage() {}
-func (*OAuthClientAuthorizationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{7}
-}
-func (m *OAuthClientAuthorizationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthClientAuthorizationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthClientAuthorizationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthClientAuthorizationList.Merge(m, src)
-}
-func (m *OAuthClientAuthorizationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthClientAuthorizationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthClientAuthorizationList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OAuthClientAuthorizationList proto.InternalMessageInfo
-
-func (m *OAuthClientList) Reset()      { *m = OAuthClientList{} }
-func (*OAuthClientList) ProtoMessage() {}
-func (*OAuthClientList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{8}
-}
-func (m *OAuthClientList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthClientList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthClientList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthClientList.Merge(m, src)
-}
-func (m *OAuthClientList) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthClientList) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthClientList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OAuthClientList proto.InternalMessageInfo
-
-func (m *OAuthRedirectReference) Reset()      { *m = OAuthRedirectReference{} }
-func (*OAuthRedirectReference) ProtoMessage() {}
-func (*OAuthRedirectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{9}
-}
-func (m *OAuthRedirectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OAuthRedirectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OAuthRedirectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OAuthRedirectReference.Merge(m, src)
-}
-func (m *OAuthRedirectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *OAuthRedirectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_OAuthRedirectReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OAuthRedirectReference proto.InternalMessageInfo
-
-func (m *RedirectReference) Reset()      { *m = RedirectReference{} }
-func (*RedirectReference) ProtoMessage() {}
-func (*RedirectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{10}
-}
-func (m *RedirectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RedirectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RedirectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RedirectReference.Merge(m, src)
-}
-func (m *RedirectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *RedirectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_RedirectReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RedirectReference proto.InternalMessageInfo
-
-func (m *ScopeRestriction) Reset()      { *m = ScopeRestriction{} }
-func (*ScopeRestriction) ProtoMessage() {}
-func (*ScopeRestriction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{11}
-}
-func (m *ScopeRestriction) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ScopeRestriction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ScopeRestriction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ScopeRestriction.Merge(m, src)
-}
-func (m *ScopeRestriction) XXX_Size() int {
-	return m.Size()
-}
-func (m *ScopeRestriction) XXX_DiscardUnknown() {
-	xxx_messageInfo_ScopeRestriction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ScopeRestriction proto.InternalMessageInfo
-
-func (m *UserOAuthAccessToken) Reset()      { *m = UserOAuthAccessToken{} }
-func (*UserOAuthAccessToken) ProtoMessage() {}
-func (*UserOAuthAccessToken) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{12}
-}
-func (m *UserOAuthAccessToken) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserOAuthAccessToken) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserOAuthAccessToken) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserOAuthAccessToken.Merge(m, src)
-}
-func (m *UserOAuthAccessToken) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserOAuthAccessToken) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserOAuthAccessToken.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserOAuthAccessToken proto.InternalMessageInfo
-
-func (m *UserOAuthAccessTokenList) Reset()      { *m = UserOAuthAccessTokenList{} }
-func (*UserOAuthAccessTokenList) ProtoMessage() {}
-func (*UserOAuthAccessTokenList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_bd688dca7ea39c8a, []int{13}
-}
-func (m *UserOAuthAccessTokenList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserOAuthAccessTokenList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserOAuthAccessTokenList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserOAuthAccessTokenList.Merge(m, src)
-}
-func (m *UserOAuthAccessTokenList) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserOAuthAccessTokenList) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserOAuthAccessTokenList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserOAuthAccessTokenList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*ClusterRoleScopeRestriction)(nil), "github.com.openshift.api.oauth.v1.ClusterRoleScopeRestriction")
-	proto.RegisterType((*OAuthAccessToken)(nil), "github.com.openshift.api.oauth.v1.OAuthAccessToken")
-	proto.RegisterType((*OAuthAccessTokenList)(nil), "github.com.openshift.api.oauth.v1.OAuthAccessTokenList")
-	proto.RegisterType((*OAuthAuthorizeToken)(nil), "github.com.openshift.api.oauth.v1.OAuthAuthorizeToken")
-	proto.RegisterType((*OAuthAuthorizeTokenList)(nil), "github.com.openshift.api.oauth.v1.OAuthAuthorizeTokenList")
-	proto.RegisterType((*OAuthClient)(nil), "github.com.openshift.api.oauth.v1.OAuthClient")
-	proto.RegisterType((*OAuthClientAuthorization)(nil), "github.com.openshift.api.oauth.v1.OAuthClientAuthorization")
-	proto.RegisterType((*OAuthClientAuthorizationList)(nil), "github.com.openshift.api.oauth.v1.OAuthClientAuthorizationList")
-	proto.RegisterType((*OAuthClientList)(nil), "github.com.openshift.api.oauth.v1.OAuthClientList")
-	proto.RegisterType((*OAuthRedirectReference)(nil), "github.com.openshift.api.oauth.v1.OAuthRedirectReference")
-	proto.RegisterType((*RedirectReference)(nil), "github.com.openshift.api.oauth.v1.RedirectReference")
-	proto.RegisterType((*ScopeRestriction)(nil), "github.com.openshift.api.oauth.v1.ScopeRestriction")
-	proto.RegisterType((*UserOAuthAccessToken)(nil), "github.com.openshift.api.oauth.v1.UserOAuthAccessToken")
-	proto.RegisterType((*UserOAuthAccessTokenList)(nil), "github.com.openshift.api.oauth.v1.UserOAuthAccessTokenList")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/oauth/v1/generated.proto", fileDescriptor_bd688dca7ea39c8a)
-}
-
-var fileDescriptor_bd688dca7ea39c8a = []byte{
-	// 1272 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x58, 0xcf, 0x6f, 0x1b, 0xc5,
-	0x17, 0xcf, 0x36, 0x76, 0x62, 0x3f, 0x37, 0xbf, 0x26, 0x4d, 0xbb, 0xdf, 0xb6, 0x5f, 0xdb, 0x75,
-	0x24, 0x1a, 0x04, 0xac, 0x49, 0x28, 0xa5, 0x52, 0xa5, 0x4a, 0x76, 0xa8, 0x4a, 0x04, 0x69, 0xa5,
-	0x49, 0x03, 0x15, 0xf4, 0xd0, 0xe9, 0xee, 0x8b, 0x3d, 0x64, 0xbd, 0xbb, 0xec, 0x8c, 0x43, 0x83,
-	0x7a, 0xe0, 0xc2, 0x9d, 0x7f, 0x84, 0x0b, 0x77, 0x0e, 0x48, 0x1c, 0x7a, 0x42, 0x3d, 0x20, 0xd4,
-	0x93, 0x45, 0x8c, 0x38, 0xf0, 0x2f, 0x70, 0x42, 0x3b, 0xbb, 0xde, 0x1f, 0x8e, 0x4d, 0xdc, 0x03,
-	0x11, 0x87, 0xde, 0xbc, 0xef, 0x7d, 0x3e, 0x6f, 0xde, 0xcc, 0xbc, 0xcf, 0x9b, 0x19, 0xc3, 0x7a,
-	0x8b, 0xcb, 0x76, 0xf7, 0xb1, 0x61, 0xba, 0x9d, 0xba, 0xeb, 0xa1, 0x23, 0xda, 0x7c, 0x4f, 0xd6,
-	0x99, 0xc7, 0xeb, 0x2e, 0xeb, 0xca, 0x76, 0xfd, 0x60, 0xbd, 0xde, 0x42, 0x07, 0x7d, 0x26, 0xd1,
-	0x32, 0x3c, 0xdf, 0x95, 0x2e, 0xb9, 0x92, 0x50, 0x8c, 0x98, 0x62, 0x30, 0x8f, 0x1b, 0x8a, 0x62,
-	0x1c, 0xac, 0x5f, 0x7c, 0x2b, 0x15, 0xb5, 0xe5, 0xb6, 0xdc, 0xba, 0x62, 0x3e, 0xee, 0xee, 0xa9,
-	0x2f, 0xf5, 0xa1, 0x7e, 0x85, 0x11, 0x2f, 0x5e, 0xdb, 0xbf, 0x21, 0x0c, 0xee, 0x06, 0xc3, 0x76,
-	0x98, 0xd9, 0xe6, 0x0e, 0xfa, 0x87, 0x75, 0x6f, 0xbf, 0x15, 0x18, 0x44, 0xbd, 0x83, 0x92, 0x8d,
-	0xc8, 0xe3, 0xe2, 0xf5, 0x71, 0x2c, 0xbf, 0xeb, 0x48, 0xde, 0xc1, 0xba, 0x30, 0xdb, 0xd8, 0x61,
-	0xc3, 0xbc, 0xda, 0x0f, 0x1a, 0x5c, 0xda, 0xb4, 0xbb, 0x42, 0xa2, 0x4f, 0x5d, 0x1b, 0x77, 0x4c,
-	0xd7, 0x43, 0x8a, 0x42, 0xfa, 0xdc, 0x94, 0xdc, 0x75, 0xc8, 0x1b, 0x50, 0xf4, 0x5d, 0x1b, 0xef,
-	0xb2, 0x0e, 0x0a, 0x5d, 0xab, 0x4e, 0xaf, 0x15, 0x9b, 0x73, 0xfd, 0x5e, 0xa5, 0x48, 0x07, 0x46,
-	0x9a, 0xf8, 0x89, 0x01, 0xe0, 0x04, 0x3f, 0x3c, 0x66, 0xa2, 0xd0, 0xcf, 0x28, 0xf4, 0x7c, 0xbf,
-	0x57, 0x81, 0xbb, 0xb1, 0x95, 0xa6, 0x10, 0xa4, 0x01, 0x0b, 0xcc, 0xb6, 0xdd, 0x2f, 0x6f, 0x0b,
-	0x93, 0xd9, 0x2c, 0x18, 0x4f, 0x9f, 0xae, 0x6a, 0x6b, 0x85, 0xe6, 0x85, 0x67, 0xbd, 0xca, 0x54,
-	0xbf, 0x57, 0x59, 0x68, 0x64, 0xdd, 0x74, 0x18, 0x5f, 0xfb, 0x23, 0x07, 0x8b, 0xf7, 0x1a, 0x5d,
-	0xd9, 0x6e, 0x98, 0x26, 0x0a, 0x71, 0xdf, 0xdd, 0x47, 0x87, 0x3c, 0x82, 0x42, 0xb0, 0x4e, 0x16,
-	0x93, 0x4c, 0xd7, 0xaa, 0xda, 0x5a, 0x69, 0xe3, 0x6d, 0x23, 0x5c, 0x1f, 0x23, 0xbd, 0x3e, 0x86,
-	0xb7, 0xdf, 0x0a, 0x0c, 0xc2, 0x08, 0xd0, 0xc6, 0xc1, 0xba, 0x71, 0xef, 0xf1, 0xe7, 0x68, 0xca,
-	0x6d, 0x94, 0xac, 0x49, 0xa2, 0x14, 0x20, 0xb1, 0xd1, 0x38, 0x2a, 0xd9, 0x00, 0x30, 0x6d, 0x8e,
-	0x8e, 0x0c, 0x66, 0xa6, 0x9f, 0xa9, 0x6a, 0x6b, 0xc5, 0x84, 0xb1, 0x19, 0x7b, 0x68, 0x0a, 0x45,
-	0xea, 0x50, 0xc4, 0x27, 0x1e, 0xf7, 0x51, 0x6c, 0x85, 0xf3, 0x9c, 0x6e, 0x2e, 0x45, 0x94, 0xe2,
-	0xed, 0x81, 0x83, 0x26, 0x18, 0x52, 0x83, 0x19, 0x11, 0xec, 0x87, 0xd0, 0x73, 0x6a, 0x29, 0xa1,
-	0xdf, 0xab, 0xcc, 0xa8, 0x1d, 0x12, 0x34, 0xf2, 0x90, 0x77, 0xa1, 0xe4, 0xa3, 0xc5, 0x7d, 0x34,
-	0xe5, 0x2e, 0xdd, 0xd2, 0xf3, 0x2a, 0x93, 0xe5, 0x28, 0x6c, 0x89, 0x26, 0x2e, 0x9a, 0xc6, 0x91,
-	0x37, 0xa1, 0xd0, 0x15, 0xe8, 0xab, 0xec, 0x67, 0x14, 0x67, 0x31, 0xe2, 0x14, 0x76, 0x23, 0x3b,
-	0x8d, 0x11, 0xe4, 0x75, 0x98, 0x0d, 0x7e, 0xef, 0x6e, 0xbd, 0xaf, 0xcf, 0x2a, 0xf0, 0x42, 0x04,
-	0x9e, 0xdd, 0x0d, 0xcd, 0x74, 0xe0, 0x27, 0xb7, 0x60, 0x3e, 0xa8, 0x7b, 0xd7, 0xe7, 0x5f, 0xa1,
-	0xda, 0x0c, 0xbd, 0xa0, 0x18, 0xe7, 0x23, 0xc6, 0x7c, 0x23, 0xe3, 0xa5, 0x43, 0x68, 0x72, 0x03,
-	0xce, 0xfa, 0xb8, 0xe7, 0xa3, 0x68, 0x87, 0xec, 0xa2, 0x62, 0x9f, 0x8b, 0xd8, 0x67, 0x69, 0xca,
-	0x47, 0x33, 0x48, 0xf2, 0x10, 0x74, 0xee, 0x30, 0x53, 0xf2, 0x03, 0x2e, 0x0f, 0xef, 0xf3, 0x0e,
-	0xba, 0x5d, 0xb9, 0x83, 0xa6, 0xeb, 0x58, 0x42, 0x87, 0xaa, 0xb6, 0x96, 0x6f, 0x56, 0xa3, 0x28,
-	0xfa, 0xd6, 0x18, 0x1c, 0x1d, 0x1b, 0xa1, 0xf6, 0xb3, 0x06, 0xe7, 0x86, 0xeb, 0xec, 0x23, 0x2e,
-	0x24, 0x79, 0x78, 0xac, 0xd6, 0x8c, 0xc9, 0x6a, 0x2d, 0x60, 0xab, 0x4a, 0x8b, 0x57, 0x7e, 0x60,
-	0x49, 0xd5, 0xd9, 0x03, 0xc8, 0x73, 0x89, 0x9d, 0x50, 0x4c, 0xa5, 0x8d, 0x77, 0x8c, 0x13, 0xdb,
-	0x8d, 0x31, 0x9c, 0x65, 0x73, 0x2e, 0x8a, 0x9f, 0xdf, 0x0a, 0x22, 0xd1, 0x30, 0x60, 0xed, 0xc7,
-	0x1c, 0x2c, 0x87, 0xd0, 0xec, 0x06, 0xbc, 0xd2, 0xce, 0x49, 0xda, 0x59, 0x85, 0xbc, 0x90, 0x4c,
-	0x0e, 0x84, 0x13, 0x2f, 0xef, 0x4e, 0x60, 0xa4, 0xa1, 0x2f, 0x23, 0xb0, 0xd9, 0x97, 0x11, 0x58,
-	0xe1, 0x04, 0x81, 0xdd, 0x84, 0x39, 0xd3, 0xb5, 0x70, 0xb3, 0xcd, 0x6c, 0x1b, 0x9d, 0x16, 0x46,
-	0x0a, 0x59, 0x89, 0x08, 0x73, 0x9b, 0x69, 0x27, 0xcd, 0x62, 0xc9, 0x36, 0x2c, 0x67, 0x0c, 0xdb,
-	0x28, 0xdb, 0xae, 0xa5, 0xe4, 0x51, 0x6c, 0x5e, 0x8a, 0x42, 0x2c, 0x6f, 0x1e, 0x87, 0xd0, 0x51,
-	0xbc, 0xda, 0x2f, 0x1a, 0x5c, 0x18, 0x51, 0x43, 0xa7, 0xa0, 0x8b, 0xcf, 0xb2, 0xba, 0xb8, 0x3e,
-	0xb1, 0x2e, 0x32, 0x89, 0x8e, 0x91, 0xc6, 0x37, 0x33, 0x50, 0x52, 0xe8, 0xb0, 0x18, 0x4f, 0x41,
-	0x12, 0xaf, 0xc1, 0x8c, 0x40, 0xd3, 0x47, 0x19, 0xc9, 0x61, 0x3e, 0x42, 0xcf, 0xec, 0x28, 0x2b,
-	0x8d, 0xbc, 0x64, 0x13, 0x96, 0x98, 0x65, 0xf1, 0xe0, 0xe4, 0x63, 0x76, 0xe8, 0x13, 0xfa, 0xb4,
-	0x2a, 0xf0, 0x95, 0x7e, 0xaf, 0xb2, 0xd4, 0x18, 0x76, 0xd2, 0xe3, 0x78, 0xb2, 0x03, 0x2b, 0x3e,
-	0x0a, 0xcf, 0x75, 0xac, 0x4f, 0xb8, 0x6c, 0xc7, 0x7b, 0x1a, 0x28, 0x25, 0x38, 0x7b, 0xff, 0x1f,
-	0x8d, 0xbd, 0x42, 0x47, 0x81, 0xe8, 0x68, 0x2e, 0xb9, 0x16, 0xf4, 0xed, 0x58, 0x23, 0x42, 0xcf,
-	0xab, 0xa4, 0x16, 0xc3, 0x9e, 0x9d, 0xd8, 0x69, 0x06, 0x45, 0xb6, 0xa0, 0xd4, 0xf2, 0x99, 0x23,
-	0xa3, 0x3a, 0x0c, 0x05, 0x75, 0x75, 0xa0, 0xc0, 0x3b, 0x89, 0xeb, 0xaf, 0x5e, 0x65, 0x51, 0x7d,
-	0x7e, 0xc0, 0x1c, 0xcb, 0x46, 0xff, 0xfe, 0xa1, 0x87, 0x34, 0xcd, 0x25, 0x4f, 0x61, 0x49, 0x0c,
-	0x5d, 0x5e, 0x84, 0x3e, 0x3b, 0x71, 0xd7, 0x1c, 0xbe, 0xf8, 0x34, 0xff, 0x17, 0x65, 0xb1, 0x34,
-	0xec, 0x11, 0xf4, 0xf8, 0x40, 0xe4, 0x01, 0xe8, 0x2c, 0x69, 0xb9, 0xdb, 0xec, 0x49, 0xa3, 0x85,
-	0x83, 0xc3, 0xa7, 0xa0, 0x0e, 0x9f, 0xcb, 0xc1, 0xc1, 0xd3, 0x18, 0x83, 0xa1, 0x63, 0xd9, 0xe4,
-	0x10, 0x56, 0x53, 0xbe, 0x71, 0x27, 0x97, 0xea, 0x02, 0xf9, 0xe6, 0xd5, 0x7e, 0xaf, 0xb2, 0xda,
-	0x38, 0x19, 0x4e, 0x27, 0x89, 0x59, 0xfb, 0xee, 0x0c, 0xe8, 0x29, 0x1d, 0x0c, 0xb4, 0xa3, 0x2e,
-	0x5e, 0xff, 0xd1, 0x73, 0x22, 0xdd, 0x76, 0xa7, 0x5f, 0xa6, 0xed, 0xe6, 0x4e, 0x68, 0xbb, 0xc9,
-	0x79, 0x92, 0x1f, 0x77, 0x9e, 0xd4, 0x7a, 0x1a, 0x5c, 0x1e, 0xb7, 0x5e, 0xa7, 0xd0, 0x13, 0x1f,
-	0x65, 0x7b, 0xe2, 0xcd, 0x49, 0x7b, 0xe2, 0x88, 0x6c, 0xc7, 0x34, 0xc6, 0x9f, 0x34, 0x58, 0x48,
-	0x51, 0x4e, 0x61, 0x4e, 0x3b, 0xd9, 0x39, 0x19, 0x2f, 0x37, 0xa7, 0x31, 0xd3, 0x38, 0xd2, 0xe0,
-	0xbc, 0x42, 0x0d, 0x3a, 0x13, 0xc5, 0x3d, 0xf4, 0xd1, 0x31, 0xf1, 0x14, 0xaa, 0x1a, 0xa1, 0xe8,
-	0x0f, 0x86, 0x53, 0x45, 0x5d, 0xda, 0xb8, 0x36, 0xc1, 0xac, 0x8e, 0xa5, 0x9a, 0xdc, 0x7f, 0x62,
-	0x13, 0x4d, 0x22, 0xd7, 0x9e, 0xc2, 0xd2, 0xf1, 0xd9, 0xad, 0x42, 0xbe, 0xe5, 0xbb, 0x5d, 0x4f,
-	0x4d, 0x2d, 0x75, 0x73, 0xb9, 0x13, 0x18, 0x69, 0xe8, 0x23, 0x55, 0xc8, 0xed, 0x73, 0xc7, 0x8a,
-	0x04, 0x77, 0x36, 0xc2, 0xe4, 0x3e, 0xe4, 0x8e, 0x45, 0x95, 0x27, 0x40, 0x38, 0x89, 0xc0, 0x62,
-	0x84, 0x12, 0x97, 0xf2, 0xd4, 0xbe, 0xd7, 0x60, 0x71, 0xc4, 0x53, 0xb2, 0x60, 0x73, 0x89, 0x3e,
-	0xb3, 0x07, 0x2f, 0xc9, 0x85, 0xa0, 0xcb, 0xdf, 0x7e, 0xc2, 0x4c, 0xf9, 0x31, 0xb3, 0xbb, 0x28,
-	0x68, 0x0c, 0x20, 0x5f, 0x40, 0xc9, 0x4c, 0x9e, 0xa5, 0xd1, 0x42, 0xdd, 0x9a, 0x60, 0xa1, 0xfe,
-	0xe1, 0x31, 0x1b, 0x8e, 0x97, 0x02, 0xd0, 0xf4, 0x18, 0xb5, 0x3f, 0x73, 0x70, 0x2e, 0xd0, 0xfd,
-	0xab, 0xe7, 0xe4, 0xab, 0xe7, 0xe4, 0xbf, 0xfd, 0x9c, 0xfc, 0x55, 0x03, 0x7d, 0x54, 0xad, 0x9d,
-	0x42, 0x4b, 0x7d, 0x98, 0x6d, 0xa9, 0xef, 0x4d, 0xa0, 0xa9, 0x51, 0x99, 0x8e, 0xee, 0xad, 0xcd,
-	0x3b, 0xcf, 0x8e, 0xca, 0x53, 0xcf, 0x8f, 0xca, 0x53, 0x2f, 0x8e, 0xca, 0x53, 0x5f, 0xf7, 0xcb,
-	0xda, 0xb3, 0x7e, 0x59, 0x7b, 0xde, 0x2f, 0x6b, 0x2f, 0xfa, 0x65, 0xed, 0xb7, 0x7e, 0x59, 0xfb,
-	0xf6, 0xf7, 0xf2, 0xd4, 0xa7, 0x57, 0x4e, 0xfc, 0xa3, 0xed, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff,
-	0xc6, 0xcf, 0x36, 0xd6, 0x8c, 0x13, 0x00, 0x00,
-}
+func (m *UserOAuthAccessTokenList) Reset() { *m = UserOAuthAccessTokenList{} }
 
 func (m *ClusterRoleScopeRestriction) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..45e1009d2e864
--- /dev/null
+++ b/vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*ClusterRoleScopeRestriction) ProtoMessage() {}
+
+func (*OAuthAccessToken) ProtoMessage() {}
+
+func (*OAuthAccessTokenList) ProtoMessage() {}
+
+func (*OAuthAuthorizeToken) ProtoMessage() {}
+
+func (*OAuthAuthorizeTokenList) ProtoMessage() {}
+
+func (*OAuthClient) ProtoMessage() {}
+
+func (*OAuthClientAuthorization) ProtoMessage() {}
+
+func (*OAuthClientAuthorizationList) ProtoMessage() {}
+
+func (*OAuthClientList) ProtoMessage() {}
+
+func (*OAuthRedirectReference) ProtoMessage() {}
+
+func (*RedirectReference) ProtoMessage() {}
+
+func (*ScopeRestriction) ProtoMessage() {}
+
+func (*UserOAuthAccessToken) ProtoMessage() {}
+
+func (*UserOAuthAccessTokenList) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/operator/v1/types_console.go b/vendor/github.com/openshift/api/operator/v1/types_console.go
index e030a65c86013..35795b2b71b84 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_console.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_console.go
@@ -107,6 +107,9 @@ const (
 
 	// gettingStartedBanner is the name of the 'Getting started resources' banner in the console UI Overview page.
 	GettingStartedBanner ConsoleCapabilityName = "GettingStartedBanner"
+
+	// guidedTour is the name of the 'Guided Tour' feature in console UI.
+	GuidedTour ConsoleCapabilityName = "GuidedTour"
 )
 
 // CapabilityState defines the state of the capability in the console UI.
@@ -134,8 +137,8 @@ type CapabilityVisibility struct {
 // Capabilities contains set of UI capabilities and their state in the console UI.
 type Capability struct {
 	// name is the unique name of a capability.
-	// Available capabilities are LightspeedButton and GettingStartedBanner.
-	// +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner"
+	// Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
+	// +kubebuilder:validation:Enum:="LightspeedButton";"GettingStartedBanner";"GuidedTour"
 	// +required
 	Name ConsoleCapabilityName `json:"name"`
 	// visibility defines the visibility state of the capability.
@@ -281,10 +284,10 @@ type ConsoleCustomization struct {
 
 	// capabilities defines an array of capabilities that can be interacted with in the console UI.
 	// Each capability defines a visual state that can be interacted with the console to render in the UI.
-	// Available capabilities are LightspeedButton and GettingStartedBanner.
+	// Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.
 	// Each of the available capabilities may appear only once in the list.
 	// +kubebuilder:validation:MinItems=1
-	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:MaxItems=3
 	// +listType=map
 	// +listMapKey=name
 	// +optional
diff --git a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
index c6bcd22bc0fc0..f5836af0f8cc8 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
@@ -18,7 +18,8 @@ import (
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || size(self.spec.managedBootImages.machineManagers) > 0 : true",message="when skew enforcement is in Automatic mode, managedBootImages.machineManagers must not be an empty list"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || !self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') || self.spec.managedBootImages.machineManagers.exists(m, m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io' && m.selection.mode == 'All') : true",message="when skew enforcement is in Automatic mode, any MachineAPI MachineSet MachineManager must use selection mode 'All'"
 // +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
 type MachineConfiguration struct {
 	metav1.TypeMeta `json:",inline"`
diff --git a/vendor/github.com/openshift/api/operator/v1/types_network.go b/vendor/github.com/openshift/api/operator/v1/types_network.go
index 111240eecff05..1cf56f549bfca 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_network.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_network.go
@@ -54,7 +54,7 @@ type NetworkList struct {
 
 // NetworkSpec is the top-level network configuration object.
 // +kubebuilder:validation:XValidation:rule="!has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding) || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == oldSelf.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Restricted' || self.defaultNetwork.ovnKubernetesConfig.gatewayConfig.ipForwarding == 'Global'",message="invalid value for IPForwarding, valid values are 'Restricted' or 'Global'"
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=RouteAdvertisements,rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available"
+// +kubebuilder:validation:XValidation:rule="(has(self.additionalRoutingCapabilities) && ('FRR' in self.additionalRoutingCapabilities.providers)) || !has(self.defaultNetwork) || !has(self.defaultNetwork.ovnKubernetesConfig) || !has(self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements) || self.defaultNetwork.ovnKubernetesConfig.routeAdvertisements != 'Enabled'",message="Route advertisements cannot be Enabled if 'FRR' routing capability provider is not available"
 type NetworkSpec struct {
 	OperatorSpec `json:",inline"`
 
@@ -136,7 +136,6 @@ type NetworkSpec struct {
 	// capabilities acquired through the enablement of these components but may
 	// require specific configuration on their side to do so; refer to their
 	// respective documentation and configuration options.
-	// +openshift:enable:FeatureGate=AdditionalRoutingCapabilities
 	// +optional
 	AdditionalRoutingCapabilities *AdditionalRoutingCapabilities `json:"additionalRoutingCapabilities,omitempty"`
 }
@@ -157,7 +156,7 @@ const (
 )
 
 // NetworkMigration represents the cluster network migration configuration.
-// +openshift:validation:FeatureGateAwareXValidation:featureGate=NetworkLiveMigration,rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration"
+// +kubebuilder:validation:XValidation:rule="!has(self.mtu) || !has(self.networkType) || self.networkType == \"\" || has(self.mode) && self.mode == 'Live'",message="networkType migration in mode other than 'Live' may not be configured at the same time as mtu migration"
 type NetworkMigration struct {
 	// mtu contains the MTU migration configuration. Set this to allow changing
 	// the MTU values for the default network. If unset, the operation of
@@ -465,7 +464,6 @@ type OVNKubernetesConfig struct {
 	// means the user has no opinion and the platform is left to choose
 	// reasonable defaults. These defaults are subject to change over time. The
 	// current default is "Disabled".
-	// +openshift:enable:FeatureGate=RouteAdvertisements
 	// +optional
 	RouteAdvertisements RouteAdvertisementsEnablement `json:"routeAdvertisements,omitempty"`
 }
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
index e7c94e2869467..51a758804d604 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -327,10 +327,7 @@ networks.operator.openshift.io:
   CRDName: networks.operator.openshift.io
   Capability: ""
   Category: ""
-  FeatureGates:
-  - AdditionalRoutingCapabilities
-  - NetworkLiveMigration
-  - RouteAdvertisements
+  FeatureGates: []
   FilenameOperatorName: network
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_70"
diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
index 06096a6c81e21..64aac26eb383d 100644
--- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
@@ -210,7 +210,7 @@ func (AddPage) SwaggerDoc() map[string]string {
 
 var map_Capability = map[string]string{
 	"":           "Capabilities contains set of UI capabilities and their state in the console UI.",
-	"name":       "name is the unique name of a capability. Available capabilities are LightspeedButton and GettingStartedBanner.",
+	"name":       "name is the unique name of a capability. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour.",
 	"visibility": "visibility defines the visibility state of the capability.",
 }
 
@@ -259,7 +259,7 @@ func (ConsoleConfigRoute) SwaggerDoc() map[string]string {
 var map_ConsoleCustomization = map[string]string{
 	"":                     "ConsoleCustomization defines a list of optional configuration for the console UI. Ensure that Logos and CustomLogoFile cannot be set at the same time.",
 	"logos":                "logos is used to replace the OpenShift Masthead and Favicon logos in the console UI with custom logos. logos is an optional field that allows a list of logos. Only one of logos or customLogoFile can be set at a time. If logos is set, customLogoFile must be unset. When specified, there must be at least one entry and no more than 2 entries. Each type must appear only once in the list.",
-	"capabilities":         "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton and GettingStartedBanner. Each of the available capabilities may appear only once in the list.",
+	"capabilities":         "capabilities defines an array of capabilities that can be interacted with in the console UI. Each capability defines a visual state that can be interacted with the console to render in the UI. Available capabilities are LightspeedButton, GettingStartedBanner, and GuidedTour. Each of the available capabilities may appear only once in the list.",
 	"brand":                "brand is the default branding of the web console which can be overridden by providing the brand field.  There is a limited set of specific brand options. This field controls elements of the console such as the logo. Invalid value will prevent a console rollout.",
 	"documentationBaseURL": "documentationBaseURL links to external documentation are shown in various sections of the web console.  Providing documentationBaseURL will override the default documentation URL. Invalid value will prevent a console rollout.",
 	"customProductName":    "customProductName is the name that will be displayed in page titles, logo alt text, and the about dialog instead of the normal OpenShift product name.",
diff --git a/vendor/github.com/openshift/api/project/v1/generated.pb.go b/vendor/github.com/openshift/api/project/v1/generated.pb.go
index 822dbbc301320..9e71e711dcd5d 100644
--- a/vendor/github.com/openshift/api/project/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/project/v1/generated.pb.go
@@ -8,218 +8,23 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Project) Reset() { *m = Project{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *ProjectList) Reset() { *m = ProjectList{} }
 
-func (m *Project) Reset()      { *m = Project{} }
-func (*Project) ProtoMessage() {}
-func (*Project) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbf46eaac05029bf, []int{0}
-}
-func (m *Project) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Project) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Project) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Project.Merge(m, src)
-}
-func (m *Project) XXX_Size() int {
-	return m.Size()
-}
-func (m *Project) XXX_DiscardUnknown() {
-	xxx_messageInfo_Project.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Project proto.InternalMessageInfo
-
-func (m *ProjectList) Reset()      { *m = ProjectList{} }
-func (*ProjectList) ProtoMessage() {}
-func (*ProjectList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbf46eaac05029bf, []int{1}
-}
-func (m *ProjectList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProjectList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProjectList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProjectList.Merge(m, src)
-}
-func (m *ProjectList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProjectList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProjectList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ProjectList proto.InternalMessageInfo
-
-func (m *ProjectRequest) Reset()      { *m = ProjectRequest{} }
-func (*ProjectRequest) ProtoMessage() {}
-func (*ProjectRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbf46eaac05029bf, []int{2}
-}
-func (m *ProjectRequest) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProjectRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProjectRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProjectRequest.Merge(m, src)
-}
-func (m *ProjectRequest) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProjectRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProjectRequest.DiscardUnknown(m)
-}
+func (m *ProjectRequest) Reset() { *m = ProjectRequest{} }
 
-var xxx_messageInfo_ProjectRequest proto.InternalMessageInfo
+func (m *ProjectSpec) Reset() { *m = ProjectSpec{} }
 
-func (m *ProjectSpec) Reset()      { *m = ProjectSpec{} }
-func (*ProjectSpec) ProtoMessage() {}
-func (*ProjectSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbf46eaac05029bf, []int{3}
-}
-func (m *ProjectSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProjectSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProjectSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProjectSpec.Merge(m, src)
-}
-func (m *ProjectSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProjectSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProjectSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ProjectSpec proto.InternalMessageInfo
-
-func (m *ProjectStatus) Reset()      { *m = ProjectStatus{} }
-func (*ProjectStatus) ProtoMessage() {}
-func (*ProjectStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbf46eaac05029bf, []int{4}
-}
-func (m *ProjectStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ProjectStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ProjectStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ProjectStatus.Merge(m, src)
-}
-func (m *ProjectStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ProjectStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ProjectStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ProjectStatus proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Project)(nil), "github.com.openshift.api.project.v1.Project")
-	proto.RegisterType((*ProjectList)(nil), "github.com.openshift.api.project.v1.ProjectList")
-	proto.RegisterType((*ProjectRequest)(nil), "github.com.openshift.api.project.v1.ProjectRequest")
-	proto.RegisterType((*ProjectSpec)(nil), "github.com.openshift.api.project.v1.ProjectSpec")
-	proto.RegisterType((*ProjectStatus)(nil), "github.com.openshift.api.project.v1.ProjectStatus")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/project/v1/generated.proto", fileDescriptor_fbf46eaac05029bf)
-}
-
-var fileDescriptor_fbf46eaac05029bf = []byte{
-	// 573 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0x4d, 0x6f, 0xd3, 0x30,
-	0x18, 0xc7, 0x9b, 0x6d, 0x1d, 0xab, 0xcb, 0x26, 0x14, 0x2e, 0x55, 0x0f, 0x69, 0xc9, 0x24, 0xd4,
-	0x03, 0x38, 0xb4, 0xbc, 0x88, 0x73, 0x40, 0x88, 0x49, 0xbc, 0x0c, 0x73, 0xab, 0x38, 0xe0, 0xa6,
-	0x6e, 0x6a, 0xba, 0xc4, 0x26, 0x76, 0x2b, 0x8d, 0x13, 0x1f, 0x81, 0x3b, 0x9f, 0x83, 0x2b, 0xe7,
-	0x1e, 0x77, 0xdc, 0xa9, 0x5a, 0xc3, 0xb7, 0xd8, 0x09, 0xd9, 0x71, 0x93, 0xc0, 0x8a, 0xd4, 0x5d,
-	0xb8, 0xd5, 0x4f, 0xfe, 0xbf, 0x9f, 0xed, 0xe7, 0x49, 0x03, 0x1e, 0x86, 0x54, 0x8e, 0xa7, 0x03,
-	0x18, 0xb0, 0xc8, 0x63, 0x9c, 0xc4, 0x62, 0x4c, 0x47, 0xd2, 0xc3, 0x9c, 0x7a, 0x3c, 0x61, 0x9f,
-	0x48, 0x20, 0xbd, 0x59, 0xd7, 0x0b, 0x49, 0x4c, 0x12, 0x2c, 0xc9, 0x10, 0xf2, 0x84, 0x49, 0x66,
-	0x1f, 0x16, 0x10, 0xcc, 0x21, 0x88, 0x39, 0x85, 0x06, 0x82, 0xb3, 0x6e, 0xf3, 0x7e, 0xc9, 0x1c,
-	0xb2, 0x90, 0x79, 0x9a, 0x1d, 0x4c, 0x47, 0x7a, 0xa5, 0x17, 0xfa, 0x57, 0xe6, 0x6c, 0xba, 0x93,
-	0xa7, 0x02, 0x52, 0xa6, 0xb7, 0x0e, 0x58, 0x42, 0xd6, 0xec, 0xdb, 0x7c, 0x54, 0x64, 0x22, 0x1c,
-	0x8c, 0x69, 0x4c, 0x92, 0x53, 0x8f, 0x4f, 0x42, 0x55, 0x10, 0x5e, 0x44, 0x24, 0x5e, 0x47, 0x3d,
-	0xf9, 0x17, 0x95, 0x4c, 0x63, 0x49, 0x23, 0xe2, 0x89, 0x60, 0x4c, 0x22, 0xfc, 0x37, 0xe7, 0x7e,
-	0xdf, 0x02, 0x37, 0x8e, 0xb3, 0xfb, 0xd8, 0x1f, 0xc1, 0x9e, 0xd2, 0x0f, 0xb1, 0xc4, 0x0d, 0xab,
-	0x6d, 0x75, 0xea, 0xbd, 0x07, 0x30, 0xd3, 0xc2, 0xb2, 0x16, 0xf2, 0x49, 0xa8, 0x0a, 0x02, 0xaa,
-	0x34, 0x9c, 0x75, 0xe1, 0xdb, 0x81, 0xe2, 0x5f, 0x13, 0x89, 0x7d, 0x7b, 0xbe, 0x68, 0x55, 0xd2,
-	0x45, 0x0b, 0x14, 0x35, 0x94, 0x5b, 0x6d, 0x04, 0x76, 0x04, 0x27, 0x41, 0x63, 0xcb, 0xd8, 0x37,
-	0x68, 0x31, 0x34, 0xa7, 0x7b, 0xcf, 0x49, 0xe0, 0xdf, 0x34, 0xf6, 0x1d, 0xb5, 0x42, 0xda, 0x65,
-	0xf7, 0xc1, 0xae, 0x90, 0x58, 0x4e, 0x45, 0x63, 0x5b, 0x5b, 0x7b, 0xd7, 0xb2, 0x6a, 0xd2, 0x3f,
-	0x30, 0xde, 0xdd, 0x6c, 0x8d, 0x8c, 0xd1, 0xfd, 0x69, 0x81, 0xba, 0x49, 0xbe, 0xa2, 0x42, 0xda,
-	0x1f, 0xae, 0x74, 0x08, 0x6e, 0xd6, 0x21, 0x45, 0xeb, 0xfe, 0xdc, 0x32, 0x3b, 0xed, 0xad, 0x2a,
-	0xa5, 0xee, 0xbc, 0x03, 0x55, 0x2a, 0x49, 0x24, 0x1a, 0x5b, 0xed, 0xed, 0x4e, 0xbd, 0x77, 0xef,
-	0x3a, 0x17, 0xf1, 0xf7, 0x8d, 0xb8, 0x7a, 0xa4, 0x14, 0x28, 0x33, 0xb9, 0x17, 0x16, 0x38, 0x30,
-	0x09, 0x44, 0x3e, 0x4f, 0x89, 0xf8, 0x1f, 0x53, 0x7e, 0x0c, 0xea, 0x43, 0x2a, 0xf8, 0x09, 0x3e,
-	0x7d, 0x83, 0x23, 0xa2, 0x87, 0x5d, 0xf3, 0x6f, 0x1b, 0xa4, 0xfe, 0xbc, 0x78, 0x84, 0xca, 0x39,
-	0x8d, 0x11, 0x11, 0x24, 0x94, 0x4b, 0xca, 0x62, 0x3d, 0xcd, 0x32, 0x56, 0x3c, 0x42, 0xe5, 0x9c,
-	0x8b, 0xf3, 0x11, 0xa9, 0x97, 0xc2, 0x46, 0x00, 0x8c, 0x68, 0x8c, 0x4f, 0xe8, 0x17, 0x92, 0x88,
-	0x86, 0xd5, 0xde, 0xee, 0xd4, 0xfc, 0x9e, 0x3a, 0xea, 0x8b, 0xbc, 0x7a, 0xb9, 0x68, 0xb5, 0xaf,
-	0xfe, 0x11, 0x61, 0x1e, 0xd0, 0x47, 0x2b, 0x59, 0xdc, 0x1f, 0x16, 0xd8, 0xff, 0xe3, 0x85, 0xb1,
-	0x5f, 0x82, 0x2a, 0x1f, 0x63, 0x41, 0x74, 0x07, 0x6b, 0x7e, 0x6f, 0xd5, 0xfc, 0x63, 0x55, 0xbc,
-	0x5c, 0xb4, 0xee, 0xac, 0xf1, 0x2b, 0xad, 0xe0, 0x38, 0x20, 0x3a, 0x84, 0x32, 0x81, 0xdd, 0x07,
-	0x20, 0x60, 0xf1, 0x90, 0xaa, 0xbb, 0xac, 0x26, 0x7f, 0xb7, 0x34, 0x10, 0xa8, 0x70, 0x58, 0xc6,
-	0x9f, 0xad, 0xe2, 0xc5, 0x18, 0xf2, 0x92, 0x40, 0x25, 0x9b, 0x7f, 0x34, 0x5f, 0x3a, 0x95, 0xb3,
-	0xa5, 0x53, 0x39, 0x5f, 0x3a, 0x95, 0xaf, 0xa9, 0x63, 0xcd, 0x53, 0xc7, 0x3a, 0x4b, 0x1d, 0xeb,
-	0x3c, 0x75, 0xac, 0x8b, 0xd4, 0xb1, 0xbe, 0xfd, 0x72, 0x2a, 0xfd, 0xc3, 0x0d, 0xbe, 0x8e, 0xbf,
-	0x03, 0x00, 0x00, 0xff, 0xff, 0xb3, 0x9b, 0x1f, 0xba, 0x43, 0x05, 0x00, 0x00,
-}
+func (m *ProjectStatus) Reset() { *m = ProjectStatus{} }
 
 func (m *Project) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..feaab85c78df8
--- /dev/null
+++ b/vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go
@@ -0,0 +1,16 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Project) ProtoMessage() {}
+
+func (*ProjectList) ProtoMessage() {}
+
+func (*ProjectRequest) ProtoMessage() {}
+
+func (*ProjectSpec) ProtoMessage() {}
+
+func (*ProjectStatus) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/quota/v1/generated.pb.go b/vendor/github.com/openshift/api/quota/v1/generated.pb.go
index 7556462cffa37..f71af7cfa7243 100644
--- a/vendor/github.com/openshift/api/quota/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/quota/v1/generated.pb.go
@@ -7,316 +7,30 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AppliedClusterResourceQuota) Reset() { *m = AppliedClusterResourceQuota{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *AppliedClusterResourceQuotaList) Reset() { *m = AppliedClusterResourceQuotaList{} }
 
-func (m *AppliedClusterResourceQuota) Reset()      { *m = AppliedClusterResourceQuota{} }
-func (*AppliedClusterResourceQuota) ProtoMessage() {}
-func (*AppliedClusterResourceQuota) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{0}
-}
-func (m *AppliedClusterResourceQuota) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AppliedClusterResourceQuota) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AppliedClusterResourceQuota) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AppliedClusterResourceQuota.Merge(m, src)
-}
-func (m *AppliedClusterResourceQuota) XXX_Size() int {
-	return m.Size()
-}
-func (m *AppliedClusterResourceQuota) XXX_DiscardUnknown() {
-	xxx_messageInfo_AppliedClusterResourceQuota.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AppliedClusterResourceQuota proto.InternalMessageInfo
-
-func (m *AppliedClusterResourceQuotaList) Reset()      { *m = AppliedClusterResourceQuotaList{} }
-func (*AppliedClusterResourceQuotaList) ProtoMessage() {}
-func (*AppliedClusterResourceQuotaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{1}
-}
-func (m *AppliedClusterResourceQuotaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AppliedClusterResourceQuotaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AppliedClusterResourceQuotaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AppliedClusterResourceQuotaList.Merge(m, src)
-}
-func (m *AppliedClusterResourceQuotaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *AppliedClusterResourceQuotaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_AppliedClusterResourceQuotaList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AppliedClusterResourceQuotaList proto.InternalMessageInfo
-
-func (m *ClusterResourceQuota) Reset()      { *m = ClusterResourceQuota{} }
-func (*ClusterResourceQuota) ProtoMessage() {}
-func (*ClusterResourceQuota) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{2}
-}
-func (m *ClusterResourceQuota) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterResourceQuota) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterResourceQuota) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterResourceQuota.Merge(m, src)
-}
-func (m *ClusterResourceQuota) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterResourceQuota) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterResourceQuota.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterResourceQuota proto.InternalMessageInfo
-
-func (m *ClusterResourceQuotaList) Reset()      { *m = ClusterResourceQuotaList{} }
-func (*ClusterResourceQuotaList) ProtoMessage() {}
-func (*ClusterResourceQuotaList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{3}
-}
-func (m *ClusterResourceQuotaList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterResourceQuotaList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterResourceQuotaList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterResourceQuotaList.Merge(m, src)
-}
-func (m *ClusterResourceQuotaList) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterResourceQuotaList) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterResourceQuotaList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterResourceQuotaList proto.InternalMessageInfo
-
-func (m *ClusterResourceQuotaSelector) Reset()      { *m = ClusterResourceQuotaSelector{} }
-func (*ClusterResourceQuotaSelector) ProtoMessage() {}
-func (*ClusterResourceQuotaSelector) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{4}
-}
-func (m *ClusterResourceQuotaSelector) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterResourceQuotaSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterResourceQuotaSelector) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterResourceQuotaSelector.Merge(m, src)
-}
-func (m *ClusterResourceQuotaSelector) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterResourceQuotaSelector) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterResourceQuotaSelector.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterResourceQuotaSelector proto.InternalMessageInfo
-
-func (m *ClusterResourceQuotaSpec) Reset()      { *m = ClusterResourceQuotaSpec{} }
-func (*ClusterResourceQuotaSpec) ProtoMessage() {}
-func (*ClusterResourceQuotaSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{5}
-}
-func (m *ClusterResourceQuotaSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterResourceQuotaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterResourceQuotaSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterResourceQuotaSpec.Merge(m, src)
-}
-func (m *ClusterResourceQuotaSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterResourceQuotaSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterResourceQuotaSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ClusterResourceQuotaSpec proto.InternalMessageInfo
-
-func (m *ClusterResourceQuotaStatus) Reset()      { *m = ClusterResourceQuotaStatus{} }
-func (*ClusterResourceQuotaStatus) ProtoMessage() {}
-func (*ClusterResourceQuotaStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{6}
-}
-func (m *ClusterResourceQuotaStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ClusterResourceQuotaStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ClusterResourceQuotaStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ClusterResourceQuotaStatus.Merge(m, src)
-}
-func (m *ClusterResourceQuotaStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ClusterResourceQuotaStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ClusterResourceQuotaStatus.DiscardUnknown(m)
-}
+func (m *ClusterResourceQuota) Reset() { *m = ClusterResourceQuota{} }
 
-var xxx_messageInfo_ClusterResourceQuotaStatus proto.InternalMessageInfo
-
-func (m *ResourceQuotaStatusByNamespace) Reset()      { *m = ResourceQuotaStatusByNamespace{} }
-func (*ResourceQuotaStatusByNamespace) ProtoMessage() {}
-func (*ResourceQuotaStatusByNamespace) Descriptor() ([]byte, []int) {
-	return fileDescriptor_f605e5b8440aecb8, []int{7}
-}
-func (m *ResourceQuotaStatusByNamespace) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ResourceQuotaStatusByNamespace) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ResourceQuotaStatusByNamespace) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ResourceQuotaStatusByNamespace.Merge(m, src)
-}
-func (m *ResourceQuotaStatusByNamespace) XXX_Size() int {
-	return m.Size()
-}
-func (m *ResourceQuotaStatusByNamespace) XXX_DiscardUnknown() {
-	xxx_messageInfo_ResourceQuotaStatusByNamespace.DiscardUnknown(m)
-}
+func (m *ClusterResourceQuotaList) Reset() { *m = ClusterResourceQuotaList{} }
 
-var xxx_messageInfo_ResourceQuotaStatusByNamespace proto.InternalMessageInfo
+func (m *ClusterResourceQuotaSelector) Reset() { *m = ClusterResourceQuotaSelector{} }
 
-func init() {
-	proto.RegisterType((*AppliedClusterResourceQuota)(nil), "github.com.openshift.api.quota.v1.AppliedClusterResourceQuota")
-	proto.RegisterType((*AppliedClusterResourceQuotaList)(nil), "github.com.openshift.api.quota.v1.AppliedClusterResourceQuotaList")
-	proto.RegisterType((*ClusterResourceQuota)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuota")
-	proto.RegisterType((*ClusterResourceQuotaList)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuotaList")
-	proto.RegisterType((*ClusterResourceQuotaSelector)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuotaSelector")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuotaSelector.AnnotationsEntry")
-	proto.RegisterType((*ClusterResourceQuotaSpec)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuotaSpec")
-	proto.RegisterType((*ClusterResourceQuotaStatus)(nil), "github.com.openshift.api.quota.v1.ClusterResourceQuotaStatus")
-	proto.RegisterType((*ResourceQuotaStatusByNamespace)(nil), "github.com.openshift.api.quota.v1.ResourceQuotaStatusByNamespace")
-}
+func (m *ClusterResourceQuotaSpec) Reset() { *m = ClusterResourceQuotaSpec{} }
 
-func init() {
-	proto.RegisterFile("github.com/openshift/api/quota/v1/generated.proto", fileDescriptor_f605e5b8440aecb8)
-}
+func (m *ClusterResourceQuotaStatus) Reset() { *m = ClusterResourceQuotaStatus{} }
 
-var fileDescriptor_f605e5b8440aecb8 = []byte{
-	// 716 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0x41, 0x6f, 0xd3, 0x3e,
-	0x1c, 0x6d, 0xba, 0x75, 0x5a, 0xbd, 0xff, 0xfe, 0xda, 0xac, 0x1d, 0xaa, 0x82, 0xd2, 0x2d, 0x12,
-	0x62, 0x17, 0x1c, 0x3a, 0x10, 0x4c, 0x20, 0x86, 0x16, 0x84, 0x10, 0x68, 0x30, 0x08, 0x9c, 0xd0,
-	0x40, 0xb8, 0x99, 0xd7, 0x86, 0x26, 0x71, 0x88, 0x9d, 0x4a, 0xbd, 0xf1, 0x09, 0x10, 0x9f, 0x81,
-	0x0f, 0xc2, 0x0d, 0x69, 0x37, 0x76, 0x01, 0xed, 0x34, 0xd1, 0xc0, 0x07, 0x41, 0x76, 0xdc, 0xa4,
-	0xdb, 0xda, 0xad, 0x6c, 0x07, 0x2e, 0xdc, 0xe2, 0x5f, 0xfd, 0xde, 0xfb, 0xfd, 0x5e, 0x9e, 0xdd,
-	0x80, 0x7a, 0xd3, 0xe5, 0xad, 0xb8, 0x81, 0x1c, 0xea, 0x9b, 0x34, 0x24, 0x01, 0x6b, 0xb9, 0x3b,
-	0xdc, 0xc4, 0xa1, 0x6b, 0xbe, 0x8b, 0x29, 0xc7, 0x66, 0xa7, 0x6e, 0x36, 0x49, 0x40, 0x22, 0xcc,
-	0xc9, 0x36, 0x0a, 0x23, 0xca, 0x29, 0x5c, 0xca, 0x21, 0x28, 0x83, 0x20, 0x1c, 0xba, 0x48, 0x42,
-	0x50, 0xa7, 0x5e, 0xbd, 0x32, 0xc0, 0xda, 0xa4, 0x4d, 0x6a, 0x4a, 0x64, 0x23, 0xde, 0x91, 0x2b,
-	0xb9, 0x90, 0x4f, 0x29, 0x63, 0xd5, 0x68, 0xaf, 0x32, 0xe4, 0x52, 0x29, 0xeb, 0xd0, 0x88, 0x0c,
-	0x51, 0xad, 0x5e, 0xcf, 0xf7, 0xf8, 0xd8, 0x69, 0xb9, 0x01, 0x89, 0xba, 0x66, 0xd8, 0x6e, 0x8a,
-	0x02, 0x33, 0x7d, 0x32, 0xb4, 0xd7, 0xea, 0x8d, 0x51, 0xa8, 0x28, 0x0e, 0xb8, 0xeb, 0x13, 0x93,
-	0x39, 0x2d, 0xe2, 0xe3, 0xa3, 0x38, 0xe3, 0x4b, 0x11, 0x5c, 0x58, 0x0f, 0x43, 0xcf, 0x25, 0xdb,
-	0xf7, 0xbc, 0x98, 0x71, 0x12, 0xd9, 0x84, 0xd1, 0x38, 0x72, 0xc8, 0x33, 0x31, 0x23, 0x7c, 0x03,
-	0xa6, 0x85, 0xe4, 0x36, 0xe6, 0xb8, 0xa2, 0x2d, 0x6a, 0xcb, 0x33, 0x2b, 0x57, 0x51, 0x2a, 0x85,
-	0x06, 0xa5, 0x50, 0xd8, 0x6e, 0x8a, 0x02, 0x43, 0x62, 0x37, 0xea, 0xd4, 0xd1, 0x66, 0xe3, 0x2d,
-	0x71, 0xf8, 0x63, 0xc2, 0xb1, 0x05, 0x77, 0x0f, 0x6a, 0x85, 0xe4, 0xa0, 0x06, 0xf2, 0x9a, 0x9d,
-	0xb1, 0xc2, 0x57, 0x60, 0x92, 0x85, 0xc4, 0xa9, 0x14, 0x25, 0xfb, 0x6d, 0x74, 0xaa, 0xe9, 0x68,
-	0x58, 0xa3, 0xcf, 0x43, 0xe2, 0x58, 0xff, 0x29, 0xa1, 0x49, 0xb1, 0xb2, 0x25, 0x2d, 0x24, 0x60,
-	0x8a, 0x71, 0xcc, 0x63, 0x56, 0x99, 0x90, 0x02, 0x77, 0xce, 0x2a, 0x20, 0x49, 0xac, 0xff, 0x95,
-	0xc4, 0x54, 0xba, 0xb6, 0x15, 0xb9, 0xf1, 0x4b, 0x03, 0xb5, 0x13, 0x7c, 0xdc, 0x70, 0x19, 0x87,
-	0x5b, 0xc7, 0xbc, 0x44, 0xe3, 0x79, 0x29, 0xd0, 0xd2, 0xc9, 0x39, 0xa5, 0x3e, 0xdd, 0xaf, 0x0c,
-	0xf8, 0xe8, 0x80, 0x92, 0xcb, 0x89, 0xcf, 0x2a, 0xc5, 0xc5, 0x89, 0xe5, 0x99, 0x95, 0xb5, 0x31,
-	0xe6, 0x3c, 0xa1, 0x61, 0x6b, 0x56, 0x49, 0x95, 0x1e, 0x0a, 0x52, 0x3b, 0xe5, 0x36, 0x3e, 0x17,
-	0xc1, 0xc2, 0xbf, 0x9c, 0x9c, 0x23, 0x27, 0xdf, 0x35, 0x50, 0xf9, 0x4b, 0x01, 0xd9, 0x3a, 0x1c,
-	0x90, 0x9b, 0x67, 0x1c, 0x70, 0x44, 0x32, 0xbe, 0x16, 0xc1, 0xc5, 0xa1, 0x7e, 0x10, 0x8f, 0x38,
-	0x9c, 0x46, 0xf0, 0x35, 0x98, 0xf2, 0x70, 0x83, 0x78, 0x4c, 0x8d, 0x76, 0x6d, 0xcc, 0xd1, 0x04,
-	0xa6, 0x4f, 0x62, 0xcd, 0x27, 0x07, 0xb5, 0xd9, 0x43, 0x25, 0x5b, 0xb1, 0xc2, 0x0f, 0x1a, 0x98,
-	0xc1, 0x41, 0x40, 0x39, 0xe6, 0x2e, 0x0d, 0xfa, 0x53, 0x3e, 0x3d, 0xeb, 0x6b, 0x54, 0xf4, 0x68,
-	0x3d, 0xa7, 0xbc, 0x1f, 0xf0, 0xa8, 0x6b, 0x55, 0xd5, 0xf8, 0x30, 0xff, 0x25, 0xeb, 0x65, 0xb0,
-	0x81, 0xea, 0x1a, 0x98, 0x3b, 0x0a, 0x86, 0x73, 0x60, 0xa2, 0x4d, 0xba, 0xd2, 0x81, 0xb2, 0x2d,
-	0x1e, 0xe1, 0x02, 0x28, 0x75, 0xb0, 0x17, 0x13, 0x99, 0xeb, 0xb2, 0x9d, 0x2e, 0x6e, 0x15, 0x57,
-	0x35, 0xe3, 0xdb, 0x88, 0xa8, 0x88, 0xd0, 0x42, 0x1f, 0x4c, 0x33, 0xa5, 0xaa, 0xfc, 0xbc, 0x7b,
-	0xce, 0x49, 0xf3, 0xec, 0x64, 0xe3, 0x64, 0x12, 0xf0, 0x11, 0x28, 0x49, 0x12, 0x75, 0xfa, 0x2e,
-	0x0d, 0xbc, 0x3b, 0x24, 0xfe, 0xc8, 0x04, 0xf9, 0xf1, 0x73, 0x96, 0x25, 0x45, 0x96, 0xec, 0x94,
-	0xc2, 0xe8, 0x69, 0xa0, 0x3a, 0xfa, 0xe4, 0xc0, 0x0d, 0x50, 0xe2, 0x94, 0x63, 0x4f, 0x8d, 0x75,
-	0xf9, 0x74, 0xa9, 0xf4, 0xc4, 0x65, 0x62, 0x2f, 0x04, 0xda, 0x4e, 0x49, 0x60, 0x0c, 0x40, 0x80,
-	0x7d, 0xc2, 0x42, 0xec, 0x90, 0x7e, 0x26, 0xd6, 0xc7, 0x70, 0x6a, 0x98, 0x42, 0xf7, 0x49, 0x9f,
-	0x29, 0xbf, 0xaa, 0xb2, 0x12, 0xb3, 0x07, 0x84, 0x8c, 0x4f, 0x1a, 0xd0, 0x4f, 0xa6, 0x80, 0x26,
-	0x28, 0x67, 0x80, 0x34, 0x10, 0xd6, 0xbc, 0x62, 0x2d, 0x67, 0xbb, 0xec, 0x7c, 0x0f, 0xdc, 0xcc,
-	0x6e, 0xa8, 0xe2, 0x9f, 0x39, 0x33, 0xe2, 0x2e, 0xb2, 0x1e, 0xec, 0xf6, 0xf4, 0xc2, 0x5e, 0x4f,
-	0x2f, 0xec, 0xf7, 0xf4, 0xc2, 0xfb, 0x44, 0xd7, 0x76, 0x13, 0x5d, 0xdb, 0x4b, 0x74, 0x6d, 0x3f,
-	0xd1, 0xb5, 0x1f, 0x89, 0xae, 0x7d, 0xfc, 0xa9, 0x17, 0x5e, 0x2e, 0x9d, 0xfa, 0xe1, 0xf4, 0x3b,
-	0x00, 0x00, 0xff, 0xff, 0xda, 0x49, 0x50, 0x7b, 0x5c, 0x09, 0x00, 0x00,
-}
+func (m *ResourceQuotaStatusByNamespace) Reset() { *m = ResourceQuotaStatusByNamespace{} }
 
 func (m *AppliedClusterResourceQuota) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -543,7 +257,7 @@ func (m *ClusterResourceQuotaSelector) MarshalToSizedBuffer(dAtA []byte) (int, e
 		for k := range m.AnnotationSelector {
 			keysForAnnotationSelector = append(keysForAnnotationSelector, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotationSelector)
+		sort.Strings(keysForAnnotationSelector)
 		for iNdEx := len(keysForAnnotationSelector) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.AnnotationSelector[string(keysForAnnotationSelector[iNdEx])]
 			baseI := i
@@ -914,7 +628,7 @@ func (this *ClusterResourceQuotaSelector) String() string {
 	for k := range this.AnnotationSelector {
 		keysForAnnotationSelector = append(keysForAnnotationSelector, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotationSelector)
+	sort.Strings(keysForAnnotationSelector)
 	mapStringForAnnotationSelector := "map[string]string{"
 	for _, k := range keysForAnnotationSelector {
 		mapStringForAnnotationSelector += fmt.Sprintf("%v: %v,", k, this.AnnotationSelector[k])
diff --git a/vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..6158307d76d29
--- /dev/null
+++ b/vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go
@@ -0,0 +1,22 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AppliedClusterResourceQuota) ProtoMessage() {}
+
+func (*AppliedClusterResourceQuotaList) ProtoMessage() {}
+
+func (*ClusterResourceQuota) ProtoMessage() {}
+
+func (*ClusterResourceQuotaList) ProtoMessage() {}
+
+func (*ClusterResourceQuotaSelector) ProtoMessage() {}
+
+func (*ClusterResourceQuotaSpec) ProtoMessage() {}
+
+func (*ClusterResourceQuotaStatus) ProtoMessage() {}
+
+func (*ResourceQuotaStatusByNamespace) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/route/v1/generated.pb.go b/vendor/github.com/openshift/api/route/v1/generated.pb.go
index 2adcd1cc86920..31367ac7e6622 100644
--- a/vendor/github.com/openshift/api/route/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/route/v1/generated.pb.go
@@ -8,591 +8,45 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
-
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *LocalObjectReference) Reset() { *m = LocalObjectReference{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *Route) Reset() { *m = Route{} }
 
-func (m *LocalObjectReference) Reset()      { *m = LocalObjectReference{} }
-func (*LocalObjectReference) ProtoMessage() {}
-func (*LocalObjectReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{0}
-}
-func (m *LocalObjectReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *LocalObjectReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *LocalObjectReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LocalObjectReference.Merge(m, src)
-}
-func (m *LocalObjectReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *LocalObjectReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_LocalObjectReference.DiscardUnknown(m)
-}
+func (m *RouteHTTPHeader) Reset() { *m = RouteHTTPHeader{} }
 
-var xxx_messageInfo_LocalObjectReference proto.InternalMessageInfo
+func (m *RouteHTTPHeaderActionUnion) Reset() { *m = RouteHTTPHeaderActionUnion{} }
 
-func (m *Route) Reset()      { *m = Route{} }
-func (*Route) ProtoMessage() {}
-func (*Route) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{1}
-}
-func (m *Route) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Route) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Route) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Route.Merge(m, src)
-}
-func (m *Route) XXX_Size() int {
-	return m.Size()
-}
-func (m *Route) XXX_DiscardUnknown() {
-	xxx_messageInfo_Route.DiscardUnknown(m)
-}
+func (m *RouteHTTPHeaderActions) Reset() { *m = RouteHTTPHeaderActions{} }
 
-var xxx_messageInfo_Route proto.InternalMessageInfo
+func (m *RouteHTTPHeaders) Reset() { *m = RouteHTTPHeaders{} }
 
-func (m *RouteHTTPHeader) Reset()      { *m = RouteHTTPHeader{} }
-func (*RouteHTTPHeader) ProtoMessage() {}
-func (*RouteHTTPHeader) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{2}
-}
-func (m *RouteHTTPHeader) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteHTTPHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteHTTPHeader) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteHTTPHeader.Merge(m, src)
-}
-func (m *RouteHTTPHeader) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteHTTPHeader) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteHTTPHeader.DiscardUnknown(m)
-}
+func (m *RouteIngress) Reset() { *m = RouteIngress{} }
 
-var xxx_messageInfo_RouteHTTPHeader proto.InternalMessageInfo
+func (m *RouteIngressCondition) Reset() { *m = RouteIngressCondition{} }
 
-func (m *RouteHTTPHeaderActionUnion) Reset()      { *m = RouteHTTPHeaderActionUnion{} }
-func (*RouteHTTPHeaderActionUnion) ProtoMessage() {}
-func (*RouteHTTPHeaderActionUnion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{3}
-}
-func (m *RouteHTTPHeaderActionUnion) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteHTTPHeaderActionUnion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteHTTPHeaderActionUnion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteHTTPHeaderActionUnion.Merge(m, src)
-}
-func (m *RouteHTTPHeaderActionUnion) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteHTTPHeaderActionUnion) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteHTTPHeaderActionUnion.DiscardUnknown(m)
-}
+func (m *RouteList) Reset() { *m = RouteList{} }
 
-var xxx_messageInfo_RouteHTTPHeaderActionUnion proto.InternalMessageInfo
+func (m *RoutePort) Reset() { *m = RoutePort{} }
 
-func (m *RouteHTTPHeaderActions) Reset()      { *m = RouteHTTPHeaderActions{} }
-func (*RouteHTTPHeaderActions) ProtoMessage() {}
-func (*RouteHTTPHeaderActions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{4}
-}
-func (m *RouteHTTPHeaderActions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteHTTPHeaderActions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteHTTPHeaderActions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteHTTPHeaderActions.Merge(m, src)
-}
-func (m *RouteHTTPHeaderActions) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteHTTPHeaderActions) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteHTTPHeaderActions.DiscardUnknown(m)
-}
+func (m *RouteSetHTTPHeader) Reset() { *m = RouteSetHTTPHeader{} }
 
-var xxx_messageInfo_RouteHTTPHeaderActions proto.InternalMessageInfo
-
-func (m *RouteHTTPHeaders) Reset()      { *m = RouteHTTPHeaders{} }
-func (*RouteHTTPHeaders) ProtoMessage() {}
-func (*RouteHTTPHeaders) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{5}
-}
-func (m *RouteHTTPHeaders) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteHTTPHeaders) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteHTTPHeaders) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteHTTPHeaders.Merge(m, src)
-}
-func (m *RouteHTTPHeaders) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteHTTPHeaders) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteHTTPHeaders.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteHTTPHeaders proto.InternalMessageInfo
-
-func (m *RouteIngress) Reset()      { *m = RouteIngress{} }
-func (*RouteIngress) ProtoMessage() {}
-func (*RouteIngress) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{6}
-}
-func (m *RouteIngress) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteIngress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteIngress) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteIngress.Merge(m, src)
-}
-func (m *RouteIngress) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteIngress) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteIngress.DiscardUnknown(m)
-}
+func (m *RouteSpec) Reset() { *m = RouteSpec{} }
 
-var xxx_messageInfo_RouteIngress proto.InternalMessageInfo
+func (m *RouteStatus) Reset() { *m = RouteStatus{} }
 
-func (m *RouteIngressCondition) Reset()      { *m = RouteIngressCondition{} }
-func (*RouteIngressCondition) ProtoMessage() {}
-func (*RouteIngressCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{7}
-}
-func (m *RouteIngressCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteIngressCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteIngressCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteIngressCondition.Merge(m, src)
-}
-func (m *RouteIngressCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteIngressCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteIngressCondition.DiscardUnknown(m)
-}
+func (m *RouteTargetReference) Reset() { *m = RouteTargetReference{} }
 
-var xxx_messageInfo_RouteIngressCondition proto.InternalMessageInfo
+func (m *RouterShard) Reset() { *m = RouterShard{} }
 
-func (m *RouteList) Reset()      { *m = RouteList{} }
-func (*RouteList) ProtoMessage() {}
-func (*RouteList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{8}
-}
-func (m *RouteList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteList.Merge(m, src)
-}
-func (m *RouteList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteList proto.InternalMessageInfo
-
-func (m *RoutePort) Reset()      { *m = RoutePort{} }
-func (*RoutePort) ProtoMessage() {}
-func (*RoutePort) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{9}
-}
-func (m *RoutePort) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RoutePort) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RoutePort) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RoutePort.Merge(m, src)
-}
-func (m *RoutePort) XXX_Size() int {
-	return m.Size()
-}
-func (m *RoutePort) XXX_DiscardUnknown() {
-	xxx_messageInfo_RoutePort.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RoutePort proto.InternalMessageInfo
-
-func (m *RouteSetHTTPHeader) Reset()      { *m = RouteSetHTTPHeader{} }
-func (*RouteSetHTTPHeader) ProtoMessage() {}
-func (*RouteSetHTTPHeader) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{10}
-}
-func (m *RouteSetHTTPHeader) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteSetHTTPHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteSetHTTPHeader) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteSetHTTPHeader.Merge(m, src)
-}
-func (m *RouteSetHTTPHeader) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteSetHTTPHeader) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteSetHTTPHeader.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteSetHTTPHeader proto.InternalMessageInfo
-
-func (m *RouteSpec) Reset()      { *m = RouteSpec{} }
-func (*RouteSpec) ProtoMessage() {}
-func (*RouteSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{11}
-}
-func (m *RouteSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteSpec.Merge(m, src)
-}
-func (m *RouteSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteSpec proto.InternalMessageInfo
-
-func (m *RouteStatus) Reset()      { *m = RouteStatus{} }
-func (*RouteStatus) ProtoMessage() {}
-func (*RouteStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{12}
-}
-func (m *RouteStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteStatus.Merge(m, src)
-}
-func (m *RouteStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteStatus proto.InternalMessageInfo
-
-func (m *RouteTargetReference) Reset()      { *m = RouteTargetReference{} }
-func (*RouteTargetReference) ProtoMessage() {}
-func (*RouteTargetReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{13}
-}
-func (m *RouteTargetReference) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouteTargetReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouteTargetReference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouteTargetReference.Merge(m, src)
-}
-func (m *RouteTargetReference) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouteTargetReference) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouteTargetReference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouteTargetReference proto.InternalMessageInfo
-
-func (m *RouterShard) Reset()      { *m = RouterShard{} }
-func (*RouterShard) ProtoMessage() {}
-func (*RouterShard) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{14}
-}
-func (m *RouterShard) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RouterShard) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RouterShard) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RouterShard.Merge(m, src)
-}
-func (m *RouterShard) XXX_Size() int {
-	return m.Size()
-}
-func (m *RouterShard) XXX_DiscardUnknown() {
-	xxx_messageInfo_RouterShard.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RouterShard proto.InternalMessageInfo
-
-func (m *TLSConfig) Reset()      { *m = TLSConfig{} }
-func (*TLSConfig) ProtoMessage() {}
-func (*TLSConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_373b8fa7ff738721, []int{15}
-}
-func (m *TLSConfig) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TLSConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TLSConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TLSConfig.Merge(m, src)
-}
-func (m *TLSConfig) XXX_Size() int {
-	return m.Size()
-}
-func (m *TLSConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_TLSConfig.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TLSConfig proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*LocalObjectReference)(nil), "github.com.openshift.api.route.v1.LocalObjectReference")
-	proto.RegisterType((*Route)(nil), "github.com.openshift.api.route.v1.Route")
-	proto.RegisterType((*RouteHTTPHeader)(nil), "github.com.openshift.api.route.v1.RouteHTTPHeader")
-	proto.RegisterType((*RouteHTTPHeaderActionUnion)(nil), "github.com.openshift.api.route.v1.RouteHTTPHeaderActionUnion")
-	proto.RegisterType((*RouteHTTPHeaderActions)(nil), "github.com.openshift.api.route.v1.RouteHTTPHeaderActions")
-	proto.RegisterType((*RouteHTTPHeaders)(nil), "github.com.openshift.api.route.v1.RouteHTTPHeaders")
-	proto.RegisterType((*RouteIngress)(nil), "github.com.openshift.api.route.v1.RouteIngress")
-	proto.RegisterType((*RouteIngressCondition)(nil), "github.com.openshift.api.route.v1.RouteIngressCondition")
-	proto.RegisterType((*RouteList)(nil), "github.com.openshift.api.route.v1.RouteList")
-	proto.RegisterType((*RoutePort)(nil), "github.com.openshift.api.route.v1.RoutePort")
-	proto.RegisterType((*RouteSetHTTPHeader)(nil), "github.com.openshift.api.route.v1.RouteSetHTTPHeader")
-	proto.RegisterType((*RouteSpec)(nil), "github.com.openshift.api.route.v1.RouteSpec")
-	proto.RegisterType((*RouteStatus)(nil), "github.com.openshift.api.route.v1.RouteStatus")
-	proto.RegisterType((*RouteTargetReference)(nil), "github.com.openshift.api.route.v1.RouteTargetReference")
-	proto.RegisterType((*RouterShard)(nil), "github.com.openshift.api.route.v1.RouterShard")
-	proto.RegisterType((*TLSConfig)(nil), "github.com.openshift.api.route.v1.TLSConfig")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/route/v1/generated.proto", fileDescriptor_373b8fa7ff738721)
-}
-
-var fileDescriptor_373b8fa7ff738721 = []byte{
-	// 1420 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x58, 0xdd, 0x6e, 0x13, 0xc7,
-	0x17, 0xcf, 0xc6, 0x76, 0x1c, 0x8f, 0xf9, 0x1c, 0xbe, 0x4c, 0x24, 0x6c, 0xd8, 0xbf, 0xf4, 0x17,
-	0x54, 0x74, 0xdd, 0x04, 0x68, 0x41, 0x15, 0x17, 0x6c, 0x40, 0x10, 0x30, 0x21, 0x1a, 0xbb, 0xa0,
-	0x22, 0x2a, 0x75, 0xb2, 0x3b, 0xb6, 0xa7, 0xb1, 0x67, 0x97, 0x99, 0x71, 0x20, 0x37, 0x15, 0x6a,
-	0x5f, 0x80, 0xde, 0xf6, 0x15, 0xaa, 0xde, 0xf7, 0x11, 0xb8, 0xe4, 0x92, 0xde, 0x58, 0x8d, 0x7b,
-	0xd9, 0x37, 0xc8, 0x55, 0x35, 0xb3, 0xe3, 0xdd, 0xb5, 0x63, 0x13, 0x07, 0xf5, 0xce, 0x7b, 0xce,
-	0xf9, 0xfd, 0xce, 0xc7, 0x9c, 0x39, 0x67, 0x12, 0xb0, 0xdc, 0xa2, 0xb2, 0xdd, 0xdb, 0x74, 0xbc,
-	0xa0, 0x5b, 0x0d, 0x42, 0xc2, 0x44, 0x9b, 0x36, 0x65, 0x15, 0x87, 0xb4, 0xca, 0x83, 0x9e, 0x24,
-	0xd5, 0xed, 0xe5, 0x6a, 0x8b, 0x30, 0xc2, 0xb1, 0x24, 0xbe, 0x13, 0xf2, 0x40, 0x06, 0xf0, 0x52,
-	0x02, 0x71, 0x62, 0x88, 0x83, 0x43, 0xea, 0x68, 0x88, 0xb3, 0xbd, 0xbc, 0xf4, 0x79, 0x8a, 0xb5,
-	0x15, 0xb4, 0x82, 0xaa, 0x46, 0x6e, 0xf6, 0x9a, 0xfa, 0x4b, 0x7f, 0xe8, 0x5f, 0x11, 0xe3, 0x92,
-	0xbd, 0x75, 0x53, 0x38, 0x34, 0xd0, 0x6e, 0xbd, 0x80, 0x4f, 0xf2, 0xba, 0x74, 0x3d, 0xb1, 0xe9,
-	0x62, 0xaf, 0x4d, 0x19, 0xe1, 0x3b, 0xd5, 0x70, 0xab, 0xa5, 0x04, 0xa2, 0xda, 0x25, 0x12, 0x4f,
-	0x42, 0x7d, 0x39, 0x0d, 0xc5, 0x7b, 0x4c, 0xd2, 0x2e, 0xa9, 0x0a, 0xaf, 0x4d, 0xba, 0x78, 0x1f,
-	0xee, 0xda, 0x34, 0x5c, 0x4f, 0xd2, 0x4e, 0x95, 0x32, 0x29, 0x24, 0x1f, 0x07, 0xd9, 0x37, 0xc1,
-	0xe9, 0x5a, 0xe0, 0xe1, 0xce, 0x93, 0xcd, 0x1f, 0x88, 0x27, 0x11, 0x69, 0x12, 0x4e, 0x98, 0x47,
-	0xe0, 0x45, 0x90, 0x65, 0xb8, 0x4b, 0x4a, 0xd6, 0x45, 0xeb, 0x72, 0xc1, 0x3d, 0xf2, 0xae, 0x5f,
-	0x99, 0x1b, 0xf4, 0x2b, 0xd9, 0x75, 0xdc, 0x25, 0x48, 0x6b, 0xec, 0x5f, 0xe6, 0x41, 0x0e, 0xa9,
-	0xe2, 0xc1, 0xef, 0xc1, 0xa2, 0xca, 0xc5, 0xc7, 0x12, 0x6b, 0xfb, 0xe2, 0xca, 0x17, 0x4e, 0x14,
-	0x8b, 0x93, 0x8e, 0xc5, 0x09, 0xb7, 0x5a, 0x4a, 0x20, 0x1c, 0x65, 0xed, 0x6c, 0x2f, 0x3b, 0x91,
-	0xd3, 0xc7, 0x44, 0x62, 0x17, 0x1a, 0x0f, 0x20, 0x91, 0xa1, 0x98, 0x15, 0xae, 0x83, 0xac, 0x08,
-	0x89, 0x57, 0x9a, 0xd7, 0xec, 0x57, 0x9d, 0x03, 0x4f, 0xd3, 0xd1, 0x91, 0xd5, 0x43, 0xe2, 0x25,
-	0xb1, 0xab, 0x2f, 0xa4, 0x79, 0xe0, 0x53, 0xb0, 0x20, 0x24, 0x96, 0x3d, 0x51, 0xca, 0x68, 0x46,
-	0x67, 0x66, 0x46, 0x8d, 0x72, 0x8f, 0x19, 0xce, 0x85, 0xe8, 0x1b, 0x19, 0x36, 0xfb, 0x57, 0x0b,
-	0x1c, 0xd7, 0x76, 0x0f, 0x1a, 0x8d, 0x8d, 0x07, 0x04, 0xfb, 0x84, 0x1f, 0x5c, 0x49, 0x48, 0xc0,
-	0x02, 0xf6, 0x24, 0x0d, 0x98, 0xc9, 0xef, 0xf6, 0xac, 0xd1, 0x24, 0x5e, 0xee, 0x68, 0xfc, 0x37,
-	0x8c, 0x06, 0x2c, 0x09, 0x2e, 0x12, 0x22, 0x43, 0x6e, 0xff, 0x6e, 0x81, 0xa5, 0xe9, 0x30, 0x78,
-	0x1b, 0x64, 0xe5, 0x4e, 0x38, 0x8c, 0xf3, 0xca, 0x30, 0xce, 0xc6, 0x4e, 0x48, 0xf6, 0xfa, 0x95,
-	0xf3, 0x13, 0x91, 0x4a, 0x89, 0x34, 0x0c, 0x6e, 0x80, 0x8c, 0x20, 0xd2, 0x64, 0x70, 0x63, 0xe6,
-	0x7a, 0x12, 0x99, 0x70, 0xba, 0xf9, 0x41, 0xbf, 0x92, 0xa9, 0x13, 0x89, 0x14, 0x95, 0xfd, 0xa7,
-	0x05, 0xce, 0x4e, 0xf4, 0x2a, 0x54, 0xc7, 0x71, 0x22, 0xc2, 0x80, 0x09, 0x15, 0x6f, 0xe6, 0x72,
-	0x71, 0x65, 0xe5, 0xf0, 0x35, 0x73, 0x4f, 0x98, 0x1c, 0x17, 0x91, 0xe1, 0x42, 0x31, 0x2b, 0xfc,
-	0x0e, 0xe4, 0x39, 0x79, 0xd9, 0x23, 0x42, 0xa5, 0xf4, 0xa9, 0x0e, 0x8e, 0x1b, 0x07, 0x79, 0x14,
-	0x51, 0xa1, 0x21, 0xa7, 0xfd, 0x1a, 0x9c, 0x18, 0x33, 0x16, 0xd0, 0x07, 0xf9, 0xe8, 0xa4, 0x84,
-	0xb9, 0x45, 0xb7, 0x3e, 0xb5, 0x0f, 0x44, 0xe2, 0xd9, 0x08, 0xd0, 0x90, 0xda, 0xfe, 0x39, 0x03,
-	0x8e, 0x68, 0xd0, 0x1a, 0x6b, 0x71, 0x22, 0x84, 0xea, 0xcf, 0x76, 0x20, 0xe4, 0x78, 0x7f, 0x3e,
-	0x08, 0x84, 0x44, 0x5a, 0x03, 0x57, 0x00, 0xd0, 0xfe, 0xb8, 0xea, 0x59, 0x7d, 0xc2, 0x85, 0xe4,
-	0xbe, 0xa2, 0x58, 0x83, 0x52, 0x56, 0xb0, 0x03, 0x80, 0x17, 0x30, 0x9f, 0x46, 0xf9, 0x64, 0x74,
-	0x09, 0x6f, 0xce, 0x9a, 0x8f, 0x09, 0x6d, 0x75, 0x48, 0x90, 0x78, 0x8b, 0x45, 0x02, 0xa5, 0xf8,
-	0x61, 0x03, 0x1c, 0x7b, 0x45, 0x3b, 0xbe, 0x87, 0xb9, 0xbf, 0x11, 0x74, 0xa8, 0xb7, 0x53, 0xca,
-	0xea, 0x28, 0xaf, 0x1a, 0xdc, 0xb1, 0x67, 0x23, 0xda, 0xbd, 0x7e, 0x05, 0x8e, 0x4a, 0x74, 0x23,
-	0x8f, 0x71, 0xc0, 0x6f, 0xc1, 0xb9, 0x28, 0xa3, 0x55, 0xcc, 0x02, 0x46, 0x3d, 0xdc, 0x51, 0x45,
-	0xd1, 0x97, 0x39, 0xa7, 0xe9, 0x2b, 0x86, 0xfe, 0x1c, 0x9a, 0x6c, 0x86, 0xa6, 0xe1, 0xed, 0x7f,
-	0xe6, 0xc1, 0x99, 0x89, 0xa9, 0xce, 0x74, 0x0d, 0xc7, 0x41, 0xa9, 0x6b, 0x58, 0x8b, 0x27, 0x5b,
-	0x74, 0x4e, 0xd7, 0x47, 0x27, 0xd5, 0x5e, 0xbf, 0x32, 0x61, 0x71, 0x39, 0x31, 0xd3, 0xe8, 0x3c,
-	0x83, 0xff, 0x07, 0x0b, 0x9c, 0x60, 0x11, 0x30, 0x3d, 0x27, 0x0b, 0xc9, 0x68, 0x41, 0x5a, 0x8a,
-	0x8c, 0x16, 0x5e, 0x01, 0xf9, 0x2e, 0x11, 0x02, 0xb7, 0x88, 0x29, 0x7c, 0xdc, 0x7f, 0x8f, 0x23,
-	0x31, 0x1a, 0xea, 0x21, 0x07, 0xb0, 0x83, 0x85, 0x6c, 0x70, 0xcc, 0x44, 0x14, 0x3c, 0x35, 0xf5,
-	0x2c, 0xae, 0x7c, 0x36, 0xdb, 0xda, 0x50, 0x08, 0xf7, 0xec, 0xa0, 0x5f, 0x81, 0xb5, 0x7d, 0x4c,
-	0x68, 0x02, 0xbb, 0xfd, 0x87, 0x05, 0x0a, 0xba, 0x70, 0x35, 0x2a, 0x24, 0x7c, 0xb1, 0x6f, 0x5d,
-	0x39, 0xb3, 0xf9, 0x55, 0x68, 0xbd, 0xac, 0xe2, 0xc1, 0x31, 0x94, 0xa4, 0x56, 0xd5, 0x63, 0x90,
-	0xa3, 0x92, 0x74, 0x85, 0x19, 0x1b, 0x97, 0x67, 0xed, 0x79, 0xf7, 0xa8, 0x21, 0xcd, 0xad, 0x29,
-	0x38, 0x8a, 0x58, 0xec, 0x97, 0x26, 0xf2, 0x8d, 0x80, 0x4b, 0xe8, 0x03, 0x20, 0x31, 0x6f, 0x11,
-	0xa9, 0xbe, 0x0e, 0x5c, 0xb5, 0x6a, 0xed, 0x3b, 0xd1, 0xda, 0x77, 0xd6, 0x98, 0x7c, 0xc2, 0xeb,
-	0x92, 0x53, 0xd6, 0x4a, 0x2e, 0x53, 0x23, 0xe6, 0x42, 0x29, 0x5e, 0xfb, 0x16, 0x80, 0xfb, 0x67,
-	0x33, 0xfc, 0x1f, 0xc8, 0x6d, 0xe3, 0x4e, 0x6f, 0xd8, 0x98, 0x71, 0xb4, 0x4f, 0x95, 0x10, 0x45,
-	0x3a, 0xfb, 0xb7, 0x9c, 0x09, 0x57, 0xed, 0xda, 0x19, 0x26, 0x4b, 0x15, 0x14, 0x44, 0x6f, 0xd3,
-	0x0f, 0xba, 0x98, 0xb2, 0xd2, 0xa2, 0x36, 0x3b, 0x69, 0xcc, 0x0a, 0xf5, 0xa1, 0x02, 0x25, 0x36,
-	0x8a, 0x32, 0xc4, 0xb2, 0x6d, 0x9a, 0x3b, 0xa6, 0xdc, 0xc0, 0xb2, 0x8d, 0xb4, 0x06, 0xd6, 0xc1,
-	0xbc, 0x0c, 0xcc, 0x5a, 0xff, 0x6a, 0xd6, 0xe2, 0x47, 0x95, 0x88, 0x5f, 0x3f, 0x2e, 0x30, 0xc4,
-	0xf3, 0x8d, 0x00, 0xcd, 0xcb, 0x00, 0xbe, 0xb1, 0xc0, 0x49, 0xdc, 0x91, 0x84, 0x33, 0x2c, 0x89,
-	0x8b, 0xbd, 0x2d, 0xc2, 0x7c, 0x51, 0xca, 0xea, 0x13, 0xfe, 0x64, 0x27, 0xe7, 0x8d, 0x93, 0x93,
-	0x77, 0xc6, 0x99, 0xd1, 0x7e, 0x67, 0xf0, 0x21, 0xc8, 0x86, 0xea, 0xd4, 0x73, 0x87, 0x7b, 0x02,
-	0xa9, 0x13, 0x75, 0x17, 0x75, 0x8d, 0xd4, 0x39, 0x6b, 0x0e, 0x78, 0x1f, 0x64, 0x64, 0x47, 0x94,
-	0x16, 0x66, 0xa6, 0x6a, 0xd4, 0xea, 0xab, 0x01, 0x6b, 0xd2, 0x56, 0xb4, 0xa2, 0x1b, 0xb5, 0x3a,
-	0x52, 0x0c, 0x13, 0xe6, 0x6e, 0xfe, 0x3f, 0x98, 0xbb, 0x4d, 0x50, 0x6c, 0x4b, 0x19, 0x9a, 0xbd,
-	0x58, 0x2a, 0xe8, 0x30, 0xaf, 0x1d, 0x7e, 0x19, 0x0a, 0xf7, 0xf8, 0xa0, 0x5f, 0x29, 0xa6, 0x04,
-	0x28, 0x4d, 0x6c, 0x53, 0x50, 0x4c, 0x3d, 0xea, 0xe0, 0x73, 0x90, 0xa7, 0xd1, 0x60, 0x35, 0x6f,
-	0x8a, 0xea, 0x21, 0xf7, 0x55, 0x32, 0xf5, 0x8c, 0x00, 0x0d, 0x09, 0xed, 0x1f, 0xc1, 0xe9, 0x49,
-	0x3d, 0xa0, 0xfa, 0x79, 0x8b, 0x32, 0x7f, 0xfc, 0x8a, 0x3c, 0xa2, 0xcc, 0x47, 0x5a, 0x13, 0x3f,
-	0x1f, 0xe7, 0xa7, 0x3e, 0x1f, 0x6d, 0xb0, 0xf0, 0x8a, 0xd0, 0x56, 0x5b, 0xea, 0xae, 0xcf, 0xb9,
-	0x40, 0x0d, 0xe8, 0x67, 0x5a, 0x82, 0x8c, 0xc6, 0x0e, 0x4c, 0xaa, 0xbc, 0xde, 0xc6, 0xdc, 0xd7,
-	0xf7, 0x4e, 0xfd, 0x58, 0x4f, 0x1e, 0xa6, 0xc9, 0xbd, 0x1b, 0x2a, 0x50, 0x62, 0xa3, 0x00, 0x3e,
-	0x13, 0xf5, 0x5e, 0xb3, 0x49, 0x5f, 0x9b, 0x50, 0x62, 0xc0, 0xdd, 0xf5, 0x7a, 0xa4, 0x40, 0x89,
-	0x8d, 0xbd, 0x9b, 0x05, 0x85, 0xb8, 0x6b, 0xe0, 0x23, 0x50, 0x94, 0x84, 0x77, 0x29, 0xc3, 0xfa,
-	0x99, 0x3b, 0xba, 0xdb, 0x8a, 0x8d, 0x44, 0xa5, 0x3a, 0xa4, 0x51, 0xab, 0xa7, 0x24, 0xba, 0x43,
-	0xd2, 0x68, 0x78, 0x03, 0x14, 0x3d, 0xc2, 0x25, 0x6d, 0x52, 0x0f, 0xcb, 0x61, 0x61, 0x4e, 0x0d,
-	0xc9, 0x56, 0x13, 0x15, 0x4a, 0xdb, 0xc1, 0x0b, 0x20, 0xb3, 0x45, 0x76, 0xcc, 0x22, 0x2b, 0x1a,
-	0xf3, 0xcc, 0x23, 0xb2, 0x83, 0x94, 0x1c, 0x7e, 0x0d, 0x8e, 0x7a, 0x38, 0x05, 0x36, 0x8b, 0xec,
-	0x8c, 0x31, 0x3c, 0xba, 0x7a, 0x27, 0xcd, 0x3c, 0x6a, 0x0b, 0x5f, 0x80, 0x92, 0x4f, 0x84, 0x34,
-	0x11, 0x8e, 0x98, 0x9a, 0xa7, 0xc2, 0x45, 0xc3, 0x53, 0xba, 0x3b, 0xc5, 0x0e, 0x4d, 0x65, 0x80,
-	0x6f, 0x2d, 0x70, 0x81, 0x32, 0x41, 0xbc, 0x1e, 0x27, 0xf7, 0xfc, 0x16, 0x49, 0x55, 0xc7, 0xdc,
-	0xba, 0x05, 0xed, 0xe3, 0xa1, 0xf1, 0x71, 0x61, 0xed, 0x63, 0xc6, 0x7b, 0xfd, 0xca, 0xa5, 0x8f,
-	0x1a, 0xe8, 0x8a, 0x7f, 0xdc, 0x21, 0xfc, 0xc9, 0x02, 0xa7, 0xc8, 0x6b, 0x3d, 0xa3, 0x3a, 0xe9,
-	0x64, 0xf3, 0x33, 0xcf, 0xdd, 0x49, 0x7f, 0x75, 0xba, 0xe7, 0x06, 0xfd, 0xca, 0xa9, 0x7b, 0xfb,
-	0x79, 0xd1, 0x24, 0x67, 0xee, 0xfd, 0x77, 0xbb, 0xe5, 0xb9, 0xf7, 0xbb, 0xe5, 0xb9, 0x0f, 0xbb,
-	0xe5, 0xb9, 0x37, 0x83, 0xb2, 0xf5, 0x6e, 0x50, 0xb6, 0xde, 0x0f, 0xca, 0xd6, 0x87, 0x41, 0xd9,
-	0xfa, 0x6b, 0x50, 0xb6, 0xde, 0xfe, 0x5d, 0x9e, 0x7b, 0x7e, 0xe9, 0xc0, 0xff, 0x16, 0xfc, 0x1b,
-	0x00, 0x00, 0xff, 0xff, 0x62, 0x5d, 0xac, 0x2e, 0x51, 0x10, 0x00, 0x00,
-}
+func (m *TLSConfig) Reset() { *m = TLSConfig{} }
 
 func (m *LocalObjectReference) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..97af0f1837513
--- /dev/null
+++ b/vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go
@@ -0,0 +1,38 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*LocalObjectReference) ProtoMessage() {}
+
+func (*Route) ProtoMessage() {}
+
+func (*RouteHTTPHeader) ProtoMessage() {}
+
+func (*RouteHTTPHeaderActionUnion) ProtoMessage() {}
+
+func (*RouteHTTPHeaderActions) ProtoMessage() {}
+
+func (*RouteHTTPHeaders) ProtoMessage() {}
+
+func (*RouteIngress) ProtoMessage() {}
+
+func (*RouteIngressCondition) ProtoMessage() {}
+
+func (*RouteList) ProtoMessage() {}
+
+func (*RoutePort) ProtoMessage() {}
+
+func (*RouteSetHTTPHeader) ProtoMessage() {}
+
+func (*RouteSpec) ProtoMessage() {}
+
+func (*RouteStatus) ProtoMessage() {}
+
+func (*RouteTargetReference) ProtoMessage() {}
+
+func (*RouterShard) ProtoMessage() {}
+
+func (*TLSConfig) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/security/v1/generated.pb.go b/vendor/github.com/openshift/api/security/v1/generated.pb.go
index e28b5958412c2..608d2f010f09f 100644
--- a/vendor/github.com/openshift/api/security/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/security/v1/generated.pb.go
@@ -8,705 +8,55 @@ import (
 
 	io "io"
 
-	proto "github.com/gogo/protobuf/proto"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *AllowedFlexVolume) Reset() { *m = AllowedFlexVolume{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *FSGroupStrategyOptions) Reset() { *m = FSGroupStrategyOptions{} }
 
-func (m *AllowedFlexVolume) Reset()      { *m = AllowedFlexVolume{} }
-func (*AllowedFlexVolume) ProtoMessage() {}
-func (*AllowedFlexVolume) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{0}
-}
-func (m *AllowedFlexVolume) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *AllowedFlexVolume) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *AllowedFlexVolume) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllowedFlexVolume.Merge(m, src)
-}
-func (m *AllowedFlexVolume) XXX_Size() int {
-	return m.Size()
-}
-func (m *AllowedFlexVolume) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllowedFlexVolume.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllowedFlexVolume proto.InternalMessageInfo
-
-func (m *FSGroupStrategyOptions) Reset()      { *m = FSGroupStrategyOptions{} }
-func (*FSGroupStrategyOptions) ProtoMessage() {}
-func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{1}
-}
-func (m *FSGroupStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *FSGroupStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *FSGroupStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FSGroupStrategyOptions.Merge(m, src)
-}
-func (m *FSGroupStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *FSGroupStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_FSGroupStrategyOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FSGroupStrategyOptions proto.InternalMessageInfo
-
-func (m *IDRange) Reset()      { *m = IDRange{} }
-func (*IDRange) ProtoMessage() {}
-func (*IDRange) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{2}
-}
-func (m *IDRange) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IDRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IDRange) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IDRange.Merge(m, src)
-}
-func (m *IDRange) XXX_Size() int {
-	return m.Size()
-}
-func (m *IDRange) XXX_DiscardUnknown() {
-	xxx_messageInfo_IDRange.DiscardUnknown(m)
-}
+func (m *IDRange) Reset() { *m = IDRange{} }
 
-var xxx_messageInfo_IDRange proto.InternalMessageInfo
+func (m *PodSecurityPolicyReview) Reset() { *m = PodSecurityPolicyReview{} }
 
-func (m *PodSecurityPolicyReview) Reset()      { *m = PodSecurityPolicyReview{} }
-func (*PodSecurityPolicyReview) ProtoMessage() {}
-func (*PodSecurityPolicyReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{3}
-}
-func (m *PodSecurityPolicyReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicyReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicyReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicyReview.Merge(m, src)
-}
-func (m *PodSecurityPolicyReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicyReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicyReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSecurityPolicyReview proto.InternalMessageInfo
+func (m *PodSecurityPolicyReviewSpec) Reset() { *m = PodSecurityPolicyReviewSpec{} }
 
-func (m *PodSecurityPolicyReviewSpec) Reset()      { *m = PodSecurityPolicyReviewSpec{} }
-func (*PodSecurityPolicyReviewSpec) ProtoMessage() {}
-func (*PodSecurityPolicyReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{4}
-}
-func (m *PodSecurityPolicyReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicyReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicyReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicyReviewSpec.Merge(m, src)
-}
-func (m *PodSecurityPolicyReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicyReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicyReviewSpec.DiscardUnknown(m)
-}
+func (m *PodSecurityPolicyReviewStatus) Reset() { *m = PodSecurityPolicyReviewStatus{} }
 
-var xxx_messageInfo_PodSecurityPolicyReviewSpec proto.InternalMessageInfo
-
-func (m *PodSecurityPolicyReviewStatus) Reset()      { *m = PodSecurityPolicyReviewStatus{} }
-func (*PodSecurityPolicyReviewStatus) ProtoMessage() {}
-func (*PodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{5}
-}
-func (m *PodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicyReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicyReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicyReviewStatus.Merge(m, src)
-}
-func (m *PodSecurityPolicyReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicyReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicyReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSecurityPolicyReviewStatus proto.InternalMessageInfo
-
-func (m *PodSecurityPolicySelfSubjectReview) Reset()      { *m = PodSecurityPolicySelfSubjectReview{} }
-func (*PodSecurityPolicySelfSubjectReview) ProtoMessage() {}
-func (*PodSecurityPolicySelfSubjectReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{6}
-}
-func (m *PodSecurityPolicySelfSubjectReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicySelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicySelfSubjectReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicySelfSubjectReview.Merge(m, src)
-}
-func (m *PodSecurityPolicySelfSubjectReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicySelfSubjectReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicySelfSubjectReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSecurityPolicySelfSubjectReview proto.InternalMessageInfo
+func (m *PodSecurityPolicySelfSubjectReview) Reset() { *m = PodSecurityPolicySelfSubjectReview{} }
 
 func (m *PodSecurityPolicySelfSubjectReviewSpec) Reset() {
 	*m = PodSecurityPolicySelfSubjectReviewSpec{}
 }
-func (*PodSecurityPolicySelfSubjectReviewSpec) ProtoMessage() {}
-func (*PodSecurityPolicySelfSubjectReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{7}
-}
-func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec.Merge(m, src)
-}
-func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicySelfSubjectReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSecurityPolicySelfSubjectReviewSpec proto.InternalMessageInfo
-
-func (m *PodSecurityPolicySubjectReview) Reset()      { *m = PodSecurityPolicySubjectReview{} }
-func (*PodSecurityPolicySubjectReview) ProtoMessage() {}
-func (*PodSecurityPolicySubjectReview) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{8}
-}
-func (m *PodSecurityPolicySubjectReview) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicySubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicySubjectReview) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicySubjectReview.Merge(m, src)
-}
-func (m *PodSecurityPolicySubjectReview) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicySubjectReview) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicySubjectReview.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PodSecurityPolicySubjectReview proto.InternalMessageInfo
-
-func (m *PodSecurityPolicySubjectReviewSpec) Reset()      { *m = PodSecurityPolicySubjectReviewSpec{} }
-func (*PodSecurityPolicySubjectReviewSpec) ProtoMessage() {}
-func (*PodSecurityPolicySubjectReviewSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{9}
-}
-func (m *PodSecurityPolicySubjectReviewSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicySubjectReviewSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicySubjectReviewSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicySubjectReviewSpec.Merge(m, src)
-}
-func (m *PodSecurityPolicySubjectReviewSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicySubjectReviewSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicySubjectReviewSpec.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_PodSecurityPolicySubjectReviewSpec proto.InternalMessageInfo
+func (m *PodSecurityPolicySubjectReview) Reset() { *m = PodSecurityPolicySubjectReview{} }
 
-func (m *PodSecurityPolicySubjectReviewStatus) Reset()      { *m = PodSecurityPolicySubjectReviewStatus{} }
-func (*PodSecurityPolicySubjectReviewStatus) ProtoMessage() {}
-func (*PodSecurityPolicySubjectReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{10}
-}
-func (m *PodSecurityPolicySubjectReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *PodSecurityPolicySubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *PodSecurityPolicySubjectReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PodSecurityPolicySubjectReviewStatus.Merge(m, src)
-}
-func (m *PodSecurityPolicySubjectReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *PodSecurityPolicySubjectReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_PodSecurityPolicySubjectReviewStatus.DiscardUnknown(m)
-}
+func (m *PodSecurityPolicySubjectReviewSpec) Reset() { *m = PodSecurityPolicySubjectReviewSpec{} }
 
-var xxx_messageInfo_PodSecurityPolicySubjectReviewStatus proto.InternalMessageInfo
+func (m *PodSecurityPolicySubjectReviewStatus) Reset() { *m = PodSecurityPolicySubjectReviewStatus{} }
 
-func (m *RangeAllocation) Reset()      { *m = RangeAllocation{} }
-func (*RangeAllocation) ProtoMessage() {}
-func (*RangeAllocation) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{11}
-}
-func (m *RangeAllocation) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RangeAllocation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RangeAllocation) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RangeAllocation.Merge(m, src)
-}
-func (m *RangeAllocation) XXX_Size() int {
-	return m.Size()
-}
-func (m *RangeAllocation) XXX_DiscardUnknown() {
-	xxx_messageInfo_RangeAllocation.DiscardUnknown(m)
-}
+func (m *RangeAllocation) Reset() { *m = RangeAllocation{} }
 
-var xxx_messageInfo_RangeAllocation proto.InternalMessageInfo
-
-func (m *RangeAllocationList) Reset()      { *m = RangeAllocationList{} }
-func (*RangeAllocationList) ProtoMessage() {}
-func (*RangeAllocationList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{12}
-}
-func (m *RangeAllocationList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RangeAllocationList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RangeAllocationList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RangeAllocationList.Merge(m, src)
-}
-func (m *RangeAllocationList) XXX_Size() int {
-	return m.Size()
-}
-func (m *RangeAllocationList) XXX_DiscardUnknown() {
-	xxx_messageInfo_RangeAllocationList.DiscardUnknown(m)
-}
+func (m *RangeAllocationList) Reset() { *m = RangeAllocationList{} }
 
-var xxx_messageInfo_RangeAllocationList proto.InternalMessageInfo
+func (m *RunAsUserStrategyOptions) Reset() { *m = RunAsUserStrategyOptions{} }
 
-func (m *RunAsUserStrategyOptions) Reset()      { *m = RunAsUserStrategyOptions{} }
-func (*RunAsUserStrategyOptions) ProtoMessage() {}
-func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{13}
-}
-func (m *RunAsUserStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *RunAsUserStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *RunAsUserStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RunAsUserStrategyOptions.Merge(m, src)
-}
-func (m *RunAsUserStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *RunAsUserStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_RunAsUserStrategyOptions.DiscardUnknown(m)
-}
+func (m *SELinuxContextStrategyOptions) Reset() { *m = SELinuxContextStrategyOptions{} }
 
-var xxx_messageInfo_RunAsUserStrategyOptions proto.InternalMessageInfo
+func (m *SecurityContextConstraints) Reset() { *m = SecurityContextConstraints{} }
 
-func (m *SELinuxContextStrategyOptions) Reset()      { *m = SELinuxContextStrategyOptions{} }
-func (*SELinuxContextStrategyOptions) ProtoMessage() {}
-func (*SELinuxContextStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{14}
-}
-func (m *SELinuxContextStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SELinuxContextStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SELinuxContextStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SELinuxContextStrategyOptions.Merge(m, src)
-}
-func (m *SELinuxContextStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *SELinuxContextStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_SELinuxContextStrategyOptions.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SELinuxContextStrategyOptions proto.InternalMessageInfo
-
-func (m *SecurityContextConstraints) Reset()      { *m = SecurityContextConstraints{} }
-func (*SecurityContextConstraints) ProtoMessage() {}
-func (*SecurityContextConstraints) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{15}
-}
-func (m *SecurityContextConstraints) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecurityContextConstraints) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecurityContextConstraints) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecurityContextConstraints.Merge(m, src)
-}
-func (m *SecurityContextConstraints) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecurityContextConstraints) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecurityContextConstraints.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SecurityContextConstraints proto.InternalMessageInfo
-
-func (m *SecurityContextConstraintsList) Reset()      { *m = SecurityContextConstraintsList{} }
-func (*SecurityContextConstraintsList) ProtoMessage() {}
-func (*SecurityContextConstraintsList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{16}
-}
-func (m *SecurityContextConstraintsList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SecurityContextConstraintsList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SecurityContextConstraintsList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SecurityContextConstraintsList.Merge(m, src)
-}
-func (m *SecurityContextConstraintsList) XXX_Size() int {
-	return m.Size()
-}
-func (m *SecurityContextConstraintsList) XXX_DiscardUnknown() {
-	xxx_messageInfo_SecurityContextConstraintsList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SecurityContextConstraintsList proto.InternalMessageInfo
+func (m *SecurityContextConstraintsList) Reset() { *m = SecurityContextConstraintsList{} }
 
 func (m *ServiceAccountPodSecurityPolicyReviewStatus) Reset() {
 	*m = ServiceAccountPodSecurityPolicyReviewStatus{}
 }
-func (*ServiceAccountPodSecurityPolicyReviewStatus) ProtoMessage() {}
-func (*ServiceAccountPodSecurityPolicyReviewStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{17}
-}
-func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus.Merge(m, src)
-}
-func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *ServiceAccountPodSecurityPolicyReviewStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ServiceAccountPodSecurityPolicyReviewStatus proto.InternalMessageInfo
-
-func (m *SupplementalGroupsStrategyOptions) Reset()      { *m = SupplementalGroupsStrategyOptions{} }
-func (*SupplementalGroupsStrategyOptions) ProtoMessage() {}
-func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_af65d9655aa67551, []int{18}
-}
-func (m *SupplementalGroupsStrategyOptions) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *SupplementalGroupsStrategyOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *SupplementalGroupsStrategyOptions) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SupplementalGroupsStrategyOptions.Merge(m, src)
-}
-func (m *SupplementalGroupsStrategyOptions) XXX_Size() int {
-	return m.Size()
-}
-func (m *SupplementalGroupsStrategyOptions) XXX_DiscardUnknown() {
-	xxx_messageInfo_SupplementalGroupsStrategyOptions.DiscardUnknown(m)
-}
 
-var xxx_messageInfo_SupplementalGroupsStrategyOptions proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*AllowedFlexVolume)(nil), "github.com.openshift.api.security.v1.AllowedFlexVolume")
-	proto.RegisterType((*FSGroupStrategyOptions)(nil), "github.com.openshift.api.security.v1.FSGroupStrategyOptions")
-	proto.RegisterType((*IDRange)(nil), "github.com.openshift.api.security.v1.IDRange")
-	proto.RegisterType((*PodSecurityPolicyReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReview")
-	proto.RegisterType((*PodSecurityPolicyReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReviewSpec")
-	proto.RegisterType((*PodSecurityPolicyReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicyReviewStatus")
-	proto.RegisterType((*PodSecurityPolicySelfSubjectReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySelfSubjectReview")
-	proto.RegisterType((*PodSecurityPolicySelfSubjectReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySelfSubjectReviewSpec")
-	proto.RegisterType((*PodSecurityPolicySubjectReview)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReview")
-	proto.RegisterType((*PodSecurityPolicySubjectReviewSpec)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewSpec")
-	proto.RegisterType((*PodSecurityPolicySubjectReviewStatus)(nil), "github.com.openshift.api.security.v1.PodSecurityPolicySubjectReviewStatus")
-	proto.RegisterType((*RangeAllocation)(nil), "github.com.openshift.api.security.v1.RangeAllocation")
-	proto.RegisterType((*RangeAllocationList)(nil), "github.com.openshift.api.security.v1.RangeAllocationList")
-	proto.RegisterType((*RunAsUserStrategyOptions)(nil), "github.com.openshift.api.security.v1.RunAsUserStrategyOptions")
-	proto.RegisterType((*SELinuxContextStrategyOptions)(nil), "github.com.openshift.api.security.v1.SELinuxContextStrategyOptions")
-	proto.RegisterType((*SecurityContextConstraints)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraints")
-	proto.RegisterType((*SecurityContextConstraintsList)(nil), "github.com.openshift.api.security.v1.SecurityContextConstraintsList")
-	proto.RegisterType((*ServiceAccountPodSecurityPolicyReviewStatus)(nil), "github.com.openshift.api.security.v1.ServiceAccountPodSecurityPolicyReviewStatus")
-	proto.RegisterType((*SupplementalGroupsStrategyOptions)(nil), "github.com.openshift.api.security.v1.SupplementalGroupsStrategyOptions")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/security/v1/generated.proto", fileDescriptor_af65d9655aa67551)
-}
-
-var fileDescriptor_af65d9655aa67551 = []byte{
-	// 1803 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x59, 0xcd, 0x6f, 0x1b, 0xc7,
-	0x15, 0xd7, 0x8a, 0xfa, 0xe2, 0x48, 0x96, 0xe4, 0x91, 0x2c, 0x4f, 0xd4, 0x98, 0x54, 0xd7, 0x6e,
-	0x60, 0xb4, 0xcd, 0x32, 0x36, 0xd2, 0xc6, 0x45, 0x1a, 0x23, 0x5c, 0x31, 0x72, 0x14, 0xc8, 0x31,
-	0x33, 0x8c, 0x82, 0x22, 0x08, 0x8a, 0x8c, 0x96, 0x43, 0x7a, 0xac, 0xe5, 0xee, 0x76, 0x67, 0x56,
-	0x16, 0xd1, 0x4b, 0x81, 0xfe, 0x03, 0x05, 0x7a, 0xef, 0xb9, 0xfd, 0x07, 0x7a, 0x29, 0xda, 0x5e,
-	0x0d, 0xb4, 0x45, 0x73, 0x2a, 0x72, 0x22, 0x6a, 0x16, 0xbd, 0xf4, 0xda, 0x9b, 0x0f, 0x45, 0x31,
-	0xc3, 0xe1, 0xc7, 0x2e, 0x77, 0xe9, 0x4d, 0x6a, 0x0b, 0xbd, 0x69, 0xdf, 0xc7, 0xef, 0xfd, 0xde,
-	0xcc, 0xbc, 0x37, 0x6f, 0x28, 0xf0, 0x66, 0x9b, 0x89, 0x87, 0xd1, 0x89, 0xe5, 0xf8, 0x9d, 0x8a,
-	0x1f, 0x50, 0x8f, 0x3f, 0x64, 0x2d, 0x51, 0x21, 0x01, 0xab, 0x70, 0xea, 0x44, 0x21, 0x13, 0xdd,
-	0xca, 0xd9, 0xad, 0x4a, 0x9b, 0x7a, 0x34, 0x24, 0x82, 0x36, 0xad, 0x20, 0xf4, 0x85, 0x0f, 0x6f,
-	0x8c, 0xbd, 0xac, 0x91, 0x97, 0x45, 0x02, 0x66, 0x0d, 0xbd, 0xac, 0xb3, 0x5b, 0xbb, 0xaf, 0x4f,
-	0x60, 0xb7, 0xfd, 0xb6, 0x5f, 0x51, 0xce, 0x27, 0x51, 0x4b, 0x7d, 0xa9, 0x0f, 0xf5, 0xd7, 0x00,
-	0x74, 0xd7, 0x3c, 0xbd, 0xc3, 0x2d, 0xe6, 0xab, 0xe0, 0x8e, 0x1f, 0xd2, 0x94, 0xc0, 0xbb, 0x6f,
-	0x8e, 0x6d, 0x3a, 0xc4, 0x79, 0xc8, 0x3c, 0x1a, 0x76, 0x2b, 0xc1, 0x69, 0x5b, 0x0a, 0x78, 0xa5,
-	0x43, 0x05, 0x49, 0xf3, 0xfa, 0x7e, 0x96, 0x57, 0x18, 0x79, 0x82, 0x75, 0x68, 0x85, 0x3b, 0x0f,
-	0x69, 0x87, 0x24, 0xfd, 0xcc, 0xb7, 0xc1, 0xe5, 0xaa, 0xeb, 0xfa, 0x8f, 0x69, 0xf3, 0xc0, 0xa5,
-	0xe7, 0x9f, 0xf8, 0x6e, 0xd4, 0xa1, 0xf0, 0x35, 0xb0, 0xd4, 0x0c, 0xd9, 0x19, 0x0d, 0x91, 0xb1,
-	0x67, 0xdc, 0x2c, 0xda, 0xeb, 0x4f, 0x7a, 0xe5, 0xb9, 0x7e, 0xaf, 0xbc, 0x54, 0x53, 0x52, 0xac,
-	0xb5, 0xe6, 0xaf, 0x0d, 0xb0, 0x73, 0xd0, 0xb8, 0x17, 0xfa, 0x51, 0xd0, 0x10, 0x12, 0xb5, 0xdd,
-	0x7d, 0x10, 0x08, 0xe6, 0x7b, 0x1c, 0xbe, 0x05, 0x16, 0x44, 0x37, 0xa0, 0x1a, 0xe0, 0xba, 0x06,
-	0x58, 0xf8, 0xb8, 0x1b, 0xd0, 0x67, 0xbd, 0xf2, 0x56, 0xc2, 0x4b, 0x8a, 0xb1, 0x72, 0x80, 0xc7,
-	0x60, 0x29, 0x24, 0x5e, 0x9b, 0x72, 0x34, 0xbf, 0x57, 0xb8, 0xb9, 0x7a, 0xfb, 0x75, 0x2b, 0xcf,
-	0x46, 0x58, 0x87, 0x35, 0x2c, 0xbd, 0xc6, 0x54, 0xd5, 0x27, 0xc7, 0x1a, 0xcc, 0xbc, 0x07, 0x96,
-	0xb5, 0x09, 0xbc, 0x06, 0x0a, 0x1d, 0xe6, 0x29, 0x66, 0x05, 0x7b, 0x55, 0xdb, 0x17, 0xee, 0x33,
-	0x0f, 0x4b, 0xb9, 0x52, 0x93, 0x73, 0x34, 0x9f, 0x50, 0x93, 0x73, 0x2c, 0xe5, 0xe6, 0x5f, 0xe6,
-	0xc1, 0xd5, 0xba, 0xdf, 0x6c, 0xe8, 0xd8, 0x75, 0xdf, 0x65, 0x4e, 0x17, 0xd3, 0x33, 0x46, 0x1f,
-	0xc3, 0xcf, 0xc1, 0x8a, 0xdc, 0x9f, 0x26, 0x11, 0x04, 0x15, 0xf6, 0x8c, 0x9b, 0xab, 0xb7, 0xdf,
-	0xb0, 0x06, 0xfb, 0x62, 0x4d, 0xee, 0x8b, 0x15, 0x9c, 0xb6, 0xa5, 0x80, 0x5b, 0xd2, 0x5a, 0xb2,
-	0x7f, 0x70, 0xf2, 0x88, 0x3a, 0xe2, 0x3e, 0x15, 0xc4, 0x86, 0x3a, 0x22, 0x18, 0xcb, 0xf0, 0x08,
-	0x15, 0x3a, 0x60, 0x81, 0x07, 0xd4, 0x51, 0xe4, 0x57, 0x6f, 0x57, 0xf3, 0xad, 0x4d, 0x06, 0xdd,
-	0x46, 0x40, 0x1d, 0x7b, 0x6d, 0xb8, 0x33, 0xf2, 0x0b, 0x2b, 0x70, 0x78, 0x0a, 0x96, 0xb8, 0x20,
-	0x22, 0xe2, 0x6a, 0x11, 0x56, 0x6f, 0xef, 0xff, 0x6f, 0x61, 0x14, 0xd4, 0x78, 0x63, 0x06, 0xdf,
-	0x58, 0x87, 0x30, 0x7f, 0x67, 0x80, 0x6f, 0xcc, 0x20, 0x08, 0x3f, 0x02, 0x2b, 0x82, 0x76, 0x02,
-	0x97, 0x08, 0xaa, 0xb3, 0xbe, 0x3e, 0xb1, 0xa6, 0x96, 0xac, 0x22, 0x1d, 0xfc, 0x63, 0x6d, 0xa6,
-	0xf2, 0xda, 0xd4, 0xe1, 0x56, 0x86, 0x52, 0x3c, 0x82, 0x81, 0x87, 0x60, 0x8b, 0xd3, 0xf0, 0x8c,
-	0x39, 0xb4, 0xea, 0x38, 0x7e, 0xe4, 0x89, 0x0f, 0x49, 0x47, 0x9f, 0xb7, 0xa2, 0x7d, 0xb5, 0xdf,
-	0x2b, 0x6f, 0x35, 0xa6, 0xd5, 0x38, 0xcd, 0xc7, 0xfc, 0x93, 0x01, 0xae, 0xcd, 0xcc, 0x1b, 0xfe,
-	0xc6, 0x00, 0x3b, 0x64, 0x50, 0x61, 0x71, 0x54, 0x8e, 0x0c, 0x75, 0xc0, 0x3f, 0xca, 0xb7, 0xba,
-	0x71, 0xe7, 0xd9, 0x6b, 0x5d, 0xd2, 0xc9, 0xef, 0x54, 0x53, 0x03, 0xe3, 0x0c, 0x42, 0xe6, 0xbf,
-	0xe6, 0x81, 0x39, 0x85, 0xdc, 0xa0, 0x6e, 0xab, 0x11, 0xa9, 0xc3, 0x78, 0x61, 0xc7, 0xdc, 0x8b,
-	0x1d, 0xf3, 0xa3, 0xaf, 0x79, 0xfe, 0xa6, 0x98, 0x67, 0x9e, 0xf8, 0x30, 0x71, 0xe2, 0x3f, 0xf8,
-	0xba, 0x11, 0x63, 0xd1, 0x66, 0x1f, 0xfc, 0x9f, 0x82, 0xd7, 0xf2, 0x31, 0x7e, 0x09, 0x25, 0x60,
-	0xf6, 0xe7, 0x41, 0x69, 0x36, 0xfb, 0x0b, 0xd8, 0xe5, 0x47, 0xb1, 0x5d, 0x7e, 0xff, 0x85, 0xac,
-	0xf9, 0xff, 0xd3, 0x0e, 0xff, 0xde, 0x48, 0x2b, 0xa7, 0x0b, 0xd8, 0x5e, 0xb8, 0x07, 0x16, 0x22,
-	0x4e, 0x43, 0x95, 0x6b, 0x71, 0xbc, 0x1e, 0xc7, 0x9c, 0x86, 0x58, 0x69, 0xa0, 0x09, 0x96, 0xda,
-	0xf2, 0x06, 0xe6, 0xa8, 0xa0, 0xda, 0x1e, 0x90, 0xfc, 0xd5, 0x9d, 0xcc, 0xb1, 0xd6, 0x98, 0xff,
-	0x36, 0xc0, 0x8d, 0x3c, 0x0b, 0x00, 0xeb, 0xa0, 0xa8, 0x3b, 0x8a, 0xdd, 0x9d, 0x95, 0xc2, 0x03,
-	0xed, 0xda, 0xa2, 0x21, 0xf5, 0x1c, 0x6a, 0x5f, 0xea, 0xf7, 0xca, 0xc5, 0xea, 0xd0, 0x13, 0x8f,
-	0x41, 0xe4, 0x04, 0x12, 0x52, 0xc2, 0x7d, 0x4f, 0xa7, 0x30, 0xbe, 0xd6, 0x95, 0x14, 0x6b, 0x6d,
-	0x6c, 0xed, 0x0a, 0x2f, 0xa6, 0x34, 0x7e, 0x6b, 0x80, 0x0d, 0x35, 0x28, 0x48, 0x62, 0x0e, 0x91,
-	0xe3, 0x4c, 0xac, 0x16, 0x8c, 0x97, 0x52, 0x0b, 0xd7, 0xc1, 0xa2, 0x9a, 0x54, 0x74, 0xbe, 0x97,
-	0xb4, 0xf1, 0xa2, 0x62, 0x82, 0x07, 0x3a, 0xf8, 0x2a, 0x58, 0x18, 0x95, 0xe3, 0x9a, 0xbd, 0x22,
-	0xb7, 0xb4, 0x46, 0x04, 0xc1, 0x4a, 0x6a, 0xfe, 0xd5, 0x00, 0x5b, 0x09, 0xe2, 0x47, 0x8c, 0x0b,
-	0xf8, 0xd9, 0x14, 0x79, 0x2b, 0x1f, 0x79, 0xe9, 0xad, 0xa8, 0x8f, 0x96, 0x6b, 0x28, 0x99, 0x20,
-	0xfe, 0x29, 0x58, 0x64, 0x82, 0x76, 0x86, 0xe3, 0xda, 0xf7, 0xf2, 0xd5, 0x55, 0x82, 0xe7, 0x38,
-	0xdf, 0x43, 0x89, 0x85, 0x07, 0x90, 0xe6, 0xdf, 0x0c, 0x80, 0x70, 0xe4, 0x55, 0xb9, 0x3c, 0xb8,
-	0xc9, 0x09, 0xf3, 0x07, 0xb1, 0x09, 0xf3, 0x5b, 0x89, 0x09, 0xf3, 0xca, 0x94, 0xdf, 0xc4, 0x8c,
-	0xf9, 0x0a, 0x28, 0x44, 0xac, 0xa9, 0x47, 0xbc, 0x65, 0x39, 0xde, 0x1d, 0x1f, 0xd6, 0xb0, 0x94,
-	0xc1, 0x5b, 0x60, 0x35, 0x62, 0x4d, 0x45, 0xef, 0x3e, 0xf3, 0xd4, 0x4a, 0x17, 0xec, 0x8d, 0x7e,
-	0xaf, 0xbc, 0x7a, 0xac, 0xe7, 0x47, 0x39, 0x28, 0x4e, 0xda, 0xc4, 0x5c, 0xc8, 0x39, 0x5a, 0x48,
-	0x71, 0x21, 0xe7, 0x78, 0xd2, 0xc6, 0xfc, 0xa3, 0x01, 0xae, 0x35, 0xde, 0x3b, 0x62, 0x5e, 0x74,
-	0xbe, 0xef, 0x7b, 0x82, 0x9e, 0x8b, 0x64, 0x76, 0x77, 0x63, 0xd9, 0x7d, 0x3b, 0x91, 0xdd, 0x6e,
-	0xba, 0xf3, 0x44, 0x8a, 0x3f, 0x06, 0xeb, 0x9c, 0x2a, 0x1b, 0x8d, 0xa8, 0xfb, 0x9e, 0x99, 0x56,
-	0x1e, 0x1a, 0x4d, 0x5b, 0xda, 0xb0, 0xdf, 0x2b, 0xaf, 0xc7, 0x65, 0x38, 0x81, 0x66, 0xfe, 0xe7,
-	0x32, 0xd8, 0x1d, 0x36, 0x06, 0xcd, 0x62, 0xdf, 0xf7, 0xb8, 0x08, 0x09, 0xf3, 0x04, 0xbf, 0x80,
-	0x82, 0xb9, 0x09, 0x56, 0x82, 0x90, 0xf9, 0x32, 0xbe, 0x4a, 0x6d, 0xd1, 0x5e, 0x93, 0x27, 0xb4,
-	0xae, 0x65, 0x78, 0xa4, 0x85, 0x9f, 0x01, 0xa4, 0x1a, 0x4b, 0x3d, 0x64, 0x67, 0xcc, 0xa5, 0x6d,
-	0xda, 0x94, 0x84, 0x89, 0x24, 0xa0, 0xf6, 0x77, 0xc5, 0xde, 0xd3, 0x91, 0x50, 0x35, 0xc3, 0x0e,
-	0x67, 0x22, 0x40, 0x0e, 0x76, 0x9a, 0xb4, 0x45, 0x22, 0x57, 0x54, 0x9b, 0xcd, 0x7d, 0x12, 0x90,
-	0x13, 0xe6, 0x32, 0xc1, 0x28, 0x47, 0x0b, 0xaa, 0xb1, 0xbe, 0x2d, 0xe7, 0xb0, 0x5a, 0xaa, 0xc5,
-	0xb3, 0x5e, 0xf9, 0xda, 0xf4, 0x83, 0xd0, 0x1a, 0x99, 0x74, 0x71, 0x06, 0x34, 0xec, 0x02, 0x14,
-	0xd2, 0x9f, 0x44, 0x2c, 0xa4, 0xcd, 0x5a, 0xe8, 0x07, 0xb1, 0xb0, 0x8b, 0x2a, 0xec, 0x3b, 0x32,
-	0x1d, 0x9c, 0x61, 0xf3, 0xfc, 0xc0, 0x99, 0xf0, 0xf0, 0x11, 0xd8, 0xd2, 0x6d, 0x3a, 0x16, 0x75,
-	0x49, 0x45, 0xbd, 0x23, 0x87, 0xe7, 0xea, 0xb4, 0xfa, 0xf9, 0x01, 0xd3, 0x40, 0x47, 0x3b, 0xf7,
-	0xbe, 0xcf, 0x45, 0x8d, 0x85, 0x83, 0xd7, 0x69, 0xdd, 0x8d, 0xda, 0xcc, 0x43, 0xcb, 0x29, 0x3b,
-	0x97, 0x62, 0x87, 0x33, 0x11, 0x60, 0x05, 0x2c, 0x9f, 0xa9, 0x6f, 0x8e, 0x56, 0x14, 0xfb, 0x2b,
-	0xfd, 0x5e, 0x79, 0x79, 0x60, 0x22, 0x19, 0x2f, 0x1d, 0x34, 0x54, 0x41, 0x0d, 0xad, 0xe0, 0xcf,
-	0x0d, 0x00, 0x49, 0xf2, 0xb1, 0xcc, 0xd1, 0x15, 0xd5, 0xf8, 0xde, 0xca, 0xd7, 0xf8, 0xa6, 0x1e,
-	0xdb, 0xf6, 0xae, 0x4e, 0x01, 0x4e, 0xa9, 0x38, 0x4e, 0x09, 0x07, 0x6b, 0x60, 0x73, 0x94, 0xd2,
-	0x87, 0x54, 0x3c, 0xf6, 0xc3, 0x53, 0x54, 0x54, 0x8b, 0x81, 0x34, 0xd2, 0x66, 0x35, 0xa1, 0xc7,
-	0x53, 0x1e, 0xf0, 0x2e, 0x58, 0x1f, 0xc9, 0xea, 0x7e, 0x28, 0x38, 0x02, 0x0a, 0x63, 0x47, 0x63,
-	0xac, 0x57, 0x63, 0x5a, 0x9c, 0xb0, 0x86, 0x77, 0xc0, 0xda, 0x58, 0x72, 0x58, 0x43, 0xab, 0xca,
-	0x7b, 0x5b, 0x7b, 0xaf, 0x55, 0x27, 0x74, 0x38, 0x66, 0x19, 0xf3, 0x3c, 0xac, 0xef, 0xa3, 0xb5,
-	0x0c, 0xcf, 0xc3, 0xfa, 0x3e, 0x8e, 0x59, 0xc2, 0xcf, 0x01, 0x94, 0xb3, 0x8b, 0x7a, 0x79, 0x05,
-	0xc4, 0xa1, 0x47, 0xf4, 0x8c, 0xba, 0x68, 0x57, 0x75, 0xc8, 0x37, 0x86, 0xab, 0x78, 0x3c, 0x65,
-	0xf1, 0xac, 0x57, 0x86, 0x71, 0x89, 0xda, 0xd6, 0x14, 0x2c, 0xd8, 0x01, 0xe5, 0x61, 0xc5, 0xc5,
-	0xea, 0xfd, 0x3d, 0xee, 0x10, 0x57, 0xdd, 0x54, 0x68, 0x47, 0xd1, 0xbd, 0xde, 0xef, 0x95, 0xcb,
-	0xb5, 0xd9, 0xa6, 0xf8, 0x79, 0x58, 0xf0, 0x47, 0xc9, 0xce, 0x34, 0x11, 0xe7, 0xaa, 0x8a, 0xf3,
-	0xea, 0x74, 0x57, 0x9a, 0x08, 0x90, 0xe9, 0x2d, 0x8f, 0xea, 0xb0, 0x63, 0xeb, 0xee, 0x8c, 0x2e,
-	0x7d, 0x95, 0xb7, 0xfc, 0xcc, 0xcb, 0x69, 0x7c, 0x48, 0xe2, 0x66, 0x38, 0x11, 0x12, 0xfa, 0xa0,
-	0x18, 0x0e, 0xaf, 0x61, 0xb4, 0xae, 0xe2, 0xdf, 0xcd, 0x39, 0x1f, 0x64, 0xdc, 0xfa, 0xf6, 0x65,
-	0x1d, 0xba, 0x38, 0xb2, 0xc0, 0xe3, 0x18, 0xf0, 0x97, 0x06, 0x80, 0x3c, 0x0a, 0x02, 0x97, 0x76,
-	0xa8, 0x27, 0x88, 0x3b, 0x18, 0x68, 0xd1, 0x86, 0x0a, 0x7d, 0x2f, 0x67, 0xea, 0x53, 0xfe, 0x49,
-	0x0e, 0xa3, 0x8a, 0x9d, 0x36, 0xc5, 0x29, 0xe1, 0x61, 0x1b, 0x2c, 0xb7, 0xb8, 0xfa, 0x1b, 0x6d,
-	0x2a, 0x26, 0x3f, 0xcc, 0xc7, 0x24, 0xfd, 0xa7, 0x35, 0x7b, 0x43, 0x87, 0x5f, 0xd6, 0x7a, 0x3c,
-	0x44, 0x87, 0x9f, 0x80, 0x9d, 0x90, 0x92, 0xe6, 0x03, 0xcf, 0xed, 0x62, 0xdf, 0x17, 0x07, 0xcc,
-	0xa5, 0xbc, 0xcb, 0x05, 0xed, 0xa0, 0xcb, 0xea, 0x34, 0x8d, 0x7e, 0x17, 0xc0, 0xa9, 0x56, 0x38,
-	0xc3, 0x1b, 0x96, 0xc1, 0xa2, 0x2c, 0x16, 0x8e, 0xa0, 0xea, 0x93, 0x45, 0x39, 0xa8, 0xc9, 0xf5,
-	0xe6, 0x78, 0x20, 0x9f, 0x78, 0x4d, 0x6c, 0x65, 0xbd, 0x26, 0xe0, 0x3b, 0x60, 0x83, 0x53, 0xc7,
-	0xf1, 0x3b, 0x41, 0x3d, 0xf4, 0x5b, 0x12, 0x1c, 0x6d, 0x2b, 0xe3, 0xad, 0x7e, 0xaf, 0xbc, 0xd1,
-	0x88, 0xab, 0x70, 0xd2, 0x16, 0x1e, 0x81, 0x6d, 0xdd, 0x0c, 0x8f, 0x3d, 0x4e, 0x5a, 0xb4, 0xd1,
-	0xe5, 0x8e, 0x70, 0x39, 0x42, 0x0a, 0x03, 0xf5, 0x7b, 0xe5, 0xed, 0x6a, 0x8a, 0x1e, 0xa7, 0x7a,
-	0xc1, 0x77, 0xc1, 0x66, 0xcb, 0x0f, 0x4f, 0x58, 0xb3, 0x49, 0xbd, 0x21, 0xd2, 0x2b, 0x0a, 0x69,
-	0x5b, 0x36, 0xd0, 0x83, 0x84, 0x0e, 0x4f, 0x59, 0x9b, 0xff, 0x34, 0x40, 0x29, 0x7b, 0x00, 0xba,
-	0x80, 0xc1, 0x9b, 0xc6, 0x07, 0xef, 0x77, 0xf3, 0xfe, 0x8c, 0x94, 0x45, 0x39, 0x63, 0x06, 0xff,
-	0xd5, 0x3c, 0xf8, 0xce, 0x57, 0xf8, 0xed, 0x09, 0xfe, 0xd9, 0x00, 0x37, 0x82, 0x1c, 0x8f, 0x46,
-	0xbd, 0x22, 0x2f, 0xf2, 0x1d, 0xfe, 0x5d, 0x9d, 0x40, 0xae, 0x47, 0x2b, 0xce, 0xc5, 0x52, 0xbe,
-	0xa4, 0x3d, 0xd2, 0xa1, 0xc9, 0x97, 0xb4, 0xbc, 0x37, 0xb0, 0xd2, 0x98, 0x7f, 0x30, 0xc0, 0x37,
-	0x9f, 0xdb, 0x33, 0xa0, 0x1d, 0x9b, 0xe7, 0xad, 0xc4, 0x3c, 0x5f, 0xca, 0x06, 0x78, 0xe9, 0x3f,
-	0x8d, 0xdb, 0x1f, 0x3c, 0x79, 0x5a, 0x9a, 0xfb, 0xe2, 0x69, 0x69, 0xee, 0xcb, 0xa7, 0xa5, 0xb9,
-	0x9f, 0xf5, 0x4b, 0xc6, 0x93, 0x7e, 0xc9, 0xf8, 0xa2, 0x5f, 0x32, 0xbe, 0xec, 0x97, 0x8c, 0xbf,
-	0xf7, 0x4b, 0xc6, 0x2f, 0xfe, 0x51, 0x9a, 0xfb, 0xf4, 0x46, 0x9e, 0xff, 0xa2, 0xfc, 0x37, 0x00,
-	0x00, 0xff, 0xff, 0xb7, 0xb2, 0xaf, 0x36, 0x6c, 0x19, 0x00, 0x00,
-}
+func (m *SupplementalGroupsStrategyOptions) Reset() { *m = SupplementalGroupsStrategyOptions{} }
 
 func (m *AllowedFlexVolume) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
diff --git a/vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..de536ddeb9af3
--- /dev/null
+++ b/vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go
@@ -0,0 +1,44 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*AllowedFlexVolume) ProtoMessage() {}
+
+func (*FSGroupStrategyOptions) ProtoMessage() {}
+
+func (*IDRange) ProtoMessage() {}
+
+func (*PodSecurityPolicyReview) ProtoMessage() {}
+
+func (*PodSecurityPolicyReviewSpec) ProtoMessage() {}
+
+func (*PodSecurityPolicyReviewStatus) ProtoMessage() {}
+
+func (*PodSecurityPolicySelfSubjectReview) ProtoMessage() {}
+
+func (*PodSecurityPolicySelfSubjectReviewSpec) ProtoMessage() {}
+
+func (*PodSecurityPolicySubjectReview) ProtoMessage() {}
+
+func (*PodSecurityPolicySubjectReviewSpec) ProtoMessage() {}
+
+func (*PodSecurityPolicySubjectReviewStatus) ProtoMessage() {}
+
+func (*RangeAllocation) ProtoMessage() {}
+
+func (*RangeAllocationList) ProtoMessage() {}
+
+func (*RunAsUserStrategyOptions) ProtoMessage() {}
+
+func (*SELinuxContextStrategyOptions) ProtoMessage() {}
+
+func (*SecurityContextConstraints) ProtoMessage() {}
+
+func (*SecurityContextConstraintsList) ProtoMessage() {}
+
+func (*ServiceAccountPodSecurityPolicyReviewStatus) ProtoMessage() {}
+
+func (*SupplementalGroupsStrategyOptions) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/template/v1/generated.pb.go b/vendor/github.com/openshift/api/template/v1/generated.pb.go
index df724d89d451a..52d46eaa9266f 100644
--- a/vendor/github.com/openshift/api/template/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/template/v1/generated.pb.go
@@ -7,526 +7,44 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
 	k8s_io_api_core_v1 "k8s.io/api/core/v1"
 	v11 "k8s.io/api/core/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *BrokerTemplateInstance) Reset() { *m = BrokerTemplateInstance{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *BrokerTemplateInstanceList) Reset() { *m = BrokerTemplateInstanceList{} }
 
-func (m *BrokerTemplateInstance) Reset()      { *m = BrokerTemplateInstance{} }
-func (*BrokerTemplateInstance) ProtoMessage() {}
-func (*BrokerTemplateInstance) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{0}
-}
-func (m *BrokerTemplateInstance) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BrokerTemplateInstance) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BrokerTemplateInstance) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BrokerTemplateInstance.Merge(m, src)
-}
-func (m *BrokerTemplateInstance) XXX_Size() int {
-	return m.Size()
-}
-func (m *BrokerTemplateInstance) XXX_DiscardUnknown() {
-	xxx_messageInfo_BrokerTemplateInstance.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BrokerTemplateInstance proto.InternalMessageInfo
-
-func (m *BrokerTemplateInstanceList) Reset()      { *m = BrokerTemplateInstanceList{} }
-func (*BrokerTemplateInstanceList) ProtoMessage() {}
-func (*BrokerTemplateInstanceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{1}
-}
-func (m *BrokerTemplateInstanceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BrokerTemplateInstanceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BrokerTemplateInstanceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BrokerTemplateInstanceList.Merge(m, src)
-}
-func (m *BrokerTemplateInstanceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *BrokerTemplateInstanceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_BrokerTemplateInstanceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BrokerTemplateInstanceList proto.InternalMessageInfo
-
-func (m *BrokerTemplateInstanceSpec) Reset()      { *m = BrokerTemplateInstanceSpec{} }
-func (*BrokerTemplateInstanceSpec) ProtoMessage() {}
-func (*BrokerTemplateInstanceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{2}
-}
-func (m *BrokerTemplateInstanceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *BrokerTemplateInstanceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *BrokerTemplateInstanceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BrokerTemplateInstanceSpec.Merge(m, src)
-}
-func (m *BrokerTemplateInstanceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *BrokerTemplateInstanceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_BrokerTemplateInstanceSpec.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BrokerTemplateInstanceSpec proto.InternalMessageInfo
-
-func (m *ExtraValue) Reset()      { *m = ExtraValue{} }
-func (*ExtraValue) ProtoMessage() {}
-func (*ExtraValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{3}
-}
-func (m *ExtraValue) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *ExtraValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *ExtraValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ExtraValue.Merge(m, src)
-}
-func (m *ExtraValue) XXX_Size() int {
-	return m.Size()
-}
-func (m *ExtraValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_ExtraValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
-
-func (m *Parameter) Reset()      { *m = Parameter{} }
-func (*Parameter) ProtoMessage() {}
-func (*Parameter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{4}
-}
-func (m *Parameter) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Parameter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Parameter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Parameter.Merge(m, src)
-}
-func (m *Parameter) XXX_Size() int {
-	return m.Size()
-}
-func (m *Parameter) XXX_DiscardUnknown() {
-	xxx_messageInfo_Parameter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Parameter proto.InternalMessageInfo
-
-func (m *Template) Reset()      { *m = Template{} }
-func (*Template) ProtoMessage() {}
-func (*Template) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{5}
-}
-func (m *Template) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Template) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Template) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Template.Merge(m, src)
-}
-func (m *Template) XXX_Size() int {
-	return m.Size()
-}
-func (m *Template) XXX_DiscardUnknown() {
-	xxx_messageInfo_Template.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Template proto.InternalMessageInfo
-
-func (m *TemplateInstance) Reset()      { *m = TemplateInstance{} }
-func (*TemplateInstance) ProtoMessage() {}
-func (*TemplateInstance) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{6}
-}
-func (m *TemplateInstance) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstance) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstance) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstance.Merge(m, src)
-}
-func (m *TemplateInstance) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstance) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstance.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TemplateInstance proto.InternalMessageInfo
+func (m *BrokerTemplateInstanceSpec) Reset() { *m = BrokerTemplateInstanceSpec{} }
 
-func (m *TemplateInstanceCondition) Reset()      { *m = TemplateInstanceCondition{} }
-func (*TemplateInstanceCondition) ProtoMessage() {}
-func (*TemplateInstanceCondition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{7}
-}
-func (m *TemplateInstanceCondition) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceCondition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceCondition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceCondition.Merge(m, src)
-}
-func (m *TemplateInstanceCondition) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceCondition) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceCondition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TemplateInstanceCondition proto.InternalMessageInfo
-
-func (m *TemplateInstanceList) Reset()      { *m = TemplateInstanceList{} }
-func (*TemplateInstanceList) ProtoMessage() {}
-func (*TemplateInstanceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{8}
-}
-func (m *TemplateInstanceList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceList.Merge(m, src)
-}
-func (m *TemplateInstanceList) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceList) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TemplateInstanceList proto.InternalMessageInfo
-
-func (m *TemplateInstanceObject) Reset()      { *m = TemplateInstanceObject{} }
-func (*TemplateInstanceObject) ProtoMessage() {}
-func (*TemplateInstanceObject) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{9}
-}
-func (m *TemplateInstanceObject) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceObject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceObject) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceObject.Merge(m, src)
-}
-func (m *TemplateInstanceObject) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceObject) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceObject.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TemplateInstanceObject proto.InternalMessageInfo
-
-func (m *TemplateInstanceRequester) Reset()      { *m = TemplateInstanceRequester{} }
-func (*TemplateInstanceRequester) ProtoMessage() {}
-func (*TemplateInstanceRequester) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{10}
-}
-func (m *TemplateInstanceRequester) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceRequester) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceRequester) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceRequester.Merge(m, src)
-}
-func (m *TemplateInstanceRequester) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceRequester) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceRequester.DiscardUnknown(m)
-}
+func (m *ExtraValue) Reset() { *m = ExtraValue{} }
 
-var xxx_messageInfo_TemplateInstanceRequester proto.InternalMessageInfo
+func (m *Parameter) Reset() { *m = Parameter{} }
 
-func (m *TemplateInstanceSpec) Reset()      { *m = TemplateInstanceSpec{} }
-func (*TemplateInstanceSpec) ProtoMessage() {}
-func (*TemplateInstanceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{11}
-}
-func (m *TemplateInstanceSpec) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceSpec) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceSpec.Merge(m, src)
-}
-func (m *TemplateInstanceSpec) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceSpec) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceSpec.DiscardUnknown(m)
-}
+func (m *Template) Reset() { *m = Template{} }
 
-var xxx_messageInfo_TemplateInstanceSpec proto.InternalMessageInfo
+func (m *TemplateInstance) Reset() { *m = TemplateInstance{} }
 
-func (m *TemplateInstanceStatus) Reset()      { *m = TemplateInstanceStatus{} }
-func (*TemplateInstanceStatus) ProtoMessage() {}
-func (*TemplateInstanceStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{12}
-}
-func (m *TemplateInstanceStatus) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateInstanceStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateInstanceStatus) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateInstanceStatus.Merge(m, src)
-}
-func (m *TemplateInstanceStatus) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateInstanceStatus) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateInstanceStatus.DiscardUnknown(m)
-}
+func (m *TemplateInstanceCondition) Reset() { *m = TemplateInstanceCondition{} }
 
-var xxx_messageInfo_TemplateInstanceStatus proto.InternalMessageInfo
+func (m *TemplateInstanceList) Reset() { *m = TemplateInstanceList{} }
 
-func (m *TemplateList) Reset()      { *m = TemplateList{} }
-func (*TemplateList) ProtoMessage() {}
-func (*TemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_8d3ee9f55fa8363e, []int{13}
-}
-func (m *TemplateList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *TemplateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *TemplateList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemplateList.Merge(m, src)
-}
-func (m *TemplateList) XXX_Size() int {
-	return m.Size()
-}
-func (m *TemplateList) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemplateList.DiscardUnknown(m)
-}
+func (m *TemplateInstanceObject) Reset() { *m = TemplateInstanceObject{} }
 
-var xxx_messageInfo_TemplateList proto.InternalMessageInfo
+func (m *TemplateInstanceRequester) Reset() { *m = TemplateInstanceRequester{} }
 
-func init() {
-	proto.RegisterType((*BrokerTemplateInstance)(nil), "github.com.openshift.api.template.v1.BrokerTemplateInstance")
-	proto.RegisterType((*BrokerTemplateInstanceList)(nil), "github.com.openshift.api.template.v1.BrokerTemplateInstanceList")
-	proto.RegisterType((*BrokerTemplateInstanceSpec)(nil), "github.com.openshift.api.template.v1.BrokerTemplateInstanceSpec")
-	proto.RegisterType((*ExtraValue)(nil), "github.com.openshift.api.template.v1.ExtraValue")
-	proto.RegisterType((*Parameter)(nil), "github.com.openshift.api.template.v1.Parameter")
-	proto.RegisterType((*Template)(nil), "github.com.openshift.api.template.v1.Template")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.template.v1.Template.LabelsEntry")
-	proto.RegisterType((*TemplateInstance)(nil), "github.com.openshift.api.template.v1.TemplateInstance")
-	proto.RegisterType((*TemplateInstanceCondition)(nil), "github.com.openshift.api.template.v1.TemplateInstanceCondition")
-	proto.RegisterType((*TemplateInstanceList)(nil), "github.com.openshift.api.template.v1.TemplateInstanceList")
-	proto.RegisterType((*TemplateInstanceObject)(nil), "github.com.openshift.api.template.v1.TemplateInstanceObject")
-	proto.RegisterType((*TemplateInstanceRequester)(nil), "github.com.openshift.api.template.v1.TemplateInstanceRequester")
-	proto.RegisterMapType((map[string]ExtraValue)(nil), "github.com.openshift.api.template.v1.TemplateInstanceRequester.ExtraEntry")
-	proto.RegisterType((*TemplateInstanceSpec)(nil), "github.com.openshift.api.template.v1.TemplateInstanceSpec")
-	proto.RegisterType((*TemplateInstanceStatus)(nil), "github.com.openshift.api.template.v1.TemplateInstanceStatus")
-	proto.RegisterType((*TemplateList)(nil), "github.com.openshift.api.template.v1.TemplateList")
-}
+func (m *TemplateInstanceSpec) Reset() { *m = TemplateInstanceSpec{} }
 
-func init() {
-	proto.RegisterFile("github.com/openshift/api/template/v1/generated.proto", fileDescriptor_8d3ee9f55fa8363e)
-}
+func (m *TemplateInstanceStatus) Reset() { *m = TemplateInstanceStatus{} }
 
-var fileDescriptor_8d3ee9f55fa8363e = []byte{
-	// 1246 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x57, 0x4d, 0x6f, 0x5b, 0x45,
-	0x17, 0xf6, 0xf5, 0x57, 0xec, 0x71, 0xdb, 0x37, 0x9a, 0xb7, 0xaa, 0x2e, 0x96, 0x6a, 0x5b, 0xb7,
-	0x15, 0x0a, 0xa8, 0xb9, 0x26, 0x51, 0x28, 0x25, 0x42, 0x02, 0x2e, 0x49, 0xab, 0x94, 0x14, 0xd0,
-	0x24, 0x45, 0x08, 0xb2, 0x60, 0x7c, 0x3d, 0x76, 0x6e, 0xe3, 0xfb, 0xc1, 0xcc, 0x38, 0xd4, 0xbb,
-	0x2e, 0xf8, 0x01, 0x2c, 0x59, 0xf2, 0x13, 0x58, 0xb2, 0x42, 0x62, 0x97, 0x65, 0xd9, 0x75, 0x01,
-	0x16, 0x31, 0x2b, 0xfe, 0x00, 0x48, 0x65, 0x83, 0x66, 0xee, 0xdc, 0x0f, 0x7f, 0x51, 0x27, 0x95,
-	0xda, 0x9d, 0xef, 0x99, 0xf3, 0x3c, 0x67, 0xce, 0x99, 0x33, 0xcf, 0x1c, 0x83, 0x8d, 0xae, 0xc3,
-	0x0f, 0xfb, 0x2d, 0xd3, 0xf6, 0xdd, 0xa6, 0x1f, 0x10, 0x8f, 0x1d, 0x3a, 0x1d, 0xde, 0xc4, 0x81,
-	0xd3, 0xe4, 0xc4, 0x0d, 0x7a, 0x98, 0x93, 0xe6, 0xf1, 0x5a, 0xb3, 0x4b, 0x3c, 0x42, 0x31, 0x27,
-	0x6d, 0x33, 0xa0, 0x3e, 0xf7, 0xe1, 0xf5, 0x04, 0x65, 0xc6, 0x28, 0x13, 0x07, 0x8e, 0x19, 0xa1,
-	0xcc, 0xe3, 0xb5, 0xea, 0x6a, 0x8a, 0xbb, 0xeb, 0x77, 0xfd, 0xa6, 0x04, 0xb7, 0xfa, 0x1d, 0xf9,
-	0x25, 0x3f, 0xe4, 0xaf, 0x90, 0xb4, 0x6a, 0x1c, 0xdd, 0x62, 0xa6, 0xe3, 0xcb, 0xe0, 0xb6, 0x4f,
-	0x67, 0x05, 0xae, 0x6e, 0x24, 0x3e, 0x2e, 0xb6, 0x0f, 0x1d, 0x8f, 0xd0, 0x41, 0x33, 0x38, 0xea,
-	0x0a, 0x03, 0x6b, 0xba, 0x84, 0xe3, 0x59, 0xa8, 0xe6, 0x3c, 0x14, 0xed, 0x7b, 0xdc, 0x71, 0xc9,
-	0x14, 0xe0, 0xe6, 0xb3, 0x00, 0xcc, 0x3e, 0x24, 0x2e, 0x9e, 0xc4, 0x19, 0x43, 0x0d, 0x5c, 0xb1,
-	0xa8, 0x7f, 0x44, 0xe8, 0xbe, 0xaa, 0xc3, 0x8e, 0xc7, 0x38, 0xf6, 0x6c, 0x02, 0xbf, 0x04, 0x25,
-	0xb1, 0xbd, 0x36, 0xe6, 0x58, 0xd7, 0x1a, 0xda, 0x4a, 0x65, 0xfd, 0x0d, 0x33, 0x8c, 0x62, 0xa6,
-	0xa3, 0x98, 0xc1, 0x51, 0x57, 0x18, 0x98, 0x29, 0xbc, 0xcd, 0xe3, 0x35, 0xf3, 0xe3, 0xd6, 0x03,
-	0x62, 0xf3, 0x7b, 0x84, 0x63, 0x0b, 0x9e, 0x0c, 0xeb, 0x99, 0xd1, 0xb0, 0x0e, 0x12, 0x1b, 0x8a,
-	0x59, 0x61, 0x0b, 0xe4, 0x59, 0x40, 0x6c, 0x3d, 0x2b, 0xd9, 0xdf, 0x33, 0x17, 0x39, 0x23, 0x73,
-	0xf6, 0x6e, 0xf7, 0x02, 0x62, 0x5b, 0x17, 0x54, 0xb4, 0xbc, 0xf8, 0x42, 0x92, 0xdb, 0xf8, 0x4d,
-	0x03, 0xd5, 0xd9, 0x90, 0x5d, 0x87, 0x71, 0x78, 0x30, 0x95, 0xa4, 0xb9, 0x58, 0x92, 0x02, 0x2d,
-	0x53, 0x5c, 0x56, 0x41, 0x4b, 0x91, 0x25, 0x95, 0x20, 0x06, 0x05, 0x87, 0x13, 0x97, 0xe9, 0xd9,
-	0x46, 0x6e, 0xa5, 0xb2, 0xfe, 0xce, 0xf3, 0x64, 0x68, 0x5d, 0x54, 0x81, 0x0a, 0x3b, 0x82, 0x12,
-	0x85, 0xcc, 0xc6, 0x37, 0xd9, 0x79, 0xf9, 0x89, 0x22, 0x40, 0x07, 0x2c, 0xf3, 0x09, 0xbb, 0xca,
-	0xf3, 0x5a, 0x2a, 0x4f, 0x53, 0x74, 0x6f, 0x72, 0x74, 0x88, 0x74, 0x08, 0x25, 0x22, 0xa6, 0xae,
-	0x62, 0x2e, 0x4f, 0x92, 0xa3, 0x29, 0x5a, 0xf8, 0x21, 0x28, 0x32, 0x62, 0x53, 0xc2, 0xd5, 0x79,
-	0x2e, 0x14, 0xe0, 0x92, 0x0a, 0x50, 0xdc, 0x93, 0x50, 0xa4, 0x28, 0xa0, 0x09, 0x40, 0xcb, 0xf1,
-	0xda, 0x8e, 0xd7, 0xdd, 0xd9, 0x62, 0x7a, 0xae, 0x91, 0x5b, 0x29, 0x5b, 0x97, 0x44, 0x23, 0x59,
-	0xb1, 0x15, 0xa5, 0x3c, 0x8c, 0xb7, 0x00, 0xd8, 0x7e, 0xc8, 0x29, 0xfe, 0x14, 0xf7, 0xfa, 0x04,
-	0xd6, 0xa3, 0xba, 0x6b, 0x12, 0x58, 0x9e, 0xac, 0xda, 0x66, 0xe9, 0xbb, 0xef, 0xeb, 0x99, 0x47,
-	0xbf, 0x36, 0x32, 0xc6, 0x4f, 0x59, 0x50, 0xfe, 0x04, 0x53, 0xec, 0x12, 0x4e, 0x28, 0x6c, 0x80,
-	0xbc, 0x87, 0xdd, 0xb0, 0x44, 0xe5, 0xa4, 0x9f, 0x3e, 0xc2, 0x2e, 0x41, 0x72, 0x05, 0xbe, 0x09,
-	0x2a, 0x6d, 0x87, 0x05, 0x3d, 0x3c, 0x10, 0x46, 0x99, 0x6a, 0xd9, 0xfa, 0xbf, 0x72, 0xac, 0x6c,
-	0x25, 0x4b, 0x28, 0xed, 0x27, 0x61, 0x84, 0xd9, 0xd4, 0x09, 0xb8, 0xe3, 0x7b, 0x7a, 0x6e, 0x02,
-	0x96, 0x2c, 0xa1, 0xb4, 0x1f, 0xbc, 0x06, 0x0a, 0xc7, 0x22, 0x23, 0x3d, 0x2f, 0x01, 0x71, 0x0b,
-	0xc8, 0x34, 0x51, 0xb8, 0x06, 0x6f, 0x80, 0x52, 0x74, 0xad, 0xf5, 0x82, 0xf4, 0x8b, 0x7b, 0xf2,
-	0x8e, 0xb2, 0xa3, 0xd8, 0x43, 0xa4, 0xd8, 0xa1, 0xbe, 0xab, 0x17, 0xc7, 0x53, 0xbc, 0x4d, 0x7d,
-	0x17, 0xc9, 0x15, 0xc1, 0x47, 0xc9, 0x57, 0x7d, 0x87, 0x92, 0xb6, 0xbe, 0xd4, 0xd0, 0x56, 0x4a,
-	0x09, 0x1f, 0x52, 0x76, 0x14, 0x7b, 0x18, 0xff, 0xe4, 0x40, 0x29, 0xea, 0x8e, 0x17, 0xa0, 0x19,
-	0xaf, 0x81, 0x25, 0x97, 0x30, 0x86, 0xbb, 0x51, 0xed, 0xff, 0xa7, 0xdc, 0x97, 0xee, 0x85, 0x66,
-	0x14, 0xad, 0xc3, 0xcf, 0xc0, 0x92, 0x2f, 0x29, 0xc2, 0x06, 0xaa, 0xac, 0xaf, 0xce, 0xdd, 0x8b,
-	0x52, 0x49, 0x13, 0xe1, 0xaf, 0xb7, 0x1f, 0x72, 0xe2, 0x31, 0xc7, 0xf7, 0x12, 0xe6, 0x70, 0x23,
-	0x0c, 0x45, 0x74, 0xd0, 0x06, 0x20, 0x88, 0x7a, 0x86, 0xe9, 0x79, 0x49, 0xde, 0x5c, 0xec, 0x72,
-	0xc7, 0xbd, 0x96, 0xe4, 0x19, 0x9b, 0x18, 0x4a, 0xd1, 0xc2, 0x43, 0x50, 0xec, 0xe1, 0x16, 0xe9,
-	0x31, 0xbd, 0x20, 0x03, 0x6c, 0x2e, 0x16, 0x20, 0x3a, 0x0b, 0x73, 0x57, 0x82, 0xb7, 0x3d, 0x4e,
-	0x07, 0xd6, 0x65, 0x15, 0xeb, 0x42, 0x98, 0x4a, 0xb8, 0x84, 0x14, 0x7f, 0xf5, 0x6d, 0x50, 0x49,
-	0x39, 0xc3, 0x65, 0x90, 0x3b, 0x22, 0x83, 0xf0, 0x0e, 0x20, 0xf1, 0x13, 0x5e, 0x8e, 0xda, 0x50,
-	0x96, 0x5c, 0xf5, 0xdd, 0x66, 0xf6, 0x96, 0x66, 0xfc, 0x98, 0x05, 0xcb, 0x2f, 0xe1, 0xe5, 0x38,
-	0x18, 0x7b, 0x39, 0xce, 0x58, 0x99, 0x67, 0xbd, 0x19, 0xb0, 0x0d, 0x8a, 0x8c, 0x63, 0xde, 0x67,
-	0xf2, 0x9e, 0x2e, 0xac, 0xdb, 0x53, 0xfc, 0x92, 0x23, 0x25, 0x71, 0xf2, 0x1b, 0x29, 0x6e, 0xe3,
-	0xef, 0x2c, 0x78, 0x65, 0x12, 0xf2, 0x81, 0xef, 0xb5, 0x1d, 0x79, 0xf3, 0xdf, 0x07, 0x79, 0x3e,
-	0x08, 0x22, 0x25, 0x5a, 0x8d, 0x76, 0xb9, 0x3f, 0x08, 0xc8, 0xd3, 0x61, 0xfd, 0xea, 0x5c, 0xa0,
-	0x70, 0x40, 0x12, 0x0a, 0x77, 0xe3, 0x34, 0xc2, 0x9b, 0xb2, 0x31, 0xbe, 0x91, 0xa7, 0xc3, 0xfa,
-	0x8c, 0x01, 0xc6, 0x8c, 0x99, 0xc6, 0xb7, 0x0b, 0x8f, 0x01, 0xec, 0x61, 0xc6, 0xf7, 0x29, 0xf6,
-	0x58, 0x18, 0xc9, 0x71, 0x89, 0x2a, 0xd0, 0xeb, 0x8b, 0x1d, 0xaf, 0x40, 0x58, 0x55, 0xb5, 0x0b,
-	0xb8, 0x3b, 0xc5, 0x86, 0x66, 0x44, 0x80, 0xaf, 0x82, 0x22, 0x25, 0x98, 0xf9, 0x9e, 0xd2, 0xc0,
-	0xb8, 0x9c, 0x48, 0x5a, 0x91, 0x5a, 0x4d, 0x0b, 0x43, 0xe1, 0xbf, 0x85, 0xc1, 0xf8, 0x45, 0x03,
-	0x97, 0x5f, 0xc2, 0x34, 0xf0, 0xc5, 0xf8, 0x34, 0x70, 0xf3, 0x7c, 0x5d, 0x35, 0x67, 0x0e, 0x38,
-	0x00, 0x57, 0x26, 0x3d, 0xc3, 0x9b, 0x03, 0x2d, 0x90, 0xa3, 0xa4, 0x73, 0x96, 0x57, 0xbf, 0xa2,
-	0x22, 0xe4, 0x10, 0xe9, 0x20, 0x01, 0x36, 0xfe, 0x9c, 0xd1, 0xab, 0xe2, 0x2d, 0x20, 0x4c, 0xbc,
-	0x9a, 0x37, 0x40, 0xa9, 0xcf, 0x08, 0x4d, 0xbd, 0x9c, 0x71, 0x19, 0xee, 0x2b, 0x3b, 0x8a, 0x3d,
-	0xe0, 0x55, 0x90, 0xeb, 0x3b, 0x6d, 0xd5, 0x93, 0x71, 0xa8, 0xfb, 0x3b, 0x5b, 0x48, 0xd8, 0xa1,
-	0x01, 0x8a, 0x5d, 0xea, 0xf7, 0x83, 0xe8, 0xd5, 0x07, 0xe2, 0xac, 0xef, 0x48, 0x0b, 0x52, 0x2b,
-	0xd0, 0x07, 0x05, 0x22, 0x5e, 0x7b, 0x25, 0xbd, 0x77, 0xcf, 0x57, 0xc9, 0x38, 0x01, 0x53, 0x8e,
-	0x0e, 0xa1, 0x52, 0xc6, 0xd5, 0x95, 0x36, 0x14, 0xc6, 0xa9, 0x3e, 0x50, 0xe3, 0xc5, 0x3c, 0x81,
-	0xbc, 0x9d, 0x16, 0x48, 0x21, 0x77, 0x0b, 0x6d, 0x28, 0x99, 0x58, 0xd2, 0x92, 0xfa, 0x43, 0x76,
-	0xba, 0x3b, 0xe5, 0x2c, 0x77, 0x00, 0x4a, 0x11, 0x3a, 0xee, 0xce, 0x33, 0x25, 0x9e, 0x1c, 0x4b,
-	0x64, 0x41, 0x31, 0xa3, 0x54, 0x8b, 0xf4, 0xf8, 0xb6, 0x32, 0xab, 0x53, 0x76, 0x7d, 0x1b, 0xf7,
-	0x26, 0xdb, 0x05, 0xcc, 0x98, 0xdf, 0x7a, 0xa0, 0x4c, 0xa3, 0xf2, 0x2a, 0x91, 0x78, 0xf7, 0x39,
-	0x4f, 0xc9, 0xba, 0x38, 0x1a, 0xd6, 0xcb, 0xf1, 0x27, 0x4a, 0x02, 0x18, 0x7f, 0x69, 0xd3, 0xdd,
-	0x1f, 0xca, 0x17, 0x64, 0x00, 0xd8, 0x91, 0xa2, 0x85, 0xf3, 0xe0, 0xb9, 0x77, 0x12, 0x2b, 0x63,
-	0xf2, 0x38, 0xc5, 0x26, 0x86, 0x52, 0x61, 0x60, 0x37, 0x99, 0x3c, 0xce, 0x34, 0xf9, 0xcf, 0xbe,
-	0xc1, 0xf3, 0x07, 0x11, 0xe3, 0x67, 0x0d, 0x5c, 0x88, 0x40, 0x2f, 0x40, 0xc1, 0xf6, 0xc6, 0x15,
-	0xec, 0xac, 0xed, 0x37, 0x53, 0xb9, 0xac, 0xbb, 0x27, 0xa7, 0xb5, 0xcc, 0xe3, 0xd3, 0x5a, 0xe6,
-	0xc9, 0x69, 0x2d, 0xf3, 0x68, 0x54, 0xd3, 0x4e, 0x46, 0x35, 0xed, 0xf1, 0xa8, 0xa6, 0x3d, 0x19,
-	0xd5, 0xb4, 0xdf, 0x47, 0x35, 0xed, 0xdb, 0x3f, 0x6a, 0x99, 0xcf, 0xaf, 0x2f, 0xf2, 0xb7, 0xff,
-	0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xd0, 0x61, 0xc4, 0xab, 0x1d, 0x10, 0x00, 0x00,
-}
+func (m *TemplateList) Reset() { *m = TemplateList{} }
 
 func (m *BrokerTemplateInstance) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -788,7 +306,7 @@ func (m *Template) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.ObjectLabels {
 			keysForObjectLabels = append(keysForObjectLabels, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForObjectLabels)
+		sort.Strings(keysForObjectLabels)
 		for iNdEx := len(keysForObjectLabels) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.ObjectLabels[string(keysForObjectLabels[iNdEx])]
 			baseI := i
@@ -1064,7 +582,7 @@ func (m *TemplateInstanceRequester) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -1621,7 +1139,7 @@ func (this *Template) String() string {
 	for k := range this.ObjectLabels {
 		keysForObjectLabels = append(keysForObjectLabels, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForObjectLabels)
+	sort.Strings(keysForObjectLabels)
 	mapStringForObjectLabels := "map[string]string{"
 	for _, k := range keysForObjectLabels {
 		mapStringForObjectLabels += fmt.Sprintf("%v: %v,", k, this.ObjectLabels[k])
@@ -1697,7 +1215,7 @@ func (this *TemplateInstanceRequester) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]ExtraValue{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..f01e3f0f3891a
--- /dev/null
+++ b/vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go
@@ -0,0 +1,34 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*BrokerTemplateInstance) ProtoMessage() {}
+
+func (*BrokerTemplateInstanceList) ProtoMessage() {}
+
+func (*BrokerTemplateInstanceSpec) ProtoMessage() {}
+
+func (*ExtraValue) ProtoMessage() {}
+
+func (*Parameter) ProtoMessage() {}
+
+func (*Template) ProtoMessage() {}
+
+func (*TemplateInstance) ProtoMessage() {}
+
+func (*TemplateInstanceCondition) ProtoMessage() {}
+
+func (*TemplateInstanceList) ProtoMessage() {}
+
+func (*TemplateInstanceObject) ProtoMessage() {}
+
+func (*TemplateInstanceRequester) ProtoMessage() {}
+
+func (*TemplateInstanceSpec) ProtoMessage() {}
+
+func (*TemplateInstanceStatus) ProtoMessage() {}
+
+func (*TemplateList) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/api/user/v1/generated.pb.go b/vendor/github.com/openshift/api/user/v1/generated.pb.go
index 0689ed38990ea..fb671559c9622 100644
--- a/vendor/github.com/openshift/api/user/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/user/v1/generated.pb.go
@@ -7,316 +7,28 @@ import (
 	fmt "fmt"
 
 	io "io"
+	"sort"
 
-	proto "github.com/gogo/protobuf/proto"
-	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
-
-	math "math"
 	math_bits "math/bits"
 	reflect "reflect"
 	strings "strings"
 )
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+func (m *Group) Reset() { *m = Group{} }
 
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+func (m *GroupList) Reset() { *m = GroupList{} }
 
-func (m *Group) Reset()      { *m = Group{} }
-func (*Group) ProtoMessage() {}
-func (*Group) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{0}
-}
-func (m *Group) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Group) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Group) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Group.Merge(m, src)
-}
-func (m *Group) XXX_Size() int {
-	return m.Size()
-}
-func (m *Group) XXX_DiscardUnknown() {
-	xxx_messageInfo_Group.DiscardUnknown(m)
-}
+func (m *Identity) Reset() { *m = Identity{} }
 
-var xxx_messageInfo_Group proto.InternalMessageInfo
+func (m *IdentityList) Reset() { *m = IdentityList{} }
 
-func (m *GroupList) Reset()      { *m = GroupList{} }
-func (*GroupList) ProtoMessage() {}
-func (*GroupList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{1}
-}
-func (m *GroupList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *GroupList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *GroupList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GroupList.Merge(m, src)
-}
-func (m *GroupList) XXX_Size() int {
-	return m.Size()
-}
-func (m *GroupList) XXX_DiscardUnknown() {
-	xxx_messageInfo_GroupList.DiscardUnknown(m)
-}
+func (m *OptionalNames) Reset() { *m = OptionalNames{} }
 
-var xxx_messageInfo_GroupList proto.InternalMessageInfo
+func (m *User) Reset() { *m = User{} }
 
-func (m *Identity) Reset()      { *m = Identity{} }
-func (*Identity) ProtoMessage() {}
-func (*Identity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{2}
-}
-func (m *Identity) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *Identity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *Identity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Identity.Merge(m, src)
-}
-func (m *Identity) XXX_Size() int {
-	return m.Size()
-}
-func (m *Identity) XXX_DiscardUnknown() {
-	xxx_messageInfo_Identity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Identity proto.InternalMessageInfo
-
-func (m *IdentityList) Reset()      { *m = IdentityList{} }
-func (*IdentityList) ProtoMessage() {}
-func (*IdentityList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{3}
-}
-func (m *IdentityList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *IdentityList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *IdentityList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IdentityList.Merge(m, src)
-}
-func (m *IdentityList) XXX_Size() int {
-	return m.Size()
-}
-func (m *IdentityList) XXX_DiscardUnknown() {
-	xxx_messageInfo_IdentityList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IdentityList proto.InternalMessageInfo
+func (m *UserIdentityMapping) Reset() { *m = UserIdentityMapping{} }
 
-func (m *OptionalNames) Reset()      { *m = OptionalNames{} }
-func (*OptionalNames) ProtoMessage() {}
-func (*OptionalNames) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{4}
-}
-func (m *OptionalNames) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *OptionalNames) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *OptionalNames) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_OptionalNames.Merge(m, src)
-}
-func (m *OptionalNames) XXX_Size() int {
-	return m.Size()
-}
-func (m *OptionalNames) XXX_DiscardUnknown() {
-	xxx_messageInfo_OptionalNames.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_OptionalNames proto.InternalMessageInfo
-
-func (m *User) Reset()      { *m = User{} }
-func (*User) ProtoMessage() {}
-func (*User) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{5}
-}
-func (m *User) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *User) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *User) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_User.Merge(m, src)
-}
-func (m *User) XXX_Size() int {
-	return m.Size()
-}
-func (m *User) XXX_DiscardUnknown() {
-	xxx_messageInfo_User.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_User proto.InternalMessageInfo
-
-func (m *UserIdentityMapping) Reset()      { *m = UserIdentityMapping{} }
-func (*UserIdentityMapping) ProtoMessage() {}
-func (*UserIdentityMapping) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{6}
-}
-func (m *UserIdentityMapping) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserIdentityMapping) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserIdentityMapping) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserIdentityMapping.Merge(m, src)
-}
-func (m *UserIdentityMapping) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserIdentityMapping) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserIdentityMapping.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserIdentityMapping proto.InternalMessageInfo
-
-func (m *UserList) Reset()      { *m = UserList{} }
-func (*UserList) ProtoMessage() {}
-func (*UserList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ea159b02d89a1362, []int{7}
-}
-func (m *UserList) XXX_Unmarshal(b []byte) error {
-	return m.Unmarshal(b)
-}
-func (m *UserList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	b = b[:cap(b)]
-	n, err := m.MarshalToSizedBuffer(b)
-	if err != nil {
-		return nil, err
-	}
-	return b[:n], nil
-}
-func (m *UserList) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserList.Merge(m, src)
-}
-func (m *UserList) XXX_Size() int {
-	return m.Size()
-}
-func (m *UserList) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserList.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserList proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*Group)(nil), "github.com.openshift.api.user.v1.Group")
-	proto.RegisterType((*GroupList)(nil), "github.com.openshift.api.user.v1.GroupList")
-	proto.RegisterType((*Identity)(nil), "github.com.openshift.api.user.v1.Identity")
-	proto.RegisterMapType((map[string]string)(nil), "github.com.openshift.api.user.v1.Identity.ExtraEntry")
-	proto.RegisterType((*IdentityList)(nil), "github.com.openshift.api.user.v1.IdentityList")
-	proto.RegisterType((*OptionalNames)(nil), "github.com.openshift.api.user.v1.OptionalNames")
-	proto.RegisterType((*User)(nil), "github.com.openshift.api.user.v1.User")
-	proto.RegisterType((*UserIdentityMapping)(nil), "github.com.openshift.api.user.v1.UserIdentityMapping")
-	proto.RegisterType((*UserList)(nil), "github.com.openshift.api.user.v1.UserList")
-}
-
-func init() {
-	proto.RegisterFile("github.com/openshift/api/user/v1/generated.proto", fileDescriptor_ea159b02d89a1362)
-}
-
-var fileDescriptor_ea159b02d89a1362 = []byte{
-	// 726 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x3d, 0x6f, 0x13, 0x4b,
-	0x14, 0xf5, 0xc4, 0xde, 0xc8, 0x9e, 0x38, 0x4f, 0xd6, 0xbe, 0x14, 0x2b, 0x17, 0x6b, 0x6b, 0x9f,
-	0xf4, 0x88, 0x10, 0xcc, 0x26, 0x11, 0x20, 0x2b, 0xa5, 0x45, 0x82, 0x22, 0x12, 0x12, 0x46, 0xa2,
-	0x89, 0x28, 0x98, 0xd8, 0xe3, 0xf5, 0x60, 0xef, 0x87, 0x76, 0x67, 0x2d, 0xdc, 0xe5, 0x27, 0x40,
-	0x47, 0xc9, 0x9f, 0x40, 0x14, 0x88, 0x3e, 0x74, 0x29, 0x53, 0x20, 0x8b, 0x2c, 0x1d, 0xbf, 0x02,
-	0xcd, 0xec, 0x87, 0xd7, 0xf9, 0x90, 0x23, 0x21, 0xb9, 0xdb, 0xb9, 0x73, 0xcf, 0x99, 0x73, 0xcf,
-	0xbd, 0xd7, 0x32, 0xdc, 0xb0, 0x18, 0xef, 0x87, 0x27, 0xa8, 0xe3, 0xda, 0xa6, 0xeb, 0x51, 0x27,
-	0xe8, 0xb3, 0x1e, 0x37, 0x89, 0xc7, 0xcc, 0x30, 0xa0, 0xbe, 0x39, 0xda, 0x34, 0x2d, 0xea, 0x50,
-	0x9f, 0x70, 0xda, 0x45, 0x9e, 0xef, 0x72, 0x57, 0x6d, 0x4e, 0x11, 0x28, 0x43, 0x20, 0xe2, 0x31,
-	0x24, 0x10, 0x68, 0xb4, 0x59, 0x7f, 0x98, 0xe3, 0xb4, 0x5c, 0xcb, 0x35, 0x25, 0xf0, 0x24, 0xec,
-	0xc9, 0x93, 0x3c, 0xc8, 0xaf, 0x98, 0xb0, 0x6e, 0x0c, 0x5a, 0x01, 0x62, 0xae, 0x7c, 0xb4, 0xe3,
-	0xfa, 0xf4, 0x86, 0x47, 0xeb, 0x8f, 0xa6, 0x39, 0x36, 0xe9, 0xf4, 0x99, 0x43, 0xfd, 0xb1, 0xe9,
-	0x0d, 0x2c, 0x11, 0x08, 0x4c, 0x9b, 0x72, 0x72, 0x13, 0xea, 0xc9, 0x6d, 0x28, 0x3f, 0x74, 0x38,
-	0xb3, 0xa9, 0x19, 0x74, 0xfa, 0xd4, 0x26, 0x57, 0x71, 0xc6, 0x57, 0x00, 0x95, 0x67, 0xbe, 0x1b,
-	0x7a, 0xea, 0x1b, 0x58, 0x16, 0xe4, 0x5d, 0xc2, 0x89, 0x06, 0x9a, 0x60, 0x7d, 0x65, 0x6b, 0x03,
-	0xc5, 0xa4, 0x28, 0x4f, 0x8a, 0xbc, 0x81, 0x25, 0x02, 0x01, 0x12, 0xd9, 0x68, 0xb4, 0x89, 0x0e,
-	0x4f, 0xde, 0xd2, 0x0e, 0x3f, 0xa0, 0x9c, 0xb4, 0xd5, 0xb3, 0x49, 0xa3, 0x10, 0x4d, 0x1a, 0x70,
-	0x1a, 0xc3, 0x19, 0xab, 0x7a, 0x04, 0x15, 0xe1, 0x5b, 0xa0, 0x2d, 0x49, 0x7a, 0x13, 0xcd, 0xb3,
-	0x17, 0x1d, 0x7a, 0x9c, 0xb9, 0x0e, 0x19, 0xbe, 0x20, 0x36, 0x0d, 0xda, 0x95, 0x68, 0xd2, 0x50,
-	0x5e, 0x09, 0x06, 0x1c, 0x13, 0x19, 0x5f, 0x00, 0xac, 0x48, 0xf5, 0xfb, 0x2c, 0xe0, 0xea, 0xeb,
-	0x6b, 0x15, 0xa0, 0xbb, 0x55, 0x20, 0xd0, 0x52, 0x7f, 0x2d, 0xd1, 0x5f, 0x4e, 0x23, 0x39, 0xf5,
-	0xfb, 0x50, 0x61, 0x9c, 0xda, 0x42, 0x7d, 0x71, 0x7d, 0x65, 0xeb, 0xde, 0x7c, 0xf5, 0x52, 0x59,
-	0x7b, 0x35, 0xe1, 0x54, 0xf6, 0x04, 0x1a, 0xc7, 0x24, 0xc6, 0xf7, 0x22, 0x2c, 0xef, 0x75, 0xa9,
-	0xc3, 0x19, 0x1f, 0x2f, 0xc0, 0xfa, 0x16, 0xac, 0x7a, 0xbe, 0x3b, 0x62, 0x5d, 0xea, 0x0b, 0x2f,
-	0x65, 0x07, 0x2a, 0xed, 0xb5, 0x04, 0x53, 0x3d, 0xca, 0xdd, 0xe1, 0x99, 0x4c, 0xf5, 0x29, 0xac,
-	0xa5, 0x67, 0x61, 0xbd, 0x44, 0x17, 0x25, 0x5a, 0x4b, 0xd0, 0xb5, 0xa3, 0x2b, 0xf7, 0xf8, 0x1a,
-	0x42, 0xdd, 0x81, 0x25, 0xe1, 0x8a, 0x56, 0x92, 0xd5, 0xfd, 0x97, 0xab, 0x0e, 0x89, 0x3d, 0x98,
-	0xd6, 0x82, 0x69, 0x8f, 0xfa, 0xd4, 0xe9, 0xd0, 0x76, 0x35, 0xa1, 0x2f, 0x09, 0x12, 0x2c, 0xe1,
-	0xea, 0x31, 0x54, 0xe8, 0x3b, 0xee, 0x13, 0x4d, 0x91, 0x3d, 0x78, 0x3c, 0xbf, 0x07, 0xa9, 0xc7,
-	0x68, 0x47, 0xe0, 0x76, 0x1c, 0xee, 0x8f, 0xa7, 0x1d, 0x91, 0x31, 0x1c, 0x53, 0xd6, 0x5b, 0x10,
-	0x4e, 0x73, 0xd4, 0x1a, 0x2c, 0x0e, 0xe8, 0x58, 0x76, 0xa3, 0x82, 0xc5, 0xa7, 0xba, 0x06, 0x95,
-	0x11, 0x19, 0x86, 0x89, 0x77, 0x38, 0x3e, 0x6c, 0x2f, 0xb5, 0x80, 0xf1, 0x0d, 0xc0, 0x6a, 0xfa,
-	0xce, 0x02, 0x06, 0xf1, 0x70, 0x76, 0x10, 0xef, 0xdf, 0xdd, 0x84, 0x5b, 0x66, 0x71, 0x1b, 0xae,
-	0xce, 0x2c, 0x9a, 0xda, 0x48, 0x5f, 0x00, 0xcd, 0xe2, 0x7a, 0x25, 0xde, 0xbb, 0x3c, 0x62, 0xbb,
-	0xfc, 0xf1, 0x53, 0xa3, 0x70, 0xfa, 0xa3, 0x59, 0x30, 0x7e, 0x03, 0x28, 0x1b, 0xb4, 0x80, 0x19,
-	0x7e, 0x00, 0xcb, 0xbd, 0x70, 0x38, 0xcc, 0xcd, 0x6f, 0xe6, 0xd2, 0x6e, 0x12, 0xc7, 0x59, 0x86,
-	0x8a, 0x20, 0x64, 0x71, 0xd9, 0x8c, 0x06, 0x5a, 0x51, 0x16, 0xf2, 0x8f, 0xe0, 0xde, 0xcb, 0xa2,
-	0x38, 0x97, 0xa1, 0x1a, 0x70, 0xd9, 0x12, 0xfb, 0x1a, 0x68, 0x25, 0x99, 0x0b, 0xa3, 0x49, 0x63,
-	0x59, 0x6e, 0x70, 0x80, 0x93, 0x1b, 0xe3, 0xc3, 0x12, 0xfc, 0x57, 0x14, 0x9b, 0xfa, 0x79, 0x40,
-	0x3c, 0x8f, 0x39, 0xd6, 0x02, 0x6a, 0x7f, 0x09, 0xcb, 0x89, 0xd6, 0x71, 0xf2, 0xeb, 0x79, 0xa7,
-	0x1d, 0xca, 0x0c, 0x4a, 0x15, 0xe3, 0x8c, 0x26, 0x5b, 0xc9, 0xe2, 0x5f, 0xad, 0xa4, 0xf1, 0x19,
-	0xc0, 0xb2, 0x38, 0x2e, 0x60, 0xf0, 0x9f, 0xcf, 0x0e, 0xfe, 0xff, 0xf3, 0x07, 0x5f, 0x08, 0xbb,
-	0x79, 0xe8, 0xdb, 0xbb, 0x67, 0x97, 0x7a, 0xe1, 0xfc, 0x52, 0x2f, 0x5c, 0x5c, 0xea, 0x85, 0xd3,
-	0x48, 0x07, 0x67, 0x91, 0x0e, 0xce, 0x23, 0x1d, 0x5c, 0x44, 0x3a, 0xf8, 0x19, 0xe9, 0xe0, 0xfd,
-	0x2f, 0xbd, 0x70, 0xdc, 0x9c, 0xf7, 0x9f, 0xe1, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x45, 0x85,
-	0x81, 0x86, 0x56, 0x08, 0x00, 0x00,
-}
+func (m *UserList) Reset() { *m = UserList{} }
 
 func (m *Group) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
@@ -435,7 +147,7 @@ func (m *Identity) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		for k := range m.Extra {
 			keysForExtra = append(keysForExtra, string(k))
 		}
-		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		sort.Strings(keysForExtra)
 		for iNdEx := len(keysForExtra) - 1; iNdEx >= 0; iNdEx-- {
 			v := m.Extra[string(keysForExtra[iNdEx])]
 			baseI := i
@@ -920,7 +632,7 @@ func (this *Identity) String() string {
 	for k := range this.Extra {
 		keysForExtra = append(keysForExtra, k)
 	}
-	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	sort.Strings(keysForExtra)
 	mapStringForExtra := "map[string]string{"
 	for _, k := range keysForExtra {
 		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
diff --git a/vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go b/vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go
new file mode 100644
index 0000000000000..deab8656e099d
--- /dev/null
+++ b/vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go
@@ -0,0 +1,22 @@
+//go:build kubernetes_protomessage_one_more_release
+// +build kubernetes_protomessage_one_more_release
+
+// Code generated by go-to-protobuf. DO NOT EDIT.
+
+package v1
+
+func (*Group) ProtoMessage() {}
+
+func (*GroupList) ProtoMessage() {}
+
+func (*Identity) ProtoMessage() {}
+
+func (*IdentityList) ProtoMessage() {}
+
+func (*OptionalNames) ProtoMessage() {}
+
+func (*User) ProtoMessage() {}
+
+func (*UserIdentityMapping) ProtoMessage() {}
+
+func (*UserList) ProtoMessage() {}
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
index 02ceaacd4026e..1a17b1802cc85 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccadmission/admission.go
@@ -81,7 +81,7 @@ func NewConstraint() *constraint {
 // any change that claims the pod is no longer privileged will be removed.  That should hold until
 // we get a true old/new set of objects in.
 func (c *constraint) Admit(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
-	if ignore, err := shouldIgnore(a); err != nil {
+	if ignore, err := shouldSkipSCCEvaluation(a); err != nil {
 		return err
 	} else if ignore {
 		return nil
@@ -131,7 +131,7 @@ func (c *constraint) Admit(ctx context.Context, a admission.Attributes, _ admiss
 }
 
 func (c *constraint) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
-	if ignore, err := shouldIgnore(a); err != nil {
+	if ignore, err := shouldSkipSCCEvaluation(a); err != nil {
 		return err
 	} else if ignore {
 		return nil
@@ -420,7 +420,14 @@ var ignoredAnnotations = sets.NewString(
 	"k8s.ovn.org/pod-networks",
 )
 
-func shouldIgnore(a admission.Attributes) (bool, error) {
+// shouldSkipSCCEvaluation skips evaluation for:
+// - non-Pod resources,
+// - specific subresources that don't affect Pod security context (e.g., exec, attach, log),
+// - Windows Pods (SCC is not applied),
+// - update operations that only change fields like SchedulingGates or non-critical metadata.
+// If the request is malformed (e.g., object can't be cast to a Pod), it fails closed to avoid
+// bypassing security enforcement unintentionally.
+func shouldSkipSCCEvaluation(a admission.Attributes) (bool, error) {
 	if a.GetResource().GroupResource() != coreapi.Resource("pods") {
 		return true, nil
 	}
@@ -448,14 +455,17 @@ func shouldIgnore(a admission.Attributes) (bool, error) {
 			return false, admission.NewForbidden(a, fmt.Errorf("object was marked as kind pod but was unable to be converted: %v", a.GetOldObject()))
 		}
 
-		// never ignore any spec changes
-		if !kapihelper.Semantic.DeepEqual(pod.Spec, oldPod.Spec) {
+		// Create deep copies to avoid mutating the original objects
+		podWithoutSchedulingGates := pod.DeepCopy()
+		// Skip SchedulingGates when comparing specs
+		podWithoutSchedulingGates.Spec.SchedulingGates = oldPod.Spec.SchedulingGates
+		if !kapihelper.Semantic.DeepEqual(podWithoutSchedulingGates.Spec, oldPod.Spec) {
 			return false, nil
 		}
 
 		// see if we are only doing meta changes that should be ignored during admission
 		// for example, the OVN controller adds informative networking annotations that shouldn't cause the pod to go through admission again
-		if shouldIgnoreMetaChanges(pod, oldPod) {
+		if shouldIgnoreMetaChanges(podWithoutSchedulingGates, oldPod) {
 			return true, nil
 		}
 	}
@@ -463,9 +473,10 @@ func shouldIgnore(a admission.Attributes) (bool, error) {
 	return false, nil
 }
 
-func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
+// newPodCopy is expected to be a copy of the original Pod that we can safely mutate
+func shouldIgnoreMetaChanges(newPodCopy, oldPod *coreapi.Pod) bool {
 	// check if we're adding or changing only annotations from the ignore list
-	for key, newVal := range newPod.ObjectMeta.Annotations {
+	for key, newVal := range newPodCopy.ObjectMeta.Annotations {
 		if oldVal, ok := oldPod.ObjectMeta.Annotations[key]; ok && newVal == oldVal {
 			continue
 		}
@@ -477,7 +488,7 @@ func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
 
 	// check if we're removing only annotations from the ignore list
 	for key := range oldPod.ObjectMeta.Annotations {
-		if _, ok := newPod.ObjectMeta.Annotations[key]; ok {
+		if _, ok := newPodCopy.ObjectMeta.Annotations[key]; ok {
 			continue
 		}
 
@@ -486,12 +497,11 @@ func shouldIgnoreMetaChanges(newPod, oldPod *coreapi.Pod) bool {
 		}
 	}
 
-	newPodCopy := newPod.DeepCopyObject()
-	newPodCopyMeta, err := meta.Accessor(newPodCopy)
+	newPodCopyWithoutSchedulingGatesCopyMeta, err := meta.Accessor(newPodCopy)
 	if err != nil {
 		return false
 	}
-	newPodCopyMeta.SetAnnotations(oldPod.ObjectMeta.Annotations)
+	newPodCopyWithoutSchedulingGatesCopyMeta.SetAnnotations(oldPod.ObjectMeta.Annotations)
 
 	// see if we are only updating the ownerRef. Garbage collection does this
 	// and we should allow it in general, since you had the power to update and the power to delete.
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go
index 09a084483d631..2d13d95a42f7a 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go
@@ -121,7 +121,7 @@ func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kap
 
 	pod.Spec.SecurityContext = psc
 	pod.Annotations = generatedAnnotations
-	errs = append(errs, provider.ValidatePodSecurityContext(pod, fldPath.Child("spec", "securityContext"))...)
+	errs = append(errs, provider.ValidatePodSecurityContext(pod, fldPath.Child("spec"))...)
 
 	podhelpers.VisitContainersWithPath(&pod.Spec, fldPath, func(container *kapi.Container, path *field.Path) bool {
 		errs = append(errs, assignContainerSecurityContext(provider, pod, container, path)...)
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
index 6acd3913d2c2d..af865b70e9efd 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go
@@ -254,7 +254,8 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container
 }
 
 // Ensure a pod's SecurityContext is in compliance with the given constraints.
-func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList {
+func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, specPath *field.Path) field.ErrorList {
+	scPath := specPath.Child("securityContext")
 	allErrs := field.ErrorList{}
 
 	sc := securitycontext.NewPodSecurityContextAccessor(pod.Spec.SecurityContext)
@@ -263,26 +264,26 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 	if fsGroup := sc.FSGroup(); fsGroup != nil {
 		fsGroups = append(fsGroups, *fsGroup)
 	}
-	allErrs = append(allErrs, s.fsGroupStrategy.Validate(fldPath, pod, fsGroups)...)
-	allErrs = append(allErrs, s.supplementalGroupStrategy.Validate(fldPath, pod, sc.SupplementalGroups())...)
+	allErrs = append(allErrs, s.fsGroupStrategy.Validate(scPath, pod, fsGroups)...)
+	allErrs = append(allErrs, s.supplementalGroupStrategy.Validate(scPath, pod, sc.SupplementalGroups())...)
 	allErrs = append(allErrs, s.seccompStrategy.ValidatePod(pod)...)
 
-	allErrs = append(allErrs, s.seLinuxStrategy.Validate(fldPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
+	allErrs = append(allErrs, s.seLinuxStrategy.Validate(scPath.Child("seLinuxOptions"), pod, nil, sc.SELinuxOptions())...)
 
 	if !s.scc.AllowHostNetwork && sc.HostNetwork() {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
+		allErrs = append(allErrs, field.Invalid(specPath.Child("hostNetwork"), sc.HostNetwork(), "Host network is not allowed to be used"))
 	}
 
 	if !s.scc.AllowHostPID && sc.HostPID() {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
+		allErrs = append(allErrs, field.Invalid(specPath.Child("hostPID"), sc.HostPID(), "Host PID is not allowed to be used"))
 	}
 
 	if !s.scc.AllowHostIPC && sc.HostIPC() {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), sc.HostIPC(), "Host IPC is not allowed to be used"))
+		allErrs = append(allErrs, field.Invalid(specPath.Child("hostIPC"), sc.HostIPC(), "Host IPC is not allowed to be used"))
 	}
 
 	if s.scc.UserNamespaceLevel == securityv1.NamespaceLevelRequirePod && (sc.HostUsers() == nil || *sc.HostUsers()) {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostUsers"), sc.HostUsers(), "Host Users must be set to false"))
+		allErrs = append(allErrs, field.Invalid(specPath.Child("hostUsers"), sc.HostUsers(), "Host Users must be set to false"))
 	}
 
 	allErrs = append(allErrs, s.sysctlsStrategy.Validate(pod)...)
@@ -292,13 +293,13 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 		for i, v := range pod.Spec.Volumes {
 			fsType, err := sccutil.GetVolumeFSType(v)
 			if err != nil {
-				allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "volumes").Index(i), string(fsType), err.Error()))
+				allErrs = append(allErrs, field.Invalid(specPath.Child("volumes").Index(i), string(fsType), err.Error()))
 				continue
 			}
 
 			if !allowsVolumeType(allowedVolumes, fsType, v.VolumeSource) {
 				allErrs = append(allErrs, field.Invalid(
-					field.NewPath("spec", "volumes").Index(i), string(fsType),
+					specPath.Child("volumes").Index(i), string(fsType),
 					fmt.Sprintf("%s volumes are not allowed to be used", string(fsType))))
 			}
 		}
@@ -320,7 +321,7 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
 			}
 			if !found {
 				allErrs = append(allErrs,
-					field.Invalid(fldPath.Child("volumes").Index(i).Child("driver"), driver,
+					field.Invalid(specPath.Child("volumes").Index(i).Child("flexVolume", "driver"), driver,
 						"Flexvolume driver is not allowed to be used"))
 			}
 		}
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp/strategy.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp/strategy.go
index 0d24eda6a668d..1616a71dd352b 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp/strategy.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp/strategy.go
@@ -82,7 +82,7 @@ func (s *strategy) Generate(podAnnotations map[string]string, pod *api.Pod) (str
 // of the strategy.
 func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
 	allErrs := field.ErrorList{}
-	podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
+	podSpecFieldPath := field.NewPath("metadata", "annotations").Key(api.SeccompPodAnnotationKey)
 	podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
 	// if the annotation is not set, see if the field is set and derive the corresponding annotation value
 	// We are keeping annotations for backward compatibility - in case the pod is
@@ -102,7 +102,7 @@ func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
 // the range of the strategy.
 func (s *strategy) ValidateContainer(pod *api.Pod, container *api.Container) field.ErrorList {
 	allErrs := field.ErrorList{}
-	fieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
+	fieldPath := field.NewPath("metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix + container.Name)
 	containerProfile := profileForContainer(pod, container)
 
 	if err := s.validateProfile(fieldPath, containerProfile); err != nil {
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
index bd307b42498f0..06fcbea72a094 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
@@ -166,7 +166,7 @@ func (s *mustMatchPatterns) Validate(pod *api.Pod) field.ErrorList {
 		sysctls = pod.Spec.SecurityContext.Sysctls
 	}
 
-	fieldPath := field.NewPath("pod", "spec", "securityContext").Child("sysctls")
+	fieldPath := field.NewPath("spec", "securityContext").Child("sysctls")
 
 	for i, sysctl := range sysctls {
 		switch {
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcount.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcount.go
index 7370fe1812314..dcb996e39dd99 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcount.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcount.go
@@ -13,11 +13,20 @@ import (
 
 // APIRequestCountApplyConfiguration represents a declarative configuration of the APIRequestCount type for use
 // with apply.
+//
+// APIRequestCount tracks requests made to an API. The instance name must
+// be of the form `resource.version.group`, matching the resource.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type APIRequestCountApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *APIRequestCountSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *APIRequestCountStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the characteristics of the resource.
+	Spec *APIRequestCountSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *APIRequestCountStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // APIRequestCount constructs a declarative configuration of the APIRequestCount type for use with
@@ -30,6 +39,26 @@ func APIRequestCount(name string) *APIRequestCountApplyConfiguration {
 	return b
 }
 
+// ExtractAPIRequestCountFrom extracts the applied configuration owned by fieldManager from
+// aPIRequestCount for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// aPIRequestCount must be a unmodified APIRequestCount API object that was retrieved from the Kubernetes API.
+// ExtractAPIRequestCountFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractAPIRequestCountFrom(aPIRequestCount *apiserverv1.APIRequestCount, fieldManager string, subresource string) (*APIRequestCountApplyConfiguration, error) {
+	b := &APIRequestCountApplyConfiguration{}
+	err := managedfields.ExtractInto(aPIRequestCount, internal.Parser().Type("com.github.openshift.api.apiserver.v1.APIRequestCount"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(aPIRequestCount.Name)
+
+	b.WithKind("APIRequestCount")
+	b.WithAPIVersion("apiserver.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractAPIRequestCount extracts the applied configuration owned by fieldManager from
 // aPIRequestCount. If no managedFields are found in aPIRequestCount for fieldManager, a
 // APIRequestCountApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func APIRequestCount(name string) *APIRequestCountApplyConfiguration {
 // ExtractAPIRequestCount provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractAPIRequestCount(aPIRequestCount *apiserverv1.APIRequestCount, fieldManager string) (*APIRequestCountApplyConfiguration, error) {
-	return extractAPIRequestCount(aPIRequestCount, fieldManager, "")
+	return ExtractAPIRequestCountFrom(aPIRequestCount, fieldManager, "")
 }
 
-// ExtractAPIRequestCountStatus is the same as ExtractAPIRequestCount except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractAPIRequestCountStatus extracts the applied configuration owned by fieldManager from
+// aPIRequestCount for the status subresource.
 func ExtractAPIRequestCountStatus(aPIRequestCount *apiserverv1.APIRequestCount, fieldManager string) (*APIRequestCountApplyConfiguration, error) {
-	return extractAPIRequestCount(aPIRequestCount, fieldManager, "status")
+	return ExtractAPIRequestCountFrom(aPIRequestCount, fieldManager, "status")
 }
 
-func extractAPIRequestCount(aPIRequestCount *apiserverv1.APIRequestCount, fieldManager string, subresource string) (*APIRequestCountApplyConfiguration, error) {
-	b := &APIRequestCountApplyConfiguration{}
-	err := managedfields.ExtractInto(aPIRequestCount, internal.Parser().Type("com.github.openshift.api.apiserver.v1.APIRequestCount"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(aPIRequestCount.Name)
-
-	b.WithKind("APIRequestCount")
-	b.WithAPIVersion("apiserver.openshift.io/v1")
-	return b, nil
-}
 func (b APIRequestCountApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountspec.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountspec.go
index 4a5400c64e244..efbb15049f8c6 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountspec.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountspec.go
@@ -5,6 +5,8 @@ package v1
 // APIRequestCountSpecApplyConfiguration represents a declarative configuration of the APIRequestCountSpec type for use
 // with apply.
 type APIRequestCountSpecApplyConfiguration struct {
+	// numberOfUsersToReport is the number of users to include in the report.
+	// If unspecified or zero, the default is ten.  This is default is subject to change.
 	NumberOfUsersToReport *int64 `json:"numberOfUsersToReport,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountstatus.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountstatus.go
index d6d33904b36a8..22f3e2739ce56 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountstatus.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/apirequestcountstatus.go
@@ -9,11 +9,19 @@ import (
 // APIRequestCountStatusApplyConfiguration represents a declarative configuration of the APIRequestCountStatus type for use
 // with apply.
 type APIRequestCountStatusApplyConfiguration struct {
-	Conditions       []metav1.ConditionApplyConfiguration         `json:"conditions,omitempty"`
-	RemovedInRelease *string                                      `json:"removedInRelease,omitempty"`
-	RequestCount     *int64                                       `json:"requestCount,omitempty"`
-	CurrentHour      *PerResourceAPIRequestLogApplyConfiguration  `json:"currentHour,omitempty"`
-	Last24h          []PerResourceAPIRequestLogApplyConfiguration `json:"last24h,omitempty"`
+	// conditions contains details of the current status of this API Resource.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// removedInRelease is when the API will be removed.
+	RemovedInRelease *string `json:"removedInRelease,omitempty"`
+	// requestCount is a sum of all requestCounts across all current hours, nodes, and users.
+	RequestCount *int64 `json:"requestCount,omitempty"`
+	// currentHour contains request history for the current hour. This is porcelain to make the API
+	// easier to read by humans seeing if they addressed a problem. This field is reset on the hour.
+	CurrentHour *PerResourceAPIRequestLogApplyConfiguration `json:"currentHour,omitempty"`
+	// last24h contains request history for the last 24 hours, indexed by the hour, so
+	// 12:00AM-12:59 is in index 0, 6am-6:59am is index 6, etc. The index of the current hour
+	// is updated live and then duplicated into the requestsLastHour field.
+	Last24h []PerResourceAPIRequestLogApplyConfiguration `json:"last24h,omitempty"`
 }
 
 // APIRequestCountStatusApplyConfiguration constructs a declarative configuration of the APIRequestCountStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/pernodeapirequestlog.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/pernodeapirequestlog.go
index d55d2ab7222fa..ed55851287ad7 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/pernodeapirequestlog.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/pernodeapirequestlog.go
@@ -4,10 +4,18 @@ package v1
 
 // PerNodeAPIRequestLogApplyConfiguration represents a declarative configuration of the PerNodeAPIRequestLog type for use
 // with apply.
+//
+// PerNodeAPIRequestLog contains logs of requests to a certain node.
 type PerNodeAPIRequestLogApplyConfiguration struct {
-	NodeName     *string                                    `json:"nodeName,omitempty"`
-	RequestCount *int64                                     `json:"requestCount,omitempty"`
-	ByUser       []PerUserAPIRequestCountApplyConfiguration `json:"byUser,omitempty"`
+	// nodeName where the request are being handled.
+	NodeName *string `json:"nodeName,omitempty"`
+	// requestCount is a sum of all requestCounts across all users, even those outside of the top 10 users.
+	RequestCount *int64 `json:"requestCount,omitempty"`
+	// byUser contains request details by top .spec.numberOfUsersToReport users.
+	// Note that because in the case of an apiserver, restart the list of top users is determined on a best-effort basis,
+	// the list might be imprecise.
+	// In addition, some system users may be explicitly included in the list.
+	ByUser []PerUserAPIRequestCountApplyConfiguration `json:"byUser,omitempty"`
 }
 
 // PerNodeAPIRequestLogApplyConfiguration constructs a declarative configuration of the PerNodeAPIRequestLog type for use with
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perresourceapirequestlog.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perresourceapirequestlog.go
index 27dfc5b3d1be6..e15a773939149 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perresourceapirequestlog.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perresourceapirequestlog.go
@@ -4,9 +4,13 @@ package v1
 
 // PerResourceAPIRequestLogApplyConfiguration represents a declarative configuration of the PerResourceAPIRequestLog type for use
 // with apply.
+//
+// PerResourceAPIRequestLog logs request for various nodes.
 type PerResourceAPIRequestLogApplyConfiguration struct {
-	ByNode       []PerNodeAPIRequestLogApplyConfiguration `json:"byNode,omitempty"`
-	RequestCount *int64                                   `json:"requestCount,omitempty"`
+	// byNode contains logs of requests per node.
+	ByNode []PerNodeAPIRequestLogApplyConfiguration `json:"byNode,omitempty"`
+	// requestCount is a sum of all requestCounts across nodes.
+	RequestCount *int64 `json:"requestCount,omitempty"`
 }
 
 // PerResourceAPIRequestLogApplyConfiguration constructs a declarative configuration of the PerResourceAPIRequestLog type for use with
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/peruserapirequestcount.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/peruserapirequestcount.go
index 5b35a28e8e4fe..7bf86a95bce59 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/peruserapirequestcount.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/peruserapirequestcount.go
@@ -4,11 +4,20 @@ package v1
 
 // PerUserAPIRequestCountApplyConfiguration represents a declarative configuration of the PerUserAPIRequestCount type for use
 // with apply.
+//
+// PerUserAPIRequestCount contains logs of a user's requests.
 type PerUserAPIRequestCountApplyConfiguration struct {
-	UserName     *string                                    `json:"username,omitempty"`
-	UserAgent    *string                                    `json:"userAgent,omitempty"`
-	RequestCount *int64                                     `json:"requestCount,omitempty"`
-	ByVerb       []PerVerbAPIRequestCountApplyConfiguration `json:"byVerb,omitempty"`
+	// username that made the request.
+	UserName *string `json:"username,omitempty"`
+	// userAgent that made the request.
+	// The same user often has multiple binaries which connect (pods with many containers).  The different binaries
+	// will have different userAgents, but the same user.  In addition, we have userAgents with version information
+	// embedded and the userName isn't likely to change.
+	UserAgent *string `json:"userAgent,omitempty"`
+	// requestCount of requests by the user across all verbs.
+	RequestCount *int64 `json:"requestCount,omitempty"`
+	// byVerb details by verb.
+	ByVerb []PerVerbAPIRequestCountApplyConfiguration `json:"byVerb,omitempty"`
 }
 
 // PerUserAPIRequestCountApplyConfiguration constructs a declarative configuration of the PerUserAPIRequestCount type for use with
diff --git a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perverbapirequestcount.go b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perverbapirequestcount.go
index 569f8b4930d9b..8770656757d10 100644
--- a/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perverbapirequestcount.go
+++ b/vendor/github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1/perverbapirequestcount.go
@@ -4,9 +4,13 @@ package v1
 
 // PerVerbAPIRequestCountApplyConfiguration represents a declarative configuration of the PerVerbAPIRequestCount type for use
 // with apply.
+//
+// PerVerbAPIRequestCount requestCounts requests by API request verb.
 type PerVerbAPIRequestCountApplyConfiguration struct {
-	Verb         *string `json:"verb,omitempty"`
-	RequestCount *int64  `json:"requestCount,omitempty"`
+	// verb of API request (get, list, create, etc...)
+	Verb *string `json:"verb,omitempty"`
+	// requestCount of requests for verb.
+	RequestCount *int64 `json:"requestCount,omitempty"`
 }
 
 // PerVerbAPIRequestCountApplyConfiguration constructs a declarative configuration of the PerVerbAPIRequestCount type for use with
diff --git a/vendor/github.com/openshift/client-go/apiserver/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/apiserver/clientset/versioned/fake/clientset_generated.go
index 02dd33c9c8830..eb4cc6660c3a4 100644
--- a/vendor/github.com/openshift/client-go/apiserver/clientset/versioned/fake/clientset_generated.go
+++ b/vendor/github.com/openshift/client-go/apiserver/clientset/versioned/fake/clientset_generated.go
@@ -20,7 +20,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -36,8 +36,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -68,6 +68,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/customdeploymentstrategyparams.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/customdeploymentstrategyparams.go
index 10d56cc323341..c2d652c9eab45 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/customdeploymentstrategyparams.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/customdeploymentstrategyparams.go
@@ -8,10 +8,15 @@ import (
 
 // CustomDeploymentStrategyParamsApplyConfiguration represents a declarative configuration of the CustomDeploymentStrategyParams type for use
 // with apply.
+//
+// CustomDeploymentStrategyParams are the input to the Custom deployment strategy.
 type CustomDeploymentStrategyParamsApplyConfiguration struct {
-	Image       *string         `json:"image,omitempty"`
+	// image specifies a container image which can carry out a deployment.
+	Image *string `json:"image,omitempty"`
+	// environment holds the environment which will be given to the container for Image.
 	Environment []corev1.EnvVar `json:"environment,omitempty"`
-	Command     []string        `json:"command,omitempty"`
+	// command is optional and overrides CMD in the container Image.
+	Command []string `json:"command,omitempty"`
 }
 
 // CustomDeploymentStrategyParamsApplyConfiguration constructs a declarative configuration of the CustomDeploymentStrategyParams type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcause.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcause.go
index d772740d0e533..05df614c2548d 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcause.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcause.go
@@ -8,8 +8,12 @@ import (
 
 // DeploymentCauseApplyConfiguration represents a declarative configuration of the DeploymentCause type for use
 // with apply.
+//
+// DeploymentCause captures information about a particular cause of a deployment.
 type DeploymentCauseApplyConfiguration struct {
-	Type         *appsv1.DeploymentTriggerType                  `json:"type,omitempty"`
+	// type of the trigger that resulted in the creation of a new deployment
+	Type *appsv1.DeploymentTriggerType `json:"type,omitempty"`
+	// imageTrigger contains the image trigger details, if this trigger was fired based on an image change
 	ImageTrigger *DeploymentCauseImageTriggerApplyConfiguration `json:"imageTrigger,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcauseimagetrigger.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcauseimagetrigger.go
index 05e3a794f0bc1..c0eb8f3c40b9a 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcauseimagetrigger.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcauseimagetrigger.go
@@ -8,7 +8,12 @@ import (
 
 // DeploymentCauseImageTriggerApplyConfiguration represents a declarative configuration of the DeploymentCauseImageTrigger type for use
 // with apply.
+//
+// DeploymentCauseImageTrigger represents details about the cause of a deployment originating
+// from an image change trigger
 type DeploymentCauseImageTriggerApplyConfiguration struct {
+	// from is a reference to the changed object which triggered a deployment. The field may have
+	// the kinds DockerImage, ImageStreamTag, or ImageStreamImage.
 	From *corev1.ObjectReference `json:"from,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcondition.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcondition.go
index b5ffab10c8267..3f1847380ec09 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcondition.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcondition.go
@@ -10,13 +10,21 @@ import (
 
 // DeploymentConditionApplyConfiguration represents a declarative configuration of the DeploymentCondition type for use
 // with apply.
+//
+// DeploymentCondition describes the state of a deployment config at a certain point.
 type DeploymentConditionApplyConfiguration struct {
-	Type               *appsv1.DeploymentConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                    `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// type of deployment condition.
+	Type *appsv1.DeploymentConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // DeploymentConditionApplyConfiguration constructs a declarative configuration of the DeploymentCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfig.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfig.go
index 8e5ee738c359c..68759972f357e 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfig.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfig.go
@@ -13,11 +13,28 @@ import (
 
 // DeploymentConfigApplyConfiguration represents a declarative configuration of the DeploymentConfig type for use
 // with apply.
+//
+// Deployment Configs define the template for a pod and manages deploying new images or configuration changes.
+// A single deployment configuration is usually analogous to a single micro-service. Can support many different
+// deployment patterns, including full restart, customizable rolling updates, and  fully custom behaviors, as
+// well as pre- and post- deployment hooks. Each individual deployment is represented as a replication controller.
+//
+// A deployment is "triggered" when its configuration is changed or a tag in an Image Stream is changed.
+// Triggers can be disabled to allow manual control over a deployment. The "strategy" determines how the deployment
+// is carried out and may be changed at any time. The `latestVersion` field is updated when a new deployment
+// is triggered by any means.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// Deprecated: Use deployments or other means for declarative updates for pods instead.
 type DeploymentConfigApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DeploymentConfigSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *DeploymentConfigStatusApplyConfiguration `json:"status,omitempty"`
+	// spec represents a desired deployment state and how to deploy to it.
+	Spec *DeploymentConfigSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current deployment state.
+	Status *DeploymentConfigStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DeploymentConfig constructs a declarative configuration of the DeploymentConfig type for use with
@@ -31,6 +48,27 @@ func DeploymentConfig(name, namespace string) *DeploymentConfigApplyConfiguratio
 	return b
 }
 
+// ExtractDeploymentConfigFrom extracts the applied configuration owned by fieldManager from
+// deploymentConfig for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// deploymentConfig must be a unmodified DeploymentConfig API object that was retrieved from the Kubernetes API.
+// ExtractDeploymentConfigFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDeploymentConfigFrom(deploymentConfig *appsv1.DeploymentConfig, fieldManager string, subresource string) (*DeploymentConfigApplyConfiguration, error) {
+	b := &DeploymentConfigApplyConfiguration{}
+	err := managedfields.ExtractInto(deploymentConfig, internal.Parser().Type("com.github.openshift.api.apps.v1.DeploymentConfig"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deploymentConfig.Name)
+	b.WithNamespace(deploymentConfig.Namespace)
+
+	b.WithKind("DeploymentConfig")
+	b.WithAPIVersion("apps.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractDeploymentConfig extracts the applied configuration owned by fieldManager from
 // deploymentConfig. If no managedFields are found in deploymentConfig for fieldManager, a
 // DeploymentConfigApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +79,34 @@ func DeploymentConfig(name, namespace string) *DeploymentConfigApplyConfiguratio
 // ExtractDeploymentConfig provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDeploymentConfig(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
-	return extractDeploymentConfig(deploymentConfig, fieldManager, "")
+	return ExtractDeploymentConfigFrom(deploymentConfig, fieldManager, "")
 }
 
-// ExtractDeploymentConfigStatus is the same as ExtractDeploymentConfig except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractDeploymentConfigStatus(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
-	return extractDeploymentConfig(deploymentConfig, fieldManager, "status")
+// ExtractDeploymentConfigInstantiate extracts the applied configuration owned by fieldManager from
+// deploymentConfig for the instantiate subresource.
+func ExtractDeploymentConfigInstantiate(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
+	return ExtractDeploymentConfigFrom(deploymentConfig, fieldManager, "instantiate")
 }
 
-func extractDeploymentConfig(deploymentConfig *appsv1.DeploymentConfig, fieldManager string, subresource string) (*DeploymentConfigApplyConfiguration, error) {
-	b := &DeploymentConfigApplyConfiguration{}
-	err := managedfields.ExtractInto(deploymentConfig, internal.Parser().Type("com.github.openshift.api.apps.v1.DeploymentConfig"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(deploymentConfig.Name)
-	b.WithNamespace(deploymentConfig.Namespace)
+// ExtractDeploymentConfigRollback extracts the applied configuration owned by fieldManager from
+// deploymentConfig for the rollback subresource.
+func ExtractDeploymentConfigRollback(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
+	return ExtractDeploymentConfigFrom(deploymentConfig, fieldManager, "rollback")
+}
 
-	b.WithKind("DeploymentConfig")
-	b.WithAPIVersion("apps.openshift.io/v1")
-	return b, nil
+// ExtractDeploymentConfigScale extracts the applied configuration owned by fieldManager from
+// deploymentConfig for the scale subresource.
+func ExtractDeploymentConfigScale(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
+	return ExtractDeploymentConfigFrom(deploymentConfig, fieldManager, "scale")
 }
+
+// ExtractDeploymentConfigStatus extracts the applied configuration owned by fieldManager from
+// deploymentConfig for the status subresource.
+func ExtractDeploymentConfigStatus(deploymentConfig *appsv1.DeploymentConfig, fieldManager string) (*DeploymentConfigApplyConfiguration, error) {
+	return ExtractDeploymentConfigFrom(deploymentConfig, fieldManager, "status")
+}
+
 func (b DeploymentConfigApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigspec.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigspec.go
index 90d869ace885e..e9f080aee2442 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigspec.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigspec.go
@@ -9,16 +9,37 @@ import (
 
 // DeploymentConfigSpecApplyConfiguration represents a declarative configuration of the DeploymentConfigSpec type for use
 // with apply.
+//
+// DeploymentConfigSpec represents the desired state of the deployment.
 type DeploymentConfigSpecApplyConfiguration struct {
-	Strategy             *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
-	MinReadySeconds      *int32                                `json:"minReadySeconds,omitempty"`
-	Triggers             *appsv1.DeploymentTriggerPolicies     `json:"triggers,omitempty"`
-	Replicas             *int32                                `json:"replicas,omitempty"`
-	RevisionHistoryLimit *int32                                `json:"revisionHistoryLimit,omitempty"`
-	Test                 *bool                                 `json:"test,omitempty"`
-	Paused               *bool                                 `json:"paused,omitempty"`
-	Selector             map[string]string                     `json:"selector,omitempty"`
-	Template             *corev1.PodTemplateSpec               `json:"template,omitempty"`
+	// strategy describes how a deployment is executed.
+	Strategy *DeploymentStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// minReadySeconds is the minimum number of seconds for which a newly created pod should
+	// be ready without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
+	// triggers determine how updates to a DeploymentConfig result in new deployments. If no triggers
+	// are defined, a new deployment can only occur as a result of an explicit client update to the
+	// DeploymentConfig with a new LatestVersion. If null, defaults to having a config change trigger.
+	Triggers *appsv1.DeploymentTriggerPolicies `json:"triggers,omitempty"`
+	// replicas is the number of desired replicas.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// revisionHistoryLimit is the number of old ReplicationControllers to retain to allow for rollbacks.
+	// This field is a pointer to allow for differentiation between an explicit zero and not specified.
+	// Defaults to 10. (This only applies to DeploymentConfigs created via the new group API resource, not the legacy resource.)
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
+	// test ensures that this deployment config will have zero replicas except while a deployment is running. This allows the
+	// deployment config to be used as a continuous deployment test - triggering on images, running the deployment, and then succeeding
+	// or failing. Post strategy hooks and After actions can be used to integrate successful deployment with an action.
+	Test *bool `json:"test,omitempty"`
+	// paused indicates that the deployment config is paused resulting in no new deployments on template
+	// changes or changes in the template caused by other triggers.
+	Paused *bool `json:"paused,omitempty"`
+	// selector is a label query over pods that should match the Replicas count.
+	Selector map[string]string `json:"selector,omitempty"`
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	Template *corev1.PodTemplateSpec `json:"template,omitempty"`
 }
 
 // DeploymentConfigSpecApplyConfiguration constructs a declarative configuration of the DeploymentConfigSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigstatus.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigstatus.go
index 1ae86c5653dd9..f1e87cb5c5295 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigstatus.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigstatus.go
@@ -4,16 +4,30 @@ package v1
 
 // DeploymentConfigStatusApplyConfiguration represents a declarative configuration of the DeploymentConfigStatus type for use
 // with apply.
+//
+// DeploymentConfigStatus represents the current deployment state.
 type DeploymentConfigStatusApplyConfiguration struct {
-	LatestVersion       *int64                                  `json:"latestVersion,omitempty"`
-	ObservedGeneration  *int64                                  `json:"observedGeneration,omitempty"`
-	Replicas            *int32                                  `json:"replicas,omitempty"`
-	UpdatedReplicas     *int32                                  `json:"updatedReplicas,omitempty"`
-	AvailableReplicas   *int32                                  `json:"availableReplicas,omitempty"`
-	UnavailableReplicas *int32                                  `json:"unavailableReplicas,omitempty"`
-	Details             *DeploymentDetailsApplyConfiguration    `json:"details,omitempty"`
-	Conditions          []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
-	ReadyReplicas       *int32                                  `json:"readyReplicas,omitempty"`
+	// latestVersion is used to determine whether the current deployment associated with a deployment
+	// config is out of sync.
+	LatestVersion *int64 `json:"latestVersion,omitempty"`
+	// observedGeneration is the most recent generation observed by the deployment config controller.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// replicas is the total number of pods targeted by this deployment config.
+	Replicas *int32 `json:"replicas,omitempty"`
+	// updatedReplicas is the total number of non-terminated pods targeted by this deployment config
+	// that have the desired template spec.
+	UpdatedReplicas *int32 `json:"updatedReplicas,omitempty"`
+	// availableReplicas is the total number of available pods targeted by this deployment config.
+	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
+	// unavailableReplicas is the total number of unavailable pods targeted by this deployment config.
+	UnavailableReplicas *int32 `json:"unavailableReplicas,omitempty"`
+	// details are the reasons for the update to this deployment config.
+	// This could be based on a change made by the user or caused by an automatic trigger
+	Details *DeploymentDetailsApplyConfiguration `json:"details,omitempty"`
+	// conditions represents the latest available observations of a deployment config's current state.
+	Conditions []DeploymentConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Total number of ready pods targeted by this deployment.
+	ReadyReplicas *int32 `json:"readyReplicas,omitempty"`
 }
 
 // DeploymentConfigStatusApplyConfiguration constructs a declarative configuration of the DeploymentConfigStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentdetails.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentdetails.go
index e2f8e4c31002c..85ea5dc1d3ea3 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentdetails.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentdetails.go
@@ -4,9 +4,13 @@ package v1
 
 // DeploymentDetailsApplyConfiguration represents a declarative configuration of the DeploymentDetails type for use
 // with apply.
+//
+// DeploymentDetails captures information about the causes of a deployment.
 type DeploymentDetailsApplyConfiguration struct {
-	Message *string                             `json:"message,omitempty"`
-	Causes  []DeploymentCauseApplyConfiguration `json:"causes,omitempty"`
+	// message is the user specified change message, if this deployment was triggered manually by the user
+	Message *string `json:"message,omitempty"`
+	// causes are extended data associated with all the causes for creating a new deployment
+	Causes []DeploymentCauseApplyConfiguration `json:"causes,omitempty"`
 }
 
 // DeploymentDetailsApplyConfiguration constructs a declarative configuration of the DeploymentDetails type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentstrategy.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentstrategy.go
index 021626305100c..efcfb7b76e4f0 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentstrategy.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentstrategy.go
@@ -9,15 +9,28 @@ import (
 
 // DeploymentStrategyApplyConfiguration represents a declarative configuration of the DeploymentStrategy type for use
 // with apply.
+//
+// DeploymentStrategy describes how to perform a deployment.
 type DeploymentStrategyApplyConfiguration struct {
-	Type                  *appsv1.DeploymentStrategyType                      `json:"type,omitempty"`
-	CustomParams          *CustomDeploymentStrategyParamsApplyConfiguration   `json:"customParams,omitempty"`
-	RecreateParams        *RecreateDeploymentStrategyParamsApplyConfiguration `json:"recreateParams,omitempty"`
-	RollingParams         *RollingDeploymentStrategyParamsApplyConfiguration  `json:"rollingParams,omitempty"`
-	Resources             *corev1.ResourceRequirements                        `json:"resources,omitempty"`
-	Labels                map[string]string                                   `json:"labels,omitempty"`
-	Annotations           map[string]string                                   `json:"annotations,omitempty"`
-	ActiveDeadlineSeconds *int64                                              `json:"activeDeadlineSeconds,omitempty"`
+	// type is the name of a deployment strategy.
+	Type *appsv1.DeploymentStrategyType `json:"type,omitempty"`
+	// customParams are the input to the Custom deployment strategy, and may also
+	// be specified for the Recreate and Rolling strategies to customize the execution
+	// process that runs the deployment.
+	CustomParams *CustomDeploymentStrategyParamsApplyConfiguration `json:"customParams,omitempty"`
+	// recreateParams are the input to the Recreate deployment strategy.
+	RecreateParams *RecreateDeploymentStrategyParamsApplyConfiguration `json:"recreateParams,omitempty"`
+	// rollingParams are the input to the Rolling deployment strategy.
+	RollingParams *RollingDeploymentStrategyParamsApplyConfiguration `json:"rollingParams,omitempty"`
+	// resources contains resource requirements to execute the deployment and any hooks.
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+	// labels is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods.
+	Labels map[string]string `json:"labels,omitempty"`
+	// annotations is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// activeDeadlineSeconds is the duration in seconds that the deployer pods for this deployment
+	// config may be active on a node before the system actively tries to terminate them.
+	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty"`
 }
 
 // DeploymentStrategyApplyConfiguration constructs a declarative configuration of the DeploymentStrategy type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerimagechangeparams.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerimagechangeparams.go
index f8db16284607d..31e7a2237cbe6 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerimagechangeparams.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerimagechangeparams.go
@@ -8,11 +8,23 @@ import (
 
 // DeploymentTriggerImageChangeParamsApplyConfiguration represents a declarative configuration of the DeploymentTriggerImageChangeParams type for use
 // with apply.
+//
+// DeploymentTriggerImageChangeParams represents the parameters to the ImageChange trigger.
 type DeploymentTriggerImageChangeParamsApplyConfiguration struct {
-	Automatic          *bool                   `json:"automatic,omitempty"`
-	ContainerNames     []string                `json:"containerNames,omitempty"`
-	From               *corev1.ObjectReference `json:"from,omitempty"`
-	LastTriggeredImage *string                 `json:"lastTriggeredImage,omitempty"`
+	// automatic means that the detection of a new tag value should result in an image update
+	// inside the pod template.
+	Automatic *bool `json:"automatic,omitempty"`
+	// containerNames is used to restrict tag updates to the specified set of container names in a pod.
+	// If multiple triggers point to the same containers, the resulting behavior is undefined. Future
+	// API versions will make this a validation error. If ContainerNames does not point to a valid container,
+	// the trigger will be ignored. Future API versions will make this a validation error.
+	ContainerNames []string `json:"containerNames,omitempty"`
+	// from is a reference to an image stream tag to watch for changes. From.Name is the only
+	// required subfield - if From.Namespace is blank, the namespace of the current deployment
+	// trigger will be used.
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// lastTriggeredImage is the last image to be triggered.
+	LastTriggeredImage *string `json:"lastTriggeredImage,omitempty"`
 }
 
 // DeploymentTriggerImageChangeParamsApplyConfiguration constructs a declarative configuration of the DeploymentTriggerImageChangeParams type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerpolicy.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerpolicy.go
index 7e6dc5b5b601a..3a08c01c448fe 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerpolicy.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerpolicy.go
@@ -8,8 +8,12 @@ import (
 
 // DeploymentTriggerPolicyApplyConfiguration represents a declarative configuration of the DeploymentTriggerPolicy type for use
 // with apply.
+//
+// DeploymentTriggerPolicy describes a policy for a single trigger that results in a new deployment.
 type DeploymentTriggerPolicyApplyConfiguration struct {
-	Type              *appsv1.DeploymentTriggerType                         `json:"type,omitempty"`
+	// type of the trigger
+	Type *appsv1.DeploymentTriggerType `json:"type,omitempty"`
+	// imageChangeParams represents the parameters for the ImageChange trigger.
 	ImageChangeParams *DeploymentTriggerImageChangeParamsApplyConfiguration `json:"imageChangeParams,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/execnewpodhook.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/execnewpodhook.go
index ae81c4ef53286..ef70e3500edbf 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/execnewpodhook.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/execnewpodhook.go
@@ -8,11 +8,22 @@ import (
 
 // ExecNewPodHookApplyConfiguration represents a declarative configuration of the ExecNewPodHook type for use
 // with apply.
+//
+// ExecNewPodHook is a hook implementation which runs a command in a new pod
+// based on the specified container which is assumed to be part of the
+// deployment template.
 type ExecNewPodHookApplyConfiguration struct {
-	Command       []string        `json:"command,omitempty"`
-	Env           []corev1.EnvVar `json:"env,omitempty"`
-	ContainerName *string         `json:"containerName,omitempty"`
-	Volumes       []string        `json:"volumes,omitempty"`
+	// command is the action command and its arguments.
+	Command []string `json:"command,omitempty"`
+	// env is a set of environment variables to supply to the hook pod's container.
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// containerName is the name of a container in the deployment pod template
+	// whose container image will be used for the hook pod's container.
+	ContainerName *string `json:"containerName,omitempty"`
+	// volumes is a list of named volumes from the pod template which should be
+	// copied to the hook pod. Volumes names not found in pod spec are ignored.
+	// An empty list means no volumes will be copied.
+	Volumes []string `json:"volumes,omitempty"`
 }
 
 // ExecNewPodHookApplyConfiguration constructs a declarative configuration of the ExecNewPodHook type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/lifecyclehook.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/lifecyclehook.go
index 637f064e48e70..cf4649db2d245 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/lifecyclehook.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/lifecyclehook.go
@@ -8,10 +8,15 @@ import (
 
 // LifecycleHookApplyConfiguration represents a declarative configuration of the LifecycleHook type for use
 // with apply.
+//
+// LifecycleHook defines a specific deployment lifecycle action. Only one type of action may be specified at any time.
 type LifecycleHookApplyConfiguration struct {
+	// failurePolicy specifies what action to take if the hook fails.
 	FailurePolicy *appsv1.LifecycleHookFailurePolicy `json:"failurePolicy,omitempty"`
-	ExecNewPod    *ExecNewPodHookApplyConfiguration  `json:"execNewPod,omitempty"`
-	TagImages     []TagImageHookApplyConfiguration   `json:"tagImages,omitempty"`
+	// execNewPod specifies the options for a lifecycle hook backed by a pod.
+	ExecNewPod *ExecNewPodHookApplyConfiguration `json:"execNewPod,omitempty"`
+	// tagImages instructs the deployer to tag the current image referenced under a container onto an image stream tag.
+	TagImages []TagImageHookApplyConfiguration `json:"tagImages,omitempty"`
 }
 
 // LifecycleHookApplyConfiguration constructs a declarative configuration of the LifecycleHook type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/recreatedeploymentstrategyparams.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/recreatedeploymentstrategyparams.go
index 4766c8bdd1830..07023ffb17d8d 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/recreatedeploymentstrategyparams.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/recreatedeploymentstrategyparams.go
@@ -4,11 +4,22 @@ package v1
 
 // RecreateDeploymentStrategyParamsApplyConfiguration represents a declarative configuration of the RecreateDeploymentStrategyParams type for use
 // with apply.
+//
+// RecreateDeploymentStrategyParams are the input to the Recreate deployment
+// strategy.
 type RecreateDeploymentStrategyParamsApplyConfiguration struct {
-	TimeoutSeconds *int64                           `json:"timeoutSeconds,omitempty"`
-	Pre            *LifecycleHookApplyConfiguration `json:"pre,omitempty"`
-	Mid            *LifecycleHookApplyConfiguration `json:"mid,omitempty"`
-	Post           *LifecycleHookApplyConfiguration `json:"post,omitempty"`
+	// timeoutSeconds is the time to wait for updates before giving up. If the
+	// value is nil, a default will be used.
+	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
+	// pre is a lifecycle hook which is executed before the strategy manipulates
+	// the deployment. All LifecycleHookFailurePolicy values are supported.
+	Pre *LifecycleHookApplyConfiguration `json:"pre,omitempty"`
+	// mid is a lifecycle hook which is executed while the deployment is scaled down to zero before the first new
+	// pod is created. All LifecycleHookFailurePolicy values are supported.
+	Mid *LifecycleHookApplyConfiguration `json:"mid,omitempty"`
+	// post is a lifecycle hook which is executed after the strategy has
+	// finished all deployment logic. All LifecycleHookFailurePolicy values are supported.
+	Post *LifecycleHookApplyConfiguration `json:"post,omitempty"`
 }
 
 // RecreateDeploymentStrategyParamsApplyConfiguration constructs a declarative configuration of the RecreateDeploymentStrategyParams type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/rollingdeploymentstrategyparams.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/rollingdeploymentstrategyparams.go
index 60158d11950c8..734196b1a7931 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/rollingdeploymentstrategyparams.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/rollingdeploymentstrategyparams.go
@@ -8,14 +8,52 @@ import (
 
 // RollingDeploymentStrategyParamsApplyConfiguration represents a declarative configuration of the RollingDeploymentStrategyParams type for use
 // with apply.
+//
+// RollingDeploymentStrategyParams are the input to the Rolling deployment
+// strategy.
 type RollingDeploymentStrategyParamsApplyConfiguration struct {
-	UpdatePeriodSeconds *int64                           `json:"updatePeriodSeconds,omitempty"`
-	IntervalSeconds     *int64                           `json:"intervalSeconds,omitempty"`
-	TimeoutSeconds      *int64                           `json:"timeoutSeconds,omitempty"`
-	MaxUnavailable      *intstr.IntOrString              `json:"maxUnavailable,omitempty"`
-	MaxSurge            *intstr.IntOrString              `json:"maxSurge,omitempty"`
-	Pre                 *LifecycleHookApplyConfiguration `json:"pre,omitempty"`
-	Post                *LifecycleHookApplyConfiguration `json:"post,omitempty"`
+	// updatePeriodSeconds is the time to wait between individual pod updates.
+	// If the value is nil, a default will be used.
+	UpdatePeriodSeconds *int64 `json:"updatePeriodSeconds,omitempty"`
+	// intervalSeconds is the time to wait between polling deployment status
+	// after update. If the value is nil, a default will be used.
+	IntervalSeconds *int64 `json:"intervalSeconds,omitempty"`
+	// timeoutSeconds is the time to wait for updates before giving up. If the
+	// value is nil, a default will be used.
+	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
+	// maxUnavailable is the maximum number of pods that can be unavailable
+	// during the update. Value can be an absolute number (ex: 5) or a
+	// percentage of total pods at the start of update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding down.
+	//
+	// This cannot be 0 if MaxSurge is 0. By default, 25% is used.
+	//
+	// Example: when this is set to 30%, the old RC can be scaled down by 30%
+	// immediately when the rolling update starts. Once new pods are ready, old
+	// RC can be scaled down further, followed by scaling up the new RC,
+	// ensuring that at least 70% of original number of pods are available at
+	// all times during the update.
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty"`
+	// maxSurge is the maximum number of pods that can be scheduled above the
+	// original number of pods. Value can be an absolute number (ex: 5) or a
+	// percentage of total pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	//
+	// This cannot be 0 if MaxUnavailable is 0. By default, 25% is used.
+	//
+	// Example: when this is set to 30%, the new RC can be scaled up by 30%
+	// immediately when the rolling update starts. Once old pods have been
+	// killed, new RC can be scaled up further, ensuring that total number of
+	// pods running at any time during the update is atmost 130% of original
+	// pods.
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty"`
+	// pre is a lifecycle hook which is executed before the deployment process
+	// begins. All LifecycleHookFailurePolicy values are supported.
+	Pre *LifecycleHookApplyConfiguration `json:"pre,omitempty"`
+	// post is a lifecycle hook which is executed after the strategy has
+	// finished all deployment logic. All LifecycleHookFailurePolicy values
+	// are supported.
+	Post *LifecycleHookApplyConfiguration `json:"post,omitempty"`
 }
 
 // RollingDeploymentStrategyParamsApplyConfiguration constructs a declarative configuration of the RollingDeploymentStrategyParams type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/tagimagehook.go b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/tagimagehook.go
index 6b88c2f5084c3..465ba731d7032 100644
--- a/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/tagimagehook.go
+++ b/vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/tagimagehook.go
@@ -8,9 +8,14 @@ import (
 
 // TagImageHookApplyConfiguration represents a declarative configuration of the TagImageHook type for use
 // with apply.
+//
+// TagImageHook is a request to tag the image in a particular container onto an ImageStreamTag.
 type TagImageHookApplyConfiguration struct {
-	ContainerName *string                 `json:"containerName,omitempty"`
-	To            *corev1.ObjectReference `json:"to,omitempty"`
+	// containerName is the name of a container in the deployment config whose image value will be used as the source of the tag. If there is only a single
+	// container this value will be defaulted to the name of that container.
+	ContainerName *string `json:"containerName,omitempty"`
+	// to is the target ImageStreamTag to set the container's image onto.
+	To *corev1.ObjectReference `json:"to,omitempty"`
 }
 
 // TagImageHookApplyConfiguration constructs a declarative configuration of the TagImageHook type for use with
diff --git a/vendor/github.com/openshift/client-go/apps/informers/externalversions/apps/v1/deploymentconfig.go b/vendor/github.com/openshift/client-go/apps/informers/externalversions/apps/v1/deploymentconfig.go
index 5a8b03027c497..e2beccfd80702 100644
--- a/vendor/github.com/openshift/client-go/apps/informers/externalversions/apps/v1/deploymentconfig.go
+++ b/vendor/github.com/openshift/client-go/apps/informers/externalversions/apps/v1/deploymentconfig.go
@@ -41,7 +41,7 @@ func NewDeploymentConfigInformer(client versioned.Interface, namespace string, r
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDeploymentConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredDeploymentConfigInformer(client versioned.Interface, namespace s
 				}
 				return client.AppsV1().DeploymentConfigs(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiappsv1.DeploymentConfig{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/apps/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/apps/informers/externalversions/factory.go
index 6eb7324817809..825dd4566b795 100644
--- a/vendor/github.com/openshift/client-go/apps/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/apps/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrole.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrole.go
index 9e4e4cda59599..58b687189f168 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrole.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrole.go
@@ -14,11 +14,21 @@ import (
 
 // ClusterRoleApplyConfiguration represents a declarative configuration of the ClusterRole type for use
 // with apply.
+//
+// ClusterRole is a logical grouping of PolicyRules that can be referenced as a unit by ClusterRoleBindings.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterRoleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                                []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
-	AggregationRule                      *rbacv1.AggregationRule        `json:"aggregationRule,omitempty"`
+	// rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// aggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	AggregationRule *rbacv1.AggregationRule `json:"aggregationRule,omitempty"`
 }
 
 // ClusterRole constructs a declarative configuration of the ClusterRole type for use with
@@ -31,29 +41,14 @@ func ClusterRole(name string) *ClusterRoleApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRole extracts the applied configuration owned by fieldManager from
-// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
-// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleFrom extracts the applied configuration owned by fieldManager from
+// clusterRole for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
-// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRole(clusterRole *authorizationv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "")
-}
-
-// ExtractClusterRoleStatus is the same as ExtractClusterRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleStatus(clusterRole *authorizationv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
-	return extractClusterRole(clusterRole, fieldManager, "status")
-}
-
-func extractClusterRole(clusterRole *authorizationv1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
+func ExtractClusterRoleFrom(clusterRole *authorizationv1.ClusterRole, fieldManager string, subresource string) (*ClusterRoleApplyConfiguration, error) {
 	b := &ClusterRoleApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRole, internal.Parser().Type("com.github.openshift.api.authorization.v1.ClusterRole"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +60,21 @@ func extractClusterRole(clusterRole *authorizationv1.ClusterRole, fieldManager s
 	b.WithAPIVersion("authorization.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractClusterRole extracts the applied configuration owned by fieldManager from
+// clusterRole. If no managedFields are found in clusterRole for fieldManager, a
+// ClusterRoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRole must be a unmodified ClusterRole API object that was retrieved from the Kubernetes API.
+// ExtractClusterRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRole(clusterRole *authorizationv1.ClusterRole, fieldManager string) (*ClusterRoleApplyConfiguration, error) {
+	return ExtractClusterRoleFrom(clusterRole, fieldManager, "")
+}
+
 func (b ClusterRoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrolebinding.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrolebinding.go
index 7c321a83e0f78..6f63c85d44519 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrolebinding.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrolebinding.go
@@ -14,13 +14,35 @@ import (
 
 // ClusterRoleBindingApplyConfiguration represents a declarative configuration of the ClusterRoleBinding type for use
 // with apply.
+//
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference any ClusterRole in the same namespace or in the global namespace.
+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
+// ClusterRoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterRoleBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	UserNames                            *authorizationv1.OptionalNames `json:"userNames,omitempty"`
-	GroupNames                           *authorizationv1.OptionalNames `json:"groupNames,omitempty"`
-	Subjects                             []corev1.ObjectReference       `json:"subjects,omitempty"`
-	RoleRef                              *corev1.ObjectReference        `json:"roleRef,omitempty"`
+	// userNames holds all the usernames directly bound to the role.
+	// This field should only be specified when supporting legacy clients and servers.
+	// See Subjects for further details.
+	UserNames *authorizationv1.OptionalNames `json:"userNames,omitempty"`
+	// groupNames holds all the groups directly bound to the role.
+	// This field should only be specified when supporting legacy clients and servers.
+	// See Subjects for further details.
+	GroupNames *authorizationv1.OptionalNames `json:"groupNames,omitempty"`
+	// subjects hold object references to authorize with this rule.
+	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
+	// Thus newer clients that do not need to support backwards compatibility should send
+	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
+	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
+	Subjects []corev1.ObjectReference `json:"subjects,omitempty"`
+	// roleRef can only reference the current namespace and the global namespace.
+	// If the ClusterRoleRef cannot be resolved, the Authorizer must return an error.
+	// Since Policy is a singleton, this is sufficient knowledge to locate a role.
+	RoleRef *corev1.ObjectReference `json:"roleRef,omitempty"`
 }
 
 // ClusterRoleBinding constructs a declarative configuration of the ClusterRoleBinding type for use with
@@ -33,29 +55,14 @@ func ClusterRoleBinding(name string) *ClusterRoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
-// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
-// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterRoleBinding(clusterRoleBinding *authorizationv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "")
-}
-
-// ExtractClusterRoleBindingStatus is the same as ExtractClusterRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterRoleBindingStatus(clusterRoleBinding *authorizationv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
-	return extractClusterRoleBinding(clusterRoleBinding, fieldManager, "status")
-}
-
-func extractClusterRoleBinding(clusterRoleBinding *authorizationv1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
+func ExtractClusterRoleBindingFrom(clusterRoleBinding *authorizationv1.ClusterRoleBinding, fieldManager string, subresource string) (*ClusterRoleBindingApplyConfiguration, error) {
 	b := &ClusterRoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterRoleBinding, internal.Parser().Type("com.github.openshift.api.authorization.v1.ClusterRoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -67,6 +74,21 @@ func extractClusterRoleBinding(clusterRoleBinding *authorizationv1.ClusterRoleBi
 	b.WithAPIVersion("authorization.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractClusterRoleBinding extracts the applied configuration owned by fieldManager from
+// clusterRoleBinding. If no managedFields are found in clusterRoleBinding for fieldManager, a
+// ClusterRoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterRoleBinding must be a unmodified ClusterRoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractClusterRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterRoleBinding(clusterRoleBinding *authorizationv1.ClusterRoleBinding, fieldManager string) (*ClusterRoleBindingApplyConfiguration, error) {
+	return ExtractClusterRoleBindingFrom(clusterRoleBinding, fieldManager, "")
+}
+
 func (b ClusterRoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/grouprestriction.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/grouprestriction.go
index 3bb799f3948e1..25709fa836fc8 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/grouprestriction.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/grouprestriction.go
@@ -8,8 +8,15 @@ import (
 
 // GroupRestrictionApplyConfiguration represents a declarative configuration of the GroupRestriction type for use
 // with apply.
+//
+// GroupRestriction matches a group either by a string match on the group name
+// or a label selector applied to group labels.
 type GroupRestrictionApplyConfiguration struct {
-	Groups    []string                                 `json:"groups,omitempty"`
+	// groups is a list of groups used to match against an individual user's
+	// groups. If the user is a member of one of the whitelisted groups, the user
+	// is allowed to be bound to a role.
+	Groups []string `json:"groups,omitempty"`
+	// Selectors specifies a list of label selectors over group labels.
 	Selectors []metav1.LabelSelectorApplyConfiguration `json:"labels,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/policyrule.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/policyrule.go
index 16765a14ee1a5..066f81da25dd3 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/policyrule.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/policyrule.go
@@ -8,13 +8,26 @@ import (
 
 // PolicyRuleApplyConfiguration represents a declarative configuration of the PolicyRule type for use
 // with apply.
+//
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
 type PolicyRuleApplyConfiguration struct {
-	Verbs                 []string              `json:"verbs,omitempty"`
+	// verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string `json:"verbs,omitempty"`
+	// attributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.
+	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.
 	AttributeRestrictions *runtime.RawExtension `json:"attributeRestrictions,omitempty"`
-	APIGroups             []string              `json:"apiGroups,omitempty"`
-	Resources             []string              `json:"resources,omitempty"`
-	ResourceNames         []string              `json:"resourceNames,omitempty"`
-	NonResourceURLsSlice  []string              `json:"nonResourceURLs,omitempty"`
+	// apiGroups is the name of the APIGroup that contains the resources.  If this field is empty, then both kubernetes and origin API groups are assumed.
+	// That means that if an action is requested against one of the enumerated resources in either the kubernetes or the origin API group, the request
+	// will be allowed
+	APIGroups []string `json:"apiGroups,omitempty"`
+	// resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	Resources []string `json:"resources,omitempty"`
+	// resourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	ResourceNames []string `json:"resourceNames,omitempty"`
+	// NonResourceURLsSlice is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
+	NonResourceURLsSlice []string `json:"nonResourceURLs,omitempty"`
 }
 
 // PolicyRuleApplyConfiguration constructs a declarative configuration of the PolicyRule type for use with
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/role.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/role.go
index ae43f93ab9006..1bf700223f94c 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/role.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/role.go
@@ -13,10 +13,17 @@ import (
 
 // RoleApplyConfiguration represents a declarative configuration of the Role type for use
 // with apply.
+//
+// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type RoleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Rules                                []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
+	// rules holds all the PolicyRules for this Role
+	Rules []PolicyRuleApplyConfiguration `json:"rules,omitempty"`
 }
 
 // Role constructs a declarative configuration of the Role type for use with
@@ -30,29 +37,14 @@ func Role(name, namespace string) *RoleApplyConfiguration {
 	return b
 }
 
-// ExtractRole extracts the applied configuration owned by fieldManager from
-// role. If no managedFields are found in role for fieldManager, a
-// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleFrom extracts the applied configuration owned by fieldManager from
+// role for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // role must be a unmodified Role API object that was retrieved from the Kubernetes API.
-// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRole(role *authorizationv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "")
-}
-
-// ExtractRoleStatus is the same as ExtractRole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleStatus(role *authorizationv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
-	return extractRole(role, fieldManager, "status")
-}
-
-func extractRole(role *authorizationv1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
+func ExtractRoleFrom(role *authorizationv1.Role, fieldManager string, subresource string) (*RoleApplyConfiguration, error) {
 	b := &RoleApplyConfiguration{}
 	err := managedfields.ExtractInto(role, internal.Parser().Type("com.github.openshift.api.authorization.v1.Role"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +57,21 @@ func extractRole(role *authorizationv1.Role, fieldManager string, subresource st
 	b.WithAPIVersion("authorization.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractRole extracts the applied configuration owned by fieldManager from
+// role. If no managedFields are found in role for fieldManager, a
+// RoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// role must be a unmodified Role API object that was retrieved from the Kubernetes API.
+// ExtractRole provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRole(role *authorizationv1.Role, fieldManager string) (*RoleApplyConfiguration, error) {
+	return ExtractRoleFrom(role, fieldManager, "")
+}
+
 func (b RoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebinding.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebinding.go
index 73c066867bc64..8bb57c4958efe 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebinding.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebinding.go
@@ -14,13 +14,35 @@ import (
 
 // RoleBindingApplyConfiguration represents a declarative configuration of the RoleBinding type for use
 // with apply.
+//
+// RoleBinding references a Role, but not contain it.  It can reference any Role in the same namespace or in the global namespace.
+// It adds who information via (Users and Groups) OR Subjects and namespace information by which namespace it exists in.
+// RoleBindings in a given namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type RoleBindingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	UserNames                            *authorizationv1.OptionalNames `json:"userNames,omitempty"`
-	GroupNames                           *authorizationv1.OptionalNames `json:"groupNames,omitempty"`
-	Subjects                             []corev1.ObjectReference       `json:"subjects,omitempty"`
-	RoleRef                              *corev1.ObjectReference        `json:"roleRef,omitempty"`
+	// userNames holds all the usernames directly bound to the role.
+	// This field should only be specified when supporting legacy clients and servers.
+	// See Subjects for further details.
+	UserNames *authorizationv1.OptionalNames `json:"userNames,omitempty"`
+	// groupNames holds all the groups directly bound to the role.
+	// This field should only be specified when supporting legacy clients and servers.
+	// See Subjects for further details.
+	GroupNames *authorizationv1.OptionalNames `json:"groupNames,omitempty"`
+	// subjects hold object references to authorize with this rule.
+	// This field is ignored if UserNames or GroupNames are specified to support legacy clients and servers.
+	// Thus newer clients that do not need to support backwards compatibility should send
+	// only fully qualified Subjects and should omit the UserNames and GroupNames fields.
+	// Clients that need to support backwards compatibility can use this field to build the UserNames and GroupNames.
+	Subjects []corev1.ObjectReference `json:"subjects,omitempty"`
+	// roleRef can only reference the current namespace and the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// Since Policy is a singleton, this is sufficient knowledge to locate a role.
+	RoleRef *corev1.ObjectReference `json:"roleRef,omitempty"`
 }
 
 // RoleBinding constructs a declarative configuration of the RoleBinding type for use with
@@ -34,29 +56,14 @@ func RoleBinding(name, namespace string) *RoleBindingApplyConfiguration {
 	return b
 }
 
-// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
-// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
-// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleBindingFrom extracts the applied configuration owned by fieldManager from
+// roleBinding for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
-// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleBindingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRoleBinding(roleBinding *authorizationv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "")
-}
-
-// ExtractRoleBindingStatus is the same as ExtractRoleBinding except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleBindingStatus(roleBinding *authorizationv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
-	return extractRoleBinding(roleBinding, fieldManager, "status")
-}
-
-func extractRoleBinding(roleBinding *authorizationv1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
+func ExtractRoleBindingFrom(roleBinding *authorizationv1.RoleBinding, fieldManager string, subresource string) (*RoleBindingApplyConfiguration, error) {
 	b := &RoleBindingApplyConfiguration{}
 	err := managedfields.ExtractInto(roleBinding, internal.Parser().Type("com.github.openshift.api.authorization.v1.RoleBinding"), fieldManager, b, subresource)
 	if err != nil {
@@ -69,6 +76,21 @@ func extractRoleBinding(roleBinding *authorizationv1.RoleBinding, fieldManager s
 	b.WithAPIVersion("authorization.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractRoleBinding extracts the applied configuration owned by fieldManager from
+// roleBinding. If no managedFields are found in roleBinding for fieldManager, a
+// RoleBindingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// roleBinding must be a unmodified RoleBinding API object that was retrieved from the Kubernetes API.
+// ExtractRoleBinding provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRoleBinding(roleBinding *authorizationv1.RoleBinding, fieldManager string) (*RoleBindingApplyConfiguration, error) {
+	return ExtractRoleBindingFrom(roleBinding, fieldManager, "")
+}
+
 func (b RoleBindingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestriction.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestriction.go
index 98366e07abf75..b2a2d224403c0 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestriction.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestriction.go
@@ -13,10 +13,21 @@ import (
 
 // RoleBindingRestrictionApplyConfiguration represents a declarative configuration of the RoleBindingRestriction type for use
 // with apply.
+//
+// RoleBindingRestriction is an object that can be matched against a subject
+// (user, group, or service account) to determine whether rolebindings on that
+// subject are allowed in the namespace to which the RoleBindingRestriction
+// belongs.  If any one of those RoleBindingRestriction objects matches
+// a subject, rolebindings on that subject in the namespace are allowed.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type RoleBindingRestrictionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *RoleBindingRestrictionSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec defines the matcher.
+	Spec *RoleBindingRestrictionSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // RoleBindingRestriction constructs a declarative configuration of the RoleBindingRestriction type for use with
@@ -30,29 +41,14 @@ func RoleBindingRestriction(name, namespace string) *RoleBindingRestrictionApply
 	return b
 }
 
-// ExtractRoleBindingRestriction extracts the applied configuration owned by fieldManager from
-// roleBindingRestriction. If no managedFields are found in roleBindingRestriction for fieldManager, a
-// RoleBindingRestrictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRoleBindingRestrictionFrom extracts the applied configuration owned by fieldManager from
+// roleBindingRestriction for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // roleBindingRestriction must be a unmodified RoleBindingRestriction API object that was retrieved from the Kubernetes API.
-// ExtractRoleBindingRestriction provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRoleBindingRestrictionFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRoleBindingRestriction(roleBindingRestriction *authorizationv1.RoleBindingRestriction, fieldManager string) (*RoleBindingRestrictionApplyConfiguration, error) {
-	return extractRoleBindingRestriction(roleBindingRestriction, fieldManager, "")
-}
-
-// ExtractRoleBindingRestrictionStatus is the same as ExtractRoleBindingRestriction except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRoleBindingRestrictionStatus(roleBindingRestriction *authorizationv1.RoleBindingRestriction, fieldManager string) (*RoleBindingRestrictionApplyConfiguration, error) {
-	return extractRoleBindingRestriction(roleBindingRestriction, fieldManager, "status")
-}
-
-func extractRoleBindingRestriction(roleBindingRestriction *authorizationv1.RoleBindingRestriction, fieldManager string, subresource string) (*RoleBindingRestrictionApplyConfiguration, error) {
+func ExtractRoleBindingRestrictionFrom(roleBindingRestriction *authorizationv1.RoleBindingRestriction, fieldManager string, subresource string) (*RoleBindingRestrictionApplyConfiguration, error) {
 	b := &RoleBindingRestrictionApplyConfiguration{}
 	err := managedfields.ExtractInto(roleBindingRestriction, internal.Parser().Type("com.github.openshift.api.authorization.v1.RoleBindingRestriction"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +61,21 @@ func extractRoleBindingRestriction(roleBindingRestriction *authorizationv1.RoleB
 	b.WithAPIVersion("authorization.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractRoleBindingRestriction extracts the applied configuration owned by fieldManager from
+// roleBindingRestriction. If no managedFields are found in roleBindingRestriction for fieldManager, a
+// RoleBindingRestrictionApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// roleBindingRestriction must be a unmodified RoleBindingRestriction API object that was retrieved from the Kubernetes API.
+// ExtractRoleBindingRestriction provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRoleBindingRestriction(roleBindingRestriction *authorizationv1.RoleBindingRestriction, fieldManager string) (*RoleBindingRestrictionApplyConfiguration, error) {
+	return ExtractRoleBindingRestrictionFrom(roleBindingRestriction, fieldManager, "")
+}
+
 func (b RoleBindingRestrictionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestrictionspec.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestrictionspec.go
index 9482ebcce6951..1f8aa72cb4847 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestrictionspec.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestrictionspec.go
@@ -4,9 +4,15 @@ package v1
 
 // RoleBindingRestrictionSpecApplyConfiguration represents a declarative configuration of the RoleBindingRestrictionSpec type for use
 // with apply.
+//
+// RoleBindingRestrictionSpec defines a rolebinding restriction.  Exactly one
+// field must be non-nil.
 type RoleBindingRestrictionSpecApplyConfiguration struct {
-	UserRestriction           *UserRestrictionApplyConfiguration           `json:"userrestriction,omitempty"`
-	GroupRestriction          *GroupRestrictionApplyConfiguration          `json:"grouprestriction,omitempty"`
+	// userrestriction matches against user subjects.
+	UserRestriction *UserRestrictionApplyConfiguration `json:"userrestriction,omitempty"`
+	// grouprestriction matches against group subjects.
+	GroupRestriction *GroupRestrictionApplyConfiguration `json:"grouprestriction,omitempty"`
+	// serviceaccountrestriction matches against service-account subjects.
 	ServiceAccountRestriction *ServiceAccountRestrictionApplyConfiguration `json:"serviceaccountrestriction,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountreference.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountreference.go
index 9f22961ff487a..500be2867f034 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountreference.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountreference.go
@@ -4,8 +4,16 @@ package v1
 
 // ServiceAccountReferenceApplyConfiguration represents a declarative configuration of the ServiceAccountReference type for use
 // with apply.
+//
+// ServiceAccountReference specifies a service account and namespace by their
+// names.
 type ServiceAccountReferenceApplyConfiguration struct {
-	Name      *string `json:"name,omitempty"`
+	// name is the name of the service account.
+	Name *string `json:"name,omitempty"`
+	// namespace is the namespace of the service account.  Service accounts from
+	// inside the whitelisted namespaces are allowed to be bound to roles.  If
+	// Namespace is empty, then the namespace of the RoleBindingRestriction in
+	// which the ServiceAccountReference is embedded is used.
 	Namespace *string `json:"namespace,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountrestriction.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountrestriction.go
index 9d0f1fcf9609a..649d7131af464 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountrestriction.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountrestriction.go
@@ -4,9 +4,15 @@ package v1
 
 // ServiceAccountRestrictionApplyConfiguration represents a declarative configuration of the ServiceAccountRestriction type for use
 // with apply.
+//
+// ServiceAccountRestriction matches a service account by a string match on
+// either the service-account name or the name of the service account's
+// namespace.
 type ServiceAccountRestrictionApplyConfiguration struct {
+	// serviceaccounts specifies a list of literal service-account names.
 	ServiceAccounts []ServiceAccountReferenceApplyConfiguration `json:"serviceaccounts,omitempty"`
-	Namespaces      []string                                    `json:"namespaces,omitempty"`
+	// namespaces specifies a list of literal namespace names.
+	Namespaces []string `json:"namespaces,omitempty"`
 }
 
 // ServiceAccountRestrictionApplyConfiguration constructs a declarative configuration of the ServiceAccountRestriction type for use with
diff --git a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/userrestriction.go b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/userrestriction.go
index dc931b60ed82d..ce08226d9b273 100644
--- a/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/userrestriction.go
+++ b/vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/userrestriction.go
@@ -8,9 +8,16 @@ import (
 
 // UserRestrictionApplyConfiguration represents a declarative configuration of the UserRestriction type for use
 // with apply.
+//
+// UserRestriction matches a user either by a string match on the user name,
+// a string match on the name of a group to which the user belongs, or a label
+// selector applied to the user labels.
 type UserRestrictionApplyConfiguration struct {
-	Users     []string                                 `json:"users,omitempty"`
-	Groups    []string                                 `json:"groups,omitempty"`
+	// users specifies a list of literal user names.
+	Users []string `json:"users,omitempty"`
+	// groups specifies a list of literal group names.
+	Groups []string `json:"groups,omitempty"`
+	// Selectors specifies a list of label selectors over user labels.
 	Selectors []metav1.LabelSelectorApplyConfiguration `json:"labels,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/authorization/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/authorization/clientset/versioned/fake/clientset_generated.go
index 784915c15fe80..90fbf555b84c1 100644
--- a/vendor/github.com/openshift/client-go/authorization/clientset/versioned/fake/clientset_generated.go
+++ b/vendor/github.com/openshift/client-go/authorization/clientset/versioned/fake/clientset_generated.go
@@ -20,7 +20,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -36,8 +36,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -68,6 +68,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrole.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrole.go
index 54e01589ee715..6d9624151b97e 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrole.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrole.go
@@ -40,7 +40,7 @@ func NewClusterRoleInformer(client versioned.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterRoleInformer(client versioned.Interface, resyncPeriod tim
 				}
 				return client.AuthorizationV1().ClusterRoles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiauthorizationv1.ClusterRole{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrolebinding.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrolebinding.go
index 04216726c2316..65af8d1b23990 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrolebinding.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrolebinding.go
@@ -40,7 +40,7 @@ func NewClusterRoleBindingInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterRoleBindingInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterRoleBindingInformer(client versioned.Interface, resyncPer
 				}
 				return client.AuthorizationV1().ClusterRoleBindings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiauthorizationv1.ClusterRoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/role.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/role.go
index b478def84b22c..167f82e730b94 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/role.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/role.go
@@ -41,7 +41,7 @@ func NewRoleInformer(client versioned.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredRoleInformer(client versioned.Interface, namespace string, resyn
 				}
 				return client.AuthorizationV1().Roles(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiauthorizationv1.Role{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebinding.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebinding.go
index e0a9f1a295ef9..efb1341dc9bdf 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebinding.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebinding.go
@@ -41,7 +41,7 @@ func NewRoleBindingInformer(client versioned.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleBindingInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredRoleBindingInformer(client versioned.Interface, namespace string
 				}
 				return client.AuthorizationV1().RoleBindings(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiauthorizationv1.RoleBinding{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebindingrestriction.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebindingrestriction.go
index 6b4fa3cf71a61..5b8b65b1aebed 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebindingrestriction.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebindingrestriction.go
@@ -41,7 +41,7 @@ func NewRoleBindingRestrictionInformer(client versioned.Interface, namespace str
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRoleBindingRestrictionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredRoleBindingRestrictionInformer(client versioned.Interface, names
 				}
 				return client.AuthorizationV1().RoleBindingRestrictions(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiauthorizationv1.RoleBindingRestriction{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/factory.go
index 56ad0bda3daf4..49671d70a1f8d 100644
--- a/vendor/github.com/openshift/client-go/authorization/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/authorization/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/binarybuildsource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/binarybuildsource.go
index 45e7cc53f5454..ae9e6eede0c39 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/binarybuildsource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/binarybuildsource.go
@@ -4,7 +4,16 @@ package v1
 
 // BinaryBuildSourceApplyConfiguration represents a declarative configuration of the BinaryBuildSource type for use
 // with apply.
+//
+// BinaryBuildSource describes a binary file to be used for the Docker and Source build strategies,
+// where the file will be extracted and used as the build source.
 type BinaryBuildSourceApplyConfiguration struct {
+	// asFile indicates that the provided binary input should be considered a single file
+	// within the build input. For example, specifying "webapp.war" would place the provided
+	// binary as `/webapp.war` for the builder. If left empty, the Docker and Source build
+	// strategies assume this file is a zip, tar, or tar.gz file and extract it as the source.
+	// The custom strategy receives this binary as standard input. This filename may not
+	// contain slashes or be '..' or '.'.
 	AsFile *string `json:"asFile,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/bitbucketwebhookcause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/bitbucketwebhookcause.go
index 2a40f7f544732..bc3a266054862 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/bitbucketwebhookcause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/bitbucketwebhookcause.go
@@ -4,6 +4,9 @@ package v1
 
 // BitbucketWebHookCauseApplyConfiguration represents a declarative configuration of the BitbucketWebHookCause type for use
 // with apply.
+//
+// BitbucketWebHookCause has information about a Bitbucket webhook that triggered a
+// build.
 type BitbucketWebHookCauseApplyConfiguration struct {
 	CommonWebHookCauseApplyConfiguration `json:",inline"`
 }
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/build.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/build.go
index 263e866ae6520..a4c589cfecd59 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/build.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/build.go
@@ -13,11 +13,20 @@ import (
 
 // BuildApplyConfiguration represents a declarative configuration of the Build type for use
 // with apply.
+//
+// Build encapsulates the inputs needed to produce a new deployable image, as well as
+// the status of the execution and a reference to the Pod which executed the build.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type BuildApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *BuildSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *BuildStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is all the inputs used to execute the build.
+	Spec *BuildSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current status of the build.
+	Status *BuildStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Build constructs a declarative configuration of the Build type for use with
@@ -31,6 +40,27 @@ func Build(name, namespace string) *BuildApplyConfiguration {
 	return b
 }
 
+// ExtractBuildFrom extracts the applied configuration owned by fieldManager from
+// build for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// build must be a unmodified Build API object that was retrieved from the Kubernetes API.
+// ExtractBuildFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractBuildFrom(build *buildv1.Build, fieldManager string, subresource string) (*BuildApplyConfiguration, error) {
+	b := &BuildApplyConfiguration{}
+	err := managedfields.ExtractInto(build, internal.Parser().Type("com.github.openshift.api.build.v1.Build"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(build.Name)
+	b.WithNamespace(build.Namespace)
+
+	b.WithKind("Build")
+	b.WithAPIVersion("build.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractBuild extracts the applied configuration owned by fieldManager from
 // build. If no managedFields are found in build for fieldManager, a
 // BuildApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +71,28 @@ func Build(name, namespace string) *BuildApplyConfiguration {
 // ExtractBuild provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractBuild(build *buildv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
-	return extractBuild(build, fieldManager, "")
+	return ExtractBuildFrom(build, fieldManager, "")
 }
 
-// ExtractBuildStatus is the same as ExtractBuild except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractBuildStatus(build *buildv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
-	return extractBuild(build, fieldManager, "status")
+// ExtractBuildClone extracts the applied configuration owned by fieldManager from
+// build for the clone subresource.
+func ExtractBuildClone(build *buildv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
+	return ExtractBuildFrom(build, fieldManager, "clone")
 }
 
-func extractBuild(build *buildv1.Build, fieldManager string, subresource string) (*BuildApplyConfiguration, error) {
-	b := &BuildApplyConfiguration{}
-	err := managedfields.ExtractInto(build, internal.Parser().Type("com.github.openshift.api.build.v1.Build"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(build.Name)
-	b.WithNamespace(build.Namespace)
+// ExtractBuildDetails extracts the applied configuration owned by fieldManager from
+// build for the details subresource.
+func ExtractBuildDetails(build *buildv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
+	return ExtractBuildFrom(build, fieldManager, "details")
+}
 
-	b.WithKind("Build")
-	b.WithAPIVersion("build.openshift.io/v1")
-	return b, nil
+// ExtractBuildStatus extracts the applied configuration owned by fieldManager from
+// build for the status subresource.
+func ExtractBuildStatus(build *buildv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
+	return ExtractBuildFrom(build, fieldManager, "status")
 }
+
 func (b BuildApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildcondition.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildcondition.go
index 0f58e891b8136..e75a396a27140 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildcondition.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildcondition.go
@@ -10,13 +10,21 @@ import (
 
 // BuildConditionApplyConfiguration represents a declarative configuration of the BuildCondition type for use
 // with apply.
+//
+// BuildCondition describes the state of a build at a certain point.
 type BuildConditionApplyConfiguration struct {
-	Type               *buildv1.BuildConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus     `json:"status,omitempty"`
-	LastUpdateTime     *metav1.Time                `json:"lastUpdateTime,omitempty"`
-	LastTransitionTime *metav1.Time                `json:"lastTransitionTime,omitempty"`
-	Reason             *string                     `json:"reason,omitempty"`
-	Message            *string                     `json:"message,omitempty"`
+	// type of build condition.
+	Type *buildv1.BuildConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// The last time this condition was updated.
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
+	// The last time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// The reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// A human readable message indicating details about the transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // BuildConditionApplyConfiguration constructs a declarative configuration of the BuildCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfig.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfig.go
index 4bd504ccbcbad..1c56c6030f497 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfig.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfig.go
@@ -13,11 +13,22 @@ import (
 
 // BuildConfigApplyConfiguration represents a declarative configuration of the BuildConfig type for use
 // with apply.
+//
+// Build configurations define a build process for new container images. There are three types of builds possible - a container image build using a Dockerfile, a Source-to-Image build that uses a specially prepared base image that accepts source code that it can make runnable, and a custom build that can run // arbitrary container images as a base and accept the build parameters. Builds run on the cluster and on completion are pushed to the container image registry specified in the "output" section. A build can be triggered via a webhook, when the base image changes, or when a user manually requests a new build be // created.
+//
+// Each build created by a build configuration is numbered and refers back to its parent configuration. Multiple builds can be triggered at once. Builds that do not have "output" set can be used to test code or run a verification build.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type BuildConfigApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *BuildConfigSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *BuildConfigStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds all the input necessary to produce a new build, and the conditions when
+	// to trigger them.
+	Spec *BuildConfigSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds any relevant information about a build config
+	Status *BuildConfigStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // BuildConfig constructs a declarative configuration of the BuildConfig type for use with
@@ -31,6 +42,27 @@ func BuildConfig(name, namespace string) *BuildConfigApplyConfiguration {
 	return b
 }
 
+// ExtractBuildConfigFrom extracts the applied configuration owned by fieldManager from
+// buildConfig for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// buildConfig must be a unmodified BuildConfig API object that was retrieved from the Kubernetes API.
+// ExtractBuildConfigFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractBuildConfigFrom(buildConfig *buildv1.BuildConfig, fieldManager string, subresource string) (*BuildConfigApplyConfiguration, error) {
+	b := &BuildConfigApplyConfiguration{}
+	err := managedfields.ExtractInto(buildConfig, internal.Parser().Type("com.github.openshift.api.build.v1.BuildConfig"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(buildConfig.Name)
+	b.WithNamespace(buildConfig.Namespace)
+
+	b.WithKind("BuildConfig")
+	b.WithAPIVersion("build.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractBuildConfig extracts the applied configuration owned by fieldManager from
 // buildConfig. If no managedFields are found in buildConfig for fieldManager, a
 // BuildConfigApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +73,22 @@ func BuildConfig(name, namespace string) *BuildConfigApplyConfiguration {
 // ExtractBuildConfig provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractBuildConfig(buildConfig *buildv1.BuildConfig, fieldManager string) (*BuildConfigApplyConfiguration, error) {
-	return extractBuildConfig(buildConfig, fieldManager, "")
+	return ExtractBuildConfigFrom(buildConfig, fieldManager, "")
 }
 
-// ExtractBuildConfigStatus is the same as ExtractBuildConfig except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractBuildConfigStatus(buildConfig *buildv1.BuildConfig, fieldManager string) (*BuildConfigApplyConfiguration, error) {
-	return extractBuildConfig(buildConfig, fieldManager, "status")
+// ExtractBuildConfigInstantiate extracts the applied configuration owned by fieldManager from
+// buildConfig for the instantiate subresource.
+func ExtractBuildConfigInstantiate(buildConfig *buildv1.BuildConfig, fieldManager string) (*BuildConfigApplyConfiguration, error) {
+	return ExtractBuildConfigFrom(buildConfig, fieldManager, "instantiate")
 }
 
-func extractBuildConfig(buildConfig *buildv1.BuildConfig, fieldManager string, subresource string) (*BuildConfigApplyConfiguration, error) {
-	b := &BuildConfigApplyConfiguration{}
-	err := managedfields.ExtractInto(buildConfig, internal.Parser().Type("com.github.openshift.api.build.v1.BuildConfig"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(buildConfig.Name)
-	b.WithNamespace(buildConfig.Namespace)
-
-	b.WithKind("BuildConfig")
-	b.WithAPIVersion("build.openshift.io/v1")
-	return b, nil
+// ExtractBuildConfigStatus extracts the applied configuration owned by fieldManager from
+// buildConfig for the status subresource.
+func ExtractBuildConfigStatus(buildConfig *buildv1.BuildConfig, fieldManager string) (*BuildConfigApplyConfiguration, error) {
+	return ExtractBuildConfigFrom(buildConfig, fieldManager, "status")
 }
+
 func (b BuildConfigApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigspec.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigspec.go
index 07a5a0e1ac2cb..7edd11c6d1537 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigspec.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigspec.go
@@ -9,12 +9,27 @@ import (
 
 // BuildConfigSpecApplyConfiguration represents a declarative configuration of the BuildConfigSpec type for use
 // with apply.
+//
+// BuildConfigSpec describes when and how builds are created
 type BuildConfigSpecApplyConfiguration struct {
-	Triggers                     []BuildTriggerPolicyApplyConfiguration `json:"triggers,omitempty"`
-	RunPolicy                    *buildv1.BuildRunPolicy                `json:"runPolicy,omitempty"`
+	// triggers determine how new Builds can be launched from a BuildConfig. If
+	// no triggers are defined, a new build can only occur as a result of an
+	// explicit client build creation.
+	Triggers []BuildTriggerPolicyApplyConfiguration `json:"triggers,omitempty"`
+	// runPolicy describes how the new build created from this build
+	// configuration will be scheduled for execution.
+	// This is optional, if not specified we default to "Serial".
+	RunPolicy *buildv1.BuildRunPolicy `json:"runPolicy,omitempty"`
+	// CommonSpec is the desired build specification
 	CommonSpecApplyConfiguration `json:",inline"`
+	// successfulBuildsHistoryLimit is the number of old successful builds to retain.
+	// When a BuildConfig is created, the 5 most recent successful builds are retained unless this value is set.
+	// If removed after the BuildConfig has been created, all successful builds are retained.
 	SuccessfulBuildsHistoryLimit *int32 `json:"successfulBuildsHistoryLimit,omitempty"`
-	FailedBuildsHistoryLimit     *int32 `json:"failedBuildsHistoryLimit,omitempty"`
+	// failedBuildsHistoryLimit is the number of old failed builds to retain.
+	// When a BuildConfig is created, the 5 most recent failed builds are retained unless this value is set.
+	// If removed after the BuildConfig has been created, all failed builds are retained.
+	FailedBuildsHistoryLimit *int32 `json:"failedBuildsHistoryLimit,omitempty"`
 }
 
 // BuildConfigSpecApplyConfiguration constructs a declarative configuration of the BuildConfigSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigstatus.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigstatus.go
index 9f63f635f9e56..4406b67105427 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigstatus.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigstatus.go
@@ -4,8 +4,14 @@ package v1
 
 // BuildConfigStatusApplyConfiguration represents a declarative configuration of the BuildConfigStatus type for use
 // with apply.
+//
+// BuildConfigStatus contains current state of the build config object.
 type BuildConfigStatusApplyConfiguration struct {
-	LastVersion         *int64                                       `json:"lastVersion,omitempty"`
+	// lastVersion is used to inform about number of last triggered build.
+	LastVersion *int64 `json:"lastVersion,omitempty"`
+	// imageChangeTriggers captures the runtime state of any ImageChangeTrigger specified in the BuildConfigSpec,
+	// including the value reconciled by the OpenShift APIServer for the lastTriggeredImageID. There is a single entry
+	// in this array for each image change trigger in spec. Each trigger status references the ImageStreamTag that acts as the source of the trigger.
 	ImageChangeTriggers []ImageChangeTriggerStatusApplyConfiguration `json:"imageChangeTriggers,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildoutput.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildoutput.go
index 0becc3d82af33..657b97936c1bd 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildoutput.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildoutput.go
@@ -8,9 +8,22 @@ import (
 
 // BuildOutputApplyConfiguration represents a declarative configuration of the BuildOutput type for use
 // with apply.
+//
+// BuildOutput is input to a build strategy and describes the container image that the strategy
+// should produce.
 type BuildOutputApplyConfiguration struct {
-	To          *corev1.ObjectReference        `json:"to,omitempty"`
-	PushSecret  *corev1.LocalObjectReference   `json:"pushSecret,omitempty"`
+	// to defines an optional location to push the output of this build to.
+	// Kind must be one of 'ImageStreamTag' or 'DockerImage'.
+	// This value will be used to look up a container image repository to push to.
+	// In the case of an ImageStreamTag, the ImageStreamTag will be looked for in the namespace of
+	// the build unless Namespace is specified.
+	To *corev1.ObjectReference `json:"to,omitempty"`
+	// pushSecret is the name of a Secret that would be used for setting
+	// up the authentication for executing the Docker push to authentication
+	// enabled Docker Registry (or Docker Hub).
+	PushSecret *corev1.LocalObjectReference `json:"pushSecret,omitempty"`
+	// imageLabels define a list of labels that are applied to the resulting image. If there
+	// are multiple labels with the same name then the last one in the list is used.
 	ImageLabels []ImageLabelApplyConfiguration `json:"imageLabels,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildpostcommitspec.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildpostcommitspec.go
index 573e478436141..4dfba5ab8ceaa 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildpostcommitspec.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildpostcommitspec.go
@@ -4,10 +4,93 @@ package v1
 
 // BuildPostCommitSpecApplyConfiguration represents a declarative configuration of the BuildPostCommitSpec type for use
 // with apply.
+//
+// A BuildPostCommitSpec holds a build post commit hook specification. The hook
+// executes a command in a temporary container running the build output image,
+// immediately after the last layer of the image is committed and before the
+// image is pushed to a registry. The command is executed with the current
+// working directory ($PWD) set to the image's WORKDIR.
+//
+// The build will be marked as failed if the hook execution fails. It will fail
+// if the script or command return a non-zero exit code, or if there is any
+// other error related to starting the temporary container.
+//
+// There are five different ways to configure the hook. As an example, all forms
+// below are equivalent and will execute `rake test --verbose`.
+//
+// 1. Shell script:
+//
+// "postCommit": {
+// "script": "rake test --verbose",
+// }
+//
+// The above is a convenient form which is equivalent to:
+//
+// "postCommit": {
+// "command": ["/bin/sh", "-ic"],
+// "args":    ["rake test --verbose"]
+// }
+//
+// 2. A command as the image entrypoint:
+//
+// "postCommit": {
+// "commit": ["rake", "test", "--verbose"]
+// }
+//
+// Command overrides the image entrypoint in the exec form, as documented in
+// Docker: https://docs.docker.com/engine/reference/builder/#entrypoint.
+//
+// 3. Pass arguments to the default entrypoint:
+//
+// "postCommit": {
+// "args": ["rake", "test", "--verbose"]
+// }
+//
+// This form is only useful if the image entrypoint can handle arguments.
+//
+// 4. Shell script with arguments:
+//
+// "postCommit": {
+// "script": "rake test $1",
+// "args":   ["--verbose"]
+// }
+//
+// This form is useful if you need to pass arguments that would otherwise be
+// hard to quote properly in the shell script. In the script, $0 will be
+// "/bin/sh" and $1, $2, etc, are the positional arguments from Args.
+//
+// 5. Command with arguments:
+//
+// "postCommit": {
+// "command": ["rake", "test"],
+// "args":    ["--verbose"]
+// }
+//
+// This form is equivalent to appending the arguments to the Command slice.
+//
+// It is invalid to provide both Script and Command simultaneously. If none of
+// the fields are specified, the hook is not executed.
 type BuildPostCommitSpecApplyConfiguration struct {
+	// command is the command to run. It may not be specified with Script.
+	// This might be needed if the image doesn't have `/bin/sh`, or if you
+	// do not want to use a shell. In all other cases, using Script might be
+	// more convenient.
 	Command []string `json:"command,omitempty"`
-	Args    []string `json:"args,omitempty"`
-	Script  *string  `json:"script,omitempty"`
+	// args is a list of arguments that are provided to either Command,
+	// Script or the container image's default entrypoint. The arguments are
+	// placed immediately after the command to be run.
+	Args []string `json:"args,omitempty"`
+	// script is a shell script to be run with `/bin/sh -ic`. It may not be
+	// specified with Command. Use Script when a shell script is appropriate
+	// to execute the post build hook, for example for running unit tests
+	// with `rake test`. If you need control over the image entrypoint, or
+	// if the image does not have `/bin/sh`, use Command and/or Args.
+	// The `-i` flag is needed to support CentOS and RHEL images that use
+	// Software Collections (SCL), in order to have the appropriate
+	// collections enabled in the shell. E.g., in the Ruby image, this is
+	// necessary to make `ruby`, `bundle` and other binaries available in
+	// the PATH.
+	Script *string `json:"script,omitempty"`
 }
 
 // BuildPostCommitSpecApplyConfiguration constructs a declarative configuration of the BuildPostCommitSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildsource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildsource.go
index d42919a7d8268..51bb4eb8a7339 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildsource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildsource.go
@@ -9,16 +9,46 @@ import (
 
 // BuildSourceApplyConfiguration represents a declarative configuration of the BuildSource type for use
 // with apply.
+//
+// BuildSource is the SCM used for the build.
 type BuildSourceApplyConfiguration struct {
-	Type         *buildv1.BuildSourceType                 `json:"type,omitempty"`
-	Binary       *BinaryBuildSourceApplyConfiguration     `json:"binary,omitempty"`
-	Dockerfile   *string                                  `json:"dockerfile,omitempty"`
-	Git          *GitBuildSourceApplyConfiguration        `json:"git,omitempty"`
-	Images       []ImageSourceApplyConfiguration          `json:"images,omitempty"`
-	ContextDir   *string                                  `json:"contextDir,omitempty"`
-	SourceSecret *corev1.LocalObjectReference             `json:"sourceSecret,omitempty"`
-	Secrets      []SecretBuildSourceApplyConfiguration    `json:"secrets,omitempty"`
-	ConfigMaps   []ConfigMapBuildSourceApplyConfiguration `json:"configMaps,omitempty"`
+	// type of build input to accept
+	Type *buildv1.BuildSourceType `json:"type,omitempty"`
+	// binary builds accept a binary as their input. The binary is generally assumed to be a tar,
+	// gzipped tar, or zip file depending on the strategy. For container image builds, this is the build
+	// context and an optional Dockerfile may be specified to override any Dockerfile in the
+	// build context. For Source builds, this is assumed to be an archive as described above. For
+	// Source and container image builds, if binary.asFile is set the build will receive a directory with
+	// a single file. contextDir may be used when an archive is provided. Custom builds will
+	// receive this binary as input on STDIN.
+	Binary *BinaryBuildSourceApplyConfiguration `json:"binary,omitempty"`
+	// dockerfile is the raw contents of a Dockerfile which should be built. When this option is
+	// specified, the FROM may be modified based on your strategy base image and additional ENV
+	// stanzas from your strategy environment will be added after the FROM, but before the rest
+	// of your Dockerfile stanzas. The Dockerfile source type may be used with other options like
+	// git - in those cases the Git repo will have any innate Dockerfile replaced in the context
+	// dir.
+	Dockerfile *string `json:"dockerfile,omitempty"`
+	// git contains optional information about git build source
+	Git *GitBuildSourceApplyConfiguration `json:"git,omitempty"`
+	// images describes a set of images to be used to provide source for the build
+	Images []ImageSourceApplyConfiguration `json:"images,omitempty"`
+	// contextDir specifies the sub-directory where the source code for the application exists.
+	// This allows to have buildable sources in directory other than root of
+	// repository.
+	ContextDir *string `json:"contextDir,omitempty"`
+	// sourceSecret is the name of a Secret that would be used for setting
+	// up the authentication for cloning private repository.
+	// The secret contains valid credentials for remote repository, where the
+	// data's key represent the authentication method to be used and value is
+	// the base64 encoded credentials. Supported auth methods are: ssh-privatekey.
+	SourceSecret *corev1.LocalObjectReference `json:"sourceSecret,omitempty"`
+	// secrets represents a list of secrets and their destinations that will
+	// be used only for the build.
+	Secrets []SecretBuildSourceApplyConfiguration `json:"secrets,omitempty"`
+	// configMaps represents a list of configMaps and their destinations that will
+	// be used for the build.
+	ConfigMaps []ConfigMapBuildSourceApplyConfiguration `json:"configMaps,omitempty"`
 }
 
 // BuildSourceApplyConfiguration constructs a declarative configuration of the BuildSource type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildspec.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildspec.go
index 3cb68d7988619..9bb63f81453fa 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildspec.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildspec.go
@@ -9,9 +9,15 @@ import (
 
 // BuildSpecApplyConfiguration represents a declarative configuration of the BuildSpec type for use
 // with apply.
+//
+// BuildSpec has the information to represent a build and also additional
+// information about a build
 type BuildSpecApplyConfiguration struct {
+	// CommonSpec is the information that represents a build
 	CommonSpecApplyConfiguration `json:",inline"`
-	TriggeredBy                  []BuildTriggerCauseApplyConfiguration `json:"triggeredBy,omitempty"`
+	// triggeredBy describes which triggers started the most recent update to the
+	// build configuration and contains information about those triggers.
+	TriggeredBy []BuildTriggerCauseApplyConfiguration `json:"triggeredBy,omitempty"`
 }
 
 // BuildSpecApplyConfiguration constructs a declarative configuration of the BuildSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatus.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatus.go
index 7124372c151fe..ff1331c630d6a 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatus.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatus.go
@@ -12,20 +12,46 @@ import (
 
 // BuildStatusApplyConfiguration represents a declarative configuration of the BuildStatus type for use
 // with apply.
+//
+// BuildStatus contains the status of a build
 type BuildStatusApplyConfiguration struct {
-	Phase                      *buildv1.BuildPhase                  `json:"phase,omitempty"`
-	Cancelled                  *bool                                `json:"cancelled,omitempty"`
-	Reason                     *buildv1.StatusReason                `json:"reason,omitempty"`
-	Message                    *string                              `json:"message,omitempty"`
-	StartTimestamp             *metav1.Time                         `json:"startTimestamp,omitempty"`
-	CompletionTimestamp        *metav1.Time                         `json:"completionTimestamp,omitempty"`
-	Duration                   *time.Duration                       `json:"duration,omitempty"`
-	OutputDockerImageReference *string                              `json:"outputDockerImageReference,omitempty"`
-	Config                     *corev1.ObjectReference              `json:"config,omitempty"`
-	Output                     *BuildStatusOutputApplyConfiguration `json:"output,omitempty"`
-	Stages                     []StageInfoApplyConfiguration        `json:"stages,omitempty"`
-	LogSnippet                 *string                              `json:"logSnippet,omitempty"`
-	Conditions                 []BuildConditionApplyConfiguration   `json:"conditions,omitempty"`
+	// phase is the point in the build lifecycle. Possible values are
+	// "New", "Pending", "Running", "Complete", "Failed", "Error", and "Cancelled".
+	Phase *buildv1.BuildPhase `json:"phase,omitempty"`
+	// cancelled describes if a cancel event was triggered for the build.
+	Cancelled *bool `json:"cancelled,omitempty"`
+	// reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.
+	Reason *buildv1.StatusReason `json:"reason,omitempty"`
+	// message is a human-readable message indicating details about why the build has this status.
+	Message *string `json:"message,omitempty"`
+	// startTimestamp is a timestamp representing the server time when this Build started
+	// running in a Pod.
+	// It is represented in RFC3339 form and is in UTC.
+	StartTimestamp *metav1.Time `json:"startTimestamp,omitempty"`
+	// completionTimestamp is a timestamp representing the server time when this Build was
+	// finished, whether that build failed or succeeded.  It reflects the time at which
+	// the Pod running the Build terminated.
+	// It is represented in RFC3339 form and is in UTC.
+	CompletionTimestamp *metav1.Time `json:"completionTimestamp,omitempty"`
+	// duration contains time.Duration object describing build time.
+	Duration *time.Duration `json:"duration,omitempty"`
+	// outputDockerImageReference contains a reference to the container image that
+	// will be built by this build. Its value is computed from
+	// Build.Spec.Output.To, and should include the registry address, so that
+	// it can be used to push and pull the image.
+	OutputDockerImageReference *string `json:"outputDockerImageReference,omitempty"`
+	// config is an ObjectReference to the BuildConfig this Build is based on.
+	Config *corev1.ObjectReference `json:"config,omitempty"`
+	// output describes the container image the build has produced.
+	Output *BuildStatusOutputApplyConfiguration `json:"output,omitempty"`
+	// stages contains details about each stage that occurs during the build
+	// including start time, duration (in milliseconds), and the steps that
+	// occured within each stage.
+	Stages []StageInfoApplyConfiguration `json:"stages,omitempty"`
+	// logSnippet is the last few lines of the build log.  This value is only set for builds that failed.
+	LogSnippet *string `json:"logSnippet,omitempty"`
+	// conditions represents the latest available observations of a build's current state.
+	Conditions []BuildConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // BuildStatusApplyConfiguration constructs a declarative configuration of the BuildStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutput.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutput.go
index 55523d3dfb821..ad2e016257647 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutput.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutput.go
@@ -4,7 +4,10 @@ package v1
 
 // BuildStatusOutputApplyConfiguration represents a declarative configuration of the BuildStatusOutput type for use
 // with apply.
+//
+// BuildStatusOutput contains the status of the built image.
 type BuildStatusOutputApplyConfiguration struct {
+	// to describes the status of the built image being pushed to a registry.
 	To *BuildStatusOutputToApplyConfiguration `json:"to,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutputto.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutputto.go
index 44149a6ba7b84..fbdbcdd501ff1 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutputto.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutputto.go
@@ -4,7 +4,16 @@ package v1
 
 // BuildStatusOutputToApplyConfiguration represents a declarative configuration of the BuildStatusOutputTo type for use
 // with apply.
+//
+// BuildStatusOutputTo describes the status of the built image with regards to
+// image registry to which it was supposed to be pushed.
 type BuildStatusOutputToApplyConfiguration struct {
+	// imageDigest is the digest of the built container image. The digest uniquely
+	// identifies the image in the registry to which it was pushed.
+	//
+	// Please note that this field may not always be set even if the push
+	// completes successfully - e.g. when the registry returns no digest or
+	// returns it in a format that the builder doesn't understand.
 	ImageDigest *string `json:"imageDigest,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstrategy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstrategy.go
index 5ad290331fd1d..7d5fabe0f0b81 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstrategy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstrategy.go
@@ -8,11 +8,19 @@ import (
 
 // BuildStrategyApplyConfiguration represents a declarative configuration of the BuildStrategy type for use
 // with apply.
+//
+// BuildStrategy contains the details of how to perform a build.
 type BuildStrategyApplyConfiguration struct {
-	Type                    *buildv1.BuildStrategyType                      `json:"type,omitempty"`
-	DockerStrategy          *DockerBuildStrategyApplyConfiguration          `json:"dockerStrategy,omitempty"`
-	SourceStrategy          *SourceBuildStrategyApplyConfiguration          `json:"sourceStrategy,omitempty"`
-	CustomStrategy          *CustomBuildStrategyApplyConfiguration          `json:"customStrategy,omitempty"`
+	// type is the kind of build strategy.
+	Type *buildv1.BuildStrategyType `json:"type,omitempty"`
+	// dockerStrategy holds the parameters to the container image build strategy.
+	DockerStrategy *DockerBuildStrategyApplyConfiguration `json:"dockerStrategy,omitempty"`
+	// sourceStrategy holds the parameters to the Source build strategy.
+	SourceStrategy *SourceBuildStrategyApplyConfiguration `json:"sourceStrategy,omitempty"`
+	// customStrategy holds the parameters to the Custom build strategy
+	CustomStrategy *CustomBuildStrategyApplyConfiguration `json:"customStrategy,omitempty"`
+	// jenkinsPipelineStrategy holds the parameters to the Jenkins Pipeline build strategy.
+	// Deprecated: use OpenShift Pipelines
 	JenkinsPipelineStrategy *JenkinsPipelineBuildStrategyApplyConfiguration `json:"jenkinsPipelineStrategy,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggercause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggercause.go
index 47f8f2df5c314..23193fc81e9d4 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggercause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggercause.go
@@ -4,12 +4,28 @@ package v1
 
 // BuildTriggerCauseApplyConfiguration represents a declarative configuration of the BuildTriggerCause type for use
 // with apply.
+//
+// BuildTriggerCause holds information about a triggered build. It is used for
+// displaying build trigger data for each build and build configuration in oc
+// describe. It is also used to describe which triggers led to the most recent
+// update in the build configuration.
 type BuildTriggerCauseApplyConfiguration struct {
-	Message          *string                                  `json:"message,omitempty"`
-	GenericWebHook   *GenericWebHookCauseApplyConfiguration   `json:"genericWebHook,omitempty"`
-	GitHubWebHook    *GitHubWebHookCauseApplyConfiguration    `json:"githubWebHook,omitempty"`
-	ImageChangeBuild *ImageChangeCauseApplyConfiguration      `json:"imageChangeBuild,omitempty"`
-	GitLabWebHook    *GitLabWebHookCauseApplyConfiguration    `json:"gitlabWebHook,omitempty"`
+	// message is used to store a human readable message for why the build was
+	// triggered. E.g.: "Manually triggered by user", "Configuration change",etc.
+	Message *string `json:"message,omitempty"`
+	// genericWebHook holds data about a builds generic webhook trigger.
+	GenericWebHook *GenericWebHookCauseApplyConfiguration `json:"genericWebHook,omitempty"`
+	// githubWebHook represents data for a GitHub webhook that fired a
+	// specific build.
+	GitHubWebHook *GitHubWebHookCauseApplyConfiguration `json:"githubWebHook,omitempty"`
+	// imageChangeBuild stores information about an imagechange event
+	// that triggered a new build.
+	ImageChangeBuild *ImageChangeCauseApplyConfiguration `json:"imageChangeBuild,omitempty"`
+	// gitlabWebHook represents data for a GitLab webhook that fired a specific
+	// build.
+	GitLabWebHook *GitLabWebHookCauseApplyConfiguration `json:"gitlabWebHook,omitempty"`
+	// bitbucketWebHook represents data for a Bitbucket webhook that fired a
+	// specific build.
 	BitbucketWebHook *BitbucketWebHookCauseApplyConfiguration `json:"bitbucketWebHook,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggerpolicy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggerpolicy.go
index 4cbcbff4842e2..6005bffaf0f7a 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggerpolicy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggerpolicy.go
@@ -8,13 +8,46 @@ import (
 
 // BuildTriggerPolicyApplyConfiguration represents a declarative configuration of the BuildTriggerPolicy type for use
 // with apply.
+//
+// BuildTriggerPolicy describes a policy for a single trigger that results in a new Build.
 type BuildTriggerPolicyApplyConfiguration struct {
-	Type             *buildv1.BuildTriggerType             `json:"type,omitempty"`
-	GitHubWebHook    *WebHookTriggerApplyConfiguration     `json:"github,omitempty"`
-	GenericWebHook   *WebHookTriggerApplyConfiguration     `json:"generic,omitempty"`
-	ImageChange      *ImageChangeTriggerApplyConfiguration `json:"imageChange,omitempty"`
-	GitLabWebHook    *WebHookTriggerApplyConfiguration     `json:"gitlab,omitempty"`
-	BitbucketWebHook *WebHookTriggerApplyConfiguration     `json:"bitbucket,omitempty"`
+	// type is the type of build trigger. Valid values:
+	//
+	// - GitHub
+	// GitHubWebHookBuildTriggerType represents a trigger that launches builds on
+	// GitHub webhook invocations
+	//
+	// - Generic
+	// GenericWebHookBuildTriggerType represents a trigger that launches builds on
+	// generic webhook invocations
+	//
+	// - GitLab
+	// GitLabWebHookBuildTriggerType represents a trigger that launches builds on
+	// GitLab webhook invocations
+	//
+	// - Bitbucket
+	// BitbucketWebHookBuildTriggerType represents a trigger that launches builds on
+	// Bitbucket webhook invocations
+	//
+	// - ImageChange
+	// ImageChangeBuildTriggerType represents a trigger that launches builds on
+	// availability of a new version of an image
+	//
+	// - ConfigChange
+	// ConfigChangeBuildTriggerType will trigger a build on an initial build config creation
+	// WARNING: In the future the behavior will change to trigger a build on any config change
+	Type *buildv1.BuildTriggerType `json:"type,omitempty"`
+	// github contains the parameters for a GitHub webhook type of trigger
+	GitHubWebHook *WebHookTriggerApplyConfiguration `json:"github,omitempty"`
+	// generic contains the parameters for a Generic webhook type of trigger
+	GenericWebHook *WebHookTriggerApplyConfiguration `json:"generic,omitempty"`
+	// imageChange contains parameters for an ImageChange type of trigger
+	ImageChange *ImageChangeTriggerApplyConfiguration `json:"imageChange,omitempty"`
+	// GitLabWebHook contains the parameters for a GitLab webhook type of trigger
+	GitLabWebHook *WebHookTriggerApplyConfiguration `json:"gitlab,omitempty"`
+	// BitbucketWebHook contains the parameters for a Bitbucket webhook type of
+	// trigger
+	BitbucketWebHook *WebHookTriggerApplyConfiguration `json:"bitbucket,omitempty"`
 }
 
 // BuildTriggerPolicyApplyConfiguration constructs a declarative configuration of the BuildTriggerPolicy type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolume.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolume.go
index 07cb53bf25dd9..a441cb3273f1b 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolume.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolume.go
@@ -4,9 +4,20 @@ package v1
 
 // BuildVolumeApplyConfiguration represents a declarative configuration of the BuildVolume type for use
 // with apply.
+//
+// BuildVolume describes a volume that is made available to build pods,
+// such that it can be mounted into buildah's runtime environment.
+// Only a subset of Kubernetes Volume sources are supported.
 type BuildVolumeApplyConfiguration struct {
-	Name   *string                              `json:"name,omitempty"`
+	// name is a unique identifier for this BuildVolume.
+	// It must conform to the Kubernetes DNS label standard and be unique within the pod.
+	// Names that collide with those added by the build controller will result in a
+	// failed build with an error message detailing which name caused the error.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name *string `json:"name,omitempty"`
+	// source represents the location and type of the mounted volume.
 	Source *BuildVolumeSourceApplyConfiguration `json:"source,omitempty"`
+	// mounts represents the location of the volume in the image build container
 	Mounts []BuildVolumeMountApplyConfiguration `json:"mounts,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumemount.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumemount.go
index 521664df32889..f14f5f9d25901 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumemount.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumemount.go
@@ -4,7 +4,15 @@ package v1
 
 // BuildVolumeMountApplyConfiguration represents a declarative configuration of the BuildVolumeMount type for use
 // with apply.
+//
+// BuildVolumeMount describes the mounting of a Volume within buildah's runtime environment.
 type BuildVolumeMountApplyConfiguration struct {
+	// destinationPath is the path within the buildah runtime environment at which the volume should be mounted.
+	// The transient mount within the build image and the backing volume will both be mounted read only.
+	// Must be an absolute path, must not contain '..' or ':', and must not collide with a destination path generated
+	// by the builder process
+	// Paths that collide with those added by the build controller will result in a
+	// failed build with an error message detailing which path caused the error.
 	DestinationPath *string `json:"destinationPath,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumesource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumesource.go
index 96e8f7a1c2073..1de8916118228 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumesource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumesource.go
@@ -9,11 +9,21 @@ import (
 
 // BuildVolumeSourceApplyConfiguration represents a declarative configuration of the BuildVolumeSource type for use
 // with apply.
+//
+// BuildVolumeSource represents the source of a volume to mount
+// Only one of its supported types may be specified at any given time.
 type BuildVolumeSourceApplyConfiguration struct {
-	Type      *buildv1.BuildVolumeSourceType `json:"type,omitempty"`
-	Secret    *corev1.SecretVolumeSource     `json:"secret,omitempty"`
-	ConfigMap *corev1.ConfigMapVolumeSource  `json:"configMap,omitempty"`
-	CSI       *corev1.CSIVolumeSource        `json:"csi,omitempty"`
+	// type is the BuildVolumeSourceType for the volume source.
+	// Type must match the populated volume source.
+	// Valid types are: Secret, ConfigMap
+	Type *buildv1.BuildVolumeSourceType `json:"type,omitempty"`
+	// secret represents a Secret that should populate this volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	Secret *corev1.SecretVolumeSource `json:"secret,omitempty"`
+	// configMap represents a ConfigMap that should populate this volume
+	ConfigMap *corev1.ConfigMapVolumeSource `json:"configMap,omitempty"`
+	// csi represents ephemeral storage provided by external CSI drivers which support this capability
+	CSI *corev1.CSIVolumeSource `json:"csi,omitempty"`
 }
 
 // BuildVolumeSourceApplyConfiguration constructs a declarative configuration of the BuildVolumeSource type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonspec.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonspec.go
index fc02e12c473ab..69845ec7ce933 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonspec.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonspec.go
@@ -9,17 +9,46 @@ import (
 
 // CommonSpecApplyConfiguration represents a declarative configuration of the CommonSpec type for use
 // with apply.
+//
+// CommonSpec encapsulates all the inputs necessary to represent a build.
 type CommonSpecApplyConfiguration struct {
-	ServiceAccount            *string                                `json:"serviceAccount,omitempty"`
-	Source                    *BuildSourceApplyConfiguration         `json:"source,omitempty"`
-	Revision                  *SourceRevisionApplyConfiguration      `json:"revision,omitempty"`
-	Strategy                  *BuildStrategyApplyConfiguration       `json:"strategy,omitempty"`
-	Output                    *BuildOutputApplyConfiguration         `json:"output,omitempty"`
-	Resources                 *corev1.ResourceRequirements           `json:"resources,omitempty"`
-	PostCommit                *BuildPostCommitSpecApplyConfiguration `json:"postCommit,omitempty"`
-	CompletionDeadlineSeconds *int64                                 `json:"completionDeadlineSeconds,omitempty"`
-	NodeSelector              *buildv1.OptionalNodeSelector          `json:"nodeSelector,omitempty"`
-	MountTrustedCA            *bool                                  `json:"mountTrustedCA,omitempty"`
+	// serviceAccount is the name of the ServiceAccount to use to run the pod
+	// created by this build.
+	// The pod will be allowed to use secrets referenced by the ServiceAccount
+	ServiceAccount *string `json:"serviceAccount,omitempty"`
+	// source describes the SCM in use.
+	Source *BuildSourceApplyConfiguration `json:"source,omitempty"`
+	// revision is the information from the source for a specific repo snapshot.
+	// This is optional.
+	Revision *SourceRevisionApplyConfiguration `json:"revision,omitempty"`
+	// strategy defines how to perform a build.
+	Strategy *BuildStrategyApplyConfiguration `json:"strategy,omitempty"`
+	// output describes the container image the Strategy should produce.
+	Output *BuildOutputApplyConfiguration `json:"output,omitempty"`
+	// resources computes resource requirements to execute the build.
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+	// postCommit is a build hook executed after the build output image is
+	// committed, before it is pushed to a registry.
+	PostCommit *BuildPostCommitSpecApplyConfiguration `json:"postCommit,omitempty"`
+	// completionDeadlineSeconds is an optional duration in seconds, counted from
+	// the time when a build pod gets scheduled in the system, that the build may
+	// be active on a node before the system actively tries to terminate the
+	// build; value must be positive integer
+	CompletionDeadlineSeconds *int64 `json:"completionDeadlineSeconds,omitempty"`
+	// nodeSelector is a selector which must be true for the build pod to fit on a node
+	// If nil, it can be overridden by default build nodeselector values for the cluster.
+	// If set to an empty map or a map with any values, default build nodeselector values
+	// are ignored.
+	NodeSelector *buildv1.OptionalNodeSelector `json:"nodeSelector,omitempty"`
+	// mountTrustedCA bind mounts the cluster's trusted certificate authorities, as defined in
+	// the cluster's proxy configuration, into the build. This lets processes within a build trust
+	// components signed by custom PKI certificate authorities, such as private artifact
+	// repositories and HTTPS proxies.
+	//
+	// When this field is set to true, the contents of `/etc/pki/ca-trust` within the build are
+	// managed by the build container, and any changes to this directory or its subdirectories (for
+	// example - within a Dockerfile `RUN` instruction) are not persisted in the build's output image.
+	MountTrustedCA *bool `json:"mountTrustedCA,omitempty"`
 }
 
 // CommonSpecApplyConfiguration constructs a declarative configuration of the CommonSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonwebhookcause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonwebhookcause.go
index 793dd7a0160c2..b896992e3d0db 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonwebhookcause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonwebhookcause.go
@@ -4,9 +4,15 @@ package v1
 
 // CommonWebHookCauseApplyConfiguration represents a declarative configuration of the CommonWebHookCause type for use
 // with apply.
+//
+// CommonWebHookCause factors out the identical format of these webhook
+// causes into struct so we can share it in the specific causes;  it is too late for
+// GitHub and Generic but we can leverage this pattern with GitLab and Bitbucket.
 type CommonWebHookCauseApplyConfiguration struct {
+	// revision is the git source revision information of the trigger.
 	Revision *SourceRevisionApplyConfiguration `json:"revision,omitempty"`
-	Secret   *string                           `json:"secret,omitempty"`
+	// secret is the obfuscated webhook secret that triggered a build.
+	Secret *string `json:"secret,omitempty"`
 }
 
 // CommonWebHookCauseApplyConfiguration constructs a declarative configuration of the CommonWebHookCause type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/configmapbuildsource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/configmapbuildsource.go
index 420b86656f935..a0cd39a8c6854 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/configmapbuildsource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/configmapbuildsource.go
@@ -8,9 +8,22 @@ import (
 
 // ConfigMapBuildSourceApplyConfiguration represents a declarative configuration of the ConfigMapBuildSource type for use
 // with apply.
+//
+// ConfigMapBuildSource describes a configmap and its destination directory that will be
+// used only at the build time. The content of the configmap referenced here will
+// be copied into the destination directory instead of mounting.
 type ConfigMapBuildSourceApplyConfiguration struct {
-	ConfigMap      *corev1.LocalObjectReference `json:"configMap,omitempty"`
-	DestinationDir *string                      `json:"destinationDir,omitempty"`
+	// configMap is a reference to an existing configmap that you want to use in your
+	// build.
+	ConfigMap *corev1.LocalObjectReference `json:"configMap,omitempty"`
+	// destinationDir is the directory where the files from the configmap should be
+	// available for the build time.
+	// For the Source build strategy, these will be injected into a container
+	// where the assemble script runs.
+	// For the container image build strategy, these will be copied into the build
+	// directory, where the Dockerfile is located, so users can ADD or COPY them
+	// during container image build.
+	DestinationDir *string `json:"destinationDir,omitempty"`
 }
 
 // ConfigMapBuildSourceApplyConfiguration constructs a declarative configuration of the ConfigMapBuildSource type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/custombuildstrategy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/custombuildstrategy.go
index b445ef5c24c4b..2cd8080141b1c 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/custombuildstrategy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/custombuildstrategy.go
@@ -8,14 +8,29 @@ import (
 
 // CustomBuildStrategyApplyConfiguration represents a declarative configuration of the CustomBuildStrategy type for use
 // with apply.
+//
+// CustomBuildStrategy defines input parameters specific to Custom build.
 type CustomBuildStrategyApplyConfiguration struct {
-	From               *corev1.ObjectReference        `json:"from,omitempty"`
-	PullSecret         *corev1.LocalObjectReference   `json:"pullSecret,omitempty"`
-	Env                []corev1.EnvVar                `json:"env,omitempty"`
-	ExposeDockerSocket *bool                          `json:"exposeDockerSocket,omitempty"`
-	ForcePull          *bool                          `json:"forcePull,omitempty"`
-	Secrets            []SecretSpecApplyConfiguration `json:"secrets,omitempty"`
-	BuildAPIVersion    *string                        `json:"buildAPIVersion,omitempty"`
+	// from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which
+	// the container image should be pulled
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// pullSecret is the name of a Secret that would be used for setting up
+	// the authentication for pulling the container images from the private Docker
+	// registries
+	PullSecret *corev1.LocalObjectReference `json:"pullSecret,omitempty"`
+	// env contains additional environment variables you want to pass into a builder container.
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// exposeDockerSocket will allow running Docker commands (and build container images) from
+	// inside the container.
+	// TODO: Allow admins to enforce 'false' for this option
+	ExposeDockerSocket *bool `json:"exposeDockerSocket,omitempty"`
+	// forcePull describes if the controller should configure the build pod to always pull the images
+	// for the builder or only pull if it is not present locally
+	ForcePull *bool `json:"forcePull,omitempty"`
+	// secrets is a list of additional secrets that will be included in the build pod
+	Secrets []SecretSpecApplyConfiguration `json:"secrets,omitempty"`
+	// buildAPIVersion is the requested API version for the Build object serialized and passed to the custom builder
+	BuildAPIVersion *string `json:"buildAPIVersion,omitempty"`
 }
 
 // CustomBuildStrategyApplyConfiguration constructs a declarative configuration of the CustomBuildStrategy type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/dockerbuildstrategy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/dockerbuildstrategy.go
index c37b95463fe33..db0d74be5d1ea 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/dockerbuildstrategy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/dockerbuildstrategy.go
@@ -9,16 +9,45 @@ import (
 
 // DockerBuildStrategyApplyConfiguration represents a declarative configuration of the DockerBuildStrategy type for use
 // with apply.
+//
+// DockerBuildStrategy defines input parameters specific to container image build.
 type DockerBuildStrategyApplyConfiguration struct {
-	From                    *corev1.ObjectReference          `json:"from,omitempty"`
-	PullSecret              *corev1.LocalObjectReference     `json:"pullSecret,omitempty"`
-	NoCache                 *bool                            `json:"noCache,omitempty"`
-	Env                     []corev1.EnvVar                  `json:"env,omitempty"`
-	ForcePull               *bool                            `json:"forcePull,omitempty"`
-	DockerfilePath          *string                          `json:"dockerfilePath,omitempty"`
-	BuildArgs               []corev1.EnvVar                  `json:"buildArgs,omitempty"`
+	// from is a reference to an DockerImage, ImageStreamTag, or ImageStreamImage which overrides
+	// the FROM image in the Dockerfile for the build. If the Dockerfile uses multi-stage builds,
+	// this will replace the image in the last FROM directive of the file.
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// pullSecret is the name of a Secret that would be used for setting up
+	// the authentication for pulling the container images from the private Docker
+	// registries
+	PullSecret *corev1.LocalObjectReference `json:"pullSecret,omitempty"`
+	// noCache if set to true indicates that the container image build must be executed with the
+	// --no-cache=true flag
+	NoCache *bool `json:"noCache,omitempty"`
+	// env contains additional environment variables you want to pass into a builder container.
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// forcePull describes if the builder should pull the images from registry prior to building.
+	ForcePull *bool `json:"forcePull,omitempty"`
+	// dockerfilePath is the path of the Dockerfile that will be used to build the container image,
+	// relative to the root of the context (contextDir).
+	// Defaults to `Dockerfile` if unset.
+	DockerfilePath *string `json:"dockerfilePath,omitempty"`
+	// buildArgs contains build arguments that will be resolved in the Dockerfile.  See
+	// https://docs.docker.com/engine/reference/builder/#/arg for more details.
+	// NOTE: Only the 'name' and 'value' fields are supported. Any settings on the 'valueFrom' field
+	// are ignored.
+	BuildArgs []corev1.EnvVar `json:"buildArgs,omitempty"`
+	// imageOptimizationPolicy describes what optimizations the system can use when building images
+	// to reduce the final size or time spent building the image. The default policy is 'None' which
+	// means the final build image will be equivalent to an image created by the container image build API.
+	// The experimental policy 'SkipLayers' will avoid commiting new layers in between each
+	// image step, and will fail if the Dockerfile cannot provide compatibility with the 'None'
+	// policy. An additional experimental policy 'SkipLayersAndWarn' is the same as
+	// 'SkipLayers' but simply warns if compatibility cannot be preserved.
 	ImageOptimizationPolicy *buildv1.ImageOptimizationPolicy `json:"imageOptimizationPolicy,omitempty"`
-	Volumes                 []BuildVolumeApplyConfiguration  `json:"volumes,omitempty"`
+	// volumes is a list of input volumes that can be mounted into the builds runtime environment.
+	// Only a subset of Kubernetes Volume sources are supported by builds.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes
+	Volumes []BuildVolumeApplyConfiguration `json:"volumes,omitempty"`
 }
 
 // DockerBuildStrategyApplyConfiguration constructs a declarative configuration of the DockerBuildStrategy type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/genericwebhookcause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/genericwebhookcause.go
index b11d67359e67e..f7597ac268515 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/genericwebhookcause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/genericwebhookcause.go
@@ -4,9 +4,15 @@ package v1
 
 // GenericWebHookCauseApplyConfiguration represents a declarative configuration of the GenericWebHookCause type for use
 // with apply.
+//
+// GenericWebHookCause holds information about a generic WebHook that
+// triggered a build.
 type GenericWebHookCauseApplyConfiguration struct {
+	// revision is an optional field that stores the git source revision
+	// information of the generic webhook trigger when it is available.
 	Revision *SourceRevisionApplyConfiguration `json:"revision,omitempty"`
-	Secret   *string                           `json:"secret,omitempty"`
+	// secret is the obfuscated webhook secret that triggered a build.
+	Secret *string `json:"secret,omitempty"`
 }
 
 // GenericWebHookCauseApplyConfiguration constructs a declarative configuration of the GenericWebHookCause type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitbuildsource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitbuildsource.go
index f0426254bf865..7584101b02868 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitbuildsource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitbuildsource.go
@@ -4,9 +4,16 @@ package v1
 
 // GitBuildSourceApplyConfiguration represents a declarative configuration of the GitBuildSource type for use
 // with apply.
+//
+// GitBuildSource defines the parameters of a Git SCM
 type GitBuildSourceApplyConfiguration struct {
-	URI                           *string `json:"uri,omitempty"`
-	Ref                           *string `json:"ref,omitempty"`
+	// uri points to the source that will be built. The structure of the source
+	// will depend on the type of build to run
+	URI *string `json:"uri,omitempty"`
+	// ref is the branch/tag/ref to build.
+	Ref *string `json:"ref,omitempty"`
+	// proxyConfig defines the proxies to use for the git clone operation. Values
+	// not set here are inherited from cluster-wide build git proxy settings.
 	ProxyConfigApplyConfiguration `json:",inline"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/githubwebhookcause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/githubwebhookcause.go
index 7aef57d741a13..5cc4d839b6291 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/githubwebhookcause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/githubwebhookcause.go
@@ -4,9 +4,14 @@ package v1
 
 // GitHubWebHookCauseApplyConfiguration represents a declarative configuration of the GitHubWebHookCause type for use
 // with apply.
+//
+// GitHubWebHookCause has information about a GitHub webhook that triggered a
+// build.
 type GitHubWebHookCauseApplyConfiguration struct {
+	// revision is the git revision information of the trigger.
 	Revision *SourceRevisionApplyConfiguration `json:"revision,omitempty"`
-	Secret   *string                           `json:"secret,omitempty"`
+	// secret is the obfuscated webhook secret that triggered a build.
+	Secret *string `json:"secret,omitempty"`
 }
 
 // GitHubWebHookCauseApplyConfiguration constructs a declarative configuration of the GitHubWebHookCause type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitlabwebhookcause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitlabwebhookcause.go
index db55e91b8d73a..7f4e88cf7fa80 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitlabwebhookcause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitlabwebhookcause.go
@@ -4,6 +4,9 @@ package v1
 
 // GitLabWebHookCauseApplyConfiguration represents a declarative configuration of the GitLabWebHookCause type for use
 // with apply.
+//
+// GitLabWebHookCause has information about a GitLab webhook that triggered a
+// build.
 type GitLabWebHookCauseApplyConfiguration struct {
 	CommonWebHookCauseApplyConfiguration `json:",inline"`
 }
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitsourcerevision.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitsourcerevision.go
index ffe7bcf8e4ed0..925869724ea7e 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitsourcerevision.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitsourcerevision.go
@@ -4,11 +4,17 @@ package v1
 
 // GitSourceRevisionApplyConfiguration represents a declarative configuration of the GitSourceRevision type for use
 // with apply.
+//
+// GitSourceRevision is the commit information from a git source for a build
 type GitSourceRevisionApplyConfiguration struct {
-	Commit    *string                              `json:"commit,omitempty"`
-	Author    *SourceControlUserApplyConfiguration `json:"author,omitempty"`
+	// commit is the commit hash identifying a specific commit
+	Commit *string `json:"commit,omitempty"`
+	// author is the author of a specific commit
+	Author *SourceControlUserApplyConfiguration `json:"author,omitempty"`
+	// committer is the committer of a specific commit
 	Committer *SourceControlUserApplyConfiguration `json:"committer,omitempty"`
-	Message   *string                              `json:"message,omitempty"`
+	// message is the description of a specific commit
+	Message *string `json:"message,omitempty"`
 }
 
 // GitSourceRevisionApplyConfiguration constructs a declarative configuration of the GitSourceRevision type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangecause.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangecause.go
index 7c0bf8ca3fb7e..517bced0da85a 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangecause.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangecause.go
@@ -8,8 +8,14 @@ import (
 
 // ImageChangeCauseApplyConfiguration represents a declarative configuration of the ImageChangeCause type for use
 // with apply.
+//
+// ImageChangeCause contains information about the image that triggered a
+// build
 type ImageChangeCauseApplyConfiguration struct {
-	ImageID *string                 `json:"imageID,omitempty"`
+	// imageID is the ID of the image that triggered a new build.
+	ImageID *string `json:"imageID,omitempty"`
+	// fromRef contains detailed information about an image that triggered a
+	// build.
 	FromRef *corev1.ObjectReference `json:"fromRef,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetrigger.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetrigger.go
index fe8b27ade8c10..b10650a307759 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetrigger.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetrigger.go
@@ -8,10 +8,21 @@ import (
 
 // ImageChangeTriggerApplyConfiguration represents a declarative configuration of the ImageChangeTrigger type for use
 // with apply.
+//
+// ImageChangeTrigger allows builds to be triggered when an ImageStream changes
 type ImageChangeTriggerApplyConfiguration struct {
-	LastTriggeredImageID *string                 `json:"lastTriggeredImageID,omitempty"`
-	From                 *corev1.ObjectReference `json:"from,omitempty"`
-	Paused               *bool                   `json:"paused,omitempty"`
+	// lastTriggeredImageID is used internally by the ImageChangeController to save last
+	// used image ID for build
+	// This field is deprecated and will be removed in a future release.
+	// Deprecated
+	LastTriggeredImageID *string `json:"lastTriggeredImageID,omitempty"`
+	// from is a reference to an ImageStreamTag that will trigger a build when updated
+	// It is optional. If no From is specified, the From image from the build strategy
+	// will be used. Only one ImageChangeTrigger with an empty From reference is allowed in
+	// a build configuration.
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// paused is true if this trigger is temporarily disabled. Optional.
+	Paused *bool `json:"paused,omitempty"`
 }
 
 // ImageChangeTriggerApplyConfiguration constructs a declarative configuration of the ImageChangeTrigger type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetriggerstatus.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetriggerstatus.go
index ecaf5aab1367e..2eabf523354f8 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetriggerstatus.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetriggerstatus.go
@@ -8,10 +8,18 @@ import (
 
 // ImageChangeTriggerStatusApplyConfiguration represents a declarative configuration of the ImageChangeTriggerStatus type for use
 // with apply.
+//
+// ImageChangeTriggerStatus tracks the latest resolved status of the associated ImageChangeTrigger policy
+// specified in the BuildConfigSpec.Triggers struct.
 type ImageChangeTriggerStatusApplyConfiguration struct {
-	LastTriggeredImageID *string                                    `json:"lastTriggeredImageID,omitempty"`
-	From                 *ImageStreamTagReferenceApplyConfiguration `json:"from,omitempty"`
-	LastTriggerTime      *metav1.Time                               `json:"lastTriggerTime,omitempty"`
+	// lastTriggeredImageID represents the sha/id of the ImageStreamTag when a Build for this BuildConfig was started.
+	// The lastTriggeredImageID is updated each time a Build for this BuildConfig is started, even if this ImageStreamTag is not the reason the Build is started.
+	LastTriggeredImageID *string `json:"lastTriggeredImageID,omitempty"`
+	// from is the ImageStreamTag that is the source of the trigger.
+	From *ImageStreamTagReferenceApplyConfiguration `json:"from,omitempty"`
+	// lastTriggerTime is the last time this particular ImageStreamTag triggered a Build to start.
+	// This field is only updated when this trigger specifically started a Build.
+	LastTriggerTime *metav1.Time `json:"lastTriggerTime,omitempty"`
 }
 
 // ImageChangeTriggerStatusApplyConfiguration constructs a declarative configuration of the ImageChangeTriggerStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagelabel.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagelabel.go
index 1d19105474467..dcbec3619afa3 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagelabel.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagelabel.go
@@ -4,8 +4,12 @@ package v1
 
 // ImageLabelApplyConfiguration represents a declarative configuration of the ImageLabel type for use
 // with apply.
+//
+// ImageLabel represents a label applied to the resulting image.
 type ImageLabelApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// name defines the name of the label. It must have non-zero length.
+	Name *string `json:"name,omitempty"`
+	// value defines the literal value of the label.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesource.go
index fb46f9affa785..44a0d220fc5c1 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesource.go
@@ -8,11 +8,31 @@ import (
 
 // ImageSourceApplyConfiguration represents a declarative configuration of the ImageSource type for use
 // with apply.
+//
+// ImageSource is used to describe build source that will be extracted from an image or used during a
+// multi stage build. A reference of type ImageStreamTag, ImageStreamImage or DockerImage may be used.
+// A pull secret can be specified to pull the image from an external registry or override the default
+// service account secret if pulling from the internal registry. Image sources can either be used to
+// extract content from an image and place it into the build context along with the repository source,
+// or used directly during a multi-stage container image build to allow content to be copied without overwriting
+// the contents of the repository source (see the 'paths' and 'as' fields).
 type ImageSourceApplyConfiguration struct {
-	From       *corev1.ObjectReference             `json:"from,omitempty"`
-	As         []string                            `json:"as,omitempty"`
-	Paths      []ImageSourcePathApplyConfiguration `json:"paths,omitempty"`
-	PullSecret *corev1.LocalObjectReference        `json:"pullSecret,omitempty"`
+	// from is a reference to an ImageStreamTag, ImageStreamImage, or DockerImage to
+	// copy source from.
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// A list of image names that this source will be used in place of during a multi-stage container image
+	// build. For instance, a Dockerfile that uses "COPY --from=nginx:latest" will first check for an image
+	// source that has "nginx:latest" in this field before attempting to pull directly. If the Dockerfile
+	// does not reference an image source it is ignored. This field and paths may both be set, in which case
+	// the contents will be used twice.
+	As []string `json:"as,omitempty"`
+	// paths is a list of source and destination paths to copy from the image. This content will be copied
+	// into the build context prior to starting the build. If no paths are set, the build context will
+	// not be altered.
+	Paths []ImageSourcePathApplyConfiguration `json:"paths,omitempty"`
+	// pullSecret is a reference to a secret to be used to pull the image from a registry
+	// If the image is pulled from the OpenShift registry, this field does not need to be set.
+	PullSecret *corev1.LocalObjectReference `json:"pullSecret,omitempty"`
 }
 
 // ImageSourceApplyConfiguration constructs a declarative configuration of the ImageSource type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesourcepath.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesourcepath.go
index d212ffd32f0f0..8aaaa9df6cef6 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesourcepath.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesourcepath.go
@@ -4,8 +4,16 @@ package v1
 
 // ImageSourcePathApplyConfiguration represents a declarative configuration of the ImageSourcePath type for use
 // with apply.
+//
+// ImageSourcePath describes a path to be copied from a source image and its destination within the build directory.
 type ImageSourcePathApplyConfiguration struct {
-	SourcePath     *string `json:"sourcePath,omitempty"`
+	// sourcePath is the absolute path of the file or directory inside the image to
+	// copy to the build directory.  If the source path ends in /. then the content of
+	// the directory will be copied, but the directory itself will not be created at the
+	// destination.
+	SourcePath *string `json:"sourcePath,omitempty"`
+	// destinationDir is the relative directory within the build directory
+	// where files copied from the image are placed.
 	DestinationDir *string `json:"destinationDir,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagestreamtagreference.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagestreamtagreference.go
index 0e6445f15d195..fde53f54e696f 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagestreamtagreference.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagestreamtagreference.go
@@ -4,9 +4,13 @@ package v1
 
 // ImageStreamTagReferenceApplyConfiguration represents a declarative configuration of the ImageStreamTagReference type for use
 // with apply.
+//
+// ImageStreamTagReference references the ImageStreamTag in an image change trigger by namespace and name.
 type ImageStreamTagReferenceApplyConfiguration struct {
+	// namespace is the namespace where the ImageStreamTag for an ImageChangeTrigger is located
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// name is the name of the ImageStreamTag for an ImageChangeTrigger
+	Name *string `json:"name,omitempty"`
 }
 
 // ImageStreamTagReferenceApplyConfiguration constructs a declarative configuration of the ImageStreamTagReference type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/jenkinspipelinebuildstrategy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/jenkinspipelinebuildstrategy.go
index 940caa1b304c9..f080bb0eb523f 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/jenkinspipelinebuildstrategy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/jenkinspipelinebuildstrategy.go
@@ -8,10 +8,18 @@ import (
 
 // JenkinsPipelineBuildStrategyApplyConfiguration represents a declarative configuration of the JenkinsPipelineBuildStrategy type for use
 // with apply.
+//
+// JenkinsPipelineBuildStrategy holds parameters specific to a Jenkins Pipeline build.
+// Deprecated: use OpenShift Pipelines
 type JenkinsPipelineBuildStrategyApplyConfiguration struct {
-	JenkinsfilePath *string         `json:"jenkinsfilePath,omitempty"`
-	Jenkinsfile     *string         `json:"jenkinsfile,omitempty"`
-	Env             []corev1.EnvVar `json:"env,omitempty"`
+	// jenkinsfilePath is the optional path of the Jenkinsfile that will be used to configure the pipeline
+	// relative to the root of the context (contextDir). If both JenkinsfilePath & Jenkinsfile are
+	// both not specified, this defaults to Jenkinsfile in the root of the specified contextDir.
+	JenkinsfilePath *string `json:"jenkinsfilePath,omitempty"`
+	// jenkinsfile defines the optional raw contents of a Jenkinsfile which defines a Jenkins pipeline build.
+	Jenkinsfile *string `json:"jenkinsfile,omitempty"`
+	// env contains additional environment variables you want to pass into a build pipeline.
+	Env []corev1.EnvVar `json:"env,omitempty"`
 }
 
 // JenkinsPipelineBuildStrategyApplyConfiguration constructs a declarative configuration of the JenkinsPipelineBuildStrategy type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/proxyconfig.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/proxyconfig.go
index db62ad5e5b4c3..8c9dd45778308 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/proxyconfig.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/proxyconfig.go
@@ -4,10 +4,15 @@ package v1
 
 // ProxyConfigApplyConfiguration represents a declarative configuration of the ProxyConfig type for use
 // with apply.
+//
+// ProxyConfig defines what proxies to use for an operation
 type ProxyConfigApplyConfiguration struct {
-	HTTPProxy  *string `json:"httpProxy,omitempty"`
+	// httpProxy is a proxy used to reach the git repository over http
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// httpsProxy is a proxy used to reach the git repository over https
 	HTTPSProxy *string `json:"httpsProxy,omitempty"`
-	NoProxy    *string `json:"noProxy,omitempty"`
+	// noProxy is the list of domains for which the proxy should not be used
+	NoProxy *string `json:"noProxy,omitempty"`
 }
 
 // ProxyConfigApplyConfiguration constructs a declarative configuration of the ProxyConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretbuildsource.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretbuildsource.go
index 7c6d9c83a234e..5762391b779f5 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretbuildsource.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretbuildsource.go
@@ -8,9 +8,23 @@ import (
 
 // SecretBuildSourceApplyConfiguration represents a declarative configuration of the SecretBuildSource type for use
 // with apply.
+//
+// SecretBuildSource describes a secret and its destination directory that will be
+// used only at the build time. The content of the secret referenced here will
+// be copied into the destination directory instead of mounting.
 type SecretBuildSourceApplyConfiguration struct {
-	Secret         *corev1.LocalObjectReference `json:"secret,omitempty"`
-	DestinationDir *string                      `json:"destinationDir,omitempty"`
+	// secret is a reference to an existing secret that you want to use in your
+	// build.
+	Secret *corev1.LocalObjectReference `json:"secret,omitempty"`
+	// destinationDir is the directory where the files from the secret should be
+	// available for the build time.
+	// For the Source build strategy, these will be injected into a container
+	// where the assemble script runs. Later, when the script finishes, all files
+	// injected will be truncated to zero length.
+	// For the container image build strategy, these will be copied into the build
+	// directory, where the Dockerfile is located, so users can ADD or COPY them
+	// during container image build.
+	DestinationDir *string `json:"destinationDir,omitempty"`
 }
 
 // SecretBuildSourceApplyConfiguration constructs a declarative configuration of the SecretBuildSource type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretlocalreference.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretlocalreference.go
index b5713fc6c702d..6740219a1beb9 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretlocalreference.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretlocalreference.go
@@ -4,7 +4,10 @@ package v1
 
 // SecretLocalReferenceApplyConfiguration represents a declarative configuration of the SecretLocalReference type for use
 // with apply.
+//
+// SecretLocalReference contains information that points to the local secret being used
 type SecretLocalReferenceApplyConfiguration struct {
+	// name is the name of the resource in the same namespace being referenced
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretspec.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretspec.go
index b46ebed22397e..4f3a24866ae60 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretspec.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretspec.go
@@ -8,9 +8,13 @@ import (
 
 // SecretSpecApplyConfiguration represents a declarative configuration of the SecretSpec type for use
 // with apply.
+//
+// SecretSpec specifies a secret to be included in a build pod and its corresponding mount point
 type SecretSpecApplyConfiguration struct {
+	// secretSource is a reference to the secret
 	SecretSource *corev1.LocalObjectReference `json:"secretSource,omitempty"`
-	MountPath    *string                      `json:"mountPath,omitempty"`
+	// mountPath is the path at which to mount the secret
+	MountPath *string `json:"mountPath,omitempty"`
 }
 
 // SecretSpecApplyConfiguration constructs a declarative configuration of the SecretSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcebuildstrategy.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcebuildstrategy.go
index ade973c2ef3b2..f5727823fa4e2 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcebuildstrategy.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcebuildstrategy.go
@@ -8,14 +8,28 @@ import (
 
 // SourceBuildStrategyApplyConfiguration represents a declarative configuration of the SourceBuildStrategy type for use
 // with apply.
+//
+// SourceBuildStrategy defines input parameters specific to an Source build.
 type SourceBuildStrategyApplyConfiguration struct {
-	From        *corev1.ObjectReference         `json:"from,omitempty"`
-	PullSecret  *corev1.LocalObjectReference    `json:"pullSecret,omitempty"`
-	Env         []corev1.EnvVar                 `json:"env,omitempty"`
-	Scripts     *string                         `json:"scripts,omitempty"`
-	Incremental *bool                           `json:"incremental,omitempty"`
-	ForcePull   *bool                           `json:"forcePull,omitempty"`
-	Volumes     []BuildVolumeApplyConfiguration `json:"volumes,omitempty"`
+	// from is reference to an DockerImage, ImageStreamTag, or ImageStreamImage from which
+	// the container image should be pulled
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// pullSecret is the name of a Secret that would be used for setting up
+	// the authentication for pulling the container images from the private Docker
+	// registries
+	PullSecret *corev1.LocalObjectReference `json:"pullSecret,omitempty"`
+	// env contains additional environment variables you want to pass into a builder container.
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// scripts is the location of Source scripts
+	Scripts *string `json:"scripts,omitempty"`
+	// incremental flag forces the Source build to do incremental builds if true.
+	Incremental *bool `json:"incremental,omitempty"`
+	// forcePull describes if the builder should pull the images from registry prior to building.
+	ForcePull *bool `json:"forcePull,omitempty"`
+	// volumes is a list of input volumes that can be mounted into the builds runtime environment.
+	// Only a subset of Kubernetes Volume sources are supported by builds.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes
+	Volumes []BuildVolumeApplyConfiguration `json:"volumes,omitempty"`
 }
 
 // SourceBuildStrategyApplyConfiguration constructs a declarative configuration of the SourceBuildStrategy type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcecontroluser.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcecontroluser.go
index eddaf6a1d223b..8fb62c5faa7a5 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcecontroluser.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcecontroluser.go
@@ -4,8 +4,12 @@ package v1
 
 // SourceControlUserApplyConfiguration represents a declarative configuration of the SourceControlUser type for use
 // with apply.
+//
+// SourceControlUser defines the identity of a user of source control
 type SourceControlUserApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// name of the source control user
+	Name *string `json:"name,omitempty"`
+	// email of the source control user
 	Email *string `json:"email,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcerevision.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcerevision.go
index e99261ac85fff..d7929c4e4523e 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcerevision.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcerevision.go
@@ -8,9 +8,13 @@ import (
 
 // SourceRevisionApplyConfiguration represents a declarative configuration of the SourceRevision type for use
 // with apply.
+//
+// SourceRevision is the revision or commit information from the source for the build
 type SourceRevisionApplyConfiguration struct {
-	Type *buildv1.BuildSourceType             `json:"type,omitempty"`
-	Git  *GitSourceRevisionApplyConfiguration `json:"git,omitempty"`
+	// type of the build source, may be one of 'Source', 'Dockerfile', 'Binary', or 'Images'
+	Type *buildv1.BuildSourceType `json:"type,omitempty"`
+	// git contains information about git-based build source
+	Git *GitSourceRevisionApplyConfiguration `json:"git,omitempty"`
 }
 
 // SourceRevisionApplyConfiguration constructs a declarative configuration of the SourceRevision type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stageinfo.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stageinfo.go
index 1f7e390bb4018..a7ffb12e4d98c 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stageinfo.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stageinfo.go
@@ -9,11 +9,22 @@ import (
 
 // StageInfoApplyConfiguration represents a declarative configuration of the StageInfo type for use
 // with apply.
+//
+// StageInfo contains details about a build stage.
 type StageInfoApplyConfiguration struct {
-	Name                 *buildv1.StageName           `json:"name,omitempty"`
-	StartTime            *metav1.Time                 `json:"startTime,omitempty"`
-	DurationMilliseconds *int64                       `json:"durationMilliseconds,omitempty"`
-	Steps                []StepInfoApplyConfiguration `json:"steps,omitempty"`
+	// name is a unique identifier for each build stage that occurs.
+	Name *buildv1.StageName `json:"name,omitempty"`
+	// startTime is a timestamp representing the server time when this Stage started.
+	// It is represented in RFC3339 form and is in UTC.
+	StartTime *metav1.Time `json:"startTime,omitempty"`
+	// durationMilliseconds identifies how long the stage took
+	// to complete in milliseconds.
+	// Note: the duration of a stage can exceed the sum of the duration of the steps within
+	// the stage as not all actions are accounted for in explicit build steps.
+	DurationMilliseconds *int64 `json:"durationMilliseconds,omitempty"`
+	// steps contains details about each step that occurs during a build stage
+	// including start time and duration in milliseconds.
+	Steps []StepInfoApplyConfiguration `json:"steps,omitempty"`
 }
 
 // StageInfoApplyConfiguration constructs a declarative configuration of the StageInfo type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stepinfo.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stepinfo.go
index 4049aa5e53880..d33fa378ac4e8 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stepinfo.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stepinfo.go
@@ -9,10 +9,17 @@ import (
 
 // StepInfoApplyConfiguration represents a declarative configuration of the StepInfo type for use
 // with apply.
+//
+// StepInfo contains details about a build step.
 type StepInfoApplyConfiguration struct {
-	Name                 *buildv1.StepName `json:"name,omitempty"`
-	StartTime            *metav1.Time      `json:"startTime,omitempty"`
-	DurationMilliseconds *int64            `json:"durationMilliseconds,omitempty"`
+	// name is a unique identifier for each build step.
+	Name *buildv1.StepName `json:"name,omitempty"`
+	// startTime is a timestamp representing the server time when this Step started.
+	// it is represented in RFC3339 form and is in UTC.
+	StartTime *metav1.Time `json:"startTime,omitempty"`
+	// durationMilliseconds identifies how long the step took
+	// to complete in milliseconds.
+	DurationMilliseconds *int64 `json:"durationMilliseconds,omitempty"`
 }
 
 // StepInfoApplyConfiguration constructs a declarative configuration of the StepInfo type for use with
diff --git a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/webhooktrigger.go b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/webhooktrigger.go
index f094a74e6ab81..e3dd4b0cbc276 100644
--- a/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/webhooktrigger.go
+++ b/vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/webhooktrigger.go
@@ -4,9 +4,19 @@ package v1
 
 // WebHookTriggerApplyConfiguration represents a declarative configuration of the WebHookTrigger type for use
 // with apply.
+//
+// WebHookTrigger is a trigger that gets invoked using a webhook type of post
 type WebHookTriggerApplyConfiguration struct {
-	Secret          *string                                 `json:"secret,omitempty"`
-	AllowEnv        *bool                                   `json:"allowEnv,omitempty"`
+	// secret used to validate requests.
+	// Deprecated: use SecretReference instead.
+	Secret *string `json:"secret,omitempty"`
+	// allowEnv determines whether the webhook can set environment variables; can only
+	// be set to true for GenericWebHook.
+	AllowEnv *bool `json:"allowEnv,omitempty"`
+	// secretReference is a reference to a secret in the same namespace,
+	// containing the value to be validated when the webhook is invoked.
+	// The secret being referenced must contain a key named "WebHookSecretKey", the value
+	// of which will be checked against the value supplied in the webhook invocation.
 	SecretReference *SecretLocalReferenceApplyConfiguration `json:"secretReference,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/build.go b/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/build.go
index 7eca6d52741f2..4e99781005b83 100644
--- a/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/build.go
+++ b/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/build.go
@@ -41,7 +41,7 @@ func NewBuildInformer(client versioned.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredBuildInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredBuildInformer(client versioned.Interface, namespace string, resy
 				}
 				return client.BuildV1().Builds(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apibuildv1.Build{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/buildconfig.go b/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/buildconfig.go
index efd79cd39431c..a523b4abc6890 100644
--- a/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/buildconfig.go
+++ b/vendor/github.com/openshift/client-go/build/informers/externalversions/build/v1/buildconfig.go
@@ -41,7 +41,7 @@ func NewBuildConfigInformer(client versioned.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredBuildConfigInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredBuildConfigInformer(client versioned.Interface, namespace string
 				}
 				return client.BuildV1().BuildConfigs(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apibuildv1.BuildConfig{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/build/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/build/informers/externalversions/factory.go
index 0d3e90f3376db..4ccf074e8da02 100644
--- a/vendor/github.com/openshift/client-go/build/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/build/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go
new file mode 100644
index 0000000000000..09f56804c892c
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go
@@ -0,0 +1,27 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// AcceptRiskApplyConfiguration represents a declarative configuration of the AcceptRisk type for use
+// with apply.
+//
+// AcceptRisk represents a risk that is considered acceptable.
+type AcceptRiskApplyConfiguration struct {
+	// name is the name of the acceptable risk.
+	// It must be a non-empty string and must not exceed 256 characters.
+	Name *string `json:"name,omitempty"`
+}
+
+// AcceptRiskApplyConfiguration constructs a declarative configuration of the AcceptRisk type for use with
+// apply.
+func AcceptRisk() *AcceptRiskApplyConfiguration {
+	return &AcceptRiskApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *AcceptRiskApplyConfiguration) WithName(value string) *AcceptRiskApplyConfiguration {
+	b.Name = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go
index e763d14f6e33d..9a3e53e19af2d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go
@@ -4,10 +4,15 @@ package v1
 
 // AlibabaCloudPlatformStatusApplyConfiguration represents a declarative configuration of the AlibabaCloudPlatformStatus type for use
 // with apply.
+//
+// AlibabaCloudPlatformStatus holds the current status of the Alibaba Cloud infrastructure provider.
 type AlibabaCloudPlatformStatusApplyConfiguration struct {
-	Region          *string                                     `json:"region,omitempty"`
-	ResourceGroupID *string                                     `json:"resourceGroupID,omitempty"`
-	ResourceTags    []AlibabaCloudResourceTagApplyConfiguration `json:"resourceTags,omitempty"`
+	// region specifies the region for Alibaba Cloud resources created for the cluster.
+	Region *string `json:"region,omitempty"`
+	// resourceGroupID is the ID of the resource group for the cluster.
+	ResourceGroupID *string `json:"resourceGroupID,omitempty"`
+	// resourceTags is a list of additional tags to apply to Alibaba Cloud resources created for the cluster.
+	ResourceTags []AlibabaCloudResourceTagApplyConfiguration `json:"resourceTags,omitempty"`
 }
 
 // AlibabaCloudPlatformStatusApplyConfiguration constructs a declarative configuration of the AlibabaCloudPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go
index 38fef6d50a30c..179408726f579 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go
@@ -4,8 +4,12 @@ package v1
 
 // AlibabaCloudResourceTagApplyConfiguration represents a declarative configuration of the AlibabaCloudResourceTag type for use
 // with apply.
+//
+// AlibabaCloudResourceTag is the set of tags to add to apply to resources.
 type AlibabaCloudResourceTagApplyConfiguration struct {
-	Key   *string `json:"key,omitempty"`
+	// key is the key of the tag.
+	Key *string `json:"key,omitempty"`
+	// value is the value of the tag.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go
index df593a6662704..7189ef6172e64 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go
@@ -13,11 +13,21 @@ import (
 
 // APIServerApplyConfiguration represents a declarative configuration of the APIServer type for use
 // with apply.
+//
+// APIServer holds configuration (like serving certificates, client CA and CORS domains)
+// shared by all API servers in the system, among them especially kube-apiserver
+// and openshift-apiserver. The canonical name of an instance is 'cluster'.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type APIServerApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *APIServerSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.APIServerStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *APIServerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1.APIServerStatus `json:"status,omitempty"`
 }
 
 // APIServer constructs a declarative configuration of the APIServer type for use with
@@ -30,6 +40,26 @@ func APIServer(name string) *APIServerApplyConfiguration {
 	return b
 }
 
+// ExtractAPIServerFrom extracts the applied configuration owned by fieldManager from
+// aPIServer for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// aPIServer must be a unmodified APIServer API object that was retrieved from the Kubernetes API.
+// ExtractAPIServerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractAPIServerFrom(aPIServer *configv1.APIServer, fieldManager string, subresource string) (*APIServerApplyConfiguration, error) {
+	b := &APIServerApplyConfiguration{}
+	err := managedfields.ExtractInto(aPIServer, internal.Parser().Type("com.github.openshift.api.config.v1.APIServer"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(aPIServer.Name)
+
+	b.WithKind("APIServer")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractAPIServer extracts the applied configuration owned by fieldManager from
 // aPIServer. If no managedFields are found in aPIServer for fieldManager, a
 // APIServerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +70,16 @@ func APIServer(name string) *APIServerApplyConfiguration {
 // ExtractAPIServer provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractAPIServer(aPIServer *configv1.APIServer, fieldManager string) (*APIServerApplyConfiguration, error) {
-	return extractAPIServer(aPIServer, fieldManager, "")
+	return ExtractAPIServerFrom(aPIServer, fieldManager, "")
 }
 
-// ExtractAPIServerStatus is the same as ExtractAPIServer except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractAPIServerStatus extracts the applied configuration owned by fieldManager from
+// aPIServer for the status subresource.
 func ExtractAPIServerStatus(aPIServer *configv1.APIServer, fieldManager string) (*APIServerApplyConfiguration, error) {
-	return extractAPIServer(aPIServer, fieldManager, "status")
+	return ExtractAPIServerFrom(aPIServer, fieldManager, "status")
 }
 
-func extractAPIServer(aPIServer *configv1.APIServer, fieldManager string, subresource string) (*APIServerApplyConfiguration, error) {
-	b := &APIServerApplyConfiguration{}
-	err := managedfields.ExtractInto(aPIServer, internal.Parser().Type("com.github.openshift.api.config.v1.APIServer"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(aPIServer.Name)
-
-	b.WithKind("APIServer")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b APIServerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go
index 06b34856cf1f5..f4214f6a9d6ee 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go
@@ -8,9 +8,31 @@ import (
 
 // APIServerEncryptionApplyConfiguration represents a declarative configuration of the APIServerEncryption type for use
 // with apply.
+//
+// APIServerEncryption is used to encrypt sensitive resources on the cluster.
 type APIServerEncryptionApplyConfiguration struct {
-	Type *configv1.EncryptionType     `json:"type,omitempty"`
-	KMS  *KMSConfigApplyConfiguration `json:"kms,omitempty"`
+	// type defines what encryption type should be used to encrypt resources at the datastore layer.
+	// When this field is unset (i.e. when it is set to the empty string), identity is implied.
+	// The behavior of unset can and will change over time.  Even if encryption is enabled by default,
+	// the meaning of unset may change to a different encryption type based on changes in best practices.
+	//
+	// When encryption is enabled, all sensitive resources shipped with the platform are encrypted.
+	// This list of sensitive resources can and will change over time.  The current authoritative list is:
+	//
+	// 1. secrets
+	// 2. configmaps
+	// 3. routes.route.openshift.io
+	// 4. oauthaccesstokens.oauth.openshift.io
+	// 5. oauthauthorizetokens.oauth.openshift.io
+	Type *configv1.EncryptionType `json:"type,omitempty"`
+	// kms defines the configuration for the external KMS instance that manages the encryption keys,
+	// when KMS encryption is enabled sensitive resources will be encrypted using keys managed by an
+	// externally configured KMS instance.
+	//
+	// The Key Management Service (KMS) instance provides symmetric encryption and is responsible for
+	// managing the lifecyle of the encryption keys outside of the control plane.
+	// This allows integration with an external provider to manage the data encryption keys securely.
+	KMS *KMSConfigApplyConfiguration `json:"kms,omitempty"`
 }
 
 // APIServerEncryptionApplyConfiguration constructs a declarative configuration of the APIServerEncryption type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go
index ae1f76215d75b..385ad9563c3ac 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go
@@ -4,8 +4,17 @@ package v1
 
 // APIServerNamedServingCertApplyConfiguration represents a declarative configuration of the APIServerNamedServingCert type for use
 // with apply.
+//
+// APIServerNamedServingCert maps a server DNS name, as understood by a client, to a certificate.
 type APIServerNamedServingCertApplyConfiguration struct {
-	Names              []string                               `json:"names,omitempty"`
+	// names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to
+	// serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates.
+	// Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names.
+	Names []string `json:"names,omitempty"`
+	// servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic.
+	// The secret must exist in the openshift-config namespace and contain the following required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	// - Secret.Data["tls.crt"] - TLS certificate.
 	ServingCertificate *SecretNameReferenceApplyConfiguration `json:"servingCertificate,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go
index 963bea3053b11..4972c3c94037f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go
@@ -5,6 +5,9 @@ package v1
 // APIServerServingCertsApplyConfiguration represents a declarative configuration of the APIServerServingCerts type for use
 // with apply.
 type APIServerServingCertsApplyConfiguration struct {
+	// namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames.
+	// If no named certificates are provided, or no named certificates match the server name as understood by a client,
+	// the defaultServingCertificate will be used.
 	NamedCertificates []APIServerNamedServingCertApplyConfiguration `json:"namedCertificates,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go
index 58f4b0eece5d1..5b674ae05d8a4 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go
@@ -5,12 +5,30 @@ package v1
 // APIServerSpecApplyConfiguration represents a declarative configuration of the APIServerSpec type for use
 // with apply.
 type APIServerSpecApplyConfiguration struct {
-	ServingCerts                 *APIServerServingCertsApplyConfiguration  `json:"servingCerts,omitempty"`
-	ClientCA                     *ConfigMapNameReferenceApplyConfiguration `json:"clientCA,omitempty"`
-	AdditionalCORSAllowedOrigins []string                                  `json:"additionalCORSAllowedOrigins,omitempty"`
-	Encryption                   *APIServerEncryptionApplyConfiguration    `json:"encryption,omitempty"`
-	TLSSecurityProfile           *TLSSecurityProfileApplyConfiguration     `json:"tlsSecurityProfile,omitempty"`
-	Audit                        *AuditApplyConfiguration                  `json:"audit,omitempty"`
+	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
+	// will be used for serving secure traffic.
+	ServingCerts *APIServerServingCertsApplyConfiguration `json:"servingCerts,omitempty"`
+	// clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for
+	// incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid.
+	// You usually only have to set this if you have your own PKI you wish to honor client certificates from.
+	// The ConfigMap must exist in the openshift-config namespace and contain the following required fields:
+	// - ConfigMap.Data["ca-bundle.crt"] - CA bundle.
+	ClientCA *ConfigMapNameReferenceApplyConfiguration `json:"clientCA,omitempty"`
+	// additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the
+	// API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth
+	// server from JavaScript applications.
+	// The values are regular expressions that correspond to the Golang regular expression language.
+	AdditionalCORSAllowedOrigins []string `json:"additionalCORSAllowedOrigins,omitempty"`
+	// encryption allows the configuration of encryption of resources at the datastore layer.
+	Encryption *APIServerEncryptionApplyConfiguration `json:"encryption,omitempty"`
+	// tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default is the Intermediate profile.
+	TLSSecurityProfile *TLSSecurityProfileApplyConfiguration `json:"tlsSecurityProfile,omitempty"`
+	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
+	// API servers in the cluster.
+	Audit *AuditApplyConfiguration `json:"audit,omitempty"`
 }
 
 // APIServerSpecApplyConfiguration constructs a declarative configuration of the APIServerSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go
index a07c9788c3852..a5483d5c7fc2c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go
@@ -9,7 +9,31 @@ import (
 // AuditApplyConfiguration represents a declarative configuration of the Audit type for use
 // with apply.
 type AuditApplyConfiguration struct {
-	Profile     *configv1.AuditProfileType          `json:"profile,omitempty"`
+	// profile specifies the name of the desired top-level audit profile to be applied to all requests
+	// sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver,
+	// openshift-apiserver and oauth-apiserver), with the exception of those requests that match
+	// one or more of the customRules.
+	//
+	// The following profiles are provided:
+	// - Default: default policy which means MetaData level logging with the exception of events
+	// (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody
+	// level).
+	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+	// write requests (create, update, patch).
+	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+	// HTTP payloads for read requests (get, list).
+	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+	//
+	// Warning: It is not recommended to disable audit logging by using the `None` profile unless you
+	// are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues.
+	// If you disable audit logging and a support situation arises, you might need to enable audit logging
+	// and reproduce the issue in order to troubleshoot properly.
+	//
+	// If unset, the 'Default' profile is used as the default.
+	Profile *configv1.AuditProfileType `json:"profile,omitempty"`
+	// customRules specify profiles per group. These profile take precedence over the
+	// top-level profile field if they apply. They are evaluation from top to bottom and
+	// the first one that matches, applies.
 	CustomRules []AuditCustomRuleApplyConfiguration `json:"customRules,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go
index 33a696d77f087..f029288aabb61 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go
@@ -8,8 +8,24 @@ import (
 
 // AuditCustomRuleApplyConfiguration represents a declarative configuration of the AuditCustomRule type for use
 // with apply.
+//
+// AuditCustomRule describes a custom rule for an audit profile that takes precedence over
+// the top-level profile.
 type AuditCustomRuleApplyConfiguration struct {
-	Group   *string                    `json:"group,omitempty"`
+	// group is a name of group a request user must be member of in order to this profile to apply.
+	Group *string `json:"group,omitempty"`
+	// profile specifies the name of the desired audit policy configuration to be deployed to
+	// all OpenShift-provided API servers in the cluster.
+	//
+	// The following profiles are provided:
+	// - Default: the existing default policy.
+	// - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for
+	// write requests (create, update, patch).
+	// - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response
+	// HTTP payloads for read requests (get, list).
+	// - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens.
+	//
+	// If unset, the 'Default' profile is used as the default.
 	Profile *configv1.AuditProfileType `json:"profile,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go
index 39d260e546167..f407d372c5960 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go
@@ -13,11 +13,20 @@ import (
 
 // AuthenticationApplyConfiguration represents a declarative configuration of the Authentication type for use
 // with apply.
+//
+// Authentication specifies cluster-wide settings for authentication (like OAuth and
+// webhook token authenticators). The canonical name of an instance is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type AuthenticationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *AuthenticationSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *AuthenticationStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *AuthenticationSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *AuthenticationStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Authentication constructs a declarative configuration of the Authentication type for use with
@@ -30,6 +39,26 @@ func Authentication(name string) *AuthenticationApplyConfiguration {
 	return b
 }
 
+// ExtractAuthenticationFrom extracts the applied configuration owned by fieldManager from
+// authentication for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// authentication must be a unmodified Authentication API object that was retrieved from the Kubernetes API.
+// ExtractAuthenticationFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractAuthenticationFrom(authentication *configv1.Authentication, fieldManager string, subresource string) (*AuthenticationApplyConfiguration, error) {
+	b := &AuthenticationApplyConfiguration{}
+	err := managedfields.ExtractInto(authentication, internal.Parser().Type("com.github.openshift.api.config.v1.Authentication"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(authentication.Name)
+
+	b.WithKind("Authentication")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractAuthentication extracts the applied configuration owned by fieldManager from
 // authentication. If no managedFields are found in authentication for fieldManager, a
 // AuthenticationApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func Authentication(name string) *AuthenticationApplyConfiguration {
 // ExtractAuthentication provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractAuthentication(authentication *configv1.Authentication, fieldManager string) (*AuthenticationApplyConfiguration, error) {
-	return extractAuthentication(authentication, fieldManager, "")
+	return ExtractAuthenticationFrom(authentication, fieldManager, "")
 }
 
-// ExtractAuthenticationStatus is the same as ExtractAuthentication except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractAuthenticationStatus extracts the applied configuration owned by fieldManager from
+// authentication for the status subresource.
 func ExtractAuthenticationStatus(authentication *configv1.Authentication, fieldManager string) (*AuthenticationApplyConfiguration, error) {
-	return extractAuthentication(authentication, fieldManager, "status")
+	return ExtractAuthenticationFrom(authentication, fieldManager, "status")
 }
 
-func extractAuthentication(authentication *configv1.Authentication, fieldManager string, subresource string) (*AuthenticationApplyConfiguration, error) {
-	b := &AuthenticationApplyConfiguration{}
-	err := managedfields.ExtractInto(authentication, internal.Parser().Type("com.github.openshift.api.config.v1.Authentication"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(authentication.Name)
-
-	b.WithKind("Authentication")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b AuthenticationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go
index b2ac362786cd6..3653cf676a53c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go
@@ -9,12 +9,46 @@ import (
 // AuthenticationSpecApplyConfiguration represents a declarative configuration of the AuthenticationSpec type for use
 // with apply.
 type AuthenticationSpecApplyConfiguration struct {
-	Type                       *configv1.AuthenticationType                            `json:"type,omitempty"`
-	OAuthMetadata              *ConfigMapNameReferenceApplyConfiguration               `json:"oauthMetadata,omitempty"`
+	// type identifies the cluster managed, user facing authentication mode in use.
+	// Specifically, it manages the component that responds to login attempts.
+	// The default is IntegratedOAuth.
+	Type *configv1.AuthenticationType `json:"type,omitempty"`
+	// oauthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for an external OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// If oauthMetadata.name is non-empty, this value has precedence
+	// over any metadata reference stored in status.
+	// The key "oauthMetadata" is used to locate the data.
+	// If specified and the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config.
+	OAuthMetadata *ConfigMapNameReferenceApplyConfiguration `json:"oauthMetadata,omitempty"`
+	// webhookTokenAuthenticators is DEPRECATED, setting it has no effect.
 	WebhookTokenAuthenticators []DeprecatedWebhookTokenAuthenticatorApplyConfiguration `json:"webhookTokenAuthenticators,omitempty"`
-	WebhookTokenAuthenticator  *WebhookTokenAuthenticatorApplyConfiguration            `json:"webhookTokenAuthenticator,omitempty"`
-	ServiceAccountIssuer       *string                                                 `json:"serviceAccountIssuer,omitempty"`
-	OIDCProviders              []OIDCProviderApplyConfiguration                        `json:"oidcProviders,omitempty"`
+	// webhookTokenAuthenticator configures a remote token reviewer.
+	// These remote authentication webhooks can be used to verify bearer tokens
+	// via the tokenreviews.authentication.k8s.io REST API. This is required to
+	// honor bearer tokens that are provisioned by an external authentication service.
+	//
+	// Can only be set if "Type" is set to "None".
+	WebhookTokenAuthenticator *WebhookTokenAuthenticatorApplyConfiguration `json:"webhookTokenAuthenticator,omitempty"`
+	// serviceAccountIssuer is the identifier of the bound service account token
+	// issuer.
+	// The default is https://kubernetes.default.svc
+	// WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the
+	// previous issuer value. Instead, the tokens issued by previous service account issuer will continue to
+	// be trusted for a time period chosen by the platform (currently set to 24h).
+	// This time period is subject to change over time.
+	// This allows internal components to transition to use new service account issuer without service distruption.
+	ServiceAccountIssuer *string `json:"serviceAccountIssuer,omitempty"`
+	// oidcProviders are OIDC identity providers that can issue tokens for this cluster
+	// Can only be set if "Type" is set to "OIDC".
+	//
+	// At most one provider can be configured.
+	OIDCProviders []OIDCProviderApplyConfiguration `json:"oidcProviders,omitempty"`
 }
 
 // AuthenticationSpecApplyConfiguration constructs a declarative configuration of the AuthenticationSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go
index 1539f164b4ba9..e8ae75aea7297 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go
@@ -5,8 +5,22 @@ package v1
 // AuthenticationStatusApplyConfiguration represents a declarative configuration of the AuthenticationStatus type for use
 // with apply.
 type AuthenticationStatusApplyConfiguration struct {
+	// integratedOAuthMetadata contains the discovery endpoint data for OAuth 2.0
+	// Authorization Server Metadata for the in-cluster integrated OAuth server.
+	// This discovery document can be viewed from its served location:
+	// oc get --raw '/.well-known/oauth-authorization-server'
+	// For further details, see the IETF Draft:
+	// https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
+	// This contains the observed value based on cluster state.
+	// An explicitly set value in spec.oauthMetadata has precedence over this field.
+	// This field has no meaning if authentication spec.type is not set to IntegratedOAuth.
+	// The key "oauthMetadata" is used to locate the data.
+	// If the config map or expected key is not found, no metadata is served.
+	// If the specified metadata is not valid, no metadata is served.
+	// The namespace for this config map is openshift-config-managed.
 	IntegratedOAuthMetadata *ConfigMapNameReferenceApplyConfiguration `json:"integratedOAuthMetadata,omitempty"`
-	OIDCClients             []OIDCClientStatusApplyConfiguration      `json:"oidcClients,omitempty"`
+	// oidcClients is where participating operators place the current OIDC client status for OIDC clients that can be customized by the cluster-admin.
+	OIDCClients []OIDCClientStatusApplyConfiguration `json:"oidcClients,omitempty"`
 }
 
 // AuthenticationStatusApplyConfiguration constructs a declarative configuration of the AuthenticationStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go
index 8ad662e23c9c3..ec57615082cac 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go
@@ -4,7 +4,12 @@ package v1
 
 // AWSDNSSpecApplyConfiguration represents a declarative configuration of the AWSDNSSpec type for use
 // with apply.
+//
+// AWSDNSSpec contains DNS configuration specific to the Amazon Web Services cloud provider.
 type AWSDNSSpecApplyConfiguration struct {
+	// privateZoneIAMRole contains the ARN of an IAM role that should be assumed when performing
+	// operations on the cluster's private hosted zone specified in the cluster DNS config.
+	// When left empty, no role should be assumed.
 	PrivateZoneIAMRole *string `json:"privateZoneIAMRole,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go
index e67e671117c7f..8b36891a58f3d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go
@@ -8,7 +8,25 @@ import (
 
 // AWSIngressSpecApplyConfiguration represents a declarative configuration of the AWSIngressSpec type for use
 // with apply.
+//
+// AWSIngressSpec holds the desired state of the Ingress for Amazon Web Services infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type AWSIngressSpecApplyConfiguration struct {
+	// type allows user to set a load balancer type.
+	// When this field is set the default ingresscontroller will get created using the specified LBType.
+	// If this field is not set then the default ingress controller of LBType Classic will be created.
+	// Valid values are:
+	//
+	// * "Classic": A Classic Load Balancer that makes routing decisions at either
+	// the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See
+	// the following for additional details:
+	//
+	// https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb
+	//
+	// * "NLB": A Network Load Balancer that makes routing decisions at the
+	// transport layer (TCP/SSL). See the following for additional details:
+	//
+	// https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb
 	Type *configv1.AWSLBType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go
index d09f6cbf61963..483e570da2dd2 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go
@@ -4,8 +4,18 @@ package v1
 
 // AWSKMSConfigApplyConfiguration represents a declarative configuration of the AWSKMSConfig type for use
 // with apply.
+//
+// AWSKMSConfig defines the KMS config specific to AWS KMS provider
 type AWSKMSConfigApplyConfiguration struct {
+	// keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption.
+	// The value must adhere to the format `arn:aws:kms:<region>:<account_id>:key/<key_id>`, where:
+	// - `<region>` is the AWS region consisting of lowercase letters and hyphens followed by a number.
+	// - `<account_id>` is a 12-digit numeric identifier for the AWS account.
+	// - `<key_id>` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.
 	KeyARN *string `json:"keyARN,omitempty"`
+	// region specifies the AWS region where the KMS instance exists, and follows the format
+	// `<region-prefix>-<region-name>-<number>`, e.g.: `us-east-1`.
+	// Only lowercase letters and hyphens followed by numbers are allowed.
 	Region *string `json:"region,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go
index 85361e7a2ced6..710a769f99b7b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go
@@ -4,7 +4,13 @@ package v1
 
 // AWSPlatformSpecApplyConfiguration represents a declarative configuration of the AWSPlatformSpec type for use
 // with apply.
+//
+// AWSPlatformSpec holds the desired state of the Amazon Web Services infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type AWSPlatformSpecApplyConfiguration struct {
+	// serviceEndpoints list contains custom endpoints which will override default
+	// service endpoint of AWS Services.
+	// There must be only one ServiceEndpoint for a service.
 	ServiceEndpoints []AWSServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go
index 53d86d2fdd9ce..33007c2103c8e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go
@@ -8,12 +8,32 @@ import (
 
 // AWSPlatformStatusApplyConfiguration represents a declarative configuration of the AWSPlatformStatus type for use
 // with apply.
+//
+// AWSPlatformStatus holds the current status of the Amazon Web Services infrastructure provider.
 type AWSPlatformStatusApplyConfiguration struct {
-	Region                  *string                                    `json:"region,omitempty"`
-	ServiceEndpoints        []AWSServiceEndpointApplyConfiguration     `json:"serviceEndpoints,omitempty"`
-	ResourceTags            []AWSResourceTagApplyConfiguration         `json:"resourceTags,omitempty"`
+	// region holds the default AWS region for new AWS resources created by the cluster.
+	Region *string `json:"region,omitempty"`
+	// serviceEndpoints list contains custom endpoints which will override default
+	// service endpoint of AWS Services.
+	// There must be only one ServiceEndpoint for a service.
+	ServiceEndpoints []AWSServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
+	// resourceTags is a list of additional tags to apply to AWS resources created for the cluster.
+	// See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources.
+	// AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags
+	// available for the user.
+	ResourceTags []AWSResourceTagApplyConfiguration `json:"resourceTags,omitempty"`
+	// cloudLoadBalancerConfig holds configuration related to DNS and cloud
+	// load balancers. It allows configuration of in-cluster DNS as an alternative
+	// to the platform default DNS implementation.
+	// When using the ClusterHosted DNS type, Load Balancer IP addresses
+	// must be provided for the API and internal API load balancers as well as the
+	// ingress load balancer.
 	CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"`
-	IPFamily                *configv1.IPFamilyType                     `json:"ipFamily,omitempty"`
+	// ipFamily specifies the IP protocol family that should be used for AWS
+	// network resources. This controls whether AWS resources are created with
+	// IPv4-only, or dual-stack networking with IPv4 or IPv6 as the primary
+	// protocol family.
+	IPFamily *configv1.IPFamilyType `json:"ipFamily,omitempty"`
 }
 
 // AWSPlatformStatusApplyConfiguration constructs a declarative configuration of the AWSPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go
index 766157a0732c7..d602bdeae5c8e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go
@@ -4,8 +4,18 @@ package v1
 
 // AWSResourceTagApplyConfiguration represents a declarative configuration of the AWSResourceTag type for use
 // with apply.
+//
+// AWSResourceTag is a tag to apply to AWS resources created for the cluster.
 type AWSResourceTagApplyConfiguration struct {
-	Key   *string `json:"key,omitempty"`
+	// key sets the key of the AWS resource tag key-value pair. Key is required when defining an AWS resource tag.
+	// Key should consist of between 1 and 128 characters, and may
+	// contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
+	Key *string `json:"key,omitempty"`
+	// value sets the value of the AWS resource tag key-value pair. Value is required when defining an AWS resource tag.
+	// Value should consist of between 1 and 256 characters, and may
+	// contain only the set of alphanumeric characters, space (' '), '_', '.', '/', '=', '+', '-', ':', and '@'.
+	// Some AWS service do not support empty values. Since tags are added to resources in many services, the
+	// length of the tag value must meet the requirements of all services.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go
index 5d4f38882ed5c..cde2d5cbf1946 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go
@@ -4,9 +4,18 @@ package v1
 
 // AWSServiceEndpointApplyConfiguration represents a declarative configuration of the AWSServiceEndpoint type for use
 // with apply.
+//
+// AWSServiceEndpoint store the configuration of a custom url to
+// override existing defaults of AWS Services.
 type AWSServiceEndpointApplyConfiguration struct {
+	// name is the name of the AWS service.
+	// The list of all the service names can be found at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html
+	// This must be provided and cannot be empty.
 	Name *string `json:"name,omitempty"`
-	URL  *string `json:"url,omitempty"`
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty.
+	URL *string `json:"url,omitempty"`
 }
 
 // AWSServiceEndpointApplyConfiguration constructs a declarative configuration of the AWSServiceEndpoint type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go
index 774641c8290a2..a3cf6c97c6b7e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go
@@ -8,14 +8,37 @@ import (
 
 // AzurePlatformStatusApplyConfiguration represents a declarative configuration of the AzurePlatformStatus type for use
 // with apply.
+//
+// AzurePlatformStatus holds the current status of the Azure infrastructure provider.
 type AzurePlatformStatusApplyConfiguration struct {
-	ResourceGroupName        *string                                    `json:"resourceGroupName,omitempty"`
-	NetworkResourceGroupName *string                                    `json:"networkResourceGroupName,omitempty"`
-	CloudName                *configv1.AzureCloudEnvironment            `json:"cloudName,omitempty"`
-	ARMEndpoint              *string                                    `json:"armEndpoint,omitempty"`
-	ResourceTags             []AzureResourceTagApplyConfiguration       `json:"resourceTags,omitempty"`
-	CloudLoadBalancerConfig  *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"`
-	IPFamily                 *configv1.IPFamilyType                     `json:"ipFamily,omitempty"`
+	// resourceGroupName is the Resource Group for new Azure resources created for the cluster.
+	ResourceGroupName *string `json:"resourceGroupName,omitempty"`
+	// networkResourceGroupName is the Resource Group for network resources like the Virtual Network and Subnets used by the cluster.
+	// If empty, the value is same as ResourceGroupName.
+	NetworkResourceGroupName *string `json:"networkResourceGroupName,omitempty"`
+	// cloudName is the name of the Azure cloud environment which can be used to configure the Azure SDK
+	// with the appropriate Azure API endpoints.
+	// If empty, the value is equal to `AzurePublicCloud`.
+	CloudName *configv1.AzureCloudEnvironment `json:"cloudName,omitempty"`
+	// armEndpoint specifies a URL to use for resource management in non-soverign clouds such as Azure Stack.
+	ARMEndpoint *string `json:"armEndpoint,omitempty"`
+	// resourceTags is a list of additional tags to apply to Azure resources created for the cluster.
+	// See https://docs.microsoft.com/en-us/rest/api/resources/tags for information on tagging Azure resources.
+	// Due to limitations on Automation, Content Delivery Network, DNS Azure resources, a maximum of 15 tags
+	// may be applied. OpenShift reserves 5 tags for internal use, allowing 10 tags for user configuration.
+	ResourceTags []AzureResourceTagApplyConfiguration `json:"resourceTags,omitempty"`
+	// cloudLoadBalancerConfig holds configuration related to DNS and cloud
+	// load balancers. It allows configuration of in-cluster DNS as an alternative
+	// to the platform default DNS implementation.
+	// When using the ClusterHosted DNS type, Load Balancer IP addresses
+	// must be provided for the API and internal API load balancers as well as the
+	// ingress load balancer.
+	CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"`
+	// ipFamily specifies the IP protocol family that should be used for Azure
+	// network resources. This controls whether Azure resources are created with
+	// IPv4-only, or dual-stack networking with IPv4 or IPv6 as the primary
+	// protocol family.
+	IPFamily *configv1.IPFamilyType `json:"ipFamily,omitempty"`
 }
 
 // AzurePlatformStatusApplyConfiguration constructs a declarative configuration of the AzurePlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go
index 980d2a1684082..6a170ace00333 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go
@@ -4,8 +4,15 @@ package v1
 
 // AzureResourceTagApplyConfiguration represents a declarative configuration of the AzureResourceTag type for use
 // with apply.
+//
+// AzureResourceTag is a tag to apply to Azure resources created for the cluster.
 type AzureResourceTagApplyConfiguration struct {
-	Key   *string `json:"key,omitempty"`
+	// key is the key part of the tag. A tag key can have a maximum of 128 characters and cannot be empty. Key
+	// must begin with a letter, end with a letter, number or underscore, and must contain only alphanumeric
+	// characters and the following special characters `_ . -`.
+	Key *string `json:"key,omitempty"`
+	// value is the value part of the tag. A tag value can have a maximum of 256 characters and cannot be empty. Value
+	// must contain only alphanumeric characters and the following special characters `_ + , - . / : ; < = > ? @`.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go
index 4a7405ad89756..feef004d01c22 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go
@@ -8,7 +8,18 @@ import (
 
 // BareMetalPlatformLoadBalancerApplyConfiguration represents a declarative configuration of the BareMetalPlatformLoadBalancer type for use
 // with apply.
+//
+// BareMetalPlatformLoadBalancer defines the load balancer used by the cluster on BareMetal platform.
 type BareMetalPlatformLoadBalancerApplyConfiguration struct {
+	// type defines the type of load balancer used by the cluster on BareMetal platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
 	Type *configv1.PlatformLoadBalancerType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go
index 81d8087751fd8..bb3e073e71420 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go
@@ -8,10 +8,33 @@ import (
 
 // BareMetalPlatformSpecApplyConfiguration represents a declarative configuration of the BareMetalPlatformSpec type for use
 // with apply.
+//
+// BareMetalPlatformSpec holds the desired state of the BareMetal infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type BareMetalPlatformSpecApplyConfiguration struct {
-	APIServerInternalIPs []configv1.IP   `json:"apiServerInternalIPs,omitempty"`
-	IngressIPs           []configv1.IP   `json:"ingressIPs,omitempty"`
-	MachineNetworks      []configv1.CIDR `json:"machineNetworks,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	APIServerInternalIPs []configv1.IP `json:"apiServerInternalIPs,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	IngressIPs []configv1.IP `json:"ingressIPs,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // BareMetalPlatformSpecApplyConfiguration constructs a declarative configuration of the BareMetalPlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go
index 315dc309cab55..1f6dd6df6b212 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go
@@ -8,15 +8,58 @@ import (
 
 // BareMetalPlatformStatusApplyConfiguration represents a declarative configuration of the BareMetalPlatformStatus type for use
 // with apply.
+//
+// BareMetalPlatformStatus holds the current status of the BareMetal infrastructure provider.
+// For more information about the network architecture used with the BareMetal platform type, see:
+// https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md
 type BareMetalPlatformStatusApplyConfiguration struct {
-	APIServerInternalIP  *string                                          `json:"apiServerInternalIP,omitempty"`
-	APIServerInternalIPs []string                                         `json:"apiServerInternalIPs,omitempty"`
-	IngressIP            *string                                          `json:"ingressIP,omitempty"`
-	IngressIPs           []string                                         `json:"ingressIPs,omitempty"`
-	NodeDNSIP            *string                                          `json:"nodeDNSIP,omitempty"`
-	LoadBalancer         *BareMetalPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
-	DNSRecordsType       *configv1.DNSRecordsType                         `json:"dnsRecordsType,omitempty"`
-	MachineNetworks      []configv1.CIDR                                  `json:"machineNetworks,omitempty"`
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	APIServerInternalIPs []string `json:"apiServerInternalIPs,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP *string `json:"ingressIP,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	IngressIPs []string `json:"ingressIPs,omitempty"`
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// BareMetal deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP *string `json:"nodeDNSIP,omitempty"`
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	LoadBalancer *BareMetalPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
+	// dnsRecordsType determines whether records for api, api-int, and ingress
+	// are provided by the internal DNS service or externally.
+	// Allowed values are `Internal`, `External`, and omitted.
+	// When set to `Internal`, records are provided by the internal infrastructure and
+	// no additional user configuration is required for the cluster to function.
+	// When set to `External`, records are not provided by the internal infrastructure
+	// and must be configured by the user on a DNS server outside the cluster.
+	// Cluster nodes must use this external server for their upstream DNS requests.
+	// This value may only be set when loadBalancer.type is set to UserManaged.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `Internal`.
+	DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // BareMetalPlatformStatusApplyConfiguration constructs a declarative configuration of the BareMetalPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go
index 88f30314dfeb3..68b7cb106e1be 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go
@@ -4,7 +4,10 @@ package v1
 
 // BasicAuthIdentityProviderApplyConfiguration represents a declarative configuration of the BasicAuthIdentityProvider type for use
 // with apply.
+//
+// BasicAuthPasswordIdentityProvider provides identities for users authenticating using HTTP basic auth credentials
 type BasicAuthIdentityProviderApplyConfiguration struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the external basic auth server
 	OAuthRemoteConnectionInfoApplyConfiguration `json:",inline"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go
index 6065052817e28..f44c227ace79a 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go
@@ -13,10 +13,20 @@ import (
 
 // BuildApplyConfiguration represents a declarative configuration of the Build type for use
 // with apply.
+//
+// Build configures the behavior of OpenShift builds for the entire cluster.
+// This includes default settings that can be overridden in BuildConfig objects, and overrides which are applied to all builds.
+//
+// The canonical name is "cluster"
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type BuildApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *BuildSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec holds user-settable values for the build controller configuration
+	Spec *BuildSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // Build constructs a declarative configuration of the Build type for use with
@@ -29,29 +39,14 @@ func Build(name string) *BuildApplyConfiguration {
 	return b
 }
 
-// ExtractBuild extracts the applied configuration owned by fieldManager from
-// build. If no managedFields are found in build for fieldManager, a
-// BuildApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractBuildFrom extracts the applied configuration owned by fieldManager from
+// build for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // build must be a unmodified Build API object that was retrieved from the Kubernetes API.
-// ExtractBuild provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractBuildFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractBuild(build *configv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
-	return extractBuild(build, fieldManager, "")
-}
-
-// ExtractBuildStatus is the same as ExtractBuild except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractBuildStatus(build *configv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
-	return extractBuild(build, fieldManager, "status")
-}
-
-func extractBuild(build *configv1.Build, fieldManager string, subresource string) (*BuildApplyConfiguration, error) {
+func ExtractBuildFrom(build *configv1.Build, fieldManager string, subresource string) (*BuildApplyConfiguration, error) {
 	b := &BuildApplyConfiguration{}
 	err := managedfields.ExtractInto(build, internal.Parser().Type("com.github.openshift.api.config.v1.Build"), fieldManager, b, subresource)
 	if err != nil {
@@ -63,6 +58,21 @@ func extractBuild(build *configv1.Build, fieldManager string, subresource string
 	b.WithAPIVersion("config.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractBuild extracts the applied configuration owned by fieldManager from
+// build. If no managedFields are found in build for fieldManager, a
+// BuildApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// build must be a unmodified Build API object that was retrieved from the Kubernetes API.
+// ExtractBuild provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractBuild(build *configv1.Build, fieldManager string) (*BuildApplyConfiguration, error) {
+	return ExtractBuildFrom(build, fieldManager, "")
+}
+
 func (b BuildApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go
index ece9244191b41..33fa94f145409 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go
@@ -9,11 +9,26 @@ import (
 // BuildDefaultsApplyConfiguration represents a declarative configuration of the BuildDefaults type for use
 // with apply.
 type BuildDefaultsApplyConfiguration struct {
-	DefaultProxy *ProxySpecApplyConfiguration   `json:"defaultProxy,omitempty"`
-	GitProxy     *ProxySpecApplyConfiguration   `json:"gitProxy,omitempty"`
-	Env          []corev1.EnvVar                `json:"env,omitempty"`
-	ImageLabels  []ImageLabelApplyConfiguration `json:"imageLabels,omitempty"`
-	Resources    *corev1.ResourceRequirements   `json:"resources,omitempty"`
+	// defaultProxy contains the default proxy settings for all build operations, including image pull/push
+	// and source download.
+	//
+	// Values can be overrode by setting the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables
+	// in the build config's strategy.
+	DefaultProxy *ProxySpecApplyConfiguration `json:"defaultProxy,omitempty"`
+	// gitProxy contains the proxy settings for git operations only. If set, this will override
+	// any Proxy settings for all git commands, such as git clone.
+	//
+	// Values that are not set here will be inherited from DefaultProxy.
+	GitProxy *ProxySpecApplyConfiguration `json:"gitProxy,omitempty"`
+	// env is a set of default environment variables that will be applied to the
+	// build if the specified variables do not exist on the build
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// imageLabels is a list of docker labels that are applied to the resulting image.
+	// User can override a default label by providing a label with the same name in their
+	// Build/BuildConfig.
+	ImageLabels []ImageLabelApplyConfiguration `json:"imageLabels,omitempty"`
+	// resources defines resource requirements to execute the build.
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
 // BuildDefaultsApplyConfiguration constructs a declarative configuration of the BuildDefaults type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go
index 948bc9e8a2e08..669d5e02cd665 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go
@@ -9,10 +9,20 @@ import (
 // BuildOverridesApplyConfiguration represents a declarative configuration of the BuildOverrides type for use
 // with apply.
 type BuildOverridesApplyConfiguration struct {
-	ImageLabels  []ImageLabelApplyConfiguration `json:"imageLabels,omitempty"`
-	NodeSelector map[string]string              `json:"nodeSelector,omitempty"`
-	Tolerations  []corev1.Toleration            `json:"tolerations,omitempty"`
-	ForcePull    *bool                          `json:"forcePull,omitempty"`
+	// imageLabels is a list of docker labels that are applied to the resulting image.
+	// If user provided a label in their Build/BuildConfig with the same name as one in this
+	// list, the user's label will be overwritten.
+	ImageLabels []ImageLabelApplyConfiguration `json:"imageLabels,omitempty"`
+	// nodeSelector is a selector which must be true for the build pod to fit on a node
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations is a list of Tolerations that will override any existing
+	// tolerations set on a build pod.
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+	// forcePull overrides, if set, the equivalent value in the builds,
+	// i.e. false disables force pull for all builds,
+	// true enables force pull for all builds,
+	// independently of what each build specifies itself
+	ForcePull *bool `json:"forcePull,omitempty"`
 }
 
 // BuildOverridesApplyConfiguration constructs a declarative configuration of the BuildOverrides type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go
index 1b8cb7054e271..e30fd76f1c026 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go
@@ -5,9 +5,17 @@ package v1
 // BuildSpecApplyConfiguration represents a declarative configuration of the BuildSpec type for use
 // with apply.
 type BuildSpecApplyConfiguration struct {
+	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted for image pushes and pulls during builds.
+	// The namespace for this config map is openshift-config.
+	//
+	// DEPRECATED: Additional CAs for image pull and push should be set on
+	// image.config.openshift.io/cluster instead.
 	AdditionalTrustedCA *ConfigMapNameReferenceApplyConfiguration `json:"additionalTrustedCA,omitempty"`
-	BuildDefaults       *BuildDefaultsApplyConfiguration          `json:"buildDefaults,omitempty"`
-	BuildOverrides      *BuildOverridesApplyConfiguration         `json:"buildOverrides,omitempty"`
+	// buildDefaults controls the default information for Builds
+	BuildDefaults *BuildDefaultsApplyConfiguration `json:"buildDefaults,omitempty"`
+	// buildOverrides controls override settings for builds
+	BuildOverrides *BuildOverridesApplyConfiguration `json:"buildOverrides,omitempty"`
 }
 
 // BuildSpecApplyConfiguration constructs a declarative configuration of the BuildSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go
index 79850b75e138b..efc48bab6205e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go
@@ -8,7 +8,18 @@ import (
 
 // CloudControllerManagerStatusApplyConfiguration represents a declarative configuration of the CloudControllerManagerStatus type for use
 // with apply.
+//
+// CloudControllerManagerStatus holds the state of Cloud Controller Manager (a.k.a. CCM or CPI) related settings
 type CloudControllerManagerStatusApplyConfiguration struct {
+	// state determines whether or not an external Cloud Controller Manager is expected to
+	// be installed within the cluster.
+	// https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/#running-cloud-controller-manager
+	//
+	// Valid values are "External", "None" and omitted.
+	// When set to "External", new nodes will be tainted as uninitialized when created,
+	// preventing them from running workloads until they are initialized by the cloud controller manager.
+	// When omitted or set to "None", new nodes will be not tainted
+	// and no extra initialization from the cloud controller manager is expected.
 	State *configv1.CloudControllerManagerState `json:"state,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go
index d73faf3f20a0a..e4677d1974d54 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go
@@ -8,8 +8,27 @@ import (
 
 // CloudLoadBalancerConfigApplyConfiguration represents a declarative configuration of the CloudLoadBalancerConfig type for use
 // with apply.
+//
+// CloudLoadBalancerConfig contains an union discriminator indicating the type of DNS
+// solution in use within the cluster. When the DNSType is `ClusterHosted`, the cloud's
+// Load Balancer configuration needs to be provided so that the DNS solution hosted
+// within the cluster can be configured with those values.
 type CloudLoadBalancerConfigApplyConfiguration struct {
-	DNSType       *configv1.DNSType                       `json:"dnsType,omitempty"`
+	// dnsType indicates the type of DNS solution in use within the cluster. Its default value of
+	// `PlatformDefault` indicates that the cluster's DNS is the default provided by the cloud platform.
+	// It can be set to `ClusterHosted` to bypass the configuration of the cloud default DNS. In this mode,
+	// the cluster needs to provide a self-hosted DNS solution for the cluster's installation to succeed.
+	// The cluster's use of the cloud's Load Balancers is unaffected by this setting.
+	// The value is immutable after it has been set at install time.
+	// Currently, there is no way for the customer to add additional DNS entries into the cluster hosted DNS.
+	// Enabling this functionality allows the user to start their own DNS solution outside the cluster after
+	// installation is complete. The customer would be responsible for configuring this custom DNS solution,
+	// and it can be run in addition to the in-cluster DNS solution.
+	DNSType *configv1.DNSType `json:"dnsType,omitempty"`
+	// clusterHosted holds the IP addresses of API, API-Int and Ingress Load
+	// Balancers on Cloud Platforms. The DNS solution hosted within the cluster
+	// use these IP addresses to provide resolution for API, API-Int and Ingress
+	// services.
 	ClusterHosted *CloudLoadBalancerIPsApplyConfiguration `json:"clusterHosted,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go
index ce7f258509a02..1ac93beee0536 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go
@@ -8,9 +8,27 @@ import (
 
 // CloudLoadBalancerIPsApplyConfiguration represents a declarative configuration of the CloudLoadBalancerIPs type for use
 // with apply.
+//
+// CloudLoadBalancerIPs contains the Load Balancer IPs for the cloud's API,
+// API-Int and Ingress Load balancers. They will be populated as soon as the
+// respective Load Balancers have been configured. These values are utilized
+// to configure the DNS solution hosted within the cluster.
 type CloudLoadBalancerIPsApplyConfiguration struct {
-	APIIntLoadBalancerIPs  []configv1.IP `json:"apiIntLoadBalancerIPs,omitempty"`
-	APILoadBalancerIPs     []configv1.IP `json:"apiLoadBalancerIPs,omitempty"`
+	// apiIntLoadBalancerIPs holds Load Balancer IPs for the internal API service.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Entries in the apiIntLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
+	APIIntLoadBalancerIPs []configv1.IP `json:"apiIntLoadBalancerIPs,omitempty"`
+	// apiLoadBalancerIPs holds Load Balancer IPs for the API service.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Could be empty for private clusters.
+	// Entries in the apiLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
+	APILoadBalancerIPs []configv1.IP `json:"apiLoadBalancerIPs,omitempty"`
+	// ingressLoadBalancerIPs holds IPs for Ingress Load Balancers.
+	// These Load Balancer IP addresses can be IPv4 and/or IPv6 addresses.
+	// Entries in the ingressLoadBalancerIPs must be unique.
+	// A maximum of 16 IP addresses are permitted.
 	IngressLoadBalancerIPs []configv1.IP `json:"ingressLoadBalancerIPs,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go
index d71c182cf1dc1..fddf4243d6d79 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go
@@ -4,8 +4,16 @@ package v1
 
 // ClusterConditionApplyConfiguration represents a declarative configuration of the ClusterCondition type for use
 // with apply.
+//
+// ClusterCondition is a union of typed cluster conditions.  The 'type'
+// property determines which of the type-specific properties are relevant.
+// When evaluated on a cluster, the condition may match, not match, or
+// fail to evaluate.
 type ClusterConditionApplyConfiguration struct {
-	Type   *string                                   `json:"type,omitempty"`
+	// type represents the cluster-condition type. This defines
+	// the members and semantics of any additional properties.
+	Type *string `json:"type,omitempty"`
+	// promql represents a cluster condition based on PromQL.
 	PromQL *PromQLClusterConditionApplyConfiguration `json:"promql,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go
index eb722c57256d2..82e34d1129027 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go
@@ -13,11 +13,19 @@ import (
 
 // ClusterImagePolicyApplyConfiguration represents a declarative configuration of the ClusterImagePolicy type for use
 // with apply.
+//
+// # ClusterImagePolicy holds cluster-wide configuration for image signature verification
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterImagePolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ClusterImagePolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec contains the configuration for the cluster image policy.
+	Spec *ClusterImagePolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ClusterImagePolicy constructs a declarative configuration of the ClusterImagePolicy type for use with
@@ -30,6 +38,26 @@ func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration {
 	return b
 }
 
+// ExtractClusterImagePolicyFrom extracts the applied configuration owned by fieldManager from
+// clusterImagePolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterImagePolicy must be a unmodified ClusterImagePolicy API object that was retrieved from the Kubernetes API.
+// ExtractClusterImagePolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterImagePolicyFrom(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) {
+	b := &ClusterImagePolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterImagePolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterImagePolicy.Name)
+
+	b.WithKind("ClusterImagePolicy")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractClusterImagePolicy extracts the applied configuration owned by fieldManager from
 // clusterImagePolicy. If no managedFields are found in clusterImagePolicy for fieldManager, a
 // ClusterImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration {
 // ExtractClusterImagePolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterImagePolicy(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) {
-	return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "")
+	return ExtractClusterImagePolicyFrom(clusterImagePolicy, fieldManager, "")
 }
 
-// ExtractClusterImagePolicyStatus is the same as ExtractClusterImagePolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterImagePolicyStatus extracts the applied configuration owned by fieldManager from
+// clusterImagePolicy for the status subresource.
 func ExtractClusterImagePolicyStatus(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) {
-	return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "status")
+	return ExtractClusterImagePolicyFrom(clusterImagePolicy, fieldManager, "status")
 }
 
-func extractClusterImagePolicy(clusterImagePolicy *configv1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) {
-	b := &ClusterImagePolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterImagePolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterImagePolicy.Name)
-
-	b.WithKind("ClusterImagePolicy")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ClusterImagePolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go
index 6c86d66d472b4..fc0abdc0b648a 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go
@@ -8,9 +8,24 @@ import (
 
 // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use
 // with apply.
+//
+// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.
 type ClusterImagePolicySpecApplyConfiguration struct {
-	Scopes []configv1.ImageScope     `json:"scopes,omitempty"`
-	Policy *PolicyApplyConfiguration `json:"policy,omitempty"`
+	// scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+	Scopes []configv1.ImageScope `json:"scopes,omitempty"`
+	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"`
 }
 
 // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with
@@ -32,7 +47,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1
 // WithPolicy sets the Policy field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Policy field is set to the value of the last call.
-func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration {
+func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration {
 	b.Policy = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go
index f508f70912d51..abcfa5ea82d43 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go
@@ -9,6 +9,7 @@ import (
 // ClusterImagePolicyStatusApplyConfiguration represents a declarative configuration of the ClusterImagePolicyStatus type for use
 // with apply.
 type ClusterImagePolicyStatusApplyConfiguration struct {
+	// conditions provide details on the status of this API Resource.
 	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go
index ac180f893d332..790ab500f515e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go
@@ -4,8 +4,14 @@ package v1
 
 // ClusterNetworkEntryApplyConfiguration represents a declarative configuration of the ClusterNetworkEntry type for use
 // with apply.
+//
+// ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs
+// are allocated.
 type ClusterNetworkEntryApplyConfiguration struct {
-	CIDR       *string `json:"cidr,omitempty"`
+	// The complete block for pod IPs.
+	CIDR *string `json:"cidr,omitempty"`
+	// The size (prefix) of block to allocate to each node. If this
+	// field is not used by the plugin, it can be left unset.
 	HostPrefix *uint32 `json:"hostPrefix,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go
index 66f1d19881b61..d0adae3dcb302 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go
@@ -13,11 +13,21 @@ import (
 
 // ClusterOperatorApplyConfiguration represents a declarative configuration of the ClusterOperator type for use
 // with apply.
+//
+// ClusterOperator holds the status of a core or optional OpenShift component
+// managed by the Cluster Version Operator (CVO). This object is used by
+// operators to convey their state to the rest of the cluster.
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterOperatorApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *configv1.ClusterOperatorSpec            `json:"spec,omitempty"`
-	Status                               *ClusterOperatorStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds configuration that could apply to any operator.
+	Spec *configv1.ClusterOperatorSpec `json:"spec,omitempty"`
+	// status holds the information about the state of an operator.  It is consistent with status information across
+	// the Kubernetes ecosystem.
+	Status *ClusterOperatorStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ClusterOperator constructs a declarative configuration of the ClusterOperator type for use with
@@ -30,6 +40,26 @@ func ClusterOperator(name string) *ClusterOperatorApplyConfiguration {
 	return b
 }
 
+// ExtractClusterOperatorFrom extracts the applied configuration owned by fieldManager from
+// clusterOperator for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterOperator must be a unmodified ClusterOperator API object that was retrieved from the Kubernetes API.
+// ExtractClusterOperatorFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterOperatorFrom(clusterOperator *configv1.ClusterOperator, fieldManager string, subresource string) (*ClusterOperatorApplyConfiguration, error) {
+	b := &ClusterOperatorApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterOperator, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterOperator"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterOperator.Name)
+
+	b.WithKind("ClusterOperator")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractClusterOperator extracts the applied configuration owned by fieldManager from
 // clusterOperator. If no managedFields are found in clusterOperator for fieldManager, a
 // ClusterOperatorApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +70,16 @@ func ClusterOperator(name string) *ClusterOperatorApplyConfiguration {
 // ExtractClusterOperator provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterOperator(clusterOperator *configv1.ClusterOperator, fieldManager string) (*ClusterOperatorApplyConfiguration, error) {
-	return extractClusterOperator(clusterOperator, fieldManager, "")
+	return ExtractClusterOperatorFrom(clusterOperator, fieldManager, "")
 }
 
-// ExtractClusterOperatorStatus is the same as ExtractClusterOperator except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterOperatorStatus extracts the applied configuration owned by fieldManager from
+// clusterOperator for the status subresource.
 func ExtractClusterOperatorStatus(clusterOperator *configv1.ClusterOperator, fieldManager string) (*ClusterOperatorApplyConfiguration, error) {
-	return extractClusterOperator(clusterOperator, fieldManager, "status")
+	return ExtractClusterOperatorFrom(clusterOperator, fieldManager, "status")
 }
 
-func extractClusterOperator(clusterOperator *configv1.ClusterOperator, fieldManager string, subresource string) (*ClusterOperatorApplyConfiguration, error) {
-	b := &ClusterOperatorApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterOperator, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterOperator"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterOperator.Name)
-
-	b.WithKind("ClusterOperator")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ClusterOperatorApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go
index d5a1989655c5b..48e7396909f04 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go
@@ -8,11 +8,23 @@ import (
 
 // ClusterOperatorStatusApplyConfiguration represents a declarative configuration of the ClusterOperatorStatus type for use
 // with apply.
+//
+// ClusterOperatorStatus provides information about the status of the operator.
 type ClusterOperatorStatusApplyConfiguration struct {
-	Conditions     []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"`
-	Versions       []OperandVersionApplyConfiguration                 `json:"versions,omitempty"`
-	RelatedObjects []ObjectReferenceApplyConfiguration                `json:"relatedObjects,omitempty"`
-	Extension      *runtime.RawExtension                              `json:"extension,omitempty"`
+	// conditions describes the state of the operator's managed and monitored components.
+	Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"`
+	// versions is a slice of operator and operand version tuples.  Operators which manage multiple operands will have multiple
+	// operand entries in the array.  Available operators must report the version of the operator itself with the name "operator".
+	// An operator reports a new "operator" version when it has rolled out the new version to all of its operands.
+	Versions []OperandVersionApplyConfiguration `json:"versions,omitempty"`
+	// relatedObjects is a list of objects that are "interesting" or related to this operator.  Common uses are:
+	// 1. the detailed resource driving the operator
+	// 2. operator namespaces
+	// 3. operand namespaces
+	RelatedObjects []ObjectReferenceApplyConfiguration `json:"relatedObjects,omitempty"`
+	// extension contains any additional status information specific to the
+	// operator which owns this status object.
+	Extension *runtime.RawExtension `json:"extension,omitempty"`
 }
 
 // ClusterOperatorStatusApplyConfiguration constructs a declarative configuration of the ClusterOperatorStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go
index 3e58daa811581..f7ac19e2b0938 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go
@@ -9,12 +9,22 @@ import (
 
 // ClusterOperatorStatusConditionApplyConfiguration represents a declarative configuration of the ClusterOperatorStatusCondition type for use
 // with apply.
+//
+// ClusterOperatorStatusCondition represents the state of the operator's
+// managed and monitored components.
 type ClusterOperatorStatusConditionApplyConfiguration struct {
-	Type               *configv1.ClusterStatusConditionType `json:"type,omitempty"`
-	Status             *configv1.ConditionStatus            `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                         `json:"lastTransitionTime,omitempty"`
-	Reason             *string                              `json:"reason,omitempty"`
-	Message            *string                              `json:"message,omitempty"`
+	// type specifies the aspect reported by this condition.
+	Type *configv1.ClusterStatusConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *configv1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the time of the last update to the current status property.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is the CamelCase reason for the condition's current status.
+	Reason *string `json:"reason,omitempty"`
+	// message provides additional information about the current condition.
+	// This is only to be consumed by humans.  It may contain Line Feed
+	// characters (U+000A), which should be rendered as new lines.
+	Message *string `json:"message,omitempty"`
 }
 
 // ClusterOperatorStatusConditionApplyConfiguration constructs a declarative configuration of the ClusterOperatorStatusCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go
index b85a770ed24b6..5cfcb7ea16f1c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go
@@ -13,11 +13,22 @@ import (
 
 // ClusterVersionApplyConfiguration represents a declarative configuration of the ClusterVersion type for use
 // with apply.
+//
+// ClusterVersion is the configuration for the ClusterVersionOperator. This is where
+// parameters related to automatic updates can be set.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterVersionApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ClusterVersionSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ClusterVersionStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the cluster version - the operator will work
+	// to ensure that the desired version is applied to the cluster.
+	Spec *ClusterVersionSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains information about the available updates and any in-progress
+	// updates.
+	Status *ClusterVersionStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ClusterVersion constructs a declarative configuration of the ClusterVersion type for use with
@@ -30,6 +41,26 @@ func ClusterVersion(name string) *ClusterVersionApplyConfiguration {
 	return b
 }
 
+// ExtractClusterVersionFrom extracts the applied configuration owned by fieldManager from
+// clusterVersion for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterVersion must be a unmodified ClusterVersion API object that was retrieved from the Kubernetes API.
+// ExtractClusterVersionFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterVersionFrom(clusterVersion *configv1.ClusterVersion, fieldManager string, subresource string) (*ClusterVersionApplyConfiguration, error) {
+	b := &ClusterVersionApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterVersion, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterVersion"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterVersion.Name)
+
+	b.WithKind("ClusterVersion")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractClusterVersion extracts the applied configuration owned by fieldManager from
 // clusterVersion. If no managedFields are found in clusterVersion for fieldManager, a
 // ClusterVersionApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +71,16 @@ func ClusterVersion(name string) *ClusterVersionApplyConfiguration {
 // ExtractClusterVersion provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterVersion(clusterVersion *configv1.ClusterVersion, fieldManager string) (*ClusterVersionApplyConfiguration, error) {
-	return extractClusterVersion(clusterVersion, fieldManager, "")
+	return ExtractClusterVersionFrom(clusterVersion, fieldManager, "")
 }
 
-// ExtractClusterVersionStatus is the same as ExtractClusterVersion except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterVersionStatus extracts the applied configuration owned by fieldManager from
+// clusterVersion for the status subresource.
 func ExtractClusterVersionStatus(clusterVersion *configv1.ClusterVersion, fieldManager string) (*ClusterVersionApplyConfiguration, error) {
-	return extractClusterVersion(clusterVersion, fieldManager, "status")
+	return ExtractClusterVersionFrom(clusterVersion, fieldManager, "status")
 }
 
-func extractClusterVersion(clusterVersion *configv1.ClusterVersion, fieldManager string, subresource string) (*ClusterVersionApplyConfiguration, error) {
-	b := &ClusterVersionApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterVersion, internal.Parser().Type("com.github.openshift.api.config.v1.ClusterVersion"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterVersion.Name)
-
-	b.WithKind("ClusterVersion")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ClusterVersionApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go
index feb03e3c36be6..ba8a408f23e40 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go
@@ -8,9 +8,20 @@ import (
 
 // ClusterVersionCapabilitiesSpecApplyConfiguration represents a declarative configuration of the ClusterVersionCapabilitiesSpec type for use
 // with apply.
+//
+// ClusterVersionCapabilitiesSpec selects the managed set of
+// optional, core cluster components.
 type ClusterVersionCapabilitiesSpecApplyConfiguration struct {
-	BaselineCapabilitySet         *configv1.ClusterVersionCapabilitySet `json:"baselineCapabilitySet,omitempty"`
-	AdditionalEnabledCapabilities []configv1.ClusterVersionCapability   `json:"additionalEnabledCapabilities,omitempty"`
+	// baselineCapabilitySet selects an initial set of
+	// optional capabilities to enable, which can be extended via
+	// additionalEnabledCapabilities.  If unset, the cluster will
+	// choose a default, and the default may change over time.
+	// The current default is vCurrent.
+	BaselineCapabilitySet *configv1.ClusterVersionCapabilitySet `json:"baselineCapabilitySet,omitempty"`
+	// additionalEnabledCapabilities extends the set of managed
+	// capabilities beyond the baseline defined in
+	// baselineCapabilitySet.  The default is an empty set.
+	AdditionalEnabledCapabilities []configv1.ClusterVersionCapability `json:"additionalEnabledCapabilities,omitempty"`
 }
 
 // ClusterVersionCapabilitiesSpecApplyConfiguration constructs a declarative configuration of the ClusterVersionCapabilitiesSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go
index 2a8807fe2a081..6198d46c781ff 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go
@@ -8,9 +8,14 @@ import (
 
 // ClusterVersionCapabilitiesStatusApplyConfiguration represents a declarative configuration of the ClusterVersionCapabilitiesStatus type for use
 // with apply.
+//
+// ClusterVersionCapabilitiesStatus describes the state of optional,
+// core cluster components.
 type ClusterVersionCapabilitiesStatusApplyConfiguration struct {
+	// enabledCapabilities lists all the capabilities that are currently managed.
 	EnabledCapabilities []configv1.ClusterVersionCapability `json:"enabledCapabilities,omitempty"`
-	KnownCapabilities   []configv1.ClusterVersionCapability `json:"knownCapabilities,omitempty"`
+	// knownCapabilities lists all the capabilities known to the current cluster.
+	KnownCapabilities []configv1.ClusterVersionCapability `json:"knownCapabilities,omitempty"`
 }
 
 // ClusterVersionCapabilitiesStatusApplyConfiguration constructs a declarative configuration of the ClusterVersionCapabilitiesStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go
index 926f2955720f9..bb8e4f50d11dd 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go
@@ -8,14 +8,66 @@ import (
 
 // ClusterVersionSpecApplyConfiguration represents a declarative configuration of the ClusterVersionSpec type for use
 // with apply.
+//
+// ClusterVersionSpec is the desired version state of the cluster. It includes
+// the version the cluster should be at, how the cluster is identified, and
+// where the cluster should look for version updates.
 type ClusterVersionSpecApplyConfiguration struct {
-	ClusterID       *configv1.ClusterID                               `json:"clusterID,omitempty"`
-	DesiredUpdate   *UpdateApplyConfiguration                         `json:"desiredUpdate,omitempty"`
-	Upstream        *configv1.URL                                     `json:"upstream,omitempty"`
-	Channel         *string                                           `json:"channel,omitempty"`
-	Capabilities    *ClusterVersionCapabilitiesSpecApplyConfiguration `json:"capabilities,omitempty"`
-	SignatureStores []SignatureStoreApplyConfiguration                `json:"signatureStores,omitempty"`
-	Overrides       []ComponentOverrideApplyConfiguration             `json:"overrides,omitempty"`
+	// clusterID uniquely identifies this cluster. This is expected to be
+	// an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in
+	// hexadecimal values). This is a required field.
+	ClusterID *configv1.ClusterID `json:"clusterID,omitempty"`
+	// desiredUpdate is an optional field that indicates the desired value of
+	// the cluster version. Setting this value will trigger an upgrade (if
+	// the current version does not match the desired version). The set of
+	// recommended update values is listed as part of available updates in
+	// status, and setting values outside that range may cause the upgrade
+	// to fail.
+	//
+	// Some of the fields are inter-related with restrictions and meanings described here.
+	// 1. image is specified, version is specified, architecture is specified. API validation error.
+	// 2. image is specified, version is specified, architecture is not specified. The version extracted from the referenced image must match the specified version.
+	// 3. image is specified, version is not specified, architecture is specified. API validation error.
+	// 4. image is specified, version is not specified, architecture is not specified. image is used.
+	// 5. image is not specified, version is specified, architecture is specified. version and desired architecture are used to select an image.
+	// 6. image is not specified, version is specified, architecture is not specified. version and current architecture are used to select an image.
+	// 7. image is not specified, version is not specified, architecture is specified. API validation error.
+	// 8. image is not specified, version is not specified, architecture is not specified. API validation error.
+	//
+	// If an upgrade fails the operator will halt and report status
+	// about the failing component. Setting the desired update value back to
+	// the previous version will cause a rollback to be attempted if the
+	// previous version is within the current minor version. Not all
+	// rollbacks will succeed, and some may unrecoverably break the
+	// cluster.
+	DesiredUpdate *UpdateApplyConfiguration `json:"desiredUpdate,omitempty"`
+	// upstream may be used to specify the preferred update server. By default
+	// it will use the appropriate update server for the cluster and region.
+	Upstream *configv1.URL `json:"upstream,omitempty"`
+	// channel is an identifier for explicitly requesting a non-default set
+	// of updates to be applied to this cluster. The default channel will
+	// contain stable updates that are appropriate for production clusters.
+	Channel *string `json:"channel,omitempty"`
+	// capabilities configures the installation of optional, core
+	// cluster components.  A null value here is identical to an
+	// empty object; see the child properties for default semantics.
+	Capabilities *ClusterVersionCapabilitiesSpecApplyConfiguration `json:"capabilities,omitempty"`
+	// signatureStores contains the upstream URIs to verify release signatures and optional
+	// reference to a config map by name containing the PEM-encoded CA bundle.
+	//
+	// By default, CVO will use existing signature stores if this property is empty.
+	// The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature
+	// in these stores in parallel only when local ConfigMaps did not include a valid signature.
+	// Validation will fail if none of the signature stores reply with valid signature before timeout.
+	// Setting signatureStores will replace the default signature stores with custom signature stores.
+	// Default stores can be used with custom signature stores by adding them manually.
+	//
+	// A maximum of 32 signature stores may be configured.
+	SignatureStores []SignatureStoreApplyConfiguration `json:"signatureStores,omitempty"`
+	// overrides is list of overides for components that are managed by
+	// cluster version operator. Marking a component unmanaged will prevent
+	// the operator from creating or updating the object.
+	Overrides []ComponentOverrideApplyConfiguration `json:"overrides,omitempty"`
 }
 
 // ClusterVersionSpecApplyConfiguration constructs a declarative configuration of the ClusterVersionSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go
index e966cf424211c..3d68af9ea5714 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go
@@ -4,15 +4,63 @@ package v1
 
 // ClusterVersionStatusApplyConfiguration represents a declarative configuration of the ClusterVersionStatus type for use
 // with apply.
+//
+// ClusterVersionStatus reports the status of the cluster versioning,
+// including any upgrades that are in progress. The current field will
+// be set to whichever version the cluster is reconciling to, and the
+// conditions array will report whether the update succeeded, is in
+// progress, or is failing.
 type ClusterVersionStatusApplyConfiguration struct {
-	Desired            *ReleaseApplyConfiguration                          `json:"desired,omitempty"`
-	History            []UpdateHistoryApplyConfiguration                   `json:"history,omitempty"`
-	ObservedGeneration *int64                                              `json:"observedGeneration,omitempty"`
-	VersionHash        *string                                             `json:"versionHash,omitempty"`
-	Capabilities       *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"`
-	Conditions         []ClusterOperatorStatusConditionApplyConfiguration  `json:"conditions,omitempty"`
-	AvailableUpdates   []ReleaseApplyConfiguration                         `json:"availableUpdates,omitempty"`
-	ConditionalUpdates []ConditionalUpdateApplyConfiguration               `json:"conditionalUpdates,omitempty"`
+	// desired is the version that the cluster is reconciling towards.
+	// If the cluster is not yet fully initialized desired will be set
+	// with the information available, which may be an image or a tag.
+	Desired *ReleaseApplyConfiguration `json:"desired,omitempty"`
+	// history contains a list of the most recent versions applied to the cluster.
+	// This value may be empty during cluster startup, and then will be updated
+	// when a new update is being applied. The newest update is first in the
+	// list and it is ordered by recency. Updates in the history have state
+	// Completed if the rollout completed - if an update was failing or halfway
+	// applied the state will be Partial. Only a limited amount of update history
+	// is preserved.
+	History []UpdateHistoryApplyConfiguration `json:"history,omitempty"`
+	// observedGeneration reports which version of the spec is being synced.
+	// If this value is not equal to metadata.generation, then the desired
+	// and conditions fields may represent a previous version.
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+	// versionHash is a fingerprint of the content that the cluster will be
+	// updated with. It is used by the operator to avoid unnecessary work
+	// and is for internal use only.
+	VersionHash *string `json:"versionHash,omitempty"`
+	// capabilities describes the state of optional, core cluster components.
+	Capabilities *ClusterVersionCapabilitiesStatusApplyConfiguration `json:"capabilities,omitempty"`
+	// conditions provides information about the cluster version. The condition
+	// "Available" is set to true if the desiredUpdate has been reached. The
+	// condition "Progressing" is set to true if an update is being applied.
+	// The condition "Degraded" is set to true if an update is currently blocked
+	// by a temporary or permanent error. Conditions are only valid for the
+	// current desiredUpdate when metadata.generation is equal to
+	// status.generation.
+	Conditions []ClusterOperatorStatusConditionApplyConfiguration `json:"conditions,omitempty"`
+	// availableUpdates contains updates recommended for this
+	// cluster. Updates which appear in conditionalUpdates but not in
+	// availableUpdates may expose this cluster to known issues. This list
+	// may be empty if no updates are recommended, if the update service
+	// is unavailable, or if an invalid channel has been specified.
+	AvailableUpdates []ReleaseApplyConfiguration `json:"availableUpdates,omitempty"`
+	// conditionalUpdates contains the list of updates that may be
+	// recommended for this cluster if it meets specific required
+	// conditions. Consumers interested in the set of updates that are
+	// actually recommended for this cluster should use
+	// availableUpdates. This list may be empty if no updates are
+	// recommended, if the update service is unavailable, or if an empty
+	// or invalid channel has been specified.
+	ConditionalUpdates []ConditionalUpdateApplyConfiguration `json:"conditionalUpdates,omitempty"`
+	// conditionalUpdateRisks contains the list of risks associated with conditionalUpdates.
+	// When performing a conditional update, all its associated risks will be compared with the set of accepted risks in the spec.desiredUpdate.acceptRisks field.
+	// If all risks for a conditional update are included in the spec.desiredUpdate.acceptRisks set, the conditional update can proceed, otherwise it is blocked.
+	// The risk names in the list must be unique.
+	// conditionalUpdateRisks must not contain more than 500 entries.
+	ConditionalUpdateRisks []ConditionalUpdateRiskApplyConfiguration `json:"conditionalUpdateRisks,omitempty"`
 }
 
 // ClusterVersionStatusApplyConfiguration constructs a declarative configuration of the ClusterVersionStatus type for use with
@@ -104,3 +152,16 @@ func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdates(values .
 	}
 	return b
 }
+
+// WithConditionalUpdateRisks adds the given value to the ConditionalUpdateRisks field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ConditionalUpdateRisks field.
+func (b *ClusterVersionStatusApplyConfiguration) WithConditionalUpdateRisks(values ...*ConditionalUpdateRiskApplyConfiguration) *ClusterVersionStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditionalUpdateRisks")
+		}
+		b.ConditionalUpdateRisks = append(b.ConditionalUpdateRisks, *values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go
index e87332d896590..b304cd6b44f05 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go
@@ -4,12 +4,23 @@ package v1
 
 // ComponentOverrideApplyConfiguration represents a declarative configuration of the ComponentOverride type for use
 // with apply.
+//
+// ComponentOverride allows overriding cluster version operator's behavior
+// for a component.
 type ComponentOverrideApplyConfiguration struct {
-	Kind      *string `json:"kind,omitempty"`
-	Group     *string `json:"group,omitempty"`
+	// kind indentifies which object to override.
+	Kind *string `json:"kind,omitempty"`
+	// group identifies the API group that the kind is in.
+	Group *string `json:"group,omitempty"`
+	// namespace is the component's namespace. If the resource is cluster
+	// scoped, the namespace should be empty.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
-	Unmanaged *bool   `json:"unmanaged,omitempty"`
+	// name is the component's name.
+	Name *string `json:"name,omitempty"`
+	// unmanaged controls if cluster version operator should stop managing the
+	// resources in this cluster.
+	// Default: false
+	Unmanaged *bool `json:"unmanaged,omitempty"`
 }
 
 // ComponentOverrideApplyConfiguration constructs a declarative configuration of the ComponentOverride type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go
index beebd2b0246dc..f4e3838447ecd 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go
@@ -8,10 +8,25 @@ import (
 
 // ComponentRouteSpecApplyConfiguration represents a declarative configuration of the ComponentRouteSpec type for use
 // with apply.
+//
+// ComponentRouteSpec allows for configuration of a route's hostname and serving certificate.
 type ComponentRouteSpecApplyConfiguration struct {
-	Namespace                *string                                `json:"namespace,omitempty"`
-	Name                     *string                                `json:"name,omitempty"`
-	Hostname                 *configv1.Hostname                     `json:"hostname,omitempty"`
+	// namespace is the namespace of the route to customize.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of status.componentRoutes if the route is to be customized.
+	Namespace *string `json:"namespace,omitempty"`
+	// name is the logical name of the route to customize.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of status.componentRoutes if the route is to be customized.
+	Name *string `json:"name,omitempty"`
+	// hostname is the hostname that should be used by the route.
+	Hostname *configv1.Hostname `json:"hostname,omitempty"`
+	// servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace.
+	// The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name.
+	// If the custom hostname uses the default routing suffix of the cluster,
+	// the Secret specification for a serving certificate will not be needed.
 	ServingCertKeyPairSecret *SecretNameReferenceApplyConfiguration `json:"servingCertKeyPairSecret,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go
index ae955388217d0..6d364d906d4d8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go
@@ -9,14 +9,43 @@ import (
 
 // ComponentRouteStatusApplyConfiguration represents a declarative configuration of the ComponentRouteStatus type for use
 // with apply.
+//
+// ComponentRouteStatus contains information allowing configuration of a route's hostname and serving certificate.
 type ComponentRouteStatusApplyConfiguration struct {
-	Namespace        *string                              `json:"namespace,omitempty"`
-	Name             *string                              `json:"name,omitempty"`
-	DefaultHostname  *configv1.Hostname                   `json:"defaultHostname,omitempty"`
-	ConsumingUsers   []configv1.ConsumingUser             `json:"consumingUsers,omitempty"`
-	CurrentHostnames []configv1.Hostname                  `json:"currentHostnames,omitempty"`
-	Conditions       []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
-	RelatedObjects   []ObjectReferenceApplyConfiguration  `json:"relatedObjects,omitempty"`
+	// namespace is the namespace of the route to customize. It must be a real namespace. Using an actual namespace
+	// ensures that no two components will conflict and the same component can be installed multiple times.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of spec.componentRoutes if the route is to be customized.
+	Namespace *string `json:"namespace,omitempty"`
+	// name is the logical name of the route to customize. It does not have to be the actual name of a route resource
+	// but it cannot be renamed.
+	//
+	// The namespace and name of this componentRoute must match a corresponding
+	// entry in the list of spec.componentRoutes if the route is to be customized.
+	Name *string `json:"name,omitempty"`
+	// defaultHostname is the hostname of this route prior to customization.
+	DefaultHostname *configv1.Hostname `json:"defaultHostname,omitempty"`
+	// consumingUsers is a slice of ServiceAccounts that need to have read permission on the servingCertKeyPairSecret secret.
+	ConsumingUsers []configv1.ConsumingUser `json:"consumingUsers,omitempty"`
+	// currentHostnames is the list of current names used by the route. Typically, this list should consist of a single
+	// hostname, but if multiple hostnames are supported by the route the operator may write multiple entries to this list.
+	CurrentHostnames []configv1.Hostname `json:"currentHostnames,omitempty"`
+	// conditions are used to communicate the state of the componentRoutes entry.
+	//
+	// Supported conditions include Available, Degraded and Progressing.
+	//
+	// If available is true, the content served by the route can be accessed by users. This includes cases
+	// where a default may continue to serve content while the customized route specified by the cluster-admin
+	// is being configured.
+	//
+	// If Degraded is true, that means something has gone wrong trying to handle the componentRoutes entry.
+	// The currentHostnames field may or may not be in effect.
+	//
+	// If Progressing is true, that means the component is taking some action related to the componentRoutes entry.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// relatedObjects is a list of resources which are useful when debugging or inspecting how spec.componentRoutes is applied.
+	RelatedObjects []ObjectReferenceApplyConfiguration `json:"relatedObjects,omitempty"`
 }
 
 // ComponentRouteStatusApplyConfiguration constructs a declarative configuration of the ComponentRouteStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go
index f183fc6e252ba..a771436b65ca0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go
@@ -8,10 +8,30 @@ import (
 
 // ConditionalUpdateApplyConfiguration represents a declarative configuration of the ConditionalUpdate type for use
 // with apply.
+//
+// ConditionalUpdate represents an update which is recommended to some
+// clusters on the version the current cluster is reconciling, but which
+// may not be recommended for the current cluster.
 type ConditionalUpdateApplyConfiguration struct {
-	Release    *ReleaseApplyConfiguration                `json:"release,omitempty"`
-	Risks      []ConditionalUpdateRiskApplyConfiguration `json:"risks,omitempty"`
-	Conditions []metav1.ConditionApplyConfiguration      `json:"conditions,omitempty"`
+	// release is the target of the update.
+	Release *ReleaseApplyConfiguration `json:"release,omitempty"`
+	// riskNames represents the set of the names of conditionalUpdateRisks that are relevant to this update for some clusters.
+	// The Applies condition of each conditionalUpdateRisks entry declares if that risk applies to this cluster.
+	// A conditional update is accepted only if each of its risks either does not apply to the cluster or is considered acceptable by the cluster administrator.
+	// The latter means that the risk names are included in value of the spec.desiredUpdate.acceptRisks field.
+	// Entries must be unique and must not exceed 256 characters.
+	// riskNames must not contain more than 500 entries.
+	RiskNames []string `json:"riskNames,omitempty"`
+	// risks represents the range of issues associated with
+	// updating to the target release. The cluster-version
+	// operator will evaluate all entries, and only recommend the
+	// update if there is at least one entry and all entries
+	// recommend the update.
+	Risks []ConditionalUpdateRiskApplyConfiguration `json:"risks,omitempty"`
+	// conditions represents the observations of the conditional update's
+	// current status. Known types are:
+	// * Recommended, for whether the update is recommended for the current cluster.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // ConditionalUpdateApplyConfiguration constructs a declarative configuration of the ConditionalUpdate type for use with
@@ -28,6 +48,16 @@ func (b *ConditionalUpdateApplyConfiguration) WithRelease(value *ReleaseApplyCon
 	return b
 }
 
+// WithRiskNames adds the given value to the RiskNames field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RiskNames field.
+func (b *ConditionalUpdateApplyConfiguration) WithRiskNames(values ...string) *ConditionalUpdateApplyConfiguration {
+	for i := range values {
+		b.RiskNames = append(b.RiskNames, values[i])
+	}
+	return b
+}
+
 // WithRisks adds the given value to the Risks field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the Risks field.
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go
index 6debb6e624574..faf72ba828889 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go
@@ -2,12 +2,40 @@
 
 package v1
 
+import (
+	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
 // ConditionalUpdateRiskApplyConfiguration represents a declarative configuration of the ConditionalUpdateRisk type for use
 // with apply.
+//
+// ConditionalUpdateRisk represents a reason and cluster-state
+// for not recommending a conditional update.
 type ConditionalUpdateRiskApplyConfiguration struct {
-	URL           *string                              `json:"url,omitempty"`
-	Name          *string                              `json:"name,omitempty"`
-	Message       *string                              `json:"message,omitempty"`
+	// conditions represents the observations of the conditional update
+	// risk's current status. Known types are:
+	// * Applies, for whether the risk applies to the current cluster.
+	// The condition's types in the list must be unique.
+	// conditions must not contain more than one entry.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// url contains information about this risk.
+	URL *string `json:"url,omitempty"`
+	// name is the CamelCase reason for not recommending a
+	// conditional update, in the event that matchingRules match the
+	// cluster state.
+	Name *string `json:"name,omitempty"`
+	// message provides additional information about the risk of
+	// updating, in the event that matchingRules match the cluster
+	// state. This is only to be consumed by humans. It may
+	// contain Line Feed characters (U+000A), which should be
+	// rendered as new lines.
+	Message *string `json:"message,omitempty"`
+	// matchingRules is a slice of conditions for deciding which
+	// clusters match the risk and which do not. The slice is
+	// ordered by decreasing precedence. The cluster-version
+	// operator will walk the slice in order, and stop after the
+	// first it can successfully evaluate. If no condition can be
+	// successfully evaluated, the update will not be recommended.
 	MatchingRules []ClusterConditionApplyConfiguration `json:"matchingRules,omitempty"`
 }
 
@@ -17,6 +45,19 @@ func ConditionalUpdateRisk() *ConditionalUpdateRiskApplyConfiguration {
 	return &ConditionalUpdateRiskApplyConfiguration{}
 }
 
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *ConditionalUpdateRiskApplyConfiguration) WithConditions(values ...*metav1.ConditionApplyConfiguration) *ConditionalUpdateRiskApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
+
 // WithURL sets the URL field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the URL field is set to the value of the last call.
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go
index 3c70be2c1e8a1..fd04f126c50a7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go
@@ -4,9 +4,13 @@ package v1
 
 // ConfigMapFileReferenceApplyConfiguration represents a declarative configuration of the ConfigMapFileReference type for use
 // with apply.
+//
+// ConfigMapFileReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
 type ConfigMapFileReferenceApplyConfiguration struct {
 	Name *string `json:"name,omitempty"`
-	Key  *string `json:"key,omitempty"`
+	// key allows pointing to a specific key/value inside of the configmap.  This is useful for logical file references.
+	Key *string `json:"key,omitempty"`
 }
 
 // ConfigMapFileReferenceApplyConfiguration constructs a declarative configuration of the ConfigMapFileReference type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go
index 8236ba12331ef..4c67ee7f95b7e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go
@@ -4,7 +4,11 @@ package v1
 
 // ConfigMapNameReferenceApplyConfiguration represents a declarative configuration of the ConfigMapNameReference type for use
 // with apply.
+//
+// ConfigMapNameReference references a config map in a specific namespace.
+// The namespace must be specified at the point of use.
 type ConfigMapNameReferenceApplyConfiguration struct {
+	// name is the metadata.name of the referenced config map
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go
index e4d496e1a8f36..09039257c60a0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go
@@ -13,11 +13,21 @@ import (
 
 // ConsoleApplyConfiguration represents a declarative configuration of the Console type for use
 // with apply.
+//
+// Console holds cluster-wide configuration for the web console, including the
+// logout URL, and reports the public URL of the console. The canonical name is
+// `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ConsoleApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ConsoleSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ConsoleStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ConsoleSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *ConsoleStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Console constructs a declarative configuration of the Console type for use with
@@ -30,6 +40,26 @@ func Console(name string) *ConsoleApplyConfiguration {
 	return b
 }
 
+// ExtractConsoleFrom extracts the applied configuration owned by fieldManager from
+// console for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// console must be a unmodified Console API object that was retrieved from the Kubernetes API.
+// ExtractConsoleFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractConsoleFrom(console *configv1.Console, fieldManager string, subresource string) (*ConsoleApplyConfiguration, error) {
+	b := &ConsoleApplyConfiguration{}
+	err := managedfields.ExtractInto(console, internal.Parser().Type("com.github.openshift.api.config.v1.Console"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(console.Name)
+
+	b.WithKind("Console")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractConsole extracts the applied configuration owned by fieldManager from
 // console. If no managedFields are found in console for fieldManager, a
 // ConsoleApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +70,16 @@ func Console(name string) *ConsoleApplyConfiguration {
 // ExtractConsole provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractConsole(console *configv1.Console, fieldManager string) (*ConsoleApplyConfiguration, error) {
-	return extractConsole(console, fieldManager, "")
+	return ExtractConsoleFrom(console, fieldManager, "")
 }
 
-// ExtractConsoleStatus is the same as ExtractConsole except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractConsoleStatus extracts the applied configuration owned by fieldManager from
+// console for the status subresource.
 func ExtractConsoleStatus(console *configv1.Console, fieldManager string) (*ConsoleApplyConfiguration, error) {
-	return extractConsole(console, fieldManager, "status")
+	return ExtractConsoleFrom(console, fieldManager, "status")
 }
 
-func extractConsole(console *configv1.Console, fieldManager string, subresource string) (*ConsoleApplyConfiguration, error) {
-	b := &ConsoleApplyConfiguration{}
-	err := managedfields.ExtractInto(console, internal.Parser().Type("com.github.openshift.api.config.v1.Console"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(console.Name)
-
-	b.WithKind("Console")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ConsoleApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go
index cdc3aa73202b5..a1d5c9e00963b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go
@@ -4,7 +4,19 @@ package v1
 
 // ConsoleAuthenticationApplyConfiguration represents a declarative configuration of the ConsoleAuthentication type for use
 // with apply.
+//
+// ConsoleAuthentication defines a list of optional configuration for console authentication.
 type ConsoleAuthenticationApplyConfiguration struct {
+	// An optional, absolute URL to redirect web browsers to after logging out of
+	// the console. If not specified, it will redirect to the default login page.
+	// This is required when using an identity provider that supports single
+	// sign-on (SSO) such as:
+	// - OpenID (Keycloak, Azure)
+	// - RequestHeader (GSSAPI, SSPI, SAML)
+	// - OAuth (GitHub, GitLab, Google)
+	// Logging out of the console will destroy the user's token. The logoutRedirect
+	// provides the user the option to perform single logout (SLO) through the identity
+	// provider to destroy their single sign-on session.
 	LogoutRedirect *string `json:"logoutRedirect,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go
index 0ce163b2bb90c..6760392ae89d1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go
@@ -4,6 +4,8 @@ package v1
 
 // ConsoleSpecApplyConfiguration represents a declarative configuration of the ConsoleSpec type for use
 // with apply.
+//
+// ConsoleSpec is the specification of the desired behavior of the Console.
 type ConsoleSpecApplyConfiguration struct {
 	Authentication *ConsoleAuthenticationApplyConfiguration `json:"authentication,omitempty"`
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go
index f1336def37eb4..cbc5a94966464 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go
@@ -4,7 +4,11 @@ package v1
 
 // ConsoleStatusApplyConfiguration represents a declarative configuration of the ConsoleStatus type for use
 // with apply.
+//
+// ConsoleStatus defines the observed status of the Console.
 type ConsoleStatusApplyConfiguration struct {
+	// The URL for the console. This will be derived from the host for the route that
+	// is created for the console.
 	ConsoleURL *string `json:"consoleURL,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go
new file mode 100644
index 0000000000000..0de7826f953bb
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go
@@ -0,0 +1,36 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// CustomApplyConfiguration represents a declarative configuration of the Custom type for use
+// with apply.
+//
+// Custom provides the custom configuration of gatherers
+type CustomApplyConfiguration struct {
+	// configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers.
+	// It may not exceed 100 items and each gatherer can be present only once.
+	// It is possible to disable an entire set of gatherers while allowing a specific function within that set.
+	// The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	Configs []GathererConfigApplyConfiguration `json:"configs,omitempty"`
+}
+
+// CustomApplyConfiguration constructs a declarative configuration of the Custom type for use with
+// apply.
+func Custom() *CustomApplyConfiguration {
+	return &CustomApplyConfiguration{}
+}
+
+// WithConfigs adds the given value to the Configs field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Configs field.
+func (b *CustomApplyConfiguration) WithConfigs(values ...*GathererConfigApplyConfiguration) *CustomApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConfigs")
+		}
+		b.Configs = append(b.Configs, *values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go
index 7cd70c7ee2712..84d6febb5153f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go
@@ -9,7 +9,9 @@ import (
 // CustomFeatureGatesApplyConfiguration represents a declarative configuration of the CustomFeatureGates type for use
 // with apply.
 type CustomFeatureGatesApplyConfiguration struct {
-	Enabled  []configv1.FeatureGateName `json:"enabled,omitempty"`
+	// enabled is a list of all feature gates that you want to force on
+	Enabled []configv1.FeatureGateName `json:"enabled,omitempty"`
+	// disabled is a list of all feature gates that you want to force off
 	Disabled []configv1.FeatureGateName `json:"disabled,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go
index ae03671cd3f89..7df6a4be9e695 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go
@@ -8,6 +8,9 @@ import (
 
 // CustomTLSProfileApplyConfiguration represents a declarative configuration of the CustomTLSProfile type for use
 // with apply.
+//
+// CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
+// using a custom TLS profile as invalid configurations can be catastrophic.
 type CustomTLSProfileApplyConfiguration struct {
 	TLSProfileSpecApplyConfiguration `json:",inline"`
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go
index 20742aec97472..0efc3268051a7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go
@@ -4,7 +4,17 @@ package v1
 
 // DeprecatedWebhookTokenAuthenticatorApplyConfiguration represents a declarative configuration of the DeprecatedWebhookTokenAuthenticator type for use
 // with apply.
+//
+// deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator.
+// It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.
 type DeprecatedWebhookTokenAuthenticatorApplyConfiguration struct {
+	// kubeConfig contains kube config file data which describes how to access the remote webhook service.
+	// For further details, see:
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
+	// The namespace for this secret is determined by the point of use.
 	KubeConfig *SecretNameReferenceApplyConfiguration `json:"kubeConfig,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go
index 2ff9dc857f179..18e5d1483470e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go
@@ -13,11 +13,19 @@ import (
 
 // DNSApplyConfiguration represents a declarative configuration of the DNS type for use
 // with apply.
+//
+// DNS holds cluster-wide information about DNS. The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type DNSApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *DNSSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.DNSStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *DNSSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1.DNSStatus `json:"status,omitempty"`
 }
 
 // DNS constructs a declarative configuration of the DNS type for use with
@@ -30,6 +38,26 @@ func DNS(name string) *DNSApplyConfiguration {
 	return b
 }
 
+// ExtractDNSFrom extracts the applied configuration owned by fieldManager from
+// dNS for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// dNS must be a unmodified DNS API object that was retrieved from the Kubernetes API.
+// ExtractDNSFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDNSFrom(dNS *configv1.DNS, fieldManager string, subresource string) (*DNSApplyConfiguration, error) {
+	b := &DNSApplyConfiguration{}
+	err := managedfields.ExtractInto(dNS, internal.Parser().Type("com.github.openshift.api.config.v1.DNS"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(dNS.Name)
+
+	b.WithKind("DNS")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractDNS extracts the applied configuration owned by fieldManager from
 // dNS. If no managedFields are found in dNS for fieldManager, a
 // DNSApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func DNS(name string) *DNSApplyConfiguration {
 // ExtractDNS provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDNS(dNS *configv1.DNS, fieldManager string) (*DNSApplyConfiguration, error) {
-	return extractDNS(dNS, fieldManager, "")
+	return ExtractDNSFrom(dNS, fieldManager, "")
 }
 
-// ExtractDNSStatus is the same as ExtractDNS except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDNSStatus extracts the applied configuration owned by fieldManager from
+// dNS for the status subresource.
 func ExtractDNSStatus(dNS *configv1.DNS, fieldManager string) (*DNSApplyConfiguration, error) {
-	return extractDNS(dNS, fieldManager, "status")
+	return ExtractDNSFrom(dNS, fieldManager, "status")
 }
 
-func extractDNS(dNS *configv1.DNS, fieldManager string, subresource string) (*DNSApplyConfiguration, error) {
-	b := &DNSApplyConfiguration{}
-	err := managedfields.ExtractInto(dNS, internal.Parser().Type("com.github.openshift.api.config.v1.DNS"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(dNS.Name)
-
-	b.WithKind("DNS")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b DNSApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go
index 46bf616b268f8..d77bcf2c35ccc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go
@@ -8,9 +8,18 @@ import (
 
 // DNSPlatformSpecApplyConfiguration represents a declarative configuration of the DNSPlatformSpec type for use
 // with apply.
+//
+// DNSPlatformSpec holds cloud-provider-specific configuration
+// for DNS administration.
 type DNSPlatformSpecApplyConfiguration struct {
-	Type *configv1.PlatformType        `json:"type,omitempty"`
-	AWS  *AWSDNSSpecApplyConfiguration `json:"aws,omitempty"`
+	// type is the underlying infrastructure provider for the cluster.
+	// Allowed values: "", "AWS".
+	//
+	// Individual components may not support all platforms,
+	// and must handle unrecognized platforms with best-effort defaults.
+	Type *configv1.PlatformType `json:"type,omitempty"`
+	// aws contains DNS configuration specific to the Amazon Web Services cloud provider.
+	AWS *AWSDNSSpecApplyConfiguration `json:"aws,omitempty"`
 }
 
 // DNSPlatformSpecApplyConfiguration constructs a declarative configuration of the DNSPlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go
index fbc8b60e71787..efb839645b6a7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go
@@ -5,10 +5,33 @@ package v1
 // DNSSpecApplyConfiguration represents a declarative configuration of the DNSSpec type for use
 // with apply.
 type DNSSpecApplyConfiguration struct {
-	BaseDomain  *string                            `json:"baseDomain,omitempty"`
-	PublicZone  *DNSZoneApplyConfiguration         `json:"publicZone,omitempty"`
-	PrivateZone *DNSZoneApplyConfiguration         `json:"privateZone,omitempty"`
-	Platform    *DNSPlatformSpecApplyConfiguration `json:"platform,omitempty"`
+	// baseDomain is the base domain of the cluster. All managed DNS records will
+	// be sub-domains of this base.
+	//
+	// For example, given the base domain `openshift.example.com`, an API server
+	// DNS record may be created for `cluster-api.openshift.example.com`.
+	//
+	// Once set, this field cannot be changed.
+	BaseDomain *string `json:"baseDomain,omitempty"`
+	// publicZone is the location where all the DNS records that are publicly accessible to
+	// the internet exist.
+	//
+	// If this field is nil, no public records should be created.
+	//
+	// Once set, this field cannot be changed.
+	PublicZone *DNSZoneApplyConfiguration `json:"publicZone,omitempty"`
+	// privateZone is the location where all the DNS records that are only available internally
+	// to the cluster exist.
+	//
+	// If this field is nil, no private records should be created.
+	//
+	// Once set, this field cannot be changed.
+	PrivateZone *DNSZoneApplyConfiguration `json:"privateZone,omitempty"`
+	// platform holds configuration specific to the underlying
+	// infrastructure provider for DNS.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	Platform *DNSPlatformSpecApplyConfiguration `json:"platform,omitempty"`
 }
 
 // DNSSpecApplyConfiguration constructs a declarative configuration of the DNSSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go
index 39ef2776e53eb..c637c6efb360f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go
@@ -4,8 +4,25 @@ package v1
 
 // DNSZoneApplyConfiguration represents a declarative configuration of the DNSZone type for use
 // with apply.
+//
+// DNSZone is used to define a DNS hosted zone.
+// A zone can be identified by an ID or tags.
 type DNSZoneApplyConfiguration struct {
-	ID   *string           `json:"id,omitempty"`
+	// id is the identifier that can be used to find the DNS hosted zone.
+	//
+	// on AWS zone can be fetched using `ID` as id in [1]
+	// on Azure zone can be fetched using `ID` as a pre-determined name in [2],
+	// on GCP zone can be fetched using `ID` as a pre-determined name in [3].
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options
+	// [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show
+	// [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get
+	ID *string `json:"id,omitempty"`
+	// tags can be used to query the DNS hosted zone.
+	//
+	// on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters,
+	//
+	// [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options
 	Tags map[string]string `json:"tags,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go
index 8e17df603f881..e39fcf9d056ed 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go
@@ -4,9 +4,17 @@ package v1
 
 // EquinixMetalPlatformStatusApplyConfiguration represents a declarative configuration of the EquinixMetalPlatformStatus type for use
 // with apply.
+//
+// EquinixMetalPlatformStatus holds the current status of the Equinix Metal infrastructure provider.
 type EquinixMetalPlatformStatusApplyConfiguration struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
 	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
-	IngressIP           *string `json:"ingressIP,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP *string `json:"ingressIP,omitempty"`
 }
 
 // EquinixMetalPlatformStatusApplyConfiguration constructs a declarative configuration of the EquinixMetalPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go
index d3b9c17466e22..e2dc0ddef846d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go
@@ -4,9 +4,21 @@ package v1
 
 // ExternalIPConfigApplyConfiguration represents a declarative configuration of the ExternalIPConfig type for use
 // with apply.
+//
+// ExternalIPConfig specifies some IP blocks relevant for the ExternalIP field
+// of a Service resource.
 type ExternalIPConfigApplyConfiguration struct {
-	Policy          *ExternalIPPolicyApplyConfiguration `json:"policy,omitempty"`
-	AutoAssignCIDRs []string                            `json:"autoAssignCIDRs,omitempty"`
+	// policy is a set of restrictions applied to the ExternalIP field.
+	// If nil or empty, then ExternalIP is not allowed to be set.
+	Policy *ExternalIPPolicyApplyConfiguration `json:"policy,omitempty"`
+	// autoAssignCIDRs is a list of CIDRs from which to automatically assign
+	// Service.ExternalIP. These are assigned when the service is of type
+	// LoadBalancer. In general, this is only useful for bare-metal clusters.
+	// In Openshift 3.x, this was misleadingly called "IngressIPs".
+	// Automatically assigned External IPs are not affected by any
+	// ExternalIPPolicy rules.
+	// Currently, only one entry may be provided.
+	AutoAssignCIDRs []string `json:"autoAssignCIDRs,omitempty"`
 }
 
 // ExternalIPConfigApplyConfiguration constructs a declarative configuration of the ExternalIPConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go
index 269d934b90cab..ae29697ff50f3 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go
@@ -4,8 +4,15 @@ package v1
 
 // ExternalIPPolicyApplyConfiguration represents a declarative configuration of the ExternalIPPolicy type for use
 // with apply.
+//
+// ExternalIPPolicy configures exactly which IPs are allowed for the ExternalIP
+// field in a Service. If the zero struct is supplied, then none are permitted.
+// The policy controller always allows automatically assigned external IPs.
 type ExternalIPPolicyApplyConfiguration struct {
-	AllowedCIDRs  []string `json:"allowedCIDRs,omitempty"`
+	// allowedCIDRs is the list of allowed CIDRs.
+	AllowedCIDRs []string `json:"allowedCIDRs,omitempty"`
+	// rejectedCIDRs is the list of disallowed CIDRs. These take precedence
+	// over allowedCIDRs.
 	RejectedCIDRs []string `json:"rejectedCIDRs,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go
index d7640e14298bb..1d48611bdac13 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go
@@ -4,7 +4,11 @@ package v1
 
 // ExternalPlatformSpecApplyConfiguration represents a declarative configuration of the ExternalPlatformSpec type for use
 // with apply.
+//
+// ExternalPlatformSpec holds the desired state for the generic External infrastructure provider.
 type ExternalPlatformSpecApplyConfiguration struct {
+	// platformName holds the arbitrary string representing the infrastructure provider name, expected to be set at the installation time.
+	// This field is solely for informational and reporting purposes and is not expected to be used for decision-making.
 	PlatformName *string `json:"platformName,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go
index 65f8f2b109c2a..f9b6e4c79b50e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go
@@ -4,7 +4,12 @@ package v1
 
 // ExternalPlatformStatusApplyConfiguration represents a declarative configuration of the ExternalPlatformStatus type for use
 // with apply.
+//
+// ExternalPlatformStatus holds the current status of the generic External infrastructure provider.
 type ExternalPlatformStatusApplyConfiguration struct {
+	// cloudControllerManager contains settings specific to the external Cloud Controller Manager (a.k.a. CCM or CPI).
+	// When omitted, new nodes will be not tainted
+	// and no extra initialization from the cloud controller manager is expected.
 	CloudControllerManager *CloudControllerManagerStatusApplyConfiguration `json:"cloudControllerManager,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go
index 4100ed7ed321b..46fa7c46c555b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go
@@ -4,8 +4,38 @@ package v1
 
 // ExtraMappingApplyConfiguration represents a declarative configuration of the ExtraMapping type for use
 // with apply.
+//
+// ExtraMapping allows specifying a key and CEL expression to evaluate the keys' value.
+// It is used to create additional mappings and attributes added to a cluster identity from a provided authentication token.
 type ExtraMappingApplyConfiguration struct {
-	Key             *string `json:"key,omitempty"`
+	// key is a required field that specifies the string to use as the extra attribute key.
+	//
+	// key must be a domain-prefix path (e.g 'example.org/foo').
+	// key must not exceed 510 characters in length.
+	// key must contain the '/' character, separating the domain and path characters.
+	// key must not be empty.
+	//
+	// The domain portion of the key (string of characters prior to the '/') must be a valid RFC1123 subdomain.
+	// It must not exceed 253 characters in length.
+	// It must start and end with an alphanumeric character.
+	// It must only contain lower case alphanumeric characters and '-' or '.'.
+	// It must not use the reserved domains, or be subdomains of, "kubernetes.io", "k8s.io", and "openshift.io".
+	//
+	// The path portion of the key (string of characters after the '/') must not be empty and must consist of at least one alphanumeric character, percent-encoded octets, '-', '.', '_', '~', '!', '$', '&', ”', '(', ')', '*', '+', ',', ';', '=', and ':'.
+	// It must not exceed 256 characters in length.
+	Key *string `json:"key,omitempty"`
+	// valueExpression is a required field to specify the CEL expression to extract the extra attribute value from a JWT token's claims.
+	// valueExpression must produce a string or string array value.
+	// "", [], and null are treated as the extra mapping not being present.
+	// Empty string values within an array are filtered out.
+	//
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
+	// 'claims' is a map of claim names to claim values.
+	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
+	// Nested claims can be accessed using dot notation ('claims.foo.bar').
+	//
+	// valueExpression must not exceed 1024 characters in length.
+	// valueExpression must not be empty.
 	ValueExpression *string `json:"valueExpression,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go
index 2ec8b3af41890..a32c2bbeee089 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go
@@ -13,11 +13,19 @@ import (
 
 // FeatureGateApplyConfiguration represents a declarative configuration of the FeatureGate type for use
 // with apply.
+//
+// Feature holds cluster-wide information about feature gates.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type FeatureGateApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *FeatureGateSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *FeatureGateStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *FeatureGateSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *FeatureGateStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // FeatureGate constructs a declarative configuration of the FeatureGate type for use with
@@ -30,6 +38,26 @@ func FeatureGate(name string) *FeatureGateApplyConfiguration {
 	return b
 }
 
+// ExtractFeatureGateFrom extracts the applied configuration owned by fieldManager from
+// featureGate for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// featureGate must be a unmodified FeatureGate API object that was retrieved from the Kubernetes API.
+// ExtractFeatureGateFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractFeatureGateFrom(featureGate *configv1.FeatureGate, fieldManager string, subresource string) (*FeatureGateApplyConfiguration, error) {
+	b := &FeatureGateApplyConfiguration{}
+	err := managedfields.ExtractInto(featureGate, internal.Parser().Type("com.github.openshift.api.config.v1.FeatureGate"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(featureGate.Name)
+
+	b.WithKind("FeatureGate")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractFeatureGate extracts the applied configuration owned by fieldManager from
 // featureGate. If no managedFields are found in featureGate for fieldManager, a
 // FeatureGateApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func FeatureGate(name string) *FeatureGateApplyConfiguration {
 // ExtractFeatureGate provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractFeatureGate(featureGate *configv1.FeatureGate, fieldManager string) (*FeatureGateApplyConfiguration, error) {
-	return extractFeatureGate(featureGate, fieldManager, "")
+	return ExtractFeatureGateFrom(featureGate, fieldManager, "")
 }
 
-// ExtractFeatureGateStatus is the same as ExtractFeatureGate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractFeatureGateStatus extracts the applied configuration owned by fieldManager from
+// featureGate for the status subresource.
 func ExtractFeatureGateStatus(featureGate *configv1.FeatureGate, fieldManager string) (*FeatureGateApplyConfiguration, error) {
-	return extractFeatureGate(featureGate, fieldManager, "status")
+	return ExtractFeatureGateFrom(featureGate, fieldManager, "status")
 }
 
-func extractFeatureGate(featureGate *configv1.FeatureGate, fieldManager string, subresource string) (*FeatureGateApplyConfiguration, error) {
-	b := &FeatureGateApplyConfiguration{}
-	err := managedfields.ExtractInto(featureGate, internal.Parser().Type("com.github.openshift.api.config.v1.FeatureGate"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(featureGate.Name)
-
-	b.WithKind("FeatureGate")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b FeatureGateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go
index 7884ec2872aff..9a800ca4aa990 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go
@@ -9,6 +9,7 @@ import (
 // FeatureGateAttributesApplyConfiguration represents a declarative configuration of the FeatureGateAttributes type for use
 // with apply.
 type FeatureGateAttributesApplyConfiguration struct {
+	// name is the name of the FeatureGate.
 	Name *configv1.FeatureGateName `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go
index c451f74dfdc24..3aa4b84e65721 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go
@@ -5,8 +5,11 @@ package v1
 // FeatureGateDetailsApplyConfiguration represents a declarative configuration of the FeatureGateDetails type for use
 // with apply.
 type FeatureGateDetailsApplyConfiguration struct {
-	Version  *string                                   `json:"version,omitempty"`
-	Enabled  []FeatureGateAttributesApplyConfiguration `json:"enabled,omitempty"`
+	// version matches the version provided by the ClusterVersion and in the ClusterOperator.Status.Versions field.
+	Version *string `json:"version,omitempty"`
+	// enabled is a list of all feature gates that are enabled in the cluster for the named version.
+	Enabled []FeatureGateAttributesApplyConfiguration `json:"enabled,omitempty"`
+	// disabled is a list of all feature gates that are disabled in the cluster for the named version.
 	Disabled []FeatureGateAttributesApplyConfiguration `json:"disabled,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go
index b79d3f883c9b8..a5225476df333 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go
@@ -9,7 +9,12 @@ import (
 // FeatureGateSelectionApplyConfiguration represents a declarative configuration of the FeatureGateSelection type for use
 // with apply.
 type FeatureGateSelectionApplyConfiguration struct {
-	FeatureSet      *configv1.FeatureSet                  `json:"featureSet,omitempty"`
+	// featureSet changes the list of features in the cluster.  The default is empty.  Be very careful adjusting this setting.
+	// Turning on or off features may cause irreversible changes in your cluster which cannot be undone.
+	FeatureSet *configv1.FeatureSet `json:"featureSet,omitempty"`
+	// customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES.
+	// Because of its nature, this setting cannot be validated.  If you have any typos or accidentally apply invalid combinations
+	// your cluster may fail in an unrecoverable way.  featureSet must equal "CustomNoUpgrade" must be set to use this field.
 	CustomNoUpgrade *CustomFeatureGatesApplyConfiguration `json:"customNoUpgrade,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go
index 705c3d0cffc25..ca90fe317d7ad 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go
@@ -9,7 +9,17 @@ import (
 // FeatureGateStatusApplyConfiguration represents a declarative configuration of the FeatureGateStatus type for use
 // with apply.
 type FeatureGateStatusApplyConfiguration struct {
-	Conditions   []metav1.ConditionApplyConfiguration   `json:"conditions,omitempty"`
+	// conditions represent the observations of the current state.
+	// Known .status.conditions.type are: "DeterminationDegraded"
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// featureGates contains a list of enabled and disabled featureGates that are keyed by payloadVersion.
+	// Operators other than the CVO and cluster-config-operator, must read the .status.featureGates, locate
+	// the version they are managing, find the enabled/disabled featuregates and make the operand and operator match.
+	// The enabled/disabled values for a particular version may change during the life of the cluster as various
+	// .spec.featureSet values are selected.
+	// Operators may choose to restart their processes to pick up these changes, but remembering past enable/disable
+	// lists is beyond the scope of this API and is the responsibility of individual operators.
+	// Only featureGates with .version in the ClusterVersion.status will be present in this list.
 	FeatureGates []FeatureGateDetailsApplyConfiguration `json:"featureGates,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go
deleted file mode 100644
index 48b553580d3e9..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1
-
-// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use
-// with apply.
-type FulcioCAWithRekorApplyConfiguration struct {
-	FulcioCAData  []byte                                 `json:"fulcioCAData,omitempty"`
-	RekorKeyData  []byte                                 `json:"rekorKeyData,omitempty"`
-	FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"`
-}
-
-// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with
-// apply.
-func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration {
-	return &FulcioCAWithRekorApplyConfiguration{}
-}
-
-// WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the FulcioCAData field.
-func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration {
-	for i := range values {
-		b.FulcioCAData = append(b.FulcioCAData, values[i])
-	}
-	return b
-}
-
-// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
-func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration {
-	for i := range values {
-		b.RekorKeyData = append(b.RekorKeyData, values[i])
-	}
-	return b
-}
-
-// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the FulcioSubject field is set to the value of the last call.
-func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration {
-	b.FulcioSubject = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go
new file mode 100644
index 0000000000000..8013512a5fed7
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go
@@ -0,0 +1,58 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+// GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use
+// with apply.
+//
+// GatherConfig provides data gathering configuration options.
+type GatherConfigApplyConfiguration struct {
+	// dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data.
+	// It may not exceed 2 items and must not contain duplicates.
+	// Valid values are ObfuscateNetworking and WorkloadNames.
+	// When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
+	// When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead.
+	// When omitted no obfuscation is applied.
+	DataPolicy []configv1.DataPolicyOption `json:"dataPolicy,omitempty"`
+	// gatherers is a required field that specifies the configuration of the gatherers.
+	Gatherers *GatherersApplyConfiguration `json:"gatherers,omitempty"`
+	// storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+	// If omitted, the gathering job will use ephemeral storage.
+	Storage *StorageApplyConfiguration `json:"storage,omitempty"`
+}
+
+// GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with
+// apply.
+func GatherConfig() *GatherConfigApplyConfiguration {
+	return &GatherConfigApplyConfiguration{}
+}
+
+// WithDataPolicy adds the given value to the DataPolicy field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the DataPolicy field.
+func (b *GatherConfigApplyConfiguration) WithDataPolicy(values ...configv1.DataPolicyOption) *GatherConfigApplyConfiguration {
+	for i := range values {
+		b.DataPolicy = append(b.DataPolicy, values[i])
+	}
+	return b
+}
+
+// WithGatherers sets the Gatherers field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Gatherers field is set to the value of the last call.
+func (b *GatherConfigApplyConfiguration) WithGatherers(value *GatherersApplyConfiguration) *GatherConfigApplyConfiguration {
+	b.Gatherers = value
+	return b
+}
+
+// WithStorage sets the Storage field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Storage field is set to the value of the last call.
+func (b *GatherConfigApplyConfiguration) WithStorage(value *StorageApplyConfiguration) *GatherConfigApplyConfiguration {
+	b.Storage = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go
new file mode 100644
index 0000000000000..d63c4d4f0da73
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go
@@ -0,0 +1,49 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+// GathererConfigApplyConfiguration represents a declarative configuration of the GathererConfig type for use
+// with apply.
+//
+// GathererConfig allows to configure specific gatherers
+type GathererConfigApplyConfiguration struct {
+	// name is the required name of a specific gatherer.
+	// It may not exceed 256 characters.
+	// The format for a gatherer name is: {gatherer}/{function} where the function is optional.
+	// Gatherer consists of a lowercase letters only that may include underscores (_).
+	// Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+	// The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	Name *string `json:"name,omitempty"`
+	// state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled".
+	// When set to Enabled the gatherer will run.
+	// When set to Disabled the gatherer will not run.
+	State *configv1.GathererState `json:"state,omitempty"`
+}
+
+// GathererConfigApplyConfiguration constructs a declarative configuration of the GathererConfig type for use with
+// apply.
+func GathererConfig() *GathererConfigApplyConfiguration {
+	return &GathererConfigApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *GathererConfigApplyConfiguration) WithName(value string) *GathererConfigApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *GathererConfigApplyConfiguration) WithState(value configv1.GathererState) *GathererConfigApplyConfiguration {
+	b.State = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go
new file mode 100644
index 0000000000000..06ee2cf6aaaf8
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go
@@ -0,0 +1,46 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+// GatherersApplyConfiguration represents a declarative configuration of the Gatherers type for use
+// with apply.
+//
+// Gatherers specifies the configuration of the gatherers
+type GatherersApplyConfiguration struct {
+	// mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom.
+	// When set to All, all gatherers will run and gather data.
+	// When set to None, all gatherers will be disabled and no data will be gathered.
+	// When set to Custom, the custom configuration from the custom field will be applied.
+	Mode *configv1.GatheringMode `json:"mode,omitempty"`
+	// custom provides gathering configuration.
+	// It is required when mode is Custom, and forbidden otherwise.
+	// Custom configuration allows user to disable only a subset of gatherers.
+	// Gatherers that are not explicitly disabled in custom configuration will run.
+	Custom *CustomApplyConfiguration `json:"custom,omitempty"`
+}
+
+// GatherersApplyConfiguration constructs a declarative configuration of the Gatherers type for use with
+// apply.
+func Gatherers() *GatherersApplyConfiguration {
+	return &GatherersApplyConfiguration{}
+}
+
+// WithMode sets the Mode field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Mode field is set to the value of the last call.
+func (b *GatherersApplyConfiguration) WithMode(value configv1.GatheringMode) *GatherersApplyConfiguration {
+	b.Mode = &value
+	return b
+}
+
+// WithCustom sets the Custom field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Custom field is set to the value of the last call.
+func (b *GatherersApplyConfiguration) WithCustom(value *CustomApplyConfiguration) *GatherersApplyConfiguration {
+	b.Custom = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go
index 9c28888cf9a46..bf4c761d1a34c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go
@@ -4,11 +4,28 @@ package v1
 
 // GCPPlatformStatusApplyConfiguration represents a declarative configuration of the GCPPlatformStatus type for use
 // with apply.
+//
+// GCPPlatformStatus holds the current status of the Google Cloud Platform infrastructure provider.
 type GCPPlatformStatusApplyConfiguration struct {
-	ProjectID               *string                                    `json:"projectID,omitempty"`
-	Region                  *string                                    `json:"region,omitempty"`
-	ResourceLabels          []GCPResourceLabelApplyConfiguration       `json:"resourceLabels,omitempty"`
-	ResourceTags            []GCPResourceTagApplyConfiguration         `json:"resourceTags,omitempty"`
+	// resourceGroupName is the Project ID for new GCP resources created for the cluster.
+	ProjectID *string `json:"projectID,omitempty"`
+	// region holds the region for new GCP resources created for the cluster.
+	Region *string `json:"region,omitempty"`
+	// resourceLabels is a list of additional labels to apply to GCP resources created for the cluster.
+	// See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources.
+	// GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use,
+	// allowing 32 labels for user configuration.
+	ResourceLabels []GCPResourceLabelApplyConfiguration `json:"resourceLabels,omitempty"`
+	// resourceTags is a list of additional tags to apply to GCP resources created for the cluster.
+	// See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on
+	// tagging GCP resources. GCP supports a maximum of 50 tags per resource.
+	ResourceTags []GCPResourceTagApplyConfiguration `json:"resourceTags,omitempty"`
+	// cloudLoadBalancerConfig holds configuration related to DNS and cloud
+	// load balancers. It allows configuration of in-cluster DNS as an alternative
+	// to the platform default DNS implementation.
+	// When using the ClusterHosted DNS type, Load Balancer IP addresses
+	// must be provided for the API and internal API load balancers as well as the
+	// ingress load balancer.
 	CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go
index 5d408e45ede9c..1c2f5b570a002 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go
@@ -4,8 +4,16 @@ package v1
 
 // GCPResourceLabelApplyConfiguration represents a declarative configuration of the GCPResourceLabel type for use
 // with apply.
+//
+// GCPResourceLabel is a label to apply to GCP resources created for the cluster.
 type GCPResourceLabelApplyConfiguration struct {
-	Key   *string `json:"key,omitempty"`
+	// key is the key part of the label. A label key can have a maximum of 63 characters and cannot be empty.
+	// Label key must begin with a lowercase letter, and must contain only lowercase letters, numeric characters,
+	// and the following special characters `_-`. Label key must not have the reserved prefixes `kubernetes-io`
+	// and `openshift-io`.
+	Key *string `json:"key,omitempty"`
+	// value is the value part of the label. A label value can have a maximum of 63 characters and cannot be empty.
+	// Value must contain only lowercase letters, numeric characters, and the following special characters `_-`.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go
index 8f22d3a54edd1..7652b2886c7d3 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go
@@ -4,10 +4,25 @@ package v1
 
 // GCPResourceTagApplyConfiguration represents a declarative configuration of the GCPResourceTag type for use
 // with apply.
+//
+// GCPResourceTag is a tag to apply to GCP resources created for the cluster.
 type GCPResourceTagApplyConfiguration struct {
+	// parentID is the ID of the hierarchical resource where the tags are defined,
+	// e.g. at the Organization or the Project level. To find the Organization or Project ID refer to the following pages:
+	// https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id,
+	// https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects.
+	// An OrganizationID must consist of decimal numbers, and cannot have leading zeroes.
+	// A ProjectID must be 6 to 30 characters in length, can only contain lowercase letters, numbers,
+	// and hyphens, and must start with a letter, and cannot end with a hyphen.
 	ParentID *string `json:"parentID,omitempty"`
-	Key      *string `json:"key,omitempty"`
-	Value    *string `json:"value,omitempty"`
+	// key is the key part of the tag. A tag key can have a maximum of 63 characters and cannot be empty.
+	// Tag key must begin and end with an alphanumeric character, and must contain only uppercase, lowercase
+	// alphanumeric characters, and the following special characters `._-`.
+	Key *string `json:"key,omitempty"`
+	// value is the value part of the tag. A tag value can have a maximum of 63 characters and cannot be empty.
+	// Tag value must begin and end with an alphanumeric character, and must contain only uppercase, lowercase
+	// alphanumeric characters, and the following special characters `_-.@%=+:,*#&(){}[]` and spaces.
+	Value *string `json:"value,omitempty"`
 }
 
 // GCPResourceTagApplyConfiguration constructs a declarative configuration of the GCPResourceTag type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go
index c797463d3691f..4d91aa7347644 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go
@@ -4,13 +4,33 @@ package v1
 
 // GitHubIdentityProviderApplyConfiguration represents a declarative configuration of the GitHubIdentityProvider type for use
 // with apply.
+//
+// GitHubIdentityProvider provides identities for users authenticating using GitHub credentials
 type GitHubIdentityProviderApplyConfiguration struct {
-	ClientID      *string                                   `json:"clientID,omitempty"`
-	ClientSecret  *SecretNameReferenceApplyConfiguration    `json:"clientSecret,omitempty"`
-	Organizations []string                                  `json:"organizations,omitempty"`
-	Teams         []string                                  `json:"teams,omitempty"`
-	Hostname      *string                                   `json:"hostname,omitempty"`
-	CA            *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// clientID is the oauth client ID
+	ClientID *string `json:"clientID,omitempty"`
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
+	// organizations optionally restricts which organizations are allowed to log in
+	Organizations []string `json:"organizations,omitempty"`
+	// teams optionally restricts which teams are allowed to log in. Format is <org>/<team>.
+	Teams []string `json:"teams,omitempty"`
+	// hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of
+	// GitHub Enterprise.
+	// It must match the GitHub Enterprise settings value configured at /setup/settings#hostname.
+	Hostname *string `json:"hostname,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// This can only be configured when hostname is set to a non-empty value.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
 }
 
 // GitHubIdentityProviderApplyConfiguration constructs a declarative configuration of the GitHubIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go
index e6a542e1c0e40..8faa741aecac2 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go
@@ -4,11 +4,26 @@ package v1
 
 // GitLabIdentityProviderApplyConfiguration represents a declarative configuration of the GitLabIdentityProvider type for use
 // with apply.
+//
+// GitLabIdentityProvider provides identities for users authenticating using GitLab credentials
 type GitLabIdentityProviderApplyConfiguration struct {
-	ClientID     *string                                   `json:"clientID,omitempty"`
-	ClientSecret *SecretNameReferenceApplyConfiguration    `json:"clientSecret,omitempty"`
-	URL          *string                                   `json:"url,omitempty"`
-	CA           *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// clientID is the oauth client ID
+	ClientID *string `json:"clientID,omitempty"`
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
+	// url is the oauth server base URL
+	URL *string `json:"url,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
 }
 
 // GitLabIdentityProviderApplyConfiguration constructs a declarative configuration of the GitLabIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go
index d828680696519..f6d6a381d1da9 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go
@@ -4,10 +4,18 @@ package v1
 
 // GoogleIdentityProviderApplyConfiguration represents a declarative configuration of the GoogleIdentityProvider type for use
 // with apply.
+//
+// GoogleIdentityProvider provides identities for users authenticating using Google credentials
 type GoogleIdentityProviderApplyConfiguration struct {
-	ClientID     *string                                `json:"clientID,omitempty"`
+	// clientID is the oauth client ID
+	ClientID *string `json:"clientID,omitempty"`
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
 	ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
-	HostedDomain *string                                `json:"hostedDomain,omitempty"`
+	// hostedDomain is the optional Google App domain (e.g. "mycompany.com") to restrict logins to
+	HostedDomain *string `json:"hostedDomain,omitempty"`
 }
 
 // GoogleIdentityProviderApplyConfiguration constructs a declarative configuration of the GoogleIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go
index f5c689bbe280d..8ebbe1602ff8e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go
@@ -4,7 +4,14 @@ package v1
 
 // HTPasswdIdentityProviderApplyConfiguration represents a declarative configuration of the HTPasswdIdentityProvider type for use
 // with apply.
+//
+// HTPasswdPasswordIdentityProvider provides identities for users authenticating using htpasswd credentials
 type HTPasswdIdentityProviderApplyConfiguration struct {
+	// fileData is a required reference to a secret by name containing the data to use as the htpasswd file.
+	// The key "htpasswd" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// If the specified htpasswd data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
 	FileData *SecretNameReferenceApplyConfiguration `json:"fileData,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go
index 333802bfecede..dbe7b9c8d11ac 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go
@@ -4,9 +4,13 @@ package v1
 
 // HubSourceApplyConfiguration represents a declarative configuration of the HubSource type for use
 // with apply.
+//
+// HubSource is used to specify the hub source and its configuration
 type HubSourceApplyConfiguration struct {
-	Name     *string `json:"name,omitempty"`
-	Disabled *bool   `json:"disabled,omitempty"`
+	// name is the name of one of the default hub sources
+	Name *string `json:"name,omitempty"`
+	// disabled is used to disable a default hub source on cluster
+	Disabled *bool `json:"disabled,omitempty"`
 }
 
 // HubSourceApplyConfiguration constructs a declarative configuration of the HubSource type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go
index 1688b1ce41cd9..539e70b4e53eb 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go
@@ -4,10 +4,15 @@ package v1
 
 // HubSourceStatusApplyConfiguration represents a declarative configuration of the HubSourceStatus type for use
 // with apply.
+//
+// HubSourceStatus is used to reflect the current state of applying the
+// configuration to a default source
 type HubSourceStatusApplyConfiguration struct {
 	*HubSourceApplyConfiguration `json:"HubSource,omitempty"`
-	Status                       *string `json:"status,omitempty"`
-	Message                      *string `json:"message,omitempty"`
+	// status indicates success or failure in applying the configuration
+	Status *string `json:"status,omitempty"`
+	// message provides more information regarding failures
+	Message *string `json:"message,omitempty"`
 }
 
 // HubSourceStatusApplyConfiguration constructs a declarative configuration of the HubSourceStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go
index 7e0a8326df9dd..43fa282c63c67 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go
@@ -4,7 +4,17 @@ package v1
 
 // IBMCloudPlatformSpecApplyConfiguration represents a declarative configuration of the IBMCloudPlatformSpec type for use
 // with apply.
+//
+// IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type IBMCloudPlatformSpecApplyConfiguration struct {
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of an IBM service. These endpoints are used by components
+	// within the cluster when trying to reach the IBM Cloud Services that have been
+	// overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+	// endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+	// are updated to reflect the same custom endpoints.
+	// A maximum of 13 service endpoints overrides are supported.
 	ServiceEndpoints []IBMCloudServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go
index 48c17c9cb5672..a3fd567bb0763 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go
@@ -8,13 +8,28 @@ import (
 
 // IBMCloudPlatformStatusApplyConfiguration represents a declarative configuration of the IBMCloudPlatformStatus type for use
 // with apply.
+//
+// IBMCloudPlatformStatus holds the current status of the IBMCloud infrastructure provider.
 type IBMCloudPlatformStatusApplyConfiguration struct {
-	Location          *string                                     `json:"location,omitempty"`
-	ResourceGroupName *string                                     `json:"resourceGroupName,omitempty"`
-	ProviderType      *configv1.IBMCloudProviderType              `json:"providerType,omitempty"`
-	CISInstanceCRN    *string                                     `json:"cisInstanceCRN,omitempty"`
-	DNSInstanceCRN    *string                                     `json:"dnsInstanceCRN,omitempty"`
-	ServiceEndpoints  []IBMCloudServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
+	// location is where the cluster has been deployed
+	Location *string `json:"location,omitempty"`
+	// resourceGroupName is the Resource Group for new IBMCloud resources created for the cluster.
+	ResourceGroupName *string `json:"resourceGroupName,omitempty"`
+	// providerType indicates the type of cluster that was created
+	ProviderType *configv1.IBMCloudProviderType `json:"providerType,omitempty"`
+	// cisInstanceCRN is the CRN of the Cloud Internet Services instance managing
+	// the DNS zone for the cluster's base domain
+	CISInstanceCRN *string `json:"cisInstanceCRN,omitempty"`
+	// dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone
+	// for the cluster's base domain
+	DNSInstanceCRN *string `json:"dnsInstanceCRN,omitempty"`
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of an IBM service. These endpoints are used by components
+	// within the cluster when trying to reach the IBM Cloud Services that have been
+	// overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each
+	// endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus
+	// are updated to reflect the same custom endpoints.
+	ServiceEndpoints []IBMCloudServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
 }
 
 // IBMCloudPlatformStatusApplyConfiguration constructs a declarative configuration of the IBMCloudPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go
index daec88ba5d486..825d9b6cbb468 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go
@@ -8,9 +8,22 @@ import (
 
 // IBMCloudServiceEndpointApplyConfiguration represents a declarative configuration of the IBMCloudServiceEndpoint type for use
 // with apply.
+//
+// IBMCloudServiceEndpoint stores the configuration of a custom url to
+// override existing defaults of IBM Cloud Services.
 type IBMCloudServiceEndpointApplyConfiguration struct {
+	// name is the name of the IBM Cloud service.
+	// Possible values are: CIS, COS, COSConfig, DNSServices, GlobalCatalog, GlobalSearch, GlobalTagging, HyperProtect, IAM, KeyProtect, ResourceController, ResourceManager, or VPC.
+	// For example, the IBM Cloud Private IAM service could be configured with the
+	// service `name` of `IAM` and `url` of `https://private.iam.cloud.ibm.com`
+	// Whereas the IBM Cloud Private VPC service for US South (Dallas) could be configured
+	// with the service `name` of `VPC` and `url` of `https://us.south.private.iaas.cloud.ibm.com`
 	Name *configv1.IBMCloudServiceName `json:"name,omitempty"`
-	URL  *string                       `json:"url,omitempty"`
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty. The path must follow the pattern
+	// /v[0,9]+ or /api/v[0,9]+
+	URL *string `json:"url,omitempty"`
 }
 
 // IBMCloudServiceEndpointApplyConfiguration constructs a declarative configuration of the IBMCloudServiceEndpoint type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go
index 4e726d0859b0d..7dc10c3e9e257 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go
@@ -8,8 +8,16 @@ import (
 
 // IdentityProviderApplyConfiguration represents a declarative configuration of the IdentityProvider type for use
 // with apply.
+//
+// IdentityProvider provides identities for users authenticating using credentials
 type IdentityProviderApplyConfiguration struct {
-	Name                                     *string                     `json:"name,omitempty"`
+	// name is used to qualify the identities returned by this provider.
+	// - It MUST be unique and not shared by any other identity provider used
+	// - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":"
+	// Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName
+	Name *string `json:"name,omitempty"`
+	// mappingMethod determines how identities from this provider are mapped to users
+	// Defaults to "claim"
 	MappingMethod                            *configv1.MappingMethodType `json:"mappingMethod,omitempty"`
 	IdentityProviderConfigApplyConfiguration `json:",inline"`
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go
index 1ff6d99a7b805..f0bcdab706b88 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go
@@ -8,16 +8,28 @@ import (
 
 // IdentityProviderConfigApplyConfiguration represents a declarative configuration of the IdentityProviderConfig type for use
 // with apply.
+//
+// IdentityProviderConfig contains configuration for using a specific identity provider
 type IdentityProviderConfigApplyConfiguration struct {
-	Type          *configv1.IdentityProviderType                   `json:"type,omitempty"`
-	BasicAuth     *BasicAuthIdentityProviderApplyConfiguration     `json:"basicAuth,omitempty"`
-	GitHub        *GitHubIdentityProviderApplyConfiguration        `json:"github,omitempty"`
-	GitLab        *GitLabIdentityProviderApplyConfiguration        `json:"gitlab,omitempty"`
-	Google        *GoogleIdentityProviderApplyConfiguration        `json:"google,omitempty"`
-	HTPasswd      *HTPasswdIdentityProviderApplyConfiguration      `json:"htpasswd,omitempty"`
-	Keystone      *KeystoneIdentityProviderApplyConfiguration      `json:"keystone,omitempty"`
-	LDAP          *LDAPIdentityProviderApplyConfiguration          `json:"ldap,omitempty"`
-	OpenID        *OpenIDIdentityProviderApplyConfiguration        `json:"openID,omitempty"`
+	// type identifies the identity provider type for this entry.
+	Type *configv1.IdentityProviderType `json:"type,omitempty"`
+	// basicAuth contains configuration options for the BasicAuth IdP
+	BasicAuth *BasicAuthIdentityProviderApplyConfiguration `json:"basicAuth,omitempty"`
+	// github enables user authentication using GitHub credentials
+	GitHub *GitHubIdentityProviderApplyConfiguration `json:"github,omitempty"`
+	// gitlab enables user authentication using GitLab credentials
+	GitLab *GitLabIdentityProviderApplyConfiguration `json:"gitlab,omitempty"`
+	// google enables user authentication using Google credentials
+	Google *GoogleIdentityProviderApplyConfiguration `json:"google,omitempty"`
+	// htpasswd enables user authentication using an HTPasswd file to validate credentials
+	HTPasswd *HTPasswdIdentityProviderApplyConfiguration `json:"htpasswd,omitempty"`
+	// keystone enables user authentication using keystone password credentials
+	Keystone *KeystoneIdentityProviderApplyConfiguration `json:"keystone,omitempty"`
+	// ldap enables user authentication using LDAP credentials
+	LDAP *LDAPIdentityProviderApplyConfiguration `json:"ldap,omitempty"`
+	// openID enables user authentication using OpenID credentials
+	OpenID *OpenIDIdentityProviderApplyConfiguration `json:"openID,omitempty"`
+	// requestHeader enables user authentication using request header credentials
 	RequestHeader *RequestHeaderIdentityProviderApplyConfiguration `json:"requestHeader,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/image.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/image.go
index 666ef86eb1e8a..7007b836b7863 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/image.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/image.go
@@ -13,11 +13,24 @@ import (
 
 // ImageApplyConfiguration represents a declarative configuration of the Image type for use
 // with apply.
+//
+// Image governs policies related to imagestream imports and runtime configuration
+// for external registries. It allows cluster admins to configure which registries
+// OpenShift is allowed to import images from, extra CA trust bundles for external
+// registries, and policies to block or allow registry hostnames.
+// When exposing OpenShift's image registry to the public, this also lets cluster
+// admins specify the external hostname.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImageSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ImageStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImageSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *ImageStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Image constructs a declarative configuration of the Image type for use with
@@ -30,6 +43,26 @@ func Image(name string) *ImageApplyConfiguration {
 	return b
 }
 
+// ExtractImageFrom extracts the applied configuration owned by fieldManager from
+// image for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// image must be a unmodified Image API object that was retrieved from the Kubernetes API.
+// ExtractImageFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageFrom(image *configv1.Image, fieldManager string, subresource string) (*ImageApplyConfiguration, error) {
+	b := &ImageApplyConfiguration{}
+	err := managedfields.ExtractInto(image, internal.Parser().Type("com.github.openshift.api.config.v1.Image"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(image.Name)
+
+	b.WithKind("Image")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractImage extracts the applied configuration owned by fieldManager from
 // image. If no managedFields are found in image for fieldManager, a
 // ImageApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +73,16 @@ func Image(name string) *ImageApplyConfiguration {
 // ExtractImage provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImage(image *configv1.Image, fieldManager string) (*ImageApplyConfiguration, error) {
-	return extractImage(image, fieldManager, "")
+	return ExtractImageFrom(image, fieldManager, "")
 }
 
-// ExtractImageStatus is the same as ExtractImage except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImageStatus extracts the applied configuration owned by fieldManager from
+// image for the status subresource.
 func ExtractImageStatus(image *configv1.Image, fieldManager string) (*ImageApplyConfiguration, error) {
-	return extractImage(image, fieldManager, "status")
+	return ExtractImageFrom(image, fieldManager, "status")
 }
 
-func extractImage(image *configv1.Image, fieldManager string, subresource string) (*ImageApplyConfiguration, error) {
-	b := &ImageApplyConfiguration{}
-	err := managedfields.ExtractInto(image, internal.Parser().Type("com.github.openshift.api.config.v1.Image"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(image.Name)
-
-	b.WithKind("Image")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ImageApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicy.go
index 4235d2f51b6bc..8dfc184b0b864 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicy.go
@@ -13,10 +13,18 @@ import (
 
 // ImageContentPolicyApplyConfiguration represents a declarative configuration of the ImageContentPolicy type for use
 // with apply.
+//
+// ImageContentPolicy holds cluster-wide information about how to handle registry mirror rules.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageContentPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImageContentPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImageContentPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // ImageContentPolicy constructs a declarative configuration of the ImageContentPolicy type for use with
@@ -29,29 +37,14 @@ func ImageContentPolicy(name string) *ImageContentPolicyApplyConfiguration {
 	return b
 }
 
-// ExtractImageContentPolicy extracts the applied configuration owned by fieldManager from
-// imageContentPolicy. If no managedFields are found in imageContentPolicy for fieldManager, a
-// ImageContentPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractImageContentPolicyFrom extracts the applied configuration owned by fieldManager from
+// imageContentPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // imageContentPolicy must be a unmodified ImageContentPolicy API object that was retrieved from the Kubernetes API.
-// ExtractImageContentPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractImageContentPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractImageContentPolicy(imageContentPolicy *configv1.ImageContentPolicy, fieldManager string) (*ImageContentPolicyApplyConfiguration, error) {
-	return extractImageContentPolicy(imageContentPolicy, fieldManager, "")
-}
-
-// ExtractImageContentPolicyStatus is the same as ExtractImageContentPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractImageContentPolicyStatus(imageContentPolicy *configv1.ImageContentPolicy, fieldManager string) (*ImageContentPolicyApplyConfiguration, error) {
-	return extractImageContentPolicy(imageContentPolicy, fieldManager, "status")
-}
-
-func extractImageContentPolicy(imageContentPolicy *configv1.ImageContentPolicy, fieldManager string, subresource string) (*ImageContentPolicyApplyConfiguration, error) {
+func ExtractImageContentPolicyFrom(imageContentPolicy *configv1.ImageContentPolicy, fieldManager string, subresource string) (*ImageContentPolicyApplyConfiguration, error) {
 	b := &ImageContentPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(imageContentPolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ImageContentPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -63,6 +56,21 @@ func extractImageContentPolicy(imageContentPolicy *configv1.ImageContentPolicy,
 	b.WithAPIVersion("config.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractImageContentPolicy extracts the applied configuration owned by fieldManager from
+// imageContentPolicy. If no managedFields are found in imageContentPolicy for fieldManager, a
+// ImageContentPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// imageContentPolicy must be a unmodified ImageContentPolicy API object that was retrieved from the Kubernetes API.
+// ExtractImageContentPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageContentPolicy(imageContentPolicy *configv1.ImageContentPolicy, fieldManager string) (*ImageContentPolicyApplyConfiguration, error) {
+	return ExtractImageContentPolicyFrom(imageContentPolicy, fieldManager, "")
+}
+
 func (b ImageContentPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicyspec.go
index ea674157cb5f2..35a08240833d1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicyspec.go
@@ -4,7 +4,27 @@ package v1
 
 // ImageContentPolicySpecApplyConfiguration represents a declarative configuration of the ImageContentPolicySpec type for use
 // with apply.
+//
+// ImageContentPolicySpec is the specification of the ImageContentPolicy CRD.
 type ImageContentPolicySpecApplyConfiguration struct {
+	// repositoryDigestMirrors allows images referenced by image digests in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in RepositoryDigestMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To pull image from mirrors by tags, should set the "allowMirrorByTags".
+	//
+	// Each “source” repository is treated independently; configurations for different “source”
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source” repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
 	RepositoryDigestMirrors []RepositoryDigestMirrorsApplyConfiguration `json:"repositoryDigestMirrors,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrors.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrors.go
index d6c57cb7f56a6..367135ed1fe0b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrors.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrors.go
@@ -8,9 +8,42 @@ import (
 
 // ImageDigestMirrorsApplyConfiguration represents a declarative configuration of the ImageDigestMirrors type for use
 // with apply.
+//
+// ImageDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.
 type ImageDigestMirrorsApplyConfiguration struct {
-	Source             *string                      `json:"source,omitempty"`
-	Mirrors            []configv1.ImageMirror       `json:"mirrors,omitempty"`
+	// source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname
+	// e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry.
+	// "source" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// [*.]host
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	Source *string `json:"source,omitempty"`
+	// mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified.
+	// Images can be pulled from these mirrors only if they are referenced by their digests.
+	// The mirrored location is obtained by replacing the part of the input reference that
+	// matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference,
+	// a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo
+	// repository to be used.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors.
+	// If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be
+	// pulled from the repository in the pull spec unless explicitly prohibited by "mirrorSourcePolicy"
+	// Other cluster configuration, including (but not limited to) other imageDigestMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	// "mirrors" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	Mirrors []configv1.ImageMirror `json:"mirrors,omitempty"`
+	// mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors.
+	// If unset, the image will continue to be pulled from the the repository in the pull spec.
+	// sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.
 	MirrorSourcePolicy *configv1.MirrorSourcePolicy `json:"mirrorSourcePolicy,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorset.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorset.go
index 1e4bb2857112a..e811970ae3b21 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorset.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorset.go
@@ -13,11 +13,20 @@ import (
 
 // ImageDigestMirrorSetApplyConfiguration represents a declarative configuration of the ImageDigestMirrorSet type for use
 // with apply.
+//
+// ImageDigestMirrorSet holds cluster-wide information about how to handle registry mirror rules on using digest pull specification.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageDigestMirrorSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImageDigestMirrorSetSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.ImageDigestMirrorSetStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImageDigestMirrorSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *configv1.ImageDigestMirrorSetStatus `json:"status,omitempty"`
 }
 
 // ImageDigestMirrorSet constructs a declarative configuration of the ImageDigestMirrorSet type for use with
@@ -30,6 +39,26 @@ func ImageDigestMirrorSet(name string) *ImageDigestMirrorSetApplyConfiguration {
 	return b
 }
 
+// ExtractImageDigestMirrorSetFrom extracts the applied configuration owned by fieldManager from
+// imageDigestMirrorSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imageDigestMirrorSet must be a unmodified ImageDigestMirrorSet API object that was retrieved from the Kubernetes API.
+// ExtractImageDigestMirrorSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageDigestMirrorSetFrom(imageDigestMirrorSet *configv1.ImageDigestMirrorSet, fieldManager string, subresource string) (*ImageDigestMirrorSetApplyConfiguration, error) {
+	b := &ImageDigestMirrorSetApplyConfiguration{}
+	err := managedfields.ExtractInto(imageDigestMirrorSet, internal.Parser().Type("com.github.openshift.api.config.v1.ImageDigestMirrorSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imageDigestMirrorSet.Name)
+
+	b.WithKind("ImageDigestMirrorSet")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractImageDigestMirrorSet extracts the applied configuration owned by fieldManager from
 // imageDigestMirrorSet. If no managedFields are found in imageDigestMirrorSet for fieldManager, a
 // ImageDigestMirrorSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func ImageDigestMirrorSet(name string) *ImageDigestMirrorSetApplyConfiguration {
 // ExtractImageDigestMirrorSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImageDigestMirrorSet(imageDigestMirrorSet *configv1.ImageDigestMirrorSet, fieldManager string) (*ImageDigestMirrorSetApplyConfiguration, error) {
-	return extractImageDigestMirrorSet(imageDigestMirrorSet, fieldManager, "")
+	return ExtractImageDigestMirrorSetFrom(imageDigestMirrorSet, fieldManager, "")
 }
 
-// ExtractImageDigestMirrorSetStatus is the same as ExtractImageDigestMirrorSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImageDigestMirrorSetStatus extracts the applied configuration owned by fieldManager from
+// imageDigestMirrorSet for the status subresource.
 func ExtractImageDigestMirrorSetStatus(imageDigestMirrorSet *configv1.ImageDigestMirrorSet, fieldManager string) (*ImageDigestMirrorSetApplyConfiguration, error) {
-	return extractImageDigestMirrorSet(imageDigestMirrorSet, fieldManager, "status")
+	return ExtractImageDigestMirrorSetFrom(imageDigestMirrorSet, fieldManager, "status")
 }
 
-func extractImageDigestMirrorSet(imageDigestMirrorSet *configv1.ImageDigestMirrorSet, fieldManager string, subresource string) (*ImageDigestMirrorSetApplyConfiguration, error) {
-	b := &ImageDigestMirrorSetApplyConfiguration{}
-	err := managedfields.ExtractInto(imageDigestMirrorSet, internal.Parser().Type("com.github.openshift.api.config.v1.ImageDigestMirrorSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imageDigestMirrorSet.Name)
-
-	b.WithKind("ImageDigestMirrorSet")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ImageDigestMirrorSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorsetspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorsetspec.go
index fbb9d48ca3530..298071a6bc3dc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorsetspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorsetspec.go
@@ -4,7 +4,34 @@ package v1
 
 // ImageDigestMirrorSetSpecApplyConfiguration represents a declarative configuration of the ImageDigestMirrorSetSpec type for use
 // with apply.
+//
+// ImageDigestMirrorSetSpec is the specification of the ImageDigestMirrorSet CRD.
 type ImageDigestMirrorSetSpecApplyConfiguration struct {
+	// imageDigestMirrors allows images referenced by image digests in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in imageDigestMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To use mirrors to pull images using tag specification, users should configure
+	// a list of mirrors using "ImageTagMirrorSet" CRD.
+	//
+	// If the image pull specification matches the repository of "source" in multiple imagedigestmirrorset objects,
+	// only the objects which define the most specific namespace match will be used.
+	// For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as
+	// the "source", only the objects using quay.io/libpod/busybox are going to apply
+	// for pull specification quay.io/libpod/busybox.
+	// Each “source” repository is treated independently; configurations for different “source”
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source” repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
+	// Users who want to use a specific order of mirrors, should configure them into one list of mirrors using the expected order.
 	ImageDigestMirrors []ImageDigestMirrorsApplyConfiguration `json:"imageDigestMirrors,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagelabel.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagelabel.go
index 1d19105474467..6f970d19c9c63 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagelabel.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagelabel.go
@@ -5,7 +5,9 @@ package v1
 // ImageLabelApplyConfiguration represents a declarative configuration of the ImageLabel type for use
 // with apply.
 type ImageLabelApplyConfiguration struct {
-	Name  *string `json:"name,omitempty"`
+	// name defines the name of the label. It must have non-zero length.
+	Name *string `json:"name,omitempty"`
+	// value defines the literal value of the label.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go
index 6ae64c679e579..87162e7b32355 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go
@@ -13,11 +13,19 @@ import (
 
 // ImagePolicyApplyConfiguration represents a declarative configuration of the ImagePolicy type for use
 // with apply.
+//
+// # ImagePolicy holds namespace-wide configuration for image signature verification
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImagePolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImagePolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImagePolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ImagePolicy constructs a declarative configuration of the ImagePolicy type for use with
@@ -31,6 +39,27 @@ func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration {
 	return b
 }
 
+// ExtractImagePolicyFrom extracts the applied configuration owned by fieldManager from
+// imagePolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imagePolicy must be a unmodified ImagePolicy API object that was retrieved from the Kubernetes API.
+// ExtractImagePolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImagePolicyFrom(imagePolicy *configv1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) {
+	b := &ImagePolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ImagePolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imagePolicy.Name)
+	b.WithNamespace(imagePolicy.Namespace)
+
+	b.WithKind("ImagePolicy")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractImagePolicy extracts the applied configuration owned by fieldManager from
 // imagePolicy. If no managedFields are found in imagePolicy for fieldManager, a
 // ImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +70,16 @@ func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration {
 // ExtractImagePolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImagePolicy(imagePolicy *configv1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) {
-	return extractImagePolicy(imagePolicy, fieldManager, "")
+	return ExtractImagePolicyFrom(imagePolicy, fieldManager, "")
 }
 
-// ExtractImagePolicyStatus is the same as ExtractImagePolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImagePolicyStatus extracts the applied configuration owned by fieldManager from
+// imagePolicy for the status subresource.
 func ExtractImagePolicyStatus(imagePolicy *configv1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) {
-	return extractImagePolicy(imagePolicy, fieldManager, "status")
+	return ExtractImagePolicyFrom(imagePolicy, fieldManager, "status")
 }
 
-func extractImagePolicy(imagePolicy *configv1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) {
-	b := &ImagePolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1.ImagePolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imagePolicy.Name)
-	b.WithNamespace(imagePolicy.Namespace)
-
-	b.WithKind("ImagePolicy")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ImagePolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go
new file mode 100644
index 0000000000000..6baec09e73a79
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go
@@ -0,0 +1,52 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct {
+	// fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
+	// fulcioCAData must be at most 8192 characters.
+	FulcioCAData []byte `json:"fulcioCAData,omitempty"`
+	// rekorKeyData is a required field contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+	// fulcioSubject is a required field specifies OIDC issuer and the email of the Fulcio authentication configuration.
+	FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"`
+}
+
+// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with
+// apply.
+func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{}
+}
+
+// WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the FulcioCAData field.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.FulcioCAData = append(b.FulcioCAData, values[i])
+	}
+	return b
+}
+
+// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.RekorKeyData = append(b.RekorKeyData, values[i])
+	}
+	return b
+}
+
+// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the FulcioSubject field is set to the value of the last call.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	b.FulcioSubject = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go
new file mode 100644
index 0000000000000..71b17fd0a10ba
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go
@@ -0,0 +1,51 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrustApplyConfiguration struct {
+	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
+	CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"`
+	// caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters.
+	// caIntermediatesData requires caRootsData to be set.
+	CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"`
+	// pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+	PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"`
+}
+
+// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with
+// apply.
+func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	return &ImagePolicyPKIRootOfTrustApplyConfiguration{}
+}
+
+// WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i])
+	}
+	return b
+}
+
+// WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i])
+	}
+	return b
+}
+
+// WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PKICertificateSubject field is set to the value of the last call.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	b.PKICertificateSubject = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go
new file mode 100644
index 0000000000000..d7fa7f790e973
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go
@@ -0,0 +1,42 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct {
+	// keyData is a required field contains inline base64-encoded data for the PEM format public key.
+	// keyData must be at most 8192 characters.
+	KeyData []byte `json:"keyData,omitempty"`
+	// rekorKeyData is an optional field contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+}
+
+// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with
+// apply.
+func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{}
+}
+
+// WithKeyData adds the given value to the KeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the KeyData field.
+func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.KeyData = append(b.KeyData, values[i])
+	}
+	return b
+}
+
+// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
+func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.RekorKeyData = append(b.RekorKeyData, values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go
index b75165c8d05ee..64f972bd62923 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go
@@ -8,9 +8,24 @@ import (
 
 // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use
 // with apply.
+//
+// ImagePolicySpec is the specification of the ImagePolicy CRD.
 type ImagePolicySpecApplyConfiguration struct {
-	Scopes []configv1.ImageScope     `json:"scopes,omitempty"`
-	Policy *PolicyApplyConfiguration `json:"policy,omitempty"`
+	// scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
+	Scopes []configv1.ImageScope `json:"scopes,omitempty"`
+	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"`
 }
 
 // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with
@@ -32,7 +47,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1.ImageS
 // WithPolicy sets the Policy field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Policy field is set to the value of the last call.
-func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration {
+func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration {
 	b.Policy = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go
index aebb2698c9370..560eccb341997 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go
@@ -9,6 +9,8 @@ import (
 // ImagePolicyStatusApplyConfiguration represents a declarative configuration of the ImagePolicyStatus type for use
 // with apply.
 type ImagePolicyStatusApplyConfiguration struct {
+	// conditions provide details on the status of this API Resource.
+	// condition type 'Pending' indicates that the customer resource contains a policy that cannot take effect. It is either overwritten by a global policy or the image scope is not valid.
 	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go
new file mode 100644
index 0000000000000..c4fd11c68542b
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go
@@ -0,0 +1,38 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use
+// with apply.
+//
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicyApplyConfiguration struct {
+	// rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
+	// This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
+	RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"`
+	// signedIdentity is an optional field specifies what image identity the signature claims about the image. This is useful when the image identity in the signature differs from the original image spec, such as when mirror registry is configured for the image scope, the signature from the mirror registry contains the image identity of the mirror instead of the original scope.
+	// The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact".
+	SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"`
+}
+
+// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with
+// apply.
+func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration {
+	return &ImageSigstoreVerificationPolicyApplyConfiguration{}
+}
+
+// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RootOfTrust field is set to the value of the last call.
+func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration {
+	b.RootOfTrust = value
+	return b
+}
+
+// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SignedIdentity field is set to the value of the last call.
+func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration {
+	b.SignedIdentity = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagespec.go
index 2c3bf26874200..401fa0f857c95 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagespec.go
@@ -9,11 +9,40 @@ import (
 // ImageSpecApplyConfiguration represents a declarative configuration of the ImageSpec type for use
 // with apply.
 type ImageSpecApplyConfiguration struct {
-	AllowedRegistriesForImport []RegistryLocationApplyConfiguration      `json:"allowedRegistriesForImport,omitempty"`
-	ExternalRegistryHostnames  []string                                  `json:"externalRegistryHostnames,omitempty"`
-	AdditionalTrustedCA        *ConfigMapNameReferenceApplyConfiguration `json:"additionalTrustedCA,omitempty"`
-	RegistrySources            *RegistrySourcesApplyConfiguration        `json:"registrySources,omitempty"`
-	ImageStreamImportMode      *configv1.ImportModeType                  `json:"imageStreamImportMode,omitempty"`
+	// allowedRegistriesForImport limits the container image registries that normal users may import
+	// images from. Set this list to the registries that you trust to contain valid Docker
+	// images and that you want applications to be able to import from. Users with
+	// permission to create Images or ImageStreamMappings via the API are not affected by
+	// this policy - typically only administrators or system integrations will have those
+	// permissions.
+	AllowedRegistriesForImport []RegistryLocationApplyConfiguration `json:"allowedRegistriesForImport,omitempty"`
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
+	// should be trusted during imagestream import, pod image pull, build image pull, and
+	// imageregistry pullthrough.
+	// The namespace for this config map is openshift-config.
+	AdditionalTrustedCA *ConfigMapNameReferenceApplyConfiguration `json:"additionalTrustedCA,omitempty"`
+	// registrySources contains configuration that determines how the container runtime
+	// should treat individual registries when accessing images for builds+pods. (e.g.
+	// whether or not to allow insecure access).  It does not contain configuration for the
+	// internal cluster registry.
+	RegistrySources *RegistrySourcesApplyConfiguration `json:"registrySources,omitempty"`
+	// imageStreamImportMode controls the import mode behaviour of imagestreams.
+	// It can be set to `Legacy` or `PreserveOriginal` or the empty string. If this value
+	// is specified, this setting is applied to all newly created imagestreams which do not have the
+	// value set. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. When empty, the behaviour will be
+	// decided based on the payload type advertised by the ClusterVersion status, i.e single arch payload
+	// implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	ImageStreamImportMode *configv1.ImportModeType `json:"imageStreamImportMode,omitempty"`
 }
 
 // ImageSpecApplyConfiguration constructs a declarative configuration of the ImageSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagestatus.go
index cbf8a208a9515..df2a4d53ea401 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagestatus.go
@@ -9,9 +9,27 @@ import (
 // ImageStatusApplyConfiguration represents a declarative configuration of the ImageStatus type for use
 // with apply.
 type ImageStatusApplyConfiguration struct {
-	InternalRegistryHostname  *string                  `json:"internalRegistryHostname,omitempty"`
-	ExternalRegistryHostnames []string                 `json:"externalRegistryHostnames,omitempty"`
-	ImageStreamImportMode     *configv1.ImportModeType `json:"imageStreamImportMode,omitempty"`
+	// internalRegistryHostname sets the hostname for the default internal image
+	// registry. The value must be in "hostname[:port]" format.
+	// This value is set by the image registry operator which controls the internal registry
+	// hostname.
+	InternalRegistryHostname *string `json:"internalRegistryHostname,omitempty"`
+	// externalRegistryHostnames provides the hostnames for the default external image
+	// registry. The external hostname should be set only when the image registry
+	// is exposed externally. The first value is used in 'publicDockerImageRepository'
+	// field in ImageStreams. The value must be in "hostname[:port]" format.
+	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
+	// imageStreamImportMode controls the import mode behaviour of imagestreams. It can be
+	// `Legacy` or `PreserveOriginal`. `Legacy` indicates that the legacy behaviour should be used.
+	// For manifest lists, the legacy behaviour will discard the manifest list and import a single
+	// sub-manifest. In this case, the platform is chosen in the following order of priority:
+	// 1. tag annotations; 2. control plane arch/os; 3. linux/amd64; 4. the first manifest in the list.
+	// `PreserveOriginal` indicates that the original manifest will be preserved. For manifest lists,
+	// the manifest list and all its sub-manifests will be imported. This value will be reconciled based
+	// on either the spec value or if no spec value is specified, the image registry operator would look
+	// at the ClusterVersion status to determine the payload type and set the import mode accordingly,
+	// i.e single arch payload implies the import mode is Legacy and multi payload implies PreserveOriginal.
+	ImageStreamImportMode *configv1.ImportModeType `json:"imageStreamImportMode,omitempty"`
 }
 
 // ImageStatusApplyConfiguration constructs a declarative configuration of the ImageStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrors.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrors.go
index e0baa99fc5611..3ee7f2592cfe0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrors.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrors.go
@@ -8,9 +8,44 @@ import (
 
 // ImageTagMirrorsApplyConfiguration represents a declarative configuration of the ImageTagMirrors type for use
 // with apply.
+//
+// ImageTagMirrors holds cluster-wide information about how to handle mirrors in the registries config.
 type ImageTagMirrorsApplyConfiguration struct {
-	Source             *string                      `json:"source,omitempty"`
-	Mirrors            []configv1.ImageMirror       `json:"mirrors,omitempty"`
+	// source matches the repository that users refer to, e.g. in image pull specifications. Setting source to a registry hostname
+	// e.g. docker.io. quay.io, or registry.redhat.io, will match the image pull specification of corressponding registry.
+	// "source" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// [*.]host
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	Source *string `json:"source,omitempty"`
+	// mirrors is zero or more locations that may also contain the same images. No mirror will be configured if not specified.
+	// Images can be pulled from these mirrors only if they are referenced by their tags.
+	// The mirrored location is obtained by replacing the part of the input reference that
+	// matches source by the mirrors entry, e.g. for registry.redhat.io/product/repo reference,
+	// a (source, mirror) pair *.redhat.io, mirror.local/redhat causes a mirror.local/redhat/product/repo
+	// repository to be used.
+	// Pulling images by tag can potentially yield different images, depending on which endpoint we pull from.
+	// Configuring a list of mirrors using "ImageDigestMirrorSet" CRD and forcing digest-pulls for mirrors avoids that issue.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors.
+	// If no mirror is specified or all image pulls from the mirror list fail, the image will continue to be
+	// pulled from the repository in the pull spec unless explicitly prohibited by "mirrorSourcePolicy".
+	// Other cluster configuration, including (but not limited to) other imageTagMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	// "mirrors" uses one of the following formats:
+	// host[:port]
+	// host[:port]/namespace[/namespace…]
+	// host[:port]/namespace[/namespace…]/repo
+	// for more information about the format, see the document about the location field:
+	// https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#choosing-a-registry-toml-table
+	Mirrors []configv1.ImageMirror `json:"mirrors,omitempty"`
+	// mirrorSourcePolicy defines the fallback policy if fails to pull image from the mirrors.
+	// If unset, the image will continue to be pulled from the repository in the pull spec.
+	// sourcePolicy is valid configuration only when one or more mirrors are in the mirror list.
 	MirrorSourcePolicy *configv1.MirrorSourcePolicy `json:"mirrorSourcePolicy,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorset.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorset.go
index 3a7328112e07d..6c7a72b065f65 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorset.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorset.go
@@ -13,11 +13,20 @@ import (
 
 // ImageTagMirrorSetApplyConfiguration represents a declarative configuration of the ImageTagMirrorSet type for use
 // with apply.
+//
+// ImageTagMirrorSet holds cluster-wide information about how to handle registry mirror rules on using tag pull specification.
+// When multiple policies are defined, the outcome of the behavior is defined on each field.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageTagMirrorSetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImageTagMirrorSetSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.ImageTagMirrorSetStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImageTagMirrorSetSpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *configv1.ImageTagMirrorSetStatus `json:"status,omitempty"`
 }
 
 // ImageTagMirrorSet constructs a declarative configuration of the ImageTagMirrorSet type for use with
@@ -30,6 +39,26 @@ func ImageTagMirrorSet(name string) *ImageTagMirrorSetApplyConfiguration {
 	return b
 }
 
+// ExtractImageTagMirrorSetFrom extracts the applied configuration owned by fieldManager from
+// imageTagMirrorSet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imageTagMirrorSet must be a unmodified ImageTagMirrorSet API object that was retrieved from the Kubernetes API.
+// ExtractImageTagMirrorSetFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageTagMirrorSetFrom(imageTagMirrorSet *configv1.ImageTagMirrorSet, fieldManager string, subresource string) (*ImageTagMirrorSetApplyConfiguration, error) {
+	b := &ImageTagMirrorSetApplyConfiguration{}
+	err := managedfields.ExtractInto(imageTagMirrorSet, internal.Parser().Type("com.github.openshift.api.config.v1.ImageTagMirrorSet"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imageTagMirrorSet.Name)
+
+	b.WithKind("ImageTagMirrorSet")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractImageTagMirrorSet extracts the applied configuration owned by fieldManager from
 // imageTagMirrorSet. If no managedFields are found in imageTagMirrorSet for fieldManager, a
 // ImageTagMirrorSetApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func ImageTagMirrorSet(name string) *ImageTagMirrorSetApplyConfiguration {
 // ExtractImageTagMirrorSet provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImageTagMirrorSet(imageTagMirrorSet *configv1.ImageTagMirrorSet, fieldManager string) (*ImageTagMirrorSetApplyConfiguration, error) {
-	return extractImageTagMirrorSet(imageTagMirrorSet, fieldManager, "")
+	return ExtractImageTagMirrorSetFrom(imageTagMirrorSet, fieldManager, "")
 }
 
-// ExtractImageTagMirrorSetStatus is the same as ExtractImageTagMirrorSet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImageTagMirrorSetStatus extracts the applied configuration owned by fieldManager from
+// imageTagMirrorSet for the status subresource.
 func ExtractImageTagMirrorSetStatus(imageTagMirrorSet *configv1.ImageTagMirrorSet, fieldManager string) (*ImageTagMirrorSetApplyConfiguration, error) {
-	return extractImageTagMirrorSet(imageTagMirrorSet, fieldManager, "status")
+	return ExtractImageTagMirrorSetFrom(imageTagMirrorSet, fieldManager, "status")
 }
 
-func extractImageTagMirrorSet(imageTagMirrorSet *configv1.ImageTagMirrorSet, fieldManager string, subresource string) (*ImageTagMirrorSetApplyConfiguration, error) {
-	b := &ImageTagMirrorSetApplyConfiguration{}
-	err := managedfields.ExtractInto(imageTagMirrorSet, internal.Parser().Type("com.github.openshift.api.config.v1.ImageTagMirrorSet"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imageTagMirrorSet.Name)
-
-	b.WithKind("ImageTagMirrorSet")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ImageTagMirrorSetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorsetspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorsetspec.go
index ca59c387148dd..0642d9edef8f7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorsetspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorsetspec.go
@@ -4,7 +4,34 @@ package v1
 
 // ImageTagMirrorSetSpecApplyConfiguration represents a declarative configuration of the ImageTagMirrorSetSpec type for use
 // with apply.
+//
+// ImageTagMirrorSetSpec is the specification of the ImageTagMirrorSet CRD.
 type ImageTagMirrorSetSpecApplyConfiguration struct {
+	// imageTagMirrors allows images referenced by image tags in pods to be
+	// pulled from alternative mirrored repository locations. The image pull specification
+	// provided to the pod will be compared to the source locations described in imageTagMirrors
+	// and the image may be pulled down from any of the mirrors in the list instead of the
+	// specified repository allowing administrators to choose a potentially faster mirror.
+	// To use mirrors to pull images using digest specification only, users should configure
+	// a list of mirrors using "ImageDigestMirrorSet" CRD.
+	//
+	// If the image pull specification matches the repository of "source" in multiple imagetagmirrorset objects,
+	// only the objects which define the most specific namespace match will be used.
+	// For example, if there are objects using quay.io/libpod and quay.io/libpod/busybox as
+	// the "source", only the objects using quay.io/libpod/busybox are going to apply
+	// for pull specification quay.io/libpod/busybox.
+	// Each “source” repository is treated independently; configurations for different “source”
+	// repositories don’t interact.
+	//
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec.
+	//
+	// When multiple policies are defined for the same “source” repository, the sets of defined
+	// mirrors will be merged together, preserving the relative order of the mirrors, if possible.
+	// For example, if policy A has mirrors `a, b, c` and policy B has mirrors `c, d, e`, the
+	// mirrors will be used in the order `a, b, c, d, e`.  If the orders of mirror entries conflict
+	// (e.g. `a, b` vs. `b, a`) the configuration is not rejected but the resulting order is unspecified.
+	// Users who want to use a deterministic order of mirrors, should configure them into one list of mirrors using the expected order.
 	ImageTagMirrors []ImageTagMirrorsApplyConfiguration `json:"imageTagMirrors,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructure.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructure.go
index b98a229482c32..98e5a1b164c4c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructure.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructure.go
@@ -13,11 +13,19 @@ import (
 
 // InfrastructureApplyConfiguration represents a declarative configuration of the Infrastructure type for use
 // with apply.
+//
+// Infrastructure holds cluster-wide information about Infrastructure.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type InfrastructureApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *InfrastructureSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *InfrastructureStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *InfrastructureSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *InfrastructureStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Infrastructure constructs a declarative configuration of the Infrastructure type for use with
@@ -30,6 +38,26 @@ func Infrastructure(name string) *InfrastructureApplyConfiguration {
 	return b
 }
 
+// ExtractInfrastructureFrom extracts the applied configuration owned by fieldManager from
+// infrastructure for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// infrastructure must be a unmodified Infrastructure API object that was retrieved from the Kubernetes API.
+// ExtractInfrastructureFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractInfrastructureFrom(infrastructure *configv1.Infrastructure, fieldManager string, subresource string) (*InfrastructureApplyConfiguration, error) {
+	b := &InfrastructureApplyConfiguration{}
+	err := managedfields.ExtractInto(infrastructure, internal.Parser().Type("com.github.openshift.api.config.v1.Infrastructure"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(infrastructure.Name)
+
+	b.WithKind("Infrastructure")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractInfrastructure extracts the applied configuration owned by fieldManager from
 // infrastructure. If no managedFields are found in infrastructure for fieldManager, a
 // InfrastructureApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func Infrastructure(name string) *InfrastructureApplyConfiguration {
 // ExtractInfrastructure provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractInfrastructure(infrastructure *configv1.Infrastructure, fieldManager string) (*InfrastructureApplyConfiguration, error) {
-	return extractInfrastructure(infrastructure, fieldManager, "")
+	return ExtractInfrastructureFrom(infrastructure, fieldManager, "")
 }
 
-// ExtractInfrastructureStatus is the same as ExtractInfrastructure except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractInfrastructureStatus extracts the applied configuration owned by fieldManager from
+// infrastructure for the status subresource.
 func ExtractInfrastructureStatus(infrastructure *configv1.Infrastructure, fieldManager string) (*InfrastructureApplyConfiguration, error) {
-	return extractInfrastructure(infrastructure, fieldManager, "status")
+	return ExtractInfrastructureFrom(infrastructure, fieldManager, "status")
 }
 
-func extractInfrastructure(infrastructure *configv1.Infrastructure, fieldManager string, subresource string) (*InfrastructureApplyConfiguration, error) {
-	b := &InfrastructureApplyConfiguration{}
-	err := managedfields.ExtractInto(infrastructure, internal.Parser().Type("com.github.openshift.api.config.v1.Infrastructure"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(infrastructure.Name)
-
-	b.WithKind("Infrastructure")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b InfrastructureApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurespec.go
index 83dccde29ee7e..e48e1368b3691 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurespec.go
@@ -4,9 +4,25 @@ package v1
 
 // InfrastructureSpecApplyConfiguration represents a declarative configuration of the InfrastructureSpec type for use
 // with apply.
+//
+// InfrastructureSpec contains settings that apply to the cluster infrastructure.
 type InfrastructureSpecApplyConfiguration struct {
-	CloudConfig  *ConfigMapFileReferenceApplyConfiguration `json:"cloudConfig,omitempty"`
-	PlatformSpec *PlatformSpecApplyConfiguration           `json:"platformSpec,omitempty"`
+	// cloudConfig is a reference to a ConfigMap containing the cloud provider configuration file.
+	// This configuration file is used to configure the Kubernetes cloud provider integration
+	// when using the built-in cloud provider integration or the external cloud controller manager.
+	// The namespace for this config map is openshift-config.
+	//
+	// cloudConfig should only be consumed by the kube_cloud_config controller.
+	// The controller is responsible for using the user configuration in the spec
+	// for various platforms and combining that with the user provided ConfigMap in this field
+	// to create a stitched kube cloud config.
+	// The controller generates a ConfigMap `kube-cloud-config` in `openshift-config-managed` namespace
+	// with the kube cloud config is stored in `cloud.conf` key.
+	// All the clients are expected to use the generated ConfigMap only.
+	CloudConfig *ConfigMapFileReferenceApplyConfiguration `json:"cloudConfig,omitempty"`
+	// platformSpec holds desired information specific to the underlying
+	// infrastructure provider.
+	PlatformSpec *PlatformSpecApplyConfiguration `json:"platformSpec,omitempty"`
 }
 
 // InfrastructureSpecApplyConfiguration constructs a declarative configuration of the InfrastructureSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go
index 5b5d8288c2720..f5c63c6ae9e10 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go
@@ -8,16 +8,56 @@ import (
 
 // InfrastructureStatusApplyConfiguration represents a declarative configuration of the InfrastructureStatus type for use
 // with apply.
+//
+// InfrastructureStatus describes the infrastructure the cluster is leveraging.
 type InfrastructureStatusApplyConfiguration struct {
-	InfrastructureName     *string                           `json:"infrastructureName,omitempty"`
-	Platform               *configv1.PlatformType            `json:"platform,omitempty"`
-	PlatformStatus         *PlatformStatusApplyConfiguration `json:"platformStatus,omitempty"`
-	EtcdDiscoveryDomain    *string                           `json:"etcdDiscoveryDomain,omitempty"`
-	APIServerURL           *string                           `json:"apiServerURL,omitempty"`
-	APIServerInternalURL   *string                           `json:"apiServerInternalURI,omitempty"`
-	ControlPlaneTopology   *configv1.TopologyMode            `json:"controlPlaneTopology,omitempty"`
-	InfrastructureTopology *configv1.TopologyMode            `json:"infrastructureTopology,omitempty"`
-	CPUPartitioning        *configv1.CPUPartitioningMode     `json:"cpuPartitioning,omitempty"`
+	// infrastructureName uniquely identifies a cluster with a human friendly name.
+	// Once set it should not be changed. Must be of max length 27 and must have only
+	// alphanumeric or hyphen characters.
+	InfrastructureName *string `json:"infrastructureName,omitempty"`
+	// platform is the underlying infrastructure provider for the cluster.
+	//
+	// Deprecated: Use platformStatus.type instead.
+	Platform *configv1.PlatformType `json:"platform,omitempty"`
+	// platformStatus holds status information specific to the underlying
+	// infrastructure provider.
+	PlatformStatus *PlatformStatusApplyConfiguration `json:"platformStatus,omitempty"`
+	// etcdDiscoveryDomain is the domain used to fetch the SRV records for discovering
+	// etcd servers and clients.
+	// For more info: https://github.com/etcd-io/etcd/blob/329be66e8b3f9e2e6af83c123ff89297e49ebd15/Documentation/op-guide/clustering.md#dns-discovery
+	// deprecated: as of 4.7, this field is no longer set or honored.  It will be removed in a future release.
+	EtcdDiscoveryDomain *string `json:"etcdDiscoveryDomain,omitempty"`
+	// apiServerURL is a valid URI with scheme 'https', address and
+	// optionally a port (defaulting to 443).  apiServerURL can be used by components like the web console
+	// to tell users where to find the Kubernetes API.
+	APIServerURL *string `json:"apiServerURL,omitempty"`
+	// apiServerInternalURL is a valid URI with scheme 'https',
+	// address and optionally a port (defaulting to 443).  apiServerInternalURL can be used by components
+	// like kubelets, to contact the Kubernetes API server using the
+	// infrastructure provider rather than Kubernetes networking.
+	APIServerInternalURL *string `json:"apiServerInternalURI,omitempty"`
+	// controlPlaneTopology expresses the expectations for operands that normally run on control nodes.
+	// The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster.
+	// The 'SingleReplica' mode will be used in single-node deployments
+	// and the operators should not configure the operand for highly-available operation
+	// The 'External' mode indicates that the control plane is hosted externally to the cluster and that
+	// its components are not visible within the cluster.
+	ControlPlaneTopology *configv1.TopologyMode `json:"controlPlaneTopology,omitempty"`
+	// infrastructureTopology expresses the expectations for infrastructure services that do not run on control
+	// plane nodes, usually indicated by a node selector for a `role` value
+	// other than `master`.
+	// The default is 'HighlyAvailable', which represents the behavior operators have in a "normal" cluster.
+	// The 'SingleReplica' mode will be used in single-node deployments
+	// and the operators should not configure the operand for highly-available operation
+	// NOTE: External topology mode is not applicable for this field.
+	InfrastructureTopology *configv1.TopologyMode `json:"infrastructureTopology,omitempty"`
+	// cpuPartitioning expresses if CPU partitioning is a currently enabled feature in the cluster.
+	// CPU Partitioning means that this cluster can support partitioning workloads to specific CPU Sets.
+	// Valid values are "None" and "AllNodes". When omitted, the default value is "None".
+	// The default value of "None" indicates that no nodes will be setup with CPU partitioning.
+	// The "AllNodes" value indicates that all nodes have been setup with CPU partitioning,
+	// and can then be further configured via the PerformanceProfile API.
+	CPUPartitioning *configv1.CPUPartitioningMode `json:"cpuPartitioning,omitempty"`
 }
 
 // InfrastructureStatusApplyConfiguration constructs a declarative configuration of the InfrastructureStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingress.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingress.go
index b1680f352a5d2..af5121aa3c782 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingress.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingress.go
@@ -13,11 +13,20 @@ import (
 
 // IngressApplyConfiguration represents a declarative configuration of the Ingress type for use
 // with apply.
+//
+// Ingress holds cluster-wide information about ingress, including the default ingress domain
+// used for routes. The canonical name is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type IngressApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *IngressSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *IngressStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *IngressSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *IngressStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Ingress constructs a declarative configuration of the Ingress type for use with
@@ -30,6 +39,26 @@ func Ingress(name string) *IngressApplyConfiguration {
 	return b
 }
 
+// ExtractIngressFrom extracts the applied configuration owned by fieldManager from
+// ingress for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// ingress must be a unmodified Ingress API object that was retrieved from the Kubernetes API.
+// ExtractIngressFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIngressFrom(ingress *configv1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
+	b := &IngressApplyConfiguration{}
+	err := managedfields.ExtractInto(ingress, internal.Parser().Type("com.github.openshift.api.config.v1.Ingress"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(ingress.Name)
+
+	b.WithKind("Ingress")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractIngress extracts the applied configuration owned by fieldManager from
 // ingress. If no managedFields are found in ingress for fieldManager, a
 // IngressApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func Ingress(name string) *IngressApplyConfiguration {
 // ExtractIngress provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractIngress(ingress *configv1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "")
+	return ExtractIngressFrom(ingress, fieldManager, "")
 }
 
-// ExtractIngressStatus is the same as ExtractIngress except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractIngressStatus extracts the applied configuration owned by fieldManager from
+// ingress for the status subresource.
 func ExtractIngressStatus(ingress *configv1.Ingress, fieldManager string) (*IngressApplyConfiguration, error) {
-	return extractIngress(ingress, fieldManager, "status")
+	return ExtractIngressFrom(ingress, fieldManager, "status")
 }
 
-func extractIngress(ingress *configv1.Ingress, fieldManager string, subresource string) (*IngressApplyConfiguration, error) {
-	b := &IngressApplyConfiguration{}
-	err := managedfields.ExtractInto(ingress, internal.Parser().Type("com.github.openshift.api.config.v1.Ingress"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(ingress.Name)
-
-	b.WithKind("Ingress")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b IngressApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressplatformspec.go
index ed5c265315ba2..7d42ec243e6d3 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressplatformspec.go
@@ -8,9 +8,19 @@ import (
 
 // IngressPlatformSpecApplyConfiguration represents a declarative configuration of the IngressPlatformSpec type for use
 // with apply.
+//
+// IngressPlatformSpec holds the desired state of Ingress specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at spec-level for the underlying cluster, it
+// is supposed that only one of the spec structs is set.
 type IngressPlatformSpecApplyConfiguration struct {
-	Type *configv1.PlatformType            `json:"type,omitempty"`
-	AWS  *AWSIngressSpecApplyConfiguration `json:"aws,omitempty"`
+	// type is the underlying infrastructure provider for the cluster.
+	// Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS",
+	// "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms,
+	// and must handle unrecognized platforms as None if they do not support that platform.
+	Type *configv1.PlatformType `json:"type,omitempty"`
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	AWS *AWSIngressSpecApplyConfiguration `json:"aws,omitempty"`
 }
 
 // IngressPlatformSpecApplyConfiguration constructs a declarative configuration of the IngressPlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressspec.go
index a9b09512caa5f..ed804bd000db8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressspec.go
@@ -5,11 +5,58 @@ package v1
 // IngressSpecApplyConfiguration represents a declarative configuration of the IngressSpec type for use
 // with apply.
 type IngressSpecApplyConfiguration struct {
-	Domain               *string                                `json:"domain,omitempty"`
-	AppsDomain           *string                                `json:"appsDomain,omitempty"`
-	ComponentRoutes      []ComponentRouteSpecApplyConfiguration `json:"componentRoutes,omitempty"`
+	// domain is used to generate a default host name for a route when the
+	// route's host name is empty. The generated host name will follow this
+	// pattern: "<route-name>.<route-namespace>.<domain>".
+	//
+	// It is also used as the default wildcard domain suffix for ingress. The
+	// default ingresscontroller domain will follow this pattern: "*.<domain>".
+	//
+	// Once set, changing domain is not currently supported.
+	Domain *string `json:"domain,omitempty"`
+	// appsDomain is an optional domain to use instead of the one specified
+	// in the domain field when a Route is created without specifying an explicit
+	// host. If appsDomain is nonempty, this value is used to generate default
+	// host values for Route. Unlike domain, appsDomain may be modified after
+	// installation.
+	// This assumes a new ingresscontroller has been setup with a wildcard
+	// certificate.
+	AppsDomain *string `json:"appsDomain,omitempty"`
+	// componentRoutes is an optional list of routes that are managed by OpenShift components
+	// that a cluster-admin is able to configure the hostname and serving certificate for.
+	// The namespace and name of each route in this list should match an existing entry in the
+	// status.componentRoutes list.
+	//
+	// To determine the set of configurable Routes, look at namespace and name of entries in the
+	// .status.componentRoutes list, where participating operators write the status of
+	// configurable routes.
+	ComponentRoutes []ComponentRouteSpecApplyConfiguration `json:"componentRoutes,omitempty"`
+	// requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created  or updated routes
+	// matching the domainPattern/s and namespaceSelector/s that are specified in the policy.
+	// Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route
+	// annotation, and affect route admission.
+	//
+	// A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation:
+	// "haproxy.router.openshift.io/hsts_header"
+	// E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains
+	//
+	// - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector,
+	// then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted.  Otherwise, the route
+	// is rejected.
+	// - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies
+	// determines the route's admission status.
+	// - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector,
+	// then it may use any HSTS Policy annotation.
+	//
+	// The HSTS policy configuration may be changed after routes have already been created. An update to a previously
+	// admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration.
+	// However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working.
+	//
+	// Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid.
 	RequiredHSTSPolicies []RequiredHSTSPolicyApplyConfiguration `json:"requiredHSTSPolicies,omitempty"`
-	LoadBalancer         *LoadBalancerApplyConfiguration        `json:"loadBalancer,omitempty"`
+	// loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure
+	// provider of the current cluster and are required for Ingress Controller to work on OpenShift.
+	LoadBalancer *LoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
 }
 
 // IngressSpecApplyConfiguration constructs a declarative configuration of the IngressSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressstatus.go
index 792bcd75519bc..f9bf00a41cda1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressstatus.go
@@ -9,8 +9,22 @@ import (
 // IngressStatusApplyConfiguration represents a declarative configuration of the IngressStatus type for use
 // with apply.
 type IngressStatusApplyConfiguration struct {
-	ComponentRoutes  []ComponentRouteStatusApplyConfiguration `json:"componentRoutes,omitempty"`
-	DefaultPlacement *configv1.DefaultPlacement               `json:"defaultPlacement,omitempty"`
+	// componentRoutes is where participating operators place the current route status for routes whose
+	// hostnames and serving certificates can be customized by the cluster-admin.
+	ComponentRoutes []ComponentRouteStatusApplyConfiguration `json:"componentRoutes,omitempty"`
+	// defaultPlacement is set at installation time to control which
+	// nodes will host the ingress router pods by default. The options are
+	// control-plane nodes or worker nodes.
+	//
+	// This field works by dictating how the Cluster Ingress Operator will
+	// consider unset replicas and nodePlacement fields in IngressController
+	// resources when creating the corresponding Deployments.
+	//
+	// See the documentation for the IngressController replicas and nodePlacement
+	// fields for more information.
+	//
+	// When omitted, the default value is Workers
+	DefaultPlacement *configv1.DefaultPlacement `json:"defaultPlacement,omitempty"`
 }
 
 // IngressStatusApplyConfiguration constructs a declarative configuration of the IngressStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go
new file mode 100644
index 0000000000000..4ad9a53edfb76
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go
@@ -0,0 +1,261 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+	internal "github.com/openshift/client-go/config/applyconfigurations/internal"
+	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use
+// with apply.
+//
+// InsightsDataGather provides data gather configuration options for the Insights Operator.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+type InsightsDataGatherApplyConfiguration struct {
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with
+// apply.
+func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration {
+	b := &InsightsDataGatherApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("InsightsDataGather")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b
+}
+
+// ExtractInsightsDataGatherFrom extracts the applied configuration owned by fieldManager from
+// insightsDataGather for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API.
+// ExtractInsightsDataGatherFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractInsightsDataGatherFrom(insightsDataGather *configv1.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) {
+	b := &InsightsDataGatherApplyConfiguration{}
+	err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1.InsightsDataGather"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(insightsDataGather.Name)
+
+	b.WithKind("InsightsDataGather")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
+// ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from
+// insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a
+// InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API.
+// ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractInsightsDataGather(insightsDataGather *configv1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) {
+	return ExtractInsightsDataGatherFrom(insightsDataGather, fieldManager, "")
+}
+
+func (b InsightsDataGatherApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithKind(value string) *InsightsDataGatherApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithAPIVersion(value string) *InsightsDataGatherApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithName(value string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithGenerateName(value string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithNamespace(value string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithUID(value types.UID) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithResourceVersion(value string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithGeneration(value int64) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *InsightsDataGatherApplyConfiguration) WithLabels(entries map[string]string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *InsightsDataGatherApplyConfiguration) WithAnnotations(entries map[string]string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *InsightsDataGatherApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *InsightsDataGatherApplyConfiguration) WithFinalizers(values ...string) *InsightsDataGatherApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *InsightsDataGatherApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *InsightsDataGatherApplyConfiguration) WithSpec(value *InsightsDataGatherSpecApplyConfiguration) *InsightsDataGatherApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *InsightsDataGatherApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *InsightsDataGatherApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *InsightsDataGatherApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *InsightsDataGatherApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go
new file mode 100644
index 0000000000000..0d3bc710a0cce
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go
@@ -0,0 +1,26 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use
+// with apply.
+//
+// InsightsDataGatherSpec contains the configuration for the data gathering.
+type InsightsDataGatherSpecApplyConfiguration struct {
+	// gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
+	GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"`
+}
+
+// InsightsDataGatherSpecApplyConfiguration constructs a declarative configuration of the InsightsDataGatherSpec type for use with
+// apply.
+func InsightsDataGatherSpec() *InsightsDataGatherSpecApplyConfiguration {
+	return &InsightsDataGatherSpecApplyConfiguration{}
+}
+
+// WithGatherConfig sets the GatherConfig field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GatherConfig field is set to the value of the last call.
+func (b *InsightsDataGatherSpecApplyConfiguration) WithGatherConfig(value *GatherConfigApplyConfiguration) *InsightsDataGatherSpecApplyConfiguration {
+	b.GatherConfig = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/keystoneidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/keystoneidentityprovider.go
index abbb9ef152be1..a1c62e0e102d3 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/keystoneidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/keystoneidentityprovider.go
@@ -4,9 +4,13 @@ package v1
 
 // KeystoneIdentityProviderApplyConfiguration represents a declarative configuration of the KeystoneIdentityProvider type for use
 // with apply.
+//
+// KeystonePasswordIdentityProvider provides identities for users authenticating using keystone password credentials
 type KeystoneIdentityProviderApplyConfiguration struct {
+	// OAuthRemoteConnectionInfo contains information about how to connect to the keystone server
 	OAuthRemoteConnectionInfoApplyConfiguration `json:",inline"`
-	DomainName                                  *string `json:"domainName,omitempty"`
+	// domainName is required for keystone v3
+	DomainName *string `json:"domainName,omitempty"`
 }
 
 // KeystoneIdentityProviderApplyConfiguration constructs a declarative configuration of the KeystoneIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go
index 564619f418556..3590aae2411dc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go
@@ -8,9 +8,17 @@ import (
 
 // KMSConfigApplyConfiguration represents a declarative configuration of the KMSConfig type for use
 // with apply.
+//
+// KMSConfig defines the configuration for the KMS instance
+// that will be used with KMSEncryptionProvider encryption
 type KMSConfigApplyConfiguration struct {
-	Type *configv1.KMSProviderType       `json:"type,omitempty"`
-	AWS  *AWSKMSConfigApplyConfiguration `json:"aws,omitempty"`
+	// type defines the kind of platform for the KMS provider.
+	// Available provider types are AWS only.
+	Type *configv1.KMSProviderType `json:"type,omitempty"`
+	// aws defines the key config for using an AWS KMS instance
+	// for the encryption. The AWS KMS instance is managed
+	// by the user outside the purview of the control plane.
+	AWS *AWSKMSConfigApplyConfiguration `json:"aws,omitempty"`
 }
 
 // KMSConfigApplyConfiguration constructs a declarative configuration of the KMSConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kubevirtplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kubevirtplatformstatus.go
index 3d136c53b2c01..ca4614297e83f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kubevirtplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kubevirtplatformstatus.go
@@ -4,9 +4,17 @@ package v1
 
 // KubevirtPlatformStatusApplyConfiguration represents a declarative configuration of the KubevirtPlatformStatus type for use
 // with apply.
+//
+// KubevirtPlatformStatus holds the current status of the kubevirt infrastructure provider.
 type KubevirtPlatformStatusApplyConfiguration struct {
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
 	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
-	IngressIP           *string `json:"ingressIP,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	IngressIP *string `json:"ingressIP,omitempty"`
 }
 
 // KubevirtPlatformStatusApplyConfiguration constructs a declarative configuration of the KubevirtPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapattributemapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapattributemapping.go
index b618065cea58c..29c14570ec66e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapattributemapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapattributemapping.go
@@ -4,11 +4,24 @@ package v1
 
 // LDAPAttributeMappingApplyConfiguration represents a declarative configuration of the LDAPAttributeMapping type for use
 // with apply.
+//
+// LDAPAttributeMapping maps LDAP attributes to OpenShift identity fields
 type LDAPAttributeMappingApplyConfiguration struct {
-	ID                []string `json:"id,omitempty"`
+	// id is the list of attributes whose values should be used as the user ID. Required.
+	// First non-empty attribute is used. At least one attribute is required. If none of the listed
+	// attribute have a value, authentication fails.
+	// LDAP standard identity attribute is "dn"
+	ID []string `json:"id,omitempty"`
+	// preferredUsername is the list of attributes whose values should be used as the preferred username.
+	// LDAP standard login attribute is "uid"
 	PreferredUsername []string `json:"preferredUsername,omitempty"`
-	Name              []string `json:"name,omitempty"`
-	Email             []string `json:"email,omitempty"`
+	// name is the list of attributes whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	// LDAP standard display name attribute is "cn"
+	Name []string `json:"name,omitempty"`
+	// email is the list of attributes whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	Email []string `json:"email,omitempty"`
 }
 
 // LDAPAttributeMappingApplyConfiguration constructs a declarative configuration of the LDAPAttributeMapping type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapidentityprovider.go
index 90bdfe34c21e4..cd45699e74d61 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapidentityprovider.go
@@ -4,13 +4,37 @@ package v1
 
 // LDAPIdentityProviderApplyConfiguration represents a declarative configuration of the LDAPIdentityProvider type for use
 // with apply.
+//
+// LDAPPasswordIdentityProvider provides identities for users authenticating using LDAP credentials
 type LDAPIdentityProviderApplyConfiguration struct {
-	URL          *string                                   `json:"url,omitempty"`
-	BindDN       *string                                   `json:"bindDN,omitempty"`
-	BindPassword *SecretNameReferenceApplyConfiguration    `json:"bindPassword,omitempty"`
-	Insecure     *bool                                     `json:"insecure,omitempty"`
-	CA           *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
-	Attributes   *LDAPAttributeMappingApplyConfiguration   `json:"attributes,omitempty"`
+	// url is an RFC 2255 URL which specifies the LDAP search parameters to use.
+	// The syntax of the URL is:
+	// ldap://host:port/basedn?attribute?scope?filter
+	URL *string `json:"url,omitempty"`
+	// bindDN is an optional DN to bind with during the search phase.
+	BindDN *string `json:"bindDN,omitempty"`
+	// bindPassword is an optional reference to a secret by name
+	// containing a password to bind with during the search phase.
+	// The key "bindPassword" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	BindPassword *SecretNameReferenceApplyConfiguration `json:"bindPassword,omitempty"`
+	// insecure, if true, indicates the connection should not use TLS
+	// WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always
+	// attempt to connect using TLS, even when `insecure` is set to `true`
+	// When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to
+	// a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830.
+	Insecure *bool `json:"insecure,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// attributes maps LDAP attributes to identities
+	Attributes *LDAPAttributeMappingApplyConfiguration `json:"attributes,omitempty"`
 }
 
 // LDAPIdentityProviderApplyConfiguration constructs a declarative configuration of the LDAPIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/loadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/loadbalancer.go
index 0dfc67c8f36fb..0607773875280 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/loadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/loadbalancer.go
@@ -5,6 +5,10 @@ package v1
 // LoadBalancerApplyConfiguration represents a declarative configuration of the LoadBalancer type for use
 // with apply.
 type LoadBalancerApplyConfiguration struct {
+	// platform holds configuration specific to the underlying
+	// infrastructure provider for the ingress load balancers.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
 	Platform *IngressPlatformSpecApplyConfiguration `json:"platform,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/maxagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/maxagepolicy.go
index faa8e1dd565b6..027b5d38dd9b0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/maxagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/maxagepolicy.go
@@ -4,8 +4,16 @@ package v1
 
 // MaxAgePolicyApplyConfiguration represents a declarative configuration of the MaxAgePolicy type for use
 // with apply.
+//
+// MaxAgePolicy contains a numeric range for specifying a compliant HSTS max-age for the enclosing RequiredHSTSPolicy
 type MaxAgePolicyApplyConfiguration struct {
-	LargestMaxAge  *int32 `json:"largestMaxAge,omitempty"`
+	// The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age
+	// This value can be left unspecified, in which case no upper limit is enforced.
+	LargestMaxAge *int32 `json:"largestMaxAge,omitempty"`
+	// The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age
+	// Setting max-age=0 allows the deletion of an existing HSTS header from a host.  This is a necessary
+	// tool for administrators to quickly correct mistakes.
+	// This value can be left unspecified, in which case no lower limit is enforced.
 	SmallestMaxAge *int32 `json:"smallestMaxAge,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigration.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigration.go
index 9db99100ee847..fc3229da674aa 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigration.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigration.go
@@ -4,8 +4,12 @@ package v1
 
 // MTUMigrationApplyConfiguration represents a declarative configuration of the MTUMigration type for use
 // with apply.
+//
+// MTUMigration contains infomation about MTU migration.
 type MTUMigrationApplyConfiguration struct {
+	// network contains MTU migration configuration for the default network.
 	Network *MTUMigrationValuesApplyConfiguration `json:"network,omitempty"`
+	// machine contains MTU migration configuration for the machine's uplink.
 	Machine *MTUMigrationValuesApplyConfiguration `json:"machine,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigrationvalues.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigrationvalues.go
index 8d346f25f4967..f9c51c216b7ff 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigrationvalues.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigrationvalues.go
@@ -4,8 +4,12 @@ package v1
 
 // MTUMigrationValuesApplyConfiguration represents a declarative configuration of the MTUMigrationValues type for use
 // with apply.
+//
+// MTUMigrationValues contains the values for a MTU migration.
 type MTUMigrationValuesApplyConfiguration struct {
-	To   *uint32 `json:"to,omitempty"`
+	// to is the MTU to migrate to.
+	To *uint32 `json:"to,omitempty"`
+	// from is the MTU to migrate from.
 	From *uint32 `json:"from,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/network.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/network.go
index 3502e69546fd2..4394aa2e54373 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/network.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/network.go
@@ -13,11 +13,23 @@ import (
 
 // NetworkApplyConfiguration represents a declarative configuration of the Network type for use
 // with apply.
+//
+// Network holds cluster-wide information about Network. The canonical name is `cluster`. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc.
+// Please view network.spec for an explanation on what applies when configuring this resource.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type NetworkApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *NetworkSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *NetworkStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration.
+	// As a general rule, this SHOULD NOT be read directly. Instead, you should
+	// consume the NetworkStatus, as it indicates the currently deployed configuration.
+	// Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
+	Spec *NetworkSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *NetworkStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Network constructs a declarative configuration of the Network type for use with
@@ -30,6 +42,26 @@ func Network(name string) *NetworkApplyConfiguration {
 	return b
 }
 
+// ExtractNetworkFrom extracts the applied configuration owned by fieldManager from
+// network for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// network must be a unmodified Network API object that was retrieved from the Kubernetes API.
+// ExtractNetworkFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNetworkFrom(network *configv1.Network, fieldManager string, subresource string) (*NetworkApplyConfiguration, error) {
+	b := &NetworkApplyConfiguration{}
+	err := managedfields.ExtractInto(network, internal.Parser().Type("com.github.openshift.api.config.v1.Network"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(network.Name)
+
+	b.WithKind("Network")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractNetwork extracts the applied configuration owned by fieldManager from
 // network. If no managedFields are found in network for fieldManager, a
 // NetworkApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +72,16 @@ func Network(name string) *NetworkApplyConfiguration {
 // ExtractNetwork provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractNetwork(network *configv1.Network, fieldManager string) (*NetworkApplyConfiguration, error) {
-	return extractNetwork(network, fieldManager, "")
+	return ExtractNetworkFrom(network, fieldManager, "")
 }
 
-// ExtractNetworkStatus is the same as ExtractNetwork except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractNetworkStatus extracts the applied configuration owned by fieldManager from
+// network for the status subresource.
 func ExtractNetworkStatus(network *configv1.Network, fieldManager string) (*NetworkApplyConfiguration, error) {
-	return extractNetwork(network, fieldManager, "status")
+	return ExtractNetworkFrom(network, fieldManager, "status")
 }
 
-func extractNetwork(network *configv1.Network, fieldManager string, subresource string) (*NetworkApplyConfiguration, error) {
-	b := &NetworkApplyConfiguration{}
-	err := managedfields.ExtractInto(network, internal.Parser().Type("com.github.openshift.api.config.v1.Network"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(network.Name)
-
-	b.WithKind("Network")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b NetworkApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnostics.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnostics.go
index a2624dc5bccb8..3e8db03d52a29 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnostics.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnostics.go
@@ -8,9 +8,22 @@ import (
 
 // NetworkDiagnosticsApplyConfiguration represents a declarative configuration of the NetworkDiagnostics type for use
 // with apply.
+//
+// NetworkDiagnostics defines network diagnostics configuration
 type NetworkDiagnosticsApplyConfiguration struct {
-	Mode            *configv1.NetworkDiagnosticsMode                     `json:"mode,omitempty"`
+	// mode controls the network diagnostics mode
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is All.
+	Mode *configv1.NetworkDiagnosticsMode `json:"mode,omitempty"`
+	// sourcePlacement controls the scheduling of network diagnostics source deployment
+	//
+	// See NetworkDiagnosticsSourcePlacement for more details about default values.
 	SourcePlacement *NetworkDiagnosticsSourcePlacementApplyConfiguration `json:"sourcePlacement,omitempty"`
+	// targetPlacement controls the scheduling of network diagnostics target daemonset
+	//
+	// See NetworkDiagnosticsTargetPlacement for more details about default values.
 	TargetPlacement *NetworkDiagnosticsTargetPlacementApplyConfiguration `json:"targetPlacement,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticssourceplacement.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticssourceplacement.go
index a1960ba9fe7f7..9b21cd5e7049d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticssourceplacement.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticssourceplacement.go
@@ -8,9 +8,21 @@ import (
 
 // NetworkDiagnosticsSourcePlacementApplyConfiguration represents a declarative configuration of the NetworkDiagnosticsSourcePlacement type for use
 // with apply.
+//
+// NetworkDiagnosticsSourcePlacement defines node scheduling configuration network diagnostics source components
 type NetworkDiagnosticsSourcePlacementApplyConfiguration struct {
-	NodeSelector map[string]string   `json:"nodeSelector,omitempty"`
-	Tolerations  []corev1.Toleration `json:"tolerations,omitempty"`
+	// nodeSelector is the node selector applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `kubernetes.io/os: linux`.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations is a list of tolerations applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is an empty list.
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // NetworkDiagnosticsSourcePlacementApplyConfiguration constructs a declarative configuration of the NetworkDiagnosticsSourcePlacement type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticstargetplacement.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticstargetplacement.go
index ba0dbab8a0f34..f6bd8fb82beb1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticstargetplacement.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticstargetplacement.go
@@ -8,9 +8,21 @@ import (
 
 // NetworkDiagnosticsTargetPlacementApplyConfiguration represents a declarative configuration of the NetworkDiagnosticsTargetPlacement type for use
 // with apply.
+//
+// NetworkDiagnosticsTargetPlacement defines node scheduling configuration network diagnostics target components
 type NetworkDiagnosticsTargetPlacementApplyConfiguration struct {
-	NodeSelector map[string]string   `json:"nodeSelector,omitempty"`
-	Tolerations  []corev1.Toleration `json:"tolerations,omitempty"`
+	// nodeSelector is the node selector applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `kubernetes.io/os: linux`.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations is a list of tolerations applied to network diagnostics components
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `- operator: "Exists"` which means that all taints are tolerated.
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // NetworkDiagnosticsTargetPlacementApplyConfiguration constructs a declarative configuration of the NetworkDiagnosticsTargetPlacement type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkmigration.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkmigration.go
index 9c829474626d3..d6fffb5970ce8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkmigration.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkmigration.go
@@ -4,9 +4,15 @@ package v1
 
 // NetworkMigrationApplyConfiguration represents a declarative configuration of the NetworkMigration type for use
 // with apply.
+//
+// NetworkMigration represents the network migration status.
 type NetworkMigrationApplyConfiguration struct {
-	NetworkType *string                         `json:"networkType,omitempty"`
-	MTU         *MTUMigrationApplyConfiguration `json:"mtu,omitempty"`
+	// networkType is the target plugin that is being deployed.
+	// DEPRECATED: network type migration is no longer supported,
+	// so this should always be unset.
+	NetworkType *string `json:"networkType,omitempty"`
+	// mtu is the MTU configuration that is being deployed.
+	MTU *MTUMigrationApplyConfiguration `json:"mtu,omitempty"`
 }
 
 // NetworkMigrationApplyConfiguration constructs a declarative configuration of the NetworkMigration type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go
index d4e970e34f707..4a3f9b7b892d8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go
@@ -4,13 +4,44 @@ package v1
 
 // NetworkSpecApplyConfiguration represents a declarative configuration of the NetworkSpec type for use
 // with apply.
+//
+// NetworkSpec is the desired network configuration.
+// As a general rule, this SHOULD NOT be read directly. Instead, you should
+// consume the NetworkStatus, as it indicates the currently deployed configuration.
+// Currently, most spec fields are immutable after installation. Please view the individual ones for further details on each.
 type NetworkSpecApplyConfiguration struct {
-	ClusterNetwork       []ClusterNetworkEntryApplyConfiguration `json:"clusterNetwork,omitempty"`
-	ServiceNetwork       []string                                `json:"serviceNetwork,omitempty"`
-	NetworkType          *string                                 `json:"networkType,omitempty"`
-	ExternalIP           *ExternalIPConfigApplyConfiguration     `json:"externalIP,omitempty"`
-	ServiceNodePortRange *string                                 `json:"serviceNodePortRange,omitempty"`
-	NetworkDiagnostics   *NetworkDiagnosticsApplyConfiguration   `json:"networkDiagnostics,omitempty"`
+	// IP address pool to use for pod IPs.
+	// This field is immutable after installation.
+	ClusterNetwork []ClusterNetworkEntryApplyConfiguration `json:"clusterNetwork,omitempty"`
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	// This field is immutable after installation.
+	ServiceNetwork []string `json:"serviceNetwork,omitempty"`
+	// networkType is the plugin that is to be deployed (e.g. OVNKubernetes).
+	// This should match a value that the cluster-network-operator understands,
+	// or else no networking will be installed.
+	// Currently supported values are:
+	// - OVNKubernetes
+	// This field is immutable after installation.
+	NetworkType *string `json:"networkType,omitempty"`
+	// externalIP defines configuration for controllers that
+	// affect Service.ExternalIP. If nil, then ExternalIP is
+	// not allowed to be set.
+	ExternalIP *ExternalIPConfigApplyConfiguration `json:"externalIP,omitempty"`
+	// The port range allowed for Services of type NodePort.
+	// If not specified, the default of 30000-32767 will be used.
+	// Such Services without a NodePort specified will have one
+	// automatically allocated from this range.
+	// This parameter can be updated after the cluster is
+	// installed.
+	ServiceNodePortRange *string `json:"serviceNodePortRange,omitempty"`
+	// networkDiagnostics defines network diagnostics configuration.
+	//
+	// Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io.
+	// If networkDiagnostics is not specified or is empty,
+	// and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true,
+	// the network diagnostics feature will be disabled.
+	NetworkDiagnostics *NetworkDiagnosticsApplyConfiguration `json:"networkDiagnostics,omitempty"`
 }
 
 // NetworkSpecApplyConfiguration constructs a declarative configuration of the NetworkSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go
index de3697ed71a84..43a1533c15a5b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go
@@ -8,13 +8,23 @@ import (
 
 // NetworkStatusApplyConfiguration represents a declarative configuration of the NetworkStatus type for use
 // with apply.
+//
+// NetworkStatus is the current network configuration.
 type NetworkStatusApplyConfiguration struct {
-	ClusterNetwork    []ClusterNetworkEntryApplyConfiguration `json:"clusterNetwork,omitempty"`
-	ServiceNetwork    []string                                `json:"serviceNetwork,omitempty"`
-	NetworkType       *string                                 `json:"networkType,omitempty"`
-	ClusterNetworkMTU *int                                    `json:"clusterNetworkMTU,omitempty"`
-	Migration         *NetworkMigrationApplyConfiguration     `json:"migration,omitempty"`
-	Conditions        []metav1.ConditionApplyConfiguration    `json:"conditions,omitempty"`
+	// IP address pool to use for pod IPs.
+	ClusterNetwork []ClusterNetworkEntryApplyConfiguration `json:"clusterNetwork,omitempty"`
+	// IP address pool for services.
+	// Currently, we only support a single entry here.
+	ServiceNetwork []string `json:"serviceNetwork,omitempty"`
+	// networkType is the plugin that is deployed (e.g. OVNKubernetes).
+	NetworkType *string `json:"networkType,omitempty"`
+	// clusterNetworkMTU is the MTU for inter-pod networking.
+	ClusterNetworkMTU *int `json:"clusterNetworkMTU,omitempty"`
+	// migration contains the cluster network migration configuration.
+	Migration *NetworkMigrationApplyConfiguration `json:"migration,omitempty"`
+	// conditions represents the observations of a network.config current state.
+	// Known .status.conditions.type are: "NetworkDiagnosticsAvailable"
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // NetworkStatusApplyConfiguration constructs a declarative configuration of the NetworkStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/node.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/node.go
index c663572296670..973b721a01c59 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/node.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/node.go
@@ -13,11 +13,19 @@ import (
 
 // NodeApplyConfiguration represents a declarative configuration of the Node type for use
 // with apply.
+//
+// Node holds cluster-wide information about node specific features.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type NodeApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *NodeSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *NodeStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *NodeSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values.
+	Status *NodeStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Node constructs a declarative configuration of the Node type for use with
@@ -30,6 +38,26 @@ func Node(name string) *NodeApplyConfiguration {
 	return b
 }
 
+// ExtractNodeFrom extracts the applied configuration owned by fieldManager from
+// node for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// node must be a unmodified Node API object that was retrieved from the Kubernetes API.
+// ExtractNodeFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNodeFrom(node *configv1.Node, fieldManager string, subresource string) (*NodeApplyConfiguration, error) {
+	b := &NodeApplyConfiguration{}
+	err := managedfields.ExtractInto(node, internal.Parser().Type("com.github.openshift.api.config.v1.Node"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(node.Name)
+
+	b.WithKind("Node")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractNode extracts the applied configuration owned by fieldManager from
 // node. If no managedFields are found in node for fieldManager, a
 // NodeApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func Node(name string) *NodeApplyConfiguration {
 // ExtractNode provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractNode(node *configv1.Node, fieldManager string) (*NodeApplyConfiguration, error) {
-	return extractNode(node, fieldManager, "")
+	return ExtractNodeFrom(node, fieldManager, "")
 }
 
-// ExtractNodeStatus is the same as ExtractNode except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractNodeStatus extracts the applied configuration owned by fieldManager from
+// node for the status subresource.
 func ExtractNodeStatus(node *configv1.Node, fieldManager string) (*NodeApplyConfiguration, error) {
-	return extractNode(node, fieldManager, "status")
+	return ExtractNodeFrom(node, fieldManager, "status")
 }
 
-func extractNode(node *configv1.Node, fieldManager string, subresource string) (*NodeApplyConfiguration, error) {
-	b := &NodeApplyConfiguration{}
-	err := managedfields.ExtractInto(node, internal.Parser().Type("com.github.openshift.api.config.v1.Node"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(node.Name)
-
-	b.WithKind("Node")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b NodeApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodespec.go
index a0732e78a398d..33b70402d0851 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodespec.go
@@ -9,9 +9,25 @@ import (
 // NodeSpecApplyConfiguration represents a declarative configuration of the NodeSpec type for use
 // with apply.
 type NodeSpecApplyConfiguration struct {
-	CgroupMode            *configv1.CgroupMode               `json:"cgroupMode,omitempty"`
-	WorkerLatencyProfile  *configv1.WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"`
-	MinimumKubeletVersion *string                            `json:"minimumKubeletVersion,omitempty"`
+	// cgroupMode determines the cgroups version on the node
+	CgroupMode *configv1.CgroupMode `json:"cgroupMode,omitempty"`
+	// workerLatencyProfile determins the how fast the kubelet is updating
+	// the status and corresponding reaction of the cluster
+	WorkerLatencyProfile *configv1.WorkerLatencyProfileType `json:"workerLatencyProfile,omitempty"`
+	// minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
+	// Specifically, the apiserver will deny most authorization requests of kubelets that are older
+	// than the specified version, only allowing the kubelet to get and update its node object, and perform
+	// subjectaccessreviews.
+	// This means any kubelet that attempts to join the cluster will not be able to run any assigned workloads,
+	// and will eventually be marked as not ready.
+	// Its max length is 8, so maximum version allowed is either "9.999.99" or "99.99.99".
+	// Since the kubelet reports the version of the kubernetes release, not Openshift, this field references
+	// the underlying kubernetes version this version of Openshift is based off of.
+	// In other words: if an admin wishes to ensure no nodes run an older version than Openshift 4.17, then
+	// they should set the minimumKubeletVersion to 1.30.0.
+	// When comparing versions, the kubelet's version is stripped of any contents outside of major.minor.patch version.
+	// Thus, a kubelet with version "1.0.0-ec.0" will be compatible with minimumKubeletVersion "1.0.0" or earlier.
+	MinimumKubeletVersion *string `json:"minimumKubeletVersion,omitempty"`
 }
 
 // NodeSpecApplyConfiguration constructs a declarative configuration of the NodeSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodestatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodestatus.go
index ee6ebd99ee60f..009495ca5dcef 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodestatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodestatus.go
@@ -9,6 +9,7 @@ import (
 // NodeStatusApplyConfiguration represents a declarative configuration of the NodeStatus type for use
 // with apply.
 type NodeStatusApplyConfiguration struct {
+	// conditions contain the details and the current state of the nodes.config object
 	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixfailuredomain.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixfailuredomain.go
index 31d77a83e2e1a..98f175f5538dc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixfailuredomain.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixfailuredomain.go
@@ -4,9 +4,23 @@ package v1
 
 // NutanixFailureDomainApplyConfiguration represents a declarative configuration of the NutanixFailureDomain type for use
 // with apply.
+//
+// NutanixFailureDomain configures failure domain information for the Nutanix platform.
 type NutanixFailureDomainApplyConfiguration struct {
-	Name    *string                                       `json:"name,omitempty"`
-	Cluster *NutanixResourceIdentifierApplyConfiguration  `json:"cluster,omitempty"`
+	// name defines the unique name of a failure domain.
+	// Name is required and must be at most 64 characters in length.
+	// It must consist of only lower case alphanumeric characters and hyphens (-).
+	// It must start and end with an alphanumeric character.
+	// This value is arbitrary and is used to identify the failure domain within the platform.
+	Name *string `json:"name,omitempty"`
+	// cluster is to identify the cluster (the Prism Element under management of the Prism Central),
+	// in which the Machine's VM will be created. The cluster identifier (uuid or name) can be obtained
+	// from the Prism Central console or using the prism_central API.
+	Cluster *NutanixResourceIdentifierApplyConfiguration `json:"cluster,omitempty"`
+	// subnets holds a list of identifiers (one or more) of the cluster's network subnets
+	// If the feature gate NutanixMultiSubnets is enabled, up to 32 subnets may be configured.
+	// for the Machine's VM to connect to. The subnet identifiers (uuid or name) can be
+	// obtained from the Prism Central console or using the prism_central API.
 	Subnets []NutanixResourceIdentifierApplyConfiguration `json:"subnets,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformloadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformloadbalancer.go
index 84d3b7ade3563..6f90a6fe0b3e5 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformloadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformloadbalancer.go
@@ -8,7 +8,18 @@ import (
 
 // NutanixPlatformLoadBalancerApplyConfiguration represents a declarative configuration of the NutanixPlatformLoadBalancer type for use
 // with apply.
+//
+// NutanixPlatformLoadBalancer defines the load balancer used by the cluster on Nutanix platform.
 type NutanixPlatformLoadBalancerApplyConfiguration struct {
+	// type defines the type of load balancer used by the cluster on Nutanix platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
 	Type *configv1.PlatformLoadBalancerType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformspec.go
index 8f7cb98423627..f23258e5092ab 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformspec.go
@@ -4,10 +4,25 @@ package v1
 
 // NutanixPlatformSpecApplyConfiguration represents a declarative configuration of the NutanixPlatformSpec type for use
 // with apply.
+//
+// NutanixPlatformSpec holds the desired state of the Nutanix infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type NutanixPlatformSpecApplyConfiguration struct {
-	PrismCentral   *NutanixPrismEndpointApplyConfiguration         `json:"prismCentral,omitempty"`
-	PrismElements  []NutanixPrismElementEndpointApplyConfiguration `json:"prismElements,omitempty"`
-	FailureDomains []NutanixFailureDomainApplyConfiguration        `json:"failureDomains,omitempty"`
+	// prismCentral holds the endpoint address and port to access the Nutanix Prism Central.
+	// When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy.
+	// Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the
+	// proxy spec.noProxy list.
+	PrismCentral *NutanixPrismEndpointApplyConfiguration `json:"prismCentral,omitempty"`
+	// prismElements holds one or more endpoint address and port data to access the Nutanix
+	// Prism Elements (clusters) of the Nutanix Prism Central. Currently we only support one
+	// Prism Element (cluster) for an OpenShift cluster, where all the Nutanix resources (VMs, subnets, volumes, etc.)
+	// used in the OpenShift cluster are located. In the future, we may support Nutanix resources (VMs, etc.)
+	// spread over multiple Prism Elements (clusters) of the Prism Central.
+	PrismElements []NutanixPrismElementEndpointApplyConfiguration `json:"prismElements,omitempty"`
+	// failureDomains configures failure domains information for the Nutanix platform.
+	// When set, the failure domains defined here may be used to spread Machines across
+	// prism element clusters to improve fault tolerance of the cluster.
+	FailureDomains []NutanixFailureDomainApplyConfiguration `json:"failureDomains,omitempty"`
 }
 
 // NutanixPlatformSpecApplyConfiguration constructs a declarative configuration of the NutanixPlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go
index 5c61ef980181a..ea9c150d7a447 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go
@@ -8,13 +8,47 @@ import (
 
 // NutanixPlatformStatusApplyConfiguration represents a declarative configuration of the NutanixPlatformStatus type for use
 // with apply.
+//
+// NutanixPlatformStatus holds the current status of the Nutanix infrastructure provider.
 type NutanixPlatformStatusApplyConfiguration struct {
-	APIServerInternalIP  *string                                        `json:"apiServerInternalIP,omitempty"`
-	APIServerInternalIPs []string                                       `json:"apiServerInternalIPs,omitempty"`
-	IngressIP            *string                                        `json:"ingressIP,omitempty"`
-	IngressIPs           []string                                       `json:"ingressIPs,omitempty"`
-	LoadBalancer         *NutanixPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
-	DNSRecordsType       *configv1.DNSRecordsType                       `json:"dnsRecordsType,omitempty"`
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	APIServerInternalIPs []string `json:"apiServerInternalIPs,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP *string `json:"ingressIP,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	IngressIPs []string `json:"ingressIPs,omitempty"`
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	LoadBalancer *NutanixPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
+	// dnsRecordsType determines whether records for api, api-int, and ingress
+	// are provided by the internal DNS service or externally.
+	// Allowed values are `Internal`, `External`, and omitted.
+	// When set to `Internal`, records are provided by the internal infrastructure and
+	// no additional user configuration is required for the cluster to function.
+	// When set to `External`, records are not provided by the internal infrastructure
+	// and must be configured by the user on a DNS server outside the cluster.
+	// Cluster nodes must use this external server for their upstream DNS requests.
+	// This value may only be set when loadBalancer.type is set to UserManaged.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `Internal`.
+	DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"`
 }
 
 // NutanixPlatformStatusApplyConfiguration constructs a declarative configuration of the NutanixPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismelementendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismelementendpoint.go
index 2e59ff235a601..82fd902fddb43 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismelementendpoint.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismelementendpoint.go
@@ -4,8 +4,16 @@ package v1
 
 // NutanixPrismElementEndpointApplyConfiguration represents a declarative configuration of the NutanixPrismElementEndpoint type for use
 // with apply.
+//
+// NutanixPrismElementEndpoint holds the name and endpoint data for a Prism Element (cluster)
 type NutanixPrismElementEndpointApplyConfiguration struct {
-	Name     *string                                 `json:"name,omitempty"`
+	// name is the name of the Prism Element (cluster). This value will correspond with
+	// the cluster field configured on other resources (eg Machines, PVCs, etc).
+	Name *string `json:"name,omitempty"`
+	// endpoint holds the endpoint address and port data of the Prism Element (cluster).
+	// When a cluster-wide proxy is installed, by default, this endpoint will be accessed via the proxy.
+	// Should you wish for communication with this endpoint not to be proxied, please add the endpoint to the
+	// proxy spec.noProxy list.
 	Endpoint *NutanixPrismEndpointApplyConfiguration `json:"endpoint,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismendpoint.go
index 8012c2cb23a73..8df7c656d46fe 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismendpoint.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismendpoint.go
@@ -4,9 +4,13 @@ package v1
 
 // NutanixPrismEndpointApplyConfiguration represents a declarative configuration of the NutanixPrismEndpoint type for use
 // with apply.
+//
+// NutanixPrismEndpoint holds the endpoint address and port to access the Nutanix Prism Central or Element (cluster)
 type NutanixPrismEndpointApplyConfiguration struct {
+	// address is the endpoint address (DNS name or IP address) of the Nutanix Prism Central or Element (cluster)
 	Address *string `json:"address,omitempty"`
-	Port    *int32  `json:"port,omitempty"`
+	// port is the port number to access the Nutanix Prism Central or Element (cluster)
+	Port *int32 `json:"port,omitempty"`
 }
 
 // NutanixPrismEndpointApplyConfiguration constructs a declarative configuration of the NutanixPrismEndpoint type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixresourceidentifier.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixresourceidentifier.go
index 5e9b095d83b62..35ac7b08f2ad2 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixresourceidentifier.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixresourceidentifier.go
@@ -8,10 +8,15 @@ import (
 
 // NutanixResourceIdentifierApplyConfiguration represents a declarative configuration of the NutanixResourceIdentifier type for use
 // with apply.
+//
+// NutanixResourceIdentifier holds the identity of a Nutanix PC resource (cluster, image, subnet, etc.)
 type NutanixResourceIdentifierApplyConfiguration struct {
+	// type is the identifier type to use for this resource.
 	Type *configv1.NutanixIdentifierType `json:"type,omitempty"`
-	UUID *string                         `json:"uuid,omitempty"`
-	Name *string                         `json:"name,omitempty"`
+	// uuid is the UUID of the resource in the PC. It cannot be empty if the type is UUID.
+	UUID *string `json:"uuid,omitempty"`
+	// name is the resource name in the PC. It cannot be empty if the type is Name.
+	Name *string `json:"name,omitempty"`
 }
 
 // NutanixResourceIdentifierApplyConfiguration constructs a declarative configuration of the NutanixResourceIdentifier type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauth.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauth.go
index 37725fb7c3796..05ca605059016 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauth.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauth.go
@@ -13,11 +13,21 @@ import (
 
 // OAuthApplyConfiguration represents a declarative configuration of the OAuth type for use
 // with apply.
+//
+// OAuth holds cluster-wide information about OAuth.  The canonical name is `cluster`.
+// It is used to configure the integrated OAuth server.
+// This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OAuthApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *OAuthSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.OAuthStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *OAuthSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1.OAuthStatus `json:"status,omitempty"`
 }
 
 // OAuth constructs a declarative configuration of the OAuth type for use with
@@ -30,6 +40,26 @@ func OAuth(name string) *OAuthApplyConfiguration {
 	return b
 }
 
+// ExtractOAuthFrom extracts the applied configuration owned by fieldManager from
+// oAuth for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// oAuth must be a unmodified OAuth API object that was retrieved from the Kubernetes API.
+// ExtractOAuthFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOAuthFrom(oAuth *configv1.OAuth, fieldManager string, subresource string) (*OAuthApplyConfiguration, error) {
+	b := &OAuthApplyConfiguration{}
+	err := managedfields.ExtractInto(oAuth, internal.Parser().Type("com.github.openshift.api.config.v1.OAuth"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(oAuth.Name)
+
+	b.WithKind("OAuth")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractOAuth extracts the applied configuration owned by fieldManager from
 // oAuth. If no managedFields are found in oAuth for fieldManager, a
 // OAuthApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +70,16 @@ func OAuth(name string) *OAuthApplyConfiguration {
 // ExtractOAuth provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractOAuth(oAuth *configv1.OAuth, fieldManager string) (*OAuthApplyConfiguration, error) {
-	return extractOAuth(oAuth, fieldManager, "")
+	return ExtractOAuthFrom(oAuth, fieldManager, "")
 }
 
-// ExtractOAuthStatus is the same as ExtractOAuth except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractOAuthStatus extracts the applied configuration owned by fieldManager from
+// oAuth for the status subresource.
 func ExtractOAuthStatus(oAuth *configv1.OAuth, fieldManager string) (*OAuthApplyConfiguration, error) {
-	return extractOAuth(oAuth, fieldManager, "status")
+	return ExtractOAuthFrom(oAuth, fieldManager, "status")
 }
 
-func extractOAuth(oAuth *configv1.OAuth, fieldManager string, subresource string) (*OAuthApplyConfiguration, error) {
-	b := &OAuthApplyConfiguration{}
-	err := managedfields.ExtractInto(oAuth, internal.Parser().Type("com.github.openshift.api.config.v1.OAuth"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(oAuth.Name)
-
-	b.WithKind("OAuth")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b OAuthApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthremoteconnectioninfo.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthremoteconnectioninfo.go
index 3b348819d9010..7d52703092ba5 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthremoteconnectioninfo.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthremoteconnectioninfo.go
@@ -4,11 +4,33 @@ package v1
 
 // OAuthRemoteConnectionInfoApplyConfiguration represents a declarative configuration of the OAuthRemoteConnectionInfo type for use
 // with apply.
+//
+// OAuthRemoteConnectionInfo holds information necessary for establishing a remote connection
 type OAuthRemoteConnectionInfoApplyConfiguration struct {
-	URL           *string                                   `json:"url,omitempty"`
-	CA            *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
-	TLSClientCert *SecretNameReferenceApplyConfiguration    `json:"tlsClientCert,omitempty"`
-	TLSClientKey  *SecretNameReferenceApplyConfiguration    `json:"tlsClientKey,omitempty"`
+	// url is the remote URL to connect to
+	URL *string `json:"url,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// tlsClientCert is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS client certificate to present when connecting to the server.
+	// The key "tls.crt" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	TLSClientCert *SecretNameReferenceApplyConfiguration `json:"tlsClientCert,omitempty"`
+	// tlsClientKey is an optional reference to a secret by name that contains the
+	// PEM-encoded TLS private key for the client certificate referenced in tlsClientCert.
+	// The key "tls.key" is used to locate the data.
+	// If specified and the secret or expected key is not found, the identity provider is not honored.
+	// If the specified certificate data is not valid, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	TLSClientKey *SecretNameReferenceApplyConfiguration `json:"tlsClientKey,omitempty"`
 }
 
 // OAuthRemoteConnectionInfoApplyConfiguration constructs a declarative configuration of the OAuthRemoteConnectionInfo type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthspec.go
index 5eacc05cb4b33..1ea678273cd7f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthspec.go
@@ -4,10 +4,16 @@ package v1
 
 // OAuthSpecApplyConfiguration represents a declarative configuration of the OAuthSpec type for use
 // with apply.
+//
+// OAuthSpec contains desired cluster auth configuration
 type OAuthSpecApplyConfiguration struct {
+	// identityProviders is an ordered list of ways for a user to identify themselves.
+	// When this list is empty, no identities are provisioned for users.
 	IdentityProviders []IdentityProviderApplyConfiguration `json:"identityProviders,omitempty"`
-	TokenConfig       *TokenConfigApplyConfiguration       `json:"tokenConfig,omitempty"`
-	Templates         *OAuthTemplatesApplyConfiguration    `json:"templates,omitempty"`
+	// tokenConfig contains options for authorization and access tokens
+	TokenConfig *TokenConfigApplyConfiguration `json:"tokenConfig,omitempty"`
+	// templates allow you to customize pages like the login page.
+	Templates *OAuthTemplatesApplyConfiguration `json:"templates,omitempty"`
 }
 
 // OAuthSpecApplyConfiguration constructs a declarative configuration of the OAuthSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthtemplates.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthtemplates.go
index 98bc5a0db9451..85ec763fcc3eb 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthtemplates.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthtemplates.go
@@ -4,10 +4,32 @@ package v1
 
 // OAuthTemplatesApplyConfiguration represents a declarative configuration of the OAuthTemplates type for use
 // with apply.
+//
+// OAuthTemplates allow for customization of pages like the login page
 type OAuthTemplatesApplyConfiguration struct {
-	Login             *SecretNameReferenceApplyConfiguration `json:"login,omitempty"`
+	// login is the name of a secret that specifies a go template to use to render the login page.
+	// The key "login.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default login page is used.
+	// If the specified template is not valid, the default login page is used.
+	// If unspecified, the default login page is used.
+	// The namespace for this secret is openshift-config.
+	Login *SecretNameReferenceApplyConfiguration `json:"login,omitempty"`
+	// providerSelection is the name of a secret that specifies a go template to use to render
+	// the provider selection page.
+	// The key "providers.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default provider selection page is used.
+	// If the specified template is not valid, the default provider selection page is used.
+	// If unspecified, the default provider selection page is used.
+	// The namespace for this secret is openshift-config.
 	ProviderSelection *SecretNameReferenceApplyConfiguration `json:"providerSelection,omitempty"`
-	Error             *SecretNameReferenceApplyConfiguration `json:"error,omitempty"`
+	// error is the name of a secret that specifies a go template to use to render error pages
+	// during the authentication or grant flow.
+	// The key "errors.html" is used to locate the template data.
+	// If specified and the secret or expected key is not found, the default error page is used.
+	// If the specified template is not valid, the default error page is used.
+	// If unspecified, the default error page is used.
+	// The namespace for this secret is openshift-config.
+	Error *SecretNameReferenceApplyConfiguration `json:"error,omitempty"`
 }
 
 // OAuthTemplatesApplyConfiguration constructs a declarative configuration of the OAuthTemplates type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/objectreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/objectreference.go
index dfbc465e7176d..96ce2cb965a7f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/objectreference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/objectreference.go
@@ -4,11 +4,17 @@ package v1
 
 // ObjectReferenceApplyConfiguration represents a declarative configuration of the ObjectReference type for use
 // with apply.
+//
+// ObjectReference contains enough information to let you inspect or modify the referred object.
 type ObjectReferenceApplyConfiguration struct {
-	Group     *string `json:"group,omitempty"`
-	Resource  *string `json:"resource,omitempty"`
+	// group of the referent.
+	Group *string `json:"group,omitempty"`
+	// resource of the referent.
+	Resource *string `json:"resource,omitempty"`
+	// namespace of the referent.
 	Namespace *string `json:"namespace,omitempty"`
-	Name      *string `json:"name,omitempty"`
+	// name of the referent.
+	Name *string `json:"name,omitempty"`
 }
 
 // ObjectReferenceApplyConfiguration constructs a declarative configuration of the ObjectReference type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go
index 65fa3dd46249e..a3d4e7471e14f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go
@@ -4,12 +4,41 @@ package v1
 
 // OIDCClientConfigApplyConfiguration represents a declarative configuration of the OIDCClientConfig type for use
 // with apply.
+//
+// OIDCClientConfig configures how platform clients interact with identity providers as an authentication method.
 type OIDCClientConfigApplyConfiguration struct {
-	ComponentName      *string                                `json:"componentName,omitempty"`
-	ComponentNamespace *string                                `json:"componentNamespace,omitempty"`
-	ClientID           *string                                `json:"clientID,omitempty"`
-	ClientSecret       *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
-	ExtraScopes        []string                               `json:"extraScopes,omitempty"`
+	// componentName is a required field that specifies the name of the platform component being configured to use the identity provider as an authentication mode.
+	//
+	// It is used in combination with componentNamespace as a unique identifier.
+	//
+	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
+	ComponentName *string `json:"componentName,omitempty"`
+	// componentNamespace is a required field that specifies the namespace in which the platform component being configured to use the identity provider as an authentication mode is running.
+	//
+	// It is used in combination with componentName as a unique identifier.
+	//
+	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
+	ComponentNamespace *string `json:"componentNamespace,omitempty"`
+	// clientID is a required field that configures the client identifier, from the identity provider, that the platform component uses for authentication requests made to the identity provider.
+	// The identity provider must accept this identifier for platform components to be able to use the identity provider as an authentication mode.
+	//
+	// clientID must not be an empty string ("").
+	ClientID *string `json:"clientID,omitempty"`
+	// clientSecret is an optional field that configures the client secret used by the platform component when making authentication requests to the identity provider.
+	//
+	// When not specified, no client secret will be used when making authentication requests to the identity provider.
+	//
+	// When specified, clientSecret references a Secret in the 'openshift-config' namespace that contains the client secret in the 'clientSecret' key of the '.data' field.
+	//
+	// The client secret will be used when making authentication requests to the identity provider.
+	//
+	// Public clients do not require a client secret but private clients do require a client secret to work with the identity provider.
+	ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
+	// extraScopes is an optional field that configures the extra scopes that should be requested by the platform component when making authentication requests to the identity provider.
+	// This is useful if you have configured claim mappings that requires specific scopes to be requested beyond the standard OIDC scopes.
+	//
+	// When omitted, no additional scopes are requested.
+	ExtraScopes []string `json:"extraScopes,omitempty"`
 }
 
 // OIDCClientConfigApplyConfiguration constructs a declarative configuration of the OIDCClientConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go
index 5109305b23dbd..f99461c402986 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go
@@ -4,10 +4,22 @@ package v1
 
 // OIDCClientReferenceApplyConfiguration represents a declarative configuration of the OIDCClientReference type for use
 // with apply.
+//
+// OIDCClientReference is a reference to a platform component
+// client configuration.
 type OIDCClientReferenceApplyConfiguration struct {
+	// oidcProviderName is a required reference to the 'name' of the identity provider configured in 'oidcProviders' that this client is associated with.
+	//
+	// oidcProviderName must not be an empty string ("").
 	OIDCProviderName *string `json:"oidcProviderName,omitempty"`
-	IssuerURL        *string `json:"issuerURL,omitempty"`
-	ClientID         *string `json:"clientID,omitempty"`
+	// issuerURL is a required field that specifies the URL of the identity provider that this client is configured to make requests against.
+	//
+	// issuerURL must use the 'https' scheme.
+	IssuerURL *string `json:"issuerURL,omitempty"`
+	// clientID is a required field that specifies the client identifier, from the identity provider, that the platform component is using for authentication requests made to the identity provider.
+	//
+	// clientID must not be empty.
+	ClientID *string `json:"clientID,omitempty"`
 }
 
 // OIDCClientReferenceApplyConfiguration constructs a declarative configuration of the OIDCClientReference type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go
index 5d365a87ecb35..24b7cedb70ced 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go
@@ -9,12 +9,38 @@ import (
 
 // OIDCClientStatusApplyConfiguration represents a declarative configuration of the OIDCClientStatus type for use
 // with apply.
+//
+// OIDCClientStatus represents the current state
+// of platform components and how they interact with
+// the configured identity providers.
 type OIDCClientStatusApplyConfiguration struct {
-	ComponentName      *string                                 `json:"componentName,omitempty"`
-	ComponentNamespace *string                                 `json:"componentNamespace,omitempty"`
+	// componentName is a required field that specifies the name of the platform component using the identity provider as an authentication mode.
+	// It is used in combination with componentNamespace as a unique identifier.
+	//
+	// componentName must not be an empty string ("") and must not exceed 256 characters in length.
+	ComponentName *string `json:"componentName,omitempty"`
+	// componentNamespace is a required field that specifies the namespace in which the platform component using the identity provider as an authentication mode is running.
+	//
+	// It is used in combination with componentName as a unique identifier.
+	//
+	// componentNamespace must not be an empty string ("") and must not exceed 63 characters in length.
+	ComponentNamespace *string `json:"componentNamespace,omitempty"`
+	// currentOIDCClients is an optional list of clients that the component is currently using.
+	//
+	// Entries must have unique issuerURL/clientID pairs.
 	CurrentOIDCClients []OIDCClientReferenceApplyConfiguration `json:"currentOIDCClients,omitempty"`
-	ConsumingUsers     []configv1.ConsumingUser                `json:"consumingUsers,omitempty"`
-	Conditions         []metav1.ConditionApplyConfiguration    `json:"conditions,omitempty"`
+	// consumingUsers is an optional list of ServiceAccounts requiring read permissions on the `clientSecret` secret.
+	//
+	// consumingUsers must not exceed 5 entries.
+	ConsumingUsers []configv1.ConsumingUser `json:"consumingUsers,omitempty"`
+	// conditions are used to communicate the state of the `oidcClients` entry.
+	//
+	// Supported conditions include Available, Degraded and Progressing.
+	//
+	// If Available is true, the component is successfully using the configured client.
+	// If Degraded is true, that means something has gone wrong trying to handle the client configuration.
+	// If Progressing is true, that means the component is taking some action related to the `oidcClients` entry.
+	Conditions []metav1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
 // OIDCClientStatusApplyConfiguration constructs a declarative configuration of the OIDCClientStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go
index 7d93003673645..6f5a249a707e6 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go
@@ -5,11 +5,27 @@ package v1
 // OIDCProviderApplyConfiguration represents a declarative configuration of the OIDCProvider type for use
 // with apply.
 type OIDCProviderApplyConfiguration struct {
-	Name                 *string                                      `json:"name,omitempty"`
-	Issuer               *TokenIssuerApplyConfiguration               `json:"issuer,omitempty"`
-	OIDCClients          []OIDCClientConfigApplyConfiguration         `json:"oidcClients,omitempty"`
-	ClaimMappings        *TokenClaimMappingsApplyConfiguration        `json:"claimMappings,omitempty"`
+	// name is a required field that configures the unique human-readable identifier associated with the identity provider.
+	// It is used to distinguish between multiple identity providers and has no impact on token validation or authentication mechanics.
+	//
+	// name must not be an empty string ("").
+	Name *string `json:"name,omitempty"`
+	// issuer is a required field that configures how the platform interacts with the identity provider and how tokens issued from the identity provider are evaluated by the Kubernetes API server.
+	Issuer *TokenIssuerApplyConfiguration `json:"issuer,omitempty"`
+	// oidcClients is an optional field that configures how on-cluster, platform clients should request tokens from the identity provider.
+	// oidcClients must not exceed 20 entries and entries must have unique namespace/name pairs.
+	OIDCClients []OIDCClientConfigApplyConfiguration `json:"oidcClients,omitempty"`
+	// claimMappings is a required field that configures the rules to be used by the Kubernetes API server for translating claims in a JWT token, issued by the identity provider, to a cluster identity.
+	ClaimMappings *TokenClaimMappingsApplyConfiguration `json:"claimMappings,omitempty"`
+	// claimValidationRules is an optional field that configures the rules to be used by the Kubernetes API server for validating the claims in a JWT token issued by the identity provider.
+	//
+	// Validation rules are joined via an AND operation.
 	ClaimValidationRules []TokenClaimValidationRuleApplyConfiguration `json:"claimValidationRules,omitempty"`
+	// userValidationRules is an optional field that configures the set of rules used to validate the cluster user identity that was constructed via mapping token claims to user identity attributes.
+	// Rules are CEL expressions that must evaluate to 'true' for authentication to succeed.
+	// If any rule in the chain of rules evaluates to 'false', authentication will fail.
+	// When specified, at least one rule must be specified and no more than 64 rules may be specified.
+	UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"`
 }
 
 // OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with
@@ -67,3 +83,16 @@ func (b *OIDCProviderApplyConfiguration) WithClaimValidationRules(values ...*Tok
 	}
 	return b
 }
+
+// WithUserValidationRules adds the given value to the UserValidationRules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the UserValidationRules field.
+func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*TokenUserValidationRuleApplyConfiguration) *OIDCProviderApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithUserValidationRules")
+		}
+		b.UserValidationRules = append(b.UserValidationRules, *values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openidclaims.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openidclaims.go
index 8f11192c5b5af..b1edbc525fdad 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openidclaims.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openidclaims.go
@@ -8,11 +8,22 @@ import (
 
 // OpenIDClaimsApplyConfiguration represents a declarative configuration of the OpenIDClaims type for use
 // with apply.
+//
+// OpenIDClaims contains a list of OpenID claims to use when authenticating with an OpenID identity provider
 type OpenIDClaimsApplyConfiguration struct {
-	PreferredUsername []string               `json:"preferredUsername,omitempty"`
-	Name              []string               `json:"name,omitempty"`
-	Email             []string               `json:"email,omitempty"`
-	Groups            []configv1.OpenIDClaim `json:"groups,omitempty"`
+	// preferredUsername is the list of claims whose values should be used as the preferred username.
+	// If unspecified, the preferred username is determined from the value of the sub claim
+	PreferredUsername []string `json:"preferredUsername,omitempty"`
+	// name is the list of claims whose values should be used as the display name. Optional.
+	// If unspecified, no display name is set for the identity
+	Name []string `json:"name,omitempty"`
+	// email is the list of claims whose values should be used as the email address. Optional.
+	// If unspecified, no email is set for the identity
+	Email []string `json:"email,omitempty"`
+	// groups is the list of claims value of which should be used to synchronize groups
+	// from the OIDC provider to OpenShift for the user.
+	// If multiple claims are specified, the first one with a non-empty value is used.
+	Groups []configv1.OpenIDClaim `json:"groups,omitempty"`
 }
 
 // OpenIDClaimsApplyConfiguration constructs a declarative configuration of the OpenIDClaims type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openididentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openididentityprovider.go
index 9372178cf2815..83029b444f81e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openididentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openididentityprovider.go
@@ -4,14 +4,33 @@ package v1
 
 // OpenIDIdentityProviderApplyConfiguration represents a declarative configuration of the OpenIDIdentityProvider type for use
 // with apply.
+//
+// OpenIDIdentityProvider provides identities for users authenticating using OpenID credentials
 type OpenIDIdentityProviderApplyConfiguration struct {
-	ClientID                 *string                                   `json:"clientID,omitempty"`
-	ClientSecret             *SecretNameReferenceApplyConfiguration    `json:"clientSecret,omitempty"`
-	CA                       *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
-	ExtraScopes              []string                                  `json:"extraScopes,omitempty"`
-	ExtraAuthorizeParameters map[string]string                         `json:"extraAuthorizeParameters,omitempty"`
-	Issuer                   *string                                   `json:"issuer,omitempty"`
-	Claims                   *OpenIDClaimsApplyConfiguration           `json:"claims,omitempty"`
+	// clientID is the oauth client ID
+	ClientID *string `json:"clientID,omitempty"`
+	// clientSecret is a required reference to the secret by name containing the oauth client secret.
+	// The key "clientSecret" is used to locate the data.
+	// If the secret or expected key is not found, the identity provider is not honored.
+	// The namespace for this secret is openshift-config.
+	ClientSecret *SecretNameReferenceApplyConfiguration `json:"clientSecret,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// If empty, the default system roots are used.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// extraScopes are any scopes to request in addition to the standard "openid" scope.
+	ExtraScopes []string `json:"extraScopes,omitempty"`
+	// extraAuthorizeParameters are any custom parameters to add to the authorize request.
+	ExtraAuthorizeParameters map[string]string `json:"extraAuthorizeParameters,omitempty"`
+	// issuer is the URL that the OpenID Provider asserts as its Issuer Identifier.
+	// It must use the https scheme with no query or fragment component.
+	Issuer *string `json:"issuer,omitempty"`
+	// claims mappings
+	Claims *OpenIDClaimsApplyConfiguration `json:"claims,omitempty"`
 }
 
 // OpenIDIdentityProviderApplyConfiguration constructs a declarative configuration of the OpenIDIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformloadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformloadbalancer.go
index f65d682d57ace..bec239f9bc308 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformloadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformloadbalancer.go
@@ -8,7 +8,18 @@ import (
 
 // OpenStackPlatformLoadBalancerApplyConfiguration represents a declarative configuration of the OpenStackPlatformLoadBalancer type for use
 // with apply.
+//
+// OpenStackPlatformLoadBalancer defines the load balancer used by the cluster on OpenStack platform.
 type OpenStackPlatformLoadBalancerApplyConfiguration struct {
+	// type defines the type of load balancer used by the cluster on OpenStack platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
 	Type *configv1.PlatformLoadBalancerType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go
index af43c83306909..863d1b0ea0480 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go
@@ -8,10 +8,33 @@ import (
 
 // OpenStackPlatformSpecApplyConfiguration represents a declarative configuration of the OpenStackPlatformSpec type for use
 // with apply.
+//
+// OpenStackPlatformSpec holds the desired state of the OpenStack infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type OpenStackPlatformSpecApplyConfiguration struct {
-	APIServerInternalIPs []configv1.IP   `json:"apiServerInternalIPs,omitempty"`
-	IngressIPs           []configv1.IP   `json:"ingressIPs,omitempty"`
-	MachineNetworks      []configv1.CIDR `json:"machineNetworks,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	APIServerInternalIPs []configv1.IP `json:"apiServerInternalIPs,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	IngressIPs []configv1.IP `json:"ingressIPs,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // OpenStackPlatformSpecApplyConfiguration constructs a declarative configuration of the OpenStackPlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go
index 4052769489854..7ecab51177e90 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go
@@ -8,16 +8,59 @@ import (
 
 // OpenStackPlatformStatusApplyConfiguration represents a declarative configuration of the OpenStackPlatformStatus type for use
 // with apply.
+//
+// OpenStackPlatformStatus holds the current status of the OpenStack infrastructure provider.
 type OpenStackPlatformStatusApplyConfiguration struct {
-	APIServerInternalIP  *string                                          `json:"apiServerInternalIP,omitempty"`
-	APIServerInternalIPs []string                                         `json:"apiServerInternalIPs,omitempty"`
-	CloudName            *string                                          `json:"cloudName,omitempty"`
-	IngressIP            *string                                          `json:"ingressIP,omitempty"`
-	IngressIPs           []string                                         `json:"ingressIPs,omitempty"`
-	NodeDNSIP            *string                                          `json:"nodeDNSIP,omitempty"`
-	LoadBalancer         *OpenStackPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
-	DNSRecordsType       *configv1.DNSRecordsType                         `json:"dnsRecordsType,omitempty"`
-	MachineNetworks      []configv1.CIDR                                  `json:"machineNetworks,omitempty"`
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	APIServerInternalIPs []string `json:"apiServerInternalIPs,omitempty"`
+	// cloudName is the name of the desired OpenStack cloud in the
+	// client configuration file (`clouds.yaml`).
+	CloudName *string `json:"cloudName,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP *string `json:"ingressIP,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	IngressIPs []string `json:"ingressIPs,omitempty"`
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// OpenStack deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP *string `json:"nodeDNSIP,omitempty"`
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	LoadBalancer *OpenStackPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
+	// dnsRecordsType determines whether records for api, api-int, and ingress
+	// are provided by the internal DNS service or externally.
+	// Allowed values are `Internal`, `External`, and omitted.
+	// When set to `Internal`, records are provided by the internal infrastructure and
+	// no additional user configuration is required for the cluster to function.
+	// When set to `External`, records are not provided by the internal infrastructure
+	// and must be configured by the user on a DNS server outside the cluster.
+	// Cluster nodes must use this external server for their upstream DNS requests.
+	// This value may only be set when loadBalancer.type is set to UserManaged.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `Internal`.
+	DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // OpenStackPlatformStatusApplyConfiguration constructs a declarative configuration of the OpenStackPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operandversion.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operandversion.go
index 6c4336d6eb562..67d5c56c17790 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operandversion.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operandversion.go
@@ -5,7 +5,11 @@ package v1
 // OperandVersionApplyConfiguration represents a declarative configuration of the OperandVersion type for use
 // with apply.
 type OperandVersionApplyConfiguration struct {
-	Name    *string `json:"name,omitempty"`
+	// name is the name of the particular operand this version is for.  It usually matches container images, not operators.
+	Name *string `json:"name,omitempty"`
+	// version indicates which version of a particular operand is currently being managed.  It must always match the Available
+	// operand.  If 1.0.0 is Available, then this must indicate 1.0.0 even if the operator is trying to rollout
+	// 1.1.0
 	Version *string `json:"version,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhub.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhub.go
index 0dbba79c4d477..5f86f3b572835 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhub.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhub.go
@@ -13,8 +13,16 @@ import (
 
 // OperatorHubApplyConfiguration represents a declarative configuration of the OperatorHub type for use
 // with apply.
+//
+// OperatorHub is the Schema for the operatorhubs API. It can be used to change
+// the state of the default hub sources for OperatorHub on the cluster from
+// enabled to disabled and vice versa.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OperatorHubApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
 	Spec                                 *OperatorHubSpecApplyConfiguration   `json:"spec,omitempty"`
 	Status                               *OperatorHubStatusApplyConfiguration `json:"status,omitempty"`
@@ -30,6 +38,26 @@ func OperatorHub(name string) *OperatorHubApplyConfiguration {
 	return b
 }
 
+// ExtractOperatorHubFrom extracts the applied configuration owned by fieldManager from
+// operatorHub for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// operatorHub must be a unmodified OperatorHub API object that was retrieved from the Kubernetes API.
+// ExtractOperatorHubFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOperatorHubFrom(operatorHub *configv1.OperatorHub, fieldManager string, subresource string) (*OperatorHubApplyConfiguration, error) {
+	b := &OperatorHubApplyConfiguration{}
+	err := managedfields.ExtractInto(operatorHub, internal.Parser().Type("com.github.openshift.api.config.v1.OperatorHub"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(operatorHub.Name)
+
+	b.WithKind("OperatorHub")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractOperatorHub extracts the applied configuration owned by fieldManager from
 // operatorHub. If no managedFields are found in operatorHub for fieldManager, a
 // OperatorHubApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func OperatorHub(name string) *OperatorHubApplyConfiguration {
 // ExtractOperatorHub provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractOperatorHub(operatorHub *configv1.OperatorHub, fieldManager string) (*OperatorHubApplyConfiguration, error) {
-	return extractOperatorHub(operatorHub, fieldManager, "")
+	return ExtractOperatorHubFrom(operatorHub, fieldManager, "")
 }
 
-// ExtractOperatorHubStatus is the same as ExtractOperatorHub except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractOperatorHubStatus extracts the applied configuration owned by fieldManager from
+// operatorHub for the status subresource.
 func ExtractOperatorHubStatus(operatorHub *configv1.OperatorHub, fieldManager string) (*OperatorHubApplyConfiguration, error) {
-	return extractOperatorHub(operatorHub, fieldManager, "status")
+	return ExtractOperatorHubFrom(operatorHub, fieldManager, "status")
 }
 
-func extractOperatorHub(operatorHub *configv1.OperatorHub, fieldManager string, subresource string) (*OperatorHubApplyConfiguration, error) {
-	b := &OperatorHubApplyConfiguration{}
-	err := managedfields.ExtractInto(operatorHub, internal.Parser().Type("com.github.openshift.api.config.v1.OperatorHub"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(operatorHub.Name)
-
-	b.WithKind("OperatorHub")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b OperatorHubApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubspec.go
index 56179c4cf9dad..dac0696c5fb6e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubspec.go
@@ -4,9 +4,22 @@ package v1
 
 // OperatorHubSpecApplyConfiguration represents a declarative configuration of the OperatorHubSpec type for use
 // with apply.
+//
+// OperatorHubSpec defines the desired state of OperatorHub
 type OperatorHubSpecApplyConfiguration struct {
-	DisableAllDefaultSources *bool                         `json:"disableAllDefaultSources,omitempty"`
-	Sources                  []HubSourceApplyConfiguration `json:"sources,omitempty"`
+	// disableAllDefaultSources allows you to disable all the default hub
+	// sources. If this is true, a specific entry in sources can be used to
+	// enable a default source. If this is false, a specific entry in
+	// sources can be used to disable or enable a default source.
+	DisableAllDefaultSources *bool `json:"disableAllDefaultSources,omitempty"`
+	// sources is the list of default hub sources and their configuration.
+	// If the list is empty, it implies that the default hub sources are
+	// enabled on the cluster unless disableAllDefaultSources is true.
+	// If disableAllDefaultSources is true and sources is not empty,
+	// the configuration present in sources will take precedence. The list of
+	// default hub sources and their current state will always be reflected in
+	// the status block.
+	Sources []HubSourceApplyConfiguration `json:"sources,omitempty"`
 }
 
 // OperatorHubSpecApplyConfiguration constructs a declarative configuration of the OperatorHubSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubstatus.go
index 7e7cda1ac6e35..26c8fc5004230 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubstatus.go
@@ -4,7 +4,12 @@ package v1
 
 // OperatorHubStatusApplyConfiguration represents a declarative configuration of the OperatorHubStatus type for use
 // with apply.
+//
+// OperatorHubStatus defines the observed state of OperatorHub. The current
+// state of the default hub sources will always be reflected here.
 type OperatorHubStatusApplyConfiguration struct {
+	// sources encapsulates the result of applying the configuration for each
+	// hub source
 	Sources []HubSourceStatusApplyConfiguration `json:"sources,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformloadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformloadbalancer.go
index e81d48044dc23..9b8aa08dd51a4 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformloadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformloadbalancer.go
@@ -8,7 +8,18 @@ import (
 
 // OvirtPlatformLoadBalancerApplyConfiguration represents a declarative configuration of the OvirtPlatformLoadBalancer type for use
 // with apply.
+//
+// OvirtPlatformLoadBalancer defines the load balancer used by the cluster on Ovirt platform.
 type OvirtPlatformLoadBalancerApplyConfiguration struct {
+	// type defines the type of load balancer used by the cluster on Ovirt platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
 	Type *configv1.PlatformLoadBalancerType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go
index dab2c7a101f60..ba460372927d4 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go
@@ -8,14 +8,49 @@ import (
 
 // OvirtPlatformStatusApplyConfiguration represents a declarative configuration of the OvirtPlatformStatus type for use
 // with apply.
+//
+// OvirtPlatformStatus holds the current status of the  oVirt infrastructure provider.
 type OvirtPlatformStatusApplyConfiguration struct {
-	APIServerInternalIP  *string                                      `json:"apiServerInternalIP,omitempty"`
-	APIServerInternalIPs []string                                     `json:"apiServerInternalIPs,omitempty"`
-	IngressIP            *string                                      `json:"ingressIP,omitempty"`
-	IngressIPs           []string                                     `json:"ingressIPs,omitempty"`
-	NodeDNSIP            *string                                      `json:"nodeDNSIP,omitempty"`
-	LoadBalancer         *OvirtPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
-	DNSRecordsType       *configv1.DNSRecordsType                     `json:"dnsRecordsType,omitempty"`
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	APIServerInternalIPs []string `json:"apiServerInternalIPs,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP *string `json:"ingressIP,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	IngressIPs []string `json:"ingressIPs,omitempty"`
+	// deprecated: as of 4.6, this field is no longer set or honored.  It will be removed in a future release.
+	NodeDNSIP *string `json:"nodeDNSIP,omitempty"`
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	LoadBalancer *OvirtPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
+	// dnsRecordsType determines whether records for api, api-int, and ingress
+	// are provided by the internal DNS service or externally.
+	// Allowed values are `Internal`, `External`, and omitted.
+	// When set to `Internal`, records are provided by the internal infrastructure and
+	// no additional user configuration is required for the cluster to function.
+	// When set to `External`, records are not provided by the internal infrastructure
+	// and must be configured by the user on a DNS server outside the cluster.
+	// Cluster nodes must use this external server for their upstream DNS requests.
+	// This value may only be set when loadBalancer.type is set to UserManaged.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `Internal`.
+	DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"`
 }
 
 // OvirtPlatformStatusApplyConfiguration constructs a declarative configuration of the OvirtPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go
new file mode 100644
index 0000000000000..9a557f2dd25d2
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go
@@ -0,0 +1,28 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use
+// with apply.
+//
+// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
+type PersistentVolumeClaimReferenceApplyConfiguration struct {
+	// name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// It is a string that follows the DNS1123 subdomain format.
+	// It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
+	Name *string `json:"name,omitempty"`
+}
+
+// PersistentVolumeClaimReferenceApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimReference type for use with
+// apply.
+func PersistentVolumeClaimReference() *PersistentVolumeClaimReferenceApplyConfiguration {
+	return &PersistentVolumeClaimReferenceApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PersistentVolumeClaimReferenceApplyConfiguration) WithName(value string) *PersistentVolumeClaimReferenceApplyConfiguration {
+	b.Name = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go
new file mode 100644
index 0000000000000..ce5e58a999289
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go
@@ -0,0 +1,40 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use
+// with apply.
+//
+// PersistentVolumeConfig provides configuration options for PersistentVolume storage.
+type PersistentVolumeConfigApplyConfiguration struct {
+	// claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// The PersistentVolumeClaim must be created in the openshift-insights namespace.
+	Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"`
+	// mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default mount path is /var/lib/insights-operator
+	// The path may not exceed 1024 characters and must not contain a colon.
+	MountPath *string `json:"mountPath,omitempty"`
+}
+
+// PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with
+// apply.
+func PersistentVolumeConfig() *PersistentVolumeConfigApplyConfiguration {
+	return &PersistentVolumeConfigApplyConfiguration{}
+}
+
+// WithClaim sets the Claim field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Claim field is set to the value of the last call.
+func (b *PersistentVolumeConfigApplyConfiguration) WithClaim(value *PersistentVolumeClaimReferenceApplyConfiguration) *PersistentVolumeConfigApplyConfiguration {
+	b.Claim = value
+	return b
+}
+
+// WithMountPath sets the MountPath field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MountPath field is set to the value of the last call.
+func (b *PersistentVolumeConfigApplyConfiguration) WithMountPath(value string) *PersistentVolumeConfigApplyConfiguration {
+	b.MountPath = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go
deleted file mode 100644
index 65f27edf8ed51..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pki.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1
-
-// PKIApplyConfiguration represents a declarative configuration of the PKI type for use
-// with apply.
-type PKIApplyConfiguration struct {
-	CertificateAuthorityRootsData         []byte                                   `json:"caRootsData,omitempty"`
-	CertificateAuthorityIntermediatesData []byte                                   `json:"caIntermediatesData,omitempty"`
-	PKICertificateSubject                 *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"`
-}
-
-// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with
-// apply.
-func PKI() *PKIApplyConfiguration {
-	return &PKIApplyConfiguration{}
-}
-
-// WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field.
-func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration {
-	for i := range values {
-		b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i])
-	}
-	return b
-}
-
-// WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field.
-func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration {
-	for i := range values {
-		b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i])
-	}
-	return b
-}
-
-// WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the PKICertificateSubject field is set to the value of the last call.
-func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration {
-	b.PKICertificateSubject = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go
index 70181700b39c8..63fd15879acf0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go
@@ -4,8 +4,15 @@ package v1
 
 // PKICertificateSubjectApplyConfiguration represents a declarative configuration of the PKICertificateSubject type for use
 // with apply.
+//
+// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
 type PKICertificateSubjectApplyConfiguration struct {
-	Email    *string `json:"email,omitempty"`
+	// email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.
+	// The email must be a valid email address and at most 320 characters in length.
+	Email *string `json:"email,omitempty"`
+	// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.
+	// The hostname must be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length.
+	// It must consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.
 	Hostname *string `json:"hostname,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go
index 54ae2fcd383e1..5034ec734280c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go
@@ -8,22 +8,50 @@ import (
 
 // PlatformSpecApplyConfiguration represents a declarative configuration of the PlatformSpec type for use
 // with apply.
+//
+// PlatformSpec holds the desired state specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at spec-level for the underlying cluster, it
+// is supposed that only one of the spec structs is set.
 type PlatformSpecApplyConfiguration struct {
-	Type         *configv1.PlatformType                   `json:"type,omitempty"`
-	AWS          *AWSPlatformSpecApplyConfiguration       `json:"aws,omitempty"`
-	Azure        *configv1.AzurePlatformSpec              `json:"azure,omitempty"`
-	GCP          *configv1.GCPPlatformSpec                `json:"gcp,omitempty"`
-	BareMetal    *BareMetalPlatformSpecApplyConfiguration `json:"baremetal,omitempty"`
-	OpenStack    *OpenStackPlatformSpecApplyConfiguration `json:"openstack,omitempty"`
-	Ovirt        *configv1.OvirtPlatformSpec              `json:"ovirt,omitempty"`
-	VSphere      *VSpherePlatformSpecApplyConfiguration   `json:"vsphere,omitempty"`
-	IBMCloud     *IBMCloudPlatformSpecApplyConfiguration  `json:"ibmcloud,omitempty"`
-	Kubevirt     *configv1.KubevirtPlatformSpec           `json:"kubevirt,omitempty"`
-	EquinixMetal *configv1.EquinixMetalPlatformSpec       `json:"equinixMetal,omitempty"`
-	PowerVS      *PowerVSPlatformSpecApplyConfiguration   `json:"powervs,omitempty"`
-	AlibabaCloud *configv1.AlibabaCloudPlatformSpec       `json:"alibabaCloud,omitempty"`
-	Nutanix      *NutanixPlatformSpecApplyConfiguration   `json:"nutanix,omitempty"`
-	External     *ExternalPlatformSpecApplyConfiguration  `json:"external,omitempty"`
+	// type is the underlying infrastructure provider for the cluster. This
+	// value controls whether infrastructure automation such as service load
+	// balancers, dynamic volume provisioning, machine creation and deletion, and
+	// other integrations are enabled. If None, no infrastructure automation is
+	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "IBMCloud", "KubeVirt", "EquinixMetal",
+	// "PowerVS", "AlibabaCloud", "Nutanix", "External", and "None". Individual
+	// components may not support all platforms, and must handle unrecognized
+	// platforms as None if they do not support that platform.
+	Type *configv1.PlatformType `json:"type,omitempty"`
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	AWS *AWSPlatformSpecApplyConfiguration `json:"aws,omitempty"`
+	// azure contains settings specific to the Azure infrastructure provider.
+	Azure *configv1.AzurePlatformSpec `json:"azure,omitempty"`
+	// gcp contains settings specific to the Google Cloud Platform infrastructure provider.
+	GCP *configv1.GCPPlatformSpec `json:"gcp,omitempty"`
+	// baremetal contains settings specific to the BareMetal platform.
+	BareMetal *BareMetalPlatformSpecApplyConfiguration `json:"baremetal,omitempty"`
+	// openstack contains settings specific to the OpenStack infrastructure provider.
+	OpenStack *OpenStackPlatformSpecApplyConfiguration `json:"openstack,omitempty"`
+	// ovirt contains settings specific to the oVirt infrastructure provider.
+	Ovirt *configv1.OvirtPlatformSpec `json:"ovirt,omitempty"`
+	// vsphere contains settings specific to the VSphere infrastructure provider.
+	VSphere *VSpherePlatformSpecApplyConfiguration `json:"vsphere,omitempty"`
+	// ibmcloud contains settings specific to the IBMCloud infrastructure provider.
+	IBMCloud *IBMCloudPlatformSpecApplyConfiguration `json:"ibmcloud,omitempty"`
+	// kubevirt contains settings specific to the kubevirt infrastructure provider.
+	Kubevirt *configv1.KubevirtPlatformSpec `json:"kubevirt,omitempty"`
+	// equinixMetal contains settings specific to the Equinix Metal infrastructure provider.
+	EquinixMetal *configv1.EquinixMetalPlatformSpec `json:"equinixMetal,omitempty"`
+	// powervs contains settings specific to the IBM Power Systems Virtual Servers infrastructure provider.
+	PowerVS *PowerVSPlatformSpecApplyConfiguration `json:"powervs,omitempty"`
+	// alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.
+	AlibabaCloud *configv1.AlibabaCloudPlatformSpec `json:"alibabaCloud,omitempty"`
+	// nutanix contains settings specific to the Nutanix infrastructure provider.
+	Nutanix *NutanixPlatformSpecApplyConfiguration `json:"nutanix,omitempty"`
+	// ExternalPlatformType represents generic infrastructure provider.
+	// Platform-specific components should be supplemented separately.
+	External *ExternalPlatformSpecApplyConfiguration `json:"external,omitempty"`
 }
 
 // PlatformSpecApplyConfiguration constructs a declarative configuration of the PlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformstatus.go
index e470ebd96af5f..a24f6d2079f07 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformstatus.go
@@ -8,22 +8,51 @@ import (
 
 // PlatformStatusApplyConfiguration represents a declarative configuration of the PlatformStatus type for use
 // with apply.
+//
+// PlatformStatus holds the current status specific to the underlying infrastructure provider
+// of the current cluster. Since these are used at status-level for the underlying cluster, it
+// is supposed that only one of the status structs is set.
 type PlatformStatusApplyConfiguration struct {
-	Type         *configv1.PlatformType                        `json:"type,omitempty"`
-	AWS          *AWSPlatformStatusApplyConfiguration          `json:"aws,omitempty"`
-	Azure        *AzurePlatformStatusApplyConfiguration        `json:"azure,omitempty"`
-	GCP          *GCPPlatformStatusApplyConfiguration          `json:"gcp,omitempty"`
-	BareMetal    *BareMetalPlatformStatusApplyConfiguration    `json:"baremetal,omitempty"`
-	OpenStack    *OpenStackPlatformStatusApplyConfiguration    `json:"openstack,omitempty"`
-	Ovirt        *OvirtPlatformStatusApplyConfiguration        `json:"ovirt,omitempty"`
-	VSphere      *VSpherePlatformStatusApplyConfiguration      `json:"vsphere,omitempty"`
-	IBMCloud     *IBMCloudPlatformStatusApplyConfiguration     `json:"ibmcloud,omitempty"`
-	Kubevirt     *KubevirtPlatformStatusApplyConfiguration     `json:"kubevirt,omitempty"`
+	// type is the underlying infrastructure provider for the cluster. This
+	// value controls whether infrastructure automation such as service load
+	// balancers, dynamic volume provisioning, machine creation and deletion, and
+	// other integrations are enabled. If None, no infrastructure automation is
+	// enabled. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt",
+	// "OpenStack", "VSphere", "oVirt", "EquinixMetal", "PowerVS", "AlibabaCloud", "Nutanix" and "None".
+	// Individual components may not support all platforms, and must handle
+	// unrecognized platforms as None if they do not support that platform.
+	//
+	// This value will be synced with to the `status.platform` and `status.platformStatus.type`.
+	// Currently this value cannot be changed once set.
+	Type *configv1.PlatformType `json:"type,omitempty"`
+	// aws contains settings specific to the Amazon Web Services infrastructure provider.
+	AWS *AWSPlatformStatusApplyConfiguration `json:"aws,omitempty"`
+	// azure contains settings specific to the Azure infrastructure provider.
+	Azure *AzurePlatformStatusApplyConfiguration `json:"azure,omitempty"`
+	// gcp contains settings specific to the Google Cloud Platform infrastructure provider.
+	GCP *GCPPlatformStatusApplyConfiguration `json:"gcp,omitempty"`
+	// baremetal contains settings specific to the BareMetal platform.
+	BareMetal *BareMetalPlatformStatusApplyConfiguration `json:"baremetal,omitempty"`
+	// openstack contains settings specific to the OpenStack infrastructure provider.
+	OpenStack *OpenStackPlatformStatusApplyConfiguration `json:"openstack,omitempty"`
+	// ovirt contains settings specific to the oVirt infrastructure provider.
+	Ovirt *OvirtPlatformStatusApplyConfiguration `json:"ovirt,omitempty"`
+	// vsphere contains settings specific to the VSphere infrastructure provider.
+	VSphere *VSpherePlatformStatusApplyConfiguration `json:"vsphere,omitempty"`
+	// ibmcloud contains settings specific to the IBMCloud infrastructure provider.
+	IBMCloud *IBMCloudPlatformStatusApplyConfiguration `json:"ibmcloud,omitempty"`
+	// kubevirt contains settings specific to the kubevirt infrastructure provider.
+	Kubevirt *KubevirtPlatformStatusApplyConfiguration `json:"kubevirt,omitempty"`
+	// equinixMetal contains settings specific to the Equinix Metal infrastructure provider.
 	EquinixMetal *EquinixMetalPlatformStatusApplyConfiguration `json:"equinixMetal,omitempty"`
-	PowerVS      *PowerVSPlatformStatusApplyConfiguration      `json:"powervs,omitempty"`
+	// powervs contains settings specific to the Power Systems Virtual Servers infrastructure provider.
+	PowerVS *PowerVSPlatformStatusApplyConfiguration `json:"powervs,omitempty"`
+	// alibabaCloud contains settings specific to the Alibaba Cloud infrastructure provider.
 	AlibabaCloud *AlibabaCloudPlatformStatusApplyConfiguration `json:"alibabaCloud,omitempty"`
-	Nutanix      *NutanixPlatformStatusApplyConfiguration      `json:"nutanix,omitempty"`
-	External     *ExternalPlatformStatusApplyConfiguration     `json:"external,omitempty"`
+	// nutanix contains settings specific to the Nutanix infrastructure provider.
+	Nutanix *NutanixPlatformStatusApplyConfiguration `json:"nutanix,omitempty"`
+	// external contains settings specific to the generic External infrastructure provider.
+	External *ExternalPlatformStatusApplyConfiguration `json:"external,omitempty"`
 }
 
 // PlatformStatusApplyConfiguration constructs a declarative configuration of the PlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go
deleted file mode 100644
index 3e29510bf1486..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policy.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1
-
-// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use
-// with apply.
-type PolicyApplyConfiguration struct {
-	RootOfTrust    *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"`
-	SignedIdentity *PolicyIdentityApplyConfiguration    `json:"signedIdentity,omitempty"`
-}
-
-// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with
-// apply.
-func Policy() *PolicyApplyConfiguration {
-	return &PolicyApplyConfiguration{}
-}
-
-// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the RootOfTrust field is set to the value of the last call.
-func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration {
-	b.RootOfTrust = value
-	return b
-}
-
-// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the SignedIdentity field is set to the value of the last call.
-func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration {
-	b.SignedIdentity = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go
index 7f61d420c0d91..d477226102686 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go
@@ -4,8 +4,17 @@ package v1
 
 // PolicyFulcioSubjectApplyConfiguration represents a declarative configuration of the PolicyFulcioSubject type for use
 // with apply.
+//
+// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.
 type PolicyFulcioSubjectApplyConfiguration struct {
-	OIDCIssuer  *string `json:"oidcIssuer,omitempty"`
+	// oidcIssuer is a required filed contains the expected OIDC issuer. The oidcIssuer must be a valid URL and at most 2048 characters in length.
+	// It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL.
+	// When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token.
+	// Example: "https://expected.OIDC.issuer/"
+	OIDCIssuer *string `json:"oidcIssuer,omitempty"`
+	// signedEmail is a required field holds the email address that the Fulcio certificate is issued for.
+	// The signedEmail must be a valid email address and at most 320 characters in length.
+	// Example: "expected-signing-user@example.com"
 	SignedEmail *string `json:"signedEmail,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go
index 0e4e46be6900a..9c5728218f145 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go
@@ -8,10 +8,22 @@ import (
 
 // PolicyIdentityApplyConfiguration represents a declarative configuration of the PolicyIdentity type for use
 // with apply.
+//
+// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
 type PolicyIdentityApplyConfiguration struct {
-	MatchPolicy                *configv1.IdentityMatchPolicy                 `json:"matchPolicy,omitempty"`
+	// matchPolicy is a required filed specifies matching strategy to verify the image identity in the signature against the image scope.
+	// Allowed values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact".
+	// When set to "MatchRepoDigestOrExact", the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity.
+	// When set to "MatchRepository", the identity in the signature must be in the same repository as the image identity.
+	// When set to "ExactRepository", the exactRepository must be specified. The identity in the signature must be in the same repository as a specific identity specified by "repository".
+	// When set to "RemapIdentity", the remapIdentity must be specified. The signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.
+	MatchPolicy *configv1.IdentityMatchPolicy `json:"matchPolicy,omitempty"`
+	// exactRepository specifies the repository that must be exactly matched by the identity in the signature.
+	// exactRepository is required if matchPolicy is set to "ExactRepository". It is used to verify that the signature claims an identity matching this exact repository, rather than the original image identity.
 	PolicyMatchExactRepository *PolicyMatchExactRepositoryApplyConfiguration `json:"exactRepository,omitempty"`
-	PolicyMatchRemapIdentity   *PolicyMatchRemapIdentityApplyConfiguration   `json:"remapIdentity,omitempty"`
+	// remapIdentity specifies the prefix remapping rule for verifying image identity.
+	// remapIdentity is required if matchPolicy is set to "RemapIdentity". It is used to verify that the signature claims a different registry/repository prefix than the original image.
+	PolicyMatchRemapIdentity *PolicyMatchRemapIdentityApplyConfiguration `json:"remapIdentity,omitempty"`
 }
 
 // PolicyIdentityApplyConfiguration constructs a declarative configuration of the PolicyIdentity type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go
index 3b4fcbd9ce3d7..2b988ad4c7a87 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go
@@ -9,6 +9,9 @@ import (
 // PolicyMatchExactRepositoryApplyConfiguration represents a declarative configuration of the PolicyMatchExactRepository type for use
 // with apply.
 type PolicyMatchExactRepositoryApplyConfiguration struct {
+	// repository is the reference of the image identity to be matched.
+	// repository is required if matchPolicy is set to "ExactRepository".
+	// The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox
 	Repository *configv1.IdentityRepositoryPrefix `json:"repository,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go
index 3cf5ccf68cd3f..a12763447a886 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go
@@ -9,7 +9,18 @@ import (
 // PolicyMatchRemapIdentityApplyConfiguration represents a declarative configuration of the PolicyMatchRemapIdentity type for use
 // with apply.
 type PolicyMatchRemapIdentityApplyConfiguration struct {
-	Prefix       *configv1.IdentityRepositoryPrefix `json:"prefix,omitempty"`
+	// prefix is required if matchPolicy is set to "RemapIdentity".
+	// prefix is the prefix of the image identity to be matched.
+	// If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place).
+	// This is useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure.
+	// The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+	Prefix *configv1.IdentityRepositoryPrefix `json:"prefix,omitempty"`
+	// signedPrefix is required if matchPolicy is set to "RemapIdentity".
+	// signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
 	SignedPrefix *configv1.IdentityRepositoryPrefix `json:"signedPrefix,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
index f1ff91ffbd67e..78463deb6c647 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go
@@ -8,11 +8,26 @@ import (
 
 // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use
 // with apply.
+//
+// PolicyRootOfTrust defines the root of trust based on the selected policyType.
 type PolicyRootOfTrustApplyConfiguration struct {
-	PolicyType        *configv1.PolicyType                 `json:"policyType,omitempty"`
-	PublicKey         *PublicKeyApplyConfiguration         `json:"publicKey,omitempty"`
-	FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"`
-	PKI               *PKIApplyConfiguration               `json:"pki,omitempty"`
+	// policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated.
+	// Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI".
+	// When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
+	// When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification.
+	// When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).
+	PolicyType *configv1.PolicyType `json:"policyType,omitempty"`
+	// publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
+	// publicKey is required when policyType is PublicKey, and forbidden otherwise.
+	PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"`
+	// fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
+	// fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
+	// For more information about Fulcio and Rekor, please refer to the document at:
+	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"`
+	// pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
+	// pki is required when policyType is PKI, and forbidden otherwise.
+	PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"`
 }
 
 // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with
@@ -32,7 +47,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1.Poli
 // WithPublicKey sets the PublicKey field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the PublicKey field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.PublicKey = value
 	return b
 }
@@ -40,7 +55,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl
 // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.FulcioCAWithRekor = value
 	return b
 }
@@ -48,7 +63,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci
 // WithPKI sets the PKI field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the PKI field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.PKI = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformspec.go
index db3c3d1d932cd..3ec6312ba9f25 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformspec.go
@@ -4,7 +4,12 @@ package v1
 
 // PowerVSPlatformSpecApplyConfiguration represents a declarative configuration of the PowerVSPlatformSpec type for use
 // with apply.
+//
+// PowerVSPlatformSpec holds the desired state of the IBM Power Systems Virtual Servers infrastructure provider.
+// This only includes fields that can be modified in the cluster.
 type PowerVSPlatformSpecApplyConfiguration struct {
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of a Power VS service.
 	ServiceEndpoints []PowerVSServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformstatus.go
index f40099f16f830..8d6b0b3ad7c3c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformstatus.go
@@ -4,13 +4,29 @@ package v1
 
 // PowerVSPlatformStatusApplyConfiguration represents a declarative configuration of the PowerVSPlatformStatus type for use
 // with apply.
+//
+// PowerVSPlatformStatus holds the current status of the IBM Power Systems Virtual Servers infrastrucutre provider.
 type PowerVSPlatformStatusApplyConfiguration struct {
-	Region           *string                                    `json:"region,omitempty"`
-	Zone             *string                                    `json:"zone,omitempty"`
-	ResourceGroup    *string                                    `json:"resourceGroup,omitempty"`
+	// region holds the default Power VS region for new Power VS resources created by the cluster.
+	Region *string `json:"region,omitempty"`
+	// zone holds the default zone for the new Power VS resources created by the cluster.
+	// Note: Currently only single-zone OCP clusters are supported
+	Zone *string `json:"zone,omitempty"`
+	// resourceGroup is the resource group name for new IBMCloud resources created for a cluster.
+	// The resource group specified here will be used by cluster-image-registry-operator to set up a COS Instance in IBMCloud for the cluster registry.
+	// More about resource groups can be found here: https://cloud.ibm.com/docs/account?topic=account-rgs.
+	// When omitted, the image registry operator won't be able to configure storage,
+	// which results in the image registry cluster operator not being in an available state.
+	ResourceGroup *string `json:"resourceGroup,omitempty"`
+	// serviceEndpoints is a list of custom endpoints which will override the default
+	// service endpoints of a Power VS service.
 	ServiceEndpoints []PowerVSServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"`
-	CISInstanceCRN   *string                                    `json:"cisInstanceCRN,omitempty"`
-	DNSInstanceCRN   *string                                    `json:"dnsInstanceCRN,omitempty"`
+	// cisInstanceCRN is the CRN of the Cloud Internet Services instance managing
+	// the DNS zone for the cluster's base domain
+	CISInstanceCRN *string `json:"cisInstanceCRN,omitempty"`
+	// dnsInstanceCRN is the CRN of the DNS Services instance managing the DNS zone
+	// for the cluster's base domain
+	DNSInstanceCRN *string `json:"dnsInstanceCRN,omitempty"`
 }
 
 // PowerVSPlatformStatusApplyConfiguration constructs a declarative configuration of the PowerVSPlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsserviceendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsserviceendpoint.go
index 8fd231a2ab9ff..e2b1fac87dd23 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsserviceendpoint.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsserviceendpoint.go
@@ -4,9 +4,20 @@ package v1
 
 // PowerVSServiceEndpointApplyConfiguration represents a declarative configuration of the PowerVSServiceEndpoint type for use
 // with apply.
+//
+// PowervsServiceEndpoint stores the configuration of a custom url to
+// override existing defaults of PowerVS Services.
 type PowerVSServiceEndpointApplyConfiguration struct {
+	// name is the name of the Power VS service.
+	// Few of the services are
+	// IAM - https://cloud.ibm.com/apidocs/iam-identity-token-api
+	// ResourceController - https://cloud.ibm.com/apidocs/resource-controller/resource-controller
+	// Power Cloud - https://cloud.ibm.com/apidocs/power-cloud
 	Name *string `json:"name,omitempty"`
-	URL  *string `json:"url,omitempty"`
+	// url is fully qualified URI with scheme https, that overrides the default generated
+	// endpoint for a client.
+	// This must be provided and cannot be empty.
+	URL *string `json:"url,omitempty"`
 }
 
 // PowerVSServiceEndpointApplyConfiguration constructs a declarative configuration of the PowerVSServiceEndpoint type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go
index 2455204339727..24d8261c9cb3d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go
@@ -4,9 +4,17 @@ package v1
 
 // PrefixedClaimMappingApplyConfiguration represents a declarative configuration of the PrefixedClaimMapping type for use
 // with apply.
+//
+// PrefixedClaimMapping configures a claim mapping
+// that allows for an optional prefix.
 type PrefixedClaimMappingApplyConfiguration struct {
 	TokenClaimMappingApplyConfiguration `json:",inline"`
-	Prefix                              *string `json:"prefix,omitempty"`
+	// prefix is an optional field that configures the prefix that will be applied to the cluster identity attribute during the process of mapping JWT claims to cluster identity attributes.
+	//
+	// When omitted (""), no prefix is applied to the cluster identity attribute.
+	//
+	// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
+	Prefix *string `json:"prefix,omitempty"`
 }
 
 // PrefixedClaimMappingApplyConfiguration constructs a declarative configuration of the PrefixedClaimMapping type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/profilecustomizations.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/profilecustomizations.go
index c2392bab98101..034c969240b12 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/profilecustomizations.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/profilecustomizations.go
@@ -8,7 +8,17 @@ import (
 
 // ProfileCustomizationsApplyConfiguration represents a declarative configuration of the ProfileCustomizations type for use
 // with apply.
+//
+// ProfileCustomizations contains various parameters for modifying the default behavior of certain profiles
 type ProfileCustomizationsApplyConfiguration struct {
+	// dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler.
+	// Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod.
+	// Third-party resource drivers are responsible for tracking and allocating resources.
+	// Different kinds of resources support arbitrary parameters for defining requirements and initialization.
+	// Valid values are Enabled, Disabled and omitted.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default,
+	// which is subject to change over time.
+	// The current default is Disabled.
 	DynamicResourceAllocation *configv1.DRAEnablement `json:"dynamicResourceAllocation,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/project.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/project.go
index e9b7c2c6b6ccc..5bcc3a26ef7fc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/project.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/project.go
@@ -13,11 +13,19 @@ import (
 
 // ProjectApplyConfiguration represents a declarative configuration of the Project type for use
 // with apply.
+//
+// Project holds cluster-wide information about Project.  The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ProjectApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ProjectSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.ProjectStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ProjectSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1.ProjectStatus `json:"status,omitempty"`
 }
 
 // Project constructs a declarative configuration of the Project type for use with
@@ -30,6 +38,26 @@ func Project(name string) *ProjectApplyConfiguration {
 	return b
 }
 
+// ExtractProjectFrom extracts the applied configuration owned by fieldManager from
+// project for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// project must be a unmodified Project API object that was retrieved from the Kubernetes API.
+// ExtractProjectFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractProjectFrom(project *configv1.Project, fieldManager string, subresource string) (*ProjectApplyConfiguration, error) {
+	b := &ProjectApplyConfiguration{}
+	err := managedfields.ExtractInto(project, internal.Parser().Type("com.github.openshift.api.config.v1.Project"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(project.Name)
+
+	b.WithKind("Project")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractProject extracts the applied configuration owned by fieldManager from
 // project. If no managedFields are found in project for fieldManager, a
 // ProjectApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func Project(name string) *ProjectApplyConfiguration {
 // ExtractProject provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractProject(project *configv1.Project, fieldManager string) (*ProjectApplyConfiguration, error) {
-	return extractProject(project, fieldManager, "")
+	return ExtractProjectFrom(project, fieldManager, "")
 }
 
-// ExtractProjectStatus is the same as ExtractProject except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractProjectStatus extracts the applied configuration owned by fieldManager from
+// project for the status subresource.
 func ExtractProjectStatus(project *configv1.Project, fieldManager string) (*ProjectApplyConfiguration, error) {
-	return extractProject(project, fieldManager, "status")
+	return ExtractProjectFrom(project, fieldManager, "status")
 }
 
-func extractProject(project *configv1.Project, fieldManager string, subresource string) (*ProjectApplyConfiguration, error) {
-	b := &ProjectApplyConfiguration{}
-	err := managedfields.ExtractInto(project, internal.Parser().Type("com.github.openshift.api.config.v1.Project"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(project.Name)
-
-	b.WithKind("Project")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ProjectApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/projectspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/projectspec.go
index 417be90be423b..bb1ba853526fb 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/projectspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/projectspec.go
@@ -4,8 +4,14 @@ package v1
 
 // ProjectSpecApplyConfiguration represents a declarative configuration of the ProjectSpec type for use
 // with apply.
+//
+// ProjectSpec holds the project creation configuration.
 type ProjectSpecApplyConfiguration struct {
-	ProjectRequestMessage  *string                              `json:"projectRequestMessage,omitempty"`
+	// projectRequestMessage is the string presented to a user if they are unable to request a project via the projectrequest api endpoint
+	ProjectRequestMessage *string `json:"projectRequestMessage,omitempty"`
+	// projectRequestTemplate is the template to use for creating projects in response to projectrequest.
+	// This must point to a template in 'openshift-config' namespace. It is optional.
+	// If it is not specified, a default template is used.
 	ProjectRequestTemplate *TemplateReferenceApplyConfiguration `json:"projectRequestTemplate,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/promqlclustercondition.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/promqlclustercondition.go
index e3f40e4f9ee6a..fcb66c6fd8b33 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/promqlclustercondition.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/promqlclustercondition.go
@@ -4,7 +4,14 @@ package v1
 
 // PromQLClusterConditionApplyConfiguration represents a declarative configuration of the PromQLClusterCondition type for use
 // with apply.
+//
+// PromQLClusterCondition represents a cluster condition based on PromQL.
 type PromQLClusterConditionApplyConfiguration struct {
+	// promql is a PromQL query classifying clusters. This query
+	// query should return a 1 in the match case and a 0 in the
+	// does-not-match case. Queries which return no time
+	// series, or which return values besides 0 or 1, are
+	// evaluation failures.
 	PromQL *string `json:"promql,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxy.go
index 7992e28f2162e..155de1eaf9045 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxy.go
@@ -13,11 +13,19 @@ import (
 
 // ProxyApplyConfiguration represents a declarative configuration of the Proxy type for use
 // with apply.
+//
+// Proxy holds cluster-wide information on how to configure default proxies for the cluster. The canonical name is `cluster`
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ProxyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ProxySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ProxyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user-settable values for the proxy configuration
+	Spec *ProxySpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *ProxyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Proxy constructs a declarative configuration of the Proxy type for use with
@@ -30,6 +38,26 @@ func Proxy(name string) *ProxyApplyConfiguration {
 	return b
 }
 
+// ExtractProxyFrom extracts the applied configuration owned by fieldManager from
+// proxy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// proxy must be a unmodified Proxy API object that was retrieved from the Kubernetes API.
+// ExtractProxyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractProxyFrom(proxy *configv1.Proxy, fieldManager string, subresource string) (*ProxyApplyConfiguration, error) {
+	b := &ProxyApplyConfiguration{}
+	err := managedfields.ExtractInto(proxy, internal.Parser().Type("com.github.openshift.api.config.v1.Proxy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(proxy.Name)
+
+	b.WithKind("Proxy")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractProxy extracts the applied configuration owned by fieldManager from
 // proxy. If no managedFields are found in proxy for fieldManager, a
 // ProxyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func Proxy(name string) *ProxyApplyConfiguration {
 // ExtractProxy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractProxy(proxy *configv1.Proxy, fieldManager string) (*ProxyApplyConfiguration, error) {
-	return extractProxy(proxy, fieldManager, "")
+	return ExtractProxyFrom(proxy, fieldManager, "")
 }
 
-// ExtractProxyStatus is the same as ExtractProxy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractProxyStatus extracts the applied configuration owned by fieldManager from
+// proxy for the status subresource.
 func ExtractProxyStatus(proxy *configv1.Proxy, fieldManager string) (*ProxyApplyConfiguration, error) {
-	return extractProxy(proxy, fieldManager, "status")
+	return ExtractProxyFrom(proxy, fieldManager, "status")
 }
 
-func extractProxy(proxy *configv1.Proxy, fieldManager string, subresource string) (*ProxyApplyConfiguration, error) {
-	b := &ProxyApplyConfiguration{}
-	err := managedfields.ExtractInto(proxy, internal.Parser().Type("com.github.openshift.api.config.v1.Proxy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(proxy.Name)
-
-	b.WithKind("Proxy")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b ProxyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxyspec.go
index bd2cf66570db3..6ddce630fa952 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxyspec.go
@@ -4,12 +4,42 @@ package v1
 
 // ProxySpecApplyConfiguration represents a declarative configuration of the ProxySpec type for use
 // with apply.
+//
+// ProxySpec contains cluster proxy creation configuration.
 type ProxySpecApplyConfiguration struct {
-	HTTPProxy          *string                                   `json:"httpProxy,omitempty"`
-	HTTPSProxy         *string                                   `json:"httpsProxy,omitempty"`
-	NoProxy            *string                                   `json:"noProxy,omitempty"`
-	ReadinessEndpoints []string                                  `json:"readinessEndpoints,omitempty"`
-	TrustedCA          *ConfigMapNameReferenceApplyConfiguration `json:"trustedCA,omitempty"`
+	// httpProxy is the URL of the proxy for HTTP requests.  Empty means unset and will not result in an env var.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// httpsProxy is the URL of the proxy for HTTPS requests.  Empty means unset and will not result in an env var.
+	HTTPSProxy *string `json:"httpsProxy,omitempty"`
+	// noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.
+	// Empty means unset and will not result in an env var.
+	NoProxy *string `json:"noProxy,omitempty"`
+	// readinessEndpoints is a list of endpoints used to verify readiness of the proxy.
+	ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
+	// trustedCA is a reference to a ConfigMap containing a CA certificate bundle.
+	// The trustedCA field should only be consumed by a proxy validator. The
+	// validator is responsible for reading the certificate bundle from the required
+	// key "ca-bundle.crt", merging it with the system default trust bundle,
+	// and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle"
+	// in the "openshift-config-managed" namespace. Clients that expect to make
+	// proxy connections must use the trusted-ca-bundle for all HTTPS requests to
+	// the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as
+	// well.
+	//
+	// The namespace for the ConfigMap referenced by trustedCA is
+	// "openshift-config". Here is an example ConfigMap (in yaml):
+	//
+	// apiVersion: v1
+	// kind: ConfigMap
+	// metadata:
+	// name: user-ca-bundle
+	// namespace: openshift-config
+	// data:
+	// ca-bundle.crt: |
+	// -----BEGIN CERTIFICATE-----
+	// Custom CA certificate bundle.
+	// -----END CERTIFICATE-----
+	TrustedCA *ConfigMapNameReferenceApplyConfiguration `json:"trustedCA,omitempty"`
 }
 
 // ProxySpecApplyConfiguration constructs a declarative configuration of the ProxySpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxystatus.go
index 784afdff6f7d4..7b6b58ff43995 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxystatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxystatus.go
@@ -4,10 +4,15 @@ package v1
 
 // ProxyStatusApplyConfiguration represents a declarative configuration of the ProxyStatus type for use
 // with apply.
+//
+// ProxyStatus shows current known state of the cluster proxy.
 type ProxyStatusApplyConfiguration struct {
-	HTTPProxy  *string `json:"httpProxy,omitempty"`
+	// httpProxy is the URL of the proxy for HTTP requests.
+	HTTPProxy *string `json:"httpProxy,omitempty"`
+	// httpsProxy is the URL of the proxy for HTTPS requests.
 	HTTPSProxy *string `json:"httpsProxy,omitempty"`
-	NoProxy    *string `json:"noProxy,omitempty"`
+	// noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used.
+	NoProxy *string `json:"noProxy,omitempty"`
 }
 
 // ProxyStatusApplyConfiguration constructs a declarative configuration of the ProxyStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go
deleted file mode 100644
index c1073e882f699..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/publickey.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1
-
-// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use
-// with apply.
-type PublicKeyApplyConfiguration struct {
-	KeyData      []byte `json:"keyData,omitempty"`
-	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
-}
-
-// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with
-// apply.
-func PublicKey() *PublicKeyApplyConfiguration {
-	return &PublicKeyApplyConfiguration{}
-}
-
-// WithKeyData adds the given value to the KeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the KeyData field.
-func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration {
-	for i := range values {
-		b.KeyData = append(b.KeyData, values[i])
-	}
-	return b
-}
-
-// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
-func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration {
-	for i := range values {
-		b.RekorKeyData = append(b.RekorKeyData, values[i])
-	}
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrylocation.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrylocation.go
index d4aaa4e1e8d84..1994631dd51f8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrylocation.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrylocation.go
@@ -4,9 +4,17 @@ package v1
 
 // RegistryLocationApplyConfiguration represents a declarative configuration of the RegistryLocation type for use
 // with apply.
+//
+// RegistryLocation contains a location of the registry specified by the registry domain
+// name. The domain name might include wildcards, like '*' or '??'.
 type RegistryLocationApplyConfiguration struct {
+	// domainName specifies a domain name for the registry
+	// In case the registry use non-standard (80 or 443) port, the port should be included
+	// in the domain name as well.
 	DomainName *string `json:"domainName,omitempty"`
-	Insecure   *bool   `json:"insecure,omitempty"`
+	// insecure indicates whether the registry is secure (https) or insecure (http)
+	// By default (if not specified) the registry is assumed as secure.
+	Insecure *bool `json:"insecure,omitempty"`
 }
 
 // RegistryLocationApplyConfiguration constructs a declarative configuration of the RegistryLocation type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go
index a92592f304552..61fc436e6f6d6 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/registrysources.go
@@ -4,10 +4,22 @@ package v1
 
 // RegistrySourcesApplyConfiguration represents a declarative configuration of the RegistrySources type for use
 // with apply.
+//
+// RegistrySources holds cluster-wide information about how to handle the registries config.
 type RegistrySourcesApplyConfiguration struct {
-	InsecureRegistries               []string `json:"insecureRegistries,omitempty"`
-	BlockedRegistries                []string `json:"blockedRegistries,omitempty"`
-	AllowedRegistries                []string `json:"allowedRegistries,omitempty"`
+	// insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
+	// blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
+	// allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+	//
+	// Only one of BlockedRegistries or AllowedRegistries may be set.
+	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
+	// containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified
+	// domains in their pull specs. Registries will be searched in the order provided in the list.
+	// Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports.
 	ContainerRuntimeSearchRegistries []string `json:"containerRuntimeSearchRegistries,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/release.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/release.go
index c8275fcde24d8..488e486b8571c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/release.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/release.go
@@ -8,12 +8,31 @@ import (
 
 // ReleaseApplyConfiguration represents a declarative configuration of the Release type for use
 // with apply.
+//
+// Release represents an OpenShift release image and associated metadata.
 type ReleaseApplyConfiguration struct {
+	// architecture is an optional field that indicates the
+	// value of the cluster architecture. In this context cluster
+	// architecture means either a single architecture or a multi
+	// architecture.
+	// Valid values are 'Multi' and empty.
 	Architecture *configv1.ClusterVersionArchitecture `json:"architecture,omitempty"`
-	Version      *string                              `json:"version,omitempty"`
-	Image        *string                              `json:"image,omitempty"`
-	URL          *configv1.URL                        `json:"url,omitempty"`
-	Channels     []string                             `json:"channels,omitempty"`
+	// version is a semantic version identifying the update version. When this
+	// field is part of spec, version is optional if image is specified.
+	Version *string `json:"version,omitempty"`
+	// image is a container image location that contains the update. When this
+	// field is part of spec, image is optional if version is specified and the
+	// availableUpdates field contains a matching version.
+	Image *string `json:"image,omitempty"`
+	// url contains information about this release. This URL is set by
+	// the 'url' metadata property on a release or the metadata returned by
+	// the update API and should be displayed as a link in user
+	// interfaces. The URL field may not be set for test or nightly
+	// releases.
+	URL *configv1.URL `json:"url,omitempty"`
+	// channels is the set of Cincinnati channels to which the release
+	// currently belongs.
+	Channels []string `json:"channels,omitempty"`
 }
 
 // ReleaseApplyConfiguration constructs a declarative configuration of the Release type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/repositorydigestmirrors.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/repositorydigestmirrors.go
index 96f7240951abe..8a211863b190a 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/repositorydigestmirrors.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/repositorydigestmirrors.go
@@ -8,10 +8,24 @@ import (
 
 // RepositoryDigestMirrorsApplyConfiguration represents a declarative configuration of the RepositoryDigestMirrors type for use
 // with apply.
+//
+// RepositoryDigestMirrors holds cluster-wide information about how to handle mirrors in the registries config.
 type RepositoryDigestMirrorsApplyConfiguration struct {
-	Source            *string           `json:"source,omitempty"`
-	AllowMirrorByTags *bool             `json:"allowMirrorByTags,omitempty"`
-	Mirrors           []configv1.Mirror `json:"mirrors,omitempty"`
+	// source is the repository that users refer to, e.g. in image pull specifications.
+	Source *string `json:"source,omitempty"`
+	// allowMirrorByTags if true, the mirrors can be used to pull the images that are referenced by their tags. Default is false, the mirrors only work when pulling the images that are referenced by their digests.
+	// Pulling images by tag can potentially yield different images, depending on which endpoint
+	// we pull from. Forcing digest-pulls for mirrors avoids that issue.
+	AllowMirrorByTags *bool `json:"allowMirrorByTags,omitempty"`
+	// mirrors is zero or more repositories that may also contain the same images.
+	// If the "mirrors" is not specified, the image will continue to be pulled from the specified
+	// repository in the pull spec. No mirror will be configured.
+	// The order of mirrors in this list is treated as the user's desired priority, while source
+	// is by default considered lower priority than all mirrors. Other cluster configuration,
+	// including (but not limited to) other repositoryDigestMirrors objects,
+	// may impact the exact order mirrors are contacted in, or some mirrors may be contacted
+	// in parallel, so this should be considered a preference rather than a guarantee of ordering.
+	Mirrors []configv1.Mirror `json:"mirrors,omitempty"`
 }
 
 // RepositoryDigestMirrorsApplyConfiguration constructs a declarative configuration of the RepositoryDigestMirrors type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requestheaderidentityprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requestheaderidentityprovider.go
index 2911473d024bc..674bf56e1d394 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requestheaderidentityprovider.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requestheaderidentityprovider.go
@@ -4,15 +4,45 @@ package v1
 
 // RequestHeaderIdentityProviderApplyConfiguration represents a declarative configuration of the RequestHeaderIdentityProvider type for use
 // with apply.
+//
+// RequestHeaderIdentityProvider provides identities for users authenticating using request header credentials
 type RequestHeaderIdentityProviderApplyConfiguration struct {
-	LoginURL                 *string                                   `json:"loginURL,omitempty"`
-	ChallengeURL             *string                                   `json:"challengeURL,omitempty"`
-	ClientCA                 *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
-	ClientCommonNames        []string                                  `json:"clientCommonNames,omitempty"`
-	Headers                  []string                                  `json:"headers,omitempty"`
-	PreferredUsernameHeaders []string                                  `json:"preferredUsernameHeaders,omitempty"`
-	NameHeaders              []string                                  `json:"nameHeaders,omitempty"`
-	EmailHeaders             []string                                  `json:"emailHeaders,omitempty"`
+	// loginURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	// https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	// https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when login is set to true.
+	LoginURL *string `json:"loginURL,omitempty"`
+	// challengeURL is a URL to redirect unauthenticated /authorize requests to
+	// Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be
+	// redirected here.
+	// ${url} is replaced with the current URL, escaped to be safe in a query parameter
+	// https://www.example.com/sso-login?then=${url}
+	// ${query} is replaced with the current query string
+	// https://www.example.com/auth-proxy/oauth/authorize?${query}
+	// Required when challenge is set to true.
+	ChallengeURL *string `json:"challengeURL,omitempty"`
+	// ca is a required reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// Specifically, it allows verification of incoming requests to prevent header spoofing.
+	// The key "ca.crt" is used to locate the data.
+	// If the config map or expected key is not found, the identity provider is not honored.
+	// If the specified ca data is not valid, the identity provider is not honored.
+	// The namespace for this config map is openshift-config.
+	ClientCA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// clientCommonNames is an optional list of common names to require a match from. If empty, any
+	// client certificate validated against the clientCA bundle is considered authoritative.
+	ClientCommonNames []string `json:"clientCommonNames,omitempty"`
+	// headers is the set of headers to check for identity information
+	Headers []string `json:"headers,omitempty"`
+	// preferredUsernameHeaders is the set of headers to check for the preferred username
+	PreferredUsernameHeaders []string `json:"preferredUsernameHeaders,omitempty"`
+	// nameHeaders is the set of headers to check for the display name
+	NameHeaders []string `json:"nameHeaders,omitempty"`
+	// emailHeaders is the set of headers to check for the email address
+	EmailHeaders []string `json:"emailHeaders,omitempty"`
 }
 
 // RequestHeaderIdentityProviderApplyConfiguration constructs a declarative configuration of the RequestHeaderIdentityProvider type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requiredhstspolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requiredhstspolicy.go
index c68466123a223..e78614500926e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requiredhstspolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/requiredhstspolicy.go
@@ -10,11 +10,34 @@ import (
 // RequiredHSTSPolicyApplyConfiguration represents a declarative configuration of the RequiredHSTSPolicy type for use
 // with apply.
 type RequiredHSTSPolicyApplyConfiguration struct {
-	NamespaceSelector       *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
-	DomainPatterns          []string                                `json:"domainPatterns,omitempty"`
-	MaxAge                  *MaxAgePolicyApplyConfiguration         `json:"maxAge,omitempty"`
-	PreloadPolicy           *configv1.PreloadPolicy                 `json:"preloadPolicy,omitempty"`
-	IncludeSubDomainsPolicy *configv1.IncludeSubDomainsPolicy       `json:"includeSubDomainsPolicy,omitempty"`
+	// namespaceSelector specifies a label selector such that the policy applies only to those routes that
+	// are in namespaces with labels that match the selector, and are in one of the DomainPatterns.
+	// Defaults to the empty LabelSelector, which matches everything.
+	NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"`
+	// domainPatterns is a list of domains for which the desired HSTS annotations are required.
+	// If domainPatterns is specified and a route is created with a spec.host matching one of the domains,
+	// the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy.
+	//
+	// The use of wildcards is allowed like this: *.foo.com matches everything under foo.com.
+	// foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*.
+	DomainPatterns []string `json:"domainPatterns,omitempty"`
+	// maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts.
+	// If set to 0, it negates the effect, and hosts are removed as HSTS hosts.
+	// If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts.
+	// maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS
+	// policy will eventually expire on that client.
+	MaxAge *MaxAgePolicyApplyConfiguration `json:"maxAge,omitempty"`
+	// preloadPolicy directs the client to include hosts in its host preload list so that
+	// it never needs to do an initial load to get the HSTS header (note that this is not defined
+	// in RFC 6797 and is therefore client implementation-dependent).
+	PreloadPolicy *configv1.PreloadPolicy `json:"preloadPolicy,omitempty"`
+	// includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's
+	// domain name.  Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains:
+	// - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com
+	// - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com
+	// - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com
+	// - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com
+	IncludeSubDomainsPolicy *configv1.IncludeSubDomainsPolicy `json:"includeSubDomainsPolicy,omitempty"`
 }
 
 // RequiredHSTSPolicyApplyConfiguration constructs a declarative configuration of the RequiredHSTSPolicy type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/scheduler.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/scheduler.go
index 2f04f83ede8b8..3e6a193936103 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/scheduler.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/scheduler.go
@@ -13,11 +13,20 @@ import (
 
 // SchedulerApplyConfiguration represents a declarative configuration of the Scheduler type for use
 // with apply.
+//
+// Scheduler holds cluster-wide config information to run the Kubernetes Scheduler
+// and influence its placement decisions. The canonical name for this config is `cluster`.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type SchedulerApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *SchedulerSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                               *configv1.SchedulerStatus        `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *SchedulerSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1.SchedulerStatus `json:"status,omitempty"`
 }
 
 // Scheduler constructs a declarative configuration of the Scheduler type for use with
@@ -30,6 +39,26 @@ func Scheduler(name string) *SchedulerApplyConfiguration {
 	return b
 }
 
+// ExtractSchedulerFrom extracts the applied configuration owned by fieldManager from
+// scheduler for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// scheduler must be a unmodified Scheduler API object that was retrieved from the Kubernetes API.
+// ExtractSchedulerFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractSchedulerFrom(scheduler *configv1.Scheduler, fieldManager string, subresource string) (*SchedulerApplyConfiguration, error) {
+	b := &SchedulerApplyConfiguration{}
+	err := managedfields.ExtractInto(scheduler, internal.Parser().Type("com.github.openshift.api.config.v1.Scheduler"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(scheduler.Name)
+
+	b.WithKind("Scheduler")
+	b.WithAPIVersion("config.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractScheduler extracts the applied configuration owned by fieldManager from
 // scheduler. If no managedFields are found in scheduler for fieldManager, a
 // SchedulerApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func Scheduler(name string) *SchedulerApplyConfiguration {
 // ExtractScheduler provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractScheduler(scheduler *configv1.Scheduler, fieldManager string) (*SchedulerApplyConfiguration, error) {
-	return extractScheduler(scheduler, fieldManager, "")
+	return ExtractSchedulerFrom(scheduler, fieldManager, "")
 }
 
-// ExtractSchedulerStatus is the same as ExtractScheduler except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractSchedulerStatus extracts the applied configuration owned by fieldManager from
+// scheduler for the status subresource.
 func ExtractSchedulerStatus(scheduler *configv1.Scheduler, fieldManager string) (*SchedulerApplyConfiguration, error) {
-	return extractScheduler(scheduler, fieldManager, "status")
+	return ExtractSchedulerFrom(scheduler, fieldManager, "status")
 }
 
-func extractScheduler(scheduler *configv1.Scheduler, fieldManager string, subresource string) (*SchedulerApplyConfiguration, error) {
-	b := &SchedulerApplyConfiguration{}
-	err := managedfields.ExtractInto(scheduler, internal.Parser().Type("com.github.openshift.api.config.v1.Scheduler"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(scheduler.Name)
-
-	b.WithKind("Scheduler")
-	b.WithAPIVersion("config.openshift.io/v1")
-	return b, nil
-}
 func (b SchedulerApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/schedulerspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/schedulerspec.go
index 2160ab2ff5316..64d0aab0799e2 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/schedulerspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/schedulerspec.go
@@ -9,11 +9,52 @@ import (
 // SchedulerSpecApplyConfiguration represents a declarative configuration of the SchedulerSpec type for use
 // with apply.
 type SchedulerSpecApplyConfiguration struct {
-	Policy                *ConfigMapNameReferenceApplyConfiguration `json:"policy,omitempty"`
-	Profile               *configv1.SchedulerProfile                `json:"profile,omitempty"`
-	ProfileCustomizations *ProfileCustomizationsApplyConfiguration  `json:"profileCustomizations,omitempty"`
-	DefaultNodeSelector   *string                                   `json:"defaultNodeSelector,omitempty"`
-	MastersSchedulable    *bool                                     `json:"mastersSchedulable,omitempty"`
+	// DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release.
+	// policy is a reference to a ConfigMap containing scheduler policy which has
+	// user specified predicates and priorities. If this ConfigMap is not available
+	// scheduler will default to use DefaultAlgorithmProvider.
+	// The namespace for this configmap is openshift-config.
+	Policy *ConfigMapNameReferenceApplyConfiguration `json:"policy,omitempty"`
+	// profile sets which scheduling profile should be set in order to configure scheduling
+	// decisions for new pods.
+	//
+	// Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring"
+	// Defaults to "LowNodeUtilization"
+	Profile *configv1.SchedulerProfile `json:"profile,omitempty"`
+	// profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.
+	// Deprecated: no longer needed, since DRA is GA starting with 4.21, and
+	// is enabled by' default in the cluster, this field will be removed in 4.24.
+	ProfileCustomizations *ProfileCustomizationsApplyConfiguration `json:"profileCustomizations,omitempty"`
+	// defaultNodeSelector helps set the cluster-wide default node selector to
+	// restrict pod placement to specific nodes. This is applied to the pods
+	// created in all namespaces and creates an intersection with any existing
+	// nodeSelectors already set on a pod, additionally constraining that pod's selector.
+	// For example,
+	// defaultNodeSelector: "type=user-node,region=east" would set nodeSelector
+	// field in pod spec to "type=user-node,region=east" to all pods created
+	// in all namespaces. Namespaces having project-wide node selectors won't be
+	// impacted even if this field is set. This adds an annotation section to
+	// the namespace.
+	// For example, if a new namespace is created with
+	// node-selector='type=user-node,region=east',
+	// the annotation openshift.io/node-selector: type=user-node,region=east
+	// gets added to the project. When the openshift.io/node-selector annotation
+	// is set on the project the value is used in preference to the value we are setting
+	// for defaultNodeSelector field.
+	// For instance,
+	// openshift.io/node-selector: "type=user-node,region=west" means
+	// that the default of "type=user-node,region=east" set in defaultNodeSelector
+	// would not be applied.
+	DefaultNodeSelector *string `json:"defaultNodeSelector,omitempty"`
+	// mastersSchedulable allows masters nodes to be schedulable. When this flag is
+	// turned on, all the master nodes in the cluster will be made schedulable,
+	// so that workload pods can run on them. The default value for this field is false,
+	// meaning none of the master nodes are schedulable.
+	// Important Note: Once the workload pods start running on the master nodes,
+	// extreme care must be taken to ensure that cluster-critical control plane components
+	// are not impacted.
+	// Please turn on this field after doing due diligence.
+	MastersSchedulable *bool `json:"mastersSchedulable,omitempty"`
 }
 
 // SchedulerSpecApplyConfiguration constructs a declarative configuration of the SchedulerSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/secretnamereference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/secretnamereference.go
index 692056c6b8794..110052b0c5460 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/secretnamereference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/secretnamereference.go
@@ -4,7 +4,11 @@ package v1
 
 // SecretNameReferenceApplyConfiguration represents a declarative configuration of the SecretNameReference type for use
 // with apply.
+//
+// SecretNameReference references a secret in a specific namespace.
+// The namespace must be specified at the point of use.
 type SecretNameReferenceApplyConfiguration struct {
+	// name is the metadata.name of the referenced secret
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go
index 918f13df6a709..cb2e6a2f2024a 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/signaturestore.go
@@ -4,9 +4,21 @@ package v1
 
 // SignatureStoreApplyConfiguration represents a declarative configuration of the SignatureStore type for use
 // with apply.
+//
+// SignatureStore represents the URL of custom Signature Store
 type SignatureStoreApplyConfiguration struct {
-	URL *string                                   `json:"url,omitempty"`
-	CA  *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
+	// url contains the upstream custom signature store URL.
+	// url should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
+	// This must be provided and cannot be empty.
+	URL *string `json:"url,omitempty"`
+	// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
+	// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
+	// The key "ca.crt" is used to locate the data.
+	// If specified and the config map or expected key is not found, the signature store is not honored.
+	// If the specified ca data is not valid, the signature store is not honored.
+	// If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots.
+	// The namespace for this config map is openshift-config.
+	CA *ConfigMapNameReferenceApplyConfiguration `json:"ca,omitempty"`
 }
 
 // SignatureStoreApplyConfiguration constructs a declarative configuration of the SignatureStore type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go
new file mode 100644
index 0000000000000..c55fd9ef5cb9b
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go
@@ -0,0 +1,46 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+// StorageApplyConfiguration represents a declarative configuration of the Storage type for use
+// with apply.
+//
+// Storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
+type StorageApplyConfiguration struct {
+	// type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+	// Valid values are "PersistentVolume" and "Ephemeral".
+	// When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+	// When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+	Type *configv1.StorageType `json:"type,omitempty"`
+	// persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+	// The PersistentVolume must be created in the openshift-insights namespace.
+	PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"`
+}
+
+// StorageApplyConfiguration constructs a declarative configuration of the Storage type for use with
+// apply.
+func Storage() *StorageApplyConfiguration {
+	return &StorageApplyConfiguration{}
+}
+
+// WithType sets the Type field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Type field is set to the value of the last call.
+func (b *StorageApplyConfiguration) WithType(value configv1.StorageType) *StorageApplyConfiguration {
+	b.Type = &value
+	return b
+}
+
+// WithPersistentVolume sets the PersistentVolume field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PersistentVolume field is set to the value of the last call.
+func (b *StorageApplyConfiguration) WithPersistentVolume(value *PersistentVolumeConfigApplyConfiguration) *StorageApplyConfiguration {
+	b.PersistentVolume = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/templatereference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/templatereference.go
index 30112046a0dbc..be63642b6daf1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/templatereference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/templatereference.go
@@ -4,7 +4,11 @@ package v1
 
 // TemplateReferenceApplyConfiguration represents a declarative configuration of the TemplateReference type for use
 // with apply.
+//
+// TemplateReference references a template in a specific namespace.
+// The namespace must be specified at the point of use.
 type TemplateReferenceApplyConfiguration struct {
+	// name is the metadata.name of the referenced project request template
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go
index 43590d0ef3643..8baa161fef033 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go
@@ -8,8 +8,21 @@ import (
 
 // TLSProfileSpecApplyConfiguration represents a declarative configuration of the TLSProfileSpec type for use
 // with apply.
+//
+// TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpecApplyConfiguration struct {
-	Ciphers       []string                     `json:"ciphers,omitempty"`
+	// ciphers is used to specify the cipher algorithms that are negotiated
+	// during the TLS handshake.  Operators may remove entries their operands
+	// do not support.  For example, to use DES-CBC3-SHA  (yaml):
+	//
+	// ciphers:
+	// - DES-CBC3-SHA
+	Ciphers []string `json:"ciphers,omitempty"`
+	// minTLSVersion is used to specify the minimal version of the TLS protocol
+	// that is negotiated during the TLS handshake. For example, to use TLS
+	// versions 1.1, 1.2 and 1.3 (yaml):
+	//
+	// minTLSVersion: VersionTLS11
 	MinTLSVersion *configv1.TLSProtocolVersion `json:"minTLSVersion,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go
index e5806e33c4dd1..2b8ce0b5b24de 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go
@@ -8,12 +8,103 @@ import (
 
 // TLSSecurityProfileApplyConfiguration represents a declarative configuration of the TLSSecurityProfile type for use
 // with apply.
+//
+// TLSSecurityProfile defines the schema for a TLS security profile. This object
+// is used by operators to apply TLS security settings to operands.
 type TLSSecurityProfileApplyConfiguration struct {
-	Type         *configv1.TLSProfileType            `json:"type,omitempty"`
-	Old          *configv1.OldTLSProfile             `json:"old,omitempty"`
-	Intermediate *configv1.IntermediateTLSProfile    `json:"intermediate,omitempty"`
-	Modern       *configv1.ModernTLSProfile          `json:"modern,omitempty"`
-	Custom       *CustomTLSProfileApplyConfiguration `json:"custom,omitempty"`
+	// type is one of Old, Intermediate, Modern or Custom. Custom provides the
+	// ability to specify individual TLS security profile parameters.
+	//
+	// The profiles are currently based on version 5.0 of the Mozilla Server Side TLS
+	// configuration guidelines (released 2019-06-28) with TLS 1.3 ciphers added for
+	// forward compatibility. See: https://ssl-config.mozilla.org/guidelines/5.0.json
+	//
+	// The profiles are intent based, so they may change over time as new ciphers are
+	// developed and existing ciphers are found to be insecure. Depending on
+	// precisely which ciphers are available to a process, the list may be reduced.
+	Type *configv1.TLSProfileType `json:"type,omitempty"`
+	// old is a TLS profile for use when services need to be accessed by very old
+	// clients or libraries and should be used only as a last resort.
+	//
+	// The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+	// by the "old" profile ciphers.
+	//
+	// This profile is equivalent to a Custom profile specified as:
+	// minTLSVersion: VersionTLS10
+	// ciphers:
+	// - TLS_AES_128_GCM_SHA256
+	// - TLS_AES_256_GCM_SHA384
+	// - TLS_CHACHA20_POLY1305_SHA256
+	// - ECDHE-ECDSA-AES128-GCM-SHA256
+	// - ECDHE-RSA-AES128-GCM-SHA256
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	// - ECDHE-ECDSA-CHACHA20-POLY1305
+	// - ECDHE-RSA-CHACHA20-POLY1305
+	// - DHE-RSA-AES128-GCM-SHA256
+	// - DHE-RSA-AES256-GCM-SHA384
+	// - DHE-RSA-CHACHA20-POLY1305
+	// - ECDHE-ECDSA-AES128-SHA256
+	// - ECDHE-RSA-AES128-SHA256
+	// - ECDHE-ECDSA-AES128-SHA
+	// - ECDHE-RSA-AES128-SHA
+	// - ECDHE-ECDSA-AES256-SHA384
+	// - ECDHE-RSA-AES256-SHA384
+	// - ECDHE-ECDSA-AES256-SHA
+	// - ECDHE-RSA-AES256-SHA
+	// - DHE-RSA-AES128-SHA256
+	// - DHE-RSA-AES256-SHA256
+	// - AES128-GCM-SHA256
+	// - AES256-GCM-SHA384
+	// - AES128-SHA256
+	// - AES256-SHA256
+	// - AES128-SHA
+	// - AES256-SHA
+	// - DES-CBC3-SHA
+	Old *configv1.OldTLSProfile `json:"old,omitempty"`
+	// intermediate is a TLS profile for use when you do not need compatibility with
+	// legacy clients and want to remain highly secure while being compatible with
+	// most clients currently in use.
+	//
+	// The cipher list includes TLS 1.3 ciphers for forward compatibility, followed
+	// by the "intermediate" profile ciphers.
+	//
+	// This profile is equivalent to a Custom profile specified as:
+	// minTLSVersion: VersionTLS12
+	// ciphers:
+	// - TLS_AES_128_GCM_SHA256
+	// - TLS_AES_256_GCM_SHA384
+	// - TLS_CHACHA20_POLY1305_SHA256
+	// - ECDHE-ECDSA-AES128-GCM-SHA256
+	// - ECDHE-RSA-AES128-GCM-SHA256
+	// - ECDHE-ECDSA-AES256-GCM-SHA384
+	// - ECDHE-RSA-AES256-GCM-SHA384
+	// - ECDHE-ECDSA-CHACHA20-POLY1305
+	// - ECDHE-RSA-CHACHA20-POLY1305
+	// - DHE-RSA-AES128-GCM-SHA256
+	// - DHE-RSA-AES256-GCM-SHA384
+	Intermediate *configv1.IntermediateTLSProfile `json:"intermediate,omitempty"`
+	// modern is a TLS security profile for use with clients that support TLS 1.3 and
+	// do not need backward compatibility for older clients.
+	//
+	// This profile is equivalent to a Custom profile specified as:
+	// minTLSVersion: VersionTLS13
+	// ciphers:
+	// - TLS_AES_128_GCM_SHA256
+	// - TLS_AES_256_GCM_SHA384
+	// - TLS_CHACHA20_POLY1305_SHA256
+	Modern *configv1.ModernTLSProfile `json:"modern,omitempty"`
+	// custom is a user-defined TLS security profile. Be extremely careful using a custom
+	// profile as invalid configurations can be catastrophic. An example custom profile
+	// looks like this:
+	//
+	// minTLSVersion: VersionTLS11
+	// ciphers:
+	// - ECDHE-ECDSA-CHACHA20-POLY1305
+	// - ECDHE-RSA-CHACHA20-POLY1305
+	// - ECDHE-RSA-AES128-GCM-SHA256
+	// - ECDHE-ECDSA-AES128-GCM-SHA256
+	Custom *CustomTLSProfileApplyConfiguration `json:"custom,omitempty"`
 }
 
 // TLSSecurityProfileApplyConfiguration constructs a declarative configuration of the TLSSecurityProfile type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go
index dbd509f06820a..7b1f0da7800a3 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go
@@ -4,7 +4,10 @@ package v1
 
 // TokenClaimMappingApplyConfiguration represents a declarative configuration of the TokenClaimMapping type for use
 // with apply.
+//
+// TokenClaimMapping allows specifying a JWT token claim to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimMappingApplyConfiguration struct {
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
 	Claim *string `json:"claim,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmappings.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmappings.go
index c748c311152a1..bb704d34f27e0 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmappings.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmappings.go
@@ -5,10 +5,29 @@ package v1
 // TokenClaimMappingsApplyConfiguration represents a declarative configuration of the TokenClaimMappings type for use
 // with apply.
 type TokenClaimMappingsApplyConfiguration struct {
-	Username *UsernameClaimMappingApplyConfiguration          `json:"username,omitempty"`
-	Groups   *PrefixedClaimMappingApplyConfiguration          `json:"groups,omitempty"`
-	UID      *TokenClaimOrExpressionMappingApplyConfiguration `json:"uid,omitempty"`
-	Extra    []ExtraMappingApplyConfiguration                 `json:"extra,omitempty"`
+	// username is a required field that configures how the username of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+	Username *UsernameClaimMappingApplyConfiguration `json:"username,omitempty"`
+	// groups is an optional field that configures how the groups of a cluster identity should be constructed from the claims in a JWT token issued by the identity provider.
+	//
+	// When referencing a claim, if the claim is present in the JWT token, its value must be a list of groups separated by a comma (',').
+	//
+	// For example - '"example"' and '"exampleOne", "exampleTwo", "exampleThree"' are valid claim values.
+	Groups *PrefixedClaimMappingApplyConfiguration `json:"groups,omitempty"`
+	// uid is an optional field for configuring the claim mapping used to construct the uid for the cluster identity.
+	//
+	// When using uid.claim to specify the claim it must be a single string value.
+	// When using uid.expression the expression must result in a single string value.
+	//
+	// When omitted, this means the user has no opinion and the platform is left to choose a default, which is subject to change over time.
+	//
+	// The current default is to use the 'sub' claim.
+	UID *TokenClaimOrExpressionMappingApplyConfiguration `json:"uid,omitempty"`
+	// extra is an optional field for configuring the mappings used to construct the extra attribute for the cluster identity.
+	// When omitted, no extra attributes will be present on the cluster identity.
+	//
+	// key values for extra mappings must be unique.
+	// A maximum of 32 extra attribute mappings may be provided.
+	Extra []ExtraMappingApplyConfiguration `json:"extra,omitempty"`
 }
 
 // TokenClaimMappingsApplyConfiguration constructs a declarative configuration of the TokenClaimMappings type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimorexpressionmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimorexpressionmapping.go
index 6aab9e0b5d98c..e4f62674df8a6 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimorexpressionmapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimorexpressionmapping.go
@@ -4,8 +4,26 @@ package v1
 
 // TokenClaimOrExpressionMappingApplyConfiguration represents a declarative configuration of the TokenClaimOrExpressionMapping type for use
 // with apply.
+//
+// TokenClaimOrExpressionMapping allows specifying either a JWT token claim or CEL expression to be used when mapping claims from an authentication token to cluster identities.
 type TokenClaimOrExpressionMappingApplyConfiguration struct {
-	Claim      *string `json:"claim,omitempty"`
+	// claim is an optional field for specifying the JWT token claim that is used in the mapping.
+	// The value of this claim will be assigned to the field in which this mapping is associated.
+	//
+	// Precisely one of claim or expression must be set.
+	// claim must not be specified when expression is set.
+	// When specified, claim must be at least 1 character in length and must not exceed 256 characters in length.
+	Claim *string `json:"claim,omitempty"`
+	// expression is an optional field for specifying a CEL expression that produces a string value from JWT token claims.
+	//
+	// CEL expressions have access to the token claims through a CEL variable, 'claims'.
+	// 'claims' is a map of claim names to claim values.
+	// For example, the 'sub' claim value can be accessed as 'claims.sub'.
+	// Nested claims can be accessed using dot notation ('claims.foo.bar').
+	//
+	// Precisely one of claim or expression must be set.
+	// expression must not be specified when claim is set.
+	// When specified, expression must be at least 1 character in length and must not exceed 1024 characters in length.
 	Expression *string `json:"expression,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go
new file mode 100644
index 0000000000000..72df2376cb979
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationcelrule.go
@@ -0,0 +1,37 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenClaimValidationCELRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationCELRule type for use
+// with apply.
+type TokenClaimValidationCELRuleApplyConfiguration struct {
+	// expression is a CEL expression evaluated against token claims.
+	// expression is required, must be at least 1 character in length and must not exceed 1024 characters.
+	// The expression must return a boolean value where 'true' signals a valid token and 'false' an invalid one.
+	Expression *string `json:"expression,omitempty"`
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenClaimValidationCELRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationCELRule type for use with
+// apply.
+func TokenClaimValidationCELRule() *TokenClaimValidationCELRuleApplyConfiguration {
+	return &TokenClaimValidationCELRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithExpression(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+	b.Expression = &value
+	return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenClaimValidationCELRuleApplyConfiguration) WithMessage(value string) *TokenClaimValidationCELRuleApplyConfiguration {
+	b.Message = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
index 74e9f61091f2b..53a70c17a8173 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimvalidationrule.go
@@ -8,9 +8,26 @@ import (
 
 // TokenClaimValidationRuleApplyConfiguration represents a declarative configuration of the TokenClaimValidationRule type for use
 // with apply.
+//
+// TokenClaimValidationRule represents a validation rule based on token claims.
+// If type is RequiredClaim, requiredClaim must be set.
+// If Type is CEL, CEL must be set and RequiredClaim must be omitted.
 type TokenClaimValidationRuleApplyConfiguration struct {
-	Type          *configv1.TokenValidationRuleType     `json:"type,omitempty"`
+	// type is an optional field that configures the type of the validation rule.
+	//
+	// Allowed values are "RequiredClaim" and "CEL".
+	//
+	// When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
+	//
+	// When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
+	Type *configv1.TokenValidationRuleType `json:"type,omitempty"`
+	// requiredClaim allows configuring a required claim name and its expected value.
+	// This field is required when `type` is set to RequiredClaim, and must be omitted when `type` is set to any other value.
+	// The Kubernetes API server uses this field to validate if an incoming JWT is valid for this identity provider.
 	RequiredClaim *TokenRequiredClaimApplyConfiguration `json:"requiredClaim,omitempty"`
+	// cel holds the CEL expression and message for validation.
+	// Must be set when Type is "CEL", and forbidden otherwise.
+	CEL *TokenClaimValidationCELRuleApplyConfiguration `json:"cel,omitempty"`
 }
 
 // TokenClaimValidationRuleApplyConfiguration constructs a declarative configuration of the TokenClaimValidationRule type for use with
@@ -34,3 +51,11 @@ func (b *TokenClaimValidationRuleApplyConfiguration) WithRequiredClaim(value *To
 	b.RequiredClaim = value
 	return b
 }
+
+// WithCEL sets the CEL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CEL field is set to the value of the last call.
+func (b *TokenClaimValidationRuleApplyConfiguration) WithCEL(value *TokenClaimValidationCELRuleApplyConfiguration) *TokenClaimValidationRuleApplyConfiguration {
+	b.CEL = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenconfig.go
index e1b6c4b511d32..fffc18a98fcd7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenconfig.go
@@ -8,10 +8,27 @@ import (
 
 // TokenConfigApplyConfiguration represents a declarative configuration of the TokenConfig type for use
 // with apply.
+//
+// TokenConfig holds the necessary configuration options for authorization and access tokens
 type TokenConfigApplyConfiguration struct {
-	AccessTokenMaxAgeSeconds            *int32           `json:"accessTokenMaxAgeSeconds,omitempty"`
-	AccessTokenInactivityTimeoutSeconds *int32           `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
-	AccessTokenInactivityTimeout        *metav1.Duration `json:"accessTokenInactivityTimeout,omitempty"`
+	// accessTokenMaxAgeSeconds defines the maximum age of access tokens
+	AccessTokenMaxAgeSeconds *int32 `json:"accessTokenMaxAgeSeconds,omitempty"`
+	// accessTokenInactivityTimeoutSeconds - DEPRECATED: setting this field has no effect.
+	AccessTokenInactivityTimeoutSeconds *int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
+	// accessTokenInactivityTimeout defines the token inactivity timeout
+	// for tokens granted by any client.
+	// The value represents the maximum amount of time that can occur between
+	// consecutive uses of the token. Tokens become invalid if they are not
+	// used within this temporal window. The user will need to acquire a new
+	// token to regain access once a token times out. Takes valid time
+	// duration string such as "5m", "1.5h" or "2h45m". The minimum allowed
+	// value for duration is 300s (5 minutes). If the timeout is configured
+	// per client, then that value takes precedence. If the timeout value is
+	// not specified and the client does not override the value, then tokens
+	// are valid until their lifetime.
+	//
+	// WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
+	AccessTokenInactivityTimeout *metav1.Duration `json:"accessTokenInactivityTimeout,omitempty"`
 }
 
 // TokenConfigApplyConfiguration constructs a declarative configuration of the TokenConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go
index 68f590abc6ede..0675a9b3aa307 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenissuer.go
@@ -9,9 +9,31 @@ import (
 // TokenIssuerApplyConfiguration represents a declarative configuration of the TokenIssuer type for use
 // with apply.
 type TokenIssuerApplyConfiguration struct {
-	URL                  *string                                   `json:"issuerURL,omitempty"`
-	Audiences            []configv1.TokenAudience                  `json:"audiences,omitempty"`
+	// issuerURL is a required field that configures the URL used to issue tokens by the identity provider.
+	// The Kubernetes API server determines how authentication tokens should be handled by matching the 'iss' claim in the JWT to the issuerURL of configured identity providers.
+	//
+	// Must be at least 1 character and must not exceed 512 characters in length.
+	// Must be a valid URL that uses the 'https' scheme and does not contain a query, fragment or user.
+	URL *string `json:"issuerURL,omitempty"`
+	// audiences is a required field that configures the acceptable audiences the JWT token, issued by the identity provider, must be issued to.
+	// At least one of the entries must match the 'aud' claim in the JWT token.
+	//
+	// audiences must contain at least one entry and must not exceed ten entries.
+	Audiences []configv1.TokenAudience `json:"audiences,omitempty"`
+	// issuerCertificateAuthority is an optional field that configures the certificate authority, used by the Kubernetes API server, to validate the connection to the identity provider when fetching discovery information.
+	//
+	// When not specified, the system trust is used.
+	//
+	// When specified, it must reference a ConfigMap in the openshift-config namespace containing the PEM-encoded CA certificates under the 'ca-bundle.crt' key in the data field of the ConfigMap.
 	CertificateAuthority *ConfigMapNameReferenceApplyConfiguration `json:"issuerCertificateAuthority,omitempty"`
+	// discoveryURL is an optional field that, if specified, overrides the default discovery endpoint used to retrieve OIDC configuration metadata.
+	// By default, the discovery URL is derived from `issuerURL` as "{issuerURL}/.well-known/openid-configuration".
+	//
+	// The discoveryURL must be a valid absolute HTTPS URL.
+	// It must not contain query parameters, user information, or fragments.
+	// Additionally, it must differ from the value of `issuerURL` (ignoring trailing slashes).
+	// The discoveryURL value must be at least 1 character long and no longer than 2048 characters.
+	DiscoveryURL *string `json:"discoveryURL,omitempty"`
 }
 
 // TokenIssuerApplyConfiguration constructs a declarative configuration of the TokenIssuer type for use with
@@ -45,3 +67,11 @@ func (b *TokenIssuerApplyConfiguration) WithCertificateAuthority(value *ConfigMa
 	b.CertificateAuthority = value
 	return b
 }
+
+// WithDiscoveryURL sets the DiscoveryURL field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DiscoveryURL field is set to the value of the last call.
+func (b *TokenIssuerApplyConfiguration) WithDiscoveryURL(value string) *TokenIssuerApplyConfiguration {
+	b.DiscoveryURL = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenrequiredclaim.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenrequiredclaim.go
index 6dec5b2a19517..1e1003d9464a1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenrequiredclaim.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenrequiredclaim.go
@@ -5,7 +5,15 @@ package v1
 // TokenRequiredClaimApplyConfiguration represents a declarative configuration of the TokenRequiredClaim type for use
 // with apply.
 type TokenRequiredClaimApplyConfiguration struct {
-	Claim         *string `json:"claim,omitempty"`
+	// claim is a required field that configures the name of the required claim.
+	// When taken from the JWT claims, claim must be a string value.
+	//
+	// claim must not be an empty string ("").
+	Claim *string `json:"claim,omitempty"`
+	// requiredValue is a required field that configures the value that 'claim' must have when taken from the incoming JWT claims.
+	// If the value in the JWT claims does not match, the token will be rejected for authentication.
+	//
+	// requiredValue must not be an empty string ("").
 	RequiredValue *string `json:"requiredValue,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go
new file mode 100644
index 0000000000000..9e0a2bdc08a88
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenuservalidationrule.go
@@ -0,0 +1,43 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+// TokenUserValidationRuleApplyConfiguration represents a declarative configuration of the TokenUserValidationRule type for use
+// with apply.
+//
+// TokenUserValidationRule provides a CEL-based rule used to validate a token subject.
+// Each rule contains a CEL expression that is evaluated against the token’s claims.
+type TokenUserValidationRuleApplyConfiguration struct {
+	// expression is a required CEL expression that performs a validation on cluster user identity attributes like username, groups, etc.
+	//
+	// The expression must evaluate to a boolean value.
+	// When the expression evaluates to 'true', the cluster user identity is considered valid.
+	// When the expression evaluates to 'false', the cluster user identity is not considered valid.
+	// expression must be at least 1 character in length and must not exceed 1024 characters.
+	Expression *string `json:"expression,omitempty"`
+	// message is a required human-readable message to be logged by the Kubernetes API server if the CEL expression defined in 'expression' fails.
+	// message must be at least 1 character in length and must not exceed 256 characters.
+	Message *string `json:"message,omitempty"`
+}
+
+// TokenUserValidationRuleApplyConfiguration constructs a declarative configuration of the TokenUserValidationRule type for use with
+// apply.
+func TokenUserValidationRule() *TokenUserValidationRuleApplyConfiguration {
+	return &TokenUserValidationRuleApplyConfiguration{}
+}
+
+// WithExpression sets the Expression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Expression field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithExpression(value string) *TokenUserValidationRuleApplyConfiguration {
+	b.Expression = &value
+	return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *TokenUserValidationRuleApplyConfiguration) WithMessage(value string) *TokenUserValidationRuleApplyConfiguration {
+	b.Message = &value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
index 004d1bac22418..6151b6b13a108 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go
@@ -8,11 +8,45 @@ import (
 
 // UpdateApplyConfiguration represents a declarative configuration of the Update type for use
 // with apply.
+//
+// Update represents an administrator update request.
 type UpdateApplyConfiguration struct {
+	// architecture is an optional field that indicates the desired
+	// value of the cluster architecture. In this context cluster
+	// architecture means either a single architecture or a multi
+	// architecture. architecture can only be set to Multi thereby
+	// only allowing updates from single to multi architecture. If
+	// architecture is set, image cannot be set and version must be
+	// set.
+	// Valid values are 'Multi' and empty.
 	Architecture *configv1.ClusterVersionArchitecture `json:"architecture,omitempty"`
-	Version      *string                              `json:"version,omitempty"`
-	Image        *string                              `json:"image,omitempty"`
-	Force        *bool                                `json:"force,omitempty"`
+	// version is a semantic version identifying the update version.
+	// version is required if architecture is specified.
+	// If both version and image are set, the version extracted from the referenced image must match the specified version.
+	Version *string `json:"version,omitempty"`
+	// image is a container image location that contains the update.
+	// image should be used when the desired version does not exist in availableUpdates or history.
+	// When image is set, architecture cannot be specified.
+	// If both version and image are set, the version extracted from the referenced image must match the specified version.
+	Image *string `json:"image,omitempty"`
+	// force allows an administrator to update to an image that has failed
+	// verification or upgradeable checks that are designed to keep your
+	// cluster safe. Only use this if:
+	// * you are testing unsigned release images in short-lived test clusters or
+	// * you are working around a known bug in the cluster-version
+	// operator and you have verified the authenticity of the provided
+	// image yourself.
+	// The provided image will run with full administrative access
+	// to the cluster. Do not use this flag with images that come from unknown
+	// or potentially malicious sources.
+	Force *bool `json:"force,omitempty"`
+	// acceptRisks is an optional set of names of conditional update risks that are considered acceptable.
+	// A conditional update is performed only if all of its risks are acceptable.
+	// This list may contain entries that apply to current, previous or future updates.
+	// The entries therefore may not map directly to a risk in .status.conditionalUpdateRisks.
+	// acceptRisks must not contain more than 1000 entries.
+	// Entries in this list must be unique.
+	AcceptRisks []AcceptRiskApplyConfiguration `json:"acceptRisks,omitempty"`
 }
 
 // UpdateApplyConfiguration constructs a declarative configuration of the Update type for use with
@@ -52,3 +86,16 @@ func (b *UpdateApplyConfiguration) WithForce(value bool) *UpdateApplyConfigurati
 	b.Force = &value
 	return b
 }
+
+// WithAcceptRisks adds the given value to the AcceptRisks field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AcceptRisks field.
+func (b *UpdateApplyConfiguration) WithAcceptRisks(values ...*AcceptRiskApplyConfiguration) *UpdateApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithAcceptRisks")
+		}
+		b.AcceptRisks = append(b.AcceptRisks, *values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/updatehistory.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/updatehistory.go
index b7998eb610ca7..6e5f4e98ea0e1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/updatehistory.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/updatehistory.go
@@ -9,14 +9,39 @@ import (
 
 // UpdateHistoryApplyConfiguration represents a declarative configuration of the UpdateHistory type for use
 // with apply.
+//
+// UpdateHistory is a single attempted update to the cluster.
 type UpdateHistoryApplyConfiguration struct {
-	State          *configv1.UpdateState `json:"state,omitempty"`
-	StartedTime    *metav1.Time          `json:"startedTime,omitempty"`
-	CompletionTime *metav1.Time          `json:"completionTime,omitempty"`
-	Version        *string               `json:"version,omitempty"`
-	Image          *string               `json:"image,omitempty"`
-	Verified       *bool                 `json:"verified,omitempty"`
-	AcceptedRisks  *string               `json:"acceptedRisks,omitempty"`
+	// state reflects whether the update was fully applied. The Partial state
+	// indicates the update is not fully applied, while the Completed state
+	// indicates the update was successfully rolled out at least once (all
+	// parts of the update successfully applied).
+	State *configv1.UpdateState `json:"state,omitempty"`
+	// startedTime is the time at which the update was started.
+	StartedTime *metav1.Time `json:"startedTime,omitempty"`
+	// completionTime, if set, is when the update was fully applied. The update
+	// that is currently being applied will have a null completion time.
+	// Completion time will always be set for entries that are not the current
+	// update (usually to the started time of the next update).
+	CompletionTime *metav1.Time `json:"completionTime,omitempty"`
+	// version is a semantic version identifying the update version. If the
+	// requested image does not define a version, or if a failure occurs
+	// retrieving the image, this value may be empty.
+	Version *string `json:"version,omitempty"`
+	// image is a container image location that contains the update. This value
+	// is always populated.
+	Image *string `json:"image,omitempty"`
+	// verified indicates whether the provided update was properly verified
+	// before it was installed. If this is false the cluster may not be trusted.
+	// Verified does not cover upgradeable checks that depend on the cluster
+	// state at the time when the update target was accepted.
+	Verified *bool `json:"verified,omitempty"`
+	// acceptedRisks records risks which were accepted to initiate the update.
+	// For example, it may mention an Upgradeable=False or missing signature
+	// that was overridden via desiredUpdate.force, or an update that was
+	// initiated despite not being in the availableUpdates set of recommended
+	// update targets.
+	AcceptedRisks *string `json:"acceptedRisks,omitempty"`
 }
 
 // UpdateHistoryApplyConfiguration constructs a declarative configuration of the UpdateHistory type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go
index 2045ee5039073..dd359d69a62b8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go
@@ -9,9 +9,35 @@ import (
 // UsernameClaimMappingApplyConfiguration represents a declarative configuration of the UsernameClaimMapping type for use
 // with apply.
 type UsernameClaimMappingApplyConfiguration struct {
-	Claim        *string                           `json:"claim,omitempty"`
-	PrefixPolicy *configv1.UsernamePrefixPolicy    `json:"prefixPolicy,omitempty"`
-	Prefix       *UsernamePrefixApplyConfiguration `json:"prefix,omitempty"`
+	// claim is a required field that configures the JWT token claim whose value is assigned to the cluster identity field associated with this mapping.
+	//
+	// claim must not be an empty string ("") and must not exceed 256 characters.
+	Claim *string `json:"claim,omitempty"`
+	// prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.
+	//
+	// Allowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).
+	//
+	// When set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim.
+	//
+	// The prefix field must be set when prefixPolicy is 'Prefix'.
+	//
+	// When set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.
+	//
+	// When omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time.
+	// Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'.
+	//
+	// As an example, consider the following scenario:
+	//
+	// `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,
+	// the JWT claims include "username":"userA" and "email":"userA@myoidc.tld",
+	// and `claim` is set to:
+	// - "username": the mapped value will be "https://myoidc.tld#userA"
+	// - "email": the mapped value will be "userA@myoidc.tld"
+	PrefixPolicy *configv1.UsernamePrefixPolicy `json:"prefixPolicy,omitempty"`
+	// prefix configures the prefix that should be prepended to the value of the JWT claim.
+	//
+	// prefix must be set when prefixPolicy is set to 'Prefix' and must be unset otherwise.
+	Prefix *UsernamePrefixApplyConfiguration `json:"prefix,omitempty"`
 }
 
 // UsernameClaimMappingApplyConfiguration constructs a declarative configuration of the UsernameClaimMapping type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameprefix.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameprefix.go
index 03720723bd374..e05bf0087a31f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameprefix.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameprefix.go
@@ -4,7 +4,13 @@ package v1
 
 // UsernamePrefixApplyConfiguration represents a declarative configuration of the UsernamePrefix type for use
 // with apply.
+//
+// UsernamePrefix configures the string that should
+// be used as a prefix for username claim mappings.
 type UsernamePrefixApplyConfiguration struct {
+	// prefixString is a required field that configures the prefix that will be applied to cluster identity username attribute during the process of mapping JWT claims to cluster identity attributes.
+	//
+	// prefixString must not be an empty string ("").
 	PrefixString *string `json:"prefixString,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainhostgroup.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainhostgroup.go
index f590263a1f0c2..651fb4e5ef965 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainhostgroup.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainhostgroup.go
@@ -4,9 +4,22 @@ package v1
 
 // VSphereFailureDomainHostGroupApplyConfiguration represents a declarative configuration of the VSphereFailureDomainHostGroup type for use
 // with apply.
+//
+// VSphereFailureDomainHostGroup holds the vmGroup and the hostGroup names in vCenter
+// corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also
+// contains the vmHostRule which is an affinity vm-host rule in vCenter.
 type VSphereFailureDomainHostGroupApplyConfiguration struct {
-	VMGroup    *string `json:"vmGroup,omitempty"`
-	HostGroup  *string `json:"hostGroup,omitempty"`
+	// vmGroup is the name of the vm-host group of type virtual machine within vCenter for this failure domain.
+	// vmGroup is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
+	VMGroup *string `json:"vmGroup,omitempty"`
+	// hostGroup is the name of the vm-host group of type host within vCenter for this failure domain.
+	// hostGroup is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
+	HostGroup *string `json:"hostGroup,omitempty"`
+	// vmHostRule is the name of the affinity vm-host rule within vCenter for this failure domain.
+	// vmHostRule is limited to 80 characters.
+	// This field is required when the VSphereFailureDomain ZoneType is HostGroup
 	VMHostRule *string `json:"vmHostRule,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainregionaffinity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainregionaffinity.go
index bf923d829803e..83f1253c3fa12 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainregionaffinity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainregionaffinity.go
@@ -8,7 +8,14 @@ import (
 
 // VSphereFailureDomainRegionAffinityApplyConfiguration represents a declarative configuration of the VSphereFailureDomainRegionAffinity type for use
 // with apply.
+//
+// VSphereFailureDomainRegionAffinity contains the region type which is the string representation of the
+// VSphereFailureDomainRegionType with available options of Datacenter and ComputeCluster.
 type VSphereFailureDomainRegionAffinityApplyConfiguration struct {
+	// type determines the vSphere object type for a region within this failure domain.
+	// Available types are Datacenter and ComputeCluster.
+	// When set to Datacenter, this means the vCenter Datacenter defined is the region.
+	// When set to ComputeCluster, this means the vCenter cluster defined is the region.
 	Type *configv1.VSphereFailureDomainRegionType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainzoneaffinity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainzoneaffinity.go
index 5bbbe95560d32..1cbb05bedd1ec 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainzoneaffinity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vspherefailuredomainzoneaffinity.go
@@ -8,8 +8,21 @@ import (
 
 // VSphereFailureDomainZoneAffinityApplyConfiguration represents a declarative configuration of the VSphereFailureDomainZoneAffinity type for use
 // with apply.
+//
+// VSphereFailureDomainZoneAffinity contains the vCenter cluster vm-host group (virtual machine and host types)
+// and the vm-host affinity rule that together creates an affinity configuration for vm-host based zonal.
+// This configuration within vCenter creates the required association between a failure domain, virtual machines
+// and ESXi hosts to create a vm-host based zone.
 type VSphereFailureDomainZoneAffinityApplyConfiguration struct {
-	Type      *configv1.VSphereFailureDomainZoneType           `json:"type,omitempty"`
+	// type determines the vSphere object type for a zone within this failure domain.
+	// Available types are ComputeCluster and HostGroup.
+	// When set to ComputeCluster, this means the vCenter cluster defined is the zone.
+	// When set to HostGroup, hostGroup must be configured with hostGroup, vmGroup and vmHostRule and
+	// this means the zone is defined by the grouping of those fields.
+	Type *configv1.VSphereFailureDomainZoneType `json:"type,omitempty"`
+	// hostGroup holds the vmGroup and the hostGroup names in vCenter
+	// corresponds to a vm-host group of type Virtual Machine and Host respectively. Is also
+	// contains the vmHostRule which is an affinity vm-host rule in vCenter.
 	HostGroup *VSphereFailureDomainHostGroupApplyConfiguration `json:"hostGroup,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformfailuredomainspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformfailuredomainspec.go
index aeb2388825fda..4f3d37e0f10f4 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformfailuredomainspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformfailuredomainspec.go
@@ -4,14 +4,34 @@ package v1
 
 // VSpherePlatformFailureDomainSpecApplyConfiguration represents a declarative configuration of the VSpherePlatformFailureDomainSpec type for use
 // with apply.
+//
+// VSpherePlatformFailureDomainSpec holds the region and zone failure domain and the vCenter topology of that failure domain.
 type VSpherePlatformFailureDomainSpecApplyConfiguration struct {
-	Name           *string                                               `json:"name,omitempty"`
-	Region         *string                                               `json:"region,omitempty"`
-	Zone           *string                                               `json:"zone,omitempty"`
+	// name defines the arbitrary but unique name
+	// of a failure domain.
+	Name *string `json:"name,omitempty"`
+	// region defines the name of a region tag that will
+	// be attached to a vCenter datacenter. The tag
+	// category in vCenter must be named openshift-region.
+	Region *string `json:"region,omitempty"`
+	// zone defines the name of a zone tag that will
+	// be attached to a vCenter cluster. The tag
+	// category in vCenter must be named openshift-zone.
+	Zone *string `json:"zone,omitempty"`
+	// regionAffinity holds the type of region, Datacenter or ComputeCluster.
+	// When set to Datacenter, this means the region is a vCenter Datacenter as defined in topology.
+	// When set to ComputeCluster, this means the region is a vCenter Cluster as defined in topology.
 	RegionAffinity *VSphereFailureDomainRegionAffinityApplyConfiguration `json:"regionAffinity,omitempty"`
-	ZoneAffinity   *VSphereFailureDomainZoneAffinityApplyConfiguration   `json:"zoneAffinity,omitempty"`
-	Server         *string                                               `json:"server,omitempty"`
-	Topology       *VSpherePlatformTopologyApplyConfiguration            `json:"topology,omitempty"`
+	// zoneAffinity holds the type of the zone and the hostGroup which
+	// vmGroup and the hostGroup names in vCenter corresponds to
+	// a vm-host group of type Virtual Machine and Host respectively. Is also
+	// contains the vmHostRule which is an affinity vm-host rule in vCenter.
+	ZoneAffinity *VSphereFailureDomainZoneAffinityApplyConfiguration `json:"zoneAffinity,omitempty"`
+	// server is the fully-qualified domain name or the IP address of the vCenter server.
+	// ---
+	Server *string `json:"server,omitempty"`
+	// topology describes a given failure domain using vSphere constructs
+	Topology *VSpherePlatformTopologyApplyConfiguration `json:"topology,omitempty"`
 }
 
 // VSpherePlatformFailureDomainSpecApplyConfiguration constructs a declarative configuration of the VSpherePlatformFailureDomainSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformloadbalancer.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformloadbalancer.go
index 9eb2f57aabc23..be5b90e628113 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformloadbalancer.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformloadbalancer.go
@@ -8,7 +8,18 @@ import (
 
 // VSpherePlatformLoadBalancerApplyConfiguration represents a declarative configuration of the VSpherePlatformLoadBalancer type for use
 // with apply.
+//
+// VSpherePlatformLoadBalancer defines the load balancer used by the cluster on VSphere platform.
 type VSpherePlatformLoadBalancerApplyConfiguration struct {
+	// type defines the type of load balancer used by the cluster on VSphere platform
+	// which can be a user-managed or openshift-managed load balancer
+	// that is to be used for the OpenShift API and Ingress endpoints.
+	// When set to OpenShiftManagedDefault the static pods in charge of API and Ingress traffic load-balancing
+	// defined in the machine config operator will be deployed.
+	// When set to UserManaged these static pods will not be deployed and it is expected that
+	// the load balancer is configured out of band by the deployer.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default.
+	// The default value is OpenShiftManagedDefault.
 	Type *configv1.PlatformLoadBalancerType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworking.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworking.go
index f83a0c50a7ad7..8926b249a6cb7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworking.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworking.go
@@ -4,8 +4,12 @@ package v1
 
 // VSpherePlatformNodeNetworkingApplyConfiguration represents a declarative configuration of the VSpherePlatformNodeNetworking type for use
 // with apply.
+//
+// VSpherePlatformNodeNetworking holds the external and internal node networking spec.
 type VSpherePlatformNodeNetworkingApplyConfiguration struct {
+	// external represents the network configuration of the node that is externally routable.
 	External *VSpherePlatformNodeNetworkingSpecApplyConfiguration `json:"external,omitempty"`
+	// internal represents the network configuration of the node that is routable only within the cluster.
 	Internal *VSpherePlatformNodeNetworkingSpecApplyConfiguration `json:"internal,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworkingspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworkingspec.go
index 670448d3c19a8..e909504930cd5 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworkingspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformnodenetworkingspec.go
@@ -4,9 +4,27 @@ package v1
 
 // VSpherePlatformNodeNetworkingSpecApplyConfiguration represents a declarative configuration of the VSpherePlatformNodeNetworkingSpec type for use
 // with apply.
+//
+// VSpherePlatformNodeNetworkingSpec holds the network CIDR(s) and port group name for
+// including and excluding IP ranges in the cloud provider.
+// This would be used for example when multiple network adapters are attached to
+// a guest to help determine which IP address the cloud config manager should use
+// for the external and internal node networking.
 type VSpherePlatformNodeNetworkingSpecApplyConfiguration struct {
-	NetworkSubnetCIDR        []string `json:"networkSubnetCidr,omitempty"`
-	Network                  *string  `json:"network,omitempty"`
+	// networkSubnetCidr IP address on VirtualMachine's network interfaces included in the fields' CIDRs
+	// that will be used in respective status.addresses fields.
+	// ---
+	NetworkSubnetCIDR []string `json:"networkSubnetCidr,omitempty"`
+	// network VirtualMachine's VM Network names that will be used to when searching
+	// for status.addresses fields. Note that if internal.networkSubnetCIDR and
+	// external.networkSubnetCIDR are not set, then the vNIC associated to this network must
+	// only have a single IP address assigned to it.
+	// The available networks (port groups) can be listed using
+	// `govc ls 'network/*'`
+	Network *string `json:"network,omitempty"`
+	// excludeNetworkSubnetCidr IP addresses in subnet ranges will be excluded when selecting
+	// the IP address from the VirtualMachine's VM for use in the status.addresses fields.
+	// ---
 	ExcludeNetworkSubnetCIDR []string `json:"excludeNetworkSubnetCidr,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go
index d0d191331eab5..f8037b67a1bfc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformspec.go
@@ -8,13 +8,52 @@ import (
 
 // VSpherePlatformSpecApplyConfiguration represents a declarative configuration of the VSpherePlatformSpec type for use
 // with apply.
+//
+// VSpherePlatformSpec holds the desired state of the vSphere infrastructure provider.
+// In the future the cloud provider operator, storage operator and machine operator will
+// use these fields for configuration.
 type VSpherePlatformSpecApplyConfiguration struct {
-	VCenters             []VSpherePlatformVCenterSpecApplyConfiguration       `json:"vcenters,omitempty"`
-	FailureDomains       []VSpherePlatformFailureDomainSpecApplyConfiguration `json:"failureDomains,omitempty"`
-	NodeNetworking       *VSpherePlatformNodeNetworkingApplyConfiguration     `json:"nodeNetworking,omitempty"`
-	APIServerInternalIPs []configv1.IP                                        `json:"apiServerInternalIPs,omitempty"`
-	IngressIPs           []configv1.IP                                        `json:"ingressIPs,omitempty"`
-	MachineNetworks      []configv1.CIDR                                      `json:"machineNetworks,omitempty"`
+	// vcenters holds the connection details for services to communicate with vCenter.
+	// Currently, only a single vCenter is supported, but in tech preview 3 vCenters are supported.
+	// Once the cluster has been installed, you are unable to change the current number of defined
+	// vCenters except in the case where the cluster has been upgraded from a version of OpenShift
+	// where the vsphere platform spec was not present.  You may make modifications to the existing
+	// vCenters that are defined in the vcenters list in order to match with any added or modified
+	// failure domains.
+	// ---
+	VCenters []VSpherePlatformVCenterSpecApplyConfiguration `json:"vcenters,omitempty"`
+	// failureDomains contains the definition of region, zone and the vCenter topology.
+	// If this is omitted failure domains (regions and zones) will not be used.
+	FailureDomains []VSpherePlatformFailureDomainSpecApplyConfiguration `json:"failureDomains,omitempty"`
+	// nodeNetworking contains the definition of internal and external network constraints for
+	// assigning the node's networking.
+	// If this field is omitted, networking defaults to the legacy
+	// address selection behavior which is to only support a single address and
+	// return the first one found.
+	NodeNetworking *VSpherePlatformNodeNetworkingApplyConfiguration `json:"nodeNetworking,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.apiServerInternalIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	APIServerInternalIPs []configv1.IP `json:"apiServerInternalIPs,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names.
+	// In dual stack clusters this list contains two IP addresses, one from IPv4
+	// family and one from IPv6.
+	// In single stack clusters a single IP address is expected.
+	// When omitted, values from the status.ingressIPs will be used.
+	// Once set, the list cannot be completely removed (but its second entry can).
+	IngressIPs []configv1.IP `json:"ingressIPs,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster
+	// nodes. Each network is provided in the CIDR format and should be IPv4 or IPv6,
+	// for example "10.0.0.0/8" or "fd00::/8".
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // VSpherePlatformSpecApplyConfiguration constructs a declarative configuration of the VSpherePlatformSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go
index a3cfc9b1c7c34..6d7ca4e859f65 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go
@@ -8,15 +8,56 @@ import (
 
 // VSpherePlatformStatusApplyConfiguration represents a declarative configuration of the VSpherePlatformStatus type for use
 // with apply.
+//
+// VSpherePlatformStatus holds the current status of the vSphere infrastructure provider.
 type VSpherePlatformStatusApplyConfiguration struct {
-	APIServerInternalIP  *string                                        `json:"apiServerInternalIP,omitempty"`
-	APIServerInternalIPs []string                                       `json:"apiServerInternalIPs,omitempty"`
-	IngressIP            *string                                        `json:"ingressIP,omitempty"`
-	IngressIPs           []string                                       `json:"ingressIPs,omitempty"`
-	NodeDNSIP            *string                                        `json:"nodeDNSIP,omitempty"`
-	LoadBalancer         *VSpherePlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
-	DNSRecordsType       *configv1.DNSRecordsType                       `json:"dnsRecordsType,omitempty"`
-	MachineNetworks      []configv1.CIDR                                `json:"machineNetworks,omitempty"`
+	// apiServerInternalIP is an IP address to contact the Kubernetes API server that can be used
+	// by components inside the cluster, like kubelets using the infrastructure rather
+	// than Kubernetes networking. It is the IP that the Infrastructure.status.apiServerInternalURI
+	// points to. It is the IP for a self-hosted load balancer in front of the API servers.
+	//
+	// Deprecated: Use APIServerInternalIPs instead.
+	APIServerInternalIP *string `json:"apiServerInternalIP,omitempty"`
+	// apiServerInternalIPs are the IP addresses to contact the Kubernetes API
+	// server that can be used by components inside the cluster, like kubelets
+	// using the infrastructure rather than Kubernetes networking. These are the
+	// IPs for a self-hosted load balancer in front of the API servers. In dual
+	// stack clusters this list contains two IPs otherwise only one.
+	APIServerInternalIPs []string `json:"apiServerInternalIPs,omitempty"`
+	// ingressIP is an external IP which routes to the default ingress controller.
+	// The IP is a suitable target of a wildcard DNS record used to resolve default route host names.
+	//
+	// Deprecated: Use IngressIPs instead.
+	IngressIP *string `json:"ingressIP,omitempty"`
+	// ingressIPs are the external IPs which route to the default ingress
+	// controller. The IPs are suitable targets of a wildcard DNS record used to
+	// resolve default route host names. In dual stack clusters this list
+	// contains two IPs otherwise only one.
+	IngressIPs []string `json:"ingressIPs,omitempty"`
+	// nodeDNSIP is the IP address for the internal DNS used by the
+	// nodes. Unlike the one managed by the DNS operator, `NodeDNSIP`
+	// provides name resolution for the nodes themselves. There is no DNS-as-a-service for
+	// vSphere deployments. In order to minimize necessary changes to the
+	// datacenter DNS, a DNS service is hosted as a static pod to serve those hostnames
+	// to the nodes in the cluster.
+	NodeDNSIP *string `json:"nodeDNSIP,omitempty"`
+	// loadBalancer defines how the load balancer used by the cluster is configured.
+	LoadBalancer *VSpherePlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"`
+	// dnsRecordsType determines whether records for api, api-int, and ingress
+	// are provided by the internal DNS service or externally.
+	// Allowed values are `Internal`, `External`, and omitted.
+	// When set to `Internal`, records are provided by the internal infrastructure and
+	// no additional user configuration is required for the cluster to function.
+	// When set to `External`, records are not provided by the internal infrastructure
+	// and must be configured by the user on a DNS server outside the cluster.
+	// Cluster nodes must use this external server for their upstream DNS requests.
+	// This value may only be set when loadBalancer.type is set to UserManaged.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is `Internal`.
+	DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"`
+	// machineNetworks are IP networks used to connect all the OpenShift cluster nodes.
+	MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"`
 }
 
 // VSpherePlatformStatusApplyConfiguration constructs a declarative configuration of the VSpherePlatformStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformtopology.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformtopology.go
index a3036a5cfea81..411f55207d674 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformtopology.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformtopology.go
@@ -4,14 +4,51 @@ package v1
 
 // VSpherePlatformTopologyApplyConfiguration represents a declarative configuration of the VSpherePlatformTopology type for use
 // with apply.
+//
+// VSpherePlatformTopology holds the required and optional vCenter objects - datacenter,
+// computeCluster, networks, datastore and resourcePool - to provision virtual machines.
 type VSpherePlatformTopologyApplyConfiguration struct {
-	Datacenter     *string  `json:"datacenter,omitempty"`
-	ComputeCluster *string  `json:"computeCluster,omitempty"`
-	Networks       []string `json:"networks,omitempty"`
-	Datastore      *string  `json:"datastore,omitempty"`
-	ResourcePool   *string  `json:"resourcePool,omitempty"`
-	Folder         *string  `json:"folder,omitempty"`
-	Template       *string  `json:"template,omitempty"`
+	// datacenter is the name of vCenter datacenter in which virtual machines will be located.
+	// The maximum length of the datacenter name is 80 characters.
+	Datacenter *string `json:"datacenter,omitempty"`
+	// computeCluster the absolute path of the vCenter cluster
+	// in which virtual machine will be located.
+	// The absolute path is of the form /<datacenter>/host/<cluster>.
+	// The maximum length of the path is 2048 characters.
+	ComputeCluster *string `json:"computeCluster,omitempty"`
+	// networks is the list of port group network names within this failure domain.
+	// If feature gate VSphereMultiNetworks is enabled, up to 10 network adapters may be defined.
+	// 10 is the maximum number of virtual network devices which may be attached to a VM as defined by:
+	// https://configmax.esp.vmware.com/guest?vmwareproduct=vSphere&release=vSphere%208.0&categories=1-0
+	// The available networks (port groups) can be listed using
+	// `govc ls 'network/*'`
+	// Networks should be in the form of an absolute path:
+	// /<datacenter>/network/<portgroup>.
+	Networks []string `json:"networks,omitempty"`
+	// datastore is the absolute path of the datastore in which the
+	// virtual machine is located.
+	// The absolute path is of the form /<datacenter>/datastore/<datastore>
+	// The maximum length of the path is 2048 characters.
+	Datastore *string `json:"datastore,omitempty"`
+	// resourcePool is the absolute path of the resource pool where virtual machines will be
+	// created. The absolute path is of the form /<datacenter>/host/<cluster>/Resources/<resourcepool>.
+	// The maximum length of the path is 2048 characters.
+	ResourcePool *string `json:"resourcePool,omitempty"`
+	// folder is the absolute path of the folder where
+	// virtual machines are located. The absolute path
+	// is of the form /<datacenter>/vm/<folder>.
+	// The maximum length of the path is 2048 characters.
+	Folder *string `json:"folder,omitempty"`
+	// template is the full inventory path of the virtual machine or template
+	// that will be cloned when creating new machines in this failure domain.
+	// The maximum length of the path is 2048 characters.
+	//
+	// When omitted, the template will be calculated by the control plane
+	// machineset operator based on the region and zone defined in
+	// VSpherePlatformFailureDomainSpec.
+	// For example, for zone=zonea, region=region1, and infrastructure name=test,
+	// the template path would be calculated as /<datacenter>/vm/test-rhcos-region1-zonea.
+	Template *string `json:"template,omitempty"`
 }
 
 // VSpherePlatformTopologyApplyConfiguration constructs a declarative configuration of the VSpherePlatformTopology type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformvcenterspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformvcenterspec.go
index ff652761863cf..6a05ec6b6ab3f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformvcenterspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformvcenterspec.go
@@ -4,9 +4,24 @@ package v1
 
 // VSpherePlatformVCenterSpecApplyConfiguration represents a declarative configuration of the VSpherePlatformVCenterSpec type for use
 // with apply.
+//
+// VSpherePlatformVCenterSpec stores the vCenter connection fields.
+// This is used by the vSphere CCM.
 type VSpherePlatformVCenterSpecApplyConfiguration struct {
-	Server      *string  `json:"server,omitempty"`
-	Port        *int32   `json:"port,omitempty"`
+	// server is the fully-qualified domain name or the IP address of the vCenter server.
+	// ---
+	Server *string `json:"server,omitempty"`
+	// port is the TCP port that will be used to communicate to
+	// the vCenter endpoint.
+	// When omitted, this means the user has no opinion and
+	// it is up to the platform to choose a sensible default,
+	// which is subject to change over time.
+	Port *int32 `json:"port,omitempty"`
+	// The vCenter Datacenters in which the RHCOS
+	// vm guests are located. This field will
+	// be used by the Cloud Controller Manager.
+	// Each datacenter listed here should be used within
+	// a topology.
 	Datacenters []string `json:"datacenters,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/webhooktokenauthenticator.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/webhooktokenauthenticator.go
index 4ed9e2d2d4907..24caa55d8f6ef 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/webhooktokenauthenticator.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/webhooktokenauthenticator.go
@@ -4,7 +4,20 @@ package v1
 
 // WebhookTokenAuthenticatorApplyConfiguration represents a declarative configuration of the WebhookTokenAuthenticator type for use
 // with apply.
+//
+// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
 type WebhookTokenAuthenticatorApplyConfiguration struct {
+	// kubeConfig references a secret that contains kube config file data which
+	// describes how to access the remote webhook service.
+	// The namespace for the referenced secret is openshift-config.
+	//
+	// For further details, see:
+	//
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	//
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
 	KubeConfig *SecretNameReferenceApplyConfiguration `json:"kubeConfig,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagerconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagerconfig.go
index 44b5aa40b3e9a..6ba6270f3f074 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagerconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagerconfig.go
@@ -8,9 +8,21 @@ import (
 
 // AlertmanagerConfigApplyConfiguration represents a declarative configuration of the AlertmanagerConfig type for use
 // with apply.
+//
+// alertmanagerConfig provides configuration options for the default Alertmanager instance
+// that runs in the `openshift-monitoring` namespace. Use this configuration to control
+// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.
 type AlertmanagerConfigApplyConfiguration struct {
-	DeploymentMode *configv1alpha1.AlertManagerDeployMode      `json:"deploymentMode,omitempty"`
-	CustomConfig   *AlertmanagerCustomConfigApplyConfiguration `json:"customConfig,omitempty"`
+	// deploymentMode determines whether the default Alertmanager instance should be deployed
+	// as part of the monitoring stack.
+	// Allowed values are Disabled, DefaultConfig, and CustomConfig.
+	// When set to Disabled, the Alertmanager instance will not be deployed.
+	// When set to DefaultConfig, the platform will deploy Alertmanager with default settings.
+	// When set to CustomConfig, the Alertmanager will be deployed with custom configuration.
+	DeploymentMode *configv1alpha1.AlertManagerDeployMode `json:"deploymentMode,omitempty"`
+	// customConfig must be set when deploymentMode is CustomConfig, and must be unset otherwise.
+	// When set to CustomConfig, the Alertmanager will be deployed with custom configuration.
+	CustomConfig *AlertmanagerCustomConfigApplyConfiguration `json:"customConfig,omitempty"`
 }
 
 // AlertmanagerConfigApplyConfiguration constructs a declarative configuration of the AlertmanagerConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go
index c22f3232b4081..ebc4e4a6be343 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go
@@ -9,14 +9,94 @@ import (
 
 // AlertmanagerCustomConfigApplyConfiguration represents a declarative configuration of the AlertmanagerCustomConfig type for use
 // with apply.
+//
+// AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment.
+// alertmanagerCustomConfig provides configuration options for the default Alertmanager instance
+// that runs in the `openshift-monitoring` namespace. Use this configuration to control
+// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.
 type AlertmanagerCustomConfigApplyConfiguration struct {
-	LogLevel                  *configv1alpha1.LogLevel              `json:"logLevel,omitempty"`
-	NodeSelector              map[string]string                     `json:"nodeSelector,omitempty"`
-	Resources                 []ContainerResourceApplyConfiguration `json:"resources,omitempty"`
-	Secrets                   []configv1alpha1.SecretName           `json:"secrets,omitempty"`
-	Tolerations               []v1.Toleration                       `json:"tolerations,omitempty"`
-	TopologySpreadConstraints []v1.TopologySpreadConstraint         `json:"topologySpreadConstraints,omitempty"`
-	VolumeClaimTemplate       *v1.PersistentVolumeClaim             `json:"volumeClaimTemplate,omitempty"`
+	// logLevel defines the verbosity of logs emitted by Alertmanager.
+	// This field allows users to control the amount and severity of logs generated, which can be useful
+	// for debugging issues or reducing noise in production environments.
+	// Allowed values are Error, Warn, Info, and Debug.
+	// When set to Error, only errors will be logged.
+	// When set to Warn, both warnings and errors will be logged.
+	// When set to Info, general information, warnings, and errors will all be logged.
+	// When set to Debug, detailed debugging information will be logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Info`.
+	LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"`
+	// nodeSelector defines the nodes on which the Pods are scheduled
+	// nodeSelector is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default value is `kubernetes.io/os: linux`.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// resources defines the compute resource requests and limits for the Alertmanager container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	// resources:
+	// - name: cpu
+	// request: 4m
+	// limit: null
+	// - name: memory
+	// request: 40Mi
+	// limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"`
+	// secrets defines a list of secrets that need to be mounted into the Alertmanager.
+	// The secrets must reside within the same namespace as the Alertmanager object.
+	// They will be added as volumes named secret-<secret-name> and mounted at
+	// /etc/alertmanager/secrets/<secret-name> within the 'alertmanager' container of
+	// the Alertmanager Pods.
+	//
+	// These secrets can be used to authenticate Alertmanager with endpoint receivers.
+	// For example, you can use secrets to:
+	// - Provide certificates for TLS authentication with receivers that require private CA certificates
+	// - Store credentials for Basic HTTP authentication with receivers that require password-based auth
+	// - Store any other authentication credentials needed by your alert receivers
+	//
+	// This field is optional.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Entries in this list must be unique.
+	Secrets []configv1alpha1.SecretName `json:"secrets,omitempty"`
+	// tolerations defines tolerations for the pods.
+	// tolerations is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// Defaults are empty/unset.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+	// volumeClaimTemplate Defines persistent storage for Alertmanager. Use this setting to
+	// configure the persistent volume claim, including storage class, volume
+	// size, and name.
+	// If omitted, the Pod uses ephemeral storage and alert data will not persist
+	// across restarts.
+	// This field is optional.
+	VolumeClaimTemplate *v1.PersistentVolumeClaim `json:"volumeClaimTemplate,omitempty"`
 }
 
 // AlertmanagerCustomConfigApplyConfiguration constructs a declarative configuration of the AlertmanagerCustomConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/audit.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/audit.go
index 9caf3a0384e94..f58feeb54a929 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/audit.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/audit.go
@@ -8,7 +8,18 @@ import (
 
 // AuditApplyConfiguration represents a declarative configuration of the Audit type for use
 // with apply.
+//
+// Audit profile configurations
 type AuditApplyConfiguration struct {
+	// profile is a required field for configuring the audit log level of the Kubernetes Metrics Server.
+	// Allowed values are None, Metadata, Request, or RequestResponse.
+	// When set to None, audit logging is disabled and no audit events are recorded.
+	// When set to Metadata, only request metadata (such as requesting user, timestamp, resource, verb, etc.) is logged, but not the request or response body.
+	// When set to Request, event metadata and the request body are logged, but not the response body.
+	// When set to RequestResponse, event metadata, request body, and response body are all logged, providing the most detailed audit information.
+	//
+	// See: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy
+	// for more information about auditing and log levels.
 	Profile *configv1alpha1.AuditProfile `json:"profile,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backup.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backup.go
index b9a92ae68e881..f1abc8ab77669 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backup.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backup.go
@@ -13,11 +13,19 @@ import (
 
 // BackupApplyConfiguration represents a declarative configuration of the Backup type for use
 // with apply.
+//
+// Backup provides configuration for performing backups of the openshift cluster.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type BackupApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *BackupSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                           *configv1alpha1.BackupStatus  `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *BackupSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1alpha1.BackupStatus `json:"status,omitempty"`
 }
 
 // Backup constructs a declarative configuration of the Backup type for use with
@@ -30,6 +38,26 @@ func Backup(name string) *BackupApplyConfiguration {
 	return b
 }
 
+// ExtractBackupFrom extracts the applied configuration owned by fieldManager from
+// backup for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// backup must be a unmodified Backup API object that was retrieved from the Kubernetes API.
+// ExtractBackupFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractBackupFrom(backup *configv1alpha1.Backup, fieldManager string, subresource string) (*BackupApplyConfiguration, error) {
+	b := &BackupApplyConfiguration{}
+	err := managedfields.ExtractInto(backup, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.Backup"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(backup.Name)
+
+	b.WithKind("Backup")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractBackup extracts the applied configuration owned by fieldManager from
 // backup. If no managedFields are found in backup for fieldManager, a
 // BackupApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func Backup(name string) *BackupApplyConfiguration {
 // ExtractBackup provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractBackup(backup *configv1alpha1.Backup, fieldManager string) (*BackupApplyConfiguration, error) {
-	return extractBackup(backup, fieldManager, "")
+	return ExtractBackupFrom(backup, fieldManager, "")
 }
 
-// ExtractBackupStatus is the same as ExtractBackup except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractBackupStatus extracts the applied configuration owned by fieldManager from
+// backup for the status subresource.
 func ExtractBackupStatus(backup *configv1alpha1.Backup, fieldManager string) (*BackupApplyConfiguration, error) {
-	return extractBackup(backup, fieldManager, "status")
+	return ExtractBackupFrom(backup, fieldManager, "status")
 }
 
-func extractBackup(backup *configv1alpha1.Backup, fieldManager string, subresource string) (*BackupApplyConfiguration, error) {
-	b := &BackupApplyConfiguration{}
-	err := managedfields.ExtractInto(backup, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.Backup"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(backup.Name)
-
-	b.WithKind("Backup")
-	b.WithAPIVersion("config.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b BackupApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backupspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backupspec.go
index 9bca4aca57770..01ff3f7dc8f28 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backupspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/backupspec.go
@@ -5,6 +5,7 @@ package v1alpha1
 // BackupSpecApplyConfiguration represents a declarative configuration of the BackupSpec type for use
 // with apply.
 type BackupSpecApplyConfiguration struct {
+	// etcd specifies the configuration for periodic backups of the etcd cluster
 	EtcdBackupSpec *EtcdBackupSpecApplyConfiguration `json:"etcd,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go
index 36b6250b46ed6..19a6917f99012 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go
@@ -13,11 +13,19 @@ import (
 
 // ClusterImagePolicyApplyConfiguration represents a declarative configuration of the ClusterImagePolicy type for use
 // with apply.
+//
+// # ClusterImagePolicy holds cluster-wide configuration for image signature verification
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type ClusterImagePolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ClusterImagePolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec contains the configuration for the cluster image policy.
+	Spec *ClusterImagePolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *ClusterImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ClusterImagePolicy constructs a declarative configuration of the ClusterImagePolicy type for use with
@@ -30,6 +38,26 @@ func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration {
 	return b
 }
 
+// ExtractClusterImagePolicyFrom extracts the applied configuration owned by fieldManager from
+// clusterImagePolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterImagePolicy must be a unmodified ClusterImagePolicy API object that was retrieved from the Kubernetes API.
+// ExtractClusterImagePolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterImagePolicyFrom(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) {
+	b := &ClusterImagePolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ClusterImagePolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterImagePolicy.Name)
+
+	b.WithKind("ClusterImagePolicy")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractClusterImagePolicy extracts the applied configuration owned by fieldManager from
 // clusterImagePolicy. If no managedFields are found in clusterImagePolicy for fieldManager, a
 // ClusterImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func ClusterImagePolicy(name string) *ClusterImagePolicyApplyConfiguration {
 // ExtractClusterImagePolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterImagePolicy(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) {
-	return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "")
+	return ExtractClusterImagePolicyFrom(clusterImagePolicy, fieldManager, "")
 }
 
-// ExtractClusterImagePolicyStatus is the same as ExtractClusterImagePolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterImagePolicyStatus extracts the applied configuration owned by fieldManager from
+// clusterImagePolicy for the status subresource.
 func ExtractClusterImagePolicyStatus(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string) (*ClusterImagePolicyApplyConfiguration, error) {
-	return extractClusterImagePolicy(clusterImagePolicy, fieldManager, "status")
+	return ExtractClusterImagePolicyFrom(clusterImagePolicy, fieldManager, "status")
 }
 
-func extractClusterImagePolicy(clusterImagePolicy *configv1alpha1.ClusterImagePolicy, fieldManager string, subresource string) (*ClusterImagePolicyApplyConfiguration, error) {
-	b := &ClusterImagePolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterImagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ClusterImagePolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterImagePolicy.Name)
-
-	b.WithKind("ClusterImagePolicy")
-	b.WithAPIVersion("config.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b ClusterImagePolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go
index e4a3470c45736..135aa592aa2a9 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go
@@ -8,9 +8,24 @@ import (
 
 // ClusterImagePolicySpecApplyConfiguration represents a declarative configuration of the ClusterImagePolicySpec type for use
 // with apply.
+//
+// CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource.
 type ClusterImagePolicySpecApplyConfiguration struct {
+	// scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
 	Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"`
-	Policy *PolicyApplyConfiguration   `json:"policy,omitempty"`
+	// policy contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"`
 }
 
 // ClusterImagePolicySpecApplyConfiguration constructs a declarative configuration of the ClusterImagePolicySpec type for use with
@@ -32,7 +47,7 @@ func (b *ClusterImagePolicySpecApplyConfiguration) WithScopes(values ...configv1
 // WithPolicy sets the Policy field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Policy field is set to the value of the last call.
-func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration {
+func (b *ClusterImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ClusterImagePolicySpecApplyConfiguration {
 	b.Policy = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go
index b5b4a82581723..e01b2cac3429f 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go
@@ -9,6 +9,7 @@ import (
 // ClusterImagePolicyStatusApplyConfiguration represents a declarative configuration of the ClusterImagePolicyStatus type for use
 // with apply.
 type ClusterImagePolicyStatusApplyConfiguration struct {
+	// conditions provide details on the status of this API Resource.
 	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoring.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoring.go
index c788283cf8f21..155e5328bbc70 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoring.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoring.go
@@ -13,11 +13,19 @@ import (
 
 // ClusterMonitoringApplyConfiguration represents a declarative configuration of the ClusterMonitoring type for use
 // with apply.
+//
+// ClusterMonitoring is the Custom Resource object which holds the current status of Cluster Monitoring Operator. CMO is a central component of the monitoring stack.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// ClusterMonitoring is the Schema for the Cluster Monitoring Operators API
 type ClusterMonitoringApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object metadata.
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ClusterMonitoringSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                           *configv1alpha1.ClusterMonitoringStatus  `json:"status,omitempty"`
+	// spec holds user configuration for the Cluster Monitoring Operator
+	Spec *ClusterMonitoringSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1alpha1.ClusterMonitoringStatus `json:"status,omitempty"`
 }
 
 // ClusterMonitoring constructs a declarative configuration of the ClusterMonitoring type for use with
@@ -30,6 +38,26 @@ func ClusterMonitoring(name string) *ClusterMonitoringApplyConfiguration {
 	return b
 }
 
+// ExtractClusterMonitoringFrom extracts the applied configuration owned by fieldManager from
+// clusterMonitoring for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterMonitoring must be a unmodified ClusterMonitoring API object that was retrieved from the Kubernetes API.
+// ExtractClusterMonitoringFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterMonitoringFrom(clusterMonitoring *configv1alpha1.ClusterMonitoring, fieldManager string, subresource string) (*ClusterMonitoringApplyConfiguration, error) {
+	b := &ClusterMonitoringApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterMonitoring, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ClusterMonitoring"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterMonitoring.Name)
+
+	b.WithKind("ClusterMonitoring")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractClusterMonitoring extracts the applied configuration owned by fieldManager from
 // clusterMonitoring. If no managedFields are found in clusterMonitoring for fieldManager, a
 // ClusterMonitoringApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func ClusterMonitoring(name string) *ClusterMonitoringApplyConfiguration {
 // ExtractClusterMonitoring provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterMonitoring(clusterMonitoring *configv1alpha1.ClusterMonitoring, fieldManager string) (*ClusterMonitoringApplyConfiguration, error) {
-	return extractClusterMonitoring(clusterMonitoring, fieldManager, "")
+	return ExtractClusterMonitoringFrom(clusterMonitoring, fieldManager, "")
 }
 
-// ExtractClusterMonitoringStatus is the same as ExtractClusterMonitoring except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterMonitoringStatus extracts the applied configuration owned by fieldManager from
+// clusterMonitoring for the status subresource.
 func ExtractClusterMonitoringStatus(clusterMonitoring *configv1alpha1.ClusterMonitoring, fieldManager string) (*ClusterMonitoringApplyConfiguration, error) {
-	return extractClusterMonitoring(clusterMonitoring, fieldManager, "status")
+	return ExtractClusterMonitoringFrom(clusterMonitoring, fieldManager, "status")
 }
 
-func extractClusterMonitoring(clusterMonitoring *configv1alpha1.ClusterMonitoring, fieldManager string, subresource string) (*ClusterMonitoringApplyConfiguration, error) {
-	b := &ClusterMonitoringApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterMonitoring, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ClusterMonitoring"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterMonitoring.Name)
-
-	b.WithKind("ClusterMonitoring")
-	b.WithAPIVersion("config.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b ClusterMonitoringApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go
index 7fcce84b5cf3f..7684ff01a626e 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go
@@ -4,10 +4,28 @@ package v1alpha1
 
 // ClusterMonitoringSpecApplyConfiguration represents a declarative configuration of the ClusterMonitoringSpec type for use
 // with apply.
+//
+// ClusterMonitoringSpec defines the desired state of Cluster Monitoring Operator
 type ClusterMonitoringSpecApplyConfiguration struct {
-	UserDefined         *UserDefinedMonitoringApplyConfiguration `json:"userDefined,omitempty"`
-	AlertmanagerConfig  *AlertmanagerConfigApplyConfiguration    `json:"alertmanagerConfig,omitempty"`
-	MetricsServerConfig *MetricsServerConfigApplyConfiguration   `json:"metricsServerConfig,omitempty"`
+	// userDefined set the deployment mode for user-defined monitoring in addition to the default platform monitoring.
+	// userDefined is optional.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default value is `Disabled`.
+	UserDefined *UserDefinedMonitoringApplyConfiguration `json:"userDefined,omitempty"`
+	// alertmanagerConfig allows users to configure how the default Alertmanager instance
+	// should be deployed in the `openshift-monitoring` namespace.
+	// alertmanagerConfig is optional.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `DefaultConfig`.
+	AlertmanagerConfig *AlertmanagerConfigApplyConfiguration `json:"alertmanagerConfig,omitempty"`
+	// metricsServerConfig is an optional field that can be used to configure the Kubernetes Metrics Server that runs in the openshift-monitoring namespace.
+	// Specifically, it can configure how the Metrics Server instance is deployed, pod scheduling, its audit policy and log verbosity.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	MetricsServerConfig *MetricsServerConfigApplyConfiguration `json:"metricsServerConfig,omitempty"`
+	// prometheusOperatorConfig is an optional field that can be used to configure the Prometheus Operator component.
+	// Specifically, it can configure how the Prometheus Operator instance is deployed, pod scheduling, and resource allocation.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	PrometheusOperatorConfig *PrometheusOperatorConfigApplyConfiguration `json:"prometheusOperatorConfig,omitempty"`
 }
 
 // ClusterMonitoringSpecApplyConfiguration constructs a declarative configuration of the ClusterMonitoringSpec type for use with
@@ -39,3 +57,11 @@ func (b *ClusterMonitoringSpecApplyConfiguration) WithMetricsServerConfig(value
 	b.MetricsServerConfig = value
 	return b
 }
+
+// WithPrometheusOperatorConfig sets the PrometheusOperatorConfig field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PrometheusOperatorConfig field is set to the value of the last call.
+func (b *ClusterMonitoringSpecApplyConfiguration) WithPrometheusOperatorConfig(value *PrometheusOperatorConfigApplyConfiguration) *ClusterMonitoringSpecApplyConfiguration {
+	b.PrometheusOperatorConfig = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go
index b1f3ac898dbb5..d600828b01ee1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/containerresource.go
@@ -8,10 +8,22 @@ import (
 
 // ContainerResourceApplyConfiguration represents a declarative configuration of the ContainerResource type for use
 // with apply.
+//
+// ContainerResource defines a single resource requirement for a container.
 type ContainerResourceApplyConfiguration struct {
-	Name    *string            `json:"name,omitempty"`
+	// name of the resource (e.g. "cpu", "memory", "hugepages-2Mi").
+	// This field is required.
+	// name must consist only of alphanumeric characters, `-`, `_` and `.` and must start and end with an alphanumeric character.
+	Name *string `json:"name,omitempty"`
+	// request is the minimum amount of the resource required (e.g. "2Mi", "1Gi").
+	// This field is optional.
+	// When limit is specified, request cannot be greater than limit.
 	Request *resource.Quantity `json:"request,omitempty"`
-	Limit   *resource.Quantity `json:"limit,omitempty"`
+	// limit is the maximum amount of the resource allowed (e.g. "2Mi", "1Gi").
+	// This field is optional.
+	// When request is specified, limit cannot be less than request.
+	// The value must be greater than 0 when specified.
+	Limit *resource.Quantity `json:"limit,omitempty"`
 }
 
 // ContainerResourceApplyConfiguration constructs a declarative configuration of the ContainerResource type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 0000000000000..61ef90155d1dd
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,285 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	internal "github.com/openshift/client-go/config/applyconfigurations/internal"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfig type for use
+// with apply.
+//
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+type CRIOCredentialProviderConfigApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	// spec defines the desired configuration of the CRI-O Credential Provider.
+	// This field is required and must be provided when creating the resource.
+	Spec *CRIOCredentialProviderConfigSpecApplyConfiguration `json:"spec,omitempty"`
+	// status represents the current state of the CRIOCredentialProviderConfig.
+	// When omitted or nil, it indicates that the status has not yet been set by the controller.
+	// The controller will populate this field with validation conditions and operational state.
+	Status *CRIOCredentialProviderConfigStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfig constructs a declarative configuration of the CRIOCredentialProviderConfig type for use with
+// apply.
+func CRIOCredentialProviderConfig(name string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b := &CRIOCredentialProviderConfigApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("CRIOCredentialProviderConfig")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b
+}
+
+// ExtractCRIOCredentialProviderConfigFrom extracts the applied configuration owned by fieldManager from
+// cRIOCredentialProviderConfig for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// cRIOCredentialProviderConfig must be a unmodified CRIOCredentialProviderConfig API object that was retrieved from the Kubernetes API.
+// ExtractCRIOCredentialProviderConfigFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCRIOCredentialProviderConfigFrom(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string, subresource string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	b := &CRIOCredentialProviderConfigApplyConfiguration{}
+	err := managedfields.ExtractInto(cRIOCredentialProviderConfig, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(cRIOCredentialProviderConfig.Name)
+
+	b.WithKind("CRIOCredentialProviderConfig")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
+// ExtractCRIOCredentialProviderConfig extracts the applied configuration owned by fieldManager from
+// cRIOCredentialProviderConfig. If no managedFields are found in cRIOCredentialProviderConfig for fieldManager, a
+// CRIOCredentialProviderConfigApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// cRIOCredentialProviderConfig must be a unmodified CRIOCredentialProviderConfig API object that was retrieved from the Kubernetes API.
+// ExtractCRIOCredentialProviderConfig provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractCRIOCredentialProviderConfig(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	return ExtractCRIOCredentialProviderConfigFrom(cRIOCredentialProviderConfig, fieldManager, "")
+}
+
+// ExtractCRIOCredentialProviderConfigStatus extracts the applied configuration owned by fieldManager from
+// cRIOCredentialProviderConfig for the status subresource.
+func ExtractCRIOCredentialProviderConfigStatus(cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, fieldManager string) (*CRIOCredentialProviderConfigApplyConfiguration, error) {
+	return ExtractCRIOCredentialProviderConfigFrom(cRIOCredentialProviderConfig, fieldManager, "status")
+}
+
+func (b CRIOCredentialProviderConfigApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithKind(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAPIVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGenerateName(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithNamespace(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithUID(value types.UID) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithResourceVersion(value string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithGeneration(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithLabels(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithAnnotations(entries map[string]string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithFinalizers(values ...string) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CRIOCredentialProviderConfigApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithSpec(value *CRIOCredentialProviderConfigSpecApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) WithStatus(value *CRIOCredentialProviderConfigStatusApplyConfiguration) *CRIOCredentialProviderConfigApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *CRIOCredentialProviderConfigApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
new file mode 100644
index 0000000000000..6f37cef51af76
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigspec.go
@@ -0,0 +1,72 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+)
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigSpec type for use
+// with apply.
+//
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpecApplyConfiguration struct {
+	// matchImages is a list of string patterns used to determine whether
+	// the CRI-O credential provider should be invoked for a given image. This list is
+	// passed to the kubelet CredentialProviderConfig, and if any pattern matches
+	// the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+	// that image or its mirrors.
+	// Depending on the platform, the CRI-O credential provider may be installed alongside an existing platform specific provider.
+	// Conflicts between the existing platform specific provider image match configuration and this list will be handled by
+	// the following precedence rule: credentials from built-in kubelet providers (e.g., ECR, GCR, ACR) take precedence over those
+	// from the CRIOCredentialProviderConfig when both match the same image.
+	// To avoid uncertainty, it is recommended to avoid configuring your private image patterns to overlap with
+	// existing platform specific provider config(e.g., the entries from https://github.com/openshift/machine-config-operator/blob/main/templates/common/aws/files/etc-kubernetes-credential-providers-ecr-credential-provider.yaml).
+	// You can check the resource's Status conditions
+	// to see if any entries were ignored due to exact matches with known built-in provider patterns.
+	//
+	// This field is optional, the items of the list must contain between 1 and 50 entries.
+	// The list is treated as a set, so duplicate entries are not allowed.
+	//
+	// For more details, see:
+	// https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+	// https://github.com/cri-o/crio-credential-provider#architecture
+	//
+	// Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry must be no longer than 512 characters.
+	// Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+	// and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+	// A global wildcard '*' (matching any domain) is not allowed.
+	// Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+	// For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+	// Each wildcard matches only a single domain label,
+	// so '*.io' does **not** match '*.k8s.io'.
+	//
+	// A match exists between an image and a matchImage when all of the below are true:
+	// Both contain the same number of domain parts and each part matches.
+	// The URL path of an matchImages must be a prefix of the target image URL path.
+	// If the matchImages contains a port, then the port must match in the image as well.
+	//
+	// Example values of matchImages:
+	// - 123456789.dkr.ecr.us-east-1.amazonaws.com
+	// - *.azurecr.io
+	// - gcr.io
+	// - *.*.registry.io
+	// - registry.io:8080/path
+	MatchImages []configv1alpha1.MatchImage `json:"matchImages,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpecApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigSpec type for use with
+// apply.
+func CRIOCredentialProviderConfigSpec() *CRIOCredentialProviderConfigSpecApplyConfiguration {
+	return &CRIOCredentialProviderConfigSpecApplyConfiguration{}
+}
+
+// WithMatchImages adds the given value to the MatchImages field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchImages field.
+func (b *CRIOCredentialProviderConfigSpecApplyConfiguration) WithMatchImages(values ...configv1alpha1.MatchImage) *CRIOCredentialProviderConfigSpecApplyConfiguration {
+	for i := range values {
+		b.MatchImages = append(b.MatchImages, values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
new file mode 100644
index 0000000000000..090b044a58221
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/criocredentialproviderconfigstatus.go
@@ -0,0 +1,41 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration represents a declarative configuration of the CRIOCredentialProviderConfigStatus type for use
+// with apply.
+//
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+type CRIOCredentialProviderConfigStatusApplyConfiguration struct {
+	// conditions represent the latest available observations of the configuration state.
+	// When omitted, it indicates that no conditions have been reported yet.
+	// The maximum number of conditions is 16.
+	// Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+	//
+	// Expected condition types include:
+	// "Validated": indicates whether the matchImages configuration is valid
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// CRIOCredentialProviderConfigStatusApplyConfiguration constructs a declarative configuration of the CRIOCredentialProviderConfigStatus type for use with
+// apply.
+func CRIOCredentialProviderConfigStatus() *CRIOCredentialProviderConfigStatusApplyConfiguration {
+	return &CRIOCredentialProviderConfigStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CRIOCredentialProviderConfigStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *CRIOCredentialProviderConfigStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/etcdbackupspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/etcdbackupspec.go
index ab631f302cbae..edef778d810ee 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/etcdbackupspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/etcdbackupspec.go
@@ -4,11 +4,27 @@ package v1alpha1
 
 // EtcdBackupSpecApplyConfiguration represents a declarative configuration of the EtcdBackupSpec type for use
 // with apply.
+//
+// EtcdBackupSpec provides configuration for automated etcd backups to the cluster-etcd-operator
 type EtcdBackupSpecApplyConfiguration struct {
-	Schedule        *string                            `json:"schedule,omitempty"`
-	TimeZone        *string                            `json:"timeZone,omitempty"`
+	// schedule defines the recurring backup schedule in Cron format
+	// every 2 hours: 0 */2 * * *
+	// every day at 3am: 0 3 * * *
+	// Empty string means no opinion and the platform is left to choose a reasonable default which is subject to change without notice.
+	// The current default is "no backups", but will change in the future.
+	Schedule *string `json:"schedule,omitempty"`
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// See https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	TimeZone *string `json:"timeZone,omitempty"`
+	// retentionPolicy defines the retention policy for retaining and deleting existing backups.
 	RetentionPolicy *RetentionPolicyApplyConfiguration `json:"retentionPolicy,omitempty"`
-	PVCName         *string                            `json:"pvcName,omitempty"`
+	// pvcName specifies the name of the PersistentVolumeClaim (PVC) which binds a PersistentVolume where the
+	// etcd backup files would be saved
+	// The PVC itself must always be created in the "openshift-etcd" namespace
+	// If the PVC is left unspecified "" then the platform will choose a reasonable default location to save the backup.
+	// In the future this would be backups saved across the control-plane master nodes.
+	PVCName *string `json:"pvcName,omitempty"`
 }
 
 // EtcdBackupSpecApplyConfiguration constructs a declarative configuration of the EtcdBackupSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go
deleted file mode 100644
index 2a907a7e9729b..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/fulciocawithrekor.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// FulcioCAWithRekorApplyConfiguration represents a declarative configuration of the FulcioCAWithRekor type for use
-// with apply.
-type FulcioCAWithRekorApplyConfiguration struct {
-	FulcioCAData  []byte                                 `json:"fulcioCAData,omitempty"`
-	RekorKeyData  []byte                                 `json:"rekorKeyData,omitempty"`
-	FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"`
-}
-
-// FulcioCAWithRekorApplyConfiguration constructs a declarative configuration of the FulcioCAWithRekor type for use with
-// apply.
-func FulcioCAWithRekor() *FulcioCAWithRekorApplyConfiguration {
-	return &FulcioCAWithRekorApplyConfiguration{}
-}
-
-// WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the FulcioCAData field.
-func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioCAData(values ...byte) *FulcioCAWithRekorApplyConfiguration {
-	for i := range values {
-		b.FulcioCAData = append(b.FulcioCAData, values[i])
-	}
-	return b
-}
-
-// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
-func (b *FulcioCAWithRekorApplyConfiguration) WithRekorKeyData(values ...byte) *FulcioCAWithRekorApplyConfiguration {
-	for i := range values {
-		b.RekorKeyData = append(b.RekorKeyData, values[i])
-	}
-	return b
-}
-
-// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the FulcioSubject field is set to the value of the last call.
-func (b *FulcioCAWithRekorApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *FulcioCAWithRekorApplyConfiguration {
-	b.FulcioSubject = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/gatherconfig.go
index 2e6395ccde492..c5748c3d761ba 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/gatherconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/gatherconfig.go
@@ -8,10 +8,28 @@ import (
 
 // GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use
 // with apply.
+//
+// gatherConfig provides data gathering configuration options.
 type GatherConfigApplyConfiguration struct {
-	DataPolicy        *configv1alpha1.DataPolicy        `json:"dataPolicy,omitempty"`
+	// dataPolicy allows user to enable additional global obfuscation of the IP addresses and base domain in the Insights archive data.
+	// Valid values are "None" and "ObfuscateNetworking".
+	// When set to None the data is not obfuscated.
+	// When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	DataPolicy *configv1alpha1.DataPolicy `json:"dataPolicy,omitempty"`
+	// disabledGatherers is a list of gatherers to be excluded from the gathering. All the gatherers can be disabled by providing "all" value.
+	// If all the gatherers are disabled, the Insights operator does not gather any data.
+	// The format for the disabledGatherer should be: {gatherer}/{function} where the function is optional.
+	// Gatherer consists of a lowercase letters only that may include underscores (_).
+	// Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+	// The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	// An example of disabling gatherers looks like this: `disabledGatherers: ["clusterconfig/machine_configs", "workloads/workload_info"]`
 	DisabledGatherers []configv1alpha1.DisabledGatherer `json:"disabledGatherers,omitempty"`
-	StorageSpec       *StorageApplyConfiguration        `json:"storage,omitempty"`
+	// storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+	// If omitted, the gathering job will use ephemeral storage.
+	StorageSpec *StorageApplyConfiguration `json:"storage,omitempty"`
 }
 
 // GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go
index 0a8fcee7411a8..68a813c1afc96 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go
@@ -13,11 +13,19 @@ import (
 
 // ImagePolicyApplyConfiguration represents a declarative configuration of the ImagePolicy type for use
 // with apply.
+//
+// # ImagePolicy holds namespace-wide configuration for image signature verification
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type ImagePolicyApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *ImagePolicySpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *ImagePolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// status contains the observed state of the resource.
+	Status *ImagePolicyStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ImagePolicy constructs a declarative configuration of the ImagePolicy type for use with
@@ -31,6 +39,27 @@ func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration {
 	return b
 }
 
+// ExtractImagePolicyFrom extracts the applied configuration owned by fieldManager from
+// imagePolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imagePolicy must be a unmodified ImagePolicy API object that was retrieved from the Kubernetes API.
+// ExtractImagePolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImagePolicyFrom(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) {
+	b := &ImagePolicyApplyConfiguration{}
+	err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ImagePolicy"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imagePolicy.Name)
+	b.WithNamespace(imagePolicy.Namespace)
+
+	b.WithKind("ImagePolicy")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractImagePolicy extracts the applied configuration owned by fieldManager from
 // imagePolicy. If no managedFields are found in imagePolicy for fieldManager, a
 // ImagePolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +70,16 @@ func ImagePolicy(name, namespace string) *ImagePolicyApplyConfiguration {
 // ExtractImagePolicy provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImagePolicy(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) {
-	return extractImagePolicy(imagePolicy, fieldManager, "")
+	return ExtractImagePolicyFrom(imagePolicy, fieldManager, "")
 }
 
-// ExtractImagePolicyStatus is the same as ExtractImagePolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractImagePolicyStatus extracts the applied configuration owned by fieldManager from
+// imagePolicy for the status subresource.
 func ExtractImagePolicyStatus(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string) (*ImagePolicyApplyConfiguration, error) {
-	return extractImagePolicy(imagePolicy, fieldManager, "status")
+	return ExtractImagePolicyFrom(imagePolicy, fieldManager, "status")
 }
 
-func extractImagePolicy(imagePolicy *configv1alpha1.ImagePolicy, fieldManager string, subresource string) (*ImagePolicyApplyConfiguration, error) {
-	b := &ImagePolicyApplyConfiguration{}
-	err := managedfields.ExtractInto(imagePolicy, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.ImagePolicy"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imagePolicy.Name)
-	b.WithNamespace(imagePolicy.Namespace)
-
-	b.WithKind("ImagePolicy")
-	b.WithAPIVersion("config.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b ImagePolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go
new file mode 100644
index 0000000000000..c9299e50000e0
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go
@@ -0,0 +1,52 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration struct {
+	// fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA.
+	// fulcioCAData must be at most 8192 characters.
+	FulcioCAData []byte `json:"fulcioCAData,omitempty"`
+	// rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+	// fulcioSubject specifies OIDC issuer and the email of the Fulcio authentication configuration.
+	FulcioSubject *PolicyFulcioSubjectApplyConfiguration `json:"fulcioSubject,omitempty"`
+}
+
+// ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyFulcioCAWithRekorRootOfTrust type for use with
+// apply.
+func ImagePolicyFulcioCAWithRekorRootOfTrust() *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	return &ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{}
+}
+
+// WithFulcioCAData adds the given value to the FulcioCAData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the FulcioCAData field.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioCAData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.FulcioCAData = append(b.FulcioCAData, values[i])
+	}
+	return b
+}
+
+// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.RekorKeyData = append(b.RekorKeyData, values[i])
+	}
+	return b
+}
+
+// WithFulcioSubject sets the FulcioSubject field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the FulcioSubject field is set to the value of the last call.
+func (b *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) WithFulcioSubject(value *PolicyFulcioSubjectApplyConfiguration) *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration {
+	b.FulcioSubject = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go
new file mode 100644
index 0000000000000..42c3c0aa7cc9b
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go
@@ -0,0 +1,51 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ImagePolicyPKIRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPKIRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrustApplyConfiguration struct {
+	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
+	CertificateAuthorityRootsData []byte `json:"caRootsData,omitempty"`
+	// caIntermediatesData contains base64-encoded data of a certificate bundle PEM file, which contains one or more intermediate certificates in the PEM format. The total length of the data must not exceed 8192 characters.
+	// caIntermediatesData requires caRootsData to be set.
+	CertificateAuthorityIntermediatesData []byte `json:"caIntermediatesData,omitempty"`
+	// pkiCertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
+	PKICertificateSubject *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"`
+}
+
+// ImagePolicyPKIRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPKIRootOfTrust type for use with
+// apply.
+func ImagePolicyPKIRootOfTrust() *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	return &ImagePolicyPKIRootOfTrustApplyConfiguration{}
+}
+
+// WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i])
+	}
+	return b
+}
+
+// WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i])
+	}
+	return b
+}
+
+// WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PKICertificateSubject field is set to the value of the last call.
+func (b *ImagePolicyPKIRootOfTrustApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *ImagePolicyPKIRootOfTrustApplyConfiguration {
+	b.PKICertificateSubject = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go
new file mode 100644
index 0000000000000..317b1be6ad013
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go
@@ -0,0 +1,42 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ImagePolicyPublicKeyRootOfTrustApplyConfiguration represents a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use
+// with apply.
+//
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrustApplyConfiguration struct {
+	// keyData contains inline base64-encoded data for the PEM format public key.
+	// KeyData must be at most 8192 characters.
+	KeyData []byte `json:"keyData,omitempty"`
+	// rekorKeyData contains inline base64-encoded data for the PEM format from the Rekor public key.
+	// rekorKeyData must be at most 8192 characters.
+	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
+}
+
+// ImagePolicyPublicKeyRootOfTrustApplyConfiguration constructs a declarative configuration of the ImagePolicyPublicKeyRootOfTrust type for use with
+// apply.
+func ImagePolicyPublicKeyRootOfTrust() *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	return &ImagePolicyPublicKeyRootOfTrustApplyConfiguration{}
+}
+
+// WithKeyData adds the given value to the KeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the KeyData field.
+func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.KeyData = append(b.KeyData, values[i])
+	}
+	return b
+}
+
+// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
+func (b *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) WithRekorKeyData(values ...byte) *ImagePolicyPublicKeyRootOfTrustApplyConfiguration {
+	for i := range values {
+		b.RekorKeyData = append(b.RekorKeyData, values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go
index ac08e9cf4e53a..0d8cbf64b7110 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go
@@ -8,9 +8,24 @@ import (
 
 // ImagePolicySpecApplyConfiguration represents a declarative configuration of the ImagePolicySpec type for use
 // with apply.
+//
+// ImagePolicySpec is the specification of the ImagePolicy CRD.
 type ImagePolicySpecApplyConfiguration struct {
+	// scopes defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2".
+	// Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest).
+	// More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository
+	// namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number).
+	// Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e.  *.example.com is a valid case, but example*.*.com is not.
+	// If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored.
+	// In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories
+	// quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation.
+	// If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied.
+	// For additional details about the format, please refer to the document explaining the docker transport field,
+	// which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
 	Scopes []configv1alpha1.ImageScope `json:"scopes,omitempty"`
-	Policy *PolicyApplyConfiguration   `json:"policy,omitempty"`
+	// policy contains configuration to allow scopes to be verified, and defines how
+	// images not matching the verification policy will be treated.
+	Policy *ImageSigstoreVerificationPolicyApplyConfiguration `json:"policy,omitempty"`
 }
 
 // ImagePolicySpecApplyConfiguration constructs a declarative configuration of the ImagePolicySpec type for use with
@@ -32,7 +47,7 @@ func (b *ImagePolicySpecApplyConfiguration) WithScopes(values ...configv1alpha1.
 // WithPolicy sets the Policy field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Policy field is set to the value of the last call.
-func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *PolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration {
+func (b *ImagePolicySpecApplyConfiguration) WithPolicy(value *ImageSigstoreVerificationPolicyApplyConfiguration) *ImagePolicySpecApplyConfiguration {
 	b.Policy = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go
index d5c664772d953..59fc11856150c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go
@@ -9,6 +9,7 @@ import (
 // ImagePolicyStatusApplyConfiguration represents a declarative configuration of the ImagePolicyStatus type for use
 // with apply.
 type ImagePolicyStatusApplyConfiguration struct {
+	// conditions provide details on the status of this API Resource.
 	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go
new file mode 100644
index 0000000000000..3fa4e27478338
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go
@@ -0,0 +1,36 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ImageSigstoreVerificationPolicyApplyConfiguration represents a declarative configuration of the ImageSigstoreVerificationPolicy type for use
+// with apply.
+//
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicyApplyConfiguration struct {
+	// rootOfTrust specifies the root of trust for the policy.
+	RootOfTrust *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"`
+	// signedIdentity specifies what image identity the signature claims about the image. The required matchPolicy field specifies the approach used in the verification process to verify the identity in the signature and the actual image identity, the default matchPolicy is "MatchRepoDigestOrExact".
+	SignedIdentity *PolicyIdentityApplyConfiguration `json:"signedIdentity,omitempty"`
+}
+
+// ImageSigstoreVerificationPolicyApplyConfiguration constructs a declarative configuration of the ImageSigstoreVerificationPolicy type for use with
+// apply.
+func ImageSigstoreVerificationPolicy() *ImageSigstoreVerificationPolicyApplyConfiguration {
+	return &ImageSigstoreVerificationPolicyApplyConfiguration{}
+}
+
+// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RootOfTrust field is set to the value of the last call.
+func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration {
+	b.RootOfTrust = value
+	return b
+}
+
+// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SignedIdentity field is set to the value of the last call.
+func (b *ImageSigstoreVerificationPolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *ImageSigstoreVerificationPolicyApplyConfiguration {
+	b.SignedIdentity = value
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagather.go
index f96ab510175ff..5f47a1a7188bc 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagather.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagather.go
@@ -13,11 +13,19 @@ import (
 
 // InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use
 // with apply.
+//
+// InsightsDataGather provides data gather configuration options for the the Insights Operator.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type InsightsDataGatherApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                           *configv1alpha1.InsightsDataGatherStatus  `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1alpha1.InsightsDataGatherStatus `json:"status,omitempty"`
 }
 
 // InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with
@@ -30,6 +38,26 @@ func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration {
 	return b
 }
 
+// ExtractInsightsDataGatherFrom extracts the applied configuration owned by fieldManager from
+// insightsDataGather for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API.
+// ExtractInsightsDataGatherFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractInsightsDataGatherFrom(insightsDataGather *configv1alpha1.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) {
+	b := &InsightsDataGatherApplyConfiguration{}
+	err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.InsightsDataGather"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(insightsDataGather.Name)
+
+	b.WithKind("InsightsDataGather")
+	b.WithAPIVersion("config.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from
 // insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a
 // InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration {
 // ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractInsightsDataGather(insightsDataGather *configv1alpha1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) {
-	return extractInsightsDataGather(insightsDataGather, fieldManager, "")
+	return ExtractInsightsDataGatherFrom(insightsDataGather, fieldManager, "")
 }
 
-// ExtractInsightsDataGatherStatus is the same as ExtractInsightsDataGather except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractInsightsDataGatherStatus extracts the applied configuration owned by fieldManager from
+// insightsDataGather for the status subresource.
 func ExtractInsightsDataGatherStatus(insightsDataGather *configv1alpha1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) {
-	return extractInsightsDataGather(insightsDataGather, fieldManager, "status")
+	return ExtractInsightsDataGatherFrom(insightsDataGather, fieldManager, "status")
 }
 
-func extractInsightsDataGather(insightsDataGather *configv1alpha1.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) {
-	b := &InsightsDataGatherApplyConfiguration{}
-	err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1alpha1.InsightsDataGather"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(insightsDataGather.Name)
-
-	b.WithKind("InsightsDataGather")
-	b.WithAPIVersion("config.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b InsightsDataGatherApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagatherspec.go
index 51b0ba6295ae8..b59b9d08316c8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagatherspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/insightsdatagatherspec.go
@@ -5,6 +5,7 @@ package v1alpha1
 // InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use
 // with apply.
 type InsightsDataGatherSpecApplyConfiguration struct {
+	// gatherConfig spec attribute includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
 	GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go
index 428b7a065aef7..ea4d945563084 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metricsserverconfig.go
@@ -9,13 +9,72 @@ import (
 
 // MetricsServerConfigApplyConfiguration represents a declarative configuration of the MetricsServerConfig type for use
 // with apply.
+//
+// MetricsServerConfig provides configuration options for the Metrics Server instance
+// that runs in the `openshift-monitoring` namespace. Use this configuration to control
+// how the Metrics Server instance is deployed, how it logs, and how its pods are scheduled.
 type MetricsServerConfigApplyConfiguration struct {
-	Audit                     *AuditApplyConfiguration              `json:"audit,omitempty"`
-	NodeSelector              map[string]string                     `json:"nodeSelector,omitempty"`
-	Tolerations               []v1.Toleration                       `json:"tolerations,omitempty"`
-	Verbosity                 *configv1alpha1.VerbosityLevel        `json:"verbosity,omitempty"`
-	Resources                 []ContainerResourceApplyConfiguration `json:"resources,omitempty"`
-	TopologySpreadConstraints []v1.TopologySpreadConstraint         `json:"topologySpreadConstraints,omitempty"`
+	// audit defines the audit configuration used by the Metrics Server instance.
+	// audit is optional.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default sets audit.profile to Metadata
+	Audit *AuditApplyConfiguration `json:"audit,omitempty"`
+	// nodeSelector defines the nodes on which the Pods are scheduled
+	// nodeSelector is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default value is `kubernetes.io/os: linux`.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// tolerations defines tolerations for the pods.
+	// tolerations is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// Defaults are empty/unset.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// verbosity defines the verbosity of log messages for Metrics Server.
+	// Valid values are Errors, Info, Trace, TraceAll and omitted.
+	// When set to Errors, only critical messages and errors are logged.
+	// When set to Info, only basic information messages are logged.
+	// When set to Trace, information useful for general debugging is logged.
+	// When set to TraceAll, detailed information about metric scraping is logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Errors`
+	Verbosity *configv1alpha1.VerbosityLevel `json:"verbosity,omitempty"`
+	// resources defines the compute resource requests and limits for the Metrics Server container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	// resources:
+	// - name: cpu
+	// request: 4m
+	// limit: null
+	// - name: memory
+	// request: 40Mi
+	// limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"`
+	// topologySpreadConstraints defines rules for how Metrics Server Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }
 
 // MetricsServerConfigApplyConfiguration constructs a declarative configuration of the MetricsServerConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeclaimreference.go
index ccb7b7a69b78f..093947c7afcc7 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeclaimreference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeclaimreference.go
@@ -4,7 +4,11 @@ package v1alpha1
 
 // PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use
 // with apply.
+//
+// persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
 type PersistentVolumeClaimReferenceApplyConfiguration struct {
+	// name is a string that follows the DNS1123 subdomain format.
+	// It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeconfig.go
index 9fd4d09d34c56..0d001e282fef6 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/persistentvolumeconfig.go
@@ -4,9 +4,17 @@ package v1alpha1
 
 // PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use
 // with apply.
+//
+// persistentVolumeConfig provides configuration options for PersistentVolume storage.
 type PersistentVolumeConfigApplyConfiguration struct {
-	Claim     *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"`
-	MountPath *string                                           `json:"mountPath,omitempty"`
+	// claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// The PersistentVolumeClaim must be created in the openshift-insights namespace.
+	Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"`
+	// mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default mount path is /var/lib/insights-operator
+	// The path may not exceed 1024 characters and must not contain a colon.
+	MountPath *string `json:"mountPath,omitempty"`
 }
 
 // PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go
deleted file mode 100644
index 455abe02a2d96..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// PKIApplyConfiguration represents a declarative configuration of the PKI type for use
-// with apply.
-type PKIApplyConfiguration struct {
-	CertificateAuthorityRootsData         []byte                                   `json:"caRootsData,omitempty"`
-	CertificateAuthorityIntermediatesData []byte                                   `json:"caIntermediatesData,omitempty"`
-	PKICertificateSubject                 *PKICertificateSubjectApplyConfiguration `json:"pkiCertificateSubject,omitempty"`
-}
-
-// PKIApplyConfiguration constructs a declarative configuration of the PKI type for use with
-// apply.
-func PKI() *PKIApplyConfiguration {
-	return &PKIApplyConfiguration{}
-}
-
-// WithCertificateAuthorityRootsData adds the given value to the CertificateAuthorityRootsData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the CertificateAuthorityRootsData field.
-func (b *PKIApplyConfiguration) WithCertificateAuthorityRootsData(values ...byte) *PKIApplyConfiguration {
-	for i := range values {
-		b.CertificateAuthorityRootsData = append(b.CertificateAuthorityRootsData, values[i])
-	}
-	return b
-}
-
-// WithCertificateAuthorityIntermediatesData adds the given value to the CertificateAuthorityIntermediatesData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the CertificateAuthorityIntermediatesData field.
-func (b *PKIApplyConfiguration) WithCertificateAuthorityIntermediatesData(values ...byte) *PKIApplyConfiguration {
-	for i := range values {
-		b.CertificateAuthorityIntermediatesData = append(b.CertificateAuthorityIntermediatesData, values[i])
-	}
-	return b
-}
-
-// WithPKICertificateSubject sets the PKICertificateSubject field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the PKICertificateSubject field is set to the value of the last call.
-func (b *PKIApplyConfiguration) WithPKICertificateSubject(value *PKICertificateSubjectApplyConfiguration) *PKIApplyConfiguration {
-	b.PKICertificateSubject = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go
index bfb8a5449d511..c9c93a2806619 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go
@@ -4,8 +4,15 @@ package v1alpha1
 
 // PKICertificateSubjectApplyConfiguration represents a declarative configuration of the PKICertificateSubject type for use
 // with apply.
+//
+// PKICertificateSubject defines the requirements imposed on the subject to which the certificate was issued.
 type PKICertificateSubjectApplyConfiguration struct {
-	Email    *string `json:"email,omitempty"`
+	// email specifies the expected email address imposed on the subject to which the certificate was issued, and must match the email address listed in the Subject Alternative Name (SAN) field of the certificate.
+	// The email should be a valid email address and at most 320 characters in length.
+	Email *string `json:"email,omitempty"`
+	// hostname specifies the expected hostname imposed on the subject to which the certificate was issued, and it must match the hostname listed in the Subject Alternative Name (SAN) DNS field of the certificate.
+	// The hostname should be a valid dns 1123 subdomain name, optionally prefixed by '*.', and at most 253 characters in length.
+	// It should consist only of lowercase alphanumeric characters, hyphens, periods and the optional preceding asterisk.
 	Hostname *string `json:"hostname,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go
deleted file mode 100644
index 61e4856642940..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policy.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// PolicyApplyConfiguration represents a declarative configuration of the Policy type for use
-// with apply.
-type PolicyApplyConfiguration struct {
-	RootOfTrust    *PolicyRootOfTrustApplyConfiguration `json:"rootOfTrust,omitempty"`
-	SignedIdentity *PolicyIdentityApplyConfiguration    `json:"signedIdentity,omitempty"`
-}
-
-// PolicyApplyConfiguration constructs a declarative configuration of the Policy type for use with
-// apply.
-func Policy() *PolicyApplyConfiguration {
-	return &PolicyApplyConfiguration{}
-}
-
-// WithRootOfTrust sets the RootOfTrust field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the RootOfTrust field is set to the value of the last call.
-func (b *PolicyApplyConfiguration) WithRootOfTrust(value *PolicyRootOfTrustApplyConfiguration) *PolicyApplyConfiguration {
-	b.RootOfTrust = value
-	return b
-}
-
-// WithSignedIdentity sets the SignedIdentity field in the declarative configuration to the given value
-// and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the SignedIdentity field is set to the value of the last call.
-func (b *PolicyApplyConfiguration) WithSignedIdentity(value *PolicyIdentityApplyConfiguration) *PolicyApplyConfiguration {
-	b.SignedIdentity = value
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go
index c4608f47a2dd5..5c7bd5ed9e165 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go
@@ -4,8 +4,14 @@ package v1alpha1
 
 // PolicyFulcioSubjectApplyConfiguration represents a declarative configuration of the PolicyFulcioSubject type for use
 // with apply.
+//
+// PolicyFulcioSubject defines the OIDC issuer and the email of the Fulcio authentication configuration.
 type PolicyFulcioSubjectApplyConfiguration struct {
-	OIDCIssuer  *string `json:"oidcIssuer,omitempty"`
+	// oidcIssuer contains the expected OIDC issuer. It will be verified that the Fulcio-issued certificate contains a (Fulcio-defined) certificate extension pointing at this OIDC issuer URL. When Fulcio issues certificates, it includes a value based on an URL inside the client-provided ID token.
+	// Example: "https://expected.OIDC.issuer/"
+	OIDCIssuer *string `json:"oidcIssuer,omitempty"`
+	// signedEmail holds the email address the the Fulcio certificate is issued for.
+	// Example: "expected-signing-user@example.com"
 	SignedEmail *string `json:"signedEmail,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go
index c03a2d6634023..822e75677473c 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go
@@ -8,10 +8,22 @@ import (
 
 // PolicyIdentityApplyConfiguration represents a declarative configuration of the PolicyIdentity type for use
 // with apply.
+//
+// PolicyIdentity defines image identity the signature claims about the image. When omitted, the default matchPolicy is "MatchRepoDigestOrExact".
 type PolicyIdentityApplyConfiguration struct {
-	MatchPolicy                *configv1alpha1.IdentityMatchPolicy           `json:"matchPolicy,omitempty"`
+	// matchPolicy sets the type of matching to be used.
+	// Valid values are "MatchRepoDigestOrExact", "MatchRepository", "ExactRepository", "RemapIdentity". When omitted, the default value is "MatchRepoDigestOrExact".
+	// If set matchPolicy to ExactRepository, then the exactRepository must be specified.
+	// If set matchPolicy to RemapIdentity, then the remapIdentity must be specified.
+	// "MatchRepoDigestOrExact" means that the identity in the signature must be in the same repository as the image identity if the image identity is referenced by a digest. Otherwise, the identity in the signature must be the same as the image identity.
+	// "MatchRepository" means that the identity in the signature must be in the same repository as the image identity.
+	// "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "repository".
+	// "RemapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signedPrefix” if the the image identity matches the specified remapPrefix.
+	MatchPolicy *configv1alpha1.IdentityMatchPolicy `json:"matchPolicy,omitempty"`
+	// exactRepository is required if matchPolicy is set to "ExactRepository".
 	PolicyMatchExactRepository *PolicyMatchExactRepositoryApplyConfiguration `json:"exactRepository,omitempty"`
-	PolicyMatchRemapIdentity   *PolicyMatchRemapIdentityApplyConfiguration   `json:"remapIdentity,omitempty"`
+	// remapIdentity is required if matchPolicy is set to "RemapIdentity".
+	PolicyMatchRemapIdentity *PolicyMatchRemapIdentityApplyConfiguration `json:"remapIdentity,omitempty"`
 }
 
 // PolicyIdentityApplyConfiguration constructs a declarative configuration of the PolicyIdentity type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go
index 58870d5eb867d..6420b8ed9e952 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go
@@ -9,6 +9,8 @@ import (
 // PolicyMatchExactRepositoryApplyConfiguration represents a declarative configuration of the PolicyMatchExactRepository type for use
 // with apply.
 type PolicyMatchExactRepositoryApplyConfiguration struct {
+	// repository is the reference of the image identity to be matched.
+	// The value should be a repository name (by omitting the tag or digest) in a registry implementing the "Docker Registry HTTP API V2". For example, docker.io/library/busybox
 	Repository *configv1alpha1.IdentityRepositoryPrefix `json:"repository,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go
index 09075d0bea7ef..0b1a5098fa0d8 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go
@@ -9,7 +9,16 @@ import (
 // PolicyMatchRemapIdentityApplyConfiguration represents a declarative configuration of the PolicyMatchRemapIdentity type for use
 // with apply.
 type PolicyMatchRemapIdentityApplyConfiguration struct {
-	Prefix       *configv1alpha1.IdentityRepositoryPrefix `json:"prefix,omitempty"`
+	// prefix is the prefix of the image identity to be matched.
+	// If the image identity matches the specified prefix, that prefix is replaced by the specified “signedPrefix” (otherwise it is used as unchanged and no remapping takes place).
+	// This useful when verifying signatures for a mirror of some other repository namespace that preserves the vendor’s repository structure.
+	// The prefix and signedPrefix values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
+	Prefix *configv1alpha1.IdentityRepositoryPrefix `json:"prefix,omitempty"`
+	// signedPrefix is the prefix of the image identity to be matched in the signature. The format is the same as "prefix". The values can be either host[:port] values (matching exactly the same host[:port], string), repository namespaces,
+	// or repositories (i.e. they must not contain tags/digests), and match as prefixes of the fully expanded form.
+	// For example, docker.io/library/busybox (not busybox) to specify that single repository, or docker.io/library (not an empty string) to specify the parent namespace of docker.io/library/busybox.
 	SignedPrefix *configv1alpha1.IdentityRepositoryPrefix `json:"signedPrefix,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go
index 5de792be6381b..b7a1877fc4141 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go
@@ -8,11 +8,22 @@ import (
 
 // PolicyRootOfTrustApplyConfiguration represents a declarative configuration of the PolicyRootOfTrust type for use
 // with apply.
+//
+// PolicyRootOfTrust defines the root of trust based on the selected policyType.
 type PolicyRootOfTrustApplyConfiguration struct {
-	PolicyType        *configv1alpha1.PolicyType           `json:"policyType,omitempty"`
-	PublicKey         *PublicKeyApplyConfiguration         `json:"publicKey,omitempty"`
-	FulcioCAWithRekor *FulcioCAWithRekorApplyConfiguration `json:"fulcioCAWithRekor,omitempty"`
-	PKI               *PKIApplyConfiguration               `json:"pki,omitempty"`
+	// policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust.
+	// "PublicKey" indicates that the policy relies on a sigstore publicKey and may optionally use a Rekor verification.
+	// "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification.
+	// "PKI" indicates that the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.
+	PolicyType *configv1alpha1.PolicyType `json:"policyType,omitempty"`
+	// publicKey defines the root of trust based on a sigstore public key.
+	PublicKey *ImagePolicyPublicKeyRootOfTrustApplyConfiguration `json:"publicKey,omitempty"`
+	// fulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
+	// For more information about Fulcio and Rekor, please refer to the document at:
+	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration `json:"fulcioCAWithRekor,omitempty"`
+	// pki defines the root of trust based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
+	PKI *ImagePolicyPKIRootOfTrustApplyConfiguration `json:"pki,omitempty"`
 }
 
 // PolicyRootOfTrustApplyConfiguration constructs a declarative configuration of the PolicyRootOfTrust type for use with
@@ -32,7 +43,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPolicyType(value configv1alpha
 // WithPublicKey sets the PublicKey field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the PublicKey field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *ImagePolicyPublicKeyRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.PublicKey = value
 	return b
 }
@@ -40,7 +51,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithPublicKey(value *PublicKeyAppl
 // WithFulcioCAWithRekor sets the FulcioCAWithRekor field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the FulcioCAWithRekor field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *FulcioCAWithRekorApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.FulcioCAWithRekor = value
 	return b
 }
@@ -48,7 +59,7 @@ func (b *PolicyRootOfTrustApplyConfiguration) WithFulcioCAWithRekor(value *Fulci
 // WithPKI sets the PKI field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the PKI field is set to the value of the last call.
-func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *PKIApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
+func (b *PolicyRootOfTrustApplyConfiguration) WithPKI(value *ImagePolicyPKIRootOfTrustApplyConfiguration) *PolicyRootOfTrustApplyConfiguration {
 	b.PKI = value
 	return b
 }
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go
new file mode 100644
index 0000000000000..261292625505d
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusoperatorconfig.go
@@ -0,0 +1,136 @@
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	v1 "k8s.io/api/core/v1"
+)
+
+// PrometheusOperatorConfigApplyConfiguration represents a declarative configuration of the PrometheusOperatorConfig type for use
+// with apply.
+//
+// PrometheusOperatorConfig provides configuration options for the Prometheus Operator instance
+// Use this configuration to control how the Prometheus Operator instance is deployed, how it logs, and how its pods are scheduled.
+type PrometheusOperatorConfigApplyConfiguration struct {
+	// logLevel defines the verbosity of logs emitted by Prometheus Operator.
+	// This field allows users to control the amount and severity of logs generated, which can be useful
+	// for debugging issues or reducing noise in production environments.
+	// Allowed values are Error, Warn, Info, and Debug.
+	// When set to Error, only errors will be logged.
+	// When set to Warn, both warnings and errors will be logged.
+	// When set to Info, general information, warnings, and errors will all be logged.
+	// When set to Debug, detailed debugging information will be logged.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time.
+	// The current default value is `Info`.
+	LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"`
+	// nodeSelector defines the nodes on which the Pods are scheduled
+	// nodeSelector is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default value is `kubernetes.io/os: linux`.
+	// When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+	// resources defines the compute resource requests and limits for the Prometheus Operator container.
+	// This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+	// When not specified, defaults are used by the platform. Requests cannot exceed limits.
+	// This field is optional.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+	// This is a simplified API that maps to Kubernetes ResourceRequirements.
+	// The current default values are:
+	// resources:
+	// - name: cpu
+	// request: 4m
+	// limit: null
+	// - name: memory
+	// request: 40Mi
+	// limit: null
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Each resource name must be unique within this list.
+	Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"`
+	// tolerations defines tolerations for the pods.
+	// tolerations is optional.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// Defaults are empty/unset.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// topologySpreadConstraints defines rules for how Prometheus Operator Pods should be distributed
+	// across topology domains such as zones, nodes, or other user-defined labels.
+	// topologySpreadConstraints is optional.
+	// This helps improve high availability and resource efficiency by avoiding placing
+	// too many replicas in the same failure domain.
+	//
+	// When omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time.
+	// This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+	// Default is empty list.
+	// Maximum length for this list is 10.
+	// Minimum length for this list is 1.
+	// Entries must have unique topologyKey and whenUnsatisfiable pairs.
+	TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+}
+
+// PrometheusOperatorConfigApplyConfiguration constructs a declarative configuration of the PrometheusOperatorConfig type for use with
+// apply.
+func PrometheusOperatorConfig() *PrometheusOperatorConfigApplyConfiguration {
+	return &PrometheusOperatorConfigApplyConfiguration{}
+}
+
+// WithLogLevel sets the LogLevel field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LogLevel field is set to the value of the last call.
+func (b *PrometheusOperatorConfigApplyConfiguration) WithLogLevel(value configv1alpha1.LogLevel) *PrometheusOperatorConfigApplyConfiguration {
+	b.LogLevel = &value
+	return b
+}
+
+// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the NodeSelector field,
+// overwriting an existing map entries in NodeSelector field with the same key.
+func (b *PrometheusOperatorConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *PrometheusOperatorConfigApplyConfiguration {
+	if b.NodeSelector == nil && len(entries) > 0 {
+		b.NodeSelector = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.NodeSelector[k] = v
+	}
+	return b
+}
+
+// WithResources adds the given value to the Resources field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Resources field.
+func (b *PrometheusOperatorConfigApplyConfiguration) WithResources(values ...*ContainerResourceApplyConfiguration) *PrometheusOperatorConfigApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithResources")
+		}
+		b.Resources = append(b.Resources, *values[i])
+	}
+	return b
+}
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *PrometheusOperatorConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *PrometheusOperatorConfigApplyConfiguration {
+	for i := range values {
+		b.Tolerations = append(b.Tolerations, values[i])
+	}
+	return b
+}
+
+// WithTopologySpreadConstraints adds the given value to the TopologySpreadConstraints field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the TopologySpreadConstraints field.
+func (b *PrometheusOperatorConfigApplyConfiguration) WithTopologySpreadConstraints(values ...v1.TopologySpreadConstraint) *PrometheusOperatorConfigApplyConfiguration {
+	for i := range values {
+		b.TopologySpreadConstraints = append(b.TopologySpreadConstraints, values[i])
+	}
+	return b
+}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go
deleted file mode 100644
index 91665a90b7407..0000000000000
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/publickey.go
+++ /dev/null
@@ -1,36 +0,0 @@
-// Code generated by applyconfiguration-gen. DO NOT EDIT.
-
-package v1alpha1
-
-// PublicKeyApplyConfiguration represents a declarative configuration of the PublicKey type for use
-// with apply.
-type PublicKeyApplyConfiguration struct {
-	KeyData      []byte `json:"keyData,omitempty"`
-	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
-}
-
-// PublicKeyApplyConfiguration constructs a declarative configuration of the PublicKey type for use with
-// apply.
-func PublicKey() *PublicKeyApplyConfiguration {
-	return &PublicKeyApplyConfiguration{}
-}
-
-// WithKeyData adds the given value to the KeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the KeyData field.
-func (b *PublicKeyApplyConfiguration) WithKeyData(values ...byte) *PublicKeyApplyConfiguration {
-	for i := range values {
-		b.KeyData = append(b.KeyData, values[i])
-	}
-	return b
-}
-
-// WithRekorKeyData adds the given value to the RekorKeyData field in the declarative configuration
-// and returns the receiver, so that objects can be build by chaining "With" function invocations.
-// If called multiple times, values provided by each call will be appended to the RekorKeyData field.
-func (b *PublicKeyApplyConfiguration) WithRekorKeyData(values ...byte) *PublicKeyApplyConfiguration {
-	for i := range values {
-		b.RekorKeyData = append(b.RekorKeyData, values[i])
-	}
-	return b
-}
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionnumberconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionnumberconfig.go
index f6a787171789f..9e3994eb903de 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionnumberconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionnumberconfig.go
@@ -4,7 +4,12 @@ package v1alpha1
 
 // RetentionNumberConfigApplyConfiguration represents a declarative configuration of the RetentionNumberConfig type for use
 // with apply.
+//
+// RetentionNumberConfig specifies the configuration of the retention policy on the number of backups
 type RetentionNumberConfigApplyConfiguration struct {
+	// maxNumberOfBackups defines the maximum number of backups to retain.
+	// If the existing number of backups saved is equal to MaxNumberOfBackups then
+	// the oldest backup will be removed before a new backup is initiated.
 	MaxNumberOfBackups *int `json:"maxNumberOfBackups,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionpolicy.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionpolicy.go
index 981fb25737e07..c653590aacd51 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionpolicy.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionpolicy.go
@@ -8,10 +8,19 @@ import (
 
 // RetentionPolicyApplyConfiguration represents a declarative configuration of the RetentionPolicy type for use
 // with apply.
+//
+// RetentionPolicy defines the retention policy for retaining and deleting existing backups.
+// This struct is a discriminated union that allows users to select the type of retention policy from the supported types.
 type RetentionPolicyApplyConfiguration struct {
-	RetentionType   *configv1alpha1.RetentionType            `json:"retentionType,omitempty"`
+	// retentionType sets the type of retention policy.
+	// Currently, the only valid policies are retention by number of backups (RetentionNumber), by the size of backups (RetentionSize). More policies or types may be added in the future.
+	// Empty string means no opinion and the platform is left to choose a reasonable default which is subject to change without notice.
+	// The current default is RetentionNumber with 15 backups kept.
+	RetentionType *configv1alpha1.RetentionType `json:"retentionType,omitempty"`
+	// retentionNumber configures the retention policy based on the number of backups
 	RetentionNumber *RetentionNumberConfigApplyConfiguration `json:"retentionNumber,omitempty"`
-	RetentionSize   *RetentionSizeConfigApplyConfiguration   `json:"retentionSize,omitempty"`
+	// retentionSize configures the retention policy based on the size of backups
+	RetentionSize *RetentionSizeConfigApplyConfiguration `json:"retentionSize,omitempty"`
 }
 
 // RetentionPolicyApplyConfiguration constructs a declarative configuration of the RetentionPolicy type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionsizeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionsizeconfig.go
index 96b723be4c6be..45b2eb8ae6700 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionsizeconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retentionsizeconfig.go
@@ -4,7 +4,12 @@ package v1alpha1
 
 // RetentionSizeConfigApplyConfiguration represents a declarative configuration of the RetentionSizeConfig type for use
 // with apply.
+//
+// RetentionSizeConfig specifies the configuration of the retention policy on the total size of backups
 type RetentionSizeConfigApplyConfiguration struct {
+	// maxSizeOfBackupsGb defines the total size in GB of backups to retain.
+	// If the current total size backups exceeds MaxSizeOfBackupsGb then
+	// the oldest backup will be removed before a new backup is initiated.
 	MaxSizeOfBackupsGb *int `json:"maxSizeOfBackupsGb,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/storage.go
index ef24da3d80949..69b743f3123e9 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/storage.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/storage.go
@@ -8,8 +8,18 @@ import (
 
 // StorageApplyConfiguration represents a declarative configuration of the Storage type for use
 // with apply.
+//
+// storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
 type StorageApplyConfiguration struct {
-	Type             *configv1alpha1.StorageType               `json:"type,omitempty"`
+	// type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+	// Valid values are "PersistentVolume" and "Ephemeral".
+	// When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+	// When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+	Type *configv1alpha1.StorageType `json:"type,omitempty"`
+	// persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+	// The PersistentVolume must be created in the openshift-insights namespace.
 	PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/userdefinedmonitoring.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/userdefinedmonitoring.go
index 5aa6998f987f1..a17f0b13f3a8b 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/userdefinedmonitoring.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/userdefinedmonitoring.go
@@ -8,7 +8,14 @@ import (
 
 // UserDefinedMonitoringApplyConfiguration represents a declarative configuration of the UserDefinedMonitoring type for use
 // with apply.
+//
+// UserDefinedMonitoring config for user-defined projects.
 type UserDefinedMonitoringApplyConfiguration struct {
+	// mode defines the different configurations of UserDefinedMonitoring
+	// Valid values are Disabled and NamespaceIsolated
+	// Disabled disables monitoring for user-defined projects. This restricts the default monitoring stack, installed in the openshift-monitoring project, to monitor only platform namespaces, which prevents any custom monitoring configurations or resources from being applied to user-defined namespaces.
+	// NamespaceIsolated enables monitoring for user-defined projects with namespace-scoped tenancy. This ensures that metrics, alerts, and monitoring data are isolated at the namespace level.
+	// The current default value is `Disabled`.
 	Mode *configv1alpha1.UserDefinedMode `json:"mode,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go
index 3903cf882ec07..fba2d19c429b1 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/custom.go
@@ -4,7 +4,15 @@ package v1alpha2
 
 // CustomApplyConfiguration represents a declarative configuration of the Custom type for use
 // with apply.
+//
+// custom provides the custom configuration of gatherers
 type CustomApplyConfiguration struct {
+	// configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers.
+	// It may not exceed 100 items and each gatherer can be present only once.
+	// It is possible to disable an entire set of gatherers while allowing a specific function within that set.
+	// The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
 	Configs []GathererConfigApplyConfiguration `json:"configs,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go
index 6a11bada8a257..41e0b873fcfbe 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherconfig.go
@@ -8,10 +8,21 @@ import (
 
 // GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use
 // with apply.
+//
+// gatherConfig provides data gathering configuration options.
 type GatherConfigApplyConfiguration struct {
+	// dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data.
+	// It may not exceed 2 items and must not contain duplicates.
+	// Valid values are ObfuscateNetworking and WorkloadNames.
+	// When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated.
+	// When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead.
+	// When omitted no obfuscation is applied.
 	DataPolicy []configv1alpha2.DataPolicyOption `json:"dataPolicy,omitempty"`
-	Gatherers  *GatherersApplyConfiguration      `json:"gatherers,omitempty"`
-	Storage    *StorageApplyConfiguration        `json:"storage,omitempty"`
+	// gatherers is a required field that specifies the configuration of the gatherers.
+	Gatherers *GatherersApplyConfiguration `json:"gatherers,omitempty"`
+	// storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive.
+	// If omitted, the gathering job will use ephemeral storage.
+	Storage *StorageApplyConfiguration `json:"storage,omitempty"`
 }
 
 // GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go
index bbcd7464ec046..5e2f628176bcf 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gathererconfig.go
@@ -8,8 +8,21 @@ import (
 
 // GathererConfigApplyConfiguration represents a declarative configuration of the GathererConfig type for use
 // with apply.
+//
+// gathererConfig allows to configure specific gatherers
 type GathererConfigApplyConfiguration struct {
-	Name  *string                       `json:"name,omitempty"`
+	// name is the required name of a specific gatherer
+	// It may not exceed 256 characters.
+	// The format for a gatherer name is: {gatherer}/{function} where the function is optional.
+	// Gatherer consists of a lowercase letters only that may include underscores (_).
+	// Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/).
+	// The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md.
+	// Run the following command to get the names of last active gatherers:
+	// "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'"
+	Name *string `json:"name,omitempty"`
+	// state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled".
+	// When set to Enabled the gatherer will run.
+	// When set to Disabled the gatherer will not run.
 	State *configv1alpha2.GathererState `json:"state,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go
index 328f1efda5d65..68ac2e7473313 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/gatherers.go
@@ -9,8 +9,16 @@ import (
 // GatherersApplyConfiguration represents a declarative configuration of the Gatherers type for use
 // with apply.
 type GatherersApplyConfiguration struct {
-	Mode   *configv1alpha2.GatheringMode `json:"mode,omitempty"`
-	Custom *CustomApplyConfiguration     `json:"custom,omitempty"`
+	// mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom.
+	// When set to All, all gatherers wil run and gather data.
+	// When set to None, all gatherers will be disabled and no data will be gathered.
+	// When set to Custom, the custom configuration from the custom field will be applied.
+	Mode *configv1alpha2.GatheringMode `json:"mode,omitempty"`
+	// custom provides gathering configuration.
+	// It is required when mode is Custom, and forbidden otherwise.
+	// Custom configuration allows user to disable only a subset of gatherers.
+	// Gatherers that are not explicitly disabled in custom configuration will run.
+	Custom *CustomApplyConfiguration `json:"custom,omitempty"`
 }
 
 // GatherersApplyConfiguration constructs a declarative configuration of the Gatherers type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go
index 6f20059cf6710..50ee477138061 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagather.go
@@ -13,11 +13,19 @@ import (
 
 // InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use
 // with apply.
+//
+// InsightsDataGather provides data gather configuration options for the the Insights Operator.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type InsightsDataGatherApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"`
-	Status                           *configv1alpha2.InsightsDataGatherStatus  `json:"status,omitempty"`
+	// spec holds user settable values for configuration
+	Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"`
+	// status holds observed values from the cluster. They may not be overridden.
+	Status *configv1alpha2.InsightsDataGatherStatus `json:"status,omitempty"`
 }
 
 // InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with
@@ -30,6 +38,26 @@ func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration {
 	return b
 }
 
+// ExtractInsightsDataGatherFrom extracts the applied configuration owned by fieldManager from
+// insightsDataGather for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API.
+// ExtractInsightsDataGatherFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractInsightsDataGatherFrom(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) {
+	b := &InsightsDataGatherApplyConfiguration{}
+	err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1alpha2.InsightsDataGather"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(insightsDataGather.Name)
+
+	b.WithKind("InsightsDataGather")
+	b.WithAPIVersion("config.openshift.io/v1alpha2")
+	return b, nil
+}
+
 // ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from
 // insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a
 // InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +68,16 @@ func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration {
 // ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractInsightsDataGather(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) {
-	return extractInsightsDataGather(insightsDataGather, fieldManager, "")
+	return ExtractInsightsDataGatherFrom(insightsDataGather, fieldManager, "")
 }
 
-// ExtractInsightsDataGatherStatus is the same as ExtractInsightsDataGather except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractInsightsDataGatherStatus extracts the applied configuration owned by fieldManager from
+// insightsDataGather for the status subresource.
 func ExtractInsightsDataGatherStatus(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) {
-	return extractInsightsDataGather(insightsDataGather, fieldManager, "status")
+	return ExtractInsightsDataGatherFrom(insightsDataGather, fieldManager, "status")
 }
 
-func extractInsightsDataGather(insightsDataGather *configv1alpha2.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) {
-	b := &InsightsDataGatherApplyConfiguration{}
-	err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1alpha2.InsightsDataGather"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(insightsDataGather.Name)
-
-	b.WithKind("InsightsDataGather")
-	b.WithAPIVersion("config.openshift.io/v1alpha2")
-	return b, nil
-}
 func (b InsightsDataGatherApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go
index 277b1de86b858..e4ca3a4377fc5 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/insightsdatagatherspec.go
@@ -5,6 +5,7 @@ package v1alpha2
 // InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use
 // with apply.
 type InsightsDataGatherSpecApplyConfiguration struct {
+	// gatherConfig is an optional spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.
 	GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go
index 9d194b02f85f4..12ce1687a86fb 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeclaimreference.go
@@ -4,7 +4,11 @@ package v1alpha2
 
 // PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use
 // with apply.
+//
+// persistentVolumeClaimReference is a reference to a PersistentVolumeClaim.
 type PersistentVolumeClaimReferenceApplyConfiguration struct {
+	// name is a string that follows the DNS1123 subdomain format.
+	// It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go
index d3341d1b16fdd..2e3733226accf 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/persistentvolumeconfig.go
@@ -4,9 +4,17 @@ package v1alpha2
 
 // PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use
 // with apply.
+//
+// persistentVolumeConfig provides configuration options for PersistentVolume storage.
 type PersistentVolumeConfigApplyConfiguration struct {
-	Claim     *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"`
-	MountPath *string                                           `json:"mountPath,omitempty"`
+	// claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive.
+	// The PersistentVolumeClaim must be created in the openshift-insights namespace.
+	Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"`
+	// mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod.
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
+	// The current default mount path is /var/lib/insights-operator
+	// The path may not exceed 1024 characters and must not contain a colon.
+	MountPath *string `json:"mountPath,omitempty"`
 }
 
 // PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go
index 596258c48b3d1..41b4d2560ae8d 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha2/storage.go
@@ -8,8 +8,18 @@ import (
 
 // StorageApplyConfiguration represents a declarative configuration of the Storage type for use
 // with apply.
+//
+// storage provides persistent storage configuration options for gathering jobs.
+// If the type is set to PersistentVolume, then the PersistentVolume must be defined.
+// If the type is set to Ephemeral, then the PersistentVolume must not be defined.
 type StorageApplyConfiguration struct {
-	Type             *configv1alpha2.StorageType               `json:"type,omitempty"`
+	// type is a required field that specifies the type of storage that will be used to store the Insights data archive.
+	// Valid values are "PersistentVolume" and "Ephemeral".
+	// When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job.
+	// When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.
+	Type *configv1alpha2.StorageType `json:"type,omitempty"`
+	// persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive.
+	// The PersistentVolume must be created in the openshift-insights namespace.
 	PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go
index 0d49eb95f25a7..65906b80c50ac 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go
@@ -206,6 +206,12 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.AcceptRisk
+  map:
+    fields:
+    - name: name
+      type:
+        scalar: string
 - name: com.github.openshift.api.config.v1.AlibabaCloudPlatformSpec
   map:
     elementType:
@@ -641,7 +647,7 @@ var schemaYAML = typed.YAMLObject(`types:
     fields:
     - name: policy
       type:
-        namedType: com.github.openshift.api.config.v1.Policy
+        namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy
       default: {}
     - name: scopes
       type:
@@ -848,6 +854,14 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: com.github.openshift.api.config.v1.ClusterVersionCapabilitiesStatus
       default: {}
+    - name: conditionalUpdateRisks
+      type:
+        list:
+          elementType:
+            namedType: com.github.openshift.api.config.v1.ConditionalUpdateRisk
+          elementRelationship: associative
+          keys:
+          - name
     - name: conditionalUpdates
       type:
         list:
@@ -978,6 +992,12 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: com.github.openshift.api.config.v1.Release
       default: {}
+    - name: riskNames
+      type:
+        list:
+          elementType:
+            scalar: string
+          elementRelationship: associative
     - name: risks
       type:
         list:
@@ -989,6 +1009,14 @@ var schemaYAML = typed.YAMLObject(`types:
 - name: com.github.openshift.api.config.v1.ConditionalUpdateRisk
   map:
     fields:
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
     - name: matchingRules
       type:
         list:
@@ -1065,6 +1093,17 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.Custom
+  map:
+    fields:
+    - name: configs
+      type:
+        list:
+          elementType:
+            namedType: com.github.openshift.api.config.v1.GathererConfig
+          elementRelationship: associative
+          keys:
+          - name
 - name: com.github.openshift.api.config.v1.CustomFeatureGates
   map:
     fields:
@@ -1329,19 +1368,6 @@ var schemaYAML = typed.YAMLObject(`types:
           elementRelationship: associative
           keys:
           - version
-- name: com.github.openshift.api.config.v1.FulcioCAWithRekor
-  map:
-    fields:
-    - name: fulcioCAData
-      type:
-        scalar: string
-    - name: fulcioSubject
-      type:
-        namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject
-      default: {}
-    - name: rekorKeyData
-      type:
-        scalar: string
 - name: com.github.openshift.api.config.v1.GCPPlatformSpec
   map:
     elementType:
@@ -1412,6 +1438,47 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.GatherConfig
+  map:
+    fields:
+    - name: dataPolicy
+      type:
+        list:
+          elementType:
+            scalar: string
+          elementRelationship: atomic
+    - name: gatherers
+      type:
+        namedType: com.github.openshift.api.config.v1.Gatherers
+      default: {}
+    - name: storage
+      type:
+        namedType: com.github.openshift.api.config.v1.Storage
+      default: {}
+- name: com.github.openshift.api.config.v1.GathererConfig
+  map:
+    fields:
+    - name: name
+      type:
+        scalar: string
+    - name: state
+      type:
+        scalar: string
+- name: com.github.openshift.api.config.v1.Gatherers
+  map:
+    fields:
+    - name: custom
+      type:
+        namedType: com.github.openshift.api.config.v1.Custom
+      default: {}
+    - name: mode
+      type:
+        scalar: string
+    unions:
+    - discriminator: mode
+      fields:
+      - fieldName: custom
+        discriminatorValue: Custom
 - name: com.github.openshift.api.config.v1.GitHubIdentityProvider
   map:
     fields:
@@ -1731,12 +1798,47 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: com.github.openshift.api.config.v1.ImagePolicyStatus
       default: {}
+- name: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust
+  map:
+    fields:
+    - name: fulcioCAData
+      type:
+        scalar: string
+    - name: fulcioSubject
+      type:
+        namedType: com.github.openshift.api.config.v1.PolicyFulcioSubject
+      default: {}
+    - name: rekorKeyData
+      type:
+        scalar: string
+- name: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust
+  map:
+    fields:
+    - name: caIntermediatesData
+      type:
+        scalar: string
+    - name: caRootsData
+      type:
+        scalar: string
+    - name: pkiCertificateSubject
+      type:
+        namedType: com.github.openshift.api.config.v1.PKICertificateSubject
+      default: {}
+- name: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust
+  map:
+    fields:
+    - name: keyData
+      type:
+        scalar: string
+    - name: rekorKeyData
+      type:
+        scalar: string
 - name: com.github.openshift.api.config.v1.ImagePolicySpec
   map:
     fields:
     - name: policy
       type:
-        namedType: com.github.openshift.api.config.v1.Policy
+        namedType: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy
       default: {}
     - name: scopes
       type:
@@ -1755,6 +1857,16 @@ var schemaYAML = typed.YAMLObject(`types:
           elementRelationship: associative
           keys:
           - type
+- name: com.github.openshift.api.config.v1.ImageSigstoreVerificationPolicy
+  map:
+    fields:
+    - name: rootOfTrust
+      type:
+        namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust
+      default: {}
+    - name: signedIdentity
+      type:
+        namedType: com.github.openshift.api.config.v1.PolicyIdentity
 - name: com.github.openshift.api.config.v1.ImageSpec
   map:
     fields:
@@ -2004,6 +2116,30 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.InsightsDataGather
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: com.github.openshift.api.config.v1.InsightsDataGatherSpec
+      default: {}
+- name: com.github.openshift.api.config.v1.InsightsDataGatherSpec
+  map:
+    fields:
+    - name: gatherConfig
+      type:
+        namedType: com.github.openshift.api.config.v1.GatherConfig
+      default: {}
 - name: com.github.openshift.api.config.v1.IntermediateTLSProfile
   map:
     elementType:
@@ -2643,6 +2779,14 @@ var schemaYAML = typed.YAMLObject(`types:
           keys:
           - componentNamespace
           - componentName
+    - name: userValidationRules
+      type:
+        list:
+          elementType:
+            namedType: com.github.openshift.api.config.v1.TokenUserValidationRule
+          elementRelationship: associative
+          keys:
+          - expression
 - name: com.github.openshift.api.config.v1.ObjectReference
   map:
     fields:
@@ -2911,26 +3055,29 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: nodeDNSIP
       type:
         scalar: string
-- name: com.github.openshift.api.config.v1.PKI
+- name: com.github.openshift.api.config.v1.PKICertificateSubject
   map:
     fields:
-    - name: caIntermediatesData
+    - name: email
       type:
         scalar: string
-    - name: caRootsData
+    - name: hostname
       type:
         scalar: string
-    - name: pkiCertificateSubject
-      type:
-        namedType: com.github.openshift.api.config.v1.PKICertificateSubject
-      default: {}
-- name: com.github.openshift.api.config.v1.PKICertificateSubject
+- name: com.github.openshift.api.config.v1.PersistentVolumeClaimReference
   map:
     fields:
-    - name: email
+    - name: name
       type:
         scalar: string
-    - name: hostname
+- name: com.github.openshift.api.config.v1.PersistentVolumeConfig
+  map:
+    fields:
+    - name: claim
+      type:
+        namedType: com.github.openshift.api.config.v1.PersistentVolumeClaimReference
+      default: {}
+    - name: mountPath
       type:
         scalar: string
 - name: com.github.openshift.api.config.v1.PlatformSpec
@@ -3031,16 +3178,6 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: vsphere
       type:
         namedType: com.github.openshift.api.config.v1.VSpherePlatformStatus
-- name: com.github.openshift.api.config.v1.Policy
-  map:
-    fields:
-    - name: rootOfTrust
-      type:
-        namedType: com.github.openshift.api.config.v1.PolicyRootOfTrust
-      default: {}
-    - name: signedIdentity
-      type:
-        namedType: com.github.openshift.api.config.v1.PolicyIdentity
 - name: com.github.openshift.api.config.v1.PolicyFulcioSubject
   map:
     fields:
@@ -3095,17 +3232,17 @@ var schemaYAML = typed.YAMLObject(`types:
     fields:
     - name: fulcioCAWithRekor
       type:
-        namedType: com.github.openshift.api.config.v1.FulcioCAWithRekor
+        namedType: com.github.openshift.api.config.v1.ImagePolicyFulcioCAWithRekorRootOfTrust
     - name: pki
       type:
-        namedType: com.github.openshift.api.config.v1.PKI
+        namedType: com.github.openshift.api.config.v1.ImagePolicyPKIRootOfTrust
     - name: policyType
       type:
         scalar: string
       default: ""
     - name: publicKey
       type:
-        namedType: com.github.openshift.api.config.v1.PublicKey
+        namedType: com.github.openshift.api.config.v1.ImagePolicyPublicKeyRootOfTrust
     unions:
     - discriminator: policyType
       fields:
@@ -3290,15 +3427,6 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: noProxy
       type:
         scalar: string
-- name: com.github.openshift.api.config.v1.PublicKey
-  map:
-    fields:
-    - name: keyData
-      type:
-        scalar: string
-    - name: rekorKeyData
-      type:
-        scalar: string
 - name: com.github.openshift.api.config.v1.RegistryLocation
   map:
     fields:
@@ -3514,6 +3642,21 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.Storage
+  map:
+    fields:
+    - name: persistentVolume
+      type:
+        namedType: com.github.openshift.api.config.v1.PersistentVolumeConfig
+      default: {}
+    - name: type
+      type:
+        scalar: string
+    unions:
+    - discriminator: type
+      fields:
+      - fieldName: persistentVolume
+        discriminatorValue: PersistentVolume
 - name: com.github.openshift.api.config.v1.TLSSecurityProfile
   map:
     fields:
@@ -3582,9 +3725,22 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: expression
       type:
         scalar: string
+- name: com.github.openshift.api.config.v1.TokenClaimValidationCELRule
+  map:
+    fields:
+    - name: expression
+      type:
+        scalar: string
+    - name: message
+      type:
+        scalar: string
 - name: com.github.openshift.api.config.v1.TokenClaimValidationRule
   map:
     fields:
+    - name: cel
+      type:
+        namedType: com.github.openshift.api.config.v1.TokenClaimValidationCELRule
+      default: {}
     - name: requiredClaim
       type:
         namedType: com.github.openshift.api.config.v1.TokenRequiredClaim
@@ -3613,6 +3769,9 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             scalar: string
           elementRelationship: associative
+    - name: discoveryURL
+      type:
+        scalar: string
     - name: issuerCertificateAuthority
       type:
         namedType: com.github.openshift.api.config.v1.ConfigMapNameReference
@@ -3632,9 +3791,26 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+- name: com.github.openshift.api.config.v1.TokenUserValidationRule
+  map:
+    fields:
+    - name: expression
+      type:
+        scalar: string
+    - name: message
+      type:
+        scalar: string
 - name: com.github.openshift.api.config.v1.Update
   map:
     fields:
+    - name: acceptRisks
+      type:
+        list:
+          elementType:
+            namedType: com.github.openshift.api.config.v1.AcceptRisk
+          elementRelationship: associative
+          keys:
+          - name
     - name: architecture
       type:
         scalar: string
@@ -4042,6 +4218,46 @@ var schemaYAML = typed.YAMLObject(`types:
         elementType:
           namedType: __untyped_deduced_
         elementRelationship: separable
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+    - name: status
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+      default: {}
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec
+  map:
+    fields:
+    - name: matchImages
+      type:
+        list:
+          elementType:
+            scalar: string
+          elementRelationship: associative
+- name: com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus
+  map:
+    fields:
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
 - name: com.github.openshift.api.config.v1alpha1.ClusterImagePolicy
   map:
     fields:
@@ -4068,7 +4284,7 @@ var schemaYAML = typed.YAMLObject(`types:
     fields:
     - name: policy
       type:
-        namedType: com.github.openshift.api.config.v1alpha1.Policy
+        namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy
       default: {}
     - name: scopes
       type:
@@ -4119,6 +4335,10 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: com.github.openshift.api.config.v1alpha1.MetricsServerConfig
       default: {}
+    - name: prometheusOperatorConfig
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.PrometheusOperatorConfig
+      default: {}
     - name: userDefined
       type:
         namedType: com.github.openshift.api.config.v1alpha1.UserDefinedMonitoring
@@ -4166,19 +4386,6 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
-- name: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor
-  map:
-    fields:
-    - name: fulcioCAData
-      type:
-        scalar: string
-    - name: fulcioSubject
-      type:
-        namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject
-      default: {}
-    - name: rekorKeyData
-      type:
-        scalar: string
 - name: com.github.openshift.api.config.v1alpha1.GatherConfig
   map:
     fields:
@@ -4215,12 +4422,47 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyStatus
       default: {}
+- name: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust
+  map:
+    fields:
+    - name: fulcioCAData
+      type:
+        scalar: string
+    - name: fulcioSubject
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject
+      default: {}
+    - name: rekorKeyData
+      type:
+        scalar: string
+- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust
+  map:
+    fields:
+    - name: caIntermediatesData
+      type:
+        scalar: string
+    - name: caRootsData
+      type:
+        scalar: string
+    - name: pkiCertificateSubject
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject
+      default: {}
+- name: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust
+  map:
+    fields:
+    - name: keyData
+      type:
+        scalar: string
+    - name: rekorKeyData
+      type:
+        scalar: string
 - name: com.github.openshift.api.config.v1alpha1.ImagePolicySpec
   map:
     fields:
     - name: policy
       type:
-        namedType: com.github.openshift.api.config.v1alpha1.Policy
+        namedType: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy
       default: {}
     - name: scopes
       type:
@@ -4239,6 +4481,17 @@ var schemaYAML = typed.YAMLObject(`types:
           elementRelationship: associative
           keys:
           - type
+- name: com.github.openshift.api.config.v1alpha1.ImageSigstoreVerificationPolicy
+  map:
+    fields:
+    - name: rootOfTrust
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust
+      default: {}
+    - name: signedIdentity
+      type:
+        namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity
+      default: {}
 - name: com.github.openshift.api.config.v1alpha1.InsightsDataGather
   map:
     fields:
@@ -4317,19 +4570,6 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: verbosity
       type:
         scalar: string
-- name: com.github.openshift.api.config.v1alpha1.PKI
-  map:
-    fields:
-    - name: caIntermediatesData
-      type:
-        scalar: string
-    - name: caRootsData
-      type:
-        scalar: string
-    - name: pkiCertificateSubject
-      type:
-        namedType: com.github.openshift.api.config.v1alpha1.PKICertificateSubject
-      default: {}
 - name: com.github.openshift.api.config.v1alpha1.PKICertificateSubject
   map:
     fields:
@@ -4356,17 +4596,6 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: mountPath
       type:
         scalar: string
-- name: com.github.openshift.api.config.v1alpha1.Policy
-  map:
-    fields:
-    - name: rootOfTrust
-      type:
-        namedType: com.github.openshift.api.config.v1alpha1.PolicyRootOfTrust
-      default: {}
-    - name: signedIdentity
-      type:
-        namedType: com.github.openshift.api.config.v1alpha1.PolicyIdentity
-      default: {}
 - name: com.github.openshift.api.config.v1alpha1.PolicyFulcioSubject
   map:
     fields:
@@ -4421,17 +4650,17 @@ var schemaYAML = typed.YAMLObject(`types:
     fields:
     - name: fulcioCAWithRekor
       type:
-        namedType: com.github.openshift.api.config.v1alpha1.FulcioCAWithRekor
+        namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrust
     - name: pki
       type:
-        namedType: com.github.openshift.api.config.v1alpha1.PKI
+        namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPKIRootOfTrust
     - name: policyType
       type:
         scalar: string
       default: ""
     - name: publicKey
       type:
-        namedType: com.github.openshift.api.config.v1alpha1.PublicKey
+        namedType: com.github.openshift.api.config.v1alpha1.ImagePolicyPublicKeyRootOfTrust
     unions:
     - discriminator: policyType
       fields:
@@ -4441,15 +4670,40 @@ var schemaYAML = typed.YAMLObject(`types:
         discriminatorValue: PKI
       - fieldName: publicKey
         discriminatorValue: PublicKey
-- name: com.github.openshift.api.config.v1alpha1.PublicKey
+- name: com.github.openshift.api.config.v1alpha1.PrometheusOperatorConfig
   map:
     fields:
-    - name: keyData
+    - name: logLevel
       type:
         scalar: string
-    - name: rekorKeyData
+    - name: nodeSelector
       type:
-        scalar: string
+        map:
+          elementType:
+            scalar: string
+    - name: resources
+      type:
+        list:
+          elementType:
+            namedType: com.github.openshift.api.config.v1alpha1.ContainerResource
+          elementRelationship: associative
+          keys:
+          - name
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.core.v1.Toleration
+          elementRelationship: atomic
+    - name: topologySpreadConstraints
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.core.v1.TopologySpreadConstraint
+          elementRelationship: associative
+          keys:
+          - topologyKey
+          - whenUnsatisfiable
 - name: com.github.openshift.api.config.v1alpha1.RetentionNumberConfig
   map:
     fields:
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go
index 048895c1142d8..da8304eaf97e6 100644
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go
@@ -20,6 +20,8 @@ import (
 func ForKind(kind schema.GroupVersionKind) interface{} {
 	switch kind {
 	// Group=config.openshift.io, Version=v1
+	case v1.SchemeGroupVersion.WithKind("AcceptRisk"):
+		return &configv1.AcceptRiskApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("AlibabaCloudPlatformStatus"):
 		return &configv1.AlibabaCloudPlatformStatusApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("AlibabaCloudResourceTag"):
@@ -132,6 +134,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.ConsoleSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ConsoleStatus"):
 		return &configv1.ConsoleStatusApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("Custom"):
+		return &configv1.CustomApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("CustomFeatureGates"):
 		return &configv1.CustomFeatureGatesApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("CustomTLSProfile"):
@@ -170,8 +174,12 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.FeatureGateSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("FeatureGateStatus"):
 		return &configv1.FeatureGateStatusApplyConfiguration{}
-	case v1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"):
-		return &configv1.FulcioCAWithRekorApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("GatherConfig"):
+		return &configv1.GatherConfigApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("GathererConfig"):
+		return &configv1.GathererConfigApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("Gatherers"):
+		return &configv1.GatherersApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("GCPPlatformStatus"):
 		return &configv1.GCPPlatformStatusApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("GCPResourceLabel"):
@@ -216,10 +224,18 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.ImageLabelApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ImagePolicy"):
 		return &configv1.ImagePolicyApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("ImagePolicyFulcioCAWithRekorRootOfTrust"):
+		return &configv1.ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("ImagePolicyPKIRootOfTrust"):
+		return &configv1.ImagePolicyPKIRootOfTrustApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("ImagePolicyPublicKeyRootOfTrust"):
+		return &configv1.ImagePolicyPublicKeyRootOfTrustApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ImagePolicySpec"):
 		return &configv1.ImagePolicySpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ImagePolicyStatus"):
 		return &configv1.ImagePolicyStatusApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("ImageSigstoreVerificationPolicy"):
+		return &configv1.ImageSigstoreVerificationPolicyApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ImageSpec"):
 		return &configv1.ImageSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ImageStatus"):
@@ -244,6 +260,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.IngressSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("IngressStatus"):
 		return &configv1.IngressStatusApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("InsightsDataGather"):
+		return &configv1.InsightsDataGatherApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("InsightsDataGatherSpec"):
+		return &configv1.InsightsDataGatherSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("KeystoneIdentityProvider"):
 		return &configv1.KeystoneIdentityProviderApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("KMSConfig"):
@@ -336,16 +356,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.OvirtPlatformLoadBalancerApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("OvirtPlatformStatus"):
 		return &configv1.OvirtPlatformStatusApplyConfiguration{}
-	case v1.SchemeGroupVersion.WithKind("PKI"):
-		return &configv1.PKIApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("PersistentVolumeClaimReference"):
+		return &configv1.PersistentVolumeClaimReferenceApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("PersistentVolumeConfig"):
+		return &configv1.PersistentVolumeConfigApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("PKICertificateSubject"):
 		return &configv1.PKICertificateSubjectApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("PlatformSpec"):
 		return &configv1.PlatformSpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("PlatformStatus"):
 		return &configv1.PlatformStatusApplyConfiguration{}
-	case v1.SchemeGroupVersion.WithKind("Policy"):
-		return &configv1.PolicyApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("PolicyFulcioSubject"):
 		return &configv1.PolicyFulcioSubjectApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("PolicyIdentity"):
@@ -378,8 +398,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.ProxySpecApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("ProxyStatus"):
 		return &configv1.ProxyStatusApplyConfiguration{}
-	case v1.SchemeGroupVersion.WithKind("PublicKey"):
-		return &configv1.PublicKeyApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("RegistryLocation"):
 		return &configv1.RegistryLocationApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("RegistrySources"):
@@ -400,6 +418,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.SecretNameReferenceApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("SignatureStore"):
 		return &configv1.SignatureStoreApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("Storage"):
+		return &configv1.StorageApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TemplateReference"):
 		return &configv1.TemplateReferenceApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TLSProfileSpec"):
@@ -412,6 +432,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.TokenClaimMappingsApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TokenClaimOrExpressionMapping"):
 		return &configv1.TokenClaimOrExpressionMappingApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("TokenClaimValidationCELRule"):
+		return &configv1.TokenClaimValidationCELRuleApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TokenClaimValidationRule"):
 		return &configv1.TokenClaimValidationRuleApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TokenConfig"):
@@ -420,6 +442,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1.TokenIssuerApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("TokenRequiredClaim"):
 		return &configv1.TokenRequiredClaimApplyConfiguration{}
+	case v1.SchemeGroupVersion.WithKind("TokenUserValidationRule"):
+		return &configv1.TokenUserValidationRuleApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("Update"):
 		return &configv1.UpdateApplyConfiguration{}
 	case v1.SchemeGroupVersion.WithKind("UpdateHistory"):
@@ -476,18 +500,30 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1alpha1.ClusterMonitoringSpecApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ContainerResource"):
 		return &configv1alpha1.ContainerResourceApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"):
+		return &configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigSpec"):
+		return &configv1alpha1.CRIOCredentialProviderConfigSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfigStatus"):
+		return &configv1alpha1.CRIOCredentialProviderConfigStatusApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("EtcdBackupSpec"):
 		return &configv1alpha1.EtcdBackupSpecApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("FulcioCAWithRekor"):
-		return &configv1alpha1.FulcioCAWithRekorApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("GatherConfig"):
 		return &configv1alpha1.GatherConfigApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicy"):
 		return &configv1alpha1.ImagePolicyApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyFulcioCAWithRekorRootOfTrust"):
+		return &configv1alpha1.ImagePolicyFulcioCAWithRekorRootOfTrustApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyPKIRootOfTrust"):
+		return &configv1alpha1.ImagePolicyPKIRootOfTrustApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyPublicKeyRootOfTrust"):
+		return &configv1alpha1.ImagePolicyPublicKeyRootOfTrustApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicySpec"):
 		return &configv1alpha1.ImagePolicySpecApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("ImagePolicyStatus"):
 		return &configv1alpha1.ImagePolicyStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ImageSigstoreVerificationPolicy"):
+		return &configv1alpha1.ImageSigstoreVerificationPolicyApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("InsightsDataGather"):
 		return &configv1alpha1.InsightsDataGatherApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("InsightsDataGatherSpec"):
@@ -498,12 +534,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1alpha1.PersistentVolumeClaimReferenceApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PersistentVolumeConfig"):
 		return &configv1alpha1.PersistentVolumeConfigApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("PKI"):
-		return &configv1alpha1.PKIApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PKICertificateSubject"):
 		return &configv1alpha1.PKICertificateSubjectApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("Policy"):
-		return &configv1alpha1.PolicyApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PolicyFulcioSubject"):
 		return &configv1alpha1.PolicyFulcioSubjectApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PolicyIdentity"):
@@ -514,8 +546,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &configv1alpha1.PolicyMatchRemapIdentityApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("PolicyRootOfTrust"):
 		return &configv1alpha1.PolicyRootOfTrustApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("PublicKey"):
-		return &configv1alpha1.PublicKeyApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("PrometheusOperatorConfig"):
+		return &configv1alpha1.PrometheusOperatorConfigApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("RetentionNumberConfig"):
 		return &configv1alpha1.RetentionNumberConfigApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("RetentionPolicy"):
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go
index d0436ada1fc87..0a3678b49ab0d 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go
@@ -24,7 +24,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -40,8 +40,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -72,6 +72,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go
index 70957eee8ba3b..afce6aef52737 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go
@@ -28,6 +28,7 @@ type ConfigV1Interface interface {
 	ImageTagMirrorSetsGetter
 	InfrastructuresGetter
 	IngressesGetter
+	InsightsDataGathersGetter
 	NetworksGetter
 	NodesGetter
 	OAuthsGetter
@@ -106,6 +107,10 @@ func (c *ConfigV1Client) Ingresses() IngressInterface {
 	return newIngresses(c)
 }
 
+func (c *ConfigV1Client) InsightsDataGathers() InsightsDataGatherInterface {
+	return newInsightsDataGathers(c)
+}
+
 func (c *ConfigV1Client) Networks() NetworkInterface {
 	return newNetworks(c)
 }
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go
index 764c8912ad9a8..b5a1a52573bcb 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go
@@ -76,6 +76,10 @@ func (c *FakeConfigV1) Ingresses() v1.IngressInterface {
 	return newFakeIngresses(c)
 }
 
+func (c *FakeConfigV1) InsightsDataGathers() v1.InsightsDataGatherInterface {
+	return newFakeInsightsDataGathers(c)
+}
+
 func (c *FakeConfigV1) Networks() v1.NetworkInterface {
 	return newFakeNetworks(c)
 }
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go
new file mode 100644
index 0000000000000..1901b7db7fe9f
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go
@@ -0,0 +1,37 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1 "github.com/openshift/api/config/v1"
+	configv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1"
+	typedconfigv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// fakeInsightsDataGathers implements InsightsDataGatherInterface
+type fakeInsightsDataGathers struct {
+	*gentype.FakeClientWithListAndApply[*v1.InsightsDataGather, *v1.InsightsDataGatherList, *configv1.InsightsDataGatherApplyConfiguration]
+	Fake *FakeConfigV1
+}
+
+func newFakeInsightsDataGathers(fake *FakeConfigV1) typedconfigv1.InsightsDataGatherInterface {
+	return &fakeInsightsDataGathers{
+		gentype.NewFakeClientWithListAndApply[*v1.InsightsDataGather, *v1.InsightsDataGatherList, *configv1.InsightsDataGatherApplyConfiguration](
+			fake.Fake,
+			"",
+			v1.SchemeGroupVersion.WithResource("insightsdatagathers"),
+			v1.SchemeGroupVersion.WithKind("InsightsDataGather"),
+			func() *v1.InsightsDataGather { return &v1.InsightsDataGather{} },
+			func() *v1.InsightsDataGatherList { return &v1.InsightsDataGatherList{} },
+			func(dst, src *v1.InsightsDataGatherList) { dst.ListMeta = src.ListMeta },
+			func(list *v1.InsightsDataGatherList) []*v1.InsightsDataGather {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1.InsightsDataGatherList, items []*v1.InsightsDataGather) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go
index 44ad19dcb3bfc..27c5fd110b449 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go
@@ -34,6 +34,8 @@ type InfrastructureExpansion interface{}
 
 type IngressExpansion interface{}
 
+type InsightsDataGatherExpansion interface{}
+
 type NetworkExpansion interface{}
 
 type NodeExpansion interface{}
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go
new file mode 100644
index 0000000000000..43f6620122aa4
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go
@@ -0,0 +1,54 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	context "context"
+
+	configv1 "github.com/openshift/api/config/v1"
+	applyconfigurationsconfigv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1"
+	scheme "github.com/openshift/client-go/config/clientset/versioned/scheme"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// InsightsDataGathersGetter has a method to return a InsightsDataGatherInterface.
+// A group's client should implement this interface.
+type InsightsDataGathersGetter interface {
+	InsightsDataGathers() InsightsDataGatherInterface
+}
+
+// InsightsDataGatherInterface has methods to work with InsightsDataGather resources.
+type InsightsDataGatherInterface interface {
+	Create(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.CreateOptions) (*configv1.InsightsDataGather, error)
+	Update(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.UpdateOptions) (*configv1.InsightsDataGather, error)
+	Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error
+	Get(ctx context.Context, name string, opts metav1.GetOptions) (*configv1.InsightsDataGather, error)
+	List(ctx context.Context, opts metav1.ListOptions) (*configv1.InsightsDataGatherList, error)
+	Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *configv1.InsightsDataGather, err error)
+	Apply(ctx context.Context, insightsDataGather *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.InsightsDataGather, err error)
+	InsightsDataGatherExpansion
+}
+
+// insightsDataGathers implements InsightsDataGatherInterface
+type insightsDataGathers struct {
+	*gentype.ClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration]
+}
+
+// newInsightsDataGathers returns a InsightsDataGathers
+func newInsightsDataGathers(c *ConfigV1Client) *insightsDataGathers {
+	return &insightsDataGathers{
+		gentype.NewClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration](
+			"insightsdatagathers",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			"",
+			func() *configv1.InsightsDataGather { return &configv1.InsightsDataGather{} },
+			func() *configv1.InsightsDataGatherList { return &configv1.InsightsDataGatherList{} },
+		),
+	}
+}
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go
index 2530a4a645fc4..58cf671dc9076 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go
@@ -13,6 +13,7 @@ import (
 type ConfigV1alpha1Interface interface {
 	RESTClient() rest.Interface
 	BackupsGetter
+	CRIOCredentialProviderConfigsGetter
 	ClusterImagePoliciesGetter
 	ClusterMonitoringsGetter
 	ImagePoliciesGetter
@@ -28,6 +29,10 @@ func (c *ConfigV1alpha1Client) Backups() BackupInterface {
 	return newBackups(c)
 }
 
+func (c *ConfigV1alpha1Client) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface {
+	return newCRIOCredentialProviderConfigs(c)
+}
+
 func (c *ConfigV1alpha1Client) ClusterImagePolicies() ClusterImagePolicyInterface {
 	return newClusterImagePolicies(c)
 }
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 0000000000000..3c4962155a459
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,62 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	applyconfigurationsconfigv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+	scheme "github.com/openshift/client-go/config/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// CRIOCredentialProviderConfigsGetter has a method to return a CRIOCredentialProviderConfigInterface.
+// A group's client should implement this interface.
+type CRIOCredentialProviderConfigsGetter interface {
+	CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInterface
+}
+
+// CRIOCredentialProviderConfigInterface has methods to work with CRIOCredentialProviderConfig resources.
+type CRIOCredentialProviderConfigInterface interface {
+	Create(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.CreateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	Update(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, cRIOCredentialProviderConfig *configv1alpha1.CRIOCredentialProviderConfig, opts v1.UpdateOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	List(ctx context.Context, opts v1.ListOptions) (*configv1alpha1.CRIOCredentialProviderConfigList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	Apply(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, cRIOCredentialProviderConfig *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration, opts v1.ApplyOptions) (result *configv1alpha1.CRIOCredentialProviderConfig, err error)
+	CRIOCredentialProviderConfigExpansion
+}
+
+// cRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type cRIOCredentialProviderConfigs struct {
+	*gentype.ClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+}
+
+// newCRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigs
+func newCRIOCredentialProviderConfigs(c *ConfigV1alpha1Client) *cRIOCredentialProviderConfigs {
+	return &cRIOCredentialProviderConfigs{
+		gentype.NewClientWithListAndApply[*configv1alpha1.CRIOCredentialProviderConfig, *configv1alpha1.CRIOCredentialProviderConfigList, *applyconfigurationsconfigv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+			"criocredentialproviderconfigs",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			"",
+			func() *configv1alpha1.CRIOCredentialProviderConfig {
+				return &configv1alpha1.CRIOCredentialProviderConfig{}
+			},
+			func() *configv1alpha1.CRIOCredentialProviderConfigList {
+				return &configv1alpha1.CRIOCredentialProviderConfigList{}
+			},
+		),
+	}
+}
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
index dd57e4a2cc693..e807c23147491 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go
@@ -16,6 +16,10 @@ func (c *FakeConfigV1alpha1) Backups() v1alpha1.BackupInterface {
 	return newFakeBackups(c)
 }
 
+func (c *FakeConfigV1alpha1) CRIOCredentialProviderConfigs() v1alpha1.CRIOCredentialProviderConfigInterface {
+	return newFakeCRIOCredentialProviderConfigs(c)
+}
+
 func (c *FakeConfigV1alpha1) ClusterImagePolicies() v1alpha1.ClusterImagePolicyInterface {
 	return newFakeClusterImagePolicies(c)
 }
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
new file mode 100644
index 0000000000000..588ce179cc3ca
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go
@@ -0,0 +1,37 @@
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/openshift/api/config/v1alpha1"
+	configv1alpha1 "github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1"
+	typedconfigv1alpha1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// fakeCRIOCredentialProviderConfigs implements CRIOCredentialProviderConfigInterface
+type fakeCRIOCredentialProviderConfigs struct {
+	*gentype.FakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration]
+	Fake *FakeConfigV1alpha1
+}
+
+func newFakeCRIOCredentialProviderConfigs(fake *FakeConfigV1alpha1) typedconfigv1alpha1.CRIOCredentialProviderConfigInterface {
+	return &fakeCRIOCredentialProviderConfigs{
+		gentype.NewFakeClientWithListAndApply[*v1alpha1.CRIOCredentialProviderConfig, *v1alpha1.CRIOCredentialProviderConfigList, *configv1alpha1.CRIOCredentialProviderConfigApplyConfiguration](
+			fake.Fake,
+			"",
+			v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"),
+			v1alpha1.SchemeGroupVersion.WithKind("CRIOCredentialProviderConfig"),
+			func() *v1alpha1.CRIOCredentialProviderConfig { return &v1alpha1.CRIOCredentialProviderConfig{} },
+			func() *v1alpha1.CRIOCredentialProviderConfigList { return &v1alpha1.CRIOCredentialProviderConfigList{} },
+			func(dst, src *v1alpha1.CRIOCredentialProviderConfigList) { dst.ListMeta = src.ListMeta },
+			func(list *v1alpha1.CRIOCredentialProviderConfigList) []*v1alpha1.CRIOCredentialProviderConfig {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1alpha1.CRIOCredentialProviderConfigList, items []*v1alpha1.CRIOCredentialProviderConfig) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
index ab5198cce6ae6..9f530ae2201a0 100644
--- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
+++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go
@@ -4,6 +4,8 @@ package v1alpha1
 
 type BackupExpansion interface{}
 
+type CRIOCredentialProviderConfigExpansion interface{}
+
 type ClusterImagePolicyExpansion interface{}
 
 type ClusterMonitoringExpansion interface{}
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/apiserver.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/apiserver.go
index f022c5fff5184..7fa3cc852eb17 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/apiserver.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/apiserver.go
@@ -40,7 +40,7 @@ func NewAPIServerInformer(client versioned.Interface, resyncPeriod time.Duration
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredAPIServerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredAPIServerInformer(client versioned.Interface, resyncPeriod time.
 				}
 				return client.ConfigV1().APIServers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.APIServer{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/authentication.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/authentication.go
index a52a281783212..902537e4ec383 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/authentication.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/authentication.go
@@ -40,7 +40,7 @@ func NewAuthenticationInformer(client versioned.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredAuthenticationInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredAuthenticationInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ConfigV1().Authentications().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Authentication{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/build.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/build.go
index cfa41e7bc4b2c..f1680fe8b200f 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/build.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/build.go
@@ -40,7 +40,7 @@ func NewBuildInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredBuildInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredBuildInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.ConfigV1().Builds().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Build{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go
index 9dfb2b3da3a0c..d172bdecf5fda 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterimagepolicy.go
@@ -40,7 +40,7 @@ func NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPer
 				}
 				return client.ConfigV1().ClusterImagePolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ClusterImagePolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusteroperator.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusteroperator.go
index 79728d2b8daf2..0b524565e9943 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusteroperator.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusteroperator.go
@@ -40,7 +40,7 @@ func NewClusterOperatorInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterOperatorInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterOperatorInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ConfigV1().ClusterOperators().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ClusterOperator{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterversion.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterversion.go
index 668c73ac9eaf7..5ba9f5e2e8272 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterversion.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/clusterversion.go
@@ -40,7 +40,7 @@ func NewClusterVersionInformer(client versioned.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterVersionInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterVersionInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ConfigV1().ClusterVersions().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ClusterVersion{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/console.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/console.go
index f39cbb76938ad..8c4a901dc6a10 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/console.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/console.go
@@ -40,7 +40,7 @@ func NewConsoleInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredConsoleInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredConsoleInformer(client versioned.Interface, resyncPeriod time.Du
 				}
 				return client.ConfigV1().Consoles().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Console{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/dns.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/dns.go
index 83860dc914412..2e8ae5b5729b5 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/dns.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/dns.go
@@ -40,7 +40,7 @@ func NewDNSInformer(client versioned.Interface, resyncPeriod time.Duration, inde
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDNSInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredDNSInformer(client versioned.Interface, resyncPeriod time.Durati
 				}
 				return client.ConfigV1().DNSes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.DNS{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/featuregate.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/featuregate.go
index d6cfb650da441..e26cdb9ac315f 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/featuregate.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/featuregate.go
@@ -40,7 +40,7 @@ func NewFeatureGateInformer(client versioned.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFeatureGateInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredFeatureGateInformer(client versioned.Interface, resyncPeriod tim
 				}
 				return client.ConfigV1().FeatureGates().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.FeatureGate{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/image.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/image.go
index e67276031c44a..0992eba82b405 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/image.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/image.go
@@ -40,7 +40,7 @@ func NewImageInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredImageInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.ConfigV1().Images().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Image{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go
index 59a069f476e24..9960674341046 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagecontentpolicy.go
@@ -40,7 +40,7 @@ func NewImageContentPolicyInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageContentPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredImageContentPolicyInformer(client versioned.Interface, resyncPer
 				}
 				return client.ConfigV1().ImageContentPolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ImageContentPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagedigestmirrorset.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagedigestmirrorset.go
index 3eeb939c14387..7efd71d7e06b9 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagedigestmirrorset.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagedigestmirrorset.go
@@ -40,7 +40,7 @@ func NewImageDigestMirrorSetInformer(client versioned.Interface, resyncPeriod ti
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageDigestMirrorSetInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredImageDigestMirrorSetInformer(client versioned.Interface, resyncP
 				}
 				return client.ConfigV1().ImageDigestMirrorSets().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ImageDigestMirrorSet{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go
index 191fc5db982ef..64a4d13bce240 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagepolicy.go
@@ -41,7 +41,7 @@ func NewImagePolicyInformer(client versioned.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string
 				}
 				return client.ConfigV1().ImagePolicies(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ImagePolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagetagmirrorset.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagetagmirrorset.go
index 51d1c07fdfc84..e50f27fdeb7d9 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagetagmirrorset.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/imagetagmirrorset.go
@@ -40,7 +40,7 @@ func NewImageTagMirrorSetInformer(client versioned.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageTagMirrorSetInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredImageTagMirrorSetInformer(client versioned.Interface, resyncPeri
 				}
 				return client.ConfigV1().ImageTagMirrorSets().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.ImageTagMirrorSet{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/infrastructure.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/infrastructure.go
index 0f128b569c10a..a5bbe9f513ed9 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/infrastructure.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/infrastructure.go
@@ -40,7 +40,7 @@ func NewInfrastructureInformer(client versioned.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredInfrastructureInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredInfrastructureInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.ConfigV1().Infrastructures().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Infrastructure{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/ingress.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/ingress.go
index 0a1f492ded962..112b941af99f7 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/ingress.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/ingress.go
@@ -40,7 +40,7 @@ func NewIngressInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIngressInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredIngressInformer(client versioned.Interface, resyncPeriod time.Du
 				}
 				return client.ConfigV1().Ingresses().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Ingress{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go
new file mode 100644
index 0000000000000..5872bfc6ab597
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go
@@ -0,0 +1,85 @@
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	context "context"
+	time "time"
+
+	apiconfigv1 "github.com/openshift/api/config/v1"
+	versioned "github.com/openshift/client-go/config/clientset/versioned"
+	internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces"
+	configv1 "github.com/openshift/client-go/config/listers/config/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// InsightsDataGatherInformer provides access to a shared informer and lister for
+// InsightsDataGathers.
+type InsightsDataGatherInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() configv1.InsightsDataGatherLister
+}
+
+type insightsDataGatherInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewInsightsDataGatherInformer constructs a new informer for InsightsDataGather type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredInsightsDataGatherInformer constructs a new informer for InsightsDataGather type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1().InsightsDataGathers().List(context.Background(), options)
+			},
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1().InsightsDataGathers().Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1().InsightsDataGathers().List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1().InsightsDataGathers().Watch(ctx, options)
+			},
+		}, client),
+		&apiconfigv1.InsightsDataGather{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *insightsDataGatherInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *insightsDataGatherInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apiconfigv1.InsightsDataGather{}, f.defaultInformer)
+}
+
+func (f *insightsDataGatherInformer) Lister() configv1.InsightsDataGatherLister {
+	return configv1.NewInsightsDataGatherLister(f.Informer().GetIndexer())
+}
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go
index ff4c521b04b0a..0ad1b98f37b9a 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go
@@ -40,6 +40,8 @@ type Interface interface {
 	Infrastructures() InfrastructureInformer
 	// Ingresses returns a IngressInformer.
 	Ingresses() IngressInformer
+	// InsightsDataGathers returns a InsightsDataGatherInformer.
+	InsightsDataGathers() InsightsDataGatherInformer
 	// Networks returns a NetworkInformer.
 	Networks() NetworkInformer
 	// Nodes returns a NodeInformer.
@@ -147,6 +149,11 @@ func (v *version) Ingresses() IngressInformer {
 	return &ingressInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
+// InsightsDataGathers returns a InsightsDataGatherInformer.
+func (v *version) InsightsDataGathers() InsightsDataGatherInformer {
+	return &insightsDataGatherInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
 // Networks returns a NetworkInformer.
 func (v *version) Networks() NetworkInformer {
 	return &networkInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/network.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/network.go
index ea96c4e7947be..ad36857a1a813 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/network.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/network.go
@@ -40,7 +40,7 @@ func NewNetworkInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNetworkInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredNetworkInformer(client versioned.Interface, resyncPeriod time.Du
 				}
 				return client.ConfigV1().Networks().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Network{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/node.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/node.go
index d098a79b51135..666868895c484 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/node.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/node.go
@@ -40,7 +40,7 @@ func NewNodeInformer(client versioned.Interface, resyncPeriod time.Duration, ind
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNodeInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredNodeInformer(client versioned.Interface, resyncPeriod time.Durat
 				}
 				return client.ConfigV1().Nodes().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Node{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/oauth.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/oauth.go
index 3c66d94d1eb06..bd19ddeea64c7 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/oauth.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/oauth.go
@@ -40,7 +40,7 @@ func NewOAuthInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOAuthInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOAuthInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.ConfigV1().OAuths().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.OAuth{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/operatorhub.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/operatorhub.go
index 972c711bb9d75..eb76c7694bf5c 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/operatorhub.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/operatorhub.go
@@ -40,7 +40,7 @@ func NewOperatorHubInformer(client versioned.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOperatorHubInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOperatorHubInformer(client versioned.Interface, resyncPeriod tim
 				}
 				return client.ConfigV1().OperatorHubs().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.OperatorHub{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/project.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/project.go
index c6aa8bfbc22ec..bcbdabcc6eb15 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/project.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/project.go
@@ -40,7 +40,7 @@ func NewProjectInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredProjectInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredProjectInformer(client versioned.Interface, resyncPeriod time.Du
 				}
 				return client.ConfigV1().Projects().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Project{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/proxy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/proxy.go
index 607e5c2273b7b..12dc67e5181d2 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/proxy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/proxy.go
@@ -40,7 +40,7 @@ func NewProxyInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredProxyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredProxyInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.ConfigV1().Proxies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Proxy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/scheduler.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/scheduler.go
index 7a7783f547c6d..f31b64a3a4929 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/scheduler.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/scheduler.go
@@ -40,7 +40,7 @@ func NewSchedulerInformer(client versioned.Interface, resyncPeriod time.Duration
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredSchedulerInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredSchedulerInformer(client versioned.Interface, resyncPeriod time.
 				}
 				return client.ConfigV1().Schedulers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1.Scheduler{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/backup.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/backup.go
index 2ccf1a314612d..43a7e5abc6078 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/backup.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/backup.go
@@ -40,7 +40,7 @@ func NewBackupInformer(client versioned.Interface, resyncPeriod time.Duration, i
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredBackupInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredBackupInformer(client versioned.Interface, resyncPeriod time.Dur
 				}
 				return client.ConfigV1alpha1().Backups().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha1.Backup{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go
index c525adfb9b2a5..af5c3e27f1a31 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go
@@ -40,7 +40,7 @@ func NewClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterImagePolicyInformer(client versioned.Interface, resyncPer
 				}
 				return client.ConfigV1alpha1().ClusterImagePolicies().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha1.ClusterImagePolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clustermonitoring.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clustermonitoring.go
index 5c47b4b2cbac2..36e2fa631e658 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clustermonitoring.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clustermonitoring.go
@@ -40,7 +40,7 @@ func NewClusterMonitoringInformer(client versioned.Interface, resyncPeriod time.
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterMonitoringInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterMonitoringInformer(client versioned.Interface, resyncPeri
 				}
 				return client.ConfigV1alpha1().ClusterMonitorings().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha1.ClusterMonitoring{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 0000000000000..132ca8041e71a
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,85 @@
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+	time "time"
+
+	apiconfigv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	versioned "github.com/openshift/client-go/config/clientset/versioned"
+	internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces"
+	configv1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigInformer provides access to a shared informer and lister for
+// CRIOCredentialProviderConfigs.
+type CRIOCredentialProviderConfigInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() configv1alpha1.CRIOCredentialProviderConfigLister
+}
+
+type cRIOCredentialProviderConfigInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCRIOCredentialProviderConfigInformer constructs a new informer for CRIOCredentialProviderConfig type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCRIOCredentialProviderConfigInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ConfigV1alpha1().CRIOCredentialProviderConfigs().Watch(ctx, options)
+			},
+		}, client),
+		&apiconfigv1alpha1.CRIOCredentialProviderConfig{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCRIOCredentialProviderConfigInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apiconfigv1alpha1.CRIOCredentialProviderConfig{}, f.defaultInformer)
+}
+
+func (f *cRIOCredentialProviderConfigInformer) Lister() configv1alpha1.CRIOCredentialProviderConfigLister {
+	return configv1alpha1.NewCRIOCredentialProviderConfigLister(f.Informer().GetIndexer())
+}
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go
index 875eb9d796e26..d56c1e834f87f 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go
@@ -41,7 +41,7 @@ func NewImagePolicyInformer(client versioned.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredImagePolicyInformer(client versioned.Interface, namespace string
 				}
 				return client.ConfigV1alpha1().ImagePolicies(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha1.ImagePolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/insightsdatagather.go
index 4df1b4b1cb97a..39624071e45dc 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/insightsdatagather.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/insightsdatagather.go
@@ -40,7 +40,7 @@ func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPer
 				}
 				return client.ConfigV1alpha1().InsightsDataGathers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha1.InsightsDataGather{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go
index 893d2db0ad737..10cc930b8cbd5 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go
@@ -10,6 +10,8 @@ import (
 type Interface interface {
 	// Backups returns a BackupInformer.
 	Backups() BackupInformer
+	// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+	CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer
 	// ClusterImagePolicies returns a ClusterImagePolicyInformer.
 	ClusterImagePolicies() ClusterImagePolicyInformer
 	// ClusterMonitorings returns a ClusterMonitoringInformer.
@@ -36,6 +38,11 @@ func (v *version) Backups() BackupInformer {
 	return &backupInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
+// CRIOCredentialProviderConfigs returns a CRIOCredentialProviderConfigInformer.
+func (v *version) CRIOCredentialProviderConfigs() CRIOCredentialProviderConfigInformer {
+	return &cRIOCredentialProviderConfigInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
 // ClusterImagePolicies returns a ClusterImagePolicyInformer.
 func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {
 	return &clusterImagePolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go
index 28ceb2d75fc68..471c79f1e87f4 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha2/insightsdatagather.go
@@ -40,7 +40,7 @@ func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPer
 				}
 				return client.ConfigV1alpha2().InsightsDataGathers().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiconfigv1alpha2.InsightsDataGather{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/factory.go
index 2ecff4860a60d..befdfaabd0b36 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go
index 59c98ea77cc19..ca697748ae9e1 100644
--- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go
+++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go
@@ -71,6 +71,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Infrastructures().Informer()}, nil
 	case v1.SchemeGroupVersion.WithResource("ingresses"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Ingresses().Informer()}, nil
+	case v1.SchemeGroupVersion.WithResource("insightsdatagathers"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().InsightsDataGathers().Informer()}, nil
 	case v1.SchemeGroupVersion.WithResource("networks"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Networks().Informer()}, nil
 	case v1.SchemeGroupVersion.WithResource("nodes"):
@@ -89,6 +91,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		// Group=config.openshift.io, Version=v1alpha1
 	case v1alpha1.SchemeGroupVersion.WithResource("backups"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().Backups().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("criocredentialproviderconfigs"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().CRIOCredentialProviderConfigs().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("clusterimagepolicies"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().ClusterImagePolicies().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("clustermonitorings"):
diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go
index d4e79cd0ea8dd..ca93cb2838c18 100644
--- a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go
+++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go
@@ -70,6 +70,10 @@ type InfrastructureListerExpansion interface{}
 // IngressLister.
 type IngressListerExpansion interface{}
 
+// InsightsDataGatherListerExpansion allows custom methods to be added to
+// InsightsDataGatherLister.
+type InsightsDataGatherListerExpansion interface{}
+
 // NetworkListerExpansion allows custom methods to be added to
 // NetworkLister.
 type NetworkListerExpansion interface{}
diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go
new file mode 100644
index 0000000000000..79da7823ff617
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go
@@ -0,0 +1,32 @@
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	configv1 "github.com/openshift/api/config/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// InsightsDataGatherLister helps list InsightsDataGathers.
+// All objects returned here must be treated as read-only.
+type InsightsDataGatherLister interface {
+	// List lists all InsightsDataGathers in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*configv1.InsightsDataGather, err error)
+	// Get retrieves the InsightsDataGather from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*configv1.InsightsDataGather, error)
+	InsightsDataGatherListerExpansion
+}
+
+// insightsDataGatherLister implements the InsightsDataGatherLister interface.
+type insightsDataGatherLister struct {
+	listers.ResourceIndexer[*configv1.InsightsDataGather]
+}
+
+// NewInsightsDataGatherLister returns a new InsightsDataGatherLister.
+func NewInsightsDataGatherLister(indexer cache.Indexer) InsightsDataGatherLister {
+	return &insightsDataGatherLister{listers.New[*configv1.InsightsDataGather](indexer, configv1.Resource("insightsdatagather"))}
+}
diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go
new file mode 100644
index 0000000000000..cc5dfa3885867
--- /dev/null
+++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/criocredentialproviderconfig.go
@@ -0,0 +1,32 @@
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	configv1alpha1 "github.com/openshift/api/config/v1alpha1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CRIOCredentialProviderConfigLister helps list CRIOCredentialProviderConfigs.
+// All objects returned here must be treated as read-only.
+type CRIOCredentialProviderConfigLister interface {
+	// List lists all CRIOCredentialProviderConfigs in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*configv1alpha1.CRIOCredentialProviderConfig, err error)
+	// Get retrieves the CRIOCredentialProviderConfig from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*configv1alpha1.CRIOCredentialProviderConfig, error)
+	CRIOCredentialProviderConfigListerExpansion
+}
+
+// cRIOCredentialProviderConfigLister implements the CRIOCredentialProviderConfigLister interface.
+type cRIOCredentialProviderConfigLister struct {
+	listers.ResourceIndexer[*configv1alpha1.CRIOCredentialProviderConfig]
+}
+
+// NewCRIOCredentialProviderConfigLister returns a new CRIOCredentialProviderConfigLister.
+func NewCRIOCredentialProviderConfigLister(indexer cache.Indexer) CRIOCredentialProviderConfigLister {
+	return &cRIOCredentialProviderConfigLister{listers.New[*configv1alpha1.CRIOCredentialProviderConfig](indexer, configv1alpha1.Resource("criocredentialproviderconfig"))}
+}
diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go
index 09b4d206dba1d..75ba32823f9c9 100644
--- a/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go
+++ b/vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go
@@ -6,6 +6,10 @@ package v1alpha1
 // BackupLister.
 type BackupListerExpansion interface{}
 
+// CRIOCredentialProviderConfigListerExpansion allows custom methods to be added to
+// CRIOCredentialProviderConfigLister.
+type CRIOCredentialProviderConfigListerExpansion interface{}
+
 // ClusterImagePolicyListerExpansion allows custom methods to be added to
 // ClusterImagePolicyLister.
 type ClusterImagePolicyListerExpansion interface{}
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/image.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/image.go
index de981e8ddd40d..5dea79f635b9d 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/image.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/image.go
@@ -14,19 +14,44 @@ import (
 
 // ImageApplyConfiguration represents a declarative configuration of the Image type for use
 // with apply.
+//
+// Image is an immutable representation of a container image and its metadata at a point in time.
+// Images are named by taking a hash of their contents (metadata and content) and any change
+// in format, content, or metadata results in a new name. The images resource is primarily
+// for use by cluster administrators and integrations like the cluster image registry - end
+// users, instead, access images via the imagestreamtags or imagestreamimages resources. While
+// image metadata is stored in the API, any integration that implements the container image
+// registry API must provide its own storage for the raw manifest data, image config, and
+// layer contents.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	DockerImageReference                 *string                            `json:"dockerImageReference,omitempty"`
-	DockerImageMetadata                  *runtime.RawExtension              `json:"dockerImageMetadata,omitempty"`
-	DockerImageMetadataVersion           *string                            `json:"dockerImageMetadataVersion,omitempty"`
-	DockerImageManifest                  *string                            `json:"dockerImageManifest,omitempty"`
-	DockerImageLayers                    []ImageLayerApplyConfiguration     `json:"dockerImageLayers,omitempty"`
-	Signatures                           []ImageSignatureApplyConfiguration `json:"signatures,omitempty"`
-	DockerImageSignatures                [][]byte                           `json:"dockerImageSignatures,omitempty"`
-	DockerImageManifestMediaType         *string                            `json:"dockerImageManifestMediaType,omitempty"`
-	DockerImageConfig                    *string                            `json:"dockerImageConfig,omitempty"`
-	DockerImageManifests                 []ImageManifestApplyConfiguration  `json:"dockerImageManifests,omitempty"`
+	// dockerImageReference is the string that can be used to pull this image.
+	DockerImageReference *string `json:"dockerImageReference,omitempty"`
+	// dockerImageMetadata contains metadata about this image
+	DockerImageMetadata *runtime.RawExtension `json:"dockerImageMetadata,omitempty"`
+	// dockerImageMetadataVersion conveys the version of the object, which if empty defaults to "1.0"
+	DockerImageMetadataVersion *string `json:"dockerImageMetadataVersion,omitempty"`
+	// dockerImageManifest is the raw JSON of the manifest
+	DockerImageManifest *string `json:"dockerImageManifest,omitempty"`
+	// dockerImageLayers represents the layers in the image. May not be set if the image does not define that data or if the image represents a manifest list.
+	DockerImageLayers []ImageLayerApplyConfiguration `json:"dockerImageLayers,omitempty"`
+	// signatures holds all signatures of the image.
+	Signatures []ImageSignatureApplyConfiguration `json:"signatures,omitempty"`
+	// dockerImageSignatures provides the signatures as opaque blobs. This is a part of manifest schema v1.
+	DockerImageSignatures [][]byte `json:"dockerImageSignatures,omitempty"`
+	// dockerImageManifestMediaType specifies the mediaType of manifest. This is a part of manifest schema v2.
+	DockerImageManifestMediaType *string `json:"dockerImageManifestMediaType,omitempty"`
+	// dockerImageConfig is a JSON blob that the runtime uses to set up the container. This is a part of manifest schema v2.
+	// Will not be set when the image represents a manifest list.
+	DockerImageConfig *string `json:"dockerImageConfig,omitempty"`
+	// dockerImageManifests holds information about sub-manifests when the image represents a manifest list.
+	// When this field is present, no DockerImageLayers should be specified.
+	DockerImageManifests []ImageManifestApplyConfiguration `json:"dockerImageManifests,omitempty"`
 }
 
 // Image constructs a declarative configuration of the Image type for use with
@@ -39,29 +64,14 @@ func Image(name string) *ImageApplyConfiguration {
 	return b
 }
 
-// ExtractImage extracts the applied configuration owned by fieldManager from
-// image. If no managedFields are found in image for fieldManager, a
-// ImageApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractImageFrom extracts the applied configuration owned by fieldManager from
+// image for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // image must be a unmodified Image API object that was retrieved from the Kubernetes API.
-// ExtractImage provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractImageFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractImage(image *imagev1.Image, fieldManager string) (*ImageApplyConfiguration, error) {
-	return extractImage(image, fieldManager, "")
-}
-
-// ExtractImageStatus is the same as ExtractImage except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractImageStatus(image *imagev1.Image, fieldManager string) (*ImageApplyConfiguration, error) {
-	return extractImage(image, fieldManager, "status")
-}
-
-func extractImage(image *imagev1.Image, fieldManager string, subresource string) (*ImageApplyConfiguration, error) {
+func ExtractImageFrom(image *imagev1.Image, fieldManager string, subresource string) (*ImageApplyConfiguration, error) {
 	b := &ImageApplyConfiguration{}
 	err := managedfields.ExtractInto(image, internal.Parser().Type("com.github.openshift.api.image.v1.Image"), fieldManager, b, subresource)
 	if err != nil {
@@ -73,6 +83,21 @@ func extractImage(image *imagev1.Image, fieldManager string, subresource string)
 	b.WithAPIVersion("image.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractImage extracts the applied configuration owned by fieldManager from
+// image. If no managedFields are found in image for fieldManager, a
+// ImageApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// image must be a unmodified Image API object that was retrieved from the Kubernetes API.
+// ExtractImage provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImage(image *imagev1.Image, fieldManager string) (*ImageApplyConfiguration, error) {
+	return ExtractImageFrom(image, fieldManager, "")
+}
+
 func (b ImageApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelayer.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelayer.go
index 09dc0f931faaf..680723f44177c 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelayer.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelayer.go
@@ -4,9 +4,14 @@ package v1
 
 // ImageLayerApplyConfiguration represents a declarative configuration of the ImageLayer type for use
 // with apply.
+//
+// ImageLayer represents a single layer of the image. Some images may have multiple layers. Some may have none.
 type ImageLayerApplyConfiguration struct {
-	Name      *string `json:"name,omitempty"`
-	LayerSize *int64  `json:"size,omitempty"`
+	// name of the layer as defined by the underlying store.
+	Name *string `json:"name,omitempty"`
+	// size of the layer in bytes as defined by the underlying store.
+	LayerSize *int64 `json:"size,omitempty"`
+	// mediaType of the referenced object.
 	MediaType *string `json:"mediaType,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelookuppolicy.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelookuppolicy.go
index ecc95d10b1a49..1a5e45656235a 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelookuppolicy.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagelookuppolicy.go
@@ -4,7 +4,15 @@ package v1
 
 // ImageLookupPolicyApplyConfiguration represents a declarative configuration of the ImageLookupPolicy type for use
 // with apply.
+//
+// ImageLookupPolicy describes how an image stream can be used to override the image references
+// used by pods, builds, and other resources in a namespace.
 type ImageLookupPolicyApplyConfiguration struct {
+	// local will change the docker short image references (like "mysql" or
+	// "php:latest") on objects in this namespace to the image ID whenever they match
+	// this image stream, instead of reaching out to a remote registry. The name will
+	// be fully qualified to an image ID if found. The tag's referencePolicy is taken
+	// into account on the replaced value. Only works within the current namespace.
 	Local *bool `json:"local,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagemanifest.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagemanifest.go
index 5368f96a6646d..f1368387b53c7 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagemanifest.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagemanifest.go
@@ -4,13 +4,24 @@ package v1
 
 // ImageManifestApplyConfiguration represents a declarative configuration of the ImageManifest type for use
 // with apply.
+//
+// ImageManifest represents sub-manifests of a manifest list. The Digest field points to a regular
+// Image object.
 type ImageManifestApplyConfiguration struct {
-	Digest       *string `json:"digest,omitempty"`
-	MediaType    *string `json:"mediaType,omitempty"`
-	ManifestSize *int64  `json:"manifestSize,omitempty"`
+	// digest is the unique identifier for the manifest. It refers to an Image object.
+	Digest *string `json:"digest,omitempty"`
+	// mediaType defines the type of the manifest, possible values are application/vnd.oci.image.manifest.v1+json,
+	// application/vnd.docker.distribution.manifest.v2+json or application/vnd.docker.distribution.manifest.v1+json.
+	MediaType *string `json:"mediaType,omitempty"`
+	// manifestSize represents the size of the raw object contents, in bytes.
+	ManifestSize *int64 `json:"manifestSize,omitempty"`
+	// architecture specifies the supported CPU architecture, for example `amd64` or `ppc64le`.
 	Architecture *string `json:"architecture,omitempty"`
-	OS           *string `json:"os,omitempty"`
-	Variant      *string `json:"variant,omitempty"`
+	// os specifies the operating system, for example `linux`.
+	OS *string `json:"os,omitempty"`
+	// variant is an optional field repreenting a variant of the CPU, for example v6 to specify a particular CPU
+	// variant of the ARM CPU.
+	Variant *string `json:"variant,omitempty"`
 }
 
 // ImageManifestApplyConfiguration constructs a declarative configuration of the ImageManifest type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagesignature.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagesignature.go
index 56df91994b64c..9ba0d8fcfa5ca 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagesignature.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagesignature.go
@@ -10,17 +10,38 @@ import (
 
 // ImageSignatureApplyConfiguration represents a declarative configuration of the ImageSignature type for use
 // with apply.
+//
+// ImageSignature holds a signature of an image. It allows to verify image identity and possibly other claims
+// as long as the signature is trusted. Based on this information it is possible to restrict runnable images
+// to those matching cluster-wide policy.
+// Mandatory fields should be parsed by clients doing image verification. The others are parsed from
+// signature's content by the server. They serve just an informative purpose.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageSignatureApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Type                                 *string                                `json:"type,omitempty"`
-	Content                              []byte                                 `json:"content,omitempty"`
-	Conditions                           []SignatureConditionApplyConfiguration `json:"conditions,omitempty"`
-	ImageIdentity                        *string                                `json:"imageIdentity,omitempty"`
-	SignedClaims                         map[string]string                      `json:"signedClaims,omitempty"`
-	Created                              *apismetav1.Time                       `json:"created,omitempty"`
-	IssuedBy                             *SignatureIssuerApplyConfiguration     `json:"issuedBy,omitempty"`
-	IssuedTo                             *SignatureSubjectApplyConfiguration    `json:"issuedTo,omitempty"`
+	// Required: Describes a type of stored blob.
+	Type *string `json:"type,omitempty"`
+	// Required: An opaque binary string which is an image's signature.
+	Content []byte `json:"content,omitempty"`
+	// conditions represent the latest available observations of a signature's current state.
+	Conditions []SignatureConditionApplyConfiguration `json:"conditions,omitempty"`
+	// A human readable string representing image's identity. It could be a product name and version, or an
+	// image pull spec (e.g. "registry.access.redhat.com/rhel7/rhel:7.2").
+	ImageIdentity *string `json:"imageIdentity,omitempty"`
+	// Contains claims from the signature.
+	SignedClaims map[string]string `json:"signedClaims,omitempty"`
+	// If specified, it is the time of signature's creation.
+	Created *apismetav1.Time `json:"created,omitempty"`
+	// If specified, it holds information about an issuer of signing certificate or key (a person or entity
+	// who signed the signing certificate or key).
+	IssuedBy *SignatureIssuerApplyConfiguration `json:"issuedBy,omitempty"`
+	// If specified, it holds information about a subject of signing certificate or key (a person or entity
+	// who signed the image).
+	IssuedTo *SignatureSubjectApplyConfiguration `json:"issuedTo,omitempty"`
 }
 
 // ImageSignature constructs a declarative configuration of the ImageSignature type for use with
@@ -32,6 +53,7 @@ func ImageSignature(name string) *ImageSignatureApplyConfiguration {
 	b.WithAPIVersion("image.openshift.io/v1")
 	return b
 }
+
 func (b ImageSignatureApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestream.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestream.go
index fec216b4f1315..48d3321df6d1d 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestream.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestream.go
@@ -13,11 +13,32 @@ import (
 
 // ImageStreamApplyConfiguration represents a declarative configuration of the ImageStream type for use
 // with apply.
+//
+// An ImageStream stores a mapping of tags to images, metadata overrides that are applied
+// when images are tagged in a stream, and an optional reference to a container image
+// repository on a registry. Users typically update the spec.tags field to point to external
+// images which are imported from container registries using credentials in your namespace
+// with the pull secret type, or to existing image stream tags and images which are
+// immediately accessible for tagging or pulling. The history of images applied to a tag
+// is visible in the status.tags field and any user who can view an image stream is allowed
+// to tag that image into their own image streams. Access to pull images from the integrated
+// registry is granted by having the "get imagestreams/layers" permission on a given image
+// stream. Users may remove a tag by deleting the imagestreamtag resource, which causes both
+// spec and status for that tag to be removed. Image stream history is retained until an
+// administrator runs the prune operation, which removes references that are no longer in
+// use. To preserve a historical image, ensure there is a tag in spec pointing to that image
+// by its digest.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageStreamApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ImageStreamSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ImageStreamStatusApplyConfiguration `json:"status,omitempty"`
+	// spec describes the desired state of this stream
+	Spec *ImageStreamSpecApplyConfiguration `json:"spec,omitempty"`
+	// status describes the current state of this stream
+	Status *ImageStreamStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ImageStream constructs a declarative configuration of the ImageStream type for use with
@@ -31,6 +52,27 @@ func ImageStream(name, namespace string) *ImageStreamApplyConfiguration {
 	return b
 }
 
+// ExtractImageStreamFrom extracts the applied configuration owned by fieldManager from
+// imageStream for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// imageStream must be a unmodified ImageStream API object that was retrieved from the Kubernetes API.
+// ExtractImageStreamFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageStreamFrom(imageStream *imagev1.ImageStream, fieldManager string, subresource string) (*ImageStreamApplyConfiguration, error) {
+	b := &ImageStreamApplyConfiguration{}
+	err := managedfields.ExtractInto(imageStream, internal.Parser().Type("com.github.openshift.api.image.v1.ImageStream"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(imageStream.Name)
+	b.WithNamespace(imageStream.Namespace)
+
+	b.WithKind("ImageStream")
+	b.WithAPIVersion("image.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractImageStream extracts the applied configuration owned by fieldManager from
 // imageStream. If no managedFields are found in imageStream for fieldManager, a
 // ImageStreamApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +83,28 @@ func ImageStream(name, namespace string) *ImageStreamApplyConfiguration {
 // ExtractImageStream provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractImageStream(imageStream *imagev1.ImageStream, fieldManager string) (*ImageStreamApplyConfiguration, error) {
-	return extractImageStream(imageStream, fieldManager, "")
+	return ExtractImageStreamFrom(imageStream, fieldManager, "")
 }
 
-// ExtractImageStreamStatus is the same as ExtractImageStream except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractImageStreamStatus(imageStream *imagev1.ImageStream, fieldManager string) (*ImageStreamApplyConfiguration, error) {
-	return extractImageStream(imageStream, fieldManager, "status")
+// ExtractImageStreamLayers extracts the applied configuration owned by fieldManager from
+// imageStream for the layers subresource.
+func ExtractImageStreamLayers(imageStream *imagev1.ImageStream, fieldManager string) (*ImageStreamApplyConfiguration, error) {
+	return ExtractImageStreamFrom(imageStream, fieldManager, "layers")
 }
 
-func extractImageStream(imageStream *imagev1.ImageStream, fieldManager string, subresource string) (*ImageStreamApplyConfiguration, error) {
-	b := &ImageStreamApplyConfiguration{}
-	err := managedfields.ExtractInto(imageStream, internal.Parser().Type("com.github.openshift.api.image.v1.ImageStream"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(imageStream.Name)
-	b.WithNamespace(imageStream.Namespace)
+// ExtractImageStreamSecrets extracts the applied configuration owned by fieldManager from
+// imageStream for the secrets subresource.
+func ExtractImageStreamSecrets(imageStream *imagev1.ImageStream, fieldManager string) (*ImageStreamApplyConfiguration, error) {
+	return ExtractImageStreamFrom(imageStream, fieldManager, "secrets")
+}
 
-	b.WithKind("ImageStream")
-	b.WithAPIVersion("image.openshift.io/v1")
-	return b, nil
+// ExtractImageStreamStatus extracts the applied configuration owned by fieldManager from
+// imageStream for the status subresource.
+func ExtractImageStreamStatus(imageStream *imagev1.ImageStream, fieldManager string) (*ImageStreamApplyConfiguration, error) {
+	return ExtractImageStreamFrom(imageStream, fieldManager, "status")
 }
+
 func (b ImageStreamApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreammapping.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreammapping.go
index 518c9ef029fa9..e7f1150b96e31 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreammapping.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreammapping.go
@@ -13,11 +13,26 @@ import (
 
 // ImageStreamMappingApplyConfiguration represents a declarative configuration of the ImageStreamMapping type for use
 // with apply.
+//
+// ImageStreamMapping represents a mapping from a single image stream tag to a container
+// image as well as the reference to the container image stream the image came from. This
+// resource is used by privileged integrators to create an image resource and to associate
+// it with an image stream in the status tags field. Creating an ImageStreamMapping will
+// allow any user who can view the image stream to tag or pull that image, so only create
+// mappings where the user has proven they have access to the image contents directly.
+// The only operation supported for this resource is create and the metadata name and
+// namespace should be set to the image stream containing the tag that should be updated.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ImageStreamMappingApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Image                                *ImageApplyConfiguration `json:"image,omitempty"`
-	Tag                                  *string                  `json:"tag,omitempty"`
+	// image is a container image.
+	Image *ImageApplyConfiguration `json:"image,omitempty"`
+	// tag is a string value this image can be located with inside the stream.
+	Tag *string `json:"tag,omitempty"`
 }
 
 // ImageStreamMapping constructs a declarative configuration of the ImageStreamMapping type for use with
@@ -31,29 +46,14 @@ func ImageStreamMapping(name, namespace string) *ImageStreamMappingApplyConfigur
 	return b
 }
 
-// ExtractImageStreamMapping extracts the applied configuration owned by fieldManager from
-// imageStreamMapping. If no managedFields are found in imageStreamMapping for fieldManager, a
-// ImageStreamMappingApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractImageStreamMappingFrom extracts the applied configuration owned by fieldManager from
+// imageStreamMapping for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // imageStreamMapping must be a unmodified ImageStreamMapping API object that was retrieved from the Kubernetes API.
-// ExtractImageStreamMapping provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractImageStreamMappingFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractImageStreamMapping(imageStreamMapping *imagev1.ImageStreamMapping, fieldManager string) (*ImageStreamMappingApplyConfiguration, error) {
-	return extractImageStreamMapping(imageStreamMapping, fieldManager, "")
-}
-
-// ExtractImageStreamMappingStatus is the same as ExtractImageStreamMapping except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractImageStreamMappingStatus(imageStreamMapping *imagev1.ImageStreamMapping, fieldManager string) (*ImageStreamMappingApplyConfiguration, error) {
-	return extractImageStreamMapping(imageStreamMapping, fieldManager, "status")
-}
-
-func extractImageStreamMapping(imageStreamMapping *imagev1.ImageStreamMapping, fieldManager string, subresource string) (*ImageStreamMappingApplyConfiguration, error) {
+func ExtractImageStreamMappingFrom(imageStreamMapping *imagev1.ImageStreamMapping, fieldManager string, subresource string) (*ImageStreamMappingApplyConfiguration, error) {
 	b := &ImageStreamMappingApplyConfiguration{}
 	err := managedfields.ExtractInto(imageStreamMapping, internal.Parser().Type("com.github.openshift.api.image.v1.ImageStreamMapping"), fieldManager, b, subresource)
 	if err != nil {
@@ -66,6 +66,21 @@ func extractImageStreamMapping(imageStreamMapping *imagev1.ImageStreamMapping, f
 	b.WithAPIVersion("image.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractImageStreamMapping extracts the applied configuration owned by fieldManager from
+// imageStreamMapping. If no managedFields are found in imageStreamMapping for fieldManager, a
+// ImageStreamMappingApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// imageStreamMapping must be a unmodified ImageStreamMapping API object that was retrieved from the Kubernetes API.
+// ExtractImageStreamMapping provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractImageStreamMapping(imageStreamMapping *imagev1.ImageStreamMapping, fieldManager string) (*ImageStreamMappingApplyConfiguration, error) {
+	return ExtractImageStreamMappingFrom(imageStreamMapping, fieldManager, "")
+}
+
 func (b ImageStreamMappingApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamspec.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamspec.go
index 09d777f17340e..15b58c823702b 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamspec.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamspec.go
@@ -4,10 +4,17 @@ package v1
 
 // ImageStreamSpecApplyConfiguration represents a declarative configuration of the ImageStreamSpec type for use
 // with apply.
+//
+// ImageStreamSpec represents options for ImageStreams.
 type ImageStreamSpecApplyConfiguration struct {
-	LookupPolicy          *ImageLookupPolicyApplyConfiguration `json:"lookupPolicy,omitempty"`
-	DockerImageRepository *string                              `json:"dockerImageRepository,omitempty"`
-	Tags                  []TagReferenceApplyConfiguration     `json:"tags,omitempty"`
+	// lookupPolicy controls how other resources reference images within this namespace.
+	LookupPolicy *ImageLookupPolicyApplyConfiguration `json:"lookupPolicy,omitempty"`
+	// dockerImageRepository is optional, if specified this stream is backed by a container repository on this server
+	// Deprecated: This field is deprecated as of v3.7 and will be removed in a future release.
+	// Specify the source for the tags to be imported in each tag via the spec.tags.from reference instead.
+	DockerImageRepository *string `json:"dockerImageRepository,omitempty"`
+	// tags map arbitrary string values to specific image locators
+	Tags []TagReferenceApplyConfiguration `json:"tags,omitempty"`
 }
 
 // ImageStreamSpecApplyConfiguration constructs a declarative configuration of the ImageStreamSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamstatus.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamstatus.go
index e2ab24aa8c635..2e372b095b0ae 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamstatus.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/imagestreamstatus.go
@@ -4,10 +4,19 @@ package v1
 
 // ImageStreamStatusApplyConfiguration represents a declarative configuration of the ImageStreamStatus type for use
 // with apply.
+//
+// ImageStreamStatus contains information about the state of this image stream.
 type ImageStreamStatusApplyConfiguration struct {
-	DockerImageRepository       *string                               `json:"dockerImageRepository,omitempty"`
-	PublicDockerImageRepository *string                               `json:"publicDockerImageRepository,omitempty"`
-	Tags                        []NamedTagEventListApplyConfiguration `json:"tags,omitempty"`
+	// dockerImageRepository represents the effective location this stream may be accessed at.
+	// May be empty until the server determines where the repository is located
+	DockerImageRepository *string `json:"dockerImageRepository,omitempty"`
+	// publicDockerImageRepository represents the public location from where the image can
+	// be pulled outside the cluster. This field may be empty if the administrator
+	// has not exposed the integrated registry externally.
+	PublicDockerImageRepository *string `json:"publicDockerImageRepository,omitempty"`
+	// tags are a historical record of images associated with each tag. The first entry in the
+	// TagEvent array is the currently tagged image.
+	Tags []NamedTagEventListApplyConfiguration `json:"tags,omitempty"`
 }
 
 // ImageStreamStatusApplyConfiguration constructs a declarative configuration of the ImageStreamStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/namedtageventlist.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/namedtageventlist.go
index 92b096aad0182..85e641850e437 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/namedtageventlist.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/namedtageventlist.go
@@ -4,9 +4,14 @@ package v1
 
 // NamedTagEventListApplyConfiguration represents a declarative configuration of the NamedTagEventList type for use
 // with apply.
+//
+// NamedTagEventList relates a tag to its image history.
 type NamedTagEventListApplyConfiguration struct {
-	Tag        *string                               `json:"tag,omitempty"`
-	Items      []TagEventApplyConfiguration          `json:"items,omitempty"`
+	// tag is the tag for which the history is recorded
+	Tag *string `json:"tag,omitempty"`
+	// Standard object's metadata.
+	Items []TagEventApplyConfiguration `json:"items,omitempty"`
+	// conditions is an array of conditions that apply to the tag event list.
 	Conditions []TagEventConditionApplyConfiguration `json:"conditions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturecondition.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturecondition.go
index 232bf7bf96598..f7caa9b625d51 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturecondition.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturecondition.go
@@ -10,13 +10,21 @@ import (
 
 // SignatureConditionApplyConfiguration represents a declarative configuration of the SignatureCondition type for use
 // with apply.
+//
+// SignatureCondition describes an image signature condition of particular kind at particular probe time.
 type SignatureConditionApplyConfiguration struct {
-	Type               *imagev1.SignatureConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus         `json:"status,omitempty"`
-	LastProbeTime      *metav1.Time                    `json:"lastProbeTime,omitempty"`
-	LastTransitionTime *metav1.Time                    `json:"lastTransitionTime,omitempty"`
-	Reason             *string                         `json:"reason,omitempty"`
-	Message            *string                         `json:"message,omitempty"`
+	// type of signature condition, Complete or Failed.
+	Type *imagev1.SignatureConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// Last time the condition was checked.
+	LastProbeTime *metav1.Time `json:"lastProbeTime,omitempty"`
+	// Last time the condition transit from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// (brief) reason for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
 }
 
 // SignatureConditionApplyConfiguration constructs a declarative configuration of the SignatureCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturegenericentity.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturegenericentity.go
index 1e40e2ab190c7..45a5c383ea7f6 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturegenericentity.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturegenericentity.go
@@ -4,9 +4,14 @@ package v1
 
 // SignatureGenericEntityApplyConfiguration represents a declarative configuration of the SignatureGenericEntity type for use
 // with apply.
+//
+// SignatureGenericEntity holds a generic information about a person or entity who is an issuer or a subject
+// of signing certificate or key.
 type SignatureGenericEntityApplyConfiguration struct {
+	// organization name.
 	Organization *string `json:"organization,omitempty"`
-	CommonName   *string `json:"commonName,omitempty"`
+	// Common name (e.g. openshift-signing-service).
+	CommonName *string `json:"commonName,omitempty"`
 }
 
 // SignatureGenericEntityApplyConfiguration constructs a declarative configuration of the SignatureGenericEntity type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signatureissuer.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signatureissuer.go
index 68564dd5f01d1..45d9e3c47a674 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signatureissuer.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signatureissuer.go
@@ -4,6 +4,8 @@ package v1
 
 // SignatureIssuerApplyConfiguration represents a declarative configuration of the SignatureIssuer type for use
 // with apply.
+//
+// SignatureIssuer holds information about an issuer of signing certificate or key.
 type SignatureIssuerApplyConfiguration struct {
 	SignatureGenericEntityApplyConfiguration `json:",inline"`
 }
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturesubject.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturesubject.go
index bc15e4f373056..055786d7ad34a 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturesubject.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/signaturesubject.go
@@ -4,9 +4,14 @@ package v1
 
 // SignatureSubjectApplyConfiguration represents a declarative configuration of the SignatureSubject type for use
 // with apply.
+//
+// SignatureSubject holds information about a person or entity who created the signature.
 type SignatureSubjectApplyConfiguration struct {
 	SignatureGenericEntityApplyConfiguration `json:",inline"`
-	PublicKeyID                              *string `json:"publicKeyID,omitempty"`
+	// If present, it is a human readable key id of public key belonging to the subject used to verify image
+	// signature. It should contain at least 64 lowest bits of public key's fingerprint (e.g.
+	// 0x685ebe62bf278440).
+	PublicKeyID *string `json:"publicKeyID,omitempty"`
 }
 
 // SignatureSubjectApplyConfiguration constructs a declarative configuration of the SignatureSubject type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagevent.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagevent.go
index d123e74cba855..695756e596060 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagevent.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagevent.go
@@ -8,11 +8,17 @@ import (
 
 // TagEventApplyConfiguration represents a declarative configuration of the TagEvent type for use
 // with apply.
+//
+// TagEvent is used by ImageStreamStatus to keep a historical record of images associated with a tag.
 type TagEventApplyConfiguration struct {
-	Created              *metav1.Time `json:"created,omitempty"`
-	DockerImageReference *string      `json:"dockerImageReference,omitempty"`
-	Image                *string      `json:"image,omitempty"`
-	Generation           *int64       `json:"generation,omitempty"`
+	// created holds the time the TagEvent was created
+	Created *metav1.Time `json:"created,omitempty"`
+	// dockerImageReference is the string that can be used to pull this image
+	DockerImageReference *string `json:"dockerImageReference,omitempty"`
+	// image is the image
+	Image *string `json:"image,omitempty"`
+	// generation is the spec tag generation that resulted in this tag being updated
+	Generation *int64 `json:"generation,omitempty"`
 }
 
 // TagEventApplyConfiguration constructs a declarative configuration of the TagEvent type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tageventcondition.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tageventcondition.go
index ba6193fc3e672..e77f02ea23d31 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tageventcondition.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tageventcondition.go
@@ -10,13 +10,21 @@ import (
 
 // TagEventConditionApplyConfiguration represents a declarative configuration of the TagEventCondition type for use
 // with apply.
+//
+// TagEventCondition contains condition information for a tag event.
 type TagEventConditionApplyConfiguration struct {
-	Type               *imagev1.TagEventConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus        `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                   `json:"lastTransitionTime,omitempty"`
-	Reason             *string                        `json:"reason,omitempty"`
-	Message            *string                        `json:"message,omitempty"`
-	Generation         *int64                         `json:"generation,omitempty"`
+	// type of tag event condition, currently only ImportSuccess
+	Type *imagev1.TagEventConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the time the condition transitioned from one status to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is a brief machine readable explanation for the condition's last transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human readable description of the details about last transition, complementing reason.
+	Message *string `json:"message,omitempty"`
+	// generation is the spec tag generation that this status corresponds to
+	Generation *int64 `json:"generation,omitempty"`
 }
 
 // TagEventConditionApplyConfiguration constructs a declarative configuration of the TagEventCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagimportpolicy.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagimportpolicy.go
index 996690343c72f..1a38b33abbdc7 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagimportpolicy.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagimportpolicy.go
@@ -8,9 +8,14 @@ import (
 
 // TagImportPolicyApplyConfiguration represents a declarative configuration of the TagImportPolicy type for use
 // with apply.
+//
+// TagImportPolicy controls how images related to this tag will be imported.
 type TagImportPolicyApplyConfiguration struct {
-	Insecure   *bool                   `json:"insecure,omitempty"`
-	Scheduled  *bool                   `json:"scheduled,omitempty"`
+	// insecure is true if the server may bypass certificate verification or connect directly over HTTP during image import.
+	Insecure *bool `json:"insecure,omitempty"`
+	// scheduled indicates to the server that this tag should be periodically checked to ensure it is up to date, and imported
+	Scheduled *bool `json:"scheduled,omitempty"`
+	// importMode describes how to import an image manifest.
 	ImportMode *imagev1.ImportModeType `json:"importMode,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreference.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreference.go
index 648f30e31af44..c6710e6d96719 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreference.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreference.go
@@ -8,13 +8,31 @@ import (
 
 // TagReferenceApplyConfiguration represents a declarative configuration of the TagReference type for use
 // with apply.
+//
+// TagReference specifies optional annotations for images using this tag and an optional reference to an ImageStreamTag, ImageStreamImage, or DockerImage this tag should track.
 type TagReferenceApplyConfiguration struct {
-	Name            *string                               `json:"name,omitempty"`
-	Annotations     map[string]string                     `json:"annotations,omitempty"`
-	From            *corev1.ObjectReference               `json:"from,omitempty"`
-	Reference       *bool                                 `json:"reference,omitempty"`
-	Generation      *int64                                `json:"generation,omitempty"`
-	ImportPolicy    *TagImportPolicyApplyConfiguration    `json:"importPolicy,omitempty"`
+	// name of the tag
+	Name *string `json:"name,omitempty"`
+	// Optional; if specified, annotations that are applied to images retrieved via ImageStreamTags.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// Optional; if specified, a reference to another image that this tag should point to. Valid values
+	// are ImageStreamTag, ImageStreamImage, and DockerImage.  ImageStreamTag references
+	// can only reference a tag within this same ImageStream.
+	From *corev1.ObjectReference `json:"from,omitempty"`
+	// reference states if the tag will be imported. Default value is false, which means the tag will
+	// be imported.
+	Reference *bool `json:"reference,omitempty"`
+	// generation is a counter that tracks mutations to the spec tag (user intent). When a tag reference
+	// is changed the generation is set to match the current stream generation (which is incremented every
+	// time spec is changed). Other processes in the system like the image importer observe that the
+	// generation of spec tag is newer than the generation recorded in the status and use that as a trigger
+	// to import the newest remote tag. To trigger a new import, clients may set this value to zero which
+	// will reset the generation to the latest stream generation. Legacy clients will send this value as
+	// nil which will be merged with the current tag generation.
+	Generation *int64 `json:"generation,omitempty"`
+	// importPolicy is information that controls how images may be imported by the server.
+	ImportPolicy *TagImportPolicyApplyConfiguration `json:"importPolicy,omitempty"`
+	// referencePolicy defines how other components should consume the image.
 	ReferencePolicy *TagReferencePolicyApplyConfiguration `json:"referencePolicy,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreferencepolicy.go b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreferencepolicy.go
index d010d3ac0e8e0..c27def9068101 100644
--- a/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreferencepolicy.go
+++ b/vendor/github.com/openshift/client-go/image/applyconfigurations/image/v1/tagreferencepolicy.go
@@ -8,7 +8,19 @@ import (
 
 // TagReferencePolicyApplyConfiguration represents a declarative configuration of the TagReferencePolicy type for use
 // with apply.
+//
+// TagReferencePolicy describes how pull-specs for images in this image stream tag are generated when
+// image change triggers in deployment configs or builds are resolved. This allows the image stream
+// author to control how images are accessed.
 type TagReferencePolicyApplyConfiguration struct {
+	// type determines how the image pull spec should be transformed when the image stream tag is used in
+	// deployment config triggers or new builds. The default value is `Source`, indicating the original
+	// location of the image should be used (if imported). The user may also specify `Local`, indicating
+	// that the pull spec should point to the integrated container image registry and leverage the registry's
+	// ability to proxy the pull to an upstream registry. `Local` allows the credentials used to pull this
+	// image to be managed from the image stream's namespace, so others on the platform can access a remote
+	// image but have no access to the remote secret. It also allows the image layers to be mirrored into
+	// the local registry which the images can still be pulled even if the upstream registry is unavailable.
 	Type *imagev1.TagReferencePolicyType `json:"type,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/image/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/image/informers/externalversions/factory.go
index ecb2d2f95814e..74bef556aeb74 100644
--- a/vendor/github.com/openshift/client-go/image/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/image/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/image.go b/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/image.go
index 9f5f52a4673c6..e6eaccb365e8a 100644
--- a/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/image.go
+++ b/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/image.go
@@ -40,7 +40,7 @@ func NewImageInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredImageInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.ImageV1().Images().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiimagev1.Image{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/imagestream.go b/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/imagestream.go
index 18b35e2457a12..fab01df76e1b0 100644
--- a/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/imagestream.go
+++ b/vendor/github.com/openshift/client-go/image/informers/externalversions/image/v1/imagestream.go
@@ -41,7 +41,7 @@ func NewImageStreamInformer(client versioned.Interface, namespace string, resync
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredImageStreamInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredImageStreamInformer(client versioned.Interface, namespace string
 				}
 				return client.ImageV1().ImageStreams(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiimagev1.ImageStream{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetwork.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetwork.go
index b37ef47a84fef..b5c1152462758 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetwork.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetwork.go
@@ -13,16 +13,34 @@ import (
 
 // ClusterNetworkApplyConfiguration represents a declarative configuration of the ClusterNetwork type for use
 // with apply.
+//
+// ClusterNetwork was used by OpenShift SDN.
+// DEPRECATED: OpenShift SDN is no longer supported and this object is no longer used in
+// any way by OpenShift.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterNetworkApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Network                              *string                                 `json:"network,omitempty"`
-	HostSubnetLength                     *uint32                                 `json:"hostsubnetlength,omitempty"`
-	ServiceNetwork                       *string                                 `json:"serviceNetwork,omitempty"`
-	PluginName                           *string                                 `json:"pluginName,omitempty"`
-	ClusterNetworks                      []ClusterNetworkEntryApplyConfiguration `json:"clusterNetworks,omitempty"`
-	VXLANPort                            *uint32                                 `json:"vxlanPort,omitempty"`
-	MTU                                  *uint32                                 `json:"mtu,omitempty"`
+	// network is a CIDR string specifying the global overlay network's L3 space
+	Network *string `json:"network,omitempty"`
+	// hostsubnetlength is the number of bits of network to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pods
+	HostSubnetLength *uint32 `json:"hostsubnetlength,omitempty"`
+	// serviceNetwork is the CIDR range that Service IP addresses are allocated from
+	ServiceNetwork *string `json:"serviceNetwork,omitempty"`
+	// pluginName is the name of the network plugin being used
+	PluginName *string `json:"pluginName,omitempty"`
+	// clusterNetworks is a list of ClusterNetwork objects that defines the global overlay network's L3 space by specifying a set of CIDR and netmasks that the SDN can allocate addresses from.
+	ClusterNetworks []ClusterNetworkEntryApplyConfiguration `json:"clusterNetworks,omitempty"`
+	// vxlanPort sets the VXLAN destination port used by the cluster.
+	// It is set by the master configuration file on startup and cannot be edited manually.
+	// Valid values for VXLANPort are integers 1-65535 inclusive and if unset defaults to 4789.
+	// Changing VXLANPort allows users to resolve issues between openshift SDN and other software trying to use the same VXLAN destination port.
+	VXLANPort *uint32 `json:"vxlanPort,omitempty"`
+	// mtu is the MTU for the overlay network. This should be 50 less than the MTU of the network connecting the nodes. It is normally autodetected by the cluster network operator.
+	MTU *uint32 `json:"mtu,omitempty"`
 }
 
 // ClusterNetwork constructs a declarative configuration of the ClusterNetwork type for use with
@@ -35,29 +53,14 @@ func ClusterNetwork(name string) *ClusterNetworkApplyConfiguration {
 	return b
 }
 
-// ExtractClusterNetwork extracts the applied configuration owned by fieldManager from
-// clusterNetwork. If no managedFields are found in clusterNetwork for fieldManager, a
-// ClusterNetworkApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractClusterNetworkFrom extracts the applied configuration owned by fieldManager from
+// clusterNetwork for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // clusterNetwork must be a unmodified ClusterNetwork API object that was retrieved from the Kubernetes API.
-// ExtractClusterNetwork provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractClusterNetworkFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractClusterNetwork(clusterNetwork *networkv1.ClusterNetwork, fieldManager string) (*ClusterNetworkApplyConfiguration, error) {
-	return extractClusterNetwork(clusterNetwork, fieldManager, "")
-}
-
-// ExtractClusterNetworkStatus is the same as ExtractClusterNetwork except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractClusterNetworkStatus(clusterNetwork *networkv1.ClusterNetwork, fieldManager string) (*ClusterNetworkApplyConfiguration, error) {
-	return extractClusterNetwork(clusterNetwork, fieldManager, "status")
-}
-
-func extractClusterNetwork(clusterNetwork *networkv1.ClusterNetwork, fieldManager string, subresource string) (*ClusterNetworkApplyConfiguration, error) {
+func ExtractClusterNetworkFrom(clusterNetwork *networkv1.ClusterNetwork, fieldManager string, subresource string) (*ClusterNetworkApplyConfiguration, error) {
 	b := &ClusterNetworkApplyConfiguration{}
 	err := managedfields.ExtractInto(clusterNetwork, internal.Parser().Type("com.github.openshift.api.network.v1.ClusterNetwork"), fieldManager, b, subresource)
 	if err != nil {
@@ -69,6 +72,21 @@ func extractClusterNetwork(clusterNetwork *networkv1.ClusterNetwork, fieldManage
 	b.WithAPIVersion("network.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractClusterNetwork extracts the applied configuration owned by fieldManager from
+// clusterNetwork. If no managedFields are found in clusterNetwork for fieldManager, a
+// ClusterNetworkApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterNetwork must be a unmodified ClusterNetwork API object that was retrieved from the Kubernetes API.
+// ExtractClusterNetwork provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterNetwork(clusterNetwork *networkv1.ClusterNetwork, fieldManager string) (*ClusterNetworkApplyConfiguration, error) {
+	return ExtractClusterNetworkFrom(clusterNetwork, fieldManager, "")
+}
+
 func (b ClusterNetworkApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetworkentry.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetworkentry.go
index 066edaaf2e695..276f48a26f1b6 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetworkentry.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/clusternetworkentry.go
@@ -4,8 +4,12 @@ package v1
 
 // ClusterNetworkEntryApplyConfiguration represents a declarative configuration of the ClusterNetworkEntry type for use
 // with apply.
+//
+// ClusterNetworkEntry defines an individual cluster network. The CIDRs cannot overlap with other cluster network CIDRs, CIDRs reserved for external ips, CIDRs reserved for service networks, and CIDRs reserved for ingress ips.
 type ClusterNetworkEntryApplyConfiguration struct {
-	CIDR             *string `json:"CIDR,omitempty"`
+	// CIDR defines the total range of a cluster networks address space.
+	CIDR *string `json:"CIDR,omitempty"`
+	// hostSubnetLength is the number of bits of the accompanying CIDR address to allocate to each node. eg, 8 would mean that each node would have a /24 slice of the overlay network for its pods.
 	HostSubnetLength *uint32 `json:"hostSubnetLength,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicy.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicy.go
index 0f4fdddc53952..2bf1a55166d63 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicy.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicy.go
@@ -13,10 +13,19 @@ import (
 
 // EgressNetworkPolicyApplyConfiguration represents a declarative configuration of the EgressNetworkPolicy type for use
 // with apply.
+//
+// EgressNetworkPolicy was used by OpenShift SDN.
+// DEPRECATED: OpenShift SDN is no longer supported and this object is no longer used in
+// any way by OpenShift.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type EgressNetworkPolicyApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *EgressNetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
+	// spec is the specification of the current egress network policy
+	Spec *EgressNetworkPolicySpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // EgressNetworkPolicy constructs a declarative configuration of the EgressNetworkPolicy type for use with
@@ -30,29 +39,14 @@ func EgressNetworkPolicy(name, namespace string) *EgressNetworkPolicyApplyConfig
 	return b
 }
 
-// ExtractEgressNetworkPolicy extracts the applied configuration owned by fieldManager from
-// egressNetworkPolicy. If no managedFields are found in egressNetworkPolicy for fieldManager, a
-// EgressNetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractEgressNetworkPolicyFrom extracts the applied configuration owned by fieldManager from
+// egressNetworkPolicy for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // egressNetworkPolicy must be a unmodified EgressNetworkPolicy API object that was retrieved from the Kubernetes API.
-// ExtractEgressNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractEgressNetworkPolicyFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractEgressNetworkPolicy(egressNetworkPolicy *networkv1.EgressNetworkPolicy, fieldManager string) (*EgressNetworkPolicyApplyConfiguration, error) {
-	return extractEgressNetworkPolicy(egressNetworkPolicy, fieldManager, "")
-}
-
-// ExtractEgressNetworkPolicyStatus is the same as ExtractEgressNetworkPolicy except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractEgressNetworkPolicyStatus(egressNetworkPolicy *networkv1.EgressNetworkPolicy, fieldManager string) (*EgressNetworkPolicyApplyConfiguration, error) {
-	return extractEgressNetworkPolicy(egressNetworkPolicy, fieldManager, "status")
-}
-
-func extractEgressNetworkPolicy(egressNetworkPolicy *networkv1.EgressNetworkPolicy, fieldManager string, subresource string) (*EgressNetworkPolicyApplyConfiguration, error) {
+func ExtractEgressNetworkPolicyFrom(egressNetworkPolicy *networkv1.EgressNetworkPolicy, fieldManager string, subresource string) (*EgressNetworkPolicyApplyConfiguration, error) {
 	b := &EgressNetworkPolicyApplyConfiguration{}
 	err := managedfields.ExtractInto(egressNetworkPolicy, internal.Parser().Type("com.github.openshift.api.network.v1.EgressNetworkPolicy"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +59,21 @@ func extractEgressNetworkPolicy(egressNetworkPolicy *networkv1.EgressNetworkPoli
 	b.WithAPIVersion("network.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractEgressNetworkPolicy extracts the applied configuration owned by fieldManager from
+// egressNetworkPolicy. If no managedFields are found in egressNetworkPolicy for fieldManager, a
+// EgressNetworkPolicyApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// egressNetworkPolicy must be a unmodified EgressNetworkPolicy API object that was retrieved from the Kubernetes API.
+// ExtractEgressNetworkPolicy provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractEgressNetworkPolicy(egressNetworkPolicy *networkv1.EgressNetworkPolicy, fieldManager string) (*EgressNetworkPolicyApplyConfiguration, error) {
+	return ExtractEgressNetworkPolicyFrom(egressNetworkPolicy, fieldManager, "")
+}
+
 func (b EgressNetworkPolicyApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicypeer.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicypeer.go
index e7b0e4640cb9b..6c897e5507663 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicypeer.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicypeer.go
@@ -4,9 +4,16 @@ package v1
 
 // EgressNetworkPolicyPeerApplyConfiguration represents a declarative configuration of the EgressNetworkPolicyPeer type for use
 // with apply.
+//
+// EgressNetworkPolicyPeer specifies a target to apply egress network policy to
 type EgressNetworkPolicyPeerApplyConfiguration struct {
+	// cidrSelector is the CIDR range to allow/deny traffic to. If this is set, dnsName must be unset
+	// Ideally we would have liked to use the cidr openapi format for this property.
+	// But openshift-sdn only supports v4 while specifying the cidr format allows both v4 and v6 cidrs
+	// We are therefore using a regex pattern to validate instead.
 	CIDRSelector *string `json:"cidrSelector,omitempty"`
-	DNSName      *string `json:"dnsName,omitempty"`
+	// dnsName is the domain name to allow/deny traffic to. If this is set, cidrSelector must be unset
+	DNSName *string `json:"dnsName,omitempty"`
 }
 
 // EgressNetworkPolicyPeerApplyConfiguration constructs a declarative configuration of the EgressNetworkPolicyPeer type for use with
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyrule.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyrule.go
index 1806975842342..fc1da8067b884 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyrule.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyrule.go
@@ -8,9 +8,13 @@ import (
 
 // EgressNetworkPolicyRuleApplyConfiguration represents a declarative configuration of the EgressNetworkPolicyRule type for use
 // with apply.
+//
+// EgressNetworkPolicyRule contains a single egress network policy rule
 type EgressNetworkPolicyRuleApplyConfiguration struct {
-	Type *networkv1.EgressNetworkPolicyRuleType     `json:"type,omitempty"`
-	To   *EgressNetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
+	// type marks this as an "Allow" or "Deny" rule
+	Type *networkv1.EgressNetworkPolicyRuleType `json:"type,omitempty"`
+	// to is the target that traffic is allowed/denied to
+	To *EgressNetworkPolicyPeerApplyConfiguration `json:"to,omitempty"`
 }
 
 // EgressNetworkPolicyRuleApplyConfiguration constructs a declarative configuration of the EgressNetworkPolicyRule type for use with
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyspec.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyspec.go
index 09c685d2c9fc1..8bc6aaa439280 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyspec.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/egressnetworkpolicyspec.go
@@ -4,7 +4,10 @@ package v1
 
 // EgressNetworkPolicySpecApplyConfiguration represents a declarative configuration of the EgressNetworkPolicySpec type for use
 // with apply.
+//
+// EgressNetworkPolicySpec provides a list of policies on outgoing network traffic
 type EgressNetworkPolicySpecApplyConfiguration struct {
+	// egress contains the list of egress policy rules
 	Egress []EgressNetworkPolicyRuleApplyConfiguration `json:"egress,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/hostsubnet.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/hostsubnet.go
index 18da8f66fc248..857dc6a7b8502 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/hostsubnet.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/hostsubnet.go
@@ -13,14 +13,31 @@ import (
 
 // HostSubnetApplyConfiguration represents a declarative configuration of the HostSubnet type for use
 // with apply.
+//
+// HostSubnet was used by OpenShift SDN.
+// DEPRECATED: OpenShift SDN is no longer supported and this object is no longer used in
+// any way by OpenShift.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type HostSubnetApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Host                                 *string                          `json:"host,omitempty"`
-	HostIP                               *string                          `json:"hostIP,omitempty"`
-	Subnet                               *string                          `json:"subnet,omitempty"`
-	EgressIPs                            []networkv1.HostSubnetEgressIP   `json:"egressIPs,omitempty"`
-	EgressCIDRs                          []networkv1.HostSubnetEgressCIDR `json:"egressCIDRs,omitempty"`
+	// host is the name of the node. (This is the same as the object's name, but both fields must be set.)
+	Host *string `json:"host,omitempty"`
+	// hostIP is the IP address to be used as a VTEP by other nodes in the overlay network
+	HostIP *string `json:"hostIP,omitempty"`
+	// subnet is the CIDR range of the overlay network assigned to the node for its pods
+	Subnet *string `json:"subnet,omitempty"`
+	// egressIPs is the list of automatic egress IP addresses currently hosted by this node.
+	// If EgressCIDRs is empty, this can be set by hand; if EgressCIDRs is set then the
+	// master will overwrite the value here with its own allocation of egress IPs.
+	EgressIPs []networkv1.HostSubnetEgressIP `json:"egressIPs,omitempty"`
+	// egressCIDRs is the list of CIDR ranges available for automatically assigning
+	// egress IPs to this node from. If this field is set then EgressIPs should be
+	// treated as read-only.
+	EgressCIDRs []networkv1.HostSubnetEgressCIDR `json:"egressCIDRs,omitempty"`
 }
 
 // HostSubnet constructs a declarative configuration of the HostSubnet type for use with
@@ -33,29 +50,14 @@ func HostSubnet(name string) *HostSubnetApplyConfiguration {
 	return b
 }
 
-// ExtractHostSubnet extracts the applied configuration owned by fieldManager from
-// hostSubnet. If no managedFields are found in hostSubnet for fieldManager, a
-// HostSubnetApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractHostSubnetFrom extracts the applied configuration owned by fieldManager from
+// hostSubnet for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // hostSubnet must be a unmodified HostSubnet API object that was retrieved from the Kubernetes API.
-// ExtractHostSubnet provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractHostSubnetFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractHostSubnet(hostSubnet *networkv1.HostSubnet, fieldManager string) (*HostSubnetApplyConfiguration, error) {
-	return extractHostSubnet(hostSubnet, fieldManager, "")
-}
-
-// ExtractHostSubnetStatus is the same as ExtractHostSubnet except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractHostSubnetStatus(hostSubnet *networkv1.HostSubnet, fieldManager string) (*HostSubnetApplyConfiguration, error) {
-	return extractHostSubnet(hostSubnet, fieldManager, "status")
-}
-
-func extractHostSubnet(hostSubnet *networkv1.HostSubnet, fieldManager string, subresource string) (*HostSubnetApplyConfiguration, error) {
+func ExtractHostSubnetFrom(hostSubnet *networkv1.HostSubnet, fieldManager string, subresource string) (*HostSubnetApplyConfiguration, error) {
 	b := &HostSubnetApplyConfiguration{}
 	err := managedfields.ExtractInto(hostSubnet, internal.Parser().Type("com.github.openshift.api.network.v1.HostSubnet"), fieldManager, b, subresource)
 	if err != nil {
@@ -67,6 +69,21 @@ func extractHostSubnet(hostSubnet *networkv1.HostSubnet, fieldManager string, su
 	b.WithAPIVersion("network.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractHostSubnet extracts the applied configuration owned by fieldManager from
+// hostSubnet. If no managedFields are found in hostSubnet for fieldManager, a
+// HostSubnetApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// hostSubnet must be a unmodified HostSubnet API object that was retrieved from the Kubernetes API.
+// ExtractHostSubnet provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractHostSubnet(hostSubnet *networkv1.HostSubnet, fieldManager string) (*HostSubnetApplyConfiguration, error) {
+	return ExtractHostSubnetFrom(hostSubnet, fieldManager, "")
+}
+
 func (b HostSubnetApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/netnamespace.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/netnamespace.go
index d1df95920df4f..0170229a51d39 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/netnamespace.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1/netnamespace.go
@@ -13,12 +13,24 @@ import (
 
 // NetNamespaceApplyConfiguration represents a declarative configuration of the NetNamespace type for use
 // with apply.
+//
+// NetNamespace was used by OpenShift SDN.
+// DEPRECATED: OpenShift SDN is no longer supported and this object is no longer used in
+// any way by OpenShift.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type NetNamespaceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	NetName                              *string                          `json:"netname,omitempty"`
-	NetID                                *uint32                          `json:"netid,omitempty"`
-	EgressIPs                            []networkv1.NetNamespaceEgressIP `json:"egressIPs,omitempty"`
+	// netname is the name of the network namespace. (This is the same as the object's name, but both fields must be set.)
+	NetName *string `json:"netname,omitempty"`
+	// netid is the network identifier of the network namespace assigned to each overlay network packet. This can be manipulated with the "oc adm pod-network" commands.
+	NetID *uint32 `json:"netid,omitempty"`
+	// egressIPs is a list of reserved IPs that will be used as the source for external traffic coming from pods in this namespace.
+	// (If empty, external traffic will be masqueraded to Node IPs.)
+	EgressIPs []networkv1.NetNamespaceEgressIP `json:"egressIPs,omitempty"`
 }
 
 // NetNamespace constructs a declarative configuration of the NetNamespace type for use with
@@ -31,29 +43,14 @@ func NetNamespace(name string) *NetNamespaceApplyConfiguration {
 	return b
 }
 
-// ExtractNetNamespace extracts the applied configuration owned by fieldManager from
-// netNamespace. If no managedFields are found in netNamespace for fieldManager, a
-// NetNamespaceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractNetNamespaceFrom extracts the applied configuration owned by fieldManager from
+// netNamespace for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // netNamespace must be a unmodified NetNamespace API object that was retrieved from the Kubernetes API.
-// ExtractNetNamespace provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractNetNamespaceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractNetNamespace(netNamespace *networkv1.NetNamespace, fieldManager string) (*NetNamespaceApplyConfiguration, error) {
-	return extractNetNamespace(netNamespace, fieldManager, "")
-}
-
-// ExtractNetNamespaceStatus is the same as ExtractNetNamespace except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractNetNamespaceStatus(netNamespace *networkv1.NetNamespace, fieldManager string) (*NetNamespaceApplyConfiguration, error) {
-	return extractNetNamespace(netNamespace, fieldManager, "status")
-}
-
-func extractNetNamespace(netNamespace *networkv1.NetNamespace, fieldManager string, subresource string) (*NetNamespaceApplyConfiguration, error) {
+func ExtractNetNamespaceFrom(netNamespace *networkv1.NetNamespace, fieldManager string, subresource string) (*NetNamespaceApplyConfiguration, error) {
 	b := &NetNamespaceApplyConfiguration{}
 	err := managedfields.ExtractInto(netNamespace, internal.Parser().Type("com.github.openshift.api.network.v1.NetNamespace"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +62,21 @@ func extractNetNamespace(netNamespace *networkv1.NetNamespace, fieldManager stri
 	b.WithAPIVersion("network.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractNetNamespace extracts the applied configuration owned by fieldManager from
+// netNamespace. If no managedFields are found in netNamespace for fieldManager, a
+// NetNamespaceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// netNamespace must be a unmodified NetNamespace API object that was retrieved from the Kubernetes API.
+// ExtractNetNamespace provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractNetNamespace(netNamespace *networkv1.NetNamespace, fieldManager string) (*NetNamespaceApplyConfiguration, error) {
+	return ExtractNetNamespaceFrom(netNamespace, fieldManager, "")
+}
+
 func (b NetNamespaceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolver.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolver.go
index 0a1af08b3bce3..5a71411339fb9 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolver.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolver.go
@@ -13,11 +13,20 @@ import (
 
 // DNSNameResolverApplyConfiguration represents a declarative configuration of the DNSNameResolver type for use
 // with apply.
+//
+// DNSNameResolver stores the DNS name resolution information of a DNS name. It can be enabled by the TechPreviewNoUpgrade feature set.
+// It can also be enabled by the feature gate DNSNameResolver when using CustomNoUpgrade feature set.
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type DNSNameResolverApplyConfiguration struct {
-	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	v1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *DNSNameResolverSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *DNSNameResolverStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the specification of the desired behavior of the DNSNameResolver.
+	Spec *DNSNameResolverSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the most recently observed status of the DNSNameResolver.
+	Status *DNSNameResolverStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // DNSNameResolver constructs a declarative configuration of the DNSNameResolver type for use with
@@ -31,6 +40,27 @@ func DNSNameResolver(name, namespace string) *DNSNameResolverApplyConfiguration
 	return b
 }
 
+// ExtractDNSNameResolverFrom extracts the applied configuration owned by fieldManager from
+// dNSNameResolver for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// dNSNameResolver must be a unmodified DNSNameResolver API object that was retrieved from the Kubernetes API.
+// ExtractDNSNameResolverFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractDNSNameResolverFrom(dNSNameResolver *networkv1alpha1.DNSNameResolver, fieldManager string, subresource string) (*DNSNameResolverApplyConfiguration, error) {
+	b := &DNSNameResolverApplyConfiguration{}
+	err := managedfields.ExtractInto(dNSNameResolver, internal.Parser().Type("com.github.openshift.api.network.v1alpha1.DNSNameResolver"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(dNSNameResolver.Name)
+	b.WithNamespace(dNSNameResolver.Namespace)
+
+	b.WithKind("DNSNameResolver")
+	b.WithAPIVersion("network.openshift.io/v1alpha1")
+	return b, nil
+}
+
 // ExtractDNSNameResolver extracts the applied configuration owned by fieldManager from
 // dNSNameResolver. If no managedFields are found in dNSNameResolver for fieldManager, a
 // DNSNameResolverApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +71,16 @@ func DNSNameResolver(name, namespace string) *DNSNameResolverApplyConfiguration
 // ExtractDNSNameResolver provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractDNSNameResolver(dNSNameResolver *networkv1alpha1.DNSNameResolver, fieldManager string) (*DNSNameResolverApplyConfiguration, error) {
-	return extractDNSNameResolver(dNSNameResolver, fieldManager, "")
+	return ExtractDNSNameResolverFrom(dNSNameResolver, fieldManager, "")
 }
 
-// ExtractDNSNameResolverStatus is the same as ExtractDNSNameResolver except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractDNSNameResolverStatus extracts the applied configuration owned by fieldManager from
+// dNSNameResolver for the status subresource.
 func ExtractDNSNameResolverStatus(dNSNameResolver *networkv1alpha1.DNSNameResolver, fieldManager string) (*DNSNameResolverApplyConfiguration, error) {
-	return extractDNSNameResolver(dNSNameResolver, fieldManager, "status")
+	return ExtractDNSNameResolverFrom(dNSNameResolver, fieldManager, "status")
 }
 
-func extractDNSNameResolver(dNSNameResolver *networkv1alpha1.DNSNameResolver, fieldManager string, subresource string) (*DNSNameResolverApplyConfiguration, error) {
-	b := &DNSNameResolverApplyConfiguration{}
-	err := managedfields.ExtractInto(dNSNameResolver, internal.Parser().Type("com.github.openshift.api.network.v1alpha1.DNSNameResolver"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(dNSNameResolver.Name)
-	b.WithNamespace(dNSNameResolver.Namespace)
-
-	b.WithKind("DNSNameResolver")
-	b.WithAPIVersion("network.openshift.io/v1alpha1")
-	return b, nil
-}
 func (b DNSNameResolverApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedaddress.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedaddress.go
index 66cda97e4f158..9412840c84757 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedaddress.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedaddress.go
@@ -8,9 +8,23 @@ import (
 
 // DNSNameResolverResolvedAddressApplyConfiguration represents a declarative configuration of the DNSNameResolverResolvedAddress type for use
 // with apply.
+//
+// DNSNameResolverResolvedAddress describes the details of an IP address for a resolved DNS name.
 type DNSNameResolverResolvedAddressApplyConfiguration struct {
-	IP             *string  `json:"ip,omitempty"`
-	TTLSeconds     *int32   `json:"ttlSeconds,omitempty"`
+	// ip is an IP address associated with the dnsName. The validity of the IP address expires after
+	// lastLookupTime + ttlSeconds. To refresh the information, a DNS lookup will be performed upon
+	// the expiration of the IP address's validity. If the information is not refreshed then it will
+	// be removed with a grace period after the expiration of the IP address's validity.
+	IP *string `json:"ip,omitempty"`
+	// ttlSeconds is the time-to-live value of the IP address. The validity of the IP address expires after
+	// lastLookupTime + ttlSeconds. On a successful DNS lookup the value of this field will be updated with
+	// the current time-to-live value. If the information is not refreshed then it will be removed with a
+	// grace period after the expiration of the IP address's validity.
+	TTLSeconds *int32 `json:"ttlSeconds,omitempty"`
+	// lastLookupTime is the timestamp when the last DNS lookup was completed successfully. The validity of
+	// the IP address expires after lastLookupTime + ttlSeconds. The value of this field will be updated to
+	// the current time on a successful DNS lookup. If the information is not refreshed then it will be
+	// removed with a grace period after the expiration of the IP address's validity.
 	LastLookupTime *v1.Time `json:"lastLookupTime,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedname.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedname.go
index 15d3e7e20ec1d..b40b5007ad924 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedname.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverresolvedname.go
@@ -9,11 +9,31 @@ import (
 
 // DNSNameResolverResolvedNameApplyConfiguration represents a declarative configuration of the DNSNameResolverResolvedName type for use
 // with apply.
+//
+// DNSNameResolverResolvedName describes the details of a resolved DNS name.
 type DNSNameResolverResolvedNameApplyConfiguration struct {
-	Conditions         []v1.ConditionApplyConfiguration                   `json:"conditions,omitempty"`
-	DNSName            *networkv1alpha1.DNSName                           `json:"dnsName,omitempty"`
-	ResolvedAddresses  []DNSNameResolverResolvedAddressApplyConfiguration `json:"resolvedAddresses,omitempty"`
-	ResolutionFailures *int32                                             `json:"resolutionFailures,omitempty"`
+	// conditions provide information about the state of the DNS name.
+	// Known .status.conditions.type is: "Degraded".
+	// "Degraded" is true when the last resolution failed for the DNS name,
+	// and false otherwise.
+	Conditions []v1.ConditionApplyConfiguration `json:"conditions,omitempty"`
+	// dnsName is the resolved DNS name matching the name field of DNSNameResolverSpec. This field can
+	// store both regular and wildcard DNS names which match the spec.name field. When the spec.name
+	// field contains a regular DNS name, this field will store the same regular DNS name after it is
+	// successfully resolved. When the spec.name field contains a wildcard DNS name, each resolvedName.dnsName
+	// will store the regular DNS names which match the wildcard DNS name and have been successfully resolved.
+	// If the wildcard DNS name can also be successfully resolved, then this field will store the wildcard
+	// DNS name as well.
+	DNSName *networkv1alpha1.DNSName `json:"dnsName,omitempty"`
+	// resolvedAddresses gives the list of associated IP addresses and their corresponding TTLs and last
+	// lookup times for the dnsName.
+	ResolvedAddresses []DNSNameResolverResolvedAddressApplyConfiguration `json:"resolvedAddresses,omitempty"`
+	// resolutionFailures keeps the count of how many consecutive times the DNS resolution failed
+	// for the dnsName. If the DNS resolution succeeds then the field will be set to zero. Upon
+	// every failure, the value of the field will be incremented by one. The details about the DNS
+	// name will be removed, if the value of resolutionFailures reaches 5 and the TTL of all the
+	// associated IP addresses have expired.
+	ResolutionFailures *int32 `json:"resolutionFailures,omitempty"`
 }
 
 // DNSNameResolverResolvedNameApplyConfiguration constructs a declarative configuration of the DNSNameResolverResolvedName type for use with
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverspec.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverspec.go
index 96d13fae199a4..554f4a56a6d99 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverspec.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverspec.go
@@ -8,7 +8,16 @@ import (
 
 // DNSNameResolverSpecApplyConfiguration represents a declarative configuration of the DNSNameResolverSpec type for use
 // with apply.
+//
+// DNSNameResolverSpec is a desired state description of DNSNameResolver.
 type DNSNameResolverSpecApplyConfiguration struct {
+	// name is the DNS name for which the DNS name resolution information will be stored.
+	// For a regular DNS name, only the DNS name resolution information of the regular DNS
+	// name will be stored. For a wildcard DNS name, the DNS name resolution information
+	// of all the DNS names that match the wildcard DNS name will be stored.
+	// For a wildcard DNS name, the '*' will match only one label. Additionally, only a single
+	// '*' can be used at the beginning of the wildcard DNS name. For example, '*.example.com.'
+	// will match 'sub1.example.com.' but won't match 'sub2.sub1.example.com.'
 	Name *networkv1alpha1.DNSName `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverstatus.go b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverstatus.go
index 234b82495b954..36da8a5dcef46 100644
--- a/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverstatus.go
+++ b/vendor/github.com/openshift/client-go/network/applyconfigurations/network/v1alpha1/dnsnameresolverstatus.go
@@ -4,7 +4,11 @@ package v1alpha1
 
 // DNSNameResolverStatusApplyConfiguration represents a declarative configuration of the DNSNameResolverStatus type for use
 // with apply.
+//
+// DNSNameResolverStatus defines the observed status of DNSNameResolver.
 type DNSNameResolverStatusApplyConfiguration struct {
+	// resolvedNames contains a list of matching DNS names and their corresponding IP addresses
+	// along with their TTL and last DNS lookup times.
 	ResolvedNames []DNSNameResolverResolvedNameApplyConfiguration `json:"resolvedNames,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/factory.go
index 88987115f40f7..04935d422bfc3 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/clusternetwork.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/clusternetwork.go
index c11948f4da015..ef0ad927fbcfe 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/clusternetwork.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/clusternetwork.go
@@ -40,7 +40,7 @@ func NewClusterNetworkInformer(client versioned.Interface, resyncPeriod time.Dur
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterNetworkInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterNetworkInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.NetworkV1().ClusterNetworks().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkv1.ClusterNetwork{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/egressnetworkpolicy.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/egressnetworkpolicy.go
index f93ae4cd40100..0f9f3e222a269 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/egressnetworkpolicy.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/egressnetworkpolicy.go
@@ -41,7 +41,7 @@ func NewEgressNetworkPolicyInformer(client versioned.Interface, namespace string
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredEgressNetworkPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredEgressNetworkPolicyInformer(client versioned.Interface, namespac
 				}
 				return client.NetworkV1().EgressNetworkPolicies(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkv1.EgressNetworkPolicy{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/hostsubnet.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/hostsubnet.go
index 43d2690019d48..b657b562171d6 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/hostsubnet.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/hostsubnet.go
@@ -40,7 +40,7 @@ func NewHostSubnetInformer(client versioned.Interface, resyncPeriod time.Duratio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredHostSubnetInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredHostSubnetInformer(client versioned.Interface, resyncPeriod time
 				}
 				return client.NetworkV1().HostSubnets().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkv1.HostSubnet{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/netnamespace.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/netnamespace.go
index 9f01b1c398f4d..40ffd811f69fb 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/netnamespace.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1/netnamespace.go
@@ -40,7 +40,7 @@ func NewNetNamespaceInformer(client versioned.Interface, resyncPeriod time.Durat
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredNetNamespaceInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredNetNamespaceInformer(client versioned.Interface, resyncPeriod ti
 				}
 				return client.NetworkV1().NetNamespaces().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkv1.NetNamespace{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1alpha1/dnsnameresolver.go b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1alpha1/dnsnameresolver.go
index c40b371105665..cc53f3feecbb2 100644
--- a/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1alpha1/dnsnameresolver.go
+++ b/vendor/github.com/openshift/client-go/network/informers/externalversions/network/v1alpha1/dnsnameresolver.go
@@ -41,7 +41,7 @@ func NewDNSNameResolverInformer(client versioned.Interface, namespace string, re
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredDNSNameResolverInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredDNSNameResolverInformer(client versioned.Interface, namespace st
 				}
 				return client.NetworkV1alpha1().DNSNameResolvers(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apinetworkv1alpha1.DNSNameResolver{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/clusterrolescoperestriction.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/clusterrolescoperestriction.go
index 692ef70516f27..87405dda66669 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/clusterrolescoperestriction.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/clusterrolescoperestriction.go
@@ -4,10 +4,15 @@ package v1
 
 // ClusterRoleScopeRestrictionApplyConfiguration represents a declarative configuration of the ClusterRoleScopeRestriction type for use
 // with apply.
+//
+// ClusterRoleScopeRestriction describes restrictions on cluster role scopes
 type ClusterRoleScopeRestrictionApplyConfiguration struct {
-	RoleNames       []string `json:"roleNames,omitempty"`
-	Namespaces      []string `json:"namespaces,omitempty"`
-	AllowEscalation *bool    `json:"allowEscalation,omitempty"`
+	// roleNames is the list of cluster roles that can referenced.  * means anything
+	RoleNames []string `json:"roleNames,omitempty"`
+	// namespaces is the list of namespaces that can be referenced.  * means any of them (including *)
+	Namespaces []string `json:"namespaces,omitempty"`
+	// allowEscalation indicates whether you can request roles and their escalating resources
+	AllowEscalation *bool `json:"allowEscalation,omitempty"`
 }
 
 // ClusterRoleScopeRestrictionApplyConfiguration constructs a declarative configuration of the ClusterRoleScopeRestriction type for use with
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthaccesstoken.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthaccesstoken.go
index faf1a15b635cc..4063a32186685 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthaccesstoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthaccesstoken.go
@@ -13,18 +13,40 @@ import (
 
 // OAuthAccessTokenApplyConfiguration represents a declarative configuration of the OAuthAccessToken type for use
 // with apply.
+//
+// OAuthAccessToken describes an OAuth access token.
+// The name of a token must be prefixed with a `sha256~` string, must not contain "/" or "%" characters and must be at
+// least 32 characters long.
+//
+// The name of the token is constructed from the actual token by sha256-hashing it and using URL-safe unpadded
+// base64-encoding (as described in RFC4648) on the hashed result.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OAuthAccessTokenApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	ClientName                           *string  `json:"clientName,omitempty"`
-	ExpiresIn                            *int64   `json:"expiresIn,omitempty"`
-	Scopes                               []string `json:"scopes,omitempty"`
-	RedirectURI                          *string  `json:"redirectURI,omitempty"`
-	UserName                             *string  `json:"userName,omitempty"`
-	UserUID                              *string  `json:"userUID,omitempty"`
-	AuthorizeToken                       *string  `json:"authorizeToken,omitempty"`
-	RefreshToken                         *string  `json:"refreshToken,omitempty"`
-	InactivityTimeoutSeconds             *int32   `json:"inactivityTimeoutSeconds,omitempty"`
+	// clientName references the client that created this token.
+	ClientName *string `json:"clientName,omitempty"`
+	// expiresIn is the seconds from CreationTime before this token expires.
+	ExpiresIn *int64 `json:"expiresIn,omitempty"`
+	// scopes is an array of the requested scopes.
+	Scopes []string `json:"scopes,omitempty"`
+	// redirectURI is the redirection associated with the token.
+	RedirectURI *string `json:"redirectURI,omitempty"`
+	// userName is the user name associated with this token
+	UserName *string `json:"userName,omitempty"`
+	// userUID is the unique UID associated with this token
+	UserUID *string `json:"userUID,omitempty"`
+	// authorizeToken contains the token that authorized this token
+	AuthorizeToken *string `json:"authorizeToken,omitempty"`
+	// refreshToken is the value by which this token can be renewed. Can be blank.
+	RefreshToken *string `json:"refreshToken,omitempty"`
+	// inactivityTimeoutSeconds is the value in seconds, from the
+	// CreationTimestamp, after which this token can no longer be used.
+	// The value is automatically incremented when the token is used.
+	InactivityTimeoutSeconds *int32 `json:"inactivityTimeoutSeconds,omitempty"`
 }
 
 // OAuthAccessToken constructs a declarative configuration of the OAuthAccessToken type for use with
@@ -37,29 +59,14 @@ func OAuthAccessToken(name string) *OAuthAccessTokenApplyConfiguration {
 	return b
 }
 
-// ExtractOAuthAccessToken extracts the applied configuration owned by fieldManager from
-// oAuthAccessToken. If no managedFields are found in oAuthAccessToken for fieldManager, a
-// OAuthAccessTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractOAuthAccessTokenFrom extracts the applied configuration owned by fieldManager from
+// oAuthAccessToken for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // oAuthAccessToken must be a unmodified OAuthAccessToken API object that was retrieved from the Kubernetes API.
-// ExtractOAuthAccessToken provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractOAuthAccessTokenFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractOAuthAccessToken(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldManager string) (*OAuthAccessTokenApplyConfiguration, error) {
-	return extractOAuthAccessToken(oAuthAccessToken, fieldManager, "")
-}
-
-// ExtractOAuthAccessTokenStatus is the same as ExtractOAuthAccessToken except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractOAuthAccessTokenStatus(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldManager string) (*OAuthAccessTokenApplyConfiguration, error) {
-	return extractOAuthAccessToken(oAuthAccessToken, fieldManager, "status")
-}
-
-func extractOAuthAccessToken(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldManager string, subresource string) (*OAuthAccessTokenApplyConfiguration, error) {
+func ExtractOAuthAccessTokenFrom(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldManager string, subresource string) (*OAuthAccessTokenApplyConfiguration, error) {
 	b := &OAuthAccessTokenApplyConfiguration{}
 	err := managedfields.ExtractInto(oAuthAccessToken, internal.Parser().Type("com.github.openshift.api.oauth.v1.OAuthAccessToken"), fieldManager, b, subresource)
 	if err != nil {
@@ -71,6 +78,21 @@ func extractOAuthAccessToken(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldMa
 	b.WithAPIVersion("oauth.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractOAuthAccessToken extracts the applied configuration owned by fieldManager from
+// oAuthAccessToken. If no managedFields are found in oAuthAccessToken for fieldManager, a
+// OAuthAccessTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// oAuthAccessToken must be a unmodified OAuthAccessToken API object that was retrieved from the Kubernetes API.
+// ExtractOAuthAccessToken provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOAuthAccessToken(oAuthAccessToken *oauthv1.OAuthAccessToken, fieldManager string) (*OAuthAccessTokenApplyConfiguration, error) {
+	return ExtractOAuthAccessTokenFrom(oAuthAccessToken, fieldManager, "")
+}
+
 func (b OAuthAccessTokenApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthauthorizetoken.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthauthorizetoken.go
index ba7a4f085365f..ff4f4a8727278 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthauthorizetoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthauthorizetoken.go
@@ -13,18 +13,34 @@ import (
 
 // OAuthAuthorizeTokenApplyConfiguration represents a declarative configuration of the OAuthAuthorizeToken type for use
 // with apply.
+//
+// # OAuthAuthorizeToken describes an OAuth authorization token
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OAuthAuthorizeTokenApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	ClientName                           *string  `json:"clientName,omitempty"`
-	ExpiresIn                            *int64   `json:"expiresIn,omitempty"`
-	Scopes                               []string `json:"scopes,omitempty"`
-	RedirectURI                          *string  `json:"redirectURI,omitempty"`
-	State                                *string  `json:"state,omitempty"`
-	UserName                             *string  `json:"userName,omitempty"`
-	UserUID                              *string  `json:"userUID,omitempty"`
-	CodeChallenge                        *string  `json:"codeChallenge,omitempty"`
-	CodeChallengeMethod                  *string  `json:"codeChallengeMethod,omitempty"`
+	// clientName references the client that created this token.
+	ClientName *string `json:"clientName,omitempty"`
+	// expiresIn is the seconds from CreationTime before this token expires.
+	ExpiresIn *int64 `json:"expiresIn,omitempty"`
+	// scopes is an array of the requested scopes.
+	Scopes []string `json:"scopes,omitempty"`
+	// redirectURI is the redirection associated with the token.
+	RedirectURI *string `json:"redirectURI,omitempty"`
+	// state data from request
+	State *string `json:"state,omitempty"`
+	// userName is the user name associated with this token
+	UserName *string `json:"userName,omitempty"`
+	// userUID is the unique UID associated with this token. UserUID and UserName must both match
+	// for this token to be valid.
+	UserUID *string `json:"userUID,omitempty"`
+	// codeChallenge is the optional code_challenge associated with this authorization code, as described in rfc7636
+	CodeChallenge *string `json:"codeChallenge,omitempty"`
+	// codeChallengeMethod is the optional code_challenge_method associated with this authorization code, as described in rfc7636
+	CodeChallengeMethod *string `json:"codeChallengeMethod,omitempty"`
 }
 
 // OAuthAuthorizeToken constructs a declarative configuration of the OAuthAuthorizeToken type for use with
@@ -37,29 +53,14 @@ func OAuthAuthorizeToken(name string) *OAuthAuthorizeTokenApplyConfiguration {
 	return b
 }
 
-// ExtractOAuthAuthorizeToken extracts the applied configuration owned by fieldManager from
-// oAuthAuthorizeToken. If no managedFields are found in oAuthAuthorizeToken for fieldManager, a
-// OAuthAuthorizeTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractOAuthAuthorizeTokenFrom extracts the applied configuration owned by fieldManager from
+// oAuthAuthorizeToken for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // oAuthAuthorizeToken must be a unmodified OAuthAuthorizeToken API object that was retrieved from the Kubernetes API.
-// ExtractOAuthAuthorizeToken provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractOAuthAuthorizeTokenFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractOAuthAuthorizeToken(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken, fieldManager string) (*OAuthAuthorizeTokenApplyConfiguration, error) {
-	return extractOAuthAuthorizeToken(oAuthAuthorizeToken, fieldManager, "")
-}
-
-// ExtractOAuthAuthorizeTokenStatus is the same as ExtractOAuthAuthorizeToken except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractOAuthAuthorizeTokenStatus(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken, fieldManager string) (*OAuthAuthorizeTokenApplyConfiguration, error) {
-	return extractOAuthAuthorizeToken(oAuthAuthorizeToken, fieldManager, "status")
-}
-
-func extractOAuthAuthorizeToken(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken, fieldManager string, subresource string) (*OAuthAuthorizeTokenApplyConfiguration, error) {
+func ExtractOAuthAuthorizeTokenFrom(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken, fieldManager string, subresource string) (*OAuthAuthorizeTokenApplyConfiguration, error) {
 	b := &OAuthAuthorizeTokenApplyConfiguration{}
 	err := managedfields.ExtractInto(oAuthAuthorizeToken, internal.Parser().Type("com.github.openshift.api.oauth.v1.OAuthAuthorizeToken"), fieldManager, b, subresource)
 	if err != nil {
@@ -71,6 +72,21 @@ func extractOAuthAuthorizeToken(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken
 	b.WithAPIVersion("oauth.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractOAuthAuthorizeToken extracts the applied configuration owned by fieldManager from
+// oAuthAuthorizeToken. If no managedFields are found in oAuthAuthorizeToken for fieldManager, a
+// OAuthAuthorizeTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// oAuthAuthorizeToken must be a unmodified OAuthAuthorizeToken API object that was retrieved from the Kubernetes API.
+// ExtractOAuthAuthorizeToken provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOAuthAuthorizeToken(oAuthAuthorizeToken *oauthv1.OAuthAuthorizeToken, fieldManager string) (*OAuthAuthorizeTokenApplyConfiguration, error) {
+	return ExtractOAuthAuthorizeTokenFrom(oAuthAuthorizeToken, fieldManager, "")
+}
+
 func (b OAuthAuthorizeTokenApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclient.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclient.go
index 0f0f5e8a649b7..768d5312a3fd4 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclient.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclient.go
@@ -13,17 +13,50 @@ import (
 
 // OAuthClientApplyConfiguration represents a declarative configuration of the OAuthClient type for use
 // with apply.
+//
+// # OAuthClient describes an OAuth client
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OAuthClientApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Secret                               *string                              `json:"secret,omitempty"`
-	AdditionalSecrets                    []string                             `json:"additionalSecrets,omitempty"`
-	RespondWithChallenges                *bool                                `json:"respondWithChallenges,omitempty"`
-	RedirectURIs                         []string                             `json:"redirectURIs,omitempty"`
-	GrantMethod                          *oauthv1.GrantHandlerType            `json:"grantMethod,omitempty"`
-	ScopeRestrictions                    []ScopeRestrictionApplyConfiguration `json:"scopeRestrictions,omitempty"`
-	AccessTokenMaxAgeSeconds             *int32                               `json:"accessTokenMaxAgeSeconds,omitempty"`
-	AccessTokenInactivityTimeoutSeconds  *int32                               `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
+	// secret is the unique secret associated with a client
+	Secret *string `json:"secret,omitempty"`
+	// additionalSecrets holds other secrets that may be used to identify the client.  This is useful for rotation
+	// and for service account token validation
+	AdditionalSecrets []string `json:"additionalSecrets,omitempty"`
+	// respondWithChallenges indicates whether the client wants authentication needed responses made in the form of challenges instead of redirects
+	RespondWithChallenges *bool `json:"respondWithChallenges,omitempty"`
+	// redirectURIs is the valid redirection URIs associated with a client
+	RedirectURIs []string `json:"redirectURIs,omitempty"`
+	// grantMethod is a required field which determines how to handle grants for this client.
+	// Valid grant handling methods are:
+	// - auto:   always approves grant requests, useful for trusted clients
+	// - prompt: prompts the end user for approval of grant requests, useful for third-party clients
+	GrantMethod *oauthv1.GrantHandlerType `json:"grantMethod,omitempty"`
+	// scopeRestrictions describes which scopes this client can request.  Each requested scope
+	// is checked against each restriction.  If any restriction matches, then the scope is allowed.
+	// If no restriction matches, then the scope is denied.
+	ScopeRestrictions []ScopeRestrictionApplyConfiguration `json:"scopeRestrictions,omitempty"`
+	// accessTokenMaxAgeSeconds overrides the default access token max age for tokens granted to this client.
+	// 0 means no expiration.
+	AccessTokenMaxAgeSeconds *int32 `json:"accessTokenMaxAgeSeconds,omitempty"`
+	// accessTokenInactivityTimeoutSeconds overrides the default token
+	// inactivity timeout for tokens granted to this client.
+	// The value represents the maximum amount of time that can occur between
+	// consecutive uses of the token. Tokens become invalid if they are not
+	// used within this temporal window. The user will need to acquire a new
+	// token to regain access once a token times out.
+	// This value needs to be set only if the default set in configuration is
+	// not appropriate for this client. Valid values are:
+	// - 0: Tokens for this client never time out
+	// - X: Tokens time out if there is no activity for X seconds
+	// The current minimum allowed value for X is 300 (5 minutes)
+	//
+	// WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
+	AccessTokenInactivityTimeoutSeconds *int32 `json:"accessTokenInactivityTimeoutSeconds,omitempty"`
 }
 
 // OAuthClient constructs a declarative configuration of the OAuthClient type for use with
@@ -36,29 +69,14 @@ func OAuthClient(name string) *OAuthClientApplyConfiguration {
 	return b
 }
 
-// ExtractOAuthClient extracts the applied configuration owned by fieldManager from
-// oAuthClient. If no managedFields are found in oAuthClient for fieldManager, a
-// OAuthClientApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractOAuthClientFrom extracts the applied configuration owned by fieldManager from
+// oAuthClient for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // oAuthClient must be a unmodified OAuthClient API object that was retrieved from the Kubernetes API.
-// ExtractOAuthClient provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractOAuthClientFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractOAuthClient(oAuthClient *oauthv1.OAuthClient, fieldManager string) (*OAuthClientApplyConfiguration, error) {
-	return extractOAuthClient(oAuthClient, fieldManager, "")
-}
-
-// ExtractOAuthClientStatus is the same as ExtractOAuthClient except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractOAuthClientStatus(oAuthClient *oauthv1.OAuthClient, fieldManager string) (*OAuthClientApplyConfiguration, error) {
-	return extractOAuthClient(oAuthClient, fieldManager, "status")
-}
-
-func extractOAuthClient(oAuthClient *oauthv1.OAuthClient, fieldManager string, subresource string) (*OAuthClientApplyConfiguration, error) {
+func ExtractOAuthClientFrom(oAuthClient *oauthv1.OAuthClient, fieldManager string, subresource string) (*OAuthClientApplyConfiguration, error) {
 	b := &OAuthClientApplyConfiguration{}
 	err := managedfields.ExtractInto(oAuthClient, internal.Parser().Type("com.github.openshift.api.oauth.v1.OAuthClient"), fieldManager, b, subresource)
 	if err != nil {
@@ -70,6 +88,21 @@ func extractOAuthClient(oAuthClient *oauthv1.OAuthClient, fieldManager string, s
 	b.WithAPIVersion("oauth.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractOAuthClient extracts the applied configuration owned by fieldManager from
+// oAuthClient. If no managedFields are found in oAuthClient for fieldManager, a
+// OAuthClientApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// oAuthClient must be a unmodified OAuthClient API object that was retrieved from the Kubernetes API.
+// ExtractOAuthClient provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOAuthClient(oAuthClient *oauthv1.OAuthClient, fieldManager string) (*OAuthClientApplyConfiguration, error) {
+	return ExtractOAuthClientFrom(oAuthClient, fieldManager, "")
+}
+
 func (b OAuthClientApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclientauthorization.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclientauthorization.go
index f1de4432913cd..5a3fb36760ee5 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclientauthorization.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/oauthclientauthorization.go
@@ -13,13 +13,24 @@ import (
 
 // OAuthClientAuthorizationApplyConfiguration represents a declarative configuration of the OAuthClientAuthorization type for use
 // with apply.
+//
+// # OAuthClientAuthorization describes an authorization created by an OAuth client
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type OAuthClientAuthorizationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	ClientName                           *string  `json:"clientName,omitempty"`
-	UserName                             *string  `json:"userName,omitempty"`
-	UserUID                              *string  `json:"userUID,omitempty"`
-	Scopes                               []string `json:"scopes,omitempty"`
+	// clientName references the client that created this authorization
+	ClientName *string `json:"clientName,omitempty"`
+	// userName is the user name that authorized this client
+	UserName *string `json:"userName,omitempty"`
+	// userUID is the unique UID associated with this authorization. UserUID and UserName
+	// must both match for this authorization to be valid.
+	UserUID *string `json:"userUID,omitempty"`
+	// scopes is an array of the granted scopes.
+	Scopes []string `json:"scopes,omitempty"`
 }
 
 // OAuthClientAuthorization constructs a declarative configuration of the OAuthClientAuthorization type for use with
@@ -32,29 +43,14 @@ func OAuthClientAuthorization(name string) *OAuthClientAuthorizationApplyConfigu
 	return b
 }
 
-// ExtractOAuthClientAuthorization extracts the applied configuration owned by fieldManager from
-// oAuthClientAuthorization. If no managedFields are found in oAuthClientAuthorization for fieldManager, a
-// OAuthClientAuthorizationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractOAuthClientAuthorizationFrom extracts the applied configuration owned by fieldManager from
+// oAuthClientAuthorization for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // oAuthClientAuthorization must be a unmodified OAuthClientAuthorization API object that was retrieved from the Kubernetes API.
-// ExtractOAuthClientAuthorization provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractOAuthClientAuthorizationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractOAuthClientAuthorization(oAuthClientAuthorization *oauthv1.OAuthClientAuthorization, fieldManager string) (*OAuthClientAuthorizationApplyConfiguration, error) {
-	return extractOAuthClientAuthorization(oAuthClientAuthorization, fieldManager, "")
-}
-
-// ExtractOAuthClientAuthorizationStatus is the same as ExtractOAuthClientAuthorization except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractOAuthClientAuthorizationStatus(oAuthClientAuthorization *oauthv1.OAuthClientAuthorization, fieldManager string) (*OAuthClientAuthorizationApplyConfiguration, error) {
-	return extractOAuthClientAuthorization(oAuthClientAuthorization, fieldManager, "status")
-}
-
-func extractOAuthClientAuthorization(oAuthClientAuthorization *oauthv1.OAuthClientAuthorization, fieldManager string, subresource string) (*OAuthClientAuthorizationApplyConfiguration, error) {
+func ExtractOAuthClientAuthorizationFrom(oAuthClientAuthorization *oauthv1.OAuthClientAuthorization, fieldManager string, subresource string) (*OAuthClientAuthorizationApplyConfiguration, error) {
 	b := &OAuthClientAuthorizationApplyConfiguration{}
 	err := managedfields.ExtractInto(oAuthClientAuthorization, internal.Parser().Type("com.github.openshift.api.oauth.v1.OAuthClientAuthorization"), fieldManager, b, subresource)
 	if err != nil {
@@ -66,6 +62,21 @@ func extractOAuthClientAuthorization(oAuthClientAuthorization *oauthv1.OAuthClie
 	b.WithAPIVersion("oauth.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractOAuthClientAuthorization extracts the applied configuration owned by fieldManager from
+// oAuthClientAuthorization. If no managedFields are found in oAuthClientAuthorization for fieldManager, a
+// OAuthClientAuthorizationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// oAuthClientAuthorization must be a unmodified OAuthClientAuthorization API object that was retrieved from the Kubernetes API.
+// ExtractOAuthClientAuthorization provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractOAuthClientAuthorization(oAuthClientAuthorization *oauthv1.OAuthClientAuthorization, fieldManager string) (*OAuthClientAuthorizationApplyConfiguration, error) {
+	return ExtractOAuthClientAuthorizationFrom(oAuthClientAuthorization, fieldManager, "")
+}
+
 func (b OAuthClientAuthorizationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/scoperestriction.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/scoperestriction.go
index bbeb90273f338..f73cb1814717f 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/scoperestriction.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/scoperestriction.go
@@ -4,8 +4,12 @@ package v1
 
 // ScopeRestrictionApplyConfiguration represents a declarative configuration of the ScopeRestriction type for use
 // with apply.
+//
+// ScopeRestriction describe one restriction on scopes.  Exactly one option must be non-nil.
 type ScopeRestrictionApplyConfiguration struct {
-	ExactValues []string                                       `json:"literals,omitempty"`
+	// ExactValues means the scope has to match a particular set of strings exactly
+	ExactValues []string `json:"literals,omitempty"`
+	// clusterRole describes a set of restrictions for cluster role scoping.
 	ClusterRole *ClusterRoleScopeRestrictionApplyConfiguration `json:"clusterRole,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/useroauthaccesstoken.go b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/useroauthaccesstoken.go
index 902e026c2abe0..110e9e92fcca7 100644
--- a/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/useroauthaccesstoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/applyconfigurations/oauth/v1/useroauthaccesstoken.go
@@ -13,18 +13,34 @@ import (
 
 // UserOAuthAccessTokenApplyConfiguration represents a declarative configuration of the UserOAuthAccessToken type for use
 // with apply.
+//
+// UserOAuthAccessToken is a virtual resource to mirror OAuthAccessTokens to
+// the user the access token was issued for
 type UserOAuthAccessTokenApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	ClientName                           *string  `json:"clientName,omitempty"`
-	ExpiresIn                            *int64   `json:"expiresIn,omitempty"`
-	Scopes                               []string `json:"scopes,omitempty"`
-	RedirectURI                          *string  `json:"redirectURI,omitempty"`
-	UserName                             *string  `json:"userName,omitempty"`
-	UserUID                              *string  `json:"userUID,omitempty"`
-	AuthorizeToken                       *string  `json:"authorizeToken,omitempty"`
-	RefreshToken                         *string  `json:"refreshToken,omitempty"`
-	InactivityTimeoutSeconds             *int32   `json:"inactivityTimeoutSeconds,omitempty"`
+	// clientName references the client that created this token.
+	ClientName *string `json:"clientName,omitempty"`
+	// expiresIn is the seconds from CreationTime before this token expires.
+	ExpiresIn *int64 `json:"expiresIn,omitempty"`
+	// scopes is an array of the requested scopes.
+	Scopes []string `json:"scopes,omitempty"`
+	// redirectURI is the redirection associated with the token.
+	RedirectURI *string `json:"redirectURI,omitempty"`
+	// userName is the user name associated with this token
+	UserName *string `json:"userName,omitempty"`
+	// userUID is the unique UID associated with this token
+	UserUID *string `json:"userUID,omitempty"`
+	// authorizeToken contains the token that authorized this token
+	AuthorizeToken *string `json:"authorizeToken,omitempty"`
+	// refreshToken is the value by which this token can be renewed. Can be blank.
+	RefreshToken *string `json:"refreshToken,omitempty"`
+	// inactivityTimeoutSeconds is the value in seconds, from the
+	// CreationTimestamp, after which this token can no longer be used.
+	// The value is automatically incremented when the token is used.
+	InactivityTimeoutSeconds *int32 `json:"inactivityTimeoutSeconds,omitempty"`
 }
 
 // UserOAuthAccessToken constructs a declarative configuration of the UserOAuthAccessToken type for use with
@@ -37,29 +53,14 @@ func UserOAuthAccessToken(name string) *UserOAuthAccessTokenApplyConfiguration {
 	return b
 }
 
-// ExtractUserOAuthAccessToken extracts the applied configuration owned by fieldManager from
-// userOAuthAccessToken. If no managedFields are found in userOAuthAccessToken for fieldManager, a
-// UserOAuthAccessTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractUserOAuthAccessTokenFrom extracts the applied configuration owned by fieldManager from
+// userOAuthAccessToken for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // userOAuthAccessToken must be a unmodified UserOAuthAccessToken API object that was retrieved from the Kubernetes API.
-// ExtractUserOAuthAccessToken provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractUserOAuthAccessTokenFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractUserOAuthAccessToken(userOAuthAccessToken *oauthv1.UserOAuthAccessToken, fieldManager string) (*UserOAuthAccessTokenApplyConfiguration, error) {
-	return extractUserOAuthAccessToken(userOAuthAccessToken, fieldManager, "")
-}
-
-// ExtractUserOAuthAccessTokenStatus is the same as ExtractUserOAuthAccessToken except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractUserOAuthAccessTokenStatus(userOAuthAccessToken *oauthv1.UserOAuthAccessToken, fieldManager string) (*UserOAuthAccessTokenApplyConfiguration, error) {
-	return extractUserOAuthAccessToken(userOAuthAccessToken, fieldManager, "status")
-}
-
-func extractUserOAuthAccessToken(userOAuthAccessToken *oauthv1.UserOAuthAccessToken, fieldManager string, subresource string) (*UserOAuthAccessTokenApplyConfiguration, error) {
+func ExtractUserOAuthAccessTokenFrom(userOAuthAccessToken *oauthv1.UserOAuthAccessToken, fieldManager string, subresource string) (*UserOAuthAccessTokenApplyConfiguration, error) {
 	b := &UserOAuthAccessTokenApplyConfiguration{}
 	err := managedfields.ExtractInto(userOAuthAccessToken, internal.Parser().Type("com.github.openshift.api.oauth.v1.UserOAuthAccessToken"), fieldManager, b, subresource)
 	if err != nil {
@@ -71,6 +72,21 @@ func extractUserOAuthAccessToken(userOAuthAccessToken *oauthv1.UserOAuthAccessTo
 	b.WithAPIVersion("oauth.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractUserOAuthAccessToken extracts the applied configuration owned by fieldManager from
+// userOAuthAccessToken. If no managedFields are found in userOAuthAccessToken for fieldManager, a
+// UserOAuthAccessTokenApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// userOAuthAccessToken must be a unmodified UserOAuthAccessToken API object that was retrieved from the Kubernetes API.
+// ExtractUserOAuthAccessToken provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractUserOAuthAccessToken(userOAuthAccessToken *oauthv1.UserOAuthAccessToken, fieldManager string) (*UserOAuthAccessTokenApplyConfiguration, error) {
+	return ExtractUserOAuthAccessTokenFrom(userOAuthAccessToken, fieldManager, "")
+}
+
 func (b UserOAuthAccessTokenApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/factory.go
index 150619e56aecd..9b94e66a47faa 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthaccesstoken.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthaccesstoken.go
index f23845bb370d3..b8764240e0fdc 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthaccesstoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthaccesstoken.go
@@ -40,7 +40,7 @@ func NewOAuthAccessTokenInformer(client versioned.Interface, resyncPeriod time.D
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOAuthAccessTokenInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOAuthAccessTokenInformer(client versioned.Interface, resyncPerio
 				}
 				return client.OauthV1().OAuthAccessTokens().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apioauthv1.OAuthAccessToken{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthauthorizetoken.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthauthorizetoken.go
index 81ac32fdce436..2dee67f8fb521 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthauthorizetoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthauthorizetoken.go
@@ -40,7 +40,7 @@ func NewOAuthAuthorizeTokenInformer(client versioned.Interface, resyncPeriod tim
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOAuthAuthorizeTokenInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOAuthAuthorizeTokenInformer(client versioned.Interface, resyncPe
 				}
 				return client.OauthV1().OAuthAuthorizeTokens().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apioauthv1.OAuthAuthorizeToken{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclient.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclient.go
index f0659fbc446dd..94811c4e7862c 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclient.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclient.go
@@ -40,7 +40,7 @@ func NewOAuthClientInformer(client versioned.Interface, resyncPeriod time.Durati
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOAuthClientInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOAuthClientInformer(client versioned.Interface, resyncPeriod tim
 				}
 				return client.OauthV1().OAuthClients().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apioauthv1.OAuthClient{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclientauthorization.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclientauthorization.go
index e5f684b9d89bd..9fe234b133411 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclientauthorization.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/oauthclientauthorization.go
@@ -40,7 +40,7 @@ func NewOAuthClientAuthorizationInformer(client versioned.Interface, resyncPerio
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredOAuthClientAuthorizationInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredOAuthClientAuthorizationInformer(client versioned.Interface, res
 				}
 				return client.OauthV1().OAuthClientAuthorizations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apioauthv1.OAuthClientAuthorization{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/useroauthaccesstoken.go b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/useroauthaccesstoken.go
index 8fba6738f79b8..2fac8ad5b281c 100644
--- a/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/useroauthaccesstoken.go
+++ b/vendor/github.com/openshift/client-go/oauth/informers/externalversions/oauth/v1/useroauthaccesstoken.go
@@ -40,7 +40,7 @@ func NewUserOAuthAccessTokenInformer(client versioned.Interface, resyncPeriod ti
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredUserOAuthAccessTokenInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredUserOAuthAccessTokenInformer(client versioned.Interface, resyncP
 				}
 				return client.OauthV1().UserOAuthAccessTokens().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apioauthv1.UserOAuthAccessToken{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequota.go b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequota.go
index aa5ce6672e36c..e9c01322b8a67 100644
--- a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequota.go
+++ b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequota.go
@@ -13,11 +13,20 @@ import (
 
 // ClusterResourceQuotaApplyConfiguration represents a declarative configuration of the ClusterResourceQuota type for use
 // with apply.
+//
+// ClusterResourceQuota mirrors ResourceQuota at a cluster scope.  This object is easily convertible to
+// synthetic ResourceQuota object to allow quota evaluation re-use.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type ClusterResourceQuotaApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *ClusterResourceQuotaSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *ClusterResourceQuotaStatusApplyConfiguration `json:"status,omitempty"`
+	// spec defines the desired quota
+	Spec *ClusterResourceQuotaSpecApplyConfiguration `json:"spec,omitempty"`
+	// status defines the actual enforced quota and its current usage
+	Status *ClusterResourceQuotaStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // ClusterResourceQuota constructs a declarative configuration of the ClusterResourceQuota type for use with
@@ -30,6 +39,26 @@ func ClusterResourceQuota(name string) *ClusterResourceQuotaApplyConfiguration {
 	return b
 }
 
+// ExtractClusterResourceQuotaFrom extracts the applied configuration owned by fieldManager from
+// clusterResourceQuota for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// clusterResourceQuota must be a unmodified ClusterResourceQuota API object that was retrieved from the Kubernetes API.
+// ExtractClusterResourceQuotaFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractClusterResourceQuotaFrom(clusterResourceQuota *quotav1.ClusterResourceQuota, fieldManager string, subresource string) (*ClusterResourceQuotaApplyConfiguration, error) {
+	b := &ClusterResourceQuotaApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterResourceQuota, internal.Parser().Type("com.github.openshift.api.quota.v1.ClusterResourceQuota"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterResourceQuota.Name)
+
+	b.WithKind("ClusterResourceQuota")
+	b.WithAPIVersion("quota.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractClusterResourceQuota extracts the applied configuration owned by fieldManager from
 // clusterResourceQuota. If no managedFields are found in clusterResourceQuota for fieldManager, a
 // ClusterResourceQuotaApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -40,30 +69,16 @@ func ClusterResourceQuota(name string) *ClusterResourceQuotaApplyConfiguration {
 // ExtractClusterResourceQuota provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractClusterResourceQuota(clusterResourceQuota *quotav1.ClusterResourceQuota, fieldManager string) (*ClusterResourceQuotaApplyConfiguration, error) {
-	return extractClusterResourceQuota(clusterResourceQuota, fieldManager, "")
+	return ExtractClusterResourceQuotaFrom(clusterResourceQuota, fieldManager, "")
 }
 
-// ExtractClusterResourceQuotaStatus is the same as ExtractClusterResourceQuota except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractClusterResourceQuotaStatus extracts the applied configuration owned by fieldManager from
+// clusterResourceQuota for the status subresource.
 func ExtractClusterResourceQuotaStatus(clusterResourceQuota *quotav1.ClusterResourceQuota, fieldManager string) (*ClusterResourceQuotaApplyConfiguration, error) {
-	return extractClusterResourceQuota(clusterResourceQuota, fieldManager, "status")
+	return ExtractClusterResourceQuotaFrom(clusterResourceQuota, fieldManager, "status")
 }
 
-func extractClusterResourceQuota(clusterResourceQuota *quotav1.ClusterResourceQuota, fieldManager string, subresource string) (*ClusterResourceQuotaApplyConfiguration, error) {
-	b := &ClusterResourceQuotaApplyConfiguration{}
-	err := managedfields.ExtractInto(clusterResourceQuota, internal.Parser().Type("com.github.openshift.api.quota.v1.ClusterResourceQuota"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(clusterResourceQuota.Name)
-
-	b.WithKind("ClusterResourceQuota")
-	b.WithAPIVersion("quota.openshift.io/v1")
-	return b, nil
-}
 func (b ClusterResourceQuotaApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaselector.go b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaselector.go
index a759a1b9bc0f4..096cc58beb1a0 100644
--- a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaselector.go
+++ b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaselector.go
@@ -8,9 +8,15 @@ import (
 
 // ClusterResourceQuotaSelectorApplyConfiguration represents a declarative configuration of the ClusterResourceQuotaSelector type for use
 // with apply.
+//
+// ClusterResourceQuotaSelector is used to select projects.  At least one of LabelSelector or AnnotationSelector
+// must present.  If only one is present, it is the only selection criteria.  If both are specified,
+// the project must match both restrictions.
 type ClusterResourceQuotaSelectorApplyConfiguration struct {
-	LabelSelector      *metav1.LabelSelectorApplyConfiguration `json:"labels,omitempty"`
-	AnnotationSelector map[string]string                       `json:"annotations,omitempty"`
+	// LabelSelector is used to select projects by label.
+	LabelSelector *metav1.LabelSelectorApplyConfiguration `json:"labels,omitempty"`
+	// AnnotationSelector is used to select projects by annotation.
+	AnnotationSelector map[string]string `json:"annotations,omitempty"`
 }
 
 // ClusterResourceQuotaSelectorApplyConfiguration constructs a declarative configuration of the ClusterResourceQuotaSelector type for use with
diff --git a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaspec.go b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaspec.go
index 5f64a692e97f5..0ff7001eefb90 100644
--- a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaspec.go
+++ b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotaspec.go
@@ -8,9 +8,16 @@ import (
 
 // ClusterResourceQuotaSpecApplyConfiguration represents a declarative configuration of the ClusterResourceQuotaSpec type for use
 // with apply.
+//
+// ClusterResourceQuotaSpec defines the desired quota restrictions
 type ClusterResourceQuotaSpecApplyConfiguration struct {
+	// selector is the selector used to match projects.
+	// It should only select active projects on the scale of dozens (though it can select
+	// many more less active projects).  These projects will contend on object creation through
+	// this resource.
 	Selector *ClusterResourceQuotaSelectorApplyConfiguration `json:"selector,omitempty"`
-	Quota    *corev1.ResourceQuotaSpec                       `json:"quota,omitempty"`
+	// quota defines the desired quota
+	Quota *corev1.ResourceQuotaSpec `json:"quota,omitempty"`
 }
 
 // ClusterResourceQuotaSpecApplyConfiguration constructs a declarative configuration of the ClusterResourceQuotaSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotastatus.go b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotastatus.go
index bd5dbca4d5944..600d942962e51 100644
--- a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotastatus.go
+++ b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/clusterresourcequotastatus.go
@@ -9,8 +9,14 @@ import (
 
 // ClusterResourceQuotaStatusApplyConfiguration represents a declarative configuration of the ClusterResourceQuotaStatus type for use
 // with apply.
+//
+// ClusterResourceQuotaStatus defines the actual enforced quota and its current usage
 type ClusterResourceQuotaStatusApplyConfiguration struct {
-	Total      *corev1.ResourceQuotaStatus              `json:"total,omitempty"`
+	// total defines the actual enforced quota and its current usage across all projects
+	Total *corev1.ResourceQuotaStatus `json:"total,omitempty"`
+	// namespaces slices the usage by project.  This division allows for quick resolution of
+	// deletion reconciliation inside of a single project without requiring a recalculation
+	// across all projects.  This can be used to pull the deltas for a given project.
 	Namespaces *quotav1.ResourceQuotasStatusByNamespace `json:"namespaces,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/resourcequotastatusbynamespace.go b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/resourcequotastatusbynamespace.go
index 973ba124f256d..896402e43ca67 100644
--- a/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/resourcequotastatusbynamespace.go
+++ b/vendor/github.com/openshift/client-go/quota/applyconfigurations/quota/v1/resourcequotastatusbynamespace.go
@@ -8,9 +8,13 @@ import (
 
 // ResourceQuotaStatusByNamespaceApplyConfiguration represents a declarative configuration of the ResourceQuotaStatusByNamespace type for use
 // with apply.
+//
+// ResourceQuotaStatusByNamespace gives status for a particular project
 type ResourceQuotaStatusByNamespaceApplyConfiguration struct {
-	Namespace *string                     `json:"namespace,omitempty"`
-	Status    *corev1.ResourceQuotaStatus `json:"status,omitempty"`
+	// namespace the project this status applies to
+	Namespace *string `json:"namespace,omitempty"`
+	// status indicates how many resources have been consumed by this project
+	Status *corev1.ResourceQuotaStatus `json:"status,omitempty"`
 }
 
 // ResourceQuotaStatusByNamespaceApplyConfiguration constructs a declarative configuration of the ResourceQuotaStatusByNamespace type for use with
diff --git a/vendor/github.com/openshift/client-go/quota/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/quota/informers/externalversions/factory.go
index 4e04dffba1878..fe404486443c9 100644
--- a/vendor/github.com/openshift/client-go/quota/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/quota/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/quota/informers/externalversions/quota/v1/clusterresourcequota.go b/vendor/github.com/openshift/client-go/quota/informers/externalversions/quota/v1/clusterresourcequota.go
index 7a9b76f4ae9f8..e209e00576496 100644
--- a/vendor/github.com/openshift/client-go/quota/informers/externalversions/quota/v1/clusterresourcequota.go
+++ b/vendor/github.com/openshift/client-go/quota/informers/externalversions/quota/v1/clusterresourcequota.go
@@ -40,7 +40,7 @@ func NewClusterResourceQuotaInformer(client versioned.Interface, resyncPeriod ti
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredClusterResourceQuotaInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredClusterResourceQuotaInformer(client versioned.Interface, resyncP
 				}
 				return client.QuotaV1().ClusterResourceQuotas().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiquotav1.ClusterResourceQuota{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/localobjectreference.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/localobjectreference.go
index c0b6f455e9752..dd2625430027d 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/localobjectreference.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/localobjectreference.go
@@ -4,7 +4,12 @@ package v1
 
 // LocalObjectReferenceApplyConfiguration represents a declarative configuration of the LocalObjectReference type for use
 // with apply.
+//
+// LocalObjectReference contains enough information to let you locate the
+// referenced object inside the same namespace.
 type LocalObjectReferenceApplyConfiguration struct {
+	// name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 	Name *string `json:"name,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/route.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/route.go
index 9411fc0bd533b..4cfbce50512cc 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/route.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/route.go
@@ -13,11 +13,43 @@ import (
 
 // RouteApplyConfiguration represents a declarative configuration of the Route type for use
 // with apply.
+//
+// A route allows developers to expose services through an HTTP(S) aware load balancing and proxy
+// layer via a public DNS entry. The route may further specify TLS options and a certificate, or
+// specify a public CNAME that the router should also accept for HTTP and HTTPS traffic. An
+// administrator typically configures their router to be visible outside the cluster firewall, and
+// may also add additional security, caching, or traffic controls on the service content. Routers
+// usually talk directly to the service endpoints.
+//
+// Once a route is created, the `host` field may not be changed. Generally, routers use the oldest
+// route with a given host when resolving conflicts.
+//
+// Routers are subject to additional customization and may support additional controls via the
+// annotations field.
+//
+// Because administrators may configure multiple routers, the route status field is used to
+// return information to clients about the names and states of the route under each router.
+// If a client chooses a duplicate name, for instance, the route status conditions are used
+// to indicate the route cannot be chosen.
+//
+// To enable HTTP/2 ALPN on a route it requires a custom
+// (non-wildcard) certificate. This prevents connection coalescing by
+// clients, notably web browsers. We do not support HTTP/2 ALPN on
+// routes that use the default certificate because of the risk of
+// connection re-use/coalescing. Routes that do not have their own
+// custom certificate will not be HTTP/2 ALPN-enabled on either the
+// frontend or the backend.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type RouteApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *RouteSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *RouteStatusApplyConfiguration `json:"status,omitempty"`
+	// spec is the desired state of the route
+	Spec *RouteSpecApplyConfiguration `json:"spec,omitempty"`
+	// status is the current state of the route
+	Status *RouteStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // Route constructs a declarative configuration of the Route type for use with
@@ -31,6 +63,27 @@ func Route(name, namespace string) *RouteApplyConfiguration {
 	return b
 }
 
+// ExtractRouteFrom extracts the applied configuration owned by fieldManager from
+// route for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// route must be a unmodified Route API object that was retrieved from the Kubernetes API.
+// ExtractRouteFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRouteFrom(route *routev1.Route, fieldManager string, subresource string) (*RouteApplyConfiguration, error) {
+	b := &RouteApplyConfiguration{}
+	err := managedfields.ExtractInto(route, internal.Parser().Type("com.github.openshift.api.route.v1.Route"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(route.Name)
+	b.WithNamespace(route.Namespace)
+
+	b.WithKind("Route")
+	b.WithAPIVersion("route.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractRoute extracts the applied configuration owned by fieldManager from
 // route. If no managedFields are found in route for fieldManager, a
 // RouteApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +94,16 @@ func Route(name, namespace string) *RouteApplyConfiguration {
 // ExtractRoute provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractRoute(route *routev1.Route, fieldManager string) (*RouteApplyConfiguration, error) {
-	return extractRoute(route, fieldManager, "")
+	return ExtractRouteFrom(route, fieldManager, "")
 }
 
-// ExtractRouteStatus is the same as ExtractRoute except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractRouteStatus extracts the applied configuration owned by fieldManager from
+// route for the status subresource.
 func ExtractRouteStatus(route *routev1.Route, fieldManager string) (*RouteApplyConfiguration, error) {
-	return extractRoute(route, fieldManager, "status")
+	return ExtractRouteFrom(route, fieldManager, "status")
 }
 
-func extractRoute(route *routev1.Route, fieldManager string, subresource string) (*RouteApplyConfiguration, error) {
-	b := &RouteApplyConfiguration{}
-	err := managedfields.ExtractInto(route, internal.Parser().Type("com.github.openshift.api.route.v1.Route"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(route.Name)
-	b.WithNamespace(route.Namespace)
-
-	b.WithKind("Route")
-	b.WithAPIVersion("route.openshift.io/v1")
-	return b, nil
-}
 func (b RouteApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheader.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheader.go
index 6223a38a14e4c..e4754c9355ea6 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheader.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheader.go
@@ -4,8 +4,18 @@ package v1
 
 // RouteHTTPHeaderApplyConfiguration represents a declarative configuration of the RouteHTTPHeader type for use
 // with apply.
+//
+// RouteHTTPHeader specifies configuration for setting or deleting an HTTP header.
 type RouteHTTPHeaderApplyConfiguration struct {
-	Name   *string                                       `json:"name,omitempty"`
+	// name specifies the name of a header on which to perform an action. Its value must be a valid HTTP header
+	// name as defined in RFC 2616 section 4.2.
+	// The name must consist only of alphanumeric and the following special characters, "-!#$%&'*+.^_`".
+	// The following header names are reserved and may not be modified via this API:
+	// Strict-Transport-Security, Proxy, Cookie, Set-Cookie.
+	// It must be no more than 255 characters in length.
+	// Header name must be unique.
+	Name *string `json:"name,omitempty"`
+	// action specifies actions to perform on headers, such as setting or deleting headers.
 	Action *RouteHTTPHeaderActionUnionApplyConfiguration `json:"action,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactions.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactions.go
index 2a9f4af162150..e19652cd22087 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactions.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactions.go
@@ -4,9 +4,41 @@ package v1
 
 // RouteHTTPHeaderActionsApplyConfiguration represents a declarative configuration of the RouteHTTPHeaderActions type for use
 // with apply.
+//
+// RouteHTTPHeaderActions defines configuration for actions on HTTP request and response headers.
 type RouteHTTPHeaderActionsApplyConfiguration struct {
+	// response is a list of HTTP response headers to modify.
+	// Currently, actions may define to either `Set` or `Delete` headers values.
+	// Actions defined here will modify the response headers of all requests made through a route.
+	// These actions are applied to a specific Route defined within a cluster i.e. connections made through a route.
+	// Route actions will be executed before IngressController actions for response headers.
+	// Actions are applied in sequence as defined in this list.
+	// A maximum of 20 response header actions may be configured.
+	// You can use this field to specify HTTP response headers that should be set or deleted
+	// when forwarding responses from your application to the client.
+	// Sample fetchers allowed are "res.hdr" and "ssl_c_der".
+	// Converters allowed are "lower" and "base64".
+	// Example header values: "%[res.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]".
+	// Note: This field cannot be used if your route uses TLS passthrough.
 	Response []RouteHTTPHeaderApplyConfiguration `json:"response,omitempty"`
-	Request  []RouteHTTPHeaderApplyConfiguration `json:"request,omitempty"`
+	// request is a list of HTTP request headers to modify.
+	// Currently, actions may define to either `Set` or `Delete` headers values.
+	// Actions defined here will modify the request headers of all requests made through a route.
+	// These actions are applied to a specific Route defined within a cluster i.e. connections made through a route.
+	// Currently, actions may define to either `Set` or `Delete` headers values.
+	// Route actions will be executed after IngressController actions for request headers.
+	// Actions are applied in sequence as defined in this list.
+	// A maximum of 20 request header actions may be configured.
+	// You can use this field to specify HTTP request headers that should be set or deleted
+	// when forwarding connections from the client to your application.
+	// Sample fetchers allowed are "req.hdr" and "ssl_c_der".
+	// Converters allowed are "lower" and "base64".
+	// Example header values: "%[req.hdr(X-target),lower]", "%{+Q}[ssl_c_der,base64]".
+	// Any request header configuration applied directly via a Route resource using this API
+	// will override header configuration for a header of the same name applied via
+	// spec.httpHeaders.actions on the IngressController or route annotation.
+	// Note: This field cannot be used if your route uses TLS passthrough.
+	Request []RouteHTTPHeaderApplyConfiguration `json:"request,omitempty"`
 }
 
 // RouteHTTPHeaderActionsApplyConfiguration constructs a declarative configuration of the RouteHTTPHeaderActions type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactionunion.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactionunion.go
index a54a0913cc3e0..822bc3056d979 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactionunion.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaderactionunion.go
@@ -8,9 +8,17 @@ import (
 
 // RouteHTTPHeaderActionUnionApplyConfiguration represents a declarative configuration of the RouteHTTPHeaderActionUnion type for use
 // with apply.
+//
+// RouteHTTPHeaderActionUnion specifies an action to take on an HTTP header.
 type RouteHTTPHeaderActionUnionApplyConfiguration struct {
-	Type *routev1.RouteHTTPHeaderActionType    `json:"type,omitempty"`
-	Set  *RouteSetHTTPHeaderApplyConfiguration `json:"set,omitempty"`
+	// type defines the type of the action to be applied on the header.
+	// Possible values are Set or Delete.
+	// Set allows you to set HTTP request and response headers.
+	// Delete allows you to delete HTTP request and response headers.
+	Type *routev1.RouteHTTPHeaderActionType `json:"type,omitempty"`
+	// set defines the HTTP header that should be set: added if it doesn't exist or replaced if it does.
+	// This field is required when type is Set and forbidden otherwise.
+	Set *RouteSetHTTPHeaderApplyConfiguration `json:"set,omitempty"`
 }
 
 // RouteHTTPHeaderActionUnionApplyConfiguration constructs a declarative configuration of the RouteHTTPHeaderActionUnion type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaders.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaders.go
index 0dd34776a536c..7cff1dfeee010 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaders.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routehttpheaders.go
@@ -4,7 +4,33 @@ package v1
 
 // RouteHTTPHeadersApplyConfiguration represents a declarative configuration of the RouteHTTPHeaders type for use
 // with apply.
+//
+// RouteHTTPHeaders defines policy for HTTP headers.
 type RouteHTTPHeadersApplyConfiguration struct {
+	// actions specifies options for modifying headers and their values.
+	// Note that this option only applies to cleartext HTTP connections
+	// and to secure HTTP connections for which the ingress controller
+	// terminates encryption (that is, edge-terminated or reencrypt
+	// connections).  Headers cannot be modified for TLS passthrough
+	// connections.
+	// Setting the HSTS (`Strict-Transport-Security`) header is not supported via actions.
+	// `Strict-Transport-Security` may only be configured using the "haproxy.router.openshift.io/hsts_header"
+	// route annotation, and only in accordance with the policy specified in Ingress.Spec.RequiredHSTSPolicies.
+	// In case of HTTP request headers, the actions specified in spec.httpHeaders.actions on the Route will be executed after
+	// the actions specified in the IngressController's spec.httpHeaders.actions field.
+	// In case of HTTP response headers, the actions specified in spec.httpHeaders.actions on the IngressController will be
+	// executed after the actions specified in the Route's spec.httpHeaders.actions field.
+	// The headers set via this API will not appear in access logs.
+	// Any actions defined here are applied after any actions related to the following other fields:
+	// cache-control, spec.clientTLS,
+	// spec.httpHeaders.forwardedHeaderPolicy, spec.httpHeaders.uniqueId,
+	// and spec.httpHeaders.headerNameCaseAdjustments.
+	// The following header names are reserved and may not be modified via this API:
+	// Strict-Transport-Security, Proxy, Cookie, Set-Cookie.
+	// Note that the total size of all net added headers *after* interpolating dynamic values
+	// must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the
+	// IngressController. Please refer to the documentation
+	// for that API field for more details.
 	Actions *RouteHTTPHeaderActionsApplyConfiguration `json:"actions,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingress.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingress.go
index 2468d1dd51506..15932cbd977a5 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingress.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingress.go
@@ -8,12 +8,20 @@ import (
 
 // RouteIngressApplyConfiguration represents a declarative configuration of the RouteIngress type for use
 // with apply.
+//
+// RouteIngress holds information about the places where a route is exposed.
 type RouteIngressApplyConfiguration struct {
-	Host                    *string                                   `json:"host,omitempty"`
-	RouterName              *string                                   `json:"routerName,omitempty"`
-	Conditions              []RouteIngressConditionApplyConfiguration `json:"conditions,omitempty"`
-	WildcardPolicy          *routev1.WildcardPolicyType               `json:"wildcardPolicy,omitempty"`
-	RouterCanonicalHostname *string                                   `json:"routerCanonicalHostname,omitempty"`
+	// host is the host string under which the route is exposed; this value is required
+	Host *string `json:"host,omitempty"`
+	// Name is a name chosen by the router to identify itself; this value is required
+	RouterName *string `json:"routerName,omitempty"`
+	// conditions is the state of the route, may be empty.
+	Conditions []RouteIngressConditionApplyConfiguration `json:"conditions,omitempty"`
+	// Wildcard policy is the wildcard policy that was allowed where this route is exposed.
+	WildcardPolicy *routev1.WildcardPolicyType `json:"wildcardPolicy,omitempty"`
+	// CanonicalHostname is the external host name for the router that can be used as a CNAME
+	// for the host requested for this route. This value is optional and may not be set in all cases.
+	RouterCanonicalHostname *string `json:"routerCanonicalHostname,omitempty"`
 }
 
 // RouteIngressApplyConfiguration constructs a declarative configuration of the RouteIngress type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingresscondition.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingresscondition.go
index 1ddebe528d241..a895dc9483c9c 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingresscondition.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeingresscondition.go
@@ -10,12 +10,23 @@ import (
 
 // RouteIngressConditionApplyConfiguration represents a declarative configuration of the RouteIngressCondition type for use
 // with apply.
+//
+// RouteIngressCondition contains details for the current condition of this route on a particular
+// router.
 type RouteIngressConditionApplyConfiguration struct {
-	Type               *routev1.RouteIngressConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus            `json:"status,omitempty"`
-	Reason             *string                            `json:"reason,omitempty"`
-	Message            *string                            `json:"message,omitempty"`
-	LastTransitionTime *metav1.Time                       `json:"lastTransitionTime,omitempty"`
+	// type is the type of the condition.
+	// Currently only Admitted or UnservableInFutureVersions.
+	Type *routev1.RouteIngressConditionType `json:"type,omitempty"`
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// (brief) reason for the condition's last transition, and is usually a machine and human
+	// readable constant
+	Reason *string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	Message *string `json:"message,omitempty"`
+	// RFC 3339 date and time when this condition last transitioned
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
 }
 
 // RouteIngressConditionApplyConfiguration constructs a declarative configuration of the RouteIngressCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeport.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeport.go
index d26e4564cb041..b14b3962551b3 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeport.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routeport.go
@@ -8,7 +8,12 @@ import (
 
 // RoutePortApplyConfiguration represents a declarative configuration of the RoutePort type for use
 // with apply.
+//
+// RoutePort defines a port mapping from a router to an endpoint in the service endpoints.
 type RoutePortApplyConfiguration struct {
+	// The target port on pods selected by the service this route points to.
+	// If this is a string, it will be looked up as a named port in the target
+	// endpoints port list. Required
 	TargetPort *intstr.IntOrString `json:"targetPort,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routesethttpheader.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routesethttpheader.go
index cc1438e9ed1bc..2e26ebb3f74c8 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routesethttpheader.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routesethttpheader.go
@@ -4,7 +4,17 @@ package v1
 
 // RouteSetHTTPHeaderApplyConfiguration represents a declarative configuration of the RouteSetHTTPHeader type for use
 // with apply.
+//
+// RouteSetHTTPHeader specifies what value needs to be set on an HTTP header.
 type RouteSetHTTPHeaderApplyConfiguration struct {
+	// value specifies a header value.
+	// Dynamic values can be added. The value will be interpreted as an HAProxy format string as defined in
+	// http://cbonte.github.io/haproxy-dconv/2.6/configuration.html#8.2.6 and may use HAProxy's %[] syntax and
+	// otherwise must be a valid HTTP header value as defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.
+	// The value of this field must be no more than 16384 characters in length.
+	// Note that the total size of all net added headers *after* interpolating dynamic values
+	// must not exceed the value of spec.tuningOptions.headerBufferMaxRewriteBytes on the
+	// IngressController.
 	Value *string `json:"value,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routespec.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routespec.go
index 09b6fd421f9ee..d26dc026241fd 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routespec.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routespec.go
@@ -8,16 +8,62 @@ import (
 
 // RouteSpecApplyConfiguration represents a declarative configuration of the RouteSpec type for use
 // with apply.
+//
+// RouteSpec describes the hostname or path the route exposes, any security information,
+// and one to four backends (services) the route points to. Requests are distributed
+// among the backends depending on the weights assigned to each backend. When using
+// roundrobin scheduling the portion of requests that go to each backend is the backend
+// weight divided by the sum of all of the backend weights. When the backend has more than
+// one endpoint the requests that end up on the backend are roundrobin distributed among
+// the endpoints. Weights are between 0 and 256 with default 100. Weight 0 causes no requests
+// to the backend. If all weights are zero the route will be considered to have no backends
+// and return a standard 503 response.
+//
+// The `tls` field is optional and allows specific certificates or behavior for the
+// route. Routers typically configure a default certificate on a wildcard domain to
+// terminate routes without explicit certificates, but custom hostnames usually must
+// choose passthrough (send traffic directly to the backend via the TLS Server-Name-
+// Indication field) or provide a certificate.
 type RouteSpecApplyConfiguration struct {
-	Host              *string                                  `json:"host,omitempty"`
-	Subdomain         *string                                  `json:"subdomain,omitempty"`
-	Path              *string                                  `json:"path,omitempty"`
-	To                *RouteTargetReferenceApplyConfiguration  `json:"to,omitempty"`
+	// host is an alias/DNS that points to the service. Optional.
+	// If not specified a route name will typically be automatically
+	// chosen.
+	// Must follow DNS952 subdomain conventions.
+	Host *string `json:"host,omitempty"`
+	// subdomain is a DNS subdomain that is requested within the ingress controller's
+	// domain (as a subdomain). If host is set this field is ignored. An ingress
+	// controller may choose to ignore this suggested name, in which case the controller
+	// will report the assigned name in the status.ingress array or refuse to admit the
+	// route. If this value is set and the server does not support this field host will
+	// be populated automatically. Otherwise host is left empty. The field may have
+	// multiple parts separated by a dot, but not all ingress controllers may honor
+	// the request. This field may not be changed after creation except by a user with
+	// the update routes/custom-host permission.
+	//
+	// Example: subdomain `frontend` automatically receives the router subdomain
+	// `apps.mycluster.com` to have a full hostname `frontend.apps.mycluster.com`.
+	Subdomain *string `json:"subdomain,omitempty"`
+	// path that the router watches for, to route traffic for to the service. Optional
+	Path *string `json:"path,omitempty"`
+	// to is an object the route should use as the primary backend. Only the Service kind
+	// is allowed, and it will be defaulted to Service. If the weight field (0-256 default 100)
+	// is set to zero, no traffic will be sent to this backend.
+	To *RouteTargetReferenceApplyConfiguration `json:"to,omitempty"`
+	// alternateBackends allows up to 3 additional backends to be assigned to the route.
+	// Only the Service kind is allowed, and it will be defaulted to Service.
+	// Use the weight field in RouteTargetReference object to specify relative preference.
 	AlternateBackends []RouteTargetReferenceApplyConfiguration `json:"alternateBackends,omitempty"`
-	Port              *RoutePortApplyConfiguration             `json:"port,omitempty"`
-	TLS               *TLSConfigApplyConfiguration             `json:"tls,omitempty"`
-	WildcardPolicy    *routev1.WildcardPolicyType              `json:"wildcardPolicy,omitempty"`
-	HTTPHeaders       *RouteHTTPHeadersApplyConfiguration      `json:"httpHeaders,omitempty"`
+	// If specified, the port to be used by the router. Most routers will use all
+	// endpoints exposed by the service by default - set this value to instruct routers
+	// which port to use.
+	Port *RoutePortApplyConfiguration `json:"port,omitempty"`
+	// The tls field provides the ability to configure certificates and termination for the route.
+	TLS *TLSConfigApplyConfiguration `json:"tls,omitempty"`
+	// Wildcard policy if any for the route.
+	// Currently only 'Subdomain' or 'None' is allowed.
+	WildcardPolicy *routev1.WildcardPolicyType `json:"wildcardPolicy,omitempty"`
+	// httpHeaders defines policy for HTTP headers.
+	HTTPHeaders *RouteHTTPHeadersApplyConfiguration `json:"httpHeaders,omitempty"`
 }
 
 // RouteSpecApplyConfiguration constructs a declarative configuration of the RouteSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routestatus.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routestatus.go
index c4f5881c3b29a..a1d77a1951680 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routestatus.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routestatus.go
@@ -4,7 +4,13 @@ package v1
 
 // RouteStatusApplyConfiguration represents a declarative configuration of the RouteStatus type for use
 // with apply.
+//
+// RouteStatus provides relevant info about the status of a route, including which routers
+// acknowledge it.
 type RouteStatusApplyConfiguration struct {
+	// ingress describes the places where the route may be exposed. The list of
+	// ingress points may contain duplicate Host or RouterName values. Routes
+	// are considered live once they are `Ready`
 	Ingress []RouteIngressApplyConfiguration `json:"ingress,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routetargetreference.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routetargetreference.go
index 3521a17e230e3..affbe2ac49e3a 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routetargetreference.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/routetargetreference.go
@@ -4,10 +4,17 @@ package v1
 
 // RouteTargetReferenceApplyConfiguration represents a declarative configuration of the RouteTargetReference type for use
 // with apply.
+//
+// RouteTargetReference specifies the target that resolve into endpoints. Only the 'Service'
+// kind is allowed. Use 'weight' field to emphasize one over others.
 type RouteTargetReferenceApplyConfiguration struct {
-	Kind   *string `json:"kind,omitempty"`
-	Name   *string `json:"name,omitempty"`
-	Weight *int32  `json:"weight,omitempty"`
+	// The kind of target that the route is referring to. Currently, only 'Service' is allowed
+	Kind *string `json:"kind,omitempty"`
+	// name of the service/target that is being referred to. e.g. name of the service
+	Name *string `json:"name,omitempty"`
+	// weight as an integer between 0 and 256, default 100, that specifies the target's relative weight
+	// against other target reference objects. 0 suppresses requests to this backend.
+	Weight *int32 `json:"weight,omitempty"`
 }
 
 // RouteTargetReferenceApplyConfiguration constructs a declarative configuration of the RouteTargetReference type for use with
diff --git a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/tlsconfig.go b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/tlsconfig.go
index 296c4efc9bed4..4cc66b2cc0d9e 100644
--- a/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/tlsconfig.go
+++ b/vendor/github.com/openshift/client-go/route/applyconfigurations/route/v1/tlsconfig.go
@@ -8,14 +8,51 @@ import (
 
 // TLSConfigApplyConfiguration represents a declarative configuration of the TLSConfig type for use
 // with apply.
+//
+// TLSConfig defines config used to secure a route and provide termination
 type TLSConfigApplyConfiguration struct {
-	Termination                   *routev1.TLSTerminationType                `json:"termination,omitempty"`
-	Certificate                   *string                                    `json:"certificate,omitempty"`
-	Key                           *string                                    `json:"key,omitempty"`
-	CACertificate                 *string                                    `json:"caCertificate,omitempty"`
-	DestinationCACertificate      *string                                    `json:"destinationCACertificate,omitempty"`
+	// termination indicates the TLS termination type.
+	//
+	// * edge - TLS termination is done by the router and http is used to communicate with the backend (default)
+	//
+	// * passthrough - Traffic is sent straight to the destination without the router providing TLS termination
+	//
+	// * reencrypt - TLS termination is done by the router and https is used to communicate with the backend
+	//
+	// Note: passthrough termination is incompatible with httpHeader actions
+	Termination *routev1.TLSTerminationType `json:"termination,omitempty"`
+	// certificate provides certificate contents. This should be a single serving certificate, not a certificate
+	// chain. Do not include a CA certificate.
+	Certificate *string `json:"certificate,omitempty"`
+	// key provides key file contents
+	Key *string `json:"key,omitempty"`
+	// caCertificate provides the cert authority certificate contents
+	CACertificate *string `json:"caCertificate,omitempty"`
+	// destinationCACertificate provides the contents of the ca certificate of the final destination.  When using reencrypt
+	// termination this file should be provided in order to have routers use it for health checks on the secure connection.
+	// If this field is not specified, the router may provide its own destination CA and perform hostname validation using
+	// the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically
+	// verify.
+	DestinationCACertificate *string `json:"destinationCACertificate,omitempty"`
+	// insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While
+	// each router may make its own decisions on which ports to expose, this is normally port 80.
+	//
+	// If a route does not specify insecureEdgeTerminationPolicy, then the default behavior is "None".
+	//
+	// * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only).
+	//
+	// * None - no traffic is allowed on the insecure port (default).
+	//
+	// * Redirect - clients are redirected to the secure port.
 	InsecureEdgeTerminationPolicy *routev1.InsecureEdgeTerminationPolicyType `json:"insecureEdgeTerminationPolicy,omitempty"`
-	ExternalCertificate           *LocalObjectReferenceApplyConfiguration    `json:"externalCertificate,omitempty"`
+	// externalCertificate provides certificate contents as a secret reference.
+	// This should be a single serving certificate, not a certificate
+	// chain. Do not include a CA certificate. The secret referenced should
+	// be present in the same namespace as that of the Route.
+	// Forbidden when `certificate` is set.
+	// The router service account needs to be granted with read-only access to this secret,
+	// please refer to openshift docs for additional details.
+	ExternalCertificate *LocalObjectReferenceApplyConfiguration `json:"externalCertificate,omitempty"`
 }
 
 // TLSConfigApplyConfiguration constructs a declarative configuration of the TLSConfig type for use with
diff --git a/vendor/github.com/openshift/client-go/route/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/route/informers/externalversions/factory.go
index 8d23ff72b49d4..9897b77885979 100644
--- a/vendor/github.com/openshift/client-go/route/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/route/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/route/informers/externalversions/route/v1/route.go b/vendor/github.com/openshift/client-go/route/informers/externalversions/route/v1/route.go
index da98e3fd2aa7f..f6b2e2065c09e 100644
--- a/vendor/github.com/openshift/client-go/route/informers/externalversions/route/v1/route.go
+++ b/vendor/github.com/openshift/client-go/route/informers/externalversions/route/v1/route.go
@@ -41,7 +41,7 @@ func NewRouteInformer(client versioned.Interface, namespace string, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRouteInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredRouteInformer(client versioned.Interface, namespace string, resy
 				}
 				return client.RouteV1().Routes(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiroutev1.Route{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/allowedflexvolume.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/allowedflexvolume.go
index 0d9e9b40aa535..697d31e2ddda8 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/allowedflexvolume.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/allowedflexvolume.go
@@ -4,7 +4,10 @@ package v1
 
 // AllowedFlexVolumeApplyConfiguration represents a declarative configuration of the AllowedFlexVolume type for use
 // with apply.
+//
+// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
 type AllowedFlexVolumeApplyConfiguration struct {
+	// driver is the name of the Flexvolume driver.
 	Driver *string `json:"driver,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/fsgroupstrategyoptions.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/fsgroupstrategyoptions.go
index d9c1dd1a606fe..dc6b70ce98238 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/fsgroupstrategyoptions.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/fsgroupstrategyoptions.go
@@ -8,9 +8,14 @@ import (
 
 // FSGroupStrategyOptionsApplyConfiguration represents a declarative configuration of the FSGroupStrategyOptions type for use
 // with apply.
+//
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
 type FSGroupStrategyOptionsApplyConfiguration struct {
-	Type   *securityv1.FSGroupStrategyType `json:"type,omitempty"`
-	Ranges []IDRangeApplyConfiguration     `json:"ranges,omitempty"`
+	// type is the strategy that will dictate what FSGroup is used in the SecurityContext.
+	Type *securityv1.FSGroupStrategyType `json:"type,omitempty"`
+	// ranges are the allowed ranges of fs groups.  If you would like to force a single
+	// fs group then supply a single range with the same start and end.
+	Ranges []IDRangeApplyConfiguration `json:"ranges,omitempty"`
 }
 
 // FSGroupStrategyOptionsApplyConfiguration constructs a declarative configuration of the FSGroupStrategyOptions type for use with
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/idrange.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/idrange.go
index 70c20336a0a8b..3847c35235306 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/idrange.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/idrange.go
@@ -4,8 +4,13 @@ package v1
 
 // IDRangeApplyConfiguration represents a declarative configuration of the IDRange type for use
 // with apply.
+//
+// IDRange provides a min/max of an allowed range of IDs.
+// TODO: this could be reused for UIDs.
 type IDRangeApplyConfiguration struct {
+	// min is the start of the range, inclusive.
 	Min *int64 `json:"min,omitempty"`
+	// max is the end of the range, inclusive.
 	Max *int64 `json:"max,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/rangeallocation.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/rangeallocation.go
index 34737c9e7be9f..0d1122ac0d0ad 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/rangeallocation.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/rangeallocation.go
@@ -13,11 +13,20 @@ import (
 
 // RangeAllocationApplyConfiguration represents a declarative configuration of the RangeAllocation type for use
 // with apply.
+//
+// # RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
 type RangeAllocationApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Range                                *string `json:"range,omitempty"`
-	Data                                 []byte  `json:"data,omitempty"`
+	// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
+	Range *string `json:"range,omitempty"`
+	// data is a byte array representing the serialized state of a range allocation.  It is a bitmap
+	// with each bit set to one to represent a range is taken.
+	Data []byte `json:"data,omitempty"`
 }
 
 // RangeAllocation constructs a declarative configuration of the RangeAllocation type for use with
@@ -30,29 +39,14 @@ func RangeAllocation(name string) *RangeAllocationApplyConfiguration {
 	return b
 }
 
-// ExtractRangeAllocation extracts the applied configuration owned by fieldManager from
-// rangeAllocation. If no managedFields are found in rangeAllocation for fieldManager, a
-// RangeAllocationApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractRangeAllocationFrom extracts the applied configuration owned by fieldManager from
+// rangeAllocation for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // rangeAllocation must be a unmodified RangeAllocation API object that was retrieved from the Kubernetes API.
-// ExtractRangeAllocation provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractRangeAllocationFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractRangeAllocation(rangeAllocation *securityv1.RangeAllocation, fieldManager string) (*RangeAllocationApplyConfiguration, error) {
-	return extractRangeAllocation(rangeAllocation, fieldManager, "")
-}
-
-// ExtractRangeAllocationStatus is the same as ExtractRangeAllocation except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractRangeAllocationStatus(rangeAllocation *securityv1.RangeAllocation, fieldManager string) (*RangeAllocationApplyConfiguration, error) {
-	return extractRangeAllocation(rangeAllocation, fieldManager, "status")
-}
-
-func extractRangeAllocation(rangeAllocation *securityv1.RangeAllocation, fieldManager string, subresource string) (*RangeAllocationApplyConfiguration, error) {
+func ExtractRangeAllocationFrom(rangeAllocation *securityv1.RangeAllocation, fieldManager string, subresource string) (*RangeAllocationApplyConfiguration, error) {
 	b := &RangeAllocationApplyConfiguration{}
 	err := managedfields.ExtractInto(rangeAllocation, internal.Parser().Type("com.github.openshift.api.security.v1.RangeAllocation"), fieldManager, b, subresource)
 	if err != nil {
@@ -64,6 +58,21 @@ func extractRangeAllocation(rangeAllocation *securityv1.RangeAllocation, fieldMa
 	b.WithAPIVersion("security.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractRangeAllocation extracts the applied configuration owned by fieldManager from
+// rangeAllocation. If no managedFields are found in rangeAllocation for fieldManager, a
+// RangeAllocationApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// rangeAllocation must be a unmodified RangeAllocation API object that was retrieved from the Kubernetes API.
+// ExtractRangeAllocation provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractRangeAllocation(rangeAllocation *securityv1.RangeAllocation, fieldManager string) (*RangeAllocationApplyConfiguration, error) {
+	return ExtractRangeAllocationFrom(rangeAllocation, fieldManager, "")
+}
+
 func (b RangeAllocationApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/runasuserstrategyoptions.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/runasuserstrategyoptions.go
index e93f8d6436158..8a13b15a3dd61 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/runasuserstrategyoptions.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/runasuserstrategyoptions.go
@@ -8,11 +8,18 @@ import (
 
 // RunAsUserStrategyOptionsApplyConfiguration represents a declarative configuration of the RunAsUserStrategyOptions type for use
 // with apply.
+//
+// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
 type RunAsUserStrategyOptionsApplyConfiguration struct {
-	Type        *securityv1.RunAsUserStrategyType `json:"type,omitempty"`
-	UID         *int64                            `json:"uid,omitempty"`
-	UIDRangeMin *int64                            `json:"uidRangeMin,omitempty"`
-	UIDRangeMax *int64                            `json:"uidRangeMax,omitempty"`
+	// type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
+	Type *securityv1.RunAsUserStrategyType `json:"type,omitempty"`
+	// uid is the user id that containers must run as.  Required for the MustRunAs strategy if not using
+	// namespace/service account allocated uids.
+	UID *int64 `json:"uid,omitempty"`
+	// uidRangeMin defines the min value for a strategy that allocates by range.
+	UIDRangeMin *int64 `json:"uidRangeMin,omitempty"`
+	// uidRangeMax defines the max value for a strategy that allocates by range.
+	UIDRangeMax *int64 `json:"uidRangeMax,omitempty"`
 }
 
 // RunAsUserStrategyOptionsApplyConfiguration constructs a declarative configuration of the RunAsUserStrategyOptions type for use with
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/securitycontextconstraints.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/securitycontextconstraints.go
index df0815aa3c200..d2e392506fcfc 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/securitycontextconstraints.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/securitycontextconstraints.go
@@ -14,34 +14,112 @@ import (
 
 // SecurityContextConstraintsApplyConfiguration represents a declarative configuration of the SecurityContextConstraints type for use
 // with apply.
+//
+// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
+// that will be applied to a container.
+// For historical reasons SCC was exposed under the core Kubernetes API group.
+// That exposure is deprecated and will be removed in a future release - users
+// should instead use the security.openshift.io group to manage
+// SecurityContextConstraints.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type SecurityContextConstraintsApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Priority                             *int32                                               `json:"priority,omitempty"`
-	AllowPrivilegedContainer             *bool                                                `json:"allowPrivilegedContainer,omitempty"`
-	DefaultAddCapabilities               []corev1.Capability                                  `json:"defaultAddCapabilities,omitempty"`
-	RequiredDropCapabilities             []corev1.Capability                                  `json:"requiredDropCapabilities,omitempty"`
-	AllowedCapabilities                  []corev1.Capability                                  `json:"allowedCapabilities,omitempty"`
-	AllowHostDirVolumePlugin             *bool                                                `json:"allowHostDirVolumePlugin,omitempty"`
-	Volumes                              []securityv1.FSType                                  `json:"volumes,omitempty"`
-	AllowedFlexVolumes                   []AllowedFlexVolumeApplyConfiguration                `json:"allowedFlexVolumes,omitempty"`
-	AllowHostNetwork                     *bool                                                `json:"allowHostNetwork,omitempty"`
-	AllowHostPorts                       *bool                                                `json:"allowHostPorts,omitempty"`
-	AllowHostPID                         *bool                                                `json:"allowHostPID,omitempty"`
-	AllowHostIPC                         *bool                                                `json:"allowHostIPC,omitempty"`
-	UserNamespaceLevel                   *securityv1.NamespaceLevelType                       `json:"userNamespaceLevel,omitempty"`
-	DefaultAllowPrivilegeEscalation      *bool                                                `json:"defaultAllowPrivilegeEscalation,omitempty"`
-	AllowPrivilegeEscalation             *bool                                                `json:"allowPrivilegeEscalation,omitempty"`
-	SELinuxContext                       *SELinuxContextStrategyOptionsApplyConfiguration     `json:"seLinuxContext,omitempty"`
-	RunAsUser                            *RunAsUserStrategyOptionsApplyConfiguration          `json:"runAsUser,omitempty"`
-	SupplementalGroups                   *SupplementalGroupsStrategyOptionsApplyConfiguration `json:"supplementalGroups,omitempty"`
-	FSGroup                              *FSGroupStrategyOptionsApplyConfiguration            `json:"fsGroup,omitempty"`
-	ReadOnlyRootFilesystem               *bool                                                `json:"readOnlyRootFilesystem,omitempty"`
-	Users                                []string                                             `json:"users,omitempty"`
-	Groups                               []string                                             `json:"groups,omitempty"`
-	SeccompProfiles                      []string                                             `json:"seccompProfiles,omitempty"`
-	AllowedUnsafeSysctls                 []string                                             `json:"allowedUnsafeSysctls,omitempty"`
-	ForbiddenSysctls                     []string                                             `json:"forbiddenSysctls,omitempty"`
+	// priority influences the sort order of SCCs when evaluating which SCCs to try first for
+	// a given pod request based on access in the Users and Groups fields.  The higher the int, the
+	// higher priority. An unset value is considered a 0 priority. If scores
+	// for multiple SCCs are equal they will be sorted from most restrictive to
+	// least restrictive. If both priorities and restrictions are equal the
+	// SCCs will be sorted by name.
+	Priority *int32 `json:"priority,omitempty"`
+	// allowPrivilegedContainer determines if a container can request to be run as privileged.
+	AllowPrivilegedContainer *bool `json:"allowPrivilegedContainer,omitempty"`
+	// defaultAddCapabilities is the default set of capabilities that will be added to the container
+	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
+	// DefaultAddCapabilities and RequiredDropCapabilities.
+	DefaultAddCapabilities []corev1.Capability `json:"defaultAddCapabilities,omitempty"`
+	// requiredDropCapabilities are the capabilities that will be dropped from the container.  These
+	// are required to be dropped and cannot be added.
+	RequiredDropCapabilities []corev1.Capability `json:"requiredDropCapabilities,omitempty"`
+	// allowedCapabilities is a list of capabilities that can be requested to add to the container.
+	// Capabilities in this field maybe added at the pod author's discretion.
+	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+	// To allow all capabilities you may use '*'.
+	AllowedCapabilities []corev1.Capability `json:"allowedCapabilities,omitempty"`
+	// allowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
+	AllowHostDirVolumePlugin *bool `json:"allowHostDirVolumePlugin,omitempty"`
+	// volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names
+	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
+	// To allow no volumes, set to ["none"].
+	Volumes []securityv1.FSType `json:"volumes,omitempty"`
+	// allowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
+	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
+	// is allowed in the "Volumes" field.
+	AllowedFlexVolumes []AllowedFlexVolumeApplyConfiguration `json:"allowedFlexVolumes,omitempty"`
+	// allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
+	AllowHostNetwork *bool `json:"allowHostNetwork,omitempty"`
+	// allowHostPorts determines if the policy allows host ports in the containers.
+	AllowHostPorts *bool `json:"allowHostPorts,omitempty"`
+	// allowHostPID determines if the policy allows host pid in the containers.
+	AllowHostPID *bool `json:"allowHostPID,omitempty"`
+	// allowHostIPC determines if the policy allows host ipc in the containers.
+	AllowHostIPC *bool `json:"allowHostIPC,omitempty"`
+	// userNamespaceLevel determines if the policy allows host users in containers.
+	// Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
+	// When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
+	// When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
+	// When omitted, the default value is "AllowHostLevel".
+	UserNamespaceLevel *securityv1.NamespaceLevelType `json:"userNamespaceLevel,omitempty"`
+	// defaultAllowPrivilegeEscalation controls the default setting for whether a
+	// process can gain more privileges than its parent process.
+	DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty"`
+	// allowPrivilegeEscalation determines if a pod can request to allow
+	// privilege escalation. If unspecified, defaults to true.
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
+	// seLinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
+	SELinuxContext *SELinuxContextStrategyOptionsApplyConfiguration `json:"seLinuxContext,omitempty"`
+	// runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
+	RunAsUser *RunAsUserStrategyOptionsApplyConfiguration `json:"runAsUser,omitempty"`
+	// supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+	SupplementalGroups *SupplementalGroupsStrategyOptionsApplyConfiguration `json:"supplementalGroups,omitempty"`
+	// fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+	FSGroup *FSGroupStrategyOptionsApplyConfiguration `json:"fsGroup,omitempty"`
+	// readOnlyRootFilesystem when set to true will force containers to run with a read only root file
+	// system.  If the container specifically requests to run with a non-read only root file system
+	// the SCC should deny the pod.
+	// If set to false the container may run with a read only root file system if it wishes but it
+	// will not be forced to.
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
+	// The users who have permissions to use this security context constraints
+	Users []string `json:"users,omitempty"`
+	// The groups that have permission to use this security context constraints
+	Groups []string `json:"groups,omitempty"`
+	// seccompProfiles lists the allowed profiles that may be set for the pod or
+	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
+	// be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
+	// used to generate a value for a pod the first non-wildcard profile will be used as
+	// the default.
+	SeccompProfiles []string `json:"seccompProfiles,omitempty"`
+	// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+	// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+	//
+	// Examples:
+	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+	AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"`
+	// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+	//
+	// Examples:
+	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+	ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty"`
 }
 
 // SecurityContextConstraints constructs a declarative configuration of the SecurityContextConstraints type for use with
@@ -54,29 +132,14 @@ func SecurityContextConstraints(name string) *SecurityContextConstraintsApplyCon
 	return b
 }
 
-// ExtractSecurityContextConstraints extracts the applied configuration owned by fieldManager from
-// securityContextConstraints. If no managedFields are found in securityContextConstraints for fieldManager, a
-// SecurityContextConstraintsApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractSecurityContextConstraintsFrom extracts the applied configuration owned by fieldManager from
+// securityContextConstraints for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // securityContextConstraints must be a unmodified SecurityContextConstraints API object that was retrieved from the Kubernetes API.
-// ExtractSecurityContextConstraints provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractSecurityContextConstraintsFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractSecurityContextConstraints(securityContextConstraints *securityv1.SecurityContextConstraints, fieldManager string) (*SecurityContextConstraintsApplyConfiguration, error) {
-	return extractSecurityContextConstraints(securityContextConstraints, fieldManager, "")
-}
-
-// ExtractSecurityContextConstraintsStatus is the same as ExtractSecurityContextConstraints except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractSecurityContextConstraintsStatus(securityContextConstraints *securityv1.SecurityContextConstraints, fieldManager string) (*SecurityContextConstraintsApplyConfiguration, error) {
-	return extractSecurityContextConstraints(securityContextConstraints, fieldManager, "status")
-}
-
-func extractSecurityContextConstraints(securityContextConstraints *securityv1.SecurityContextConstraints, fieldManager string, subresource string) (*SecurityContextConstraintsApplyConfiguration, error) {
+func ExtractSecurityContextConstraintsFrom(securityContextConstraints *securityv1.SecurityContextConstraints, fieldManager string, subresource string) (*SecurityContextConstraintsApplyConfiguration, error) {
 	b := &SecurityContextConstraintsApplyConfiguration{}
 	err := managedfields.ExtractInto(securityContextConstraints, internal.Parser().Type("com.github.openshift.api.security.v1.SecurityContextConstraints"), fieldManager, b, subresource)
 	if err != nil {
@@ -88,6 +151,21 @@ func extractSecurityContextConstraints(securityContextConstraints *securityv1.Se
 	b.WithAPIVersion("security.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractSecurityContextConstraints extracts the applied configuration owned by fieldManager from
+// securityContextConstraints. If no managedFields are found in securityContextConstraints for fieldManager, a
+// SecurityContextConstraintsApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// securityContextConstraints must be a unmodified SecurityContextConstraints API object that was retrieved from the Kubernetes API.
+// ExtractSecurityContextConstraints provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractSecurityContextConstraints(securityContextConstraints *securityv1.SecurityContextConstraints, fieldManager string) (*SecurityContextConstraintsApplyConfiguration, error) {
+	return ExtractSecurityContextConstraintsFrom(securityContextConstraints, fieldManager, "")
+}
+
 func (b SecurityContextConstraintsApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/selinuxcontextstrategyoptions.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/selinuxcontextstrategyoptions.go
index 985472fea422c..fb0e4fd2c10b3 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/selinuxcontextstrategyoptions.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/selinuxcontextstrategyoptions.go
@@ -9,9 +9,13 @@ import (
 
 // SELinuxContextStrategyOptionsApplyConfiguration represents a declarative configuration of the SELinuxContextStrategyOptions type for use
 // with apply.
+//
+// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
 type SELinuxContextStrategyOptionsApplyConfiguration struct {
-	Type           *securityv1.SELinuxContextStrategyType `json:"type,omitempty"`
-	SELinuxOptions *corev1.SELinuxOptions                 `json:"seLinuxOptions,omitempty"`
+	// type is the strategy that will dictate what SELinux context is used in the SecurityContext.
+	Type *securityv1.SELinuxContextStrategyType `json:"type,omitempty"`
+	// seLinuxOptions required to run as; required for MustRunAs
+	SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty"`
 }
 
 // SELinuxContextStrategyOptionsApplyConfiguration constructs a declarative configuration of the SELinuxContextStrategyOptions type for use with
diff --git a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/supplementalgroupsstrategyoptions.go b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/supplementalgroupsstrategyoptions.go
index e1f1db6211e12..6d36d3fef9104 100644
--- a/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/supplementalgroupsstrategyoptions.go
+++ b/vendor/github.com/openshift/client-go/security/applyconfigurations/security/v1/supplementalgroupsstrategyoptions.go
@@ -8,9 +8,14 @@ import (
 
 // SupplementalGroupsStrategyOptionsApplyConfiguration represents a declarative configuration of the SupplementalGroupsStrategyOptions type for use
 // with apply.
+//
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
 type SupplementalGroupsStrategyOptionsApplyConfiguration struct {
-	Type   *securityv1.SupplementalGroupsStrategyType `json:"type,omitempty"`
-	Ranges []IDRangeApplyConfiguration                `json:"ranges,omitempty"`
+	// type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+	Type *securityv1.SupplementalGroupsStrategyType `json:"type,omitempty"`
+	// ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+	// supplemental group then supply a single range with the same start and end.
+	Ranges []IDRangeApplyConfiguration `json:"ranges,omitempty"`
 }
 
 // SupplementalGroupsStrategyOptionsApplyConfiguration constructs a declarative configuration of the SupplementalGroupsStrategyOptions type for use with
diff --git a/vendor/github.com/openshift/client-go/security/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/security/informers/externalversions/factory.go
index 1d5116f2feaca..e8bb4a43a8d3e 100644
--- a/vendor/github.com/openshift/client-go/security/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/security/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/rangeallocation.go b/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/rangeallocation.go
index 3f73215581e3f..c6a6ca5906a6a 100644
--- a/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/rangeallocation.go
+++ b/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/rangeallocation.go
@@ -40,7 +40,7 @@ func NewRangeAllocationInformer(client versioned.Interface, resyncPeriod time.Du
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredRangeAllocationInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredRangeAllocationInformer(client versioned.Interface, resyncPeriod
 				}
 				return client.SecurityV1().RangeAllocations().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisecurityv1.RangeAllocation{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/securitycontextconstraints.go b/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/securitycontextconstraints.go
index 4781ffc20d6c4..bafa371d6948e 100644
--- a/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/securitycontextconstraints.go
+++ b/vendor/github.com/openshift/client-go/security/informers/externalversions/security/v1/securitycontextconstraints.go
@@ -40,7 +40,7 @@ func NewSecurityContextConstraintsInformer(client versioned.Interface, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredSecurityContextConstraintsInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredSecurityContextConstraintsInformer(client versioned.Interface, r
 				}
 				return client.SecurityV1().SecurityContextConstraints().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apisecurityv1.SecurityContextConstraints{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstance.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstance.go
index c9f8644ac197f..4d5b78aebcfb3 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstance.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstance.go
@@ -13,10 +13,18 @@ import (
 
 // BrokerTemplateInstanceApplyConfiguration represents a declarative configuration of the BrokerTemplateInstance type for use
 // with apply.
+//
+// BrokerTemplateInstance holds the service broker-related state associated with
+// a TemplateInstance.  BrokerTemplateInstance is part of an experimental API.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type BrokerTemplateInstanceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *BrokerTemplateInstanceSpecApplyConfiguration `json:"spec,omitempty"`
+	// spec describes the state of this BrokerTemplateInstance.
+	Spec *BrokerTemplateInstanceSpecApplyConfiguration `json:"spec,omitempty"`
 }
 
 // BrokerTemplateInstance constructs a declarative configuration of the BrokerTemplateInstance type for use with
@@ -29,29 +37,14 @@ func BrokerTemplateInstance(name string) *BrokerTemplateInstanceApplyConfigurati
 	return b
 }
 
-// ExtractBrokerTemplateInstance extracts the applied configuration owned by fieldManager from
-// brokerTemplateInstance. If no managedFields are found in brokerTemplateInstance for fieldManager, a
-// BrokerTemplateInstanceApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractBrokerTemplateInstanceFrom extracts the applied configuration owned by fieldManager from
+// brokerTemplateInstance for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // brokerTemplateInstance must be a unmodified BrokerTemplateInstance API object that was retrieved from the Kubernetes API.
-// ExtractBrokerTemplateInstance provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractBrokerTemplateInstanceFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractBrokerTemplateInstance(brokerTemplateInstance *templatev1.BrokerTemplateInstance, fieldManager string) (*BrokerTemplateInstanceApplyConfiguration, error) {
-	return extractBrokerTemplateInstance(brokerTemplateInstance, fieldManager, "")
-}
-
-// ExtractBrokerTemplateInstanceStatus is the same as ExtractBrokerTemplateInstance except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractBrokerTemplateInstanceStatus(brokerTemplateInstance *templatev1.BrokerTemplateInstance, fieldManager string) (*BrokerTemplateInstanceApplyConfiguration, error) {
-	return extractBrokerTemplateInstance(brokerTemplateInstance, fieldManager, "status")
-}
-
-func extractBrokerTemplateInstance(brokerTemplateInstance *templatev1.BrokerTemplateInstance, fieldManager string, subresource string) (*BrokerTemplateInstanceApplyConfiguration, error) {
+func ExtractBrokerTemplateInstanceFrom(brokerTemplateInstance *templatev1.BrokerTemplateInstance, fieldManager string, subresource string) (*BrokerTemplateInstanceApplyConfiguration, error) {
 	b := &BrokerTemplateInstanceApplyConfiguration{}
 	err := managedfields.ExtractInto(brokerTemplateInstance, internal.Parser().Type("com.github.openshift.api.template.v1.BrokerTemplateInstance"), fieldManager, b, subresource)
 	if err != nil {
@@ -63,6 +56,21 @@ func extractBrokerTemplateInstance(brokerTemplateInstance *templatev1.BrokerTemp
 	b.WithAPIVersion("template.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractBrokerTemplateInstance extracts the applied configuration owned by fieldManager from
+// brokerTemplateInstance. If no managedFields are found in brokerTemplateInstance for fieldManager, a
+// BrokerTemplateInstanceApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// brokerTemplateInstance must be a unmodified BrokerTemplateInstance API object that was retrieved from the Kubernetes API.
+// ExtractBrokerTemplateInstance provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractBrokerTemplateInstance(brokerTemplateInstance *templatev1.BrokerTemplateInstance, fieldManager string) (*BrokerTemplateInstanceApplyConfiguration, error) {
+	return ExtractBrokerTemplateInstanceFrom(brokerTemplateInstance, fieldManager, "")
+}
+
 func (b BrokerTemplateInstanceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstancespec.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstancespec.go
index e65b74928c5ba..ed0ae32b0f50a 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstancespec.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/brokertemplateinstancespec.go
@@ -8,10 +8,18 @@ import (
 
 // BrokerTemplateInstanceSpecApplyConfiguration represents a declarative configuration of the BrokerTemplateInstanceSpec type for use
 // with apply.
+//
+// BrokerTemplateInstanceSpec describes the state of a BrokerTemplateInstance.
 type BrokerTemplateInstanceSpecApplyConfiguration struct {
+	// templateInstance is a reference to a TemplateInstance object residing
+	// in a namespace.
 	TemplateInstance *corev1.ObjectReference `json:"templateInstance,omitempty"`
-	Secret           *corev1.ObjectReference `json:"secret,omitempty"`
-	BindingIDs       []string                `json:"bindingIDs,omitempty"`
+	// secret is a reference to a Secret object residing in a namespace,
+	// containing the necessary template parameters.
+	Secret *corev1.ObjectReference `json:"secret,omitempty"`
+	// bindingIDs is a list of 'binding_id's provided during successive bind
+	// calls to the template service broker.
+	BindingIDs []string `json:"bindingIDs,omitempty"`
 }
 
 // BrokerTemplateInstanceSpecApplyConfiguration constructs a declarative configuration of the BrokerTemplateInstanceSpec type for use with
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/parameter.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/parameter.go
index 963d343e9e24c..038f696926776 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/parameter.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/parameter.go
@@ -4,14 +4,43 @@ package v1
 
 // ParameterApplyConfiguration represents a declarative configuration of the Parameter type for use
 // with apply.
+//
+// Parameter defines a name/value variable that is to be processed during
+// the Template to Config transformation.
 type ParameterApplyConfiguration struct {
-	Name        *string `json:"name,omitempty"`
+	// name must be set and it can be referenced in Template
+	// Items using ${PARAMETER_NAME}. Required.
+	Name *string `json:"name,omitempty"`
+	// Optional: The name that will show in UI instead of parameter 'Name'
 	DisplayName *string `json:"displayName,omitempty"`
+	// description of a parameter. Optional.
 	Description *string `json:"description,omitempty"`
-	Value       *string `json:"value,omitempty"`
-	Generate    *string `json:"generate,omitempty"`
-	From        *string `json:"from,omitempty"`
-	Required    *bool   `json:"required,omitempty"`
+	// value holds the Parameter data. If specified, the generator will be
+	// ignored. The value replaces all occurrences of the Parameter ${Name}
+	// expression during the Template to Config transformation. Optional.
+	Value *string `json:"value,omitempty"`
+	// generate specifies the generator to be used to generate random string
+	// from an input value specified by From field. The result string is
+	// stored into Value field. If empty, no generator is being used, leaving
+	// the result Value untouched. Optional.
+	//
+	// The only supported generator is "expression", which accepts a "from"
+	// value in the form of a simple regular expression containing the
+	// range expression "[a-zA-Z0-9]", and the length expression "a{length}".
+	//
+	// Examples:
+	//
+	// from             | value
+	// -----------------------------
+	// "test[0-9]{1}x"  | "test7x"
+	// "[0-1]{8}"       | "01001100"
+	// "0x[A-F0-9]{4}"  | "0xB3AF"
+	// "[a-zA-Z0-9]{8}" | "hW4yQU5i"
+	Generate *string `json:"generate,omitempty"`
+	// from is an input value for the generator. Optional.
+	From *string `json:"from,omitempty"`
+	// Optional: Indicates the parameter must have a value.  Defaults to false.
+	Required *bool `json:"required,omitempty"`
 }
 
 // ParameterApplyConfiguration constructs a declarative configuration of the Parameter type for use with
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/template.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/template.go
index cd127e5fca1ea..892bcb4b2565b 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/template.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/template.go
@@ -14,13 +14,35 @@ import (
 
 // TemplateApplyConfiguration represents a declarative configuration of the Template type for use
 // with apply.
+//
+// Template contains the inputs needed to produce a Config.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type TemplateApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Message                              *string                       `json:"message,omitempty"`
-	Objects                              []runtime.RawExtension        `json:"objects,omitempty"`
-	Parameters                           []ParameterApplyConfiguration `json:"parameters,omitempty"`
-	ObjectLabels                         map[string]string             `json:"labels,omitempty"`
+	// message is an optional instructional message that will
+	// be displayed when this template is instantiated.
+	// This field should inform the user how to utilize the newly created resources.
+	// Parameter substitution will be performed on the message before being
+	// displayed so that generated credentials and other parameters can be
+	// included in the output.
+	Message *string `json:"message,omitempty"`
+	// objects is an array of resources to include in this template.
+	// If a namespace value is hardcoded in the object, it will be removed
+	// during template instantiation, however if the namespace value
+	// is, or contains, a ${PARAMETER_REFERENCE}, the resolved
+	// value after parameter substitution will be respected and the object
+	// will be created in that namespace.
+	Objects []runtime.RawExtension `json:"objects,omitempty"`
+	// parameters is an optional array of Parameters used during the
+	// Template to Config transformation.
+	Parameters []ParameterApplyConfiguration `json:"parameters,omitempty"`
+	// labels is a optional set of labels that are applied to every
+	// object during the Template to Config transformation.
+	ObjectLabels map[string]string `json:"labels,omitempty"`
 }
 
 // Template constructs a declarative configuration of the Template type for use with
@@ -34,29 +56,14 @@ func Template(name, namespace string) *TemplateApplyConfiguration {
 	return b
 }
 
-// ExtractTemplate extracts the applied configuration owned by fieldManager from
-// template. If no managedFields are found in template for fieldManager, a
-// TemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractTemplateFrom extracts the applied configuration owned by fieldManager from
+// template for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // template must be a unmodified Template API object that was retrieved from the Kubernetes API.
-// ExtractTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractTemplateFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractTemplate(template *templatev1.Template, fieldManager string) (*TemplateApplyConfiguration, error) {
-	return extractTemplate(template, fieldManager, "")
-}
-
-// ExtractTemplateStatus is the same as ExtractTemplate except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractTemplateStatus(template *templatev1.Template, fieldManager string) (*TemplateApplyConfiguration, error) {
-	return extractTemplate(template, fieldManager, "status")
-}
-
-func extractTemplate(template *templatev1.Template, fieldManager string, subresource string) (*TemplateApplyConfiguration, error) {
+func ExtractTemplateFrom(template *templatev1.Template, fieldManager string, subresource string) (*TemplateApplyConfiguration, error) {
 	b := &TemplateApplyConfiguration{}
 	err := managedfields.ExtractInto(template, internal.Parser().Type("com.github.openshift.api.template.v1.Template"), fieldManager, b, subresource)
 	if err != nil {
@@ -69,6 +76,21 @@ func extractTemplate(template *templatev1.Template, fieldManager string, subreso
 	b.WithAPIVersion("template.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractTemplate extracts the applied configuration owned by fieldManager from
+// template. If no managedFields are found in template for fieldManager, a
+// TemplateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// template must be a unmodified Template API object that was retrieved from the Kubernetes API.
+// ExtractTemplate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractTemplate(template *templatev1.Template, fieldManager string) (*TemplateApplyConfiguration, error) {
+	return ExtractTemplateFrom(template, fieldManager, "")
+}
+
 func (b TemplateApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstance.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstance.go
index 674348bba3608..9d5cab70f86ca 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstance.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstance.go
@@ -13,11 +13,20 @@ import (
 
 // TemplateInstanceApplyConfiguration represents a declarative configuration of the TemplateInstance type for use
 // with apply.
+//
+// TemplateInstance requests and records the instantiation of a Template.
+// TemplateInstance is part of an experimental API.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type TemplateInstanceApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                                 *TemplateInstanceSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                               *TemplateInstanceStatusApplyConfiguration `json:"status,omitempty"`
+	// spec describes the desired state of this TemplateInstance.
+	Spec *TemplateInstanceSpecApplyConfiguration `json:"spec,omitempty"`
+	// status describes the current state of this TemplateInstance.
+	Status *TemplateInstanceStatusApplyConfiguration `json:"status,omitempty"`
 }
 
 // TemplateInstance constructs a declarative configuration of the TemplateInstance type for use with
@@ -31,6 +40,27 @@ func TemplateInstance(name, namespace string) *TemplateInstanceApplyConfiguratio
 	return b
 }
 
+// ExtractTemplateInstanceFrom extracts the applied configuration owned by fieldManager from
+// templateInstance for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
+// templateInstance must be a unmodified TemplateInstance API object that was retrieved from the Kubernetes API.
+// ExtractTemplateInstanceFrom provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractTemplateInstanceFrom(templateInstance *templatev1.TemplateInstance, fieldManager string, subresource string) (*TemplateInstanceApplyConfiguration, error) {
+	b := &TemplateInstanceApplyConfiguration{}
+	err := managedfields.ExtractInto(templateInstance, internal.Parser().Type("com.github.openshift.api.template.v1.TemplateInstance"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(templateInstance.Name)
+	b.WithNamespace(templateInstance.Namespace)
+
+	b.WithKind("TemplateInstance")
+	b.WithAPIVersion("template.openshift.io/v1")
+	return b, nil
+}
+
 // ExtractTemplateInstance extracts the applied configuration owned by fieldManager from
 // templateInstance. If no managedFields are found in templateInstance for fieldManager, a
 // TemplateInstanceApplyConfiguration is returned with only the Name, Namespace (if applicable),
@@ -41,31 +71,16 @@ func TemplateInstance(name, namespace string) *TemplateInstanceApplyConfiguratio
 // ExtractTemplateInstance provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
 func ExtractTemplateInstance(templateInstance *templatev1.TemplateInstance, fieldManager string) (*TemplateInstanceApplyConfiguration, error) {
-	return extractTemplateInstance(templateInstance, fieldManager, "")
+	return ExtractTemplateInstanceFrom(templateInstance, fieldManager, "")
 }
 
-// ExtractTemplateInstanceStatus is the same as ExtractTemplateInstance except
-// that it extracts the status subresource applied configuration.
-// Experimental!
+// ExtractTemplateInstanceStatus extracts the applied configuration owned by fieldManager from
+// templateInstance for the status subresource.
 func ExtractTemplateInstanceStatus(templateInstance *templatev1.TemplateInstance, fieldManager string) (*TemplateInstanceApplyConfiguration, error) {
-	return extractTemplateInstance(templateInstance, fieldManager, "status")
+	return ExtractTemplateInstanceFrom(templateInstance, fieldManager, "status")
 }
 
-func extractTemplateInstance(templateInstance *templatev1.TemplateInstance, fieldManager string, subresource string) (*TemplateInstanceApplyConfiguration, error) {
-	b := &TemplateInstanceApplyConfiguration{}
-	err := managedfields.ExtractInto(templateInstance, internal.Parser().Type("com.github.openshift.api.template.v1.TemplateInstance"), fieldManager, b, subresource)
-	if err != nil {
-		return nil, err
-	}
-	b.WithName(templateInstance.Name)
-	b.WithNamespace(templateInstance.Namespace)
-
-	b.WithKind("TemplateInstance")
-	b.WithAPIVersion("template.openshift.io/v1")
-	return b, nil
-}
 func (b TemplateInstanceApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancecondition.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancecondition.go
index 564bc8023c20f..02a3da981e650 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancecondition.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancecondition.go
@@ -10,12 +10,23 @@ import (
 
 // TemplateInstanceConditionApplyConfiguration represents a declarative configuration of the TemplateInstanceCondition type for use
 // with apply.
+//
+// TemplateInstanceCondition contains condition information for a
+// TemplateInstance.
 type TemplateInstanceConditionApplyConfiguration struct {
-	Type               *templatev1.TemplateInstanceConditionType `json:"type,omitempty"`
-	Status             *corev1.ConditionStatus                   `json:"status,omitempty"`
-	LastTransitionTime *metav1.Time                              `json:"lastTransitionTime,omitempty"`
-	Reason             *string                                   `json:"reason,omitempty"`
-	Message            *string                                   `json:"message,omitempty"`
+	// type of the condition, currently Ready or InstantiateFailure.
+	Type *templatev1.TemplateInstanceConditionType `json:"type,omitempty"`
+	// status of the condition, one of True, False or Unknown.
+	Status *corev1.ConditionStatus `json:"status,omitempty"`
+	// lastTransitionTime is the last time a condition status transitioned from
+	// one state to another.
+	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
+	// reason is a brief machine readable explanation for the condition's last
+	// transition.
+	Reason *string `json:"reason,omitempty"`
+	// message is a human readable description of the details of the last
+	// transition, complementing reason.
+	Message *string `json:"message,omitempty"`
 }
 
 // TemplateInstanceConditionApplyConfiguration constructs a declarative configuration of the TemplateInstanceCondition type for use with
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstanceobject.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstanceobject.go
index 57fd153169642..2a63df3a0bb1c 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstanceobject.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstanceobject.go
@@ -8,7 +8,12 @@ import (
 
 // TemplateInstanceObjectApplyConfiguration represents a declarative configuration of the TemplateInstanceObject type for use
 // with apply.
+//
+// TemplateInstanceObject references an object created by a TemplateInstance.
 type TemplateInstanceObjectApplyConfiguration struct {
+	// ref is a reference to the created object.  When used under .spec, only
+	// name and namespace are used; these can contain references to parameters
+	// which will be substituted following the usual rules.
 	Ref *corev1.ObjectReference `json:"ref,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancerequester.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancerequester.go
index 66bd8eb1cb1ba..6aeee916b0f18 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancerequester.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancerequester.go
@@ -8,11 +8,20 @@ import (
 
 // TemplateInstanceRequesterApplyConfiguration represents a declarative configuration of the TemplateInstanceRequester type for use
 // with apply.
+//
+// TemplateInstanceRequester holds the identity of an agent requesting a
+// template instantiation.
 type TemplateInstanceRequesterApplyConfiguration struct {
-	Username *string                          `json:"username,omitempty"`
-	UID      *string                          `json:"uid,omitempty"`
-	Groups   []string                         `json:"groups,omitempty"`
-	Extra    map[string]templatev1.ExtraValue `json:"extra,omitempty"`
+	// username uniquely identifies this user among all active users.
+	Username *string `json:"username,omitempty"`
+	// uid is a unique value that identifies this user across time; if this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	UID *string `json:"uid,omitempty"`
+	// groups represent the groups this user is a part of.
+	Groups []string `json:"groups,omitempty"`
+	// extra holds additional information provided by the authenticator.
+	Extra map[string]templatev1.ExtraValue `json:"extra,omitempty"`
 }
 
 // TemplateInstanceRequesterApplyConfiguration constructs a declarative configuration of the TemplateInstanceRequester type for use with
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancespec.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancespec.go
index 24ef4a2fed36a..83c2d505b7aea 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancespec.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancespec.go
@@ -8,9 +8,16 @@ import (
 
 // TemplateInstanceSpecApplyConfiguration represents a declarative configuration of the TemplateInstanceSpec type for use
 // with apply.
+//
+// TemplateInstanceSpec describes the desired state of a TemplateInstance.
 type TemplateInstanceSpecApplyConfiguration struct {
-	Template  *TemplateApplyConfiguration                  `json:"template,omitempty"`
-	Secret    *corev1.LocalObjectReference                 `json:"secret,omitempty"`
+	// template is a full copy of the template for instantiation.
+	Template *TemplateApplyConfiguration `json:"template,omitempty"`
+	// secret is a reference to a Secret object containing the necessary
+	// template parameters.
+	Secret *corev1.LocalObjectReference `json:"secret,omitempty"`
+	// requester holds the identity of the agent requesting the template
+	// instantiation.
 	Requester *TemplateInstanceRequesterApplyConfiguration `json:"requester,omitempty"`
 }
 
diff --git a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancestatus.go b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancestatus.go
index f359612c971f0..e5fed77d730d7 100644
--- a/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancestatus.go
+++ b/vendor/github.com/openshift/client-go/template/applyconfigurations/template/v1/templateinstancestatus.go
@@ -4,9 +4,14 @@ package v1
 
 // TemplateInstanceStatusApplyConfiguration represents a declarative configuration of the TemplateInstanceStatus type for use
 // with apply.
+//
+// TemplateInstanceStatus describes the current state of a TemplateInstance.
 type TemplateInstanceStatusApplyConfiguration struct {
+	// conditions represent the latest available observations of a
+	// TemplateInstance's current state.
 	Conditions []TemplateInstanceConditionApplyConfiguration `json:"conditions,omitempty"`
-	Objects    []TemplateInstanceObjectApplyConfiguration    `json:"objects,omitempty"`
+	// objects references the objects created by the TemplateInstance.
+	Objects []TemplateInstanceObjectApplyConfiguration `json:"objects,omitempty"`
 }
 
 // TemplateInstanceStatusApplyConfiguration constructs a declarative configuration of the TemplateInstanceStatus type for use with
diff --git a/vendor/github.com/openshift/client-go/template/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/template/informers/externalversions/factory.go
index 4a8cfee4b05d3..a257279d7dda3 100644
--- a/vendor/github.com/openshift/client-go/template/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/template/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/brokertemplateinstance.go b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/brokertemplateinstance.go
index 4e65cbf5d019d..8b3ad5a84eeaa 100644
--- a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/brokertemplateinstance.go
+++ b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/brokertemplateinstance.go
@@ -40,7 +40,7 @@ func NewBrokerTemplateInstanceInformer(client versioned.Interface, resyncPeriod
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredBrokerTemplateInstanceInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredBrokerTemplateInstanceInformer(client versioned.Interface, resyn
 				}
 				return client.TemplateV1().BrokerTemplateInstances().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apitemplatev1.BrokerTemplateInstance{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/template.go b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/template.go
index f4c8d0f0ef39f..0dbb2b4b9740a 100644
--- a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/template.go
+++ b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/template.go
@@ -41,7 +41,7 @@ func NewTemplateInformer(client versioned.Interface, namespace string, resyncPer
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTemplateInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredTemplateInformer(client versioned.Interface, namespace string, r
 				}
 				return client.TemplateV1().Templates(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apitemplatev1.Template{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/templateinstance.go b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/templateinstance.go
index c38f98241ca2e..c0e55621e0699 100644
--- a/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/templateinstance.go
+++ b/vendor/github.com/openshift/client-go/template/informers/externalversions/template/v1/templateinstance.go
@@ -41,7 +41,7 @@ func NewTemplateInstanceInformer(client versioned.Interface, namespace string, r
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredTemplateInstanceInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -66,7 +66,7 @@ func NewFilteredTemplateInstanceInformer(client versioned.Interface, namespace s
 				}
 				return client.TemplateV1().TemplateInstances(namespace).Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apitemplatev1.TemplateInstance{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/group.go b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/group.go
index eaa77e203b106..449fc00802bf2 100644
--- a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/group.go
+++ b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/group.go
@@ -13,10 +13,17 @@ import (
 
 // GroupApplyConfiguration represents a declarative configuration of the Group type for use
 // with apply.
+//
+// # Group represents a referenceable set of Users
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type GroupApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Users                                *userv1.OptionalNames `json:"users,omitempty"`
+	// users is the list of users in this group.
+	Users *userv1.OptionalNames `json:"users,omitempty"`
 }
 
 // Group constructs a declarative configuration of the Group type for use with
@@ -29,29 +36,14 @@ func Group(name string) *GroupApplyConfiguration {
 	return b
 }
 
-// ExtractGroup extracts the applied configuration owned by fieldManager from
-// group. If no managedFields are found in group for fieldManager, a
-// GroupApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractGroupFrom extracts the applied configuration owned by fieldManager from
+// group for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // group must be a unmodified Group API object that was retrieved from the Kubernetes API.
-// ExtractGroup provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractGroupFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractGroup(group *userv1.Group, fieldManager string) (*GroupApplyConfiguration, error) {
-	return extractGroup(group, fieldManager, "")
-}
-
-// ExtractGroupStatus is the same as ExtractGroup except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractGroupStatus(group *userv1.Group, fieldManager string) (*GroupApplyConfiguration, error) {
-	return extractGroup(group, fieldManager, "status")
-}
-
-func extractGroup(group *userv1.Group, fieldManager string, subresource string) (*GroupApplyConfiguration, error) {
+func ExtractGroupFrom(group *userv1.Group, fieldManager string, subresource string) (*GroupApplyConfiguration, error) {
 	b := &GroupApplyConfiguration{}
 	err := managedfields.ExtractInto(group, internal.Parser().Type("com.github.openshift.api.user.v1.Group"), fieldManager, b, subresource)
 	if err != nil {
@@ -63,6 +55,21 @@ func extractGroup(group *userv1.Group, fieldManager string, subresource string)
 	b.WithAPIVersion("user.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractGroup extracts the applied configuration owned by fieldManager from
+// group. If no managedFields are found in group for fieldManager, a
+// GroupApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// group must be a unmodified Group API object that was retrieved from the Kubernetes API.
+// ExtractGroup provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractGroup(group *userv1.Group, fieldManager string) (*GroupApplyConfiguration, error) {
+	return ExtractGroupFrom(group, fieldManager, "")
+}
+
 func (b GroupApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/identity.go b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/identity.go
index 7d44bf78928a3..c34aa44b460da 100644
--- a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/identity.go
+++ b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/identity.go
@@ -14,13 +14,28 @@ import (
 
 // IdentityApplyConfiguration represents a declarative configuration of the Identity type for use
 // with apply.
+//
+// Identity records a successful authentication of a user with an identity provider. The
+// information about the source of authentication is stored on the identity, and the identity
+// is then associated with a single user object. Multiple identities can reference a single
+// user. Information retrieved from the authentication provider is stored in the extra field
+// using a schema determined by the provider.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type IdentityApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	ProviderName                         *string                 `json:"providerName,omitempty"`
-	ProviderUserName                     *string                 `json:"providerUserName,omitempty"`
-	User                                 *corev1.ObjectReference `json:"user,omitempty"`
-	Extra                                map[string]string       `json:"extra,omitempty"`
+	// providerName is the source of identity information
+	ProviderName *string `json:"providerName,omitempty"`
+	// providerUserName uniquely represents this identity in the scope of the provider
+	ProviderUserName *string `json:"providerUserName,omitempty"`
+	// user is a reference to the user this identity is associated with
+	// Both Name and UID must be set
+	User *corev1.ObjectReference `json:"user,omitempty"`
+	// extra holds extra information about this identity
+	Extra map[string]string `json:"extra,omitempty"`
 }
 
 // Identity constructs a declarative configuration of the Identity type for use with
@@ -33,29 +48,14 @@ func Identity(name string) *IdentityApplyConfiguration {
 	return b
 }
 
-// ExtractIdentity extracts the applied configuration owned by fieldManager from
-// identity. If no managedFields are found in identity for fieldManager, a
-// IdentityApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractIdentityFrom extracts the applied configuration owned by fieldManager from
+// identity for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // identity must be a unmodified Identity API object that was retrieved from the Kubernetes API.
-// ExtractIdentity provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractIdentityFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractIdentity(identity *userv1.Identity, fieldManager string) (*IdentityApplyConfiguration, error) {
-	return extractIdentity(identity, fieldManager, "")
-}
-
-// ExtractIdentityStatus is the same as ExtractIdentity except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractIdentityStatus(identity *userv1.Identity, fieldManager string) (*IdentityApplyConfiguration, error) {
-	return extractIdentity(identity, fieldManager, "status")
-}
-
-func extractIdentity(identity *userv1.Identity, fieldManager string, subresource string) (*IdentityApplyConfiguration, error) {
+func ExtractIdentityFrom(identity *userv1.Identity, fieldManager string, subresource string) (*IdentityApplyConfiguration, error) {
 	b := &IdentityApplyConfiguration{}
 	err := managedfields.ExtractInto(identity, internal.Parser().Type("com.github.openshift.api.user.v1.Identity"), fieldManager, b, subresource)
 	if err != nil {
@@ -67,6 +67,21 @@ func extractIdentity(identity *userv1.Identity, fieldManager string, subresource
 	b.WithAPIVersion("user.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractIdentity extracts the applied configuration owned by fieldManager from
+// identity. If no managedFields are found in identity for fieldManager, a
+// IdentityApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// identity must be a unmodified Identity API object that was retrieved from the Kubernetes API.
+// ExtractIdentity provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractIdentity(identity *userv1.Identity, fieldManager string) (*IdentityApplyConfiguration, error) {
+	return ExtractIdentityFrom(identity, fieldManager, "")
+}
+
 func (b IdentityApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/user.go b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/user.go
index 1bf2369fff534..45f8aa19ad8af 100644
--- a/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/user.go
+++ b/vendor/github.com/openshift/client-go/user/applyconfigurations/user/v1/user.go
@@ -13,12 +13,27 @@ import (
 
 // UserApplyConfiguration represents a declarative configuration of the User type for use
 // with apply.
+//
+// Upon log in, every user of the system receives a User and Identity resource. Administrators
+// may directly manipulate the attributes of the users for their own tracking, or set groups
+// via the API. The user name is unique and is chosen based on the value provided by the
+// identity provider - if a user already exists with the incoming name, the user name may have
+// a number appended to it depending on the configuration of the system.
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 type UserApplyConfiguration struct {
-	metav1.TypeMetaApplyConfiguration    `json:",inline"`
+	metav1.TypeMetaApplyConfiguration `json:",inline"`
+	// metadata is the standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 	*metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	FullName                             *string  `json:"fullName,omitempty"`
-	Identities                           []string `json:"identities,omitempty"`
-	Groups                               []string `json:"groups,omitempty"`
+	// fullName is the full name of user
+	FullName *string `json:"fullName,omitempty"`
+	// identities are the identities associated with this user
+	Identities []string `json:"identities,omitempty"`
+	// groups specifies group names this user is a member of.
+	// This field is deprecated and will be removed in a future release.
+	// Instead, create a Group object containing the name of this User.
+	Groups []string `json:"groups,omitempty"`
 }
 
 // User constructs a declarative configuration of the User type for use with
@@ -31,29 +46,14 @@ func User(name string) *UserApplyConfiguration {
 	return b
 }
 
-// ExtractUser extracts the applied configuration owned by fieldManager from
-// user. If no managedFields are found in user for fieldManager, a
-// UserApplyConfiguration is returned with only the Name, Namespace (if applicable),
-// APIVersion and Kind populated. It is possible that no managed fields were found for because other
-// field managers have taken ownership of all the fields previously owned by fieldManager, or because
-// the fieldManager never owned fields any fields.
+// ExtractUserFrom extracts the applied configuration owned by fieldManager from
+// user for the specified subresource. Pass an empty string for subresource to extract
+// the main resource. Common subresources include "status", "scale", etc.
 // user must be a unmodified User API object that was retrieved from the Kubernetes API.
-// ExtractUser provides a way to perform a extract/modify-in-place/apply workflow.
+// ExtractUserFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
-// Experimental!
-func ExtractUser(user *userv1.User, fieldManager string) (*UserApplyConfiguration, error) {
-	return extractUser(user, fieldManager, "")
-}
-
-// ExtractUserStatus is the same as ExtractUser except
-// that it extracts the status subresource applied configuration.
-// Experimental!
-func ExtractUserStatus(user *userv1.User, fieldManager string) (*UserApplyConfiguration, error) {
-	return extractUser(user, fieldManager, "status")
-}
-
-func extractUser(user *userv1.User, fieldManager string, subresource string) (*UserApplyConfiguration, error) {
+func ExtractUserFrom(user *userv1.User, fieldManager string, subresource string) (*UserApplyConfiguration, error) {
 	b := &UserApplyConfiguration{}
 	err := managedfields.ExtractInto(user, internal.Parser().Type("com.github.openshift.api.user.v1.User"), fieldManager, b, subresource)
 	if err != nil {
@@ -65,6 +65,21 @@ func extractUser(user *userv1.User, fieldManager string, subresource string) (*U
 	b.WithAPIVersion("user.openshift.io/v1")
 	return b, nil
 }
+
+// ExtractUser extracts the applied configuration owned by fieldManager from
+// user. If no managedFields are found in user for fieldManager, a
+// UserApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// user must be a unmodified User API object that was retrieved from the Kubernetes API.
+// ExtractUser provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+func ExtractUser(user *userv1.User, fieldManager string) (*UserApplyConfiguration, error) {
+	return ExtractUserFrom(user, fieldManager, "")
+}
+
 func (b UserApplyConfiguration) IsApplyConfiguration() {}
 
 // WithKind sets the Kind field in the declarative configuration to the given value
diff --git a/vendor/github.com/openshift/client-go/user/clientset/versioned/fake/clientset_generated.go b/vendor/github.com/openshift/client-go/user/clientset/versioned/fake/clientset_generated.go
index 6d61e761a3130..e99fb93ff786d 100644
--- a/vendor/github.com/openshift/client-go/user/clientset/versioned/fake/clientset_generated.go
+++ b/vendor/github.com/openshift/client-go/user/clientset/versioned/fake/clientset_generated.go
@@ -20,7 +20,7 @@ import (
 // without applying any field management, validations and/or defaults. It shouldn't be considered a replacement
 // for a real clientset and is mostly useful in simple unit tests.
 //
-// DEPRECATED: NewClientset replaces this with support for field management, which significantly improves
+// Deprecated: NewClientset replaces this with support for field management, which significantly improves
 // server side apply testing. NewClientset is only available when apply configurations are generated (e.g.
 // via --with-applyconfig).
 func NewSimpleClientset(objects ...runtime.Object) *Clientset {
@@ -36,8 +36,8 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
 		var opts metav1.ListOptions
-		if watchActcion, ok := action.(testing.WatchActionImpl); ok {
-			opts = watchActcion.ListOptions
+		if watchAction, ok := action.(testing.WatchActionImpl); ok {
+			opts = watchAction.ListOptions
 		}
 		gvr := action.GetResource()
 		ns := action.GetNamespace()
@@ -68,6 +68,17 @@ func (c *Clientset) Tracker() testing.ObjectTracker {
 	return c.tracker
 }
 
+// IsWatchListSemanticsSupported informs the reflector that this client
+// doesn't support WatchList semantics.
+//
+// This is a synthetic method whose sole purpose is to satisfy the optional
+// interface check performed by the reflector.
+// Returning true signals that WatchList can NOT be used.
+// No additional logic is implemented here.
+func (c *Clientset) IsWatchListSemanticsUnSupported() bool {
+	return true
+}
+
 // NewClientset returns a clientset that will respond with the provided objects.
 // It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
 // without applying any validations and/or defaults. It shouldn't be considered a replacement
diff --git a/vendor/github.com/openshift/client-go/user/informers/externalversions/factory.go b/vendor/github.com/openshift/client-go/user/informers/externalversions/factory.go
index 952e6e95003a3..7f676c951f9a2 100644
--- a/vendor/github.com/openshift/client-go/user/informers/externalversions/factory.go
+++ b/vendor/github.com/openshift/client-go/user/informers/externalversions/factory.go
@@ -81,6 +81,7 @@ func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Dur
 // NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
 // Listers obtained via this SharedInformerFactory will be subject to the same filters
 // as specified here.
+//
 // Deprecated: Please use NewSharedInformerFactoryWithOptions instead
 func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
 	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
@@ -188,7 +189,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal
 //
 // It is typically used like this:
 //
-//	ctx, cancel := context.Background()
+//	ctx, cancel := context.WithCancel(context.Background())
 //	defer cancel()
 //	factory := NewSharedInformerFactory(client, resyncPeriod)
 //	defer factory.WaitForStop()    // Returns immediately if nothing was started.
diff --git a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/group.go b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/group.go
index 59b875d82f9d2..a8afd12986bc8 100644
--- a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/group.go
+++ b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/group.go
@@ -40,7 +40,7 @@ func NewGroupInformer(client versioned.Interface, resyncPeriod time.Duration, in
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredGroupInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredGroupInformer(client versioned.Interface, resyncPeriod time.Dura
 				}
 				return client.UserV1().Groups().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiuserv1.Group{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/identity.go b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/identity.go
index 9d6a3f7f12edd..4b98aa94141ef 100644
--- a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/identity.go
+++ b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/identity.go
@@ -40,7 +40,7 @@ func NewIdentityInformer(client versioned.Interface, resyncPeriod time.Duration,
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredIdentityInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredIdentityInformer(client versioned.Interface, resyncPeriod time.D
 				}
 				return client.UserV1().Identities().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiuserv1.Identity{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/user.go b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/user.go
index e605bbb6e7e22..37e3afd945e34 100644
--- a/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/user.go
+++ b/vendor/github.com/openshift/client-go/user/informers/externalversions/user/v1/user.go
@@ -40,7 +40,7 @@ func NewUserInformer(client versioned.Interface, resyncPeriod time.Duration, ind
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredUserInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return cache.NewSharedIndexInformer(
-		&cache.ListWatch{
+		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&options)
@@ -65,7 +65,7 @@ func NewFilteredUserInformer(client versioned.Interface, resyncPeriod time.Durat
 				}
 				return client.UserV1().Users().Watch(ctx, options)
 			},
-		},
+		}, client),
 		&apiuserv1.User{},
 		resyncPeriod,
 		indexers,
diff --git a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
index 33a09ae16e37a..ca2806ecc6d04 100644
--- a/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
+++ b/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
@@ -30,6 +30,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/util/cert"
+
+	configv1 "github.com/openshift/api/config/v1"
 )
 
 // TLS versions that are known to golang. Go 1.13 adds support for
@@ -242,35 +244,44 @@ func ValidCipherSuites() []string {
 	sort.Strings(validCipherSuites)
 	return validCipherSuites
 }
+
+// DefaultTLSProfileType is the intermediate profile type.
+const DefaultTLSProfileType = configv1.TLSProfileIntermediateType
+
+// DefaultCiphers returns the default cipher suites for TLS connections.
+//
+// RECOMMENDATION: Instead of relying on this function directly, consumers should respect
+// TLSSecurityProfile settings from one of the OpenShift API configuration resources:
+//   - For API servers: Use apiserver.config.openshift.io/cluster Spec.TLSSecurityProfile
+//   - For ingress controllers: Use operator.openshift.io/v1 IngressController Spec.TLSSecurityProfile
+//   - For kubelet: Use machineconfiguration.openshift.io/v1 KubeletConfig Spec.TLSSecurityProfile
+//
+// These API resources allow cluster administrators to choose between Old, Intermediate,
+// Modern, or Custom TLS profiles. Components should observe these settings.
 func DefaultCiphers() []uint16 {
-	// HTTP/2 mandates TLS 1.2 or higher with an AEAD cipher
-	// suite (GCM, Poly1305) and ephemeral key exchange (ECDHE, DHE) for
-	// perfect forward secrecy. Servers may provide additional cipher
-	// suites for backwards compatibility with HTTP/1.1 clients.
-	// See RFC7540, section 9.2 (Use of TLS Features) and Appendix A
-	// (TLS 1.2 Cipher Suite Black List).
+	// Aligned with intermediate profile of the 5.7 version of the Mozilla Server
+	// Side TLS guidelines found at: https://ssl-config.mozilla.org/guidelines/5.7.json
+	//
+	// Latest guidelines: https://ssl-config.mozilla.org/guidelines/latest.json
+	//
+	// This profile provides strong security with wide compatibility.
+	// It requires TLS 1.2+ and uses only AEAD cipher suites (GCM, ChaCha20-Poly1305)
+	// with ECDHE key exchange for perfect forward secrecy.
+	//
+	// All CBC-mode ciphers have been removed due to padding oracle vulnerabilities.
+	// All RSA key exchange ciphers have been removed due to lack of perfect forward secrecy.
+	//
+	// HTTP/2 compliance: All ciphers are compliant with RFC7540, section 9.2.
 	return []uint16{
+		// TLS 1.2 cipher suites with ECDHE + AEAD
 		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // required by http/2
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // required by HTTP/2
 		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   // forbidden by http/2, not flagged by http2isBadCipher() in go1.8
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    // forbidden by http/2
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    // forbidden by http/2
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      // forbidden by http/2
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,         // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,         // forbidden by http/2
-		// the next one is in the intermediate suite, but go1.8 http2isBadCipher() complains when it is included at the recommended index
-		// because it comes after ciphers forbidden by the http/2 spec
-		// tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
-		// tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // forbidden by http/2, disabled to mitigate SWEET32 attack
-		// tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,       // forbidden by http/2, disabled to mitigate SWEET32 attack
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA, // forbidden by http/2
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA, // forbidden by http/2
+
+		// TLS 1.3 cipher suites (negotiated automatically, not configurable)
 		tls.TLS_AES_128_GCM_SHA256,
 		tls.TLS_AES_256_GCM_SHA384,
 		tls.TLS_CHACHA20_POLY1305_SHA256,
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/desc.go b/vendor/github.com/prometheus/client_golang/prometheus/desc.go
index ad347113c0480..2331b8b4f3b49 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/desc.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/desc.go
@@ -95,7 +95,8 @@ func (v2) NewDesc(fqName, help string, variableLabels ConstrainableLabels, const
 		help:           help,
 		variableLabels: variableLabels.compile(),
 	}
-	if !model.IsValidMetricName(model.LabelValue(fqName)) {
+	//nolint:staticcheck // TODO: Don't use deprecated model.NameValidationScheme.
+	if !model.NameValidationScheme.IsValidMetricName(fqName) {
 		d.err = fmt.Errorf("%q is not a valid metric name", fqName)
 		return d
 	}
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
index 8b016355adb1f..7bac0da33df76 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go
@@ -453,7 +453,7 @@ func (m *SequenceMatcher) GetGroupedOpCodes(n int) [][]OpCode {
 		}
 		group = append(group, OpCode{c.Tag, i1, i2, j1, j2})
 	}
-	if len(group) > 0 && !(len(group) == 1 && group[0].Tag == 'e') {
+	if len(group) > 0 && (len(group) != 1 || group[0].Tag != 'e') {
 		groups = append(groups, group)
 	}
 	return groups
@@ -568,7 +568,7 @@ func WriteUnifiedDiff(writer io.Writer, diff UnifiedDiff) error {
 	buf := bufio.NewWriter(writer)
 	defer buf.Flush()
 	wf := func(format string, args ...interface{}) error {
-		_, err := buf.WriteString(fmt.Sprintf(format, args...))
+		_, err := fmt.Fprintf(buf, format, args...)
 		return err
 	}
 	ws := func(s string) error {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go b/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go
index f7f97ef92624a..d273b6640e4e8 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go
@@ -67,7 +67,7 @@ func RuntimeMetricsToProm(d *metrics.Description) (string, string, string, bool)
 	}
 
 	// Our current conversion moves to legacy naming, so use legacy validation.
-	valid := model.IsValidLegacyMetricName(namespace + "_" + subsystem + "_" + name)
+	valid := model.LegacyValidation.IsValidMetricName(namespace + "_" + subsystem + "_" + name)
 	switch d.Kind {
 	case metrics.KindUint64:
 	case metrics.KindFloat64:
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/labels.go b/vendor/github.com/prometheus/client_golang/prometheus/labels.go
index c21911f292d4e..5fe8d3b4d2949 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/labels.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/labels.go
@@ -184,5 +184,6 @@ func validateLabelValues(vals []string, expectedNumberOfValues int) error {
 }
 
 func checkLabelName(l string) bool {
-	return model.LabelName(l).IsValid() && !strings.HasPrefix(l, reservedLabelPrefix)
+	//nolint:staticcheck // TODO: Don't use deprecated model.NameValidationScheme.
+	return model.NameValidationScheme.IsValidLabelName(l) && !strings.HasPrefix(l, reservedLabelPrefix)
 }
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/metric.go b/vendor/github.com/prometheus/client_golang/prometheus/metric.go
index 592eec3e24f21..76e59f12880cb 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/metric.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/metric.go
@@ -186,21 +186,31 @@ func (m *withExemplarsMetric) Write(pb *dto.Metric) error {
 	case pb.Counter != nil:
 		pb.Counter.Exemplar = m.exemplars[len(m.exemplars)-1]
 	case pb.Histogram != nil:
+		h := pb.Histogram
 		for _, e := range m.exemplars {
-			// pb.Histogram.Bucket are sorted by UpperBound.
-			i := sort.Search(len(pb.Histogram.Bucket), func(i int) bool {
-				return pb.Histogram.Bucket[i].GetUpperBound() >= e.GetValue()
+			if (h.GetZeroThreshold() != 0 || h.GetZeroCount() != 0 ||
+				len(h.PositiveSpan) != 0 || len(h.NegativeSpan) != 0) &&
+				e.GetTimestamp() != nil {
+				h.Exemplars = append(h.Exemplars, e)
+				if len(h.Bucket) == 0 {
+					// Don't proceed to classic buckets if there are none.
+					continue
+				}
+			}
+			// h.Bucket are sorted by UpperBound.
+			i := sort.Search(len(h.Bucket), func(i int) bool {
+				return h.Bucket[i].GetUpperBound() >= e.GetValue()
 			})
-			if i < len(pb.Histogram.Bucket) {
-				pb.Histogram.Bucket[i].Exemplar = e
+			if i < len(h.Bucket) {
+				h.Bucket[i].Exemplar = e
 			} else {
 				// The +Inf bucket should be explicitly added if there is an exemplar for it, similar to non-const histogram logic in https://github.com/prometheus/client_golang/blob/main/prometheus/histogram.go#L357-L365.
 				b := &dto.Bucket{
-					CumulativeCount: proto.Uint64(pb.Histogram.GetSampleCount()),
+					CumulativeCount: proto.Uint64(h.GetSampleCount()),
 					UpperBound:      proto.Float64(math.Inf(1)),
 					Exemplar:        e,
 				}
-				pb.Histogram.Bucket = append(pb.Histogram.Bucket, b)
+				h.Bucket = append(h.Bucket, b)
 			}
 		}
 	default:
@@ -227,6 +237,7 @@ type Exemplar struct {
 // Only last applicable exemplar is injected from the list.
 // For example for Counter it means last exemplar is injected.
 // For Histogram, it means last applicable exemplar for each bucket is injected.
+// For a Native Histogram, all valid exemplars are injected.
 //
 // NewMetricWithExemplars works best with MustNewConstMetric and
 // MustNewConstHistogram, see example.
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
index 0a61b984613fe..b32c95fa3fab8 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go
@@ -25,9 +25,9 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-// notImplementedErr is returned by stub functions that replace cgo functions, when cgo
+// errNotImplemented is returned by stub functions that replace cgo functions, when cgo
 // isn't available.
-var notImplementedErr = errors.New("not implemented")
+var errNotImplemented = errors.New("not implemented")
 
 type memoryInfo struct {
 	vsize uint64 // Virtual memory size in bytes
@@ -101,7 +101,7 @@ func (c *processCollector) processCollect(ch chan<- Metric) {
 	if memInfo, err := getMemory(); err == nil {
 		ch <- MustNewConstMetric(c.rss, GaugeValue, float64(memInfo.rss))
 		ch <- MustNewConstMetric(c.vsize, GaugeValue, float64(memInfo.vsize))
-	} else if !errors.Is(err, notImplementedErr) {
+	} else if !errors.Is(err, errNotImplemented) {
 		// Don't report an error when support is not compiled in.
 		c.reportError(ch, c.rss, err)
 		c.reportError(ch, c.vsize, err)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
index 8ddb0995d6ae3..378865129b77a 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go
@@ -16,7 +16,7 @@
 package prometheus
 
 func getMemory() (*memoryInfo, error) {
-	return nil, notImplementedErr
+	return nil, errNotImplemented
 }
 
 // describe returns all descriptions of the collector for Darwin.
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
index 9f4b130befa6e..8074f70f5d919 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go
@@ -66,11 +66,11 @@ func (c *processCollector) processCollect(ch chan<- Metric) {
 
 	if netstat, err := p.Netstat(); err == nil {
 		var inOctets, outOctets float64
-		if netstat.IpExt.InOctets != nil {
-			inOctets = *netstat.IpExt.InOctets
+		if netstat.InOctets != nil {
+			inOctets = *netstat.InOctets
 		}
-		if netstat.IpExt.OutOctets != nil {
-			outOctets = *netstat.IpExt.OutOctets
+		if netstat.OutOctets != nil {
+			outOctets = *netstat.OutOctets
 		}
 		ch <- MustNewConstMetric(c.inBytes, CounterValue, inOctets)
 		ch <- MustNewConstMetric(c.outBytes, CounterValue, outOctets)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
index 356edb7868ccd..9332b0249a972 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go
@@ -392,7 +392,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool {
 func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels {
 	labels := prometheus.Labels{}
 
-	if !(code || method) {
+	if !code && !method {
 		return labels
 	}
 
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
index 1258508e4f937..80a4d7c35585d 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go
@@ -262,7 +262,7 @@ func CollectAndFormat(c prometheus.Collector, format expfmt.FormatType, metricNa
 // convertReaderToMetricFamily would read from a io.Reader object and convert it to a slice of
 // dto.MetricFamily.
 func convertReaderToMetricFamily(reader io.Reader) ([]*dto.MetricFamily, error) {
-	var tp expfmt.TextParser
+	tp := expfmt.NewTextParser(model.UTF8Validation)
 	notNormalized, err := tp.TextToMetricFamilies(reader)
 	if err != nil {
 		return nil, fmt.Errorf("converting reader to metric families failed: %w", err)
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/vec.go b/vendor/github.com/prometheus/client_golang/prometheus/vec.go
index 2c808eece0a0c..487b466563bbc 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/vec.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/vec.go
@@ -79,7 +79,7 @@ func (m *MetricVec) DeleteLabelValues(lvs ...string) bool {
 		return false
 	}
 
-	return m.metricMap.deleteByHashWithLabelValues(h, lvs, m.curry)
+	return m.deleteByHashWithLabelValues(h, lvs, m.curry)
 }
 
 // Delete deletes the metric where the variable labels are the same as those
@@ -101,7 +101,7 @@ func (m *MetricVec) Delete(labels Labels) bool {
 		return false
 	}
 
-	return m.metricMap.deleteByHashWithLabels(h, labels, m.curry)
+	return m.deleteByHashWithLabels(h, labels, m.curry)
 }
 
 // DeletePartialMatch deletes all metrics where the variable labels contain all of those
@@ -114,7 +114,7 @@ func (m *MetricVec) DeletePartialMatch(labels Labels) int {
 	labels, closer := constrainLabels(m.desc, labels)
 	defer closer()
 
-	return m.metricMap.deleteByLabels(labels, m.curry)
+	return m.deleteByLabels(labels, m.curry)
 }
 
 // Without explicit forwarding of Describe, Collect, Reset, those methods won't
@@ -216,7 +216,7 @@ func (m *MetricVec) GetMetricWithLabelValues(lvs ...string) (Metric, error) {
 		return nil, err
 	}
 
-	return m.metricMap.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil
+	return m.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil
 }
 
 // GetMetricWith returns the Metric for the given Labels map (the label names
@@ -244,7 +244,7 @@ func (m *MetricVec) GetMetricWith(labels Labels) (Metric, error) {
 		return nil, err
 	}
 
-	return m.metricMap.getOrCreateMetricWithLabels(h, labels, m.curry), nil
+	return m.getOrCreateMetricWithLabels(h, labels, m.curry), nil
 }
 
 func (m *MetricVec) hashLabelValues(vals []string) (uint64, error) {
diff --git a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
index 25da157f152ce..2ed1285068ee6 100644
--- a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
+++ b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go
@@ -63,7 +63,7 @@ func WrapRegistererWith(labels Labels, reg Registerer) Registerer {
 // metric names that are standardized across applications, as that would break
 // horizontal monitoring, for example the metrics provided by the Go collector
 // (see NewGoCollector) and the process collector (see NewProcessCollector). (In
-// fact, those metrics are already prefixed with “go_” or “process_”,
+// fact, those metrics are already prefixed with "go_" or "process_",
 // respectively.)
 //
 // Conflicts between Collectors registered through the original Registerer with
@@ -78,6 +78,40 @@ func WrapRegistererWithPrefix(prefix string, reg Registerer) Registerer {
 	}
 }
 
+// WrapCollectorWith returns a Collector wrapping the provided Collector. The
+// wrapped Collector will add the provided Labels to all Metrics it collects (as
+// ConstLabels). The Metrics collected by the unmodified Collector must not
+// duplicate any of those labels.
+//
+// WrapCollectorWith can be useful to work with multiple instances of a third
+// party library that does not expose enough flexibility on the lifecycle of its
+// registered metrics.
+// For example, let's say you have a foo.New(reg Registerer) constructor that
+// registers metrics but never unregisters them, and you want to create multiple
+// instances of foo.Foo with different labels.
+// The way to achieve that, is to create a new Registry, pass it to foo.New,
+// then use WrapCollectorWith to wrap that Registry with the desired labels and
+// register that as a collector in your main Registry.
+// Then you can un-register the wrapped collector effectively un-registering the
+// metrics registered by foo.New.
+func WrapCollectorWith(labels Labels, c Collector) Collector {
+	return &wrappingCollector{
+		wrappedCollector: c,
+		labels:           labels,
+	}
+}
+
+// WrapCollectorWithPrefix returns a Collector wrapping the provided Collector. The
+// wrapped Collector will add the provided prefix to the name of all Metrics it collects.
+//
+// See the documentation of WrapCollectorWith for more details on the use case.
+func WrapCollectorWithPrefix(prefix string, c Collector) Collector {
+	return &wrappingCollector{
+		wrappedCollector: c,
+		prefix:           prefix,
+	}
+}
+
 type wrappingRegisterer struct {
 	wrappedRegisterer Registerer
 	prefix            string
diff --git a/vendor/github.com/prometheus/common/expfmt/decode.go b/vendor/github.com/prometheus/common/expfmt/decode.go
index 1448439b7f722..7b762370e270e 100644
--- a/vendor/github.com/prometheus/common/expfmt/decode.go
+++ b/vendor/github.com/prometheus/common/expfmt/decode.go
@@ -70,19 +70,34 @@ func ResponseFormat(h http.Header) Format {
 	return FmtUnknown
 }
 
-// NewDecoder returns a new decoder based on the given input format.
-// If the input format does not imply otherwise, a text format decoder is returned.
+// NewDecoder returns a new decoder based on the given input format. Metric
+// names are validated based on the provided Format -- if the format requires
+// escaping, raditional Prometheues validity checking is used. Otherwise, names
+// are checked for UTF-8 validity. Supported formats include delimited protobuf
+// and Prometheus text format.  For historical reasons, this decoder fallbacks
+// to classic text decoding for any other format. This decoder does not fully
+// support OpenMetrics although it may often succeed due to the similarities
+// between the formats. This decoder may not support the latest features of
+// Prometheus text format and is not intended for high-performance applications.
+// See: https://github.com/prometheus/common/issues/812
 func NewDecoder(r io.Reader, format Format) Decoder {
+	scheme := model.LegacyValidation
+	if format.ToEscapingScheme() == model.NoEscaping {
+		scheme = model.UTF8Validation
+	}
 	switch format.FormatType() {
 	case TypeProtoDelim:
-		return &protoDecoder{r: bufio.NewReader(r)}
+		return &protoDecoder{r: bufio.NewReader(r), s: scheme}
+	case TypeProtoText, TypeProtoCompact:
+		return &errDecoder{err: fmt.Errorf("format %s not supported for decoding", format)}
 	}
-	return &textDecoder{r: r}
+	return &textDecoder{r: r, s: scheme}
 }
 
 // protoDecoder implements the Decoder interface for protocol buffers.
 type protoDecoder struct {
 	r protodelim.Reader
+	s model.ValidationScheme
 }
 
 // Decode implements the Decoder interface.
@@ -93,7 +108,7 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error {
 	if err := opts.UnmarshalFrom(d.r, v); err != nil {
 		return err
 	}
-	if !model.IsValidMetricName(model.LabelValue(v.GetName())) {
+	if !d.s.IsValidMetricName(v.GetName()) {
 		return fmt.Errorf("invalid metric name %q", v.GetName())
 	}
 	for _, m := range v.GetMetric() {
@@ -107,7 +122,7 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error {
 			if !model.LabelValue(l.GetValue()).IsValid() {
 				return fmt.Errorf("invalid label value %q", l.GetValue())
 			}
-			if !model.LabelName(l.GetName()).IsValid() {
+			if !d.s.IsValidLabelName(l.GetName()) {
 				return fmt.Errorf("invalid label name %q", l.GetName())
 			}
 		}
@@ -115,10 +130,20 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error {
 	return nil
 }
 
+// errDecoder is an error-state decoder that always returns the same error.
+type errDecoder struct {
+	err error
+}
+
+func (d *errDecoder) Decode(*dto.MetricFamily) error {
+	return d.err
+}
+
 // textDecoder implements the Decoder interface for the text protocol.
 type textDecoder struct {
 	r    io.Reader
 	fams map[string]*dto.MetricFamily
+	s    model.ValidationScheme
 	err  error
 }
 
@@ -126,7 +151,7 @@ type textDecoder struct {
 func (d *textDecoder) Decode(v *dto.MetricFamily) error {
 	if d.err == nil {
 		// Read all metrics in one shot.
-		var p TextParser
+		p := NewTextParser(d.s)
 		d.fams, d.err = p.TextToMetricFamilies(d.r)
 		// If we don't get an error, store io.EOF for the end.
 		if d.err == nil {
diff --git a/vendor/github.com/prometheus/common/expfmt/encode.go b/vendor/github.com/prometheus/common/expfmt/encode.go
index d7f3d76f55d97..73c24dfbc9cb5 100644
--- a/vendor/github.com/prometheus/common/expfmt/encode.go
+++ b/vendor/github.com/prometheus/common/expfmt/encode.go
@@ -18,14 +18,12 @@ import (
 	"io"
 	"net/http"
 
+	"github.com/munnerz/goautoneg"
+	dto "github.com/prometheus/client_model/go"
 	"google.golang.org/protobuf/encoding/protodelim"
 	"google.golang.org/protobuf/encoding/prototext"
 
 	"github.com/prometheus/common/model"
-
-	"github.com/munnerz/goautoneg"
-
-	dto "github.com/prometheus/client_model/go"
 )
 
 // Encoder types encode metric families into an underlying wire protocol.
@@ -61,7 +59,7 @@ func (ec encoderCloser) Close() error {
 // appropriate accepted type is found, FmtText is returned (which is the
 // Prometheus text format). This function will never negotiate FmtOpenMetrics,
 // as the support is still experimental. To include the option to negotiate
-// FmtOpenMetrics, use NegotiateOpenMetrics.
+// FmtOpenMetrics, use NegotiateIncludingOpenMetrics.
 func Negotiate(h http.Header) Format {
 	escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String())))
 	for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) {
@@ -153,7 +151,7 @@ func NewEncoder(w io.Writer, format Format, options ...EncoderOption) Encoder {
 	case TypeProtoDelim:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := protodelim.MarshalTo(w, v)
+				_, err := protodelim.MarshalTo(w, model.EscapeMetricFamily(v, escapingScheme))
 				return err
 			},
 			close: func() error { return nil },
diff --git a/vendor/github.com/prometheus/common/expfmt/expfmt.go b/vendor/github.com/prometheus/common/expfmt/expfmt.go
index b26886560d74b..c34c7de432b1d 100644
--- a/vendor/github.com/prometheus/common/expfmt/expfmt.go
+++ b/vendor/github.com/prometheus/common/expfmt/expfmt.go
@@ -36,9 +36,11 @@ const (
 	ProtoType     = `application/vnd.google.protobuf`
 	ProtoProtocol = `io.prometheus.client.MetricFamily`
 	// Deprecated: Use expfmt.NewFormat(expfmt.TypeProtoCompact) instead.
-	ProtoFmt                 = ProtoType + "; proto=" + ProtoProtocol + ";"
-	OpenMetricsType          = `application/openmetrics-text`
+	ProtoFmt        = ProtoType + "; proto=" + ProtoProtocol + ";"
+	OpenMetricsType = `application/openmetrics-text`
+	//nolint:revive // Allow for underscores.
 	OpenMetricsVersion_0_0_1 = "0.0.1"
+	//nolint:revive // Allow for underscores.
 	OpenMetricsVersion_1_0_0 = "1.0.0"
 
 	// The Content-Type values for the different wire protocols. Do not do direct
@@ -54,8 +56,10 @@ const (
 	// Deprecated: Use expfmt.NewFormat(expfmt.TypeProtoCompact) instead.
 	FmtProtoCompact Format = ProtoFmt + ` encoding=compact-text`
 	// Deprecated: Use expfmt.NewFormat(expfmt.TypeOpenMetrics) instead.
+	//nolint:revive // Allow for underscores.
 	FmtOpenMetrics_1_0_0 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_1_0_0 + `; charset=utf-8`
 	// Deprecated: Use expfmt.NewFormat(expfmt.TypeOpenMetrics) instead.
+	//nolint:revive // Allow for underscores.
 	FmtOpenMetrics_0_0_1 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_0_0_1 + `; charset=utf-8`
 )
 
@@ -188,8 +192,8 @@ func (f Format) FormatType() FormatType {
 // Format contains a escaping=allow-utf-8 term, it will select NoEscaping. If a valid
 // "escaping" term exists, that will be used. Otherwise, the global default will
 // be returned.
-func (format Format) ToEscapingScheme() model.EscapingScheme {
-	for _, p := range strings.Split(string(format), ";") {
+func (f Format) ToEscapingScheme() model.EscapingScheme {
+	for _, p := range strings.Split(string(f), ";") {
 		toks := strings.Split(p, "=")
 		if len(toks) != 2 {
 			continue
diff --git a/vendor/github.com/prometheus/common/expfmt/fuzz.go b/vendor/github.com/prometheus/common/expfmt/fuzz.go
index dfac962a4e7e8..0290f6abc40b3 100644
--- a/vendor/github.com/prometheus/common/expfmt/fuzz.go
+++ b/vendor/github.com/prometheus/common/expfmt/fuzz.go
@@ -17,7 +17,11 @@
 
 package expfmt
 
-import "bytes"
+import (
+	"bytes"
+
+	"github.com/prometheus/common/model"
+)
 
 // Fuzz text metric parser with with github.com/dvyukov/go-fuzz:
 //
@@ -26,9 +30,8 @@ import "bytes"
 //
 // Further input samples should go in the folder fuzz/corpus.
 func Fuzz(in []byte) int {
-	parser := TextParser{}
+	parser := NewTextParser(model.UTF8Validation)
 	_, err := parser.TextToMetricFamilies(bytes.NewReader(in))
-
 	if err != nil {
 		return 0
 	}
diff --git a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
index a21ed4ec1f8cd..8dbf6d04ed651 100644
--- a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
@@ -22,11 +22,10 @@ import (
 	"strconv"
 	"strings"
 
+	dto "github.com/prometheus/client_model/go"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/prometheus/common/model"
-
-	dto "github.com/prometheus/client_model/go"
 )
 
 type encoderOption struct {
@@ -249,7 +248,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E
 
 	// Finally the samples, one line for each.
 	if metricType == dto.MetricType_COUNTER && strings.HasSuffix(name, "_total") {
-		compliantName = compliantName + "_total"
+		compliantName += "_total"
 	}
 	for _, metric := range in.Metric {
 		switch metricType {
@@ -477,7 +476,7 @@ func writeOpenMetricsNameAndLabelPairs(
 	if name != "" {
 		// If the name does not pass the legacy validity check, we must put the
 		// metric name inside the braces, quoted.
-		if !model.IsValidLegacyMetricName(name) {
+		if !model.LegacyValidation.IsValidMetricName(name) {
 			metricInsideBraces = true
 			err := w.WriteByte(separator)
 			written++
@@ -641,11 +640,11 @@ func writeExemplar(w enhancedWriter, e *dto.Exemplar) (int, error) {
 		if err != nil {
 			return written, err
 		}
-		err = (*e).Timestamp.CheckValid()
+		err = e.Timestamp.CheckValid()
 		if err != nil {
 			return written, err
 		}
-		ts := (*e).Timestamp.AsTime()
+		ts := e.Timestamp.AsTime()
 		// TODO(beorn7): Format this directly from components of ts to
 		// avoid overflow/underflow and precision issues of the float
 		// conversion.
diff --git a/vendor/github.com/prometheus/common/expfmt/text_create.go b/vendor/github.com/prometheus/common/expfmt/text_create.go
index 4b86434b33275..c4e9c1bbc3a79 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_create.go
@@ -22,9 +22,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/prometheus/common/model"
-
 	dto "github.com/prometheus/client_model/go"
+
+	"github.com/prometheus/common/model"
 )
 
 // enhancedWriter has all the enhanced write functions needed here. bufio.Writer
@@ -354,7 +354,7 @@ func writeNameAndLabelPairs(
 	if name != "" {
 		// If the name does not pass the legacy validity check, we must put the
 		// metric name inside the braces.
-		if !model.IsValidLegacyMetricName(name) {
+		if !model.LegacyValidation.IsValidMetricName(name) {
 			metricInsideBraces = true
 			err := w.WriteByte(separator)
 			written++
@@ -498,7 +498,7 @@ func writeInt(w enhancedWriter, i int64) (int, error) {
 // writeName writes a string as-is if it complies with the legacy naming
 // scheme, or escapes it in double quotes if not.
 func writeName(w enhancedWriter, name string) (int, error) {
-	if model.IsValidLegacyMetricName(name) {
+	if model.LegacyValidation.IsValidMetricName(name) {
 		return w.WriteString(name)
 	}
 	var written int
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index b4607fe4d274f..8f2edde32447f 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -78,6 +78,14 @@ type TextParser struct {
 	// These indicate if the metric name from the current line being parsed is inside
 	// braces and if that metric name was found respectively.
 	currentMetricIsInsideBraces, currentMetricInsideBracesIsPresent bool
+	// scheme sets the desired ValidationScheme for names. Defaults to the invalid
+	// UnsetValidation.
+	scheme model.ValidationScheme
+}
+
+// NewTextParser returns a new TextParser with the provided nameValidationScheme.
+func NewTextParser(nameValidationScheme model.ValidationScheme) TextParser {
+	return TextParser{scheme: nameValidationScheme}
 }
 
 // TextToMetricFamilies reads 'in' as the simple and flat text-based exchange
@@ -126,6 +134,7 @@ func (p *TextParser) TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricF
 
 func (p *TextParser) reset(in io.Reader) {
 	p.metricFamiliesByName = map[string]*dto.MetricFamily{}
+	p.currentLabelPairs = nil
 	if p.buf == nil {
 		p.buf = bufio.NewReader(in)
 	} else {
@@ -216,6 +225,9 @@ func (p *TextParser) startComment() stateFn {
 		return nil
 	}
 	p.setOrCreateCurrentMF()
+	if p.err != nil {
+		return nil
+	}
 	if p.skipBlankTab(); p.err != nil {
 		return nil // Unexpected end of input.
 	}
@@ -244,6 +256,9 @@ func (p *TextParser) readingMetricName() stateFn {
 		return nil
 	}
 	p.setOrCreateCurrentMF()
+	if p.err != nil {
+		return nil
+	}
 	// Now is the time to fix the type if it hasn't happened yet.
 	if p.currentMF.Type == nil {
 		p.currentMF.Type = dto.MetricType_UNTYPED.Enum()
@@ -311,6 +326,9 @@ func (p *TextParser) startLabelName() stateFn {
 			switch p.currentByte {
 			case ',':
 				p.setOrCreateCurrentMF()
+				if p.err != nil {
+					return nil
+				}
 				if p.currentMF.Type == nil {
 					p.currentMF.Type = dto.MetricType_UNTYPED.Enum()
 				}
@@ -319,6 +337,10 @@ func (p *TextParser) startLabelName() stateFn {
 				return p.startLabelName
 			case '}':
 				p.setOrCreateCurrentMF()
+				if p.err != nil {
+					p.currentLabelPairs = nil
+					return nil
+				}
 				if p.currentMF.Type == nil {
 					p.currentMF.Type = dto.MetricType_UNTYPED.Enum()
 				}
@@ -341,25 +363,30 @@ func (p *TextParser) startLabelName() stateFn {
 	p.currentLabelPair = &dto.LabelPair{Name: proto.String(p.currentToken.String())}
 	if p.currentLabelPair.GetName() == string(model.MetricNameLabel) {
 		p.parseError(fmt.Sprintf("label name %q is reserved", model.MetricNameLabel))
+		p.currentLabelPairs = nil
+		return nil
+	}
+	if !p.scheme.IsValidLabelName(p.currentLabelPair.GetName()) {
+		p.parseError(fmt.Sprintf("invalid label name %q", p.currentLabelPair.GetName()))
+		p.currentLabelPairs = nil
 		return nil
 	}
 	// Special summary/histogram treatment. Don't add 'quantile' and 'le'
 	// labels to 'real' labels.
-	if !(p.currentMF.GetType() == dto.MetricType_SUMMARY && p.currentLabelPair.GetName() == model.QuantileLabel) &&
-		!(p.currentMF.GetType() == dto.MetricType_HISTOGRAM && p.currentLabelPair.GetName() == model.BucketLabel) {
+	if (p.currentMF.GetType() != dto.MetricType_SUMMARY || p.currentLabelPair.GetName() != model.QuantileLabel) &&
+		(p.currentMF.GetType() != dto.MetricType_HISTOGRAM || p.currentLabelPair.GetName() != model.BucketLabel) {
 		p.currentLabelPairs = append(p.currentLabelPairs, p.currentLabelPair)
 	}
 	// Check for duplicate label names.
 	labels := make(map[string]struct{})
 	for _, l := range p.currentLabelPairs {
 		lName := l.GetName()
-		if _, exists := labels[lName]; !exists {
-			labels[lName] = struct{}{}
-		} else {
+		if _, exists := labels[lName]; exists {
 			p.parseError(fmt.Sprintf("duplicate label names for metric %q", p.currentMF.GetName()))
 			p.currentLabelPairs = nil
 			return nil
 		}
+		labels[lName] = struct{}{}
 	}
 	return p.startLabelValue
 }
@@ -440,7 +467,8 @@ func (p *TextParser) readingValue() stateFn {
 	// When we are here, we have read all the labels, so for the
 	// special case of a summary/histogram, we can finally find out
 	// if the metric already exists.
-	if p.currentMF.GetType() == dto.MetricType_SUMMARY {
+	switch p.currentMF.GetType() {
+	case dto.MetricType_SUMMARY:
 		signature := model.LabelsToSignature(p.currentLabels)
 		if summary := p.summaries[signature]; summary != nil {
 			p.currentMetric = summary
@@ -448,7 +476,7 @@ func (p *TextParser) readingValue() stateFn {
 			p.summaries[signature] = p.currentMetric
 			p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric)
 		}
-	} else if p.currentMF.GetType() == dto.MetricType_HISTOGRAM {
+	case dto.MetricType_HISTOGRAM:
 		signature := model.LabelsToSignature(p.currentLabels)
 		if histogram := p.histograms[signature]; histogram != nil {
 			p.currentMetric = histogram
@@ -456,7 +484,7 @@ func (p *TextParser) readingValue() stateFn {
 			p.histograms[signature] = p.currentMetric
 			p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric)
 		}
-	} else {
+	default:
 		p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric)
 	}
 	if p.readTokenUntilWhitespace(); p.err != nil {
@@ -805,6 +833,10 @@ func (p *TextParser) setOrCreateCurrentMF() {
 	p.currentIsHistogramCount = false
 	p.currentIsHistogramSum = false
 	name := p.currentToken.String()
+	if !p.scheme.IsValidMetricName(name) {
+		p.parseError(fmt.Sprintf("invalid metric name %q", name))
+		return
+	}
 	if p.currentMF = p.metricFamiliesByName[name]; p.currentMF != nil {
 		return
 	}
diff --git a/vendor/github.com/prometheus/common/model/alert.go b/vendor/github.com/prometheus/common/model/alert.go
index bd3a39e3e1471..460f554f2945d 100644
--- a/vendor/github.com/prometheus/common/model/alert.go
+++ b/vendor/github.com/prometheus/common/model/alert.go
@@ -65,7 +65,7 @@ func (a *Alert) Resolved() bool {
 	return a.ResolvedAt(time.Now())
 }
 
-// ResolvedAt returns true off the activity interval ended before
+// ResolvedAt returns true iff the activity interval ended before
 // the given timestamp.
 func (a *Alert) ResolvedAt(ts time.Time) bool {
 	if a.EndsAt.IsZero() {
diff --git a/vendor/github.com/prometheus/common/model/labels.go b/vendor/github.com/prometheus/common/model/labels.go
index 73b7aa3e60bdd..dfeb34be5f3ae 100644
--- a/vendor/github.com/prometheus/common/model/labels.go
+++ b/vendor/github.com/prometheus/common/model/labels.go
@@ -22,7 +22,7 @@ import (
 )
 
 const (
-	// AlertNameLabel is the name of the label containing the an alert's name.
+	// AlertNameLabel is the name of the label containing the alert's name.
 	AlertNameLabel = "alertname"
 
 	// ExportedLabelPrefix is the prefix to prepend to the label names present in
@@ -32,6 +32,12 @@ const (
 	// MetricNameLabel is the label name indicating the metric name of a
 	// timeseries.
 	MetricNameLabel = "__name__"
+	// MetricTypeLabel is the label name indicating the metric type of
+	// timeseries as per the PROM-39 proposal.
+	MetricTypeLabel = "__type__"
+	// MetricUnitLabel is the label name indicating the metric unit of
+	// timeseries as per the PROM-39 proposal.
+	MetricUnitLabel = "__unit__"
 
 	// SchemeLabel is the name of the label that holds the scheme on which to
 	// scrape a target.
@@ -100,33 +106,21 @@ type LabelName string
 // IsValid returns true iff the name matches the pattern of LabelNameRE when
 // NameValidationScheme is set to LegacyValidation, or valid UTF-8 if
 // NameValidationScheme is set to UTF8Validation.
+//
+// Deprecated: This method should not be used and may be removed in the future.
+// Use [ValidationScheme.IsValidLabelName] instead.
 func (ln LabelName) IsValid() bool {
-	if len(ln) == 0 {
-		return false
-	}
-	switch NameValidationScheme {
-	case LegacyValidation:
-		return ln.IsValidLegacy()
-	case UTF8Validation:
-		return utf8.ValidString(string(ln))
-	default:
-		panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
-	}
+	return NameValidationScheme.IsValidLabelName(string(ln))
 }
 
 // IsValidLegacy returns true iff name matches the pattern of LabelNameRE for
 // legacy names. It does not use LabelNameRE for the check but a much faster
 // hardcoded implementation.
+//
+// Deprecated: This method should not be used and may be removed in the future.
+// Use [LegacyValidation.IsValidLabelName] instead.
 func (ln LabelName) IsValidLegacy() bool {
-	if len(ln) == 0 {
-		return false
-	}
-	for i, b := range ln {
-		if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
-			return false
-		}
-	}
-	return true
+	return LegacyValidation.IsValidLabelName(string(ln))
 }
 
 // UnmarshalYAML implements the yaml.Unmarshaler interface.
diff --git a/vendor/github.com/prometheus/common/model/labelset.go b/vendor/github.com/prometheus/common/model/labelset.go
index d0ad88da3346c..9de47b2568eea 100644
--- a/vendor/github.com/prometheus/common/model/labelset.go
+++ b/vendor/github.com/prometheus/common/model/labelset.go
@@ -114,10 +114,10 @@ func (ls LabelSet) Clone() LabelSet {
 }
 
 // Merge is a helper function to non-destructively merge two label sets.
-func (l LabelSet) Merge(other LabelSet) LabelSet {
-	result := make(LabelSet, len(l))
+func (ls LabelSet) Merge(other LabelSet) LabelSet {
+	result := make(LabelSet, len(ls))
 
-	for k, v := range l {
+	for k, v := range ls {
 		result[k] = v
 	}
 
@@ -140,7 +140,7 @@ func (ls LabelSet) FastFingerprint() Fingerprint {
 }
 
 // UnmarshalJSON implements the json.Unmarshaler interface.
-func (l *LabelSet) UnmarshalJSON(b []byte) error {
+func (ls *LabelSet) UnmarshalJSON(b []byte) error {
 	var m map[LabelName]LabelValue
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err
@@ -153,6 +153,6 @@ func (l *LabelSet) UnmarshalJSON(b []byte) error {
 			return fmt.Errorf("%q is not a valid label name", ln)
 		}
 	}
-	*l = LabelSet(m)
+	*ls = LabelSet(m)
 	return nil
 }
diff --git a/vendor/github.com/prometheus/common/model/metric.go b/vendor/github.com/prometheus/common/model/metric.go
index 5766107cf95f0..3feebf328ae61 100644
--- a/vendor/github.com/prometheus/common/model/metric.go
+++ b/vendor/github.com/prometheus/common/model/metric.go
@@ -14,6 +14,7 @@
 package model
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"regexp"
@@ -23,17 +24,30 @@ import (
 	"unicode/utf8"
 
 	dto "github.com/prometheus/client_model/go"
+	"go.yaml.in/yaml/v2"
 	"google.golang.org/protobuf/proto"
 )
 
 var (
-	// NameValidationScheme determines the method of name validation to be used by
-	// all calls to IsValidMetricName() and LabelName IsValid(). Setting UTF-8
-	// mode in isolation from other components that don't support UTF-8 may result
-	// in bugs or other undefined behavior. This value can be set to
-	// LegacyValidation during startup if a binary is not UTF-8-aware binaries. To
-	// avoid need for locking, this value should be set once, ideally in an
-	// init(), before multiple goroutines are started.
+	// NameValidationScheme determines the global default method of the name
+	// validation to be used by all calls to IsValidMetricName() and LabelName
+	// IsValid().
+	//
+	// Deprecated: This variable should not be used and might be removed in the
+	// far future. If you wish to stick to the legacy name validation use
+	// `IsValidLegacyMetricName()` and `LabelName.IsValidLegacy()` methods
+	// instead. This variable is here as an escape hatch for emergency cases,
+	// given the recent change from `LegacyValidation` to `UTF8Validation`, e.g.,
+	// to delay UTF-8 migrations in time or aid in debugging unforeseen results of
+	// the change. In such a case, a temporary assignment to `LegacyValidation`
+	// value in the `init()` function in your main.go or so, could be considered.
+	//
+	// Historically we opted for a global variable for feature gating different
+	// validation schemes in operations that were not otherwise easily adjustable
+	// (e.g. Labels yaml unmarshaling). That could have been a mistake, a separate
+	// Labels structure or package might have been a better choice. Given the
+	// change was made and many upgraded the common already, we live this as-is
+	// with this warning and learning for the future.
 	NameValidationScheme = UTF8Validation
 
 	// NameEscapingScheme defines the default way that names will be escaped when
@@ -50,16 +64,151 @@ var (
 type ValidationScheme int
 
 const (
-	// LegacyValidation is a setting that requirets that metric and label names
+	// UnsetValidation represents an undefined ValidationScheme.
+	// Should not be used in practice.
+	UnsetValidation ValidationScheme = iota
+
+	// LegacyValidation is a setting that requires that all metric and label names
 	// conform to the original Prometheus character requirements described by
 	// MetricNameRE and LabelNameRE.
-	LegacyValidation ValidationScheme = iota
+	LegacyValidation
 
 	// UTF8Validation only requires that metric and label names be valid UTF-8
 	// strings.
 	UTF8Validation
 )
 
+var _ interface {
+	yaml.Marshaler
+	yaml.Unmarshaler
+	json.Marshaler
+	json.Unmarshaler
+	fmt.Stringer
+} = new(ValidationScheme)
+
+// String returns the string representation of s.
+func (s ValidationScheme) String() string {
+	switch s {
+	case UnsetValidation:
+		return "unset"
+	case LegacyValidation:
+		return "legacy"
+	case UTF8Validation:
+		return "utf8"
+	default:
+		panic(fmt.Errorf("unhandled ValidationScheme: %d", s))
+	}
+}
+
+// MarshalYAML implements the yaml.Marshaler interface.
+func (s ValidationScheme) MarshalYAML() (any, error) {
+	switch s {
+	case UnsetValidation:
+		return "", nil
+	case LegacyValidation, UTF8Validation:
+		return s.String(), nil
+	default:
+		panic(fmt.Errorf("unhandled ValidationScheme: %d", s))
+	}
+}
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface.
+func (s *ValidationScheme) UnmarshalYAML(unmarshal func(any) error) error {
+	var scheme string
+	if err := unmarshal(&scheme); err != nil {
+		return err
+	}
+	return s.Set(scheme)
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (s ValidationScheme) MarshalJSON() ([]byte, error) {
+	switch s {
+	case UnsetValidation:
+		return json.Marshal("")
+	case UTF8Validation, LegacyValidation:
+		return json.Marshal(s.String())
+	default:
+		return nil, fmt.Errorf("unhandled ValidationScheme: %d", s)
+	}
+}
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (s *ValidationScheme) UnmarshalJSON(bytes []byte) error {
+	var repr string
+	if err := json.Unmarshal(bytes, &repr); err != nil {
+		return err
+	}
+	return s.Set(repr)
+}
+
+// Set implements the pflag.Value interface.
+func (s *ValidationScheme) Set(text string) error {
+	switch text {
+	case "":
+		// Don't change the value.
+	case LegacyValidation.String():
+		*s = LegacyValidation
+	case UTF8Validation.String():
+		*s = UTF8Validation
+	default:
+		return fmt.Errorf("unrecognized ValidationScheme: %q", text)
+	}
+	return nil
+}
+
+// IsValidMetricName returns whether metricName is valid according to s.
+func (s ValidationScheme) IsValidMetricName(metricName string) bool {
+	switch s {
+	case LegacyValidation:
+		if len(metricName) == 0 {
+			return false
+		}
+		for i, b := range metricName {
+			if !isValidLegacyRune(b, i) {
+				return false
+			}
+		}
+		return true
+	case UTF8Validation:
+		if len(metricName) == 0 {
+			return false
+		}
+		return utf8.ValidString(metricName)
+	default:
+		panic(fmt.Sprintf("Invalid name validation scheme requested: %s", s.String()))
+	}
+}
+
+// IsValidLabelName returns whether labelName is valid according to s.
+func (s ValidationScheme) IsValidLabelName(labelName string) bool {
+	switch s {
+	case LegacyValidation:
+		if len(labelName) == 0 {
+			return false
+		}
+		for i, b := range labelName {
+			// TODO: Apply De Morgan's law. Make sure there are tests for this.
+			if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) { //nolint:staticcheck
+				return false
+			}
+		}
+		return true
+	case UTF8Validation:
+		if len(labelName) == 0 {
+			return false
+		}
+		return utf8.ValidString(labelName)
+	default:
+		panic(fmt.Sprintf("Invalid name validation scheme requested: %s", s))
+	}
+}
+
+// Type implements the pflag.Value interface.
+func (ValidationScheme) Type() string {
+	return "validationScheme"
+}
+
 type EscapingScheme int
 
 const (
@@ -89,7 +238,7 @@ const (
 	// Accept header, the default NameEscapingScheme will be used.
 	EscapingKey = "escaping"
 
-	// Possible values for Escaping Key:
+	// Possible values for Escaping Key.
 	AllowUTF8         = "allow-utf-8" // No escaping required.
 	EscapeUnderscores = "underscores"
 	EscapeDots        = "dots"
@@ -163,34 +312,22 @@ func (m Metric) FastFingerprint() Fingerprint {
 // IsValidMetricName returns true iff name matches the pattern of MetricNameRE
 // for legacy names, and iff it's valid UTF-8 if the UTF8Validation scheme is
 // selected.
+//
+// Deprecated: This function should not be used and might be removed in the future.
+// Use [ValidationScheme.IsValidMetricName] instead.
 func IsValidMetricName(n LabelValue) bool {
-	switch NameValidationScheme {
-	case LegacyValidation:
-		return IsValidLegacyMetricName(string(n))
-	case UTF8Validation:
-		if len(n) == 0 {
-			return false
-		}
-		return utf8.ValidString(string(n))
-	default:
-		panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
-	}
+	return NameValidationScheme.IsValidMetricName(string(n))
 }
 
 // IsValidLegacyMetricName is similar to IsValidMetricName but always uses the
 // legacy validation scheme regardless of the value of NameValidationScheme.
 // This function, however, does not use MetricNameRE for the check but a much
 // faster hardcoded implementation.
+//
+// Deprecated: This function should not be used and might be removed in the future.
+// Use [LegacyValidation.IsValidMetricName] instead.
 func IsValidLegacyMetricName(n string) bool {
-	if len(n) == 0 {
-		return false
-	}
-	for i, b := range n {
-		if !isValidLegacyRune(b, i) {
-			return false
-		}
-	}
-	return true
+	return LegacyValidation.IsValidMetricName(n)
 }
 
 // EscapeMetricFamily escapes the given metric names and labels with the given
@@ -298,13 +435,14 @@ func EscapeName(name string, scheme EscapingScheme) string {
 	case DotsEscaping:
 		// Do not early return for legacy valid names, we still escape underscores.
 		for i, b := range name {
-			if b == '_' {
+			switch {
+			case b == '_':
 				escaped.WriteString("__")
-			} else if b == '.' {
+			case b == '.':
 				escaped.WriteString("_dot_")
-			} else if isValidLegacyRune(b, i) {
+			case isValidLegacyRune(b, i):
 				escaped.WriteRune(b)
-			} else {
+			default:
 				escaped.WriteString("__")
 			}
 		}
@@ -315,13 +453,14 @@ func EscapeName(name string, scheme EscapingScheme) string {
 		}
 		escaped.WriteString("U__")
 		for i, b := range name {
-			if b == '_' {
+			switch {
+			case b == '_':
 				escaped.WriteString("__")
-			} else if isValidLegacyRune(b, i) {
+			case isValidLegacyRune(b, i):
 				escaped.WriteRune(b)
-			} else if !utf8.ValidRune(b) {
+			case !utf8.ValidRune(b):
 				escaped.WriteString("_FFFD_")
-			} else {
+			default:
 				escaped.WriteRune('_')
 				escaped.WriteString(strconv.FormatInt(int64(b), 16))
 				escaped.WriteRune('_')
@@ -333,7 +472,7 @@ func EscapeName(name string, scheme EscapingScheme) string {
 	}
 }
 
-// lower function taken from strconv.atoi
+// lower function taken from strconv.atoi.
 func lower(c byte) byte {
 	return c | ('x' - 'X')
 }
@@ -397,11 +536,12 @@ func UnescapeName(name string, scheme EscapingScheme) string {
 				}
 				r := lower(escapedName[i])
 				utf8Val *= 16
-				if r >= '0' && r <= '9' {
+				switch {
+				case r >= '0' && r <= '9':
 					utf8Val += uint(r) - '0'
-				} else if r >= 'a' && r <= 'f' {
+				case r >= 'a' && r <= 'f':
 					utf8Val += uint(r) - 'a' + 10
-				} else {
+				default:
 					return name
 				}
 				i++
diff --git a/vendor/github.com/prometheus/common/model/time.go b/vendor/github.com/prometheus/common/model/time.go
index 5727452c1ee95..1730b0fdc1210 100644
--- a/vendor/github.com/prometheus/common/model/time.go
+++ b/vendor/github.com/prometheus/common/model/time.go
@@ -126,14 +126,14 @@ func (t *Time) UnmarshalJSON(b []byte) error {
 	p := strings.Split(string(b), ".")
 	switch len(p) {
 	case 1:
-		v, err := strconv.ParseInt(string(p[0]), 10, 64)
+		v, err := strconv.ParseInt(p[0], 10, 64)
 		if err != nil {
 			return err
 		}
 		*t = Time(v * second)
 
 	case 2:
-		v, err := strconv.ParseInt(string(p[0]), 10, 64)
+		v, err := strconv.ParseInt(p[0], 10, 64)
 		if err != nil {
 			return err
 		}
@@ -143,7 +143,7 @@ func (t *Time) UnmarshalJSON(b []byte) error {
 		if prec < 0 {
 			p[1] = p[1][:dotPrecision]
 		} else if prec > 0 {
-			p[1] = p[1] + strings.Repeat("0", prec)
+			p[1] += strings.Repeat("0", prec)
 		}
 
 		va, err := strconv.ParseInt(p[1], 10, 32)
@@ -170,15 +170,15 @@ func (t *Time) UnmarshalJSON(b []byte) error {
 // This type should not propagate beyond the scope of input/output processing.
 type Duration time.Duration
 
-// Set implements pflag/flag.Value
+// Set implements pflag/flag.Value.
 func (d *Duration) Set(s string) error {
 	var err error
 	*d, err = ParseDuration(s)
 	return err
 }
 
-// Type implements pflag.Value
-func (d *Duration) Type() string {
+// Type implements pflag.Value.
+func (*Duration) Type() string {
 	return "duration"
 }
 
@@ -201,6 +201,7 @@ var unitMap = map[string]struct {
 
 // ParseDuration parses a string into a time.Duration, assuming that a year
 // always has 365d, a week always has 7d, and a day always has 24h.
+// Negative durations are not supported.
 func ParseDuration(s string) (Duration, error) {
 	switch s {
 	case "0":
@@ -253,18 +254,36 @@ func ParseDuration(s string) (Duration, error) {
 			return 0, errors.New("duration out of range")
 		}
 	}
+
 	return Duration(dur), nil
 }
 
+// ParseDurationAllowNegative is like ParseDuration but also accepts negative durations.
+func ParseDurationAllowNegative(s string) (Duration, error) {
+	if s == "" || s[0] != '-' {
+		return ParseDuration(s)
+	}
+
+	d, err := ParseDuration(s[1:])
+
+	return -d, err
+}
+
 func (d Duration) String() string {
 	var (
-		ms = int64(time.Duration(d) / time.Millisecond)
-		r  = ""
+		ms   = int64(time.Duration(d) / time.Millisecond)
+		r    = ""
+		sign = ""
 	)
+
 	if ms == 0 {
 		return "0s"
 	}
 
+	if ms < 0 {
+		sign, ms = "-", -ms
+	}
+
 	f := func(unit string, mult int64, exact bool) {
 		if exact && ms%mult != 0 {
 			return
@@ -286,7 +305,7 @@ func (d Duration) String() string {
 	f("s", 1000, false)
 	f("ms", 1, false)
 
-	return r
+	return sign + r
 }
 
 // MarshalJSON implements the json.Marshaler interface.
diff --git a/vendor/github.com/prometheus/common/model/value.go b/vendor/github.com/prometheus/common/model/value.go
index 8050637d82230..a9995a37eeeaa 100644
--- a/vendor/github.com/prometheus/common/model/value.go
+++ b/vendor/github.com/prometheus/common/model/value.go
@@ -191,7 +191,8 @@ func (ss SampleStream) String() string {
 }
 
 func (ss SampleStream) MarshalJSON() ([]byte, error) {
-	if len(ss.Histograms) > 0 && len(ss.Values) > 0 {
+	switch {
+	case len(ss.Histograms) > 0 && len(ss.Values) > 0:
 		v := struct {
 			Metric     Metric                `json:"metric"`
 			Values     []SamplePair          `json:"values"`
@@ -202,7 +203,7 @@ func (ss SampleStream) MarshalJSON() ([]byte, error) {
 			Histograms: ss.Histograms,
 		}
 		return json.Marshal(&v)
-	} else if len(ss.Histograms) > 0 {
+	case len(ss.Histograms) > 0:
 		v := struct {
 			Metric     Metric                `json:"metric"`
 			Histograms []SampleHistogramPair `json:"histograms"`
@@ -211,7 +212,7 @@ func (ss SampleStream) MarshalJSON() ([]byte, error) {
 			Histograms: ss.Histograms,
 		}
 		return json.Marshal(&v)
-	} else {
+	default:
 		v := struct {
 			Metric Metric       `json:"metric"`
 			Values []SamplePair `json:"values"`
@@ -258,7 +259,7 @@ func (s Scalar) String() string {
 // MarshalJSON implements json.Marshaler.
 func (s Scalar) MarshalJSON() ([]byte, error) {
 	v := strconv.FormatFloat(float64(s.Value), 'f', -1, 64)
-	return json.Marshal([...]interface{}{s.Timestamp, string(v)})
+	return json.Marshal([...]interface{}{s.Timestamp, v})
 }
 
 // UnmarshalJSON implements json.Unmarshaler.
@@ -349,9 +350,9 @@ func (m Matrix) Len() int           { return len(m) }
 func (m Matrix) Less(i, j int) bool { return m[i].Metric.Before(m[j].Metric) }
 func (m Matrix) Swap(i, j int)      { m[i], m[j] = m[j], m[i] }
 
-func (mat Matrix) String() string {
-	matCp := make(Matrix, len(mat))
-	copy(matCp, mat)
+func (m Matrix) String() string {
+	matCp := make(Matrix, len(m))
+	copy(matCp, m)
 	sort.Sort(matCp)
 
 	strs := make([]string, len(matCp))
diff --git a/vendor/github.com/prometheus/common/model/value_histogram.go b/vendor/github.com/prometheus/common/model/value_histogram.go
index 895e6a3e8393e..91ce5b7a45c21 100644
--- a/vendor/github.com/prometheus/common/model/value_histogram.go
+++ b/vendor/github.com/prometheus/common/model/value_histogram.go
@@ -86,22 +86,22 @@ func (s *HistogramBucket) Equal(o *HistogramBucket) bool {
 	return s == o || (s.Boundaries == o.Boundaries && s.Lower == o.Lower && s.Upper == o.Upper && s.Count == o.Count)
 }
 
-func (b HistogramBucket) String() string {
+func (s HistogramBucket) String() string {
 	var sb strings.Builder
-	lowerInclusive := b.Boundaries == 1 || b.Boundaries == 3
-	upperInclusive := b.Boundaries == 0 || b.Boundaries == 3
+	lowerInclusive := s.Boundaries == 1 || s.Boundaries == 3
+	upperInclusive := s.Boundaries == 0 || s.Boundaries == 3
 	if lowerInclusive {
 		sb.WriteRune('[')
 	} else {
 		sb.WriteRune('(')
 	}
-	fmt.Fprintf(&sb, "%g,%g", b.Lower, b.Upper)
+	fmt.Fprintf(&sb, "%g,%g", s.Lower, s.Upper)
 	if upperInclusive {
 		sb.WriteRune(']')
 	} else {
 		sb.WriteRune(')')
 	}
-	fmt.Fprintf(&sb, ":%v", b.Count)
+	fmt.Fprintf(&sb, ":%v", s.Count)
 	return sb.String()
 }
 
diff --git a/vendor/github.com/prometheus/common/model/value_type.go b/vendor/github.com/prometheus/common/model/value_type.go
index 726c50ee638c6..078910f46b732 100644
--- a/vendor/github.com/prometheus/common/model/value_type.go
+++ b/vendor/github.com/prometheus/common/model/value_type.go
@@ -66,8 +66,8 @@ func (et *ValueType) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
-func (e ValueType) String() string {
-	switch e {
+func (et ValueType) String() string {
+	switch et {
 	case ValNone:
 		return "<ValNone>"
 	case ValScalar:
diff --git a/vendor/github.com/prometheus/procfs/.golangci.yml b/vendor/github.com/prometheus/procfs/.golangci.yml
index 126df9e67acf6..3c3bf910fdfbd 100644
--- a/vendor/github.com/prometheus/procfs/.golangci.yml
+++ b/vendor/github.com/prometheus/procfs/.golangci.yml
@@ -1,22 +1,45 @@
----
+version: "2"
 linters:
   enable:
-  - errcheck
-  - godot
-  - gosimple
-  - govet
-  - ineffassign
-  - misspell
-  - revive
-  - staticcheck
-  - testifylint
-  - unused
-
-linter-settings:
-  godot:
-    capital: true
-    exclude:
-    # Ignore "See: URL"
-    - 'See:'
-  misspell:
-    locale: US
+    - forbidigo
+    - godot
+    - misspell
+    - revive
+    - testifylint
+  settings:
+    forbidigo:
+      forbid:
+        - pattern: ^fmt\.Print.*$
+          msg: Do not commit print statements.
+    godot:
+      exclude:
+        # Ignore "See: URL".
+        - 'See:'
+      capital: true
+    misspell:
+      locale: US
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/prometheus/procfs
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/github.com/prometheus/procfs/Makefile.common b/vendor/github.com/prometheus/procfs/Makefile.common
index 1617292350681..0ed55c2ba21f7 100644
--- a/vendor/github.com/prometheus/procfs/Makefile.common
+++ b/vendor/github.com/prometheus/procfs/Makefile.common
@@ -33,7 +33,7 @@ GOHOSTOS     ?= $(shell $(GO) env GOHOSTOS)
 GOHOSTARCH   ?= $(shell $(GO) env GOHOSTARCH)
 
 GO_VERSION        ?= $(shell $(GO) version)
-GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))
+GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))Error Parsing File
 PRE_GO_111        ?= $(shell echo $(GO_VERSION_NUMBER) | grep -E 'go1\.(10|[0-9])\.')
 
 PROMU        := $(FIRST_GOPATH)/bin/promu
@@ -61,7 +61,7 @@ PROMU_URL     := https://github.com/prometheus/promu/releases/download/v$(PROMU_
 SKIP_GOLANGCI_LINT :=
 GOLANGCI_LINT :=
 GOLANGCI_LINT_OPTS ?=
-GOLANGCI_LINT_VERSION ?= v1.59.0
+GOLANGCI_LINT_VERSION ?= v2.0.2
 # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64.
 # windows isn't included here because of the path separator being different.
 ifeq ($(GOHOSTOS),$(filter $(GOHOSTOS),linux darwin))
@@ -275,3 +275,9 @@ $(1)_precheck:
 		exit 1; \
 	fi
 endef
+
+govulncheck: install-govulncheck
+	govulncheck ./...
+
+install-govulncheck:
+	command -v govulncheck > /dev/null || go install golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/vendor/github.com/prometheus/procfs/README.md b/vendor/github.com/prometheus/procfs/README.md
index 1224816c2ade9..0718239cf19aa 100644
--- a/vendor/github.com/prometheus/procfs/README.md
+++ b/vendor/github.com/prometheus/procfs/README.md
@@ -47,15 +47,15 @@ However, most of the API includes unit tests which can be run with `make test`.
 The procfs library includes a set of test fixtures which include many example files from
 the `/proc` and `/sys` filesystems.  These fixtures are included as a [ttar](https://github.com/ideaship/ttar) file
 which is extracted automatically during testing.  To add/update the test fixtures, first
-ensure the `fixtures` directory is up to date by removing the existing directory and then
-extracting the ttar file using `make fixtures/.unpacked` or just `make test`.
+ensure the `testdata/fixtures` directory is up to date by removing the existing directory and then
+extracting the ttar file using `make testdata/fixtures/.unpacked` or just `make test`.
 
 ```bash
 rm -rf testdata/fixtures
 make test
 ```
 
-Next, make the required changes to the extracted files in the `fixtures` directory.  When
+Next, make the required changes to the extracted files in the `testdata/fixtures` directory.  When
 the changes are complete, run `make update_fixtures` to create a new `fixtures.ttar` file
 based on the updated `fixtures` directory.  And finally, verify the changes using
 `git diff testdata/fixtures.ttar`.
diff --git a/vendor/github.com/prometheus/procfs/arp.go b/vendor/github.com/prometheus/procfs/arp.go
index cdcc8a7ccc463..2e53344151f54 100644
--- a/vendor/github.com/prometheus/procfs/arp.go
+++ b/vendor/github.com/prometheus/procfs/arp.go
@@ -23,9 +23,9 @@ import (
 
 // Learned from include/uapi/linux/if_arp.h.
 const (
-	// completed entry (ha valid).
+	// Completed entry (ha valid).
 	ATFComplete = 0x02
-	// permanent entry.
+	// Permanent entry.
 	ATFPermanent = 0x04
 	// Publish entry.
 	ATFPublish = 0x08
diff --git a/vendor/github.com/prometheus/procfs/fs.go b/vendor/github.com/prometheus/procfs/fs.go
index 4980c875bfce1..9bdaccc7c8a47 100644
--- a/vendor/github.com/prometheus/procfs/fs.go
+++ b/vendor/github.com/prometheus/procfs/fs.go
@@ -24,8 +24,14 @@ type FS struct {
 	isReal bool
 }
 
-// DefaultMountPoint is the common mount point of the proc filesystem.
-const DefaultMountPoint = fs.DefaultProcMountPoint
+const (
+	// DefaultMountPoint is the common mount point of the proc filesystem.
+	DefaultMountPoint = fs.DefaultProcMountPoint
+
+	// SectorSize represents the size of a sector in bytes.
+	// It is specific to Linux block I/O operations.
+	SectorSize = 512
+)
 
 // NewDefaultFS returns a new proc FS mounted under the default proc mountPoint.
 // It will error if the mount point directory can't be read or is a file.
diff --git a/vendor/github.com/prometheus/procfs/fs_statfs_notype.go b/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
index 134767d69ac13..1b5bdbdf84ac2 100644
--- a/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
+++ b/vendor/github.com/prometheus/procfs/fs_statfs_notype.go
@@ -17,7 +17,7 @@
 package procfs
 
 // isRealProc returns true on architectures that don't have a Type argument
-// in their Statfs_t struct
-func isRealProc(mountPoint string) (bool, error) {
+// in their Statfs_t struct.
+func isRealProc(_ string) (bool, error) {
 	return true, nil
 }
diff --git a/vendor/github.com/prometheus/procfs/fscache.go b/vendor/github.com/prometheus/procfs/fscache.go
index cf2e3eaa03c67..7db8633077932 100644
--- a/vendor/github.com/prometheus/procfs/fscache.go
+++ b/vendor/github.com/prometheus/procfs/fscache.go
@@ -162,7 +162,7 @@ type Fscacheinfo struct {
 	ReleaseRequestsAgainstPagesStoredByTimeLockGranted uint64
 	// Number of release reqs ignored due to in-progress store
 	ReleaseRequestsIgnoredDueToInProgressStore uint64
-	// Number of page stores cancelled due to release req
+	// Number of page stores canceled due to release req
 	PageStoresCancelledByReleaseRequests uint64
 	VmscanWaiting                        uint64
 	// Number of times async ops added to pending queues
@@ -171,11 +171,11 @@ type Fscacheinfo struct {
 	OpsRunning uint64
 	// Number of times async ops queued for processing
 	OpsEnqueued uint64
-	// Number of async ops cancelled
+	// Number of async ops canceled
 	OpsCancelled uint64
 	// Number of async ops rejected due to object lookup/create failure
 	OpsRejected uint64
-	// Number of async ops initialised
+	// Number of async ops initialized
 	OpsInitialised uint64
 	// Number of async ops queued for deferred release
 	OpsDeferred uint64
diff --git a/vendor/github.com/prometheus/procfs/internal/fs/fs.go b/vendor/github.com/prometheus/procfs/internal/fs/fs.go
index 3c18c7610ef56..3a43e83915f50 100644
--- a/vendor/github.com/prometheus/procfs/internal/fs/fs.go
+++ b/vendor/github.com/prometheus/procfs/internal/fs/fs.go
@@ -28,6 +28,9 @@ const (
 
 	// DefaultConfigfsMountPoint is the common mount point of the configfs.
 	DefaultConfigfsMountPoint = "/sys/kernel/config"
+
+	// DefaultSelinuxMountPoint is the common mount point of the selinuxfs.
+	DefaultSelinuxMountPoint = "/sys/fs/selinux"
 )
 
 // FS represents a pseudo-filesystem, normally /proc or /sys, which provides an
diff --git a/vendor/github.com/prometheus/procfs/internal/util/parse.go b/vendor/github.com/prometheus/procfs/internal/util/parse.go
index 14272dc78857d..5a7d2df06ae33 100644
--- a/vendor/github.com/prometheus/procfs/internal/util/parse.go
+++ b/vendor/github.com/prometheus/procfs/internal/util/parse.go
@@ -14,6 +14,7 @@
 package util
 
 import (
+	"errors"
 	"os"
 	"strconv"
 	"strings"
@@ -110,3 +111,16 @@ func ParseBool(b string) *bool {
 	}
 	return &truth
 }
+
+// ReadHexFromFile reads a file and attempts to parse a uint64 from a hexadecimal format 0xXX.
+func ReadHexFromFile(path string) (uint64, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	hexString := strings.TrimSpace(string(data))
+	if !strings.HasPrefix(hexString, "0x") {
+		return 0, errors.New("invalid format: hex string does not start with '0x'")
+	}
+	return strconv.ParseUint(hexString[2:], 16, 64)
+}
diff --git a/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go b/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
index 1ab875ceec6a4..d5404a6d7284b 100644
--- a/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
+++ b/vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go
@@ -20,6 +20,8 @@ package util
 import (
 	"bytes"
 	"os"
+	"strconv"
+	"strings"
 	"syscall"
 )
 
@@ -48,3 +50,21 @@ func SysReadFile(file string) (string, error) {
 
 	return string(bytes.TrimSpace(b[:n])), nil
 }
+
+// SysReadUintFromFile reads a file using SysReadFile and attempts to parse a uint64 from it.
+func SysReadUintFromFile(path string) (uint64, error) {
+	data, err := SysReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseUint(strings.TrimSpace(string(data)), 10, 64)
+}
+
+// SysReadIntFromFile reads a file using SysReadFile and attempts to parse a int64 from it.
+func SysReadIntFromFile(path string) (int64, error) {
+	data, err := SysReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+	return strconv.ParseInt(strings.TrimSpace(string(data)), 10, 64)
+}
diff --git a/vendor/github.com/prometheus/procfs/mountstats.go b/vendor/github.com/prometheus/procfs/mountstats.go
index 75a3b6c810ffd..50caa73274ebb 100644
--- a/vendor/github.com/prometheus/procfs/mountstats.go
+++ b/vendor/github.com/prometheus/procfs/mountstats.go
@@ -45,11 +45,11 @@ const (
 	fieldTransport11TCPLen = 13
 	fieldTransport11UDPLen = 10
 
-	// kernel version >= 4.14 MaxLen
+	// Kernel version >= 4.14 MaxLen
 	// See: https://elixir.bootlin.com/linux/v6.4.8/source/net/sunrpc/xprtrdma/xprt_rdma.h#L393
 	fieldTransport11RDMAMaxLen = 28
 
-	// kernel version <= 4.2 MinLen
+	// Kernel version <= 4.2 MinLen
 	// See: https://elixir.bootlin.com/linux/v4.2.8/source/net/sunrpc/xprtrdma/xprt_rdma.h#L331
 	fieldTransport11RDMAMinLen = 20
 )
@@ -601,11 +601,12 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 	switch statVersion {
 	case statVersion10:
 		var expectedLength int
-		if protocol == "tcp" {
+		switch protocol {
+		case "tcp":
 			expectedLength = fieldTransport10TCPLen
-		} else if protocol == "udp" {
+		case "udp":
 			expectedLength = fieldTransport10UDPLen
-		} else {
+		default:
 			return nil, fmt.Errorf("%w: Invalid NFS protocol \"%s\" in stats 1.0 statement: %v", ErrFileParse, protocol, ss)
 		}
 		if len(ss) != expectedLength {
@@ -613,13 +614,14 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 		}
 	case statVersion11:
 		var expectedLength int
-		if protocol == "tcp" {
+		switch protocol {
+		case "tcp":
 			expectedLength = fieldTransport11TCPLen
-		} else if protocol == "udp" {
+		case "udp":
 			expectedLength = fieldTransport11UDPLen
-		} else if protocol == "rdma" {
+		case "rdma":
 			expectedLength = fieldTransport11RDMAMinLen
-		} else {
+		default:
 			return nil, fmt.Errorf("%w: invalid NFS protocol \"%s\" in stats 1.1 statement: %v", ErrFileParse, protocol, ss)
 		}
 		if (len(ss) != expectedLength && (protocol == "tcp" || protocol == "udp")) ||
@@ -655,11 +657,12 @@ func parseNFSTransportStats(ss []string, statVersion string) (*NFSTransportStats
 	// For the udp RPC transport there is no connection count, connect idle time,
 	// or idle time (fields #3, #4, and #5); all other fields are the same. So
 	// we set them to 0 here.
-	if protocol == "udp" {
+	switch protocol {
+	case "udp":
 		ns = append(ns[:2], append(make([]uint64, 3), ns[2:]...)...)
-	} else if protocol == "tcp" {
+	case "tcp":
 		ns = append(ns[:fieldTransport11TCPLen], make([]uint64, fieldTransport11RDMAMaxLen-fieldTransport11TCPLen+3)...)
-	} else if protocol == "rdma" {
+	case "rdma":
 		ns = append(ns[:fieldTransport10TCPLen], append(make([]uint64, 3), ns[fieldTransport10TCPLen:]...)...)
 	}
 
diff --git a/vendor/github.com/prometheus/procfs/net_dev_snmp6.go b/vendor/github.com/prometheus/procfs/net_dev_snmp6.go
new file mode 100644
index 0000000000000..f50b38e352880
--- /dev/null
+++ b/vendor/github.com/prometheus/procfs/net_dev_snmp6.go
@@ -0,0 +1,96 @@
+// Copyright 2018 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package procfs
+
+import (
+	"bufio"
+	"errors"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// NetDevSNMP6 is parsed from files in /proc/net/dev_snmp6/ or /proc/<PID>/net/dev_snmp6/.
+// The outer map's keys are interface names and the inner map's keys are stat names.
+//
+// If you'd like a total across all interfaces, please use the Snmp6() method of the Proc type.
+type NetDevSNMP6 map[string]map[string]uint64
+
+// Returns kernel/system statistics read from interface files within the /proc/net/dev_snmp6/
+// directory.
+func (fs FS) NetDevSNMP6() (NetDevSNMP6, error) {
+	return newNetDevSNMP6(fs.proc.Path("net/dev_snmp6"))
+}
+
+// Returns kernel/system statistics read from interface files within the /proc/<PID>/net/dev_snmp6/
+// directory.
+func (p Proc) NetDevSNMP6() (NetDevSNMP6, error) {
+	return newNetDevSNMP6(p.path("net/dev_snmp6"))
+}
+
+// newNetDevSNMP6 creates a new NetDevSNMP6 from the contents of the given directory.
+func newNetDevSNMP6(dir string) (NetDevSNMP6, error) {
+	netDevSNMP6 := make(NetDevSNMP6)
+
+	// The net/dev_snmp6 folders contain one file per interface
+	ifaceFiles, err := os.ReadDir(dir)
+	if err != nil {
+		// On systems with IPv6 disabled, this directory won't exist.
+		// Do nothing.
+		if errors.Is(err, os.ErrNotExist) {
+			return netDevSNMP6, err
+		}
+		return netDevSNMP6, err
+	}
+
+	for _, iFaceFile := range ifaceFiles {
+		f, err := os.Open(dir + "/" + iFaceFile.Name())
+		if err != nil {
+			return netDevSNMP6, err
+		}
+		defer f.Close()
+
+		netDevSNMP6[iFaceFile.Name()], err = parseNetDevSNMP6Stats(f)
+		if err != nil {
+			return netDevSNMP6, err
+		}
+	}
+
+	return netDevSNMP6, nil
+}
+
+func parseNetDevSNMP6Stats(r io.Reader) (map[string]uint64, error) {
+	m := make(map[string]uint64)
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		stat := strings.Fields(scanner.Text())
+		if len(stat) < 2 {
+			continue
+		}
+		key, val := stat[0], stat[1]
+
+		// Expect stat name to contain "6" or be "ifIndex"
+		if strings.Contains(key, "6") || key == "ifIndex" {
+			v, err := strconv.ParseUint(val, 10, 64)
+			if err != nil {
+				return m, err
+			}
+
+			m[key] = v
+		}
+	}
+	return m, scanner.Err()
+}
diff --git a/vendor/github.com/prometheus/procfs/net_ip_socket.go b/vendor/github.com/prometheus/procfs/net_ip_socket.go
index b70f1fc7a4aba..19e3378f72d78 100644
--- a/vendor/github.com/prometheus/procfs/net_ip_socket.go
+++ b/vendor/github.com/prometheus/procfs/net_ip_socket.go
@@ -25,7 +25,7 @@ import (
 )
 
 const (
-	// readLimit is used by io.LimitReader while reading the content of the
+	// Maximum size limit used by io.LimitReader while reading the content of the
 	// /proc/net/udp{,6} files. The number of lines inside such a file is dynamic
 	// as each line represents a single used socket.
 	// In theory, the number of available sockets is 65535 (2^16 - 1) per IP.
@@ -50,12 +50,12 @@ type (
 		// UsedSockets shows the total number of parsed lines representing the
 		// number of used sockets.
 		UsedSockets uint64
-		// Drops shows the total number of dropped packets of all UPD sockets.
+		// Drops shows the total number of dropped packets of all UDP sockets.
 		Drops *uint64
 	}
 
-	// netIPSocketLine represents the fields parsed from a single line
-	// in /proc/net/{t,u}dp{,6}. Fields which are not used by IPSocket are skipped.
+	// A single line parser for fields from /proc/net/{t,u}dp{,6}.
+	// Fields which are not used by IPSocket are skipped.
 	// Drops is non-nil for udp{,6}, but nil for tcp{,6}.
 	// For the proc file format details, see https://linux.die.net/man/5/proc.
 	netIPSocketLine struct {
diff --git a/vendor/github.com/prometheus/procfs/net_protocols.go b/vendor/github.com/prometheus/procfs/net_protocols.go
index b6c77b709faec..8d4b1ac05b006 100644
--- a/vendor/github.com/prometheus/procfs/net_protocols.go
+++ b/vendor/github.com/prometheus/procfs/net_protocols.go
@@ -115,22 +115,24 @@ func (ps NetProtocolStats) parseLine(rawLine string) (*NetProtocolStatLine, erro
 	if err != nil {
 		return nil, err
 	}
-	if fields[4] == enabled {
+	switch fields[4] {
+	case enabled:
 		line.Pressure = 1
-	} else if fields[4] == disabled {
+	case disabled:
 		line.Pressure = 0
-	} else {
+	default:
 		line.Pressure = -1
 	}
 	line.MaxHeader, err = strconv.ParseUint(fields[5], 10, 64)
 	if err != nil {
 		return nil, err
 	}
-	if fields[6] == enabled {
+	switch fields[6] {
+	case enabled:
 		line.Slab = true
-	} else if fields[6] == disabled {
+	case disabled:
 		line.Slab = false
-	} else {
+	default:
 		return nil, fmt.Errorf("%w: capability for protocol: %s", ErrFileParse, line.Name)
 	}
 	line.ModuleName = fields[7]
@@ -168,11 +170,12 @@ func (pc *NetProtocolCapabilities) parseCapabilities(capabilities []string) erro
 	}
 
 	for i := 0; i < len(capabilities); i++ {
-		if capabilities[i] == "y" {
+		switch capabilities[i] {
+		case "y":
 			*capabilityFields[i] = true
-		} else if capabilities[i] == "n" {
+		case "n":
 			*capabilityFields[i] = false
-		} else {
+		default:
 			return fmt.Errorf("%w: capability block for protocol: position %d", ErrFileParse, i)
 		}
 	}
diff --git a/vendor/github.com/prometheus/procfs/net_tcp.go b/vendor/github.com/prometheus/procfs/net_tcp.go
index 52776295572d1..0396d72015c01 100644
--- a/vendor/github.com/prometheus/procfs/net_tcp.go
+++ b/vendor/github.com/prometheus/procfs/net_tcp.go
@@ -25,24 +25,28 @@ type (
 
 // NetTCP returns the IPv4 kernel/networking statistics for TCP datagrams
 // read from /proc/net/tcp.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET) instead.
 func (fs FS) NetTCP() (NetTCP, error) {
 	return newNetTCP(fs.proc.Path("net/tcp"))
 }
 
 // NetTCP6 returns the IPv6 kernel/networking statistics for TCP datagrams
 // read from /proc/net/tcp6.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET6) instead.
 func (fs FS) NetTCP6() (NetTCP, error) {
 	return newNetTCP(fs.proc.Path("net/tcp6"))
 }
 
 // NetTCPSummary returns already computed statistics like the total queue lengths
 // for TCP datagrams read from /proc/net/tcp.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET) instead.
 func (fs FS) NetTCPSummary() (*NetTCPSummary, error) {
 	return newNetTCPSummary(fs.proc.Path("net/tcp"))
 }
 
 // NetTCP6Summary returns already computed statistics like the total queue lengths
 // for TCP datagrams read from /proc/net/tcp6.
+// Deprecated: Use github.com/mdlayher/netlink#Conn (with syscall.AF_INET6) instead.
 func (fs FS) NetTCP6Summary() (*NetTCPSummary, error) {
 	return newNetTCPSummary(fs.proc.Path("net/tcp6"))
 }
diff --git a/vendor/github.com/prometheus/procfs/net_unix.go b/vendor/github.com/prometheus/procfs/net_unix.go
index d868cebdaae8a..d7e0cacb4c670 100644
--- a/vendor/github.com/prometheus/procfs/net_unix.go
+++ b/vendor/github.com/prometheus/procfs/net_unix.go
@@ -121,12 +121,12 @@ func parseNetUNIX(r io.Reader) (*NetUNIX, error) {
 	return &nu, nil
 }
 
-func (u *NetUNIX) parseLine(line string, hasInode bool, min int) (*NetUNIXLine, error) {
+func (u *NetUNIX) parseLine(line string, hasInode bool, minFields int) (*NetUNIXLine, error) {
 	fields := strings.Fields(line)
 
 	l := len(fields)
-	if l < min {
-		return nil, fmt.Errorf("%w: expected at least %d fields but got %d", ErrFileParse, min, l)
+	if l < minFields {
+		return nil, fmt.Errorf("%w: expected at least %d fields but got %d", ErrFileParse, minFields, l)
 	}
 
 	// Field offsets are as follows:
@@ -172,7 +172,7 @@ func (u *NetUNIX) parseLine(line string, hasInode bool, min int) (*NetUNIXLine,
 	}
 
 	// Path field is optional.
-	if l > min {
+	if l > minFields {
 		// Path occurs at either index 6 or 7 depending on whether inode is
 		// already present.
 		pathIdx := 7
diff --git a/vendor/github.com/prometheus/procfs/proc.go b/vendor/github.com/prometheus/procfs/proc.go
index 142796368fef9..368187fa884dd 100644
--- a/vendor/github.com/prometheus/procfs/proc.go
+++ b/vendor/github.com/prometheus/procfs/proc.go
@@ -37,9 +37,9 @@ type Proc struct {
 type Procs []Proc
 
 var (
-	ErrFileParse  = errors.New("Error Parsing File")
-	ErrFileRead   = errors.New("Error Reading File")
-	ErrMountPoint = errors.New("Error Accessing Mount point")
+	ErrFileParse  = errors.New("error parsing file")
+	ErrFileRead   = errors.New("error reading file")
+	ErrMountPoint = errors.New("error accessing mount point")
 )
 
 func (p Procs) Len() int           { return len(p) }
@@ -79,7 +79,7 @@ func (fs FS) Self() (Proc, error) {
 	if err != nil {
 		return Proc{}, err
 	}
-	pid, err := strconv.Atoi(strings.Replace(p, string(fs.proc), "", -1))
+	pid, err := strconv.Atoi(strings.ReplaceAll(p, string(fs.proc), ""))
 	if err != nil {
 		return Proc{}, err
 	}
diff --git a/vendor/github.com/prometheus/procfs/proc_cgroup.go b/vendor/github.com/prometheus/procfs/proc_cgroup.go
index daeed7f571af3..4a64347c03a25 100644
--- a/vendor/github.com/prometheus/procfs/proc_cgroup.go
+++ b/vendor/github.com/prometheus/procfs/proc_cgroup.go
@@ -24,7 +24,7 @@ import (
 )
 
 // Cgroup models one line from /proc/[pid]/cgroup. Each Cgroup struct describes the placement of a PID inside a
-// specific control hierarchy. The kernel has two cgroup APIs, v1 and v2. v1 has one hierarchy per available resource
+// specific control hierarchy. The kernel has two cgroup APIs, v1 and v2. The v1 has one hierarchy per available resource
 // controller, while v2 has one unified hierarchy shared by all controllers. Regardless of v1 or v2, all hierarchies
 // contain all running processes, so the question answerable with a Cgroup struct is 'where is this process in
 // this hierarchy' (where==what path on the specific cgroupfs). By prefixing this path with the mount point of
diff --git a/vendor/github.com/prometheus/procfs/proc_io.go b/vendor/github.com/prometheus/procfs/proc_io.go
index 776f34971730d..d15b66ddb64ab 100644
--- a/vendor/github.com/prometheus/procfs/proc_io.go
+++ b/vendor/github.com/prometheus/procfs/proc_io.go
@@ -50,7 +50,7 @@ func (p Proc) IO() (ProcIO, error) {
 
 	ioFormat := "rchar: %d\nwchar: %d\nsyscr: %d\nsyscw: %d\n" +
 		"read_bytes: %d\nwrite_bytes: %d\n" +
-		"cancelled_write_bytes: %d\n"
+		"cancelled_write_bytes: %d\n" //nolint:misspell
 
 	_, err = fmt.Sscanf(string(data), ioFormat, &pio.RChar, &pio.WChar, &pio.SyscR,
 		&pio.SyscW, &pio.ReadBytes, &pio.WriteBytes, &pio.CancelledWriteBytes)
diff --git a/vendor/github.com/prometheus/procfs/proc_netstat.go b/vendor/github.com/prometheus/procfs/proc_netstat.go
index 8e3ff4d794bac..4248c1716ee98 100644
--- a/vendor/github.com/prometheus/procfs/proc_netstat.go
+++ b/vendor/github.com/prometheus/procfs/proc_netstat.go
@@ -209,232 +209,232 @@ func parseProcNetstat(r io.Reader, fileName string) (ProcNetstat, error) {
 			case "TcpExt":
 				switch key {
 				case "SyncookiesSent":
-					procNetstat.TcpExt.SyncookiesSent = &value
+					procNetstat.SyncookiesSent = &value
 				case "SyncookiesRecv":
-					procNetstat.TcpExt.SyncookiesRecv = &value
+					procNetstat.SyncookiesRecv = &value
 				case "SyncookiesFailed":
-					procNetstat.TcpExt.SyncookiesFailed = &value
+					procNetstat.SyncookiesFailed = &value
 				case "EmbryonicRsts":
-					procNetstat.TcpExt.EmbryonicRsts = &value
+					procNetstat.EmbryonicRsts = &value
 				case "PruneCalled":
-					procNetstat.TcpExt.PruneCalled = &value
+					procNetstat.PruneCalled = &value
 				case "RcvPruned":
-					procNetstat.TcpExt.RcvPruned = &value
+					procNetstat.RcvPruned = &value
 				case "OfoPruned":
-					procNetstat.TcpExt.OfoPruned = &value
+					procNetstat.OfoPruned = &value
 				case "OutOfWindowIcmps":
-					procNetstat.TcpExt.OutOfWindowIcmps = &value
+					procNetstat.OutOfWindowIcmps = &value
 				case "LockDroppedIcmps":
-					procNetstat.TcpExt.LockDroppedIcmps = &value
+					procNetstat.LockDroppedIcmps = &value
 				case "ArpFilter":
-					procNetstat.TcpExt.ArpFilter = &value
+					procNetstat.ArpFilter = &value
 				case "TW":
-					procNetstat.TcpExt.TW = &value
+					procNetstat.TW = &value
 				case "TWRecycled":
-					procNetstat.TcpExt.TWRecycled = &value
+					procNetstat.TWRecycled = &value
 				case "TWKilled":
-					procNetstat.TcpExt.TWKilled = &value
+					procNetstat.TWKilled = &value
 				case "PAWSActive":
-					procNetstat.TcpExt.PAWSActive = &value
+					procNetstat.PAWSActive = &value
 				case "PAWSEstab":
-					procNetstat.TcpExt.PAWSEstab = &value
+					procNetstat.PAWSEstab = &value
 				case "DelayedACKs":
-					procNetstat.TcpExt.DelayedACKs = &value
+					procNetstat.DelayedACKs = &value
 				case "DelayedACKLocked":
-					procNetstat.TcpExt.DelayedACKLocked = &value
+					procNetstat.DelayedACKLocked = &value
 				case "DelayedACKLost":
-					procNetstat.TcpExt.DelayedACKLost = &value
+					procNetstat.DelayedACKLost = &value
 				case "ListenOverflows":
-					procNetstat.TcpExt.ListenOverflows = &value
+					procNetstat.ListenOverflows = &value
 				case "ListenDrops":
-					procNetstat.TcpExt.ListenDrops = &value
+					procNetstat.ListenDrops = &value
 				case "TCPHPHits":
-					procNetstat.TcpExt.TCPHPHits = &value
+					procNetstat.TCPHPHits = &value
 				case "TCPPureAcks":
-					procNetstat.TcpExt.TCPPureAcks = &value
+					procNetstat.TCPPureAcks = &value
 				case "TCPHPAcks":
-					procNetstat.TcpExt.TCPHPAcks = &value
+					procNetstat.TCPHPAcks = &value
 				case "TCPRenoRecovery":
-					procNetstat.TcpExt.TCPRenoRecovery = &value
+					procNetstat.TCPRenoRecovery = &value
 				case "TCPSackRecovery":
-					procNetstat.TcpExt.TCPSackRecovery = &value
+					procNetstat.TCPSackRecovery = &value
 				case "TCPSACKReneging":
-					procNetstat.TcpExt.TCPSACKReneging = &value
+					procNetstat.TCPSACKReneging = &value
 				case "TCPSACKReorder":
-					procNetstat.TcpExt.TCPSACKReorder = &value
+					procNetstat.TCPSACKReorder = &value
 				case "TCPRenoReorder":
-					procNetstat.TcpExt.TCPRenoReorder = &value
+					procNetstat.TCPRenoReorder = &value
 				case "TCPTSReorder":
-					procNetstat.TcpExt.TCPTSReorder = &value
+					procNetstat.TCPTSReorder = &value
 				case "TCPFullUndo":
-					procNetstat.TcpExt.TCPFullUndo = &value
+					procNetstat.TCPFullUndo = &value
 				case "TCPPartialUndo":
-					procNetstat.TcpExt.TCPPartialUndo = &value
+					procNetstat.TCPPartialUndo = &value
 				case "TCPDSACKUndo":
-					procNetstat.TcpExt.TCPDSACKUndo = &value
+					procNetstat.TCPDSACKUndo = &value
 				case "TCPLossUndo":
-					procNetstat.TcpExt.TCPLossUndo = &value
+					procNetstat.TCPLossUndo = &value
 				case "TCPLostRetransmit":
-					procNetstat.TcpExt.TCPLostRetransmit = &value
+					procNetstat.TCPLostRetransmit = &value
 				case "TCPRenoFailures":
-					procNetstat.TcpExt.TCPRenoFailures = &value
+					procNetstat.TCPRenoFailures = &value
 				case "TCPSackFailures":
-					procNetstat.TcpExt.TCPSackFailures = &value
+					procNetstat.TCPSackFailures = &value
 				case "TCPLossFailures":
-					procNetstat.TcpExt.TCPLossFailures = &value
+					procNetstat.TCPLossFailures = &value
 				case "TCPFastRetrans":
-					procNetstat.TcpExt.TCPFastRetrans = &value
+					procNetstat.TCPFastRetrans = &value
 				case "TCPSlowStartRetrans":
-					procNetstat.TcpExt.TCPSlowStartRetrans = &value
+					procNetstat.TCPSlowStartRetrans = &value
 				case "TCPTimeouts":
-					procNetstat.TcpExt.TCPTimeouts = &value
+					procNetstat.TCPTimeouts = &value
 				case "TCPLossProbes":
-					procNetstat.TcpExt.TCPLossProbes = &value
+					procNetstat.TCPLossProbes = &value
 				case "TCPLossProbeRecovery":
-					procNetstat.TcpExt.TCPLossProbeRecovery = &value
+					procNetstat.TCPLossProbeRecovery = &value
 				case "TCPRenoRecoveryFail":
-					procNetstat.TcpExt.TCPRenoRecoveryFail = &value
+					procNetstat.TCPRenoRecoveryFail = &value
 				case "TCPSackRecoveryFail":
-					procNetstat.TcpExt.TCPSackRecoveryFail = &value
+					procNetstat.TCPSackRecoveryFail = &value
 				case "TCPRcvCollapsed":
-					procNetstat.TcpExt.TCPRcvCollapsed = &value
+					procNetstat.TCPRcvCollapsed = &value
 				case "TCPDSACKOldSent":
-					procNetstat.TcpExt.TCPDSACKOldSent = &value
+					procNetstat.TCPDSACKOldSent = &value
 				case "TCPDSACKOfoSent":
-					procNetstat.TcpExt.TCPDSACKOfoSent = &value
+					procNetstat.TCPDSACKOfoSent = &value
 				case "TCPDSACKRecv":
-					procNetstat.TcpExt.TCPDSACKRecv = &value
+					procNetstat.TCPDSACKRecv = &value
 				case "TCPDSACKOfoRecv":
-					procNetstat.TcpExt.TCPDSACKOfoRecv = &value
+					procNetstat.TCPDSACKOfoRecv = &value
 				case "TCPAbortOnData":
-					procNetstat.TcpExt.TCPAbortOnData = &value
+					procNetstat.TCPAbortOnData = &value
 				case "TCPAbortOnClose":
-					procNetstat.TcpExt.TCPAbortOnClose = &value
+					procNetstat.TCPAbortOnClose = &value
 				case "TCPDeferAcceptDrop":
-					procNetstat.TcpExt.TCPDeferAcceptDrop = &value
+					procNetstat.TCPDeferAcceptDrop = &value
 				case "IPReversePathFilter":
-					procNetstat.TcpExt.IPReversePathFilter = &value
+					procNetstat.IPReversePathFilter = &value
 				case "TCPTimeWaitOverflow":
-					procNetstat.TcpExt.TCPTimeWaitOverflow = &value
+					procNetstat.TCPTimeWaitOverflow = &value
 				case "TCPReqQFullDoCookies":
-					procNetstat.TcpExt.TCPReqQFullDoCookies = &value
+					procNetstat.TCPReqQFullDoCookies = &value
 				case "TCPReqQFullDrop":
-					procNetstat.TcpExt.TCPReqQFullDrop = &value
+					procNetstat.TCPReqQFullDrop = &value
 				case "TCPRetransFail":
-					procNetstat.TcpExt.TCPRetransFail = &value
+					procNetstat.TCPRetransFail = &value
 				case "TCPRcvCoalesce":
-					procNetstat.TcpExt.TCPRcvCoalesce = &value
+					procNetstat.TCPRcvCoalesce = &value
 				case "TCPRcvQDrop":
-					procNetstat.TcpExt.TCPRcvQDrop = &value
+					procNetstat.TCPRcvQDrop = &value
 				case "TCPOFOQueue":
-					procNetstat.TcpExt.TCPOFOQueue = &value
+					procNetstat.TCPOFOQueue = &value
 				case "TCPOFODrop":
-					procNetstat.TcpExt.TCPOFODrop = &value
+					procNetstat.TCPOFODrop = &value
 				case "TCPOFOMerge":
-					procNetstat.TcpExt.TCPOFOMerge = &value
+					procNetstat.TCPOFOMerge = &value
 				case "TCPChallengeACK":
-					procNetstat.TcpExt.TCPChallengeACK = &value
+					procNetstat.TCPChallengeACK = &value
 				case "TCPSYNChallenge":
-					procNetstat.TcpExt.TCPSYNChallenge = &value
+					procNetstat.TCPSYNChallenge = &value
 				case "TCPFastOpenActive":
-					procNetstat.TcpExt.TCPFastOpenActive = &value
+					procNetstat.TCPFastOpenActive = &value
 				case "TCPFastOpenActiveFail":
-					procNetstat.TcpExt.TCPFastOpenActiveFail = &value
+					procNetstat.TCPFastOpenActiveFail = &value
 				case "TCPFastOpenPassive":
-					procNetstat.TcpExt.TCPFastOpenPassive = &value
+					procNetstat.TCPFastOpenPassive = &value
 				case "TCPFastOpenPassiveFail":
-					procNetstat.TcpExt.TCPFastOpenPassiveFail = &value
+					procNetstat.TCPFastOpenPassiveFail = &value
 				case "TCPFastOpenListenOverflow":
-					procNetstat.TcpExt.TCPFastOpenListenOverflow = &value
+					procNetstat.TCPFastOpenListenOverflow = &value
 				case "TCPFastOpenCookieReqd":
-					procNetstat.TcpExt.TCPFastOpenCookieReqd = &value
+					procNetstat.TCPFastOpenCookieReqd = &value
 				case "TCPFastOpenBlackhole":
-					procNetstat.TcpExt.TCPFastOpenBlackhole = &value
+					procNetstat.TCPFastOpenBlackhole = &value
 				case "TCPSpuriousRtxHostQueues":
-					procNetstat.TcpExt.TCPSpuriousRtxHostQueues = &value
+					procNetstat.TCPSpuriousRtxHostQueues = &value
 				case "BusyPollRxPackets":
-					procNetstat.TcpExt.BusyPollRxPackets = &value
+					procNetstat.BusyPollRxPackets = &value
 				case "TCPAutoCorking":
-					procNetstat.TcpExt.TCPAutoCorking = &value
+					procNetstat.TCPAutoCorking = &value
 				case "TCPFromZeroWindowAdv":
-					procNetstat.TcpExt.TCPFromZeroWindowAdv = &value
+					procNetstat.TCPFromZeroWindowAdv = &value
 				case "TCPToZeroWindowAdv":
-					procNetstat.TcpExt.TCPToZeroWindowAdv = &value
+					procNetstat.TCPToZeroWindowAdv = &value
 				case "TCPWantZeroWindowAdv":
-					procNetstat.TcpExt.TCPWantZeroWindowAdv = &value
+					procNetstat.TCPWantZeroWindowAdv = &value
 				case "TCPSynRetrans":
-					procNetstat.TcpExt.TCPSynRetrans = &value
+					procNetstat.TCPSynRetrans = &value
 				case "TCPOrigDataSent":
-					procNetstat.TcpExt.TCPOrigDataSent = &value
+					procNetstat.TCPOrigDataSent = &value
 				case "TCPHystartTrainDetect":
-					procNetstat.TcpExt.TCPHystartTrainDetect = &value
+					procNetstat.TCPHystartTrainDetect = &value
 				case "TCPHystartTrainCwnd":
-					procNetstat.TcpExt.TCPHystartTrainCwnd = &value
+					procNetstat.TCPHystartTrainCwnd = &value
 				case "TCPHystartDelayDetect":
-					procNetstat.TcpExt.TCPHystartDelayDetect = &value
+					procNetstat.TCPHystartDelayDetect = &value
 				case "TCPHystartDelayCwnd":
-					procNetstat.TcpExt.TCPHystartDelayCwnd = &value
+					procNetstat.TCPHystartDelayCwnd = &value
 				case "TCPACKSkippedSynRecv":
-					procNetstat.TcpExt.TCPACKSkippedSynRecv = &value
+					procNetstat.TCPACKSkippedSynRecv = &value
 				case "TCPACKSkippedPAWS":
-					procNetstat.TcpExt.TCPACKSkippedPAWS = &value
+					procNetstat.TCPACKSkippedPAWS = &value
 				case "TCPACKSkippedSeq":
-					procNetstat.TcpExt.TCPACKSkippedSeq = &value
+					procNetstat.TCPACKSkippedSeq = &value
 				case "TCPACKSkippedFinWait2":
-					procNetstat.TcpExt.TCPACKSkippedFinWait2 = &value
+					procNetstat.TCPACKSkippedFinWait2 = &value
 				case "TCPACKSkippedTimeWait":
-					procNetstat.TcpExt.TCPACKSkippedTimeWait = &value
+					procNetstat.TCPACKSkippedTimeWait = &value
 				case "TCPACKSkippedChallenge":
-					procNetstat.TcpExt.TCPACKSkippedChallenge = &value
+					procNetstat.TCPACKSkippedChallenge = &value
 				case "TCPWinProbe":
-					procNetstat.TcpExt.TCPWinProbe = &value
+					procNetstat.TCPWinProbe = &value
 				case "TCPKeepAlive":
-					procNetstat.TcpExt.TCPKeepAlive = &value
+					procNetstat.TCPKeepAlive = &value
 				case "TCPMTUPFail":
-					procNetstat.TcpExt.TCPMTUPFail = &value
+					procNetstat.TCPMTUPFail = &value
 				case "TCPMTUPSuccess":
-					procNetstat.TcpExt.TCPMTUPSuccess = &value
+					procNetstat.TCPMTUPSuccess = &value
 				case "TCPWqueueTooBig":
-					procNetstat.TcpExt.TCPWqueueTooBig = &value
+					procNetstat.TCPWqueueTooBig = &value
 				}
 			case "IpExt":
 				switch key {
 				case "InNoRoutes":
-					procNetstat.IpExt.InNoRoutes = &value
+					procNetstat.InNoRoutes = &value
 				case "InTruncatedPkts":
-					procNetstat.IpExt.InTruncatedPkts = &value
+					procNetstat.InTruncatedPkts = &value
 				case "InMcastPkts":
-					procNetstat.IpExt.InMcastPkts = &value
+					procNetstat.InMcastPkts = &value
 				case "OutMcastPkts":
-					procNetstat.IpExt.OutMcastPkts = &value
+					procNetstat.OutMcastPkts = &value
 				case "InBcastPkts":
-					procNetstat.IpExt.InBcastPkts = &value
+					procNetstat.InBcastPkts = &value
 				case "OutBcastPkts":
-					procNetstat.IpExt.OutBcastPkts = &value
+					procNetstat.OutBcastPkts = &value
 				case "InOctets":
-					procNetstat.IpExt.InOctets = &value
+					procNetstat.InOctets = &value
 				case "OutOctets":
-					procNetstat.IpExt.OutOctets = &value
+					procNetstat.OutOctets = &value
 				case "InMcastOctets":
-					procNetstat.IpExt.InMcastOctets = &value
+					procNetstat.InMcastOctets = &value
 				case "OutMcastOctets":
-					procNetstat.IpExt.OutMcastOctets = &value
+					procNetstat.OutMcastOctets = &value
 				case "InBcastOctets":
-					procNetstat.IpExt.InBcastOctets = &value
+					procNetstat.InBcastOctets = &value
 				case "OutBcastOctets":
-					procNetstat.IpExt.OutBcastOctets = &value
+					procNetstat.OutBcastOctets = &value
 				case "InCsumErrors":
-					procNetstat.IpExt.InCsumErrors = &value
+					procNetstat.InCsumErrors = &value
 				case "InNoECTPkts":
-					procNetstat.IpExt.InNoECTPkts = &value
+					procNetstat.InNoECTPkts = &value
 				case "InECT1Pkts":
-					procNetstat.IpExt.InECT1Pkts = &value
+					procNetstat.InECT1Pkts = &value
 				case "InECT0Pkts":
-					procNetstat.IpExt.InECT0Pkts = &value
+					procNetstat.InECT0Pkts = &value
 				case "InCEPkts":
-					procNetstat.IpExt.InCEPkts = &value
+					procNetstat.InCEPkts = &value
 				case "ReasmOverlaps":
-					procNetstat.IpExt.ReasmOverlaps = &value
+					procNetstat.ReasmOverlaps = &value
 				}
 			}
 		}
diff --git a/vendor/github.com/prometheus/procfs/proc_smaps.go b/vendor/github.com/prometheus/procfs/proc_smaps.go
index 09060e820803f..9a297afcf89e6 100644
--- a/vendor/github.com/prometheus/procfs/proc_smaps.go
+++ b/vendor/github.com/prometheus/procfs/proc_smaps.go
@@ -19,7 +19,6 @@ package procfs
 import (
 	"bufio"
 	"errors"
-	"fmt"
 	"os"
 	"regexp"
 	"strconv"
@@ -29,7 +28,7 @@ import (
 )
 
 var (
-	// match the header line before each mapped zone in `/proc/pid/smaps`.
+	// Match the header line before each mapped zone in `/proc/pid/smaps`.
 	procSMapsHeaderLine = regexp.MustCompile(`^[a-f0-9].*$`)
 )
 
@@ -117,7 +116,6 @@ func (p Proc) procSMapsRollupManual() (ProcSMapsRollup, error) {
 func (s *ProcSMapsRollup) parseLine(line string) error {
 	kv := strings.SplitN(line, ":", 2)
 	if len(kv) != 2 {
-		fmt.Println(line)
 		return errors.New("invalid net/dev line, missing colon")
 	}
 
diff --git a/vendor/github.com/prometheus/procfs/proc_snmp.go b/vendor/github.com/prometheus/procfs/proc_snmp.go
index b9d2cf642a745..4bdc90b07eae7 100644
--- a/vendor/github.com/prometheus/procfs/proc_snmp.go
+++ b/vendor/github.com/prometheus/procfs/proc_snmp.go
@@ -173,138 +173,138 @@ func parseSnmp(r io.Reader, fileName string) (ProcSnmp, error) {
 			case "Ip":
 				switch key {
 				case "Forwarding":
-					procSnmp.Ip.Forwarding = &value
+					procSnmp.Forwarding = &value
 				case "DefaultTTL":
-					procSnmp.Ip.DefaultTTL = &value
+					procSnmp.DefaultTTL = &value
 				case "InReceives":
-					procSnmp.Ip.InReceives = &value
+					procSnmp.InReceives = &value
 				case "InHdrErrors":
-					procSnmp.Ip.InHdrErrors = &value
+					procSnmp.InHdrErrors = &value
 				case "InAddrErrors":
-					procSnmp.Ip.InAddrErrors = &value
+					procSnmp.InAddrErrors = &value
 				case "ForwDatagrams":
-					procSnmp.Ip.ForwDatagrams = &value
+					procSnmp.ForwDatagrams = &value
 				case "InUnknownProtos":
-					procSnmp.Ip.InUnknownProtos = &value
+					procSnmp.InUnknownProtos = &value
 				case "InDiscards":
-					procSnmp.Ip.InDiscards = &value
+					procSnmp.InDiscards = &value
 				case "InDelivers":
-					procSnmp.Ip.InDelivers = &value
+					procSnmp.InDelivers = &value
 				case "OutRequests":
-					procSnmp.Ip.OutRequests = &value
+					procSnmp.OutRequests = &value
 				case "OutDiscards":
-					procSnmp.Ip.OutDiscards = &value
+					procSnmp.OutDiscards = &value
 				case "OutNoRoutes":
-					procSnmp.Ip.OutNoRoutes = &value
+					procSnmp.OutNoRoutes = &value
 				case "ReasmTimeout":
-					procSnmp.Ip.ReasmTimeout = &value
+					procSnmp.ReasmTimeout = &value
 				case "ReasmReqds":
-					procSnmp.Ip.ReasmReqds = &value
+					procSnmp.ReasmReqds = &value
 				case "ReasmOKs":
-					procSnmp.Ip.ReasmOKs = &value
+					procSnmp.ReasmOKs = &value
 				case "ReasmFails":
-					procSnmp.Ip.ReasmFails = &value
+					procSnmp.ReasmFails = &value
 				case "FragOKs":
-					procSnmp.Ip.FragOKs = &value
+					procSnmp.FragOKs = &value
 				case "FragFails":
-					procSnmp.Ip.FragFails = &value
+					procSnmp.FragFails = &value
 				case "FragCreates":
-					procSnmp.Ip.FragCreates = &value
+					procSnmp.FragCreates = &value
 				}
 			case "Icmp":
 				switch key {
 				case "InMsgs":
-					procSnmp.Icmp.InMsgs = &value
+					procSnmp.InMsgs = &value
 				case "InErrors":
 					procSnmp.Icmp.InErrors = &value
 				case "InCsumErrors":
 					procSnmp.Icmp.InCsumErrors = &value
 				case "InDestUnreachs":
-					procSnmp.Icmp.InDestUnreachs = &value
+					procSnmp.InDestUnreachs = &value
 				case "InTimeExcds":
-					procSnmp.Icmp.InTimeExcds = &value
+					procSnmp.InTimeExcds = &value
 				case "InParmProbs":
-					procSnmp.Icmp.InParmProbs = &value
+					procSnmp.InParmProbs = &value
 				case "InSrcQuenchs":
-					procSnmp.Icmp.InSrcQuenchs = &value
+					procSnmp.InSrcQuenchs = &value
 				case "InRedirects":
-					procSnmp.Icmp.InRedirects = &value
+					procSnmp.InRedirects = &value
 				case "InEchos":
-					procSnmp.Icmp.InEchos = &value
+					procSnmp.InEchos = &value
 				case "InEchoReps":
-					procSnmp.Icmp.InEchoReps = &value
+					procSnmp.InEchoReps = &value
 				case "InTimestamps":
-					procSnmp.Icmp.InTimestamps = &value
+					procSnmp.InTimestamps = &value
 				case "InTimestampReps":
-					procSnmp.Icmp.InTimestampReps = &value
+					procSnmp.InTimestampReps = &value
 				case "InAddrMasks":
-					procSnmp.Icmp.InAddrMasks = &value
+					procSnmp.InAddrMasks = &value
 				case "InAddrMaskReps":
-					procSnmp.Icmp.InAddrMaskReps = &value
+					procSnmp.InAddrMaskReps = &value
 				case "OutMsgs":
-					procSnmp.Icmp.OutMsgs = &value
+					procSnmp.OutMsgs = &value
 				case "OutErrors":
-					procSnmp.Icmp.OutErrors = &value
+					procSnmp.OutErrors = &value
 				case "OutDestUnreachs":
-					procSnmp.Icmp.OutDestUnreachs = &value
+					procSnmp.OutDestUnreachs = &value
 				case "OutTimeExcds":
-					procSnmp.Icmp.OutTimeExcds = &value
+					procSnmp.OutTimeExcds = &value
 				case "OutParmProbs":
-					procSnmp.Icmp.OutParmProbs = &value
+					procSnmp.OutParmProbs = &value
 				case "OutSrcQuenchs":
-					procSnmp.Icmp.OutSrcQuenchs = &value
+					procSnmp.OutSrcQuenchs = &value
 				case "OutRedirects":
-					procSnmp.Icmp.OutRedirects = &value
+					procSnmp.OutRedirects = &value
 				case "OutEchos":
-					procSnmp.Icmp.OutEchos = &value
+					procSnmp.OutEchos = &value
 				case "OutEchoReps":
-					procSnmp.Icmp.OutEchoReps = &value
+					procSnmp.OutEchoReps = &value
 				case "OutTimestamps":
-					procSnmp.Icmp.OutTimestamps = &value
+					procSnmp.OutTimestamps = &value
 				case "OutTimestampReps":
-					procSnmp.Icmp.OutTimestampReps = &value
+					procSnmp.OutTimestampReps = &value
 				case "OutAddrMasks":
-					procSnmp.Icmp.OutAddrMasks = &value
+					procSnmp.OutAddrMasks = &value
 				case "OutAddrMaskReps":
-					procSnmp.Icmp.OutAddrMaskReps = &value
+					procSnmp.OutAddrMaskReps = &value
 				}
 			case "IcmpMsg":
 				switch key {
 				case "InType3":
-					procSnmp.IcmpMsg.InType3 = &value
+					procSnmp.InType3 = &value
 				case "OutType3":
-					procSnmp.IcmpMsg.OutType3 = &value
+					procSnmp.OutType3 = &value
 				}
 			case "Tcp":
 				switch key {
 				case "RtoAlgorithm":
-					procSnmp.Tcp.RtoAlgorithm = &value
+					procSnmp.RtoAlgorithm = &value
 				case "RtoMin":
-					procSnmp.Tcp.RtoMin = &value
+					procSnmp.RtoMin = &value
 				case "RtoMax":
-					procSnmp.Tcp.RtoMax = &value
+					procSnmp.RtoMax = &value
 				case "MaxConn":
-					procSnmp.Tcp.MaxConn = &value
+					procSnmp.MaxConn = &value
 				case "ActiveOpens":
-					procSnmp.Tcp.ActiveOpens = &value
+					procSnmp.ActiveOpens = &value
 				case "PassiveOpens":
-					procSnmp.Tcp.PassiveOpens = &value
+					procSnmp.PassiveOpens = &value
 				case "AttemptFails":
-					procSnmp.Tcp.AttemptFails = &value
+					procSnmp.AttemptFails = &value
 				case "EstabResets":
-					procSnmp.Tcp.EstabResets = &value
+					procSnmp.EstabResets = &value
 				case "CurrEstab":
-					procSnmp.Tcp.CurrEstab = &value
+					procSnmp.CurrEstab = &value
 				case "InSegs":
-					procSnmp.Tcp.InSegs = &value
+					procSnmp.InSegs = &value
 				case "OutSegs":
-					procSnmp.Tcp.OutSegs = &value
+					procSnmp.OutSegs = &value
 				case "RetransSegs":
-					procSnmp.Tcp.RetransSegs = &value
+					procSnmp.RetransSegs = &value
 				case "InErrs":
-					procSnmp.Tcp.InErrs = &value
+					procSnmp.InErrs = &value
 				case "OutRsts":
-					procSnmp.Tcp.OutRsts = &value
+					procSnmp.OutRsts = &value
 				case "InCsumErrors":
 					procSnmp.Tcp.InCsumErrors = &value
 				}
diff --git a/vendor/github.com/prometheus/procfs/proc_snmp6.go b/vendor/github.com/prometheus/procfs/proc_snmp6.go
index 3059cc6a13672..fb7fd3995befd 100644
--- a/vendor/github.com/prometheus/procfs/proc_snmp6.go
+++ b/vendor/github.com/prometheus/procfs/proc_snmp6.go
@@ -182,161 +182,161 @@ func parseSNMP6Stats(r io.Reader) (ProcSnmp6, error) {
 			case "Ip6":
 				switch key {
 				case "InReceives":
-					procSnmp6.Ip6.InReceives = &value
+					procSnmp6.InReceives = &value
 				case "InHdrErrors":
-					procSnmp6.Ip6.InHdrErrors = &value
+					procSnmp6.InHdrErrors = &value
 				case "InTooBigErrors":
-					procSnmp6.Ip6.InTooBigErrors = &value
+					procSnmp6.InTooBigErrors = &value
 				case "InNoRoutes":
-					procSnmp6.Ip6.InNoRoutes = &value
+					procSnmp6.InNoRoutes = &value
 				case "InAddrErrors":
-					procSnmp6.Ip6.InAddrErrors = &value
+					procSnmp6.InAddrErrors = &value
 				case "InUnknownProtos":
-					procSnmp6.Ip6.InUnknownProtos = &value
+					procSnmp6.InUnknownProtos = &value
 				case "InTruncatedPkts":
-					procSnmp6.Ip6.InTruncatedPkts = &value
+					procSnmp6.InTruncatedPkts = &value
 				case "InDiscards":
-					procSnmp6.Ip6.InDiscards = &value
+					procSnmp6.InDiscards = &value
 				case "InDelivers":
-					procSnmp6.Ip6.InDelivers = &value
+					procSnmp6.InDelivers = &value
 				case "OutForwDatagrams":
-					procSnmp6.Ip6.OutForwDatagrams = &value
+					procSnmp6.OutForwDatagrams = &value
 				case "OutRequests":
-					procSnmp6.Ip6.OutRequests = &value
+					procSnmp6.OutRequests = &value
 				case "OutDiscards":
-					procSnmp6.Ip6.OutDiscards = &value
+					procSnmp6.OutDiscards = &value
 				case "OutNoRoutes":
-					procSnmp6.Ip6.OutNoRoutes = &value
+					procSnmp6.OutNoRoutes = &value
 				case "ReasmTimeout":
-					procSnmp6.Ip6.ReasmTimeout = &value
+					procSnmp6.ReasmTimeout = &value
 				case "ReasmReqds":
-					procSnmp6.Ip6.ReasmReqds = &value
+					procSnmp6.ReasmReqds = &value
 				case "ReasmOKs":
-					procSnmp6.Ip6.ReasmOKs = &value
+					procSnmp6.ReasmOKs = &value
 				case "ReasmFails":
-					procSnmp6.Ip6.ReasmFails = &value
+					procSnmp6.ReasmFails = &value
 				case "FragOKs":
-					procSnmp6.Ip6.FragOKs = &value
+					procSnmp6.FragOKs = &value
 				case "FragFails":
-					procSnmp6.Ip6.FragFails = &value
+					procSnmp6.FragFails = &value
 				case "FragCreates":
-					procSnmp6.Ip6.FragCreates = &value
+					procSnmp6.FragCreates = &value
 				case "InMcastPkts":
-					procSnmp6.Ip6.InMcastPkts = &value
+					procSnmp6.InMcastPkts = &value
 				case "OutMcastPkts":
-					procSnmp6.Ip6.OutMcastPkts = &value
+					procSnmp6.OutMcastPkts = &value
 				case "InOctets":
-					procSnmp6.Ip6.InOctets = &value
+					procSnmp6.InOctets = &value
 				case "OutOctets":
-					procSnmp6.Ip6.OutOctets = &value
+					procSnmp6.OutOctets = &value
 				case "InMcastOctets":
-					procSnmp6.Ip6.InMcastOctets = &value
+					procSnmp6.InMcastOctets = &value
 				case "OutMcastOctets":
-					procSnmp6.Ip6.OutMcastOctets = &value
+					procSnmp6.OutMcastOctets = &value
 				case "InBcastOctets":
-					procSnmp6.Ip6.InBcastOctets = &value
+					procSnmp6.InBcastOctets = &value
 				case "OutBcastOctets":
-					procSnmp6.Ip6.OutBcastOctets = &value
+					procSnmp6.OutBcastOctets = &value
 				case "InNoECTPkts":
-					procSnmp6.Ip6.InNoECTPkts = &value
+					procSnmp6.InNoECTPkts = &value
 				case "InECT1Pkts":
-					procSnmp6.Ip6.InECT1Pkts = &value
+					procSnmp6.InECT1Pkts = &value
 				case "InECT0Pkts":
-					procSnmp6.Ip6.InECT0Pkts = &value
+					procSnmp6.InECT0Pkts = &value
 				case "InCEPkts":
-					procSnmp6.Ip6.InCEPkts = &value
+					procSnmp6.InCEPkts = &value
 
 				}
 			case "Icmp6":
 				switch key {
 				case "InMsgs":
-					procSnmp6.Icmp6.InMsgs = &value
+					procSnmp6.InMsgs = &value
 				case "InErrors":
 					procSnmp6.Icmp6.InErrors = &value
 				case "OutMsgs":
-					procSnmp6.Icmp6.OutMsgs = &value
+					procSnmp6.OutMsgs = &value
 				case "OutErrors":
-					procSnmp6.Icmp6.OutErrors = &value
+					procSnmp6.OutErrors = &value
 				case "InCsumErrors":
 					procSnmp6.Icmp6.InCsumErrors = &value
 				case "InDestUnreachs":
-					procSnmp6.Icmp6.InDestUnreachs = &value
+					procSnmp6.InDestUnreachs = &value
 				case "InPktTooBigs":
-					procSnmp6.Icmp6.InPktTooBigs = &value
+					procSnmp6.InPktTooBigs = &value
 				case "InTimeExcds":
-					procSnmp6.Icmp6.InTimeExcds = &value
+					procSnmp6.InTimeExcds = &value
 				case "InParmProblems":
-					procSnmp6.Icmp6.InParmProblems = &value
+					procSnmp6.InParmProblems = &value
 				case "InEchos":
-					procSnmp6.Icmp6.InEchos = &value
+					procSnmp6.InEchos = &value
 				case "InEchoReplies":
-					procSnmp6.Icmp6.InEchoReplies = &value
+					procSnmp6.InEchoReplies = &value
 				case "InGroupMembQueries":
-					procSnmp6.Icmp6.InGroupMembQueries = &value
+					procSnmp6.InGroupMembQueries = &value
 				case "InGroupMembResponses":
-					procSnmp6.Icmp6.InGroupMembResponses = &value
+					procSnmp6.InGroupMembResponses = &value
 				case "InGroupMembReductions":
-					procSnmp6.Icmp6.InGroupMembReductions = &value
+					procSnmp6.InGroupMembReductions = &value
 				case "InRouterSolicits":
-					procSnmp6.Icmp6.InRouterSolicits = &value
+					procSnmp6.InRouterSolicits = &value
 				case "InRouterAdvertisements":
-					procSnmp6.Icmp6.InRouterAdvertisements = &value
+					procSnmp6.InRouterAdvertisements = &value
 				case "InNeighborSolicits":
-					procSnmp6.Icmp6.InNeighborSolicits = &value
+					procSnmp6.InNeighborSolicits = &value
 				case "InNeighborAdvertisements":
-					procSnmp6.Icmp6.InNeighborAdvertisements = &value
+					procSnmp6.InNeighborAdvertisements = &value
 				case "InRedirects":
-					procSnmp6.Icmp6.InRedirects = &value
+					procSnmp6.InRedirects = &value
 				case "InMLDv2Reports":
-					procSnmp6.Icmp6.InMLDv2Reports = &value
+					procSnmp6.InMLDv2Reports = &value
 				case "OutDestUnreachs":
-					procSnmp6.Icmp6.OutDestUnreachs = &value
+					procSnmp6.OutDestUnreachs = &value
 				case "OutPktTooBigs":
-					procSnmp6.Icmp6.OutPktTooBigs = &value
+					procSnmp6.OutPktTooBigs = &value
 				case "OutTimeExcds":
-					procSnmp6.Icmp6.OutTimeExcds = &value
+					procSnmp6.OutTimeExcds = &value
 				case "OutParmProblems":
-					procSnmp6.Icmp6.OutParmProblems = &value
+					procSnmp6.OutParmProblems = &value
 				case "OutEchos":
-					procSnmp6.Icmp6.OutEchos = &value
+					procSnmp6.OutEchos = &value
 				case "OutEchoReplies":
-					procSnmp6.Icmp6.OutEchoReplies = &value
+					procSnmp6.OutEchoReplies = &value
 				case "OutGroupMembQueries":
-					procSnmp6.Icmp6.OutGroupMembQueries = &value
+					procSnmp6.OutGroupMembQueries = &value
 				case "OutGroupMembResponses":
-					procSnmp6.Icmp6.OutGroupMembResponses = &value
+					procSnmp6.OutGroupMembResponses = &value
 				case "OutGroupMembReductions":
-					procSnmp6.Icmp6.OutGroupMembReductions = &value
+					procSnmp6.OutGroupMembReductions = &value
 				case "OutRouterSolicits":
-					procSnmp6.Icmp6.OutRouterSolicits = &value
+					procSnmp6.OutRouterSolicits = &value
 				case "OutRouterAdvertisements":
-					procSnmp6.Icmp6.OutRouterAdvertisements = &value
+					procSnmp6.OutRouterAdvertisements = &value
 				case "OutNeighborSolicits":
-					procSnmp6.Icmp6.OutNeighborSolicits = &value
+					procSnmp6.OutNeighborSolicits = &value
 				case "OutNeighborAdvertisements":
-					procSnmp6.Icmp6.OutNeighborAdvertisements = &value
+					procSnmp6.OutNeighborAdvertisements = &value
 				case "OutRedirects":
-					procSnmp6.Icmp6.OutRedirects = &value
+					procSnmp6.OutRedirects = &value
 				case "OutMLDv2Reports":
-					procSnmp6.Icmp6.OutMLDv2Reports = &value
+					procSnmp6.OutMLDv2Reports = &value
 				case "InType1":
-					procSnmp6.Icmp6.InType1 = &value
+					procSnmp6.InType1 = &value
 				case "InType134":
-					procSnmp6.Icmp6.InType134 = &value
+					procSnmp6.InType134 = &value
 				case "InType135":
-					procSnmp6.Icmp6.InType135 = &value
+					procSnmp6.InType135 = &value
 				case "InType136":
-					procSnmp6.Icmp6.InType136 = &value
+					procSnmp6.InType136 = &value
 				case "InType143":
-					procSnmp6.Icmp6.InType143 = &value
+					procSnmp6.InType143 = &value
 				case "OutType133":
-					procSnmp6.Icmp6.OutType133 = &value
+					procSnmp6.OutType133 = &value
 				case "OutType135":
-					procSnmp6.Icmp6.OutType135 = &value
+					procSnmp6.OutType135 = &value
 				case "OutType136":
-					procSnmp6.Icmp6.OutType136 = &value
+					procSnmp6.OutType136 = &value
 				case "OutType143":
-					procSnmp6.Icmp6.OutType143 = &value
+					procSnmp6.OutType143 = &value
 				}
 			case "Udp6":
 				switch key {
@@ -355,7 +355,7 @@ func parseSNMP6Stats(r io.Reader) (ProcSnmp6, error) {
 				case "InCsumErrors":
 					procSnmp6.Udp6.InCsumErrors = &value
 				case "IgnoredMulti":
-					procSnmp6.Udp6.IgnoredMulti = &value
+					procSnmp6.IgnoredMulti = &value
 				}
 			case "UdpLite6":
 				switch key {
diff --git a/vendor/github.com/prometheus/procfs/proc_status.go b/vendor/github.com/prometheus/procfs/proc_status.go
index a055197c63e81..dd8aa56885ec3 100644
--- a/vendor/github.com/prometheus/procfs/proc_status.go
+++ b/vendor/github.com/prometheus/procfs/proc_status.go
@@ -146,7 +146,11 @@ func (s *ProcStatus) fillStatus(k string, vString string, vUint uint64, vUintByt
 			}
 		}
 	case "NSpid":
-		s.NSpids = calcNSPidsList(vString)
+		nspids, err := calcNSPidsList(vString)
+		if err != nil {
+			return err
+		}
+		s.NSpids = nspids
 	case "VmPeak":
 		s.VmPeak = vUintBytes
 	case "VmSize":
@@ -222,17 +226,17 @@ func calcCpusAllowedList(cpuString string) []uint64 {
 	return g
 }
 
-func calcNSPidsList(nspidsString string) []uint64 {
-	s := strings.Split(nspidsString, " ")
+func calcNSPidsList(nspidsString string) ([]uint64, error) {
+	s := strings.Split(nspidsString, "\t")
 	var nspids []uint64
 
 	for _, nspid := range s {
-		nspid, _ := strconv.ParseUint(nspid, 10, 64)
-		if nspid == 0 {
-			continue
+		nspid, err := strconv.ParseUint(nspid, 10, 64)
+		if err != nil {
+			return nil, err
 		}
 		nspids = append(nspids, nspid)
 	}
 
-	return nspids
+	return nspids, nil
 }
diff --git a/vendor/github.com/prometheus/procfs/proc_sys.go b/vendor/github.com/prometheus/procfs/proc_sys.go
index 5eefbe2ef8b3e..3810d1ac999f1 100644
--- a/vendor/github.com/prometheus/procfs/proc_sys.go
+++ b/vendor/github.com/prometheus/procfs/proc_sys.go
@@ -21,7 +21,7 @@ import (
 )
 
 func sysctlToPath(sysctl string) string {
-	return strings.Replace(sysctl, ".", "/", -1)
+	return strings.ReplaceAll(sysctl, ".", "/")
 }
 
 func (fs FS) SysctlStrings(sysctl string) ([]string, error) {
diff --git a/vendor/github.com/prometheus/procfs/softirqs.go b/vendor/github.com/prometheus/procfs/softirqs.go
index 28708e074595e..403e6ae70868a 100644
--- a/vendor/github.com/prometheus/procfs/softirqs.go
+++ b/vendor/github.com/prometheus/procfs/softirqs.go
@@ -68,8 +68,8 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 		if len(parts) < 2 {
 			continue
 		}
-		switch {
-		case parts[0] == "HI:":
+		switch parts[0] {
+		case "HI:":
 			perCPU := parts[1:]
 			softirqs.Hi = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -77,7 +77,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (HI%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "TIMER:":
+		case "TIMER:":
 			perCPU := parts[1:]
 			softirqs.Timer = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -85,7 +85,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (TIMER%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "NET_TX:":
+		case "NET_TX:":
 			perCPU := parts[1:]
 			softirqs.NetTx = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -93,7 +93,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (NET_TX%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "NET_RX:":
+		case "NET_RX:":
 			perCPU := parts[1:]
 			softirqs.NetRx = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -101,7 +101,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (NET_RX%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "BLOCK:":
+		case "BLOCK:":
 			perCPU := parts[1:]
 			softirqs.Block = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -109,7 +109,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (BLOCK%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "IRQ_POLL:":
+		case "IRQ_POLL:":
 			perCPU := parts[1:]
 			softirqs.IRQPoll = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -117,7 +117,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (IRQ_POLL%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "TASKLET:":
+		case "TASKLET:":
 			perCPU := parts[1:]
 			softirqs.Tasklet = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -125,7 +125,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (TASKLET%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "SCHED:":
+		case "SCHED:":
 			perCPU := parts[1:]
 			softirqs.Sched = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -133,7 +133,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (SCHED%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "HRTIMER:":
+		case "HRTIMER:":
 			perCPU := parts[1:]
 			softirqs.HRTimer = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
@@ -141,7 +141,7 @@ func parseSoftirqs(r io.Reader) (Softirqs, error) {
 					return Softirqs{}, fmt.Errorf("%w: couldn't parse %q (HRTIMER%d): %w", ErrFileParse, count, i, err)
 				}
 			}
-		case parts[0] == "RCU:":
+		case "RCU:":
 			perCPU := parts[1:]
 			softirqs.RCU = make([]uint64, len(perCPU))
 			for i, count := range perCPU {
diff --git a/vendor/github.com/spf13/cobra/.golangci.yml b/vendor/github.com/spf13/cobra/.golangci.yml
index 2c8f4808c1a32..6acf8ab1ea049 100644
--- a/vendor/github.com/spf13/cobra/.golangci.yml
+++ b/vendor/github.com/spf13/cobra/.golangci.yml
@@ -12,14 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+version: "2"
+
 run:
-  deadline: 5m
+  timeout: 5m
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
 
 linters:
-  disable-all: true
+  default: none
   enable:
     #- bodyclose
-    # - deadcode ! deprecated since v1.49.0; replaced by 'unused'
     #- depguard
     #- dogsled
     #- dupl
@@ -30,28 +36,24 @@ linters:
     - goconst
     - gocritic
     #- gocyclo
-    - gofmt
-    - goimports
-    #- gomnd
     #- goprintffuncname
     - gosec
-    - gosimple
     - govet
     - ineffassign
     #- lll
     - misspell
+    #- mnd
     #- nakedret
     #- noctx
     - nolintlint
     #- rowserrcheck
-    #- scopelint
     - staticcheck
-    #- structcheck ! deprecated since v1.49.0; replaced by 'unused'
-    - stylecheck
-    #- typecheck
     - unconvert
     #- unparam
     - unused
-    # - varcheck ! deprecated since v1.49.0; replaced by 'unused'
     #- whitespace
-  fast: false
+  exclusions:
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
diff --git a/vendor/github.com/spf13/cobra/README.md b/vendor/github.com/spf13/cobra/README.md
index 71757151c333b..8416275f48ee0 100644
--- a/vendor/github.com/spf13/cobra/README.md
+++ b/vendor/github.com/spf13/cobra/README.md
@@ -1,8 +1,14 @@
-
-![cobra logo](https://github.com/user-attachments/assets/cbc3adf8-0dff-46e9-a88d-5e2d971c169e)
+<div align="center">
+<a href="https://cobra.dev">
+<img width="512" height="535" alt="cobra-logo" src="https://github.com/user-attachments/assets/c8bf9aad-b5ae-41d3-8899-d83baec10af8" />
+</a>
+</div>
 
 Cobra is a library for creating powerful modern CLI applications.
 
+<a href="https://cobra.dev">Visit Cobra.dev for extensive documentation</a> 
+
+
 Cobra is used in many Go projects such as [Kubernetes](https://kubernetes.io/),
 [Hugo](https://gohugo.io), and [GitHub CLI](https://github.com/cli/cli) to
 name a few. [This list](site/content/projects_using_cobra.md) contains a more extensive list of projects using Cobra.
@@ -11,6 +17,20 @@ name a few. [This list](site/content/projects_using_cobra.md) contains a more ex
 [![Go Reference](https://pkg.go.dev/badge/github.com/spf13/cobra.svg)](https://pkg.go.dev/github.com/spf13/cobra)
 [![Go Report Card](https://goreportcard.com/badge/github.com/spf13/cobra)](https://goreportcard.com/report/github.com/spf13/cobra)
 [![Slack](https://img.shields.io/badge/Slack-cobra-brightgreen)](https://gophers.slack.com/archives/CD3LP1199)
+<hr>
+<div align="center" markdown="1">
+   <sup>Supported by:</sup>
+   <br>
+   <br>
+   <a href="https://www.warp.dev/cobra">
+      <img alt="Warp sponsorship" width="400" src="https://github.com/user-attachments/assets/ab8dd143-b0fd-4904-bdc5-dd7ecac94eae">
+   </a>
+
+### [Warp, the AI terminal for devs](https://www.warp.dev/cobra)
+[Try Cobra in Warp today](https://www.warp.dev/cobra)<br>
+
+</div>
+<hr>
 
 # Overview
 
diff --git a/vendor/github.com/spf13/cobra/SECURITY.md b/vendor/github.com/spf13/cobra/SECURITY.md
new file mode 100644
index 0000000000000..54e60c28c14ce
--- /dev/null
+++ b/vendor/github.com/spf13/cobra/SECURITY.md
@@ -0,0 +1,105 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+The `cobra` maintainers take security issues seriously and
+we appreciate your efforts to _**responsibly**_ disclose your findings.
+We will make every effort to swiftly respond and address concerns.
+
+To report a security vulnerability:
+
+1. **DO NOT** create a public GitHub issue for the vulnerability!
+2. **DO NOT** create a public GitHub Pull Request with a fix for the vulnerability!
+3. Send an email to `cobra-security@googlegroups.com`.
+4. Include the following details in your report:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact of the vulnerability (to your downstream project, to the Go ecosystem, etc.)
+   - Any potential mitigations you've already identified
+5. Allow up to 7 days for an initial response.
+   You should receive an acknowledgment of your report and an estimated timeline for a fix.
+6. (Optional) If you have a fix and would like to contribute your patch, please work
+   directly with the maintainers via `cobra-security@googlegroups.com` to
+   coordinate pushing the patch to GitHub, cutting a new release, and disclosing the change.
+
+## Response Process
+
+When a security vulnerability report is received, the `cobra` maintainers will:
+
+1. Confirm receipt of the vulnerability report within 7 days.
+2. Assess the report to determine if it constitutes a security vulnerability.
+3. If confirmed, assign the vulnerability a severity level and create a timeline for addressing it.
+4. Develop and test a fix.
+5. Patch the vulnerability and make a new GitHub release: the maintainers will coordinate disclosure with the reporter.
+6. Create a new GitHub Security Advisory to inform the broader Go ecosystem
+
+## Disclosure Policy
+
+The `cobra` maintainers follow a coordinated disclosure process:
+
+1. Security vulnerabilities will be addressed as quickly as possible.
+2. A CVE (Common Vulnerabilities and Exposures) identifier will be requested for significant vulnerabilities
+   that are within `cobra` itself.
+3. Once a fix is ready, the maintainers will:
+   - Release a new version containing the fix.
+   - Update the security advisory with details about the vulnerability.
+   - Credit the reporter (unless they wish to remain anonymous).
+   - Credit the fixer (unless they wish to remain anonymous, this may be the same as the reporter).
+   - Announce the vulnerability through appropriate channels
+     (GitHub Security Advisory, mailing lists, GitHub Releases, etc.)
+
+## Supported Versions
+
+Security fixes will typically only be released for the most recent major release.
+
+## Upstream Security Issues
+
+`cobra` generally will not accept vulnerability reports that originate in upstream
+dependencies. I.e., if there is a problem in Go code that `cobra` depends on,
+it is best to engage that project's maintainers and owners.
+
+This security policy primarily pertains only to `cobra` itself but if you believe you've
+identified a problem that originates in an upstream dependency and is being widely
+distributed by `cobra`, please follow the disclosure procedure above: the `cobra`
+maintainers will work with you to determine the severity and ecosystem impact.
+
+## Security Updates and CVEs
+
+Information about known security vulnerabilities and CVEs affecting `cobra` will
+be published as GitHub Security Advisories at
+https://github.com/spf13/cobra/security/advisories.
+
+All users are encouraged to watch the repository and upgrade promptly when
+security releases are published.
+
+## `cobra` Security Best Practices for Users
+
+When using `cobra` in your CLIs, the `cobra` maintainers recommend the following:
+
+1. Always use the latest version of `cobra`.
+2. [Use Go modules](https://go.dev/blog/using-go-modules) for dependency management.
+3. Always use the latest possible version of Go.
+
+## Security Best Practices for Contributors
+
+When contributing to `cobra`:
+
+1. Be mindful of security implications when adding new features or modifying existing ones.
+2. Be aware of `cobra`'s extremely large reach: it is used in nearly every Go CLI
+   (like Kubernetes, Docker, Prometheus, etc. etc.)
+3. Write tests that explicitly cover edge cases and potential issues.
+4. If you discover a security issue while working on `cobra`, please report it
+   following the process above rather than opening a public pull request or issue that
+   addresses the vulnerability.
+5. Take personal sec-ops seriously and secure your GitHub account: use [two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa),
+   [sign your commits with a GPG or SSH key](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification),
+   etc.
+
+## Acknowledgments
+
+The `cobra` maintainers would like to thank all security researchers and
+community members who help keep cobra, its users, and the entire Go ecosystem secure through responsible disclosures!!
+
+---
+
+*This security policy is inspired by the [Open Web Application Security Project (OWASP)](https://owasp.org/) guidelines and security best practices.*
diff --git a/vendor/github.com/spf13/cobra/command.go b/vendor/github.com/spf13/cobra/command.go
index dbb2c298ba089..78088db69ca25 100644
--- a/vendor/github.com/spf13/cobra/command.go
+++ b/vendor/github.com/spf13/cobra/command.go
@@ -39,7 +39,7 @@ const (
 )
 
 // FParseErrWhitelist configures Flag parse errors to be ignored
-type FParseErrWhitelist flag.ParseErrorsWhitelist
+type FParseErrWhitelist flag.ParseErrorsAllowlist
 
 // Group Structure to manage groups for commands
 type Group struct {
@@ -1296,6 +1296,11 @@ Simply type ` + c.DisplayName() + ` help [path to command] for full details.`,
 					c.Printf("Unknown help topic %#q\n", args)
 					CheckErr(c.Root().Usage())
 				} else {
+					// FLow the context down to be used in help text
+					if cmd.ctx == nil {
+						cmd.ctx = c.ctx
+					}
+
 					cmd.InitDefaultHelpFlag()    // make possible 'help' flag to be shown
 					cmd.InitDefaultVersionFlag() // make possible 'version' flag to be shown
 					CheckErr(cmd.Help())
@@ -1872,7 +1877,7 @@ func (c *Command) ParseFlags(args []string) error {
 	c.mergePersistentFlags()
 
 	// do it here after merging all flags and just before parse
-	c.Flags().ParseErrorsWhitelist = flag.ParseErrorsWhitelist(c.FParseErrWhitelist)
+	c.Flags().ParseErrorsAllowlist = flag.ParseErrorsAllowlist(c.FParseErrWhitelist)
 
 	err := c.Flags().Parse(args)
 	// Print warnings if they occurred (e.g. deprecated flag messages).
@@ -2020,7 +2025,7 @@ func defaultUsageFunc(w io.Writer, in interface{}) error {
 		fmt.Fprint(w, trimRightSpace(c.InheritedFlags().FlagUsages()))
 	}
 	if c.HasHelpSubCommands() {
-		fmt.Fprintf(w, "\n\nAdditional help topcis:")
+		fmt.Fprintf(w, "\n\nAdditional help topics:")
 		for _, subcmd := range c.Commands() {
 			if subcmd.IsAdditionalHelpTopicCommand() {
 				fmt.Fprintf(w, "\n  %s %s", rpad(subcmd.CommandPath(), subcmd.CommandPathPadding()), subcmd.Short)
diff --git a/vendor/github.com/spf13/cobra/completions.go b/vendor/github.com/spf13/cobra/completions.go
index a1752f7631758..d3607c2d2fefd 100644
--- a/vendor/github.com/spf13/cobra/completions.go
+++ b/vendor/github.com/spf13/cobra/completions.go
@@ -115,6 +115,13 @@ type CompletionOptions struct {
 	DisableDescriptions bool
 	// HiddenDefaultCmd makes the default 'completion' command hidden
 	HiddenDefaultCmd bool
+	// DefaultShellCompDirective sets the ShellCompDirective that is returned
+	// if no special directive can be determined
+	DefaultShellCompDirective *ShellCompDirective
+}
+
+func (receiver *CompletionOptions) SetDefaultShellCompDirective(directive ShellCompDirective) {
+	receiver.DefaultShellCompDirective = &directive
 }
 
 // Completion is a string that can be used for completions
@@ -375,7 +382,7 @@ func (c *Command) getCompletions(args []string) (*Command, []Completion, ShellCo
 	// Error while attempting to parse flags
 	if flagErr != nil {
 		// If error type is flagCompError and we don't want flagCompletion we should ignore the error
-		if _, ok := flagErr.(*flagCompError); !(ok && !flagCompletion) {
+		if _, ok := flagErr.(*flagCompError); !ok || flagCompletion {
 			return finalCmd, []Completion{}, ShellCompDirectiveDefault, flagErr
 		}
 	}
@@ -480,6 +487,14 @@ func (c *Command) getCompletions(args []string) (*Command, []Completion, ShellCo
 		}
 	} else {
 		directive = ShellCompDirectiveDefault
+		// check current and parent commands for a custom DefaultShellCompDirective
+		for cmd := finalCmd; cmd != nil; cmd = cmd.parent {
+			if cmd.CompletionOptions.DefaultShellCompDirective != nil {
+				directive = *cmd.CompletionOptions.DefaultShellCompDirective
+				break
+			}
+		}
+
 		if flag == nil {
 			foundLocalNonPersistentFlag := false
 			// If TraverseChildren is true on the root command we don't check for
@@ -773,7 +788,7 @@ See each sub-command's help for details on how to use the generated script.
 		// shell completion for it (prog __complete completion '')
 		subCmd, cmdArgs, err := c.Find(args)
 		if err != nil || subCmd.Name() != compCmdName &&
-			!(subCmd.Name() == ShellCompRequestCmd && len(cmdArgs) > 1 && cmdArgs[0] == compCmdName) {
+			(subCmd.Name() != ShellCompRequestCmd || len(cmdArgs) <= 1 || cmdArgs[0] != compCmdName) {
 			// The completion command is not being called or being completed so we remove it.
 			c.RemoveCommand(completionCmd)
 			return
diff --git a/vendor/github.com/spf13/cobra/doc/man_docs.go b/vendor/github.com/spf13/cobra/doc/man_docs.go
index 2138f24882b35..560bc20c75da7 100644
--- a/vendor/github.com/spf13/cobra/doc/man_docs.go
+++ b/vendor/github.com/spf13/cobra/doc/man_docs.go
@@ -212,7 +212,7 @@ func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 	manPrintOptions(buf, cmd)
 	if len(cmd.Example) > 0 {
 		buf.WriteString("# EXAMPLE\n")
-		buf.WriteString(fmt.Sprintf("```\n%s\n```\n", cmd.Example))
+		fmt.Fprintf(buf, "```\n%s\n```\n", cmd.Example)
 	}
 	if hasSeeAlso(cmd) {
 		buf.WriteString("# SEE ALSO\n")
@@ -240,7 +240,7 @@ func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 		buf.WriteString(strings.Join(seealsos, ", ") + "\n")
 	}
 	if !cmd.DisableAutoGenTag {
-		buf.WriteString(fmt.Sprintf("# HISTORY\n%s Auto generated by spf13/cobra\n", header.Date.Format("2-Jan-2006")))
+		fmt.Fprintf(buf, "# HISTORY\n%s Auto generated by spf13/cobra\n", header.Date.Format("2-Jan-2006"))
 	}
 	return buf.Bytes()
 }
diff --git a/vendor/github.com/spf13/cobra/doc/md_docs.go b/vendor/github.com/spf13/cobra/doc/md_docs.go
index 12592223ba47b..6eae7ccfb6d90 100644
--- a/vendor/github.com/spf13/cobra/doc/md_docs.go
+++ b/vendor/github.com/spf13/cobra/doc/md_docs.go
@@ -69,12 +69,12 @@ func GenMarkdownCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string)
 	}
 
 	if cmd.Runnable() {
-		buf.WriteString(fmt.Sprintf("```\n%s\n```\n\n", cmd.UseLine()))
+		fmt.Fprintf(buf, "```\n%s\n```\n\n", cmd.UseLine())
 	}
 
 	if len(cmd.Example) > 0 {
 		buf.WriteString("### Examples\n\n")
-		buf.WriteString(fmt.Sprintf("```\n%s\n```\n\n", cmd.Example))
+		fmt.Fprintf(buf, "```\n%s\n```\n\n", cmd.Example)
 	}
 
 	if err := printOptions(buf, cmd, name); err != nil {
@@ -87,7 +87,7 @@ func GenMarkdownCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string)
 			pname := parent.CommandPath()
 			link := pname + markdownExtension
 			link = strings.ReplaceAll(link, " ", "_")
-			buf.WriteString(fmt.Sprintf("* [%s](%s)\t - %s\n", pname, linkHandler(link), parent.Short))
+			fmt.Fprintf(buf, "* [%s](%s)\t - %s\n", pname, linkHandler(link), parent.Short)
 			cmd.VisitParents(func(c *cobra.Command) {
 				if c.DisableAutoGenTag {
 					cmd.DisableAutoGenTag = c.DisableAutoGenTag
@@ -105,7 +105,7 @@ func GenMarkdownCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string)
 			cname := name + " " + child.Name()
 			link := cname + markdownExtension
 			link = strings.ReplaceAll(link, " ", "_")
-			buf.WriteString(fmt.Sprintf("* [%s](%s)\t - %s\n", cname, linkHandler(link), child.Short))
+			fmt.Fprintf(buf, "* [%s](%s)\t - %s\n", cname, linkHandler(link), child.Short)
 		}
 		buf.WriteString("\n")
 	}
diff --git a/vendor/github.com/spf13/cobra/doc/rest_docs.go b/vendor/github.com/spf13/cobra/doc/rest_docs.go
index c33acc2baa91a..4901ca9801c9d 100644
--- a/vendor/github.com/spf13/cobra/doc/rest_docs.go
+++ b/vendor/github.com/spf13/cobra/doc/rest_docs.go
@@ -82,13 +82,13 @@ func GenReSTCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string, str
 	buf.WriteString("\n" + long + "\n\n")
 
 	if cmd.Runnable() {
-		buf.WriteString(fmt.Sprintf("::\n\n  %s\n\n", cmd.UseLine()))
+		fmt.Fprintf(buf, "::\n\n  %s\n\n", cmd.UseLine())
 	}
 
 	if len(cmd.Example) > 0 {
 		buf.WriteString("Examples\n")
 		buf.WriteString("~~~~~~~~\n\n")
-		buf.WriteString(fmt.Sprintf("::\n\n%s\n\n", indentString(cmd.Example, "  ")))
+		fmt.Fprintf(buf, "::\n\n%s\n\n", indentString(cmd.Example, "  "))
 	}
 
 	if err := printOptionsReST(buf, cmd, name); err != nil {
@@ -101,7 +101,7 @@ func GenReSTCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string, str
 			parent := cmd.Parent()
 			pname := parent.CommandPath()
 			ref = strings.ReplaceAll(pname, " ", "_")
-			buf.WriteString(fmt.Sprintf("* %s \t - %s\n", linkHandler(pname, ref), parent.Short))
+			fmt.Fprintf(buf, "* %s \t - %s\n", linkHandler(pname, ref), parent.Short)
 			cmd.VisitParents(func(c *cobra.Command) {
 				if c.DisableAutoGenTag {
 					cmd.DisableAutoGenTag = c.DisableAutoGenTag
@@ -118,7 +118,7 @@ func GenReSTCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string, str
 			}
 			cname := name + " " + child.Name()
 			ref = strings.ReplaceAll(cname, " ", "_")
-			buf.WriteString(fmt.Sprintf("* %s \t - %s\n", linkHandler(cname, ref), child.Short))
+			fmt.Fprintf(buf, "* %s \t - %s\n", linkHandler(cname, ref), child.Short)
 		}
 		buf.WriteString("\n")
 	}
diff --git a/vendor/github.com/spf13/cobra/doc/yaml_docs.go b/vendor/github.com/spf13/cobra/doc/yaml_docs.go
index 2b26d6ec0f3ef..3719717037170 100644
--- a/vendor/github.com/spf13/cobra/doc/yaml_docs.go
+++ b/vendor/github.com/spf13/cobra/doc/yaml_docs.go
@@ -153,7 +153,7 @@ func genFlagResult(flags *pflag.FlagSet) []cmdOption {
 		// Todo, when we mark a shorthand is deprecated, but specify an empty message.
 		// The flag.ShorthandDeprecated is empty as the shorthand is deprecated.
 		// Using len(flag.ShorthandDeprecated) > 0 can't handle this, others are ok.
-		if !(len(flag.ShorthandDeprecated) > 0) && len(flag.Shorthand) > 0 {
+		if len(flag.ShorthandDeprecated) == 0 && len(flag.Shorthand) > 0 {
 			opt := cmdOption{
 				flag.Name,
 				flag.Shorthand,
diff --git a/vendor/github.com/spf13/pflag/README.md b/vendor/github.com/spf13/pflag/README.md
index 7eacc5bdbe5f4..388c4e5ead28a 100644
--- a/vendor/github.com/spf13/pflag/README.md
+++ b/vendor/github.com/spf13/pflag/README.md
@@ -284,6 +284,33 @@ func main() {
 }
 ```
 
+### Using pflag with go test
+`pflag` does not parse the shorthand versions of go test's built-in flags (i.e., those starting with `-test.`).
+For more context, see issues [#63](https://github.com/spf13/pflag/issues/63) and [#238](https://github.com/spf13/pflag/issues/238) for more details.
+
+For example, if you use pflag in your `TestMain` function and call `pflag.Parse()` after defining your custom flags, running a test like this:
+```bash
+go test /your/tests -run ^YourTest -v --your-test-pflags
+```
+will result in the `-v` flag being ignored. This happens because of the way pflag handles flag parsing, skipping over go test's built-in shorthand flags.
+To work around this, you can use the `ParseSkippedFlags` function, which ensures that go test's flags are parsed separately using the standard flag package.
+
+**Example**: You want to parse go test flags that are otherwise ignore by `pflag.Parse()`
+```go
+import (
+	goflag "flag"
+	flag "github.com/spf13/pflag"
+)
+
+var ip *int = flag.Int("flagname", 1234, "help message for flagname")
+
+func main() {
+	flag.CommandLine.AddGoFlagSet(goflag.CommandLine)
+    flag.ParseSkippedFlags(os.Args[1:], goflag.CommandLine)
+	flag.Parse()
+}
+```
+
 ## More info
 
 You can see the full reference documentation of the pflag package
diff --git a/vendor/github.com/spf13/pflag/bool_func.go b/vendor/github.com/spf13/pflag/bool_func.go
new file mode 100644
index 0000000000000..83d77afa89fa9
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/bool_func.go
@@ -0,0 +1,40 @@
+package pflag
+
+// -- func Value
+type boolfuncValue func(string) error
+
+func (f boolfuncValue) Set(s string) error { return f(s) }
+
+func (f boolfuncValue) Type() string { return "boolfunc" }
+
+func (f boolfuncValue) String() string { return "" } // same behavior as stdlib 'flag' package
+
+func (f boolfuncValue) IsBoolFlag() bool { return true }
+
+// BoolFunc defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed
+// on the command line.
+func (f *FlagSet) BoolFunc(name string, usage string, fn func(string) error) {
+	f.BoolFuncP(name, "", usage, fn)
+}
+
+// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) BoolFuncP(name, shorthand string, usage string, fn func(string) error) {
+	var val Value = boolfuncValue(fn)
+	flag := f.VarPF(val, name, shorthand, usage)
+	flag.NoOptDefVal = "true"
+}
+
+// BoolFunc defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed
+// on the command line.
+func BoolFunc(name string, usage string, fn func(string) error) {
+	CommandLine.BoolFuncP(name, "", usage, fn)
+}
+
+// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash.
+func BoolFuncP(name, shorthand string, usage string, fn func(string) error) {
+	CommandLine.BoolFuncP(name, shorthand, usage, fn)
+}
diff --git a/vendor/github.com/spf13/pflag/count.go b/vendor/github.com/spf13/pflag/count.go
index a0b2679f71c75..d49c0143c18b6 100644
--- a/vendor/github.com/spf13/pflag/count.go
+++ b/vendor/github.com/spf13/pflag/count.go
@@ -85,7 +85,7 @@ func (f *FlagSet) CountP(name, shorthand string, usage string) *int {
 
 // Count defines a count flag with specified name, default value, and usage string.
 // The return value is the address of an int variable that stores the value of the flag.
-// A count flag will add 1 to its value evey time it is found on the command line
+// A count flag will add 1 to its value every time it is found on the command line
 func Count(name string, usage string) *int {
 	return CommandLine.CountP(name, "", usage)
 }
diff --git a/vendor/github.com/spf13/pflag/errors.go b/vendor/github.com/spf13/pflag/errors.go
new file mode 100644
index 0000000000000..ff11b66befe28
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/errors.go
@@ -0,0 +1,149 @@
+package pflag
+
+import "fmt"
+
+// notExistErrorMessageType specifies which flavor of "flag does not exist"
+// is printed by NotExistError. This allows the related errors to be grouped
+// under a single NotExistError struct without making a breaking change to
+// the error message text.
+type notExistErrorMessageType int
+
+const (
+	flagNotExistMessage notExistErrorMessageType = iota
+	flagNotDefinedMessage
+	flagNoSuchFlagMessage
+	flagUnknownFlagMessage
+	flagUnknownShorthandFlagMessage
+)
+
+// NotExistError is the error returned when trying to access a flag that
+// does not exist in the FlagSet.
+type NotExistError struct {
+	name                string
+	specifiedShorthands string
+	messageType         notExistErrorMessageType
+}
+
+// Error implements error.
+func (e *NotExistError) Error() string {
+	switch e.messageType {
+	case flagNotExistMessage:
+		return fmt.Sprintf("flag %q does not exist", e.name)
+
+	case flagNotDefinedMessage:
+		return fmt.Sprintf("flag accessed but not defined: %s", e.name)
+
+	case flagNoSuchFlagMessage:
+		return fmt.Sprintf("no such flag -%v", e.name)
+
+	case flagUnknownFlagMessage:
+		return fmt.Sprintf("unknown flag: --%s", e.name)
+
+	case flagUnknownShorthandFlagMessage:
+		c := rune(e.name[0])
+		return fmt.Sprintf("unknown shorthand flag: %q in -%s", c, e.specifiedShorthands)
+	}
+
+	panic(fmt.Errorf("unknown flagNotExistErrorMessageType: %v", e.messageType))
+}
+
+// GetSpecifiedName returns the name of the flag (without dashes) as it
+// appeared in the parsed arguments.
+func (e *NotExistError) GetSpecifiedName() string {
+	return e.name
+}
+
+// GetSpecifiedShortnames returns the group of shorthand arguments
+// (without dashes) that the flag appeared within. If the flag was not in a
+// shorthand group, this will return an empty string.
+func (e *NotExistError) GetSpecifiedShortnames() string {
+	return e.specifiedShorthands
+}
+
+// ValueRequiredError is the error returned when a flag needs an argument but
+// no argument was provided.
+type ValueRequiredError struct {
+	flag                *Flag
+	specifiedName       string
+	specifiedShorthands string
+}
+
+// Error implements error.
+func (e *ValueRequiredError) Error() string {
+	if len(e.specifiedShorthands) > 0 {
+		c := rune(e.specifiedName[0])
+		return fmt.Sprintf("flag needs an argument: %q in -%s", c, e.specifiedShorthands)
+	}
+
+	return fmt.Sprintf("flag needs an argument: --%s", e.specifiedName)
+}
+
+// GetFlag returns the flag for which the error occurred.
+func (e *ValueRequiredError) GetFlag() *Flag {
+	return e.flag
+}
+
+// GetSpecifiedName returns the name of the flag (without dashes) as it
+// appeared in the parsed arguments.
+func (e *ValueRequiredError) GetSpecifiedName() string {
+	return e.specifiedName
+}
+
+// GetSpecifiedShortnames returns the group of shorthand arguments
+// (without dashes) that the flag appeared within. If the flag was not in a
+// shorthand group, this will return an empty string.
+func (e *ValueRequiredError) GetSpecifiedShortnames() string {
+	return e.specifiedShorthands
+}
+
+// InvalidValueError is the error returned when an invalid value is used
+// for a flag.
+type InvalidValueError struct {
+	flag  *Flag
+	value string
+	cause error
+}
+
+// Error implements error.
+func (e *InvalidValueError) Error() string {
+	flag := e.flag
+	var flagName string
+	if flag.Shorthand != "" && flag.ShorthandDeprecated == "" {
+		flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name)
+	} else {
+		flagName = fmt.Sprintf("--%s", flag.Name)
+	}
+	return fmt.Sprintf("invalid argument %q for %q flag: %v", e.value, flagName, e.cause)
+}
+
+// Unwrap implements errors.Unwrap.
+func (e *InvalidValueError) Unwrap() error {
+	return e.cause
+}
+
+// GetFlag returns the flag for which the error occurred.
+func (e *InvalidValueError) GetFlag() *Flag {
+	return e.flag
+}
+
+// GetValue returns the invalid value that was provided.
+func (e *InvalidValueError) GetValue() string {
+	return e.value
+}
+
+// InvalidSyntaxError is the error returned when a bad flag name is passed on
+// the command line.
+type InvalidSyntaxError struct {
+	specifiedFlag string
+}
+
+// Error implements error.
+func (e *InvalidSyntaxError) Error() string {
+	return fmt.Sprintf("bad flag syntax: %s", e.specifiedFlag)
+}
+
+// GetSpecifiedName returns the exact flag (with dashes) as it
+// appeared in the parsed arguments.
+func (e *InvalidSyntaxError) GetSpecifiedFlag() string {
+	return e.specifiedFlag
+}
diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go
index 7c058de3744a1..eeed1e92b0a5f 100644
--- a/vendor/github.com/spf13/pflag/flag.go
+++ b/vendor/github.com/spf13/pflag/flag.go
@@ -27,23 +27,32 @@ unaffected.
 Define flags using flag.String(), Bool(), Int(), etc.
 
 This declares an integer flag, -flagname, stored in the pointer ip, with type *int.
+
 	var ip = flag.Int("flagname", 1234, "help message for flagname")
+
 If you like, you can bind the flag to a variable using the Var() functions.
+
 	var flagvar int
 	func init() {
 		flag.IntVar(&flagvar, "flagname", 1234, "help message for flagname")
 	}
+
 Or you can create custom flags that satisfy the Value interface (with
 pointer receivers) and couple them to flag parsing by
+
 	flag.Var(&flagVal, "name", "help message for flagname")
+
 For such flags, the default value is just the initial value of the variable.
 
 After all flags are defined, call
+
 	flag.Parse()
+
 to parse the command line into the defined flags.
 
 Flags may then be used directly. If you're using the flags themselves,
 they are all pointers; if you bind to variables, they're values.
+
 	fmt.Println("ip has value ", *ip)
 	fmt.Println("flagvar has value ", flagvar)
 
@@ -54,22 +63,26 @@ The arguments are indexed from 0 through flag.NArg()-1.
 The pflag package also defines some new functions that are not in flag,
 that give one-letter shorthands for flags. You can use these by appending
 'P' to the name of any function that defines a flag.
+
 	var ip = flag.IntP("flagname", "f", 1234, "help message")
 	var flagvar bool
 	func init() {
 		flag.BoolVarP(&flagvar, "boolname", "b", true, "help message")
 	}
 	flag.VarP(&flagval, "varname", "v", "help message")
+
 Shorthand letters can be used with single dashes on the command line.
 Boolean shorthand flags can be combined with other shorthand flags.
 
 Command line flag syntax:
+
 	--flag    // boolean flags only
 	--flag=x
 
 Unlike the flag package, a single dash before an option means something
 different than a double dash. Single dashes signify a series of shorthand
 letters for flags. All but the last shorthand letter must be boolean flags.
+
 	// boolean flags
 	-f
 	-abc
@@ -124,12 +137,16 @@ const (
 	PanicOnError
 )
 
-// ParseErrorsWhitelist defines the parsing errors that can be ignored
-type ParseErrorsWhitelist struct {
+// ParseErrorsAllowlist defines the parsing errors that can be ignored
+type ParseErrorsAllowlist struct {
 	// UnknownFlags will ignore unknown flags errors and continue parsing rest of the flags
 	UnknownFlags bool
 }
 
+// DEPRECATED: please use ParseErrorsAllowlist instead
+// This type will be removed in a future release
+type ParseErrorsWhitelist = ParseErrorsAllowlist
+
 // NormalizedName is a flag name that has been normalized according to rules
 // for the FlagSet (e.g. making '-' and '_' equivalent).
 type NormalizedName string
@@ -145,8 +162,12 @@ type FlagSet struct {
 	// help/usage messages.
 	SortFlags bool
 
-	// ParseErrorsWhitelist is used to configure a whitelist of errors
-	ParseErrorsWhitelist ParseErrorsWhitelist
+	// ParseErrorsAllowlist is used to configure an allowlist of errors
+	ParseErrorsAllowlist ParseErrorsAllowlist
+
+	// DEPRECATED: please use ParseErrorsAllowlist instead
+	// This field will be removed in a future release
+	ParseErrorsWhitelist ParseErrorsAllowlist
 
 	name              string
 	parsed            bool
@@ -381,7 +402,7 @@ func (f *FlagSet) lookup(name NormalizedName) *Flag {
 func (f *FlagSet) getFlagType(name string, ftype string, convFunc func(sval string) (interface{}, error)) (interface{}, error) {
 	flag := f.Lookup(name)
 	if flag == nil {
-		err := fmt.Errorf("flag accessed but not defined: %s", name)
+		err := &NotExistError{name: name, messageType: flagNotDefinedMessage}
 		return nil, err
 	}
 
@@ -411,7 +432,7 @@ func (f *FlagSet) ArgsLenAtDash() int {
 func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	if usageMessage == "" {
 		return fmt.Errorf("deprecated message for flag %q must be set", name)
@@ -427,7 +448,7 @@ func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error {
 func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	if usageMessage == "" {
 		return fmt.Errorf("deprecated message for flag %q must be set", name)
@@ -441,7 +462,7 @@ func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) erro
 func (f *FlagSet) MarkHidden(name string) error {
 	flag := f.Lookup(name)
 	if flag == nil {
-		return fmt.Errorf("flag %q does not exist", name)
+		return &NotExistError{name: name, messageType: flagNotExistMessage}
 	}
 	flag.Hidden = true
 	return nil
@@ -464,18 +485,16 @@ func (f *FlagSet) Set(name, value string) error {
 	normalName := f.normalizeFlagName(name)
 	flag, ok := f.formal[normalName]
 	if !ok {
-		return fmt.Errorf("no such flag -%v", name)
+		return &NotExistError{name: name, messageType: flagNoSuchFlagMessage}
 	}
 
 	err := flag.Value.Set(value)
 	if err != nil {
-		var flagName string
-		if flag.Shorthand != "" && flag.ShorthandDeprecated == "" {
-			flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name)
-		} else {
-			flagName = fmt.Sprintf("--%s", flag.Name)
+		return &InvalidValueError{
+			flag:  flag,
+			value: value,
+			cause: err,
 		}
-		return fmt.Errorf("invalid argument %q for %q flag: %v", value, flagName, err)
 	}
 
 	if !flag.Changed {
@@ -501,7 +520,7 @@ func (f *FlagSet) SetAnnotation(name, key string, values []string) error {
 	normalName := f.normalizeFlagName(name)
 	flag, ok := f.formal[normalName]
 	if !ok {
-		return fmt.Errorf("no such flag -%v", name)
+		return &NotExistError{name: name, messageType: flagNoSuchFlagMessage}
 	}
 	if flag.Annotations == nil {
 		flag.Annotations = map[string][]string{}
@@ -538,7 +557,7 @@ func (f *FlagSet) PrintDefaults() {
 func (f *Flag) defaultIsZeroValue() bool {
 	switch f.Value.(type) {
 	case boolFlag:
-		return f.DefValue == "false"
+		return f.DefValue == "false" || f.DefValue == ""
 	case *durationValue:
 		// Beginning in Go 1.7, duration zero values are "0s"
 		return f.DefValue == "0" || f.DefValue == "0s"
@@ -551,7 +570,7 @@ func (f *Flag) defaultIsZeroValue() bool {
 	case *intSliceValue, *stringSliceValue, *stringArrayValue:
 		return f.DefValue == "[]"
 	default:
-		switch f.Value.String() {
+		switch f.DefValue {
 		case "false":
 			return true
 		case "<nil>":
@@ -588,8 +607,10 @@ func UnquoteUsage(flag *Flag) (name string, usage string) {
 
 	name = flag.Value.Type()
 	switch name {
-	case "bool":
+	case "bool", "boolfunc":
 		name = ""
+	case "func":
+		name = "value"
 	case "float64":
 		name = "float"
 	case "int64":
@@ -707,7 +728,7 @@ func (f *FlagSet) FlagUsagesWrapped(cols int) string {
 			switch flag.Value.Type() {
 			case "string":
 				line += fmt.Sprintf("[=\"%s\"]", flag.NoOptDefVal)
-			case "bool":
+			case "bool", "boolfunc":
 				if flag.NoOptDefVal != "true" {
 					line += fmt.Sprintf("[=%s]", flag.NoOptDefVal)
 				}
@@ -911,12 +932,10 @@ func VarP(value Value, name, shorthand, usage string) {
 	CommandLine.VarP(value, name, shorthand, usage)
 }
 
-// failf prints to standard error a formatted error and usage message and
+// fail prints an error message and usage message to standard error and
 // returns the error.
-func (f *FlagSet) failf(format string, a ...interface{}) error {
-	err := fmt.Errorf(format, a...)
+func (f *FlagSet) fail(err error) error {
 	if f.errorHandling != ContinueOnError {
-		fmt.Fprintln(f.Output(), err)
 		f.usage()
 	}
 	return err
@@ -934,9 +953,9 @@ func (f *FlagSet) usage() {
 	}
 }
 
-//--unknown (args will be empty)
-//--unknown --next-flag ... (args will be --next-flag ...)
-//--unknown arg ... (args will be arg ...)
+// --unknown (args will be empty)
+// --unknown --next-flag ... (args will be --next-flag ...)
+// --unknown arg ... (args will be arg ...)
 func stripUnknownFlagValue(args []string) []string {
 	if len(args) == 0 {
 		//--unknown
@@ -960,7 +979,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 	a = args
 	name := s[2:]
 	if len(name) == 0 || name[0] == '-' || name[0] == '=' {
-		err = f.failf("bad flag syntax: %s", s)
+		err = f.fail(&InvalidSyntaxError{specifiedFlag: s})
 		return
 	}
 
@@ -974,6 +993,8 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 			f.usage()
 			return a, ErrHelp
 		case f.ParseErrorsWhitelist.UnknownFlags:
+			fallthrough
+		case f.ParseErrorsAllowlist.UnknownFlags:
 			// --unknown=unknownval arg ...
 			// we do not want to lose arg in this case
 			if len(split) >= 2 {
@@ -982,7 +1003,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 
 			return stripUnknownFlagValue(a), nil
 		default:
-			err = f.failf("unknown flag: --%s", name)
+			err = f.fail(&NotExistError{name: name, messageType: flagUnknownFlagMessage})
 			return
 		}
 	}
@@ -1000,13 +1021,16 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 		a = a[1:]
 	} else {
 		// '--flag' (arg was required)
-		err = f.failf("flag needs an argument: %s", s)
+		err = f.fail(&ValueRequiredError{
+			flag:          flag,
+			specifiedName: name,
+		})
 		return
 	}
 
 	err = fn(flag, value)
 	if err != nil {
-		f.failf(err.Error())
+		f.fail(err)
 	}
 	return
 }
@@ -1014,7 +1038,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin
 func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parseFunc) (outShorts string, outArgs []string, err error) {
 	outArgs = args
 
-	if strings.HasPrefix(shorthands, "test.") {
+	if isGotestShorthandFlag(shorthands) {
 		return
 	}
 
@@ -1029,6 +1053,8 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 			err = ErrHelp
 			return
 		case f.ParseErrorsWhitelist.UnknownFlags:
+			fallthrough
+		case f.ParseErrorsAllowlist.UnknownFlags:
 			// '-f=arg arg ...'
 			// we do not want to lose arg in this case
 			if len(shorthands) > 2 && shorthands[1] == '=' {
@@ -1039,7 +1065,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 			outArgs = stripUnknownFlagValue(outArgs)
 			return
 		default:
-			err = f.failf("unknown shorthand flag: %q in -%s", c, shorthands)
+			err = f.fail(&NotExistError{
+				name:                string(c),
+				specifiedShorthands: shorthands,
+				messageType:         flagUnknownShorthandFlagMessage,
+			})
 			return
 		}
 	}
@@ -1062,7 +1092,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 		outArgs = args[1:]
 	} else {
 		// '-f' (arg was required)
-		err = f.failf("flag needs an argument: %q in -%s", c, shorthands)
+		err = f.fail(&ValueRequiredError{
+			flag:                flag,
+			specifiedName:       string(c),
+			specifiedShorthands: shorthands,
+		})
 		return
 	}
 
@@ -1072,7 +1106,7 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse
 
 	err = fn(flag, value)
 	if err != nil {
-		f.failf(err.Error())
+		f.fail(err)
 	}
 	return
 }
@@ -1135,12 +1169,12 @@ func (f *FlagSet) Parse(arguments []string) error {
 	}
 	f.parsed = true
 
-	if len(arguments) < 0 {
+	f.args = make([]string, 0, len(arguments))
+
+	if len(arguments) == 0 {
 		return nil
 	}
 
-	f.args = make([]string, 0, len(arguments))
-
 	set := func(flag *Flag, value string) error {
 		return f.Set(flag.Name, value)
 	}
@@ -1151,7 +1185,10 @@ func (f *FlagSet) Parse(arguments []string) error {
 		case ContinueOnError:
 			return err
 		case ExitOnError:
-			fmt.Println(err)
+			if errors.Is(err, ErrHelp) {
+				os.Exit(0)
+			}
+			fmt.Fprintln(f.Output(), err)
 			os.Exit(2)
 		case PanicOnError:
 			panic(err)
@@ -1177,6 +1214,10 @@ func (f *FlagSet) ParseAll(arguments []string, fn func(flag *Flag, value string)
 		case ContinueOnError:
 			return err
 		case ExitOnError:
+			if errors.Is(err, ErrHelp) {
+				os.Exit(0)
+			}
+			fmt.Fprintln(f.Output(), err)
 			os.Exit(2)
 		case PanicOnError:
 			panic(err)
diff --git a/vendor/github.com/spf13/pflag/func.go b/vendor/github.com/spf13/pflag/func.go
new file mode 100644
index 0000000000000..9f4d88f271ce9
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/func.go
@@ -0,0 +1,37 @@
+package pflag
+
+// -- func Value
+type funcValue func(string) error
+
+func (f funcValue) Set(s string) error { return f(s) }
+
+func (f funcValue) Type() string { return "func" }
+
+func (f funcValue) String() string { return "" } // same behavior as stdlib 'flag' package
+
+// Func defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}={value}" (or equivalent) is
+// parsed on the command line, with "{value}" as an argument.
+func (f *FlagSet) Func(name string, usage string, fn func(string) error) {
+	f.FuncP(name, "", usage, fn)
+}
+
+// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) FuncP(name string, shorthand string, usage string, fn func(string) error) {
+	var val Value = funcValue(fn)
+	f.VarP(val, name, shorthand, usage)
+}
+
+// Func defines a func flag with specified name, callback function and usage string.
+//
+// The callback function will be called every time "--{name}={value}" (or equivalent) is
+// parsed on the command line, with "{value}" as an argument.
+func Func(name string, usage string, fn func(string) error) {
+	CommandLine.FuncP(name, "", usage, fn)
+}
+
+// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash.
+func FuncP(name, shorthand string, usage string, fn func(string) error) {
+	CommandLine.FuncP(name, shorthand, usage, fn)
+}
diff --git a/vendor/github.com/spf13/pflag/golangflag.go b/vendor/github.com/spf13/pflag/golangflag.go
index d3dd72b7feed6..e62eab53810c3 100644
--- a/vendor/github.com/spf13/pflag/golangflag.go
+++ b/vendor/github.com/spf13/pflag/golangflag.go
@@ -8,8 +8,18 @@ import (
 	goflag "flag"
 	"reflect"
 	"strings"
+	"time"
 )
 
+// go test flags prefixes
+func isGotestFlag(flag string) bool {
+	return strings.HasPrefix(flag, "-test.")
+}
+
+func isGotestShorthandFlag(flag string) bool {
+	return strings.HasPrefix(flag, "test.")
+}
+
 // flagValueWrapper implements pflag.Value around a flag.Value.  The main
 // difference here is the addition of the Type method that returns a string
 // name of the type.  As this is generally unknown, we approximate that with
@@ -103,3 +113,49 @@ func (f *FlagSet) AddGoFlagSet(newSet *goflag.FlagSet) {
 	}
 	f.addedGoFlagSets = append(f.addedGoFlagSets, newSet)
 }
+
+// CopyToGoFlagSet will add all current flags to the given Go flag set.
+// Deprecation remarks get copied into the usage description.
+// Whenever possible, a flag gets added for which Go flags shows
+// a proper type in the help message.
+func (f *FlagSet) CopyToGoFlagSet(newSet *goflag.FlagSet) {
+	f.VisitAll(func(flag *Flag) {
+		usage := flag.Usage
+		if flag.Deprecated != "" {
+			usage += " (DEPRECATED: " + flag.Deprecated + ")"
+		}
+
+		switch value := flag.Value.(type) {
+		case *stringValue:
+			newSet.StringVar((*string)(value), flag.Name, flag.DefValue, usage)
+		case *intValue:
+			newSet.IntVar((*int)(value), flag.Name, *(*int)(value), usage)
+		case *int64Value:
+			newSet.Int64Var((*int64)(value), flag.Name, *(*int64)(value), usage)
+		case *uintValue:
+			newSet.UintVar((*uint)(value), flag.Name, *(*uint)(value), usage)
+		case *uint64Value:
+			newSet.Uint64Var((*uint64)(value), flag.Name, *(*uint64)(value), usage)
+		case *durationValue:
+			newSet.DurationVar((*time.Duration)(value), flag.Name, *(*time.Duration)(value), usage)
+		case *float64Value:
+			newSet.Float64Var((*float64)(value), flag.Name, *(*float64)(value), usage)
+		default:
+			newSet.Var(flag.Value, flag.Name, usage)
+		}
+	})
+}
+
+// ParseSkippedFlags explicitly Parses go test flags (i.e. the one starting with '-test.') with goflag.Parse(),
+// since by default those are skipped by pflag.Parse().
+// Typical usage example: `ParseGoTestFlags(os.Args[1:], goflag.CommandLine)`
+func ParseSkippedFlags(osArgs []string, goFlagSet *goflag.FlagSet) error {
+	var skippedFlags []string
+	for _, f := range osArgs {
+		if isGotestFlag(f) {
+			skippedFlags = append(skippedFlags, f)
+		}
+	}
+	return goFlagSet.Parse(skippedFlags)
+}
+
diff --git a/vendor/github.com/spf13/pflag/ipnet_slice.go b/vendor/github.com/spf13/pflag/ipnet_slice.go
index 6b541aa8798cf..c6e89da18d8e8 100644
--- a/vendor/github.com/spf13/pflag/ipnet_slice.go
+++ b/vendor/github.com/spf13/pflag/ipnet_slice.go
@@ -73,7 +73,7 @@ func (s *ipNetSliceValue) String() string {
 
 func ipNetSliceConv(val string) (interface{}, error) {
 	val = strings.Trim(val, "[]")
-	// Emtpy string would cause a slice with one (empty) entry
+	// Empty string would cause a slice with one (empty) entry
 	if len(val) == 0 {
 		return []net.IPNet{}, nil
 	}
diff --git a/vendor/github.com/spf13/pflag/string_to_string.go b/vendor/github.com/spf13/pflag/string_to_string.go
index 890a01afc0300..1d1e3bf91a35e 100644
--- a/vendor/github.com/spf13/pflag/string_to_string.go
+++ b/vendor/github.com/spf13/pflag/string_to_string.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/csv"
 	"fmt"
+	"sort"
 	"strings"
 )
 
@@ -62,8 +63,15 @@ func (s *stringToStringValue) Type() string {
 }
 
 func (s *stringToStringValue) String() string {
+	keys := make([]string, 0, len(*s.value))
+	for k := range *s.value {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
 	records := make([]string, 0, len(*s.value)>>1)
-	for k, v := range *s.value {
+	for _, k := range keys {
+		v := (*s.value)[k]
 		records = append(records, k+"="+v)
 	}
 
diff --git a/vendor/github.com/spf13/pflag/text.go b/vendor/github.com/spf13/pflag/text.go
new file mode 100644
index 0000000000000..886d5a3d8065a
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/text.go
@@ -0,0 +1,81 @@
+package pflag
+
+import (
+	"encoding"
+	"fmt"
+	"reflect"
+)
+
+// following is copied from go 1.23.4 flag.go
+type textValue struct{ p encoding.TextUnmarshaler }
+
+func newTextValue(val encoding.TextMarshaler, p encoding.TextUnmarshaler) textValue {
+	ptrVal := reflect.ValueOf(p)
+	if ptrVal.Kind() != reflect.Ptr {
+		panic("variable value type must be a pointer")
+	}
+	defVal := reflect.ValueOf(val)
+	if defVal.Kind() == reflect.Ptr {
+		defVal = defVal.Elem()
+	}
+	if defVal.Type() != ptrVal.Type().Elem() {
+		panic(fmt.Sprintf("default type does not match variable type: %v != %v", defVal.Type(), ptrVal.Type().Elem()))
+	}
+	ptrVal.Elem().Set(defVal)
+	return textValue{p}
+}
+
+func (v textValue) Set(s string) error {
+	return v.p.UnmarshalText([]byte(s))
+}
+
+func (v textValue) Get() interface{} {
+	return v.p
+}
+
+func (v textValue) String() string {
+	if m, ok := v.p.(encoding.TextMarshaler); ok {
+		if b, err := m.MarshalText(); err == nil {
+			return string(b)
+		}
+	}
+	return ""
+}
+
+//end of copy
+
+func (v textValue) Type() string {
+	return reflect.ValueOf(v.p).Type().Name()
+}
+
+// GetText set out, which implements encoding.UnmarshalText, to the value of a flag with given name
+func (f *FlagSet) GetText(name string, out encoding.TextUnmarshaler) error {
+	flag := f.Lookup(name)
+	if flag == nil {
+		return fmt.Errorf("flag accessed but not defined: %s", name)
+	}
+	if flag.Value.Type() != reflect.TypeOf(out).Name() {
+		return fmt.Errorf("trying to get %s value of flag of type %s", reflect.TypeOf(out).Name(), flag.Value.Type())
+	}
+	return out.UnmarshalText([]byte(flag.Value.String()))
+}
+
+// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p.
+func (f *FlagSet) TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) {
+	f.VarP(newTextValue(value, p), name, "", usage)
+}
+
+// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) {
+	f.VarP(newTextValue(value, p), name, shorthand, usage)
+}
+
+// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p.
+func TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) {
+	CommandLine.VarP(newTextValue(value, p), name, "", usage)
+}
+
+// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash.
+func TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) {
+	CommandLine.VarP(newTextValue(value, p), name, shorthand, usage)
+}
diff --git a/vendor/github.com/spf13/pflag/time.go b/vendor/github.com/spf13/pflag/time.go
new file mode 100644
index 0000000000000..3dee424791a88
--- /dev/null
+++ b/vendor/github.com/spf13/pflag/time.go
@@ -0,0 +1,124 @@
+package pflag
+
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+// TimeValue adapts time.Time for use as a flag.
+type timeValue struct {
+	*time.Time
+	formats []string
+}
+
+func newTimeValue(val time.Time, p *time.Time, formats []string) *timeValue {
+	*p = val
+	return &timeValue{
+		Time:    p,
+		formats: formats,
+	}
+}
+
+// Set time.Time value from string based on accepted formats.
+func (d *timeValue) Set(s string) error {
+	s = strings.TrimSpace(s)
+	for _, f := range d.formats {
+		v, err := time.Parse(f, s)
+		if err != nil {
+			continue
+		}
+		*d.Time = v
+		return nil
+	}
+
+	formatsString := ""
+	for i, f := range d.formats {
+		if i > 0 {
+			formatsString += ", "
+		}
+		formatsString += fmt.Sprintf("`%s`", f)
+	}
+
+	return fmt.Errorf("invalid time format `%s` must be one of: %s", s, formatsString)
+}
+
+// Type name for time.Time flags.
+func (d *timeValue) Type() string {
+	return "time"
+}
+
+func (d *timeValue) String() string {
+	if d.Time.IsZero() {
+		return ""
+	} else {
+		return d.Time.Format(time.RFC3339Nano)
+	}
+}
+
+// GetTime return the time value of a flag with the given name
+func (f *FlagSet) GetTime(name string) (time.Time, error) {
+	flag := f.Lookup(name)
+	if flag == nil {
+		err := fmt.Errorf("flag accessed but not defined: %s", name)
+		return time.Time{}, err
+	}
+
+	if flag.Value.Type() != "time" {
+		err := fmt.Errorf("trying to get %s value of flag of type %s", "time", flag.Value.Type())
+		return time.Time{}, err
+	}
+
+	val, ok := flag.Value.(*timeValue)
+	if !ok {
+		return time.Time{}, fmt.Errorf("value %s is not a time", flag.Value)
+	}
+
+	return *val.Time, nil
+}
+
+// TimeVar defines a time.Time flag with specified name, default value, and usage string.
+// The argument p points to a time.Time variable in which to store the value of the flag.
+func (f *FlagSet) TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) {
+	f.TimeVarP(p, name, "", value, formats, usage)
+}
+
+// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) {
+	f.VarP(newTimeValue(value, p, formats), name, shorthand, usage)
+}
+
+// TimeVar defines a time.Time flag with specified name, default value, and usage string.
+// The argument p points to a time.Time variable in which to store the value of the flag.
+func TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) {
+	CommandLine.TimeVarP(p, name, "", value, formats, usage)
+}
+
+// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash.
+func TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) {
+	CommandLine.VarP(newTimeValue(value, p, formats), name, shorthand, usage)
+}
+
+// Time defines a time.Time flag with specified name, default value, and usage string.
+// The return value is the address of a time.Time variable that stores the value of the flag.
+func (f *FlagSet) Time(name string, value time.Time, formats []string, usage string) *time.Time {
+	return f.TimeP(name, "", value, formats, usage)
+}
+
+// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash.
+func (f *FlagSet) TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time {
+	p := new(time.Time)
+	f.TimeVarP(p, name, shorthand, value, formats, usage)
+	return p
+}
+
+// Time defines a time.Time flag with specified name, default value, and usage string.
+// The return value is the address of a time.Time variable that stores the value of the flag.
+func Time(name string, value time.Time, formats []string, usage string) *time.Time {
+	return CommandLine.TimeP(name, "", value, formats, usage)
+}
+
+// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash.
+func TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time {
+	return CommandLine.TimeP(name, shorthand, value, formats, usage)
+}
diff --git a/vendor/github.com/stretchr/testify/assert/assertion_compare.go b/vendor/github.com/stretchr/testify/assert/assertion_compare.go
index 7e19eba0904d6..ffb24e8e3130f 100644
--- a/vendor/github.com/stretchr/testify/assert/assertion_compare.go
+++ b/vendor/github.com/stretchr/testify/assert/assertion_compare.go
@@ -390,7 +390,8 @@ func Greater(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
 	}
-	return compareTwoValues(t, e1, e2, []compareResult{compareGreater}, "\"%v\" is not greater than \"%v\"", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not greater than \"%v\"", e1, e2)
+	return compareTwoValues(t, e1, e2, []compareResult{compareGreater}, failMessage, msgAndArgs...)
 }
 
 // GreaterOrEqual asserts that the first element is greater than or equal to the second
@@ -403,7 +404,8 @@ func GreaterOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...in
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
 	}
-	return compareTwoValues(t, e1, e2, []compareResult{compareGreater, compareEqual}, "\"%v\" is not greater than or equal to \"%v\"", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not greater than or equal to \"%v\"", e1, e2)
+	return compareTwoValues(t, e1, e2, []compareResult{compareGreater, compareEqual}, failMessage, msgAndArgs...)
 }
 
 // Less asserts that the first element is less than the second
@@ -415,7 +417,8 @@ func Less(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{})
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
 	}
-	return compareTwoValues(t, e1, e2, []compareResult{compareLess}, "\"%v\" is not less than \"%v\"", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not less than \"%v\"", e1, e2)
+	return compareTwoValues(t, e1, e2, []compareResult{compareLess}, failMessage, msgAndArgs...)
 }
 
 // LessOrEqual asserts that the first element is less than or equal to the second
@@ -428,7 +431,8 @@ func LessOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...inter
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
 	}
-	return compareTwoValues(t, e1, e2, []compareResult{compareLess, compareEqual}, "\"%v\" is not less than or equal to \"%v\"", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not less than or equal to \"%v\"", e1, e2)
+	return compareTwoValues(t, e1, e2, []compareResult{compareLess, compareEqual}, failMessage, msgAndArgs...)
 }
 
 // Positive asserts that the specified element is positive
@@ -440,7 +444,8 @@ func Positive(t TestingT, e interface{}, msgAndArgs ...interface{}) bool {
 		h.Helper()
 	}
 	zero := reflect.Zero(reflect.TypeOf(e))
-	return compareTwoValues(t, e, zero.Interface(), []compareResult{compareGreater}, "\"%v\" is not positive", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not positive", e)
+	return compareTwoValues(t, e, zero.Interface(), []compareResult{compareGreater}, failMessage, msgAndArgs...)
 }
 
 // Negative asserts that the specified element is negative
@@ -452,7 +457,8 @@ func Negative(t TestingT, e interface{}, msgAndArgs ...interface{}) bool {
 		h.Helper()
 	}
 	zero := reflect.Zero(reflect.TypeOf(e))
-	return compareTwoValues(t, e, zero.Interface(), []compareResult{compareLess}, "\"%v\" is not negative", msgAndArgs...)
+	failMessage := fmt.Sprintf("\"%v\" is not negative", e)
+	return compareTwoValues(t, e, zero.Interface(), []compareResult{compareLess}, failMessage, msgAndArgs...)
 }
 
 func compareTwoValues(t TestingT, e1 interface{}, e2 interface{}, allowedComparesResults []compareResult, failMessage string, msgAndArgs ...interface{}) bool {
@@ -468,11 +474,11 @@ func compareTwoValues(t TestingT, e1 interface{}, e2 interface{}, allowedCompare
 
 	compareResult, isComparable := compare(e1, e2, e1Kind)
 	if !isComparable {
-		return Fail(t, fmt.Sprintf("Can not compare type \"%s\"", reflect.TypeOf(e1)), msgAndArgs...)
+		return Fail(t, fmt.Sprintf(`Can not compare type "%T"`, e1), msgAndArgs...)
 	}
 
 	if !containsValue(allowedComparesResults, compareResult) {
-		return Fail(t, fmt.Sprintf(failMessage, e1, e2), msgAndArgs...)
+		return Fail(t, failMessage, msgAndArgs...)
 	}
 
 	return true
diff --git a/vendor/github.com/stretchr/testify/assert/assertion_format.go b/vendor/github.com/stretchr/testify/assert/assertion_format.go
index 1906341657745..c592f6ad5fb64 100644
--- a/vendor/github.com/stretchr/testify/assert/assertion_format.go
+++ b/vendor/github.com/stretchr/testify/assert/assertion_format.go
@@ -50,10 +50,19 @@ func ElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string
 	return ElementsMatch(t, listA, listB, append([]interface{}{msg}, args...)...)
 }
 
-// Emptyf asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	assert.Emptyf(t, obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func Emptyf(t TestingT, object interface{}, msg string, args ...interface{}) bool {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -117,10 +126,8 @@ func EqualValuesf(t TestingT, expected interface{}, actual interface{}, msg stri
 
 // Errorf asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if assert.Errorf(t, err, "error message %s", "formatted") {
-//		   assert.Equal(t, expectedErrorf, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	assert.Errorf(t, err, "error message %s", "formatted")
 func Errorf(t TestingT, err error, msg string, args ...interface{}) bool {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -438,7 +445,19 @@ func IsNonIncreasingf(t TestingT, object interface{}, msg string, args ...interf
 	return IsNonIncreasing(t, object, append([]interface{}{msg}, args...)...)
 }
 
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	assert.IsNotTypef(t, &NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func IsNotTypef(t TestingT, theType interface{}, object interface{}, msg string, args ...interface{}) bool {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	return IsNotType(t, theType, object, append([]interface{}{msg}, args...)...)
+}
+
 // IsTypef asserts that the specified objects are of the same type.
+//
+//	assert.IsTypef(t, &MyStruct{}, &MyStruct{}, "error message %s", "formatted")
 func IsTypef(t TestingT, expectedType interface{}, object interface{}, msg string, args ...interface{}) bool {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -585,8 +604,7 @@ func NotElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg str
 	return NotElementsMatch(t, listA, listB, append([]interface{}{msg}, args...)...)
 }
 
-// NotEmptyf asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmptyf asserts that the specified object is NOT [Empty].
 //
 //	if assert.NotEmptyf(t, obj, "error message %s", "formatted") {
 //	  assert.Equal(t, "two", obj[1])
@@ -693,12 +711,15 @@ func NotSamef(t TestingT, expected interface{}, actual interface{}, msg string,
 	return NotSame(t, expected, actual, append([]interface{}{msg}, args...)...)
 }
 
-// NotSubsetf asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	assert.NotSubsetf(t, [1, 3, 4], [1, 2], "error message %s", "formatted")
 //	assert.NotSubsetf(t, {"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	assert.NotSubsetf(t, [1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	assert.NotSubsetf(t, {"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
 func NotSubsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) bool {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -782,11 +803,15 @@ func Samef(t TestingT, expected interface{}, actual interface{}, msg string, arg
 	return Same(t, expected, actual, append([]interface{}{msg}, args...)...)
 }
 
-// Subsetf asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	assert.Subsetf(t, [1, 2, 3], [1, 2], "error message %s", "formatted")
 //	assert.Subsetf(t, {"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	assert.Subsetf(t, [1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	assert.Subsetf(t, {"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
 func Subsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) bool {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
diff --git a/vendor/github.com/stretchr/testify/assert/assertion_forward.go b/vendor/github.com/stretchr/testify/assert/assertion_forward.go
index 21629087baf76..58db928450dc1 100644
--- a/vendor/github.com/stretchr/testify/assert/assertion_forward.go
+++ b/vendor/github.com/stretchr/testify/assert/assertion_forward.go
@@ -92,10 +92,19 @@ func (a *Assertions) ElementsMatchf(listA interface{}, listB interface{}, msg st
 	return ElementsMatchf(a.t, listA, listB, msg, args...)
 }
 
-// Empty asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	a.Empty(obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -103,10 +112,19 @@ func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) bool {
 	return Empty(a.t, object, msgAndArgs...)
 }
 
-// Emptyf asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	a.Emptyf(obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func (a *Assertions) Emptyf(object interface{}, msg string, args ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -224,10 +242,8 @@ func (a *Assertions) Equalf(expected interface{}, actual interface{}, msg string
 
 // Error asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if a.Error(err) {
-//		   assert.Equal(t, expectedError, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	a.Error(err)
 func (a *Assertions) Error(err error, msgAndArgs ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -297,10 +313,8 @@ func (a *Assertions) ErrorIsf(err error, target error, msg string, args ...inter
 
 // Errorf asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if a.Errorf(err, "error message %s", "formatted") {
-//		   assert.Equal(t, expectedErrorf, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	a.Errorf(err, "error message %s", "formatted")
 func (a *Assertions) Errorf(err error, msg string, args ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -868,7 +882,29 @@ func (a *Assertions) IsNonIncreasingf(object interface{}, msg string, args ...in
 	return IsNonIncreasingf(a.t, object, msg, args...)
 }
 
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	a.IsNotType(&NotMyStruct{}, &MyStruct{})
+func (a *Assertions) IsNotType(theType interface{}, object interface{}, msgAndArgs ...interface{}) bool {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	return IsNotType(a.t, theType, object, msgAndArgs...)
+}
+
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	a.IsNotTypef(&NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func (a *Assertions) IsNotTypef(theType interface{}, object interface{}, msg string, args ...interface{}) bool {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	return IsNotTypef(a.t, theType, object, msg, args...)
+}
+
 // IsType asserts that the specified objects are of the same type.
+//
+//	a.IsType(&MyStruct{}, &MyStruct{})
 func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAndArgs ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -877,6 +913,8 @@ func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAnd
 }
 
 // IsTypef asserts that the specified objects are of the same type.
+//
+//	a.IsTypef(&MyStruct{}, &MyStruct{}, "error message %s", "formatted")
 func (a *Assertions) IsTypef(expectedType interface{}, object interface{}, msg string, args ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1162,8 +1200,7 @@ func (a *Assertions) NotElementsMatchf(listA interface{}, listB interface{}, msg
 	return NotElementsMatchf(a.t, listA, listB, msg, args...)
 }
 
-// NotEmpty asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmpty asserts that the specified object is NOT [Empty].
 //
 //	if a.NotEmpty(obj) {
 //	  assert.Equal(t, "two", obj[1])
@@ -1175,8 +1212,7 @@ func (a *Assertions) NotEmpty(object interface{}, msgAndArgs ...interface{}) boo
 	return NotEmpty(a.t, object, msgAndArgs...)
 }
 
-// NotEmptyf asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmptyf asserts that the specified object is NOT [Empty].
 //
 //	if a.NotEmptyf(obj, "error message %s", "formatted") {
 //	  assert.Equal(t, "two", obj[1])
@@ -1378,12 +1414,15 @@ func (a *Assertions) NotSamef(expected interface{}, actual interface{}, msg stri
 	return NotSamef(a.t, expected, actual, msg, args...)
 }
 
-// NotSubset asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.NotSubset([1, 3, 4], [1, 2])
 //	a.NotSubset({"x": 1, "y": 2}, {"z": 3})
+//	a.NotSubset([1, 3, 4], {1: "one", 2: "two"})
+//	a.NotSubset({"x": 1, "y": 2}, ["z"])
 func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1391,12 +1430,15 @@ func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs
 	return NotSubset(a.t, list, subset, msgAndArgs...)
 }
 
-// NotSubsetf asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.NotSubsetf([1, 3, 4], [1, 2], "error message %s", "formatted")
 //	a.NotSubsetf({"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	a.NotSubsetf([1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.NotSubsetf({"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
 func (a *Assertions) NotSubsetf(list interface{}, subset interface{}, msg string, args ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1556,11 +1598,15 @@ func (a *Assertions) Samef(expected interface{}, actual interface{}, msg string,
 	return Samef(a.t, expected, actual, msg, args...)
 }
 
-// Subset asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.Subset([1, 2, 3], [1, 2])
 //	a.Subset({"x": 1, "y": 2}, {"x": 1})
+//	a.Subset([1, 2, 3], {1: "one", 2: "two"})
+//	a.Subset({"x": 1, "y": 2}, ["x"])
 func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1568,11 +1614,15 @@ func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...
 	return Subset(a.t, list, subset, msgAndArgs...)
 }
 
-// Subsetf asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.Subsetf([1, 2, 3], [1, 2], "error message %s", "formatted")
 //	a.Subsetf({"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	a.Subsetf([1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.Subsetf({"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
 func (a *Assertions) Subsetf(list interface{}, subset interface{}, msg string, args ...interface{}) bool {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
diff --git a/vendor/github.com/stretchr/testify/assert/assertion_order.go b/vendor/github.com/stretchr/testify/assert/assertion_order.go
index 1d2f71824aa93..2fdf80fdd3088 100644
--- a/vendor/github.com/stretchr/testify/assert/assertion_order.go
+++ b/vendor/github.com/stretchr/testify/assert/assertion_order.go
@@ -33,7 +33,7 @@ func isOrdered(t TestingT, object interface{}, allowedComparesResults []compareR
 		compareResult, isComparable := compare(prevValueInterface, valueInterface, firstValueKind)
 
 		if !isComparable {
-			return Fail(t, fmt.Sprintf("Can not compare type \"%s\" and \"%s\"", reflect.TypeOf(value), reflect.TypeOf(prevValue)), msgAndArgs...)
+			return Fail(t, fmt.Sprintf(`Can not compare type "%T" and "%T"`, value, prevValue), msgAndArgs...)
 		}
 
 		if !containsValue(allowedComparesResults, compareResult) {
diff --git a/vendor/github.com/stretchr/testify/assert/assertions.go b/vendor/github.com/stretchr/testify/assert/assertions.go
index 4e91332bb51c3..de8de0cb6c431 100644
--- a/vendor/github.com/stretchr/testify/assert/assertions.go
+++ b/vendor/github.com/stretchr/testify/assert/assertions.go
@@ -210,59 +210,77 @@ the problem actually occurred in calling code.*/
 // of each stack frame leading from the current test to the assert call that
 // failed.
 func CallerInfo() []string {
-
 	var pc uintptr
-	var ok bool
 	var file string
 	var line int
 	var name string
 
+	const stackFrameBufferSize = 10
+	pcs := make([]uintptr, stackFrameBufferSize)
+
 	callers := []string{}
-	for i := 0; ; i++ {
-		pc, file, line, ok = runtime.Caller(i)
-		if !ok {
-			// The breaks below failed to terminate the loop, and we ran off the
-			// end of the call stack.
-			break
-		}
+	offset := 1
 
-		// This is a huge edge case, but it will panic if this is the case, see #180
-		if file == "<autogenerated>" {
-			break
-		}
+	for {
+		n := runtime.Callers(offset, pcs)
 
-		f := runtime.FuncForPC(pc)
-		if f == nil {
-			break
-		}
-		name = f.Name()
-
-		// testing.tRunner is the standard library function that calls
-		// tests. Subtests are called directly by tRunner, without going through
-		// the Test/Benchmark/Example function that contains the t.Run calls, so
-		// with subtests we should break when we hit tRunner, without adding it
-		// to the list of callers.
-		if name == "testing.tRunner" {
+		if n == 0 {
 			break
 		}
 
-		parts := strings.Split(file, "/")
-		if len(parts) > 1 {
-			filename := parts[len(parts)-1]
-			dir := parts[len(parts)-2]
-			if (dir != "assert" && dir != "mock" && dir != "require") || filename == "mock_test.go" {
-				callers = append(callers, fmt.Sprintf("%s:%d", file, line))
+		frames := runtime.CallersFrames(pcs[:n])
+
+		for {
+			frame, more := frames.Next()
+			pc = frame.PC
+			file = frame.File
+			line = frame.Line
+
+			// This is a huge edge case, but it will panic if this is the case, see #180
+			if file == "<autogenerated>" {
+				break
 			}
-		}
 
-		// Drop the package
-		segments := strings.Split(name, ".")
-		name = segments[len(segments)-1]
-		if isTest(name, "Test") ||
-			isTest(name, "Benchmark") ||
-			isTest(name, "Example") {
-			break
+			f := runtime.FuncForPC(pc)
+			if f == nil {
+				break
+			}
+			name = f.Name()
+
+			// testing.tRunner is the standard library function that calls
+			// tests. Subtests are called directly by tRunner, without going through
+			// the Test/Benchmark/Example function that contains the t.Run calls, so
+			// with subtests we should break when we hit tRunner, without adding it
+			// to the list of callers.
+			if name == "testing.tRunner" {
+				break
+			}
+
+			parts := strings.Split(file, "/")
+			if len(parts) > 1 {
+				filename := parts[len(parts)-1]
+				dir := parts[len(parts)-2]
+				if (dir != "assert" && dir != "mock" && dir != "require") || filename == "mock_test.go" {
+					callers = append(callers, fmt.Sprintf("%s:%d", file, line))
+				}
+			}
+
+			// Drop the package
+			dotPos := strings.LastIndexByte(name, '.')
+			name = name[dotPos+1:]
+			if isTest(name, "Test") ||
+				isTest(name, "Benchmark") ||
+				isTest(name, "Example") {
+				break
+			}
+
+			if !more {
+				break
+			}
 		}
+
+		// Next batch
+		offset += cap(pcs)
 	}
 
 	return callers
@@ -437,17 +455,34 @@ func NotImplements(t TestingT, interfaceObject interface{}, object interface{},
 	return true
 }
 
+func isType(expectedType, object interface{}) bool {
+	return ObjectsAreEqual(reflect.TypeOf(object), reflect.TypeOf(expectedType))
+}
+
 // IsType asserts that the specified objects are of the same type.
-func IsType(t TestingT, expectedType interface{}, object interface{}, msgAndArgs ...interface{}) bool {
+//
+//	assert.IsType(t, &MyStruct{}, &MyStruct{})
+func IsType(t TestingT, expectedType, object interface{}, msgAndArgs ...interface{}) bool {
+	if isType(expectedType, object) {
+		return true
+	}
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
 	}
+	return Fail(t, fmt.Sprintf("Object expected to be of type %T, but was %T", expectedType, object), msgAndArgs...)
+}
 
-	if !ObjectsAreEqual(reflect.TypeOf(object), reflect.TypeOf(expectedType)) {
-		return Fail(t, fmt.Sprintf("Object expected to be of type %v, but was %v", reflect.TypeOf(expectedType), reflect.TypeOf(object)), msgAndArgs...)
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	assert.IsNotType(t, &NotMyStruct{}, &MyStruct{})
+func IsNotType(t TestingT, theType, object interface{}, msgAndArgs ...interface{}) bool {
+	if !isType(theType, object) {
+		return true
 	}
-
-	return true
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	return Fail(t, fmt.Sprintf("Object type expected to be different than %T", theType), msgAndArgs...)
 }
 
 // Equal asserts that two objects are equal.
@@ -475,7 +510,6 @@ func Equal(t TestingT, expected, actual interface{}, msgAndArgs ...interface{})
 	}
 
 	return true
-
 }
 
 // validateEqualArgs checks whether provided arguments can be safely used in the
@@ -510,8 +544,9 @@ func Same(t TestingT, expected, actual interface{}, msgAndArgs ...interface{}) b
 	if !same {
 		// both are pointers but not the same type & pointing to the same address
 		return Fail(t, fmt.Sprintf("Not same: \n"+
-			"expected: %p %#v\n"+
-			"actual  : %p %#v", expected, expected, actual, actual), msgAndArgs...)
+			"expected: %p %#[1]v\n"+
+			"actual  : %p %#[2]v",
+			expected, actual), msgAndArgs...)
 	}
 
 	return true
@@ -530,14 +565,14 @@ func NotSame(t TestingT, expected, actual interface{}, msgAndArgs ...interface{}
 
 	same, ok := samePointers(expected, actual)
 	if !ok {
-		//fails when the arguments are not pointers
+		// fails when the arguments are not pointers
 		return !(Fail(t, "Both arguments must be pointers", msgAndArgs...))
 	}
 
 	if same {
 		return Fail(t, fmt.Sprintf(
-			"Expected and actual point to the same object: %p %#v",
-			expected, expected), msgAndArgs...)
+			"Expected and actual point to the same object: %p %#[1]v",
+			expected), msgAndArgs...)
 	}
 	return true
 }
@@ -549,7 +584,7 @@ func NotSame(t TestingT, expected, actual interface{}, msgAndArgs ...interface{}
 func samePointers(first, second interface{}) (same bool, ok bool) {
 	firstPtr, secondPtr := reflect.ValueOf(first), reflect.ValueOf(second)
 	if firstPtr.Kind() != reflect.Ptr || secondPtr.Kind() != reflect.Ptr {
-		return false, false //not both are pointers
+		return false, false // not both are pointers
 	}
 
 	firstType, secondType := reflect.TypeOf(first), reflect.TypeOf(second)
@@ -610,7 +645,6 @@ func EqualValues(t TestingT, expected, actual interface{}, msgAndArgs ...interfa
 	}
 
 	return true
-
 }
 
 // EqualExportedValues asserts that the types of two objects are equal and their public
@@ -665,7 +699,6 @@ func Exactly(t TestingT, expected, actual interface{}, msgAndArgs ...interface{}
 	}
 
 	return Equal(t, expected, actual, msgAndArgs...)
-
 }
 
 // NotNil asserts that the specified object is not nil.
@@ -715,37 +748,45 @@ func Nil(t TestingT, object interface{}, msgAndArgs ...interface{}) bool {
 
 // isEmpty gets whether the specified object is considered empty or not.
 func isEmpty(object interface{}) bool {
-
 	// get nil case out of the way
 	if object == nil {
 		return true
 	}
 
-	objValue := reflect.ValueOf(object)
+	return isEmptyValue(reflect.ValueOf(object))
+}
 
+// isEmptyValue gets whether the specified reflect.Value is considered empty or not.
+func isEmptyValue(objValue reflect.Value) bool {
+	if objValue.IsZero() {
+		return true
+	}
+	// Special cases of non-zero values that we consider empty
 	switch objValue.Kind() {
 	// collection types are empty when they have no element
+	// Note: array types are empty when they match their zero-initialized state.
 	case reflect.Chan, reflect.Map, reflect.Slice:
 		return objValue.Len() == 0
-	// pointers are empty if nil or if the value they point to is empty
+	// non-nil pointers are empty if the value they point to is empty
 	case reflect.Ptr:
-		if objValue.IsNil() {
-			return true
-		}
-		deref := objValue.Elem().Interface()
-		return isEmpty(deref)
-	// for all other types, compare against the zero value
-	// array types are empty when they match their zero-initialized state
-	default:
-		zero := reflect.Zero(objValue.Type())
-		return reflect.DeepEqual(object, zero.Interface())
+		return isEmptyValue(objValue.Elem())
 	}
+	return false
 }
 
-// Empty asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	assert.Empty(t, obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) bool {
 	pass := isEmpty(object)
 	if !pass {
@@ -756,11 +797,9 @@ func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) bool {
 	}
 
 	return pass
-
 }
 
-// NotEmpty asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmpty asserts that the specified object is NOT [Empty].
 //
 //	if assert.NotEmpty(t, obj) {
 //	  assert.Equal(t, "two", obj[1])
@@ -775,7 +814,6 @@ func NotEmpty(t TestingT, object interface{}, msgAndArgs ...interface{}) bool {
 	}
 
 	return pass
-
 }
 
 // getLen tries to get the length of an object.
@@ -819,7 +857,6 @@ func True(t TestingT, value bool, msgAndArgs ...interface{}) bool {
 	}
 
 	return true
-
 }
 
 // False asserts that the specified value is false.
@@ -834,7 +871,6 @@ func False(t TestingT, value bool, msgAndArgs ...interface{}) bool {
 	}
 
 	return true
-
 }
 
 // NotEqual asserts that the specified values are NOT equal.
@@ -857,7 +893,6 @@ func NotEqual(t TestingT, expected, actual interface{}, msgAndArgs ...interface{
 	}
 
 	return true
-
 }
 
 // NotEqualValues asserts that two objects are not equal even when converted to the same type
@@ -880,7 +915,6 @@ func NotEqualValues(t TestingT, expected, actual interface{}, msgAndArgs ...inte
 // return (true, false) if element was not found.
 // return (true, true) if element was found.
 func containsElement(list interface{}, element interface{}) (ok, found bool) {
-
 	listValue := reflect.ValueOf(list)
 	listType := reflect.TypeOf(list)
 	if listType == nil {
@@ -915,7 +949,6 @@ func containsElement(list interface{}, element interface{}) (ok, found bool) {
 		}
 	}
 	return true, false
-
 }
 
 // Contains asserts that the specified string, list(array, slice...) or map contains the
@@ -938,7 +971,6 @@ func Contains(t TestingT, s, contains interface{}, msgAndArgs ...interface{}) bo
 	}
 
 	return true
-
 }
 
 // NotContains asserts that the specified string, list(array, slice...) or map does NOT contain the
@@ -961,14 +993,17 @@ func NotContains(t TestingT, s, contains interface{}, msgAndArgs ...interface{})
 	}
 
 	return true
-
 }
 
-// Subset asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	assert.Subset(t, [1, 2, 3], [1, 2])
 //	assert.Subset(t, {"x": 1, "y": 2}, {"x": 1})
+//	assert.Subset(t, [1, 2, 3], {1: "one", 2: "two"})
+//	assert.Subset(t, {"x": 1, "y": 2}, ["x"])
 func Subset(t TestingT, list, subset interface{}, msgAndArgs ...interface{}) (ok bool) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -983,7 +1018,7 @@ func Subset(t TestingT, list, subset interface{}, msgAndArgs ...interface{}) (ok
 	}
 
 	subsetKind := reflect.TypeOf(subset).Kind()
-	if subsetKind != reflect.Array && subsetKind != reflect.Slice && listKind != reflect.Map {
+	if subsetKind != reflect.Array && subsetKind != reflect.Slice && subsetKind != reflect.Map {
 		return Fail(t, fmt.Sprintf("%q has an unsupported type %s", subset, subsetKind), msgAndArgs...)
 	}
 
@@ -1007,6 +1042,13 @@ func Subset(t TestingT, list, subset interface{}, msgAndArgs ...interface{}) (ok
 	}
 
 	subsetList := reflect.ValueOf(subset)
+	if subsetKind == reflect.Map {
+		keys := make([]interface{}, subsetList.Len())
+		for idx, key := range subsetList.MapKeys() {
+			keys[idx] = key.Interface()
+		}
+		subsetList = reflect.ValueOf(keys)
+	}
 	for i := 0; i < subsetList.Len(); i++ {
 		element := subsetList.Index(i).Interface()
 		ok, found := containsElement(list, element)
@@ -1021,12 +1063,15 @@ func Subset(t TestingT, list, subset interface{}, msgAndArgs ...interface{}) (ok
 	return true
 }
 
-// NotSubset asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	assert.NotSubset(t, [1, 3, 4], [1, 2])
 //	assert.NotSubset(t, {"x": 1, "y": 2}, {"z": 3})
+//	assert.NotSubset(t, [1, 3, 4], {1: "one", 2: "two"})
+//	assert.NotSubset(t, {"x": 1, "y": 2}, ["z"])
 func NotSubset(t TestingT, list, subset interface{}, msgAndArgs ...interface{}) (ok bool) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1041,7 +1086,7 @@ func NotSubset(t TestingT, list, subset interface{}, msgAndArgs ...interface{})
 	}
 
 	subsetKind := reflect.TypeOf(subset).Kind()
-	if subsetKind != reflect.Array && subsetKind != reflect.Slice && listKind != reflect.Map {
+	if subsetKind != reflect.Array && subsetKind != reflect.Slice && subsetKind != reflect.Map {
 		return Fail(t, fmt.Sprintf("%q has an unsupported type %s", subset, subsetKind), msgAndArgs...)
 	}
 
@@ -1065,11 +1110,18 @@ func NotSubset(t TestingT, list, subset interface{}, msgAndArgs ...interface{})
 	}
 
 	subsetList := reflect.ValueOf(subset)
+	if subsetKind == reflect.Map {
+		keys := make([]interface{}, subsetList.Len())
+		for idx, key := range subsetList.MapKeys() {
+			keys[idx] = key.Interface()
+		}
+		subsetList = reflect.ValueOf(keys)
+	}
 	for i := 0; i < subsetList.Len(); i++ {
 		element := subsetList.Index(i).Interface()
 		ok, found := containsElement(list, element)
 		if !ok {
-			return Fail(t, fmt.Sprintf("\"%s\" could not be applied builtin len()", list), msgAndArgs...)
+			return Fail(t, fmt.Sprintf("%q could not be applied builtin len()", list), msgAndArgs...)
 		}
 		if !found {
 			return true
@@ -1591,10 +1643,8 @@ func NoError(t TestingT, err error, msgAndArgs ...interface{}) bool {
 
 // Error asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if assert.Error(t, err) {
-//		   assert.Equal(t, expectedError, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	assert.Error(t, err)
 func Error(t TestingT, err error, msgAndArgs ...interface{}) bool {
 	if err == nil {
 		if h, ok := t.(tHelper); ok {
@@ -1667,7 +1717,6 @@ func matchRegexp(rx interface{}, str interface{}) bool {
 	default:
 		return r.MatchString(fmt.Sprint(v))
 	}
-
 }
 
 // Regexp asserts that a specified regexp matches a string.
@@ -1703,7 +1752,6 @@ func NotRegexp(t TestingT, rx interface{}, str interface{}, msgAndArgs ...interf
 	}
 
 	return !match
-
 }
 
 // Zero asserts that i is the zero value for its type.
@@ -1814,6 +1862,11 @@ func JSONEq(t TestingT, expected string, actual string, msgAndArgs ...interface{
 		return Fail(t, fmt.Sprintf("Expected value ('%s') is not valid json.\nJSON parsing error: '%s'", expected, err.Error()), msgAndArgs...)
 	}
 
+	// Shortcut if same bytes
+	if actual == expected {
+		return true
+	}
+
 	if err := json.Unmarshal([]byte(actual), &actualJSONAsInterface); err != nil {
 		return Fail(t, fmt.Sprintf("Input ('%s') needs to be valid json.\nJSON parsing error: '%s'", actual, err.Error()), msgAndArgs...)
 	}
@@ -1832,6 +1885,11 @@ func YAMLEq(t TestingT, expected string, actual string, msgAndArgs ...interface{
 		return Fail(t, fmt.Sprintf("Expected value ('%s') is not valid yaml.\nYAML parsing error: '%s'", expected, err.Error()), msgAndArgs...)
 	}
 
+	// Shortcut if same bytes
+	if actual == expected {
+		return true
+	}
+
 	if err := yaml.Unmarshal([]byte(actual), &actualYAMLAsInterface); err != nil {
 		return Fail(t, fmt.Sprintf("Input ('%s') needs to be valid yaml.\nYAML error: '%s'", actual, err.Error()), msgAndArgs...)
 	}
@@ -1933,6 +1991,7 @@ func Eventually(t TestingT, condition func() bool, waitFor time.Duration, tick t
 	}
 
 	ch := make(chan bool, 1)
+	checkCond := func() { ch <- condition() }
 
 	timer := time.NewTimer(waitFor)
 	defer timer.Stop()
@@ -1940,18 +1999,23 @@ func Eventually(t TestingT, condition func() bool, waitFor time.Duration, tick t
 	ticker := time.NewTicker(tick)
 	defer ticker.Stop()
 
-	for tick := ticker.C; ; {
+	var tickC <-chan time.Time
+
+	// Check the condition once first on the initial call.
+	go checkCond()
+
+	for {
 		select {
 		case <-timer.C:
 			return Fail(t, "Condition never satisfied", msgAndArgs...)
-		case <-tick:
-			tick = nil
-			go func() { ch <- condition() }()
+		case <-tickC:
+			tickC = nil
+			go checkCond()
 		case v := <-ch:
 			if v {
 				return true
 			}
-			tick = ticker.C
+			tickC = ticker.C
 		}
 	}
 }
@@ -1964,6 +2028,9 @@ type CollectT struct {
 	errors []error
 }
 
+// Helper is like [testing.T.Helper] but does nothing.
+func (CollectT) Helper() {}
+
 // Errorf collects the error.
 func (c *CollectT) Errorf(format string, args ...interface{}) {
 	c.errors = append(c.errors, fmt.Errorf(format, args...))
@@ -2021,35 +2088,42 @@ func EventuallyWithT(t TestingT, condition func(collect *CollectT), waitFor time
 	var lastFinishedTickErrs []error
 	ch := make(chan *CollectT, 1)
 
+	checkCond := func() {
+		collect := new(CollectT)
+		defer func() {
+			ch <- collect
+		}()
+		condition(collect)
+	}
+
 	timer := time.NewTimer(waitFor)
 	defer timer.Stop()
 
 	ticker := time.NewTicker(tick)
 	defer ticker.Stop()
 
-	for tick := ticker.C; ; {
+	var tickC <-chan time.Time
+
+	// Check the condition once first on the initial call.
+	go checkCond()
+
+	for {
 		select {
 		case <-timer.C:
 			for _, err := range lastFinishedTickErrs {
 				t.Errorf("%v", err)
 			}
 			return Fail(t, "Condition never satisfied", msgAndArgs...)
-		case <-tick:
-			tick = nil
-			go func() {
-				collect := new(CollectT)
-				defer func() {
-					ch <- collect
-				}()
-				condition(collect)
-			}()
+		case <-tickC:
+			tickC = nil
+			go checkCond()
 		case collect := <-ch:
 			if !collect.failed() {
 				return true
 			}
 			// Keep the errors from the last ended condition, so that they can be copied to t if timeout is reached.
 			lastFinishedTickErrs = collect.errors
-			tick = ticker.C
+			tickC = ticker.C
 		}
 	}
 }
@@ -2064,6 +2138,7 @@ func Never(t TestingT, condition func() bool, waitFor time.Duration, tick time.D
 	}
 
 	ch := make(chan bool, 1)
+	checkCond := func() { ch <- condition() }
 
 	timer := time.NewTimer(waitFor)
 	defer timer.Stop()
@@ -2071,18 +2146,23 @@ func Never(t TestingT, condition func() bool, waitFor time.Duration, tick time.D
 	ticker := time.NewTicker(tick)
 	defer ticker.Stop()
 
-	for tick := ticker.C; ; {
+	var tickC <-chan time.Time
+
+	// Check the condition once first on the initial call.
+	go checkCond()
+
+	for {
 		select {
 		case <-timer.C:
 			return true
-		case <-tick:
-			tick = nil
-			go func() { ch <- condition() }()
+		case <-tickC:
+			tickC = nil
+			go checkCond()
 		case v := <-ch:
 			if v {
 				return Fail(t, "Condition satisfied", msgAndArgs...)
 			}
-			tick = ticker.C
+			tickC = ticker.C
 		}
 	}
 }
@@ -2100,9 +2180,12 @@ func ErrorIs(t TestingT, err, target error, msgAndArgs ...interface{}) bool {
 	var expectedText string
 	if target != nil {
 		expectedText = target.Error()
+		if err == nil {
+			return Fail(t, fmt.Sprintf("Expected error with %q in chain but got nil.", expectedText), msgAndArgs...)
+		}
 	}
 
-	chain := buildErrorChainString(err)
+	chain := buildErrorChainString(err, false)
 
 	return Fail(t, fmt.Sprintf("Target error should be in err chain:\n"+
 		"expected: %q\n"+
@@ -2125,7 +2208,7 @@ func NotErrorIs(t TestingT, err, target error, msgAndArgs ...interface{}) bool {
 		expectedText = target.Error()
 	}
 
-	chain := buildErrorChainString(err)
+	chain := buildErrorChainString(err, false)
 
 	return Fail(t, fmt.Sprintf("Target error should not be in err chain:\n"+
 		"found: %q\n"+
@@ -2143,11 +2226,17 @@ func ErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interface{
 		return true
 	}
 
-	chain := buildErrorChainString(err)
+	expectedType := reflect.TypeOf(target).Elem().String()
+	if err == nil {
+		return Fail(t, fmt.Sprintf("An error is expected but got nil.\n"+
+			"expected: %s", expectedType), msgAndArgs...)
+	}
+
+	chain := buildErrorChainString(err, true)
 
 	return Fail(t, fmt.Sprintf("Should be in error chain:\n"+
-		"expected: %q\n"+
-		"in chain: %s", target, chain,
+		"expected: %s\n"+
+		"in chain: %s", expectedType, chain,
 	), msgAndArgs...)
 }
 
@@ -2161,24 +2250,46 @@ func NotErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interfa
 		return true
 	}
 
-	chain := buildErrorChainString(err)
+	chain := buildErrorChainString(err, true)
 
 	return Fail(t, fmt.Sprintf("Target error should not be in err chain:\n"+
-		"found: %q\n"+
-		"in chain: %s", target, chain,
+		"found: %s\n"+
+		"in chain: %s", reflect.TypeOf(target).Elem().String(), chain,
 	), msgAndArgs...)
 }
 
-func buildErrorChainString(err error) string {
+func unwrapAll(err error) (errs []error) {
+	errs = append(errs, err)
+	switch x := err.(type) {
+	case interface{ Unwrap() error }:
+		err = x.Unwrap()
+		if err == nil {
+			return
+		}
+		errs = append(errs, unwrapAll(err)...)
+	case interface{ Unwrap() []error }:
+		for _, err := range x.Unwrap() {
+			errs = append(errs, unwrapAll(err)...)
+		}
+	}
+	return
+}
+
+func buildErrorChainString(err error, withType bool) string {
 	if err == nil {
 		return ""
 	}
 
-	e := errors.Unwrap(err)
-	chain := fmt.Sprintf("%q", err.Error())
-	for e != nil {
-		chain += fmt.Sprintf("\n\t%q", e.Error())
-		e = errors.Unwrap(e)
+	var chain string
+	errs := unwrapAll(err)
+	for i := range errs {
+		if i != 0 {
+			chain += "\n\t"
+		}
+		chain += fmt.Sprintf("%q", errs[i].Error())
+		if withType {
+			chain += fmt.Sprintf(" (%T)", errs[i])
+		}
 	}
 	return chain
 }
diff --git a/vendor/github.com/stretchr/testify/assert/doc.go b/vendor/github.com/stretchr/testify/assert/doc.go
index 4953981d38780..a0b953aa5cf60 100644
--- a/vendor/github.com/stretchr/testify/assert/doc.go
+++ b/vendor/github.com/stretchr/testify/assert/doc.go
@@ -1,5 +1,9 @@
 // Package assert provides a set of comprehensive testing tools for use with the normal Go testing system.
 //
+// # Note
+//
+// All functions in this package return a bool value indicating whether the assertion has passed.
+//
 // # Example Usage
 //
 // The following is a complete example using assert in a standard test function:
diff --git a/vendor/github.com/stretchr/testify/assert/http_assertions.go b/vendor/github.com/stretchr/testify/assert/http_assertions.go
index 861ed4b7ced0b..5a6bb75f2cfad 100644
--- a/vendor/github.com/stretchr/testify/assert/http_assertions.go
+++ b/vendor/github.com/stretchr/testify/assert/http_assertions.go
@@ -138,7 +138,7 @@ func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method, url string,
 
 	contains := strings.Contains(body, fmt.Sprint(str))
 	if !contains {
-		Fail(t, fmt.Sprintf("Expected response body for \"%s\" to contain \"%s\" but found \"%s\"", url+"?"+values.Encode(), str, body), msgAndArgs...)
+		Fail(t, fmt.Sprintf("Expected response body for %q to contain %q but found %q", url+"?"+values.Encode(), str, body), msgAndArgs...)
 	}
 
 	return contains
@@ -158,7 +158,7 @@ func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method, url strin
 
 	contains := strings.Contains(body, fmt.Sprint(str))
 	if contains {
-		Fail(t, fmt.Sprintf("Expected response body for \"%s\" to NOT contain \"%s\" but found \"%s\"", url+"?"+values.Encode(), str, body), msgAndArgs...)
+		Fail(t, fmt.Sprintf("Expected response body for %q to NOT contain %q but found %q", url+"?"+values.Encode(), str, body), msgAndArgs...)
 	}
 
 	return !contains
diff --git a/vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go b/vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go
index baa0cc7d7fca7..5a74c4f4d5be0 100644
--- a/vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go
+++ b/vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go
@@ -1,5 +1,4 @@
 //go:build testify_yaml_custom && !testify_yaml_fail && !testify_yaml_default
-// +build testify_yaml_custom,!testify_yaml_fail,!testify_yaml_default
 
 // Package yaml is an implementation of YAML functions that calls a pluggable implementation.
 //
diff --git a/vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go b/vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go
index b83c6cf64c2a1..0bae80e34a302 100644
--- a/vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go
+++ b/vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go
@@ -1,5 +1,4 @@
 //go:build !testify_yaml_fail && !testify_yaml_custom
-// +build !testify_yaml_fail,!testify_yaml_custom
 
 // Package yaml is just an indirection to handle YAML deserialization.
 //
diff --git a/vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go b/vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go
index e78f7dfe69a16..8041803fd2f1f 100644
--- a/vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go
+++ b/vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go
@@ -1,5 +1,4 @@
 //go:build testify_yaml_fail && !testify_yaml_custom && !testify_yaml_default
-// +build testify_yaml_fail,!testify_yaml_custom,!testify_yaml_default
 
 // Package yaml is an implementation of YAML functions that always fail.
 //
diff --git a/vendor/github.com/stretchr/testify/mock/mock.go b/vendor/github.com/stretchr/testify/mock/mock.go
index eb5682df97891..efc89deff38a9 100644
--- a/vendor/github.com/stretchr/testify/mock/mock.go
+++ b/vendor/github.com/stretchr/testify/mock/mock.go
@@ -208,9 +208,16 @@ func (c *Call) On(methodName string, arguments ...interface{}) *Call {
 	return c.Parent.On(methodName, arguments...)
 }
 
-// Unset removes a mock handler from being called.
+// Unset removes all mock handlers that satisfy the call instance arguments from being
+// called. Only supported on call instances with static input arguments.
 //
-//	test.On("func", mock.Anything).Unset()
+// For example, the only handler remaining after the following would be "MyMethod(2, 2)":
+//
+//	Mock.
+//	   On("MyMethod", 2, 2).Return(0).
+//	   On("MyMethod", 3, 3).Return(0).
+//	   On("MyMethod", Anything, Anything).Return(0)
+//	Mock.On("MyMethod", 3, 3).Unset()
 func (c *Call) Unset() *Call {
 	var unlockOnce sync.Once
 
@@ -331,7 +338,10 @@ func (m *Mock) TestData() objx.Map {
 	Setting expectations
 */
 
-// Test sets the test struct variable of the mock object
+// Test sets the [TestingT] on which errors will be reported, otherwise errors
+// will cause a panic.
+// Test should not be called on an object that is going to be used in a
+// goroutine other than the one running the test function.
 func (m *Mock) Test(t TestingT) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -494,7 +504,7 @@ func (m *Mock) MethodCalled(methodName string, arguments ...interface{}) Argumen
 		// expected call found, but it has already been called with repeatable times
 		if call != nil {
 			m.mutex.Unlock()
-			m.fail("\nassert: mock: The method has been called over %d times.\n\tEither do one more Mock.On(\"%s\").Return(...), or remove extra call.\n\tThis call was unexpected:\n\t\t%s\n\tat: %s", call.totalCalls, methodName, callString(methodName, arguments, true), assert.CallerInfo())
+			m.fail("\nassert: mock: The method has been called over %d times.\n\tEither do one more Mock.On(%#v).Return(...), or remove extra call.\n\tThis call was unexpected:\n\t\t%s\n\tat: %s", call.totalCalls, methodName, callString(methodName, arguments, true), assert.CallerInfo())
 		}
 		// we have to fail here - because we don't know what to do
 		// as the return arguments.  This is because:
@@ -514,7 +524,7 @@ func (m *Mock) MethodCalled(methodName string, arguments ...interface{}) Argumen
 				assert.CallerInfo(),
 			)
 		} else {
-			m.fail("\nassert: mock: I don't know what to return because the method call was unexpected.\n\tEither do Mock.On(\"%s\").Return(...) first, or remove the %s() call.\n\tThis method was unexpected:\n\t\t%s\n\tat: %s", methodName, methodName, callString(methodName, arguments, true), assert.CallerInfo())
+			m.fail("\nassert: mock: I don't know what to return because the method call was unexpected.\n\tEither do Mock.On(%#v).Return(...) first, or remove the %s() call.\n\tThis method was unexpected:\n\t\t%s\n\tat: %s", methodName, methodName, callString(methodName, arguments, true), assert.CallerInfo())
 		}
 	}
 
@@ -661,7 +671,7 @@ func (m *Mock) AssertNumberOfCalls(t TestingT, methodName string, expectedCalls
 			actualCalls++
 		}
 	}
-	return assert.Equal(t, expectedCalls, actualCalls, fmt.Sprintf("Expected number of calls (%d) does not match the actual number of calls (%d).", expectedCalls, actualCalls))
+	return assert.Equal(t, expectedCalls, actualCalls, fmt.Sprintf("Expected number of calls (%d) of method %s does not match the actual number of calls (%d).", expectedCalls, methodName, actualCalls))
 }
 
 // AssertCalled asserts that the method was called.
diff --git a/vendor/github.com/stretchr/testify/require/doc.go b/vendor/github.com/stretchr/testify/require/doc.go
index 968434724559c..c8e3f94a8034a 100644
--- a/vendor/github.com/stretchr/testify/require/doc.go
+++ b/vendor/github.com/stretchr/testify/require/doc.go
@@ -23,6 +23,8 @@
 //
 // The `require` package have same global functions as in the `assert` package,
 // but instead of returning a boolean result they call `t.FailNow()`.
+// A consequence of this is that it must be called from the goroutine running
+// the test function, not from other goroutines created during the test.
 //
 // Every assertion function also takes an optional string message as the final argument,
 // allowing custom error messages to be appended to the message the assertion method outputs.
diff --git a/vendor/github.com/stretchr/testify/require/require.go b/vendor/github.com/stretchr/testify/require/require.go
index d8921950d7bef..2d02f9bcef1b7 100644
--- a/vendor/github.com/stretchr/testify/require/require.go
+++ b/vendor/github.com/stretchr/testify/require/require.go
@@ -117,10 +117,19 @@ func ElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string
 	t.FailNow()
 }
 
-// Empty asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	require.Empty(t, obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -131,10 +140,19 @@ func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) {
 	t.FailNow()
 }
 
-// Emptyf asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	require.Emptyf(t, obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func Emptyf(t TestingT, object interface{}, msg string, args ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -279,10 +297,8 @@ func Equalf(t TestingT, expected interface{}, actual interface{}, msg string, ar
 
 // Error asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if require.Error(t, err) {
-//		   require.Equal(t, expectedError, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	require.Error(t, err)
 func Error(t TestingT, err error, msgAndArgs ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -373,10 +389,8 @@ func ErrorIsf(t TestingT, err error, target error, msg string, args ...interface
 
 // Errorf asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if require.Errorf(t, err, "error message %s", "formatted") {
-//		   require.Equal(t, expectedErrorf, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	require.Errorf(t, err, "error message %s", "formatted")
 func Errorf(t TestingT, err error, msg string, args ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1097,7 +1111,35 @@ func IsNonIncreasingf(t TestingT, object interface{}, msg string, args ...interf
 	t.FailNow()
 }
 
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	require.IsNotType(t, &NotMyStruct{}, &MyStruct{})
+func IsNotType(t TestingT, theType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNotType(t, theType, object, msgAndArgs...) {
+		return
+	}
+	t.FailNow()
+}
+
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	require.IsNotTypef(t, &NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func IsNotTypef(t TestingT, theType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := t.(tHelper); ok {
+		h.Helper()
+	}
+	if assert.IsNotTypef(t, theType, object, msg, args...) {
+		return
+	}
+	t.FailNow()
+}
+
 // IsType asserts that the specified objects are of the same type.
+//
+//	require.IsType(t, &MyStruct{}, &MyStruct{})
 func IsType(t TestingT, expectedType interface{}, object interface{}, msgAndArgs ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1109,6 +1151,8 @@ func IsType(t TestingT, expectedType interface{}, object interface{}, msgAndArgs
 }
 
 // IsTypef asserts that the specified objects are of the same type.
+//
+//	require.IsTypef(t, &MyStruct{}, &MyStruct{}, "error message %s", "formatted")
 func IsTypef(t TestingT, expectedType interface{}, object interface{}, msg string, args ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1469,8 +1513,7 @@ func NotElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg str
 	t.FailNow()
 }
 
-// NotEmpty asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmpty asserts that the specified object is NOT [Empty].
 //
 //	if require.NotEmpty(t, obj) {
 //	  require.Equal(t, "two", obj[1])
@@ -1485,8 +1528,7 @@ func NotEmpty(t TestingT, object interface{}, msgAndArgs ...interface{}) {
 	t.FailNow()
 }
 
-// NotEmptyf asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmptyf asserts that the specified object is NOT [Empty].
 //
 //	if require.NotEmptyf(t, obj, "error message %s", "formatted") {
 //	  require.Equal(t, "two", obj[1])
@@ -1745,12 +1787,15 @@ func NotSamef(t TestingT, expected interface{}, actual interface{}, msg string,
 	t.FailNow()
 }
 
-// NotSubset asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	require.NotSubset(t, [1, 3, 4], [1, 2])
 //	require.NotSubset(t, {"x": 1, "y": 2}, {"z": 3})
+//	require.NotSubset(t, [1, 3, 4], {1: "one", 2: "two"})
+//	require.NotSubset(t, {"x": 1, "y": 2}, ["z"])
 func NotSubset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1761,12 +1806,15 @@ func NotSubset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...i
 	t.FailNow()
 }
 
-// NotSubsetf asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	require.NotSubsetf(t, [1, 3, 4], [1, 2], "error message %s", "formatted")
 //	require.NotSubsetf(t, {"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	require.NotSubsetf(t, [1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	require.NotSubsetf(t, {"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
 func NotSubsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1971,11 +2019,15 @@ func Samef(t TestingT, expected interface{}, actual interface{}, msg string, arg
 	t.FailNow()
 }
 
-// Subset asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	require.Subset(t, [1, 2, 3], [1, 2])
 //	require.Subset(t, {"x": 1, "y": 2}, {"x": 1})
+//	require.Subset(t, [1, 2, 3], {1: "one", 2: "two"})
+//	require.Subset(t, {"x": 1, "y": 2}, ["x"])
 func Subset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
@@ -1986,11 +2038,15 @@ func Subset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...inte
 	t.FailNow()
 }
 
-// Subsetf asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	require.Subsetf(t, [1, 2, 3], [1, 2], "error message %s", "formatted")
 //	require.Subsetf(t, {"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	require.Subsetf(t, [1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	require.Subsetf(t, {"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
 func Subsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) {
 	if h, ok := t.(tHelper); ok {
 		h.Helper()
diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go b/vendor/github.com/stretchr/testify/require/require_forward.go
index 1bd87304f4315..e6f7e944684e4 100644
--- a/vendor/github.com/stretchr/testify/require/require_forward.go
+++ b/vendor/github.com/stretchr/testify/require/require_forward.go
@@ -93,10 +93,19 @@ func (a *Assertions) ElementsMatchf(listA interface{}, listB interface{}, msg st
 	ElementsMatchf(a.t, listA, listB, msg, args...)
 }
 
-// Empty asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Empty asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	a.Empty(obj)
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -104,10 +113,19 @@ func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) {
 	Empty(a.t, object, msgAndArgs...)
 }
 
-// Emptyf asserts that the specified object is empty.  I.e. nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// Emptyf asserts that the given value is "empty".
+//
+// [Zero values] are "empty".
+//
+// Arrays are "empty" if every element is the zero value of the type (stricter than "empty").
+//
+// Slices, maps and channels with zero length are "empty".
+//
+// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty".
 //
 //	a.Emptyf(obj, "error message %s", "formatted")
+//
+// [Zero values]: https://go.dev/ref/spec#The_zero_value
 func (a *Assertions) Emptyf(object interface{}, msg string, args ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -225,10 +243,8 @@ func (a *Assertions) Equalf(expected interface{}, actual interface{}, msg string
 
 // Error asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if a.Error(err) {
-//		   assert.Equal(t, expectedError, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	a.Error(err)
 func (a *Assertions) Error(err error, msgAndArgs ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -298,10 +314,8 @@ func (a *Assertions) ErrorIsf(err error, target error, msg string, args ...inter
 
 // Errorf asserts that a function returned an error (i.e. not `nil`).
 //
-//	  actualObj, err := SomeFunction()
-//	  if a.Errorf(err, "error message %s", "formatted") {
-//		   assert.Equal(t, expectedErrorf, err)
-//	  }
+//	actualObj, err := SomeFunction()
+//	a.Errorf(err, "error message %s", "formatted")
 func (a *Assertions) Errorf(err error, msg string, args ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -869,7 +883,29 @@ func (a *Assertions) IsNonIncreasingf(object interface{}, msg string, args ...in
 	IsNonIncreasingf(a.t, object, msg, args...)
 }
 
+// IsNotType asserts that the specified objects are not of the same type.
+//
+//	a.IsNotType(&NotMyStruct{}, &MyStruct{})
+func (a *Assertions) IsNotType(theType interface{}, object interface{}, msgAndArgs ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNotType(a.t, theType, object, msgAndArgs...)
+}
+
+// IsNotTypef asserts that the specified objects are not of the same type.
+//
+//	a.IsNotTypef(&NotMyStruct{}, &MyStruct{}, "error message %s", "formatted")
+func (a *Assertions) IsNotTypef(theType interface{}, object interface{}, msg string, args ...interface{}) {
+	if h, ok := a.t.(tHelper); ok {
+		h.Helper()
+	}
+	IsNotTypef(a.t, theType, object, msg, args...)
+}
+
 // IsType asserts that the specified objects are of the same type.
+//
+//	a.IsType(&MyStruct{}, &MyStruct{})
 func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAndArgs ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -878,6 +914,8 @@ func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAnd
 }
 
 // IsTypef asserts that the specified objects are of the same type.
+//
+//	a.IsTypef(&MyStruct{}, &MyStruct{}, "error message %s", "formatted")
 func (a *Assertions) IsTypef(expectedType interface{}, object interface{}, msg string, args ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1163,8 +1201,7 @@ func (a *Assertions) NotElementsMatchf(listA interface{}, listB interface{}, msg
 	NotElementsMatchf(a.t, listA, listB, msg, args...)
 }
 
-// NotEmpty asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmpty asserts that the specified object is NOT [Empty].
 //
 //	if a.NotEmpty(obj) {
 //	  assert.Equal(t, "two", obj[1])
@@ -1176,8 +1213,7 @@ func (a *Assertions) NotEmpty(object interface{}, msgAndArgs ...interface{}) {
 	NotEmpty(a.t, object, msgAndArgs...)
 }
 
-// NotEmptyf asserts that the specified object is NOT empty.  I.e. not nil, "", false, 0 or either
-// a slice or a channel with len == 0.
+// NotEmptyf asserts that the specified object is NOT [Empty].
 //
 //	if a.NotEmptyf(obj, "error message %s", "formatted") {
 //	  assert.Equal(t, "two", obj[1])
@@ -1379,12 +1415,15 @@ func (a *Assertions) NotSamef(expected interface{}, actual interface{}, msg stri
 	NotSamef(a.t, expected, actual, msg, args...)
 }
 
-// NotSubset asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubset asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.NotSubset([1, 3, 4], [1, 2])
 //	a.NotSubset({"x": 1, "y": 2}, {"z": 3})
+//	a.NotSubset([1, 3, 4], {1: "one", 2: "two"})
+//	a.NotSubset({"x": 1, "y": 2}, ["z"])
 func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1392,12 +1431,15 @@ func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs
 	NotSubset(a.t, list, subset, msgAndArgs...)
 }
 
-// NotSubsetf asserts that the specified list(array, slice...) or map does NOT
-// contain all elements given in the specified subset list(array, slice...) or
-// map.
+// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all
+// elements given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.NotSubsetf([1, 3, 4], [1, 2], "error message %s", "formatted")
 //	a.NotSubsetf({"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted")
+//	a.NotSubsetf([1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.NotSubsetf({"x": 1, "y": 2}, ["z"], "error message %s", "formatted")
 func (a *Assertions) NotSubsetf(list interface{}, subset interface{}, msg string, args ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1557,11 +1599,15 @@ func (a *Assertions) Samef(expected interface{}, actual interface{}, msg string,
 	Samef(a.t, expected, actual, msg, args...)
 }
 
-// Subset asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subset asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.Subset([1, 2, 3], [1, 2])
 //	a.Subset({"x": 1, "y": 2}, {"x": 1})
+//	a.Subset([1, 2, 3], {1: "one", 2: "two"})
+//	a.Subset({"x": 1, "y": 2}, ["x"])
 func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
@@ -1569,11 +1615,15 @@ func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...
 	Subset(a.t, list, subset, msgAndArgs...)
 }
 
-// Subsetf asserts that the specified list(array, slice...) or map contains all
-// elements given in the specified subset list(array, slice...) or map.
+// Subsetf asserts that the list (array, slice, or map) contains all elements
+// given in the subset (array, slice, or map).
+// Map elements are key-value pairs unless compared with an array or slice where
+// only the map key is evaluated.
 //
 //	a.Subsetf([1, 2, 3], [1, 2], "error message %s", "formatted")
 //	a.Subsetf({"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted")
+//	a.Subsetf([1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted")
+//	a.Subsetf({"x": 1, "y": 2}, ["x"], "error message %s", "formatted")
 func (a *Assertions) Subsetf(list interface{}, subset interface{}, msg string, args ...interface{}) {
 	if h, ok := a.t.(tHelper); ok {
 		h.Helper()
diff --git a/vendor/go.etcd.io/bbolt/.go-version b/vendor/go.etcd.io/bbolt/.go-version
index b6773170a5f17..7bdcec52d093c 100644
--- a/vendor/go.etcd.io/bbolt/.go-version
+++ b/vendor/go.etcd.io/bbolt/.go-version
@@ -1 +1 @@
-1.23.10
+1.23.12
diff --git a/vendor/go.etcd.io/bbolt/tx.go b/vendor/go.etcd.io/bbolt/tx.go
index 7123ded8fec1f..1669fb16a2f1a 100644
--- a/vendor/go.etcd.io/bbolt/tx.go
+++ b/vendor/go.etcd.io/bbolt/tx.go
@@ -387,16 +387,43 @@ func (tx *Tx) Copy(w io.Writer) error {
 // WriteTo writes the entire database to a writer.
 // If err == nil then exactly tx.Size() bytes will be written into the writer.
 func (tx *Tx) WriteTo(w io.Writer) (n int64, err error) {
-	// Attempt to open reader with WriteFlag
-	f, err := tx.db.openFile(tx.db.path, os.O_RDONLY|tx.WriteFlag, 0)
-	if err != nil {
-		return 0, err
-	}
-	defer func() {
-		if cerr := f.Close(); err == nil {
-			err = cerr
+	var f *os.File
+	// There is a risk that between the time a read-only transaction
+	// is created and the time the file is actually opened, the
+	// underlying db file at tx.db.path may have been replaced
+	// (e.g. via rename). In that case, opening the file again would
+	// unexpectedly point to a different file, rather than the one
+	// the transaction was based on.
+	//
+	// To overcome this, we reuse the already opened file handle when
+	// WritFlag not set. When the WriteFlag is set, we reopen the file
+	// but verify that it still refers to the same underlying file
+	// (by device and inode). If it does not, we fall back to
+	// reusing the existing already opened file handle.
+	if tx.WriteFlag != 0 {
+		// Attempt to open reader with WriteFlag
+		f, err = tx.db.openFile(tx.db.path, os.O_RDONLY|tx.WriteFlag, 0)
+		if err != nil {
+			return 0, err
 		}
-	}()
+
+		if ok, err := sameFile(tx.db.file, f); !ok {
+			lg := tx.db.Logger()
+			if cerr := f.Close(); cerr != nil {
+				lg.Errorf("failed to close the file (%s): %v", tx.db.path, cerr)
+			}
+			lg.Warningf("The underlying file has changed, so reuse the already opened file (%s): %v", tx.db.path, err)
+			f = tx.db.file
+		} else {
+			defer func() {
+				if cerr := f.Close(); err == nil {
+					err = cerr
+				}
+			}()
+		}
+	} else {
+		f = tx.db.file
+	}
 
 	// Generate a meta page. We use the same page data for both meta pages.
 	buf := make([]byte, tx.db.pageSize)
@@ -423,13 +450,13 @@ func (tx *Tx) WriteTo(w io.Writer) (n int64, err error) {
 		return n, fmt.Errorf("meta 1 copy: %s", err)
 	}
 
-	// Move past the meta pages in the file.
-	if _, err := f.Seek(int64(tx.db.pageSize*2), io.SeekStart); err != nil {
-		return n, fmt.Errorf("seek: %s", err)
-	}
+	// Copy data pages using a SectionReader to avoid affecting f's offset.
+	dataOffset := int64(tx.db.pageSize * 2)
+	dataSize := tx.Size() - dataOffset
+	sr := io.NewSectionReader(f, dataOffset, dataSize)
 
 	// Copy data pages.
-	wn, err := io.CopyN(w, f, tx.Size()-int64(tx.db.pageSize*2))
+	wn, err := io.CopyN(w, sr, dataSize)
 	n += wn
 	if err != nil {
 		return n, err
@@ -438,6 +465,19 @@ func (tx *Tx) WriteTo(w io.Writer) (n int64, err error) {
 	return n, nil
 }
 
+func sameFile(f1, f2 *os.File) (bool, error) {
+	fi1, err := f1.Stat()
+	if err != nil {
+		return false, fmt.Errorf("failed to get fileInfo of the first file (%s): %w", f1.Name(), err)
+	}
+	fi2, err := f2.Stat()
+	if err != nil {
+		return false, fmt.Errorf("failed to get fileInfo of the second file (%s): %w", f2.Name(), err)
+	}
+
+	return os.SameFile(fi1, fi2), nil
+}
+
 // CopyFile copies the entire database to file at the given path.
 // A reader transaction is maintained during the copy so it is safe to continue
 // using the database while a copy is in progress.
diff --git a/vendor/go.etcd.io/etcd/api/v3/version/version.go b/vendor/go.etcd.io/etcd/api/v3/version/version.go
index d77e31a972c8d..9e7bc64c17eaa 100644
--- a/vendor/go.etcd.io/etcd/api/v3/version/version.go
+++ b/vendor/go.etcd.io/etcd/api/v3/version/version.go
@@ -26,7 +26,7 @@ import (
 var (
 	// MinClusterVersion is the min cluster version this etcd binary is compatible with.
 	MinClusterVersion = "3.0.0"
-	Version           = "3.6.4"
+	Version           = "3.6.5"
 	APIVersion        = "unknown"
 
 	// Git SHA Value will be set during build
diff --git a/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go b/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
index 2b9301a5808d4..7703e673b0612 100644
--- a/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
+++ b/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
@@ -351,11 +351,11 @@ func isContextError(err error) bool {
 func contextErrToGRPCErr(err error) error {
 	switch {
 	case errors.Is(err, context.DeadlineExceeded):
-		return status.Errorf(codes.DeadlineExceeded, err.Error())
+		return status.Error(codes.DeadlineExceeded, err.Error())
 	case errors.Is(err, context.Canceled):
-		return status.Errorf(codes.Canceled, err.Error())
+		return status.Error(codes.Canceled, err.Error())
 	default:
-		return status.Errorf(codes.Unknown, err.Error())
+		return status.Error(codes.Unknown, err.Error())
 	}
 }
 
diff --git a/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go b/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go
index e13095b83602b..ec7de4467e466 100644
--- a/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go
+++ b/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go
@@ -46,6 +46,10 @@ type BackendGetter interface {
 	Backend() backend.Backend
 }
 
+type Defrager interface {
+	Defragment() error
+}
+
 type Alarmer interface {
 	// Alarms is implemented in Server interface located in etcdserver/server.go
 	// It returns a list of alarms present in the AlarmStore
@@ -74,6 +78,7 @@ type maintenanceServer struct {
 	rg     apply.RaftStatusGetter
 	hasher mvcc.HashStorage
 	bg     BackendGetter
+	defrag Defrager
 	a      Alarmer
 	lt     LeaderTransferrer
 	hdr    header
@@ -91,6 +96,7 @@ func NewMaintenanceServer(s *etcdserver.EtcdServer, healthNotifier notifier) pb.
 		rg:             s,
 		hasher:         s.KV().HashStorage(),
 		bg:             s,
+		defrag:         s,
 		a:              s,
 		lt:             s,
 		hdr:            newHeader(s),
@@ -110,7 +116,7 @@ func (ms *maintenanceServer) Defragment(ctx context.Context, sr *pb.DefragmentRe
 	ms.lg.Info("starting defragment")
 	ms.healthNotifier.defragStarted()
 	defer ms.healthNotifier.defragFinished()
-	err := ms.bg.Backend().Defrag()
+	err := ms.defrag.Defragment()
 	if err != nil {
 		ms.lg.Warn("failed to defragment", zap.Error(err))
 		return nil, togRPCError(err)
diff --git a/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go b/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
index 9bfbee6b3c57f..0eb16b7d3c2c0 100644
--- a/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
+++ b/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
@@ -974,6 +974,12 @@ func (s *EtcdServer) Cleanup() {
 	}
 }
 
+func (s *EtcdServer) Defragment() error {
+	s.bemu.Lock()
+	defer s.bemu.Unlock()
+	return s.be.Defrag()
+}
+
 func (s *EtcdServer) applyAll(ep *etcdProgress, apply *toApply) {
 	s.applySnapshot(ep, apply)
 	s.applyEntries(ep, apply)
@@ -1035,11 +1041,21 @@ func (s *EtcdServer) applySnapshot(ep *etcdProgress, toApply *toApply) {
 	// wait for raftNode to persist snapshot onto the disk
 	<-toApply.notifyc
 
+	bemuUnlocked := false
+	s.bemu.Lock()
+	defer func() {
+		if !bemuUnlocked {
+			s.bemu.Unlock()
+		}
+	}()
+
 	// gofail: var applyBeforeOpenSnapshot struct{}
 	newbe, err := serverstorage.OpenSnapshotBackend(s.Cfg, s.snapshotter, toApply.snapshot, s.beHooks)
 	if err != nil {
 		lg.Panic("failed to open snapshot backend", zap.Error(err))
 	}
+	lg.Info("applySnapshot: opened snapshot backend")
+	// gofail: var applyAfterOpenSnapshot struct{}
 
 	// We need to set the backend to consistIndex before recovering the lessor,
 	// because lessor.Recover will commit the boltDB transaction, accordingly it
@@ -1069,11 +1085,14 @@ func (s *EtcdServer) applySnapshot(ep *etcdProgress, toApply *toApply) {
 
 	lg.Info("restored mvcc store", zap.Uint64("consistent-index", s.consistIndex.ConsistentIndex()))
 
+	oldbe := s.be
+	s.be = newbe
+	s.bemu.Unlock()
+	bemuUnlocked = true
+
 	// Closing old backend might block until all the txns
 	// on the backend are finished.
 	// We do not want to wait on closing the old backend.
-	s.bemu.Lock()
-	oldbe := s.be
 	go func() {
 		lg.Info("closing old backend file")
 		defer func() {
@@ -1084,9 +1103,6 @@ func (s *EtcdServer) applySnapshot(ep *etcdProgress, toApply *toApply) {
 		}
 	}()
 
-	s.be = newbe
-	s.bemu.Unlock()
-
 	lg.Info("restoring alarm store")
 
 	if err := s.restoreAlarms(); err != nil {
diff --git a/vendor/go.etcd.io/etcd/server/v3/lease/lessor.go b/vendor/go.etcd.io/etcd/server/v3/lease/lessor.go
index cf2028933d582..b13974c9c9775 100644
--- a/vendor/go.etcd.io/etcd/server/v3/lease/lessor.go
+++ b/vendor/go.etcd.io/etcd/server/v3/lease/lessor.go
@@ -428,6 +428,8 @@ func (le *lessor) Renew(id LeaseID) (int64, error) {
 		}
 	}
 
+	// gofail: var beforeCheckpointInLeaseRenew struct{}
+
 	// Clear remaining TTL when we renew if it is set
 	// By applying a RAFT entry only when the remainingTTL is already set, we limit the number
 	// of RAFT entries written per lease to a max of 2 per checkpoint interval.
@@ -438,6 +440,12 @@ func (le *lessor) Renew(id LeaseID) (int64, error) {
 	}
 
 	le.mu.Lock()
+	// Re-check in case the lease was revoked immediately after the previous check
+	l = le.leaseMap[id]
+	if l == nil {
+		le.mu.Unlock()
+		return -1, ErrLeaseNotFound
+	}
 	l.refresh(0)
 	item := &LeaseWithTime{id: l.ID, time: l.expiry}
 	le.leaseExpiredNotifier.RegisterOrUpdate(item)
diff --git a/vendor/go.etcd.io/etcd/server/v3/storage/schema/schema.go b/vendor/go.etcd.io/etcd/server/v3/storage/schema/schema.go
index c0f5feb5319f6..2150c9ef2da82 100644
--- a/vendor/go.etcd.io/etcd/server/v3/storage/schema/schema.go
+++ b/vendor/go.etcd.io/etcd/server/v3/storage/schema/schema.go
@@ -95,15 +95,11 @@ func UnsafeDetectSchemaVersion(lg *zap.Logger, tx backend.UnsafeReader) (v semve
 		return *vp, nil
 	}
 
-	// TODO: remove the operations of reading the fields `confState`
-	// and `term` in 3.7. We only need to be back-compatible
-	// with 3.6 when we are running 3.7, and the `storageVersion`
-	// already exists in all versions >= 3.6, so we don't need to
-	// use any other fields to identify the etcd's storage version.
-	confstate := UnsafeConfStateFromBackend(lg, tx)
-	if confstate == nil {
-		return v, fmt.Errorf("missing confstate information")
-	}
+	// TODO: remove the operations of reading the field `term`
+	// in 3.7. We only need to be back-compatible with 3.6 when
+	// we are running 3.7, and the `storageVersion` already exists
+	// in all versions >= 3.6, so we don't need to use any other
+	// fields to identify the etcd's storage version.
 	_, term := UnsafeReadConsistentIndex(tx)
 	if term == 0 {
 		return v, fmt.Errorf("missing term information")
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
index a01bfafbe0773..6bd50d4c9b468 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/config.go
@@ -176,6 +176,10 @@ func WithMessageEvents(events ...event) Option {
 
 // WithSpanNameFormatter takes a function that will be called on every
 // request and the returned string will become the Span Name.
+//
+// When using [http.ServeMux] (or any middleware that sets the Pattern of [http.Request]),
+// the span name formatter will run twice. Once when the span is created, and
+// second time after the middleware, so the pattern can be used.
 func WithSpanNameFormatter(f func(operation string, r *http.Request) string) Option {
 	return optionFunc(func(c *config) {
 		c.SpanNameFormatter = f
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
index e555a475f13d9..937f9b4e73745 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/handler.go
@@ -12,6 +12,7 @@ import (
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
 	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/trace"
 )
@@ -21,15 +22,16 @@ type middleware struct {
 	operation string
 	server    string
 
-	tracer            trace.Tracer
-	propagators       propagation.TextMapPropagator
-	spanStartOptions  []trace.SpanStartOption
-	readEvent         bool
-	writeEvent        bool
-	filters           []Filter
-	spanNameFormatter func(string, *http.Request) string
-	publicEndpoint    bool
-	publicEndpointFn  func(*http.Request) bool
+	tracer             trace.Tracer
+	propagators        propagation.TextMapPropagator
+	spanStartOptions   []trace.SpanStartOption
+	readEvent          bool
+	writeEvent         bool
+	filters            []Filter
+	spanNameFormatter  func(string, *http.Request) string
+	publicEndpoint     bool
+	publicEndpointFn   func(*http.Request) bool
+	metricAttributesFn func(*http.Request) []attribute.KeyValue
 
 	semconv semconv.HTTPServer
 }
@@ -79,6 +81,7 @@ func (h *middleware) configure(c *config) {
 	h.publicEndpointFn = c.PublicEndpointFn
 	h.server = c.ServerName
 	h.semconv = semconv.NewHTTPServer(c.Meter)
+	h.metricAttributesFn = c.MetricAttributesFn
 }
 
 // serveHTTP sets up tracing and calls the given next http.Handler with the span
@@ -95,7 +98,7 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 
 	ctx := h.propagators.Extract(r.Context(), propagation.HeaderCarrier(r.Header))
 	opts := []trace.SpanStartOption{
-		trace.WithAttributes(h.semconv.RequestTraceAttrs(h.server, r)...),
+		trace.WithAttributes(h.semconv.RequestTraceAttrs(h.server, r, semconv.RequestTraceAttrsOpts{})...),
 	}
 
 	opts = append(opts, h.spanStartOptions...)
@@ -173,7 +176,12 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 		ctx = ContextWithLabeler(ctx, labeler)
 	}
 
-	next.ServeHTTP(w, r.WithContext(ctx))
+	r = r.WithContext(ctx)
+	next.ServeHTTP(w, r)
+
+	if r.Pattern != "" {
+		span.SetName(h.spanNameFormatter(h.operation, r))
+	}
 
 	statusCode := rww.StatusCode()
 	bytesWritten := rww.BytesWritten()
@@ -189,14 +197,16 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 	// Use floating point division here for higher precision (instead of Millisecond method).
 	elapsedTime := float64(time.Since(requestStartTime)) / float64(time.Millisecond)
 
+	metricAttributes := semconv.MetricAttributes{
+		Req:                  r,
+		StatusCode:           statusCode,
+		AdditionalAttributes: append(labeler.Get(), h.metricAttributesFromRequest(r)...),
+	}
+
 	h.semconv.RecordMetrics(ctx, semconv.ServerMetricData{
-		ServerName:   h.server,
-		ResponseSize: bytesWritten,
-		MetricAttributes: semconv.MetricAttributes{
-			Req:                  r,
-			StatusCode:           statusCode,
-			AdditionalAttributes: labeler.Get(),
-		},
+		ServerName:       h.server,
+		ResponseSize:     bytesWritten,
+		MetricAttributes: metricAttributes,
 		MetricData: semconv.MetricData{
 			RequestSize: bw.BytesRead(),
 			ElapsedTime: elapsedTime,
@@ -204,6 +214,14 @@ func (h *middleware) serveHTTP(w http.ResponseWriter, r *http.Request, next http
 	})
 }
 
+func (h *middleware) metricAttributesFromRequest(r *http.Request) []attribute.KeyValue {
+	var attributeForRequest []attribute.KeyValue
+	if h.metricAttributesFn != nil {
+		attributeForRequest = h.metricAttributesFn(r)
+	}
+	return attributeForRequest
+}
+
 // WithRouteTag annotates spans and metrics with the provided route name
 // with HTTP route attribute.
 func WithRouteTag(route string, h http.Handler) http.Handler {
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
index a945f55661658..d032aa841b38b 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/body_wrapper.go
@@ -1,6 +1,11 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/request/body_wrapper.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package request provides types and functionality to handle HTTP request
+// handling.
 package request // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request"
 
 import (
@@ -53,7 +58,7 @@ func (w *BodyWrapper) updateReadData(n int64, err error) {
 	}
 }
 
-// Closes closes the io.ReadCloser.
+// Close closes the io.ReadCloser.
 func (w *BodyWrapper) Close() error {
 	return w.ReadCloser.Close()
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/gen.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/gen.go
new file mode 100644
index 0000000000000..9e00dd2fcefe4
--- /dev/null
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/gen.go
@@ -0,0 +1,10 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package request // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request"
+
+// Generate request package:
+//go:generate gotmpl --body=../../../../../../internal/shared/request/body_wrapper.go.tmpl "--data={}" --out=body_wrapper.go
+//go:generate gotmpl --body=../../../../../../internal/shared/request/body_wrapper_test.go.tmpl "--data={}" --out=body_wrapper_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/request/resp_writer_wrapper.go.tmpl "--data={}" --out=resp_writer_wrapper.go
+//go:generate gotmpl --body=../../../../../../internal/shared/request/resp_writer_wrapper_test.go.tmpl "--data={}" --out=resp_writer_wrapper_test.go
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
index fbc344cbdda36..ca2e4c14c7156 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request/resp_writer_wrapper.go
@@ -1,3 +1,6 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/request/resp_writer_wrapper.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
@@ -102,7 +105,7 @@ func (w *RespWriterWrapper) BytesWritten() int64 {
 	return w.written
 }
 
-// BytesWritten returns the HTTP status code that was sent.
+// StatusCode returns the HTTP status code that was sent.
 func (w *RespWriterWrapper) StatusCode() int {
 	w.mu.RLock()
 	defer w.mu.RUnlock()
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
index 3b036f8a37b24..7cb9693d98446 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/env.go
@@ -1,3 +1,6 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/semconv/env.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
@@ -16,6 +19,10 @@ import (
 	"go.opentelemetry.io/otel/metric"
 )
 
+// OTelSemConvStabilityOptIn is an environment variable.
+// That can be set to "http/dup" to keep getting the old HTTP semantic conventions.
+const OTelSemConvStabilityOptIn = "OTEL_SEMCONV_STABILITY_OPT_IN"
+
 type ResponseTelemetry struct {
 	StatusCode int
 	ReadBytes  int64
@@ -31,6 +38,11 @@ type HTTPServer struct {
 	requestBytesCounter  metric.Int64Counter
 	responseBytesCounter metric.Int64Counter
 	serverLatencyMeasure metric.Float64Histogram
+
+	// New metrics
+	requestBodySizeHistogram  metric.Int64Histogram
+	responseBodySizeHistogram metric.Int64Histogram
+	requestDurationHistogram  metric.Float64Histogram
 }
 
 // RequestTraceAttrs returns trace attributes for an HTTP request received by a
@@ -49,26 +61,40 @@ type HTTPServer struct {
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (s HTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
+func (s HTTPServer) RequestTraceAttrs(server string, req *http.Request, opts RequestTraceAttrsOpts) []attribute.KeyValue {
+	attrs := CurrentHTTPServer{}.RequestTraceAttrs(server, req, opts)
+	if s.duplicate {
+		return OldHTTPServer{}.RequestTraceAttrs(server, req, attrs)
+	}
+	return attrs
+}
+
+func (s HTTPServer) NetworkTransportAttr(network string) []attribute.KeyValue {
 	if s.duplicate {
-		return append(OldHTTPServer{}.RequestTraceAttrs(server, req), CurrentHTTPServer{}.RequestTraceAttrs(server, req)...)
+		return []attribute.KeyValue{
+			OldHTTPServer{}.NetworkTransportAttr(network),
+			CurrentHTTPServer{}.NetworkTransportAttr(network),
+		}
+	}
+	return []attribute.KeyValue{
+		CurrentHTTPServer{}.NetworkTransportAttr(network),
 	}
-	return OldHTTPServer{}.RequestTraceAttrs(server, req)
 }
 
 // ResponseTraceAttrs returns trace attributes for telemetry from an HTTP response.
 //
 // If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
 func (s HTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
+	attrs := CurrentHTTPServer{}.ResponseTraceAttrs(resp)
 	if s.duplicate {
-		return append(OldHTTPServer{}.ResponseTraceAttrs(resp), CurrentHTTPServer{}.ResponseTraceAttrs(resp)...)
+		return OldHTTPServer{}.ResponseTraceAttrs(resp, attrs)
 	}
-	return OldHTTPServer{}.ResponseTraceAttrs(resp)
+	return attrs
 }
 
 // Route returns the attribute for the route.
 func (s HTTPServer) Route(route string) attribute.KeyValue {
-	return OldHTTPServer{}.Route(route)
+	return CurrentHTTPServer{}.Route(route)
 }
 
 // Status returns a span status code and message for an HTTP status code
@@ -100,41 +126,72 @@ type MetricAttributes struct {
 
 type MetricData struct {
 	RequestSize int64
+
+	// The request duration, in milliseconds
 	ElapsedTime float64
 }
 
-var metricAddOptionPool = &sync.Pool{
-	New: func() interface{} {
-		return &[]metric.AddOption{}
-	},
-}
+var (
+	metricAddOptionPool = &sync.Pool{
+		New: func() interface{} {
+			return &[]metric.AddOption{}
+		},
+	}
+
+	metricRecordOptionPool = &sync.Pool{
+		New: func() interface{} {
+			return &[]metric.RecordOption{}
+		},
+	}
+)
 
 func (s HTTPServer) RecordMetrics(ctx context.Context, md ServerMetricData) {
-	if s.requestBytesCounter == nil || s.responseBytesCounter == nil || s.serverLatencyMeasure == nil {
-		// This will happen if an HTTPServer{} is used instead of NewHTTPServer.
-		return
+	if s.requestDurationHistogram != nil && s.requestBodySizeHistogram != nil && s.responseBodySizeHistogram != nil {
+		attributes := CurrentHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
+		o := metric.WithAttributeSet(attribute.NewSet(attributes...))
+		recordOpts := metricRecordOptionPool.Get().(*[]metric.RecordOption)
+		*recordOpts = append(*recordOpts, o)
+		s.requestBodySizeHistogram.Record(ctx, md.RequestSize, *recordOpts...)
+		s.responseBodySizeHistogram.Record(ctx, md.ResponseSize, *recordOpts...)
+		s.requestDurationHistogram.Record(ctx, md.ElapsedTime/1000.0, o)
+		*recordOpts = (*recordOpts)[:0]
+		metricRecordOptionPool.Put(recordOpts)
 	}
 
-	attributes := OldHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
-	o := metric.WithAttributeSet(attribute.NewSet(attributes...))
-	addOpts := metricAddOptionPool.Get().(*[]metric.AddOption)
-	*addOpts = append(*addOpts, o)
-	s.requestBytesCounter.Add(ctx, md.RequestSize, *addOpts...)
-	s.responseBytesCounter.Add(ctx, md.ResponseSize, *addOpts...)
-	s.serverLatencyMeasure.Record(ctx, md.ElapsedTime, o)
-	*addOpts = (*addOpts)[:0]
-	metricAddOptionPool.Put(addOpts)
+	if s.duplicate && s.requestBytesCounter != nil && s.responseBytesCounter != nil && s.serverLatencyMeasure != nil {
+		attributes := OldHTTPServer{}.MetricAttributes(md.ServerName, md.Req, md.StatusCode, md.AdditionalAttributes)
+		o := metric.WithAttributeSet(attribute.NewSet(attributes...))
+		addOpts := metricAddOptionPool.Get().(*[]metric.AddOption)
+		*addOpts = append(*addOpts, o)
+		s.requestBytesCounter.Add(ctx, md.RequestSize, *addOpts...)
+		s.responseBytesCounter.Add(ctx, md.ResponseSize, *addOpts...)
+		s.serverLatencyMeasure.Record(ctx, md.ElapsedTime, o)
+		*addOpts = (*addOpts)[:0]
+		metricAddOptionPool.Put(addOpts)
+	}
+}
 
-	// TODO: Duplicate Metrics
+// hasOptIn returns true if the comma-separated version string contains the
+// exact optIn value.
+func hasOptIn(version, optIn string) bool {
+	for _, v := range strings.Split(version, ",") {
+		if strings.TrimSpace(v) == optIn {
+			return true
+		}
+	}
+	return false
 }
 
 func NewHTTPServer(meter metric.Meter) HTTPServer {
-	env := strings.ToLower(os.Getenv("OTEL_SEMCONV_STABILITY_OPT_IN"))
-	duplicate := env == "http/dup"
+	env := strings.ToLower(os.Getenv(OTelSemConvStabilityOptIn))
+	duplicate := hasOptIn(env, "http/dup")
 	server := HTTPServer{
 		duplicate: duplicate,
 	}
-	server.requestBytesCounter, server.responseBytesCounter, server.serverLatencyMeasure = OldHTTPServer{}.createMeasures(meter)
+	server.requestBodySizeHistogram, server.responseBodySizeHistogram, server.requestDurationHistogram = CurrentHTTPServer{}.createMeasures(meter)
+	if duplicate {
+		server.requestBytesCounter, server.responseBytesCounter, server.serverLatencyMeasure = OldHTTPServer{}.createMeasures(meter)
+	}
 	return server
 }
 
@@ -145,32 +202,42 @@ type HTTPClient struct {
 	requestBytesCounter  metric.Int64Counter
 	responseBytesCounter metric.Int64Counter
 	latencyMeasure       metric.Float64Histogram
+
+	// new metrics
+	requestBodySize metric.Int64Histogram
+	requestDuration metric.Float64Histogram
 }
 
 func NewHTTPClient(meter metric.Meter) HTTPClient {
-	env := strings.ToLower(os.Getenv("OTEL_SEMCONV_STABILITY_OPT_IN"))
+	env := strings.ToLower(os.Getenv(OTelSemConvStabilityOptIn))
+	duplicate := hasOptIn(env, "http/dup")
 	client := HTTPClient{
-		duplicate: env == "http/dup",
+		duplicate: duplicate,
+	}
+	client.requestBodySize, client.requestDuration = CurrentHTTPClient{}.createMeasures(meter)
+	if duplicate {
+		client.requestBytesCounter, client.responseBytesCounter, client.latencyMeasure = OldHTTPClient{}.createMeasures(meter)
 	}
-	client.requestBytesCounter, client.responseBytesCounter, client.latencyMeasure = OldHTTPClient{}.createMeasures(meter)
+
 	return client
 }
 
 // RequestTraceAttrs returns attributes for an HTTP request made by a client.
 func (c HTTPClient) RequestTraceAttrs(req *http.Request) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.RequestTraceAttrs(req)
 	if c.duplicate {
-		return append(OldHTTPClient{}.RequestTraceAttrs(req), CurrentHTTPClient{}.RequestTraceAttrs(req)...)
+		return OldHTTPClient{}.RequestTraceAttrs(req, attrs)
 	}
-	return OldHTTPClient{}.RequestTraceAttrs(req)
+	return attrs
 }
 
 // ResponseTraceAttrs returns metric attributes for an HTTP request made by a client.
 func (c HTTPClient) ResponseTraceAttrs(resp *http.Response) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.ResponseTraceAttrs(resp)
 	if c.duplicate {
-		return append(OldHTTPClient{}.ResponseTraceAttrs(resp), CurrentHTTPClient{}.ResponseTraceAttrs(resp)...)
+		return OldHTTPClient{}.ResponseTraceAttrs(resp, attrs)
 	}
-
-	return OldHTTPClient{}.ResponseTraceAttrs(resp)
+	return attrs
 }
 
 func (c HTTPClient) Status(code int) (codes.Code, string) {
@@ -184,11 +251,7 @@ func (c HTTPClient) Status(code int) (codes.Code, string) {
 }
 
 func (c HTTPClient) ErrorType(err error) attribute.KeyValue {
-	if c.duplicate {
-		return CurrentHTTPClient{}.ErrorType(err)
-	}
-
-	return attribute.KeyValue{}
+	return CurrentHTTPClient{}.ErrorType(err)
 }
 
 type MetricOpts struct {
@@ -204,34 +267,57 @@ func (o MetricOpts) AddOptions() metric.AddOption {
 	return o.addOptions
 }
 
-func (c HTTPClient) MetricOptions(ma MetricAttributes) MetricOpts {
-	attributes := OldHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
-	// TODO: Duplicate Metrics
+func (c HTTPClient) MetricOptions(ma MetricAttributes) map[string]MetricOpts {
+	opts := map[string]MetricOpts{}
+
+	attributes := CurrentHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
 	set := metric.WithAttributeSet(attribute.NewSet(attributes...))
-	return MetricOpts{
+	opts["new"] = MetricOpts{
 		measurement: set,
 		addOptions:  set,
 	}
+
+	if c.duplicate {
+		attributes := OldHTTPClient{}.MetricAttributes(ma.Req, ma.StatusCode, ma.AdditionalAttributes)
+		set := metric.WithAttributeSet(attribute.NewSet(attributes...))
+		opts["old"] = MetricOpts{
+			measurement: set,
+			addOptions:  set,
+		}
+	}
+
+	return opts
 }
 
-func (s HTTPClient) RecordMetrics(ctx context.Context, md MetricData, opts MetricOpts) {
-	if s.requestBytesCounter == nil || s.latencyMeasure == nil {
+func (s HTTPClient) RecordMetrics(ctx context.Context, md MetricData, opts map[string]MetricOpts) {
+	if s.requestBodySize == nil || s.requestDuration == nil {
 		// This will happen if an HTTPClient{} is used instead of NewHTTPClient().
 		return
 	}
 
-	s.requestBytesCounter.Add(ctx, md.RequestSize, opts.AddOptions())
-	s.latencyMeasure.Record(ctx, md.ElapsedTime, opts.MeasurementOption())
+	s.requestBodySize.Record(ctx, md.RequestSize, opts["new"].MeasurementOption())
+	s.requestDuration.Record(ctx, md.ElapsedTime/1000, opts["new"].MeasurementOption())
 
-	// TODO: Duplicate Metrics
+	if s.duplicate {
+		s.requestBytesCounter.Add(ctx, md.RequestSize, opts["old"].AddOptions())
+		s.latencyMeasure.Record(ctx, md.ElapsedTime, opts["old"].MeasurementOption())
+	}
 }
 
-func (s HTTPClient) RecordResponseSize(ctx context.Context, responseData int64, opts metric.AddOption) {
+func (s HTTPClient) RecordResponseSize(ctx context.Context, responseData int64, opts map[string]MetricOpts) {
 	if s.responseBytesCounter == nil {
 		// This will happen if an HTTPClient{} is used instead of NewHTTPClient().
 		return
 	}
 
-	s.responseBytesCounter.Add(ctx, responseData, opts)
-	// TODO: Duplicate Metrics
+	s.responseBytesCounter.Add(ctx, responseData, opts["old"].AddOptions())
+}
+
+func (s HTTPClient) TraceAttributes(host string) []attribute.KeyValue {
+	attrs := CurrentHTTPClient{}.TraceAttributes(host)
+	if s.duplicate {
+		return OldHTTPClient{}.TraceAttributes(host, attrs)
+	}
+
+	return attrs
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go
new file mode 100644
index 0000000000000..f2cf8a152d3a9
--- /dev/null
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/gen.go
@@ -0,0 +1,14 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
+
+// Generate semconv package:
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/bench_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=bench_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/env.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=env.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/env_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=env_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/httpconv.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=httpconv.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/httpconv_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=httpconv_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/util.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=util.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/util_test.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=util_test.go
+//go:generate gotmpl --body=../../../../../../internal/shared/semconv/v1.20.0.go.tmpl "--data={ \"pkg\": \"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp\" }" --out=v1.20.0.go
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
index dc9ec7bc39edd..53976b0d5a643 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/httpconv.go
@@ -1,22 +1,35 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/semconv/httpconv.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package semconv provides OpenTelemetry semantic convention types and
+// functionality.
 package semconv // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv"
 
 import (
 	"fmt"
 	"net/http"
 	"reflect"
+	"slices"
 	"strconv"
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
+	"go.opentelemetry.io/otel/metric/noop"
 	semconvNew "go.opentelemetry.io/otel/semconv/v1.26.0"
 )
 
+type RequestTraceAttrsOpts struct {
+	// If set, this is used as value for the "http.client_ip" attribute.
+	HTTPClientIP string
+}
+
 type CurrentHTTPServer struct{}
 
-// TraceRequest returns trace attributes for an HTTP request received by a
+// RequestTraceAttrs returns trace attributes for an HTTP request received by a
 // server.
 //
 // The server must be the primary server name if it is known. For example this
@@ -32,7 +45,7 @@ type CurrentHTTPServer struct{}
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
+func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request, opts RequestTraceAttrsOpts) []attribute.KeyValue {
 	count := 3 // ServerAddress, Method, Scheme
 
 	var host string
@@ -59,7 +72,8 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 
 	scheme := n.scheme(req.TLS != nil)
 
-	if peer, peerPort := SplitHostPort(req.RemoteAddr); peer != "" {
+	peer, peerPort := SplitHostPort(req.RemoteAddr)
+	if peer != "" {
 		// The Go HTTP server sets RemoteAddr to "IP:port", this will not be a
 		// file-path that would be interpreted with a sock family.
 		count++
@@ -73,7 +87,17 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		count++
 	}
 
-	clientIP := serverClientIP(req.Header.Get("X-Forwarded-For"))
+	// For client IP, use, in order:
+	// 1. The value passed in the options
+	// 2. The value in the X-Forwarded-For header
+	// 3. The peer address
+	clientIP := opts.HTTPClientIP
+	if clientIP == "" {
+		clientIP = serverClientIP(req.Header.Get("X-Forwarded-For"))
+		if clientIP == "" {
+			clientIP = peer
+		}
+	}
 	if clientIP != "" {
 		count++
 	}
@@ -90,6 +114,11 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		count++
 	}
 
+	route := httpRoute(req.Pattern)
+	if route != "" {
+		count++
+	}
+
 	attrs := make([]attribute.KeyValue, 0, count)
 	attrs = append(attrs,
 		semconvNew.ServerAddress(host),
@@ -113,7 +142,7 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		}
 	}
 
-	if useragent := req.UserAgent(); useragent != "" {
+	if useragent != "" {
 		attrs = append(attrs, semconvNew.UserAgentOriginal(useragent))
 	}
 
@@ -132,9 +161,26 @@ func (n CurrentHTTPServer) RequestTraceAttrs(server string, req *http.Request) [
 		attrs = append(attrs, semconvNew.NetworkProtocolVersion(protoVersion))
 	}
 
+	if route != "" {
+		attrs = append(attrs, n.Route(route))
+	}
+
 	return attrs
 }
 
+func (n CurrentHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+		return semconvNew.NetworkTransportTCP
+	case "udp", "udp4", "udp6":
+		return semconvNew.NetworkTransportUDP
+	case "unix", "unixgram", "unixpacket":
+		return semconvNew.NetworkTransportUnix
+	default:
+		return semconvNew.NetworkTransportPipe
+	}
+}
+
 func (n CurrentHTTPServer) method(method string) (attribute.KeyValue, attribute.KeyValue) {
 	if method == "" {
 		return semconvNew.HTTPRequestMethodGet, attribute.KeyValue{}
@@ -157,9 +203,11 @@ func (n CurrentHTTPServer) scheme(https bool) attribute.KeyValue { // nolint:rev
 	return semconvNew.URLScheme("http")
 }
 
-// TraceResponse returns trace attributes for telemetry from an HTTP response.
+// ResponseTraceAttrs returns trace attributes for telemetry from an HTTP
+// response.
 //
-// If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
+// If any of the fields in the ResponseTelemetry are not set the attribute will
+// be omitted.
 func (n CurrentHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
 	var count int
 
@@ -199,6 +247,87 @@ func (n CurrentHTTPServer) Route(route string) attribute.KeyValue {
 	return semconvNew.HTTPRoute(route)
 }
 
+func (n CurrentHTTPServer) createMeasures(meter metric.Meter) (metric.Int64Histogram, metric.Int64Histogram, metric.Float64Histogram) {
+	if meter == nil {
+		return noop.Int64Histogram{}, noop.Int64Histogram{}, noop.Float64Histogram{}
+	}
+
+	var err error
+	requestBodySizeHistogram, err := meter.Int64Histogram(
+		semconvNew.HTTPServerRequestBodySizeName,
+		metric.WithUnit(semconvNew.HTTPServerRequestBodySizeUnit),
+		metric.WithDescription(semconvNew.HTTPServerRequestBodySizeDescription),
+	)
+	handleErr(err)
+
+	responseBodySizeHistogram, err := meter.Int64Histogram(
+		semconvNew.HTTPServerResponseBodySizeName,
+		metric.WithUnit(semconvNew.HTTPServerResponseBodySizeUnit),
+		metric.WithDescription(semconvNew.HTTPServerResponseBodySizeDescription),
+	)
+	handleErr(err)
+	requestDurationHistogram, err := meter.Float64Histogram(
+		semconvNew.HTTPServerRequestDurationName,
+		metric.WithUnit(semconvNew.HTTPServerRequestDurationUnit),
+		metric.WithDescription(semconvNew.HTTPServerRequestDurationDescription),
+		metric.WithExplicitBucketBoundaries(0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 0.75, 1, 2.5, 5, 7.5, 10),
+	)
+	handleErr(err)
+
+	return requestBodySizeHistogram, responseBodySizeHistogram, requestDurationHistogram
+}
+
+func (n CurrentHTTPServer) MetricAttributes(server string, req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
+	num := len(additionalAttributes) + 3
+	var host string
+	var p int
+	if server == "" {
+		host, p = SplitHostPort(req.Host)
+	} else {
+		// Prioritize the primary server name.
+		host, p = SplitHostPort(server)
+		if p < 0 {
+			_, p = SplitHostPort(req.Host)
+		}
+	}
+	hostPort := requiredHTTPPort(req.TLS != nil, p)
+	if hostPort > 0 {
+		num++
+	}
+	protoName, protoVersion := netProtocol(req.Proto)
+	if protoName != "" {
+		num++
+	}
+	if protoVersion != "" {
+		num++
+	}
+
+	if statusCode > 0 {
+		num++
+	}
+
+	attributes := slices.Grow(additionalAttributes, num)
+	attributes = append(attributes,
+		semconvNew.HTTPRequestMethodKey.String(standardizeHTTPMethod(req.Method)),
+		n.scheme(req.TLS != nil),
+		semconvNew.ServerAddress(host))
+
+	if hostPort > 0 {
+		attributes = append(attributes, semconvNew.ServerPort(hostPort))
+	}
+	if protoName != "" {
+		attributes = append(attributes, semconvNew.NetworkProtocolName(protoName))
+	}
+	if protoVersion != "" {
+		attributes = append(attributes, semconvNew.NetworkProtocolVersion(protoVersion))
+	}
+
+	if statusCode > 0 {
+		attributes = append(attributes, semconvNew.HTTPResponseStatusCode(statusCode))
+	}
+	return attributes
+}
+
 type CurrentHTTPClient struct{}
 
 // RequestTraceAttrs returns trace attributes for an HTTP request made by a client.
@@ -343,6 +472,102 @@ func (n CurrentHTTPClient) method(method string) (attribute.KeyValue, attribute.
 	return semconvNew.HTTPRequestMethodGet, orig
 }
 
+func (n CurrentHTTPClient) createMeasures(meter metric.Meter) (metric.Int64Histogram, metric.Float64Histogram) {
+	if meter == nil {
+		return noop.Int64Histogram{}, noop.Float64Histogram{}
+	}
+
+	var err error
+	requestBodySize, err := meter.Int64Histogram(
+		semconvNew.HTTPClientRequestBodySizeName,
+		metric.WithUnit(semconvNew.HTTPClientRequestBodySizeUnit),
+		metric.WithDescription(semconvNew.HTTPClientRequestBodySizeDescription),
+	)
+	handleErr(err)
+
+	requestDuration, err := meter.Float64Histogram(
+		semconvNew.HTTPClientRequestDurationName,
+		metric.WithUnit(semconvNew.HTTPClientRequestDurationUnit),
+		metric.WithDescription(semconvNew.HTTPClientRequestDurationDescription),
+		metric.WithExplicitBucketBoundaries(0.005, 0.01, 0.025, 0.05, 0.075, 0.1, 0.25, 0.5, 0.75, 1, 2.5, 5, 7.5, 10),
+	)
+	handleErr(err)
+
+	return requestBodySize, requestDuration
+}
+
+func (n CurrentHTTPClient) MetricAttributes(req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
+	num := len(additionalAttributes) + 2
+	var h string
+	if req.URL != nil {
+		h = req.URL.Host
+	}
+	var requestHost string
+	var requestPort int
+	for _, hostport := range []string{h, req.Header.Get("Host")} {
+		requestHost, requestPort = SplitHostPort(hostport)
+		if requestHost != "" || requestPort > 0 {
+			break
+		}
+	}
+
+	port := requiredHTTPPort(req.URL != nil && req.URL.Scheme == "https", requestPort)
+	if port > 0 {
+		num++
+	}
+
+	protoName, protoVersion := netProtocol(req.Proto)
+	if protoName != "" {
+		num++
+	}
+	if protoVersion != "" {
+		num++
+	}
+
+	if statusCode > 0 {
+		num++
+	}
+
+	attributes := slices.Grow(additionalAttributes, num)
+	attributes = append(attributes,
+		semconvNew.HTTPRequestMethodKey.String(standardizeHTTPMethod(req.Method)),
+		semconvNew.ServerAddress(requestHost),
+		n.scheme(req),
+	)
+
+	if port > 0 {
+		attributes = append(attributes, semconvNew.ServerPort(port))
+	}
+	if protoName != "" {
+		attributes = append(attributes, semconvNew.NetworkProtocolName(protoName))
+	}
+	if protoVersion != "" {
+		attributes = append(attributes, semconvNew.NetworkProtocolVersion(protoVersion))
+	}
+
+	if statusCode > 0 {
+		attributes = append(attributes, semconvNew.HTTPResponseStatusCode(statusCode))
+	}
+	return attributes
+}
+
+// TraceAttributes returns attributes for httptrace.
+func (n CurrentHTTPClient) TraceAttributes(host string) []attribute.KeyValue {
+	return []attribute.KeyValue{
+		semconvNew.ServerAddress(host),
+	}
+}
+
+func (n CurrentHTTPClient) scheme(req *http.Request) attribute.KeyValue {
+	if req.URL != nil && req.URL.Scheme != "" {
+		return semconvNew.URLScheme(req.URL.Scheme)
+	}
+	if req.TLS != nil {
+		return semconvNew.URLScheme("https")
+	}
+	return semconvNew.URLScheme("http")
+}
+
 func isErrorStatusCode(code int) bool {
 	return code >= 400 || code < 100
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
index 93e8d0f94c115..bc1f7751dbc1c 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/util.go
@@ -1,3 +1,6 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/semconv/util.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
@@ -25,17 +28,17 @@ func SplitHostPort(hostport string) (host string, port int) {
 	port = -1
 
 	if strings.HasPrefix(hostport, "[") {
-		addrEnd := strings.LastIndex(hostport, "]")
+		addrEnd := strings.LastIndexByte(hostport, ']')
 		if addrEnd < 0 {
 			// Invalid hostport.
 			return
 		}
-		if i := strings.LastIndex(hostport[addrEnd:], ":"); i < 0 {
+		if i := strings.LastIndexByte(hostport[addrEnd:], ':'); i < 0 {
 			host = hostport[1:addrEnd]
 			return
 		}
 	} else {
-		if i := strings.LastIndex(hostport, ":"); i < 0 {
+		if i := strings.LastIndexByte(hostport, ':'); i < 0 {
 			host = hostport
 			return
 		}
@@ -67,15 +70,31 @@ func requiredHTTPPort(https bool, port int) int { // nolint:revive
 }
 
 func serverClientIP(xForwardedFor string) string {
-	if idx := strings.Index(xForwardedFor, ","); idx >= 0 {
+	if idx := strings.IndexByte(xForwardedFor, ','); idx >= 0 {
 		xForwardedFor = xForwardedFor[:idx]
 	}
 	return xForwardedFor
 }
 
+func httpRoute(pattern string) string {
+	if idx := strings.IndexByte(pattern, '/'); idx >= 0 {
+		return pattern[idx:]
+	}
+	return ""
+}
+
 func netProtocol(proto string) (name string, version string) {
 	name, version, _ = strings.Cut(proto, "/")
-	name = strings.ToLower(name)
+	switch name {
+	case "HTTP":
+		name = "http"
+	case "QUIC":
+		name = "quic"
+	case "SPDY":
+		name = "spdy"
+	default:
+		name = strings.ToLower(name)
+	}
 	return name, version
 }
 
@@ -96,3 +115,13 @@ func handleErr(err error) {
 		otel.Handle(err)
 	}
 }
+
+func standardizeHTTPMethod(method string) string {
+	method = strings.ToUpper(method)
+	switch method {
+	case http.MethodConnect, http.MethodDelete, http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodPatch, http.MethodPost, http.MethodPut, http.MethodTrace:
+	default:
+		method = "_OTHER"
+	}
+	return method
+}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
index c042249dd7249..ba7fccf1efd62 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv/v1.20.0.go
@@ -1,3 +1,6 @@
+// Code generated by gotmpl. DO NOT MODIFY.
+// source: internal/shared/semconv/v120.0.go.tmpl
+
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
@@ -8,7 +11,6 @@ import (
 	"io"
 	"net/http"
 	"slices"
-	"strings"
 
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 	"go.opentelemetry.io/otel/attribute"
@@ -35,16 +37,18 @@ type OldHTTPServer struct{}
 //
 // If the primary server name is not known, server should be an empty string.
 // The req Host will be used to determine the server instead.
-func (o OldHTTPServer) RequestTraceAttrs(server string, req *http.Request) []attribute.KeyValue {
-	return semconvutil.HTTPServerRequest(server, req)
+func (o OldHTTPServer) RequestTraceAttrs(server string, req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPServerRequest(server, req, semconvutil.HTTPServerRequestOptions{}, attrs)
+}
+
+func (o OldHTTPServer) NetworkTransportAttr(network string) attribute.KeyValue {
+	return semconvutil.NetTransport(network)
 }
 
 // ResponseTraceAttrs returns trace attributes for telemetry from an HTTP response.
 //
 // If any of the fields in the ResponseTelemetry are not set the attribute will be omitted.
-func (o OldHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry) []attribute.KeyValue {
-	attributes := []attribute.KeyValue{}
-
+func (o OldHTTPServer) ResponseTraceAttrs(resp ResponseTelemetry, attributes []attribute.KeyValue) []attribute.KeyValue {
 	if resp.ReadBytes > 0 {
 		attributes = append(attributes, semconv.HTTPRequestContentLength(int(resp.ReadBytes)))
 	}
@@ -144,7 +148,7 @@ func (o OldHTTPServer) MetricAttributes(server string, req *http.Request, status
 
 	attributes := slices.Grow(additionalAttributes, n)
 	attributes = append(attributes,
-		standardizeHTTPMethodMetric(req.Method),
+		semconv.HTTPMethod(standardizeHTTPMethod(req.Method)),
 		o.scheme(req.TLS != nil),
 		semconv.NetHostName(host))
 
@@ -173,12 +177,12 @@ func (o OldHTTPServer) scheme(https bool) attribute.KeyValue { // nolint:revive
 
 type OldHTTPClient struct{}
 
-func (o OldHTTPClient) RequestTraceAttrs(req *http.Request) []attribute.KeyValue {
-	return semconvutil.HTTPClientRequest(req)
+func (o OldHTTPClient) RequestTraceAttrs(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPClientRequest(req, attrs)
 }
 
-func (o OldHTTPClient) ResponseTraceAttrs(resp *http.Response) []attribute.KeyValue {
-	return semconvutil.HTTPClientResponse(resp)
+func (o OldHTTPClient) ResponseTraceAttrs(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return semconvutil.HTTPClientResponse(resp, attrs)
 }
 
 func (o OldHTTPClient) MetricAttributes(req *http.Request, statusCode int, additionalAttributes []attribute.KeyValue) []attribute.KeyValue {
@@ -214,7 +218,7 @@ func (o OldHTTPClient) MetricAttributes(req *http.Request, statusCode int, addit
 
 	attributes := slices.Grow(additionalAttributes, n)
 	attributes = append(attributes,
-		standardizeHTTPMethodMetric(req.Method),
+		semconv.HTTPMethod(standardizeHTTPMethod(req.Method)),
 		semconv.NetPeerName(requestHost),
 	)
 
@@ -263,12 +267,7 @@ func (o OldHTTPClient) createMeasures(meter metric.Meter) (metric.Int64Counter,
 	return requestBytesCounter, responseBytesCounter, latencyMeasure
 }
 
-func standardizeHTTPMethodMetric(method string) attribute.KeyValue {
-	method = strings.ToUpper(method)
-	switch method {
-	case http.MethodConnect, http.MethodDelete, http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodPatch, http.MethodPost, http.MethodPut, http.MethodTrace:
-	default:
-		method = "_OTHER"
-	}
-	return semconv.HTTPMethod(method)
+// TraceAttributes returns attributes for httptrace.
+func (c OldHTTPClient) TraceAttributes(host string, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return append(attrs, semconv.NetHostName(host))
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
index a73bb06e90e48..b9973547931e5 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/httpconv.go
@@ -1,14 +1,16 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconvutil/httpconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package semconvutil provides OpenTelemetry semantic convention utilities.
 package semconvutil // import "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil"
 
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 
 	"go.opentelemetry.io/otel/attribute"
@@ -16,6 +18,11 @@ import (
 	semconv "go.opentelemetry.io/otel/semconv/v1.20.0"
 )
 
+type HTTPServerRequestOptions struct {
+	// If set, this is used as value for the "http.client_ip" attribute.
+	HTTPClientIP string
+}
+
 // HTTPClientResponse returns trace attributes for an HTTP response received by a
 // client from a server. It will return the following attributes if the related
 // values are defined in resp: "http.status.code",
@@ -26,9 +33,9 @@ import (
 // attributes. If a complete set of attributes can be generated using the
 // request contained in resp. For example:
 //
-//	append(HTTPClientResponse(resp), ClientRequest(resp.Request)...)
-func HTTPClientResponse(resp *http.Response) []attribute.KeyValue {
-	return hc.ClientResponse(resp)
+//	HTTPClientResponse(resp, ClientRequest(resp.Request)))
+func HTTPClientResponse(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ClientResponse(resp, attrs)
 }
 
 // HTTPClientRequest returns trace attributes for an HTTP request made by a client.
@@ -36,8 +43,8 @@ func HTTPClientResponse(resp *http.Response) []attribute.KeyValue {
 // "net.peer.name". The following attributes are returned if the related values
 // are defined in req: "net.peer.port", "user_agent.original",
 // "http.request_content_length".
-func HTTPClientRequest(req *http.Request) []attribute.KeyValue {
-	return hc.ClientRequest(req)
+func HTTPClientRequest(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ClientRequest(req, attrs)
 }
 
 // HTTPClientRequestMetrics returns metric attributes for an HTTP request made by a client.
@@ -75,8 +82,8 @@ func HTTPClientStatus(code int) (codes.Code, string) {
 // "http.target", "net.host.name". The following attributes are returned if
 // they related values are defined in req: "net.host.port", "net.sock.peer.addr",
 // "net.sock.peer.port", "user_agent.original", "http.client_ip".
-func HTTPServerRequest(server string, req *http.Request) []attribute.KeyValue {
-	return hc.ServerRequest(server, req)
+func HTTPServerRequest(server string, req *http.Request, opts HTTPServerRequestOptions, attrs []attribute.KeyValue) []attribute.KeyValue {
+	return hc.ServerRequest(server, req, opts, attrs)
 }
 
 // HTTPServerRequestMetrics returns metric attributes for an HTTP request received by a
@@ -153,8 +160,8 @@ var hc = &httpConv{
 // attributes. If a complete set of attributes can be generated using the
 // request contained in resp. For example:
 //
-//	append(ClientResponse(resp), ClientRequest(resp.Request)...)
-func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
+//	ClientResponse(resp, ClientRequest(resp.Request))
+func (c *httpConv) ClientResponse(resp *http.Response, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.status_code                int
 	http.response_content_length    int
@@ -166,8 +173,11 @@ func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
 	if resp.ContentLength > 0 {
 		n++
 	}
+	if n == 0 {
+		return attrs
+	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
+	attrs = slices.Grow(attrs, n)
 	if resp.StatusCode > 0 {
 		attrs = append(attrs, c.HTTPStatusCodeKey.Int(resp.StatusCode))
 	}
@@ -182,7 +192,7 @@ func (c *httpConv) ClientResponse(resp *http.Response) []attribute.KeyValue {
 // "net.peer.name". The following attributes are returned if the related values
 // are defined in req: "net.peer.port", "user_agent.original",
 // "http.request_content_length", "user_agent.original".
-func (c *httpConv) ClientRequest(req *http.Request) []attribute.KeyValue {
+func (c *httpConv) ClientRequest(req *http.Request, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.method                     string
 	user_agent.original             string
@@ -221,8 +231,7 @@ func (c *httpConv) ClientRequest(req *http.Request) []attribute.KeyValue {
 		n++
 	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
-
+	attrs = slices.Grow(attrs, n)
 	attrs = append(attrs, c.method(req.Method))
 
 	var u string
@@ -305,7 +314,7 @@ func (c *httpConv) ClientRequestMetrics(req *http.Request) []attribute.KeyValue
 // related values are defined in req: "net.host.port", "net.sock.peer.addr",
 // "net.sock.peer.port", "user_agent.original", "http.client_ip",
 // "net.protocol.name", "net.protocol.version".
-func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.KeyValue {
+func (c *httpConv) ServerRequest(server string, req *http.Request, opts HTTPServerRequestOptions, attrs []attribute.KeyValue) []attribute.KeyValue {
 	/* The following semantic conventions are returned if present:
 	http.method             string
 	http.scheme             string
@@ -358,7 +367,17 @@ func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.K
 		n++
 	}
 
-	clientIP := serverClientIP(req.Header.Get("X-Forwarded-For"))
+	// For client IP, use, in order:
+	// 1. The value passed in the options
+	// 2. The value in the X-Forwarded-For header
+	// 3. The peer address
+	clientIP := opts.HTTPClientIP
+	if clientIP == "" {
+		clientIP = serverClientIP(req.Header.Get("X-Forwarded-For"))
+		if clientIP == "" {
+			clientIP = peer
+		}
+	}
 	if clientIP != "" {
 		n++
 	}
@@ -378,7 +397,7 @@ func (c *httpConv) ServerRequest(server string, req *http.Request) []attribute.K
 		n++
 	}
 
-	attrs := make([]attribute.KeyValue, 0, n)
+	attrs = slices.Grow(attrs, n)
 
 	attrs = append(attrs, c.method(req.Method))
 	attrs = append(attrs, c.scheme(req.TLS != nil))
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
index b80a1db61fa0f..df97255e418c7 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil/netconv.go
@@ -1,4 +1,4 @@
-// Code created by gotmpl. DO NOT MODIFY.
+// Code generated by gotmpl. DO NOT MODIFY.
 // source: internal/shared/semconvutil/netconv.go.tmpl
 
 // Copyright The OpenTelemetry Authors
@@ -200,6 +200,15 @@ func splitHostPort(hostport string) (host string, port int) {
 
 func netProtocol(proto string) (name string, version string) {
 	name, version, _ = strings.Cut(proto, "/")
-	name = strings.ToLower(name)
+	switch name {
+	case "HTTP":
+		name = "http"
+	case "QUIC":
+		name = "quic"
+	case "SPDY":
+		name = "spdy"
+	default:
+		name = strings.ToLower(name)
+	}
 	return name, version
 }
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
index ea504e396f13c..d62ce44b002d5 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/labeler.go
@@ -35,14 +35,14 @@ func (l *Labeler) Get() []attribute.KeyValue {
 
 type labelerContextKeyType int
 
-const lablelerContextKey labelerContextKeyType = 0
+const labelerContextKey labelerContextKeyType = 0
 
 // ContextWithLabeler returns a new context with the provided Labeler instance.
 // Attributes added to the specified labeler will be injected into metrics
 // emitted by the instrumentation. Only one labeller can be injected into the
 // context. Injecting it multiple times will override the previous calls.
 func ContextWithLabeler(parent context.Context, l *Labeler) context.Context {
-	return context.WithValue(parent, lablelerContextKey, l)
+	return context.WithValue(parent, labelerContextKey, l)
 }
 
 // LabelerFromContext retrieves a Labeler instance from the provided context if
@@ -50,7 +50,7 @@ func ContextWithLabeler(parent context.Context, l *Labeler) context.Context {
 // Labeler is returned and the second return value is false.  In this case it is
 // safe to use the Labeler but any attributes added to it will not be used.
 func LabelerFromContext(ctx context.Context) (*Labeler, bool) {
-	l, ok := ctx.Value(lablelerContextKey).(*Labeler)
+	l, ok := ctx.Value(labelerContextKey).(*Labeler)
 	if !ok {
 		l = &Labeler{}
 	}
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
index 39681ad4b0980..44b86ad86095d 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/transport.go
@@ -153,7 +153,7 @@ func (t *Transport) RoundTrip(r *http.Request) (*http.Response, error) {
 
 	// For handling response bytes we leverage a callback when the client reads the http response
 	readRecordFunc := func(n int64) {
-		t.semconv.RecordResponseSize(ctx, n, metricOpts.AddOptions())
+		t.semconv.RecordResponseSize(ctx, n, metricOpts)
 	}
 
 	// traces
diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
index 353e43b91fd88..6be4c1fde2cdc 100644
--- a/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
+++ b/vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/version.go
@@ -5,13 +5,6 @@ package otelhttp // import "go.opentelemetry.io/contrib/instrumentation/net/http
 
 // Version is the current release version of the otelhttp instrumentation.
 func Version() string {
-	return "0.58.0"
+	return "0.61.0"
 	// This string is updated by the pre_release.sh script during release
 }
-
-// SemVersion is the semantic version to be supplied to tracer/meter creation.
-//
-// Deprecated: Use [Version] instead.
-func SemVersion() string {
-	return Version()
-}
diff --git a/vendor/go.opentelemetry.io/otel/.golangci.yml b/vendor/go.opentelemetry.io/otel/.golangci.yml
index c58e48ab0c42a..888e5da8028e0 100644
--- a/vendor/go.opentelemetry.io/otel/.golangci.yml
+++ b/vendor/go.opentelemetry.io/otel/.golangci.yml
@@ -1,13 +1,9 @@
-# See https://github.com/golangci/golangci-lint#config-file
+version: "2"
 run:
-  issues-exit-code: 1 #Default
-  tests: true #Default
-
+  issues-exit-code: 1
+  tests: true
 linters:
-  # Disable everything by default so upgrades to not include new "default
-  # enabled" linters.
-  disable-all: true
-  # Specifically enable linters we want to use.
+  default: none
   enable:
     - asasalint
     - bodyclose
@@ -15,10 +11,7 @@ linters:
     - errcheck
     - errorlint
     - godot
-    - gofumpt
-    - goimports
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - misspell
@@ -26,227 +19,230 @@ linters:
     - revive
     - staticcheck
     - testifylint
-    - typecheck
     - unconvert
-    - unused
     - unparam
+    - unused
     - usestdlibvars
     - usetesting
-
+  settings:
+    depguard:
+      rules:
+        auto/sdk:
+          files:
+            - '!internal/global/trace.go'
+            - ~internal/global/trace_test.go
+          deny:
+            - pkg: go.opentelemetry.io/auto/sdk
+              desc: Do not use SDK from automatic instrumentation.
+        non-tests:
+          files:
+            - '!$test'
+            - '!**/*test/*.go'
+            - '!**/internal/matchers/*.go'
+          deny:
+            - pkg: testing
+            - pkg: github.com/stretchr/testify
+            - pkg: crypto/md5
+            - pkg: crypto/sha1
+            - pkg: crypto/**/pkix
+        otel-internal:
+          files:
+            - '**/sdk/*.go'
+            - '**/sdk/**/*.go'
+            - '**/exporters/*.go'
+            - '**/exporters/**/*.go'
+            - '**/schema/*.go'
+            - '**/schema/**/*.go'
+            - '**/metric/*.go'
+            - '**/metric/**/*.go'
+            - '**/bridge/*.go'
+            - '**/bridge/**/*.go'
+            - '**/trace/*.go'
+            - '**/trace/**/*.go'
+            - '**/log/*.go'
+            - '**/log/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/internal$
+              desc: Do not use cross-module internal packages.
+            - pkg: go.opentelemetry.io/otel/internal/internaltest
+              desc: Do not use cross-module internal packages.
+            - pkg: go.opentelemetry.io/otel/internal/matchers
+              desc: Do not use cross-module internal packages.
+        otlp-internal:
+          files:
+            - '!**/exporters/otlp/internal/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/internal
+              desc: Do not use cross-module internal packages.
+        otlpmetric-internal:
+          files:
+            - '!**/exporters/otlp/otlpmetric/internal/*.go'
+            - '!**/exporters/otlp/otlpmetric/internal/**/*.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/internal
+              desc: Do not use cross-module internal packages.
+        otlptrace-internal:
+          files:
+            - '!**/exporters/otlp/otlptrace/*.go'
+            - '!**/exporters/otlp/otlptrace/internal/**.go'
+          deny:
+            - pkg: go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal
+              desc: Do not use cross-module internal packages.
+    godot:
+      exclude:
+        # Exclude links.
+        - '^ *\[[^]]+\]:'
+        # Exclude sentence fragments for lists.
+        - ^[ ]*[-•]
+        # Exclude sentences prefixing a list.
+        - :$
+    misspell:
+      locale: US
+      ignore-rules:
+        - cancelled
+    perfsprint:
+      int-conversion: true
+      err-error: true
+      errorf: true
+      sprintf1: true
+      strconcat: true
+    revive:
+      confidence: 0.01
+      rules:
+        - name: blank-imports
+        - name: bool-literal-in-expr
+        - name: constant-logical-expr
+        - name: context-as-argument
+          arguments:
+            - allowTypesBefore: '*testing.T'
+          disabled: true
+        - name: context-keys-type
+        - name: deep-exit
+        - name: defer
+          arguments:
+            - - call-chain
+              - loop
+        - name: dot-imports
+        - name: duplicated-imports
+        - name: early-return
+          arguments:
+            - preserveScope
+        - name: empty-block
+        - name: empty-lines
+        - name: error-naming
+        - name: error-return
+        - name: error-strings
+        - name: errorf
+        - name: exported
+          arguments:
+            - sayRepetitiveInsteadOfStutters
+        - name: flag-parameter
+        - name: identical-branches
+        - name: if-return
+        - name: import-shadowing
+        - name: increment-decrement
+        - name: indent-error-flow
+          arguments:
+            - preserveScope
+        - name: package-comments
+        - name: range
+        - name: range-val-in-closure
+        - name: range-val-address
+        - name: redefines-builtin-id
+        - name: string-format
+          arguments:
+            - - panic
+              - /^[^\n]*$/
+              - must not contain line breaks
+        - name: struct-tag
+        - name: superfluous-else
+          arguments:
+            - preserveScope
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: unexported-return
+        - name: unhandled-error
+          arguments:
+            - fmt.Fprint
+            - fmt.Fprintf
+            - fmt.Fprintln
+            - fmt.Print
+            - fmt.Printf
+            - fmt.Println
+        - name: unnecessary-stmt
+        - name: useless-break
+        - name: var-declaration
+        - name: var-naming
+          arguments:
+            - ["ID"] # AllowList
+            - ["Otel", "Aws", "Gcp"] # DenyList
+        - name: waitgroup-by-value
+    testifylint:
+      enable-all: true
+      disable:
+        - float-compare
+        - go-require
+        - require-error
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      # TODO: Having appropriate comments for exported objects helps development,
+      # even for objects in internal packages. Appropriate comments for all
+      # exported objects should be added and this exclusion removed.
+      - linters:
+          - revive
+        path: .*internal/.*
+        text: exported (method|function|type|const) (.+) should have comment or be unexported
+      # Yes, they are, but it's okay in a test.
+      - linters:
+          - revive
+        path: _test\.go
+        text: exported func.*returns unexported type.*which can be annoying to use
+      # Example test functions should be treated like main.
+      - linters:
+          - revive
+        path: example.*_test\.go
+        text: calls to (.+) only in main[(][)] or init[(][)] functions
+      # It's okay to not run gosec and perfsprint in a test.
+      - linters:
+          - gosec
+          - perfsprint
+        path: _test\.go
+      # Ignoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
+      # as we commonly use it in tests and examples.
+      - linters:
+          - gosec
+        text: 'G404:'
+      # Ignoring gosec G402: TLS MinVersion too low
+      # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
+      - linters:
+          - gosec
+        text: 'G402: TLS MinVersion too low.'
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
-  # Setting to unlimited so the linter only is run once to debug all issues.
   max-issues-per-linter: 0
-  # Maximum count of issues with the same text.
-  # Set to 0 to disable.
-  # Default: 3
-  # Setting to unlimited so the linter only is run once to debug all issues.
   max-same-issues: 0
-  # Excluding configuration per-path, per-linter, per-text and per-source.
-  exclude-rules:
-    # TODO: Having appropriate comments for exported objects helps development,
-    # even for objects in internal packages. Appropriate comments for all
-    # exported objects should be added and this exclusion removed.
-    - path: '.*internal/.*'
-      text: "exported (method|function|type|const) (.+) should have comment or be unexported"
-      linters:
-        - revive
-    # Yes, they are, but it's okay in a test.
-    - path: _test\.go
-      text: "exported func.*returns unexported type.*which can be annoying to use"
-      linters:
-        - revive
-    # Example test functions should be treated like main.
-    - path: example.*_test\.go
-      text: "calls to (.+) only in main[(][)] or init[(][)] functions"
-      linters:
-        - revive
-    # It's okay to not run gosec and perfsprint in a test.
-    - path: _test\.go
-      linters:
-        - gosec
-        - perfsprint
-    # Ignoring gosec G404: Use of weak random number generator (math/rand instead of crypto/rand)
-    # as we commonly use it in tests and examples.
-    - text: "G404:"
-      linters:
-        - gosec
-    # Ignoring gosec G402: TLS MinVersion too low
-    # as the https://pkg.go.dev/crypto/tls#Config handles MinVersion default well.
-    - text: "G402: TLS MinVersion too low."
-      linters:
-        - gosec
-  include:
-    # revive exported should have comment or be unexported.
-    - EXC0012
-    # revive package comment should be of the form ...
-    - EXC0013
-
-linters-settings:
-  depguard:
-    rules:
-      non-tests:
-        files:
-          - "!$test"
-          - "!**/*test/*.go"
-          - "!**/internal/matchers/*.go"
-        deny:
-          - pkg: "testing"
-          - pkg: "github.com/stretchr/testify"
-          - pkg: "crypto/md5"
-          - pkg: "crypto/sha1"
-          - pkg: "crypto/**/pkix"
-      auto/sdk:
-        files:
-          - "!internal/global/trace.go"
-          - "~internal/global/trace_test.go"
-        deny:
-          - pkg: "go.opentelemetry.io/auto/sdk"
-            desc: Do not use SDK from automatic instrumentation.
-      otlp-internal:
-        files:
-          - "!**/exporters/otlp/internal/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/internal"
-            desc: Do not use cross-module internal packages.
-      otlptrace-internal:
-        files:
-          - "!**/exporters/otlp/otlptrace/*.go"
-          - "!**/exporters/otlp/otlptrace/internal/**.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal"
-            desc: Do not use cross-module internal packages.
-      otlpmetric-internal:
-        files:
-          - "!**/exporters/otlp/otlpmetric/internal/*.go"
-          - "!**/exporters/otlp/otlpmetric/internal/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/internal"
-            desc: Do not use cross-module internal packages.
-      otel-internal:
-        files:
-          - "**/sdk/*.go"
-          - "**/sdk/**/*.go"
-          - "**/exporters/*.go"
-          - "**/exporters/**/*.go"
-          - "**/schema/*.go"
-          - "**/schema/**/*.go"
-          - "**/metric/*.go"
-          - "**/metric/**/*.go"
-          - "**/bridge/*.go"
-          - "**/bridge/**/*.go"
-          - "**/trace/*.go"
-          - "**/trace/**/*.go"
-          - "**/log/*.go"
-          - "**/log/**/*.go"
-        deny:
-          - pkg: "go.opentelemetry.io/otel/internal$"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/attribute"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/internaltest"
-            desc: Do not use cross-module internal packages.
-          - pkg: "go.opentelemetry.io/otel/internal/matchers"
-            desc: Do not use cross-module internal packages.
-  godot:
-    exclude:
-      # Exclude links.
-      - '^ *\[[^]]+\]:'
-      # Exclude sentence fragments for lists.
-      - '^[ ]*[-•]'
-      # Exclude sentences prefixing a list.
-      - ':$'
-  goimports:
-    local-prefixes: go.opentelemetry.io
-  misspell:
-    locale: US
-    ignore-words:
-      - cancelled
-  perfsprint:
-    err-error: true
-    errorf: true
-    int-conversion: true
-    sprintf1: true
-    strconcat: true
-  revive:
-    # Sets the default failure confidence.
-    # This means that linting errors with less than 0.8 confidence will be ignored.
-    # Default: 0.8
-    confidence: 0.01
-    # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
-    rules:
-      - name: blank-imports
-      - name: bool-literal-in-expr
-      - name: constant-logical-expr
-      - name: context-as-argument
-        disabled: true
-        arguments:
-          - allowTypesBefore: "*testing.T"
-      - name: context-keys-type
-      - name: deep-exit
-      - name: defer
-        arguments:
-          - ["call-chain", "loop"]
-      - name: dot-imports
-      - name: duplicated-imports
-      - name: early-return
-        arguments:
-          - "preserveScope"
-      - name: empty-block
-      - name: empty-lines
-      - name: error-naming
-      - name: error-return
-      - name: error-strings
-      - name: errorf
-      - name: exported
-        arguments:
-          - "sayRepetitiveInsteadOfStutters"
-      - name: flag-parameter
-      - name: identical-branches
-      - name: if-return
-      - name: import-shadowing
-      - name: increment-decrement
-      - name: indent-error-flow
-        arguments:
-          - "preserveScope"
-      - name: package-comments
-      - name: range
-      - name: range-val-in-closure
-      - name: range-val-address
-      - name: redefines-builtin-id
-      - name: string-format
-        arguments:
-          - - panic
-            - '/^[^\n]*$/'
-            - must not contain line breaks
-      - name: struct-tag
-      - name: superfluous-else
-        arguments:
-          - "preserveScope"
-      - name: time-equal
-      - name: unconditional-recursion
-      - name: unexported-return
-      - name: unhandled-error
-        arguments:
-          - "fmt.Fprint"
-          - "fmt.Fprintf"
-          - "fmt.Fprintln"
-          - "fmt.Print"
-          - "fmt.Printf"
-          - "fmt.Println"
-      - name: unnecessary-stmt
-      - name: useless-break
-      - name: var-declaration
-      - name: var-naming
-        arguments:
-          - ["ID"] # AllowList
-          - ["Otel", "Aws", "Gcp"] # DenyList
-      - name: waitgroup-by-value
-  testifylint:
-    enable-all: true
-    disable:
-      - float-compare
-      - go-require
-      - require-error
+formatters:
+  enable:
+    - gofumpt
+    - goimports
+    - golines
+  settings:
+    goimports:
+      local-prefixes:
+        - go.opentelemetry.io
+    golines:
+      max-len: 120
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
diff --git a/vendor/go.opentelemetry.io/otel/CHANGELOG.md b/vendor/go.opentelemetry.io/otel/CHANGELOG.md
index c076db2823ff8..648e4abab8c7d 100644
--- a/vendor/go.opentelemetry.io/otel/CHANGELOG.md
+++ b/vendor/go.opentelemetry.io/otel/CHANGELOG.md
@@ -11,6 +11,57 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 <!-- Released section -->
 <!-- Don't change this section unless doing release -->
 
+## [1.36.0/0.58.0/0.12.0] 2025-05-20
+
+### Added
+
+- Add exponential histogram support in `go.opentelemetry.io/otel/exporters/prometheus`. (#6421)
+- The `go.opentelemetry.io/otel/semconv/v1.31.0` package.
+  The package contains semantic conventions from the `v1.31.0` version of the OpenTelemetry Semantic Conventions.
+  See the [migration documentation](./semconv/v1.31.0/MIGRATION.md) for information on how to upgrade from `go.opentelemetry.io/otel/semconv/v1.30.0`. (#6479)
+- Add `Recording`, `Scope`, and `Record` types in `go.opentelemetry.io/otel/log/logtest`. (#6507)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. (#6751)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. (#6752)
+- Add `WithHTTPClient` option to configure the `http.Client` used by `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6688)
+- Add `ValuesGetter` in `go.opentelemetry.io/otel/propagation`, a `TextMapCarrier` that supports retrieving multiple values for a single key. (#5973)
+- Add `Values` method to `HeaderCarrier` to implement the new `ValuesGetter` interface in `go.opentelemetry.io/otel/propagation`. (#5973)
+- Update `Baggage` in `go.opentelemetry.io/otel/propagation` to retrieve multiple values for a key when the carrier implements `ValuesGetter`. (#5973)
+- Add `AssertEqual` function in `go.opentelemetry.io/otel/log/logtest`. (#6662)
+- The `go.opentelemetry.io/otel/semconv/v1.32.0` package.
+  The package contains semantic conventions from the `v1.32.0` version of the OpenTelemetry Semantic Conventions.
+  See the [migration documentation](./semconv/v1.32.0/MIGRATION.md) for information on how to upgrade from `go.opentelemetry.io/otel/semconv/v1.31.0`(#6782)
+- Add `Transform` option in `go.opentelemetry.io/otel/log/logtest`. (#6794)
+- Add `Desc` option in `go.opentelemetry.io/otel/log/logtest`. (#6796)
+
+### Removed
+
+- Drop support for [Go 1.22]. (#6381, #6418)
+- Remove `Resource` field from `EnabledParameters` in `go.opentelemetry.io/otel/sdk/log`. (#6494)
+- Remove `RecordFactory` type from `go.opentelemetry.io/otel/log/logtest`. (#6492)
+- Remove `ScopeRecords`, `EmittedRecord`, and `RecordFactory` types from `go.opentelemetry.io/otel/log/logtest`. (#6507)
+- Remove `AssertRecordEqual` function in `go.opentelemetry.io/otel/log/logtest`, use `AssertEqual` instead. (#6662)
+
+### Changed
+
+- ⚠️ Update `github.com/prometheus/client_golang` to `v1.21.1`, which changes the `NameValidationScheme` to `UTF8Validation`.
+  This allows metrics names to keep original delimiters (e.g. `.`), rather than replacing with underscores.
+  This can be reverted by setting `github.com/prometheus/common/model.NameValidationScheme` to `LegacyValidation` in `github.com/prometheus/common/model`. (#6433)
+- Initialize map with `len(keys)` in `NewAllowKeysFilter` and `NewDenyKeysFilter` to avoid unnecessary allocations in `go.opentelemetry.io/otel/attribute`. (#6455)
+- `go.opentelemetry.io/otel/log/logtest` is now a separate Go module. (#6465)
+- `go.opentelemetry.io/otel/sdk/log/logtest` is now a separate Go module. (#6466)
+- `Recorder` in `go.opentelemetry.io/otel/log/logtest` no longer separately stores records emitted by loggers with the same instrumentation scope. (#6507)
+- Improve performance of `BatchProcessor` in `go.opentelemetry.io/otel/sdk/log` by not exporting when exporter cannot accept more. (#6569, #6641)
+
+### Deprecated
+
+- Deprecate support for `model.LegacyValidation` for `go.opentelemetry.io/otel/exporters/prometheus`. (#6449)
+
+### Fixes
+
+- Stop percent encoding header environment variables in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc` and `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. (#6392)
+- Ensure the `noopSpan.tracerProvider` method is not inlined in `go.opentelemetry.io/otel/trace` so the `go.opentelemetry.io/auto` instrumentation can instrument non-recording spans. (#6456)
+- Use a `sync.Pool` instead of allocating `metricdata.ResourceMetrics` in `go.opentelemetry.io/otel/exporters/prometheus`. (#6472)
+
 ## [1.35.0/0.57.0/0.11.0] 2025-03-05
 
 This release is the last to support [Go 1.22].
@@ -3237,7 +3288,8 @@ It contains api and sdk for trace and meter.
 - CircleCI build CI manifest files.
 - CODEOWNERS file to track owners of this project.
 
-[Unreleased]: https://github.com/open-telemetry/opentelemetry-go/compare/v1.35.0...HEAD
+[Unreleased]: https://github.com/open-telemetry/opentelemetry-go/compare/v1.36.0...HEAD
+[1.36.0/0.58.0/0.12.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.36.0
 [1.35.0/0.57.0/0.11.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.35.0
 [1.34.0/0.56.0/0.10.0]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.34.0
 [1.33.0/0.55.0/0.9.0/0.0.12]: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.33.0
diff --git a/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md b/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
index 7b8af585aab06..1902dac057a67 100644
--- a/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
+++ b/vendor/go.opentelemetry.io/otel/CONTRIBUTING.md
@@ -643,6 +643,7 @@ should be canceled.
 
 ### Triagers
 
+- [Alex Kats](https://github.com/akats7), Capital One
 - [Cheng-Zhen Yang](https://github.com/scorpionknifes), Independent
 
 ### Approvers
diff --git a/vendor/go.opentelemetry.io/otel/Makefile b/vendor/go.opentelemetry.io/otel/Makefile
index 226410d7428c5..62a56f4d341db 100644
--- a/vendor/go.opentelemetry.io/otel/Makefile
+++ b/vendor/go.opentelemetry.io/otel/Makefile
@@ -43,8 +43,11 @@ $(TOOLS)/crosslink: PACKAGE=go.opentelemetry.io/build-tools/crosslink
 SEMCONVKIT = $(TOOLS)/semconvkit
 $(TOOLS)/semconvkit: PACKAGE=go.opentelemetry.io/otel/$(TOOLS_MOD_DIR)/semconvkit
 
+VERIFYREADMES = $(TOOLS)/verifyreadmes
+$(TOOLS)/verifyreadmes: PACKAGE=go.opentelemetry.io/otel/$(TOOLS_MOD_DIR)/verifyreadmes
+
 GOLANGCI_LINT = $(TOOLS)/golangci-lint
-$(TOOLS)/golangci-lint: PACKAGE=github.com/golangci/golangci-lint/cmd/golangci-lint
+$(TOOLS)/golangci-lint: PACKAGE=github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 
 MISSPELL = $(TOOLS)/misspell
 $(TOOLS)/misspell: PACKAGE=github.com/client9/misspell/cmd/misspell
@@ -68,7 +71,7 @@ GOVULNCHECK = $(TOOLS)/govulncheck
 $(TOOLS)/govulncheck: PACKAGE=golang.org/x/vuln/cmd/govulncheck
 
 .PHONY: tools
-tools: $(CROSSLINK) $(GOLANGCI_LINT) $(MISSPELL) $(GOCOVMERGE) $(STRINGER) $(PORTO) $(SEMCONVGEN) $(MULTIMOD) $(SEMCONVKIT) $(GOTMPL) $(GORELEASE)
+tools: $(CROSSLINK) $(GOLANGCI_LINT) $(MISSPELL) $(GOCOVMERGE) $(STRINGER) $(PORTO) $(SEMCONVGEN) $(VERIFYREADMES) $(MULTIMOD) $(SEMCONVKIT) $(GOTMPL) $(GORELEASE)
 
 # Virtualized python tools via docker
 
@@ -213,11 +216,8 @@ go-mod-tidy/%: crosslink
 		&& cd $(DIR) \
 		&& $(GO) mod tidy -compat=1.21
 
-.PHONY: lint-modules
-lint-modules: go-mod-tidy
-
 .PHONY: lint
-lint: misspell lint-modules golangci-lint govulncheck
+lint: misspell go-mod-tidy golangci-lint govulncheck
 
 .PHONY: vanity-import-check
 vanity-import-check: $(PORTO)
@@ -319,10 +319,11 @@ add-tags: verify-mods
 	@[ "${MODSET}" ] || ( echo ">> env var MODSET is not set"; exit 1 )
 	$(MULTIMOD) tag -m ${MODSET} -c ${COMMIT}
 
+MARKDOWNIMAGE := $(shell awk '$$4=="markdown" {print $$2}' $(DEPENDENCIES_DOCKERFILE))
 .PHONY: lint-markdown
 lint-markdown:
-	docker run -v "$(CURDIR):$(WORKDIR)" avtodev/markdown-lint:v1 -c $(WORKDIR)/.markdownlint.yaml $(WORKDIR)/**/*.md
+	docker run --rm -u $(DOCKER_USER) -v "$(CURDIR):$(WORKDIR)" $(MARKDOWNIMAGE) -c $(WORKDIR)/.markdownlint.yaml $(WORKDIR)/**/*.md
 
 .PHONY: verify-readmes
-verify-readmes:
-	./verify_readmes.sh
+verify-readmes: $(VERIFYREADMES)
+	$(VERIFYREADMES)
diff --git a/vendor/go.opentelemetry.io/otel/README.md b/vendor/go.opentelemetry.io/otel/README.md
index 8421cd7e597ae..b600788121254 100644
--- a/vendor/go.opentelemetry.io/otel/README.md
+++ b/vendor/go.opentelemetry.io/otel/README.md
@@ -6,6 +6,7 @@
 [![Go Report Card](https://goreportcard.com/badge/go.opentelemetry.io/otel)](https://goreportcard.com/report/go.opentelemetry.io/otel)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-telemetry/opentelemetry-go/badge)](https://scorecard.dev/viewer/?uri=github.com/open-telemetry/opentelemetry-go)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9996/badge)](https://www.bestpractices.dev/projects/9996)
+[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opentelemetry-go.svg)](https://issues.oss-fuzz.com/issues?q=project:opentelemetry-go)
 [![Slack](https://img.shields.io/badge/slack-@cncf/otel--go-brightgreen.svg?logo=slack)](https://cloud-native.slack.com/archives/C01NPAXACKT)
 
 OpenTelemetry-Go is the [Go](https://golang.org/) implementation of [OpenTelemetry](https://opentelemetry.io/).
@@ -53,25 +54,18 @@ Currently, this project supports the following environments.
 |----------|------------|--------------|
 | Ubuntu   | 1.24       | amd64        |
 | Ubuntu   | 1.23       | amd64        |
-| Ubuntu   | 1.22       | amd64        |
 | Ubuntu   | 1.24       | 386          |
 | Ubuntu   | 1.23       | 386          |
-| Ubuntu   | 1.22       | 386          |
 | Ubuntu   | 1.24       | arm64        |
 | Ubuntu   | 1.23       | arm64        |
-| Ubuntu   | 1.22       | arm64        |
 | macOS 13 | 1.24       | amd64        |
 | macOS 13 | 1.23       | amd64        |
-| macOS 13 | 1.22       | amd64        |
 | macOS    | 1.24       | arm64        |
 | macOS    | 1.23       | arm64        |
-| macOS    | 1.22       | arm64        |
 | Windows  | 1.24       | amd64        |
 | Windows  | 1.23       | amd64        |
-| Windows  | 1.22       | amd64        |
 | Windows  | 1.24       | 386          |
 | Windows  | 1.23       | 386          |
-| Windows  | 1.22       | 386          |
 
 While this project should work for other systems, no compatibility guarantees
 are made for those systems currently.
diff --git a/vendor/go.opentelemetry.io/otel/RELEASING.md b/vendor/go.opentelemetry.io/otel/RELEASING.md
index 1e13ae54f71bf..7c1a9119dccf8 100644
--- a/vendor/go.opentelemetry.io/otel/RELEASING.md
+++ b/vendor/go.opentelemetry.io/otel/RELEASING.md
@@ -1,5 +1,9 @@
 # Release Process
 
+## Create a `Version Release` issue
+
+Create a `Version Release` issue to track the release process.
+
 ## Semantic Convention Generation
 
 New versions of the [OpenTelemetry Semantic Conventions] mean new versions of the `semconv` package need to be generated.
@@ -123,6 +127,16 @@ Importantly, bump any package versions referenced to be the latest one you just
 [Go instrumentation documentation]: https://opentelemetry.io/docs/languages/go/
 [content/en/docs/languages/go]: https://github.com/open-telemetry/opentelemetry.io/tree/main/content/en/docs/languages/go
 
+### Close the milestone
+
+Once a release is made, ensure all issues that were fixed and PRs that were merged as part of this release are added to the corresponding milestone.
+This helps track what changes were included in each release.
+
+- To find issues that haven't been included in a milestone, use this [GitHub search query](https://github.com/open-telemetry/opentelemetry-go/issues?q=is%3Aissue%20no%3Amilestone%20is%3Aclosed%20sort%3Aupdated-desc%20reason%3Acompleted%20-label%3AStale%20linked%3Apr)
+- To find merged PRs that haven't been included in a milestone, use this [GitHub search query](https://github.com/open-telemetry/opentelemetry-go/pulls?q=is%3Apr+no%3Amilestone+is%3Amerged).
+
+Once all related issues and PRs have been added to the milestone, close the milestone.
+
 ### Demo Repository
 
 Bump the dependencies in the following Go services:
@@ -130,3 +144,7 @@ Bump the dependencies in the following Go services:
 - [`accounting`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/accounting)
 - [`checkoutservice`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/checkout)
 - [`productcatalogservice`](https://github.com/open-telemetry/opentelemetry-demo/tree/main/src/product-catalog)
+
+### Close the `Version Release` issue
+
+Once the todo list in the `Version Release` issue is complete, close the issue.
diff --git a/vendor/go.opentelemetry.io/otel/attribute/filter.go b/vendor/go.opentelemetry.io/otel/attribute/filter.go
index be9cd922d87ef..3eeaa5d4426a6 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/filter.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/filter.go
@@ -19,7 +19,7 @@ func NewAllowKeysFilter(keys ...Key) Filter {
 		return func(kv KeyValue) bool { return false }
 	}
 
-	allowed := make(map[Key]struct{})
+	allowed := make(map[Key]struct{}, len(keys))
 	for _, k := range keys {
 		allowed[k] = struct{}{}
 	}
@@ -38,7 +38,7 @@ func NewDenyKeysFilter(keys ...Key) Filter {
 		return func(kv KeyValue) bool { return true }
 	}
 
-	forbid := make(map[Key]struct{})
+	forbid := make(map[Key]struct{}, len(keys))
 	for _, k := range keys {
 		forbid[k] = struct{}{}
 	}
diff --git a/vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
similarity index 97%
rename from vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go
rename to vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
index 691d96c7554c6..b76d2bbfdbd62 100644
--- a/vendor/go.opentelemetry.io/otel/internal/attribute/attribute.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go
@@ -5,7 +5,7 @@
 Package attribute provide several helper functions for some commonly used
 logic of processing attributes.
 */
-package attribute // import "go.opentelemetry.io/otel/internal/attribute"
+package attribute // import "go.opentelemetry.io/otel/attribute/internal"
 
 import (
 	"reflect"
diff --git a/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go b/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go
new file mode 100644
index 0000000000000..5791c6e7aaa1f
--- /dev/null
+++ b/vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go
@@ -0,0 +1,37 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package attribute // import "go.opentelemetry.io/otel/attribute"
+
+import (
+	"math"
+)
+
+func boolToRaw(b bool) uint64 { // nolint:revive  // b is not a control flag.
+	if b {
+		return 1
+	}
+	return 0
+}
+
+func rawToBool(r uint64) bool {
+	return r != 0
+}
+
+func int64ToRaw(i int64) uint64 {
+	// Assumes original was a valid int64 (overflow not checked).
+	return uint64(i) // nolint: gosec
+}
+
+func rawToInt64(r uint64) int64 {
+	// Assumes original was a valid int64 (overflow not checked).
+	return int64(r) // nolint: gosec
+}
+
+func float64ToRaw(f float64) uint64 {
+	return math.Float64bits(f)
+}
+
+func rawToFloat64(r uint64) float64 {
+	return math.Float64frombits(r)
+}
diff --git a/vendor/go.opentelemetry.io/otel/attribute/value.go b/vendor/go.opentelemetry.io/otel/attribute/value.go
index 9ea0ecbbd27af..817eecacf11a8 100644
--- a/vendor/go.opentelemetry.io/otel/attribute/value.go
+++ b/vendor/go.opentelemetry.io/otel/attribute/value.go
@@ -9,8 +9,7 @@ import (
 	"reflect"
 	"strconv"
 
-	"go.opentelemetry.io/otel/internal"
-	"go.opentelemetry.io/otel/internal/attribute"
+	attribute "go.opentelemetry.io/otel/attribute/internal"
 )
 
 //go:generate stringer -type=Type
@@ -51,7 +50,7 @@ const (
 func BoolValue(v bool) Value {
 	return Value{
 		vtype:   BOOL,
-		numeric: internal.BoolToRaw(v),
+		numeric: boolToRaw(v),
 	}
 }
 
@@ -82,7 +81,7 @@ func IntSliceValue(v []int) Value {
 func Int64Value(v int64) Value {
 	return Value{
 		vtype:   INT64,
-		numeric: internal.Int64ToRaw(v),
+		numeric: int64ToRaw(v),
 	}
 }
 
@@ -95,7 +94,7 @@ func Int64SliceValue(v []int64) Value {
 func Float64Value(v float64) Value {
 	return Value{
 		vtype:   FLOAT64,
-		numeric: internal.Float64ToRaw(v),
+		numeric: float64ToRaw(v),
 	}
 }
 
@@ -125,7 +124,7 @@ func (v Value) Type() Type {
 // AsBool returns the bool value. Make sure that the Value's type is
 // BOOL.
 func (v Value) AsBool() bool {
-	return internal.RawToBool(v.numeric)
+	return rawToBool(v.numeric)
 }
 
 // AsBoolSlice returns the []bool value. Make sure that the Value's type is
@@ -144,7 +143,7 @@ func (v Value) asBoolSlice() []bool {
 // AsInt64 returns the int64 value. Make sure that the Value's type is
 // INT64.
 func (v Value) AsInt64() int64 {
-	return internal.RawToInt64(v.numeric)
+	return rawToInt64(v.numeric)
 }
 
 // AsInt64Slice returns the []int64 value. Make sure that the Value's type is
@@ -163,7 +162,7 @@ func (v Value) asInt64Slice() []int64 {
 // AsFloat64 returns the float64 value. Make sure that the Value's
 // type is FLOAT64.
 func (v Value) AsFloat64() float64 {
-	return internal.RawToFloat64(v.numeric)
+	return rawToFloat64(v.numeric)
 }
 
 // AsFloat64Slice returns the []float64 value. Make sure that the Value's type is
diff --git a/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile b/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
index e4c4a753c8877..51fb76b30d07a 100644
--- a/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
+++ b/vendor/go.opentelemetry.io/otel/dependencies.Dockerfile
@@ -1,3 +1,4 @@
 # This is a renovate-friendly source of Docker images.
-FROM python:3.13.2-slim-bullseye@sha256:31b581c8218e1f3c58672481b3b7dba8e898852866b408c6a984c22832523935 AS python
-FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver
+FROM python:3.13.3-slim-bullseye@sha256:9e3f9243e06fd68eb9519074b49878eda20ad39a855fac51aaffb741de20726e AS python
+FROM otel/weaver:v0.15.0@sha256:1cf1c72eaed57dad813c2e359133b8a15bd4facf305aae5b13bdca6d3eccff56 AS weaver
+FROM avtodev/markdown-lint:v1@sha256:6aeedc2f49138ce7a1cd0adffc1b1c0321b841dc2102408967d9301c031949ee AS markdown
diff --git a/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh b/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh
deleted file mode 100644
index 93e80ea306c13..0000000000000
--- a/vendor/go.opentelemetry.io/otel/get_main_pkgs.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright The OpenTelemetry Authors
-# SPDX-License-Identifier: Apache-2.0
-
-set -euo pipefail
-
-top_dir='.'
-if [[ $# -gt 0 ]]; then
-    top_dir="${1}"
-fi
-
-p=$(pwd)
-mod_dirs=()
-
-# Note `mapfile` does not exist in older bash versions:
-# https://stackoverflow.com/questions/41475261/need-alternative-to-readarray-mapfile-for-script-on-older-version-of-bash
-
-while IFS= read -r line; do
-    mod_dirs+=("$line")
-done < <(find "${top_dir}" -type f -name 'go.mod' -exec dirname {} \; | sort)
-
-for mod_dir in "${mod_dirs[@]}"; do
-    cd "${mod_dir}"
-
-    while IFS= read -r line; do
-        echo ".${line#${p}}"
-    done < <(go list --find -f '{{.Name}}|{{.Dir}}' ./... | grep '^main|' | cut -f 2- -d '|')
-    cd "${p}"
-done
diff --git a/vendor/go.opentelemetry.io/otel/internal/gen.go b/vendor/go.opentelemetry.io/otel/internal/gen.go
deleted file mode 100644
index 4259f0320d4da..0000000000000
--- a/vendor/go.opentelemetry.io/otel/internal/gen.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package internal // import "go.opentelemetry.io/otel/internal"
-
-//go:generate gotmpl --body=./shared/matchers/expectation.go.tmpl "--data={}" --out=matchers/expectation.go
-//go:generate gotmpl --body=./shared/matchers/expecter.go.tmpl "--data={}" --out=matchers/expecter.go
-//go:generate gotmpl --body=./shared/matchers/temporal_matcher.go.tmpl "--data={}" --out=matchers/temporal_matcher.go
-
-//go:generate gotmpl --body=./shared/internaltest/alignment.go.tmpl "--data={}" --out=internaltest/alignment.go
-//go:generate gotmpl --body=./shared/internaltest/env.go.tmpl "--data={}" --out=internaltest/env.go
-//go:generate gotmpl --body=./shared/internaltest/env_test.go.tmpl "--data={}" --out=internaltest/env_test.go
-//go:generate gotmpl --body=./shared/internaltest/errors.go.tmpl "--data={}" --out=internaltest/errors.go
-//go:generate gotmpl --body=./shared/internaltest/harness.go.tmpl "--data={\"matchersImportPath\": \"go.opentelemetry.io/otel/internal/matchers\"}" --out=internaltest/harness.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_carrier.go.tmpl "--data={}" --out=internaltest/text_map_carrier.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_carrier_test.go.tmpl "--data={}" --out=internaltest/text_map_carrier_test.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_propagator.go.tmpl "--data={}" --out=internaltest/text_map_propagator.go
-//go:generate gotmpl --body=./shared/internaltest/text_map_propagator_test.go.tmpl "--data={}" --out=internaltest/text_map_propagator_test.go
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/handler.go b/vendor/go.opentelemetry.io/otel/internal/global/handler.go
index c657ff8e755a3..2e47b2964c860 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/handler.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/handler.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package global provides the OpenTelemetry global API.
 package global // import "go.opentelemetry.io/otel/internal/global"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/meter.go b/vendor/go.opentelemetry.io/otel/internal/global/meter.go
index a6acd8dca66ea..adb37b5b0e7e5 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/meter.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/meter.go
@@ -169,7 +169,10 @@ func (m *meter) Int64Counter(name string, options ...metric.Int64CounterOption)
 	return i, nil
 }
 
-func (m *meter) Int64UpDownCounter(name string, options ...metric.Int64UpDownCounterOption) (metric.Int64UpDownCounter, error) {
+func (m *meter) Int64UpDownCounter(
+	name string,
+	options ...metric.Int64UpDownCounterOption,
+) (metric.Int64UpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -238,7 +241,10 @@ func (m *meter) Int64Gauge(name string, options ...metric.Int64GaugeOption) (met
 	return i, nil
 }
 
-func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64ObservableCounterOption) (metric.Int64ObservableCounter, error) {
+func (m *meter) Int64ObservableCounter(
+	name string,
+	options ...metric.Int64ObservableCounterOption,
+) (metric.Int64ObservableCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -261,7 +267,10 @@ func (m *meter) Int64ObservableCounter(name string, options ...metric.Int64Obser
 	return i, nil
 }
 
-func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int64ObservableUpDownCounterOption) (metric.Int64ObservableUpDownCounter, error) {
+func (m *meter) Int64ObservableUpDownCounter(
+	name string,
+	options ...metric.Int64ObservableUpDownCounterOption,
+) (metric.Int64ObservableUpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -284,7 +293,10 @@ func (m *meter) Int64ObservableUpDownCounter(name string, options ...metric.Int6
 	return i, nil
 }
 
-func (m *meter) Int64ObservableGauge(name string, options ...metric.Int64ObservableGaugeOption) (metric.Int64ObservableGauge, error) {
+func (m *meter) Int64ObservableGauge(
+	name string,
+	options ...metric.Int64ObservableGaugeOption,
+) (metric.Int64ObservableGauge, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -330,7 +342,10 @@ func (m *meter) Float64Counter(name string, options ...metric.Float64CounterOpti
 	return i, nil
 }
 
-func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDownCounterOption) (metric.Float64UpDownCounter, error) {
+func (m *meter) Float64UpDownCounter(
+	name string,
+	options ...metric.Float64UpDownCounterOption,
+) (metric.Float64UpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -353,7 +368,10 @@ func (m *meter) Float64UpDownCounter(name string, options ...metric.Float64UpDow
 	return i, nil
 }
 
-func (m *meter) Float64Histogram(name string, options ...metric.Float64HistogramOption) (metric.Float64Histogram, error) {
+func (m *meter) Float64Histogram(
+	name string,
+	options ...metric.Float64HistogramOption,
+) (metric.Float64Histogram, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -399,7 +417,10 @@ func (m *meter) Float64Gauge(name string, options ...metric.Float64GaugeOption)
 	return i, nil
 }
 
-func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64ObservableCounterOption) (metric.Float64ObservableCounter, error) {
+func (m *meter) Float64ObservableCounter(
+	name string,
+	options ...metric.Float64ObservableCounterOption,
+) (metric.Float64ObservableCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -422,7 +443,10 @@ func (m *meter) Float64ObservableCounter(name string, options ...metric.Float64O
 	return i, nil
 }
 
-func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Float64ObservableUpDownCounterOption) (metric.Float64ObservableUpDownCounter, error) {
+func (m *meter) Float64ObservableUpDownCounter(
+	name string,
+	options ...metric.Float64ObservableUpDownCounterOption,
+) (metric.Float64ObservableUpDownCounter, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
@@ -445,7 +469,10 @@ func (m *meter) Float64ObservableUpDownCounter(name string, options ...metric.Fl
 	return i, nil
 }
 
-func (m *meter) Float64ObservableGauge(name string, options ...metric.Float64ObservableGaugeOption) (metric.Float64ObservableGauge, error) {
+func (m *meter) Float64ObservableGauge(
+	name string,
+	options ...metric.Float64ObservableGaugeOption,
+) (metric.Float64ObservableGauge, error) {
 	m.mtx.Lock()
 	defer m.mtx.Unlock()
 
diff --git a/vendor/go.opentelemetry.io/otel/internal/global/trace.go b/vendor/go.opentelemetry.io/otel/internal/global/trace.go
index 8982aa0dc56e7..49e4ac4faab5b 100644
--- a/vendor/go.opentelemetry.io/otel/internal/global/trace.go
+++ b/vendor/go.opentelemetry.io/otel/internal/global/trace.go
@@ -158,7 +158,18 @@ func (t *tracer) Start(ctx context.Context, name string, opts ...trace.SpanStart
 // a nonRecordingSpan by default.
 var autoInstEnabled = new(bool)
 
-func (t *tracer) newSpan(ctx context.Context, autoSpan *bool, name string, opts []trace.SpanStartOption) (context.Context, trace.Span) {
+// newSpan is called by tracer.Start so auto-instrumentation can attach an eBPF
+// uprobe to this code.
+//
+// "noinline" pragma prevents the method from ever being inlined.
+//
+//go:noinline
+func (t *tracer) newSpan(
+	ctx context.Context,
+	autoSpan *bool,
+	name string,
+	opts []trace.SpanStartOption,
+) (context.Context, trace.Span) {
 	// autoInstEnabled is passed to newSpan via the autoSpan parameter. This is
 	// so the auto-instrumentation can define a uprobe for (*t).newSpan and be
 	// provided with the address of the bool autoInstEnabled points to. It
diff --git a/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go b/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go
deleted file mode 100644
index b2fe3e41d3b18..0000000000000
--- a/vendor/go.opentelemetry.io/otel/internal/rawhelpers.go
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
-package internal // import "go.opentelemetry.io/otel/internal"
-
-import (
-	"math"
-	"unsafe"
-)
-
-func BoolToRaw(b bool) uint64 { // nolint:revive  // b is not a control flag.
-	if b {
-		return 1
-	}
-	return 0
-}
-
-func RawToBool(r uint64) bool {
-	return r != 0
-}
-
-func Int64ToRaw(i int64) uint64 {
-	// Assumes original was a valid int64 (overflow not checked).
-	return uint64(i) // nolint: gosec
-}
-
-func RawToInt64(r uint64) int64 {
-	// Assumes original was a valid int64 (overflow not checked).
-	return int64(r) // nolint: gosec
-}
-
-func Float64ToRaw(f float64) uint64 {
-	return math.Float64bits(f)
-}
-
-func RawToFloat64(r uint64) float64 {
-	return math.Float64frombits(r)
-}
-
-func RawPtrToFloat64Ptr(r *uint64) *float64 {
-	// Assumes original was a valid *float64 (overflow not checked).
-	return (*float64)(unsafe.Pointer(r)) // nolint: gosec
-}
-
-func RawPtrToInt64Ptr(r *uint64) *int64 {
-	// Assumes original was a valid *int64 (overflow not checked).
-	return (*int64)(unsafe.Pointer(r)) // nolint: gosec
-}
diff --git a/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go b/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
index f8435d8f288dd..b7fc973a66c29 100644
--- a/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
+++ b/vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go
@@ -106,7 +106,9 @@ type Float64ObservableUpDownCounterConfig struct {
 
 // NewFloat64ObservableUpDownCounterConfig returns a new
 // [Float64ObservableUpDownCounterConfig] with all opts applied.
-func NewFloat64ObservableUpDownCounterConfig(opts ...Float64ObservableUpDownCounterOption) Float64ObservableUpDownCounterConfig {
+func NewFloat64ObservableUpDownCounterConfig(
+	opts ...Float64ObservableUpDownCounterOption,
+) Float64ObservableUpDownCounterConfig {
 	var config Float64ObservableUpDownCounterConfig
 	for _, o := range opts {
 		config = o.applyFloat64ObservableUpDownCounter(config)
@@ -239,12 +241,16 @@ type float64CallbackOpt struct {
 	cback Float64Callback
 }
 
-func (o float64CallbackOpt) applyFloat64ObservableCounter(cfg Float64ObservableCounterConfig) Float64ObservableCounterConfig {
+func (o float64CallbackOpt) applyFloat64ObservableCounter(
+	cfg Float64ObservableCounterConfig,
+) Float64ObservableCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
 
-func (o float64CallbackOpt) applyFloat64ObservableUpDownCounter(cfg Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o float64CallbackOpt) applyFloat64ObservableUpDownCounter(
+	cfg Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/asyncint64.go b/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
index e079aaef169e8..4404b71a22f0f 100644
--- a/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
+++ b/vendor/go.opentelemetry.io/otel/metric/asyncint64.go
@@ -105,7 +105,9 @@ type Int64ObservableUpDownCounterConfig struct {
 
 // NewInt64ObservableUpDownCounterConfig returns a new
 // [Int64ObservableUpDownCounterConfig] with all opts applied.
-func NewInt64ObservableUpDownCounterConfig(opts ...Int64ObservableUpDownCounterOption) Int64ObservableUpDownCounterConfig {
+func NewInt64ObservableUpDownCounterConfig(
+	opts ...Int64ObservableUpDownCounterOption,
+) Int64ObservableUpDownCounterConfig {
 	var config Int64ObservableUpDownCounterConfig
 	for _, o := range opts {
 		config = o.applyInt64ObservableUpDownCounter(config)
@@ -242,7 +244,9 @@ func (o int64CallbackOpt) applyInt64ObservableCounter(cfg Int64ObservableCounter
 	return cfg
 }
 
-func (o int64CallbackOpt) applyInt64ObservableUpDownCounter(cfg Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o int64CallbackOpt) applyInt64ObservableUpDownCounter(
+	cfg Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	cfg.callbacks = append(cfg.callbacks, o.cback)
 	return cfg
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/instrument.go b/vendor/go.opentelemetry.io/otel/metric/instrument.go
index a535782e1d9a7..9f48d5f117c48 100644
--- a/vendor/go.opentelemetry.io/otel/metric/instrument.go
+++ b/vendor/go.opentelemetry.io/otel/metric/instrument.go
@@ -63,7 +63,9 @@ func (o descOpt) applyFloat64ObservableCounter(c Float64ObservableCounterConfig)
 	return c
 }
 
-func (o descOpt) applyFloat64ObservableUpDownCounter(c Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o descOpt) applyFloat64ObservableUpDownCounter(
+	c Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	c.description = string(o)
 	return c
 }
@@ -98,7 +100,9 @@ func (o descOpt) applyInt64ObservableCounter(c Int64ObservableCounterConfig) Int
 	return c
 }
 
-func (o descOpt) applyInt64ObservableUpDownCounter(c Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o descOpt) applyInt64ObservableUpDownCounter(
+	c Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	c.description = string(o)
 	return c
 }
@@ -138,7 +142,9 @@ func (o unitOpt) applyFloat64ObservableCounter(c Float64ObservableCounterConfig)
 	return c
 }
 
-func (o unitOpt) applyFloat64ObservableUpDownCounter(c Float64ObservableUpDownCounterConfig) Float64ObservableUpDownCounterConfig {
+func (o unitOpt) applyFloat64ObservableUpDownCounter(
+	c Float64ObservableUpDownCounterConfig,
+) Float64ObservableUpDownCounterConfig {
 	c.unit = string(o)
 	return c
 }
@@ -173,7 +179,9 @@ func (o unitOpt) applyInt64ObservableCounter(c Int64ObservableCounterConfig) Int
 	return c
 }
 
-func (o unitOpt) applyInt64ObservableUpDownCounter(c Int64ObservableUpDownCounterConfig) Int64ObservableUpDownCounterConfig {
+func (o unitOpt) applyInt64ObservableUpDownCounter(
+	c Int64ObservableUpDownCounterConfig,
+) Int64ObservableUpDownCounterConfig {
 	c.unit = string(o)
 	return c
 }
diff --git a/vendor/go.opentelemetry.io/otel/metric/meter.go b/vendor/go.opentelemetry.io/otel/metric/meter.go
index 14e08c24a4be6..fdd2a7011c33a 100644
--- a/vendor/go.opentelemetry.io/otel/metric/meter.go
+++ b/vendor/go.opentelemetry.io/otel/metric/meter.go
@@ -110,7 +110,10 @@ type Meter interface {
 	// The name needs to conform to the OpenTelemetry instrument name syntax.
 	// See the Instrument Name section of the package documentation for more
 	// information.
-	Int64ObservableUpDownCounter(name string, options ...Int64ObservableUpDownCounterOption) (Int64ObservableUpDownCounter, error)
+	Int64ObservableUpDownCounter(
+		name string,
+		options ...Int64ObservableUpDownCounterOption,
+	) (Int64ObservableUpDownCounter, error)
 
 	// Int64ObservableGauge returns a new Int64ObservableGauge instrument
 	// identified by name and configured with options. The instrument is used
@@ -194,7 +197,10 @@ type Meter interface {
 	// The name needs to conform to the OpenTelemetry instrument name syntax.
 	// See the Instrument Name section of the package documentation for more
 	// information.
-	Float64ObservableUpDownCounter(name string, options ...Float64ObservableUpDownCounterOption) (Float64ObservableUpDownCounter, error)
+	Float64ObservableUpDownCounter(
+		name string,
+		options ...Float64ObservableUpDownCounterOption,
+	) (Float64ObservableUpDownCounter, error)
 
 	// Float64ObservableGauge returns a new Float64ObservableGauge instrument
 	// identified by name and configured with options. The instrument is used
diff --git a/vendor/go.opentelemetry.io/otel/metric/noop/noop.go b/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
index ca6fcbdc09963..9afb69e583b93 100644
--- a/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
+++ b/vendor/go.opentelemetry.io/otel/metric/noop/noop.go
@@ -86,13 +86,19 @@ func (Meter) Int64Gauge(string, ...metric.Int64GaugeOption) (metric.Int64Gauge,
 
 // Int64ObservableCounter returns an ObservableCounter used to record int64
 // measurements that produces no telemetry.
-func (Meter) Int64ObservableCounter(string, ...metric.Int64ObservableCounterOption) (metric.Int64ObservableCounter, error) {
+func (Meter) Int64ObservableCounter(
+	string,
+	...metric.Int64ObservableCounterOption,
+) (metric.Int64ObservableCounter, error) {
 	return Int64ObservableCounter{}, nil
 }
 
 // Int64ObservableUpDownCounter returns an ObservableUpDownCounter used to
 // record int64 measurements that produces no telemetry.
-func (Meter) Int64ObservableUpDownCounter(string, ...metric.Int64ObservableUpDownCounterOption) (metric.Int64ObservableUpDownCounter, error) {
+func (Meter) Int64ObservableUpDownCounter(
+	string,
+	...metric.Int64ObservableUpDownCounterOption,
+) (metric.Int64ObservableUpDownCounter, error) {
 	return Int64ObservableUpDownCounter{}, nil
 }
 
@@ -128,19 +134,28 @@ func (Meter) Float64Gauge(string, ...metric.Float64GaugeOption) (metric.Float64G
 
 // Float64ObservableCounter returns an ObservableCounter used to record int64
 // measurements that produces no telemetry.
-func (Meter) Float64ObservableCounter(string, ...metric.Float64ObservableCounterOption) (metric.Float64ObservableCounter, error) {
+func (Meter) Float64ObservableCounter(
+	string,
+	...metric.Float64ObservableCounterOption,
+) (metric.Float64ObservableCounter, error) {
 	return Float64ObservableCounter{}, nil
 }
 
 // Float64ObservableUpDownCounter returns an ObservableUpDownCounter used to
 // record int64 measurements that produces no telemetry.
-func (Meter) Float64ObservableUpDownCounter(string, ...metric.Float64ObservableUpDownCounterOption) (metric.Float64ObservableUpDownCounter, error) {
+func (Meter) Float64ObservableUpDownCounter(
+	string,
+	...metric.Float64ObservableUpDownCounterOption,
+) (metric.Float64ObservableUpDownCounter, error) {
 	return Float64ObservableUpDownCounter{}, nil
 }
 
 // Float64ObservableGauge returns an ObservableGauge used to record int64
 // measurements that produces no telemetry.
-func (Meter) Float64ObservableGauge(string, ...metric.Float64ObservableGaugeOption) (metric.Float64ObservableGauge, error) {
+func (Meter) Float64ObservableGauge(
+	string,
+	...metric.Float64ObservableGaugeOption,
+) (metric.Float64ObservableGauge, error) {
 	return Float64ObservableGauge{}, nil
 }
 
diff --git a/vendor/go.opentelemetry.io/otel/propagation/baggage.go b/vendor/go.opentelemetry.io/otel/propagation/baggage.go
index 552263ba73437..ebda5026d6b68 100644
--- a/vendor/go.opentelemetry.io/otel/propagation/baggage.go
+++ b/vendor/go.opentelemetry.io/otel/propagation/baggage.go
@@ -28,7 +28,21 @@ func (b Baggage) Inject(ctx context.Context, carrier TextMapCarrier) {
 }
 
 // Extract returns a copy of parent with the baggage from the carrier added.
+// If carrier implements [ValuesGetter] (e.g. [HeaderCarrier]), Values is invoked
+// for multiple values extraction. Otherwise, Get is called.
 func (b Baggage) Extract(parent context.Context, carrier TextMapCarrier) context.Context {
+	if multiCarrier, ok := carrier.(ValuesGetter); ok {
+		return extractMultiBaggage(parent, multiCarrier)
+	}
+	return extractSingleBaggage(parent, carrier)
+}
+
+// Fields returns the keys who's values are set with Inject.
+func (b Baggage) Fields() []string {
+	return []string{baggageHeader}
+}
+
+func extractSingleBaggage(parent context.Context, carrier TextMapCarrier) context.Context {
 	bStr := carrier.Get(baggageHeader)
 	if bStr == "" {
 		return parent
@@ -41,7 +55,23 @@ func (b Baggage) Extract(parent context.Context, carrier TextMapCarrier) context
 	return baggage.ContextWithBaggage(parent, bag)
 }
 
-// Fields returns the keys who's values are set with Inject.
-func (b Baggage) Fields() []string {
-	return []string{baggageHeader}
+func extractMultiBaggage(parent context.Context, carrier ValuesGetter) context.Context {
+	bVals := carrier.Values(baggageHeader)
+	if len(bVals) == 0 {
+		return parent
+	}
+	var members []baggage.Member
+	for _, bStr := range bVals {
+		currBag, err := baggage.Parse(bStr)
+		if err != nil {
+			continue
+		}
+		members = append(members, currBag.Members()...)
+	}
+
+	b, err := baggage.New(members...)
+	if err != nil || b.Len() == 0 {
+		return parent
+	}
+	return baggage.ContextWithBaggage(parent, b)
 }
diff --git a/vendor/go.opentelemetry.io/otel/propagation/propagation.go b/vendor/go.opentelemetry.io/otel/propagation/propagation.go
index 8c8286aab4d29..5c8c26ea2eb79 100644
--- a/vendor/go.opentelemetry.io/otel/propagation/propagation.go
+++ b/vendor/go.opentelemetry.io/otel/propagation/propagation.go
@@ -9,6 +9,7 @@ import (
 )
 
 // TextMapCarrier is the storage medium used by a TextMapPropagator.
+// See ValuesGetter for how a TextMapCarrier can get multiple values for a key.
 type TextMapCarrier interface {
 	// DO NOT CHANGE: any modification will not be backwards compatible and
 	// must never be done outside of a new major release.
@@ -29,6 +30,18 @@ type TextMapCarrier interface {
 	// must never be done outside of a new major release.
 }
 
+// ValuesGetter can return multiple values for a single key,
+// with contrast to TextMapCarrier.Get which returns a single value.
+type ValuesGetter interface {
+	// DO NOT CHANGE: any modification will not be backwards compatible and
+	// must never be done outside of a new major release.
+
+	// Values returns all values associated with the passed key.
+	Values(key string) []string
+	// DO NOT CHANGE: any modification will not be backwards compatible and
+	// must never be done outside of a new major release.
+}
+
 // MapCarrier is a TextMapCarrier that uses a map held in memory as a storage
 // medium for propagated key-value pairs.
 type MapCarrier map[string]string
@@ -55,14 +68,25 @@ func (c MapCarrier) Keys() []string {
 	return keys
 }
 
-// HeaderCarrier adapts http.Header to satisfy the TextMapCarrier interface.
+// HeaderCarrier adapts http.Header to satisfy the TextMapCarrier and ValuesGetter interfaces.
 type HeaderCarrier http.Header
 
-// Get returns the value associated with the passed key.
+// Compile time check that HeaderCarrier implements ValuesGetter.
+var _ TextMapCarrier = HeaderCarrier{}
+
+// Compile time check that HeaderCarrier implements TextMapCarrier.
+var _ ValuesGetter = HeaderCarrier{}
+
+// Get returns the first value associated with the passed key.
 func (hc HeaderCarrier) Get(key string) string {
 	return http.Header(hc).Get(key)
 }
 
+// Values returns all values associated with the passed key.
+func (hc HeaderCarrier) Values(key string) []string {
+	return http.Header(hc).Values(key)
+}
+
 // Set stores the key-value pair.
 func (hc HeaderCarrier) Set(key string, value string) {
 	http.Header(hc).Set(key, value)
@@ -89,6 +113,8 @@ type TextMapPropagator interface {
 	// must never be done outside of a new major release.
 
 	// Extract reads cross-cutting concerns from the carrier into a Context.
+	// Implementations may check if the carrier implements ValuesGetter,
+	// to support extraction of multiple values per key.
 	Extract(ctx context.Context, carrier TextMapCarrier) context.Context
 	// DO NOT CHANGE: any modification will not be backwards compatible and
 	// must never be done outside of a new major release.
diff --git a/vendor/go.opentelemetry.io/otel/renovate.json b/vendor/go.opentelemetry.io/otel/renovate.json
index a6fa353f95c03..fa5acf2d3bdb0 100644
--- a/vendor/go.opentelemetry.io/otel/renovate.json
+++ b/vendor/go.opentelemetry.io/otel/renovate.json
@@ -1,7 +1,8 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:best-practices"
+    "config:best-practices",
+    "helpers:pinGitHubActionDigestsToSemver"
   ],
   "ignorePaths": [],
   "labels": ["Skip Changelog", "dependencies"],
@@ -25,6 +26,10 @@
     {
       "matchPackageNames": ["golang.org/x/**"],
       "groupName": "golang.org/x"
+    },
+    {
+      "matchPackageNames": ["go.opentelemetry.io/otel/sdk/log/logtest"],
+      "enabled": false
     }
   ]
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go b/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
index 07923ed8d945b..e3309231d4239 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/internal/env/env.go
@@ -1,6 +1,8 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package env provides types and functionality for environment variable support
+// in the OpenTelemetry SDK.
 package env // import "go.opentelemetry.io/otel/sdk/internal/env"
 
 import (
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go b/vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go
index ce455dc544bff..3d703c5d98e25 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/os_release_darwin.go
@@ -5,6 +5,7 @@ package resource // import "go.opentelemetry.io/otel/sdk/resource"
 
 import (
 	"encoding/xml"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -63,7 +64,7 @@ func parsePlistFile(file io.Reader) (map[string]string, error) {
 	}
 
 	if len(v.Dict.Key) != len(v.Dict.String) {
-		return nil, fmt.Errorf("the number of <key> and <string> elements doesn't match")
+		return nil, errors.New("the number of <key> and <string> elements doesn't match")
 	}
 
 	properties := make(map[string]string, len(v.Dict.Key))
diff --git a/vendor/go.opentelemetry.io/otel/sdk/resource/resource.go b/vendor/go.opentelemetry.io/otel/sdk/resource/resource.go
index ad4b50df40400..09b91e1e1b0f5 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/resource/resource.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/resource/resource.go
@@ -21,11 +21,22 @@ import (
 // Resources should be passed and stored as pointers
 // (`*resource.Resource`).  The `nil` value is equivalent to an empty
 // Resource.
+//
+// Note that the Go == operator compares not just the resource attributes but
+// also all other internals of the Resource type. Therefore, Resource values
+// should not be used as map or database keys. In general, the [Resource.Equal]
+// method should be used instead of direct comparison with ==, since that
+// method ensures the correct comparison of resource attributes, and the
+// [attribute.Distinct] returned from [Resource.Equivalent] should be used for
+// map and database keys instead.
 type Resource struct {
 	attrs     attribute.Set
 	schemaURL string
 }
 
+// Compile-time check that the Resource remains comparable.
+var _ map[Resource]struct{} = nil
+
 var (
 	defaultResource     *Resource
 	defaultResourceOnce sync.Once
@@ -137,15 +148,19 @@ func (r *Resource) Iter() attribute.Iterator {
 	return r.attrs.Iter()
 }
 
-// Equal returns true when a Resource is equivalent to this Resource.
-func (r *Resource) Equal(eq *Resource) bool {
+// Equal returns whether r and o represent the same resource. Two resources can
+// be equal even if they have different schema URLs.
+//
+// See the documentation on the [Resource] type for the pitfalls of using ==
+// with Resource values; most code should use Equal instead.
+func (r *Resource) Equal(o *Resource) bool {
 	if r == nil {
 		r = Empty()
 	}
-	if eq == nil {
-		eq = Empty()
+	if o == nil {
+		o = Empty()
 	}
-	return r.Equivalent() == eq.Equivalent()
+	return r.Equivalent() == o.Equivalent()
 }
 
 // Merge creates a new [Resource] by merging a and b.
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go b/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
index ccc97e1b6625f..6872cbb4e7a26 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go
@@ -201,10 +201,9 @@ func (bsp *batchSpanProcessor) ForceFlush(ctx context.Context) error {
 			}
 		}
 
-		wait := make(chan error)
+		wait := make(chan error, 1)
 		go func() {
 			wait <- bsp.exportSpans(ctx)
-			close(wait)
 		}()
 		// Wait until the export is finished or the context is cancelled/timed out
 		select {
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go b/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
index 925bcf9930574..c8d3fb7e3cf6a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/id_generator.go
@@ -5,10 +5,8 @@ package trace // import "go.opentelemetry.io/otel/sdk/trace"
 
 import (
 	"context"
-	crand "crypto/rand"
 	"encoding/binary"
-	"math/rand"
-	"sync"
+	"math/rand/v2"
 
 	"go.opentelemetry.io/otel/trace"
 )
@@ -29,20 +27,15 @@ type IDGenerator interface {
 	// must never be done outside of a new major release.
 }
 
-type randomIDGenerator struct {
-	sync.Mutex
-	randSource *rand.Rand
-}
+type randomIDGenerator struct{}
 
 var _ IDGenerator = &randomIDGenerator{}
 
 // NewSpanID returns a non-zero span ID from a randomly-chosen sequence.
 func (gen *randomIDGenerator) NewSpanID(ctx context.Context, traceID trace.TraceID) trace.SpanID {
-	gen.Lock()
-	defer gen.Unlock()
 	sid := trace.SpanID{}
 	for {
-		_, _ = gen.randSource.Read(sid[:])
+		binary.NativeEndian.PutUint64(sid[:], rand.Uint64())
 		if sid.IsValid() {
 			break
 		}
@@ -53,18 +46,17 @@ func (gen *randomIDGenerator) NewSpanID(ctx context.Context, traceID trace.Trace
 // NewIDs returns a non-zero trace ID and a non-zero span ID from a
 // randomly-chosen sequence.
 func (gen *randomIDGenerator) NewIDs(ctx context.Context) (trace.TraceID, trace.SpanID) {
-	gen.Lock()
-	defer gen.Unlock()
 	tid := trace.TraceID{}
 	sid := trace.SpanID{}
 	for {
-		_, _ = gen.randSource.Read(tid[:])
+		binary.NativeEndian.PutUint64(tid[:8], rand.Uint64())
+		binary.NativeEndian.PutUint64(tid[8:], rand.Uint64())
 		if tid.IsValid() {
 			break
 		}
 	}
 	for {
-		_, _ = gen.randSource.Read(sid[:])
+		binary.NativeEndian.PutUint64(sid[:], rand.Uint64())
 		if sid.IsValid() {
 			break
 		}
@@ -73,9 +65,5 @@ func (gen *randomIDGenerator) NewIDs(ctx context.Context) (trace.TraceID, trace.
 }
 
 func defaultIDGenerator() IDGenerator {
-	gen := &randomIDGenerator{}
-	var rngSeed int64
-	_ = binary.Read(crand.Reader, binary.LittleEndian, &rngSeed)
-	gen.randSource = rand.New(rand.NewSource(rngSeed))
-	return gen
+	return &randomIDGenerator{}
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go b/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
index 185aa7c08f7c3..0e2a2e7c60d97 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/provider.go
@@ -169,7 +169,17 @@ func (p *TracerProvider) Tracer(name string, opts ...trace.TracerOption) trace.T
 		//   slowing down all tracing consumers.
 		// - Logging code may be instrumented with tracing and deadlock because it could try
 		//   acquiring the same non-reentrant mutex.
-		global.Info("Tracer created", "name", name, "version", is.Version, "schemaURL", is.SchemaURL, "attributes", is.Attributes)
+		global.Info(
+			"Tracer created",
+			"name",
+			name,
+			"version",
+			is.Version,
+			"schemaURL",
+			is.SchemaURL,
+			"attributes",
+			is.Attributes,
+		)
 	}
 	return t
 }
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go b/vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go
index ebb6df6c9085d..aa7b262d0d97a 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go
@@ -47,12 +47,12 @@ const (
 	// Drop will not record the span and all attributes/events will be dropped.
 	Drop SamplingDecision = iota
 
-	// Record indicates the span's `IsRecording() == true`, but `Sampled` flag
-	// *must not* be set.
+	// RecordOnly indicates the span's IsRecording method returns true, but trace.FlagsSampled flag
+	// must not be set.
 	RecordOnly
 
-	// RecordAndSample has span's `IsRecording() == true` and `Sampled` flag
-	// *must* be set.
+	// RecordAndSample indicates the span's IsRecording method returns true and trace.FlagsSampled flag
+	// must be set.
 	RecordAndSample
 )
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go b/vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go
index 554111bb4a21a..664e13e03f04b 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/simple_span_processor.go
@@ -58,7 +58,7 @@ func (ssp *simpleSpanProcessor) Shutdown(ctx context.Context) error {
 	var err error
 	ssp.stopOnce.Do(func() {
 		stopFunc := func(exp SpanExporter) (<-chan error, func()) {
-			done := make(chan error)
+			done := make(chan error, 1)
 			return done, func() { done <- exp.Shutdown(ctx) }
 		}
 
diff --git a/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go b/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
index 43419d3b5419f..0b65ae9ab703e 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/trace/tracer.go
@@ -26,7 +26,11 @@ var _ trace.Tracer = &tracer{}
 // The Span is created with the provided name and as a child of any existing
 // span context found in the passed context. The created Span will be
 // configured appropriately by any SpanOption passed.
-func (tr *tracer) Start(ctx context.Context, name string, options ...trace.SpanStartOption) (context.Context, trace.Span) {
+func (tr *tracer) Start(
+	ctx context.Context,
+	name string,
+	options ...trace.SpanStartOption,
+) (context.Context, trace.Span) {
 	config := trace.NewSpanStartConfig(options...)
 
 	if ctx == nil {
@@ -112,7 +116,12 @@ func (tr *tracer) newSpan(ctx context.Context, name string, config *trace.SpanCo
 }
 
 // newRecordingSpan returns a new configured recordingSpan.
-func (tr *tracer) newRecordingSpan(psc, sc trace.SpanContext, name string, sr SamplingResult, config *trace.SpanConfig) *recordingSpan {
+func (tr *tracer) newRecordingSpan(
+	psc, sc trace.SpanContext,
+	name string,
+	sr SamplingResult,
+	config *trace.SpanConfig,
+) *recordingSpan {
 	startTime := config.Timestamp()
 	if startTime.IsZero() {
 		startTime = time.Now()
diff --git a/vendor/go.opentelemetry.io/otel/sdk/version.go b/vendor/go.opentelemetry.io/otel/sdk/version.go
index 6b403851073de..1af257449ac4e 100644
--- a/vendor/go.opentelemetry.io/otel/sdk/version.go
+++ b/vendor/go.opentelemetry.io/otel/sdk/version.go
@@ -1,9 +1,10 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package sdk provides the OpenTelemetry default SDK for Go.
 package sdk // import "go.opentelemetry.io/otel/sdk"
 
 // Version is the current release version of the OpenTelemetry SDK in use.
 func Version() string {
-	return "1.34.0"
+	return "1.36.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/semconv/internal/http.go b/vendor/go.opentelemetry.io/otel/semconv/internal/http.go
index d5197e16ceddd..e9eb577345b04 100644
--- a/vendor/go.opentelemetry.io/otel/semconv/internal/http.go
+++ b/vendor/go.opentelemetry.io/otel/semconv/internal/http.go
@@ -1,6 +1,7 @@
 // Copyright The OpenTelemetry Authors
 // SPDX-License-Identifier: Apache-2.0
 
+// Package internal provides common semconv functionality.
 package internal // import "go.opentelemetry.io/otel/semconv/internal"
 
 import (
@@ -49,7 +50,10 @@ type SemanticConventions struct {
 // namespace as specified by the OpenTelemetry specification for a
 // span.  The network parameter is a string that net.Dial function
 // from standard library can understand.
-func (sc *SemanticConventions) NetAttributesFromHTTPRequest(network string, request *http.Request) []attribute.KeyValue {
+func (sc *SemanticConventions) NetAttributesFromHTTPRequest(
+	network string,
+	request *http.Request,
+) []attribute.KeyValue {
 	attrs := []attribute.KeyValue{}
 
 	switch network {
@@ -178,9 +182,10 @@ func (sc *SemanticConventions) httpBasicAttributesFromHTTPRequest(request *http.
 	}
 
 	flavor := ""
-	if request.ProtoMajor == 1 {
+	switch request.ProtoMajor {
+	case 1:
 		flavor = fmt.Sprintf("1.%d", request.ProtoMinor)
-	} else if request.ProtoMajor == 2 {
+	case 2:
 		flavor = "2"
 	}
 	if flavor != "" {
@@ -198,7 +203,10 @@ func (sc *SemanticConventions) httpBasicAttributesFromHTTPRequest(request *http.
 
 // HTTPServerMetricAttributesFromHTTPRequest generates low-cardinality attributes
 // to be used with server-side HTTP metrics.
-func (sc *SemanticConventions) HTTPServerMetricAttributesFromHTTPRequest(serverName string, request *http.Request) []attribute.KeyValue {
+func (sc *SemanticConventions) HTTPServerMetricAttributesFromHTTPRequest(
+	serverName string,
+	request *http.Request,
+) []attribute.KeyValue {
 	attrs := []attribute.KeyValue{}
 	if serverName != "" {
 		attrs = append(attrs, sc.HTTPServerNameKey.String(serverName))
@@ -210,7 +218,10 @@ func (sc *SemanticConventions) HTTPServerMetricAttributesFromHTTPRequest(serverN
 // http namespace as specified by the OpenTelemetry specification for
 // a span on the server side. Currently, only basic authentication is
 // supported.
-func (sc *SemanticConventions) HTTPServerAttributesFromHTTPRequest(serverName, route string, request *http.Request) []attribute.KeyValue {
+func (sc *SemanticConventions) HTTPServerAttributesFromHTTPRequest(
+	serverName, route string,
+	request *http.Request,
+) []attribute.KeyValue {
 	attrs := []attribute.KeyValue{
 		sc.HTTPTargetKey.String(request.RequestURI),
 	}
diff --git a/vendor/go.opentelemetry.io/otel/trace/auto.go b/vendor/go.opentelemetry.io/otel/trace/auto.go
index 7e2910025a96d..d90af8f673c55 100644
--- a/vendor/go.opentelemetry.io/otel/trace/auto.go
+++ b/vendor/go.opentelemetry.io/otel/trace/auto.go
@@ -57,14 +57,15 @@ type autoTracer struct {
 var _ Tracer = autoTracer{}
 
 func (t autoTracer) Start(ctx context.Context, name string, opts ...SpanStartOption) (context.Context, Span) {
-	var psc SpanContext
+	var psc, sc SpanContext
 	sampled := true
 	span := new(autoSpan)
 
 	// Ask eBPF for sampling decision and span context info.
-	t.start(ctx, span, &psc, &sampled, &span.spanContext)
+	t.start(ctx, span, &psc, &sampled, &sc)
 
 	span.sampled.Store(sampled)
+	span.spanContext = sc
 
 	ctx = ContextWithSpan(ctx, span)
 
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
index 3c5e1cdb1b344..e7ca62c660c98 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go
@@ -251,13 +251,20 @@ func (s *Span) UnmarshalJSON(data []byte) error {
 type SpanFlags int32
 
 const (
+	// SpanFlagsTraceFlagsMask is a mask for trace-flags.
+	//
 	// Bits 0-7 are used for trace flags.
 	SpanFlagsTraceFlagsMask SpanFlags = 255
-	// Bits 8 and 9 are used to indicate that the parent span or link span is remote.
-	// Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
-	// Bit 9 (`IS_REMOTE`) indicates whether the span or link is remote.
+	// SpanFlagsContextHasIsRemoteMask is a mask for HAS_IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 8 (`HAS_IS_REMOTE`) indicates whether the value is known.
 	SpanFlagsContextHasIsRemoteMask SpanFlags = 256
-	// SpanFlagsContextHasIsRemoteMask indicates the Span is remote.
+	// SpanFlagsContextIsRemoteMask is a mask for IS_REMOTE status.
+	//
+	// Bits 8 and 9 are used to indicate that the parent span or link span is
+	// remote. Bit 9 (`IS_REMOTE`) indicates whether the span or link is
+	// remote.
 	SpanFlagsContextIsRemoteMask SpanFlags = 512
 )
 
@@ -266,27 +273,31 @@ const (
 type SpanKind int32
 
 const (
-	// Indicates that the span represents an internal operation within an application,
-	// as opposed to an operation happening at the boundaries. Default value.
+	// SpanKindInternal indicates that the span represents an internal
+	// operation within an application, as opposed to an operation happening at
+	// the boundaries.
 	SpanKindInternal SpanKind = 1
-	// Indicates that the span covers server-side handling of an RPC or other
-	// remote network request.
+	// SpanKindServer indicates that the span covers server-side handling of an
+	// RPC or other remote network request.
 	SpanKindServer SpanKind = 2
-	// Indicates that the span describes a request to some remote service.
+	// SpanKindClient indicates that the span describes a request to some
+	// remote service.
 	SpanKindClient SpanKind = 3
-	// Indicates that the span describes a producer sending a message to a broker.
-	// Unlike CLIENT and SERVER, there is often no direct critical path latency relationship
-	// between producer and consumer spans. A PRODUCER span ends when the message was accepted
-	// by the broker while the logical processing of the message might span a much longer time.
+	// SpanKindProducer indicates that the span describes a producer sending a
+	// message to a broker. Unlike SpanKindClient and SpanKindServer, there is
+	// often no direct critical path latency relationship between producer and
+	// consumer spans. A SpanKindProducer span ends when the message was
+	// accepted by the broker while the logical processing of the message might
+	// span a much longer time.
 	SpanKindProducer SpanKind = 4
-	// Indicates that the span describes consumer receiving a message from a broker.
-	// Like the PRODUCER kind, there is often no direct critical path latency relationship
-	// between producer and consumer spans.
+	// SpanKindConsumer indicates that the span describes a consumer receiving
+	// a message from a broker. Like SpanKindProducer, there is often no direct
+	// critical path latency relationship between producer and consumer spans.
 	SpanKindConsumer SpanKind = 5
 )
 
-// Event is a time-stamped annotation of the span, consisting of user-supplied
-// text description and key-value pairs.
+// SpanEvent is a time-stamped annotation of the span, consisting of
+// user-supplied text description and key-value pairs.
 type SpanEvent struct {
 	// time_unix_nano is the time the event occurred.
 	Time time.Time `json:"timeUnixNano,omitempty"`
@@ -369,10 +380,11 @@ func (se *SpanEvent) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A pointer from the current span to another span in the same trace or in a
-// different trace. For example, this can be used in batching operations,
-// where a single batch handler processes multiple requests from different
-// traces or when the handler receives a request from a different project.
+// SpanLink is a reference from the current span to another span in the same
+// trace or in a different trace. For example, this can be used in batching
+// operations, where a single batch handler processes multiple requests from
+// different traces or when the handler receives a request from a different
+// project.
 type SpanLink struct {
 	// A unique identifier of a trace that this linked span is part of. The ID is a
 	// 16-byte array.
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
index 1d013a8fa8028..1039bf40cdae1 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go
@@ -3,17 +3,19 @@
 
 package telemetry // import "go.opentelemetry.io/otel/trace/internal/telemetry"
 
+// StatusCode is the status of a Span.
+//
 // For the semantics of status codes see
 // https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/api.md#set-status
 type StatusCode int32
 
 const (
-	// The default status.
+	// StatusCodeUnset is the default status.
 	StatusCodeUnset StatusCode = 0
-	// The Span has been validated by an Application developer or Operator to
-	// have completed successfully.
+	// StatusCodeOK is used when the Span has been validated by an Application
+	// developer or Operator to have completed successfully.
 	StatusCodeOK StatusCode = 1
-	// The Span contains an error.
+	// StatusCodeError is used when the Span contains an error.
 	StatusCodeError StatusCode = 2
 )
 
@@ -30,7 +32,7 @@ func (s StatusCode) String() string {
 	return "<unknown telemetry.StatusCode>"
 }
 
-// The Status type defines a logical error model that is suitable for different
+// Status defines a logical error model that is suitable for different
 // programming environments, including REST APIs and RPC APIs.
 type Status struct {
 	// A developer-facing human readable error message.
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
index b039407081420..e5f10767ca33c 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go
@@ -71,7 +71,7 @@ func (td *Traces) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of ScopeSpans from a Resource.
+// ResourceSpans is a collection of ScopeSpans from a Resource.
 type ResourceSpans struct {
 	// The resource for the spans in this message.
 	// If this field is not set then no resource info is known.
@@ -128,7 +128,7 @@ func (rs *ResourceSpans) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// A collection of Spans produced by an InstrumentationScope.
+// ScopeSpans is a collection of Spans produced by an InstrumentationScope.
 type ScopeSpans struct {
 	// The instrumentation scope information for the spans in this message.
 	// Semantically when InstrumentationScope isn't set, it is equivalent with
diff --git a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
index 7251492da06fd..ae9ce102a9a8d 100644
--- a/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
+++ b/vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go
@@ -316,7 +316,7 @@ func (v Value) String() string {
 	case ValueKindBool:
 		return strconv.FormatBool(v.asBool())
 	case ValueKindBytes:
-		return fmt.Sprint(v.asBytes())
+		return string(v.asBytes())
 	case ValueKindMap:
 		return fmt.Sprint(v.asMap())
 	case ValueKindSlice:
diff --git a/vendor/go.opentelemetry.io/otel/trace/noop.go b/vendor/go.opentelemetry.io/otel/trace/noop.go
index c8b1ae5d67ecf..0f56e4dbb34bc 100644
--- a/vendor/go.opentelemetry.io/otel/trace/noop.go
+++ b/vendor/go.opentelemetry.io/otel/trace/noop.go
@@ -95,6 +95,8 @@ var autoInstEnabled = new(bool)
 // tracerProvider return a noopTracerProvider if autoEnabled is false,
 // otherwise it will return a TracerProvider from the sdk package used in
 // auto-instrumentation.
+//
+//go:noinline
 func (noopSpan) tracerProvider(autoEnabled *bool) TracerProvider {
 	if *autoEnabled {
 		return newAutoTracerProvider()
diff --git a/vendor/go.opentelemetry.io/otel/verify_readmes.sh b/vendor/go.opentelemetry.io/otel/verify_readmes.sh
deleted file mode 100644
index 1e87855eeaa85..0000000000000
--- a/vendor/go.opentelemetry.io/otel/verify_readmes.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# Copyright The OpenTelemetry Authors
-# SPDX-License-Identifier: Apache-2.0
-
-set -euo pipefail
-
-dirs=$(find . -type d -not -path "*/internal*" -not -path "*/test*" -not -path "*/example*" -not -path "*/.*" | sort)
-
-missingReadme=false
-for dir in $dirs; do
-	if [ ! -f "$dir/README.md" ]; then
-		echo "couldn't find README.md for $dir"
-		missingReadme=true
-	fi
-done
-
-if [ "$missingReadme" = true ] ; then
-	echo "Error: some READMEs couldn't be found."
-	exit 1
-fi
diff --git a/vendor/go.opentelemetry.io/otel/version.go b/vendor/go.opentelemetry.io/otel/version.go
index d5fa71f6745b0..ac3c0b15da254 100644
--- a/vendor/go.opentelemetry.io/otel/version.go
+++ b/vendor/go.opentelemetry.io/otel/version.go
@@ -5,5 +5,5 @@ package otel // import "go.opentelemetry.io/otel"
 
 // Version is the current release version of OpenTelemetry in use.
 func Version() string {
-	return "1.35.0"
+	return "1.36.0"
 }
diff --git a/vendor/go.opentelemetry.io/otel/versions.yaml b/vendor/go.opentelemetry.io/otel/versions.yaml
index 2b4cb4b41875c..79f82f3d058f1 100644
--- a/vendor/go.opentelemetry.io/otel/versions.yaml
+++ b/vendor/go.opentelemetry.io/otel/versions.yaml
@@ -3,7 +3,7 @@
 
 module-sets:
   stable-v1:
-    version: v1.35.0
+    version: v1.36.0
     modules:
       - go.opentelemetry.io/otel
       - go.opentelemetry.io/otel/bridge/opencensus
@@ -23,11 +23,11 @@ module-sets:
       - go.opentelemetry.io/otel/sdk/metric
       - go.opentelemetry.io/otel/trace
   experimental-metrics:
-    version: v0.57.0
+    version: v0.58.0
     modules:
       - go.opentelemetry.io/otel/exporters/prometheus
   experimental-logs:
-    version: v0.11.0
+    version: v0.12.0
     modules:
       - go.opentelemetry.io/otel/log
       - go.opentelemetry.io/otel/sdk/log
@@ -40,4 +40,6 @@ module-sets:
       - go.opentelemetry.io/otel/schema
 excluded-modules:
   - go.opentelemetry.io/otel/internal/tools
+  - go.opentelemetry.io/otel/log/logtest
+  - go.opentelemetry.io/otel/sdk/log/logtest
   - go.opentelemetry.io/otel/trace/internal/telemetry/test
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
index 7dd2638e88ada..769af387e2e5f 100644
--- a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
+++ b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
@@ -29,7 +29,7 @@ loop:
 	MOVD	$NUM_ROUNDS, R21
 	VLD1	(R11), [V30.S4, V31.S4]
 
-	// load contants
+	// load constants
 	// VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4]
 	WORD	$0x4D60E940
 
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
index 8ff087df4cc83..048faef3a5dcc 100644
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519.go
@@ -3,11 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package curve25519 provides an implementation of the X25519 function, which
-// performs scalar multiplication on the elliptic curve known as Curve25519.
-// See RFC 7748.
+// performs scalar multiplication on the elliptic curve known as Curve25519
+// according to [RFC 7748].
 //
-// This package is a wrapper for the X25519 implementation
-// in the crypto/ecdh package.
+// The curve25519 package is a wrapper for the X25519 implementation in the
+// crypto/ecdh package. It is [frozen] and is not accepting new features.
+//
+// [RFC 7748]: https://datatracker.ietf.org/doc/html/rfc7748
+// [frozen]: https://go.dev/wiki/Frozen
 package curve25519
 
 import "crypto/ecdh"
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
index 59b3a95a7d20f..df453dcce0878 100644
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ b/vendor/golang.org/x/crypto/ed25519/ed25519.go
@@ -2,16 +2,19 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
+// Package ed25519 implements the Ed25519 signature algorithm.
 //
 // These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
+// [RFC 8032]. However, unlike RFC 8032's formulation, this package's private key
 // representation includes a public key suffix to make multiple signing
 // operations with the same key more efficient. This package refers to the RFC
 // 8032 private key as the “seed”.
 //
-// This package is a wrapper around the standard library crypto/ed25519 package.
+// The ed25519 package is a wrapper for the Ed25519 implementation in the
+// crypto/ed25519 package. It is [frozen] and is not accepting new features.
+//
+// [RFC 8032]: https://datatracker.ietf.org/doc/html/rfc8032
+// [frozen]: https://go.dev/wiki/Frozen
 package ed25519
 
 import (
diff --git a/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go b/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
index 3685b34458730..75df77406d61f 100644
--- a/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
+++ b/vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
@@ -3,6 +3,10 @@
 // license that can be found in the LICENSE file.
 
 // Package salsa provides low-level access to functions in the Salsa family.
+//
+// Deprecated: this package exposes unsafe low-level operations. New applications
+// should consider using the AEAD construction in golang.org/x/crypto/chacha20poly1305
+// instead. Existing users should migrate to golang.org/x/crypto/salsa20.
 package salsa
 
 import "math/bits"
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
index 6a5b582aa91e1..7554ed57a9918 100644
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@@ -8,6 +8,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
+	"crypto/fips140"
 	"crypto/rc4"
 	"crypto/subtle"
 	"encoding/binary"
@@ -15,6 +16,7 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"slices"
 
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/internal/poly1305"
@@ -93,41 +95,41 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 }
 
 // cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
-	// are defined in the order specified in the RFC.
-	CipherAES128CTR: {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES192CTR: {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES256CTR: {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-
-	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
-	// They are defined in the order specified in the RFC.
-	InsecureCipherRC4128: {16, 0, streamCipherMode(1536, newRC4)},
-	InsecureCipherRC4256: {32, 0, streamCipherMode(1536, newRC4)},
-
-	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
-	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
-	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC 4345 introduces improved versions of Arcfour.
-	InsecureCipherRC4: {16, 0, streamCipherMode(0, newRC4)},
-
-	// AEAD ciphers
-	CipherAES128GCM:        {16, 12, newGCMCipher},
-	CipherAES256GCM:        {32, 12, newGCMCipher},
-	CipherChaCha20Poly1305: {64, 0, newChaCha20Cipher},
-
+// are not supported and will not be negotiated, even if explicitly configured.
+// When FIPS mode is enabled, only FIPS-approved algorithms are included.
+var cipherModes = map[string]*cipherMode{}
+
+func init() {
+	cipherModes[CipherAES128CTR] = &cipherMode{16, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES192CTR] = &cipherMode{24, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES256CTR] = &cipherMode{32, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	//  Use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode,
+	// we'll wire it up to NewGCMForSSH in Go 1.26.
+	//
+	// For now it means we'll work with fips140=on but not fips140=only.
+	cipherModes[CipherAES128GCM] = &cipherMode{16, 12, newGCMCipher}
+	cipherModes[CipherAES256GCM] = &cipherMode{32, 12, newGCMCipher}
+
+	if fips140.Enabled() {
+		defaultCiphers = slices.DeleteFunc(defaultCiphers, func(algo string) bool {
+			_, ok := cipherModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	cipherModes[CipherChaCha20Poly1305] = &cipherMode{64, 0, newChaCha20Cipher}
+	// Insecure ciphers not included in the default configuration.
+	cipherModes[InsecureCipherRC4128] = &cipherMode{16, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4256] = &cipherMode{32, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4] = &cipherMode{16, 0, streamCipherMode(0, newRC4)}
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	InsecureCipherAES128CBC: {16, aes.BlockSize, newAESCBCCipher},
-
-	// 3des-cbc is insecure and is not included in the default
-	// config.
-	InsecureCipherTripleDESCBC: {24, des.BlockSize, newTripleDESCBCCipher},
+	cipherModes[InsecureCipherAES128CBC] = &cipherMode{16, aes.BlockSize, newAESCBCCipher}
+	cipherModes[InsecureCipherTripleDESCBC] = &cipherMode{24, des.BlockSize, newTripleDESCBCCipher}
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
index c12818fdc5c7e..3127e4990363c 100644
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 )
 
@@ -83,7 +84,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 			// success
 			return nil
 		} else if ok == authFailure {
-			if m := auth.method(); !contains(tried, m) {
+			if m := auth.method(); !slices.Contains(tried, m) {
 				tried = append(tried, m)
 			}
 		}
@@ -97,7 +98,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	findNext:
 		for _, a := range config.Auth {
 			candidateMethod := a.method()
-			if contains(tried, candidateMethod) {
+			if slices.Contains(tried, candidateMethod) {
 				continue
 			}
 			for _, meth := range methods {
@@ -117,15 +118,6 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
 }
 
-func contains(list []string, e string) bool {
-	for _, s := range list {
-		if s == e {
-			return true
-		}
-	}
-	return false
-}
-
 // An AuthMethod represents an instance of an RFC 4252 authentication method.
 type AuthMethod interface {
 	// auth authenticates user over transport t.
@@ -255,7 +247,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 		// Fallback to use if there is no "server-sig-algs" extension or a
 		// common algorithm cannot be found. We use the public key format if the
 		// MultiAlgorithmSigner supports it, otherwise we return an error.
-		if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
+		if !slices.Contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
 			return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
 				underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
 		}
@@ -284,7 +276,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 	// Filter algorithms based on those supported by MultiAlgorithmSigner.
 	var keyAlgos []string
 	for _, algo := range algorithmsForKeyFormat(keyFormat) {
-		if contains(as.Algorithms(), underlyingAlgo(algo)) {
+		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
 			keyAlgos = append(keyAlgos, algo)
 		}
 	}
@@ -334,7 +326,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// the key try to use the obtained algorithm as if "server-sig-algs" had
 		// not been implemented if supported from the algorithm signer.
 		if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
-			if contains(as.Algorithms(), KeyAlgoRSA) {
+			if slices.Contains(as.Algorithms(), KeyAlgoRSA) {
 				// We retry using the compat algorithm after all signers have
 				// been tried normally.
 				signers = append(signers, &multiAlgorithmSigner{
@@ -385,7 +377,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// contain the "publickey" method, do not attempt to authenticate with any
 		// other keys.  According to RFC 4252 Section 7, the latter can occur when
 		// additional authentication methods are required.
-		if success == authSuccess || !contains(methods, cb.method()) {
+		if success == authSuccess || !slices.Contains(methods, cb.method()) {
 			return success, methods, err
 		}
 	}
@@ -434,7 +426,7 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 			// servers send the key type instead. OpenSSH allows any algorithm
 			// that matches the public key, so we do the same.
 			// https://github.com/openssh/openssh-portable/blob/86bdd385/sshconnect2.c#L709
-			if !contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
+			if !slices.Contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
 				return false, nil
 			}
 			if !bytes.Equal(msg.PubKey, pubKey) {
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
index 8bfad16c413ba..2e44e9c9ec620 100644
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ b/vendor/golang.org/x/crypto/ssh/common.go
@@ -6,6 +6,7 @@ package ssh
 
 import (
 	"crypto"
+	"crypto/fips140"
 	"crypto/rand"
 	"fmt"
 	"io"
@@ -256,6 +257,40 @@ type Algorithms struct {
 	PublicKeyAuths []string
 }
 
+func init() {
+	if fips140.Enabled() {
+		defaultHostKeyAlgos = slices.DeleteFunc(defaultHostKeyAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+		defaultPubKeyAuthAlgos = slices.DeleteFunc(defaultPubKeyAuthAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+	}
+}
+
+func hashFunc(format string) (crypto.Hash, error) {
+	switch format {
+	case KeyAlgoRSASHA256, KeyAlgoECDSA256, KeyAlgoSKED25519, KeyAlgoSKECDSA256:
+		return crypto.SHA256, nil
+	case KeyAlgoECDSA384:
+		return crypto.SHA384, nil
+	case KeyAlgoRSASHA512, KeyAlgoECDSA521:
+		return crypto.SHA512, nil
+	case KeyAlgoED25519:
+		// KeyAlgoED25519 doesn't pre-hash.
+		return 0, nil
+	case KeyAlgoRSA, InsecureKeyAlgoDSA:
+		if fips140.Enabled() {
+			return 0, fmt.Errorf("ssh: hash algorithm for format %q not allowed in FIPS 140 mode", format)
+		}
+		return crypto.SHA1, nil
+	default:
+		return 0, fmt.Errorf("ssh: hash algorithm for format %q not mapped", format)
+	}
+}
+
 // SupportedAlgorithms returns algorithms currently implemented by this package,
 // excluding those with security issues, which are returned by
 // InsecureAlgorithms. The algorithms listed here are in preference order.
@@ -283,21 +318,6 @@ func InsecureAlgorithms() Algorithms {
 
 var supportedCompressions = []string{compressionNone}
 
-// hashFuncs keeps the mapping of supported signature algorithms to their
-// respective hashes needed for signing and verification.
-var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:         crypto.SHA1,
-	KeyAlgoRSASHA256:   crypto.SHA256,
-	KeyAlgoRSASHA512:   crypto.SHA512,
-	InsecureKeyAlgoDSA: crypto.SHA1,
-	KeyAlgoECDSA256:    crypto.SHA256,
-	KeyAlgoECDSA384:    crypto.SHA384,
-	KeyAlgoECDSA521:    crypto.SHA512,
-	// KeyAlgoED25519 doesn't pre-hash.
-	KeyAlgoSKECDSA256: crypto.SHA256,
-	KeyAlgoSKED25519:  crypto.SHA256,
-}
-
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
@@ -312,11 +332,40 @@ func algorithmsForKeyFormat(keyFormat string) []string {
 	}
 }
 
+// keyFormatForAlgorithm returns the key format corresponding to the given
+// signature algorithm. It returns an empty string if the signature algorithm is
+// invalid or unsupported.
+func keyFormatForAlgorithm(sigAlgo string) string {
+	switch sigAlgo {
+	case KeyAlgoRSA, KeyAlgoRSASHA256, KeyAlgoRSASHA512:
+		return KeyAlgoRSA
+	case CertAlgoRSAv01, CertAlgoRSASHA256v01, CertAlgoRSASHA512v01:
+		return CertAlgoRSAv01
+	case KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		InsecureKeyAlgoDSA,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoSKECDSA256v01,
+		CertAlgoED25519v01,
+		CertAlgoSKED25519v01:
+		return sigAlgo
+	default:
+		return ""
+	}
+}
+
 // isRSA returns whether algo is a supported RSA algorithm, including certificate
 // algorithms.
 func isRSA(algo string) bool {
 	algos := algorithmsForKeyFormat(KeyAlgoRSA)
-	return contains(algos, underlyingAlgo(algo))
+	return slices.Contains(algos, underlyingAlgo(algo))
 }
 
 func isRSACert(algo string) bool {
@@ -515,7 +564,7 @@ func (c *Config) SetDefaults() {
 		if kexAlgoMap[k] != nil {
 			// Ignore the KEX if we have no kexAlgoMap definition.
 			kexs = append(kexs, k)
-			if k == KeyExchangeCurve25519 && !contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
+			if k == KeyExchangeCurve25519 && !slices.Contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
 				kexs = append(kexs, keyExchangeCurve25519LibSSH)
 			}
 		}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
index 04ccce346176c..5b4de9effcb13 100644
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ b/vendor/golang.org/x/crypto/ssh/doc.go
@@ -17,8 +17,18 @@ References:
 	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
 	[SSH-CERTS]:	https://datatracker.ietf.org/doc/html/draft-miller-ssh-cert-01
+	[FIPS 140-3 mode]: https://go.dev/doc/security/fips140
 
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
+
+# FIPS 140-3 mode
+
+When the program is in [FIPS 140-3 mode], this package behaves as if only SP
+800-140C and SP 800-140D approved cipher suites, signature algorithms,
+certificate public key types and sizes, and key exchange and derivation
+algorithms were implemented. Others are silently ignored and not negotiated, or
+rejected. This set may depend on the algorithms supported by the FIPS 140-3 Go
+Cryptographic Module selected with GOFIPS140, and may change across Go versions.
 */
 package ssh
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index a90bfe331c8cd..4be3cbb6de310 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"log"
 	"net"
+	"slices"
 	"strings"
 	"sync"
 )
@@ -527,7 +528,7 @@ func (t *handshakeTransport) sendKexInit() error {
 			switch s := k.(type) {
 			case MultiAlgorithmSigner:
 				for _, algo := range algorithmsForKeyFormat(keyFormat) {
-					if contains(s.Algorithms(), underlyingAlgo(algo)) {
+					if slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 						msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
 					}
 				}
@@ -679,7 +680,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return err
 	}
 
-	if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
+	if t.sessionID == nil && ((isClient && slices.Contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && slices.Contains(clientInit.KexAlgos, kexStrictClient))) {
 		t.strictMode = true
 		if err := t.conn.setStrictMode(); err != nil {
 			return err
@@ -736,7 +737,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
 	// message with the server-sig-algs extension if the client supports it. See
 	// RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
-	if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
+	if !isClient && firstKeyExchange && slices.Contains(clientInit.KexAlgos, "ext-info-c") {
 		supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",")
 		extInfo := &extInfoMsg{
 			NumExtensions: 2,
@@ -790,7 +791,7 @@ func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, a
 func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 	for _, k := range hostKeys {
 		if s, ok := k.(MultiAlgorithmSigner); ok {
-			if !contains(s.Algorithms(), underlyingAlgo(algo)) {
+			if !slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 				continue
 			}
 		}
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
index 78aaf03103eac..5f7fdd85142f7 100644
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ b/vendor/golang.org/x/crypto/ssh/kex.go
@@ -8,12 +8,14 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/fips140"
 	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 
 	"golang.org/x/crypto/curve25519"
 )
@@ -395,9 +397,27 @@ func ecHash(curve elliptic.Curve) crypto.Hash {
 	return crypto.SHA512
 }
 
+// kexAlgoMap defines the supported KEXs. KEXs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
+	// mlkem768x25519-sha256 we'll work with fips140=on but not fips140=only
+	// until Go 1.26.
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
+	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
+	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
+	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
+
+	if fips140.Enabled() {
+		defaultKexAlgos = slices.DeleteFunc(defaultKexAlgos, func(algo string) bool {
+			_, ok := kexAlgoMap[algo]
+			return !ok
+		})
+		return
+	}
+
 	p, _ := new(big.Int).SetString(oakleyGroup2, 16)
 	kexAlgoMap[InsecureKeyExchangeDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
@@ -431,14 +451,10 @@ func init() {
 		hashFunc: crypto.SHA512,
 	}
 
-	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
 	kexAlgoMap[KeyExchangeCurve25519] = &curve25519sha256{}
 	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
 	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
 	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
-	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
index a28c0de503321..47a07539d90ce 100644
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 	"strings"
 
 	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
@@ -89,6 +90,11 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 		}
 		return cert, nil, nil
 	}
+	if keyFormat := keyFormatForAlgorithm(algo); keyFormat != "" {
+		return nil, nil, fmt.Errorf("ssh: signature algorithm %q isn't a key format; key is malformed and should be re-encoded with type %q",
+			algo, keyFormat)
+	}
+
 	return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
 }
 
@@ -191,9 +197,10 @@ func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey
 	return "", nil, nil, "", nil, io.EOF
 }
 
-// ParseAuthorizedKey parses a public key from an authorized_keys
-// file used in OpenSSH according to the sshd(8) manual page.
+// ParseAuthorizedKey parses a public key from an authorized_keys file used in
+// OpenSSH according to the sshd(8) manual page. Invalid lines are ignored.
 func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
+	var lastErr error
 	for len(in) > 0 {
 		end := bytes.IndexByte(in, '\n')
 		if end != -1 {
@@ -222,6 +229,8 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		// No key type recognised. Maybe there's an options field at
@@ -264,12 +273,18 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			options = candidateOptions
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		in = rest
 		continue
 	}
 
+	if lastErr != nil {
+		return nil, "", nil, nil, fmt.Errorf("ssh: no key found; last parsing error for ignored line: %w", lastErr)
+	}
+
 	return nil, "", nil, nil, errors.New("ssh: no key found")
 }
 
@@ -395,11 +410,11 @@ func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (Multi
 	}
 
 	for _, algo := range algorithms {
-		if !contains(supportedAlgos, algo) {
+		if !slices.Contains(supportedAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q",
 				algo, signer.PublicKey().Type())
 		}
-		if !contains(signerAlgos, algo) {
+		if !slices.Contains(signerAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo)
 		}
 	}
@@ -486,10 +501,13 @@ func (r *rsaPublicKey) Marshal() []byte {
 
 func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
 	supportedAlgos := algorithmsForKeyFormat(r.Type())
-	if !contains(supportedAlgos, sig.Format) {
+	if !slices.Contains(supportedAlgos, sig.Format) {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
-	hash := hashFuncs[sig.Format]
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
 	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
@@ -606,7 +624,11 @@ func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -651,7 +673,11 @@ func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 	}
 
-	h := hashFuncs[k.PublicKey().Type()].New()
+	hash, err := hashFunc(k.PublicKey().Type())
+	if err != nil {
+		return nil, err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
@@ -801,8 +827,11 @@ func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -905,8 +934,11 @@ func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1009,7 +1041,11 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
 	}
 
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1112,11 +1148,14 @@ func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		algorithm = s.pubKey.Type()
 	}
 
-	if !contains(s.Algorithms(), algorithm) {
+	if !slices.Contains(s.Algorithms(), algorithm) {
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 
-	hashFunc := hashFuncs[algorithm]
+	hashFunc, err := hashFunc(algorithm)
+	if err != nil {
+		return nil, err
+	}
 	var digest []byte
 	if hashFunc != 0 {
 		h := hashFunc.New()
@@ -1451,6 +1490,7 @@ type openSSHEncryptedPrivateKey struct {
 	NumKeys      uint32
 	PubKey       []byte
 	PrivKeyBlock []byte
+	Rest         []byte `ssh:"rest"`
 }
 
 type openSSHPrivateKey struct {
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
index de2639d57f877..87d626fbbf7cc 100644
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ b/vendor/golang.org/x/crypto/ssh/mac.go
@@ -7,11 +7,13 @@ package ssh
 // Message authentication support
 
 import (
+	"crypto/fips140"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
+	"slices"
 )
 
 type macMode struct {
@@ -46,23 +48,37 @@ func (t truncatingMAC) Size() int {
 
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
-var macModes = map[string]*macMode{
-	HMACSHA512ETM: {64, true, func(key []byte) hash.Hash {
+// macModes defines the supported MACs. MACs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
+var macModes = map[string]*macMode{}
+
+func init() {
+	macModes[HMACSHA512ETM] = &macMode{64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256ETM: {32, true, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256ETM] = &macMode{32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA512: {64, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA512] = &macMode{64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256: {32, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256] = &macMode{32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA1: {20, false, func(key []byte) hash.Hash {
+	}}
+
+	if fips140.Enabled() {
+		defaultMACs = slices.DeleteFunc(defaultMACs, func(algo string) bool {
+			_, ok := macModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	macModes[HMACSHA1] = &macMode{20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
-	}},
-	InsecureHMACSHA196: {20, false, func(key []byte) hash.Hash {
+	}}
+	macModes[InsecureHMACSHA196] = &macMode{20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
-	}},
+	}}
 }
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
index 251b9d06a3242..ab22c3d38db84 100644
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@@ -792,7 +792,7 @@ func marshalString(to []byte, s []byte) []byte {
 	return to[len(s):]
 }
 
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
+var bigIntType = reflect.TypeFor[*big.Int]()
 
 // Decode a packet into its corresponding message.
 func decode(packet []byte) (interface{}, error) {
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 98679ba5b6ed2..064dcbaf5aef4 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"slices"
 	"strings"
 )
 
@@ -43,6 +44,9 @@ type Permissions struct {
 	// pass data from the authentication callbacks to the server
 	// application layer.
 	Extensions map[string]string
+
+	// ExtraData allows to store user defined data.
+	ExtraData map[any]any
 }
 
 type GSSAPIWithMICConfig struct {
@@ -126,6 +130,21 @@ type ServerConfig struct {
 	// Permissions.Extensions entry.
 	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
 
+	// VerifiedPublicKeyCallback, if non-nil, is called after a client
+	// successfully confirms having control over a key that was previously
+	// approved by PublicKeyCallback. The permissions object passed to the
+	// callback is the one returned by PublicKeyCallback for the given public
+	// key and its ownership is transferred to the callback. The returned
+	// Permissions object can be the same object, optionally modified, or a
+	// completely new object. If VerifiedPublicKeyCallback is non-nil,
+	// PublicKeyCallback is not allowed to return a PartialSuccessError, which
+	// can instead be returned by VerifiedPublicKeyCallback.
+	//
+	// VerifiedPublicKeyCallback does not affect which authentication methods
+	// are included in the list of methods that can be attempted by the client.
+	VerifiedPublicKeyCallback func(conn ConnMetadata, key PublicKey, permissions *Permissions,
+		signatureAlgorithm string) (*Permissions, error)
+
 	// KeyboardInteractiveCallback, if non-nil, is called when
 	// keyboard-interactive authentication is selected (RFC
 	// 4256). The client object's Challenge function should be
@@ -246,7 +265,7 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 		fullConf.PublicKeyAuthAlgorithms = defaultPubKeyAuthAlgos
 	} else {
 		for _, algo := range fullConf.PublicKeyAuthAlgorithms {
-			if !contains(SupportedAlgorithms().PublicKeyAuths, algo) && !contains(InsecureAlgorithms().PublicKeyAuths, algo) {
+			if !slices.Contains(SupportedAlgorithms().PublicKeyAuths, algo) && !slices.Contains(InsecureAlgorithms().PublicKeyAuths, algo) {
 				c.Close()
 				return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
 			}
@@ -631,7 +650,7 @@ userAuthLoop:
 				return nil, parseError(msgUserAuthRequest)
 			}
 			algo := string(algoBytes)
-			if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
+			if !slices.Contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
 				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
 				break
 			}
@@ -652,6 +671,9 @@ userAuthLoop:
 				candidate.pubKeyData = pubKeyData
 				candidate.perms, candidate.result = authConfig.PublicKeyCallback(s, pubKey)
 				_, isPartialSuccessError := candidate.result.(*PartialSuccessError)
+				if isPartialSuccessError && config.VerifiedPublicKeyCallback != nil {
+					return nil, errors.New("ssh: invalid library usage: PublicKeyCallback must not return partial success when VerifiedPublicKeyCallback is defined")
+				}
 
 				if (candidate.result == nil || isPartialSuccessError) &&
 					candidate.perms != nil &&
@@ -695,7 +717,7 @@ userAuthLoop:
 				// ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
 				// key type. The algorithm and public key type must be
 				// consistent: both must be certificate algorithms, or neither.
-				if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
+				if !slices.Contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
 					authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
 						pubKey.Type(), algo)
 					break
@@ -705,7 +727,7 @@ userAuthLoop:
 				// algorithm name that corresponds to algo with
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
-				if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
+				if !slices.Contains(config.PublicKeyAuthAlgorithms, sig.Format) {
 					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}
@@ -722,6 +744,12 @@ userAuthLoop:
 
 				authErr = candidate.result
 				perms = candidate.perms
+				if authErr == nil && config.VerifiedPublicKeyCallback != nil {
+					// Only call VerifiedPublicKeyCallback after the key has been accepted
+					// and successfully verified. If authErr is non-nil, the key is not
+					// considered verified and the callback must not run.
+					perms, authErr = config.VerifiedPublicKeyCallback(s, pubKey, perms, algo)
+				}
 			}
 		case "gssapi-with-mic":
 			if authConfig.GSSAPIWithMICConfig == nil {
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e83048..a6249a1227b52 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 	if !ok {
 		return nil, errors.New("parse uint32 failed")
 	}
+	// Each ASN.1 encoded OID must have a minimum
+	// of 2 bytes; 64 maximum mechanisms is an
+	// arbitrary, but reasonable ceiling.
+	const maxMechs = 64
+	if n > maxMechs || int(n)*2 > len(rest) {
+		return nil, errors.New("invalid mechanism count")
+	}
 	s := &userAuthRequestGSSAPI{
 		N:    n,
 		OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
 			return nil, err
 		}
-
 	}
 	return s, nil
 }
diff --git a/vendor/golang.org/x/crypto/ssh/streamlocal.go b/vendor/golang.org/x/crypto/ssh/streamlocal.go
index b171b330bc380..152470fcb796f 100644
--- a/vendor/golang.org/x/crypto/ssh/streamlocal.go
+++ b/vendor/golang.org/x/crypto/ssh/streamlocal.go
@@ -44,7 +44,7 @@ func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
 	if !ok {
 		return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
 	}
-	ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
+	ch := c.forwards.add("unix", socketPath)
 
 	return &unixListener{socketPath, c, ch}, nil
 }
@@ -96,7 +96,7 @@ func (l *unixListener) Accept() (net.Conn, error) {
 // Close closes the listener.
 func (l *unixListener) Close() error {
 	// this also closes the listener.
-	l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
+	l.conn.forwards.remove("unix", l.socketPath)
 	m := streamLocalChannelForwardMsg{
 		l.socketPath,
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
index 93d844f035168..78c41fe5a1264 100644
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ b/vendor/golang.org/x/crypto/ssh/tcpip.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"math/rand"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,14 +23,21 @@ import (
 // the returned net.Listener. The listener must be serviced, or the
 // SSH connection may hang.
 // N must be "tcp", "tcp4", "tcp6", or "unix".
+//
+// If the address is a hostname, it is sent to the remote peer as-is, without
+// being resolved locally, and the Listener Addr method will return a zero IP.
 func (c *Client) Listen(n, addr string) (net.Listener, error) {
 	switch n {
 	case "tcp", "tcp4", "tcp6":
-		laddr, err := net.ResolveTCPAddr(n, addr)
+		host, portStr, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, err
+		}
+		port, err := strconv.ParseInt(portStr, 10, 32)
 		if err != nil {
 			return nil, err
 		}
-		return c.ListenTCP(laddr)
+		return c.listenTCPInternal(host, int(port))
 	case "unix":
 		return c.ListenUnix(addr)
 	default:
@@ -102,15 +110,24 @@ func (c *Client) handleForwards() {
 // ListenTCP requests the remote peer open a listening socket
 // on laddr. Incoming connections will be available by calling
 // Accept on the returned net.Listener.
+//
+// ListenTCP accepts an IP address, to provide a hostname use [Client.Listen]
+// with "tcp", "tcp4", or "tcp6" network instead.
 func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 	c.handleForwardsOnce.Do(c.handleForwards)
 	if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
 		return c.autoPortListenWorkaround(laddr)
 	}
 
+	return c.listenTCPInternal(laddr.IP.String(), laddr.Port)
+}
+
+func (c *Client) listenTCPInternal(host string, port int) (net.Listener, error) {
+	c.handleForwardsOnce.Do(c.handleForwards)
+
 	m := channelForwardMsg{
-		laddr.IP.String(),
-		uint32(laddr.Port),
+		host,
+		uint32(port),
 	}
 	// send message
 	ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
@@ -123,20 +140,33 @@ func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 
 	// If the original port was 0, then the remote side will
 	// supply a real port number in the response.
-	if laddr.Port == 0 {
+	if port == 0 {
 		var p struct {
 			Port uint32
 		}
 		if err := Unmarshal(resp, &p); err != nil {
 			return nil, err
 		}
-		laddr.Port = int(p.Port)
+		port = int(p.Port)
 	}
+	// Construct a local address placeholder for the remote listener. If the
+	// original host is an IP address, preserve it so that Listener.Addr()
+	// reports the same IP. If the host is a hostname or cannot be parsed as an
+	// IP, fall back to IPv4zero. The port field is always set, even if the
+	// original port was 0, because in that case the remote server will assign
+	// one, allowing callers to determine which port was selected.
+	ip := net.IPv4zero
+	if parsed, err := netip.ParseAddr(host); err == nil {
+		ip = net.IP(parsed.AsSlice())
+	}
+	laddr := &net.TCPAddr{
+		IP:   ip,
+		Port: port,
+	}
+	addr := net.JoinHostPort(host, strconv.FormatInt(int64(port), 10))
+	ch := c.forwards.add("tcp", addr)
 
-	// Register this forward, using the port number we obtained.
-	ch := c.forwards.add(laddr)
-
-	return &tcpListener{laddr, c, ch}, nil
+	return &tcpListener{laddr, addr, c, ch}, nil
 }
 
 // forwardList stores a mapping between remote
@@ -149,8 +179,9 @@ type forwardList struct {
 // forwardEntry represents an established mapping of a laddr on a
 // remote ssh server to a channel connected to a tcpListener.
 type forwardEntry struct {
-	laddr net.Addr
-	c     chan forward
+	addr    string // host:port or socket path
+	network string // tcp or unix
+	c       chan forward
 }
 
 // forward represents an incoming forwarded tcpip connection. The
@@ -161,12 +192,13 @@ type forward struct {
 	raddr net.Addr   // the raddr of the incoming connection
 }
 
-func (l *forwardList) add(addr net.Addr) chan forward {
+func (l *forwardList) add(n, addr string) chan forward {
 	l.Lock()
 	defer l.Unlock()
 	f := forwardEntry{
-		laddr: addr,
-		c:     make(chan forward, 1),
+		addr:    addr,
+		network: n,
+		c:       make(chan forward, 1),
 	}
 	l.entries = append(l.entries, f)
 	return f.c
@@ -185,19 +217,20 @@ func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
 	if port == 0 || port > 65535 {
 		return nil, fmt.Errorf("ssh: port number out of range: %d", port)
 	}
-	ip := net.ParseIP(string(addr))
-	if ip == nil {
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
 		return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
 	}
-	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
+	return &net.TCPAddr{IP: net.IP(ip.AsSlice()), Port: int(port)}, nil
 }
 
 func (l *forwardList) handleChannels(in <-chan NewChannel) {
 	for ch := range in {
 		var (
-			laddr net.Addr
-			raddr net.Addr
-			err   error
+			addr    string
+			network string
+			raddr   net.Addr
+			err     error
 		)
 		switch channelType := ch.ChannelType(); channelType {
 		case "forwarded-tcpip":
@@ -207,40 +240,34 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 				continue
 			}
 
-			// RFC 4254 section 7.2 specifies that incoming
-			// addresses should list the address, in string
-			// format. It is implied that this should be an IP
-			// address, as it would be impossible to connect to it
-			// otherwise.
-			laddr, err = parseTCPAddr(payload.Addr, payload.Port)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
+			// RFC 4254 section 7.2 specifies that incoming addresses should
+			// list the address that was connected, in string format. It is the
+			// same address used in the tcpip-forward request. The originator
+			// address is an IP address instead.
+			addr = net.JoinHostPort(payload.Addr, strconv.FormatUint(uint64(payload.Port), 10))
+
 			raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
 			if err != nil {
 				ch.Reject(ConnectionFailed, err.Error())
 				continue
 			}
-
+			network = "tcp"
 		case "forwarded-streamlocal@openssh.com":
 			var payload forwardedStreamLocalPayload
 			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
 				ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
 				continue
 			}
-			laddr = &net.UnixAddr{
-				Name: payload.SocketPath,
-				Net:  "unix",
-			}
+			addr = payload.SocketPath
 			raddr = &net.UnixAddr{
 				Name: "@",
 				Net:  "unix",
 			}
+			network = "unix"
 		default:
 			panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
 		}
-		if ok := l.forward(laddr, raddr, ch); !ok {
+		if ok := l.forward(network, addr, raddr, ch); !ok {
 			// Section 7.2, implementations MUST reject spurious incoming
 			// connections.
 			ch.Reject(Prohibited, "no forward for address")
@@ -252,11 +279,11 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 
 // remove removes the forward entry, and the channel feeding its
 // listener.
-func (l *forwardList) remove(addr net.Addr) {
+func (l *forwardList) remove(n, addr string) {
 	l.Lock()
 	defer l.Unlock()
 	for i, f := range l.entries {
-		if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			l.entries = append(l.entries[:i], l.entries[i+1:]...)
 			close(f.c)
 			return
@@ -274,11 +301,11 @@ func (l *forwardList) closeAll() {
 	l.entries = nil
 }
 
-func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
+func (l *forwardList) forward(n, addr string, raddr net.Addr, ch NewChannel) bool {
 	l.Lock()
 	defer l.Unlock()
 	for _, f := range l.entries {
-		if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			f.c <- forward{newCh: ch, raddr: raddr}
 			return true
 		}
@@ -288,6 +315,7 @@ func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
 
 type tcpListener struct {
 	laddr *net.TCPAddr
+	addr  string
 
 	conn *Client
 	in   <-chan forward
@@ -314,13 +342,21 @@ func (l *tcpListener) Accept() (net.Conn, error) {
 
 // Close closes the listener.
 func (l *tcpListener) Close() error {
+	host, port, err := net.SplitHostPort(l.addr)
+	if err != nil {
+		return err
+	}
+	rport, err := strconv.ParseUint(port, 10, 32)
+	if err != nil {
+		return err
+	}
 	m := channelForwardMsg{
-		l.laddr.IP.String(),
-		uint32(l.laddr.Port),
+		host,
+		uint32(rport),
 	}
 
 	// this also closes the listener.
-	l.conn.forwards.remove(l.laddr)
+	l.conn.forwards.remove("tcp", l.addr)
 	ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
 	if err == nil && !ok {
 		err = errors.New("ssh: cancel-tcpip-forward failed")
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
index 663619845c79d..fa3dd6a4299b6 100644
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ b/vendor/golang.org/x/crypto/ssh/transport.go
@@ -8,6 +8,7 @@ import (
 	"bufio"
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 )
@@ -254,6 +255,9 @@ var (
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs DirectionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
+	if cipherMode == nil {
+		return nil, fmt.Errorf("ssh: unsupported cipher %v", algs.Cipher)
+	}
 
 	iv := make([]byte, cipherMode.ivSize)
 	key := make([]byte, cipherMode.keySize)
diff --git a/vendor/golang.org/x/net/context/context.go b/vendor/golang.org/x/net/context/context.go
index db1c95fab1d59..24cea68820499 100644
--- a/vendor/golang.org/x/net/context/context.go
+++ b/vendor/golang.org/x/net/context/context.go
@@ -2,44 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package context defines the Context type, which carries deadlines,
-// cancellation signals, and other request-scoped values across API boundaries
-// and between processes.
-// As of Go 1.7 this package is available in the standard library under the
-// name [context], and migrating to it can be done automatically with [go fix].
-//
-// Incoming requests to a server should create a [Context], and outgoing
-// calls to servers should accept a Context. The chain of function
-// calls between them must propagate the Context, optionally replacing
-// it with a derived Context created using [WithCancel], [WithDeadline],
-// [WithTimeout], or [WithValue].
-//
-// Programs that use Contexts should follow these rules to keep interfaces
-// consistent across packages and enable static analysis tools to check context
-// propagation:
-//
-// Do not store Contexts inside a struct type; instead, pass a Context
-// explicitly to each function that needs it. This is discussed further in
-// https://go.dev/blog/context-and-structs. The Context should be the first
-// parameter, typically named ctx:
-//
-//	func DoSomething(ctx context.Context, arg Arg) error {
-//		// ... use ctx ...
-//	}
-//
-// Do not pass a nil [Context], even if a function permits it. Pass [context.TODO]
-// if you are unsure about which Context to use.
-//
-// Use context Values only for request-scoped data that transits processes and
-// APIs, not for passing optional parameters to functions.
+// Package context has been superseded by the standard library [context] package.
 //
-// The same Context may be passed to functions running in different goroutines;
-// Contexts are safe for simultaneous use by multiple goroutines.
-//
-// See https://go.dev/blog/context for example code for a server that uses
-// Contexts.
-//
-// [go fix]: https://go.dev/cmd/go#hdr-Update_packages_to_use_new_APIs
+// Deprecated: Use the standard library context package instead.
 package context
 
 import (
@@ -51,36 +16,37 @@ import (
 // API boundaries.
 //
 // Context's methods may be called by multiple goroutines simultaneously.
+//
+//go:fix inline
 type Context = context.Context
 
 // Canceled is the error returned by [Context.Err] when the context is canceled
 // for some reason other than its deadline passing.
+//
+//go:fix inline
 var Canceled = context.Canceled
 
 // DeadlineExceeded is the error returned by [Context.Err] when the context is canceled
 // due to its deadline passing.
+//
+//go:fix inline
 var DeadlineExceeded = context.DeadlineExceeded
 
 // Background returns a non-nil, empty Context. It is never canceled, has no
 // values, and has no deadline. It is typically used by the main function,
 // initialization, and tests, and as the top-level Context for incoming
 // requests.
-func Background() Context {
-	return background
-}
+//
+//go:fix inline
+func Background() Context { return context.Background() }
 
 // TODO returns a non-nil, empty Context. Code should use context.TODO when
 // it's unclear which Context to use or it is not yet available (because the
 // surrounding function has not yet been extended to accept a Context
 // parameter).
-func TODO() Context {
-	return todo
-}
-
-var (
-	background = context.Background()
-	todo       = context.TODO()
-)
+//
+//go:fix inline
+func TODO() Context { return context.TODO() }
 
 // A CancelFunc tells an operation to abandon its work.
 // A CancelFunc does not wait for the work to stop.
@@ -95,6 +61,8 @@ type CancelFunc = context.CancelFunc
 //
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this [Context] complete.
+//
+//go:fix inline
 func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
 	return context.WithCancel(parent)
 }
@@ -108,6 +76,8 @@ func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
 //
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this [Context] complete.
+//
+//go:fix inline
 func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) {
 	return context.WithDeadline(parent, d)
 }
@@ -122,6 +92,8 @@ func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) {
 //		defer cancel()  // releases resources if slowOperation completes before timeout elapses
 //		return slowOperation(ctx)
 //	}
+//
+//go:fix inline
 func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 	return context.WithTimeout(parent, timeout)
 }
@@ -139,6 +111,8 @@ func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 // interface{}, context keys often have concrete type
 // struct{}. Alternatively, exported context key variables' static
 // type should be a pointer or interface.
+//
+//go:fix inline
 func WithValue(parent Context, key, val interface{}) Context {
 	return context.WithValue(parent, key, val)
 }
diff --git a/vendor/golang.org/x/net/dns/dnsmessage/message.go b/vendor/golang.org/x/net/dns/dnsmessage/message.go
new file mode 100644
index 0000000000000..7a978b47f666c
--- /dev/null
+++ b/vendor/golang.org/x/net/dns/dnsmessage/message.go
@@ -0,0 +1,2741 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package dnsmessage provides a mostly RFC 1035 compliant implementation of
+// DNS message packing and unpacking.
+//
+// The package also supports messages with Extension Mechanisms for DNS
+// (EDNS(0)) as defined in RFC 6891.
+//
+// This implementation is designed to minimize heap allocations and avoid
+// unnecessary packing and unpacking as much as possible.
+package dnsmessage
+
+import (
+	"errors"
+)
+
+// Message formats
+//
+// To add a new Resource Record type:
+// 1. Create Resource Record types
+//   1.1. Add a Type constant named "Type<name>"
+//   1.2. Add the corresponding entry to the typeNames map
+//   1.3. Add a [ResourceBody] implementation named "<name>Resource"
+// 2. Implement packing
+//   2.1. Implement Builder.<name>Resource()
+// 3. Implement unpacking
+//   3.1. Add the unpacking code to unpackResourceBody()
+//   3.2. Implement Parser.<name>Resource()
+
+// A Type is the type of a DNS Resource Record, as defined in the [IANA registry].
+//
+// [IANA registry]: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
+type Type uint16
+
+const (
+	// ResourceHeader.Type and Question.Type
+	TypeA     Type = 1
+	TypeNS    Type = 2
+	TypeCNAME Type = 5
+	TypeSOA   Type = 6
+	TypePTR   Type = 12
+	TypeMX    Type = 15
+	TypeTXT   Type = 16
+	TypeAAAA  Type = 28
+	TypeSRV   Type = 33
+	TypeOPT   Type = 41
+	TypeSVCB  Type = 64
+	TypeHTTPS Type = 65
+
+	// Question.Type
+	TypeWKS   Type = 11
+	TypeHINFO Type = 13
+	TypeMINFO Type = 14
+	TypeAXFR  Type = 252
+	TypeALL   Type = 255
+)
+
+var typeNames = map[Type]string{
+	TypeA:     "TypeA",
+	TypeNS:    "TypeNS",
+	TypeCNAME: "TypeCNAME",
+	TypeSOA:   "TypeSOA",
+	TypePTR:   "TypePTR",
+	TypeMX:    "TypeMX",
+	TypeTXT:   "TypeTXT",
+	TypeAAAA:  "TypeAAAA",
+	TypeSRV:   "TypeSRV",
+	TypeOPT:   "TypeOPT",
+	TypeSVCB:  "TypeSVCB",
+	TypeHTTPS: "TypeHTTPS",
+	TypeWKS:   "TypeWKS",
+	TypeHINFO: "TypeHINFO",
+	TypeMINFO: "TypeMINFO",
+	TypeAXFR:  "TypeAXFR",
+	TypeALL:   "TypeALL",
+}
+
+// String implements fmt.Stringer.String.
+func (t Type) String() string {
+	if n, ok := typeNames[t]; ok {
+		return n
+	}
+	return printUint16(uint16(t))
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (t Type) GoString() string {
+	if n, ok := typeNames[t]; ok {
+		return "dnsmessage." + n
+	}
+	return printUint16(uint16(t))
+}
+
+// A Class is a type of network.
+type Class uint16
+
+const (
+	// ResourceHeader.Class and Question.Class
+	ClassINET   Class = 1
+	ClassCSNET  Class = 2
+	ClassCHAOS  Class = 3
+	ClassHESIOD Class = 4
+
+	// Question.Class
+	ClassANY Class = 255
+)
+
+var classNames = map[Class]string{
+	ClassINET:   "ClassINET",
+	ClassCSNET:  "ClassCSNET",
+	ClassCHAOS:  "ClassCHAOS",
+	ClassHESIOD: "ClassHESIOD",
+	ClassANY:    "ClassANY",
+}
+
+// String implements fmt.Stringer.String.
+func (c Class) String() string {
+	if n, ok := classNames[c]; ok {
+		return n
+	}
+	return printUint16(uint16(c))
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (c Class) GoString() string {
+	if n, ok := classNames[c]; ok {
+		return "dnsmessage." + n
+	}
+	return printUint16(uint16(c))
+}
+
+// An OpCode is a DNS operation code.
+type OpCode uint16
+
+// GoString implements fmt.GoStringer.GoString.
+func (o OpCode) GoString() string {
+	return printUint16(uint16(o))
+}
+
+// An RCode is a DNS response status code.
+type RCode uint16
+
+// Header.RCode values.
+const (
+	RCodeSuccess        RCode = 0 // NoError
+	RCodeFormatError    RCode = 1 // FormErr
+	RCodeServerFailure  RCode = 2 // ServFail
+	RCodeNameError      RCode = 3 // NXDomain
+	RCodeNotImplemented RCode = 4 // NotImp
+	RCodeRefused        RCode = 5 // Refused
+)
+
+var rCodeNames = map[RCode]string{
+	RCodeSuccess:        "RCodeSuccess",
+	RCodeFormatError:    "RCodeFormatError",
+	RCodeServerFailure:  "RCodeServerFailure",
+	RCodeNameError:      "RCodeNameError",
+	RCodeNotImplemented: "RCodeNotImplemented",
+	RCodeRefused:        "RCodeRefused",
+}
+
+// String implements fmt.Stringer.String.
+func (r RCode) String() string {
+	if n, ok := rCodeNames[r]; ok {
+		return n
+	}
+	return printUint16(uint16(r))
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r RCode) GoString() string {
+	if n, ok := rCodeNames[r]; ok {
+		return "dnsmessage." + n
+	}
+	return printUint16(uint16(r))
+}
+
+func printPaddedUint8(i uint8) string {
+	b := byte(i)
+	return string([]byte{
+		b/100 + '0',
+		b/10%10 + '0',
+		b%10 + '0',
+	})
+}
+
+func printUint8Bytes(buf []byte, i uint8) []byte {
+	b := byte(i)
+	if i >= 100 {
+		buf = append(buf, b/100+'0')
+	}
+	if i >= 10 {
+		buf = append(buf, b/10%10+'0')
+	}
+	return append(buf, b%10+'0')
+}
+
+func printByteSlice(b []byte) string {
+	if len(b) == 0 {
+		return ""
+	}
+	buf := make([]byte, 0, 5*len(b))
+	buf = printUint8Bytes(buf, uint8(b[0]))
+	for _, n := range b[1:] {
+		buf = append(buf, ',', ' ')
+		buf = printUint8Bytes(buf, uint8(n))
+	}
+	return string(buf)
+}
+
+const hexDigits = "0123456789abcdef"
+
+func printString(str []byte) string {
+	buf := make([]byte, 0, len(str))
+	for i := 0; i < len(str); i++ {
+		c := str[i]
+		if c == '.' || c == '-' || c == ' ' ||
+			'A' <= c && c <= 'Z' ||
+			'a' <= c && c <= 'z' ||
+			'0' <= c && c <= '9' {
+			buf = append(buf, c)
+			continue
+		}
+
+		upper := c >> 4
+		lower := (c << 4) >> 4
+		buf = append(
+			buf,
+			'\\',
+			'x',
+			hexDigits[upper],
+			hexDigits[lower],
+		)
+	}
+	return string(buf)
+}
+
+func printUint16(i uint16) string {
+	return printUint32(uint32(i))
+}
+
+func printUint32(i uint32) string {
+	// Max value is 4294967295.
+	buf := make([]byte, 10)
+	for b, d := buf, uint32(1000000000); d > 0; d /= 10 {
+		b[0] = byte(i/d%10 + '0')
+		if b[0] == '0' && len(b) == len(buf) && len(buf) > 1 {
+			buf = buf[1:]
+		}
+		b = b[1:]
+		i %= d
+	}
+	return string(buf)
+}
+
+func printBool(b bool) string {
+	if b {
+		return "true"
+	}
+	return "false"
+}
+
+var (
+	// ErrNotStarted indicates that the prerequisite information isn't
+	// available yet because the previous records haven't been appropriately
+	// parsed, skipped or finished.
+	ErrNotStarted = errors.New("parsing/packing of this type isn't available yet")
+
+	// ErrSectionDone indicated that all records in the section have been
+	// parsed or finished.
+	ErrSectionDone = errors.New("parsing/packing of this section has completed")
+
+	errBaseLen            = errors.New("insufficient data for base length type")
+	errCalcLen            = errors.New("insufficient data for calculated length type")
+	errReserved           = errors.New("segment prefix is reserved")
+	errTooManyPtr         = errors.New("too many pointers (>10)")
+	errInvalidPtr         = errors.New("invalid pointer")
+	errInvalidName        = errors.New("invalid dns name")
+	errNilResouceBody     = errors.New("nil resource body")
+	errResourceLen        = errors.New("insufficient data for resource body length")
+	errSegTooLong         = errors.New("segment length too long")
+	errNameTooLong        = errors.New("name too long")
+	errZeroSegLen         = errors.New("zero length segment")
+	errResTooLong         = errors.New("resource length too long")
+	errTooManyQuestions   = errors.New("too many Questions to pack (>65535)")
+	errTooManyAnswers     = errors.New("too many Answers to pack (>65535)")
+	errTooManyAuthorities = errors.New("too many Authorities to pack (>65535)")
+	errTooManyAdditionals = errors.New("too many Additionals to pack (>65535)")
+	errNonCanonicalName   = errors.New("name is not in canonical format (it must end with a .)")
+	errStringTooLong      = errors.New("character string exceeds maximum length (255)")
+	errParamOutOfOrder    = errors.New("parameter out of order")
+	errTooLongSVCBValue   = errors.New("value too long (>65535 bytes)")
+)
+
+// Internal constants.
+const (
+	// packStartingCap is the default initial buffer size allocated during
+	// packing.
+	//
+	// The starting capacity doesn't matter too much, but most DNS responses
+	// Will be <= 512 bytes as it is the limit for DNS over UDP.
+	packStartingCap = 512
+
+	// uint16Len is the length (in bytes) of a uint16.
+	uint16Len = 2
+
+	// uint32Len is the length (in bytes) of a uint32.
+	uint32Len = 4
+
+	// headerLen is the length (in bytes) of a DNS header.
+	//
+	// A header is comprised of 6 uint16s and no padding.
+	headerLen = 6 * uint16Len
+)
+
+type nestedError struct {
+	// s is the current level's error message.
+	s string
+
+	// err is the nested error.
+	err error
+}
+
+// nestedError implements error.Error.
+func (e *nestedError) Error() string {
+	return e.s + ": " + e.err.Error()
+}
+
+// Header is a representation of a DNS message header.
+type Header struct {
+	ID                 uint16
+	Response           bool
+	OpCode             OpCode
+	Authoritative      bool
+	Truncated          bool
+	RecursionDesired   bool
+	RecursionAvailable bool
+	AuthenticData      bool
+	CheckingDisabled   bool
+	RCode              RCode
+}
+
+func (m *Header) pack() (id uint16, bits uint16) {
+	id = m.ID
+	bits = uint16(m.OpCode)<<11 | uint16(m.RCode)
+	if m.RecursionAvailable {
+		bits |= headerBitRA
+	}
+	if m.RecursionDesired {
+		bits |= headerBitRD
+	}
+	if m.Truncated {
+		bits |= headerBitTC
+	}
+	if m.Authoritative {
+		bits |= headerBitAA
+	}
+	if m.Response {
+		bits |= headerBitQR
+	}
+	if m.AuthenticData {
+		bits |= headerBitAD
+	}
+	if m.CheckingDisabled {
+		bits |= headerBitCD
+	}
+	return
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (m *Header) GoString() string {
+	return "dnsmessage.Header{" +
+		"ID: " + printUint16(m.ID) + ", " +
+		"Response: " + printBool(m.Response) + ", " +
+		"OpCode: " + m.OpCode.GoString() + ", " +
+		"Authoritative: " + printBool(m.Authoritative) + ", " +
+		"Truncated: " + printBool(m.Truncated) + ", " +
+		"RecursionDesired: " + printBool(m.RecursionDesired) + ", " +
+		"RecursionAvailable: " + printBool(m.RecursionAvailable) + ", " +
+		"AuthenticData: " + printBool(m.AuthenticData) + ", " +
+		"CheckingDisabled: " + printBool(m.CheckingDisabled) + ", " +
+		"RCode: " + m.RCode.GoString() + "}"
+}
+
+// Message is a representation of a DNS message.
+type Message struct {
+	Header
+	Questions   []Question
+	Answers     []Resource
+	Authorities []Resource
+	Additionals []Resource
+}
+
+type section uint8
+
+const (
+	sectionNotStarted section = iota
+	sectionHeader
+	sectionQuestions
+	sectionAnswers
+	sectionAuthorities
+	sectionAdditionals
+	sectionDone
+
+	headerBitQR = 1 << 15 // query/response (response=1)
+	headerBitAA = 1 << 10 // authoritative
+	headerBitTC = 1 << 9  // truncated
+	headerBitRD = 1 << 8  // recursion desired
+	headerBitRA = 1 << 7  // recursion available
+	headerBitAD = 1 << 5  // authentic data
+	headerBitCD = 1 << 4  // checking disabled
+)
+
+var sectionNames = map[section]string{
+	sectionHeader:      "header",
+	sectionQuestions:   "Question",
+	sectionAnswers:     "Answer",
+	sectionAuthorities: "Authority",
+	sectionAdditionals: "Additional",
+}
+
+// header is the wire format for a DNS message header.
+type header struct {
+	id          uint16
+	bits        uint16
+	questions   uint16
+	answers     uint16
+	authorities uint16
+	additionals uint16
+}
+
+func (h *header) count(sec section) uint16 {
+	switch sec {
+	case sectionQuestions:
+		return h.questions
+	case sectionAnswers:
+		return h.answers
+	case sectionAuthorities:
+		return h.authorities
+	case sectionAdditionals:
+		return h.additionals
+	}
+	return 0
+}
+
+// pack appends the wire format of the header to msg.
+func (h *header) pack(msg []byte) []byte {
+	msg = packUint16(msg, h.id)
+	msg = packUint16(msg, h.bits)
+	msg = packUint16(msg, h.questions)
+	msg = packUint16(msg, h.answers)
+	msg = packUint16(msg, h.authorities)
+	return packUint16(msg, h.additionals)
+}
+
+func (h *header) unpack(msg []byte, off int) (int, error) {
+	newOff := off
+	var err error
+	if h.id, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"id", err}
+	}
+	if h.bits, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"bits", err}
+	}
+	if h.questions, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"questions", err}
+	}
+	if h.answers, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"answers", err}
+	}
+	if h.authorities, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"authorities", err}
+	}
+	if h.additionals, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"additionals", err}
+	}
+	return newOff, nil
+}
+
+func (h *header) header() Header {
+	return Header{
+		ID:                 h.id,
+		Response:           (h.bits & headerBitQR) != 0,
+		OpCode:             OpCode(h.bits>>11) & 0xF,
+		Authoritative:      (h.bits & headerBitAA) != 0,
+		Truncated:          (h.bits & headerBitTC) != 0,
+		RecursionDesired:   (h.bits & headerBitRD) != 0,
+		RecursionAvailable: (h.bits & headerBitRA) != 0,
+		AuthenticData:      (h.bits & headerBitAD) != 0,
+		CheckingDisabled:   (h.bits & headerBitCD) != 0,
+		RCode:              RCode(h.bits & 0xF),
+	}
+}
+
+// A Resource is a DNS resource record.
+type Resource struct {
+	Header ResourceHeader
+	Body   ResourceBody
+}
+
+func (r *Resource) GoString() string {
+	return "dnsmessage.Resource{" +
+		"Header: " + r.Header.GoString() +
+		", Body: &" + r.Body.GoString() +
+		"}"
+}
+
+// A ResourceBody is a DNS resource record minus the header.
+type ResourceBody interface {
+	// pack packs a Resource except for its header.
+	pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error)
+
+	// realType returns the actual type of the Resource. This is used to
+	// fill in the header Type field.
+	realType() Type
+
+	// GoString implements fmt.GoStringer.GoString.
+	GoString() string
+}
+
+// pack appends the wire format of the Resource to msg.
+func (r *Resource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	if r.Body == nil {
+		return msg, errNilResouceBody
+	}
+	oldMsg := msg
+	r.Header.Type = r.Body.realType()
+	msg, lenOff, err := r.Header.pack(msg, compression, compressionOff)
+	if err != nil {
+		return msg, &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	msg, err = r.Body.pack(msg, compression, compressionOff)
+	if err != nil {
+		return msg, &nestedError{"content", err}
+	}
+	if err := r.Header.fixLen(msg, lenOff, preLen); err != nil {
+		return oldMsg, err
+	}
+	return msg, nil
+}
+
+// A Parser allows incrementally parsing a DNS message.
+//
+// When parsing is started, the Header is parsed. Next, each Question can be
+// either parsed or skipped. Alternatively, all Questions can be skipped at
+// once. When all Questions have been parsed, attempting to parse Questions
+// will return the [ErrSectionDone] error.
+// After all Questions have been either parsed or skipped, all
+// Answers, Authorities and Additionals can be either parsed or skipped in the
+// same way, and each type of Resource must be fully parsed or skipped before
+// proceeding to the next type of Resource.
+//
+// Parser is safe to copy to preserve the parsing state.
+//
+// Note that there is no requirement to fully skip or parse the message.
+type Parser struct {
+	msg    []byte
+	header header
+
+	section         section
+	off             int
+	index           int
+	resHeaderValid  bool
+	resHeaderOffset int
+	resHeaderType   Type
+	resHeaderLength uint16
+}
+
+// Start parses the header and enables the parsing of Questions.
+func (p *Parser) Start(msg []byte) (Header, error) {
+	if p.msg != nil {
+		*p = Parser{}
+	}
+	p.msg = msg
+	var err error
+	if p.off, err = p.header.unpack(msg, 0); err != nil {
+		return Header{}, &nestedError{"unpacking header", err}
+	}
+	p.section = sectionQuestions
+	return p.header.header(), nil
+}
+
+func (p *Parser) checkAdvance(sec section) error {
+	if p.section < sec {
+		return ErrNotStarted
+	}
+	if p.section > sec {
+		return ErrSectionDone
+	}
+	p.resHeaderValid = false
+	if p.index == int(p.header.count(sec)) {
+		p.index = 0
+		p.section++
+		return ErrSectionDone
+	}
+	return nil
+}
+
+func (p *Parser) resource(sec section) (Resource, error) {
+	var r Resource
+	var err error
+	r.Header, err = p.resourceHeader(sec)
+	if err != nil {
+		return r, err
+	}
+	p.resHeaderValid = false
+	r.Body, p.off, err = unpackResourceBody(p.msg, p.off, r.Header)
+	if err != nil {
+		return Resource{}, &nestedError{"unpacking " + sectionNames[sec], err}
+	}
+	p.index++
+	return r, nil
+}
+
+func (p *Parser) resourceHeader(sec section) (ResourceHeader, error) {
+	if p.resHeaderValid {
+		p.off = p.resHeaderOffset
+	}
+
+	if err := p.checkAdvance(sec); err != nil {
+		return ResourceHeader{}, err
+	}
+	var hdr ResourceHeader
+	off, err := hdr.unpack(p.msg, p.off)
+	if err != nil {
+		return ResourceHeader{}, err
+	}
+	p.resHeaderValid = true
+	p.resHeaderOffset = p.off
+	p.resHeaderType = hdr.Type
+	p.resHeaderLength = hdr.Length
+	p.off = off
+	return hdr, nil
+}
+
+func (p *Parser) skipResource(sec section) error {
+	if p.resHeaderValid && p.section == sec {
+		newOff := p.off + int(p.resHeaderLength)
+		if newOff > len(p.msg) {
+			return errResourceLen
+		}
+		p.off = newOff
+		p.resHeaderValid = false
+		p.index++
+		return nil
+	}
+	if err := p.checkAdvance(sec); err != nil {
+		return err
+	}
+	var err error
+	p.off, err = skipResource(p.msg, p.off)
+	if err != nil {
+		return &nestedError{"skipping: " + sectionNames[sec], err}
+	}
+	p.index++
+	return nil
+}
+
+// Question parses a single Question.
+func (p *Parser) Question() (Question, error) {
+	if err := p.checkAdvance(sectionQuestions); err != nil {
+		return Question{}, err
+	}
+	var name Name
+	off, err := name.unpack(p.msg, p.off)
+	if err != nil {
+		return Question{}, &nestedError{"unpacking Question.Name", err}
+	}
+	typ, off, err := unpackType(p.msg, off)
+	if err != nil {
+		return Question{}, &nestedError{"unpacking Question.Type", err}
+	}
+	class, off, err := unpackClass(p.msg, off)
+	if err != nil {
+		return Question{}, &nestedError{"unpacking Question.Class", err}
+	}
+	p.off = off
+	p.index++
+	return Question{name, typ, class}, nil
+}
+
+// AllQuestions parses all Questions.
+func (p *Parser) AllQuestions() ([]Question, error) {
+	// Multiple questions are valid according to the spec,
+	// but servers don't actually support them. There will
+	// be at most one question here.
+	//
+	// Do not pre-allocate based on info in p.header, since
+	// the data is untrusted.
+	qs := []Question{}
+	for {
+		q, err := p.Question()
+		if err == ErrSectionDone {
+			return qs, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+		qs = append(qs, q)
+	}
+}
+
+// SkipQuestion skips a single Question.
+func (p *Parser) SkipQuestion() error {
+	if err := p.checkAdvance(sectionQuestions); err != nil {
+		return err
+	}
+	off, err := skipName(p.msg, p.off)
+	if err != nil {
+		return &nestedError{"skipping Question Name", err}
+	}
+	if off, err = skipType(p.msg, off); err != nil {
+		return &nestedError{"skipping Question Type", err}
+	}
+	if off, err = skipClass(p.msg, off); err != nil {
+		return &nestedError{"skipping Question Class", err}
+	}
+	p.off = off
+	p.index++
+	return nil
+}
+
+// SkipAllQuestions skips all Questions.
+func (p *Parser) SkipAllQuestions() error {
+	for {
+		if err := p.SkipQuestion(); err == ErrSectionDone {
+			return nil
+		} else if err != nil {
+			return err
+		}
+	}
+}
+
+// AnswerHeader parses a single Answer ResourceHeader.
+func (p *Parser) AnswerHeader() (ResourceHeader, error) {
+	return p.resourceHeader(sectionAnswers)
+}
+
+// Answer parses a single Answer Resource.
+func (p *Parser) Answer() (Resource, error) {
+	return p.resource(sectionAnswers)
+}
+
+// AllAnswers parses all Answer Resources.
+func (p *Parser) AllAnswers() ([]Resource, error) {
+	// The most common query is for A/AAAA, which usually returns
+	// a handful of IPs.
+	//
+	// Pre-allocate up to a certain limit, since p.header is
+	// untrusted data.
+	n := int(p.header.answers)
+	if n > 20 {
+		n = 20
+	}
+	as := make([]Resource, 0, n)
+	for {
+		a, err := p.Answer()
+		if err == ErrSectionDone {
+			return as, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+		as = append(as, a)
+	}
+}
+
+// SkipAnswer skips a single Answer Resource.
+//
+// It does not perform a complete validation of the resource header, which means
+// it may return a nil error when the [AnswerHeader] would actually return an error.
+func (p *Parser) SkipAnswer() error {
+	return p.skipResource(sectionAnswers)
+}
+
+// SkipAllAnswers skips all Answer Resources.
+func (p *Parser) SkipAllAnswers() error {
+	for {
+		if err := p.SkipAnswer(); err == ErrSectionDone {
+			return nil
+		} else if err != nil {
+			return err
+		}
+	}
+}
+
+// AuthorityHeader parses a single Authority ResourceHeader.
+func (p *Parser) AuthorityHeader() (ResourceHeader, error) {
+	return p.resourceHeader(sectionAuthorities)
+}
+
+// Authority parses a single Authority Resource.
+func (p *Parser) Authority() (Resource, error) {
+	return p.resource(sectionAuthorities)
+}
+
+// AllAuthorities parses all Authority Resources.
+func (p *Parser) AllAuthorities() ([]Resource, error) {
+	// Authorities contains SOA in case of NXDOMAIN and friends,
+	// otherwise it is empty.
+	//
+	// Pre-allocate up to a certain limit, since p.header is
+	// untrusted data.
+	n := int(p.header.authorities)
+	if n > 10 {
+		n = 10
+	}
+	as := make([]Resource, 0, n)
+	for {
+		a, err := p.Authority()
+		if err == ErrSectionDone {
+			return as, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+		as = append(as, a)
+	}
+}
+
+// SkipAuthority skips a single Authority Resource.
+//
+// It does not perform a complete validation of the resource header, which means
+// it may return a nil error when the [AuthorityHeader] would actually return an error.
+func (p *Parser) SkipAuthority() error {
+	return p.skipResource(sectionAuthorities)
+}
+
+// SkipAllAuthorities skips all Authority Resources.
+func (p *Parser) SkipAllAuthorities() error {
+	for {
+		if err := p.SkipAuthority(); err == ErrSectionDone {
+			return nil
+		} else if err != nil {
+			return err
+		}
+	}
+}
+
+// AdditionalHeader parses a single Additional ResourceHeader.
+func (p *Parser) AdditionalHeader() (ResourceHeader, error) {
+	return p.resourceHeader(sectionAdditionals)
+}
+
+// Additional parses a single Additional Resource.
+func (p *Parser) Additional() (Resource, error) {
+	return p.resource(sectionAdditionals)
+}
+
+// AllAdditionals parses all Additional Resources.
+func (p *Parser) AllAdditionals() ([]Resource, error) {
+	// Additionals usually contain OPT, and sometimes A/AAAA
+	// glue records.
+	//
+	// Pre-allocate up to a certain limit, since p.header is
+	// untrusted data.
+	n := int(p.header.additionals)
+	if n > 10 {
+		n = 10
+	}
+	as := make([]Resource, 0, n)
+	for {
+		a, err := p.Additional()
+		if err == ErrSectionDone {
+			return as, nil
+		}
+		if err != nil {
+			return nil, err
+		}
+		as = append(as, a)
+	}
+}
+
+// SkipAdditional skips a single Additional Resource.
+//
+// It does not perform a complete validation of the resource header, which means
+// it may return a nil error when the [AdditionalHeader] would actually return an error.
+func (p *Parser) SkipAdditional() error {
+	return p.skipResource(sectionAdditionals)
+}
+
+// SkipAllAdditionals skips all Additional Resources.
+func (p *Parser) SkipAllAdditionals() error {
+	for {
+		if err := p.SkipAdditional(); err == ErrSectionDone {
+			return nil
+		} else if err != nil {
+			return err
+		}
+	}
+}
+
+// CNAMEResource parses a single CNAMEResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) CNAMEResource() (CNAMEResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeCNAME {
+		return CNAMEResource{}, ErrNotStarted
+	}
+	r, err := unpackCNAMEResource(p.msg, p.off)
+	if err != nil {
+		return CNAMEResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// MXResource parses a single MXResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) MXResource() (MXResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeMX {
+		return MXResource{}, ErrNotStarted
+	}
+	r, err := unpackMXResource(p.msg, p.off)
+	if err != nil {
+		return MXResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// NSResource parses a single NSResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) NSResource() (NSResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeNS {
+		return NSResource{}, ErrNotStarted
+	}
+	r, err := unpackNSResource(p.msg, p.off)
+	if err != nil {
+		return NSResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// PTRResource parses a single PTRResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) PTRResource() (PTRResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypePTR {
+		return PTRResource{}, ErrNotStarted
+	}
+	r, err := unpackPTRResource(p.msg, p.off)
+	if err != nil {
+		return PTRResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// SOAResource parses a single SOAResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) SOAResource() (SOAResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeSOA {
+		return SOAResource{}, ErrNotStarted
+	}
+	r, err := unpackSOAResource(p.msg, p.off)
+	if err != nil {
+		return SOAResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// TXTResource parses a single TXTResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) TXTResource() (TXTResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeTXT {
+		return TXTResource{}, ErrNotStarted
+	}
+	r, err := unpackTXTResource(p.msg, p.off, p.resHeaderLength)
+	if err != nil {
+		return TXTResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// SRVResource parses a single SRVResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) SRVResource() (SRVResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeSRV {
+		return SRVResource{}, ErrNotStarted
+	}
+	r, err := unpackSRVResource(p.msg, p.off)
+	if err != nil {
+		return SRVResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// AResource parses a single AResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) AResource() (AResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeA {
+		return AResource{}, ErrNotStarted
+	}
+	r, err := unpackAResource(p.msg, p.off)
+	if err != nil {
+		return AResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// AAAAResource parses a single AAAAResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) AAAAResource() (AAAAResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeAAAA {
+		return AAAAResource{}, ErrNotStarted
+	}
+	r, err := unpackAAAAResource(p.msg, p.off)
+	if err != nil {
+		return AAAAResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// OPTResource parses a single OPTResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) OPTResource() (OPTResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != TypeOPT {
+		return OPTResource{}, ErrNotStarted
+	}
+	r, err := unpackOPTResource(p.msg, p.off, p.resHeaderLength)
+	if err != nil {
+		return OPTResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// UnknownResource parses a single UnknownResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) UnknownResource() (UnknownResource, error) {
+	if !p.resHeaderValid {
+		return UnknownResource{}, ErrNotStarted
+	}
+	r, err := unpackUnknownResource(p.resHeaderType, p.msg, p.off, p.resHeaderLength)
+	if err != nil {
+		return UnknownResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// Unpack parses a full Message.
+func (m *Message) Unpack(msg []byte) error {
+	var p Parser
+	var err error
+	if m.Header, err = p.Start(msg); err != nil {
+		return err
+	}
+	if m.Questions, err = p.AllQuestions(); err != nil {
+		return err
+	}
+	if m.Answers, err = p.AllAnswers(); err != nil {
+		return err
+	}
+	if m.Authorities, err = p.AllAuthorities(); err != nil {
+		return err
+	}
+	if m.Additionals, err = p.AllAdditionals(); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Pack packs a full Message.
+func (m *Message) Pack() ([]byte, error) {
+	return m.AppendPack(make([]byte, 0, packStartingCap))
+}
+
+// AppendPack is like Pack but appends the full Message to b and returns the
+// extended buffer.
+func (m *Message) AppendPack(b []byte) ([]byte, error) {
+	// Validate the lengths. It is very unlikely that anyone will try to
+	// pack more than 65535 of any particular type, but it is possible and
+	// we should fail gracefully.
+	if len(m.Questions) > int(^uint16(0)) {
+		return nil, errTooManyQuestions
+	}
+	if len(m.Answers) > int(^uint16(0)) {
+		return nil, errTooManyAnswers
+	}
+	if len(m.Authorities) > int(^uint16(0)) {
+		return nil, errTooManyAuthorities
+	}
+	if len(m.Additionals) > int(^uint16(0)) {
+		return nil, errTooManyAdditionals
+	}
+
+	var h header
+	h.id, h.bits = m.Header.pack()
+
+	h.questions = uint16(len(m.Questions))
+	h.answers = uint16(len(m.Answers))
+	h.authorities = uint16(len(m.Authorities))
+	h.additionals = uint16(len(m.Additionals))
+
+	compressionOff := len(b)
+	msg := h.pack(b)
+
+	// RFC 1035 allows (but does not require) compression for packing. RFC
+	// 1035 requires unpacking implementations to support compression, so
+	// unconditionally enabling it is fine.
+	//
+	// DNS lookups are typically done over UDP, and RFC 1035 states that UDP
+	// DNS messages can be a maximum of 512 bytes long. Without compression,
+	// many DNS response messages are over this limit, so enabling
+	// compression will help ensure compliance.
+	compression := map[string]uint16{}
+
+	for i := range m.Questions {
+		var err error
+		if msg, err = m.Questions[i].pack(msg, compression, compressionOff); err != nil {
+			return nil, &nestedError{"packing Question", err}
+		}
+	}
+	for i := range m.Answers {
+		var err error
+		if msg, err = m.Answers[i].pack(msg, compression, compressionOff); err != nil {
+			return nil, &nestedError{"packing Answer", err}
+		}
+	}
+	for i := range m.Authorities {
+		var err error
+		if msg, err = m.Authorities[i].pack(msg, compression, compressionOff); err != nil {
+			return nil, &nestedError{"packing Authority", err}
+		}
+	}
+	for i := range m.Additionals {
+		var err error
+		if msg, err = m.Additionals[i].pack(msg, compression, compressionOff); err != nil {
+			return nil, &nestedError{"packing Additional", err}
+		}
+	}
+
+	return msg, nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (m *Message) GoString() string {
+	s := "dnsmessage.Message{Header: " + m.Header.GoString() + ", " +
+		"Questions: []dnsmessage.Question{"
+	if len(m.Questions) > 0 {
+		s += m.Questions[0].GoString()
+		for _, q := range m.Questions[1:] {
+			s += ", " + q.GoString()
+		}
+	}
+	s += "}, Answers: []dnsmessage.Resource{"
+	if len(m.Answers) > 0 {
+		s += m.Answers[0].GoString()
+		for _, a := range m.Answers[1:] {
+			s += ", " + a.GoString()
+		}
+	}
+	s += "}, Authorities: []dnsmessage.Resource{"
+	if len(m.Authorities) > 0 {
+		s += m.Authorities[0].GoString()
+		for _, a := range m.Authorities[1:] {
+			s += ", " + a.GoString()
+		}
+	}
+	s += "}, Additionals: []dnsmessage.Resource{"
+	if len(m.Additionals) > 0 {
+		s += m.Additionals[0].GoString()
+		for _, a := range m.Additionals[1:] {
+			s += ", " + a.GoString()
+		}
+	}
+	return s + "}}"
+}
+
+// A Builder allows incrementally packing a DNS message.
+//
+// Example usage:
+//
+//	buf := make([]byte, 2, 514)
+//	b := NewBuilder(buf, Header{...})
+//	b.EnableCompression()
+//	// Optionally start a section and add things to that section.
+//	// Repeat adding sections as necessary.
+//	buf, err := b.Finish()
+//	// If err is nil, buf[2:] will contain the built bytes.
+type Builder struct {
+	// msg is the storage for the message being built.
+	msg []byte
+
+	// section keeps track of the current section being built.
+	section section
+
+	// header keeps track of what should go in the header when Finish is
+	// called.
+	header header
+
+	// start is the starting index of the bytes allocated in msg for header.
+	start int
+
+	// compression is a mapping from name suffixes to their starting index
+	// in msg.
+	compression map[string]uint16
+}
+
+// NewBuilder creates a new builder with compression disabled.
+//
+// Note: Most users will want to immediately enable compression with the
+// EnableCompression method. See that method's comment for why you may or may
+// not want to enable compression.
+//
+// The DNS message is appended to the provided initial buffer buf (which may be
+// nil) as it is built. The final message is returned by the (*Builder).Finish
+// method, which includes buf[:len(buf)] and may return the same underlying
+// array if there was sufficient capacity in the slice.
+func NewBuilder(buf []byte, h Header) Builder {
+	if buf == nil {
+		buf = make([]byte, 0, packStartingCap)
+	}
+	b := Builder{msg: buf, start: len(buf)}
+	b.header.id, b.header.bits = h.pack()
+	var hb [headerLen]byte
+	b.msg = append(b.msg, hb[:]...)
+	b.section = sectionHeader
+	return b
+}
+
+// EnableCompression enables compression in the Builder.
+//
+// Leaving compression disabled avoids compression related allocations, but can
+// result in larger message sizes. Be careful with this mode as it can cause
+// messages to exceed the UDP size limit.
+//
+// According to RFC 1035, section 4.1.4, the use of compression is optional, but
+// all implementations must accept both compressed and uncompressed DNS
+// messages.
+//
+// Compression should be enabled before any sections are added for best results.
+func (b *Builder) EnableCompression() {
+	b.compression = map[string]uint16{}
+}
+
+func (b *Builder) startCheck(s section) error {
+	if b.section <= sectionNotStarted {
+		return ErrNotStarted
+	}
+	if b.section > s {
+		return ErrSectionDone
+	}
+	return nil
+}
+
+// StartQuestions prepares the builder for packing Questions.
+func (b *Builder) StartQuestions() error {
+	if err := b.startCheck(sectionQuestions); err != nil {
+		return err
+	}
+	b.section = sectionQuestions
+	return nil
+}
+
+// StartAnswers prepares the builder for packing Answers.
+func (b *Builder) StartAnswers() error {
+	if err := b.startCheck(sectionAnswers); err != nil {
+		return err
+	}
+	b.section = sectionAnswers
+	return nil
+}
+
+// StartAuthorities prepares the builder for packing Authorities.
+func (b *Builder) StartAuthorities() error {
+	if err := b.startCheck(sectionAuthorities); err != nil {
+		return err
+	}
+	b.section = sectionAuthorities
+	return nil
+}
+
+// StartAdditionals prepares the builder for packing Additionals.
+func (b *Builder) StartAdditionals() error {
+	if err := b.startCheck(sectionAdditionals); err != nil {
+		return err
+	}
+	b.section = sectionAdditionals
+	return nil
+}
+
+func (b *Builder) incrementSectionCount() error {
+	var count *uint16
+	var err error
+	switch b.section {
+	case sectionQuestions:
+		count = &b.header.questions
+		err = errTooManyQuestions
+	case sectionAnswers:
+		count = &b.header.answers
+		err = errTooManyAnswers
+	case sectionAuthorities:
+		count = &b.header.authorities
+		err = errTooManyAuthorities
+	case sectionAdditionals:
+		count = &b.header.additionals
+		err = errTooManyAdditionals
+	}
+	if *count == ^uint16(0) {
+		return err
+	}
+	*count++
+	return nil
+}
+
+// Question adds a single Question.
+func (b *Builder) Question(q Question) error {
+	if b.section < sectionQuestions {
+		return ErrNotStarted
+	}
+	if b.section > sectionQuestions {
+		return ErrSectionDone
+	}
+	msg, err := q.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+func (b *Builder) checkResourceSection() error {
+	if b.section < sectionAnswers {
+		return ErrNotStarted
+	}
+	if b.section > sectionAdditionals {
+		return ErrSectionDone
+	}
+	return nil
+}
+
+// CNAMEResource adds a single CNAMEResource.
+func (b *Builder) CNAMEResource(h ResourceHeader, r CNAMEResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"CNAMEResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// MXResource adds a single MXResource.
+func (b *Builder) MXResource(h ResourceHeader, r MXResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"MXResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// NSResource adds a single NSResource.
+func (b *Builder) NSResource(h ResourceHeader, r NSResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"NSResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// PTRResource adds a single PTRResource.
+func (b *Builder) PTRResource(h ResourceHeader, r PTRResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"PTRResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// SOAResource adds a single SOAResource.
+func (b *Builder) SOAResource(h ResourceHeader, r SOAResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"SOAResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// TXTResource adds a single TXTResource.
+func (b *Builder) TXTResource(h ResourceHeader, r TXTResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"TXTResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// SRVResource adds a single SRVResource.
+func (b *Builder) SRVResource(h ResourceHeader, r SRVResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"SRVResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// AResource adds a single AResource.
+func (b *Builder) AResource(h ResourceHeader, r AResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"AResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// AAAAResource adds a single AAAAResource.
+func (b *Builder) AAAAResource(h ResourceHeader, r AAAAResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"AAAAResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// OPTResource adds a single OPTResource.
+func (b *Builder) OPTResource(h ResourceHeader, r OPTResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"OPTResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// UnknownResource adds a single UnknownResource.
+func (b *Builder) UnknownResource(h ResourceHeader, r UnknownResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	h.Type = r.realType()
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"UnknownResource body", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// Finish ends message building and generates a binary message.
+func (b *Builder) Finish() ([]byte, error) {
+	if b.section < sectionHeader {
+		return nil, ErrNotStarted
+	}
+	b.section = sectionDone
+	// Space for the header was allocated in NewBuilder.
+	b.header.pack(b.msg[b.start:b.start])
+	return b.msg, nil
+}
+
+// A ResourceHeader is the header of a DNS resource record. There are
+// many types of DNS resource records, but they all share the same header.
+type ResourceHeader struct {
+	// Name is the domain name for which this resource record pertains.
+	Name Name
+
+	// Type is the type of DNS resource record.
+	//
+	// This field will be set automatically during packing.
+	Type Type
+
+	// Class is the class of network to which this DNS resource record
+	// pertains.
+	Class Class
+
+	// TTL is the length of time (measured in seconds) which this resource
+	// record is valid for (time to live). All Resources in a set should
+	// have the same TTL (RFC 2181 Section 5.2).
+	TTL uint32
+
+	// Length is the length of data in the resource record after the header.
+	//
+	// This field will be set automatically during packing.
+	Length uint16
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (h *ResourceHeader) GoString() string {
+	return "dnsmessage.ResourceHeader{" +
+		"Name: " + h.Name.GoString() + ", " +
+		"Type: " + h.Type.GoString() + ", " +
+		"Class: " + h.Class.GoString() + ", " +
+		"TTL: " + printUint32(h.TTL) + ", " +
+		"Length: " + printUint16(h.Length) + "}"
+}
+
+// pack appends the wire format of the ResourceHeader to oldMsg.
+//
+// lenOff is the offset in msg where the Length field was packed.
+func (h *ResourceHeader) pack(oldMsg []byte, compression map[string]uint16, compressionOff int) (msg []byte, lenOff int, err error) {
+	msg = oldMsg
+	if msg, err = h.Name.pack(msg, compression, compressionOff); err != nil {
+		return oldMsg, 0, &nestedError{"Name", err}
+	}
+	msg = packType(msg, h.Type)
+	msg = packClass(msg, h.Class)
+	msg = packUint32(msg, h.TTL)
+	lenOff = len(msg)
+	msg = packUint16(msg, h.Length)
+	return msg, lenOff, nil
+}
+
+func (h *ResourceHeader) unpack(msg []byte, off int) (int, error) {
+	newOff := off
+	var err error
+	if newOff, err = h.Name.unpack(msg, newOff); err != nil {
+		return off, &nestedError{"Name", err}
+	}
+	if h.Type, newOff, err = unpackType(msg, newOff); err != nil {
+		return off, &nestedError{"Type", err}
+	}
+	if h.Class, newOff, err = unpackClass(msg, newOff); err != nil {
+		return off, &nestedError{"Class", err}
+	}
+	if h.TTL, newOff, err = unpackUint32(msg, newOff); err != nil {
+		return off, &nestedError{"TTL", err}
+	}
+	if h.Length, newOff, err = unpackUint16(msg, newOff); err != nil {
+		return off, &nestedError{"Length", err}
+	}
+	return newOff, nil
+}
+
+// fixLen updates a packed ResourceHeader to include the length of the
+// ResourceBody.
+//
+// lenOff is the offset of the ResourceHeader.Length field in msg.
+//
+// preLen is the length that msg was before the ResourceBody was packed.
+func (h *ResourceHeader) fixLen(msg []byte, lenOff int, preLen int) error {
+	conLen := len(msg) - preLen
+	if conLen > int(^uint16(0)) {
+		return errResTooLong
+	}
+
+	// Fill in the length now that we know how long the content is.
+	packUint16(msg[lenOff:lenOff], uint16(conLen))
+	h.Length = uint16(conLen)
+
+	return nil
+}
+
+// EDNS(0) wire constants.
+const (
+	edns0Version = 0
+
+	edns0DNSSECOK     = 0x00008000
+	ednsVersionMask   = 0x00ff0000
+	edns0DNSSECOKMask = 0x00ff8000
+)
+
+// SetEDNS0 configures h for EDNS(0).
+//
+// The provided extRCode must be an extended RCode.
+func (h *ResourceHeader) SetEDNS0(udpPayloadLen int, extRCode RCode, dnssecOK bool) error {
+	h.Name = Name{Data: [255]byte{'.'}, Length: 1} // RFC 6891 section 6.1.2
+	h.Type = TypeOPT
+	h.Class = Class(udpPayloadLen)
+	h.TTL = uint32(extRCode) >> 4 << 24
+	if dnssecOK {
+		h.TTL |= edns0DNSSECOK
+	}
+	return nil
+}
+
+// DNSSECAllowed reports whether the DNSSEC OK bit is set.
+func (h *ResourceHeader) DNSSECAllowed() bool {
+	return h.TTL&edns0DNSSECOKMask == edns0DNSSECOK // RFC 6891 section 6.1.3
+}
+
+// ExtendedRCode returns an extended RCode.
+//
+// The provided rcode must be the RCode in DNS message header.
+func (h *ResourceHeader) ExtendedRCode(rcode RCode) RCode {
+	if h.TTL&ednsVersionMask == edns0Version { // RFC 6891 section 6.1.3
+		return RCode(h.TTL>>24<<4) | rcode
+	}
+	return rcode
+}
+
+func skipResource(msg []byte, off int) (int, error) {
+	newOff, err := skipName(msg, off)
+	if err != nil {
+		return off, &nestedError{"Name", err}
+	}
+	if newOff, err = skipType(msg, newOff); err != nil {
+		return off, &nestedError{"Type", err}
+	}
+	if newOff, err = skipClass(msg, newOff); err != nil {
+		return off, &nestedError{"Class", err}
+	}
+	if newOff, err = skipUint32(msg, newOff); err != nil {
+		return off, &nestedError{"TTL", err}
+	}
+	length, newOff, err := unpackUint16(msg, newOff)
+	if err != nil {
+		return off, &nestedError{"Length", err}
+	}
+	if newOff += int(length); newOff > len(msg) {
+		return off, errResourceLen
+	}
+	return newOff, nil
+}
+
+// packUint16 appends the wire format of field to msg.
+func packUint16(msg []byte, field uint16) []byte {
+	return append(msg, byte(field>>8), byte(field))
+}
+
+func unpackUint16(msg []byte, off int) (uint16, int, error) {
+	if off+uint16Len > len(msg) {
+		return 0, off, errBaseLen
+	}
+	return uint16(msg[off])<<8 | uint16(msg[off+1]), off + uint16Len, nil
+}
+
+func skipUint16(msg []byte, off int) (int, error) {
+	if off+uint16Len > len(msg) {
+		return off, errBaseLen
+	}
+	return off + uint16Len, nil
+}
+
+// packType appends the wire format of field to msg.
+func packType(msg []byte, field Type) []byte {
+	return packUint16(msg, uint16(field))
+}
+
+func unpackType(msg []byte, off int) (Type, int, error) {
+	t, o, err := unpackUint16(msg, off)
+	return Type(t), o, err
+}
+
+func skipType(msg []byte, off int) (int, error) {
+	return skipUint16(msg, off)
+}
+
+// packClass appends the wire format of field to msg.
+func packClass(msg []byte, field Class) []byte {
+	return packUint16(msg, uint16(field))
+}
+
+func unpackClass(msg []byte, off int) (Class, int, error) {
+	c, o, err := unpackUint16(msg, off)
+	return Class(c), o, err
+}
+
+func skipClass(msg []byte, off int) (int, error) {
+	return skipUint16(msg, off)
+}
+
+// packUint32 appends the wire format of field to msg.
+func packUint32(msg []byte, field uint32) []byte {
+	return append(
+		msg,
+		byte(field>>24),
+		byte(field>>16),
+		byte(field>>8),
+		byte(field),
+	)
+}
+
+func unpackUint32(msg []byte, off int) (uint32, int, error) {
+	if off+uint32Len > len(msg) {
+		return 0, off, errBaseLen
+	}
+	v := uint32(msg[off])<<24 | uint32(msg[off+1])<<16 | uint32(msg[off+2])<<8 | uint32(msg[off+3])
+	return v, off + uint32Len, nil
+}
+
+func skipUint32(msg []byte, off int) (int, error) {
+	if off+uint32Len > len(msg) {
+		return off, errBaseLen
+	}
+	return off + uint32Len, nil
+}
+
+// packText appends the wire format of field to msg.
+func packText(msg []byte, field string) ([]byte, error) {
+	l := len(field)
+	if l > 255 {
+		return nil, errStringTooLong
+	}
+	msg = append(msg, byte(l))
+	msg = append(msg, field...)
+
+	return msg, nil
+}
+
+func unpackText(msg []byte, off int) (string, int, error) {
+	if off >= len(msg) {
+		return "", off, errBaseLen
+	}
+	beginOff := off + 1
+	endOff := beginOff + int(msg[off])
+	if endOff > len(msg) {
+		return "", off, errCalcLen
+	}
+	return string(msg[beginOff:endOff]), endOff, nil
+}
+
+// packBytes appends the wire format of field to msg.
+func packBytes(msg []byte, field []byte) []byte {
+	return append(msg, field...)
+}
+
+func unpackBytes(msg []byte, off int, field []byte) (int, error) {
+	newOff := off + len(field)
+	if newOff > len(msg) {
+		return off, errBaseLen
+	}
+	copy(field, msg[off:newOff])
+	return newOff, nil
+}
+
+const nonEncodedNameMax = 254
+
+// A Name is a non-encoded and non-escaped domain name. It is used instead of strings to avoid
+// allocations.
+type Name struct {
+	Data   [255]byte
+	Length uint8
+}
+
+// NewName creates a new Name from a string.
+func NewName(name string) (Name, error) {
+	n := Name{Length: uint8(len(name))}
+	if len(name) > len(n.Data) {
+		return Name{}, errCalcLen
+	}
+	copy(n.Data[:], name)
+	return n, nil
+}
+
+// MustNewName creates a new Name from a string and panics on error.
+func MustNewName(name string) Name {
+	n, err := NewName(name)
+	if err != nil {
+		panic("creating name: " + err.Error())
+	}
+	return n
+}
+
+// String implements fmt.Stringer.String.
+//
+// Note: characters inside the labels are not escaped in any way.
+func (n Name) String() string {
+	return string(n.Data[:n.Length])
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (n *Name) GoString() string {
+	return `dnsmessage.MustNewName("` + printString(n.Data[:n.Length]) + `")`
+}
+
+// pack appends the wire format of the Name to msg.
+//
+// Domain names are a sequence of counted strings split at the dots. They end
+// with a zero-length string. Compression can be used to reuse domain suffixes.
+//
+// The compression map will be updated with new domain suffixes. If compression
+// is nil, compression will not be used.
+func (n *Name) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	oldMsg := msg
+
+	if n.Length > nonEncodedNameMax {
+		return nil, errNameTooLong
+	}
+
+	// Add a trailing dot to canonicalize name.
+	if n.Length == 0 || n.Data[n.Length-1] != '.' {
+		return oldMsg, errNonCanonicalName
+	}
+
+	// Allow root domain.
+	if n.Data[0] == '.' && n.Length == 1 {
+		return append(msg, 0), nil
+	}
+
+	var nameAsStr string
+
+	// Emit sequence of counted strings, chopping at dots.
+	for i, begin := 0, 0; i < int(n.Length); i++ {
+		// Check for the end of the segment.
+		if n.Data[i] == '.' {
+			// The two most significant bits have special meaning.
+			// It isn't allowed for segments to be long enough to
+			// need them.
+			if i-begin >= 1<<6 {
+				return oldMsg, errSegTooLong
+			}
+
+			// Segments must have a non-zero length.
+			if i-begin == 0 {
+				return oldMsg, errZeroSegLen
+			}
+
+			msg = append(msg, byte(i-begin))
+
+			for j := begin; j < i; j++ {
+				msg = append(msg, n.Data[j])
+			}
+
+			begin = i + 1
+			continue
+		}
+
+		// We can only compress domain suffixes starting with a new
+		// segment. A pointer is two bytes with the two most significant
+		// bits set to 1 to indicate that it is a pointer.
+		if (i == 0 || n.Data[i-1] == '.') && compression != nil {
+			if ptr, ok := compression[string(n.Data[i:n.Length])]; ok {
+				// Hit. Emit a pointer instead of the rest of
+				// the domain.
+				return append(msg, byte(ptr>>8|0xC0), byte(ptr)), nil
+			}
+
+			// Miss. Add the suffix to the compression table if the
+			// offset can be stored in the available 14 bits.
+			newPtr := len(msg) - compressionOff
+			if newPtr <= int(^uint16(0)>>2) {
+				if nameAsStr == "" {
+					// allocate n.Data on the heap once, to avoid allocating it
+					// multiple times (for next labels).
+					nameAsStr = string(n.Data[:n.Length])
+				}
+				compression[nameAsStr[i:]] = uint16(newPtr)
+			}
+		}
+	}
+	return append(msg, 0), nil
+}
+
+// unpack unpacks a domain name.
+func (n *Name) unpack(msg []byte, off int) (int, error) {
+	// currOff is the current working offset.
+	currOff := off
+
+	// newOff is the offset where the next record will start. Pointers lead
+	// to data that belongs to other names and thus doesn't count towards to
+	// the usage of this name.
+	newOff := off
+
+	// ptr is the number of pointers followed.
+	var ptr int
+
+	// Name is a slice representation of the name data.
+	name := n.Data[:0]
+
+Loop:
+	for {
+		if currOff >= len(msg) {
+			return off, errBaseLen
+		}
+		c := int(msg[currOff])
+		currOff++
+		switch c & 0xC0 {
+		case 0x00: // String segment
+			if c == 0x00 {
+				// A zero length signals the end of the name.
+				break Loop
+			}
+			endOff := currOff + c
+			if endOff > len(msg) {
+				return off, errCalcLen
+			}
+
+			// Reject names containing dots.
+			// See issue golang/go#56246
+			for _, v := range msg[currOff:endOff] {
+				if v == '.' {
+					return off, errInvalidName
+				}
+			}
+
+			name = append(name, msg[currOff:endOff]...)
+			name = append(name, '.')
+			currOff = endOff
+		case 0xC0: // Pointer
+			if currOff >= len(msg) {
+				return off, errInvalidPtr
+			}
+			c1 := msg[currOff]
+			currOff++
+			if ptr == 0 {
+				newOff = currOff
+			}
+			// Don't follow too many pointers, maybe there's a loop.
+			if ptr++; ptr > 10 {
+				return off, errTooManyPtr
+			}
+			currOff = (c^0xC0)<<8 | int(c1)
+		default:
+			// Prefixes 0x80 and 0x40 are reserved.
+			return off, errReserved
+		}
+	}
+	if len(name) == 0 {
+		name = append(name, '.')
+	}
+	if len(name) > nonEncodedNameMax {
+		return off, errNameTooLong
+	}
+	n.Length = uint8(len(name))
+	if ptr == 0 {
+		newOff = currOff
+	}
+	return newOff, nil
+}
+
+func skipName(msg []byte, off int) (int, error) {
+	// newOff is the offset where the next record will start. Pointers lead
+	// to data that belongs to other names and thus doesn't count towards to
+	// the usage of this name.
+	newOff := off
+
+Loop:
+	for {
+		if newOff >= len(msg) {
+			return off, errBaseLen
+		}
+		c := int(msg[newOff])
+		newOff++
+		switch c & 0xC0 {
+		case 0x00:
+			if c == 0x00 {
+				// A zero length signals the end of the name.
+				break Loop
+			}
+			// literal string
+			newOff += c
+			if newOff > len(msg) {
+				return off, errCalcLen
+			}
+		case 0xC0:
+			// Pointer to somewhere else in msg.
+
+			// Pointers are two bytes.
+			newOff++
+
+			// Don't follow the pointer as the data here has ended.
+			break Loop
+		default:
+			// Prefixes 0x80 and 0x40 are reserved.
+			return off, errReserved
+		}
+	}
+
+	return newOff, nil
+}
+
+// A Question is a DNS query.
+type Question struct {
+	Name  Name
+	Type  Type
+	Class Class
+}
+
+// pack appends the wire format of the Question to msg.
+func (q *Question) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	msg, err := q.Name.pack(msg, compression, compressionOff)
+	if err != nil {
+		return msg, &nestedError{"Name", err}
+	}
+	msg = packType(msg, q.Type)
+	return packClass(msg, q.Class), nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (q *Question) GoString() string {
+	return "dnsmessage.Question{" +
+		"Name: " + q.Name.GoString() + ", " +
+		"Type: " + q.Type.GoString() + ", " +
+		"Class: " + q.Class.GoString() + "}"
+}
+
+func unpackResourceBody(msg []byte, off int, hdr ResourceHeader) (ResourceBody, int, error) {
+	var (
+		r    ResourceBody
+		err  error
+		name string
+	)
+	switch hdr.Type {
+	case TypeA:
+		var rb AResource
+		rb, err = unpackAResource(msg, off)
+		r = &rb
+		name = "A"
+	case TypeNS:
+		var rb NSResource
+		rb, err = unpackNSResource(msg, off)
+		r = &rb
+		name = "NS"
+	case TypeCNAME:
+		var rb CNAMEResource
+		rb, err = unpackCNAMEResource(msg, off)
+		r = &rb
+		name = "CNAME"
+	case TypeSOA:
+		var rb SOAResource
+		rb, err = unpackSOAResource(msg, off)
+		r = &rb
+		name = "SOA"
+	case TypePTR:
+		var rb PTRResource
+		rb, err = unpackPTRResource(msg, off)
+		r = &rb
+		name = "PTR"
+	case TypeMX:
+		var rb MXResource
+		rb, err = unpackMXResource(msg, off)
+		r = &rb
+		name = "MX"
+	case TypeTXT:
+		var rb TXTResource
+		rb, err = unpackTXTResource(msg, off, hdr.Length)
+		r = &rb
+		name = "TXT"
+	case TypeAAAA:
+		var rb AAAAResource
+		rb, err = unpackAAAAResource(msg, off)
+		r = &rb
+		name = "AAAA"
+	case TypeSRV:
+		var rb SRVResource
+		rb, err = unpackSRVResource(msg, off)
+		r = &rb
+		name = "SRV"
+	case TypeSVCB:
+		var rb SVCBResource
+		rb, err = unpackSVCBResource(msg, off, hdr.Length)
+		r = &rb
+		name = "SVCB"
+	case TypeHTTPS:
+		var rb HTTPSResource
+		rb.SVCBResource, err = unpackSVCBResource(msg, off, hdr.Length)
+		r = &rb
+		name = "HTTPS"
+	case TypeOPT:
+		var rb OPTResource
+		rb, err = unpackOPTResource(msg, off, hdr.Length)
+		r = &rb
+		name = "OPT"
+	default:
+		var rb UnknownResource
+		rb, err = unpackUnknownResource(hdr.Type, msg, off, hdr.Length)
+		r = &rb
+		name = "Unknown"
+	}
+	if err != nil {
+		return nil, off, &nestedError{name + " record", err}
+	}
+	return r, off + int(hdr.Length), nil
+}
+
+// A CNAMEResource is a CNAME Resource record.
+type CNAMEResource struct {
+	CNAME Name
+}
+
+func (r *CNAMEResource) realType() Type {
+	return TypeCNAME
+}
+
+// pack appends the wire format of the CNAMEResource to msg.
+func (r *CNAMEResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return r.CNAME.pack(msg, compression, compressionOff)
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *CNAMEResource) GoString() string {
+	return "dnsmessage.CNAMEResource{CNAME: " + r.CNAME.GoString() + "}"
+}
+
+func unpackCNAMEResource(msg []byte, off int) (CNAMEResource, error) {
+	var cname Name
+	if _, err := cname.unpack(msg, off); err != nil {
+		return CNAMEResource{}, err
+	}
+	return CNAMEResource{cname}, nil
+}
+
+// An MXResource is an MX Resource record.
+type MXResource struct {
+	Pref uint16
+	MX   Name
+}
+
+func (r *MXResource) realType() Type {
+	return TypeMX
+}
+
+// pack appends the wire format of the MXResource to msg.
+func (r *MXResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	oldMsg := msg
+	msg = packUint16(msg, r.Pref)
+	msg, err := r.MX.pack(msg, compression, compressionOff)
+	if err != nil {
+		return oldMsg, &nestedError{"MXResource.MX", err}
+	}
+	return msg, nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *MXResource) GoString() string {
+	return "dnsmessage.MXResource{" +
+		"Pref: " + printUint16(r.Pref) + ", " +
+		"MX: " + r.MX.GoString() + "}"
+}
+
+func unpackMXResource(msg []byte, off int) (MXResource, error) {
+	pref, off, err := unpackUint16(msg, off)
+	if err != nil {
+		return MXResource{}, &nestedError{"Pref", err}
+	}
+	var mx Name
+	if _, err := mx.unpack(msg, off); err != nil {
+		return MXResource{}, &nestedError{"MX", err}
+	}
+	return MXResource{pref, mx}, nil
+}
+
+// An NSResource is an NS Resource record.
+type NSResource struct {
+	NS Name
+}
+
+func (r *NSResource) realType() Type {
+	return TypeNS
+}
+
+// pack appends the wire format of the NSResource to msg.
+func (r *NSResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return r.NS.pack(msg, compression, compressionOff)
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *NSResource) GoString() string {
+	return "dnsmessage.NSResource{NS: " + r.NS.GoString() + "}"
+}
+
+func unpackNSResource(msg []byte, off int) (NSResource, error) {
+	var ns Name
+	if _, err := ns.unpack(msg, off); err != nil {
+		return NSResource{}, err
+	}
+	return NSResource{ns}, nil
+}
+
+// A PTRResource is a PTR Resource record.
+type PTRResource struct {
+	PTR Name
+}
+
+func (r *PTRResource) realType() Type {
+	return TypePTR
+}
+
+// pack appends the wire format of the PTRResource to msg.
+func (r *PTRResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return r.PTR.pack(msg, compression, compressionOff)
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *PTRResource) GoString() string {
+	return "dnsmessage.PTRResource{PTR: " + r.PTR.GoString() + "}"
+}
+
+func unpackPTRResource(msg []byte, off int) (PTRResource, error) {
+	var ptr Name
+	if _, err := ptr.unpack(msg, off); err != nil {
+		return PTRResource{}, err
+	}
+	return PTRResource{ptr}, nil
+}
+
+// An SOAResource is an SOA Resource record.
+type SOAResource struct {
+	NS      Name
+	MBox    Name
+	Serial  uint32
+	Refresh uint32
+	Retry   uint32
+	Expire  uint32
+
+	// MinTTL the is the default TTL of Resources records which did not
+	// contain a TTL value and the TTL of negative responses. (RFC 2308
+	// Section 4)
+	MinTTL uint32
+}
+
+func (r *SOAResource) realType() Type {
+	return TypeSOA
+}
+
+// pack appends the wire format of the SOAResource to msg.
+func (r *SOAResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	oldMsg := msg
+	msg, err := r.NS.pack(msg, compression, compressionOff)
+	if err != nil {
+		return oldMsg, &nestedError{"SOAResource.NS", err}
+	}
+	msg, err = r.MBox.pack(msg, compression, compressionOff)
+	if err != nil {
+		return oldMsg, &nestedError{"SOAResource.MBox", err}
+	}
+	msg = packUint32(msg, r.Serial)
+	msg = packUint32(msg, r.Refresh)
+	msg = packUint32(msg, r.Retry)
+	msg = packUint32(msg, r.Expire)
+	return packUint32(msg, r.MinTTL), nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *SOAResource) GoString() string {
+	return "dnsmessage.SOAResource{" +
+		"NS: " + r.NS.GoString() + ", " +
+		"MBox: " + r.MBox.GoString() + ", " +
+		"Serial: " + printUint32(r.Serial) + ", " +
+		"Refresh: " + printUint32(r.Refresh) + ", " +
+		"Retry: " + printUint32(r.Retry) + ", " +
+		"Expire: " + printUint32(r.Expire) + ", " +
+		"MinTTL: " + printUint32(r.MinTTL) + "}"
+}
+
+func unpackSOAResource(msg []byte, off int) (SOAResource, error) {
+	var ns Name
+	off, err := ns.unpack(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"NS", err}
+	}
+	var mbox Name
+	if off, err = mbox.unpack(msg, off); err != nil {
+		return SOAResource{}, &nestedError{"MBox", err}
+	}
+	serial, off, err := unpackUint32(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"Serial", err}
+	}
+	refresh, off, err := unpackUint32(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"Refresh", err}
+	}
+	retry, off, err := unpackUint32(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"Retry", err}
+	}
+	expire, off, err := unpackUint32(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"Expire", err}
+	}
+	minTTL, _, err := unpackUint32(msg, off)
+	if err != nil {
+		return SOAResource{}, &nestedError{"MinTTL", err}
+	}
+	return SOAResource{ns, mbox, serial, refresh, retry, expire, minTTL}, nil
+}
+
+// A TXTResource is a TXT Resource record.
+type TXTResource struct {
+	TXT []string
+}
+
+func (r *TXTResource) realType() Type {
+	return TypeTXT
+}
+
+// pack appends the wire format of the TXTResource to msg.
+func (r *TXTResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	oldMsg := msg
+	for _, s := range r.TXT {
+		var err error
+		msg, err = packText(msg, s)
+		if err != nil {
+			return oldMsg, err
+		}
+	}
+	return msg, nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *TXTResource) GoString() string {
+	s := "dnsmessage.TXTResource{TXT: []string{"
+	if len(r.TXT) == 0 {
+		return s + "}}"
+	}
+	s += `"` + printString([]byte(r.TXT[0]))
+	for _, t := range r.TXT[1:] {
+		s += `", "` + printString([]byte(t))
+	}
+	return s + `"}}`
+}
+
+func unpackTXTResource(msg []byte, off int, length uint16) (TXTResource, error) {
+	txts := make([]string, 0, 1)
+	for n := uint16(0); n < length; {
+		var t string
+		var err error
+		if t, off, err = unpackText(msg, off); err != nil {
+			return TXTResource{}, &nestedError{"text", err}
+		}
+		// Check if we got too many bytes.
+		if length-n < uint16(len(t))+1 {
+			return TXTResource{}, errCalcLen
+		}
+		n += uint16(len(t)) + 1
+		txts = append(txts, t)
+	}
+	return TXTResource{txts}, nil
+}
+
+// An SRVResource is an SRV Resource record.
+type SRVResource struct {
+	Priority uint16
+	Weight   uint16
+	Port     uint16
+	Target   Name // Not compressed as per RFC 2782.
+}
+
+func (r *SRVResource) realType() Type {
+	return TypeSRV
+}
+
+// pack appends the wire format of the SRVResource to msg.
+func (r *SRVResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	oldMsg := msg
+	msg = packUint16(msg, r.Priority)
+	msg = packUint16(msg, r.Weight)
+	msg = packUint16(msg, r.Port)
+	msg, err := r.Target.pack(msg, nil, compressionOff)
+	if err != nil {
+		return oldMsg, &nestedError{"SRVResource.Target", err}
+	}
+	return msg, nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *SRVResource) GoString() string {
+	return "dnsmessage.SRVResource{" +
+		"Priority: " + printUint16(r.Priority) + ", " +
+		"Weight: " + printUint16(r.Weight) + ", " +
+		"Port: " + printUint16(r.Port) + ", " +
+		"Target: " + r.Target.GoString() + "}"
+}
+
+func unpackSRVResource(msg []byte, off int) (SRVResource, error) {
+	priority, off, err := unpackUint16(msg, off)
+	if err != nil {
+		return SRVResource{}, &nestedError{"Priority", err}
+	}
+	weight, off, err := unpackUint16(msg, off)
+	if err != nil {
+		return SRVResource{}, &nestedError{"Weight", err}
+	}
+	port, off, err := unpackUint16(msg, off)
+	if err != nil {
+		return SRVResource{}, &nestedError{"Port", err}
+	}
+	var target Name
+	if _, err := target.unpack(msg, off); err != nil {
+		return SRVResource{}, &nestedError{"Target", err}
+	}
+	return SRVResource{priority, weight, port, target}, nil
+}
+
+// An AResource is an A Resource record.
+type AResource struct {
+	A [4]byte
+}
+
+func (r *AResource) realType() Type {
+	return TypeA
+}
+
+// pack appends the wire format of the AResource to msg.
+func (r *AResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return packBytes(msg, r.A[:]), nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *AResource) GoString() string {
+	return "dnsmessage.AResource{" +
+		"A: [4]byte{" + printByteSlice(r.A[:]) + "}}"
+}
+
+func unpackAResource(msg []byte, off int) (AResource, error) {
+	var a [4]byte
+	if _, err := unpackBytes(msg, off, a[:]); err != nil {
+		return AResource{}, err
+	}
+	return AResource{a}, nil
+}
+
+// An AAAAResource is an AAAA Resource record.
+type AAAAResource struct {
+	AAAA [16]byte
+}
+
+func (r *AAAAResource) realType() Type {
+	return TypeAAAA
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *AAAAResource) GoString() string {
+	return "dnsmessage.AAAAResource{" +
+		"AAAA: [16]byte{" + printByteSlice(r.AAAA[:]) + "}}"
+}
+
+// pack appends the wire format of the AAAAResource to msg.
+func (r *AAAAResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return packBytes(msg, r.AAAA[:]), nil
+}
+
+func unpackAAAAResource(msg []byte, off int) (AAAAResource, error) {
+	var aaaa [16]byte
+	if _, err := unpackBytes(msg, off, aaaa[:]); err != nil {
+		return AAAAResource{}, err
+	}
+	return AAAAResource{aaaa}, nil
+}
+
+// An OPTResource is an OPT pseudo Resource record.
+//
+// The pseudo resource record is part of the extension mechanisms for DNS
+// as defined in RFC 6891.
+type OPTResource struct {
+	Options []Option
+}
+
+// An Option represents a DNS message option within OPTResource.
+//
+// The message option is part of the extension mechanisms for DNS as
+// defined in RFC 6891.
+type Option struct {
+	Code uint16 // option code
+	Data []byte
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (o *Option) GoString() string {
+	return "dnsmessage.Option{" +
+		"Code: " + printUint16(o.Code) + ", " +
+		"Data: []byte{" + printByteSlice(o.Data) + "}}"
+}
+
+func (r *OPTResource) realType() Type {
+	return TypeOPT
+}
+
+func (r *OPTResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	for _, opt := range r.Options {
+		msg = packUint16(msg, opt.Code)
+		l := uint16(len(opt.Data))
+		msg = packUint16(msg, l)
+		msg = packBytes(msg, opt.Data)
+	}
+	return msg, nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *OPTResource) GoString() string {
+	s := "dnsmessage.OPTResource{Options: []dnsmessage.Option{"
+	if len(r.Options) == 0 {
+		return s + "}}"
+	}
+	s += r.Options[0].GoString()
+	for _, o := range r.Options[1:] {
+		s += ", " + o.GoString()
+	}
+	return s + "}}"
+}
+
+func unpackOPTResource(msg []byte, off int, length uint16) (OPTResource, error) {
+	var opts []Option
+	for oldOff := off; off < oldOff+int(length); {
+		var err error
+		var o Option
+		o.Code, off, err = unpackUint16(msg, off)
+		if err != nil {
+			return OPTResource{}, &nestedError{"Code", err}
+		}
+		var l uint16
+		l, off, err = unpackUint16(msg, off)
+		if err != nil {
+			return OPTResource{}, &nestedError{"Data", err}
+		}
+		o.Data = make([]byte, l)
+		if copy(o.Data, msg[off:]) != int(l) {
+			return OPTResource{}, &nestedError{"Data", errCalcLen}
+		}
+		off += int(l)
+		opts = append(opts, o)
+	}
+	return OPTResource{opts}, nil
+}
+
+// An UnknownResource is a catch-all container for unknown record types.
+type UnknownResource struct {
+	Type Type
+	Data []byte
+}
+
+func (r *UnknownResource) realType() Type {
+	return r.Type
+}
+
+// pack appends the wire format of the UnknownResource to msg.
+func (r *UnknownResource) pack(msg []byte, compression map[string]uint16, compressionOff int) ([]byte, error) {
+	return packBytes(msg, r.Data[:]), nil
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *UnknownResource) GoString() string {
+	return "dnsmessage.UnknownResource{" +
+		"Type: " + r.Type.GoString() + ", " +
+		"Data: []byte{" + printByteSlice(r.Data) + "}}"
+}
+
+func unpackUnknownResource(recordType Type, msg []byte, off int, length uint16) (UnknownResource, error) {
+	parsed := UnknownResource{
+		Type: recordType,
+		Data: make([]byte, length),
+	}
+	if _, err := unpackBytes(msg, off, parsed.Data); err != nil {
+		return UnknownResource{}, err
+	}
+	return parsed, nil
+}
diff --git a/vendor/golang.org/x/net/dns/dnsmessage/svcb.go b/vendor/golang.org/x/net/dns/dnsmessage/svcb.go
new file mode 100644
index 0000000000000..de1633f0d16aa
--- /dev/null
+++ b/vendor/golang.org/x/net/dns/dnsmessage/svcb.go
@@ -0,0 +1,329 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dnsmessage
+
+import (
+	"math"
+	"slices"
+	"strings"
+)
+
+// An SVCBResource is an SVCB Resource record.
+type SVCBResource struct {
+	Priority uint16
+	Target   Name
+	Params   []SVCParam // Must be in strict increasing order by Key.
+}
+
+func (r *SVCBResource) realType() Type {
+	return TypeSVCB
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *SVCBResource) GoString() string {
+	var b strings.Builder
+	b.WriteString("dnsmessage.SVCBResource{")
+	b.WriteString("Priority: " + printUint16(r.Priority) + ", ")
+	b.WriteString("Target: " + r.Target.GoString() + ", ")
+	b.WriteString("Params: []dnsmessage.SVCParam{")
+	if len(r.Params) > 0 {
+		b.WriteString(r.Params[0].GoString())
+		for _, p := range r.Params[1:] {
+			b.WriteString(", " + p.GoString())
+		}
+	}
+	b.WriteString("}}")
+	return b.String()
+}
+
+// An HTTPSResource is an HTTPS Resource record.
+// It has the same format as the SVCB record.
+type HTTPSResource struct {
+	// Alias for SVCB resource record.
+	SVCBResource
+}
+
+func (r *HTTPSResource) realType() Type {
+	return TypeHTTPS
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (r *HTTPSResource) GoString() string {
+	return "dnsmessage.HTTPSResource{SVCBResource: " + r.SVCBResource.GoString() + "}"
+}
+
+// GetParam returns a parameter value by key.
+func (r *SVCBResource) GetParam(key SVCParamKey) (value []byte, ok bool) {
+	for i := range r.Params {
+		if r.Params[i].Key == key {
+			return r.Params[i].Value, true
+		}
+		if r.Params[i].Key > key {
+			break
+		}
+	}
+	return nil, false
+}
+
+// SetParam sets a parameter value by key.
+// The Params list is kept sorted by key.
+func (r *SVCBResource) SetParam(key SVCParamKey, value []byte) {
+	i := 0
+	for i < len(r.Params) {
+		if r.Params[i].Key >= key {
+			break
+		}
+		i++
+	}
+
+	if i < len(r.Params) && r.Params[i].Key == key {
+		r.Params[i].Value = value
+		return
+	}
+
+	r.Params = slices.Insert(r.Params, i, SVCParam{Key: key, Value: value})
+}
+
+// DeleteParam deletes a parameter by key.
+// It returns true if the parameter was present.
+func (r *SVCBResource) DeleteParam(key SVCParamKey) bool {
+	for i := range r.Params {
+		if r.Params[i].Key == key {
+			r.Params = slices.Delete(r.Params, i, i+1)
+			return true
+		}
+		if r.Params[i].Key > key {
+			break
+		}
+	}
+	return false
+}
+
+// A SVCParam is a service parameter.
+type SVCParam struct {
+	Key   SVCParamKey
+	Value []byte
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (p SVCParam) GoString() string {
+	return "dnsmessage.SVCParam{" +
+		"Key: " + p.Key.GoString() + ", " +
+		"Value: []byte{" + printByteSlice(p.Value) + "}}"
+}
+
+// A SVCParamKey is a key for a service parameter.
+type SVCParamKey uint16
+
+// Values defined at https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml#dns-svcparamkeys.
+const (
+	SVCParamMandatory          SVCParamKey = 0
+	SVCParamALPN               SVCParamKey = 1
+	SVCParamNoDefaultALPN      SVCParamKey = 2
+	SVCParamPort               SVCParamKey = 3
+	SVCParamIPv4Hint           SVCParamKey = 4
+	SVCParamECH                SVCParamKey = 5
+	SVCParamIPv6Hint           SVCParamKey = 6
+	SVCParamDOHPath            SVCParamKey = 7
+	SVCParamOHTTP              SVCParamKey = 8
+	SVCParamTLSSupportedGroups SVCParamKey = 9
+)
+
+var svcParamKeyNames = map[SVCParamKey]string{
+	SVCParamMandatory:          "Mandatory",
+	SVCParamALPN:               "ALPN",
+	SVCParamNoDefaultALPN:      "NoDefaultALPN",
+	SVCParamPort:               "Port",
+	SVCParamIPv4Hint:           "IPv4Hint",
+	SVCParamECH:                "ECH",
+	SVCParamIPv6Hint:           "IPv6Hint",
+	SVCParamDOHPath:            "DOHPath",
+	SVCParamOHTTP:              "OHTTP",
+	SVCParamTLSSupportedGroups: "TLSSupportedGroups",
+}
+
+// String implements fmt.Stringer.String.
+func (k SVCParamKey) String() string {
+	if n, ok := svcParamKeyNames[k]; ok {
+		return n
+	}
+	return printUint16(uint16(k))
+}
+
+// GoString implements fmt.GoStringer.GoString.
+func (k SVCParamKey) GoString() string {
+	if n, ok := svcParamKeyNames[k]; ok {
+		return "dnsmessage.SVCParam" + n
+	}
+	return printUint16(uint16(k))
+}
+
+func (r *SVCBResource) pack(msg []byte, _ map[string]uint16, _ int) ([]byte, error) {
+	oldMsg := msg
+	msg = packUint16(msg, r.Priority)
+	// https://datatracker.ietf.org/doc/html/rfc3597#section-4 prohibits name
+	// compression for RR types that are not "well-known".
+	// https://datatracker.ietf.org/doc/html/rfc9460#section-2.2 explicitly states that
+	// compression of the Target is prohibited, following RFC 3597.
+	msg, err := r.Target.pack(msg, nil, 0)
+	if err != nil {
+		return oldMsg, &nestedError{"SVCBResource.Target", err}
+	}
+	var previousKey SVCParamKey
+	for i, param := range r.Params {
+		if i > 0 && param.Key <= previousKey {
+			return oldMsg, &nestedError{"SVCBResource.Params", errParamOutOfOrder}
+		}
+		if len(param.Value) > math.MaxUint16 {
+			return oldMsg, &nestedError{"SVCBResource.Params", errTooLongSVCBValue}
+		}
+		msg = packUint16(msg, uint16(param.Key))
+		msg = packUint16(msg, uint16(len(param.Value)))
+		msg = append(msg, param.Value...)
+	}
+	return msg, nil
+}
+
+func unpackSVCBResource(msg []byte, off int, length uint16) (SVCBResource, error) {
+	// Wire format reference: https://www.rfc-editor.org/rfc/rfc9460.html#section-2.2.
+	r := SVCBResource{}
+	paramsOff := off
+	bodyEnd := off + int(length)
+
+	var err error
+	if r.Priority, paramsOff, err = unpackUint16(msg, paramsOff); err != nil {
+		return SVCBResource{}, &nestedError{"Priority", err}
+	}
+
+	if paramsOff, err = r.Target.unpack(msg, paramsOff); err != nil {
+		return SVCBResource{}, &nestedError{"Target", err}
+	}
+
+	// Two-pass parsing to avoid allocations.
+	// First, count the number of params.
+	n := 0
+	var totalValueLen uint16
+	off = paramsOff
+	var previousKey uint16
+	for off < bodyEnd {
+		var key, len uint16
+		if key, off, err = unpackUint16(msg, off); err != nil {
+			return SVCBResource{}, &nestedError{"Params key", err}
+		}
+		if n > 0 && key <= previousKey {
+			// As per https://www.rfc-editor.org/rfc/rfc9460.html#section-2.2, clients MUST
+			// consider the RR malformed if the SvcParamKeys are not in strictly increasing numeric order
+			return SVCBResource{}, &nestedError{"Params", errParamOutOfOrder}
+		}
+		if len, off, err = unpackUint16(msg, off); err != nil {
+			return SVCBResource{}, &nestedError{"Params value length", err}
+		}
+		if off+int(len) > bodyEnd {
+			return SVCBResource{}, errResourceLen
+		}
+		totalValueLen += len
+		off += int(len)
+		n++
+	}
+	if off != bodyEnd {
+		return SVCBResource{}, errResourceLen
+	}
+
+	// Second, fill in the params.
+	r.Params = make([]SVCParam, n)
+	// valuesBuf is used to hold all param values to reduce allocations.
+	// Each param's Value slice will point into this buffer.
+	valuesBuf := make([]byte, totalValueLen)
+	off = paramsOff
+	for i := 0; i < n; i++ {
+		p := &r.Params[i]
+		var key, len uint16
+		if key, off, err = unpackUint16(msg, off); err != nil {
+			return SVCBResource{}, &nestedError{"param key", err}
+		}
+		p.Key = SVCParamKey(key)
+		if len, off, err = unpackUint16(msg, off); err != nil {
+			return SVCBResource{}, &nestedError{"param length", err}
+		}
+		if copy(valuesBuf, msg[off:off+int(len)]) != int(len) {
+			return SVCBResource{}, &nestedError{"param value", errCalcLen}
+		}
+		p.Value = valuesBuf[:len:len]
+		valuesBuf = valuesBuf[len:]
+		off += int(len)
+	}
+
+	return r, nil
+}
+
+// genericSVCBResource parses a single Resource Record compatible with SVCB.
+func (p *Parser) genericSVCBResource(svcbType Type) (SVCBResource, error) {
+	if !p.resHeaderValid || p.resHeaderType != svcbType {
+		return SVCBResource{}, ErrNotStarted
+	}
+	r, err := unpackSVCBResource(p.msg, p.off, p.resHeaderLength)
+	if err != nil {
+		return SVCBResource{}, err
+	}
+	p.off += int(p.resHeaderLength)
+	p.resHeaderValid = false
+	p.index++
+	return r, nil
+}
+
+// SVCBResource parses a single SVCBResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) SVCBResource() (SVCBResource, error) {
+	return p.genericSVCBResource(TypeSVCB)
+}
+
+// HTTPSResource parses a single HTTPSResource.
+//
+// One of the XXXHeader methods must have been called before calling this
+// method.
+func (p *Parser) HTTPSResource() (HTTPSResource, error) {
+	svcb, err := p.genericSVCBResource(TypeHTTPS)
+	if err != nil {
+		return HTTPSResource{}, err
+	}
+	return HTTPSResource{svcb}, nil
+}
+
+// genericSVCBResource is the generic implementation for adding SVCB-like resources.
+func (b *Builder) genericSVCBResource(h ResourceHeader, r SVCBResource) error {
+	if err := b.checkResourceSection(); err != nil {
+		return err
+	}
+	msg, lenOff, err := h.pack(b.msg, b.compression, b.start)
+	if err != nil {
+		return &nestedError{"ResourceHeader", err}
+	}
+	preLen := len(msg)
+	if msg, err = r.pack(msg, b.compression, b.start); err != nil {
+		return &nestedError{"ResourceBody", err}
+	}
+	if err := h.fixLen(msg, lenOff, preLen); err != nil {
+		return err
+	}
+	if err := b.incrementSectionCount(); err != nil {
+		return err
+	}
+	b.msg = msg
+	return nil
+}
+
+// SVCBResource adds a single SVCBResource.
+func (b *Builder) SVCBResource(h ResourceHeader, r SVCBResource) error {
+	h.Type = r.realType()
+	return b.genericSVCBResource(h, r)
+}
+
+// HTTPSResource adds a single HTTPSResource.
+func (b *Builder) HTTPSResource(h ResourceHeader, r HTTPSResource) error {
+	h.Type = r.realType()
+	return b.genericSVCBResource(h, r.SVCBResource)
+}
diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
index 04c6bec210737..12f227370625a 100644
--- a/vendor/golang.org/x/net/html/escape.go
+++ b/vendor/golang.org/x/net/html/escape.go
@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
 		case '\r':
 			esc = "&#13;"
 		default:
-			panic("unrecognized escape character")
+			panic("html: unrecognized escape character")
 		}
 		s = s[i+1:]
 		if _, err := w.WriteString(esc); err != nil {
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 518ee4c94e749..88fc0056a347b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
 					return -1
 				}
 			default:
-				panic("unreachable")
+				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
 			}
 		}
 		switch s {
@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
 				return
 			}
 		default:
-			panic("unreachable")
+			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
 		}
 	}
 }
@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
 	}
 
 	if n.Type == ElementNode {
-		p.oe = append(p.oe, n)
+		p.insertOpenElement(n)
+	}
+}
+
+func (p *parser) insertOpenElement(n *Node) {
+	p.oe = append(p.oe, n)
+	if len(p.oe) > 512 {
+		panic("html: open stack of elements exceeds 512 nodes")
 	}
 }
 
@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
 			p.im = inFramesetIM
 			return true
 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
-			p.oe = append(p.oe, p.head)
+			p.insertOpenElement(p.head)
 			defer p.oe.remove(p.head)
 			return inHeadIM(p)
 		case a.Head:
@@ -1678,7 +1685,7 @@ func inTableBodyIM(p *parser) bool {
 	return inTableIM(p)
 }
 
-// Section 12.2.6.4.14.
+// Section 13.2.6.4.14.
 func inRowIM(p *parser) bool {
 	switch p.tok.Type {
 	case StartTagToken:
@@ -1690,7 +1697,9 @@ func inRowIM(p *parser) bool {
 			p.im = inCellIM
 			return true
 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return false
 			}
@@ -1700,22 +1709,28 @@ func inRowIM(p *parser) bool {
 	case EndTagToken:
 		switch p.tok.DataAtom {
 		case a.Tr:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return true
 			}
 			// Ignore the token.
 			return true
 		case a.Table:
-			if p.popUntil(tableScope, a.Tr) {
+			if p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
 				p.im = inTableBodyIM
 				return false
 			}
 			// Ignore the token.
 			return true
 		case a.Tbody, a.Tfoot, a.Thead:
-			if p.elementInScope(tableScope, p.tok.DataAtom) {
-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
+			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
+				p.clearStackToContext(tableRowScope)
+				p.oe.pop()
+				p.im = inTableBodyIM
 				return false
 			}
 			// Ignore the token.
@@ -2222,16 +2237,20 @@ func parseForeignContent(p *parser) bool {
 			p.acknowledgeSelfClosingTag()
 		}
 	case EndTagToken:
+		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
+			p.oe = p.oe[:len(p.oe)-1]
+			return true
+		}
 		for i := len(p.oe) - 1; i >= 0; i-- {
-			if p.oe[i].Namespace == "" {
-				return p.im(p)
-			}
 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
 				p.oe = p.oe[:i]
+				return true
+			}
+			if i > 0 && p.oe[i-1].Namespace == "" {
 				break
 			}
 		}
-		return true
+		return p.im(p)
 	default:
 		// Ignore the token.
 	}
@@ -2312,9 +2331,13 @@ func (p *parser) parseCurrentToken() {
 	}
 }
 
-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+	defer func() {
+		if panicErr := recover(); panicErr != nil {
+			err = fmt.Errorf("%s", panicErr)
+		}
+	}()
 	// Iterate until EOF. Any other error will cause an early return.
-	var err error
 	for err != io.EOF {
 		// CDATA sections are allowed only in foreign content.
 		n := p.oe.top()
@@ -2343,6 +2366,8 @@ func (p *parser) parse() error {
 // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
 // with no corresponding node in the resulting tree.
 //
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
 // The input is assumed to be UTF-8 encoded.
 func Parse(r io.Reader) (*Node, error) {
 	return ParseWithOptions(r)
diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
index e8c12334553d5..0157d89e1fda1 100644
--- a/vendor/golang.org/x/net/html/render.go
+++ b/vendor/golang.org/x/net/html/render.go
@@ -184,7 +184,7 @@ func render1(w writer, n *Node) error {
 		return err
 	}
 
-	// Add initial newline where there is danger of a newline beging ignored.
+	// Add initial newline where there is danger of a newline being ignored.
 	if c := n.FirstChild; c != nil && c.Type == TextNode && strings.HasPrefix(c.Data, "\n") {
 		switch n.Data {
 		case "pre", "listing", "textarea":
diff --git a/vendor/golang.org/x/net/http2/config.go b/vendor/golang.org/x/net/http2/config.go
index ca645d9a1aff0..8a7a89d016ed6 100644
--- a/vendor/golang.org/x/net/http2/config.go
+++ b/vendor/golang.org/x/net/http2/config.go
@@ -27,6 +27,7 @@ import (
 //   - If the resulting value is zero or out of range, use a default.
 type http2Config struct {
 	MaxConcurrentStreams         uint32
+	StrictMaxConcurrentRequests  bool
 	MaxDecoderHeaderTableSize    uint32
 	MaxEncoderHeaderTableSize    uint32
 	MaxReadFrameSize             uint32
@@ -55,7 +56,7 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config {
 		PermitProhibitedCipherSuites: h2.PermitProhibitedCipherSuites,
 		CountError:                   h2.CountError,
 	}
-	fillNetHTTPServerConfig(&conf, h1)
+	fillNetHTTPConfig(&conf, h1.HTTP2)
 	setConfigDefaults(&conf, true)
 	return conf
 }
@@ -64,12 +65,13 @@ func configFromServer(h1 *http.Server, h2 *Server) http2Config {
 // (the net/http Transport).
 func configFromTransport(h2 *Transport) http2Config {
 	conf := http2Config{
-		MaxEncoderHeaderTableSize: h2.MaxEncoderHeaderTableSize,
-		MaxDecoderHeaderTableSize: h2.MaxDecoderHeaderTableSize,
-		MaxReadFrameSize:          h2.MaxReadFrameSize,
-		SendPingTimeout:           h2.ReadIdleTimeout,
-		PingTimeout:               h2.PingTimeout,
-		WriteByteTimeout:          h2.WriteByteTimeout,
+		StrictMaxConcurrentRequests: h2.StrictMaxConcurrentStreams,
+		MaxEncoderHeaderTableSize:   h2.MaxEncoderHeaderTableSize,
+		MaxDecoderHeaderTableSize:   h2.MaxDecoderHeaderTableSize,
+		MaxReadFrameSize:            h2.MaxReadFrameSize,
+		SendPingTimeout:             h2.ReadIdleTimeout,
+		PingTimeout:                 h2.PingTimeout,
+		WriteByteTimeout:            h2.WriteByteTimeout,
 	}
 
 	// Unlike most config fields, where out-of-range values revert to the default,
@@ -81,7 +83,7 @@ func configFromTransport(h2 *Transport) http2Config {
 	}
 
 	if h2.t1 != nil {
-		fillNetHTTPTransportConfig(&conf, h2.t1)
+		fillNetHTTPConfig(&conf, h2.t1.HTTP2)
 	}
 	setConfigDefaults(&conf, false)
 	return conf
@@ -120,3 +122,48 @@ func adjustHTTP1MaxHeaderSize(n int64) int64 {
 	const typicalHeaders = 10   // conservative
 	return n + typicalHeaders*perFieldOverhead
 }
+
+func fillNetHTTPConfig(conf *http2Config, h2 *http.HTTP2Config) {
+	if h2 == nil {
+		return
+	}
+	if h2.MaxConcurrentStreams != 0 {
+		conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
+	}
+	if http2ConfigStrictMaxConcurrentRequests(h2) {
+		conf.StrictMaxConcurrentRequests = true
+	}
+	if h2.MaxEncoderHeaderTableSize != 0 {
+		conf.MaxEncoderHeaderTableSize = uint32(h2.MaxEncoderHeaderTableSize)
+	}
+	if h2.MaxDecoderHeaderTableSize != 0 {
+		conf.MaxDecoderHeaderTableSize = uint32(h2.MaxDecoderHeaderTableSize)
+	}
+	if h2.MaxConcurrentStreams != 0 {
+		conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
+	}
+	if h2.MaxReadFrameSize != 0 {
+		conf.MaxReadFrameSize = uint32(h2.MaxReadFrameSize)
+	}
+	if h2.MaxReceiveBufferPerConnection != 0 {
+		conf.MaxUploadBufferPerConnection = int32(h2.MaxReceiveBufferPerConnection)
+	}
+	if h2.MaxReceiveBufferPerStream != 0 {
+		conf.MaxUploadBufferPerStream = int32(h2.MaxReceiveBufferPerStream)
+	}
+	if h2.SendPingTimeout != 0 {
+		conf.SendPingTimeout = h2.SendPingTimeout
+	}
+	if h2.PingTimeout != 0 {
+		conf.PingTimeout = h2.PingTimeout
+	}
+	if h2.WriteByteTimeout != 0 {
+		conf.WriteByteTimeout = h2.WriteByteTimeout
+	}
+	if h2.PermitProhibitedCipherSuites {
+		conf.PermitProhibitedCipherSuites = true
+	}
+	if h2.CountError != nil {
+		conf.CountError = h2.CountError
+	}
+}
diff --git a/vendor/golang.org/x/net/http2/config_go124.go b/vendor/golang.org/x/net/http2/config_go124.go
deleted file mode 100644
index 5b516c55fffd5..0000000000000
--- a/vendor/golang.org/x/net/http2/config_go124.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.24
-
-package http2
-
-import "net/http"
-
-// fillNetHTTPServerConfig sets fields in conf from srv.HTTP2.
-func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) {
-	fillNetHTTPConfig(conf, srv.HTTP2)
-}
-
-// fillNetHTTPTransportConfig sets fields in conf from tr.HTTP2.
-func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) {
-	fillNetHTTPConfig(conf, tr.HTTP2)
-}
-
-func fillNetHTTPConfig(conf *http2Config, h2 *http.HTTP2Config) {
-	if h2 == nil {
-		return
-	}
-	if h2.MaxConcurrentStreams != 0 {
-		conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
-	}
-	if h2.MaxEncoderHeaderTableSize != 0 {
-		conf.MaxEncoderHeaderTableSize = uint32(h2.MaxEncoderHeaderTableSize)
-	}
-	if h2.MaxDecoderHeaderTableSize != 0 {
-		conf.MaxDecoderHeaderTableSize = uint32(h2.MaxDecoderHeaderTableSize)
-	}
-	if h2.MaxConcurrentStreams != 0 {
-		conf.MaxConcurrentStreams = uint32(h2.MaxConcurrentStreams)
-	}
-	if h2.MaxReadFrameSize != 0 {
-		conf.MaxReadFrameSize = uint32(h2.MaxReadFrameSize)
-	}
-	if h2.MaxReceiveBufferPerConnection != 0 {
-		conf.MaxUploadBufferPerConnection = int32(h2.MaxReceiveBufferPerConnection)
-	}
-	if h2.MaxReceiveBufferPerStream != 0 {
-		conf.MaxUploadBufferPerStream = int32(h2.MaxReceiveBufferPerStream)
-	}
-	if h2.SendPingTimeout != 0 {
-		conf.SendPingTimeout = h2.SendPingTimeout
-	}
-	if h2.PingTimeout != 0 {
-		conf.PingTimeout = h2.PingTimeout
-	}
-	if h2.WriteByteTimeout != 0 {
-		conf.WriteByteTimeout = h2.WriteByteTimeout
-	}
-	if h2.PermitProhibitedCipherSuites {
-		conf.PermitProhibitedCipherSuites = true
-	}
-	if h2.CountError != nil {
-		conf.CountError = h2.CountError
-	}
-}
diff --git a/vendor/golang.org/x/net/http2/config_go125.go b/vendor/golang.org/x/net/http2/config_go125.go
new file mode 100644
index 0000000000000..b4373fe33c3df
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/config_go125.go
@@ -0,0 +1,15 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.26
+
+package http2
+
+import (
+	"net/http"
+)
+
+func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool {
+	return false
+}
diff --git a/vendor/golang.org/x/net/http2/config_go126.go b/vendor/golang.org/x/net/http2/config_go126.go
new file mode 100644
index 0000000000000..6b071c149d22f
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/config_go126.go
@@ -0,0 +1,15 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.26
+
+package http2
+
+import (
+	"net/http"
+)
+
+func http2ConfigStrictMaxConcurrentRequests(h2 *http.HTTP2Config) bool {
+	return h2.StrictMaxConcurrentRequests
+}
diff --git a/vendor/golang.org/x/net/http2/config_pre_go124.go b/vendor/golang.org/x/net/http2/config_pre_go124.go
deleted file mode 100644
index 060fd6c64c6ca..0000000000000
--- a/vendor/golang.org/x/net/http2/config_pre_go124.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.24
-
-package http2
-
-import "net/http"
-
-// Pre-Go 1.24 fallback.
-// The Server.HTTP2 and Transport.HTTP2 config fields were added in Go 1.24.
-
-func fillNetHTTPServerConfig(conf *http2Config, srv *http.Server) {}
-
-func fillNetHTTPTransportConfig(conf *http2Config, tr *http.Transport) {}
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index db3264da8cc8e..9a4bd123c95e9 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -280,6 +280,8 @@ type Framer struct {
 	// lastHeaderStream is non-zero if the last frame was an
 	// unfinished HEADERS/CONTINUATION.
 	lastHeaderStream uint32
+	// lastFrameType holds the type of the last frame for verifying frame order.
+	lastFrameType FrameType
 
 	maxReadSize uint32
 	headerBuf   [frameHeaderLen]byte
@@ -347,7 +349,7 @@ func (fr *Framer) maxHeaderListSize() uint32 {
 func (f *Framer) startWrite(ftype FrameType, flags Flags, streamID uint32) {
 	// Write the FrameHeader.
 	f.wbuf = append(f.wbuf[:0],
-		0, // 3 bytes of length, filled in in endWrite
+		0, // 3 bytes of length, filled in endWrite
 		0,
 		0,
 		byte(ftype),
@@ -488,30 +490,41 @@ func terminalReadFrameError(err error) bool {
 	return err != nil
 }
 
-// ReadFrame reads a single frame. The returned Frame is only valid
-// until the next call to ReadFrame.
+// ReadFrameHeader reads the header of the next frame.
+// It reads the 9-byte fixed frame header, and does not read any portion of the
+// frame payload. The caller is responsible for consuming the payload, either
+// with ReadFrameForHeader or directly from the Framer's io.Reader.
 //
-// If the frame is larger than previously set with SetMaxReadFrameSize, the
-// returned error is ErrFrameTooLarge. Other errors may be of type
-// ConnectionError, StreamError, or anything else from the underlying
-// reader.
+// If the frame is larger than previously set with SetMaxReadFrameSize, it
+// returns the frame header and ErrFrameTooLarge.
 //
-// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
-// indicates the stream responsible for the error.
-func (fr *Framer) ReadFrame() (Frame, error) {
+// If the returned FrameHeader.StreamID is non-zero, it indicates the stream
+// responsible for the error.
+func (fr *Framer) ReadFrameHeader() (FrameHeader, error) {
 	fr.errDetail = nil
-	if fr.lastFrame != nil {
-		fr.lastFrame.invalidate()
-	}
 	fh, err := readFrameHeader(fr.headerBuf[:], fr.r)
 	if err != nil {
-		return nil, err
+		return fh, err
 	}
 	if fh.Length > fr.maxReadSize {
 		if fh == invalidHTTP1LookingFrameHeader() {
-			return nil, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
+			return fh, fmt.Errorf("http2: failed reading the frame payload: %w, note that the frame header looked like an HTTP/1.1 header", ErrFrameTooLarge)
 		}
-		return nil, ErrFrameTooLarge
+		return fh, ErrFrameTooLarge
+	}
+	if err := fr.checkFrameOrder(fh); err != nil {
+		return fh, err
+	}
+	return fh, nil
+}
+
+// ReadFrameForHeader reads the payload for the frame with the given FrameHeader.
+//
+// It behaves identically to ReadFrame, other than not checking the maximum
+// frame size.
+func (fr *Framer) ReadFrameForHeader(fh FrameHeader) (Frame, error) {
+	if fr.lastFrame != nil {
+		fr.lastFrame.invalidate()
 	}
 	payload := fr.getReadBuf(fh.Length)
 	if _, err := io.ReadFull(fr.r, payload); err != nil {
@@ -527,9 +540,7 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 		}
 		return nil, err
 	}
-	if err := fr.checkFrameOrder(f); err != nil {
-		return nil, err
-	}
+	fr.lastFrame = f
 	if fr.logReads {
 		fr.debugReadLoggerf("http2: Framer %p: read %v", fr, summarizeFrame(f))
 	}
@@ -539,6 +550,24 @@ func (fr *Framer) ReadFrame() (Frame, error) {
 	return f, nil
 }
 
+// ReadFrame reads a single frame. The returned Frame is only valid
+// until the next call to ReadFrame or ReadFrameBodyForHeader.
+//
+// If the frame is larger than previously set with SetMaxReadFrameSize, the
+// returned error is ErrFrameTooLarge. Other errors may be of type
+// ConnectionError, StreamError, or anything else from the underlying
+// reader.
+//
+// If ReadFrame returns an error and a non-nil Frame, the Frame's StreamID
+// indicates the stream responsible for the error.
+func (fr *Framer) ReadFrame() (Frame, error) {
+	fh, err := fr.ReadFrameHeader()
+	if err != nil {
+		return nil, err
+	}
+	return fr.ReadFrameForHeader(fh)
+}
+
 // connError returns ConnectionError(code) but first
 // stashes away a public reason to the caller can optionally relay it
 // to the peer before hanging up on them. This might help others debug
@@ -551,20 +580,19 @@ func (fr *Framer) connError(code ErrCode, reason string) error {
 // checkFrameOrder reports an error if f is an invalid frame to return
 // next from ReadFrame. Mostly it checks whether HEADERS and
 // CONTINUATION frames are contiguous.
-func (fr *Framer) checkFrameOrder(f Frame) error {
-	last := fr.lastFrame
-	fr.lastFrame = f
+func (fr *Framer) checkFrameOrder(fh FrameHeader) error {
+	lastType := fr.lastFrameType
+	fr.lastFrameType = fh.Type
 	if fr.AllowIllegalReads {
 		return nil
 	}
 
-	fh := f.Header()
 	if fr.lastHeaderStream != 0 {
 		if fh.Type != FrameContinuation {
 			return fr.connError(ErrCodeProtocol,
 				fmt.Sprintf("got %s for stream %d; expected CONTINUATION following %s for stream %d",
 					fh.Type, fh.StreamID,
-					last.Header().Type, fr.lastHeaderStream))
+					lastType, fr.lastHeaderStream))
 		}
 		if fh.StreamID != fr.lastHeaderStream {
 			return fr.connError(ErrCodeProtocol,
@@ -1152,7 +1180,16 @@ type PriorityFrame struct {
 	PriorityParam
 }
 
-// PriorityParam are the stream prioritzation parameters.
+var defaultRFC9218Priority = PriorityParam{
+	incremental: 0,
+	urgency:     3,
+}
+
+// Note that HTTP/2 has had two different prioritization schemes, and
+// PriorityParam struct below is a superset of both schemes. The exported
+// symbols are from RFC 7540 and the non-exported ones are from RFC 9218.
+
+// PriorityParam are the stream prioritization parameters.
 type PriorityParam struct {
 	// StreamDep is a 31-bit stream identifier for the
 	// stream that this stream depends on. Zero means no
@@ -1167,6 +1204,20 @@ type PriorityParam struct {
 	// the spec, "Add one to the value to obtain a weight between
 	// 1 and 256."
 	Weight uint8
+
+	// "The urgency (u) parameter value is Integer (see Section 3.3.1 of
+	// [STRUCTURED-FIELDS]), between 0 and 7 inclusive, in descending order of
+	// priority. The default is 3."
+	urgency uint8
+
+	// "The incremental (i) parameter value is Boolean (see Section 3.3.6 of
+	// [STRUCTURED-FIELDS]). It indicates if an HTTP response can be processed
+	// incrementally, i.e., provide some meaningful output as chunks of the
+	// response arrive."
+	//
+	// We use uint8 (i.e. 0 is false, 1 is true) instead of bool so we can
+	// avoid unnecessary type conversions and because either type takes 1 byte.
+	incremental uint8
 }
 
 func (p PriorityParam) IsZero() bool {
diff --git a/vendor/golang.org/x/net/http2/gotrack.go b/vendor/golang.org/x/net/http2/gotrack.go
index 9933c9f8c7487..9921ca096d39f 100644
--- a/vendor/golang.org/x/net/http2/gotrack.go
+++ b/vendor/golang.org/x/net/http2/gotrack.go
@@ -15,21 +15,32 @@ import (
 	"runtime"
 	"strconv"
 	"sync"
+	"sync/atomic"
 )
 
 var DebugGoroutines = os.Getenv("DEBUG_HTTP2_GOROUTINES") == "1"
 
+// Setting DebugGoroutines to false during a test to disable goroutine debugging
+// results in race detector complaints when a test leaves goroutines running before
+// returning. Tests shouldn't do this, of course, but when they do it generally shows
+// up as infrequent, hard-to-debug flakes. (See #66519.)
+//
+// Disable goroutine debugging during individual tests with an atomic bool.
+// (Note that it's safe to enable/disable debugging mid-test, so the actual race condition
+// here is harmless.)
+var disableDebugGoroutines atomic.Bool
+
 type goroutineLock uint64
 
 func newGoroutineLock() goroutineLock {
-	if !DebugGoroutines {
+	if !DebugGoroutines || disableDebugGoroutines.Load() {
 		return 0
 	}
 	return goroutineLock(curGoroutineID())
 }
 
 func (g goroutineLock) check() {
-	if !DebugGoroutines {
+	if !DebugGoroutines || disableDebugGoroutines.Load() {
 		return
 	}
 	if curGoroutineID() != uint64(g) {
@@ -38,7 +49,7 @@ func (g goroutineLock) check() {
 }
 
 func (g goroutineLock) checkNotOn() {
-	if !DebugGoroutines {
+	if !DebugGoroutines || disableDebugGoroutines.Load() {
 		return
 	}
 	if curGoroutineID() == uint64(g) {
diff --git a/vendor/golang.org/x/net/http2/http2.go b/vendor/golang.org/x/net/http2/http2.go
index ea5ae629fde0e..105fe12fefaa5 100644
--- a/vendor/golang.org/x/net/http2/http2.go
+++ b/vendor/golang.org/x/net/http2/http2.go
@@ -15,7 +15,6 @@ package http2 // import "golang.org/x/net/http2"
 
 import (
 	"bufio"
-	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -35,7 +34,6 @@ var (
 	VerboseLogs    bool
 	logFrameWrites bool
 	logFrameReads  bool
-	inTests        bool
 
 	// Enabling extended CONNECT by causes browsers to attempt to use
 	// WebSockets-over-HTTP/2. This results in problems when the server's websocket
@@ -255,15 +253,13 @@ func (cw closeWaiter) Wait() {
 // idle memory usage with many connections.
 type bufferedWriter struct {
 	_           incomparable
-	group       synctestGroupInterface // immutable
-	conn        net.Conn               // immutable
-	bw          *bufio.Writer          // non-nil when data is buffered
-	byteTimeout time.Duration          // immutable, WriteByteTimeout
+	conn        net.Conn      // immutable
+	bw          *bufio.Writer // non-nil when data is buffered
+	byteTimeout time.Duration // immutable, WriteByteTimeout
 }
 
-func newBufferedWriter(group synctestGroupInterface, conn net.Conn, timeout time.Duration) *bufferedWriter {
+func newBufferedWriter(conn net.Conn, timeout time.Duration) *bufferedWriter {
 	return &bufferedWriter{
-		group:       group,
 		conn:        conn,
 		byteTimeout: timeout,
 	}
@@ -314,24 +310,18 @@ func (w *bufferedWriter) Flush() error {
 type bufferedWriterTimeoutWriter bufferedWriter
 
 func (w *bufferedWriterTimeoutWriter) Write(p []byte) (n int, err error) {
-	return writeWithByteTimeout(w.group, w.conn, w.byteTimeout, p)
+	return writeWithByteTimeout(w.conn, w.byteTimeout, p)
 }
 
 // writeWithByteTimeout writes to conn.
 // If more than timeout passes without any bytes being written to the connection,
 // the write fails.
-func writeWithByteTimeout(group synctestGroupInterface, conn net.Conn, timeout time.Duration, p []byte) (n int, err error) {
+func writeWithByteTimeout(conn net.Conn, timeout time.Duration, p []byte) (n int, err error) {
 	if timeout <= 0 {
 		return conn.Write(p)
 	}
 	for {
-		var now time.Time
-		if group == nil {
-			now = time.Now()
-		} else {
-			now = group.Now()
-		}
-		conn.SetWriteDeadline(now.Add(timeout))
+		conn.SetWriteDeadline(time.Now().Add(timeout))
 		nn, err := conn.Write(p[n:])
 		n += nn
 		if n == len(p) || nn == 0 || !errors.Is(err, os.ErrDeadlineExceeded) {
@@ -417,14 +407,3 @@ func (s *sorter) SortStrings(ss []string) {
 // makes that struct also non-comparable, and generally doesn't add
 // any size (as long as it's first).
 type incomparable [0]func()
-
-// synctestGroupInterface is the methods of synctestGroup used by Server and Transport.
-// It's defined as an interface here to let us keep synctestGroup entirely test-only
-// and not a part of non-test builds.
-type synctestGroupInterface interface {
-	Join()
-	Now() time.Time
-	NewTimer(d time.Duration) timer
-	AfterFunc(d time.Duration, f func()) timer
-	ContextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc)
-}
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 51fca38f61d72..bdc5520ebd3e5 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -176,44 +176,15 @@ type Server struct {
 	// so that we don't embed a Mutex in this struct, which will make the
 	// struct non-copyable, which might break some callers.
 	state *serverInternalState
-
-	// Synchronization group used for testing.
-	// Outside of tests, this is nil.
-	group synctestGroupInterface
-}
-
-func (s *Server) markNewGoroutine() {
-	if s.group != nil {
-		s.group.Join()
-	}
-}
-
-func (s *Server) now() time.Time {
-	if s.group != nil {
-		return s.group.Now()
-	}
-	return time.Now()
-}
-
-// newTimer creates a new time.Timer, or a synthetic timer in tests.
-func (s *Server) newTimer(d time.Duration) timer {
-	if s.group != nil {
-		return s.group.NewTimer(d)
-	}
-	return timeTimer{time.NewTimer(d)}
-}
-
-// afterFunc creates a new time.AfterFunc timer, or a synthetic timer in tests.
-func (s *Server) afterFunc(d time.Duration, f func()) timer {
-	if s.group != nil {
-		return s.group.AfterFunc(d, f)
-	}
-	return timeTimer{time.AfterFunc(d, f)}
 }
 
 type serverInternalState struct {
 	mu          sync.Mutex
 	activeConns map[*serverConn]struct{}
+
+	// Pool of error channels. This is per-Server rather than global
+	// because channels can't be reused across synctest bubbles.
+	errChanPool sync.Pool
 }
 
 func (s *serverInternalState) registerConn(sc *serverConn) {
@@ -245,6 +216,27 @@ func (s *serverInternalState) startGracefulShutdown() {
 	s.mu.Unlock()
 }
 
+// Global error channel pool used for uninitialized Servers.
+// We use a per-Server pool when possible to avoid using channels across synctest bubbles.
+var errChanPool = sync.Pool{
+	New: func() any { return make(chan error, 1) },
+}
+
+func (s *serverInternalState) getErrChan() chan error {
+	if s == nil {
+		return errChanPool.Get().(chan error) // Server used without calling ConfigureServer
+	}
+	return s.errChanPool.Get().(chan error)
+}
+
+func (s *serverInternalState) putErrChan(ch chan error) {
+	if s == nil {
+		errChanPool.Put(ch) // Server used without calling ConfigureServer
+		return
+	}
+	s.errChanPool.Put(ch)
+}
+
 // ConfigureServer adds HTTP/2 support to a net/http Server.
 //
 // The configuration conf may be nil.
@@ -257,7 +249,10 @@ func ConfigureServer(s *http.Server, conf *Server) error {
 	if conf == nil {
 		conf = new(Server)
 	}
-	conf.state = &serverInternalState{activeConns: make(map[*serverConn]struct{})}
+	conf.state = &serverInternalState{
+		activeConns: make(map[*serverConn]struct{}),
+		errChanPool: sync.Pool{New: func() any { return make(chan error, 1) }},
+	}
 	if h1, h2 := s, conf; h2.IdleTimeout == 0 {
 		if h1.IdleTimeout != 0 {
 			h2.IdleTimeout = h1.IdleTimeout
@@ -423,6 +418,9 @@ func (o *ServeConnOpts) handler() http.Handler {
 //
 // The opts parameter is optional. If nil, default values are used.
 func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
+	if opts == nil {
+		opts = &ServeConnOpts{}
+	}
 	s.serveConn(c, opts, nil)
 }
 
@@ -438,7 +436,7 @@ func (s *Server) serveConn(c net.Conn, opts *ServeConnOpts, newf func(*serverCon
 		conn:                        c,
 		baseCtx:                     baseCtx,
 		remoteAddrStr:               c.RemoteAddr().String(),
-		bw:                          newBufferedWriter(s.group, c, conf.WriteByteTimeout),
+		bw:                          newBufferedWriter(c, conf.WriteByteTimeout),
 		handler:                     opts.handler(),
 		streams:                     make(map[uint32]*stream),
 		readFrameCh:                 make(chan readFrameResult),
@@ -638,11 +636,11 @@ type serverConn struct {
 	pingSent                    bool
 	sentPingData                [8]byte
 	goAwayCode                  ErrCode
-	shutdownTimer               timer // nil until used
-	idleTimer                   timer // nil if unused
+	shutdownTimer               *time.Timer // nil until used
+	idleTimer                   *time.Timer // nil if unused
 	readIdleTimeout             time.Duration
 	pingTimeout                 time.Duration
-	readIdleTimer               timer // nil if unused
+	readIdleTimer               *time.Timer // nil if unused
 
 	// Owned by the writeFrameAsync goroutine:
 	headerWriteBuf bytes.Buffer
@@ -687,12 +685,12 @@ type stream struct {
 	flow             outflow // limits writing from Handler to client
 	inflow           inflow  // what the client is allowed to POST/etc to us
 	state            streamState
-	resetQueued      bool  // RST_STREAM queued for write; set by sc.resetStream
-	gotTrailerHeader bool  // HEADER frame for trailers was seen
-	wroteHeaders     bool  // whether we wrote headers (not status 100)
-	readDeadline     timer // nil if unused
-	writeDeadline    timer // nil if unused
-	closeErr         error // set before cw is closed
+	resetQueued      bool        // RST_STREAM queued for write; set by sc.resetStream
+	gotTrailerHeader bool        // HEADER frame for trailers was seen
+	wroteHeaders     bool        // whether we wrote headers (not status 100)
+	readDeadline     *time.Timer // nil if unused
+	writeDeadline    *time.Timer // nil if unused
+	closeErr         error       // set before cw is closed
 
 	trailer    http.Header // accumulated trailers
 	reqTrailer http.Header // handler's Request.Trailer
@@ -848,7 +846,6 @@ type readFrameResult struct {
 // consumer is done with the frame.
 // It's run on its own goroutine.
 func (sc *serverConn) readFrames() {
-	sc.srv.markNewGoroutine()
 	gate := make(chan struct{})
 	gateDone := func() { gate <- struct{}{} }
 	for {
@@ -881,7 +878,6 @@ type frameWriteResult struct {
 // At most one goroutine can be running writeFrameAsync at a time per
 // serverConn.
 func (sc *serverConn) writeFrameAsync(wr FrameWriteRequest, wd *writeData) {
-	sc.srv.markNewGoroutine()
 	var err error
 	if wd == nil {
 		err = wr.write.writeFrame(sc)
@@ -965,22 +961,22 @@ func (sc *serverConn) serve(conf http2Config) {
 	sc.setConnState(http.StateIdle)
 
 	if sc.srv.IdleTimeout > 0 {
-		sc.idleTimer = sc.srv.afterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
+		sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
 		defer sc.idleTimer.Stop()
 	}
 
 	if conf.SendPingTimeout > 0 {
 		sc.readIdleTimeout = conf.SendPingTimeout
-		sc.readIdleTimer = sc.srv.afterFunc(conf.SendPingTimeout, sc.onReadIdleTimer)
+		sc.readIdleTimer = time.AfterFunc(conf.SendPingTimeout, sc.onReadIdleTimer)
 		defer sc.readIdleTimer.Stop()
 	}
 
 	go sc.readFrames() // closed by defer sc.conn.Close above
 
-	settingsTimer := sc.srv.afterFunc(firstSettingsTimeout, sc.onSettingsTimer)
+	settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
 	defer settingsTimer.Stop()
 
-	lastFrameTime := sc.srv.now()
+	lastFrameTime := time.Now()
 	loopNum := 0
 	for {
 		loopNum++
@@ -994,7 +990,7 @@ func (sc *serverConn) serve(conf http2Config) {
 		case res := <-sc.wroteFrameCh:
 			sc.wroteFrame(res)
 		case res := <-sc.readFrameCh:
-			lastFrameTime = sc.srv.now()
+			lastFrameTime = time.Now()
 			// Process any written frames before reading new frames from the client since a
 			// written frame could have triggered a new stream to be started.
 			if sc.writingFrameAsync {
@@ -1077,7 +1073,7 @@ func (sc *serverConn) handlePingTimer(lastFrameReadTime time.Time) {
 	}
 
 	pingAt := lastFrameReadTime.Add(sc.readIdleTimeout)
-	now := sc.srv.now()
+	now := time.Now()
 	if pingAt.After(now) {
 		// We received frames since arming the ping timer.
 		// Reset it for the next possible timeout.
@@ -1141,10 +1137,10 @@ func (sc *serverConn) readPreface() error {
 			errc <- nil
 		}
 	}()
-	timer := sc.srv.newTimer(prefaceTimeout) // TODO: configurable on *Server?
+	timer := time.NewTimer(prefaceTimeout) // TODO: configurable on *Server?
 	defer timer.Stop()
 	select {
-	case <-timer.C():
+	case <-timer.C:
 		return errPrefaceTimeout
 	case err := <-errc:
 		if err == nil {
@@ -1156,10 +1152,6 @@ func (sc *serverConn) readPreface() error {
 	}
 }
 
-var errChanPool = sync.Pool{
-	New: func() interface{} { return make(chan error, 1) },
-}
-
 var writeDataPool = sync.Pool{
 	New: func() interface{} { return new(writeData) },
 }
@@ -1167,7 +1159,7 @@ var writeDataPool = sync.Pool{
 // writeDataFromHandler writes DATA response frames from a handler on
 // the given stream.
 func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStream bool) error {
-	ch := errChanPool.Get().(chan error)
+	ch := sc.srv.state.getErrChan()
 	writeArg := writeDataPool.Get().(*writeData)
 	*writeArg = writeData{stream.id, data, endStream}
 	err := sc.writeFrameFromHandler(FrameWriteRequest{
@@ -1199,7 +1191,7 @@ func (sc *serverConn) writeDataFromHandler(stream *stream, data []byte, endStrea
 			return errStreamClosed
 		}
 	}
-	errChanPool.Put(ch)
+	sc.srv.state.putErrChan(ch)
 	if frameWriteDone {
 		writeDataPool.Put(writeArg)
 	}
@@ -1513,7 +1505,7 @@ func (sc *serverConn) goAway(code ErrCode) {
 
 func (sc *serverConn) shutDownIn(d time.Duration) {
 	sc.serveG.check()
-	sc.shutdownTimer = sc.srv.afterFunc(d, sc.onShutdownTimer)
+	sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
 }
 
 func (sc *serverConn) resetStream(se StreamError) {
@@ -2118,7 +2110,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
 	// (in Go 1.8), though. That's a more sane option anyway.
 	if sc.hs.ReadTimeout > 0 {
 		sc.conn.SetReadDeadline(time.Time{})
-		st.readDeadline = sc.srv.afterFunc(sc.hs.ReadTimeout, st.onReadTimeout)
+		st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout)
 	}
 
 	return sc.scheduleHandler(id, rw, req, handler)
@@ -2216,7 +2208,7 @@ func (sc *serverConn) newStream(id, pusherID uint32, state streamState) *stream
 	st.flow.add(sc.initialStreamSendWindowSize)
 	st.inflow.init(sc.initialStreamRecvWindowSize)
 	if sc.hs.WriteTimeout > 0 {
-		st.writeDeadline = sc.srv.afterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
+		st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
 	}
 
 	sc.streams[id] = st
@@ -2405,7 +2397,6 @@ func (sc *serverConn) handlerDone() {
 
 // Run on its own goroutine.
 func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
-	sc.srv.markNewGoroutine()
 	defer sc.sendServeMsg(handlerDoneMsg)
 	didPanic := true
 	defer func() {
@@ -2454,7 +2445,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro
 		// waiting for this frame to be written, so an http.Flush mid-handler
 		// writes out the correct value of keys, before a handler later potentially
 		// mutates it.
-		errc = errChanPool.Get().(chan error)
+		errc = sc.srv.state.getErrChan()
 	}
 	if err := sc.writeFrameFromHandler(FrameWriteRequest{
 		write:  headerData,
@@ -2466,7 +2457,7 @@ func (sc *serverConn) writeHeaders(st *stream, headerData *writeResHeaders) erro
 	if errc != nil {
 		select {
 		case err := <-errc:
-			errChanPool.Put(errc)
+			sc.srv.state.putErrChan(errc)
 			return err
 		case <-sc.doneServing:
 			return errClientDisconnected
@@ -2573,7 +2564,7 @@ func (b *requestBody) Read(p []byte) (n int, err error) {
 	if err == io.EOF {
 		b.sawEOF = true
 	}
-	if b.conn == nil && inTests {
+	if b.conn == nil {
 		return
 	}
 	b.conn.noteBodyReadFromHandler(b.stream, n, err)
@@ -2702,7 +2693,7 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 		var date string
 		if _, ok := rws.snapHeader["Date"]; !ok {
 			// TODO(bradfitz): be faster here, like net/http? measure.
-			date = rws.conn.srv.now().UTC().Format(http.TimeFormat)
+			date = time.Now().UTC().Format(http.TimeFormat)
 		}
 
 		for _, v := range rws.snapHeader["Trailer"] {
@@ -2824,7 +2815,7 @@ func (rws *responseWriterState) promoteUndeclaredTrailers() {
 
 func (w *responseWriter) SetReadDeadline(deadline time.Time) error {
 	st := w.rws.stream
-	if !deadline.IsZero() && deadline.Before(w.rws.conn.srv.now()) {
+	if !deadline.IsZero() && deadline.Before(time.Now()) {
 		// If we're setting a deadline in the past, reset the stream immediately
 		// so writes after SetWriteDeadline returns will fail.
 		st.onReadTimeout()
@@ -2840,9 +2831,9 @@ func (w *responseWriter) SetReadDeadline(deadline time.Time) error {
 		if deadline.IsZero() {
 			st.readDeadline = nil
 		} else if st.readDeadline == nil {
-			st.readDeadline = sc.srv.afterFunc(deadline.Sub(sc.srv.now()), st.onReadTimeout)
+			st.readDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onReadTimeout)
 		} else {
-			st.readDeadline.Reset(deadline.Sub(sc.srv.now()))
+			st.readDeadline.Reset(deadline.Sub(time.Now()))
 		}
 	})
 	return nil
@@ -2850,7 +2841,7 @@ func (w *responseWriter) SetReadDeadline(deadline time.Time) error {
 
 func (w *responseWriter) SetWriteDeadline(deadline time.Time) error {
 	st := w.rws.stream
-	if !deadline.IsZero() && deadline.Before(w.rws.conn.srv.now()) {
+	if !deadline.IsZero() && deadline.Before(time.Now()) {
 		// If we're setting a deadline in the past, reset the stream immediately
 		// so writes after SetWriteDeadline returns will fail.
 		st.onWriteTimeout()
@@ -2866,9 +2857,9 @@ func (w *responseWriter) SetWriteDeadline(deadline time.Time) error {
 		if deadline.IsZero() {
 			st.writeDeadline = nil
 		} else if st.writeDeadline == nil {
-			st.writeDeadline = sc.srv.afterFunc(deadline.Sub(sc.srv.now()), st.onWriteTimeout)
+			st.writeDeadline = time.AfterFunc(deadline.Sub(time.Now()), st.onWriteTimeout)
 		} else {
-			st.writeDeadline.Reset(deadline.Sub(sc.srv.now()))
+			st.writeDeadline.Reset(deadline.Sub(time.Now()))
 		}
 	})
 	return nil
@@ -3147,7 +3138,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
 		method: opts.Method,
 		url:    u,
 		header: cloneHeader(opts.Header),
-		done:   errChanPool.Get().(chan error),
+		done:   sc.srv.state.getErrChan(),
 	}
 
 	select {
@@ -3164,7 +3155,7 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
 	case <-st.cw:
 		return errStreamClosed
 	case err := <-msg.done:
-		errChanPool.Put(msg.done)
+		sc.srv.state.putErrChan(msg.done)
 		return err
 	}
 }
diff --git a/vendor/golang.org/x/net/http2/timer.go b/vendor/golang.org/x/net/http2/timer.go
deleted file mode 100644
index 0b1c17b81296d..0000000000000
--- a/vendor/golang.org/x/net/http2/timer.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-package http2
-
-import "time"
-
-// A timer is a time.Timer, as an interface which can be replaced in tests.
-type timer = interface {
-	C() <-chan time.Time
-	Reset(d time.Duration) bool
-	Stop() bool
-}
-
-// timeTimer adapts a time.Timer to the timer interface.
-type timeTimer struct {
-	*time.Timer
-}
-
-func (t timeTimer) C() <-chan time.Time { return t.Timer.C }
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index f26356b9cd914..1965913e543b4 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -9,6 +9,7 @@ package http2
 import (
 	"bufio"
 	"bytes"
+	"compress/flate"
 	"compress/gzip"
 	"context"
 	"crypto/rand"
@@ -193,50 +194,6 @@ type Transport struct {
 
 type transportTestHooks struct {
 	newclientconn func(*ClientConn)
-	group         synctestGroupInterface
-}
-
-func (t *Transport) markNewGoroutine() {
-	if t != nil && t.transportTestHooks != nil {
-		t.transportTestHooks.group.Join()
-	}
-}
-
-func (t *Transport) now() time.Time {
-	if t != nil && t.transportTestHooks != nil {
-		return t.transportTestHooks.group.Now()
-	}
-	return time.Now()
-}
-
-func (t *Transport) timeSince(when time.Time) time.Duration {
-	if t != nil && t.transportTestHooks != nil {
-		return t.now().Sub(when)
-	}
-	return time.Since(when)
-}
-
-// newTimer creates a new time.Timer, or a synthetic timer in tests.
-func (t *Transport) newTimer(d time.Duration) timer {
-	if t.transportTestHooks != nil {
-		return t.transportTestHooks.group.NewTimer(d)
-	}
-	return timeTimer{time.NewTimer(d)}
-}
-
-// afterFunc creates a new time.AfterFunc timer, or a synthetic timer in tests.
-func (t *Transport) afterFunc(d time.Duration, f func()) timer {
-	if t.transportTestHooks != nil {
-		return t.transportTestHooks.group.AfterFunc(d, f)
-	}
-	return timeTimer{time.AfterFunc(d, f)}
-}
-
-func (t *Transport) contextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) {
-	if t.transportTestHooks != nil {
-		return t.transportTestHooks.group.ContextWithTimeout(ctx, d)
-	}
-	return context.WithTimeout(ctx, d)
 }
 
 func (t *Transport) maxHeaderListSize() uint32 {
@@ -366,7 +323,7 @@ type ClientConn struct {
 	readerErr  error         // set before readerDone is closed
 
 	idleTimeout time.Duration // or 0 for never
-	idleTimer   timer
+	idleTimer   *time.Timer
 
 	mu               sync.Mutex // guards following
 	cond             *sync.Cond // hold mu; broadcast on flow/closed changes
@@ -399,6 +356,7 @@ type ClientConn struct {
 	readIdleTimeout             time.Duration
 	pingTimeout                 time.Duration
 	extendedConnectAllowed      bool
+	strictMaxConcurrentStreams  bool
 
 	// rstStreamPingsBlocked works around an unfortunate gRPC behavior.
 	// gRPC strictly limits the number of PING frames that it will receive.
@@ -534,14 +492,12 @@ func (cs *clientStream) closeReqBodyLocked() {
 	cs.reqBodyClosed = make(chan struct{})
 	reqBodyClosed := cs.reqBodyClosed
 	go func() {
-		cs.cc.t.markNewGoroutine()
 		cs.reqBody.Close()
 		close(reqBodyClosed)
 	}()
 }
 
 type stickyErrWriter struct {
-	group   synctestGroupInterface
 	conn    net.Conn
 	timeout time.Duration
 	err     *error
@@ -551,7 +507,7 @@ func (sew stickyErrWriter) Write(p []byte) (n int, err error) {
 	if *sew.err != nil {
 		return 0, *sew.err
 	}
-	n, err = writeWithByteTimeout(sew.group, sew.conn, sew.timeout, p)
+	n, err = writeWithByteTimeout(sew.conn, sew.timeout, p)
 	*sew.err = err
 	return n, err
 }
@@ -650,9 +606,9 @@ func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Res
 				backoff := float64(uint(1) << (uint(retry) - 1))
 				backoff += backoff * (0.1 * mathrand.Float64())
 				d := time.Second * time.Duration(backoff)
-				tm := t.newTimer(d)
+				tm := time.NewTimer(d)
 				select {
-				case <-tm.C():
+				case <-tm.C:
 					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
 					continue
 				case <-req.Context().Done():
@@ -699,6 +655,7 @@ var (
 	errClientConnUnusable       = errors.New("http2: client conn not usable")
 	errClientConnNotEstablished = errors.New("http2: client conn could not be established")
 	errClientConnGotGoAway      = errors.New("http2: Transport received Server's graceful shutdown GOAWAY")
+	errClientConnForceClosed    = errors.New("http2: client connection force closed via ClientConn.Close")
 )
 
 // shouldRetryRequest is called by RoundTrip when a request fails to get
@@ -829,7 +786,8 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		initialWindowSize:           65535,    // spec default
 		initialStreamRecvWindowSize: conf.MaxUploadBufferPerStream,
 		maxConcurrentStreams:        initialMaxConcurrentStreams, // "infinite", per spec. Use a smaller value until we have received server settings.
-		peerMaxHeaderListSize:       0xffffffffffffffff,          // "infinite", per spec. Use 2^64-1 instead.
+		strictMaxConcurrentStreams:  conf.StrictMaxConcurrentRequests,
+		peerMaxHeaderListSize:       0xffffffffffffffff, // "infinite", per spec. Use 2^64-1 instead.
 		streams:                     make(map[uint32]*clientStream),
 		singleUse:                   singleUse,
 		seenSettingsChan:            make(chan struct{}),
@@ -838,14 +796,11 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 		pingTimeout:                 conf.PingTimeout,
 		pings:                       make(map[[8]byte]chan struct{}),
 		reqHeaderMu:                 make(chan struct{}, 1),
-		lastActive:                  t.now(),
+		lastActive:                  time.Now(),
 	}
-	var group synctestGroupInterface
 	if t.transportTestHooks != nil {
-		t.markNewGoroutine()
 		t.transportTestHooks.newclientconn(cc)
 		c = cc.tconn
-		group = t.group
 	}
 	if VerboseLogs {
 		t.vlogf("http2: Transport creating client conn %p to %v", cc, c.RemoteAddr())
@@ -857,7 +812,6 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 	// TODO: adjust this writer size to account for frame size +
 	// MTU + crypto/tls record padding.
 	cc.bw = bufio.NewWriter(stickyErrWriter{
-		group:   group,
 		conn:    c,
 		timeout: conf.WriteByteTimeout,
 		err:     &cc.werr,
@@ -906,7 +860,7 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 	// Start the idle timer after the connection is fully initialized.
 	if d := t.idleConnTimeout(); d != 0 {
 		cc.idleTimeout = d
-		cc.idleTimer = t.afterFunc(d, cc.onIdleTimeout)
+		cc.idleTimer = time.AfterFunc(d, cc.onIdleTimeout)
 	}
 
 	go cc.readLoop()
@@ -917,7 +871,7 @@ func (cc *ClientConn) healthCheck() {
 	pingTimeout := cc.pingTimeout
 	// We don't need to periodically ping in the health check, because the readLoop of ClientConn will
 	// trigger the healthCheck again if there is no frame received.
-	ctx, cancel := cc.t.contextWithTimeout(context.Background(), pingTimeout)
+	ctx, cancel := context.WithTimeout(context.Background(), pingTimeout)
 	defer cancel()
 	cc.vlogf("http2: Transport sending health check")
 	err := cc.Ping(ctx)
@@ -1067,7 +1021,7 @@ func (cc *ClientConn) idleStateLocked() (st clientConnIdleState) {
 		return
 	}
 	var maxConcurrentOkay bool
-	if cc.t.StrictMaxConcurrentStreams {
+	if cc.strictMaxConcurrentStreams {
 		// We'll tell the caller we can take a new request to
 		// prevent the caller from dialing a new TCP
 		// connection, but then we'll block later before
@@ -1120,7 +1074,7 @@ func (cc *ClientConn) tooIdleLocked() bool {
 	// times are compared based on their wall time. We don't want
 	// to reuse a connection that's been sitting idle during
 	// VM/laptop suspend if monotonic time was also frozen.
-	return cc.idleTimeout != 0 && !cc.lastIdle.IsZero() && cc.t.timeSince(cc.lastIdle.Round(0)) > cc.idleTimeout
+	return cc.idleTimeout != 0 && !cc.lastIdle.IsZero() && time.Since(cc.lastIdle.Round(0)) > cc.idleTimeout
 }
 
 // onIdleTimeout is called from a time.AfterFunc goroutine. It will
@@ -1186,7 +1140,6 @@ func (cc *ClientConn) Shutdown(ctx context.Context) error {
 	done := make(chan struct{})
 	cancelled := false // guarded by cc.mu
 	go func() {
-		cc.t.markNewGoroutine()
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
 		for {
@@ -1257,8 +1210,7 @@ func (cc *ClientConn) closeForError(err error) {
 //
 // In-flight requests are interrupted. For a graceful shutdown, use Shutdown instead.
 func (cc *ClientConn) Close() error {
-	err := errors.New("http2: client connection force closed via ClientConn.Close")
-	cc.closeForError(err)
+	cc.closeForError(errClientConnForceClosed)
 	return nil
 }
 
@@ -1427,7 +1379,6 @@ func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream))
 //
 // It sends the request and performs post-request cleanup (closing Request.Body, etc.).
 func (cs *clientStream) doRequest(req *http.Request, streamf func(*clientStream)) {
-	cs.cc.t.markNewGoroutine()
 	err := cs.writeRequest(req, streamf)
 	cs.cleanupWriteRequest(err)
 }
@@ -1558,9 +1509,9 @@ func (cs *clientStream) writeRequest(req *http.Request, streamf func(*clientStre
 	var respHeaderTimer <-chan time.Time
 	var respHeaderRecv chan struct{}
 	if d := cc.responseHeaderTimeout(); d != 0 {
-		timer := cc.t.newTimer(d)
+		timer := time.NewTimer(d)
 		defer timer.Stop()
-		respHeaderTimer = timer.C()
+		respHeaderTimer = timer.C
 		respHeaderRecv = cs.respHeaderRecv
 	}
 	// Wait until the peer half-closes its end of the stream,
@@ -1753,7 +1704,7 @@ func (cc *ClientConn) awaitOpenSlotForStreamLocked(cs *clientStream) error {
 			// Return a fatal error which aborts the retry loop.
 			return errClientConnNotEstablished
 		}
-		cc.lastActive = cc.t.now()
+		cc.lastActive = time.Now()
 		if cc.closed || !cc.canTakeNewRequestLocked() {
 			return errClientConnUnusable
 		}
@@ -2092,10 +2043,10 @@ func (cc *ClientConn) forgetStreamID(id uint32) {
 	if len(cc.streams) != slen-1 {
 		panic("forgetting unknown stream id")
 	}
-	cc.lastActive = cc.t.now()
+	cc.lastActive = time.Now()
 	if len(cc.streams) == 0 && cc.idleTimer != nil {
 		cc.idleTimer.Reset(cc.idleTimeout)
-		cc.lastIdle = cc.t.now()
+		cc.lastIdle = time.Now()
 	}
 	// Wake up writeRequestBody via clientStream.awaitFlowControl and
 	// wake up RoundTrip if there is a pending request.
@@ -2121,7 +2072,6 @@ type clientConnReadLoop struct {
 
 // readLoop runs in its own goroutine and reads and dispatches frames.
 func (cc *ClientConn) readLoop() {
-	cc.t.markNewGoroutine()
 	rl := &clientConnReadLoop{cc: cc}
 	defer rl.cleanup()
 	cc.readerErr = rl.run()
@@ -2188,9 +2138,9 @@ func (rl *clientConnReadLoop) cleanup() {
 	if cc.idleTimeout > 0 && unusedWaitTime > cc.idleTimeout {
 		unusedWaitTime = cc.idleTimeout
 	}
-	idleTime := cc.t.now().Sub(cc.lastActive)
+	idleTime := time.Now().Sub(cc.lastActive)
 	if atomic.LoadUint32(&cc.atomicReused) == 0 && idleTime < unusedWaitTime && !cc.closedOnIdle {
-		cc.idleTimer = cc.t.afterFunc(unusedWaitTime-idleTime, func() {
+		cc.idleTimer = time.AfterFunc(unusedWaitTime-idleTime, func() {
 			cc.t.connPool().MarkDead(cc)
 		})
 	} else {
@@ -2250,9 +2200,9 @@ func (rl *clientConnReadLoop) run() error {
 	cc := rl.cc
 	gotSettings := false
 	readIdleTimeout := cc.readIdleTimeout
-	var t timer
+	var t *time.Timer
 	if readIdleTimeout != 0 {
-		t = cc.t.afterFunc(readIdleTimeout, cc.healthCheck)
+		t = time.AfterFunc(readIdleTimeout, cc.healthCheck)
 	}
 	for {
 		f, err := cc.fr.ReadFrame()
@@ -2998,7 +2948,6 @@ func (cc *ClientConn) Ping(ctx context.Context) error {
 	var pingError error
 	errc := make(chan struct{})
 	go func() {
-		cc.t.markNewGoroutine()
 		cc.wmu.Lock()
 		defer cc.wmu.Unlock()
 		if pingError = cc.fr.WritePing(false, p); pingError != nil {
@@ -3128,35 +3077,102 @@ type erringRoundTripper struct{ err error }
 func (rt erringRoundTripper) RoundTripErr() error                             { return rt.err }
 func (rt erringRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return nil, rt.err }
 
+var errConcurrentReadOnResBody = errors.New("http2: concurrent read on response body")
+
 // gzipReader wraps a response body so it can lazily
-// call gzip.NewReader on the first call to Read
+// get gzip.Reader from the pool on the first call to Read.
+// After Close is called it puts gzip.Reader to the pool immediately
+// if there is no Read in progress or later when Read completes.
 type gzipReader struct {
 	_    incomparable
 	body io.ReadCloser // underlying Response.Body
-	zr   *gzip.Reader  // lazily-initialized gzip reader
-	zerr error         // sticky error
+	mu   sync.Mutex    // guards zr and zerr
+	zr   *gzip.Reader  // stores gzip reader from the pool between reads
+	zerr error         // sticky gzip reader init error or sentinel value to detect concurrent read and read after close
 }
 
-func (gz *gzipReader) Read(p []byte) (n int, err error) {
+type eofReader struct{}
+
+func (eofReader) Read([]byte) (int, error) { return 0, io.EOF }
+func (eofReader) ReadByte() (byte, error)  { return 0, io.EOF }
+
+var gzipPool = sync.Pool{New: func() any { return new(gzip.Reader) }}
+
+// gzipPoolGet gets a gzip.Reader from the pool and resets it to read from r.
+func gzipPoolGet(r io.Reader) (*gzip.Reader, error) {
+	zr := gzipPool.Get().(*gzip.Reader)
+	if err := zr.Reset(r); err != nil {
+		gzipPoolPut(zr)
+		return nil, err
+	}
+	return zr, nil
+}
+
+// gzipPoolPut puts a gzip.Reader back into the pool.
+func gzipPoolPut(zr *gzip.Reader) {
+	// Reset will allocate bufio.Reader if we pass it anything
+	// other than a flate.Reader, so ensure that it's getting one.
+	var r flate.Reader = eofReader{}
+	zr.Reset(r)
+	gzipPool.Put(zr)
+}
+
+// acquire returns a gzip.Reader for reading response body.
+// The reader must be released after use.
+func (gz *gzipReader) acquire() (*gzip.Reader, error) {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
 	if gz.zerr != nil {
-		return 0, gz.zerr
+		return nil, gz.zerr
 	}
 	if gz.zr == nil {
-		gz.zr, err = gzip.NewReader(gz.body)
-		if err != nil {
-			gz.zerr = err
-			return 0, err
+		gz.zr, gz.zerr = gzipPoolGet(gz.body)
+		if gz.zerr != nil {
+			return nil, gz.zerr
 		}
 	}
-	return gz.zr.Read(p)
+	ret := gz.zr
+	gz.zr, gz.zerr = nil, errConcurrentReadOnResBody
+	return ret, nil
 }
 
-func (gz *gzipReader) Close() error {
-	if err := gz.body.Close(); err != nil {
-		return err
+// release returns the gzip.Reader to the pool if Close was called during Read.
+func (gz *gzipReader) release(zr *gzip.Reader) {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
+	if gz.zerr == errConcurrentReadOnResBody {
+		gz.zr, gz.zerr = zr, nil
+	} else { // fs.ErrClosed
+		gzipPoolPut(zr)
+	}
+}
+
+// close returns the gzip.Reader to the pool immediately or
+// signals release to do so after Read completes.
+func (gz *gzipReader) close() {
+	gz.mu.Lock()
+	defer gz.mu.Unlock()
+	if gz.zerr == nil && gz.zr != nil {
+		gzipPoolPut(gz.zr)
+		gz.zr = nil
 	}
 	gz.zerr = fs.ErrClosed
-	return nil
+}
+
+func (gz *gzipReader) Read(p []byte) (n int, err error) {
+	zr, err := gz.acquire()
+	if err != nil {
+		return 0, err
+	}
+	defer gz.release(zr)
+
+	return zr.Read(p)
+}
+
+func (gz *gzipReader) Close() error {
+	gz.close()
+
+	return gz.body.Close()
 }
 
 type errorReader struct{ err error }
@@ -3228,7 +3244,7 @@ func traceGotConn(req *http.Request, cc *ClientConn, reused bool) {
 	cc.mu.Lock()
 	ci.WasIdle = len(cc.streams) == 0 && reused
 	if ci.WasIdle && !cc.lastActive.IsZero() {
-		ci.IdleTime = cc.t.timeSince(cc.lastActive)
+		ci.IdleTime = time.Since(cc.lastActive)
 	}
 	cc.mu.Unlock()
 
diff --git a/vendor/golang.org/x/net/http2/writesched.go b/vendor/golang.org/x/net/http2/writesched.go
index cc893adc29afb..7de27be525094 100644
--- a/vendor/golang.org/x/net/http2/writesched.go
+++ b/vendor/golang.org/x/net/http2/writesched.go
@@ -42,6 +42,8 @@ type OpenStreamOptions struct {
 	// PusherID is zero if the stream was initiated by the client. Otherwise,
 	// PusherID names the stream that pushed the newly opened stream.
 	PusherID uint32
+	// priority is used to set the priority of the newly opened stream.
+	priority PriorityParam
 }
 
 // FrameWriteRequest is a request to write a frame.
@@ -183,45 +185,75 @@ func (wr *FrameWriteRequest) replyToWriter(err error) {
 }
 
 // writeQueue is used by implementations of WriteScheduler.
+//
+// Each writeQueue contains a queue of FrameWriteRequests, meant to store all
+// FrameWriteRequests associated with a given stream. This is implemented as a
+// two-stage queue: currQueue[currPos:] and nextQueue. Removing an item is done
+// by incrementing currPos of currQueue. Adding an item is done by appending it
+// to the nextQueue. If currQueue is empty when trying to remove an item, we
+// can swap currQueue and nextQueue to remedy the situation.
+// This two-stage queue is analogous to the use of two lists in Okasaki's
+// purely functional queue but without the overhead of reversing the list when
+// swapping stages.
+//
+// writeQueue also contains prev and next, this can be used by implementations
+// of WriteScheduler to construct data structures that represent the order of
+// writing between different streams (e.g. circular linked list).
 type writeQueue struct {
-	s          []FrameWriteRequest
+	currQueue []FrameWriteRequest
+	nextQueue []FrameWriteRequest
+	currPos   int
+
 	prev, next *writeQueue
 }
 
-func (q *writeQueue) empty() bool { return len(q.s) == 0 }
+func (q *writeQueue) empty() bool {
+	return (len(q.currQueue) - q.currPos + len(q.nextQueue)) == 0
+}
 
 func (q *writeQueue) push(wr FrameWriteRequest) {
-	q.s = append(q.s, wr)
+	q.nextQueue = append(q.nextQueue, wr)
 }
 
 func (q *writeQueue) shift() FrameWriteRequest {
-	if len(q.s) == 0 {
+	if q.empty() {
 		panic("invalid use of queue")
 	}
-	wr := q.s[0]
-	// TODO: less copy-happy queue.
-	copy(q.s, q.s[1:])
-	q.s[len(q.s)-1] = FrameWriteRequest{}
-	q.s = q.s[:len(q.s)-1]
+	if q.currPos >= len(q.currQueue) {
+		q.currQueue, q.currPos, q.nextQueue = q.nextQueue, 0, q.currQueue[:0]
+	}
+	wr := q.currQueue[q.currPos]
+	q.currQueue[q.currPos] = FrameWriteRequest{}
+	q.currPos++
 	return wr
 }
 
+func (q *writeQueue) peek() *FrameWriteRequest {
+	if q.currPos < len(q.currQueue) {
+		return &q.currQueue[q.currPos]
+	}
+	if len(q.nextQueue) > 0 {
+		return &q.nextQueue[0]
+	}
+	return nil
+}
+
 // consume consumes up to n bytes from q.s[0]. If the frame is
 // entirely consumed, it is removed from the queue. If the frame
 // is partially consumed, the frame is kept with the consumed
 // bytes removed. Returns true iff any bytes were consumed.
 func (q *writeQueue) consume(n int32) (FrameWriteRequest, bool) {
-	if len(q.s) == 0 {
+	if q.empty() {
 		return FrameWriteRequest{}, false
 	}
-	consumed, rest, numresult := q.s[0].Consume(n)
+	consumed, rest, numresult := q.peek().Consume(n)
 	switch numresult {
 	case 0:
 		return FrameWriteRequest{}, false
 	case 1:
 		q.shift()
 	case 2:
-		q.s[0] = rest
+		*q.peek() = rest
 	}
 	return consumed, true
 }
@@ -230,10 +262,15 @@ type writeQueuePool []*writeQueue
 
 // put inserts an unused writeQueue into the pool.
 func (p *writeQueuePool) put(q *writeQueue) {
-	for i := range q.s {
-		q.s[i] = FrameWriteRequest{}
+	for i := range q.currQueue {
+		q.currQueue[i] = FrameWriteRequest{}
+	}
+	for i := range q.nextQueue {
+		q.nextQueue[i] = FrameWriteRequest{}
 	}
-	q.s = q.s[:0]
+	q.currQueue = q.currQueue[:0]
+	q.nextQueue = q.nextQueue[:0]
+	q.currPos = 0
 	*p = append(*p, q)
 }
 
diff --git a/vendor/golang.org/x/net/http2/writesched_priority.go b/vendor/golang.org/x/net/http2/writesched_priority.go
deleted file mode 100644
index f6783339d11ed..0000000000000
--- a/vendor/golang.org/x/net/http2/writesched_priority.go
+++ /dev/null
@@ -1,451 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package http2
-
-import (
-	"fmt"
-	"math"
-	"sort"
-)
-
-// RFC 7540, Section 5.3.5: the default weight is 16.
-const priorityDefaultWeight = 15 // 16 = 15 + 1
-
-// PriorityWriteSchedulerConfig configures a priorityWriteScheduler.
-type PriorityWriteSchedulerConfig struct {
-	// MaxClosedNodesInTree controls the maximum number of closed streams to
-	// retain in the priority tree. Setting this to zero saves a small amount
-	// of memory at the cost of performance.
-	//
-	// See RFC 7540, Section 5.3.4:
-	//   "It is possible for a stream to become closed while prioritization
-	//   information ... is in transit. ... This potentially creates suboptimal
-	//   prioritization, since the stream could be given a priority that is
-	//   different from what is intended. To avoid these problems, an endpoint
-	//   SHOULD retain stream prioritization state for a period after streams
-	//   become closed. The longer state is retained, the lower the chance that
-	//   streams are assigned incorrect or default priority values."
-	MaxClosedNodesInTree int
-
-	// MaxIdleNodesInTree controls the maximum number of idle streams to
-	// retain in the priority tree. Setting this to zero saves a small amount
-	// of memory at the cost of performance.
-	//
-	// See RFC 7540, Section 5.3.4:
-	//   Similarly, streams that are in the "idle" state can be assigned
-	//   priority or become a parent of other streams. This allows for the
-	//   creation of a grouping node in the dependency tree, which enables
-	//   more flexible expressions of priority. Idle streams begin with a
-	//   default priority (Section 5.3.5).
-	MaxIdleNodesInTree int
-
-	// ThrottleOutOfOrderWrites enables write throttling to help ensure that
-	// data is delivered in priority order. This works around a race where
-	// stream B depends on stream A and both streams are about to call Write
-	// to queue DATA frames. If B wins the race, a naive scheduler would eagerly
-	// write as much data from B as possible, but this is suboptimal because A
-	// is a higher-priority stream. With throttling enabled, we write a small
-	// amount of data from B to minimize the amount of bandwidth that B can
-	// steal from A.
-	ThrottleOutOfOrderWrites bool
-}
-
-// NewPriorityWriteScheduler constructs a WriteScheduler that schedules
-// frames by following HTTP/2 priorities as described in RFC 7540 Section 5.3.
-// If cfg is nil, default options are used.
-func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler {
-	if cfg == nil {
-		// For justification of these defaults, see:
-		// https://docs.google.com/document/d/1oLhNg1skaWD4_DtaoCxdSRN5erEXrH-KnLrMwEpOtFY
-		cfg = &PriorityWriteSchedulerConfig{
-			MaxClosedNodesInTree:     10,
-			MaxIdleNodesInTree:       10,
-			ThrottleOutOfOrderWrites: false,
-		}
-	}
-
-	ws := &priorityWriteScheduler{
-		nodes:                make(map[uint32]*priorityNode),
-		maxClosedNodesInTree: cfg.MaxClosedNodesInTree,
-		maxIdleNodesInTree:   cfg.MaxIdleNodesInTree,
-		enableWriteThrottle:  cfg.ThrottleOutOfOrderWrites,
-	}
-	ws.nodes[0] = &ws.root
-	if cfg.ThrottleOutOfOrderWrites {
-		ws.writeThrottleLimit = 1024
-	} else {
-		ws.writeThrottleLimit = math.MaxInt32
-	}
-	return ws
-}
-
-type priorityNodeState int
-
-const (
-	priorityNodeOpen priorityNodeState = iota
-	priorityNodeClosed
-	priorityNodeIdle
-)
-
-// priorityNode is a node in an HTTP/2 priority tree.
-// Each node is associated with a single stream ID.
-// See RFC 7540, Section 5.3.
-type priorityNode struct {
-	q            writeQueue        // queue of pending frames to write
-	id           uint32            // id of the stream, or 0 for the root of the tree
-	weight       uint8             // the actual weight is weight+1, so the value is in [1,256]
-	state        priorityNodeState // open | closed | idle
-	bytes        int64             // number of bytes written by this node, or 0 if closed
-	subtreeBytes int64             // sum(node.bytes) of all nodes in this subtree
-
-	// These links form the priority tree.
-	parent     *priorityNode
-	kids       *priorityNode // start of the kids list
-	prev, next *priorityNode // doubly-linked list of siblings
-}
-
-func (n *priorityNode) setParent(parent *priorityNode) {
-	if n == parent {
-		panic("setParent to self")
-	}
-	if n.parent == parent {
-		return
-	}
-	// Unlink from current parent.
-	if parent := n.parent; parent != nil {
-		if n.prev == nil {
-			parent.kids = n.next
-		} else {
-			n.prev.next = n.next
-		}
-		if n.next != nil {
-			n.next.prev = n.prev
-		}
-	}
-	// Link to new parent.
-	// If parent=nil, remove n from the tree.
-	// Always insert at the head of parent.kids (this is assumed by walkReadyInOrder).
-	n.parent = parent
-	if parent == nil {
-		n.next = nil
-		n.prev = nil
-	} else {
-		n.next = parent.kids
-		n.prev = nil
-		if n.next != nil {
-			n.next.prev = n
-		}
-		parent.kids = n
-	}
-}
-
-func (n *priorityNode) addBytes(b int64) {
-	n.bytes += b
-	for ; n != nil; n = n.parent {
-		n.subtreeBytes += b
-	}
-}
-
-// walkReadyInOrder iterates over the tree in priority order, calling f for each node
-// with a non-empty write queue. When f returns true, this function returns true and the
-// walk halts. tmp is used as scratch space for sorting.
-//
-// f(n, openParent) takes two arguments: the node to visit, n, and a bool that is true
-// if any ancestor p of n is still open (ignoring the root node).
-func (n *priorityNode) walkReadyInOrder(openParent bool, tmp *[]*priorityNode, f func(*priorityNode, bool) bool) bool {
-	if !n.q.empty() && f(n, openParent) {
-		return true
-	}
-	if n.kids == nil {
-		return false
-	}
-
-	// Don't consider the root "open" when updating openParent since
-	// we can't send data frames on the root stream (only control frames).
-	if n.id != 0 {
-		openParent = openParent || (n.state == priorityNodeOpen)
-	}
-
-	// Common case: only one kid or all kids have the same weight.
-	// Some clients don't use weights; other clients (like web browsers)
-	// use mostly-linear priority trees.
-	w := n.kids.weight
-	needSort := false
-	for k := n.kids.next; k != nil; k = k.next {
-		if k.weight != w {
-			needSort = true
-			break
-		}
-	}
-	if !needSort {
-		for k := n.kids; k != nil; k = k.next {
-			if k.walkReadyInOrder(openParent, tmp, f) {
-				return true
-			}
-		}
-		return false
-	}
-
-	// Uncommon case: sort the child nodes. We remove the kids from the parent,
-	// then re-insert after sorting so we can reuse tmp for future sort calls.
-	*tmp = (*tmp)[:0]
-	for n.kids != nil {
-		*tmp = append(*tmp, n.kids)
-		n.kids.setParent(nil)
-	}
-	sort.Sort(sortPriorityNodeSiblings(*tmp))
-	for i := len(*tmp) - 1; i >= 0; i-- {
-		(*tmp)[i].setParent(n) // setParent inserts at the head of n.kids
-	}
-	for k := n.kids; k != nil; k = k.next {
-		if k.walkReadyInOrder(openParent, tmp, f) {
-			return true
-		}
-	}
-	return false
-}
-
-type sortPriorityNodeSiblings []*priorityNode
-
-func (z sortPriorityNodeSiblings) Len() int      { return len(z) }
-func (z sortPriorityNodeSiblings) Swap(i, k int) { z[i], z[k] = z[k], z[i] }
-func (z sortPriorityNodeSiblings) Less(i, k int) bool {
-	// Prefer the subtree that has sent fewer bytes relative to its weight.
-	// See sections 5.3.2 and 5.3.4.
-	wi, bi := float64(z[i].weight+1), float64(z[i].subtreeBytes)
-	wk, bk := float64(z[k].weight+1), float64(z[k].subtreeBytes)
-	if bi == 0 && bk == 0 {
-		return wi >= wk
-	}
-	if bk == 0 {
-		return false
-	}
-	return bi/bk <= wi/wk
-}
-
-type priorityWriteScheduler struct {
-	// root is the root of the priority tree, where root.id = 0.
-	// The root queues control frames that are not associated with any stream.
-	root priorityNode
-
-	// nodes maps stream ids to priority tree nodes.
-	nodes map[uint32]*priorityNode
-
-	// maxID is the maximum stream id in nodes.
-	maxID uint32
-
-	// lists of nodes that have been closed or are idle, but are kept in
-	// the tree for improved prioritization. When the lengths exceed either
-	// maxClosedNodesInTree or maxIdleNodesInTree, old nodes are discarded.
-	closedNodes, idleNodes []*priorityNode
-
-	// From the config.
-	maxClosedNodesInTree int
-	maxIdleNodesInTree   int
-	writeThrottleLimit   int32
-	enableWriteThrottle  bool
-
-	// tmp is scratch space for priorityNode.walkReadyInOrder to reduce allocations.
-	tmp []*priorityNode
-
-	// pool of empty queues for reuse.
-	queuePool writeQueuePool
-}
-
-func (ws *priorityWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) {
-	// The stream may be currently idle but cannot be opened or closed.
-	if curr := ws.nodes[streamID]; curr != nil {
-		if curr.state != priorityNodeIdle {
-			panic(fmt.Sprintf("stream %d already opened", streamID))
-		}
-		curr.state = priorityNodeOpen
-		return
-	}
-
-	// RFC 7540, Section 5.3.5:
-	//  "All streams are initially assigned a non-exclusive dependency on stream 0x0.
-	//  Pushed streams initially depend on their associated stream. In both cases,
-	//  streams are assigned a default weight of 16."
-	parent := ws.nodes[options.PusherID]
-	if parent == nil {
-		parent = &ws.root
-	}
-	n := &priorityNode{
-		q:      *ws.queuePool.get(),
-		id:     streamID,
-		weight: priorityDefaultWeight,
-		state:  priorityNodeOpen,
-	}
-	n.setParent(parent)
-	ws.nodes[streamID] = n
-	if streamID > ws.maxID {
-		ws.maxID = streamID
-	}
-}
-
-func (ws *priorityWriteScheduler) CloseStream(streamID uint32) {
-	if streamID == 0 {
-		panic("violation of WriteScheduler interface: cannot close stream 0")
-	}
-	if ws.nodes[streamID] == nil {
-		panic(fmt.Sprintf("violation of WriteScheduler interface: unknown stream %d", streamID))
-	}
-	if ws.nodes[streamID].state != priorityNodeOpen {
-		panic(fmt.Sprintf("violation of WriteScheduler interface: stream %d already closed", streamID))
-	}
-
-	n := ws.nodes[streamID]
-	n.state = priorityNodeClosed
-	n.addBytes(-n.bytes)
-
-	q := n.q
-	ws.queuePool.put(&q)
-	n.q.s = nil
-	if ws.maxClosedNodesInTree > 0 {
-		ws.addClosedOrIdleNode(&ws.closedNodes, ws.maxClosedNodesInTree, n)
-	} else {
-		ws.removeNode(n)
-	}
-}
-
-func (ws *priorityWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam) {
-	if streamID == 0 {
-		panic("adjustPriority on root")
-	}
-
-	// If streamID does not exist, there are two cases:
-	// - A closed stream that has been removed (this will have ID <= maxID)
-	// - An idle stream that is being used for "grouping" (this will have ID > maxID)
-	n := ws.nodes[streamID]
-	if n == nil {
-		if streamID <= ws.maxID || ws.maxIdleNodesInTree == 0 {
-			return
-		}
-		ws.maxID = streamID
-		n = &priorityNode{
-			q:      *ws.queuePool.get(),
-			id:     streamID,
-			weight: priorityDefaultWeight,
-			state:  priorityNodeIdle,
-		}
-		n.setParent(&ws.root)
-		ws.nodes[streamID] = n
-		ws.addClosedOrIdleNode(&ws.idleNodes, ws.maxIdleNodesInTree, n)
-	}
-
-	// Section 5.3.1: A dependency on a stream that is not currently in the tree
-	// results in that stream being given a default priority (Section 5.3.5).
-	parent := ws.nodes[priority.StreamDep]
-	if parent == nil {
-		n.setParent(&ws.root)
-		n.weight = priorityDefaultWeight
-		return
-	}
-
-	// Ignore if the client tries to make a node its own parent.
-	if n == parent {
-		return
-	}
-
-	// Section 5.3.3:
-	//   "If a stream is made dependent on one of its own dependencies, the
-	//   formerly dependent stream is first moved to be dependent on the
-	//   reprioritized stream's previous parent. The moved dependency retains
-	//   its weight."
-	//
-	// That is: if parent depends on n, move parent to depend on n.parent.
-	for x := parent.parent; x != nil; x = x.parent {
-		if x == n {
-			parent.setParent(n.parent)
-			break
-		}
-	}
-
-	// Section 5.3.3: The exclusive flag causes the stream to become the sole
-	// dependency of its parent stream, causing other dependencies to become
-	// dependent on the exclusive stream.
-	if priority.Exclusive {
-		k := parent.kids
-		for k != nil {
-			next := k.next
-			if k != n {
-				k.setParent(n)
-			}
-			k = next
-		}
-	}
-
-	n.setParent(parent)
-	n.weight = priority.Weight
-}
-
-func (ws *priorityWriteScheduler) Push(wr FrameWriteRequest) {
-	var n *priorityNode
-	if wr.isControl() {
-		n = &ws.root
-	} else {
-		id := wr.StreamID()
-		n = ws.nodes[id]
-		if n == nil {
-			// id is an idle or closed stream. wr should not be a HEADERS or
-			// DATA frame. In other case, we push wr onto the root, rather
-			// than creating a new priorityNode.
-			if wr.DataSize() > 0 {
-				panic("add DATA on non-open stream")
-			}
-			n = &ws.root
-		}
-	}
-	n.q.push(wr)
-}
-
-func (ws *priorityWriteScheduler) Pop() (wr FrameWriteRequest, ok bool) {
-	ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNode, openParent bool) bool {
-		limit := int32(math.MaxInt32)
-		if openParent {
-			limit = ws.writeThrottleLimit
-		}
-		wr, ok = n.q.consume(limit)
-		if !ok {
-			return false
-		}
-		n.addBytes(int64(wr.DataSize()))
-		// If B depends on A and B continuously has data available but A
-		// does not, gradually increase the throttling limit to allow B to
-		// steal more and more bandwidth from A.
-		if openParent {
-			ws.writeThrottleLimit += 1024
-			if ws.writeThrottleLimit < 0 {
-				ws.writeThrottleLimit = math.MaxInt32
-			}
-		} else if ws.enableWriteThrottle {
-			ws.writeThrottleLimit = 1024
-		}
-		return true
-	})
-	return wr, ok
-}
-
-func (ws *priorityWriteScheduler) addClosedOrIdleNode(list *[]*priorityNode, maxSize int, n *priorityNode) {
-	if maxSize == 0 {
-		return
-	}
-	if len(*list) == maxSize {
-		// Remove the oldest node, then shift left.
-		ws.removeNode((*list)[0])
-		x := (*list)[1:]
-		copy(*list, x)
-		*list = (*list)[:len(x)]
-	}
-	*list = append(*list, n)
-}
-
-func (ws *priorityWriteScheduler) removeNode(n *priorityNode) {
-	for n.kids != nil {
-		n.kids.setParent(n.parent)
-	}
-	n.setParent(nil)
-	delete(ws.nodes, n.id)
-}
diff --git a/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
new file mode 100644
index 0000000000000..4e33c29a2445a
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go
@@ -0,0 +1,450 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"fmt"
+	"math"
+	"sort"
+)
+
+// RFC 7540, Section 5.3.5: the default weight is 16.
+const priorityDefaultWeightRFC7540 = 15 // 16 = 15 + 1
+
+// PriorityWriteSchedulerConfig configures a priorityWriteScheduler.
+type PriorityWriteSchedulerConfig struct {
+	// MaxClosedNodesInTree controls the maximum number of closed streams to
+	// retain in the priority tree. Setting this to zero saves a small amount
+	// of memory at the cost of performance.
+	//
+	// See RFC 7540, Section 5.3.4:
+	//   "It is possible for a stream to become closed while prioritization
+	//   information ... is in transit. ... This potentially creates suboptimal
+	//   prioritization, since the stream could be given a priority that is
+	//   different from what is intended. To avoid these problems, an endpoint
+	//   SHOULD retain stream prioritization state for a period after streams
+	//   become closed. The longer state is retained, the lower the chance that
+	//   streams are assigned incorrect or default priority values."
+	MaxClosedNodesInTree int
+
+	// MaxIdleNodesInTree controls the maximum number of idle streams to
+	// retain in the priority tree. Setting this to zero saves a small amount
+	// of memory at the cost of performance.
+	//
+	// See RFC 7540, Section 5.3.4:
+	//   Similarly, streams that are in the "idle" state can be assigned
+	//   priority or become a parent of other streams. This allows for the
+	//   creation of a grouping node in the dependency tree, which enables
+	//   more flexible expressions of priority. Idle streams begin with a
+	//   default priority (Section 5.3.5).
+	MaxIdleNodesInTree int
+
+	// ThrottleOutOfOrderWrites enables write throttling to help ensure that
+	// data is delivered in priority order. This works around a race where
+	// stream B depends on stream A and both streams are about to call Write
+	// to queue DATA frames. If B wins the race, a naive scheduler would eagerly
+	// write as much data from B as possible, but this is suboptimal because A
+	// is a higher-priority stream. With throttling enabled, we write a small
+	// amount of data from B to minimize the amount of bandwidth that B can
+	// steal from A.
+	ThrottleOutOfOrderWrites bool
+}
+
+// NewPriorityWriteScheduler constructs a WriteScheduler that schedules
+// frames by following HTTP/2 priorities as described in RFC 7540 Section 5.3.
+// If cfg is nil, default options are used.
+func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler {
+	if cfg == nil {
+		// For justification of these defaults, see:
+		// https://docs.google.com/document/d/1oLhNg1skaWD4_DtaoCxdSRN5erEXrH-KnLrMwEpOtFY
+		cfg = &PriorityWriteSchedulerConfig{
+			MaxClosedNodesInTree:     10,
+			MaxIdleNodesInTree:       10,
+			ThrottleOutOfOrderWrites: false,
+		}
+	}
+
+	ws := &priorityWriteSchedulerRFC7540{
+		nodes:                make(map[uint32]*priorityNodeRFC7540),
+		maxClosedNodesInTree: cfg.MaxClosedNodesInTree,
+		maxIdleNodesInTree:   cfg.MaxIdleNodesInTree,
+		enableWriteThrottle:  cfg.ThrottleOutOfOrderWrites,
+	}
+	ws.nodes[0] = &ws.root
+	if cfg.ThrottleOutOfOrderWrites {
+		ws.writeThrottleLimit = 1024
+	} else {
+		ws.writeThrottleLimit = math.MaxInt32
+	}
+	return ws
+}
+
+type priorityNodeStateRFC7540 int
+
+const (
+	priorityNodeOpenRFC7540 priorityNodeStateRFC7540 = iota
+	priorityNodeClosedRFC7540
+	priorityNodeIdleRFC7540
+)
+
+// priorityNodeRFC7540 is a node in an HTTP/2 priority tree.
+// Each node is associated with a single stream ID.
+// See RFC 7540, Section 5.3.
+type priorityNodeRFC7540 struct {
+	q            writeQueue               // queue of pending frames to write
+	id           uint32                   // id of the stream, or 0 for the root of the tree
+	weight       uint8                    // the actual weight is weight+1, so the value is in [1,256]
+	state        priorityNodeStateRFC7540 // open | closed | idle
+	bytes        int64                    // number of bytes written by this node, or 0 if closed
+	subtreeBytes int64                    // sum(node.bytes) of all nodes in this subtree
+
+	// These links form the priority tree.
+	parent     *priorityNodeRFC7540
+	kids       *priorityNodeRFC7540 // start of the kids list
+	prev, next *priorityNodeRFC7540 // doubly-linked list of siblings
+}
+
+func (n *priorityNodeRFC7540) setParent(parent *priorityNodeRFC7540) {
+	if n == parent {
+		panic("setParent to self")
+	}
+	if n.parent == parent {
+		return
+	}
+	// Unlink from current parent.
+	if parent := n.parent; parent != nil {
+		if n.prev == nil {
+			parent.kids = n.next
+		} else {
+			n.prev.next = n.next
+		}
+		if n.next != nil {
+			n.next.prev = n.prev
+		}
+	}
+	// Link to new parent.
+	// If parent=nil, remove n from the tree.
+	// Always insert at the head of parent.kids (this is assumed by walkReadyInOrder).
+	n.parent = parent
+	if parent == nil {
+		n.next = nil
+		n.prev = nil
+	} else {
+		n.next = parent.kids
+		n.prev = nil
+		if n.next != nil {
+			n.next.prev = n
+		}
+		parent.kids = n
+	}
+}
+
+func (n *priorityNodeRFC7540) addBytes(b int64) {
+	n.bytes += b
+	for ; n != nil; n = n.parent {
+		n.subtreeBytes += b
+	}
+}
+
+// walkReadyInOrder iterates over the tree in priority order, calling f for each node
+// with a non-empty write queue. When f returns true, this function returns true and the
+// walk halts. tmp is used as scratch space for sorting.
+//
+// f(n, openParent) takes two arguments: the node to visit, n, and a bool that is true
+// if any ancestor p of n is still open (ignoring the root node).
+func (n *priorityNodeRFC7540) walkReadyInOrder(openParent bool, tmp *[]*priorityNodeRFC7540, f func(*priorityNodeRFC7540, bool) bool) bool {
+	if !n.q.empty() && f(n, openParent) {
+		return true
+	}
+	if n.kids == nil {
+		return false
+	}
+
+	// Don't consider the root "open" when updating openParent since
+	// we can't send data frames on the root stream (only control frames).
+	if n.id != 0 {
+		openParent = openParent || (n.state == priorityNodeOpenRFC7540)
+	}
+
+	// Common case: only one kid or all kids have the same weight.
+	// Some clients don't use weights; other clients (like web browsers)
+	// use mostly-linear priority trees.
+	w := n.kids.weight
+	needSort := false
+	for k := n.kids.next; k != nil; k = k.next {
+		if k.weight != w {
+			needSort = true
+			break
+		}
+	}
+	if !needSort {
+		for k := n.kids; k != nil; k = k.next {
+			if k.walkReadyInOrder(openParent, tmp, f) {
+				return true
+			}
+		}
+		return false
+	}
+
+	// Uncommon case: sort the child nodes. We remove the kids from the parent,
+	// then re-insert after sorting so we can reuse tmp for future sort calls.
+	*tmp = (*tmp)[:0]
+	for n.kids != nil {
+		*tmp = append(*tmp, n.kids)
+		n.kids.setParent(nil)
+	}
+	sort.Sort(sortPriorityNodeSiblingsRFC7540(*tmp))
+	for i := len(*tmp) - 1; i >= 0; i-- {
+		(*tmp)[i].setParent(n) // setParent inserts at the head of n.kids
+	}
+	for k := n.kids; k != nil; k = k.next {
+		if k.walkReadyInOrder(openParent, tmp, f) {
+			return true
+		}
+	}
+	return false
+}
+
+type sortPriorityNodeSiblingsRFC7540 []*priorityNodeRFC7540
+
+func (z sortPriorityNodeSiblingsRFC7540) Len() int      { return len(z) }
+func (z sortPriorityNodeSiblingsRFC7540) Swap(i, k int) { z[i], z[k] = z[k], z[i] }
+func (z sortPriorityNodeSiblingsRFC7540) Less(i, k int) bool {
+	// Prefer the subtree that has sent fewer bytes relative to its weight.
+	// See sections 5.3.2 and 5.3.4.
+	wi, bi := float64(z[i].weight)+1, float64(z[i].subtreeBytes)
+	wk, bk := float64(z[k].weight)+1, float64(z[k].subtreeBytes)
+	if bi == 0 && bk == 0 {
+		return wi >= wk
+	}
+	if bk == 0 {
+		return false
+	}
+	return bi/bk <= wi/wk
+}
+
+type priorityWriteSchedulerRFC7540 struct {
+	// root is the root of the priority tree, where root.id = 0.
+	// The root queues control frames that are not associated with any stream.
+	root priorityNodeRFC7540
+
+	// nodes maps stream ids to priority tree nodes.
+	nodes map[uint32]*priorityNodeRFC7540
+
+	// maxID is the maximum stream id in nodes.
+	maxID uint32
+
+	// lists of nodes that have been closed or are idle, but are kept in
+	// the tree for improved prioritization. When the lengths exceed either
+	// maxClosedNodesInTree or maxIdleNodesInTree, old nodes are discarded.
+	closedNodes, idleNodes []*priorityNodeRFC7540
+
+	// From the config.
+	maxClosedNodesInTree int
+	maxIdleNodesInTree   int
+	writeThrottleLimit   int32
+	enableWriteThrottle  bool
+
+	// tmp is scratch space for priorityNode.walkReadyInOrder to reduce allocations.
+	tmp []*priorityNodeRFC7540
+
+	// pool of empty queues for reuse.
+	queuePool writeQueuePool
+}
+
+func (ws *priorityWriteSchedulerRFC7540) OpenStream(streamID uint32, options OpenStreamOptions) {
+	// The stream may be currently idle but cannot be opened or closed.
+	if curr := ws.nodes[streamID]; curr != nil {
+		if curr.state != priorityNodeIdleRFC7540 {
+			panic(fmt.Sprintf("stream %d already opened", streamID))
+		}
+		curr.state = priorityNodeOpenRFC7540
+		return
+	}
+
+	// RFC 7540, Section 5.3.5:
+	//  "All streams are initially assigned a non-exclusive dependency on stream 0x0.
+	//  Pushed streams initially depend on their associated stream. In both cases,
+	//  streams are assigned a default weight of 16."
+	parent := ws.nodes[options.PusherID]
+	if parent == nil {
+		parent = &ws.root
+	}
+	n := &priorityNodeRFC7540{
+		q:      *ws.queuePool.get(),
+		id:     streamID,
+		weight: priorityDefaultWeightRFC7540,
+		state:  priorityNodeOpenRFC7540,
+	}
+	n.setParent(parent)
+	ws.nodes[streamID] = n
+	if streamID > ws.maxID {
+		ws.maxID = streamID
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC7540) CloseStream(streamID uint32) {
+	if streamID == 0 {
+		panic("violation of WriteScheduler interface: cannot close stream 0")
+	}
+	if ws.nodes[streamID] == nil {
+		panic(fmt.Sprintf("violation of WriteScheduler interface: unknown stream %d", streamID))
+	}
+	if ws.nodes[streamID].state != priorityNodeOpenRFC7540 {
+		panic(fmt.Sprintf("violation of WriteScheduler interface: stream %d already closed", streamID))
+	}
+
+	n := ws.nodes[streamID]
+	n.state = priorityNodeClosedRFC7540
+	n.addBytes(-n.bytes)
+
+	q := n.q
+	ws.queuePool.put(&q)
+	if ws.maxClosedNodesInTree > 0 {
+		ws.addClosedOrIdleNode(&ws.closedNodes, ws.maxClosedNodesInTree, n)
+	} else {
+		ws.removeNode(n)
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC7540) AdjustStream(streamID uint32, priority PriorityParam) {
+	if streamID == 0 {
+		panic("adjustPriority on root")
+	}
+
+	// If streamID does not exist, there are two cases:
+	// - A closed stream that has been removed (this will have ID <= maxID)
+	// - An idle stream that is being used for "grouping" (this will have ID > maxID)
+	n := ws.nodes[streamID]
+	if n == nil {
+		if streamID <= ws.maxID || ws.maxIdleNodesInTree == 0 {
+			return
+		}
+		ws.maxID = streamID
+		n = &priorityNodeRFC7540{
+			q:      *ws.queuePool.get(),
+			id:     streamID,
+			weight: priorityDefaultWeightRFC7540,
+			state:  priorityNodeIdleRFC7540,
+		}
+		n.setParent(&ws.root)
+		ws.nodes[streamID] = n
+		ws.addClosedOrIdleNode(&ws.idleNodes, ws.maxIdleNodesInTree, n)
+	}
+
+	// Section 5.3.1: A dependency on a stream that is not currently in the tree
+	// results in that stream being given a default priority (Section 5.3.5).
+	parent := ws.nodes[priority.StreamDep]
+	if parent == nil {
+		n.setParent(&ws.root)
+		n.weight = priorityDefaultWeightRFC7540
+		return
+	}
+
+	// Ignore if the client tries to make a node its own parent.
+	if n == parent {
+		return
+	}
+
+	// Section 5.3.3:
+	//   "If a stream is made dependent on one of its own dependencies, the
+	//   formerly dependent stream is first moved to be dependent on the
+	//   reprioritized stream's previous parent. The moved dependency retains
+	//   its weight."
+	//
+	// That is: if parent depends on n, move parent to depend on n.parent.
+	for x := parent.parent; x != nil; x = x.parent {
+		if x == n {
+			parent.setParent(n.parent)
+			break
+		}
+	}
+
+	// Section 5.3.3: The exclusive flag causes the stream to become the sole
+	// dependency of its parent stream, causing other dependencies to become
+	// dependent on the exclusive stream.
+	if priority.Exclusive {
+		k := parent.kids
+		for k != nil {
+			next := k.next
+			if k != n {
+				k.setParent(n)
+			}
+			k = next
+		}
+	}
+
+	n.setParent(parent)
+	n.weight = priority.Weight
+}
+
+func (ws *priorityWriteSchedulerRFC7540) Push(wr FrameWriteRequest) {
+	var n *priorityNodeRFC7540
+	if wr.isControl() {
+		n = &ws.root
+	} else {
+		id := wr.StreamID()
+		n = ws.nodes[id]
+		if n == nil {
+			// id is an idle or closed stream. wr should not be a HEADERS or
+			// DATA frame. In other case, we push wr onto the root, rather
+			// than creating a new priorityNode.
+			if wr.DataSize() > 0 {
+				panic("add DATA on non-open stream")
+			}
+			n = &ws.root
+		}
+	}
+	n.q.push(wr)
+}
+
+func (ws *priorityWriteSchedulerRFC7540) Pop() (wr FrameWriteRequest, ok bool) {
+	ws.root.walkReadyInOrder(false, &ws.tmp, func(n *priorityNodeRFC7540, openParent bool) bool {
+		limit := int32(math.MaxInt32)
+		if openParent {
+			limit = ws.writeThrottleLimit
+		}
+		wr, ok = n.q.consume(limit)
+		if !ok {
+			return false
+		}
+		n.addBytes(int64(wr.DataSize()))
+		// If B depends on A and B continuously has data available but A
+		// does not, gradually increase the throttling limit to allow B to
+		// steal more and more bandwidth from A.
+		if openParent {
+			ws.writeThrottleLimit += 1024
+			if ws.writeThrottleLimit < 0 {
+				ws.writeThrottleLimit = math.MaxInt32
+			}
+		} else if ws.enableWriteThrottle {
+			ws.writeThrottleLimit = 1024
+		}
+		return true
+	})
+	return wr, ok
+}
+
+func (ws *priorityWriteSchedulerRFC7540) addClosedOrIdleNode(list *[]*priorityNodeRFC7540, maxSize int, n *priorityNodeRFC7540) {
+	if maxSize == 0 {
+		return
+	}
+	if len(*list) == maxSize {
+		// Remove the oldest node, then shift left.
+		ws.removeNode((*list)[0])
+		x := (*list)[1:]
+		copy(*list, x)
+		*list = (*list)[:len(x)]
+	}
+	*list = append(*list, n)
+}
+
+func (ws *priorityWriteSchedulerRFC7540) removeNode(n *priorityNodeRFC7540) {
+	for n.kids != nil {
+		n.kids.setParent(n.parent)
+	}
+	n.setParent(nil)
+	delete(ws.nodes, n.id)
+}
diff --git a/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
new file mode 100644
index 0000000000000..cb4cadc32d795
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
@@ -0,0 +1,209 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import (
+	"fmt"
+	"math"
+)
+
+type streamMetadata struct {
+	location *writeQueue
+	priority PriorityParam
+}
+
+type priorityWriteSchedulerRFC9218 struct {
+	// control contains control frames (SETTINGS, PING, etc.).
+	control writeQueue
+
+	// heads contain the head of a circular list of streams.
+	// We put these heads within a nested array that represents urgency and
+	// incremental, as defined in
+	// https://www.rfc-editor.org/rfc/rfc9218.html#name-priority-parameters.
+	// 8 represents u=0 up to u=7, and 2 represents i=false and i=true.
+	heads [8][2]*writeQueue
+
+	// streams contains a mapping between each stream ID and their metadata, so
+	// we can quickly locate them when needing to, for example, adjust their
+	// priority.
+	streams map[uint32]streamMetadata
+
+	// queuePool are empty queues for reuse.
+	queuePool writeQueuePool
+
+	// prioritizeIncremental is used to determine whether we should prioritize
+	// incremental streams or not, when urgency is the same in a given Pop()
+	// call.
+	prioritizeIncremental bool
+}
+
+func newPriorityWriteSchedulerRFC9218() WriteScheduler {
+	ws := &priorityWriteSchedulerRFC9218{
+		streams: make(map[uint32]streamMetadata),
+	}
+	return ws
+}
+
+func (ws *priorityWriteSchedulerRFC9218) OpenStream(streamID uint32, opt OpenStreamOptions) {
+	if ws.streams[streamID].location != nil {
+		panic(fmt.Errorf("stream %d already opened", streamID))
+	}
+	q := ws.queuePool.get()
+	ws.streams[streamID] = streamMetadata{
+		location: q,
+		priority: opt.priority,
+	}
+
+	u, i := opt.priority.urgency, opt.priority.incremental
+	if ws.heads[u][i] == nil {
+		ws.heads[u][i] = q
+		q.next = q
+		q.prev = q
+	} else {
+		// Queues are stored in a ring.
+		// Insert the new stream before ws.head, putting it at the end of the list.
+		q.prev = ws.heads[u][i].prev
+		q.next = ws.heads[u][i]
+		q.prev.next = q
+		q.next.prev = q
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC9218) CloseStream(streamID uint32) {
+	metadata := ws.streams[streamID]
+	q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
+	if q == nil {
+		return
+	}
+	if q.next == q {
+		// This was the only open stream.
+		ws.heads[u][i] = nil
+	} else {
+		q.prev.next = q.next
+		q.next.prev = q.prev
+		if ws.heads[u][i] == q {
+			ws.heads[u][i] = q.next
+		}
+	}
+	delete(ws.streams, streamID)
+	ws.queuePool.put(q)
+}
+
+func (ws *priorityWriteSchedulerRFC9218) AdjustStream(streamID uint32, priority PriorityParam) {
+	metadata := ws.streams[streamID]
+	q, u, i := metadata.location, metadata.priority.urgency, metadata.priority.incremental
+	if q == nil {
+		return
+	}
+
+	// Remove stream from current location.
+	if q.next == q {
+		// This was the only open stream.
+		ws.heads[u][i] = nil
+	} else {
+		q.prev.next = q.next
+		q.next.prev = q.prev
+		if ws.heads[u][i] == q {
+			ws.heads[u][i] = q.next
+		}
+	}
+
+	// Insert stream to the new queue.
+	u, i = priority.urgency, priority.incremental
+	if ws.heads[u][i] == nil {
+		ws.heads[u][i] = q
+		q.next = q
+		q.prev = q
+	} else {
+		// Queues are stored in a ring.
+		// Insert the new stream before ws.head, putting it at the end of the list.
+		q.prev = ws.heads[u][i].prev
+		q.next = ws.heads[u][i]
+		q.prev.next = q
+		q.next.prev = q
+	}
+
+	// Update the metadata.
+	ws.streams[streamID] = streamMetadata{
+		location: q,
+		priority: priority,
+	}
+}
+
+func (ws *priorityWriteSchedulerRFC9218) Push(wr FrameWriteRequest) {
+	if wr.isControl() {
+		ws.control.push(wr)
+		return
+	}
+	q := ws.streams[wr.StreamID()].location
+	if q == nil {
+		// This is a closed stream.
+		// wr should not be a HEADERS or DATA frame.
+		// We push the request onto the control queue.
+		if wr.DataSize() > 0 {
+			panic("add DATA on non-open stream")
+		}
+		ws.control.push(wr)
+		return
+	}
+	q.push(wr)
+}
+
+func (ws *priorityWriteSchedulerRFC9218) Pop() (FrameWriteRequest, bool) {
+	// Control and RST_STREAM frames first.
+	if !ws.control.empty() {
+		return ws.control.shift(), true
+	}
+
+	// On the next Pop(), we want to prioritize incremental if we prioritized
+	// non-incremental request of the same urgency this time. Vice-versa.
+	// i.e. when there are incremental and non-incremental requests at the same
+	// priority, we give 50% of our bandwidth to the incremental ones in
+	// aggregate and 50% to the first non-incremental one (since
+	// non-incremental streams do not use round-robin writes).
+	ws.prioritizeIncremental = !ws.prioritizeIncremental
+
+	// Always prioritize lowest u (i.e. highest urgency level).
+	for u := range ws.heads {
+		for i := range ws.heads[u] {
+			// When we want to prioritize incremental, we try to pop i=true
+			// first before i=false when u is the same.
+			if ws.prioritizeIncremental {
+				i = (i + 1) % 2
+			}
+			q := ws.heads[u][i]
+			if q == nil {
+				continue
+			}
+			for {
+				if wr, ok := q.consume(math.MaxInt32); ok {
+					if i == 1 {
+						// For incremental streams, we update head to q.next so
+						// we can round-robin between multiple streams that can
+						// immediately benefit from partial writes.
+						ws.heads[u][i] = q.next
+					} else {
+						// For non-incremental streams, we try to finish one to
+						// completion rather than doing round-robin. However,
+						// we update head here so that if q.consume() is !ok
+						// (e.g. the stream has no more frame to consume), head
+						// is updated to the next q that has frames to consume
+						// on future iterations. This way, we do not prioritize
+						// writing to unavailable stream on next Pop() calls,
+						// preventing head-of-line blocking.
+						ws.heads[u][i] = q
+					}
+					return wr, true
+				}
+				q = q.next
+				if q == ws.heads[u][i] {
+					break
+				}
+			}
+
+		}
+	}
+	return FrameWriteRequest{}, false
+}
diff --git a/vendor/golang.org/x/net/http2/writesched_roundrobin.go b/vendor/golang.org/x/net/http2/writesched_roundrobin.go
index 54fe86322d2fe..737cff9ecbd88 100644
--- a/vendor/golang.org/x/net/http2/writesched_roundrobin.go
+++ b/vendor/golang.org/x/net/http2/writesched_roundrobin.go
@@ -25,7 +25,7 @@ type roundRobinWriteScheduler struct {
 }
 
 // newRoundRobinWriteScheduler constructs a new write scheduler.
-// The round robin scheduler priorizes control frames
+// The round robin scheduler prioritizes control frames
 // like SETTINGS and PING over DATA frames.
 // When there are no control frames to send, it performs a round-robin
 // selection from the ready streams.
diff --git a/vendor/golang.org/x/net/internal/httpcommon/request.go b/vendor/golang.org/x/net/internal/httpcommon/request.go
index 4b705531793c2..1e10f89ebf71e 100644
--- a/vendor/golang.org/x/net/internal/httpcommon/request.go
+++ b/vendor/golang.org/x/net/internal/httpcommon/request.go
@@ -51,7 +51,7 @@ type EncodeHeadersParam struct {
 	DefaultUserAgent string
 }
 
-// EncodeHeadersParam is the result of EncodeHeaders.
+// EncodeHeadersResult is the result of EncodeHeaders.
 type EncodeHeadersResult struct {
 	HasBody     bool
 	HasTrailers bool
@@ -399,7 +399,7 @@ type ServerRequestResult struct {
 
 	// If the request should be rejected, this is a short string suitable for passing
 	// to the http2 package's CountError function.
-	// It might be a bit odd to return errors this way rather than returing an error,
+	// It might be a bit odd to return errors this way rather than returning an error,
 	// but this ensures we don't forget to include a CountError reason.
 	InvalidReason string
 }
diff --git a/vendor/golang.org/x/net/internal/socks/socks.go b/vendor/golang.org/x/net/internal/socks/socks.go
index 84fcc32b634b8..8eedb84cecc59 100644
--- a/vendor/golang.org/x/net/internal/socks/socks.go
+++ b/vendor/golang.org/x/net/internal/socks/socks.go
@@ -297,7 +297,7 @@ func (up *UsernamePassword) Authenticate(ctx context.Context, rw io.ReadWriter,
 		b = append(b, up.Username...)
 		b = append(b, byte(len(up.Password)))
 		b = append(b, up.Password...)
-		// TODO(mikio): handle IO deadlines and cancelation if
+		// TODO(mikio): handle IO deadlines and cancellation if
 		// necessary
 		if _, err := rw.Write(b); err != nil {
 			return err
diff --git a/vendor/golang.org/x/oauth2/internal/doc.go b/vendor/golang.org/x/oauth2/internal/doc.go
index 03265e888af46..8c7c475f2db63 100644
--- a/vendor/golang.org/x/oauth2/internal/doc.go
+++ b/vendor/golang.org/x/oauth2/internal/doc.go
@@ -2,5 +2,5 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package internal contains support packages for oauth2 package.
+// Package internal contains support packages for [golang.org/x/oauth2].
 package internal
diff --git a/vendor/golang.org/x/oauth2/internal/oauth2.go b/vendor/golang.org/x/oauth2/internal/oauth2.go
index 14989beaf493a..71ea6ad1f5ee3 100644
--- a/vendor/golang.org/x/oauth2/internal/oauth2.go
+++ b/vendor/golang.org/x/oauth2/internal/oauth2.go
@@ -13,7 +13,7 @@ import (
 )
 
 // ParseKey converts the binary contents of a private key file
-// to an *rsa.PrivateKey. It detects whether the private key is in a
+// to an [*rsa.PrivateKey]. It detects whether the private key is in a
 // PEM container or not. If so, it extracts the private key
 // from PEM container before conversion. It only supports PEM
 // containers with no passphrase.
diff --git a/vendor/golang.org/x/oauth2/internal/token.go b/vendor/golang.org/x/oauth2/internal/token.go
index e83ddeef0fc29..8389f24629491 100644
--- a/vendor/golang.org/x/oauth2/internal/token.go
+++ b/vendor/golang.org/x/oauth2/internal/token.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math"
 	"mime"
 	"net/http"
@@ -26,9 +25,9 @@ import (
 // the requests to access protected resources on the OAuth 2.0
 // provider's backend.
 //
-// This type is a mirror of oauth2.Token and exists to break
+// This type is a mirror of [golang.org/x/oauth2.Token] and exists to break
 // an otherwise-circular dependency. Other internal packages
-// should convert this Token into an oauth2.Token before use.
+// should convert this Token into an [golang.org/x/oauth2.Token] before use.
 type Token struct {
 	// AccessToken is the token that authorizes and authenticates
 	// the requests.
@@ -50,9 +49,16 @@ type Token struct {
 	// mechanisms for that TokenSource will not be used.
 	Expiry time.Time
 
+	// ExpiresIn is the OAuth2 wire format "expires_in" field,
+	// which specifies how many seconds later the token expires,
+	// relative to an unknown time base approximately around "now".
+	// It is the application's responsibility to populate
+	// `Expiry` from `ExpiresIn` when required.
+	ExpiresIn int64 `json:"expires_in,omitempty"`
+
 	// Raw optionally contains extra metadata from the server
 	// when updating a token.
-	Raw interface{}
+	Raw any
 }
 
 // tokenJSON is the struct representing the HTTP response from OAuth2
@@ -99,14 +105,6 @@ func (e *expirationTime) UnmarshalJSON(b []byte) error {
 	return nil
 }
 
-// RegisterBrokenAuthHeaderProvider previously did something. It is now a no-op.
-//
-// Deprecated: this function no longer does anything. Caller code that
-// wants to avoid potential extra HTTP requests made during
-// auto-probing of the provider's auth style should set
-// Endpoint.AuthStyle.
-func RegisterBrokenAuthHeaderProvider(tokenURL string) {}
-
 // AuthStyle is a copy of the golang.org/x/oauth2 package's AuthStyle type.
 type AuthStyle int
 
@@ -143,6 +141,11 @@ func (lc *LazyAuthStyleCache) Get() *AuthStyleCache {
 	return c
 }
 
+type authStyleCacheKey struct {
+	url      string
+	clientID string
+}
+
 // AuthStyleCache is the set of tokenURLs we've successfully used via
 // RetrieveToken and which style auth we ended up using.
 // It's called a cache, but it doesn't (yet?) shrink. It's expected that
@@ -150,26 +153,26 @@ func (lc *LazyAuthStyleCache) Get() *AuthStyleCache {
 // small.
 type AuthStyleCache struct {
 	mu sync.Mutex
-	m  map[string]AuthStyle // keyed by tokenURL
+	m  map[authStyleCacheKey]AuthStyle
 }
 
 // lookupAuthStyle reports which auth style we last used with tokenURL
 // when calling RetrieveToken and whether we have ever done so.
-func (c *AuthStyleCache) lookupAuthStyle(tokenURL string) (style AuthStyle, ok bool) {
+func (c *AuthStyleCache) lookupAuthStyle(tokenURL, clientID string) (style AuthStyle, ok bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	style, ok = c.m[tokenURL]
+	style, ok = c.m[authStyleCacheKey{tokenURL, clientID}]
 	return
 }
 
 // setAuthStyle adds an entry to authStyleCache, documented above.
-func (c *AuthStyleCache) setAuthStyle(tokenURL string, v AuthStyle) {
+func (c *AuthStyleCache) setAuthStyle(tokenURL, clientID string, v AuthStyle) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if c.m == nil {
-		c.m = make(map[string]AuthStyle)
+		c.m = make(map[authStyleCacheKey]AuthStyle)
 	}
-	c.m[tokenURL] = v
+	c.m[authStyleCacheKey{tokenURL, clientID}] = v
 }
 
 // newTokenRequest returns a new *http.Request to retrieve a new token
@@ -210,9 +213,9 @@ func cloneURLValues(v url.Values) url.Values {
 }
 
 func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string, v url.Values, authStyle AuthStyle, styleCache *AuthStyleCache) (*Token, error) {
-	needsAuthStyleProbe := authStyle == 0
+	needsAuthStyleProbe := authStyle == AuthStyleUnknown
 	if needsAuthStyleProbe {
-		if style, ok := styleCache.lookupAuthStyle(tokenURL); ok {
+		if style, ok := styleCache.lookupAuthStyle(tokenURL, clientID); ok {
 			authStyle = style
 			needsAuthStyleProbe = false
 		} else {
@@ -242,7 +245,7 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
 		token, err = doTokenRoundTrip(ctx, req)
 	}
 	if needsAuthStyleProbe && err == nil {
-		styleCache.setAuthStyle(tokenURL, authStyle)
+		styleCache.setAuthStyle(tokenURL, clientID, authStyle)
 	}
 	// Don't overwrite `RefreshToken` with an empty value
 	// if this was a token refreshing request.
@@ -257,7 +260,7 @@ func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
 	r.Body.Close()
 	if err != nil {
 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)
@@ -312,7 +315,8 @@ func doTokenRoundTrip(ctx context.Context, req *http.Request) (*Token, error) {
 			TokenType:    tj.TokenType,
 			RefreshToken: tj.RefreshToken,
 			Expiry:       tj.expiry(),
-			Raw:          make(map[string]interface{}),
+			ExpiresIn:    int64(tj.ExpiresIn),
+			Raw:          make(map[string]any),
 		}
 		json.Unmarshal(body, &token.Raw) // no error checks for optional fields
 	}
diff --git a/vendor/golang.org/x/oauth2/internal/transport.go b/vendor/golang.org/x/oauth2/internal/transport.go
index b9db01ddfdff0..afc0aeb274eb0 100644
--- a/vendor/golang.org/x/oauth2/internal/transport.go
+++ b/vendor/golang.org/x/oauth2/internal/transport.go
@@ -9,8 +9,8 @@ import (
 	"net/http"
 )
 
-// HTTPClient is the context key to use with golang.org/x/net/context's
-// WithValue function to associate an *http.Client value with a context.
+// HTTPClient is the context key to use with [context.WithValue]
+// to associate an [*http.Client] value with a context.
 var HTTPClient ContextKey
 
 // ContextKey is just an empty struct. It exists so HTTPClient can be
diff --git a/vendor/golang.org/x/oauth2/oauth2.go b/vendor/golang.org/x/oauth2/oauth2.go
index 74f052aa9fa8a..de34feb844229 100644
--- a/vendor/golang.org/x/oauth2/oauth2.go
+++ b/vendor/golang.org/x/oauth2/oauth2.go
@@ -22,9 +22,9 @@ import (
 )
 
 // NoContext is the default context you should supply if not using
-// your own context.Context (see https://golang.org/x/net/context).
+// your own [context.Context].
 //
-// Deprecated: Use context.Background() or context.TODO() instead.
+// Deprecated: Use [context.Background] or [context.TODO] instead.
 var NoContext = context.TODO()
 
 // RegisterBrokenAuthHeaderProvider previously did something. It is now a no-op.
@@ -37,8 +37,8 @@ func RegisterBrokenAuthHeaderProvider(tokenURL string) {}
 
 // Config describes a typical 3-legged OAuth2 flow, with both the
 // client application information and the server's endpoint URLs.
-// For the client credentials 2-legged OAuth2 flow, see the clientcredentials
-// package (https://golang.org/x/oauth2/clientcredentials).
+// For the client credentials 2-legged OAuth2 flow, see the
+// [golang.org/x/oauth2/clientcredentials] package.
 type Config struct {
 	// ClientID is the application's ID.
 	ClientID string
@@ -46,7 +46,7 @@ type Config struct {
 	// ClientSecret is the application's secret.
 	ClientSecret string
 
-	// Endpoint contains the resource server's token endpoint
+	// Endpoint contains the authorization server's token endpoint
 	// URLs. These are constants specific to each server and are
 	// often available via site-specific packages, such as
 	// google.Endpoint or github.Endpoint.
@@ -135,7 +135,7 @@ type setParam struct{ k, v string }
 
 func (p setParam) setValue(m url.Values) { m.Set(p.k, p.v) }
 
-// SetAuthURLParam builds an AuthCodeOption which passes key/value parameters
+// SetAuthURLParam builds an [AuthCodeOption] which passes key/value parameters
 // to a provider's authorization endpoint.
 func SetAuthURLParam(key, value string) AuthCodeOption {
 	return setParam{key, value}
@@ -148,8 +148,8 @@ func SetAuthURLParam(key, value string) AuthCodeOption {
 // request and callback. The authorization server includes this value when
 // redirecting the user agent back to the client.
 //
-// Opts may include AccessTypeOnline or AccessTypeOffline, as well
-// as ApprovalForce.
+// Opts may include [AccessTypeOnline] or [AccessTypeOffline], as well
+// as [ApprovalForce].
 //
 // To protect against CSRF attacks, opts should include a PKCE challenge
 // (S256ChallengeOption). Not all servers support PKCE. An alternative is to
@@ -194,7 +194,7 @@ func (c *Config) AuthCodeURL(state string, opts ...AuthCodeOption) string {
 // and when other authorization grant types are not available."
 // See https://tools.ietf.org/html/rfc6749#section-4.3 for more info.
 //
-// The provided context optionally controls which HTTP client is used. See the HTTPClient variable.
+// The provided context optionally controls which HTTP client is used. See the [HTTPClient] variable.
 func (c *Config) PasswordCredentialsToken(ctx context.Context, username, password string) (*Token, error) {
 	v := url.Values{
 		"grant_type": {"password"},
@@ -212,10 +212,10 @@ func (c *Config) PasswordCredentialsToken(ctx context.Context, username, passwor
 // It is used after a resource provider redirects the user back
 // to the Redirect URI (the URL obtained from AuthCodeURL).
 //
-// The provided context optionally controls which HTTP client is used. See the HTTPClient variable.
+// The provided context optionally controls which HTTP client is used. See the [HTTPClient] variable.
 //
-// The code will be in the *http.Request.FormValue("code"). Before
-// calling Exchange, be sure to validate FormValue("state") if you are
+// The code will be in the [http.Request.FormValue]("code"). Before
+// calling Exchange, be sure to validate [http.Request.FormValue]("state") if you are
 // using it to protect against CSRF attacks.
 //
 // If using PKCE to protect against CSRF attacks, opts should include a
@@ -242,10 +242,10 @@ func (c *Config) Client(ctx context.Context, t *Token) *http.Client {
 	return NewClient(ctx, c.TokenSource(ctx, t))
 }
 
-// TokenSource returns a TokenSource that returns t until t expires,
+// TokenSource returns a [TokenSource] that returns t until t expires,
 // automatically refreshing it as necessary using the provided context.
 //
-// Most users will use Config.Client instead.
+// Most users will use [Config.Client] instead.
 func (c *Config) TokenSource(ctx context.Context, t *Token) TokenSource {
 	tkr := &tokenRefresher{
 		ctx:  ctx,
@@ -260,7 +260,7 @@ func (c *Config) TokenSource(ctx context.Context, t *Token) TokenSource {
 	}
 }
 
-// tokenRefresher is a TokenSource that makes "grant_type"=="refresh_token"
+// tokenRefresher is a TokenSource that makes "grant_type=refresh_token"
 // HTTP requests to renew a token using a RefreshToken.
 type tokenRefresher struct {
 	ctx          context.Context // used to get HTTP requests
@@ -288,7 +288,7 @@ func (tf *tokenRefresher) Token() (*Token, error) {
 	if tf.refreshToken != tk.RefreshToken {
 		tf.refreshToken = tk.RefreshToken
 	}
-	return tk, err
+	return tk, nil
 }
 
 // reuseTokenSource is a TokenSource that holds a single token in memory
@@ -305,8 +305,7 @@ type reuseTokenSource struct {
 }
 
 // Token returns the current token if it's still valid, else will
-// refresh the current token (using r.Context for HTTP client
-// information) and return the new one.
+// refresh the current token and return the new one.
 func (s *reuseTokenSource) Token() (*Token, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -322,7 +321,7 @@ func (s *reuseTokenSource) Token() (*Token, error) {
 	return t, nil
 }
 
-// StaticTokenSource returns a TokenSource that always returns the same token.
+// StaticTokenSource returns a [TokenSource] that always returns the same token.
 // Because the provided token t is never refreshed, StaticTokenSource is only
 // useful for tokens that never expire.
 func StaticTokenSource(t *Token) TokenSource {
@@ -338,16 +337,16 @@ func (s staticTokenSource) Token() (*Token, error) {
 	return s.t, nil
 }
 
-// HTTPClient is the context key to use with golang.org/x/net/context's
-// WithValue function to associate an *http.Client value with a context.
+// HTTPClient is the context key to use with [context.WithValue]
+// to associate a [*http.Client] value with a context.
 var HTTPClient internal.ContextKey
 
-// NewClient creates an *http.Client from a Context and TokenSource.
+// NewClient creates an [*http.Client] from a [context.Context] and [TokenSource].
 // The returned client is not valid beyond the lifetime of the context.
 //
-// Note that if a custom *http.Client is provided via the Context it
+// Note that if a custom [*http.Client] is provided via the [context.Context] it
 // is used only for token acquisition and is not used to configure the
-// *http.Client returned from NewClient.
+// [*http.Client] returned from NewClient.
 //
 // As a special case, if src is nil, a non-OAuth2 client is returned
 // using the provided context. This exists to support related OAuth2
@@ -356,15 +355,19 @@ func NewClient(ctx context.Context, src TokenSource) *http.Client {
 	if src == nil {
 		return internal.ContextClient(ctx)
 	}
+	cc := internal.ContextClient(ctx)
 	return &http.Client{
 		Transport: &Transport{
-			Base:   internal.ContextClient(ctx).Transport,
+			Base:   cc.Transport,
 			Source: ReuseTokenSource(nil, src),
 		},
+		CheckRedirect: cc.CheckRedirect,
+		Jar:           cc.Jar,
+		Timeout:       cc.Timeout,
 	}
 }
 
-// ReuseTokenSource returns a TokenSource which repeatedly returns the
+// ReuseTokenSource returns a [TokenSource] which repeatedly returns the
 // same token as long as it's valid, starting with t.
 // When its cached token is invalid, a new token is obtained from src.
 //
@@ -372,10 +375,10 @@ func NewClient(ctx context.Context, src TokenSource) *http.Client {
 // (such as a file on disk) between runs of a program, rather than
 // obtaining new tokens unnecessarily.
 //
-// The initial token t may be nil, in which case the TokenSource is
+// The initial token t may be nil, in which case the [TokenSource] is
 // wrapped in a caching version if it isn't one already. This also
 // means it's always safe to wrap ReuseTokenSource around any other
-// TokenSource without adverse effects.
+// [TokenSource] without adverse effects.
 func ReuseTokenSource(t *Token, src TokenSource) TokenSource {
 	// Don't wrap a reuseTokenSource in itself. That would work,
 	// but cause an unnecessary number of mutex operations.
@@ -393,8 +396,8 @@ func ReuseTokenSource(t *Token, src TokenSource) TokenSource {
 	}
 }
 
-// ReuseTokenSourceWithExpiry returns a TokenSource that acts in the same manner as the
-// TokenSource returned by ReuseTokenSource, except the expiry buffer is
+// ReuseTokenSourceWithExpiry returns a [TokenSource] that acts in the same manner as the
+// [TokenSource] returned by [ReuseTokenSource], except the expiry buffer is
 // configurable. The expiration time of a token is calculated as
 // t.Expiry.Add(-earlyExpiry).
 func ReuseTokenSourceWithExpiry(t *Token, src TokenSource, earlyExpiry time.Duration) TokenSource {
diff --git a/vendor/golang.org/x/oauth2/pkce.go b/vendor/golang.org/x/oauth2/pkce.go
index 6a95da975ce35..cea8374d51bf1 100644
--- a/vendor/golang.org/x/oauth2/pkce.go
+++ b/vendor/golang.org/x/oauth2/pkce.go
@@ -1,6 +1,7 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
+
 package oauth2
 
 import (
@@ -20,9 +21,9 @@ const (
 // This follows recommendations in RFC 7636.
 //
 // A fresh verifier should be generated for each authorization.
-// S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL
-// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange
-// (or Config.DeviceAccessToken).
+// The resulting verifier should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
+// with [S256ChallengeOption], and to [Config.Exchange] or [Config.DeviceAccessToken]
+// with [VerifierOption].
 func GenerateVerifier() string {
 	// "RECOMMENDED that the output of a suitable random number generator be
 	// used to create a 32-octet sequence.  The octet sequence is then
@@ -36,22 +37,22 @@ func GenerateVerifier() string {
 	return base64.RawURLEncoding.EncodeToString(data)
 }
 
-// VerifierOption returns a PKCE code verifier AuthCodeOption. It should be
-// passed to Config.Exchange or Config.DeviceAccessToken only.
+// VerifierOption returns a PKCE code verifier [AuthCodeOption]. It should only be
+// passed to [Config.Exchange] or [Config.DeviceAccessToken].
 func VerifierOption(verifier string) AuthCodeOption {
 	return setParam{k: codeVerifierKey, v: verifier}
 }
 
 // S256ChallengeFromVerifier returns a PKCE code challenge derived from verifier with method S256.
 //
-// Prefer to use S256ChallengeOption where possible.
+// Prefer to use [S256ChallengeOption] where possible.
 func S256ChallengeFromVerifier(verifier string) string {
 	sha := sha256.Sum256([]byte(verifier))
 	return base64.RawURLEncoding.EncodeToString(sha[:])
 }
 
 // S256ChallengeOption derives a PKCE code challenge derived from verifier with
-// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth
+// method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
 	return challengeOption{
diff --git a/vendor/golang.org/x/oauth2/token.go b/vendor/golang.org/x/oauth2/token.go
index 109997d77cea5..239ec329620f6 100644
--- a/vendor/golang.org/x/oauth2/token.go
+++ b/vendor/golang.org/x/oauth2/token.go
@@ -44,7 +44,7 @@ type Token struct {
 
 	// Expiry is the optional expiration time of the access token.
 	//
-	// If zero, TokenSource implementations will reuse the same
+	// If zero, [TokenSource] implementations will reuse the same
 	// token forever and RefreshToken or equivalent
 	// mechanisms for that TokenSource will not be used.
 	Expiry time.Time `json:"expiry,omitempty"`
@@ -58,7 +58,7 @@ type Token struct {
 
 	// raw optionally contains extra metadata from the server
 	// when updating a token.
-	raw interface{}
+	raw any
 
 	// expiryDelta is used to calculate when a token is considered
 	// expired, by subtracting from Expiry. If zero, defaultExpiryDelta
@@ -86,16 +86,16 @@ func (t *Token) Type() string {
 // SetAuthHeader sets the Authorization header to r using the access
 // token in t.
 //
-// This method is unnecessary when using Transport or an HTTP Client
+// This method is unnecessary when using [Transport] or an HTTP Client
 // returned by this package.
 func (t *Token) SetAuthHeader(r *http.Request) {
 	r.Header.Set("Authorization", t.Type()+" "+t.AccessToken)
 }
 
-// WithExtra returns a new Token that's a clone of t, but using the
+// WithExtra returns a new [Token] that's a clone of t, but using the
 // provided raw extra map. This is only intended for use by packages
 // implementing derivative OAuth2 flows.
-func (t *Token) WithExtra(extra interface{}) *Token {
+func (t *Token) WithExtra(extra any) *Token {
 	t2 := new(Token)
 	*t2 = *t
 	t2.raw = extra
@@ -105,8 +105,8 @@ func (t *Token) WithExtra(extra interface{}) *Token {
 // Extra returns an extra field.
 // Extra fields are key-value pairs returned by the server as a
 // part of the token retrieval response.
-func (t *Token) Extra(key string) interface{} {
-	if raw, ok := t.raw.(map[string]interface{}); ok {
+func (t *Token) Extra(key string) any {
+	if raw, ok := t.raw.(map[string]any); ok {
 		return raw[key]
 	}
 
@@ -163,13 +163,14 @@ func tokenFromInternal(t *internal.Token) *Token {
 		TokenType:    t.TokenType,
 		RefreshToken: t.RefreshToken,
 		Expiry:       t.Expiry,
+		ExpiresIn:    t.ExpiresIn,
 		raw:          t.Raw,
 	}
 }
 
 // retrieveToken takes a *Config and uses that to retrieve an *internal.Token.
 // This token is then mapped from *internal.Token into an *oauth2.Token which is returned along
-// with an error..
+// with an error.
 func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token, error) {
 	tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret, c.Endpoint.TokenURL, v, internal.AuthStyle(c.Endpoint.AuthStyle), c.authStyleCache.Get())
 	if err != nil {
diff --git a/vendor/golang.org/x/oauth2/transport.go b/vendor/golang.org/x/oauth2/transport.go
index 90657915fbcf0..8bbebbac9ee77 100644
--- a/vendor/golang.org/x/oauth2/transport.go
+++ b/vendor/golang.org/x/oauth2/transport.go
@@ -11,12 +11,12 @@ import (
 	"sync"
 )
 
-// Transport is an http.RoundTripper that makes OAuth 2.0 HTTP requests,
-// wrapping a base RoundTripper and adding an Authorization header
-// with a token from the supplied Sources.
+// Transport is an [http.RoundTripper] that makes OAuth 2.0 HTTP requests,
+// wrapping a base [http.RoundTripper] and adding an Authorization header
+// with a token from the supplied [TokenSource].
 //
 // Transport is a low-level mechanism. Most code will use the
-// higher-level Config.Client method instead.
+// higher-level [Config.Client] method instead.
 type Transport struct {
 	// Source supplies the token to add to outgoing requests'
 	// Authorization headers.
@@ -47,7 +47,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 		return nil, err
 	}
 
-	req2 := cloneRequest(req) // per RoundTripper contract
+	req2 := req.Clone(req.Context())
 	token.SetAuthHeader(req2)
 
 	// req.Body is assumed to be closed by the base RoundTripper.
@@ -73,17 +73,3 @@ func (t *Transport) base() http.RoundTripper {
 	}
 	return http.DefaultTransport
 }
-
-// cloneRequest returns a clone of the provided *http.Request.
-// The clone is a shallow copy of the struct and its Header map.
-func cloneRequest(r *http.Request) *http.Request {
-	// shallow copy of the struct
-	r2 := new(http.Request)
-	*r2 = *r
-	// deep copy of the Header
-	r2.Header = make(http.Header, len(r.Header))
-	for k, s := range r.Header {
-		r2.Header[k] = append([]string(nil), s...)
-	}
-	return r2
-}
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 1d8cffae8cfc8..2f45dbc86e538 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 
 // Package errgroup provides synchronization, error propagation, and Context
-// cancelation for groups of goroutines working on subtasks of a common task.
+// cancellation for groups of goroutines working on subtasks of a common task.
 //
 // [errgroup.Group] is related to [sync.WaitGroup] but adds handling of tasks
 // returning errors.
diff --git a/vendor/golang.org/x/sys/cpu/cpu.go b/vendor/golang.org/x/sys/cpu/cpu.go
index 63541994ef030..34c9ae76efd48 100644
--- a/vendor/golang.org/x/sys/cpu/cpu.go
+++ b/vendor/golang.org/x/sys/cpu/cpu.go
@@ -92,6 +92,9 @@ var ARM64 struct {
 	HasSHA2     bool // SHA2 hardware implementation
 	HasCRC32    bool // CRC32 hardware implementation
 	HasATOMICS  bool // Atomic memory operation instruction set
+	HasHPDS     bool // Hierarchical permission disables in translations tables
+	HasLOR      bool // Limited ordering regions
+	HasPAN      bool // Privileged access never
 	HasFPHP     bool // Half precision floating-point instruction set
 	HasASIMDHP  bool // Advanced SIMD half precision instruction set
 	HasCPUID    bool // CPUID identification scheme registers
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
index af2aa99f9f06c..f449c679fe462 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
@@ -65,10 +65,10 @@ func setMinimalFeatures() {
 func readARM64Registers() {
 	Initialized = true
 
-	parseARM64SystemRegisters(getisar0(), getisar1(), getpfr0())
+	parseARM64SystemRegisters(getisar0(), getisar1(), getmmfr1(), getpfr0())
 }
 
-func parseARM64SystemRegisters(isar0, isar1, pfr0 uint64) {
+func parseARM64SystemRegisters(isar0, isar1, mmfr1, pfr0 uint64) {
 	// ID_AA64ISAR0_EL1
 	switch extractBits(isar0, 4, 7) {
 	case 1:
@@ -152,6 +152,22 @@ func parseARM64SystemRegisters(isar0, isar1, pfr0 uint64) {
 		ARM64.HasI8MM = true
 	}
 
+	// ID_AA64MMFR1_EL1
+	switch extractBits(mmfr1, 12, 15) {
+	case 1, 2:
+		ARM64.HasHPDS = true
+	}
+
+	switch extractBits(mmfr1, 16, 19) {
+	case 1:
+		ARM64.HasLOR = true
+	}
+
+	switch extractBits(mmfr1, 20, 23) {
+	case 1, 2, 3:
+		ARM64.HasPAN = true
+	}
+
 	// ID_AA64PFR0_EL1
 	switch extractBits(pfr0, 16, 19) {
 	case 0:
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.s b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
index 22cc99844a756..a4f24b3b0c8fd 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.s
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
@@ -9,31 +9,34 @@
 // func getisar0() uint64
 TEXT ·getisar0(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 0 into x0
-	// mrs x0, ID_AA64ISAR0_EL1 = d5380600
-	WORD	$0xd5380600
+	MRS	ID_AA64ISAR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getisar1() uint64
 TEXT ·getisar1(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 1 into x0
-	// mrs x0, ID_AA64ISAR1_EL1 = d5380620
-	WORD	$0xd5380620
+	MRS	ID_AA64ISAR1_EL1, R0
+	MOVD	R0, ret+0(FP)
+	RET
+
+// func getmmfr1() uint64
+TEXT ·getmmfr1(SB),NOSPLIT,$0-8
+	// get Memory Model Feature Register 1 into x0
+	MRS	ID_AA64MMFR1_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getpfr0() uint64
 TEXT ·getpfr0(SB),NOSPLIT,$0-8
 	// get Processor Feature Register 0 into x0
-	// mrs x0, ID_AA64PFR0_EL1 = d5380400
-	WORD	$0xd5380400
+	MRS	ID_AA64PFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getzfr0() uint64
 TEXT ·getzfr0(SB),NOSPLIT,$0-8
 	// get SVE Feature Register 0 into x0
-	// mrs	x0, ID_AA64ZFR0_EL1 = d5380480
-	WORD $0xd5380480
+	MRS	ID_AA64ZFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
index 6ac6e1efb2087..e3fc5a8d31ca6 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
@@ -8,5 +8,6 @@ package cpu
 
 func getisar0() uint64
 func getisar1() uint64
+func getmmfr1() uint64
 func getpfr0() uint64
 func getzfr0() uint64
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
index 7f1946780bd30..8df2079e15f95 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
@@ -8,4 +8,5 @@ package cpu
 
 func getisar0() uint64 { return 0 }
 func getisar1() uint64 { return 0 }
+func getmmfr1() uint64 { return 0 }
 func getpfr0() uint64  { return 0 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
index ebfb3fc8e76d2..19aea0633e8e9 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
@@ -167,7 +167,7 @@ func doinit() {
 		setMinimalFeatures()
 		return
 	}
-	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64pfr0)
+	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64mmfr1, cpuid.aa64pfr0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
index 85b64d5ccb735..87fd3a7780767 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
@@ -59,7 +59,7 @@ func doinit() {
 	if !ok {
 		return
 	}
-	parseARM64SystemRegisters(isar0, isar1, 0)
+	parseARM64SystemRegisters(isar0, isar1, 0, 0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/unix/affinity_linux.go b/vendor/golang.org/x/sys/unix/affinity_linux.go
index 3c7a6d6e2f1d2..3ea470387bcf0 100644
--- a/vendor/golang.org/x/sys/unix/affinity_linux.go
+++ b/vendor/golang.org/x/sys/unix/affinity_linux.go
@@ -41,6 +41,15 @@ func (s *CPUSet) Zero() {
 	clear(s[:])
 }
 
+// Fill adds all possible CPU bits to the set s. On Linux, [SchedSetaffinity]
+// will silently ignore any invalid CPU bits in [CPUSet] so this is an
+// efficient way of resetting the CPU affinity of a process.
+func (s *CPUSet) Fill() {
+	for i := range s {
+		s[i] = ^cpuMask(0)
+	}
+}
+
 func cpuBitsIndex(cpu int) int {
 	return cpu / _NCPUBITS
 }
diff --git a/vendor/golang.org/x/sys/unix/fdset.go b/vendor/golang.org/x/sys/unix/fdset.go
index 9e83d18cd0421..62ed12645f48d 100644
--- a/vendor/golang.org/x/sys/unix/fdset.go
+++ b/vendor/golang.org/x/sys/unix/fdset.go
@@ -23,7 +23,5 @@ func (fds *FdSet) IsSet(fd int) bool {
 
 // Zero clears the set fds.
 func (fds *FdSet) Zero() {
-	for i := range fds.Bits {
-		fds.Bits[i] = 0
-	}
+	clear(fds.Bits[:])
 }
diff --git a/vendor/golang.org/x/sys/unix/ifreq_linux.go b/vendor/golang.org/x/sys/unix/ifreq_linux.go
index 848840ae4c758..309f5a2b0c76a 100644
--- a/vendor/golang.org/x/sys/unix/ifreq_linux.go
+++ b/vendor/golang.org/x/sys/unix/ifreq_linux.go
@@ -111,9 +111,7 @@ func (ifr *Ifreq) SetUint32(v uint32) {
 // clear zeroes the ifreq's union field to prevent trailing garbage data from
 // being sent to the kernel if an ifreq is reused.
 func (ifr *Ifreq) clear() {
-	for i := range ifr.raw.Ifru {
-		ifr.raw.Ifru[i] = 0
-	}
+	clear(ifr.raw.Ifru[:])
 }
 
 // TODO(mdlayher): export as IfreqData? For now we can provide helpers such as
diff --git a/vendor/golang.org/x/sys/unix/mkall.sh b/vendor/golang.org/x/sys/unix/mkall.sh
index e6f31d374df52..d0ed611912929 100644
--- a/vendor/golang.org/x/sys/unix/mkall.sh
+++ b/vendor/golang.org/x/sys/unix/mkall.sh
@@ -49,6 +49,7 @@ esac
 if [[ "$GOOS" = "linux" ]]; then
 	# Use the Docker-based build system
 	# Files generated through docker (use $cmd so you can Ctl-C the build or run)
+	set -e
 	$cmd docker build --tag generate:$GOOS $GOOS
 	$cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS
 	exit
diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh
index d1c8b2640ebd4..42517077c4374 100644
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -226,6 +226,7 @@ struct ltchars {
 #include <linux/cryptouser.h>
 #include <linux/devlink.h>
 #include <linux/dm-ioctl.h>
+#include <linux/elf.h>
 #include <linux/errqueue.h>
 #include <linux/ethtool_netlink.h>
 #include <linux/falloc.h>
@@ -529,6 +530,7 @@ ccflags="$@"
 		$2 ~ /^O[CNPFPL][A-Z]+[^_][A-Z]+$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)DLY$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)[0-9]$/ ||
+		$2 ~ /^(DT|EI|ELF|EV|NN|NT|PF|SHF|SHN|SHT|STB|STT|VER)_/ ||
 		$2 ~ /^O?XTABS$/ ||
 		$2 ~ /^TC[IO](ON|OFF)$/ ||
 		$2 ~ /^IN_/ ||
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index 4958a657085bc..06c0eea6fb6a0 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -801,9 +801,7 @@ func (sa *SockaddrPPPoE) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	// one. The kernel expects SID to be in network byte order.
 	binary.BigEndian.PutUint16(sa.raw[6:8], sa.SID)
 	copy(sa.raw[8:14], sa.Remote)
-	for i := 14; i < 14+IFNAMSIZ; i++ {
-		sa.raw[i] = 0
-	}
+	clear(sa.raw[14 : 14+IFNAMSIZ])
 	copy(sa.raw[14:], sa.Dev)
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrPPPoX, nil
 }
@@ -2645,3 +2643,9 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
 //sys	Mseal(b []byte, flags uint) (err error)
+
+//sys	setMemPolicy(mode int, mask *CPUSet, size int) (err error) = SYS_SET_MEMPOLICY
+
+func SetMemPolicy(mode int, mask *CPUSet) error {
+	return setMemPolicy(mode, mask, _CPU_SETSIZE)
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_netbsd.go b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
index 88162099af544..34a4676973042 100644
--- a/vendor/golang.org/x/sys/unix/syscall_netbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
@@ -248,6 +248,23 @@ func Statvfs(path string, buf *Statvfs_t) (err error) {
 	return Statvfs1(path, buf, ST_WAIT)
 }
 
+func Getvfsstat(buf []Statvfs_t, flags int) (n int, err error) {
+	var (
+		_p0     unsafe.Pointer
+		bufsize uintptr
+	)
+	if len(buf) > 0 {
+		_p0 = unsafe.Pointer(&buf[0])
+		bufsize = unsafe.Sizeof(Statvfs_t{}) * uintptr(len(buf))
+	}
+	r0, _, e1 := Syscall(SYS_GETVFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
 /*
  * Exposed directly
  */
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index b6db27d937c8f..d0a75da572c96 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -853,20 +853,86 @@ const (
 	DM_VERSION_MAJOR                            = 0x4
 	DM_VERSION_MINOR                            = 0x32
 	DM_VERSION_PATCHLEVEL                       = 0x0
+	DT_ADDRRNGHI                                = 0x6ffffeff
+	DT_ADDRRNGLO                                = 0x6ffffe00
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
+	DT_DEBUG                                    = 0x15
 	DT_DIR                                      = 0x4
+	DT_ENCODING                                 = 0x20
 	DT_FIFO                                     = 0x1
+	DT_FINI                                     = 0xd
+	DT_FLAGS_1                                  = 0x6ffffffb
+	DT_GNU_HASH                                 = 0x6ffffef5
+	DT_HASH                                     = 0x4
+	DT_HIOS                                     = 0x6ffff000
+	DT_HIPROC                                   = 0x7fffffff
+	DT_INIT                                     = 0xc
+	DT_JMPREL                                   = 0x17
 	DT_LNK                                      = 0xa
+	DT_LOOS                                     = 0x6000000d
+	DT_LOPROC                                   = 0x70000000
+	DT_NEEDED                                   = 0x1
+	DT_NULL                                     = 0x0
+	DT_PLTGOT                                   = 0x3
+	DT_PLTREL                                   = 0x14
+	DT_PLTRELSZ                                 = 0x2
 	DT_REG                                      = 0x8
+	DT_REL                                      = 0x11
+	DT_RELA                                     = 0x7
+	DT_RELACOUNT                                = 0x6ffffff9
+	DT_RELAENT                                  = 0x9
+	DT_RELASZ                                   = 0x8
+	DT_RELCOUNT                                 = 0x6ffffffa
+	DT_RELENT                                   = 0x13
+	DT_RELSZ                                    = 0x12
+	DT_RPATH                                    = 0xf
 	DT_SOCK                                     = 0xc
+	DT_SONAME                                   = 0xe
+	DT_STRSZ                                    = 0xa
+	DT_STRTAB                                   = 0x5
+	DT_SYMBOLIC                                 = 0x10
+	DT_SYMENT                                   = 0xb
+	DT_SYMTAB                                   = 0x6
+	DT_TEXTREL                                  = 0x16
 	DT_UNKNOWN                                  = 0x0
+	DT_VALRNGHI                                 = 0x6ffffdff
+	DT_VALRNGLO                                 = 0x6ffffd00
+	DT_VERDEF                                   = 0x6ffffffc
+	DT_VERDEFNUM                                = 0x6ffffffd
+	DT_VERNEED                                  = 0x6ffffffe
+	DT_VERNEEDNUM                               = 0x6fffffff
+	DT_VERSYM                                   = 0x6ffffff0
 	DT_WHT                                      = 0xe
 	ECHO                                        = 0x8
 	ECRYPTFS_SUPER_MAGIC                        = 0xf15f
 	EFD_SEMAPHORE                               = 0x1
 	EFIVARFS_MAGIC                              = 0xde5e81e4
 	EFS_SUPER_MAGIC                             = 0x414a53
+	EI_CLASS                                    = 0x4
+	EI_DATA                                     = 0x5
+	EI_MAG0                                     = 0x0
+	EI_MAG1                                     = 0x1
+	EI_MAG2                                     = 0x2
+	EI_MAG3                                     = 0x3
+	EI_NIDENT                                   = 0x10
+	EI_OSABI                                    = 0x7
+	EI_PAD                                      = 0x8
+	EI_VERSION                                  = 0x6
+	ELFCLASS32                                  = 0x1
+	ELFCLASS64                                  = 0x2
+	ELFCLASSNONE                                = 0x0
+	ELFCLASSNUM                                 = 0x3
+	ELFDATA2LSB                                 = 0x1
+	ELFDATA2MSB                                 = 0x2
+	ELFDATANONE                                 = 0x0
+	ELFMAG                                      = "\177ELF"
+	ELFMAG0                                     = 0x7f
+	ELFMAG1                                     = 'E'
+	ELFMAG2                                     = 'L'
+	ELFMAG3                                     = 'F'
+	ELFOSABI_LINUX                              = 0x3
+	ELFOSABI_NONE                               = 0x0
 	EM_386                                      = 0x3
 	EM_486                                      = 0x6
 	EM_68K                                      = 0x4
@@ -1152,14 +1218,24 @@ const (
 	ETH_P_WCCP                                  = 0x883e
 	ETH_P_X25                                   = 0x805
 	ETH_P_XDSA                                  = 0xf8
+	ET_CORE                                     = 0x4
+	ET_DYN                                      = 0x3
+	ET_EXEC                                     = 0x2
+	ET_HIPROC                                   = 0xffff
+	ET_LOPROC                                   = 0xff00
+	ET_NONE                                     = 0x0
+	ET_REL                                      = 0x1
 	EV_ABS                                      = 0x3
 	EV_CNT                                      = 0x20
+	EV_CURRENT                                  = 0x1
 	EV_FF                                       = 0x15
 	EV_FF_STATUS                                = 0x17
 	EV_KEY                                      = 0x1
 	EV_LED                                      = 0x11
 	EV_MAX                                      = 0x1f
 	EV_MSC                                      = 0x4
+	EV_NONE                                     = 0x0
+	EV_NUM                                      = 0x2
 	EV_PWR                                      = 0x16
 	EV_REL                                      = 0x2
 	EV_REP                                      = 0x14
@@ -2276,7 +2352,167 @@ const (
 	NLM_F_REPLACE                               = 0x100
 	NLM_F_REQUEST                               = 0x1
 	NLM_F_ROOT                                  = 0x100
+	NN_386_IOPERM                               = "LINUX"
+	NN_386_TLS                                  = "LINUX"
+	NN_ARC_V2                                   = "LINUX"
+	NN_ARM_FPMR                                 = "LINUX"
+	NN_ARM_GCS                                  = "LINUX"
+	NN_ARM_HW_BREAK                             = "LINUX"
+	NN_ARM_HW_WATCH                             = "LINUX"
+	NN_ARM_PACA_KEYS                            = "LINUX"
+	NN_ARM_PACG_KEYS                            = "LINUX"
+	NN_ARM_PAC_ENABLED_KEYS                     = "LINUX"
+	NN_ARM_PAC_MASK                             = "LINUX"
+	NN_ARM_POE                                  = "LINUX"
+	NN_ARM_SSVE                                 = "LINUX"
+	NN_ARM_SVE                                  = "LINUX"
+	NN_ARM_SYSTEM_CALL                          = "LINUX"
+	NN_ARM_TAGGED_ADDR_CTRL                     = "LINUX"
+	NN_ARM_TLS                                  = "LINUX"
+	NN_ARM_VFP                                  = "LINUX"
+	NN_ARM_ZA                                   = "LINUX"
+	NN_ARM_ZT                                   = "LINUX"
+	NN_AUXV                                     = "CORE"
+	NN_FILE                                     = "CORE"
+	NN_GNU_PROPERTY_TYPE_0                      = "GNU"
+	NN_LOONGARCH_CPUCFG                         = "LINUX"
+	NN_LOONGARCH_CSR                            = "LINUX"
+	NN_LOONGARCH_HW_BREAK                       = "LINUX"
+	NN_LOONGARCH_HW_WATCH                       = "LINUX"
+	NN_LOONGARCH_LASX                           = "LINUX"
+	NN_LOONGARCH_LBT                            = "LINUX"
+	NN_LOONGARCH_LSX                            = "LINUX"
+	NN_MIPS_DSP                                 = "LINUX"
+	NN_MIPS_FP_MODE                             = "LINUX"
+	NN_MIPS_MSA                                 = "LINUX"
+	NN_PPC_DEXCR                                = "LINUX"
+	NN_PPC_DSCR                                 = "LINUX"
+	NN_PPC_EBB                                  = "LINUX"
+	NN_PPC_HASHKEYR                             = "LINUX"
+	NN_PPC_PKEY                                 = "LINUX"
+	NN_PPC_PMU                                  = "LINUX"
+	NN_PPC_PPR                                  = "LINUX"
+	NN_PPC_SPE                                  = "LINUX"
+	NN_PPC_TAR                                  = "LINUX"
+	NN_PPC_TM_CDSCR                             = "LINUX"
+	NN_PPC_TM_CFPR                              = "LINUX"
+	NN_PPC_TM_CGPR                              = "LINUX"
+	NN_PPC_TM_CPPR                              = "LINUX"
+	NN_PPC_TM_CTAR                              = "LINUX"
+	NN_PPC_TM_CVMX                              = "LINUX"
+	NN_PPC_TM_CVSX                              = "LINUX"
+	NN_PPC_TM_SPR                               = "LINUX"
+	NN_PPC_VMX                                  = "LINUX"
+	NN_PPC_VSX                                  = "LINUX"
+	NN_PRFPREG                                  = "CORE"
+	NN_PRPSINFO                                 = "CORE"
+	NN_PRSTATUS                                 = "CORE"
+	NN_PRXFPREG                                 = "LINUX"
+	NN_RISCV_CSR                                = "LINUX"
+	NN_RISCV_TAGGED_ADDR_CTRL                   = "LINUX"
+	NN_RISCV_VECTOR                             = "LINUX"
+	NN_S390_CTRS                                = "LINUX"
+	NN_S390_GS_BC                               = "LINUX"
+	NN_S390_GS_CB                               = "LINUX"
+	NN_S390_HIGH_GPRS                           = "LINUX"
+	NN_S390_LAST_BREAK                          = "LINUX"
+	NN_S390_PREFIX                              = "LINUX"
+	NN_S390_PV_CPU_DATA                         = "LINUX"
+	NN_S390_RI_CB                               = "LINUX"
+	NN_S390_SYSTEM_CALL                         = "LINUX"
+	NN_S390_TDB                                 = "LINUX"
+	NN_S390_TIMER                               = "LINUX"
+	NN_S390_TODCMP                              = "LINUX"
+	NN_S390_TODPREG                             = "LINUX"
+	NN_S390_VXRS_HIGH                           = "LINUX"
+	NN_S390_VXRS_LOW                            = "LINUX"
+	NN_SIGINFO                                  = "CORE"
+	NN_TASKSTRUCT                               = "CORE"
+	NN_VMCOREDD                                 = "LINUX"
+	NN_X86_SHSTK                                = "LINUX"
+	NN_X86_XSAVE_LAYOUT                         = "LINUX"
+	NN_X86_XSTATE                               = "LINUX"
 	NSFS_MAGIC                                  = 0x6e736673
+	NT_386_IOPERM                               = 0x201
+	NT_386_TLS                                  = 0x200
+	NT_ARC_V2                                   = 0x600
+	NT_ARM_FPMR                                 = 0x40e
+	NT_ARM_GCS                                  = 0x410
+	NT_ARM_HW_BREAK                             = 0x402
+	NT_ARM_HW_WATCH                             = 0x403
+	NT_ARM_PACA_KEYS                            = 0x407
+	NT_ARM_PACG_KEYS                            = 0x408
+	NT_ARM_PAC_ENABLED_KEYS                     = 0x40a
+	NT_ARM_PAC_MASK                             = 0x406
+	NT_ARM_POE                                  = 0x40f
+	NT_ARM_SSVE                                 = 0x40b
+	NT_ARM_SVE                                  = 0x405
+	NT_ARM_SYSTEM_CALL                          = 0x404
+	NT_ARM_TAGGED_ADDR_CTRL                     = 0x409
+	NT_ARM_TLS                                  = 0x401
+	NT_ARM_VFP                                  = 0x400
+	NT_ARM_ZA                                   = 0x40c
+	NT_ARM_ZT                                   = 0x40d
+	NT_AUXV                                     = 0x6
+	NT_FILE                                     = 0x46494c45
+	NT_GNU_PROPERTY_TYPE_0                      = 0x5
+	NT_LOONGARCH_CPUCFG                         = 0xa00
+	NT_LOONGARCH_CSR                            = 0xa01
+	NT_LOONGARCH_HW_BREAK                       = 0xa05
+	NT_LOONGARCH_HW_WATCH                       = 0xa06
+	NT_LOONGARCH_LASX                           = 0xa03
+	NT_LOONGARCH_LBT                            = 0xa04
+	NT_LOONGARCH_LSX                            = 0xa02
+	NT_MIPS_DSP                                 = 0x800
+	NT_MIPS_FP_MODE                             = 0x801
+	NT_MIPS_MSA                                 = 0x802
+	NT_PPC_DEXCR                                = 0x111
+	NT_PPC_DSCR                                 = 0x105
+	NT_PPC_EBB                                  = 0x106
+	NT_PPC_HASHKEYR                             = 0x112
+	NT_PPC_PKEY                                 = 0x110
+	NT_PPC_PMU                                  = 0x107
+	NT_PPC_PPR                                  = 0x104
+	NT_PPC_SPE                                  = 0x101
+	NT_PPC_TAR                                  = 0x103
+	NT_PPC_TM_CDSCR                             = 0x10f
+	NT_PPC_TM_CFPR                              = 0x109
+	NT_PPC_TM_CGPR                              = 0x108
+	NT_PPC_TM_CPPR                              = 0x10e
+	NT_PPC_TM_CTAR                              = 0x10d
+	NT_PPC_TM_CVMX                              = 0x10a
+	NT_PPC_TM_CVSX                              = 0x10b
+	NT_PPC_TM_SPR                               = 0x10c
+	NT_PPC_VMX                                  = 0x100
+	NT_PPC_VSX                                  = 0x102
+	NT_PRFPREG                                  = 0x2
+	NT_PRPSINFO                                 = 0x3
+	NT_PRSTATUS                                 = 0x1
+	NT_PRXFPREG                                 = 0x46e62b7f
+	NT_RISCV_CSR                                = 0x900
+	NT_RISCV_TAGGED_ADDR_CTRL                   = 0x902
+	NT_RISCV_VECTOR                             = 0x901
+	NT_S390_CTRS                                = 0x304
+	NT_S390_GS_BC                               = 0x30c
+	NT_S390_GS_CB                               = 0x30b
+	NT_S390_HIGH_GPRS                           = 0x300
+	NT_S390_LAST_BREAK                          = 0x306
+	NT_S390_PREFIX                              = 0x305
+	NT_S390_PV_CPU_DATA                         = 0x30e
+	NT_S390_RI_CB                               = 0x30d
+	NT_S390_SYSTEM_CALL                         = 0x307
+	NT_S390_TDB                                 = 0x308
+	NT_S390_TIMER                               = 0x301
+	NT_S390_TODCMP                              = 0x302
+	NT_S390_TODPREG                             = 0x303
+	NT_S390_VXRS_HIGH                           = 0x30a
+	NT_S390_VXRS_LOW                            = 0x309
+	NT_SIGINFO                                  = 0x53494749
+	NT_TASKSTRUCT                               = 0x4
+	NT_VMCOREDD                                 = 0x700
+	NT_X86_SHSTK                                = 0x204
+	NT_X86_XSAVE_LAYOUT                         = 0x205
+	NT_X86_XSTATE                               = 0x202
 	OCFS2_SUPER_MAGIC                           = 0x7461636f
 	OCRNL                                       = 0x8
 	OFDEL                                       = 0x80
@@ -2463,6 +2699,59 @@ const (
 	PERF_RECORD_MISC_USER                       = 0x2
 	PERF_SAMPLE_BRANCH_PLM_ALL                  = 0x7
 	PERF_SAMPLE_WEIGHT_TYPE                     = 0x1004000
+	PF_ALG                                      = 0x26
+	PF_APPLETALK                                = 0x5
+	PF_ASH                                      = 0x12
+	PF_ATMPVC                                   = 0x8
+	PF_ATMSVC                                   = 0x14
+	PF_AX25                                     = 0x3
+	PF_BLUETOOTH                                = 0x1f
+	PF_BRIDGE                                   = 0x7
+	PF_CAIF                                     = 0x25
+	PF_CAN                                      = 0x1d
+	PF_DECnet                                   = 0xc
+	PF_ECONET                                   = 0x13
+	PF_FILE                                     = 0x1
+	PF_IB                                       = 0x1b
+	PF_IEEE802154                               = 0x24
+	PF_INET                                     = 0x2
+	PF_INET6                                    = 0xa
+	PF_IPX                                      = 0x4
+	PF_IRDA                                     = 0x17
+	PF_ISDN                                     = 0x22
+	PF_IUCV                                     = 0x20
+	PF_KCM                                      = 0x29
+	PF_KEY                                      = 0xf
+	PF_LLC                                      = 0x1a
+	PF_LOCAL                                    = 0x1
+	PF_MAX                                      = 0x2e
+	PF_MCTP                                     = 0x2d
+	PF_MPLS                                     = 0x1c
+	PF_NETBEUI                                  = 0xd
+	PF_NETLINK                                  = 0x10
+	PF_NETROM                                   = 0x6
+	PF_NFC                                      = 0x27
+	PF_PACKET                                   = 0x11
+	PF_PHONET                                   = 0x23
+	PF_PPPOX                                    = 0x18
+	PF_QIPCRTR                                  = 0x2a
+	PF_R                                        = 0x4
+	PF_RDS                                      = 0x15
+	PF_ROSE                                     = 0xb
+	PF_ROUTE                                    = 0x10
+	PF_RXRPC                                    = 0x21
+	PF_SECURITY                                 = 0xe
+	PF_SMC                                      = 0x2b
+	PF_SNA                                      = 0x16
+	PF_TIPC                                     = 0x1e
+	PF_UNIX                                     = 0x1
+	PF_UNSPEC                                   = 0x0
+	PF_VSOCK                                    = 0x28
+	PF_W                                        = 0x2
+	PF_WANPIPE                                  = 0x19
+	PF_X                                        = 0x1
+	PF_X25                                      = 0x9
+	PF_XDP                                      = 0x2c
 	PID_FS_MAGIC                                = 0x50494446
 	PIPEFS_MAGIC                                = 0x50495045
 	PPPIOCGNPMODE                               = 0xc008744c
@@ -2758,6 +3047,23 @@ const (
 	PTRACE_SYSCALL_INFO_NONE                    = 0x0
 	PTRACE_SYSCALL_INFO_SECCOMP                 = 0x3
 	PTRACE_TRACEME                              = 0x0
+	PT_AARCH64_MEMTAG_MTE                       = 0x70000002
+	PT_DYNAMIC                                  = 0x2
+	PT_GNU_EH_FRAME                             = 0x6474e550
+	PT_GNU_PROPERTY                             = 0x6474e553
+	PT_GNU_RELRO                                = 0x6474e552
+	PT_GNU_STACK                                = 0x6474e551
+	PT_HIOS                                     = 0x6fffffff
+	PT_HIPROC                                   = 0x7fffffff
+	PT_INTERP                                   = 0x3
+	PT_LOAD                                     = 0x1
+	PT_LOOS                                     = 0x60000000
+	PT_LOPROC                                   = 0x70000000
+	PT_NOTE                                     = 0x4
+	PT_NULL                                     = 0x0
+	PT_PHDR                                     = 0x6
+	PT_SHLIB                                    = 0x5
+	PT_TLS                                      = 0x7
 	P_ALL                                       = 0x0
 	P_PGID                                      = 0x2
 	P_PID                                       = 0x1
@@ -3091,6 +3397,47 @@ const (
 	SEEK_MAX                                    = 0x4
 	SEEK_SET                                    = 0x0
 	SELINUX_MAGIC                               = 0xf97cff8c
+	SHF_ALLOC                                   = 0x2
+	SHF_EXCLUDE                                 = 0x8000000
+	SHF_EXECINSTR                               = 0x4
+	SHF_GROUP                                   = 0x200
+	SHF_INFO_LINK                               = 0x40
+	SHF_LINK_ORDER                              = 0x80
+	SHF_MASKOS                                  = 0xff00000
+	SHF_MASKPROC                                = 0xf0000000
+	SHF_MERGE                                   = 0x10
+	SHF_ORDERED                                 = 0x4000000
+	SHF_OS_NONCONFORMING                        = 0x100
+	SHF_RELA_LIVEPATCH                          = 0x100000
+	SHF_RO_AFTER_INIT                           = 0x200000
+	SHF_STRINGS                                 = 0x20
+	SHF_TLS                                     = 0x400
+	SHF_WRITE                                   = 0x1
+	SHN_ABS                                     = 0xfff1
+	SHN_COMMON                                  = 0xfff2
+	SHN_HIPROC                                  = 0xff1f
+	SHN_HIRESERVE                               = 0xffff
+	SHN_LIVEPATCH                               = 0xff20
+	SHN_LOPROC                                  = 0xff00
+	SHN_LORESERVE                               = 0xff00
+	SHN_UNDEF                                   = 0x0
+	SHT_DYNAMIC                                 = 0x6
+	SHT_DYNSYM                                  = 0xb
+	SHT_HASH                                    = 0x5
+	SHT_HIPROC                                  = 0x7fffffff
+	SHT_HIUSER                                  = 0xffffffff
+	SHT_LOPROC                                  = 0x70000000
+	SHT_LOUSER                                  = 0x80000000
+	SHT_NOBITS                                  = 0x8
+	SHT_NOTE                                    = 0x7
+	SHT_NULL                                    = 0x0
+	SHT_NUM                                     = 0xc
+	SHT_PROGBITS                                = 0x1
+	SHT_REL                                     = 0x9
+	SHT_RELA                                    = 0x4
+	SHT_SHLIB                                   = 0xa
+	SHT_STRTAB                                  = 0x3
+	SHT_SYMTAB                                  = 0x2
 	SHUT_RD                                     = 0x0
 	SHUT_RDWR                                   = 0x2
 	SHUT_WR                                     = 0x1
@@ -3317,6 +3664,16 @@ const (
 	STATX_UID                                   = 0x8
 	STATX_WRITE_ATOMIC                          = 0x10000
 	STATX__RESERVED                             = 0x80000000
+	STB_GLOBAL                                  = 0x1
+	STB_LOCAL                                   = 0x0
+	STB_WEAK                                    = 0x2
+	STT_COMMON                                  = 0x5
+	STT_FILE                                    = 0x4
+	STT_FUNC                                    = 0x2
+	STT_NOTYPE                                  = 0x0
+	STT_OBJECT                                  = 0x1
+	STT_SECTION                                 = 0x3
+	STT_TLS                                     = 0x6
 	SYNC_FILE_RANGE_WAIT_AFTER                  = 0x4
 	SYNC_FILE_RANGE_WAIT_BEFORE                 = 0x1
 	SYNC_FILE_RANGE_WRITE                       = 0x2
@@ -3553,6 +3910,8 @@ const (
 	UTIME_OMIT                                  = 0x3ffffffe
 	V9FS_MAGIC                                  = 0x1021997
 	VERASE                                      = 0x2
+	VER_FLG_BASE                                = 0x1
+	VER_FLG_WEAK                                = 0x2
 	VINTR                                       = 0x0
 	VKILL                                       = 0x3
 	VLNEXT                                      = 0xf
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux.go b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
index 5cc1e8eb2f35e..8935d10a31ce9 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@@ -2238,3 +2238,13 @@ func Mseal(b []byte, flags uint) (err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setMemPolicy(mode int, mask *CPUSet, size int) (err error) {
+	_, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(size))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go
index 944e75a11cb1d..c1a4670171984 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -3590,6 +3590,8 @@ type Nhmsg struct {
 	Flags    uint32
 }
 
+const SizeofNhmsg = 0x8
+
 type NexthopGrp struct {
 	Id     uint32
 	Weight uint8
@@ -3597,6 +3599,8 @@ type NexthopGrp struct {
 	Resvd2 uint16
 }
 
+const SizeofNexthopGrp = 0x8
+
 const (
 	NHA_UNSPEC     = 0x0
 	NHA_ID         = 0x1
@@ -6332,3 +6336,30 @@ type SockDiagReq struct {
 }
 
 const RTM_NEWNVLAN = 0x70
+
+const (
+	MPOL_BIND                = 0x2
+	MPOL_DEFAULT             = 0x0
+	MPOL_F_ADDR              = 0x2
+	MPOL_F_MEMS_ALLOWED      = 0x4
+	MPOL_F_MOF               = 0x8
+	MPOL_F_MORON             = 0x10
+	MPOL_F_NODE              = 0x1
+	MPOL_F_NUMA_BALANCING    = 0x2000
+	MPOL_F_RELATIVE_NODES    = 0x4000
+	MPOL_F_SHARED            = 0x1
+	MPOL_F_STATIC_NODES      = 0x8000
+	MPOL_INTERLEAVE          = 0x3
+	MPOL_LOCAL               = 0x4
+	MPOL_MAX                 = 0x7
+	MPOL_MF_INTERNAL         = 0x10
+	MPOL_MF_LAZY             = 0x8
+	MPOL_MF_MOVE_ALL         = 0x4
+	MPOL_MF_MOVE             = 0x2
+	MPOL_MF_STRICT           = 0x1
+	MPOL_MF_VALID            = 0x7
+	MPOL_MODE_FLAGS          = 0xe000
+	MPOL_PREFERRED           = 0x1
+	MPOL_PREFERRED_MANY      = 0x5
+	MPOL_WEIGHTED_INTERLEAVE = 0x6
+)
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index 640f6b153f004..69439df2a4680 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -321,6 +321,8 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	SetConsoleOutputCP(cp uint32) (err error) = kernel32.SetConsoleOutputCP
 //sys	WriteConsole(console Handle, buf *uint16, towrite uint32, written *uint32, reserved *byte) (err error) = kernel32.WriteConsoleW
 //sys	ReadConsole(console Handle, buf *uint16, toread uint32, read *uint32, inputControl *byte) (err error) = kernel32.ReadConsoleW
+//sys	GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) = kernel32.GetNumberOfConsoleInputEvents
+//sys	FlushConsoleInputBuffer(console Handle) (err error) = kernel32.FlushConsoleInputBuffer
 //sys	resizePseudoConsole(pconsole Handle, size uint32) (hr error) = kernel32.ResizePseudoConsole
 //sys	CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle Handle, err error) [failretval==InvalidHandle] = kernel32.CreateToolhelp32Snapshot
 //sys	Module32First(snapshot Handle, moduleEntry *ModuleEntry32) (err error) = kernel32.Module32FirstW
@@ -890,8 +892,12 @@ const socket_error = uintptr(^uint32(0))
 //sys	MultiByteToWideChar(codePage uint32, dwFlags uint32, str *byte, nstr int32, wchar *uint16, nwchar int32) (nwrite int32, err error) = kernel32.MultiByteToWideChar
 //sys	getBestInterfaceEx(sockaddr unsafe.Pointer, pdwBestIfIndex *uint32) (errcode error) = iphlpapi.GetBestInterfaceEx
 //sys   GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) = iphlpapi.GetIfEntry2Ex
+//sys   GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) = iphlpapi.GetIpForwardEntry2
+//sys   GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) = iphlpapi.GetIpForwardTable2
 //sys   GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) = iphlpapi.GetUnicastIpAddressEntry
+//sys   FreeMibTable(memory unsafe.Pointer) = iphlpapi.FreeMibTable
 //sys   NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyIpInterfaceChange
+//sys   NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyRouteChange2
 //sys   NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyUnicastIpAddressChange
 //sys   CancelMibChangeNotify2(notificationHandle Handle) (errcode error) = iphlpapi.CancelMibChangeNotify2
 
@@ -914,6 +920,17 @@ type RawSockaddrInet6 struct {
 	Scope_id uint32
 }
 
+// RawSockaddrInet is a union that contains an IPv4, an IPv6 address, or an address family. See
+// https://learn.microsoft.com/en-us/windows/win32/api/ws2ipdef/ns-ws2ipdef-sockaddr_inet.
+//
+// A [*RawSockaddrInet] may be converted to a [*RawSockaddrInet4] or [*RawSockaddrInet6] using
+// unsafe, depending on the address family.
+type RawSockaddrInet struct {
+	Family uint16
+	Port   uint16
+	Data   [6]uint32
+}
+
 type RawSockaddr struct {
 	Family uint16
 	Data   [14]int8
diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go
index 993a2297dbe1a..6e4f50eb48356 100644
--- a/vendor/golang.org/x/sys/windows/types_windows.go
+++ b/vendor/golang.org/x/sys/windows/types_windows.go
@@ -65,6 +65,22 @@ var signals = [...]string{
 	15: "terminated",
 }
 
+// File flags for [os.OpenFile]. The O_ prefix is used to indicate
+// that these flags are specific to the OpenFile function.
+const (
+	O_FILE_FLAG_OPEN_NO_RECALL     = FILE_FLAG_OPEN_NO_RECALL
+	O_FILE_FLAG_OPEN_REPARSE_POINT = FILE_FLAG_OPEN_REPARSE_POINT
+	O_FILE_FLAG_SESSION_AWARE      = FILE_FLAG_SESSION_AWARE
+	O_FILE_FLAG_POSIX_SEMANTICS    = FILE_FLAG_POSIX_SEMANTICS
+	O_FILE_FLAG_BACKUP_SEMANTICS   = FILE_FLAG_BACKUP_SEMANTICS
+	O_FILE_FLAG_DELETE_ON_CLOSE    = FILE_FLAG_DELETE_ON_CLOSE
+	O_FILE_FLAG_SEQUENTIAL_SCAN    = FILE_FLAG_SEQUENTIAL_SCAN
+	O_FILE_FLAG_RANDOM_ACCESS      = FILE_FLAG_RANDOM_ACCESS
+	O_FILE_FLAG_NO_BUFFERING       = FILE_FLAG_NO_BUFFERING
+	O_FILE_FLAG_OVERLAPPED         = FILE_FLAG_OVERLAPPED
+	O_FILE_FLAG_WRITE_THROUGH      = FILE_FLAG_WRITE_THROUGH
+)
+
 const (
 	FILE_READ_DATA        = 0x00000001
 	FILE_READ_ATTRIBUTES  = 0x00000080
@@ -2304,6 +2320,82 @@ type MibIfRow2 struct {
 	OutQLen                     uint64
 }
 
+// IP_ADDRESS_PREFIX stores an IP address prefix. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-ip_address_prefix.
+type IpAddressPrefix struct {
+	Prefix       RawSockaddrInet
+	PrefixLength uint8
+}
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_origin.
+const (
+	NlroManual              = 0
+	NlroWellKnown           = 1
+	NlroDHCP                = 2
+	NlroRouterAdvertisement = 3
+	Nlro6to4                = 4
+)
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_protocol.
+const (
+	MIB_IPPROTO_OTHER             = 1
+	MIB_IPPROTO_LOCAL             = 2
+	MIB_IPPROTO_NETMGMT           = 3
+	MIB_IPPROTO_ICMP              = 4
+	MIB_IPPROTO_EGP               = 5
+	MIB_IPPROTO_GGP               = 6
+	MIB_IPPROTO_HELLO             = 7
+	MIB_IPPROTO_RIP               = 8
+	MIB_IPPROTO_IS_IS             = 9
+	MIB_IPPROTO_ES_IS             = 10
+	MIB_IPPROTO_CISCO             = 11
+	MIB_IPPROTO_BBN               = 12
+	MIB_IPPROTO_OSPF              = 13
+	MIB_IPPROTO_BGP               = 14
+	MIB_IPPROTO_IDPR              = 15
+	MIB_IPPROTO_EIGRP             = 16
+	MIB_IPPROTO_DVMRP             = 17
+	MIB_IPPROTO_RPL               = 18
+	MIB_IPPROTO_DHCP              = 19
+	MIB_IPPROTO_NT_AUTOSTATIC     = 10002
+	MIB_IPPROTO_NT_STATIC         = 10006
+	MIB_IPPROTO_NT_STATIC_NON_DOD = 10007
+)
+
+// MIB_IPFORWARD_ROW2 stores information about an IP route entry. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_row2.
+type MibIpForwardRow2 struct {
+	InterfaceLuid        uint64
+	InterfaceIndex       uint32
+	DestinationPrefix    IpAddressPrefix
+	NextHop              RawSockaddrInet
+	SitePrefixLength     uint8
+	ValidLifetime        uint32
+	PreferredLifetime    uint32
+	Metric               uint32
+	Protocol             uint32
+	Loopback             uint8
+	AutoconfigureAddress uint8
+	Publish              uint8
+	Immortal             uint8
+	Age                  uint32
+	Origin               uint32
+}
+
+// MIB_IPFORWARD_TABLE2 contains a table of IP route entries. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_table2.
+type MibIpForwardTable2 struct {
+	NumEntries uint32
+	Table      [1]MibIpForwardRow2
+}
+
+// Rows returns the IP route entries in the table.
+func (t *MibIpForwardTable2) Rows() []MibIpForwardRow2 {
+	return unsafe.Slice(&t.Table[0], t.NumEntries)
+}
+
 // MIB_UNICASTIPADDRESS_ROW stores information about a unicast IP address. See
 // https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_unicastipaddress_row.
 type MibUnicastIpAddressRow struct {
diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
index 641a5f4b775aa..f25b7308a1f3b 100644
--- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@@ -182,13 +182,17 @@ var (
 	procDwmGetWindowAttribute                                = moddwmapi.NewProc("DwmGetWindowAttribute")
 	procDwmSetWindowAttribute                                = moddwmapi.NewProc("DwmSetWindowAttribute")
 	procCancelMibChangeNotify2                               = modiphlpapi.NewProc("CancelMibChangeNotify2")
+	procFreeMibTable                                         = modiphlpapi.NewProc("FreeMibTable")
 	procGetAdaptersAddresses                                 = modiphlpapi.NewProc("GetAdaptersAddresses")
 	procGetAdaptersInfo                                      = modiphlpapi.NewProc("GetAdaptersInfo")
 	procGetBestInterfaceEx                                   = modiphlpapi.NewProc("GetBestInterfaceEx")
 	procGetIfEntry                                           = modiphlpapi.NewProc("GetIfEntry")
 	procGetIfEntry2Ex                                        = modiphlpapi.NewProc("GetIfEntry2Ex")
+	procGetIpForwardEntry2                                   = modiphlpapi.NewProc("GetIpForwardEntry2")
+	procGetIpForwardTable2                                   = modiphlpapi.NewProc("GetIpForwardTable2")
 	procGetUnicastIpAddressEntry                             = modiphlpapi.NewProc("GetUnicastIpAddressEntry")
 	procNotifyIpInterfaceChange                              = modiphlpapi.NewProc("NotifyIpInterfaceChange")
+	procNotifyRouteChange2                                   = modiphlpapi.NewProc("NotifyRouteChange2")
 	procNotifyUnicastIpAddressChange                         = modiphlpapi.NewProc("NotifyUnicastIpAddressChange")
 	procAddDllDirectory                                      = modkernel32.NewProc("AddDllDirectory")
 	procAssignProcessToJobObject                             = modkernel32.NewProc("AssignProcessToJobObject")
@@ -238,6 +242,7 @@ var (
 	procFindResourceW                                        = modkernel32.NewProc("FindResourceW")
 	procFindVolumeClose                                      = modkernel32.NewProc("FindVolumeClose")
 	procFindVolumeMountPointClose                            = modkernel32.NewProc("FindVolumeMountPointClose")
+	procFlushConsoleInputBuffer                              = modkernel32.NewProc("FlushConsoleInputBuffer")
 	procFlushFileBuffers                                     = modkernel32.NewProc("FlushFileBuffers")
 	procFlushViewOfFile                                      = modkernel32.NewProc("FlushViewOfFile")
 	procFormatMessageW                                       = modkernel32.NewProc("FormatMessageW")
@@ -284,6 +289,7 @@ var (
 	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
 	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
 	procGetNamedPipeServerProcessId                          = modkernel32.NewProc("GetNamedPipeServerProcessId")
+	procGetNumberOfConsoleInputEvents                        = modkernel32.NewProc("GetNumberOfConsoleInputEvents")
 	procGetOverlappedResult                                  = modkernel32.NewProc("GetOverlappedResult")
 	procGetPriorityClass                                     = modkernel32.NewProc("GetPriorityClass")
 	procGetProcAddress                                       = modkernel32.NewProc("GetProcAddress")
@@ -1622,6 +1628,11 @@ func CancelMibChangeNotify2(notificationHandle Handle) (errcode error) {
 	return
 }
 
+func FreeMibTable(memory unsafe.Pointer) {
+	syscall.SyscallN(procFreeMibTable.Addr(), uintptr(memory))
+	return
+}
+
 func GetAdaptersAddresses(family uint32, flags uint32, reserved uintptr, adapterAddresses *IpAdapterAddresses, sizePointer *uint32) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetAdaptersAddresses.Addr(), uintptr(family), uintptr(flags), uintptr(reserved), uintptr(unsafe.Pointer(adapterAddresses)), uintptr(unsafe.Pointer(sizePointer)))
 	if r0 != 0 {
@@ -1662,6 +1673,22 @@ func GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) {
 	return
 }
 
+func GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardEntry2.Addr(), uintptr(unsafe.Pointer(row)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
+func GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardTable2.Addr(), uintptr(family), uintptr(unsafe.Pointer(table)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetUnicastIpAddressEntry.Addr(), uintptr(unsafe.Pointer(row)))
 	if r0 != 0 {
@@ -1682,6 +1709,18 @@ func NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsa
 	return
 }
 
+func NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
+	var _p0 uint32
+	if initialNotification {
+		_p0 = 1
+	}
+	r0, _, _ := syscall.SyscallN(procNotifyRouteChange2.Addr(), uintptr(family), uintptr(callback), uintptr(callerContext), uintptr(_p0), uintptr(unsafe.Pointer(notificationHandle)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
 	var _p0 uint32
 	if initialNotification {
@@ -2111,6 +2150,14 @@ func FindVolumeMountPointClose(findVolumeMountPoint Handle) (err error) {
 	return
 }
 
+func FlushConsoleInputBuffer(console Handle) (err error) {
+	r1, _, e1 := syscall.SyscallN(procFlushConsoleInputBuffer.Addr(), uintptr(console))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func FlushFileBuffers(handle Handle) (err error) {
 	r1, _, e1 := syscall.SyscallN(procFlushFileBuffers.Addr(), uintptr(handle))
 	if r1 == 0 {
@@ -2481,6 +2528,14 @@ func GetNamedPipeServerProcessId(pipe Handle, serverProcessID *uint32) (err erro
 	return
 }
 
+func GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetNumberOfConsoleInputEvents.Addr(), uintptr(console), uintptr(unsafe.Pointer(numevents)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func GetOverlappedResult(handle Handle, overlapped *Overlapped, done *uint32, wait bool) (err error) {
 	var _p0 uint32
 	if wait {
diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go
index bddb2e2aebd4a..9255449b9b32f 100644
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -413,7 +413,7 @@ func (t *Terminal) eraseNPreviousChars(n int) {
 	}
 }
 
-// countToLeftWord returns then number of characters from the cursor to the
+// countToLeftWord returns the number of characters from the cursor to the
 // start of the previous word.
 func (t *Terminal) countToLeftWord() int {
 	if t.pos == 0 {
@@ -438,7 +438,7 @@ func (t *Terminal) countToLeftWord() int {
 	return t.pos - pos
 }
 
-// countToRightWord returns then number of characters from the cursor to the
+// countToRightWord returns the number of characters from the cursor to the
 // start of the next word.
 func (t *Terminal) countToRightWord() int {
 	pos := t.pos
@@ -478,7 +478,7 @@ func visualLength(runes []rune) int {
 	return length
 }
 
-// histroryAt unlocks the terminal and relocks it while calling History.At.
+// historyAt unlocks the terminal and relocks it while calling History.At.
 func (t *Terminal) historyAt(idx int) (string, bool) {
 	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
 	defer t.lock.Lock() // panic in At (or Len) protection.
diff --git a/vendor/golang.org/x/text/unicode/bidi/core.go b/vendor/golang.org/x/text/unicode/bidi/core.go
index 9d2ae547b5ed4..fb8273236dde6 100644
--- a/vendor/golang.org/x/text/unicode/bidi/core.go
+++ b/vendor/golang.org/x/text/unicode/bidi/core.go
@@ -427,13 +427,6 @@ type isolatingRunSequence struct {
 
 func (i *isolatingRunSequence) Len() int { return len(i.indexes) }
 
-func maxLevel(a, b level) level {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 // Rule X10, second bullet: Determine the start-of-sequence (sos) and end-of-sequence (eos) types,
 // either L or R, for each isolating run sequence.
 func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence {
@@ -474,8 +467,8 @@ func (p *paragraph) isolatingRunSequence(indexes []int) *isolatingRunSequence {
 		indexes: indexes,
 		types:   types,
 		level:   level,
-		sos:     typeForLevel(maxLevel(prevLevel, level)),
-		eos:     typeForLevel(maxLevel(succLevel, level)),
+		sos:     typeForLevel(max(prevLevel, level)),
+		eos:     typeForLevel(max(succLevel, level)),
 	}
 }
 
diff --git a/vendor/golang.org/x/tools/go/ast/astutil/imports.go b/vendor/golang.org/x/tools/go/ast/astutil/imports.go
index 5e5601aa46775..5bacc0fa49e03 100644
--- a/vendor/golang.org/x/tools/go/ast/astutil/imports.go
+++ b/vendor/golang.org/x/tools/go/ast/astutil/imports.go
@@ -209,48 +209,46 @@ func DeleteImport(fset *token.FileSet, f *ast.File, path string) (deleted bool)
 // DeleteNamedImport deletes the import with the given name and path from the file f, if present.
 // If there are duplicate import declarations, all matching ones are deleted.
 func DeleteNamedImport(fset *token.FileSet, f *ast.File, name, path string) (deleted bool) {
-	var delspecs []*ast.ImportSpec
-	var delcomments []*ast.CommentGroup
+	var (
+		delspecs    = make(map[*ast.ImportSpec]bool)
+		delcomments = make(map[*ast.CommentGroup]bool)
+	)
 
 	// Find the import nodes that import path, if any.
 	for i := 0; i < len(f.Decls); i++ {
-		decl := f.Decls[i]
-		gen, ok := decl.(*ast.GenDecl)
+		gen, ok := f.Decls[i].(*ast.GenDecl)
 		if !ok || gen.Tok != token.IMPORT {
 			continue
 		}
 		for j := 0; j < len(gen.Specs); j++ {
-			spec := gen.Specs[j]
-			impspec := spec.(*ast.ImportSpec)
+			impspec := gen.Specs[j].(*ast.ImportSpec)
 			if importName(impspec) != name || importPath(impspec) != path {
 				continue
 			}
 
 			// We found an import spec that imports path.
 			// Delete it.
-			delspecs = append(delspecs, impspec)
+			delspecs[impspec] = true
 			deleted = true
-			copy(gen.Specs[j:], gen.Specs[j+1:])
-			gen.Specs = gen.Specs[:len(gen.Specs)-1]
+			gen.Specs = slices.Delete(gen.Specs, j, j+1)
 
 			// If this was the last import spec in this decl,
 			// delete the decl, too.
 			if len(gen.Specs) == 0 {
-				copy(f.Decls[i:], f.Decls[i+1:])
-				f.Decls = f.Decls[:len(f.Decls)-1]
+				f.Decls = slices.Delete(f.Decls, i, i+1)
 				i--
 				break
 			} else if len(gen.Specs) == 1 {
 				if impspec.Doc != nil {
-					delcomments = append(delcomments, impspec.Doc)
+					delcomments[impspec.Doc] = true
 				}
 				if impspec.Comment != nil {
-					delcomments = append(delcomments, impspec.Comment)
+					delcomments[impspec.Comment] = true
 				}
 				for _, cg := range f.Comments {
 					// Found comment on the same line as the import spec.
 					if cg.End() < impspec.Pos() && fset.Position(cg.End()).Line == fset.Position(impspec.Pos()).Line {
-						delcomments = append(delcomments, cg)
+						delcomments[cg] = true
 						break
 					}
 				}
@@ -294,38 +292,21 @@ func DeleteNamedImport(fset *token.FileSet, f *ast.File, name, path string) (del
 	}
 
 	// Delete imports from f.Imports.
-	for i := 0; i < len(f.Imports); i++ {
-		imp := f.Imports[i]
-		for j, del := range delspecs {
-			if imp == del {
-				copy(f.Imports[i:], f.Imports[i+1:])
-				f.Imports = f.Imports[:len(f.Imports)-1]
-				copy(delspecs[j:], delspecs[j+1:])
-				delspecs = delspecs[:len(delspecs)-1]
-				i--
-				break
-			}
-		}
+	before := len(f.Imports)
+	f.Imports = slices.DeleteFunc(f.Imports, func(imp *ast.ImportSpec) bool {
+		_, ok := delspecs[imp]
+		return ok
+	})
+	if len(f.Imports)+len(delspecs) != before {
+		// This can happen when the AST is invalid (i.e. imports differ between f.Decls and f.Imports).
+		panic(fmt.Sprintf("deleted specs from Decls but not Imports: %v", delspecs))
 	}
 
 	// Delete comments from f.Comments.
-	for i := 0; i < len(f.Comments); i++ {
-		cg := f.Comments[i]
-		for j, del := range delcomments {
-			if cg == del {
-				copy(f.Comments[i:], f.Comments[i+1:])
-				f.Comments = f.Comments[:len(f.Comments)-1]
-				copy(delcomments[j:], delcomments[j+1:])
-				delcomments = delcomments[:len(delcomments)-1]
-				i--
-				break
-			}
-		}
-	}
-
-	if len(delspecs) > 0 {
-		panic(fmt.Sprintf("deleted specs from Decls but not Imports: %v", delspecs))
-	}
+	f.Comments = slices.DeleteFunc(f.Comments, func(cg *ast.CommentGroup) bool {
+		_, ok := delcomments[cg]
+		return ok
+	})
 
 	return
 }
diff --git a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
index 31c8d2f24096d..7e72d3c284b8a 100644
--- a/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
+++ b/vendor/golang.org/x/tools/go/ast/inspector/cursor.go
@@ -40,7 +40,7 @@ type Cursor struct {
 // Root returns a cursor for the virtual root node,
 // whose children are the files provided to [New].
 //
-// Its [Cursor.Node] and [Cursor.Stack] methods return nil.
+// Its [Cursor.Node] method return nil.
 func (in *Inspector) Root() Cursor {
 	return Cursor{in, -1}
 }
diff --git a/vendor/golang.org/x/tools/go/packages/golist.go b/vendor/golang.org/x/tools/go/packages/golist.go
index 89f89dd2dce51..680a70ca8f0da 100644
--- a/vendor/golang.org/x/tools/go/packages/golist.go
+++ b/vendor/golang.org/x/tools/go/packages/golist.go
@@ -364,12 +364,6 @@ type jsonPackage struct {
 	DepsErrors []*packagesinternal.PackageError
 }
 
-type jsonPackageError struct {
-	ImportStack []string
-	Pos         string
-	Err         string
-}
-
 func otherFiles(p *jsonPackage) [][]string {
 	return [][]string{p.CFiles, p.CXXFiles, p.MFiles, p.HFiles, p.FFiles, p.SFiles, p.SwigFiles, p.SwigCXXFiles, p.SysoFiles}
 }
diff --git a/vendor/golang.org/x/tools/go/packages/visit.go b/vendor/golang.org/x/tools/go/packages/visit.go
index df14ffd94dc3e..af6a60d75f87f 100644
--- a/vendor/golang.org/x/tools/go/packages/visit.go
+++ b/vendor/golang.org/x/tools/go/packages/visit.go
@@ -5,9 +5,11 @@
 package packages
 
 import (
+	"cmp"
 	"fmt"
+	"iter"
 	"os"
-	"sort"
+	"slices"
 )
 
 // Visit visits all the packages in the import graph whose roots are
@@ -16,6 +18,20 @@ import (
 // package's dependencies have been visited (postorder).
 // The boolean result of pre(pkg) determines whether
 // the imports of package pkg are visited.
+//
+// Example:
+//
+//	pkgs, err := Load(...)
+//	if err != nil { ... }
+//	Visit(pkgs, nil, func(pkg *Package) {
+//		log.Println(pkg)
+//	})
+//
+// In most cases, it is more convenient to use [Postorder]:
+//
+//	for pkg := range Postorder(pkgs) {
+//		log.Println(pkg)
+//	}
 func Visit(pkgs []*Package, pre func(*Package) bool, post func(*Package)) {
 	seen := make(map[*Package]bool)
 	var visit func(*Package)
@@ -24,13 +40,8 @@ func Visit(pkgs []*Package, pre func(*Package) bool, post func(*Package)) {
 			seen[pkg] = true
 
 			if pre == nil || pre(pkg) {
-				paths := make([]string, 0, len(pkg.Imports))
-				for path := range pkg.Imports {
-					paths = append(paths, path)
-				}
-				sort.Strings(paths) // Imports is a map, this makes visit stable
-				for _, path := range paths {
-					visit(pkg.Imports[path])
+				for _, imp := range sorted(pkg.Imports) { // for determinism
+					visit(imp)
 				}
 			}
 
@@ -50,7 +61,7 @@ func Visit(pkgs []*Package, pre func(*Package) bool, post func(*Package)) {
 func PrintErrors(pkgs []*Package) int {
 	var n int
 	errModules := make(map[*Module]bool)
-	Visit(pkgs, nil, func(pkg *Package) {
+	for pkg := range Postorder(pkgs) {
 		for _, err := range pkg.Errors {
 			fmt.Fprintln(os.Stderr, err)
 			n++
@@ -63,6 +74,60 @@ func PrintErrors(pkgs []*Package) int {
 			fmt.Fprintln(os.Stderr, mod.Error.Err)
 			n++
 		}
-	})
+	}
 	return n
 }
+
+// Postorder returns an iterator over the the packages in
+// the import graph whose roots are pkg.
+// Packages are enumerated in dependencies-first order.
+func Postorder(pkgs []*Package) iter.Seq[*Package] {
+	return func(yield func(*Package) bool) {
+		seen := make(map[*Package]bool)
+		var visit func(*Package) bool
+		visit = func(pkg *Package) bool {
+			if !seen[pkg] {
+				seen[pkg] = true
+				for _, imp := range sorted(pkg.Imports) { // for determinism
+					if !visit(imp) {
+						return false
+					}
+				}
+				if !yield(pkg) {
+					return false
+				}
+			}
+			return true
+		}
+		for _, pkg := range pkgs {
+			if !visit(pkg) {
+				break
+			}
+		}
+	}
+}
+
+// -- copied from golang.org.x/tools/gopls/internal/util/moremaps --
+
+// sorted returns an iterator over the entries of m in key order.
+func sorted[M ~map[K]V, K cmp.Ordered, V any](m M) iter.Seq2[K, V] {
+	// TODO(adonovan): use maps.Sorted if proposal #68598 is accepted.
+	return func(yield func(K, V) bool) {
+		keys := keySlice(m)
+		slices.Sort(keys)
+		for _, k := range keys {
+			if !yield(k, m[k]) {
+				break
+			}
+		}
+	}
+}
+
+// KeySlice returns the keys of the map M, like slices.Collect(maps.Keys(m)).
+func keySlice[M ~map[K]V, K comparable, V any](m M) []K {
+	r := make([]K, 0, len(m))
+	for k := range m {
+		r = append(r, k)
+	}
+	return r
+}
diff --git a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
index d3c2913bef336..6c0c74968f353 100644
--- a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
+++ b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
@@ -698,7 +698,10 @@ func Object(pkg *types.Package, p Path) (types.Object, error) {
 			} else if false && aliases.Enabled() {
 				// The Enabled check is too expensive, so for now we
 				// simply assume that aliases are not enabled.
-				// TODO(adonovan): replace with "if true {" when go1.24 is assured.
+				//
+				// Now that go1.24 is assured, we should be able to
+				// replace this with "if true {", but it causes tests
+				// to fail. TODO(adonovan): investigate.
 				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want alias)", code, t, t)
 			}
 
diff --git a/vendor/golang.org/x/tools/go/types/typeutil/map.go b/vendor/golang.org/x/tools/go/types/typeutil/map.go
index b6d542c64ee64..f035a0b6be92c 100644
--- a/vendor/golang.org/x/tools/go/types/typeutil/map.go
+++ b/vendor/golang.org/x/tools/go/types/typeutil/map.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"go/types"
 	"hash/maphash"
-	"unsafe"
 
 	"golang.org/x/tools/internal/typeparams"
 )
@@ -380,22 +379,8 @@ var theSeed = maphash.MakeSeed()
 func (hasher) hashTypeName(tname *types.TypeName) uint32 {
 	// Since types.Identical uses == to compare TypeNames,
 	// the Hash function uses maphash.Comparable.
-	// TODO(adonovan): or will, when it becomes available in go1.24.
-	// In the meantime we use the pointer's numeric value.
-	//
-	//   hash := maphash.Comparable(theSeed, tname)
-	//
-	// (Another approach would be to hash the name and package
-	// path, and whether or not it is a package-level typename. It
-	// is rare for a package to define multiple local types with
-	// the same name.)
-	ptr := uintptr(unsafe.Pointer(tname))
-	if unsafe.Sizeof(ptr) == 8 {
-		hash := uint64(ptr)
-		return uint32(hash ^ (hash >> 32))
-	} else {
-		return uint32(ptr)
-	}
+	hash := maphash.Comparable(theSeed, tname)
+	return uint32(hash ^ (hash >> 32))
 }
 
 // shallowHash computes a hash of t without looking at any of its
diff --git a/vendor/golang.org/x/tools/imports/forward.go b/vendor/golang.org/x/tools/imports/forward.go
index cb6db8893f947..22ae777726768 100644
--- a/vendor/golang.org/x/tools/imports/forward.go
+++ b/vendor/golang.org/x/tools/imports/forward.go
@@ -69,9 +69,3 @@ func Process(filename string, src []byte, opt *Options) ([]byte, error) {
 	}
 	return intimp.Process(filename, src, intopt)
 }
-
-// VendorlessPath returns the devendorized version of the import path ipath.
-// For example, VendorlessPath("foo/bar/vendor/a/b") returns "a/b".
-func VendorlessPath(ipath string) string {
-	return intimp.VendorlessPath(ipath)
-}
diff --git a/vendor/golang.org/x/tools/internal/event/core/event.go b/vendor/golang.org/x/tools/internal/event/core/event.go
index a6cf0e64a4b17..ade5d1e799d64 100644
--- a/vendor/golang.org/x/tools/internal/event/core/event.go
+++ b/vendor/golang.org/x/tools/internal/event/core/event.go
@@ -28,11 +28,6 @@ type Event struct {
 	dynamic []label.Label  // dynamically sized storage for remaining labels
 }
 
-// eventLabelMap implements label.Map for a the labels of an Event.
-type eventLabelMap struct {
-	event Event
-}
-
 func (ev Event) At() time.Time { return ev.at }
 
 func (ev Event) Format(f fmt.State, r rune) {
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
index 780873e3ae784..4a4357d2bd444 100644
--- a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
@@ -569,7 +569,6 @@ func (p *iexporter) exportName(obj types.Object) (res string) {
 
 type iexporter struct {
 	fset    *token.FileSet
-	out     *bytes.Buffer
 	version int
 
 	shallow    bool                // don't put types from other packages in the index
diff --git a/vendor/golang.org/x/tools/internal/gcimporter/iimport_go122.go b/vendor/golang.org/x/tools/internal/gcimporter/iimport_go122.go
deleted file mode 100644
index 7586bfaca6038..0000000000000
--- a/vendor/golang.org/x/tools/internal/gcimporter/iimport_go122.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.22 && !go1.24
-
-package gcimporter
-
-import (
-	"go/token"
-	"go/types"
-	"unsafe"
-)
-
-// TODO(rfindley): delete this workaround once go1.24 is assured.
-
-func init() {
-	// Update markBlack so that it correctly sets the color
-	// of imported TypeNames.
-	//
-	// See the doc comment for markBlack for details.
-
-	type color uint32
-	const (
-		white color = iota
-		black
-		grey
-	)
-	type object struct {
-		_      *types.Scope
-		_      token.Pos
-		_      *types.Package
-		_      string
-		_      types.Type
-		_      uint32
-		color_ color
-		_      token.Pos
-	}
-	type typeName struct {
-		object
-	}
-
-	// If the size of types.TypeName changes, this will fail to compile.
-	const delta = int64(unsafe.Sizeof(typeName{})) - int64(unsafe.Sizeof(types.TypeName{}))
-	var _ [-delta * delta]int
-
-	markBlack = func(obj *types.TypeName) {
-		type uP = unsafe.Pointer
-		var ptr *typeName
-		*(*uP)(uP(&ptr)) = uP(obj)
-		ptr.color_ = black
-	}
-}
diff --git a/vendor/golang.org/x/tools/internal/imports/fix.go b/vendor/golang.org/x/tools/internal/imports/fix.go
index 50b6ca51a6b1d..1b4dc0cb5daea 100644
--- a/vendor/golang.org/x/tools/internal/imports/fix.go
+++ b/vendor/golang.org/x/tools/internal/imports/fix.go
@@ -16,6 +16,7 @@ import (
 	"go/types"
 	"io/fs"
 	"io/ioutil"
+	"maps"
 	"os"
 	"path"
 	"path/filepath"
@@ -27,8 +28,6 @@ import (
 	"unicode"
 	"unicode/utf8"
 
-	"maps"
-
 	"golang.org/x/tools/go/ast/astutil"
 	"golang.org/x/tools/internal/event"
 	"golang.org/x/tools/internal/gocommand"
@@ -43,7 +42,7 @@ var importToGroup = []func(localPrefix, importPath string) (num int, ok bool){
 		if localPrefix == "" {
 			return
 		}
-		for _, p := range strings.Split(localPrefix, ",") {
+		for p := range strings.SplitSeq(localPrefix, ",") {
 			if strings.HasPrefix(importPath, p) || strings.TrimSuffix(p, "/") == importPath {
 				return 3, true
 			}
@@ -1251,7 +1250,6 @@ func ImportPathToAssumedName(importPath string) string {
 // gopathResolver implements resolver for GOPATH workspaces.
 type gopathResolver struct {
 	env      *ProcessEnv
-	walked   bool
 	cache    *DirInfoCache
 	scanSema chan struct{} // scanSema prevents concurrent scans.
 }
diff --git a/vendor/golang.org/x/tools/internal/modindex/symbols.go b/vendor/golang.org/x/tools/internal/modindex/symbols.go
index fe24db9b13f21..8e9702d84be48 100644
--- a/vendor/golang.org/x/tools/internal/modindex/symbols.go
+++ b/vendor/golang.org/x/tools/internal/modindex/symbols.go
@@ -206,8 +206,7 @@ func isDeprecated(doc *ast.CommentGroup) bool {
 	// go.dev/wiki/Deprecated Paragraph starting 'Deprecated:'
 	// This code fails for /* Deprecated: */, but it's the code from
 	// gopls/internal/analysis/deprecated
-	lines := strings.Split(doc.Text(), "\n\n")
-	for _, line := range lines {
+	for line := range strings.SplitSeq(doc.Text(), "\n\n") {
 		if strings.HasPrefix(line, "Deprecated:") {
 			return true
 		}
diff --git a/vendor/golang.org/x/tools/internal/stdlib/deps.go b/vendor/golang.org/x/tools/internal/stdlib/deps.go
index 77cf8d2181ae4..96ad6c582105e 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/deps.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/deps.go
@@ -12,348 +12,354 @@ type pkginfo struct {
 }
 
 var deps = [...]pkginfo{
-	{"archive/tar", "\x03j\x03E5\x01\v\x01#\x01\x01\x02\x05\n\x02\x01\x02\x02\v"},
-	{"archive/zip", "\x02\x04`\a\x16\x0205\x01+\x05\x01\x11\x03\x02\r\x04"},
-	{"bufio", "\x03j}F\x13"},
-	{"bytes", "m+R\x03\fH\x02\x02"},
+	{"archive/tar", "\x03k\x03E;\x01\n\x01$\x01\x01\x02\x05\b\x02\x01\x02\x02\f"},
+	{"archive/zip", "\x02\x04a\a\x03\x12\x021;\x01+\x05\x01\x0f\x03\x02\x0e\x04"},
+	{"bufio", "\x03k\x83\x01D\x14"},
+	{"bytes", "n*Y\x03\fG\x02\x02"},
 	{"cmp", ""},
-	{"compress/bzip2", "\x02\x02\xe6\x01C"},
-	{"compress/flate", "\x02k\x03z\r\x025\x01\x03"},
-	{"compress/gzip", "\x02\x04`\a\x03\x15eU"},
-	{"compress/lzw", "\x02k\x03z"},
-	{"compress/zlib", "\x02\x04`\a\x03\x13\x01f"},
-	{"container/heap", "\xae\x02"},
+	{"compress/bzip2", "\x02\x02\xed\x01A"},
+	{"compress/flate", "\x02l\x03\x80\x01\f\x033\x01\x03"},
+	{"compress/gzip", "\x02\x04a\a\x03\x14lT"},
+	{"compress/lzw", "\x02l\x03\x80\x01"},
+	{"compress/zlib", "\x02\x04a\a\x03\x12\x01m"},
+	{"container/heap", "\xb3\x02"},
 	{"container/list", ""},
 	{"container/ring", ""},
-	{"context", "m\\i\x01\f"},
-	{"crypto", "\x83\x01gE"},
-	{"crypto/aes", "\x10\n\a\x8e\x02"},
-	{"crypto/cipher", "\x03\x1e\x01\x01\x1d\x11\x1c,Q"},
-	{"crypto/des", "\x10\x13\x1d-,\x96\x01\x03"},
-	{"crypto/dsa", "@\x04)}\x0e"},
-	{"crypto/ecdh", "\x03\v\f\x0e\x04\x14\x04\r\x1c}"},
-	{"crypto/ecdsa", "\x0e\x05\x03\x04\x01\x0e\x16\x01\x04\f\x01\x1c}\x0e\x04L\x01"},
-	{"crypto/ed25519", "\x0e\x1c\x16\n\a\x1c}E"},
-	{"crypto/elliptic", "0=}\x0e:"},
-	{"crypto/fips140", " \x05\x90\x01"},
-	{"crypto/hkdf", "-\x12\x01-\x16"},
-	{"crypto/hmac", "\x1a\x14\x11\x01\x112"},
+	{"context", "n\\m\x01\r"},
+	{"crypto", "\x83\x01nC"},
+	{"crypto/aes", "\x10\n\a\x93\x02"},
+	{"crypto/cipher", "\x03\x1e\x01\x01\x1e\x11\x1c+X"},
+	{"crypto/des", "\x10\x13\x1e-+\x9b\x01\x03"},
+	{"crypto/dsa", "A\x04)\x83\x01\r"},
+	{"crypto/ecdh", "\x03\v\f\x0e\x04\x15\x04\r\x1c\x83\x01"},
+	{"crypto/ecdsa", "\x0e\x05\x03\x04\x01\x0e\a\v\x05\x01\x04\f\x01\x1c\x83\x01\r\x05K\x01"},
+	{"crypto/ed25519", "\x0e\x1c\x11\x06\n\a\x1c\x83\x01C"},
+	{"crypto/elliptic", "0>\x83\x01\r9"},
+	{"crypto/fips140", " \x05"},
+	{"crypto/hkdf", "-\x13\x01-\x15"},
+	{"crypto/hmac", "\x1a\x14\x12\x01\x111"},
 	{"crypto/internal/boring", "\x0e\x02\rf"},
-	{"crypto/internal/boring/bbig", "\x1a\xde\x01M"},
-	{"crypto/internal/boring/bcache", "\xb3\x02\x12"},
+	{"crypto/internal/boring/bbig", "\x1a\xe4\x01M"},
+	{"crypto/internal/boring/bcache", "\xb8\x02\x13"},
 	{"crypto/internal/boring/sig", ""},
-	{"crypto/internal/cryptotest", "\x03\r\n)\x0e\x19\x06\x13\x12#\a\t\x11\x11\x11\x1b\x01\f\r\x05\n"},
-	{"crypto/internal/entropy", "E"},
-	{"crypto/internal/fips140", ">/}9\r\x15"},
-	{"crypto/internal/fips140/aes", "\x03\x1d\x03\x02\x13\x04\x01\x01\x05*\x8c\x016"},
-	{"crypto/internal/fips140/aes/gcm", " \x01\x02\x02\x02\x11\x04\x01\x06*\x8a\x01"},
-	{"crypto/internal/fips140/alias", "\xc5\x02"},
-	{"crypto/internal/fips140/bigmod", "%\x17\x01\x06*\x8c\x01"},
-	{"crypto/internal/fips140/check", " \x0e\x06\b\x02\xac\x01["},
-	{"crypto/internal/fips140/check/checktest", "%\xfe\x01\""},
-	{"crypto/internal/fips140/drbg", "\x03\x1c\x01\x01\x04\x13\x04\b\x01(}\x0f9"},
-	{"crypto/internal/fips140/ecdh", "\x03\x1d\x05\x02\t\f1}\x0f9"},
-	{"crypto/internal/fips140/ecdsa", "\x03\x1d\x04\x01\x02\a\x02\x067}H"},
-	{"crypto/internal/fips140/ed25519", "\x03\x1d\x05\x02\x04\v7\xc2\x01\x03"},
-	{"crypto/internal/fips140/edwards25519", "%\a\f\x041\x8c\x019"},
-	{"crypto/internal/fips140/edwards25519/field", "%\x13\x041\x8c\x01"},
-	{"crypto/internal/fips140/hkdf", "\x03\x1d\x05\t\x069"},
-	{"crypto/internal/fips140/hmac", "\x03\x1d\x14\x01\x017"},
-	{"crypto/internal/fips140/mlkem", "\x03\x1d\x05\x02\x0e\x03\x041"},
-	{"crypto/internal/fips140/nistec", "%\f\a\x041\x8c\x01*\x0f\x13"},
-	{"crypto/internal/fips140/nistec/fiat", "%\x135\x8c\x01"},
-	{"crypto/internal/fips140/pbkdf2", "\x03\x1d\x05\t\x069"},
-	{"crypto/internal/fips140/rsa", "\x03\x1d\x04\x01\x02\r\x01\x01\x025}H"},
-	{"crypto/internal/fips140/sha256", "\x03\x1d\x1c\x01\x06*\x8c\x01"},
-	{"crypto/internal/fips140/sha3", "\x03\x1d\x18\x04\x010\x8c\x01L"},
-	{"crypto/internal/fips140/sha512", "\x03\x1d\x1c\x01\x06*\x8c\x01"},
-	{"crypto/internal/fips140/ssh", " \x05"},
-	{"crypto/internal/fips140/subtle", "#"},
-	{"crypto/internal/fips140/tls12", "\x03\x1d\x05\t\x06\x027"},
-	{"crypto/internal/fips140/tls13", "\x03\x1d\x05\b\a\b1"},
+	{"crypto/internal/cryptotest", "\x03\r\n\x06$\x0e\x19\x06\x12\x12 \x04\a\t\x16\x01\x11\x11\x1b\x01\a\x05\b\x03\x05\v"},
+	{"crypto/internal/entropy", "F"},
+	{"crypto/internal/fips140", "?/\x15\xa7\x01\v\x16"},
+	{"crypto/internal/fips140/aes", "\x03\x1d\x03\x02\x13\x05\x01\x01\x05*\x92\x014"},
+	{"crypto/internal/fips140/aes/gcm", " \x01\x02\x02\x02\x11\x05\x01\x06*\x8f\x01"},
+	{"crypto/internal/fips140/alias", "\xcb\x02"},
+	{"crypto/internal/fips140/bigmod", "%\x18\x01\x06*\x92\x01"},
+	{"crypto/internal/fips140/check", " \x0e\x06\t\x02\xb2\x01Z"},
+	{"crypto/internal/fips140/check/checktest", "%\x85\x02!"},
+	{"crypto/internal/fips140/drbg", "\x03\x1c\x01\x01\x04\x13\x05\b\x01(\x83\x01\x0f7"},
+	{"crypto/internal/fips140/ecdh", "\x03\x1d\x05\x02\t\r1\x83\x01\x0f7"},
+	{"crypto/internal/fips140/ecdsa", "\x03\x1d\x04\x01\x02\a\x02\x068\x15nF"},
+	{"crypto/internal/fips140/ed25519", "\x03\x1d\x05\x02\x04\v8\xc6\x01\x03"},
+	{"crypto/internal/fips140/edwards25519", "%\a\f\x051\x92\x017"},
+	{"crypto/internal/fips140/edwards25519/field", "%\x13\x051\x92\x01"},
+	{"crypto/internal/fips140/hkdf", "\x03\x1d\x05\t\x06:\x15"},
+	{"crypto/internal/fips140/hmac", "\x03\x1d\x14\x01\x018\x15"},
+	{"crypto/internal/fips140/mlkem", "\x03\x1d\x05\x02\x0e\x03\x051"},
+	{"crypto/internal/fips140/nistec", "%\f\a\x051\x92\x01*\r\x14"},
+	{"crypto/internal/fips140/nistec/fiat", "%\x136\x92\x01"},
+	{"crypto/internal/fips140/pbkdf2", "\x03\x1d\x05\t\x06:\x15"},
+	{"crypto/internal/fips140/rsa", "\x03\x1d\x04\x01\x02\r\x01\x01\x026\x15nF"},
+	{"crypto/internal/fips140/sha256", "\x03\x1d\x1d\x01\x06*\x15}"},
+	{"crypto/internal/fips140/sha3", "\x03\x1d\x18\x05\x010\x92\x01K"},
+	{"crypto/internal/fips140/sha512", "\x03\x1d\x1d\x01\x06*\x15}"},
+	{"crypto/internal/fips140/ssh", "%^"},
+	{"crypto/internal/fips140/subtle", "#\x1a\xc3\x01"},
+	{"crypto/internal/fips140/tls12", "\x03\x1d\x05\t\x06\x028\x15"},
+	{"crypto/internal/fips140/tls13", "\x03\x1d\x05\b\a\t1\x15"},
+	{"crypto/internal/fips140cache", "\xaa\x02\r&"},
 	{"crypto/internal/fips140deps", ""},
 	{"crypto/internal/fips140deps/byteorder", "\x99\x01"},
-	{"crypto/internal/fips140deps/cpu", "\xad\x01\a"},
-	{"crypto/internal/fips140deps/godebug", "\xb5\x01"},
-	{"crypto/internal/fips140hash", "5\x1a4\xc2\x01"},
-	{"crypto/internal/fips140only", "'\r\x01\x01M25"},
+	{"crypto/internal/fips140deps/cpu", "\xae\x01\a"},
+	{"crypto/internal/fips140deps/godebug", "\xb6\x01"},
+	{"crypto/internal/fips140hash", "5\x1b3\xc8\x01"},
+	{"crypto/internal/fips140only", "'\r\x01\x01M3;"},
 	{"crypto/internal/fips140test", ""},
-	{"crypto/internal/hpke", "\x0e\x01\x01\x03\x1a\x1d#,`N"},
-	{"crypto/internal/impl", "\xb0\x02"},
-	{"crypto/internal/randutil", "\xea\x01\x12"},
-	{"crypto/internal/sysrand", "mi!\x1f\r\x0f\x01\x01\v\x06"},
-	{"crypto/internal/sysrand/internal/seccomp", "m"},
-	{"crypto/md5", "\x0e2-\x16\x16`"},
+	{"crypto/internal/hpke", "\x0e\x01\x01\x03\x053#+gM"},
+	{"crypto/internal/impl", "\xb5\x02"},
+	{"crypto/internal/randutil", "\xf1\x01\x12"},
+	{"crypto/internal/sysrand", "nn! \r\r\x01\x01\f\x06"},
+	{"crypto/internal/sysrand/internal/seccomp", "n"},
+	{"crypto/md5", "\x0e3-\x15\x16g"},
 	{"crypto/mlkem", "/"},
-	{"crypto/pbkdf2", "2\r\x01-\x16"},
-	{"crypto/rand", "\x1a\x06\a\x19\x04\x01(}\x0eM"},
-	{"crypto/rc4", "#\x1d-\xc2\x01"},
-	{"crypto/rsa", "\x0e\f\x01\t\x0f\f\x01\x04\x06\a\x1c\x03\x1325\r\x01"},
-	{"crypto/sha1", "\x0e\f&-\x16\x16\x14L"},
+	{"crypto/pbkdf2", "2\x0e\x01-\x15"},
+	{"crypto/rand", "\x1a\x06\a\x1a\x04\x01(\x83\x01\rM"},
+	{"crypto/rc4", "#\x1e-\xc6\x01"},
+	{"crypto/rsa", "\x0e\f\x01\t\x0f\r\x01\x04\x06\a\x1c\x03\x123;\f\x01"},
+	{"crypto/sha1", "\x0e\f'\x03*\x15\x16\x15R"},
 	{"crypto/sha256", "\x0e\f\x1aO"},
-	{"crypto/sha3", "\x0e'N\xc2\x01"},
+	{"crypto/sha3", "\x0e'N\xc8\x01"},
 	{"crypto/sha512", "\x0e\f\x1cM"},
-	{"crypto/subtle", "8\x96\x01U"},
-	{"crypto/tls", "\x03\b\x02\x01\x01\x01\x01\x02\x01\x01\x01\x03\x01\a\x01\v\x02\n\x01\b\x05\x03\x01\x01\x01\x01\x02\x01\x02\x01\x17\x02\x03\x13\x16\x14\b5\x16\x16\r\n\x01\x01\x01\x02\x01\f\x06\x02\x01"},
-	{"crypto/tls/internal/fips140tls", " \x93\x02"},
-	{"crypto/x509", "\x03\v\x01\x01\x01\x01\x01\x01\x01\x011\x03\x02\x01\x01\x02\x05\x0e\x06\x02\x02\x03E\x032\x01\x02\t\x01\x01\x01\a\x10\x05\x01\x06\x02\x05\f\x01\x02\r\x02\x01\x01\x02\x03\x01"},
-	{"crypto/x509/pkix", "c\x06\a\x88\x01G"},
-	{"database/sql", "\x03\nJ\x16\x03z\f\x06\"\x05\n\x02\x03\x01\f\x02\x02\x02"},
-	{"database/sql/driver", "\r`\x03\xae\x01\x11\x10"},
-	{"debug/buildinfo", "\x03W\x02\x01\x01\b\a\x03`\x18\x02\x01+\x0f "},
-	{"debug/dwarf", "\x03c\a\x03z1\x13\x01\x01"},
-	{"debug/elf", "\x03\x06P\r\a\x03`\x19\x01,\x19\x01\x15"},
-	{"debug/gosym", "\x03c\n\xbe\x01\x01\x01\x02"},
-	{"debug/macho", "\x03\x06P\r\n`\x1a,\x19\x01"},
-	{"debug/pe", "\x03\x06P\r\a\x03`\x1a,\x19\x01\x15"},
-	{"debug/plan9obj", "f\a\x03`\x1a,"},
-	{"embed", "m+:\x18\x01T"},
+	{"crypto/subtle", "8\x9b\x01W"},
+	{"crypto/tls", "\x03\b\x02\x01\x01\x01\x01\x02\x01\x01\x01\x02\x01\x01\a\x01\r\n\x01\t\x05\x03\x01\x01\x01\x01\x02\x01\x02\x01\x17\x02\x03\x12\x16\x15\b;\x16\x16\r\b\x01\x01\x01\x02\x01\r\x06\x02\x01\x0f"},
+	{"crypto/tls/internal/fips140tls", "\x17\xa1\x02"},
+	{"crypto/x509", "\x03\v\x01\x01\x01\x01\x01\x01\x01\x012\x05\x01\x01\x02\x05\x0e\x06\x02\x02\x03E\x038\x01\x02\b\x01\x01\x02\a\x10\x05\x01\x06\x02\x05\n\x01\x02\x0e\x02\x01\x01\x02\x03\x01"},
+	{"crypto/x509/pkix", "d\x06\a\x8d\x01G"},
+	{"database/sql", "\x03\nK\x16\x03\x80\x01\v\a\"\x05\b\x02\x03\x01\r\x02\x02\x02"},
+	{"database/sql/driver", "\ra\x03\xb4\x01\x0f\x11"},
+	{"debug/buildinfo", "\x03X\x02\x01\x01\b\a\x03e\x19\x02\x01+\x0f\x1f"},
+	{"debug/dwarf", "\x03d\a\x03\x80\x011\x11\x01\x01"},
+	{"debug/elf", "\x03\x06Q\r\a\x03e\x1a\x01,\x17\x01\x16"},
+	{"debug/gosym", "\x03d\n\xc2\x01\x01\x01\x02"},
+	{"debug/macho", "\x03\x06Q\r\ne\x1b,\x17\x01"},
+	{"debug/pe", "\x03\x06Q\r\a\x03e\x1b,\x17\x01\x16"},
+	{"debug/plan9obj", "g\a\x03e\x1b,"},
+	{"embed", "n*@\x19\x01S"},
 	{"embed/internal/embedtest", ""},
 	{"encoding", ""},
-	{"encoding/ascii85", "\xea\x01E"},
-	{"encoding/asn1", "\x03j\x03\x87\x01\x01&\x0f\x02\x01\x0f\x03\x01"},
-	{"encoding/base32", "\xea\x01C\x02"},
-	{"encoding/base64", "\x99\x01QC\x02"},
-	{"encoding/binary", "m}\r'\x0f\x05"},
-	{"encoding/csv", "\x02\x01j\x03zF\x11\x02"},
-	{"encoding/gob", "\x02_\x05\a\x03`\x1a\f\x01\x02\x1d\b\x14\x01\x0e\x02"},
-	{"encoding/hex", "m\x03zC\x03"},
-	{"encoding/json", "\x03\x01]\x04\b\x03z\r'\x0f\x02\x01\x02\x0f\x01\x01\x02"},
-	{"encoding/pem", "\x03b\b}C\x03"},
-	{"encoding/xml", "\x02\x01^\f\x03z4\x05\f\x01\x02\x0f\x02"},
-	{"errors", "\xc9\x01|"},
-	{"expvar", "jK9\t\n\x15\r\n\x02\x03\x01\x10"},
-	{"flag", "a\f\x03z,\b\x05\n\x02\x01\x0f"},
-	{"fmt", "mE8\r\x1f\b\x0f\x02\x03\x11"},
-	{"go/ast", "\x03\x01l\x0f\x01j\x03)\b\x0f\x02\x01"},
-	{"go/ast/internal/tests", ""},
-	{"go/build", "\x02\x01j\x03\x01\x03\x02\a\x02\x01\x17\x1e\x04\x02\t\x14\x12\x01+\x01\x04\x01\a\n\x02\x01\x11\x02\x02"},
-	{"go/build/constraint", "m\xc2\x01\x01\x11\x02"},
-	{"go/constant", "p\x10w\x01\x016\x01\x02\x11"},
-	{"go/doc", "\x04l\x01\x06\t=-1\x12\x02\x01\x11\x02"},
-	{"go/doc/comment", "\x03m\xbd\x01\x01\x01\x01\x11\x02"},
-	{"go/format", "\x03m\x01\f\x01\x02jF"},
-	{"go/importer", "s\a\x01\x01\x04\x01i9"},
-	{"go/internal/gccgoimporter", "\x02\x01W\x13\x03\x05\v\x01g\x02,\x01\x05\x13\x01\v\b"},
-	{"go/internal/gcimporter", "\x02n\x10\x01/\x05\x0e',\x17\x03\x02"},
-	{"go/internal/srcimporter", "p\x01\x02\n\x03\x01i,\x01\x05\x14\x02\x13"},
-	{"go/parser", "\x03j\x03\x01\x03\v\x01j\x01+\x06\x14"},
-	{"go/printer", "p\x01\x03\x03\tj\r\x1f\x17\x02\x01\x02\n\x05\x02"},
-	{"go/scanner", "\x03m\x10j2\x12\x01\x12\x02"},
-	{"go/token", "\x04l\xbd\x01\x02\x03\x01\x0e\x02"},
-	{"go/types", "\x03\x01\x06c\x03\x01\x04\b\x03\x02\x15\x1e\x06+\x04\x03\n%\a\n\x01\x01\x01\x02\x01\x0e\x02\x02"},
-	{"go/version", "\xba\x01v"},
-	{"hash", "\xea\x01"},
-	{"hash/adler32", "m\x16\x16"},
-	{"hash/crc32", "m\x16\x16\x14\x85\x01\x01\x12"},
-	{"hash/crc64", "m\x16\x16\x99\x01"},
-	{"hash/fnv", "m\x16\x16`"},
-	{"hash/maphash", "\x94\x01\x05\x1b\x03@N"},
-	{"html", "\xb0\x02\x02\x11"},
-	{"html/template", "\x03g\x06\x19,5\x01\v \x05\x01\x02\x03\x0e\x01\x02\v\x01\x03\x02"},
-	{"image", "\x02k\x1f^\x0f6\x03\x01"},
+	{"encoding/ascii85", "\xf1\x01C"},
+	{"encoding/asn1", "\x03k\x03\x8c\x01\x01'\r\x02\x01\x10\x03\x01"},
+	{"encoding/base32", "\xf1\x01A\x02"},
+	{"encoding/base64", "\x99\x01XA\x02"},
+	{"encoding/binary", "n\x83\x01\f(\r\x05"},
+	{"encoding/csv", "\x02\x01k\x03\x80\x01D\x12\x02"},
+	{"encoding/gob", "\x02`\x05\a\x03e\x1b\v\x01\x03\x1d\b\x12\x01\x0f\x02"},
+	{"encoding/hex", "n\x03\x80\x01A\x03"},
+	{"encoding/json", "\x03\x01^\x04\b\x03\x80\x01\f(\r\x02\x01\x02\x10\x01\x01\x02"},
+	{"encoding/pem", "\x03c\b\x83\x01A\x03"},
+	{"encoding/xml", "\x02\x01_\f\x03\x80\x014\x05\n\x01\x02\x10\x02"},
+	{"errors", "\xca\x01\x81\x01"},
+	{"expvar", "kK?\b\v\x15\r\b\x02\x03\x01\x11"},
+	{"flag", "b\f\x03\x80\x01,\b\x05\b\x02\x01\x10"},
+	{"fmt", "nE>\f \b\r\x02\x03\x12"},
+	{"go/ast", "\x03\x01m\x0e\x01q\x03)\b\r\x02\x01"},
+	{"go/build", "\x02\x01k\x03\x01\x02\x02\a\x02\x01\x17\x1f\x04\x02\t\x19\x13\x01+\x01\x04\x01\a\b\x02\x01\x12\x02\x02"},
+	{"go/build/constraint", "n\xc6\x01\x01\x12\x02"},
+	{"go/constant", "q\x0f}\x01\x024\x01\x02\x12"},
+	{"go/doc", "\x04m\x01\x05\t>31\x10\x02\x01\x12\x02"},
+	{"go/doc/comment", "\x03n\xc1\x01\x01\x01\x01\x12\x02"},
+	{"go/format", "\x03n\x01\v\x01\x02qD"},
+	{"go/importer", "s\a\x01\x01\x04\x01p9"},
+	{"go/internal/gccgoimporter", "\x02\x01X\x13\x03\x04\v\x01n\x02,\x01\x05\x11\x01\f\b"},
+	{"go/internal/gcimporter", "\x02o\x0f\x010\x05\x0e-,\x15\x03\x02"},
+	{"go/internal/srcimporter", "q\x01\x01\n\x03\x01p,\x01\x05\x12\x02\x14"},
+	{"go/parser", "\x03k\x03\x01\x02\v\x01q\x01+\x06\x12"},
+	{"go/printer", "q\x01\x02\x03\tq\f \x15\x02\x01\x02\v\x05\x02"},
+	{"go/scanner", "\x03n\x0fq2\x10\x01\x13\x02"},
+	{"go/token", "\x04m\x83\x01>\x02\x03\x01\x0f\x02"},
+	{"go/types", "\x03\x01\x06d\x03\x01\x03\b\x03\x02\x15\x1f\x061\x04\x03\t \x06\a\b\x01\x01\x01\x02\x01\x0f\x02\x02"},
+	{"go/version", "\xbb\x01z"},
+	{"hash", "\xf1\x01"},
+	{"hash/adler32", "n\x15\x16"},
+	{"hash/crc32", "n\x15\x16\x15\x89\x01\x01\x13"},
+	{"hash/crc64", "n\x15\x16\x9e\x01"},
+	{"hash/fnv", "n\x15\x16g"},
+	{"hash/maphash", "\x83\x01\x11!\x03\x93\x01"},
+	{"html", "\xb5\x02\x02\x12"},
+	{"html/template", "\x03h\x06\x18-;\x01\n!\x05\x01\x02\x03\f\x01\x02\f\x01\x03\x02"},
+	{"image", "\x02l\x1ee\x0f4\x03\x01"},
 	{"image/color", ""},
 	{"image/color/palette", "\x8c\x01"},
 	{"image/draw", "\x8b\x01\x01\x04"},
-	{"image/gif", "\x02\x01\x05e\x03\x1b\x01\x01\x01\vQ"},
+	{"image/gif", "\x02\x01\x05f\x03\x1a\x01\x01\x01\vX"},
 	{"image/internal/imageutil", "\x8b\x01"},
-	{"image/jpeg", "\x02k\x1e\x01\x04Z"},
-	{"image/png", "\x02\a]\n\x13\x02\x06\x01^E"},
-	{"index/suffixarray", "\x03c\a}\r*\f\x01"},
-	{"internal/abi", "\xb4\x01\x91\x01"},
-	{"internal/asan", "\xc5\x02"},
-	{"internal/bisect", "\xa3\x02\x0f\x01"},
-	{"internal/buildcfg", "pG_\x06\x02\x05\f\x01"},
-	{"internal/bytealg", "\xad\x01\x98\x01"},
+	{"image/jpeg", "\x02l\x1d\x01\x04a"},
+	{"image/png", "\x02\a^\n\x12\x02\x06\x01eC"},
+	{"index/suffixarray", "\x03d\a\x83\x01\f+\n\x01"},
+	{"internal/abi", "\xb5\x01\x96\x01"},
+	{"internal/asan", "\xcb\x02"},
+	{"internal/bisect", "\xaa\x02\r\x01"},
+	{"internal/buildcfg", "qGe\x06\x02\x05\n\x01"},
+	{"internal/bytealg", "\xae\x01\x9d\x01"},
 	{"internal/byteorder", ""},
 	{"internal/cfg", ""},
-	{"internal/chacha8rand", "\x99\x01\x1b\x91\x01"},
+	{"internal/cgrouptest", "q[Q\x06\x0f\x02\x01\x04\x01"},
+	{"internal/chacha8rand", "\x99\x01\x15\a\x96\x01"},
 	{"internal/copyright", ""},
 	{"internal/coverage", ""},
 	{"internal/coverage/calloc", ""},
-	{"internal/coverage/cfile", "j\x06\x17\x16\x01\x02\x01\x01\x01\x01\x01\x01\x01#\x01\x1f,\x06\a\f\x01\x03\f\x06"},
-	{"internal/coverage/cformat", "\x04l-\x04I\f7\x01\x02\f"},
-	{"internal/coverage/cmerge", "p-Z"},
-	{"internal/coverage/decodecounter", "f\n-\v\x02@,\x19\x16"},
-	{"internal/coverage/decodemeta", "\x02d\n\x17\x16\v\x02@,"},
-	{"internal/coverage/encodecounter", "\x02d\n-\f\x01\x02>\f \x17"},
-	{"internal/coverage/encodemeta", "\x02\x01c\n\x13\x04\x16\r\x02>,/"},
-	{"internal/coverage/pods", "\x04l-y\x06\x05\f\x02\x01"},
-	{"internal/coverage/rtcov", "\xc5\x02"},
-	{"internal/coverage/slicereader", "f\nz["},
-	{"internal/coverage/slicewriter", "pz"},
-	{"internal/coverage/stringtab", "p8\x04>"},
+	{"internal/coverage/cfile", "k\x06\x16\x17\x01\x02\x01\x01\x01\x01\x01\x01\x01#\x02$,\x06\a\n\x01\x03\r\x06"},
+	{"internal/coverage/cformat", "\x04m-\x04O\v6\x01\x02\r"},
+	{"internal/coverage/cmerge", "q-_"},
+	{"internal/coverage/decodecounter", "g\n-\v\x02F,\x17\x17"},
+	{"internal/coverage/decodemeta", "\x02e\n\x16\x17\v\x02F,"},
+	{"internal/coverage/encodecounter", "\x02e\n-\f\x01\x02D\v!\x15"},
+	{"internal/coverage/encodemeta", "\x02\x01d\n\x12\x04\x17\r\x02D,."},
+	{"internal/coverage/pods", "\x04m-\x7f\x06\x05\n\x02\x01"},
+	{"internal/coverage/rtcov", "\xcb\x02"},
+	{"internal/coverage/slicereader", "g\n\x80\x01Z"},
+	{"internal/coverage/slicewriter", "q\x80\x01"},
+	{"internal/coverage/stringtab", "q8\x04D"},
 	{"internal/coverage/test", ""},
 	{"internal/coverage/uleb128", ""},
-	{"internal/cpu", "\xc5\x02"},
-	{"internal/dag", "\x04l\xbd\x01\x03"},
-	{"internal/diff", "\x03m\xbe\x01\x02"},
-	{"internal/exportdata", "\x02\x01j\x03\x03]\x1a,\x01\x05\x13\x01\x02"},
-	{"internal/filepathlite", "m+:\x19B"},
-	{"internal/fmtsort", "\x04\x9a\x02\x0f"},
-	{"internal/fuzz", "\x03\nA\x18\x04\x03\x03\x01\f\x0355\r\x02\x1d\x01\x05\x02\x05\f\x01\x02\x01\x01\v\x04\x02"},
+	{"internal/cpu", "\xcb\x02"},
+	{"internal/dag", "\x04m\xc1\x01\x03"},
+	{"internal/diff", "\x03n\xc2\x01\x02"},
+	{"internal/exportdata", "\x02\x01k\x03\x02c\x1b,\x01\x05\x11\x01\x02"},
+	{"internal/filepathlite", "n*@\x1a@"},
+	{"internal/fmtsort", "\x04\xa1\x02\r"},
+	{"internal/fuzz", "\x03\nB\x18\x04\x03\x03\x01\v\x036;\f\x03\x1d\x01\x05\x02\x05\n\x01\x02\x01\x01\f\x04\x02"},
 	{"internal/goarch", ""},
-	{"internal/godebug", "\x96\x01 |\x01\x12"},
+	{"internal/godebug", "\x96\x01!\x80\x01\x01\x13"},
 	{"internal/godebugs", ""},
 	{"internal/goexperiment", ""},
 	{"internal/goos", ""},
-	{"internal/goroot", "\x96\x02\x01\x05\x14\x02"},
+	{"internal/goroot", "\x9d\x02\x01\x05\x12\x02"},
 	{"internal/gover", "\x04"},
 	{"internal/goversion", ""},
 	{"internal/itoa", ""},
-	{"internal/lazyregexp", "\x96\x02\v\x0f\x02"},
-	{"internal/lazytemplate", "\xea\x01,\x1a\x02\v"},
-	{"internal/msan", "\xc5\x02"},
+	{"internal/lazyregexp", "\x9d\x02\v\r\x02"},
+	{"internal/lazytemplate", "\xf1\x01,\x18\x02\f"},
+	{"internal/msan", "\xcb\x02"},
 	{"internal/nettrace", ""},
-	{"internal/obscuretestdata", "e\x85\x01,"},
-	{"internal/oserror", "m"},
-	{"internal/pkgbits", "\x03K\x18\a\x03\x05\vj\x0e\x1e\r\f\x01"},
+	{"internal/obscuretestdata", "f\x8b\x01,"},
+	{"internal/oserror", "n"},
+	{"internal/pkgbits", "\x03L\x18\a\x03\x04\vq\r\x1f\r\n\x01"},
 	{"internal/platform", ""},
-	{"internal/poll", "mO\x1a\x149\x0f\x01\x01\v\x06"},
-	{"internal/profile", "\x03\x04f\x03z7\r\x01\x01\x0f"},
+	{"internal/poll", "nO\x1f\x159\r\x01\x01\f\x06"},
+	{"internal/profile", "\x03\x04g\x03\x80\x017\v\x01\x01\x10"},
 	{"internal/profilerecord", ""},
-	{"internal/race", "\x94\x01\xb1\x01"},
-	{"internal/reflectlite", "\x94\x01 3<\""},
-	{"internal/runtime/atomic", "\xc5\x02"},
-	{"internal/runtime/exithook", "\xca\x01{"},
-	{"internal/runtime/maps", "\x94\x01\x01\x1f\v\t\x05\x01w"},
-	{"internal/runtime/math", "\xb4\x01"},
-	{"internal/runtime/sys", "\xb4\x01\x04"},
-	{"internal/runtime/syscall", "\xc5\x02"},
-	{"internal/saferio", "\xea\x01["},
-	{"internal/singleflight", "\xb2\x02"},
-	{"internal/stringslite", "\x98\x01\xad\x01"},
-	{"internal/sync", "\x94\x01 \x14k\x12"},
-	{"internal/synctest", "\xc5\x02"},
-	{"internal/syscall/execenv", "\xb4\x02"},
-	{"internal/syscall/unix", "\xa3\x02\x10\x01\x11"},
-	{"internal/sysinfo", "\x02\x01\xaa\x01=,\x1a\x02"},
+	{"internal/race", "\x94\x01\xb7\x01"},
+	{"internal/reflectlite", "\x94\x01!9<!"},
+	{"internal/runtime/atomic", "\xb5\x01\x96\x01"},
+	{"internal/runtime/cgroup", "\x98\x01:\x02w"},
+	{"internal/runtime/exithook", "\xcb\x01\x80\x01"},
+	{"internal/runtime/gc", "\xb5\x01"},
+	{"internal/runtime/maps", "\x94\x01\x01 \v\t\a\x03x"},
+	{"internal/runtime/math", "\xb5\x01"},
+	{"internal/runtime/startlinetest", ""},
+	{"internal/runtime/strconv", "\xd0\x01"},
+	{"internal/runtime/sys", "\xb5\x01\x04"},
+	{"internal/runtime/syscall", "\xb5\x01\x96\x01"},
+	{"internal/runtime/wasitest", ""},
+	{"internal/saferio", "\xf1\x01Z"},
+	{"internal/singleflight", "\xb7\x02"},
+	{"internal/stringslite", "\x98\x01\xb3\x01"},
+	{"internal/sync", "\x94\x01!\x14o\x13"},
+	{"internal/synctest", "\x94\x01\xb7\x01"},
+	{"internal/syscall/execenv", "\xb9\x02"},
+	{"internal/syscall/unix", "\xaa\x02\x0e\x01\x12"},
+	{"internal/sysinfo", "\x02\x01\xab\x01C,\x18\x02"},
 	{"internal/syslist", ""},
-	{"internal/testenv", "\x03\n`\x02\x01*\x1a\x10'+\x01\x05\a\f\x01\x02\x02\x01\n"},
-	{"internal/testlog", "\xb2\x02\x01\x12"},
-	{"internal/testpty", "m\x03\xa6\x01"},
-	{"internal/trace", "\x02\x01\x01\x06\\\a\x03n\x03\x03\x06\x03\n6\x01\x02\x0f\x06"},
-	{"internal/trace/internal/testgen", "\x03c\nl\x03\x02\x03\x011\v\x0f"},
-	{"internal/trace/internal/tracev1", "\x03\x01b\a\x03t\x06\r6\x01"},
-	{"internal/trace/raw", "\x02d\nq\x03\x06E\x01\x11"},
-	{"internal/trace/testtrace", "\x02\x01j\x03l\x03\x06\x057\f\x02\x01"},
+	{"internal/testenv", "\x03\na\x02\x01)\x1b\x10-+\x01\x05\a\n\x01\x02\x02\x01\v"},
+	{"internal/testhash", "\x03\x80\x01n\x118\v"},
+	{"internal/testlog", "\xb7\x02\x01\x13"},
+	{"internal/testpty", "n\x03\xac\x01"},
+	{"internal/trace", "\x02\x01\x01\x06]\a\x03t\x03\x03\x06\x03\t5\x01\x01\x01\x10\x06"},
+	{"internal/trace/internal/testgen", "\x03d\nr\x03\x02\x03\x011\v\r\x10"},
+	{"internal/trace/internal/tracev1", "\x03\x01c\a\x03z\x06\f5\x01"},
+	{"internal/trace/raw", "\x02e\nw\x03\x06C\x01\x12"},
+	{"internal/trace/testtrace", "\x02\x01k\x03r\x03\x05\x01\x057\n\x02\x01"},
 	{"internal/trace/tracev2", ""},
-	{"internal/trace/traceviewer", "\x02]\v\x06\x1a<\x16\a\a\x04\t\n\x15\x01\x05\a\f\x01\x02\r"},
+	{"internal/trace/traceviewer", "\x02^\v\x06\x19=\x1c\a\a\x04\b\v\x15\x01\x05\a\n\x01\x02\x0e"},
 	{"internal/trace/traceviewer/format", ""},
-	{"internal/trace/version", "pq\t"},
-	{"internal/txtar", "\x03m\xa6\x01\x1a"},
-	{"internal/types/errors", "\xaf\x02"},
-	{"internal/unsafeheader", "\xc5\x02"},
-	{"internal/xcoff", "Y\r\a\x03`\x1a,\x19\x01"},
-	{"internal/zstd", "f\a\x03z\x0f"},
-	{"io", "m\xc5\x01"},
-	{"io/fs", "m+*(1\x12\x12\x04"},
-	{"io/ioutil", "\xea\x01\x01+\x17\x03"},
-	{"iter", "\xc8\x01[\""},
-	{"log", "pz\x05'\r\x0f\x01\f"},
+	{"internal/trace/version", "qw\t"},
+	{"internal/txtar", "\x03n\xac\x01\x18"},
+	{"internal/types/errors", "\xb4\x02"},
+	{"internal/unsafeheader", "\xcb\x02"},
+	{"internal/xcoff", "Z\r\a\x03e\x1b,\x17\x01"},
+	{"internal/zstd", "g\a\x03\x80\x01\x0f"},
+	{"io", "n\xc9\x01"},
+	{"io/fs", "n*+.1\x10\x13\x04"},
+	{"io/ioutil", "\xf1\x01\x01+\x15\x03"},
+	{"iter", "\xc9\x01a!"},
+	{"log", "q\x80\x01\x05'\r\r\x01\r"},
 	{"log/internal", ""},
-	{"log/slog", "\x03\nT\t\x03\x03z\x04\x01\x02\x02\x04'\x05\n\x02\x01\x02\x01\f\x02\x02\x02"},
+	{"log/slog", "\x03\nU\t\x03\x03\x80\x01\x04\x01\x02\x02\x03(\x05\b\x02\x01\x02\x01\r\x02\x02\x02"},
 	{"log/slog/internal", ""},
-	{"log/slog/internal/benchmarks", "\r`\x03z\x06\x03<\x10"},
-	{"log/slog/internal/buffer", "\xb2\x02"},
-	{"log/slog/internal/slogtest", "\xf0\x01"},
-	{"log/syslog", "m\x03~\x12\x16\x1a\x02\r"},
-	{"maps", "\xed\x01X"},
-	{"math", "\xad\x01LL"},
-	{"math/big", "\x03j\x03)\x14=\r\x02\x024\x01\x02\x13"},
-	{"math/bits", "\xc5\x02"},
-	{"math/cmplx", "\xf7\x01\x02"},
-	{"math/rand", "\xb5\x01B;\x01\x12"},
-	{"math/rand/v2", "m,\x02\\\x02L"},
-	{"mime", "\x02\x01b\b\x03z\f \x17\x03\x02\x0f\x02"},
-	{"mime/multipart", "\x02\x01G#\x03E5\f\x01\x06\x02\x15\x02\x06\x11\x02\x01\x15"},
-	{"mime/quotedprintable", "\x02\x01mz"},
-	{"net", "\x04\t`+\x1d\a\x04\x05\f\x01\x04\x14\x01%\x06\r\n\x05\x01\x01\v\x06\a"},
-	{"net/http", "\x02\x01\x04\x04\x02=\b\x13\x01\a\x03E5\x01\x03\b\x01\x02\x02\x02\x01\x02\x06\x02\x01\x01\n\x01\x01\x05\x01\x02\x05\n\x01\x01\x01\x02\x01\x01\v\x02\x02\x02\b\x01\x01\x01"},
-	{"net/http/cgi", "\x02P\x1b\x03z\x04\b\n\x01\x13\x01\x01\x01\x04\x01\x05\x02\n\x02\x01\x0f\x0e"},
-	{"net/http/cookiejar", "\x04i\x03\x90\x01\x01\b\f\x18\x03\x02\r\x04"},
-	{"net/http/fcgi", "\x02\x01\nY\a\x03z\x16\x01\x01\x14\x1a\x02\r"},
-	{"net/http/httptest", "\x02\x01\nE\x02\x1b\x01z\x04\x12\x01\n\t\x02\x19\x01\x02\r\x0e"},
-	{"net/http/httptrace", "\rEn@\x14\n!"},
-	{"net/http/httputil", "\x02\x01\n`\x03z\x04\x0f\x03\x01\x05\x02\x01\v\x01\x1b\x02\r\x0e"},
-	{"net/http/internal", "\x02\x01j\x03z"},
-	{"net/http/internal/ascii", "\xb0\x02\x11"},
-	{"net/http/internal/httpcommon", "\r`\x03\x96\x01\x0e\x01\x19\x01\x01\x02\x1b\x02"},
-	{"net/http/internal/testcert", "\xb0\x02"},
-	{"net/http/pprof", "\x02\x01\nc\x19,\x11$\x04\x13\x14\x01\r\x06\x03\x01\x02\x01\x0f"},
+	{"log/slog/internal/benchmarks", "\ra\x03\x80\x01\x06\x03:\x11"},
+	{"log/slog/internal/buffer", "\xb7\x02"},
+	{"log/syslog", "n\x03\x84\x01\x12\x16\x18\x02\x0e"},
+	{"maps", "\xf4\x01W"},
+	{"math", "\xae\x01RK"},
+	{"math/big", "\x03k\x03(\x15C\f\x03\x020\x02\x01\x02\x14"},
+	{"math/big/internal/asmgen", "\x03\x01m\x8f\x012\x03"},
+	{"math/bits", "\xcb\x02"},
+	{"math/cmplx", "\xfd\x01\x03"},
+	{"math/rand", "\xb6\x01G:\x01\x13"},
+	{"math/rand/v2", "n+\x03a\x03K"},
+	{"mime", "\x02\x01c\b\x03\x80\x01\v!\x15\x03\x02\x10\x02"},
+	{"mime/multipart", "\x02\x01H#\x03E;\v\x01\a\x02\x15\x02\x06\x0f\x02\x01\x16"},
+	{"mime/quotedprintable", "\x02\x01n\x80\x01"},
+	{"net", "\x04\ta*\x1e\a\x04\x05\x11\x01\x04\x15\x01%\x06\r\b\x05\x01\x01\f\x06\a"},
+	{"net/http", "\x02\x01\x04\x04\x02>\b\x13\x01\a\x03E;\x01\x03\a\x01\x03\x02\x02\x01\x02\x06\x02\x01\x01\n\x01\x01\x05\x01\x02\x05\b\x01\x01\x01\x02\x01\r\x02\x02\x02\b\x01\x01\x01"},
+	{"net/http/cgi", "\x02Q\x1b\x03\x80\x01\x04\a\v\x01\x13\x01\x01\x01\x04\x01\x05\x02\b\x02\x01\x10\x0e"},
+	{"net/http/cookiejar", "\x04j\x03\x96\x01\x01\b\f\x16\x03\x02\x0e\x04"},
+	{"net/http/fcgi", "\x02\x01\nZ\a\x03\x80\x01\x16\x01\x01\x14\x18\x02\x0e"},
+	{"net/http/httptest", "\x02\x01\nF\x02\x1b\x01\x80\x01\x04\x12\x01\n\t\x02\x17\x01\x02\x0e\x0e"},
+	{"net/http/httptrace", "\rFnF\x14\n "},
+	{"net/http/httputil", "\x02\x01\na\x03\x80\x01\x04\x0f\x03\x01\x05\x02\x01\v\x01\x19\x02\x0e\x0e"},
+	{"net/http/internal", "\x02\x01k\x03\x80\x01"},
+	{"net/http/internal/ascii", "\xb5\x02\x12"},
+	{"net/http/internal/httpcommon", "\ra\x03\x9c\x01\x0e\x01\x17\x01\x01\x02\x1c\x02"},
+	{"net/http/internal/testcert", "\xb5\x02"},
+	{"net/http/pprof", "\x02\x01\nd\x18-\x11*\x04\x13\x14\x01\r\x04\x03\x01\x02\x01\x10"},
 	{"net/internal/cgotest", ""},
-	{"net/internal/socktest", "p\xc2\x01\x02"},
-	{"net/mail", "\x02k\x03z\x04\x0f\x03\x14\x1c\x02\r\x04"},
-	{"net/netip", "\x04i+\x01#;\x026\x15"},
-	{"net/rpc", "\x02f\x05\x03\x10\n`\x04\x12\x01\x1d\x0f\x03\x02"},
-	{"net/rpc/jsonrpc", "j\x03\x03z\x16\x11!"},
-	{"net/smtp", "\x19.\v\x13\b\x03z\x16\x14\x1c"},
-	{"net/textproto", "\x02\x01j\x03z\r\t/\x01\x02\x13"},
-	{"net/url", "m\x03\x86\x01%\x12\x02\x01\x15"},
-	{"os", "m+\x01\x18\x03\b\t\r\x03\x01\x04\x10\x018\n\x05\x01\x01\v\x06"},
-	{"os/exec", "\x03\n`H \x01\x14\x01+\x06\a\f\x01\x04\v"},
-	{"os/exec/internal/fdtest", "\xb4\x02"},
-	{"os/signal", "\r\x89\x02\x17\x05\x02"},
-	{"os/user", "\x02\x01j\x03z,\r\f\x01\x02"},
-	{"path", "m+\xab\x01"},
-	{"path/filepath", "m+\x19:+\r\n\x03\x04\x0f"},
-	{"plugin", "m"},
-	{"reflect", "m'\x04\x1c\b\f\x04\x02\x19\x10,\f\x03\x0f\x02\x02"},
+	{"net/internal/socktest", "q\xc6\x01\x02"},
+	{"net/mail", "\x02l\x03\x80\x01\x04\x0f\x03\x14\x1a\x02\x0e\x04"},
+	{"net/netip", "\x04j*\x01$@\x034\x16"},
+	{"net/rpc", "\x02g\x05\x03\x0f\ng\x04\x12\x01\x1d\r\x03\x02"},
+	{"net/rpc/jsonrpc", "k\x03\x03\x80\x01\x16\x11\x1f"},
+	{"net/smtp", "\x19/\v\x13\b\x03\x80\x01\x16\x14\x1a"},
+	{"net/textproto", "\x02\x01k\x03\x80\x01\f\n-\x01\x02\x14"},
+	{"net/url", "n\x03\x8b\x01&\x10\x02\x01\x16"},
+	{"os", "n*\x01\x19\x03\b\t\x12\x03\x01\x05\x10\x018\b\x05\x01\x01\f\x06"},
+	{"os/exec", "\x03\naH%\x01\x15\x01+\x06\a\n\x01\x04\f"},
+	{"os/exec/internal/fdtest", "\xb9\x02"},
+	{"os/signal", "\r\x90\x02\x15\x05\x02"},
+	{"os/user", "\x02\x01k\x03\x80\x01,\r\n\x01\x02"},
+	{"path", "n*\xb1\x01"},
+	{"path/filepath", "n*\x1a@+\r\b\x03\x04\x10"},
+	{"plugin", "n"},
+	{"reflect", "n&\x04\x1d\b\f\x06\x04\x1b\x06\t-\n\x03\x10\x02\x02"},
 	{"reflect/internal/example1", ""},
 	{"reflect/internal/example2", ""},
-	{"regexp", "\x03\xe7\x018\v\x02\x01\x02\x0f\x02"},
-	{"regexp/syntax", "\xad\x02\x01\x01\x01\x11\x02"},
-	{"runtime", "\x94\x01\x04\x01\x02\f\x06\a\x02\x01\x01\x0f\x03\x01\x01\x01\x01\x01\x03\x0fd"},
-	{"runtime/coverage", "\x9f\x01K"},
-	{"runtime/debug", "pUQ\r\n\x02\x01\x0f\x06"},
-	{"runtime/internal/startlinetest", ""},
-	{"runtime/internal/wasitest", ""},
-	{"runtime/metrics", "\xb6\x01A,\""},
-	{"runtime/pprof", "\x02\x01\x01\x03\x06Y\a\x03$3#\r\x1f\r\n\x01\x01\x01\x02\x02\b\x03\x06"},
-	{"runtime/race", "\xab\x02"},
+	{"regexp", "\x03\xee\x018\t\x02\x01\x02\x10\x02"},
+	{"regexp/syntax", "\xb2\x02\x01\x01\x01\x02\x10\x02"},
+	{"runtime", "\x94\x01\x04\x01\x03\f\x06\a\x02\x01\x01\x0f\x03\x01\x01\x01\x01\x01\x02\x01\x01\x04\x10c"},
+	{"runtime/coverage", "\xa0\x01Q"},
+	{"runtime/debug", "qUW\r\b\x02\x01\x10\x06"},
+	{"runtime/metrics", "\xb7\x01F-!"},
+	{"runtime/pprof", "\x02\x01\x01\x03\x06Z\a\x03#4)\f \r\b\x01\x01\x01\x02\x02\t\x03\x06"},
+	{"runtime/race", "\xb0\x02"},
 	{"runtime/race/internal/amd64v1", ""},
-	{"runtime/trace", "\rcz9\x0f\x01\x12"},
-	{"slices", "\x04\xe9\x01\fL"},
-	{"sort", "\xc9\x0104"},
-	{"strconv", "m+:%\x02J"},
-	{"strings", "m'\x04:\x18\x03\f9\x0f\x02\x02"},
+	{"runtime/trace", "\ra\x03w\t9\b\x05\x01\r\x06"},
+	{"slices", "\x04\xf0\x01\fK"},
+	{"sort", "\xca\x0162"},
+	{"strconv", "n*@%\x03I"},
+	{"strings", "n&\x04@\x19\x03\f7\x10\x02\x02"},
 	{"structs", ""},
-	{"sync", "\xc8\x01\vP\x10\x12"},
-	{"sync/atomic", "\xc5\x02"},
-	{"syscall", "m(\x03\x01\x1b\b\x03\x03\x06\aT\n\x05\x01\x12"},
-	{"testing", "\x03\n`\x02\x01X\x0f\x13\r\x04\x1b\x06\x02\x05\x02\a\x01\x02\x01\x02\x01\f\x02\x02\x02"},
-	{"testing/fstest", "m\x03z\x01\v%\x12\x03\b\a"},
-	{"testing/internal/testdeps", "\x02\v\xa6\x01'\x10,\x03\x05\x03\b\a\x02\r"},
-	{"testing/iotest", "\x03j\x03z\x04"},
-	{"testing/quick", "o\x01\x87\x01\x04#\x12\x0f"},
-	{"testing/slogtest", "\r`\x03\x80\x01.\x05\x12\n"},
-	{"text/scanner", "\x03mz,+\x02"},
-	{"text/tabwriter", "pzY"},
-	{"text/template", "m\x03B8\x01\v\x1f\x01\x05\x01\x02\x05\r\x02\f\x03\x02"},
-	{"text/template/parse", "\x03m\xb3\x01\f\x01\x11\x02"},
-	{"time", "m+\x1d\x1d'*\x0f\x02\x11"},
-	{"time/tzdata", "m\xc7\x01\x11"},
+	{"sync", "\xc9\x01\x10\x01P\x0e\x13"},
+	{"sync/atomic", "\xcb\x02"},
+	{"syscall", "n'\x03\x01\x1c\b\x03\x03\x06\vV\b\x05\x01\x13"},
+	{"testing", "\x03\na\x02\x01X\x14\x14\f\x05\x1b\x06\x02\x05\x02\x05\x01\x02\x01\x02\x01\r\x02\x02\x02"},
+	{"testing/fstest", "n\x03\x80\x01\x01\n&\x10\x03\b\b"},
+	{"testing/internal/testdeps", "\x02\v\xa7\x01-\x10,\x03\x05\x03\x06\a\x02\x0e"},
+	{"testing/iotest", "\x03k\x03\x80\x01\x04"},
+	{"testing/quick", "p\x01\x8c\x01\x05#\x10\x10"},
+	{"testing/slogtest", "\ra\x03\x86\x01.\x05\x10\v"},
+	{"testing/synctest", "\xda\x01`\x11"},
+	{"text/scanner", "\x03n\x80\x01,*\x02"},
+	{"text/tabwriter", "q\x80\x01X"},
+	{"text/template", "n\x03B>\x01\n \x01\x05\x01\x02\x05\v\x02\r\x03\x02"},
+	{"text/template/parse", "\x03n\xb9\x01\n\x01\x12\x02"},
+	{"time", "n*\x1e\"(*\r\x02\x12"},
+	{"time/tzdata", "n\xcb\x01\x12"},
 	{"unicode", ""},
 	{"unicode/utf16", ""},
 	{"unicode/utf8", ""},
-	{"unique", "\x94\x01>\x01P\x0f\x13\x12"},
+	{"unique", "\x94\x01!#\x01Q\r\x01\x13\x12"},
 	{"unsafe", ""},
-	{"vendor/golang.org/x/crypto/chacha20", "\x10V\a\x8c\x01*'"},
-	{"vendor/golang.org/x/crypto/chacha20poly1305", "\x10V\a\xd9\x01\x04\x01\a"},
-	{"vendor/golang.org/x/crypto/cryptobyte", "c\n\x03\x88\x01&!\n"},
+	{"vendor/golang.org/x/crypto/chacha20", "\x10W\a\x92\x01*&"},
+	{"vendor/golang.org/x/crypto/chacha20poly1305", "\x10W\a\xde\x01\x04\x01\a"},
+	{"vendor/golang.org/x/crypto/cryptobyte", "d\n\x03\x8d\x01' \n"},
 	{"vendor/golang.org/x/crypto/cryptobyte/asn1", ""},
-	{"vendor/golang.org/x/crypto/internal/alias", "\xc5\x02"},
-	{"vendor/golang.org/x/crypto/internal/poly1305", "Q\x15\x93\x01"},
-	{"vendor/golang.org/x/net/dns/dnsmessage", "m"},
-	{"vendor/golang.org/x/net/http/httpguts", "\x80\x02\x14\x1c\x13\r"},
-	{"vendor/golang.org/x/net/http/httpproxy", "m\x03\x90\x01\x15\x01\x1a\x13\r"},
-	{"vendor/golang.org/x/net/http2/hpack", "\x03j\x03zH"},
-	{"vendor/golang.org/x/net/idna", "p\x87\x019\x13\x10\x02\x01"},
-	{"vendor/golang.org/x/net/nettest", "\x03c\a\x03z\x11\x05\x16\x01\f\f\x01\x02\x02\x01\n"},
-	{"vendor/golang.org/x/sys/cpu", "\x96\x02\r\f\x01\x15"},
-	{"vendor/golang.org/x/text/secure/bidirule", "m\xd6\x01\x11\x01"},
-	{"vendor/golang.org/x/text/transform", "\x03j}Y"},
-	{"vendor/golang.org/x/text/unicode/bidi", "\x03\be~@\x15"},
-	{"vendor/golang.org/x/text/unicode/norm", "f\nzH\x11\x11"},
-	{"weak", "\x94\x01\x8f\x01\""},
+	{"vendor/golang.org/x/crypto/internal/alias", "\xcb\x02"},
+	{"vendor/golang.org/x/crypto/internal/poly1305", "R\x15\x99\x01"},
+	{"vendor/golang.org/x/net/dns/dnsmessage", "n"},
+	{"vendor/golang.org/x/net/http/httpguts", "\x87\x02\x14\x1a\x14\r"},
+	{"vendor/golang.org/x/net/http/httpproxy", "n\x03\x96\x01\x10\x05\x01\x18\x14\r"},
+	{"vendor/golang.org/x/net/http2/hpack", "\x03k\x03\x80\x01F"},
+	{"vendor/golang.org/x/net/idna", "q\x8c\x018\x14\x10\x02\x01"},
+	{"vendor/golang.org/x/net/nettest", "\x03d\a\x03\x80\x01\x11\x05\x16\x01\f\n\x01\x02\x02\x01\v"},
+	{"vendor/golang.org/x/sys/cpu", "\x9d\x02\r\n\x01\x16"},
+	{"vendor/golang.org/x/text/secure/bidirule", "n\xdb\x01\x11\x01"},
+	{"vendor/golang.org/x/text/transform", "\x03k\x83\x01X"},
+	{"vendor/golang.org/x/text/unicode/bidi", "\x03\bf\x84\x01>\x16"},
+	{"vendor/golang.org/x/text/unicode/norm", "g\n\x80\x01F\x12\x11"},
+	{"weak", "\x94\x01\x96\x01!"},
 }
diff --git a/vendor/golang.org/x/tools/internal/stdlib/manifest.go b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
index 64f0326b644d9..c1faa50d367c1 100644
--- a/vendor/golang.org/x/tools/internal/stdlib/manifest.go
+++ b/vendor/golang.org/x/tools/internal/stdlib/manifest.go
@@ -502,6 +502,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"MD4", Const, 0, ""},
 		{"MD5", Const, 0, ""},
 		{"MD5SHA1", Const, 0, ""},
+		{"MessageSigner", Type, 25, ""},
 		{"PrivateKey", Type, 0, ""},
 		{"PublicKey", Type, 2, ""},
 		{"RIPEMD160", Const, 0, ""},
@@ -517,6 +518,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"SHA512", Const, 0, ""},
 		{"SHA512_224", Const, 5, ""},
 		{"SHA512_256", Const, 5, ""},
+		{"SignMessage", Func, 25, "func(signer Signer, rand io.Reader, msg []byte, opts SignerOpts) (signature []byte, err error)"},
 		{"Signer", Type, 4, ""},
 		{"SignerOpts", Type, 4, ""},
 	},
@@ -600,10 +602,12 @@ var PackageSymbols = map[string][]Symbol{
 		{"X25519", Func, 20, "func() Curve"},
 	},
 	"crypto/ecdsa": {
+		{"(*PrivateKey).Bytes", Method, 25, ""},
 		{"(*PrivateKey).ECDH", Method, 20, ""},
 		{"(*PrivateKey).Equal", Method, 15, ""},
 		{"(*PrivateKey).Public", Method, 4, ""},
 		{"(*PrivateKey).Sign", Method, 4, ""},
+		{"(*PublicKey).Bytes", Method, 25, ""},
 		{"(*PublicKey).ECDH", Method, 20, ""},
 		{"(*PublicKey).Equal", Method, 15, ""},
 		{"(PrivateKey).Add", Method, 0, ""},
@@ -619,6 +623,8 @@ var PackageSymbols = map[string][]Symbol{
 		{"(PublicKey).ScalarBaseMult", Method, 0, ""},
 		{"(PublicKey).ScalarMult", Method, 0, ""},
 		{"GenerateKey", Func, 0, "func(c elliptic.Curve, rand io.Reader) (*PrivateKey, error)"},
+		{"ParseRawPrivateKey", Func, 25, "func(curve elliptic.Curve, data []byte) (*PrivateKey, error)"},
+		{"ParseUncompressedPublicKey", Func, 25, "func(curve elliptic.Curve, data []byte) (*PublicKey, error)"},
 		{"PrivateKey", Type, 0, ""},
 		{"PrivateKey.D", Field, 0, ""},
 		{"PrivateKey.PublicKey", Field, 0, ""},
@@ -815,6 +821,7 @@ var PackageSymbols = map[string][]Symbol{
 	"crypto/sha3": {
 		{"(*SHA3).AppendBinary", Method, 24, ""},
 		{"(*SHA3).BlockSize", Method, 24, ""},
+		{"(*SHA3).Clone", Method, 25, ""},
 		{"(*SHA3).MarshalBinary", Method, 24, ""},
 		{"(*SHA3).Reset", Method, 24, ""},
 		{"(*SHA3).Size", Method, 24, ""},
@@ -967,6 +974,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Config.GetCertificate", Field, 4, ""},
 		{"Config.GetClientCertificate", Field, 8, ""},
 		{"Config.GetConfigForClient", Field, 8, ""},
+		{"Config.GetEncryptedClientHelloKeys", Field, 25, ""},
 		{"Config.InsecureSkipVerify", Field, 0, ""},
 		{"Config.KeyLogWriter", Field, 8, ""},
 		{"Config.MaxVersion", Field, 2, ""},
@@ -5463,6 +5471,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ParenExpr.X", Field, 0, ""},
 		{"Pkg", Const, 0, ""},
 		{"Preorder", Func, 23, "func(root Node) iter.Seq[Node]"},
+		{"PreorderStack", Func, 25, "func(root Node, stack []Node, f func(n Node, stack []Node) bool)"},
 		{"Print", Func, 0, "func(fset *token.FileSet, x any) error"},
 		{"RECV", Const, 0, ""},
 		{"RangeStmt", Type, 0, ""},
@@ -5933,6 +5942,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*File).SetLines", Method, 0, ""},
 		{"(*File).SetLinesForContent", Method, 0, ""},
 		{"(*File).Size", Method, 0, ""},
+		{"(*FileSet).AddExistingFiles", Method, 25, ""},
 		{"(*FileSet).AddFile", Method, 0, ""},
 		{"(*FileSet).Base", Method, 0, ""},
 		{"(*FileSet).File", Method, 0, ""},
@@ -6382,7 +6392,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Label", Type, 5, ""},
 		{"LocalVar", Const, 25, ""},
 		{"LookupFieldOrMethod", Func, 5, "func(T Type, addressable bool, pkg *Package, name string) (obj Object, index []int, indirect bool)"},
-		{"LookupSelection", Func, 25, ""},
+		{"LookupSelection", Func, 25, "func(T Type, addressable bool, pkg *Package, name string) (Selection, bool)"},
 		{"Map", Type, 5, ""},
 		{"MethodExpr", Const, 5, ""},
 		{"MethodSet", Type, 5, ""},
@@ -6490,9 +6500,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"Lang", Func, 22, "func(x string) string"},
 	},
 	"hash": {
+		{"Cloner", Type, 25, ""},
 		{"Hash", Type, 0, ""},
 		{"Hash32", Type, 0, ""},
 		{"Hash64", Type, 0, ""},
+		{"XOF", Type, 25, ""},
 	},
 	"hash/adler32": {
 		{"Checksum", Func, 0, "func(data []byte) uint32"},
@@ -6533,6 +6545,7 @@ var PackageSymbols = map[string][]Symbol{
 	},
 	"hash/maphash": {
 		{"(*Hash).BlockSize", Method, 14, ""},
+		{"(*Hash).Clone", Method, 25, ""},
 		{"(*Hash).Reset", Method, 14, ""},
 		{"(*Hash).Seed", Method, 14, ""},
 		{"(*Hash).SetSeed", Method, 14, ""},
@@ -7133,7 +7146,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"FormatFileInfo", Func, 21, "func(info FileInfo) string"},
 		{"Glob", Func, 16, "func(fsys FS, pattern string) (matches []string, err error)"},
 		{"GlobFS", Type, 16, ""},
-		{"Lstat", Func, 25, ""},
+		{"Lstat", Func, 25, "func(fsys FS, name string) (FileInfo, error)"},
 		{"ModeAppend", Const, 16, ""},
 		{"ModeCharDevice", Const, 16, ""},
 		{"ModeDevice", Const, 16, ""},
@@ -7158,7 +7171,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ReadDirFile", Type, 16, ""},
 		{"ReadFile", Func, 16, "func(fsys FS, name string) ([]byte, error)"},
 		{"ReadFileFS", Type, 16, ""},
-		{"ReadLink", Func, 25, ""},
+		{"ReadLink", Func, 25, "func(fsys FS, name string) (string, error)"},
 		{"ReadLinkFS", Type, 25, ""},
 		{"SkipAll", Var, 20, ""},
 		{"SkipDir", Var, 16, ""},
@@ -7275,6 +7288,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(Record).Attrs", Method, 21, ""},
 		{"(Record).Clone", Method, 21, ""},
 		{"(Record).NumAttrs", Method, 21, ""},
+		{"(Record).Source", Method, 25, ""},
 		{"(Value).Any", Method, 21, ""},
 		{"(Value).Bool", Method, 21, ""},
 		{"(Value).Duration", Method, 21, ""},
@@ -7306,6 +7320,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Float64", Func, 21, "func(key string, v float64) Attr"},
 		{"Float64Value", Func, 21, "func(v float64) Value"},
 		{"Group", Func, 21, "func(key string, args ...any) Attr"},
+		{"GroupAttrs", Func, 25, "func(key string, attrs ...Attr) Attr"},
 		{"GroupValue", Func, 21, "func(as ...Attr) Value"},
 		{"Handler", Type, 21, ""},
 		{"HandlerOptions", Type, 21, ""},
@@ -7916,7 +7931,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Writer).WriteField", Method, 0, ""},
 		{"ErrMessageTooLarge", Var, 9, ""},
 		{"File", Type, 0, ""},
-		{"FileContentDisposition", Func, 25, ""},
+		{"FileContentDisposition", Func, 25, "func(fieldname string, filename string) string"},
 		{"FileHeader", Type, 0, ""},
 		{"FileHeader.Filename", Field, 0, ""},
 		{"FileHeader.Header", Field, 0, ""},
@@ -8294,6 +8309,11 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Client).PostForm", Method, 0, ""},
 		{"(*Cookie).String", Method, 0, ""},
 		{"(*Cookie).Valid", Method, 18, ""},
+		{"(*CrossOriginProtection).AddInsecureBypassPattern", Method, 25, ""},
+		{"(*CrossOriginProtection).AddTrustedOrigin", Method, 25, ""},
+		{"(*CrossOriginProtection).Check", Method, 25, ""},
+		{"(*CrossOriginProtection).Handler", Method, 25, ""},
+		{"(*CrossOriginProtection).SetDenyHandler", Method, 25, ""},
 		{"(*MaxBytesError).Error", Method, 19, ""},
 		{"(*ProtocolError).Error", Method, 0, ""},
 		{"(*ProtocolError).Is", Method, 21, ""},
@@ -8388,6 +8408,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Cookie.Unparsed", Field, 0, ""},
 		{"Cookie.Value", Field, 0, ""},
 		{"CookieJar", Type, 0, ""},
+		{"CrossOriginProtection", Type, 25, ""},
 		{"DefaultClient", Var, 0, ""},
 		{"DefaultMaxHeaderBytes", Const, 0, ""},
 		{"DefaultMaxIdleConnsPerHost", Const, 0, ""},
@@ -8460,6 +8481,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"MethodPost", Const, 6, ""},
 		{"MethodPut", Const, 6, ""},
 		{"MethodTrace", Const, 6, ""},
+		{"NewCrossOriginProtection", Func, 25, "func() *CrossOriginProtection"},
 		{"NewFileTransport", Func, 0, "func(fs FileSystem) RoundTripper"},
 		{"NewFileTransportFS", Func, 22, "func(fsys fs.FS) RoundTripper"},
 		{"NewRequest", Func, 0, "func(method string, url string, body io.Reader) (*Request, error)"},
@@ -9174,15 +9196,19 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*Root).Link", Method, 25, ""},
 		{"(*Root).Lstat", Method, 24, ""},
 		{"(*Root).Mkdir", Method, 24, ""},
+		{"(*Root).MkdirAll", Method, 25, ""},
 		{"(*Root).Name", Method, 24, ""},
 		{"(*Root).Open", Method, 24, ""},
 		{"(*Root).OpenFile", Method, 24, ""},
 		{"(*Root).OpenRoot", Method, 24, ""},
+		{"(*Root).ReadFile", Method, 25, ""},
 		{"(*Root).Readlink", Method, 25, ""},
 		{"(*Root).Remove", Method, 24, ""},
+		{"(*Root).RemoveAll", Method, 25, ""},
 		{"(*Root).Rename", Method, 25, ""},
 		{"(*Root).Stat", Method, 24, ""},
 		{"(*Root).Symlink", Method, 25, ""},
+		{"(*Root).WriteFile", Method, 25, ""},
 		{"(*SyscallError).Error", Method, 0, ""},
 		{"(*SyscallError).Timeout", Method, 10, ""},
 		{"(*SyscallError).Unwrap", Method, 13, ""},
@@ -9623,6 +9649,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"StructTag", Type, 0, ""},
 		{"Swapper", Func, 8, "func(slice any) func(i int, j int)"},
 		{"Type", Type, 0, ""},
+		{"TypeAssert", Func, 25, "func[T any](v Value) (T, bool)"},
 		{"TypeFor", Func, 22, "func[T any]() Type"},
 		{"TypeOf", Func, 0, "func(i any) Type"},
 		{"Uint", Const, 0, ""},
@@ -9909,6 +9936,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"SetBlockProfileRate", Func, 1, "func(rate int)"},
 		{"SetCPUProfileRate", Func, 0, "func(hz int)"},
 		{"SetCgoTraceback", Func, 7, "func(version int, traceback unsafe.Pointer, context unsafe.Pointer, symbolizer unsafe.Pointer)"},
+		{"SetDefaultGOMAXPROCS", Func, 25, "func()"},
 		{"SetFinalizer", Func, 0, "func(obj any, finalizer any)"},
 		{"SetMutexProfileFraction", Func, 8, "func(rate int) int"},
 		{"Stack", Func, 0, "func(buf []byte, all bool) int"},
@@ -10021,11 +10049,20 @@ var PackageSymbols = map[string][]Symbol{
 		{"WriteHeapProfile", Func, 0, "func(w io.Writer) error"},
 	},
 	"runtime/trace": {
+		{"(*FlightRecorder).Enabled", Method, 25, ""},
+		{"(*FlightRecorder).Start", Method, 25, ""},
+		{"(*FlightRecorder).Stop", Method, 25, ""},
+		{"(*FlightRecorder).WriteTo", Method, 25, ""},
 		{"(*Region).End", Method, 11, ""},
 		{"(*Task).End", Method, 11, ""},
+		{"FlightRecorder", Type, 25, ""},
+		{"FlightRecorderConfig", Type, 25, ""},
+		{"FlightRecorderConfig.MaxBytes", Field, 25, ""},
+		{"FlightRecorderConfig.MinAge", Field, 25, ""},
 		{"IsEnabled", Func, 11, "func() bool"},
 		{"Log", Func, 11, "func(ctx context.Context, category string, message string)"},
 		{"Logf", Func, 11, "func(ctx context.Context, category string, format string, args ...any)"},
+		{"NewFlightRecorder", Func, 25, "func(cfg FlightRecorderConfig) *FlightRecorder"},
 		{"NewTask", Func, 11, "func(pctx context.Context, taskType string) (ctx context.Context, task *Task)"},
 		{"Region", Type, 11, ""},
 		{"Start", Func, 5, "func(w io.Writer) error"},
@@ -16642,6 +16679,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"ValueOf", Func, 0, ""},
 	},
 	"testing": {
+		{"(*B).Attr", Method, 25, ""},
 		{"(*B).Chdir", Method, 24, ""},
 		{"(*B).Cleanup", Method, 14, ""},
 		{"(*B).Context", Method, 24, ""},
@@ -16658,6 +16696,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*B).Logf", Method, 0, ""},
 		{"(*B).Loop", Method, 24, ""},
 		{"(*B).Name", Method, 8, ""},
+		{"(*B).Output", Method, 25, ""},
 		{"(*B).ReportAllocs", Method, 1, ""},
 		{"(*B).ReportMetric", Method, 13, ""},
 		{"(*B).ResetTimer", Method, 0, ""},
@@ -16674,6 +16713,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*B).StopTimer", Method, 0, ""},
 		{"(*B).TempDir", Method, 15, ""},
 		{"(*F).Add", Method, 18, ""},
+		{"(*F).Attr", Method, 25, ""},
 		{"(*F).Chdir", Method, 24, ""},
 		{"(*F).Cleanup", Method, 18, ""},
 		{"(*F).Context", Method, 24, ""},
@@ -16689,6 +16729,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*F).Log", Method, 18, ""},
 		{"(*F).Logf", Method, 18, ""},
 		{"(*F).Name", Method, 18, ""},
+		{"(*F).Output", Method, 25, ""},
 		{"(*F).Setenv", Method, 18, ""},
 		{"(*F).Skip", Method, 18, ""},
 		{"(*F).SkipNow", Method, 18, ""},
@@ -16697,6 +16738,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*F).TempDir", Method, 18, ""},
 		{"(*M).Run", Method, 4, ""},
 		{"(*PB).Next", Method, 3, ""},
+		{"(*T).Attr", Method, 25, ""},
 		{"(*T).Chdir", Method, 24, ""},
 		{"(*T).Cleanup", Method, 14, ""},
 		{"(*T).Context", Method, 24, ""},
@@ -16712,6 +16754,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"(*T).Log", Method, 0, ""},
 		{"(*T).Logf", Method, 0, ""},
 		{"(*T).Name", Method, 8, ""},
+		{"(*T).Output", Method, 25, ""},
 		{"(*T).Parallel", Method, 0, ""},
 		{"(*T).Run", Method, 7, ""},
 		{"(*T).Setenv", Method, 17, ""},
@@ -16834,6 +16877,10 @@ var PackageSymbols = map[string][]Symbol{
 		{"Run", Func, 22, "func(t *testing.T, newHandler func(*testing.T) slog.Handler, result func(*testing.T) map[string]any)"},
 		{"TestHandler", Func, 21, "func(h slog.Handler, results func() []map[string]any) error"},
 	},
+	"testing/synctest": {
+		{"Test", Func, 25, "func(t *testing.T, f func(*testing.T))"},
+		{"Wait", Func, 25, "func()"},
+	},
 	"text/scanner": {
 		{"(*Position).IsValid", Method, 0, ""},
 		{"(*Scanner).Init", Method, 0, ""},
@@ -17347,6 +17394,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"CaseRange.Lo", Field, 0, ""},
 		{"CaseRanges", Var, 0, ""},
 		{"Categories", Var, 0, ""},
+		{"CategoryAliases", Var, 25, ""},
 		{"Caucasian_Albanian", Var, 4, ""},
 		{"Cc", Var, 0, ""},
 		{"Cf", Var, 0, ""},
@@ -17354,6 +17402,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Cham", Var, 0, ""},
 		{"Cherokee", Var, 0, ""},
 		{"Chorasmian", Var, 16, ""},
+		{"Cn", Var, 25, ""},
 		{"Co", Var, 0, ""},
 		{"Common", Var, 0, ""},
 		{"Coptic", Var, 0, ""},
@@ -17432,6 +17481,7 @@ var PackageSymbols = map[string][]Symbol{
 		{"Khojki", Var, 4, ""},
 		{"Khudawadi", Var, 4, ""},
 		{"L", Var, 0, ""},
+		{"LC", Var, 25, ""},
 		{"Lao", Var, 0, ""},
 		{"Latin", Var, 0, ""},
 		{"Lepcha", Var, 0, ""},
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/fx.go b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
new file mode 100644
index 0000000000000..93acff21701e0
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/fx.go
@@ -0,0 +1,49 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/ast"
+	"go/token"
+	"go/types"
+)
+
+// NoEffects reports whether the expression has no side effects, i.e., it
+// does not modify the memory state. This function is conservative: it may
+// return false even when the expression has no effect.
+func NoEffects(info *types.Info, expr ast.Expr) bool {
+	noEffects := true
+	ast.Inspect(expr, func(n ast.Node) bool {
+		switch v := n.(type) {
+		case nil, *ast.Ident, *ast.BasicLit, *ast.BinaryExpr, *ast.ParenExpr,
+			*ast.SelectorExpr, *ast.IndexExpr, *ast.SliceExpr, *ast.TypeAssertExpr,
+			*ast.StarExpr, *ast.CompositeLit, *ast.ArrayType, *ast.StructType,
+			*ast.MapType, *ast.InterfaceType, *ast.KeyValueExpr:
+			// No effect
+		case *ast.UnaryExpr:
+			// Channel send <-ch has effects
+			if v.Op == token.ARROW {
+				noEffects = false
+			}
+		case *ast.CallExpr:
+			// Type conversion has no effects
+			if !info.Types[v.Fun].IsType() {
+				// TODO(adonovan): Add a case for built-in functions without side
+				// effects (by using callsPureBuiltin from tools/internal/refactor/inline)
+
+				noEffects = false
+			}
+		case *ast.FuncLit:
+			// A FuncLit has no effects, but do not descend into it.
+			return false
+		default:
+			// All other expressions have effects
+			noEffects = false
+		}
+
+		return noEffects
+	})
+	return noEffects
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
new file mode 100644
index 0000000000000..f2affec4fba92
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/typesinternal/isnamed.go
@@ -0,0 +1,71 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package typesinternal
+
+import (
+	"go/types"
+	"slices"
+)
+
+// IsTypeNamed reports whether t is (or is an alias for) a
+// package-level defined type with the given package path and one of
+// the given names. It returns false if t is nil.
+//
+// This function avoids allocating the concatenation of "pkg.Name",
+// which is important for the performance of syntax matching.
+func IsTypeNamed(t types.Type, pkgPath string, names ...string) bool {
+	if named, ok := types.Unalias(t).(*types.Named); ok {
+		tname := named.Obj()
+		return tname != nil &&
+			IsPackageLevel(tname) &&
+			tname.Pkg().Path() == pkgPath &&
+			slices.Contains(names, tname.Name())
+	}
+	return false
+}
+
+// IsPointerToNamed reports whether t is (or is an alias for) a pointer to a
+// package-level defined type with the given package path and one of the given
+// names. It returns false if t is not a pointer type.
+func IsPointerToNamed(t types.Type, pkgPath string, names ...string) bool {
+	r := Unpointer(t)
+	if r == t {
+		return false
+	}
+	return IsTypeNamed(r, pkgPath, names...)
+}
+
+// IsFunctionNamed reports whether obj is a package-level function
+// defined in the given package and has one of the given names.
+// It returns false if obj is nil.
+//
+// This function avoids allocating the concatenation of "pkg.Name",
+// which is important for the performance of syntax matching.
+func IsFunctionNamed(obj types.Object, pkgPath string, names ...string) bool {
+	f, ok := obj.(*types.Func)
+	return ok &&
+		IsPackageLevel(obj) &&
+		f.Pkg().Path() == pkgPath &&
+		f.Type().(*types.Signature).Recv() == nil &&
+		slices.Contains(names, f.Name())
+}
+
+// IsMethodNamed reports whether obj is a method defined on a
+// package-level type with the given package and type name, and has
+// one of the given names. It returns false if obj is nil.
+//
+// This function avoids allocating the concatenation of "pkg.TypeName.Name",
+// which is important for the performance of syntax matching.
+func IsMethodNamed(obj types.Object, pkgPath string, typeName string, names ...string) bool {
+	if fn, ok := obj.(*types.Func); ok {
+		if recv := fn.Type().(*types.Signature).Recv(); recv != nil {
+			_, T := ReceiverNamed(recv)
+			return T != nil &&
+				IsTypeNamed(T, pkgPath, typeName) &&
+				slices.Contains(names, fn.Name())
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
index b64f714eb30f6..64f47919f02e2 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/qualifier.go
@@ -15,6 +15,14 @@ import (
 // file.
 // If the same package is imported multiple times, the last appearance is
 // recorded.
+//
+// TODO(adonovan): this function ignores the effect of shadowing. It
+// should accept a [token.Pos] and a [types.Info] and compute only the
+// set of imports that are not shadowed at that point, analogous to
+// [analysisinternal.AddImport]. It could also compute (as a side
+// effect) the set of additional imports required to ensure that there
+// is an accessible import for each necessary package, making it
+// converge even more closely with AddImport.
 func FileQualifier(f *ast.File, pkg *types.Package) types.Qualifier {
 	// Construct mapping of import paths to their defined names.
 	// It is only necessary to look at renaming imports.
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/types.go b/vendor/golang.org/x/tools/internal/typesinternal/types.go
index a5cd7e8dbfcb9..fef74a7856048 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/types.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/types.go
@@ -2,8 +2,20 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package typesinternal provides access to internal go/types APIs that are not
-// yet exported.
+// Package typesinternal provides helpful operators for dealing with
+// go/types:
+//
+//   - operators for querying typed syntax trees (e.g. [Imports], [IsFunctionNamed]);
+//   - functions for converting types to strings or syntax (e.g. [TypeExpr], FileQualifier]);
+//   - helpers for working with the [go/types] API (e.g. [NewTypesInfo]);
+//   - access to internal go/types APIs that are not yet
+//     exported (e.g. [SetUsesCgo], [ErrorCodeStartEnd], [VarKind]); and
+//   - common algorithms related to types (e.g. [TooNewStdSymbols]).
+//
+// See also:
+//   - [golang.org/x/tools/internal/astutil], for operations on untyped syntax;
+//   - [golang.org/x/tools/internal/analysisinernal], for helpers for analyzers;
+//   - [golang.org/x/tools/internal/refactor], for operators to compute text edits.
 package typesinternal
 
 import (
@@ -13,6 +25,7 @@ import (
 	"reflect"
 	"unsafe"
 
+	"golang.org/x/tools/go/ast/inspector"
 	"golang.org/x/tools/internal/aliases"
 )
 
@@ -60,6 +73,9 @@ func ErrorCodeStartEnd(err types.Error) (code ErrorCode, start, end token.Pos, o
 // which is often excessive.)
 //
 // If pkg is nil, it is equivalent to [*types.Package.Name].
+//
+// TODO(adonovan): all uses of this with TypeString should be
+// eliminated when https://go.dev/issues/75604 is resolved.
 func NameRelativeTo(pkg *types.Package) types.Qualifier {
 	return func(other *types.Package) string {
 		if pkg != nil && pkg == other {
@@ -153,3 +169,31 @@ func NewTypesInfo() *types.Info {
 		FileVersions: map[*ast.File]string{},
 	}
 }
+
+// EnclosingScope returns the innermost block logically enclosing the cursor.
+func EnclosingScope(info *types.Info, cur inspector.Cursor) *types.Scope {
+	for cur := range cur.Enclosing() {
+		n := cur.Node()
+		// A function's Scope is associated with its FuncType.
+		switch f := n.(type) {
+		case *ast.FuncDecl:
+			n = f.Type
+		case *ast.FuncLit:
+			n = f.Type
+		}
+		if b := info.Scopes[n]; b != nil {
+			return b
+		}
+	}
+	panic("no Scope for *ast.File")
+}
+
+// Imports reports whether path is imported by pkg.
+func Imports(pkg *types.Package, path string) bool {
+	for _, imp := range pkg.Imports() {
+		if imp.Path() == path {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
index d272949c17718..453bba2ad5e84 100644
--- a/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
+++ b/vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go
@@ -204,23 +204,12 @@ func ZeroExpr(t types.Type, qual types.Qualifier) (_ ast.Expr, isValid bool) {
 	}
 }
 
-// IsZeroExpr uses simple syntactic heuristics to report whether expr
-// is a obvious zero value, such as 0, "", nil, or false.
-// It cannot do better without type information.
-func IsZeroExpr(expr ast.Expr) bool {
-	switch e := expr.(type) {
-	case *ast.BasicLit:
-		return e.Value == "0" || e.Value == `""`
-	case *ast.Ident:
-		return e.Name == "nil" || e.Name == "false"
-	default:
-		return false
-	}
-}
-
 // TypeExpr returns syntax for the specified type. References to named types
 // are qualified by an appropriate (optional) qualifier function.
 // It may panic for types such as Tuple or Union.
+//
+// See also https://go.dev/issues/75604, which will provide a robust
+// Type-to-valid-Go-syntax formatter.
 func TypeExpr(t types.Type, qual types.Qualifier) ast.Expr {
 	switch t := t.(type) {
 	case *types.Basic:
diff --git a/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go b/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
index 3cd9a5bb8e62b..e017ef0714292 100644
--- a/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/rpc/errdetails/error_details.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -703,6 +703,65 @@ type QuotaFailure_Violation struct {
 	// For example: "Service disabled" or "Daily Limit for read operations
 	// exceeded".
 	Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	// The API Service from which the `QuotaFailure.Violation` orginates. In
+	// some cases, Quota issues originate from an API Service other than the one
+	// that was called. In other words, a dependency of the called API Service
+	// could be the cause of the `QuotaFailure`, and this field would have the
+	// dependency API service name.
+	//
+	// For example, if the called API is Kubernetes Engine API
+	// (container.googleapis.com), and a quota violation occurs in the
+	// Kubernetes Engine API itself, this field would be
+	// "container.googleapis.com". On the other hand, if the quota violation
+	// occurs when the Kubernetes Engine API creates VMs in the Compute Engine
+	// API (compute.googleapis.com), this field would be
+	// "compute.googleapis.com".
+	ApiService string `protobuf:"bytes,3,opt,name=api_service,json=apiService,proto3" json:"api_service,omitempty"`
+	// The metric of the violated quota. A quota metric is a named counter to
+	// measure usage, such as API requests or CPUs. When an activity occurs in a
+	// service, such as Virtual Machine allocation, one or more quota metrics
+	// may be affected.
+	//
+	// For example, "compute.googleapis.com/cpus_per_vm_family",
+	// "storage.googleapis.com/internet_egress_bandwidth".
+	QuotaMetric string `protobuf:"bytes,4,opt,name=quota_metric,json=quotaMetric,proto3" json:"quota_metric,omitempty"`
+	// The id of the violated quota. Also know as "limit name", this is the
+	// unique identifier of a quota in the context of an API service.
+	//
+	// For example, "CPUS-PER-VM-FAMILY-per-project-region".
+	QuotaId string `protobuf:"bytes,5,opt,name=quota_id,json=quotaId,proto3" json:"quota_id,omitempty"`
+	// The dimensions of the violated quota. Every non-global quota is enforced
+	// on a set of dimensions. While quota metric defines what to count, the
+	// dimensions specify for what aspects the counter should be increased.
+	//
+	// For example, the quota "CPUs per region per VM family" enforces a limit
+	// on the metric "compute.googleapis.com/cpus_per_vm_family" on dimensions
+	// "region" and "vm_family". And if the violation occurred in region
+	// "us-central1" and for VM family "n1", the quota_dimensions would be,
+	//
+	//	{
+	//	  "region": "us-central1",
+	//	  "vm_family": "n1",
+	//	}
+	//
+	// When a quota is enforced globally, the quota_dimensions would always be
+	// empty.
+	QuotaDimensions map[string]string `protobuf:"bytes,6,rep,name=quota_dimensions,json=quotaDimensions,proto3" json:"quota_dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// The enforced quota value at the time of the `QuotaFailure`.
+	//
+	// For example, if the enforced quota value at the time of the
+	// `QuotaFailure` on the number of CPUs is "10", then the value of this
+	// field would reflect this quantity.
+	QuotaValue int64 `protobuf:"varint,7,opt,name=quota_value,json=quotaValue,proto3" json:"quota_value,omitempty"`
+	// The new quota value being rolled out at the time of the violation. At the
+	// completion of the rollout, this value will be enforced in place of
+	// quota_value. If no rollout is in progress at the time of the violation,
+	// this field is not set.
+	//
+	// For example, if at the time of the violation a rollout is in progress
+	// changing the number of CPUs quota from 10 to 20, 20 would be the value of
+	// this field.
+	FutureQuotaValue *int64 `protobuf:"varint,8,opt,name=future_quota_value,json=futureQuotaValue,proto3,oneof" json:"future_quota_value,omitempty"`
 }
 
 func (x *QuotaFailure_Violation) Reset() {
@@ -751,6 +810,48 @@ func (x *QuotaFailure_Violation) GetDescription() string {
 	return ""
 }
 
+func (x *QuotaFailure_Violation) GetApiService() string {
+	if x != nil {
+		return x.ApiService
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaMetric() string {
+	if x != nil {
+		return x.QuotaMetric
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaId() string {
+	if x != nil {
+		return x.QuotaId
+	}
+	return ""
+}
+
+func (x *QuotaFailure_Violation) GetQuotaDimensions() map[string]string {
+	if x != nil {
+		return x.QuotaDimensions
+	}
+	return nil
+}
+
+func (x *QuotaFailure_Violation) GetQuotaValue() int64 {
+	if x != nil {
+		return x.QuotaValue
+	}
+	return 0
+}
+
+func (x *QuotaFailure_Violation) GetFutureQuotaValue() int64 {
+	if x != nil && x.FutureQuotaValue != nil {
+		return *x.FutureQuotaValue
+	}
+	return 0
+}
+
 // A message type used to describe a single precondition failure.
 type PreconditionFailure_Violation struct {
 	state         protoimpl.MessageState
@@ -775,7 +876,7 @@ type PreconditionFailure_Violation struct {
 func (x *PreconditionFailure_Violation) Reset() {
 	*x = PreconditionFailure_Violation{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[12]
+		mi := &file_google_rpc_error_details_proto_msgTypes[13]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -788,7 +889,7 @@ func (x *PreconditionFailure_Violation) String() string {
 func (*PreconditionFailure_Violation) ProtoMessage() {}
 
 func (x *PreconditionFailure_Violation) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[12]
+	mi := &file_google_rpc_error_details_proto_msgTypes[13]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -886,7 +987,7 @@ type BadRequest_FieldViolation struct {
 func (x *BadRequest_FieldViolation) Reset() {
 	*x = BadRequest_FieldViolation{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[13]
+		mi := &file_google_rpc_error_details_proto_msgTypes[14]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -899,7 +1000,7 @@ func (x *BadRequest_FieldViolation) String() string {
 func (*BadRequest_FieldViolation) ProtoMessage() {}
 
 func (x *BadRequest_FieldViolation) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[13]
+	mi := &file_google_rpc_error_details_proto_msgTypes[14]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -958,7 +1059,7 @@ type Help_Link struct {
 func (x *Help_Link) Reset() {
 	*x = Help_Link{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_google_rpc_error_details_proto_msgTypes[14]
+		mi := &file_google_rpc_error_details_proto_msgTypes[15]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -971,7 +1072,7 @@ func (x *Help_Link) String() string {
 func (*Help_Link) ProtoMessage() {}
 
 func (x *Help_Link) ProtoReflect() protoreflect.Message {
-	mi := &file_google_rpc_error_details_proto_msgTypes[14]
+	mi := &file_google_rpc_error_details_proto_msgTypes[15]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1029,79 +1130,102 @@ var file_google_rpc_error_details_proto_rawDesc = []byte{
 	0x0a, 0x0d, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18,
 	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x45, 0x6e, 0x74, 0x72,
 	0x69, 0x65, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x22, 0x9b, 0x01, 0x0a, 0x0c,
+	0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x22, 0x8e, 0x04, 0x0a, 0x0c,
 	0x51, 0x75, 0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x12, 0x42, 0x0a, 0x0a,
 	0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
 	0x32, 0x22, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x51, 0x75,
 	0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61,
 	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x1a, 0x47, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
-	0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xbd, 0x01, 0x0a, 0x13, 0x50, 0x72,
-	0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72,
-	0x65, 0x12, 0x49, 0x0a, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72,
-	0x70, 0x63, 0x2e, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46,
-	0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x5b, 0x0a, 0x09,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
-	0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8c, 0x02, 0x0a, 0x0a, 0x42, 0x61,
-	0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x10, 0x66, 0x69, 0x65, 0x6c,
-	0x64, 0x5f, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e,
-	0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0xab, 0x01, 0x0a, 0x0e, 0x46,
-	0x69, 0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a,
-	0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x66, 0x69,
-	0x65, 0x6c, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x49, 0x0a,
-	0x11, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x4f, 0x0a, 0x0b, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d, 0x0a, 0x0a, 0x72, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x69, 0x6e,
-	0x67, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65,
-	0x72, 0x76, 0x69, 0x6e, 0x67, 0x44, 0x61, 0x74, 0x61, 0x22, 0x90, 0x01, 0x0a, 0x0c, 0x52, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x6f, 0x0a, 0x04,
-	0x48, 0x65, 0x6c, 0x70, 0x12, 0x2b, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x6b, 0x73, 0x18, 0x01, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63,
-	0x2e, 0x48, 0x65, 0x6c, 0x70, 0x2e, 0x4c, 0x69, 0x6e, 0x6b, 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x6b,
-	0x73, 0x1a, 0x3a, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73,
-	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
-	0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x75,
-	0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x44, 0x0a,
-	0x10, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x42, 0x6c, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x72, 0x70, 0x63, 0x42, 0x11, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x44, 0x65, 0x74, 0x61,
-	0x69, 0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x65,
-	0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69,
-	0x73, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73,
-	0x3b, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0xa2, 0x02, 0x03, 0x52, 0x50,
-	0x43, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x1a, 0xb9, 0x03, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18,
+	0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63,
+	0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64,
+	0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70,
+	0x69, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x61, 0x70, 0x69, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x71,
+	0x75, 0x6f, 0x74, 0x61, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x19,
+	0x0a, 0x08, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x49, 0x64, 0x12, 0x62, 0x0a, 0x10, 0x71, 0x75, 0x6f,
+	0x74, 0x61, 0x5f, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63,
+	0x2e, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69,
+	0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d,
+	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0f, 0x71, 0x75,
+	0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a,
+	0x0b, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x07, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x0a, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x31,
+	0x0a, 0x12, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x48, 0x00, 0x52, 0x10, 0x66, 0x75,
+	0x74, 0x75, 0x72, 0x65, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x88, 0x01,
+	0x01, 0x1a, 0x42, 0x0a, 0x14, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x15, 0x0a, 0x13, 0x5f, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65,
+	0x5f, 0x71, 0x75, 0x6f, 0x74, 0x61, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xbd, 0x01, 0x0a,
+	0x13, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x61, 0x69,
+	0x6c, 0x75, 0x72, 0x65, 0x12, 0x49, 0x0a, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x50, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69,
+	0x6f, 0x6e, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x2e, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a,
+	0x5b, 0x0a, 0x09, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65,
+	0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65,
+	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8c, 0x02, 0x0a,
+	0x0a, 0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x10, 0x66,
+	0x69, 0x65, 0x6c, 0x64, 0x5f, 0x76, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72,
+	0x70, 0x63, 0x2e, 0x42, 0x61, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x46, 0x69,
+	0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x66, 0x69,
+	0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0xab, 0x01,
+	0x0a, 0x0e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x56, 0x69, 0x6f, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x12, 0x14, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69,
+	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73,
+	0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73,
+	0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e,
+	0x12, 0x49, 0x0a, 0x11, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a,
+	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
+	0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x4f, 0x0a, 0x0b, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d, 0x0a, 0x0a, 0x72, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
+	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72,
+	0x76, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x6e, 0x67, 0x44, 0x61, 0x74, 0x61, 0x22, 0x90, 0x01, 0x0a,
+	0x0c, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x23, 0x0a,
+	0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79,
+	0x70, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x20, 0x0a,
+	0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22,
+	0x6f, 0x0a, 0x04, 0x48, 0x65, 0x6c, 0x70, 0x12, 0x2b, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x6b, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x72, 0x70, 0x63, 0x2e, 0x48, 0x65, 0x6c, 0x70, 0x2e, 0x4c, 0x69, 0x6e, 0x6b, 0x52, 0x05, 0x6c,
+	0x69, 0x6e, 0x6b, 0x73, 0x1a, 0x3a, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x6b, 0x12, 0x20, 0x0a, 0x0b,
+	0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10,
+	0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c,
+	0x22, 0x44, 0x0a, 0x10, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07,
+	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6c, 0x0a, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x42, 0x11, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x44,
+	0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67,
+	0x2f, 0x67, 0x65, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x61, 0x70, 0x69, 0x73, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61,
+	0x69, 0x6c, 0x73, 0x3b, 0x65, 0x72, 0x72, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0xa2, 0x02,
+	0x03, 0x52, 0x50, 0x43, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -1116,7 +1240,7 @@ func file_google_rpc_error_details_proto_rawDescGZIP() []byte {
 	return file_google_rpc_error_details_proto_rawDescData
 }
 
-var file_google_rpc_error_details_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
+var file_google_rpc_error_details_proto_msgTypes = make([]protoimpl.MessageInfo, 16)
 var file_google_rpc_error_details_proto_goTypes = []interface{}{
 	(*ErrorInfo)(nil),                     // 0: google.rpc.ErrorInfo
 	(*RetryInfo)(nil),                     // 1: google.rpc.RetryInfo
@@ -1130,24 +1254,26 @@ var file_google_rpc_error_details_proto_goTypes = []interface{}{
 	(*LocalizedMessage)(nil),              // 9: google.rpc.LocalizedMessage
 	nil,                                   // 10: google.rpc.ErrorInfo.MetadataEntry
 	(*QuotaFailure_Violation)(nil),        // 11: google.rpc.QuotaFailure.Violation
-	(*PreconditionFailure_Violation)(nil), // 12: google.rpc.PreconditionFailure.Violation
-	(*BadRequest_FieldViolation)(nil),     // 13: google.rpc.BadRequest.FieldViolation
-	(*Help_Link)(nil),                     // 14: google.rpc.Help.Link
-	(*durationpb.Duration)(nil),           // 15: google.protobuf.Duration
+	nil,                                   // 12: google.rpc.QuotaFailure.Violation.QuotaDimensionsEntry
+	(*PreconditionFailure_Violation)(nil), // 13: google.rpc.PreconditionFailure.Violation
+	(*BadRequest_FieldViolation)(nil),     // 14: google.rpc.BadRequest.FieldViolation
+	(*Help_Link)(nil),                     // 15: google.rpc.Help.Link
+	(*durationpb.Duration)(nil),           // 16: google.protobuf.Duration
 }
 var file_google_rpc_error_details_proto_depIdxs = []int32{
 	10, // 0: google.rpc.ErrorInfo.metadata:type_name -> google.rpc.ErrorInfo.MetadataEntry
-	15, // 1: google.rpc.RetryInfo.retry_delay:type_name -> google.protobuf.Duration
+	16, // 1: google.rpc.RetryInfo.retry_delay:type_name -> google.protobuf.Duration
 	11, // 2: google.rpc.QuotaFailure.violations:type_name -> google.rpc.QuotaFailure.Violation
-	12, // 3: google.rpc.PreconditionFailure.violations:type_name -> google.rpc.PreconditionFailure.Violation
-	13, // 4: google.rpc.BadRequest.field_violations:type_name -> google.rpc.BadRequest.FieldViolation
-	14, // 5: google.rpc.Help.links:type_name -> google.rpc.Help.Link
-	9,  // 6: google.rpc.BadRequest.FieldViolation.localized_message:type_name -> google.rpc.LocalizedMessage
-	7,  // [7:7] is the sub-list for method output_type
-	7,  // [7:7] is the sub-list for method input_type
-	7,  // [7:7] is the sub-list for extension type_name
-	7,  // [7:7] is the sub-list for extension extendee
-	0,  // [0:7] is the sub-list for field type_name
+	13, // 3: google.rpc.PreconditionFailure.violations:type_name -> google.rpc.PreconditionFailure.Violation
+	14, // 4: google.rpc.BadRequest.field_violations:type_name -> google.rpc.BadRequest.FieldViolation
+	15, // 5: google.rpc.Help.links:type_name -> google.rpc.Help.Link
+	12, // 6: google.rpc.QuotaFailure.Violation.quota_dimensions:type_name -> google.rpc.QuotaFailure.Violation.QuotaDimensionsEntry
+	9,  // 7: google.rpc.BadRequest.FieldViolation.localized_message:type_name -> google.rpc.LocalizedMessage
+	8,  // [8:8] is the sub-list for method output_type
+	8,  // [8:8] is the sub-list for method input_type
+	8,  // [8:8] is the sub-list for extension type_name
+	8,  // [8:8] is the sub-list for extension extendee
+	0,  // [0:8] is the sub-list for field type_name
 }
 
 func init() { file_google_rpc_error_details_proto_init() }
@@ -1288,7 +1414,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*PreconditionFailure_Violation); i {
 			case 0:
 				return &v.state
@@ -1300,7 +1426,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*BadRequest_FieldViolation); i {
 			case 0:
 				return &v.state
@@ -1312,7 +1438,7 @@ func file_google_rpc_error_details_proto_init() {
 				return nil
 			}
 		}
-		file_google_rpc_error_details_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+		file_google_rpc_error_details_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Help_Link); i {
 			case 0:
 				return &v.state
@@ -1325,13 +1451,14 @@ func file_google_rpc_error_details_proto_init() {
 			}
 		}
 	}
+	file_google_rpc_error_details_proto_msgTypes[11].OneofWrappers = []interface{}{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_google_rpc_error_details_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   15,
+			NumMessages:   16,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go b/vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go
index 6ad1b1c1df017..06a3f71063360 100644
--- a/vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go
+++ b/vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index c0e22757727a0..20b8fb098ac3a 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -186,23 +186,15 @@ func (r *delegatingResolver) Close() {
 	r.proxyResolver = nil
 }
 
-func networkTypeFromAddr(addr resolver.Address) string {
-	networkType, ok := networktype.Get(addr)
-	if !ok {
-		networkType, _ = transport.ParseDialTarget(addr.Addr)
-	}
-	return networkType
-}
-
-func isTCPAddressPresent(state *resolver.State) bool {
+func needsProxyResolver(state *resolver.State) bool {
 	for _, addr := range state.Addresses {
-		if networkType := networkTypeFromAddr(addr); networkType == "tcp" {
+		if !skipProxy(addr) {
 			return true
 		}
 	}
 	for _, endpoint := range state.Endpoints {
 		for _, addr := range endpoint.Addresses {
-			if networktype := networkTypeFromAddr(addr); networktype == "tcp" {
+			if !skipProxy(addr) {
 				return true
 			}
 		}
@@ -210,6 +202,29 @@ func isTCPAddressPresent(state *resolver.State) bool {
 	return false
 }
 
+func skipProxy(address resolver.Address) bool {
+	// Avoid proxy when network is not tcp.
+	networkType, ok := networktype.Get(address)
+	if !ok {
+		networkType, _ = transport.ParseDialTarget(address.Addr)
+	}
+	if networkType != "tcp" {
+		return true
+	}
+
+	req := &http.Request{URL: &url.URL{
+		Scheme: "https",
+		Host:   address.Addr,
+	}}
+	// Avoid proxy when address included in `NO_PROXY` environment variable or
+	// fails to get the proxy address.
+	url, err := HTTPSProxyFromEnvironment(req)
+	if err != nil || url == nil {
+		return true
+	}
+	return false
+}
+
 // updateClientConnStateLocked constructs a combined list of addresses by
 // pairing each proxy address with every target address of type TCP. For each
 // pair, it creates a new [resolver.Address] using the proxy address and
@@ -240,8 +255,7 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 	}
 	var addresses []resolver.Address
 	for _, targetAddr := range (*r.targetResolverState).Addresses {
-		// Avoid proxy when network is not tcp.
-		if networkType := networkTypeFromAddr(targetAddr); networkType != "tcp" {
+		if skipProxy(targetAddr) {
 			addresses = append(addresses, targetAddr)
 			continue
 		}
@@ -259,7 +273,7 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 		var addrs []resolver.Address
 		for _, targetAddr := range endpt.Addresses {
 			// Avoid proxy when network is not tcp.
-			if networkType := networkTypeFromAddr(targetAddr); networkType != "tcp" {
+			if skipProxy(targetAddr) {
 				addrs = append(addrs, targetAddr)
 				continue
 			}
@@ -340,9 +354,10 @@ func (r *delegatingResolver) updateTargetResolverState(state resolver.State) err
 		logger.Infof("Addresses received from target resolver: %v", state.Addresses)
 	}
 	r.targetResolverState = &state
-	// If no addresses returned by resolver have network type as tcp , do not
-	// wait for proxy update.
-	if !isTCPAddressPresent(r.targetResolverState) {
+	// If all addresses returned by the target resolver have a non-TCP network
+	// type, or are listed in the `NO_PROXY` environment variable, do not wait
+	// for proxy update.
+	if !needsProxyResolver(r.targetResolverState) {
 		return r.cc.UpdateState(*r.targetResolverState)
 	}
 
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index 51da8ed5908de..2bae4db890dc6 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.72.1"
+const Version = "1.72.2"
diff --git a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
index e942bc983eedf..743bfb81d6c41 100644
--- a/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
+++ b/vendor/google.golang.org/protobuf/encoding/protowire/wire.go
@@ -371,7 +371,31 @@ func ConsumeVarint(b []byte) (v uint64, n int) {
 func SizeVarint(v uint64) int {
 	// This computes 1 + (bits.Len64(v)-1)/7.
 	// 9/64 is a good enough approximation of 1/7
-	return int(9*uint32(bits.Len64(v))+64) / 64
+	//
+	// The Go compiler can translate the bits.LeadingZeros64 call into the LZCNT
+	// instruction, which is very fast on CPUs from the last few years. The
+	// specific way of expressing the calculation matches C++ Protobuf, see
+	// https://godbolt.org/z/4P3h53oM4 for the C++ code and how gcc/clang
+	// optimize that function for GOAMD64=v1 and GOAMD64=v3 (-march=haswell).
+
+	// By OR'ing v with 1, we guarantee that v is never 0, without changing the
+	// result of SizeVarint. LZCNT is not defined for 0, meaning the compiler
+	// needs to add extra instructions to handle that case.
+	//
+	// The Go compiler currently (go1.24.4) does not make use of this knowledge.
+	// This opportunity (removing the XOR instruction, which handles the 0 case)
+	// results in a small (1%) performance win across CPU architectures.
+	//
+	// Independently of avoiding the 0 case, we need the v |= 1 line because
+	// it allows the Go compiler to eliminate an extra XCHGL barrier.
+	v |= 1
+
+	// It would be clearer to write log2value := 63 - uint32(...), but
+	// writing uint32(...) ^ 63 is much more efficient (-14% ARM, -20% Intel).
+	// Proof of identity for our value range [0..63]:
+	// https://go.dev/play/p/Pdn9hEWYakX
+	log2value := uint32(bits.LeadingZeros64(v)) ^ 63
+	return int((log2value*9 + (64 + 9)) / 64)
 }
 
 // AppendFixed32 appends v to b as a little-endian uint32.
diff --git a/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb b/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb
index 5a57ef6f3c80a..04696351eeeef 100644
Binary files a/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb and b/vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb differ
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
index 10132c9b38479..a0aad2777f3f9 100644
--- a/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/editions.go
@@ -69,6 +69,12 @@ func unmarshalFeatureSet(b []byte, parent EditionFeatures) EditionFeatures {
 				parent.IsDelimitedEncoded = v == genid.FeatureSet_DELIMITED_enum_value
 			case genid.FeatureSet_JsonFormat_field_number:
 				parent.IsJSONCompliant = v == genid.FeatureSet_ALLOW_enum_value
+			case genid.FeatureSet_EnforceNamingStyle_field_number:
+				// EnforceNamingStyle is enforced in protoc, languages other than C++
+				// are not supposed to do anything with this feature.
+			case genid.FeatureSet_DefaultSymbolVisibility_field_number:
+				// DefaultSymbolVisibility is enforced in protoc, runtimes should not
+				// inspect this value.
 			default:
 				panic(fmt.Sprintf("unkown field number %d while unmarshalling FeatureSet", num))
 			}
diff --git a/vendor/google.golang.org/protobuf/internal/filedesc/presence.go b/vendor/google.golang.org/protobuf/internal/filedesc/presence.go
new file mode 100644
index 0000000000000..a12ec9791cbb8
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/internal/filedesc/presence.go
@@ -0,0 +1,33 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package filedesc
+
+import "google.golang.org/protobuf/reflect/protoreflect"
+
+// UsePresenceForField reports whether the presence bitmap should be used for
+// the specified field.
+func UsePresenceForField(fd protoreflect.FieldDescriptor) (usePresence, canBeLazy bool) {
+	switch {
+	case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
+		// Oneof fields never use the presence bitmap.
+		//
+		// Synthetic oneofs are an exception: Those are used to implement proto3
+		// optional fields and hence should follow non-oneof field semantics.
+		return false, false
+
+	case fd.IsMap():
+		// Map-typed fields never use the presence bitmap.
+		return false, false
+
+	case fd.Kind() == protoreflect.MessageKind || fd.Kind() == protoreflect.GroupKind:
+		// Lazy fields always use the presence bitmap (only messages can be lazy).
+		isLazy := fd.(interface{ IsLazy() bool }).IsLazy()
+		return isLazy, isLazy
+
+	default:
+		// If the field has presence, use the presence bitmap.
+		return fd.HasPresence(), false
+	}
+}
diff --git a/vendor/google.golang.org/protobuf/internal/genid/api_gen.go b/vendor/google.golang.org/protobuf/internal/genid/api_gen.go
index df8f9185013d1..3ceb6fa7f5e54 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/api_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/api_gen.go
@@ -27,6 +27,7 @@ const (
 	Api_SourceContext_field_name protoreflect.Name = "source_context"
 	Api_Mixins_field_name        protoreflect.Name = "mixins"
 	Api_Syntax_field_name        protoreflect.Name = "syntax"
+	Api_Edition_field_name       protoreflect.Name = "edition"
 
 	Api_Name_field_fullname          protoreflect.FullName = "google.protobuf.Api.name"
 	Api_Methods_field_fullname       protoreflect.FullName = "google.protobuf.Api.methods"
@@ -35,6 +36,7 @@ const (
 	Api_SourceContext_field_fullname protoreflect.FullName = "google.protobuf.Api.source_context"
 	Api_Mixins_field_fullname        protoreflect.FullName = "google.protobuf.Api.mixins"
 	Api_Syntax_field_fullname        protoreflect.FullName = "google.protobuf.Api.syntax"
+	Api_Edition_field_fullname       protoreflect.FullName = "google.protobuf.Api.edition"
 )
 
 // Field numbers for google.protobuf.Api.
@@ -46,6 +48,7 @@ const (
 	Api_SourceContext_field_number protoreflect.FieldNumber = 5
 	Api_Mixins_field_number        protoreflect.FieldNumber = 6
 	Api_Syntax_field_number        protoreflect.FieldNumber = 7
+	Api_Edition_field_number       protoreflect.FieldNumber = 8
 )
 
 // Names for google.protobuf.Method.
@@ -63,6 +66,7 @@ const (
 	Method_ResponseStreaming_field_name protoreflect.Name = "response_streaming"
 	Method_Options_field_name           protoreflect.Name = "options"
 	Method_Syntax_field_name            protoreflect.Name = "syntax"
+	Method_Edition_field_name           protoreflect.Name = "edition"
 
 	Method_Name_field_fullname              protoreflect.FullName = "google.protobuf.Method.name"
 	Method_RequestTypeUrl_field_fullname    protoreflect.FullName = "google.protobuf.Method.request_type_url"
@@ -71,6 +75,7 @@ const (
 	Method_ResponseStreaming_field_fullname protoreflect.FullName = "google.protobuf.Method.response_streaming"
 	Method_Options_field_fullname           protoreflect.FullName = "google.protobuf.Method.options"
 	Method_Syntax_field_fullname            protoreflect.FullName = "google.protobuf.Method.syntax"
+	Method_Edition_field_fullname           protoreflect.FullName = "google.protobuf.Method.edition"
 )
 
 // Field numbers for google.protobuf.Method.
@@ -82,6 +87,7 @@ const (
 	Method_ResponseStreaming_field_number protoreflect.FieldNumber = 5
 	Method_Options_field_number           protoreflect.FieldNumber = 6
 	Method_Syntax_field_number            protoreflect.FieldNumber = 7
+	Method_Edition_field_number           protoreflect.FieldNumber = 8
 )
 
 // Names for google.protobuf.Mixin.
diff --git a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
index f30ab6b586fe3..950a6a325a477 100644
--- a/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
+++ b/vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go
@@ -34,6 +34,19 @@ const (
 	Edition_EDITION_MAX_enum_value             = 2147483647
 )
 
+// Full and short names for google.protobuf.SymbolVisibility.
+const (
+	SymbolVisibility_enum_fullname = "google.protobuf.SymbolVisibility"
+	SymbolVisibility_enum_name     = "SymbolVisibility"
+)
+
+// Enum values for google.protobuf.SymbolVisibility.
+const (
+	SymbolVisibility_VISIBILITY_UNSET_enum_value  = 0
+	SymbolVisibility_VISIBILITY_LOCAL_enum_value  = 1
+	SymbolVisibility_VISIBILITY_EXPORT_enum_value = 2
+)
+
 // Names for google.protobuf.FileDescriptorSet.
 const (
 	FileDescriptorSet_message_name     protoreflect.Name     = "FileDescriptorSet"
@@ -65,6 +78,7 @@ const (
 	FileDescriptorProto_Dependency_field_name       protoreflect.Name = "dependency"
 	FileDescriptorProto_PublicDependency_field_name protoreflect.Name = "public_dependency"
 	FileDescriptorProto_WeakDependency_field_name   protoreflect.Name = "weak_dependency"
+	FileDescriptorProto_OptionDependency_field_name protoreflect.Name = "option_dependency"
 	FileDescriptorProto_MessageType_field_name      protoreflect.Name = "message_type"
 	FileDescriptorProto_EnumType_field_name         protoreflect.Name = "enum_type"
 	FileDescriptorProto_Service_field_name          protoreflect.Name = "service"
@@ -79,6 +93,7 @@ const (
 	FileDescriptorProto_Dependency_field_fullname       protoreflect.FullName = "google.protobuf.FileDescriptorProto.dependency"
 	FileDescriptorProto_PublicDependency_field_fullname protoreflect.FullName = "google.protobuf.FileDescriptorProto.public_dependency"
 	FileDescriptorProto_WeakDependency_field_fullname   protoreflect.FullName = "google.protobuf.FileDescriptorProto.weak_dependency"
+	FileDescriptorProto_OptionDependency_field_fullname protoreflect.FullName = "google.protobuf.FileDescriptorProto.option_dependency"
 	FileDescriptorProto_MessageType_field_fullname      protoreflect.FullName = "google.protobuf.FileDescriptorProto.message_type"
 	FileDescriptorProto_EnumType_field_fullname         protoreflect.FullName = "google.protobuf.FileDescriptorProto.enum_type"
 	FileDescriptorProto_Service_field_fullname          protoreflect.FullName = "google.protobuf.FileDescriptorProto.service"
@@ -96,6 +111,7 @@ const (
 	FileDescriptorProto_Dependency_field_number       protoreflect.FieldNumber = 3
 	FileDescriptorProto_PublicDependency_field_number protoreflect.FieldNumber = 10
 	FileDescriptorProto_WeakDependency_field_number   protoreflect.FieldNumber = 11
+	FileDescriptorProto_OptionDependency_field_number protoreflect.FieldNumber = 15
 	FileDescriptorProto_MessageType_field_number      protoreflect.FieldNumber = 4
 	FileDescriptorProto_EnumType_field_number         protoreflect.FieldNumber = 5
 	FileDescriptorProto_Service_field_number          protoreflect.FieldNumber = 6
@@ -124,6 +140,7 @@ const (
 	DescriptorProto_Options_field_name        protoreflect.Name = "options"
 	DescriptorProto_ReservedRange_field_name  protoreflect.Name = "reserved_range"
 	DescriptorProto_ReservedName_field_name   protoreflect.Name = "reserved_name"
+	DescriptorProto_Visibility_field_name     protoreflect.Name = "visibility"
 
 	DescriptorProto_Name_field_fullname           protoreflect.FullName = "google.protobuf.DescriptorProto.name"
 	DescriptorProto_Field_field_fullname          protoreflect.FullName = "google.protobuf.DescriptorProto.field"
@@ -135,6 +152,7 @@ const (
 	DescriptorProto_Options_field_fullname        protoreflect.FullName = "google.protobuf.DescriptorProto.options"
 	DescriptorProto_ReservedRange_field_fullname  protoreflect.FullName = "google.protobuf.DescriptorProto.reserved_range"
 	DescriptorProto_ReservedName_field_fullname   protoreflect.FullName = "google.protobuf.DescriptorProto.reserved_name"
+	DescriptorProto_Visibility_field_fullname     protoreflect.FullName = "google.protobuf.DescriptorProto.visibility"
 )
 
 // Field numbers for google.protobuf.DescriptorProto.
@@ -149,6 +167,7 @@ const (
 	DescriptorProto_Options_field_number        protoreflect.FieldNumber = 7
 	DescriptorProto_ReservedRange_field_number  protoreflect.FieldNumber = 9
 	DescriptorProto_ReservedName_field_number   protoreflect.FieldNumber = 10
+	DescriptorProto_Visibility_field_number     protoreflect.FieldNumber = 11
 )
 
 // Names for google.protobuf.DescriptorProto.ExtensionRange.
@@ -388,12 +407,14 @@ const (
 	EnumDescriptorProto_Options_field_name       protoreflect.Name = "options"
 	EnumDescriptorProto_ReservedRange_field_name protoreflect.Name = "reserved_range"
 	EnumDescriptorProto_ReservedName_field_name  protoreflect.Name = "reserved_name"
+	EnumDescriptorProto_Visibility_field_name    protoreflect.Name = "visibility"
 
 	EnumDescriptorProto_Name_field_fullname          protoreflect.FullName = "google.protobuf.EnumDescriptorProto.name"
 	EnumDescriptorProto_Value_field_fullname         protoreflect.FullName = "google.protobuf.EnumDescriptorProto.value"
 	EnumDescriptorProto_Options_field_fullname       protoreflect.FullName = "google.protobuf.EnumDescriptorProto.options"
 	EnumDescriptorProto_ReservedRange_field_fullname protoreflect.FullName = "google.protobuf.EnumDescriptorProto.reserved_range"
 	EnumDescriptorProto_ReservedName_field_fullname  protoreflect.FullName = "google.protobuf.EnumDescriptorProto.reserved_name"
+	EnumDescriptorProto_Visibility_field_fullname    protoreflect.FullName = "google.protobuf.EnumDescriptorProto.visibility"
 )
 
 // Field numbers for google.protobuf.EnumDescriptorProto.
@@ -403,6 +424,7 @@ const (
 	EnumDescriptorProto_Options_field_number       protoreflect.FieldNumber = 3
 	EnumDescriptorProto_ReservedRange_field_number protoreflect.FieldNumber = 4
 	EnumDescriptorProto_ReservedName_field_number  protoreflect.FieldNumber = 5
+	EnumDescriptorProto_Visibility_field_number    protoreflect.FieldNumber = 6
 )
 
 // Names for google.protobuf.EnumDescriptorProto.EnumReservedRange.
@@ -1008,29 +1030,35 @@ const (
 
 // Field names for google.protobuf.FeatureSet.
 const (
-	FeatureSet_FieldPresence_field_name         protoreflect.Name = "field_presence"
-	FeatureSet_EnumType_field_name              protoreflect.Name = "enum_type"
-	FeatureSet_RepeatedFieldEncoding_field_name protoreflect.Name = "repeated_field_encoding"
-	FeatureSet_Utf8Validation_field_name        protoreflect.Name = "utf8_validation"
-	FeatureSet_MessageEncoding_field_name       protoreflect.Name = "message_encoding"
-	FeatureSet_JsonFormat_field_name            protoreflect.Name = "json_format"
-
-	FeatureSet_FieldPresence_field_fullname         protoreflect.FullName = "google.protobuf.FeatureSet.field_presence"
-	FeatureSet_EnumType_field_fullname              protoreflect.FullName = "google.protobuf.FeatureSet.enum_type"
-	FeatureSet_RepeatedFieldEncoding_field_fullname protoreflect.FullName = "google.protobuf.FeatureSet.repeated_field_encoding"
-	FeatureSet_Utf8Validation_field_fullname        protoreflect.FullName = "google.protobuf.FeatureSet.utf8_validation"
-	FeatureSet_MessageEncoding_field_fullname       protoreflect.FullName = "google.protobuf.FeatureSet.message_encoding"
-	FeatureSet_JsonFormat_field_fullname            protoreflect.FullName = "google.protobuf.FeatureSet.json_format"
+	FeatureSet_FieldPresence_field_name           protoreflect.Name = "field_presence"
+	FeatureSet_EnumType_field_name                protoreflect.Name = "enum_type"
+	FeatureSet_RepeatedFieldEncoding_field_name   protoreflect.Name = "repeated_field_encoding"
+	FeatureSet_Utf8Validation_field_name          protoreflect.Name = "utf8_validation"
+	FeatureSet_MessageEncoding_field_name         protoreflect.Name = "message_encoding"
+	FeatureSet_JsonFormat_field_name              protoreflect.Name = "json_format"
+	FeatureSet_EnforceNamingStyle_field_name      protoreflect.Name = "enforce_naming_style"
+	FeatureSet_DefaultSymbolVisibility_field_name protoreflect.Name = "default_symbol_visibility"
+
+	FeatureSet_FieldPresence_field_fullname           protoreflect.FullName = "google.protobuf.FeatureSet.field_presence"
+	FeatureSet_EnumType_field_fullname                protoreflect.FullName = "google.protobuf.FeatureSet.enum_type"
+	FeatureSet_RepeatedFieldEncoding_field_fullname   protoreflect.FullName = "google.protobuf.FeatureSet.repeated_field_encoding"
+	FeatureSet_Utf8Validation_field_fullname          protoreflect.FullName = "google.protobuf.FeatureSet.utf8_validation"
+	FeatureSet_MessageEncoding_field_fullname         protoreflect.FullName = "google.protobuf.FeatureSet.message_encoding"
+	FeatureSet_JsonFormat_field_fullname              protoreflect.FullName = "google.protobuf.FeatureSet.json_format"
+	FeatureSet_EnforceNamingStyle_field_fullname      protoreflect.FullName = "google.protobuf.FeatureSet.enforce_naming_style"
+	FeatureSet_DefaultSymbolVisibility_field_fullname protoreflect.FullName = "google.protobuf.FeatureSet.default_symbol_visibility"
 )
 
 // Field numbers for google.protobuf.FeatureSet.
 const (
-	FeatureSet_FieldPresence_field_number         protoreflect.FieldNumber = 1
-	FeatureSet_EnumType_field_number              protoreflect.FieldNumber = 2
-	FeatureSet_RepeatedFieldEncoding_field_number protoreflect.FieldNumber = 3
-	FeatureSet_Utf8Validation_field_number        protoreflect.FieldNumber = 4
-	FeatureSet_MessageEncoding_field_number       protoreflect.FieldNumber = 5
-	FeatureSet_JsonFormat_field_number            protoreflect.FieldNumber = 6
+	FeatureSet_FieldPresence_field_number           protoreflect.FieldNumber = 1
+	FeatureSet_EnumType_field_number                protoreflect.FieldNumber = 2
+	FeatureSet_RepeatedFieldEncoding_field_number   protoreflect.FieldNumber = 3
+	FeatureSet_Utf8Validation_field_number          protoreflect.FieldNumber = 4
+	FeatureSet_MessageEncoding_field_number         protoreflect.FieldNumber = 5
+	FeatureSet_JsonFormat_field_number              protoreflect.FieldNumber = 6
+	FeatureSet_EnforceNamingStyle_field_number      protoreflect.FieldNumber = 7
+	FeatureSet_DefaultSymbolVisibility_field_number protoreflect.FieldNumber = 8
 )
 
 // Full and short names for google.protobuf.FeatureSet.FieldPresence.
@@ -1112,6 +1140,40 @@ const (
 	FeatureSet_LEGACY_BEST_EFFORT_enum_value  = 2
 )
 
+// Full and short names for google.protobuf.FeatureSet.EnforceNamingStyle.
+const (
+	FeatureSet_EnforceNamingStyle_enum_fullname = "google.protobuf.FeatureSet.EnforceNamingStyle"
+	FeatureSet_EnforceNamingStyle_enum_name     = "EnforceNamingStyle"
+)
+
+// Enum values for google.protobuf.FeatureSet.EnforceNamingStyle.
+const (
+	FeatureSet_ENFORCE_NAMING_STYLE_UNKNOWN_enum_value = 0
+	FeatureSet_STYLE2024_enum_value                    = 1
+	FeatureSet_STYLE_LEGACY_enum_value                 = 2
+)
+
+// Names for google.protobuf.FeatureSet.VisibilityFeature.
+const (
+	FeatureSet_VisibilityFeature_message_name     protoreflect.Name     = "VisibilityFeature"
+	FeatureSet_VisibilityFeature_message_fullname protoreflect.FullName = "google.protobuf.FeatureSet.VisibilityFeature"
+)
+
+// Full and short names for google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility.
+const (
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_enum_fullname = "google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility"
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_enum_name     = "DefaultSymbolVisibility"
+)
+
+// Enum values for google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility.
+const (
+	FeatureSet_VisibilityFeature_DEFAULT_SYMBOL_VISIBILITY_UNKNOWN_enum_value = 0
+	FeatureSet_VisibilityFeature_EXPORT_ALL_enum_value                        = 1
+	FeatureSet_VisibilityFeature_EXPORT_TOP_LEVEL_enum_value                  = 2
+	FeatureSet_VisibilityFeature_LOCAL_ALL_enum_value                         = 3
+	FeatureSet_VisibilityFeature_STRICT_enum_value                            = 4
+)
+
 // Names for google.protobuf.FeatureSetDefaults.
 const (
 	FeatureSetDefaults_message_name     protoreflect.Name     = "FeatureSetDefaults"
diff --git a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
index 41c1f74ef81e9..bdad12a9bbc24 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go
@@ -11,6 +11,7 @@ import (
 
 	"google.golang.org/protobuf/encoding/protowire"
 	"google.golang.org/protobuf/internal/encoding/messageset"
+	"google.golang.org/protobuf/internal/filedesc"
 	"google.golang.org/protobuf/internal/order"
 	"google.golang.org/protobuf/reflect/protoreflect"
 	piface "google.golang.org/protobuf/runtime/protoiface"
@@ -80,7 +81,7 @@ func (mi *MessageInfo) makeOpaqueCoderMethods(t reflect.Type, si opaqueStructInf
 		// permit us to skip over definitely-unset fields at marshal time.
 
 		var hasPresence bool
-		hasPresence, cf.isLazy = usePresenceForField(si, fd)
+		hasPresence, cf.isLazy = filedesc.UsePresenceForField(fd)
 
 		if hasPresence {
 			cf.presenceIndex, mi.presenceSize = presenceIndex(mi.Desc, fd)
diff --git a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
index dd55e8e009c22..5a439daacb745 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/message_opaque.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"sync/atomic"
 
+	"google.golang.org/protobuf/internal/filedesc"
 	"google.golang.org/protobuf/reflect/protoreflect"
 )
 
@@ -53,7 +54,7 @@ func opaqueInitHook(mi *MessageInfo) bool {
 		fd := fds.Get(i)
 		fs := si.fieldsByNumber[fd.Number()]
 		var fi fieldInfo
-		usePresence, _ := usePresenceForField(si, fd)
+		usePresence, _ := filedesc.UsePresenceForField(fd)
 
 		switch {
 		case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
@@ -343,17 +344,15 @@ func (mi *MessageInfo) fieldInfoForMessageListOpaqueNoPresence(si opaqueStructIn
 			if p.IsNil() {
 				return false
 			}
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if sp.IsNil() {
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if rv.IsNil() {
 				return false
 			}
-			rv := sp.AsValueOf(fs.Type.Elem())
 			return rv.Elem().Len() > 0
 		},
 		clear: func(p pointer) {
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if !sp.IsNil() {
-				rv := sp.AsValueOf(fs.Type.Elem())
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if !rv.IsNil() {
 				rv.Elem().Set(reflect.Zero(rv.Type().Elem()))
 			}
 		},
@@ -361,11 +360,10 @@ func (mi *MessageInfo) fieldInfoForMessageListOpaqueNoPresence(si opaqueStructIn
 			if p.IsNil() {
 				return conv.Zero()
 			}
-			sp := p.Apply(fieldOffset).AtomicGetPointer()
-			if sp.IsNil() {
+			rv := p.Apply(fieldOffset).AsValueOf(fs.Type).Elem()
+			if rv.IsNil() {
 				return conv.Zero()
 			}
-			rv := sp.AsValueOf(fs.Type.Elem())
 			if rv.Elem().Len() == 0 {
 				return conv.Zero()
 			}
@@ -598,30 +596,3 @@ func (mi *MessageInfo) clearPresent(p pointer, index uint32) {
 func (mi *MessageInfo) present(p pointer, index uint32) bool {
 	return p.Apply(mi.presenceOffset).PresenceInfo().Present(index)
 }
-
-// usePresenceForField implements the somewhat intricate logic of when
-// the presence bitmap is used for a field.  The main logic is that a
-// field that is optional or that can be lazy will use the presence
-// bit, but for proto2, also maps have a presence bit. It also records
-// if the field can ever be lazy, which is true if we have a
-// lazyOffset and the field is a message or a slice of messages. A
-// field that is lazy will always need a presence bit.  Oneofs are not
-// lazy and do not use presence, unless they are a synthetic oneof,
-// which is a proto3 optional field. For proto3 optionals, we use the
-// presence and they can also be lazy when applicable (a message).
-func usePresenceForField(si opaqueStructInfo, fd protoreflect.FieldDescriptor) (usePresence, canBeLazy bool) {
-	hasLazyField := fd.(interface{ IsLazy() bool }).IsLazy()
-
-	// Non-oneof scalar fields with explicit field presence use the presence array.
-	usesPresenceArray := fd.HasPresence() && fd.Message() == nil && (fd.ContainingOneof() == nil || fd.ContainingOneof().IsSynthetic())
-	switch {
-	case fd.ContainingOneof() != nil && !fd.ContainingOneof().IsSynthetic():
-		return false, false
-	case fd.IsMap():
-		return false, false
-	case fd.Kind() == protoreflect.MessageKind || fd.Kind() == protoreflect.GroupKind:
-		return hasLazyField, hasLazyField
-	default:
-		return usesPresenceArray || (hasLazyField && fd.HasPresence()), false
-	}
-}
diff --git a/vendor/google.golang.org/protobuf/internal/impl/presence.go b/vendor/google.golang.org/protobuf/internal/impl/presence.go
index 914cb1deda22a..443afe81cdab1 100644
--- a/vendor/google.golang.org/protobuf/internal/impl/presence.go
+++ b/vendor/google.golang.org/protobuf/internal/impl/presence.go
@@ -32,9 +32,6 @@ func (p presence) toElem(num uint32) (ret *uint32) {
 
 // Present checks for the presence of a specific field number in a presence set.
 func (p presence) Present(num uint32) bool {
-	if p.P == nil {
-		return false
-	}
 	return Export{}.Present(p.toElem(num), num)
 }
 
diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go
new file mode 100644
index 0000000000000..42dd6f70c6f9d
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go
@@ -0,0 +1,71 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package strs
+
+import (
+	"unsafe"
+
+	"google.golang.org/protobuf/reflect/protoreflect"
+)
+
+// UnsafeString returns an unsafe string reference of b.
+// The caller must treat the input slice as immutable.
+//
+// WARNING: Use carefully. The returned result must not leak to the end user
+// unless the input slice is provably immutable.
+func UnsafeString(b []byte) string {
+	return unsafe.String(unsafe.SliceData(b), len(b))
+}
+
+// UnsafeBytes returns an unsafe bytes slice reference of s.
+// The caller must treat returned slice as immutable.
+//
+// WARNING: Use carefully. The returned result must not leak to the end user.
+func UnsafeBytes(s string) []byte {
+	return unsafe.Slice(unsafe.StringData(s), len(s))
+}
+
+// Builder builds a set of strings with shared lifetime.
+// This differs from strings.Builder, which is for building a single string.
+type Builder struct {
+	buf []byte
+}
+
+// AppendFullName is equivalent to protoreflect.FullName.Append,
+// but optimized for large batches where each name has a shared lifetime.
+func (sb *Builder) AppendFullName(prefix protoreflect.FullName, name protoreflect.Name) protoreflect.FullName {
+	n := len(prefix) + len(".") + len(name)
+	if len(prefix) == 0 {
+		n -= len(".")
+	}
+	sb.grow(n)
+	sb.buf = append(sb.buf, prefix...)
+	sb.buf = append(sb.buf, '.')
+	sb.buf = append(sb.buf, name...)
+	return protoreflect.FullName(sb.last(n))
+}
+
+// MakeString is equivalent to string(b), but optimized for large batches
+// with a shared lifetime.
+func (sb *Builder) MakeString(b []byte) string {
+	sb.grow(len(b))
+	sb.buf = append(sb.buf, b...)
+	return sb.last(len(b))
+}
+
+func (sb *Builder) grow(n int) {
+	if cap(sb.buf)-len(sb.buf) >= n {
+		return
+	}
+
+	// Unlike strings.Builder, we do not need to copy over the contents
+	// of the old buffer since our builder provides no API for
+	// retrieving previously created strings.
+	sb.buf = make([]byte, 0, 2*(cap(sb.buf)+n))
+}
+
+func (sb *Builder) last(n int) string {
+	return UnsafeString(sb.buf[len(sb.buf)-n:])
+}
diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go
deleted file mode 100644
index 832a7988f145f..0000000000000
--- a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go
+++ /dev/null
@@ -1,94 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.21
-
-package strs
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/reflect/protoreflect"
-)
-
-type (
-	stringHeader struct {
-		Data unsafe.Pointer
-		Len  int
-	}
-	sliceHeader struct {
-		Data unsafe.Pointer
-		Len  int
-		Cap  int
-	}
-)
-
-// UnsafeString returns an unsafe string reference of b.
-// The caller must treat the input slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user
-// unless the input slice is provably immutable.
-func UnsafeString(b []byte) (s string) {
-	src := (*sliceHeader)(unsafe.Pointer(&b))
-	dst := (*stringHeader)(unsafe.Pointer(&s))
-	dst.Data = src.Data
-	dst.Len = src.Len
-	return s
-}
-
-// UnsafeBytes returns an unsafe bytes slice reference of s.
-// The caller must treat returned slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user.
-func UnsafeBytes(s string) (b []byte) {
-	src := (*stringHeader)(unsafe.Pointer(&s))
-	dst := (*sliceHeader)(unsafe.Pointer(&b))
-	dst.Data = src.Data
-	dst.Len = src.Len
-	dst.Cap = src.Len
-	return b
-}
-
-// Builder builds a set of strings with shared lifetime.
-// This differs from strings.Builder, which is for building a single string.
-type Builder struct {
-	buf []byte
-}
-
-// AppendFullName is equivalent to protoreflect.FullName.Append,
-// but optimized for large batches where each name has a shared lifetime.
-func (sb *Builder) AppendFullName(prefix protoreflect.FullName, name protoreflect.Name) protoreflect.FullName {
-	n := len(prefix) + len(".") + len(name)
-	if len(prefix) == 0 {
-		n -= len(".")
-	}
-	sb.grow(n)
-	sb.buf = append(sb.buf, prefix...)
-	sb.buf = append(sb.buf, '.')
-	sb.buf = append(sb.buf, name...)
-	return protoreflect.FullName(sb.last(n))
-}
-
-// MakeString is equivalent to string(b), but optimized for large batches
-// with a shared lifetime.
-func (sb *Builder) MakeString(b []byte) string {
-	sb.grow(len(b))
-	sb.buf = append(sb.buf, b...)
-	return sb.last(len(b))
-}
-
-func (sb *Builder) grow(n int) {
-	if cap(sb.buf)-len(sb.buf) >= n {
-		return
-	}
-
-	// Unlike strings.Builder, we do not need to copy over the contents
-	// of the old buffer since our builder provides no API for
-	// retrieving previously created strings.
-	sb.buf = make([]byte, 0, 2*(cap(sb.buf)+n))
-}
-
-func (sb *Builder) last(n int) string {
-	return UnsafeString(sb.buf[len(sb.buf)-n:])
-}
diff --git a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go b/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go
deleted file mode 100644
index 1ffddf6877a9a..0000000000000
--- a/vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go121.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.21
-
-package strs
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/reflect/protoreflect"
-)
-
-// UnsafeString returns an unsafe string reference of b.
-// The caller must treat the input slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user
-// unless the input slice is provably immutable.
-func UnsafeString(b []byte) string {
-	return unsafe.String(unsafe.SliceData(b), len(b))
-}
-
-// UnsafeBytes returns an unsafe bytes slice reference of s.
-// The caller must treat returned slice as immutable.
-//
-// WARNING: Use carefully. The returned result must not leak to the end user.
-func UnsafeBytes(s string) []byte {
-	return unsafe.Slice(unsafe.StringData(s), len(s))
-}
-
-// Builder builds a set of strings with shared lifetime.
-// This differs from strings.Builder, which is for building a single string.
-type Builder struct {
-	buf []byte
-}
-
-// AppendFullName is equivalent to protoreflect.FullName.Append,
-// but optimized for large batches where each name has a shared lifetime.
-func (sb *Builder) AppendFullName(prefix protoreflect.FullName, name protoreflect.Name) protoreflect.FullName {
-	n := len(prefix) + len(".") + len(name)
-	if len(prefix) == 0 {
-		n -= len(".")
-	}
-	sb.grow(n)
-	sb.buf = append(sb.buf, prefix...)
-	sb.buf = append(sb.buf, '.')
-	sb.buf = append(sb.buf, name...)
-	return protoreflect.FullName(sb.last(n))
-}
-
-// MakeString is equivalent to string(b), but optimized for large batches
-// with a shared lifetime.
-func (sb *Builder) MakeString(b []byte) string {
-	sb.grow(len(b))
-	sb.buf = append(sb.buf, b...)
-	return sb.last(len(b))
-}
-
-func (sb *Builder) grow(n int) {
-	if cap(sb.buf)-len(sb.buf) >= n {
-		return
-	}
-
-	// Unlike strings.Builder, we do not need to copy over the contents
-	// of the old buffer since our builder provides no API for
-	// retrieving previously created strings.
-	sb.buf = make([]byte, 0, 2*(cap(sb.buf)+n))
-}
-
-func (sb *Builder) last(n int) string {
-	return UnsafeString(sb.buf[len(sb.buf)-n:])
-}
diff --git a/vendor/google.golang.org/protobuf/internal/version/version.go b/vendor/google.golang.org/protobuf/internal/version/version.go
index 01efc33030dd5..697d1c14f3c81 100644
--- a/vendor/google.golang.org/protobuf/internal/version/version.go
+++ b/vendor/google.golang.org/protobuf/internal/version/version.go
@@ -52,7 +52,7 @@ import (
 const (
 	Major      = 1
 	Minor      = 36
-	Patch      = 5
+	Patch      = 8
 	PreRelease = ""
 )
 
diff --git a/vendor/google.golang.org/protobuf/proto/merge.go b/vendor/google.golang.org/protobuf/proto/merge.go
index 3c6fe57807bf0..ef55b97dded7c 100644
--- a/vendor/google.golang.org/protobuf/proto/merge.go
+++ b/vendor/google.golang.org/protobuf/proto/merge.go
@@ -59,6 +59,12 @@ func Clone(m Message) Message {
 	return dst.Interface()
 }
 
+// CloneOf returns a deep copy of m. If the top-level message is invalid,
+// it returns an invalid message as well.
+func CloneOf[M Message](m M) M {
+	return Clone(m).(M)
+}
+
 // mergeOptions provides a namespace for merge functions, and can be
 // exported in the future if we add user-visible merge options.
 type mergeOptions struct{}
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
index ea154eec44d3d..730331e666866 100644
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
+++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go
@@ -21,6 +21,8 @@ func (p *SourcePath) appendFileDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "public_dependency", nil)
 	case 11:
 		b = p.appendRepeatedField(b, "weak_dependency", nil)
+	case 15:
+		b = p.appendRepeatedField(b, "option_dependency", nil)
 	case 4:
 		b = p.appendRepeatedField(b, "message_type", (*SourcePath).appendDescriptorProto)
 	case 5:
@@ -66,6 +68,8 @@ func (p *SourcePath) appendDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "reserved_range", (*SourcePath).appendDescriptorProto_ReservedRange)
 	case 10:
 		b = p.appendRepeatedField(b, "reserved_name", nil)
+	case 11:
+		b = p.appendSingularField(b, "visibility", nil)
 	}
 	return b
 }
@@ -85,6 +89,8 @@ func (p *SourcePath) appendEnumDescriptorProto(b []byte) []byte {
 		b = p.appendRepeatedField(b, "reserved_range", (*SourcePath).appendEnumDescriptorProto_EnumReservedRange)
 	case 5:
 		b = p.appendRepeatedField(b, "reserved_name", nil)
+	case 6:
+		b = p.appendSingularField(b, "visibility", nil)
 	}
 	return b
 }
@@ -398,6 +404,10 @@ func (p *SourcePath) appendFeatureSet(b []byte) []byte {
 		b = p.appendSingularField(b, "message_encoding", nil)
 	case 6:
 		b = p.appendSingularField(b, "json_format", nil)
+	case 7:
+		b = p.appendSingularField(b, "enforce_naming_style", nil)
+	case 8:
+		b = p.appendSingularField(b, "default_symbol_visibility", nil)
 	}
 	return b
 }
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go
new file mode 100644
index 0000000000000..fe17f37220e49
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go
@@ -0,0 +1,84 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package protoreflect
+
+import (
+	"unsafe"
+
+	"google.golang.org/protobuf/internal/pragma"
+)
+
+type (
+	ifaceHeader struct {
+		_    [0]any // if interfaces have greater alignment than unsafe.Pointer, this will enforce it.
+		Type unsafe.Pointer
+		Data unsafe.Pointer
+	}
+)
+
+var (
+	nilType     = typeOf(nil)
+	boolType    = typeOf(*new(bool))
+	int32Type   = typeOf(*new(int32))
+	int64Type   = typeOf(*new(int64))
+	uint32Type  = typeOf(*new(uint32))
+	uint64Type  = typeOf(*new(uint64))
+	float32Type = typeOf(*new(float32))
+	float64Type = typeOf(*new(float64))
+	stringType  = typeOf(*new(string))
+	bytesType   = typeOf(*new([]byte))
+	enumType    = typeOf(*new(EnumNumber))
+)
+
+// typeOf returns a pointer to the Go type information.
+// The pointer is comparable and equal if and only if the types are identical.
+func typeOf(t any) unsafe.Pointer {
+	return (*ifaceHeader)(unsafe.Pointer(&t)).Type
+}
+
+// value is a union where only one type can be represented at a time.
+// The struct is 24B large on 64-bit systems and requires the minimum storage
+// necessary to represent each possible type.
+//
+// The Go GC needs to be able to scan variables containing pointers.
+// As such, pointers and non-pointers cannot be intermixed.
+type value struct {
+	pragma.DoNotCompare // 0B
+
+	// typ stores the type of the value as a pointer to the Go type.
+	typ unsafe.Pointer // 8B
+
+	// ptr stores the data pointer for a String, Bytes, or interface value.
+	ptr unsafe.Pointer // 8B
+
+	// num stores a Bool, Int32, Int64, Uint32, Uint64, Float32, Float64, or
+	// Enum value as a raw uint64.
+	//
+	// It is also used to store the length of a String or Bytes value;
+	// the capacity is ignored.
+	num uint64 // 8B
+}
+
+func valueOfString(v string) Value {
+	return Value{typ: stringType, ptr: unsafe.Pointer(unsafe.StringData(v)), num: uint64(len(v))}
+}
+func valueOfBytes(v []byte) Value {
+	return Value{typ: bytesType, ptr: unsafe.Pointer(unsafe.SliceData(v)), num: uint64(len(v))}
+}
+func valueOfIface(v any) Value {
+	p := (*ifaceHeader)(unsafe.Pointer(&v))
+	return Value{typ: p.Type, ptr: p.Data}
+}
+
+func (v Value) getString() string {
+	return unsafe.String((*byte)(v.ptr), v.num)
+}
+func (v Value) getBytes() []byte {
+	return unsafe.Slice((*byte)(v.ptr), v.num)
+}
+func (v Value) getIface() (x any) {
+	*(*ifaceHeader)(unsafe.Pointer(&x)) = ifaceHeader{Type: v.typ, Data: v.ptr}
+	return x
+}
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go
deleted file mode 100644
index 0015fcb35d832..0000000000000
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go
+++ /dev/null
@@ -1,98 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.21
-
-package protoreflect
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/internal/pragma"
-)
-
-type (
-	stringHeader struct {
-		Data unsafe.Pointer
-		Len  int
-	}
-	sliceHeader struct {
-		Data unsafe.Pointer
-		Len  int
-		Cap  int
-	}
-	ifaceHeader struct {
-		Type unsafe.Pointer
-		Data unsafe.Pointer
-	}
-)
-
-var (
-	nilType     = typeOf(nil)
-	boolType    = typeOf(*new(bool))
-	int32Type   = typeOf(*new(int32))
-	int64Type   = typeOf(*new(int64))
-	uint32Type  = typeOf(*new(uint32))
-	uint64Type  = typeOf(*new(uint64))
-	float32Type = typeOf(*new(float32))
-	float64Type = typeOf(*new(float64))
-	stringType  = typeOf(*new(string))
-	bytesType   = typeOf(*new([]byte))
-	enumType    = typeOf(*new(EnumNumber))
-)
-
-// typeOf returns a pointer to the Go type information.
-// The pointer is comparable and equal if and only if the types are identical.
-func typeOf(t any) unsafe.Pointer {
-	return (*ifaceHeader)(unsafe.Pointer(&t)).Type
-}
-
-// value is a union where only one type can be represented at a time.
-// The struct is 24B large on 64-bit systems and requires the minimum storage
-// necessary to represent each possible type.
-//
-// The Go GC needs to be able to scan variables containing pointers.
-// As such, pointers and non-pointers cannot be intermixed.
-type value struct {
-	pragma.DoNotCompare // 0B
-
-	// typ stores the type of the value as a pointer to the Go type.
-	typ unsafe.Pointer // 8B
-
-	// ptr stores the data pointer for a String, Bytes, or interface value.
-	ptr unsafe.Pointer // 8B
-
-	// num stores a Bool, Int32, Int64, Uint32, Uint64, Float32, Float64, or
-	// Enum value as a raw uint64.
-	//
-	// It is also used to store the length of a String or Bytes value;
-	// the capacity is ignored.
-	num uint64 // 8B
-}
-
-func valueOfString(v string) Value {
-	p := (*stringHeader)(unsafe.Pointer(&v))
-	return Value{typ: stringType, ptr: p.Data, num: uint64(len(v))}
-}
-func valueOfBytes(v []byte) Value {
-	p := (*sliceHeader)(unsafe.Pointer(&v))
-	return Value{typ: bytesType, ptr: p.Data, num: uint64(len(v))}
-}
-func valueOfIface(v any) Value {
-	p := (*ifaceHeader)(unsafe.Pointer(&v))
-	return Value{typ: p.Type, ptr: p.Data}
-}
-
-func (v Value) getString() (x string) {
-	*(*stringHeader)(unsafe.Pointer(&x)) = stringHeader{Data: v.ptr, Len: int(v.num)}
-	return x
-}
-func (v Value) getBytes() (x []byte) {
-	*(*sliceHeader)(unsafe.Pointer(&x)) = sliceHeader{Data: v.ptr, Len: int(v.num), Cap: int(v.num)}
-	return x
-}
-func (v Value) getIface() (x any) {
-	*(*ifaceHeader)(unsafe.Pointer(&x)) = ifaceHeader{Type: v.typ, Data: v.ptr}
-	return x
-}
diff --git a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go b/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go
deleted file mode 100644
index 479527b58dd37..0000000000000
--- a/vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go121.go
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.21
-
-package protoreflect
-
-import (
-	"unsafe"
-
-	"google.golang.org/protobuf/internal/pragma"
-)
-
-type (
-	ifaceHeader struct {
-		_    [0]any // if interfaces have greater alignment than unsafe.Pointer, this will enforce it.
-		Type unsafe.Pointer
-		Data unsafe.Pointer
-	}
-)
-
-var (
-	nilType     = typeOf(nil)
-	boolType    = typeOf(*new(bool))
-	int32Type   = typeOf(*new(int32))
-	int64Type   = typeOf(*new(int64))
-	uint32Type  = typeOf(*new(uint32))
-	uint64Type  = typeOf(*new(uint64))
-	float32Type = typeOf(*new(float32))
-	float64Type = typeOf(*new(float64))
-	stringType  = typeOf(*new(string))
-	bytesType   = typeOf(*new([]byte))
-	enumType    = typeOf(*new(EnumNumber))
-)
-
-// typeOf returns a pointer to the Go type information.
-// The pointer is comparable and equal if and only if the types are identical.
-func typeOf(t any) unsafe.Pointer {
-	return (*ifaceHeader)(unsafe.Pointer(&t)).Type
-}
-
-// value is a union where only one type can be represented at a time.
-// The struct is 24B large on 64-bit systems and requires the minimum storage
-// necessary to represent each possible type.
-//
-// The Go GC needs to be able to scan variables containing pointers.
-// As such, pointers and non-pointers cannot be intermixed.
-type value struct {
-	pragma.DoNotCompare // 0B
-
-	// typ stores the type of the value as a pointer to the Go type.
-	typ unsafe.Pointer // 8B
-
-	// ptr stores the data pointer for a String, Bytes, or interface value.
-	ptr unsafe.Pointer // 8B
-
-	// num stores a Bool, Int32, Int64, Uint32, Uint64, Float32, Float64, or
-	// Enum value as a raw uint64.
-	//
-	// It is also used to store the length of a String or Bytes value;
-	// the capacity is ignored.
-	num uint64 // 8B
-}
-
-func valueOfString(v string) Value {
-	return Value{typ: stringType, ptr: unsafe.Pointer(unsafe.StringData(v)), num: uint64(len(v))}
-}
-func valueOfBytes(v []byte) Value {
-	return Value{typ: bytesType, ptr: unsafe.Pointer(unsafe.SliceData(v)), num: uint64(len(v))}
-}
-func valueOfIface(v any) Value {
-	p := (*ifaceHeader)(unsafe.Pointer(&v))
-	return Value{typ: p.Type, ptr: p.Data}
-}
-
-func (v Value) getString() string {
-	return unsafe.String((*byte)(v.ptr), v.num)
-}
-func (v Value) getBytes() []byte {
-	return unsafe.Slice((*byte)(v.ptr), v.num)
-}
-func (v Value) getIface() (x any) {
-	*(*ifaceHeader)(unsafe.Pointer(&x)) = ifaceHeader{Type: v.typ, Data: v.ptr}
-	return x
-}
diff --git a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
index a5163376741ac..4eacb523c33a5 100644
--- a/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
+++ b/vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go
@@ -151,6 +151,70 @@ func (Edition) EnumDescriptor() ([]byte, []int) {
 	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{0}
 }
 
+// Describes the 'visibility' of a symbol with respect to the proto import
+// system. Symbols can only be imported when the visibility rules do not prevent
+// it (ex: local symbols cannot be imported).  Visibility modifiers can only set
+// on `message` and `enum` as they are the only types available to be referenced
+// from other files.
+type SymbolVisibility int32
+
+const (
+	SymbolVisibility_VISIBILITY_UNSET  SymbolVisibility = 0
+	SymbolVisibility_VISIBILITY_LOCAL  SymbolVisibility = 1
+	SymbolVisibility_VISIBILITY_EXPORT SymbolVisibility = 2
+)
+
+// Enum value maps for SymbolVisibility.
+var (
+	SymbolVisibility_name = map[int32]string{
+		0: "VISIBILITY_UNSET",
+		1: "VISIBILITY_LOCAL",
+		2: "VISIBILITY_EXPORT",
+	}
+	SymbolVisibility_value = map[string]int32{
+		"VISIBILITY_UNSET":  0,
+		"VISIBILITY_LOCAL":  1,
+		"VISIBILITY_EXPORT": 2,
+	}
+)
+
+func (x SymbolVisibility) Enum() *SymbolVisibility {
+	p := new(SymbolVisibility)
+	*p = x
+	return p
+}
+
+func (x SymbolVisibility) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (SymbolVisibility) Descriptor() protoreflect.EnumDescriptor {
+	return file_google_protobuf_descriptor_proto_enumTypes[1].Descriptor()
+}
+
+func (SymbolVisibility) Type() protoreflect.EnumType {
+	return &file_google_protobuf_descriptor_proto_enumTypes[1]
+}
+
+func (x SymbolVisibility) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Do not use.
+func (x *SymbolVisibility) UnmarshalJSON(b []byte) error {
+	num, err := protoimpl.X.UnmarshalJSONEnum(x.Descriptor(), b)
+	if err != nil {
+		return err
+	}
+	*x = SymbolVisibility(num)
+	return nil
+}
+
+// Deprecated: Use SymbolVisibility.Descriptor instead.
+func (SymbolVisibility) EnumDescriptor() ([]byte, []int) {
+	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{1}
+}
+
 // The verification state of the extension range.
 type ExtensionRangeOptions_VerificationState int32
 
@@ -183,11 +247,11 @@ func (x ExtensionRangeOptions_VerificationState) String() string {
 }
 
 func (ExtensionRangeOptions_VerificationState) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[1].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[2].Descriptor()
 }
 
 func (ExtensionRangeOptions_VerificationState) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[1]
+	return &file_google_protobuf_descriptor_proto_enumTypes[2]
 }
 
 func (x ExtensionRangeOptions_VerificationState) Number() protoreflect.EnumNumber {
@@ -299,11 +363,11 @@ func (x FieldDescriptorProto_Type) String() string {
 }
 
 func (FieldDescriptorProto_Type) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[2].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[3].Descriptor()
 }
 
 func (FieldDescriptorProto_Type) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[2]
+	return &file_google_protobuf_descriptor_proto_enumTypes[3]
 }
 
 func (x FieldDescriptorProto_Type) Number() protoreflect.EnumNumber {
@@ -362,11 +426,11 @@ func (x FieldDescriptorProto_Label) String() string {
 }
 
 func (FieldDescriptorProto_Label) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[3].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[4].Descriptor()
 }
 
 func (FieldDescriptorProto_Label) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[3]
+	return &file_google_protobuf_descriptor_proto_enumTypes[4]
 }
 
 func (x FieldDescriptorProto_Label) Number() protoreflect.EnumNumber {
@@ -423,11 +487,11 @@ func (x FileOptions_OptimizeMode) String() string {
 }
 
 func (FileOptions_OptimizeMode) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[4].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[5].Descriptor()
 }
 
 func (FileOptions_OptimizeMode) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[4]
+	return &file_google_protobuf_descriptor_proto_enumTypes[5]
 }
 
 func (x FileOptions_OptimizeMode) Number() protoreflect.EnumNumber {
@@ -489,11 +553,11 @@ func (x FieldOptions_CType) String() string {
 }
 
 func (FieldOptions_CType) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[5].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[6].Descriptor()
 }
 
 func (FieldOptions_CType) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[5]
+	return &file_google_protobuf_descriptor_proto_enumTypes[6]
 }
 
 func (x FieldOptions_CType) Number() protoreflect.EnumNumber {
@@ -551,11 +615,11 @@ func (x FieldOptions_JSType) String() string {
 }
 
 func (FieldOptions_JSType) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[6].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[7].Descriptor()
 }
 
 func (FieldOptions_JSType) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[6]
+	return &file_google_protobuf_descriptor_proto_enumTypes[7]
 }
 
 func (x FieldOptions_JSType) Number() protoreflect.EnumNumber {
@@ -611,11 +675,11 @@ func (x FieldOptions_OptionRetention) String() string {
 }
 
 func (FieldOptions_OptionRetention) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[7].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[8].Descriptor()
 }
 
 func (FieldOptions_OptionRetention) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[7]
+	return &file_google_protobuf_descriptor_proto_enumTypes[8]
 }
 
 func (x FieldOptions_OptionRetention) Number() protoreflect.EnumNumber {
@@ -694,11 +758,11 @@ func (x FieldOptions_OptionTargetType) String() string {
 }
 
 func (FieldOptions_OptionTargetType) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[8].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[9].Descriptor()
 }
 
 func (FieldOptions_OptionTargetType) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[8]
+	return &file_google_protobuf_descriptor_proto_enumTypes[9]
 }
 
 func (x FieldOptions_OptionTargetType) Number() protoreflect.EnumNumber {
@@ -756,11 +820,11 @@ func (x MethodOptions_IdempotencyLevel) String() string {
 }
 
 func (MethodOptions_IdempotencyLevel) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[9].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[10].Descriptor()
 }
 
 func (MethodOptions_IdempotencyLevel) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[9]
+	return &file_google_protobuf_descriptor_proto_enumTypes[10]
 }
 
 func (x MethodOptions_IdempotencyLevel) Number() protoreflect.EnumNumber {
@@ -818,11 +882,11 @@ func (x FeatureSet_FieldPresence) String() string {
 }
 
 func (FeatureSet_FieldPresence) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[10].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[11].Descriptor()
 }
 
 func (FeatureSet_FieldPresence) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[10]
+	return &file_google_protobuf_descriptor_proto_enumTypes[11]
 }
 
 func (x FeatureSet_FieldPresence) Number() protoreflect.EnumNumber {
@@ -877,11 +941,11 @@ func (x FeatureSet_EnumType) String() string {
 }
 
 func (FeatureSet_EnumType) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[11].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[12].Descriptor()
 }
 
 func (FeatureSet_EnumType) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[11]
+	return &file_google_protobuf_descriptor_proto_enumTypes[12]
 }
 
 func (x FeatureSet_EnumType) Number() protoreflect.EnumNumber {
@@ -936,11 +1000,11 @@ func (x FeatureSet_RepeatedFieldEncoding) String() string {
 }
 
 func (FeatureSet_RepeatedFieldEncoding) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[12].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[13].Descriptor()
 }
 
 func (FeatureSet_RepeatedFieldEncoding) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[12]
+	return &file_google_protobuf_descriptor_proto_enumTypes[13]
 }
 
 func (x FeatureSet_RepeatedFieldEncoding) Number() protoreflect.EnumNumber {
@@ -995,11 +1059,11 @@ func (x FeatureSet_Utf8Validation) String() string {
 }
 
 func (FeatureSet_Utf8Validation) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[13].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[14].Descriptor()
 }
 
 func (FeatureSet_Utf8Validation) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[13]
+	return &file_google_protobuf_descriptor_proto_enumTypes[14]
 }
 
 func (x FeatureSet_Utf8Validation) Number() protoreflect.EnumNumber {
@@ -1054,11 +1118,11 @@ func (x FeatureSet_MessageEncoding) String() string {
 }
 
 func (FeatureSet_MessageEncoding) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[14].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[15].Descriptor()
 }
 
 func (FeatureSet_MessageEncoding) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[14]
+	return &file_google_protobuf_descriptor_proto_enumTypes[15]
 }
 
 func (x FeatureSet_MessageEncoding) Number() protoreflect.EnumNumber {
@@ -1113,11 +1177,11 @@ func (x FeatureSet_JsonFormat) String() string {
 }
 
 func (FeatureSet_JsonFormat) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[15].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[16].Descriptor()
 }
 
 func (FeatureSet_JsonFormat) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[15]
+	return &file_google_protobuf_descriptor_proto_enumTypes[16]
 }
 
 func (x FeatureSet_JsonFormat) Number() protoreflect.EnumNumber {
@@ -1139,6 +1203,136 @@ func (FeatureSet_JsonFormat) EnumDescriptor() ([]byte, []int) {
 	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{19, 5}
 }
 
+type FeatureSet_EnforceNamingStyle int32
+
+const (
+	FeatureSet_ENFORCE_NAMING_STYLE_UNKNOWN FeatureSet_EnforceNamingStyle = 0
+	FeatureSet_STYLE2024                    FeatureSet_EnforceNamingStyle = 1
+	FeatureSet_STYLE_LEGACY                 FeatureSet_EnforceNamingStyle = 2
+)
+
+// Enum value maps for FeatureSet_EnforceNamingStyle.
+var (
+	FeatureSet_EnforceNamingStyle_name = map[int32]string{
+		0: "ENFORCE_NAMING_STYLE_UNKNOWN",
+		1: "STYLE2024",
+		2: "STYLE_LEGACY",
+	}
+	FeatureSet_EnforceNamingStyle_value = map[string]int32{
+		"ENFORCE_NAMING_STYLE_UNKNOWN": 0,
+		"STYLE2024":                    1,
+		"STYLE_LEGACY":                 2,
+	}
+)
+
+func (x FeatureSet_EnforceNamingStyle) Enum() *FeatureSet_EnforceNamingStyle {
+	p := new(FeatureSet_EnforceNamingStyle)
+	*p = x
+	return p
+}
+
+func (x FeatureSet_EnforceNamingStyle) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (FeatureSet_EnforceNamingStyle) Descriptor() protoreflect.EnumDescriptor {
+	return file_google_protobuf_descriptor_proto_enumTypes[17].Descriptor()
+}
+
+func (FeatureSet_EnforceNamingStyle) Type() protoreflect.EnumType {
+	return &file_google_protobuf_descriptor_proto_enumTypes[17]
+}
+
+func (x FeatureSet_EnforceNamingStyle) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Do not use.
+func (x *FeatureSet_EnforceNamingStyle) UnmarshalJSON(b []byte) error {
+	num, err := protoimpl.X.UnmarshalJSONEnum(x.Descriptor(), b)
+	if err != nil {
+		return err
+	}
+	*x = FeatureSet_EnforceNamingStyle(num)
+	return nil
+}
+
+// Deprecated: Use FeatureSet_EnforceNamingStyle.Descriptor instead.
+func (FeatureSet_EnforceNamingStyle) EnumDescriptor() ([]byte, []int) {
+	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{19, 6}
+}
+
+type FeatureSet_VisibilityFeature_DefaultSymbolVisibility int32
+
+const (
+	FeatureSet_VisibilityFeature_DEFAULT_SYMBOL_VISIBILITY_UNKNOWN FeatureSet_VisibilityFeature_DefaultSymbolVisibility = 0
+	// Default pre-EDITION_2024, all UNSET visibility are export.
+	FeatureSet_VisibilityFeature_EXPORT_ALL FeatureSet_VisibilityFeature_DefaultSymbolVisibility = 1
+	// All top-level symbols default to export, nested default to local.
+	FeatureSet_VisibilityFeature_EXPORT_TOP_LEVEL FeatureSet_VisibilityFeature_DefaultSymbolVisibility = 2
+	// All symbols default to local.
+	FeatureSet_VisibilityFeature_LOCAL_ALL FeatureSet_VisibilityFeature_DefaultSymbolVisibility = 3
+	// All symbols local by default. Nested types cannot be exported.
+	// With special case caveat for message { enum {} reserved 1 to max; }
+	// This is the recommended setting for new protos.
+	FeatureSet_VisibilityFeature_STRICT FeatureSet_VisibilityFeature_DefaultSymbolVisibility = 4
+)
+
+// Enum value maps for FeatureSet_VisibilityFeature_DefaultSymbolVisibility.
+var (
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_name = map[int32]string{
+		0: "DEFAULT_SYMBOL_VISIBILITY_UNKNOWN",
+		1: "EXPORT_ALL",
+		2: "EXPORT_TOP_LEVEL",
+		3: "LOCAL_ALL",
+		4: "STRICT",
+	}
+	FeatureSet_VisibilityFeature_DefaultSymbolVisibility_value = map[string]int32{
+		"DEFAULT_SYMBOL_VISIBILITY_UNKNOWN": 0,
+		"EXPORT_ALL":                        1,
+		"EXPORT_TOP_LEVEL":                  2,
+		"LOCAL_ALL":                         3,
+		"STRICT":                            4,
+	}
+)
+
+func (x FeatureSet_VisibilityFeature_DefaultSymbolVisibility) Enum() *FeatureSet_VisibilityFeature_DefaultSymbolVisibility {
+	p := new(FeatureSet_VisibilityFeature_DefaultSymbolVisibility)
+	*p = x
+	return p
+}
+
+func (x FeatureSet_VisibilityFeature_DefaultSymbolVisibility) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (FeatureSet_VisibilityFeature_DefaultSymbolVisibility) Descriptor() protoreflect.EnumDescriptor {
+	return file_google_protobuf_descriptor_proto_enumTypes[18].Descriptor()
+}
+
+func (FeatureSet_VisibilityFeature_DefaultSymbolVisibility) Type() protoreflect.EnumType {
+	return &file_google_protobuf_descriptor_proto_enumTypes[18]
+}
+
+func (x FeatureSet_VisibilityFeature_DefaultSymbolVisibility) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Do not use.
+func (x *FeatureSet_VisibilityFeature_DefaultSymbolVisibility) UnmarshalJSON(b []byte) error {
+	num, err := protoimpl.X.UnmarshalJSONEnum(x.Descriptor(), b)
+	if err != nil {
+		return err
+	}
+	*x = FeatureSet_VisibilityFeature_DefaultSymbolVisibility(num)
+	return nil
+}
+
+// Deprecated: Use FeatureSet_VisibilityFeature_DefaultSymbolVisibility.Descriptor instead.
+func (FeatureSet_VisibilityFeature_DefaultSymbolVisibility) EnumDescriptor() ([]byte, []int) {
+	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{19, 0, 0}
+}
+
 // Represents the identified object's effect on the element in the original
 // .proto file.
 type GeneratedCodeInfo_Annotation_Semantic int32
@@ -1177,11 +1371,11 @@ func (x GeneratedCodeInfo_Annotation_Semantic) String() string {
 }
 
 func (GeneratedCodeInfo_Annotation_Semantic) Descriptor() protoreflect.EnumDescriptor {
-	return file_google_protobuf_descriptor_proto_enumTypes[16].Descriptor()
+	return file_google_protobuf_descriptor_proto_enumTypes[19].Descriptor()
 }
 
 func (GeneratedCodeInfo_Annotation_Semantic) Type() protoreflect.EnumType {
-	return &file_google_protobuf_descriptor_proto_enumTypes[16]
+	return &file_google_protobuf_descriptor_proto_enumTypes[19]
 }
 
 func (x GeneratedCodeInfo_Annotation_Semantic) Number() protoreflect.EnumNumber {
@@ -1262,6 +1456,9 @@ type FileDescriptorProto struct {
 	// Indexes of the weak imported files in the dependency list.
 	// For Google-internal migration only. Do not use.
 	WeakDependency []int32 `protobuf:"varint,11,rep,name=weak_dependency,json=weakDependency" json:"weak_dependency,omitempty"`
+	// Names of files imported by this file purely for the purpose of providing
+	// option extensions. These are excluded from the dependency list above.
+	OptionDependency []string `protobuf:"bytes,15,rep,name=option_dependency,json=optionDependency" json:"option_dependency,omitempty"`
 	// All top-level definitions in this file.
 	MessageType []*DescriptorProto        `protobuf:"bytes,4,rep,name=message_type,json=messageType" json:"message_type,omitempty"`
 	EnumType    []*EnumDescriptorProto    `protobuf:"bytes,5,rep,name=enum_type,json=enumType" json:"enum_type,omitempty"`
@@ -1277,8 +1474,14 @@ type FileDescriptorProto struct {
 	// The supported values are "proto2", "proto3", and "editions".
 	//
 	// If `edition` is present, this value must be "editions".
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Syntax *string `protobuf:"bytes,12,opt,name=syntax" json:"syntax,omitempty"`
 	// The edition of the proto file.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Edition       *Edition `protobuf:"varint,14,opt,name=edition,enum=google.protobuf.Edition" json:"edition,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
@@ -1349,6 +1552,13 @@ func (x *FileDescriptorProto) GetWeakDependency() []int32 {
 	return nil
 }
 
+func (x *FileDescriptorProto) GetOptionDependency() []string {
+	if x != nil {
+		return x.OptionDependency
+	}
+	return nil
+}
+
 func (x *FileDescriptorProto) GetMessageType() []*DescriptorProto {
 	if x != nil {
 		return x.MessageType
@@ -1419,7 +1629,9 @@ type DescriptorProto struct {
 	ReservedRange  []*DescriptorProto_ReservedRange  `protobuf:"bytes,9,rep,name=reserved_range,json=reservedRange" json:"reserved_range,omitempty"`
 	// Reserved field names, which may not be used by fields in the same message.
 	// A given name may only be reserved once.
-	ReservedName  []string `protobuf:"bytes,10,rep,name=reserved_name,json=reservedName" json:"reserved_name,omitempty"`
+	ReservedName []string `protobuf:"bytes,10,rep,name=reserved_name,json=reservedName" json:"reserved_name,omitempty"`
+	// Support for `export` and `local` keywords on enums.
+	Visibility    *SymbolVisibility `protobuf:"varint,11,opt,name=visibility,enum=google.protobuf.SymbolVisibility" json:"visibility,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1524,6 +1736,13 @@ func (x *DescriptorProto) GetReservedName() []string {
 	return nil
 }
 
+func (x *DescriptorProto) GetVisibility() SymbolVisibility {
+	if x != nil && x.Visibility != nil {
+		return *x.Visibility
+	}
+	return SymbolVisibility_VISIBILITY_UNSET
+}
+
 type ExtensionRangeOptions struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The parser stores options it doesn't recognize here. See above.
@@ -1836,7 +2055,9 @@ type EnumDescriptorProto struct {
 	ReservedRange []*EnumDescriptorProto_EnumReservedRange `protobuf:"bytes,4,rep,name=reserved_range,json=reservedRange" json:"reserved_range,omitempty"`
 	// Reserved enum value names, which may not be reused. A given name may only
 	// be reserved once.
-	ReservedName  []string `protobuf:"bytes,5,rep,name=reserved_name,json=reservedName" json:"reserved_name,omitempty"`
+	ReservedName []string `protobuf:"bytes,5,rep,name=reserved_name,json=reservedName" json:"reserved_name,omitempty"`
+	// Support for `export` and `local` keywords on enums.
+	Visibility    *SymbolVisibility `protobuf:"varint,6,opt,name=visibility,enum=google.protobuf.SymbolVisibility" json:"visibility,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -1906,6 +2127,13 @@ func (x *EnumDescriptorProto) GetReservedName() []string {
 	return nil
 }
 
+func (x *EnumDescriptorProto) GetVisibility() SymbolVisibility {
+	if x != nil && x.Visibility != nil {
+		return *x.Visibility
+	}
+	return SymbolVisibility_VISIBILITY_UNSET
+}
+
 // Describes a value within an enum.
 type EnumValueDescriptorProto struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -2212,6 +2440,9 @@ type FileOptions struct {
 	// determining the ruby package.
 	RubyPackage *string `protobuf:"bytes,45,opt,name=ruby_package,json=rubyPackage" json:"ruby_package,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,50,opt,name=features" json:"features,omitempty"`
 	// The parser stores options it doesn't recognize here.
 	// See the documentation for the "Options" section above.
@@ -2482,6 +2713,9 @@ type MessageOptions struct {
 	// Deprecated: Marked as deprecated in google/protobuf/descriptor.proto.
 	DeprecatedLegacyJsonFieldConflicts *bool `protobuf:"varint,11,opt,name=deprecated_legacy_json_field_conflicts,json=deprecatedLegacyJsonFieldConflicts" json:"deprecated_legacy_json_field_conflicts,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,12,opt,name=features" json:"features,omitempty"`
 	// The parser stores options it doesn't recognize here. See above.
 	UninterpretedOption []*UninterpretedOption `protobuf:"bytes,999,rep,name=uninterpreted_option,json=uninterpretedOption" json:"uninterpreted_option,omitempty"`
@@ -2639,7 +2873,10 @@ type FieldOptions struct {
 	// for accessors, or it will be completely ignored; in the very least, this
 	// is a formalization for deprecating fields.
 	Deprecated *bool `protobuf:"varint,3,opt,name=deprecated,def=0" json:"deprecated,omitempty"`
+	// DEPRECATED. DO NOT USE!
 	// For Google-internal migration only. Do not use.
+	//
+	// Deprecated: Marked as deprecated in google/protobuf/descriptor.proto.
 	Weak *bool `protobuf:"varint,10,opt,name=weak,def=0" json:"weak,omitempty"`
 	// Indicate that the field value should not be printed out when using debug
 	// formats, e.g. when the field contains sensitive credentials.
@@ -2648,6 +2885,9 @@ type FieldOptions struct {
 	Targets         []FieldOptions_OptionTargetType `protobuf:"varint,19,rep,name=targets,enum=google.protobuf.FieldOptions_OptionTargetType" json:"targets,omitempty"`
 	EditionDefaults []*FieldOptions_EditionDefault  `protobuf:"bytes,20,rep,name=edition_defaults,json=editionDefaults" json:"edition_defaults,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features       *FeatureSet                  `protobuf:"bytes,21,opt,name=features" json:"features,omitempty"`
 	FeatureSupport *FieldOptions_FeatureSupport `protobuf:"bytes,22,opt,name=feature_support,json=featureSupport" json:"feature_support,omitempty"`
 	// The parser stores options it doesn't recognize here. See above.
@@ -2740,6 +2980,7 @@ func (x *FieldOptions) GetDeprecated() bool {
 	return Default_FieldOptions_Deprecated
 }
 
+// Deprecated: Marked as deprecated in google/protobuf/descriptor.proto.
 func (x *FieldOptions) GetWeak() bool {
 	if x != nil && x.Weak != nil {
 		return *x.Weak
@@ -2799,6 +3040,9 @@ func (x *FieldOptions) GetUninterpretedOption() []*UninterpretedOption {
 type OneofOptions struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,1,opt,name=features" json:"features,omitempty"`
 	// The parser stores options it doesn't recognize here. See above.
 	UninterpretedOption []*UninterpretedOption `protobuf:"bytes,999,rep,name=uninterpreted_option,json=uninterpretedOption" json:"uninterpreted_option,omitempty"`
@@ -2871,6 +3115,9 @@ type EnumOptions struct {
 	// Deprecated: Marked as deprecated in google/protobuf/descriptor.proto.
 	DeprecatedLegacyJsonFieldConflicts *bool `protobuf:"varint,6,opt,name=deprecated_legacy_json_field_conflicts,json=deprecatedLegacyJsonFieldConflicts" json:"deprecated_legacy_json_field_conflicts,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,7,opt,name=features" json:"features,omitempty"`
 	// The parser stores options it doesn't recognize here. See above.
 	UninterpretedOption []*UninterpretedOption `protobuf:"bytes,999,rep,name=uninterpreted_option,json=uninterpretedOption" json:"uninterpreted_option,omitempty"`
@@ -2958,6 +3205,9 @@ type EnumValueOptions struct {
 	// this is a formalization for deprecating enum values.
 	Deprecated *bool `protobuf:"varint,1,opt,name=deprecated,def=0" json:"deprecated,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,2,opt,name=features" json:"features,omitempty"`
 	// Indicate that fields annotated with this enum value should not be printed
 	// out when using debug formats, e.g. when the field contains sensitive
@@ -3046,6 +3296,9 @@ func (x *EnumValueOptions) GetUninterpretedOption() []*UninterpretedOption {
 type ServiceOptions struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,34,opt,name=features" json:"features,omitempty"`
 	// Is this service deprecated?
 	// Depending on the target platform, this can emit Deprecated annotations
@@ -3124,6 +3377,9 @@ type MethodOptions struct {
 	Deprecated       *bool                           `protobuf:"varint,33,opt,name=deprecated,def=0" json:"deprecated,omitempty"`
 	IdempotencyLevel *MethodOptions_IdempotencyLevel `protobuf:"varint,34,opt,name=idempotency_level,json=idempotencyLevel,enum=google.protobuf.MethodOptions_IdempotencyLevel,def=0" json:"idempotency_level,omitempty"`
 	// Any features defined in the specific edition.
+	// WARNING: This field should only be used by protobuf plugins or special
+	// cases like the proto compiler. Other uses are discouraged and
+	// developers should rely on the protoreflect APIs for their client language.
 	Features *FeatureSet `protobuf:"bytes,35,opt,name=features" json:"features,omitempty"`
 	// The parser stores options it doesn't recognize here. See above.
 	UninterpretedOption []*UninterpretedOption `protobuf:"bytes,999,rep,name=uninterpreted_option,json=uninterpretedOption" json:"uninterpreted_option,omitempty"`
@@ -3303,16 +3559,18 @@ func (x *UninterpretedOption) GetAggregateValue() string {
 // be designed and implemented to handle this, hopefully before we ever hit a
 // conflict here.
 type FeatureSet struct {
-	state                 protoimpl.MessageState            `protogen:"open.v1"`
-	FieldPresence         *FeatureSet_FieldPresence         `protobuf:"varint,1,opt,name=field_presence,json=fieldPresence,enum=google.protobuf.FeatureSet_FieldPresence" json:"field_presence,omitempty"`
-	EnumType              *FeatureSet_EnumType              `protobuf:"varint,2,opt,name=enum_type,json=enumType,enum=google.protobuf.FeatureSet_EnumType" json:"enum_type,omitempty"`
-	RepeatedFieldEncoding *FeatureSet_RepeatedFieldEncoding `protobuf:"varint,3,opt,name=repeated_field_encoding,json=repeatedFieldEncoding,enum=google.protobuf.FeatureSet_RepeatedFieldEncoding" json:"repeated_field_encoding,omitempty"`
-	Utf8Validation        *FeatureSet_Utf8Validation        `protobuf:"varint,4,opt,name=utf8_validation,json=utf8Validation,enum=google.protobuf.FeatureSet_Utf8Validation" json:"utf8_validation,omitempty"`
-	MessageEncoding       *FeatureSet_MessageEncoding       `protobuf:"varint,5,opt,name=message_encoding,json=messageEncoding,enum=google.protobuf.FeatureSet_MessageEncoding" json:"message_encoding,omitempty"`
-	JsonFormat            *FeatureSet_JsonFormat            `protobuf:"varint,6,opt,name=json_format,json=jsonFormat,enum=google.protobuf.FeatureSet_JsonFormat" json:"json_format,omitempty"`
-	extensionFields       protoimpl.ExtensionFields
-	unknownFields         protoimpl.UnknownFields
-	sizeCache             protoimpl.SizeCache
+	state                   protoimpl.MessageState                                `protogen:"open.v1"`
+	FieldPresence           *FeatureSet_FieldPresence                             `protobuf:"varint,1,opt,name=field_presence,json=fieldPresence,enum=google.protobuf.FeatureSet_FieldPresence" json:"field_presence,omitempty"`
+	EnumType                *FeatureSet_EnumType                                  `protobuf:"varint,2,opt,name=enum_type,json=enumType,enum=google.protobuf.FeatureSet_EnumType" json:"enum_type,omitempty"`
+	RepeatedFieldEncoding   *FeatureSet_RepeatedFieldEncoding                     `protobuf:"varint,3,opt,name=repeated_field_encoding,json=repeatedFieldEncoding,enum=google.protobuf.FeatureSet_RepeatedFieldEncoding" json:"repeated_field_encoding,omitempty"`
+	Utf8Validation          *FeatureSet_Utf8Validation                            `protobuf:"varint,4,opt,name=utf8_validation,json=utf8Validation,enum=google.protobuf.FeatureSet_Utf8Validation" json:"utf8_validation,omitempty"`
+	MessageEncoding         *FeatureSet_MessageEncoding                           `protobuf:"varint,5,opt,name=message_encoding,json=messageEncoding,enum=google.protobuf.FeatureSet_MessageEncoding" json:"message_encoding,omitempty"`
+	JsonFormat              *FeatureSet_JsonFormat                                `protobuf:"varint,6,opt,name=json_format,json=jsonFormat,enum=google.protobuf.FeatureSet_JsonFormat" json:"json_format,omitempty"`
+	EnforceNamingStyle      *FeatureSet_EnforceNamingStyle                        `protobuf:"varint,7,opt,name=enforce_naming_style,json=enforceNamingStyle,enum=google.protobuf.FeatureSet_EnforceNamingStyle" json:"enforce_naming_style,omitempty"`
+	DefaultSymbolVisibility *FeatureSet_VisibilityFeature_DefaultSymbolVisibility `protobuf:"varint,8,opt,name=default_symbol_visibility,json=defaultSymbolVisibility,enum=google.protobuf.FeatureSet_VisibilityFeature_DefaultSymbolVisibility" json:"default_symbol_visibility,omitempty"`
+	extensionFields         protoimpl.ExtensionFields
+	unknownFields           protoimpl.UnknownFields
+	sizeCache               protoimpl.SizeCache
 }
 
 func (x *FeatureSet) Reset() {
@@ -3387,6 +3645,20 @@ func (x *FeatureSet) GetJsonFormat() FeatureSet_JsonFormat {
 	return FeatureSet_JSON_FORMAT_UNKNOWN
 }
 
+func (x *FeatureSet) GetEnforceNamingStyle() FeatureSet_EnforceNamingStyle {
+	if x != nil && x.EnforceNamingStyle != nil {
+		return *x.EnforceNamingStyle
+	}
+	return FeatureSet_ENFORCE_NAMING_STYLE_UNKNOWN
+}
+
+func (x *FeatureSet) GetDefaultSymbolVisibility() FeatureSet_VisibilityFeature_DefaultSymbolVisibility {
+	if x != nil && x.DefaultSymbolVisibility != nil {
+		return *x.DefaultSymbolVisibility
+	}
+	return FeatureSet_VisibilityFeature_DEFAULT_SYMBOL_VISIBILITY_UNKNOWN
+}
+
 // A compiled specification for the defaults of a set of features.  These
 // messages are generated from FeatureSet extensions and can be used to seed
 // feature resolution. The resolution with this object becomes a simple search
@@ -4047,6 +4319,42 @@ func (x *UninterpretedOption_NamePart) GetIsExtension() bool {
 	return false
 }
 
+type FeatureSet_VisibilityFeature struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *FeatureSet_VisibilityFeature) Reset() {
+	*x = FeatureSet_VisibilityFeature{}
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[30]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *FeatureSet_VisibilityFeature) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FeatureSet_VisibilityFeature) ProtoMessage() {}
+
+func (x *FeatureSet_VisibilityFeature) ProtoReflect() protoreflect.Message {
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[30]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FeatureSet_VisibilityFeature.ProtoReflect.Descriptor instead.
+func (*FeatureSet_VisibilityFeature) Descriptor() ([]byte, []int) {
+	return file_google_protobuf_descriptor_proto_rawDescGZIP(), []int{19, 0}
+}
+
 // A map from every known edition with a unique set of defaults to its
 // defaults. Not all editions may be contained here.  For a given edition,
 // the defaults at the closest matching edition ordered at or before it should
@@ -4064,7 +4372,7 @@ type FeatureSetDefaults_FeatureSetEditionDefault struct {
 
 func (x *FeatureSetDefaults_FeatureSetEditionDefault) Reset() {
 	*x = FeatureSetDefaults_FeatureSetEditionDefault{}
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[30]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[31]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -4076,7 +4384,7 @@ func (x *FeatureSetDefaults_FeatureSetEditionDefault) String() string {
 func (*FeatureSetDefaults_FeatureSetEditionDefault) ProtoMessage() {}
 
 func (x *FeatureSetDefaults_FeatureSetEditionDefault) ProtoReflect() protoreflect.Message {
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[30]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[31]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -4212,7 +4520,7 @@ type SourceCodeInfo_Location struct {
 
 func (x *SourceCodeInfo_Location) Reset() {
 	*x = SourceCodeInfo_Location{}
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[31]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[32]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -4224,7 +4532,7 @@ func (x *SourceCodeInfo_Location) String() string {
 func (*SourceCodeInfo_Location) ProtoMessage() {}
 
 func (x *SourceCodeInfo_Location) ProtoReflect() protoreflect.Message {
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[31]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[32]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -4296,7 +4604,7 @@ type GeneratedCodeInfo_Annotation struct {
 
 func (x *GeneratedCodeInfo_Annotation) Reset() {
 	*x = GeneratedCodeInfo_Annotation{}
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[32]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[33]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -4308,7 +4616,7 @@ func (x *GeneratedCodeInfo_Annotation) String() string {
 func (*GeneratedCodeInfo_Annotation) ProtoMessage() {}
 
 func (x *GeneratedCodeInfo_Annotation) ProtoReflect() protoreflect.Message {
-	mi := &file_google_protobuf_descriptor_proto_msgTypes[32]
+	mi := &file_google_protobuf_descriptor_proto_msgTypes[33]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -4361,777 +4669,389 @@ func (x *GeneratedCodeInfo_Annotation) GetSemantic() GeneratedCodeInfo_Annotatio
 
 var File_google_protobuf_descriptor_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_descriptor_proto_rawDesc = string([]byte{
-	0x0a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x22, 0x5b, 0x0a, 0x11, 0x46, 0x69, 0x6c, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x6f, 0x72, 0x53, 0x65, 0x74, 0x12, 0x38, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65,
-	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x44, 0x65, 0x73,
-	0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x04, 0x66, 0x69,
-	0x6c, 0x65, 0x2a, 0x0c, 0x08, 0x80, 0xec, 0xca, 0xff, 0x01, 0x10, 0x81, 0xec, 0xca, 0xff, 0x01,
-	0x22, 0x98, 0x05, 0x0a, 0x13, 0x46, 0x69, 0x6c, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
-	0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07,
-	0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70,
-	0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64,
-	0x65, 0x6e, 0x63, 0x79, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x65,
-	0x6e, 0x64, 0x65, 0x6e, 0x63, 0x79, 0x12, 0x2b, 0x0a, 0x11, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63,
-	0x5f, 0x64, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x0a, 0x20, 0x03, 0x28,
-	0x05, 0x52, 0x10, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x44, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x65,
-	0x6e, 0x63, 0x79, 0x12, 0x27, 0x0a, 0x0f, 0x77, 0x65, 0x61, 0x6b, 0x5f, 0x64, 0x65, 0x70, 0x65,
-	0x6e, 0x64, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x05, 0x52, 0x0e, 0x77, 0x65,
-	0x61, 0x6b, 0x44, 0x65, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x6e, 0x63, 0x79, 0x12, 0x43, 0x0a, 0x0c,
-	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x20, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x54, 0x79, 0x70,
-	0x65, 0x12, 0x41, 0x0a, 0x09, 0x65, 0x6e, 0x75, 0x6d, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x05,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x44, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x08, 0x65, 0x6e, 0x75, 0x6d,
-	0x54, 0x79, 0x70, 0x65, 0x12, 0x41, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18,
-	0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x44,
-	0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x07,
-	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x43, 0x0a, 0x09, 0x65, 0x78, 0x74, 0x65, 0x6e,
-	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65,
-	0x6c, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x52, 0x09, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x36, 0x0a, 0x07,
-	0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x46, 0x69, 0x6c, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x49, 0x0a, 0x10, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x63,
-	0x6f, 0x64, 0x65, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x52,
-	0x0e, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12,
-	0x16, 0x0a, 0x06, 0x73, 0x79, 0x6e, 0x74, 0x61, 0x78, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x06, 0x73, 0x79, 0x6e, 0x74, 0x61, 0x78, 0x12, 0x32, 0x0a, 0x07, 0x65, 0x64, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x07, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb9, 0x06, 0x0a, 0x0f,
-	0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x3b, 0x0a, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69,
-	0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x12, 0x43, 0x0a, 0x09, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72,
-	0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x09, 0x65, 0x78, 0x74, 0x65,
-	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x41, 0x0a, 0x0b, 0x6e, 0x65, 0x73, 0x74, 0x65, 0x64, 0x5f,
-	0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x65, 0x73,
-	0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x0a, 0x6e, 0x65,
-	0x73, 0x74, 0x65, 0x64, 0x54, 0x79, 0x70, 0x65, 0x12, 0x41, 0x0a, 0x09, 0x65, 0x6e, 0x75, 0x6d,
-	0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6e,
-	0x75, 0x6d, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x52, 0x08, 0x65, 0x6e, 0x75, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x12, 0x58, 0x0a, 0x0f, 0x65,
-	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x05,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
-	0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x44, 0x0a, 0x0a, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x5f, 0x64,
-	0x65, 0x63, 0x6c, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4f, 0x6e, 0x65, 0x6f,
-	0x66, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x52, 0x09, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x44, 0x65, 0x63, 0x6c, 0x12, 0x39, 0x0a, 0x07, 0x6f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x55, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76,
-	0x65, 0x64, 0x5f, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x2e, 0x52, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x0d,
-	0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x23, 0x0a,
-	0x0d, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0a,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x4e, 0x61,
-	0x6d, 0x65, 0x1a, 0x7a, 0x0a, 0x0e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x52,
-	0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x05, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e,
-	0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x12, 0x40, 0x0a, 0x07,
-	0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x4f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x37,
-	0x0a, 0x0d, 0x52, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12,
-	0x14, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05,
-	0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x05, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x22, 0xcc, 0x04, 0x0a, 0x15, 0x45, 0x78, 0x74, 0x65,
-	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74,
-	0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64,
-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70,
-	0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x59, 0x0a, 0x0b, 0x64,
-	0x65, 0x63, 0x6c, 0x61, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x32, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x61, 0x6e, 0x67,
-	0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x44, 0x65, 0x63, 0x6c, 0x61, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x42, 0x03, 0x88, 0x01, 0x02, 0x52, 0x0b, 0x64, 0x65, 0x63, 0x6c, 0x61,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72,
-	0x65, 0x73, 0x18, 0x32, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75,
-	0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12,
-	0x6d, 0x0a, 0x0c, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x56, 0x65,
-	0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x3a,
-	0x0a, 0x55, 0x4e, 0x56, 0x45, 0x52, 0x49, 0x46, 0x49, 0x45, 0x44, 0x42, 0x03, 0x88, 0x01, 0x02,
-	0x52, 0x0c, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x94,
-	0x01, 0x0a, 0x0b, 0x44, 0x65, 0x63, 0x6c, 0x61, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16,
-	0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06,
-	0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x75, 0x6c, 0x6c, 0x5f, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x75, 0x6c, 0x6c, 0x4e,
-	0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x65, 0x72,
-	0x76, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x73, 0x65, 0x72,
-	0x76, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x70, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x70, 0x65, 0x61, 0x74, 0x65, 0x64, 0x4a,
-	0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x34, 0x0a, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x44, 0x45,
-	0x43, 0x4c, 0x41, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x55,
-	0x4e, 0x56, 0x45, 0x52, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x01, 0x2a, 0x09, 0x08, 0xe8, 0x07,
-	0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x22, 0xc1, 0x06, 0x0a, 0x14, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6c,
-	0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65,
-	0x6c, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x3e,
-	0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2a, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46,
-	0x69, 0x65, 0x6c, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72,
-	0x6f, 0x74, 0x6f, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b,
-	0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x65,
-	0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65,
-	0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75,
-	0x6c, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
-	0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x1f, 0x0a, 0x0b,
-	0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x09, 0x20, 0x01, 0x28,
-	0x05, 0x52, 0x0a, 0x6f, 0x6e, 0x65, 0x6f, 0x66, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x1b, 0x0a,
-	0x09, 0x6a, 0x73, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x6a, 0x73, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x07, 0x6f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69,
-	0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, 0x5f, 0x6f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x22, 0xb6, 0x02, 0x0a,
-	0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x44, 0x4f,
-	0x55, 0x42, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x46,
-	0x4c, 0x4f, 0x41, 0x54, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49,
-	0x4e, 0x54, 0x36, 0x34, 0x10, 0x03, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55,
-	0x49, 0x4e, 0x54, 0x36, 0x34, 0x10, 0x04, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x49, 0x4e, 0x54, 0x33, 0x32, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x46, 0x49, 0x58, 0x45, 0x44, 0x36, 0x34, 0x10, 0x06, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50,
-	0x45, 0x5f, 0x46, 0x49, 0x58, 0x45, 0x44, 0x33, 0x32, 0x10, 0x07, 0x12, 0x0d, 0x0a, 0x09, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x10, 0x08, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x59,
-	0x50, 0x45, 0x5f, 0x53, 0x54, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x09, 0x12, 0x0e, 0x0a, 0x0a, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x47, 0x52, 0x4f, 0x55, 0x50, 0x10, 0x0a, 0x12, 0x10, 0x0a, 0x0c, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x0b, 0x12, 0x0e, 0x0a,
-	0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x42, 0x59, 0x54, 0x45, 0x53, 0x10, 0x0c, 0x12, 0x0f, 0x0a,
-	0x0b, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x49, 0x4e, 0x54, 0x33, 0x32, 0x10, 0x0d, 0x12, 0x0d,
-	0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x10, 0x0e, 0x12, 0x11, 0x0a,
-	0x0d, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x46, 0x49, 0x58, 0x45, 0x44, 0x33, 0x32, 0x10, 0x0f,
-	0x12, 0x11, 0x0a, 0x0d, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x46, 0x49, 0x58, 0x45, 0x44, 0x36,
-	0x34, 0x10, 0x10, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x49, 0x4e, 0x54,
-	0x33, 0x32, 0x10, 0x11, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x49, 0x4e,
-	0x54, 0x36, 0x34, 0x10, 0x12, 0x22, 0x43, 0x0a, 0x05, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x12,
-	0x0a, 0x0e, 0x4c, 0x41, 0x42, 0x45, 0x4c, 0x5f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c,
-	0x10, 0x01, 0x12, 0x12, 0x0a, 0x0e, 0x4c, 0x41, 0x42, 0x45, 0x4c, 0x5f, 0x52, 0x45, 0x50, 0x45,
-	0x41, 0x54, 0x45, 0x44, 0x10, 0x03, 0x12, 0x12, 0x0a, 0x0e, 0x4c, 0x41, 0x42, 0x45, 0x4c, 0x5f,
-	0x52, 0x45, 0x51, 0x55, 0x49, 0x52, 0x45, 0x44, 0x10, 0x02, 0x22, 0x63, 0x0a, 0x14, 0x4f, 0x6e,
-	0x65, 0x6f, 0x66, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x37, 0x0a, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4f, 0x6e, 0x65, 0x6f, 0x66, 0x4f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22,
-	0xe3, 0x02, 0x0a, 0x13, 0x45, 0x6e, 0x75, 0x6d, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
-	0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6e, 0x75,
-	0x6d, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x36, 0x0a, 0x07,
-	0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x45, 0x6e, 0x75, 0x6d, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5d, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64,
-	0x5f, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45,
-	0x6e, 0x75, 0x6d, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52,
-	0x61, 0x6e, 0x67, 0x65, 0x52, 0x0d, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52, 0x61,
-	0x6e, 0x67, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x5f,
-	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x65,
-	0x72, 0x76, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x1a, 0x3b, 0x0a, 0x11, 0x45, 0x6e, 0x75, 0x6d,
-	0x52, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x73, 0x74,
-	0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x03, 0x65, 0x6e, 0x64, 0x22, 0x83, 0x01, 0x0a, 0x18, 0x45, 0x6e, 0x75, 0x6d, 0x56, 0x61,
-	0x6c, 0x75, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x3b,
-	0x0a, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x21, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0xa7, 0x01, 0x0a, 0x16,
-	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
-	0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x3e, 0x0a, 0x06, 0x6d, 0x65,
-	0x74, 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d, 0x65, 0x74,
-	0x68, 0x6f, 0x64, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x39, 0x0a, 0x07, 0x6f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x89, 0x02, 0x0a, 0x15, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64,
-	0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x54, 0x79,
-	0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x54,
-	0x79, 0x70, 0x65, 0x12, 0x38, 0x0a, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x30, 0x0a,
-	0x10, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e,
-	0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0f,
-	0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e, 0x67, 0x12,
-	0x30, 0x0a, 0x10, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d,
-	0x69, 0x6e, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65,
-	0x52, 0x0f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x69, 0x6e,
-	0x67, 0x22, 0xad, 0x09, 0x0a, 0x0b, 0x46, 0x69, 0x6c, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x12, 0x21, 0x0a, 0x0c, 0x6a, 0x61, 0x76, 0x61, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6a, 0x61, 0x76, 0x61, 0x50, 0x61, 0x63,
-	0x6b, 0x61, 0x67, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x6a, 0x61, 0x76, 0x61, 0x5f, 0x6f, 0x75, 0x74,
-	0x65, 0x72, 0x5f, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x12, 0x6a, 0x61, 0x76, 0x61, 0x4f, 0x75, 0x74, 0x65, 0x72, 0x43, 0x6c, 0x61,
-	0x73, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x35, 0x0a, 0x13, 0x6a, 0x61, 0x76, 0x61, 0x5f, 0x6d,
-	0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x0a, 0x20,
-	0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x11, 0x6a, 0x61, 0x76, 0x61,
-	0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x44, 0x0a,
-	0x1d, 0x6a, 0x61, 0x76, 0x61, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x5f, 0x65,
-	0x71, 0x75, 0x61, 0x6c, 0x73, 0x5f, 0x61, 0x6e, 0x64, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x14,
-	0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x19, 0x6a, 0x61, 0x76, 0x61, 0x47, 0x65,
-	0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x45, 0x71, 0x75, 0x61, 0x6c, 0x73, 0x41, 0x6e, 0x64, 0x48,
-	0x61, 0x73, 0x68, 0x12, 0x3a, 0x0a, 0x16, 0x6a, 0x61, 0x76, 0x61, 0x5f, 0x73, 0x74, 0x72, 0x69,
-	0x6e, 0x67, 0x5f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x5f, 0x75, 0x74, 0x66, 0x38, 0x18, 0x1b, 0x20,
-	0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x13, 0x6a, 0x61, 0x76, 0x61,
-	0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x55, 0x74, 0x66, 0x38, 0x12,
-	0x53, 0x0a, 0x0c, 0x6f, 0x70, 0x74, 0x69, 0x6d, 0x69, 0x7a, 0x65, 0x5f, 0x66, 0x6f, 0x72, 0x18,
-	0x09, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x4f, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x70, 0x74, 0x69, 0x6d, 0x69, 0x7a, 0x65, 0x4d, 0x6f, 0x64, 0x65,
-	0x3a, 0x05, 0x53, 0x50, 0x45, 0x45, 0x44, 0x52, 0x0b, 0x6f, 0x70, 0x74, 0x69, 0x6d, 0x69, 0x7a,
-	0x65, 0x46, 0x6f, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x67, 0x6f, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x61,
-	0x67, 0x65, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x67, 0x6f, 0x50, 0x61, 0x63, 0x6b,
-	0x61, 0x67, 0x65, 0x12, 0x35, 0x0a, 0x13, 0x63, 0x63, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69,
-	0x63, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x10, 0x20, 0x01, 0x28, 0x08,
-	0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x11, 0x63, 0x63, 0x47, 0x65, 0x6e, 0x65, 0x72,
-	0x69, 0x63, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x15, 0x6a, 0x61,
-	0x76, 0x61, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x73, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65,
-	0x52, 0x13, 0x6a, 0x61, 0x76, 0x61, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x53, 0x65, 0x72,
-	0x76, 0x69, 0x63, 0x65, 0x73, 0x12, 0x35, 0x0a, 0x13, 0x70, 0x79, 0x5f, 0x67, 0x65, 0x6e, 0x65,
-	0x72, 0x69, 0x63, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x12, 0x20, 0x01,
-	0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x11, 0x70, 0x79, 0x47, 0x65, 0x6e,
-	0x65, 0x72, 0x69, 0x63, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0a,
-	0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x17, 0x20, 0x01, 0x28, 0x08,
-	0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61,
-	0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x10, 0x63, 0x63, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65,
-	0x5f, 0x61, 0x72, 0x65, 0x6e, 0x61, 0x73, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x04, 0x74,
-	0x72, 0x75, 0x65, 0x52, 0x0e, 0x63, 0x63, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x72, 0x65,
-	0x6e, 0x61, 0x73, 0x12, 0x2a, 0x0a, 0x11, 0x6f, 0x62, 0x6a, 0x63, 0x5f, 0x63, 0x6c, 0x61, 0x73,
-	0x73, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x24, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f,
-	0x6f, 0x62, 0x6a, 0x63, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12,
-	0x29, 0x0a, 0x10, 0x63, 0x73, 0x68, 0x61, 0x72, 0x70, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
-	0x61, 0x63, 0x65, 0x18, 0x25, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x73, 0x68, 0x61, 0x72,
-	0x70, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x77,
-	0x69, 0x66, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x27, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0b, 0x73, 0x77, 0x69, 0x66, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x28, 0x0a,
-	0x10, 0x70, 0x68, 0x70, 0x5f, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69,
-	0x78, 0x18, 0x28, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x68, 0x70, 0x43, 0x6c, 0x61, 0x73,
-	0x73, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x23, 0x0a, 0x0d, 0x70, 0x68, 0x70, 0x5f, 0x6e,
-	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x29, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
-	0x70, 0x68, 0x70, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x34, 0x0a, 0x16,
-	0x70, 0x68, 0x70, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6e, 0x61, 0x6d,
-	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x2c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x70, 0x68,
-	0x70, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
-	0x63, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x72, 0x75, 0x62, 0x79, 0x5f, 0x70, 0x61, 0x63, 0x6b, 0x61,
-	0x67, 0x65, 0x18, 0x2d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x72, 0x75, 0x62, 0x79, 0x50, 0x61,
-	0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65,
-	0x73, 0x18, 0x32, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72,
-	0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0x58,
-	0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x5f,
-	0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74,
-	0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x3a, 0x0a, 0x0c, 0x4f, 0x70, 0x74, 0x69,
-	0x6d, 0x69, 0x7a, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x50, 0x45, 0x45,
-	0x44, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x43, 0x4f, 0x44, 0x45, 0x5f, 0x53, 0x49, 0x5a, 0x45,
-	0x10, 0x02, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x49, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4e, 0x54, 0x49,
-	0x4d, 0x45, 0x10, 0x03, 0x2a, 0x09, 0x08, 0xe8, 0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x4a,
-	0x04, 0x08, 0x2a, 0x10, 0x2b, 0x4a, 0x04, 0x08, 0x26, 0x10, 0x27, 0x52, 0x14, 0x70, 0x68, 0x70,
-	0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
-	0x73, 0x22, 0xf4, 0x03, 0x0a, 0x0e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3c, 0x0a, 0x17, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f,
-	0x73, 0x65, 0x74, 0x5f, 0x77, 0x69, 0x72, 0x65, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x14, 0x6d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x65, 0x74, 0x57, 0x69, 0x72, 0x65, 0x46, 0x6f, 0x72, 0x6d,
-	0x61, 0x74, 0x12, 0x4c, 0x0a, 0x1f, 0x6e, 0x6f, 0x5f, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72,
-	0x64, 0x5f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x5f, 0x61, 0x63, 0x63,
-	0x65, 0x73, 0x73, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c,
-	0x73, 0x65, 0x52, 0x1c, 0x6e, 0x6f, 0x53, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x44, 0x65,
-	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72,
-	0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70,
-	0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x6d, 0x61, 0x70, 0x5f, 0x65,
-	0x6e, 0x74, 0x72, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x6d, 0x61, 0x70, 0x45,
-	0x6e, 0x74, 0x72, 0x79, 0x12, 0x56, 0x0a, 0x26, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74,
-	0x65, 0x64, 0x5f, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x5f, 0x6a, 0x73, 0x6f, 0x6e, 0x5f, 0x66,
-	0x69, 0x65, 0x6c, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x6c, 0x69, 0x63, 0x74, 0x73, 0x18, 0x0b,
-	0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x22, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63,
-	0x61, 0x74, 0x65, 0x64, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x4a, 0x73, 0x6f, 0x6e, 0x46, 0x69,
-	0x65, 0x6c, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x6c, 0x69, 0x63, 0x74, 0x73, 0x12, 0x37, 0x0a, 0x08,
-	0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72,
-	0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72,
-	0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e,
-	0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x2a,
-	0x09, 0x08, 0xe8, 0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05,
-	0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, 0x08,
-	0x10, 0x09, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x9d, 0x0d, 0x0a, 0x0c, 0x46, 0x69, 0x65,
-	0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x41, 0x0a, 0x05, 0x63, 0x74, 0x79,
-	0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x23, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x43, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x06, 0x53,
-	0x54, 0x52, 0x49, 0x4e, 0x47, 0x52, 0x05, 0x63, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06,
-	0x70, 0x61, 0x63, 0x6b, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x70, 0x61,
-	0x63, 0x6b, 0x65, 0x64, 0x12, 0x47, 0x0a, 0x06, 0x6a, 0x73, 0x74, 0x79, 0x70, 0x65, 0x18, 0x06,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x2e, 0x4a, 0x53, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x09, 0x4a, 0x53, 0x5f, 0x4e,
-	0x4f, 0x52, 0x4d, 0x41, 0x4c, 0x52, 0x06, 0x6a, 0x73, 0x74, 0x79, 0x70, 0x65, 0x12, 0x19, 0x0a,
-	0x04, 0x6c, 0x61, 0x7a, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c,
-	0x73, 0x65, 0x52, 0x04, 0x6c, 0x61, 0x7a, 0x79, 0x12, 0x2e, 0x0a, 0x0f, 0x75, 0x6e, 0x76, 0x65,
-	0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x5f, 0x6c, 0x61, 0x7a, 0x79, 0x18, 0x0f, 0x20, 0x01, 0x28,
-	0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0e, 0x75, 0x6e, 0x76, 0x65, 0x72, 0x69,
-	0x66, 0x69, 0x65, 0x64, 0x4c, 0x61, 0x7a, 0x79, 0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72,
-	0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61,
-	0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12,
-	0x19, 0x0a, 0x04, 0x77, 0x65, 0x61, 0x6b, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66,
-	0x61, 0x6c, 0x73, 0x65, 0x52, 0x04, 0x77, 0x65, 0x61, 0x6b, 0x12, 0x28, 0x0a, 0x0c, 0x64, 0x65,
-	0x62, 0x75, 0x67, 0x5f, 0x72, 0x65, 0x64, 0x61, 0x63, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x08,
-	0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0b, 0x64, 0x65, 0x62, 0x75, 0x67, 0x52, 0x65,
-	0x64, 0x61, 0x63, 0x74, 0x12, 0x4b, 0x0a, 0x09, 0x72, 0x65, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0x11, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x74,
-	0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x72, 0x65, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x48, 0x0a, 0x07, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x18, 0x13, 0x20, 0x03,
-	0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x54, 0x79,
-	0x70, 0x65, 0x52, 0x07, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x12, 0x57, 0x0a, 0x10, 0x65,
-	0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x73, 0x18,
-	0x14, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x66, 0x61,
-	0x75, 0x6c, 0x74, 0x52, 0x0f, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x66, 0x61,
-	0x75, 0x6c, 0x74, 0x73, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73,
-	0x18, 0x15, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65,
-	0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0x55, 0x0a,
-	0x0f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74,
-	0x18, 0x16, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x75, 0x70,
-	0x70, 0x6f, 0x72, 0x74, 0x52, 0x0e, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x75, 0x70,
-	0x70, 0x6f, 0x72, 0x74, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70,
-	0x72, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65,
-	0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74,
-	0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x5a,
-	0x0a, 0x0e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74,
-	0x12, 0x32, 0x0a, 0x07, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x65, 0x64, 0x69,
-	0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x96, 0x02, 0x0a, 0x0e, 0x46,
-	0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x47, 0x0a,
-	0x12, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x74, 0x72, 0x6f, 0x64, 0x75,
-	0x63, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x11, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x74, 0x72,
-	0x6f, 0x64, 0x75, 0x63, 0x65, 0x64, 0x12, 0x47, 0x0a, 0x12, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f,
-	0x6e, 0x5f, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x65, 0x64,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12,
-	0x2f, 0x0a, 0x13, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x77,
-	0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x64, 0x65,
-	0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67,
-	0x12, 0x41, 0x0a, 0x0f, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x72, 0x65, 0x6d, 0x6f,
-	0x76, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x6d, 0x6f,
-	0x76, 0x65, 0x64, 0x22, 0x2f, 0x0a, 0x05, 0x43, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0a, 0x0a, 0x06,
-	0x53, 0x54, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x43, 0x4f, 0x52, 0x44,
-	0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x53, 0x54, 0x52, 0x49, 0x4e, 0x47, 0x5f, 0x50, 0x49, 0x45,
-	0x43, 0x45, 0x10, 0x02, 0x22, 0x35, 0x0a, 0x06, 0x4a, 0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0d,
-	0x0a, 0x09, 0x4a, 0x53, 0x5f, 0x4e, 0x4f, 0x52, 0x4d, 0x41, 0x4c, 0x10, 0x00, 0x12, 0x0d, 0x0a,
-	0x09, 0x4a, 0x53, 0x5f, 0x53, 0x54, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09,
-	0x4a, 0x53, 0x5f, 0x4e, 0x55, 0x4d, 0x42, 0x45, 0x52, 0x10, 0x02, 0x22, 0x55, 0x0a, 0x0f, 0x4f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x74, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x15,
-	0x0a, 0x11, 0x52, 0x45, 0x54, 0x45, 0x4e, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e,
-	0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x52, 0x45, 0x54, 0x45, 0x4e, 0x54, 0x49,
-	0x4f, 0x4e, 0x5f, 0x52, 0x55, 0x4e, 0x54, 0x49, 0x4d, 0x45, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10,
-	0x52, 0x45, 0x54, 0x45, 0x4e, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45,
-	0x10, 0x02, 0x22, 0x8c, 0x02, 0x0a, 0x10, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x72,
-	0x67, 0x65, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x52, 0x47, 0x45,
-	0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00,
-	0x12, 0x14, 0x0a, 0x10, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x46, 0x49, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x1f, 0x0a, 0x1b, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54,
-	0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x4e, 0x53, 0x49, 0x4f, 0x4e, 0x5f,
-	0x52, 0x41, 0x4e, 0x47, 0x45, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x52, 0x47, 0x45,
-	0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x03,
-	0x12, 0x15, 0x0a, 0x11, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x46, 0x49, 0x45, 0x4c, 0x44, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x54, 0x41, 0x52, 0x47, 0x45,
-	0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4f, 0x4e, 0x45, 0x4f, 0x46, 0x10, 0x05, 0x12, 0x14,
-	0x0a, 0x10, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e,
-	0x55, 0x4d, 0x10, 0x06, 0x12, 0x1a, 0x0a, 0x16, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54, 0x5f, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x4e, 0x54, 0x52, 0x59, 0x10, 0x07,
-	0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x52, 0x47, 0x45, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x10, 0x08, 0x12, 0x16, 0x0a, 0x12, 0x54, 0x41, 0x52,
-	0x47, 0x45, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x10,
-	0x09, 0x2a, 0x09, 0x08, 0xe8, 0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x4a, 0x04, 0x08, 0x04,
-	0x10, 0x05, 0x4a, 0x04, 0x08, 0x12, 0x10, 0x13, 0x22, 0xac, 0x01, 0x0a, 0x0c, 0x4f, 0x6e, 0x65,
-	0x6f, 0x66, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65,
-	0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72,
-	0x65, 0x73, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65,
-	0x74, 0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65,
-	0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72,
-	0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x2a, 0x09, 0x08, 0xe8,
-	0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x22, 0xd1, 0x02, 0x0a, 0x0b, 0x45, 0x6e, 0x75, 0x6d,
-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77,
-	0x5f, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x61, 0x6c,
-	0x6c, 0x6f, 0x77, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72,
-	0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61,
-	0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12,
-	0x56, 0x0a, 0x26, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x6c, 0x65,
-	0x67, 0x61, 0x63, 0x79, 0x5f, 0x6a, 0x73, 0x6f, 0x6e, 0x5f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f,
-	0x63, 0x6f, 0x6e, 0x66, 0x6c, 0x69, 0x63, 0x74, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x42,
-	0x02, 0x18, 0x01, 0x52, 0x22, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x4c,
-	0x65, 0x67, 0x61, 0x63, 0x79, 0x4a, 0x73, 0x6f, 0x6e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x43, 0x6f,
-	0x6e, 0x66, 0x6c, 0x69, 0x63, 0x74, 0x73, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75,
-	0x72, 0x65, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74,
-	0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73,
-	0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65,
-	0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f,
-	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72,
-	0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x2a, 0x09, 0x08, 0xe8, 0x07, 0x10,
-	0x80, 0x80, 0x80, 0x80, 0x02, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x22, 0xd8, 0x02, 0x0a, 0x10,
-	0x45, 0x6e, 0x75, 0x6d, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70,
-	0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75,
-	0x72, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74,
-	0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73,
-	0x12, 0x28, 0x0a, 0x0c, 0x64, 0x65, 0x62, 0x75, 0x67, 0x5f, 0x72, 0x65, 0x64, 0x61, 0x63, 0x74,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0b, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x52, 0x65, 0x64, 0x61, 0x63, 0x74, 0x12, 0x55, 0x0a, 0x0f, 0x66, 0x65,
-	0x61, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72,
-	0x74, 0x52, 0x0e, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72,
-	0x74, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74,
-	0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64,
-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70,
-	0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x2a, 0x09, 0x08, 0xe8, 0x07,
-	0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x22, 0xd5, 0x01, 0x0a, 0x0e, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x22, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65,
-	0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72,
-	0x65, 0x73, 0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64,
-	0x18, 0x21, 0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64,
-	0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69,
-	0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74,
-	0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13,
-	0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x2a, 0x09, 0x08, 0xe8, 0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x22, 0x99,
-	0x03, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x12, 0x25, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x21,
-	0x20, 0x01, 0x28, 0x08, 0x3a, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x70,
-	0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x71, 0x0a, 0x11, 0x69, 0x64, 0x65, 0x6d, 0x70,
-	0x6f, 0x74, 0x65, 0x6e, 0x63, 0x79, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x22, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x2f, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x49, 0x64, 0x65, 0x6d, 0x70, 0x6f, 0x74, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x65,
-	0x76, 0x65, 0x6c, 0x3a, 0x13, 0x49, 0x44, 0x45, 0x4d, 0x50, 0x4f, 0x54, 0x45, 0x4e, 0x43, 0x59,
-	0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x52, 0x10, 0x69, 0x64, 0x65, 0x6d, 0x70, 0x6f,
-	0x74, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x65,
-	0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x23, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46,
-	0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75,
-	0x72, 0x65, 0x73, 0x12, 0x58, 0x0a, 0x14, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72,
-	0x65, 0x74, 0x65, 0x64, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0xe7, 0x07, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x24, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74,
-	0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x13, 0x75, 0x6e, 0x69, 0x6e, 0x74, 0x65,
-	0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x50, 0x0a,
-	0x10, 0x49, 0x64, 0x65, 0x6d, 0x70, 0x6f, 0x74, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x65, 0x76, 0x65,
-	0x6c, 0x12, 0x17, 0x0a, 0x13, 0x49, 0x44, 0x45, 0x4d, 0x50, 0x4f, 0x54, 0x45, 0x4e, 0x43, 0x59,
-	0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x13, 0x0a, 0x0f, 0x4e, 0x4f,
-	0x5f, 0x53, 0x49, 0x44, 0x45, 0x5f, 0x45, 0x46, 0x46, 0x45, 0x43, 0x54, 0x53, 0x10, 0x01, 0x12,
-	0x0e, 0x0a, 0x0a, 0x49, 0x44, 0x45, 0x4d, 0x50, 0x4f, 0x54, 0x45, 0x4e, 0x54, 0x10, 0x02, 0x2a,
-	0x09, 0x08, 0xe8, 0x07, 0x10, 0x80, 0x80, 0x80, 0x80, 0x02, 0x22, 0x9a, 0x03, 0x0a, 0x13, 0x55,
-	0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64, 0x4f, 0x70, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x41, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x2d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x55, 0x6e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65, 0x64,
-	0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x50, 0x61, 0x72, 0x74, 0x52,
-	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x29, 0x0a, 0x10, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66,
-	0x69, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65,
-	0x12, 0x2c, 0x0a, 0x12, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x69, 0x6e, 0x74,
-	0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52, 0x10, 0x70, 0x6f,
-	0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x49, 0x6e, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2c,
-	0x0a, 0x12, 0x6e, 0x65, 0x67, 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x69, 0x6e, 0x74, 0x5f, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x6e, 0x65, 0x67, 0x61,
-	0x74, 0x69, 0x76, 0x65, 0x49, 0x6e, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x21, 0x0a, 0x0c,
-	0x64, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x06, 0x20, 0x01,
-	0x28, 0x01, 0x52, 0x0b, 0x64, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12,
-	0x21, 0x0a, 0x0c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c,
-	0x75, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x67, 0x67, 0x72, 0x65, 0x67, 0x61, 0x74, 0x65, 0x5f,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x67, 0x67,
-	0x72, 0x65, 0x67, 0x61, 0x74, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x4a, 0x0a, 0x08, 0x4e,
-	0x61, 0x6d, 0x65, 0x50, 0x61, 0x72, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x5f,
-	0x70, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x61, 0x6d, 0x65,
-	0x50, 0x61, 0x72, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x73, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e,
-	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x02, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x73, 0x45, 0x78,
-	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x0a, 0x0a, 0x0a, 0x46, 0x65, 0x61, 0x74,
-	0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x12, 0x91, 0x01, 0x0a, 0x0e, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x5f, 0x70, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x29, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x46, 0x69, 0x65,
-	0x6c, 0x64, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x42, 0x3f, 0x88, 0x01, 0x01, 0x98,
-	0x01, 0x04, 0x98, 0x01, 0x01, 0xa2, 0x01, 0x0d, 0x12, 0x08, 0x45, 0x58, 0x50, 0x4c, 0x49, 0x43,
-	0x49, 0x54, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x0d, 0x12, 0x08, 0x49, 0x4d, 0x50, 0x4c, 0x49, 0x43,
-	0x49, 0x54, 0x18, 0xe7, 0x07, 0xa2, 0x01, 0x0d, 0x12, 0x08, 0x45, 0x58, 0x50, 0x4c, 0x49, 0x43,
-	0x49, 0x54, 0x18, 0xe8, 0x07, 0xb2, 0x01, 0x03, 0x08, 0xe8, 0x07, 0x52, 0x0d, 0x66, 0x69, 0x65,
-	0x6c, 0x64, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x6c, 0x0a, 0x09, 0x65, 0x6e,
-	0x75, 0x6d, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x24, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x54,
-	0x79, 0x70, 0x65, 0x42, 0x29, 0x88, 0x01, 0x01, 0x98, 0x01, 0x06, 0x98, 0x01, 0x01, 0xa2, 0x01,
-	0x0b, 0x12, 0x06, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x44, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x09, 0x12,
-	0x04, 0x4f, 0x50, 0x45, 0x4e, 0x18, 0xe7, 0x07, 0xb2, 0x01, 0x03, 0x08, 0xe8, 0x07, 0x52, 0x08,
-	0x65, 0x6e, 0x75, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x12, 0x98, 0x01, 0x0a, 0x17, 0x72, 0x65, 0x70,
-	0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x65, 0x6e, 0x63, 0x6f,
-	0x64, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x52, 0x65, 0x70, 0x65, 0x61, 0x74, 0x65, 0x64,
-	0x46, 0x69, 0x65, 0x6c, 0x64, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x42, 0x2d, 0x88,
-	0x01, 0x01, 0x98, 0x01, 0x04, 0x98, 0x01, 0x01, 0xa2, 0x01, 0x0d, 0x12, 0x08, 0x45, 0x58, 0x50,
-	0x41, 0x4e, 0x44, 0x45, 0x44, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x0b, 0x12, 0x06, 0x50, 0x41, 0x43,
-	0x4b, 0x45, 0x44, 0x18, 0xe7, 0x07, 0xb2, 0x01, 0x03, 0x08, 0xe8, 0x07, 0x52, 0x15, 0x72, 0x65,
-	0x70, 0x65, 0x61, 0x74, 0x65, 0x64, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x45, 0x6e, 0x63, 0x6f, 0x64,
-	0x69, 0x6e, 0x67, 0x12, 0x7e, 0x0a, 0x0f, 0x75, 0x74, 0x66, 0x38, 0x5f, 0x76, 0x61, 0x6c, 0x69,
-	0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2a, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46,
-	0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x55, 0x74, 0x66, 0x38, 0x56, 0x61,
-	0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x29, 0x88, 0x01, 0x01, 0x98, 0x01, 0x04,
-	0x98, 0x01, 0x01, 0xa2, 0x01, 0x09, 0x12, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x18, 0x84, 0x07, 0xa2,
-	0x01, 0x0b, 0x12, 0x06, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59, 0x18, 0xe7, 0x07, 0xb2, 0x01, 0x03,
-	0x08, 0xe8, 0x07, 0x52, 0x0e, 0x75, 0x74, 0x66, 0x38, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x7e, 0x0a, 0x10, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x65,
-	0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x42, 0x26, 0x88, 0x01, 0x01, 0x98,
-	0x01, 0x04, 0x98, 0x01, 0x01, 0xa2, 0x01, 0x14, 0x12, 0x0f, 0x4c, 0x45, 0x4e, 0x47, 0x54, 0x48,
-	0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x45, 0x44, 0x18, 0x84, 0x07, 0xb2, 0x01, 0x03, 0x08,
-	0xe8, 0x07, 0x52, 0x0f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x63, 0x6f, 0x64,
-	0x69, 0x6e, 0x67, 0x12, 0x82, 0x01, 0x0a, 0x0b, 0x6a, 0x73, 0x6f, 0x6e, 0x5f, 0x66, 0x6f, 0x72,
-	0x6d, 0x61, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74,
-	0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x2e, 0x4a, 0x73, 0x6f, 0x6e, 0x46, 0x6f, 0x72, 0x6d, 0x61,
-	0x74, 0x42, 0x39, 0x88, 0x01, 0x01, 0x98, 0x01, 0x03, 0x98, 0x01, 0x06, 0x98, 0x01, 0x01, 0xa2,
-	0x01, 0x17, 0x12, 0x12, 0x4c, 0x45, 0x47, 0x41, 0x43, 0x59, 0x5f, 0x42, 0x45, 0x53, 0x54, 0x5f,
-	0x45, 0x46, 0x46, 0x4f, 0x52, 0x54, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x0a, 0x12, 0x05, 0x41, 0x4c,
-	0x4c, 0x4f, 0x57, 0x18, 0xe7, 0x07, 0xb2, 0x01, 0x03, 0x08, 0xe8, 0x07, 0x52, 0x0a, 0x6a, 0x73,
-	0x6f, 0x6e, 0x46, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x22, 0x5c, 0x0a, 0x0d, 0x46, 0x69, 0x65, 0x6c,
-	0x64, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x16, 0x46, 0x49, 0x45,
-	0x4c, 0x44, 0x5f, 0x50, 0x52, 0x45, 0x53, 0x45, 0x4e, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e,
-	0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x45, 0x58, 0x50, 0x4c, 0x49, 0x43, 0x49,
-	0x54, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x49, 0x4d, 0x50, 0x4c, 0x49, 0x43, 0x49, 0x54, 0x10,
-	0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4c, 0x45, 0x47, 0x41, 0x43, 0x59, 0x5f, 0x52, 0x45, 0x51, 0x55,
-	0x49, 0x52, 0x45, 0x44, 0x10, 0x03, 0x22, 0x37, 0x0a, 0x08, 0x45, 0x6e, 0x75, 0x6d, 0x54, 0x79,
-	0x70, 0x65, 0x12, 0x15, 0x0a, 0x11, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x4f, 0x50, 0x45,
-	0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x44, 0x10, 0x02, 0x22,
-	0x56, 0x0a, 0x15, 0x52, 0x65, 0x70, 0x65, 0x61, 0x74, 0x65, 0x64, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x23, 0x0a, 0x1f, 0x52, 0x45, 0x50, 0x45,
-	0x41, 0x54, 0x45, 0x44, 0x5f, 0x46, 0x49, 0x45, 0x4c, 0x44, 0x5f, 0x45, 0x4e, 0x43, 0x4f, 0x44,
-	0x49, 0x4e, 0x47, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0a, 0x0a,
-	0x06, 0x50, 0x41, 0x43, 0x4b, 0x45, 0x44, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x45, 0x58, 0x50,
-	0x41, 0x4e, 0x44, 0x45, 0x44, 0x10, 0x02, 0x22, 0x49, 0x0a, 0x0e, 0x55, 0x74, 0x66, 0x38, 0x56,
-	0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1b, 0x0a, 0x17, 0x55, 0x54, 0x46,
-	0x38, 0x5f, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b,
-	0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x56, 0x45, 0x52, 0x49, 0x46, 0x59,
-	0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x03, 0x22, 0x04, 0x08, 0x01,
-	0x10, 0x01, 0x22, 0x53, 0x0a, 0x0f, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x45, 0x6e, 0x63,
-	0x6f, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x1c, 0x0a, 0x18, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45,
-	0x5f, 0x45, 0x4e, 0x43, 0x4f, 0x44, 0x49, 0x4e, 0x47, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57,
-	0x4e, 0x10, 0x00, 0x12, 0x13, 0x0a, 0x0f, 0x4c, 0x45, 0x4e, 0x47, 0x54, 0x48, 0x5f, 0x50, 0x52,
-	0x45, 0x46, 0x49, 0x58, 0x45, 0x44, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x44, 0x45, 0x4c, 0x49,
-	0x4d, 0x49, 0x54, 0x45, 0x44, 0x10, 0x02, 0x22, 0x48, 0x0a, 0x0a, 0x4a, 0x73, 0x6f, 0x6e, 0x46,
-	0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x4a, 0x53, 0x4f, 0x4e, 0x5f, 0x46, 0x4f,
-	0x52, 0x4d, 0x41, 0x54, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x09,
-	0x0a, 0x05, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4c, 0x45, 0x47,
-	0x41, 0x43, 0x59, 0x5f, 0x42, 0x45, 0x53, 0x54, 0x5f, 0x45, 0x46, 0x46, 0x4f, 0x52, 0x54, 0x10,
-	0x02, 0x2a, 0x06, 0x08, 0xe8, 0x07, 0x10, 0x8b, 0x4e, 0x2a, 0x06, 0x08, 0x8b, 0x4e, 0x10, 0x90,
-	0x4e, 0x2a, 0x06, 0x08, 0x90, 0x4e, 0x10, 0x91, 0x4e, 0x4a, 0x06, 0x08, 0xe7, 0x07, 0x10, 0xe8,
-	0x07, 0x22, 0xef, 0x03, 0x0a, 0x12, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74,
-	0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x73, 0x12, 0x58, 0x0a, 0x08, 0x64, 0x65, 0x66, 0x61,
-	0x75, 0x6c, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x73, 0x2e,
-	0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f,
-	0x6e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x52, 0x08, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c,
-	0x74, 0x73, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x69, 0x6e, 0x69, 0x6d, 0x75, 0x6d, 0x5f, 0x65, 0x64,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x6d, 0x69, 0x6e, 0x69, 0x6d, 0x75, 0x6d, 0x45, 0x64,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d,
-	0x5f, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75,
-	0x6d, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0xf8, 0x01, 0x0a, 0x18, 0x46, 0x65, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x65,
-	0x66, 0x61, 0x75, 0x6c, 0x74, 0x12, 0x32, 0x0a, 0x07, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x52, 0x07, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4e, 0x0a, 0x14, 0x6f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65,
-	0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72,
-	0x65, 0x53, 0x65, 0x74, 0x52, 0x13, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c,
-	0x65, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0x42, 0x0a, 0x0e, 0x66, 0x69, 0x78,
-	0x65, 0x64, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x52, 0x0d,
-	0x66, 0x69, 0x78, 0x65, 0x64, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x4a, 0x04, 0x08,
-	0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52, 0x08, 0x66, 0x65, 0x61, 0x74, 0x75,
-	0x72, 0x65, 0x73, 0x22, 0xb5, 0x02, 0x0a, 0x0e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f,
-	0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x44, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63,
-	0x65, 0x43, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0xce, 0x01, 0x0a,
-	0x08, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x04, 0x70, 0x61, 0x74,
-	0x68, 0x18, 0x01, 0x20, 0x03, 0x28, 0x05, 0x42, 0x02, 0x10, 0x01, 0x52, 0x04, 0x70, 0x61, 0x74,
-	0x68, 0x12, 0x16, 0x0a, 0x04, 0x73, 0x70, 0x61, 0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x05, 0x42,
-	0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x70, 0x61, 0x6e, 0x12, 0x29, 0x0a, 0x10, 0x6c, 0x65, 0x61,
-	0x64, 0x69, 0x6e, 0x67, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0f, 0x6c, 0x65, 0x61, 0x64, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6d, 0x6d,
-	0x65, 0x6e, 0x74, 0x73, 0x12, 0x2b, 0x0a, 0x11, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x69, 0x6e, 0x67,
-	0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x10, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74,
-	0x73, 0x12, 0x3a, 0x0a, 0x19, 0x6c, 0x65, 0x61, 0x64, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x65, 0x74,
-	0x61, 0x63, 0x68, 0x65, 0x64, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x06,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x17, 0x6c, 0x65, 0x61, 0x64, 0x69, 0x6e, 0x67, 0x44, 0x65, 0x74,
-	0x61, 0x63, 0x68, 0x65, 0x64, 0x43, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2a, 0x0c, 0x08,
-	0x80, 0xec, 0xca, 0xff, 0x01, 0x10, 0x81, 0xec, 0xca, 0xff, 0x01, 0x22, 0xd0, 0x02, 0x0a, 0x11,
-	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x43, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66,
-	0x6f, 0x12, 0x4d, 0x0a, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
-	0x64, 0x43, 0x6f, 0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x1a, 0xeb, 0x01, 0x0a, 0x0a, 0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12,
-	0x16, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x03, 0x28, 0x05, 0x42, 0x02, 0x10,
-	0x01, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x6f, 0x75, 0x72, 0x63,
-	0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x62, 0x65, 0x67, 0x69,
-	0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x62, 0x65, 0x67, 0x69, 0x6e, 0x12, 0x10,
-	0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x65, 0x6e, 0x64,
-	0x12, 0x52, 0x0a, 0x08, 0x73, 0x65, 0x6d, 0x61, 0x6e, 0x74, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x36, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x43, 0x6f,
-	0x64, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x2e, 0x53, 0x65, 0x6d, 0x61, 0x6e, 0x74, 0x69, 0x63, 0x52, 0x08, 0x73, 0x65, 0x6d, 0x61,
-	0x6e, 0x74, 0x69, 0x63, 0x22, 0x28, 0x0a, 0x08, 0x53, 0x65, 0x6d, 0x61, 0x6e, 0x74, 0x69, 0x63,
-	0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x53, 0x45,
-	0x54, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x4c, 0x49, 0x41, 0x53, 0x10, 0x02, 0x2a, 0xa7,
-	0x02, 0x0a, 0x07, 0x45, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x44,
-	0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
-	0x13, 0x0a, 0x0e, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4c, 0x45, 0x47, 0x41, 0x43,
-	0x59, 0x10, 0x84, 0x07, 0x12, 0x13, 0x0a, 0x0e, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f,
-	0x50, 0x52, 0x4f, 0x54, 0x4f, 0x32, 0x10, 0xe6, 0x07, 0x12, 0x13, 0x0a, 0x0e, 0x45, 0x44, 0x49,
-	0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x33, 0x10, 0xe7, 0x07, 0x12, 0x11,
-	0x0a, 0x0c, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x32, 0x30, 0x32, 0x33, 0x10, 0xe8,
-	0x07, 0x12, 0x11, 0x0a, 0x0c, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x32, 0x30, 0x32,
-	0x34, 0x10, 0xe9, 0x07, 0x12, 0x17, 0x0a, 0x13, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f,
-	0x31, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x01, 0x12, 0x17, 0x0a,
-	0x13, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x32, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f,
-	0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x02, 0x12, 0x1d, 0x0a, 0x17, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f,
-	0x4e, 0x5f, 0x39, 0x39, 0x39, 0x39, 0x37, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4f, 0x4e, 0x4c,
-	0x59, 0x10, 0x9d, 0x8d, 0x06, 0x12, 0x1d, 0x0a, 0x17, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e,
-	0x5f, 0x39, 0x39, 0x39, 0x39, 0x38, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4f, 0x4e, 0x4c, 0x59,
-	0x10, 0x9e, 0x8d, 0x06, 0x12, 0x1d, 0x0a, 0x17, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f,
-	0x39, 0x39, 0x39, 0x39, 0x39, 0x5f, 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10,
-	0x9f, 0x8d, 0x06, 0x12, 0x13, 0x0a, 0x0b, 0x45, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4d,
-	0x41, 0x58, 0x10, 0xff, 0xff, 0xff, 0xff, 0x07, 0x42, 0x7e, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42,
-	0x10, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x73, 0x48, 0x01, 0x5a, 0x2d, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61,
-	0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
-	0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72,
-	0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1a, 0x47, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x52, 0x65,
-	0x66, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
-})
+const file_google_protobuf_descriptor_proto_rawDesc = "" +
+	"\n" +
+	" google/protobuf/descriptor.proto\x12\x0fgoogle.protobuf\"[\n" +
+	"\x11FileDescriptorSet\x128\n" +
+	"\x04file\x18\x01 \x03(\v2$.google.protobuf.FileDescriptorProtoR\x04file*\f\b\x80\xec\xca\xff\x01\x10\x81\xec\xca\xff\x01\"\xc5\x05\n" +
+	"\x13FileDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" +
+	"\apackage\x18\x02 \x01(\tR\apackage\x12\x1e\n" +
+	"\n" +
+	"dependency\x18\x03 \x03(\tR\n" +
+	"dependency\x12+\n" +
+	"\x11public_dependency\x18\n" +
+	" \x03(\x05R\x10publicDependency\x12'\n" +
+	"\x0fweak_dependency\x18\v \x03(\x05R\x0eweakDependency\x12+\n" +
+	"\x11option_dependency\x18\x0f \x03(\tR\x10optionDependency\x12C\n" +
+	"\fmessage_type\x18\x04 \x03(\v2 .google.protobuf.DescriptorProtoR\vmessageType\x12A\n" +
+	"\tenum_type\x18\x05 \x03(\v2$.google.protobuf.EnumDescriptorProtoR\benumType\x12A\n" +
+	"\aservice\x18\x06 \x03(\v2'.google.protobuf.ServiceDescriptorProtoR\aservice\x12C\n" +
+	"\textension\x18\a \x03(\v2%.google.protobuf.FieldDescriptorProtoR\textension\x126\n" +
+	"\aoptions\x18\b \x01(\v2\x1c.google.protobuf.FileOptionsR\aoptions\x12I\n" +
+	"\x10source_code_info\x18\t \x01(\v2\x1f.google.protobuf.SourceCodeInfoR\x0esourceCodeInfo\x12\x16\n" +
+	"\x06syntax\x18\f \x01(\tR\x06syntax\x122\n" +
+	"\aedition\x18\x0e \x01(\x0e2\x18.google.protobuf.EditionR\aedition\"\xfc\x06\n" +
+	"\x0fDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12;\n" +
+	"\x05field\x18\x02 \x03(\v2%.google.protobuf.FieldDescriptorProtoR\x05field\x12C\n" +
+	"\textension\x18\x06 \x03(\v2%.google.protobuf.FieldDescriptorProtoR\textension\x12A\n" +
+	"\vnested_type\x18\x03 \x03(\v2 .google.protobuf.DescriptorProtoR\n" +
+	"nestedType\x12A\n" +
+	"\tenum_type\x18\x04 \x03(\v2$.google.protobuf.EnumDescriptorProtoR\benumType\x12X\n" +
+	"\x0fextension_range\x18\x05 \x03(\v2/.google.protobuf.DescriptorProto.ExtensionRangeR\x0eextensionRange\x12D\n" +
+	"\n" +
+	"oneof_decl\x18\b \x03(\v2%.google.protobuf.OneofDescriptorProtoR\toneofDecl\x129\n" +
+	"\aoptions\x18\a \x01(\v2\x1f.google.protobuf.MessageOptionsR\aoptions\x12U\n" +
+	"\x0ereserved_range\x18\t \x03(\v2..google.protobuf.DescriptorProto.ReservedRangeR\rreservedRange\x12#\n" +
+	"\rreserved_name\x18\n" +
+	" \x03(\tR\freservedName\x12A\n" +
+	"\n" +
+	"visibility\x18\v \x01(\x0e2!.google.protobuf.SymbolVisibilityR\n" +
+	"visibility\x1az\n" +
+	"\x0eExtensionRange\x12\x14\n" +
+	"\x05start\x18\x01 \x01(\x05R\x05start\x12\x10\n" +
+	"\x03end\x18\x02 \x01(\x05R\x03end\x12@\n" +
+	"\aoptions\x18\x03 \x01(\v2&.google.protobuf.ExtensionRangeOptionsR\aoptions\x1a7\n" +
+	"\rReservedRange\x12\x14\n" +
+	"\x05start\x18\x01 \x01(\x05R\x05start\x12\x10\n" +
+	"\x03end\x18\x02 \x01(\x05R\x03end\"\xcc\x04\n" +
+	"\x15ExtensionRangeOptions\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption\x12Y\n" +
+	"\vdeclaration\x18\x02 \x03(\v22.google.protobuf.ExtensionRangeOptions.DeclarationB\x03\x88\x01\x02R\vdeclaration\x127\n" +
+	"\bfeatures\x182 \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12m\n" +
+	"\fverification\x18\x03 \x01(\x0e28.google.protobuf.ExtensionRangeOptions.VerificationState:\n" +
+	"UNVERIFIEDB\x03\x88\x01\x02R\fverification\x1a\x94\x01\n" +
+	"\vDeclaration\x12\x16\n" +
+	"\x06number\x18\x01 \x01(\x05R\x06number\x12\x1b\n" +
+	"\tfull_name\x18\x02 \x01(\tR\bfullName\x12\x12\n" +
+	"\x04type\x18\x03 \x01(\tR\x04type\x12\x1a\n" +
+	"\breserved\x18\x05 \x01(\bR\breserved\x12\x1a\n" +
+	"\brepeated\x18\x06 \x01(\bR\brepeatedJ\x04\b\x04\x10\x05\"4\n" +
+	"\x11VerificationState\x12\x0f\n" +
+	"\vDECLARATION\x10\x00\x12\x0e\n" +
+	"\n" +
+	"UNVERIFIED\x10\x01*\t\b\xe8\a\x10\x80\x80\x80\x80\x02\"\xc1\x06\n" +
+	"\x14FieldDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
+	"\x06number\x18\x03 \x01(\x05R\x06number\x12A\n" +
+	"\x05label\x18\x04 \x01(\x0e2+.google.protobuf.FieldDescriptorProto.LabelR\x05label\x12>\n" +
+	"\x04type\x18\x05 \x01(\x0e2*.google.protobuf.FieldDescriptorProto.TypeR\x04type\x12\x1b\n" +
+	"\ttype_name\x18\x06 \x01(\tR\btypeName\x12\x1a\n" +
+	"\bextendee\x18\x02 \x01(\tR\bextendee\x12#\n" +
+	"\rdefault_value\x18\a \x01(\tR\fdefaultValue\x12\x1f\n" +
+	"\voneof_index\x18\t \x01(\x05R\n" +
+	"oneofIndex\x12\x1b\n" +
+	"\tjson_name\x18\n" +
+	" \x01(\tR\bjsonName\x127\n" +
+	"\aoptions\x18\b \x01(\v2\x1d.google.protobuf.FieldOptionsR\aoptions\x12'\n" +
+	"\x0fproto3_optional\x18\x11 \x01(\bR\x0eproto3Optional\"\xb6\x02\n" +
+	"\x04Type\x12\x0f\n" +
+	"\vTYPE_DOUBLE\x10\x01\x12\x0e\n" +
+	"\n" +
+	"TYPE_FLOAT\x10\x02\x12\x0e\n" +
+	"\n" +
+	"TYPE_INT64\x10\x03\x12\x0f\n" +
+	"\vTYPE_UINT64\x10\x04\x12\x0e\n" +
+	"\n" +
+	"TYPE_INT32\x10\x05\x12\x10\n" +
+	"\fTYPE_FIXED64\x10\x06\x12\x10\n" +
+	"\fTYPE_FIXED32\x10\a\x12\r\n" +
+	"\tTYPE_BOOL\x10\b\x12\x0f\n" +
+	"\vTYPE_STRING\x10\t\x12\x0e\n" +
+	"\n" +
+	"TYPE_GROUP\x10\n" +
+	"\x12\x10\n" +
+	"\fTYPE_MESSAGE\x10\v\x12\x0e\n" +
+	"\n" +
+	"TYPE_BYTES\x10\f\x12\x0f\n" +
+	"\vTYPE_UINT32\x10\r\x12\r\n" +
+	"\tTYPE_ENUM\x10\x0e\x12\x11\n" +
+	"\rTYPE_SFIXED32\x10\x0f\x12\x11\n" +
+	"\rTYPE_SFIXED64\x10\x10\x12\x0f\n" +
+	"\vTYPE_SINT32\x10\x11\x12\x0f\n" +
+	"\vTYPE_SINT64\x10\x12\"C\n" +
+	"\x05Label\x12\x12\n" +
+	"\x0eLABEL_OPTIONAL\x10\x01\x12\x12\n" +
+	"\x0eLABEL_REPEATED\x10\x03\x12\x12\n" +
+	"\x0eLABEL_REQUIRED\x10\x02\"c\n" +
+	"\x14OneofDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x127\n" +
+	"\aoptions\x18\x02 \x01(\v2\x1d.google.protobuf.OneofOptionsR\aoptions\"\xa6\x03\n" +
+	"\x13EnumDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12?\n" +
+	"\x05value\x18\x02 \x03(\v2).google.protobuf.EnumValueDescriptorProtoR\x05value\x126\n" +
+	"\aoptions\x18\x03 \x01(\v2\x1c.google.protobuf.EnumOptionsR\aoptions\x12]\n" +
+	"\x0ereserved_range\x18\x04 \x03(\v26.google.protobuf.EnumDescriptorProto.EnumReservedRangeR\rreservedRange\x12#\n" +
+	"\rreserved_name\x18\x05 \x03(\tR\freservedName\x12A\n" +
+	"\n" +
+	"visibility\x18\x06 \x01(\x0e2!.google.protobuf.SymbolVisibilityR\n" +
+	"visibility\x1a;\n" +
+	"\x11EnumReservedRange\x12\x14\n" +
+	"\x05start\x18\x01 \x01(\x05R\x05start\x12\x10\n" +
+	"\x03end\x18\x02 \x01(\x05R\x03end\"\x83\x01\n" +
+	"\x18EnumValueDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x16\n" +
+	"\x06number\x18\x02 \x01(\x05R\x06number\x12;\n" +
+	"\aoptions\x18\x03 \x01(\v2!.google.protobuf.EnumValueOptionsR\aoptions\"\xa7\x01\n" +
+	"\x16ServiceDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12>\n" +
+	"\x06method\x18\x02 \x03(\v2&.google.protobuf.MethodDescriptorProtoR\x06method\x129\n" +
+	"\aoptions\x18\x03 \x01(\v2\x1f.google.protobuf.ServiceOptionsR\aoptions\"\x89\x02\n" +
+	"\x15MethodDescriptorProto\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1d\n" +
+	"\n" +
+	"input_type\x18\x02 \x01(\tR\tinputType\x12\x1f\n" +
+	"\voutput_type\x18\x03 \x01(\tR\n" +
+	"outputType\x128\n" +
+	"\aoptions\x18\x04 \x01(\v2\x1e.google.protobuf.MethodOptionsR\aoptions\x120\n" +
+	"\x10client_streaming\x18\x05 \x01(\b:\x05falseR\x0fclientStreaming\x120\n" +
+	"\x10server_streaming\x18\x06 \x01(\b:\x05falseR\x0fserverStreaming\"\xad\t\n" +
+	"\vFileOptions\x12!\n" +
+	"\fjava_package\x18\x01 \x01(\tR\vjavaPackage\x120\n" +
+	"\x14java_outer_classname\x18\b \x01(\tR\x12javaOuterClassname\x125\n" +
+	"\x13java_multiple_files\x18\n" +
+	" \x01(\b:\x05falseR\x11javaMultipleFiles\x12D\n" +
+	"\x1djava_generate_equals_and_hash\x18\x14 \x01(\bB\x02\x18\x01R\x19javaGenerateEqualsAndHash\x12:\n" +
+	"\x16java_string_check_utf8\x18\x1b \x01(\b:\x05falseR\x13javaStringCheckUtf8\x12S\n" +
+	"\foptimize_for\x18\t \x01(\x0e2).google.protobuf.FileOptions.OptimizeMode:\x05SPEEDR\voptimizeFor\x12\x1d\n" +
+	"\n" +
+	"go_package\x18\v \x01(\tR\tgoPackage\x125\n" +
+	"\x13cc_generic_services\x18\x10 \x01(\b:\x05falseR\x11ccGenericServices\x129\n" +
+	"\x15java_generic_services\x18\x11 \x01(\b:\x05falseR\x13javaGenericServices\x125\n" +
+	"\x13py_generic_services\x18\x12 \x01(\b:\x05falseR\x11pyGenericServices\x12%\n" +
+	"\n" +
+	"deprecated\x18\x17 \x01(\b:\x05falseR\n" +
+	"deprecated\x12.\n" +
+	"\x10cc_enable_arenas\x18\x1f \x01(\b:\x04trueR\x0eccEnableArenas\x12*\n" +
+	"\x11objc_class_prefix\x18$ \x01(\tR\x0fobjcClassPrefix\x12)\n" +
+	"\x10csharp_namespace\x18% \x01(\tR\x0fcsharpNamespace\x12!\n" +
+	"\fswift_prefix\x18' \x01(\tR\vswiftPrefix\x12(\n" +
+	"\x10php_class_prefix\x18( \x01(\tR\x0ephpClassPrefix\x12#\n" +
+	"\rphp_namespace\x18) \x01(\tR\fphpNamespace\x124\n" +
+	"\x16php_metadata_namespace\x18, \x01(\tR\x14phpMetadataNamespace\x12!\n" +
+	"\fruby_package\x18- \x01(\tR\vrubyPackage\x127\n" +
+	"\bfeatures\x182 \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption\":\n" +
+	"\fOptimizeMode\x12\t\n" +
+	"\x05SPEED\x10\x01\x12\r\n" +
+	"\tCODE_SIZE\x10\x02\x12\x10\n" +
+	"\fLITE_RUNTIME\x10\x03*\t\b\xe8\a\x10\x80\x80\x80\x80\x02J\x04\b*\x10+J\x04\b&\x10'R\x14php_generic_services\"\xf4\x03\n" +
+	"\x0eMessageOptions\x12<\n" +
+	"\x17message_set_wire_format\x18\x01 \x01(\b:\x05falseR\x14messageSetWireFormat\x12L\n" +
+	"\x1fno_standard_descriptor_accessor\x18\x02 \x01(\b:\x05falseR\x1cnoStandardDescriptorAccessor\x12%\n" +
+	"\n" +
+	"deprecated\x18\x03 \x01(\b:\x05falseR\n" +
+	"deprecated\x12\x1b\n" +
+	"\tmap_entry\x18\a \x01(\bR\bmapEntry\x12V\n" +
+	"&deprecated_legacy_json_field_conflicts\x18\v \x01(\bB\x02\x18\x01R\"deprecatedLegacyJsonFieldConflicts\x127\n" +
+	"\bfeatures\x18\f \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption*\t\b\xe8\a\x10\x80\x80\x80\x80\x02J\x04\b\x04\x10\x05J\x04\b\x05\x10\x06J\x04\b\x06\x10\aJ\x04\b\b\x10\tJ\x04\b\t\x10\n" +
+	"\"\xa1\r\n" +
+	"\fFieldOptions\x12A\n" +
+	"\x05ctype\x18\x01 \x01(\x0e2#.google.protobuf.FieldOptions.CType:\x06STRINGR\x05ctype\x12\x16\n" +
+	"\x06packed\x18\x02 \x01(\bR\x06packed\x12G\n" +
+	"\x06jstype\x18\x06 \x01(\x0e2$.google.protobuf.FieldOptions.JSType:\tJS_NORMALR\x06jstype\x12\x19\n" +
+	"\x04lazy\x18\x05 \x01(\b:\x05falseR\x04lazy\x12.\n" +
+	"\x0funverified_lazy\x18\x0f \x01(\b:\x05falseR\x0eunverifiedLazy\x12%\n" +
+	"\n" +
+	"deprecated\x18\x03 \x01(\b:\x05falseR\n" +
+	"deprecated\x12\x1d\n" +
+	"\x04weak\x18\n" +
+	" \x01(\b:\x05falseB\x02\x18\x01R\x04weak\x12(\n" +
+	"\fdebug_redact\x18\x10 \x01(\b:\x05falseR\vdebugRedact\x12K\n" +
+	"\tretention\x18\x11 \x01(\x0e2-.google.protobuf.FieldOptions.OptionRetentionR\tretention\x12H\n" +
+	"\atargets\x18\x13 \x03(\x0e2..google.protobuf.FieldOptions.OptionTargetTypeR\atargets\x12W\n" +
+	"\x10edition_defaults\x18\x14 \x03(\v2,.google.protobuf.FieldOptions.EditionDefaultR\x0feditionDefaults\x127\n" +
+	"\bfeatures\x18\x15 \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12U\n" +
+	"\x0ffeature_support\x18\x16 \x01(\v2,.google.protobuf.FieldOptions.FeatureSupportR\x0efeatureSupport\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption\x1aZ\n" +
+	"\x0eEditionDefault\x122\n" +
+	"\aedition\x18\x03 \x01(\x0e2\x18.google.protobuf.EditionR\aedition\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value\x1a\x96\x02\n" +
+	"\x0eFeatureSupport\x12G\n" +
+	"\x12edition_introduced\x18\x01 \x01(\x0e2\x18.google.protobuf.EditionR\x11editionIntroduced\x12G\n" +
+	"\x12edition_deprecated\x18\x02 \x01(\x0e2\x18.google.protobuf.EditionR\x11editionDeprecated\x12/\n" +
+	"\x13deprecation_warning\x18\x03 \x01(\tR\x12deprecationWarning\x12A\n" +
+	"\x0fedition_removed\x18\x04 \x01(\x0e2\x18.google.protobuf.EditionR\x0eeditionRemoved\"/\n" +
+	"\x05CType\x12\n" +
+	"\n" +
+	"\x06STRING\x10\x00\x12\b\n" +
+	"\x04CORD\x10\x01\x12\x10\n" +
+	"\fSTRING_PIECE\x10\x02\"5\n" +
+	"\x06JSType\x12\r\n" +
+	"\tJS_NORMAL\x10\x00\x12\r\n" +
+	"\tJS_STRING\x10\x01\x12\r\n" +
+	"\tJS_NUMBER\x10\x02\"U\n" +
+	"\x0fOptionRetention\x12\x15\n" +
+	"\x11RETENTION_UNKNOWN\x10\x00\x12\x15\n" +
+	"\x11RETENTION_RUNTIME\x10\x01\x12\x14\n" +
+	"\x10RETENTION_SOURCE\x10\x02\"\x8c\x02\n" +
+	"\x10OptionTargetType\x12\x17\n" +
+	"\x13TARGET_TYPE_UNKNOWN\x10\x00\x12\x14\n" +
+	"\x10TARGET_TYPE_FILE\x10\x01\x12\x1f\n" +
+	"\x1bTARGET_TYPE_EXTENSION_RANGE\x10\x02\x12\x17\n" +
+	"\x13TARGET_TYPE_MESSAGE\x10\x03\x12\x15\n" +
+	"\x11TARGET_TYPE_FIELD\x10\x04\x12\x15\n" +
+	"\x11TARGET_TYPE_ONEOF\x10\x05\x12\x14\n" +
+	"\x10TARGET_TYPE_ENUM\x10\x06\x12\x1a\n" +
+	"\x16TARGET_TYPE_ENUM_ENTRY\x10\a\x12\x17\n" +
+	"\x13TARGET_TYPE_SERVICE\x10\b\x12\x16\n" +
+	"\x12TARGET_TYPE_METHOD\x10\t*\t\b\xe8\a\x10\x80\x80\x80\x80\x02J\x04\b\x04\x10\x05J\x04\b\x12\x10\x13\"\xac\x01\n" +
+	"\fOneofOptions\x127\n" +
+	"\bfeatures\x18\x01 \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption*\t\b\xe8\a\x10\x80\x80\x80\x80\x02\"\xd1\x02\n" +
+	"\vEnumOptions\x12\x1f\n" +
+	"\vallow_alias\x18\x02 \x01(\bR\n" +
+	"allowAlias\x12%\n" +
+	"\n" +
+	"deprecated\x18\x03 \x01(\b:\x05falseR\n" +
+	"deprecated\x12V\n" +
+	"&deprecated_legacy_json_field_conflicts\x18\x06 \x01(\bB\x02\x18\x01R\"deprecatedLegacyJsonFieldConflicts\x127\n" +
+	"\bfeatures\x18\a \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption*\t\b\xe8\a\x10\x80\x80\x80\x80\x02J\x04\b\x05\x10\x06\"\xd8\x02\n" +
+	"\x10EnumValueOptions\x12%\n" +
+	"\n" +
+	"deprecated\x18\x01 \x01(\b:\x05falseR\n" +
+	"deprecated\x127\n" +
+	"\bfeatures\x18\x02 \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12(\n" +
+	"\fdebug_redact\x18\x03 \x01(\b:\x05falseR\vdebugRedact\x12U\n" +
+	"\x0ffeature_support\x18\x04 \x01(\v2,.google.protobuf.FieldOptions.FeatureSupportR\x0efeatureSupport\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption*\t\b\xe8\a\x10\x80\x80\x80\x80\x02\"\xd5\x01\n" +
+	"\x0eServiceOptions\x127\n" +
+	"\bfeatures\x18\" \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12%\n" +
+	"\n" +
+	"deprecated\x18! \x01(\b:\x05falseR\n" +
+	"deprecated\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption*\t\b\xe8\a\x10\x80\x80\x80\x80\x02\"\x99\x03\n" +
+	"\rMethodOptions\x12%\n" +
+	"\n" +
+	"deprecated\x18! \x01(\b:\x05falseR\n" +
+	"deprecated\x12q\n" +
+	"\x11idempotency_level\x18\" \x01(\x0e2/.google.protobuf.MethodOptions.IdempotencyLevel:\x13IDEMPOTENCY_UNKNOWNR\x10idempotencyLevel\x127\n" +
+	"\bfeatures\x18# \x01(\v2\x1b.google.protobuf.FeatureSetR\bfeatures\x12X\n" +
+	"\x14uninterpreted_option\x18\xe7\a \x03(\v2$.google.protobuf.UninterpretedOptionR\x13uninterpretedOption\"P\n" +
+	"\x10IdempotencyLevel\x12\x17\n" +
+	"\x13IDEMPOTENCY_UNKNOWN\x10\x00\x12\x13\n" +
+	"\x0fNO_SIDE_EFFECTS\x10\x01\x12\x0e\n" +
+	"\n" +
+	"IDEMPOTENT\x10\x02*\t\b\xe8\a\x10\x80\x80\x80\x80\x02\"\x9a\x03\n" +
+	"\x13UninterpretedOption\x12A\n" +
+	"\x04name\x18\x02 \x03(\v2-.google.protobuf.UninterpretedOption.NamePartR\x04name\x12)\n" +
+	"\x10identifier_value\x18\x03 \x01(\tR\x0fidentifierValue\x12,\n" +
+	"\x12positive_int_value\x18\x04 \x01(\x04R\x10positiveIntValue\x12,\n" +
+	"\x12negative_int_value\x18\x05 \x01(\x03R\x10negativeIntValue\x12!\n" +
+	"\fdouble_value\x18\x06 \x01(\x01R\vdoubleValue\x12!\n" +
+	"\fstring_value\x18\a \x01(\fR\vstringValue\x12'\n" +
+	"\x0faggregate_value\x18\b \x01(\tR\x0eaggregateValue\x1aJ\n" +
+	"\bNamePart\x12\x1b\n" +
+	"\tname_part\x18\x01 \x02(\tR\bnamePart\x12!\n" +
+	"\fis_extension\x18\x02 \x02(\bR\visExtension\"\x8e\x0f\n" +
+	"\n" +
+	"FeatureSet\x12\x91\x01\n" +
+	"\x0efield_presence\x18\x01 \x01(\x0e2).google.protobuf.FeatureSet.FieldPresenceB?\x88\x01\x01\x98\x01\x04\x98\x01\x01\xa2\x01\r\x12\bEXPLICIT\x18\x84\a\xa2\x01\r\x12\bIMPLICIT\x18\xe7\a\xa2\x01\r\x12\bEXPLICIT\x18\xe8\a\xb2\x01\x03\b\xe8\aR\rfieldPresence\x12l\n" +
+	"\tenum_type\x18\x02 \x01(\x0e2$.google.protobuf.FeatureSet.EnumTypeB)\x88\x01\x01\x98\x01\x06\x98\x01\x01\xa2\x01\v\x12\x06CLOSED\x18\x84\a\xa2\x01\t\x12\x04OPEN\x18\xe7\a\xb2\x01\x03\b\xe8\aR\benumType\x12\x98\x01\n" +
+	"\x17repeated_field_encoding\x18\x03 \x01(\x0e21.google.protobuf.FeatureSet.RepeatedFieldEncodingB-\x88\x01\x01\x98\x01\x04\x98\x01\x01\xa2\x01\r\x12\bEXPANDED\x18\x84\a\xa2\x01\v\x12\x06PACKED\x18\xe7\a\xb2\x01\x03\b\xe8\aR\x15repeatedFieldEncoding\x12~\n" +
+	"\x0futf8_validation\x18\x04 \x01(\x0e2*.google.protobuf.FeatureSet.Utf8ValidationB)\x88\x01\x01\x98\x01\x04\x98\x01\x01\xa2\x01\t\x12\x04NONE\x18\x84\a\xa2\x01\v\x12\x06VERIFY\x18\xe7\a\xb2\x01\x03\b\xe8\aR\x0eutf8Validation\x12~\n" +
+	"\x10message_encoding\x18\x05 \x01(\x0e2+.google.protobuf.FeatureSet.MessageEncodingB&\x88\x01\x01\x98\x01\x04\x98\x01\x01\xa2\x01\x14\x12\x0fLENGTH_PREFIXED\x18\x84\a\xb2\x01\x03\b\xe8\aR\x0fmessageEncoding\x12\x82\x01\n" +
+	"\vjson_format\x18\x06 \x01(\x0e2&.google.protobuf.FeatureSet.JsonFormatB9\x88\x01\x01\x98\x01\x03\x98\x01\x06\x98\x01\x01\xa2\x01\x17\x12\x12LEGACY_BEST_EFFORT\x18\x84\a\xa2\x01\n" +
+	"\x12\x05ALLOW\x18\xe7\a\xb2\x01\x03\b\xe8\aR\n" +
+	"jsonFormat\x12\xab\x01\n" +
+	"\x14enforce_naming_style\x18\a \x01(\x0e2..google.protobuf.FeatureSet.EnforceNamingStyleBI\x88\x01\x02\x98\x01\x01\x98\x01\x02\x98\x01\x03\x98\x01\x04\x98\x01\x05\x98\x01\x06\x98\x01\a\x98\x01\b\x98\x01\t\xa2\x01\x11\x12\fSTYLE_LEGACY\x18\x84\a\xa2\x01\x0e\x12\tSTYLE2024\x18\xe9\a\xb2\x01\x03\b\xe9\aR\x12enforceNamingStyle\x12\xb9\x01\n" +
+	"\x19default_symbol_visibility\x18\b \x01(\x0e2E.google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibilityB6\x88\x01\x02\x98\x01\x01\xa2\x01\x0f\x12\n" +
+	"EXPORT_ALL\x18\x84\a\xa2\x01\x15\x12\x10EXPORT_TOP_LEVEL\x18\xe9\a\xb2\x01\x03\b\xe9\aR\x17defaultSymbolVisibility\x1a\xa1\x01\n" +
+	"\x11VisibilityFeature\"\x81\x01\n" +
+	"\x17DefaultSymbolVisibility\x12%\n" +
+	"!DEFAULT_SYMBOL_VISIBILITY_UNKNOWN\x10\x00\x12\x0e\n" +
+	"\n" +
+	"EXPORT_ALL\x10\x01\x12\x14\n" +
+	"\x10EXPORT_TOP_LEVEL\x10\x02\x12\r\n" +
+	"\tLOCAL_ALL\x10\x03\x12\n" +
+	"\n" +
+	"\x06STRICT\x10\x04J\b\b\x01\x10\x80\x80\x80\x80\x02\"\\\n" +
+	"\rFieldPresence\x12\x1a\n" +
+	"\x16FIELD_PRESENCE_UNKNOWN\x10\x00\x12\f\n" +
+	"\bEXPLICIT\x10\x01\x12\f\n" +
+	"\bIMPLICIT\x10\x02\x12\x13\n" +
+	"\x0fLEGACY_REQUIRED\x10\x03\"7\n" +
+	"\bEnumType\x12\x15\n" +
+	"\x11ENUM_TYPE_UNKNOWN\x10\x00\x12\b\n" +
+	"\x04OPEN\x10\x01\x12\n" +
+	"\n" +
+	"\x06CLOSED\x10\x02\"V\n" +
+	"\x15RepeatedFieldEncoding\x12#\n" +
+	"\x1fREPEATED_FIELD_ENCODING_UNKNOWN\x10\x00\x12\n" +
+	"\n" +
+	"\x06PACKED\x10\x01\x12\f\n" +
+	"\bEXPANDED\x10\x02\"I\n" +
+	"\x0eUtf8Validation\x12\x1b\n" +
+	"\x17UTF8_VALIDATION_UNKNOWN\x10\x00\x12\n" +
+	"\n" +
+	"\x06VERIFY\x10\x02\x12\b\n" +
+	"\x04NONE\x10\x03\"\x04\b\x01\x10\x01\"S\n" +
+	"\x0fMessageEncoding\x12\x1c\n" +
+	"\x18MESSAGE_ENCODING_UNKNOWN\x10\x00\x12\x13\n" +
+	"\x0fLENGTH_PREFIXED\x10\x01\x12\r\n" +
+	"\tDELIMITED\x10\x02\"H\n" +
+	"\n" +
+	"JsonFormat\x12\x17\n" +
+	"\x13JSON_FORMAT_UNKNOWN\x10\x00\x12\t\n" +
+	"\x05ALLOW\x10\x01\x12\x16\n" +
+	"\x12LEGACY_BEST_EFFORT\x10\x02\"W\n" +
+	"\x12EnforceNamingStyle\x12 \n" +
+	"\x1cENFORCE_NAMING_STYLE_UNKNOWN\x10\x00\x12\r\n" +
+	"\tSTYLE2024\x10\x01\x12\x10\n" +
+	"\fSTYLE_LEGACY\x10\x02*\x06\b\xe8\a\x10\x8bN*\x06\b\x8bN\x10\x90N*\x06\b\x90N\x10\x91NJ\x06\b\xe7\a\x10\xe8\a\"\xef\x03\n" +
+	"\x12FeatureSetDefaults\x12X\n" +
+	"\bdefaults\x18\x01 \x03(\v2<.google.protobuf.FeatureSetDefaults.FeatureSetEditionDefaultR\bdefaults\x12A\n" +
+	"\x0fminimum_edition\x18\x04 \x01(\x0e2\x18.google.protobuf.EditionR\x0eminimumEdition\x12A\n" +
+	"\x0fmaximum_edition\x18\x05 \x01(\x0e2\x18.google.protobuf.EditionR\x0emaximumEdition\x1a\xf8\x01\n" +
+	"\x18FeatureSetEditionDefault\x122\n" +
+	"\aedition\x18\x03 \x01(\x0e2\x18.google.protobuf.EditionR\aedition\x12N\n" +
+	"\x14overridable_features\x18\x04 \x01(\v2\x1b.google.protobuf.FeatureSetR\x13overridableFeatures\x12B\n" +
+	"\x0efixed_features\x18\x05 \x01(\v2\x1b.google.protobuf.FeatureSetR\rfixedFeaturesJ\x04\b\x01\x10\x02J\x04\b\x02\x10\x03R\bfeatures\"\xb5\x02\n" +
+	"\x0eSourceCodeInfo\x12D\n" +
+	"\blocation\x18\x01 \x03(\v2(.google.protobuf.SourceCodeInfo.LocationR\blocation\x1a\xce\x01\n" +
+	"\bLocation\x12\x16\n" +
+	"\x04path\x18\x01 \x03(\x05B\x02\x10\x01R\x04path\x12\x16\n" +
+	"\x04span\x18\x02 \x03(\x05B\x02\x10\x01R\x04span\x12)\n" +
+	"\x10leading_comments\x18\x03 \x01(\tR\x0fleadingComments\x12+\n" +
+	"\x11trailing_comments\x18\x04 \x01(\tR\x10trailingComments\x12:\n" +
+	"\x19leading_detached_comments\x18\x06 \x03(\tR\x17leadingDetachedComments*\f\b\x80\xec\xca\xff\x01\x10\x81\xec\xca\xff\x01\"\xd0\x02\n" +
+	"\x11GeneratedCodeInfo\x12M\n" +
+	"\n" +
+	"annotation\x18\x01 \x03(\v2-.google.protobuf.GeneratedCodeInfo.AnnotationR\n" +
+	"annotation\x1a\xeb\x01\n" +
+	"\n" +
+	"Annotation\x12\x16\n" +
+	"\x04path\x18\x01 \x03(\x05B\x02\x10\x01R\x04path\x12\x1f\n" +
+	"\vsource_file\x18\x02 \x01(\tR\n" +
+	"sourceFile\x12\x14\n" +
+	"\x05begin\x18\x03 \x01(\x05R\x05begin\x12\x10\n" +
+	"\x03end\x18\x04 \x01(\x05R\x03end\x12R\n" +
+	"\bsemantic\x18\x05 \x01(\x0e26.google.protobuf.GeneratedCodeInfo.Annotation.SemanticR\bsemantic\"(\n" +
+	"\bSemantic\x12\b\n" +
+	"\x04NONE\x10\x00\x12\a\n" +
+	"\x03SET\x10\x01\x12\t\n" +
+	"\x05ALIAS\x10\x02*\xa7\x02\n" +
+	"\aEdition\x12\x13\n" +
+	"\x0fEDITION_UNKNOWN\x10\x00\x12\x13\n" +
+	"\x0eEDITION_LEGACY\x10\x84\a\x12\x13\n" +
+	"\x0eEDITION_PROTO2\x10\xe6\a\x12\x13\n" +
+	"\x0eEDITION_PROTO3\x10\xe7\a\x12\x11\n" +
+	"\fEDITION_2023\x10\xe8\a\x12\x11\n" +
+	"\fEDITION_2024\x10\xe9\a\x12\x17\n" +
+	"\x13EDITION_1_TEST_ONLY\x10\x01\x12\x17\n" +
+	"\x13EDITION_2_TEST_ONLY\x10\x02\x12\x1d\n" +
+	"\x17EDITION_99997_TEST_ONLY\x10\x9d\x8d\x06\x12\x1d\n" +
+	"\x17EDITION_99998_TEST_ONLY\x10\x9e\x8d\x06\x12\x1d\n" +
+	"\x17EDITION_99999_TEST_ONLY\x10\x9f\x8d\x06\x12\x13\n" +
+	"\vEDITION_MAX\x10\xff\xff\xff\xff\a*U\n" +
+	"\x10SymbolVisibility\x12\x14\n" +
+	"\x10VISIBILITY_UNSET\x10\x00\x12\x14\n" +
+	"\x10VISIBILITY_LOCAL\x10\x01\x12\x15\n" +
+	"\x11VISIBILITY_EXPORT\x10\x02B~\n" +
+	"\x13com.google.protobufB\x10DescriptorProtosH\x01Z-google.golang.org/protobuf/types/descriptorpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1aGoogle.Protobuf.Reflection"
 
 var (
 	file_google_protobuf_descriptor_proto_rawDescOnce sync.Once
@@ -5145,143 +5065,151 @@ func file_google_protobuf_descriptor_proto_rawDescGZIP() []byte {
 	return file_google_protobuf_descriptor_proto_rawDescData
 }
 
-var file_google_protobuf_descriptor_proto_enumTypes = make([]protoimpl.EnumInfo, 17)
-var file_google_protobuf_descriptor_proto_msgTypes = make([]protoimpl.MessageInfo, 33)
+var file_google_protobuf_descriptor_proto_enumTypes = make([]protoimpl.EnumInfo, 20)
+var file_google_protobuf_descriptor_proto_msgTypes = make([]protoimpl.MessageInfo, 34)
 var file_google_protobuf_descriptor_proto_goTypes = []any{
-	(Edition)(0), // 0: google.protobuf.Edition
-	(ExtensionRangeOptions_VerificationState)(0),        // 1: google.protobuf.ExtensionRangeOptions.VerificationState
-	(FieldDescriptorProto_Type)(0),                      // 2: google.protobuf.FieldDescriptorProto.Type
-	(FieldDescriptorProto_Label)(0),                     // 3: google.protobuf.FieldDescriptorProto.Label
-	(FileOptions_OptimizeMode)(0),                       // 4: google.protobuf.FileOptions.OptimizeMode
-	(FieldOptions_CType)(0),                             // 5: google.protobuf.FieldOptions.CType
-	(FieldOptions_JSType)(0),                            // 6: google.protobuf.FieldOptions.JSType
-	(FieldOptions_OptionRetention)(0),                   // 7: google.protobuf.FieldOptions.OptionRetention
-	(FieldOptions_OptionTargetType)(0),                  // 8: google.protobuf.FieldOptions.OptionTargetType
-	(MethodOptions_IdempotencyLevel)(0),                 // 9: google.protobuf.MethodOptions.IdempotencyLevel
-	(FeatureSet_FieldPresence)(0),                       // 10: google.protobuf.FeatureSet.FieldPresence
-	(FeatureSet_EnumType)(0),                            // 11: google.protobuf.FeatureSet.EnumType
-	(FeatureSet_RepeatedFieldEncoding)(0),               // 12: google.protobuf.FeatureSet.RepeatedFieldEncoding
-	(FeatureSet_Utf8Validation)(0),                      // 13: google.protobuf.FeatureSet.Utf8Validation
-	(FeatureSet_MessageEncoding)(0),                     // 14: google.protobuf.FeatureSet.MessageEncoding
-	(FeatureSet_JsonFormat)(0),                          // 15: google.protobuf.FeatureSet.JsonFormat
-	(GeneratedCodeInfo_Annotation_Semantic)(0),          // 16: google.protobuf.GeneratedCodeInfo.Annotation.Semantic
-	(*FileDescriptorSet)(nil),                           // 17: google.protobuf.FileDescriptorSet
-	(*FileDescriptorProto)(nil),                         // 18: google.protobuf.FileDescriptorProto
-	(*DescriptorProto)(nil),                             // 19: google.protobuf.DescriptorProto
-	(*ExtensionRangeOptions)(nil),                       // 20: google.protobuf.ExtensionRangeOptions
-	(*FieldDescriptorProto)(nil),                        // 21: google.protobuf.FieldDescriptorProto
-	(*OneofDescriptorProto)(nil),                        // 22: google.protobuf.OneofDescriptorProto
-	(*EnumDescriptorProto)(nil),                         // 23: google.protobuf.EnumDescriptorProto
-	(*EnumValueDescriptorProto)(nil),                    // 24: google.protobuf.EnumValueDescriptorProto
-	(*ServiceDescriptorProto)(nil),                      // 25: google.protobuf.ServiceDescriptorProto
-	(*MethodDescriptorProto)(nil),                       // 26: google.protobuf.MethodDescriptorProto
-	(*FileOptions)(nil),                                 // 27: google.protobuf.FileOptions
-	(*MessageOptions)(nil),                              // 28: google.protobuf.MessageOptions
-	(*FieldOptions)(nil),                                // 29: google.protobuf.FieldOptions
-	(*OneofOptions)(nil),                                // 30: google.protobuf.OneofOptions
-	(*EnumOptions)(nil),                                 // 31: google.protobuf.EnumOptions
-	(*EnumValueOptions)(nil),                            // 32: google.protobuf.EnumValueOptions
-	(*ServiceOptions)(nil),                              // 33: google.protobuf.ServiceOptions
-	(*MethodOptions)(nil),                               // 34: google.protobuf.MethodOptions
-	(*UninterpretedOption)(nil),                         // 35: google.protobuf.UninterpretedOption
-	(*FeatureSet)(nil),                                  // 36: google.protobuf.FeatureSet
-	(*FeatureSetDefaults)(nil),                          // 37: google.protobuf.FeatureSetDefaults
-	(*SourceCodeInfo)(nil),                              // 38: google.protobuf.SourceCodeInfo
-	(*GeneratedCodeInfo)(nil),                           // 39: google.protobuf.GeneratedCodeInfo
-	(*DescriptorProto_ExtensionRange)(nil),              // 40: google.protobuf.DescriptorProto.ExtensionRange
-	(*DescriptorProto_ReservedRange)(nil),               // 41: google.protobuf.DescriptorProto.ReservedRange
-	(*ExtensionRangeOptions_Declaration)(nil),           // 42: google.protobuf.ExtensionRangeOptions.Declaration
-	(*EnumDescriptorProto_EnumReservedRange)(nil),       // 43: google.protobuf.EnumDescriptorProto.EnumReservedRange
-	(*FieldOptions_EditionDefault)(nil),                 // 44: google.protobuf.FieldOptions.EditionDefault
-	(*FieldOptions_FeatureSupport)(nil),                 // 45: google.protobuf.FieldOptions.FeatureSupport
-	(*UninterpretedOption_NamePart)(nil),                // 46: google.protobuf.UninterpretedOption.NamePart
-	(*FeatureSetDefaults_FeatureSetEditionDefault)(nil), // 47: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault
-	(*SourceCodeInfo_Location)(nil),                     // 48: google.protobuf.SourceCodeInfo.Location
-	(*GeneratedCodeInfo_Annotation)(nil),                // 49: google.protobuf.GeneratedCodeInfo.Annotation
+	(Edition)(0),          // 0: google.protobuf.Edition
+	(SymbolVisibility)(0), // 1: google.protobuf.SymbolVisibility
+	(ExtensionRangeOptions_VerificationState)(0),              // 2: google.protobuf.ExtensionRangeOptions.VerificationState
+	(FieldDescriptorProto_Type)(0),                            // 3: google.protobuf.FieldDescriptorProto.Type
+	(FieldDescriptorProto_Label)(0),                           // 4: google.protobuf.FieldDescriptorProto.Label
+	(FileOptions_OptimizeMode)(0),                             // 5: google.protobuf.FileOptions.OptimizeMode
+	(FieldOptions_CType)(0),                                   // 6: google.protobuf.FieldOptions.CType
+	(FieldOptions_JSType)(0),                                  // 7: google.protobuf.FieldOptions.JSType
+	(FieldOptions_OptionRetention)(0),                         // 8: google.protobuf.FieldOptions.OptionRetention
+	(FieldOptions_OptionTargetType)(0),                        // 9: google.protobuf.FieldOptions.OptionTargetType
+	(MethodOptions_IdempotencyLevel)(0),                       // 10: google.protobuf.MethodOptions.IdempotencyLevel
+	(FeatureSet_FieldPresence)(0),                             // 11: google.protobuf.FeatureSet.FieldPresence
+	(FeatureSet_EnumType)(0),                                  // 12: google.protobuf.FeatureSet.EnumType
+	(FeatureSet_RepeatedFieldEncoding)(0),                     // 13: google.protobuf.FeatureSet.RepeatedFieldEncoding
+	(FeatureSet_Utf8Validation)(0),                            // 14: google.protobuf.FeatureSet.Utf8Validation
+	(FeatureSet_MessageEncoding)(0),                           // 15: google.protobuf.FeatureSet.MessageEncoding
+	(FeatureSet_JsonFormat)(0),                                // 16: google.protobuf.FeatureSet.JsonFormat
+	(FeatureSet_EnforceNamingStyle)(0),                        // 17: google.protobuf.FeatureSet.EnforceNamingStyle
+	(FeatureSet_VisibilityFeature_DefaultSymbolVisibility)(0), // 18: google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility
+	(GeneratedCodeInfo_Annotation_Semantic)(0),                // 19: google.protobuf.GeneratedCodeInfo.Annotation.Semantic
+	(*FileDescriptorSet)(nil),                                 // 20: google.protobuf.FileDescriptorSet
+	(*FileDescriptorProto)(nil),                               // 21: google.protobuf.FileDescriptorProto
+	(*DescriptorProto)(nil),                                   // 22: google.protobuf.DescriptorProto
+	(*ExtensionRangeOptions)(nil),                             // 23: google.protobuf.ExtensionRangeOptions
+	(*FieldDescriptorProto)(nil),                              // 24: google.protobuf.FieldDescriptorProto
+	(*OneofDescriptorProto)(nil),                              // 25: google.protobuf.OneofDescriptorProto
+	(*EnumDescriptorProto)(nil),                               // 26: google.protobuf.EnumDescriptorProto
+	(*EnumValueDescriptorProto)(nil),                          // 27: google.protobuf.EnumValueDescriptorProto
+	(*ServiceDescriptorProto)(nil),                            // 28: google.protobuf.ServiceDescriptorProto
+	(*MethodDescriptorProto)(nil),                             // 29: google.protobuf.MethodDescriptorProto
+	(*FileOptions)(nil),                                       // 30: google.protobuf.FileOptions
+	(*MessageOptions)(nil),                                    // 31: google.protobuf.MessageOptions
+	(*FieldOptions)(nil),                                      // 32: google.protobuf.FieldOptions
+	(*OneofOptions)(nil),                                      // 33: google.protobuf.OneofOptions
+	(*EnumOptions)(nil),                                       // 34: google.protobuf.EnumOptions
+	(*EnumValueOptions)(nil),                                  // 35: google.protobuf.EnumValueOptions
+	(*ServiceOptions)(nil),                                    // 36: google.protobuf.ServiceOptions
+	(*MethodOptions)(nil),                                     // 37: google.protobuf.MethodOptions
+	(*UninterpretedOption)(nil),                               // 38: google.protobuf.UninterpretedOption
+	(*FeatureSet)(nil),                                        // 39: google.protobuf.FeatureSet
+	(*FeatureSetDefaults)(nil),                                // 40: google.protobuf.FeatureSetDefaults
+	(*SourceCodeInfo)(nil),                                    // 41: google.protobuf.SourceCodeInfo
+	(*GeneratedCodeInfo)(nil),                                 // 42: google.protobuf.GeneratedCodeInfo
+	(*DescriptorProto_ExtensionRange)(nil),                    // 43: google.protobuf.DescriptorProto.ExtensionRange
+	(*DescriptorProto_ReservedRange)(nil),                     // 44: google.protobuf.DescriptorProto.ReservedRange
+	(*ExtensionRangeOptions_Declaration)(nil),                 // 45: google.protobuf.ExtensionRangeOptions.Declaration
+	(*EnumDescriptorProto_EnumReservedRange)(nil),             // 46: google.protobuf.EnumDescriptorProto.EnumReservedRange
+	(*FieldOptions_EditionDefault)(nil),                       // 47: google.protobuf.FieldOptions.EditionDefault
+	(*FieldOptions_FeatureSupport)(nil),                       // 48: google.protobuf.FieldOptions.FeatureSupport
+	(*UninterpretedOption_NamePart)(nil),                      // 49: google.protobuf.UninterpretedOption.NamePart
+	(*FeatureSet_VisibilityFeature)(nil),                      // 50: google.protobuf.FeatureSet.VisibilityFeature
+	(*FeatureSetDefaults_FeatureSetEditionDefault)(nil),       // 51: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault
+	(*SourceCodeInfo_Location)(nil),                           // 52: google.protobuf.SourceCodeInfo.Location
+	(*GeneratedCodeInfo_Annotation)(nil),                      // 53: google.protobuf.GeneratedCodeInfo.Annotation
 }
 var file_google_protobuf_descriptor_proto_depIdxs = []int32{
-	18, // 0: google.protobuf.FileDescriptorSet.file:type_name -> google.protobuf.FileDescriptorProto
-	19, // 1: google.protobuf.FileDescriptorProto.message_type:type_name -> google.protobuf.DescriptorProto
-	23, // 2: google.protobuf.FileDescriptorProto.enum_type:type_name -> google.protobuf.EnumDescriptorProto
-	25, // 3: google.protobuf.FileDescriptorProto.service:type_name -> google.protobuf.ServiceDescriptorProto
-	21, // 4: google.protobuf.FileDescriptorProto.extension:type_name -> google.protobuf.FieldDescriptorProto
-	27, // 5: google.protobuf.FileDescriptorProto.options:type_name -> google.protobuf.FileOptions
-	38, // 6: google.protobuf.FileDescriptorProto.source_code_info:type_name -> google.protobuf.SourceCodeInfo
+	21, // 0: google.protobuf.FileDescriptorSet.file:type_name -> google.protobuf.FileDescriptorProto
+	22, // 1: google.protobuf.FileDescriptorProto.message_type:type_name -> google.protobuf.DescriptorProto
+	26, // 2: google.protobuf.FileDescriptorProto.enum_type:type_name -> google.protobuf.EnumDescriptorProto
+	28, // 3: google.protobuf.FileDescriptorProto.service:type_name -> google.protobuf.ServiceDescriptorProto
+	24, // 4: google.protobuf.FileDescriptorProto.extension:type_name -> google.protobuf.FieldDescriptorProto
+	30, // 5: google.protobuf.FileDescriptorProto.options:type_name -> google.protobuf.FileOptions
+	41, // 6: google.protobuf.FileDescriptorProto.source_code_info:type_name -> google.protobuf.SourceCodeInfo
 	0,  // 7: google.protobuf.FileDescriptorProto.edition:type_name -> google.protobuf.Edition
-	21, // 8: google.protobuf.DescriptorProto.field:type_name -> google.protobuf.FieldDescriptorProto
-	21, // 9: google.protobuf.DescriptorProto.extension:type_name -> google.protobuf.FieldDescriptorProto
-	19, // 10: google.protobuf.DescriptorProto.nested_type:type_name -> google.protobuf.DescriptorProto
-	23, // 11: google.protobuf.DescriptorProto.enum_type:type_name -> google.protobuf.EnumDescriptorProto
-	40, // 12: google.protobuf.DescriptorProto.extension_range:type_name -> google.protobuf.DescriptorProto.ExtensionRange
-	22, // 13: google.protobuf.DescriptorProto.oneof_decl:type_name -> google.protobuf.OneofDescriptorProto
-	28, // 14: google.protobuf.DescriptorProto.options:type_name -> google.protobuf.MessageOptions
-	41, // 15: google.protobuf.DescriptorProto.reserved_range:type_name -> google.protobuf.DescriptorProto.ReservedRange
-	35, // 16: google.protobuf.ExtensionRangeOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	42, // 17: google.protobuf.ExtensionRangeOptions.declaration:type_name -> google.protobuf.ExtensionRangeOptions.Declaration
-	36, // 18: google.protobuf.ExtensionRangeOptions.features:type_name -> google.protobuf.FeatureSet
-	1,  // 19: google.protobuf.ExtensionRangeOptions.verification:type_name -> google.protobuf.ExtensionRangeOptions.VerificationState
-	3,  // 20: google.protobuf.FieldDescriptorProto.label:type_name -> google.protobuf.FieldDescriptorProto.Label
-	2,  // 21: google.protobuf.FieldDescriptorProto.type:type_name -> google.protobuf.FieldDescriptorProto.Type
-	29, // 22: google.protobuf.FieldDescriptorProto.options:type_name -> google.protobuf.FieldOptions
-	30, // 23: google.protobuf.OneofDescriptorProto.options:type_name -> google.protobuf.OneofOptions
-	24, // 24: google.protobuf.EnumDescriptorProto.value:type_name -> google.protobuf.EnumValueDescriptorProto
-	31, // 25: google.protobuf.EnumDescriptorProto.options:type_name -> google.protobuf.EnumOptions
-	43, // 26: google.protobuf.EnumDescriptorProto.reserved_range:type_name -> google.protobuf.EnumDescriptorProto.EnumReservedRange
-	32, // 27: google.protobuf.EnumValueDescriptorProto.options:type_name -> google.protobuf.EnumValueOptions
-	26, // 28: google.protobuf.ServiceDescriptorProto.method:type_name -> google.protobuf.MethodDescriptorProto
-	33, // 29: google.protobuf.ServiceDescriptorProto.options:type_name -> google.protobuf.ServiceOptions
-	34, // 30: google.protobuf.MethodDescriptorProto.options:type_name -> google.protobuf.MethodOptions
-	4,  // 31: google.protobuf.FileOptions.optimize_for:type_name -> google.protobuf.FileOptions.OptimizeMode
-	36, // 32: google.protobuf.FileOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 33: google.protobuf.FileOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	36, // 34: google.protobuf.MessageOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 35: google.protobuf.MessageOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	5,  // 36: google.protobuf.FieldOptions.ctype:type_name -> google.protobuf.FieldOptions.CType
-	6,  // 37: google.protobuf.FieldOptions.jstype:type_name -> google.protobuf.FieldOptions.JSType
-	7,  // 38: google.protobuf.FieldOptions.retention:type_name -> google.protobuf.FieldOptions.OptionRetention
-	8,  // 39: google.protobuf.FieldOptions.targets:type_name -> google.protobuf.FieldOptions.OptionTargetType
-	44, // 40: google.protobuf.FieldOptions.edition_defaults:type_name -> google.protobuf.FieldOptions.EditionDefault
-	36, // 41: google.protobuf.FieldOptions.features:type_name -> google.protobuf.FeatureSet
-	45, // 42: google.protobuf.FieldOptions.feature_support:type_name -> google.protobuf.FieldOptions.FeatureSupport
-	35, // 43: google.protobuf.FieldOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	36, // 44: google.protobuf.OneofOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 45: google.protobuf.OneofOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	36, // 46: google.protobuf.EnumOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 47: google.protobuf.EnumOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	36, // 48: google.protobuf.EnumValueOptions.features:type_name -> google.protobuf.FeatureSet
-	45, // 49: google.protobuf.EnumValueOptions.feature_support:type_name -> google.protobuf.FieldOptions.FeatureSupport
-	35, // 50: google.protobuf.EnumValueOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	36, // 51: google.protobuf.ServiceOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 52: google.protobuf.ServiceOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	9,  // 53: google.protobuf.MethodOptions.idempotency_level:type_name -> google.protobuf.MethodOptions.IdempotencyLevel
-	36, // 54: google.protobuf.MethodOptions.features:type_name -> google.protobuf.FeatureSet
-	35, // 55: google.protobuf.MethodOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
-	46, // 56: google.protobuf.UninterpretedOption.name:type_name -> google.protobuf.UninterpretedOption.NamePart
-	10, // 57: google.protobuf.FeatureSet.field_presence:type_name -> google.protobuf.FeatureSet.FieldPresence
-	11, // 58: google.protobuf.FeatureSet.enum_type:type_name -> google.protobuf.FeatureSet.EnumType
-	12, // 59: google.protobuf.FeatureSet.repeated_field_encoding:type_name -> google.protobuf.FeatureSet.RepeatedFieldEncoding
-	13, // 60: google.protobuf.FeatureSet.utf8_validation:type_name -> google.protobuf.FeatureSet.Utf8Validation
-	14, // 61: google.protobuf.FeatureSet.message_encoding:type_name -> google.protobuf.FeatureSet.MessageEncoding
-	15, // 62: google.protobuf.FeatureSet.json_format:type_name -> google.protobuf.FeatureSet.JsonFormat
-	47, // 63: google.protobuf.FeatureSetDefaults.defaults:type_name -> google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault
-	0,  // 64: google.protobuf.FeatureSetDefaults.minimum_edition:type_name -> google.protobuf.Edition
-	0,  // 65: google.protobuf.FeatureSetDefaults.maximum_edition:type_name -> google.protobuf.Edition
-	48, // 66: google.protobuf.SourceCodeInfo.location:type_name -> google.protobuf.SourceCodeInfo.Location
-	49, // 67: google.protobuf.GeneratedCodeInfo.annotation:type_name -> google.protobuf.GeneratedCodeInfo.Annotation
-	20, // 68: google.protobuf.DescriptorProto.ExtensionRange.options:type_name -> google.protobuf.ExtensionRangeOptions
-	0,  // 69: google.protobuf.FieldOptions.EditionDefault.edition:type_name -> google.protobuf.Edition
-	0,  // 70: google.protobuf.FieldOptions.FeatureSupport.edition_introduced:type_name -> google.protobuf.Edition
-	0,  // 71: google.protobuf.FieldOptions.FeatureSupport.edition_deprecated:type_name -> google.protobuf.Edition
-	0,  // 72: google.protobuf.FieldOptions.FeatureSupport.edition_removed:type_name -> google.protobuf.Edition
-	0,  // 73: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.edition:type_name -> google.protobuf.Edition
-	36, // 74: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.overridable_features:type_name -> google.protobuf.FeatureSet
-	36, // 75: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.fixed_features:type_name -> google.protobuf.FeatureSet
-	16, // 76: google.protobuf.GeneratedCodeInfo.Annotation.semantic:type_name -> google.protobuf.GeneratedCodeInfo.Annotation.Semantic
-	77, // [77:77] is the sub-list for method output_type
-	77, // [77:77] is the sub-list for method input_type
-	77, // [77:77] is the sub-list for extension type_name
-	77, // [77:77] is the sub-list for extension extendee
-	0,  // [0:77] is the sub-list for field type_name
+	24, // 8: google.protobuf.DescriptorProto.field:type_name -> google.protobuf.FieldDescriptorProto
+	24, // 9: google.protobuf.DescriptorProto.extension:type_name -> google.protobuf.FieldDescriptorProto
+	22, // 10: google.protobuf.DescriptorProto.nested_type:type_name -> google.protobuf.DescriptorProto
+	26, // 11: google.protobuf.DescriptorProto.enum_type:type_name -> google.protobuf.EnumDescriptorProto
+	43, // 12: google.protobuf.DescriptorProto.extension_range:type_name -> google.protobuf.DescriptorProto.ExtensionRange
+	25, // 13: google.protobuf.DescriptorProto.oneof_decl:type_name -> google.protobuf.OneofDescriptorProto
+	31, // 14: google.protobuf.DescriptorProto.options:type_name -> google.protobuf.MessageOptions
+	44, // 15: google.protobuf.DescriptorProto.reserved_range:type_name -> google.protobuf.DescriptorProto.ReservedRange
+	1,  // 16: google.protobuf.DescriptorProto.visibility:type_name -> google.protobuf.SymbolVisibility
+	38, // 17: google.protobuf.ExtensionRangeOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	45, // 18: google.protobuf.ExtensionRangeOptions.declaration:type_name -> google.protobuf.ExtensionRangeOptions.Declaration
+	39, // 19: google.protobuf.ExtensionRangeOptions.features:type_name -> google.protobuf.FeatureSet
+	2,  // 20: google.protobuf.ExtensionRangeOptions.verification:type_name -> google.protobuf.ExtensionRangeOptions.VerificationState
+	4,  // 21: google.protobuf.FieldDescriptorProto.label:type_name -> google.protobuf.FieldDescriptorProto.Label
+	3,  // 22: google.protobuf.FieldDescriptorProto.type:type_name -> google.protobuf.FieldDescriptorProto.Type
+	32, // 23: google.protobuf.FieldDescriptorProto.options:type_name -> google.protobuf.FieldOptions
+	33, // 24: google.protobuf.OneofDescriptorProto.options:type_name -> google.protobuf.OneofOptions
+	27, // 25: google.protobuf.EnumDescriptorProto.value:type_name -> google.protobuf.EnumValueDescriptorProto
+	34, // 26: google.protobuf.EnumDescriptorProto.options:type_name -> google.protobuf.EnumOptions
+	46, // 27: google.protobuf.EnumDescriptorProto.reserved_range:type_name -> google.protobuf.EnumDescriptorProto.EnumReservedRange
+	1,  // 28: google.protobuf.EnumDescriptorProto.visibility:type_name -> google.protobuf.SymbolVisibility
+	35, // 29: google.protobuf.EnumValueDescriptorProto.options:type_name -> google.protobuf.EnumValueOptions
+	29, // 30: google.protobuf.ServiceDescriptorProto.method:type_name -> google.protobuf.MethodDescriptorProto
+	36, // 31: google.protobuf.ServiceDescriptorProto.options:type_name -> google.protobuf.ServiceOptions
+	37, // 32: google.protobuf.MethodDescriptorProto.options:type_name -> google.protobuf.MethodOptions
+	5,  // 33: google.protobuf.FileOptions.optimize_for:type_name -> google.protobuf.FileOptions.OptimizeMode
+	39, // 34: google.protobuf.FileOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 35: google.protobuf.FileOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	39, // 36: google.protobuf.MessageOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 37: google.protobuf.MessageOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	6,  // 38: google.protobuf.FieldOptions.ctype:type_name -> google.protobuf.FieldOptions.CType
+	7,  // 39: google.protobuf.FieldOptions.jstype:type_name -> google.protobuf.FieldOptions.JSType
+	8,  // 40: google.protobuf.FieldOptions.retention:type_name -> google.protobuf.FieldOptions.OptionRetention
+	9,  // 41: google.protobuf.FieldOptions.targets:type_name -> google.protobuf.FieldOptions.OptionTargetType
+	47, // 42: google.protobuf.FieldOptions.edition_defaults:type_name -> google.protobuf.FieldOptions.EditionDefault
+	39, // 43: google.protobuf.FieldOptions.features:type_name -> google.protobuf.FeatureSet
+	48, // 44: google.protobuf.FieldOptions.feature_support:type_name -> google.protobuf.FieldOptions.FeatureSupport
+	38, // 45: google.protobuf.FieldOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	39, // 46: google.protobuf.OneofOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 47: google.protobuf.OneofOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	39, // 48: google.protobuf.EnumOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 49: google.protobuf.EnumOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	39, // 50: google.protobuf.EnumValueOptions.features:type_name -> google.protobuf.FeatureSet
+	48, // 51: google.protobuf.EnumValueOptions.feature_support:type_name -> google.protobuf.FieldOptions.FeatureSupport
+	38, // 52: google.protobuf.EnumValueOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	39, // 53: google.protobuf.ServiceOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 54: google.protobuf.ServiceOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	10, // 55: google.protobuf.MethodOptions.idempotency_level:type_name -> google.protobuf.MethodOptions.IdempotencyLevel
+	39, // 56: google.protobuf.MethodOptions.features:type_name -> google.protobuf.FeatureSet
+	38, // 57: google.protobuf.MethodOptions.uninterpreted_option:type_name -> google.protobuf.UninterpretedOption
+	49, // 58: google.protobuf.UninterpretedOption.name:type_name -> google.protobuf.UninterpretedOption.NamePart
+	11, // 59: google.protobuf.FeatureSet.field_presence:type_name -> google.protobuf.FeatureSet.FieldPresence
+	12, // 60: google.protobuf.FeatureSet.enum_type:type_name -> google.protobuf.FeatureSet.EnumType
+	13, // 61: google.protobuf.FeatureSet.repeated_field_encoding:type_name -> google.protobuf.FeatureSet.RepeatedFieldEncoding
+	14, // 62: google.protobuf.FeatureSet.utf8_validation:type_name -> google.protobuf.FeatureSet.Utf8Validation
+	15, // 63: google.protobuf.FeatureSet.message_encoding:type_name -> google.protobuf.FeatureSet.MessageEncoding
+	16, // 64: google.protobuf.FeatureSet.json_format:type_name -> google.protobuf.FeatureSet.JsonFormat
+	17, // 65: google.protobuf.FeatureSet.enforce_naming_style:type_name -> google.protobuf.FeatureSet.EnforceNamingStyle
+	18, // 66: google.protobuf.FeatureSet.default_symbol_visibility:type_name -> google.protobuf.FeatureSet.VisibilityFeature.DefaultSymbolVisibility
+	51, // 67: google.protobuf.FeatureSetDefaults.defaults:type_name -> google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault
+	0,  // 68: google.protobuf.FeatureSetDefaults.minimum_edition:type_name -> google.protobuf.Edition
+	0,  // 69: google.protobuf.FeatureSetDefaults.maximum_edition:type_name -> google.protobuf.Edition
+	52, // 70: google.protobuf.SourceCodeInfo.location:type_name -> google.protobuf.SourceCodeInfo.Location
+	53, // 71: google.protobuf.GeneratedCodeInfo.annotation:type_name -> google.protobuf.GeneratedCodeInfo.Annotation
+	23, // 72: google.protobuf.DescriptorProto.ExtensionRange.options:type_name -> google.protobuf.ExtensionRangeOptions
+	0,  // 73: google.protobuf.FieldOptions.EditionDefault.edition:type_name -> google.protobuf.Edition
+	0,  // 74: google.protobuf.FieldOptions.FeatureSupport.edition_introduced:type_name -> google.protobuf.Edition
+	0,  // 75: google.protobuf.FieldOptions.FeatureSupport.edition_deprecated:type_name -> google.protobuf.Edition
+	0,  // 76: google.protobuf.FieldOptions.FeatureSupport.edition_removed:type_name -> google.protobuf.Edition
+	0,  // 77: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.edition:type_name -> google.protobuf.Edition
+	39, // 78: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.overridable_features:type_name -> google.protobuf.FeatureSet
+	39, // 79: google.protobuf.FeatureSetDefaults.FeatureSetEditionDefault.fixed_features:type_name -> google.protobuf.FeatureSet
+	19, // 80: google.protobuf.GeneratedCodeInfo.Annotation.semantic:type_name -> google.protobuf.GeneratedCodeInfo.Annotation.Semantic
+	81, // [81:81] is the sub-list for method output_type
+	81, // [81:81] is the sub-list for method input_type
+	81, // [81:81] is the sub-list for extension type_name
+	81, // [81:81] is the sub-list for extension extendee
+	0,  // [0:81] is the sub-list for field type_name
 }
 
 func init() { file_google_protobuf_descriptor_proto_init() }
@@ -5294,8 +5222,8 @@ func file_google_protobuf_descriptor_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_google_protobuf_descriptor_proto_rawDesc), len(file_google_protobuf_descriptor_proto_rawDesc)),
-			NumEnums:      17,
-			NumMessages:   33,
+			NumEnums:      20,
+			NumMessages:   34,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go b/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go
index 28d24bad79e57..37e712b6b7258 100644
--- a/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go
+++ b/vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go
@@ -228,63 +228,29 @@ var (
 
 var File_google_protobuf_go_features_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_go_features_proto_rawDesc = string([]byte{
-	0x0a, 0x21, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x67, 0x6f, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x12, 0x02, 0x70, 0x62, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
-	0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xab, 0x05, 0x0a, 0x0a, 0x47, 0x6f,
-	0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x12, 0xbe, 0x01, 0x0a, 0x1a, 0x6c, 0x65, 0x67,
-	0x61, 0x63, 0x79, 0x5f, 0x75, 0x6e, 0x6d, 0x61, 0x72, 0x73, 0x68, 0x61, 0x6c, 0x5f, 0x6a, 0x73,
-	0x6f, 0x6e, 0x5f, 0x65, 0x6e, 0x75, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x42, 0x80, 0x01,
-	0x88, 0x01, 0x01, 0x98, 0x01, 0x06, 0x98, 0x01, 0x01, 0xa2, 0x01, 0x09, 0x12, 0x04, 0x74, 0x72,
-	0x75, 0x65, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x0a, 0x12, 0x05, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x18,
-	0xe7, 0x07, 0xb2, 0x01, 0x5b, 0x08, 0xe8, 0x07, 0x10, 0xe8, 0x07, 0x1a, 0x53, 0x54, 0x68, 0x65,
-	0x20, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x20, 0x55, 0x6e, 0x6d, 0x61, 0x72, 0x73, 0x68, 0x61,
-	0x6c, 0x4a, 0x53, 0x4f, 0x4e, 0x20, 0x41, 0x50, 0x49, 0x20, 0x69, 0x73, 0x20, 0x64, 0x65, 0x70,
-	0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x77, 0x69, 0x6c, 0x6c,
-	0x20, 0x62, 0x65, 0x20, 0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x64, 0x20, 0x69, 0x6e, 0x20, 0x61,
-	0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x20, 0x65, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x2e,
-	0x52, 0x17, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x55, 0x6e, 0x6d, 0x61, 0x72, 0x73, 0x68, 0x61,
-	0x6c, 0x4a, 0x73, 0x6f, 0x6e, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x74, 0x0a, 0x09, 0x61, 0x70, 0x69,
-	0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x17, 0x2e, 0x70,
-	0x62, 0x2e, 0x47, 0x6f, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x2e, 0x41, 0x50, 0x49,
-	0x4c, 0x65, 0x76, 0x65, 0x6c, 0x42, 0x3e, 0x88, 0x01, 0x01, 0x98, 0x01, 0x03, 0x98, 0x01, 0x01,
-	0xa2, 0x01, 0x1a, 0x12, 0x15, 0x41, 0x50, 0x49, 0x5f, 0x4c, 0x45, 0x56, 0x45, 0x4c, 0x5f, 0x55,
-	0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x18, 0x84, 0x07, 0xa2, 0x01, 0x0f,
-	0x12, 0x0a, 0x41, 0x50, 0x49, 0x5f, 0x4f, 0x50, 0x41, 0x51, 0x55, 0x45, 0x18, 0xe9, 0x07, 0xb2,
-	0x01, 0x03, 0x08, 0xe8, 0x07, 0x52, 0x08, 0x61, 0x70, 0x69, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12,
-	0x7c, 0x0a, 0x11, 0x73, 0x74, 0x72, 0x69, 0x70, 0x5f, 0x65, 0x6e, 0x75, 0x6d, 0x5f, 0x70, 0x72,
-	0x65, 0x66, 0x69, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1e, 0x2e, 0x70, 0x62, 0x2e,
-	0x47, 0x6f, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x70,
-	0x45, 0x6e, 0x75, 0x6d, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x42, 0x30, 0x88, 0x01, 0x01, 0x98,
-	0x01, 0x06, 0x98, 0x01, 0x07, 0x98, 0x01, 0x01, 0xa2, 0x01, 0x1b, 0x12, 0x16, 0x53, 0x54, 0x52,
-	0x49, 0x50, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x5f, 0x4b,
-	0x45, 0x45, 0x50, 0x18, 0x84, 0x07, 0xb2, 0x01, 0x03, 0x08, 0xe9, 0x07, 0x52, 0x0f, 0x73, 0x74,
-	0x72, 0x69, 0x70, 0x45, 0x6e, 0x75, 0x6d, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x53, 0x0a,
-	0x08, 0x41, 0x50, 0x49, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x50, 0x49,
-	0x5f, 0x4c, 0x45, 0x56, 0x45, 0x4c, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
-	0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x41, 0x50, 0x49, 0x5f, 0x4f, 0x50, 0x45, 0x4e,
-	0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x50, 0x49, 0x5f, 0x48, 0x59, 0x42, 0x52, 0x49, 0x44,
-	0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x50, 0x49, 0x5f, 0x4f, 0x50, 0x41, 0x51, 0x55, 0x45,
-	0x10, 0x03, 0x22, 0x92, 0x01, 0x0a, 0x0f, 0x53, 0x74, 0x72, 0x69, 0x70, 0x45, 0x6e, 0x75, 0x6d,
-	0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x21, 0x0a, 0x1d, 0x53, 0x54, 0x52, 0x49, 0x50, 0x5f,
-	0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x5f, 0x55, 0x4e, 0x53, 0x50,
-	0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1a, 0x0a, 0x16, 0x53, 0x54, 0x52,
-	0x49, 0x50, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x5f, 0x4b,
-	0x45, 0x45, 0x50, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x53, 0x54, 0x52, 0x49, 0x50, 0x5f, 0x45,
-	0x4e, 0x55, 0x4d, 0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x5f, 0x47, 0x45, 0x4e, 0x45, 0x52,
-	0x41, 0x54, 0x45, 0x5f, 0x42, 0x4f, 0x54, 0x48, 0x10, 0x02, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x54,
-	0x52, 0x49, 0x50, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x50, 0x52, 0x45, 0x46, 0x49, 0x58, 0x5f,
-	0x53, 0x54, 0x52, 0x49, 0x50, 0x10, 0x03, 0x3a, 0x3c, 0x0a, 0x02, 0x67, 0x6f, 0x12, 0x1b, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x53, 0x65, 0x74, 0x18, 0xea, 0x07, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x62, 0x2e, 0x47, 0x6f, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65,
-	0x73, 0x52, 0x02, 0x67, 0x6f, 0x42, 0x2f, 0x5a, 0x2d, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x67, 0x6f, 0x66, 0x65, 0x61, 0x74,
-	0x75, 0x72, 0x65, 0x73, 0x70, 0x62,
-})
+const file_google_protobuf_go_features_proto_rawDesc = "" +
+	"\n" +
+	"!google/protobuf/go_features.proto\x12\x02pb\x1a google/protobuf/descriptor.proto\"\xab\x05\n" +
+	"\n" +
+	"GoFeatures\x12\xbe\x01\n" +
+	"\x1alegacy_unmarshal_json_enum\x18\x01 \x01(\bB\x80\x01\x88\x01\x01\x98\x01\x06\x98\x01\x01\xa2\x01\t\x12\x04true\x18\x84\a\xa2\x01\n" +
+	"\x12\x05false\x18\xe7\a\xb2\x01[\b\xe8\a\x10\xe8\a\x1aSThe legacy UnmarshalJSON API is deprecated and will be removed in a future edition.R\x17legacyUnmarshalJsonEnum\x12t\n" +
+	"\tapi_level\x18\x02 \x01(\x0e2\x17.pb.GoFeatures.APILevelB>\x88\x01\x01\x98\x01\x03\x98\x01\x01\xa2\x01\x1a\x12\x15API_LEVEL_UNSPECIFIED\x18\x84\a\xa2\x01\x0f\x12\n" +
+	"API_OPAQUE\x18\xe9\a\xb2\x01\x03\b\xe8\aR\bapiLevel\x12|\n" +
+	"\x11strip_enum_prefix\x18\x03 \x01(\x0e2\x1e.pb.GoFeatures.StripEnumPrefixB0\x88\x01\x01\x98\x01\x06\x98\x01\a\x98\x01\x01\xa2\x01\x1b\x12\x16STRIP_ENUM_PREFIX_KEEP\x18\x84\a\xb2\x01\x03\b\xe9\aR\x0fstripEnumPrefix\"S\n" +
+	"\bAPILevel\x12\x19\n" +
+	"\x15API_LEVEL_UNSPECIFIED\x10\x00\x12\f\n" +
+	"\bAPI_OPEN\x10\x01\x12\x0e\n" +
+	"\n" +
+	"API_HYBRID\x10\x02\x12\x0e\n" +
+	"\n" +
+	"API_OPAQUE\x10\x03\"\x92\x01\n" +
+	"\x0fStripEnumPrefix\x12!\n" +
+	"\x1dSTRIP_ENUM_PREFIX_UNSPECIFIED\x10\x00\x12\x1a\n" +
+	"\x16STRIP_ENUM_PREFIX_KEEP\x10\x01\x12#\n" +
+	"\x1fSTRIP_ENUM_PREFIX_GENERATE_BOTH\x10\x02\x12\x1b\n" +
+	"\x17STRIP_ENUM_PREFIX_STRIP\x10\x03:<\n" +
+	"\x02go\x12\x1b.google.protobuf.FeatureSet\x18\xea\a \x01(\v2\x0e.pb.GoFeaturesR\x02goB/Z-google.golang.org/protobuf/types/gofeaturespb"
 
 var (
 	file_google_protobuf_go_features_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
index 497da66e91f81..1ff0d1494d4db 100644
--- a/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go
@@ -412,23 +412,13 @@ func (x *Any) GetValue() []byte {
 
 var File_google_protobuf_any_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_any_proto_rawDesc = string([]byte{
-	0x0a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 0x36, 0x0a, 0x03,
-	0x41, 0x6e, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x72, 0x6c, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x74, 0x79, 0x70, 0x65, 0x55, 0x72, 0x6c, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x42, 0x76, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x08, 0x41, 0x6e, 0x79,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f,
-	0x61, 0x6e, 0x79, 0x70, 0x62, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65,
-	0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_any_proto_rawDesc = "" +
+	"\n" +
+	"\x19google/protobuf/any.proto\x12\x0fgoogle.protobuf\"6\n" +
+	"\x03Any\x12\x19\n" +
+	"\btype_url\x18\x01 \x01(\tR\atypeUrl\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\fR\x05valueBv\n" +
+	"\x13com.google.protobufB\bAnyProtoP\x01Z,google.golang.org/protobuf/types/known/anypb\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_any_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
index 193880d181386..ca2e7b38f4990 100644
--- a/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go
@@ -289,24 +289,13 @@ func (x *Duration) GetNanos() int32 {
 
 var File_google_protobuf_duration_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_duration_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x22, 0x3a, 0x0a, 0x08, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07,
-	0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73, 0x42, 0x83, 0x01,
-	0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0d, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x31, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
-	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x64,
-	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47,
-	0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79,
-	0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_duration_proto_rawDesc = "" +
+	"\n" +
+	"\x1egoogle/protobuf/duration.proto\x12\x0fgoogle.protobuf\":\n" +
+	"\bDuration\x12\x18\n" +
+	"\aseconds\x18\x01 \x01(\x03R\aseconds\x12\x14\n" +
+	"\x05nanos\x18\x02 \x01(\x05R\x05nanosB\x83\x01\n" +
+	"\x13com.google.protobufB\rDurationProtoP\x01Z1google.golang.org/protobuf/types/known/durationpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_duration_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go b/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go
index a5b8657c4ba25..1d7ee3b47660f 100644
--- a/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go
@@ -86,20 +86,12 @@ func (*Empty) Descriptor() ([]byte, []int) {
 
 var File_google_protobuf_empty_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_empty_proto_rawDesc = string([]byte{
-	0x0a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22, 0x07,
-	0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x42, 0x7d, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0a,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b,
-	0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2,
-	0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77,
-	0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_empty_proto_rawDesc = "" +
+	"\n" +
+	"\x1bgoogle/protobuf/empty.proto\x12\x0fgoogle.protobuf\"\a\n" +
+	"\x05EmptyB}\n" +
+	"\x13com.google.protobufB\n" +
+	"EmptyProtoP\x01Z.google.golang.org/protobuf/types/known/emptypb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_empty_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
index 041feb0f3eccb..91ee89a5cd92d 100644
--- a/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/fieldmaskpb/field_mask.pb.go
@@ -504,23 +504,12 @@ func (x *FieldMask) GetPaths() []string {
 
 var File_google_protobuf_field_mask_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_field_mask_proto_rawDesc = string([]byte{
-	0x0a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x6d, 0x61, 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x22, 0x21, 0x0a, 0x09, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4d, 0x61, 0x73, 0x6b,
-	0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x42, 0x85, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0e,
-	0x46, 0x69, 0x65, 0x6c, 0x64, 0x4d, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
-	0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e,
-	0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70,
-	0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x6d, 0x61,
-	0x73, 0x6b, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e,
-	0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_field_mask_proto_rawDesc = "" +
+	"\n" +
+	" google/protobuf/field_mask.proto\x12\x0fgoogle.protobuf\"!\n" +
+	"\tFieldMask\x12\x14\n" +
+	"\x05paths\x18\x01 \x03(\tR\x05pathsB\x85\x01\n" +
+	"\x13com.google.protobufB\x0eFieldMaskProtoP\x01Z2google.golang.org/protobuf/types/known/fieldmaskpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_field_mask_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
index ecdd31ab5380c..30411b72838ca 100644
--- a/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go
@@ -672,55 +672,31 @@ func (x *ListValue) GetValues() []*Value {
 
 var File_google_protobuf_struct_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_struct_proto_rawDesc = string([]byte{
-	0x0a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x22,
-	0x98, 0x01, 0x0a, 0x06, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x12, 0x3b, 0x0a, 0x06, 0x66, 0x69,
-	0x65, 0x6c, 0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72,
-	0x75, 0x63, 0x74, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
-	0x06, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x73, 0x1a, 0x51, 0x0a, 0x0b, 0x46, 0x69, 0x65, 0x6c, 0x64,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xb2, 0x02, 0x0a, 0x05, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x12, 0x3b, 0x0a, 0x0a, 0x6e, 0x75, 0x6c, 0x6c, 0x5f, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4e, 0x75, 0x6c, 0x6c, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6e, 0x75, 0x6c, 0x6c, 0x56, 0x61, 0x6c, 0x75,
-	0x65, 0x12, 0x23, 0x0a, 0x0c, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x01, 0x48, 0x00, 0x52, 0x0b, 0x6e, 0x75, 0x6d, 0x62, 0x65,
-	0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x23, 0x0a, 0x0c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67,
-	0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b,
-	0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x1f, 0x0a, 0x0a, 0x62,
-	0x6f, 0x6f, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x48,
-	0x00, 0x52, 0x09, 0x62, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x3c, 0x0a, 0x0c,
-	0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x05, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x48, 0x00, 0x52, 0x0b, 0x73,
-	0x74, 0x72, 0x75, 0x63, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x3b, 0x0a, 0x0a, 0x6c, 0x69,
-	0x73, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6c, 0x69,
-	0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x06, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x22,
-	0x3b, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x2e, 0x0a, 0x06,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x2a, 0x1b, 0x0a, 0x09,
-	0x4e, 0x75, 0x6c, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x0e, 0x0a, 0x0a, 0x4e, 0x55, 0x4c,
-	0x4c, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x10, 0x00, 0x42, 0x7f, 0x0a, 0x13, 0x63, 0x6f, 0x6d,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x42, 0x0b, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a,
-	0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f,
-	0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65,
-	0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x70, 0x62,
-	0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c,
-	0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-})
+const file_google_protobuf_struct_proto_rawDesc = "" +
+	"\n" +
+	"\x1cgoogle/protobuf/struct.proto\x12\x0fgoogle.protobuf\"\x98\x01\n" +
+	"\x06Struct\x12;\n" +
+	"\x06fields\x18\x01 \x03(\v2#.google.protobuf.Struct.FieldsEntryR\x06fields\x1aQ\n" +
+	"\vFieldsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12,\n" +
+	"\x05value\x18\x02 \x01(\v2\x16.google.protobuf.ValueR\x05value:\x028\x01\"\xb2\x02\n" +
+	"\x05Value\x12;\n" +
+	"\n" +
+	"null_value\x18\x01 \x01(\x0e2\x1a.google.protobuf.NullValueH\x00R\tnullValue\x12#\n" +
+	"\fnumber_value\x18\x02 \x01(\x01H\x00R\vnumberValue\x12#\n" +
+	"\fstring_value\x18\x03 \x01(\tH\x00R\vstringValue\x12\x1f\n" +
+	"\n" +
+	"bool_value\x18\x04 \x01(\bH\x00R\tboolValue\x12<\n" +
+	"\fstruct_value\x18\x05 \x01(\v2\x17.google.protobuf.StructH\x00R\vstructValue\x12;\n" +
+	"\n" +
+	"list_value\x18\x06 \x01(\v2\x1a.google.protobuf.ListValueH\x00R\tlistValueB\x06\n" +
+	"\x04kind\";\n" +
+	"\tListValue\x12.\n" +
+	"\x06values\x18\x01 \x03(\v2\x16.google.protobuf.ValueR\x06values*\x1b\n" +
+	"\tNullValue\x12\x0e\n" +
+	"\n" +
+	"NULL_VALUE\x10\x00B\x7f\n" +
+	"\x13com.google.protobufB\vStructProtoP\x01Z/google.golang.org/protobuf/types/known/structpb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_struct_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
index 00ac835c0bb16..06d584c14beab 100644
--- a/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go
@@ -298,24 +298,13 @@ func (x *Timestamp) GetNanos() int32 {
 
 var File_google_protobuf_timestamp_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_timestamp_proto_rawDesc = string([]byte{
-	0x0a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x22, 0x3b, 0x0a, 0x09, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
-	0x18, 0x0a, 0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03,
-	0x52, 0x07, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6e,
-	0x6f, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x05, 0x6e, 0x61, 0x6e, 0x6f, 0x73, 0x42,
-	0x85, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x42, 0x0e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77,
-	0x6e, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x70, 0x62, 0xf8, 0x01, 0x01,
-	0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f,
-	0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_timestamp_proto_rawDesc = "" +
+	"\n" +
+	"\x1fgoogle/protobuf/timestamp.proto\x12\x0fgoogle.protobuf\";\n" +
+	"\tTimestamp\x12\x18\n" +
+	"\aseconds\x18\x01 \x01(\x03R\aseconds\x12\x14\n" +
+	"\x05nanos\x18\x02 \x01(\x05R\x05nanosB\x85\x01\n" +
+	"\x13com.google.protobufB\x0eTimestampProtoP\x01Z2google.golang.org/protobuf/types/known/timestamppb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_timestamp_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
index 5de5301063bad..b7c2d0607d794 100644
--- a/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
+++ b/vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go
@@ -28,10 +28,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Wrappers for primitive (non-message) types. These types are useful
-// for embedding primitives in the `google.protobuf.Any` type and for places
-// where we need to distinguish between the absence of a primitive
-// typed field and its default value.
+// Wrappers for primitive (non-message) types. These types were needed
+// for legacy reasons and are not recommended for use in new APIs.
+//
+// Historically these wrappers were useful to have presence on proto3 primitive
+// fields, but proto3 syntax has been updated to support the `optional` keyword.
+// Using that keyword is now the strongly preferred way to add presence to
+// proto3 primitive fields.
+//
+// A secondary usecase was to embed primitives in the `google.protobuf.Any`
+// type: it is now recommended that you embed your value in your own wrapper
+// message which can be specifically documented.
 //
 // These wrappers have no meaningful use within repeated fields as they lack
 // the ability to detect presence on individual elements.
@@ -54,6 +61,9 @@ import (
 // Wrapper message for `double`.
 //
 // The JSON representation for `DoubleValue` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type DoubleValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The double value.
@@ -107,6 +117,9 @@ func (x *DoubleValue) GetValue() float64 {
 // Wrapper message for `float`.
 //
 // The JSON representation for `FloatValue` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type FloatValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The float value.
@@ -160,6 +173,9 @@ func (x *FloatValue) GetValue() float32 {
 // Wrapper message for `int64`.
 //
 // The JSON representation for `Int64Value` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type Int64Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The int64 value.
@@ -213,6 +229,9 @@ func (x *Int64Value) GetValue() int64 {
 // Wrapper message for `uint64`.
 //
 // The JSON representation for `UInt64Value` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type UInt64Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The uint64 value.
@@ -266,6 +285,9 @@ func (x *UInt64Value) GetValue() uint64 {
 // Wrapper message for `int32`.
 //
 // The JSON representation for `Int32Value` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type Int32Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The int32 value.
@@ -319,6 +341,9 @@ func (x *Int32Value) GetValue() int32 {
 // Wrapper message for `uint32`.
 //
 // The JSON representation for `UInt32Value` is JSON number.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type UInt32Value struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The uint32 value.
@@ -372,6 +397,9 @@ func (x *UInt32Value) GetValue() uint32 {
 // Wrapper message for `bool`.
 //
 // The JSON representation for `BoolValue` is JSON `true` and `false`.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type BoolValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The bool value.
@@ -425,6 +453,9 @@ func (x *BoolValue) GetValue() bool {
 // Wrapper message for `string`.
 //
 // The JSON representation for `StringValue` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type StringValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The string value.
@@ -478,6 +509,9 @@ func (x *StringValue) GetValue() string {
 // Wrapper message for `bytes`.
 //
 // The JSON representation for `BytesValue` is JSON string.
+//
+// Not recommended for use in new APIs, but still useful for legacy APIs and
+// has no plan to be removed.
 type BytesValue struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The bytes value.
@@ -530,41 +564,32 @@ func (x *BytesValue) GetValue() []byte {
 
 var File_google_protobuf_wrappers_proto protoreflect.FileDescriptor
 
-var file_google_protobuf_wrappers_proto_rawDesc = string([]byte{
-	0x0a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x0f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x22, 0x23, 0x0a, 0x0b, 0x44, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65,
-	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x01, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x46, 0x6c, 0x6f, 0x61, 0x74, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x02, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x49, 0x6e,
-	0x74, 0x36, 0x34, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x23,
-	0x0a, 0x0b, 0x55, 0x49, 0x6e, 0x74, 0x36, 0x34, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75,
-	0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x23, 0x0a, 0x0b, 0x55, 0x49, 0x6e, 0x74, 0x33,
-	0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x21, 0x0a, 0x09,
-	0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22,
-	0x23, 0x0a, 0x0b, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x22, 0x22, 0x0a, 0x0a, 0x42, 0x79, 0x74, 0x65, 0x73, 0x56, 0x61, 0x6c,
-	0x75, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x83, 0x01, 0x0a, 0x13, 0x63, 0x6f, 0x6d,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x42, 0x0d, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
-	0x01, 0x5a, 0x31, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67,
-	0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x79,
-	0x70, 0x65, 0x73, 0x2f, 0x6b, 0x6e, 0x6f, 0x77, 0x6e, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65,
-	0x72, 0x73, 0x70, 0x62, 0xf8, 0x01, 0x01, 0xa2, 0x02, 0x03, 0x47, 0x50, 0x42, 0xaa, 0x02, 0x1e,
-	0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x57, 0x65, 0x6c, 0x6c, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x73, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-})
+const file_google_protobuf_wrappers_proto_rawDesc = "" +
+	"\n" +
+	"\x1egoogle/protobuf/wrappers.proto\x12\x0fgoogle.protobuf\"#\n" +
+	"\vDoubleValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x01R\x05value\"\"\n" +
+	"\n" +
+	"FloatValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x02R\x05value\"\"\n" +
+	"\n" +
+	"Int64Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x03R\x05value\"#\n" +
+	"\vUInt64Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x04R\x05value\"\"\n" +
+	"\n" +
+	"Int32Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\x05R\x05value\"#\n" +
+	"\vUInt32Value\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\rR\x05value\"!\n" +
+	"\tBoolValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\bR\x05value\"#\n" +
+	"\vStringValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\tR\x05value\"\"\n" +
+	"\n" +
+	"BytesValue\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\fR\x05valueB\x83\x01\n" +
+	"\x13com.google.protobufB\rWrappersProtoP\x01Z1google.golang.org/protobuf/types/known/wrapperspb\xf8\x01\x01\xa2\x02\x03GPB\xaa\x02\x1eGoogle.Protobuf.WellKnownTypesb\x06proto3"
 
 var (
 	file_google_protobuf_wrappers_proto_rawDescOnce sync.Once
diff --git a/vendor/gopkg.in/evanphx/json-patch.v4/README.md b/vendor/gopkg.in/evanphx/json-patch.v4/README.md
index 28e35169375bd..86fefd5bf7d67 100644
--- a/vendor/gopkg.in/evanphx/json-patch.v4/README.md
+++ b/vendor/gopkg.in/evanphx/json-patch.v4/README.md
@@ -4,7 +4,7 @@
 well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ietf.org/html/rfc7396).
 
 [![GoDoc](https://godoc.org/github.com/evanphx/json-patch?status.svg)](http://godoc.org/github.com/evanphx/json-patch)
-[![Build Status](https://travis-ci.org/evanphx/json-patch.svg?branch=master)](https://travis-ci.org/evanphx/json-patch)
+[![Build Status](https://github.com/evanphx/json-patch/actions/workflows/go.yml/badge.svg)](https://github.com/evanphx/json-patch/actions/workflows/go.yml)
 [![Report Card](https://goreportcard.com/badge/github.com/evanphx/json-patch)](https://goreportcard.com/report/github.com/evanphx/json-patch)
 
 # Get It!
@@ -14,9 +14,7 @@ well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ie
 go get -u github.com/evanphx/json-patch/v5
 ```
 
-**Stable Versions**:
-* Version 5: `go get -u gopkg.in/evanphx/json-patch.v5`
-* Version 4: `go get -u gopkg.in/evanphx/json-patch.v4`
+If you need version 4, use `go get -u gopkg.in/evanphx/json-patch.v4`
 
 (previous versions below `v3` are unavailable)
 
@@ -314,4 +312,4 @@ go test -cover ./...
 ```
 
 Builds for pull requests are tested automatically 
-using [TravisCI](https://travis-ci.org/evanphx/json-patch).
+using [GitHub Actions](https://github.com/evanphx/json-patch/actions/workflows/go.yml).
diff --git a/vendor/gopkg.in/evanphx/json-patch.v4/patch.go b/vendor/gopkg.in/evanphx/json-patch.v4/patch.go
index dc2b7e51e60b1..95136681ba767 100644
--- a/vendor/gopkg.in/evanphx/json-patch.v4/patch.go
+++ b/vendor/gopkg.in/evanphx/json-patch.v4/patch.go
@@ -3,11 +3,10 @@ package jsonpatch
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
-
-	"github.com/pkg/errors"
 )
 
 const (
@@ -277,7 +276,7 @@ func (o Operation) Path() (string, error) {
 		return op, nil
 	}
 
-	return "unknown", errors.Wrapf(ErrMissing, "operation missing path field")
+	return "unknown", fmt.Errorf("operation missing path field: %w", ErrMissing)
 }
 
 // From reads the "from" field of the Operation.
@@ -294,7 +293,7 @@ func (o Operation) From() (string, error) {
 		return op, nil
 	}
 
-	return "unknown", errors.Wrapf(ErrMissing, "operation, missing from field")
+	return "unknown", fmt.Errorf("operation, missing from field: %w", ErrMissing)
 }
 
 func (o Operation) value() *lazyNode {
@@ -319,7 +318,7 @@ func (o Operation) ValueInterface() (interface{}, error) {
 		return v, nil
 	}
 
-	return nil, errors.Wrapf(ErrMissing, "operation, missing value field")
+	return nil, fmt.Errorf("operation, missing value field: %w", ErrMissing)
 }
 
 func isArray(buf []byte) bool {
@@ -359,7 +358,7 @@ func findObject(pd *container, path string) (container, string) {
 
 		next, ok := doc.get(decodePatchKey(part))
 
-		if next == nil || ok != nil {
+		if next == nil || ok != nil || next.raw == nil {
 			return nil, ""
 		}
 
@@ -398,7 +397,7 @@ func (d *partialDoc) get(key string) (*lazyNode, error) {
 func (d *partialDoc) remove(key string) error {
 	_, ok := (*d)[key]
 	if !ok {
-		return errors.Wrapf(ErrMissing, "Unable to remove nonexistent key: %s", key)
+		return fmt.Errorf("Unable to remove nonexistent key: %s: %w", key, ErrMissing)
 	}
 
 	delete(*d, key)
@@ -415,10 +414,10 @@ func (d *partialArray) set(key string, val *lazyNode) error {
 
 	if idx < 0 {
 		if !SupportNegativeIndices {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		if idx < -len(*d) {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		idx += len(*d)
 	}
@@ -435,7 +434,7 @@ func (d *partialArray) add(key string, val *lazyNode) error {
 
 	idx, err := strconv.Atoi(key)
 	if err != nil {
-		return errors.Wrapf(err, "value was not a proper array index: '%s'", key)
+		return fmt.Errorf("value was not a proper array index: '%s': %w", key, err)
 	}
 
 	sz := len(*d) + 1
@@ -445,15 +444,15 @@ func (d *partialArray) add(key string, val *lazyNode) error {
 	cur := *d
 
 	if idx >= len(ary) {
-		return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+		return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 	}
 
 	if idx < 0 {
 		if !SupportNegativeIndices {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		if idx < -len(ary) {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		idx += len(ary)
 	}
@@ -475,16 +474,16 @@ func (d *partialArray) get(key string) (*lazyNode, error) {
 
 	if idx < 0 {
 		if !SupportNegativeIndices {
-			return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		if idx < -len(*d) {
-			return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		idx += len(*d)
 	}
 
 	if idx >= len(*d) {
-		return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+		return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 	}
 
 	return (*d)[idx], nil
@@ -499,15 +498,15 @@ func (d *partialArray) remove(key string) error {
 	cur := *d
 
 	if idx >= len(cur) {
-		return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+		return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 	}
 
 	if idx < 0 {
 		if !SupportNegativeIndices {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		if idx < -len(cur) {
-			return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx)
+			return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex)
 		}
 		idx += len(cur)
 	}
@@ -525,18 +524,18 @@ func (d *partialArray) remove(key string) error {
 func (p Patch) add(doc *container, op Operation) error {
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(ErrMissing, "add operation failed to decode path")
+		return fmt.Errorf("add operation failed to decode path: %w", ErrMissing)
 	}
 
 	con, key := findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "add operation does not apply: doc is missing path: \"%s\"", path)
+		return fmt.Errorf("add operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing)
 	}
 
 	err = con.add(key, op.value())
 	if err != nil {
-		return errors.Wrapf(err, "error in add for path: '%s'", path)
+		return fmt.Errorf("error in add for path: '%s': %w", path, err)
 	}
 
 	return nil
@@ -545,18 +544,18 @@ func (p Patch) add(doc *container, op Operation) error {
 func (p Patch) remove(doc *container, op Operation) error {
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(ErrMissing, "remove operation failed to decode path")
+		return fmt.Errorf("remove operation failed to decode path: %w", ErrMissing)
 	}
 
 	con, key := findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "remove operation does not apply: doc is missing path: \"%s\"", path)
+		return fmt.Errorf("remove operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing)
 	}
 
 	err = con.remove(key)
 	if err != nil {
-		return errors.Wrapf(err, "error in remove for path: '%s'", path)
+		return fmt.Errorf("error in remove for path: '%s': %w", path, err)
 	}
 
 	return nil
@@ -565,7 +564,7 @@ func (p Patch) remove(doc *container, op Operation) error {
 func (p Patch) replace(doc *container, op Operation) error {
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(err, "replace operation failed to decode path")
+		return fmt.Errorf("replace operation failed to decode path: %w", err)
 	}
 
 	if path == "" {
@@ -574,7 +573,7 @@ func (p Patch) replace(doc *container, op Operation) error {
 		if val.which == eRaw {
 			if !val.tryDoc() {
 				if !val.tryAry() {
-					return errors.Wrapf(err, "replace operation value must be object or array")
+					return fmt.Errorf("replace operation value must be object or array: %w", err)
 				}
 			}
 		}
@@ -585,7 +584,7 @@ func (p Patch) replace(doc *container, op Operation) error {
 		case eDoc:
 			*doc = &val.doc
 		case eRaw:
-			return errors.Wrapf(err, "replace operation hit impossible case")
+			return fmt.Errorf("replace operation hit impossible case: %w", err)
 		}
 
 		return nil
@@ -594,17 +593,17 @@ func (p Patch) replace(doc *container, op Operation) error {
 	con, key := findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing path: %s", path)
+		return fmt.Errorf("replace operation does not apply: doc is missing path: %s: %w", path, ErrMissing)
 	}
 
 	_, ok := con.get(key)
 	if ok != nil {
-		return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing key: %s", path)
+		return fmt.Errorf("replace operation does not apply: doc is missing key: %s: %w", path, ErrMissing)
 	}
 
 	err = con.set(key, op.value())
 	if err != nil {
-		return errors.Wrapf(err, "error in remove for path: '%s'", path)
+		return fmt.Errorf("error in remove for path: '%s': %w", path, err)
 	}
 
 	return nil
@@ -613,39 +612,39 @@ func (p Patch) replace(doc *container, op Operation) error {
 func (p Patch) move(doc *container, op Operation) error {
 	from, err := op.From()
 	if err != nil {
-		return errors.Wrapf(err, "move operation failed to decode from")
+		return fmt.Errorf("move operation failed to decode from: %w", err)
 	}
 
 	con, key := findObject(doc, from)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing from path: %s", from)
+		return fmt.Errorf("move operation does not apply: doc is missing from path: %s: %w", from, ErrMissing)
 	}
 
 	val, err := con.get(key)
 	if err != nil {
-		return errors.Wrapf(err, "error in move for path: '%s'", key)
+		return fmt.Errorf("error in move for path: '%s': %w", key, err)
 	}
 
 	err = con.remove(key)
 	if err != nil {
-		return errors.Wrapf(err, "error in move for path: '%s'", key)
+		return fmt.Errorf("error in move for path: '%s': %w", key, err)
 	}
 
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(err, "move operation failed to decode path")
+		return fmt.Errorf("move operation failed to decode path: %w", err)
 	}
 
 	con, key = findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing destination path: %s", path)
+		return fmt.Errorf("move operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing)
 	}
 
 	err = con.add(key, val)
 	if err != nil {
-		return errors.Wrapf(err, "error in move for path: '%s'", path)
+		return fmt.Errorf("error in move for path: '%s': %w", path, err)
 	}
 
 	return nil
@@ -654,7 +653,7 @@ func (p Patch) move(doc *container, op Operation) error {
 func (p Patch) test(doc *container, op Operation) error {
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(err, "test operation failed to decode path")
+		return fmt.Errorf("test operation failed to decode path: %w", err)
 	}
 
 	if path == "" {
@@ -673,67 +672,67 @@ func (p Patch) test(doc *container, op Operation) error {
 			return nil
 		}
 
-		return errors.Wrapf(ErrTestFailed, "testing value %s failed", path)
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
 	}
 
 	con, key := findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "test operation does not apply: is missing path: %s", path)
+		return fmt.Errorf("test operation does not apply: is missing path: %s: %w", path, ErrMissing)
 	}
 
 	val, err := con.get(key)
 	if err != nil {
-		return errors.Wrapf(err, "error in test for path: '%s'", path)
+		return fmt.Errorf("error in test for path: '%s': %w", path, err)
 	}
 
 	if val == nil {
-		if op.value().raw == nil {
+		if op.value() == nil || op.value().raw == nil {
 			return nil
 		}
-		return errors.Wrapf(ErrTestFailed, "testing value %s failed", path)
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
 	} else if op.value() == nil {
-		return errors.Wrapf(ErrTestFailed, "testing value %s failed", path)
+		return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
 	}
 
 	if val.equal(op.value()) {
 		return nil
 	}
 
-	return errors.Wrapf(ErrTestFailed, "testing value %s failed", path)
+	return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed)
 }
 
 func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) error {
 	from, err := op.From()
 	if err != nil {
-		return errors.Wrapf(err, "copy operation failed to decode from")
+		return fmt.Errorf("copy operation failed to decode from: %w", err)
 	}
 
 	con, key := findObject(doc, from)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing from path: %s", from)
+		return fmt.Errorf("copy operation does not apply: doc is missing from path: %s: %w", from, ErrMissing)
 	}
 
 	val, err := con.get(key)
 	if err != nil {
-		return errors.Wrapf(err, "error in copy for from: '%s'", from)
+		return fmt.Errorf("error in copy for from: '%s': %w", from, err)
 	}
 
 	path, err := op.Path()
 	if err != nil {
-		return errors.Wrapf(ErrMissing, "copy operation failed to decode path")
+		return fmt.Errorf("copy operation failed to decode path: %w", ErrMissing)
 	}
 
 	con, key = findObject(doc, path)
 
 	if con == nil {
-		return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing destination path: %s", path)
+		return fmt.Errorf("copy operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing)
 	}
 
 	valCopy, sz, err := deepCopy(val)
 	if err != nil {
-		return errors.Wrapf(err, "error while performing deep copy")
+		return fmt.Errorf("error while performing deep copy: %w", err)
 	}
 
 	(*accumulatedCopySize) += int64(sz)
@@ -743,7 +742,7 @@ func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) er
 
 	err = con.add(key, valCopy)
 	if err != nil {
-		return errors.Wrapf(err, "error while adding value during copy")
+		return fmt.Errorf("error while adding value during copy: %w", err)
 	}
 
 	return nil
diff --git a/vendor/k8s.io/gengo/v2/Makefile b/vendor/k8s.io/gengo/v2/Makefile
index 8d0fbdaa8a8a4..5cb81a2fdb9ef 100644
--- a/vendor/k8s.io/gengo/v2/Makefile
+++ b/vendor/k8s.io/gengo/v2/Makefile
@@ -11,4 +11,4 @@ test:
 verify:
 	GODEBUG=gotypesalias=0 ./hack/verify-examples.sh
 	GODEBUG=gotypesalias=1 ./hack/verify-examples.sh
-	./hack/verify-go-directive.sh 1.20
+	./hack/verify-go-directive.sh 1.23
diff --git a/vendor/k8s.io/gengo/v2/generator/execute.go b/vendor/k8s.io/gengo/v2/generator/execute.go
index a1e052f5cc678..964a70e91c269 100644
--- a/vendor/k8s.io/gengo/v2/generator/execute.go
+++ b/vendor/k8s.io/gengo/v2/generator/execute.go
@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -114,19 +115,53 @@ func assembleGoFile(w io.Writer, f *File) {
 	w.Write(f.Body.Bytes())
 }
 
+func formatCode(src []byte) ([]byte, error) {
+	// We call goimports because it formats imports better than gofmt, but also
+	// call gofmt because it has the "simplify" logic.  If a gofmt binary is
+	// not found, we will skip it.
+	src, err := importsWrapper(src)
+	if err != nil {
+		return nil, err
+	}
+	return gofmtWrapper(src)
+}
+
 func importsWrapper(src []byte) ([]byte, error) {
 	opt := imports.Options{
 		Comments:   true,
 		TabIndent:  true,
 		TabWidth:   8,
-		FormatOnly: true, // Disable the insertion and deletion of imports
+		FormatOnly: true, // Disable the insertion and deletion of imports (slow!)
 	}
 	return imports.Process("", src, &opt)
 }
 
+func gofmtWrapper(src []byte) ([]byte, error) {
+	const gofmt = "gofmt"
+
+	if _, err := exec.LookPath(gofmt); err != nil {
+		klog.Errorf("WARNING: skipping output simplification: %v", err)
+		return src, nil
+	}
+
+	cmd := exec.Command(gofmt, "-s")
+	cmd.Stdin = bytes.NewReader(src)
+	stdout := &bytes.Buffer{}
+	cmd.Stdout = stdout
+	stderr := &bytes.Buffer{}
+	cmd.Stderr = stderr
+	if err := cmd.Run(); err != nil {
+		if stderr.Len() > 0 {
+			return nil, fmt.Errorf("%s failed: %v: %s", gofmt, err, strings.TrimSpace(stderr.String()))
+		}
+		return nil, fmt.Errorf("%s failed: %v", gofmt, err)
+	}
+	return stdout.Bytes(), nil
+}
+
 func NewGoFile() *DefaultFileType {
 	return &DefaultFileType{
-		Format:   importsWrapper,
+		Format:   formatCode,
 		Assemble: assembleGoFile,
 	}
 }
diff --git a/vendor/k8s.io/gengo/v2/generator/import_tracker.go b/vendor/k8s.io/gengo/v2/generator/import_tracker.go
index 22393e4d49391..f4b0f7b5f7f38 100644
--- a/vendor/k8s.io/gengo/v2/generator/import_tracker.go
+++ b/vendor/k8s.io/gengo/v2/generator/import_tracker.go
@@ -61,13 +61,13 @@ func goTrackerLocalName(tracker namer.ImportTracker, localPkg string, t types.Na
 	path := t.Package
 
 	// Using backslashes in package names causes gengo to produce Go code which
-	// will not compile with the gc compiler. See the comment on GoSeperator.
+	// will not compile with the gc compiler. See the comment on GoSeparator.
 	if strings.ContainsRune(path, '\\') {
 		klog.Warningf("Warning: backslash used in import path '%v', this is unsupported.\n", path)
 	}
 	localLeaf := filepath.Base(localPkg)
 
-	dirs := strings.Split(path, namer.GoSeperator)
+	dirs := strings.Split(path, namer.GoSeparator)
 	for n := len(dirs) - 1; n >= 0; n-- {
 		// follow kube convention of not having anything between directory names
 		name := strings.Join(dirs[n:], "")
diff --git a/vendor/k8s.io/gengo/v2/namer/namer.go b/vendor/k8s.io/gengo/v2/namer/namer.go
index bae2ee9b5b419..2202f8e70e9d8 100644
--- a/vendor/k8s.io/gengo/v2/namer/namer.go
+++ b/vendor/k8s.io/gengo/v2/namer/namer.go
@@ -26,14 +26,17 @@ import (
 )
 
 const (
-	// GoSeperator is used to split go import paths.
+	// GoSeparator is used to split go import paths.
 	// Forward slash is used instead of filepath.Seperator because it is the
 	// only universally-accepted path delimiter and the only delimiter not
 	// potentially forbidden by Go compilers. (In particular gc does not allow
 	// the use of backslashes in import paths.)
 	// See https://golang.org/ref/spec#Import_declarations.
 	// See also https://github.com/kubernetes/gengo/issues/83#issuecomment-367040772.
-	GoSeperator = "/"
+	GoSeparator = "/"
+	// GoSeperator is a typo for GoSeparator.
+	// Deprecated: use GoSeparator instead.
+	GoSeperator = GoSeparator
 )
 
 // Returns whether a name is a private Go name.
@@ -200,7 +203,7 @@ var (
 
 // filters out unwanted directory names and sanitizes remaining names.
 func (ns *NameStrategy) filterDirs(path string) []string {
-	allDirs := strings.Split(path, GoSeperator)
+	allDirs := strings.Split(path, GoSeparator)
 	dirs := make([]string, 0, len(allDirs))
 	for _, p := range allDirs {
 		if ns.IgnoreWords == nil || !ns.IgnoreWords[p] {
diff --git a/vendor/k8s.io/gengo/v2/parser/parse.go b/vendor/k8s.io/gengo/v2/parser/parse.go
index 4c1efa00104fb..f3760983d3857 100644
--- a/vendor/k8s.io/gengo/v2/parser/parse.go
+++ b/vendor/k8s.io/gengo/v2/parser/parse.go
@@ -23,7 +23,10 @@ import (
 	"go/constant"
 	"go/token"
 	gotypes "go/types"
+	"maps"
 	"path/filepath"
+	"reflect"
+	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -382,11 +385,117 @@ func (p *Parser) NewUniverse() (types.Universe, error) {
 	return u, nil
 }
 
+// minimize returns a copy of lines with "irrelevant" lines removed.  This
+// includes blank lines and paragraphs starting with "Deprecated:".
+func minimize(lines []string) []string {
+	out := make([]string, 0, len(lines))
+	inDeprecated := false // paragraph tracking
+	prevWasBlank := false
+	for _, line := range lines {
+		if len(strings.TrimSpace(line)) == 0 {
+			prevWasBlank = true
+			inDeprecated = false
+			continue
+		}
+		if inDeprecated {
+			continue
+		}
+		if prevWasBlank && strings.HasPrefix(strings.TrimSpace(line), "Deprecated:") {
+			prevWasBlank = false
+			inDeprecated = true
+			continue
+		}
+		prevWasBlank = false
+		out = append(out, line)
+	}
+	return out
+}
+
 // addCommentsToType takes any accumulated comment lines prior to obj and
 // attaches them to the type t.
 func (p *Parser) addCommentsToType(obj gotypes.Object, t *types.Type) {
-	t.CommentLines = p.docComment(obj.Pos())
-	t.SecondClosestCommentLines = p.priorDetachedComment(obj.Pos())
+	if newLines, oldLines := p.docComment(obj.Pos()), t.CommentLines; len(newLines) > 0 {
+		switch {
+		case reflect.DeepEqual(oldLines, newLines):
+			// nothing needed
+
+		case len(oldLines) == 0:
+			// no comments associated, or comments match exactly
+			t.CommentLines = newLines
+
+		case isTypeAlias(obj.Type()):
+			// Ignore mismatched comments from obj because it's an alias.
+			// This can only be hit if gotypesalias is enabled.
+			if !reflect.DeepEqual(minimize(oldLines), minimize(newLines)) {
+				klog.Warningf(
+					"Mismatched comments on type %v.\n  Using comments:\n%s\n  Ignoring comments from type alias:\n%s\n",
+					t.GoType,
+					formatCommentBlock(oldLines),
+					formatCommentBlock(newLines),
+				)
+			}
+
+		case !isTypeAlias(obj.Type()):
+			// Overwrite existing comments with ones from obj because obj is not an alias.
+			// If gotypesalias is enabled, this should mean we found the "real"
+			// type, not an alias.  If gotypesalias is disabled, we can end up
+			// overwriting the "real" comments with an alias's comments, but
+			// it is not clear if we can assume which one is the "real" one.
+			t.CommentLines = newLines
+			if !reflect.DeepEqual(minimize(oldLines), minimize(newLines)) {
+				klog.Warningf(
+					"Mismatched comments on type %v.\n  Using comments:\n%s\n  Ignoring comments from possible type alias:\n%s\n",
+					t.GoType,
+					formatCommentBlock(newLines),
+					formatCommentBlock(oldLines),
+				)
+			}
+		}
+	}
+
+	if newLines, oldLines := p.priorDetachedComment(obj.Pos()), t.SecondClosestCommentLines; len(newLines) > 0 {
+		switch {
+		case reflect.DeepEqual(oldLines, newLines):
+			// nothing needed
+
+		case len(oldLines) == 0:
+			// no comments associated, or comments match exactly
+			t.SecondClosestCommentLines = newLines
+
+		case isTypeAlias(obj.Type()):
+			// Ignore mismatched comments from obj because it's an alias.
+			// This can only be hit if gotypesalias is enabled.
+			if !reflect.DeepEqual(minimize(oldLines), minimize(newLines)) {
+				// ignore mismatched comments from obj because it's an alias
+				klog.Warningf(
+					"Mismatched secondClosestCommentLines on type %v.\n  Using comments:\n%s\n  Ignoring comments from type alias:\n%s\n",
+					t.GoType,
+					formatCommentBlock(oldLines),
+					formatCommentBlock(newLines),
+				)
+			}
+
+		case !isTypeAlias(obj.Type()):
+			// Overwrite existing comments with ones from obj because obj is not an alias.
+			// If gotypesalias is enabled, this should mean we found the "real"
+			// type, not an alias.  If gotypesalias is disabled, we can end up
+			// overwriting the "real" comments with an alias's comments, but
+			// it is not clear if we can assume which one is the "real" one.
+			t.SecondClosestCommentLines = newLines
+			if !reflect.DeepEqual(minimize(oldLines), minimize(newLines)) {
+				klog.Warningf(
+					"Mismatched secondClosestCommentLines on type %v.\n  Using comments:\n%s\n  Ignoring comments from possible type alias:\n%s\n",
+					t.GoType,
+					formatCommentBlock(newLines),
+					formatCommentBlock(oldLines),
+				)
+			}
+		}
+	}
+}
+
+func formatCommentBlock(lines []string) string {
+	return "    ```\n    " + strings.Join(lines, "\n    ") + "\n    ```"
 }
 
 // packageDir tries to figure out the directory of the specified package.
@@ -510,7 +619,9 @@ func (p *Parser) addPkgToUniverse(pkg *packages.Package, u *types.Universe) erro
 
 	// Add all of this package's imports.
 	importedPkgs := []string{}
-	for _, imp := range pkg.Imports {
+	// Iterate imports in a predictable order
+	for _, key := range slices.Sorted(maps.Keys(pkg.Imports)) {
+		imp := pkg.Imports[key]
 		if err := p.addPkgToUniverse(imp, u); err != nil {
 			return err
 		}
@@ -557,7 +668,11 @@ func (p *Parser) priorCommentLines(pos token.Pos, lines int) *ast.CommentGroup {
 }
 
 func splitLines(str string) []string {
-	return strings.Split(strings.TrimRight(str, "\n"), "\n")
+	lines := strings.Split(strings.TrimRight(str, "\n"), "\n")
+	if len(lines) == 1 && lines[0] == "" {
+		return nil
+	}
+	return lines
 }
 
 func goFuncNameToName(in string) types.Name {
diff --git a/vendor/k8s.io/gengo/v2/parser/parse_122.go b/vendor/k8s.io/gengo/v2/parser/parse_122.go
index ec2064958a909..de378eedd7339 100644
--- a/vendor/k8s.io/gengo/v2/parser/parse_122.go
+++ b/vendor/k8s.io/gengo/v2/parser/parse_122.go
@@ -31,3 +31,8 @@ func (p *Parser) walkAliasType(u types.Universe, in gotypes.Type) *types.Type {
 	}
 	return nil
 }
+
+func isTypeAlias(in gotypes.Type) bool {
+	_, isAlias := in.(*gotypes.Alias)
+	return isAlias
+}
diff --git a/vendor/k8s.io/gengo/v2/parser/parse_pre_122.go b/vendor/k8s.io/gengo/v2/parser/parse_pre_122.go
index 6f62100c0a773..535d6c9db6880 100644
--- a/vendor/k8s.io/gengo/v2/parser/parse_pre_122.go
+++ b/vendor/k8s.io/gengo/v2/parser/parse_pre_122.go
@@ -28,3 +28,7 @@ import (
 func (p *Parser) walkAliasType(u types.Universe, in gotypes.Type) *types.Type {
 	return nil
 }
+
+func isTypeAlias(in gotypes.Type) bool {
+	return false
+}
diff --git a/vendor/k8s.io/kube-openapi/cmd/openapi-gen/args/args.go b/vendor/k8s.io/kube-openapi/cmd/openapi-gen/args/args.go
index 153784ed9b081..7634c727b3e01 100644
--- a/vendor/k8s.io/kube-openapi/cmd/openapi-gen/args/args.go
+++ b/vendor/k8s.io/kube-openapi/cmd/openapi-gen/args/args.go
@@ -33,6 +33,12 @@ type Args struct {
 	// by API linter. If specified, API rule violations will be printed to report file.
 	// Otherwise default value "-" will be used which indicates stdout.
 	ReportFilename string
+
+	// OutputModelNameFile is the name of the file to be generated for OpenAPI schema name
+	// accessor functions. If empty, no model name accessor functions are generated.
+	// When this is specified, the OpenAPI spec generator will use the function names
+	// instead of Go type names for schema names.
+	OutputModelNameFile string
 }
 
 // New returns default arguments for the generator. Returning the arguments instead
@@ -54,6 +60,13 @@ func (args *Args) AddFlags(fs *pflag.FlagSet) {
 		"the base Go import-path under which to generate results")
 	fs.StringVar(&args.OutputFile, "output-file", "generated.openapi.go",
 		"the name of the file to be generated")
+	fs.StringVar(&args.OutputModelNameFile, "output-model-name-file", "",
+		`The filename for generated model name accessor functions.
+If specified, a file with this name will be created in each package containing
+a "+k8s:openapi-model-package" tag. The generated functions return fully qualified
+model names, which are used in the OpenAPI spec as schema references instead of
+Go type names. If empty, no model name accessor functions are generated and names
+are inferred from Go type names.`)
 	fs.StringVar(&args.GoHeaderFile, "go-header-file", "",
 		"the path to a file containing boilerplate header text; the string \"YEAR\" will be replaced with the current 4-digit year")
 	fs.StringVarP(&args.ReportFilename, "report-filename", "r", args.ReportFilename,
diff --git a/vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go b/vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go
index b466019ad6864..b19da6f63ba1e 100644
--- a/vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go
+++ b/vendor/k8s.io/kube-openapi/cmd/openapi-gen/openapi-gen.go
@@ -25,6 +25,7 @@ import (
 	"log"
 
 	"github.com/spf13/pflag"
+
 	"k8s.io/gengo/v2"
 	"k8s.io/gengo/v2/generator"
 	"k8s.io/klog/v2"
@@ -45,15 +46,35 @@ func main() {
 		log.Fatalf("Arguments validation error: %v", err)
 	}
 
-	myTargets := func(context *generator.Context) []generator.Target {
-		return generators.GetTargets(context, args)
+	boilerplate, err := gengo.GoBoilerplate(args.GoHeaderFile, gengo.StdBuildTag, gengo.StdGeneratedBy)
+	if err != nil {
+		log.Fatalf("Failed loading boilerplate: %v", err)
+	}
+
+	// Generates the code for model name accessors.
+	if len(args.OutputModelNameFile) > 0 {
+		modelNameTargets := func(context *generator.Context) []generator.Target {
+			return generators.GetModelNameTargets(context, args, boilerplate)
+		}
+		if err := gengo.Execute(
+			generators.NameSystems(),
+			generators.DefaultNameSystem(),
+			modelNameTargets,
+			gengo.StdBuildTag,
+			pflag.Args(),
+		); err != nil {
+			log.Fatalf("Model name code generation error: %v", err)
+		}
 	}
 
 	// Generates the code for the OpenAPIDefinitions.
+	openAPITargets := func(context *generator.Context) []generator.Target {
+		return generators.GetOpenAPITargets(context, args, boilerplate)
+	}
 	if err := gengo.Execute(
 		generators.NameSystems(),
 		generators.DefaultNameSystem(),
-		myTargets,
+		openAPITargets,
 		gengo.StdBuildTag,
 		pflag.Args(),
 	); err != nil {
diff --git a/vendor/k8s.io/kube-openapi/pkg/generators/config.go b/vendor/k8s.io/kube-openapi/pkg/generators/config.go
index 1fbd775985c5b..1bcf2a5231275 100644
--- a/vendor/k8s.io/kube-openapi/pkg/generators/config.go
+++ b/vendor/k8s.io/kube-openapi/pkg/generators/config.go
@@ -19,7 +19,6 @@ package generators
 import (
 	"path"
 
-	"k8s.io/gengo/v2"
 	"k8s.io/gengo/v2/generator"
 	"k8s.io/gengo/v2/namer"
 	"k8s.io/gengo/v2/types"
@@ -49,12 +48,8 @@ func DefaultNameSystem() string {
 	return "sorting_namer"
 }
 
-func GetTargets(context *generator.Context, args *args.Args) []generator.Target {
-	boilerplate, err := gengo.GoBoilerplate(args.GoHeaderFile, gengo.StdBuildTag, gengo.StdGeneratedBy)
-	if err != nil {
-		klog.Fatalf("Failed loading boilerplate: %v", err)
-	}
-
+// GetOpenAPITargets returns the targets for OpenAPI definition generation.
+func GetOpenAPITargets(context *generator.Context, args *args.Args, boilerplate []byte) []generator.Target {
 	reportPath := "-"
 	if args.ReportFilename != "" {
 		reportPath = args.ReportFilename
@@ -82,3 +77,56 @@ func GetTargets(context *generator.Context, args *args.Args) []generator.Target
 		},
 	}
 }
+
+// GetModelNameTargets returns the targets for model name generation.
+func GetModelNameTargets(context *generator.Context, args *args.Args, boilerplate []byte) []generator.Target {
+	var targets []generator.Target
+	for _, i := range context.Inputs {
+		klog.V(5).Infof("Considering pkg %q", i)
+
+		pkg := context.Universe[i]
+
+		openAPISchemaNamePackage, err := extractOpenAPISchemaNamePackage(pkg.Comments)
+		if err != nil {
+			klog.Fatalf("Package %v: invalid %s:%v", i, tagModelPackage, err)
+		}
+		hasPackageTag := len(openAPISchemaNamePackage) > 0
+
+		hasCandidates := false
+		for _, t := range pkg.Types {
+			v, err := singularTag(tagModelPackage, t.CommentLines)
+			if err != nil {
+				klog.Fatalf("Type %v: invalid %s:%v", t.Name, tagModelPackage, err)
+			}
+			hasTag := hasPackageTag || v != nil
+			hasModel := isSchemaNameType(t)
+			if hasModel && hasTag {
+				hasCandidates = true
+				break
+			}
+		}
+		if !hasCandidates {
+			klog.V(5).Infof("  skipping package")
+			continue
+		}
+
+		klog.V(3).Infof("Generating package %q", pkg.Path)
+
+		targets = append(targets,
+			&generator.SimpleTarget{
+				PkgName:       path.Base(pkg.Path),
+				PkgPath:       pkg.Path,
+				PkgDir:        pkg.Dir, // output pkg is the same as the input
+				HeaderComment: boilerplate,
+				FilterFunc: func(c *generator.Context, t *types.Type) bool {
+					return t.Name.Package == pkg.Path
+				},
+				GeneratorsFunc: func(c *generator.Context) (generators []generator.Generator) {
+					return []generator.Generator{
+						NewSchemaNameGen(args.OutputModelNameFile, pkg.Path, openAPISchemaNamePackage),
+					}
+				},
+			})
+	}
+	return targets
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/generators/model_names.go b/vendor/k8s.io/kube-openapi/pkg/generators/model_names.go
new file mode 100644
index 0000000000000..783e975d442c2
--- /dev/null
+++ b/vendor/k8s.io/kube-openapi/pkg/generators/model_names.go
@@ -0,0 +1,177 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generators
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"k8s.io/gengo/v2"
+	"k8s.io/gengo/v2/generator"
+	"k8s.io/gengo/v2/namer"
+	"k8s.io/gengo/v2/types"
+	"k8s.io/klog/v2"
+)
+
+const (
+	tagModelPackage = "k8s:openapi-model-package"
+)
+
+func extractOpenAPISchemaNamePackage(comments []string) (string, error) {
+	v, err := singularTag(tagModelPackage, comments)
+	if v == nil || err != nil {
+		return "", err
+	}
+	return v.Value, nil
+}
+
+func singularTag(tagName string, comments []string) (*gengo.Tag, error) {
+	tags, err := gengo.ExtractFunctionStyleCommentTags("+", []string{tagName}, comments)
+	if err != nil {
+		return nil, err
+	}
+	if len(tags) == 0 {
+		return nil, nil
+	}
+	if len(tags) > 1 {
+		return nil, fmt.Errorf("multiple %s tags found", tagName)
+	}
+	tag := tags[tagName]
+	if len(tag) == 0 {
+		return nil, nil
+	}
+	if len(tag) > 1 {
+		klog.V(5).Infof("multiple %s tags found, using the first one", tagName)
+	}
+	value := tag[0]
+	return &value, nil
+}
+
+// genSchemaName produces a file with autogenerated openapi schema name functions.
+type genSchemaName struct {
+	generator.GoGenerator
+	targetPackage            string
+	imports                  namer.ImportTracker
+	typesForInit             []*types.Type
+	openAPISchemaNamePackage string
+}
+
+// NewSchemaNameGen creates a generator
+func NewSchemaNameGen(outputFilename, targetPackage string, openAPISchemaNamePackage string) generator.Generator {
+	return &genSchemaName{
+		GoGenerator: generator.GoGenerator{
+			OutputFilename: outputFilename,
+		},
+		targetPackage:            targetPackage,
+		imports:                  generator.NewImportTracker(),
+		typesForInit:             make([]*types.Type, 0),
+		openAPISchemaNamePackage: openAPISchemaNamePackage,
+	}
+}
+
+func (g *genSchemaName) Namers(c *generator.Context) namer.NameSystems {
+	return namer.NameSystems{
+		"public": namer.NewPublicNamer(1),
+		"local":  namer.NewPublicNamer(0),
+		"raw":    namer.NewRawNamer("", nil),
+	}
+}
+
+func (g *genSchemaName) Filter(c *generator.Context, t *types.Type) bool {
+	// Filter out types not being processed or not copyable within the package.
+	if !isSchemaNameType(t) {
+		klog.V(2).Infof("Type %v is not a valid target for OpenAPI schema name", t)
+		return false
+	}
+	g.typesForInit = append(g.typesForInit, t)
+	return true
+}
+
+// isSchemaNameType indicates whether or not a type could be used to serve an API.
+func isSchemaNameType(t *types.Type) bool {
+	// Filter out private types.
+	if namer.IsPrivateGoName(t.Name.Name) {
+		return false
+	}
+
+	for t.Kind == types.Alias {
+		t = t.Underlying
+	}
+
+	if t.Kind != types.Struct {
+		return false
+	}
+	return true
+}
+
+func (g *genSchemaName) isOtherPackage(pkg string) bool {
+	if pkg == g.targetPackage {
+		return false
+	}
+	if strings.HasSuffix(pkg, ""+g.targetPackage+"") {
+		return false
+	}
+	return true
+}
+
+func (g *genSchemaName) Imports(c *generator.Context) (imports []string) {
+	importLines := []string{}
+	for _, singleImport := range g.imports.ImportLines() {
+		if g.isOtherPackage(singleImport) {
+			importLines = append(importLines, singleImport)
+		}
+	}
+	return importLines
+}
+
+func (g *genSchemaName) Init(c *generator.Context, w io.Writer) error {
+	return nil
+}
+
+func (g *genSchemaName) GenerateType(c *generator.Context, t *types.Type, w io.Writer) error {
+	klog.V(3).Infof("Generating openapi schema name for type %v", t)
+
+	openAPISchemaNamePackage := g.openAPISchemaNamePackage
+	v, err := singularTag(tagModelPackage, t.CommentLines)
+	if err != nil {
+		return fmt.Errorf("type %v: invalid %s:%v", t.Name, tagModelPackage, err)
+	}
+	if v != nil && v.Value != "" {
+		openAPISchemaNamePackage = v.Value
+	}
+
+	if openAPISchemaNamePackage == "" {
+		return nil
+	}
+
+	schemaName := openAPISchemaNamePackage + "." + t.Name.Name
+
+	a := map[string]interface{}{
+		"type":       t,
+		"schemaName": schemaName,
+	}
+
+	sw := generator.NewSnippetWriter(w, c, "$", "$")
+
+	sw.Do("// OpenAPIModelName returns the OpenAPI model name for this type.\n", a)
+	sw.Do("func (in $.type|local$) OpenAPIModelName() string {\n", a)
+	sw.Do("\treturn \"$.schemaName$\"\n", a)
+	sw.Do("}\n\n", nil)
+
+	return sw.Error()
+}
diff --git a/vendor/k8s.io/kube-openapi/pkg/generators/openapi.go b/vendor/k8s.io/kube-openapi/pkg/generators/openapi.go
index c5c0093818363..5d58754a779c3 100644
--- a/vendor/k8s.io/kube-openapi/pkg/generators/openapi.go
+++ b/vendor/k8s.io/kube-openapi/pkg/generators/openapi.go
@@ -295,6 +295,40 @@ func hasOpenAPIV3OneOfMethod(t *types.Type) bool {
 	return false
 }
 
+func hasOpenAPIModelName(t *types.Type) bool {
+	for mn, mt := range t.Methods {
+		if mn != "OpenAPIModelName" {
+			continue
+		}
+		return methodReturnsValue(mt, "", "string")
+	}
+	return false
+}
+
+func (g openAPITypeWriter) shouldUseOpenAPIModelName(t *types.Type) bool {
+	// Finds non-generated OpenAPIModelName() functions.
+	// Generated OpenAPIModelName() are ignored due to the 'ignore_autogenerated' build tag
+	// but are handled below by checking for use of the +k8s:openapi-model-package.
+	// This approach allows code generators to be called in any order.
+	if hasOpenAPIModelName(t) {
+		return true
+	}
+
+	value, err := extractOpenAPISchemaNamePackage(t.CommentLines)
+	if err != nil {
+		klog.Fatalf("Type %v: invalid %s:%v", t, tagModelPackage, err)
+	}
+	if value != "" {
+		return true
+	}
+	pkg := g.context.Universe.Package(t.Name.Package)
+	value, err = extractOpenAPISchemaNamePackage(pkg.Comments)
+	if err != nil {
+		klog.Fatalf("Package %v: invalid %s:%v", pkg, tagModelPackage, err)
+	}
+	return value != ""
+}
+
 // typeShortName returns short package name (e.g. the name x appears in package x definition) dot type name.
 func typeShortName(t *types.Type) string {
 	// `path` vs. `filepath` because packages use '/'
@@ -339,8 +373,18 @@ func (g openAPITypeWriter) generateCall(t *types.Type) error {
 	// Only generate for struct type and ignore the rest
 	switch t.Kind {
 	case types.Struct:
+		if namer.IsPrivateGoName(t.Name.Name) { // skip private types
+			return nil
+		}
+
 		args := argsFromType(t)
-		g.Do("\"$.$\": ", t.Name)
+
+		if g.shouldUseOpenAPIModelName(t) {
+			g.Do("$.|raw${}.OpenAPIModelName(): ", t)
+		} else {
+			// Legacy case: use the "canonical type name"
+			g.Do("\"$.$\": ", t.Name)
+		}
 
 		hasV2Definition := hasOpenAPIDefinitionMethod(t)
 		hasV2DefinitionTypeAndFormat := hasOpenAPIDefinitionMethods(t)
@@ -657,6 +701,9 @@ func (g openAPITypeWriter) generate(t *types.Type) error {
 		deps := []string{}
 		for _, k := range keys {
 			v := g.refTypes[k]
+			if t.Kind != types.Struct {
+				continue
+			}
 			if t, _ := openapi.OpenAPITypeFormat(v.String()); t != "" {
 				// This is a known type, we do not need a reference to it
 				// Will eliminate special case of time.Time
@@ -667,7 +714,12 @@ func (g openAPITypeWriter) generate(t *types.Type) error {
 		if len(deps) > 0 {
 			g.Do("Dependencies: []string{\n", args)
 			for _, k := range deps {
-				g.Do("\"$.$\",", k)
+				t := g.refTypes[k]
+				if g.shouldUseOpenAPIModelName(t) {
+					g.Do("$.|raw${}.OpenAPIModelName(),", t)
+				} else {
+					g.Do("\"$.$\",", k)
+				}
 			}
 			g.Do("},\n", nil)
 		}
@@ -1011,8 +1063,10 @@ func (g openAPITypeWriter) generateProperty(m *types.Member, parent *types.Type)
 		if err := g.generateSliceProperty(t); err != nil {
 			return fmt.Errorf("failed to generate slice property in %v: %v: %v", parent, m.Name, err)
 		}
-	case types.Struct, types.Interface:
+	case types.Struct:
 		g.generateReferenceProperty(t)
+	case types.Interface:
+		// Don't generate references to interfaces since we don't declare them
 	default:
 		return fmt.Errorf("cannot generate spec for type %v", t)
 	}
@@ -1027,7 +1081,11 @@ func (g openAPITypeWriter) generateSimpleProperty(typeString, format string) {
 
 func (g openAPITypeWriter) generateReferenceProperty(t *types.Type) {
 	g.refTypes[t.Name.String()] = t
-	g.Do("Ref: ref(\"$.$\"),\n", t.Name.String())
+	if g.shouldUseOpenAPIModelName(t) {
+		g.Do("Ref: ref($.|raw${}.OpenAPIModelName()),\n", t)
+	} else {
+		g.Do("Ref: ref(\"$.$\"),\n", t.Name.String())
+	}
 }
 
 func resolvePtrType(t *types.Type) *types.Type {
diff --git a/vendor/k8s.io/kube-openapi/pkg/util/util.go b/vendor/k8s.io/kube-openapi/pkg/util/util.go
index 6eee935b22a92..830ec3ca091ab 100644
--- a/vendor/k8s.io/kube-openapi/pkg/util/util.go
+++ b/vendor/k8s.io/kube-openapi/pkg/util/util.go
@@ -92,10 +92,21 @@ type OpenAPICanonicalTypeNamer interface {
 	OpenAPICanonicalTypeName() string
 }
 
+// OpenAPIModelNamer is an interface Go types may implement to provide an OpenAPI model name.
+//
+// This takes precedence over OpenAPICanonicalTypeNamer, and should be used when a Go type has a model
+// name that differs from its canonical type name as determined by Go package name reflection.
+type OpenAPIModelNamer interface {
+	OpenAPIModelName() string
+}
+
 // GetCanonicalTypeName will find the canonical type name of a sample object, removing
 // the "vendor" part of the path
 func GetCanonicalTypeName(model interface{}) string {
-	if namer, ok := model.(OpenAPICanonicalTypeNamer); ok {
+	switch namer := model.(type) {
+	case OpenAPIModelNamer:
+		return namer.OpenAPIModelName()
+	case OpenAPICanonicalTypeNamer:
 		return namer.OpenAPICanonicalTypeName()
 	}
 	t := reflect.TypeOf(model)
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/default.go b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/default.go
index 97b2f989e9f4c..23109816eb6c7 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/default.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/default.go
@@ -17,7 +17,6 @@ package strfmt
 import (
 	"encoding/base64"
 	"encoding/json"
-	"fmt"
 	"net/mail"
 	"regexp"
 	"strings"
@@ -247,29 +246,6 @@ func (b *Base64) UnmarshalText(data []byte) error { // validation is performed l
 	return nil
 }
 
-// Scan read a value from a database driver
-func (b *Base64) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		dbuf := make([]byte, base64.StdEncoding.DecodedLen(len(v)))
-		n, err := base64.StdEncoding.Decode(dbuf, v)
-		if err != nil {
-			return err
-		}
-		*b = dbuf[:n]
-	case string:
-		vv, err := base64.StdEncoding.DecodeString(v)
-		if err != nil {
-			return err
-		}
-		*b = Base64(vv)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.Base64 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (b Base64) String() string {
 	return base64.StdEncoding.EncodeToString([]byte(b))
 }
@@ -324,20 +300,6 @@ func (u *URI) UnmarshalText(data []byte) error { // validation is performed late
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *URI) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = URI(string(v))
-	case string:
-		*u = URI(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.URI from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u URI) String() string {
 	return string(u)
 }
@@ -388,20 +350,6 @@ func (e *Email) UnmarshalText(data []byte) error { // validation is performed la
 	return nil
 }
 
-// Scan read a value from a database driver
-func (e *Email) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*e = Email(string(v))
-	case string:
-		*e = Email(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.Email from: %#v", v)
-	}
-
-	return nil
-}
-
 func (e Email) String() string {
 	return string(e)
 }
@@ -452,20 +400,6 @@ func (h *Hostname) UnmarshalText(data []byte) error { // validation is performed
 	return nil
 }
 
-// Scan read a value from a database driver
-func (h *Hostname) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*h = Hostname(string(v))
-	case string:
-		*h = Hostname(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.Hostname from: %#v", v)
-	}
-
-	return nil
-}
-
 func (h Hostname) String() string {
 	return string(h)
 }
@@ -516,20 +450,6 @@ func (u *IPv4) UnmarshalText(data []byte) error { // validation is performed lat
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *IPv4) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = IPv4(string(v))
-	case string:
-		*u = IPv4(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.IPv4 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u IPv4) String() string {
 	return string(u)
 }
@@ -580,20 +500,6 @@ func (u *IPv6) UnmarshalText(data []byte) error { // validation is performed lat
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *IPv6) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = IPv6(string(v))
-	case string:
-		*u = IPv6(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.IPv6 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u IPv6) String() string {
 	return string(u)
 }
@@ -644,20 +550,6 @@ func (u *CIDR) UnmarshalText(data []byte) error { // validation is performed lat
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *CIDR) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = CIDR(string(v))
-	case string:
-		*u = CIDR(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.CIDR from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u CIDR) String() string {
 	return string(u)
 }
@@ -708,20 +600,6 @@ func (u *MAC) UnmarshalText(data []byte) error { // validation is performed late
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *MAC) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = MAC(string(v))
-	case string:
-		*u = MAC(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.IPv4 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u MAC) String() string {
 	return string(u)
 }
@@ -772,20 +650,6 @@ func (u *UUID) UnmarshalText(data []byte) error { // validation is performed lat
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *UUID) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = UUID(string(v))
-	case string:
-		*u = UUID(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.UUID from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u UUID) String() string {
 	return string(u)
 }
@@ -839,20 +703,6 @@ func (u *UUID3) UnmarshalText(data []byte) error { // validation is performed la
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *UUID3) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = UUID3(string(v))
-	case string:
-		*u = UUID3(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.UUID3 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u UUID3) String() string {
 	return string(u)
 }
@@ -906,20 +756,6 @@ func (u *UUID4) UnmarshalText(data []byte) error { // validation is performed la
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *UUID4) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = UUID4(string(v))
-	case string:
-		*u = UUID4(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.UUID4 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u UUID4) String() string {
 	return string(u)
 }
@@ -973,20 +809,6 @@ func (u *UUID5) UnmarshalText(data []byte) error { // validation is performed la
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *UUID5) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = UUID5(string(v))
-	case string:
-		*u = UUID5(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.UUID5 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u UUID5) String() string {
 	return string(u)
 }
@@ -1040,20 +862,6 @@ func (u *ISBN) UnmarshalText(data []byte) error { // validation is performed lat
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *ISBN) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = ISBN(string(v))
-	case string:
-		*u = ISBN(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.ISBN from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u ISBN) String() string {
 	return string(u)
 }
@@ -1107,20 +915,6 @@ func (u *ISBN10) UnmarshalText(data []byte) error { // validation is performed l
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *ISBN10) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = ISBN10(string(v))
-	case string:
-		*u = ISBN10(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.ISBN10 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u ISBN10) String() string {
 	return string(u)
 }
@@ -1174,20 +968,6 @@ func (u *ISBN13) UnmarshalText(data []byte) error { // validation is performed l
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *ISBN13) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = ISBN13(string(v))
-	case string:
-		*u = ISBN13(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.ISBN13 from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u ISBN13) String() string {
 	return string(u)
 }
@@ -1241,20 +1021,6 @@ func (u *CreditCard) UnmarshalText(data []byte) error { // validation is perform
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *CreditCard) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = CreditCard(string(v))
-	case string:
-		*u = CreditCard(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.CreditCard from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u CreditCard) String() string {
 	return string(u)
 }
@@ -1308,20 +1074,6 @@ func (u *SSN) UnmarshalText(data []byte) error { // validation is performed late
 	return nil
 }
 
-// Scan read a value from a database driver
-func (u *SSN) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*u = SSN(string(v))
-	case string:
-		*u = SSN(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.SSN from: %#v", v)
-	}
-
-	return nil
-}
-
 func (u SSN) String() string {
 	return string(u)
 }
@@ -1375,20 +1127,6 @@ func (h *HexColor) UnmarshalText(data []byte) error { // validation is performed
 	return nil
 }
 
-// Scan read a value from a database driver
-func (h *HexColor) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*h = HexColor(string(v))
-	case string:
-		*h = HexColor(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.HexColor from: %#v", v)
-	}
-
-	return nil
-}
-
 func (h HexColor) String() string {
 	return string(h)
 }
@@ -1442,20 +1180,6 @@ func (r *RGBColor) UnmarshalText(data []byte) error { // validation is performed
 	return nil
 }
 
-// Scan read a value from a database driver
-func (r *RGBColor) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*r = RGBColor(string(v))
-	case string:
-		*r = RGBColor(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.RGBColor from: %#v", v)
-	}
-
-	return nil
-}
-
 func (r RGBColor) String() string {
 	return string(r)
 }
@@ -1510,20 +1234,6 @@ func (r *Password) UnmarshalText(data []byte) error { // validation is performed
 	return nil
 }
 
-// Scan read a value from a database driver
-func (r *Password) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	case []byte:
-		*r = Password(string(v))
-	case string:
-		*r = Password(v)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.Password from: %#v", v)
-	}
-
-	return nil
-}
-
 func (r Password) String() string {
 	return string(r)
 }
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/duration.go b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/duration.go
index 8fbeb635fb433..04545296bd3e0 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/duration.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/duration.go
@@ -119,23 +119,6 @@ func ParseDuration(cand string) (time.Duration, error) {
 	return 0, fmt.Errorf("unable to parse %s as duration", cand)
 }
 
-// Scan reads a Duration value from database driver type.
-func (d *Duration) Scan(raw interface{}) error {
-	switch v := raw.(type) {
-	// TODO: case []byte: // ?
-	case int64:
-		*d = Duration(v)
-	case float64:
-		*d = Duration(int64(v))
-	case nil:
-		*d = Duration(0)
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.Duration from: %#v", v)
-	}
-
-	return nil
-}
-
 // String converts this duration to a string
 func (d Duration) String() string {
 	return time.Duration(d).String()
diff --git a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/time.go b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/time.go
index b2324db052c58..d0fd31a9dbf6a 100644
--- a/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/time.go
+++ b/vendor/k8s.io/kube-openapi/pkg/validation/strfmt/time.go
@@ -16,7 +16,6 @@ package strfmt
 
 import (
 	"encoding/json"
-	"fmt"
 	"regexp"
 	"strings"
 	"time"
@@ -114,25 +113,6 @@ func (t *DateTime) UnmarshalText(text []byte) error {
 	return nil
 }
 
-// Scan scans a DateTime value from database driver type.
-func (t *DateTime) Scan(raw interface{}) error {
-	// TODO: case int64: and case float64: ?
-	switch v := raw.(type) {
-	case []byte:
-		return t.UnmarshalText(v)
-	case string:
-		return t.UnmarshalText([]byte(v))
-	case time.Time:
-		*t = DateTime(v)
-	case nil:
-		*t = DateTime{}
-	default:
-		return fmt.Errorf("cannot sql.Scan() strfmt.DateTime from: %#v", v)
-	}
-
-	return nil
-}
-
 // MarshalJSON returns the DateTime as JSON
 func (t DateTime) MarshalJSON() ([]byte, error) {
 	return json.Marshal(time.Time(t).Format(MarshalFormat))
diff --git a/vendor/k8s.io/system-validators/validators/cgroup_validator_linux.go b/vendor/k8s.io/system-validators/validators/cgroup_validator_linux.go
index ce93e7bc1b72c..e8075cd98dfd5 100644
--- a/vendor/k8s.io/system-validators/validators/cgroup_validator_linux.go
+++ b/vendor/k8s.io/system-validators/validators/cgroup_validator_linux.go
@@ -26,13 +26,16 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/blang/semver/v4"
 )
 
 var _ Validator = &CgroupsValidator{}
 
 // CgroupsValidator validates cgroup configuration.
 type CgroupsValidator struct {
-	Reporter Reporter
+	Reporter       Reporter
+	KubeletVersion string
 }
 
 // Name is part of the system.Validator interface.
@@ -114,7 +117,22 @@ func (c *CgroupsValidator) Validate(spec SysSpec) (warns, errs []error) {
 		requiredCgroupSpec = spec.CgroupsV2
 		optionalCgroupSpec = spec.CgroupsV2Optional
 	} else {
-		warns = append(warns, errors.New("cgroups v1 support is in maintenance mode, please migrate to cgroups v2"))
+		v1DisabledInKubelet, err := c.isCgroupsV1DisabledInKubelet()
+		if err != nil {
+			return nil, []error{err}
+		}
+
+		v1Error := errors.New("cgroups v1 support is deprecated and will be removed in a future release. " +
+			"Please migrate to cgroups v2. To explicitly enable cgroups v1 support for kubelet v1.35 or newer, " +
+			"you must set the kubelet configuration option 'FailCgroupV1' to 'false'. You must also explicitly " +
+			"skip this validation. For more information, see https://git.k8s.io/enhancements/keps/sig-node/5573-remove-cgroup-v1")
+
+		if v1DisabledInKubelet {
+			errs = append(errs, v1Error)
+		} else {
+			warns = append(warns, v1Error)
+		}
+
 		subsystems, err = c.getCgroupV1Subsystems()
 		if err != nil {
 			return nil, []error{fmt.Errorf("failed to get cgroups v1 subsystems: %w", err)}
@@ -229,3 +247,24 @@ func checkCgroupV2Freeze(unifiedMountpoint string) (isCgroupfs bool, warn error)
 	isCgroupfs = true
 	return
 }
+
+// isCgroupsV1DisabledInKubelet checks the KubeletVersion and determines if that version
+// disabled cgroups v1 support by default:
+// - If the version is newer than 1.35 pre-release, return true.
+// - If the version is not defined or older than pre-release 1.35, return false.
+func (c *CgroupsValidator) isCgroupsV1DisabledInKubelet() (bool, error) {
+	if c.KubeletVersion == "" {
+		return false, nil
+	}
+
+	kv, err := semver.Parse(c.KubeletVersion)
+	if err != nil {
+		return false, fmt.Errorf("malformed KubeletVersion in CgroupsValidator: %w", err)
+	}
+
+	if kv.Compare(semver.MustParse("1.35.0-0")) > -1 {
+		return true, nil
+	}
+
+	return false, nil
+}
diff --git a/vendor/k8s.io/system-validators/validators/cgroup_validator_other.go b/vendor/k8s.io/system-validators/validators/cgroup_validator_other.go
index 9d74a7ba917b9..9a2b243070642 100644
--- a/vendor/k8s.io/system-validators/validators/cgroup_validator_other.go
+++ b/vendor/k8s.io/system-validators/validators/cgroup_validator_other.go
@@ -23,9 +23,12 @@ package system
 
 var _ Validator = &CgroupsValidator{}
 
+const mountsFilePath = ""
+
 // CgroupsValidator validates cgroup configuration.
 type CgroupsValidator struct {
-	Reporter Reporter
+	Reporter       Reporter
+	KubeletVersion string
 }
 
 // Validate is part of the system.Validator interface.
@@ -37,3 +40,8 @@ func (c *CgroupsValidator) Validate(spec SysSpec) (warns, errs []error) {
 func (c *CgroupsValidator) Name() string {
 	return "cgroups"
 }
+
+// getUnifiedMountpoint is a no-op for non-Linux OSes.
+func getUnifiedMountpoint(path string) (string, bool, error) {
+	return "", false, nil
+}
diff --git a/vendor/k8s.io/system-validators/validators/kernel_validator.go b/vendor/k8s.io/system-validators/validators/kernel_validator.go
index ffad14994a61f..0b37396b8060d 100644
--- a/vendor/k8s.io/system-validators/validators/kernel_validator.go
+++ b/vendor/k8s.io/system-validators/validators/kernel_validator.go
@@ -70,7 +70,8 @@ func (k *KernelValidator) Validate(spec SysSpec) ([]error, []error) {
 		warns = append(warns, warn)
 	}
 	// only validate kernel config when necessary (currently no kernel config for windows)
-	if len(spec.KernelSpec.Required) > 0 || len(spec.KernelSpec.Forbidden) > 0 || len(spec.KernelSpec.Optional) > 0 {
+	if len(spec.KernelSpec.Required) > 0 || len(spec.KernelSpec.Forbidden) > 0 || len(spec.KernelSpec.Optional) > 0 ||
+		len(spec.KernelSpec.RequiredCgroupsV1) > 0 || len(spec.KernelSpec.RequiredCgroupsV2) > 0 {
 		if err = k.validateKernelConfig(spec.KernelSpec); err != nil {
 			errs = append(errs, err)
 		}
@@ -158,6 +159,20 @@ func (k *KernelValidator) validateCachedKernelConfig(allConfig map[string]kConfi
 	for _, config := range kSpec.Required {
 		validateOpt(config, required)
 	}
+	_, isCgroupsV2, err := getUnifiedMountpoint(mountsFilePath)
+	if err != nil {
+		return fmt.Errorf("failed to get unified mountpoint: %w", err)
+	}
+	if isCgroupsV2 {
+		for _, config := range kSpec.RequiredCgroupsV2 {
+			validateOpt(config, required)
+		}
+	} else {
+		for _, config := range kSpec.RequiredCgroupsV1 {
+			validateOpt(config, required)
+		}
+	}
+
 	for _, config := range kSpec.Optional {
 		validateOpt(config, optional)
 	}
diff --git a/vendor/k8s.io/system-validators/validators/types.go b/vendor/k8s.io/system-validators/validators/types.go
index eee7e81762a6c..6256c37fb3ed5 100644
--- a/vendor/k8s.io/system-validators/validators/types.go
+++ b/vendor/k8s.io/system-validators/validators/types.go
@@ -46,10 +46,18 @@ type KernelSpec struct {
 	VersionsNote string `json:"versionsNote,omitempty"`
 	// Required contains all kernel configurations required to be enabled
 	// (built in or as module).
+	// RequiredCgroupsV1 and RequiredCgroupsV2 are mutually exclusive.
 	Required []KernelConfig `json:"required,omitempty"`
-	// Optional contains all kernel configurations are required for optional
-	// features.
+	// RequiredCgroupsV1 contains all kernel configurations required to be enabled for cgroups v1.
+	RequiredCgroupsV1 []KernelConfig `json:"requiredCgroupsV1,omitempty"`
+	// RequiredCgroupsV2 contains all kernel configurations required to be enabled for cgroups v2.
+	RequiredCgroupsV2 []KernelConfig `json:"requiredCgroupsV2,omitempty"`
+	// Optional contains optional kernel configurations.
 	Optional []KernelConfig `json:"optional,omitempty"`
+	// OptionalCgroupsV1 contains optional kernel configurations related to cgroups v1.
+	OptionalCgroupsV1 []KernelConfig `json:"optionalCgroupsV1,omitempty"`
+	// OptionalCgroupsV2 contains optional kernel configurations related to cgroups v2.
+	OptionalCgroupsV2 []KernelConfig `json:"optionalCgroupsV2,omitempty"`
 	// Forbidden contains all kernel configurations which areforbidden (disabled
 	// or not set)
 	Forbidden []KernelConfig `json:"forbidden,omitempty"`
diff --git a/vendor/k8s.io/system-validators/validators/types_unix.go b/vendor/k8s.io/system-validators/validators/types_unix.go
index e2fc25fc5073d..1edd0ecb03cab 100644
--- a/vendor/k8s.io/system-validators/validators/types_unix.go
+++ b/vendor/k8s.io/system-validators/validators/types_unix.go
@@ -41,7 +41,6 @@ var DefaultSysSpec = SysSpec{
 			{Name: "PID_NS"},
 			{Name: "IPC_NS"},
 			{Name: "UTS_NS"},
-			{Name: "CGROUPS"},
 			{Name: "CPUSETS"},
 			{Name: "MEMCG"},
 			{Name: "INET"},
@@ -51,6 +50,20 @@ var DefaultSysSpec = SysSpec{
 			{Name: "NETFILTER_XT_MATCH_COMMENT"},
 			{Name: "FAIR_GROUP_SCHED"},
 		},
+		RequiredCgroupsV1: []KernelConfig{
+			{Name: "CGROUPS", Description: "Required for cgroups."},
+			{Name: "CGROUP_CPUACCT", Description: "Required for cpuacct controller, used in simple CPU accounting controller."},
+			{Name: "CGROUP_DEVICE", Description: "Required for device controller."},
+			{Name: "CGROUP_FREEZER", Description: "Required for freezer controller."},
+			{Name: "CGROUP_PIDS", Description: "Required for PIDs controller."},
+			{Name: "CGROUP_SCHED", Description: "Required for CPU controller."},
+		},
+		RequiredCgroupsV2: []KernelConfig{
+			{Name: "CGROUPS", Description: "Required for cgroups."},
+			{Name: "CGROUP_BPF", Description: "Required for eBPF programs attached to cgroups, used in device controller."},
+			{Name: "CGROUP_PIDS", Description: "Required for PIDs controller."},
+			{Name: "CGROUP_SCHED", Description: "Required for CPU controller."},
+		},
 		Optional: []KernelConfig{
 			{Name: "OVERLAY_FS", Aliases: []string{"OVERLAYFS_FS"}, Description: "Required for overlayfs."},
 			{Name: "AUFS_FS", Description: "Required for aufs."},
@@ -59,6 +72,12 @@ var DefaultSysSpec = SysSpec{
 			{Name: "SECCOMP", Description: "Required for seccomp."},
 			{Name: "SECCOMP_FILTER", Description: "Required for seccomp mode 2."},
 		},
+		OptionalCgroupsV1: []KernelConfig{
+			{Name: "CGROUP_HUGETLB", Description: "Required for hugetlb cgroup."},
+		},
+		OptionalCgroupsV2: []KernelConfig{
+			{Name: "CGROUP_HUGETLB", Description: "Required for hugetlb cgroup."},
+		},
 		Forbidden: []KernelConfig{},
 	},
 	Cgroups: []string{"cpu", "cpuacct", "cpuset", "devices", "freezer", "memory", "pids"},
diff --git a/vendor/k8s.io/utils/net/multi_listen.go b/vendor/k8s.io/utils/net/multi_listen.go
index 7cb7795beca7f..e5d508055d326 100644
--- a/vendor/k8s.io/utils/net/multi_listen.go
+++ b/vendor/k8s.io/utils/net/multi_listen.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"net"
 	"sync"
+	"sync/atomic"
 )
 
 // connErrPair pairs conn and error which is returned by accept on sub-listeners.
@@ -38,6 +39,7 @@ type multiListener struct {
 	connCh chan connErrPair
 	// stopCh communicates from parent to child listeners.
 	stopCh chan struct{}
+	closed atomic.Bool
 }
 
 // compile time check to ensure *multiListener implements net.Listener
@@ -150,10 +152,8 @@ func (ml *multiListener) Accept() (net.Conn, error) {
 // the go-routines to exit.
 func (ml *multiListener) Close() error {
 	// Make sure this can be called repeatedly without explosions.
-	select {
-	case <-ml.stopCh:
+	if !ml.closed.CompareAndSwap(false, true) {
 		return fmt.Errorf("use of closed network connection")
-	default:
 	}
 
 	// Tell all sub-listeners to stop.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b2047ef605ec5..66eb5f1713638 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -5,6 +5,12 @@ bitbucket.org/bertimus9/systemstat
 # cel.dev/expr v0.24.0
 ## explicit; go 1.22.0
 cel.dev/expr
+# cyphar.com/go-pathrs v0.2.1
+## explicit; go 1.18
+cyphar.com/go-pathrs
+cyphar.com/go-pathrs/internal/fdutils
+cyphar.com/go-pathrs/internal/libpathrs
+cyphar.com/go-pathrs/procfs
 # github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161
 ## explicit; go 1.16
 github.com/Azure/go-ansiterm
@@ -18,6 +24,9 @@ github.com/JeffAshton/win_pdh
 # github.com/MakeNowJust/heredoc v1.0.0
 ## explicit; go 1.12
 github.com/MakeNowJust/heredoc
+# github.com/Masterminds/semver/v3 v3.4.0
+## explicit; go 1.21
+github.com/Masterminds/semver/v3
 # github.com/Microsoft/go-winio v0.6.2
 ## explicit; go 1.21
 github.com/Microsoft/go-winio
@@ -25,7 +34,7 @@ github.com/Microsoft/go-winio/internal/fs
 github.com/Microsoft/go-winio/internal/socket
 github.com/Microsoft/go-winio/internal/stringbuffer
 github.com/Microsoft/go-winio/pkg/guid
-# github.com/Microsoft/hnslib v0.1.1
+# github.com/Microsoft/hnslib v0.1.2
 ## explicit; go 1.22.0
 github.com/Microsoft/hnslib
 github.com/Microsoft/hnslib/hcn
@@ -67,8 +76,8 @@ github.com/chai2010/gettext-go/po
 # github.com/container-storage-interface/spec v1.9.0
 ## explicit; go 1.18
 github.com/container-storage-interface/spec/lib/go/csi
-# github.com/containerd/containerd/api v1.8.0
-## explicit; go 1.21
+# github.com/containerd/containerd/api v1.9.0
+## explicit; go 1.23.0
 github.com/containerd/containerd/api/services/containers/v1
 github.com/containerd/containerd/api/services/tasks/v1
 github.com/containerd/containerd/api/services/version/v1
@@ -85,16 +94,16 @@ github.com/containerd/errdefs/pkg/internal/types
 # github.com/containerd/log v0.1.0
 ## explicit; go 1.20
 github.com/containerd/log
-# github.com/containerd/ttrpc v1.2.6
+# github.com/containerd/ttrpc v1.2.7
 ## explicit; go 1.19
 github.com/containerd/ttrpc
-# github.com/containerd/typeurl/v2 v2.2.2
+# github.com/containerd/typeurl/v2 v2.2.3
 ## explicit; go 1.21
 github.com/containerd/typeurl/v2
 # github.com/coredns/caddy v1.1.1
 ## explicit; go 1.13
 github.com/coredns/caddy/caddyfile
-# github.com/coredns/corefile-migration v1.0.26
+# github.com/coredns/corefile-migration v1.0.29
 ## explicit; go 1.14
 github.com/coredns/corefile-migration/migration
 github.com/coredns/corefile-migration/migration/corefile
@@ -114,9 +123,20 @@ github.com/coreos/go-systemd/v22/util
 # github.com/cpuguy83/go-md2man/v2 v2.0.6
 ## explicit; go 1.12
 github.com/cpuguy83/go-md2man/v2/md2man
-# github.com/cyphar/filepath-securejoin v0.4.1
+# github.com/cyphar/filepath-securejoin v0.6.0
 ## explicit; go 1.18
 github.com/cyphar/filepath-securejoin
+github.com/cyphar/filepath-securejoin/internal/consts
+github.com/cyphar/filepath-securejoin/pathrs-lite
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/assert
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/kernelversion
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux
+github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs
+github.com/cyphar/filepath-securejoin/pathrs-lite/procfs
 # github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 ## explicit
 github.com/davecgh/go-spew/spew
@@ -161,7 +181,7 @@ github.com/go-errors/errors
 # github.com/go-ldap/ldap/v3 v3.4.11
 ## explicit; go 1.23.0
 github.com/go-ldap/ldap/v3
-# github.com/go-logr/logr v1.4.2
+# github.com/go-logr/logr v1.4.3
 ## explicit; go 1.18
 github.com/go-logr/logr
 github.com/go-logr/logr/funcr
@@ -228,7 +248,7 @@ github.com/golang/protobuf/ptypes/wrappers
 # github.com/google/btree v1.1.3
 ## explicit; go 1.18
 github.com/google/btree
-# github.com/google/cadvisor v0.52.1 => github.com/openshift/google-cadvisor v0.52.1-openshift-4.21-1
+# github.com/google/cadvisor v0.53.0
 ## explicit; go 1.23.0
 github.com/google/cadvisor/cache/memory
 github.com/google/cadvisor/client/v2
@@ -310,8 +330,8 @@ github.com/google/go-cmp/cmp/internal/diff
 github.com/google/go-cmp/cmp/internal/flags
 github.com/google/go-cmp/cmp/internal/function
 github.com/google/go-cmp/cmp/internal/value
-# github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db
-## explicit; go 1.22
+# github.com/google/pprof v0.0.0-20250403155104-27863c87afa6
+## explicit; go 1.23
 github.com/google/pprof/profile
 # github.com/google/uuid v1.6.0
 ## explicit
@@ -426,12 +446,13 @@ github.com/munnerz/goautoneg
 # github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
 ## explicit
 github.com/mxk/go-flowrate/flowrate
-# github.com/onsi/ginkgo/v2 v2.21.0 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
-## explicit; go 1.22.0
+# github.com/onsi/ginkgo/v2 v2.25.1 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+## explicit; go 1.23.0
 github.com/onsi/ginkgo/v2
 github.com/onsi/ginkgo/v2/config
 github.com/onsi/ginkgo/v2/formatter
 github.com/onsi/ginkgo/v2/ginkgo
+github.com/onsi/ginkgo/v2/ginkgo/automaxprocs
 github.com/onsi/ginkgo/v2/ginkgo/build
 github.com/onsi/ginkgo/v2/ginkgo/command
 github.com/onsi/ginkgo/v2/ginkgo/generators
@@ -445,11 +466,12 @@ github.com/onsi/ginkgo/v2/internal
 github.com/onsi/ginkgo/v2/internal/global
 github.com/onsi/ginkgo/v2/internal/interrupt_handler
 github.com/onsi/ginkgo/v2/internal/parallel_support
+github.com/onsi/ginkgo/v2/internal/reporters
 github.com/onsi/ginkgo/v2/internal/testingtproxy
 github.com/onsi/ginkgo/v2/reporters
 github.com/onsi/ginkgo/v2/types
-# github.com/onsi/gomega v1.35.1
-## explicit; go 1.22
+# github.com/onsi/gomega v1.38.2
+## explicit; go 1.23.0
 github.com/onsi/gomega
 github.com/onsi/gomega/format
 github.com/onsi/gomega/gcustom
@@ -460,6 +482,7 @@ github.com/onsi/gomega/gstruct/errors
 github.com/onsi/gomega/internal
 github.com/onsi/gomega/internal/gutil
 github.com/onsi/gomega/matchers
+github.com/onsi/gomega/matchers/internal/miter
 github.com/onsi/gomega/matchers/support/goraph/bipartitegraph
 github.com/onsi/gomega/matchers/support/goraph/edge
 github.com/onsi/gomega/matchers/support/goraph/node
@@ -482,21 +505,15 @@ github.com/opencontainers/go-digest
 ## explicit; go 1.18
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.2.5
-## explicit; go 1.22
-github.com/opencontainers/runc/libcontainer/cgroups
-github.com/opencontainers/runc/libcontainer/configs
-github.com/opencontainers/runc/libcontainer/devices
-github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.2.0
+# github.com/opencontainers/runtime-spec v1.2.1
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
-# github.com/opencontainers/selinux v1.11.1
+# github.com/opencontainers/selinux v1.13.0
 ## explicit; go 1.19
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
 github.com/opencontainers/selinux/pkg/pwalkdir
-# github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835
+# github.com/openshift-eng/openshift-tests-extension v0.0.0-20260127124016-0fed2b824818
 ## explicit; go 1.23.0
 github.com/openshift-eng/openshift-tests-extension/pkg/cmd
 github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdimages
@@ -512,8 +529,8 @@ github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo
 github.com/openshift-eng/openshift-tests-extension/pkg/junit
 github.com/openshift-eng/openshift-tests-extension/pkg/util/sets
 github.com/openshift-eng/openshift-tests-extension/pkg/version
-# github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
-## explicit; go 1.24.0
+# github.com/openshift/api v0.0.0-20260211194905-f62f47eaf03d => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+## explicit; go 1.25.0
 github.com/openshift/api/apiserver/v1
 github.com/openshift/api/apps/v1
 github.com/openshift/api/authorization/v1
@@ -539,8 +556,8 @@ github.com/openshift/api/security
 github.com/openshift/api/security/v1
 github.com/openshift/api/template/v1
 github.com/openshift/api/user/v1
-# github.com/openshift/apiserver-library-go v0.0.0-20251015164739-79d04067059d
-## explicit; go 1.24.0
+# github.com/openshift/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b => github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
+## explicit; go 1.25.0
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/validation
@@ -560,8 +577,8 @@ github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl
 github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/user
 github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/util
 github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/util/sort
-# github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c
-## explicit; go 1.24.0
+# github.com/openshift/client-go v0.0.0-20260211200652-3585e10bcc17 => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+## explicit; go 1.25.0
 github.com/openshift/client-go/apiserver/applyconfigurations
 github.com/openshift/client-go/apiserver/applyconfigurations/apiserver/v1
 github.com/openshift/client-go/apiserver/applyconfigurations/internal
@@ -713,8 +730,8 @@ github.com/openshift/client-go/user/informers/externalversions/internalinterface
 github.com/openshift/client-go/user/informers/externalversions/user
 github.com/openshift/client-go/user/informers/externalversions/user/v1
 github.com/openshift/client-go/user/listers/user/v1
-# github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
-## explicit; go 1.24.0
+# github.com/openshift/library-go v0.0.0-20260211202355-e615a1f60a34 => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
+## explicit; go 1.25.0
 github.com/openshift/library-go/pkg/apiserver/admission/admissionregistrationtesting
 github.com/openshift/library-go/pkg/apiserver/admission/admissionrestconfig
 github.com/openshift/library-go/pkg/apiserver/admission/admissiontimeout
@@ -757,8 +774,8 @@ github.com/pmezard/go-difflib/difflib
 ## explicit; go 1.16
 github.com/pquerna/cachecontrol
 github.com/pquerna/cachecontrol/cacheobject
-# github.com/prometheus/client_golang v1.22.0
-## explicit; go 1.22
+# github.com/prometheus/client_golang v1.23.2
+## explicit; go 1.23.0
 github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil
 github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil/header
 github.com/prometheus/client_golang/prometheus
@@ -769,23 +786,23 @@ github.com/prometheus/client_golang/prometheus/promhttp/internal
 github.com/prometheus/client_golang/prometheus/testutil
 github.com/prometheus/client_golang/prometheus/testutil/promlint
 github.com/prometheus/client_golang/prometheus/testutil/promlint/validations
-# github.com/prometheus/client_model v0.6.1
-## explicit; go 1.19
+# github.com/prometheus/client_model v0.6.2
+## explicit; go 1.22.0
 github.com/prometheus/client_model/go
-# github.com/prometheus/common v0.62.0
-## explicit; go 1.21
+# github.com/prometheus/common v0.66.1
+## explicit; go 1.23.0
 github.com/prometheus/common/expfmt
 github.com/prometheus/common/model
-# github.com/prometheus/procfs v0.15.1
-## explicit; go 1.20
+# github.com/prometheus/procfs v0.16.1
+## explicit; go 1.23.0
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
 # github.com/robfig/cron/v3 v3.0.1
 ## explicit; go 1.12
 github.com/robfig/cron/v3
-# github.com/rogpeppe/go-internal v1.13.1
-## explicit; go 1.22
+# github.com/rogpeppe/go-internal v1.14.1
+## explicit; go 1.23
 # github.com/russross/blackfriday/v2 v2.1.0
 ## explicit
 github.com/russross/blackfriday/v2
@@ -795,11 +812,11 @@ github.com/sirupsen/logrus
 # github.com/soheilhy/cmux v0.1.5
 ## explicit; go 1.11
 github.com/soheilhy/cmux
-# github.com/spf13/cobra v1.9.1
+# github.com/spf13/cobra v1.10.0
 ## explicit; go 1.15
 github.com/spf13/cobra
 github.com/spf13/cobra/doc
-# github.com/spf13/pflag v1.0.6
+# github.com/spf13/pflag v1.0.9
 ## explicit; go 1.12
 github.com/spf13/pflag
 # github.com/stoewer/go-strcase v1.3.0
@@ -808,7 +825,7 @@ github.com/stoewer/go-strcase
 # github.com/stretchr/objx v0.5.2
 ## explicit; go 1.20
 github.com/stretchr/objx
-# github.com/stretchr/testify v1.10.0
+# github.com/stretchr/testify v1.11.1
 ## explicit; go 1.17
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/assert/yaml
@@ -833,14 +850,14 @@ github.com/xiang90/probing
 # github.com/xlab/treeprint v1.2.0
 ## explicit; go 1.13
 github.com/xlab/treeprint
-# go.etcd.io/bbolt v1.4.2
+# go.etcd.io/bbolt v1.4.3
 ## explicit; go 1.23
 go.etcd.io/bbolt
 go.etcd.io/bbolt/errors
 go.etcd.io/bbolt/internal/common
 go.etcd.io/bbolt/internal/freelist
-# go.etcd.io/etcd/api/v3 v3.6.4
-## explicit; go 1.23.0
+# go.etcd.io/etcd/api/v3 v3.6.5
+## explicit; go 1.24
 go.etcd.io/etcd/api/v3/authpb
 go.etcd.io/etcd/api/v3/etcdserverpb
 go.etcd.io/etcd/api/v3/etcdserverpb/gw
@@ -849,8 +866,8 @@ go.etcd.io/etcd/api/v3/mvccpb
 go.etcd.io/etcd/api/v3/v3rpc/rpctypes
 go.etcd.io/etcd/api/v3/version
 go.etcd.io/etcd/api/v3/versionpb
-# go.etcd.io/etcd/client/pkg/v3 v3.6.4
-## explicit; go 1.23.0
+# go.etcd.io/etcd/client/pkg/v3 v3.6.5
+## explicit; go 1.24
 go.etcd.io/etcd/client/pkg/v3/fileutil
 go.etcd.io/etcd/client/pkg/v3/logutil
 go.etcd.io/etcd/client/pkg/v3/pathutil
@@ -860,16 +877,16 @@ go.etcd.io/etcd/client/pkg/v3/tlsutil
 go.etcd.io/etcd/client/pkg/v3/transport
 go.etcd.io/etcd/client/pkg/v3/types
 go.etcd.io/etcd/client/pkg/v3/verify
-# go.etcd.io/etcd/client/v3 v3.6.4
-## explicit; go 1.23.0
+# go.etcd.io/etcd/client/v3 v3.6.5
+## explicit; go 1.24
 go.etcd.io/etcd/client/v3
 go.etcd.io/etcd/client/v3/concurrency
 go.etcd.io/etcd/client/v3/credentials
 go.etcd.io/etcd/client/v3/internal/endpoint
 go.etcd.io/etcd/client/v3/internal/resolver
 go.etcd.io/etcd/client/v3/kubernetes
-# go.etcd.io/etcd/pkg/v3 v3.6.4
-## explicit; go 1.23.0
+# go.etcd.io/etcd/pkg/v3 v3.6.5
+## explicit; go 1.24
 go.etcd.io/etcd/pkg/v3/adt
 go.etcd.io/etcd/pkg/v3/contention
 go.etcd.io/etcd/pkg/v3/cpuutil
@@ -887,8 +904,8 @@ go.etcd.io/etcd/pkg/v3/runtime
 go.etcd.io/etcd/pkg/v3/schedule
 go.etcd.io/etcd/pkg/v3/traceutil
 go.etcd.io/etcd/pkg/v3/wait
-# go.etcd.io/etcd/server/v3 v3.6.4
-## explicit; go 1.23.0
+# go.etcd.io/etcd/server/v3 v3.6.5
+## explicit; go 1.24
 go.etcd.io/etcd/server/v3/auth
 go.etcd.io/etcd/server/v3/config
 go.etcd.io/etcd/server/v3/embed
@@ -953,20 +970,19 @@ go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelr
 ## explicit; go 1.22.0
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/internal
-# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
+## explicit; go 1.23.0
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/request
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconv
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/internal/semconvutil
-# go.opentelemetry.io/otel v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel v1.36.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel
 go.opentelemetry.io/otel/attribute
+go.opentelemetry.io/otel/attribute/internal
 go.opentelemetry.io/otel/baggage
 go.opentelemetry.io/otel/codes
-go.opentelemetry.io/otel/internal
-go.opentelemetry.io/otel/internal/attribute
 go.opentelemetry.io/otel/internal/baggage
 go.opentelemetry.io/otel/internal/global
 go.opentelemetry.io/otel/propagation
@@ -986,13 +1002,13 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/envconfig
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/retry
-# go.opentelemetry.io/otel/metric v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/metric v1.36.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/metric
 go.opentelemetry.io/otel/metric/embedded
 go.opentelemetry.io/otel/metric/noop
-# go.opentelemetry.io/otel/sdk v1.34.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/sdk v1.36.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/sdk
 go.opentelemetry.io/otel/sdk/instrumentation
 go.opentelemetry.io/otel/sdk/internal/env
@@ -1000,8 +1016,10 @@ go.opentelemetry.io/otel/sdk/internal/x
 go.opentelemetry.io/otel/sdk/resource
 go.opentelemetry.io/otel/sdk/trace
 go.opentelemetry.io/otel/sdk/trace/tracetest
-# go.opentelemetry.io/otel/trace v1.35.0
-## explicit; go 1.22.0
+# go.opentelemetry.io/otel/sdk/metric v1.36.0
+## explicit; go 1.23.0
+# go.opentelemetry.io/otel/trace v1.36.0
+## explicit; go 1.23.0
 go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
 go.opentelemetry.io/otel/trace/internal/telemetry
@@ -1036,13 +1054,13 @@ go.uber.org/zap/internal/ztest
 go.uber.org/zap/zapcore
 go.uber.org/zap/zapgrpc
 go.uber.org/zap/zaptest
-# go.yaml.in/yaml/v2 v2.4.2
+# go.yaml.in/yaml/v2 v2.4.3
 ## explicit; go 1.15
 go.yaml.in/yaml/v2
 # go.yaml.in/yaml/v3 v3.0.4
 ## explicit; go 1.16
 go.yaml.in/yaml/v3
-# golang.org/x/crypto v0.42.0
+# golang.org/x/crypto v0.45.0
 ## explicit; go 1.24.0
 golang.org/x/crypto/bcrypt
 golang.org/x/crypto/blowfish
@@ -1064,14 +1082,15 @@ golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 ## explicit; go 1.20
 golang.org/x/exp/constraints
 golang.org/x/exp/slices
-# golang.org/x/mod v0.27.0
-## explicit; go 1.23.0
+# golang.org/x/mod v0.29.0
+## explicit; go 1.24.0
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/module
 golang.org/x/mod/semver
-# golang.org/x/net v0.43.0
-## explicit; go 1.23.0
+# golang.org/x/net v0.47.0
+## explicit; go 1.24.0
 golang.org/x/net/context
+golang.org/x/net/dns/dnsmessage
 golang.org/x/net/html
 golang.org/x/net/html/atom
 golang.org/x/net/html/charset
@@ -1085,15 +1104,15 @@ golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.27.0
+# golang.org/x/oauth2 v0.30.0
 ## explicit; go 1.23.0
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.17.0
+# golang.org/x/sync v0.18.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
 golang.org/x/sync/singleflight
-# golang.org/x/sys v0.36.0
+# golang.org/x/sys v0.38.0
 ## explicit; go 1.24.0
 golang.org/x/sys/cpu
 golang.org/x/sys/plan9
@@ -1102,10 +1121,10 @@ golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
 golang.org/x/sys/windows/svc
 golang.org/x/sys/windows/svc/mgr
-# golang.org/x/term v0.35.0
+# golang.org/x/term v0.37.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.29.0
+# golang.org/x/text v0.31.0
 ## explicit; go 1.24.0
 golang.org/x/text/cases
 golang.org/x/text/encoding
@@ -1139,8 +1158,8 @@ golang.org/x/text/unicode/norm
 # golang.org/x/time v0.9.0
 ## explicit; go 1.18
 golang.org/x/time/rate
-# golang.org/x/tools v0.36.0
-## explicit; go 1.23.0
+# golang.org/x/tools v0.38.0
+## explicit; go 1.24.0
 golang.org/x/tools/benchmark/parse
 golang.org/x/tools/container/intsets
 golang.org/x/tools/cover
@@ -1168,9 +1187,7 @@ golang.org/x/tools/internal/stdlib
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
 golang.org/x/tools/internal/versions
-# golang.org/x/tools/go/expect v0.1.0-deprecated
-## explicit; go 1.23.0
-# golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated
+# golang.org/x/tools/go/expect v0.1.1-deprecated
 ## explicit; go 1.23.0
 # google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
 ## explicit; go 1.23.0
@@ -1178,11 +1195,11 @@ google.golang.org/genproto/googleapis/api
 google.golang.org/genproto/googleapis/api/annotations
 google.golang.org/genproto/googleapis/api/expr/v1alpha1
 google.golang.org/genproto/googleapis/api/httpbody
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a
 ## explicit; go 1.23.0
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.72.1
+# google.golang.org/grpc v1.72.2
 ## explicit; go 1.23
 google.golang.org/grpc
 google.golang.org/grpc/attributes
@@ -1252,8 +1269,8 @@ google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
-# google.golang.org/protobuf v1.36.5
-## explicit; go 1.21
+# google.golang.org/protobuf v1.36.8
+## explicit; go 1.23
 google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson
 google.golang.org/protobuf/encoding/prototext
@@ -1299,7 +1316,7 @@ google.golang.org/protobuf/types/known/timestamppb
 google.golang.org/protobuf/types/known/wrapperspb
 # gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 ## explicit; go 1.11
-# gopkg.in/evanphx/json-patch.v4 v4.12.0
+# gopkg.in/evanphx/json-patch.v4 v4.13.0
 ## explicit
 gopkg.in/evanphx/json-patch.v4
 # gopkg.in/go-jose/go-jose.v2 v2.6.3
@@ -1321,59 +1338,61 @@ gopkg.in/yaml.v2
 ## explicit
 gopkg.in/yaml.v3
 # k8s.io/api v0.0.0 => ./staging/src/k8s.io/api
-## explicit; go 1.24.0
-# k8s.io/api v0.34.1 => ./staging/src/k8s.io/api
-## explicit; go 1.24.0
-# k8s.io/apiextensions-apiserver v0.34.1 => ./staging/src/k8s.io/apiextensions-apiserver
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/api v0.35.1 => ./staging/src/k8s.io/api
+## explicit; go 1.25.0
+# k8s.io/apiextensions-apiserver v0.35.1 => ./staging/src/k8s.io/apiextensions-apiserver
+## explicit; go 1.25.0
 # k8s.io/apimachinery v0.0.0 => ./staging/src/k8s.io/apimachinery
-## explicit; go 1.24.0
-# k8s.io/apimachinery v0.34.1 => ./staging/src/k8s.io/apimachinery
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/apimachinery v0.35.1 => ./staging/src/k8s.io/apimachinery
+## explicit; go 1.25.0
 # k8s.io/apiserver v0.0.0 => ./staging/src/k8s.io/apiserver
-## explicit; go 1.24.0
-# k8s.io/apiserver v0.34.1 => ./staging/src/k8s.io/apiserver
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/apiserver v0.35.1 => ./staging/src/k8s.io/apiserver
+## explicit; go 1.25.0
 # k8s.io/cli-runtime v0.0.0 => ./staging/src/k8s.io/cli-runtime
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/client-go v0.0.0 => ./staging/src/k8s.io/client-go
-## explicit; go 1.24.0
-# k8s.io/client-go v0.34.1 => ./staging/src/k8s.io/client-go
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/client-go v0.35.1 => ./staging/src/k8s.io/client-go
+## explicit; go 1.25.0
 # k8s.io/cloud-provider v0.0.0 => ./staging/src/k8s.io/cloud-provider
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/cluster-bootstrap v0.0.0 => ./staging/src/k8s.io/cluster-bootstrap
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/code-generator v0.0.0 => ./staging/src/k8s.io/code-generator
-## explicit; go 1.24.0
-# k8s.io/code-generator v0.34.1 => ./staging/src/k8s.io/code-generator
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/code-generator v0.35.1 => ./staging/src/k8s.io/code-generator
+## explicit; go 1.25.0
 # k8s.io/component-base v0.0.0 => ./staging/src/k8s.io/component-base
-## explicit; go 1.24.0
-# k8s.io/component-base v0.34.1 => ./staging/src/k8s.io/component-base
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/component-base v0.35.1 => ./staging/src/k8s.io/component-base
+## explicit; go 1.25.0
 # k8s.io/component-helpers v0.0.0 => ./staging/src/k8s.io/component-helpers
-## explicit; go 1.24.0
-# k8s.io/component-helpers v0.32.1 => ./staging/src/k8s.io/component-helpers
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/component-helpers v0.35.0 => ./staging/src/k8s.io/component-helpers
+## explicit; go 1.25.0
 # k8s.io/controller-manager v0.0.0 => ./staging/src/k8s.io/controller-manager
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/controller-manager v0.32.1 => ./staging/src/k8s.io/controller-manager
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/cri-api v0.0.0 => ./staging/src/k8s.io/cri-api
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/cri-client v0.0.0 => ./staging/src/k8s.io/cri-client
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/csi-translation-lib v0.0.0 => ./staging/src/k8s.io/csi-translation-lib
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/dynamic-resource-allocation v0.0.0 => ./staging/src/k8s.io/dynamic-resource-allocation
-## explicit; go 1.24.0
+## explicit; go 1.25.0
+# k8s.io/dynamic-resource-allocation v0.35.0 => ./staging/src/k8s.io/dynamic-resource-allocation
+## explicit; go 1.25.0
 # k8s.io/endpointslice v0.0.0 => ./staging/src/k8s.io/endpointslice
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/externaljwt v0.0.0 => ./staging/src/k8s.io/externaljwt
-## explicit; go 1.24.0
-# k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f
-## explicit; go 1.20
+## explicit; go 1.25.0
+# k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b
+## explicit; go 1.23
 k8s.io/gengo/v2
 k8s.io/gengo/v2/codetags
 k8s.io/gengo/v2/generator
@@ -1395,14 +1414,14 @@ k8s.io/klog/v2/ktesting
 k8s.io/klog/v2/ktesting/init
 k8s.io/klog/v2/test
 k8s.io/klog/v2/textlogger
-# k8s.io/kms v0.34.1 => ./staging/src/k8s.io/kms
-## explicit; go 1.24.0
-# k8s.io/kube-aggregator v0.34.1 => ./staging/src/k8s.io/kube-aggregator
-## explicit; go 1.24.0
+# k8s.io/kms v0.35.1 => ./staging/src/k8s.io/kms
+## explicit; go 1.25.0
+# k8s.io/kube-aggregator v0.35.1 => ./staging/src/k8s.io/kube-aggregator
+## explicit; go 1.25.0
 # k8s.io/kube-controller-manager v0.0.0 => ./staging/src/k8s.io/kube-controller-manager
-## explicit; go 1.24.0
-# k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
-## explicit; go 1.23
+## explicit; go 1.25.0
+# k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
+## explicit; go 1.23.0
 k8s.io/kube-openapi/cmd/openapi-gen
 k8s.io/kube-openapi/cmd/openapi-gen/args
 k8s.io/kube-openapi/pkg/aggregator
@@ -1434,25 +1453,25 @@ k8s.io/kube-openapi/pkg/validation/strfmt
 k8s.io/kube-openapi/pkg/validation/strfmt/bson
 k8s.io/kube-openapi/pkg/validation/validate
 # k8s.io/kube-proxy v0.0.0 => ./staging/src/k8s.io/kube-proxy
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/kube-scheduler v0.0.0 => ./staging/src/k8s.io/kube-scheduler
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/kubectl v0.0.0 => ./staging/src/k8s.io/kubectl
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/kubelet v0.0.0 => ./staging/src/k8s.io/kubelet
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/metrics v0.0.0 => ./staging/src/k8s.io/metrics
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/mount-utils v0.0.0 => ./staging/src/k8s.io/mount-utils
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/pod-security-admission v0.0.0 => ./staging/src/k8s.io/pod-security-admission
-## explicit; go 1.24.0
+## explicit; go 1.25.0
 # k8s.io/sample-apiserver v0.0.0 => ./staging/src/k8s.io/sample-apiserver
-## explicit; go 1.24.0
-# k8s.io/system-validators v1.10.2
+## explicit; go 1.25.0
+# k8s.io/system-validators v1.12.1
 ## explicit; go 1.16
 k8s.io/system-validators/validators
-# k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+# k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 ## explicit; go 1.18
 k8s.io/utils/buffer
 k8s.io/utils/clock
@@ -1479,7 +1498,7 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/common/metrics
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8
+# sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 ## explicit; go 1.23
 sigs.k8s.io/json
 sigs.k8s.io/json/internal/golang/encoding/json
@@ -1582,5 +1601,8 @@ sigs.k8s.io/structured-merge-diff/v6/value
 ## explicit; go 1.22
 sigs.k8s.io/yaml
 sigs.k8s.io/yaml/kyaml
-# github.com/google/cadvisor => github.com/openshift/google-cadvisor v0.52.1-openshift-4.21-1
-# github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
+# github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7
+# github.com/openshift/api => github.com/jacobsee/openshift-api v0.0.0-20260211194905-f62f47eaf03d
+# github.com/openshift/apiserver-library-go => github.com/jacobsee/apiserver-library-go v0.0.0-20260211203915-ee5ba89cd34b
+# github.com/openshift/client-go => github.com/jacobsee/client-go v0.0.0-20260211200652-3585e10bcc17
+# github.com/openshift/library-go => github.com/jacobsee/library-go v0.0.0-20260211202355-e615a1f60a34
diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go
index d538ac119b7e1..3fe528bbf3b5d 100644
--- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go
+++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go
@@ -52,8 +52,8 @@ import (
 //   - bool, for JSON booleans
 //   - float64, for JSON numbers
 //   - string, for JSON strings
-//   - []interface{}, for JSON arrays
-//   - map[string]interface{}, for JSON objects
+//   - []any, for JSON arrays
+//   - map[string]any, for JSON objects
 //   - nil for JSON null
 //
 // To unmarshal a JSON array into a slice, Unmarshal resets the slice length
@@ -117,9 +117,6 @@ func Unmarshal(data []byte, v any, opts ...UnmarshalOpt) error {
 // The input can be assumed to be a valid encoding of
 // a JSON value. UnmarshalJSON must copy the JSON data
 // if it wishes to retain the data after returning.
-//
-// By convention, to approximate the behavior of [Unmarshal] itself,
-// Unmarshalers implement UnmarshalJSON([]byte("null")) as a no-op.
 type Unmarshaler interface {
 	UnmarshalJSON([]byte) error
 }
@@ -132,7 +129,7 @@ type UnmarshalTypeError struct {
 	Type   reflect.Type // type of Go value it could not be assigned to
 	Offset int64        // error occurred after reading Offset bytes
 	Struct string       // name of the struct type containing the field
-	Field  string       // the full path from root node to the field
+	Field  string       // the full path from root node to the field, include embedded struct
 }
 
 func (e *UnmarshalTypeError) Error() string {
@@ -281,7 +278,11 @@ func (d *decodeState) addErrorContext(err error) error {
 		switch err := err.(type) {
 		case *UnmarshalTypeError:
 			err.Struct = d.errorContext.Struct.Name()
-			err.Field = strings.Join(d.errorContext.FieldStack, ".")
+			fieldStack := d.errorContext.FieldStack
+			if err.Field != "" {
+				fieldStack = append(fieldStack, err.Field)
+			}
+			err.Field = strings.Join(fieldStack, ".")
 		}
 	}
 	return err
@@ -492,9 +493,9 @@ func indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnm
 		}
 
 		// Prevent infinite loop if v is an interface pointing to its own address:
-		//     var v interface{}
+		//     var v any
 		//     v = &v
-		if v.Elem().Kind() == reflect.Interface && v.Elem().Elem() == v {
+		if v.Elem().Kind() == reflect.Interface && v.Elem().Elem().Equal(v) {
 			v = v.Elem()
 			break
 		}
@@ -784,7 +785,10 @@ func (d *decodeState) object(v reflect.Value) error {
 				}
 				subv = v
 				destring = f.quoted
-				for _, i := range f.index {
+				if d.errorContext == nil {
+					d.errorContext = new(errorContext)
+				}
+				for i, ind := range f.index {
 					if subv.Kind() == reflect.Pointer {
 						if subv.IsNil() {
 							// If a struct embeds a pointer to an unexported type,
@@ -804,13 +808,16 @@ func (d *decodeState) object(v reflect.Value) error {
 						}
 						subv = subv.Elem()
 					}
-					subv = subv.Field(i)
-				}
-				if d.errorContext == nil {
-					d.errorContext = new(errorContext)
+					if i < len(f.index)-1 {
+						d.errorContext.FieldStack = append(
+							d.errorContext.FieldStack,
+							subv.Type().Field(ind).Name,
+						)
+					}
+					subv = subv.Field(ind)
 				}
-				d.errorContext.FieldStack = append(d.errorContext.FieldStack, f.name)
 				d.errorContext.Struct = t
+				d.errorContext.FieldStack = append(d.errorContext.FieldStack, f.name)
 				d.appendStrictFieldStackKey(f.name)
 			} else if d.disallowUnknownFields {
 				d.saveStrictError(d.newFieldError(unknownStrictErrType, string(key)))
@@ -1118,7 +1125,7 @@ func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool
 // in an empty interface. They are not strictly necessary,
 // but they avoid the weight of reflection in this common case.
 
-// valueInterface is like value but returns interface{}
+// valueInterface is like value but returns any.
 func (d *decodeState) valueInterface() (val any) {
 	switch d.opcode {
 	default:
@@ -1135,7 +1142,7 @@ func (d *decodeState) valueInterface() (val any) {
 	return
 }
 
-// arrayInterface is like array but returns []interface{}.
+// arrayInterface is like array but returns []any.
 func (d *decodeState) arrayInterface() []any {
 	origStrictFieldStackLen := len(d.strictFieldStack)
 	defer func() {
@@ -1170,7 +1177,7 @@ func (d *decodeState) arrayInterface() []any {
 	return v
 }
 
-// objectInterface is like object but returns map[string]interface{}.
+// objectInterface is like object but returns map[string]any.
 func (d *decodeState) objectInterface() map[string]any {
 	origStrictFieldStackLen := len(d.strictFieldStack)
 	defer func() {
diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go
index eb73bff58b021..4e3a1a2f10e87 100644
--- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go
+++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go
@@ -71,8 +71,8 @@ import (
 //
 // The "omitempty" option specifies that the field should be omitted
 // from the encoding if the field has an empty value, defined as
-// false, 0, a nil pointer, a nil interface value, and any empty array,
-// slice, map, or string.
+// false, 0, a nil pointer, a nil interface value, and any array,
+// slice, map, or string of length zero.
 //
 // As a special case, if the field tag is "-", the field is always omitted.
 // Note that a field with name "-" can still be generated using the tag "-,".
@@ -98,6 +98,17 @@ import (
 //	// Field appears in JSON as key "-".
 //	Field int `json:"-,"`
 //
+// The "omitzero" option specifies that the field should be omitted
+// from the encoding if the field has a zero value, according to rules:
+//
+// 1) If the field type has an "IsZero() bool" method, that will be used to
+// determine whether the value is zero.
+//
+// 2) Otherwise, the value is zero if it is the zero value for its type.
+//
+// If both "omitempty" and "omitzero" are specified, the field will be omitted
+// if the value is either empty or zero (or both).
+//
 // The "string" option signals that a field is stored as JSON inside a
 // JSON-encoded string. It applies only to fields of string, floating point,
 // integer, or boolean types. This extra level of encoding is sometimes used
@@ -690,7 +701,8 @@ FieldLoop:
 			fv = fv.Field(i)
 		}
 
-		if f.omitEmpty && isEmptyValue(fv) {
+		if (f.omitEmpty && isEmptyValue(fv)) ||
+			(f.omitZero && (f.isZero == nil && fv.IsZero() || (f.isZero != nil && f.isZero(fv)))) {
 			continue
 		}
 		e.WriteByte(next)
@@ -808,7 +820,7 @@ func (se sliceEncoder) encode(e *encodeState, v reflect.Value, opts encOpts) {
 		// Here we use a struct to memorize the pointer to the first element of the slice
 		// and its length.
 		ptr := struct {
-			ptr interface{} // always an unsafe.Pointer, but avoids a dependency on package unsafe
+			ptr any // always an unsafe.Pointer, but avoids a dependency on package unsafe
 			len int
 		}{v.UnsafePointer(), v.Len()}
 		if _, ok := e.ptrSeen[ptr]; ok {
@@ -1039,11 +1051,19 @@ type field struct {
 	index     []int
 	typ       reflect.Type
 	omitEmpty bool
+	omitZero  bool
+	isZero    func(reflect.Value) bool
 	quoted    bool
 
 	encoder encoderFunc
 }
 
+type isZeroer interface {
+	IsZero() bool
+}
+
+var isZeroerType = reflect.TypeFor[isZeroer]()
+
 // typeFields returns a list of fields that JSON should recognize for the given type.
 // The algorithm is breadth-first search over the set of structs to include - the top struct
 // and then any reachable anonymous structs.
@@ -1135,6 +1155,7 @@ func typeFields(t reflect.Type) structFields {
 						index:     index,
 						typ:       ft,
 						omitEmpty: opts.Contains("omitempty"),
+						omitZero:  opts.Contains("omitzero"),
 						quoted:    quoted,
 					}
 					field.nameBytes = []byte(field.name)
@@ -1144,6 +1165,40 @@ func typeFields(t reflect.Type) structFields {
 					field.nameEscHTML = `"` + string(nameEscBuf) + `":`
 					field.nameNonEsc = `"` + field.name + `":`
 
+					if field.omitZero {
+						t := sf.Type
+						// Provide a function that uses a type's IsZero method.
+						switch {
+						case t.Kind() == reflect.Interface && t.Implements(isZeroerType):
+							field.isZero = func(v reflect.Value) bool {
+								// Avoid panics calling IsZero on a nil interface or
+								// non-nil interface with nil pointer.
+								return v.IsNil() ||
+									(v.Elem().Kind() == reflect.Pointer && v.Elem().IsNil()) ||
+									v.Interface().(isZeroer).IsZero()
+							}
+						case t.Kind() == reflect.Pointer && t.Implements(isZeroerType):
+							field.isZero = func(v reflect.Value) bool {
+								// Avoid panics calling IsZero on nil pointer.
+								return v.IsNil() || v.Interface().(isZeroer).IsZero()
+							}
+						case t.Implements(isZeroerType):
+							field.isZero = func(v reflect.Value) bool {
+								return v.Interface().(isZeroer).IsZero()
+							}
+						case reflect.PointerTo(t).Implements(isZeroerType):
+							field.isZero = func(v reflect.Value) bool {
+								if !v.CanAddr() {
+									// Temporarily box v so we can take the address.
+									v2 := reflect.New(v.Type()).Elem()
+									v2.Set(v)
+									v = v2
+								}
+								return v.Addr().Interface().(isZeroer).IsZero()
+							}
+						}
+					}
+
 					fields = append(fields, field)
 					if count[f.typ] > 1 {
 						// If there were multiple instances, add a second,
diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go
index 48fc4d9453953..cc2108b927487 100644
--- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go
+++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go
@@ -31,8 +31,8 @@ func NewDecoder(r io.Reader) *Decoder {
 	return &Decoder{r: r}
 }
 
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// [Number] instead of as a float64.
+// UseNumber causes the Decoder to unmarshal a number into an
+// interface value as a [Number] instead of as a float64.
 func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
 
 // DisallowUnknownFields causes the Decoder to return an error when the destination